refactor hosts directory, and move ssh keys out of modules/data

longer-term, i want hosts/by-name to define host-specific data
that's accessible via the other hosts (things like pubkeys).

also the secrets management needs some rethinking. there's really not
much point in me specifiying where *exactly* a secret comes from at its
use site. i should really be specifying secret store manifests; i.e.
"servo.yaml contains secrets X Y and Z", and leaving the rest up to
auto-computing.

hosts/by-name/desko/default.nix

@@ -9,7 +9,7 @@
   sane.gui.sway.enable = true;
   sane.services.duplicity.enable = true;
   sane.services.nixserve.enable = true;
-  sane.services.nixserve.sopsFile = ../../secrets/desko.yaml;
+  sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
   sane.persist.enable = true;
 
   boot.loader.efi.canTouchEfiVariables = false;
@@ -19,7 +19,7 @@
   services.usbmuxd.enable = true;
 
   sops.secrets.colin-passwd = {
-    sopsFile = ../../secrets/desko.yaml;
+    sopsFile = ../../../secrets/desko.yaml;
     neededForUsers = true;
   };
 
@@ -41,7 +41,7 @@
   };
 
   sops.secrets.duplicity_passphrase = {
-    sopsFile = ../../secrets/desko.yaml;
+    sopsFile = ../../../secrets/desko.yaml;
   };
 
   programs.steam = {

hosts/by-name/lappy/default.nix

@@ -14,7 +14,7 @@
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
   sops.secrets.colin-passwd = {
-    sopsFile = ../../secrets/lappy.yaml;
+    sopsFile = ../../../secrets/lappy.yaml;
     neededForUsers = true;
   };
 

hosts/by-name/moby/default.nix

@@ -19,7 +19,7 @@
   services.getty.autologinUser = "root";  # allows for emergency maintenance?
 
   sops.secrets.colin-passwd = {
-    sopsFile = ../../secrets/moby.yaml;
+    sopsFile = ../../../secrets/moby.yaml;
     neededForUsers = true;
   };
 

hosts/by-name/servo/default.nix

@@ -5,6 +5,7 @@
     ./fs.nix
     ./net.nix
     ./users.nix
+    ./secrets.nix
     ./services
   ];
 
@@ -21,10 +22,6 @@
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
 
-  sops.secrets.duplicity_passphrase = {
-    sopsFile = ../../secrets/servo.yaml;
-  };
-
   # both transmission and ipfs try to set different net defaults.
   # we just use the most aggressive of the two here:
   boot.kernel.sysctl = {

hosts/by-name/servo/secrets.nix

@@ -0,0 +1,36 @@
+{ ... }:
+
+{
+  sops.secrets."ddns_afraid" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."ddns_he" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."duplicity_passphrase" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."freshrss_passwd" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."pleroma_secrets" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+  sops.secrets."dovecot_passwd" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+  sops.secrets."mediawiki_pw" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+
+  sops.secrets."matrix_synapse_secrets" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
+  sops.secrets."mautrix_signal_env" = {
+    sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
+  };
+}

hosts/by-name/servo/services/ddns-afraid.nix

@@ -24,8 +24,4 @@ lib.mkIf false
       OnUnitActiveSec = "10min";
     };
   };
-
-  sops.secrets."ddns_afraid" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
 }

hosts/by-name/servo/services/ddns-he.nix

@@ -27,8 +27,4 @@ lib.mkIf false
       OnUnitActiveSec = "10min";
     };
   };
-
-  sops.secrets."ddns_he" = {
-    sopsFile = ../../../secrets/servo.yaml;
-  };
 }

hosts/by-name/servo/services/freshrss.nix

@@ -11,8 +11,7 @@
 
 { config, lib, pkgs, sane-lib, ... }:
 {
-  sops.secrets.freshrss_passwd = {
-    sopsFile = ../../../secrets/servo.yaml;
+  sops.secrets."freshrss_passwd" = {
     owner = config.users.users.freshrss.name;
     mode = "0400";
   };

hosts/by-name/servo/services/matrix/default.nix

@@ -131,8 +131,7 @@
   };
 
