From 4ea7f369f108d9a2124077667f0497453bcfc665 Mon Sep 17 00:00:00 2001
From: domrichardson <100129001+domrichardson@users.noreply.github.com>
Date: Tue, 16 Jun 2026 10:28:46 +0100
Subject: [PATCH] updates

---
 agent/internal/grpc/pb/keymanager.pb.go  |   6 +-
 agent/internal/keys/keys.go              |  31 +++-
 agent/internal/sync/sync.go              |  13 +-
 proto/keymanager/v1/keymanager.proto     |   6 +-
 server/internal/api/handlers.go          |  14 +-
 server/internal/grpc/pb/keymanager.pb.go |   6 +-
 server/internal/services/dispatch.go     |  21 ++-
 web/app/servers/[id]/page.tsx            | 177 ++++++++++++++++++++++-
 web/lib/api.ts                           |  13 +-
 9 files changed, 263 insertions(+), 24 deletions(-)

diff --git a/agent/internal/grpc/pb/keymanager.pb.go b/agent/internal/grpc/pb/keymanager.pb.go
index 79aecbd..748535a 100644
--- a/agent/internal/grpc/pb/keymanager.pb.go
+++ b/agent/internal/grpc/pb/keymanager.pb.go
@@ -50,7 +50,11 @@ type ServerCommand struct {
 }
 
 type GenerateKeyCmd struct {
-	Label string `json:"label"`
+	Label      string `json:"label"`
+	KeyType    string `json:"key_type,omitempty"`
+	KeySize    int    `json:"key_size,omitempty"`
+	Passphrase string `json:"passphrase,omitempty"`
+	Comment    string `json:"comment,omitempty"`
 }
 
 type AgentMessage struct {
diff --git a/agent/internal/keys/keys.go b/agent/internal/keys/keys.go
index e9a8cc4..00bff38 100644
--- a/agent/internal/keys/keys.go
+++ b/agent/internal/keys/keys.go
@@ -93,19 +93,36 @@ func fingerprint(pubKey string) string {
 	return "MD5:" + strings.Join(pairs, ":")
 }
 
-// GenerateKeyPair generates an ed25519 SSH keypair and returns the public key.
+// KeyGenOptions controls how ssh-keygen is invoked.
+type KeyGenOptions struct {
+	KeyType    string // ed25519 (default), rsa, ecdsa
+	KeySize    int    // bits; used for rsa and ecdsa
+	Passphrase string // empty = no passphrase
+	Comment    string // embedded in the public key
+}
+
+// GenerateKeyPair generates an SSH keypair and returns the public key.
 // The private key is written to keyPath; keyPath+".pub" holds the public key.
-func GenerateKeyPair(keyPath, comment string) (string, error) {
+func GenerateKeyPair(keyPath string, opts KeyGenOptions) (string, error) {
 	if err := os.MkdirAll(filepath.Dir(keyPath), 0700); err != nil {
 		return "", err
 	}
 
-	args := []string{
-		"-t", "ed25519",
-		"-f", keyPath,
-		"-N", "",
-		"-C", comment,
+	keyType := opts.KeyType
+	if keyType == "" {
+		keyType = "ed25519"
 	}
+
+	args := []string{
+		"-t", keyType,
+		"-f", keyPath,
+		"-N", opts.Passphrase,
+		"-C", opts.Comment,
+	}
+	if opts.KeySize > 0 && keyType != "ed25519" {
+		args = append(args, "-b", fmt.Sprintf("%d", opts.KeySize))
+	}
+
 	cmd := exec.Command("ssh-keygen", args...)
 	out, err := cmd.CombinedOutput()
 	if err != nil {
diff --git a/agent/internal/sync/sync.go b/agent/internal/sync/sync.go
index 2f6df2d..85cccff 100644
--- a/agent/internal/sync/sync.go
+++ b/agent/internal/sync/sync.go
@@ -166,10 +166,17 @@ func connectAndHandleStream(ctx context.Context, cfg *config.Config) error {
 }
 
 func handleGenerateKey(cfg *config.Config, cmd *pb.ServerCommand) {
-	label := cmd.GenerateKey.Label
+	g := cmd.GenerateKey
+	label := g.Label
 	keyPath := fmt.Sprintf("/root/.ssh/keymanager_%s", strings.ReplaceAll(label, " ", "_"))
 
