nixos/profiles/networking/ssh.nix

   1 { lib, inputs, hostName, ... }:
   2 with lib;
   3 {
   4   programs.mosh.enable = mkDefault true;
   5   services.openssh.enable = true;
   6   systemd.services.sshd.serviceConfig.LoadCredentialEncrypted =
   7     [ "host.key:${inputs.self}/hosts/${hostName}/ssh/host.key.cred" ];
   8   # TODO: use hostKeys= once LoadCredentialEncrypted= works in ExecStartPre=
   9   services.openssh.hostKeys = mkForce [ ];
  10   services.openssh.extraConfig = ''
  11     HostKey /run/credentials/sshd.service/host.key
  12   '';
  13 }