Nitrokey and SSH

known_hosts

@@ -0,0 +1,2 @@
+# 2023-07 yodaNas with Arch Linux
+[p1st.de]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASF7AJeGIkQG0erOJym8bHLBjRClkdPPCDNZAKOZ6S+

yodaTab/configuration.nix

@@ -187,6 +187,24 @@
     settings.PasswordAuthentication = false;
   };
 
+  # Use NitroKey USB smartcard with SSH.
+  # https://nixos.wiki/wiki/Nitrokey
+  #
+  # Restart gpg-agent after config change.
+  # Otherwise there might be a gpg error about "no pinentry".
+  # https://discourse.nixos.org/t/cant-get-gnupg-to-work-no-pinentry/15373/19
+  #
+  # Import public key of Nitrokey with GNOME "Passwords and Keys" and set trust to "Ultimate".
+  #
+  services.udev.packages = [ pkgs.nitrokey-udev-rules ];
+  programs = {
+    ssh.startAgent = false;
+    gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+  };
+
   nix.settings.auto-optimise-store = true;
 
   # Open ports in the firewall.

yodaTab/home-manager.nix

@@ -34,6 +34,21 @@ in
     #  defaultCacheTtl = 1800;
     #};
 
+    programs.ssh = {
+      enable = true;
+      userKnownHostsFile = "~/.ssh/known_hosts ${../known_hosts}";
+      matchBlocks = {
+        "nas" = {
+          hostname = "p1st.de";
+          user = "yoda";
+          port = 2222;
+          compression = true;
+          # TODO
+          #preferredAuthentication = "publickey";
+        };
+      };
+    };
+
 # TODO: See history.path below.
 #    xdg = {
 #      enable = true;