keys and stuff

This commit is contained in:
Tasia Iso 2024-04-26 15:06:55 +02:00
parent 11b6e16078
commit 7f8dc48a30
Signed by: tasiaiso
SSH key fingerprint: SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw
17 changed files with 274 additions and 62 deletions


@ -9,6 +9,7 @@
ll = "ls -al"; ll = "ls -al";
done = "curl -d 'Done' ntfy.sh/tasiaiso_done"; done = "curl -d 'Done' ntfy.sh/tasiaiso_done";
rebuild = "sudo nixos-rebuild switch -flake -I nixos-config=/home/tasia/Desktop/nixos-config"; # .#hostname rebuild = "sudo nixos-rebuild switch -flake -I nixos-config=/home/tasia/Desktop/nixos-config"; # .#hostname
"git ap" = "git add -p";
}; };
ohMyZsh = { ohMyZsh = {


@ -24,14 +24,13 @@
# Only allow SSH v2 # Only allow SSH v2
Protocol 2 Protocol 2
# Check file modes in /etc/ssh # Check file modes in /etc/ssh
StrictModes yes StrictModes yes
UsePrivilegeSeparation sandbox UsePrivilegeSeparation sandbox
PrintLastLog yes PrintLastLog yes
# Don't mess with environment variables # Don't allow clients to mess with environment variables
PermitUserEnvironment no PermitUserEnvironment no
# AcceptEnv # AcceptEnv
@ -45,22 +44,34 @@
''; '';
}; };
# needed for 2fa
security.pam.services = { security.pam.services = {
sshd.text = '' sshd.text = ''
# Check for the client's public key
account required pam_unix.so # unix (order 10900) account required pam_unix.so # unix (order 10900)
# Actually check for the 2FA code.
# "nullok": accept session if .google_authenticator doesn't exist
# "no_increment_hotp": make sure the counter isn't incremented for failed attempts.
auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so nullok no_increment_hotp # google_authenticator (order 12500) auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so nullok no_increment_hotp # google_authenticator (order 12500)
# If .google_authenticator isn't present, you can still let them through
auth sufficient pam_permit.so auth sufficient pam_permit.so
# Load the environment variables for the new ssh session
session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100) session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
# Logs when a user logins or leave the system.
session required pam_unix.so # unix (order 10200) session required pam_unix.so # unix (order 10200)
# Record user's login uid to the process attribute
session required pam_loginuid.so # loginuid (order 10300) session required pam_loginuid.so # loginuid (order 10300)
# Register user sessions in the systemd login manager
session optional ${pkgs.systemd}/lib/security/pam_systemd.so # systemd (order 12000) session optional ${pkgs.systemd}/lib/security/pam_systemd.so # systemd (order 12000)
''; '';
}; };
# CLI tool
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
google-authenticator google-authenticator
]; ];
} }
# ssh R6: StrictHostKeyChecking ask # ssh R6: StrictHostKeyChecking ask
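Review bot: The comment added above `account required pam_unix.so` (`# Check for the client's public key`) is inaccurate: pam_unix's account hook checks that the account is usable (not expired or locked), while SSH public keys are verified by sshd itself before the PAM stack runs. Suggest `# Check that the account is valid (not expired/locked); SSH public keys are verified by sshd, not by PAM`. The `# needed for 2fa` comment would also be more useful if it stated the two caveats this hunk does not show: with `nullok` any user without a `~/.google_authenticator` file gets no second factor at all, and the stack only matters if sshd is configured to use it (`UsePAM`, `KbdInteractiveAuthentication`, and `AuthenticationMethods "publickey,keyboard-interactive"` if key plus TOTP is the intent), which lives in the sshd config string that starts before this hunk.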


@ -1,18 +1,20 @@
rec { rec {
new-new-phoenix = { user = {
# host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXu/iFf6yhi6A0f6Lvp+wyltMHq1YgxZan5OdCKP9gE root@new-new-phoenix"; enry = "null";
# host-sha = "SHA256:hV3Kumt4I9Bt0/IAX3D9Y1kN93COAQFNSsAdiv9mpIg root@new-new-phoenix"; phoenix = "null";
tasia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@new-new-phoenix";
# tasia-sha = "SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix";
}; };
phoenix = { tasia = {
host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJTqExIIZuW9yvK7mgveNK8KDGKaRswrjj/nwVDwUdeL root@phoenix"; # host or user ? new-new-phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@new-new-phoenix";
user = "null";
}; };
enry = { host = {
host = "enry ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCPPE7U87PZ4+BQrdJtPuD/ibf9ubyPAqcRJe6Lpc2D"; # same enry = "enry ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCPPE7U87PZ4+BQrdJtPuD/ibf9ubyPAqcRJe6Lpc2D"; # same
user = "null"; phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJTqExIIZuW9yvK7mgveNK8KDGKaRswrjj/nwVDwUdeL root@phoenix"; # host or user ?
new-new-phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXu/iFf6yhi6A0f6Lvp+wyltMHq1YgxZan5OdCKP9gE root@new-new-phoenix";
}; };
} }
programs.ssh.knownHosts = {
"new-new-phoenix".publicKey = sshKeys.new-new-phoenix.host;
};
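Review bot: `user.enry = "null"` and `user.phoenix = "null"` are the string `"null"`, not Nix `null`, so a reference to either from an `openssh.authorizedKeys.keys` list evaluates cleanly and writes a junk `null` line into authorized_keys instead of failing at evaluation; `enry = null;` (or dropping the placeholders) makes such a misuse a build error. `host.enry` also still carries a leading `enry ` hostname inside the value, unlike the other two host entries, which makes it unusable as a bare public key (for example as `programs.ssh.knownHosts.<name>.publicKey`, which takes the key alone). The `programs.ssh.knownHosts` lines at the end reference `sshKeys.new-new-phoenix.host`, the pre-commit attribute path; under the new layout that is `sshKeys.host.new-new-phoenix`, assuming those lines are live code rather than a comment lost in rendering. The `# host or user ?` question on `host.phoenix` is best settled by comparing the value against the machine's host key file; the `root@phoenix` comment alone does not tell which it is.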


@ -1,10 +0,0 @@
export XDG_DATA_HOME="$HOME/.local/share"
if [[ -n $SSH_CONNECTION ]] ; then
curl \
-H "Title: New SSH session" \
-H "Priority: urgent" \
-H "Tags: urgent" \
-d "$(cat /etc/hostname ): ssh session ($SSH_CONNECTION)" \
ntfy.sh/tasiaiso_alerts &> /dev/null
fi


@ -1,11 +0,0 @@
export XDG_DATA_HOME="$HOME/.local/share"
if [[ -n $SSH_CONNECTION ]] ; then
curl \
-H "Title: New SSH session" \
-H "Priority: urgent" \
-H "Tags: urgent" \
-d "$(cat /etc/hostname ): ssh session ($SSH_CONNECTION)" \
ntfy.sh/tasiaiso_alerts &> /dev/null
fi


@ -1,5 +1,71 @@
{ {
"nodes": { "nodes": {
"flake-compat": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 57,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils-plus": {
"inputs": {
"flake-utils": "flake-utils"
},
"locked": {
"lastModified": 1696331477,
"narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
"type": "github"
},
"original": {
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -7,11 +73,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1713818326, "lastModified": 1714042918,
"narHash": "sha256-aw3xbVPJauLk/bbrlakIYxKpeuMWzA2feGrkIpIuXd8=", "narHash": "sha256-4AItZA3EQIiSNAxliuYEJumw/LaVfrMv84gYyrs0r3U=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "67de98ae6eed5ad6f91b1142356d71a87ba97f21", "rev": "0c5704eceefcb7bb238a958f532a86e3b59d76db",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -20,13 +86,84 @@
"type": "github" "type": "github"
} }
}, },
"nix-software-center": {
"inputs": {
"nixpkgs": "nixpkgs",
"utils": "utils"
},
"locked": {
"lastModified": 1703105285,
"narHash": "sha256-BHoW1RQMc2Auz8paBvTBriKv0F6FI99+3nnz/ELLawg=",
"owner": "snowfallorg",
"repo": "nix-software-center",
"rev": "68e87fb6e24fb3e6fe65449918d0cbda96622b65",
"type": "github"
},
"original": {
"owner": "snowfallorg",
"repo": "nix-software-center",
"type": "github"
}
},
"nixos-conf-editor": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_2",
"snowfall-lib": "snowfall-lib"
},
"locked": {
"lastModified": 1707338010,
"narHash": "sha256-UtLeZzDdk96sLTRcWsGrkWCslNUDytrGe0VmOTB/iig=",
"owner": "snowfallorg",
"repo": "nixos-conf-editor",
"rev": "27b5e92f580f794c690093503869aab242f075ab",
"type": "github"
},
"original": {
"owner": "snowfallorg",
"repo": "nixos-conf-editor",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1713714899, "lastModified": 1692638711,
"narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=", "narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "91a22f76cd1716f9d0149e8a5c68424bb691de15",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1698318101,
"narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6143fc5eeb9c4f00163267708e26191d1e918932", "rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1713895582,
"narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "572af610f6151fd41c212f897c71f7056e3fb518",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -39,18 +176,43 @@
"root": { "root": {
"inputs": { "inputs": {
"home-manager": "home-manager", "home-manager": "home-manager",
"nixpkgs": "nixpkgs", "nix-software-center": "nix-software-center",
"nixos-conf-editor": "nixos-conf-editor",
"nixpkgs": "nixpkgs_3",
"stable": "stable", "stable": "stable",
"unstable": "unstable" "unstable": "unstable"
} }
}, },
"snowfall-lib": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils-plus": "flake-utils-plus",
"nixpkgs": [
"nixos-conf-editor",
"nixpkgs"
]
},
"locked": {
"lastModified": 1696432959,
"narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=",
"owner": "snowfallorg",
"repo": "lib",
"rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6",
"type": "github"
},
"original": {
"owner": "snowfallorg",
"repo": "lib",
"type": "github"
}
},
"stable": { "stable": {
"locked": { "locked": {
"lastModified": 1713725259, "lastModified": 1713995372,
"narHash": "sha256-9ZR/Rbx5/Z/JZf5ehVNMoz/s5xjpP0a22tL6qNvLt5E=", "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a5e4bbcb4780c63c79c87d29ea409abf097de3f7", "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -60,13 +222,43 @@
"type": "github" "type": "github"
} }
}, },
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"unstable": { "unstable": {
"locked": { "locked": {
"lastModified": 1713714899, "lastModified": 1713895582,
"narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=", "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6143fc5eeb9c4f00163267708e26191d1e918932", "rev": "572af610f6151fd41c212f897c71f7056e3fb518",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -75,6 +267,24 @@
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
},
"utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1689068808,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@ -11,6 +11,9 @@
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-conf-editor.url = "github:snowfallorg/nixos-conf-editor";
nix-software-center.url = "github:snowfallorg/nix-software-center";
}; };
outputs = { outputs = {
@ -19,6 +22,8 @@
stable, stable,
unstable, unstable,
home-manager, home-manager,
nixos-conf-editor,
nix-software-center,
... ...
} @ inputs: let } @ inputs: let
inherit (self) outputs; inherit (self) outputs;
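Review bot: The two inputs added in the first hunk are declared without `inputs.nixpkgs.follows = "nixpkgs";`, unlike `home-manager` directly above them, so each pulls its own nixpkgs: the lock in this commit pins them to separate `nixpkgs` / `nixpkgs_2` entries with `lastModified` 1692638711 and 1698318101, months older than the root `nixpkgs_3`. Everything those two packages link against is then built from those stale trees and misses whatever fixes the system's nixpkgs has since received, and every rebuild evaluates two extra nixpkgs instances. Suggest `nixos-conf-editor = { url = "github:snowfallorg/nixos-conf-editor"; inputs.nixpkgs.follows = "nixpkgs"; };` and the same for `nix-software-center`, then confirming both still build, since the upstream flakes may depend on the older nixpkgs they pin. The `outputs` function continues past the second hunk.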


@ -12,8 +12,8 @@
home-manager.users.user = {pkgs, ...}: { home-manager.users.user = {pkgs, ...}: {
home.file = { home.file = {
".zshrc".source = ../../dotfiles/.zshrc; ".zshrc".source = ../../dotfiles/.shellrc;
".bashrc".source = ../../dotfiles/.bashrc; ".bashrc".source = ../../dotfiles/.shellrc;
# ".librewolf/librewolf.overrides.cfg".source = ../../dotfiles/librewolf.overrides.cfg; # ".librewolf/librewolf.overrides.cfg".source = ../../dotfiles/librewolf.overrides.cfg;
}; };
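Review bot: `.zshrc` and `.bashrc` are both pointed at `../../dotfiles/.shellrc`, but no file section in this commit adds that file (the 17 changed files are all accounted for), so unless it already exists in the tree every home-manager evaluation here fails with a missing-path error; the same change appears in the next three home-manager file sections. The deleted `.bashrc` and `.zshrc` carried the curl notification on `$SSH_CONNECTION`, so if `.shellrc` is meant to replace them, that SSH-login alert is lost unless it is carried over, and the shared file has to stay valid under both bash and zsh. If it is carried over, worth noting that the payload (hostname and the `$SSH_CONNECTION` addresses) goes to a public ntfy.sh topic, and that a scheme-less `ntfy.sh/...` URL makes curl default to plain http.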


@ -14,8 +14,8 @@
home-manager.users.user = {pkgs, ...}: { home-manager.users.user = {pkgs, ...}: {
home.file = { home.file = {
".zshrc".source = ../../dotfiles/.zshrc; ".zshrc".source = ../../dotfiles/.shellrc;
".bashrc".source = ../../dotfiles/.bashrc; ".bashrc".source = ../../dotfiles/.shellrc;
".librewolf/librewolf.overrides.cfg".source = ../../dotfiles/librewolf.overrides.cfg; ".librewolf/librewolf.overrides.cfg".source = ../../dotfiles/librewolf.overrides.cfg;
}; };


@ -14,8 +14,9 @@
home-manager.users.tasia = {pkgs, ...}: { home-manager.users.tasia = {pkgs, ...}: {
home.file = { home.file = {
".zshrc".source = ../../dotfiles/.zshrc; ".zshrc".source = ../../dotfiles/.shellrc;
".bashrc".source = ../../dotfiles/.bashrc; ".bashrc".source = ../../dotfiles/.shellrc;
# ".gitconfig".source = ../../dotfiles/.gitconfig;
".librewolf/librewolf.overrides.cfg".source = ../../dotfiles/librewolf.overrides.cfg; ".librewolf/librewolf.overrides.cfg".source = ../../dotfiles/librewolf.overrides.cfg;
}; };


@ -14,8 +14,8 @@
home-manager.users.user = {pkgs, ...}: { home-manager.users.user = {pkgs, ...}: {
home.file = { home.file = {
".zshrc".source = ../../dotfiles/.zshrc; ".zshrc".source = ../../dotfiles/.shellrc;
".bashrc".source = ../../dotfiles/.bashrc; ".bashrc".source = ../../dotfiles/.shellrc;
}; };
home.packages = with pkgs; [ home.packages = with pkgs; [


@ -24,8 +24,8 @@ in {
extraGroups = ["networkmanager" "wheel" "dialout"]; extraGroups = ["networkmanager" "wheel" "dialout"];
initialPassword = "correcthorsebatterystaple"; initialPassword = "correcthorsebatterystaple";
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
sshKeys.phoenix.tasia sshKeys.tasia.phoenix
sshKeys.new-new-phoenix.tasia sshKeys.tasia.new-new-phoenix
]; ];
}; };


@ -64,7 +64,7 @@ in {
}; };
users.users.tasia.openssh.authorizedKeys.keys = [ users.users.tasia.openssh.authorizedKeys.keys = [
sshKeys.new-new-phoenix.tasia sshKeys.tasia.new-new-phoenix
]; ];
services.btrfs.autoScrub.fileSystems = ["/"]; services.btrfs.autoScrub.fileSystems = ["/"];
@ -87,6 +87,9 @@ in {
tildefriends tildefriends
osu-lazer-bin osu-lazer-bin
inputs.nixos-conf-editor.packages.${system}.nixos-conf-editor
inputs.nix-software-center.packages.${system}.nix-software-center
]; ];
services.blueman.enable = true; services.blueman.enable = true;


@ -36,7 +36,7 @@ in {
}; };
users.users.user.openssh.authorizedKeys.keys = [ users.users.user.openssh.authorizedKeys.keys = [
sshKeys.new-new-phoenix.tasia sshKeys.tasia.new-new-phoenix
]; ];
services.btrfs.autoScrub.fileSystems = lib.mkForce ["/" "/data"]; services.btrfs.autoScrub.fileSystems = lib.mkForce ["/" "/data"];


@ -48,7 +48,7 @@ in {
}; };
users.users.user.openssh.authorizedKeys.keys = [ users.users.user.openssh.authorizedKeys.keys = [
sshKeys.new-new-phoenix.tasia sshKeys.tasia.new-new-phoenix
]; ];
services.btrfs.autoScrub.fileSystems = lib.mkForce ["/" "/data"]; services.btrfs.autoScrub.fileSystems = lib.mkForce ["/" "/data"];


@ -22,7 +22,7 @@ in {
networking.hostName = "stuff"; networking.hostName = "stuff";
users.users.user.openssh.authorizedKeys.keys = [ users.users.user.openssh.authorizedKeys.keys = [
sshKeys.new-new-phoenix.tasia sshKeys.tasia.new-new-phoenix
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [


@ -35,7 +35,7 @@ in {
}; };
users.users.user.openssh.authorizedKeys.keys = [ users.users.user.openssh.authorizedKeys.keys = [
sshKeys.new-new-phoenix.tasia sshKeys.tasia.new-new-phoenix
]; ];
services.btrfs.autoScrub.fileSystems = lb.mkForce ["/" "/data"]; services.btrfs.autoScrub.fileSystems = lb.mkForce ["/" "/data"];