SSH updates

2024-04-25 10:47:21 -05:00 · 2024-04-25 10:47:21 -05:00 · 57090ccde1
commit 57090ccde1
parent 74545072dd
12 changed files with 96 additions and 59 deletions
--- a/users/_common/home_manager/_home_manager.nix
+++ b/users/_common/home_manager/_home_manager.nix
@ -4,9 +4,4 @@

  home.username = settings.user.username;
  home.homeDirectory = "/home/${settings.user.username}";
-
-  imports = ylib.umport {
-    paths = [ ./programs ];
-    recursive = true;
-  };
 }
--- a/users/_common/home_manager/direnv.nix
+++ b/users/_common/home_manager/direnv.nix
--- a/users/_common/home_manager/git.nix
+++ b/users/_common/home_manager/git.nix
--- a/users/_common/home_manager/ssh.nix
+++ b/users/_common/home_manager/ssh.nix
@ -0,0 +1,15 @@
+{ age, ... }:
+{
+  programs.ssh = {
+    enable = true;
+    matchBlocks = {
+      "github.com" = {
+        identityFile = age.secrets.nix2github.path;
+      };
+      "bitbucket.org" = {
+        identityFile = age.secrets.nix2bitbucket.path;
+      };
+    };
+  };
+}
+
--- a/users/_common/nix_modules/ssh-key.nix
+++ b/users/_common/nix_modules/ssh-key.nix
@ -0,0 +1,30 @@
+{ settings, pkgs, ... }:
+let
+  sshScript = pkgs.writeScript "ssh-key-generation" ''
+    #!${pkgs.stdenv.shell}
+    if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519]; then
+      if [ -v DRY_RUN ]; then
+        echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
+      else
+        echo "Generating SSH key for ${settings.user.username}."
+        mkdir -p /home/${settings.user.username}/.ssh
+        chmod 700 /home/${settings.user.username}/.ssh
+        /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519-N ""
+      fi
+    else
+      echo "SSH key already exists for ${settings.user.username}."
+    fi
+  '';
+in
+{
+  # Ensure SSH key pair generation for non-root users
+  systemd.services.generate_ssh_key = {
+    description = "Generate SSH key pair for ${settings.user.username}";
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      User = "${settings.user.username}";
+      Type = "oneshot";
+      ExecStart = sshScript;
+    };
+  };
+}
--- a/users/_common/programs/ssh.nix
+++ b/users/_common/programs/ssh.nix
@ -1,31 +0,0 @@
-{ lib, settings, age, pkgs, ... } @ args:
-{
-  # We always want a standard ssh key-pair used for secret management, create it if not there.
-  home.activation.generateSshKey = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
-    if [ ! -f $HOME/.ssh/id_ed25519 ]; then
-      if [ -v DRY_RUN ]; then
-        echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
-      else
-        echo "Generating SSH key for ${settings.user.username}."
-        mkdir -p $HOME/.ssh
-        chmod 700 $HOME/.ssh
-        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $HOME/.ssh/id_ed25519 -N ""
-      fi
-    else
-      echo "SSH key already exists for ${settings.user.username}."
-    fi
-  '';
-
-  programs.ssh = {
-    enable = true;
-    matchBlocks = {
-      "github.com" = {
-        identityFile = age.secrets.nix2github.path;
-      };
-      "bitbucket.org" = {
-        identityFile = age.secrets.nix2bitbucket.path;
-      };
-    };
-  };
-}
-
--- a/users/_common/readme.md
+++ b/users/_common/readme.md