...

1 files changed, 10 insertions, 3 deletions

diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index af4fb4ee..6ad7215a 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -74,15 +74,22 @@ in {
         PasswordAuthentication = mkDefault false;
         KbdInteractiveAuthentication = mkDefault false;
       };
-      moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
+      moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli";
       extraConfig = ''
-        ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"}
+        ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_ed25519_key"}
         ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"}
-        ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"}
+        ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_rsa_key"}
         ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"}
       '';
     };
 
+    systemd.services.sshd.serviceConfig.LoadCredential =
+         lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
+      ++ lib.optionals cfg.staticHostKeys [
+           "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+           "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+         ];
+
     programs.ssh = {
       knownHosts = {
         "*.yggdrasil.li" = {