1 files changed, 37 insertions, 10 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 098e2b25..65635912 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -64,6 +64,7 @@ in {
    systemd.user.services."ssh-agent".enable = mkForce false; # ssh-agent should be done via home-manager
    services.openssh = mkIf cfg.enable {
+      startWhenNeeded = true;
      hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
      settings = {
        inherit Ciphers Macs KexAlgorithms;
@@ -77,21 +78,36 @@ in {
        PasswordAuthentication = mkDefault false;
        KbdInteractiveAuthentication = mkDefault false;
      };
-      moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli";
      extraConfig = optionalString cfg.staticHostKeys ''
-        HostKey /run/credentials/sshd.service/ssh_host_ed25519_key
        HostCertificate ${./known-hosts + "/${hostName}/ed25519-cert.pub"}
-        HostKey /run/credentials/sshd.service/ssh_host_rsa_key
        HostCertificate ${./known-hosts + "/${hostName}/rsa-cert.pub"}
      '';
    };
-    systemd.services.sshd.serviceConfig.LoadCredential =
+    systemd.services = mkIf cfg.enable {
-         lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
+      "sshd@".serviceConfig = {
-      ++ lib.optionals cfg.staticHostKeys [
+        ExecStart = mkForce (concatStringsSep " " (
-           "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+          [ "-${cfg.package}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]
-           "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+          ++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''
-         ];
+          ++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''
+        ));
+        LoadCredential =
+          lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
+          ++ lib.optionals cfg.staticHostKeys [
+            "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+            "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+          ];
+      };
+    };
+    systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket" = mkIf cfg.enable {
+      wantedBy = ["sockets.target"];
+      listenStreams = ["/run/ssh-unix-local/socket"];
+      socketConfig = {
+        Accept = true;
+        PollLimitIntervalSec = "30s";
+        PollLimitBurst = 50;
+      };
+    };
    programs.ssh = {
      knownHosts = {
@@ -116,6 +132,17 @@ in {
          CASignatureAlgorithms ${concatStringsSep "," CASignatureAlgorithms}
          PasswordAuthentication no
          KbdInteractiveAuthentication no
+        Host unix/* vsock/* vsock-mux/*
+            ProxyCommand ${config.systemd.package}/lib/systemd/systemd-ssh-proxy %h %p
+            ProxyUseFdpass yes
+            CheckHostIP no
+        Host .host ${config.networking.hostName} ${config.networking.hostName}.yggdrasil localhost ::1 127.0.0.0/8
+            HostKeyAlias ${config.networking.hostName}.yggdrasil
+            ProxyCommand ${config.systemd.package}/lib/systemd/systemd-ssh-proxy unix/run/ssh-unix-local/socket %p
+            ProxyUseFdpass yes
+            CheckHostIP no
      '';
    };
@@ -135,7 +162,7 @@ in {
    };
    environment.systemPackages = mkIf cfg.enable (with pkgs; [
-      alacritty.terminfo
+      kitty.terminfo
    ]);
  };
 }