Configure host to use SSH certs on the host and client side.

host_config/bootstrap_host.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+SCRIPT_DIR=$(dirname "$(readlink -f "$0")")
+host_ca_key="${SCRIPT_DIR}/ssh_certs/host_ca"
+user_ca_pub="${SCRIPT_DIR}/ssh_certs/user_ca.pub"
+
+if [ ! -f "${host_ca_key}" ]
+then
+  echo "Host CA key not found."
+  exit 1
+fi
+
+if [ ! -f "${user_ca_pub}" ]
+then
+  echo "Public User CA key not found."
+  exit 1
+fi
+
+temp=$(mktemp -d)
+
+cleanup() {
+  rm -rf "${temp}"
+}
+# trap cleanup EXIT
+
+host_type=$1
+hostname=$2
+extra_names=${3:-}
+
+principal_names="${hostname}"
+
+if [ ! -z "${extra_names}" ]
+then
+    principal_names="${principal_names},${extra_names}"
+fi
+
+install -d -m755 "${temp}/persisted/etc/ssh"
+ssh-keygen -t ed25519 -f "${temp}/persisted/etc/ssh/ssh_host_ed25519_key" -C '' -N ''
+ssh-keygen -s ${host_ca_key} -I ${hostname} -h -n "${principal_names}" -V +52w "${temp}/persisted/etc/ssh/ssh_host_ed25519_key.pub"
+
+cp "${user_ca_pub}" "${temp}/persisted/etc/ssh/user_cas.pub"
+
+echo "${temp}"
+
+#nix run github:nix-community/nixos-anywhere -- --extra-files "${temp}" --flake .#${host_type} --target-host root@${hostname}