From 8f1bc956d14e6b7dcb326da91d06758ffcdb6525 Mon Sep 17 00:00:00 2001
From: niten
Date: Sun, 2 Jun 2024 16:56:56 -0700
Subject: [PATCH] Pass in SSH keys

---
 paris-container.nix | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/paris-container.nix b/paris-container.nix
index f7c3a51..a110df6 100644
--- a/paris-container.nix
+++ b/paris-container.nix
@@ -10,6 +10,10 @@ let
 
   hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
 
+  hostKeypairs = config.fudo.secrets.files.ssh.host-keypairs.paris;
+
+  keytabFilename = keypair: "host-paris-${keypair.key-type}-private-key";
+
 in {
   options.fudo.paris-container = with types; {
     enable = mkEnableOption "Enable Fudo Paris user server.";
@@ -151,7 +155,11 @@ in {
             "LDAP_DEFAULT_AUTHTOKEN=${readFile cfg.ldap.bind-token-file}";
           target-file = "/run/paris/sssd.env";
         };
-      };
+      } // (listToAttrs (map (keypair:
+        nameValuePair (keypairFilename keypair) {
+          source-file = keypair.private-key;
+          target-file = "/run/paris/openssh/${keypairFilename keypair}";
+        }) parisKeypairs));
 
     virtualisation.oci-containers.containers.paris-ldap-proxy = {
       image = cfg.ldap.image;
@@ -167,7 +175,11 @@ in {
           hostPath = "${cfg.state-directory}/home";
           isReadOnly = false;
         };
-      };
+      } // (listToAttrs (map (keypair:
+        nameValuePair "/run/openssh/keys/${keypairFilename keypair}" {
+          hostPath = "/run/paris/openssh/${keypairFilename keypair}";
+          isReadOnly = true;
+        }) parisKeypairs));
       additionalCapabilities = [ "CAP_NET_ADMIN" ];
       config = {
         nixpkgs.pkgs = pkgs;
@@ -178,7 +190,10 @@ in {
           opensssh = {
             enable = true;
             startWhenNeeded = true;
-            hostKeys = FIXME;
+            hostKeys = map (keypair: {
+              path = "/run/openssh/keys/${keypairFilename keypair}";
+              type = keypair.key-type;
+            }) parisKeypairs;
             settings = {
               UseDns = true;
               PermitRootLogin = "no";
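Review bot: The bindings added to the `let` block do not match the names the rest of the patch consumes: this hunk defines `hostKeypairs` and `keytabFilename`, while the hunks at -151, -167 and -178 all reference `parisKeypairs` and `keypairFilename`, which are defined nowhere in the patch; unless those two names already exist elsewhere in the file, evaluation will fail with an undefined-variable error. `keytabFilename` is also a misleading name for an SSH private-key filename. The simplest fix is to rename the definitions to what the consumers expect, e.g. `parisKeypairs = config.fudo.secrets.files.ssh.host-keypairs.paris;` and `keypairFilename = keypair: "host-paris-${keypair.key-type}-private-key";`; if `host-keypairs.paris` is an attribute set rather than a list, the consumers' `map` will additionally need `attrValues`. The `let` block continues outside the hunk.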
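Review bot: The new secret entries copy each private key to `/run/paris/openssh/${keypairFilename keypair}` but set nothing beyond `source-file` and `target-file`, so the file's owner and mode are whatever this secret mechanism defaults to; sshd refuses a host key that is group- or world-readable, so confirm that the default is root-owned and 0400 (or equivalent), or set it explicitly if the option type supports it. The same concern applies to the host-side directory `/run/paris/openssh`, which nothing in the patch creates or restricts. The enclosing attribute set starts before this hunk.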
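Review bot: Each key is bind-mounted as an individual file from `/run/paris/openssh/...`, which is correct for a read-only mount, but nothing in the patch orders the container after the secret deployment; container runtimes generally create a missing bind-mount source as an empty directory, so if the secret has not been written when the container starts, sshd would find a directory at its host-key path and fail in a non-obvious way. Consider adding a systemd `after`/`requires` dependency on the unit that deploys these secrets, or mounting the directory `/run/paris/openssh` as a whole so a missing key shows up as a missing file rather than a bogus directory. The `bindMounts` set starts before this hunk.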
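Review bot: The new `hostKeys` entries point sshd at files on a read-only mount, yet the NixOS openssh service's pre-start step generates any listed host key whose `path` is missing; on a host where the secret has not yet been deployed that generation would fail against the read-only mount rather than producing a clear "key not provided" error, so it is worth documenting with a comment such as `# host keys are supplied read-only via bindMounts; never generated here`. Separately, the enclosing attribute in the context line is spelled `opensssh`; if this lives under `services`, the module system should reject it as an unknown option and the new `hostKeys` never takes effect — presumably a pre-existing typo for `openssh`, but worth fixing in the same change since this patch is what makes the block meaningful. The `opensssh` attribute set continues past the end of the hunk.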