From d4d0300c4158b5b65575a672049cf6828cec549c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 20 Mar 2023 12:25:15 +0100
Subject: ...
---
 system-profiles/openssh/default.nix | 19 +++----------------
 1 file changed, 3 insertions(+), 16 deletions(-)
(limited to 'system-profiles/openssh')
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 6ad7215a..eb6df9c5 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -69,7 +69,7 @@ in {
 inherit Ciphers Macs KexAlgorithms HostKeyAlgorithms CASignatureAlgorithms PubkeyAcceptedAlgorithms;
 LogLevel = "VERBOSE";
- RevokedKeys = "/etc/ssh/krl.bin";
+ RevokedKeys = ./ca/krl.bin;
 PasswordAuthentication = mkDefault false;
 KbdInteractiveAuthentication = mkDefault false;
@@ -77,9 +77,9 @@ in {
 moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli";
 extraConfig = ''
 ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_ed25519_key"}
- ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"}
+ ${optionalString cfg.staticHostKeys "HostCertificate ${./known-hosts + "/${hostName}/ed25519.pub"}"}
 ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_rsa_key"}
- ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"}
+ ${optionalString cfg.staticHostKeys "HostCertificate ${./known-hosts + "/${hostName}/rsa-cert.pub"}"}
 '';
 };
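Review bot: `RevokedKeys = ./ca/krl.bin;` assigns a bare path where every sibling option in this attrset is a string; whether the `settings` value type accepts a path and renders it as a store path is not visible here, and a renderer that only handles strings, ints and bools would reject it when sshd_config is generated. Interpolating it the way the next hunk does for the certificates, `RevokedKeys = "${./ca/krl.bin}";`, copies the KRL into the store explicitly and keeps the value a string. Either way the KRL is now a store path, so a new revocation only takes effect after a rebuild and sshd reload, as it already did with the old `/etc/ssh/krl.bin` entry. The attrset containing these options opens before the hunk.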
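Review bot: The ed25519 `HostCertificate` line points at `./known-hosts/${hostName}/ed25519.pub`, the plain public key, while the RSA line beside it and the `environment.etc."ssh/ssh_host_ed25519_key-cert.pub"` entry removed later in this patch both use the `-cert.pub` file. sshd rejects a non-certificate file given to `HostCertificate`, so the ed25519 host key would be presented without its CA certificate and clients that trust the CA via `@cert-authority` would fall back to raw-key checking for it. The line should read `${optionalString cfg.staticHostKeys "HostCertificate ${./known-hosts + "/${hostName}/ed25519-cert.pub"}"}`. Replacing the `config.environment.etc ?` guard with `cfg.staticHostKeys` also means a host with static keys but no certificate file now fails at evaluation instead of silently omitting the directive, which is the safer behaviour but deserves a one-line comment above `extraConfig`. The enclosing `services.openssh` attrset starts before the hunk.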
@@ -119,31 +119,18 @@ in {
 sops.secrets = mkIf cfg.enable {
 ssh_host_rsa_key = mkIf cfg.staticHostKeys {
 key = "rsa";
- path = "/etc/ssh/ssh_host_rsa_key";
 sopsFile = ./host-keys + "/${hostName}.yaml";
 };
 ssh_host_ed25519_key = mkIf cfg.staticHostKeys {
 key = "ed25519";
- path = "/etc/ssh/ssh_host_ed25519_key";
 sopsFile = ./host-keys + "/${hostName}.yaml";
 };
 ssh_moduli = mkIf (pathExists (./host-moduli + "/${hostName}")) {
 format = "binary";
- path = "/etc/ssh/moduli";
 sopsFile = ./host-moduli + "/${hostName}";
 };
 };
- environment.etc = mkIf cfg.enable {
- "ssh/ssh_host_rsa_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa.pub"; };
- "ssh/ssh_host_ed25519_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519.pub"; };
-
- "ssh/ssh_host_rsa_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa-cert.pub"; };
- "ssh/ssh_host_ed25519_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519-cert.pub"; };
-
- "ssh/krl.bin".source = ./ca/krl.bin;
- };
-
 environment.systemPackages = mkIf cfg.enable (with pkgs; [ alacritty.terminfo ]);
-- 
cgit v1.2.3