-rw-r--r--system-profiles/openssh/default.nix13
1 files changed, 10 insertions, 3 deletions
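--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -74,15 +74,22 @@ in {
 PasswordAuthentication = mkDefault false;
 KbdInteractiveAuthentication = mkDefault false;
 };
-moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
+moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli";
 extraConfig = ''
-${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"}
+${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_ed25519_key"}
 ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"}
-${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"}
+${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_rsa_key"}
 ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"}
 '';
 };
 
+systemd.services.sshd.serviceConfig.LoadCredential =
+lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
+++ lib.optionals cfg.staticHostKeys [
+"ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+"ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+];
+
 programs.ssh = {
 knownHosts = {
 "*.yggdrasil.li" = {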
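Review bot: The `/run/credentials/sshd.service/*` paths on the new side of line 77 and lines 79/81 only exist for processes running inside sshd.service, and `moduliFile` is consumed by the NixOS module rather than by sshd directly — if, as I believe, the module surfaces it as the target of an `/etc/ssh/moduli` symlink, that link resolves for sshd but dangles for anything outside the unit (a manual `ssh-keygen -T` check, for instance), so a comment such as `# credential paths below are visible only inside sshd.service (LoadCredential); sops files are read once at unit start` would save the next reader a debugging round. The new `LoadCredential` list at lines 89–90 dereferences `config.sops.secrets.ssh_host_ed25519_key.path` and `config.sops.secrets.ssh_host_rsa_key.path` unconditionally whenever `cfg.staticHostKeys` is true, so a host that enables `staticHostKeys` without declaring both secrets now fails evaluation with a missing-attribute error rather than a clear message; an `assertions` entry naming the two secrets, or guarding each entry with `config.sops.secrets ? "ssh_host_…"` as the moduli entry already does, would make the dependency explicit. The `HostCertificate` lines still point at `/etc/ssh` while the matching `HostKey` lines moved — sshd pairs certificates with keys by public key rather than by path, so this works, but the asymmetry deserves a one-line note. The enclosing attribute set begins before the hunk.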