bryan/nixos
0
0
Fork 0
mirror of https://github.com/itme-brain/nixos.git synced 2026-03-23 16:29:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add machines.keys config and reorganize key structure

Browse source 
- Add config.machines.keys for machine-specific keys (private keys live on that machine)
- Move desktop SSH key to machines.keys.desktop.ssh
- Fix extractName to preserve "yubikey" (only strip .key/.pub extensions)
- Rename key files for clarity (android -> graphone, primary -> yubikey)
- Add age yubikey key for encrypted backups
- Add README files to document key purposes
- Update all machine configs to import system config
This commit is contained in:
Bryan Ramos 2026-03-12 15:17:46 -04:00
parent 570a321e53
commit 960904cbd9
24 changed files with 94 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

14
src/system/config/default.nix Normal file
View file

@ -0,0 +1,14 @@
{ lib, pkgs, config, ... }:
with lib;
{
options = {
machines = mkOption {
description = "Machine Configurations";
type = types.attrs;
default = {
keys = import ./keys { inherit lib; };
};
};
};
}

33
src/system/config/keys/default.nix Normal file
View file

@ -0,0 +1,33 @@
{ lib }:
with builtins;
let
extractName = filename:
let
# Remove .key extension
noKey = lib.removeSuffix ".key" filename;
# Remove .pub/.priv/.public/.private markers
noMarkers = replaceStrings
[ ".pub" ".priv" ".public" ".private" ]
[ "" "" "" "" ]
noKey;
in noMarkers;
constructKeys = dir: (
listToAttrs (
map (subdir: {
name = subdir;
value = listToAttrs (
map (file: {
name = extractName file;
value = readFile "${dir}/${subdir}/${file}";
}) (filter (file:
(readDir "${dir}/${subdir}").${file} == "regular" &&
lib.hasSuffix ".key" file
) (attrNames (readDir "${dir}/${subdir}")))
);
}) (filter (node: (readDir dir).${node} == "directory") (attrNames (readDir dir)))
)
);
in
constructKeys ./.

3
src/system/config/keys/desktop/README.md Normal file
View file

@ -0,0 +1,3 @@
# Desktop Keys
ssh.pub.key - ~/.ssh/id_rsa

0
src/user/config/keys/ssh/desktop.pub.key → src/system/config/keys/desktop/ssh.pub.key
View file

1
src/system/machines/desktop/default.nix
View file

@ -3,6 +3,7 @@
{ {
imports = [ imports = [
../../../user/config ../../../user/config
../../config
./hardware.nix ./hardware.nix
./system.nix ./system.nix
./modules/disko ./modules/disko

2
src/system/machines/desktop/system.nix
View file

@ -13,7 +13,7 @@ in
isNormalUser = true; isNormalUser = true;
extraGroups = config.user.groups extraGroups = config.user.groups
++ [ "video" "audio" "kvm" "libvirtd" "dialout" ]; ++ [ "video" "audio" "kvm" "libvirtd" "dialout" ];
openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.android}" ]; openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.graphone}" ];
}; };
}; };

1
src/system/machines/server/default.nix
View file

@ -3,6 +3,7 @@
{ {
imports = [ imports = [
../../../user/config ../../../user/config
../../config
./hardware.nix ./hardware.nix
./system.nix ./system.nix
]; ];

9
src/system/machines/server/system.nix
View file

@ -12,13 +12,12 @@
backup = { backup = {
enable = true; enable = true;
recipients = [ recipients = [
# TODO: Add your age recipients "${config.user.keys.age.yubikey}"
# "${config.user.keys.age.yubikey}" "${config.machines.keys.desktop.ssh}"
# "${config.user.keys.ssh.desktop}"
]; ];
destination = "gdrive:backups/server"; # TODO: configure rclone remote destination = "gdrive:backups/server"; # TODO: configure rclone remote
schedule = "daily"; schedule = "daily";
keepLast = 7; keepLast = 2;
}; };
}; };
@ -27,7 +26,7 @@
isNormalUser = true; isNormalUser = true;
extraGroups = config.user.groups; extraGroups = config.user.groups;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"${config.user.keys.ssh.desktop}" "${config.machines.keys.desktop.ssh}"
]; ];
}; };
}; };

1
src/system/machines/vm/default.nix
View file

@ -3,6 +3,7 @@
{ {
imports = [ imports = [
../../../user/config ../../../user/config
../../config
./hardware.nix ./hardware.nix
./system.nix ./system.nix
]; ];

2
src/system/machines/vm/system.nix
View file

@ -8,7 +8,7 @@
${config.user.name} = { ${config.user.name} = {
isNormalUser = true; isNormalUser = true;
extraGroups = config.user.groups; extraGroups = config.user.groups;
openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.primary}" ]; openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.yubikey}" ];
}; };
}; };

1
src/system/machines/workstation/default.nix
View file

@ -3,6 +3,7 @@
{ {
imports = [ imports = [
../../../user/config ../../../user/config
../../config
./hardware.nix ./hardware.nix
./system.nix ./system.nix
]; ];

