From eb63779bb68f14b07eb42b57d97acd993295da9c Mon Sep 17 00:00:00 2001
From: b12f <git@benjaminbaedorf.eu>
Date: Tue, 12 Nov 2024 21:04:44 +0100
Subject: [PATCH] auth: use all sshPubKeys for disk unlock, fix tests, fix hm
 config

---
 logins/default.nix                      |  5 +++
 modules/core/default.nix                |  4 ---
 modules/core/terminal-tooling.nix       | 42 +++++++++++++++----------
 modules/core/users.nix                  | 14 ++++++++-
 modules/unlock-luks-on-boot/default.nix |  2 +-
 modules/unlock-zfs-on-boot/default.nix  |  2 +-
 tests/keycloak.nix                      |  2 +-
 tests/support/client.nix                |  2 +-
 8 files changed, 47 insertions(+), 26 deletions(-)

diff --git a/logins/default.nix b/logins/default.nix
index dfd2775..0493ca8 100644
--- a/logins/default.nix
+++ b/logins/default.nix
@@ -11,6 +11,11 @@ in
         wireguardDevices: adminConfig:
         wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
       ) [ ] (lib.attrsets.attrValues admins);
+      sshPubKeys = lib.lists.foldl (
+        sshPubKeys: adminConfig:
+        sshPubKeys
+        ++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
+      ) [ ] (lib.attrsets.attrValues admins);
       robots.sshPubKeys = lib.attrsets.attrValues robots;
     };
   };
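Review bot: The new `sshPubKeys` list carries no comment saying what consumes it, although the other hunks of this patch wire it into root's `authorizedKeys` and the initrd SSH unlock, so adding a key to any admin's `sshPubKeys` now also grants boot-time disk unlock on every host. A short comment above the fold would make that visible to whoever edits an admin entry: `# Union of every admin's keys; used for root SSH and the initrd disk-unlock shell.` Note that this fold treats the per-admin value as an attrset (`attrValues`) while the `wireguardDevices` fold above treats its value as a list — presumably intentional given `robots.sshPubKeys` below, but worth a word. Duplicate keys across admins are not removed; wrapping the result in `lib.lists.unique` would keep the generated `authorized_keys` tidy.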
diff --git a/modules/core/default.nix b/modules/core/default.nix
index 64d4c76..f0914fd 100644
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -54,9 +54,5 @@
     };
 
     time.timeZone = "Etc/UTC";
-
-    home-manager.users.${config.pub-solar-os.authentication.username} = {
-      home.stateVersion = "23.05";
-    };
   };
 }
diff --git a/modules/core/terminal-tooling.nix b/modules/core/terminal-tooling.nix
index 823898a..dd0a82f 100644
--- a/modules/core/terminal-tooling.nix
+++ b/modules/core/terminal-tooling.nix
@@ -1,19 +1,27 @@
-{ flake, config, ... }:
+{ flake, lib, ... }:
 {
-  home-manager.users.${config.pub-solar-os.authentication.username} = {
-    programs.git.enable = true;
-    programs.starship.enable = true;
-    programs.bash.enable = true;
-    programs.neovim = {
-      enable = true;
-      vimAlias = true;
-      viAlias = true;
-      defaultEditor = true;
-      # configure = {
-      #   packages.myVimPackages = with pkgs.vimPlugins; {
-      #     start = [vim-nix vim-surrund rainbow];
-      #   };
-      # };
-    };
-  };
+  home-manager.users = (
+    lib.attrsets.foldlAttrs (
+      acc: name: value:
+      acc
+      // {
+        ${name} = {
+          programs.git.enable = true;
+          programs.starship.enable = true;
+          programs.bash.enable = true;
+          programs.neovim = {
+            enable = true;
+            vimAlias = true;
+            viAlias = true;
+            defaultEditor = true;
+            # configure = {
+            #   packages.myVimPackages = with pkgs.vimPlugins; {
+            #     start = [vim-nix vim-surrund rainbow];
+            #   };
+            # };
+          };
+        };
+      }
+    ) { } flake.self.logins.admins
+  );
 }
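Review bot: The `foldlAttrs` with `acc // { ${name} = … }` is a long way of writing `lib.attrsets.mapAttrs`, and the `value` parameter of the fold is never used; `home-manager.users = lib.attrsets.mapAttrs (_name: _: { … }) flake.self.logins.admins;` produces the same attrset with the same keys and one level less nesting. The same pattern is added to `modules/core/users.nix` in this patch and could be simplified the same way. The commented-out `configure` block still refers to `pkgs`, which is not in this file's argument set, so it cannot be uncommented as-is; either drop it or add `pkgs` to the arguments when it is revived.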
diff --git a/modules/core/users.nix b/modules/core/users.nix
index f296c85..d3a1cfc 100644
--- a/modules/core/users.nix
+++ b/modules/core/users.nix
@@ -50,7 +50,7 @@
       ) { } flake.self.logins.admins)
       // {
         # TODO: Remove when we stop locking ourselves out.
-        root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+        root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
         root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
 
         ${config.pub-solar-os.authentication.robot.username} = {
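Review bot: The root `authorizedKeys` line now pulls in every key of every admin from `logins/default.nix` instead of the keys configured under `pub-solar-os.authentication.sshPubKeys`, but the TODO above it still reads as if this were the old per-user list. Any admin device key is now a root login credential on this host; the comment should say so, e.g. `# TODO: Remove when we stop locking ourselves out. Every admin key from logins/default.nix can log in as root.` Whether `config.pub-solar-os.authentication.sshPubKeys` has any remaining consumer after this patch is not visible here; if it has none, the option itself can probably be retired so the two key lists cannot drift apart. The enclosing `users.users` attrset begins before this hunk.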
@@ -65,6 +65,18 @@
         };
       };
 
+    home-manager.users = (
+      lib.attrsets.foldlAttrs (
+        acc: name: value:
+        acc
+        // {
+          ${name} = {
+            home.stateVersion = "23.05";
+          };
+        }
+      ) { } flake.self.logins.admins
+    );
+
     users.groups =
       (lib.attrsets.foldlAttrs (
         acc: name: value:
diff --git a/modules/unlock-luks-on-boot/default.nix b/modules/unlock-luks-on-boot/default.nix
index 0952188..fd8c547 100644
--- a/modules/unlock-luks-on-boot/default.nix
+++ b/modules/unlock-luks-on-boot/default.nix
@@ -10,7 +10,7 @@
 
       # Please create this manually the first time.
       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-      authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+      authorizedKeys = flake.self.logins.sshPubKeys;
     };
     postCommands = ''
       # Automatically ask for the password on SSH login
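Review bot: `authorizedKeys` for the initrd SSH server now holds every admin's keys from `logins/default.nix`, so each of those devices can unlock the encrypted disk at boot, before the main system and any further authentication are up; nothing in the hunk records that widening. A comment next to the assignment would help: `# All admin keys from logins/default.nix may unlock the disk at boot; the list is baked into the initrd, so removing a key needs a rebuild and redeploy.` The same one-line change is made in `modules/unlock-zfs-on-boot/default.nix` and deserves the same comment. The enclosing ssh attrset starts above this hunk and `postCommands` continues below it.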
diff --git a/modules/unlock-zfs-on-boot/default.nix b/modules/unlock-zfs-on-boot/default.nix
index 2e68b39..586f944 100644
--- a/modules/unlock-zfs-on-boot/default.nix
+++ b/modules/unlock-zfs-on-boot/default.nix
@@ -11,7 +11,7 @@
 
       # Please create this manually the first time.
       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-      authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+      authorizedKeys = flake.self.logins.sshPubKeys;
     };
     # this will automatically load the zfs password prompt on login
     # and kill the other prompt so boot can continue
diff --git a/tests/keycloak.nix b/tests/keycloak.nix
index 5e735fd..59b085a 100644
--- a/tests/keycloak.nix
+++ b/tests/keycloak.nix
@@ -66,7 +66,7 @@ in
   testScript =
     { nodes, ... }:
     let
-      user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
+      user = nodes.client.users.users.b12f;
       #uid = toString user.uid;
       bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
       gdbus = "${bus} gdbus";
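Review bot: The test now hard-codes the login name `b12f` instead of deriving it from configuration, so it silently couples the keycloak test to one particular admin entry in `logins/default.nix`; removing or renaming that admin breaks the test at evaluation time with an unrelated-looking attribute error. If `flake` is available in this file, picking the first admin keeps the test independent of who is listed, e.g. `user = nodes.client.users.users.${builtins.head (builtins.attrNames flake.self.logins.admins)};`. The same literal is used in `tests/support/client.nix` for `autoLogin.user` and must stay in sync with whatever this test uses, ideally via one shared value. Failing that, a comment stating why `b12f` was chosen would at least make the coupling explicit.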
diff --git a/tests/support/client.nix b/tests/support/client.nix
index 41e97f0..c34c847 100644
--- a/tests/support/client.nix
+++ b/tests/support/client.nix
@@ -11,7 +11,7 @@
   services.xserver.displayManager.gdm.enable = true;
   services.xserver.desktopManager.gnome.enable = true;
   services.xserver.displayManager.autoLogin.enable = true;
-  services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username;
+  services.xserver.displayManager.autoLogin.user = "b12f";
 
   systemd.user.services = {
     "org.gnome.Shell@wayland" = {