ymir: openssh ca

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-12 14:06:09 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-12 14:06:09 +0100
commit: ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf (patch)
tree: b18bd1ce1434609ab4476a508e3da413623bdaea /ymir.nix
parent: 7dfdf54de426b995173cec67b40451f0b83d264a (diff)
download: nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar
nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.gz
nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.bz2
nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.xz
nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.zip
1 files changed, 11 insertions, 0 deletions
diff --git a/ymir.nix b/ymir.nix
index df306121..8f01ad6b 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -212,9 +212,20 @@ in rec {
    challengeResponseAuthentication = false;
    extraConfig = ''
      AllowGroups ssh
+      HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+      HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+      RevokedKeys /etc/ssh/krl.bin
    '';
    knownHosts = import ./knownHosts.nix;
+    hostKeys = [
+      { bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
+      { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
+    ];
  };
+  environment.etc."ssh/ssh_host_rsa_key-cert.pub".source = ./ymir/rsa-cert.pub;
+  environment.etc."ssh/ssh_host_ed25519_key-cert.pub".source = ./ymir/ed25519-cert.pub;
+  environment.etc."ssh/krl.bin".source = ./krl.bin;
  users.groups."ssh" = {
    members = ["gitolite" "uucp" "root"];
  };
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-12 14:06:09 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-12 14:06:09 +0100
commit	ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf (patch)
tree	b18bd1ce1434609ab4476a508e3da413623bdaea /ymir.nix
parent	7dfdf54de426b995173cec67b40451f0b83d264a (diff)
download	nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.gz nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.bz2 nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.xz nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.zip

diff --git a/ymir.nix b/ymir.nix index df306121..8f01ad6b 100644 --- a/ymir.nix +++ b/ymir.nix
@@ -212,9 +212,20 @@ in rec {
212	challengeResponseAuthentication = false;	212	challengeResponseAuthentication = false;
213	extraConfig = ''	213	extraConfig = ''
214	AllowGroups ssh	214	AllowGroups ssh
		215
		216	HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
		217	HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
		218	RevokedKeys /etc/ssh/krl.bin
215	'';	219	'';
216	knownHosts = import ./knownHosts.nix;	220	knownHosts = import ./knownHosts.nix;
		221	hostKeys = [
		222	{ bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
		223	{ path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
		224	];
217	};	225	};
		226	environment.etc."ssh/ssh_host_rsa_key-cert.pub".source = ./ymir/rsa-cert.pub;
		227	environment.etc."ssh/ssh_host_ed25519_key-cert.pub".source = ./ymir/ed25519-cert.pub;
		228	environment.etc."ssh/krl.bin".source = ./krl.bin;
218	users.groups."ssh" = {	229	users.groups."ssh" = {
219	members = ["gitolite" "uucp" "root"];	230	members = ["gitolite" "uucp" "root"];
220	};	231	};