-{ config, ... }:
+{ config, hostName, ... }:
{
networking.nftables.ruleset = ''
table inet filter {
'';
services.openssh = {
- gatewayPorts = "clientspecified";
openFirewall = true;
+ settings.GatewayPorts = "clientspecified";
};
systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
"host.key:${ssh/host.key.cred}"
];
+ security.initrd.secrets."${hostName}/ssh/initrd.key" =
+ "hosts/${hostName}/ssh/initrd.key.gpg";
boot.initrd.network.ssh = {
enable = true;
- # To prevent ssh from freaking out because a different host key is used,
- # a different port for dropbear is useful
- # (assuming the same host has also a normal sshd running)
port = 2222;
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
- hostKeys = [ "/root/initrd/ssh.key" ];
+ hostKeys = [ "${config.security.initrd.stage1Dir}/${hostName}/ssh/initrd.key" ];
};
boot.initrd.network = {
enable = true;
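Review bot: The comment explaining why dropbear listens on a separate port is dropped while `port = 2222;` stays, so the next reader has no reason for the non-default value; keep the rationale, e.g. `# Separate port: the initrd host key differs from sshd's, so sharing port 22 would produce host-key-mismatch warnings that users learn to ignore.` The new `hostKeys` entry is built from `config.security.initrd.stage1Dir`, which does not look like a stock NixOS option and is presumably provided by the same module that declares `security.initrd.secrets`; confirm that the decrypted `initrd.key` is placed at exactly that path before stage 1 starts and that its permissions inside the initrd are restricted to root, since a readable copy would let anyone with the initrd image impersonate the early-boot SSH endpoint. The `boot.initrd.network` block continues outside the hunk.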