refactor nitrokey ssh

2024-11-21 22:03:19 +01:00 · 2023-08-31 13:25:06 +02:00 · 2023-08-31 13:25:06 +02:00 · 441a8bba33
commit 441a8bba33
parent 2cb56b413c
1 changed files with 34 additions and 0 deletions
--- a/yodaTab/nitrokey-ssh-gpg.nix
+++ b/yodaTab/nitrokey-ssh-gpg.nix
@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+
+{
+  # Enable SSH server.
+  services.openssh = {
+    enable = true;
+    # Forbid root login through SSH.
+    settings.PermitRootLogin = "no";
+    # Use authorized keys only.
+    settings.PasswordAuthentication = false;
+  };
+
+  # Use NitroKey USB smartcard with SSH.
+  # https://nixos.wiki/wiki/Nitrokey
+  #
+  # Restart gpg-agent after config change.
+  # Otherwise there might be a gpg error about "no pinentry".
+  # https://discourse.nixos.org/t/cant-get-gnupg-to-work-no-pinentry/15373/19
+  #
+  # Not sure if this is needed: Reload udev rules.
+  # sudo -- udevadm control --reload-rules && udevadm trigger
+  #
+  services.udev.packages = [ pkgs.nitrokey-udev-rules ];
+  programs = {
+    ssh.startAgent = false;
+    gnupg.agent = {
+      enable = true;
+      # ... Also sets SSH_AUTH_SOCK environment variable correctly.
+      enableSSHSupport = true;
+    };
+  };
+  # Smartcard daemon.
+  services.pcscd.enable = true;
+}