diff --git a/bootstrap b/bootstrap
index 27de151..6376a33 100755
--- a/bootstrap
+++ b/bootstrap
@@ -40,7 +40,7 @@
 read
 umount -l /nix/.rw-store || echo "RW-store is not mounted."
 mount --rbind /mnt/nix /nix
-nix-build /tmp/nixpkgs/nixos -A system --substituters "https://cache.balsoft.ru https://cache.nixos.org" --no-require-sigs
+nix build -f /tmp/nixpkgs/nixos system --substituters "https://cache.balsoft.ru https://cache.nixos.org" --no-require-sigs
 nixos-install --system ./result
 cd /mnt/home/balsoft
 chmod 777 -R .
diff --git a/modules/packages.nix b/modules/packages.nix
index fd67732..61f2bfe 100644
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -155,16 +155,6 @@ in { pkgs, config, lib, ... }: {
 config.firefox.enablePlasmaBrowserIntegration = true;
 } // config.nixpkgs.config;
- systemd.services.setup_root = {
- serviceConfig.User = "root";
- script = ''
- mkdir -p /root/.ssh
- cat << EOF > /root/.ssh/id_rsa
- ${config.secrets.id_rsa}
- EOF
- chmod 100 /root/.ssh/id_rsa
- '';
- };
 environment.etc.nixpkgs.source = imports.nixpkgs;
 nix = rec {
 nixPath = lib.mkForce [
diff --git a/modules/secrets.nix b/modules/secrets.nix
index 8d4c3bd..153c00d 100755
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -62,10 +62,6 @@ in rec {
 type = nullOr str;
 description = "Rclone config";
 };
- id_rsa = mkOption {
- type = nullOr str;
- description = "SSH RSA private key";
- };
 ssl = rec {
 cert = mkOption {
 type = nullOr str;
diff --git a/modules/services.nix b/modules/services.nix
index 156f27b..75a5507 100644
--- a/modules/services.nix
+++ b/modules/services.nix
@@ -1,7 +1,6 @@
 { config, lib, pkgs, ... }: {
 services.acpid.enable = true;
- programs.ssh.startAgent = true;
 services.apcupsd = {
 enable = config.device == "AMD-Workstation";
 };
diff --git a/modules/workspace/misc.nix b/modules/workspace/misc.nix
index 00bbdd6..22d1a4e 100644
--- a/modules/workspace/misc.nix
+++ b/modules/workspace/misc.nix
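Review bot: The new `nix build` line keeps `--no-require-sigs`, so every store path substituted from cache.balsoft.ru or cache.nixos.org is accepted without a signature check and the integrity of the installed system rests entirely on the TLS connection to those two hosts. Since the first substituter is a personal cache, it would be safer to drop the flag and trust its signing key explicitly instead, e.g. `--trusted-public-keys "<cache.balsoft.ru signing key> <cache.nixos.org signing key>"` next to `--substituters`. The surrounding bootstrap script starts and continues outside the hunk.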
@@ -23,16 +23,6 @@
 after = [ ];
 data = "rm -f /home/balsoft/.config/mimeapps.list";
 };
- programs.gpg.enable = true;
- services.gpg-agent = {
- enable = true;
- extraConfig = ''
- pinentry-program ${pkgs.pinentry}/bin/pinentry
- allow-emacs-pinentry
- allow-loopback-pinentry
- '';
- enableSshSupport = true;
- };
 services.udiskie.enable = true;
 programs.git = {
 enable = true;
diff --git a/modules/workspace/ssh.nix b/modules/workspace/ssh.nix
index fbac193..5e3ee96 100644
--- a/modules/workspace/ssh.nix
+++ b/modules/workspace/ssh.nix
@@ -4,24 +4,37 @@
 passwordAuthentication = false;
 permitRootLogin = "no";
 forwardX11 = true;
- ports = [ 22 13722 ];
+ ports = [ 22 ];
 };
 users.users.balsoft.openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd2OdcSHUsgezuV+cpFqk9+Svtup6PxIolv1zokVZdqvS8qxLsA/rwYmQgTnuq4/zK/GIxcUCH4OxYlW6Or4M4G7qrDKcLAUrRPWkectqEooWRflZXkfHduMJhzeOAsBdMfYZQ9024GwKr/4yriw2BGa8GbbAnQxiSeTipzvXHoXuRME+/2GsMFAfHFvxzXRG7dNOiLtLaXEjUPUTcw/fffKy55kHtWxMkEvvcdyR53/24fmO3kLVpEuoI+Mp1XFtX3DvRM9ulgfwZUn8/CLhwSLwWX4Xf9iuzVi5vJOJtMOktQj/MwGk4tY/NPe+sIk+nAUKSdVf0y9k9JrJT98S/ comment"];
- home-manager.users.balsoft.programs.ssh =
- if (!isNull config.secrets.id_rsa) then {
+ services.udev.packages = [ pkgs.yubikey-personalization ];
+
+
+ environment.shellInit = ''
+ export GPG_TTY="$(tty)"
+ gpg-connect-agent /bye
+ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
+ '';
+
+ programs = {
+ ssh.startAgent = false;
+ gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+ };
+
+ home-manager.users.balsoft.home.file.".gnupg/scdaemon.conf".text = "reader-port Yubico Yubi";
+
+ home-manager.users.balsoft.programs.ssh = {
 enable = true;
 matchBlocks = {
 "*" = {
- identityFile = toString (pkgs.writeTextFile {
- name = "id_rsa";
- text = config.secrets.id_rsa;
- });
 compression = false;
 };
 };
- } else
- { };
+ };
 }
diff --git a/result-bin b/result-bin
new file mode 120000
index 0000000..3ced936
--- /dev/null
+++ b/result-bin
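Review bot: The new `environment.shellInit` hardcodes `SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"`, which silently breaks whenever the agent socket lives elsewhere (a non-systemd login, a changed gnupg socket directory), leaving ssh with no agent and no error that points at the cause. Asking gpg for the location avoids the guess: `export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"`. I believe the NixOS gnupg module already exports this variable when `enableSSHSupport = true` is set, as it is in the `programs` block below, so the manual export may be redundant and is worth confirming before keeping it. The `gpg-connect-agent /bye` line also runs for every shell, including non-interactive ones, so a short comment stating that it is there to start the agent early would help the next reader.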
@@ -0,0 +1 @@
+/nix/store/fwban0fhsglbyn83inds5si719b2qjdd-libxml2-2.9.10-bin
\ No newline at end of file
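Review bot: `result-bin` is a new symlink into `/nix/store/...-libxml2-2.9.10-bin`, which looks like a stray `nix build` output symlink committed by accident rather than part of the configuration. It should be dropped from the commit, and adding `result*` to `.gitignore` would keep future build outputs out of the repository.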