+45 -1

modules/editor.nix

Reviewed

··· 1 1 { ... }: { 2 2 flake.modules.homeManager.editor = 3 3 { pkgs, config, ... }: 4 4 + let 5 5 + yubikeyThen1PasswordSsh = pkgs.writeShellScriptBin "yubikey-then-1password-ssh" '' 6 6 + set -u 7 7 + 8 8 + ssh=${pkgs.openssh}/bin/ssh 9 9 + yubi_key="''${YUBIKEY_SSH_KEY:-$HOME/.ssh/id_ed25519_sk_rk}" 10 10 + op_sock="''${ONEPASSWORD_SSH_AUTH_SOCK:-$HOME/.1password/agent.sock}" 11 11 + err_file="$(${pkgs.coreutils}/bin/mktemp -t yubikey-ssh.XXXXXX)" 12 12 + trap '${pkgs.coreutils}/bin/rm -f "$err_file"' EXIT 13 13 + 14 14 + # First try the local security-key identity without any agent. This 15 15 + # makes the YubiKey win over whatever identities 1Password exposes. 16 16 + if [ -r "$yubi_key" ]; then 17 17 + if "$ssh" \ 18 18 + -o IdentityAgent=none \ 19 19 + -o IdentitiesOnly=yes \ 20 20 + -o PreferredAuthentications=publickey \ 21 21 + -i "$yubi_key" \ 22 22 + "$@" 2>"$err_file"; then 23 23 + exit 0 24 24 + fi 25 25 + 26 26 + status=$? 27 27 + if ! ${pkgs.gnugrep}/bin/grep -Eiq 'permission denied|sign_and_send_pubkey|device not found|no such device|agent refused|security key|authenticat' "$err_file"; then 28 28 + ${pkgs.coreutils}/bin/cat "$err_file" >&2 29 29 + exit "$status" 30 30 + fi 31 31 + fi 32 32 + 33 33 + # Fall back to the normal agent. Locally that is 1Password; inside an 34 34 + # SSH session keep any forwarded agent instead of clobbering it. 35 35 + if [ -z "''${SSH_CONNECTION:-}" ] && [ -S "$op_sock" ]; then 36 36 + export SSH_AUTH_SOCK="$op_sock" 37 37 + exec "$ssh" -o IdentityAgent="$op_sock" "$@" 38 38 + fi 39 39 + 40 40 + exec "$ssh" "$@" 41 41 + ''; 42 42 + in 4 43 { 5 5 - home.packages = with pkgs; [ 44 44 + home.packages = (with pkgs; [ 6 45 helix 7 46 diffnav 8 47 gh ··· 11 50 nixfmt 12 51 nil 13 52 vscode-json-languageserver 53 53 + ]) ++ [ 54 54 + yubikeyThen1PasswordSsh 14 55 ]; 56 56 + 57 57 + home.sessionVariables.GIT_SSH_COMMAND = "${yubikeyThen1PasswordSsh}/bin/yubikey-then-1password-ssh"; 15 58 16 59 programs.helix = { 17 60 enable = true; ··· 160 203 email = "hello@seanaye.ca"; 161 204 }; 162 205 init.defaultBranch = "main"; 206 206 + core.sshCommand = "${yubikeyThen1PasswordSsh}/bin/yubikey-then-1password-ssh"; 163 207 commit.gpgSign = true; 164 208 gpg.format = "ssh"; 165 209 user.signingKey = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIOIgEteUEW06dnBHe2z8vNLwz2iMKe8bba6JgMmOUpcBAAAABHNzaDo= sean@framework16";

+1 -31

modules/sean.nix

Reviewed

··· 40 40 }; 41 41 42 42 flake.modules.homeManager.sean = 43 43 - { 44 44 - pkgs, 45 45 - config, 46 46 - lib, 47 47 - ... 48 48 - }: 43 43 + { pkgs, config, ... }: 49 44 { 50 45 home.username = "sean"; 51 46 home.homeDirectory = "/home/sean"; ··· 66 61 enable = true; 67 62 enableDefaultConfig = false; 68 63 matchBlocks = { 69 69 - # For git/jj over SSH, try the local YubiKey-backed security key 70 70 - # first. For Codeberg, restrict agent identities so 1Password is 71 71 - # only used as a fallback after the YubiKey identity. 72 72 - "codeberg.org" = lib.hm.dag.entryBefore [ "git-forges" ] { 73 73 - identityFile = [ 74 74 - "${config.home.homeDirectory}/.ssh/id_ed25519_sk_rk" 75 75 - "${config.home.homeDirectory}/.ssh/1password-codeberg.pub" 76 76 - ]; 77 77 - identityAgent = [ 78 78 - "${config.home.homeDirectory}/.1password/agent.sock" 79 79 - ]; 80 80 - identitiesOnly = true; 81 81 - }; 82 82 - "git-forges" = { 83 83 - host = "github.com gist.github.com gitlab.com"; 84 84 - identityFile = [ 85 85 - "${config.home.homeDirectory}/.ssh/id_ed25519_sk_rk" 86 86 - ]; 87 87 - }; 88 64 "*" = { 89 65 identityFile = [ 90 66 "${config.home.homeDirectory}/.ssh/id_ed25519_sk_rk" ··· 132 108 home.file.".ssh/allowed_signers".text = '' 133 109 hello@seanaye.ca ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCIqgZ7kedxo+mOW7YG73Vp3zel3h180y3GKvHtRsXfGlpIIvRDy7pgCBQ4AGXYD4y78URQmFohYSAPqCPOPaWcU2un3XG9KvCzEsHmsbskPonitUmCiKvrKkb6oW4jCBtd7AEtBn+AiajAQFtPZ7NN2Df3AmTypvR6Irg7R+nxnfc9NTIHmGvxSDyWcbb4pguL20sctUSqGL6xGh8q/bqhdOThSimM+z9bEUNxK/5rPhwkNniMrp4pJcUrUiAh5/4DiRFG6KT+oeg+/myoz/Z1sPvAs7u/8JDQI4RshRD8Hu0oTkRBN6Hxj478q2SXbeBUZlD6IdjP3RhGpmSecoDdtWqKbpuV3eVRtQtba3KL86GBeV/bugaOdJ1Aud+1SOFJreAAuvxzMMKT+cdQZk6oOPP148DA/No+mDm/2S43lcdCXh79wA6YRAmKQ8jmZxTCtPutrvuZK1rguvvUlEoG/vhdNHh7eDa4Td07V6bjCRPUl8qk/e4M0E3pwsTlZc= 134 110 hello@seanaye.ca sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILdilHXHdAP/V8Zq28EzHKtLAMMaFPu4+1det2N50QfhAAAABHNzaDo= sean@framework16 135 135 - ''; 136 136 - 137 137 - # Public half of the 1Password Codeberg key, used to make OpenSSH try 138 138 - # this agent identity only after the YubiKey security key. 139 139 - home.file.".ssh/1password-codeberg.pub".text = '' 140 140 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHfOR2xQ1b+oZytOmbNvThIRym0R1zKtCd0dbwjPcxd1 SSH Key Codeberg 141 111 ''; 142 112 143 113 # Yubikey identity for agenix