diff --git a/keys/default.nix b/keys/default.nix
index 05e6854..99cc7a5 100644
--- a/keys/default.nix
+++ b/keys/default.nix
@@ -9,103 +9,41 @@ let meta = import ../meta lib; - getAttr = flip builtins.getAttr; + inherit (import ../lib/nix-lib) setDefault unique; + + getAttr = lib.flip builtins.getAttr; - inherit (import ../lib/nix-lib) flip setDefault unique; in rec { - # WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted - # If not, you will face an angry maintainer - _keys = { - # SSH keys of the nodes - bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ]; - build01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIYJcEMQpOyKInqtd2/brnSQuzwgv6fNPlTSQx9tcvPu" ]; - compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ]; - geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ]; - geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ]; - hypervisor01 = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr" - ]; - hypervisor02 = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S" - ]; - hypervisor03 = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI" - ]; - rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ]; - storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ]; - tower01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVpR+TMRLGAfhn7Q0C3tKOydYYjfoC/e1ZYbKpby01Z" ]; - vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ]; - web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ]; - web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ]; - web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ]; + _memberKeys = builtins.mapAttrs (_: v: 
v.sshKeys) meta.organization.members; + _nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes; - # SSH keys of the DGNum members - agroudiev = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM=" - ]; - catvayor = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFfIJ8BToZ9EDxBsEJXQhUju7gm+rUDjGCNMvFSZCl1o openpgp:0x5CADCA1B" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdOxx4I8BSbYPdouvuzDepwTwzQzGSBCNIV8TB5dduT openpgp:0xF6018131" - ]; - cst1 = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270" - ]; - ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ]; - gdd = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ" - ]; - jemagius = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F" - "ssh-rsa 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" - ]; - luj = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower" - ]; - mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ]; - mdebray = [ - "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda" - ]; - raito = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU" - ]; - thubrecht = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn" - ]; - }; + # Get keys of the users + getMemberKeys = name: builtins.concatLists (builtins.map (getAttr _memberKeys) name); - getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls); + # Get keys of the ssh server + getNodeKeys = name: builtins.concatLists (builtins.map (getAttr _nodeKeys) name); - mkSecrets = - nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); }; + # List of keys for the root group + rootKeys = getMemberKeys meta.organization.groups.root; + # All keys that can access a node getNodeKeys' = node: let - names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) ( - meta.nodes.${node}.admins ++ [ node ] - ) meta.nodes.${node}.adminGroups; + names = [ node ] ++ + meta.nodes.${node}.admins + ++ (builtins.concatMap (g: meta.organization.groups.${g}) meta.nodes.${node}.adminGroups); in - unique (getKeys names); + unique (getMemberKeys names ++ getNodeKeys [ node 
]); - getNodeKeys = node: rootKeys ++ getNodeKeys' node; + # List of keys for all machines wide secrets + machineKeys = rootKeys ++ (getNodeKeys (builtins.attrNames meta.nodes)); - # List of keys for the root group - rootKeys = getKeys meta.organization.groups.root; + mkSecrets = nodes: setDefault { publicKeys = unique (builtins.concatMap getNodeKeys' nodes); }; - # List of 'machine' keys - machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes)); - - nixosMachineKeys = + machineKeysBySystem = system: rootKeys - ++ (getKeys (builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == "nixos") meta.nodes))); + ++ (getNodeKeys (builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == system) meta.nodes))); } diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix index 6fa0798..170fb37 100644 --- a/meta/nodes/nixos.nix +++ b/meta/nodes/nixos.nix @@ -29,6 +29,8 @@ bridge01 = { site = "hyp01"; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ]; + hashedPassword = "$y$j9T$EPJdz70kselouXAVUmAH01$8nYbUBY9NPTMfYigegY0qFSdxJwhqzW8sFacDqEYCP5"; stateVersion = "24.05"; @@ -54,6 +56,8 @@ hashedPassword = "$y$j9T$n83qOn1OkQhFwQe50tPM11$jZ1tvgqMTcp4HLGEfJmTMsf0NnRUYQkzco9vibWTpU2"; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIYJcEMQpOyKInqtd2/brnSQuzwgv6fNPlTSQx9tcvPu" ]; + stateVersion = "24.11"; nixpkgs = { @@ -71,6 +75,8 @@ compute01 = { site = "pav01"; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ]; + hashedPassword = "$y$j9T$2nxZHq84G7fWvWMEaGavE/$0ADnmD9qMpXJJ.rWWH9086EakvZ3wAg0mSxZYugOf3C"; stateVersion = "23.05"; 
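Review bot: The new `mkSecrets` silently drops `rootKeys` from the recipient set — it is now `unique (builtins.concatMap getNodeKeys' nodes)` while the removed version prepended `rootKeys` — so a member of the root group who is not an admin of a given node can no longer decrypt that node's secrets; if that is unintended, restore it with `mkSecrets = nodes: setDefault { publicKeys = unique (rootKeys ++ builtins.concatMap getNodeKeys' nodes); };`. `getNodeKeys` also changes meaning in this hunk: it used to take a single node name and return root keys plus that node's admin set, and now takes a list of node names and returns only host keys, so any caller outside this diff still passing a bare string fails inside `builtins.map` rather than with a clear message (only dgn-backups is updated here). A comment above `getNodeKeys'` such as `# Member keys of the node's admins and admin groups plus the node's own host key; root keys are NOT included` would make that contract explicit for the secrets modules. `machineKeys` and `machineKeysBySystem` keep `rootKeys`, which makes the asymmetry with `mkSecrets` easy to miss.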
@@ -86,8 +92,12 @@ site = "oik01"; deployment.tags = [ "geo" ]; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ]; + hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8"; + deployment.targetHost = "geo01.dgnum"; + stateVersion = "24.05"; nixpkgs = { @@ -100,8 +110,12 @@ site = "oik01"; deployment.tags = [ "geo" ]; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ]; + hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA"; + deployment.targetHost = "geo02.dgnum"; + stateVersion = "24.05"; nixpkgs = { @@ -122,6 +136,8 @@ system = "nixos"; }; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr" ]; + adminGroups = [ "hypervisors" ]; deployment = { @@ -141,6 +157,8 @@ system = "nixos"; }; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S" ]; + adminGroups = [ "hypervisors" ]; deployment = { @@ -155,6 +173,8 @@ stateVersion = "24.11"; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI" ]; + nixpkgs = { version = "24.11"; system = "nixos"; @@ -170,6 +190,8 @@ rescue01 = { site = "luj01"; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ]; + deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu"; hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC"; @@ -186,6 +208,8 @@ storage01 = { site = "pav01"; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ]; + hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8"; stateVersion = "23.11"; 
@@ -205,6 +229,10 @@ hashedPassword = "$y$j9T$axihKDa.CrYcyoamJWxBq1$bl4TfropTrwLqMy6XK0DKkWRyx9b74kyI/ukE8X5iiD"; + sshKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVpR+TMRLGAfhn7Q0C3tKOydYYjfoC/e1ZYbKpby01Z" + ]; + stateVersion = "24.11"; nixpkgs = { @@ -226,6 +254,8 @@ site = "hyp01"; deployment.targetHost = "vault01.hyp01.infra.dgnum.eu"; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ]; + hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1"; stateVersion = "23.11"; @@ -243,6 +273,8 @@ deployment.tags = [ "web" ]; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ]; + hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2"; stateVersion = "23.05"; @@ -257,6 +289,8 @@ web02 = { site = "rat01"; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ]; + hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5"; stateVersion = "24.05"; @@ -271,6 +305,8 @@ web03 = { site = "rat01"; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ]; + hashedPassword = "$y$j9T$Un/tcX5SPKNXG.sy/BcTa.$kyNHELjb1GAOWnauJfcjyVi5tacWcuEBKflZDCUC6x4"; stateVersion = "24.05"; diff --git a/meta/options.nix b/meta/options.nix index adfe420..d72fa93 100644 --- a/meta/options.nix +++ b/meta/options.nix @@ -22,6 +22,8 @@ let ints listOf nullOr + positive + singleLineStr str submodule unspecified @@ -42,6 +44,22 @@ let }; }; + vpnKeyType = submodule { + options = { + id = mkOption { + type = positive; + description = '' + Unique ID that will be used to guess IP address + ''; + }; + key = mkOption { + type = str; + description = '' + Public key of the user for this VPN + ''; + }; + }; + }; org = config.organization; nixpkgs = import ./nixpkgs.nix; in 
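Review bot: `vpnKeyType.id` is documented as a `Unique ID that will be used to guess IP address`, but nothing in this hunk or in the `vpnKeys` options added for members and nodes later in the file checks that ids are unique across all members' and nodes' `vpnKeys`, so two entries sharing an `id` would resolve to the same guessed address without any error; an assertion over the collected ids (compare `length` of all ids against `length (unique ids)`) next to the existing member assertions would close that gap. `key` is typed `str` while the `sshKeys` options in the same change use `singleLineStr`; a VPN public key is likewise a single line, so `type = singleLineStr;` would reject pasted multi-line input consistently. The enclosing `let` block of this hunk starts in the previous hunk and continues past `in`.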
@@ -77,6 +95,24 @@ in WARNING: Must be the same as the ens login! ''; }; + + sshKeys = lib.mkOption { + type = listOf singleLineStr; + description = '' + A list of verbatim OpenSSH public keys that should be added to the + user's authorized keys. + ''; + example = [ + "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host" + "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar" + ]; + }; + + vpnKeys = mkOption { + type = attrsOf vpnKeyType; + default = { }; + description = "Attribute sets to define vpn keys of the user"; + }; }; } ) @@ -179,6 +215,18 @@ in ''; }; + sshKeys = lib.mkOption { + type = listOf singleLineStr; + default = [ ]; + description = '' + A list of verbatim OpenSSH public keys used by the machine ssh server. + ''; + example = [ + "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host" + "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar" + ]; + }; + admins = mkOption { type = listOf str; default = [ ]; @@ -329,6 +377,13 @@ in IP address of the node in the netbird network. ''; }; + + vpnKeys = mkOption { + type = attrsOf vpnKeyType; + default = { }; + description = "Attribute sets to define vpn keys of the machine"; + + }; }; config = @@ -414,12 +469,6 @@ in (membersExists ( name: "A member of the external service ${name} admins was not found in the members list." ) org.external) - - # Check that all members have ssh keys - (builtins.map (name: { - assertion = ((import ../keys)._keys.${name} or [ ]) != [ ]; - message = "No ssh keys found for ${name}."; - }) members) ]; }; } diff --git a/meta/organization.nix b/meta/organization.nix index 0671b81..dcd3ddd 100644 --- a/meta/organization.nix +++ b/meta/organization.nix 
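Review bot: The assertion removed in the last hunk of this file (`No ssh keys found for ${name}`) also rejected an empty key list, but the member `sshKeys` option added in the `@@ -77` hunk is `listOf singleLineStr` with no default, so `sshKeys = [ ];` is now accepted and a member with no usable login key only surfaces when some `authorizedKeys` list comes out empty; `type = nonEmptyListOf singleLineStr;` (adding `nonEmptyListOf` to the inherited `lib.types` names) keeps the old check at the type level, and if an empty list is deliberately allowed for members, `default = [ ];` as on the node option in `@@ -179` would at least avoid the generic "option used but not defined" evaluation error. Both new `sshKeys` options use `lib.mkOption` while the neighbouring `vpnKeys` and the rest of the file use the unqualified `mkOption`; pick one spelling. The same point applies to the node `sshKeys` option in the `@@ -179` hunk.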
@@ -17,57 +17,92 @@ agroudiev = { name = "Antoine Groudiev"; email = "antoine.groudiev@dgnum.eu"; + sshKeys = [ + "ssh-rsa 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" + ]; }; catvayor = { name = "Lubin Bailly"; email = "catvayor@dgnum.eu"; username = "lbailly"; + sshKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFfIJ8BToZ9EDxBsEJXQhUju7gm+rUDjGCNMvFSZCl1o openpgp:0x5CADCA1B" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdOxx4I8BSbYPdouvuzDepwTwzQzGSBCNIV8TB5dduT openpgp:0xF6018131" + ]; }; cst1 = { name = "Constantin Gierczak--Galle"; email = "cst1@dgnum.eu"; username = "cgierczakgalle"; + sshKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270" + ]; }; ecoppens = { name = "Elias Coppens"; email = "ecoppens@dgnum.eu"; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ]; }; jemagius = { name = "Jean-Marc Gailis"; email = "jm@dgnum.eu"; username = "jgailis"; + sshKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=" + ]; }; luj = { name = "Julien Malka"; email = "luj@dgnum.eu"; username = "jmalka"; + sshKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma" + "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower" + ]; }; mboyer = { name = "Matthieu Boyer"; email = "matthieu.boyer@dgnum.eu"; username = "mboyer02"; + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ]; }; mdebray = { name = "Maurice Debray"; email = "maurice.debray@dgnum.eu"; + sshKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda" + ]; }; raito = { name = "Ryan Lahfa"; email = "ryan@dgnum.eu"; username = "rlahfa"; + sshKeys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU" + ]; }; thubrecht = { name = "Tom Hubrecht"; email = "tom.hubrecht@dgnum.eu"; + sshKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn" + ]; }; }; diff --git a/modules/liminix/dgn-access-control.nix b/modules/liminix/dgn-access-control.nix index 972ebfa..0c74f6e 100644 --- a/modules/liminix/dgn-access-control.nix +++ b/modules/liminix/dgn-access-control.nix 
@@ -56,7 +56,7 @@ in # Admins have root access to the node dgn-access-control.users.root = mkDefault admins; users = builtins.mapAttrs (_: members: { - openssh.authorizedKeys.keys = dgn-keys.getKeys members; + openssh.authorizedKeys.keys = dgn-keys.getMemberKeys members; }) cfg.users; }; } diff --git a/modules/netconf/dgn-access-control.nix b/modules/netconf/dgn-access-control.nix index 44df5d4..b8b381a 100644 --- a/modules/netconf/dgn-access-control.nix +++ b/modules/netconf/dgn-access-control.nix @@ -56,7 +56,7 @@ in dgn-access-control.root = mkDefault admins; system = { root-authentication = { - ssh-keys = dgn-keys.getKeys cfg.root; + ssh-keys = dgn-keys.getMemberKeys cfg.root; hashedPasswd = nodeMeta.hashedPassword; }; services.ssh.root-login = mkDefault "deny-password"; diff --git a/modules/nixos/dgn-access-control.nix b/modules/nixos/dgn-access-control.nix index ee1468b..7fed596 100644 --- a/modules/nixos/dgn-access-control.nix +++ b/modules/nixos/dgn-access-control.nix @@ -59,7 +59,7 @@ in username: members: { isNormalUser = lib.mkIf (username != "root") true; - openssh.authorizedKeys.keys = dgn-keys.getKeys members; + openssh.authorizedKeys.keys = dgn-keys.getMemberKeys members; } // optionalAttrs (username == "root") { inherit (nodeMeta) hashedPassword; } ) cfg.users; diff --git a/modules/nixos/dgn-backups/default.nix b/modules/nixos/dgn-backups/default.nix index c990a70..618dd09 100644 --- a/modules/nixos/dgn-backups/default.nix +++ b/modules/nixos/dgn-backups/default.nix @@ -114,7 +114,7 @@ in access = [ { repo = "default"; - keys = dgn-keys.getKeys [ + keys = dgn-keys.getNodeKeys [ "compute01" "storage01" "vault01" @@ -131,7 +131,7 @@ in }; programs.ssh.knownHosts = - lib.extra.mapFuse (host: { "${host}.dgnum".publicKey = builtins.head dgn-keys._keys.${host}; }) + lib.extra.mapFuse (host: { "${host}.dgnum".publicKey = builtins.head dgn-keys._nodeKeys.${host}; }) [ "compute01" "geo01" 
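Review bot: `builtins.head dgn-keys._nodeKeys.${host}` in the knownHosts hunk of dgn-backups now reads the node `sshKeys` option that defaults to `[ ]`, so a node without a declared host key fails with a bare empty-list error instead of naming the host, and a node with several keys registers only the first one as its known host key. A guard such as `let ks = dgn-keys._nodeKeys.${host}; in if ks == [ ] then throw "dgn-backups: no sshKeys declared for ${host}" else builtins.head ks` gives a usable message. Reaching into the underscore-prefixed `_nodeKeys` from a module also bypasses the `getNodeKeys` accessor that the sibling `@@ -114` hunk switched to; a single-host accessor exported from keys/default.nix would keep the private name private. The knownHosts host list continues past the end of the hunk.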
diff --git a/modules/nixos/dgn-netbox-agent/secrets/secrets.nix b/modules/nixos/dgn-netbox-agent/secrets/secrets.nix index 5d0e98a..66795ca 100644 --- a/modules/nixos/dgn-netbox-agent/secrets/secrets.nix +++ b/modules/nixos/dgn-netbox-agent/secrets/secrets.nix @@ -2,4 +2,4 @@ # # SPDX-License-Identifier: EUPL-1.2 -{ netbox-agent.publicKeys = (import ../../../../keys).nixosMachineKeys; } +{ netbox-agent.publicKeys = (import ../../../../keys).machineKeysBySystem "nixos"; } diff --git a/modules/nixos/dgn-notify/secrets.nix b/modules/nixos/dgn-notify/secrets.nix index 687d35b..95f7177 100644 --- a/modules/nixos/dgn-notify/secrets.nix +++ b/modules/nixos/dgn-notify/secrets.nix @@ -2,4 +2,4 @@ # # SPDX-License-Identifier: EUPL-1.2 -{ mail.publicKeys = (import ../../../keys).nixosMachineKeys; } +{ mail.publicKeys = (import ../../../keys).machineKeysBySystem "nixos"; } diff --git a/modules/nixos/dgn-records/secrets.nix b/modules/nixos/dgn-records/secrets.nix index d483b14..13a6afd 100644 --- a/modules/nixos/dgn-records/secrets.nix +++ b/modules/nixos/dgn-records/secrets.nix @@ -2,4 +2,4 @@ # # SPDX-License-Identifier: EUPL-1.2 -{ __arkheon-token_file.publicKeys = (import ../../../keys).nixosMachineKeys; } +{ __arkheon-token_file.publicKeys = (import ../../../keys).machineKeysBySystem "nixos"; }