author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-20 12:23:23 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-20 12:23:23 +0100 |
commit | 8e0d233a31b17a5a39795b62e88617948b7efdd1 (patch) | |
tree | 800708f331562e7aa6c4a7645291e9a9d98cda85 /system-profiles | |
parent | 39b087c3c417b5108ab21dfa47ceaa3c81df9336 (diff) | |
...
Diffstat (limited to 'system-profiles')
-rw-r--r-- | system-profiles/openssh/default.nix | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix index af4fb4ee..6ad7215a 100644 --- a/system-profiles/openssh/default.nix +++ b/system-profiles/openssh/default.nix | |||
@@ -74,15 +74,22 @@ in { | |||
74 | PasswordAuthentication = mkDefault false; | 74 | PasswordAuthentication = mkDefault false; |
75 | KbdInteractiveAuthentication = mkDefault false; | 75 | KbdInteractiveAuthentication = mkDefault false; |
76 | }; | 76 | }; |
77 | moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path; | 77 | moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli"; |
78 | extraConfig = '' | 78 | extraConfig = '' |
79 | ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"} | 79 | ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_ed25519_key"} |
80 | ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"} | 80 | ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"} |
81 | ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"} | 81 | ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_rsa_key"} |
82 | ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"} | 82 | ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"} |
83 | ''; | 83 | ''; |
84 | }; | 84 | }; |
85 | 85 | ||
86 | systemd.services.sshd.serviceConfig.LoadCredential = | ||
87 | lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}" | ||
88 | ++ lib.optionals cfg.staticHostKeys [ | ||
89 | "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}" | ||
90 | "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}" | ||
91 | ]; | ||
92 | |||
86 | programs.ssh = { | 93 | programs.ssh = { |
87 | knownHosts = { | 94 | knownHosts = { |
88 | "*.yggdrasil.li" = { | 95 | "*.yggdrasil.li" = { |
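Review bot: The credential directory is hard-coded as `/run/credentials/sshd.service/` on new lines 77, 79 and 81 while `LoadCredential` is attached only to `systemd.services.sshd` (new line 86), so if `services.openssh.startWhenNeeded` is enabled the socket-activated `sshd@.service` instances would receive neither the credentials nor a valid `HostKey` path and would likely refuse to start or start without the pinned keys; whether that option is set is not visible in this hunk. An evaluation-time guard such as `assertions = [ { assertion = cfg.staticHostKeys -> !config.services.openssh.startWhenNeeded; message = "openssh profile: staticHostKeys relies on sshd.service credentials and does not work with startWhenNeeded"; } ];` would make that failure loud instead of silent. On new lines 89–90 the host-key credentials dereference `config.sops.secrets.ssh_host_*_key.path` without the `?` guard used for `ssh_moduli`, which fails closed at evaluation when the secrets are undeclared, but a one-line comment like `# deliberately unguarded: staticHostKeys without the sops secrets must be an eval error, not a silently keyless sshd` would stop a later maintainer from "fixing" it into a silent `optional`. Unless `services.openssh.hostKeys = []` is set outside this hunk, the NixOS module's default still generates `/etc/ssh/ssh_host_{rsa,ed25519}_key` and adds them as further `HostKey` entries, so the host may present the auto-generated keys alongside the pinned ones.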