home-manager: Add SSH configuration

2022-02-17 18:36:39 +00:00 · 2022-02-17 18:36:39 +00:00 · a814bdfcf8
commit a814bdfcf8
parent 778f635542
2 changed files with 66 additions and 3 deletions
--- a/home-manager/configs/castle.nix
+++ b/home-manager/configs/castle.nix
@ -3,6 +3,17 @@
  # So home-manager will inject the sourcing of ~/.nix-profile/etc/profile.d/nix.sh
  targets.genericLinux.enable = true;

+  my = {
+    ssh.matchBlocks = {
+      home = {
+        host =
+          "vm keep.core fw firewall moat.vm storage cellar.vm lxd ship.vm docker whale.vm kerberos gatehouse.lxd " +
+          "nginx.lxd upnp.lxd souterrain.lxd drawbridge.lxd mailcow.lxd";
+        user = "root";
+      };
+    };
+  };
+
  programs = {
    kakoune.enable = true;
  };
--- a/home-manager/modules/common.nix
+++ b/home-manager/modules/common.nix
@ -1,6 +1,8 @@
-{ lib, pkgs, pkgs', inputs, config, ... }@args:
+{ lib, pkgs, pkgs', inputs, options, config, ... }@args:
 let
-  inherit (lib) optionalAttrs versionAtLeast mkMerge mkIf mkDefault mkOption;
+  inherit (builtins) mapAttrs;
+  inherit (lib) concatStringsSep optionalAttrs versionAtLeast mkMerge mkIf mkDefault mkOption;
+  inherit (lib.hm) dag;
  inherit (lib.my) mkOpt' dummyOption;
 in
 {
@ -11,6 +13,13 @@ in
        internal = true;
        description = "Whether home-manager is running inside a NixOS system or not.";
      };
+
+      ssh = {
+        authKeys = {
+          literal = mkOpt' (listOf singleLineStr) [ ] "List of OpenSSH keys to allow";
+        };
+        matchBlocks = mkOpt' (attrsOf anything) { } "SSH match blocks";
+      };
    };

    # Only present in >=22.05, so forward declare
@ -29,7 +38,36 @@ in
      };
    })
    {
-      my.isStandalone = !(args ? osConfig);
+      my = {
+        isStandalone = !(args ? osConfig);
+
+        ssh = {
+          authKeys.literal = [
+            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+kCHXqtznkT9IBN5WxZHmXI97k3BumT+N4lyHWMo0pykpACCOcGw52EXxQveNqgcwcRUgamL9A2JTE//WRf3O4nBofeTRNKcRxTjRoUVIt/F0xbf09yWBqJOXZ8rqLkXhRvSpr1TCUZtYVp5iLtpERp622OMIqHSwa6HlxBqsCFkBeq1bRyNtYK/IaQAuBPW9MNeFriGqA0Vq078ccXp+JINxJbr+ZJybVg6PVqnMD+PgGMZQLkoWjwjH3vcJZZt584UPtrXKpNZuKy6dcMCb2U+O9NOaO66168sBVuK0kZHh51nJ7ZH38VLGiBipRgIQ1fzic3Ncn6GC9ko3/OwT jackos1998@gmail.com"
+          ];
+          matchBlocks = {
+            "rsync.net" = {
+              host = "rsyncnet";
+              user = "16413";
+              hostname = "ch-s010.rsync";
+            };
+
+            shoe = {
+              host = "shoe.netsoc.tcd.ie shoe";
+              user = "netsoc";
+            };
+            netsocBoxes = {
+              host = "cube spoon napalm gandalf saruman";
+              user = "root";
+            };
+          };
+        };
+      };
+
+      home.file.".ssh/authorized_keys".text = mkIf config.programs.ssh.enable
+        ''
+          ${concatStringsSep "\n" config.my.ssh.authKeys.literal}
+        '';

      programs = {
        # Even when enabled this will only be actually installed in standalone mode
@ -60,6 +98,20 @@ in
          '';
        };

+        ssh = {
+          enable = mkDefault true;
+          matchBlocks = (mapAttrs (_: b: dag.entryBefore [ "all" ] b) config.my.ssh.matchBlocks) // {
+            all = {
+              host = "*";
+              identityFile = [
+                "~/.ssh/id_rsa"
+                "~/.ssh/netsoc"
+                "~/.ssh/borg"
+              ];
+            };
+          };
+        };
+
        direnv = {
          enable = mkDefault true;
          nix-direnv.enable = true;