
5 Commits

Author SHA1 Message Date
Flake Update Bot
7550ff62c2 Update from master 2023-12-08T02:03+00:00 2023-12-08 03:03:02 +01:00
0220dbbcdd users/isa: Refactor ssh public key 2023-12-07 20:23:11 +01:00
0ea664287b users/isa: Move to users directory 2023-12-07 20:21:44 +01:00
35d2b3a76c user/criese-nethinks: refactor ssh.pub 2023-12-07 20:18:21 +01:00
a00c276c5c secrets.nix: Document the magic 2023-12-07 20:17:31 +01:00
8 changed files with 76 additions and 17 deletions


@ -38,6 +38,7 @@
group = "event"; group = "event";
modules = [ modules = [
./users/criese-nethinks ./users/criese-nethinks
./users/isa
]; ];
}; };
backup-4 = { name = "backup-4"; }; backup-4 = { name = "backup-4"; };


@ -5,7 +5,6 @@
[ [
./hardware-configuration.nix ./hardware-configuration.nix
./isa.nix
./users.nix ./users.nix
]; ];


@ -1,11 +0,0 @@
{ ... }:
{
users.users.isa = {
isNormalUser = true;
extraGroups = [ "guests" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e"
];
};
}


@ -16,6 +16,15 @@
*/ */
let let
/*
Returns an attrset for a given directory,
having the name of a subdirectory as its attribute names
and the contents of the containing ssh.pub file as their value
{
clerie = "ssh-ed25519 AAAA...";
}
*/
pubkeysFor = directory: let pubkeysFor = directory: let
instances = builtins.attrNames (builtins.readDir directory); instances = builtins.attrNames (builtins.readDir directory);
instancesWithPubkey = builtins.filter (i: builtins.pathExists (directory + "/${i}/ssh.pub")) instances; instancesWithPubkey = builtins.filter (i: builtins.pathExists (directory + "/${i}/ssh.pub")) instances;
@ -25,13 +34,63 @@ let
users = pubkeysFor ./users; users = pubkeysFor ./users;
hosts = pubkeysFor ./hosts; hosts = pubkeysFor ./hosts;
/*
Returns secret configuration for a given hostname
*/
secretsForHost = hostname: let secretsForHost = hostname: let
/*
Returns a list of all file names in the secrets directory of the specified host
*/
secretsFiles = builtins.attrNames (builtins.readDir (./hosts + "/${hostname}/secrets")); secretsFiles = builtins.attrNames (builtins.readDir (./hosts + "/${hostname}/secrets"));
listOfSecrets = builtins.filter (i: (builtins.stringLength i) > 4 && builtins.substring ((builtins.stringLength i) - 4) (builtins.stringLength i) i == ".age") secretsFiles;
/*
Returns all file names that end with .age
*/
listOfSecrets = builtins.filter (i:
# Make sure the file name is longer than the file extension
(builtins.stringLength i) > 4
# Take the last four letters of the file name and check if it is .age
&& builtins.substring ((builtins.stringLength i) - 4) (builtins.stringLength i) i == ".age"
) secretsFiles;
in in
if builtins.pathExists (./hosts + "/${hostname}/secrets") && builtins.pathExists (./hosts + "/${hostname}/ssh.pub") then if
map (secret: { name = "hosts/${hostname}/secrets/${secret}"; value = { publicKeys = [ users.clerie hosts."${hostname}" ]; }; }) (listOfSecrets ++ [ "new" ]) # Make sure the host has a secrets directory
builtins.pathExists (./hosts + "/${hostname}/secrets")
# Make sure the host has a public ssh key provided
&& builtins.pathExists (./hosts + "/${hostname}/ssh.pub")
then
/*
This map specifies all public keys for which a given secret file should be encrypted
It returns a list of name value pairs
The name is the path to the secret file
The value is an attribute set containing a list of public keys as a string
*/
map
(secret: {
name = "hosts/${hostname}/secrets/${secret}";
value = {
publicKeys = [
# Hardcode clerie's public key here
users.clerie
# No other user should have access to any secrets
# A host should only have access to their own secrets
hosts."${hostname}"
];
};
})
# All file names of already existing secrets plus the magic "new" secret
(listOfSecrets ++ [ "new" ])
else else
# Answer with an empty list, if no secrets are provided for a host
[]; [];
in in
builtins.listToAttrs (builtins.concatMap (hostname: secretsForHost hostname) (builtins.attrNames (builtins.readDir ./hosts))) # We just have a list of name value pairs that need to get transformed into an attribute set
builtins.listToAttrs (
builtins.concatMap
# Provide a list of secrets for a given hostname
(hostname: secretsForHost hostname)
# Names of all hosts
(builtins.attrNames (builtins.readDir ./hosts))
)
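Review bot: The comment on the `"new"` entry calls it magic without saying what the magic is: unlike the `listOfSecrets` entries, which the filter guarantees end in `.age`, it yields the extensionless name `hosts/<hostname>/secrets/new`, so a reader has to guess why it is there. Presumably it is a placeholder rule so a secret that does not exist yet can be created with the agenix CLI and then renamed; if so, a comment such as `# "new" deliberately has no .age suffix: placeholder rule for creating a secret that does not exist yet` would settle it (confirm the intent). It would also help to note at `secretsFiles` that the `readDir` is only forced inside the `then` branch because `let` bindings are lazy, so the binding appearing before the `pathExists` check is safe for hosts without a secrets directory. The comment `a list of public keys as a string` should read `as strings`, since `publicKeys` is a list of strings. The enclosing `let` begins in the previous hunk.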


@ -4,7 +4,7 @@
users.users.criese-nethinks = { users.users.criese-nethinks = {
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
(builtins.readFile ./ssh-criese.pub) (builtins.readFile ./ssh.pub)
]; ];
}; };
} }

10
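--- a/users/isa/default.nix
+++ b/users/isa/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+users.users.isa = {
+isNormalUser = true;
+openssh.authorizedKeys.keys = [
+(builtins.readFile ./ssh.pub)
+];
+};
+}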
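Review bot: The relocated module drops the `extraGroups = [ "guests" ];` line that the deleted `isa.nix` carried (see its hunk above), so after this change the `isa` account is no longer in the `guests` group, while the commit messages describe only a move and a key refactor. If removing the group is intended, the commit message should say so; otherwise restore `extraGroups = [ "guests" ];` under `isNormalUser = true;`. The key now read via `builtins.readFile ./ssh.pub` is identical to the one previously inlined, so that part is a pure move.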

1
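--- a/users/isa/ssh.pub
+++ b/users/isa/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e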