authorGregor Kleen <gkleen@yggdrasil.li>2021-05-15 22:02:34 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2021-05-15 22:02:34 +0200
commit0e0f035264d897e65676ecdc06aee555fae796a8 (patch)
tree1c78cd1631cffd1aaae0f578299c1928419b6f39
parent2c75432a1a48feff3f1ab86d200d4d9ac0ea487f (diff)
openssh: known_hosts without enable
-rw-r--r--hosts/sif/default.nix2
-rw-r--r--hosts/surtr/default.nix1
-rw-r--r--system-profiles/openssh/default.nix61
3 files changed, 36 insertions, 28 deletions
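--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -106,6 +106,8 @@
 '';
 };
 
+services.openssh.enable = true;
+
 powerManagement = {
 enable = true;
 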
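--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -93,6 +93,7 @@
 };
 
 services.openssh = {
+enable = true;
 passwordAuthentication = false;
 challengeResponseAuthentication = false;
 extraConfig = ''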
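--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -1,36 +1,41 @@
-{ customUtils, lib, config, hostName, ... }:
+{ customUtils, lib, config, hostName, pkgs, ... }:
 {
-services.openssh = {
-enable = true;
-knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; }));
+config = {
+programs.ssh.knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; }));
 
-hostKeys = [
-{ path = "/etc/ssh/ssh_host_rsa_key";
-type = "rsa";
-}
-{ path = "/etc/ssh/ssh_host_ed25519_key";
-type = "ed25519";
-}
-];
-};
+systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
 
-sops.secrets = {
-ssh_host_rsa_key = {
-key = "rsa";
-path = "/etc/ssh/ssh_host_rsa_key";
-sopsFile = ./host-keys + "/${hostName}.yaml";
+services.openssh = lib.mkIf config.services.openssh.enable {
+hostKeys = [
+{ path = "/etc/ssh/ssh_host_rsa_key";
+type = "rsa";
+}
+{ path = "/etc/ssh/ssh_host_ed25519_key";
+type = "ed25519";
+}
+];
 };
-ssh_host_ed25519_key = {
-key = "ed25519";
-path = "/etc/ssh/ssh_host_ed25519_key";
-sopsFile = ./host-keys + "/${hostName}.yaml";
+
+sops.secrets = lib.mkIf config.services.openssh.enable {
+ssh_host_rsa_key = {
+key = "rsa";
+path = "/etc/ssh/ssh_host_rsa_key";
+sopsFile = ./host-keys + "/${hostName}.yaml";
+};
+ssh_host_ed25519_key = {
+key = "ed25519";
+path = "/etc/ssh/ssh_host_ed25519_key";
+sopsFile = ./host-keys + "/${hostName}.yaml";
+};
 };
-};
 
-environment.etc = {
+environment.etc = lib.mkIf config.services.openssh.enable {
 "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
 "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
 };
 
-systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
+environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [
+rxvt_unicode.terminfo
+]);
+};
 }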
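Review bot: The `environment.etc` block (new lines 33–34) still reads `config.services.openssh.knownHosts."${hostName}-rsa".publicKey` while this file now writes the entries to `programs.ssh.knownHosts` (new line 4); that presumably only keeps working through NixOS's rename alias of the old option, so the reads should follow the write: `"ssh/ssh_host_rsa_key.pub".text = config.programs.ssh.knownHosts."${hostName}-rsa".publicKey;` and the ed25519 line likewise. Gating `hostKeys`, `sops.secrets` and the `.pub` files on `services.openssh.enable` also means a host that turns sshd on before its entry exists under `./known-hosts` (or its `./host-keys/<hostName>.yaml`) now fails at evaluation with a bare attribute-missing error; an `assertions` entry checking `config.programs.ssh.knownHosts ? "${hostName}-rsa"` with a message naming the missing known-hosts file would make that failure self-explaining. Publishing `knownHosts` unconditionally, even on hosts that do not run sshd, is the right call since clients keep pinned host keys either way.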