swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2026-04-14 05:09:09 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat[work]: prepare for sk keys

Browse source
This commit is contained in:
Leon Schwarzäugl 2026-03-25 13:54:33 +01:00
parent 30c7d8c1c2
commit a254a2712a
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
8 changed files with 62 additions and 96 deletions
Download patch file Download diff file Expand all files Collapse all files

72
SwarselSystems.org
View file

@ -8866,6 +8866,7 @@ In the respective modules that use home-manager secrets (for example [[#h:506d01
inherit (config.repo.secrets.common.emacs) radicaleUser;
certsSopsFile = self + /secrets/repo/certs.yaml;
workSopsFile = self + /secrets/work/secrets.yaml;
in
{
config = { } // lib.optionalAttrs withHomeManager {
@ -8891,6 +8892,8 @@ In the respective modules that use home-manager secrets (for example [[#h:506d01
github-forge-token = { owner = mainUser; };
}) // (lib.optionalAttrs (modules ? optional-work) {
harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; };
yubikey-1 = { sopsFile = workSopsFile; owner = mainUser; };
ucKey = { sopsFile = workSopsFile; owner = mainUser; };
}) // (lib.optionalAttrs (modules ? optional-noctalia) {
radicale-token = { owner = mainUser; };
}) // (lib.optionalAttrs modules.anki {
@ -9302,7 +9305,7 @@ This system, while highly pleasant to work with during everyday use, sometimes h
#+begin_src nix-ts :tangle modules/nixos/common/pii.nix
# largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix
{ config, inputs, lib, nodes, globals, ... }:
{ config, inputs, lib, homeLib, nodes, globals, ... }:
let
# If the given expression is a bare set, it will be wrapped in a function,
# so that the imported file can always be applied to the inputs, similar to
@ -9356,7 +9359,7 @@ This system, while highly pleasant to work with during everyday use, sometimes h
secrets = lib.mkOption {
readOnly = true;
default = lib.mapAttrs (_: x: importEncrypted x { inherit lib nodes globals inputs; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles;
default = lib.mapAttrs (_: x: importEncrypted x { inherit lib homeLib nodes globals inputs config; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles;
type = lib.types.unspecified;
description = "Exposes the loaded repo secrets. This option is read-only.";
};
@ -10736,9 +10739,20 @@ Also, since I use a GPG key in sops, it seems that scdaemon creates an instance
{
options.swarselmodules.yubikey = lib.mkEnableOption "yubikey config";
config = lib.mkIf config.swarselmodules.yubikey {
programs.ssh.startAgent = false;
programs.ssh = {
startAgent = false; # yes we want this to use FIDO2 keys
# enableAskPassword = true;
# askPassword = lib.getExe pkgs.kdePackages.ksshaskpass;
};
services = {
gnome.gcr-ssh-agent.enable = false;
yubikey-agent.enable = false;
pcscd.enable = true;
services.pcscd.enable = true;
udev.packages = with pkgs; [
yubikey-personalization
];
};
hardware.gpgSmartcards.enable = true;
@ -10757,13 +10771,12 @@ Also, since I use a GPG key in sops, it seems that scdaemon creates an instance
};
};
services.udev.packages = with pkgs; [
yubikey-personalization
environment.systemPackages = with pkgs; [
kdePackages.ksshaskpass
];
};
}
#+end_src
#+end_src
***** Ledger
:PROPERTIES:
@ -21179,7 +21192,7 @@ It is very convenient to have SSH aliases in place for machines that I use. This
'';
matchBlocks = {
"*" = {
forwardAgent = true;
forwardAgent = false;
addKeysToAgent = "no";
compression = false;
serverAliveInterval = 0;
@ -27494,6 +27507,7 @@ When setting up a new machine:
inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses;
inherit (confLib.getConfig.repo.secrets.local.work) mailAddress;
sopsFile = self + /secrets/work/secrets.yaml;
certsSopsFile = self + /secrets/repo/certs.yaml;
in
{
@ -27638,7 +27652,7 @@ When setting up a new machine:
programs =
let
inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 clouds;
inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long path1 site1 site2 site3 site4 site5 site6 site7 clouds;
in
{
openstackclient = {
@ -27693,41 +27707,7 @@ When setting up a new machine:
};
};
ssh = {
matchBlocks = {
"${loc1}" = {
hostname = "${loc1}.${domain2}";
user = user4;
};
"${loc1}.stg" = {
hostname = "${loc1}.${lifecycle1}.${domain2}";
user = user4;
};
"${loc1}.staging" = {
hostname = "${loc1}.${lifecycle1}.${domain2}";
user = user4;
};
"${loc1}.dev" = {
hostname = "${loc1}.${lifecycle2}.${domain2}";
user = user4;
};
"${loc2}" = {
hostname = "${loc2}.${domain1}";
user = user1Long;
};
"${loc2}.stg" = {
hostname = "${loc2}.${lifecycle1}.${domain2}";
user = user1Long;
};
"${loc2}.staging" = {
hostname = "${loc2}.${lifecycle1}.${domain2}";
user = user1Long;
};
"*.${domain1}" = {
user = user1Long;
};
};
};
ssh.matchBlocks = confLib.getConfig.repo.secrets.local.work.sshConfig;
firefox = {
profiles =
@ -28254,6 +28234,8 @@ When setting up a new machine:
path = "${homeDir}/.aws/certs/harica-root.pem";
owner = mainUser;
};
yubikey-1 = { inherit sopsFile; owner = mainUser; };
ucKey = { inherit sopsFile; owner = mainUser; };
};
};

