chore: fix netbird ssh

2026-03-02 19:24:28 +01:00
parent 674ce6957c
commit e4195230a5
6 changed files with 115 additions and 20 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -246,11 +246,11 @@
        "openspec": "openspec"
      },
      "locked": {
-        "lastModified": 1772041931,
-        "narHash": "sha256-NQOQrGtR1EXM33JSVUt5Sz5MburSxWU7t9iZrJk9gQo=",
+        "lastModified": 1772460048,
+        "narHash": "sha256-qN2a0yrXZplR0z98ZVgWNSwh3hbR600KSJmgHLegjcg=",
        "ref": "refs/heads/master",
-        "rev": "e22774539ac26071b1bc0e6e8272df3c3ec732f2",
-        "revCount": 132,
+        "rev": "be401c2ebbf336cb6b443a1e9bbee3adb4c58d13",
+        "revCount": 141,
        "type": "git",
        "url": "https://code.m3ta.dev/m3tam3re/nixpkgs"
      },
@@ -393,11 +393,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1771574031,
-        "narHash": "sha256-yKeO6auxI8PrBZOdt/LVRDm+bh939E60l4iZKo1ExeA=",
+        "lastModified": 1772459199,
+        "narHash": "sha256-bwbGxsckrQDHihUGkb9Bw9+6RnpPOZ1Uo6h+Dp94Th4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ab43bb60c7d266a4a285e863d89c1e69cd124dd5",
+        "rev": "f88889dd2451655660dde8700eae20f93a789355",
        "type": "github"
      },
      "original": {
@@ -457,11 +457,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1771369470,
-        "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
+        "lastModified": 1772198003,
+        "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "0182a361324364ae3f436a63005877674cf45efb",
+        "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61",
        "type": "github"
      },
      "original": {
@@ -548,16 +548,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1772031356,
-        "narHash": "sha256-PA3/P5nUDlrKD6xjDXFoNNF8U2Wzz2JeeY4H+CzWWgY=",
+        "lastModified": 1772094145,
+        "narHash": "sha256-26MV9TbyAF0KFqZtIHPYu6wqJwf0pNPdW/D3gDQEUlQ=",
        "owner": "anomalyco",
        "repo": "opencode",
-        "rev": "de2bc25677b419d2af0da8b6a24a05d3f22b67a8",
+        "rev": "799b2623cbb1c0f19e045d87c2c8593e83678bc0",
        "type": "github"
      },
      "original": {
        "owner": "anomalyco",
-        "ref": "v1.2.14",
+        "ref": "v1.2.15",
        "repo": "opencode",
        "type": "github"
      }
@@ -570,11 +570,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1771554066,
-        "narHash": "sha256-nQPz81Um+4zhEeNz1o55Ix1DoBEM3CxeABAmOJkgIac=",
+        "lastModified": 1772182342,
+        "narHash": "sha256-9Q0iUyZGcDPLdgvnrBN3GumV8g9akV8TFb8bFkD1yYs=",
        "owner": "Fission-AI",
        "repo": "OpenSpec",
-        "rev": "4ba26902dfecf6f54c5a729993e012a57f4e2877",
+        "rev": "afdca0d5dab1aa109cfd8848b2512333ccad60c3",
        "type": "github"
      },
      "original": {
--- a/hosts/common/users/m3tam3re.nix
+++ b/hosts/common/users/m3tam3re.nix
@@ -24,6 +24,7 @@
    ];
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU= m3tam3re@m3-nix"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZcjCKl0DRuOUOMXbM0GKY5JjvmyFpVZ/tRlTKWu/zp razr"
    ];
    packages = [inputs.home-manager.packages.${pkgs.stdenv.hostPlatform.system}.default];
  };
--- a/hosts/m3-ares/services/default.nix
+++ b/hosts/m3-ares/services/default.nix
@@ -1,6 +1,7 @@
-{
+{pkgs, ...}: {
  imports = [
    ./containers
+    ./netbird.nix
    #./n8n.nix
    ./mem0.nix
    ./postgres.nix
@@ -9,8 +10,20 @@
    ./udev.nix
    ./wireguard.nix
  ];
+  # console.useXkbConfig = true;
+
+  # services.xserver.xkb = {
+  #   layout = "de,us";
+  #   options = "ctrl:nocaps";
+  # };
+
+  # optional, falls du auch die TTY-Konsole deutsch willst:
  services = {
    hypridle.enable = true;
+    espanso = {
+      enable = true;
+      package = pkgs.espanso-wayland;
+    };
    printing.enable = true;
    gvfs.enable = true;
    trezord.enable = true;
--- a/hosts/m3-ares/services/netbird.nix
+++ b/hosts/m3-ares/services/netbird.nix
@@ -0,0 +1,29 @@
+{pkgs, ...}: {
+  services.netbird.enable = true;
+  environment.systemPackages = with pkgs; [netbird-ui];
+
+  systemd.services.netbird = {
+    environment = {
+      NB_DISABLE_SSH_CONFIG = "true";
+    };
+    path = [
+      pkgs.shadow
+      pkgs.util-linux
+    ];
+  };
+
+  programs.ssh.extraConfig = ''
+    Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
+        PreferredAuthentications password,publickey,keyboard-interactive
+        PasswordAuthentication yes
+        PubkeyAuthentication yes
+        BatchMode no
+        ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
+        StrictHostKeyChecking no
+        UserKnownHostsFile /dev/null
+        CheckHostIP no
+        LogLevel ERROR
+  '';
+
+  networking.firewall.checkReversePath = "loose";
+}
--- a/hosts/m3-atlas/services/netbird.nix
+++ b/hosts/m3-atlas/services/netbird.nix
@@ -1,3 +1,28 @@
-{
+{pkgs, ...}: {
  services.netbird.enable = true;
+
+  systemd.services.netbird = {
+    environment = {
+      NB_DISABLE_SSH_CONFIG = "true";
+    };
+    path = [
+      pkgs.shadow
+      pkgs.util-linux
+    ];
+  };
+
+  programs.ssh.extraConfig = ''
+    Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
+        PreferredAuthentications password,publickey,keyboard-interactive
+        PasswordAuthentication yes
+        PubkeyAuthentication yes
+        BatchMode no
+        ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
+        StrictHostKeyChecking no
+        UserKnownHostsFile /dev/null
+        CheckHostIP no
+        LogLevel ERROR
+  '';
+
+  networking.firewall.checkReversePath = "loose";
 }
--- a/hosts/m3-kratos/services/netbird.nix
+++ b/hosts/m3-kratos/services/netbird.nix
@@ -1,5 +1,32 @@
 {pkgs, ...}: {
  services.netbird.enable = true;
-  environment.systemPackages = [pkgs.netbird-ui];
+  environment.systemPackages = with pkgs; [netbird-ui];
+
+  systemd.services.netbird = {
+    environment = {
+      NB_DISABLE_SSH_CONFIG = "true";
+    };
+    path = [
+      pkgs.shadow # login
+      pkgs.util-linux # runuser
+    ];
+  };
+
+  # Symlink kannst du jetzt ENTFERNEN – nicht mehr nötig!
+  # system.activationScripts.netbird-login-link = ...  # LÖSCHEN
+
+  programs.ssh.extraConfig = ''
+    Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
+        PreferredAuthentications password,publickey,keyboard-interactive
+        PasswordAuthentication yes
+        PubkeyAuthentication yes
+        BatchMode no
+        ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
+        StrictHostKeyChecking no
+        UserKnownHostsFile /dev/null
+        CheckHostIP no
+        LogLevel ERROR
+  '';
+
  networking.firewall.checkReversePath = "loose";
 }