{ config, lib, inputs, ... }:
let
  inherit (config.networking) hostName;
  inherit (config.my) secureHost;
  jawz = config.users.users.jawz;

  # Other hosts managed by this flake, resolved through the flake's own helper and
  # joined with spaces so they form a single multi-pattern ssh `Host` entry.
  peerHosts = inputs.self.lib.getNixosHosts config.my.ips hostName lib;
  peerHostPattern = lib.concatStringsSep " " peerHosts;

  # Every per-host private key is taken from the same sops file and decrypted
  # into jawz's home directory, owned by that user and their primary group.
  keyPrefix = ".ssh/ed25519";
  mkSopsKey = relPath: {
    sopsFile = ../secrets/keys.yaml;
    owner = jawz.name;
    group = jawz.group;
    path = "/home/jawz/${relPath}";
  };

  # Secret names are per host so each machine only ever sees its own key material.
  hostKeySecret = "private_keys/${hostName}";
  gitKeySecret = "git_private_keys/${hostName}";
  hostKeyPath = config.sops.secrets.${hostKeySecret}.path;
  gitKeyPath = config.sops.secrets.${gitKeySecret}.path;
in
{
  # Secrets are only provisioned on hosts flagged as secure; elsewhere the
  # ssh config is skipped entirely and the login password falls back to the
  # literal hash further down.
  sops.secrets = lib.mkIf secureHost {
    jawz-password.neededForUsers = true;
    ${hostKeySecret} = mkSopsKey "${keyPrefix}_${hostName}";
    ${gitKeySecret} = mkSopsKey "${keyPrefix}_git";
  };

  home-manager.users.jawz = {
    home.file.".librewolf/.stignore" = {
      source = ../dotfiles/stignore;
    };

    programs.ssh = lib.mkIf secureHost {
      enable = true;
      matchBlocks = {
        linode = {
          hostname = config.my.ips.linode;
          port = 3456;
          identityFile = hostKeyPath;
        };
        # NOTE(review): if getNixosHosts yields no hosts this becomes an empty
        # `Host` pattern — confirm the helper never returns [] for a host.
        ${peerHostPattern} = {
          user = "jawz";
          identityFile = hostKeyPath;
        };
        # Code forges use the dedicated git key rather than the host key.
        "${config.my.servers.gitea.host} github.com gitlab.com bitbucket.org" = {
          identityFile = gitKeyPath;
        };
      };
    };
  };

  users.users.jawz = {
    uid = 1000;
    isNormalUser = true;
    # linger: systemd user units start at boot instead of per login session.
    linger = true;
    hashedPasswordFile = lib.mkIf secureHost config.sops.secrets.jawz-password.path;
    # On non-secure hosts the hash is committed in the configuration. Anything
    # set through `hashedPassword` lands in the world-readable Nix store, so it
    # is a low-trust fallback, not a secret; rotate it independently of the
    # sops-managed password.
    hashedPassword = lib.mkIf (!secureHost) "$6$s4kbia4u7xVwCmyo$LCN7.Ki2n3xQOqPKnTwa5idwOWYeMNTieQYbLkiiKcMFkFmK76BjtNofJk3U7yRmLGnW3oFT433.nTRq1aoN.1";
    # wheel and docker membership are each effectively root-equivalent on the
    # host; the list is intentionally broad here and worth revisiting per host.
    extraGroups = [
      "wheel"
      "networkmanager"
      "scanner"
      "lp"
      "piracy"
      "kavita"
      "video"
      "docker"
      "libvirt"
      "rslsync"
      "plugdev"
      "bluetooth"
    ];
    # Public keys of every machine allowed to log in as jawz, pulled from the flake.
    openssh.authorizedKeys.keyFiles = inputs.self.lib.getSshKeys [
      "deacero"
      "workstation"
      "server"
      "miniserver"
      "galaxy"
      "phone"
      "linode"
    ];
  };
}