NixOS/config/jawz.nix

{ config, lib, ... }:
let
  inherit (config.networking) hostName;
  nixosHosts =
    lib.attrNames config.my.ips
    |> lib.filter (
      name: !(lib.hasPrefix "wg-" name) && name != "vps" && name != "router" && name != hostName
    );
  nixosHostsMatch = lib.concatStringsSep " " nixosHosts;
in
{
  sops.secrets = lib.mkIf config.my.secureHost (
    let
      baseDir = ".ssh/ed25519";
      keyConfig = file: {
        sopsFile = ../secrets/keys.yaml;
        owner = config.users.users.jawz.name;
        inherit (config.users.users.jawz) group;
        path = "/home/jawz/${file}";
      };
    in
    {
      jawz-password.neededForUsers = true;
      "private_keys/${hostName}" = keyConfig "${baseDir}_${hostName}";
      "git_private_keys/${hostName}" = keyConfig "${baseDir}_git";
    }
  );
  home-manager.users.jawz = {
    home.file.".librewolf/.stignore".source = ../dotfiles/stignore;
    programs.ssh = lib.mkIf config.my.secureHost {
      enable = true;
      matchBlocks = {
        vps = {
          hostname = config.my.ips.vps;
          user = "fedora";
          port = 3456;
          identityFile = config.sops.secrets."private_keys/${hostName}".path;
        };
        "${nixosHostsMatch}" = {
          user = "jawz";
          identityFile = config.sops.secrets."private_keys/${hostName}".path;
        };
        "${config.my.servers.gitea.host} github.com gitlab.com bitbucket.org".identityFile =
          config.sops.secrets."git_private_keys/${hostName}".path;
      };
    };
  };
  users.users.jawz = {
    uid = 1000;
    linger = true;
    isNormalUser = true;
    hashedPasswordFile = lib.mkIf config.my.secureHost config.sops.secrets.jawz-password.path;
    hashedPassword =
      lib.mkIf (!config.my.secureHost)
        "$6$s4kbia4u7xVwCmyo$LCN7.Ki2n3xQOqPKnTwa5idwOWYeMNTieQYbLkiiKcMFkFmK76BjtNofJk3U7yRmLGnW3oFT433.nTRq1aoN.1";
    extraGroups = [
      "wheel"
      "networkmanager"
      "scanner"
      "lp"
      "piracy"
      "kavita"
      "video"
      "docker"
      "libvirt"
      "rslsync"
      "plugdev"
      "bluetooth"
    ];
    openssh.authorizedKeys.keyFiles = [
      ../secrets/ssh/ed25519_deacero.pub
      ../secrets/ssh/ed25519_workstation.pub
      ../secrets/ssh/ed25519_server.pub
      ../secrets/ssh/ed25519_miniserver.pub
      ../secrets/ssh/ed25519_galaxy.pub
      ../secrets/ssh/ed25519_phone.pub
      ../secrets/ssh/ed25519_vps.pub
    ];
  };
}