home-lab/machines/sleeper-service/configuration.nix
Geir Okkenhaug Jerstad 77e6b9a501 feat: Implement two-key SSH management strategy
- Add modules/security/ssh-keys.nix for centralized SSH key management
- Generate role-specific SSH keys with geir@geokkjer.eu email:
  - Admin key (geir@geokkjer.eu-admin) for sma user server access
  - Development key (geir@geokkjer.eu-dev) for geir user and git services
- Update SSH client config with role-based host patterns
- Configure users/geir.nix and users/sma.nix with appropriate key access
- Add SSH key setup to both machine configurations
- Create scripts/setup-ssh-keys.sh for key generation automation
- Update plan.md with completed SSH security implementation

Security benefits:
- Principle of least privilege (separate admin vs dev access)
- Limited blast radius if keys are compromised
- Clear usage patterns: ssh admin-sleeper vs ssh geir@sleeper-service.home
- Maintains compatibility with existing services during transition
2025-06-05 16:25:33 +02:00


{ config, pkgs, inputs, unstable, ... }: {
  imports = [
    ./hardware-configuration.nix
    ../../modules/network/network-sleeper-service.nix
    # Security modules
    ../../modules/security/ssh-keys.nix
    # User modules
    ../../modules/users/geir.nix
    ../../modules/users/sma.nix
  ];

  # Boot configuration
  boot.loader.grub = {
    enable = true;
    efiSupport = true;
    efiInstallAsRemovable = true;
    devices = [ "nodev" ];
  };

  # Time and locale
  time.timeZone = "Europe/Oslo";
  i18n.defaultLocale = "en_US.UTF-8";

  # Console configuration
  console = {
    font = "Lat2-Terminus16";
    keyMap = "no";
  };

  # Enable unfree packages
  nixpkgs.config.allowUnfree = true;

  # Basic system packages
  environment.systemPackages = with pkgs; [
    wget
    curl
    git
    htop
    eza
    bat
    ripgrep
    du-dust
    fd
    ncdu
    tree
  ];

  # Users
  users.users.geir = {
    isNormalUser = true;
    extraGroups = [ "wheel" "networkmanager" ];
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys = [
      # Add SSH public keys here
    ];
  };
  programs.zsh.enable = true;

  # Firewall configuration
  networking.firewall.allowedTCPPorts = [ 22 ];

  system.stateVersion = "25.05";
}
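The commit message above describes a two-key split (an admin key for the sma account, a dev key for the geir account, and client host patterns such as `ssh admin-sleeper`). The module below is an added illustration of how that split can be expressed in NixOS; it is not the repository's modules/security/ssh-keys.nix or users modules. The public-key strings, the client-side key file names (`~/.ssh/id_ed25519_admin`, `~/.ssh/id_ed25519_dev`) and the assumption that `users.users.sma` is declared by another module are all placeholders or assumptions.

```nix
# Added example, not the repository's own module. Keys and key paths are
# placeholders; substitute the ones produced by scripts/setup-ssh-keys.sh.
{ config, pkgs, lib, ... }:

let
  # Placeholder public keys (assumed); the email comment mirrors the
  # role naming used in the commit message.
  adminKey = "ssh-ed25519 AAAA-PLACEHOLDER-ADMIN geir@geokkjer.eu-admin";
  devKey   = "ssh-ed25519 AAAA-PLACEHOLDER-DEV geir@geokkjer.eu-dev";
in
{
  # Server side: each account accepts exactly one role key, so a leaked
  # dev key never unlocks the admin account (the "limited blast radius"
  # property). Assumes users.users.sma is defined in another module.
  users.users.sma.openssh.authorizedKeys.keys = [ adminKey ];
  users.users.geir.openssh.authorizedKeys.keys = [ devKey ];

  # Key-only authentication; no direct root login.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  # Client side (workstation): one alias per role, each pinned to a
  # single identity. IdentitiesOnly stops the agent from offering the
  # admin key when connecting as the dev user, which is what keeps the
  # two roles separate in practice rather than only on paper.
  programs.ssh.extraConfig = ''
    Host admin-sleeper
      HostName sleeper-service.home
      User sma
      IdentityFile ~/.ssh/id_ed25519_admin
      IdentitiesOnly yes

    Host sleeper-service.home
      User geir
      IdentityFile ~/.ssh/id_ed25519_dev
      IdentitiesOnly yes
  '';
}
```

To check that a host alias resolves to the intended identity before relying on it, run `ssh -G admin-sleeper` on the client and confirm that the printed `user` and `identityfile` lines match the admin role; the same check for `sleeper-service.home` should show the dev identity only.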