From bf8e4d435a33b6c112f71ff2f02b19dbb5b9d9ea Mon Sep 17 00:00:00 2001
From: Ricard Illa
Date: Sun, 4 Sep 2022 18:02:18 +0200
Subject: [PATCH] ssh certs

---
 nixos/common.nix | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/nixos/common.nix b/nixos/common.nix
index ccb7917..9fb7c38 100644
--- a/nixos/common.nix
+++ b/nixos/common.nix
@@ -187,9 +187,6 @@
 "adbusers"
 "video"
 ];
- openssh.authorizedKeys.keys = [
- "ssh-rsa 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 cardno:000611073199"
- ];
 initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
 };
 
@@ -217,6 +214,25 @@
 enable = true;
 passwordAuthentication = false;
 permitRootLogin = "no";
+
+ hostKeys = [{
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }];
+
+ knownHosts = {
+ "*.monotremata.xyz,10.*,narwhal,caladan,fugu,snitch,trantor,capibara,axolotl,echidna" =
+ {
+ certAuthority = true;
+ publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHperHwojXZeo3QWAu1f3kiCKeaHHSqBXJM6ZZEefxdd host_ca";
+ };
+ };
+
+ extraConfig = ''
+ HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+ TrustedUserCAKeys /etc/ssh/user_ca.pub
+ '';
 };
 
 virtualisation = {
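Review bot: The new `extraConfig` in the second hunk points sshd at `/etc/ssh/user_ca.pub` and `/etc/ssh/ssh_host_ed25519_key-cert.pub`, but nothing in this module provisions either file, so the trust anchor that now replaces the `authorizedKeys` entry removed in the first hunk lives out of band and a freshly rebuilt host would appear to have no remaining login path until that file is placed by hand (the surrounding `passwordAuthentication = false` and `permitRootLogin = "no"` leave no fallback). The user CA public key is not a secret and could be declared next to the host CA that is already inline under `knownHosts`, e.g. `environment.etc."ssh/user_ca.pub".text = "ssh-ed25519 <USER_CA_PUBKEY_PLACEHOLDER> user_ca";`, leaving only the host certificate itself to be deployed separately. Without an `AuthorizedPrincipalsFile` line, sshd accepts a user certificate whenever its principals list contains the login name, so a comment above `TrustedUserCAKeys` such as `# certificate principals must match the UNIX account name; no AuthorizedPrincipalsFile is set` would stop the next reader from assuming per-user restrictions exist. The `10.*` pattern in `knownHosts` makes any 10/8 address accept a host certificate from `host_ca`, which is presumably intended for the local network but deserves a one-line comment saying so. The enclosing `services.openssh` block continues outside the hunk.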