diff --git a/hosts/lucent-firepit/default.nix b/hosts/lucent-firepit/default.nix
index 07191fc..237df24 100644
--- a/hosts/lucent-firepit/default.nix
+++ b/hosts/lucent-firepit/default.nix
@@ -4,6 +4,8 @@ let
 keys = import ./authorizedKeys.nix;
 fetchSSH = (host: lib._.getSSH host keys);
 fetchSSHKeys = map fetchSSH;
+
+ agenixPkg = inputs.agenix.packages.${pkgs.system}.default;
 in {
 imports = [
 ./hardware-configuration.nix
@@ -56,7 +58,7 @@ in {
 # oatmealine ?? is that a reference to jill oatmealine monoids from the beloved videogame franchise "oateamelin jill monoids???" .oat. zone??? from va11hall-a??? video game???? woman????? minecraft???????
 oatmealine = {
 conf = {
- packages = with pkgs; [ bat tmux micro direnv nix-direnv ripgrep ];
+ packages = with pkgs; [ bat tmux micro direnv nix-direnv ripgrep agenixPkg ];
 shell = pkgs.unstable.fish;
 extraGroups = [ "wheel" "nix-users" "dotfiles" "yugoslavia" ];
 initialHashedPassword = "!";
@@ -68,6 +70,7 @@ in {
 homeConf.home = {
 sessionVariables = {
+ #EDITOR = lib.trace (lib.readFile age.secrets.huge-furry-cock.path) "micro";
 EDITOR = "micro";
 NIX_REMOTE = "daemon";
 };
diff --git a/hosts/lucent-firepit/secrets/huge-furry-cock.age b/hosts/lucent-firepit/secrets/huge-furry-cock.age
new file mode 100644
index 0000000..487f489
Binary files /dev/null and b/hosts/lucent-firepit/secrets/huge-furry-cock.age differ
diff --git a/hosts/lucent-firepit/secrets/secrets.nix b/hosts/lucent-firepit/secrets/secrets.nix
index 2ab9ede..e31701f 100644
--- a/hosts/lucent-firepit/secrets/secrets.nix
+++ b/hosts/lucent-firepit/secrets/secrets.nix
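Review bot: The new `agenixPkg` binding in the first hunk is undocumented and silently depends on `inputs` being passed into this module, which is not visible in the hunk (the module's argument list is above line 4). A one-line comment would make both the purpose and the dependency explicit, e.g. `# agenix CLI (via flake inputs/specialArgs) so this user can edit and rekey ./secrets`, assuming that is why it is added to the user's packages in the second hunk. The enclosing `let` block starts outside the hunk.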
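Review bot: The commented-out `#EDITOR = lib.trace (lib.readFile age.secrets.huge-furry-cock.path) "micro";` line in the third hunk should be deleted or replaced with an explanatory comment rather than left as a template: if it is ever uncommented, `lib.readFile` copies the decrypted secret into the Nix evaluation (and the `lib.trace` output into whatever captures the build log), which undoes the encryption agenix provides. As written it also refers to `age.secrets` unqualified, which presumably would need `config.age.secrets` in this scope. If a reminder is wanted, a comment along the lines of `# refer to the secret at runtime through config.age.secrets.<name>.path; never readFile it at eval time` states the safe pattern. The enclosing `homeConf.home` attrset continues outside the hunk.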
@@ -1,6 +1,9 @@
 let
- keys = import ../authorizedKeys.nix;
-
- "subsurface.aether" = keys."aether@subsurface".ssh;
-in
- {}
+ userKeys = builtins.catAttrs "ssh" (import ../authorizedKeys.nix);
+ systemKeys = [
+ # /etc/ssh/ssh_host_ed25519_key.pub
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHp0gLv1FiavpvnXinySlZsWrNkAzo4c8GWvN2WRhQqn root@lucent-firepit"
+ ];
+in {
+ "huge-furry-cock.age".publicKeys = userKeys ++ systemKeys;
+}
diff --git a/modules/agenix.nix b/modules/agenix.nix
index b81195c..3cc8664 100644
--- a/modules/agenix.nix
+++ b/modules/agenix.nix
@@ -8,17 +8,24 @@ let
 secretsDir = "${toString ../hosts}/${config.networking.hostName}/secrets";
 secretsFile = "${secretsDir}/secrets.nix";
 in {
- imports = [ agenix.nixosModules.age ];
- #environment.systemPackages = [ agenix.defaultPackage.x86_64-linux ];
+ imports = [ agenix.nixosModules.default ];
- age = {
- secrets = mkMerge (map (x: {"x".file = "${secretsDir}/${x}";}) (attrNames (import secretsFile)));
- identityPaths = options.age.identityPaths.default ++ (foldr (l: r: l ++ r) [] (map (user:
+ age = let
+ # ugly, lazy, but works
+ users = map (user: "/home/${user}/.ssh") (attrNames (readDir "/home/"));
+
+ usersWithKeys = filter (path: pathExists path) users;
+
+ userIdentityPaths = concatLists (map (keysPath:
 let
- d = "/home/${user}/.ssh";
- fs = map (f: d + "/" + f) (filter (f: (f != "known_hosts") && (f != "*.old")) (attrNames (readDir d)));
- in fs) (attrNames config.defaultUsers)));
+ # find all files that are id_* and not *.pub
+ # todo: maybe make a startsWith / endsWith?
+ files = map (f: keysPath + "/" + f) (filter (f: (substring 0 3 f == "id_") && (substring (stringLength f - 4) 4 f != ".pub")) (attrNames (readDir keysPath)));
+ in files) usersWithKeys);
+ in {
+ secrets = mkMerge (map (x: {"${x}".file = "${secretsDir}/${x}";}) (attrNames (import secretsFile)));
+ identityPaths = options.age.identityPaths.default ++ userIdentityPaths;
 };
 }
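Review bot: `builtins.catAttrs "ssh" (import ../authorizedKeys.nix)` on the `userKeys` line only evaluates if `authorizedKeys.nix` is a list of attrsets, but the removed `keys."aether@subsurface".ssh` and the `lib._.getSSH host keys` helper in default.nix treat it as an attrset keyed by identity, in which case `catAttrs` fails with a type error at evaluation time. If the file's shape has not changed in this commit, `userKeys = builtins.catAttrs "ssh" (builtins.attrValues (import ../authorizedKeys.nix));` yields the intended list. Separately, the recipient set grows from one key to every key in authorizedKeys.nix plus the host key, so the holder of any of those SSH keys can decrypt this secret; a comment next to `publicKeys` stating that this is intentional, e.g. `# every identity in authorizedKeys.nix can decrypt; narrow this if the secret is host-specific`, would document the trust decision.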
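Review bot: `readDir "/home/"` in the `users` binding runs at evaluation time on whichever machine evaluates the configuration, not at activation on the target host, so `userIdentityPaths` reflects the evaluator's `/home` (and a pure or flake evaluation will typically refuse an absolute path outside the flake); building on another machine or a remote builder would give a different, possibly empty, identity list. It also registers every user's `id_*` private key as a root decryption identity, so any single user key unlocks all of this host's secrets; that trade-off deserves a comment next to `# ugly, lazy, but works` so it is not inherited unknowingly. A smaller point: `substring (stringLength f - 4) 4 f` raises on a name shorter than four characters, and lib already provides the helpers the todo asks for, so the filter can become `(filter (f: hasPrefix "id_" f && !hasSuffix ".pub" f)` assuming `lib` is in scope as the other unqualified helpers suggest. The enclosing `let` starts above the hunk.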