persist ssh host keys in a subdirectory
This commit is contained in:
parent
1fea9618ba
commit
e3bf585382
|
@ -71,17 +71,7 @@ in
|
|||
#
|
||||
# servo additions:
|
||||
] ++ cfg.service-dirs);
|
||||
files = [
|
||||
"/etc/machine-id"
|
||||
"/etc/ssh/ssh_host_ed25519_key"
|
||||
"/etc/ssh/ssh_host_ed25519_key.pub"
|
||||
"/etc/ssh/ssh_host_rsa_key"
|
||||
"/etc/ssh/ssh_host_rsa_key.pub"
|
||||
# # XXX these only need persistence because i have mutableUsers = true, i think
|
||||
# "/etc/group"
|
||||
# "/etc/passwd"
|
||||
# "/etc/shadow"
|
||||
];
|
||||
files = [ "/etc/machine-id" ];
|
||||
};
|
||||
|
||||
# secret decoding depends on /etc/ssh keys, which are persisted
|
||||
|
@ -93,15 +83,14 @@ in
|
|||
# but it's a decent safety net in case something goes wrong.
|
||||
# system.activationScripts.setupSecretsForUsers.deps = [ "persist-files" ];
|
||||
system.activationScripts.setupSecretsForUsers= lib.mkIf secretsForUsers {
|
||||
deps = [ "persist-ssh-host-key" ];
|
||||
deps = [ "persist-ssh-host-keys" ];
|
||||
};
|
||||
system.activationScripts.persist-ssh-host-key = lib.mkIf secretsForUsers (
|
||||
system.activationScripts.persist-ssh-host-keys = lib.mkIf secretsForUsers (
|
||||
let
|
||||
key = "/etc/ssh/ssh_host_ed25519_key";
|
||||
key_dir = "/etc/ssh/host_keys";
|
||||
in ''
|
||||
mkdir -p /etc/ssh
|
||||
touch ${key}
|
||||
mount -o bind /nix/persist${key} ${key}
|
||||
mkdir -p ${key_dir}
|
||||
mount -o bind /nix/persist${key_dir} ${key_dir}
|
||||
''
|
||||
);
|
||||
};
|
||||
|
|
|
@ -8,6 +8,7 @@
|
|||
./home-packages.nix
|
||||
./net.nix
|
||||
./secrets.nix
|
||||
./ssh.nix
|
||||
./system-packages.nix
|
||||
./users.nix
|
||||
./vpn.nix
|
||||
|
|
|
@ -35,7 +35,7 @@
|
|||
sops.defaultSopsFile = ./../../secrets/universal.yaml;
|
||||
# This will automatically import SSH keys as age keys
|
||||
sops.age.sshKeyPaths = [
|
||||
"/etc/ssh/ssh_host_ed25519_key"
|
||||
"/etc/ssh/host_keys/ssh_host_ed25519_key"
|
||||
];
|
||||
sops.gnupg.sshKeyPaths = []; # disable RSA key import
|
||||
# This is using an age key that is expected to already be in the filesystem
|
||||
|
|
11
modules/universal/ssh.nix
Normal file
11
modules/universal/ssh.nix
Normal file
|
@ -0,0 +1,11 @@
|
|||
{ ... }:
|
||||
{
|
||||
# we place the host keys (which we want to be persisted) into their own directory to ease that.
|
||||
# otherwise, this is identical to nixos defaults
|
||||
sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
|
||||
|
||||
services.openssh.hostKeys = [
|
||||
{ type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
|
||||
{ type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
|
||||
];
|
||||
}
|
Loading…
Reference in New Issue
Block a user