From 20fc4c8f9614959cf17f5da918d23892fe435f4a Mon Sep 17 00:00:00 2001 From: Yureka Date: Mon, 5 Aug 2024 07:17:45 +0200 Subject: [PATCH] builders: move provisioning of ssh hostkeys to a systemd service at first activation it does not yet have a working network setup --- services/baremetal-builder/netboot.nix | 29 +++++++++++++------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/services/baremetal-builder/netboot.nix b/services/baremetal-builder/netboot.nix index 16705e3..bd5af0d 100644 --- a/services/baremetal-builder/netboot.nix +++ b/services/baremetal-builder/netboot.nix @@ -5,22 +5,21 @@ in { config = lib.mkIf (cfg.enable && cfg.netboot) { - system.activationScripts.agenixInstall.deps = ["provisionSshHostKey"]; - system.activationScripts.provisionSshHostKey = { - text = '' - echo provisioning ssh hostkey - if [ ! -f /etc/ssh/ssh_host_ed25519_key ] - then - mkdir -p /etc/ssh - ( - umask 0077 - curl --local-port 25-1024 https://vpn-gw.wob01.infra.forkos.org/${config.networking.hostName}/ssh_host_ed25519_key > /etc/ssh/ssh_host_ed25519_key - ) - fi + systemd.services.openssh.after = [ "provision-ssh-hostkey" ]; + systemd.services.provision-ssh-hostkey = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + mkdir -p /etc/ssh + umask 0077 + until ${pkgs.iputils}/bin/ping -c 1 vpn-gw.wob01.infra.forkos.org; do sleep 1; done + curl --local-port 25-1024 https://vpn-gw.wob01.infra.forkos.org/${config.networking.hostName}/ssh_host_ed25519_key > /etc/ssh/ssh_host_ed25519_key + # Run the activation script again to trigger agenix decryption + /run/current-system/activate ''; - deps = [ - "specialfs" - ]; }; system.build = {