builders: move provisioning of ssh hostkeys to a systemd service
at first activation it does not yet have a working network setup
This commit is contained in:
parent
bce44930b1
commit
20fc4c8f96
@ -5,22 +5,21 @@ in
|
||||||
{
|
{
|
||||||
config = lib.mkIf (cfg.enable && cfg.netboot) {
|
config = lib.mkIf (cfg.enable && cfg.netboot) {
|
||||||
|
|
||||||
system.activationScripts.agenixInstall.deps = ["provisionSshHostKey"];
|
systemd.services.openssh.after = [ "provision-ssh-hostkey" ];
|
||||||
system.activationScripts.provisionSshHostKey = {
|
systemd.services.provision-ssh-hostkey = {
|
||||||
text = ''
|
wantedBy = [ "multi-user.target" ];
|
||||||
echo provisioning ssh hostkey
|
serviceConfig = {
|
||||||
if [ ! -f /etc/ssh/ssh_host_ed25519_key ]
|
Type = "oneshot";
|
||||||
then
|
RemainAfterExit = true;
|
||||||
mkdir -p /etc/ssh
|
};
|
||||||
(
|
script = ''
|
||||||
umask 0077
|
mkdir -p /etc/ssh
|
||||||
curl --local-port 25-1024 https://vpn-gw.wob01.infra.forkos.org/${config.networking.hostName}/ssh_host_ed25519_key > /etc/ssh/ssh_host_ed25519_key
|
umask 0077
|
||||||
)
|
until ${pkgs.iputils}/bin/ping -c 1 vpn-gw.wob01.infra.forkos.org; do sleep 1; done
|
||||||
fi
|
curl --local-port 25-1024 https://vpn-gw.wob01.infra.forkos.org/${config.networking.hostName}/ssh_host_ed25519_key > /etc/ssh/ssh_host_ed25519_key
|
||||||
|
# Run the activation script again to trigger agenix decryption
|
||||||
|
/run/current-system/activate
|
||||||
'';
|
'';
|
||||||
deps = [
|
|
||||||
"specialfs"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
system.build = {
|
system.build = {
|
||||||
|
|
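Review bot: The curl call in the new `script` runs without `--fail` and redirects straight into `/etc/ssh/ssh_host_ed25519_key`, so an HTTP error body or a truncated transfer is written as the host key with exit status 0, and because the old `if [ ! -f ... ]` guard was dropped this now happens on every boot and can overwrite a previously good key (if unconditional refresh is intended for netboot hosts, the atomic write still matters). Fetch into a temp file with `--fail` and rename it into place, as in the excerpt below. The `until ping ...` loop has no upper bound and the unit sets no `TimeoutStartSec`, so a gateway outage blocks `multi-user.target` indefinitely rather than failing the unit; `After`/`Wants` on `network-online.target` plus a timeout would be more predictable. `ping` is invoked via `${pkgs.iputils}` but `curl` is bare, which presumably relies on it being on the unit's PATH — confirm, or reference `${pkgs.curl}/bin/curl` as in the excerpt. The enclosing `config = lib.mkIf ...` attrset begins at the top of the hunk and continues past it.
```nix
script = ''
  mkdir -p /etc/ssh
  umask 0077
  until ${pkgs.iputils}/bin/ping -c 1 vpn-gw.wob01.infra.forkos.org; do sleep 1; done
  # Download to a temp file and rename: --fail keeps an HTTP error body out of the key
  # file, and the rename keeps a partial transfer from replacing an existing key.
  tmp=$(mktemp /etc/ssh/.ssh_host_ed25519_key.XXXXXX)
  ${pkgs.curl}/bin/curl --fail --silent --show-error --local-port 25-1024 \
    https://vpn-gw.wob01.infra.forkos.org/${config.networking.hostName}/ssh_host_ed25519_key \
    -o "$tmp"
  mv "$tmp" /etc/ssh/ssh_host_ed25519_key
  # … unchanged: re-run of /run/current-system/activate for agenix …
'';
```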