Merge pull request #154 from ryan4yin/refactor-vars

refactor: migrate ssh auth keys & hashed password into vars
2026-01-11 22:30:25 +01:00 · 2024-08-16 14:40:54 +08:00
parent 6c8e8111c6 eb83e88267
commit 07178984b1
3 changed files with 21 additions and 6 deletions
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -74,11 +74,7 @@
    #      ```
    #    2. Never leave the device and never sent over the network.
    # 2. Or just use hardware security keys like Yubikey/CanoKey.
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwZ9MdotnyhxIJrI4gmVshExHiZOx+FGFhcW7BaYkfR ryan@harmonica"
-    ];
+    openssh.authorizedKeys.keys = myvars.sshAuthorizedKeys;
  };

  nix.settings = {
--- a/modules/nixos/base/user-group.nix
+++ b/modules/nixos/base/user-group.nix
@@ -22,7 +22,7 @@
  users.users."${myvars.username}" = {
    # generated by `mkpasswd -m scrypt`
    # we have to use initialHashedPassword here when using tmpfs for /
-    initialHashedPassword = "$7$CU..../....KDvTIXqLTXpmCaoUy2yC9.$145eM358b7Q0sRXgEBvxctd5EAuEEdao57LmZjc05D.";
+    inherit (myvars) initialHashedPassword;
    home = "/home/${myvars.username}";
    isNormalUser = true;
    extraGroups = [
--- a/vars/default.nix
+++ b/vars/default.nix
@@ -3,4 +3,23 @@
  userfullname = "Ryan Yin";
  useremail = "xiaoyin_c@qq.com";
  networking = import ./networking.nix {inherit lib;};
+  # generated by `mkpasswd -m scrypt`
+  initialHashedPassword = "$7$CU..../....KDvTIXqLTXpmCaoUy2yC9.$145eM358b7Q0sRXgEBvxctd5EAuEEdao57LmZjc05D.";
+  # Public Keys that can be used to login to all my PCs, Macbooks, and servers.
+  #
+  # Since its authority is so large, we must strengthen its security:
+  # 1. The corresponding private key must be:
+  #    1. Generated locally on every trusted client via:
+  #      ```bash
+  #      # KDF: bcrypt with 256 rounds, takes 2s on Apple M2):
+  #      # Passphrase: digits + letters + symbols, 12+ chars
+  #      ssh-keygen -t ed25519 -a 256 -C "ryan@xxx" -f ~/.ssh/xxx`
+  #      ```
+  #    2. Never leave the device and never sent over the network.
+  # 2. Or just use hardware security keys like Yubikey/CanoKey.
+  sshAuthorizedKeys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwZ9MdotnyhxIJrI4gmVshExHiZOx+FGFhcW7BaYkfR ryan@harmonica"
+  ];
 }