John Lancaster
2026-03-10 21:48:44 -05:00
parent 95391fc713
commit 7eaa32f161
7 changed files with 189 additions and 7 deletions


@@ -4,7 +4,7 @@
{
imports = with inputs.self.homeModules; [
rebuild
ssh
# ssh
git
shell-tools
];


@@ -117,4 +117,17 @@ in
};
};
};
flake.modules.nixos.ssh = {
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
};
home-manager.sharedModules = with inputs.self.homeModules; [
ssh
];
};
}
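Review bot: The two `settings.*Authentication = false` lines make key material the only way in, so every host that imports `flake.modules.nixos.ssh` must already carry the user's `openssh.authorizedKeys` (or a `TrustedUserCAKeys` entry) before it is rebuilt, otherwise the rebuild locks you out; a comment stating that precondition next to the existing one would help, e.g. `# NOTE: hosts must have authorized keys (or a trusted user CA) in place before enabling — there is no password fallback`. `PermitRootLogin` is left at the NixOS default, which as far as I recall still permits key-based root login; consider `settings.PermitRootLogin = "no";` unless root logins are needed. The SSH host/user CA keys referenced elsewhere in this commit are not wired into sshd here (`HostCertificate`, `TrustedUserCAKeys`), which is presumably a later step.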


@@ -8,11 +8,18 @@ in
imports = [
inputs.self.modules.nixos.lxc
inputs.self.modules.nixos."${username}"
# inputs.self.modules.nixos.step-ca
inputs.self.modules.nixos.docker
];
home-manager.users."${username}" = {
imports = [
# inputs.self.homeModules."${username}"
imports = with inputs.self.homeModules; [
ssh
];
docker.enable = true;
ssh.matchSets = {
certs = true;
homelab = true;
};
};
};
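Review bot: `ssh.matchSets.certs = true` enables a certificate match set on this host while the `step-ca` module import just above it is commented out, so it is unclear from this hunk whether the cert set resolves to a live CA; a one-line comment would save the next reader the guess, e.g. `# step-ca disabled on this host until the CA config is finalized; the certs match set is client-side only`. If the commented-out `# inputs.self.homeModules."${username}"` line survives on the new side next to the new `imports = with inputs.self.homeModules; [`, it is dead text and should be deleted rather than kept. The contents of the `certs` and `homelab` match sets are defined outside this hunk, so I cannot check what they match.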


@@ -1,4 +1,17 @@
{ inputs, ... }:
{
flake.modules.nixos.docker = {
virtualisation.docker = {
enable = true;
};
home-manager.sharedModules = [
inputs.self.homeModules.docker
];
# users.users.john = {
# extraGroups = [ "docker" ];
# };
};
flake.homeModules.docker = { config, lib, pkgs, ... }:
{
options.docker = {
@@ -13,9 +26,6 @@
docker
docker-compose
lazydocker
(pkgs.writeShellScriptBin "test-docker" ''
echo "Hello from docker.nix!"
'')
];
home.shellAliases = {
lzd = "lazydocker";
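Review bot: The commented-out `users.users.john.extraGroups = [ "docker" ]` block in the new `flake.modules.nixos.docker` leaves the most security-relevant decision of this module undocumented: membership in the `docker` group is effectively root on the host (anyone who can reach the daemon socket can mount `/` into a container), so whether and where users get it deserves an explicit statement rather than dead code. Replace the three commented lines with something like `# Docker-group membership is root-equivalent; grant it per host, never from this shared module.`, or delete them. `flake.homeModules.docker` starts inside the first hunk and its body continues past it, and the second hunk only removes the `test-docker` script, so I have nothing to raise there.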


@@ -0,0 +1,129 @@
{
"root": "/etc/step-ca/certs/root_ca.crt",
"federatedRoots": null,
"crt": "/etc/step-ca/certs/intermediate_ca.crt",
"key": "/etc/step-ca/secrets/intermediate_ca_key",
"address": ":443",
"insecureAddress": "",
"dnsNames": [
"janus.john-stream.com",
"192.168.1.113"
],
"ssh": {
"hostKey": "/etc/step-ca/secrets/ssh_host_ca_key",
"userKey": "/etc/step-ca/secrets/ssh_user_ca_key"
},
"logger": {
"format": "text"
},
"db": {
"type": "badgerv2",
"dataSource": "/var/lib/step-ca/db",
"badgerFileLoadingMode": ""
},
"authority": {
"provisioners": [
{
"type": "ACME",
"name": "acme"
},
{
"type": "SSHPOP",
"name": "sshpop",
"claims": {
"enableSSHCA": true
}
},
{
"type": "JWK",
"name": "admin",
"key": {
"use": "sig",
"kty": "EC",
"kid": "xoxgOJFbveSLIL2gm1Yu5ZiRb9v8Jxe44F56i3v-Nf8",
"crv": "P-256",
"alg": "ES256",
"x": "zFO8hPx_eH0Iyz7UJI-w8ODMusEKCZ28M76sGWmWYxA",
"y": "XIWLLyKDzqxV9UH-2KeAkKPDrgLoPrxxW9-PzkXggME"
},
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiUVJnTnJVTF9KcmxJYkJMVTlGNVRPZyJ9.DMu7xBNCq5pr-_--YTxNr5Hrcqy6ZmSVHsWurfVXL7Hk0Q3vyYRxiw.h-CnFiYc-DhxThI3.plx3_Qa_0kU-2TwnqFNfAfGnCpfQ2e0iiCMLruNHbLMnHeXQ1BysHBqps45_02zZXIRdHoDgYGtXRSfcdUYYoS0pLoPzC6m301ZFNSAFdRVlSZ3Q6VmWdixPXXnEB4EgSKTT_wxR33L8t9OpFzD85KfY-b_Un1l99ufjCnfg-EYkcICTn_G4-8bcW3eFIvJ6setzu-l0jHMhLQdIweqncn9on9xBXBD-ANhZfP95P2BJt-APqCi8eqiAvn_vClovdg0PxzRwOVDvWREz66FDw-HTU7xDtGO9hACopT5tfZOXDoykgZw1mJsq9NEq9ZzvKG2hvyk1UXtExxrNtFo.5q1OfGU4Amo4Si-vpeI42g",
"claims": {
"enableSSHCA": true,
"disableRenewal": false,
"allowRenewalAfterExpiry": false,
"disableSmallstepExtensions": false
},
"options": {
"x509": {},
"ssh": {}
}
}
],
"template": {},
"backdate": "1m0s"
},
"tls": {
"cipherSuites": [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
],
"minVersion": 1.2,
"maxVersion": 1.3,
"renegotiation": false
},
"templates": {
"ssh": {
"user": [
{
"name": "config.tpl",
"type": "snippet",
"template": "templates/ssh/config.tpl",
"path": "~/.ssh/config",
"comment": "#"
},
{
"name": "step_includes.tpl",
"type": "prepend-line",
"template": "templates/ssh/step_includes.tpl",
"path": "${STEPPATH}/ssh/includes",
"comment": "#"
},
{
"name": "step_config.tpl",
"type": "file",
"template": "templates/ssh/step_config.tpl",
"path": "ssh/config",
"comment": "#"
},
{
"name": "known_hosts.tpl",
"type": "file",
"template": "templates/ssh/known_hosts.tpl",
"path": "ssh/known_hosts",
"comment": "#"
}
],
"host": [
{
"name": "sshd_config.tpl",
"type": "snippet",
"template": "templates/ssh/sshd_config.tpl",
"path": "/etc/ssh/sshd_config",
"comment": "#",
"requires": [
"Certificate",
"Key"
]
},
{
"name": "ca.tpl",
"type": "snippet",
"template": "templates/ssh/ca.tpl",
"path": "/etc/ssh/ca.pub",
"comment": "#"
}
]
}
},
"commonName": "Step Online CA"
}
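Review bot: The `admin` JWK provisioner ships its `encryptedKey` (a PBES2-wrapped private key) inside the committed config; step-ca only needs the public `key` block to validate tokens, so the encrypted key is a client-side convenience that anyone with read access to this repository can now brute-force offline, and a successful guess lets them mint X.509 certificates and, with `enableSSHCA: true`, SSH user and host certificates for any principal since `options` is empty. Either drop `encryptedKey` from the committed file and keep it in the operator's `$STEPPATH`, or treat the provisioner password as a high-entropy secret and rotate the provisioner if this repository is or becomes public. The ACME provisioner carries no claims, so its defaults apply; acceptable for a homelab but worth a note in the accompanying Nix module, since this JSON has no comment syntax. `address` is `:443` here whereas the NixOS step-ca module added in this commit listens on port 8443 — one of the two is stale.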


@@ -0,0 +1,22 @@
{ inputs, ... }:
let
ipAddress = "0.0.0.0";
in
{
flake.modules.nixos.step-ca = { pkgs, ... }: {
# https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/security/step-ca.nix
services.step-ca = {
enable = true;
openFirewall = true;
address = ipAddress;
port = 8443;
# https://smallstep.com/docs/step-ca/configuration/#configuration-options
settings = {
root = "";
crt = "";
};
};
environment.systemPackages = with pkgs; [ step-ca step-cli ];
};
}
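Review bot: `settings = { root = ""; crt = ""; }` is an empty stub, and since (as far as I recall) the NixOS `services.step-ca` module renders `settings` into the CA's config file, the service would start with no root or intermediate path and no `authority`/`db`/`dnsNames`; none of the hand-written ca.json added in this commit is referenced from here, so the two configs will drift — either feed the real values into `settings` (e.g. `settings = builtins.fromJSON (builtins.readFile ./ca.json);`) or document that the module is intentionally disabled. `address = "0.0.0.0"` combined with `openFirewall = true` exposes the CA on every interface; if it only serves the LAN, bind to that address and keep the firewall rule scoped. If I read the module correctly it also requires `intermediatePasswordFile` to decrypt the intermediate key, which is not set here — verify before enabling. The `nixos-23.05` link in the comment points at an old module revision; link the branch the flake actually tracks.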


@@ -15,6 +15,7 @@ in
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus"
];
};
programs.zsh.enable = true;
@@ -31,7 +32,7 @@ in
imports = with inputs.self.homeModules; [
base
docker
# docker
# resticprofile
];
};
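Review bot: The new `root@janus` entry in `openssh.authorizedKeys.keys` lets whoever holds that key log in as this user on every host importing this user module, and the comment suggests it was generated as root on `janus`, which elsewhere in this commit is also the CA host; if it is an automation key (e.g. for remote rebuilds), restrict it with `from=` and/or `restrict`/`command=` options and say so, e.g. `"from=\"192.168.1.113\",restrict ssh-ed25519 AAAA… root@janus"` (the address is a guess taken from the CA config — adjust). A short comment naming each key's purpose would also make future rotation easier. The `openssh.authorizedKeys` attribute set starts outside the first hunk, and the second hunk only comments out the `docker` home import, which is trivial.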