diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-20 12:25:15 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-20 12:25:15 +0100 |
commit | d4d0300c4158b5b65575a672049cf6828cec549c (patch) | |
tree | 659f7b9780716421339e69fd0116f934fe377b3c /system-profiles/openssh | |
parent | 8e0d233a31b17a5a39795b62e88617948b7efdd1 (diff) | |
download | nixos-d4d0300c4158b5b65575a672049cf6828cec549c.tar nixos-d4d0300c4158b5b65575a672049cf6828cec549c.tar.gz nixos-d4d0300c4158b5b65575a672049cf6828cec549c.tar.bz2 nixos-d4d0300c4158b5b65575a672049cf6828cec549c.tar.xz nixos-d4d0300c4158b5b65575a672049cf6828cec549c.zip |
...
Diffstat (limited to 'system-profiles/openssh')
-rw-r--r-- | system-profiles/openssh/default.nix | 19 |
1 files changed, 3 insertions, 16 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix index 6ad7215a..eb6df9c5 100644 --- a/system-profiles/openssh/default.nix +++ b/system-profiles/openssh/default.nix | |||
@@ -69,7 +69,7 @@ in { | |||
69 | inherit Ciphers Macs KexAlgorithms HostKeyAlgorithms CASignatureAlgorithms PubkeyAcceptedAlgorithms; | 69 | inherit Ciphers Macs KexAlgorithms HostKeyAlgorithms CASignatureAlgorithms PubkeyAcceptedAlgorithms; |
70 | 70 | ||
71 | LogLevel = "VERBOSE"; | 71 | LogLevel = "VERBOSE"; |
72 | RevokedKeys = "/etc/ssh/krl.bin"; | 72 | RevokedKeys = ./ca/krl.bin; |
73 | 73 | ||
74 | PasswordAuthentication = mkDefault false; | 74 | PasswordAuthentication = mkDefault false; |
75 | KbdInteractiveAuthentication = mkDefault false; | 75 | KbdInteractiveAuthentication = mkDefault false; |
@@ -77,9 +77,9 @@ in { | |||
77 | moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli"; | 77 | moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli"; |
78 | extraConfig = '' | 78 | extraConfig = '' |
79 | ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_ed25519_key"} | 79 | ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_ed25519_key"} |
80 | ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"} | 80 | ${optionalString cfg.staticHostKeys "HostCertificate ${./known-hosts + "/${hostName}/ed25519.pub"}"} |
81 | ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_rsa_key"} | 81 | ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_rsa_key"} |
82 | ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"} | 82 | ${optionalString cfg.staticHostKeys "HostCertificate ${./known-hosts + "/${hostName}/rsa-cert.pub"}"} |
83 | ''; | 83 | ''; |
84 | }; | 84 | }; |
85 | 85 | ||
@@ -119,31 +119,18 @@ in { | |||
119 | sops.secrets = mkIf cfg.enable { | 119 | sops.secrets = mkIf cfg.enable { |
120 | ssh_host_rsa_key = mkIf cfg.staticHostKeys { | 120 | ssh_host_rsa_key = mkIf cfg.staticHostKeys { |
121 | key = "rsa"; | 121 | key = "rsa"; |
122 | path = "/etc/ssh/ssh_host_rsa_key"; | ||
123 | sopsFile = ./host-keys + "/${hostName}.yaml"; | 122 | sopsFile = ./host-keys + "/${hostName}.yaml"; |
124 | }; | 123 | }; |
125 | ssh_host_ed25519_key = mkIf cfg.staticHostKeys { | 124 | ssh_host_ed25519_key = mkIf cfg.staticHostKeys { |
126 | key = "ed25519"; | 125 | key = "ed25519"; |
127 | path = "/etc/ssh/ssh_host_ed25519_key"; | ||
128 | sopsFile = ./host-keys + "/${hostName}.yaml"; | 126 | sopsFile = ./host-keys + "/${hostName}.yaml"; |
129 | }; | 127 | }; |
130 | ssh_moduli = mkIf (pathExists (./host-moduli + "/${hostName}")) { | 128 | ssh_moduli = mkIf (pathExists (./host-moduli + "/${hostName}")) { |
131 | format = "binary"; | 129 | format = "binary"; |
132 | path = "/etc/ssh/moduli"; | ||
133 | sopsFile = ./host-moduli + "/${hostName}"; | 130 | sopsFile = ./host-moduli + "/${hostName}"; |
134 | }; | 131 | }; |
135 | }; | 132 | }; |
136 | 133 | ||
137 | environment.etc = mkIf cfg.enable { | ||
138 | "ssh/ssh_host_rsa_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa.pub"; }; | ||
139 | "ssh/ssh_host_ed25519_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519.pub"; }; | ||
140 | |||
141 | "ssh/ssh_host_rsa_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa-cert.pub"; }; | ||
142 | "ssh/ssh_host_ed25519_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519-cert.pub"; }; | ||
143 | |||
144 | "ssh/krl.bin".source = ./ca/krl.bin; | ||
145 | }; | ||
146 | |||
147 | environment.systemPackages = mkIf cfg.enable (with pkgs; [ | 134 | environment.systemPackages = mkIf cfg.enable (with pkgs; [ |
148 | alacritty.terminfo | 135 | alacritty.terminfo |
149 | ]); | 136 | ]); |