feat: automate SSH config ('known_hosts', 'authorized_keys' ...)

chore(nixfmt): format
2026-01-17 17:37:37 +01:00 · 2026-01-17 17:35:38 +01:00
19 changed files with 246 additions and 99 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -50,6 +50,7 @@
      nvim,
    }@inputs:
    let
+      inherit (self) outputs;
      lib = inputs.nixpkgs.lib;
      utils = import ./utils { inherit lib; };
      hostDirNames = utils.dirNames ./hosts;
@@ -67,14 +68,18 @@
        host:
        nixpkgs.lib.nixosSystem {
          modules = [ ./hosts/${host} ];
-          specialArgs = { inherit inputs; };
+          specialArgs = {
+            inherit inputs outputs;
+          };
        }
      );
      homeConfigurations = {
        work = home-manager.lib.homeManagerConfiguration {
          inherit pkgs;
          modules = [ ./home/hosts/work ];
-          extraSpecialArgs = { inherit inputs; };
+          extraSpecialArgs = {
+            inherit inputs outputs;
+          };
        };
      };
    };
--- a/home/hosts/andromache/default.nix
+++ b/home/hosts/andromache/default.nix
@@ -14,6 +14,7 @@ in
    ../../modules/desktop/niri
    ../../modules/git.nix
    ../../modules/k9s.nix
+    ../../modules/ssh.nix
    ../../modules/taskwarrior.nix
    ../../modules/keepassxc.nix
    ../../modules/anki.nix
--- a/home/hosts/astyanax/default.nix
+++ b/home/hosts/astyanax/default.nix
@@ -14,6 +14,7 @@ in
    ../../modules/desktop/niri
    ../../modules/git.nix
    ../../modules/k9s.nix
+    ../../modules/ssh.nix
    ../../modules/taskwarrior.nix
    ../../modules/keepassxc.nix
    ../../modules/browser
--- a/home/hosts/work/default.nix
+++ b/home/hosts/work/default.nix
@@ -24,11 +24,11 @@ in
    defaultSopsFile = "${inputs.nix-secrets}/secrets.yaml";

    secrets = {
-      taskwarrior_sync_server_url = {};
-      taskwarrior_sync_server_client_id = {};
-      taskwarrior_sync_encryption_secret = {};
-      anki_sync_user = {};
-      anki_sync_key = {};
+      taskwarrior_sync_server_url = { };
+      taskwarrior_sync_server_client_id = { };
+      taskwarrior_sync_encryption_secret = { };
+      anki_sync_user = { };
+      anki_sync_key = { };
    };

    templates."taskrc.d/sync" = {
--- a/home/modules/browser/firefox.nix
+++ b/home/modules/browser/firefox.nix
@@ -1,4 +1,10 @@
-{ config, inputs, lib, pkgs, ... }:
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:

 let
  bookmarks = import ./bookmarks.nix;
--- a/home/modules/browser/librewolf.nix
+++ b/home/modules/browser/librewolf.nix
@@ -1,83 +1,91 @@
-{ config, inputs, lib, pkgs, ... }:
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:

