diff --git a/src/system/config/default.nix b/src/system/config/default.nix
new file mode 100644
index 0000000..4bb4315
--- /dev/null
+++ b/src/system/config/default.nix
@@ -0,0 +1,14 @@
+{ lib, pkgs, config, ... }:
+
+with lib;
+{
+ options = {
+ machines = mkOption {
+ description = "Machine Configurations";
+ type = types.attrs;
+ default = {
+ keys = import ./keys { inherit lib; };
+ };
+ };
+ };
+}
diff --git a/src/system/config/keys/default.nix b/src/system/config/keys/default.nix
new file mode 100644
index 0000000..e3f3aaf
--- /dev/null
+++ b/src/system/config/keys/default.nix
@@ -0,0 +1,33 @@
+{ lib }:
+
+with builtins;
+let
+ extractName = filename:
+ let
+ # Remove .key extension
+ noKey = lib.removeSuffix ".key" filename;
+ # Remove .pub/.priv/.public/.private markers
+ noMarkers = replaceStrings
+ [ ".pub" ".priv" ".public" ".private" ]
+ [ "" "" "" "" ]
+ noKey;
+ in noMarkers;
+
+ constructKeys = dir: (
+ listToAttrs (
+ map (subdir: {
+ name = subdir;
+ value = listToAttrs (
+ map (file: {
+ name = extractName file;
+ value = readFile "${dir}/${subdir}/${file}";
+ }) (filter (file:
+ (readDir "${dir}/${subdir}").${file} == "regular" &&
+ lib.hasSuffix ".key" file
+ ) (attrNames (readDir "${dir}/${subdir}")))
+ );
+ }) (filter (node: (readDir dir).${node} == "directory") (attrNames (readDir dir)))
+ )
+ );
+in
+ constructKeys ./.
diff --git a/src/system/config/keys/desktop/README.md b/src/system/config/keys/desktop/README.md
new file mode 100644
index 0000000..355d803
--- /dev/null
+++ b/src/system/config/keys/desktop/README.md
@@ -0,0 +1,3 @@
+# Desktop Keys
+
+ssh.pub.key - ~/.ssh/id_rsa
diff --git a/src/user/config/keys/ssh/desktop.pub.key b/src/system/config/keys/desktop/ssh.pub.key
similarity index 100%
rename from src/user/config/keys/ssh/desktop.pub.key
rename to src/system/config/keys/desktop/ssh.pub.key
diff --git a/src/system/machines/desktop/default.nix b/src/system/machines/desktop/default.nix
index 8a29c89..99a49af 100644
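Review bot: `machines` is declared as `types.attrs` with the key table living only in `default`, so as soon as any other module defines anything under `machines` (say `machines.foo = …`) the default is discarded and `config.machines.keys.desktop.ssh`, which `src/system/machines/server/system.nix` now reads, stops evaluating. The NixOS manual also warns that `types.attrs` does not recurse into nested definitions and silently drops earlier ones. Declaring the table as its own option, `machines.keys = mkOption { type = types.attrs; readOnly = true; default = import ./keys { inherit lib; }; };`, or a `types.submodule` with `keys` as a sub-option, keeps it stable regardless of what other modules add. `pkgs` and `config` are bound in the module header but never used.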
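Review bot: In `extractName`, `replaceStrings` tries its patterns in list order at each position, so `.pub` and `.priv` shadow `.public` and `.private`: a file named `foo.public.key` comes out as the attribute `foolic`, not `foo`; list the longer markers first, `[ ".public" ".private" ".pub" ".priv" ]`. The identical ordering is in the rewritten `extractName` of `src/user/config/keys/default.nix` further down this commit. Because the filter accepts any regular `*.key` file and the marker list explicitly tolerates `.priv`/`.private`, a private key dropped into one of these directories would be `readFile`d into the evaluated configuration and, wherever it is referenced, written into the world-readable Nix store; a private and public key sharing a stem also collapse to one attribute name, and to my recollection `listToAttrs` then keeps the first silently. Restricting the filter to public markers, e.g. `lib.hasSuffix ".pub.key" file || lib.hasSuffix ".public.key" file`, or asserting that no `.priv`/`.private` file exists, turns that into a loud evaluation failure instead.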
--- a/src/system/machines/desktop/default.nix
+++ b/src/system/machines/desktop/default.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ../../../user/config
+ ../../config
 ./hardware.nix
 ./system.nix
 ./modules/disko
diff --git a/src/system/machines/desktop/system.nix b/src/system/machines/desktop/system.nix
index 402fa85..e09b06b 100644
--- a/src/system/machines/desktop/system.nix
+++ b/src/system/machines/desktop/system.nix
@@ -13,7 +13,7 @@ in
 isNormalUser = true;
 extraGroups = config.user.groups ++ [ "video" "audio" "kvm" "libvirtd" "dialout" ];
- openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.android}" ];
+ openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.graphone}" ];
 };
 };
diff --git a/src/system/machines/server/default.nix b/src/system/machines/server/default.nix
index 6e64b71..c71ec8a 100644
--- a/src/system/machines/server/default.nix
+++ b/src/system/machines/server/default.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ../../../user/config
+ ../../config
 ./hardware.nix
 ./system.nix
 ];
diff --git a/src/system/machines/server/system.nix b/src/system/machines/server/system.nix
index b0e8be6..8d289dd 100644
--- a/src/system/machines/server/system.nix
+++ b/src/system/machines/server/system.nix
@@ -12,13 +12,12 @@
 backup = {
 enable = true;
 recipients = [
- # TODO: Add your age recipients
- # "${config.user.keys.age.yubikey}"
- # "${config.user.keys.ssh.desktop}"
+ "${config.user.keys.age.yubikey}"
+ "${config.machines.keys.desktop.ssh}"
 ];
 destination = "gdrive:backups/server"; # TODO: configure rclone remote
 schedule = "daily";
- keepLast = 7;
+ keepLast = 2;
 };
 };
@@ -27,7 +26,7 @@
 isNormalUser = true;
 extraGroups = config.user.groups;
 openssh.authorizedKeys.keys = [
- "${config.user.keys.ssh.desktop}"
+ "${config.machines.keys.desktop.ssh}"
 ];
 };
 };
diff --git a/src/system/machines/vm/default.nix b/src/system/machines/vm/default.nix
index 6e64b71..c71ec8a 100644
--- a/src/system/machines/vm/default.nix
+++ b/src/system/machines/vm/default.nix
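Review bot: `keepLast` drops from 7 to 2 in the `backup` block with no rationale in the commit; on a `daily` schedule that leaves a two-day window to notice a corrupted or tampered backup before the last good one is rotated out, which undercuts much of the value of an encrypted off-site copy. The new `recipients` list also makes the desktop's SSH public key (`config.machines.keys.desktop.ssh`) a decryption key for the backup set, so rotating or revoking that SSH key later also changes who can restore; if that is intended, a comment on the `recipients` line saying so, and that the age yubikey is the cold-storage recipient as its README states, would save the next reader from guessing. The `# TODO: configure rclone remote` on `destination` is still open, so the target itself is not yet verified.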
@@ -3,6 +3,7 @@
 {
 imports = [
 ../../../user/config
+ ../../config
 ./hardware.nix
 ./system.nix
 ];
diff --git a/src/system/machines/vm/system.nix b/src/system/machines/vm/system.nix
index f63f65e..444b180 100644
--- a/src/system/machines/vm/system.nix
+++ b/src/system/machines/vm/system.nix
@@ -8,7 +8,7 @@
 ${config.user.name} = {
 isNormalUser = true;
 extraGroups = config.user.groups;
- openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.primary}" ];
+ openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.yubikey}" ];
 };
 };
diff --git a/src/system/machines/workstation/default.nix b/src/system/machines/workstation/default.nix
index 6e64b71..c71ec8a 100644
--- a/src/system/machines/workstation/default.nix
+++ b/src/system/machines/workstation/default.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ../../../user/config
+ ../../config
 ./hardware.nix
 ./system.nix
 ];
diff --git a/src/system/machines/workstation/system.nix b/src/system/machines/workstation/system.nix
index 9e3463a..e26e5ea 100644
--- a/src/system/machines/workstation/system.nix
+++ b/src/system/machines/workstation/system.nix
@@ -10,7 +10,7 @@ with lib;
 extraGroups = config.user.groups ++ [ "video" "audio" "kvm" "libvirtd" "dialout" ];
 openssh.authorizedKeys.keys = [
- "${config.user.keys.ssh.primary}"
+ "${config.user.keys.ssh.yubikey}"
 "${config.user.keys.ssh.work}"
 ];
 };
diff --git a/src/system/machines/wsl/default.nix b/src/system/machines/wsl/default.nix
index 97c4a4c..9af8cf1 100644
--- a/src/system/machines/wsl/default.nix
+++ b/src/system/machines/wsl/default.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ../../../user/config
+ ../../config
 ./system.nix
 ];
 }
diff --git a/src/system/machines/wsl/system.nix b/src/system/machines/wsl/system.nix
index 89bb887..729213f 100644
--- a/src/system/machines/wsl/system.nix
+++ b/src/system/machines/wsl/system.nix
@@ -9,8 +9,7 @@
 isNormalUser = true;
 extraGroups = config.user.groups;
 openssh.authorizedKeys.keys = [
- "${config.user.keys.ssh.primary}"
- "${config.user.keys.ssh.windows}"
+ "${config.user.keys.ssh.yubikey}"
 ];
 };
 };
diff --git a/src/user/config/default.nix b/src/user/config/default.nix
index 3740db7..b539c79 100644
--- a/src/user/config/default.nix
+++ b/src/user/config/default.nix
@@ -14,7 +14,7 @@ in
 name = "bryan";
 email = "bryan@ramos.codes";
 shell = bash;
- keys = import ./keys;
+ keys = import ./keys { inherit lib; };
 groups = [ "wheel" "networkmanager" "home-manager" "input" ];
 bookmarks = import ./bookmarks;
diff --git a/src/user/config/keys/age/README.md b/src/user/config/keys/age/README.md
new file mode 100644
index 0000000..92284a8
--- /dev/null
+++ b/src/user/config/keys/age/README.md
@@ -0,0 +1,3 @@
+# Age Keys
+
+yubikey.pub.key - Cold storage backup for age encryption
diff --git a/src/user/config/keys/age/yubikey.pub.key b/src/user/config/keys/age/yubikey.pub.key
new file mode 100644
index 0000000..559bc52
--- /dev/null
+++ b/src/user/config/keys/age/yubikey.pub.key
@@ -0,0 +1 @@
+age1yubikey1qfapxqnnkh92zkgayzzm9n0gtpkwaqcvrzy4d4xa4rxnjua8vjhy72hh9r9
diff --git a/src/user/config/keys/default.nix b/src/user/config/keys/default.nix
index 6808c06..e3f3aaf 100644
--- a/src/user/config/keys/default.nix
+++ b/src/user/config/keys/default.nix
@@ -1,13 +1,17 @@
+{ lib }:
+
 with builtins;
 let
- extractName = string:
+ extractName = filename:
 let
- metadata = [
- "pub" "public" "priv" "private"
- "key" "file" "." "_" "-" "pk"
- ];
- in
- replaceStrings metadata (builtins.map (_: "") metadata) string;
+ # Remove .key extension
+ noKey = lib.removeSuffix ".key" filename;
+ # Remove .pub/.priv/.public/.private markers
+ noMarkers = replaceStrings
+ [ ".pub" ".priv" ".public" ".private" ]
+ [ "" "" "" "" ]
+ noKey;
+ in noMarkers;
 
 constructKeys = dir: (
 listToAttrs (
@@ -17,7 +21,10 @@ let
 map (file: {
 name = extractName file;
 value = readFile "${dir}/${subdir}/${file}";
- }) (filter (node: (readDir "${dir}/${subdir}").${node} == "regular") (attrNames (readDir "${dir}/${subdir}")))
+ }) (filter (file:
+ (readDir "${dir}/${subdir}").${file} == "regular" &&
+ lib.hasSuffix ".key" file
+ ) (attrNames (readDir "${dir}/${subdir}")))
 );
 }) (filter (node: (readDir dir).${node} == "directory") (attrNames (readDir dir)))
 )
diff --git a/src/user/config/keys/pgp/README.md b/src/user/config/keys/pgp/README.md
new file mode 100644
index 0000000..50fb051
--- /dev/null
+++ b/src/user/config/keys/pgp/README.md
@@ -0,0 +1,5 @@
+# PGP Keys
+
+yubikey.pub.key -
+work.pub.key -> bryan.ramos@concurrent-rt.com
+ccur.pub.key -> ?
diff --git a/src/user/config/keys/pgp/primary.pub.key b/src/user/config/keys/pgp/yubikey.pub.key
similarity index 100%
rename from src/user/config/keys/pgp/primary.pub.key
rename to src/user/config/keys/pgp/yubikey.pub.key
diff --git a/src/user/config/keys/ssh/README.md b/src/user/config/keys/ssh/README.md
new file mode 100644
index 0000000..2ebbe16
--- /dev/null
+++ b/src/user/config/keys/ssh/README.md
@@ -0,0 +1,5 @@
+# SSH Keys
+
+yubikey.pub.key -> PGP derived from `pgp.yubikey.pub.key`
+work.pub.key - ?
+graphone.pub.key -> For Android `pass`
diff --git a/src/user/config/keys/ssh/android.pub.key b/src/user/config/keys/ssh/graphone.pub.key
similarity index 100%
rename from src/user/config/keys/ssh/android.pub.key
rename to src/user/config/keys/ssh/graphone.pub.key
diff --git a/src/user/config/keys/ssh/primary.pub.key b/src/user/config/keys/ssh/yubikey.pub.key
similarity index 100%
rename from src/user/config/keys/ssh/primary.pub.key
rename to src/user/config/keys/ssh/yubikey.pub.key
diff --git a/src/user/modules/security/modules/gpg/default.nix b/src/user/modules/security/modules/gpg/default.nix
index 79b5ec5..1751008 100644
--- a/src/user/modules/security/modules/gpg/default.nix
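Review bot: The new filter predicate calls `readDir "${dir}/${subdir}"` again for every file on the `== "regular"` check, on top of the `attrNames (readDir …)` call that produced the list, so each subdirectory appears to be read once per entry plus once more; binding it a single time, `let entries = readDir "${dir}/${subdir}"; in … filter (file: entries.${file} == "regular" && lib.hasSuffix ".key" file) (attrNames entries)`, reads it once and makes the predicate easier to follow. The same shape is in the new `src/system/config/keys/default.nix` earlier in this commit. The enclosing `constructKeys` binding starts before this hunk.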
+++ b/src/user/modules/security/modules/gpg/default.nix
@@ -18,7 +18,7 @@ in
 };
 publicKeys = [
 {
- text = "${config.user.keys.pgp.primary}";
+ text = "${config.user.keys.pgp.yubikey}";
 trust = 5;
 }
 ] ++ optionals (osConfig.networking.hostName == "workstation") [