pretend this stuff worked :P
this is basically what we do now:
{
  # All machines share a single key pair, declared once below as a resource
  # and referenced from the per-machine defaults.
  defaults = { resources, ... }@args:
    let
      keyPairs = args.resources.sshKeyPairs;
    in {
      deployment = {
        sshKey = keyPairs.management-key;
      };
    };

  resources = {
    sshKeyPairs = {
      # Empty attrset: the key pair is created with provider defaults.
      management-key = { };
    };
  };
}
create an SSH key per machine, automatically:
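{
  # One key pair per machine, keyed by the machine's uuid. A distinct key per
  # host means a key exposed on one host does not open the others.
  defaults = { machine_uuid, resources, ... }: {
    # Fixed: the parameter is `machine_uuid`; the original interpolated the
    # undefined name `machine_uid`, which fails at evaluation time.
    deployment.sshKey = resources.sshKeyPairs."${machine_uuid}"; # implicitly create an SSH key per host
  };
}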
use a yubikey or other PKCS11-compatible device for SSH:
{
  # Every machine is deployed with the same hardware-backed key pair.
  defaults = { machine_uuid, resources, ... }:
    let
      yubikey = resources.sshKeyPairs.adams-yubikey;
    in {
      deployment.sshKey = yubikey;
    };

  resources.sshKeyPairs = {
    adams-yubikey = {
      provider = "pkcs11";
      # Sample id; presumably selects the key object on the PKCS#11 device.
      keyId = "abc123";
    };
  };
}
get an automatically provisioned SSH key from Vault:
{
  # Every machine is deployed with a key pair obtained from Vault.
  defaults = { machine_uuid, resources, ... }: {
    deployment = {
      sshKey = resources.sshKeyPairs.vault-deploykey;
    };
  };

  resources = {
    sshKeyPairs.vault-deploykey = {
      provider = "vault";
      # Vault endpoint, HTTPS; the loopback address here is a sample value.
      server = "https://127.0.0.1:8200";
      # Presumably the secrets-engine mount and the Vault role that is
      # allowed to issue the deploy key — confirm against the Vault setup.
      secretEngine = "ssh-keys";
      role = "nixops-deploy";
    };
  };
}
use your SSH agent, with a defined SSH public key for provisioning:
{
  # Every machine is deployed with the agent-backed key pair.
  defaults = { machine_uuid, resources, ... }@args:
    let
      keyPairs = args.resources.sshKeyPairs;
    in {
      deployment.sshKey = keyPairs.agent;
    };

  resources.sshKeyPairs.agent =
    let
      # Only the public half is configured; the private key is expected to be
      # served by the running SSH agent (provider "ssh-agent").
      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUy2CGT6P3q2kApZEuyCHsuCruwdRzeWMdQe/WjdCak grahamc@Petunia";
    in {
      provider = "ssh-agent";
      publicKey = pubkey;
    };
}