refactor authorizedKeys

2024-11-22 17:01:57 +01:00 · 2022-10-18 19:54:57 +02:00 · 2022-10-18 19:54:57 +02:00 · 39ec224d05
commit 39ec224d05
parent ed63192e5c
6 changed files with 66 additions and 51 deletions
--- a/hosts/dark-firepit/authorizedKeys.nix
+++ b/hosts/dark-firepit/authorizedKeys.nix
@ -1,39 +1,21 @@
-lib:
-
-with lib;
-let
-  # please only append keys in this list to not mess up
-  # wireguard auto-genned IPs!!
-  peerList = [
-    {
-      hostname = "aether@subsurface";
-      ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLDtlpOnQFQq9mPMhR1uQnjrTexcof+c+y+ot/7Jgnt aether@subsurface";
-      wg = "XEVSwNNPR7RTt/O0ihYmv3nopbPmqkCMGrVRCixnPWw=";
-    }
-    {
-      hostname = "oatmealine@void-defragmented";
-      ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDbJDo79TD9RV77MnArQwS94wzBo+6l6dYQnaNdPk2xo019+tc7GyuQ+GHyh4qewIUQOwe3Ddj4YxJN9IS3E360/6RdaNDxn3hUp2jh/x9SOjh0W86FJfdHEQViNeFVSXJv+QBZT9ibR9IbOHYezhD6gtz15pNhEqhQyqw2hJuQzxLvnictTc4lPQnWN9I8ga+OVSh7Uauu5OKbUOyRRj1Er/hasNviCaGBJnLDYjSqTDRvEbdYlfuhrYITJ+viZOQq7Nczs6dbsl627FCvhr5vQi+/vvpx9DKHDvpGvbEglOmOwgffSkaOIIx/pNHTsRccX7c3/im6z4pCDj4bEuiqqawv2C6DV0aM01bW8cchOJrmSQGTygTrJuuVPHp4IRIZNvQGS+97j4u+d7ofricLR1RoxJcQibvRA9rhhYI2FhwrAweuuLktjSj5RkQnypd9kjOuH+nhgLZunreNoyPNDCmcOBA7BA0rD2pCIKB9SzlelMjVuvy0PA8uWfNFfxGU+m3BH7lQS/A6V+NeYrMGiZ+u+t9Pgr6kAoR7mAUO+obIdMM/lOp1/zGBY8lk2Aq3GQcyGVNi18VR0uA+NMaJYXA1JzSiPCz7cQn1pKIAKiDEnzicf5MxDHIi5F1iQ/Lc+NftgmDXZEAHDY1bQepScOttaOZQZLpYP/eWwlEQJQ== oatmealine@beppy";
-      wg = "533BncNpHKzJVx5lwdxBg+aUfLGqea9uUYz70C6wxyg=";
-    }
-    {
-      hostname = "oatmealine@beppy-phone";
-      ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUgEsAQ7EL5/3STLAk/0qWJddYqfBY71yS9RtRSWd3w JuiceSSH";
-      wg = "qT7gX8beM/kW9AYg5dV1e3cLzLDTLxMO2CmnbFpMVj4=";  
-    }
-    {
-      hostname = "mayflower@BMW-M550d-xDrive"; # car 5
-      ssh = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCL75/Pg5bP7LaXE6uPyyv8QDRivWJC6YcH6oJJztkjqL6g+0xPPiN6I54q/bNF4nHA2BHVUktKUU9bGDEOpYIRq7kegp2/K/+FNTM1Kz6rJSrSc8e0Ogxg8vhD6maxqLU8q+D1OMhBu0UiWUB+GxXmeYfBtXPjpcE+AaJ80BPs7vwiulHPGn7UAcRuP36Z+3JJiN2BQnU2aizXWsgyU575Uy3DVvAt7eHon+SoJiTCs2//5KexJ42U6ZiE6f/oTFdiud70lpxhGgiiFvj6M9RZ0aLoxspiskW45jKLXIMJ+mO6husg9GfvCchbps3YkmH0hZ24Ii1EiFhi5HZMY0Lt";
-    }
-  ];
-in {
-  list = peerList;
-  # here for convinience purposes
-  set = listToAttrs (map (n: {
-    name = n.hostname;
-    value = {
-      # todo: something more generic might fit better?
-      ssh = n.ssh;
-      wg = n.wg;
-    };
-  }) peerList);
-}
+[
+  {
+    hostname = "aether@subsurface";
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLDtlpOnQFQq9mPMhR1uQnjrTexcof+c+y+ot/7Jgnt aether@subsurface";
+    wg = "XEVSwNNPR7RTt/O0ihYmv3nopbPmqkCMGrVRCixnPWw=";
+  }
+  {
+    hostname = "oatmealine@void-defragmented";
+    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDbJDo79TD9RV77MnArQwS94wzBo+6l6dYQnaNdPk2xo019+tc7GyuQ+GHyh4qewIUQOwe3Ddj4YxJN9IS3E360/6RdaNDxn3hUp2jh/x9SOjh0W86FJfdHEQViNeFVSXJv+QBZT9ibR9IbOHYezhD6gtz15pNhEqhQyqw2hJuQzxLvnictTc4lPQnWN9I8ga+OVSh7Uauu5OKbUOyRRj1Er/hasNviCaGBJnLDYjSqTDRvEbdYlfuhrYITJ+viZOQq7Nczs6dbsl627FCvhr5vQi+/vvpx9DKHDvpGvbEglOmOwgffSkaOIIx/pNHTsRccX7c3/im6z4pCDj4bEuiqqawv2C6DV0aM01bW8cchOJrmSQGTygTrJuuVPHp4IRIZNvQGS+97j4u+d7ofricLR1RoxJcQibvRA9rhhYI2FhwrAweuuLktjSj5RkQnypd9kjOuH+nhgLZunreNoyPNDCmcOBA7BA0rD2pCIKB9SzlelMjVuvy0PA8uWfNFfxGU+m3BH7lQS/A6V+NeYrMGiZ+u+t9Pgr6kAoR7mAUO+obIdMM/lOp1/zGBY8lk2Aq3GQcyGVNi18VR0uA+NMaJYXA1JzSiPCz7cQn1pKIAKiDEnzicf5MxDHIi5F1iQ/Lc+NftgmDXZEAHDY1bQepScOttaOZQZLpYP/eWwlEQJQ== oatmealine@beppy";
+    wg = "533BncNpHKzJVx5lwdxBg+aUfLGqea9uUYz70C6wxyg=";
+  }
+  {
+    hostname = "oatmealine@beppy-phone";
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUgEsAQ7EL5/3STLAk/0qWJddYqfBY71yS9RtRSWd3w JuiceSSH";
+    wg = "qT7gX8beM/kW9AYg5dV1e3cLzLDTLxMO2CmnbFpMVj4=";  
+  }
+  {
+    hostname = "mayflower@BMW-M550d-xDrive"; # car 5
+    ssh = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCVH1q8t7fnIlS8sUFnnfTqTK2d6wmaqUE2xJ/jNFCj3hNK4uR7aU7D85M4vMgXfTqacdrmdiNlWehOjlPf2cWxAqYFqIVcBaka0lf6iUzuEJmHtdXlSHvTK/G38pC2aE9SQkYqY5pEUrniKWNdjqmqK2bYVqXIwimI5eFLRipKYXZzzIf67vu4Zu3oaxAVn02XyWasO7660vab/gMVdn/uzj56pJ1iscuOc/IuoMPQE0TdMH1OMJ8oJMR844DdTx45+vxv1u5Jz9ECbJo91tCq7kIATfHHm739pI7ZYY7oDH0OzUKFeU5y4E8o/SaJWPvBkeXZXUxPwY5I1TBfnKAV";
+  }
+]
--- a/hosts/dark-firepit/default.nix
+++ b/hosts/dark-firepit/default.nix
@ -1,7 +1,9 @@
 { pkgs, inputs, lib, ... }:

