chore(ssh): clean key-mgmt

2024-10-26 18:29:35 +02:00 · 2024-10-26 18:29:35 +02:00 · 545b05ebe5
commit 545b05ebe5
parent dd7e1d177a
7 changed files with 32 additions and 19 deletions
--- a/hive.nix
+++ b/hive.nix
@ -2,7 +2,6 @@ let
  mods = import ./modules;
  users = import ./users;
  sources = import ./npins;
-  id_sylvain = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvi5VUsDrwS4XqQQfFFIx1JoRDPVdtChUQWqKFbPFtP8gH51woXiKtKRbDebL0z/EmkdYKxxIkzixHTR5xQXjo8JiFZbwldZi5IvMr3x//ad9sVyOhmbRx1DXLKjyOdWyo+w0vORvbEDu2lHktfSvhHGrvUHfFc3EY+cAl7IImgGEeGNPruAuNkN90Lth9QgwJVsdOEs9j7hwwKtpfMMETL5tkW34Nu7io03+SaPxwi2xLuWTdTklfZ7GWYtG2w/hFkzDbkW97rp5dxB1HO58cPqyRlqyfhZFpiUmWlyuMba3Tip6JarCa52IpFffEIDR0CSeh5CFPoeppo/TPDiXDie370TjjQpxJiG+9PobBhmChH5FmQ/lksffI/WimqpVO7Ixf5cYiHN5Z0mgJgZsXwI3YPICQLA8ebSKHA8+mdmkunDmCBRaBj1qEgkp/UoYqXT6BjBm07nOsnL+3SG/yfx4fLotgWtdm2mkjEAG+OGVR7G3Vk/POxn0EqX7Z+gU= sylvain@idefix";
  mkNixpkgsSrc = (import sources.nix-patches { patchFile = ./patches; }).mkNixpkgsSrc;
 in
 {
@ -31,8 +30,6 @@ in
    {
      imports = [
        ./kat
-        "${sources.home-manager}/nixos"
-        "${sources.disko}/module.nix"
      ];
      networking.hostName = name;
    };
@ -75,7 +72,7 @@ in
    };

  kat-virt =
-    { users, ... }:
+    { ssh-keys, ... }:
    {
      deployment = {
        targetHost = "virt.kat";
@ -89,14 +86,11 @@ in
      imports = [
        ./machines/kat-virt
      ];
-      users.users.root.openssh.authorizedKeys.keys = [
-        id_sylvain
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoQZ/77uiai4rBHYwL55IweUOdR9svxDxlP/o7sulRT gdesfrene@clipper.ens.fr"
-      ];
+      users.users.root.openssh.authorizedKeys.keys = with ssh-keys; sylvain ++ gaby;
    };

  kat-mail-test =
-    { users, ... }:
+    { ssh-keys, ... }:
    {
      deployment = {
        targetHost = "mail-test.kat";
@ -110,7 +104,7 @@ in
      imports = [
        ./machines/kat-mail-test
      ];
-      users.users.root.openssh.authorizedKeys.keys = [ id_sylvain ];
+      users.users.root.openssh.authorizedKeys.keys = ssh-keys.sylvain;
    };

