poz/niksos
poz/niksos
1
3
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity
niksos/modules/services/ssh.nix
jacekpoz 7bde656c9f
ssh-agent (this shit is crazy read the whole commit message) 
so first when I wanted to configure ssh to use the correct keys by
default I found some guide that used IdentitiesOnly yes so I used it
too without even knowing what it does

then later when I wanted to nix my ssh config I noticed that it's set to
true and didn't know what it does so I read the manpage

I wrote the description of the `indentitiesOnly` option of my wrapper
module based on that but I didn't really understand what it actually
does

well, as you can see in the commit history, a day or two ago (forgot) I
started using an ssh key to sign my commits and to make things even more
convenient I moved all of my private ssh keys to my keepassxc database
as attachments

I tested it on my main laptop and everything worked fine but on that
laptop all the keys were still in ~/.ssh as I didn't just want to
immediately delete them and risk losing any

well that's what hid this bug - on the main laptop when pushing, it just
used the keys in ~/.ssh, which I don't have on this laptop (the one I
take to classes) because, well, I did this not to have to copy both the
keepassxc database and ~/.ssh between machines - I only copied the
keepassxc database as it had all the keys in it

well turns out with the config before this commit, it would only try to
use keys in ~/.ssh which aren't - and won't - be here so it failed

this option makes it actually use keys supplied by ssh-agent, which
keepassxc acts as and is the only way to get them in the current setup
2024-03-05 17:43:10 +01:00

116 lines
4.4 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}: with lib; let
cfg = config.myOptions.services.ssh;
in {
options.myOptions.services.ssh = {
daemon = mkOption {
description = "sshd options";
type = with types; submodule {
options = {
enable = mkEnableOption "enable sshd";
passwordAuth = mkOption {
description = "allow password auth";
default = false;
type = bool;
};
allowRoot = mkOption {
description = "allow root login";
default = false;
type = bool;
};
};
};
};
agent = mkOption {
description = "ssh agent options";
type = with types; submodule {
options = {
enable = mkEnableOption "enable ssh-agent";
hostAliases = mkOption {
description = "host aliases";
type = with types; attrsOf (submodule {
options = {
hostName = mkOption {
description = "hostname to ssh into";
type = types.str;
};
port = mkOption {
description = "port to ssh into";
type = with types; nullOr number;
default = null;
};
user = mkOption {
description = "ssh user";
type = types.str;
default = "git";
};
identityFile = mkOption {
description = "path to the private key";
type = with types; nullOr path;
default = null;
};
identitiesOnly = mkOption {
description = "whether ssh should not use additional identities offered by ssh-agent";
type = types.bool;
default = false;
};
};
});
};
};
};
};
};
config = mkMerge [
(mkIf cfg.daemon.enable {
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
};
};
})
(mkIf cfg.agent.enable {
programs.ssh = {
enableAskPassword = true;
askPassword = "${pkgs.libsForQt5.ksshaskpass}/bin/ksshaskpass";
extraConfig = ''
AddKeysToAgent yes
${concatStrings (mapAttrsToList (name: value: ''
Host ${name}
HostName ${value.hostName}
${if value.port != null then "Port ${toString value.port}" else ""}
User ${value.user}
${if value.identityFile != null then "IdentityFile ${value.identityFile}" else ""}
IdentitiesOnly ${if value.identitiesOnly then "yes" else "no"}
'') cfg.agent.hostAliases)}
'';
};
systemd.user.services.ssh-agent = {
enable = true;
description = "SSH key agent";
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.openssh}/bin/ssh-agent -D -a $SSH_AUTH_SOCK";
};
environment = {
SSH_AUTH_SOCK = "%t/ssh-agent.socket";
DISPLAY = ":0";
};
wantedBy = [ "default.target" ];
};
environment.sessionVariables = {
SSH_AUTH_SOCK = "\$XDG_RUNTIME_DIR/ssh-agent.socket";
};
})
];
}
Reference in a new issue View git blame Copy permalink