1 files changed, 28 insertions, 4 deletions

diff --git a/modules/by-name/op/openssh/module.nix b/modules/by-name/op/openssh/module.nix
index 30d16a6..49290b9 100644
--- a/modules/by-name/op/openssh/module.nix
+++ b/modules/by-name/op/openssh/module.nix
@@ -12,16 +12,40 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    /*
+     FIXME(@bpeetz):
+      This results in a boot error, as the `/var/lib/sshd` directory
+      is only mounted _after_ the stage 2 init and with it the system
+      activation. `agenix` needs the sshd hostkey however to decrypt the
+      secrets and thus we have to ensure that this directory is mounted
+      _before_ the system activation. Alas the only way I see to achieve
+      that is to store the ssh hostkey directly on /srv, which is mounted
+      before (it's marked as 'neededForBoot' after all).
+
+      It should be possible to achieve this with impermanence however,
+      as `/var/log` is mounted in the stage 1 init; The problem is that
+      I have no idea _why_ only this is mounted and nothing else.
+
+
+    vhack.persist.directories = [
+      {
+        directory = "/var/lib/sshd";
+        user = "root";
+        group = "root";
+        mode = "0755";
+      }
+    ];
+    */
+
     services.openssh = {
       enable = true;
       settings.PasswordAuthentication = false;
       hostKeys = [
         {
-          # See the explanation for this in /system/impermanence/mods/openssh.nix
-          # path = "/var/lib/sshd/ssh_host_ed25519_key";
-
-          # FIXME: Remove this workaround
+          # FIXME: Remove the dependency on `/srv` this workaround.
+          # See the explanation for using `/srv` above.
           path = "/srv/var/lib/sshd/ssh_host_ed25519_key";
+
           rounds = 1000;
           type = "ed25519";
         }