 let
-  keys = import ./authorizedKeys.nix lib;
+  keys = import ./authorizedKeys.nix;
+  fetchSSH = (host: lib._.getSSH host keys);
+  fetchSSHKeys = map fetchSSH;
 in {
  imports = [
    ./hardware-configuration.nix
@ -31,7 +33,9 @@ in {
        shell = pkgs.unstable.fish;
        extraGroups = [ "wheel" "nix-users" "dotfiles" ];
        initialHashedPassword = "!";
-        openssh.authorizedKeys.keys = [ keys.set."aether@subsurface".ssh ];
+        openssh.authorizedKeys.keys = fetchSSHKeys [
+          "aether@subsurface"
+        ];
      };

      homeConf.home = {
@ -49,7 +53,10 @@ in {
        shell = pkgs.unstable.fish;
        extraGroups = [ "wheel" "nix-users" "dotfiles" "yugoslavia" ];
        initialHashedPassword = "!";
-        openssh.authorizedKeys.keys = [ keys.set."oatmealine@void-defragmented".ssh keys.set."oatmealine@beppy-phone".ssh ];
+        openssh.authorizedKeys.keys = fetchSSHKeys [
+          "oatmealine@void-defragmented"
+          "oatmealine@beppy-phone"
+        ];
      };

      homeConf.home = {
@ -66,7 +73,9 @@ in {
        shell = pkgs.unstable.fish;
        extraGroups = [ "wheel" "nix-users" "dotfiles" "yugoslavia" ];
        initialHashedPassword = "!";
-        openssh.authorizedKeys.keys = [ keys.set."mayflower@BMW-M550d-xDrive".ssh ];
+        openssh.authorizedKeys.keys = fetchSSHKeys [
+          "mayflower@BMW-M550d-xDrive"
+        ];
      };