2
src/system/machines/workstation/system.nix
View file

@ -10,7 +10,7 @@ with lib;
extraGroups = config.user.groups extraGroups = config.user.groups
++ [ "video" "audio" "kvm" "libvirtd" "dialout" ]; ++ [ "video" "audio" "kvm" "libvirtd" "dialout" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"${config.user.keys.ssh.primary}" "${config.user.keys.ssh.yubikey}"
"${config.user.keys.ssh.work}" "${config.user.keys.ssh.work}"
]; ];
}; };

1
src/system/machines/wsl/default.nix
View file

@ -3,6 +3,7 @@
{ {
imports = [ imports = [
../../../user/config ../../../user/config
../../config
./system.nix ./system.nix
]; ];
} }

3
src/system/machines/wsl/system.nix
View file

@ -9,8 +9,7 @@
isNormalUser = true; isNormalUser = true;
extraGroups = config.user.groups; extraGroups = config.user.groups;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"${config.user.keys.ssh.primary}" "${config.user.keys.ssh.yubikey}"
"${config.user.keys.ssh.windows}"
]; ];
}; };
}; };

2
src/user/config/default.nix
View file

@ -14,7 +14,7 @@ in
name = "bryan"; name = "bryan";
email = "bryan@ramos.codes"; email = "bryan@ramos.codes";
shell = bash; shell = bash;
keys = import ./keys; keys = import ./keys { inherit lib; };
groups = [ "wheel" "networkmanager" "home-manager" "input" ]; groups = [ "wheel" "networkmanager" "home-manager" "input" ];
bookmarks = import ./bookmarks; bookmarks = import ./bookmarks;

3
src/user/config/keys/age/README.md Normal file
View file

@ -0,0 +1,3 @@
# Age Keys
yubikey.pub.key - Cold storage backup for age encryption

1
src/user/config/keys/age/yubikey.pub.key Normal file
View file

@ -0,0 +1 @@
age1yubikey1qfapxqnnkh92zkgayzzm9n0gtpkwaqcvrzy4d4xa4rxnjua8vjhy72hh9r9

23
src/user/config/keys/default.nix
View file

@ -1,13 +1,17 @@
{ lib }:
with builtins; with builtins;
let let
extractName = string: extractName = filename:
let let
metadata = [ # Remove .key extension
"pub" "public" "priv" "private" noKey = lib.removeSuffix ".key" filename;
"key" "file" "." "_" "-" "pk" # Remove .pub/.priv/.public/.private markers
]; noMarkers = replaceStrings
in [ ".pub" ".priv" ".public" ".private" ]
replaceStrings metadata (builtins.map (_: "") metadata) string; [ "" "" "" "" ]
noKey;
in noMarkers;
constructKeys = dir: ( constructKeys = dir: (
listToAttrs ( listToAttrs (
@ -17,7 +21,10 @@ let
map (file: { map (file: {
name = extractName file; name = extractName file;
value = readFile "${dir}/${subdir}/${file}"; value = readFile "${dir}/${subdir}/${file}";
}) (filter (node: (readDir "${dir}/${subdir}").${node} == "regular") (attrNames (readDir "${dir}/${subdir}"))) }) (filter (file:
(readDir "${dir}/${subdir}").${file} == "regular" &&
lib.hasSuffix ".key" file
) (attrNames (readDir "${dir}/${subdir}")))
); );
}) (filter (node: (readDir dir).${node} == "directory") (attrNames (readDir dir))) }) (filter (node: (readDir dir).${node} == "directory") (attrNames (readDir dir)))
) )

5
src/user/config/keys/pgp/README.md Normal file
View file

@ -0,0 +1,5 @@
# PGP Keys
yubikey.pub.key -
work.pub.key -> bryan.ramos@concurrent-rt.com
ccur.pub.key -> ?

0
src/user/config/keys/pgp/primary.pub.key → src/user/config/keys/pgp/yubikey.pub.key
View file

5
src/user/config/keys/ssh/README.md Normal file
View file

@ -0,0 +1,5 @@
# SSH Keys
yubikey.pub.key -> PGP derived from `pgp.yubikey.pub.key`
work.pub.key - ?
graphone.pub.key -> For Android `pass`

0
src/user/config/keys/ssh/android.pub.key → src/user/config/keys/ssh/graphone.pub.key
View file

0
src/user/config/keys/ssh/primary.pub.key → src/user/config/keys/ssh/yubikey.pub.key
View file

2
src/user/modules/security/modules/gpg/default.nix
View file

@ -18,7 +18,7 @@ in
}; };
publicKeys = [ publicKeys = [
{ {
text = "${config.user.keys.pgp.primary}"; text = "${config.user.keys.pgp.yubikey}";
trust = 5; trust = 5;
} }
] ++ optionals (osConfig.networking.hostName == "workstation") [ ] ++ optionals (osConfig.networking.hostName == "workstation") [