I am in the process of switching to NixOS, and now I want to add my ssh config (actually it only contains aliases) to my config. I use home-manager to configure ssh and agenix to store my secrets. As the VPSes are under DDoS protection and their IPs are kind of secret, I would like to not store those IPs in a public repository.
So the main problem is that the path to the file with the secret contains the env variable `$XDG_RUNTIME_DIR`, and ssh doesn't evaluate env variables in the `Include` option. Solutions I tried:
```nix
programs.ssh.includes = [config.age.secrets.ssh-config.path];
```

Result: `ssh: Could not resolve hostname EDITED: Name or service not known`
```nix
# somewhere read that env variables are written in format `${NAME}` in ssh config
programs.ssh.includes = [(builtins.replaceStrings ["$XDG_RUNTIME_DIR"] ["\${XDG_RUNTIME_DIR}"] config.age.secrets.ssh-config.path)];
```

Result: `ssh: Could not resolve hostname EDITED: Name or service not known`
```nix
programs.ssh.includes = [".ssh/my_config"];
home.file.".ssh/my_config".source = config.age.secrets.ssh-config.path;
```

Result:

```
error: A definition for option 'home-manager.users.perchun.home.file.".ssh/real_config".source' is not of type 'path'. Definition values: "$XDG_RUNTIME_DIR/agenix/ssh-config"
```
```nix
programs.ssh.includes = [".ssh/my_config"];
home.activation = lib.hm.dag.entryAfter ["writeBoundary"] ''
  run ln -s $VERBOSE_ARG "${config.age.secrets.ssh-config.path}" $HOME/.ssh/my_config
'';
```

Result (a bug in home-manager? If I pass `writeBoundary` as a string instead of `["writeBoundary"]`, it complains about an empty list instead):

```
error: A definition for option `home-manager.users.perchun.home.activation.after.data' is not of type `string'. Definition values:
- In `/nix/store/ipsimfwkwmi5y53iqlw6hrzqlwxnhkxf-source/home-manager/ssh.nix':
[
"writeBoundary"
]
```
```nix
programs.ssh.extraConfig =
  builtins.readFile
    (builtins.replaceStrings ["$XDG_RUNTIME_DIR"] [(builtins.getEnv "XDG_RUNTIME_DIR")] config.age.secrets.ssh-config.path);
```

Result (`builtins.getEnv "XDG_RUNTIME_DIR"` returns an empty string):

```
error: access to absolute path '/agenix/ssh-config' is forbidden in pure eval mode (use '--impure' to override)
```
So my question is: how can I include my ssh config as a secret, or is there any other way to configure aliases for my VPSes without storing IPs publicly?
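An added example, not the poster's code, of the activation-script approach from the fourth attempt with the DAG entry given its own attribute name, which is what the `home.activation.after.data` error above is pointing at. `linkSshSecretConfig` is an arbitrary attribute name chosen here, and `config.age.secrets.ssh-config.path` is assumed to be the agenix secret path shown in the errors above.

```nix
{ config, lib, ... }:
{
  # ssh_config does not expand $XDG_RUNTIME_DIR in Include, so ssh is pointed
  # at a fixed file inside ~/.ssh instead. OpenSSH resolves relative Include
  # paths in a user config against ~/.ssh, so this means ~/.ssh/my_config.
  programs.ssh.includes = [ "my_config" ];

  # home.activation is an attribute set of DAG entries, so each entry needs its
  # own attribute name. Assigning lib.hm.dag.entryAfter's result directly to
  # home.activation makes the module read its `after` and `data` fields as two
  # activation entries, which is the "home.activation.after.data is not of type
  # string" error shown above.
  home.activation.linkSshSecretConfig = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
    # This runs at activation time in the user's session, where $XDG_RUNTIME_DIR
    # is set, so the literal "$XDG_RUNTIME_DIR/agenix/ssh-config" from the
    # agenix option expands correctly. -f lets re-activation replace the link.
    run mkdir -p "$HOME/.ssh"
    run ln -sf $VERBOSE_ARG "${config.age.secrets.ssh-config.path}" "$HOME/.ssh/my_config"
  '';
}
```

The symlink target lives in the per-user runtime directory (a tmpfs cleared at logout), so the decrypted IPs never land on disk, but the link dangles until the agenix decryption has run in the current session.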