feat(ssh): Using SSH over the HTTPS port for GitHub, refactor ssh config (#187)

home/base/tui/ssh.nix

@@ -1,41 +1,37 @@
-{mysecrets, ...}: {
+{
+  config,
+  mysecrets,
+  ...
+}: {
   home.file.".ssh/romantic.pub".source = "${mysecrets}/public/romantic.pub";
 
   programs.ssh = {
     enable = true;
 
-    # All my ssh private key are generated by `ssh-keygen -t ed25519 -a 256 -C "xxx@xxx"`
-    # Config format:
-    #   Host —  given the pattern used to match against the host name given on the command line.
-    #   HostName — specify nickname or abbreviation for host
-    #   IdentityFile — the location of your SSH key authentication file for the account.
-    # Format in details:
-    #   https://www.ssh.com/academy/ssh/config
-    extraConfig = ''
-      # a private key that is used during authentication will be added to ssh-agent if it is running
-      AddKeysToAgent yes
+    # "a private key that is used during authentication will be added to ssh-agent if it is running"
+    addKeysToAgent = "yes";
+
+    matchBlocks = {
+      "github.com" = {
+        # "Using SSH over the HTTPS port for GitHub"
+        # "(port 22 is banned by some proxies / firewalls)"
+        hostname = "ssh.github.com";
+        port = 443;
+        user = "git";
 
-      Host 192.168.*
-        # allow to securely use local SSH agent to authenticate on the remote machine.
-        # It has the same effect as adding cli option `ssh -A user@host`
-        ForwardAgent yes
-        # romantic holds my homelab~
-        IdentityFile /etc/agenix/ssh-key-romantic
         # Specifies that ssh should only use the identity file explicitly configured above
         # required to prevent sending default identity files first.
-        IdentitiesOnly yes
+        identitiesOnly = true;
+      };
 
-      Host gtr5
-        HostName 192.168.5.172
-        Port 22
-
-      Host um560
-        HostName 192.168.5.173
-        Port 22
-
-      Host s500plus
-        HostName 192.168.5.174
-        Port 22
-    '';
+      "192.168.*" = {
+        # "allow to securely use local SSH agent to authenticate on the remote machine."
+        # "It has the same effect as adding cli option `ssh -A user@host`"
+        forwardAgent = true;
+        # "romantic holds my homelab~"
+        identityFile = "/etc/agenix/ssh-key-romantic";
+        identitiesOnly = true;
+      };
+    };
   };
 }

home/darwin/ssh.nix

@@ -1,3 +0,0 @@
-{myvars, ...}: {
-  programs.ssh.extraConfig = myvars.networking.ssh.extraConfig;
-}

hosts/12kingdoms-shoukei/home.nix

@@ -1,4 +1,6 @@
-{
+{config, ...}: let
+  hostName = "shoukei"; # Define your hostname.
+in {
   modules.desktop.hyprland = {
     nvidia = false;
     settings = {
@@ -11,16 +13,5 @@
     };
   };
 
-  programs.ssh = {
-    enable = true;
-    extraConfig = ''
-      Host github.com
-        Hostname github.com
-        # github is controlled by shoukei~
-        IdentityFile ~/.ssh/shoukei
-        # Specifies that ssh should only use the identity file explicitly configured above
-        # required to prevent sending default identity files first.
-        IdentitiesOnly yes
-    '';
-  };
+  programs.ssh.matchBlocks."github.com".identityFile = "${config.home.homeDirectory}/.ssh/${hostName}";
 }

hosts/darwin-fern/home.nix

@@ -1,14 +1,5 @@
-{
-  programs.ssh = {
-    enable = true;
-    extraConfig = ''
-      Host github.com
-        Hostname github.com
-        # github is controlled by fern~
-        IdentityFile ~/.ssh/fern
-        # Specifies that ssh should only use the identity file explicitly configured above
-        # required to prevent sending default identity files first.
-        IdentitiesOnly yes
-    '';
-  };
+{config, ...}: let
+  hostName = "fern";
+in {
+  programs.ssh.matchBlocks."github.com".identityFile = "${config.home.homeDirectory}/.ssh/${hostName}";
 }

hosts/darwin-frieren/home.nix

@@ -1,14 +1,5 @@
-{
-  programs.ssh = {
-    enable = true;
-    extraConfig = ''
-      Host github.com
-        Hostname github.com
-        # github is controlled by frieren~
-        IdentityFile ~/.ssh/frieren
-        # Specifies that ssh should only use the identity file explicitly configured above
-        # required to prevent sending default identity files first.
-        IdentitiesOnly yes
-    '';
-  };
+{config, ...}: let
+  hostName = "frieren";
+in {
+  programs.ssh.matchBlocks."github.com".identityFile = "${config.home.homeDirectory}/.ssh/${hostName}";
 }

hosts/darwin-harmonica/home.nix

@@ -1,14 +1,2 @@
 _: {
-  programs.ssh = {
-    enable = true;
-    extraConfig = ''
-      Host github.com
-        Hostname github.com
-        # github is controlled by harmonica~
-        IdentityFile ~/.ssh/harmonica
-        # Specifies that ssh should only use the identity file explicitly configured above
-        # required to prevent sending default identity files first.
-        IdentitiesOnly yes
-    '';
-  };
 }

hosts/idols-ai/home.nix

@@ -1,4 +1,6 @@
-{
+{config, ...}: let
+  hostName = "ai"; # Define your hostname.
+in {
   modules.desktop = {
     hyprland = {
       nvidia = true;
@@ -13,14 +15,5 @@
     };
   };
 
