summaryrefslogtreecommitdiff
path: root/system-profiles/openssh/default.nix
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2021-01-02 20:53:17 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-01-03 16:21:34 +0100
commitf6e600c20d6a97ebeda23fa2bb5621646222b2b0 (patch)
tree5551a23218db79e3edbf41557b474121f0745821 /system-profiles/openssh/default.nix
parentf4fa33d0d258c4f66f804ed3fc3be590d8039e6e (diff)
downloadnixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.tar
nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.tar.gz
nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.tar.bz2
nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.tar.xz
nixos-f6e600c20d6a97ebeda23fa2bb5621646222b2b0.zip
sif: import config
Diffstat (limited to 'system-profiles/openssh/default.nix')
-rw-r--r--system-profiles/openssh/default.nix36
1 files changed, 36 insertions, 0 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
new file mode 100644
index 00000000..4db3d7db
--- /dev/null
+++ b/system-profiles/openssh/default.nix
@@ -0,0 +1,36 @@
1{ customUtils, lib, config, hostName, ... }:
2{
3 services.openssh = {
4 enable = true;
5 knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; }));
6
7 hostKeys = [
8 { path = "/etc/ssh/ssh_host_rsa_key";
9 type = "rsa";
10 }
11 { path = "/etc/ssh/ssh_host_ed25519_key";
12 type = "ed25519";
13 }
14 ];
15 };
16
17 sops.secrets = {
18 ssh_host_rsa_key = {
19 key = "rsa";
20 path = "/etc/ssh/ssh_host_rsa_key";
21 sopsFile = ./host-keys + "/${hostName}.yaml";
22 };
23 ssh_host_ed25519_key = {
24 key = "ed25519";
25 path = "/etc/ssh/ssh_host_ed25519_key";
26 sopsFile = ./host-keys + "/${hostName}.yaml";
27 };
28 };
29
30 environment.etc = {
31 "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
32 "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
33 };
34
35 systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
36}