  kat-son =
--- a/kat/default.nix
+++ b/kat/default.nix
@ -2,6 +2,7 @@
  lib,
  config,
  pkgs,
+  sources,
  ...
 }:
 with lib;
@ -10,6 +11,8 @@ with lib;
    ./users
    ./proxies
    ./root.nix
+    "${sources.home-manager}/nixos"
+    "${sources.disko}/module.nix"
  ];
  options.kat = {
    wireguardPubKey = mkOption {
@ -18,18 +21,18 @@ with lib;
    fqdn = mkOption {
      type = types.str;
    };
-    path = mkOption {
-      readOnly = true;
-      type = types.path;
-    };
    anywhere = lib.mkOption {
      type = lib.types.package;
      readOnly = true;
    };
  };
  config = {
+    _module.args = {
+      ssh-keys = import ./ssh-keys { inherit lib; };
+      kat-path = ./.;
+    };
+
    kat = {
-      path = ./.;
      anywhere = pkgs.writeShellApplication {
        name = "anywhere-deploy_${name}.sh";
        runtimeInputs = [ pkgs.nixos-anywhere ];
--- a/kat/root.nix
+++ b/kat/root.nix
@ -1,7 +1,5 @@
-{ ... }:
+{ ssh-keys, ... }:
 {
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
-  ];
+  users.users.root.openssh.authorizedKeys.keys = ssh-keys.catvayor;
  home-manager.users.root = { };
 }
--- a/kat/ssh-keys/catvayor.keys
+++ b/kat/ssh-keys/catvayor.keys
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor
--- a/kat/ssh-keys/default.nix
+++ b/kat/ssh-keys/default.nix
@ -0,0 +1,15 @@
+{ lib }:
+with lib;
+let
+  key-files = filterAttrs (name: _: name != "default.nix") (builtins.readDir ./.);
+  readKeys =
+    file:
+    let
+      lines = map trim (splitString "\n" (readFile file));
+    in
+    filter (line: line != "" && !hasPrefix "#" line) lines;
+in
+mapAttrs' (name: _: {
+  name = removeSuffix ".keys" name;
+  value = readKeys ./${name};
+}) key-files
--- a/kat/ssh-keys/gaby.keys
+++ b/kat/ssh-keys/gaby.keys
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoQZ/77uiai4rBHYwL55IweUOdR9svxDxlP/o7sulRT gdesfrene@clipper.ens.fr
--- a/kat/ssh-keys/sylvain.keys
+++ b/kat/ssh-keys/sylvain.keys
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvi5VUsDrwS4XqQQfFFIx1JoRDPVdtChUQWqKFbPFtP8gH51woXiKtKRbDebL0z/EmkdYKxxIkzixHTR5xQXjo8JiFZbwldZi5IvMr3x//ad9sVyOhmbRx1DXLKjyOdWyo+w0vORvbEDu2lHktfSvhHGrvUHfFc3EY+cAl7IImgGEeGNPruAuNkN90Lth9QgwJVsdOEs9j7hwwKtpfMMETL5tkW34Nu7io03+SaPxwi2xLuWTdTklfZ7GWYtG2w/hFkzDbkW97rp5dxB1HO58cPqyRlqyfhZFpiUmWlyuMba3Tip6JarCa52IpFffEIDR0CSeh5CFPoeppo/TPDiXDie370TjjQpxJiG+9PobBhmChH5FmQ/lksffI/WimqpVO7Ixf5cYiHN5Z0mgJgZsXwI3YPICQLA8ebSKHA8+mdmkunDmCBRaBj1qEgkp/UoYqXT6BjBm07nOsnL+3SG/yfx4fLotgWtdm2mkjEAG+OGVR7G3Vk/POxn0EqX7Z+gU= sylvain@idefix
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor`
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoQZ/77uiai4rBHYwL55IweUOdR9svxDxlP/o7sulRT gdesfrene@clipper.ens.fr`
				`@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvi5VUsDrwS4XqQQfFFIx1JoRDPVdtChUQWqKFbPFtP8gH51woXiKtKRbDebL0z/EmkdYKxxIkzixHTR5xQXjo8JiFZbwldZi5IvMr3x//ad9sVyOhmbRx1DXLKjyOdWyo+w0vORvbEDu2lHktfSvhHGrvUHfFc3EY+cAl7IImgGEeGNPruAuNkN90Lth9QgwJVsdOEs9j7hwwKtpfMMETL5tkW34Nu7io03+SaPxwi2xLuWTdTklfZ7GWYtG2w/hFkzDbkW97rp5dxB1HO58cPqyRlqyfhZFpiUmWlyuMba3Tip6JarCa52IpFffEIDR0CSeh5CFPoeppo/TPDiXDie370TjjQpxJiG+9PobBhmChH5FmQ/lksffI/WimqpVO7Ixf5cYiHN5Z0mgJgZsXwI3YPICQLA8ebSKHA8+mdmkunDmCBRaBj1qEgkp/UoYqXT6BjBm07nOsnL+3SG/yfx4fLotgWtdm2mkjEAG+OGVR7G3Vk/POxn0EqX7Z+gU= sylvain@idefix