From 4a285e04445d410a68ae9de0e9ab8f3879ae74ce Mon Sep 17 00:00:00 2001 From: xqtc161 Date: Mon, 1 Jul 2024 15:53:59 +0200 Subject: [PATCH] Mitigate CVE-2024-6387 until merged upstream; Add justfile --- home/modules/home-pkgs.nix | 2 ++ hosts/x86_64-linux/beleth/default.nix | 5 ++++- hosts/x86_64-linux/beleth/networking.nix | 2 ++ justfile | 7 +++++++ 4 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 justfile diff --git a/home/modules/home-pkgs.nix b/home/modules/home-pkgs.nix index 65d157c..77d5a64 100644 --- a/home/modules/home-pkgs.nix +++ b/home/modules/home-pkgs.nix @@ -28,6 +28,8 @@ in { pkgs.iftop pkgs.ranger + pkgs.just + pkgs.catppuccin-kde pkgs.anki diff --git a/hosts/x86_64-linux/beleth/default.nix b/hosts/x86_64-linux/beleth/default.nix index e789d00..654e1d3 100644 --- a/hosts/x86_64-linux/beleth/default.nix +++ b/hosts/x86_64-linux/beleth/default.nix @@ -161,7 +161,10 @@ with lib; { ]; }; users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN7UkcmSVo+SeB5Obevz3mf3UHruYxn0UHUzoOs2gDBy xqtc@asmodeus" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJTLJqIVwnqFO64rnc66d234TFOdFXpDS9fJUA4/f4in xqtc@alastor" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN7UkcmSVo+SeB5Obevz3mf3UHruYxn0UHUzoOs2gDBy xqtc@asmodeus" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPf3w5bHAssHthg9SPXVpG4w9v8m16X/0J3bjg08P6EA xqtc@seraphim" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYa+LoHGGvu12iBufUcr3GD8tsq4LuJdwLjaDkTr0SL xqtc@lilith" ]; programs.bash.blesh.enable = true; diff --git a/hosts/x86_64-linux/beleth/networking.nix b/hosts/x86_64-linux/beleth/networking.nix index d398a56..35d0c40 100644 --- a/hosts/x86_64-linux/beleth/networking.nix +++ b/hosts/x86_64-linux/beleth/networking.nix @@ -7,6 +7,8 @@ # imports = [./wireguard.nix]; services.openssh.settings.PasswordAuthentication = false; + # Mitigates https://www.cve.org/CVERecord?id=CVE-2024-6387 + services.openssh.settings.LoginGraceTime = 0; networking = { interfaces = { 
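Review bot: The `users.users.root.openssh.authorizedKeys.keys` list in hosts/x86_64-linux/beleth/default.nix now holds four workstation keys, each granting a direct root shell on beleth, so losing any one of those machines is a full compromise of the server. The new justfile also logs in as `root@…`, so the same point applies there. Consider moving the keys to an unprivileged deploy user and running `nixos-rebuild` with `--use-remote-sudo`, after which root key login could be closed with `services.openssh.settings.PermitRootLogin = "no";`. If the root keys must stay, a comment above the list such as `# deploy keys, one per workstation; remove the entry when a machine is retired or reinstalled` would make the rotation rule explicit. The enclosing attribute set starts and ends outside this hunk.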
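Review bot: `services.openssh.settings.LoginGraceTime = 0;` in hosts/x86_64-linux/beleth/networking.nix removes the pre-authentication timeout, so unauthenticated connections are never dropped and can occupy every `MaxStartups` slot. The mitigation therefore trades the CVE-2024-6387 race for a denial-of-service exposure, and the comment does not say that or when to undo it. I would extend it to `# TEMPORARY: mitigates CVE-2024-6387; disables the login timeout (connection slots can be exhausted), remove once the pinned nixpkgs ships the fixed OpenSSH`. The setting is added only for beleth; whether other hosts in this flake expose sshd is not visible here, so it may belong in a shared module instead.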
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..0f9346c
--- /dev/null
+++ b/justfile
@@ -0,0 +1,7 @@
+beleth-host := "root@88.99.90.90"
+
+rebuild:
+ nh os switch . -- -vv
+
+beleth:
+ nixos-rebuild switch --flake '.#beleth' --build-host {{beleth-host}} --target-host {{beleth-host}}
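Review bot: The deploy target is an IP literal fixed in the recipe file (`beleth-host := "root@88.99.90.90"`), so the login user and address live in the justfile while the host key the connection is checked against lives in each workstation's known_hosts. Pointing the variable at an SSH config alias, e.g. `beleth-host := "<ssh-alias>"` (placeholder), would keep user, address and host-key settings in one reviewed place and let the address change without touching the recipe. The recipes also have no doc comments; a line such as `# Build on and deploy to beleth over SSH` above `beleth:` would appear in `just --list`.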