

commit 2ec3b00777bc2307f1fd724877d0468958b82f7c
parent 24b452416e7d7499c9838da37d768286123712b2
Author: Leah (ctucx) <git@ctu.cx>
Date: Thu, 13 Oct 2022 19:26:39 +0200

machines/osterei: add possibility to use gpg and ssh with forwarded agents
5 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/configurations/common/programs/gpg.nix b/configurations/common/programs/gpg.nix
@@ -13,12 +13,6 @@
 
       sessionVariables = {
         GNUPGHOME     = "$HOME/.gnupg";
-        SSH_AUTH_SOCK = (
-          if pkgs.stdenv.isLinux then
-            "/run/user/1000/gnupg/S.gpg-agent.ssh"
-          else
-            null
-        );
       };
 
       shellAliases = {
diff --git a/configurations/common/programs/ssh.nix b/configurations/common/programs/ssh.nix
@@ -16,6 +16,14 @@
             port     = 62954;
           };
 
+          "osterei-forwardAgents" = {
+            hostname     = "osterei.ctu.cx";
+            forwardAgent = true;
+            extraOptions = {
+              RemoteForward = "/run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra";
+            };
+          };
+
           "ctucx-git" = {
             user     = "git";
             hostname = "osterei.ctu.cx";
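Review bot: `forwardAgent = true` together with the RemoteForward on the new `osterei-forwardAgents` entry lets any process running as uid 1000 on osterei use the local SSH keys and, through the restricted `S.gpg-agent.extra` socket, request signing and decryption with the local gpg keys for as long as the session is open, and the entry carries no comment saying so. Since the alias is opt-in per connection that is a defensible trade-off, but it should be stated next to the block, e.g. `# opt-in: forwards the ssh agent and the restricted gpg-agent socket (S.gpg-agent.extra); while connected, uid 1000 on osterei can use the local keys`. Both socket paths also hard-code uid 1000 on the local and the remote side; if I read ssh_config(5) right the local side could use the `%i` (local uid) token instead, which matters only if this match block is ever shared between machines with different uids. The enclosing `matchBlocks` attribute set starts and ends outside the hunk.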
diff --git a/configurations/linux/default.nix b/configurations/linux/default.nix
@@ -56,6 +56,7 @@
       ports                  = [ 22 ];
       passwordAuthentication = false;
       permitRootLogin        = "without-password";
+      extraConfig            = "StreamLocalBindUnlink yes";
     };
   };
 
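Review bot: `StreamLocalBindUnlink yes` is added to the sshd block of the shared `configurations/linux/default.nix`, so it takes effect on every Linux host that imports this file, while osterei is the only host the commit wires forwarded agents up for. The option only makes sshd unlink an existing Unix socket at a RemoteForward bind path before binding, so the impact is small, but the scope should be deliberate: either move the line to `machines/osterei/configuration.nix` or keep it here with the reason recorded, `extraConfig = "StreamLocalBindUnlink yes"; # unlink stale unix sockets before binding a RemoteForward (forwarded gpg-agent socket)`. The enclosing attribute set (presumably `services.openssh`) starts outside the hunk.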
diff --git a/machines/lollo/remote-admin.nix b/machines/lollo/remote-admin.nix
@@ -8,7 +8,7 @@
   ];
 
   home-manager.users.leah.services.gpg-agent = {
-    pinentryFlavor     = lib.mkForce "tty";
+    pinentryFlavor     = lib.mkForce "curses";
     defaultCacheTtl    = lib.mkForce 300;
     defaultCacheTtlSsh = lib.mkForce 300;
     maxCacheTtl        = lib.mkForce 300;
diff --git a/machines/osterei/configuration.nix b/machines/osterei/configuration.nix
@@ -5,6 +5,9 @@
   imports = [
     ./hardware-configuration.nix
 
+    ../../configurations/common/programs/gpg.nix
+    ../../configurations/common/programs/password-store.nix
+
     # dns server
     ../../configurations/linux/services/dns.nix
 

@@ -31,6 +34,9 @@
     ./websites
   ];
 
+  services.pcscd.enable                             = lib.mkForce false;
+  home-manager.users.leah.services.gpg-agent.enable = lib.mkForce false;
+
   age.secrets.restic-server-lollo.file    = ../../secrets/restic-server/lollo.age;
   age.secrets.restic-server-desastro.file = ../../secrets/restic-server/desastro.age;
   age.secrets.restic-server-hector.file   = ../../secrets/restic-server/hector.age;
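Review bot: With `home-manager.users.leah.services.gpg-agent.enable` forced off here, nothing on osterei starts an agent, so the remote path `/run/user/1000/gnupg/S.gpg-agent` that the `osterei-forwardAgents` RemoteForward binds to only exists once something has created the `gnupg` runtime directory; gpg creates it on first use, but after a fresh boot and before the first `gpg` invocation the forward would presumably fail with a client-side bind warning rather than an error, which is worth confirming on the host. A short comment would save the next reader the cross-reference: `# local agent disabled on purpose: the gpg-agent socket is provided by RemoteForward from the osterei-forwardAgents ssh entry`. Disabling pcscd alongside it looks consistent with that model, since no local smartcard access is expected without a local agent. The enclosing attribute set starts before this hunk.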