-	pubKey, err := keys.GenerateKeyPair(keyPath, label)
+	opts := keys.KeyGenOptions{
+		KeyType:    g.KeyType,
+		KeySize:    g.KeySize,
+		Passphrase: g.Passphrase,
+		Comment:    g.Comment,
+	}
+	pubKey, err := keys.GenerateKeyPair(keyPath, opts)
 	if err != nil {
 		log.Printf("key generation failed (cmd=%s): %v", cmd.CommandId, err)
 		return
@@ -214,7 +221,7 @@ func GenerateAndUpload(cfg *config.Config, label string) error {
 	defer client.Close()
 
 	keyPath := fmt.Sprintf("/root/.ssh/keymanager_%s", strings.ReplaceAll(label, " ", "_"))
-	pubKey, err := keys.GenerateKeyPair(keyPath, label)
+	pubKey, err := keys.GenerateKeyPair(keyPath, keys.KeyGenOptions{Comment: label})
 	if err != nil {
 		return err
 	}
diff --git a/proto/keymanager/v1/keymanager.proto b/proto/keymanager/v1/keymanager.proto
index 296c802..754b93d 100644
--- a/proto/keymanager/v1/keymanager.proto
+++ b/proto/keymanager/v1/keymanager.proto
@@ -71,5 +71,9 @@ message ServerCommand {
 }
 
 message GenerateKeyCmd {
-  string label = 1;
+  string label      = 1;
+  string key_type   = 2; // ed25519 | rsa | ecdsa (default: ed25519)
+  int32  key_size   = 3; // bits; used for rsa and ecdsa
+  string passphrase = 4; // empty = no passphrase
+  string comment    = 5; // embedded in public key
 }
diff --git a/server/internal/api/handlers.go b/server/internal/api/handlers.go
index beda91b..e8c3552 100644
--- a/server/internal/api/handlers.go
+++ b/server/internal/api/handlers.go
@@ -126,7 +126,11 @@ func generateKey(c *gin.Context) {
 	id := c.Param("id")
 
 	var body struct {
-		Label string `json:"label"`
+		Label      string `json:"label"`
+		KeyType    string `json:"key_type"`
+		KeySize    int    `json:"key_size"`
+		Passphrase string `json:"passphrase"`
+		Comment    string `json:"comment"`
 	}
 	_ = c.ShouldBindJSON(&body)
 	if body.Label == "" {
@@ -139,7 +143,13 @@ func generateKey(c *gin.Context) {
 		return
 	}
 
-	cmdID, err := services.DispatchGenerateKey(s.ServerID, body.Label)
+	cmdID, err := services.DispatchGenerateKey(s.ServerID, services.KeyGenParams{
+		Label:      body.Label,
+		KeyType:    body.KeyType,
+		KeySize:    body.KeySize,
+		Passphrase: body.Passphrase,
+		Comment:    body.Comment,
+	})
 	if err != nil {
 		c.JSON(http.StatusServiceUnavailable, gin.H{"error": err.Error()})
 		return
diff --git a/server/internal/grpc/pb/keymanager.pb.go b/server/internal/grpc/pb/keymanager.pb.go
index 56e3cb3..93b94fd 100644
--- a/server/internal/grpc/pb/keymanager.pb.go
+++ b/server/internal/grpc/pb/keymanager.pb.go
@@ -53,7 +53,11 @@ type ServerCommand struct {
 }
 
 type GenerateKeyCmd struct {
-	Label string `json:"label"`
+	Label      string `json:"label"`
+	KeyType    string `json:"key_type,omitempty"`
+	KeySize    int    `json:"key_size,omitempty"`
+	Passphrase string `json:"passphrase,omitempty"`
+	Comment    string `json:"comment,omitempty"`
 }
 
 type AgentMessage struct {
diff --git a/server/internal/services/dispatch.go b/server/internal/services/dispatch.go
index bb83db8..033e7ae 100644
--- a/server/internal/services/dispatch.go
+++ b/server/internal/services/dispatch.go
@@ -58,16 +58,31 @@ func (d *commandDispatcher) dispatch(serverID string, cmd *pb.ServerCommand) err
 	}
 }
 
