started SSH certs

John Lancaster
2026-03-12 13:22:40 -05:00
parent 3bbe6d359e
commit 026f413e7b
4 changed files with 33 additions and 28 deletions


@@ -19,18 +19,19 @@ in
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
nixos."${username}" nixos."${username}"
nixos.lxc nixos.lxc
nixos.sudo # nixos.sudo
nixos.zsh nixos.zsh
nixos.docker nixos.docker
nixos.step-client
{ {
users.users."${username}" = { users.users."${username}" = {
extraGroups = [ "docker" ]; extraGroups = [ "docker" ];
}; };
home-manager.users."${username}" = { home-manager.users."${username}" = {
imports = with inputs.self.modules.homeManager; [ # imports = with inputs.self.modules.homeManager; [
step-client # step-client
]; # ];
shell.program = "zsh"; shell.program = "zsh";
docker.enable = true; docker.enable = true;
ssh.matchSets = { ssh.matchSets = {
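Review bot: The host now carries `nixos.sudo` and the per-user `step-client` import as commented-out lines rather than removing them; dead configuration should be deleted, and the per-user import is redundant anyway because the new `nixos.step-client` module injects `homeManager.step-client` through `home-manager.sharedModules`. With `nixos.sudo` commented out this host presumably falls back to NixOS's default sudo policy instead of the project module; if that is deliberate, a one-line comment such as `# sudo: intentionally using the NixOS default policy, not the shared sudo module` would record it. The attribute set holding `ssh.matchSets` continues past the end of the hunk.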


@@ -1,5 +1,13 @@
{ inputs, ... }: { inputs, ... }:
{ {
flake.modules.nixos.step-client = { pkgs, config, ... }: {
imports = with inputs.self.modules.nixos; [ ssh ];
ssh.certificates = true;
home-manager.sharedModules = with inputs.self.modules; [
homeManager.step-client
];
};
flake.modules.homeManager.step-client = { pkgs, ... }: { flake.modules.homeManager.step-client = { pkgs, ... }: {
home.packages = with pkgs; [ home.packages = with pkgs; [
step-cli step-cli
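Review bot: The new `flake.modules.nixos.step-client` module takes `{ pkgs, config, ... }:` but its body (the `imports`, `ssh.certificates = true`, and `home-manager.sharedModules`) uses neither `pkgs` nor `config`; `{ ... }:` is enough and avoids suggesting dependencies that do not exist. Note also that `home-manager.sharedModules` installs the step-client home-manager module for every home-manager user on the host, not only the primary user; that may be intended, but a comment such as `# step-cli for every HM user; the host CA trust is system-wide via ssh.certificates` would make the scope explicit. The homeManager step-client module continues past the end of the hunk.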


@@ -3,27 +3,14 @@
security.sudo = { security.sudo = {
enable = true; enable = true;
extraRules = [{ extraRules = [{
groups = [ "wheel" ];
commands = [ commands = [
{ {
command = "${pkgs.systemd}/bin/systemctl suspend"; command = "ALL";
options = [ "NOPASSWD" ];
}
{
command = "${pkgs.systemd}/bin/reboot";
options = [ "NOPASSWD" ];
}
{
command = "${pkgs.systemd}/bin/poweroff";
options = [ "NOPASSWD" ]; options = [ "NOPASSWD" ];
} }
]; ];
groups = [ "wheel" ];
}]; }];
extraConfig = with pkgs; ''
Defaults:picloud secure_path="${lib.makeBinPath [
systemd
]}:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
'';
}; };
}; };
} }
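Review bot: The rewritten rule grants `NOPASSWD` for `command = "ALL"` to the wheel group, which makes every wheel account, and any process or SSH session running as one, passwordless root; the previous rule limited NOPASSWD to `systemctl suspend`, `reboot` and `poweroff`, and a commit titled "started SSH certs" does not explain the widening. If passwordless root is not the intent, drop `options = [ "NOPASSWD" ];` from the `ALL` entry (wheel already gets password-protected `ALL` from the NixOS default) and keep a separate NOPASSWD entry for the three power-management commands. If it is intended, document it above the rule, e.g. `# NOPASSWD for ALL: wheel members are root without a password; rely on key-only SSH and no shared accounts`. Dropping the `Defaults:picloud secure_path` block also reverts that user's sudo PATH to the NixOS default secure_path; confirm nothing depended on the explicit systemd entry.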


@@ -3,17 +3,26 @@ let
userName = "john"; userName = "john";
in in
{ {
flake.modules.nixos.ssh = { flake.modules.nixos.ssh = { pkgs, config, lib, ... }: {
services.openssh = { options = {
enable = true; ssh.certificates = lib.mkEnableOption "Enable SSH certificates";
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
}; };
home-manager.sharedModules = with inputs.self.modules.homeManager; [ config = {
ssh services.openssh = {
]; enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
};
programs.ssh.knownHosts = lib.mkIf config.ssh.certificates {
"192.168.1.*" = {
certAuthority = true;
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";
};
};
};
}; };
flake.modules.homeManager.ssh = { pkgs, config, lib, ... }: flake.modules.homeManager.ssh = { pkgs, config, lib, ... }:
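Review bot: `lib.mkEnableOption "Enable SSH certificates"` produces the description "Whether to enable Enable SSH certificates.", because mkEnableOption prepends "Whether to enable " itself; use a noun phrase such as `ssh.certificates = lib.mkEnableOption "trusting the SSH host CA for 192.168.1.* hosts";`. The option is also narrower than its name suggests: it only adds a client-side `@cert-authority` knownHosts entry, and that entry is matched against the name or address the user types, so hosts reached by DNS name instead of a `192.168.1.x` address still get a plain host-key prompt — either add the hostname patterns or note the limitation in a comment next to the entry. Separately, the old module's `home-manager.sharedModules = [ ssh ]` line has no counterpart on the new side; unless the homeManager ssh module is now imported elsewhere, per-user settings such as the `ssh.matchSets` used in the host file are no longer wired in.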