m/common: pre-populate known hosts + slight refactor

modules/common.nix

@@ -49,10 +49,17 @@ in {
       terminal = "screen256-color";
       clock24 = true;
     };
+    ssh.knownHosts = builtins.mapAttrs (name: value: {
+      inherit (value) publicKey;
+      extraHostNames = [ value.targetHost ];
+    }) secrets.hosts;
     bash.enableCompletion = true;
     mosh.enable = true;
   };
 
+  deployment.targetHost =
+    lib.mkDefault secrets.hosts.${config.networking.hostName}.targetHost;
+
   nix = {
     package = pkgs.nixUnstable;
     extraOptions = ''

nixos/khas/default.nix

@@ -2,7 +2,6 @@
 
 {
   networking.hostName = "khas";
-  deployment.targetHost = "khas.nibylandia.lan";
 
   imports = with inputs.self.nixosModules; [
     ./hardware-configuration.nix

nixos/microlith/default.nix

@@ -2,7 +2,6 @@
 
 {
   networking.hostName = "microlith";
-  deployment.targetHost = "microlith.nibylandia.lan";
 
   imports = with inputs.self.nixosModules; [
     ./hardware-configuration.nix

nixos/scylla/default.nix

@@ -72,7 +72,6 @@ in {
   };
 
   networking.hostName = "scylla";
-  deployment.targetHost = "i.am-a.cat";
 
   networking.wireless.enable = false;
 

nixos/zorigami/default.nix

@@ -315,7 +315,6 @@
 
   # need to figure out something fancy about network configuration
   networking.hostName = "zorigami";
-  deployment.targetHost = "is-a.cat";
 
   systemd.network.wait-online.enable = false;
   networking.useDHCP = false;

secrets.nix

@@ -5,60 +5,111 @@ let
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6rEwERSm/Fj4KO4SxFIo0BUvi9YNyf8PSL1FteMcMt ar@microlith";
   ar = [ ar_khas ar_microlith ];
 
-  scylla =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1X7EaPNfLhWH32IAyaZj2dhJz+QLnyGuXPCZUYRTjg";
-  khas =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6VxPqJHYKmVB5d7bd6vuRqBNKXV1fo2R/WvdSF77xa";
-  zorigami =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/7CsIWlJH2F0VQpgsGgZOQeAd7Zh98WpCvmTyXCTty";
-  stereolith =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVuDOcKE8ANKGjd6kfFH1qLLzLwg91o0exJ0isIEw4O";
-  microlith =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDghNuH/3G+0BXwrBZWZXX0V3K0tfu/Q/AKokLXY5zTD";
-  akamanto =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKb4i+BmIb2wiT4y5uWsCOmSo1dRp6Ql36toUsRHN6pC";
+  hosts = {
+    scylla = {
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1X7EaPNfLhWH32IAyaZj2dhJz+QLnyGuXPCZUYRTjg";
+      targetHost = "i.am-a.cat";
+    };
+    khas = {
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6VxPqJHYKmVB5d7bd6vuRqBNKXV1fo2R/WvdSF77xa";
+      targetHost = "khas.nibylandia.lan";
+    };
+    zorigami = {
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/7CsIWlJH2F0VQpgsGgZOQeAd7Zh98WpCvmTyXCTty";
+      targetHost = "is-a.cat";
+    };
+    stereolith = {
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVuDOcKE8ANKGjd6kfFH1qLLzLwg91o0exJ0isIEw4O";
+      targetHost = "stereolith.nibylandia.lan";
+    };
+    microlith = {
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDghNuH/3G+0BXwrBZWZXX0V3K0tfu/Q/AKokLXY5zTD";
+      targetHost = "microlith.nibylandia.lan";
+    };
+    akamanto = {
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKb4i+BmIb2wiT4y5uWsCOmSo1dRp6Ql36toUsRHN6pC";
+      targetHost = "akamanto.local";
+    };
+  };
 in {
 
