refactor, ssh keys for root

flake.nix

@@ -21,14 +21,13 @@
       lib = nixpkgs.lib;
       lib' = import ./lib.nix { inherit lib; };
       mod = lib'.walk-dir ./mod;
-      var = lib'.walk-dir ./var;
+
       specialArgs = {
-        inherit
-          inputs
-          lib'
-          mod
-          var
-          ;
+        inherit inputs lib' mod;
+        var = (lib'.walk-dir ./var).map_import;
+      };
+      overlays = _: {
+        nixpkgs.overlays = [ colmena.overlay ];
       };
     in
     {
@@ -38,8 +37,9 @@
           inherit specialArgs;
           modules = [
             ./host/solo
-            mod.common._nixos_mod
-            mod.pc-common._nixos_mod
+            mod.common.to_mod
+            mod.pc-common.to_mod
+            overlays
           ];
         };
 
@@ -48,8 +48,9 @@
           inherit specialArgs;
           modules = [
             ./host/c2
-            mod.common._nixos_mod
-            mod.pc-common._nixos_mod
+            mod.common.to_mod
+            mod.pc-common.to_mod
+            overlays
           ];
         };
       };
@@ -68,7 +69,8 @@
           };
           imports = [
             ./host/roam
-            mod.common._nixos_mod
+            mod.common.to_mod
+            overlays
           ];
         };
       };

host/roam/default.nix

@@ -1,8 +1,11 @@
 { lib', ... }:
+let
+  submodules = lib'.walk-dir ./.;
+in
 {
   networking.hostName = "roam";
 
-  imports = lib'.import-recursive ./.;
+  imports = [ submodules.to_mod_without_default ];
 
   # ====== DON'T CHANGE ======
   system.stateVersion = "24.11";

host/solo/default.nix

@@ -1,8 +1,11 @@
 { lib', ... }:
+let
+  submodules = lib'.walk-dir ./.;
+in
 {
   networking.hostName = "solo";
 
-  imports = lib'.import-recursive ./.;
+  imports = [ submodules.to_mod_without_default ];
 
   powerManagement = {
     enable = true;

lib.nix

@@ -1,33 +1,47 @@
 { lib, ... }:
+with builtins;
 rec {
   walk-dir =
-    path:
     let
-      dir = builtins.readDir path;
+      walk-dir-inner =
+        path:
+        let
+          dir = readDir path;
 
-      subpaths = lib.mapAttrs' (filename: value: {
-        name = lib.removeSuffix ".nix" filename;
-        value =
-          if value == "regular" then
-            path + "/${filename}"
-          else if value == "directory" then
-            walk-dir (path + "/${filename}")
-          else
-            builtins.throw "Items of type ${value} are unsupported.";
-      }) dir;
-    in
-    subpaths
-    // rec {
-      _files = lib.collect builtins.isPath (subpaths // { default = { }; });
-      _nix_files = builtins.filter (lib.hasSuffix ".nix") _files;
-      _nixos_mod =
-        { ... }:
-        {
-          imports = _nix_files;
+        in
+        lib.mapAttrs' (filename: value: {
+          name = lib.removeSuffix ".nix" filename;
+          value =
+            if value == "regular" then
+              path + "/${filename}"
+            else if value == "directory" then
+              walk-dir-inner (path + "/${filename}")
+            else
+              throw "Items of type ${value} are unsupported.";
+        }) dir;
+
+      helper-attrs =
+        subpaths:
+        let
+          _files = lib.collect (x: isPath x || isString x) subpaths;
+          _nix_files = filter (lib.hasSuffix ".nix") _files;
+        in
+        rec {
+          to_mod = _: {
+            imports = _nix_files;
+          };
+          to_mod_without_default = without_default.to_mod;
+          collect_nix_files = _nix_files;
+          map_import = lib.mapAttrsRecursive (_: import) subpaths;
+          without_default =
+            let
+              subpaths' = removeAttrs subpaths [ "default" ];
+            in
+            with-helper-attrs subpaths';
         };
-    };
 
-  # Takes a path `p` and returns a list of all files in that
-  # directory recursively, ignoring `p/default.nix`.
-  import-recursive = path: (walk-dir path)._files;
+      with-helper-attrs =
+        x: if isAttrs x then lib.mapAttrs (_: with-helper-attrs) x // helper-attrs x else x;
+    in
+    p: with-helper-attrs (walk-dir-inner p);
 }

mod/common/shell.nix

@@ -18,7 +18,7 @@
     unzip
     wget
     wl-clipboard
-    inputs.colmena.packages."x86_64-linux".colmena # todo use overlay
+    colmena
   ];
 
   programs = {

mod/common/users.nix

@@ -2,6 +2,7 @@
   pkgs,
   lib,
   options,
+  var,
   ...
 }:
 {
@@ -15,24 +16,12 @@
       extraGroups = [ "wheel" ];
       shell = pkgs.fish;
       packages = [ ];
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB"
-      ];
+      openssh.authorizedKeys.keys = var.ssh-keys.unprivileged;
       hashedPassword = "$y$jDT$dhvO.xqs8mopz.sFFul.q/$ud5642o7CnVetU6QEu0ctiVMFh7ngZznDf0wp4cXos8";
     };
     users.root = {
       hashedPassword = "!";
-
-      # I don't like the unprivileged users to have unrestricted access to root
-      # but this is required for colmena. Better options are
-      #  - only authorize root's pubkey
-      #  - create password protected key
-      # TODO: do one of the above
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB"
-      ];
+      openssh.authorizedKeys.keys = var.ssh-keys.priviliged;
     };
   };
 }

var/ssh-keys.nix

@@ -0,0 +1,13 @@
+rec {
+  # this is only used for forcing password entry on colmena apply
+  priviliged-by-host = {
+    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
+  };
+  priviliged = builtins.attrValues priviliged-by-host;
+
+  unprivileged-by-host = {
+    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
+    "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
+  };
+  unprivileged = builtins.attrValues unprivileged-by-host;
+}