author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-05-15 22:02:34 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-05-15 22:02:34 +0200 |
commit | 0e0f035264d897e65676ecdc06aee555fae796a8 (patch) | |
tree | 1c78cd1631cffd1aaae0f578299c1928419b6f39 /system-profiles/openssh/default.nix | |
parent | 2c75432a1a48feff3f1ab86d200d4d9ac0ea487f (diff) | |
openssh: known_hosts without enable
Diffstat (limited to 'system-profiles/openssh/default.nix')
-rw-r--r-- | system-profiles/openssh/default.nix | 61 |
1 files changed, 33 insertions, 28 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix index 4db3d7db..ee7d8868 100644 --- a/system-profiles/openssh/default.nix +++ b/system-profiles/openssh/default.nix | |||
@@ -1,36 +1,41 @@ | |||
1 | { customUtils, lib, config, hostName, ... }: | 1 | { customUtils, lib, config, hostName, pkgs, ... }: |
2 | { | 2 | { |
3 | services.openssh = { | 3 | config = { |
4 | enable = true; | 4 | programs.ssh.knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; })); |
5 | knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; })); | ||
6 | 5 | ||
7 | hostKeys = [ | 6 | systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager |
8 | { path = "/etc/ssh/ssh_host_rsa_key"; | ||
9 | type = "rsa"; | ||
10 | } | ||
11 | { path = "/etc/ssh/ssh_host_ed25519_key"; | ||
12 | type = "ed25519"; | ||
13 | } | ||
14 | ]; | ||
15 | }; | ||
16 | 7 | ||
17 | sops.secrets = { | 8 | services.openssh = lib.mkIf config.services.openssh.enable { |
18 | ssh_host_rsa_key = { | 9 | hostKeys = [ |
19 | key = "rsa"; | 10 | { path = "/etc/ssh/ssh_host_rsa_key"; |
20 | path = "/etc/ssh/ssh_host_rsa_key"; | 11 | type = "rsa"; |
21 | sopsFile = ./host-keys + "/${hostName}.yaml"; | 12 | } |
13 | { path = "/etc/ssh/ssh_host_ed25519_key"; | ||
14 | type = "ed25519"; | ||
15 | } | ||
16 | ]; | ||
22 | }; | 17 | }; |
23 | ssh_host_ed25519_key = { | 18 | |
24 | key = "ed25519"; | 19 | sops.secrets = lib.mkIf config.services.openssh.enable { |
25 | path = "/etc/ssh/ssh_host_ed25519_key"; | 20 | ssh_host_rsa_key = { |
26 | sopsFile = ./host-keys + "/${hostName}.yaml"; | 21 | key = "rsa"; |
22 | path = "/etc/ssh/ssh_host_rsa_key"; | ||
23 | sopsFile = ./host-keys + "/${hostName}.yaml"; | ||
24 | }; | ||
25 | ssh_host_ed25519_key = { | ||
26 | key = "ed25519"; | ||
27 | path = "/etc/ssh/ssh_host_ed25519_key"; | ||
28 | sopsFile = ./host-keys + "/${hostName}.yaml"; | ||
29 | }; | ||
27 | }; | 30 | }; |
28 | }; | ||
29 | 31 | ||
30 | environment.etc = { | 32 | environment.etc = lib.mkIf config.services.openssh.enable { |
31 | "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey; | 33 | "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey; |
32 | "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey; | 34 | "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey; |
33 | }; | 35 | }; |
34 | 36 | ||
35 | systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager | 37 | environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [ |
38 | rxvt_unicode.terminfo | ||
39 | ]); | ||
40 | }; | ||
36 | } | 41 | } |
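Review bot: The new `environment.etc` block still reads `config.services.openssh.knownHosts."${hostName}-rsa"` (and the ed25519 twin) although the definition on new line 4 was moved to `programs.ssh.knownHosts`, so the published host-key files now depend on the module system's renamed-option alias rather than on the option this file actually sets. Read from the same path that is written: `"ssh/ssh_host_rsa_key.pub".text = config.programs.ssh.knownHosts."${hostName}-rsa".publicKey;` and `"ssh/ssh_host_ed25519_key.pub".text = config.programs.ssh.knownHosts."${hostName}-ed25519".publicKey;`. This keeps the file consistent and survives eventual removal of the alias; the indentation of the two lines cannot be confirmed from the rendered page. The gating of `sops.secrets` on `services.openssh.enable` is a welcome tightening, since private host keys are then only decrypted onto hosts that run sshd, and a one-line comment stating that intent next to new line 19 would make it explicit.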