refactor: remove modules/data/keys.nix

2023-11-23 03:56:00 +00:00 · 2023-11-23 03:56:00 +00:00 · e0a1dcd51f
parent 758281f772
commit e0a1dcd51f
4 changed files with 18 additions and 55 deletions
--- a/TODO.md
+++ b/TODO.md
@ -7,8 +7,7 @@

 ## REFACTORING:

- remove modules/data/keys
- simplify ssh keys (hosts/common/ssh.nix ; modules/ssh.nix)
+- fold hosts/common/home/ssh.nix -> hosts/common/users/colin.nix

 ### sops/secrets
 - attach secrets to the thing they're used by (sane.programs)
--- a/hosts/common/ssh.nix
+++ b/hosts/common/ssh.nix
@ -1,45 +1,25 @@
-{ config, lib, sane-data, sane-lib, ... }:
+{ config, lib,  sane-lib, ... }:

 let
-  inherit (builtins) attrValues head map mapAttrs tail;
+  keysForHost = hostName: let
+    hostCfg = config.sane.hosts.by-name."${hostName}";
+  in {
+    "root@${hostName}" = hostCfg.ssh.host_pubkey;
+    "colin@${hostName}" = lib.mkIf hostCfg.ssh.authorized hostCfg.ssh.user_pubkey;
+  };
+  hostKeys = builtins.map keysForHost (builtins.attrNames config.sane.hosts.by-name);
 in
 {
-  sane.ssh.pubkeys =
-  let
-    # path is a DNS-style path like [ "org" "uninsane" "root" ]
-    keyNameForPath = path:
-      let
-        rev = lib.reverseList path;
-        name = head rev;
-        host = lib.concatStringsSep "." (tail rev);
-      in
-      "${name}@${host}";
+  sane.ssh.pubkeys = lib.mkMerge (hostKeys ++ [
+    {
+      "root@uninsane.org" = config.sane.hosts.by-name.servo.ssh.host_pubkey;
+      "root@git.uninsane.org" = config.sane.hosts.by-name.servo.ssh.host_pubkey;

-    # [{ path :: [String], value :: String }] for the keys we want to install
-    globalKeys = sane-lib.flattenAttrs sane-data.keys;
-
-    keysForHost = hostCfg: sane-lib.mapToAttrs
-      (name: {
-        inherit name;
-        value = {
-          root = hostCfg.ssh.host_pubkey;
-        } // (lib.optionalAttrs hostCfg.ssh.authorized {
-          colin = hostCfg.ssh.user_pubkey;
-        });
-      })
-      hostCfg.names
-    ;
-    domainKeys = sane-lib.flattenAttrs (
-      sane-lib.joinAttrsets (
-        map keysForHost (builtins.attrValues config.sane.hosts.by-name)
-      )
-    );
-  in lib.mkMerge (map
-    ({ path, value }: {
-      "${keyNameForPath path}" = lib.mkIf (value != null) value;
-    })
-    (globalKeys ++ domainKeys)
-  );
+      # documented here: <https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints>
+      # Github actually uses multiple keys -- one per format
+      "root@github.com" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+    }
+  ]);

  services.openssh = {
    enable = true;
--- a/modules/data/default.nix
+++ b/modules/data/default.nix
@ -8,5 +8,4 @@ moduleArgs:

 {
  feeds = import ./feeds moduleArgs;
-  keys = import ./keys.nix;
 }
--- a/modules/data/keys.nix
+++ b/modules/data/keys.nix
@ -1,15 +0,0 @@
-# hierarchical, DNS-like mapping from <name> => ssh host/user for that name.
-# host keys are represented as user keys, just with the user specified as "root".
-
-{
-  org.uninsane = rec {
-    root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
-    git.root = root;
-  };
-
-  com.github = {
-    # documented here: <https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints>
-    # Github actually uses multiple keys -- one per format
-    root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-  };
-}