authorGregor Kleen <gkleen@yggdrasil.li>2023-03-20 12:25:15 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2023-03-20 12:25:15 +0100
commitd4d0300c4158b5b65575a672049cf6828cec549c (patch)
tree659f7b9780716421339e69fd0116f934fe377b3c
parent8e0d233a31b17a5a39795b62e88617948b7efdd1 (diff)
...
-rw-r--r--system-profiles/openssh/default.nix19
1 files changed, 3 insertions, 16 deletions
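diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 6ad7215a..eb6df9c5 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -69,7 +69,7 @@ in {
 inherit Ciphers Macs KexAlgorithms HostKeyAlgorithms CASignatureAlgorithms PubkeyAcceptedAlgorithms;
 
 LogLevel = "VERBOSE";
-RevokedKeys = "/etc/ssh/krl.bin";
+RevokedKeys = ./ca/krl.bin;
 
 PasswordAuthentication = mkDefault false;
 KbdInteractiveAuthentication = mkDefault false;
@@ -77,9 +77,9 @@ in {
 moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli";
 extraConfig = ''
 ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_ed25519_key"}
-${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"}
+${optionalString cfg.staticHostKeys "HostCertificate ${./known-hosts + "/${hostName}/ed25519.pub"}"}
 ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_rsa_key"}
-${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"}
+${optionalString cfg.staticHostKeys "HostCertificate ${./known-hosts + "/${hostName}/rsa-cert.pub"}"}
 '';
 };
 
@@ -119,31 +119,18 @@ in {
 sops.secrets = mkIf cfg.enable {
 ssh_host_rsa_key = mkIf cfg.staticHostKeys {
 key = "rsa";
-path = "/etc/ssh/ssh_host_rsa_key";
 sopsFile = ./host-keys + "/${hostName}.yaml";
 };
 ssh_host_ed25519_key = mkIf cfg.staticHostKeys {
 key = "ed25519";
-path = "/etc/ssh/ssh_host_ed25519_key";
 sopsFile = ./host-keys + "/${hostName}.yaml";
 };
 ssh_moduli = mkIf (pathExists (./host-moduli + "/${hostName}")) {
 format = "binary";
-path = "/etc/ssh/moduli";
 sopsFile = ./host-moduli + "/${hostName}";
 };
 };
 
-environment.etc = mkIf cfg.enable {
-"ssh/ssh_host_rsa_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa.pub"; };
-"ssh/ssh_host_ed25519_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519.pub"; };
-
-"ssh/ssh_host_rsa_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa-cert.pub"; };
-"ssh/ssh_host_ed25519_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519-cert.pub"; };
-
-"ssh/krl.bin".source = ./ca/krl.bin;
-};
-
 environment.systemPackages = mkIf cfg.enable (with pkgs; [
 alacritty.terminfo
 ]);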
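Review bot: The new ed25519 `HostCertificate` line (new line 80 in the second hunk) points at `known-hosts/${hostName}/ed25519.pub`, which the removed `environment.etc` block mapped to the plain public key (`ssh_host_ed25519_key.pub`), while the certificate lived in `ed25519-cert.pub`; the parallel RSA line correctly uses `rsa-cert.pub`. Handing sshd a bare public key as a HostCertificate means the ed25519 certificate fails to load, so clients that trust the host via an `@cert-authority` known_hosts entry will no longer see a certificate for that key type and fall back to raw-key trust or a warning. The fix is the file name only: `${optionalString cfg.staticHostKeys "HostCertificate ${./known-hosts + "/${hostName}/ed25519-cert.pub"}"}`. Worth a comment on `RevokedKeys = ./ca/krl.bin;` as well, e.g. `# path literal: KRL is copied into the (world-readable) store and only refreshed on rebuild`, since the KRL is public but revocations now only take effect after a deploy rather than by updating /etc/ssh/krl.bin. The enclosing `config` attrset starts and ends outside the hunks.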