-  programs.ssh = {
-    enable = true;
-    extraConfig = ''
-      Host github.com
-          IdentityFile ~/.ssh/idols-ai
-          # Specifies that ssh should only use the identity file explicitly configured above
-          # required to prevent sending default identity files first.
-          IdentitiesOnly yes
-    '';
-  };
+  programs.ssh.matchBlocks."github.com".identityFile = "${config.home.homeDirectory}/.ssh/${hostName}";
 }

modules/base.nix

@@ -82,7 +82,7 @@
     #      ```
     #    2. Never leave the device and never sent over the network.
     # 2. Or just use hardware security keys like Yubikey/CanoKey.
-    openssh.authorizedKeys.keys = myvars.sshAuthorizedKeys;
+    openssh.authorizedKeys.keys = myvars.mainSshAuthorizedKeys;
   };
 
   nix.settings = {

modules/darwin/ssh.nix

@@ -0,0 +1,5 @@
+{myvars, ...}: {
+  services.openssh.enable = false;
+
+  programs.ssh = myvars.networking.ssh;
+}

modules/nixos/base/user-group.nix

@@ -39,7 +39,7 @@
 
   # root's ssh key are mainly used for remote deployment
   users.users.root = {
-    initialHashedPassword = config.users.users."${myvars.username}".initialHashedPassword;
-    openssh.authorizedKeys.keys = config.users.users."${myvars.username}".openssh.authorizedKeys.keys;
+    inherit (myvars) initialHashedPassword;
+    openssh.authorizedKeys.keys = myvars.mainSshAuthorizedKeys ++ myvars.secondaryAuthorizedKeys;
   };
 }

vars/default.nix

@@ -17,9 +17,12 @@
   #      ```
   #    2. Never leave the device and never sent over the network.
   # 2. Or just use hardware security keys like Yubikey/CanoKey.
-  sshAuthorizedKeys = [
+  mainSshAuthorizedKeys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIznBmtZlMcVUL+uPFltLTNa8Y1J0aT1E36AXQV07su ryan@fern"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc1PNTXzzvd93E+e9LXvnEzqgUI5gMTEF/IitvzgmL+ ryan@frieren"
   ];
+  secondaryAuthorizedKeys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzYT0Fpcp681eHY5FJV2G8Mve53iX3hMOLGbVvfL+TF ryan@romantic"
+  ];
 }

vars/networking.nix

@@ -156,29 +156,38 @@
   ssh = {
     # define the host alias for remote builders
     # this config will be written to /etc/ssh/ssh_config
-    # ''
-    #   Host ruby
-    #     HostName 192.168.5.102
-    #     Port 22
     #
-    #   Host kana
-    #     HostName 192.168.5.103
-    #     Port 22
-    #   ...
-    # '';
+    # Config format:
+    #   Host —  given the pattern used to match against the host name given on the command line.
+    #   HostName — specify nickname or abbreviation for host
+    #   IdentityFile — the location of your SSH key authentication file for the account.
+    # Format in details:
+    #   https://www.ssh.com/academy/ssh/config
     extraConfig =
-      lib.attrsets.foldlAttrs
-      (acc: host: val:
-        acc
-        + ''
-          Host ${host}
-            HostName ${val.ipv4}
-            Port 22
-        '')
-      ""
-      hostsAddr;
+      ''
+        Host gtr5
+          HostName 192.168.5.172
+          Port 22
+
+        Host um560
+          HostName 192.168.5.173
+          Port 22
+
+        Host s500plus
+          HostName 192.168.5.174
+          Port 22
+      ''
+      + (lib.attrsets.foldlAttrs
+        (acc: host: val:
+          acc
+          + ''
+            Host ${host}
+              HostName ${val.ipv4}
+              Port 22
+          '')
+        ""
+        hostsAddr);
 
-    # define the host key for remote builders so that nix can verify all the remote builders
     # this config will be written to /etc/ssh/ssh_known_hosts
     knownHosts =
       # Update only the values of the given attribute set.
@@ -189,13 +198,20 @@
       #     => { x = "bar-a"; y = "bar-b"; }
       lib.attrsets.mapAttrs
       (host: value: {
-        hostNames = [host hostsAddr.${host}.ipv4];
+        hostNames = [host] ++ (lib.optional (hostsAddr ? host) hostsAddr.${host}.ipv4);
         publicKey = value.publicKey;
       })
       {
+        # Define the root user's host key for remote builders, so that nix can verify all the remote builders
+
         aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEOXFhFu9Duzp6ZBE288gDZ6VLrNaeWL4kDrFUh9Neic root@aquamarine";
         # ruby.publicKey = "";
         # kana.publicKey = "";
+
+        # ==================================== Other SSH Service's Public Key =======================================
+
+        # https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
+        "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
       };
   };
 }