8
hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc
View file

File diff suppressed because one or more lines are too long

2
modules/home/common/ssh.nix
View file

@ -11,7 +11,7 @@
'';
matchBlocks = {
"*" = {
forwardAgent = true;
forwardAgent = false;
addKeysToAgent = "no";
compression = false;
serverAliveInterval = 0;

41
modules/home/optional/work.nix
View file

@ -4,6 +4,7 @@ let
inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses;
inherit (confLib.getConfig.repo.secrets.local.work) mailAddress;
sopsFile = self + /secrets/work/secrets.yaml;
certsSopsFile = self + /secrets/repo/certs.yaml;
in
{
@ -148,7 +149,7 @@ in
programs =
let
inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 clouds;
inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long path1 site1 site2 site3 site4 site5 site6 site7 clouds;
in
{
openstackclient = {
@ -203,41 +204,7 @@ in
};
};
ssh = {
matchBlocks = {
"${loc1}" = {
hostname = "${loc1}.${domain2}";
user = user4;
};
"${loc1}.stg" = {
hostname = "${loc1}.${lifecycle1}.${domain2}";
user = user4;
};
"${loc1}.staging" = {
hostname = "${loc1}.${lifecycle1}.${domain2}";
user = user4;
};
"${loc1}.dev" = {
hostname = "${loc1}.${lifecycle2}.${domain2}";
user = user4;
};
"${loc2}" = {
hostname = "${loc2}.${domain1}";
user = user1Long;
};
"${loc2}.stg" = {
hostname = "${loc2}.${lifecycle1}.${domain2}";
user = user1Long;
};
"${loc2}.staging" = {
hostname = "${loc2}.${lifecycle1}.${domain2}";
user = user1Long;
};
"*.${domain1}" = {
user = user1Long;
};
};
};
ssh.matchBlocks = confLib.getConfig.repo.secrets.local.work.sshConfig;
firefox = {
profiles =
@ -764,6 +731,8 @@ in
path = "${homeDir}/.aws/certs/harica-root.pem";
owner = mainUser;
};
yubikey-1 = { inherit sopsFile; owner = mainUser; };
ucKey = { inherit sopsFile; owner = mainUser; };
};
};

20
modules/nixos/client/hardwarecompatibility-yubikey.nix
View file

@ -6,9 +6,20 @@ in
{
options.swarselmodules.yubikey = lib.mkEnableOption "yubikey config";
config = lib.mkIf config.swarselmodules.yubikey {
programs.ssh.startAgent = false;
programs.ssh = {
startAgent = false; # yes we want this to use FIDO2 keys
# enableAskPassword = true;
# askPassword = lib.getExe pkgs.kdePackages.ksshaskpass;
};
services = {
gnome.gcr-ssh-agent.enable = false;
yubikey-agent.enable = false;
pcscd.enable = true;
services.pcscd.enable = true;
udev.packages = with pkgs; [
yubikey-personalization
];
};
hardware.gpgSmartcards.enable = true;
@ -27,9 +38,8 @@ in
};
};
services.udev.packages = with pkgs; [
yubikey-personalization
environment.systemPackages = with pkgs; [
kdePackages.ksshaskpass
];
};
}