 let
  bookmarks = import ./bookmarks.nix;
 in

 {
-  config = lib.mkIf (config.browser.primary == "librewolf" || config.browser.secondary == "librewolf") {
-    programs.librewolf = {
-      enable = true;
-      nativeMessagingHosts = with pkgs; [
-        tridactyl-native
-      ];
-      profiles = {
-        default = {
-          settings = {
-            "signon.rememberSignons" = false;
-            "findbar.highlightAll" = true;
-            "extensions.autoDisableScopes" = 0;
-          };
-          extensions = {
-            packages = with inputs.firefox-addons.packages.${pkgs.system}; [
-              duckduckgo-privacy-essentials
-              istilldontcareaboutcookies
-              libredirect
-              keepassxc-browser
-              react-devtools
-              sponsorblock
-              tridactyl
-              ublock-origin
-            ];
-          };
-          bookmarks = {
-            force = true;
-            settings = [
-              {
-                toolbar = true;
-                bookmarks = [
-                  bookmarks.nixos
+  config =
+    lib.mkIf (config.browser.primary == "librewolf" || config.browser.secondary == "librewolf")
+      {
+        programs.librewolf = {
+          enable = true;
+          nativeMessagingHosts = with pkgs; [
+            tridactyl-native
+          ];
+          profiles = {
+            default = {
+              settings = {
+                "signon.rememberSignons" = false;
+                "findbar.highlightAll" = true;
+                "extensions.autoDisableScopes" = 0;
+              };
+              extensions = {
+                packages = with inputs.firefox-addons.packages.${pkgs.system}; [
+                  duckduckgo-privacy-essentials
+                  istilldontcareaboutcookies
+                  libredirect
+                  keepassxc-browser
+                  react-devtools
+                  sponsorblock
+                  tridactyl
+                  ublock-origin
                ];
-              }
-            ];
+              };
+              bookmarks = {
+                force = true;
+                settings = [
+                  {
+                    toolbar = true;
+                    bookmarks = [
+                      bookmarks.nixos
+                    ];
+                  }
+                ];
+              };
+            };
+          };
+          policies = {
+            DefaultDownloadDirectory = "\${home}/dl";
+            ExtensionSettings = {
+              "jid1-ZAdIEUB7XOzOJw@jetpack" = {
+                default_area = "navbar";
+                private_browsing = true;
+              };
+              "idcac-pub@guus.ninja" = {
+                default_area = "navbar";
+                private_browsing = true;
+              };
+              "7esoorv3@alefvanoon.anonaddy.me" = {
+                default_area = "navbar";
+              };
+              "keepassxc-browser@keepassxc.org" = {
+                default_area = "navbar";
+                private_browsing = true;
+              };
+              "@react-devtools" = {
+                default_area = "navbar";
+                private_browsing = true;
+              };
+              "sponsorBlocker@ajay.app" = {
+                default_area = "navbar";
+                private_browsing = true;
+              };
+              "tridactyl.vim@cmcaine.co.uk".settings = {
+                private_browsing = true;
+              };
+              "uBlock0@raymondhill.net".settings = {
+                default_area = "navbar";
+                private_browsing = true;
+              };
+            };
          };
        };
      };
-      policies = {
-        DefaultDownloadDirectory = "\${home}/dl";
-        ExtensionSettings = {
-          "jid1-ZAdIEUB7XOzOJw@jetpack" = {
-            default_area = "navbar";
-            private_browsing = true;
-          };
-          "idcac-pub@guus.ninja" = {
-            default_area = "navbar";
-            private_browsing = true;
-          };
-          "7esoorv3@alefvanoon.anonaddy.me" = {
-            default_area = "navbar";
-          };
-          "keepassxc-browser@keepassxc.org" = {
-            default_area = "navbar";
-            private_browsing = true;
-          };
-          "@react-devtools" = {
-            default_area = "navbar";
-            private_browsing = true;
-          };
-          "sponsorBlocker@ajay.app" = {
-            default_area = "navbar";
-            private_browsing = true;
-          };
-          "tridactyl.vim@cmcaine.co.uk".settings = {
-            private_browsing = true;
-          };
-          "uBlock0@raymondhill.net".settings = {
-            default_area = "navbar";
-            private_browsing = true;
-          };
-        };
-      };
-    };
-  };
 }
--- a/home/modules/shell/bash.nix
+++ b/home/modules/shell/bash.nix
@@ -59,17 +59,16 @@ in
      '';
    };

