Lithospherical/nix-config
1
0
Fork 0
forked from jan-leila/nix-config
Code Pull requests Activity

added auto key generation to ssh

Browse source
This commit is contained in:
Leyla Becker 2025-01-04 15:20:51 -06:00
parent 994234c18b
commit e2d3bb5d01
4 changed files with 104 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

4
README.md
View file

@ -1,3 +1,7 @@
# nix-config
# Hosts # Hosts
## Host Map ## Host Map

1
configurations/home-manager/leyla/impermanence.nix
View file

@ -9,7 +9,6 @@
"desktop" "desktop"
"downloads" "downloads"
"documents" "documents"
".ssh"
{ {
directory = ".local/share/Steam"; directory = ".local/share/Steam";
method = "symlink"; method = "symlink";

100
modules/home-manager-modules/openssh.nix
View file

@ -1,8 +1,102 @@
{lib, ...}: { {
options.programs = { pkgs,
openssh.authorizedKeys = lib.mkOption { config,
osConfig,
lib,
...
}: {
options.programs.openssh = {
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
}; };
hostKeys = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
default = [
{
type = "rsa";
bits = 4096;
path = ".ssh/${config.home.username}_${osConfig.networking.hostName}_rsa";
}
{
type = "ed25519";
path = ".ssh/${config.home.username}_${osConfig.networking.hostName}_ed25519";
}
];
example = [
{
type = "rsa";
bits = 4096;
path = ".ssh/${config.home.username}_${osConfig.networking.hostName}_rsa";
rounds = 100;
openSSHFormat = true;
}
{
type = "ed25519";
path = ".ssh/${config.home.username}_${osConfig.networking.hostName}_ed25519";
rounds = 100;
comment = "key comment";
}
];
description = ''
NixOS can automatically generate SSH host keys. This option
specifies the path, type and size of each key. See
{manpage}`ssh-keygen(1)` for supported types
and sizes. Paths are relative to home directory
'';
};
};
config = lib.mkMerge [
{
systemd.user.services."${config.home.username}-ssh-keygen" = {
Unit = {
description = "Generate SSH keys for user";
};
Install = {
wantedBy = ["sshd.target" "multi-user.target" "default.target"];
};
Service = {
ExecStart = "${
pkgs.writeShellScript "ssh-keygen"
''
# Make sure we don't write to stdout, since in case of
# socket activation, it goes to the remote side (#19589).
exec >&2
${lib.flip lib.concatMapStrings config.programs.openssh.hostKeys (k: let
path = "${config.home.homeDirectory}/${k.path}";
in ''
if ! [ -s "${path}" ]; then
if ! [ -h "${path}" ]; then
rm -f "${path}"
fi
mkdir -p "$(dirname '${path}')"
chmod 0755 "$(dirname '${path}')"
ssh-keygen \
-t "${k.type}" \
${lib.optionalString (k ? bits) "-b ${toString k.bits}"} \
${lib.optionalString (k ? rounds) "-a ${toString k.rounds}"} \
${lib.optionalString (k ? comment) "-C '${k.comment}'"} \
${lib.optionalString (k ? openSSHFormat && k.openSSHFormat) "-o"} \
-f "${path}" \
-N ""
fi
'')}
''
}";
KillMode = "process";
Restart = "always";
Type = "simple";
};
}; };
} }
(lib.mkIf osConfig.host.impermanence.enable {
home.persistence."/persist${config.home.homeDirectory}" = {
files = lib.lists.flatten (
builtins.map (hostKey: [hostKey.path "${hostKey.path}.pub"]) config.programs.openssh.hostKeys
);
};
})
];
}

9
modules/nixos-modules/ssh.nix
View file

@ -19,12 +19,9 @@
} }
(lib.mkIf config.host.impermanence.enable { (lib.mkIf config.host.impermanence.enable {
environment.persistence."/persist/system/root" = { environment.persistence."/persist/system/root" = {
files = [ files = lib.lists.flatten (
"/etc/ssh/ssh_host_ed25519_key" builtins.map (hostKey: [hostKey.path "${hostKey.path}.pub"]) config.services.openssh.hostKeys
"/etc/ssh/ssh_host_ed25519_key.pub" );
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
}; };
}) })
]; ];