Commit 98ca48ae1546

Vincent Demeester <vincent@sbr.pm>
2026-01-29 19:25:09
fix(ssh): force id_ed25519 for kerkouane.vpn on aomi
On aomi (no Yubikey), explicitly use id_ed25519 with IdentitiesOnly to prevent SSH from trying other keys when connecting to kerkouane. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent b03c1dd
Changed files (1)
home/common/shell/openssh.nix
@@ -10,6 +10,7 @@
 let
   # FIDO2 keys are only available on hosts with Yubikey attached
   hasFido2Keys = hostname == "kyushu";
+  isAomi = hostname == "aomi";
 in
 {
   home.packages = with pkgs; [
@@ -139,7 +140,14 @@ in
         identityFile = lib.mkIf hasFido2Keys "~/.ssh/id_critical_infra_sk";
       };
       "kerkouane.vpn" = {
-        identityFile = lib.mkIf hasFido2Keys "~/.ssh/id_critical_infra_sk";
+        identityFile =
+          if hasFido2Keys then
+            "~/.ssh/id_critical_infra_sk"
+          else if isAomi then
+            "~/.ssh/id_ed25519"
+          else
+            null;
+        identitiesOnly = isAomi;
       };
     }
     // libx.sshConfigs globals.machines;
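Review bot: `identitiesOnly = isAomi;` limits key offers to the configured identity only on aomi, so on the FIDO2 host the client may still offer other agent or default keys to kerkouane.vpn alongside `id_critical_infra_sk`. If the intent stated in the commit message applies to every host with an explicit identity, consider `identitiesOnly = hasFido2Keys || isAomi;`. The aomi branch also replaces a hardware-backed key with the software key `~/.ssh/id_ed25519` for a host that is otherwise reached with the critical-infra key. That exception deserves a comment next to the branch, for example `# aomi has no Yubikey: software-key exception, must be explicitly authorized on kerkouane`. Whether the server side limits what that key can do is not visible here. The match-block attribute set starts before this hunk, so the neighbouring hosts' settings were not reviewed.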