...

author: Gregor Kleen <gkleen@yggdrasil.li> 2024-12-15 18:25:01 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2024-12-15 18:25:01 +0100
commit: 9873d9c34f7907a31c975c22f32497fd1278aa28 (patch)
tree: 93a72f917760eef7ad683b99842ccb5f0d380fb7 /system-profiles/openssh
parent: afaaaadb33316ee7705de192a6f667f1b07a10d3 (diff)
download: nixos-9873d9c34f7907a31c975c22f32497fd1278aa28.tar
nixos-9873d9c34f7907a31c975c22f32497fd1278aa28.tar.gz
nixos-9873d9c34f7907a31c975c22f32497fd1278aa28.tar.bz2
nixos-9873d9c34f7907a31c975c22f32497fd1278aa28.tar.xz
nixos-9873d9c34f7907a31c975c22f32497fd1278aa28.zip
1 files changed, 15 insertions, 12 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 25fc354f..e60e72d9 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -85,18 +85,21 @@ in {
    };
    systemd.services = mkIf cfg.enable {
-      "sshd@".serviceConfig = {
+      "sshd@" = {
-        ExecStart = mkForce (concatStringsSep " " (
+        restartIfChanged = false;
-          [ "-${cfg.package or pkgs.openssh}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]
+        serviceConfig = {
-          ++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''
+          ExecStart = mkForce (concatStringsSep " " (
-          ++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''
+            [ "-${cfg.package or pkgs.openssh}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]
-        ));
+            ++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''
-        LoadCredential =
+            ++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''
-          lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
+          ));
-          ++ lib.optionals cfg.staticHostKeys [
+          LoadCredential =
-            "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+            lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
-            "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+            ++ lib.optionals cfg.staticHostKeys [
-          ];
+              "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+              "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+            ];
+        };
      };
    };
    systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket" = mkIf cfg.enable {
author	Gregor Kleen <gkleen@yggdrasil.li>	2024-12-15 18:25:01 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2024-12-15 18:25:01 +0100
commit	9873d9c34f7907a31c975c22f32497fd1278aa28 (patch)
tree	93a72f917760eef7ad683b99842ccb5f0d380fb7 /system-profiles/openssh
parent	afaaaadb33316ee7705de192a6f667f1b07a10d3 (diff)
download	nixos-9873d9c34f7907a31c975c22f32497fd1278aa28.tar nixos-9873d9c34f7907a31c975c22f32497fd1278aa28.tar.gz nixos-9873d9c34f7907a31c975c22f32497fd1278aa28.tar.bz2 nixos-9873d9c34f7907a31c975c22f32497fd1278aa28.tar.xz nixos-9873d9c34f7907a31c975c22f32497fd1278aa28.zip

diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix index 25fc354f..e60e72d9 100644 --- a/system-profiles/openssh/default.nix +++ b/system-profiles/openssh/default.nix
@@ -85,18 +85,21 @@ in {
85	};	85	};
86		86
87	systemd.services = mkIf cfg.enable {	87	systemd.services = mkIf cfg.enable {
88	"sshd@".serviceConfig = {	88	"sshd@" = {
89	ExecStart = mkForce (concatStringsSep " " (	89	restartIfChanged = false;
90	[ "-${cfg.package or pkgs.openssh}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]	90	serviceConfig = {
91	++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''	91	ExecStart = mkForce (concatStringsSep " " (
92	++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''	92	[ "-${cfg.package or pkgs.openssh}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]
93	));	93	++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''
94	LoadCredential =	94	++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''
95	lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"	95	));
96	++ lib.optionals cfg.staticHostKeys [	96	LoadCredential =
97	"ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"	97	lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
98	"ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"	98	++ lib.optionals cfg.staticHostKeys [
99	];	99	"ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
		100	"ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
		101	];
		102	};
100	};	103	};
101	};	104	};
102	systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket" = mkIf cfg.enable {	105	systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket" = mkIf cfg.enable {