From 616986f5342e36d8ff22465ed45e6d36ca774d85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Fri, 18 Jul 2025 18:55:17 +0300
Subject: [PATCH] Centralize listing of SSH public keys

---
 modules/roles/base.nix | 30 ++++++++++++++++++++++----
 modules/roles/development.nix | 2 +-
 modules/services/cert-store-server.nix | 5 ++---
 modules/services/nix-cache-client.nix | 4 ++--
 modules/services/nix-cache-server.nix | 29 ++++++++++++++-----------
 modules/services/zfs-replication.nix | 3 +--
 6 files changed, 48 insertions(+), 25 deletions(-)

diff --git a/modules/roles/base.nix b/modules/roles/base.nix
index 1e8f7bc..63b2987 100644
--- a/modules/roles/base.nix
+++ b/modules/roles/base.nix
@@ -1,4 +1,5 @@
 {
+ config,
 pkgs,
 lib,
 nixpkgs-flake,
@@ -15,10 +16,33 @@
 default = null;
 description = "IPv6 GUA Prefix to use in other confs";
 };
+ sshKeys = lib.mkOption {
+ type = with lib.types; attrsOf str;
+ default = { };
+ description = "attrSet of SSH public keys";
+ };
 };
 config = {
- custom.networking.guaPref = "2001:14ba:a090:39";
+ custom = {
+ networking.guaPref = "2001:14ba:a090:39";
+ sshKeys = {
+ vili-bw-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
+ cert-store = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd";
+ ci = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA";
+ forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";
+ gaming = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5HaiVVOfb8l19aVGG1CTkZ25G439Llg4aieZdKFzSq";
+ # TODO Helium
+ idacloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbOwFM599I7trhizhUe1ZpnXf8q4Uz3zgAnMCwwCf0K";
+ lithium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRtE6KCyD6BFfzff9cuD2ZhEdPKEgp+WGsD0s81736J";
+ opnsense = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1";
+ nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvVPRMrYsacSWyVSFFydgIB9vSiu5gKs7Pn+jipTGpV";
+ siit-dc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCp67Rr03FH0DGhl6d2w/otBNaC5sI1y6rt5Gfi2tP6";
+ syncthing = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8s/x8NcdOHPVcTSuVj+X9/J+qbuZEB792YaOG0CUzD";
+ vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII10aYyPOgpd+WAtgSyomH3sE6Cq54GftVm5xeC8KKlz";
+ zfs-backup = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWGvIc4sq+WzPqT2y003zga3StMgj7F8vwTjNkZ//d8";
+ };
+ };
 ######################################## Packages ###############################################
 environment.systemPackages = with pkgs; [
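Review bot: `sshKeys` is typed `attrsOf str`, so a mistyped or truncated key is accepted at evaluation time and only surfaces on the rebuilt host as a malformed authorized_keys or known_hosts line, which sshd is likely to skip without a clear error; since every value added here is an ed25519 key, `type = with lib.types; attrsOf (strMatching "^ssh-ed25519 [A-Za-z0-9+/=]+$");` would turn that into an evaluation failure instead (widen the pattern if other key types or trailing comments are ever wanted). The description `"attrSet of SSH public keys"` could also record the convention the values follow, since the same entries are consumed elsewhere in this commit both as `knownHosts` host keys and as `authorizedKeys` entries, e.g. `description = "SSH public keys keyed by host or user name, one full public-key line each without a trailing comment; used for both knownHosts and authorizedKeys";`. The `# TODO Helium` placeholder defines no attribute, so any `config.custom.sshKeys.helium` reference would fail to evaluate until the key is added.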
@@ -105,9 +129,7 @@
 enable = true;
 settings.PasswordAuthentication = false;
 };
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV vili-bw-ssh-ed25519-main"
- ];
+ users.users.root.openssh.authorizedKeys.keys = [ config.custom.sshKeys.vili-bw-main ];
 ######################################## Localization ###########################################
 i18n.defaultLocale = "en_US.UTF-8";
diff --git a/modules/roles/development.nix b/modules/roles/development.nix
index a069de2..7530904 100644
--- a/modules/roles/development.nix
+++ b/modules/roles/development.nix
@@ -24,7 +24,7 @@ in
 user = {
 email = "vili.m.sinerva@gmail.com";
 name = "Vili Sinervä";
- signingkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
+ signingkey = config.custom.sshKeys.vili-bw-main;
 };
 merge = {
 ff = "true";
diff --git a/modules/services/cert-store-server.nix b/modules/services/cert-store-server.nix
index 37f88f7..1be88e1 100644
--- a/modules/services/cert-store-server.nix
+++ b/modules/services/cert-store-server.nix
@@ -71,12 +71,11 @@ in
 users.users."cert-store" = {
 isNormalUser = true;
 openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
+ config.custom.sshKeys.opnsense
 ];
 };
- services.openssh.knownHosts."forgejo.sinerva.eu".publicKey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";
+ services.openssh.knownHosts."forgejo.sinerva.eu".publicKey = config.custom.sshKeys.forgejo;
 environment.systemPackages = [ update-cert ];
diff --git a/modules/services/nix-cache-client.nix b/modules/services/nix-cache-client.nix
index 19c470b..9bfe0d0 100644
--- a/modules/services/nix-cache-client.nix
+++ b/modules/services/nix-cache-client.nix
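Review bot: The root authorized key loses its `vili-bw-ssh-ed25519-main` comment here, and the same happens to the `opnsense` entry in cert-store-server.nix and the `root@…` entries in nix-cache-server.nix, so the generated authorized_keys files no longer carry a label saying whose key each line is. If that label is wanted when auditing the file on a host, append the attribute name at the point of use rather than putting it back into the central set, e.g. `users.users.root.openssh.authorizedKeys.keys = [ "${config.custom.sshKeys.vili-bw-main} vili-bw-main" ];`, which keeps the central values usable unchanged for the `knownHosts` assignments. The `settings.PasswordAuthentication = false;` context above shows key auth is the only path to root, so the list being reduced to one reference is worth a short comment naming whose key it is.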
@@ -42,8 +42,8 @@ in
 max-jobs = lib.mkIf cfg.remoteBuilds.exclusive 0;
 };
 };
- services.openssh.knownHosts."cache.sinerva.eu".publicKey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA";
+ services.openssh.knownHosts."cache.sinerva.eu".publicKey = config.custom.sshKeys.ci;
+
 programs.ssh.extraConfig = ''
 Host cache.sinerva.eu
 IdentityFile /etc/ssh/ssh_host_ed25519_key
diff --git a/modules/services/nix-cache-server.nix b/modules/services/nix-cache-server.nix
index 5358a85..ffb937a 100644
--- a/modules/services/nix-cache-server.nix
+++ b/modules/services/nix-cache-server.nix
@@ -33,19 +33,22 @@ in
 enable = true;
 trusted = true;
 write = true;
- keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd root@cert-store"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE root@forgejo"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5HaiVVOfb8l19aVGG1CTkZ25G439Llg4aieZdKFzSq root@gaming"
- # TODO Helium
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbOwFM599I7trhizhUe1ZpnXf8q4Uz3zgAnMCwwCf0K root@idacloud"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRtE6KCyD6BFfzff9cuD2ZhEdPKEgp+WGsD0s81736J root@lithium"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvVPRMrYsacSWyVSFFydgIB9vSiu5gKs7Pn+jipTGpV root@nextcloud"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCp67Rr03FH0DGhl6d2w/otBNaC5sI1y6rt5Gfi2tP6 root@siit-dc"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8s/x8NcdOHPVcTSuVj+X9/J+qbuZEB792YaOG0CUzD root@syncthing"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII10aYyPOgpd+WAtgSyomH3sE6Cq54GftVm5xeC8KKlz root@vaultwarden"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWGvIc4sq+WzPqT2y003zga3StMgj7F8vwTjNkZ//d8 root@zfs-backup"
- ];
+ keys =
+ let
+ keys = config.custom.sshKeys;
+ in
+ [
+ keys.cert-store
+ keys.forgejo
+ keys.gaming
+ # TODO Helium
+ keys.idacloud
+ keys.lithium
+ keys.nextcloud
+ keys.syncthing
+ keys.vaultwarden
+ keys.zfs-backup
+ ];
 };
 };
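Review bot: The rewritten `keys` list drops `siit-dc`: the removed block listed ten keys including `root@siit-dc`, but the new list references only nine attributes, even though `siit-dc` is still defined in `config.custom.sshKeys` in base.nix. Nothing in the commit message says that siit-dc should lose its access to this user (the entry has `write = true`), so this reads as an omission during the transcription; if it is intended, say so in the message, otherwise add `keys.siit-dc` between `keys.nextcloud` and `keys.syncthing`. The `let` binding reuses the name `keys` for the attribute set while assigning the option of the same name, which is easy to misread; `sshKeys = config.custom.sshKeys;` would avoid the double meaning. The enclosing attribute set begins before the hunk.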
diff --git a/modules/services/zfs-replication.nix b/modules/services/zfs-replication.nix
index 8b86dd1..3bbaf49 100644
--- a/modules/services/zfs-replication.nix
+++ b/modules/services/zfs-replication.nix
@@ -17,7 +17,6 @@ in
 remoteFilesystem = "zroot/backups/${config.networking.hostName}";
 username = "root";
 };
- services.openssh.knownHosts."zfs-backup.vsinerva.fi".publicKey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWGvIc4sq+WzPqT2y003zga3StMgj7F8vwTjNkZ//d8";
+ services.openssh.knownHosts."zfs-backup.vsinerva.fi".publicKey = config.custom.sshKeys.zfs-backup;
 };
 }