From 1f0bbc9daf8dd0333a6f3bcf6d843ad7fcb1e63d Mon Sep 17 00:00:00 2001
From: unexplrd
Date: Sun, 6 Apr 2025 13:38:15 +0300
Subject: [PATCH] sync sops and users

Signed-off-by: unexplrd
---
 hosts/dunamis/sops.nix | 50 +++++++++++++++++++--------------------
 hosts/eldrid/sops.nix  | 53 +++++++++++++++++++++---------------------
 hosts/eldrid/users.nix | 21 +++++++----------
 hosts/sarien/sops.nix  |  6 +----
 4 files changed, 60 insertions(+), 70 deletions(-)

diff --git a/hosts/dunamis/sops.nix b/hosts/dunamis/sops.nix
index ace120f..71933be 100644
--- a/hosts/dunamis/sops.nix
+++ b/hosts/dunamis/sops.nix
@@ -3,9 +3,15 @@
   inputs,
   ...
 }: let
-  s = inputs.mysecrets;
-  hostname = config.networking.hostName;
-  sopsFile = "${s}/hosts/${hostname}.yaml";
+  inherit (inputs) mysecrets;
+  # TODO: stop relying on networking.hostName
+  inherit (config.networking) hostName;
+  sopsFile = mysecrets + "/hosts/${hostName}.yaml";
+  dotSsh = name: "/home/user/.ssh/" + name;
+  sshKey = {
+    mode = "0400";
+    owner = "user";
+  };
 in {
   imports = with inputs; [
     sops-nix.nixosModules.sops
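Review bot: The new `inherit (config.networking) hostName;` still does exactly what the TODO placed directly above it says to stop doing, and the comment gives no reason, so a reader cannot tell whether this is a blocker or a nice-to-have; the sarien hunk in this same patch already resolves it with a literal (`hostname = "sarien";`) and drops the now-unused `config` argument. Doing the same here, `hostName = "dunamis";`, would bring the three sops.nix files into line with the commit's "sync" intent (note sarien also keeps the lowercase `hostname` spelling while this file switches to `hostName`); the identical first hunk in hosts/eldrid/sops.nix has the same issue. Separately, `dotSsh` hard-codes `/home/user/.ssh/`, so if the account's home directory ever changes in users.nix the decrypted key paths silently stop matching what ssh looks for; `config.users.users.user.home` would be the safer base, though whether referencing it from `sops.secrets` evaluates without recursion is not checkable from this patch. The module's argument list begins above the hunk.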
@@ -17,45 +23,39 @@ in {
       keyFile = "/var/lib/sops-nix/key.txt";
       generateKey = true;
     };
-    defaultSopsFile = "${s}/common.yaml";
+    defaultSopsFile = mysecrets + "/common.yaml";
     secrets = {
       "user-password-hashed".neededForUsers = true;
       "ssh-config" = {
-        path = "/home/user/.ssh/config";
+        path = dotSsh "config";
         mode = "0400";
         owner = "user";
       };
-      "ssh-${hostname}-user" = {
+      "ssh-${hostName}-user" = {
         inherit sopsFile;
-        path = "/home/user/.ssh/id_ed25519";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_ed25519";
       };
-      "ssh-${hostname}-user.pub" = {
+      "ssh-${hostName}-user.pub" = {
         inherit sopsFile;
-        path = "/home/user/.ssh/id_ed25519.pub";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_ed25519.pub";
       };
       "ssh-unexplrd" = {
-        path = "/home/user/.ssh/id_unexplrd_ed25519";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_unexplrd_ed25519";
       };
       "ssh-unexplrd.pub" = {
-        path = "/home/user/.ssh/id_unexplrd_ed25519.pub";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_unexplrd_ed25519.pub";
       };
       "ssh-uni" = {
-        path = "/home/user/.ssh/id_uni_ed25519";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_uni_ed25519";
       };
       "ssh-uni.pub" = {
-        path = "/home/user/.ssh/id_uni_ed25519.pub";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_uni_ed25519.pub";
       };
     };
   };
diff --git a/hosts/eldrid/sops.nix b/hosts/eldrid/sops.nix
index ace120f..19188e1 100644
--- a/hosts/eldrid/sops.nix
+++ b/hosts/eldrid/sops.nix
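Review bot: The `"ssh-config"` entry still spells out `mode = "0400"; owner = "user";` as context lines while every other entry in this hunk, and the same entry in the second eldrid hunk of this patch, uses the new `sshKey` shorthand, so the dunamis and eldrid files are not actually identical after a commit titled "sync". Replacing the three lines with `inherit (sshKey) mode owner;` and `path = dotSsh "config";` removes the last hand-written copy of the permission pair; if the ssh config file is meant to have a different mode from the keys, that intent should be stated in a comment rather than left as an accidental-looking divergence. The `sops` attribute set this hunk edits is opened above the hunk.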
@@ -3,9 +3,15 @@
   inputs,
   ...
 }: let
-  s = inputs.mysecrets;
-  hostname = config.networking.hostName;
-  sopsFile = "${s}/hosts/${hostname}.yaml";
+  inherit (inputs) mysecrets;
+  # TODO: stop relying on networking.hostName
+  inherit (config.networking) hostName;
+  sopsFile = mysecrets + "/hosts/${hostName}.yaml";
+  dotSsh = name: "/home/user/.ssh/" + name;
+  sshKey = {
+    mode = "0400";
+    owner = "user";
+  };
 in {
   imports = with inputs; [
     sops-nix.nixosModules.sops
@@ -17,45 +23,38 @@ in {
       keyFile = "/var/lib/sops-nix/key.txt";
       generateKey = true;
     };
-    defaultSopsFile = "${s}/common.yaml";
+    defaultSopsFile = mysecrets + "/common.yaml";
     secrets = {
       "user-password-hashed".neededForUsers = true;
       "ssh-config" = {
-        path = "/home/user/.ssh/config";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "config";
       };
-      "ssh-${hostname}-user" = {
+      "ssh-${hostName}-user" = {
         inherit sopsFile;
-        path = "/home/user/.ssh/id_ed25519";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_ed25519";
       };
-      "ssh-${hostname}-user.pub" = {
+      "ssh-${hostName}-user.pub" = {
         inherit sopsFile;
-        path = "/home/user/.ssh/id_ed25519.pub";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_ed25519.pub";
       };
       "ssh-unexplrd" = {
-        path = "/home/user/.ssh/id_unexplrd_ed25519";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_unexplrd_ed25519";
       };
       "ssh-unexplrd.pub" = {
-        path = "/home/user/.ssh/id_unexplrd_ed25519.pub";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_unexplrd_ed25519.pub";
       };
       "ssh-uni" = {
-        path = "/home/user/.ssh/id_uni_ed25519";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_uni_ed25519";
       };
       "ssh-uni.pub" = {
-        path = "/home/user/.ssh/id_uni_ed25519.pub";
-        mode = "0400";
-        owner = "user";
+        inherit (sshKey) mode owner;
+        path = dotSsh "id_uni_ed25519.pub";
       };
     };
   };
diff --git a/hosts/eldrid/users.nix b/hosts/eldrid/users.nix
index 5d91211..5c7d11c 100644
--- a/hosts/eldrid/users.nix
+++ b/hosts/eldrid/users.nix
@@ -4,27 +4,22 @@
   pkgs,
   ...
 }: let
-  sopSec = config.sops.secrets;
-  secrets = inputs.mysecrets;
+  inherit (config.sops) secrets;
+  inherit (inputs) mysecrets;
 in {
   nix.settings.trusted-users = ["user"];
   users.mutableUsers = false;
   users.users = {
     user = {
-      hashedPasswordFile = sopSec."user-password-hashed".path;
-      # passwordFile = config.sops.secrets.user-password.path;
-      isNormalUser = true;
+      hashedPasswordFile = secrets."user-password-hashed".path;
       extraGroups = ["wheel" "video" "libvirtd" "dialout"];
+      isNormalUser = true;
       shell = pkgs.fish;
-      openssh.authorizedKeys.keyFiles = [
-        "${secrets}/ssh/id_ed25519_sarien_user.pub"
-        "${secrets}/ssh/id_ed25519_eldrid_user.pub"
+      openssh.authorizedKeys.keyFiles = map (f: "${mysecrets}/ssh/user/${f}") [
+        "id_dunamis_ed25519.pub"
+        "id_eldrid_ed25519.pub"
+        "id_sarien_ed25519.pub"
       ];
     };
-    # work = {
-    #   isNormalUser = true;
-    #   extraGroups = ["video"];
-    #   shell = pkgs.nushell;
-    # };
   };
 }
diff --git a/hosts/sarien/sops.nix b/hosts/sarien/sops.nix
index 37d946f..b72931d 100644
--- a/hosts/sarien/sops.nix
+++ b/hosts/sarien/sops.nix
@@ -1,8 +1,4 @@
-{
-  config,
-  inputs,
-  ...
-}: let
+{inputs, ...}: let
   inherit (inputs) mysecrets;
   # TODO: stop relying on networking.hostName
   hostname = "sarien";
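Review bot: The new `keyFiles` list authorizes the `user` keys of all three hosts (dunamis, eldrid, sarien) on eldrid, which widens the previous two-host list into a full mesh where a compromise of any one host's private key — each of which sops.nix places on disk as a decrypted file — grants a login on every other host; if that is the intended trust model, a comment such as `# every host's user key may log in here; the private halves are deployed by hosts/*/sops.nix` would make it explicit, otherwise the list should be trimmed to the hosts that actually need to reach eldrid. The host's own `id_eldrid_ed25519.pub` in the list is also worth a second look, since a key that is only used outbound does not need to appear in its own authorized_keys. The paths now point at `${mysecrets}/ssh/user/id_<host>_ed25519.pub` instead of the old `${mysecrets}/ssh/id_ed25519_<host>_user.pub` names; the evaluation only succeeds if the `mysecrets` input already contains the renamed files, which this patch cannot show. The module's argument list begins above the hunk.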