diff --git a/SwarselSystems.org b/SwarselSystems.org index d7c3fc2..8e8a375 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -8866,6 +8866,7 @@ In the respective modules that use home-manager secrets (for example [[#h:506d01 inherit (config.repo.secrets.common.emacs) radicaleUser; certsSopsFile = self + /secrets/repo/certs.yaml; + workSopsFile = self + /secrets/work/secrets.yaml; in { config = { } // lib.optionalAttrs withHomeManager { @@ -8891,6 +8892,8 @@ In the respective modules that use home-manager secrets (for example [[#h:506d01 github-forge-token = { owner = mainUser; }; }) // (lib.optionalAttrs (modules ? optional-work) { harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; + yubikey-1 = { sopsFile = workSopsFile; owner = mainUser; }; + ucKey = { sopsFile = workSopsFile; owner = mainUser; }; }) // (lib.optionalAttrs (modules ? optional-noctalia) { radicale-token = { owner = mainUser; }; }) // (lib.optionalAttrs modules.anki { @@ -9302,7 +9305,7 @@ This system, while highly pleasant to work with during everyday use, sometimes h #+begin_src nix-ts :tangle modules/nixos/common/pii.nix # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix - { config, inputs, lib, nodes, globals, ... }: + { config, inputs, lib, homeLib, nodes, globals, ... }: let # If the given expression is a bare set, it will be wrapped in a function, # so that the imported file can always be applied to the inputs, similar to 
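Review bot: In the `@@ -8891` hunk, `yubikey-1` and `ucKey` are added with nothing that tells a reader what each secret holds or which program consumes it from the default secret path, unlike the neighbouring `harica-root-ca` whose `path` documents its consumer; a one-line comment per entry, e.g. `# yubikey-1: <what it holds>, read by <consumer>` with the placeholders filled in, would make the declarations self-explaining. The same two entries are also declared in the work module (`@@ -28254` hunk of this file and `modules/home/optional/work.nix`), so the repository now carries two copies of each declaration; this follows the existing `harica-root-ca` pattern, but if both target the same `sops.secrets` option one copy is redundant and the two could drift apart silently. The enclosing `lib.optionalAttrs` chain starts and ends outside the hunk, and the tangled `modules/nixos/common/home-manager-secrets.nix` hunk carries the same lines.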
@@ -9356,7 +9359,7 @@ This system, while highly pleasant to work with during everyday use, sometimes h secrets = lib.mkOption { readOnly = true; - default = lib.mapAttrs (_: x: importEncrypted x { inherit lib nodes globals inputs; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles; + default = lib.mapAttrs (_: x: importEncrypted x { inherit lib homeLib nodes globals inputs config; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles; type = lib.types.unspecified; description = "Exposes the loaded repo secrets. This option is read-only."; }; @@ -10736,9 +10739,20 @@ Also, since I use a GPG key in sops, it seems that scdaemon creates an instance { options.swarselmodules.yubikey = lib.mkEnableOption "yubikey config"; config = lib.mkIf config.swarselmodules.yubikey { - programs.ssh.startAgent = false; + programs.ssh = { + startAgent = false; # yes we want this to use FIDO2 keys + # enableAskPassword = true; + # askPassword = lib.getExe pkgs.kdePackages.ksshaskpass; + }; + services = { + gnome.gcr-ssh-agent.enable = false; + yubikey-agent.enable = false; + pcscd.enable = true; - services.pcscd.enable = true; + udev.packages = with pkgs; [ + yubikey-personalization + ]; + }; hardware.gpgSmartcards.enable = true; @@ -10757,13 +10771,12 @@ Also, since I use a GPG key in sops, it seems that scdaemon creates an instance }; }; - services.udev.packages = with pkgs; [ - yubikey-personalization + environment.systemPackages = with pkgs; [ + kdePackages.ksshaskpass ]; - }; } -#+end_src + #+end_src ***** Ledger :PROPERTIES: @@ -21179,7 +21192,7 @@ It is very convenient to have SSH aliases in place for machines that I use. This ''; matchBlocks = { "*" = { - forwardAgent = true; + forwardAgent = false; addKeysToAgent = "no"; compression = false; serverAliveInterval = 0; 
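Review bot: Passing `config` into `importEncrypted` on the new `default =` line lets the decrypted secret expressions read any NixOS option, including `config.repo.secrets` itself, which is the option this default defines; any secret file that touches that option will evaluate into infinite recursion, and nothing on the line restricts what may be read. A comment such as `# config is passed through for <which option the secret files read>; secret files must not read config.repo.secrets` would make the intended contract visible, or pass only the specific option values the secret files need instead of the whole `config`. The `@@ -9302` hunk also makes `homeLib` a required module argument; unless it is supplied through `specialArgs` or `_module.args` somewhere outside this diff, module evaluation fails with a missing-argument error. The tangled `modules/nixos/common/pii.nix` hunks carry the same two changes.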
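Review bot: The `- };` removed near the end of this hunk (`@@ -10757`) closed the `config = lib.mkIf config.swarselmodules.yubikey {` attrset opened in the `@@ -10736` hunk, and nothing on the new side re-closes it: the added `programs.ssh = { … };` and `services = { … };` blocks are balanced on their own, and the replacement of `services.udev.packages = with pkgs; [` by `environment.systemPackages = with pkgs; [` reuses the existing `];` but not the `};` — so, as far as the two hunks show, the file now ends `];` `}` and no longer parses; restoring `};` before the final `}` fixes it. Separately, `kdePackages.ksshaskpass` is installed while the two lines that would wire it (`# enableAskPassword = true;` and `# askPassword = …` in the `@@ -10736` hunk) stay commented out, so the package is installed but unused; either drop it or replace the commented lines with a comment saying why the askpass helper is installed but not enabled. The tangled `modules/nixos/client/hardwarecompatibility-yubikey.nix` hunks have the same two issues.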
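Review bot: With `forwardAgent = false` in the `"*"` block (`@@ -21179`), any host that still needs agent forwarding has to set `forwardAgent = true` in its own match block, and that block must be emitted before `"*"`: ssh keeps the first value it sees for each option, and home-manager orders `matchBlocks` entries that carry no DAG annotations by attribute name, which in practice puts `"*"` first, so per-host overrides would be silently ignored unless `"*"` is declared with `lib.hm.dag.entryAfter` or the hosts with `lib.hm.dag.entryBefore [ "*" ]`. This ordering predates the commit, but the flip is what makes it matter now; if forwarding is never wanted, a comment on the line, e.g. `forwardAgent = false; # never forward the agent; use ProxyJump for multi-hop access`, records the decision. The enclosing `matchBlocks` attrset starts and ends outside the hunk, and the tangled `modules/home/common/ssh.nix` hunk is identical.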
@@ -27494,6 +27507,7 @@ When setting up a new machine: inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses; inherit (confLib.getConfig.repo.secrets.local.work) mailAddress; + sopsFile = self + /secrets/work/secrets.yaml; certsSopsFile = self + /secrets/repo/certs.yaml; in { @@ -27638,7 +27652,7 @@ When setting up a new machine: programs = let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 clouds; + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long path1 site1 site2 site3 site4 site5 site6 site7 clouds; in { openstackclient = { @@ -27693,41 +27707,7 @@ When setting up a new machine: }; }; - ssh = { - matchBlocks = { - "${loc1}" = { - hostname = "${loc1}.${domain2}"; - user = user4; - }; - "${loc1}.stg" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.staging" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.dev" = { - hostname = "${loc1}.${lifecycle2}.${domain2}"; - user = user4; - }; - "${loc2}" = { - hostname = "${loc2}.${domain1}"; - user = user1Long; - }; - "${loc2}.stg" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "${loc2}.staging" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "*.${domain1}" = { - user = user1Long; - }; - }; - }; + ssh.matchBlocks = confLib.getConfig.repo.secrets.local.work.sshConfig; firefox = { profiles = @@ -28254,6 +28234,8 @@ When setting up a new machine: path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; + yubikey-1 = { inherit sopsFile; owner = mainUser; }; + ucKey = { inherit sopsFile; owner = mainUser; }; }; }; diff --git a/hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc index beb5c3f..84a7b9f 100644 
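Review bot: The new `let` binding in the `@@ -27494` hunk is named `sopsFile` while the identical path is bound as `workSopsFile` in the home-manager-secrets hunk earlier in this file, and its neighbour here is `certsSopsFile`; the generic name also reads like the option name at the `inherit sopsFile;` use sites in the `@@ -28254` hunk, which hides that a specific file is meant. Binding it as `workSopsFile = self + /secrets/work/secrets.yaml;` and writing `sopsFile = workSopsFile;` at the use sites keeps the two modules in step. The enclosing `let` begins outside the hunk, and the tangled `modules/home/optional/work.nix` hunks carry the same binding.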
--- a/hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc
+++ b/hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc
@@ -1,5 +1,5 @@
 {
-  "data": "ENC[AES256_GCM,data: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,iv:9SAQXPwrhy5yjkNxn1lITD77MjqdrYOSlFpUBE8a/fY=,tag:tYApnwq2auUk+/N9alPX3w==,type:str]",
+  "data": "ENC[AES256_GCM,data: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,iv:I5pCXGk/JXER4l9Jrqu7PfF1eKgD5OdKNvjA6HE5lfQ=,tag:u2gosk6uo6GN4+JxJsV9Ew==,type:str]",
   "sops": {
     "age": [
       {
@@ -7,8 +7,8 @@
         "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsTXhHajBUQnY4MzJuTW5u\nME4vWHJrRCtQMWhWQ1pvU3h1UWVielFQSFFRCkl2RmpTRDh5Z3Q5UWcwS3RCVHds\nM05GNi8vNnpwS3FZcDBGWVdlZEdyVEUKLS0tIEM1SWdtZGV4QjhpaktRNkw0NDl1\neWlYN0tDMUhsWG1OSm9xWlM2VWJKcXcKa9aySsFOXPdwkmrmFc6X+WZT67vcuJf0\ndd1soIklu7xRuNpGKMuZbNKKgyRZnGrcUZUwwGIlJ2KRDag2risOXw==\n-----END AGE ENCRYPTED FILE-----\n"
       }
     ],
-    "lastmodified": "2025-10-21T19:32:24Z",
-    "mac": "ENC[AES256_GCM,data:wM862FQH/qX/abuD+krJOazli9Ci5GrpLtdcnzFgKCeNdjA2cfZ8M3DyzsBwMXjp6HxBHLyO7QXGcQkx3kIKGnRhEBuQzVOtrZhqcDi2Ho8iBV8Dh4xkhcpBYufw7xP8hGWg6ZVZ4JyM3P4NfAdxbfWTdc1VMStAafJ2SZ3pAYI=,iv:tDAKNe8LV40hRCqKzN6j6B71IV81SnrBgerxGPzU4Zk=,tag:7ZsST8pl9TjMog0dNKcUcA==,type:str]",
+    "lastmodified": "2026-03-24T18:37:56Z",
+    "mac": "ENC[AES256_GCM,data:0VwPHOcQi8uAzo7F+IKpMfs+UlcaKflC8xPYcT1ITY/PNwZD/mSh18oOjZ0J90UepMysHtYRnJ7BxZSYkBCp+GFcYWYdHrNhYdUOvI5wwTz3FCw4ybaZCmepPFIJl/7LOYX7lQnxegGWFyyVpjxGWh2pe3CIbs+g3ev+EPzqA9E=,iv:cTtBXjwJaUImChgTuPfiUqfXheD8QA402+8Fd0FWor8=,tag:WAdYeB690oI0ILqP05sTTQ==,type:str]",
     "pgp": [
       {
         "created_at": "2025-12-02T14:58:23Z",
@@ -17,6 +17,6 @@
       }
     ],
     "unencrypted_suffix": "_unencrypted",
-    "version": "3.11.0"
+    "version": "3.12.1"
   }
 }
diff --git a/modules/home/common/ssh.nix b/modules/home/common/ssh.nix
index c4fc482..ea81f5e 100644
--- a/modules/home/common/ssh.nix
+++ b/modules/home/common/ssh.nix
@@ -11,7 +11,7 @@ ''; matchBlocks = { "*" = { - forwardAgent = true; + forwardAgent = false; addKeysToAgent = "no"; compression = false; serverAliveInterval = 0; diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix index e1f24fe..c9f7640 100644 --- a/modules/home/optional/work.nix +++ b/modules/home/optional/work.nix @@ -4,6 +4,7 @@ let inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses; inherit (confLib.getConfig.repo.secrets.local.work) mailAddress; + sopsFile = self + /secrets/work/secrets.yaml; certsSopsFile = self + /secrets/repo/certs.yaml; in { @@ -148,7 +149,7 @@ in programs = let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 clouds; + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long path1 site1 site2 site3 site4 site5 site6 site7 clouds; in { openstackclient = { @@ -203,41 +204,7 @@ in }; }; - ssh = { - matchBlocks = { - "${loc1}" = { - hostname = "${loc1}.${domain2}"; - user = user4; - }; - "${loc1}.stg" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.staging" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.dev" = { - hostname = "${loc1}.${lifecycle2}.${domain2}"; - user = user4; - }; - "${loc2}" = { - hostname = "${loc2}.${domain1}"; - user = user1Long; - }; - "${loc2}.stg" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "${loc2}.staging" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "*.${domain1}" = { - user = user1Long; - }; - }; - }; + ssh.matchBlocks = confLib.getConfig.repo.secrets.local.work.sshConfig; firefox = { profiles = 
@@ -764,6 +731,8 @@ in path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; + yubikey-1 = { inherit sopsFile; owner = mainUser; }; + ucKey = { inherit sopsFile; owner = mainUser; }; }; }; diff --git a/modules/nixos/client/hardwarecompatibility-yubikey.nix b/modules/nixos/client/hardwarecompatibility-yubikey.nix index 58b0078..8c5e11e 100644 --- a/modules/nixos/client/hardwarecompatibility-yubikey.nix +++ b/modules/nixos/client/hardwarecompatibility-yubikey.nix @@ -6,9 +6,20 @@ in { options.swarselmodules.yubikey = lib.mkEnableOption "yubikey config"; config = lib.mkIf config.swarselmodules.yubikey { - programs.ssh.startAgent = false; + programs.ssh = { + startAgent = false; # yes we want this to use FIDO2 keys + # enableAskPassword = true; + # askPassword = lib.getExe pkgs.kdePackages.ksshaskpass; + }; + services = { + gnome.gcr-ssh-agent.enable = false; + yubikey-agent.enable = false; + pcscd.enable = true; - services.pcscd.enable = true; + udev.packages = with pkgs; [ + yubikey-personalization + ]; + }; hardware.gpgSmartcards.enable = true; @@ -27,9 +38,8 @@ in }; }; - services.udev.packages = with pkgs; [ - yubikey-personalization + environment.systemPackages = with pkgs; [ + kdePackages.ksshaskpass ]; - }; } diff --git a/modules/nixos/common/home-manager-secrets.nix b/modules/nixos/common/home-manager-secrets.nix index ef4d8a3..7d6e790 100644 --- a/modules/nixos/common/home-manager-secrets.nix +++ b/modules/nixos/common/home-manager-secrets.nix @@ -4,6 +4,7 @@ let inherit (config.repo.secrets.common.emacs) radicaleUser; certsSopsFile = self + /secrets/repo/certs.yaml; + workSopsFile = self + /secrets/work/secrets.yaml; in { config = { } // lib.optionalAttrs withHomeManager { 
@@ -29,6 +30,8 @@ in
       github-forge-token = { owner = mainUser; };
     }) // (lib.optionalAttrs (modules ? optional-work) {
       harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; };
+      yubikey-1 = { sopsFile = workSopsFile; owner = mainUser; };
+      ucKey = { sopsFile = workSopsFile; owner = mainUser; };
     }) // (lib.optionalAttrs (modules ? optional-noctalia) {
       radicale-token = { owner = mainUser; };
     }) // (lib.optionalAttrs modules.anki {
diff --git a/modules/nixos/common/pii.nix b/modules/nixos/common/pii.nix
index d10ed18..49f0540 100644
--- a/modules/nixos/common/pii.nix
+++ b/modules/nixos/common/pii.nix
@@ -1,5 +1,5 @@
 # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix
-{ config, inputs, lib, nodes, globals, ... }:
+{ config, inputs, lib, homeLib, nodes, globals, ... }:
 let
   # If the given expression is a bare set, it will be wrapped in a function,
   # so that the imported file can always be applied to the inputs, similar to
@@ -53,7 +53,7 @@ in
     secrets = lib.mkOption {
       readOnly = true;
-      default = lib.mapAttrs (_: x: importEncrypted x { inherit lib nodes globals inputs; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles;
+      default = lib.mapAttrs (_: x: importEncrypted x { inherit lib homeLib nodes globals inputs config; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles;
       type = lib.types.unspecified;
       description = "Exposes the loaded repo secrets. This option is read-only.";
     };
diff --git a/secrets/work/secrets.yaml b/secrets/work/secrets.yaml
index 6537a9b..d3b934b 100644
--- a/secrets/work/secrets.yaml
+++ b/secrets/work/secrets.yaml
@@ -10,6 +10,8 @@ govcds: ENC[AES256_GCM,data:X5R+N9A1ZkCMGJb4yNiAcfPxzQ==,iv:8Yx06B/R/9p6oTOnqPod
 govchost: ENC[AES256_GCM,data:l/5kcvUQkT/4TYl1j7Ws,iv:Lc+D4ukKkTrIIg8sKy/9NYX1D6xMgL8oEGWZ9DzJtFM=,tag:MuvEJEVYNchT1iDTRPwvbQ==,type:str]
 govcnetwork: ENC[AES256_GCM,data:Hevnb0fAMbXTrg1CCmAgwZbJ+sxaTUgJLRc=,iv:UoNyPYuKnACv/euoE5SGlsF4/0ni32+ysLc7nM/pCrQ=,tag:jSHYFecVUvmTKr6AmNLbgw==,type:str]
 govcpool: ENC[AES256_GCM,data:sfglbCi3,iv:UdvDgyI8AAFdfOxKD1sVYCof7rXFPavq8eYDaK6Kp2I=,tag:iMn7XPf0rmql2EiaqsAn8w==,type:str]
+yubikey-1: ENC[AES256_GCM,data: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,iv:etzqt2BFRzxXE32s2XBoTNE79k6jWCkoG+HsqnKLezE=,tag:L+SsPjqUC/vD8oFR5djnxw==,type:str]
+ucKey: ENC[AES256_GCM,data:V07A8EsZcqNlggxehQ/RsYFZWkyce+RDUT01zweE2y972WtqX3cyWHI2ZrW0FoVxHdGMW2IEDptqERiBdnJZt9OpnDYkN88/ZGzXHRMPBIhDlxM9+ww9sDepfoA7TIxnkM68TjP4WswkHQejhR/+dQXd0Go7ej5k/83FvHvDJ+RNi7bBN9kwGtlv6O0DeqZwahzjGwlqzQBZD5RoWC+Hv6v50y8KA4tMFUgJmUKpUJKyN12W+Wd8g/aLNzRQWEqy8TadOlg3rOLEYJLiR4lkUUSVUMtRESI+1UKHQzpGgEboC2dcHJ5wwRYHntLtCXy9SuX9Uwbbs/iyehdAmvNp4h9pWocL7GzverAatl3JHznRfyI5HHAUcLwZcAc1yJ1w225PiWjudJGPUTDLyvq0DR8wzZQtiziv4agNqkqtZ53pCPKJvwB5wKvQvbJHB/4l6ZxFNSo20/1GT4HCrSP8Q+w+H25NAM90HFVKWBclv7ZG/hhnbcqCUrE37aWVl/nPVZMThg6ySH3iv51eV4jGUFctzFj0YClmePQH,iv:MhcRyy718AFpwfkUrY40sS5Ry1tFpexx/ck5EF5JRyo=,tag:EQWcodkt9RgKllE02L7yow==,type:str]
 sops:
     age:
         - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
@@ -21,8 +23,8 @@ sops:
             VDhiYldnZ3piamFoUHBuU0ZVaGQvbk0K/n41+x2YL/rpaEAUbjvCtyUmw1uwCXVo
             jmH2cXi/GH4CSoLY6oekq1m9dY/Jxgl7BK+KdRwf79IwhpP98E0xzA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-03T13:26:17Z"
-    mac: ENC[AES256_GCM,data:35J6pbaTXcq8zW3wtLqBAHSTaWjCxx+BsOZlKWNwxEOCkGzXIIKFtakZJIaMktgPNLvYOlUEOP7dhjUc5IvJCM5beMSNOjBVJJNnLkKQv5sCJK+4p4uTzXo3Neht/Y3xan4DQItdm5lwwQpyNlCecGynVjqN+F44liyxsAR8gtQ=,iv:gaVY3PUn7NdmBNAvuvij990T5pRrAfqY1qgCPWxGBiA=,tag:CuOMqH34hlQX8WPikAL0qw==,type:str]
+    lastmodified: "2026-03-24T18:20:57Z"
+    mac: ENC[AES256_GCM,data:0pRVfuZN0rQqGIkOiq91LE0UPxNTY7Os+iR1uMISOyQ8UDdM5aN5LGGYIAOIkFiJBO8CZbXzu1BerywUA6vb3odGq/9J8aQSHOB39wxOssjarPqwLlutMnLzo/eJWdM8c0DJ3pGUUIJPjPcJr9EEblyY9+PYOPt4QgCx/6/JwoQ=,iv:xusha09BS0IX7qZoQXqP3K7EseDLsBA3LHJ8T1bbD0I=,tag:GJmjKk0P0pO9P2aVBAeYQw==,type:str]
     pgp:
         - created_at: "2025-12-02T15:00:16Z"
           enc: |-
@@ -56,4 +58,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 4BE7925262289B476DBBC17B76FD3810215AE097
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.12.1