From e0a1dcd51f7f377198a6d9036d8241f79389195a Mon Sep 17 00:00:00 2001
From: Colin
Date: Thu, 23 Nov 2023 03:56:00 +0000
Subject: [PATCH] refactor: remove modules/data/keys.nix

---
 TODO.md | 3 +--
 hosts/common/ssh.nix | 54 +++++++++++++---------------------------
 modules/data/default.nix | 1 -
 modules/data/keys.nix | 15 -----------
 4 files changed, 18 insertions(+), 55 deletions(-)
 delete mode 100644 modules/data/keys.nix

diff --git a/TODO.md b/TODO.md
index f4b08123..6e087387 100644
--- a/TODO.md
+++ b/TODO.md
@@ -7,8 +7,7 @@
 ## REFACTORING:
-- remove modules/data/keys
-- simplify ssh keys (hosts/common/ssh.nix ; modules/ssh.nix)
+- fold hosts/common/home/ssh.nix -> hosts/common/users/colin.nix
 
 ### sops/secrets
 - attach secrets to the thing they're used by (sane.programs)
diff --git a/hosts/common/ssh.nix b/hosts/common/ssh.nix
index e896f8fc..0ab4b8aa 100644
--- a/hosts/common/ssh.nix
+++ b/hosts/common/ssh.nix
@@ -1,45 +1,25 @@
-{ config, lib, sane-data, sane-lib, ... }:
+{ config, lib, sane-lib, ... }:
 let
- inherit (builtins) attrValues head map mapAttrs tail;
+ keysForHost = hostName: let
+ hostCfg = config.sane.hosts.by-name."${hostName}";
+ in {
+ "root@${hostName}" = hostCfg.ssh.host_pubkey;
+ "colin@${hostName}" = lib.mkIf hostCfg.ssh.authorized hostCfg.ssh.user_pubkey;
+ };
+ hostKeys = builtins.map keysForHost (builtins.attrNames config.sane.hosts.by-name);
 in
 {
- sane.ssh.pubkeys =
- let
- # path is a DNS-style path like [ "org" "uninsane" "root" ]
- keyNameForPath = path:
- let
- rev = lib.reverseList path;
- name = head rev;
- host = lib.concatStringsSep "." (tail rev);
- in
- "${name}@${host}";
+ sane.ssh.pubkeys = lib.mkMerge (hostKeys ++ [
+ {
+ "root@uninsane.org" = config.sane.hosts.by-name.servo.ssh.host_pubkey;
+ "root@git.uninsane.org" = config.sane.hosts.by-name.servo.ssh.host_pubkey;
 
- # [{ path :: [String], value :: String }] for the keys we want to install
- globalKeys = sane-lib.flattenAttrs sane-data.keys;
-
- keysForHost = hostCfg: sane-lib.mapToAttrs
- (name: {
- inherit name;
- value = {
- root = hostCfg.ssh.host_pubkey;
- } // (lib.optionalAttrs hostCfg.ssh.authorized {
- colin = hostCfg.ssh.user_pubkey;
- });
- })
- hostCfg.names
- ;
- domainKeys = sane-lib.flattenAttrs (
- sane-lib.joinAttrsets (
- map keysForHost (builtins.attrValues config.sane.hosts.by-name)
- )
- );
- in lib.mkMerge (map
- ({ path, value }: {
- "${keyNameForPath path}" = lib.mkIf (value != null) value;
- })
- (globalKeys ++ domainKeys)
- );
+ # documented here:
+ # Github actually uses multiple keys -- one per format
+ "root@github.com" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+ }
+ ]);
 
 services.openssh = {
 enable = true;
diff --git a/modules/data/default.nix b/modules/data/default.nix
index 6c1b4d37..76eee055 100644
--- a/modules/data/default.nix
+++ b/modules/data/default.nix
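Review bot: The new `keysForHost` drops the `lib.mkIf (value != null) value` guard that the removed `lib.mkMerge` block applied to every entry, so a host whose `ssh.host_pubkey` (or, when `ssh.authorized` is set, `ssh.user_pubkey`) is unset now contributes a null value to `sane.ssh.pubkeys` instead of being skipped. Whether that aborts evaluation or ends up as an empty known-hosts pin depends on the option's type, which is not in this patch, but either way it is a change from the old behaviour. Suggest `"root@${hostName}" = lib.mkIf (hostCfg.ssh.host_pubkey != null) hostCfg.ssh.host_pubkey;` and `"colin@${hostName}" = lib.mkIf (hostCfg.ssh.authorized && hostCfg.ssh.user_pubkey != null) hostCfg.ssh.user_pubkey;`. Separately, the removed code enumerated every entry of `hostCfg.names` for each host, while the new code keys on the attribute name only and hard-codes `uninsane.org` and `git.uninsane.org` to `servo`; if any other host declares additional names, those known-hosts pins silently disappear and the first connection to such an alias falls back to trust-on-first-use, so it is worth confirming no other host relied on `names`.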
@@ -8,5 +8,4 @@ moduleArgs:
 {
 feeds = import ./feeds moduleArgs;
- keys = import ./keys.nix;
 }
diff --git a/modules/data/keys.nix b/modules/data/keys.nix
deleted file mode 100644
index f11807f4..00000000
--- a/modules/data/keys.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-# hierarchical, DNS-like mapping from => ssh host/user for that name.
-# host keys are represented as user keys, just with the user specified as "root".
-
-{
- org.uninsane = rec {
- root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
- git.root = root;
- };
-
- com.github = {
- # documented here:
- # Github actually uses multiple keys -- one per format
- root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
- };
-}