age with yubikey

This commit is contained in:
Grimmauld 2024-11-30 10:47:40 +01:00
parent c7d9d0f802
commit 19f05aec9f
Signed by: Grimmauld
SSH key fingerprint: SHA256:Q8IL6Y7sSKqzkyFdV1L0O/EflEh1fFV3tBtwxpapRH4
10 changed files with 196 additions and 57 deletions


@ -4,4 +4,5 @@
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos"
(builtins.readFile ./ssh/id_ed25519_sk.pub )
]
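Review bot: `builtins.readFile ./ssh/id_ed25519_sk.pub` returns the file contents including the trailing newline, so this entry differs from the three literal strings above it, which carry none. It is harmless in an authorized_keys-style list, but if the list is ever joined or compared elsewhere the stray newline will surprise someone; `(lib.fileContents ./ssh/id_ed25519_sk.pub)` (or `lib.removeSuffix "\n"` on the readFile result) keeps the entries uniform. The enclosing attribute starts outside the hunk.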


@ -29,49 +29,51 @@ in
programs.git = {
enable = true;
lfs.enable = true;
config = let
key_file = ../../ssh/id_ed25519_sk.pub;
allowed_signers_file = pkgs.writeText "allowed_signers" ''${tooling.git_email} namespaces="git" ${readFile key_file}'';
in {
config =
let
key_file = ../../ssh/id_ed25519_sk.pub;
allowed_signers_file = pkgs.writeText "allowed_signers" ''${tooling.git_email} namespaces="git" ${readFile key_file}'';
in
{
init.defaultBranch = "main";
credential.username = tooling.git_user;
gpg.format = "ssh";
user.signingkey = toString key_file;
gpg.ssh.allowedSignersFile = toString allowed_signers_file;
user.name = tooling.git_user;
user.email = tooling.git_email;
push.autoSetupRemote = true;
core.autocrlf = "input";
commit.gpgsign = true;
safe.directory = "/etc/nixos";
core.excludesfile = (
pkgs.writeText ".gitignore" ''
.idea
.obsidian
*~
result
''
);
pull.rebase = false;
include.path = "${pkgs.delta.src}/themes.gitconfig";
init.defaultBranch = "main";
credential.username = tooling.git_user;
gpg.format = "ssh";
user.signingkey = toString key_file;
gpg.ssh.allowedSignersFile = toString allowed_signers_file;
user.name = tooling.git_user;
user.email = tooling.git_email;
push.autoSetupRemote = true;
core.autocrlf = "input";
commit.gpgsign = true;
safe.directory = "/etc/nixos";
core.excludesfile = (
pkgs.writeText ".gitignore" ''
.idea
.obsidian
*~
result
''
);
pull.rebase = false;
include.path = "${pkgs.delta.src}/themes.gitconfig";
core.pager = "delta";
interactive.diffFilter = "delta --color-only";
delta = {
navigate = true;
features = "mantis-shrimp";
core.pager = "delta";
interactive.diffFilter = "delta --color-only";
delta = {
navigate = true;
features = "mantis-shrimp";
};
merge.conflictstyle = "diff3";
diff.colorMoved = "default";
alias = {
pfusch = "push --force-with-lease --force-if-includes";
fuck = "reset HEAD~1";
fixup = "commit --fixup";
};
};
merge.conflictstyle = "diff3";
diff.colorMoved = "default";
alias = {
pfusch = "push --force-with-lease --force-if-includes";
fuck = "reset HEAD~1";
fixup = "commit --fixup";
};
};
};
};


@ -2,6 +2,8 @@
pkgs,
config,
lib,
inputs,
system,
...
}:
let
@ -15,6 +17,8 @@ let
attrNames
mkEnableOption
;
age_plugins = with pkgs; [ age-plugin-yubikey ];
in
{
config = mkIf enable {
@ -40,18 +44,36 @@ in
}
];
services.pcscd.enable = true;
age.ageBin =
let
rage_wrapped = pkgs.symlinkJoin {
name = "rage";
paths = [ pkgs.rage ];
buildInputs = [ pkgs.makeWrapper ];
postBuild = ''
wrapProgram $out/bin/rage \
--prefix PATH : ${lib.makeBinPath age_plugins}
'';
};
in
lib.getExe' rage_wrapped "rage";
programs.yubikey-touch-detector.enable = graphical;
environment.systemPackages =
(with pkgs; [
mkpasswd
gnupg
libsecret
vulnix
# agenix
(inputs.agenix.packages."${system}".default.override { plugins = age_plugins; })
yubikey-manager
yubico-pam
yubikey-personalization
])
++ age_plugins
++ (optionals (tooling.enable && tooling.pass) [
pkgs.pass
(pkgs.writeShellScriptBin "passw" "pass $@")
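Review bot: In `rage_wrapped`, `makeWrapper` is a build-time tool and belongs in `nativeBuildInputs`, not `buildInputs`; it works here only because the build is native, and `nativeBuildInputs = [ pkgs.makeWrapper ];` is the form the rest of nixpkgs uses. A short comment above `age.ageBin` would also help the next reader, since the reason for wrapping is not visible from the code: `# agenix runs ageBin non-interactively; put the yubikey plugin on its PATH so yubikey identities can be used for decryption`. Note that the wrapper only affects what agenix invokes, while the plugin is additionally installed system-wide via `++ age_plugins` for interactive use. The `environment.systemPackages` list continues past the hunk.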


@ -45,10 +45,35 @@
}
},
"agenix": {
"inputs": {
"agenix": "agenix_2",
"crane": "crane",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1726755133,
"narHash": "sha256-03XIEjHeZEjHXctsXYUB+ZLQmM0WuhR6qWQjwekFk/M=",
"owner": "yaxitech",
"repo": "ragenix",
"rev": "687ee92114bce9c4724376cf6b21235abe880bfa",
"type": "github"
},
"original": {
"owner": "yaxitech",
"repo": "ragenix",
"type": "github"
}
},
"agenix_2": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"agenix",
"nixpkgs"
],
"systems": "systems"
@ -107,9 +132,25 @@
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1732906089,
"narHash": "sha256-NvYSSiKsC0rqn9yY0a9zglLXrFp92EwKhTFZC38voCQ=",
"owner": "ipetkov",
"repo": "crane",
"rev": "9ed3180f45c2d1499e5af98c4ab7ffee8e886f5f",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"agenix",
"nixpkgs"
]
@ -191,6 +232,24 @@
"url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
@ -216,6 +275,7 @@
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"agenix",
"nixpkgs"
]
@ -283,7 +343,7 @@
"nixpkgs-update",
"nixpkgs"
],
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1710694589,
@ -542,6 +602,27 @@
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1732933841,
"narHash": "sha256-dge02pUSe2QeC/B3PriA0R8eAX+EU3aDoXj9FcS3XDw=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "c65e91d4a33abc3bc4a892d3c5b5b378bad64ea1",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@ -572,6 +653,21 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [


@ -11,7 +11,7 @@
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:ryantm/agenix";
url = "github:yaxitech/ragenix";
inputs.nixpkgs.follows = "nixpkgs";
};
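Review bot: The input keeps the name `agenix` while now pointing at a different upstream (`yaxitech/ragenix`), which a reader of `inputs.agenix.*` references elsewhere in the flake will not expect; a one-line comment makes the substitution explicit: `# ragenix: agenix-compatible reimplementation with age plugin support (needed for age-plugin-yubikey); exposes the same nixosModules`. This is also a supply-chain change of maintainer, so it is worth recording in the comment why the fork was chosen, since the lockfile pins the revision but not the reason.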
nixos-mailserver = {


@ -1,12 +1,21 @@
age-encryption.org/v1
-> ssh-rsa skhaxw
jJVp7UZ5GPCU9072EIGSp1cTrD4blUhuVox94VsdBJDcuhAfiBtyxq80795wl3t5
z/IjGIJZfnwTD0xsVDN3MgwKvS3RvhLSBKzTmThcMjBpdf04w5Qs3bT1t3oVdl/W
w2MuJBLeWJnZnEN2vpBvGLpKYmvdVlcM4eMgeBDN0bHQUKgIefE5YwHMkn8EiNOo
eYkl7XUUlDGRjGFi34LKiuUWRw2gXv732YsX3awQkC4EXSbshkudRDXG/mFBx7vO
neOaBJR+tsyGV7XQA6p1jcXBQpEi7ctg3aN6wRUnZCyt+JsHhJi3O12Yku8JxB+F
ac9BSp0ivq/1izXM4dV6+A
-> ssh-ed25519 RbssYw 6IaH4azVjA+/8AzOE4syrepqZHm0FAeOxK4rkhKXHE8
uN2saodZfJvZMyZLWLaibqnmQTTplTNIXOg4BwxZvN8
--- IxnIgYAbNLV9/lBsaS7fdTQyDfk/6gJDMW+qVRpbwVw
kŒƒ¦”¦[Ð"¾cß:øàÂú ÄÅ@-Y=l<>¤ý…,ZÚV˜Gè½%äiµ9
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -1,6 +1,7 @@
let
laptop_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos";
laptop_pub_ed = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos";
yubi = "age1yubikey1qghu93392cf93jzpyqmwhf005xxkrzf0rv20gyx652lyhkxjznyfw7w8j0s";
# obtained with `ssh-keyscan [ip]`
contabo_nix_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCCsCsjhJleQCBm0gwnUj5R7zewC0SoRvth1qhXtUCeWM3KHkX+CjiHvVaHs+ftYE9uCe5jwVMB+b4UPkNU8EfQeL99iOYtkcn+fEQqjUJe/x/Pn0NxfS1DCvFpI6s3485ysDmagi640XN9S+eIiiMZIqWTsIlUtkEwGF0wuv+xqzbBOlUtIkL2AMpMeFCFovOcpu2JwEAIpDUiW+FanAFImw6rvNmpAtaaFGheYOGJwnpVfdaIeRPqEN3fqtIRBIQVgxt25BGYX83vaIH3Y/OaEKMGUa/4Fe/PRpGJyhCtdae6kcVfx57hs0e7/HezjgfS90HTu2cy6BrJOvGUspCjCbdElddfboE9wtBeNYsgjUOdU926m2M1tTn7Ex6ZMOQRKRlVFac6Yo+CedRTe4u6lkrWcsDdmnajel7uxoW8VMEre/CBCtK+ZlGaDwJjIVNCn7J3KZBKeaB/t/1iSr7/buaXYh5VV1Q0gv0mtvx+D7YLngaTv3sLFpLV8Wk1mgXt9R2hHxcRBKGJYx5RWa8aMHK62RP1GRc5yCzREj2Mc5qUJyd8oirnQYms/BsaDybUJde9IL4REeMzIBYyi/MG/+OAIUSAtdYygABWco+Swv4jP52UODHikcmyejHdFhRngsb4IYzGZXbS5pobkCyqCMJ20v5BG3WNFmujAlXRw==";
@ -8,6 +9,7 @@ in
{
"nextcloud_pass.age".publicKeys = [
laptop_pub
yubi
laptop_pub_ed
];
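Review bot: The new `yubi` recipient is a bare `age1yubikey1…` string with nothing tying it to a physical token, unlike the other recipients whose SSH comments identify the host. A comment on its definition keeps that traceable when the key is rotated or lost: `# age-plugin-yubikey identity, serial 26681512 slot 1 (secrets/yubikey-identity.txt)`. The recipient list for the other secrets continues outside the hunk.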


@ -0,0 +1,7 @@
# Serial: 26681512, Slot: 1
# Name: age identity e7e0df76
# Created: Sat, 30 Nov 2024 09:42:11 +0000
# PIN policy: Never (A PIN is NOT required to decrypt)
# Touch policy: Never (A physical touch is NOT required to decrypt)
# Recipient: age1yubikey1qghu93392cf93jzpyqmwhf005xxkrzf0rv20gyx652lyhkxjznyfw7w8j0s
AGE-PLUGIN-YUBIKEY-14QSFWQVZULSD7ASD5UX5U
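Review bot: This identity was generated with both `PIN policy: Never` and `Touch policy: Never`, and the identity file is now committed to the repository, so possession of the plugged-in YubiKey is the only factor protecting every secret encrypted to it: any process on a host where the token is inserted can decrypt without a PIN or a touch. If the intent is hands-off decryption during system activation, that trade-off should at least be stated in a comment here; otherwise regenerate the slot with a stricter policy (for example `age-plugin-yubikey --generate --touch-policy cached` or `--pin-policy once`), which still allows one touch/PIN to cover a burst of decryptions. Note that the serial number and slot are also disclosed wherever this file is copied.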


@ -12,7 +12,7 @@
./../../sway
];
age.identityPaths = [ "/root/.ssh/id_ed25519" ];
age.identityPaths = [ ../../secrets/yubikey-identity.txt ];
services.zfs.trim.enable = true;
boot.supportedFilesystems.zfs = true;
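Review bot: Replacing `/root/.ssh/id_ed25519` with the YubiKey identity as the only entry in `age.identityPaths` means this host can no longer decrypt its secrets unless the token is plugged in and the plugin can reach pcscd at the moment agenix runs; the secrets are still encrypted to `laptop_pub_ed`, so keeping the host key as a fallback costs nothing: `age.identityPaths = [ "/root/.ssh/id_ed25519" ../../secrets/yubikey-identity.txt ];`. If agenix's activation runs before pcscd is available at boot, the YubiKey identity alone would presumably fail to decrypt — worth confirming with a reboot test. Also note that the path literal copies the identity file into the world-readable Nix store, which is acceptable only because that file is a reference to the token rather than the key material itself.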


@ -182,7 +182,7 @@
aw-bundle = (
pkgs.writeShellScriptBin "aw-bundle" ''
export RUST_BACKTRACE=full
export PATH=$PATH:${lib.makeBinPath (aw-modules ++ [pkgs.coreutils-full])}
export PATH=$PATH:${lib.makeBinPath (aw-modules ++ [ pkgs.coreutils-full ])}
${getExe' pkgs.coreutils-full "sleep"} 5
${getExe pkgs.aw-qt} --autostart-modules ${aw-modules-list}
''