From 2a4a0b850a260dcd34d961af65e3b0784a670838 Mon Sep 17 00:00:00 2001
From: Felix Tenley
Date: Sat, 23 Oct 2021 03:06:06 +0200
Subject: [PATCH] fix(rpi4): fix initrd ssh

---
 flake.nix | 4 +++-
 key | 1 -
 rpi4.nix | 23 +++++++++++++++++++----
 3 files changed, 22 insertions(+), 6 deletions(-)
 delete mode 100644 key

diff --git a/flake.nix b/flake.nix
index d5eac0d..b708299 100644
--- a/flake.nix
+++ b/flake.nix
@@ -165,7 +165,9 @@
 (lib.createUser "felschr" {
 user = {
 extraGroups = [ "wheel" "audio" "disk" "media" ];
- openssh.authorizedKeys.keyFiles = [ ./key ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIINDTp/k2m9yUn8NGDpCzyX2iK9lOwe6lJR5sk19apxC openpgp:0xBBA675EA"
+ ];
 };
 modules = [ homeManagerModules.git ];
 config = ./home/felschr-rpi4.nix;
diff --git a/key b/key
deleted file mode 100644
index e578ca5..0000000
--- a/key
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIINDTp/k2m9yUn8NGDpCzyX2iK9lOwe6lJR5sk19apxC openpgp:0xBBA675EA
diff --git a/rpi4.nix b/rpi4.nix
index f02480f..329e5bc 100644
--- a/rpi4.nix
+++ b/rpi4.nix
@@ -1,6 +1,14 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with builtins; {
+let
+ # mkdir /etc/secrets/initrd -p
+ # chmod 700 -R /etc/secrets/
+ # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
+ hostKeys = [{
+ path = "/etc/secrets/initrd/ssh_host_ed25519_key";
+ type = "ed25519";
+ }];
+in with builtins; {
 imports = [
 # ./hardware/base.nix
 ./hardware/gpu-rpi4.nix
@@ -66,12 +74,19 @@ with builtins; {
 challengeResponseAuthentication = false;
 passwordAuthentication = false;
 permitRootLogin = "no";
+ inherit hostKeys;
 };
 # ssh root@hostname "echo "$(read -s pass; echo \'"$pass"\')" > /crypt-ramfs/passphrase"
- boot.initrd.network.ssh = {
+ boot.initrd.network = {
 enable = true;
- authorizedKeys = [ (readFile "./key") ];
+ ssh = {
+ enable = true;
+ # requires support for initrd secrets (might work w/ uboot when it's supported)
+ # hostKeys = map (f: f.path) hostKeys;
+ hostKeys = [ ./host_key ];
+ authorizedKeys = config.users.users.felschr.openssh.authorizedKeys.keys;
+ };
 };
 # only change this when specified in release notes
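Review bot: `hostKeys = [ ./host_key ];` in the new boot.initrd.network.ssh block is a Nix path literal, so the initrd host private key gets copied into /nix/store, which is world-readable, and it will also be committed to the repository unless host_key is git-ignored (the `delete mode 100644 key` entry shows files in the repo root are tracked, and this patch changes no .gitignore). Separately, `inherit hostKeys;` appears to give the main sshd the key at /etc/secrets/initrd/ssh_host_ed25519_key (the enclosing services.openssh block starts outside the hunk; the hostKeys binding itself is in the first rpi4.nix hunk), and the commented-out `hostKeys = map (f: f.path) hostKeys;` indicates the same key is meant to become the initrd key later; since the initrd lives on the unencrypted boot partition, sharing one key would let anyone who reads that partition impersonate the system's SSH host identity. Consider a dedicated initrd-only key, and until initrd secrets are supported, document the trade-off above the path literal, e.g. `# NOTE: path literal ends up world-readable in /nix/store; keep host_key out of git and never reuse it as the system host key`.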