john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ssh options

Browse Source
This commit is contained in:
John Lancaster
2026-03-29 16:53:54 -05:00
parent 0cf3f05df2
commit e0abbd6b90
2 changed files with 13 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
keys/ssh_user_ca.pub → modules/hosts/janus/ssh_user_ca.pub
View File
modules/services/ssh.nix
+12 -15
View File
@@ -4,32 +4,29 @@ let
sshHostCAPubKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";
in
{
flake.modules.nixos.ssh = { pkgs, config, lib, ... }:
flake.modules.nixos.ssh = { config, pkgs, lib, ... }:
let
cfg = config.ssh;
userCAPath = "ssh/ssh_user_ca.pub";
configDir = "/etc/ssh";
in
{
options.ssh = {
configDir = lib.mkOption {
description = "String path to the host SSH config directory";
type = lib.types.str;
default = "/etc/ssh";
};
hostKey = lib.mkOption {
description = "String path to the host private key file";
type = lib.types.str;
default = "${cfg.configDir}/ssh_host_ed25519_key";
default = "ssh_host_ed25519_key";
};
certificates = {
enable = lib.mkEnableOption "Enable SSH host certificates";
userCA = lib.mkOption {
description = "Content for the SSH user CA file (public key)";
type = lib.types.path;
default = ../../keys/ssh_user_ca.pub;
default = ../hosts/janus/ssh_user_ca.pub;
};
userCAPath = lib.mkOption {
userCAFile = lib.mkOption {
description = "String path to the SSh user CA";
type = lib.types.str;
default = "${cfg.configDir}/ssh_user_ca.pub";
default = "ssh_user_ca.pub";
};
};
};
@@ -42,16 +39,16 @@ in
{
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
HostKey = cfg.hostKey;
HostKey = "${configDir}/${cfg.hostKey}";
}
(lib.mkIf cfg.certificates.enable {
TrustedUserCAKeys = cfg.certificates.userCAPath;
HostCertificate = "${cfg.hostKey}-cert.pub";
TrustedUserCAKeys = "${configDir}/${cfg.certificates.userCAFile}";
HostCertificate = "${configDir}/${cfg.hostKey}-cert.pub";
})
];
};
environment.etc."${userCAPath}" = lib.mkIf cfg.certificates.enable {
environment.etc."ssh/${cfg.certificates.userCAFile}" = lib.mkIf cfg.certificates.enable {
source = cfg.certificates.userCA;
};