
My NixOS systems configurations.

commit 99db9c884747bb7f00f245b13894741a2b9c67b4
parent 26dac34670227c58068fcf3e3b1ca10bd3156add
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Fri, 19 Nov 2021 23:24:38 +0100

authorizedKeys: refactor it to use hosts.toml…

… idea is to remove machines.nix.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Mops/hosts.toml | 12+++++++++---
Musers/houbeb/default.nix | 12++++++++----
Musers/root/default.nix | 14+++-----------
Musers/vincent/default.nix | 21++++++++++-----------
4 files changed, 30 insertions(+), 29 deletions(-)

diff --git a/ops/hosts.toml b/ops/hosts.toml
@@ -39,7 +39,8 @@ addrs = { v4 = "10.100.0.8" }
 [hosts.kerkouane]
 network = "vpn"
-addrs = { v4 = "167.99.17.238" } # FIXME probably not right
+# addrs = { v4 = "167.99.17.238" } # FIXME probably not right
+ssh = { pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILtEnw+3WMa9ESRyKdBUp/OHd8NPQdHLoqQ58L3YXF1o vincent@kerkouane", gpgRemoteForward = true }
 [hosts.kerkouane.wireguard]
 addrs = { v4 = "10.100.0.1" }
@@ -52,4 +53,9 @@ addrs = { v4 = "192.168.1.130" }
 addrs = { v4 = "192.168.1.131" }
 [hosts.k8sn3]
-addrs = { v4 = "192.168.1.132" }
- \ No newline at end of file
+addrs = { v4 = "192.168.1.132" }
+
+[ssh.keys]
+vincent = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICl4uBPx98p0m1ra4nKxaDvCP8TCou5J10gFUpYAuzp9 u0_a103@localhost", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINsbGtpU/w7Ff3O7hJ1QoO/5CuCrssBXrT+iHev/+rbf Generated By Termius" ]
+houbeb = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUnBCTxRoIDhExcSaiirM5nf2PIcTMDUodYlGNvqfmD Generated By Termius" ]
+root = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCDr3bRw6r43BVOltmTXtDQAtZlJ/viBrCb58fG8suSdO97xLEGukZzf1QX46aXQEsenfKOalcd+OrukcoVIiZtlh1BHAaBB09Q0vKjtB1zKcUdZQYb6kA21/ItpW3gNsZq5M98QpwS9soJOLSccQosDoVBWDcHx72Kpzp2x4seKyAIpb1gtPnQjnnwA7urTcANw7CU8lmB3UtJZNPHclJNKso7h0ZBapausk9t0xGP18rmzQAe2ipa6pwUzS5rRq+j0LiY/JZQaQWBfc1i3IcKictKW5EykKmywJcwmr/PcTdcgTT4FaD+b1t1QAPLV82HxGzOYQO+/WBptBdq7Ss5 openpgp:0x86ADD81F", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJoArpBsTXr3m6q2QnA1vI1DSwmgdU0OAp7DUxcxl9CJfeZIEs/iAerk8jmHgJ2xCEF6SpzI0FWSQIXy8dKpF4wLJ0tCoq5LqQx3jEzy3NUBLfxK+/Baa1te4qG2YImlgnzmEEm5uZlCGZRY2L/U9+4Hwo1AgD69Zzin6QGh2pyTWpmZ/WyhwIfGgqsnlM9XlaVzlMHYfStDi+rUU6XEAfdSqo1SnWKDBHc3mDYGTVhfAlt2LucLKu7oI2MsSlSxva072BExctadtB3TGHbt8gRJZj8CdwgRNhT+hFfbsL6YDvQn6dhTSMuiD8sBEvVble0Nj4p+Q6ROCRIuMuhgh3 cardno:000610153832" ]
+ \ No newline at end of file
diff --git a/users/houbeb/default.nix b/users/houbeb/default.nix
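Review bot: The new `[ssh.keys]` table gives no hint that each list is installed verbatim into that user's `authorized_keys` on every host importing the matching user module, which is what `users/root/default.nix` and `users/vincent/default.nix` do with `metadata.ssh.keys.root` and `.vincent` in this same commit, with no per-key `authorized` gate any more; a comment above the table should say so, since adding a line here now grants login everywhere. Suggested comment: `# Applied unconditionally to <user>'s authorized_keys on every host; the root list is also appended to vincent's keys.` The two `root` entries are RSA keys exported from an OpenPGP card (`openpgp:…`, `cardno:…`) and appear to be 2048-bit from the `AAABAQ` length prefix; committing them is fine since they are public, but because the same list is appended to vincent's account the card holder gets both accounts, which the comment should state if intended. Minor: the file still ends without a trailing newline on both sides of the hunk.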
@@ -1,12 +1,16 @@
-{ pkgs, ... }: {
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) importTOML;
+ metadata = importTOML ../../ops/hosts.toml;
+in
+{
 users.users.houbeb = {
 createHome = true;
 description = "Houbeb Ben Othmene";
 extraGroups = [ "wheel" ];
 isNormalUser = true;
- openssh.authorizedKeys.keys = [
- "…"
- ];
+ openssh.authorizedKeys.keys = metadata.ssh.keys.houbeb;
 };
 home-manager.users.houbeb = {
 home.packages = with pkgs; [ hello ];
diff --git a/users/root/default.nix b/users/root/default.nix
@@ -1,21 +1,13 @@
 { config, lib, pkgs, ... }:
 let
- inherit (lib) lists attrsets mkIf optionals versionOlder;
- secretPath = ../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
-
- isAuthorized = p: builtins.isAttrs p && p.authorized or false;
- authorizedKeys = lists.optionals secretCondition (
- attrsets.mapAttrsToList
- (name: value: value.key)
- (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
- );
+ inherit (lib) lists attrsets mkIf optionals versionOlder importTOML;
+ metadata = importTOML ../../ops/hosts.toml;
 in
 {
 users.users.root = {
 shell = mkIf config.programs.zsh.enable pkgs.zsh;
- openssh.authorizedKeys.keys = authorizedKeys;
+ openssh.authorizedKeys.keys = metadata.ssh.keys.root;
 };
 home-manager.users.root = lib.mkMerge (
 [
diff --git a/users/vincent/default.nix b/users/vincent/default.nix
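Review bot: The new `openssh.authorizedKeys.keys = metadata.ssh.keys.houbeb;` line sources the keys of a `wheel` user from the tracked `ops/hosts.toml` and applies them on every host that imports this module, and nothing in the file records that; a comment next to the assignment should, e.g. `# Public keys come from ops/hosts.toml (tracked in git) and are installed on every host importing this module.` The strict attribute access is the right shape: a missing `houbeb` entry fails evaluation instead of silently building an account without keys, so do not soften it with an `or [ ]` default. `config` is added to the module arguments but is not used anywhere in the visible hunk; if the rest of the file does not need it, drop it to keep the signature honest. The module body continues outside the hunk.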
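Review bot: Root's authorized keys are now unconditional: the removed code yielded an empty list whenever `secrets/machines.nix` was absent (`lists.optionals secretCondition`) and honoured a per-key `authorized` flag, whereas `metadata.ssh.keys.root` is installed on every host importing this module, including hosts that never had the secrets file. If some hosts (the `k8sn*` entries in hosts.toml, for instance) should not accept root key login, that gate needs to come back, preferably as a per-host option rather than the presence of a file. Whether the keys are usable also depends on sshd's `permitRootLogin`, which this hunk does not show; a comment should tie the two together: `# Root keys from ops/hosts.toml are installed on every host; sshd's permitRootLogin decides whether they are usable.` `lists` and `optionals` are still inherited although the visible hunk no longer uses them; the let block and module body continue outside the hunk, so they may be needed further down.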
@@ -1,15 +1,12 @@
 { config, lib, pkgs, ... }:
-with lib;
-let
- secretPath = ../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
- isAuthorized = p: builtins.isAttrs p && p.authorized or false;
- authorizedKeys = lists.optionals secretCondition (
- attrsets.mapAttrsToList
- (name: value: value.key)
- (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
- );
+let
+ inherit (lib) importTOML attrsets hasAttr optionals versionAtLeast mkIf;
+ metadata = importTOML ../../ops/hosts.toml;
+ hasSSHAttr = name: value: hasAttr "ssh" value;
+ authorizedKeys = attrsets.mapAttrsToList
+ (name: value: value.ssh.pubkey)
+ (attrsets.filterAttrs hasSSHAttr metadata.hosts);
 hasConfigVirtualizationContainers = builtins.hasAttr "containers" config.virtualisation;
 isContainersEnabled = if hasConfigVirtualizationContainers then config.virtualisation.containers.enable else false;
@@ -35,7 +32,9 @@ in
 ++ optionals config.services.nginx.enable [ "nginx" ];
 shell = mkIf config.programs.zsh.enable pkgs.zsh;
 isNormalUser = true;
- openssh.authorizedKeys.keys = authorizedKeys;
+ openssh.authorizedKeys.keys = authorizedKeys
+ ++ metadata.ssh.keys.vincent
+ ++ metadata.ssh.keys.root;
 initialPassword = "changeMe";
 subUidRanges = [{ startUid = 100000; count = 65536; }];
 subGidRanges = [{ startGid = 100000; count = 65536; }];
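Review bot: `hasSSHAttr` admits every host in `metadata.hosts` that merely has an `ssh` attribute, so each host's own key (kerkouane's, added in this commit) lands in vincent's `authorized_keys` on every other host, whereas the removed code required an explicit `authorized` flag per key. That turns a compromise of any one host's key into vincent-level access on all of them; keep an explicit opt-in, e.g. `hasSSHAttr = name: value: (value.ssh or { }) ? pubkey && (value.ssh.authorized or false);` and set `authorized = true` on the hosts that should have it. The `or { }` also avoids an evaluation error for a host whose `ssh` table has no `pubkey`. The let block continues outside the hunk.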
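Review bot: The new assignment appends `metadata.ssh.keys.root` to vincent's keys, so every root key (the OpenPGP-card RSA keys in hosts.toml) can also log in as vincent; if that is the intent it deserves a comment, otherwise the third list should go. A key present in more than one list is written twice to `authorized_keys`; wrapping the concatenation keeps it tidy: `openssh.authorizedKeys.keys = lib.unique (authorizedKeys ++ metadata.ssh.keys.vincent ++ metadata.ssh.keys.root);`. Unchanged context, but next to it: `initialPassword = "changeMe"` stays on this account, so key-only access relies on sshd rejecting password logins, which nothing in this hunk shows. The enclosing attribute set continues past the hunk.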