+// KeyGenParams carries all options for a generate-key command.
+type KeyGenParams struct {
+	Label      string
+	KeyType    string
+	KeySize    int
+	Passphrase string
+	Comment    string
+}
+
 // DispatchGenerateKey sends a generate-key command to the named server's agent.
 // Returns the command ID that can be used to correlate the agent's result.
-func DispatchGenerateKey(serverID, label string) (string, error) {
+func DispatchGenerateKey(serverID string, p KeyGenParams) (string, error) {
 	if !Dispatcher.IsConnected(serverID) {
 		return "", fmt.Errorf("agent is not connected to the command stream")
 	}
 	cmdID := uuid.New().String()
 	cmd := &pb.ServerCommand{
-		CommandId:   cmdID,
-		GenerateKey: &pb.GenerateKeyCmd{Label: label},
+		CommandId: cmdID,
+		GenerateKey: &pb.GenerateKeyCmd{
+			Label:      p.Label,
+			KeyType:    p.KeyType,
+			KeySize:    p.KeySize,
+			Passphrase: p.Passphrase,
+			Comment:    p.Comment,
+		},
 	}
 	if err := Dispatcher.dispatch(serverID, cmd); err != nil {
 		return "", err
diff --git a/web/app/servers/[id]/page.tsx b/web/app/servers/[id]/page.tsx
index 28b74d9..87ab1e0 100644
--- a/web/app/servers/[id]/page.tsx
+++ b/web/app/servers/[id]/page.tsx
@@ -4,7 +4,7 @@ import { useState } from "react";
 import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
 import { useParams, useRouter } from "next/navigation";
 import Link from "next/link";
-import { api, ServerStatus } from "@/lib/api";
+import { api, ServerStatus, GenerateKeyOptions } from "@/lib/api";
 import { Badge, Button, Card, CardHeader, CardTitle } from "@/components/ui";
 import { Table, Thead, Tbody, Tr, Th, Td } from "@/components/ui";
 
@@ -20,12 +20,173 @@ function formatDate(dateStr: string) {
   return new Date(dateStr).toLocaleString();
 }
 
