security: use less fixed private keys

2025-12-04 16:20:01 +01:00 · 2025-12-04 16:20:01 +01:00 · 42b2825c08
commit 42b2825c08
parent ffb3f335b4
2 changed files with 41 additions and 4 deletions
--- a/modules/users/root/default.nix
+++ b/modules/users/root/default.nix
@ -1,6 +1,6 @@
 topLevel: {
-  flake = {
-    modules.nixos.root =
+  flake.modules = {
+    nixos.root =
      {
        config,
        inputs,
@ -19,6 +19,7 @@ topLevel: {

                # Activate all user based config
                cholli # TODO: make root based config that makes it clear I am root user right now
+                root
              ];
            };
          }
@ -32,5 +33,33 @@ topLevel: {
          hashedPasswordFile = config.sops.secrets.passwordHash.path;
        };
      };
+
+    homeManager.root =
+      {
+        lib,
+        osConfig,
+        pkgs,
+        ...
+      }:
+      let
+
+        generateHostEntry = machine: ''
+          Host ${machine.hostName}
+            IdentitiesOnly yes
+            IdentityFile ${machine.sshKey}
+            User remotebuild
+        '';
+
+        filteredMachines = lib.filter (machine: machine.hostName != "localhost") osConfig.nix.buildMachines;
+        remotebuild-ssh-config = pkgs.writeTextFile {
+          name = "remotebuild-ssh-config";
+          text = lib.concatMapStringsSep "\n" generateHostEntry filteredMachines;
+        };
+      in
+      {
+        home.file = {
+          ".ssh/config".source = remotebuild-ssh-config;
+        };
+      };
  };
 }