Is there a Nix way to configure SSH server connections?

Fineness9214 · May 10, 2023, 5:18pm

I am trying to connect to an SSH server. Usually I store the private key at ~/.ssh/servermachine..

The configuration is located at ~/.ssh/config :

Host servermachine
  HostName 192.168.1.105
  #Port 22
  User user
  IdentitiesOnly yes
  IdentityFile ~/.ssh/servermachine

src: NixOS Wiki - SSH public key authentication

But can it be done the Nix way? In home-manager or /etc/nixos/configuration.nix?

I usually forget to backup my ~/.ssh when I reinstall / distrohop so I would like to avoid storing keys are configs there.

delroth · May 10, 2023, 6:06pm

If systemwide configuration is ok: programs.ssh.extraConfig will allow you to add whatever you want to /etc/ssh/ssh_config.

If you’d prefer having configuration be active only for your user, that’s within the realm of home-manager, and there you’ll want e.g. programs.ssh.matchBlocks.

Another part of the problem is managing the private key itself – for that you’ll most likely want to look at tools like agenix or sops-nix.

Fineness9214 · May 11, 2023, 1:21am

It worked, thanks! I used home-manager.

I was actually searching nix options but the term “match block” escaped me.

For now I am storing the keys in the normie way.

agenix or sops-nix.

They both look good. Do you have a recommendation?

delroth · May 11, 2023, 1:41am

I’ve only used agenix so I can’t really recommend one or another. If you’re using home-manager I think sops-nix is your only option of the two at this point – I don’t remember agenix having an home-manager module.

Fineness9214 · May 11, 2023, 11:45am

I see, thanks.

So sops-nix it is.

NobbZ · May 17, 2023, 6:47am

There is a project/fork homeage, which is based on a PR to agenix that never got merged. I am not sure about how well it works though, I am only aware of its existence.

Personally I am using sops-nix, as I can use the same input for both system and home configurations, and to some extend even share the secret files between them. Not sure if this was possible with agenix + homeage.

jpsecher · December 28, 2024, 5:32pm

For reference, I have the following ssh.nix for AWS hosts:

{
  programs.ssh = {
    enable = true; 
    matchBlocks = {
      "i-*" = {
        user = "ubuntu";
        proxyCommand = "sh -c \"aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'\"";
        identityFile = [
          "~/.ssh/devops-production-ed25519"  
          "~/.ssh/devops-staging-ed25519"
        ];
      };
    };
  };
}