1 files changed, 31 insertions, 19 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 048a948f..19bc46b7 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -1,22 +1,34 @@
 { customUtils, lib, config, hostName, pkgs, ... }:
-{
+with lib;
+let
+  cfg = config.services.openssh;
+in {
+  options = {
+    services.openssh.staticHostKeys = mkOption {
+      type = types.bool;
+      default = true;
+    };
+  };
+  
  config = {
-    systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
+    systemd.user.services."ssh-agent".enable = mkForce false; # ssh-agent should be done via home-manager
-    services.openssh = lib.mkIf config.services.openssh.enable {
+    services.openssh = mkIf cfg.enable {
-      hostKeys = lib.mkForce []; # done manually
+      hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
      ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
      macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
      kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
-      moduliFile = config.sops.secrets.ssh_moduli.path;
+      moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
      extraConfig = ''
        HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
        CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
-        HostKey /etc/ssh/ssh_host_ed25519_key
+        ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"}
-        HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+        ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"}
-        HostKey /etc/ssh/ssh_host_rsa_key
+        ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"}
-        HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+        ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"}
        RevokedKeys /etc/ssh/krl.bin
      '';
      logLevel = "VERBOSE";
@@ -45,35 +57,35 @@
      '';
    };
-    sops.secrets = lib.mkIf config.services.openssh.enable {
+    sops.secrets = mkIf cfg.enable {
-      ssh_host_rsa_key = {
+      ssh_host_rsa_key = mkIf cfg.staticHostKeys {
        key = "rsa";
        path = "/etc/ssh/ssh_host_rsa_key";
        sopsFile = ./host-keys + "/${hostName}.yaml";
      };
-      ssh_host_ed25519_key = {
+      ssh_host_ed25519_key = mkIf cfg.staticHostKeys {
        key = "ed25519";
        path = "/etc/ssh/ssh_host_ed25519_key";
        sopsFile = ./host-keys + "/${hostName}.yaml";
      };
-      ssh_moduli = {
+      ssh_moduli = mkIf (pathExists (./host-moduli + "/${hostName}")) {
        format = "binary";
        path = "/etc/ssh/moduli";
        sopsFile = ./host-moduli + "/${hostName}";
      };
    };
-    environment.etc = lib.mkIf config.services.openssh.enable {
+    environment.etc = mkIf cfg.enable {
-      "ssh/ssh_host_rsa_key.pub".source = ./known-hosts + "/${hostName}/rsa.pub";
+      "ssh/ssh_host_rsa_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa.pub"; };
-      "ssh/ssh_host_ed25519_key.pub".source = ./known-hosts + "/${hostName}/ed25519.pub";
+      "ssh/ssh_host_ed25519_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519.pub"; };
-      "ssh/ssh_host_rsa_key-cert.pub".source = ./known-hosts + "/${hostName}/rsa-cert.pub";
+      "ssh/ssh_host_rsa_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa-cert.pub"; };
-      "ssh/ssh_host_ed25519_key-cert.pub".source = ./known-hosts + "/${hostName}/ed25519-cert.pub";
+      "ssh/ssh_host_ed25519_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519-cert.pub"; };
      "ssh/krl.bin".source = ./ca/krl.bin;
    };
-    environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [
+    environment.systemPackages = mkIf cfg.enable (with pkgs; [
      rxvt_unicode.terminfo alacritty.terminfo
    ]);
  };

diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix index 048a948f..19bc46b7 100644 --- a/system-profiles/openssh/default.nix +++ b/system-profiles/openssh/default.nix
@@ -1,22 +1,34 @@
1	{ customUtils, lib, config, hostName, pkgs, ... }:	1	{ customUtils, lib, config, hostName, pkgs, ... }:
2	{	2
		3	with lib;
		4
		5	let
		6	cfg = config.services.openssh;
		7	in {
