starting to add secrets

secrets/secrets.nix

@@ -0,0 +1,21 @@
+## To onboard a new machine, you must use a machine that is already onboarded, or the backup authority key saved in a secure location
+## Once the new machine is setup at least once, then we can generate/fetch ssh keys from it and add to this list. Then rekey the secrets and commit the changes and pull down from the nix repo
+
+# System key: `cat /etc/ssh/ssh_host_ed25519_key.pub`
+#
+# from authority
+# `nix run github:yaxitech/ragenix/ -- -i ~/.ssh/ragenix_authority --rules /etc/nixos/secrets/secrets.nix` <-r(eykey)|-e(edit) <File>>
+
+let
+  authority = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdG4tG18VeuEr/g4GM7HWUzHuUVcR9k6oS3TPBs4JRF ragenix authority key";
+  gpd3_josh_2024_march_11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhgYzACsd0GPuF8bl9SFB5y9KDwv+pU9UihoInzhRok josh@gpdPocket3";
+  gpd3_system_2024_march_11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnV4aVyKStFH1KySfnuqBq+DLvyvJhRfKtMs7PCKlIq root@nixos";
+in
+{
+  publicKeys =
+    [
+      authority
+      gpd3_josh_2024_march_11
+      gpd3_system_2024_march_11
+    ];
+}

systems/_common/shellInit.sh

@@ -16,8 +16,6 @@ kill_psg() {
 }
 
 term_psg() {
-  assert_command awk
-  assert_command grep
   PIDS=$(ps aux | grep -v "grep" | grep ${1} | awk '{print $2}')
   echo Terminating ${PIDS}
   for pid in ${PIDS}; do
@@ -39,14 +37,10 @@ mail_clear() {
 
 # git
 getdefault () {
-  assert_command git
-  assert_command grep
-  assert_command sed
   git remote show origin | grep "HEAD branch" | sed 's/.*: //'
 }
 
 master () {
-  assert_command git
   git stash
   git checkout $(getdefault)
   pull
@@ -58,48 +52,35 @@ mp () {
 }
 
 pullmaster () {
-  assert_command git
   git pull origin $(getdefault)
 }
 
 push () {
-  assert_command git
-  assert_command sed
   B=$(git branch | sed -n -e 's/^\* \(.*\)/\1/p')
   git pull origin $B
   git push origin $B --no-verify
 }
 
 pull () {
-  assert_command git
-  assert_command sed
   git fetch
   B=$(git branch | sed -n -e 's/^\* \(.*\)/\1/p')
   git pull origin $B
 }
 
 forcepush () {
-  assert_command git
-  assert_command sed
   B=$(git branch | sed -n -e 's/^\* \(.*\)/\1/p')
   git push origin $B --force
 }
 
 remote_branches () {
-  assert_command git
-  assert_command grep
   git branch -a | grep 'remotes' | grep -v -E '.*(HEAD|${DEFAULT})' | cut -d'/' -f 3-
 }
 
 local_branches () {
-  assert_command git
-  assert_command grep
-  assert_command cut
   git branch -a | grep -v 'remotes' | grep -v -E '.*(HEAD|${DEFAULT})' | grep -v '^*' |  cut -d' ' -f 3-
 }
 
 prunel () {
-  assert_command git
   git fetch
   git remote prune origin
 
@@ -119,13 +100,11 @@ prunel () {
 }
 
 checkout () {
-  assert_command git
   git fetch
   git checkout $1
   pull
 }
 
 from_master () {
-  assert_command git
   git checkout $(getdefault) $@
 }

users/_common/generate_ssh_key.nix

@@ -0,0 +1,15 @@
+{ settings, pkgs, ... }:
+''
+  if [ ! -f $HOME/.ssh/id_ed25519 ]; then
+    if [ -v DRY_RUN ]; then
+      echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
+    else
+      echo "Generating SSH key for ${settings.user.username}."
+      mkdir -p $HOME/.ssh
+      chmod 700 $HOME/.ssh
+      ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $HOME/.ssh/id_ed25519 -N ""
+    fi
+  else
+    echo "SSH key already exists for ${settings.user.username}."
+  fi
+''

users/_common/home.nix

@@ -1,9 +1,12 @@
-{ settings, ylib, ... } @ args: {
+{ settings, pkgs, lib, ylib, ... } @ args: {
   home.stateVersion = "23.11";
   programs.home-manager.enable = true;
 
   home.username = settings.user.username;
   home.homeDirectory = "/home/${settings.user.username}";
 
+  # We always want a standard ssh key-pair used for secret management, create it if not there.
+  home.activation.generateSshKey = lib.hm.dag.entryAfter [ "writeBoundary" ] (import ./generate_ssh_key.nix args);
+
   imports = ylib.umport { paths = [ ./programs ]; recursive = true; };
 }