From 7f8dc48a307aacb5b58dc2a495e1ea707330f071 Mon Sep 17 00:00:00 2001
From: Tasia Iso
Date: Fri, 26 Apr 2024 15:06:55 +0200
Subject: [PATCH] keys and stuff
---
 common/programs/zsh.nix | 1 +
 common/services/sshd.nix | 15 +-
 crypto/ssh-keys.nix | 24 +--
 dotfiles/.bashrc | 10 -
 dotfiles/.zshrc | 11 --
 flake.lock | 236 ++++++++++++++++++++++--
 flake.nix | 5 +
 home/46d1/home.nix | 4 +-
 home/tasia-but-old-username/home.nix | 4 +-
 home/tasia/home.nix | 5 +-
 home/user/home.nix | 4 +-
 hosts/enry/configuration.nix | 4 +-
 hosts/new-new-phoenix/configuration.nix | 5 +-
 hosts/new-phoenix/configuration.nix | 2 +-
 hosts/phoenix/configuration.nix | 2 +-
 hosts/stuff/configuration.nix | 2 +-
 hosts/theseus/configuration.nix | 2 +-
 17 files changed, 274 insertions(+), 62 deletions(-)
 delete mode 100644 dotfiles/.bashrc
 delete mode 100644 dotfiles/.zshrc
diff --git a/common/programs/zsh.nix b/common/programs/zsh.nix
index e963590..05d66bb 100644
--- a/common/programs/zsh.nix
+++ b/common/programs/zsh.nix
@@ -9,6 +9,7 @@
 ll = "ls -al";
 done = "curl -d 'Done' ntfy.sh/tasiaiso_done";
 rebuild = "sudo nixos-rebuild switch -flake -I nixos-config=/home/tasia/Desktop/nixos-config"; # .#hostname
+ "git ap" = "git add -p";
 };
 ohMyZsh = {
diff --git a/common/services/sshd.nix b/common/services/sshd.nix
index f408dba..253632b 100644
--- a/common/services/sshd.nix
+++ b/common/services/sshd.nix
@@ -24,14 +24,13 @@
 # Only allow SSH v2
 Protocol 2
- # Check file modes in /etc/ssh
 StrictModes yes
 UsePrivilegeSeparation sandbox
 PrintLastLog yes
- # Don't mess with environment variables
+ # Don't allow clients to mess with environment variables
 PermitUserEnvironment no
 # AcceptEnv
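Review bot: The new alias name `"git ap"` contains a space, and shell alias expansion only ever matches a single command word, so typing `git ap` can never hit this entry and the line is dead configuration. If a git subcommand alias is wanted, it belongs to git itself, e.g. `programs.git.aliases.ap = "add -p";` in home-manager or an `[alias]` entry in .gitconfig; a shell alias would need a single word such as `gap = "git add -p";`. The enclosing alias set starts above the hunk.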
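Review bot: The removed comment above `StrictModes yes` was inaccurate, but nothing now explains the directive, and it is the one that makes sshd refuse key logins when the user's home, ~/.ssh or authorized_keys are writable by others; that is worth stating because a too-permissive home directory otherwise looks like an unexplained lockout. Suggest `# Refuse key logins when ~/.ssh or authorized_keys are group/world-writable` in its place. The neighbouring `Protocol 2` and `UsePrivilegeSeparation sandbox` lines (context here) are accepted as no-ops by current OpenSSH (UsePrivilegeSeparation since 7.5, Protocol since 7.6, as far as I recall), so the "Only allow SSH v2" comment describes a control that no longer does anything and both could be dropped in a follow-up. The extraConfig string continues outside the hunk.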
@@ -45,22 +44,34 @@
 '';
 };
+ # needed for 2fa
 security.pam.services = {
 sshd.text = ''
+ # Check for the client's public key
 account required pam_unix.so # unix (order 10900)
+ # Actually check for the 2FA code.
+ # "nullok": accept session if .google_authenticator doesn't exist
+ # "no_increment_hotp": make sure the counter isn't incremented for failed attempts.
 auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so nullok no_increment_hotp # google_authenticator (order 12500)
+ # If .google_authenticator isn't present, you can still let them through
 auth sufficient pam_permit.so
+ # Load the environment variables for the new ssh session
 session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
+ # Logs when a user logins or leave the system.
 session required pam_unix.so # unix (order 10200)
+ # Record user's login uid to the process attribute
 session required pam_loginuid.so # loginuid (order 10300)
+ # Register user sessions in the systemd login manager
 session optional ${pkgs.systemd}/lib/security/pam_systemd.so # systemd (order 12000)
 '';
 };
+ # CLI tool
 environment.systemPackages = with pkgs; [ google-authenticator ];
 }
 # ssh R6: StrictHostKeyChecking ask
+
diff --git a/crypto/ssh-keys.nix b/crypto/ssh-keys.nix
index 75e43aa..4602094 100644
--- a/crypto/ssh-keys.nix
+++ b/crypto/ssh-keys.nix
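Review bot: This auth stack has no password module: `pam_google_authenticator.so nullok` is skipped for any user without a ~/.google_authenticator file and `auth sufficient pam_permit.so` then succeeds, so keyboard-interactive authentication completes with no secret at all for such users; that is only acceptable if the sshd settings above this hunk require publickey first (`AuthenticationMethods "publickey,keyboard-interactive"`) and keep PasswordAuthentication off, and the dependency should be written next to the stack, e.g. `# No password factor here: sshd must require publickey before keyboard-interactive reaches this stack`. The comment on the `account required pam_unix.so` line is wrong and will mislead the next reader: sshd verifies the client's public key itself before PAM runs, and pam_unix's account hook checks account validity (expiry, locked state), so `# Check that the account is valid (not expired or locked)` fits. Likewise `nullok` on the authenticator line, not `pam_permit`, is what tolerates a missing secret file; pam_permit is there so the stack has a succeeding module when the authenticator returns ignore, and its comment should say so. The surrounding sshd settings and the module's closing brace are outside this hunk.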
@@ -1,18 +1,20 @@
 rec {
- new-new-phoenix = {
- # host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXu/iFf6yhi6A0f6Lvp+wyltMHq1YgxZan5OdCKP9gE root@new-new-phoenix";
- # host-sha = "SHA256:hV3Kumt4I9Bt0/IAX3D9Y1kN93COAQFNSsAdiv9mpIg root@new-new-phoenix";
- tasia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@new-new-phoenix";
- # tasia-sha = "SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix";
+ user = {
+ enry = "null";
+ phoenix = "null";
 };
- phoenix = {
- host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJTqExIIZuW9yvK7mgveNK8KDGKaRswrjj/nwVDwUdeL root@phoenix"; # host or user ?
- user = "null";
+ tasia = {
+ new-new-phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@new-new-phoenix";
 };
- enry = {
- host = "enry ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCPPE7U87PZ4+BQrdJtPuD/ibf9ubyPAqcRJe6Lpc2D"; # same
- user = "null";
+ host = {
+ enry = "enry ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCPPE7U87PZ4+BQrdJtPuD/ibf9ubyPAqcRJe6Lpc2D"; # same
+ phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJTqExIIZuW9yvK7mgveNK8KDGKaRswrjj/nwVDwUdeL root@phoenix"; # host or user ?
+ new-new-phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXu/iFf6yhi6A0f6Lvp+wyltMHq1YgxZan5OdCKP9gE root@new-new-phoenix";
 };
 }
+
+programs.ssh.knownHosts = {
+ "new-new-phoenix".publicKey = sshKeys.new-new-phoenix.host;
+};
diff --git a/dotfiles/.bashrc b/dotfiles/.bashrc
deleted file mode 100644
index 3733729..0000000
--- a/dotfiles/.bashrc
+++ /dev/null
@@ -1,10 +0,0 @@
-export XDG_DATA_HOME="$HOME/.local/share"
-
-if [[ -n $SSH_CONNECTION ]] ; then
- curl \
- -H "Title: New SSH session" \
- -H "Priority: urgent" \
- -H "Tags: urgent" \
- -d "$(cat /etc/hostname ): ssh session ($SSH_CONNECTION)" \
- ntfy.sh/tasiaiso_alerts &> /dev/null
-fi
diff --git a/dotfiles/.zshrc b/dotfiles/.zshrc
deleted file mode 100644
index fea2ccd..0000000
--- a/dotfiles/.zshrc
+++ /dev/null
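Review bot: The `programs.ssh.knownHosts = { ... };` block appended after the closing `}` makes crypto/ssh-keys.nix stop parsing, since a Nix file holds exactly one expression, and `sshKeys` is not bound in this file either, so every host importing it fails to evaluate. Those three lines belong in a host's configuration.nix where `sshKeys` is in scope, referencing the new layout `sshKeys.host.new-new-phoenix` rather than `sshKeys.new-new-phoenix.host`. Separately, `host.enry` still carries the `enry ` hostname prefix (known_hosts line format) while `programs.ssh.knownHosts.<name>.publicKey` takes only the key type and key, so that entry needs the prefix stripped, and the lingering `# same` / `# host or user ?` doubts should be resolved before this set is relied on, because anything placed under `user`/`tasia` ends up in authorizedKeys. The `user.* = "null"` entries are strings, not Nix `null`; a list that includes one gets a literal `null` line in authorized_keys.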
@@ -1,11 +0,0 @@
-export XDG_DATA_HOME="$HOME/.local/share"
-
-if [[ -n $SSH_CONNECTION ]] ; then
- curl \
- -H "Title: New SSH session" \
- -H "Priority: urgent" \
- -H "Tags: urgent" \
- -d "$(cat /etc/hostname ): ssh session ($SSH_CONNECTION)" \
- ntfy.sh/tasiaiso_alerts &> /dev/null
-fi
-
diff --git a/flake.lock b/flake.lock
index ed3124e..7cdf09f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,71 @@ { "nodes": { + "flake-compat": { + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "revCount": 57, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils-plus": { + "inputs": { + "flake-utils": "flake-utils" + }, + "locked": { + "lastModified": 1696331477, + "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -7,11 +73,11 @@ ] }, "locked": { - "lastModified": 1713818326, - "narHash": "sha256-aw3xbVPJauLk/bbrlakIYxKpeuMWzA2feGrkIpIuXd8=", + "lastModified": 1714042918, + "narHash": "sha256-4AItZA3EQIiSNAxliuYEJumw/LaVfrMv84gYyrs0r3U=", "owner": "nix-community", "repo": "home-manager", - "rev": "67de98ae6eed5ad6f91b1142356d71a87ba97f21", + "rev": "0c5704eceefcb7bb238a958f532a86e3b59d76db", "type": "github" }, "original": { 
@@ -20,13 +86,84 @@ "type": "github" } }, + "nix-software-center": { + "inputs": { + "nixpkgs": "nixpkgs", + "utils": "utils" + }, + "locked": { + "lastModified": 1703105285, + "narHash": "sha256-BHoW1RQMc2Auz8paBvTBriKv0F6FI99+3nnz/ELLawg=", + "owner": "snowfallorg", + "repo": "nix-software-center", + "rev": "68e87fb6e24fb3e6fe65449918d0cbda96622b65", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "nix-software-center", + "type": "github" + } + }, + "nixos-conf-editor": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs_2", + "snowfall-lib": "snowfall-lib" + }, + "locked": { + "lastModified": 1707338010, + "narHash": "sha256-UtLeZzDdk96sLTRcWsGrkWCslNUDytrGe0VmOTB/iig=", + "owner": "snowfallorg", + "repo": "nixos-conf-editor", + "rev": "27b5e92f580f794c690093503869aab242f075ab", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "nixos-conf-editor", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1713714899, - "narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=", + "lastModified": 1692638711, + "narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "91a22f76cd1716f9d0149e8a5c68424bb691de15", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1698318101, + "narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6143fc5eeb9c4f00163267708e26191d1e918932", + "rev": "63678e9f3d3afecfeafa0acead6239cdb447574c", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1713895582, + "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=", + "owner": "nixos", + "repo": "nixpkgs", + 
"rev": "572af610f6151fd41c212f897c71f7056e3fb518", "type": "github" }, "original": { @@ -39,18 +176,43 @@ "root": { "inputs": { "home-manager": "home-manager", - "nixpkgs": "nixpkgs", + "nix-software-center": "nix-software-center", + "nixos-conf-editor": "nixos-conf-editor", + "nixpkgs": "nixpkgs_3", "stable": "stable", "unstable": "unstable" } }, + "snowfall-lib": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils-plus": "flake-utils-plus", + "nixpkgs": [ + "nixos-conf-editor", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1696432959, + "narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "lib", + "type": "github" + } + }, "stable": { "locked": { - "lastModified": 1713725259, - "narHash": "sha256-9ZR/Rbx5/Z/JZf5ehVNMoz/s5xjpP0a22tL6qNvLt5E=", + "lastModified": 1713995372, + "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a5e4bbcb4780c63c79c87d29ea409abf097de3f7", + "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8", "type": "github" }, "original": { 
@@ -60,13 +222,43 @@ "type": "github" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "unstable": { "locked": { - "lastModified": 1713714899, - "narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=", + "lastModified": 1713895582, + "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6143fc5eeb9c4f00163267708e26191d1e918932", + "rev": "572af610f6151fd41c212f897c71f7056e3fb518", "type": "github" }, "original": { @@ -75,6 +267,24 @@ "repo": "nixpkgs", "type": "github" } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 109918f..5dc3cd8 100644 --- a/flake.nix +++ b/flake.nix @@ -11,6 +11,9 @@ url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; + + nixos-conf-editor.url = "github:snowfallorg/nixos-conf-editor"; + nix-software-center.url = "github:snowfallorg/nix-software-center"; }; outputs = { 
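Review bot: The two new inputs `nixos-conf-editor.url` and `nix-software-center.url` are declared without `inputs.nixpkgs.follows = "nixpkgs"`, unlike the home-manager input just above them, so the lock file in this same patch now pins two extra nixpkgs trees (`nixpkgs` at lastModified 1692638711 and `nixpkgs_2` at 1698318101, both well behind the root `nixpkgs_3` at 1713895582) and those tools are built from that older package set. Adding `inputs.nixpkgs.follows = "nixpkgs";` under each input keeps one nixpkgs to update and audit; if either upstream flake is known not to build against current nixpkgs, a comment at the input saying so is the better record than a silent second pin. The `inputs` set continues outside the hunk.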
@@ -19,6 +22,8 @@
 stable,
 unstable,
 home-manager,
+ nixos-conf-editor,
+ nix-software-center,
 ...
 } @ inputs: let
 inherit (self) outputs;
diff --git a/home/46d1/home.nix b/home/46d1/home.nix
index 58deda6..f6e7dc0 100644
--- a/home/46d1/home.nix
+++ b/home/46d1/home.nix
@@ -12,8 +12,8 @@ home-manager.users.user = {pkgs, ...}: {
 home.file = {
- ".zshrc".source = ../../dotfiles/.zshrc;
- ".bashrc".source = ../../dotfiles/.bashrc;
+ ".zshrc".source = ../../dotfiles/.shellrc;
+ ".bashrc".source = ../../dotfiles/.shellrc;
 # ".librewolf/librewolf.overrides.cfg".source = ../../dotfiles/librewolf.overrides.cfg;
 };
diff --git a/home/tasia-but-old-username/home.nix b/home/tasia-but-old-username/home.nix
index bb2cc99..c97361b 100644
--- a/home/tasia-but-old-username/home.nix
+++ b/home/tasia-but-old-username/home.nix
@@ -14,8 +14,8 @@ home-manager.users.user = {pkgs, ...}: {
 home.file = {
- ".zshrc".source = ../../dotfiles/.zshrc;
- ".bashrc".source = ../../dotfiles/.bashrc;
+ ".zshrc".source = ../../dotfiles/.shellrc;
+ ".bashrc".source = ../../dotfiles/.shellrc;
 ".librewolf/librewolf.overrides.cfg".source = ../../dotfiles/librewolf.overrides.cfg;
 };
diff --git a/home/tasia/home.nix b/home/tasia/home.nix
index fc6521d..1bc9956 100644
--- a/home/tasia/home.nix
+++ b/home/tasia/home.nix
@@ -14,8 +14,9 @@ home-manager.users.tasia = {pkgs, ...}: {
 home.file = {
- ".zshrc".source = ../../dotfiles/.zshrc;
- ".bashrc".source = ../../dotfiles/.bashrc;
+ ".zshrc".source = ../../dotfiles/.shellrc;
+ ".bashrc".source = ../../dotfiles/.shellrc;
+ # ".gitconfig".source = ../../dotfiles/.gitconfig;
 ".librewolf/librewolf.overrides.cfg".source = ../../dotfiles/librewolf.overrides.cfg;
 };
diff --git a/home/user/home.nix b/home/user/home.nix
index 459c03b..6609705 100644
--- a/home/user/home.nix
+++ b/home/user/home.nix
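Review bot: `".zshrc".source = ../../dotfiles/.shellrc;` and the `.bashrc` line point at a file this patch never adds: dotfiles/.bashrc and dotfiles/.zshrc are deleted and no dotfiles/.shellrc appears in the 17-file diffstat, so unless it already exists outside version control, home-manager evaluation fails on the missing path; the same applies to the matching hunks in home/tasia-but-old-username/home.nix, home/tasia/home.nix and home/user/home.nix. The deleted rc files also carried the `curl ... ntfy.sh/tasiaiso_alerts` alert on `$SSH_CONNECTION`, which is the only SSH-login notification visible in this repo; confirm .shellrc keeps it, or better, hook it from sshd's PAM session stack (edited in this same patch) where a user cannot disable it by editing their own rc file. The `home.file` set continues outside the hunk.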
@@ -14,8 +14,8 @@ home-manager.users.user = {pkgs, ...}: {
 home.file = {
- ".zshrc".source = ../../dotfiles/.zshrc;
- ".bashrc".source = ../../dotfiles/.bashrc;
+ ".zshrc".source = ../../dotfiles/.shellrc;
+ ".bashrc".source = ../../dotfiles/.shellrc;
 };
 home.packages = with pkgs; [
diff --git a/hosts/enry/configuration.nix b/hosts/enry/configuration.nix
index 95a9609..d5efb61 100644
--- a/hosts/enry/configuration.nix
+++ b/hosts/enry/configuration.nix
@@ -24,8 +24,8 @@ in {
 extraGroups = ["networkmanager" "wheel" "dialout"];
 initialPassword = "correcthorsebatterystaple";
 openssh.authorizedKeys.keys = [
- sshKeys.phoenix.tasia
- sshKeys.new-new-phoenix.tasia
+ sshKeys.tasia.phoenix
+ sshKeys.tasia.new-new-phoenix
 ];
 };
diff --git a/hosts/new-new-phoenix/configuration.nix b/hosts/new-new-phoenix/configuration.nix
index 26cb4e5..1788c0b 100644
--- a/hosts/new-new-phoenix/configuration.nix
+++ b/hosts/new-new-phoenix/configuration.nix
@@ -64,7 +64,7 @@ in {
 };
 users.users.tasia.openssh.authorizedKeys.keys = [
- sshKeys.new-new-phoenix.tasia
+ sshKeys.tasia.new-new-phoenix
 ];
 services.btrfs.autoScrub.fileSystems = ["/"];
@@ -87,6 +87,9 @@ in {
 tildefriends
 osu-lazer-bin
+
+ inputs.nixos-conf-editor.packages.${system}.nixos-conf-editor
+ inputs.nix-software-center.packages.${system}.nix-software-center
 ];
 services.blueman.enable = true;
diff --git a/hosts/new-phoenix/configuration.nix b/hosts/new-phoenix/configuration.nix
index ccfbaff..9f9e0ec 100644
--- a/hosts/new-phoenix/configuration.nix
+++ b/hosts/new-phoenix/configuration.nix
@@ -36,7 +36,7 @@ in {
 };
 users.users.user.openssh.authorizedKeys.keys = [
- sshKeys.new-new-phoenix.tasia
+ sshKeys.tasia.new-new-phoenix
 ];
 services.btrfs.autoScrub.fileSystems = lib.mkForce ["/" "/data"];
diff --git a/hosts/phoenix/configuration.nix b/hosts/phoenix/configuration.nix
index a4aff1e..168cd63 100644
--- a/hosts/phoenix/configuration.nix
+++ b/hosts/phoenix/configuration.nix
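Review bot: `sshKeys.tasia.phoenix` in hosts/enry/configuration.nix does not exist in the crypto/ssh-keys.nix rewritten by this same patch, whose `tasia` set holds only `new-new-phoenix`, so evaluating the enry host fails with a missing-attribute error (the old `sshKeys.phoenix.tasia` was equally undefined, so the rename keeps the breakage rather than fixing it). Either add the phoenix user key under `tasia` in ssh-keys.nix or drop the line; `sshKeys.user.phoenix` is the string `"null"`, not a key, and is no substitute. The user definition continues outside the hunk.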
@@ -48,7 +48,7 @@ in {
 };
 users.users.user.openssh.authorizedKeys.keys = [
- sshKeys.new-new-phoenix.tasia
+ sshKeys.tasia.new-new-phoenix
 ];
 services.btrfs.autoScrub.fileSystems = lib.mkForce ["/" "/data"];
diff --git a/hosts/stuff/configuration.nix b/hosts/stuff/configuration.nix
index bfcd21a..690900c 100644
--- a/hosts/stuff/configuration.nix
+++ b/hosts/stuff/configuration.nix
@@ -22,7 +22,7 @@ in {
 networking.hostName = "stuff";
 users.users.user.openssh.authorizedKeys.keys = [
- sshKeys.new-new-phoenix.tasia
+ sshKeys.tasia.new-new-phoenix
 ];
 environment.systemPackages = with pkgs; [
diff --git a/hosts/theseus/configuration.nix b/hosts/theseus/configuration.nix
index 0e7bbba..c7b344d 100644
--- a/hosts/theseus/configuration.nix
+++ b/hosts/theseus/configuration.nix
@@ -35,7 +35,7 @@ in {
 };
 users.users.user.openssh.authorizedKeys.keys = [
- sshKeys.new-new-phoenix.tasia
+ sshKeys.tasia.new-new-phoenix
 ];
 services.btrfs.autoScrub.fileSystems = lb.mkForce ["/" "/data"];