From f6e600c20d6a97ebeda23fa2bb5621646222b2b0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Sat, 2 Jan 2021 20:53:17 +0100
Subject: sif: import config

---
 system-profiles/openssh/default.nix | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 system-profiles/openssh/default.nix

(limited to 'system-profiles/openssh/default.nix')

diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
new file mode 100644
index 00000000..4db3d7db
--- /dev/null
+++ b/system-profiles/openssh/default.nix
@@ -0,0 +1,36 @@
+{ customUtils, lib, config, hostName, ... }:
+{
+  services.openssh = {
+    enable = true;
+    knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; }));
+
+    hostKeys = [
+      { path = "/etc/ssh/ssh_host_rsa_key";
+        type = "rsa";
+      }
+      { path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
+  };
+
+  sops.secrets = {
+    ssh_host_rsa_key = {
+        key = "rsa";
+        path = "/etc/ssh/ssh_host_rsa_key";
+        sopsFile = ./host-keys + "/${hostName}.yaml";
+    };
+    ssh_host_ed25519_key = {
+        key = "ed25519";
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        sopsFile = ./host-keys + "/${hostName}.yaml";
+    };
+  };
+
+  environment.etc = {
+    "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
+    "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
+  };
+
+  systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
+}
-- 
cgit v1.2.3