Refactor imports and secrets. Add per system properties and role based secret access.

Highlights - No need to update flake for every machine anymore, just add a properties.nix file. - Roles are automatically generated from all machine configurations. - Roles and their secrets automatically are grouped and show up in agenix secrets.nix - Machines and their service configs may now query the properties of all machines. - Machine configuration and secrets are now competely isolated into each machine's directory. - Safety checks to ensure no mixing of luks unlocking secrets and hosts with primary ones. - SSH pubkeys no longer centrally stored but instead per machine where the private key lies for better cleanup.
2023-04-20 22:01:21 -06:00
parent a02775a234
commit 71baa09bd2
42 changed files with 632 additions and 383 deletions
--- a/common/network/default.nix
+++ b/common/network/default.nix
@@ -7,7 +7,6 @@ let
 in
 {
  imports = [
-    ./hosts.nix
    ./pia-openvpn.nix
    ./pia-wireguard.nix
    ./ping.nix
--- a/common/network/hosts.nix
+++ b/common/network/hosts.nix
@@ -1,66 +0,0 @@
-{ config, lib, ... }:
-
-let
-  system = (import ../ssh.nix).system;
-
-  # hostnames that resolve on clearnet for LUKS unlocking
-  unlock-clearnet-hosts = {
-    ponyo = "unlock.ponyo.neet.dev";
-    phil = "unlock.phil.neet.dev";
-    s0 = "s0";
-  };
-
-  # hostnames that resolve on tor for LUKS unlocking
-  unlock-onion-hosts = {
-    liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion";
-    router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
-    ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
-    s0 = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
-  };
-in
-{
-  programs.ssh.knownHosts = {
-    ponyo = {
-      hostNames = [ "ponyo" "ponyo.neet.dev" "git.neet.dev" ];
-      publicKey = system.ponyo;
-    };
-    ponyo-unlock = {
-      hostNames = [ unlock-clearnet-hosts.ponyo unlock-onion-hosts.ponyo ];
-      publicKey = system.ponyo-unlock;
-    };
-    phil = {
-      hostNames = [ "phil" "phil.neet.dev" ];
-      publicKey = system.phil;
-    };
-    phil-unlock = {
-      hostNames = [ unlock-clearnet-hosts.phil ];
-      publicKey = system.phil-unlock;
-    };
-    router = {
-      hostNames = [ "router" "192.168.1.228" ];
-      publicKey = system.router;
-    };
-    router-unlock = {
-      hostNames = [ unlock-onion-hosts.router ];
-      publicKey = system.router-unlock;
-    };
-    ray = {
-      hostNames = [ "ray" ];
-      publicKey = system.ray;
-    };
-    s0 = {
-      hostNames = [ "s0" ];
-      publicKey = system.s0;
-    };
-    s0-unlock = {
-      hostNames = [ unlock-onion-hosts.s0 ];
-      publicKey = system.s0-unlock;
-    };
-  };
-
-  # prebuilt cmds for easy ssh LUKS unlock
-  environment.shellAliases =
-    lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) unlock-onion-hosts
-    //
-    lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) unlock-clearnet-hosts;
-}
--- a/common/network/pia-openvpn.nix
+++ b/common/network/pia-openvpn.nix
@@ -108,6 +108,6 @@ in
        };
      };
    };
-    age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@@ -352,6 +352,6 @@ in
      };
    };

-    age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }