Generate accepted public key files through sops.

2023-09-11 19:31:15 +02:00 · 2023-09-11 19:31:15 +02:00 · 8edba95021
commit 8edba95021
parent 9878b40111
2 changed files with 8 additions and 5 deletions
--- a/config/users.nix
+++ b/config/users.nix
@ -27,10 +27,6 @@ let
        ++ (optional withPodman "podman");
      shell = "${pkgs.zsh}/bin/zsh";
      passwordFile = passPath;
-      # TODO: Fix for sops
-      # openssh.authorizedKeys.keyFiles = optional
-      #   (cfg.openssh.enable && (builtins.pathExists "${passPath}.pub"))
-      #   "${passPath}.pub";
    };
  };

--- a/services/openssh.nix
+++ b/services/openssh.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, fn, ... }:

 # For reference:
 # https://infosec.mozilla.org/guidelines/openssh.html
@ -25,4 +25,11 @@ mkIf (elem "openssh" config.machine.services) {
        LogLevel VERBOSE
    '';
  };
+  # Add public keys to /etc/ssh/authorized_keys.d
+  # This replaces users.users.*.openssh.authorizedKeys.*
+  sops.secrets = (fn.sopsHelper
+    (user: "users/${user.name}/publicKey")
+    config.machine.administrators
+    (user: { path = "/etc/ssh/authorized_keys.d/${user.name}"; mode = "444"; })
+  );
 }