-rw-r--r--flake.nix8
-rw-r--r--home/modules/userinfo.nix10
-rw-r--r--profiles/defaults.nix19
-rw-r--r--profiles/git-server.nix9
-rw-r--r--profiles/remote-unlock.nix24
-rw-r--r--profiles/users/admin-user.nix15
-rw-r--r--profiles/users/builder.nix22
7 files changed, 44 insertions, 63 deletions
diff --git a/flake.nix b/flake.nix
index c2a3b63..870bccb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -101,6 +101,14 @@
userinfo = {
email = "franck@fcuny.net";
fullName = "Franck Cuny";
+ sshPublicKeys = {
+ onepassword = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4Puffs";
+ yubikey-personal-nano = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGX4+CuUjiX6Doi4n6RqmznzFUyRrxKhEFvuIxROzXDKAAAABHNzaDo=";
+ yubikey-personal-keychain = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo=";
+ yubikey-personal-backup = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINLBHE4O9RrTgTa+m0kcWL2Mhpi3C57MpTpip7riTophAAAABHNzaDo=";
+ yubikey-work-nano = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBVuEgqp/pmfskha3gIaYIfP0JEgKG/vVV3Bswb63wr2AAAABHNzaDo=";
+ yubikey-work-backup = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjs8WvWBuiL6hujqSaXLxBIs5unjBex22Whdrj/radmAAAABHNzaDo=";
+ };
};
};
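Review bot: The `onepassword` value on the new side of this hunk does not match the key it replaces elsewhere in the commit — it ends in `4Puffs`, while every removed 1password line (defaults.nix, remote-unlock.nix, admin-user.nix, builder.nix) ends in `4PVFZFi`, and at 67 base64 characters it is one short of the 68 that an ssh-ed25519 key blob encodes to, so sshd would most likely reject it and every host that lists `onepassword` loses that login path. If this is a deliberate rotation the new key still needs its complete encoding; if not, the `4PVFZFi` value should be restored. Either way a comment naming the key's origin, as the removed lines had, would help future edits: `# 1Password SSH agent key (ssh-ed25519)`. Dropping the trailing `ssh:` comment field from the FIDO entries is harmless, since authorized_keys treats it as an optional comment.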
diff --git a/home/modules/userinfo.nix b/home/modules/userinfo.nix
index 46afc73..bea964e 100644
--- a/home/modules/userinfo.nix
+++ b/home/modules/userinfo.nix
@@ -10,6 +10,16 @@
type = types.str;
example = "some@email.com";
};
+ sshPublicKeys = mkOption {
+ type = types.attrsOf types.str;
+ default = { };
+ example = {
+ yubikey-keychain = "sk-ssh-ed25519@openssh.com AAAAC3NzaC1lZDI1NTE5...";
+ yubikey-backup = "sk-ssh-ed25519@openssh.com AAAAC3NzaC1lZDI1NTE5...";
+ yubikey-nano = "sk-ssh-ed25519@openssh.com AAAAC3NzaC1lZDI1NTE5...";
+ };
+ description = "SSH public keys tagged by their source/location";
+ };
};
};
}
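Review bot: The `example` on lines 44-46 pairs the `sk-ssh-ed25519@openssh.com` type with a blob starting `AAAAC3NzaC1lZDI1NTE5`, which is the encoding of the plain `ssh-ed25519` type name; the FIDO keys added in flake.nix start `AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t`, so the example is internally inconsistent and will mislead anyone copying it. Either label the example entries `ssh-ed25519` or use an sk- prefixed blob. The description could also state where these values end up, since they are now consumed directly as authorized_keys entries and as the gitolite admin key: `description = "SSH public keys tagged by their source/location; used as authorized_keys entries (root, initrd, builder, admin user) and as the gitolite admin key";`. Note that `types.attrsOf types.str` does not validate the key format, so a malformed value only surfaces when sshd rejects it at login time.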
diff --git a/profiles/defaults.nix b/profiles/defaults.nix
index 96b1461..2683c5a 100644
--- a/profiles/defaults.nix
+++ b/profiles/defaults.nix
@@ -2,6 +2,7 @@
config,
pkgs,
lib,
+ adminUser,
...
}:
{
@@ -112,19 +113,11 @@
users = {
mutableUsers = false;
- users.root.openssh.authorizedKeys.keys = [
- # 1password
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- # YubiKey 5C Nano (personal)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGX4+CuUjiX6Doi4n6RqmznzFUyRrxKhEFvuIxROzXDKAAAABHNzaDo= ssh:"
- # Yubikey 5C (keychain)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo= ssh:"
- # Yubikey 5C NFC (backup)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINLBHE4O9RrTgTa+m0kcWL2Mhpi3C57MpTpip7riTophAAAABHNzaDo= ssh:"
- # Yubikey 5C Nano (work)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBVuEgqp/pmfskha3gIaYIfP0JEgKG/vVV3Bswb63wr2AAAABHNzaDo="
- # Yubikey Security Key C NFC (work, backup)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjs8WvWBuiL6hujqSaXLxBIs5unjBex22Whdrj/radmAAAABHNzaDo="
+ users.root.openssh.authorizedKeys.keys = with adminUser.userinfo.sshPublicKeys; [
+ onepassword
+ yubikey-personal-nano
+ yubikey-personal-keychain
+ yubikey-personal-backup
];
};
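Review bot: The four-name selection in the `with` list on lines 81-86 is repeated verbatim in remote-unlock.nix and builder.nix, so the three root-level access lists can drift apart the next time a key is added or retired. Consider naming the subset once — a `personalKeys` list in userinfo, or `lib.attrVals [ "onepassword" "yubikey-personal-nano" "yubikey-personal-keychain" "yubikey-personal-backup" ] adminUser.userinfo.sshPublicKeys` — and referencing it from all three places. The `with` form does have the right failure mode: a misspelled name aborts evaluation instead of silently dropping a key, which is preferable to `attrValues` for an account like root.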
diff --git a/profiles/git-server.nix b/profiles/git-server.nix
index 504027a..d162a8e 100644
--- a/profiles/git-server.nix
+++ b/profiles/git-server.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, ... }:
+{
+ pkgs,
+ lib,
+ adminUser,
+ ...
+}:
let
cgit-org2html = pkgs.writeShellScriptBin "org2html" ''
${pkgs.pandoc}/bin/pandoc \
@@ -27,7 +32,7 @@ in
{
services.gitolite = {
enable = true;
- adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+ adminPubkey = adminUser.userinfo.sshPublicKeys."yubikey-personal-nano";
user = "git";
group = "git";
extraGitoliteRc = ''
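Review bot: `adminPubkey` on line 108 resolves to a different key than the one it replaces — the removed line was the 1password `ssh-ed25519` key, the new reference is the `yubikey-personal-nano` FIDO key — so this hunk changes which credential administers gitolite, not just where the value is stored. If that is intended, record it next to the assignment so a later refactor does not "correct" it back to `onepassword`: `# gitolite admin key is the personal YubiKey, deliberately not the 1Password key`. Whether the gitolite version in use accepts `sk-ssh-ed25519@openssh.com` entries for the admin key is worth confirming before deploying, since a rejected admin key locks access to the admin repo.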
diff --git a/profiles/remote-unlock.nix b/profiles/remote-unlock.nix
index 310d52b..9812ce8 100644
--- a/profiles/remote-unlock.nix
+++ b/profiles/remote-unlock.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ adminUser, ... }:
{
boot.kernelParams = [
"ip=dhcp"
@@ -14,23 +14,11 @@
hostKeys = [
"/etc/initrd/ssh_host_ed25519_key"
];
- authorizedKeys = [
- # my personal key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- # key used to automatically unlock
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPr9Dv2MjZoRltmxi21PoS/42KnOhYxuq9r6ER62vjAx"
- # YubiKey 5C Nano (personal)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGX4+CuUjiX6Doi4n6RqmznzFUyRrxKhEFvuIxROzXDKAAAABHNzaDo= ssh:"
- # Yubikey 5C (keychain)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo= ssh:"
- # Yubikey 5C (keychain)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo= ssh:"
- # Yubikey 5C NFC (backup)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINLBHE4O9RrTgTa+m0kcWL2Mhpi3C57MpTpip7riTophAAAABHNzaDo= ssh:"
- # Yubikey 5C Nano (work)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBVuEgqp/pmfskha3gIaYIfP0JEgKG/vVV3Bswb63wr2AAAABHNzaDo="
- # Yubikey Security Key C NFC (work, backup)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjs8WvWBuiL6hujqSaXLxBIs5unjBex22Whdrj/radmAAAABHNzaDo="
+ authorizedKeys = with adminUser.userinfo.sshPublicKeys; [
+ onepassword
+ yubikey-personal-nano
+ yubikey-personal-keychain
+ yubikey-personal-backup
];
};
};
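Review bot: The new `authorizedKeys` list on lines 143-148 drops the `ssh-ed25519 ...IPr9Dv2MjZoRltmxi21PoS/42KnOhYxuq9r6ER62vjAx` entry that the removed lines labelled `key used to automatically unlock`, so whatever automation used that key can no longer reach the initrd sshd after this change. The same pattern appears in builder.nix, where the entry labelled `remote builder ssh key` (`...IGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw`) is removed from `users.users.builder` with no equivalent added to `sshPublicKeys`. If these service keys are being retired, the commit message should say so; otherwise add them to the flake's `sshPublicKeys` under their own names (e.g. `initrd-unlock`, `remote-builder`) and list them here and in builder.nix. Removing the duplicated keychain entry the old list carried is fine.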
diff --git a/profiles/users/admin-user.nix b/profiles/users/admin-user.nix
index 6658050..2e33603 100644
--- a/profiles/users/admin-user.nix
+++ b/profiles/users/admin-user.nix
@@ -11,20 +11,7 @@
shell = pkgs.fish;
isNormalUser = true;
hashedPassword = "$y$j9T$U3mXpCzXC1VUp8wV5snJz/$32vTk0KwVXvP/jLO13nMlGPHy0nCe4ZtebdvqU4hwmD";
- openssh.authorizedKeys.keys = [
- # 1password
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- # YubiKey 5C Nano (personal)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGX4+CuUjiX6Doi4n6RqmznzFUyRrxKhEFvuIxROzXDKAAAABHNzaDo="
- # Yubikey 5C (keychain)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo="
- # Yubikey 5C NFC (backup)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINLBHE4O9RrTgTa+m0kcWL2Mhpi3C57MpTpip7riTophAAAABHNzaDo="
- # Yubikey 5C Nano (work)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBVuEgqp/pmfskha3gIaYIfP0JEgKG/vVV3Bswb63wr2AAAABHNzaDo="
- # Yubikey Security Key C NFC (work, backup)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjs8WvWBuiL6hujqSaXLxBIs5unjBex22Whdrj/radmAAAABHNzaDo="
- ];
+ openssh.authorizedKeys.keys = pkgs.lib.attrValues adminUser.userinfo.sshPublicKeys;
extraGroups = [
"wheel"
"docker"
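Review bot: `pkgs.lib.attrValues adminUser.userinfo.sshPublicKeys` on line 173 authorizes every key in the set, including the two work keys that the root, initrd and builder lists in this same commit deliberately omit, and any key added to `sshPublicKeys` later becomes an admin login without touching this file. If the admin user should follow the same subset as the other lists, use the same explicit `with adminUser.userinfo.sshPublicKeys; [ ... ]` form; if the broad grant is intended, a comment such as `# all known keys, including work devices, may log in as the admin user` would keep the asymmetry from looking accidental. Minor style point: if `lib` is among this module's arguments (not visible in the hunk), `lib.attrValues` is the conventional spelling over `pkgs.lib.attrValues`.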
diff --git a/profiles/users/builder.nix b/profiles/users/builder.nix
index 2998c19..0b91efe 100644
--- a/profiles/users/builder.nix
+++ b/profiles/users/builder.nix
@@ -1,23 +1,13 @@
-{ ... }:
+{ adminUser, ... }:
{
nix.settings.trusted-users = [ "builder" ];
users.users.builder = {
- openssh.authorizedKeys.keys = [
- # 1password
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- # remote builder ssh key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
- # YubiKey 5C Nano (personal)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGX4+CuUjiX6Doi4n6RqmznzFUyRrxKhEFvuIxROzXDKAAAABHNzaDo= ssh:"
- # Yubikey 5C (keychain)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDnU4Xd8bElZYVWDbknlIgskR/q7ORrbvO0FLnJMQX+eAAAABHNzaDo= ssh:"
- # Yubikey 5C NFC (backup)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINLBHE4O9RrTgTa+m0kcWL2Mhpi3C57MpTpip7riTophAAAABHNzaDo= ssh:"
- # Yubikey 5C Nano (work)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBVuEgqp/pmfskha3gIaYIfP0JEgKG/vVV3Bswb63wr2AAAABHNzaDo="
- # Yubikey Security Key C NFC (work, backup)
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjs8WvWBuiL6hujqSaXLxBIs5unjBex22Whdrj/radmAAAABHNzaDo="
+ openssh.authorizedKeys.keys = with adminUser.userinfo.sshPublicKeys; [
+ onepassword
+ yubikey-personal-nano
+ yubikey-personal-keychain
+ yubikey-personal-backup
];
isNormalUser = true;
group = "nogroup";