refactor: remove modules/data/keys.nix
parent
758281f772
commit
e0a1dcd51f
3
TODO.md
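--- a/TODO.md
+++ b/TODO.md
@@ -7,8 +7,7 @@
 
 ## REFACTORING:
 
-- remove modules/data/keys
-- simplify ssh keys (hosts/common/ssh.nix ; modules/ssh.nix)
+- fold hosts/common/home/ssh.nix -> hosts/common/users/colin.nix
 
 ### sops/secrets
 - attach secrets to the thing they're used by (sane.programs)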
@ -1,45 +1,25 @@
|
||||||
{ config, lib, sane-data, sane-lib, ... }:
|
{ config, lib, sane-lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (builtins) attrValues head map mapAttrs tail;
|
keysForHost = hostName: let
|
||||||
|
hostCfg = config.sane.hosts.by-name."${hostName}";
|
||||||
|
in {
|
||||||
|
"root@${hostName}" = hostCfg.ssh.host_pubkey;
|
||||||
|
"colin@${hostName}" = lib.mkIf hostCfg.ssh.authorized hostCfg.ssh.user_pubkey;
|
||||||
|
};
|
||||||
|
hostKeys = builtins.map keysForHost (builtins.attrNames config.sane.hosts.by-name);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sane.ssh.pubkeys =
|
sane.ssh.pubkeys = lib.mkMerge (hostKeys ++ [
|
||||||
let
|
{
|
||||||
# path is a DNS-style path like [ "org" "uninsane" "root" ]
|
"root@uninsane.org" = config.sane.hosts.by-name.servo.ssh.host_pubkey;
|
||||||
keyNameForPath = path:
|
"root@git.uninsane.org" = config.sane.hosts.by-name.servo.ssh.host_pubkey;
|
||||||
let
|
|
||||||
rev = lib.reverseList path;
|
|
||||||
name = head rev;
|
|
||||||
host = lib.concatStringsSep "." (tail rev);
|
|
||||||
in
|
|
||||||
"${name}@${host}";
|
|
||||||
|
|
||||||
# [{ path :: [String], value :: String }] for the keys we want to install
|
# documented here: <https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints>
|
||||||
globalKeys = sane-lib.flattenAttrs sane-data.keys;
|
# Github actually uses multiple keys -- one per format
|
||||||
|
"root@github.com" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
|
||||||
keysForHost = hostCfg: sane-lib.mapToAttrs
|
}
|
||||||
(name: {
|
]);
|
||||||
inherit name;
|
|
||||||
value = {
|
|
||||||
root = hostCfg.ssh.host_pubkey;
|
|
||||||
} // (lib.optionalAttrs hostCfg.ssh.authorized {
|
|
||||||
colin = hostCfg.ssh.user_pubkey;
|
|
||||||
});
|
|
||||||
})
|
|
||||||
hostCfg.names
|
|
||||||
;
|
|
||||||
domainKeys = sane-lib.flattenAttrs (
|
|
||||||
sane-lib.joinAttrsets (
|
|
||||||
map keysForHost (builtins.attrValues config.sane.hosts.by-name)
|
|
||||||
)
|
|
||||||
);
|
|
||||||
in lib.mkMerge (map
|
|
||||||
({ path, value }: {
|
|
||||||
"${keyNameForPath path}" = lib.mkIf (value != null) value;
|
|
||||||
})
|
|
||||||
(globalKeys ++ domainKeys)
|
|
||||||
);
|
|
||||||
|
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
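Review bot: The new `keysForHost` drops the null guard that the removed code applied to every installed key (`lib.mkIf (value != null) value`, earlier in this same hunk): `"root@${hostName}" = hostCfg.ssh.host_pubkey;` now forwards whatever the option holds, so a host with no `ssh.host_pubkey` set would be merged into `sane.ssh.pubkeys` as null rather than skipped, if that option is nullable (its type is not visible in the hunk). The same applies to `"colin@${hostName}"`, where `ssh.authorized = true` with no `user_pubkey` would pass null through. I would keep the old behaviour with `"root@${hostName}" = lib.mkIf (hostCfg.ssh.host_pubkey != null) hostCfg.ssh.host_pubkey;` and `"colin@${hostName}" = lib.mkIf (hostCfg.ssh.authorized && hostCfg.ssh.user_pubkey != null) hostCfg.ssh.user_pubkey;`. The GitHub host key literal moved here from modules/data/keys.nix is byte-identical to the deleted one, but a short comment next to it recording when it was last checked against the linked GitHub page would make a future key rotation easier to catch; the `services.openssh` block continues past the end of the hunk.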
@ -8,5 +8,4 @@ moduleArgs:
|
||||||
|
|
||||||
{
|
{
|
||||||
feeds = import ./feeds moduleArgs;
|
feeds = import ./feeds moduleArgs;
|
||||||
keys = import ./keys.nix;
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,15 +0,0 @@
|
||||||
# hierarchical, DNS-like mapping from <name> => ssh host/user for that name.
|
|
||||||
# host keys are represented as user keys, just with the user specified as "root".
|
|
||||||
|
|
||||||
{
|
|
||||||
org.uninsane = rec {
|
|
||||||
root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
|
|
||||||
git.root = root;
|
|
||||||
};
|
|
||||||
|
|
||||||
com.github = {
|
|
||||||
# documented here: <https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints>
|
|
||||||
# Github actually uses multiple keys -- one per format
|
|
||||||
root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
|
|
||||||
};
|
|
||||||
}
|
|