Generate git allowed_signers file

home-manager/common/programs/core.nix

@@ -76,11 +76,16 @@ with lib; {
       })
     (mkIf (config.nathan.programs.util.git.enable
       && config.nathan.programs.util.git.sshSign) {
+        home.file.allowedSigners = {
+          target = ".ssh/allowed_signers";
+          text = (import ../../../info/ssh-keys.nix).allowedSigners;
+        };
         programs.git = {
           extraConfig = {
             commit.gpgsign = true;
             gpg.format = "ssh";
             user.signingkey = "~/.ssh/id_ed25519.pub";
+            gpg.ssh.allowedSignersFile = "~/.ssh/allowed_signers";
           };
         };
       })

info/ssh-keys.nix

@@ -1,23 +1,45 @@
 rec {
   keys = {
     # yubikey ssh key
-    "yubikey" =
+    "yubikey" = {
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRs6zVljIlQEZ8F+aEBqqbpeFJwCw3JdveZ8TQWfkev cardno:000615938515";
+      key =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRs6zVljIlQEZ8F+aEBqqbpeFJwCw3JdveZ8TQWfkev cardno:000615938515";
+    };
+    # levitation ssh key
+    "levitation" = {
+      key =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0zeLTlg++shIYcqxksDVkTtHS3MIvlqPIIW+9pufQa nathan@levitation";
+    };
     # WSL key
-    "wsl" =
+    "wsl" = {
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXEV5lvLQ1CcPuJANv5AiYxtcRFEYXD5nODCazWnYC5 nathan@mccarty.io";
+      key =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXEV5lvLQ1CcPuJANv5AiYxtcRFEYXD5nODCazWnYC5 nathan@mccarty.io";
+    };
     # Phone key
-    "phone" =
+    "phone" = {
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFR0zpmBCb0iEOeeI6SBwgucddNzccfQ5Zmdgib5iSmF nix-on-droid@localhost";
+      key =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFR0zpmBCb0iEOeeI6SBwgucddNzccfQ5Zmdgib5iSmF nix-on-droid@localhost";
+    };
     # Tablet key
-    "tablet" =
+    "tablet" = {
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKltqneJjfdLjOvnWQC2iP7hP7aTYkURPiR8LFjB7z87 nix-on-droid@localhost";
+      key =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKltqneJjfdLjOvnWQC2iP7hP7aTYkURPiR8LFjB7z87 nix-on-droid@localhost";
+    };
     # Macbook key
-    "extremophile" =
+    "extremophile" = {
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLIZC4A4OhpTvfoL5jeMb1Ong9CwZ/URCYZL6y4Gp7b nathan@extremophile.local";
+      key =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLIZC4A4OhpTvfoL5jeMb1Ong9CwZ/URCYZL6y4Gp7b nathan@extremophile.local";
+    };
     # vm key
-    "productivity-vm" =
+    "productivity-vm" = {
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgtdTJThr5/vfUswQb3ee6A++W1OxAOGFQJTE8xDuHv nathan@productivity-vm";
+      key =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgtdTJThr5/vfUswQb3ee6A++W1OxAOGFQJTE8xDuHv nathan@productivity-vm";
+    };
   };
-  list = builtins.attrValues keys;
+  list = map (x: x.key) (builtins.attrValues keys);
+  allowedSigners = builtins.concatStringsSep "\n" (map (x:
+    "${
+      builtins.concatStringsSep ","
+      (x.emails or [ "*@mccarty.io" "*@stranger.systems" ])
+    } ${x.key}") (builtins.attrValues keys));
 }

machines/levitation/home.nix

@@ -3,7 +3,13 @@
     services = { email = { enable = true; }; };
     config = { isDesktop = true; };
     programs = {
-      util = { wine = true; };
+      util = {
+        wine = true;
+        git = {
+          gpgSign = false;
+          sshSign = true;
+        };
+      };
       games = { launcher = true; };
       media.nicotineService = true;
     };