diff --git a/hosts/desko/default.nix b/hosts/by-name/desko/default.nix
similarity index 91%
rename from hosts/desko/default.nix
rename to hosts/by-name/desko/default.nix
index 92b8a5f2..0b7cbd1b 100644
--- a/hosts/desko/default.nix
+++ b/hosts/by-name/desko/default.nix
@@ -9,7 +9,7 @@
 sane.gui.sway.enable = true;
 sane.services.duplicity.enable = true;
 sane.services.nixserve.enable = true;
- sane.services.nixserve.sopsFile = ../../secrets/desko.yaml;
+ sane.services.nixserve.sopsFile = ../../../secrets/desko.yaml;
 sane.persist.enable = true;

 boot.loader.efi.canTouchEfiVariables = false;
@@ -19,7 +19,7 @@
 services.usbmuxd.enable = true;

 sops.secrets.colin-passwd = {
- sopsFile = ../../secrets/desko.yaml;
+ sopsFile = ../../../secrets/desko.yaml;
 neededForUsers = true;
 };

@@ -41,7 +41,7 @@
 };

 sops.secrets.duplicity_passphrase = {
- sopsFile = ../../secrets/desko.yaml;
+ sopsFile = ../../../secrets/desko.yaml;
 };

 programs.steam = {
diff --git a/hosts/desko/fs.nix b/hosts/by-name/desko/fs.nix
similarity index 100%
rename from hosts/desko/fs.nix
rename to hosts/by-name/desko/fs.nix
diff --git a/hosts/lappy/default.nix b/hosts/by-name/lappy/default.nix
similarity index 95%
rename from hosts/lappy/default.nix
rename to hosts/by-name/lappy/default.nix
index 86dfd55c..3a3885e7 100644
--- a/hosts/lappy/default.nix
+++ b/hosts/by-name/lappy/default.nix
@@ -14,7 +14,7 @@
 sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

 sops.secrets.colin-passwd = {
- sopsFile = ../../secrets/lappy.yaml;
+ sopsFile = ../../../secrets/lappy.yaml;
 neededForUsers = true;
 };

diff --git a/hosts/lappy/fs.nix b/hosts/by-name/lappy/fs.nix
similarity index 100%
rename from hosts/lappy/fs.nix
rename to hosts/by-name/lappy/fs.nix
diff --git a/hosts/moby/default.nix b/hosts/by-name/moby/default.nix
similarity index 98%
rename from hosts/moby/default.nix
rename to hosts/by-name/moby/default.nix
index d6a71584..d0105fcd 100644
--- a/hosts/moby/default.nix
+++ b/hosts/by-name/moby/default.nix
@@ -19,7 +19,7 @@
 services.getty.autologinUser = "root"; # allows for emergency maintenance?

 sops.secrets.colin-passwd = {
- sopsFile = ../../secrets/moby.yaml;
+ sopsFile = ../../../secrets/moby.yaml;
 neededForUsers = true;
 };

diff --git a/hosts/moby/firmware.nix b/hosts/by-name/moby/firmware.nix
similarity index 100%
rename from hosts/moby/firmware.nix
rename to hosts/by-name/moby/firmware.nix
diff --git a/hosts/moby/fs.nix b/hosts/by-name/moby/fs.nix
similarity index 100%
rename from hosts/moby/fs.nix
rename to hosts/by-name/moby/fs.nix
diff --git a/hosts/moby/kernel.nix b/hosts/by-name/moby/kernel.nix
similarity index 100%
rename from hosts/moby/kernel.nix
rename to hosts/by-name/moby/kernel.nix
diff --git a/hosts/moby/ucm2/PinePhone/HiFi.conf b/hosts/by-name/moby/ucm2/PinePhone/HiFi.conf
similarity index 100%
rename from hosts/moby/ucm2/PinePhone/HiFi.conf
rename to hosts/by-name/moby/ucm2/PinePhone/HiFi.conf
diff --git a/hosts/moby/ucm2/PinePhone/PinePhone.conf b/hosts/by-name/moby/ucm2/PinePhone/PinePhone.conf
similarity index 100%
rename from hosts/moby/ucm2/PinePhone/PinePhone.conf
rename to hosts/by-name/moby/ucm2/PinePhone/PinePhone.conf
diff --git a/hosts/moby/ucm2/PinePhone/VoiceCall.conf b/hosts/by-name/moby/ucm2/PinePhone/VoiceCall.conf
similarity index 100%
rename from hosts/moby/ucm2/PinePhone/VoiceCall.conf
rename to hosts/by-name/moby/ucm2/PinePhone/VoiceCall.conf
diff --git a/hosts/moby/ucm2/ucm.conf b/hosts/by-name/moby/ucm2/ucm.conf
similarity index 100%
rename from hosts/moby/ucm2/ucm.conf
rename to hosts/by-name/moby/ucm2/ucm.conf
diff --git a/hosts/rescue/default.nix b/hosts/by-name/rescue/default.nix
similarity index 100%
rename from hosts/rescue/default.nix
rename to hosts/by-name/rescue/default.nix
diff --git a/hosts/rescue/fs.nix b/hosts/by-name/rescue/fs.nix
similarity index 100%
rename from hosts/rescue/fs.nix
rename to hosts/by-name/rescue/fs.nix
diff --git a/hosts/servo/default.nix b/hosts/by-name/servo/default.nix
similarity index 92%
rename from hosts/servo/default.nix
rename to hosts/by-name/servo/default.nix
index 28992cfc..68ab5ea2 100644
--- a/hosts/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@@ -5,6 +5,7 @@
 ./fs.nix
 ./net.nix
 ./users.nix
+ ./secrets.nix
 ./services
 ];

@@ -21,10 +22,6 @@
 boot.loader.efi.canTouchEfiVariables = false;
 sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];

- sops.secrets.duplicity_passphrase = {
- sopsFile = ../../secrets/servo.yaml;
- };
-
 # both transmission and ipfs try to set different net defaults.
 # we just use the most aggressive of the two here:
 boot.kernel.sysctl = {
diff --git a/hosts/servo/fs.nix b/hosts/by-name/servo/fs.nix
similarity index 100%
rename from hosts/servo/fs.nix
rename to hosts/by-name/servo/fs.nix
diff --git a/hosts/servo/net.nix b/hosts/by-name/servo/net.nix
similarity index 100%
rename from hosts/servo/net.nix
rename to hosts/by-name/servo/net.nix
diff --git a/hosts/by-name/servo/secrets.nix b/hosts/by-name/servo/secrets.nix
new file mode 100644
index 00000000..1434f4f9
--- /dev/null
+++ b/hosts/by-name/servo/secrets.nix
@@ -0,0 +1,36 @@
+{ ... }:
+
+ {
+ sops.secrets."ddns_afraid" = {
+ sopsFile = ../../../secrets/servo.yaml;
+ };
+
+ sops.secrets."ddns_he" = {
+ sopsFile = ../../../secrets/servo.yaml;
+ };
+
+ sops.secrets."duplicity_passphrase" = {
+ sopsFile = ../../../secrets/servo.yaml;
+ };
+
+ sops.secrets."freshrss_passwd" = {
+ sopsFile = ../../../secrets/servo.yaml;
+ };
+
+ sops.secrets."pleroma_secrets" = {
+ sopsFile = ../../../secrets/servo.yaml;
+ };
+ sops.secrets."dovecot_passwd" = {
+ sopsFile = ../../../secrets/servo.yaml;
+ };
+ sops.secrets."mediawiki_pw" = {
+ sopsFile = ../../../secrets/servo.yaml;
+ };
+
+ sops.secrets."matrix_synapse_secrets" = {
+ sopsFile = ../../../secrets/servo.yaml;
+ };
+ sops.secrets."mautrix_signal_env" = {
+ sopsFile = ../../../secrets/servo/mautrix_signal_env.bin;
+ };
+}
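Review bot: `hosts/by-name/servo/secrets.nix` declares `ddns_afraid`, `ddns_he` and `mediawiki_pw` unconditionally, while the declarations it replaces (the ddns-afraid.nix, ddns-he.nix and wikipedia.nix hunks) sat inside modules gated by `lib.mkIf false`, so sops-nix will now decrypt and place those three secrets on servo at activation even though nothing consumes them. Keep the gate with the declaration, e.g. `sops.secrets."ddns_afraid" = lib.mkIf false { sopsFile = ../../../secrets/servo.yaml; };` (taking `lib` in the module arguments), or leave those three in their service modules. Separately, `mautrix_signal_env` points at a `.bin` file here but its `format = "binary"` lives only in signal.nix; moving `format = "binary";` next to the `sopsFile` line keeps the declaration self-contained, so importing this file without signal.nix never asks sops to parse the blob as YAML. A one-line header such as `# sops secret sources for servo; owner/mode are set where each secret is consumed` would point the next reader to the other half of each declaration.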
diff --git a/hosts/servo/services/ddns-afraid.nix b/hosts/by-name/servo/services/ddns-afraid.nix
similarity index 89%
rename from hosts/servo/services/ddns-afraid.nix
rename to hosts/by-name/servo/services/ddns-afraid.nix
index fd1d6f55..e30311f8 100644
--- a/hosts/servo/services/ddns-afraid.nix
+++ b/hosts/by-name/servo/services/ddns-afraid.nix
@@ -24,8 +24,4 @@ lib.mkIf false
 OnUnitActiveSec = "10min";
 };
 };
-
- sops.secrets."ddns_afraid" = {
- sopsFile = ../../../secrets/servo.yaml;
- };
 }
diff --git a/hosts/servo/services/ddns-he.nix b/hosts/by-name/servo/services/ddns-he.nix
similarity index 92%
rename from hosts/servo/services/ddns-he.nix
rename to hosts/by-name/servo/services/ddns-he.nix
index a79865c2..e4871e75 100644
--- a/hosts/servo/services/ddns-he.nix
+++ b/hosts/by-name/servo/services/ddns-he.nix
@@ -27,8 +27,4 @@ lib.mkIf false
 OnUnitActiveSec = "10min";
 };
 };
-
- sops.secrets."ddns_he" = {
- sopsFile = ../../../secrets/servo.yaml;
- };
 }
diff --git a/hosts/servo/services/default.nix b/hosts/by-name/servo/services/default.nix
similarity index 100%
rename from hosts/servo/services/default.nix
rename to hosts/by-name/servo/services/default.nix
diff --git a/hosts/servo/services/ejabberd.nix b/hosts/by-name/servo/services/ejabberd.nix
similarity index 100%
rename from hosts/servo/services/ejabberd.nix
rename to hosts/by-name/servo/services/ejabberd.nix
diff --git a/hosts/servo/services/freshrss.nix b/hosts/by-name/servo/services/freshrss.nix
similarity index 96%
rename from hosts/servo/services/freshrss.nix
rename to hosts/by-name/servo/services/freshrss.nix
index b371ae0c..aed602e4 100644
--- a/hosts/servo/services/freshrss.nix
+++ b/hosts/by-name/servo/services/freshrss.nix
@@ -11,8 +11,7 @@
 { config, lib, pkgs, sane-lib, ... }:

 {
- sops.secrets.freshrss_passwd = {
- sopsFile = ../../../secrets/servo.yaml;
+ sops.secrets."freshrss_passwd" = {
 owner = config.users.users.freshrss.name;
 mode = "0400";
 };
diff --git a/hosts/servo/services/gitea.nix b/hosts/by-name/servo/services/gitea.nix
similarity index 100%
rename from hosts/servo/services/gitea.nix
rename to hosts/by-name/servo/services/gitea.nix
diff --git a/hosts/servo/services/goaccess.nix b/hosts/by-name/servo/services/goaccess.nix
similarity index 100%
rename from hosts/servo/services/goaccess.nix
rename to hosts/by-name/servo/services/goaccess.nix
diff --git a/hosts/servo/services/ipfs.nix b/hosts/by-name/servo/services/ipfs.nix
similarity index 100%
rename from hosts/servo/services/ipfs.nix
rename to hosts/by-name/servo/services/ipfs.nix
diff --git a/hosts/servo/services/jackett.nix b/hosts/by-name/servo/services/jackett.nix
similarity index 100%
rename from hosts/servo/services/jackett.nix
rename to hosts/by-name/servo/services/jackett.nix
diff --git a/hosts/servo/services/jellyfin.nix b/hosts/by-name/servo/services/jellyfin.nix
similarity index 100%
rename from hosts/servo/services/jellyfin.nix
rename to hosts/by-name/servo/services/jellyfin.nix
diff --git a/hosts/servo/services/kiwix-serve.nix b/hosts/by-name/servo/services/kiwix-serve.nix
similarity index 100%
rename from hosts/servo/services/kiwix-serve.nix
rename to hosts/by-name/servo/services/kiwix-serve.nix
diff --git a/hosts/servo/services/matrix/default.nix b/hosts/by-name/servo/services/matrix/default.nix
similarity index 98%
rename from hosts/servo/services/matrix/default.nix
rename to hosts/by-name/servo/services/matrix/default.nix
index 843f46f6..13337434 100644
--- a/hosts/servo/services/matrix/default.nix
+++ b/hosts/by-name/servo/services/matrix/default.nix
@@ -131,8 +131,7 @@
 };


- sops.secrets.matrix_synapse_secrets = {
- sopsFile = ../../../../secrets/servo.yaml;
+ sops.secrets."matrix_synapse_secrets" = {
 owner = config.users.users.matrix-synapse.name;
 };
 }
diff --git a/hosts/servo/services/matrix/discord-puppet.nix b/hosts/by-name/servo/services/matrix/discord-puppet.nix
similarity index 100%
rename from hosts/servo/services/matrix/discord-puppet.nix
rename to hosts/by-name/servo/services/matrix/discord-puppet.nix
diff --git a/hosts/servo/services/matrix/irc.nix b/hosts/by-name/servo/services/matrix/irc.nix
similarity index 100%
rename from hosts/servo/services/matrix/irc.nix
rename to hosts/by-name/servo/services/matrix/irc.nix
diff --git a/hosts/servo/services/matrix/signal.nix b/hosts/by-name/servo/services/matrix/signal.nix
similarity index 91%
rename from hosts/servo/services/matrix/signal.nix
rename to hosts/by-name/servo/services/matrix/signal.nix
index df78f94d..00705761 100644
--- a/hosts/servo/services/matrix/signal.nix
+++ b/hosts/by-name/servo/services/matrix/signal.nix
@@ -25,8 +25,7 @@
 { user = "mautrix-signal"; group = "mautrix-signal"; directory = "/var/lib/mautrix-signal"; }
 ];

- sops.secrets.mautrix_signal_env = {
- sopsFile = ../../../../secrets/servo/mautrix_signal_env.bin;
+ sops.secrets."mautrix_signal_env" = {
 format = "binary";
 mode = "0440";
 owner = config.users.users.mautrix-signal.name;
diff --git a/hosts/servo/services/matrix/synapse-log_level.yaml b/hosts/by-name/servo/services/matrix/synapse-log_level.yaml
similarity index 100%
rename from hosts/servo/services/matrix/synapse-log_level.yaml
rename to hosts/by-name/servo/services/matrix/synapse-log_level.yaml
diff --git a/hosts/servo/services/navidrome.nix b/hosts/by-name/servo/services/navidrome.nix
similarity index 100%
rename from hosts/servo/services/navidrome.nix
rename to hosts/by-name/servo/services/navidrome.nix
diff --git a/hosts/servo/services/nginx.nix b/hosts/by-name/servo/services/nginx.nix
similarity index 100%
rename from hosts/servo/services/nginx.nix
rename to hosts/by-name/servo/services/nginx.nix
diff --git a/hosts/servo/services/nixserve.nix b/hosts/by-name/servo/services/nixserve.nix
similarity index 89%
rename from hosts/servo/services/nixserve.nix
rename to hosts/by-name/servo/services/nixserve.nix
index cbd3f580..60750408 100644
--- a/hosts/servo/services/nixserve.nix
+++ b/hosts/by-name/servo/services/nixserve.nix
@@ -17,5 +17,5 @@
 sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";

 sane.services.nixserve.enable = true;
- sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;
+ sane.services.nixserve.sopsFile = ../../../../secrets/servo.yaml;
 }
diff --git a/hosts/servo/services/pleroma.nix b/hosts/by-name/servo/services/pleroma.nix
similarity index 98%
rename from hosts/servo/services/pleroma.nix
rename to hosts/by-name/servo/services/pleroma.nix
index c66600ac..65514b92 100644
--- a/hosts/servo/services/pleroma.nix
+++ b/hosts/by-name/servo/services/pleroma.nix
@@ -179,8 +179,7 @@
 sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = "native";


- sops.secrets.pleroma_secrets = {
- sopsFile = ../../../secrets/servo.yaml;
+ sops.secrets."pleroma_secrets" = {
 owner = config.users.users.pleroma.name;
 };
 }
diff --git a/hosts/servo/services/postfix.nix b/hosts/by-name/servo/services/postfix.nix
similarity index 98%
rename from hosts/servo/services/postfix.nix
rename to hosts/by-name/servo/services/postfix.nix
index 1a64ed6a..1469f12e 100644
--- a/hosts/servo/services/postfix.nix
+++ b/hosts/by-name/servo/services/postfix.nix
@@ -197,8 +197,7 @@ in
 # }
 ];

- sops.secrets.dovecot_passwd = {
- sopsFile = ../../../secrets/servo.yaml;
+ sops.secrets."dovecot_passwd" = {
 owner = config.users.users.dovecot2.name;
 # TODO: debug why mail can't be sent without this being world-readable
 mode = "0444";
diff --git a/hosts/servo/services/postgres.nix b/hosts/by-name/servo/services/postgres.nix
similarity index 100%
rename from hosts/servo/services/postgres.nix
rename to hosts/by-name/servo/services/postgres.nix
diff --git a/hosts/servo/services/prosody.nix b/hosts/by-name/servo/services/prosody.nix
similarity index 100%
rename from hosts/servo/services/prosody.nix
rename to hosts/by-name/servo/services/prosody.nix
diff --git a/hosts/servo/services/transmission.nix b/hosts/by-name/servo/services/transmission.nix
similarity index 100%
rename from hosts/servo/services/transmission.nix
rename to hosts/by-name/servo/services/transmission.nix
diff --git a/hosts/servo/services/trust-dns.nix b/hosts/by-name/servo/services/trust-dns.nix
similarity index 100%
rename from hosts/servo/services/trust-dns.nix
rename to hosts/by-name/servo/services/trust-dns.nix
diff --git a/hosts/servo/services/wikipedia.nix b/hosts/by-name/servo/services/wikipedia.nix
similarity index 95%
rename from hosts/servo/services/wikipedia.nix
rename to hosts/by-name/servo/services/wikipedia.nix
index b0efc1ce..d68054c2 100644
--- a/hosts/servo/services/wikipedia.nix
+++ b/hosts/by-name/servo/services/wikipedia.nix
@@ -8,7 +8,6 @@ lib.mkIf false
 {
 sops.secrets."mediawiki_pw" = {
 owner = config.users.users.mediawiki.name;
- sopsFile = ../../../secrets/servo.yaml;
 };

 services.mediawiki.enable = true;
diff --git a/hosts/servo/users.nix b/hosts/by-name/servo/users.nix
similarity index 100%
rename from hosts/servo/users.nix
rename to hosts/by-name/servo/users.nix
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index c3f54367..68ff9583 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -5,7 +5,7 @@
 ./cross.nix
 ./feeds.nix
 ./fs.nix
- ./hardware
+ ./hardware.nix
 ./i2p.nix
 ./ids.nix
 ./machine-id.nix
diff --git a/hosts/common/hardware/all.nix b/hosts/common/hardware.nix
similarity index 100%
rename from hosts/common/hardware/all.nix
rename to hosts/common/hardware.nix
diff --git a/hosts/common/ssh.nix b/hosts/common/ssh.nix
index b105865d..8e885630 100644
--- a/hosts/common/ssh.nix
+++ b/hosts/common/ssh.nix
@@ -1,24 +1,33 @@
 { config, lib, sane-data, sane-lib, ... }:
+let
+ inherit (builtins) head map mapAttrs tail;
+ inherit (lib) concatStringsSep mkMerge reverseList;
+in
 {
 sane.ssh.pubkeys = let
 # path is a DNS-style path like [ "org" "uninsane" "root" ]
 keyNameForPath = path: let
- rev = lib.reverseList path;
- name = builtins.head rev;
- host = lib.concatStringsSep "." (builtins.tail rev);
+ rev = reverseList path;
+ name = head rev;
+ host = concatStringsSep "." (tail rev);
 in "${name}@${host}";
 # [{ path :: [String], value :: String }] for the keys we want to install
 globalKeys = sane-lib.flattenAttrs sane-data.keys;
- localKeys = sane-lib.flattenAttrs sane-data.keys.org.uninsane.local;
- in lib.mkMerge (builtins.map
+ domainKeys = sane-lib.flattenAttrs (
+ mapAttrs (host: cfg: {
+ colin = cfg.ssh.user_pubkey;
+ root = cfg.ssh.host_pubkey;
+ }) config.sane.hosts
+ );
+ in mkMerge (map
 ({ path, value }: {
- "${keyNameForPath path}" = value;
+ "${keyNameForPath path}" = lib.mkIf (value != null) value;
 })
- (globalKeys ++ localKeys)
+ (globalKeys ++ domainKeys)
 );
 }
diff --git a/hosts/instantiate.nix b/hosts/instantiate.nix
index 076407f2..54c23f74 100644
--- a/hosts/instantiate.nix
+++ b/hosts/instantiate.nix
@@ -1,12 +1,16 @@
 # trampoline from flake.nix into the specific host definition, while doing a tiny bit of common setup
+# args from flake-level `import`
 { hostName, localSystem }:
+
+# module args
 { ... }:
 {
 imports = [
- ./${hostName}
+ ./by-name/${hostName}
 ./common
+ ./modules
 ];
 networking.hostName = hostName;
diff --git a/hosts/modules/default.nix b/hosts/modules/default.nix
new file mode 100644
index 00000000..548c431c
--- /dev/null
+++ b/hosts/modules/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+ {
+ imports = [
+ ./hardware
+ ./hosts.nix
+ ];
+}
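Review bot: `domainKeys` walks every attribute of `config.sane.hosts`, and hosts.nix invites the user to set a `target` entry (`sane.hosts.target = config.sane.hosts."${host}"`) that is a host-shaped copy rather than a real machine, so if that pattern is used its keys would also be installed as `colin@target` and `root@target`; dropping it before the map, `}) (removeAttrs config.sane.hosts [ "target" ])`, keeps `sane.ssh.pubkeys` limited to real hostnames. The `lib.mkIf (value != null) value` guard is what keeps the `rescue` entry (both pubkeys `null`) from producing an empty key, which is worth a one-line comment such as `# hosts without keys (rescue) are skipped rather than installed as empty entries`. Minor style point: the new `let` inherits `mkMerge` from `lib` but the new line still spells `lib.mkIf`; adding `mkIf` to the `inherit (lib)` list keeps the file consistent.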
diff --git a/hosts/common/hardware/default.nix b/hosts/modules/hardware/default.nix
similarity index 78%
rename from hosts/common/hardware/default.nix
rename to hosts/modules/hardware/default.nix
index 095addcc..e9f0b575 100644
--- a/hosts/common/hardware/default.nix
+++ b/hosts/modules/hardware/default.nix
@@ -2,7 +2,6 @@

 {
 imports = [
- ./all.nix
 ./x86_64.nix
 ];
 }
diff --git a/hosts/common/hardware/x86_64.nix b/hosts/modules/hardware/x86_64.nix
similarity index 92%
rename from hosts/common/hardware/x86_64.nix
rename to hosts/modules/hardware/x86_64.nix
index e93e1a41..88bbc6d9 100644
--- a/hosts/common/hardware/x86_64.nix
+++ b/hosts/modules/hardware/x86_64.nix
@@ -1,8 +1,7 @@
 { lib, pkgs, ... }:
-with lib;
 {
- config = mkIf (pkgs.system == "x86_64-linux") {
+ config = lib.mkIf (pkgs.system == "x86_64-linux") {
 boot.initrd.availableKernelModules = [
 "xhci_pci" "ahci" "sd_mod" "sdhci_pci" # nixos-generate-config defaults
 "usb_storage" # rpi needed this to boot from usb storage, i think.
diff --git a/hosts/modules/hosts.nix b/hosts/modules/hosts.nix
new file mode 100644
index 00000000..e7cadae1
--- /dev/null
+++ b/hosts/modules/hosts.nix
@@ -0,0 +1,92 @@
+{ config, lib, ... }:
+
+ let
+ inherit (lib) types mkOption;
+ cfg = config.sane.hosts;
+
+ host = types.submodule ({ config, ... }: {
+ options = {
+ is-target = mkOption {
+ type = types.bool;
+ description = ''
+ true if the config is being built for deployment to this host.
+ set internally.
+ '';
+ };
+
+ roles.server = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ whether this machine is a server for domain-level services like wireguard, rss aggregation, etc.
+ '';
+ };
+ roles.client = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ whether this machine is a client to domain-level services like wireguard, rss aggregation, etc.
+ '';
+ };
+
+ ssh.user_pubkey = mkOption {
+ type = types.nullOr types.str;
+ description = ''
+ ssh pubkey that the primary user of this machine will use when connecting to other machines.
+ e.g. "ssh-ed25519 AAAA".
+ '';
+ };
+ ssh.host_pubkey = mkOption {
+ type = types.nullOr types.str;
+ description = ''
+ ssh pubkey which this host will present to connections initiated against it.
+ e.g. "ssh-ed25519 AAAA".
+ '';
+ };
+ };
+
+ config = {
+ # user should set `sane.hosts.target = config.sane.hosts."${host}"` to build for it.
+ is-target = cfg ? "target" && cfg.target == config;
+ };
+ });
+in
+{
+ options = {
+ sane.hosts = mkOption {
+ type = types.attrsOf host;
+ default = {};
+ description = ''
+ map of hostname => attrset of information specific to that host,
+ like its ssh pubkey, etc.
+ '';
+ };
+ };
+
+ config = {
+ sane.hosts."desko" = {
+ ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
+ ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
+ roles.client = true;
+ };
+ sane.hosts."lappy" = {
+ ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
+ ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+ roles.client = true;
+ };
+ sane.hosts."moby" = {
+ ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
+ ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
+ roles.client = true;
+ };
+ sane.hosts."servo" = {
+ ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
+ ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+ roles.server = true;
+ };
+ sane.hosts."rescue" = {
+ ssh.user_pubkey = null;
+ ssh.host_pubkey = null;
+ };
+ };
+}
diff --git a/modules/data/keys.nix b/modules/data/keys.nix
index e0ef22b8..f11807f4 100644
--- a/modules/data/keys.nix
+++ b/modules/data/keys.nix
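Review bot: `is-target = cfg ? "target" && cfg.target == config;` relies on a `target` attribute that no option declares; under `types.attrsOf host` a `sane.hosts.target = …` assignment is just another host entry, and the structural `==` between two submodule configs would evaluate each side's own `is-target`, which looks likely to recurse — worth checking with `nix eval`; a separate `sane.hosts.target` option of type `types.str`, compared against the submodule's `name` argument, would be the usual shape. `is-target` is described as "set internally" but is an ordinary option, so `internal = true;` (and `readOnly = true;`) in its `mkOption` would keep it out of the docs and out of user overrides. The pubkeys in the `config` block feed `sane.ssh.pubkeys` through hosts/common/ssh.nix, so a short comment above them such as `# trust anchors: installed as known ssh pubkeys on every host; update here when a machine's keys rotate` would make that weight visible to whoever edits them next.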
@@ -5,24 +5,9 @@
 org.uninsane = rec {
 root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
 git.root = root;
-
- local = {
- # machine aliases i specify on my lan; not actually asserted as DNS
- desko.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
- desko.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
-
- lappy.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
- lappy.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
-
- moby.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
- moby.root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
-
- servo.colin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
- servo.root = root;
- };
 };

- com.github = rec {
+ com.github = {
 # documented here:
 # Github actually uses multiple keys -- one per format
 root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
diff --git a/modules/ssh.nix b/modules/ssh.nix
index cc98ca46..3f7c616e 100644
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@@ -57,7 +57,7 @@ in
 options = {
 sane.ssh.pubkeys = mkOption {
 type = types.attrsOf coercedToKey;
- default = [];
+ default = {};
 description = ''
 mapping from "user@host" to pubkey.
 '';
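Review bot: The servo host key string is now carried in two places — `org.uninsane.root` here and `sane.hosts."servo".ssh.host_pubkey` in hosts/modules/hosts.nix — so a rotation done in one file leaves the other silently trusting the old key; having one read from the other, or at least a comment in each (`# duplicated in hosts/modules/hosts.nix; keep in sync`), would close that gap. Dropping `rec` from `com.github` is safe only if nothing later in that attrset refers to `root` by name; the rest of the block is outside the hunk, so that is worth confirming before merge.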