From a0cf3f1a3c20e28153419671e734aa6ef42e53b8 Mon Sep 17 00:00:00 2001
From: alina sireneva
Date: Wed, 1 May 2024 05:48:50 +0300
Subject: [PATCH] feat(teidesu): nix-managed ssh config

---
 agenix-edit | 2 +-
 lib/secrets-unsafe.nix | 24 +++++++-----
 secrets/UNSAFE.desu-arm-ip.age | Bin 0 -> 225 bytes
 ssh/teidesu-git.pub | 1 +
 users/teidesu/{ => assets}/alacritty.toml | 0
 users/teidesu/assets/base_known_hosts | 8 ++++
 users/teidesu/common.nix | 1 +
 users/teidesu/darwin.nix | 2 +-
 users/teidesu/ssh.nix | 45 ++++++++++++++++++++++
 9 files changed, 71 insertions(+), 12 deletions(-)
 create mode 100644 secrets/UNSAFE.desu-arm-ip.age
 create mode 100644 ssh/teidesu-git.pub
 rename users/teidesu/{ => assets}/alacritty.toml (100%)
 create mode 100644 users/teidesu/assets/base_known_hosts
 create mode 100644 users/teidesu/ssh.nix

diff --git a/agenix-edit b/agenix-edit
index 2eb5b87..a6129d4 100755
--- a/agenix-edit
+++ b/agenix-edit
@@ -13,7 +13,7 @@ name="$1"
 script_dir=$(dirname "$(readlink -f "$0")")
 if [ "$is_unsafe" == "true" ]; then
- name="$name.UNSAFE"
+ name="UNSAFE.$name"
 public_key=$(cat "$script_dir/ssh/agenix-unsafe.pub")
 else
 public_key=$(cat "$script_dir/ssh/agenix.pub")
diff --git a/lib/secrets-unsafe.nix b/lib/secrets-unsafe.nix
index 3367f23..232f8e5 100644
--- a/lib/secrets-unsafe.nix
+++ b/lib/secrets-unsafe.nix
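Review bot: The `UNSAFE.$name` prefix on the `+` line is the only thing tying this script to the `../secrets + "/UNSAFE.${name}.age"` lookup in lib/secrets-unsafe.nix, and nothing in the diffstat renames an existing `*.UNSAFE.age` file, so any secret encrypted under the old suffix scheme would presumably no longer be found by readUnsafe after this change; worth confirming none exist. A one-line comment above the assignment would make the coupling visible to the next editor, e.g. `# "UNSAFE.<name>.age" — must match the path built in lib/secrets-unsafe.nix`. The surrounding if/else block continues outside the hunk.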
@@ -1,19 +1,23 @@
-{ pkgs, config, ... }:
+{
+ age,
+ writeShellScript,
+ system,
+ stdenv,
+ ...
+}:
 {
 readUnsafe = name:
 let
- path = ../secrets + "/${name}.UNSAFE.age";
- identityPath = builtins.elemAt (
- builtins.filter (
- x: (builtins.match ".*-unsafe$" x) != null
- ) config.age.identityPaths
- ) 0;
+ isDarwin = stdenv.isDarwin;
+ identityPath = if isDarwin then "/Users/Shared/agenix-key-unsafe" else "/etc/ssh/agenix-key-unsafe";
+
+ path = ../secrets + "/UNSAFE.${name}.age";
 drv = builtins.derivation {
- system = pkgs.system;
+ system = system;
 name = name;
 src = path;
- builder = pkgs.writeShellScript "read-${name}.sh" ''
- ${pkgs.age}/bin/age --decrypt --identity ${identityPath} $src > $out
+ builder = writeShellScript "read-${name}.sh" ''
+ ${age}/bin/age --decrypt --identity ${identityPath} $src > $out
 '';
 };
 in builtins.readFile drv;
diff --git a/secrets/UNSAFE.desu-arm-ip.age b/secrets/UNSAFE.desu-arm-ip.age
new file mode 100644
index 0000000000000000000000000000000000000000..e532d0b4a21ed7f2bc5171babfdff1ba21f54658
GIT binary patch
literal 225
zcmV<703QEgXJsvAZewzJaCB*JZZ2S5P)`Q&kF0b#+EVbWnCw zK~!;KK{0r9QAt!&c~dqkF=}OZV{AraLRoHSdR2NjR80ykEiE8sHgi*VP-aX@Y-&w2 zaBX=vQ8F`mcv>$=Pf$lzc2_ema&}lbXk{=qPIC%6RyKG1?76a%R`>Fw`x>(H-=PH1 bIv21d#K0o-_ra`nB6IV<(?4WUW&o5Gy$w^D
literal 0
HcmV?d00001
diff --git a/ssh/teidesu-git.pub b/ssh/teidesu-git.pub
new file mode 100644
index 0000000..e3ab39a
--- /dev/null
+++ b/ssh/teidesu-git.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXaJrbD5SHp3HDtRX7YxrjO7wpcoY/L41Oc78IdT/l4
\ No newline at end of file
diff --git a/users/teidesu/alacritty.toml b/users/teidesu/assets/alacritty.toml
similarity index 100%
rename from users/teidesu/alacritty.toml
rename to users/teidesu/assets/alacritty.toml
diff --git a/users/teidesu/assets/base_known_hosts b/users/teidesu/assets/base_known_hosts
new file mode 100644
index 0000000..b7f26e7
--- /dev/null
+++ b/users/teidesu/assets/base_known_hosts
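Review bot: The builder on the `+ ${age}/bin/age --decrypt --identity ${identityPath} $src > $out` line reads `/etc/ssh/agenix-key-unsafe` (or the `/Users/Shared` path) from the host filesystem at build time, yet the derivation carries no marker that it needs host access, so with the Nix sandbox enabled the build presumably fails on a missing key file instead of a clear message; either add `__noChroot = true;` beside `system = system;` (needs `sandbox = relaxed` on the daemon) or state in a comment that this helper requires the sandbox to be off. The decrypted plaintext is written to `$out`, a world-readable store path, and `builtins.readFile` then copies it into whatever configuration consumes it — the trade-off the UNSAFE name implies, but a header comment would stop the next reader from assuming these values stay private on the host, e.g. `# Decrypts at build time into the world-readable Nix store; only for values that may be public on this machine.`. `$src` is unquoted in the builder script; store paths contain no spaces so it works, but `"$src"` is the safer habit.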
@@ -0,0 +1,8 @@
+# github
+|1|MnC0ICOowWM7KKgfbwHjSYCUDb0=|Nh2b1pRPPeLXwv5Z30FQa+0KyJ0= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+|1|MidJau0HbJFvuxJOQWQxOdmPKE4=|WW3oPvfillzC5BWLKIEeuWq8YZA= ssh-rsa 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
+|1|Zy4CjKEG3Nn7RypNq9Yf+YhaH08=|s0aozDN7CqfReG7+DqabwsI3gsM= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+
+# koi
+|1|mHA7S/D4GL5RvmEB+Fj2/FEQhqQ=|QaQPGfyuYGiD5gNHyPSN9NPQkLM= ssh-rsa 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
+|1|3hK+z5ncJuQWfstveOSecUSW5/0=|OxYTIrGT5Cn5JWRcB3yfpviCdPw= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB51jm+nmhyxYWrJfVIo7OedneOpVYG1mjwqATRVRtTh
\ No newline at end of file
diff --git a/users/teidesu/common.nix b/users/teidesu/common.nix
index 7ba9ee5..707f904 100644
--- a/users/teidesu/common.nix
+++ b/users/teidesu/common.nix
@@ -3,6 +3,7 @@ inputs.nix-index-database.hmModules.nix-index
 ./zsh.nix
 ./git.nix
+ ./ssh.nix
 ];
 home.stateVersion = "23.11";
diff --git a/users/teidesu/darwin.nix b/users/teidesu/darwin.nix
index 8a0a375..bffe17c 100644
--- a/users/teidesu/darwin.nix
+++ b/users/teidesu/darwin.nix
@@ -32,6 +32,6 @@ yt-dlp
 ];
- home.file.".config/alacritty/alacritty.toml".source = ./alacritty.toml;
+ home.file.".config/alacritty/alacritty.toml".source = ./assets/alacritty.toml;
 };
 }
\ No newline at end of file
diff --git a/users/teidesu/ssh.nix b/users/teidesu/ssh.nix
new file mode 100644
index 0000000..3c7360e
--- /dev/null
+++ b/users/teidesu/ssh.nix
@@ -0,0 +1,45 @@
+{ abs, pkgs, lib, ... }:
+
+let
+ isDarwin = pkgs.stdenv.isDarwin;
+ secrets = pkgs.callPackage (abs "lib/secrets-unsafe.nix") {};
+in {
+ home.file.".ssh/ssh.pub".source = abs "ssh/teidesu.pub";
+ home.file.".ssh/git.pub".source = abs "ssh/teidesu-git.pub";
+ home.file.".ssh/base_known_hosts".source = ./assets/base_known_hosts;
+
+ programs.ssh = {
+ enable = true;
+
+ hashKnownHosts = true;
+
+ extraOptionOverrides = {
+ GlobalKnownHostsFile = "~/.ssh/base_known_hosts";
+ };
+
+ matchBlocks = {
+ desu-arm = {
+ hostname = secrets.readUnsafe "desu-arm-ip";
+ forwardAgent = true;
+ };
+
+ koi = {
+ hostname = "10.42.0.2";
+ forwardAgent = true;
+ };
+
+ "github.com" = {
+ identityFile = "~/.ssh/ssh.pub";
+ };
+ } // (lib.optionalAttrs isDarwin {
+ # 1password ssh agent
+ "*" = {
+ extraOptions = {
+ IdentityAgent = "\"~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock\"";
+ HostkeyAlgorithms = "+ssh-rsa";
+ PubkeyAcceptedAlgorithms = "+ssh-rsa";
+ };
+ };
+ });
+ };
+}
\ No newline at end of file
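Review bot: The darwin-only `"*"` block sets `HostkeyAlgorithms = "+ssh-rsa"` and `PubkeyAcceptedAlgorithms = "+ssh-rsa"` for every host, which re-enables the SHA-1 `ssh-rsa` signature scheme that OpenSSH turned off by default in 8.8; RSA keys themselves still work without it via rsa-sha2-256/512, so this is only needed for a peer that cannot do SHA-2. If a single host is the reason (the `# 1password ssh agent` comment does not say), move those two lines into that host's `extraOptions` so github.com and the rest keep the default algorithm list. `forwardAgent = true` on desu-arm and koi lets any root-level process on those hosts use every key the local agent holds while a session is open; if forwarding is only needed to reach a further host, `proxyJump` is the narrower option. The `hostname = secrets.readUnsafe "desu-arm-ip"` value ends up in a store-backed `~/.ssh/config`, so a short comment beside it such as `# decrypted at build time into the Nix store — treated as public on this host` would record that this is accepted.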