Pass in SSH keys

2024-06-02 16:56:56 -07:00 · 2024-06-02 16:56:56 -07:00 · 8f1bc956d1
parent e9e7d25ba8
commit 8f1bc956d1
1 changed files with 18 additions and 3 deletions
--- a/paris-container.nix
+++ b/paris-container.nix
@ -10,6 +10,10 @@ let

  hostSecrets = config.fudo.secrets.host-secrets."${hostname}";

+  hostKeypairs = config.fudo.secrets.files.ssh.host-keypairs.paris;
+
+  keytabFilename = keypair: "host-paris-${keypair.key-type}-private-key";
+
 in {
  options.fudo.paris-container = with types; {
    enable = mkEnableOption "Enable Fudo Paris user server.";
@ -151,7 +155,11 @@ in {
          "LDAP_DEFAULT_AUTHTOKEN=${readFile cfg.ldap.bind-token-file}";
        target-file = "/run/paris/sssd.env";
      };
-    };
+    } // (listToAttrs (map (keypair:
+      nameValuePair (keypairFilename keypair) {
+        source-file = keypair.private-key;
+        target-file = "/run/paris/openssh/${keypairFilename keypair}";
+      }) parisKeypairs));

    virtualisation.oci-containers.containers.paris-ldap-proxy = {
      image = cfg.ldap.image;
@ -167,7 +175,11 @@ in {
          hostPath = "${cfg.state-directory}/home";
          isReadOnly = false;
        };
-      };
+      } // (listToAttrs (map (keypair:
+        nameValuePair "/run/openssh/keys/${keypairFilename keypair}" {
+          hostPath = "/run/paris/openssh/${keypairFilename keypair}";
+          isReadOnly = true;
+        }) parisKeypairs));
      additionalCapabilities = [ "CAP_NET_ADMIN" ];
      config = {
        nixpkgs.pkgs = pkgs;
@ -178,7 +190,10 @@ in {
          opensssh = {
            enable = true;
            startWhenNeeded = true;
-            hostKeys = FIXME;
+            hostKeys = map (keypair: {
+              path = "/run/openssh/keys/${keypairFilename keypair}";
+              type = keypair.key-type;
+            }) parisKeypairs;
            settings = {
              UseDns = true;
              PermitRootLogin = "no";