Reconfigure sops

Refactor git ssh signing
Enable ssh sign on vm
2023-04-26 01:28:39 -04:00 · 2023-04-26 01:25:39 -04:00 · 2023-04-26 01:21:29 -04:00 · 2023-04-26 01:19:06 -04:00
7 changed files with 48 additions and 22 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -8,6 +8,7 @@ keys:
  - &matrix age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d
  - &tounge age15vjvppw2gzjwmtlptefhrhqtjyu0a07v488a9s25a3k2vtpqc9uqvw6vl6
  - &fusion age1fe57fel46lk5n9t34lh5nl909gk88trwy9ttgxqk3up9d83wxsnsdmuu3a
+  - &productivity-vm age1n5g03x8p54kzx9nktqgasjugqjydz8u0rw9zcdx5l9c486h3me6qtnh57s
 creation_rules:
  - path_regex: secrets/all/.*
    key_groups:
@ -20,6 +21,7 @@ creation_rules:
          - *matrix
          - *tounge
          - *fusion
+          - *productivity-vm
  - path_regex: secrets/levitation
    key_groups:
      - age:
--- a/home-manager/common/programs/core.nix
+++ b/home-manager/common/programs/core.nix
@ -74,6 +74,16 @@ with lib; {
          signByDefault = lib.mkDefault config.nathan.programs.util.git.gpgSign;
        };
      })
+    (mkIf (config.nathan.programs.util.git.enable
+      && config.nathan.programs.util.git.sshSign) {
+        programs.git = {
+          extraConfig = {
+            commit.gpgsign = true;
+            gpg.format = "ssh";
+            user.signingkey = "~/.ssh/id_ed25519.pub";
+          };
+        };
+      })
    (mkIf config.nathan.programs.util.git.enable {
      # Git adjacent packages
      home.packages = [
--- a/home-manager/options.nix
+++ b/home-manager/options.nix
@ -22,6 +22,7 @@ with nLib; {
            enable = mkEnableOptionT "git";
            gpgSign =
              mkDefaultOption "git signatures" config.nathan.config.isDesktop;
+            sshSign = mkDefaultOption "git ssh signatures" false;
          };
          # Bat configuration, enabled by default
          bat = mkEnableOptionT "bat";
--- a/info/ssh-keys.nix
+++ b/info/ssh-keys.nix
@ -0,0 +1,23 @@
+{ config, lib, pkgs }: rec {
+  keys = {
+    # yubikey ssh key
+    "yubikey" =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRs6zVljIlQEZ8F+aEBqqbpeFJwCw3JdveZ8TQWfkev cardno:000615938515";
+    # WSL key
+    "wsl" =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXEV5lvLQ1CcPuJANv5AiYxtcRFEYXD5nODCazWnYC5 nathan@mccarty.io";
+    # Phone key
+    "phone" =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFR0zpmBCb0iEOeeI6SBwgucddNzccfQ5Zmdgib5iSmF nix-on-droid@localhost";
+    # Tablet key
+    "tablet" =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKltqneJjfdLjOvnWQC2iP7hP7aTYkURPiR8LFjB7z87 nix-on-droid@localhost";
+    # Macbook key
+    "extremophile" =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLIZC4A4OhpTvfoL5jeMb1Ong9CwZ/URCYZL6y4Gp7b nathan@extremophile.local";
+    # vm key
+    "productivity-vm" =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgtdTJThr5/vfUswQb3ee6A++W1OxAOGFQJTE8xDuHv nathan@productivity-vm";
+  };
+  list = builtins.attrValues keys;
+}
--- a/machines/productivity-vm/home.nix
+++ b/machines/productivity-vm/home.nix
@ -7,6 +7,10 @@
    programs = {
      media.enable = false;
      util = { wine = true; };
+      git = {
+        gpgSign = false;
+        sshSign = true;
+      };
      # games = { launcher = true; };
      # media.nicotineService = true;
    };
--- a/machines/wsl/home.nix
+++ b/machines/wsl/home.nix
@ -9,7 +9,10 @@
      };
    };
    programs = {
-      util = { productivity = true; };
+      util = {
+        productivity = true;
+        git.sshSign = true;
+      };
      devel = {
        core = true;
        rust = true;
@ -22,12 +25,4 @@
      };
    };
  };
-  # Setup git commit signing with ssh key
-  programs.git = {
-    extraConfig = {
-      commit.gpgsign = true;
-      gpg.format = "ssh";
-      user.signingkey = "~/.ssh/id_ed25519.pub";
-    };
-  };
 }
--- a/modules/linux/user.nix
+++ b/modules/linux/user.nix
@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }:
-let nc = config.nathan.config;
+let
+  nc = config.nathan.config;
+  ssh = import ../../info/ssh-keys.nix { };
 in with lib; {
  config = mkMerge [
    {
@ -32,18 +34,7 @@ in with lib; {
            ];
            hashedPassword =
              "$6$ShBAPGwzKZuB7eEv$cbb3erUqtVGFo/Vux9UwT2NkbVG9VGCxJxPiZFYL0DIc3t4GpYxjkM0M7fFnh.6V8MoSKLM/TvOtzdWbYwI58.";
-            openssh.authorizedKeys.keys = [
-              # yubikey ssh key
-              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRs6zVljIlQEZ8F+aEBqqbpeFJwCw3JdveZ8TQWfkev cardno:000615938515"
-              # WSL key
-              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXEV5lvLQ1CcPuJANv5AiYxtcRFEYXD5nODCazWnYC5 nathan@mccarty.io"
-              # Phone key
-              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFR0zpmBCb0iEOeeI6SBwgucddNzccfQ5Zmdgib5iSmF nix-on-droid@localhost"
-              # Tablet key
-              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKltqneJjfdLjOvnWQC2iP7hP7aTYkURPiR8LFjB7z87 nix-on-droid@localhost"
-              # Macbook key
-              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLIZC4A4OhpTvfoL5jeMb1Ong9CwZ/URCYZL6y4Gp7b nathan@extremophile.local"
-            ];
+            openssh.authorizedKeys.keys = ssh.list;
          })
        ];
      };
Author	SHA1	Message	Date
Nathan McCarty	9ec930a1d2	Reconfigure sops	2023-04-26 01:28:39 -04:00
Nathan McCarty	7d45b0584a	Refactor git ssh signing	2023-04-26 01:25:39 -04:00
Nathan McCarty	3df790a53c	Enable ssh sign on vm	2023-04-26 01:21:29 -04:00
Nathan McCarty	94a6643fc4	Refactor ssh keys	2023-04-26 01:19:06 -04:00