From 026f413e7ba7b6da811ceffce03fba7244ab764e Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Thu, 12 Mar 2026 13:22:40 -0500
Subject: [PATCH] started SSH certs
---
 modules/hosts/test-nix.nix | 9 +++++----
 modules/programs/step-client.nix | 8 ++++++++
 modules/programs/sudo.nix | 17 ++---------------
 modules/services/ssh.nix | 27 ++++++++++++++++++---------
 4 files changed, 33 insertions(+), 28 deletions(-)
diff --git a/modules/hosts/test-nix.nix b/modules/hosts/test-nix.nix
index 75113a9..e064547 100644
--- a/modules/hosts/test-nix.nix
+++ b/modules/hosts/test-nix.nix
@@ -19,18 +19,19 @@ in
 inputs.home-manager.nixosModules.home-manager
 nixos."${username}"
 nixos.lxc
- nixos.sudo
+ # nixos.sudo
 nixos.zsh
 nixos.docker
+ nixos.step-client
 {
 users.users."${username}" = {
 extraGroups = [ "docker" ];
 };
 home-manager.users."${username}" = {
- imports = with inputs.self.modules.homeManager; [
- step-client
- ];
+ # imports = with inputs.self.modules.homeManager; [
+ # step-client
+ # ];
 shell.program = "zsh";
 docker.enable = true;
 ssh.matchSets = {
diff --git a/modules/programs/step-client.nix b/modules/programs/step-client.nix
index dbbc200..6e6d63b 100644
--- a/modules/programs/step-client.nix
+++ b/modules/programs/step-client.nix
@@ -1,5 +1,13 @@
 { inputs, ... }: {
+ flake.modules.nixos.step-client = { pkgs, config, ... }: {
+ imports = with inputs.self.modules.nixos; [ ssh ];
+ ssh.certificates = true;
+ home-manager.sharedModules = with inputs.self.modules; [
+ homeManager.step-client
+ ];
+ };
+
 flake.modules.homeManager.step-client = { pkgs, ... }: {
 home.packages = with pkgs; [
 step-cli
diff --git a/modules/programs/sudo.nix b/modules/programs/sudo.nix
index ecbbe54..535f4d6 100644
--- a/modules/programs/sudo.nix
+++ b/modules/programs/sudo.nix
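Review bot: The two commented-out blocks in this hunk, `# nixos.sudo` and the three `# imports = with inputs.self.modules.homeManager; [ … ];` lines under `home-manager.users."${username}"`, are dead code left in a host definition rather than configuration. The `nixos.step-client` module added in the same patch already brings `homeManager.step-client` in through `home-manager.sharedModules`, so the commented import block can simply be deleted. For `nixos.sudo`, either keep it in the list or remove the line with a short comment stating why this host no longer gets the sudo module, since a commented entry leaves the host's intended privilege setup ambiguous.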
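Review bot: `flake.modules.nixos.step-client = { pkgs, config, ... }: {` declares `pkgs` and `config` but the module body uses neither, so the signature can shrink to `{ ... }: {`. The module also changes the host's SSH trust configuration (it sets `ssh.certificates = true;`), which its name does not convey; a header comment such as `# Host-side step client: turns on SSH certificate trust (ssh.certificates) and installs the home-manager step-client module` would make that visible to anyone importing it.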
@@ -3,27 +3,14 @@
 security.sudo = {
 enable = true;
 extraRules = [{
+ groups = [ "wheel" ];
 commands = [
 {
- command = "${pkgs.systemd}/bin/systemctl suspend";
- options = [ "NOPASSWD" ];
- }
- {
- command = "${pkgs.systemd}/bin/reboot";
- options = [ "NOPASSWD" ];
- }
- {
- command = "${pkgs.systemd}/bin/poweroff";
+ command = "ALL";
 options = [ "NOPASSWD" ];
 }
 ];
- groups = [ "wheel" ];
 }];
- extraConfig = with pkgs; ''
- Defaults:picloud secure_path="${lib.makeBinPath [
- systemd
- ]}:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
- '';
 };
 };
 }
\ No newline at end of file
diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
index cf1e858..b2a911f 100644
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@@ -3,17 +3,26 @@
 let
 userName = "john";
 in {
- flake.modules.nixos.ssh = {
- services.openssh = {
- enable = true;
- # require public key authentication for better security
- settings.PasswordAuthentication = false;
- settings.KbdInteractiveAuthentication = false;
+ flake.modules.nixos.ssh = { pkgs, config, lib, ... }: {
+ options = {
+ ssh.certificates = lib.mkEnableOption "Enable SSH certificates";
 };
- home-manager.sharedModules = with inputs.self.modules.homeManager; [
- ssh
- ];
+ config = {
+ services.openssh = {
+ enable = true;
+ # require public key authentication for better security
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ };
+
+ programs.ssh.knownHosts = lib.mkIf config.ssh.certificates {
+ "192.168.1.*" = {
+ certAuthority = true;
+ publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";
+ };
+ };
+ };
 };
 flake.modules.homeManager.ssh = { pkgs, config, lib, ... }:
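Review bot: `command = "ALL";` combined with the retained `options = [ "NOPASSWD" ];` replaces three narrowly scoped passwordless commands with unrestricted passwordless root for every member of `wheel`, a major widening of the host's privilege boundary that the commit subject ("started SSH certs") does not mention. If passwordless wheel is really intended, it is clearer to state it with the stock option `security.sudo.wheelNeedsPassword = false;` and a comment giving the reason, since an `extraRules` entry granting `ALL` to `wheel` otherwise duplicates the default `%wheel` rule and only adds the NOPASSWD part; if it is not intended, restore the three-command list or drop the `options = [ "NOPASSWD" ];` line so authentication is still required. The deleted `extraConfig` block also silently removes the `Defaults:picloud secure_path=…` override, which changes how sudo resolves commands for that user if the host still exists, so that removal deserves a line in the commit message as well.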