How to setup user ssh keys

I’m a little bit puzzled: I cannot find resources howto setup user ssh keys declarative in NixOS.

Looking forward for any suggestions.

Could you be more specific about what you are trying to set up? SSH keys are a big topic.

Sure. Basically I want to add the ssh keypair for a specific user (/home/user/.ssh/id_rsa and /home/user/.ssh/id_rsa.pub).

Where would this come from? Would you want nixos config to “copy” from the source to to home dir?

NixOS isn’t particularly good at managing home dirs. This would be a manual step. I would just use regular dotfile+stow approach.

Some may recommend home manager- I am not a fan, except for managing perhaps user services.

here’s my criticism of hm where I call hm a nix-lover’s hammer. https://github.com/NixOS/nixpkgs/pull/77734#issuecomment-575767459 and a cause of needless confusion.

NixOS doesn’t manage secrets. Your SSH key is a secret. You should not try to use NixOS to manage this key.

If you’re talking about adding keys to the authorized_keys file, then have a look at these options:
https://nixos.org/nixos/options.html#users.users.<name%3F>.openssh.authorizedkeys

Generating keys with nix and managing the secret part of the key with nix is a very bad idea, as it would be world-readable in the nix store. The best you could do is use nixops for that or declare a service that generates those keys on service start, something like this for example (this is not an ssh key, but it generates a secret):

Thanks for all your replies.

@SRGOM

Where would this come from? Would you want nixos config to “copy” from the source to to home dir?

Basically the key already exists. The idea was to have something in my configuration.nix which takes care of copying ssh keys to my home directory.

@aanderse

NixOS doesn’t manage secrets. Your SSH key is a secret. You should not try to use NixOS to manage this key.

Mhhh. I see so basically the recommendation would to handle this kind of stuff manually?

@tokudan

If you’re talking about adding keys to the authorized_keys file

Nah I’m talking about the public/private key of a user. Basically nixops might be an option since I’m running NixOS currently only on a raspberry pi. But I wanted to get a little more into to replace my Archlinux installation.
I guess I understand the basic problem that when managing such kind of things would be readable in nix store.

You are correct. The unfortunate situation is that you should either manually manage your secrets on NixOS, or use some other solution.

@aanderse Is there a good overview of best practices regarding storing passwords/private keys/api keys in external files and importing them via nix? I’ve heard of people using a secrets.nix, or git crypt… Things like weechat/slack api key for example.

There are some people working on a standardized approach that NixOS can endorse, but nothing has really settled yet. I’m sure some people here can give some good suggestions.

1 Like