From f0edcec82eadf7dc57ea0a12562717d40cff2cb6 Mon Sep 17 00:00:00 2001
From: ene <ene@sils.li>
Date: Tue, 17 Jan 2023 06:50:27 +0100
Subject: Sec: Persistent ssh host keys

I changed the valid ssh-host-keys from both rsa and ed25519 to
only ed25519 and moved them to `/srv/ssh` to make them persistent.
In addition to that, I also increased the rounds for the ed25519 key to
1000.
This fixes the ssh-host-key issue introduced by pull request #5.

Fixes: #5
---
 configuration.nix     | 12 ++----------
 services/opensshd.nix | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 10 deletions(-)
 create mode 100644 services/opensshd.nix

diff --git a/configuration.nix b/configuration.nix
index 600201d..4d1f8d9 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -3,7 +3,9 @@
     ./hardware-configuration.nix
     ./packages.nix
     ./networking.nix # network configuration that just works
+
     ./services/minecraft.nix
+    ./services/opensshd.nix
   ];
 
   boot.cleanTmpDir = true;
@@ -11,16 +13,6 @@
   networking.hostName = "server1";
   networking.domain = "vhack.eu";
 
-  # openssh config
-  services.openssh = {
-    enable = true;
-    passwordAuthentication = false;
-    extraConfig = "PrintMotd yes\n"; # this could be done with pam
-  };
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
-  ];
 
   system.stateVersion = "22.11";
 }
diff --git a/services/opensshd.nix b/services/opensshd.nix
new file mode 100644
index 0000000..4bd38fd
--- /dev/null
+++ b/services/opensshd.nix
@@ -0,0 +1,19 @@
+{ config, pkg, ... }: {
+  services.openssh = {
+    enable = true;
+    passwordAuthentication = false;
+    extraConfig = ''
+      PrintMotd yes
+    ''; # this could be done with pam
+    hostKeys = [{
+      comment = "key comment";
+      path = "/srv/sshd/ssh_host_ed25519_key";
+      rounds = 1000;
+      type = "ed25519";
+    }];
+  };
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
+  ];
+}
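Review bot: The host key path in this hunk, `/srv/sshd/ssh_host_ed25519_key` on the `path` line, does not match the `/srv/ssh` directory named in the commit message; one of the two should be corrected so the next reader knows where the persistent key actually lives. The `rounds = 1000` setting appears to only govern the KDF applied when a private key is stored encrypted under a passphrase, and host keys are generated without one, so it likely has no effect on this key (to be confirmed against the module's key-generation step) and the description's claim of hardening from it should be checked. `comment = "key comment"` is a placeholder that ends up in the generated public key; consider a descriptive value such as `comment = "server1 host key";` or dropping the attribute. Minor: the module argument `pkg` is unused and is conventionally spelled `pkgs`.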
-- 