Merge pull request #197382 from phaer/patch-4

initrd-ssh: allow empty hostKeys
2022-12-04 15:34:43 +01:00 · 2022-12-04 15:34:43 +01:00 · e1185ea096
commit e1185ea096
parent 3ec5fa600e 3c1906b202
1 changed files with 10 additions and 1 deletions
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@ -73,6 +73,15 @@ in
      '';
    };

+    ignoreEmptyHostKeys = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Allow leaving {option}`config.boot.initrd.network.ssh` empty,
+        to deploy ssh host keys out of band.
+      '';
+    };
+
    authorizedKeys = mkOption {
      type = types.listOf types.str;
      default = config.users.users.root.openssh.authorizedKeys.keys;
@ -141,7 +150,7 @@ in
      }

      {
-        assertion = cfg.hostKeys != [];
+        assertion = (cfg.hostKeys != []) || cfg.ignoreEmptyHostKeys;
        message = ''
          You must now pre-generate the host keys for initrd SSH.
          See the boot.initrd.network.ssh.hostKeys documentation