From ac9441da3ddcd7c2c88ba14362acb0196ceeec03 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Mon, 13 May 2024 11:11:09 -0700
Subject: [PATCH] chore(extern): keys

---
 ci/generate.sh | 1 +
 generate.nix | 9 +++++++--
 modules/system/extern/files.nix | 5 ++++-
 systems/freeipa/default.nix | 4 +++-
 systems/freepbx/default.nix | 4 +++-
 systems/reisen/default.nix | 5 +++++
 systems/reisen/root.authorized_keys | 6 ++++++
 7 files changed, 29 insertions(+), 5 deletions(-)
 create mode 100644 systems/reisen/root.authorized_keys

diff --git a/ci/generate.sh b/ci/generate.sh
index eb679ba5..9d6efba5 100644
--- a/ci/generate.sh
+++ b/ci/generate.sh
@@ -5,6 +5,7 @@ for node in reisen; do
   nix eval --json "${NF_CONFIG_ROOT}#lib.generate.nodes.$node.users" | jq -M . > "$NF_CONFIG_ROOT/systems/$node/users.json"
   nix eval --json "${NF_CONFIG_ROOT}#lib.generate.nodes.$node.systems" | jq -M . > "$NF_CONFIG_ROOT/systems/$node/systems.json"
   nix eval --json "${NF_CONFIG_ROOT}#lib.generate.nodes.$node.extern" | jq -M . > "$NF_CONFIG_ROOT/systems/$node/extern.json"
+  nix eval --raw "${NF_CONFIG_ROOT}#lib.generate.nodes.$node.ssh.root.authorizedKeys.text" > "$NF_CONFIG_ROOT/systems/$node/root.authorized_keys"
 done
 
 nix eval --json "${NF_CONFIG_ROOT}#lib.generate.systems" | jq -M . > "$NF_CONFIG_ROOT/ci/systems.json"
diff --git a/generate.nix b/generate.nix
index a76fd74b..c2a53761 100644
--- a/generate.nix
+++ b/generate.nix
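Review bot: The added `nix eval --raw … > "$NF_CONFIG_ROOT/systems/$node/root.authorized_keys"` opens and truncates the destination before `nix eval` runs, so an evaluation failure leaves an empty root.authorized_keys in the tree; because freeipa and freepbx ship that very file as `/root/.ssh/authorized_keys`, an empty artifact that gets committed locks root SSH out of those hosts instead of failing loudly. Writing to a temporary path and renaming only on success avoids that: `nix eval --raw "${NF_CONFIG_ROOT}#lib.generate.nodes.$node.ssh.root.authorizedKeys.text" > "$NF_CONFIG_ROOT/systems/$node/root.authorized_keys.tmp" && mv "$NF_CONFIG_ROOT/systems/$node/root.authorized_keys.tmp" "$NF_CONFIG_ROOT/systems/$node/root.authorized_keys"`. The three `--json | jq` lines above have the same shape, and whether the script's head (outside this hunk) sets `set -eo pipefail` is not visible here. A leading `#` comment in the generated text naming this script as the generator would also keep hand edits to the checked-in file from being silently overwritten on the next run, since sshd ignores `#` lines in authorized_keys.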
@@ -40,16 +40,21 @@
     };
   };
   mkNodeSystems = systems: mapAttrs (_: mkNodeSystem) systems;
-  mkExtern = system: {
+  mkExtern = system: let
+    enabledFiles = filterAttrs (_: file: file.enable) system.extern.files;
+  in {
     files = mapAttrs' (_: file: nameValuePair file.path {
       source = assert file.relativeSource != null; file.relativeSource;
       inherit (file) owner group mode;
-    }) system.extern.files;
+    }) enabledFiles;
   };
   mkNode = system: {
     users = mkNodeUsers templateUsers;
     systems = mkNodeSystems (nodeSystems system.config.name);
     extern = mkExtern system.config;
+    ssh.root.authorizedKeys = {
+      inherit (templateSystem.config.environment.etc."ssh/authorized_keys.d/root".source) text;
+    };
   };
   mkNetwork = system: {
     inherit (system.config.access) hostName;
diff --git a/modules/system/extern/files.nix b/modules/system/extern/files.nix
index 2c1d0f51..3fcb2533 100644
--- a/modules/system/extern/files.nix
+++ b/modules/system/extern/files.nix
@@ -1,10 +1,13 @@
 let
   fileModule = {config, name, gensokyo-zone, lib, ...}: let
-    inherit (lib.options) mkOption;
+    inherit (lib.options) mkOption mkEnableOption;
     inherit (lib.modules) mkOptionDefault;
     inherit (lib.strings) hasPrefix removePrefix;
   in {
     options = with lib.types; {
+      enable = mkEnableOption "external file" // {
+        default = true;
+      };
       path = mkOption {
         type = str;
         default = name;
diff --git a/systems/freeipa/default.nix b/systems/freeipa/default.nix
index ae880a52..5ff0b305 100644
--- a/systems/freeipa/default.nix
+++ b/systems/freeipa/default.nix
@@ -19,7 +19,6 @@ _: {
   extern.files = {
     "/etc/systemd/resolved.conf" = {
       source = ./resolved.conf;
-      mode = "0644";
     };
     "/etc/NetworkManager/system-connections/ens18.nmconnection" = {
       source = ./ens18.nmconnection;
@@ -29,6 +28,9 @@ _: {
       source = ./int.nmconnection;
       mode = "0600";
     };
+    "/root/.ssh/authorized_keys" = {
+      source = ../reisen/root.authorized_keys;
+    };
   };
   exports = {
     services = {
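Review bot: The new `ssh.root.authorizedKeys` inside `mkNode` reads `templateSystem.config…` and never touches the `system` argument, unlike the sibling `systems` and `extern` attributes, so every node exports the same root key set and a per-node `environment.etc."ssh/authorized_keys.d/root"` override would be silently ignored; if that is deliberate, a one-line comment such as `# root keys come from the template, not the node: all extern hosts share one set` saves the next reader the question, otherwise `system.config` belongs here. Reading `.source.text` also assumes the etc entry's `source` is a writeText-style derivation that exposes its `text` attribute; a plain path set there would fail evaluation, which is worth a comment or an assertion next to the `inherit`. The new `filterAttrs` must be in scope via the file's header, which is outside this hunk, alongside `mapAttrs` and `mapAttrs'`.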
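Review bot: The new `enable` option documents itself only through `mkEnableOption`'s generic "Whether to enable external file." text, and nothing states what a disabled entry means for the generated output; since `generate.nix` in this same patch drops disabled entries from `mkExtern`'s `files` (so their `relativeSource` assertion is never reached), a description merged into the `//` override next to `default = true;` would make that contract visible, e.g. `description = "Whether this file is exported to the extern node. Disabled entries stay declared but are skipped by lib.generate.";`. The `true` default is what keeps every pre-existing `extern.files` entry deploying unchanged, which is worth saying in the same place.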
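Review bot: The new `"/root/.ssh/authorized_keys"` entry sets no `mode`, so whatever default `modules/system/extern/files.nix` assigns (not visible in this patch) decides the permissions of root's key file, while the `int.nmconnection` entry two lines above pins `mode = "0600";` explicitly; sshd's StrictModes rejects an authorized_keys file that is group- or world-writable, so pinning `mode = "0600";` here makes the result independent of that default. The same applies to the identical entry added in `systems/freepbx/default.nix`, and the `mode = "0644";` lines this patch removes from `resolved.conf` and `ifcfg-eth0` now rely on that same unseen default. Whether the extern deployment creates `/root/.ssh` with owner root and mode 0700 when it is absent is also not visible here; if it does not, the key file may land in a missing directory or one that fails StrictModes.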
diff --git a/systems/freepbx/default.nix b/systems/freepbx/default.nix
index 9e17e011..c33e3d7e 100644
--- a/systems/freepbx/default.nix
+++ b/systems/freepbx/default.nix
@@ -17,7 +17,9 @@ _: {
   extern.files = {
     "/etc/sysconfig/network-scripts/ifcfg-eth0" = {
       source = ./ifcfg-eth0;
-      mode = "0644";
+    };
+    "/root/.ssh/authorized_keys" = {
+      source = ../reisen/root.authorized_keys;
     };
   };
   exports = {
diff --git a/systems/reisen/default.nix b/systems/reisen/default.nix
index f7c25e7c..ef638b0a 100644
--- a/systems/reisen/default.nix
+++ b/systems/reisen/default.nix
@@ -16,6 +16,11 @@ _: {
     "/etc/udev/rules.d/90-z2m.rules" = {
       source = ./udev.90-z2m.rules;
     };
+    "/root/.ssh/authorized_keys" = {
+      # TODO: this can't be deployed here...
+      enable = false;
+      source = ./root.authorized_keys;
+    };
   };
   network.networks = {
     local = {
diff --git a/systems/reisen/root.authorized_keys b/systems/reisen/root.authorized_keys
new file mode 100644
index 00000000..f7cf8899
--- /dev/null
+++ b/systems/reisen/root.authorized_keys
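Review bot: The `# TODO: this can't be deployed here...` above `enable = false;` records that the entry is disabled but not why, which is exactly what a later reader needs before re-enabling it; presumably reisen is the node `ci/generate.sh` evaluates to produce `root.authorized_keys`, so the file is a generated artifact kept in-tree for the freeipa and freepbx entries that reference `../reisen/root.authorized_keys`, not an input to deploy on reisen itself. If that reading is right, replace the TODO with something like `# not deployed on reisen: this file is generated from the template's root keys by ci/generate.sh and only consumed by the extern hosts` so the `enable = false;` explains itself. If it is instead a real deployment gap, the TODO should name what blocks it.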
@@ -0,0 +1,6 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp
+ssh-rsa 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 yubikey5
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPsu3vNsvBb/G+wALpstD/DnoRZ3fipAs00jtl8rzDuv96RlS7AJr4aNvG6Pt2D9SYn2wVLaiw+76mz2gOycH9/N+VCvL4/0MN9uqj+7XIcxNRo0gHVOblmi2bOXcmGKh3eRwHj1xyDwRxo9WIuBEP2bPpDPz75OXRtEdlTgvky7siSguQxJu03cb0p9hNAYhUoohNXyWW2CjDCLUQVE1+QRVUzsKq3KkPy0cHYgmZC1gRSMQyKpMt72L5tayLz3Tp/zrshucc+QO5IJeZdqMxsNAcvALsysT1J5EqxZoYH9VpWLRhSgVD6Nvn853pycJAlXQxgOCpSD3/v/JbgUe5NE+ci0o7NMy5IiHUv2gQMRIEhwBHlRGwokUPL9upx0lsjaEiPya5xQqqDKRom87xytM778ANS5CuMdQMWg9qVbpHZUHMjA0QmNkjPgq71pUDXHk5L4mZuS8wVjyjnvlw68yIJuHEc8P7QiLcjvRHFS2L9Ck8NRmPDTQXlQi9kk6LmMyu6fdevR/kZL21b+xO1e2DMyxBbNDTot8luppiiL8adgUDMwptpIne7JCWB1o9NFCbXUVgwuCCYBif6pOGSc6bGo1JTAKMflRlcy6Mi3t5H0mR2lj/sCSTWwTlP5FM4aPIq08NvW6PeuK1bFJY9fIgTwVsUnbAKOhmsMt62w== cardno:12 078 454
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi
+