Updated all flake inputs and applied several improvements to the system configurations. *** Updates - Ran =flake update= to bring all dependencies to their latest versions. - Pinned =lix-module= to the stable =release-2.93= branch to prevent breakages from its main branch. *** System Configuration - ssh: Reworked the client configuration to use a global =*= match block for secure defaults. Disabled the default home-manager config to remove nixpkgs' warnings. - intel-vaapi-driver: Enabled the =enableHybridCodec= override to avoid building the whole package from scratch. - kde: Forced the Qt platform theme to =kde= to fix a visual bug with Stylix. - onnxruntime: Disabled CUDA/NCCL support to avoid building the whole package from scratch. *** Application Changes - firefox: Switched the default browser package to =firefox-beta= across the entire configuration (NixOS, home-manager, and niri). - editor: Removed =hurl= and =cmake-language-server= from the editor runtime environment because those packages are broken.
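{
  rootPath,
  config,
  lib,
  ...
}:
# home-manager module for the OpenSSH client (`programs.ssh`), gated behind
# `david.programs.openssh.enable`.
#
# home-manager's implicit client defaults are switched off
# (`enableDefaultConfig = false`), so the global defaults are spelled out in a
# `*` match block and per-host blocks override them.  Private keys and an
# extra, secret ssh config fragment are provided through sops when that module
# is enabled.
let
  cfg = config.david.programs.openssh;
in
{
  options = {
    david.programs.openssh = {
      enable = lib.mkEnableOption "openssh";
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      programs.ssh = {
        enable = true;

        # These are emitted before the match blocks and take precedence over
        # any host-specific setting, so they pin the algorithm policy for every
        # connection.
        extraOptionOverrides = {
          # NOTE(review): `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com` are the
          # SHA-1 RSA signature schemes that OpenSSH >= 8.8 disables by default;
          # listing them here re-enables them.  RSA host keys keep working with
          # `rsa-sha2-512` / `rsa-sha2-256` (and their `-cert-v01@openssh.com`
          # variants) -- confirm whether any peer still needs SHA-1 before
          # dropping the old names.
          HostKeyAlgorithms = "ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
          KexAlgorithms = "curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256";
          # Encrypt-then-MAC variants first; the plain HMACs are fallbacks.
          MACs = "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com";
          # AEAD ciphers first; CTR modes are fallbacks.
          Ciphers = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr";
        };

        # home-manager no longer writes its own defaults; everything it used to
        # set is stated explicitly in the `*` block below, which also silences
        # the deprecation warning mentioned in the commit message.
        enableDefaultConfig = false;

        matchBlocks = {
          # Global defaults.  ssh_config(5) uses the *first* value obtained for
          # each option, so this block has to be emitted *after* every
          # host-specific block -- otherwise `AddKeysToAgent no` here would
          # shadow the `yes` set for github.com.  As far as I can tell
          # home-manager does not guarantee an order for unconstrained match
          # blocks (the attribute set is ordered by name, and `*` sorts before
          # letters), hence the explicit DAG constraint.
          "*" = lib.hm.dag.entryAfter [ "github.com" ] {
            forwardAgent = false;
            addKeysToAgent = "no";
            compression = false;
            serverAliveInterval = 0;
            serverAliveCountMax = 3;
            hashKnownHosts = false;
            userKnownHostsFile = "~/.ssh/known_hosts";
            controlMaster = "no";
            controlPath = "~/.ssh/master-%r@%n:%p";
            controlPersist = "no";
          };

          # ssh.github.com:443 is GitHub's SSH-over-the-HTTPS-port endpoint.
          "github.com" = {
            hostname = "ssh.github.com";
            port = 443;
            user = "git";
            extraOptions = {
              # Only this host's key is added to the agent on first use; the
              # global default above keeps it off for everything else.
              AddKeysToAgent = "yes";
            };
          };
        };
      };
    })

    # Keys and the secret ssh config fragment come from sops.
    # NOTE(review): the sops option is read from `youthlic.programs.sops`
    # while this module's own option lives under `david.programs.openssh` --
    # confirm that the differing namespace is intentional and not a leftover
    # from a rename.
    (lib.mkIf (cfg.enable && config.youthlic.programs.sops.enable) {
      programs.ssh.includes = [ config.sops.secrets.ssh-config.path ];

      sops.secrets = {
        # Each private key is decrypted into ~/.ssh with owner-only
        # permissions, which ssh requires before it will load the key.
        "ssh-private-key/tytonidae" = {
          mode = "0600";
          path = "${config.home.homeDirectory}/.ssh/id_ed25519_tytonidae";
        };
        "ssh-private-key/akun" = {
          mode = "0600";
          path = "${config.home.homeDirectory}/.ssh/id_ed25519_akun";
        };
        "ssh-private-key/cape" = {
          mode = "0600";
          path = "${config.home.homeDirectory}/.ssh/id_ed25519_cape";
        };
        "ssh-private-key/deploy" = {
          mode = "0600";
          path = "${config.home.homeDirectory}/.ssh/id_ed25519_deploy";
        };
        # Extra host blocks kept out of the public tree; read-only for the
        # user and pulled in via `programs.ssh.includes` above.
        "ssh-config" = {
          mode = "0400";
          format = "yaml";
          sopsFile = rootPath + "/secrets/ssh-config.yaml";
        };
      };
    })
  ];
}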