diff --git a/README.md b/README.md
index 6d5119d..626e3f2 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,7 @@
+# nix-config
+
+
+
 # Hosts
 
 ## Host Map
diff --git a/configurations/home-manager/leyla/impermanence.nix b/configurations/home-manager/leyla/impermanence.nix
index 3f85d14..b3d058d 100644
--- a/configurations/home-manager/leyla/impermanence.nix
+++ b/configurations/home-manager/leyla/impermanence.nix
@@ -9,7 +9,6 @@
 "desktop"
 "downloads"
 "documents"
- ".ssh"
 {
 directory = ".local/share/Steam";
 method = "symlink";
diff --git a/modules/home-manager-modules/openssh.nix b/modules/home-manager-modules/openssh.nix
index ef4f11f..4710cd9 100644
--- a/modules/home-manager-modules/openssh.nix
+++ b/modules/home-manager-modules/openssh.nix
@@ -1,8 +1,102 @@
-{lib, ...}: {
- options.programs = {
- openssh.authorizedKeys = lib.mkOption {
+{
+ pkgs,
+ config,
+ osConfig,
+ lib,
+ ...
+}: {
+ options.programs.openssh = {
+ authorizedKeys = lib.mkOption {
 type = lib.types.listOf lib.types.str;
 default = [];
 };
+ hostKeys = lib.mkOption {
+ type = lib.types.listOf lib.types.attrs;
+ default = [
+ {
+ type = "rsa";
+ bits = 4096;
+ path = ".ssh/${config.home.username}_${osConfig.networking.hostName}_rsa";
+ }
+ {
+ type = "ed25519";
+ path = ".ssh/${config.home.username}_${osConfig.networking.hostName}_ed25519";
+ }
+ ];
+ example = [
+ {
+ type = "rsa";
+ bits = 4096;
+ path = ".ssh/${config.home.username}_${osConfig.networking.hostName}_rsa";
+ rounds = 100;
+ openSSHFormat = true;
+ }
+ {
+ type = "ed25519";
+ path = ".ssh/${config.home.username}_${osConfig.networking.hostName}_ed25519";
+ rounds = 100;
+ comment = "key comment";
+ }
+ ];
+ description = ''
+ NixOS can automatically generate SSH host keys. This option
+ specifies the path, type and size of each key. See
+ {manpage}`ssh-keygen(1)` for supported types
+ and sizes. Paths are relative to home directory
+ '';
+ };
 };
+
+ config = lib.mkMerge [
+ {
+ systemd.user.services."${config.home.username}-ssh-keygen" = {
+ Unit = {
+ description = "Generate SSH keys for user";
+ };
+ Install = {
+ wantedBy = ["sshd.target" "multi-user.target" "default.target"];
+ };
+ Service = {
+ ExecStart = "${
+ pkgs.writeShellScript "ssh-keygen"
+ ''
+ # Make sure we don't write to stdout, since in case of
+ # socket activation, it goes to the remote side (#19589).
+ exec >&2
+
+ ${lib.flip lib.concatMapStrings config.programs.openssh.hostKeys (k: let
+ path = "${config.home.homeDirectory}/${k.path}";
+ in ''
+ if ! [ -s "${path}" ]; then
+ if ! [ -h "${path}" ]; then
+ rm -f "${path}"
+ fi
+ mkdir -p "$(dirname '${path}')"
+ chmod 0755 "$(dirname '${path}')"
+ ssh-keygen \
+ -t "${k.type}" \
+ ${lib.optionalString (k ? bits) "-b ${toString k.bits}"} \
+ ${lib.optionalString (k ? rounds) "-a ${toString k.rounds}"} \
+ ${lib.optionalString (k ? comment) "-C '${k.comment}'"} \
+ ${lib.optionalString (k ? openSSHFormat && k.openSSHFormat) "-o"} \
+ -f "${path}" \
+ -N ""
+ fi
+ '')}
+ ''
+ }";
+ KillMode = "process";
+ Restart = "always";
+ Type = "simple";
+ };
+ };
+ }
+ (lib.mkIf osConfig.host.impermanence.enable {
+ home.persistence."/persist${config.home.homeDirectory}" = {
+ files = lib.lists.flatten (
+ builtins.map (hostKey: [hostKey.path "${hostKey.path}.pub"]) config.programs.openssh.hostKeys
+ );
+ };
+ })
+ ];
 }
diff --git a/modules/nixos-modules/ssh.nix b/modules/nixos-modules/ssh.nix
index 69bd185..6f5fac1 100644
--- a/modules/nixos-modules/ssh.nix
+++ b/modules/nixos-modules/ssh.nix
@@ -19,12 +19,9 @@
 }
 (lib.mkIf config.host.impermanence.enable {
 environment.persistence."/persist/system/root" = {
- files = [
- "/etc/ssh/ssh_host_ed25519_key"
- "/etc/ssh/ssh_host_ed25519_key.pub"
- "/etc/ssh/ssh_host_rsa_key"
- "/etc/ssh/ssh_host_rsa_key.pub"
- ];
+ files = lib.lists.flatten (
+ builtins.map (hostKey: [hostKey.path "${hostKey.path}.pub"]) config.services.openssh.hostKeys
+ );
 };
 })
 ];
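Review bot: The `Service` block pairs `Type = "simple"` with `Restart = "always"` for a script that exits as soon as the keys exist, so systemd will restart the unit repeatedly until the start-rate limit trips and marks it failed; use `Type = "oneshot"; RemainAfterExit = true;` and drop `Restart` (and note that `sshd.target` and `multi-user.target` in `wantedBy` are system-manager targets, so in a user unit only `default.target` takes effect). `chmod 0755 "$(dirname '${path}')"` leaves `~/.ssh` readable and traversable by every other user on the host; the directory holding a private key should be `chmod 0700`. `-C '${k.comment}'` and the single-quoted `'${path}'` are spliced into the shell script without escaping, so a comment or path containing a quote breaks the generated script — `lib.escapeShellArg` is the idiom for both. The keys are created with `-N ""` (no passphrase) and the option `description` is copied from the NixOS sshd module and still says "host keys"; it should state that these are per-user keys generated without a passphrase and stored under the home directory. The `home.persistence` block only keeps the generated key pairs, while the impermanence.nix hunk on L1 removes the whole `.ssh` directory from persistence, so `known_hosts`, `authorized_keys` and `config` are lost on reboot unless persisted elsewhere — worth confirming, because a recreated `known_hosts` re-prompts trust for every host on each boot.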
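Review bot: `lib.lists.flatten (builtins.map (hostKey: [ ... ]) ...)` is the long form of `files = lib.concatMap (k: [k.path "${k.path}.pub"]) config.services.openssh.hostKeys;`, and the same shape is used in the openssh.nix hunk, so both could use the shorter idiom. The persisted set is now only as complete as `services.openssh.hostKeys`; a host key declared outside that option (for example via sshd `extraConfig`) would no longer survive a reboot, which a one-line comment above `files` should say. The enclosing `lib.mkMerge` list starts outside the hunk.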