From 0def55578ecb0a1c5a3f67692aaf2fb1aa17cf0c Mon Sep 17 00:00:00 2001
From: Tasia Iso
Date: Wed, 24 Apr 2024 15:17:34 +0200
Subject: [PATCH] temp ssh

---
 common/services/sshd.nix | 24 +++++++++++++++++-------
 common/services/usbguard.nix | 1 +
 dotfiles/.gitconfig | 6 ++++++
 3 files changed, 24 insertions(+), 7 deletions(-)
 create mode 100644 dotfiles/.gitconfig

diff --git a/common/services/sshd.nix b/common/services/sshd.nix
index 0e9054c..5189068 100644
--- a/common/services/sshd.nix
+++ b/common/services/sshd.nix
@@ -10,13 +10,14 @@
 settings = {
 PermitRootLogin = "no";
-
- AllowUsers = [ "user" "tasia" ];
+ AllowUsers = ["user" "tasia"];
 # Public key authentiation only
 PasswordAuthentication = false;
- ChallengeResponseAuthentication = false;
+
+ ChallengeResponseAuthentication = true;
 KbdInteractiveAuthentication = true;
+ AuthenticationMethods = "publickey,keyboard-interactive";
 };
 extraConfig = ''
 # Only allow SSH v2
@@ -40,16 +41,25 @@
 X11Forwarding no
 AllowAgentForwarding no
 AllowStreamLocalForwarding no
- AuthenticationMethods publickey
 '';
 };
- security.pam = {
- services.sshd.googleAuthenticator.enable = true;
+ security.pam.services = {
+ sshd.text = ''
+ account required pam_unix.so # unix (order 10900)
+
+ auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so nullok no_increment_hotp # google_authenticator (order 12500)
+ # auth sufficient pam_permit.so
+
+ session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
+ session required pam_unix.so # unix (order 10200)
+ session required pam_loginuid.so # loginuid (order 10300)
+ session optional ${pkgs.systemd}/lib/security/pam_systemd.so # systemd (order 12000)
+ '';
 };
+ environment.systemPackages = with pkgs; [ google-authenticator ];
 }
 # ssh R6: StrictHostKeyChecking ask
-
diff --git a/common/services/usbguard.nix b/common/services/usbguard.nix
index 1c69aa1..baaa327 100644
--- a/common/services/usbguard.nix
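Review bot: The context comment `# Public key authentiation only` above `PasswordAuthentication = false;` is now misleading (and misspelled), because the added `AuthenticationMethods = "publickey,keyboard-interactive";` requires a public key and a keyboard-interactive (PAM) step on every login; replace it with `# Public key + keyboard-interactive (PAM second factor), both required`. `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication` in current OpenSSH, so setting both to `true` is redundant and the re-added `ChallengeResponseAuthentication = true;` line can be dropped in favour of the existing `KbdInteractiveAuthentication = true;`. The `settings` set is shown whole, but the enclosing `services.openssh` block starts before this hunk.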
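Review bot: `nullok` on the `pam_google_authenticator.so` line in `sshd.text` makes the keyboard-interactive step succeed for any account that has no `~/.google_authenticator` file, so the `publickey,keyboard-interactive` requirement added in the first hunk silently collapses to public-key-only for every account in `AllowUsers` that has not enrolled yet. If a mandatory second factor is the intent, drop `nullok` once every allowed user is enrolled, or mark the rollout window explicitly with `# nullok: TEMPORARY until all AllowUsers accounts are enrolled; remove to enforce OTP`. The commented-out `# auth sufficient pam_permit.so` line is dead configuration in a security-relevant stack and is better deleted than left as a one-character bypass waiting to be uncommented. It is also worth a comment on `sshd.text` that it replaces the whole NixOS-generated PAM stack for sshd (the `googleAuthenticator.enable` option removed here no longer has any effect), so later module-level PAM additions will not apply to SSH logins.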
+++ b/common/services/usbguard.nix
@@ -26,6 +26,7 @@
 # Peripherals
 allow id 046d:c08b serial "178D316C3832" name "G502 HERO Gaming Mouse"
+ allow id 18d1:4ee1 serial "28051FDH200ATC" name "Pixel 7"
 '';
 };
 }
diff --git a/dotfiles/.gitconfig b/dotfiles/.gitconfig
new file mode 100644
index 0000000..e58c4c1
--- /dev/null
+++ b/dotfiles/.gitconfig
@@ -0,0 +1,6 @@
+[user]
+ signingkey = /home/tasia/.ssh/id_ed25519
+[gpg]
+ format = ssh
+[commit]
+ gpgsign = true
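Review bot: `signingkey = /home/tasia/.ssh/id_ed25519` points Git at the private key file through an absolute, user-specific path, which breaks on any host or account where the home directory differs and has `git commit` read the private key directly; with `gpg.format = ssh`, `user.signingkey` can instead be the public key path (`/home/tasia/.ssh/id_ed25519.pub`) or a literal `key::ssh-ed25519 AAAA...`, in which case signing goes through the loaded ssh-agent and no private-key path has to live in a dotfile. Since `commit.gpgsign = true` is enabled, `git log --show-signature` will report every commit as untrusted until an allowed-signers file is configured, so consider adding a `[gpg "ssh"]` section with `allowedSignersFile = ~/.ssh/allowed_signers`.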