Re-organize SSH keys

2025-07-19 12:38:25 +03:00 · 2025-07-19 12:38:25 +03:00 · 4e4cf88bff
commit 4e4cf88bff
parent 616986f534
6 changed files with 60 additions and 31 deletions
--- a/modules/networking/ssh-keys.nix
+++ b/modules/networking/ssh-keys.nix
@ -0,0 +1,58 @@
+{ config, lib, ... }:
+{
+  options.custom = {
+    sshKeys = lib.mkOption {
+      type = with lib.types; attrsOf str;
+      default = {
+        vili-bw-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
+        cert-store = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd";
+        ci = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA";
+        cache = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA"; # Duplicate
+        forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";
+        gaming = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5HaiVVOfb8l19aVGG1CTkZ25G439Llg4aieZdKFzSq";
+        helium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3Feiu/KsAWubv6Lffnc38TK8q5quiHxUIWSyT+qEXU";
+        idacloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbOwFM599I7trhizhUe1ZpnXf8q4Uz3zgAnMCwwCf0K";
+        lithium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRtE6KCyD6BFfzff9cuD2ZhEdPKEgp+WGsD0s81736J";
+        opnsense = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1";
+        nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvVPRMrYsacSWyVSFFydgIB9vSiu5gKs7Pn+jipTGpV";
+        siit-dc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCp67Rr03FH0DGhl6d2w/otBNaC5sI1y6rt5Gfi2tP6";
+        syncthing = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8s/x8NcdOHPVcTSuVj+X9/J+qbuZEB792YaOG0CUzD";
+        vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII10aYyPOgpd+WAtgSyomH3sE6Cq54GftVm5xeC8KKlz";
+        zfs-backup = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWGvIc4sq+WzPqT2y003zga3StMgj7F8vwTjNkZ//d8";
+      };
+      description = "attrSet of SSH public keys";
+    };
+  };
+
+  config = {
+    programs.ssh.knownHosts =
+      (builtins.listToAttrs (
+        builtins.attrValues (
+          builtins.mapAttrs (
+            host: key:
+            lib.nameValuePair host {
+              extraHostNames = [
+                "${host}.sinerva.eu"
+                "${host}.vsinerva.fi"
+              ];
+              publicKey = key;
+            }
+          ) config.custom.sshKeys
+        )
+      ))
+      // {
+        "github.com/ed25519" = {
+          hostNames = [ "github.com" ];
+          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+        };
+        "github.com/nistp256" = {
+          hostNames = [ "github.com" ];
+          publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=";
+        };
+        "github.com/rsa" = {
+          hostNames = [ "github.com" ];
+          publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=";
+        };
+      };
+  };
+}
--- a/modules/roles/base.nix
+++ b/modules/roles/base.nix
@ -13,37 +13,12 @@
    };
    networking.guaPref = lib.mkOption {
      type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$");
-      default = null;
+      default = "2001:14ba:a090:39";
      description = "IPv6 GUA Prefix to use in other confs";
    };
-    sshKeys = lib.mkOption {
-      type = with lib.types; attrsOf str;
-      default = { };
-      description = "attrSet of SSH public keys";
-    };
  };

  config = {
-    custom = {
-      networking.guaPref = "2001:14ba:a090:39";
-      sshKeys = {
-        vili-bw-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
-        cert-store = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd";
-        ci = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA";
-        forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";
-        gaming = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5HaiVVOfb8l19aVGG1CTkZ25G439Llg4aieZdKFzSq";
-        # TODO Helium
-        idacloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbOwFM599I7trhizhUe1ZpnXf8q4Uz3zgAnMCwwCf0K";
-        lithium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRtE6KCyD6BFfzff9cuD2ZhEdPKEgp+WGsD0s81736J";
-        opnsense = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1";
-        nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvVPRMrYsacSWyVSFFydgIB9vSiu5gKs7Pn+jipTGpV";
-        siit-dc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCp67Rr03FH0DGhl6d2w/otBNaC5sI1y6rt5Gfi2tP6";
-        syncthing = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8s/x8NcdOHPVcTSuVj+X9/J+qbuZEB792YaOG0CUzD";
-        vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII10aYyPOgpd+WAtgSyomH3sE6Cq54GftVm5xeC8KKlz";
-        zfs-backup = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWGvIc4sq+WzPqT2y003zga3StMgj7F8vwTjNkZ//d8";
-      };
-    };
-
    ######################################## Packages ###############################################
    environment.systemPackages = with pkgs; [
      tmux
--- a/modules/services/cert-store-server.nix
+++ b/modules/services/cert-store-server.nix
@ -75,8 +75,6 @@ in
      ];
    };

-    services.openssh.knownHosts."forgejo.sinerva.eu".publicKey = config.custom.sshKeys.forgejo;
-
    environment.systemPackages = [ update-cert ];

    programs.git = {
--- a/modules/services/nix-cache-client.nix
+++ b/modules/services/nix-cache-client.nix
@ -42,7 +42,6 @@ in
        max-jobs = lib.mkIf cfg.remoteBuilds.exclusive 0;
      };
    };
-    services.openssh.knownHosts."cache.sinerva.eu".publicKey = config.custom.sshKeys.ci;

    programs.ssh.extraConfig = ''
      Host cache.sinerva.eu
--- a/modules/services/nix-cache-server.nix
+++ b/modules/services/nix-cache-server.nix
@ -41,7 +41,7 @@ in
            keys.cert-store
            keys.forgejo
            keys.gaming
-            # TODO Helium
+            keys.helium
            keys.idacloud
            keys.lithium
            keys.nextcloud
--- a/modules/services/zfs-replication.nix
+++ b/modules/services/zfs-replication.nix
@ -17,6 +17,5 @@ in
      remoteFilesystem = "zroot/backups/${config.networking.hostName}";
      username = "root";
    };
-    services.openssh.knownHosts."zfs-backup.vsinerva.fi".publicKey = config.custom.sshKeys.zfs-backup;
  };
 }