Generate accepted public key files through sops.

This commit is contained in:
Kevin Baensch 2023-09-11 19:31:15 +02:00
parent 9878b40111
commit 8edba95021
Signed by: derped
GPG key ID: C0F1D326C7626543
2 changed files with 8 additions and 5 deletions


@ -27,10 +27,6 @@ let
++ (optional withPodman "podman"); ++ (optional withPodman "podman");
shell = "${pkgs.zsh}/bin/zsh"; shell = "${pkgs.zsh}/bin/zsh";
passwordFile = passPath; passwordFile = passPath;
# TODO: Fix for sops
# openssh.authorizedKeys.keyFiles = optional
# (cfg.openssh.enable && (builtins.pathExists "${passPath}.pub"))
# "${passPath}.pub";
}; };
}; };


@ -1,4 +1,4 @@
{ config, lib, ... }: { config, lib, fn, ... }:
# For reference: # For reference:
# https://infosec.mozilla.org/guidelines/openssh.html # https://infosec.mozilla.org/guidelines/openssh.html
@ -25,4 +25,11 @@ mkIf (elem "openssh" config.machine.services) {
LogLevel VERBOSE LogLevel VERBOSE
''; '';
}; };
# Add public keys to /etc/ssh/authorized_keys.d
# This replaces users.users.*.openssh.authorizedKeys.*
sops.secrets = (fn.sopsHelper
(user: "users/${user.name}/publicKey")
config.machine.administrators
(user: { path = "/etc/ssh/authorized_keys.d/${user.name}"; mode = "444"; })
);
} }
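Review bot: The new `sops.secrets` entry makes SSH key login for every administrator depend on a sops decryption succeeding at activation, and nothing in the hunk states the conditions that make the resulting file usable by sshd: the path must be covered by sshd's `AuthorizedKeysFile` (the NixOS default does include `/etc/ssh/authorized_keys.d/%u`, but the `extraConfig` above is only partly visible), and with `StrictModes` the file and `/etc/ssh/authorized_keys.d` must be root-owned and not group/world-writable, so `mode = "444"` is sufficient only if sops keeps root ownership; a missing secret or a failed decrypt becomes a silent lockout rather than a build error. Since the other file in this commit drops the old `openssh.authorizedKeys.keyFiles` path, there is no longer a fallback, which is worth stating next to the declaration. I would extend the comment on the `sops.secrets` line to `# Requires sshd AuthorizedKeysFile to include /etc/ssh/authorized_keys.d/%u and the file to stay root-owned, not group/world-writable (StrictModes); if the sops secret is absent, key login for that admin is refused.` The semantics of `fn.sopsHelper` (whether it writes a regular file or a symlink, and what `owner` it sets) are not visible here and should be confirmed against that helper. The enclosing `mkIf … { … }` attrset begins outside the hunk.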