ssh: explain why we specify host_keys the way we do instead of through sane.persist

2023-01-08 08:41:48 +00:00 · 2023-01-08 08:41:48 +00:00 · 2c0b0f6947
commit 2c0b0f6947
parent f10de6c2c4
1 changed files with 3 additions and 0 deletions
--- a/hosts/common/ssh.nix
+++ b/hosts/common/ssh.nix
@ -1,7 +1,10 @@
 { config, lib, ... }:
 {
  # persist the host key
+  # prefer specifying it via environment.etc since although it is generated per-host,
+  # it's made to be immutable after generation. hence, a `persist`-style mount wouldn't be as great.
  environment.etc."ssh/host_keys".source = "/nix/persist/etc/ssh/host_keys";
+  # sane.persist.sys.plaintext = [ "/etc/ssh/host_keys" ];

  # let openssh find our host keys
  services.openssh.hostKeys = [