pinwheel/tadpole: Add ed25519 ssh key

Update whib-frontend flake input
tadpole: Scope authorized_keys_command to alex
2026-06-17 08:35:07 +02:00 · 2026-06-03 12:59:11 +02:00 · 2026-06-03 12:58:08 +02:00 · 2026-06-03 12:58:07 +02:00 · 2026-06-03 12:58:05 +02:00 · 2026-06-03 12:58:04 +02:00
10 changed files with 68 additions and 9 deletions
@@ -965,11 +965,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1761508816,
-        "narHash": "sha256-adV/lyxcmuopyuzZ49v46Yt0gft+ioEL4yl1S+vUbus=",
+        "lastModified": 1780483645,
+        "narHash": "sha256-Nr0WTh72uBCSO5jCcvHPE+4dqAPn07HZ5U1lAE4/3II=",
        "ref": "master",
-        "rev": "ab10bf50cb6b023a1b99f91c7e8d550231135eef",
-        "revCount": 223,
+        "rev": "14f98eced1ccf1e62493ad65eb38502b38db5cba",
+        "revCount": 224,
        "type": "git",
        "url": "ssh://gitea@git.ppp.pm:1122/alex/whib-react.git"
      },
@@ -45,7 +45,7 @@ in
              valign = "center";
              outline_thickness = 2;
              dots_center = true;
-              fade_on_empty = true;
+              fade_on_empty = false;
              placeholder_text = "";
            }
          ];
@@ -1,6 +1,6 @@
 { pkgs, ... }:
 {
  home-manager.users.alex = {
-    home.packages = [ pkgs.nodePackages.typescript-language-server ];
+    home.packages = [ pkgs.typescript-language-server ];
  };
 }
@@ -3,10 +3,14 @@
  # Enable gnome-keyring at system level for PAM integration
  services.gnome.gnome-keyring.enable = true;

+  # Use openssh's own ssh-agent — gcr's ssh-agent stalls signing RSA keys.
+  services.gnome.gcr-ssh-agent.enable = false;
+  programs.ssh.startAgent = true;
+
  home-manager.users.alex = {
    services.gnome-keyring = {
      enable = true;
-      components = [ "secrets" "ssh" ];
+      components = [ "secrets" ];
    };

    programs.ssh = {
@@ -131,6 +135,19 @@
      owner = "alex";
      group = "users";
    };
+
+    "alex.pinwheel-tadpole-ed25519" = {
+      file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole-ed25519.age;
+      path = "/home/alex/.ssh/alex.pinwheel-tadpole-ed25519";
+      owner = "alex";
+      group = "users";
+    };
+    "alex.pinwheel-tadpole-ed25519.pub" = {
+      file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole-ed25519.pub.age;
+      path = "/home/alex/.ssh/alex.pinwheel-tadpole-ed25519.pub";
+      owner = "alex";
+      group = "users";
+    };
  };

  services.openssh = {
@@ -1,7 +1,23 @@
-{ ... }:
+{ pkgs, ... }:
 {
  services.tailscale.enable = true;

+  # Pinned to 1.96.5. 1.98.0 regressed split-DNS handling under work-vpn: the
+  # netmap's "resolve <tailnet>.ts.net locally via MagicDNS" hint is dropped
+  # when translated into systemd-resolved config, so *.ts.net queries get sent
+  # to a public resolver (199.247.155.53) that the corporate VPN's port-53
+  # egress filter blocks.
+  services.tailscale.package = pkgs.tailscale.overrideAttrs (_: rec {
+    version = "1.96.5";
+    src = pkgs.fetchFromGitHub {
+      owner = "tailscale";
+      repo = "tailscale";
+      tag = "v${version}";
+      hash = "sha256-vYYb+2OtuXftjGGG0zWJesHccrClB8YZpclv9KzNN/c=";
+    };
+    vendorHash = "sha256-rhuWEEN+CtumVxOw6Dy/IRxWIrZ2x6RJb6ULYwXCQc4=";
+  });
+
  networking.firewall = {
    checkReversePath = "loose";
    allowedUDPPorts = [ 41641 ];
@@ -22,6 +22,24 @@ in
        [[ "$PATH" == "${pkgs.bashInteractive}/bin:"* ]] || export PATH="${pkgs.bashInteractive}/bin:$PATH"
      }
      precmd_functions+=(_ensure_bash_interactive)
+
+      # Source the zsh-specific rc file that nix-direnv emits ($DIRENV_ZSH_RC)
+      # so devshell completions and zsh setup are picked up. direnv itself only
+      # exports env vars, so without this hook the zsh side of the devshell is
+      # never loaded. Guarded by LAST_LOADED_DIRENV_ZSH_RC so we don't re-source
+      # it on every precmd.
+      _nix_direnv_bridge_hook() {
+        if [[ -n "$DIRENV_ZSH_RC" && "$LAST_LOADED_DIRENV_ZSH_RC" != "$DIRENV_ZSH_RC" ]]; then
+          if [[ -f "$DIRENV_ZSH_RC" ]]; then
+            source "$DIRENV_ZSH_RC"
+            export LAST_LOADED_DIRENV_ZSH_RC="$DIRENV_ZSH_RC"
+            echo "❄️ direnv zsh loaded..."
+          fi
+        fi
+      }
+
+      autoload -Uz add-zsh-hook
+      add-zsh-hook precmd _nix_direnv_bridge_hook
    '';