+const KEY_SIZES: Record<string, number[]> = {
+  rsa: [2048, 3072, 4096],
+  ecdsa: [256, 384, 521],
+};
+
+const DEFAULT_SIZE: Record<string, number> = {
+  rsa: 4096,
+  ecdsa: 256,
+};
+
+function GenerateKeyModal({
+  onClose,
+  onSubmit,
+  isPending,
+}: {
+  onClose: () => void;
+  onSubmit: (opts: GenerateKeyOptions) => void;
+  isPending: boolean;
+}) {
+  const [label, setLabel] = useState("");
+  const [keyType, setKeyType] = useState<"ed25519" | "rsa" | "ecdsa">("ed25519");
+  const [keySize, setKeySize] = useState<number>(4096);
+  const [passphrase, setPassphrase] = useState("");
+  const [comment, setComment] = useState("");
+
+  function handleKeyTypeChange(t: "ed25519" | "rsa" | "ecdsa") {
+    setKeyType(t);
+    if (t !== "ed25519") {
+      setKeySize(DEFAULT_SIZE[t]);
+    }
+  }
+
+  function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    onSubmit({
+      label: label || "generated",
+      key_type: keyType,
+      key_size: keyType !== "ed25519" ? keySize : undefined,
+      passphrase: passphrase || undefined,
+      comment: comment || undefined,
+    });
+  }
+
+  const sizes = KEY_SIZES[keyType];
+
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center">
+      <div className="absolute inset-0 bg-black/60 backdrop-blur-sm" onClick={onClose} />
+      <div className="relative z-10 w-full max-w-md rounded-xl border border-border bg-surface-1 p-6 shadow-2xl">
+        <div className="mb-5 flex items-center justify-between">
+          <h2 className="text-lg font-semibold text-text-primary">Generate SSH Key</h2>
+          <button
+            onClick={onClose}
+            className="rounded-md p-1 text-text-secondary hover:text-text-primary transition-colors"
+          >
+            <svg className="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
+              <path strokeLinecap="round" strokeLinejoin="round" d="M6 18L18 6M6 6l12 12" />
+            </svg>
+          </button>
+        </div>
+
+        <form onSubmit={handleSubmit} className="space-y-4">
+          <div>
+            <label className="mb-1.5 block text-sm font-medium text-text-secondary">
+              Label <span className="text-text-tertiary">(used as the key name in KeyManager)</span>
+            </label>
+            <input
+              type="text"
+              value={label}
+              onChange={e => setLabel(e.target.value)}
+              placeholder="e.g. server-deploy-key"
+              className="w-full rounded-lg border border-border bg-surface-2 px-3 py-2 text-sm text-text-primary placeholder:text-text-tertiary focus:border-accent/50 focus:outline-none focus:ring-1 focus:ring-accent/30"
+            />
+          </div>
+
+          <div>
+            <label className="mb-1.5 block text-sm font-medium text-text-secondary">Key Type</label>
+            <div className="grid grid-cols-3 gap-2">
+              {(["ed25519", "rsa", "ecdsa"] as const).map(t => (
+                <button
+                  key={t}
+                  type="button"
+                  onClick={() => handleKeyTypeChange(t)}
+                  className={`rounded-lg border px-3 py-2 text-sm font-medium transition-colors ${
+                    keyType === t
+                      ? "border-accent bg-accent/10 text-accent"
+                      : "border-border bg-surface-2 text-text-secondary hover:border-accent/40 hover:text-text-primary"
+                  }`}
+                >
+                  {t}
+                </button>
+              ))}
+            </div>
+            {keyType === "ed25519" && (
+              <p className="mt-1.5 text-xs text-text-tertiary">Modern, fast, and secure. Recommended for new keys.</p>
+            )}
+            {keyType === "rsa" && (
+              <p className="mt-1.5 text-xs text-text-tertiary">Widely compatible with older systems.</p>
+            )}
+            {keyType === "ecdsa" && (
+              <p className="mt-1.5 text-xs text-text-tertiary">Elliptic curve — shorter keys, good compatibility.</p>
+            )}
+          </div>
+
+          {sizes && (
+            <div>
+              <label className="mb-1.5 block text-sm font-medium text-text-secondary">Key Size (bits)</label>
+              <select
+                value={keySize}
+                onChange={e => setKeySize(Number(e.target.value))}
+                className="w-full rounded-lg border border-border bg-surface-2 px-3 py-2 text-sm text-text-primary focus:border-accent/50 focus:outline-none focus:ring-1 focus:ring-accent/30"
+              >
+                {sizes.map(s => (
+                  <option key={s} value={s}>{s}</option>
+                ))}
+              </select>
+            </div>
+          )}
+
+          <div>
+            <label className="mb-1.5 block text-sm font-medium text-text-secondary">
+              Comment <span className="text-text-tertiary">(embedded in the public key)</span>
+            </label>
+            <input
+              type="text"
+              value={comment}
+              onChange={e => setComment(e.target.value)}
+              placeholder="e.g. user@hostname"
+              className="w-full rounded-lg border border-border bg-surface-2 px-3 py-2 text-sm text-text-primary placeholder:text-text-tertiary focus:border-accent/50 focus:outline-none focus:ring-1 focus:ring-accent/30"
+            />
+          </div>
+
+          <div>
+            <label className="mb-1.5 block text-sm font-medium text-text-secondary">
+              Passphrase <span className="text-text-tertiary">(leave blank for no passphrase)</span>
+            </label>
+            <input
+              type="password"
+              value={passphrase}
+              onChange={e => setPassphrase(e.target.value)}
+              placeholder="Optional passphrase"
+              autoComplete="new-password"
+              className="w-full rounded-lg border border-border bg-surface-2 px-3 py-2 text-sm text-text-primary placeholder:text-text-tertiary focus:border-accent/50 focus:outline-none focus:ring-1 focus:ring-accent/30"
+            />
+          </div>
+
+          <div className="flex gap-3 pt-1">
+            <Button type="submit" variant="primary" loading={isPending} className="flex-1">
+              Generate Key
+            </Button>
+            <Button type="button" variant="ghost" onClick={onClose}>
+              Cancel
+            </Button>
+          </div>
+        </form>
+      </div>
+    </div>
+  );
+}
+
 export default function ServerDetailPage() {
   const params = useParams();
   const router = useRouter();
   const queryClient = useQueryClient();
   const serverId = params.id as string;
   const [confirmDelete, setConfirmDelete] = useState(false);
+  const [showGenerateModal, setShowGenerateModal] = useState(false);
   const [copiedUpdate, setCopiedUpdate] = useState(false);
 
