From 84a76670977e9a4c37dd84dd5406abec5235b060 Mon Sep 17 00:00:00 2001
From: Nikolaos Karaolidis
Date: Thu, 19 Dec 2024 12:35:31 +0000
Subject: [PATCH] Add keys
Signed-off-by: Nikolaos Karaolidis
---
 .../configs/console/gpg-agent/default.nix | 4 ++
 .../console/gpg-agent/import-gpg-keys.sh | 2 +-
 .../user/configs/console/ssh/default.nix | 24 +++++++++++
 hosts/eirene/users/nick/default.nix | 21 +++++++++-
 hosts/elara/users/nikara/default.nix | 42 ++++++++++++++++++-
 scripts/add-host.sh | 1 +
 scripts/remove-host.sh | 3 +-
 7 files changed, 91 insertions(+), 6 deletions(-)
 create mode 100644 hosts/common/user/configs/console/ssh/default.nix
diff --git a/hosts/common/user/configs/console/gpg-agent/default.nix b/hosts/common/user/configs/console/gpg-agent/default.nix
index 58373d2..64cdbdd 100644
--- a/hosts/common/user/configs/console/gpg-agent/default.nix
+++ b/hosts/common/user/configs/console/gpg-agent/default.nix
@@ -10,6 +10,10 @@
 }:
 {
 home-manager.users.${user} = {
+ # gpg --full-generate-key
+ # gpg --list-secret-keys --keyid-format LONG
+ # gpg --export-secret-keys -a $signature > priv.key
+ # gpg --export -a $signature > pub.key
 programs.gpg = {
 enable = true;
 homedir = "${home}/.local/share/gnupg";
diff --git a/hosts/common/user/configs/console/gpg-agent/import-gpg-keys.sh b/hosts/common/user/configs/console/gpg-agent/import-gpg-keys.sh
index 5ff16a8..cd7d09a 100644
--- a/hosts/common/user/configs/console/gpg-agent/import-gpg-keys.sh
+++ b/hosts/common/user/configs/console/gpg-agent/import-gpg-keys.sh
@@ -1,6 +1,6 @@
 install -d -m 700 "${GNUPGHOME}"
-for dir in "${HOME}"/.config/sops-nix/secrets/gpg-agent/*; do
+for dir in "${HOME}"/.config/sops-nix/secrets/gpg/*; do
 keyfile="${dir}/key"
 passfile="${dir}/pass"
diff --git a/hosts/common/user/configs/console/ssh/default.nix b/hosts/common/user/configs/console/ssh/default.nix
new file mode 100644
index 0000000..aaf9f62
--- /dev/null
+++ b/hosts/common/user/configs/console/ssh/default.nix
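Review bot: The four added comments walk through exporting the secret key to a plaintext `priv.key` and use an unexplained placeholder `$signature`, without saying where the export is supposed to end up; the `gpg/personal/key` and `gpg/personal/pass` sops entries elsewhere in this patch suggest that is the destination. I would extend the block with `# $signature: the long key id printed by --list-secret-keys` and `# priv.key / pub.key are unencrypted exports: put them into the sops-encrypted secrets.yaml (gpg/<profile>/key) and delete the files afterwards`. The enclosing `home-manager.users.${user}` attribute set continues outside the hunk.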
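Review bot: The renamed glob on the `for` line is unguarded: when `~/.config/sops-nix/secrets/gpg/` is empty or missing, a POSIX shell or bash without `nullglob` runs the loop once with `dir` set to the literal pattern, so `keyfile` and `passfile` point at paths that do not exist and whatever the body does with them still runs. Either enable `shopt -s nullglob` before the loop, if this script is executed by bash, or make the first statement of the body `[ -d "${dir}" ] || continue`. The loop body continues outside the hunk, so I cannot tell whether it already checks that the files exist.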
@@ -0,0 +1,24 @@
+{
+ user ? throw "user argument is required",
+ home ? throw "home argument is required",
+}:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ home-manager.users.${user} = {
+ programs.ssh = {
+ enable = true;
+ addKeysToAgent = "yes";
+ userKnownHostsFile = lib.strings.concatStringsSep " " [
+ ../../../../../eirene/secrets/ssh_host_ed25519_key.pub
+ ../../../../../elara/secrets/ssh_host_ed25519_key.pub
+ ];
+ };
+
+ services.ssh-agent.enable = true;
+ };
+}
diff --git a/hosts/eirene/users/nick/default.nix b/hosts/eirene/users/nick/default.nix
index a9aba97..7f2c9dd 100644
--- a/hosts/eirene/users/nick/default.nix
+++ b/hosts/eirene/users/nick/default.nix
@@ -29,6 +29,7 @@ in
 (import ../../../common/user/configs/console/pipewire { inherit user home; })
 (import ../../../common/user/configs/console/ranger { inherit user home; })
 (import ../../../common/user/configs/console/sops { inherit user home; })
+ (import ../../../common/user/configs/console/ssh { inherit user home; })
 (import ../../../common/user/configs/console/syncthing { inherit user home; })
 (import ../../../common/user/configs/console/tmux { inherit user home; })
 (import ../../../common/user/configs/console/tree { inherit user home; })
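Review bot: `userKnownHostsFile` is pointed at the two hosts' `ssh_host_ed25519_key.pub` files, but a `.pub` file (`keytype key comment`) is not in known_hosts format (`hostnames keytype key`), so ssh reads the key type as a host pattern and these entries match nothing. The option also replaces the default `~/.ssh/known_hosts`, and because Nix copies paths used in a string into the store, the first listed file — where `StrictHostKeyChecking accept-new` in the per-user match blocks would try to record newly seen keys — is presumably a read-only store path. The system-level `knownHosts` set that `scripts/add-host.sh` already maintains in `hosts/common/system/configs/ssh/default.nix` via `publicKeyFile` is the mechanism that turns a `.pub` file into a valid entry, so I would drop the `userKnownHostsFile` assignment and its two paths from this module; if per-user entries are really wanted they need lines of the form `<hostname> <contents of the .pub file>`.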
@@ -105,8 +106,24 @@ in
 sopsFile = ../../../../secrets/personal/secrets.yaml;
 path = "${home}/.config/git/cookies";
 };
- "gpg-agent/personal/key".sopsFile = ../../../../secrets/personal/secrets.yaml;
- "gpg-agent/personal/pass".sopsFile = ../../../../secrets/personal/secrets.yaml;
+
+ "ssh/personal/git/key" = {
+ sopsFile = ../../../../secrets/personal/secrets.yaml;
+ path = "${home}/.ssh/ssh_git_personal_ed25519_key";
+ };
+ "ssh/personal/git/pass".sopsFile = ../../../../secrets/personal/secrets.yaml;
+
+ "gpg/personal/key".sopsFile = ../../../../secrets/personal/secrets.yaml;
+ "gpg/personal/pass".sopsFile = ../../../../secrets/personal/secrets.yaml;
+ };
+
+ programs.ssh.matchBlocks = {
+ "github.com" = {
+ hostname = "github.com";
+ user = "git";
+ identityFile = "${home}/.ssh/ssh_git_personal_ed25519_key";
+ extraOptions.StrictHostKeyChecking = "accept-new";
+ };
 };
 theme.wallpaper = ../../../../static/wallpapers/clouds.png;
diff --git a/hosts/elara/users/nikara/default.nix b/hosts/elara/users/nikara/default.nix
index d6bd9d5..0d386e3 100644
--- a/hosts/elara/users/nikara/default.nix
+++ b/hosts/elara/users/nikara/default.nix
@@ -27,6 +27,7 @@ in
 (import ../../../common/user/configs/console/pipewire { inherit user home; })
 (import ../../../common/user/configs/console/ranger { inherit user home; })
 (import ../../../common/user/configs/console/sops { inherit user home; })
+ (import ../../../common/user/configs/console/ssh { inherit user home; })
 (import ../../../common/user/configs/console/tmux { inherit user home; })
 (import ../../../common/user/configs/console/tree { inherit user home; })
 (import ../../../common/user/configs/console/wget { inherit user home; })
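Review bot: `extraOptions.StrictHostKeyChecking = "accept-new"` on the `github.com` match block makes the first connection trust whichever host key is presented and pin it from then on, while the system-level `knownHosts` set this repo already maintains (the `sed` target in `scripts/add-host.sh`) could hold GitHub's published host keys and keep the check strict. I would add a `github.com` entry there with `publicKey` set to the key GitHub publishes and delete the `extraOptions` line; the same applies to the three match blocks in the elara hunk of this patch. Separately, the key passphrase is provisioned as `ssh/personal/git/pass` but nothing in this hunk consumes it, so with `addKeysToAgent = "yes"` ssh will presumably still prompt for it interactively — a one-line comment saying whether that is intended would help. The enclosing `sops.secrets` attribute set starts outside the hunk.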
@@ -99,14 +100,51 @@ in
 sopsFile = ../../../../secrets/personal/secrets.yaml;
 path = "${home}/.config/git/cookies";
 };
- "gpg-agent/personal/key".sopsFile = ../../../../secrets/personal/secrets.yaml;
- "gpg-agent/personal/pass".sopsFile = ../../../../secrets/personal/secrets.yaml;
+
+ "ssh/personal/git/key" = {
+ sopsFile = ../../../../secrets/personal/secrets.yaml;
+ path = "${home}/.ssh/ssh_git_personal_ed25519_key";
+ };
+ "ssh/personal/git/pass".sopsFile = ../../../../secrets/personal/secrets.yaml;
+
+ "gpg/personal/key".sopsFile = ../../../../secrets/personal/secrets.yaml;
+ "gpg/personal/pass".sopsFile = ../../../../secrets/personal/secrets.yaml;
 # SAS
 "globalprotect/server".sopsFile = ../../../../secrets/sas/secrets.yaml;
 "globalprotect/email".sopsFile = ../../../../secrets/sas/secrets.yaml;
 "globalprotect/password".sopsFile = ../../../../secrets/sas/secrets.yaml;
 "globalprotect/gateway".sopsFile = ../../../../secrets/sas/secrets.yaml;
+
+ "ssh/sas/git/key" = {
+ sopsFile = ../../../../secrets/sas/secrets.yaml;
+ path = "${home}/.ssh/ssh_git_sas_ed25519_key";
+ };
+ "ssh/sas/git/pass".sopsFile = ../../../../secrets/sas/secrets.yaml;
+ };
+
+ programs.ssh.matchBlocks = {
+ # Personal
+ "github.com/karaolidis" = {
+ hostname = "github.com";
+ user = "git";
+ identityFile = "${home}/.ssh/ssh_git_personal_ed25519_key";
+ extraOptions.StrictHostKeyChecking = "accept-new";
+ };
+
+ # SAS
+ "github.com" = {
+ hostname = "github.com";
+ user = "git";
+ identityFile = "${home}/.ssh/ssh_git_sas_ed25519_key";
+ extraOptions.StrictHostKeyChecking = "accept-new";
+ };
+ "gitlab.sas.com" = {
+ hostname = "gitlab.sas.com";
+ user = "git";
+ identityFile = "${home}/.ssh/ssh_git_sas_ed25519_key";
+ extraOptions.StrictHostKeyChecking = "accept-new";
+ };
 };
 theme.wallpaper = ../../../../static/wallpapers/snow.jpg;
diff --git a/scripts/add-host.sh b/scripts/add-host.sh
index 12101de..cc7788b 100755
--- a/scripts/add-host.sh
+++ b/scripts/add-host.sh
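Review bot: The match block name `github.com/karaolidis` is unlikely to be reachable from a git remote: git only treats a `user@host:path` URL as SSH when there is no slash before the first colon, so `git@github.com/karaolidis:…` is parsed as a local path, and an `ssh://` URL resolves the host as `github.com` and lands on the SAS block below instead. A slash-free alias such as `"github.com-karaolidis"` (remotes then look like `git@github.com-karaolidis:karaolidis/<repo>.git`, a constructed example) keeps `hostname = "github.com"` doing what the block intends. The `accept-new` host-key pinning concern is raised on the eirene hunk of this patch and applies to all three blocks here; the enclosing `sops.secrets` set starts outside the hunk.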
@@ -23,6 +23,7 @@ for SOPS_FILE in $(find . -type f -name "sops.yaml"); do
 done
 sed -i "/knownHosts = {/a\ ${HOST}.publicKeyFile = ../../../../${HOST}/secrets/ssh_host_ed25519_key.pub;" ./hosts/common/system/configs/ssh/default.nix
+sed -i "/userKnownHostsFile = lib.strings.concatStringsSep " " [/a\ \${../../../../../${HOST}/secrets/ssh_host_ed25519_key.pub}" ./hosts/common/user/configs/console/ssh/default.nix
 "$(dirname "$0")/update-keys.sh" "$2"
diff --git a/scripts/remove-host.sh b/scripts/remove-host.sh
index b861753..7e6d080 100755
--- a/scripts/remove-host.sh
+++ b/scripts/remove-host.sh
@@ -18,7 +18,8 @@ for SOPS_FILE in $(find . -type f -name "sops.yaml"); do
 sed -i "/ - \*${HOST}/d" "${SOPS_FILE}"
 done
-sed -i "/${HOST}.publicKeyFile/d" ./hosts/common/system/configs/ssh/default.nix
+sed -i "/${HOST}/d" ./hosts/common/system/configs/ssh/default.nix
+sed -i "/${HOST}/d" ./hosts/common/user/configs/console/ssh/default.nix
 "$(dirname "$0")/update-keys.sh" "$2"
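Review bot: The added `sed` line in add-host.sh is broken by its own quoting: the `" "` in the middle of the double-quoted script closes and reopens the string, so the shell passes `/userKnownHostsFile = lib.strings.concatStringsSep ` (an unterminated address) as the sed script and ` [/a\ ${…}` as the file name; even with the quotes escaped, the bare `[` opens an unterminated bracket expression, and the inserted `\${…}` wraps the path in `${}`, which is not valid Nix inside a list. The line should read `sed -i "/userKnownHostsFile = lib.strings.concatStringsSep \" \" \[/a\ ../../../../../${HOST}/secrets/ssh_host_ed25519_key.pub" ./hosts/common/user/configs/console/ssh/default.nix`, matching the bare paths already in that list. The surrounding `for` loop starts outside the hunk.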
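Review bot: Both new `sed` commands in remove-host.sh delete every line containing the bare, unescaped `${HOST}` anywhere in the file, so a host whose name is a substring of another host's name, or that appears in a comment or another option, takes those lines with it; the replaced pattern at least anchored on `.publicKeyFile`. A narrower pattern keyed on the path both files reference, `sed -i "/\/${HOST}\/secrets\/ssh_host_ed25519_key\.pub/d" ./hosts/common/system/configs/ssh/default.nix` and the same for `./hosts/common/user/configs/console/ssh/default.nix`, removes only the two entries that add-host.sh creates. The surrounding `for` loop starts outside the hunk.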