Commit 814ade802c65

Vincent Demeester <vincent@sbr.pm>
2026-02-20 09:39:22
fix(ssh): apply non-FIDO2 override to all homelab
Extended the non-FIDO2 SSH key override on aomi and okinawa to cover all homelab machines and their shpool aliases instead of just kerkouane.vpn, ensuring consistent key usage across infrastructure.
1 parent ec070be
Changed files (1)
home/common/shell/openssh.nix
@@ -54,12 +54,27 @@ in
           "*.redhat.com".identityFile = "~/.ssh/id_ed25519_sk";
         };
         # Special case for aomi and okinawa: no FIDO2 homelab key, use regular ed25519
-        nonFido2Overrides = lib.optionalAttrs (isAomi || isOkinawa) {
-          "kerkouane.vpn" = {
-            identityFile = "~/.ssh/id_ed25519";
-            identitiesOnly = true;
-          };
-        };
+        # Override all homelab machine entries (generated by libx.sshConfigs and shpool aliases)
+        nonFido2Overrides =
+          let
+            # Get all host identifiers from all machines
+            allHostIds = lib.flatten (
+              lib.attrValues (
+                builtins.mapAttrs (
+                  _: machine:
+                  builtins.filter (
+                    x: (lib.hasSuffix ".home" x) || (lib.hasSuffix ".vpn" x) || (lib.hasSuffix ".sbr.pm" x)
+                  ) (libx.sshHostIdentifier machine)
+                ) globals.machines
+              )
+            );
+            # Override both the host entry and its shpool alias
+            mkOverride = id: lib.nameValuePair id { identityFile = "~/.ssh/id_ed25519"; };
+            mkShpoolOverride = id: lib.nameValuePair "${id}/*" { identityFile = "~/.ssh/id_ed25519"; };
+          in
+          lib.optionalAttrs (isAomi || isOkinawa) (
+            builtins.listToAttrs (map mkOverride allHostIds ++ map mkShpoolOverride allHostIds)
+          );
       in
       lib.recursiveUpdate
         (
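Review bot: The new `mkOverride` and `mkShpoolOverride` helpers set only `identityFile`, dropping the `identitiesOnly = true;` that the removed kerkouane.vpn entry carried, so on aomi and okinawa ssh may again offer every agent key to these hosts before reaching the intended one. That only holds if the base entries produced by `libx.sshConfigs` do not already set `identitiesOnly` (the `lib.recursiveUpdate` below would preserve it if they do, but those entries are outside this hunk). Offering surplus identities discloses extra public keys to each host and can exhaust the server's MaxAuthTries before the right key is tried, which is the failure the original flag guarded against. Factoring the value also removes the duplicated literal: `nonFido2Identity = { identityFile = "~/.ssh/id_ed25519"; identitiesOnly = true; };` then `mkOverride = id: lib.nameValuePair id nonFido2Identity;` and `mkShpoolOverride = id: lib.nameValuePair "${id}/*" nonFido2Identity;`. The enclosing `let` that defines `isAomi`/`isOkinawa` starts before this hunk.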