   const { data: server, isLoading, error } = useQuery({
@@ -35,8 +196,9 @@ export default function ServerDetailPage() {
   });
 
   const { mutate: generateKey, isPending: isGenerating } = useMutation({
-    mutationFn: () => api.generateKeyForServer(serverId),
+    mutationFn: (opts: GenerateKeyOptions) => api.generateKeyForServer(serverId, opts),
     onSuccess: () => {
+      setShowGenerateModal(false);
       queryClient.invalidateQueries({ queryKey: ["servers", serverId] });
       queryClient.invalidateQueries({ queryKey: ["keys"] });
     },
@@ -70,6 +232,14 @@ export default function ServerDetailPage() {
 
   return (
     <div className="p-8">
+      {showGenerateModal && (
+        <GenerateKeyModal
+          onClose={() => setShowGenerateModal(false)}
+          onSubmit={opts => generateKey(opts)}
+          isPending={isGenerating}
+        />
+      )}
+
       <div className="mb-6 flex items-start justify-between">
         <div>
           <div className="flex items-center gap-3">
@@ -86,8 +256,7 @@ export default function ServerDetailPage() {
         <div className="flex gap-2">
           <Button
             variant="secondary"
-            loading={isGenerating}
-            onClick={() => generateKey()}
+            onClick={() => setShowGenerateModal(true)}
           >
             <svg className="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={1.5}>
               <path strokeLinecap="round" strokeLinejoin="round" d="M15.75 5.25a3 3 0 013 3m3 0a6 6 0 01-7.029 5.912c-.563-.097-1.159.026-1.563.43L10.5 17.25H8.25v2.25H6v2.25H2.25v-2.818c0-.597.237-1.17.659-1.591l6.499-6.499c.404-.404.527-1 .43-1.563A6 6 0 1121.75 8.25z" />
diff --git a/web/lib/api.ts b/web/lib/api.ts
index f3dd0a9..9c67e89 100644
--- a/web/lib/api.ts
+++ b/web/lib/api.ts
@@ -38,6 +38,14 @@ export interface NewServerResponse {
   install_command: string;
 }
 
+export interface GenerateKeyOptions {
+  label: string;
+  key_type: "ed25519" | "rsa" | "ecdsa";
+  key_size?: number;
+  passphrase?: string;
+  comment?: string;
+}
+
 export interface KeyWithAssignments extends Key {
   assignments: (Assignment & { server: Server })[];
 }
@@ -96,9 +104,10 @@ export const api = {
     return request<void>(`/servers/${serverId}`, { method: "DELETE" });
   },
 
-  generateKeyForServer(serverId: string): Promise<{ key_id: string }> {
-    return request<{ key_id: string }>(`/servers/${serverId}/generate-key`, {
+  generateKeyForServer(serverId: string, opts: GenerateKeyOptions): Promise<{ command_id: string }> {
+    return request<{ command_id: string }>(`/servers/${serverId}/generate-key`, {
       method: "POST",
+      body: JSON.stringify(opts),
     });
   },