all: move ssh config to configs/ssh

2024-07-01 13:15:07 -06:00 · 2024-07-01 13:15:07 -06:00 · eb70c898a0
commit eb70c898a0
parent 23d3483229
4 changed files with 61 additions and 41 deletions
--- a/configs/default.nix
+++ b/configs/default.nix
@ -14,6 +14,7 @@
    ./net-overlay.nix
    ./nix.nix
    ./polybar.nix
+    ./ssh.nix
    ./tmux.nix
    ./update.nix
    ./zsh.nix
--- a/configs/ssh.nix
+++ b/configs/ssh.nix
@ -0,0 +1,58 @@
+{ config
+, lib
+, pkgs
+, xinlib
+, ...
+}:
+let
+  myOpenSSH = pkgs.pkgsMusl.callPackage ../pkgs/openssh.nix {
+    inherit config;
+    inherit xinlib;
+  };
+in
+{
+  config = {
+    programs = {
+      ssh = {
+        package = lib.mkDefault myOpenSSH;
+        agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
+        knownHosts = {
+          "[namish.otter-alligator.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
+          "[git.tapenet.org]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkbSJWeWJyJjak/boaMTqzPVq91wfJz1P+I4rnBUsPW";
+        };
+        knownHostsFiles = [ ./ssh_known_hosts ];
+        startAgent = true;
+        agentTimeout = "100m";
+        extraConfig = ''
+          Host *
+            controlmaster         auto
+            controlpath           /tmp/ssh-%r@%h:%p
+
+          VerifyHostKeyDNS	yes
+          AddKeysToAgent	90m
+          CanonicalizeHostname	always
+        '';
+      };
+    };
+
+    services = {
+      openssh = {
+        enable = true;
+        extraConfig = ''
+          TrustedUserCAKeys = /etc/ssh/ca.pub
+        '';
+        settings = {
+          PrintMotd = true;
+          PermitRootLogin = "prohibit-password";
+          PasswordAuthentication = false;
+          KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+          Macs = [
+            "hmac-sha2-512-etm@openssh.com"
+            "hmac-sha2-256-etm@openssh.com"
+            "umac-128-etm@openssh.com"
+          ];
+        };
+      };
+    };
+  };
+}
--- a/default.nix
+++ b/default.nix
@ -16,10 +16,7 @@ let
    command="/run/current-system/sw/bin/xin",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9PIhQ+yWfBM2tEG+W8W8HXJXqISXif8BcPZHakKvLM xin-status
  '';
  gosignify = pkgs.callPackage ./pkgs/gosignify.nix { inherit isUnstable; };
-  myOpenSSH = pkgs.pkgsMusl.callPackage ./pkgs/openssh.nix {
-    inherit config;
-    inherit xinlib;
-  };
+
  xin = pkgs.perlPackages.callPackage ./bins/xin { inherit pkgs; };
 in
 {
@ -216,26 +213,6 @@ in
    programs = {
      zsh.enable = true;
      gnupg.agent.enable = true;
-      ssh = {
-        package = lib.mkDefault myOpenSSH;
-        agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
-        knownHosts = {
-          "[namish.otter-alligator.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
-          "[git.tapenet.org]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkbSJWeWJyJjak/boaMTqzPVq91wfJz1P+I4rnBUsPW";
-        };
-        knownHostsFiles = [ ./configs/ssh_known_hosts ];
-        startAgent = true;
-        agentTimeout = "100m";
-        extraConfig = ''
-          Host *
-            controlmaster         auto
-            controlpath           /tmp/ssh-%r@%h:%p
-
-          VerifyHostKeyDNS	yes
-          AddKeysToAgent	90m
-          CanonicalizeHostname	always
-        '';
-      };
    };

    services.logrotate.checkConfig =
@ -243,23 +220,6 @@ in

    services = {
      smartd.enable = lib.mkDefault true;
-      openssh = {
-        enable = true;
-        extraConfig = ''
-          TrustedUserCAKeys = /etc/ssh/ca.pub
-        '';
-        settings = {
-          PrintMotd = true;
-          PermitRootLogin = "prohibit-password";
-          PasswordAuthentication = false;
-          KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
-          Macs = [
-            "hmac-sha2-512-etm@openssh.com"
-            "hmac-sha2-256-etm@openssh.com"
-            "umac-128-etm@openssh.com"
-          ];
-        };
-      };
    };
  };
 }
--- a/hosts/tv/default.nix
+++ b/hosts/tv/default.nix
@ -21,6 +21,7 @@ in
  imports = [
    ./hardware-configuration.nix
    ../../configs/zsh.nix
+    ../../configs/ssh.nix
  ];

  needsDeploy.enable = false;