Refactor SSH key management to use centralized key retrieval function for nixremote users across configurations.

more migration stuff
2025-10-12 20:28:39 -06:00 · 2025-10-12 20:24:42 -06:00
10 changed files with 138 additions and 114 deletions
--- a/config/jawz.nix
+++ b/config/jawz.nix
@ -68,14 +68,14 @@ in
      "plugdev"
      "bluetooth"
    ];
-    openssh.authorizedKeys.keyFiles = [
-      ../secrets/ssh/ed25519_deacero.pub
-      ../secrets/ssh/ed25519_workstation.pub
-      ../secrets/ssh/ed25519_server.pub
-      ../secrets/ssh/ed25519_miniserver.pub
-      ../secrets/ssh/ed25519_galaxy.pub
-      ../secrets/ssh/ed25519_phone.pub
-      ../secrets/ssh/ed25519_vps.pub
+    openssh.authorizedKeys.keyFiles = inputs.self.lib.getSshKeys [
+      "deacero"
+      "workstation" 
+      "server"
+      "miniserver"
+      "galaxy"
+      "phone"
+      "vps"
    ];
  };
 }
--- a/hosts/miniserver/configuration.nix
+++ b/hosts/miniserver/configuration.nix
@ -5,13 +5,13 @@
    ../../config/base.nix
    ../../config/stylix.nix
  ];
-  my = import ./toggles.nix // {
+  my = import ./toggles.nix { inherit inputs; } // {
    nix.cores = 3;
    nix.maxJobs = 8;
    users.nixremote.enable = true;
-    users.nixremote.authorizedKeys = [
-      ../../secrets/ssh/ed25519_nixworkstation.pub
-      ../../secrets/ssh/ed25519_nixserver.pub
+    users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
+      "nixworkstation"
+      "nixserver"
    ];
  };
  nix.buildMachines =
--- a/hosts/miniserver/toggles.nix
+++ b/hosts/miniserver/toggles.nix
@ -1,16 +1,6 @@
+{ inputs }:
 let
-  mkEnabled = name: {
-    inherit name;
-    value.enable = true;
-  };
-  mkEnabledWithProxy = name: {
-    inherit name;
-    value = {
-      enable = true;
-      enableProxy = true;
-    };
-  };
-  enableList = func: list: list |> map func |> builtins.listToAttrs;
+  inherit (inputs.self.lib) mkEnabled mkEnabledWithProxy enableList;
 in
 {
  emacs.enable = true;
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@ -10,12 +10,12 @@
    ../../config/base.nix
    ../../config/stylix.nix
  ];
-  my = import ./toggles.nix { inherit config; } // {
+  my = import ./toggles.nix { inherit config inputs; } // {
    nix.cores = 6;
    users.nixremote.enable = true;
-    users.nixremote.authorizedKeys = [
-      ../../secrets/ssh/ed25519_nixworkstation.pub
-      ../../secrets/ssh/ed25519_nixminiserver.pub
+    users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
+      "nixworkstation"
+      "nixminiserver"
    ];
    network.firewall.enabledServicePorts = true;
    network.firewall.additionalPorts = [
--- a/hosts/server/toggles.nix
+++ b/hosts/server/toggles.nix
@ -1,17 +1,7 @@
-{ config }:
+{ config, inputs }:
 let
-  mkEnabled = name: {
-    inherit name;
-    value.enable = true;
-  };
-  mkEnabledIp = name: {
-    inherit name;
-    value = {
-      enable = true;
-      ip = config.my.ips.wg-server;
-    };
-  };
-  enableList = func: list: list |> map func |> builtins.listToAttrs;
+  inherit (inputs.self.lib) mkEnabled enableList;
+  mkEnabledIp = inputs.self.lib.mkEnabledIp config.my.ips.wg-server;
 in
 {
  mainServer = "server";
--- a/hosts/workstation/configuration.nix
+++ b/hosts/workstation/configuration.nix
@ -22,13 +22,13 @@ in
    ../../config/stylix.nix
    ../../environments/gnome.nix
  ];
-  my = import ./toggles.nix // {
+  my = import ./toggles.nix { inherit inputs; } // {
    nix.cores = 8;
    nix.maxJobs = 8;
    users.nixremote.enable = true;
-    users.nixremote.authorizedKeys = [
-      ../../secrets/ssh/ed25519_nixserver.pub
-      ../../secrets/ssh/ed25519_nixminiserver.pub
+    users.nixremote.authorizedKeys = inputs.self.lib.getSshKeys [
+      "nixserver"
+      "nixminiserver"
    ];
  };
  home-manager.users.jawz = {
--- a/hosts/workstation/toggles.nix
+++ b/hosts/workstation/toggles.nix
@ -1,9 +1,6 @@
