diff options
Diffstat (limited to 'modules/by-name/op')
-rw-r--r-- | modules/by-name/op/openssh/module.nix | 32 |
1 files changed, 28 insertions, 4 deletions
diff --git a/modules/by-name/op/openssh/module.nix b/modules/by-name/op/openssh/module.nix index 30d16a6..49290b9 100644 --- a/modules/by-name/op/openssh/module.nix +++ b/modules/by-name/op/openssh/module.nix @@ -12,16 +12,40 @@ in { }; config = lib.mkIf cfg.enable { + /* + FIXME(@bpeetz): + This results in a boot error, as the `/var/lib/sshd` directory + is only mounted _after_ the stage 2 init and with it the system + activation. `agenix` needs the sshd hostkey however to decrypt the + secrets and thus we have to ensure that this directory is mounted + _before_ the system activation. Alas the only way I see to achieve + that is to store the ssh hostkey directly on /srv, which is mounted + before (it's marked as 'neededForBoot' after all). + + It should be possible to achieve this with impermanence however, + as `/var/log` is mounted in the stage 1 init; The problem is that + I have no idea _why_ only this is mounted and nothing else. + + + vhack.persist.directories = [ + { + directory = "/var/lib/sshd"; + user = "root"; + group = "root"; + mode = "0755"; + } + ]; + */ + services.openssh = { enable = true; settings.PasswordAuthentication = false; hostKeys = [ { - # See the explanation for this in /system/impermanence/mods/openssh.nix - # path = "/var/lib/sshd/ssh_host_ed25519_key"; - - # FIXME: Remove this workaround + # FIXME: Remove the dependency on `/srv` this workaround. + # See the explanation for using `/srv` above. path = "/srv/var/lib/sshd/ssh_host_ed25519_key"; + rounds = 1000; type = "ed25519"; } |