      homeConf.home = {
@ -95,8 +104,8 @@ in {
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRI9sGl0EmOkNNnh8SgRq197gkEy3XEwKZjLIr27V9PfaVOLIAcZiGcOa5q7rc5FjcCtkQ9+/twE24bZpxkK0ygrRJBEdT+HGAUmpY/kRPEn/tqjmwNu43vQqOhNSYmAAzdjJ4AuRPK5st8QQyOzKv5Pnghwy8xPAjOM3o4n9ULMLjVvAu0eTmCJMKxEvz5FUEIVZtEid/ng46k/bJ/njSh8vyGBQV4fJei6M9Ovw0HPqqzWyV/e0c3hTClG4dfLCK3Qv3hLhXQ+8I9iaL7D2wZdr3F2lbg0vS/QctPZc28f1gpkFEzVflEzAk4aFwJMMflY04IG1Dr44IfM1gJbpj rsa-key-20220423"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCL75/Pg5bP7LaXE6uPyyv8QDRivWJC6YcH6oJJztkjqL6g+0xPPiN6I54q/bNF4nHA2BHVUktKUU9bGDEOpYIRq7kegp2/K/+FNTM1Kz6rJSrSc8e0Ogxg8vhD6maxqLU8q+D1OMhBu0UiWUB+GxXmeYfBtXPjpcE+AaJ80BPs7vwiulHPGn7UAcRuP36Z+3JJiN2BQnU2aizXWsgyU575Uy3DVvAt7eHon+SoJiTCs2//5KexJ42U6ZiE6f/oTFdiud70lpxhGgiiFvj6M9RZ0aLoxspiskW45jKLXIMJ+mO6husg9GfvCchbps3YkmH0hZ24Ii1EiFhi5HZMY0Lt mayflower"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrlqH2OShvXdzq1sV5IDuWQzeC9OHBVvwj0+Y0XXwi7 mayflower-thinkpad"
-        keys.set."oatmealine@void-defragmented".ssh
-        keys.set."oatmealine@beppy-phone".ssh
+        #fetchSSH "oatmealine@void-defragmented"
+        #fetchSSH "oatmealine@beppy-phone"
      ];
      packages = with pkgs; [ tmux micro ];
      shell = pkgs.unstable.fish;
--- a/hosts/dark-firepit/wireguardInterface.nix
+++ b/hosts/dark-firepit/wireguardInterface.nix
@ -2,8 +2,8 @@

 with lib;
 let
-  peerKeys = import ./authorizedKeys.nix lib;
-  wgKeys = filter (hasAttr "wg") peerKeys.list;
+  peerKeys = import ./authorizedKeys.nix;
+  wgKeys = filter (hasAttr "wg") peerKeys;
 in {
  ips = [ "10.100.0.1/24" ];

@ -11,7 +11,8 @@ in {

  listenPort = 51820;

-  peers = genList (n: let
+  peers = genList (n:
+  let
    keychain = elemAt wgKeys n;
    ip = "10.100.0.${toString (n+2)}/32";
  in {
@ -19,4 +20,3 @@ in {
    allowedIPs = [ ip ];
  }) (length wgKeys);
 }
-
--- a/lib/default.nix
+++ b/lib/default.nix
@ -4,9 +4,14 @@ lib.extend (self: super:
  let
    inherit (lib) attrValues foldr;
    inherit (modules) mapModules;
+    inherit (helpers) getSSH getWG;

    modules = import ./modules.nix { inherit lib; };
+    helpers = import ./helpers.nix { inherit lib; };
  in {
-    _ = foldr (a: b: a // b) {} (attrValues (mapModules ./. (file: import file { inherit pkgs inputs; lib = self; })));
+    _ = foldr (a: b: a // b) {} (attrValues (mapModules ./. (file: import file {
+      inherit pkgs inputs;
+      lib = self;
+    })));
  }
 )
--- a/lib/helpers.nix
+++ b/lib/helpers.nix
@ -0,0 +1,19 @@
+{ lib, ... }:
+
+with lib;
+rec {
+  indexFrom = origin: name: item: list: foldr
+  (h: t:
+    if h.${origin} == name && hasAttr item h
+    then h.${item}
+    else t)
+  (error ''
+    No item at the origin point ${origin} with element ${name} found.
+    Please make sure that the item with that origin exists, and,
+    failing that, that it also has the requested item defined.
+  '')
+  list;
+
+  getSSH = name: keys: indexFrom "hostname" name "ssh" keys;
+  getWG = name: keys: indexFrom "hostname" name "wg" keys;
+}
--- a/2
+++ b/2
@ -1 +1 @@
-/nix/store/f5ybdcl8js6wh9w643f1agaxcsfh0i12-nixos-system-dark-firepit-22.05.20220731.ede02b4
+/nix/store/js089ixiqw488kiakkbxr4kfy671f98v-nixos-system-dark-firepit-22.05.20220822.5252708