colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

persist ssh host keys in a subdirectory

Browse Source
This commit is contained in:
colin
2022-10-25 02:09:27 -07:00
parent 1fea9618ba
commit e3bf585382
4 changed files with 19 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
modules/impermanence.nix
View File

@@ -71,17 +71,7 @@ in
# #
# servo additions: # servo additions:
] ++ cfg.service-dirs); ] ++ cfg.service-dirs);
files = [ files = [ "/etc/machine-id" ];
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
# # XXX these only need persistence because i have mutableUsers = true, i think
# "/etc/group"
# "/etc/passwd"
# "/etc/shadow"
];
}; };
# secret decoding depends on /etc/ssh keys, which are persisted # secret decoding depends on /etc/ssh keys, which are persisted
@@ -93,15 +83,14 @@ in
# but it's a decent safety net in case something goes wrong. # but it's a decent safety net in case something goes wrong.
# system.activationScripts.setupSecretsForUsers.deps = [ "persist-files" ]; # system.activationScripts.setupSecretsForUsers.deps = [ "persist-files" ];
system.activationScripts.setupSecretsForUsers= lib.mkIf secretsForUsers { system.activationScripts.setupSecretsForUsers= lib.mkIf secretsForUsers {
deps = [ "persist-ssh-host-key" ]; deps = [ "persist-ssh-host-keys" ];
}; };
system.activationScripts.persist-ssh-host-key = lib.mkIf secretsForUsers ( system.activationScripts.persist-ssh-host-keys = lib.mkIf secretsForUsers (
let let
key = "/etc/ssh/ssh_host_ed25519_key"; key_dir = "/etc/ssh/host_keys";
in '' in ''
mkdir -p /etc/ssh mkdir -p ${key_dir}
touch ${key} mount -o bind /nix/persist${key_dir} ${key_dir}
mount -o bind /nix/persist${key} ${key}
'' ''
); );
}; };

1
modules/universal/default.nix
View File

@@ -8,6 +8,7 @@
./home-packages.nix ./home-packages.nix
./net.nix ./net.nix
./secrets.nix ./secrets.nix
./ssh.nix
./system-packages.nix ./system-packages.nix
./users.nix ./users.nix
./vpn.nix ./vpn.nix

2
modules/universal/secrets.nix
View File

@@ -35,7 +35,7 @@
sops.defaultSopsFile = ./../../secrets/universal.yaml; sops.defaultSopsFile = ./../../secrets/universal.yaml;
# This will automatically import SSH keys as age keys # This will automatically import SSH keys as age keys
sops.age.sshKeyPaths = [ sops.age.sshKeyPaths = [
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/host_keys/ssh_host_ed25519_key"
]; ];
sops.gnupg.sshKeyPaths = []; # disable RSA key import sops.gnupg.sshKeyPaths = []; # disable RSA key import
# This is using an age key that is expected to already be in the filesystem # This is using an age key that is expected to already be in the filesystem

11
modules/universal/ssh.nix Normal file
View File

@@ -0,0 +1,11 @@
{ ... }:
{
# we place the host keys (which we want to be persisted) into their own directory to ease that.
# otherwise, this is identical to nixos defaults
sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
services.openssh.hostKeys = [
{ type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
{ type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
];
}