From 4ea69cf70d3d503c01d4608168d897c7eec9eca6 Mon Sep 17 00:00:00 2001
From: Toast
Date: Mon, 22 Apr 2024 09:26:41 +0200
Subject: [PATCH 1/3] Server/ssh: use dns for resolving hosts

---
 roles/server/ssh.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/server/ssh.nix b/roles/server/ssh.nix
index ede04a3..db08e03 100755
--- a/roles/server/ssh.nix
+++ b/roles/server/ssh.nix
@@ -2,6 +2,7 @@
 services.openssh = {
 enable = true;
 settings = {
+ UseDns = true;
 PermitRootLogin = "no";
 PasswordAuthentication = false;
 };
From a3d1a8a744f9f96395b318f03dba21b99a61565a Mon Sep 17 00:00:00 2001
From: Toast
Date: Mon, 22 Apr 2024 11:20:20 +0200
Subject: [PATCH 2/3] Flake: update secrets

---
 flake.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/flake.lock b/flake.lock
index f412779..47c2782 100644
--- a/flake.lock
+++ b/flake.lock
@@ -377,11 +377,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1713107869,
- "narHash": "sha256-TniJoCQfJ3OXrcqhH/8xcV6o4Sa5C/4KSRtk0c0/RK4=",
+ "lastModified": 1713776544,
+ "narHash": "sha256-EQW8P1TfkYQV0EEK1n3Gh9wRp9KlC0EbidH2j+niCaE=",
 "ref": "refs/heads/main",
- "rev": "a00a07cd931b6eab722727a0606837cb895997f0",
- "revCount": 11,
+ "rev": "61410d68f15b3b970067a3fdd39667fdd9a89edd",
+ "revCount": 12,
 "type": "git",
 "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"
 },
From befadf8ed215431ad7529a08e77eabf293328ab9 Mon Sep 17 00:00:00 2001
From: Toast
Date: Mon, 22 Apr 2024 11:25:43 +0200
Subject: [PATCH 3/3] Server/ssh: add ssh host key

---
 roles/server/ssh.nix | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/roles/server/ssh.nix b/roles/server/ssh.nix
index db08e03..14ee0b6 100755
--- a/roles/server/ssh.nix
+++ b/roles/server/ssh.nix
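Review bot: `UseDns = true;` in the `settings` block makes sshd reverse-resolve every connecting address and check the forward mapping, so a slow or unreachable resolver delays or fails logins; it does not make the server resolve hosts, as the commit title suggests. The option only matters when `authorized_keys` `from=` patterns or `Match Host` rules use hostnames instead of addresses, and none are visible in this file. If that is not the intent, drop the line and keep the OpenSSH default of `no`; otherwise record the reason with a comment such as `# reverse-resolve clients so hostname-based from= patterns work`.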
@@ -1,4 +1,23 @@ -{...}: { +{ + flakeSelf, + config, + ... +}: let + hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/"; + hostKeyPath = "/etc/ssh/everest_host_key"; +in { + age.secrets = { + everest-host-key = { + file = hostSecrets + "host-private-key.age"; + path = hostKeyPath; + mode = "0400"; + }; + "everest-host-key.pub" = { + file = hostSecrets + "host-public-key.age"; + path = hostKeyPath + ".pub"; + }; + }; + services.openssh = { enable = true; settings = { @@ -6,6 +25,13 @@ PermitRootLogin = "no"; PasswordAuthentication = false; }; + hostKeys = [ + { + path = hostKeyPath; + type = "ed25519"; + comment = "Everest host key"; + } + ]; startWhenNeeded = true; }; }
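Review bot: Setting `hostKeys` to only `/etc/ssh/everest_host_key` (second hunk) replaces the default `ssh_host_*` entries, and agenix derives its default `age.identityPaths` from `services.openssh.hostKeys`, so unless `age.identityPaths` is set elsewhere the `everest-host-key` secret declared in the first hunk can only be decrypted with the very key it is meant to install. On a fresh host that key does not exist yet, the openssh preStart `ssh-keygen` would create an unrelated key at that path, and every age secret would then fail to decrypt. Pinning the identity explicitly, e.g. `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` while keeping that default key in `hostKeys`, breaks the cycle. The `.pub` entry inherits agenix's restrictive default mode, which is presumably not wanted for a public key; if it stays, `mode = "0444";` matches how sshd and clients normally read it.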