home-lab/machines/congenital-optimist/configuration.nix
Geir Okkenhaug Jerstad 77e6b9a501 feat: Implement two-key SSH management strategy
- Add modules/security/ssh-keys.nix for centralized SSH key management
- Generate role-specific SSH keys with geir@geokkjer.eu email:
  - Admin key (geir@geokkjer.eu-admin) for sma user server access
  - Development key (geir@geokkjer.eu-dev) for geir user and git services
- Update SSH client config with role-based host patterns
- Configure users/geir.nix and users/sma.nix with appropriate key access
- Add SSH key setup to both machine configurations
- Create scripts/setup-ssh-keys.sh for key generation automation
- Update plan.md with completed SSH security implementation

Security benefits:
- Principle of least privilege (separate admin vs dev access)
- Limited blast radius if keys are compromised
- Clear usage patterns: ssh admin-sleeper vs ssh geir@sleeper-service.home
- Maintains compatibility with existing services during transition
2025-06-05 16:25:33 +02:00


{
  config,
  pkgs,
  inputs,
  unstable,
  ...
}: {
  imports = [
    ./hardware-configuration.nix
    ../../modules/network/network-congenital-optimist.nix
    # Security modules
    ../../modules/security/ssh-keys.nix
    # System modules
    ../../modules/system/fonts.nix
    ../../modules/system/applications.nix
    # Hardware modules
    ../../modules/hardware/amd-workstation.nix
    # Desktop environments
    ../../modules/desktop/common.nix
    ../../modules/desktop/gnome.nix
    ../../modules/desktop/cosmic.nix
    ../../modules/desktop/sway.nix
    # Development tools
    ../../modules/development/tools.nix
    # User configuration
    ../../modules/users/geir.nix
    # Virtualization configuration
    ../../modules/virtualization/incus.nix
    ../../modules/virtualization/libvirt.nix
    ../../modules/virtualization/podman.nix
  ];

  # Boot configuration
  boot.loader.grub = {
    enable = true;
    zfsSupport = true;
    efiSupport = true;
    efiInstallAsRemovable = true;
    mirroredBoots = [
      {
        devices = ["nodev"];
        path = "/boot";
      }
    ];
  };

  # ZFS services for this machine
  services.zfs = {
    autoScrub.enable = true;
    trim.enable = true;
  };

  # Basic system configuration
  nixpkgs.config.allowUnfree = true;
  system.stateVersion = "23.11"; # DO NOT CHANGE - maintains data compatibility
}
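The machine configuration above imports modules/security/ssh-keys.nix, but that module's contents are not on this page. The block below is an added illustration, not the repository's module, of how the two-key strategy the commit message describes (admin key for the sma account, dev key for the geir account, host aliases such as admin-sleeper selecting the right key) can be expressed with standard NixOS options. It assumes the users sma and geir are already declared in users/sma.nix and users/geir.nix, assumes the key file names under ~/.ssh, and uses placeholder public keys rather than real ones.

```nix
# Added example (not the repo's ssh-keys.nix). Assumes users sma and geir are
# declared elsewhere; key material below is a placeholder, not a real key.
{ config, lib, ... }:
let
  # Placeholder public keys; the real values come from ~/.ssh/*.pub.
  adminKey = "ssh-ed25519 AAAA...PLACEHOLDER-ADMIN geir@geokkjer.eu-admin";
  devKey   = "ssh-ed25519 AAAA...PLACEHOLDER-DEV geir@geokkjer.eu-dev";
in {
  # Server side: each account trusts only the key for its role, so a
  # compromised dev key cannot be used to log in as the admin account.
  users.users.sma.openssh.authorizedKeys.keys  = [ adminKey ];
  users.users.geir.openssh.authorizedKeys.keys = [ devKey ];

  # Client side: host aliases pick the key. IdentitiesOnly stops ssh from
  # offering every key the agent holds, which is what enforces the split.
  programs.ssh.extraConfig = ''
    Host admin-sleeper
      HostName sleeper-service.home
      User sma
      IdentityFile ~/.ssh/id_ed25519_admin
      IdentitiesOnly yes

    Host sleeper-service.home
      User geir
      IdentityFile ~/.ssh/id_ed25519_dev
      IdentitiesOnly yes
  '';

  # Key-only logins: a guessed or leaked password is not a second way in.
  services.openssh.settings.PasswordAuthentication = false;
  services.openssh.settings.KbdInteractiveAuthentication = false;
}
```

With this in place, `ssh admin-sleeper` reaches sleeper-service.home as sma with the admin key only, while `ssh geir@sleeper-service.home` (or a git remote pointing at that host) uses the dev key only. A quick check that the separation holds is `ssh -v admin-sleeper 2>&1 | grep 'Offering public key'`, which should list just the admin identity.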