3
modules/nixos/common/home-manager-secrets.nix
View file

@ -4,6 +4,7 @@ let
inherit (config.repo.secrets.common.emacs) radicaleUser;
certsSopsFile = self + /secrets/repo/certs.yaml;
workSopsFile = self + /secrets/work/secrets.yaml;
in
{
config = { } // lib.optionalAttrs withHomeManager {
@ -29,6 +30,8 @@ in
github-forge-token = { owner = mainUser; };
}) // (lib.optionalAttrs (modules ? optional-work) {
harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; };
yubikey-1 = { sopsFile = workSopsFile; owner = mainUser; };
ucKey = { sopsFile = workSopsFile; owner = mainUser; };
}) // (lib.optionalAttrs (modules ? optional-noctalia) {
radicale-token = { owner = mainUser; };
}) // (lib.optionalAttrs modules.anki {

4
modules/nixos/common/pii.nix
View file

@ -1,5 +1,5 @@
# largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix
{ config, inputs, lib, nodes, globals, ... }:
{ config, inputs, lib, homeLib, nodes, globals, ... }:
let
# If the given expression is a bare set, it will be wrapped in a function,
# so that the imported file can always be applied to the inputs, similar to
@ -53,7 +53,7 @@ in
secrets = lib.mkOption {
readOnly = true;
default = lib.mapAttrs (_: x: importEncrypted x { inherit lib nodes globals inputs; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles;
default = lib.mapAttrs (_: x: importEncrypted x { inherit lib homeLib nodes globals inputs config; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles;
type = lib.types.unspecified;
description = "Exposes the loaded repo secrets. This option is read-only.";
};

