From 5a6315764306cfbf779253d385de9f1355736f03 Mon Sep 17 00:00:00 2001
From: Erwin Boskma
Date: Sun, 30 Oct 2022 21:09:15 +0100
Subject: [PATCH] Use solo key for ssh, disable gpg-agent ssh integration
This makes use of ED25519-SK keys that provide 2FA for SSH.
Also, switch to using the SSH key to sign git commits
---
 home-manager/modules/git/default.nix | 13 ++++++++++++-
 home-manager/modules/gpg/default.nix | 6 +++---
 home-manager/modules/ssh/default.nix | 2 +-
 machines/loki/configuration.nix | 1 +
 modules/desktop/default.nix | 4 ++--
 users/erwin/default.nix | 2 +-
 users/erwin/desktop.nix | 4 +++-
 7 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/home-manager/modules/git/default.nix b/home-manager/modules/git/default.nix
index 99ea5da..6d9eb9c 100644
--- a/home-manager/modules/git/default.nix
+++ b/home-manager/modules/git/default.nix
@@ -21,10 +21,16 @@ in
 };
 signingKey = mkOption {
- description = "your GPG signing key ID";
+ description = "your signing key";
 type = types.nullOr types.str;
 default = null;
 };
+
+ signingKeyFormat = mkOption {
+ description = "the type of signing key";
+ type = types.enum [ "openpgp" "x509" "ssh" ];
+ default = "openpgp";
+ };
 };
 config = mkIf cfg.enable {
@@ -112,6 +118,11 @@ in
 patternType = "extended";
 };
+ gpg = {
+ format = cfg.signingKeyFormat;
+ ssh.allowedSignersFile = "~/.config/git/allowed_signers";
+ };
+
 url = {
 "ssh://git@repohost.bedum.horus.nu/" = {
 insteadOf = "rh:";
diff --git a/home-manager/modules/gpg/default.nix b/home-manager/modules/gpg/default.nix
index cd7c3e3..0aa2d86 100644
--- a/home-manager/modules/gpg/default.nix
+++ b/home-manager/modules/gpg/default.nix
@@ -23,9 +23,9 @@ in
 services.gpg-agent = {
 enable = true;
 pinentryFlavor = "gnome3";
- enableSshSupport = true;
- defaultCacheTtlSsh = 14400;
- maxCacheTtlSsh = 14400;
+ # enableSshSupport = true;
+ # defaultCacheTtlSsh = 14400;
+ # maxCacheTtlSsh = 14400;
 extraConfig = ''
 allow-loopback-pinentry
 '';
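Review bot: The new `signingKey` description no longer says what shape the value must have for each `signingKeyFormat`, and nothing ties the two options together. For the `ssh` format git expects a path to the key file (the `users/erwin/desktop.nix` hunk passes `~/.ssh/id_ed25519_sk`), while `openpgp`/`x509` take a key ID, so the option should state that: `description = "your signing key: a GPG/X.509 key ID, or for the ssh format the path to the SSH key file";`. `signingKeyFormat` could likewise note that its three values map directly onto git's `gpg.format` setting. The enclosing `options` attrset starts and ends outside the hunk.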
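Review bot: `ssh.allowedSignersFile` points at `~/.config/git/allowed_signers`, but nothing in this commit creates that file, so `git verify-commit` and `git log --show-signature` will fail for every SSH-signed commit, including the user's own. The module already knows the user's email and key, so it could generate the file, e.g. `xdg.configFile."git/allowed_signers".text = "<email> <public key line>";` guarded by `cfg.signingKeyFormat == "ssh"` (the entry needs the public key, not the private-key path used for `signingKey`). Setting `format` unconditionally is harmless because `openpgp` is git's default, but a one-line comment saying so would avoid a reader wondering. The enclosing attrset (presumably `extraConfig`) continues outside the hunk.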
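Review bot: The three commented-out `enableSshSupport`/`defaultCacheTtlSsh`/`maxCacheTtlSsh` lines are dead configuration; `enableSshSupport` defaults to false, so deleting them is equivalent and leaves no doubt about whether gpg-agent still serves SSH keys. If the point is to record why they went away, one comment says it better: `# SSH agent is now programs.ssh.startAgent with the FIDO2 key; gpg-agent SSH support intentionally off.` The same commented-out-setting pattern appears in the `users/erwin/desktop.nix` hunk with the old `signingKey`.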
diff --git a/home-manager/modules/ssh/default.nix b/home-manager/modules/ssh/default.nix
index 72f1f32..2d8b574 100644
--- a/home-manager/modules/ssh/default.nix
+++ b/home-manager/modules/ssh/default.nix
@@ -15,7 +15,7 @@ in
 hashKnownHosts = true;
 matchBlocks = {
 "*" = {
- identityFile = "~/.ssh/id_ed25519";
+ identityFile = "~/.ssh/id_ed25519_sk";
 identitiesOnly = true;
 extraOptions = {
 Ciphers = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr";
diff --git a/machines/loki/configuration.nix b/machines/loki/configuration.nix
index abc6049..fc4b335 100644
--- a/machines/loki/configuration.nix
+++ b/machines/loki/configuration.nix
@@ -152,6 +152,7 @@ in
 # };
 services.openssh.enable = true;
+ programs.ssh.startAgent = true;
 services.sunshine = {
 enable = true;
diff --git a/modules/desktop/default.nix b/modules/desktop/default.nix
index 3bc78ec..3fa5258 100644
--- a/modules/desktop/default.nix
+++ b/modules/desktop/default.nix
@@ -89,9 +89,9 @@ in
 QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
 QT_QPA_PLATFORMTHEME = "qt5ct";
 SDL_VIDEODRIVER = "wayland";
- SSH_AUTH_SOCK = ''''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh'';
+ SSH_AUTH_SOCK = ''''${XDG_RUNTIME_DIR}/ssh-agent'';
 AMD_VULKAN_ICD = "RADV";
- # NIXOS_OZONE_WL = "1";
+ NIXOS_OZONE_WL = "1";
 };
 etc = {
diff --git a/users/erwin/default.nix b/users/erwin/default.nix
index 2ef2099..6223525 100644
--- a/users/erwin/default.nix
+++ b/users/erwin/default.nix
@@ -18,7 +18,7 @@ in
 openssh.authorizedKeys.keyFiles = [
 (pkgs.fetchurl {
 url = "https://github.com/eboskma.keys";
- sha256 = "z/4lQnFuSkq8O0eunnkXIAH3x3ii9qVr9hxh4/8jBkc=";
+ sha256 = "uwK4FSLSHiwCJU9U7RBFHIoCmr7uUQLM0JM1u0bi4xo=";
 })
 ];
 };
diff --git a/users/erwin/desktop.nix b/users/erwin/desktop.nix
index 7b59c0a..774070f 100644
--- a/users/erwin/desktop.nix
+++ b/users/erwin/desktop.nix
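Review bot: Because `identitiesOnly = true` stays in the `"*"` block, the changed `identityFile` makes the FIDO2 key the only identity ever offered, so any host that does not yet have `id_ed25519_sk.pub` in its `authorized_keys` becomes unreachable the moment this is deployed. Only the GitHub key list is refreshed in this commit (`users/erwin/default.nix`); other hosts, such as the `repohost` referenced in the git module, are not visible here. For a staged rollover `identityFile` accepts a list, so `identityFile = [ "~/.ssh/id_ed25519_sk" "~/.ssh/id_ed25519" ];` keeps the old key as a fallback until every host is enrolled, after which it should be removed again so the 2FA key is the only one. The `matchBlocks` attrset continues outside the hunk.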
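Review bot: `programs.ssh.startAgent = true;` starts an `ssh-agent` with no key lifetime, whereas the gpg-agent setup being removed expired SSH keys after 14400 s; adding `programs.ssh.agentTimeout = "4h";` next to it restores that bound (an `-sk` key still needs a touch per use, but any other key added to the agent would otherwise stay loaded until logout). The NixOS module also exports `SSH_AUTH_SOCK` for the agent it starts (worth confirming), so the hard-coded `SSH_AUTH_SOCK` in the `modules/desktop/default.nix` hunk is likely redundant — and if that desktop module is shared with machines that do not set `startAgent`, they will point at a socket that never exists. Consider setting `startAgent` in the desktop module next to the variable, or dropping the variable, so the two cannot drift apart.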
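Review bot: Enabling `NIXOS_OZONE_WL = "1";` is unrelated to the commit's subject and is not mentioned in its message; it changes how the nixpkgs Chromium/Electron wrappers launch on every host importing this desktop module, so it belongs in its own commit or at least in a line of the description. The `SSH_AUTH_SOCK` line is covered in the note on the `machines/loki/configuration.nix` hunk. The enclosing `sessionVariables`-style attrset starts outside the hunk.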
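Review bot: The only thing authenticating the `authorized_keys` content here is the updated `sha256` of `https://github.com/eboskma.keys`, so a reviewer cannot see which keys are now allowed to log in to every host that imports this user module — in particular whether the old non-FIDO `id_ed25519` key is still published there next to the new `sk` key. Listing the key literally with `openssh.authorizedKeys.keys = [ "<sk public key line>" ];` makes the trusted key set reviewable in the diff and independent of a third-party endpoint. If the fetch is kept, a comment naming which keys the new hash corresponds to would at least document the change.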
@@ -63,7 +63,9 @@ in
 enable = true;
 name = "Erwin Boskma";
 email = "erwin@datarift.nl";
- signingKey = "EE7ADEFE1D943C7B";
+ # signingKey = "EE7ADEFE1D943C7B";
+ signingKey = "~/.ssh/id_ed25519_sk";
+ signingKeyFormat = "ssh";
 };
 gpg.enable = true;
 neovim.enable = true;
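Review bot: The commented-out `# signingKey = "EE7ADEFE1D943C7B";` is dead configuration sitting next to the live `signingKey`; either drop it or make it an explanatory comment, e.g. `# Commits before this change were signed with GPG key EE7ADEFE1D943C7B; signing now uses the SSH FIDO2 key.` `signingKey` now names the private key file, so git presumably signs via `ssh-keygen` on that file and each signature needs the authenticator present, which is worth a comment for anyone who later sees signing hang waiting for a touch. The enclosing `git` attrset starts outside the hunk.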