seanaye.bsky.social / nixos-config
me like nix
0
Fork 0

Configure Feed

Select the types of activity you want to include in your feed.

nixos-config / modules / sean.nix
at dc5f02d08e1633fe201788b0febebfd85ade885d 6.0 kB View raw
Sean Aye preserve forwarded ssh agents in ssh sessions
dd8daddd
1{ inputs, ... }: 2 3let 4 sshAuthorizedKeys = [ 5 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCIqgZ7kedxo+mOW7YG73Vp3zel3h180y3GKvHtRsXfGlpIIvRDy7pgCBQ4AGXYD4y78URQmFohYSAPqCPOPaWcU2un3XG9KvCzEsHmsbskPonitUmCiKvrKkb6oW4jCBtd7AEtBn+AiajAQFtPZ7NN2Df3AmTypvR6Irg7R+nxnfc9NTIHmGvxSDyWcbb4pguL20sctUSqGL6xGh8q/bqhdOThSimM+z9bEUNxK/5rPhwkNniMrp4pJcUrUiAh5/4DiRFG6KT+oeg+/myoz/Z1sPvAs7u/8JDQI4RshRD8Hu0oTkRBN6Hxj478q2SXbeBUZlD6IdjP3RhGpmSecoDdtWqKbpuV3eVRtQtba3KL86GBeV/bugaOdJ1Aud+1SOFJreAAuvxzMMKT+cdQZk6oOPP148DA/No+mDm/2S43lcdCXh79wA6YRAmKQ8jmZxTCtPutrvuZK1rguvvUlEoG/vhdNHh7eDa4Td07V6bjCRPUl8qk/e4M0E3pwsTlZc=" 6 "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILdilHXHdAP/V8Zq28EzHKtLAMMaFPu4+1det2N50QfhAAAABHNzaDo= sean@framework16" 7 ]; 8in 9{ 10 flake.modules.nixos.sean = 11 { pkgs, ... }: 12 { 13 users.groups.storage = { }; 14 users.groups.plugdev = { }; 15 users.users.sean = { 16 isNormalUser = true; 17 description = "Sean Aye"; 18 extraGroups = [ 19 "docker" 20 "networkmanager" 21 "wheel" 22 "video" 23 "disk" 24 "storage" 25 "input" 26 "plugdev" 27 "dialout" 28 ]; 29 shell = pkgs.fish; 30 linger = true; 31 openssh.authorizedKeys.keys = sshAuthorizedKeys; 32 }; 33 34 programs.fish.enable = true; 35 programs._1password.enable = true; 36 programs._1password-gui = { 37 enable = true; 38 polkitPolicyOwners = [ "sean" ]; 39 }; 40 }; 41 42 flake.modules.homeManager.sean = 43 { pkgs, config, ... }: 44 { 45 home.username = "sean"; 46 home.homeDirectory = "/home/sean"; 47 home.stateVersion = "25.05"; 48 49 nixpkgs.config.allowUnfree = true; 50 nixpkgs.config.permittedInsecurePackages = [ 51 "libsoup-2.74.3" 52 ]; 53 54 home.packages = with pkgs; [ 55 inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default 56 age-plugin-yubikey 57 lxqt.lxqt-policykit 58 ]; 59 60 programs.ssh = { 61 enable = true; 62 enableDefaultConfig = false; 63 matchBlocks = { 64 # For git/jj over SSH, try the local YubiKey-backed security key 65 # first. If the key is not plugged in, OpenSSH will continue on to 66 # whatever agent SSH_AUTH_SOCK points at (1Password locally, or a 67 # forwarded agent inside `ssh -A` sessions). 68 "git-forges" = { 69 host = "github.com gist.github.com codeberg.org gitlab.com"; 70 identityFile = [ 71 "${config.home.homeDirectory}/.ssh/id_ed25519_sk_rk" 72 ]; 73 }; 74 "*" = { 75 identityFile = [ 76 "${config.home.homeDirectory}/.ssh/id_ed25519_sk_rk" 77 ]; 78 }; 79 }; 80 }; 81 82 age.secrets.aws-credentials.file = ../secrets/aws.age; 83 84 programs.awscli = { 85 enable = true; 86 settings = { 87 "default" = { 88 region = "us-east-1"; 89 }; 90 }; 91 }; 92 93 home.sessionVariables = { 94 EDITOR = "hx"; 95 VISUAL = "hx"; 96 SUDO_EDITOR = "hx"; 97 SSH_ASKPASS = "${pkgs.openssh-askpass}/libexec/gtk-ssh-askpass"; 98 SSH_ASKPASS_REQUIRE = "prefer"; 99 AWS_SHARED_CREDENTIALS_FILE = config.age.secrets.aws-credentials.path; 100 }; 101 102 # Prefer forwarded agents inside SSH sessions. Some login shells source 103 # hm-session-vars after sshd has set SSH_AUTH_SOCK, so recover sshd's 104 # original value from the parent process before falling back to the local 105 # 1Password GUI agent on graphical/local sessions. 106 home.sessionVariablesExtra = '' 107 if [ -n "$SSH_CONNECTION" ] || [ -n "$SSH_CLIENT" ]; then 108 forwarded_sock=$(tr '\0' '\n' < "/proc/$PPID/environ" 2>/dev/null | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n1) 109 if [ -n "$forwarded_sock" ] && [ -S "$forwarded_sock" ]; then 110 export SSH_AUTH_SOCK="$forwarded_sock" 111 fi 112 elif [ -S "${config.home.homeDirectory}/.1password/agent.sock" ]; then 113 export SSH_AUTH_SOCK="${config.home.homeDirectory}/.1password/agent.sock" 114 fi 115 ''; 116 117 # SSH allowed signers for commit signature verification 118 home.file.".ssh/allowed_signers".text = '' 119 hello@seanaye.ca ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCIqgZ7kedxo+mOW7YG73Vp3zel3h180y3GKvHtRsXfGlpIIvRDy7pgCBQ4AGXYD4y78URQmFohYSAPqCPOPaWcU2un3XG9KvCzEsHmsbskPonitUmCiKvrKkb6oW4jCBtd7AEtBn+AiajAQFtPZ7NN2Df3AmTypvR6Irg7R+nxnfc9NTIHmGvxSDyWcbb4pguL20sctUSqGL6xGh8q/bqhdOThSimM+z9bEUNxK/5rPhwkNniMrp4pJcUrUiAh5/4DiRFG6KT+oeg+/myoz/Z1sPvAs7u/8JDQI4RshRD8Hu0oTkRBN6Hxj478q2SXbeBUZlD6IdjP3RhGpmSecoDdtWqKbpuV3eVRtQtba3KL86GBeV/bugaOdJ1Aud+1SOFJreAAuvxzMMKT+cdQZk6oOPP148DA/No+mDm/2S43lcdCXh79wA6YRAmKQ8jmZxTCtPutrvuZK1rguvvUlEoG/vhdNHh7eDa4Td07V6bjCRPUl8qk/e4M0E3pwsTlZc= 120 hello@seanaye.ca sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILdilHXHdAP/V8Zq28EzHKtLAMMaFPu4+1det2N50QfhAAAABHNzaDo= sean@framework16 121 ''; 122 123 # Yubikey identity for agenix 124 home.file.".config/agenix/yubikey-identity.txt".text = '' 125 # Serial: 26930059, Slot: 1 126 # Name: agenix 127 # Recipient: age1yubikey1qw64ag5lzvn9ekrflu5ruj4a6ucycscl6ctk39fjzf76jptsay39z442pxv 128 AGE-PLUGIN-YUBIKEY-1304E5QVZZD74FKSP8FMCT 129 ''; 130 131 # Same identity for sops 132 home.file.".config/sops/age/keys.txt".text = '' 133 # Serial: 26930059, Slot: 1 134 # Name: agenix 135 # Recipient: age1yubikey1qw64ag5lzvn9ekrflu5ruj4a6ucycscl6ctk39fjzf76jptsay39z442pxv 136 AGE-PLUGIN-YUBIKEY-1304E5QVZZD74FKSP8FMCT 137 ''; 138 139 # Yubikey sudo access 140 home.file.".config/Yubico/u2f_keys".text = '' 141 sean:2HY//CedY0ZSrKf57lT7abxG8+8bkPyxCfp/0HMlk/il/5W8pn4R5xLiZDcJtvL85U24h9IEIxa4CS22mpaDSA==,gcD/dpLdwvUFcGGPHS4qNsarH4lOEy1AJAT7zoC6BPlFRUYEa8DpVVKFTcvT6PotjnSHSrWWGb/f3U2k2jIOIw==,es256,+presence 142 ''; 143 144 programs.home-manager.enable = true; 145 }; 146}