8
secrets/work/secrets.yaml
View file

@ -10,6 +10,8 @@ govcds: ENC[AES256_GCM,data:X5R+N9A1ZkCMGJb4yNiAcfPxzQ==,iv:8Yx06B/R/9p6oTOnqPod
govchost: ENC[AES256_GCM,data:l/5kcvUQkT/4TYl1j7Ws,iv:Lc+D4ukKkTrIIg8sKy/9NYX1D6xMgL8oEGWZ9DzJtFM=,tag:MuvEJEVYNchT1iDTRPwvbQ==,type:str]
govcnetwork: ENC[AES256_GCM,data:Hevnb0fAMbXTrg1CCmAgwZbJ+sxaTUgJLRc=,iv:UoNyPYuKnACv/euoE5SGlsF4/0ni32+ysLc7nM/pCrQ=,tag:jSHYFecVUvmTKr6AmNLbgw==,type:str]
govcpool: ENC[AES256_GCM,data:sfglbCi3,iv:UdvDgyI8AAFdfOxKD1sVYCof7rXFPavq8eYDaK6Kp2I=,tag:iMn7XPf0rmql2EiaqsAn8w==,type:str]
yubikey-1: ENC[AES256_GCM,data:iAdCdHCq7S7y7Br1AgTe9+swdPaG7lwI8mX1WbNRC+vobek8/5pjkCGN8cEVNFKkgQKjpKsSDTRHaA2xfEwENpF/7defvuQLzxEJohNJGbDbm8ofy1/y+ICsruylyGhmh9ACT98xfZRwMxT1vGPeYcDlhX6q4k1+sUeoZ17y0nuMJHLS/IRCYobuCbVSCWD5HRXBYIj+qIwS0w6cSiu2idM3P5cgdcvtvldLPOt6txGf2+fjWioaHF6mgQyS6sn4VyT1on8FwFTLqan+rFPldvNlgx+VakEhMKgyo+lMOGH8KrK5gMZyQaZIJ4JH7CvXS3Wyyofd598Q+kmkN/QIIDnAj3dAPiKNk/O5IMrANUHy3dDhb2SZAlYdws5kQaoe3sNwJiBI8FZY1dJxnsXnT2Ii9RFxlW4bt9hWvOElKvcH7esmtRDoO3vJo6oYVanhf1kQpQ6x+//9PM1GkdWZlgLy/3UPok0LnwABW+2/oKO/shafAo/rP11VADcmVBtv93SVkA8JVFbQHEhctKWr61RZGiSXGaWwXu1Jn32HMJw+eiC2gbW5OOFUHPVXpu+BI0tm5tOSFF19ze1Ks2VfN532qVTqIzLY+Y7OD3jHzP5mPr015SLGdg==,iv:etzqt2BFRzxXE32s2XBoTNE79k6jWCkoG+HsqnKLezE=,tag:L+SsPjqUC/vD8oFR5djnxw==,type:str]
ucKey: ENC[AES256_GCM,data:V07A8EsZcqNlggxehQ/RsYFZWkyce+RDUT01zweE2y972WtqX3cyWHI2ZrW0FoVxHdGMW2IEDptqERiBdnJZt9OpnDYkN88/ZGzXHRMPBIhDlxM9+ww9sDepfoA7TIxnkM68TjP4WswkHQejhR/+dQXd0Go7ej5k/83FvHvDJ+RNi7bBN9kwGtlv6O0DeqZwahzjGwlqzQBZD5RoWC+Hv6v50y8KA4tMFUgJmUKpUJKyN12W+Wd8g/aLNzRQWEqy8TadOlg3rOLEYJLiR4lkUUSVUMtRESI+1UKHQzpGgEboC2dcHJ5wwRYHntLtCXy9SuX9Uwbbs/iyehdAmvNp4h9pWocL7GzverAatl3JHznRfyI5HHAUcLwZcAc1yJ1w225PiWjudJGPUTDLyvq0DR8wzZQtiziv4agNqkqtZ53pCPKJvwB5wKvQvbJHB/4l6ZxFNSo20/1GT4HCrSP8Q+w+H25NAM90HFVKWBclv7ZG/hhnbcqCUrE37aWVl/nPVZMThg6ySH3iv51eV4jGUFctzFj0YClmePQH,iv:MhcRyy718AFpwfkUrY40sS5Ry1tFpexx/ck5EF5JRyo=,tag:EQWcodkt9RgKllE02L7yow==,type:str]
sops:
age:
- recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
@ -21,8 +23,8 @@ sops:
VDhiYldnZ3piamFoUHBuU0ZVaGQvbk0K/n41+x2YL/rpaEAUbjvCtyUmw1uwCXVo
jmH2cXi/GH4CSoLY6oekq1m9dY/Jxgl7BK+KdRwf79IwhpP98E0xzA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-03T13:26:17Z"
mac: ENC[AES256_GCM,data:35J6pbaTXcq8zW3wtLqBAHSTaWjCxx+BsOZlKWNwxEOCkGzXIIKFtakZJIaMktgPNLvYOlUEOP7dhjUc5IvJCM5beMSNOjBVJJNnLkKQv5sCJK+4p4uTzXo3Neht/Y3xan4DQItdm5lwwQpyNlCecGynVjqN+F44liyxsAR8gtQ=,iv:gaVY3PUn7NdmBNAvuvij990T5pRrAfqY1qgCPWxGBiA=,tag:CuOMqH34hlQX8WPikAL0qw==,type:str]
lastmodified: "2026-03-24T18:20:57Z"
mac: ENC[AES256_GCM,data:0pRVfuZN0rQqGIkOiq91LE0UPxNTY7Os+iR1uMISOyQ8UDdM5aN5LGGYIAOIkFiJBO8CZbXzu1BerywUA6vb3odGq/9J8aQSHOB39wxOssjarPqwLlutMnLzo/eJWdM8c0DJ3pGUUIJPjPcJr9EEblyY9+PYOPt4QgCx/6/JwoQ=,iv:xusha09BS0IX7qZoQXqP3K7EseDLsBA3LHJ8T1bbD0I=,tag:GJmjKk0P0pO9P2aVBAeYQw==,type:str]
pgp:
- created_at: "2025-12-02T15:00:16Z"
enc: |-
@ -56,4 +58,4 @@ sops:
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.12.1