Configure ssh signing

2026-04-21 22:53:16 +07:00 · 2026-04-21 22:53:16 +07:00 · 0f3a0c307d
parent d5d95c2dfa
commit 0f3a0c307d
5 changed files with 44 additions and 24 deletions
--- a/flake.lock
+++ b/flake.lock
@ -10,11 +10,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764289441,
-        "narHash": "sha256-ak+lgFiYE5PHByN1/BRkO5JP498hno6Ix24C1Qf/vec=",
+        "lastModified": 1775689345,
+        "narHash": "sha256-tM3s7CX+tgxlYW0Sk3nzVThg2MHn08foIuMxABupxIs=",
        "owner": "aylur",
        "repo": "ags",
-        "rev": "e169694390548dfd38ff40f1ef2163d6c3ffe3ea",
+        "rev": "bbee2f18939f1ec7ff720e717cf305e73635628f",
        "type": "github"
      },
      "original": {
@ -30,11 +30,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1773507676,
-        "narHash": "sha256-UabDWdQTsGopWsC+RW0GDBRvAXF5KbkHwEcW4UQpd/A=",
+        "lastModified": 1773914523,
+        "narHash": "sha256-GOL+bR30FPImAzy4NNsTMY1gpoINMsLTXR0WJBRSq30=",
        "owner": "aylur",
        "repo": "astal",
-        "rev": "d3fa2117d581b50e63eb3aefbf92d4883fa23f1b",
+        "rev": "41b50290c6a1cdce7b482897c22fe49286912b9a",
        "type": "github"
      },
      "original": {
@ -132,11 +132,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1773810247,
-        "narHash": "sha256-6Vz1Thy/1s7z+Rq5OfkWOBAdV4eD+OrvDs10yH6xJzQ=",
+        "lastModified": 1776661682,
+        "narHash": "sha256-X32LTSDqUdVqMy85WYdRgyt0I75wc4Lhi9j+lrCDR8w=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "d47357a4c806d18a3e853ad2699eaec3c01622e7",
+        "rev": "4bfce11ea820df0359f73736fd59c7e8f53641a6",
        "type": "github"
      },
      "original": {
@ -184,11 +184,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1773734432,
-        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
+        "lastModified": 1776169885,
+        "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
+        "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
        "type": "github"
      },
      "original": {
@ -200,11 +200,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1773734432,
-        "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
+        "lastModified": 1776169885,
+        "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
+        "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
        "type": "github"
      },
      "original": {
@ -252,11 +252,11 @@
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1773823796,
-        "narHash": "sha256-AYFcL50MSz2kdfEl1NgL5r5ukJ06MUos7l3ak2Rtn/M=",
+        "lastModified": 1776664029,
+        "narHash": "sha256-X5LbrpV66STh+DgWXx0+TnTClHoQCWjGtUcZpMfqfUk=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "098c5b211d0e445773f57d8ecefb497af07e8767",
+        "rev": "2b094682b2f7f4dbf83d4600219f4c64cda8e7e0",
        "type": "github"
      },
      "original": {
@ -299,11 +299,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1773692852,
-        "narHash": "sha256-rVzZeR2gsPCgft+SHbxlxldejpOBI6bwj6gC24XpEIk=",
+        "lastModified": 1776435302,
+        "narHash": "sha256-MSmlvbsg2kc2DdQGBR+3Shta+Spgi4A2k5tkbTnrro8=",
        "owner": "vicinaehq",
        "repo": "vicinae",
-        "rev": "f3dc9cb4696dda1218f00f2756cf25882fa5df9b",
+        "rev": "9fb1f6d2f882ebf36ab19919e99ca36ad7e06c9b",
        "type": "github"
      },
      "original": {
--- a/home/git/default.nix
+++ b/home/git/default.nix
@ -2,6 +2,14 @@
  programs.git = {
    enable = true;
    lfs.enable = true;
+
+    # 1. Update the signing configuration
+    signing = {
+      format = "ssh";
+      key = "/home/user/.secrets/SSH/Aloria/id_ed25519";
+      signByDefault = true;
+    };
+
    settings = {
      alias = {
        s = "status";
@ -11,6 +19,10 @@
        name = "Thomas Avé";
        email = "email@thomasave.be";
      };
+
+      # 2. Tell Git where your allowed_signers file is located
+      gpg.ssh.allowedSignersFile = "~/.ssh/allowed_signers";
+
      credentials.helper = "store";
      pull.rebase = false;
      push.autoSetupRemove = true;
@ -24,6 +36,7 @@
      };
      rerere.enabled = true;
    };
+
    ignores = [
      "*.direnv/"
      "*.nix/"
@ -31,6 +44,7 @@
      ".dmypy.json"
    ];
  };
+
  programs.lazygit = {
    enable = true;
    settings = {
@ -40,4 +54,9 @@
      };
    };
  };
+
+  # 3. Declaratively create the allowed_signers file (Assuming Home Manager)
+  home.file.".ssh/allowed_signers".text = ''
+    email@thomasave.be namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxMq4kubz4wWr4S8xU3GRkPcn6XRS3y7IP+qylN5QAp user@Aloria
+  '';
 }
--- a/home/utils/desktop.nix
+++ b/home/utils/desktop.nix
@ -119,4 +119,5 @@
  };

  fonts.fontconfig.enable = true;
+  gtk.gtk4.theme = config.gtk.theme; # Silence warning
 }
--- a/hosts/Aloria/default.nix
+++ b/hosts/Aloria/default.nix
@ -5,12 +5,12 @@
  config,
  ...
 }: let
-  serverIP = "10.0.0.1";
+  # serverIP = "10.0.0.1";
 in {
  imports = [
    (import ../Common/default.nix {inherit inputs pkgs config;})
    (import ../Common/desktop.nix {inherit inputs pkgs config;})
-    (import ../Common/nfs.nix {inherit pkgs serverIP;})
+    # (import ../Common/nfs.nix {inherit pkgs serverIP;})
    (import ../Common/zfs.nix {inherit inputs pkgs config;})
  ];

--- a/hosts/Aloria/hardware-configuration.nix
+++ b/hosts/Aloria/hardware-configuration.nix
@ -56,7 +56,7 @@
  nixpkgs.config.packageOverrides = pkgs: {
    zfs = pkgs.zfs_unstable;
  };
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelPackages = pkgs.linuxPackages_6_19;
  hardware.firmware = with pkgs; [
    ipu6-camera-bins
    ivsc-firmware