document plans for better handling of /etc/ssh
This commit is contained in:
parent
9743aee79d
commit
50dfd482cf
|
|
@ -2,9 +2,17 @@
|
|||
{
|
||||
# we can't naively `mount /etc/ssh/host_keys` directly, as all of the `etc` activationScript
|
||||
# (which includes /etc/fstab, and wherein we'd normally insert a nix-store symlink) depends on activationScripts.users.
|
||||
# activationScripts.etc depends on users apparently only because it converts names to uids when mapping file permissions.
|
||||
# in fact, most everything in /etc/ssh seems to use integer uids -- so we *might* be able to just remove the requirement
|
||||
# of etc on users (or duplicate the activation script and run it once before sops).
|
||||
#
|
||||
# previously we manually `mount --bind` the host_keys here, but it's difficult to make that idempotent.
|
||||
# symlinking seems to work just as well, and is easier to make idempotent
|
||||
# finally (possible best):
|
||||
# - TODO: remove the "users" dep on activationScripts.etc, but add a static assertion that all uids/gids are hardcoded (like we do with user gids).
|
||||
#
|
||||
# alternatively
|
||||
# - just tell sops to use the /persist key path (always), and be done with this?
|
||||
# - stash symlinks to /nix/persist inside `environment.etc....`, tell sops to use /etc/static/ssh, and add an activationScript that makes `/etc/static` available early?
|
||||
# - hack the sops manifest file using during setupSecretsForUsers to use a fully-qualified ssh key pat
|
||||
system.activationScripts.persist-ssh-host-keys.text = ''
|
||||
mkdir -p /etc/ssh
|
||||
ln -sf /nix/persist/etc/ssh/host_keys /etc/ssh/
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user