Mirror/nix-git
Mirror/nix-git
1
0
Fork 0
mirror of https://codeberg.org/privacy1st/nix-git synced 2024-11-22 22:09:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

refactor: merge into one file

Browse Source
This commit is contained in:
Daniel Langbein 2023-09-06 14:00:57 +02:00
parent 84292d706e
commit 03ab7b610b
4 changed files with 87 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/yodaTab/configuration.nix
View File

@ -17,7 +17,6 @@
../../modules/git.nix ../../modules/git.nix
../../modules/zsh.nix ../../modules/zsh.nix
../../modules/print-and-scan.nix ../../modules/print-and-scan.nix
../../modules/nitrokey-ssh-gpg.nix
../../modules/fde-ssh-unlock.nix ../../modules/fde-ssh-unlock.nix
../../modules/nextcloud-integration.nix ../../modules/nextcloud-integration.nix
]; ];

1
hosts/yodaTux/configuration.nix
View File

@ -17,7 +17,6 @@
../../modules/git.nix ../../modules/git.nix
../../modules/zsh.nix ../../modules/zsh.nix
../../modules/print-and-scan.nix ../../modules/print-and-scan.nix
../../modules/nitrokey-ssh-gpg.nix
../../modules/fde-ssh-unlock.nix ../../modules/fde-ssh-unlock.nix
../../modules/nextcloud-integration.nix ../../modules/nextcloud-integration.nix
]; ];

89
modules/nitrokey-ssh-gpg.home.nix
View File

@ -1,8 +1,94 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
home-manager.users.yoda = { osConfig, config, pkgs, ... }: { # Enable SSH server.
services.openssh = {
enable = true;
# Forbid root login through SSH.
settings.PermitRootLogin = "no";
# Use authorized keys only.
settings.PasswordAuthentication = false;
};
# Use NitroKey USB smartcard with SSH.
# https://nixos.wiki/wiki/Nitrokey
#
# Restart gpg-agent after config change.
# Otherwise there might be a gpg error about "no pinentry".
# https://discourse.nixos.org/t/cant-get-gnupg-to-work-no-pinentry/15373/19
# Not sure if this is needed: Reload udev rules.
# sudo -- udevadm control --reload-rules && udevadm trigger
#
# Not sure if this is needed:
# killall gpg-agent
# TODO: gpg-agent pinentry problem
# https://github.com/NixOS/nixpkgs/issues/97861
#
# gpgconf --check-programs
#=> gpgconf: error running '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/pinentry': probably not installed
#
# ssh -v nas
#=> OpenSSH_9.3p2, OpenSSL 3.0.10 1 Aug 2023
#=> debug1: Reading configuration data /home/yoda/.ssh/config
#=> debug1: /home/yoda/.ssh/config line 67: Applying options for nas
#=> debug1: /home/yoda/.ssh/config line 180: Applying options for *
#=> debug1: Reading configuration data /etc/ssh/ssh_config
#=> debug1: Executing command: '/nix/store/8fv91097mbh5049i9rglc73dx6kjg3qk-bash-5.2-p15/bin/bash -c '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1''
#
#=> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
#=> yoda 2752 0.0 0.0 444812 3040 ? SLsl 16:09 0:00 /nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/gpg-agent --supervised --pinentry-program /nix/store/8cvidvpwnwyxixlhqfaa5jlfndh2vir5-pinentry-1.2.1-curses/bin/pinentry
# NITROKEY SSH WORKAROUND (I): Do all of this in one shell!
# CREDITS: https://unix.stackexchange.com/a/250045/315162
#
# BEFORE: SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
# AFTER: SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
#
# systemctl --user stop gpg-agent
# systemctl --user stop gpg-agent.socket
# systemctl --user stop gpg-agent-ssh.socket
# ps -aux | grep -v grep | grep gpg-agent
# => NONE
# eval $(gpg-agent --daemon --pinentry-program /nix/store/8cvidvpwnwyxixlhqfaa5jlfndh2vir5-pinentry-1.2.1-curses/bin/pinentry --enable-ssh-support --sh)
# echo $SSH_AUTH_SOCK
#=> /run/user/1000/gnupg/S.gpg-agent.ssh
# gpg -d ./passphrase.txt.gpg
#=> Works!
# ssh nas
#=> Works!
# NITROKEY SSH WORKAROUND (II)
#
# export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
# ssh nas
#=> Works!
services.udev.packages = [ pkgs.nitrokey-udev-rules ];
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
# ... Also sets SSH_AUTH_SOCK environment variable correctly.
enableSSHSupport = true;
pinentryFlavor = "curses";
};
};
# users.users.yoda = {
# packages = with pkgs; [
# pinentry-curses
# ];
# };
# environment.systemPackages = with pkgs; [
# pinentry-curses
# ];
# Smartcard daemon.
services.pcscd.enable = true;
home-manager.users.yoda = { osConfig, config, pkgs, ... }: {
programs.ssh = { programs.ssh = {
enable = true; enable = true;
userKnownHostsFile = "~/.ssh/known_hosts ${../assets/ssh/known_hosts}"; userKnownHostsFile = "~/.ssh/known_hosts ${../assets/ssh/known_hosts}";
@ -18,6 +104,5 @@
}; };
}; };
}; };
}; };
} }

