Refactor imports and secrets. Add per system properties and role based secret access.

Highlights
- No need to update flake for every machine anymore, just add a properties.nix file.
- Roles are automatically generated from all machine configurations.
- Roles and their secrets automatically are grouped and show up in agenix secrets.nix
- Machines and their service configs may now query the properties of all machines.
- Machine configuration and secrets are now competely isolated into each machine's directory.
- Safety checks to ensure no mixing of luks unlocking secrets and hosts with primary ones.
- SSH pubkeys no longer centrally stored but instead per machine where the private key lies for better cleanup.

machines/ephemeral/minimal.nix

@@ -1,8 +1,10 @@
-{ pkgs, modulesPath, ... }:
+{ config, pkgs, modulesPath, ... }:
 
 {
   imports = [
     (modulesPath + "/installer/cd-dvd/channel.nix")
+    ../../common/machine-info
+    ../../common/ssh.nix
   ];
 
   boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
@@ -16,6 +18,8 @@
 
   boot.kernelPackages = pkgs.linuxPackages_latest;
 
+  system.stateVersion = "21.11";
+
   # hardware.enableAllFirmware = true;
   # nixpkgs.config.allowUnfree = true;
 
@@ -38,10 +42,12 @@
 
   services.openssh = {
     enable = true;
-    challengeResponseAuthentication = false;
-    passwordAuthentication = false;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
+    };
   };
 
   services.getty.autologinUser = "root";
-  users.users.root.openssh.authorizedKeys.keys = (import ../../common/ssh.nix).users;
+  users.users.root.openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
 }

machines/phil/properties.nix

@@ -0,0 +1,19 @@
+{
+  hostNames = [
+    "phil"
+    "phil.neet.dev"
+  ];
+
+  arch = "aarch64-linux";
+
+  systemRoles = [
+    "server"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlOs6mTZCSJL/XM6NysHN0ZNQAyj2GEwBV2Ze6NxRmr";
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqy9X/m67oXJBX+OMdIqpiLONYc5aQ2nHeEPAaj/vgN";
+    clearnetHost = "unlock.phil.neet.dev";
+  };
+}

machines/ponyo/properties.nix

@@ -0,0 +1,28 @@
+{
+  hostNames = [
+    "ponyo"
+    "ponyo.neet.dev"
+    "git.neet.dev"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "server"
+    "email-server"
+    "iodine"
+    "pia"
+    "nextcloud"
+    "dailybot"
+    "gitea"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
+
+    clearnetHost = "unlock.ponyo.neet.dev";
+    onionHost = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
+  };
+}

machines/ray/properties.nix

@@ -0,0 +1,22 @@
+{
+  hostNames = [
+    "ray"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "personal"
+    "deploy"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
+
+  userKeys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP"
+  ];
+
+  deployKeys = [
+    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEaGIwLiUa6wQLlEF+keQOIYy/tCmJvV6eENzUQjSqW2AAAABHNzaDo="
+  ];
+}

machines/router/properties.nix

@@ -0,0 +1,21 @@
+{
+  hostNames = [
+    "router"
+    "192.168.1.228"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "server"
+    "wireless"
+    "router"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
+    onionHost = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
+  };
+}

machines/storage/s0/properties.nix

@@ -0,0 +1,20 @@
+{
+  hostNames = [
+    "s0"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "storage"
+    "server"
+    "pia"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
+    onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
+  };
+}