NixOS + home-manager configs, mirrored from GitLab SaaS. gitlab.com/andreijiroh-dev/nixops-config
nix-flake nixos home-manager nixpkgs nix-flakes


chore(ssh): update SSH pubkeys and tweak OpenSSH server config for CF Browser Rending to work

+100 -22
+20 -11
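--- a/hosts/lairland/users/ajhalili2006.nix
+++ b/hosts/lairland/users/ajhalili2006.nix
@@ -1,24 +1,33 @@
-{ config, pkgs, lib, ... }:
+{
+config,
+pkgs,
+lib,
+...
+}:
 
 {
 users.users.ajhalili2006 = {
 isNormalUser = true;
 description = "Andrei Jiroh Halili";
 extraGroups = [
-"networkmanager"
-"wheel"
-"docker"
+"networkmanager"
+"wheel"
+"docker"
 ];
 openssh.authorizedKeys.keys = with import ../../../shared/ssh-keys.nix; [
-personal.y2022
-personal.passwordless
-personal.campus-comlab
-work.recaptime-dev.crew
-personal.rp.gildedguy
-];
+personal.y2022
+personal.campus-comlab
+personal.passwordless
+personal.rp.gildedguy
+work.recaptime-dev.crew
+sshid.personal.stellapent-cier
+sshid.personal.zarc
+fido2Keys.hackclub_yubikey.main
+fido2Keys.hackclub_yubikey.backup
+];
 linger = true;
 };
-
+
 # see ../../stellapent-cier/users/gildedguy.nix for context
 home-manager.users.ajhalili2006 = {
 imports = [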
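Review bot: The nine-entry key list written out here is repeated in hosts/lairland/users/coolify-runner.nix (with `infra.termius` added) and in hosts/stellapent-cier/users/gildedguy.nix, so revoking one key means editing three files and a missed one leaves a stale credential accepted. Defining the list once next to the keys in shared/ssh-keys.nix and referencing it from each user would keep the three accounts in step. Separately, sshd accepts any one listed key, so adding the two `fido2Keys.hackclub_yubikey.*` entries alongside the software keys does not raise the bar for this `wheel`/`docker` account; if hardware-backed login is the goal here, the software keys would have to be dropped from this list. The `home-manager.users.ajhalili2006` block continues past the end of the section.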
+17 -2
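--- a/hosts/lairland/users/coolify-runner.nix
+++ b/hosts/lairland/users/coolify-runner.nix
@@ -1,4 +1,11 @@
-{ config, pkgs, lib, zen-browser, dev-pkgs, ... }:
+{
+config,
+pkgs,
+lib,
+zen-browser,
+dev-pkgs,
+...
+}:
 
 {
 users.users.coolify-runner = {
@@ -10,8 +17,16 @@
 extraGroups = [ "docker" ];
 linger = false;
 openssh.authorizedKeys.keys = with import ../../../shared/ssh-keys.nix; [
+personal.y2022
 personal.campus-comlab
+personal.passwordless
+personal.rp.gildedguy
 infra.termius
+work.recaptime-dev.crew
+sshid.personal.stellapent-cier
+sshid.personal.zarc
+fido2Keys.hackclub_yubikey.main
+fido2Keys.hackclub_yubikey.backup
 ];
 createHome = true;
 };
@@ -26,4 +41,4 @@
 # '';
 # deps = [ "users" ];
 #};
-}
+}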
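Review bot: In the middle hunk `coolify-runner` goes from two accepted keys to ten, and one of the additions is `personal.passwordless`, which shared/ssh-keys.nix labels as a passwordless key for sshfs. The account is in the `docker` group, which is effectively root on the host, so each added key is another private key whose theft leads to root. I would keep this service account to the keys that actually deploy through it, and if the sshfs key has to stay, pin it with authorized_keys options, for example `''restrict,command="internal-sftp" ${personal.passwordless}''`. The attribute set around the list is only partly visible in the section.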
+14 -3
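--- a/hosts/stellapent-cier/users/gildedguy.nix
+++ b/hosts/stellapent-cier/users/gildedguy.nix
@@ -1,4 +1,11 @@
-{ config, pkgs, lib, zen-browser, dev-pkgs, ... }:
+{
+config,
+pkgs,
+lib,
+zen-browser,
+dev-pkgs,
+...
+}:
 
 {
 # Might be obvious to some since I'm technically roleplaying on my
@@ -14,10 +21,14 @@
 openssh = {
 authorizedKeys.keys = with import ../../../shared/ssh-keys.nix; [
 personal.y2022
-personal.passwordless
 personal.campus-comlab
-work.recaptime-dev.crew
+personal.passwordless
 personal.rp.gildedguy
+work.recaptime-dev.crew
+sshid.personal.stellapent-cier
+sshid.personal.zarc
+fido2Keys.hackclub_yubikey.main
+fido2Keys.hackclub_yubikey.backup
 ];
 };
 linger = true;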
+13 -1
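--- a/shared/server/ssh.nix
+++ b/shared/server/ssh.nix
@@ -1,7 +1,12 @@
 # To use this shared NixOS configuration for OpenSSH, just import this file
 # on your NixOS configuration.
 
-{ config, pkgs, lib, ... }:
+{
+config,
+pkgs,
+lib,
+...
+}:
 
 {
 services.openssh = {
@@ -14,6 +19,13 @@
 # Allow port and X11 forwarding
 AllowTcpForwarding = true;
 X11Forwarding = true;
+
+Macs = [
+"hmac-sha2-512-etm@openssh.com"
+"hmac-sha2-256-etm@openssh.com"
+"umac-128-etm@openssh.com"
+"hmac-sha2-256" # required for Cloudflare Access SSH via Browser Rendering
+];
 };
 };
 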
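Review bot: The `Macs` list is added to the shared module, so the non-ETM `hmac-sha2-256` becomes acceptable on every host that imports shared/server/ssh.nix, not only on the ones reached through Cloudflare Access. The three `-etm@openssh.com` entries authenticate the ciphertext; the fourth authenticates the plaintext and only comes into play when a non-AEAD cipher is negotiated, but it is still a weaker fallback than the rest of the list. I would keep the shared list ETM-only and add the extra MAC in the config of the host that is actually published through Cloudflare. Failing that, the comment could be extended to `# non-ETM; only needed for Cloudflare Access browser rendering, drop once ETM MACs are supported there`. The attribute set that holds `Macs` opens in lines the section does not show.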
+36 -5
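--- a/shared/ssh-keys.nix
+++ b/shared/ssh-keys.nix
@@ -4,19 +4,40 @@
 # via agenix/sops.
 
 {
+# Personal keys
 personal = {
-y2022 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXuD3hJwInlcHs3wkXWAWNo8es3bPAd2e8ipjyqgGp2 ajhalili2006@andreijiroh.dev";
+y2022 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXuD3hJwInlcHs3wkXWAWNo8es3bPAd2e8ipjyqgGp2 ajhalili2006@andreijiroh.dev (2022 SSH key)";
 passwordless = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUnTexcVQTGT+UhX8MRPkMvM6FPuskbY2Dn0ScZ3+ot ~ajhalili2006 [passwordless key for sshfs]";
 releases = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzLVfKtq8vBYeSrrVhwFwkpfu6TDLFgyjb3UmB+Jdhl releases@andreijiroh.dev";
-campus-comlab = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFI1Mj7gTG1IwnxPyr2AsXDq2kBq98hnijhgkGklkhWH";
+campus-comlab = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFI1Mj7gTG1IwnxPyr2AsXDq2kBq98hnijhgkGklkhWH halili.459491@meycauayan.sti.edu.ph";
 rp = {
 gildedguy = "ssh-rsa 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 gildedguy@andreijiroh";
 };
-sshid = {
-tbd = "tbd";
+};
+
+# SSHid.io by Termius - https://sshid.io/ajhalili2006
+sshid = {
+personal = {
+zarc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOU7apiahMdtP1+8dIGUeHuYgWxJYnUdY9nzwMkoyA33 zarc.fawn-cod.ts.net (sshid.io/ajhalili2006)";
+stellapent-cier = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHm3aOTvaREj5QxDtSPR57msq+ZdMyzbqDU8RSIt88Aj stellapent-cier.fawn-cod.ts.net (sshid.io/ajhalili2006)";
+};
+# Guess I am LITERALLY CATCHING STRAYS HERE hehehehehehehehehehehehe
+campus = {
+library = {
+_01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+drN3n2XqGXCtVwGlNaDECSpr6M2i03d8X1ktqATj6 STI College Meycauayan - Library Computer 1 (sshid.io/ajhalili2006)";
+_03 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAN42NFlLR9qNGt7Ri4G7g3A9U/Z4WuOaz1nQeclA4DW STI College Meycauayan - Library Computer 3 (sshid.io/ajhalili2006)";
+_04 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+drN3n2XqGXCtVwGlNaDECSpr6M2i03d8X1ktqATj6 STI College Meycauayan - Library Computer 4 (sshid.io/ajhalili2006)";
+_07 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKq7XqFqcUhmw932vSIKuwwZdC4PG19BPh2SsXvmqPA7 STI College Meycauayan - Library Computer 7 (sshid.io/ajhalili2006)";
+};
+comlab = {
+a-029 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcJERg5i2CBjoDSSvy2veQKDrUj6z1l3vkxSnziwyhQ STI College Meycauayan - Computer Lab A-029 (sshid.io/ajhalili2006)";
+b-033 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0qDkS8JP7dtBf5znRlQXTK8QSPDEWgnKaOK+5SlcoR STI College Meycauayan - Computer Lab B-033 (sshid.io/ajhalili2006)";
+b-034_labs = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSf5bpqdVCYindZBh1DyKbyInFBJ5SFh5Bl+c9++92u STI College Meycauayan - Ubuntu VirtualBox VM Labs (andreijiroh@halili-459491-labs) on Computer Lab B-033 (sshid.io/ajhalili2006)";
+};
 };
 };
 
+# SSH keys for work, mainly at Recap Time Squad HQ
 work = {
 recaptime-dev = {
 crew = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEYDna7HlVN6FL+Mxaof+WH5EoVmaUrM7GFAdQSveTJ ajhalili2006@crew.recaptime.dev";
@@ -24,12 +45,22 @@
 };
 };
 
+# Infrastructure Operations
 infra = {
 termius = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC+H0oixQCgHiZWk4+H6VupW+2Aibs7poK7kNPf+hJEv";
 gcp = "ssh-rsa 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 gildedguy@stellapent-cier";
 aws = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICx7San3UCFg3+vr5a07MoNBM9egqAeKHnu4Jhpx3Zwx devlab.aws";
 };
-
+
+# Hardware-backed SSH keys
+fido2Keys = {
+hackclub_yubikey = {
+main = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFCCafMJLzv8vyQ5TCsevYGE6UMZE1puzHtbGslONvvCAAAABHNzaDo= ~ajhalili2006 on YubiKey 5C NFC Hack Club <ajhalili2006@andreijiroh.dev>";
+backup = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFlEOSuf1O2/2m60F9BGW8Wyzoef51ycbG4R2TmPVZVbAAAABHNzaDo= ~ajhalili2006 on YubiKey 5C NFC Hack Club - Backup <ajhalili2006@andreijiroh.dev>";
+};
+};
+
+# Host keys
 hosts = {
 lairland = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMJeo4V8JiW0eLIzmpNB1jdhde0RR5pVOCaSUoBxXces root@lairland.fawn-cod.ts.net";
 stellapent-cier = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJkAk5TIXkwy9xKPmcyucgbz6SRSG5qhVAPod2nSw1M root@stellapent-cier.fawn-cod.ts.net";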
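Review bot: `sshid.campus.library._01` and `_04` (new lines 27 and 29) carry the same key blob, ending in `ktqATj6`, which looks like a copy-paste slip, so one of the two machines is recorded with the wrong public key. The private halves of the `sshid.campus.*` keys live on shared library and lab computers, and the file should say how far they are trusted, e.g. `# keys from shared campus machines: never add to authorizedKeys of wheel/docker users`. None of the campus entries are referenced by the user files changed in this commit, which is the state worth keeping. The `hosts` set continues past the end of the section.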