+{ inputs }:
 let
-  mkEnabled = name: {
-    inherit name;
-    value.enable = true;
-  };
-  enableList = func: list: list |> map func |> builtins.listToAttrs;
+  inherit (inputs.self.lib) mkEnabled enableList;
 in
 {
  stylix.enable = true;
--- a/modules/modules.nix
+++ b/modules/modules.nix
@ -105,65 +105,71 @@ in
    enableProxy = lib.mkEnableOption "nginx reverse proxy for services";
  };
  config = {
-    assertions = [
-      {
-        assertion = config.my.servers.nextcloud.enable -> config.my.servers.postgres.enable;
-        message = "Nextcloud requires PostgreSQL to be enabled";
-      }
-      {
-        assertion = config.my.servers.vaultwarden.enable -> config.my.servers.postgres.enable;
-        message = "Vaultwarden requires PostgreSQL to be enabled";
-      }
-      {
-        assertion = config.my.servers.firefly-iii.enable -> config.my.servers.postgres.enable;
-        message = "Firefly III requires PostgreSQL to be enabled";
-      }
-      {
-        assertion = config.my.servers.mealie.enable -> config.my.servers.postgres.enable;
-        message = "Mealie requires PostgreSQL to be enabled";
-      }
-      {
-        assertion = config.my.servers.shiori.enable -> config.my.servers.postgres.enable;
-        message = "Shiori requires PostgreSQL to be enabled";
-      }
-      {
-        assertion = config.my.servers.ryot.enable -> config.my.servers.postgres.enable;
-        message = "Ryot requires PostgreSQL to be enabled";
-      }
-      {
-        assertion = config.my.servers.synapse.enable -> config.my.servers.postgres.enable;
-        message = "Matrix Synapse requires PostgreSQL to be enabled";
-      }
-      {
-        assertion = config.my.servers.gitea.enable -> config.my.servers.postgres.enable;
-        message = "Gitea requires PostgreSQL to be enabled";
-      }
-      {
-        assertion =
-          config.my.enableProxy
-          -> (builtins.any (s: s.enableProxy or false) (builtins.attrValues config.my.servers));
-        message = "enableProxy is true but no services have enableProxy enabled";
-      }
-      {
-        assertion =
-          config.my.enableContainers
-          || !(builtins.any (opt: opt) [
-            config.my.servers.ryot.enable
-            config.my.servers.lidarr.enable
-            config.my.servers.prowlarr.enable
-            config.my.servers.maloja.enable
-            config.my.servers.multi-scrobbler.enable
-            config.my.servers.flame.enable
-            config.my.servers.flameSecret.enable
-            config.my.servers.metube.enable
-            config.my.servers.go-vod.enable
-            config.my.servers.tranga.enable
-            config.my.servers.drpp.enable
-            config.my.servers.plex-discord-bot.enable
-          ]);
-        message = "Container services are enabled but enableContainers is false";
-      }
-    ];
+    assertions =
+      # PostgreSQL dependency assertions
+      inputs.self.lib.mkPostgresDependencies config [
+        {
+          service = "nextcloud";
+          name = "Nextcloud";
+        }
+        {
+          service = "vaultwarden";
+          name = "Vaultwarden";
+        }
+        {
+          service = "firefly-iii";
+          name = "Firefly III";
+        }
+        {
+          service = "mealie";
+          name = "Mealie";
+        }
+        {
+          service = "shiori";
+          name = "Shiori";
+        }
+        {
+          service = "ryot";
+          name = "Ryot";
+        }
+        {
+          service = "synapse";
+          name = "Matrix Synapse";
+        }
+        {
+          service = "gitea";
+          name = "Gitea";
+        }
+      ]
+      ++
+      # Other assertions
+      [
+        {
+          assertion =
+            config.my.enableProxy
+            -> (builtins.any (s: s.enableProxy or false) (builtins.attrValues config.my.servers));
