diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix
index f4b723dc8d..0be262b0cb 100644
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
@@ -154,7 +154,12 @@ in
   };
   environment.homeBinInPath = true;
-  security.pam.enableSSHAgentAuth = true;
+  security.pam.sshAgentAuth = {
+    enable = true;
+    authorizedKeysFiles = [
+      (toString ../../secrets/ssh-agent-pam.pub)
+    ];
+  };
   security.pam.ussh = {
     enable = true;
     control = "sufficient";
@@ -329,7 +334,7 @@ in
   services.fwupd.enable = true;
   # This is enabled independently of my.scrapeJournal.enable.
-  services.journald.enableHttpGateway = config.my.ip.tailscale != null || config.my.ip.tailscale6 != null;
+  services.journald.gateway.enable = config.my.ip.tailscale != null || config.my.ip.tailscale6 != null;
   systemd.sockets.systemd-journal-gatewayd.socketConfig = lib.optionalAttrs (config.my.ip.tailscale != null) {
     ListenStream = [ "" ] ++ (lib.optional (config.my.ip.tailscale != null) "${config.my.ip.tailscale}:19531") ++ (lib.optional (config.my.ip.tailscale6 != null) "[${config.my.ip.tailscale6}:19531");
     FreeBind = true;
diff --git a/ops/secrets/ssh-agent-pam.pub b/ops/secrets/ssh-agent-pam.pub
new file mode 100644
index 0000000000..981bbcfec5
--- /dev/null
+++ b/ops/secrets/ssh-agent-pam.pub
@@ -0,0 +1,4 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILid+1rq3k3k7Kbaw8X63vrPrQdanH55TucQwp3ZWfo+ lukegb@porcorosso
+sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBAgBXCPpGxeapXvRW8z+/ZFMXvZ9q+Z2mcn5ApCSKqkS7CQjlzTj7Z21/DRQEXQALALLyqfFhcDm1VZkEp/ruBYAAAAEc3NoOg== lukegb@porcorosso
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINytpHct7PLdLNp6MoaOPP7ccBPUQKymVNMqix//Wt1f termius
+cert-authority,principals="lukegb" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqNOwlR7Qa8cbGpDfSCOweDPbAGQOZIcoRgh6s/J8DR vault-clients
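Review bot: `authorizedKeysFiles` is set to one global file rather than a `%u`-scoped path, so every key in `ops/secrets/ssh-agent-pam.pub` satisfies pam_ssh_agent_auth for any local account (sudo, su, and any other PAM stack that gets this module), and giving the option an explicit value replaces the NixOS default per-user file rather than adding to it. If that is the intended trust model, a one-line comment above the list would save the next reader a check: `# Global (not %u-scoped): any agent holding one of these keys passes PAM agent auth for every account.` The `cert-authority,principals="lukegb"` entry only restricts anything if the packaged pam_ssh_agent_auth honours certificate lines in an authorized_keys file; that is worth confirming against the nixpkgs version, since an unsupported line would be ignored silently rather than rejected. The enclosing attribute set begins and ends outside this hunk.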
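Review bot: The renamed `services.journald.gateway.enable` line turns the gateway on when either `config.my.ip.tailscale` or `config.my.ip.tailscale6` is set, but the `socketConfig` override just below is guarded by `lib.optionalAttrs (config.my.ip.tailscale != null)` alone, so a host that only has `tailscale6` enables the journal gateway without overriding its socket and falls back to whatever the stock gatewayd socket unit listens on, which is presumably not limited to the Tailscale address. Widening the guard to the same disjunction, `lib.optionalAttrs (config.my.ip.tailscale != null || config.my.ip.tailscale6 != null) {`, keeps the listener tied to Tailscale in both cases. The IPv6 entry `"[${config.my.ip.tailscale6}:19531"` also appears to lack the closing `]` systemd expects for a bracketed address; unless that is an artefact of how this page was extracted, it should read `"[${config.my.ip.tailscale6}]:19531"`. Both observations concern unchanged context rather than the rename itself, and the enclosing attribute set ends outside the hunk.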