Diffstat (limited to 'system-profiles')
-rw-r--r--system-profiles/openssh/default.nix27
1 files changed, 15 insertions, 12 deletions
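--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -85,18 +85,21 @@ in {
 };
 
 systemd.services = mkIf cfg.enable {
-"sshd@".serviceConfig = {
-ExecStart = mkForce (concatStringsSep " " (
-[ "-${cfg.package or pkgs.openssh}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]
-++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''
-++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''
-));
-LoadCredential =
-lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
-++ lib.optionals cfg.staticHostKeys [
-"ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
-"ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
-];
+"sshd@" = {
+restartIfChanged = false;
+serviceConfig = {
+ExecStart = mkForce (concatStringsSep " " (
+[ "-${cfg.package or pkgs.openssh}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]
+++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''
+++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''
+));
+LoadCredential =
+lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
+++ lib.optionals cfg.staticHostKeys [
+"ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+"ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+];
+};
 };
 };
 systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket" = mkIf cfg.enable {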
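Review bot: The new `restartIfChanged = false;` on the `sshd@` template (new line 89) needs a comment stating the trade-off it makes, because it also means that an sshd package or config change applied by a rebuild never reaches sessions that are already established. Each connection runs its own `-i` instance, so new connections pick up the new store path immediately, but a session opened before an upgrade keeps executing the old sshd until it ends; I would add `# Per-connection instances: restarting on rebuild would kill live sessions. New connections use the new sshd; existing ones keep the old binary until they close.` above it. A second, inferred point: `-o "HostKey ..."` appends to rather than replaces any `HostKey` directives in `/etc/ssh/sshd_config`, so if the NixOS default host keys are still declared there both sets would be offered — worth confirming that `services.openssh.hostKeys` is cleared when `cfg.staticHostKeys` is set. The enclosing module attribute set (`in {`) starts and ends outside the hunk.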