From da85dd701bbba3f4ffbc4b9df7c6b347567f78be Mon Sep 17 00:00:00 2001
From: =
Date: Tue, 12 Mar 2024 00:26:25 -0500
Subject: [PATCH] starting to add secrets
---
secrets/secrets.nix | 21 +++++++++++++++++++++
systems/_common/shellInit.sh | 21 ---------------------
users/_common/generate_ssh_key.nix | 15 +++++++++++++++
users/_common/home.nix | 5 ++++-
4 files changed, 40 insertions(+), 22 deletions(-)
create mode 100644 secrets/secrets.nix
create mode 100644 users/_common/generate_ssh_key.nix
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..836433a
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,21 @@
+## To onboard a new machine, you must use a machine that is already onboarded, or the backup authority key saved in a secure location
+## Once the new machine is setup at least once, then we can generate/fetch ssh keys from it and add to this list. Then rekey the secrets and commit the changes and pull down from the nix repo
+
+# System key: `cat /etc/ssh/ssh_host_ed25519_key.pub`
+#
+# from authority
+# `nix run github:yaxitech/ragenix/ -- -i ~/.ssh/ragenix_authority --rules /etc/nixos/secrets/secrets.nix` <-r(eykey)|-e(edit) >
+
+let
+ authority = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdG4tG18VeuEr/g4GM7HWUzHuUVcR9k6oS3TPBs4JRF ragenix authority key";
+ gpd3_josh_2024_march_11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhgYzACsd0GPuF8bl9SFB5y9KDwv+pU9UihoInzhRok josh@gpdPocket3";
+ gpd3_system_2024_march_11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnV4aVyKStFH1KySfnuqBq+DLvyvJhRfKtMs7PCKlIq root@nixos";
+in
+{
+ publicKeys =
+ [
+ authority
+ gpd3_josh_2024_march_11
+ gpd3_system_2024_march_11
+ ];
+}
diff --git a/systems/_common/shellInit.sh b/systems/_common/shellInit.sh
index 9c58717..4868464 100644
--- a/systems/_common/shellInit.sh
+++ b/systems/_common/shellInit.sh
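Review bot: The rules file's only top-level attribute is `publicKeys`, but in the agenix/ragenix rules layout each top-level attribute names a secret file and carries its own `publicKeys`, so this list presumably attaches to no secret yet; a marker such as `# TODO: attach to a secret, e.g. "example.age".publicKeys = [ authority gpd3_josh_2024_march_11 gpd3_system_2024_march_11 ];` would make the placeholder explicit. The onboarding comment should also state the revocation caveat: removing a key from this list and rekeying re-encrypts the current blobs but does not undo what that key could already read, and the earlier `.age` blobs remain in git history, so a lost or compromised key means rotating the underlying secret values, not just rekeying. Since `gpd3_josh_2024_march_11` appears to be the user's `~/.ssh/id_ed25519` that home.nix now generates without a passphrase, saying so here tells the next maintainer which identities can decrypt everything listed.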
@@ -16,8 +16,6 @@ kill_psg() {
 }
 term_psg() {
- assert_command awk
- assert_command grep
 PIDS=$(ps aux | grep -v "grep" | grep ${1} | awk '{print $2}')
 echo Terminating ${PIDS}
 for pid in ${PIDS}; do
@@ -39,14 +37,10 @@ mail_clear() {
 # git
 getdefault () {
- assert_command git
- assert_command grep
- assert_command sed
 git remote show origin | grep "HEAD branch" | sed 's/.*: //'
 }
 master () {
- assert_command git
 git stash
 git checkout $(getdefault)
 pull
@@ -58,48 +52,35 @@ mp () {
 }
 pullmaster () {
- assert_command git
 git pull origin $(getdefault)
 }
 push () {
- assert_command git
- assert_command sed
 B=$(git branch | sed -n -e 's/^\* \(.*\)/\1/p')
 git pull origin $B
 git push origin $B --no-verify
 }
 pull () {
- assert_command git
- assert_command sed
 git fetch
 B=$(git branch | sed -n -e 's/^\* \(.*\)/\1/p')
 git pull origin $B
 }
 forcepush () {
- assert_command git
- assert_command sed
 B=$(git branch | sed -n -e 's/^\* \(.*\)/\1/p')
 git push origin $B --force
 }
 remote_branches () {
- assert_command git
- assert_command grep
 git branch -a | grep 'remotes' | grep -v -E '.*(HEAD|${DEFAULT})' | cut -d'/' -f 3-
 }
 local_branches () {
- assert_command git
- assert_command grep
- assert_command cut
 git branch -a | grep -v 'remotes' | grep -v -E '.*(HEAD|${DEFAULT})' | grep -v '^*' | cut -d' ' -f 3-
 }
 prunel () {
- assert_command git
 git fetch
 git remote prune origin
@@ -119,13 +100,11 @@ prunel () {
 }
 checkout () {
- assert_command git
 git fetch
 git checkout $1
 pull
 }
 from_master () {
- assert_command git
 git checkout $(getdefault) $@
 }
diff --git a/users/_common/generate_ssh_key.nix b/users/_common/generate_ssh_key.nix
new file mode 100644
index 0000000..77bf46d
--- /dev/null
+++ b/users/_common/generate_ssh_key.nix
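Review bot: `term_psg` still hands `${1}` to `grep` unquoted and unanchored, so an argument containing spaces splits into several `grep` operands and a short name such as `sh` matches every `ps aux` line that contains it, after which the loop (whose body is outside the hunk) acts on unrelated processes. `PIDS=$(pgrep -f -- "$1")` avoids the self-match, the word splitting and the extra tools, or at minimum quote it as `grep -- "${1}"`. With `assert_command awk` and `assert_command grep` removed, a missing tool now leaves `PIDS` empty and the function becomes a silent no-op instead of failing, which may be acceptable but is a behaviour change worth a one-line comment. The closing brace of term_psg is outside the hunk.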
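Review bot: `master` runs `git stash` and never pops it, so local changes disappear into the stash list each time the function is called; a guarded pair such as `git diff --quiet || git stash push -m master` before the checkout and `git stash pop` after the pull, or a comment stating that the stash is intentionally left behind, would make the behaviour explicit. `getdefault` also contacts the remote on every call through `git remote show origin`, which `master` and several later helpers depend on; the local `git symbolic-ref --short refs/remotes/origin/HEAD` (with the `origin/` prefix stripped) answers the same question without network access when the remote HEAD ref is present. The closing brace of master is outside the hunk.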
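Review bot: In `remote_branches` and `local_branches` the `${DEFAULT}` sits inside single quotes, so `grep -v -E '.*(HEAD|${DEFAULT})'` filters the literal text `${DEFAULT}` and the default branch is never excluded; use double quotes, `grep -v -E ".*(HEAD|${DEFAULT})"`, and confirm `DEFAULT` is actually set somewhere, since nothing in this hunk assigns it. `push` sends `--no-verify`, which skips any pre-push hook the repository installs (secret scanners, linters), so the line deserves a why-comment, `# --no-verify: deliberately skips pre-push hooks`, or the flag should go. The branch name in `B` is also used unquoted in the `git pull` and `git push` lines; `"$B"` is the safe form. The hunk opens on the closing brace of `mp` and ends inside `prunel`, whose remaining lines are outside it.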
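Review bot: `from_master` forwards its arguments as a bare `$@`, which re-splits any argument containing whitespace and drops empty ones; `git checkout $(getdefault) "$@"` preserves them, and the same quoting applies to `git checkout $1` in `checkout`, i.e. `git checkout "$1"`. With the `assert_command git` lines removed, both functions now rely on the shell's own command-not-found error, which is reasonable but, given that every function in the file used the helper, deserves a note in the file header explaining why the check was dropped.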
@@ -0,0 +1,15 @@
+{ settings, pkgs, ... }:
+''
+ if [ ! -f $HOME/.ssh/id_ed25519 ]; then
+ if [ -v DRY_RUN ]; then
+ echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
+ else
+ echo "Generating SSH key for ${settings.user.username}."
+ mkdir -p $HOME/.ssh
+ chmod 700 $HOME/.ssh
+ ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $HOME/.ssh/id_ed25519 -N ""
+ fi
+ else
+ echo "SSH key already exists for ${settings.user.username}."
+ fi
+''
diff --git a/users/_common/home.nix b/users/_common/home.nix
index 614eca3..22b0177 100644
--- a/users/_common/home.nix
+++ b/users/_common/home.nix
@@ -1,9 +1,12 @@
-{ settings, ylib, ... } @ args: {
+{ settings, pkgs, lib, ylib, ... } @ args: {
 home.stateVersion = "23.11";
 programs.home-manager.enable = true;
 home.username = settings.user.username;
 home.homeDirectory = "/home/${settings.user.username}";
+ # We always want a standard ssh key-pair used for secret management, create it if not there.
+ home.activation.generateSshKey = lib.hm.dag.entryAfter [ "writeBoundary" ] (import ./generate_ssh_key.nix args);
+ imports = ylib.umport { paths = [ ./programs ]; recursive = true; }; }
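Review bot: The key created on the `ssh-keygen` line has an empty passphrase (`-N ""`) and, per `secrets/secrets.nix` in this same commit, is meant to serve as a decryption identity for the repository's secrets, so the private key's file mode is its only protection; that trade-off deserves a why-comment above the line, e.g. `# No passphrase: presumably required so activation can run unattended; file permissions are the only protection.` The `$HOME` expansions in `-f $HOME/.ssh/id_ed25519` and `mkdir -p $HOME/.ssh` are unquoted, and since `$HOME` is not a Nix interpolation it is expanded by the shell at activation time, so `"$HOME/.ssh/id_ed25519"` is the safe form. Passing `-C` with the username and date would also tie the generated key to the naming used in the rules file (`gpd3_josh_2024_march_11`), which matters because the public key still has to be copied there by hand.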
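Review bot: The comment above `home.activation.generateSshKey` says the key-pair is used for secret management but not that generation is only half of onboarding: the new `~/.ssh/id_ed25519.pub` still has to be added to `secrets/secrets.nix` and the secrets rekeyed before this machine can decrypt anything, as the comments in that file describe. Extending it with `# The .pub must then be added to secrets/secrets.nix and the secrets rekeyed by hand.` makes the manual step discoverable from here. Whether home-manager exports `DRY_RUN` during a dry-run activation, which the imported script checks with `[ -v DRY_RUN ]`, is assumed rather than visible in this change and is worth confirming.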