Commit 5281c23562d7
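--- a/home/common/shell/git.nix
+++ b/home/common/shell/git.nix
@@ -30,6 +30,8 @@ let
 sshkeyPerHost = {
 # FIDO2 resident key (ssh:signing) - no touch required for signing
 kyushu = "${pkgs.writeText "yubikey5-fido2-signing" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGF/BoGqFc5/pM40bF/2UhWzRFaDmS4hJ45VtpXjUh36AAAAC3NzaDpzaWduaW5n"}";
+# Okinawa uses a different FIDO2 key (single key for all purposes)
+okinawa = "${pkgs.writeText "okinawa-fido2" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEefW7gStvkrO98v6UUawwa3yOu896Ei8USE/Sh2DjaUAAAABHNzaDo="}";
 aomi = "${pkgs.writeText "aomi" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJmTdMKYdgqpbQWBif58VBuwX+GqMGsMfB1ey1TKrM3 vincent@aomi"}";
 };
 defaultSSHKey = sshkeyPerHost.kyushu;
@@ -38,11 +40,13 @@ let
 enableGpgSign = builtins.elem hostname [
 "aomi"
 "kyushu"
+"okinawa"
 ];
 # List of allowed SSH signing keys for git commit verification
 allowedSigners = ''
 vincent@aomi ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJmTdMKYdgqpbQWBif58VBuwX+GqMGsMfB1ey1TKrM3
 vincent@kyushu sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGF/BoGqFc5/pM40bF/2UhWzRFaDmS4hJ45VtpXjUh36AAAAC3NzaDpzaWduaW5n
+vincent@okinawa sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEefW7gStvkrO98v6UUawwa3yOu896Ei8USE/Sh2DjaUAAAABHNzaDo=
 '';
 in
 {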
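Review bot: The `okinawa` entry in the first hunk makes the host's SSH authentication key double as its commit-signing key: the trailing application field of the key blob decodes to `ssh:`, whereas the kyushu key above it is a dedicated `ssh:signing` resident key, and the new comment only says "single key for all purposes" without naming the trade-off. Suggest documenting it at the definition, e.g. `# Okinawa reuses its SSH auth key (FIDO2 application "ssh:") for signing; unlike kyushu there is no separate signing key, so auth and signing trust cannot be split later`, or provisioning a second resident key with `ssh-keygen -O application=ssh:signing` as kyushu does. In the second hunk the `allowedSigners` line uses the principal `vincent@okinawa`; git matches principals against the committer e-mail, so verification only succeeds if okinawa's `user.email` is set to that value, which is presumably configured elsewhere in this file outside both hunks. The kyushu comment also records that no touch is required for signing; it would help to state the same property (or its absence) for the okinawa key, since the hunk gives no way to tell.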
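--- a/home/common/shell/openssh.nix
+++ b/home/common/shell/openssh.nix
@@ -11,6 +11,7 @@ let
 # FIDO2 keys are only available on hosts with Yubikey attached
 hasFido2Keys = hostname == "kyushu";
 isAomi = hostname == "aomi";
+isOkinawa = hostname == "okinawa";
 in
 {
 home.packages = with pkgs; [
@@ -41,6 +42,14 @@ in
 identitiesOnly = true;
 };
 };
+# Okinawa uses a single FIDO2 key (id_ed25519_sk) for everything
+okinawaOverrides = lib.optionalAttrs isOkinawa {
+"github.com".identityFile = "~/.ssh/id_ed25519_sk";
+"gitlab.com".identityFile = "~/.ssh/id_ed25519_sk";
+"codeberg.org".identityFile = "~/.ssh/id_ed25519_sk";
+"git.sr.ht".identityFile = "~/.ssh/id_ed25519_sk";
+"*.redhat.com".identityFile = "~/.ssh/id_ed25519_sk";
+};
 in
 lib.recursiveUpdate (
 {
@@ -169,7 +178,7 @@ in
 identityFile = lib.mkIf hasFido2Keys "~/.ssh/id_homelab_sk";
 };
 }
-) (lib.recursiveUpdate criticalInfraOverrides aomiOverrides);
+) (lib.recursiveUpdate criticalInfraOverrides (lib.recursiveUpdate aomiOverrides okinawaOverrides));
 extraConfig = ''
 # IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock
 GlobalKnownHostsFile ~/.ssh/ssh_known_hosts ~/.ssh/ssh_known_hosts.redhat ~/.ssh/ssh_known_hosts.mutable
@@ -177,6 +186,7 @@ in
 PreferredAuthentications publickey,password
 StreamLocalBindUnlink yes
 IdentityFile ~/.ssh/keys/%h
+${lib.optionalString isOkinawa "IdentityFile ~/.ssh/id_ed25519_sk"}
 IdentityFile ~/.ssh/id_ed25519
 '';
 };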
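Review bot: The global `IdentityFile ~/.ssh/id_ed25519_sk` added in the fourth hunk makes ssh offer the resident key to every host that has no match block, in the same way `id_ed25519` already is, which exposes the public key to unrelated servers and can trigger a token touch/PIN prompt wherever a server accepts it; if the key is only meant for the forges listed in `okinawaOverrides`, drop the global line and rely on the per-host `identityFile` entries, which the third hunk already merges in. The comment on `hasFido2Keys` in the first hunk ("FIDO2 keys are only available on hosts with Yubikey attached") is now misleading, since okinawa has a FIDO2 key but is deliberately kept out of that flag; suggest `# hasFido2Keys: hosts with the per-purpose FIDO2 key set (id_homelab_sk etc.); okinawa has a single sk key and is handled via isOkinawa`. The five `okinawaOverrides` entries in the second hunk repeat the same identityFile; `lib.genAttrs` over the host list states the intent once and keeps the list from drifting when a forge is added.
```nix
# Okinawa uses a single FIDO2 key (id_ed25519_sk) for everything
okinawaOverrides = lib.optionalAttrs isOkinawa (
  lib.genAttrs [ "github.com" "gitlab.com" "codeberg.org" "git.sr.ht" "*.redhat.com" ]
    (_: { identityFile = "~/.ssh/id_ed25519_sk"; })
);
```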
systems/okinawa/extra.nix
@@ -25,7 +25,7 @@
# Ollama for local LLM inference with dGPU
services.ollama = {
- enable = false; # Re-enable once installed
+ enable = true;
package = pkgs.ollama-rocm; # ROCm support for AMD GPU
host = "0.0.0.0";
port = 11434;