persist ssh host keys in a subdirectory

modules/universal/default.nix

@@ -8,6 +8,7 @@
     ./home-packages.nix
     ./net.nix
     ./secrets.nix
+    ./ssh.nix
     ./system-packages.nix
     ./users.nix
     ./vpn.nix

modules/universal/secrets.nix

@@ -35,7 +35,7 @@
   sops.defaultSopsFile = ./../../secrets/universal.yaml;
   # This will automatically import SSH keys as age keys
   sops.age.sshKeyPaths = [
-    "/etc/ssh/ssh_host_ed25519_key"
+    "/etc/ssh/host_keys/ssh_host_ed25519_key"
   ];
   sops.gnupg.sshKeyPaths = [];  # disable RSA key import
   # This is using an age key that is expected to already be in the filesystem

modules/universal/ssh.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  # we place the host keys (which we want to be persisted) into their own directory to ease that.
+  # otherwise, this is identical to nixos defaults
+  sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
+
+  services.openssh.hostKeys = [
+    { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
+    { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
+  ];
+}