From 8edba9502150ff9cd7567526a51964d6c8703a42 Mon Sep 17 00:00:00 2001
From: derped
Date: Mon, 11 Sep 2023 19:31:15 +0200
Subject: [PATCH] Generate accepted public key files through sops.

---
 config/users.nix | 4 ----
 services/openssh.nix | 9 ++++++++-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/config/users.nix b/config/users.nix
index 8fc973a..5ad3bfd 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -27,10 +27,6 @@ let
 ++ (optional withPodman "podman");
 shell = "${pkgs.zsh}/bin/zsh";
 passwordFile = passPath;
- # TODO: Fix for sops
- # openssh.authorizedKeys.keyFiles = optional
- # (cfg.openssh.enable && (builtins.pathExists "${passPath}.pub"))
- # "${passPath}.pub";
 };
 };
 
diff --git a/services/openssh.nix b/services/openssh.nix
index 3c239a4..5521536 100644
--- a/services/openssh.nix
+++ b/services/openssh.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, fn, ... }:
 # For reference:
 # https://infosec.mozilla.org/guidelines/openssh.html
 
@@ -25,4 +25,11 @@ mkIf (elem "openssh" config.machine.services) {
 LogLevel VERBOSE
 '';
 };
+ # Add public keys to /etc/ssh/authorized_keys.d
+ # This replaces users.users.*.openssh.authorizedKeys.*
+ sops.secrets = (fn.sopsHelper
+ (user: "users/${user.name}/publicKey")
+ config.machine.administrators
+ (user: { path = "/etc/ssh/authorized_keys.d/${user.name}"; mode = "444"; })
+ );
 }
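Review bot: The new `sops.secrets` entry in the second openssh.nix hunk sets `mode = "444"` but says nothing about ownership, and sshd under its default `StrictModes yes` only honours an authorized-keys file whose path components are owned by root or the login user and are not writable by group or others, so a comment such as `# 444 with default root ownership: sshd's StrictModes check ignores the file if it is group/world-writable; the content is a public key, so world-readable is intended.` would record the constraint for the next reader. It is also worth confirming that `services.openssh.authorizedKeysFiles` still includes `/etc/ssh/authorized_keys.d/%u` on this host and that no user keeps `users.users.<name>.openssh.authorizedKeys.*` set, because NixOS materialises that option at the same `/etc/ssh/authorized_keys.d/<name>` path and the two definitions would collide, which is presumably why the commented-out `keyFiles` block in users.nix is removed here. Whether a missing `users/<name>/publicKey` entry for any member of `config.machine.administrators` fails activation depends on `fn.sopsHelper`, which is outside the hunk and cannot be checked from here.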