


Alexander Heldt 2606f1a1c6 tadpole: Scope authorized_keys_command to alex
The command was hijacking auth for all users, including `gitea`, which
broke `git push` over SSH — `gitea`'s `authorized_keys` (with the
`gitea serv` command restriction) was being bypassed, and sshd would
try to exec the raw `git-receive-pack` instead.

Pass `%u` to the command and short-circuit unless the requested user
is `alex`, so other users fall back to their own `~/.ssh/authorized_keys`.
2026-06-03 12:58:08 +02:00
Alexander Heldt 331a86deb0 pinwheel: Use opensshs ssh-agent for SSH
As gnome's gcr-ssh-agent stalls RSA signing
2026-06-03 12:58:07 +02:00
Alexander Heldt 5cf4c1037a pinwheel: Load direnv ZSH on devshell load 2026-06-03 12:58:05 +02:00
Alexander Heldt 50bf270d1c pinwheel: Pin tailscale version 2026-06-03 12:58:04 +02:00
Alexander Heldt 6e7e3aeebd pinwheel: Fix ts LSP package location 2026-06-03 12:58:02 +02:00
Alexander Heldt 477d54c7db pinwheel: Fix hyprland lock input 2026-06-03 12:58:01 +02:00
6 changed files with 44 additions and 5 deletions
+1 -1
@@ -45,7 +45,7 @@ in
valign = "center"; valign = "center";
outline_thickness = 2; outline_thickness = 2;
dots_center = true; dots_center = true;
fade_on_empty = true; fade_on_empty = false;
placeholder_text = ""; placeholder_text = "";
} }
]; ];
@@ -1,6 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
home-manager.users.alex = { home-manager.users.alex = {
home.packages = [ pkgs.nodePackages.typescript-language-server ]; home.packages = [ pkgs.typescript-language-server ];
}; };
} }
+5 -1
@@ -3,10 +3,14 @@
# Enable gnome-keyring at system level for PAM integration # Enable gnome-keyring at system level for PAM integration
services.gnome.gnome-keyring.enable = true; services.gnome.gnome-keyring.enable = true;
# Use openssh's own ssh-agent — gcr's ssh-agent stalls signing RSA keys.
services.gnome.gcr-ssh-agent.enable = false;
programs.ssh.startAgent = true;
home-manager.users.alex = { home-manager.users.alex = {
services.gnome-keyring = { services.gnome-keyring = {
enable = true; enable = true;
components = [ "secrets" "ssh" ]; components = [ "secrets" ];
}; };
programs.ssh = { programs.ssh = {
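Review bot: `programs.ssh.startAgent = true;` on line 49 starts an OpenSSH agent that keeps decrypted keys usable for the whole login session with no lifetime limit, and nothing in the hunk bounds that; consider adding `programs.ssh.agentTimeout = "1h";` next to it so keys loaded into the agent expire on their own. The `components = [ "secrets" ]` change on line 53 is consistent with disabling the gcr agent, but the home-manager `programs.ssh = {` block on line 55 continues outside the hunk, so whether anything in it still points `IdentityAgent` or `SSH_AUTH_SOCK` at the old gcr/keyring socket cannot be confirmed from here and is worth checking. The comment on line 47 gives the reason for the switch; a short pointer to where the agent socket now comes from would save the next reader a search.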
+17 -1
@@ -1,7 +1,23 @@
{ ... }: { pkgs, ... }:
{ {
services.tailscale.enable = true; services.tailscale.enable = true;
# Pinned to 1.96.5. 1.98.0 regressed split-DNS handling under work-vpn: the
# netmap's "resolve <tailnet>.ts.net locally via MagicDNS" hint is dropped
# when translated into systemd-resolved config, so *.ts.net queries get sent
# to a public resolver (199.247.155.53) that the corporate VPN's port-53
# egress filter blocks.
services.tailscale.package = pkgs.tailscale.overrideAttrs (_: rec {
version = "1.96.5";
src = pkgs.fetchFromGitHub {
owner = "tailscale";
repo = "tailscale";
tag = "v${version}";
hash = "sha256-vYYb+2OtuXftjGGG0zWJesHccrClB8YZpclv9KzNN/c=";
};
vendorHash = "sha256-rhuWEEN+CtumVxOw6Dy/IRxWIrZ2x6RJb6ULYwXCQc4=";
});
networking.firewall = { networking.firewall = {
checkReversePath = "loose"; checkReversePath = "loose";
allowedUDPPorts = [ 41641 ]; allowedUDPPorts = [ 41641 ];
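Review bot: The comment on lines 62–66 explains why tailscale is pinned to 1.96.5 but gives no condition for lifting the pin, so a network-facing daemon stays frozen on an older release — and without whatever later releases fix — until someone happens to remember; add a revisit trigger such as `# TODO: drop the pin once a release newer than 1.98.0 resolves *.ts.net via MagicDNS under work-vpn again (re-test before removing).` I would also hedge on the override itself: replacing `version`, `src` and `vendorHash` through `overrideAttrs` on lines 67–76 only takes effect if the Go builder reads those from the final attribute set, which depends on the nixpkgs revision in use, so a quick check that the built binary reports 1.96.5 would confirm the pin actually applies. The `networking.firewall = {` attrset on line 77 continues past the hunk.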
+18
@@ -22,6 +22,24 @@ in
[[ "$PATH" == "${pkgs.bashInteractive}/bin:"* ]] || export PATH="${pkgs.bashInteractive}/bin:$PATH" [[ "$PATH" == "${pkgs.bashInteractive}/bin:"* ]] || export PATH="${pkgs.bashInteractive}/bin:$PATH"
} }
precmd_functions+=(_ensure_bash_interactive) precmd_functions+=(_ensure_bash_interactive)
# Source the zsh-specific rc file that nix-direnv emits ($DIRENV_ZSH_RC)
# so devshell completions and zsh setup are picked up. direnv itself only
# exports env vars, so without this hook the zsh side of the devshell is
# never loaded. Guarded by LAST_LOADED_DIRENV_ZSH_RC so we don't re-source
# it on every precmd.
_nix_direnv_bridge_hook() {
if [[ -n "$DIRENV_ZSH_RC" && "$LAST_LOADED_DIRENV_ZSH_RC" != "$DIRENV_ZSH_RC" ]]; then
if [[ -f "$DIRENV_ZSH_RC" ]]; then
source "$DIRENV_ZSH_RC"
export LAST_LOADED_DIRENV_ZSH_RC="$DIRENV_ZSH_RC"
echo " direnv zsh loaded..."
fi
fi
}
autoload -Uz add-zsh-hook
add-zsh-hook precmd _nix_direnv_bridge_hook
''; '';
# Configure IntelliJ to exclude .direnv from indexing # Configure IntelliJ to exclude .direnv from indexing
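Review bot: `export LAST_LOADED_DIRENV_ZSH_RC="$DIRENV_ZSH_RC"` on line 95 puts the guard variable into the environment, so a child zsh started inside the devshell inherits it already equal to `DIRENV_ZSH_RC` and never sources the rc itself — exactly the completions and zsh setup the hook exists to load are missing in every nested shell; keep the guard shell-local, `typeset -g LAST_LOADED_DIRENV_ZSH_RC="$DIRENV_ZSH_RC"`. Sourcing a file whose path arrives through an environment variable also deserves one sentence in the comment at lines 86–90 stating the trust assumption, e.g. `# $DIRENV_ZSH_RC is only set by an .envrc the user has run 'direnv allow' on, so sourcing it grants nothing direnv has not already been granted.` — that assumption is mine, not shown in the hunk, so confirm it before writing it down. The hook never undoes what it sourced when direnv unloads, which may be intended but is worth a word in the same comment. The zsh init string these lines live in opens before the hunk and closes at line 102.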
+2 -1
@@ -48,6 +48,7 @@ in
mode = "0755"; mode = "0755";
text = '' text = ''
#!${pkgs.bash}/bin/bash #!${pkgs.bash}/bin/bash
[ "$1" = "alex" ] || exit 0
for file in ${authorizedKeysPath}/*; do for file in ${authorizedKeysPath}/*; do
${pkgs.coreutils}/bin/cat "$file" ${pkgs.coreutils}/bin/cat "$file"
done done
@@ -71,7 +72,7 @@ in
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;
}; };
authorizedKeysCommand = "/etc/ssh/authorized_keys_command"; authorizedKeysCommand = "/etc/ssh/authorized_keys_command %u";
authorizedKeysCommandUser = "root"; authorizedKeysCommandUser = "root";
}; };
}; };
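Review bot: The new guard `[ "$1" = "alex" ] || exit 0` on line 110 carries none of the reasoning from the commit message, and the next reader who sees a key script that prints nothing for most users may well remove it; add above it `# Serve keys only for alex (sshd passes %u as $1). Every other user, gitea in particular, gets no output here so sshd falls back to their own ~/.ssh/authorized_keys and its command= restrictions stay in force.` The user name is a hard-coded literal while the rest of the module builds paths from Nix bindings such as `authorizedKeysPath`, so lifting `"alex"` into a module-level binding would keep the scope check in step with the account it protects, though whether such a binding already exists is outside the hunk. The `for file in ${authorizedKeysPath}/*` loop on line 111 still runs for alex with an unexpanded glob when the directory is empty, which only yields a cat error in sshd's log and an empty key list, so it fails closed. The `text = ''` script and the surrounding sshd attrset open and close outside the hunks.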