forked from poz/niksos
jacekpoz
7bde656c9f
so first when I wanted to configure ssh to use the correct keys by default I found some guide that used IdentitiesOnly yes so I used it too without even knowing what it does then later when I wanted to nix my ssh config I noticed that it's set to true and didn't know what it does so I read the manpage I wrote the description of the `indentitiesOnly` option of my wrapper module based on that but I didn't really understand what it actually does well, as you can see in the commit history, a day or two ago (forgot) I started using an ssh key to sign my commits and to make things even more convenient I moved all of my private ssh keys to my keepassxc database as attachments I tested it on my main laptop and everything worked fine but on that laptop all the keys were still in ~/.ssh as I didn't just want to immediately delete them and risk losing any well that's what hid this bug - on the main laptop when pushing, it just used the keys in ~/.ssh, which I don't have on this laptop (the one I take to classes) because, well, I did this not to have to copy both the keepassxc database and ~/.ssh between machines - I only copied the keepassxc database as it had all the keys in it well turns out with the config before this commit, it would only try to use keys in ~/.ssh which aren't - and won't - be here so it failed this option makes it actually use keys supplied by ssh-agent, which keepassxc acts as and is the only way to get them in the current setup
116 lines
4.4 KiB
Nix
116 lines
4.4 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}: with lib; let
|
|
cfg = config.myOptions.services.ssh;
|
|
in {
|
|
options.myOptions.services.ssh = {
|
|
daemon = mkOption {
|
|
description = "sshd options";
|
|
type = with types; submodule {
|
|
options = {
|
|
enable = mkEnableOption "enable sshd";
|
|
passwordAuth = mkOption {
|
|
description = "allow password auth";
|
|
default = false;
|
|
type = bool;
|
|
};
|
|
allowRoot = mkOption {
|
|
description = "allow root login";
|
|
default = false;
|
|
type = bool;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
agent = mkOption {
|
|
description = "ssh agent options";
|
|
type = with types; submodule {
|
|
options = {
|
|
enable = mkEnableOption "enable ssh-agent";
|
|
hostAliases = mkOption {
|
|
description = "host aliases";
|
|
type = with types; attrsOf (submodule {
|
|
options = {
|
|
hostName = mkOption {
|
|
description = "hostname to ssh into";
|
|
type = types.str;
|
|
};
|
|
port = mkOption {
|
|
description = "port to ssh into";
|
|
type = with types; nullOr number;
|
|
default = null;
|
|
};
|
|
user = mkOption {
|
|
description = "ssh user";
|
|
type = types.str;
|
|
default = "git";
|
|
};
|
|
identityFile = mkOption {
|
|
description = "path to the private key";
|
|
type = with types; nullOr path;
|
|
default = null;
|
|
};
|
|
identitiesOnly = mkOption {
|
|
description = "whether ssh should not use additional identities offered by ssh-agent";
|
|
type = types.bool;
|
|
default = false;
|
|
};
|
|
};
|
|
});
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkMerge [
|
|
(mkIf cfg.daemon.enable {
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
PermitRootLogin = "no";
|
|
};
|
|
};
|
|
})
|
|
(mkIf cfg.agent.enable {
|
|
programs.ssh = {
|
|
enableAskPassword = true;
|
|
askPassword = "${pkgs.libsForQt5.ksshaskpass}/bin/ksshaskpass";
|
|
extraConfig = ''
|
|
AddKeysToAgent yes
|
|
|
|
${concatStrings (mapAttrsToList (name: value: ''
|
|
Host ${name}
|
|
HostName ${value.hostName}
|
|
${if value.port != null then "Port ${toString value.port}" else ""}
|
|
User ${value.user}
|
|
${if value.identityFile != null then "IdentityFile ${value.identityFile}" else ""}
|
|
IdentitiesOnly ${if value.identitiesOnly then "yes" else "no"}
|
|
'') cfg.agent.hostAliases)}
|
|
'';
|
|
};
|
|
|
|
systemd.user.services.ssh-agent = {
|
|
enable = true;
|
|
description = "SSH key agent";
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
ExecStart = "${pkgs.openssh}/bin/ssh-agent -D -a $SSH_AUTH_SOCK";
|
|
};
|
|
environment = {
|
|
SSH_AUTH_SOCK = "%t/ssh-agent.socket";
|
|
DISPLAY = ":0";
|
|
};
|
|
wantedBy = [ "default.target" ];
|
|
};
|
|
|
|
environment.sessionVariables = {
|
|
SSH_AUTH_SOCK = "\$XDG_RUNTIME_DIR/ssh-agent.socket";
|
|
};
|
|
})
|
|
];
|
|
}
|