Centralize listing of SSH public keys

Vili Sinervä 2025-07-18 18:55:17 +03:00
parent b477690d33
commit 616986f534
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
6 changed files with 48 additions and 25 deletions


@ -1,4 +1,5 @@
{
config,
pkgs,
lib,
nixpkgs-flake,
@ -15,10 +16,33 @@
default = null;
description = "IPv6 GUA Prefix to use in other confs";
};
sshKeys = lib.mkOption {
type = with lib.types; attrsOf str;
default = { };
description = "attrSet of SSH public keys";
};
};
config = {
custom.networking.guaPref = "2001:14ba:a090:39";
custom = {
networking.guaPref = "2001:14ba:a090:39";
sshKeys = {
vili-bw-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
cert-store = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd";
ci = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA";
forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";
gaming = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5HaiVVOfb8l19aVGG1CTkZ25G439Llg4aieZdKFzSq";
# TODO Helium
idacloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbOwFM599I7trhizhUe1ZpnXf8q4Uz3zgAnMCwwCf0K";
lithium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRtE6KCyD6BFfzff9cuD2ZhEdPKEgp+WGsD0s81736J";
opnsense = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1";
nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvVPRMrYsacSWyVSFFydgIB9vSiu5gKs7Pn+jipTGpV";
siit-dc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCp67Rr03FH0DGhl6d2w/otBNaC5sI1y6rt5Gfi2tP6";
syncthing = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8s/x8NcdOHPVcTSuVj+X9/J+qbuZEB792YaOG0CUzD";
vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII10aYyPOgpd+WAtgSyomH3sE6Cq54GftVm5xeC8KKlz";
zfs-backup = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWGvIc4sq+WzPqT2y003zga3StMgj7F8vwTjNkZ//d8";
};
};
######################################## Packages ###############################################
environment.systemPackages = with pkgs; [
@ -105,9 +129,7 @@
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV vili-bw-ssh-ed25519-main"
];
users.users.root.openssh.authorizedKeys.keys = [ config.custom.sshKeys.vili-bw-main ];
######################################## Localization ###########################################
i18n.defaultLocale = "en_US.UTF-8";
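Review bot: The new `sshKeys` option is typed `attrsOf str`, so any string is accepted; a value carrying a trailing newline or a second key on another line would, as far as I can tell, be written straight into the generated `authorized_keys` and `known_hosts` files by the consumers in this commit. Tightening the type rejects that at evaluation time, e.g. `type = with lib.types; attrsOf (strMatching "^ssh-[a-z0-9-]+ [A-Za-z0-9+/=]+$");` (all current entries are ssh-ed25519; widen the pattern if other key types are added). The rewrite of `users.users.root.openssh.authorizedKeys.keys` also drops the trailing comment field (`vili-bw-ssh-ed25519-main`), which was the only label on that key in the deployed file; appending the attribute name at the use site, `"${config.custom.sshKeys.vili-bw-main} vili-bw-main"`, keeps it. The option `description` could further state that attribute names are host/identity labels and that entries are consumed both as authorized keys and as pinned `services.openssh.knownHosts` keys elsewhere in the tree.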


@ -24,7 +24,7 @@ in
user = {
email = "vili.m.sinerva@gmail.com";
name = "Vili Sinervä";
signingkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
signingkey = config.custom.sshKeys.vili-bw-main;
};
merge = {
ff = "true";


@ -71,12 +71,11 @@ in
users.users."cert-store" = {
isNormalUser = true;
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
config.custom.sshKeys.opnsense
];
};
services.openssh.knownHosts."forgejo.sinerva.eu".publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";
services.openssh.knownHosts."forgejo.sinerva.eu".publicKey = config.custom.sshKeys.forgejo;
environment.systemPackages = [ update-cert ];


@ -42,8 +42,8 @@ in
max-jobs = lib.mkIf cfg.remoteBuilds.exclusive 0;
};
};
services.openssh.knownHosts."cache.sinerva.eu".publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA";
services.openssh.knownHosts."cache.sinerva.eu".publicKey = config.custom.sshKeys.ci;
programs.ssh.extraConfig = ''
Host cache.sinerva.eu
IdentityFile /etc/ssh/ssh_host_ed25519_key
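Review bot: The host key pinned for `cache.sinerva.eu` is the attrset entry named `ci`, so nothing on the new line ties the hostname to the machine whose key it is, and a future rename or rotation of the `ci` entry would change this pin without anything pointing at the cache. A comment above the assignment records the mapping, e.g. `# cache.sinerva.eu is served by the ci host; pin its ssh host key (confirm if ci is ever moved)`. The surrounding `programs.ssh.extraConfig` block continues past the end of this hunk.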


@ -33,19 +33,22 @@ in
enable = true;
trusted = true;
write = true;
keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd root@cert-store"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE root@forgejo"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5HaiVVOfb8l19aVGG1CTkZ25G439Llg4aieZdKFzSq root@gaming"
# TODO Helium
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbOwFM599I7trhizhUe1ZpnXf8q4Uz3zgAnMCwwCf0K root@idacloud"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRtE6KCyD6BFfzff9cuD2ZhEdPKEgp+WGsD0s81736J root@lithium"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvVPRMrYsacSWyVSFFydgIB9vSiu5gKs7Pn+jipTGpV root@nextcloud"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCp67Rr03FH0DGhl6d2w/otBNaC5sI1y6rt5Gfi2tP6 root@siit-dc"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8s/x8NcdOHPVcTSuVj+X9/J+qbuZEB792YaOG0CUzD root@syncthing"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII10aYyPOgpd+WAtgSyomH3sE6Cq54GftVm5xeC8KKlz root@vaultwarden"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWGvIc4sq+WzPqT2y003zga3StMgj7F8vwTjNkZ//d8 root@zfs-backup"
];
keys =
let
keys = config.custom.sshKeys;
in
[
keys.cert-store
keys.forgejo
keys.gaming
# TODO Helium
keys.idacloud
keys.lithium
keys.nextcloud
keys.syncthing
keys.vaultwarden
keys.zfs-backup
];
};
};
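Review bot: The rewritten `keys` list is still the set of identities given `trusted = true` and `write = true`, but with every key now in one attrset nothing explains why `vili-bw-main`, `ci` and `opnsense` are left out, and the `root@<host>` comments that labelled each entry are gone. A comment above the `let` makes the allowlist intent explicit, e.g. `# Allowlist of hosts permitted trusted/write access; kept as an explicit list rather than attrValues so new custom.sshKeys entries get no access by default`. Whether `ci` is the cache server itself and therefore intentionally absent is not visible in this hunk and is worth confirming in that comment. The enclosing attribute set starts before the hunk.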


@ -17,7 +17,6 @@ in
remoteFilesystem = "zroot/backups/${config.networking.hostName}";
username = "root";
};
services.openssh.knownHosts."zfs-backup.vsinerva.fi".publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWGvIc4sq+WzPqT2y003zga3StMgj7F8vwTjNkZ//d8";
services.openssh.knownHosts."zfs-backup.vsinerva.fi".publicKey = config.custom.sshKeys.zfs-backup;
};
}