diff --git a/home/base/tui/ssh.nix b/home/base/tui/ssh.nix
index 8316726d..e762b0e9 100644
--- a/home/base/tui/ssh.nix
+++ b/home/base/tui/ssh.nix
@@ -1,41 +1,37 @@ -{mysecrets, ...}: { +{ + config, + mysecrets, + ... +}: { home.file.".ssh/romantic.pub".source = "${mysecrets}/public/romantic.pub"; programs.ssh = { enable = true; - # All my ssh private key are generated by `ssh-keygen -t ed25519 -a 256 -C "xxx@xxx"` - # Config format: - # Host — given the pattern used to match against the host name given on the command line. - # HostName — specify nickname or abbreviation for host - # IdentityFile — the location of your SSH key authentication file for the account. - # Format in details: - # https://www.ssh.com/academy/ssh/config - extraConfig = '' - # a private key that is used during authentication will be added to ssh-agent if it is running - AddKeysToAgent yes + # "a private key that is used during authentication will be added to ssh-agent if it is running" + addKeysToAgent = "yes"; + + matchBlocks = { + "github.com" = { + # "Using SSH over the HTTPS port for GitHub" + # "(port 22 is banned by some proxies / firewalls)" + hostname = "ssh.github.com"; + port = 443; + user = "git"; - Host 192.168.* - # allow to securely use local SSH agent to authenticate on the remote machine. - # It has the same effect as adding cli option `ssh -A user@host` - ForwardAgent yes - # romantic holds my homelab~ - IdentityFile /etc/agenix/ssh-key-romantic # Specifies that ssh should only use the identity file explicitly configured above # required to prevent sending default identity files first. - IdentitiesOnly yes + identitiesOnly = true; + }; - Host gtr5 - HostName 192.168.5.172 - Port 22 - - Host um560 - HostName 192.168.5.173 - Port 22 - - Host s500plus - HostName 192.168.5.174 - Port 22 - ''; + "192.168.*" = { + # "allow to securely use local SSH agent to authenticate on the remote machine." + # "It has the same effect as adding cli option `ssh -A user@host`" + forwardAgent = true; + # "romantic holds my homelab~" + identityFile = "/etc/agenix/ssh-key-romantic"; + identitiesOnly = true; + }; + }; }; } 
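Review bot: `forwardAgent = true` under the `"192.168.*"` key applies to any destination typed as a 192.168.x.y address, not only the homelab, because a `Host` pattern matches the name given on the command line; on another private network the same pattern forwards the agent to unrelated machines. Keying the block on the three machines this commit aliases in `vars/networking.nix`, e.g. `"192.168.5.172 192.168.5.173 192.168.5.174" = { … }` (a `Host` line accepts several patterns), confines forwarding to those hosts, and loading the key with `ssh-add -c` makes each remote use of it ask for local confirmation. The identity this block forwards, `/etc/agenix/ssh-key-romantic`, appears to be the key that `modules/nixos/base/user-group.nix` in this commit adds to root's authorized keys, which makes the breadth of this pattern more consequential than the quoted comments convey; a comment stating that trade-off next to `forwardAgent` would help the next reader.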
diff --git a/home/darwin/ssh.nix b/home/darwin/ssh.nix deleted file mode 100644 index a967e44e..00000000 --- a/home/darwin/ssh.nix +++ /dev/null @@ -1,3 +0,0 @@ -{myvars, ...}: { - programs.ssh.extraConfig = myvars.networking.ssh.extraConfig; -} diff --git a/hosts/12kingdoms-shoukei/home.nix b/hosts/12kingdoms-shoukei/home.nix index 7c20b369..78cb4ced 100644 --- a/hosts/12kingdoms-shoukei/home.nix +++ b/hosts/12kingdoms-shoukei/home.nix @@ -1,4 +1,6 @@ -{ +{config, ...}: let + hostName = "shoukei"; # Define your hostname. +in { modules.desktop.hyprland = { nvidia = false; settings = { @@ -11,16 +13,5 @@ }; }; - programs.ssh = { - enable = true; - extraConfig = '' - Host github.com - Hostname github.com - # github is controlled by shoukei~ - IdentityFile ~/.ssh/shoukei - # Specifies that ssh should only use the identity file explicitly configured above - # required to prevent sending default identity files first. - IdentitiesOnly yes - ''; - }; + programs.ssh.matchBlocks."github.com".identityFile = "${config.home.homeDirectory}/.ssh/${hostName}"; } diff --git a/hosts/darwin-fern/home.nix b/hosts/darwin-fern/home.nix index 57e85c0a..fce72149 100644 --- a/hosts/darwin-fern/home.nix +++ b/hosts/darwin-fern/home.nix @@ -1,14 +1,5 @@ -{ - programs.ssh = { - enable = true; - extraConfig = '' - Host github.com - Hostname github.com - # github is controlled by fern~ - IdentityFile ~/.ssh/fern - # Specifies that ssh should only use the identity file explicitly configured above - # required to prevent sending default identity files first. - IdentitiesOnly yes - ''; - }; +{config, ...}: let + hostName = "fern"; +in { + programs.ssh.matchBlocks."github.com".identityFile = "${config.home.homeDirectory}/.ssh/${hostName}"; } diff --git a/hosts/darwin-frieren/home.nix b/hosts/darwin-frieren/home.nix index fd84ef99..88b7b8c2 100644 --- a/hosts/darwin-frieren/home.nix +++ b/hosts/darwin-frieren/home.nix 
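Review bot: `hostName = "shoukei"; # Define your hostname.` carries the NixOS-template comment, but the binding's only use here is choosing which private key `matchBlocks."github.com".identityFile` points at, so `# name of this host's GitHub key file under ~/.ssh` would say what it is for. The same let/in plus one-line override is repeated in hosts/darwin-fern/home.nix (this line) and in hosts/darwin-frieren/home.nix and hosts/idols-ai/home.nix (next line); a single option in home/base/tui/ssh.nix fed with the host name would replace the four copies and keep the GitHub key path in one place. Each of these files also dropped `programs.ssh.enable = true`, so the client config now exists only if the host imports the base module, which is presumably the case for all of them.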
@@ -1,14 +1,5 @@ -{ - programs.ssh = { - enable = true; - extraConfig = '' - Host github.com - Hostname github.com - # github is controlled by frieren~ - IdentityFile ~/.ssh/frieren - # Specifies that ssh should only use the identity file explicitly configured above - # required to prevent sending default identity files first. - IdentitiesOnly yes - ''; - }; +{config, ...}: let + hostName = "frieren"; +in { + programs.ssh.matchBlocks."github.com".identityFile = "${config.home.homeDirectory}/.ssh/${hostName}"; } diff --git a/hosts/darwin-harmonica/home.nix b/hosts/darwin-harmonica/home.nix index 0e311de0..87a13d7f 100644 --- a/hosts/darwin-harmonica/home.nix +++ b/hosts/darwin-harmonica/home.nix @@ -1,14 +1,2 @@ _: { - programs.ssh = { - enable = true; - extraConfig = '' - Host github.com - Hostname github.com - # github is controlled by harmonica~ - IdentityFile ~/.ssh/harmonica - # Specifies that ssh should only use the identity file explicitly configured above - # required to prevent sending default identity files first. - IdentitiesOnly yes - ''; - }; } diff --git a/hosts/idols-ai/home.nix b/hosts/idols-ai/home.nix index 1ed62c6c..06edb8ab 100644 --- a/hosts/idols-ai/home.nix +++ b/hosts/idols-ai/home.nix @@ -1,4 +1,6 @@ -{ +{config, ...}: let + hostName = "ai"; # Define your hostname. +in { modules.desktop = { hyprland = { nvidia = true; @@ -13,14 +15,5 @@ }; }; - programs.ssh = { - enable = true; - extraConfig = '' - Host github.com - IdentityFile ~/.ssh/idols-ai - # Specifies that ssh should only use the identity file explicitly configured above - # required to prevent sending default identity files first. - IdentitiesOnly yes - ''; - }; + programs.ssh.matchBlocks."github.com".identityFile = "${config.home.homeDirectory}/.ssh/${hostName}"; } diff --git a/modules/base.nix b/modules/base.nix index 367cc912..a4674e95 100644 --- a/modules/base.nix +++ b/modules/base.nix 
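Review bot: The identity for idols-ai moves from `~/.ssh/idols-ai` to `${config.home.homeDirectory}/.ssh/ai` because `hostName = "ai"` drops the `idols-` prefix, and the `identitiesOnly = true` set for `github.com` in home/base/tui/ssh.nix means ssh offers only that (now possibly absent) file to GitHub instead of falling back to other keys. Either rename the key file on that machine or use `hostName = "idols-ai";` so the path keeps matching the existing key, and record the coupling in the comment, e.g. `# must match the key file name under ~/.ssh`. The enclosing attribute set of the second hunk continues outside the hunk.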
@@ -82,7 +82,7 @@ # ``` # 2. Never leave the device and never sent over the network. # 2. Or just use hardware security keys like Yubikey/CanoKey. - openssh.authorizedKeys.keys = myvars.sshAuthorizedKeys; + openssh.authorizedKeys.keys = myvars.mainSshAuthorizedKeys; }; nix.settings = { diff --git a/modules/darwin/ssh.nix b/modules/darwin/ssh.nix new file mode 100644 index 00000000..dabf42c7 --- /dev/null +++ b/modules/darwin/ssh.nix @@ -0,0 +1,5 @@ +{myvars, ...}: { + services.openssh.enable = false; + + programs.ssh = myvars.networking.ssh; +} diff --git a/modules/nixos/base/user-group.nix b/modules/nixos/base/user-group.nix index 216000df..55ee7e3a 100644 --- a/modules/nixos/base/user-group.nix +++ b/modules/nixos/base/user-group.nix @@ -39,7 +39,7 @@ # root's ssh key are mainly used for remote deployment users.users.root = { - initialHashedPassword = config.users.users."${myvars.username}".initialHashedPassword; - openssh.authorizedKeys.keys = config.users.users."${myvars.username}".openssh.authorizedKeys.keys; + inherit (myvars) initialHashedPassword; + openssh.authorizedKeys.keys = myvars.mainSshAuthorizedKeys ++ myvars.secondaryAuthorizedKeys; }; } diff --git a/vars/default.nix b/vars/default.nix index 272676ca..1f4a593a 100644 --- a/vars/default.nix +++ b/vars/default.nix @@ -17,9 +17,12 @@ # ``` # 2. Never leave the device and never sent over the network. # 2. Or just use hardware security keys like Yubikey/CanoKey. - sshAuthorizedKeys = [ + mainSshAuthorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIznBmtZlMcVUL+uPFltLTNa8Y1J0aT1E36AXQV07su ryan@fern" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc1PNTXzzvd93E+e9LXvnEzqgUI5gMTEF/IitvzgmL+ ryan@frieren" ]; + secondaryAuthorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzYT0Fpcp681eHY5FJV2G8Mve53iX3hMOLGbVvfL+TF ryan@romantic" + ]; } 
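Review bot: `openssh.authorizedKeys.keys = myvars.mainSshAuthorizedKeys ++ myvars.secondaryAuthorizedKeys;` lets the `ryan@romantic` key from the new `secondaryAuthorizedKeys` list in vars/default.nix (same line) log in as root on every NixOS host, while the ordinary user in modules/base.nix keeps only `mainSshAuthorizedKeys`, so root now accepts a wider key set than the user account; the comment above says root is for remote deployment, and a line such as `# secondary keys: deployment from romantic only — deliberately not granted to the user account` would record that decision. home/base/tui/ssh.nix in this commit uses what appears to be the matching private key, `/etc/agenix/ssh-key-romantic`, for every `192.168.*` host with agent forwarding, so a forwarded agent on any of those machines can also authenticate as root elsewhere; if the key is only needed from romantic, prefixing the entry with `from="<romantic ipv4 from hostsAddr>"` or `restrict` in the authorized_keys string keeps it usable only from there. Whether sshd accepts root logins at all is governed by `PermitRootLogin`, which is configured outside this diff.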
diff --git a/vars/networking.nix b/vars/networking.nix index f4b4e6e5..8819e4b1 100644 --- a/vars/networking.nix +++ b/vars/networking.nix @@ -156,29 +156,38 @@ ssh = { # define the host alias for remote builders # this config will be written to /etc/ssh/ssh_config - # '' - # Host ruby - # HostName 192.168.5.102 - # Port 22 # - # Host kana - # HostName 192.168.5.103 - # Port 22 - # ... - # ''; + # Config format: + # Host — given the pattern used to match against the host name given on the command line. + # HostName — specify nickname or abbreviation for host + # IdentityFile — the location of your SSH key authentication file for the account. + # Format in details: + # https://www.ssh.com/academy/ssh/config extraConfig = - lib.attrsets.foldlAttrs - (acc: host: val: - acc - + '' - Host ${host} - HostName ${val.ipv4} - Port 22 - '') - "" - hostsAddr; + '' + Host gtr5 + HostName 192.168.5.172 + Port 22 + + Host um560 + HostName 192.168.5.173 + Port 22 + + Host s500plus + HostName 192.168.5.174 + Port 22 + '' + + (lib.attrsets.foldlAttrs + (acc: host: val: + acc + + '' + Host ${host} + HostName ${val.ipv4} + Port 22 + '') + "" + hostsAddr); - # define the host key for remote builders so that nix can verify all the remote builders # this config will be written to /etc/ssh/ssh_known_hosts knownHosts = # Update only the values of the given attribute set. 
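Review bot: The literal `Host gtr5`/`Host um560`/`Host s500plus` blocks prepended to `extraConfig` repeat by hand the exact text the `lib.attrsets.foldlAttrs` right after them generates from `hostsAddr`; if those three machines were added to `hostsAddr` (the fold reads only `.ipv4`, though the set's full shape is defined outside this hunk) the string literal goes away and they become candidates for a `knownHosts` entry through the same lookup the next hunk uses. As written, `gtr5`, `um560` and `s500plus` get an alias in `/etc/ssh/ssh_config` but no pinned host key, unlike the builders, so first contact with them still depends on the interactive fingerprint prompt. These aliases were previously per-user (home/base/tui/ssh.nix, first hunk); making them system-wide is presumably intended for the root-run remote builds the comment mentions, which is worth stating in the comment.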
@@ -189,13 +198,20 @@ # => { x = "bar-a"; y = "bar-b"; } lib.attrsets.mapAttrs (host: value: { - hostNames = [host hostsAddr.${host}.ipv4]; + hostNames = [host] ++ (lib.optional (hostsAddr ? host) hostsAddr.${host}.ipv4); publicKey = value.publicKey; }) { + # Define the root user's host key for remote builders, so that nix can verify all the remote builders + aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEOXFhFu9Duzp6ZBE288gDZ6VLrNaeWL4kDrFUh9Neic root@aquamarine"; # ruby.publicKey = ""; # kana.publicKey = ""; + + # ==================================== Other SSH Service's Public Key ======================================= + + # https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints + "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"; }; }; }
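Review bot: `hostNames = [host] ++ (lib.optional (hostsAddr ? host) hostsAddr.${host}.ipv4);` never includes the IP, because the right side of `?` in Nix is an attribute path, so `hostsAddr ? host` asks whether `hostsAddr` has an attribute literally named `host`, not the one named by the variable; `lib.optional` is lazy, so nothing fails and every `knownHosts` entry silently shrinks to its alias. Since OpenSSH looks the key up under the resolved `HostName` (the IP for the builders), the pin in `publicKey` is no longer consulted for `ssh ruby`-style connections; the fix is `lib.optional (hostsAddr ? ${host}) hostsAddr.${host}.ipv4` (or `builtins.hasAttr host hostsAddr`). The new `"github.com".publicKey` has the same lookup problem from the other direction: home/base/tui/ssh.nix (first hunk) connects with `hostname = "ssh.github.com"` and `port = 443`, which ssh looks up as `[ssh.github.com]:443`, not `github.com`; either let entries contribute names, e.g. `hostNames = [host] ++ (value.hostNames or []) ++ …` with `hostNames = ["[ssh.github.com]:443"]` on the github.com entry, or set `extraOptions.HostKeyAlias = "github.com";` in that match block so the lookup uses the alias.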