From 0e0f035264d897e65676ecdc06aee555fae796a8 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 15 May 2021 22:02:34 +0200
Subject: openssh: known_hosts without enable

---
 hosts/sif/default.nix               |  2 ++
 hosts/surtr/default.nix             |  1 +
 system-profiles/openssh/default.nix | 61 ++++++++++++++++++++-----------------
 3 files changed, 36 insertions(+), 28 deletions(-)

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index b090f6a7..c0b7f50c 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -106,6 +106,8 @@
     '';
   };
 
+  services.openssh.enable = true;
+
   powerManagement = {
     enable = true;
 
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index ff9da063..d37646f9 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -93,6 +93,7 @@
   };
 
   services.openssh = {
+    enable = true;
     passwordAuthentication = false;
     challengeResponseAuthentication = false;
     extraConfig = ''
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 4db3d7db..ee7d8868 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
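Review bot: `services.openssh.enable = true;` switches sshd on for sif, but this hunk carries none of the authentication settings that the surtr hunk in the same commit keeps next to the same switch (`passwordAuthentication = false;`, `challengeResponseAuthentication = false;`). If hosts/sif does not set these elsewhere, the host is left with the NixOS defaults for password login once the daemon starts. Adding the two lines beside the new `enable`, or moving them into the shared openssh profile so every host that enables sshd inherits them, would keep the two hosts consistent. The enclosing attribute set continues outside the hunk.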
@@ -1,36 +1,41 @@
-{ customUtils, lib, config, hostName, ... }:
+{ customUtils, lib, config, hostName, pkgs, ... }:
 {
-  services.openssh = {
-    enable = true;
-    knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; }));
+  config = {
+    programs.ssh.knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; }));
 
-    hostKeys = [
-      { path = "/etc/ssh/ssh_host_rsa_key";
-        type = "rsa";
-      }
-      { path = "/etc/ssh/ssh_host_ed25519_key";
-        type = "ed25519";
-      }
-    ];
-  };
+    systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
 
-  sops.secrets = {
-    ssh_host_rsa_key = {
-      key = "rsa";
-      path = "/etc/ssh/ssh_host_rsa_key";
-      sopsFile = ./host-keys + "/${hostName}.yaml";
+    services.openssh = lib.mkIf config.services.openssh.enable {
+      hostKeys = [
+        { path = "/etc/ssh/ssh_host_rsa_key";
+          type = "rsa";
+        }
+        { path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
     };
-    ssh_host_ed25519_key = {
-      key = "ed25519";
-      path = "/etc/ssh/ssh_host_ed25519_key";
-      sopsFile = ./host-keys + "/${hostName}.yaml";
+
+    sops.secrets = lib.mkIf config.services.openssh.enable {
+      ssh_host_rsa_key = {
+        key = "rsa";
+        path = "/etc/ssh/ssh_host_rsa_key";
+        sopsFile = ./host-keys + "/${hostName}.yaml";
+      };
+      ssh_host_ed25519_key = {
+        key = "ed25519";
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        sopsFile = ./host-keys + "/${hostName}.yaml";
+      };
     };
-  };
 
-  environment.etc = {
-    "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
-    "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
-  };
+    environment.etc = lib.mkIf config.services.openssh.enable {
+      "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
+      "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
+    };
 
-  systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
+    environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [
+      rxvt_unicode.terminfo
+    ]);
+  };
 }
-- 
cgit v1.2.3
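Review bot: The two `environment.etc` lines in the new `config` block still read `config.services.openssh.knownHosts.…`, while the same hunk now writes the entries to `programs.ssh.knownHosts`; the read presumably only works through the NixOS rename alias between those two options, and it goes through a path this module no longer sets. Reading the option that is actually written avoids depending on that alias: `"ssh/ssh_host_rsa_key.pub".text = config.programs.ssh.knownHosts."${hostName}-rsa".publicKey;` and `"ssh/ssh_host_ed25519_key.pub".text = config.programs.ssh.knownHosts."${hostName}-ed25519".publicKey;`. The new `environment.systemPackages` entry also ties `rxvt_unicode.terminfo` to sshd being enabled with no stated reason; if it is there for remote urxvt clients, a comment such as `# terminfo for urxvt clients connecting over ssh` would record that.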