Pass in SSH keys

2024-06-02 16:56:56 -07:00 · 2024-06-02 16:56:56 -07:00 · 8f1bc956d1
parent e9e7d25ba8
commit 8f1bc956d1
1 changed files with 18 additions and 3 deletions
--- a/paris-container.nix
+++ b/paris-container.nix
@ -10,6 +10,10 @@ let
  hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
  hostKeypairs = config.fudo.secrets.files.ssh.host-keypairs.paris;
  keytabFilename = keypair: "host-paris-${keypair.key-type}-private-key";
 in {
  options.fudo.paris-container = with types; {
    enable = mkEnableOption "Enable Fudo Paris user server.";
@ -151,7 +155,11 @@ in {
          "LDAP_DEFAULT_AUTHTOKEN=${readFile cfg.ldap.bind-token-file}";
        target-file = "/run/paris/sssd.env";
      };
-    };
+    } // (listToAttrs (map (keypair:
      nameValuePair (keypairFilename keypair) {
        source-file = keypair.private-key;
        target-file = "/run/paris/openssh/${keypairFilename keypair}";
      }) parisKeypairs));
    virtualisation.oci-containers.containers.paris-ldap-proxy = {
      image = cfg.ldap.image;
@ -167,7 +175,11 @@ in {
          hostPath = "${cfg.state-directory}/home";
          isReadOnly = false;
        };
-      };
+      } // (listToAttrs (map (keypair:
        nameValuePair "/run/openssh/keys/${keypairFilename keypair}" {
          hostPath = "/run/paris/openssh/${keypairFilename keypair}";
          isReadOnly = true;
        }) parisKeypairs));
      additionalCapabilities = [ "CAP_NET_ADMIN" ];
      config = {
        nixpkgs.pkgs = pkgs;
@ -178,7 +190,10 @@ in {
          opensssh = {
            enable = true;
            startWhenNeeded = true;
-            hostKeys = FIXME;
+            hostKeys = map (keypair: {
              path = "/run/openssh/keys/${keypairFilename keypair}";
              type = keypair.key-type;
            }) parisKeypairs;
            settings = {
              UseDns = true;
              PermitRootLogin = "no";