ignition/ssh-bootstrap.sh

#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :

gen_sshd_config() {
    {
    for x in ssh_host_*_key-cert.pub; do
        printf 'HostCertificate /etc/ssh/%s\n' "${x}"
    done
    } > sshd_config.d/10-hostcertificate.conf
}

parse_response() {
    jq -r '.certificates | to_entries | .[] | .key + " " + .value' \
        | while read filename contents; do
            [ -n "${filename}" ] || continue
            echo "${contents}" > "${filename}" || return
    done
}

request_sign() {
    set -- \
        https://bootstrap.pyrocufflink.blue/sshkeys/sign \
        -H 'Accept: application/json' \
        -F hostname=$(hostname -f)
    for f in /etc/ssh/ssh_host_*_key.pub; do
        set -- "$@" -F keys=@"${f}"
    done
    curl -fsSL "$@"
}

cd /etc/ssh || exit
request_sign | parse_response
gen_sshd_config

systemctl reload sshd