Use conditional identityFile in SSH host configs

RingOfStorms (Joshua Bell) 2026-01-06 16:11:04 -06:00
parent aef5e24b12
commit b8ae608af5
3 changed files with 62 additions and 67 deletions


@ -16,10 +16,6 @@ in
# TODO can I put all IP's in the flake.nix top level settings and pull them in here instead? # TODO can I put all IP's in the flake.nix top level settings and pull them in here instead?
programs.ssh = { programs.ssh = {
enable = true; enable = true;
extraConfig = ''
Host *
SetEnv TERM=xterm-256color
'';
enableDefaultConfig = false; enableDefaultConfig = false;
matchBlocks = { matchBlocks = {
"*" = { "*" = {
@ -36,6 +32,9 @@ in
extraOptions = { extraOptions = {
StrictHostKeyChecking = "accept-new"; StrictHostKeyChecking = "accept-new";
}; };
setEnv = {
TERM = "xterm-256color";
};
}; };
# EXTERNAL # EXTERNAL
@ -45,43 +44,30 @@ in
"bitbucket.org" = lib.mkIf (hasSecret "nix2bitbucket") { "bitbucket.org" = lib.mkIf (hasSecret "nix2bitbucket") {
identityFile = age.secrets.nix2bitbucket.path; identityFile = age.secrets.nix2bitbucket.path;
}; };
# "git.joshuabell.xyz" = lib.mkIf (hasSecret "nix2gitjosh") { # TODO remove old "git.joshuabell.xyz" = {
# identityFile = age.secrets.nix2gitjosh.path; identityFile = lib.mkIf (hasSecret "nix2gitforgejo") age.secrets.nix2gitforgejo.path;
# user = "git";
# };
"git.joshuabell.xyz" = lib.mkIf (hasSecret "nix2gitforgejo") {
identityFile = age.secrets.nix2gitforgejo.path;
user = "git"; user = "git";
}; };
# PERSONAL DEVICES # PERSONAL DEVICES
"lio" = lib.mkIf (hasSecret "nix2lio") { "lio" = {
identityFile = age.secrets.nix2lio.path; identityFile = lib.mkIf (hasSecret "nix2lio") age.secrets.nix2lio.path;
user = "josh"; user = "josh";
extraOptions = {
"PubkeyAcceptedKeyTypes" = "ssh-ed25519";
"ServerAliveInterval" = "60";
"IPQoS" = "throughput";
};
}; };
"lio_" = lib.mkIf (hasSecret "nix2lio") { "lio_" = {
identityFile = age.secrets.nix2lio.path; identityFile = lib.mkIf (hasSecret "nix2lio") age.secrets.nix2lio.path;
hostname = "10.12.14.116"; hostname = "10.12.14.116";
user = "josh"; user = "josh";
}; };
"oren" = lib.mkIf (hasSecret "nix2oren") { "oren" = {
identityFile = age.secrets.nix2oren.path; identityFile = lib.mkIf (hasSecret "nix2oren") age.secrets.nix2oren.path;
user = "josh"; user = "josh";
}; };
"joe" = lib.mkIf (hasSecret "nix2joe") { "gp3" = {
identityFile = age.secrets.nix2joe.path; identityFile = lib.mkIf (hasSecret "nix2gpdPocket3") age.secrets.nix2gpdPocket3.path;
user = "ringo";
};
"gp3" = lib.mkIf (hasSecret "nix2gpdPocket3") {
identityFile = age.secrets.nix2gpdPocket3.path;
user = "josh"; user = "josh";
}; };
"t" = lib.mkIf (hasSecret "nix2t") { "t" = {
identityFile = age.secrets.nix2t.path; identityFile = lib.mkIf (hasSecret "nix2t") age.secrets.nix2t.path;
user = "joshua.bell"; user = "joshua.bell";
localForwards = [ localForwards = [
{ {
@ -94,8 +80,8 @@ in
TERM = "vt100"; TERM = "vt100";
}; };
}; };
"t_" = lib.mkIf (hasSecret "nix2t") { "t_" = {
identityFile = age.secrets.nix2t.path; identityFile = lib.mkIf (hasSecret "nix2t") age.secrets.nix2t.path;
hostname = "10.12.14.181"; hostname = "10.12.14.181";
user = "joshua.bell"; user = "joshua.bell";
localForwards = [ localForwards = [
@ -109,33 +95,6 @@ in
TERM = "vt100"; TERM = "vt100";
}; };
}; };
"mbptv" = lib.mkIf (hasSecret "nix2gpdPocket3") {
identityFile = age.secrets.nix2gpdPocket3.path;
user = "waka";
setEnv = {
TERM = "vt100";
};
};
"mbptv_" = lib.mkIf (hasSecret "nix2gpdPocket3") {
identityFile = age.secrets.nix2gpdPocket3.path;
hostname = "10.12.14.30";
user = "waka";
setEnv = {
TERM = "vt100";
};
};
"nothing1" = lib.mkIf (hasSecret "nix2gpdPocket3") {
identityFile = age.secrets.nix2gpdPocket3.path;
user = "TODO";
};
"tab1" = lib.mkIf (hasSecret "nix2gpdPocket3") {
identityFile = age.secrets.nix2gpdPocket3.path;
user = "TODO";
};
"pixel6" = lib.mkIf (hasSecret "nix2gpdPocket3") {
identityFile = age.secrets.nix2gpdPocket3.path;
user = "TODO";
};
# HOME SERVERS # HOME SERVERS
"h001" = lib.mkIf (hasSecret "nix2h001") { "h001" = lib.mkIf (hasSecret "nix2h001") {
identityFile = age.secrets.nix2h001.path; identityFile = age.secrets.nix2h001.path;
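Review bot: The rewritten `lio` block silently drops `PubkeyAcceptedKeyTypes = "ssh-ed25519"` together with `ServerAliveInterval` and `IPQoS`, a change the title ("conditional identityFile") does not cover; if the key-type restriction was deliberate hardening, keep `extraOptions = { PubkeyAcceptedKeyTypes = "ssh-ed25519"; };` in the new block, otherwise state in the commit message that it was removed on purpose. Separately, because each host block is now always defined and only `identityFile` is conditional, a host whose secret is absent falls back to ssh's default identities and whatever the agent holds, which changes which keys get offered compared with the old all-or-nothing `mkIf`. Whether `IdentitiesOnly` is set in the `*` block lies outside the visible hunk; `identitiesOnly = true;` on these per-key blocks would stop ssh from offering every agent key to each host.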


@ -27,6 +27,35 @@
) secrets); ) secrets);
in in
builtins.foldl' (acc: v: acc // v) { } fragments; builtins.foldl' (acc: v: acc // v) { } fragments;
applyHmChanges = secrets:
let
substitute = secretPath: value:
if builtins.isAttrs value then
builtins.mapAttrs (_: v: substitute secretPath v) value
else if builtins.isList value then
map (v: substitute secretPath v) value
else if builtins.isString value then
builtins.replaceStrings [ "$SECRET_PATH" ] [ secretPath ] value
else
value;
fragments = builtins.attrValues (builtins.mapAttrs (
name: s:
let
secretPath = s.path or ("/run/secrets/" + name);
in
substitute secretPath (s.hmChanges or { })
) secrets);
merged = builtins.foldl' (acc: v: acc // v) { } fragments;
in
if merged == { } then
{ }
else
{
home-manager.sharedModules = [ (_: merged) ];
};
}; };
nixosModules = { nixosModules = {
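Review bot: `merged` is built with a shallow `//` fold, so when two secrets both supply `hmChanges` under the same top-level key (for example `programs.ssh.matchBlocks`), the later fragment replaces the earlier one's whole `programs` subtree instead of merging into it, and the dropped config fails silently. Handing each fragment to Home Manager as its own module lets the module system merge them: `home-manager.sharedModules = map (fragment: (_: fragment)) fragments;` (the empty case can stay guarded as now). The existing NixOS-side fold `builtins.foldl' (acc: v: acc // v) { } fragments;` just above has the same shape, so the same collision presumably exists there. The `secretPath` fallback to `"/run/secrets/" + name` also deserves a comment naming which backend writes there, since the SSH config in this same commit reads its paths from `age.secrets.*.path`.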


@ -19,7 +19,7 @@ let
request_roles="${if cfg.requestProjectRoles then "true" else "false"}" request_roles="${if cfg.requestProjectRoles then "true" else "false"}"
debug() { debug() {
if [ "$debug_enabled" = "true" ] || [ -n "${DEBUG:-}" ]; then if [ "$debug_enabled" = "true" ] || [ -n "${"DEBUG:-"}" ]; then
echo "[zitadel-mint] $*" >&2 echo "[zitadel-mint] $*" >&2
fi fi
} }
@ -157,7 +157,7 @@ let
debug "selected=$token_source" debug "selected=$token_source"
if [ "${toString cfg.debugMint}" = "true" ] || [ -n "${DEBUG:-}" ]; then if [ "${toString cfg.debugMint}" = "true" ] || [ -n "${"DEBUG:-"}" ]; then
payload="$(decode_payload "$token")" payload="$(decode_payload "$token")"
if [ -n "$payload" ]; then if [ -n "$payload" ]; then
debug "jwt.payload=$(echo "$payload" | ${pkgs.jq}/bin/jq -c '.')" debug "jwt.payload=$(echo "$payload" | ${pkgs.jq}/bin/jq -c '.')"
@ -354,7 +354,7 @@ in
kvPath = lib.mkOption { kvPath = lib.mkOption {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
default = null; default = "kv/data/machines/home_roaming/${name}";
description = "KV v2 secret API path (ex: kv/data/machines/home_roaming/nix2github)."; description = "KV v2 secret API path (ex: kv/data/machines/home_roaming/nix2github).";
}; };
@ -373,7 +373,13 @@ in
configChanges = lib.mkOption { configChanges = lib.mkOption {
type = lib.types.attrs; type = lib.types.attrs;
default = { }; default = { };
description = "Extra config applied when enabled; supports '$SECRET_PATH' string substitution."; description = "Extra NixOS config applied when enabled; supports '$SECRET_PATH' string substitution.";
};
hmChanges = lib.mkOption {
type = lib.types.attrs;
default = { };
description = "Extra Home Manager config applied when enabled; supports '$SECRET_PATH' string substitution.";
}; };
template = lib.mkOption { template = lib.mkOption {
@ -397,7 +403,6 @@ in
message = "ringofstorms.secretsBao.secrets.${name} must set either template or kvPath"; message = "ringofstorms.secretsBao.secrets.${name} must set either template or kvPath";
}) cfg.secrets; }) cfg.secrets;
environment.systemPackages = [ environment.systemPackages = [
pkgs.jq pkgs.jq
pkgs.curl pkgs.curl
@ -578,10 +583,12 @@ in
exit 1 exit 1
fi fi
${lib.concatStringsSep "\n" (map (svc: '' ${lib.concatStringsSep "\n" (
echo "Restarting ${svc} due to secret ${name}" >&2 map (svc: ''
systemctl try-restart ${lib.escapeShellArg (svc + ".service")} || true echo "Restarting ${svc} due to secret ${name}" >&2
'') secret.dependencies)} systemctl try-restart ${lib.escapeShellArg (svc + ".service")} || true
'') secret.dependencies
)}
''; '';
}; };
} }
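Review bot: `${"DEBUG:-"}` interpolates the Nix string literal `DEBUG:-`, so the generated shell reads `[ -n "DEBUG:-" ]`, which is always true; `debug()` therefore prints on every run, and the `decode_payload` branch dumps the JWT payload (`jwt.payload=...`) to stderr, i.e. the journal, regardless of `debug_enabled` or `cfg.debugMint`. The shell expansion has to be escaped from Nix rather than quoted: `''${DEBUG:-}` inside a `''` string (or `\${DEBUG:-}` in a `"` string), since the neighbouring `${pkgs.jq}` and `${toString cfg.debugMint}` interpolations show this text is generated by Nix. Both conditions sit inside a script whose opening and closing delimiters lie outside the hunk, so the string type is not visible here; whichever it is, the current form leaks token contents into logs by default.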