-    home.file =
-      {
-        ".inputrc".source = dotsPath + "/.inputrc";
-        ".bashrc.d/prompt".source = dotsPath + "/.bashrc.d/prompt";
-        ".bashrc.d/editor".source = dotsPath + "/.bashrc.d/editor";
-      }
-      // lib.optionalAttrs cfg.aliases.all {
-        ".bash_aliases/all".source = dotsPath + "/.bash_aliases/all";
-      }
-      // lib.optionalAttrs cfg.aliases.lang-js {
-        ".bash_aliases/lang-js".source = dotsPath + "/.bash_aliases/lang-js";
-      };
+    home.file = {
+      ".inputrc".source = dotsPath + "/.inputrc";
+      ".bashrc.d/prompt".source = dotsPath + "/.bashrc.d/prompt";
+      ".bashrc.d/editor".source = dotsPath + "/.bashrc.d/editor";
+    }
+    // lib.optionalAttrs cfg.aliases.all {
+      ".bash_aliases/all".source = dotsPath + "/.bash_aliases/all";
+    }
+    // lib.optionalAttrs cfg.aliases.lang-js {
+      ".bash_aliases/lang-js".source = dotsPath + "/.bash_aliases/lang-js";
+    };
  };
 }
--- a/home/modules/ssh.nix
+++ b/home/modules/ssh.nix
@@ -0,0 +1,25 @@
+{
+  outputs,
+  lib,
+  ...
+}:
+let
+  nixosConfigs = builtins.attrNames outputs.nixosConfigurations;
+  homeConfigs = map (n: lib.last (lib.splitString "@" n)) (
+    builtins.attrNames outputs.homeConfigurations
+  );
+  allHosts = lib.unique (homeConfigs ++ nixosConfigs);
+  hostsWithKeys = lib.filter (
+    hostname: builtins.pathExists ../../hosts/${hostname}/ssh_host.pub
+  ) allHosts;
+in
+{
+  programs.ssh = {
+    enable = true;
+    enableDefaultConfig = false;
+
+    matchBlocks = lib.genAttrs hostsWithKeys (hostname: {
+      host = hostname;
+    });
+  };
+}
--- a/home/ssh.pub
+++ b/home/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzP1PjIDb1tN9nhPOK88HYDtTNk9SN9ZpEem2id49Fa h@astyanax
--- a/hosts/andromache/default.nix
+++ b/hosts/andromache/default.nix
@@ -1,6 +1,7 @@
 {
  lib,
  inputs,
+  outputs,
  config,
  pkgs,
  ...
@@ -81,7 +82,9 @@ in
  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
-    extraSpecialArgs = { inherit inputs; };
+    extraSpecialArgs = {
+      inherit inputs outputs;
+    };
    users.${username} = import ../../home/hosts/andromache {
      inherit lib;
      inherit inputs;
@@ -90,6 +93,8 @@ in
    };
  };

+  ssh.authorizedHosts = [ "astyanax" ];
+
  services.xserver = {
    videoDrivers = [ "nvidia" ];
  };
--- a/hosts/astyanax/default.nix
+++ b/hosts/astyanax/default.nix
@@ -1,6 +1,7 @@
 {
  lib,
  inputs,
+  outputs,
  config,
  pkgs,
  ...
@@ -75,7 +76,9 @@ in
  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
-    extraSpecialArgs = { inherit inputs; };
+    extraSpecialArgs = {
+      inherit inputs outputs;
+    };
    users.${username} = import ../../home/hosts/astyanax {
      inherit inputs;
      inherit config;
@@ -88,6 +91,8 @@ in
    hostId = "80eef97e";
  };

+  ssh.authorizedHosts = [ "andromache" ];
+
  services = {
    fwupd.enable = true;
    openssh = {
--- a/hosts/astyanax/ssh_host.pub
+++ b/hosts/astyanax/ssh_host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8+UOyZbvQeHfFfYox3SQi42KJ0S3RZj79iswSsZeFy root@nixos
--- a/hosts/astyanax/ssh_user.pub
+++ b/hosts/astyanax/ssh_user.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzP1PjIDb1tN9nhPOK88HYDtTNk9SN9ZpEem2id49Fa h@astyanax
--- a/hosts/hecuba/default.nix
+++ b/hosts/hecuba/default.nix
@@ -1,4 +1,11 @@
-{ pkgs, ... }:
+{
+  lib,
+  inputs,
+  outputs,
+  config,
+  pkgs,
+  ...
+}:

 # Also see <https://wiki.nixos.org/wiki/Install_NixOS_on_Hetzner_Cloud>

@@ -31,12 +38,14 @@
    username = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOXPEhdKOVnb6mkeLLUcFGt+mnUR5pMie17JtjrxwgO h@andromache"
-      ];
    };
  };

