all: move ssh config to configs/ssh

2024-07-01 13:15:07 -06:00 · 2024-07-01 13:15:07 -06:00 · eb70c898a0
commit eb70c898a0
parent 23d3483229
4 changed files with 61 additions and 41 deletions
--- a/configs/default.nix
+++ b/configs/default.nix
@ -14,6 +14,7 @@
    ./net-overlay.nix
    ./nix.nix
    ./polybar.nix
    ./ssh.nix
    ./tmux.nix
    ./update.nix
    ./zsh.nix
--- a/configs/ssh.nix
+++ b/configs/ssh.nix
@ -0,0 +1,58 @@
 { config
 , lib
 , pkgs
 , xinlib
 , ...
 }:
 let
  myOpenSSH = pkgs.pkgsMusl.callPackage ../pkgs/openssh.nix {
    inherit config;
    inherit xinlib;
  };
 in
 {
  config = {
    programs = {
      ssh = {
        package = lib.mkDefault myOpenSSH;
        agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
        knownHosts = {
          "[namish.otter-alligator.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
          "[git.tapenet.org]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkbSJWeWJyJjak/boaMTqzPVq91wfJz1P+I4rnBUsPW";
        };
        knownHostsFiles = [ ./ssh_known_hosts ];
        startAgent = true;
        agentTimeout = "100m";
        extraConfig = ''
          Host *
            controlmaster         auto
            controlpath           /tmp/ssh-%r@%h:%p
          VerifyHostKeyDNS	yes
          AddKeysToAgent	90m
          CanonicalizeHostname	always
        '';
      };
    };
    services = {
      openssh = {
        enable = true;
        extraConfig = ''
          TrustedUserCAKeys = /etc/ssh/ca.pub
        '';
        settings = {
          PrintMotd = true;
          PermitRootLogin = "prohibit-password";
          PasswordAuthentication = false;
          KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
          Macs = [
            "hmac-sha2-512-etm@openssh.com"
            "hmac-sha2-256-etm@openssh.com"
            "umac-128-etm@openssh.com"
          ];
        };
      };
    };
  };
 }
--- a/default.nix
+++ b/default.nix
@ -16,10 +16,7 @@ let
    command="/run/current-system/sw/bin/xin",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9PIhQ+yWfBM2tEG+W8W8HXJXqISXif8BcPZHakKvLM xin-status
  '';
  gosignify = pkgs.callPackage ./pkgs/gosignify.nix { inherit isUnstable; };
-  myOpenSSH = pkgs.pkgsMusl.callPackage ./pkgs/openssh.nix {
+
    inherit config;
    inherit xinlib;
  };
  xin = pkgs.perlPackages.callPackage ./bins/xin { inherit pkgs; };
 in
 {
@ -216,26 +213,6 @@ in
    programs = {
      zsh.enable = true;
      gnupg.agent.enable = true;
      ssh = {
        package = lib.mkDefault myOpenSSH;
        agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
        knownHosts = {
          "[namish.otter-alligator.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
          "[git.tapenet.org]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkbSJWeWJyJjak/boaMTqzPVq91wfJz1P+I4rnBUsPW";
        };
        knownHostsFiles = [ ./configs/ssh_known_hosts ];
        startAgent = true;
        agentTimeout = "100m";
        extraConfig = ''
          Host *
            controlmaster         auto
            controlpath           /tmp/ssh-%r@%h:%p
          VerifyHostKeyDNS	yes
          AddKeysToAgent	90m
          CanonicalizeHostname	always
        '';
      };
    };
    services.logrotate.checkConfig =
@ -243,23 +220,6 @@ in
    services = {
      smartd.enable = lib.mkDefault true;
      openssh = {
        enable = true;
        extraConfig = ''
          TrustedUserCAKeys = /etc/ssh/ca.pub
        '';
        settings = {
          PrintMotd = true;
          PermitRootLogin = "prohibit-password";
          PasswordAuthentication = false;
          KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
          Macs = [
            "hmac-sha2-512-etm@openssh.com"
            "hmac-sha2-256-etm@openssh.com"
            "umac-128-etm@openssh.com"
          ];
        };
      };
    };
  };
 }
--- a/hosts/tv/default.nix
+++ b/hosts/tv/default.nix
@ -21,6 +21,7 @@ in
  imports = [
    ./hardware-configuration.nix
    ../../configs/zsh.nix
    ../../configs/ssh.nix
  ];
  needsDeploy.enable = false;