feat: generalize SSH key config

2026-04-26 19:40:29 +02:00
parent 0318dd0cf6
commit 52ea09563f
6 changed files with 34 additions and 48 deletions
@@ -17,8 +17,8 @@ in
        scope:
        let
          email = account.emails.${scope}.address;
-          key = machine.sourceControl.${scope};
-          hasSigningKey = key != null && key.publicKey != null;
+          key = lib.attrByPath [ scope ] null machine.sshKeys;
+          hasSigningKey = key != null;
        in
        {
          allowedSigners = lib.optional hasSigningKey "${email} ${key.publicKey}";
@@ -1,6 +1,11 @@
-{ config, ... }:
+{ config, lib, ... }:
 let
  account = config.repo.account;
+  personalPublicKeys =
+    machines:
+    map (machine: machine.sshKeys.personal.publicKey) (
+      lib.filter (machine: machine.sshKeys ? personal) (builtins.attrValues machines)
+    );
 in
 {
  flake.modules.nixos.ssh-agent-auth = {
@@ -23,5 +28,7 @@ in
          AllowUsers = [ account.name ];
        };
      };
+
+      users.users.${account.name}.openssh.authorizedKeys.keys = personalPublicKeys config.repo.machines;
    };
 }
@@ -34,11 +34,6 @@ in
        ./_disk.nix
      ];

-      users.users.${account.name} = {
-        linger = true;
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAU2LydkXRTtNFY7oyX8JQURwXLVhB71DeK8XzrXeFX1 openpgp:0xA490D93A"
-        ];
-      };
+      users.users.${account.name}.linger = true;
    };
 }
@@ -8,8 +8,10 @@ let
 in
 {
  repo.machines.polaris = {
-    sourceControl.personal.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVORk45HKkX7gaGGp90KsVyUy6t+fKhbWN/grjkf3cQ kiri@polaris";
-    sourceControl.work.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5DMV6EQzsscgEOE0912mNglUHTEl+LPnaWYjj0y57B kiri@polaris#work";
+    sshKeys = {
+      personal.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVORk45HKkX7gaGGp90KsVyUy6t+fKhbWN/grjkf3cQ kiri@polaris";
+      work.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5DMV6EQzsscgEOE0912mNglUHTEl+LPnaWYjj0y57B kiri@polaris#work";
+    };

    syncthingId = "6HBAKXB-DB3B4H2-BODCAXF-KD23H5W-6X5LGLC-ZJHZHLG-7U7YMGO-BB6IXQ3";

@@ -10,7 +10,7 @@ in
  repo.machines.zenith = {
    portable = true;

-    sourceControl = {
+    sshKeys = {
      personal.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQy4k04gU7UpjBgyUQ57kUwxOdt79LvMCiCekXZeZhd kiri@zenith";
      work.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHJz5uHKm0/TiMNh/cmzrODHNZ8NgEEZe+47XnJwQGk kiri@zenith#work";
    };
@@ -25,6 +25,22 @@ let
    }
  );

+  sshKeyType = lib.types.submodule (
+    { name, ... }:
+    {
+      options = {
+        publicKey = lib.mkOption {
+          type = lib.types.str;
+        };
+
+        privateKeyPath = lib.mkOption {
+          type = lib.types.str;
+          default = "~/.ssh/id_${name}";
+        };
+      };
+    }
+  );
+
  accountType = lib.types.submodule (
    { config, ... }:
    {
@@ -107,40 +123,6 @@ let
    }
  );

-  sourceControlMachineKeyType = lib.types.submodule (
-    { name, ... }:
-    {
-      options = {
-        publicKey = lib.mkOption {
-          type = lib.types.nullOr lib.types.str;
-          default = null;
-        };
-
-        privateKeyPath = lib.mkOption {
-          type = lib.types.str;
-          default = "~/.ssh/id_${name}";
-        };
-      };
-    }
-  );
-
-  sourceControlMachineType = lib.types.submodule (
-    { ... }:
-    {
-      options = {
-        personal = lib.mkOption {
-          type = lib.types.nullOr sourceControlMachineKeyType;
-          default = null;
-        };
-
-        work = lib.mkOption {
-          type = lib.types.nullOr sourceControlMachineKeyType;
-          default = null;
-        };
-      };
-    }
-  );
-
  machineType = lib.types.submodule (
    { name, config, ... }:
    {
@@ -164,8 +146,8 @@ let
          default = { };
        };

-        sourceControl = lib.mkOption {
-          type = sourceControlMachineType;
+        sshKeys = lib.mkOption {
+          type = lib.types.attrsOf sshKeyType;
          default = { };
        };