ssh

conf/workstation.nix

@@ -137,6 +137,8 @@
     ];
   };
 
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

home/kindrobot.nix

@@ -53,6 +53,50 @@
     };
   };
   programs.z-lua.enable = true;
+  programs.ssh.enable = true;
+  programs.ssh.extraConfig =
+  ''
+    # Turn CanonicalizeHostname on for Match to work below.
+    CanonicalizeHostname yes
+    
+    # Defaults for all Wikimedia Foundation hosts.
+    Match host=*.wikimedia.org,*.wmnet
+        ForwardAgent no
+        IdentitiesOnly yes
+        KbdInteractiveAuthentication no
+        PasswordAuthentication no
+        User kindrobot
+    
+    # Configure the initial connection to the bastion host, with the one
+    # HostName closest to you.
+    Host bast
+        HostName bast1003.wikimedia.org
+        IdentityFile ~/.ssh/wmf_prod.key
+        # In theory this User line shouldn't be necessary due to the Match above,
+        # but in practice it seems to be.  In any case, it doesn't hurt.
+        User kindrobot
+    
+    # Proxy all connections to internal servers through the bastion host.
+    Host *.wmnet *.wikimedia.org !gerrit.wikimedia.org !bast*.wikimedia.org !gitlab.wikimedia.org
+        ProxyJump bast
+        IdentityFile ~/.ssh/wmf_prod.key
+    
+    # Configure direct connection to the bastion hosts.
+    Host bast*.wikimedia.org
+        IdentityFile ~/.ssh/wmf_prod.key
+    
+    Host gerrit.wikimedia.org
+        Port 29418
+    
+    Host town
+    	Hostname tilde.town
+    	User kindrobot
+    	ForwardAgent yes
+    Host team
+    	Hostname tilde.team
+    	User kindrobot
+    	ForwardAgent yes
+  '';
   services.kdeconnect = {
     enable = true;
   };