forked from mirrors_public/oddlama_nix-config
refactor: merge initrd-ssh.nix with ssh.nix, remove ccid override (now upstream)
This commit is contained in:
oddlama
parent
ccffba4930
commit
32e9896154
19 changed files with 167 additions and 439 deletions
|
|
@ -1,21 +1,57 @@
|
|||
{lib, ...}: {
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
# In containers, this is true by default, but we don't want that
|
||||
# because we rely on ssh key generation for agenix
|
||||
startWhenNeeded = lib.mkForce false;
|
||||
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
||||
sftpServerExecutable = "internal-sftp";
|
||||
settings = {
|
||||
PasswordAuthentication = false;
|
||||
KbdInteractiveAuthentication = false;
|
||||
PermitRootLogin = "yes";
|
||||
};
|
||||
hostKeys = [
|
||||
{
|
||||
path = "/etc/ssh/ssh_host_ed25519_key";
|
||||
type = "ed25519";
|
||||
}
|
||||
];
|
||||
};
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
config = lib.mkMerge [
|
||||
{
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
# In containers, this is true by default, but we don't want that
|
||||
# because we rely on ssh key generation for agenix. So we need
|
||||
# the service to start eagerly
|
||||
startWhenNeeded = lib.mkForce false;
|
||||
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
||||
sftpServerExecutable = "internal-sftp";
|
||||
settings = {
|
||||
PasswordAuthentication = false;
|
||||
KbdInteractiveAuthentication = false;
|
||||
PermitRootLogin = "yes";
|
||||
};
|
||||
hostKeys = [
|
||||
{
|
||||
path = "/etc/ssh/ssh_host_ed25519_key";
|
||||
type = "ed25519";
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
# Enable initrd-ssh unlock for non-virtualized hosts
|
||||
(lib.mkIf (config.node.type == "host") {
|
||||
age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
|
||||
|
||||
boot.initrd.network.enable = true;
|
||||
boot.initrd.network.ssh = {
|
||||
enable = true;
|
||||
port = 4;
|
||||
hostKeys = [config.age.secrets.initrd_host_ed25519_key.path];
|
||||
};
|
||||
|
||||
# Make sure that there is always a valid initrd hostkey available that can be installed into
|
||||
# the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
|
||||
# whatever is given, since the correct hostkey doesn't even exist yet. We still require
|
||||
# a valid hostkey to be available so that the initrd can be generated successfully.
|
||||
# The correct initrd host-key will be installed with the next update after the host is booted
|
||||
# for the first time, and the secrets were rekeyed for the the new host identity.
|
||||
system.activationScripts.agenixEnsureInitrdHostkey = {
|
||||
text = ''
|
||||
[[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
|
||||
|| ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
|
||||
'';
|
||||
deps = ["agenixInstall" "users"];
|
||||
};
|
||||
system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
|
||||
})
|
||||
];
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue