From 2f4a83a90690e8077c17c0b2dd30d144ca38825b Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Wed, 7 Jan 2026 18:46:59 +0100
Subject: [PATCH 1/3] sops: Align home module with system module

---
 modules/home/sops.nix           | 19 +++++++++----------
 users/seb/@desktop/home.nix     |  5 +----
 users/seb/@desktop/keys/age.pub |  1 +
 users/seb/@laptop/home.nix      |  1 -
 users/seb/@laptop/keys/age.pub  |  1 +
 5 files changed, 12 insertions(+), 15 deletions(-)
 create mode 100644 users/seb/@desktop/keys/age.pub
 create mode 100644 users/seb/@laptop/keys/age.pub

diff --git a/modules/home/sops.nix b/modules/home/sops.nix
index 70041b4..f32118a 100644
--- a/modules/home/sops.nix
+++ b/modules/home/sops.nix
@@ -7,36 +7,35 @@
 }@moduleArgs:
 let
   cfg = config.custom.sops;
-
-  absoluteSecretsPath = "${self}/${cfg.secretsFile}";
 in
 {
   imports = [ inputs.sops.homeManagerModules.sops ];
 
   options.custom.sops = {
     enable = lib.mkEnableOption "";
-    agePublicKey = lib.mkOption {
-      type = lib.types.nonEmptyStr;
-      default = "";
-    };
     hostName = lib.mkOption {
       type = lib.types.nonEmptyStr;
       default = moduleArgs.osConfig.networking.hostName or "";
     };
-    secretsFile = lib.mkOption {
+    agePublicKey = lib.mkOption {
       type = lib.types.nonEmptyStr;
-      default = "users/${config.home.username}/@${cfg.hostName}/secrets.json";
+      default =
+        "${self}/users/${config.home.username}/@${cfg.hostName}/keys/age.pub" |> lib.readFile |> lib.trim;
+    };
+    secretsFile = lib.mkOption {
+      type = lib.types.path;
+      default = "${self}/users/${config.home.username}/@${cfg.hostName}/secrets.json";
     };
     secrets = lib.mkOption {
       type = lib.types.anything;
-      default = absoluteSecretsPath |> lib.readFile |> lib.strings.fromJSON;
+      default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON;
     };
   };
 
   config = lib.mkIf cfg.enable {
     sops = {
       age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
-      defaultSopsFile = absoluteSecretsPath;
+      defaultSopsFile = cfg.secretsFile;
     };
   };
 }
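Review bot: None of the options in `options.custom.sops` carry a `description`, and `agePublicKey` now has a non-obvious default — it is read from `users/<user>/@<host>/keys/age.pub` inside the flake at evaluation time — so the coupling to that repository layout is invisible to anyone reading the option. Suggest `description = "Age recipient for this host; defaults to the contents of keys/age.pub next to the host's secrets.json";` on `agePublicKey`, and a matching line on `secretsFile` noting that it is now an absolute path into the flake rather than a repo-relative string. Because `lib.readFile` runs inside the default, a host that lacks the key file fails with the evaluator's plain file-not-found message rather than one naming the option; if that case is expected for some hosts, guarding the default with `lib.pathExists` or adding an assertion with a clearer message would help.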
diff --git a/users/seb/@desktop/home.nix b/users/seb/@desktop/home.nix
index 7b41368..119558b 100644
--- a/users/seb/@desktop/home.nix
+++ b/users/seb/@desktop/home.nix
@@ -3,10 +3,7 @@ _: {
 
   home.stateVersion = "23.11";
 
-  custom = {
-    sops.agePublicKey = "age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf";
-    theme = "dark";
-  };
+  custom.theme = "dark";
 
   wayland.windowManager.hyprland.settings.monitor = [ "DP-1,2560x1440@180,0x0,1" ];
 }
diff --git a/users/seb/@desktop/keys/age.pub b/users/seb/@desktop/keys/age.pub
new file mode 100644
index 0000000..3b5283c
--- /dev/null
+++ b/users/seb/@desktop/keys/age.pub
@@ -0,0 +1 @@
+age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
diff --git a/users/seb/@laptop/home.nix b/users/seb/@laptop/home.nix
index 15b5a98..35b3589 100644
--- a/users/seb/@laptop/home.nix
+++ b/users/seb/@laptop/home.nix
@@ -4,7 +4,6 @@ _: {
   home.stateVersion = "24.11";
 
   custom = {
-    sops.agePublicKey = "age190mf9wx4ct7qvne3ly9j3cj9740z5wnfhsl6vsc5wtfyc5pueuas9hnjtr";
     theme = "light";
     programs.brightnessctl.enable = true;
   };
diff --git a/users/seb/@laptop/keys/age.pub b/users/seb/@laptop/keys/age.pub
new file mode 100644
index 0000000..cd30470
--- /dev/null
+++ b/users/seb/@laptop/keys/age.pub
@@ -0,0 +1 @@
+age190mf9wx4ct7qvne3ly9j3cj9740z5wnfhsl6vsc5wtfyc5pueuas9hnjtr

From 72ed799826a5063879de94994492838236a8736a Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Wed, 7 Jan 2026 20:40:09 +0100
Subject: [PATCH 2/3] nebula/sshd: Only allow key auth

---
 modules/home/programs/git.nix           | 12 ++++------
 modules/home/programs/ssh.nix           | 29 +++++++++++++++++++++++++
 modules/system/services/nebula/sshd.nix | 23 ++++++++++++++++++--
 users/seb/@desktop/keys/ssh.pub         |  1 +
 users/seb/@laptop/keys/ssh.pub          |  1 +
 users/seb/home.nix                      |  1 +
 6 files changed, 57 insertions(+), 10 deletions(-)
 create mode 100644 modules/home/programs/ssh.nix
 create mode 100644 users/seb/@desktop/keys/ssh.pub
 create mode 100644 users/seb/@laptop/keys/ssh.pub
diff --git a/modules/home/programs/git.nix b/modules/home/programs/git.nix
index 176e4a5..a2488f7 100644
--- a/modules/home/programs/git.nix
+++ b/modules/home/programs/git.nix
@@ -39,15 +39,11 @@
       };
     };
 
-    ssh = {
-      enable = true;
-      enableDefaultConfig = false;
-      matchBlocks =
-        config.custom.sops.secrets.ssh-key
-        |> lib.mapAttrs (name: _: { identityFile = config.sops.secrets."ssh-key/${name}".path; });
-    };
-
     lazygit.enable = true;
+
+    ssh.matchBlocks =
+      config.custom.sops.secrets.ssh-key
+      |> lib.mapAttrs (name: _: { identityFile = config.sops.secrets."ssh-key/${name}".path; });
   };
 };
 }
diff --git a/modules/home/programs/ssh.nix b/modules/home/programs/ssh.nix
new file mode 100644
index 0000000..a82fd05
--- /dev/null
+++ b/modules/home/programs/ssh.nix
@@ -0,0 +1,29 @@
+{
+  config,
+  self,
+  lib,
+  ...
+}@moduleArgs:
+let
+  cfg = config.custom.programs.ssh;
+in
+{
+  options.custom.programs.ssh = {
+    enable = lib.mkEnableOption "";
+    hostName = lib.mkOption {
+      type = lib.types.nonEmptyStr;
+      default = moduleArgs.osConfig.networking.hostName or "";
+    };
+    publicKeyPath = lib.mkOption {
+      type = lib.types.path;
+      default = "${self}/users/${config.home.username}/@${cfg.hostName}/keys/ssh.pub";
+    };
+  };
+
+  config = lib.mkIf config.custom.programs.ssh.enable {
+    programs.ssh = {
+      enable = true;
+      enableDefaultConfig = false;
+    };
+  };
+}
diff --git a/modules/system/services/nebula/sshd.nix b/modules/system/services/nebula/sshd.nix
index 3164c45..eba37e7 100644
--- a/modules/system/services/nebula/sshd.nix
+++ b/modules/system/services/nebula/sshd.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  self,
+  lib,
+  ...
+}:
 let
   cfg = config.custom.services.nebula.node;
 in
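Review bot: `ssh.matchBlocks` is still set from this module, but the `enable = true` that used to sit beside it now lives only in the new `custom.programs.ssh` module, so enabling git without `custom.programs.ssh.enable` leaves match blocks declared under a `programs.ssh` that is not enabled and, if home-manager skips config generation for a disabled program as it normally does, no identityFile mapping is written at all. Either enable the ssh module from here, `custom.programs.ssh.enable = lib.mkDefault true;` at the top of this module's `config` block, or add an assertion that names the missing option. The enclosing `programs` set and its `mkIf` begin outside the hunk, so I cannot see whether something there already covers this.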
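Review bot: `config = lib.mkIf config.custom.programs.ssh.enable {` spells out the option path that `cfg` already aliases in the `let` just above; `config = lib.mkIf cfg.enable {` reads the same and matches the sops module this series otherwise aligns with. `publicKeyPath` is declared but never consumed inside this module — it is read across configurations by the nebula sshd module later in this patch — so a `description = "Public key file of this host's user; authorized on the other nebula hosts' sshd";` would record that contract where a reader looks for it. The same applies to `hostName`, whose `""` fallback only makes sense once the reader knows `osConfig` is absent when the module is evaluated standalone.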
@@ -25,13 +30,18 @@ in
         addr = cfg.address;
         inherit (cfg.sshd) port;
       };
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = "no";
+      };
     };
 
     nebula.networks.mesh.firewall.inbound =
       config.custom.services.nebula.peers
       |> lib.filter (node: node.isClient)
       |> lib.map (nebula: {
-        port = "22";
+        inherit (cfg.sshd) port;
         proto = "tcp";
         host = nebula.name;
       });
@@ -41,5 +51,14 @@ in
       requires = [ "nebula@mesh.service" ];
       after = [ "nebula@mesh.service" ];
     };
+
+    users.users.seb.openssh.authorizedKeys.keyFiles =
+      self.nixosConfigurations
+      |> lib.filterAttrs (name: _: name != config.networking.hostName)
+      |> lib.attrValues
+      |> lib.filter (value: value.config |> lib.hasAttr "home-manager")
+      |> lib.map (value: value.config.home-manager.users.seb.custom.programs.ssh)
+      |> lib.filter (ssh: ssh.enable)
+      |> lib.map (ssh: ssh.publicKeyPath);
   };
 }
diff --git a/users/seb/@desktop/keys/ssh.pub b/users/seb/@desktop/keys/ssh.pub
new file mode 100644
index 0000000..82cd334
--- /dev/null
+++ b/users/seb/@desktop/keys/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBUORYC3AvTPQmtUEApTa9DvHoJy4mjuQy8abSjCcDd seb@desktop
diff --git a/users/seb/@laptop/keys/ssh.pub b/users/seb/@laptop/keys/ssh.pub
new file mode 100644
index 0000000..4cff3a0
--- /dev/null
+++ b/users/seb/@laptop/keys/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1WFOdZCvfb1ZRycBGK0x+3viQpkkl6CQ3cV/Mf3gAJ seb@laptop
diff --git a/users/seb/home.nix b/users/seb/home.nix
index b0965b0..7aaee10 100644
--- a/users/seb/home.nix
+++ b/users/seb/home.nix
@@ -27,6 +27,7 @@
       aliases.enable = true;
       direnv.enable = true;
     };
+    ssh.enable = true;
     git.enable = true;
     kitty.enable = true;
     vscode.enable = true;

From 1c61682e5a0ed534b574394702b8ee57c84147df Mon Sep 17 00:00:00 2001
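Review bot: The new `settings` block turns off password and keyboard-interactive auth and root login, which is what the commit title promises, but it still admits any local account that happens to have an authorized key, while the following hunk only ever provisions keys for `seb`; adding `AllowUsers = [ "seb" ];` to the same `settings` set pins the login surface to the one account this module actually manages. The rest of the `services.openssh` definition (the `listenAddresses` entry using `cfg.address` and the `cfg.sshd` options) starts outside the hunk, so I am assuming nothing there widens it again.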
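Review bot: The `keyFiles` pipeline only checks for a `home-manager` attribute on each peer's config and then indexes `home-manager.users.seb.custom.programs.ssh` unconditionally, so evaluating this host fails as soon as any other configuration in `self.nixosConfigurations` has home-manager but no `seb` user or does not import the `custom.programs.ssh` module. Replacing the `hasAttr` filter with `|> lib.filter (value: lib.hasAttrByPath [ "home-manager" "users" "seb" "custom" "programs" "ssh" ] value.config)` and keeping the `map` after it covers both cases. Two things deserve a comment above the assignment as well: the list is built by partially evaluating every other NixOS configuration in the flake, so evaluation cost grows with the number of hosts, and the result is a full mesh — every host whose home module sets `ssh.enable` can log in as `seb` on every other host, so a single compromised client key reaches all of them; that is a reasonable deliberate choice, but it should be stated, e.g. `# full-mesh trust: every client host's ssh.pub is authorized here`.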
From: SebastianStork
Date: Wed, 7 Jan 2026 20:51:50 +0100
Subject: [PATCH 3/3] tailscale: Disable ssh for all hosts

---
 hosts/desktop/default.nix     | 5 +----
 hosts/laptop/default.nix      | 5 +----
 hosts/vps-monitor/default.nix | 5 +----
 hosts/vps-private/default.nix | 1 -
 hosts/vps-public/default.nix  | 5 +----
 5 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix
index 503f282..f1cb477 100644
--- a/hosts/desktop/default.nix
+++ b/hosts/desktop/default.nix
@@ -26,10 +26,7 @@
   services = {
     gc.enable = true;
     sound.enable = true;
-    tailscale = {
-      enable = true;
-      ssh.enable = true;
-    };
+    tailscale.enable = true;
     nebula.node = {
       enable = true;
       address = "10.254.250.1";
diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix
index 73a6c22..3c235ec 100644
--- a/hosts/laptop/default.nix
+++ b/hosts/laptop/default.nix
@@ -29,10 +29,7 @@
     wlan.enable = true;
     bluetooth.enable = true;
     sound.enable = true;
-    tailscale = {
-      enable = true;
-      ssh.enable = true;
-    };
+    tailscale.enable = true;
     nebula.node = {
       enable = true;
       address = "10.254.250.3";
diff --git a/hosts/vps-monitor/default.nix b/hosts/vps-monitor/default.nix
index edf2c85..62d91a7 100644
--- a/hosts/vps-monitor/default.nix
+++ b/hosts/vps-monitor/default.nix
@@ -21,10 +21,7 @@
   boot.loader.grub.enable = true;
 
   services = {
-    tailscale = {
-      enable = true;
-      ssh.enable = true;
-    };
+    tailscale.enable = true;
 
     nebula.node = {
       enable = true;
diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix
index 7b2c95d..9ee3814 100644
--- a/hosts/vps-private/default.nix
+++ b/hosts/vps-private/default.nix
@@ -27,7 +27,6 @@
   services = {
     tailscale = {
       enable = true;
-      ssh.enable = true;
       exitNode.enable = true;
     };
 
diff --git a/hosts/vps-public/default.nix b/hosts/vps-public/default.nix
index ceb6364..1b5f0c3 100644
--- a/hosts/vps-public/default.nix
+++ b/hosts/vps-public/default.nix
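Review bot: Dropping `ssh.enable` from the tailscale block removes Tailscale SSH as an access path on every host in this patch (the laptop, vps-monitor, vps-private and vps-public hunks make the same change), but nothing in the series ties the removal to the nebula-bound sshd from the previous patch being enabled on the same host; the vps-private hunk in particular shows no `nebula.node` block in its context. Before rolling this out, confirm that each host still has a working key-based login over nebula — the sshd from patch 2 appears to bind only the nebula address — or console access for the VPSes, since a host with neither is locked out after the switch. A one-line comment at the top of each `services` block, `# remote access: key-only sshd on the nebula mesh; tailscale ssh disabled`, would keep that dependency visible to the next reader.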
@@ -21,10 +21,7 @@
   boot.loader.systemd-boot.enable = true;
 
   services = {
-    tailscale = {
-      enable = true;
-      ssh.enable = true;
-    };
+    tailscale.enable = true;
 
     nebula.node = {
       enable = true;