fixed ssh key generation
This commit is contained in:
parent
caa08f1c18
commit
0c5b21d60a
2 changed files with 58 additions and 52 deletions
|
|
@ -1,6 +1,7 @@
|
||||||
{
|
{
|
||||||
pkgs,
|
pkgs,
|
||||||
osConfig,
|
osConfig,
|
||||||
|
config,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
|
|
@ -106,9 +107,18 @@
|
||||||
};
|
};
|
||||||
bash.enable = true;
|
bash.enable = true;
|
||||||
|
|
||||||
openssh.authorizedKeys = [
|
openssh = {
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHeItmt8TRW43uNcOC+eIurYC7Eunc0V3LGocQqLaYj leyla@horizon"
|
authorizedKeys = [
|
||||||
];
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHeItmt8TRW43uNcOC+eIurYC7Eunc0V3LGocQqLaYj leyla@horizon"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILimFIW2exEH/Xo7LtXkqgE04qusvnPNpPWSCeNrFkP leyla@defiant"
|
||||||
|
];
|
||||||
|
hostKeys = [
|
||||||
|
{
|
||||||
|
type = "ed25519";
|
||||||
|
path = "${config.home.username}_${osConfig.networking.hostName}_ed25519";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
dconf = {
|
dconf = {
|
||||||
|
|
|
||||||
|
|
@ -12,23 +12,18 @@
|
||||||
};
|
};
|
||||||
hostKeys = lib.mkOption {
|
hostKeys = lib.mkOption {
|
||||||
type = lib.types.listOf lib.types.attrs;
|
type = lib.types.listOf lib.types.attrs;
|
||||||
default = [
|
default = [];
|
||||||
{
|
|
||||||
type = "ed25519";
|
|
||||||
path = ".ssh/${config.home.username}_${osConfig.networking.hostName}_ed25519";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
example = [
|
example = [
|
||||||
{
|
{
|
||||||
type = "rsa";
|
type = "rsa";
|
||||||
bits = 4096;
|
bits = 4096;
|
||||||
path = ".ssh/${config.home.username}_${osConfig.networking.hostName}_rsa";
|
path = "${config.home.username}_${osConfig.networking.hostName}_rsa";
|
||||||
rounds = 100;
|
rounds = 100;
|
||||||
openSSHFormat = true;
|
openSSHFormat = true;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
type = "ed25519";
|
type = "ed25519";
|
||||||
path = ".ssh/${config.home.username}_${osConfig.networking.hostName}_ed25519";
|
path = "${config.home.username}_${osConfig.networking.hostName}_ed25519";
|
||||||
rounds = 100;
|
rounds = 100;
|
||||||
comment = "key comment";
|
comment = "key comment";
|
||||||
}
|
}
|
||||||
|
|
@ -43,53 +38,54 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkMerge [
|
config = lib.mkMerge [
|
||||||
{
|
(
|
||||||
systemd.user.services."${config.home.username}-ssh-keygen" = {
|
lib.mkIf ((builtins.length config.programs.openssh.hostKeys) != 0) {
|
||||||
Unit = {
|
services.ssh-agent.enable = true;
|
||||||
description = "Generate SSH keys for user";
|
programs.ssh = {
|
||||||
|
enable = true;
|
||||||
|
addKeysToAgent = "yes";
|
||||||
};
|
};
|
||||||
Install = {
|
|
||||||
wantedBy = ["sshd.target" "multi-user.target" "default.target"];
|
|
||||||
};
|
|
||||||
Service = {
|
|
||||||
ExecStart = "${
|
|
||||||
pkgs.writeShellScript "ssh-keygen"
|
|
||||||
''
|
|
||||||
# Make sure we don't write to stdout, since in case of
|
|
||||||
# socket activation, it goes to the remote side (#19589).
|
|
||||||
exec >&2
|
|
||||||
|
|
||||||
${lib.flip lib.concatMapStrings config.programs.openssh.hostKeys (k: let
|
systemd.user.services = builtins.listToAttrs (
|
||||||
path = "${config.home.homeDirectory}/${k.path}";
|
builtins.map (hostKey:
|
||||||
in ''
|
lib.attrsets.nameValuePair "ssh-gen-keys-${hostKey.path}" {
|
||||||
if ! [ -s "${path}" ]; then
|
Install = {
|
||||||
if ! [ -h "${path}" ]; then
|
WantedBy = ["default.target"];
|
||||||
rm -f "${path}"
|
};
|
||||||
|
Service = let
|
||||||
|
path = "${config.home.homeDirectory}/.ssh/${hostKey.path}";
|
||||||
|
in {
|
||||||
|
Restart = "always";
|
||||||
|
Type = "simple";
|
||||||
|
ExecStart = "${
|
||||||
|
pkgs.writeShellScript "ssh-gen-keys" ''
|
||||||
|
if ! [ -s "${path}" ]; then
|
||||||
|
if ! [ -h "${path}" ]; then
|
||||||
|
rm -f "${path}"
|
||||||
|
fi
|
||||||
|
mkdir -p "$(dirname '${path}')"
|
||||||
|
chmod 0755 "$(dirname '${path}')"
|
||||||
|
${pkgs.openssh}/bin/ssh-keygen \
|
||||||
|
-t "${hostKey.type}" \
|
||||||
|
${lib.optionalString (hostKey ? bits) "-b ${toString hostKey.bits}"} \
|
||||||
|
${lib.optionalString (hostKey ? rounds) "-a ${toString hostKey.rounds}"} \
|
||||||
|
${lib.optionalString (hostKey ? comment) "-C '${hostKey.comment}'"} \
|
||||||
|
${lib.optionalString (hostKey ? openSSHFormat && hostKey.openSSHFormat) "-o"} \
|
||||||
|
-f "${path}" \
|
||||||
|
-N ""
|
||||||
fi
|
fi
|
||||||
mkdir -p "$(dirname '${path}')"
|
''
|
||||||
chmod 0755 "$(dirname '${path}')"
|
}";
|
||||||
ssh-keygen \
|
};
|
||||||
-t "${k.type}" \
|
})
|
||||||
${lib.optionalString (k ? bits) "-b ${toString k.bits}"} \
|
config.programs.openssh.hostKeys
|
||||||
${lib.optionalString (k ? rounds) "-a ${toString k.rounds}"} \
|
);
|
||||||
${lib.optionalString (k ? comment) "-C '${k.comment}'"} \
|
}
|
||||||
${lib.optionalString (k ? openSSHFormat && k.openSSHFormat) "-o"} \
|
)
|
||||||
-f "${path}" \
|
|
||||||
-N ""
|
|
||||||
fi
|
|
||||||
'')}
|
|
||||||
''
|
|
||||||
}";
|
|
||||||
KillMode = "process";
|
|
||||||
Restart = "always";
|
|
||||||
Type = "simple";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
(lib.mkIf osConfig.host.impermanence.enable {
|
(lib.mkIf osConfig.host.impermanence.enable {
|
||||||
home.persistence."/persist${config.home.homeDirectory}" = {
|
home.persistence."/persist${config.home.homeDirectory}" = {
|
||||||
files = lib.lists.flatten (
|
files = lib.lists.flatten (
|
||||||
builtins.map (hostKey: [hostKey.path "${hostKey.path}.pub"]) config.programs.openssh.hostKeys
|
builtins.map (hostKey: [".ssh/${hostKey.path}" ".ssh/${hostKey.path}.pub"]) config.programs.openssh.hostKeys
|
||||||
);
|
);
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue