persist ssh host keys in a subdirectory

2022-10-25 02:09:27 -07:00 · 2022-10-25 02:09:27 -07:00 · e3bf585382
commit e3bf585382
parent 1fea9618ba
4 changed files with 19 additions and 18 deletions
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@ -71,17 +71,7 @@ in
        #
        # servo additions:
      ] ++ cfg.service-dirs);
-      files = [
-        "/etc/machine-id"
-        "/etc/ssh/ssh_host_ed25519_key"
-        "/etc/ssh/ssh_host_ed25519_key.pub"
-        "/etc/ssh/ssh_host_rsa_key"
-        "/etc/ssh/ssh_host_rsa_key.pub"
-        # # XXX these only need persistence because i have mutableUsers = true, i think
-        # "/etc/group"
-        # "/etc/passwd"
-        # "/etc/shadow"
-      ];
+      files = [ "/etc/machine-id" ];
    };

    # secret decoding depends on /etc/ssh keys, which are persisted
@ -93,15 +83,14 @@ in
    # but it's a decent safety net in case something goes wrong.
    # system.activationScripts.setupSecretsForUsers.deps = [ "persist-files" ];
    system.activationScripts.setupSecretsForUsers= lib.mkIf secretsForUsers {
-      deps = [ "persist-ssh-host-key" ];
+      deps = [ "persist-ssh-host-keys" ];
    };
-    system.activationScripts.persist-ssh-host-key = lib.mkIf secretsForUsers (
+    system.activationScripts.persist-ssh-host-keys = lib.mkIf secretsForUsers (
      let
-        key = "/etc/ssh/ssh_host_ed25519_key";
+        key_dir = "/etc/ssh/host_keys";
      in ''
-        mkdir -p /etc/ssh
-        touch ${key}
-        mount -o bind /nix/persist${key} ${key}
+        mkdir -p ${key_dir}
+        mount -o bind /nix/persist${key_dir} ${key_dir}
      ''
    );
  };
--- a/modules/universal/default.nix
+++ b/modules/universal/default.nix
@ -8,6 +8,7 @@
    ./home-packages.nix
    ./net.nix
    ./secrets.nix
+    ./ssh.nix
    ./system-packages.nix
    ./users.nix
    ./vpn.nix
--- a/modules/universal/secrets.nix
+++ b/modules/universal/secrets.nix
@ -35,7 +35,7 @@
  sops.defaultSopsFile = ./../../secrets/universal.yaml;
  # This will automatically import SSH keys as age keys
  sops.age.sshKeyPaths = [
-    "/etc/ssh/ssh_host_ed25519_key"
+    "/etc/ssh/host_keys/ssh_host_ed25519_key"
  ];
  sops.gnupg.sshKeyPaths = [];  # disable RSA key import
  # This is using an age key that is expected to already be in the filesystem
--- a/modules/universal/ssh.nix
+++ b/modules/universal/ssh.nix
@ -0,0 +1,11 @@
+{ ... }:
+{
+  # we place the host keys (which we want to be persisted) into their own directory to ease that.
+  # otherwise, this is identical to nixos defaults
+  sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
+
+  services.openssh.hostKeys = [
+    { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
+    { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
+  ];
+}