From ffe0e9d26bf16512ffe0241dd212cfc0ef1ab3d0 Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Tue, 13 Feb 2024 22:12:26 +0000
Subject: [PATCH] use mkstate for dropbear keys
---
 NEWS | 14 ++++++--------
 modules/ssh/ssh.nix | 9 +++------
 2 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/NEWS b/NEWS
index 4169d82..75b1c09 100644
--- a/NEWS
+++ b/NEWS
@@ -60,13 +60,11 @@ these changes have been made (if there's a writeable fs on /persist) or a directory (if there isn't)
-The `output` and `mkoutputs` functions defined by ${serviceFns}
-have been updated, so unless your services are hardcoding service-state
-then the change should be seamless
+The change will lose your ssh host key(s) unless you copy them from
+the old location to the new one before rebooting into the new system
+ mkdir -m 02751 -p /run/services/state/dropbear
+ cp /persist/secrets/dropbear/* /run/services/state/dropbear
-
-
-
-21:02:51 GMT 2024
-
+The `output`, `mkoutputs` functions defined by ${serviceFns}
+have been updated for the new location.
diff --git a/modules/ssh/ssh.nix b/modules/ssh/ssh.nix
index 3ee0511..f0c297e 100644
--- a/modules/ssh/ssh.nix
+++ b/modules/ssh/ssh.nix
@@ -29,15 +29,12 @@ let in longrun { name = "sshd";
+ # we need /run/dropbear to point to hostkey storage, as that
+ # pathname is hardcoded into the binary.
 # env -i clears the environment so we don't pass anything weird to
 # ssh sessions
 run = ''
- if test -d /persist; then
- mkdir -p /persist/secrets/dropbear
- ln -s /persist/secrets/dropbear /run
- else
- mkdir -p /run/dropbear
- fi
+ ln -s $(mkstate dropbear) /run
 . /etc/profile # sets PATH but do we need this? it's the same file as ashrc
 exec env -i ENV=/etc/ashrc PATH=$PATH ${dropbear}/bin/dropbear ${concatStringsSep " " options} '';
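Review bot: The new `ln -s $(mkstate dropbear) /run` uses mkstate's output unquoted and unchecked, so if mkstate fails or prints nothing the command collapses to `ln -s /run`, no /run/dropbear is created, and dropbear is still exec'd without its host-key directory. The removed branch created the directory itself with `mkdir -p`, whereas the new line relies entirely on mkstate (defined outside this hunk) to create it; it is worth confirming that it does so with permissions that keep the private host keys unreadable to other users. I would capture and check the path and name the link explicitly: `keydir=$(mkstate dropbear) || exit 1` followed by `ln -sfn "$keydir" /run/dropbear`, where `-fn` also keeps a service restart from tripping over the link left by the previous run. The `longrun` attribute set opens in this hunk and closes outside it.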