The ssh config was getting quite unwieldy with ordering/etc. It's nicer to generate exactly what we want for each match block with nix...
+131
-1
Diff
round #2
+82
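--- a/packetmix/homes/collabora/ssh.nix
+++ b/packetmix/homes/collabora/ssh.nix
@@ -0,0 +1,82 @@
+# SPDX-FileCopyrightText: 2026 Collabora Productivity Limited
+#
+# SPDX-License-Identifier: MIT
+
+{ config, lib, ... }:
+{
+programs.ssh = {
+enable = true;
+enableDefaultConfig = false;
+matchBlocks =
+let
+base = {
+user = "collabora";
+setEnv = {
+TERM = "xterm-256color";
+};
+identityFile = "~/.ssh/id_ed25519_sk_rk_tiny_yubikey_resident"; # TODO: make this work with different YubiKeys
+extraOptions = {
+WarnWeakCrypto = "no";
+};
+};
+
+headscale = {
+proxyCommand = "nc -X 5 -x localhost:1055 %h %p";
+};
+
+incus = name: {
+extraOptions = {
+RemoteCommand = "incus shell ${name}";
+RequestTTY = "yes";
+WarnWeakCrypto = "no";
+};
+};
+
+bee-vm = {
+proxyCommand = "ssh -o 'ForwardAgent yes' collabora-bee 'ssh-add ~/.ssh/collabora-build-key && nc %h %p'";
+identityFile = "~/.ssh/id_collabora_rsa"; # Does not accept -sk keys...
+};
+
+mac = {
+user = "releng";
+};
+
+mersenne = {
+hostname = "mersenne.hs.collaboradmins.com";
+};
+
+systems = {
+collabora-almalinux8 = base // bee-vm // { hostname = "10.0.3.153"; };
+collabora-almalinux8-a = incus "almalinux8-a" // base // headscale // mersenne;
+collabora-almalinux8-b = incus "almalinux8-b" // base // headscale // mersenne;
+collabora-almalinux8-c = incus "almalinux8-c" // base // headscale // mersenne;
+collabora-bee = base // headscale // { hostname = "bee.hs.collaboradmins.com"; };
+collabora-debian10android = base // bee-vm // { hostname = "10.0.3.163"; };
+collabora-eve = base // headscale // mac // { hostname = "eve.hs.collaboradmins.com"; };
+collabora-fermat = base // headscale // { hostname = "fermat.hs.collaboradmins.com"; };
+collabora-fox = base // headscale // mac // { hostname = "fox.hs.collaboradmins.com"; };
+collabora-mersenne = base // headscale // mersenne;
+collabora-prime = base // headscale // { hostname = "prime.hs.collaboradmins.com"; };
+collabora-ron = base // headscale // mac // { hostname = "ron.hs.collaboradmins.com"; };
+collabora-woz = base // headscale // mac // { hostname = "woz.hs.collaboradmins.com"; };
+};
+in
+systems
+// {
+bee = systems.collabora-bee;
+collabora-cpci = systems.collabora-prime;
+collabora-mac-mini-intel = systems.collabora-woz;
+collabora-mac-mini-m1 = systems.collabora-fox;
+collabora-mac-mini-m4-1 = systems.collabora-eve;
+collabora-mac-mini-m4-2 = systems.collabora-ron;
+cpci = systems.collabora-prime;
+eve = systems.collabora-eve;
+fermat = systems.collabora-fermat;
+fox = systems.collabora-fox;
+mersenne = systems.collabora-mersenne;
+prime = systems.collabora-prime;
+ron = systems.collabora-ron;
+woz = systems.collabora-woz;
+};
+};
+}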
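Review bot: In `systems`, the three `collabora-almalinux8-a/b/c` entries are written `incus "almalinux8-a" // base // headscale // mersenne`, and because `//` is a shallow, right-biased merge, `base.extraOptions` replaces the whole `extraOptions` set from `incus`, so `RemoteCommand` and `RequestTTY` are dropped; `base // incus "almalinux8-a" // headscale // mersenne` keeps them (and is presumably why `incus` repeats `WarnWeakCrypto`). Separately, the `bee-vm` proxyCommand forwards the local agent to collabora-bee and runs `ssh-add` there with no lifetime, so the build key appears to stay loaded in the forwarded agent after the session ends, and the agent socket is usable by anyone privileged on collabora-bee while the connection is up. Bounding it with `ssh-add -t 300 ~/.ssh/collabora-build-key` (300 is an example value) and a comment explaining why forwarding is required would make the trade-off explicit. `WarnWeakCrypto = "no"` in `base` silences the warning for every host in the file; a comment naming which servers need it would let it be narrowed later.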
+49
-1
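--- a/packetmix/homes/minion/ssh.nix
+++ b/packetmix/homes/minion/ssh.nix
@@ -1,8 +1,14 @@
 # SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+# SPDX-FileCopyrightText: 2026 Collabora Productivity Limited
 #
 # SPDX-License-Identifier: MIT
 
-{ pkgs, ... }:
+{
+pkgs,
+config,
+lib,
+...
+}:
 {
 systemd.user.services.ssh-agent-add = {
 Unit = {
@@ -29,4 +35,46 @@
 WantedBy = [ "ssh-agent.service" ];
 };
 };
+
+programs.ssh = {
+enable = true;
+enableDefaultConfig = false;
+matchBlocks =
+let
+freshly = {
+identityFile = "~/.ssh/id_ed25519_sk_rk_tiny_yubikey_resident";
+}; # TODO: expand this to work for emden/other security keys
+
+systems = {
+"eu.nixbuild.net" = {
+hostname = "eu.nixbuild.net";
+extraOptions = {
+WarnWeakCrypto = "no";
+};
+};
+"git.freshlybakedca.ke" = {
+forwardAgent = true;
+hostname = "teal";
+user = "git";
+};
+"tangled.dev.redhead.starrysky.fyi" = {
+hostname = "localhost";
+port = 2222;
+user = "git";
+};
+freshly-midnight = freshly // {
+hostname = "midnight";
+};
+freshly-teal = freshly // {
+hostname = "teal";
+};
+};
+in
+systems
+// {
+midnight = systems.freshly-midnight;
+nixbuild = systems."eu.nixbuild.net";
+teal = systems.freshly-teal;
+};
+};
 }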
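Review bot: `forwardAgent = true` on the `"git.freshlybakedca.ke"` block exposes the local agent socket to the host `teal` on every connection as user `git`, which an ordinary git remote does not need. If something on teal relies on it, a comment such as `# agent forwarded because <reason>` should say so; otherwise the line can go. The `"eu.nixbuild.net"` block sets `WarnWeakCrypto = "no"` with no explanation, and a one-line comment naming the server-side limitation would show when it can be removed. The `systemd.user.services.ssh-agent-add` body is collapsed on this page, so whether the newly added `config` and `lib` arguments are used anywhere cannot be confirmed from here; the new `programs.ssh` block does not reference them.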
History
4 rounds
0 comments
a.starrysky.fyi
submitted
#3
1 commit
feat(pm/minion): bring ssh config into packetmix
The ssh config was getting quite unwieldy with ordering/etc. It's nicer
to generate exactly what we want for each match block with nix...
pull request successfully merged
a.starrysky.fyi
submitted
#2
1 commit
feat(pm/minion): bring ssh config into packetmix
The ssh config was getting quite unwieldy with ordering/etc. It's nicer
to generate exactly what we want for each match block with nix...
a.starrysky.fyi
submitted
#1
1 commit
expand
collapse
feat(pm/minion): bring ssh config into packetmix
The ssh config was getting quite unwieldy with ordering/etc. It's nicer
to generate exactly what we want for each match block with nix...
a.starrysky.fyi
submitted
#0
1 commit
feat(pm/minion): bring ssh config into packetmix
The ssh config was getting quite unwieldy with ordering/etc. It's nicer
to generate exactly what we want for each match block with nix...