From d60e5264f30f033892040e0956d8236ac8acb36c Mon Sep 17 00:00:00 2001
From: colin
Date: Tue, 20 Dec 2022 00:04:09 +0000
Subject: [PATCH] don't bind-mount /etc/ssh/host_keys: symlink them instead

---
 hosts/common/ssh.nix | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/hosts/common/ssh.nix b/hosts/common/ssh.nix
index abf54359c..a213f5283 100644
--- a/hosts/common/ssh.nix
+++ b/hosts/common/ssh.nix
@@ -1,22 +1,14 @@
 { ... }:
 {
-  # we place the host keys (which we want to be persisted) into their own directory so that we can
-  # bind mount that whole directory instead of doing it per-file.
-  # otherwise, this is identical to nixos defaults
-  sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
-
   # we can't naively `mount /etc/ssh/host_keys` directly,
   # as /etc/fstab may not be populated yet (since that file depends on e.g. activationScripts.users)
   # we can't even depend on impermanence's `createPersistentStorageDirs` to create the source/target directories
   # since that also depends on `users`.
+  # previously we manually `mount --bind` the host_keys here, but it's difficult to make that idempotent.
+  # symlinking seems to work just as well, and is easier to make idempotent
   system.activationScripts.persist-ssh-host-keys.text = ''
-    mkdir -p /etc/ssh/host_keys
-    if ! (mountpoint /etc/ssh/host_keys)
-    then
-      # avoid mounting the keys more than once, otherwise we have a million _stacked_ entries.
-      # TODO: should we just symlink? or find a way to make sure the existing mount is correct.
-      mount --bind /nix/persist/etc/ssh/host_keys /etc/ssh/host_keys
-    fi
+    mkdir -p /etc/ssh
+    ln -sf /nix/persist/etc/ssh/host_keys /etc/ssh/
   '';
 
   services.openssh.hostKeys = [
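Review bot: `ln -sf /nix/persist/etc/ssh/host_keys /etc/ssh/` is not idempotent in the one case that matters on upgrade: when `/etc/ssh/host_keys` already exists as a real directory — which it does on any host still carrying the bind mount the removed script created — `ln -f` cannot unlink a directory and fails, so the symlink is never made and the activation silently keeps the old layout. The removed `sane.impermanence.service-dirs` entry also appears to have been what created `/nix/persist/etc/ssh/host_keys`; nothing in the new script does, so on a fresh host the link dangles and whatever generates the keys listed in `services.openssh.hostKeys` (presumably sshd's preStart) has nowhere to write. I would create the persisted directory with a restrictive mode, retire a leftover mount/empty directory (an `rmdir` that refuses a non-empty directory is the safe failure here — it must never delete keys), and link with an explicit link name plus `-n` so a re-run replaces the symlink instead of descending into it. The `services.openssh.hostKeys` list continues past the end of the hunk.
```nix
  system.activationScripts.persist-ssh-host-keys.text = ''
    mkdir -p /etc/ssh
    # the persisted dir must exist (root-only) before anything tries to write host keys through the link
    install -d -m 0700 /nix/persist/etc/ssh/host_keys
    # migrate from the old bind-mount layout: `ln -f` replaces a symlink but cannot replace a directory
    if mountpoint -q /etc/ssh/host_keys; then umount /etc/ssh/host_keys; fi
    if [ -d /etc/ssh/host_keys ] && [ ! -L /etc/ssh/host_keys ]; then rmdir /etc/ssh/host_keys; fi
    ln -sfn /nix/persist/etc/ssh/host_keys /etc/ssh/host_keys
  '';
```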