From 9873d9c34f7907a31c975c22f32497fd1278aa28 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 15 Dec 2024 18:25:01 +0100
Subject: ...
---
 system-profiles/openssh/default.nix | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 25fc354f..e60e72d9 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -85,18 +85,21 @@ in {
 };
 systemd.services = mkIf cfg.enable {
- "sshd@".serviceConfig = {
- ExecStart = mkForce (concatStringsSep " " (
- [ "-${cfg.package or pkgs.openssh}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]
- ++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''
- ++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''
- ));
- LoadCredential =
- lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
- ++ lib.optionals cfg.staticHostKeys [
- "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
- "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
- ];
+ "sshd@" = {
+ restartIfChanged = false;
+ serviceConfig = {
+ ExecStart = mkForce (concatStringsSep " " (
+ [ "-${cfg.package or pkgs.openssh}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]
+ ++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''
+ ++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''
+ ));
+ LoadCredential =
+ lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
+ ++ lib.optionals cfg.staticHostKeys [
+ "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+ "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+ ];
+ };
 };
 };
 systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket" = mkIf cfg.enable {
--
cgit v1.2.3
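Review bot: `restartIfChanged = false;` on `"sshd@"` is an availability/security trade-off that lands without any explanation, so I would put the reason next to it: `# Each sshd@ instance serves one accepted connection (sshd -i); restarting instances on switch would kill live sessions, including the one driving nixos-rebuild. New connections are spawned by the socket from the current unit, so package/config changes reach new sessions only.` The flip side worth recording is that after this change an openssh upgrade, or a moduli/host-key rotation under `staticHostKeys`, leaves already-established sessions running the old sshd binary and credentials until they disconnect or the `sshd@*` instances are stopped by hand, which matters when keys are rotated after a suspected compromise. This reading rests on the `-i` flag in ExecStart meaning one instance per connection; the socket that spawns the instances and the enclosing module set (`in {`) both start outside this hunk, so confirm against them. A minor style point: the block mixes bare `optional` in ExecStart with `lib.optional`/`lib.optionals` in LoadCredential, and picking one form would read more consistently.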