sif: import config

author: Gregor Kleen <gkleen@yggdrasil.li> 2021-01-02 20:53:17 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2021-01-03 16:21:34 +0100
commit: f6e600c20d6a97ebeda23fa2bb5621646222b2b0 (patch)
tree: 5551a23218db79e3edbf41557b474121f0745821 /system-profiles/openssh/default.nix
parent: f4fa33d0d258c4f66f804ed3fc3be590d8039e6e (diff)
download: nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.tar
nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.tar.gz
nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.tar.bz2
nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.tar.xz
nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.zip
1 files changed, 36 insertions, 0 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
new file mode 100644
index 00000000..4db3d7db
--- /dev/null
+++ b/system-profiles/openssh/default.nix
@@ -0,0 +1,36 @@
+{ customUtils, lib, config, hostName, ... }:
+{
+  services.openssh = {
+    enable = true;
+    knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; }));
+    hostKeys = [
+      { path = "/etc/ssh/ssh_host_rsa_key";
+        type = "rsa";
+      }
+      { path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
+  };
+  sops.secrets = {
+    ssh_host_rsa_key = {
+        key = "rsa";
+        path = "/etc/ssh/ssh_host_rsa_key";
+        sopsFile = ./host-keys + "/${hostName}.yaml";
+    };
+    ssh_host_ed25519_key = {
+        key = "ed25519";
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        sopsFile = ./host-keys + "/${hostName}.yaml";
+    };
+  };
+  environment.etc = {
+    "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
+    "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
+  };
+  systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
+}
author	Gregor Kleen <gkleen@yggdrasil.li>	2021-01-02 20:53:17 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2021-01-03 16:21:34 +0100
commit	f6e600c20d6a97ebeda23fa2bb5621646222b2b0 (patch)
tree	5551a23218db79e3edbf41557b474121f0745821 /system-profiles/openssh/default.nix
parent	f4fa33d0d258c4f66f804ed3fc3be590d8039e6e (diff)
download	nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.tar nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.tar.gz nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.tar.bz2 nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.tar.xz nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.zip

diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix new file mode 100644 index 00000000..4db3d7db --- /dev/null +++ b/system-profiles/openssh/default.nix
@@ -0,0 +1,36 @@
	1	{ customUtils, lib, config, hostName, ... }:
	2	{
	3	services.openssh = {
	4	enable = true;
	5	knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; }));
	6
	7	hostKeys = [
	8	{ path = "/etc/ssh/ssh_host_rsa_key";
	9	type = "rsa";
	10	}
	11	{ path = "/etc/ssh/ssh_host_ed25519_key";
	12	type = "ed25519";
	13	}
	14	];
	15	};
	16
	17	sops.secrets = {
	18	ssh_host_rsa_key = {
	19	key = "rsa";
	20	path = "/etc/ssh/ssh_host_rsa_key";
	21	sopsFile = ./host-keys + "/${hostName}.yaml";
	22	};
	23	ssh_host_ed25519_key = {
	24	key = "ed25519";
	25	path = "/etc/ssh/ssh_host_ed25519_key";
	26	sopsFile = ./host-keys + "/${hostName}.yaml";
	27	};
	28	};
	29
	30	environment.etc = {
	31	"ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
	32	"ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
	33	};
	34
	35	systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
	36	}