diff --git a/hosts/darwin02/configuration.nix b/hosts/darwin02/configuration.nix index 84f1d93..4ec0ccb 100644 --- a/hosts/darwin02/configuration.nix +++ b/hosts/darwin02/configuration.nix @@ -8,7 +8,6 @@ inputs.self.darwinModules.remote-builder ]; - # on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder"; nix.settings.sandbox = "relaxed"; diff --git a/hosts/darwin03/configuration.nix b/hosts/darwin03/configuration.nix index 3f12a8a..6359769 100644 --- a/hosts/darwin03/configuration.nix +++ b/hosts/darwin03/configuration.nix @@ -8,7 +8,6 @@ inputs.self.darwinModules.remote-builder ]; - # on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder"; nix.settings.sandbox = "relaxed"; diff --git a/modules/darwin/common/default.nix b/modules/darwin/common/default.nix index 04408ff..29c0016 100644 --- a/modules/darwin/common/default.nix +++ b/modules/darwin/common/default.nix @@ -19,7 +19,6 @@ in ]; # TODO: refactor this to share /users with nixos - # if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d users.users = { customer.openssh = { inherit authorizedKeys; }; hetzner.openssh = { inherit authorizedKeys; }; @@ -68,15 +67,12 @@ in # disable application layer firewall, telegraf needs an incoming connection system.defaults.alf.globalstate = 0; - # srvos - services.openssh.authorizedKeysFiles = pkgs.lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ]; - # srvos environment.etc."ssh/sshd_config.d/darwin.conf".text = '' + AuthorizedKeysFile none HostKey /etc/ssh/ssh_host_ed25519_key KbdInteractiveAuthentication no PasswordAuthentication no - StrictModes no ''; # Make sure to disable netbios on activation 
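Review bot: In the modules/darwin/common/default.nix hunk, the new `AuthorizedKeysFile none` line in the darwin.conf drop-in is not accompanied by anything that says how it is meant to interact with the per-user keys this same file still configures (`customer.openssh` / `hetzner.openssh` with `inherit authorizedKeys`) and with the `openssh.authorizedKeys.keyFiles` the community-builder module now sets. sshd takes the first `AuthorizedKeysFile` it reads, so whether `none` disables those per-user files or is itself overridden depends on the order in which the sshd_config.d drop-ins are included, which this hunk does not show; the mkForce'd `authorizedKeysFiles` that previously pinned the lookup path is removed here. I would add a comment above the line stating the intended outcome, e.g. `# AuthorizedKeysFile is set by the drop-in that nix-darwin generates for users.users.*.openssh; this 'none' is only a fallback for users without managed keys — verify with: sshd -T | grep -i authorizedkeysfile`, adjusted to whatever the verified precedence turns out to be. Dropping `StrictModes no` re-enables sshd's ownership/permission checks on key files and home directories, so any file sshd is expected to read must now pass them; presumably the nix-darwin-generated files do, but a `sshd -T` check on one host after deploy would confirm both points.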
diff --git a/modules/darwin/community-builder/users.nix b/modules/darwin/community-builder/users.nix
index 72dec6f..22236a8 100644
--- a/modules/darwin/community-builder/users.nix
+++ b/modules/darwin/community-builder/users.nix
@@ -10,228 +10,272 @@ let
       name = "winter";
       trusted = true;
       uid = 502;
+      keys = ./keys/winter;
     }
     {
       name = "stephank";
       trusted = true;
       uid = 503;
+      keys = ./keys/stephank;
     }
     {
       name = "hexa";
       trusted = true;
       uid = 504;
+      keys = ./keys/hexa;
     }
     {
       name = "0x4A6F";
       trusted = true;
       uid = 505;
+      keys = ./keys/0x4A6F;
     }
     {
       name = "artturin";
       trusted = true;
       uid = 506;
+      keys = ./keys/artturin;
     }
     {
       name = "figsoda";
       trusted = true;
       uid = 507;
+      keys = ./keys/figsoda;
     }
     {
       name = "raitobezarius";
       trusted = true;
       uid = 508;
+      keys = ./keys/raitobezarius;
     }
     {
       name = "k900";
       trusted = true;
       uid = 509;
+      keys = ./keys/k900;
     }
     {
       name = "julienmalka";
       trusted = true;
       uid = 510;
+      keys = ./keys/julienmalka;
     }
     {
       name = "dotlambda";
       trusted = true;
       uid = 511;
+      keys = ./keys/dotlambda;
     }
     {
       name = "lily";
       trusted = true;
       uid = 512;
+      keys = ./keys/lily;
     }
     {
       name = "ma27";
       trusted = true;
       uid = 513;
+      keys = ./keys/ma27;
     }
     {
       name = "fab";
       trusted = true;
       uid = 514;
+      keys = ./keys/fab;
     }
     {
       name = "phaer";
       trusted = true;
       uid = 515;
+      keys = ./keys/phaer;
     }
     {
       name = "emilylange";
       trusted = true;
       uid = 516;
+      keys = ./keys/emilylange;
     }
     {
       name = "emilytrau";
       trusted = true;
       uid = 517;
+      keys = ./keys/emilytrau;
     }
     {
       name = "janik";
       trusted = true;
       uid = 518;
+      keys = ./keys/janik;
     }
     {
       name = "delroth";
       trusted = true;
       uid = 519;
+      keys = ./keys/delroth;
     }
     {
       name = "toonn";
       trusted = true;
       uid = 520;
+      keys = ./keys/toonn;
     }
     {
       name = "glepage";
       trusted = true;
       uid = 521;
+      keys = ./keys/glepage;
     }
     {
       name = "anthonyroussel";
       trusted = true;
       uid = 522;
+      keys = ./keys/anthonyroussel;
     }
     {
       name = "sgo";
       trusted = true;
       uid = 523;
+      keys = ./keys/sgo;
     }
     {
       name = "chayleaf";
       trusted = true;
       uid = 524;
+      keys = ./keys/chayleaf;
     }
     {
       # https://github.com/lf-
       name = "jade";
       trusted = true;
       uid = 525;
+      keys = ./keys/jade;
     }
     {
       name = "kranzes";
       trusted = true;
       uid = 526;
+      keys = ./keys/kranzes;
     }
     {
       name = "sternenseemann";
       trusted = true;
       uid = 527;
+      keys = ./keys/sternenseemann;
     }
     {
       name = "jtojnar";
       trusted = true;
       uid = 528;
+      keys = ./keys/jtojnar;
     }
     {
       name = "corngood";
       trusted = true;
       uid = 529;
+      keys = ./keys/corngood;
     }
     {
       name = "teto";
       trusted = true;
       uid = 530;
+      keys = ./keys/teto;
     }
     {
       name = "matthewcroughan";
       trusted = true;
       uid = 531;
+      keys = ./keys/matthewcroughan;
     }
     {
       name = "pennae";
       trusted = true;
       uid = 532;
+      keys = ./keys/pennae;
     }
     {
       name = "jopejoe1";
       trusted = true;
       uid = 533;
+      keys = ./keys/jopejoe1;
     }
     {
       name = "puckipedia";
       trusted = true;
       uid = 534;
+      keys = ./keys/puckipedia;
     }
     {
       name = "kenji";
       trusted = true;
       uid = 535;
+      keys = ./keys/kenji;
     }
     {
       name = "pinpox";
       trusted = true;
       uid = 536;
+      keys = ./keys/pinpox;
     }
     {
       # https://github.com/n0emis
       name = "ember";
       trusted = true;
       uid = 537;
+      keys = ./keys/ember;
     }
     {
       # lib.maintainers.nicoo, @nbraud on github.com
       name = "nicoo";
       trusted = true;
       uid = 538;
+      keys = ./keys/nicoo;
     }
     {
       name = "imincik";
       trusted = true;
       uid = 539;
+      keys = ./keys/imincik;
     }
     {
       name = "wolfgangwalther";
       trusted = true;
       uid = 540;
+      keys = ./keys/wolfgangwalther;
     }
     {
       name = "tnias";
       trusted = true;
       uid = 541;
+      keys = ./keys/tnias;
     }
     {
       # lib.maintainers.emily, https://github.com/emilazy
       name = "emily";
       trusted = true;
       uid = 542;
+      keys = ./keys/emily;
     }
     {
       # lib.maintainers.johnrtitor, https://github.com/JohnRTitor
       name = "johnrtitor";
       trusted = true;
       uid = 543;
+      keys = ./keys/johnrtitor;
     }
     {
       # lib.maintainers.kashw2, https://github.com/kashw2
       name = "kashw2";
       trusted = true;
       uid = 544;
+      keys = ./keys/kashw2;
     }
     {
       # lib.maintainers.superherointj, https://github.com/superherointj
       name = "superherointj";
       trusted = true;
       uid = 545;
+      keys = ./keys/superherointj;
     }
   ];
 in
@@ -244,6 +288,9 @@ in
         home = "/Users/${u.name}";
         createHome = true;
         shell = "/bin/zsh";
+        openssh.authorizedKeys.keyFiles = [
+          u.keys
+        ];
       };
     })
     users);
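Review bot: The 44 new `keys = ./keys/<name>;` attributes in the first hunk all follow the one pattern `./keys/${u.name}` that the removed `environment.etc` mapping (next hunk) already used, so the per-user attribute adds repetition without adding information; a style alternative is to keep the list as it was and write `openssh.authorizedKeys.keyFiles = [ (u.keys or ./keys/${u.name}) ];` in the second hunk, which preserves a per-user override while keeping the convention in one place. If the explicit attribute is kept deliberately — it does make a user entry without a key file fail at evaluation time instead of silently producing an account with no keys — that intent deserves a one-line comment above the list, e.g. `# every entry must name its key file; evaluation fails otherwise`. Either way, the move from `/etc/ssh/authorized_keys.d/<user>` files to `openssh.authorizedKeys.keyFiles` only takes effect if sshd's AuthorizedKeysFile setting still points at the files nix-darwin generates from this option, which is decided in modules/darwin/common/default.nix rather than here; a comment on the second hunk naming that dependency would save the next reader a search.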
@@ -252,12 +299,5 @@ in users.forceRecreate = true; - environment.etc = builtins.listToAttrs (builtins.map - (u: { - name = "ssh/authorized_keys.d/${u.name}"; - value = { source = ./keys/${u.name}; }; - }) - users); - nix.settings.trusted-users = builtins.map (u: u.name) (builtins.filter (u: u.trusted) users); }