-  "secrets/secureboot-key.age".publicKeys = ar
-    ++ [ khas microlith zorigami scylla ];
-  "secrets/secureboot-cert.age".publicKeys = ar
-    ++ [ khas microlith zorigami scylla ];
-  "secrets/khas-ar.age".publicKeys = ar ++ [ khas ];
-  "secrets/microlith-ar.age".publicKeys = ar ++ [ microlith ];
-  "secrets/nix-store.age".publicKeys = ar
-    ++ [ zorigami scylla stereolith khas microlith akamanto ];
-  "secrets/wg/nibylandia_scylla.age".publicKeys = ar ++ [ scylla ];
-  "secrets/wg/dn42_w1kl4s_scylla.age".publicKeys = ar ++ [ scylla ];
-  "secrets/lan/nibylandia-ddns-kea.age".publicKeys = ar ++ [ scylla ];
-  "secrets/lan/nibylandia-ddns-bind.age".publicKeys = ar ++ [ scylla ];
-  "secrets/notbotEnvironment.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/nextCloudAdmin.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/nextCloudExporter.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/norkclubMinecraftRestic.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/cassAuth.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/miniflux.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/stuffAuth.age".publicKeys = ar ++ [ stereolith ];
-  "secrets/wg/nibylandia_zorigami.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/ar.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/apo.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/amie.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/mastodon.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/mastodonPlain.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/madargon.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/enki.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/matrix.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/vaultwarden.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/vaultwardenPlain.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/keycloak.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/mail/keycloakPlain.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/keycloakDatabase.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/synapseExtraConfig.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/gitea-runner-token-zorigami.age".publicKeys = ar ++ [ zorigami ];
-  "secrets/gitea-runner-token-scylla.age".publicKeys = ar ++ [ scylla ];
-  "secrets/ci-secrets.age".publicKeys = ar ++ [
-    scylla
-    zorigami
-  ]; # TODO: we're not getting ssh keys for the generated disk image, so we need to embed it at disk image build time
+  "secrets/secureboot-key.age".publicKeys = ar ++ (with hosts; [
+    khas.publicKey
+    microlith.publicKey
+    zorigami.publicKey
+    scylla.publicKey
+  ]);
+  "secrets/secureboot-cert.age".publicKeys = ar ++ (with hosts; [
+    khas.publicKey
+    microlith.publicKey
+    zorigami.publicKey
+    scylla.publicKey
+  ]);
+  "secrets/khas-ar.age".publicKeys = ar ++ [ hosts.khas.publicKey ];
+  "secrets/microlith-ar.age".publicKeys = ar ++ [ hosts.microlith.publicKey ];
+  "secrets/nix-store.age".publicKeys = ar ++ (with hosts; [
+    zorigami.publicKey
+    scylla.publicKey
+    stereolith.publicKey
+    khas.publicKey
+    microlith.publicKey
+    akamanto.publicKey
+  ]);
+  "secrets/wg/nibylandia_scylla.age".publicKeys = ar
+    ++ [ hosts.scylla.publicKey ];
+  "secrets/wg/dn42_w1kl4s_scylla.age".publicKeys = ar
+    ++ [ hosts.scylla.publicKey ];
+  "secrets/lan/nibylandia-ddns-kea.age".publicKeys = ar
+    ++ [ hosts.scylla.publicKey ];
+  "secrets/lan/nibylandia-ddns-bind.age".publicKeys = ar
+    ++ [ hosts.scylla.publicKey ];
+  "secrets/notbotEnvironment.age".publicKeys = ar
+    ++ [ hosts.zorigami.publicKey ];
+  "secrets/nextCloudAdmin.age".publicKeys = ar ++ [ hosts.zorigami.publicKey ];
+  "secrets/nextCloudExporter.age".publicKeys = ar
+    ++ [ hosts.zorigami.publicKey ];
+  "secrets/norkclubMinecraftRestic.age".publicKeys = ar
+    ++ [ hosts.zorigami.publicKey ];
+  "secrets/cassAuth.age".publicKeys = ar ++ [ hosts.zorigami.publicKey ];
+  "secrets/miniflux.age".publicKeys = ar ++ [ hosts.zorigami.publicKey ];
+  "secrets/stuffAuth.age".publicKeys = ar ++ [ hosts.stereolith.publicKey ];
+  "secrets/wg/nibylandia_zorigami.age".publicKeys = ar
+    ++ [ hosts.zorigami.publicKey ];
+  "secrets/mail/ar.age".publicKeys = ar ++ [ hosts.zorigami.publicKey ];
+  "secrets/mail/apo.age".publicKeys = ar ++ [ hosts.zorigami.publicKey ];
+  "secrets/mail/amie.age".publicKeys = ar ++ [ hosts.zorigami.publicKey ];
+  "secrets/mail/mastodon.age".publicKeys = ar ++ [ hosts.zorigami.publicKey ];
+  "secrets/mail/mastodonPlain.age".publicKeys = ar
+    ++ [ hosts.zorigami.publicKey ];
+  "secrets/mail/madargon.age".publicKeys = ar ++ [ hosts.zorigami.publicKey ];
+  "secrets/mail/enki.age".publicKeys = ar ++ [ hosts.zorigami.publicKey ];
+  "secrets/mail/matrix.age".publicKeys = ar ++ [ hosts.zorigami.publicKey ];
+  "secrets/mail/vaultwarden.age".publicKeys = ar
+    ++ [ hosts.zorigami.publicKey ];
+  "secrets/mail/vaultwardenPlain.age".publicKeys = ar
+    ++ [ hosts.zorigami.publicKey ];
+  "secrets/mail/keycloak.age".publicKeys = ar ++ [ hosts.zorigami.publicKey ];
+  "secrets/mail/keycloakPlain.age".publicKeys = ar
+    ++ [ hosts.zorigami.publicKey ];
+  "secrets/keycloakDatabase.age".publicKeys = ar
+    ++ [ hosts.zorigami.publicKey ];
+  "secrets/synapseExtraConfig.age".publicKeys = ar
+    ++ [ hosts.zorigami.publicKey ];
+  "secrets/gitea-runner-token-zorigami.age".publicKeys = ar
+    ++ [ hosts.zorigami.publicKey ];
+  "secrets/gitea-runner-token-scylla.age".publicKeys = ar
+    ++ [ hosts.scylla.publicKey ];
+  "secrets/ci-secrets.age".publicKeys = ar ++ (with hosts; [
+    scylla.publicKey
+    zorigami.publicKey
+  ]); # TODO: we're not getting ssh keys for the generated disk image, so we need to embed it at disk image build time
 
   inherit ar;
+  inherit hosts;
 }