		8	options = {
		9	services.openssh.staticHostKeys = mkOption {
		10	type = types.bool;
		11	default = true;
		12	};
		13	};
		14
3	config = {	15	config = {
4	systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager	16	systemd.user.services."ssh-agent".enable = mkForce false; # ssh-agent should be done via home-manager
5		17
6	services.openssh = lib.mkIf config.services.openssh.enable {	18	services.openssh = mkIf cfg.enable {
7	hostKeys = lib.mkForce []; # done manually	19	hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
8	ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];	20	ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
9	macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];	21	macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
10	kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];	22	kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
11	moduliFile = config.sops.secrets.ssh_moduli.path;	23	moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
12	extraConfig = ''	24	extraConfig = ''
13	HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512	25	HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
14	CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512	26	CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
15		27
16	HostKey /etc/ssh/ssh_host_ed25519_key	28	${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"}
17	HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub	29	${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"}
18	HostKey /etc/ssh/ssh_host_rsa_key	30	${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"}
19	HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub	31	${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"}
20	RevokedKeys /etc/ssh/krl.bin	32	RevokedKeys /etc/ssh/krl.bin
21	'';	33	'';
22	logLevel = "VERBOSE";	34	logLevel = "VERBOSE";
@@ -45,35 +57,35 @@
45	'';	57	'';
46	};	58	};
47		59
48	sops.secrets = lib.mkIf config.services.openssh.enable {	60	sops.secrets = mkIf cfg.enable {
49	ssh_host_rsa_key = {	61	ssh_host_rsa_key = mkIf cfg.staticHostKeys {
50	key = "rsa";	62	key = "rsa";
51	path = "/etc/ssh/ssh_host_rsa_key";	63	path = "/etc/ssh/ssh_host_rsa_key";
52	sopsFile = ./host-keys + "/${hostName}.yaml";	64	sopsFile = ./host-keys + "/${hostName}.yaml";
53	};	65	};
54	ssh_host_ed25519_key = {	66	ssh_host_ed25519_key = mkIf cfg.staticHostKeys {
55	key = "ed25519";	67	key = "ed25519";
56	path = "/etc/ssh/ssh_host_ed25519_key";	68	path = "/etc/ssh/ssh_host_ed25519_key";
57	sopsFile = ./host-keys + "/${hostName}.yaml";	69	sopsFile = ./host-keys + "/${hostName}.yaml";
58	};	70	};
59	ssh_moduli = {	71	ssh_moduli = mkIf (pathExists (./host-moduli + "/${hostName}")) {
60	format = "binary";	72	format = "binary";
61	path = "/etc/ssh/moduli";	73	path = "/etc/ssh/moduli";
62	sopsFile = ./host-moduli + "/${hostName}";	74	sopsFile = ./host-moduli + "/${hostName}";
63	};	75	};
64	};	76	};
65		77
66	environment.etc = lib.mkIf config.services.openssh.enable {	78	environment.etc = mkIf cfg.enable {
67	"ssh/ssh_host_rsa_key.pub".source = ./known-hosts + "/${hostName}/rsa.pub";	79	"ssh/ssh_host_rsa_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa.pub"; };
68	"ssh/ssh_host_ed25519_key.pub".source = ./known-hosts + "/${hostName}/ed25519.pub";	80	"ssh/ssh_host_ed25519_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519.pub"; };
69		81
70	"ssh/ssh_host_rsa_key-cert.pub".source = ./known-hosts + "/${hostName}/rsa-cert.pub";	82	"ssh/ssh_host_rsa_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa-cert.pub"; };
71	"ssh/ssh_host_ed25519_key-cert.pub".source = ./known-hosts + "/${hostName}/ed25519-cert.pub";	83	"ssh/ssh_host_ed25519_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519-cert.pub"; };
72		84
73	"ssh/krl.bin".source = ./ca/krl.bin;	85	"ssh/krl.bin".source = ./ca/krl.bin;
74	};	86	};
75		87
76	environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [	88	environment.systemPackages = mkIf cfg.enable (with pkgs; [
77	rxvt_unicode.terminfo alacritty.terminfo	89	rxvt_unicode.terminfo alacritty.terminfo
78	]);	90	]);
79	};	91	};