From a814bdfcf8cf70b6c6de67afb27c014f435a9105 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Thu, 17 Feb 2022 18:36:39 +0000
Subject: [PATCH] home-manager: Add SSH configuration
---
 home-manager/configs/castle.nix | 11 +++++++
 home-manager/modules/common.nix | 58 +++++++++++++++++++++++++++++++--
 2 files changed, 66 insertions(+), 3 deletions(-)
diff --git a/home-manager/configs/castle.nix b/home-manager/configs/castle.nix
index 967a2b5..db29b92 100644
--- a/home-manager/configs/castle.nix
+++ b/home-manager/configs/castle.nix
@@ -3,6 +3,17 @@
 # So home-manager will inject the sourcing of ~/.nix-profile/etc/profile.d/nix.sh
 targets.genericLinux.enable = true;
+ my = {
+ ssh.matchBlocks = {
+ home = {
+ host =
+ "vm keep.core fw firewall moat.vm storage cellar.vm lxd ship.vm docker whale.vm kerberos gatehouse.lxd " + "nginx.lxd upnp.lxd souterrain.lxd drawbridge.lxd mailcow.lxd";
+ user = "root";
+ };
+ };
+ };
+
 programs = {
 kakoune.enable = true;
 };
diff --git a/home-manager/modules/common.nix b/home-manager/modules/common.nix
index fd16be7..fbf45b5 100644
--- a/home-manager/modules/common.nix
+++ b/home-manager/modules/common.nix
@@ -1,6 +1,8 @@
-{ lib, pkgs, pkgs', inputs, config, ... }@args:
+{ lib, pkgs, pkgs', inputs, options, config, ... }@args:
 let
- inherit (lib) optionalAttrs versionAtLeast mkMerge mkIf mkDefault mkOption;
+ inherit (builtins) mapAttrs;
+ inherit (lib) concatStringsSep optionalAttrs versionAtLeast mkMerge mkIf mkDefault mkOption;
+ inherit (lib.hm) dag;
 inherit (lib.my) mkOpt' dummyOption;
 in
 {
@@ -11,6 +13,13 @@ in
 internal = true;
 description = "Whether home-manager is running inside a NixOS system or not.";
 };
+
+ ssh = {
+ authKeys = {
+ literal = mkOpt' (listOf singleLineStr) [ ] "List of OpenSSH keys to allow";
+ };
+ matchBlocks = mkOpt' (attrsOf anything) { } "SSH match blocks";
+ };
 };
 # Only present in >=22.05, so forward declare
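Review bot: The `host` value of the `home` block looks like two adjacent string literals, `"… gatehouse.lxd "` and `"nginx.lxd …"`, with only the diff marker between them (the hunk reports 11 added lines, one per visible `+`); in Nix, juxtaposed strings are a function application and fail at evaluation instead of concatenating. If the `+` operator was merely lost in this rendering, disregard; otherwise end the first literal's line with the operator, `"… gatehouse.lxd " +`, or begin the second with `+ "nginx.lxd …";`. Separately, the block maps a set of short unqualified names (`vm`, `fw`, `lxd`, `docker`, `kerberos`) to `user = "root"`, so any unrelated machine that resolves under one of those names on another network will be logged into as root by default; a comment on the `home =` line stating which network these names are valid on, or a qualified suffix such as `*.lxd`, would make the scope explicit.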
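Review bot: The two new option descriptions do not say how the values are consumed: `my.ssh.authKeys.literal` becomes the entire contents of `~/.ssh/authorized_keys` (keys added any other way are dropped), and `my.ssh.matchBlocks` entries are ordered ahead of the catch-all `all` block, which is what lets their `user`/`hostname` settings win over the `Host *` defaults. Suggested wording: `"OpenSSH public keys written verbatim as ~/.ssh/authorized_keys (replaces the whole file)"` and `"SSH client match blocks; each is placed before the Host * block so its settings take precedence"`. `listOf`, `singleLineStr`, `attrsOf` and `anything` are not brought into scope by the visible `inherit` lines; presumably a `with lib.types;` around the options block covers them, worth confirming. Using `singleLineStr` here is the right choice, since a key containing a newline could otherwise smuggle an extra `authorized_keys` entry into the generated file.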
@@ -29,7 +38,36 @@ in
 };
 }) {
- my.isStandalone = !(args ? osConfig);
+ my = {
+ isStandalone = !(args ? osConfig);
+
+ ssh = {
+ authKeys.literal = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+kCHXqtznkT9IBN5WxZHmXI97k3BumT+N4lyHWMo0pykpACCOcGw52EXxQveNqgcwcRUgamL9A2JTE//WRf3O4nBofeTRNKcRxTjRoUVIt/F0xbf09yWBqJOXZ8rqLkXhRvSpr1TCUZtYVp5iLtpERp622OMIqHSwa6HlxBqsCFkBeq1bRyNtYK/IaQAuBPW9MNeFriGqA0Vq078ccXp+JINxJbr+ZJybVg6PVqnMD+PgGMZQLkoWjwjH3vcJZZt584UPtrXKpNZuKy6dcMCb2U+O9NOaO66168sBVuK0kZHh51nJ7ZH38VLGiBipRgIQ1fzic3Ncn6GC9ko3/OwT jackos1998@gmail.com"
+ ];
+ matchBlocks = {
+ "rsync.net" = {
+ host = "rsyncnet";
+ user = "16413";
+ hostname = "ch-s010.rsync";
+ };
+
+ shoe = {
+ host = "shoe.netsoc.tcd.ie shoe";
+ user = "netsoc";
+ };
+ netsocBoxes = {
+ host = "cube spoon napalm gandalf saruman";
+ user = "root";
+ };
+ };
+ };
+ };
+
+ home.file.".ssh/authorized_keys".text = mkIf config.programs.ssh.enable
+ ''
+ ${concatStringsSep "\n" config.my.ssh.authKeys.literal}
+ '';
 programs = {
 # Even when enabled this will only be actually installed in standalone mode
@@ -60,6 +98,20 @@ in
 '';
 };
+ ssh = {
+ enable = mkDefault true;
+ matchBlocks = (mapAttrs (_: b: dag.entryBefore [ "all" ] b) config.my.ssh.matchBlocks) // {
+ all = {
+ host = "*";
+ identityFile = [
+ "~/.ssh/id_rsa"
+ "~/.ssh/netsoc"
+ "~/.ssh/borg"
+ ];
+ };
+ };
+ };
+
 direnv = {
 enable = mkDefault true;
 nix-direnv.enable = true;
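Review bot: `home.file.".ssh/authorized_keys".text` is gated on `config.programs.ssh.enable`, which is the SSH client option, while authorized_keys is read by the server; if the client module is ever turned off the generated file, and with it key-based login to this user, silently disappears, and nothing about the server's configuration is consulted either way. Gate it on the data instead, e.g. `home.file.".ssh/authorized_keys".text = mkIf (config.my.ssh.authKeys.literal != [ ]) ''…'';`, so the file is only managed when there are keys to write. This also makes the whole file declarative: any key previously added out of band is removed on the next activation, which is fine for a single key source but deserves a comment on the `authKeys.literal = [` line, e.g. `# Sole source of ~/.ssh/authorized_keys for this user; nothing else may append to it`.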
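Review bot: The catch-all `all` block offers `~/.ssh/id_rsa`, `~/.ssh/netsoc` and `~/.ssh/borg` to every host, so each server connected to sees the public half of all three keys (letting unrelated hosts correlate them), and a server that limits authentication attempts can reject the session before the right key is tried. Keep only `~/.ssh/id_rsa` in `all`, move `~/.ssh/netsoc` into the `shoe`/`netsocBoxes` blocks as `identityFile = "~/.ssh/netsoc";` and `~/.ssh/borg` into the block for its backup host; `identitiesOnly = true;` in `all` would additionally stop agent-loaded keys from being offered beyond that list. Separately, the `// { all = … }` merge silently replaces any user-supplied `my.ssh.matchBlocks.all`, which the `mapAttrs` has just marked `entryBefore [ "all" ]` (a block ordered before itself); an assertion or a reserved-name comment on the `matchBlocks =` line, e.g. `# "all" is reserved for the Host * defaults below`, would make that explicit.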