ssh: use sane.persist/sane.fs instead of home-manager to ensure keys
@@ -1,18 +1,21 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
lib.mkIf config.sane.home-manager.enable
|
let
|
||||||
{
|
|
||||||
home-manager.users.colin = let
|
|
||||||
host = config.networking.hostName;
|
host = config.networking.hostName;
|
||||||
user_pubkey = (import ../pubkeys.nix).users."${host}";
|
user_pubkey = (import ../pubkeys.nix).users."${host}";
|
||||||
known_hosts_text = builtins.concatStringsSep
|
known_hosts_text = builtins.concatStringsSep
|
||||||
"\n"
|
"\n"
|
||||||
(builtins.attrValues (import ../pubkeys.nix).hosts);
|
(builtins.attrValues (import ../pubkeys.nix).hosts);
|
||||||
in { config, ...}: {
|
mkSymlink = target: {
|
||||||
|
symlink.target = target;
|
||||||
|
wantedBeforeBy = [ "multi-user.target" ];
|
||||||
|
};
|
||||||
|
in lib.mkIf config.sane.home-manager.enable {
|
||||||
# ssh key is stored in private storage
|
# ssh key is stored in private storage
|
||||||
home.file.".ssh/id_ed25519".source = config.lib.file.mkOutOfStoreSymlink "/home/colin/private/.ssh/id_ed25519";
|
sane.persist.home.private = [ ".ssh/id_ed25519" ];
|
||||||
home.file.".ssh/id_ed25519.pub".text = user_pubkey;
|
sane.fs."/home/colin/.ssh/id_ed25519.pub" = mkSymlink (builtins.toString (pkgs.writeText "id_ed25519.pub" user_pubkey));
|
||||||
|
|
||||||
|
home-manager.users.colin = {
|
||||||
programs.ssh.enable = true;
|
programs.ssh.enable = true;
|
||||||
# this optionally accepts multiple known_hosts paths, separated by space.
|
# this optionally accepts multiple known_hosts paths, separated by space.
|
||||||
programs.ssh.userKnownHostsFile = builtins.toString (pkgs.writeText "known_hosts" known_hosts_text);
|
programs.ssh.userKnownHostsFile = builtins.toString (pkgs.writeText "known_hosts" known_hosts_text);
|
||||||
|
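Review bot: `sane.persist.home.private = [ ".ssh/id_ed25519" ];` declares where the private key is kept but nothing about the ownership or mode it is restored with, and the ssh client refuses to load a private key that is readable by group or others, so whether this commit actually "ensures keys" depends on a sane.persist default that is not visible in this hunk. If the module accepts an owner/mode attribute for the entry, pin it here (0600, owned by colin) rather than relying on whatever the backing store preserves; if it does not, add a comment beside the entry such as `# ssh rejects this key unless restored as 0600 owned by colin — confirm sane.persist preserves that`. The `.pub` key and the known_hosts file now resolve to nix store paths, which is acceptable since both are public data, though it means the known_hosts file stays read-only and ssh cannot append hosts that are not already in pubkeys.nix. The `.pub` symlink is ordered via `wantedBeforeBy = [ "multi-user.target" ]`, but no comparable ordering is declared for the private-key restore, so it is unclear from this hunk whether `~/.ssh/id_ed25519` is guaranteed present before user services that depend on it start.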