From 68d1fa46ace99c0679b3d4611d881050405e1f8f Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Fri, 16 Aug 2024 13:23:59 +0000
Subject: [PATCH] nixos-mods: add secrix module
---
 nix/nixos-modules/default.nix | 1 +
 nix/nixos-modules/secrix.nix | 76 +++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 nix/nixos-modules/secrix.nix
diff --git a/nix/nixos-modules/default.nix b/nix/nixos-modules/default.nix
index 9736f53..f35d936 100644
--- a/nix/nixos-modules/default.nix
+++ b/nix/nixos-modules/default.nix
@@ -13,6 +13,7 @@
 ./hwCommon.nix
 ./options.nix
 ./privacy.nix
+ ./secrix.nix
 ./sshSecurity.nix
 ./useable.nix
 ./vmCommon.nix
diff --git a/nix/nixos-modules/secrix.nix b/nix/nixos-modules/secrix.nix
new file mode 100644
index 0000000..5720022
--- /dev/null
+++ b/nix/nixos-modules/secrix.nix
@@ -0,0 +1,76 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+ myOpts = config.x-banananetwork;
+ cfg = config.x-banananetwork.secrix.enable;
+in
+{
+
+
+ options = {
+
+ x-banananetwork.secrix = {
+
+ enable = lib.mkEnableOption ''
+ optioniated common secrix options.
+ '';
+
+ hostKeyType = lib.mkOption {
+ description = ''
+ Type of SSH host key to use.
+
+ option{secrix.hostIdentityKey} will then automatically be set
+ to the path set in option{services.openssh.hostKeys}
+ for the host key with this type.
+
+ Type names are the same used by
+ e.g. option{services.openssh.hostKeys}
+ or in OpenSSH `ssh-keygen -t` argument.
+
+ '';
+ type = with lib.types; nullOr str;
+ default = null;
+ example = lib.literalExpression "rsa";
+ };
+
+ };
+
+ };
+
+
+ config = lib.mkIf cfg.enable {
+
+
+ assertions = [
+ {
+ assertion = config.secrix.hostPubKey != null;
+ message = "secrix.hostPubKey must be defined";
+ }
+ ];
+
+
+ secrix =
+ let
+ findHostKey = keyType: lib.lists.findSingle
+ (key: key.type == keyType)
+ (abort "cannot find generated OpenSSH host key with type ${keyType}")
+ (abort "found multiple generated OpenSSH host keys with type ${keyType}")
+ config.services.openssh.hostKeys;
+ hostKeyPrivate = (findHostKey cfg.hostKeyType).path;
+ in
+ {
+
+ defaultEncryptKeys."${myOpts.userName}" = myOpts.sshPublicKeys;
+
+ hostIdentityFile = lib.mkIf (cfg.hostKeyType != null) (lib.mkDefault hostKeyPrivate);
+
+ };
+
+
+ };
+
+
+}
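Review bot: `cfg` is bound to `config.x-banananetwork.secrix.enable`, a boolean, yet the module then selects `cfg.enable` in `config = lib.mkIf cfg.enable { … }` and `cfg.hostKeyType` in the `secrix` block, so evaluation fails with "value is a boolean while a set was expected" on every host that imports this module (default.nix now imports it unconditionally); the `let` should read `cfg = config.x-banananetwork.secrix;`. The `hostKeyType` description refers to `option{secrix.hostIdentityKey}`, but the option actually set further down is `secrix.hostIdentityFile`, so the doc should name the real option. `example = lib.literalExpression "rsa"` renders as the bare identifier `rsa` rather than a string; `example = "rsa";` gives the intended rendering. Worth a caveat in the description as well: pointing `hostIdentityFile` at an OpenSSH host key only works for key types the secrix backend can decrypt with (secrix appears to be age-based, which accepts ed25519 and rsa SSH keys but not ecdsa — confirm), and nothing here checks that `secrix.hostPubKey` is the public half of the selected host key, so a mismatch only surfaces when a secret is decrypted at activation time.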