pinwheel/tadpole: Add ed25519 ssh key

Update whib-frontend flake input
tadpole: Scope authorized_keys_command to alex
2026-06-17 08:35:07 +02:00 · 2026-06-03 12:59:11 +02:00 · 2026-06-03 12:58:08 +02:00 · 2026-06-03 12:58:07 +02:00 · 2026-06-03 12:58:05 +02:00 · 2026-06-03 12:58:04 +02:00
10 changed files with 72 additions and 13 deletions
@@ -944,11 +944,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1774202723,
+        "lastModified": 1780482259,
-        "narHash": "sha256-z3kfGSm1EFzzUorewI5Jtgv79lPV128pZd8EEak4xZg=",
+        "narHash": "sha256-buOczAkw78U+g7DYcB7nMabTGzQoN15HtVE3y0kIt3I=",
        "ref": "master",
-        "rev": "02ad04e1460d7ce84db24b3bb526339df1e76501",
+        "rev": "b9ee418d14d6cb500506f9ef0cb9d54a8e78afa9",
-        "revCount": 372,
+        "revCount": 373,
        "type": "git",
        "url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
      },
@@ -965,11 +965,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1761508816,
+        "lastModified": 1780483645,
-        "narHash": "sha256-adV/lyxcmuopyuzZ49v46Yt0gft+ioEL4yl1S+vUbus=",
+        "narHash": "sha256-Nr0WTh72uBCSO5jCcvHPE+4dqAPn07HZ5U1lAE4/3II=",
        "ref": "master",
-        "rev": "ab10bf50cb6b023a1b99f91c7e8d550231135eef",
+        "rev": "14f98eced1ccf1e62493ad65eb38502b38db5cba",
-        "revCount": 223,
+        "revCount": 224,
        "type": "git",
        "url": "ssh://gitea@git.ppp.pm:1122/alex/whib-react.git"
      },
@@ -45,7 +45,7 @@ in
              valign = "center";
              outline_thickness = 2;
              dots_center = true;
-              fade_on_empty = true;
+              fade_on_empty = false;
              placeholder_text = "";
            }
          ];
@@ -1,6 +1,6 @@
 { pkgs, ... }:
 {
  home-manager.users.alex = {
-    home.packages = [ pkgs.nodePackages.typescript-language-server ];
+    home.packages = [ pkgs.typescript-language-server ];
  };
 }
@@ -3,10 +3,14 @@
  # Enable gnome-keyring at system level for PAM integration
  services.gnome.gnome-keyring.enable = true;
  # Use openssh's own ssh-agent — gcr's ssh-agent stalls signing RSA keys.
  services.gnome.gcr-ssh-agent.enable = false;
  programs.ssh.startAgent = true;
  home-manager.users.alex = {
    services.gnome-keyring = {
      enable = true;
-      components = [ "secrets" "ssh" ];
+      components = [ "secrets" ];
    };
    programs.ssh = {
@@ -131,6 +135,19 @@
      owner = "alex";
      group = "users";
    };
    "alex.pinwheel-tadpole-ed25519" = {
      file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole-ed25519.age;
      path = "/home/alex/.ssh/alex.pinwheel-tadpole-ed25519";
      owner = "alex";
      group = "users";
    };
    "alex.pinwheel-tadpole-ed25519.pub" = {
      file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole-ed25519.pub.age;
      path = "/home/alex/.ssh/alex.pinwheel-tadpole-ed25519.pub";
      owner = "alex";
      group = "users";
    };
  };
  services.openssh = {
@@ -1,7 +1,23 @@
-{ ... }:
+{ pkgs, ... }:
 {
  services.tailscale.enable = true;
  # Pinned to 1.96.5. 1.98.0 regressed split-DNS handling under work-vpn: the
  # netmap's "resolve <tailnet>.ts.net locally via MagicDNS" hint is dropped
  # when translated into systemd-resolved config, so *.ts.net queries get sent
  # to a public resolver (199.247.155.53) that the corporate VPN's port-53
  # egress filter blocks.
  services.tailscale.package = pkgs.tailscale.overrideAttrs (_: rec {
    version = "1.96.5";
    src = pkgs.fetchFromGitHub {
      owner = "tailscale";
      repo = "tailscale";
      tag = "v${version}";
      hash = "sha256-vYYb+2OtuXftjGGG0zWJesHccrClB8YZpclv9KzNN/c=";
    };
    vendorHash = "sha256-rhuWEEN+CtumVxOw6Dy/IRxWIrZ2x6RJb6ULYwXCQc4=";
  });
  networking.firewall = {
    checkReversePath = "loose";
    allowedUDPPorts = [ 41641 ];
@@ -22,6 +22,24 @@ in
        [[ "$PATH" == "${pkgs.bashInteractive}/bin:"* ]] || export PATH="${pkgs.bashInteractive}/bin:$PATH"
      }
      precmd_functions+=(_ensure_bash_interactive)
