From 46f3c709570544f8b82df550323826419327400a Mon Sep 17 00:00:00 2001
From: Toast
Date: Thu, 13 Jul 2023 18:25:27 +0200
Subject: [PATCH] Common: don't keep host keys as secrets

---
 roles/common/configuration.nix | 33 ++++++++-------------------------
 1 file changed, 8 insertions(+), 25 deletions(-)

diff --git a/roles/common/configuration.nix b/roles/common/configuration.nix
index c2b45d4..ba301c4 100755
--- a/roles/common/configuration.nix
+++ b/roles/common/configuration.nix
@@ -27,32 +27,15 @@
       # enter the password A LOT of times. Only on the first setup tho
       "/tmp/id_ed25519_bootstrap"
     ];
-    # Copy (NOT SYMLINK) host ssh keys into place
-    secrets = {
-      "ed25519" = {
-        symlink = false;
-        file = ../../secrets/${config.networking.hostName}/host-key-ed25519;
-        path = "/etc/ssh/ssh_host_ed25519_key";
-      };
-      "rsa" = {
-        symlink = false;
-        file = ../../secrets/${config.networking.hostName}/host-key-rsa;
-        path= "/etc/ssh/ssh_host_rsa_key";
-      };
-      "ed25519-public" = {
-        symlink = false;
-        file = ../../secrets/${config.networking.hostName}/host-key-ed25519-public;
-        path = "/etc/ssh/ssh_host_ed25519_key.pub";
-        mode = "0644";
-      };
-      "rsa-public" = {
-        symlink = false;
-        file = ../../secrets/${config.networking.hostName}/host-key-rsa-public;
-        path = "/etc/ssh/ssh_host_rsa_key.pub";
-        mode = "0644";
-      };
-    };
   };
+  /*
+  I used to keep the host keys in the repo as a secret, but since I use the
+  host keys for decrypting too I'm not sure encrypting a key with itself
+  is a good idea. Now the host keys will need to be placed manually where they are needed
+  For first time installs they are generated by services.openssh.hostKeys on servers, and
+  manually on everything else
+  */
+
   system.stateVersion = "23.05";
 }
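Review bot: The new comment block explains why the host keys left the secrets store but not the consequence for the secrets that remain: if `services.openssh.hostKeys` generates a fresh key on a reinstall, everything still under `../../secrets/<hostName>/` is presumably encrypted to the old host key and will not decrypt on first boot until the new host public key is added to the recipients and the secrets are rekeyed. I would add one line to the comment, `After a reinstall, add the new host public key to the recipients and rekey this host's secrets, or they will not decrypt on first boot.` The `/tmp/id_ed25519_bootstrap` identity path kept as context appears to cover only the initial setup, so the comment should also say which identity is expected to decrypt on a rebuilt host, and whether that bootstrap key is removed from `/tmp` once the real host key exists. The enclosing attribute set starts before the hunk, so I cannot see whether the `identityPaths` list above still references the generated host key.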