From 8e0d233a31b17a5a39795b62e88617948b7efdd1 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Mon, 20 Mar 2023 12:23:23 +0100 Subject: ... --- system-profiles/openssh/default.nix | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'system-profiles') diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix index af4fb4ee..6ad7215a 100644 --- a/system-profiles/openssh/default.nix +++ b/system-profiles/openssh/default.nix @@ -74,15 +74,22 @@ in { PasswordAuthentication = mkDefault false; KbdInteractiveAuthentication = mkDefault false; }; - moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path; + moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli"; extraConfig = '' - ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"} + ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_ed25519_key"} ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"} - ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"} + ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_rsa_key"} ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"} ''; }; + systemd.services.sshd.serviceConfig.LoadCredential = + lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}" + ++ lib.optionals cfg.staticHostKeys [ + "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}" + "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}" + ]; + programs.ssh = { knownHosts = { "*.yggdrasil.li" = { -- cgit v1.2.3