ssh options

This commit is contained in:
John Lancaster
2026-03-29 16:53:54 -05:00
parent 0cf3f05df2
commit e0abbd6b90
2 changed files with 13 additions and 16 deletions
+12 -15
@@ -4,32 +4,29 @@ let
sshHostCAPubKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ="; sshHostCAPubKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";
in in
{ {
flake.modules.nixos.ssh = { pkgs, config, lib, ... }: flake.modules.nixos.ssh = { config, pkgs, lib, ... }:
let let
cfg = config.ssh; cfg = config.ssh;
userCAPath = "ssh/ssh_user_ca.pub"; configDir = "/etc/ssh";
in in
{ {
options.ssh = { options.ssh = {
configDir = lib.mkOption {
description = "String path to the host SSH config directory";
type = lib.types.str;
default = "/etc/ssh";
};
hostKey = lib.mkOption { hostKey = lib.mkOption {
description = "String path to the host private key file"; description = "String path to the host private key file";
type = lib.types.str; type = lib.types.str;
default = "${cfg.configDir}/ssh_host_ed25519_key"; default = "ssh_host_ed25519_key";
}; };
certificates = { certificates = {
enable = lib.mkEnableOption "Enable SSH host certificates"; enable = lib.mkEnableOption "Enable SSH host certificates";
userCA = lib.mkOption { userCA = lib.mkOption {
description = "Content for the SSH user CA file (public key)";
type = lib.types.path; type = lib.types.path;
default = ../../keys/ssh_user_ca.pub; default = ../hosts/janus/ssh_user_ca.pub;
}; };
userCAPath = lib.mkOption { userCAFile = lib.mkOption {
description = "String path to the SSh user CA";
type = lib.types.str; type = lib.types.str;
default = "${cfg.configDir}/ssh_user_ca.pub"; default = "ssh_user_ca.pub";
}; };
}; };
}; };
@@ -42,16 +39,16 @@ in
{ {
PasswordAuthentication = false; PasswordAuthentication = false;
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;
HostKey = cfg.hostKey; HostKey = "${configDir}/${cfg.hostKey}";
} }
(lib.mkIf cfg.certificates.enable { (lib.mkIf cfg.certificates.enable {
TrustedUserCAKeys = cfg.certificates.userCAPath; TrustedUserCAKeys = "${configDir}/${cfg.certificates.userCAFile}";
HostCertificate = "${cfg.hostKey}-cert.pub"; HostCertificate = "${configDir}/${cfg.hostKey}-cert.pub";
}) })
]; ];
}; };
environment.etc."${userCAPath}" = lib.mkIf cfg.certificates.enable { environment.etc."ssh/${cfg.certificates.userCAFile}" = lib.mkIf cfg.certificates.enable {
source = cfg.certificates.userCA; source = cfg.certificates.userCA;
}; };