commit 73bcdbdbd01b5f2f06f0a4fb37ddabc828bd648c
parent eacab2d0e7c51fb2c0b0f04c57084cb0453cfc08
Author: Vincent Demeester <vincent@sbr.pm>
Date: Mon, 1 Jun 2020 18:50:25 +0200
systems/hokkaido: better secret management
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
4 files changed, 34 insertions(+), 21 deletions(-)
diff --git a/modules/profiles/home.nixos.nix b/modules/profiles/home.nixos.nix
@@ -3,6 +3,9 @@
with lib;
let
cfg = config.profiles.home;
+ secretPath = ../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+ machines = lib.optionalAttrs secretCondition (import secretPath);
in
{
options = {
@@ -13,26 +16,26 @@ in
networking.domain = "home";
time.timeZone = "Europe/Paris";
# To mimic autofs on fedora
- fileSystems = with import ../../assets/machines.nix; {
+ fileSystems = mkIf secretCondition {
"/net/synodine.home/" = {
- device = "${home.ips.synodine}:/";
+ device = "${machines.home.ips.synodine}:/";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" ];
};
# FIXME(vdemeester): I think it acts like this because there is only one export
"/net/sakhalin.home/export/" = {
- device = "${home.ips.sakhalin}:/";
+ device = "${machines.home.ips.sakhalin}:/";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" ];
};
# Deprecated
"/mnt/synodine" = {
- device = "${home.ips.synodine}:/";
+ device = "${machines.home.ips.synodine}:/";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" ];
};
"/mnt/sakhalin" = {
- device = "${home.ips.sakhalin}:/";
+ device = "${machines.home.ips.sakhalin}:/";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" ];
};
diff --git a/modules/profiles/users.nixos.nix b/modules/profiles/users.nixos.nix
@@ -3,6 +3,16 @@
with lib;
let
cfg = config.profiles.users;
+ secretPath = ../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+ machines = optionalAttrs secretCondition (import secretPath);
+
+ isAuthorized = p: builtins.isAttrs p && p.authorize or false;
+ authorizedKeys = lists.optional secretCondition (
+ attrsets.mapAttrsToList
+ (name: value: value.key)
+ (attrsets.filterAttrs (name: value: isAuthorized value) machines.ssh)
+ );
in
{
options = {
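Review bot: `lists.optional secretCondition (mapAttrsToList ...)` wraps its argument in a list, so `authorizedKeys` evaluates to a list containing one list of keys rather than a flat list of strings; `openssh.authorizedKeys.keys` (assigned later in this file and in users/vincent/default.nix) expects the flat form, so this should be `authorizedKeys = lists.optionals secretCondition (`. The same line appears in the `let` block of users/vincent/default.nix in this commit and needs the same change. The `isAuthorized` predicate parses as `builtins.isAttrs p && (p.authorize or false)` as intended, though a short comment such as `# only entries explicitly marked authorize = true contribute a key` would make the opt-in nature clear.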
@@ -17,12 +27,6 @@ in
description = "Username to use when creating user";
type = types.str;
};
- # add more options (like openssh keys and config)
- withMachines = mkOption {
- default = true;
- description = "Load machines.nix";
- type = types.bool;
- };
};
};
config = mkIf cfg.enable (mkMerge [
@@ -41,17 +45,14 @@ in
initialPassword = "changeMe";
subUidRanges = [{ startUid = 100000; count = 65536; }];
subGidRanges = [{ startGid = 100000; count = 65536; }];
+ openssh.authorizedKeys.keys = authorizedKeys;
};
};
};
}
(
- mkIf cfg.withMachines {
- users.extraUsers."${cfg.user}" = {
- openssh.authorizedKeys.keys =
- with import ../../assets/machines.nix; [ ssh.yubikey.key ssh.yubikey5.key ssh.wakasu.key ssh.vincent.key ssh.houbeb.key ssh.hokkaido.key ssh.okinawa.key ];
- };
- programs.ssh.extraConfig = with import ../../assets/machines.nix; ''
+ mkIf secretCondition {
+ programs.ssh.extraConfig = with import ../../secrets/machines.nix; ''
Host kerkouane kerkouane.sbr.pm
Hostname kerkouane.sbr.pm
Port ${toString ssh.kerkouane.port}
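Review bot: `with import ../../secrets/machines.nix;` re-imports the same path that `secretPath`/`machines` already bind at the top of this file, duplicating the location in two places; `programs.ssh.extraConfig = with machines; ''` keeps a single source of truth and is safe here because the expression is already inside `mkIf secretCondition`. The `extraConfig` string and the enclosing `mkMerge` list continue past the end of this hunk.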
diff --git a/systems/hokkaido.nix b/systems/hokkaido.nix
@@ -32,14 +32,12 @@ in
};
profiles = {
- home = enableHome;
laptop.enable = true;
avahi.enable = true;
git.enable = true;
ssh.enable = true;
dev.enable = true;
users.enable = false;
- users.withMachines = enableHome;
mail.enable = enableHome;
yubikey.enable = true;
};
diff --git a/users/vincent/default.nix b/users/vincent/default.nix
@@ -1,5 +1,17 @@
{ config, lib, pkgs, ... }:
with lib;
+let
+ secretPath = ../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+ machines = optionalAttrs secretCondition (import secretPath);
+
+ isAuthorized = p: builtins.isAttrs p && p.authorize or false;
+ authorizedKeys = lists.optional secretCondition (
+ attrsets.mapAttrsToList
+ (name: value: value.key)
+ (attrsets.filterAttrs (name: value: isAuthorized value) machines.ssh)
+ );
+in
{
users.users.vincent = {
createHome = true;
@@ -13,8 +25,7 @@ with lib;
++ optionals config.profiles.virtualization.enable [ "libvirtd" ];
shell = mkIf config.programs.zsh.enable pkgs.zsh;
isNormalUser = true;
- # FIXME handle this too
- openssh.authorizedKeys.keys = [ ];
+ openssh.authorizedKeys.keys = authorizedKeys;
# FIXME change this ?
initialPassword = "changeMe";
# FIXME This might be handled differently by programs.podman, …