machine-config/sam/configuration.nix
Chandler Swift 7ffe208af9
sam: Squelch post-quantum warn on Azure Devops SSH
Connecting to ADO gives this warning:

    ** WARNING: connection is not using a post-quantum key exchange algorithm.
    ** This session may be vulnerable to "store now, decrypt later" attacks.
    ** The server may need to be upgraded. See https://openssh.com/pq.html

ADO doesn't support any flavor of keys besides RSA. There are several
issues open about this on their feedback site, and it's been radio
silence:

https://developercommunity.visualstudio.com/t/support-non-rsa-keys-for-ssh-authentication/365980
https://developercommunity.visualstudio.com/t/11032779

And Microsoft has nothing to say besides vague "we've routed your
feedback to the appropriate product team".

There's more information on the warning at OpenSSH's docs page:

https://www.openssh.org/pq.html
2026-02-11 09:37:20 -06:00


# NixOS module for the host "sam": system settings plus a home-manager
# profile for the single user. The spice-vdagentd/qemuGuest services below
# indicate this machine runs as a QEMU/SPICE guest.
{ config, pkgs, ... }:
{
  imports =
    [
      ./hardware-configuration.nix
      # NOTE(review): home-manager is fetched from the moving `master` tarball
      # with no hash, so each evaluation trusts whatever the remote serves at
      # that moment (no integrity check, not reproducible). Pinning to a
      # release tarball via `builtins.fetchTarball { url = ...; sha256 = "<hash>"; }`
      # would make the input verifiable.
      (import "${builtins.fetchTarball https://github.com/nix-community/home-manager/archive/master.tar.gz}/nixos")
    ];

  # https://discourse.nixos.org/t/github-strategies-for-configuration-nix/1983/14
  # nixos-config resolves to this repository's checkout in the user's home
  # directory, so `nixos-rebuild` evaluates the working tree directly.
  nix.nixPath = [
    "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
    "nixos-config=/home/chandler/projects/machine-config/${config.networking.hostName}/configuration.nix"
    "/nix/var/nix/profiles/per-user/root/channels"
  ];

  # Guest integration for a QEMU/KVM VM with a SPICE display.
  services.spice-vdagentd.enable = true;
  services.qemuGuest.enable = true;

  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Use latest kernel.
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # Pin spice-vdagent to 0.22.1; the source tarball is hash-pinned, so this
  # override is reproducible (unlike the home-manager fetch above).
  nixpkgs.overlays = [
    (final: prev: {
      spice-vdagent = prev.spice-vdagent.overrideAttrs ( old: rec {
        version = "0.22.1";
        src = prev.fetchurl {
          url = "https://www.spice-space.org/download/releases/spice-vdagent-${version}.tar.bz2";
          hash = "sha256-k7DRWspHYsx9N5sXmnEBFJ267WK3IRL/+ys+kLEWh6A=";
        };
      });
    })
  ];

  networking.hostName = "sam"; # Define your hostname.

  # Enable networking
  networking.networkmanager.enable = true;

  # Set your time zone.
  time.timeZone = "America/Chicago";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "en_US.UTF-8";
    LC_IDENTIFICATION = "en_US.UTF-8";
    LC_MEASUREMENT = "en_US.UTF-8";
    LC_MONETARY = "en_US.UTF-8";
    LC_NAME = "en_US.UTF-8";
    LC_NUMERIC = "en_US.UTF-8";
    LC_PAPER = "en_US.UTF-8";
    LC_TELEPHONE = "en_US.UTF-8";
    LC_TIME = "en_US.UTF-8";
  };

  # Plasma 6 desktop on Wayland, started by SDDM.
  services.displayManager.sddm.enable = true;
  services.displayManager.sddm.wayland.enable = true;
  services.desktopManager.plasma6.enable = true;

  # Enable sound with pipewire.
  services.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
  };

  # Passwordless sudo for the wheel group. Together with the autoLogin
  # settings further down, whoever sits at this VM's console is root without
  # ever typing a password — presumably acceptable for a single-user guest;
  # revisit if the machine is ever reachable by anyone else.
  security.sudo.wheelNeedsPassword = false;

  users.groups.users.gid = 100;
  users.users.chandler = {
    uid = 1000;
    isNormalUser = true;
    description = "Chandler Swift";
    # "docker" grants control of the Docker daemon, which is generally
    # root-equivalent; moot here given passwordless sudo via "wheel".
    extraGroups = [ "networkmanager" "wheel" "docker"];
  };

