SSH Leaf

cells/shell/ssh.nix attaches SSH user configuration to the security branch.

Up: shell leaves

Down: SOPS secrets | OpenSSH

What this leaf does

The leaf imports a private SSH host map from the secrets input, declares secret-managed private key files, writes public key files, and enables Home Manager SSH configuration.

Public examples should redact real host aliases, public keys, identity file names, and private repository paths.

programs.ssh = {
  enable = true;
  enableDefaultConfig = false;
  matchBlocks = {
    "example-host" = {
      hostName = "host.example.com";
      user = "admin";
      identityFile = "~/.ssh/example_key";
    };
 
    "*".extraOptions = {
      AddKeysToAgent = "yes";
      PasswordAuthentication = "no";
      ForwardAgent = "no";
    };
  };
};

Why it belongs to security

SSH configuration encodes trust relationships. It controls identity files, host matching, forwarding, and authentication policy. That belongs with security and secrets, not with generic shell convenience.

Hardened mode

The real leaf tightens algorithms when the security level is hardened. Keep this as a profile-controlled policy so compatibility and strictness can be adjusted intentionally.
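The profile switch described above, written out as a Home Manager module. This is an added example, not the repository's cells/shell/ssh.nix: the option path profiles.security.level, the algorithm lists, the host alias and the key path are all assumptions or placeholders.

```nix
# Added example, not the repository's cells/shell/ssh.nix. Assumes the
# profile option lives at profiles.security.level (an assumption).
{ config, lib, ... }:
let
  hardened = config.profiles.security.level == "hardened";
  join = lib.concatStringsSep ",";

  # Policy that applies at every level: no passwords, no agent forwarding.
  baseline = {
    AddKeysToAgent = "yes";
    PasswordAuthentication = "no";
    ForwardAgent = "no";
    HashKnownHosts = "yes";
    StrictHostKeyChecking = "ask";
  };

  # Extra restrictions layered on only when the profile is hardened.
  # Servers lacking these algorithms will refuse to negotiate; that is
  # the intended trade-off, so it stays behind the profile switch.
  hardenedOptions = {
    KexAlgorithms = join [ "sntrup761x25519-sha512@openssh.com" "curve25519-sha256" ];
    Ciphers = join [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ];
    MACs = join [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" ];
    HostKeyAlgorithms = join [ "ssh-ed25519" "ssh-ed25519-cert-v01@openssh.com" ];
    PubkeyAcceptedAlgorithms = join [ "ssh-ed25519" "ssh-ed25519-cert-v01@openssh.com" ];
  };
in
{
  options.profiles.security.level = lib.mkOption {
    type = lib.types.enum [ "standard" "hardened" ];
    default = "standard";
    description = "Security profile; hardened pins the SSH algorithm set.";
  };

  config.programs.ssh = {
    enable = true;
    enableDefaultConfig = false;
    matchBlocks = {
      "example-host" = {
        hostName = "host.example.com";        # placeholder alias and host
        user = "admin";
        identityFile = "~/.ssh/example_key";  # placeholder; real leaf uses a secret-managed path
        identitiesOnly = true;                # offer only this key, not every key in the agent
      };
      # extraOptions values must be strings, hence the join above.
      "*".extraOptions = baseline // lib.optionalAttrs hardened hardenedOptions;
    };
  };
}
```

Switching the level to "standard" drops only hardenedOptions, so the baseline policy (no password authentication, no agent forwarding) holds at every level.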