Refactor SSH key management to use centralized key retrieval function for nixremote users across configurations.

This commit is contained in:
Danilo Reyes 2025-10-12 20:28:39 -06:00
parent 0f7e28abd0
commit de5ad541b8
6 changed files with 37 additions and 22 deletions


@ -68,14 +68,14 @@ in
"plugdev"
"bluetooth"
];
openssh.authorizedKeys.keyFiles = [
../secrets/ssh/ed25519_deacero.pub
../secrets/ssh/ed25519_workstation.pub
../secrets/ssh/ed25519_server.pub
../secrets/ssh/ed25519_miniserver.pub
../secrets/ssh/ed25519_galaxy.pub
../secrets/ssh/ed25519_phone.pub
../secrets/ssh/ed25519_vps.pub
openssh.authorizedKeys.keyFiles = inputs.self.lib.getSshKeys [
"deacero"
"workstation"
"server"
"miniserver"
"galaxy"
"phone"
"vps"
];
};
}
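Review bot: The new right-hand side on the `openssh.authorizedKeys.keyFiles = inputs.self.lib.getSshKeys [` line references `inputs`, but the module's argument set is outside this hunk, so it is not visible here whether `inputs` is bound in this file; if it is not, evaluation fails with an undefined-variable error rather than a bad key list. The fifth section had to change its signature to `{ lib, config, inputs, ... }:` for the same reason, and the second and fourth sections have the same unverified dependency (the third shows `inputs` in scope via `inherit config inputs`). Confirming the argument sets of those three files is all this needs. The enclosing user definition starts before the hunk.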


@ -9,9 +9,9 @@
nix.cores = 3;
nix.maxJobs = 8;
users.nixremote.enable = true;
users.nixremote.authorizedKeys = [
../../secrets/ssh/ed25519_nixworkstation.pub
../../secrets/ssh/ed25519_nixserver.pub
users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
"nixworkstation"
"nixserver"
];
};
nix.buildMachines =


@ -13,9 +13,9 @@
my = import ./toggles.nix { inherit config inputs; } // {
nix.cores = 6;
users.nixremote.enable = true;
users.nixremote.authorizedKeys = [
../../secrets/ssh/ed25519_nixworkstation.pub
../../secrets/ssh/ed25519_nixminiserver.pub
users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
"nixworkstation"
"nixminiserver"
];
network.firewall.enabledServicePorts = true;
network.firewall.additionalPorts = [


@ -26,9 +26,9 @@ in
nix.cores = 8;
nix.maxJobs = 8;
users.nixremote.enable = true;
users.nixremote.authorizedKeys = [
../../secrets/ssh/ed25519_nixserver.pub
../../secrets/ssh/ed25519_nixminiserver.pub
users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
"nixserver"
"nixminiserver"
];
};
home-manager.users.jawz = {


@ -1,13 +1,13 @@
{ lib, config, ... }:
{ lib, config, inputs, ... }:
{
options.my.users.nixremote = {
enable = lib.mkEnableOption "nixremote user for distributed builds";
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [
../../secrets/ssh/ed25519_nixworkstation.pub
../../secrets/ssh/ed25519_nixserver.pub
../../secrets/ssh/ed25519_nixminiserver.pub
default = inputs.self.lib.getSshKeys [
"nixworkstation"
"nixserver"
"nixminiserver"
];
description = "List of SSH public key files to authorize for nixremote user";
};
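Review bot: The `default = inputs.self.lib.getSshKeys [` expression is no longer a literal, so generated option documentation will render the evaluated list of source paths instead of the intent; a `defaultText` next to it keeps the docs readable, e.g. `defaultText = lib.literalExpression ''inputs.self.lib.getSshKeys [ "nixworkstation" "nixserver" "nixminiserver" ]'';`. Since this default decides which keys may log in as the build user on every host that enables the option without overriding it, it is worth a one-line comment above it naming that it authorizes all three build-user keys by default. The `options.my.users.nixremote` attrset continues past the hunk.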


@ -197,6 +197,21 @@ in
mkPostgresDependencies =
config: serviceMap:
serviceMap |> map (entry: inputs.self.lib.mkPostgresDependency config entry.service entry.name);
sshKeys = {
deacero = ../../secrets/ssh/ed25519_deacero.pub;
workstation = ../../secrets/ssh/ed25519_workstation.pub;
server = ../../secrets/ssh/ed25519_server.pub;
miniserver = ../../secrets/ssh/ed25519_miniserver.pub;
galaxy = ../../secrets/ssh/ed25519_galaxy.pub;
phone = ../../secrets/ssh/ed25519_phone.pub;
vps = ../../secrets/ssh/ed25519_vps.pub;
emacs = ../../secrets/ssh/ed25519_emacs.pub;
# Build user keys (nixremote)
nixworkstation = ../../secrets/ssh/ed25519_nixworkstation.pub;
nixserver = ../../secrets/ssh/ed25519_nixserver.pub;
nixminiserver = ../../secrets/ssh/ed25519_nixminiserver.pub;
};
getSshKeys = keyNames: keyNames |> map (name: inputs.self.lib.sshKeys.${name});
};
};
}
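Review bot: On the `getSshKeys = keyNames: ...` line a misspelled key name fails at evaluation with a generic attribute-missing error from deep inside the map, which is hard to trace back to the calling host's key list; a lazy default makes the failure name the offender: `getSshKeys = keyNames: keyNames |> map (name: inputs.self.lib.sshKeys.${name} or (throw "getSshKeys: no key named '${name}'"));`. Failing closed here is the right behaviour, since a silently dropped key would be noticed only as a lockout, so the change is to the message only. The `sshKeys` map mixes interactive-user keys with the build-user keys; the `# Build user keys (nixremote)` comment marks the second group, and a matching `# Interactive user keys` line above `deacero` would make the split explicit for callers. The enclosing attrset starts before the hunk.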