 
-  sops.secrets.matrix_synapse_secrets = {
-    sopsFile = ../../../../secrets/servo.yaml;
+  sops.secrets."matrix_synapse_secrets" = {
     owner = config.users.users.matrix-synapse.name;
   };
 }

hosts/by-name/servo/services/matrix/signal.nix

@@ -25,8 +25,7 @@
     { user = "mautrix-signal"; group = "mautrix-signal"; directory = "/var/lib/mautrix-signal"; }
   ];
 
-  sops.secrets.mautrix_signal_env = {
-    sopsFile = ../../../../secrets/servo/mautrix_signal_env.bin;
+  sops.secrets."mautrix_signal_env" = {
     format = "binary";
     mode = "0440";
     owner = config.users.users.mautrix-signal.name;

hosts/by-name/servo/services/nixserve.nix

@@ -17,5 +17,5 @@
   sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
 
   sane.services.nixserve.enable = true;
-  sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;
+  sane.services.nixserve.sopsFile = ../../../../secrets/servo.yaml;
 }

hosts/by-name/servo/services/pleroma.nix

@@ -179,8 +179,7 @@
 
   sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = "native";
 
-  sops.secrets.pleroma_secrets = {
-    sopsFile = ../../../secrets/servo.yaml;
+  sops.secrets."pleroma_secrets" = {
     owner = config.users.users.pleroma.name;
   };
 }

hosts/by-name/servo/services/postfix.nix

@@ -197,8 +197,7 @@ in
     # }
   ];
 
-  sops.secrets.dovecot_passwd = {
-    sopsFile = ../../../secrets/servo.yaml;
+  sops.secrets."dovecot_passwd" = {
     owner = config.users.users.dovecot2.name;
     # TODO: debug why mail can't be sent without this being world-readable
     mode = "0444";

hosts/by-name/servo/services/wikipedia.nix

@@ -8,7 +8,6 @@ lib.mkIf false
 {
   sops.secrets."mediawiki_pw" = {
     owner = config.users.users.mediawiki.name;
-    sopsFile = ../../../secrets/servo.yaml;
   };
 
   services.mediawiki.enable = true;

hosts/common/default.nix

@@ -5,7 +5,7 @@
     ./cross.nix
     ./feeds.nix
     ./fs.nix
-    ./hardware
+    ./hardware.nix
     ./i2p.nix
     ./ids.nix
     ./machine-id.nix

hosts/common/ssh.nix

@@ -1,24 +1,33 @@
 { config, lib, sane-data, sane-lib, ... }:
 
+let
+  inherit (builtins) head map mapAttrs tail;
+  inherit (lib) concatStringsSep mkMerge reverseList;
+in
 {
   sane.ssh.pubkeys =
   let
     # path is a DNS-style path like [ "org" "uninsane" "root" ]
     keyNameForPath = path:
       let
-        rev = lib.reverseList path;
-        name = builtins.head rev;
-        host = lib.concatStringsSep "." (builtins.tail rev);
+        rev = reverseList path;
+        name = head rev;
+        host = concatStringsSep "." (tail rev);
       in
       "${name}@${host}";
 
     # [{ path :: [String], value :: String }] for the keys we want to install
     globalKeys = sane-lib.flattenAttrs sane-data.keys;
-    localKeys = sane-lib.flattenAttrs sane-data.keys.org.uninsane.local;
-  in lib.mkMerge (builtins.map
+    domainKeys = sane-lib.flattenAttrs (
+      mapAttrs (host: cfg: {
+        colin = cfg.ssh.user_pubkey;
+        root = cfg.ssh.host_pubkey;
+      }) config.sane.hosts
+    );
+  in mkMerge (map
     ({ path, value }: {
-      "${keyNameForPath path}" = value;
+      "${keyNameForPath path}" = lib.mkIf (value != null) value;
     })
-    (globalKeys ++ localKeys)
+    (globalKeys ++ domainKeys)
   );
 }

hosts/instantiate.nix

@@ -1,12 +1,16 @@
 # trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
 
+# args from flake-level `import`
 { hostName, localSystem }:
+
+# module args
 { ... }:
 
