From 8fac0bf1a309f8dfaa335e1bd9caad9aca44a352 Mon Sep 17 00:00:00 2001 From: Andreas Zweili Date: Mon, 29 Jan 2024 13:39:27 +0100 Subject: [PATCH] Create the initrd key during setup --- modules/misc/initrd-ssh/default.nix | 2 +- modules/misc/initrd-ssh/ssh_host_ed25519_key | 7 ---- .../misc/initrd-ssh/ssh_host_ed25519_key.pub | 1 - modules/misc/initrd-ssh/ssh_host_rsa_key | 38 ------------------- modules/misc/initrd-ssh/ssh_host_rsa_key.pub | 1 - scripts/format-disk.sh | 7 ++++ 6 files changed, 8 insertions(+), 48 deletions(-) delete mode 100644 modules/misc/initrd-ssh/ssh_host_ed25519_key delete mode 100644 modules/misc/initrd-ssh/ssh_host_ed25519_key.pub delete mode 100644 modules/misc/initrd-ssh/ssh_host_rsa_key delete mode 100644 modules/misc/initrd-ssh/ssh_host_rsa_key.pub diff --git a/modules/misc/initrd-ssh/default.nix b/modules/misc/initrd-ssh/default.nix index 1b4122b..97045a3 100644 --- a/modules/misc/initrd-ssh/default.nix +++ b/modules/misc/initrd-ssh/default.nix @@ -7,7 +7,7 @@ shell = "/bin/cryptsetup-askpass"; authorizedKeys = config.users.users.${config.az-username}.openssh.authorizedKeys.keys; - hostKeys = [ ./ssh_host_rsa_key ./ssh_host_ed25519_key ]; + hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; }; }; } diff --git a/modules/misc/initrd-ssh/ssh_host_ed25519_key b/modules/misc/initrd-ssh/ssh_host_ed25519_key deleted file mode 100644 index f6c0dce..0000000 --- a/modules/misc/initrd-ssh/ssh_host_ed25519_key +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW -QyNTUxOQAAACCHLxzMWIM4QVnpjgDkkqaiy7sNSIsOLYxwvrIPFLrWIgAAAJC+S5DyvkuQ -8gAAAAtzc2gtZWQyNTUxOQAAACCHLxzMWIM4QVnpjgDkkqaiy7sNSIsOLYxwvrIPFLrWIg -AAAEDouhwxa1VdUpzJY9WqQWoW8WjdqX/7AeSxBiyNdTwA6IcvHMxYgzhBWemOAOSSpqLL -uw1Iiw4tjHC+sg8UutYiAAAADGFuZHJlYXNAZ3d5bgE= ------END OPENSSH PRIVATE KEY----- 
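Review bot: The new `hostKeys` entry is a plain string path that Nix cannot check at evaluation time, so a rebuild or `nixos-install` on a host where `scripts/format-disk.sh` has not yet created `/etc/secrets/initrd/ssh_host_ed25519_key` will fail later, at initrd/bootloader build time, and a comment should make that dependency explicit, e.g. `# Absolute (non-store) path: generated on the target by scripts/format-disk.sh (create_initrd_keys); never committed to the repo.` Replacing the previous `./ssh_host_*_key` store paths with a string presumably keeps the private key out of the world-readable Nix store as well as out of the repository, which is the point of the change. The removed keys nevertheless remain recoverable from git history (this patch itself carries their full contents), so they should be treated as disclosed, and any `known_hosts` entries pinning the old initrd host-key fingerprints will need updating once hosts boot with the generated key. The RSA key is dropped without replacement, which is fine only if every client used to reach the initrd supports ed25519.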
diff --git a/modules/misc/initrd-ssh/ssh_host_ed25519_key.pub b/modules/misc/initrd-ssh/ssh_host_ed25519_key.pub
deleted file mode 100644
index b6e2da7..0000000
--- a/modules/misc/initrd-ssh/ssh_host_ed25519_key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcvHMxYgzhBWemOAOSSpqLLuw1Iiw4tjHC+sg8UutYi andreas@gwyn
diff --git a/modules/misc/initrd-ssh/ssh_host_rsa_key b/modules/misc/initrd-ssh/ssh_host_rsa_key
deleted file mode 100644
index 7729279..0000000
--- a/modules/misc/initrd-ssh/ssh_host_rsa_key
+++ /dev/null
@@ -1,38 +0,0 @@ ------BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn -NhAAAAAwEAAQAAAYEAyL5M0fLnAgKzG0UisiLQ/MR4PHyE1QSZ0WlFuu+y0ITf5IC08hy8 -Cl7Sj/eUkG/H4ffgpaqOIUmQ2/59R2wYGMV9rULtKDluVrAARTZ7687CU8E4IMOXb1JwAv -n8je57f+TOafHnjEvKxO50X6UJ3dBbOD50VNvh7FKHeWdueXi//T3s6aT8k82FRUyHm9UO -sL5iJCVs3ikX530AmnVW2/hxSBZ3JSTnxwKIP/De4CzmjGpLcwgqu7EOtpTs2zcKEwqkHl -M3bXRAh9PbVBqsnR2LVXDqneTkTSXBTNj/UNlK1Ynex6LaNnGWaEgi//vZEiaZ56e0ksEi -O5IMzNxJnjqhRWnrhrbvrxnT4aWxwbcwewF+GEC18CF+MZlajMLh2eD3tJyu/3xdUmNT2P -HBapgHYLB84exP1+5SjZY6Z77EANnNRBb7pSQZilyzSJzULrzXDMhCzB2T0m3uqVDM6FV+ -NN6l1JzScJLUhT0ZCdZBViz/8CbIvzc1O6f0BUGbAAAFiJLRJVaS0SVWAAAAB3NzaC1yc2 -EAAAGBAMi+TNHy5wICsxtFIrIi0PzEeDx8hNUEmdFpRbrvstCE3+SAtPIcvApe0o/3lJBv -x+H34KWqjiFJkNv+fUdsGBjFfa1C7Sg5blawAEU2e+vOwlPBOCDDl29ScAL5/I3ue3/kzm -nx54xLysTudF+lCd3QWzg+dFTb4exSh3lnbnl4v/097Omk/JPNhUVMh5vVDrC+YiQlbN4p -F+d9AJp1Vtv4cUgWdyUk58cCiD/w3uAs5oxqS3MIKruxDraU7Ns3ChMKpB5TN210QIfT21 -QarJ0di1Vw6p3k5E0lwUzY/1DZStWJ3sei2jZxlmhIIv/72RImmeentJLBIjuSDMzcSZ46 -oUVp64a2768Z0+GlscG3MHsBfhhAtfAhfjGZWozC4dng97Scrv98XVJjU9jxwWqYB2CwfO -HsT9fuUo2WOme+xADZzUQW+6UkGYpcs0ic1C681wzIQswdk9Jt7qlQzOhVfjTepdSc0nCS -1IU9GQnWQVYs//AmyL83NTun9AVBmwAAAAMBAAEAAAGAK1IeA+TWg3GPs1/dF/I5hYLkq7 -D3fXzrsOx19tyJi0RRiN9ZrTIURmymJhl4vx7QVOyIV1gSKg7VKxSldodWP+pGr+BUi6yx -KhX7SPR0E7Rf7XEyKqfrA0QYFhxaq0p+7l+zR9vDa1xj2tHW3VkhYvP265FWy4VUIQrCX6 -m5ho9PZ1g4y0cmlsLwcr8MOM3myK+dQE2vS9Y0aWlpeuu9neTklXj7p1Fqj2D1hE732gr2 -ifDabW2iwzR3h2FmJ/ydVs9RgJH000L+gN7y45ShA+cEqfb0vX0MaMhaPLsxl0k84kusK9 -OigMm1wZLlft8V6nJMxumAcOZYJhc55dyLN+ffSma4Rm0PWVhde7CrZn6JzX07rDBPssJ+ -Bg37hN589aZ89XsaIUUgqauSHY5DhVW8qXMYrBR/Evsw4femRBwCEMBguK+99xV67cOV5B -zUqGvSjyR02qJa5Lkx0WPiRj1eg06op51e1DxiEu6awa80/C5eJrXOerrg/4oILeaZAAAA -wQDJpJhUfS2Xk47b7MHfoWWYc7c9UOe+hZWNNnO+rU8ISIQUwAT6NHYOLeW+w9ahu9Ytll -VUNqOke/o4isk3ypN5oYlWajtk5IEpZoJWSqDD+wjHa6KuMMVvDouoa2tDuyLNOmgsXQ0E -1SQGIsZTF9iqE5FvEpn8rdlP7rjuTl1OUT5ahpmsgn6QcCzxWHFaSHBYX6lQtmQT6/UFmO 
-uEkZisBYaiW68P7HvdODhfdVHHfJW/oxvxWh7ICcm+Fay2Uz8AAADBAPU5y8biDo/K/kyF -KTfTleIN2HcnjdSCto3Fy0v75DfXJSNSYZaQDC5WOtQZAXqJc2ucJTUWaJVDBUhpO0sRzF -oZb58G42m/2JS2nKI1xynRUVTjbjA/B08o/g5X3V3p7yneCguaZXAb0EieICc4LFeGcjxC -Q1mOKCRqFYylXatfSISgjlp0JuruKIBPOjOod5YMSP0QAYxTtFKV5q+OhHVsqO/HATECYP -koneBLEGjbNWwYhDQ+J1vfyx1/7Ds7lwAAAMEA0ZAu63r7MYst7MvCOo0OST4imuLO+grY -FFOLHdE1ML3eK438A+ETbC63PH3sLq3YEwiGKTakOXbtGfqbcDBgn1sveQ/rJjDIGo4+nS -Rz0BDftaNj0GdEGqi77tXxDJB5svjMiUbuxxY66xpxTqJW58jxq5ymshGtIcOOtTvLoonD -QmbMBojhdJY82/VnteTfHfBzghSa+SxnhpNmr8lGp5bghDBQs1m+KrMi1hhSlWWTbaFkaz -KozLfObM3NirqdAAAADGFuZHJlYXNAZ3d5bgECAwQFBg== ------END OPENSSH PRIVATE KEY----- diff --git a/modules/misc/initrd-ssh/ssh_host_rsa_key.pub b/modules/misc/initrd-ssh/ssh_host_rsa_key.pub deleted file mode 100644 index 90b6a42..0000000 --- a/modules/misc/initrd-ssh/ssh_host_rsa_key.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa 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 andreas@gwyn diff --git a/scripts/format-disk.sh b/scripts/format-disk.sh index a8420c9..bc2d618 100755 --- a/scripts/format-disk.sh +++ b/scripts/format-disk.sh @@ -84,6 +84,11 @@ create_uefi() { sync } +create_initrd_keys() { + mkdir -p /etc/secrets/initrd + ssh-keygen -t ed25519 -N "" -C "" -f $ROOT_DIR/etc/secrets/initrd/ssh_host_ed25519_key +} + create_pi() { create_gpt create_boot_partition @@ -92,6 +97,7 @@ create_pi() { create_f2fs mount_partitions create_uefi + create_initrd_keys } create_pc() { @@ -103,6 +109,7 @@ create_pc() { create_swap create_ext4 mount_partitions + create_initrd_keys } create_pi
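Review bot: In `create_initrd_keys` the `mkdir -p /etc/secrets/initrd` creates the directory on the installer's own root filesystem, while `ssh-keygen -f` writes under `$ROOT_DIR/etc/secrets/initrd`; `ssh-keygen` does not create parent directories, so on a freshly formatted target the key generation fails and the `hostKeys` path in `modules/misc/initrd-ssh/default.nix` is left dangling. The directory should be created under the target root and the variable quoted: `mkdir -p "$ROOT_DIR/etc/secrets/initrd"`, `chmod 700 "$ROOT_DIR/etc/secrets/initrd"`, `ssh-keygen -t ed25519 -N "" -C "" -f "$ROOT_DIR/etc/secrets/initrd/ssh_host_ed25519_key"`. The `chmod 700` is defense in depth: `ssh-keygen` creates the private key file itself as mode 0600, but the directory takes whatever the umask gives it. The two call sites added in `create_pi` and `create_pc` both run after `mount_partitions`, which is presumably what makes `$ROOT_DIR` a mounted target at that point; if `$ROOT_DIR` can be unset or empty, whatever guard the rest of the script uses (not visible in this hunk) should cover this function too, since an empty value would silently put the key on the installer's own `/etc/secrets/initrd` instead of the target.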