diff options
Diffstat (limited to 'system-profiles')
-rw-r--r-- | system-profiles/openssh/default.nix | 27 |
1 files changed, 15 insertions, 12 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix index 25fc354f..e60e72d9 100644 --- a/system-profiles/openssh/default.nix +++ b/system-profiles/openssh/default.nix | |||
@@ -85,18 +85,21 @@ in { | |||
85 | }; | 85 | }; |
86 | 86 | ||
87 | systemd.services = mkIf cfg.enable { | 87 | systemd.services = mkIf cfg.enable { |
88 | "sshd@".serviceConfig = { | 88 | "sshd@" = { |
89 | ExecStart = mkForce (concatStringsSep " " ( | 89 | restartIfChanged = false; |
90 | [ "-${cfg.package or pkgs.openssh}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ] | 90 | serviceConfig = { |
91 | ++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"'' | 91 | ExecStart = mkForce (concatStringsSep " " ( |
92 | ++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"'' | 92 | [ "-${cfg.package or pkgs.openssh}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ] |
93 | )); | 93 | ++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"'' |
94 | LoadCredential = | 94 | ++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"'' |
95 | lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}" | 95 | )); |
96 | ++ lib.optionals cfg.staticHostKeys [ | 96 | LoadCredential = |
97 | "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}" | 97 | lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}" |
98 | "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}" | 98 | ++ lib.optionals cfg.staticHostKeys [ |
99 | ]; | 99 | "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}" |
100 | "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}" | ||
101 | ]; | ||
102 | }; | ||
100 | }; | 103 | }; |
101 | }; | 104 | }; |
102 | systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket" = mkIf cfg.enable { | 105 | systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket" = mkIf cfg.enable { |