move pubkeys out a modules/data/ directory

This commit is contained in:
colin 2023-01-09 02:40:25 +00:00
parent 0ae548d47c
commit b2774a4004
5 changed files with 78 additions and 18 deletions


@ -1,19 +1,27 @@
{ config, lib, ... }: { config, lib, sane-data, sane-lib, ... }:
{ {
sane.ssh = rec { sane.ssh.pubkeys =
pubkeys."colin@lappy" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu"; let
pubkeys."root@lappy" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc"; # path is a DNS-style path like [ "org" "uninsane" "root" ]
keyNameForPath = path:
let
rev = lib.reverseList path;
name = builtins.head rev;
host = lib.concatStringsSep "." (builtins.tail rev);
in
"${name}@${host}";
pubkeys."colin@desko" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX"; # given a DNS-style recursive AttrSet, return a flat AttrSet that maps ssh id => pubkey.
pubkeys."root@desko" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk"; keysFor = attrs:
let
pubkeys."colin@moby" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU"; by-path = sane-lib.flattenAttrs attrs;
pubkeys."root@moby" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw"; in
sane-lib.mapToAttrs ({ path, value }: {
pubkeys."colin@servo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX"; name = keyNameForPath path;
pubkeys."root@servo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8"; inherit value;
pubkeys."root@uninsane.org" = pubkeys."root@servo"; }) by-path;
# XXX: git.uninsane.org uses the same host key as servo, so we use this to populate known_hosts globalKeys = keysFor sane-data.keys;
pubkeys."root@git.uninsane.org" = pubkeys."root@servo"; localKeys = keysFor sane-data.keys.org.uninsane.local;
}; in lib.mkMerge [ globalKeys localKeys ];
} }
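Review bot: `globalKeys = keysFor sane-data.keys` flattens the whole tree, including the `org.uninsane.local` subtree, so the merged `sane.ssh.pubkeys` carries names such as `colin@desko.local.uninsane.org` next to the `colin@desko` entries that `localKeys` produces; the keys.nix comment in this commit says those `local` aliases are not real DNS names. If these synthetic host names are not wanted (they are harmless in known_hosts but will never match a real host), derive the global set from the tree with the local subtree removed, e.g. `globalKeys = keysFor { org.uninsane = removeAttrs sane-data.keys.org.uninsane [ "local" ]; };`. `keyNameForPath` also assumes a non-empty path (`builtins.head rev` throws on `[ ]`), which only happens if `sane-data.keys` itself is a leaf; a one-line comment, `# path must have at least one element: the last is the user, the rest the host`, would make that precondition explicit.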

9
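--- /dev/null
+++ b/modules/data/default.nix
@@ -0,0 +1,9 @@
+# this directory contains data of a factual nature.
+# for example, public ssh keys, GPG keys, DNS-type name mappings.
+#
+# don't put things like fully-specific ~/.config files in here,
+# even if they're "relatively unopinionated".
+{
+keys = import ./keys.nix;
+}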

24
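--- /dev/null
+++ b/modules/data/keys.nix
@@ -0,0 +1,24 @@
+# hierarchical, DNS-like mapping from <name> => ssh host/user for that name.
+# host keys are represented as user keys, just with the user specified as "root".
+{
+org.uninsane = rec {
+root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+git.root = root;
+local = {
+# machine aliases i specify on my lan; not actually asserted as DNS
+desko.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
+desko.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+lappy.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
+lappy.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+moby.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
+moby.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
+servo.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
+servo.root = root;
+};
+};
+}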
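Review bot: `git.root = root;` and `servo.root = root;` silently encode the fact that git.uninsane.org and the servo alias share one host key, but the explanatory comment the old ssh module carried (`# XXX: git.uninsane.org uses the same host key as servo, so we use this to populate known_hosts`) is dropped in this commit, so a reader of keys.nix has no way to tell whether the aliasing is deliberate. Restore it here, e.g. on the `git.root` line: `# git.uninsane.org is served by the same host as servo, so it shares servo's host key; used to populate known_hosts`, and a matching one-liner on `servo.root`. The header comment `mapping from <name> => ssh host/user for that name` would also read more precisely as `mapping from <host>.<user> => that user's ssh public key`, since the leaf values are pubkeys.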


@ -18,5 +18,6 @@
_module.args = { _module.args = {
sane-lib = import ./lib { inherit lib utils; }; sane-lib = import ./lib { inherit lib utils; };
sane-data = import ./data;
}; };
} }


@ -1,6 +1,6 @@
{ lib, ... }@moduleArgs: { lib, ... }@moduleArgs:
{ rec {
feeds = import ./feeds.nix moduleArgs; feeds = import ./feeds.nix moduleArgs;
fs = import ./fs.nix moduleArgs; fs = import ./fs.nix moduleArgs;
path = import ./path.nix moduleArgs; path = import ./path.nix moduleArgs;
@ -12,8 +12,26 @@
else else
default; default;
# removes null entries from the provided AttrSet. acts recursively.
# Type: filterNonNull :: AttrSet -> AttrSet
filterNonNull = attrs: lib.filterAttrsRecursive (n: v: v != null) attrs; filterNonNull = attrs: lib.filterAttrsRecursive (n: v: v != null) attrs;
# transform a list into an attrset via a function which maps an element to a name + value
# transform a list into an AttrSet via a function which maps an element to a name + value
# Type: mapToAttrs :: (a -> { name, value }) -> [a] -> AttrSet # Type: mapToAttrs :: (a -> { name, value }) -> [a] -> AttrSet
mapToAttrs = f: list: builtins.listToAttrs (builtins.map f list); mapToAttrs = f: list: builtins.listToAttrs (builtins.map f list);
# flatten a nested AttrSet into a list of { path = [str]; value } items.
# Type: flattenAttrs :: AttrSet[item|AttrSet] -> [{ path; value; }]
flattenAttrs = flattenAttrs' [];
flattenAttrs' = path: value: if builtins.isAttrs value then (
builtins.concatLists (
lib.mapAttrsToList
(name: flattenAttrs' (path ++ [ name ]))
value
)
) else [
{
inherit path value;
}
];
} }
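Review bot: `flattenAttrs'` becomes part of sane-lib's public surface because the set is now `rec {`, even though its only job is to carry the path accumulator for `flattenAttrs`; the doc comment above it describes only `flattenAttrs`, so a caller reading the exported set finds an undocumented, primed helper whose `path` argument is an implementation detail. Binding the helper in a `let` inside `flattenAttrs` keeps the export list equal to what the comments document and no longer depends on `rec` for this one case (the `{` → `rec {` change in the first hunk is still needed if other members reference each other). The second hunk opens on the `else`/`default` lines of a definition that starts outside the hunk. `builtins.isAttrs` also descends into any attrset value, including derivations; if that is not intended for this helper, a note such as `# descends into every AttrSet, so leaves must be non-attrset values` on the type comment would state the assumption.

```nix
# flatten a nested AttrSet into a list of { path = [str]; value } items.
# Type: flattenAttrs :: AttrSet[item|AttrSet] -> [{ path; value; }]
flattenAttrs =
  let
    # `path` accumulates the attribute names walked so far, outermost first.
    go = path: value:
      if builtins.isAttrs value then
        builtins.concatLists (lib.mapAttrsToList (name: go (path ++ [ name ])) value)
      else
        [ { inherit path value; } ];
  in
    go [ ];
```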