From 1231f94f710fd13728705ec1fac204f1da39abd3 Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Wed, 30 Aug 2023 19:23:13 +0200
Subject: [PATCH] Nitrokey and SSH

---
 known_hosts | 2 ++
 yodaTab/configuration.nix | 18 ++++++++++++++++++
 yodaTab/home-manager.nix | 15 +++++++++++++++
 3 files changed, 35 insertions(+)
 create mode 100644 known_hosts

diff --git a/known_hosts b/known_hosts
new file mode 100644
index 0000000..8ae4a0a
--- /dev/null
+++ b/known_hosts
@@ -0,0 +1,2 @@
+# 2023-07 yodaNas with Arch Linux
+[p1st.de]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASF7AJeGIkQG0erOJym8bHLBjRClkdPPCDNZAKOZ6S+
diff --git a/yodaTab/configuration.nix b/yodaTab/configuration.nix
index c2cadb1..bdaff90 100644
--- a/yodaTab/configuration.nix
+++ b/yodaTab/configuration.nix
@@ -187,6 +187,24 @@
     settings.PasswordAuthentication = false;
   };
 
+  # Use NitroKey USB smartcard with SSH.
+  # https://nixos.wiki/wiki/Nitrokey
+  #
+  # Restart gpg-agent after config change.
+  # Otherwise there might be a gpg error about "no pinentry".
+  # https://discourse.nixos.org/t/cant-get-gnupg-to-work-no-pinentry/15373/19
+  #
+  # Import public key of Nitrokey with GNOME "Passwords and Keys" and set trust to "Ultimate".
+  #
+  services.udev.packages = [ pkgs.nitrokey-udev-rules ];
+  programs = {
+    ssh.startAgent = false;
+    gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+  };
+
   nix.settings.auto-optimise-store = true;
 
   # Open ports in the firewall.
diff --git a/yodaTab/home-manager.nix b/yodaTab/home-manager.nix
index 83d24b1..bce4089 100644
--- a/yodaTab/home-manager.nix
+++ b/yodaTab/home-manager.nix
@@ -34,6 +34,21 @@ in
   # defaultCacheTtl = 1800;
   #};
 
+  programs.ssh = {
+    enable = true;
+    userKnownHostsFile = "~/.ssh/known_hosts ${../known_hosts}";
+    matchBlocks = {
+      "nas" = {
+        hostname = "p1st.de";
+        user = "yoda";
+        port = 2222;
+        compression = true;
+        # TODO
+        #preferredAuthentication = "publickey";
+      };
+    };
+  };
+
   # TODO: See history.path below.
   # xdg = {
   # enable = true;
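Review bot: The comment block above `programs.gnupg.agent` in the configuration.nix hunk describes a "no pinentry" failure as something to recover from by restarting the agent, but the new code does not configure a pinentry at all, so the smartcard SSH path depends on whatever pinentry gpg-agent happens to find at runtime. Since the same comment points the user at GNOME's "Passwords and Keys", pinning the pinentry explicitly — at the time of this commit the NixOS option is `programs.gnupg.agent.pinentryFlavor = "gnome3";` — should make the first PIN prompt work without the manual restart; verify the option name against the nixpkgs release this host tracks, as it has since been renamed. A one-line why-comment on `ssh.startAgent = false;`, e.g. `# gpg-agent, not ssh-agent, must own SSH_AUTH_SOCK for the smartcard keys to be offered`, would also stop a later reader from "fixing" it back to true. The enclosing module attrset begins and ends outside the hunk.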
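Review bot: The commented-out `#preferredAuthentication = "publickey";` in the `"nas"` match block of the home-manager.nix hunk is not a home-manager option name, and the ssh_config keyword it mirrors is `PreferredAuthentications` (plural); the TODO can be closed with `extraOptions = { PreferredAuthentications = "publickey"; };`, which makes the client fail fast instead of falling through to other authentication methods when the smartcard key is not offered. The `${../known_hosts}` interpolation in `userKnownHostsFile` copies the repo file into the Nix store at build time, so the pinned key for `[p1st.de]:2222` only changes on a rebuild; a short comment such as `# Pinned host key from the repo (copied to the store); update known_hosts and rebuild when the server key rotates.` would spare the next maintainer a host-key-mismatch surprise. The enclosing attrset continues outside the hunk.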