diff --git a/home/hosts/Styx.nix b/home/hosts/Styx.nix
index 7c53216..23bc581 100644
--- a/home/hosts/Styx.nix
+++ b/home/hosts/Styx.nix
@@ -24,7 +24,7 @@
 ../programs/scripts.nix
- ../programs/ssh.nix
+ ../programs/ssh/Styx.nix
 ../programs/streamlink.nix
 ../programs/yt-dlp.nix
diff --git a/home/programs/ssh.nix b/home/programs/ssh.nix
deleted file mode 100644
index eb6a369..0000000
--- a/home/programs/ssh.nix
+++ /dev/null
@@ -1,140 +0,0 @@
-{ pkgs, config, ... }:
-
-let
- ssh-directory = "${config.home.homeDirectory}/.ssh";
- ssh-keys = import ../../system/shared/ssh-keys.nix;
-
- auth-socket = "${ssh-directory}/1password.sock";
- signers-directory = "${ssh-directory}/allowed_signers";
-
- secret-sail = import ../../secret/hosts/sail.nix;
-in
-{
- home.packages = [ pkgs.openssh ];
-
- programs.ssh = {
- enable = true;
-
- forwardAgent = false;
- compression = false;
- hashKnownHosts = true;
- serverAliveInterval = 60;
- extraConfig = ''
- IdentityAgent "${auth-socket}"
- UpdateHostKeys ask
- VerifyHostKeyDNS yes
- '';
-
- matchBlocks = {
- # Work
-
- "git.app.nedeco.de" = {
- port = 22;
- user = "git";
- identityFile = "~/.ssh/nedeco_gitlab.pub";
- identitiesOnly = true;
- compression = true;
- };
-
- "nedeco-smartos-hosting" = {
- host = "10.0.90.*";
- port = 22;
- user = "root";
- identityFile = "~/.ssh/nedeco.pub";
- identitiesOnly = true;
- };
-
- "msc.nedeco.local" = {
- port = 22;
- user = "root";
- identityFile = "~/.ssh/nedeco.pub";
- identitiesOnly = true;
- };
-
- # Private
-
- "github.com" = {
- port = 22;
- user = "git";
- identityFile = "~/.ssh/GitHub.pub";
- identitiesOnly = true;
- compression = true;
- };
-
- "gitlab.com" = {
- port = 22;
- user = "git";
- identityFile = "~/.ssh/GitLab.pub";
- identitiesOnly = true;
- compression = true;
- };
-
- "router" = {
- hostname = "10.0.0.1";
- port = 22;
- user = "root";
- };
-
- "nas" = {
- hostname = "10.0.0.100";
- port = 22;
- user = "daniel";
- identityFile = "~/.ssh/LAN.pub";
- identitiesOnly = true;
- };
-
- "piboat.lan" = {
- port = 22;
- user = "pi";
- identityFile = "~/.ssh/LAN.pub";
- identitiesOnly = true;
- };
-
- "adsb-antenna" = {
- hostname = "adsb-antenna.laniot";
- port = 22;
- user = "daniel";
- forwardAgent = true;
- identityFile = "~/.ssh/LAN.pub";
- identitiesOnly = true;
- };
-
- "sail" = {
- hostname = secret-sail.publicIP;
- port = 22;
- user = "daniel";
- forwardAgent = true;
- identityFile = 
"~/.ssh/Hetzner.pub";
- identitiesOnly = true;
- };
-
- # Builder
-
- "builder-sail" = {
- hostname = secret-sail.publicIP;
- port = 22;
- user = "root";
- identityFile = "~/.ssh/Hetzner.pub";
- identitiesOnly = true;
- };
- };
-
- includes = [
- "~/.ssh/config_work"
- ];
- };
-
- home.sessionVariables.SSH_AUTH_SOCK = "${auth-socket}";
-
- home.file = {
- "${ssh-directory}/GitHub.pub".text = ssh-keys.GitHub;
- "${ssh-directory}/GitLab.pub".text = ssh-keys.GitLab;
- "${ssh-directory}/Hetzner.pub".text = ssh-keys.Hetzner;
- "${ssh-directory}/LAN.pub".text = ssh-keys.LAN;
-
- "${signers-directory}" = {
- source = ../config/ssh/allowed_signers;
- recursive = true;
- };
- };
-}
diff --git a/home/programs/ssh/Styx.nix b/home/programs/ssh/Styx.nix
new file mode 100644
index 0000000..ce64c8f
--- /dev/null
+++ b/home/programs/ssh/Styx.nix
@@ -0,0 +1,52 @@
+{ pkgs, config, ... }:
+
+let
+ secret = import ../../../secret/hosts/Styx.nix;
+
+ ssh-directory = "${config.home.homeDirectory}/.ssh";
+ auth-socket = "${ssh-directory}/1password.sock";
+ signers-directory = "${ssh-directory}/allowed_signers";
+
+ shared-private = import ./shared/private.nix;
+ shared-builder = import ./shared/builder.nix;
+ shared-work = import ./shared/work.nix { inherit secret; };
+
+ ssh-keys = import ../../../system/shared/ssh-keys.nix;
+in
+{
+ home.packages = [ pkgs.openssh ];
+
+ programs.ssh = {
+ enable = true;
+
+ forwardAgent = false;
+ compression = false;
+ hashKnownHosts = true;
+ serverAliveInterval = 60;
+ extraConfig = ''
+ IdentityAgent "${auth-socket}"
+ UpdateHostKeys ask
+ VerifyHostKeyDNS yes
+ '';
+
+ matchBlocks = shared-private.matchBlocks // shared-builder.matchBlocks // shared-work.matchBlocks;
+
+ includes = [
+ "~/.ssh/config_work"
+ ];
+ };
+
+ home.sessionVariables.SSH_AUTH_SOCK = "${auth-socket}";
+
+ home.file = {
+ "${ssh-directory}/GitHub.pub".text = ssh-keys.GitHub;
+ "${ssh-directory}/GitLab.pub".text = ssh-keys.GitLab;
+ "${ssh-directory}/Hetzner.pub".text = ssh-keys.Hetzner;
+ "${ssh-directory}/LAN.pub".text = ssh-keys.LAN;
+
+ "${signers-directory}" = {
+ source = ../../config/ssh/allowed_signers;
+ recursive = true;
+ };
+ };
+}
diff --git a/home/programs/ssh/shared/builder.nix b/home/programs/ssh/shared/builder.nix
new file mode 100644
index 0000000..03fb0cb
--- /dev/null
+++ b/home/programs/ssh/shared/builder.nix
@@ -0,0 +1,14 @@
+let
+ secret-sail = import ../../../../secret/hosts/sail.nix;
+in
+{
+ matchBlocks = {
+ "builder-sail" = {
+ hostname = secret-sail.publicIP;
+ port = 22;
+ user = "root";
+ identityFile = "~/.ssh/Hetzner.pub";
+ identitiesOnly = true;
+ };
+ };
+}
diff --git a/home/programs/ssh/shared/private.nix b/home/programs/ssh/shared/private.nix
new file mode 100644
index 0000000..a16eff3
--- /dev/null
+++ b/home/programs/ssh/shared/private.nix
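Review bot: `matchBlocks = shared-private.matchBlocks // shared-builder.matchBlocks // shared-work.matchBlocks;` is a right-biased merge, so a host alias that appears in more than one shared file is silently replaced by the rightmost definition, and `shared-work` can override any private block, including its `identityFile`/`identitiesOnly` settings, without any evaluation error. Nothing in the hunk checks that the three key sets are disjoint. A guard placed before the returned attribute set, e.g. `assert builtins.intersectAttrs shared-private.matchBlocks shared-work.matchBlocks == { };` (repeated for the other two pairs), would turn an accidental collision into a build failure instead of a changed SSH identity. The same silent override applies to `} // secret.ssh.matchBlocks.work;` at the end of the `work.nix` hunk, where the merged-in content comes from a file this diff only shows as binary and so cannot be reviewed here.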
@@ -0,0 +1,64 @@
+let
+ secret-sail = import ../../../../secret/hosts/sail.nix;
+in
+{
+ matchBlocks = {
+ "github.com" = {
+ port = 22;
+ user = "git";
+ identityFile = "~/.ssh/GitHub.pub";
+ identitiesOnly = true;
+ compression = true;
+ };
+
+ "gitlab.com" = {
+ port = 22;
+ user = "git";
+ identityFile = "~/.ssh/GitLab.pub";
+ identitiesOnly = true;
+ compression = true;
+ };
+
+ "router" = {
+ hostname = "10.0.0.1";
+ port = 22;
+ user = "root";
+ extraOptions = {
+ PreferredAuthentications = "password";
+ };
+ };
+
+ "nas" = {
+ hostname = "10.0.0.100";
+ port = 22;
+ user = "daniel";
+ identityFile = "~/.ssh/LAN.pub";
+ identitiesOnly = true;
+ };
+
+ "piboat.lan" = {
+ port = 22;
+ user = "pi";
+ identityFile = "~/.ssh/LAN.pub";
+ identitiesOnly = true;
+ };
+
+ "adsb-antenna" = {
+ hostname = "adsb-antenna.laniot";
+ port = 22;
+ user = "daniel";
+ forwardAgent = true;
+ identityFile = "~/.ssh/LAN.pub";
+ identitiesOnly = true;
+ };
+
+ "sail" = {
+ hostname = secret-sail.publicIP;
+ port = 22;
+ user = "daniel";
+ forwardAgent = true;
+ identityFile = "~/.ssh/Hetzner.pub";
+ identitiesOnly = true;
+ };
+ };
+}
diff --git a/home/programs/ssh/shared/work.nix b/home/programs/ssh/shared/work.nix
new file mode 100644
index 0000000..2aa6c24
--- /dev/null
+++ b/home/programs/ssh/shared/work.nix
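Review bot: `forwardAgent = true` on the `adsb-antenna` and `sail` blocks forwards the agent behind `IdentityAgent` (the 1Password socket configured in `Styx.nix`) to those hosts, so for the lifetime of a session anyone with root on `adsb-antenna.laniot` or on the public `sail` address can request signatures from every identity that agent exposes, subject only to whatever per-use approval the agent itself enforces; the commit moves these blocks without narrowing that. If forwarding only serves a hop to a further host, `proxyJump` keeps key use on the client; if the remote genuinely needs the agent, a comment on each block naming that consumer would document the exception, e.g. `# forwardAgent: required by <consumer> — TODO confirm`. The `router` block's new `extraOptions.PreferredAuthentications = "password"` is the one behavioural change in this hunk and deserves a one-line comment saying why key authentication is not used for that host.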
@@ -0,0 +1,47 @@
+{ secret, ... }:
+
+{
+ matchBlocks = {
+ "git.app.nedeco.de" = {
+ port = 22;
+ user = "git";
+ identityFile = "~/.ssh/nedeco_gitlab.pub";
+ identitiesOnly = true;
+ compression = true;
+ };
+
+ "nedeco-smartos-hosting" = {
+ host = "10.0.90.*";
+ port = 22;
+ user = "root";
+ identityFile = "~/.ssh/nedeco.pub";
+ identitiesOnly = true;
+ };
+
+ "msc.nedeco.local" = {
+ port = 22;
+ user = "root";
+ identityFile = "~/.ssh/nedeco.pub";
+ identitiesOnly = true;
+ };
+
+ "headnode.nedeco-hosting.local" = {
+ hostname = "10.0.90.13";
+ port = 22;
+ user = "root";
+ extraOptions = {
+ PreferredAuthentications = "password";
+ };
+ };
+
+ "cnode01.nedeco-hosting.local" = {
+ hostname = "10.0.88.45";
+ port = 22;
+ user = "root";
+ proxyCommand = "ssh headnode.nedeco-hosting.local nc -w 120 %h %p";
+ extraOptions = {
+ PreferredAuthentications = "password";
+ };
+ };
+ } // secret.ssh.matchBlocks.work;
+}
diff --git a/secret/hosts/Styx.nix b/secret/hosts/Styx.nix
new file mode 100644
index 0000000..2118ac2
Binary files /dev/null and b/secret/hosts/Styx.nix differ
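Review bot: `proxyCommand = "ssh headnode.nedeco-hosting.local nc -w 120 %h %p";` on the `cnode01.nedeco-hosting.local` block spawns a shell and a `nc` process on the headnode for every connection, so it depends on netcat being installed there and on the 120-second idle timeout being acceptable. `proxyJump = "headnode.nedeco-hosting.local";` expresses the same hop with OpenSSH's built-in `-J` forwarding, needs nothing beyond sshd on the jump host and still resolves the headnode through its own match block above. Both new blocks force `PreferredAuthentications = "password"` as root while every other block in this file pairs a key with `identitiesOnly = true`; a short comment stating why key authentication is unavailable on these two hosts would save the next reader from treating it as an oversight.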