Refactors SSH config management

- Consolidates SSH config into a unified file - Replaces deprecated config files and updates file sources - Ensures proper SSH key permission handling and mapping
2025-04-22 21:10:28 -04:00 · 2025-04-22 21:10:28 -04:00 · 39b2c02bba
commit 39b2c02bba
parent 2f83f84270
7 changed files with 69 additions and 62 deletions
--- a/home/toph/common/core/default.nix
+++ b/home/toph/common/core/default.nix
@ -10,6 +10,7 @@
 let
  username = config.hostSpec.username;
  homeDir = config.hostSpec.home;
+  shell = config.hostSpec.shell;
 in
 {
  imports = lib.flatten [
@ -18,7 +19,7 @@ in
      "modules/home"
    ])
    ./asdf.nix
-    ./bash.nix
+    ./bash.nix # TODO: setup a nicer bash config... or zsh
    ./bat.nix
    ./direnv.nix
    ./fastfetch
@ -26,7 +27,7 @@ in
    ./git.nix
    ./ranger.nix
    ./screen.nix
-    ./ssh
+    ./ssh.nix
    ./zoxide.nix
  ];

@ -45,7 +46,7 @@ in
      EDITOR = "micro";
      FLAKE = "${homeDir}/git/Nix/dot.nix";
      MANPAGER = "batman"; # see ./cli/bat.nix
-      SHELL = "fish";
+      SHELL = shell;
      TERM = "foot";
      VISUAL = "micro";
    };
--- a/home/toph/common/core/ssh.nix
+++ b/home/toph/common/core/ssh.nix
@ -0,0 +1,58 @@
+{
+  pkgs,
+  config,
+  lib,
+  hostSpec,
+  secretsSpec,
+  ...
+}:
+let
+  # Generate local key paths for the config
+  sshKeysMap = lib.mapAttrs (name: _: "${hostSpec.home}/.ssh/${name}") secretsSpec.ssh.privateKeys;
+
+  # Create the SSH config file with local paths
+  sshConfig = pkgs.writeText "ssh-config" ''
+    Host git.ryot.foo
+      IdentityFile ${sshKeysMap.git}
+
+    Host *
+      ForwardAgent no
+      AddKeysToAgent yes
+      Compression no
+      ServerAliveInterval 5
+      ServerAliveCountMax 3
+      HashKnownHosts no
+      UserKnownHostsFile ~/.ssh/known_hosts
+      ControlMaster no
+      ControlPath ~/.ssh/master-%r@%n:%p
+      ControlPersist no
+
+      IdentityFile ${sshKeysMap.pve}
+      UpdateHostKeys ask
+  '';
+in
+{
+  home.file =
+    {
+      # SSH config file
+      ".ssh/config_source" = {
+        source = sshConfig;
+        onChange = ''
+          cp $HOME/.ssh/config_source $HOME/.ssh/config
+          chmod 400 $HOME/.ssh/config
+        '';
+      };
+    }
+    # Dynamically add all SSH private keys using the existing store paths
+    # Ensures the keys have correct permissions and are not symlinks
+    // lib.mapAttrs' (name: path: {
+      name = ".ssh/${name}_source";
+      value = {
+        source = path;
+        onChange = ''
+          cp $HOME/.ssh/${name}_source $HOME/.ssh/${name}
+          chmod 600 $HOME/.ssh/${name}
+        '';
+      };
+    }) secretsSpec.ssh.privateKeys;
+}
--- a/home/toph/common/core/ssh/config
+++ b/home/toph/common/core/ssh/config
@ -1,17 +0,0 @@
-Host git.ryot.foo
-  IdentityFile ~/git/.ssh/git
-
-Host *
-  ForwardAgent no
-  AddKeysToAgent yes
-  Compression no
-  ServerAliveInterval 5
-  ServerAliveCountMax 3
-  HashKnownHosts no
-  UserKnownHostsFile ~/.ssh/known_hosts
-  ControlMaster no
-  ControlPath ~/.ssh/master-%r@%n:%p
-  ControlPersist no
-
-  IdentityFile ~/.ssh/pve
-    UpdateHostKeys ask
--- a/home/toph/common/core/ssh/default.nix
+++ b/home/toph/common/core/ssh/default.nix
@ -1,32 +0,0 @@
-{
-  config,
-  inputs,
-  lib,
-  ...
-}:
-{
-  # programs.ssh = {
-  #   enable = true;
-  #   # Avoids infinite hang if control socket connection interrupted. ex: vpn goes down/up
-  #   serverAliveCountMax = 3;
-  #   serverAliveInterval = 5;
-  #   addKeysToAgent = "yes";
-
-  #   extraConfig = ''
-  #     IdentityFile ~/.ssh/pve
-  #       UpdateHostKeys ask
-  #   '';
-
-  #   matchBlocks = {
-  #     "git.ryot.foo" = {
-  #       identityFile = "~/git/.ssh/git";
-  #     };
-  #   };
-  # };
-
-  home.file.".ssh/config" = {
-    source = ./config;
-    target = ".ssh/config_source";
-    onChange = ''cat .ssh/config_source > .ssh/config && chmod 400 .ssh/config'';
-  };
-}
--- a/hosts/common/core/ssh.nix
+++ b/hosts/common/core/ssh.nix
@ -1,8 +1,3 @@
-{
-  lib,
-  config,
-  ...
-}:
 {
  programs.ssh.startAgent = true;

--- a/hosts/common/optional/system/pool.nix
+++ b/hosts/common/optional/system/pool.nix
@ -2,6 +2,7 @@
 let
  username = config.hostSpec.username;
  homeDir = config.hostSpec.home;
+  pve-key = config.secretsSpec.ssh.privateKeys.pve;
 in
 {
  # For less permission issues with SSHFS
@ -23,7 +24,7 @@ in
        "reconnect"
        "_netdev"
        "allow_other"
-        "identityfile=${homeDir}/.ssh/pve"
+        "identityfile=${pve-key}"
      ];
    };

--- a/hosts/users/toph/default.nix
+++ b/hosts/users/toph/default.nix
@ -9,15 +9,16 @@ let
  hostSpec = config.hostSpec;
  username = hostSpec.username;
  homeDir = hostSpec.home;
-  pubKeys = lib.filesystem.listFilesRecursive ./keys;
+  _shell = hostSpec.shell;
+  pubKeys = builtins.attrValues config.secretsSpec.ssh.publicKeys;
 in
 {
  users.users.${username} = {
    name = hostSpec.username;
-    shell = pkgs.fish; # default shell
+    shell = _shell;

    # These get placed into /etc/ssh/authorized_keys.d/<name> on nixos
-    openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+    openssh.authorizedKeys.keys = pubKeys;
  };

  # Create ssh sockets directory for controlpaths when homemanager not loaded (i.e. isMinimal)
@ -38,7 +39,7 @@ in
  home-manager = {
    extraSpecialArgs = {
      inherit pkgs inputs;
-      hostSpec = config.hostSpec;
+      inherit (config) secretsSpec hostSpec;
    };
    users.${username}.imports = lib.flatten (
      lib.optional (!hostSpec.isMinimal) [