'';
};
lib = originPkgs.lib;
- initrdKey = "initrd/ssh.key";
machines = builtins.mapAttrs (machineName: machineConfig:
let cfg = import machineConfig { inherit inputs; }; in
import (nixpkgs + "/nixos/lib/eval-config.nix") (cfg // {
system.nixos.revision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
# Let 'nixos-version --json' know about the Git revision of this flake.
system.configurationRevision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
- boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];
+ boot.initrd.network.ssh.hostKeys = [ "/root/initrd/ssh.key" ];
/*
system.configurationRevision =
if inputs.self ? rev
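Review bot: The replacement of the `initrdKey` binding on L4 with the literal `/root/initrd/ssh.key` on L12 leaves the same path spelled out a second time in the `switch` script (L35), and nothing now ties the two together: `boot.initrd.network.ssh.hostKeys` reads exactly the file the deployment script installs, so if either literal is edited alone the initrd silently gets no host key file until the next `nixos-rebuild`. If the binding is dropped on purpose, a short comment at L12 would make the coupling visible, e.g. `# Must match the path the "switch" app installs the decrypted key to.`. The enclosing `let` and the `mapAttrs` body both start and end outside this hunk.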
devShell = import ./shell.nix { inherit inputs pkgs; };
apps = builtins.mapAttrs (machineName: { config, ... }: let
system = config.system.build.toplevel;
- rootKey = "root/key";
keygrip = builtins.getAttr machineName {
losurdo = "9AA84E6F6D71F9163C46BF396B141A0806219077";
mermet = "89F52A879E0019A966503AFFDE72EEA84CDFA3A7";
type = "app";
program = (pkgs.writeShellScript "switch" ''
set -eux
+ set -o pipefail
nix-store --add-root machines/${machineName}.root --indirect --realise ${system}
${pkgs.nixFlakes}/bin/nix copy --to ssh://'${target}' \
${lib.escapeShellArgs nixCopyFlags} ${system}
${sendkeys.program}
# Send the SSH key of the initrd
- gpg --decrypt '${config.security.gnupg.store}/${initrdKey}.gpg' |
- ssh '${target}' install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
+ gpg --decrypt '${config.security.gnupg.store}/initrd/ssh.key.gpg' |
+ ssh '${target}' install -D -m 400 -o root -g root /dev/stdin /root/initrd/ssh.key
# Send the Wireguard key of the initrd
gpg --decrypt '${config.security.gnupg.store}/wireguard/wg-intra/privateKey.gpg' |
ssh '${target}' install -D -m 400 -o root -g root /dev/stdin /root/initrd/wg-intra.key
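Review bot: With `set -o pipefail` now on L26, a failing `gpg --decrypt` on L34 aborts the script, but by then the remote `install` on L35 has already created `/root/initrd/ssh.key` (mode 400, owned by root) from whatever arrived on its stdin — possibly nothing — and exits 0, so a failed run can leave an empty key file in the place `boot.initrd.network.ssh.hostKeys` reads from. Since this path is consumed at the next initrd build, I would write to a temporary file on the target, require it to be non-empty and only then move it into place; the WireGuard key on L37–L38 has the same shape and would benefit from the same treatment. The `writeShellScript` body continues past the end of this hunk.
```nix
      # Send the SSH key of the initrd (only installed if the decrypted payload is non-empty)
      gpg --decrypt '${config.security.gnupg.store}/initrd/ssh.key.gpg' |
      ssh '${target}' 'set -e
        install -d -m 700 -o root -g root /root/initrd
        t=$(mktemp /root/initrd/.ssh.key.XXXXXX)
        install -m 400 -o root -g root /dev/stdin "$t"
        test -s "$t"
        mv "$t" /root/initrd/ssh.key'
      # … unchanged: Wireguard key of the initrd …
```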
type = "app";
program = (pkgs.writeShellScript "sendkeys" ''
set -eux
+ set -o pipefail
ssh '${target}' \
${pkgs.gnupg}/bin/gpg-connect-agent --no-autostart --homedir /var/lib/gnupg "'keyinfo --list'" /bye 2>&1 |
grep -qx -e "gpg-connect-agent: no gpg-agent running in this session" \
-e "S KEYINFO ${keygrip} . . . 1 .*" || {
- # Send the rootKey
- gpg --decrypt '${config.security.gnupg.store}/${rootKey}.pass.gpg' |
+ # Send the GnuPG root key
+ gpg --decrypt '${config.security.gnupg.store}/root/key.pass.gpg' |
gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
ssh '${target}' \
gpg --no-autostart --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import
- # Send the rootKey's passphrase
- gpg --decrypt '${config.security.gnupg.store}/${rootKey}.pass.gpg' |
+ # Send the GnuPG root key's passphrase
+ gpg --decrypt '${config.security.gnupg.store}/root/key.pass.gpg' |
ssh '${target}' \
gpg-preset-passphrase --homedir /var/lib/gnupg --preset ${keygrip}
}
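Review bot: The `set -o pipefail` added on L42 changes the meaning of the `ssh … | grep -qx …` test on L43–L46: `grep -q` exits as soon as it finds a match, and if `ssh` is still writing at that moment it is killed by SIGPIPE, which pipefail now reports as a failed pipeline and sends the script into the `|| { … }` block that re-imports the secret subkeys and re-presets the passphrase. The `keyinfo --list` output is small, so in practice the whole response has probably been written before `grep` returns, but that is a timing property rather than a guarantee. Capturing the output first removes the race: `out=$(ssh '${target}' ${pkgs.gnupg}/bin/gpg-connect-agent --no-autostart --homedir /var/lib/gnupg "'keyinfo --list'" /bye 2>&1)` followed by `printf '%s\n' "$out" | grep -qx -e … || {`. Note that an unreachable host still lands in the same block, as it did before the change.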