From 8e0d233a31b17a5a39795b62e88617948b7efdd1 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Mon, 20 Mar 2023 12:23:23 +0100
Subject: ...

---
 system-profiles/openssh/default.nix | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)


diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index af4fb4ee..6ad7215a 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -74,15 +74,22 @@ in {
         PasswordAuthentication = mkDefault false;
         KbdInteractiveAuthentication = mkDefault false;
       };
-      moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
+      moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli";
       extraConfig = ''
-        ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"}
+        ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_ed25519_key"}
         ${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"}
-        ${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"}
+        ${optionalString cfg.staticHostKeys "HostKey /run/credentials/sshd.service/ssh_host_rsa_key"}
         ${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"}
       '';
     };
 
+    systemd.services.sshd.serviceConfig.LoadCredential =
+         lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
+      ++ lib.optionals cfg.staticHostKeys [
+           "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+           "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+         ];
+
     programs.ssh = {
       knownHosts = {
         "*.yggdrasil.li" = {
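Review bot: The credential directory is hard-coded as `/run/credentials/sshd.service/...` in `moduliFile` and both `HostKey` lines, while the `LoadCredential` entries are attached only to `systemd.services.sshd`; if sshd is ever run under a different unit name (for instance a socket-activated `sshd@` template instance, which NixOS uses when `startWhenNeeded` is on) the credentials are neither loaded nor found at that path and sshd fails to start with no host keys. Binding the two together through one local, e.g. `credDir = "/run/credentials/sshd.service";` used by both the paths and the `LoadCredential` attribute, or an assertion that the daemon is not started on demand, would keep them from drifting. The `cfg.staticHostKeys` branch also dereferences `config.sops.secrets.ssh_host_ed25519_key.path` and `ssh_host_rsa_key.path` unguarded, unlike the `ssh_moduli` entry, so a profile that enables static host keys without declaring both sops secrets fails at evaluation with an attribute-missing error rather than a clear assertion. Since `LoadCredential` copies the secret at unit start, a rotated host key or moduli file only takes effect after a full restart of the unit, not a reload, which is worth a comment next to the `LoadCredential` block.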