      # Source the zsh-specific rc file that nix-direnv emits ($DIRENV_ZSH_RC)
      # so devshell completions and zsh setup are picked up. direnv itself only
      # exports env vars, so without this hook the zsh side of the devshell is
      # never loaded. Guarded by LAST_LOADED_DIRENV_ZSH_RC so we don't re-source
      # it on every precmd.
      _nix_direnv_bridge_hook() {
        if [[ -n "$DIRENV_ZSH_RC" && "$LAST_LOADED_DIRENV_ZSH_RC" != "$DIRENV_ZSH_RC" ]]; then
          if [[ -f "$DIRENV_ZSH_RC" ]]; then
            source "$DIRENV_ZSH_RC"
            export LAST_LOADED_DIRENV_ZSH_RC="$DIRENV_ZSH_RC"
            echo "❄️ direnv zsh loaded..."
          fi
        fi
      }
      autoload -Uz add-zsh-hook
      add-zsh-hook precmd _nix_direnv_bridge_hook
    '';
    # Configure IntelliJ to exclude .direnv from indexing
@@ -48,6 +48,7 @@ in
      mode = "0755";
      text = ''
        #!${pkgs.bash}/bin/bash
        [ "$1" = "alex" ] || exit 0
        for file in ${authorizedKeysPath}/*; do
          ${pkgs.coreutils}/bin/cat "$file"
        done
@@ -71,7 +72,7 @@ in
          KbdInteractiveAuthentication = false;
        };
-        authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
+        authorizedKeysCommand = "/etc/ssh/authorized_keys_command %u";
        authorizedKeysCommandUser = "root";
      };
    };
@@ -97,6 +98,11 @@ in
        path = "${authorizedKeysPath}/alex.pinwheel-tadpole.pub";
      };
      "alex.pinwheel-tadpole-ed25519.pub" = {
        file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole-ed25519.pub.age;
        path = "${authorizedKeysPath}/alex.pinwheel-tadpole-ed25519.pub";
      };
      "alex.tadpole-git.ppp.pm" = {
        file = ../../../../secrets/tadpole/alex.tadpole-git.ppp.pm.age;
        path = "/home/alex/.ssh/alex.tadpole-git.ppp.pm";
@@ -15,6 +15,8 @@ in {
  "pinwheel/alex.pinwheel-backwards.pub.age".publicKeys = [ pinwheel backwards alex ];
  "pinwheel/alex.pinwheel-tadpole.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-tadpole.pub.age".publicKeys = [ pinwheel tadpole alex ];
  "pinwheel/alex.pinwheel-tadpole-ed25519.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-tadpole-ed25519.pub.age".publicKeys = [ pinwheel tadpole alex ];
  "pinwheel/alex.pinwheel-github.com.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-github.com.pub.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-github.com-signing.age".publicKeys = [ pinwheel alex ];
Author	SHA1	Message	Date
Alexander Heldt	b6fcd199c1	pinwheel/tadpole: Add ed25519 ssh key	2026-06-17 08:35:07 +02:00
Alexander Heldt	9a49839eee	Update `whib-frontend` flake input	2026-06-03 12:59:11 +02:00
Alexander Heldt	2606f1a1c6	tadpole: Scope `authorized_keys_command` to `alex` The command was hijacking auth for all users, including `gitea`, which broke `git push` over SSH — `gitea`'s `authorized_keys` (with the `gitea serv` command restriction) was being bypassed, and sshd would try to exec the raw `git-receive-pack` instead. Pass `%u` to the command and short-circuit unless the requested user is `alex`, so other users fall back to their own `~/.ssh/authorized_keys`.	2026-06-03 12:58:08 +02:00
Alexander Heldt	331a86deb0	pinwheel: Use `openssh`s ssh-agent for SSH As gnomes gcr-ssh-agent stalls RSA signing	2026-06-03 12:58:07 +02:00
Alexander Heldt	5cf4c1037a	pinwheel: Load direnv ZSH on devshell load	2026-06-03 12:58:05 +02:00
Alexander Heldt	50bf270d1c	pinwheel: Pin `tailscale` version	2026-06-03 12:58:04 +02:00
Alexander Heldt	6e7e3aeebd	pinwheel: Fix ts LSP package location	2026-06-03 12:58:02 +02:00
Alexander Heldt	477d54c7db	pinwheel: Fix `hyprland` lock input	2026-06-03 12:58:01 +02:00
Alexander Heldt	e02b21013b	Update `whib-backend` flake input	2026-06-03 10:25:19 +00:00