copy over ssh host keys

tie · mergify[bot] · commit eb5ff3441472 · 2023-10-04T17:40:24.000Z
nixos-kexec-installer preserves SSH host keys, so should we, to avoid changing host identity. See also - https://github.com/nix-community/nixos-images/blob/c4c73bce65306a1e747684dd0d4bcf0ab2779585/nix/kexec-installer/kexec-run.sh#L42C1-L46C1 - https://github.com/nix-community/nixos-images/blob/c4c73bce65306a1e747684dd0d4bcf0ab2779585/nix/installer.nix#L44-L55
diff --git a/docs/howtos/secrets.md b/docs/howtos/secrets.md
@@ -61,3 +61,16 @@ In the above example, replace `"my-super-safe-password"` with your actual
 encryption password, and `my-disk-encryption-password` with the relevant entry
 in your pass password store. Also, ensure to replace `'.#your-host'` and
 `root@yourip` with your actual flake and IP address, respectively.
+
+## Example: Using existing SSH host keys
+
+If the system contains existing trusted `/etc/ssh/ssh_host_*` SSH host keys and
+certificates, `nixos-anywhere` can copy them in case they are necessary during
+installation and system activation.
+
+```
+nixos-anywhere --copy-host-keys --flake '.#your-host' root@yourip
+```
+
+This would copy `/etc/ssh/ssh_host_*` to `/mnt` after kexec but before
+installation, ignoring files that already exist in destination.
diff --git a/src/nixos-anywhere.sh b/src/nixos-anywhere.sh
@@ -29,6 +29,8 @@ Options:
   use another kexec tarball to bootstrap NixOS
 * --post-kexec-ssh-port <ssh_port>
   after kexec is executed, use a custom ssh port to connect. Defaults to 22
+* --copy-host-keys
+  copy over existing /etc/ssh/ssh_host_* host keys to the installation
 * --stop-after-disko
   exit after disko formatting, you can then proceed to install manually or some other way
 * --extra-files <file...>
@@ -119,6 +121,10 @@ while [[ $# -gt 0 ]]; do
     post_kexec_ssh_port=$2
     shift
     ;;
+  --copy-host-keys)
+    copy_host_keys=y
+    shift
+    ;;
   --debug)
     enable_debug="-x"
     print_build_logs=y
@@ -450,13 +456,25 @@ fi
 
 step Installing NixOS
 ssh_ bash <<SSH
-set -efu ${enable_debug}
+set -eu ${enable_debug}
 # when running not in nixos we might miss this directory, but it's needed in the nixos chroot during installation
-export PATH=\$PATH:/run/current-system/sw/bin 
+export PATH="\$PATH:/run/current-system/sw/bin"
 
 # needed for installation if initrd-secrets are used
 mkdir -p /mnt/tmp
 chmod 777 /mnt/tmp
+if [[ ${copy_host_keys-n} == "y" ]]; then
+  # NB we copy host keys that are in turn copied by kexec installer.
+  mkdir -m 755 -p /mnt/etc/ssh
+  for p in /etc/ssh/ssh_host_*; do
+    # Skip if the source file does not exist (i.e. glob did not match any files)
+    # or the destination already exists (e.g. copied with --extra-files).
+    if [ ! -e "\$p" -o -e "/mnt/\$p" ]; then
+      continue
+    end
+    cp -a "\$p" "/mnt/\$p"
+  done
+fi
 nixos-install --no-root-passwd --no-channel-copy --system "$nixos_system"
 if command -v zpool >/dev/null; then
   zpool export -a || : # we always want to export the zfs pools so people can boot from it without force import
