From 500b17237e7c899877ab28ebe6c2b3ef23ef7a5a Mon Sep 17 00:00:00 2001 From: ErrorNoInternet Date: Sat, 2 May 2026 17:10:15 -0400 Subject: [PATCH] treewide: separate ssh keys --- agenix/secrets.nix | 5 +---- lib/ssh/keys.nix | 4 ++++ nixos/common.nix | 14 +------------- nixos/openssh.nix | 17 +++++++++++++++++ nixos/users.nix | 11 ++++++++++- 5 files changed, 33 insertions(+), 18 deletions(-) create mode 100644 lib/ssh/keys.nix create mode 100644 nixos/openssh.nix diff --git a/agenix/secrets.nix b/agenix/secrets.nix index 5ed4e60..49aba5e 100644 --- a/agenix/secrets.nix +++ b/agenix/secrets.nix @@ -1,8 +1,5 @@ let - users = { - error = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ"; - javalsai = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCufzCHLqMfuHpKKisd9Y+3l6hudbQQyaHg1lgQs5XEO58f0dIoUK3gc8iVO6dGGeY5q2o0cDcildHiT0PYc96rq7WJLCY00mAuclEuhmRSPjsei2IT3rWTawIheD2tWq+vAQjIBKibYWnVYwNOsbR3Zz1uKG/LNqqDnyYO/t4iMmhO1qcl6j8dRVBtzWYu3TnTrwx45sj54Y9hqZZiwB1xlzhHznSw6YPOe51hUO/yUtXKF2FCyfG7LHELZBMXkPQD6h4mDu+QNPN2D5RGd+Q5WzHcXcrXH/DvogVW6g3YGpBjTNKllCjGJYdYgjcjzQOS3I8ZOL6CUQzcZt2QwO3P42s4cjGzBwIub2zFnMOCyGgbKCYh3G7KKcde9qAX0yl8k+XNPIletJAV7pDrivzmgRLdy3iWud+q8TytkDLhcd/7g+pE6FE8y3IbejwXGNUn8CXJOKWH5zk0MVWSpNqz+6rlV43iPb4yuO7TFVnzuw/wKyOoc8RlFGEb/XLXwPs="; - }; + users = import ../lib/ssh/keys.nix; tuxcord-ca = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxiko5Csyq9UODglYzLBvRfxkhQu9GXP7SH2BpC8G/7"; in diff --git a/lib/ssh/keys.nix b/lib/ssh/keys.nix new file mode 100644 index 0000000..e7643d6 --- /dev/null +++ b/lib/ssh/keys.nix @@ -0,0 +1,4 @@ +{ + error = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com"; + javalsai = "ssh-rsa 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"; +} diff --git a/nixos/common.nix b/nixos/common.nix index e4fd557..4ff3435 100644 --- a/nixos/common.nix +++ b/nixos/common.nix 
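Review bot: lib/ssh/keys.nix now acts as the single trust root for two unrelated controls — the agenix recipient list in agenix/secrets.nix and the sshd authorized keys added in nixos/openssh.nix and nixos/users.nix — but the new file carries no comment saying so, and a later edit to one entry will silently change both who can decrypt secrets and who can log in. A two-line header would make that visible: `# Public keys used both as agenix recipients (agenix/secrets.nix) and as sshd authorized keys (nixos/openssh.nix, nixos/users.nix).` followed by `# After editing, re-encrypt the secrets so the recipient set matches.` The `error` entry also gained a trailing comment field (`error.nointernet@gmail.com`) compared with the line removed from secrets.nix; age parses recipients in authorized_keys format, so this should be accepted, but it is a change beyond a pure move and worth a mention in the description. The `javalsai` value is not legible in this copy of the patch, so I could not confirm it matches the removed entry.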
@@ -21,6 +21,7 @@ in ./hardware.nix ./impermanence.nix ./modules + ./openssh.nix ./programs.nix ./users.nix ./vm.nix @@ -100,19 +101,6 @@ in }; }; - services = { - openssh = { - enable = true; - - settings = { - ClientAliveInterval = 300; - KbdInteractiveAuthentication = false; - PasswordAuthentication = false; - PermitRootLogin = "no"; - }; - }; - }; - virtualisation.podman.enable = true; zramSwap = { diff --git a/nixos/openssh.nix b/nixos/openssh.nix new file mode 100644 index 0000000..0a8e64e --- /dev/null +++ b/nixos/openssh.nix @@ -0,0 +1,17 @@ +{ self, ... }: +{ + services.openssh = { + enable = true; + + settings = { + ClientAliveInterval = 300; + KbdInteractiveAuthentication = false; + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; + + users.users.root.openssh.authorizedKeys.keys = builtins.attrValues { + inherit (import "${self}/lib/ssh/keys.nix") error javalsai; + }; +} diff --git a/nixos/users.nix b/nixos/users.nix index 7c04c09..8af86af 100644 --- a/nixos/users.nix +++ b/nixos/users.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ lib, self, ... }: let users = [ { @@ -32,6 +32,15 @@ let isNormalUser = true; extraGroups = lib.optionals (options.admin or false) adminGroups; inherit uid; + + openssh.authorizedKeys.keys = + let + keys = import "${self}/lib/ssh/keys.nix"; + in + if (builtins.hasAttr name keys) then + [ keys.${name} ] + else + lib.warn "user ${name} declared without ssh key" [ ]; }; systemd.slices."user-${builtins.toString uid}".sliceConfig = {
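Review bot: The root authorized keys added at the bottom of nixos/openssh.nix are a new grant of root SSH access that the commit subject ("separate ssh keys") does not mention, and in the same file `PermitRootLogin = "no"` makes sshd ignore them, so they are either dead configuration or a latent grant that becomes live the moment any host overrides PermitRootLogin. If root key login is intended, set `PermitRootLogin = "prohibit-password";` deliberately and say why in a comment; if it is not, drop the `users.users.root.openssh.authorizedKeys.keys` block and keep access on the per-user keys from users.nix, where the admin group already scopes privilege. Either way a one-line comment above the block recording the intent, e.g. `# Root key login is disabled via PermitRootLogin; these keys only matter if a host overrides that.`, would stop the next reader from guessing. I cannot see how `self` reaches this module, so I am assuming it is passed through specialArgs, as the users.nix change also relies on it.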
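Review bot: In the `openssh.authorizedKeys.keys` block added to nixos/users.nix, the account name is used implicitly as the lookup key into keys.nix, so adding an entry to that file grants login to every same-named account on every host that imports this module; a comment stating that coupling would help, e.g. `# A user's SSH key is the keys.nix entry with the same name; no entry means no SSH login (password auth is off).` The condition `if (builtins.hasAttr name keys) then` can be written in the idiomatic form `if keys ? ${name} then`, and the `import` could sit in the file's outer `let` rather than being repeated per user. The `lib.warn` fires on every evaluation for every keyless user, which is fine while the list is short but will become noise; consider whether a keyless normal user is really a warning or the expected case. The user attribute set this block belongs to starts before the hunk.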