ssh: fix ssh_host_key perms

configuration.nix

@@ -45,6 +45,8 @@
     ./services/caddy_senior_project.nix
 
     ./services/graphing-calculator.nix
+
+    ./services/ssh.nix
   ];
 
   services.kmscon.enable = true;
@@ -122,19 +124,6 @@
   # Set your time zone.
   time.timeZone = "America/New_York";
 
-  # Enable the OpenSSH daemon.
-  services.openssh = {
-    enable = true;
-    settings = {
-      AllowUsers = [
-        username
-        "root"
-      ];
-      PasswordAuthentication = false;
-      PermitRootLogin = "yes"; # for deploying configs
-    };
-  };
-
   hardware.graphics = {
     enable = true;
     extraPackages = with pkgs; [
@@ -236,20 +225,9 @@
       "render"
       service_configs.media_group
     ];
-
-    # TODO! use proper secrets management
     hashedPasswordFile = config.age.secrets.hashedPass.path;
-
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
-    ];
   };
 
-  # used for deploying configs to server
-  users.users.root.openssh.authorizedKeys.keys =
-    config.users.users.${username}.openssh.authorizedKeys.keys;
-
   # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
   programs.fish.enable = true;
   programs.bash = {

flake.lock

@@ -89,11 +89,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764627417,
+        "lastModified": 1765326679,
-        "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=",
+        "narHash": "sha256-fTLX9kDwLr9Y0rH/nG+h1XG5UU+jBcy0PFYn5eneRX8=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3",
+        "rev": "d64e5cdca35b5fad7c504f615357a7afe6d9c49e",
         "type": "github"
       },
       "original": {
@@ -315,11 +315,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765225799,
+        "lastModified": 1765570488,
-        "narHash": "sha256-KVmXm5JOf9nydqW6XKwIMnoSXIM3eW4PnLamZq0vPaU=",
+        "narHash": "sha256-NRjxrG+dog+IrnsimWIdf55iw/JKuyLSLi0mtpzhwsQ=",
         "owner": "ggml-org",
         "repo": "llama.cpp",
-        "rev": "c8554b66e0ed397f7457ed5f3ce3b466dd508d5c",
+        "rev": "e39a2ce66d0a61915f22097e5453e291618b3518",
         "type": "github"
       },
       "original": {
@@ -337,11 +337,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765245994,
+        "lastModified": 1765332486,
-        "narHash": "sha256-6mra5F/nfee/MXqSXMSxSpjll6U/jfo8D9X+5H2ldmM=",
+        "narHash": "sha256-nVTejyI8w3ePrX4tW3lBLLg3DheqhRuxtiRefT+ynrk=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "b83769c7fd3f3ab87221fdfda23f454ae95efc46",
+        "rev": "a3bdc14045dc7e5fb7a94ab11064766f472279eb",
         "type": "github"
       },
       "original": {
@@ -368,11 +368,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1764939437,
+        "lastModified": 1765363881,
-        "narHash": "sha256-4TLFHUwXraw9Df5mXC/vCrJgb50CRr3CzUzF0Mn3CII=",
+        "narHash": "sha256-3C3xWn8/2Zzr7sxVBmpc1H1QfxjNfta5IMFe3O9ZEPw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "00d2457e2f608b4be6fe8b470b0a36816324b0ae",
+        "rev": "d2b1213bf5ec5e62d96b003ab4b5cbc42abfc0d0",
         "type": "github"
       },
       "original": {
@@ -518,11 +518,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765156605,
+        "lastModified": 1765415765,
-        "narHash": "sha256-dH66lgYsikQlCVs+Vf6qaVAKaS8+fWX8qwvk5XOSELA=",
+        "narHash": "sha256-DNEUksb+s7DbwahAlIZ4v/BUFUacOqGklCbjgAHZb4k=",
         "owner": "nix-community",
         "repo": "srvos",
-        "rev": "eab576cec5e21e0ab7767b2542e833edfdc17283",
+        "rev": "a9e46dc439591c67337a0caf0beebb5a73ed9a86",
         "type": "github"
       },
       "original": {
@@ -594,11 +594,11 @@
     "trackerlist": {
       "flake": false,
       "locked": {
-        "lastModified": 1765235267,
+        "lastModified": 1765537992,
-        "narHash": "sha256-3WmboyoGGhQM/gqR5hM+O2mHcpIhNO1BKL3bCSlXsV4=",
+        "narHash": "sha256-hJRdbxE5P3ze7Y9GtXMGuntZbTk8u5bYUYO/4l0fMAw=",
         "owner": "ngosang",
         "repo": "trackerslist",
-        "rev": "42643f66c914e674a9d1fb3a6f5cbf3a2cd6c80b",
+        "rev": "78a497bc7f81b395a4453ea5e5c24cab86bd4a54",
         "type": "github"
       },
       "original": {

services/ssh.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  pkgs,
+  username,
+  ...
+}:
+{
+  # Enable the OpenSSH daemon.
+  services.openssh = {
+    enable = true;
+    settings = {
+      AllowUsers = [
+        username
+        "root"
+      ];
+      PasswordAuthentication = false;
+      PermitRootLogin = "yes"; # for deploying configs
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "Z /etc/ssh 755 root root"
+    "Z /etc/ssh/ssh_host_* 600 root root"
+  ];
+
+  users.users.${username}.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
+  ];
+
+  # used for deploying configs to server
+  users.users.root.openssh.authorizedKeys.keys =
+    config.users.users.${username}.openssh.authorizedKeys.keys;
+
+}