WIP on host ssh key. broken.

hosts/lazyworkhorse/configuration.nix

@@ -58,31 +58,6 @@
     LC_CTYPE = "en_CA.UTF-8";
   };
 
-  # Private host ssh key
-  age = {
-    identityPaths = paths.identities;
-    secrets = {
-      lazyworkhorse_host_ssh_key = {
-        file = "${self}/secrets/lazyworkhorse_host_ssh_key.age";
-        owner = "root";
-        group = "root";
-        mode = "0600";
-        path = "/etc/ssh/ssh_host_ed25519_key";
-      };
-    };
-  };
-
-  # Public host ssh key
-  environment.etc."ssh/ssh_host_ed25519_key.pub".text = keys.hosts.lazyworkhorse.main;
-
-  # Prevent sshd from generating new keys and use this one
-  services.openssh.hostKeys = [
-    {
-      path = "/etc/ssh/ssh_host_ed25519_key";
-      type = "ed25519";
-    }
-  ];
-
   # Configure network proxy if necessary
   # networking.proxy.default = "http://user:password@proxy:port/";
   # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
@@ -145,12 +120,45 @@
 
   # List services that you want to enable:
 
-  # Enable the OpenSSH daemon.
+  # Enable the OpenSSH daemon
   services.openssh = {
     enable = true;
     settings.PermitRootLogin = "no";
+    hostKeys = [
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
   };
 
+  # Private host ssh key managed by agenix
+  age = {
+    identityPaths = paths.identities;
+    secrets = {
+      containers_env = {
+        file = ../../secrets/containers.env.age;
+        path = "/run/secrets/containers.env";
+        owner = "root";
+        group = "root";
+        mode = "0400";
+      };
+      # lazyworkhorse_host_ssh_key = {
+      #   file = ../../secrets/lazyworkhorse_host_ssh_key.age;
+      #   owner = "root";
+      #   group = "root";
+      #   mode = "0600";
+      #   path = "/etc/ssh/ssh_host_ed25519_key";
+      # };
+    };
+  };
+
+  fileSystems."/".neededForBoot = true;
+
+  # Public host ssh key (kept in sync with the private one)
+  environment.etc."ssh/ssh_host_ed25519_key.pub".text =
+    "${keys.hosts.lazyworkhorse.main}";
+
   services.fstrim.enable = true;
 
   services.zfs.autoSnapshot.enable = true;

lib/keys.nix

@@ -9,7 +9,7 @@
 
   hosts = {
     lazyworkhorse = {
-      main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBmPv4JssvhHGIx85UwFxDSrL5anR4eXB/cd9V2i9wdW";
+      main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmXqD+bBveCYf4khmARA0uaCzkBOUIE077ZrInLNs1O";
       github = "";
       gitea = "";
     };

modules/nixos/default.nix

@@ -5,6 +5,5 @@
       # ./programs
       ./services
       ./filesystem
-      ./services/systemd
     ];
 }

modules/nixos/services/systemd/default.nix

@@ -13,17 +13,4 @@
       "dns" = [ "1.1.1.1" "8.8.8.8" ];
     };
   };
-
-  age = {
-    identityPaths = paths.identities;
-    secrets = {
-      containers_env = {
-        file = self + "/secrets/containers.env.age";
-        path = "/run/secrets/containers.env";
-        owner = "root";
-        group = "root";
-        mode = "0400";
-      };
-    };
-  };
 }

secrets/containers.env.age

@@ -1,7 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 GhMD8A 9Tjo08Hbj3S+nCdLUylZoUK6meXtuHq9F/qwSJZBYho
-iu2MmQ2VHm+QEvqGjkEy02V0cNRanAyhrA8Xu7UWRFk
--> ssh-ed25519 eB5ENw 8UTi2pmZML1Zyh9zCfEx4JqJhQ1vM/jZCEhrkuc1Hh4
-et6FoN8E4tgo2DXlt/KTGLRsByJFyDu2oHA/Js/pIB8
---- dmEv5Fz1iUJ3W93lFtkHgtknfQGQNkMqglJZ+3e1qM8
-<EFBFBD>U<EFBFBD><EFBFBD><EFBFBD>.<2E><>#C\<11><><EFBFBD>	<09>V<EFBFBD><EFBFBD>-<EFBFBD><EFBFBD><EFBFBD><EFBFBD><1F>tp<74>w؁n
ީ<><02><>n<EFBFBD><<3C>E<EFBFBD><45><EFBFBD>~<7E><>bX<62><02><EFBFBD><EFBFBD>_<EFBFBD><EFBFBD><07><><EFBFBD><EFBFBD>u<EFBFBD>l?<3F>),s<>Ec7<EFBFBD><EFBFBD><EFBFBD><EFBFBD>v<EFBFBD>;<3B>A<EFBFBD>U<EFBFBD>-<2D>I<EFBFBD>7Y<37>-<2D>3g[<5B>jh~<7E>/<2F>
+-> ssh-ed25519 GhMD8A rV+MVE/yCBXffr3Za8av5+lL8B/473Owe7phe2oKzXs
+1Y3qBT07SKzO0EaSzLelbz5/whoEVfBD52N4+WwVScU
+-> ssh-ed25519 kYn3oA fHmhGCOWPfUOQpGEY0+lA6akxhJcCzn1zmiBQFeD4wg
+k48jDsxD7uXfg+VUgM0+PIL1WOBdSOGsLyvsuqYOziY
+--- PXyg0xCJqashEWw9FNHv5g9UWWZ/vzvgKfZJ85OyNKU
+<EFBFBD>;O*<2A><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>E<EFBFBD>[<5B><>	<14><>z4XG<58>;R~<7E>S<EFBFBD>\<14><>7Ђ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>><08>Z<EFBFBD><5A>U<12>,<2C><><EFBFBD><EFBFBD><EFBFBD>ȏ<EFBFBD><EFBFBD>糿<13>#<23><13><>`:<3A>%'<27>ix<69><78><EFBFBD>ɟMf<4D><66>W
+<EFBFBD><EFBFBD>&E<>̛<08><><EFBFBD>C<EFBFBD> <20>><3E>H<EFBFBD>,<2C><><EFBFBD><EFBFBD><EFBFBD>W<EFBFBD>Z<EFBFBD><5A><EFBFBD>%<25>@<40>n<EFBFBD>Y <20>