starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-03-21 17:09:46 +01:00
Code Issues Packages Projects Releases 10 Wiki Activity

feat: security - gnupg & openssh's KDF

Browse Source
This commit is contained in:
Ryan Yin
2024-01-26 12:38:13 +08:00
parent ec5ef05983
commit ecc335b07e
12 changed files with 155 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
modules/base.nix
View File

@@ -12,9 +12,20 @@
users.users.${username} = {
description = userfullname;
# Public Keys that can be used to login to all my PCs, Macbooks, and servers.
#
# Since its authority is so large, we must strengthen its security:
# 1. The corresponding private key must be:
# 1. Generated locally on every trusted client via:
# ```bash
# # KDF: bcrypt with 256 rounds, takes 2s on Apple M2):
# # Passphrase: digits + letters + symbols, 12+ chars
# ssh-keygen -t ed25519 -a 256 -C "ryan@xxx" -f ~/.ssh/xxx`
# ```
# 2. Never leave the device and never sent over the network.
# 2. Or just use hardware security keys like Yubikey/CanoKey.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiipi59EnVbi6bK1bGrcbfEM263wgdNfbrt6VBC1rHx ryan@ai-idols"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSfp/hvegbK04HykWvoY1EbDW+vXu1AlCjVivWE2ZeR ryan@shoukei"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE400EbKY1D9zfevk17AaPTtQ8dxJvCS5Zec+8aleLY4 ryan@fern"
];
};

6
modules/nixos/server.nix
View File

@@ -1,6 +0,0 @@
{
imports = [
./base
../base.nix
];
}

0
modules/nixos/proxmox-hardware-configuration.nix → modules/nixos/server/proxmox-hardware-configuration.nix
View File

7
modules/nixos/server/security.nix Normal file
View File

@@ -0,0 +1,7 @@
{username, ...}: {
# Public Keys that can be used to login to all my servers.
users.users.${username}.openssh.authorizedKeys.keys = [
# TODO update keys here
"ssh-ed25519 xxx ryan@romantic"
];
}

10
modules/nixos/server-riscv64.nix → modules/nixos/server/server-riscv64.nix
View File

@@ -4,11 +4,13 @@
# =========================================================================
imports = [
./base/i18n.nix
./base/misc.nix
./base/user-group.nix
../base/i18n.nix
../base/misc.nix
../base/user-group.nix
../base.nix
../../base.nix
./security.nix
];
# List packages installed in system profile. To search, run:

8
modules/nixos/server/server.nix Normal file
View File

@@ -0,0 +1,8 @@
{
imports = [
../base
../../base.nix
./security.nix
];
}