NixOps cannot SSH into NixOS boxes after initial deployment

I initially configured a NixOS machine with an SSH configuration that looked like this:

services.openssh.enable = true;
services.openssh.permitRootLogin = "yes";
services.openssh.passwordAuthentication = true;

I then deployed using NixOps with a more bare-bones OpenSSH configuration:

services.openssh.enable = true;

It did place a new key in /etc/ssh/ssh_host_ed25519_key (and its corresponding public key) on the machine. I checked inside of the nixops.state file, and it is set there as well. However, when I go to SSH into the box using NixOps, it doesn’t use the key:

➜ nixops ssh bastion -vvv
bastion.....................................> OpenSSH_8.4p1, OpenSSL 1.1.1i  8 Dec 2020
bastion.....................................> debug1: Reading configuration data /Users/ethan/.ssh/config
bastion.....................................> debug1: Reading configuration data /etc/ssh/ssh_config
bastion.....................................> debug1: /etc/ssh/ssh_config line 47: Applying options for *
bastion.....................................> debug1: /etc/ssh/ssh_config line 51: Applying options for *
bastion.....................................> debug2: resolve_canonicalize: hostname 100.101.26.126 is address
bastion.....................................> debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/ethan/.ssh/known_hosts'
bastion.....................................> debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/ethan/.ssh/known_hosts2'
bastion.....................................> debug2: ssh_connect_direct
bastion.....................................> debug1: Connecting to 100.101.26.126 [100.101.26.126] port 22.
bastion.....................................> debug1: Connection established.
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_rsa type 0
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_rsa-cert type -1
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_dsa type -1
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_dsa-cert type -1
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_ecdsa type -1
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_ecdsa-cert type -1
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_ecdsa_sk type -1
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_ecdsa_sk-cert type -1
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_ed25519 type 3
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_ed25519-cert type -1
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_ed25519_sk type -1
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_ed25519_sk-cert type -1
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_xmss type -1
bastion.....................................> debug1: identity file /Users/ethan/.ssh/id_xmss-cert type -1
bastion.....................................> debug1: Local version string SSH-2.0-OpenSSH_8.4

This doesn’t happen with boxes I’ve deployed on AWS. Is there a way to have it use the correct key during nixops ssh?

I’m confused: are you talking about the host key or the root authorized key?

I don’t use NixOps on AWS but presumably it authorizes the root key that AWS assigned to the VM.