90
modules/nitrokey-ssh-gpg.nix
View File

@ -1,90 +0,0 @@
{ config, pkgs, ... }:
{
# Enable SSH server.
services.openssh = {
enable = true;
# Forbid root login through SSH.
settings.PermitRootLogin = "no";
# Use authorized keys only.
settings.PasswordAuthentication = false;
};
# Use NitroKey USB smartcard with SSH.
# https://nixos.wiki/wiki/Nitrokey
#
# Restart gpg-agent after config change.
# Otherwise there might be a gpg error about "no pinentry".
# https://discourse.nixos.org/t/cant-get-gnupg-to-work-no-pinentry/15373/19
# Not sure if this is needed: Reload udev rules.
# sudo -- udevadm control --reload-rules && udevadm trigger
#
# Not sure if this is needed:
# killall gpg-agent
# TODO: gpg-agent pinentry problem
# https://github.com/NixOS/nixpkgs/issues/97861
#
# gpgconf --check-programs
#=> gpgconf: error running '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/pinentry': probably not installed
#
# ssh -v nas
#=> OpenSSH_9.3p2, OpenSSL 3.0.10 1 Aug 2023
#=> debug1: Reading configuration data /home/yoda/.ssh/config
#=> debug1: /home/yoda/.ssh/config line 67: Applying options for nas
#=> debug1: /home/yoda/.ssh/config line 180: Applying options for *
#=> debug1: Reading configuration data /etc/ssh/ssh_config
#=> debug1: Executing command: '/nix/store/8fv91097mbh5049i9rglc73dx6kjg3qk-bash-5.2-p15/bin/bash -c '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1''
#
#=> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
#=> yoda 2752 0.0 0.0 444812 3040 ? SLsl 16:09 0:00 /nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/gpg-agent --supervised --pinentry-program /nix/store/8cvidvpwnwyxixlhqfaa5jlfndh2vir5-pinentry-1.2.1-curses/bin/pinentry
# NITROKEY SSH WORKAROUND (I): Do all of this in one shell!
# CREDITS: https://unix.stackexchange.com/a/250045/315162
#
# BEFORE: SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
# AFTER: SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
#
# systemctl --user stop gpg-agent
# systemctl --user stop gpg-agent.socket
# systemctl --user stop gpg-agent-ssh.socket
# ps -aux | grep -v grep | grep gpg-agent
# => NONE
# eval $(gpg-agent --daemon --pinentry-program /nix/store/8cvidvpwnwyxixlhqfaa5jlfndh2vir5-pinentry-1.2.1-curses/bin/pinentry --enable-ssh-support --sh)
# echo $SSH_AUTH_SOCK
#=> /run/user/1000/gnupg/S.gpg-agent.ssh
# gpg -d ./passphrase.txt.gpg
#=> Works!
# ssh nas
#=> Works!
# NITROKEY SSH WORKAROUND (II)
#
# export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
# ssh nas
#=> Works!
services.udev.packages = [ pkgs.nitrokey-udev-rules ];
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
# ... Also sets SSH_AUTH_SOCK environment variable correctly.
enableSSHSupport = true;
pinentryFlavor = "curses";
};
};
# users.users.yoda = {
# packages = with pkgs; [
# pinentry-curses
# ];
# };
# environment.systemPackages = with pkgs; [
# pinentry-curses
# ];
# Smartcard daemon.
services.pcscd.enable = true;
}