create server key on install and allow download

dtrfs_api/src/main.rs

@@ -132,8 +132,17 @@ struct SSHKeyForm {
     ssh_key: String,
 }
 
-#[get("/ssh_key")]
+#[get("/server_ssh_pubkeys")]
-async fn get_ssh_keys(req: HttpRequest) -> HttpResponse {
+async fn get_server_pubkeys() -> HttpResponse {
+    match os::get_server_ssh_pubkeys() {
+        Ok(keys) => HttpResponse::Ok().body(keys),
+        Err(e) => HttpResponse::InternalServerError()
+            .body(format!("Could not get pubkeys due to errr: {e:?}\nDid you install the OS?")),
+    }
+}
+
+#[get("/authorized_keys")]
+async fn get_authorized_keys(req: HttpRequest) -> HttpResponse {
     if let Err(e) = verify(&req) {
         return HttpResponse::BadRequest().body(format!("Signature verification failed: {}", e));
     };
@@ -143,13 +152,13 @@ async fn get_ssh_keys(req: HttpRequest) -> HttpResponse {
     }
 }
 
-#[post("/ssh_key")]
+#[post("/authorized_keys")]
-async fn post_ssh_key(req: HttpRequest, form: web::Form<SSHKeyForm>) -> HttpResponse {
+async fn post_authorized_keys(req: HttpRequest, form: web::Form<SSHKeyForm>) -> HttpResponse {
     if let Err(e) = verify(&req) {
         return HttpResponse::BadRequest().body(format!("Signature verification failed: {}", e));
     };
     let ssh_key = &form.ssh_key;
-    match os::add_ssh_key(ssh_key) {
+    match os::add_authorized_key(ssh_key) {
         Ok(()) => HttpResponse::Ok().body("Key added to authorized_keys"),
         Err(e) => HttpResponse::BadRequest().body(format!("{e:?}")),
     }
@@ -183,7 +192,7 @@ async fn main() -> std::io::Result<()> {
         Ok(_) => {
             println!("Hot decryption successful. Booting OS...");
             return Ok(());
-        },
+        }
         Err(e) => {
             println!("Hot decryption failed: {e:?}");
         }
@@ -194,8 +203,8 @@ async fn main() -> std::io::Result<()> {
             .service(post_install_form)
             .service(post_decrypt_form)
             .service(post_process_exit)
-            .service(post_ssh_key)
+            .service(post_authorized_keys)
-            .service(get_ssh_keys)
+            .service(get_authorized_keys)
             .service(get_report)
             .service(homepage)
     })

dtrfs_api/src/os.rs

@@ -102,7 +102,7 @@ pub fn replace_hot_keyfile() -> Result<String> {
     Ok("Succesfully replaced hot keyfile using SNP KDF.".to_string())
 }
 
-pub fn add_ssh_key(key: &str) -> Result<()> {
+pub fn add_authorized_key(key: &str) -> Result<()> {
     use std::os::unix::fs::PermissionsExt;
     if !Path::new("/mnt/etc/os-release").try_exists().is_ok_and(|found| found == true) {
         return Err(anyhow!(
@@ -142,6 +142,19 @@ pub fn add_ssh_key(key: &str) -> Result<()> {
     Ok(())
 }
 
+pub fn get_server_ssh_pubkeys() -> Result<String> {
+    let files = vec![
+        "/mnt/etc/ssh/ssh_host_rsa_key.pub",
+        "/mnt/etc/ssh/ssh_host_ecdsa_key.pub",
+        "/mnt/etc/ssh/ssh_host_ed25519_key.pub",
+    ];
+
+    Ok(files
+        .iter()
+        .map(|f| std::fs::read_to_string(f))
+        .collect::<Result<String, std::io::Error>>()?)
+}
+
 pub fn list_ssh_keys() -> Result<String> {
     Ok(std::fs::read_to_string("/mnt/root/.ssh/authorized_keys")?)
 }

scripts/install_os.sh

@@ -58,3 +58,12 @@ echo "" > /mnt/etc/fstab
 hostname=$(cat /proc/cmdline | grep -oE 'detee_name=[0-9a-z\_\.\-]+' | cut -d '=' -f2)
 echo "=== Setting up guest hostname as $hostname"
 [[ -n "$hostname" ]] && echo $hostname > /mnt/etc/hostname
+
+echo "=== Generating SSH public keys"
+[[ -f "/mnt/etc/ssh/ssh_host_rsa_key" ]] ||
+  /mnt/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' > /dev/null
+[[ -f "/mnt/etc/ssh/ssh_host_ecdsa_key" ]] ||
+  /mnt/usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N '' > /dev/null
+[[ -f "/mnt/etc/ssh/ssh_host_ed25519_key" ]] ||
+  /mnt/usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' > /dev/null
+echo "=== Done! Download keys from /server_pubkeys"