NixOS/config/jawz.nix

{
  config,
  lib,
  inputs,
  ...
}:
let
  inherit (config.networking) hostName;
  nixosHosts = inputs.self.lib.getNixosHosts config.my.ips hostName lib;
  nixosHostsMatch = lib.concatStringsSep " " nixosHosts;
in
{
  sops.secrets = lib.mkIf config.my.secureHost (
    let
      baseDir = ".ssh/ed25519";
      keyConfig = file: {
        sopsFile = ../secrets/keys.yaml;
        owner = config.users.users.jawz.name;
        inherit (config.users.users.jawz) group;
        path = "/home/jawz/${file}";
      };
    in
    {
      jawz-password.neededForUsers = true;
      "private_keys/${hostName}" = keyConfig "${baseDir}_${hostName}";
      "git_private_keys/${hostName}" = keyConfig "${baseDir}_git";
    }
  );
  home-manager.users.jawz = {
    home.file.".librewolf/.stignore".source = ../dotfiles/stignore;
    programs.ssh = lib.mkIf config.my.secureHost {
      enable = true;
      matchBlocks = {
        linode = {
          hostname = config.my.ips.vps;
          port = 3456;
          identityFile = config.sops.secrets."private_keys/${hostName}".path;
        };
        "${nixosHostsMatch}" = {
          user = "jawz";
          identityFile = config.sops.secrets."private_keys/${hostName}".path;
        };
        "${config.my.servers.gitea.host} github.com gitlab.com bitbucket.org".identityFile =
          config.sops.secrets."git_private_keys/${hostName}".path;
      };
    };
  };
  users.users.jawz = {
    uid = 1000;
    linger = true;
    isNormalUser = true;
    hashedPasswordFile = lib.mkIf config.my.secureHost config.sops.secrets.jawz-password.path;
    hashedPassword =
      lib.mkIf (!config.my.secureHost)
        "$6$s4kbia4u7xVwCmyo$LCN7.Ki2n3xQOqPKnTwa5idwOWYeMNTieQYbLkiiKcMFkFmK76BjtNofJk3U7yRmLGnW3oFT433.nTRq1aoN.1";
    extraGroups = [
      "wheel"
      "networkmanager"
      "scanner"
      "lp"
      "piracy"
      "kavita"
      "video"
      "docker"
      "libvirt"
      "rslsync"
      "plugdev"
      "bluetooth"
    ];
    openssh.authorizedKeys.keyFiles = inputs.self.lib.getSshKeys [
      "deacero"
      "workstation"
      "server"
      "miniserver"
      "galaxy"
      "phone"
      "vps"
    ];
  };
}