Commit 99db9c884747

Vincent Demeester <vincent@sbr.pm>
2021-11-19 23:24:38
authorizedKeys: refactor it to use hosts.toml…
… idea is to remove machines.nix. Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 26dac34
Changed files (4)
ops/hosts.toml
@@ -39,7 +39,8 @@ addrs = { v4 = "10.100.0.8" }
 
 [hosts.kerkouane]
 network = "vpn"
-addrs = { v4 = "167.99.17.238" } # FIXME probably not right
+# addrs = { v4 = "167.99.17.238" } # FIXME probably not right
+ssh = { pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILtEnw+3WMa9ESRyKdBUp/OHd8NPQdHLoqQ58L3YXF1o vincent@kerkouane", gpgRemoteForward = true }
 
 [hosts.kerkouane.wireguard]
 addrs = { v4 = "10.100.0.1" }
@@ -52,4 +53,9 @@ addrs = { v4 = "192.168.1.130" }
 addrs = { v4 = "192.168.1.131" }
 
 [hosts.k8sn3]
-addrs = { v4 = "192.168.1.132" }
\ No newline at end of file
+addrs = { v4 = "192.168.1.132" }
+
+[ssh.keys]
+vincent = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICl4uBPx98p0m1ra4nKxaDvCP8TCou5J10gFUpYAuzp9 u0_a103@localhost", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINsbGtpU/w7Ff3O7hJ1QoO/5CuCrssBXrT+iHev/+rbf Generated By Termius" ]
+houbeb = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUnBCTxRoIDhExcSaiirM5nf2PIcTMDUodYlGNvqfmD Generated By Termius" ]
+root = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCDr3bRw6r43BVOltmTXtDQAtZlJ/viBrCb58fG8suSdO97xLEGukZzf1QX46aXQEsenfKOalcd+OrukcoVIiZtlh1BHAaBB09Q0vKjtB1zKcUdZQYb6kA21/ItpW3gNsZq5M98QpwS9soJOLSccQosDoVBWDcHx72Kpzp2x4seKyAIpb1gtPnQjnnwA7urTcANw7CU8lmB3UtJZNPHclJNKso7h0ZBapausk9t0xGP18rmzQAe2ipa6pwUzS5rRq+j0LiY/JZQaQWBfc1i3IcKictKW5EykKmywJcwmr/PcTdcgTT4FaD+b1t1QAPLV82HxGzOYQO+/WBptBdq7Ss5 openpgp:0x86ADD81F", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJoArpBsTXr3m6q2QnA1vI1DSwmgdU0OAp7DUxcxl9CJfeZIEs/iAerk8jmHgJ2xCEF6SpzI0FWSQIXy8dKpF4wLJ0tCoq5LqQx3jEzy3NUBLfxK+/Baa1te4qG2YImlgnzmEEm5uZlCGZRY2L/U9+4Hwo1AgD69Zzin6QGh2pyTWpmZ/WyhwIfGgqsnlM9XlaVzlMHYfStDi+rUU6XEAfdSqo1SnWKDBHc3mDYGTVhfAlt2LucLKu7oI2MsSlSxva072BExctadtB3TGHbt8gRJZj8CdwgRNhT+hFfbsL6YDvQn6dhTSMuiD8sBEvVble0Nj4p+Q6ROCRIuMuhgh3 cardno:000610153832" ]
\ No newline at end of file
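Review bot: The new `[ssh.keys]` table now decides who may log in as each user, but nothing in the file says so; a key listed under `root` is installed as root's authorized key by users/root/default.nix, and users/vincent/default.nix also appends that same list to vincent's. I would add a comment above the table, `# Each list below is installed verbatim as openssh.authorizedKeys.keys for that user (see users/*/default.nix); the root list is also granted login as vincent.` The per-host `ssh.pubkey` added in the first hunk is likewise collected into vincent's authorized keys by users/vincent/default.nix, so a similar one-line comment next to the `ssh = { ... }` line under `[hosts.kerkouane]` would help. The per-key `authorized` flag that the removed Nix code filtered on has no equivalent here, so listing a key is the grant.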
users/houbeb/default.nix
@@ -1,12 +1,16 @@
-{ pkgs, ... }: {
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) importTOML;
+  metadata = importTOML ../../ops/hosts.toml;
+in
+{
   users.users.houbeb = {
     createHome = true;
     description = "Houbeb Ben Othmene";
     extraGroups = [ "wheel" ];
     isNormalUser = true;
-    openssh.authorizedKeys.keys = [
-      "…"
-    ];
+    openssh.authorizedKeys.keys = metadata.ssh.keys.houbeb;
   };
   home-manager.users.houbeb = {
     home.packages = with pkgs; [ hello ];
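Review bot: `config` is added to the module's argument set but is not referenced in the visible lines; if the rest of the file, which continues past the hunk, does not use it either, drop it, since `lib` and `pkgs` are the only names this hunk needs. A short comment on the `metadata` binding, `# authorized keys come from ops/hosts.toml; a missing ssh.keys.houbeb fails evaluation rather than installing none`, would record the behaviour the hard attribute access gives, which differs from the literal list it replaces.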
users/root/default.nix
@@ -1,21 +1,13 @@
 { config, lib, pkgs, ... }:
 
 let
-  inherit (lib) lists attrsets mkIf optionals versionOlder;
-  secretPath = ../../secrets/machines.nix;
-  secretCondition = (builtins.pathExists secretPath);
-
-  isAuthorized = p: builtins.isAttrs p && p.authorized or false;
-  authorizedKeys = lists.optionals secretCondition (
-    attrsets.mapAttrsToList
-      (name: value: value.key)
-      (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
-  );
+  inherit (lib) lists attrsets mkIf optionals versionOlder importTOML;
+  metadata = importTOML ../../ops/hosts.toml;
 in
 {
   users.users.root = {
     shell = mkIf config.programs.zsh.enable pkgs.zsh;
-    openssh.authorizedKeys.keys = authorizedKeys;
+    openssh.authorizedKeys.keys = metadata.ssh.keys.root;
   };
   home-manager.users.root = lib.mkMerge (
     [
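Review bot: The removed code gated root's keys on `secretCondition` and on a per-key `authorized` flag; `metadata.ssh.keys.root` has neither, so every entry in the `root` list of ops/hosts.toml is installed unconditionally, and evaluation now fails if the file or the attribute is absent. That is a reasonable simplification but deserves a comment on the `metadata` binding, `# ops/hosts.toml is the sole source of root's authorized keys; every key in ssh.keys.root is installed`. `lists` and `attrsets` stay inherited on the new line although their only users in this hunk were the removed `authorizedKeys` definition; if nothing below the hunk uses them, drop them. The `let` block and the module continue outside the hunk.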
users/vincent/default.nix
@@ -1,15 +1,12 @@
 { config, lib, pkgs, ... }:
-with lib;
-let
-  secretPath = ../../secrets/machines.nix;
-  secretCondition = (builtins.pathExists secretPath);
 
-  isAuthorized = p: builtins.isAttrs p && p.authorized or false;
-  authorizedKeys = lists.optionals secretCondition (
-    attrsets.mapAttrsToList
-      (name: value: value.key)
-      (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
-  );
+let
+  inherit (lib) importTOML attrsets hasAttr optionals versionAtLeast mkIf;
+  metadata = importTOML ../../ops/hosts.toml;
+  hasSSHAttr = name: value: hasAttr "ssh" value;
+  authorizedKeys = attrsets.mapAttrsToList
+    (name: value: value.ssh.pubkey)
+    (attrsets.filterAttrs hasSSHAttr metadata.hosts);
 
   hasConfigVirtualizationContainers = builtins.hasAttr "containers" config.virtualisation;
   isContainersEnabled = if hasConfigVirtualizationContainers then config.virtualisation.containers.enable else false;
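Review bot: `hasSSHAttr` only checks that a host has an `ssh` table, while the mapping reads `value.ssh.pubkey`, so a host that sets `ssh = { gpgRemoteForward = true }` without a key would abort evaluation of any configuration importing this module; `hasSSHAttr = name: value: hasAttr "pubkey" (value.ssh or { });` keeps the intent and tolerates that case. The second hunk then appends `metadata.ssh.keys.root` to this list, which grants root's keys login as vincent as well; a comment above `authorizedKeys`, `# every host's ssh.pubkey plus the vincent and root key lists from ops/hosts.toml may log in as vincent`, would make that coupling deliberate. The `let` block continues past the hunk.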
@@ -35,7 +32,9 @@ in
       ++ optionals config.services.nginx.enable [ "nginx" ];
     shell = mkIf config.programs.zsh.enable pkgs.zsh;
     isNormalUser = true;
-    openssh.authorizedKeys.keys = authorizedKeys;
+    openssh.authorizedKeys.keys = authorizedKeys
+      ++ metadata.ssh.keys.vincent
+      ++ metadata.ssh.keys.root;
     initialPassword = "changeMe";
     subUidRanges = [{ startUid = 100000; count = 65536; }];
     subGidRanges = [{ startGid = 100000; count = 65536; }];