@jamesog
jamesog / Corefile
Created March 13, 2023 20:15
CoreDNS with NextDNS
. {
    forward . tls://2a07:a8c0::ae:9cfd tls://2a07:a8c1::ae:9cfd tls://45.90.28.178 tls://45.90.30.178 8.8.8.8 8.8.4.4 {
        tls_servername dns01-ae9cfd.dns.nextdns.io
        policy sequential
    }
    cache {
        success 12800 86400 300
        denial 12800
        prefetch 25
        serve_stale 24h
@jamesog
jamesog / configuration.nix
Created March 3, 2023 12:09
NixOS using SSH CA
{ config, pkgs, ... }:
{
  environment.etc = {
    "ssh/ca.pub".text = ''
      ssh-rsa ...
    '';
  };
  services.openssh.extraConfig =
@jamesog
jamesog / README.md
Last active January 24, 2024 23:17
YubiKey as an SSH CA
@jamesog
jamesog / better-config-mgmt.md
Last active December 13, 2020 20:28
I dreamed a dream

Better config management

Syntax

Use HCL, not YAML.

# Ensure blocks group actions
ensure "Foo service" {
    package "foo" {
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>net.jamesog.takeabreak</string>
<key>Program</key>
<string>/usr/bin/say</string>
<key>ProgramArgs</key>
<array>
@jamesog
jamesog / tailscaled.sh
Last active August 20, 2023 22:14
FreeBSD rc script for tailscaled
#!/bin/sh
#
# PROVIDE: tailscaled tailscale
# REQUIRE: NETWORKING
. /etc/rc.subr
name="tailscaled"
rcvar="${name}_enable"
@jamesog
jamesog / README.md
Last active September 14, 2023 11:47
Yubikey SSH without GPG

Yubikey as an SSH key

All other guides I've seen (https://github.com/drduh/YubiKey-Guide being the most prolific) tell you to use the Yubikey's smartcard (PKCS#11) features with GnuPG via gpg-agent.

STOP THE MADNESS!

OpenSSH has supported OpenSC since version 5.4. This means that all you need to do is install the OpenSC library and tell SSH to use that library as your identity.

Prerequisites

@jamesog
jamesog / context.go
Last active January 1, 2019 16:38
HTTP DB Context
package main

import (
	"context"
	"database/sql"
	"log"
	"net/http"

	_ "github.com/lib/pq"
)
@jamesog
jamesog / siteadmin.sh
Created October 23, 2016 20:03
siteadmin.sh - ancient Apache vhost management script
#!/bin/sh
# siteadmin.sh
# Created 2005/01/07 by James O'Gorman <james@netinertia.co.uk>
#
# This script automatically creates directory structures and config file
# entries needed for a new website.
# It can also be used to clean up (remove) those entries when a website is
# no longer needed.
#
@jamesog
jamesog / gist:7959418afec6ff3d224d
Created June 22, 2015 21:49
FreeBSD on Linode KVM dmesg
Copyright (c) 1992-2014 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.1-RELEASE-p10 #0: Wed May 13 06:54:13 UTC 2015
root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
CPU: Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz (2500.08-MHz K8-class CPU)
Origin = "GenuineIntel" Id = 0x306f2 Family = 0x6 Model = 0x3f Stepping = 2
Features=0xf8bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,SS>