 {
   imports = [
-    ./${hostName}
+    ./by-name/${hostName}
     ./common
+    ./modules
   ];
 
   networking.hostName = hostName;

hosts/modules/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  imports = [
+    ./hardware
+    ./hosts.nix
+  ];
+}

hosts/modules/hardware/default.nix

@@ -2,7 +2,6 @@
 
 {
   imports = [
-    ./all.nix
     ./x86_64.nix
   ];
 }

hosts/modules/hardware/x86_64.nix

@@ -1,8 +1,7 @@
 { lib, pkgs, ... }:
 
-with lib;
 {
-  config = mkIf (pkgs.system == "x86_64-linux") {
+  config = lib.mkIf (pkgs.system == "x86_64-linux") {
     boot.initrd.availableKernelModules = [
       "xhci_pci" "ahci" "sd_mod" "sdhci_pci"  # nixos-generate-config defaults
       "usb_storage"   # rpi needed this to boot from usb storage, i think.

hosts/modules/hosts.nix

@@ -0,0 +1,92 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) types mkOption;
+  cfg = config.sane.hosts;
+
+  host = types.submodule ({ config, ... }: {
+    options = {
+      is-target = mkOption {
+        type = types.bool;
+        description = ''
+          true if the config is being built for deployment to this host.
+          set internally.
+        '';
+      };
+
+      roles.server = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          whether this machine is a server for domain-level services like wireguard, rss aggregation, etc.
+        '';
+      };
+      roles.client = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          whether this machine is a client to domain-level services like wireguard, rss aggregation, etc.
+        '';
+      };
+
+      ssh.user_pubkey = mkOption {
+        type = types.nullOr types.str;
+        description = ''
+          ssh pubkey that the primary user of this machine will use when connecting to other machines.
+          e.g. "ssh-ed25519 AAAA<base64>".
+        '';
+      };
+      ssh.host_pubkey = mkOption {
+        type = types.nullOr types.str;
+        description = ''
+          ssh pubkey which this host will present to connections initiated against it.
+          e.g. "ssh-ed25519 AAAA<base64>".
+        '';
+      };
+    };
+
+    config = {
+      # user should set `sane.hosts.target = config.sane.hosts."${host}"` to build for it.
+      is-target = cfg ? "target" && cfg.target == config;
+    };
+  });
+in
+{
+  options = {
+    sane.hosts = mkOption {
+      type = types.attrsOf host;
+      default = {};
+      description = ''
+        map of hostname => attrset of information specific to that host,
+        like its ssh pubkey, etc.
+      '';
+    };
+  };
+
+  config = {
+    sane.hosts."desko" = {
+      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
+      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+      roles.client = true;
+    };
+    sane.hosts."lappy" = {
+      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
+      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+      roles.client = true;
+    };
+    sane.hosts."moby" = {
+      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
+      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
+      roles.client = true;
+    };
+    sane.hosts."servo" = {
+      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
+      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+      roles.server = true;
+    };
+    sane.hosts."rescue" = {
+      ssh.user_pubkey = null;
+      ssh.host_pubkey = null;
+    };
+  };
+}

modules/data/keys.nix

@@ -5,24 +5,9 @@
   org.uninsane = rec {
     root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
     git.root = root;
-
-    local = {
-      # machine aliases i specify on my lan; not actually asserted as DNS
-      desko.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
-      desko.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
-
-      lappy.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
-      lappy.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
-
-      moby.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
-      moby.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
-
-      servo.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
-      servo.root = root;
-    };
   };
 
-  com.github = rec {
+  com.github = {
     # documented here: <https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints>
     # Github actually uses multiple keys -- one per format
     root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";

modules/ssh.nix

@@ -57,7 +57,7 @@ in
   options = {
     sane.ssh.pubkeys = mkOption {
       type = types.attrsOf coercedToKey;
-      default = [];
+      default = {};
       description = ''
         mapping from "user@host" to pubkey.
       '';