From f6e600c20d6a97ebeda23fa2bb5621646222b2b0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 2 Jan 2021 20:53:17 +0100
Subject: sif: import config

---
 system-profiles/openssh/default.nix | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 system-profiles/openssh/default.nix
(limited to 'system-profiles/openssh/default.nix')

diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
new file mode 100644
index 00000000..4db3d7db
--- /dev/null
+++ b/system-profiles/openssh/default.nix
@@ -0,0 +1,36 @@
+{ customUtils, lib, config, hostName, ... }:
+{
+ services.openssh = {
+ enable = true;
+ knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; }));
+
+ hostKeys = [
+ { path = "/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ }
+ { path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+
+ sops.secrets = {
+ ssh_host_rsa_key = {
+ key = "rsa";
+ path = "/etc/ssh/ssh_host_rsa_key";
+ sopsFile = ./host-keys + "/${hostName}.yaml";
+ };
+ ssh_host_ed25519_key = {
+ key = "ed25519";
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ sopsFile = ./host-keys + "/${hostName}.yaml";
+ };
+ };
+
+ environment.etc = {
+ "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
+ "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
+ };
+
+ systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
+}
--
cgit v1.2.3
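Review bot: The `sops.secrets` block makes the sshd host keys themselves sops-managed, yet as far as I recall sops-nix derives its default decryption key paths from `services.openssh.hostKeys`, so unless a separate decryption key is configured outside this file, `host-keys/<hostName>.yaml` would have to be decrypted with a key it contains; presumably another `sops.*` key setting exists elsewhere, and that dependency deserves a comment above the block, e.g. `# host keys are delivered by sops; the sops decryption key must not be one of these files (configured per host elsewhere)`. A second point: the `environment.etc."ssh/ssh_host_*_key.pub"` entries are filled from the known-hosts directory rather than derived from the private key, so a stale `known-hosts` entry leaves sshd with a `.pub` that does not match its private key; a comment such as `# must be regenerated together with host-keys/<hostName>.yaml` would make that coupling visible. The RSA `hostKeys` entry also omits `bits`, so if the sops secret were ever absent at first boot the NixOS key-generation path would, I believe, fall back to ssh-keygen's default size; adding `bits = 4096;` (or dropping the RSA key entirely in favour of ed25519) makes the intended strength explicit.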