  # Per-user environment managed by home-manager.
  home-manager.users.chandler = { pkgs, ... }: {
    home.packages = with pkgs; [
      # applications
      gimp3
      inkscape
      kdePackages.kate
      libreoffice-qt
      # command line applications
      (azure-cli.withExtensions [
        # azure-cli.extensions.automation
        azure-cli.extensions.azure-devops
        azure-cli.extensions.bastion
        # azure-cli.extensions.fleet
        # azure-cli.extensions.interactive
        # azure-cli.extensions.log-analytics
        azure-cli.extensions.resource-graph
        # azure-cli.extensions.serial-console
        azure-cli.extensions.ssh
      ])
      iperf
      units
      # command line utilities
      alsa-utils
      dig
      file
      ffmpeg
      git-absorb
      gh
      hyperfine
      imagemagick
      jujutsu
      killall
      kubectl
      openconnect
      pv
      ripgrep
      unzip
      wl-clipboard
      # ✨ AI ✨
      ollama
      # compilers/language utils
      cargo
      rustc
      clang
      go-tools
      gopls
    ];

    programs.bash = {
      enable = true;
      historyControl = [ "ignoredups" "ignorespace" ];
      # `k` wraps kubectl and, when stdout is a terminal, echoes the current
      # context plus the exact arguments (shell-quoted) before running, so
      # the target cluster is always visible before a command hits it.
      initExtra = ''
        # https://kubernetes.io/docs/reference/kubectl/quick-reference/#bash
        source <(kubectl completion bash)
        k() {
        if [[ -t 1 ]]; then # stdout is a terminal
        tput dim # Konsole's default theme requires some adjustment
        printf "$ kubectl --context %q" "$(kubectl config current-context 2>/dev/null)"
        printf " %q" "$@"
        echo
        tput sgr0
        fi
        kubectl "$@"
        }
        complete -o default -F __start_kubectl k
      '';
    };

    programs.go = {
      enable = true;
      env.GOPATH = [ "/home/chandler/.local/share/go" ];
    };

    programs.direnv = {
      enable = true;
      enableBashIntegration = true;
      nix-direnv.enable = true;
    };

    programs.git = {
      enable = true;
      lfs.enable = true;
      # TODO: delta or diff-so-fancy or difftastic
      settings = {
        user.name = "Chandler Swift";
        help.autoCorrect = "prompt";
        init.defaultBranch = "main";
        diff.wsErrorHighlight = "all";
        pull.ff = "only";
        url."ssh://git@github.com/ChandlerSwift/".insteadOf = "gh:";
        url."ssh://forgejo@bert/chandlerswift/".insteadOf = "forgejo:";
        push.autoSetupRemote = true;
        rebase.autosquash = true;
        rebase.autostash = true;
        fetch.parallel = 0; # "some reasonable default"
        fetch.prune = true;
        merge.conflictstyle = "diff3";
      };
      ignores = [
        "*.kate-swp"
        "*.swp"
        "*~"
        "\\#*\\#"
        "venv"
        ".direnv"
      ];
      # Conditional includes: the author identity and SSH key depend on which
      # directory tree a repository lives in. The last two entries pin a
      # dedicated deploy/identity key per project rather than reusing one key
      # everywhere.
      includes = [
        {
          condition = "gitdir:/home/chandler/work/";
          contents.user.email = "chandler.swift@pearson.com";
        }
        {
          condition = "gitdir:/home/chandler/projects/";
          contents.user.email = "chandler+pearson@chandlerswift.com";
        }
        {
          condition = "gitdir:/home/chandler/work/github-vue/";
          contents.core.sshCommand = "ssh -i ~/.ssh/github-vue";
        }
        {
          condition = "gitdir:/home/chandler/projects/machine-config/";
          contents.core.sshCommand = "ssh -i ~/.ssh/machine-config-deploy-key";
        }
      ];
      hooks = {
        pre-commit = ../git-pre-commit-hook;
      };
      # Sign every commit; the key is chosen by GnuPG from the commit author.
      signing.signByDefault = true;
      signing.key = null; # "let GnuPG decide what signing key to use depending on commit's author"
    };

    programs.ssh = {
      enable = true;
      matchBlocks."*".addKeysToAgent = "yes";
      # OpenSSH warns when the negotiated key exchange is not post-quantum
      # and the server is the side that needs upgrading; the Azure DevOps
      # server reportedly offers no PQ key exchange, so nothing client-side
      # can fix it. The warning is silenced for that one host only, via a
      # dedicated match block, so every other connection keeps it.
      matchBlocks."ssh.dev.azure.com".extraOptions.WarnWeakCrypto = "no-pq-kex";
      includes = [
        "config.d/*"
      ];
    };

    programs.firefox.enable = true;

    programs.chromium = {
      enable = true;
      extensions = [
        { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # ublock origin
      ];
    };

    programs.atuin = {
      enable = true;
      flags = [
        "--disable-up-arrow"
      ];
    };

    home.stateVersion = "25.05";
  };

  # Log straight into the desktop session without a password prompt; see the
  # note on security.sudo.wheelNeedsPassword above for the combined effect.
  services.displayManager.autoLogin.enable = true;
  services.displayManager.autoLogin.user = "chandler";

  virtualisation.docker.enable = true;

  environment.systemPackages = with pkgs; [
    git
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  programs.gnupg.agent = {
    enable = true;
    # enableSSHSupport = true;
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. Its perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "25.05"; # Did you read the comment?
}