+          message = "enableProxy is true but no services have enableProxy enabled";
+        }
+        {
+          assertion =
+            config.my.enableContainers
+            || !(builtins.any (opt: opt) [
+              config.my.servers.ryot.enable
+              config.my.servers.lidarr.enable
+              config.my.servers.prowlarr.enable
+              config.my.servers.maloja.enable
+              config.my.servers.multi-scrobbler.enable
+              config.my.servers.flame.enable
+              config.my.servers.flameSecret.enable
+              config.my.servers.metube.enable
+              config.my.servers.go-vod.enable
+              config.my.servers.tranga.enable
+              config.my.servers.drpp.enable
+              config.my.servers.plex-discord-bot.enable
+            ]);
+          message = "Container services are enabled but enableContainers is false";
+        }
+      ];
    virtualisation = {
      containers.enable = true;
      oci-containers.backend = "podman";
--- a/modules/users/nixremote.nix
+++ b/modules/users/nixremote.nix
@ -1,13 +1,13 @@
-{ lib, config, ... }:
+{ lib, config, inputs, ... }:
 {
  options.my.users.nixremote = {
    enable = lib.mkEnableOption "nixremote user for distributed builds";
    authorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.path;
-      default = [
-        ../../secrets/ssh/ed25519_nixworkstation.pub
-        ../../secrets/ssh/ed25519_nixserver.pub
-        ../../secrets/ssh/ed25519_nixminiserver.pub
+      default = inputs.self.lib.getSshKeys [
+        "nixworkstation"
+        "nixserver" 
+        "nixminiserver"
      ];
      description = "List of SSH public key files to authorize for nixremote user";
    };
--- a/parts/core.nix
+++ b/parts/core.nix
@ -171,6 +171,47 @@ in
          |> lib.attrValues
          |> map (srv: srv.port)
        );
+      mkEnabled = name: {
+        inherit name;
+        value.enable = true;
+      };
+      mkEnabledWithProxy = name: {
+        inherit name;
+        value = {
+          enable = true;
+          enableProxy = true;
+        };
+      };
+      mkEnabledIp = ip: name: {
+        inherit name;
+        value = {
+          enable = true;
+          inherit ip;
+        };
+      };
+      enableList = func: list: list |> map func |> builtins.listToAttrs;
+      mkPostgresDependency = config: serviceName: displayName: {
+        assertion = config.my.servers.${serviceName}.enable -> config.my.servers.postgres.enable;
+        message = "${displayName} requires PostgreSQL to be enabled";
+      };
+      mkPostgresDependencies =
+        config: serviceMap:
+        serviceMap |> map (entry: inputs.self.lib.mkPostgresDependency config entry.service entry.name);
+      sshKeys = {
+        deacero = ../../secrets/ssh/ed25519_deacero.pub;
+        workstation = ../../secrets/ssh/ed25519_workstation.pub;
+        server = ../../secrets/ssh/ed25519_server.pub;
+        miniserver = ../../secrets/ssh/ed25519_miniserver.pub;
+        galaxy = ../../secrets/ssh/ed25519_galaxy.pub;
+        phone = ../../secrets/ssh/ed25519_phone.pub;
+        vps = ../../secrets/ssh/ed25519_vps.pub;
+        emacs = ../../secrets/ssh/ed25519_emacs.pub;
+        # Build user keys (nixremote)
+        nixworkstation = ../../secrets/ssh/ed25519_nixworkstation.pub;
+        nixserver = ../../secrets/ssh/ed25519_nixserver.pub;
+        nixminiserver = ../../secrets/ssh/ed25519_nixminiserver.pub;
+      };
+      getSshKeys = keyNames: keyNames |> map (name: inputs.self.lib.sshKeys.${name});
    };
  };
 }
Author	SHA1	Message	Date
Danilo Reyes	de5ad541b8	Refactor SSH key management to use centralized key retrieval function for nixremote users across configurations.	2025-10-12 20:28:39 -06:00
Danilo Reyes	0f7e28abd0	more migration stuff	2025-10-12 20:24:42 -06:00