🚚 [shared] Added shared config that shared desktop config inherits from

2025-05-20 21:52:00 +02:00
parent adb02fbcc2
commit 9a8cc63674
92 changed files with 41 additions and 25 deletions
--- a/shared/desktop/modules/security/default.nix
+++ b/shared/desktop/modules/security/default.nix
@ -0,0 +1,9 @@
+{
+  imports = [
+    ./sops.nix
+    ./ssh.nix
+    ./yubikey.nix
+  ];
+
+  programs.gnupg.agent.enable = true;
+}
--- a/shared/desktop/modules/security/sops.nix
+++ b/shared/desktop/modules/security/sops.nix
@ -0,0 +1,20 @@
+{
+  inputs,
+  lib,
+  systemConfig,
+  ...
+}:
+
+{
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    defaultSopsFile = lib.custom.relativeToRoot "shared/secrets/secrets.yaml";
+    defaultSopsFormat = "yaml";
+
+    age.keyFile = "/home/${systemConfig.username}/.config/sops/age/keys.txt";
+    secrets.password-hash.neededForUsers = true;
+  };
+}
--- a/shared/desktop/modules/security/ssh.nix
+++ b/shared/desktop/modules/security/ssh.nix
@ -0,0 +1,25 @@
+# /nix/store/<hash>/etc/ssh/ssh_config & /nix/store/<hash>/etc/ssh/authorized_keys
+{
+  systemConfig,
+  systems,
+  common,
+  ...
+}:
+with builtins;
+let
+  domain = "dns.${common.domain}";
+in
+{
+  programs.ssh.knownHosts = listToAttrs (
+    map (system: {
+      name = system.hostName;
+      value = {
+        extraHostNames = [ "${system.hostName}.${domain}" ];
+        publicKey = system.ssh.publicKey;
+      };
+    }) systems
+  );
+  users.users.${systemConfig.username}.openssh.authorizedKeys.keys = (
+    map (system: system.ssh.publicKey) systems
+  );
+}
--- a/shared/desktop/modules/security/yubikey.nix
+++ b/shared/desktop/modules/security/yubikey.nix
@ -0,0 +1,30 @@
+# Yubikey config: https://nixos.wiki/wiki/Yubikey#pam_u2f
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    gnupg
+    yubioath-flutter # GUI
+  ];
+
+  security = {
+    pam = {
+      services = {
+        login.u2fAuth = false; # U2F and password
+        sudo.u2fAuth = true; # U2F or password
+      };
+      u2f = {
+        enable = true;
+        settings = {
+          cue = true; # Prompt: Please touch the device
+          interactive = false; # Prompt: Insert your U2F device, then press ENTER.
+        };
+      };
+    };
+  };
+
+  services = {
+    pcscd.enable = true; # Required for Yubikey
+    udev.packages = with pkgs; [ yubikey-personalization ];
+  };
+}