complete rework v3

2026-01-22 08:06:50 +01:00 · 2025-02-18 20:17:57 +01:00 · 2025-02-18 20:17:57 +01:00 · 366a0e221a
commit 366a0e221a
parent 7409e9ca10
131 changed files with 20171 additions and 585 deletions
--- a/parts/modules/base/ssh.nix
+++ b/parts/modules/base/ssh.nix
@ -1,25 +1,53 @@
-{config, ...}: {
+{
+  config,
+  username,
+  hostname,
+  lib,
+  ...
+}: let
+  # Load all public keys from ../../../secrets/hosts/*/id_ed25519.pub
+  allHosts = lib.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ../../../secrets/hosts));
+  publicKeys = map (x: builtins.readFile (../../../secrets/hosts + ("/" + x) + "/id_ed25519.pub")) allHosts;
+in {
+  age.secrets.ssh-key = {
+    rekeyFile = ../../../secrets/hosts + ("/" + hostname) + /id_ed25519.age;
+    mode = "0600";
+    owner = username;
+  };
+  age.secrets.ssh-key-ao = {
+    rekeyFile = ../../../secrets/ssh-key-ao.age;
+    mode = "0600";
+    owner = username;
+  };
+  fireproof.home-manager = {
+    programs.ssh = {
+      enable = true;
+      forwardAgent = true;
+      matchBlocks = {
+        "*" = {
+          identityFile = "${config.age.secrets.ssh-key.path}";
+        };
+        # Work hostnames definded in ./networking.nix
+        "*.ao" = {
+          user = "nij";
+          identityFile = "${config.age.secrets.ssh-key-ao.path}";
+        };
+        "dev.ao,scw.ao".proxyJump = "bastion.ao";
+        "clickhouse.ao".user = "ubuntu";
+        "flex.ao" = {
+          hostname = "192.168.2.5";
+          proxyJump = "bastion.ao";
+        };
+      };
+    };
+  };
+
  programs.ssh.startAgent = true;
-  services.openssh.hostKeys = [
-    {
-      type = "ed25519";
-      inherit (config.age.secrets.id_ed25519) path;
-    }
-  ];
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
  };

-  users.users.${config.user.username}.openssh.authorizedKeys.keys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/oT15GWYcRvWCTchReh5rnkXTC9Ukm6Zfufei9bq1fWB0EjpvosCMupADw+jvqiP/ttyBKewHwZQxiw9oeRPSphUtKB0UlQXFPASNf1VxrFlsbkDOSEa+FB+PBS3eeP0TTyNJh18oYszt/OFDzCvr1n53iGXTX9xm76bkBxVfAvhm/5vadjmXKGOpdM/OWNF8rCqSgwkME6PXdT1UAFVj+FBdLrNCqYh1pe1ZdRxYlYL5b4uHwQmuz57AkvWwRNKipzdtxMCkT3LNiCQzuOhv3QaqxQ6fgJ+ktkbcTLZtY7HdT+CRUuC+APr266jeLAz1yUxFH693QifbBdn8v7wWD++UnbP23QqNwdXEMnCjEPRFgnK4ERnhIq6jVR328f5DTRJHZZ9spEx7pWsiT2iQC8MxK0gk9xul4fduJsPETWXe84YaHe6wLK92SQKQMdLh6p+TBvhMhPW2PrH5C6iH2w1oXVGlhc4wvoB1leiKNVHf4m9CWRFgznSmVbxFHFk= nickolaj@arch-desktop"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtjpdHPRXg75YBonNshQdeuNZ3W3k/RzdYY+8QuQ3Pc nickolaj1177@gmail.com"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdBiNbNPcMdI/hp4zgBS3ShqYuVVRvUAA1ffrdiBQ0k nickolaj@fireproof.website"
-  ];
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/oT15GWYcRvWCTchReh5rnkXTC9Ukm6Zfufei9bq1fWB0EjpvosCMupADw+jvqiP/ttyBKewHwZQxiw9oeRPSphUtKB0UlQXFPASNf1VxrFlsbkDOSEa+FB+PBS3eeP0TTyNJh18oYszt/OFDzCvr1n53iGXTX9xm76bkBxVfAvhm/5vadjmXKGOpdM/OWNF8rCqSgwkME6PXdT1UAFVj+FBdLrNCqYh1pe1ZdRxYlYL5b4uHwQmuz57AkvWwRNKipzdtxMCkT3LNiCQzuOhv3QaqxQ6fgJ+ktkbcTLZtY7HdT+CRUuC+APr266jeLAz1yUxFH693QifbBdn8v7wWD++UnbP23QqNwdXEMnCjEPRFgnK4ERnhIq6jVR328f5DTRJHZZ9spEx7pWsiT2iQC8MxK0gk9xul4fduJsPETWXe84YaHe6wLK92SQKQMdLh6p+TBvhMhPW2PrH5C6iH2w1oXVGlhc4wvoB1leiKNVHf4m9CWRFgznSmVbxFHFk= nickolaj@arch-desktop"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtjpdHPRXg75YBonNshQdeuNZ3W3k/RzdYY+8QuQ3Pc nickolaj1177@gmail.com"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdBiNbNPcMdI/hp4zgBS3ShqYuVVRvUAA1ffrdiBQ0k nickolaj@fireproof.website"
-  ];
+  users.users.${username}.openssh.authorizedKeys.keys = publicKeys;
 }