From 42b2825c08a83b0155a28693fbb1d07fec879487 Mon Sep 17 00:00:00 2001
From: Christoph Hollizeck
Date: Thu, 4 Dec 2025 16:20:01 +0100
Subject: [PATCH] security: use less fixed private keys
---
 modules/hosts/yggdrasil/default.nix | 12 +++++++++--
 modules/users/root/default.nix | 33 +++++++++++++++++++++++++++--
 2 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/modules/hosts/yggdrasil/default.nix b/modules/hosts/yggdrasil/default.nix
index e0f5809..76527f3 100644
--- a/modules/hosts/yggdrasil/default.nix
+++ b/modules/hosts/yggdrasil/default.nix
@@ -79,14 +79,22 @@ topLevel: {
 ];
 };
+ sops.secrets = {
+ "remotebuild/private-key" = {
+ sopsFile = ../../../secrets/secrets.yaml;
+ owner = "cholli";
+ mode = "0400";
+ };
+ };
+
 nix = {
 distributedBuilds = true;
 settings.builders-use-substitutes = true;
 buildMachines = [
 {
- hostName = "192.168.178.2";
+ hostName = "nixberry";
 sshUser = "remotebuild";
- sshKey = "/root/.ssh/remotebuild";
+ sshKey = config.sops.secrets."remotebuild/private-key".path;
 systems = [
 "aarch64-linux"
 ];
 protocol = "ssh-ng";
diff --git a/modules/users/root/default.nix b/modules/users/root/default.nix
index ac236de..6361a36 100644
--- a/modules/users/root/default.nix
+++ b/modules/users/root/default.nix
@@ -1,6 +1,6 @@
 topLevel: {
- flake = {
- modules.nixos.root =
+ flake.modules = {
+ nixos.root =
 {
 config,
 inputs,
@@ -19,6 +19,7 @@ topLevel: {
 # Activate all user based config
 cholli
 # TODO: make root based config that makes it clear I am root user right now
+ root
 ];
 };
 }
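Review bot: The key now comes from the sops path but is declared with `owner = "cholli"`, while the consumer of `sshKey` in this hunk is the remote-build ssh that nix-daemon runs as root; unless cholli also drives remote builds outside the daemon, the owner can stay at its root default so the private key is not readable by an interactive account. As far as I can tell OpenSSH only rejects identity files that are group/world-readable, so `mode = "0400"` works for root regardless of owner. The switch from the fixed IP to `hostName = "nixberry"` also changes which known_hosts entry applies: root's non-interactive ssh needs a host key recorded under that name (for example via `programs.ssh.knownHosts`), which is not visible in this hunk and may already be configured elsewhere. The `nix` block continues past the end of the hunk.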
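Review bot: The `# TODO: make root based config that makes it clear I am root user right now` line now sits directly above the new `root` entry; if that module is what the TODO asked for, the comment is stale and should be dropped, otherwise a short comment such as `# root-specific config (the TODO above is still open)` would keep the two bare identifiers `cholli` and `root` readable. The list they are appended to starts outside the hunk, so I cannot tell what it imports.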
@@ -32,5 +33,33 @@ topLevel: {
 hashedPasswordFile = config.sops.secrets.passwordHash.path;
 };
 };
+
+ homeManager.root =
+ {
+ lib,
+ osConfig,
+ pkgs,
+ ...
+ }:
+ let
+
+ generateHostEntry = machine: ''
+ Host ${machine.hostName}
+ IdentitiesOnly yes
+ IdentityFile ${machine.sshKey}
+ User remotebuild
+ '';
+
+ filteredMachines = lib.filter (machine: machine.hostName != "localhost") osConfig.nix.buildMachines;
+ remotebuild-ssh-config = pkgs.writeTextFile {
+ name = "remotebuild-ssh-config";
+ text = lib.concatMapStringsSep "\n" generateHostEntry filteredMachines;
+ };
+ in
+ {
+ home.file = {
+ ".ssh/config".source = remotebuild-ssh-config;
+ };
+ };
 };
 }
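Review bot: `generateHostEntry` interpolates `${machine.sshKey}` unconditionally and hard-codes `User remotebuild`, but `nix.buildMachines` entries carry their own `sshUser` (the yggdrasil entry sets it) and `sshKey` is optional in the NixOS option (null by default, as far as I recall), so any builder without a key would fail evaluation with a null-to-string coercion error and one with another user would get the wrong login. I would guard both lines: `${lib.optionalString (machine.sshKey != null) "IdentityFile ${machine.sshKey}"}` and `User ${if machine.sshUser != null then machine.sshUser else "remotebuild"}`. Note also that `home.file.".ssh/config"` replaces root's entire ssh config, so it will conflict if root's home-manager profile also enables `programs.ssh`. The generated file lands in the world-readable store, which is acceptable here only because it contains the key's path, not the key itself.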