Mirror/nix-git
Mirror/nix-git
1
0
Fork 0
mirror of https://codeberg.org/privacy1st/nix-git synced 2024-11-22 22:09:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
9943aec1af
nix-git/modules/nitrokey-ssh-gpg.nix
Daniel Langbein 9943aec1af
refactor
2023-09-07 22:15:58 +02:00

139 lines
4.4 KiB
Nix
Raw Blame History

{ config, pkgs, ... }:
{
# Enable SSH server.
services.openssh = {
enable = true;
# Forbid root login through SSH.
settings.PermitRootLogin = "no";
# Use authorized keys only.
settings.PasswordAuthentication = false;
};
# Use NitroKey USB smartcard with SSH.
# https://nixos.wiki/wiki/Nitrokey
#
# Restart gpg-agent after config change.
# Otherwise there might be a gpg error about "no pinentry".
# https://discourse.nixos.org/t/cant-get-gnupg-to-work-no-pinentry/15373/19
# Not sure if this is needed: Reload udev rules.
# sudo -- udevadm control --reload-rules && udevadm trigger
#
# Not sure if this is needed:
# killall gpg-agent
# TODO: gpg-agent pinentry problem
# https://github.com/NixOS/nixpkgs/issues/97861
#
# gpgconf --check-programs
#=> gpgconf: error running '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/pinentry': probably not installed
#
# ssh -v nas
#=> OpenSSH_9.3p2, OpenSSL 3.0.10 1 Aug 2023
#=> debug1: Reading configuration data /home/yoda/.ssh/config
#=> debug1: /home/yoda/.ssh/config line 67: Applying options for nas
#=> debug1: /home/yoda/.ssh/config line 180: Applying options for *
#=> debug1: Reading configuration data /etc/ssh/ssh_config
#=> debug1: Executing command: '/nix/store/8fv91097mbh5049i9rglc73dx6kjg3qk-bash-5.2-p15/bin/bash -c '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1''
#
#=> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
#=> yoda 2752 0.0 0.0 444812 3040 ? SLsl 16:09 0:00 /nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/gpg-agent --supervised --pinentry-program /nix/store/8cvidvpwnwyxixlhqfaa5jlfndh2vir5-pinentry-1.2.1-curses/bin/pinentry
# NITROKEY SSH WORKAROUND (I): Do all of this in one shell!
# CREDITS: https://unix.stackexchange.com/a/250045/315162
#
# BEFORE: SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
# AFTER: SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
#
# systemctl --user stop gpg-agent
# systemctl --user stop gpg-agent.socket
# systemctl --user stop gpg-agent-ssh.socket
# ps -aux | grep -v grep | grep gpg-agent
# => NONE
# eval $(gpg-agent --daemon --pinentry-program /nix/store/8cvidvpwnwyxixlhqfaa5jlfndh2vir5-pinentry-1.2.1-curses/bin/pinentry --enable-ssh-support --sh)
# echo $SSH_AUTH_SOCK
#=> /run/user/1000/gnupg/S.gpg-agent.ssh
# gpg -d ./passphrase.txt.gpg
#=> Works!
# ssh nas
#=> Works!
# NITROKEY SSH WORKAROUND (II)
#
# export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
# ssh nas
#=> Works!
# TODO: What is the difference between programs.gnupg.agent.enableSSHSupport and
# services.gpg-agent.enableSshSupport = true;
services.udev.packages = [ pkgs.nitrokey-udev-rules ];
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
# ... Also sets SSH_AUTH_SOCK environment variable correctly.
enableSSHSupport = true;
pinentryFlavor = "curses";
};
};
# users.users.yoda = {
# packages = with pkgs; [
# pinentry-curses
# ];
# };
# environment.systemPackages = with pkgs; [
# pinentry-curses
# ];
# Smartcard daemon.
services.pcscd.enable = true;
home-manager.users.yoda = { osConfig, config, pkgs, ... }: {
# SSH configuration.
programs.ssh = {
enable = true;
userKnownHostsFile = "~/.ssh/known_hosts ${../assets/ssh/known_hosts}";
matchBlocks = {
"nas" = {
hostname = "p1st.de";
user = "yoda";
port = 2222;
compression = true;
#identityFile = "pubkey_nitrokey_ssh.pub";
#identitiesOnly = true;
};
};
};
# GnuPG configuration.
# Examples:
# https://github.com/ioerror/duraconf
# https://gist.github.com/graffen/37eaa2332ee7e584bfda
programs.gpg = {
enable = true;
settings = {
# Display long key IDs
keyid-format = "0xlong";
# List all keys (or the specified ones) along with their fingerprints
with-fingerprint = true;
# Display the calculated validity of user IDs during key listings.
list-options = "show-uid-validity";
verify-options = "show-uid-validity";
};
publicKeys = [
{
source = "${../assets/gpg/pubkey_nitrokey.asc}";
# ultimate
trust = 5;
}
];
};
};
}
Reference in New Issue View Git Blame Copy Permalink