
commit 73bcdbdbd01b5f2f06f0a4fb37ddabc828bd648c
parent eacab2d0e7c51fb2c0b0f04c57084cb0453cfc08
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Mon,  1 Jun 2020 18:50:25 +0200

systems/hokkaido: better secret management

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Mmodules/profiles/home.nixos.nix | 13++++++++-----
Mmodules/profiles/users.nixos.nix | 25+++++++++++++------------
Msystems/hokkaido.nix | 2--
Musers/vincent/default.nix | 15+++++++++++++--
4 files changed, 34 insertions(+), 21 deletions(-)

diff --git a/modules/profiles/home.nixos.nix b/modules/profiles/home.nixos.nix
@@ -3,6 +3,9 @@
 with lib;
 let
 cfg = config.profiles.home;
+ secretPath = ../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+ machines = lib.optionalAttrs secretCondition (import secretPath);
 in
 {
 options = {
@@ -13,26 +16,26 @@ in
 networking.domain = "home";
 time.timeZone = "Europe/Paris";
 # To mimic autofs on fedora
- fileSystems = with import ../../assets/machines.nix; {
+ fileSystems = mkIf secretCondition {
 "/net/synodine.home/" = {
- device = "${home.ips.synodine}:/";
+ device = "${machines.home.ips.synodine}:/";
 fsType = "nfs";
 options = [ "x-systemd.automount" "noauto" ];
 };
 # FIXME(vdemeester): I think it acts like this because there is only one export
 "/net/sakhalin.home/export/" = {
- device = "${home.ips.sakhalin}:/";
+ device = "${machines.home.ips.sakhalin}:/";
 fsType = "nfs";
 options = [ "x-systemd.automount" "noauto" ];
 };
 # Deprecated
 "/mnt/synodine" = {
- device = "${home.ips.synodine}:/";
+ device = "${machines.home.ips.synodine}:/";
 fsType = "nfs";
 options = [ "x-systemd.automount" "noauto" ];
 };
 "/mnt/sakhalin" = {
- device = "${home.ips.sakhalin}:/";
+ device = "${machines.home.ips.sakhalin}:/";
 fsType = "nfs";
 options = [ "x-systemd.automount" "noauto" ];
 };
diff --git a/modules/profiles/users.nixos.nix b/modules/profiles/users.nixos.nix
@@ -3,6 +3,16 @@
 with lib;
 let
 cfg = config.profiles.users;
+ secretPath = ../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+ machines = optionalAttrs secretCondition (import secretPath);
+
+ isAuthorized = p: builtins.isAttrs p && p.authorize or false;
+ authorizedKeys = lists.optional secretCondition (
+ attrsets.mapAttrsToList
+ (name: value: value.key)
+ (attrsets.filterAttrs (name: value: isAuthorized value) machines.ssh)
+ );
 in
 {
 options = {
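Review bot: `machines = lib.optionalAttrs secretCondition (import secretPath);` reads the file at evaluation time, so every value taken from it is baked into the system closure under `/nix/store`, which is world-readable on the host and in any binary cache the closure is pushed to; the `secrets/` directory name should not be read as confidentiality. That is fine for what this module consumes (NFS server addresses), but the binding deserves a comment making the boundary explicit: `# Evaluated at build time: anything read here lands in the Nix store, so keep only non-confidential data (addresses, public keys, ports) in secrets/machines.nix.` Material that must stay private has to be read at activation or runtime rather than through `import`.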
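Review bot: `fileSystems = mkIf secretCondition { … }` makes all four NFS mounts disappear silently when `secrets/machines.nix` is absent, so a host built from a checkout without that file loses its automounts with no diagnostic at all. Emitting a warning when the condition is false keeps the degraded build visible, e.g. `fileSystems = if secretCondition then { … } else lib.warn "secrets/machines.nix not found, NFS mounts skipped" { };`, or an entry in `assertions` if the mounts are mandatory for this profile. The enclosing `config = mkIf cfg.enable { … }` attribute set opens and closes outside this hunk.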
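Review bot: `authorizedKeys = lists.optional secretCondition ( attrsets.mapAttrsToList … )` wraps the result in an extra list: `lib.optional cond x` returns `[ x ]`, so when the secrets file exists this evaluates to `[ [ key1 key2 … ] ]`, and `openssh.authorizedKeys.keys`, a `listOf str`, will reject the nested list at evaluation. The intended helper is the plural form, `authorizedKeys = lists.optionals secretCondition (`, which returns the inner list unchanged. The identical `let` block in `users/vincent/default.nix` (first hunk of that file) has the same defect; since it is copied verbatim into two modules, moving it to a shared file would avoid fixing it twice. The `or false` default on `authorize` is the right direction (deny unless explicitly flagged), and is worth a one-line comment so nobody "simplifies" it later.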
@@ -17,12 +27,6 @@ in
 description = "Username to use when creating user";
 type = types.str;
 };
- # add more options (like openssh keys and config)
- withMachines = mkOption {
- default = true;
- description = "Load machines.nix";
- type = types.bool;
- };
 };
 };
 config = mkIf cfg.enable (mkMerge [
@@ -41,17 +45,14 @@ in
 initialPassword = "changeMe";
 subUidRanges = [{ startUid = 100000; count = 65536; }];
 subGidRanges = [{ startGid = 100000; count = 65536; }];
+ openssh.authorizedKeys.keys = authorizedKeys;
 };
 };
 };
 }
 (
- mkIf cfg.withMachines {
- users.extraUsers."${cfg.user}" = {
- openssh.authorizedKeys.keys =
- with import ../../assets/machines.nix; [ ssh.yubikey.key ssh.yubikey5.key ssh.wakasu.key ssh.vincent.key ssh.houbeb.key ssh.hokkaido.key ssh.okinawa.key ];
- };
- programs.ssh.extraConfig = with import ../../assets/machines.nix; ''
+ mkIf secretCondition {
+ programs.ssh.extraConfig = with import ../../secrets/machines.nix; ''
 Host kerkouane kerkouane.sbr.pm
 Hostname kerkouane.sbr.pm
 Port ${toString ssh.kerkouane.port}
diff --git a/systems/hokkaido.nix b/systems/hokkaido.nix
@@ -32,14 +32,12 @@ in
 };
 profiles = {
- home = enableHome;
 laptop.enable = true;
 avahi.enable = true;
 git.enable = true;
 ssh.enable = true;
 dev.enable = true;
 users.enable = false;
- users.withMachines = enableHome;
 mail.enable = enableHome;
 yubikey.enable = true;
 };
diff --git a/users/vincent/default.nix b/users/vincent/default.nix
@@ -1,5 +1,17 @@
 { config, lib, pkgs, ... }:
 with lib;
+let
+ secretPath = ../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+ machines = optionalAttrs secretCondition (import secretPath);
+
+ isAuthorized = p: builtins.isAttrs p && p.authorize or false;
+ authorizedKeys = lists.optional secretCondition (
+ attrsets.mapAttrsToList
+ (name: value: value.key)
+ (attrsets.filterAttrs (name: value: isAuthorized value) machines.ssh)
+ );
+in
 {
 users.users.vincent = {
 createHome = true;
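Review bot: `programs.ssh.extraConfig = with import ../../secrets/machines.nix; ''` re-imports the secrets file by path even though the same file is already bound as `machines` in this module's `let` block; `programs.ssh.extraConfig = with machines; ''` keeps one source of truth and ties the `mkIf secretCondition` guard and the data it guards to the same `secretPath`. A second path literal is also one more place to update if the file moves again. The `mkMerge` list this element belongs to opens outside the hunk, and the extraConfig string continues past its last line.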
@@ -13,8 +25,7 @@ with lib;
 ++ optionals config.profiles.virtualization.enable [ "libvirtd" ];
 shell = mkIf config.programs.zsh.enable pkgs.zsh;
 isNormalUser = true;
- # FIXME handle this too
- openssh.authorizedKeys.keys = [ ];
+ openssh.authorizedKeys.keys = authorizedKeys;
 # FIXME change this ?
 initialPassword = "changeMe";
 # FIXME This might be handled differently by programs.podman, …
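Review bot: `openssh.authorizedKeys.keys = authorizedKeys;` legitimately evaluates to an empty list whenever `secrets/machines.nix` is absent, and nothing checks for that case, so on such a build the `initialPassword = "changeMe"` two lines below becomes the account's only credential. If key-based login is required for this user, an `assertions` entry on `secretCondition` (or on `authorizedKeys != [ ]`) would fail the build instead of producing a host that silently relies on the placeholder password; if the key-less build is intentional, a comment saying so would stop the next reader from re-adding the removed FIXME. `authorizedKeys` is defined in this file's first hunk, and the `users.users.vincent` set closes outside this one.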