From 3bd4674179fa483adfc92490ab2564599f450874 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Thu, 20 Mar 2025 00:04:24 +0000
Subject: [PATCH] refactor(ops): use ops.users for ssh keys consistently

Add other keys used in the snix-cache VM to //ops/users, and drop the `all` alias.

Change-Id: I030d0d49e8a6d9e3d8f1e1c2fc19f17ecb7ecb93
Reviewed-on: https://cl.snix.dev/c/snix/+/30165
Autosubmit: Florian Klink
Tested-by: besadii
Reviewed-by: Ryan Lahfa
---
 ops/machines/build01/default.nix | 2 +-
 ops/machines/gerrit01/default.nix | 2 +-
 ops/machines/meta01/default.nix | 4 +---
 ops/machines/public01/default.nix | 2 +-
 ops/machines/snix-cache/default.nix | 24 +++++++++---------------
 ops/users/default.nix | 16 ++++++++++++++--
 6 files changed, 27 insertions(+), 23 deletions(-)

diff --git a/ops/machines/build01/default.nix b/ops/machines/build01/default.nix
index 4dd8ffb60..f45b16353 100644
--- a/ops/machines/build01/default.nix
+++ b/ops/machines/build01/default.nix
@@ -96,7 +96,7 @@ in
 services.openssh.enable = true;
 time.timeZone = "UTC";
- users.users.root.openssh.authorizedKeys.keys = depot.ops.users.all;
+ users.users.root.openssh.authorizedKeys.keys = depot.ops.users.edef ++ depot.ops.users.flokli ++ depot.ops.users.raito;
 users.groups.kvm = { };
 users.users.root.extraGroups = [ "kvm" ];
diff --git a/ops/machines/gerrit01/default.nix b/ops/machines/gerrit01/default.nix
index 0ce9302e9..30b8ae648 100644
--- a/ops/machines/gerrit01/default.nix
+++ b/ops/machines/gerrit01/default.nix
@@ -110,7 +110,7 @@ in
 createHome = true;
 home = "/var/lib/git";
 };
- users.root.openssh.authorizedKeys.keys = depot.ops.users.all;
+ users.root.openssh.authorizedKeys.keys = depot.ops.users.edef ++ depot.ops.users.flokli ++ depot.ops.users.raito;
 };
 boot.initrd.systemd.enable = true;
diff --git a/ops/machines/meta01/default.nix b/ops/machines/meta01/default.nix
index c449262ad..d0810ecd3 100644
--- a/ops/machines/meta01/default.nix
+++ b/ops/machines/meta01/default.nix
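Review bot: The root key set `depot.ops.users.edef ++ depot.ops.users.flokli ++ depot.ops.users.raito` is now spelled out verbatim in build01, and again in the gerrit01, meta01 and public01 hunks, so adding or revoking an admin means editing four files, and a missed one leaves root access on that host. Dropping the catch-all `all` is presumably deliberate now that //ops/users also holds people who only get access to snix-cache, but a role-scoped list would keep these four hosts in sync. One option is a single binding in ops/users such as `infraAdmins = edef ++ flokli ++ raito;` (the name is only a suggestion, and it needs `rec` or a `let` there), consumed as `users.users.root.openssh.authorizedKeys.keys = depot.ops.users.infraAdmins;`. The enclosing attribute set starts and ends outside each of these hunks.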
@@ -134,9 +134,7 @@ in
 # Required for prometheus to be able to scrape stats
 services.nginx.statusPage = true;
- users = {
- users.root.openssh.authorizedKeys.keys = depot.ops.users.all;
- };
+ users.users.root.openssh.authorizedKeys.keys = depot.ops.users.edef ++ depot.ops.users.flokli ++ depot.ops.users.raito;
 boot.initrd.systemd.enable = true;
 zramSwap.enable = true;
diff --git a/ops/machines/public01/default.nix b/ops/machines/public01/default.nix
index 50bd32543..08e5cf2e3 100644
--- a/ops/machines/public01/default.nix
+++ b/ops/machines/public01/default.nix
@@ -187,7 +187,7 @@ in
 # Required for prometheus to be able to scrape stats
 services.nginx.statusPage = true;
- users.users.root.openssh.authorizedKeys.keys = depot.ops.users.all;
+ users.users.root.openssh.authorizedKeys.keys = depot.ops.users.edef ++ depot.ops.users.flokli ++ depot.ops.users.raito;
 boot.initrd.systemd.enable = true;
 zramSwap.enable = true;
diff --git a/ops/machines/snix-cache/default.nix b/ops/machines/snix-cache/default.nix
index e6ae8d0e2..f5795c441 100644
--- a/ops/machines/snix-cache/default.nix
+++ b/ops/machines/snix-cache/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }: # readTree options
+{ depot, pkgs, lib, ... }: # readTree options
 { config, ... }: # passed by module system
 let
@@ -51,20 +51,14 @@ in
 # Enable SSH and add some keys
 services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [
- # edef
- "cert-authority ssh-rsa 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 edef"
- # flokli
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTVTXOutUZZjXLB0lUSgeKcSY/8mxKkC0ingGK1whD2 flokli"
- # mic92
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE"
- "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCsjXKHCkpQT4LhWIdT0vDM/E/3tw/4KHTQcdJhyqPSH0FnwC8mfP2N9oHYFa2isw538kArd5ZMo5DD1ujL5dLk= ssh@secretive.Joerg’s-Laptop.local"
- # padraic
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFlro/QUDlDpaA1AQxdWIqBg9HSFJf9Cb7CPdsh0JN7"
- # zimbatm
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuiDoBOxgyer8vGcfAIbE6TC4n4jo8lhG9l01iJ0bZz zimbatm@no1"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINwWC6CJ/E6o3WGeZxbZMajC4roXnzVi8fOo1JYJSE6YAAAABHNzaDo= zimbatm@nixos"
- ];
+
+
+ users.users.root.openssh.authorizedKeys.keys =
+ depot.ops.users.edef
+ ++ depot.ops.users.flokli
+ ++ depot.ops.users.mic92
+ ++ depot.ops.users.padraic
+ ++ depot.ops.users.zimbatm;
 environment.systemPackages = [
 pkgs.helix
diff --git a/ops/users/default.nix b/ops/users/default.nix
index 445dce4d7..3f40ee693 100644
--- a/ops/users/default.nix
+++ b/ops/users/default.nix
@@ -1,4 +1,4 @@
-{ ... }: rec {
+{ ... }: {
 flokli = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTVTXOutUZZjXLB0lUSgeKcSY/8mxKkC0ingGK1whD2 flokli"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE6a15p9HLSrawsMTd2UQGAiM7r7VdyrfSRyzwRYTgWT flokli@m2air"
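Review bot: The new snix-cache key list is not key-for-key equivalent to the inline list it removes, even though the subject calls the commit a refactor. The old list held a single flokli key, while `depot.ops.users.flokli` also carries at least the `flokli@m2air` key visible in the ops/users/default.nix context, so root on this host becomes reachable with more keys than before; the `edef` list is only partly visible in this patch, so the same may hold there. If the widening is intended, record it in the commit message and above the assignment, e.g. `# root access: every key listed in //ops/users for these five people`. The two added empty lines before the assignment look accidental and can be dropped. The surrounding attribute set starts and ends outside the hunk.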
@@ -8,10 +8,22 @@
 "cert-authority ssh-rsa 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 openpgp:0x803010E7"
 ];
+ mic92 = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE"
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCsjXKHCkpQT4LhWIdT0vDM/E/3tw/4KHTQcdJhyqPSH0FnwC8mfP2N9oHYFa2isw538kArd5ZMo5DD1ujL5dLk= ssh@secretive.Joerg’s-Laptop.local"
+ ];
+
+ padraic = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFlro/QUDlDpaA1AQxdWIqBg9HSFJf9Cb7CPdsh0JN7"
+ ];
+
 raito = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
 ];
- all = flokli ++ edef ++ raito;
+ zimbatm = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuiDoBOxgyer8vGcfAIbE6TC4n4jo8lhG9l01iJ0bZz zimbatm@no1"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINwWC6CJ/E6o3WGeZxbZMajC4roXnzVi8fOo1JYJSE6YAAAABHNzaDo= zimbatm@nixos"
+ ];
 }
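Review bot: The first `mic92` key and the `padraic` key are added without a comment field, so once they are rendered into root's authorized keys file on snix-cache nothing on the host says whose they are; the attribute name exists only in the Nix source. Appending the owner (and ideally the device) as the key comment, in the form `"ssh-ed25519 <key as above> padraic"`, keeps the rendered file auditable and makes revocation less error-prone. The existing `raito` keys in the context lines have the same gap. A short header comment on the set, such as `# Per-person SSH public keys (or cert-authority lines); consumers concatenate the lists they need.`, would also record the convention now that `all` is gone.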