Common: don't keep host keys as secrets

2023-07-13 18:25:27 +02:00 · 2023-07-13 18:25:27 +02:00 · 46f3c70957
commit 46f3c70957
parent 92f5996759
1 changed files with 8 additions and 25 deletions
--- a/roles/common/configuration.nix
+++ b/roles/common/configuration.nix
@ -27,32 +27,15 @@
 			# enter the password A LOT of times. Only on the first setup tho
 			"/tmp/id_ed25519_bootstrap"
 		];
-	# Copy (NOT SYMLINK) host ssh keys into place
-		secrets = {
-			"ed25519" = {
-				symlink = false;
-				file = ../../secrets/${config.networking.hostName}/host-key-ed25519;
-				path = "/etc/ssh/ssh_host_ed25519_key";
-			};
-			"rsa" = {
-				symlink = false;
-				file = ../../secrets/${config.networking.hostName}/host-key-rsa;
-				path= "/etc/ssh/ssh_host_rsa_key";
-			};
-			"ed25519-public" = {
-				symlink = false;
-				file = ../../secrets/${config.networking.hostName}/host-key-ed25519-public;
-				path = "/etc/ssh/ssh_host_ed25519_key.pub";
-				mode = "0644";
-			};
-			"rsa-public" = {
-				symlink = false;
-				file = ../../secrets/${config.networking.hostName}/host-key-rsa-public;
-				path = "/etc/ssh/ssh_host_rsa_key.pub";
-				mode = "0644";
-			};
-		};
 	};

+	/*
+	I used to keep the host keys in the repo as a secret, but since I use the
+	host keys for decrypting too I'm not sure encrypting a key with itself
+	is a good idea. Now the host keys will need to be placed manually where they are needed
+	For first time installs they are generated by services.openssh.hostKeys on servers, and
+	manually on everything else
+	*/	
+	
 	system.stateVersion = "23.05";
 }