summaryrefslogtreecommitdiff
path: root/system-profiles/openssh/default.nix
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2021-05-15 22:02:34 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2021-05-15 22:02:34 +0200
commit0e0f035264d897e65676ecdc06aee555fae796a8 (patch)
tree1c78cd1631cffd1aaae0f578299c1928419b6f39 /system-profiles/openssh/default.nix
parent2c75432a1a48feff3f1ab86d200d4d9ac0ea487f (diff)
downloadnixos-0e0f035264d897e65676ecdc06aee555fae796a8.tar
nixos-0e0f035264d897e65676ecdc06aee555fae796a8.tar.gz
nixos-0e0f035264d897e65676ecdc06aee555fae796a8.tar.bz2
nixos-0e0f035264d897e65676ecdc06aee555fae796a8.tar.xz
nixos-0e0f035264d897e65676ecdc06aee555fae796a8.zip
openssh: known_hosts without enable
Diffstat (limited to 'system-profiles/openssh/default.nix')
-rw-r--r--system-profiles/openssh/default.nix61
1 files changed, 33 insertions, 28 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 4db3d7db..ee7d8868 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -1,36 +1,41 @@
1{ customUtils, lib, config, hostName, ... }: 1{ customUtils, lib, config, hostName, pkgs, ... }:
2{ 2{
3 services.openssh = { 3 config = {
4 enable = true; 4 programs.ssh.knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; }));
5 knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; }));
6 5
7 hostKeys = [ 6 systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
8 { path = "/etc/ssh/ssh_host_rsa_key";
9 type = "rsa";
10 }
11 { path = "/etc/ssh/ssh_host_ed25519_key";
12 type = "ed25519";
13 }
14 ];
15 };
16 7
17 sops.secrets = { 8 services.openssh = lib.mkIf config.services.openssh.enable {
18 ssh_host_rsa_key = { 9 hostKeys = [
19 key = "rsa"; 10 { path = "/etc/ssh/ssh_host_rsa_key";
20 path = "/etc/ssh/ssh_host_rsa_key"; 11 type = "rsa";
21 sopsFile = ./host-keys + "/${hostName}.yaml"; 12 }
13 { path = "/etc/ssh/ssh_host_ed25519_key";
14 type = "ed25519";
15 }
16 ];
22 }; 17 };
23 ssh_host_ed25519_key = { 18
24 key = "ed25519"; 19 sops.secrets = lib.mkIf config.services.openssh.enable {
25 path = "/etc/ssh/ssh_host_ed25519_key"; 20 ssh_host_rsa_key = {
26 sopsFile = ./host-keys + "/${hostName}.yaml"; 21 key = "rsa";
22 path = "/etc/ssh/ssh_host_rsa_key";
23 sopsFile = ./host-keys + "/${hostName}.yaml";
24 };
25 ssh_host_ed25519_key = {
26 key = "ed25519";
27 path = "/etc/ssh/ssh_host_ed25519_key";
28 sopsFile = ./host-keys + "/${hostName}.yaml";
29 };
27 }; 30 };
28 };
29 31
30 environment.etc = { 32 environment.etc = lib.mkIf config.services.openssh.enable {
31 "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey; 33 "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
32 "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey; 34 "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
33 }; 35 };
34 36
35 systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager 37 environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [
38 rxvt_unicode.terminfo
39 ]);
40 };
36} 41}