summaryrefslogtreecommitdiff
path: root/system-profiles
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2023-03-20 12:23:23 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2023-03-20 12:23:23 +0100
commit8e0d233a31b17a5a39795b62e88617948b7efdd1 (patch)
tree800708f331562e7aa6c4a7645291e9a9d98cda85 /system-profiles
parent39b087c3c417b5108ab21dfa47ceaa3c81df9336 (diff)
downloadnixos-8e0d233a31b17a5a39795b62e88617948b7efdd1.tar
nixos-8e0d233a31b17a5a39795b62e88617948b7efdd1.tar.gz
nixos-8e0d233a31b17a5a39795b62e88617948b7efdd1.tar.bz2
nixos-8e0d233a31b17a5a39795b62e88617948b7efdd1.tar.xz
nixos-8e0d233a31b17a5a39795b62e88617948b7efdd1.zip
...
Diffstat (limited to 'system-profiles')
-rw-r--r--system-profiles/openssh/default.nix13
1 files changed, 10 insertions, 3 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index af4fb4ee..6ad7215a 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -74,15 +74,22 @@ in {
74 PasswordAuthentication = mkDefault false; 74 PasswordAuthentication = mkDefault false;
75 KbdInteractiveAuthentication = mkDefault false; 75 KbdInteractiveAuthentication = mkDefault false;
76 }; 76 };
77 moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path; 77 moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli";
78 extraConfig = '' 78 extraConfig = ''
79 ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"} 79 ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_ed25519_key"}
80 ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"} 80 ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"}
81 ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"} 81 ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_rsa_key"}
82 ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"} 82 ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"}
83 ''; 83 '';
84 }; 84 };
85 85
86 systemd.services.sshd.serviceConfig.LoadCredential =
87 lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
88 ++ lib.optionals cfg.staticHostKeys [
89 "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
90 "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
91 ];
92
86 programs.ssh = { 93 programs.ssh = {
87 knownHosts = { 94 knownHosts = {
88 "*.yggdrasil.li" = { 95 "*.yggdrasil.li" = {