refactor, ssh keys for root

2025-05-26 11:49:02 +02:00 · 2025-05-26 11:49:02 +02:00 · c45f9f7f46
commit c45f9f7f46
parent 8fbd9d06b4
7 changed files with 78 additions and 54 deletions
--- a/flake.nix
+++ b/flake.nix
@ -21,14 +21,13 @@
      lib = nixpkgs.lib;
      lib' = import ./lib.nix { inherit lib; };
      mod = lib'.walk-dir ./mod;
-      var = lib'.walk-dir ./var;
+
      specialArgs = {
-        inherit
-          inputs
-          lib'
-          mod
-          var
-          ;
+        inherit inputs lib' mod;
+        var = (lib'.walk-dir ./var).map_import;
+      };
+      overlays = _: {
+        nixpkgs.overlays = [ colmena.overlay ];
      };
    in
    {
@ -38,8 +37,9 @@
          inherit specialArgs;
          modules = [
            ./host/solo
-            mod.common._nixos_mod
-            mod.pc-common._nixos_mod
+            mod.common.to_mod
+            mod.pc-common.to_mod
+            overlays
          ];
        };

@ -48,8 +48,9 @@
          inherit specialArgs;
          modules = [
            ./host/c2
-            mod.common._nixos_mod
-            mod.pc-common._nixos_mod
+            mod.common.to_mod
+            mod.pc-common.to_mod
+            overlays
          ];
        };
      };
@ -68,7 +69,8 @@
          };
          imports = [
            ./host/roam
-            mod.common._nixos_mod
+            mod.common.to_mod
+            overlays
          ];
        };
      };
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@ -1,8 +1,11 @@
 { lib', ... }:
+let
+  submodules = lib'.walk-dir ./.;
+in
 {
  networking.hostName = "roam";

-  imports = lib'.import-recursive ./.;
+  imports = [ submodules.to_mod_without_default ];

  # ====== DON'T CHANGE ======
  system.stateVersion = "24.11";
--- a/host/solo/default.nix
+++ b/host/solo/default.nix
@ -1,8 +1,11 @@
 { lib', ... }:
+let
+  submodules = lib'.walk-dir ./.;
+in
 {
  networking.hostName = "solo";

-  imports = lib'.import-recursive ./.;
+  imports = [ submodules.to_mod_without_default ];

  powerManagement = {
    enable = true;
--- a/lib.nix
+++ b/lib.nix
@ -1,33 +1,47 @@
 { lib, ... }:
+with builtins;
 rec {
  walk-dir =
+    let
+      walk-dir-inner =
        path:
        let
-      dir = builtins.readDir path;
+          dir = readDir path;

-      subpaths = lib.mapAttrs' (filename: value: {
+        in
+        lib.mapAttrs' (filename: value: {
          name = lib.removeSuffix ".nix" filename;
          value =
            if value == "regular" then
              path + "/${filename}"
            else if value == "directory" then
-            walk-dir (path + "/${filename}")
+              walk-dir-inner (path + "/${filename}")
            else
-            builtins.throw "Items of type ${value} are unsupported.";
+              throw "Items of type ${value} are unsupported.";
        }) dir;
+
+      helper-attrs =
+        subpaths:
+        let
+          _files = lib.collect (x: isPath x || isString x) subpaths;
+          _nix_files = filter (lib.hasSuffix ".nix") _files;
        in
-    subpaths
-    // rec {
-      _files = lib.collect builtins.isPath (subpaths // { default = { }; });
-      _nix_files = builtins.filter (lib.hasSuffix ".nix") _files;
-      _nixos_mod =
-        { ... }:
-        {
+        rec {
+          to_mod = _: {
            imports = _nix_files;
          };
+          to_mod_without_default = without_default.to_mod;
+          collect_nix_files = _nix_files;
+          map_import = lib.mapAttrsRecursive (_: import) subpaths;
+          without_default =
+            let
+              subpaths' = removeAttrs subpaths [ "default" ];
+            in
+            with-helper-attrs subpaths';
        };

-  # Takes a path `p` and returns a list of all files in that
-  # directory recursively, ignoring `p/default.nix`.
-  import-recursive = path: (walk-dir path)._files;
+      with-helper-attrs =
+        x: if isAttrs x then lib.mapAttrs (_: with-helper-attrs) x // helper-attrs x else x;
+    in
+    p: with-helper-attrs (walk-dir-inner p);
 }
--- a/mod/common/shell.nix
+++ b/mod/common/shell.nix
@ -18,7 +18,7 @@
    unzip
    wget
    wl-clipboard
-    inputs.colmena.packages."x86_64-linux".colmena # todo use overlay
+    colmena
  ];

  programs = {
--- a/mod/common/users.nix
+++ b/mod/common/users.nix
@ -2,6 +2,7 @@
  pkgs,
  lib,
  options,
+  var,
  ...
 }:
 {
@ -15,24 +16,12 @@
      extraGroups = [ "wheel" ];
      shell = pkgs.fish;
      packages = [ ];
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB"
-      ];
+      openssh.authorizedKeys.keys = var.ssh-keys.unprivileged;
      hashedPassword = "$y$jDT$dhvO.xqs8mopz.sFFul.q/$ud5642o7CnVetU6QEu0ctiVMFh7ngZznDf0wp4cXos8";
    };
    users.root = {
      hashedPassword = "!";
-
-      # I don't like the unprivileged users to have unrestricted access to root
-      # but this is required for colmena. Better options are
-      #  - only authorize root's pubkey
-      #  - create password protected key
-      # TODO: do one of the above
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB"
-      ];
+      openssh.authorizedKeys.keys = var.ssh-keys.priviliged;
    };
  };
 }
--- a/var/ssh-keys.nix
+++ b/var/ssh-keys.nix
@ -0,0 +1,13 @@
+rec {
+  # this is only used for forcing password entry on colmena apply
+  priviliged-by-host = {
+    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
+  };
+  priviliged = builtins.attrValues priviliged-by-host;
+
+  unprivileged-by-host = {
+    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
+    "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
+  };
+  unprivileged = builtins.attrValues unprivileged-by-host;
+}