1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 14:50:40 +02:00
oddlama_nix-config/config/ssh.nix
2024-11-26 13:34:55 +01:00

61 lines
2.1 KiB
Nix

{
config,
lib,
pkgs,
...
}:
{
config = lib.mkMerge [
{
services.openssh = {
enable = true;
# In containers, this is true by default, but we don't want that
# because we rely on ssh key generation for agenix. So we need
# the service to start eagerly
startWhenNeeded = lib.mkForce false;
authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
sftpServerExecutable = "internal-sftp";
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "yes";
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
}
# Enable initrd-ssh unlock for non-virtualized hosts
(lib.mkIf (config.node.type == "host") {
age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 4;
hostKeys = [ config.age.secrets.initrd_host_ed25519_key.path ];
};
# Make sure that there is always a valid initrd hostkey available that can be installed into
# the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
# whatever is given, since the correct hostkey doesn't even exist yet. We still require
# a valid hostkey to be available so that the initrd can be generated successfully.
# The correct initrd host-key will be installed with the next update after the host is booted
# for the first time, and the secrets were rekeyed for the the new host identity.
system.activationScripts.agenixEnsureInitrdHostkey = {
text = ''
[[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
|| ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
'';
deps = [
"agenixInstall"
"users"
];
};
system.activationScripts.agenixChown.deps = [ "agenixEnsureInitrdHostkey" ];
})
];
}