Use solo key for ssh, disable gpg-agent ssh integration

This makes use of ED25519-SK keys that provide 2FA for SSH. Also,
switch to using the SSH key to sign git commits.
Erwin Boskma 2022-10-30 21:09:15 +01:00
parent c3b621225d
commit 5a63157643
Signed by: erwin
SSH key fingerprint: SHA256:CyeNoWXd3kjX2Nwu6pDxxdS7OqmPVOy0NavA/KU/ntU
7 changed files with 23 additions and 9 deletions


@ -21,10 +21,16 @@ in
}; };
signingKey = mkOption { signingKey = mkOption {
description = "your GPG signing key ID"; description = "your signing key";
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
}; };
signingKeyFormat = mkOption {
description = "the type of signing key";
type = types.enum [ "openpgp" "x509" "ssh" ];
default = "openpgp";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -112,6 +118,11 @@ in
patternType = "extended"; patternType = "extended";
}; };
gpg = {
format = cfg.signingKeyFormat;
ssh.allowedSignersFile = "~/.config/git/allowed_signers";
};
url = { url = {
"ssh://git@repohost.bedum.horus.nu/" = { "ssh://git@repohost.bedum.horus.nu/" = {
insteadOf = "rh:"; insteadOf = "rh:";
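Review bot: `ssh.allowedSignersFile` is pointed at `~/.config/git/allowed_signers`, but nothing in this commit creates or populates that file, so verifying SSH-signed commits (`git verify-commit`, `git log --show-signature`) will report the signer as unknown until it exists; it may be generated elsewhere, but that is not visible here. Since this is a home-manager module, the file could be written from the same option that supplies the key so the two cannot drift apart. The new option's description is also thin; `description = "the signing key format, passed to git's gpg.format (openpgp, x509 or ssh)";` tells the reader where the value ends up. The enclosing options attrset starts outside the hunk.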


@ -23,9 +23,9 @@ in
services.gpg-agent = { services.gpg-agent = {
enable = true; enable = true;
pinentryFlavor = "gnome3"; pinentryFlavor = "gnome3";
enableSshSupport = true; # enableSshSupport = true;
defaultCacheTtlSsh = 14400; # defaultCacheTtlSsh = 14400;
maxCacheTtlSsh = 14400; # maxCacheTtlSsh = 14400;
extraConfig = '' extraConfig = ''
allow-loopback-pinentry allow-loopback-pinentry
''; '';
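Review bot: The three gpg-agent SSH lines `enableSshSupport`, `defaultCacheTtlSsh` and `maxCacheTtlSsh` are commented out rather than removed; the commit history already preserves the old values, and commented-out settings tend to be re-enabled by accident or go stale. Deleting them, or stating the intent explicitly with `enableSshSupport = false;`, makes it unambiguous that SSH is now served by ssh-agent and not by gpg-agent. The same pattern appears with the old `signingKey` line in the last file section.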


@ -15,7 +15,7 @@ in
hashKnownHosts = true; hashKnownHosts = true;
matchBlocks = { matchBlocks = {
"*" = { "*" = {
identityFile = "~/.ssh/id_ed25519"; identityFile = "~/.ssh/id_ed25519_sk";
identitiesOnly = true; identitiesOnly = true;
extraOptions = { extraOptions = {
Ciphers = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"; Ciphers = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr";
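Review bot: With `identitiesOnly = true` and `identityFile` now naming only `~/.ssh/id_ed25519_sk`, the old `id_ed25519` key is no longer offered to any host, so any server that has not yet had the SK public key authorized will refuse the login; the commit re-hashes the GitHub key list, but the other hosts in the url rewrites of the first section (e.g. `repohost.bedum.horus.nu`) are not covered here. Listing both keys during the rollover, `identityFile = [ "~/.ssh/id_ed25519_sk" "~/.ssh/id_ed25519" ];` (the option accepts a list), and dropping the old one once the SK key is authorized everywhere avoids a lockout. The matchBlocks attrset continues outside the hunk.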


@ -152,6 +152,7 @@ in
# }; # };
services.openssh.enable = true; services.openssh.enable = true;
programs.ssh.startAgent = true;
services.sunshine = { services.sunshine = {
enable = true; enable = true;
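Review bot: `programs.ssh.startAgent = true;` replaces a gpg-agent SSH cache that was bounded to 14400 s (`defaultCacheTtlSsh`/`maxCacheTtlSsh` in the gpg-agent section), but no lifetime is set for the new agent, so keys added to it stay loaded until the session ends. NixOS exposes `programs.ssh.agentTimeout` for this; `programs.ssh.agentTimeout = "4h";` keeps the previous bound. For the SK key itself the exposure is small, since every use still needs the authenticator, but the bound also covers any non-SK key later added with `ssh-add`.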


@ -89,9 +89,9 @@ in
QT_WAYLAND_DISABLE_WINDOWDECORATION = "1"; QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
QT_QPA_PLATFORMTHEME = "qt5ct"; QT_QPA_PLATFORMTHEME = "qt5ct";
SDL_VIDEODRIVER = "wayland"; SDL_VIDEODRIVER = "wayland";
SSH_AUTH_SOCK = ''''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh''; SSH_AUTH_SOCK = ''''${XDG_RUNTIME_DIR}/ssh-agent'';
AMD_VULKAN_ICD = "RADV"; AMD_VULKAN_ICD = "RADV";
# NIXOS_OZONE_WL = "1"; NIXOS_OZONE_WL = "1";
}; };
etc = { etc = {
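Review bot: The hard-coded `SSH_AUTH_SOCK = ''''${XDG_RUNTIME_DIR}/ssh-agent''` has to match the socket of the agent enabled via `programs.ssh.startAgent` in another file of this commit; as far as I know NixOS's ssh-agent user service listens on `$XDG_RUNTIME_DIR/ssh-agent` and already exports the variable when it is unset, so the line is consistent today but will silently point at a missing socket if the two ever diverge. A comment such as `# must match the socket of the NixOS ssh-agent user service (programs.ssh.startAgent)` would flag the coupling. Separately, uncommenting `NIXOS_OZONE_WL` is unrelated to the key change and is not mentioned in the commit message; it reads better as its own commit.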


@ -18,7 +18,7 @@ in
openssh.authorizedKeys.keyFiles = [ openssh.authorizedKeys.keyFiles = [
(pkgs.fetchurl { (pkgs.fetchurl {
url = "https://github.com/eboskma.keys"; url = "https://github.com/eboskma.keys";
sha256 = "z/4lQnFuSkq8O0eunnkXIAH3x3ii9qVr9hxh4/8jBkc="; sha256 = "uwK4FSLSHiwCJU9U7RBFHIoCmr7uUQLM0JM1u0bi4xo=";
}) })
]; ];
}; };
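Review bot: The sha256 bump on the fetched `https://github.com/eboskma.keys` is what keeps the authorized_keys list pinned — a change on the GitHub side cannot take effect without a reviewed hash update here — but the new file content is not visible in the diff, so it is worth confirming that the old `id_ed25519` public key was actually removed from that list: switching the client to the SK key (ssh config section) does not revoke the old key on the server, and if it is still listed it still grants login. A short comment above the fetch, `# hash-pinned: bump only after reviewing the fetched key list`, makes the purpose of the hash obvious to the next editor.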


@ -63,7 +63,9 @@ in
enable = true; enable = true;
name = "Erwin Boskma"; name = "Erwin Boskma";
email = "erwin@datarift.nl"; email = "erwin@datarift.nl";
signingKey = "EE7ADEFE1D943C7B"; # signingKey = "EE7ADEFE1D943C7B";
signingKey = "~/.ssh/id_ed25519_sk";
signingKeyFormat = "ssh";
}; };
gpg.enable = true; gpg.enable = true;
neovim.enable = true; neovim.enable = true;
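Review bot: `signingKey = "~/.ssh/id_ed25519_sk"` points git at the SK private key file, so with `gpg.format = ssh` each commit signature runs `ssh-keygen -Y sign -f` on that file and prompts for its passphrase (if it has one) plus the authenticator touch; pointing at the public half, `signingKey = "~/.ssh/id_ed25519_sk.pub";`, is the documented way to have git sign through the ssh-agent that this commit also sets up. The old `signingKey = "EE7ADEFE1D943C7B"` is kept as a comment; git history already records it, so dropping the line avoids stale config. The enclosing git attrset starts outside the hunk.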