Yubikey stuff
This commit is contained in:
parent
63f906cecd
commit
b3eeccf114
3 changed files with 31 additions and 14 deletions
12
flake.lock
generated
@ -6,11 +6,11 @@
|
||||||
"nixpkgs": "nixpkgs"
|
"nixpkgs": "nixpkgs"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1775271377,
|
"lastModified": 1777436347,
|
||||||
"narHash": "sha256-0ru4G0uQeokPTlJGuRHf3ApBZMeuIRdUyp0SYi//RWM=",
|
"narHash": "sha256-RD/HyNMkmeN4zqENph5Xzks/fz/ZwdUyL1x8rr5tQyA=",
|
||||||
"owner": "sadjow",
|
"owner": "sadjow",
|
||||||
"repo": "claude-code-nix",
|
"repo": "claude-code-nix",
|
||||||
"rev": "214fdf6592f40a8bb472e80283c029d01fb6653d",
|
"rev": "bf3e43090b15d1e335f08e21c80678d6457458e8",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -277,11 +277,11 @@
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1775126147,
|
"lastModified": 1777270315,
|
||||||
"narHash": "sha256-J0dZU4atgcfo4QvM9D92uQ0Oe1eLTxBVXjJzdEMQpD0=",
|
"narHash": "sha256-yKB4G6cKsQsWN7M6rZGk6gkJPDNPIzT05y4qzRyCDlI=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "8d8c1fa5b412c223ffa47410867813290cdedfef",
|
"rev": "6368eda62c9775c38ef7f714b2555a741c20c72d",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -17,6 +17,7 @@
|
||||||
inputs.home-manager.nixosModules.default
|
inputs.home-manager.nixosModules.default
|
||||||
../../modules/nixos/user-jack.nix
|
../../modules/nixos/user-jack.nix
|
||||||
../../modules/nixos/syncthingServer.nix
|
../../modules/nixos/syncthingServer.nix
|
||||||
|
../../modules/nixos/yubikey-auth.nix
|
||||||
];
|
];
|
||||||
# Use the systemd-boot EFI boot loader.
|
# Use the systemd-boot EFI boot loader.
|
||||||
@ -52,15 +53,10 @@
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
services.openssh.settings = {
|
services.openssh.settings = {
|
||||||
PasswordAuthentication = true;
|
PasswordAuthentication = false;
|
||||||
KbdInteractiveAuthentication = true;
|
KbdInteractiveAuthentication = false;
|
||||||
ChallengeResponseAuthentication = true;
|
|
||||||
};
|
};
|
||||||
# 2FA
|
|
||||||
security.pam.services.login.googleAuthenticator.enable = true;
|
|
||||||
security.pam.services.sshd.googleAuthenticator.enable = true;
|
|
||||||
## services.nginx = {
|
## services.nginx = {
|
||||||
## enable = true;
|
## enable = true;
|
||||||
## virtualHosts."your.domain.or.ip" = {
|
## virtualHosts."your.domain.or.ip" = {
|
||||||
@ -138,7 +134,7 @@
|
||||||
unzip
|
unzip
|
||||||
python3
|
python3
|
||||||
nodejs
|
nodejs
|
||||||
google-authenticator
|
inputs.claude-code.packages.${pkgs.system}.claude-code
|
||||||
];
|
];
|
||||||
virtualisation.docker.enable = true;
|
virtualisation.docker.enable = true;
|
||||||
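Review bot: The `@ -52` hunk removes `security.pam.services.sshd.googleAuthenticator` and `login.googleAuthenticator` but nothing in this commit puts a second factor back for either: the new yubikey-auth module only guards `sudo`, so console `login` drops to a single factor and SSH becomes plain public-key auth in which any key listed for the user is accepted, `-sk` or not. If the intent is that only the YubiKey-backed key can open a session, pin the accepted key types in the same settings block, e.g. `PubkeyAcceptedAlgorithms = "sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com";` (OpenSSH ≥ 8.5), and check `/etc/ssh/authorized_keys.d` and `~/.ssh/authorized_keys` for leftover non-sk keys before deploying. Dropping `ChallengeResponseAuthentication` is fine, since it is an alias of `KbdInteractiveAuthentication` in current OpenSSH, but a one-line comment such as `# ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication; one setting covers both` would save the next reader from wondering why only two of the three are set to false. The `services.openssh.settings` set and the enclosing module both start outside this hunk.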
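--- /dev/null
+++ b/modules/nixos/yubikey-auth.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+environment.systemPackages = with pkgs; [
+yubikey-manager
+libfido2
+];
+
+# sudo authenticates via the forwarded SSH agent.
+# Requires: ssh -A when connecting, and an ed25519-sk key in your agent.
+# Generate one locally if you haven't:
+# ssh-keygen -t ed25519-sk
+# Then add the public key to ~/.ssh/authorized_keys on the server.
+security.pam.sshAgentAuth.enable = true;
+security.pam.services.sudo.sshAgentAuth = true;
+
+# Preserve the forwarded agent socket across the sudo boundary
+security.sudo.extraConfig = ''
+Defaults env_keep+=SSH_AUTH_SOCK
+'';
+}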
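Review bot: The comment above `security.pam.sshAgentAuth.enable` tells the user to put the key in `~/.ssh/authorized_keys`, but that is not the file `pam_ssh_agent_auth` consults: `security.pam.sshAgentAuth.authorizedKeysFiles` controls it, and since this module does not override it the NixOS default applies, which to my knowledge is the root-owned `/etc/ssh/authorized_keys.d/%u` — confirm against the PAM module in the pinned nixpkgs. That default matters and should be kept: a user-writable key file would let any process running as the user append its own key, start an agent, and pass the `sudo` check, which is exactly the escalation this module is meant to block. `pam_ssh_agent_auth` also does not check the key type, so the "ed25519-sk" requirement in the comment is a convention, not something this module enforces, and with `ssh -A` anyone who reaches root on this host can sign with the forwarded key for the life of the session — the key's touch requirement is what limits that, so a key generated with `-O no-touch-required` defeats the purpose. Suggested replacement for the last comment line: `# Register the public key via users.users.<name>.openssh.authorizedKeys.keys (lands in /etc/ssh/authorized_keys.d/<name>, which pam_ssh_agent_auth reads; confirm); do not rely on ~/.ssh/authorized_keys, and list only the -sk key, since any key in that file passes the sudo check.`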