add krebs.build.scripts.init

krebs/3modules/build/default.nix

@@ -28,6 +28,46 @@ let
       type = types.user;
     };
 
+    options.krebs.build.scripts.init = lib.mkOption {
+      type = lib.types.str;
+      default =
+        let
+          inherit (config.krebs.build) host;
+          inherit (host.ssh) privkey;
+        in
+        ''
+          #! /bin/sh
+          set -efu
+
+          hostname=${host.name}
+          secrets_dir=${config.krebs.build.source.dir.secrets.path}
+          key_type=${privkey.type}
+          key_file=$secrets_dir/ssh.id_$key_type
+          key_comment=$hostname
+
+          if test -e "$key_file"; then
+            echo "Warning: privkey already exists: $key_file" >&2
+          else
+            ssh-keygen \
+                ${optionalString (privkey.bits != null)
+                  "-b ${toString privkey.bits}"} \
+                -C "$key_comment" \
+                -t "$key_type" \
+                -f "$key_file" \
+                -N ""
+            rm "$key_file.pub"
+          fi
+
+          pubkey=$(ssh-keygen -y -f "$key_file")
+
+          cat<<EOF
+          # put following into config.krebs.hosts.$hostname:
+          ssh.privkey = <secrets/ssh.id_$key_type>;
+          ssh.pubkey = $(echo $pubkey | jq -R .);
+          EOF
+        '';
+    };
+
     options.krebs.build.scripts.deploy = lib.mkOption {
       type = lib.types.str;
       default = ''