From db1a88ab2eb877726b723113ff956610f9ec545f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 24 Jun 2026 22:14:06 +0000
Subject: [PATCH] fix: repair legacy factory ssh key passphrases

---
 modules/core/ssh-bootstrap.nix | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/modules/core/ssh-bootstrap.nix b/modules/core/ssh-bootstrap.nix
index e88dcd8..91c6160 100644
--- a/modules/core/ssh-bootstrap.nix
+++ b/modules/core/ssh-bootstrap.nix
@@ -31,7 +31,7 @@ lib.mkIf userExists {
  };
 
  systemd.services.factory-ssh-keygen = {
- description = "Generate factory SSH key for ${userName} if missing";
+ description = "Generate or repair factory SSH key for ${userName}";
  wantedBy = [ "multi-user.target" ];
  after = [ "ssh-passphrase-setup.service" ];
  requires = [ "ssh-passphrase-setup.service" ];
@@ -41,12 +41,34 @@ lib.mkIf userExists {
  };
  path = [ pkgs.openssh pkgs.coreutils ];
  script = ''
- if [ ! -f "${keyPath}" ]; then
- PASSPHRASE=$(cat /var/lib/secrets/ssh-passphrase)
+ PASSPHRASE=$(cat /var/lib/secrets/ssh-passphrase)
+
+ generate_factory_key() {
  ssh-keygen -q -N "$PASSPHRASE" -t ed25519 -f "${keyPath}"
  chown ${userName}:users "${keyPath}" "${keyPath}.pub"
  chmod 600 "${keyPath}"
  chmod 644 "${keyPath}.pub"
+ }
+
+ if [ ! -f "${keyPath}" ]; then
+ generate_factory_key
+ elif ! ssh-keygen -y -P "$PASSPHRASE" -f "${keyPath}" >/dev/null 2>&1; then
+ backup_suffix=$(date -u +%Y%m%d%H%M%S)
+ backup_path="${keyPath}.bak-$backup_suffix"
+ backup_index=0
+
+ while [ -e "$backup_path" ] || [ -e "$backup_path.pub" ]; do
+ backup_index=$((backup_index + 1))
+ backup_path="${keyPath}.bak-$backup_suffix-$backup_index"
+ done
+
+ mv "${keyPath}" "$backup_path"
+
+ if [ -f "${keyPath}.pub" ]; then
+ mv "${keyPath}.pub" "$backup_path.pub"
+ fi
+
+ generate_factory_key
  fi
  '';
  };
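Review bot: The new `elif` branch rotates the keypair whenever `ssh-keygen -y -P "$PASSPHRASE"` fails, and nothing checks that `PASSPHRASE` is non-empty after the `cat`, so an empty or truncated `/var/lib/secrets/ssh-passphrase` would cause an existing encrypted factory key to be moved aside and replaced by one generated with `ssh-keygen -N ""`, i.e. a key with no passphrase at all, on the next start of the service. Add a guard directly after the `cat`: `[ -n "$PASSPHRASE" ] || { echo "factory-ssh-keygen: empty passphrase, refusing to touch ${keyPath}" >&2; exit 1; }`. Note also that `ssh-keygen -y` can fail for reasons other than a wrong passphrase (unreadable or malformed key file), and that a rotation silently changes the public key so any `authorized_keys` entries that trust the old key stop working; log it before the `mv`, e.g. `echo "factory-ssh-keygen: cannot unlock ${keyPath} with the configured passphrase; rotating, old pair kept at $backup_path" >&2`. Both the existing `-N` and the newly added `-P` pass the passphrase on the command line, where it is typically visible to other local users via the process list for the duration of the call, and the `-P` check now runs on every start rather than only when a key is created, so that exposure is worth weighing in the threat model. The service's `serviceConfig` and the rest of the `factory-ssh-keygen` definition lie outside this hunk.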