+  ssh = {
+    username = "username";
+    authorizedHosts = [ "andromache" ];
+  };
+
  security.sudo.wheelNeedsPassword = false;

  networking = {
@@ -57,4 +66,6 @@
    enable = true;
    harden = true;
  };
+
+  networking.hostName = "hecuba";
 }
--- a/hosts/vm/default.nix
+++ b/hosts/vm/default.nix
@@ -1,6 +1,7 @@
 {
  lib,
  inputs,
+  outputs,
  config,
  pkgs,
  ...
@@ -58,7 +59,9 @@ in
  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
-    extraSpecialArgs = { inherit inputs; };
+    extraSpecialArgs = {
+      inherit inputs outputs;
+    };
    users.${username} = import ../../home/hosts/vm {
      inherit inputs;
      inherit config;
--- a/modules/ssh/authorized-keys.nix
+++ b/modules/ssh/authorized-keys.nix
@@ -0,0 +1,24 @@
+{ lib, config, ... }:
+{
+  options.ssh = {
+    authorizedHosts = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+    };
+    username = lib.mkOption {
+      type = lib.types.str;
+      default = "h";
+    };
+  };
+
+  # auto generate authorized_keys from `authorizedHosts`
+  config.users.users.${config.ssh.username}.openssh.authorizedKeys.keys = lib.flatten (
+    map (
+      hostname:
+      let
+        keyFile = ../../hosts/${hostname}/ssh_user.pub;
+      in
+      lib.optionals (builtins.pathExists keyFile) (lib.splitString "\n" (builtins.readFile keyFile))
+    ) config.ssh.authorizedHosts
+  );
+}
--- a/modules/ssh/extract-keys.nix
+++ b/modules/ssh/extract-keys.nix
@@ -0,0 +1,24 @@
+{ lib, config, ... }:
+let
+  username = config.ssh.username;
+in
+{
+  # auto extract SSH keys
+  system.activationScripts.extractSshKeys = lib.stringAfter [ "etc" ] ''
+    HOST_KEY="/etc/ssh/ssh_host_ed25519_key.pub"
+    HOST_DIR="/home/${username}/nix/hosts/${config.networking.hostName}"
+
+    if [ -f "$HOST_KEY" ] && [ -d "$HOST_DIR" ]; then
+      cp "$HOST_KEY" "$HOST_DIR/ssh_host.pub"
+      chown ${username}:users "$HOST_DIR/ssh_host.pub"
+      chmod 644 "$HOST_DIR/ssh_host.pub"
+    fi
+
+    USER_KEY="/home/${username}/.ssh/id_ed25519.pub"
+    if [ -f "$USER_KEY" ] && [ -d "$HOST_DIR" ]; then
+      cp "$USER_KEY" "$HOST_DIR/ssh_user.pub"
+      chown ${username}:users "$HOST_DIR/ssh_user.pub"
+      chmod 644 "$HOST_DIR/ssh_user.pub"
+    fi
+  '';
+}
--- a/modules/ssh/hardened-openssh.nix
+++ b/modules/ssh/hardened-openssh.nix
@@ -4,9 +4,17 @@ let
  cfg = config.services.openssh;
 in
 {
+  imports = [
+    ./known-hosts.nix
+    ./authorized-keys.nix
+    ./extract-keys.nix
+  ];
+
  options.services.openssh.harden = mkEnableOption "harden ssh server configuration";
+
  config = {
    networking.firewall.allowedTCPPorts = [ 22 ];
+
    services.openssh.settings = optionalAttrs cfg.harden {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
--- a/modules/ssh/known-hosts.nix
+++ b/modules/ssh/known-hosts.nix
@@ -0,0 +1,19 @@
+{
+  lib,
+  config,
+  outputs,
+  ...
+}:
+let
+  hosts = lib.attrNames outputs.nixosConfigurations;
+  hostsWithKeys = lib.filter (
+    hostname: builtins.pathExists ../../hosts/${hostname}/ssh_host.pub
+  ) hosts;
+in
+{
+  # auto generate known_hosts for all hosts in flake
+  programs.ssh.knownHosts = lib.genAttrs hostsWithKeys (hostname: {
+    publicKeyFile = ../../hosts/${hostname}/ssh_host.pub;
+    extraHostNames = lib.optional (hostname == config.networking.hostName) "localhost";
+  });
+}
Author	SHA1	Message	Date
hektor	b7ac7ecbd4	feat: automate SSH config ('known_hosts', 'authorized_keys' ...)	2026-01-17 17:37:37 +01:00
hektor	d63f525a9c	chore(nixfmt): format	2026-01-17 17:35:38 +01:00
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzP1PjIDb1tN9nhPOK88HYDtTNk9SN9ZpEem2id49Fa h@astyanax`
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8+UOyZbvQeHfFfYox3SQi42KJ0S3RZj79iswSsZeFy root@nixos`