ssh options

This commit is contained in:
John Lancaster
2026-03-29 17:38:45 -05:00
parent e0abbd6b90
commit 04bbf00c3d
5 changed files with 54 additions and 50 deletions
+44 -37
@@ -32,6 +32,7 @@ in
};
config = {
cfg.certificates = lib.mkDefault true;
services.openssh = {
enable = true;
# require public key authentication for better security
@@ -65,52 +66,56 @@ in
};
};
flake.modules.homeManager.ssh = { pkgs, config, lib, ... }:
flake.modules.homeManager.ssh = { config, pkgs, lib, ... }:
let
cfg = config.ssh;
configDir = "${config.home.homeDirectory}/.ssh";
identityFile = cfg.identityFile;
publicKeyFile = "${identityFile}.pub";
certificateFile = "${identityFile}-cert.pub";
in
{
options.ssh = {
IdentityFile = lib.mkOption {
options.ssh = with lib; {
identityFile = mkOption {
# Intentionally not using a path type here because that will end up with the private key getting copied into the store
type = lib.types.str;
type = types.str;
default = "${config.home.homeDirectory}/.ssh/id_ed25519";
description = "Path to the SSH identity file.";
};
certificates = {
enable = lib.mkEnableOption "Enable SSH user certificates";
# sshCertProvisioner = lib.mkOption {
# type = lib.types.str;
# default = "admin";
# };
enable = mkEnableOption "Enable SSH client certificates";
};
knownHostsFile = lib.mkOption {
type = lib.types.str;
default = "${config.home.homeDirectory}/.ssh/known_hosts";
knownHostsFile = mkOption {
type = types.str;
default = "${configDir}/known_hosts";
};
knownHosts = mkOption {
description = "";
type = types.listOf types.str;
default = [ ];
};
matchSets = {
appdaemon = lib.mkEnableOption "Enable AppDaemon SSH targets";
certs = lib.mkEnableOption "Enable Janus and Soteria SSH targets";
homelab = lib.mkEnableOption "Enable various Homelab targets";
dev = lib.mkEnableOption "Enable development targets";
appdaemon = mkEnableOption "Enable AppDaemon SSH targets";
certs = mkEnableOption "Enable Janus and Soteria SSH targets";
homelab = mkEnableOption "Enable various Homelab targets";
dev = mkEnableOption "Enable development targets";
};
};
# All this stuff has to be wrapped in a config attribute because of the presence of the options here?
config = let
cfg = config.ssh;
identityFile = cfg.IdentityFile;
publicKeyFile = "${identityFile}.pub";
certificateFile = "${identityFile}-cert.pub";
provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
in {
home.file.".ssh/known_hosts" = {
text = lib.concatStringsSep "\n" (
[
"fded:fb16:653e:25da:be24:11ff:fea0:753f ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9ZqiWPrCwHjxFCiu0lT4rlQs7KyMapxKJQQ5PJP1eh"
cfg.knownHosts ++ lib.optionals cfg.certificates.enable [
"@cert-authority 192.168.1.* ${sshHostCAPubKey}"
"@cert-authority *.john-stream.com ${sshHostCAPubKey}"
]
++ (lib.optional cfg.certificates.enable "@cert-authority 192.168.1.* ${sshHostCAPubKey}")
++ (lib.optional cfg.certificates.enable "@cert-authority *.john-stream.com ${sshHostCAPubKey}")
);
};
@@ -119,27 +124,29 @@ in
enableDefaultConfig = false;
extraConfig = ''
SetEnv TERM="xterm-256color"
IdentityAgent ~/.1password/agent.sock
'';
matchBlocks = lib.mkMerge [
{
"*" = {
user = "john";
"*" = lib.mkMerge [
{
user = "john";
compression = false;
serverAliveInterval = 0;
serverAliveCountMax = 3;
compression = false;
serverAliveInterval = 0;
serverAliveCountMax = 3;
identitiesOnly = true;
inherit identityFile certificateFile;
identitiesOnly = true;
inherit identityFile;
hashKnownHosts = false;
userKnownHostsFile = cfg.knownHostsFile;
hashKnownHosts = false;
userKnownHostsFile = cfg.knownHostsFile;
addKeysToAgent = "yes";
forwardAgent = false;
};
addKeysToAgent = "yes";
forwardAgent = false;
}
(lib.mkIf cfg.certificates.enable { inherit certificateFile; })
];
}
(lib.mkIf cfg.matchSets.appdaemon {
"appdaemon" = {