Alexander Heldt
2606f1a1c6
The command was hijacking auth for all users, including `gitea`, which broke `git push` over SSH — `gitea`'s `authorized_keys` (with the `gitea serv` command restriction) was being bypassed, and sshd would try to exec the raw `git-receive-pack` instead. Pass `%u` to the command and short-circuit unless the requested user is `alex`, so other users fall back to their own `~/.ssh/authorized_keys`.
116 lines
2.8 KiB
Nix
116 lines
2.8 KiB
Nix
{
|
|
pkgs,
|
|
lib,
|
|
config,
|
|
...
|
|
}:
|
|
let
|
|
enabled = config.mod.ssh.enable;
|
|
|
|
authorizedKeysPath = "/home/alex/.ssh/authorized-keys";
|
|
rootSSHKeyPath = "/etc/ssh";
|
|
in
|
|
{
|
|
options = {
|
|
mod.ssh = {
|
|
enable = lib.mkEnableOption "enable ssh module";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf enabled {
|
|
home-manager.users.alex = {
|
|
programs.ssh = {
|
|
enable = true;
|
|
|
|
matchBlocks = {
|
|
"git.ppp.pm" = {
|
|
hostname = "git.ppp.pm";
|
|
identityFile = "/home/alex/.ssh/alex.tadpole-git.ppp.pm";
|
|
};
|
|
|
|
"*" = {
|
|
forwardAgent = false;
|
|
addKeysToAgent = "no";
|
|
compression = false;
|
|
serverAliveInterval = 0;
|
|
serverAliveCountMax = 3;
|
|
hashKnownHosts = false;
|
|
userKnownHostsFile = "~/.ssh/known_hosts";
|
|
controlMaster = "no";
|
|
controlPath = "~/.ssh/master-%r@%n:%p";
|
|
controlPersist = "no";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
environment.etc."ssh/authorized_keys_command" = {
|
|
mode = "0755";
|
|
text = ''
|
|
#!${pkgs.bash}/bin/bash
|
|
[ "$1" = "alex" ] || exit 0
|
|
for file in ${authorizedKeysPath}/*; do
|
|
${pkgs.coreutils}/bin/cat "$file"
|
|
done
|
|
'';
|
|
};
|
|
|
|
services = {
|
|
openssh = {
|
|
enable = true;
|
|
ports = [ 1122 ];
|
|
|
|
hostKeys = [
|
|
{
|
|
path = "${rootSSHKeyPath}/root.tadpole";
|
|
type = "ed25519";
|
|
}
|
|
];
|
|
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
KbdInteractiveAuthentication = false;
|
|
};
|
|
|
|
authorizedKeysCommand = "/etc/ssh/authorized_keys_command %u";
|
|
authorizedKeysCommandUser = "root";
|
|
};
|
|
};
|
|
|
|
networking = {
|
|
firewall = {
|
|
allowedTCPPorts = [ 1122 ];
|
|
};
|
|
};
|
|
|
|
age.secrets = {
|
|
"root.tadpole" = {
|
|
file = ../../../../secrets/tadpole/root.tadpole.age;
|
|
path = "${rootSSHKeyPath}/root.tadpole";
|
|
};
|
|
"root.tadpole.pub" = {
|
|
file = ../../../../secrets/tadpole/root.tadpole.pub.age;
|
|
path = "${rootSSHKeyPath}/root.tadpole.pub";
|
|
};
|
|
|
|
"alex.pinwheel-tadpole.pub" = {
|
|
file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole.pub.age;
|
|
path = "${authorizedKeysPath}/alex.pinwheel-tadpole.pub";
|
|
};
|
|
|
|
"alex.tadpole-git.ppp.pm" = {
|
|
file = ../../../../secrets/tadpole/alex.tadpole-git.ppp.pm.age;
|
|
path = "/home/alex/.ssh/alex.tadpole-git.ppp.pm";
|
|
owner = "alex";
|
|
group = "users";
|
|
};
|
|
"alex.tadpole-git.ppp.pm.pub" = {
|
|
file = ../../../../secrets/tadpole/alex.tadpole-git.ppp.pm.pub.age;
|
|
path = "/home/alex/.ssh/alex.tadpole-git.ppp.pm.pub";
|
|
owner = "alex";
|
|
group = "users";
|
|
};
|
|
};
|
|
};
|
|
}
|