ssh: fix ssh_host_key perms

ssh: move to seperate file
update
2025-12-12 21:18:51 -05:00 · 2025-12-12 21:09:39 -05:00 · 2025-12-12 15:53:53 -05:00
3 changed files with 56 additions and 42 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -45,6 +45,8 @@
    ./services/caddy_senior_project.nix

    ./services/graphing-calculator.nix
+
+    ./services/ssh.nix
  ];

  services.kmscon.enable = true;
@@ -122,19 +124,6 @@
  # Set your time zone.
  time.timeZone = "America/New_York";

-  # Enable the OpenSSH daemon.
-  services.openssh = {
-    enable = true;
-    settings = {
-      AllowUsers = [
-        username
-        "root"
-      ];
-      PasswordAuthentication = false;
-      PermitRootLogin = "yes"; # for deploying configs
-    };
-  };
-
  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
@@ -236,20 +225,9 @@
      "render"
      service_configs.media_group
    ];
-
-    # TODO! use proper secrets management
    hashedPasswordFile = config.age.secrets.hashedPass.path;
-
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
-    ];
  };

-  # used for deploying configs to server
-  users.users.root.openssh.authorizedKeys.keys =
-    config.users.users.${username}.openssh.authorizedKeys.keys;
-
  # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
  programs.fish.enable = true;
  programs.bash = {
--- a/flake.lock
+++ b/flake.lock
@@ -89,11 +89,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764627417,
-        "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=",
+        "lastModified": 1765326679,
+        "narHash": "sha256-fTLX9kDwLr9Y0rH/nG+h1XG5UU+jBcy0PFYn5eneRX8=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3",
+        "rev": "d64e5cdca35b5fad7c504f615357a7afe6d9c49e",
        "type": "github"
      },
      "original": {
@@ -315,11 +315,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1765225799,
-        "narHash": "sha256-KVmXm5JOf9nydqW6XKwIMnoSXIM3eW4PnLamZq0vPaU=",
+        "lastModified": 1765570488,
+        "narHash": "sha256-NRjxrG+dog+IrnsimWIdf55iw/JKuyLSLi0mtpzhwsQ=",
        "owner": "ggml-org",
        "repo": "llama.cpp",
-        "rev": "c8554b66e0ed397f7457ed5f3ce3b466dd508d5c",
+        "rev": "e39a2ce66d0a61915f22097e5453e291618b3518",
        "type": "github"
      },
      "original": {
@@ -337,11 +337,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1765245994,
-        "narHash": "sha256-6mra5F/nfee/MXqSXMSxSpjll6U/jfo8D9X+5H2ldmM=",
+        "lastModified": 1765332486,
+        "narHash": "sha256-nVTejyI8w3ePrX4tW3lBLLg3DheqhRuxtiRefT+ynrk=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
-        "rev": "b83769c7fd3f3ab87221fdfda23f454ae95efc46",
+        "rev": "a3bdc14045dc7e5fb7a94ab11064766f472279eb",
        "type": "github"
      },
      "original": {
@@ -368,11 +368,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1764939437,
-        "narHash": "sha256-4TLFHUwXraw9Df5mXC/vCrJgb50CRr3CzUzF0Mn3CII=",
+        "lastModified": 1765363881,
+        "narHash": "sha256-3C3xWn8/2Zzr7sxVBmpc1H1QfxjNfta5IMFe3O9ZEPw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "00d2457e2f608b4be6fe8b470b0a36816324b0ae",
+        "rev": "d2b1213bf5ec5e62d96b003ab4b5cbc42abfc0d0",
        "type": "github"
      },
      "original": {
@@ -518,11 +518,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1765156605,
-        "narHash": "sha256-dH66lgYsikQlCVs+Vf6qaVAKaS8+fWX8qwvk5XOSELA=",
+        "lastModified": 1765415765,
+        "narHash": "sha256-DNEUksb+s7DbwahAlIZ4v/BUFUacOqGklCbjgAHZb4k=",
        "owner": "nix-community",
        "repo": "srvos",
-        "rev": "eab576cec5e21e0ab7767b2542e833edfdc17283",
+        "rev": "a9e46dc439591c67337a0caf0beebb5a73ed9a86",
        "type": "github"
      },
      "original": {
@@ -594,11 +594,11 @@
    "trackerlist": {
      "flake": false,
      "locked": {
-        "lastModified": 1765235267,
-        "narHash": "sha256-3WmboyoGGhQM/gqR5hM+O2mHcpIhNO1BKL3bCSlXsV4=",
+        "lastModified": 1765537992,
+        "narHash": "sha256-hJRdbxE5P3ze7Y9GtXMGuntZbTk8u5bYUYO/4l0fMAw=",
        "owner": "ngosang",
        "repo": "trackerslist",
-        "rev": "42643f66c914e674a9d1fb3a6f5cbf3a2cd6c80b",
+        "rev": "78a497bc7f81b395a4453ea5e5c24cab86bd4a54",
        "type": "github"
      },
      "original": {
--- a/services/ssh.nix
+++ b/services/ssh.nix
@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  pkgs,
+  username,
+  ...
+}:
+{
+  # Enable the OpenSSH daemon.
+  services.openssh = {
+    enable = true;
+    settings = {
+      AllowUsers = [
+        username
+        "root"
+      ];
+      PasswordAuthentication = false;
+      PermitRootLogin = "yes"; # for deploying configs
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "Z /etc/ssh 755 root root"
+    "Z /etc/ssh/ssh_host_* 600 root root"
+  ];
+
+  users.users.${username}.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
+  ];
+
+  # used for deploying configs to server
+  users.users.root.openssh.authorizedKeys.keys =
+    config.users.users.${username}.openssh.authorizedKeys.keys;
+
+}
Author	SHA1	Message	Date
Simon Gardling	74d0620334	ssh: fix ssh_host_key perms	2025-12-12 21:18:51 -05:00
Simon Gardling	a5112e322e	ssh: move to seperate file	2025-12-12 21:09:39 -05:00
Simon Gardling	5ae54b8981	update	2025-12-12 15:53:53 -05:00