diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-05-15 22:02:34 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-05-15 22:02:34 +0200 |
| commit | 0e0f035264d897e65676ecdc06aee555fae796a8 (patch) | |
| tree | 1c78cd1631cffd1aaae0f578299c1928419b6f39 /system-profiles | |
| parent | 2c75432a1a48feff3f1ab86d200d4d9ac0ea487f (diff) | |
| download | nixos-0e0f035264d897e65676ecdc06aee555fae796a8.tar nixos-0e0f035264d897e65676ecdc06aee555fae796a8.tar.gz nixos-0e0f035264d897e65676ecdc06aee555fae796a8.tar.bz2 nixos-0e0f035264d897e65676ecdc06aee555fae796a8.tar.xz nixos-0e0f035264d897e65676ecdc06aee555fae796a8.zip | |
openssh: known_hosts without enable
Diffstat (limited to 'system-profiles')
| -rw-r--r-- | system-profiles/openssh/default.nix | 61 |
1 files changed, 33 insertions, 28 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix index 4db3d7db..ee7d8868 100644 --- a/system-profiles/openssh/default.nix +++ b/system-profiles/openssh/default.nix | |||
| @@ -1,36 +1,41 @@ | |||
| 1 | { customUtils, lib, config, hostName, ... }: | 1 | { customUtils, lib, config, hostName, pkgs, ... }: |
| 2 | { | 2 | { |
| 3 | services.openssh = { | 3 | config = { |
| 4 | enable = true; | 4 | programs.ssh.knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; })); |
| 5 | knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; })); | ||
| 6 | 5 | ||
| 7 | hostKeys = [ | 6 | systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager |
| 8 | { path = "/etc/ssh/ssh_host_rsa_key"; | ||
| 9 | type = "rsa"; | ||
| 10 | } | ||
| 11 | { path = "/etc/ssh/ssh_host_ed25519_key"; | ||
| 12 | type = "ed25519"; | ||
| 13 | } | ||
| 14 | ]; | ||
| 15 | }; | ||
| 16 | 7 | ||
| 17 | sops.secrets = { | 8 | services.openssh = lib.mkIf config.services.openssh.enable { |
| 18 | ssh_host_rsa_key = { | 9 | hostKeys = [ |
| 19 | key = "rsa"; | 10 | { path = "/etc/ssh/ssh_host_rsa_key"; |
| 20 | path = "/etc/ssh/ssh_host_rsa_key"; | 11 | type = "rsa"; |
| 21 | sopsFile = ./host-keys + "/${hostName}.yaml"; | 12 | } |
| 13 | { path = "/etc/ssh/ssh_host_ed25519_key"; | ||
| 14 | type = "ed25519"; | ||
| 15 | } | ||
| 16 | ]; | ||
| 22 | }; | 17 | }; |
| 23 | ssh_host_ed25519_key = { | 18 | |
| 24 | key = "ed25519"; | 19 | sops.secrets = lib.mkIf config.services.openssh.enable { |
| 25 | path = "/etc/ssh/ssh_host_ed25519_key"; | 20 | ssh_host_rsa_key = { |
| 26 | sopsFile = ./host-keys + "/${hostName}.yaml"; | 21 | key = "rsa"; |
| 22 | path = "/etc/ssh/ssh_host_rsa_key"; | ||
| 23 | sopsFile = ./host-keys + "/${hostName}.yaml"; | ||
| 24 | }; | ||
| 25 | ssh_host_ed25519_key = { | ||
| 26 | key = "ed25519"; | ||
| 27 | path = "/etc/ssh/ssh_host_ed25519_key"; | ||
| 28 | sopsFile = ./host-keys + "/${hostName}.yaml"; | ||
| 29 | }; | ||
| 27 | }; | 30 | }; |
| 28 | }; | ||
| 29 | 31 | ||
| 30 | environment.etc = { | 32 | environment.etc = lib.mkIf config.services.openssh.enable { |
| 31 | "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey; | 33 | "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey; |
| 32 | "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey; | 34 | "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey; |
| 33 | }; | 35 | }; |
| 34 | 36 | ||
| 35 | systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager | 37 | environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [ |
| 38 | rxvt_unicode.terminfo | ||
| 39 | ]); | ||
| 40 | }; | ||
| 36 | } | 41 | } |