commit 99db9c884747bb7f00f245b13894741a2b9c67b4
parent 26dac34670227c58068fcf3e3b1ca10bd3156add
Author: Vincent Demeester <vincent@sbr.pm>
Date: Fri, 19 Nov 2021 23:24:38 +0100
authorizedKeys: refactor it to use hosts.toml…
… idea is to remove machines.nix.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
4 files changed, 30 insertions(+), 29 deletions(-)
diff --git a/ops/hosts.toml b/ops/hosts.toml
@@ -39,7 +39,8 @@ addrs = { v4 = "10.100.0.8" }
[hosts.kerkouane]
network = "vpn"
-addrs = { v4 = "167.99.17.238" } # FIXME probably not right
+# addrs = { v4 = "167.99.17.238" } # FIXME probably not right
+ssh = { pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILtEnw+3WMa9ESRyKdBUp/OHd8NPQdHLoqQ58L3YXF1o vincent@kerkouane", gpgRemoteForward = true }
[hosts.kerkouane.wireguard]
addrs = { v4 = "10.100.0.1" }
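Review bot: The new inline table on the `ssh =` line pairs a public key with a `gpgRemoteForward = true` flag, but nothing in hosts.toml says what consumes that flag or what it enables, so a reader cannot tell whether removing it would break a host's GPG agent forwarding or silently widen it. A one-line comment above it, such as `# ssh.pubkey: this host's SSH identity (authorized on other hosts); gpgRemoteForward: consumed by the SSH/GPG agent config` (adjusted to what the consumer actually does), would make the table self-describing. The commented-out `addrs` line keeps its FIXME, so the open question about kerkouane's public address is now easy to overlook; either resolve it or move the FIXME to a dedicated comment line.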
@@ -52,4 +53,9 @@ addrs = { v4 = "192.168.1.130" }
addrs = { v4 = "192.168.1.131" }
[hosts.k8sn3]
-addrs = { v4 = "192.168.1.132" }-
\ No newline at end of file
+addrs = { v4 = "192.168.1.132" }
+
+[ssh.keys]
+vincent = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICl4uBPx98p0m1ra4nKxaDvCP8TCou5J10gFUpYAuzp9 u0_a103@localhost", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINsbGtpU/w7Ff3O7hJ1QoO/5CuCrssBXrT+iHev/+rbf Generated By Termius" ]
+houbeb = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUnBCTxRoIDhExcSaiirM5nf2PIcTMDUodYlGNvqfmD Generated By Termius" ]
+root = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCDr3bRw6r43BVOltmTXtDQAtZlJ/viBrCb58fG8suSdO97xLEGukZzf1QX46aXQEsenfKOalcd+OrukcoVIiZtlh1BHAaBB09Q0vKjtB1zKcUdZQYb6kA21/ItpW3gNsZq5M98QpwS9soJOLSccQosDoVBWDcHx72Kpzp2x4seKyAIpb1gtPnQjnnwA7urTcANw7CU8lmB3UtJZNPHclJNKso7h0ZBapausk9t0xGP18rmzQAe2ipa6pwUzS5rRq+j0LiY/JZQaQWBfc1i3IcKictKW5EykKmywJcwmr/PcTdcgTT4FaD+b1t1QAPLV82HxGzOYQO+/WBptBdq7Ss5 openpgp:0x86ADD81F", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJoArpBsTXr3m6q2QnA1vI1DSwmgdU0OAp7DUxcxl9CJfeZIEs/iAerk8jmHgJ2xCEF6SpzI0FWSQIXy8dKpF4wLJ0tCoq5LqQx3jEzy3NUBLfxK+/Baa1te4qG2YImlgnzmEEm5uZlCGZRY2L/U9+4Hwo1AgD69Zzin6QGh2pyTWpmZ/WyhwIfGgqsnlM9XlaVzlMHYfStDi+rUU6XEAfdSqo1SnWKDBHc3mDYGTVhfAlt2LucLKu7oI2MsSlSxva072BExctadtB3TGHbt8gRJZj8CdwgRNhT+hFfbsL6YDvQn6dhTSMuiD8sBEvVble0Nj4p+Q6ROCRIuMuhgh3 cardno:000610153832" ]+
\ No newline at end of file
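Review bot: The `[ssh.keys]` table carries three key lists whose only provenance is the key comment (`u0_a103@localhost`, `Generated By Termius`, `cardno:000610153832`), which is not enough to know which device to revoke when one is lost. A TOML comment per entry naming the device and the date it was added, e.g. `# vincent: phone (Termius), added 2021-11`, would keep revocation auditable now that the per-key `authorized` flag from the old machines.nix scheme is gone. The file also still ends without a trailing newline (the `\ No newline at end of file` marker on both sides), which is worth fixing while touching it.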
diff --git a/users/houbeb/default.nix b/users/houbeb/default.nix
@@ -1,12 +1,16 @@
-{ pkgs, ... }: {
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) importTOML;
+ metadata = importTOML ../../ops/hosts.toml;
+in
+{
users.users.houbeb = {
createHome = true;
description = "Houbeb Ben Othmene";
extraGroups = [ "wheel" ];
isNormalUser = true;
- openssh.authorizedKeys.keys = [
- "…"
- ];
+ openssh.authorizedKeys.keys = metadata.ssh.keys.houbeb;
};
home-manager.users.houbeb = {
home.packages = with pkgs; [ hello ];
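Review bot: The new module header binds `config` alongside `lib` and `pkgs`, but nothing in the hunk reads `config`; if the rest of the file (outside the hunk) does not use it either, `{ lib, pkgs, ... }:` is the accurate signature. The attribute set that starts at `{` continues past the end of the hunk. A short comment above `metadata = importTOML ../../ops/hosts.toml;`, such as `# authorized keys are sourced from the shared hosts inventory`, would tell a reader where to add or revoke a key for this user.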
diff --git a/users/root/default.nix b/users/root/default.nix
@@ -1,21 +1,13 @@
{ config, lib, pkgs, ... }:
let
- inherit (lib) lists attrsets mkIf optionals versionOlder;
- secretPath = ../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
-
- isAuthorized = p: builtins.isAttrs p && p.authorized or false;
- authorizedKeys = lists.optionals secretCondition (
- attrsets.mapAttrsToList
- (name: value: value.key)
- (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
- );
+ inherit (lib) lists attrsets mkIf optionals versionOlder importTOML;
+ metadata = importTOML ../../ops/hosts.toml;
in
{
users.users.root = {
shell = mkIf config.programs.zsh.enable pkgs.zsh;
- openssh.authorizedKeys.keys = authorizedKeys;
+ openssh.authorizedKeys.keys = metadata.ssh.keys.root;
};
home-manager.users.root = lib.mkMerge (
[
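Review bot: The removed `lists.optionals secretCondition (...)` meant root got no authorized keys on a host where `secrets/machines.nix` was absent, whereas `openssh.authorizedKeys.keys = metadata.ssh.keys.root;` now installs the root key list on every host that imports this module; if that widening is intended it deserves a comment, e.g. `# root keys come from ops/hosts.toml on every host; remove an entry there to revoke it`. The `inherit` line still pulls in `lists`, `attrsets` and `optionals` although their only user in the hunk was the deleted block, so check whether the rest of the file (outside the hunk) still needs them. The attribute set after `in` continues beyond the hunk.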
diff --git a/users/vincent/default.nix b/users/vincent/default.nix
@@ -1,15 +1,12 @@
{ config, lib, pkgs, ... }:
-with lib;
-let
- secretPath = ../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
- isAuthorized = p: builtins.isAttrs p && p.authorized or false;
- authorizedKeys = lists.optionals secretCondition (
- attrsets.mapAttrsToList
- (name: value: value.key)
- (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
- );
+let
+ inherit (lib) importTOML attrsets hasAttr optionals versionAtLeast mkIf;
+ metadata = importTOML ../../ops/hosts.toml;
+ hasSSHAttr = name: value: hasAttr "ssh" value;
+ authorizedKeys = attrsets.mapAttrsToList
+ (name: value: value.ssh.pubkey)
+ (attrsets.filterAttrs hasSSHAttr metadata.hosts);
hasConfigVirtualizationContainers = builtins.hasAttr "containers" config.virtualisation;
isContainersEnabled = if hasConfigVirtualizationContainers then config.virtualisation.containers.enable else false;
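Review bot: `hasSSHAttr` only checks for an `ssh` table, so a host entry that gains `ssh = { gpgRemoteForward = true }` without a `pubkey` makes `value.ssh.pubkey` fail evaluation for the whole module; tightening it to `hasSSHAttr = name: value: value ? ssh && value.ssh ? pubkey;` keeps the mapping total. The mapping also authorizes every host's `ssh.pubkey` for user vincent on every host, where the old code authorized only entries flagged `authorized` in machines.nix, so a single host's key now reaches all others; a per-host flag in hosts.toml (filtered here) would preserve the previous opt-in. The `let` block that this hunk rewrites ends outside the hunk.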
@@ -35,7 +32,9 @@ in
++ optionals config.services.nginx.enable [ "nginx" ];
shell = mkIf config.programs.zsh.enable pkgs.zsh;
isNormalUser = true;
- openssh.authorizedKeys.keys = authorizedKeys;
+ openssh.authorizedKeys.keys = authorizedKeys
+ ++ metadata.ssh.keys.vincent
+ ++ metadata.ssh.keys.root;
initialPassword = "changeMe";
subUidRanges = [{ startUid = 100000; count = 65536; }];
subGidRanges = [{ startGid = 100000; count = 65536; }];
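Review bot: The appended `++ metadata.ssh.keys.root` lets the root-user key list from hosts.toml log in as vincent as well, which the commit message does not mention and which the root module does not reciprocate. If that is intended, a comment such as `# root's keys (hardware-token RSA) may also log in as vincent` records it; otherwise drop that line. Note that the resulting list is a plain concatenation, so a key that appears both as a host `ssh.pubkey` and in `[ssh.keys]` would be written to authorized_keys twice, which is harmless but noisy.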