toph/dot.nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix SSH username reference and update key handling in secrets configuration

Browse source
This commit is contained in:
Chris Toph 2025-05-28 23:03:38 -04:00
parent e6e0c1467a
commit a165a480cc
4 changed files with 21 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
home/global/core/ssh.nix
View file

@ -8,7 +8,7 @@
}: }:
let let
## Get the current user's SSH config ## ## Get the current user's SSH config ##
userSsh = secretsSpec.users.${hostSpec.user}.ssh; userSsh = secretsSpec.users.${hostSpec.username}.ssh;
## Generate local key paths for the config ## ## Generate local key paths for the config ##
sshKeysMap = lib.mapAttrs (name: _: "${hostSpec.home}/.ssh/${name}") userSsh.privateKeys; sshKeysMap = lib.mapAttrs (name: _: "${hostSpec.home}/.ssh/${name}") userSsh.privateKeys;

4
hosts/global/core/user.nix
View file

@ -46,7 +46,7 @@ in
"video" "video"
]) ])
]; ];
openssh.authorizedKeys.keys = builtins.attrValues config.secretsSpec.ssh.publicKeys or [ ]; openssh.authorizedKeys.keys = user.ssh.publicKeys or [ ];
}; };
# Special sudo config for user # Special sudo config for user
@ -69,7 +69,7 @@ in
users.users.root = { users.users.root = {
shell = pkgs.bash; shell = pkgs.bash;
hashedPassword = lib.mkForce hostSpec.hashedPassword; hashedPassword = lib.mkForce hostSpec.hashedPassword;
openssh.authorizedKeys.keys = builtins.attrValues config.secretsSpec.ssh.publicKeys or [ ]; openssh.authorizedKeys.keys = user.ssh.publicKeys or [ ];
}; };
} }
// lib.optionalAttrs (inputs ? "home-manager") { // lib.optionalAttrs (inputs ? "home-manager") {

42
modules/global/secret-spec.nix
View file

@ -70,7 +70,15 @@ in
privateKeys = lib.mkOption { privateKeys = lib.mkOption {
type = lib.types.attrsOf lib.types.path; type = lib.types.attrsOf lib.types.path;
description = "SSH private key file paths keyed by name"; description = "SSH private key file paths keyed by name";
readOnly = true; default = { };
apply =
_:
let
userName = config.hostSpec.username;
userConfig = config.secretsSpec.users.${userName} or { };
privateKeyContents = userConfig.ssh.privateKeyContents or { };
in
lib.mapAttrs (name: content: mkSshKeyFile "${userName}-${name}" content) privateKeyContents;
}; };
config = lib.mkOption { config = lib.mkOption {
type = lib.types.path; type = lib.types.path;
@ -104,7 +112,15 @@ in
privateKey = lib.mkOption { privateKey = lib.mkOption {
type = lib.types.path; type = lib.types.path;
description = "GPG private key file path"; description = "GPG private key file path";
readOnly = true; default = null;
apply =
_:
let
userName = config.hostSpec.username;
userConfig = config.secretsSpec.users.${userName} or { };
privateKeyContent = userConfig.gpg.privateKeyContents or "";
in
if privateKeyContent != "" then mkGpgKeyFile userName privateKeyContent else null;
}; };
trust = lib.mkOption { trust = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@ -247,26 +263,4 @@ in
default = { }; default = { };
}; };
}; };
config.secretsSpec.users = lib.mapAttrs (
userName: userConfig:
userConfig
// {
## Auto-generate SSH private key files ##
ssh = userConfig.ssh // {
privateKeys = lib.mapAttrs (
name: content: mkSshKeyFile "${userName}-${name}" content
) userConfig.ssh.privateKeyContents;
};
## Auto-generate GPG private key file ##
gpg = userConfig.gpg // {
privateKey =
if userConfig.gpg.privateKeyContents != "" then
mkGpgKeyFile "${userName}-gpg" userConfig.gpg.privateKeyContents
else
null;
};
}
) config.secretsSpec.users;
} }

BIN
secrets.nix
View file

Binary file not shown.