    # Configure IntelliJ to exclude .direnv from indexing
@@ -48,6 +48,7 @@ in
      mode = "0755";
      text = ''
        #!${pkgs.bash}/bin/bash
+        [ "$1" = "alex" ] || exit 0
        for file in ${authorizedKeysPath}/*; do
          ${pkgs.coreutils}/bin/cat "$file"
        done
@@ -71,7 +72,7 @@ in
          KbdInteractiveAuthentication = false;
        };

-        authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
+        authorizedKeysCommand = "/etc/ssh/authorized_keys_command %u";
        authorizedKeysCommandUser = "root";
      };
    };
@@ -97,6 +98,11 @@ in
        path = "${authorizedKeysPath}/alex.pinwheel-tadpole.pub";
      };

+      "alex.pinwheel-tadpole-ed25519.pub" = {
+        file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole-ed25519.pub.age;
+        path = "${authorizedKeysPath}/alex.pinwheel-tadpole-ed25519.pub";
+      };
+
      "alex.tadpole-git.ppp.pm" = {
        file = ../../../../secrets/tadpole/alex.tadpole-git.ppp.pm.age;
        path = "/home/alex/.ssh/alex.tadpole-git.ppp.pm";
@@ -15,6 +15,8 @@ in {
  "pinwheel/alex.pinwheel-backwards.pub.age".publicKeys = [ pinwheel backwards alex ];
  "pinwheel/alex.pinwheel-tadpole.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-tadpole.pub.age".publicKeys = [ pinwheel tadpole alex ];
+  "pinwheel/alex.pinwheel-tadpole-ed25519.age".publicKeys = [ pinwheel alex ];
+  "pinwheel/alex.pinwheel-tadpole-ed25519.pub.age".publicKeys = [ pinwheel tadpole alex ];
  "pinwheel/alex.pinwheel-github.com.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-github.com.pub.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-github.com-signing.age".publicKeys = [ pinwheel alex ];
Author	SHA1	Message	Date
Alexander Heldt	b6fcd199c1	pinwheel/tadpole: Add ed25519 ssh key	2026-06-17 08:35:07 +02:00
Alexander Heldt	9a49839eee	Update `whib-frontend` flake input	2026-06-03 12:59:11 +02:00
Alexander Heldt	2606f1a1c6	tadpole: Scope `authorized_keys_command` to `alex` The command was hijacking auth for all users, including `gitea`, which broke `git push` over SSH — `gitea`'s `authorized_keys` (with the `gitea serv` command restriction) was being bypassed, and sshd would try to exec the raw `git-receive-pack` instead. Pass `%u` to the command and short-circuit unless the requested user is `alex`, so other users fall back to their own `~/.ssh/authorized_keys`.	2026-06-03 12:58:08 +02:00
Alexander Heldt	331a86deb0	pinwheel: Use `openssh`s ssh-agent for SSH As gnomes gcr-ssh-agent stalls RSA signing	2026-06-03 12:58:07 +02:00
Alexander Heldt	5cf4c1037a	pinwheel: Load direnv ZSH on devshell load	2026-06-03 12:58:05 +02:00
Alexander Heldt	50bf270d1c	pinwheel: Pin `tailscale` version	2026-06-03 12:58:04 +02:00
Alexander Heldt	6e7e3aeebd	pinwheel: Fix ts LSP package location	2026-06-03 12:58:02 +02:00
Alexander Heldt	477d54c7db	pinwheel: Fix `hyprland` lock input	2026-06-03 12:58:01 +02:00