diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix
index f1cb477..503f282 100644
--- a/hosts/desktop/default.nix
+++ b/hosts/desktop/default.nix
@@ -26,7 +26,10 @@
 services = {
 gc.enable = true;
 sound.enable = true;
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ ssh.enable = true;
+ };
 nebula.node = {
 enable = true;
 address = "10.254.250.1";
diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix
index 3c235ec..73a6c22 100644
--- a/hosts/laptop/default.nix
+++ b/hosts/laptop/default.nix
@@ -29,7 +29,10 @@
 wlan.enable = true;
 bluetooth.enable = true;
 sound.enable = true;
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ ssh.enable = true;
+ };
 nebula.node = {
 enable = true;
 address = "10.254.250.3";
diff --git a/hosts/vps-monitor/default.nix b/hosts/vps-monitor/default.nix
index 62d91a7..edf2c85 100644
--- a/hosts/vps-monitor/default.nix
+++ b/hosts/vps-monitor/default.nix
@@ -21,7 +21,10 @@
 boot.loader.grub.enable = true;
 services = {
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ ssh.enable = true;
+ };
 nebula.node = {
 enable = true;
diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix
index 9ee3814..7b2c95d 100644
--- a/hosts/vps-private/default.nix
+++ b/hosts/vps-private/default.nix
@@ -27,6 +27,7 @@
 services = {
 tailscale = {
 enable = true;
+ ssh.enable = true;
 exitNode.enable = true;
 };
diff --git a/hosts/vps-public/default.nix b/hosts/vps-public/default.nix
index 1b5f0c3..ceb6364 100644
--- a/hosts/vps-public/default.nix
+++ b/hosts/vps-public/default.nix
@@ -21,7 +21,10 @@
 boot.loader.systemd-boot.enable = true;
 services = {
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ ssh.enable = true;
+ };
 nebula.node = {
 enable = true;
diff --git a/modules/home/programs/git.nix b/modules/home/programs/git.nix
index a2488f7..176e4a5 100644
--- a/modules/home/programs/git.nix
+++ b/modules/home/programs/git.nix
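Review bot: The identical `tailscale = { enable = true; ssh.enable = true; };` block is now pasted into five host files, so a later decision to switch Tailscale SSH off for one class of host has to be repeated five times and is easy to miss. The sibling keys `gc.enable` and `sound.enable` are not nixpkgs options, which suggests this `services` set is the repo's own module rather than `services.tailscale`; if so, a default for `ssh.enable` in that module with per-host overrides would be less drift-prone. Whatever the option does underneath (presumably `tailscale set --ssh`, which is not visible here), enabling it moves SSH authentication and authorization for the user off sshd and onto the tailnet policy's `ssh` rules, and that is worth stating once at the option or here, e.g. `# Tailscale SSH: access is governed by the tailnet ACL ssh rules, not sshd`. The enclosing `services` set starts above the hunk.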
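Review bot: vps-private is the exit node (`exitNode.enable = true` directly below the inserted line) and now also accepts Tailscale SSH, and nothing in this commit restricts which tailnet users or which destination hosts the new server accepts, so the policy file becomes the sole authorization boundary for a shell on the box that carries everyone's exit traffic. Confirm the policy's `ssh` section names this host and uses `action: check` (re-authentication) rather than `accept` for root or sudo-capable logins. A one-line comment next to `ssh.enable` recording that the ACL is where access is controlled would stop the next reader from looking for authorized keys here.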
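Review bot: vps-public is, by name, the internet-facing host, and it gains a second SSH server here in the same commit that strips `PasswordAuthentication = false` and `PermitRootLogin = "no"` from the openssh listener in modules/system/services/nebula/sshd.nix; unless those are set elsewhere, this host ends up with two SSH entry points and weaker settings on the one that is not Tailscale. Tailscale SSH itself answers only on the node's tailnet address, so the public exposure depends on whether openssh also binds a public interface, which this hunk does not show. If the intent is to retire the openssh path in favour of Tailscale SSH, say so in a comment here and disable openssh explicitly rather than leaving it at defaults.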
@@ -39,11 +39,15 @@
 };
 };
- lazygit.enable = true;
+ ssh = {
+ enable = true;
+ enableDefaultConfig = false;
+ matchBlocks =
+ config.custom.sops.secrets.ssh-key
+ |> lib.mapAttrs (name: _: { identityFile = config.sops.secrets."ssh-key/${name}".path; });
+ };
- ssh.matchBlocks =
- config.custom.sops.secrets.ssh-key
- |> lib.mapAttrs (name: _: { identityFile = config.sops.secrets."ssh-key/${name}".path; });
+ lazygit.enable = true;
 };
 };
}
diff --git a/modules/home/programs/ssh.nix b/modules/home/programs/ssh.nix
deleted file mode 100644
index a82fd05..0000000
--- a/modules/home/programs/ssh.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- config,
- self,
- lib,
- ...
-}@moduleArgs:
-let
- cfg = config.custom.programs.ssh;
-in
-{
- options.custom.programs.ssh = {
- enable = lib.mkEnableOption "";
- hostName = lib.mkOption {
- type = lib.types.nonEmptyStr;
- default = moduleArgs.osConfig.networking.hostName or "";
- };
- publicKeyPath = lib.mkOption {
- type = lib.types.path;
- default = "${self}/users/${config.home.username}/@${cfg.hostName}/keys/ssh.pub";
- };
- };
-
- config = lib.mkIf config.custom.programs.ssh.enable {
- programs.ssh = {
- enable = true;
- enableDefaultConfig = false;
- };
- };
-}
diff --git a/modules/home/sops.nix b/modules/home/sops.nix
index f32118a..70041b4 100644
--- a/modules/home/sops.nix
+++ b/modules/home/sops.nix
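Review bot: Each generated match block sets only `identityFile`, so ssh will still offer every key the agent holds to that host alongside the named file, which reveals which other identities this user owns to each remote and can exhaust `MaxAuthTries` on hosts with many keys; add `identitiesOnly = true;` in the `mapAttrs` lambda: `{ identityFile = config.sops.secrets."ssh-key/${name}".path; identitiesOnly = true; }`. Because `enableDefaultConfig = false` suppresses home-manager's host-wide defaults, nothing else in the generated config will supply that. A structural point: the ssh client config now lives inside git.nix and is only evaluated when this git module is on (the `programs` set it sits in opens above the hunk), so a host that disables git silently loses its sops-backed identities; a comment such as `# ssh config lives here because the sops-provisioned keys exist for git remotes` would at least record that coupling as intentional. The enclosing expression starts before and ends after the hunk.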
@@ -7,35 +7,36 @@
 }@moduleArgs:
 let
 cfg = config.custom.sops;
+
+ absoluteSecretsPath = "${self}/${cfg.secretsFile}";
 in
 {
 imports = [ inputs.sops.homeManagerModules.sops ];
 options.custom.sops = {
 enable = lib.mkEnableOption "";
+ agePublicKey = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "";
+ };
 hostName = lib.mkOption {
 type = lib.types.nonEmptyStr;
 default = moduleArgs.osConfig.networking.hostName or "";
 };
- agePublicKey = lib.mkOption {
- type = lib.types.nonEmptyStr;
- default =
- "${self}/users/${config.home.username}/@${cfg.hostName}/keys/age.pub" |> lib.readFile |> lib.trim;
- };
 secretsFile = lib.mkOption {
- type = lib.types.path;
- default = "${self}/users/${config.home.username}/@${cfg.hostName}/secrets.json";
+ type = lib.types.nonEmptyStr;
+ default = "users/${config.home.username}/@${cfg.hostName}/secrets.json";
 };
 secrets = lib.mkOption {
 type = lib.types.anything;
- default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON;
+ default = absoluteSecretsPath |> lib.readFile |> lib.strings.fromJSON;
 };
 };
 config = lib.mkIf cfg.enable {
 sops = {
 age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
- defaultSopsFile = cfg.secretsFile;
+ defaultSopsFile = absoluteSecretsPath;
 };
 };
}
diff --git a/modules/system/services/nebula/sshd.nix b/modules/system/services/nebula/sshd.nix
index eba37e7..3164c45 100644
--- a/modules/system/services/nebula/sshd.nix
+++ b/modules/system/services/nebula/sshd.nix
@@ -1,9 +1,4 @@
-{
- config,
- self,
- lib,
- ...
-}:
+{ config, lib, ... }:
 let
 cfg = config.custom.services.nebula.node;
 in
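Review bot: `agePublicKey` is declared `lib.types.nonEmptyStr` but given `default = ""`, which the module system rejects as an invalid definition as soon as the option is evaluated on a home that does not set it; the old default always read a real key from the file, so this is a new failure mode (`hostName` has the same shape, but that is pre-existing). Either drop the default so the option is required, or declare it `type = lib.types.nullOr lib.types.nonEmptyStr; default = null;` and let the consumer fail with a clear message. Nothing in this hunk reads the option, so where the value is consumed, and whether the removed file lookup had other callers, is not visible from here. `secretsFile` also changed from `types.path` to a string that `absoluteSecretsPath` prefixes with `${self}/`, so an absolute override would now yield a doubled path; a comment on the option such as `# path relative to the flake root` documents the new contract.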
@@ -30,18 +25,13 @@ in
 addr = cfg.address;
 inherit (cfg.sshd) port;
 };
- settings = {
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- PermitRootLogin = "no";
- };
 };
 nebula.networks.mesh.firewall.inbound =
 config.custom.services.nebula.peers
 |> lib.filter (node: node.isClient)
 |> lib.map (nebula: {
- inherit (cfg.sshd) port;
+ port = "22";
 proto = "tcp";
 host = nebula.name;
 });
@@ -51,14 +41,5 @@ in
 requires = [ "nebula@mesh.service" ];
 after = [ "nebula@mesh.service" ];
 };
-
- users.users.seb.openssh.authorizedKeys.keyFiles =
- self.nixosConfigurations
- |> lib.filterAttrs (name: _: name != config.networking.hostName)
- |> lib.attrValues
- |> lib.filter (value: value.config |> lib.hasAttr "home-manager")
- |> lib.map (value: value.config.home-manager.users.seb.custom.programs.ssh)
- |> lib.filter (ssh: ssh.enable)
- |> lib.map (ssh: ssh.publicKeyPath);
 };
}
diff --git a/users/seb/@desktop/home.nix b/users/seb/@desktop/home.nix
index 119558b..7b41368 100644
--- a/users/seb/@desktop/home.nix
+++ b/users/seb/@desktop/home.nix
@@ -3,7 +3,10 @@ _: {
 home.stateVersion = "23.11";
- custom.theme = "dark";
+ custom = {
+ sops.agePublicKey = "age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf";
+ theme = "dark";
+ };
 wayland.windowManager.hyprland.settings.monitor = [ "DP-1,2560x1440@180,0x0,1" ];
}
diff --git a/users/seb/@desktop/keys/age.pub b/users/seb/@desktop/keys/age.pub
deleted file mode 100644
index 3b5283c..0000000
--- a/users/seb/@desktop/keys/age.pub
+++ /dev/null
@@ -1 +0,0 @@
-age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
diff --git a/users/seb/@desktop/keys/ssh.pub b/users/seb/@desktop/keys/ssh.pub
deleted file mode 100644
index 82cd334..0000000
--- a/users/seb/@desktop/keys/ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBUORYC3AvTPQmtUEApTa9DvHoJy4mjuQy8abSjCcDd seb@desktop
diff --git a/users/seb/@laptop/home.nix b/users/seb/@laptop/home.nix
index 35b3589..15b5a98 100644
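Review bot: Removing the `settings` block re-enables password and keyboard-interactive authentication on this sshd and relaxes `PermitRootLogin` to the nixpkgs default (`prohibit-password`), because NixOS's openssh module defaults `PasswordAuthentication` and `KbdInteractiveAuthentication` to true unless something else in the tree sets them. The `listenAddresses` entry just above the deletion keeps that listener alive on the nebula address, and the next hunk in this file drops the `authorizedKeys.keyFiles` aggregation while the `keys/ssh.pub` files are deleted, so for `seb` the only credential this module now leaves for that listener is a password; if Tailscale SSH is meant to replace it, disable `services.openssh` here rather than leave a softer one behind, otherwise keep `settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "no"; };`. Separately, the firewall rule now hardcodes `port = "22";` while the listener still reads `cfg.sshd.port`, so the two disagree whenever that option is not 22; keeping `inherit (cfg.sshd) port;` holds them in step. The enclosing `config` block starts before and continues past the hunk.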
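Review bot: The inlined age recipient gives no hint which private key it pairs with, and the deleted keys/age.pub was at least named by host. modules/home/sops.nix decrypts with `~/.ssh/id_ed25519` through `age.sshKeyPaths`, so presumably this is the ssh-to-age form of seb@desktop's key; confirm that and record it, e.g. `# age recipient for seb@desktop's ~/.ssh/id_ed25519 (ssh-to-age); keep in sync with the sops recipient list`. Deleting the file is harmless for secrecy since the value is public, but any other consumer of that path (a `.sops.yaml` generator, for instance) is not visible in this diff.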
--- a/users/seb/@laptop/home.nix
+++ b/users/seb/@laptop/home.nix
@@ -4,6 +4,7 @@ _: {
 home.stateVersion = "24.11";
 custom = {
+ sops.agePublicKey = "age190mf9wx4ct7qvne3ly9j3cj9740z5wnfhsl6vsc5wtfyc5pueuas9hnjtr";
 theme = "light";
 programs.brightnessctl.enable = true;
 };
diff --git a/users/seb/@laptop/keys/age.pub b/users/seb/@laptop/keys/age.pub
deleted file mode 100644
index cd30470..0000000
--- a/users/seb/@laptop/keys/age.pub
+++ /dev/null
@@ -1 +0,0 @@
-age190mf9wx4ct7qvne3ly9j3cj9740z5wnfhsl6vsc5wtfyc5pueuas9hnjtr
diff --git a/users/seb/@laptop/keys/ssh.pub b/users/seb/@laptop/keys/ssh.pub
deleted file mode 100644
index 4cff3a0..0000000
--- a/users/seb/@laptop/keys/ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1WFOdZCvfb1ZRycBGK0x+3viQpkkl6CQ3cV/Mf3gAJ seb@laptop
diff --git a/users/seb/home.nix b/users/seb/home.nix
index 7aaee10..b0965b0 100644
--- a/users/seb/home.nix
+++ b/users/seb/home.nix
@@ -27,7 +27,6 @@
 aliases.enable = true;
 direnv.enable = true;
 };
- ssh.enable = true;
 git.enable = true;
 kitty.enable = true;
 vscode.enable = true;