From 391080d74f57e6702a13c914950dcb5b4bab2e99 Mon Sep 17 00:00:00 2001
From: Adrien Bourmault
Date: Sun, 15 Dec 2024 18:41:59 +0100
Subject: [PATCH] add support for offloading from other computers

---
 .gitignore | 7 ++++++-
 config.scm | 25 ++++++++++++++++++++++---
 guix/n-t400s.pub | 4 ++++
 guix/signing-key.pub | 6 ++++++
 ssh/ssh_n-t400s_ed25519_key.pub | 1 +
 ssh/ssh_neox_ed25519_key.pub | 1 +
 6 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100644 guix/n-t400s.pub
 create mode 100644 guix/signing-key.pub
 create mode 100644 ssh/ssh_n-t400s_ed25519_key.pub
 create mode 100644 ssh/ssh_neox_ed25519_key.pub

diff --git a/.gitignore b/.gitignore
index be2f2b7..b8a5a16 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,7 +7,6 @@ dbus-1
 environment
 fstab
 group
-guix/
 hostname
 hosts
 issue
@@ -44,3 +43,9 @@ sysconfig/
 syslog.conf
 timezone
 udev
+*.sec
+ssh/ssh_host_*_key
+ssh/authorized_keys.d/
+guix/acl*
+bluetooth
+shadow*
diff --git a/config.scm b/config.scm
index 1f73bc0..e479c5c 100644
--- a/config.scm
+++ b/config.scm
@@ -347,6 +347,11 @@ fi"))
 ;; La liste des comptes utilisateurs (« root » est implicite).
 (users (cons*
+ (user-account
+ (name "offload")
+ (comment "guix offload account")
+ (group "users")
+ (system? #t))
 (user-account
 (name "neox")
 (comment "neox")
@@ -601,9 +606,12 @@ fi"))
 ;; Service OpenSSH
 (service openssh-service-type
 (openssh-configuration
- (x11-forwarding? #t)
- (password-authentication? #f)
- (permit-root-login 'prohibit-password)))
+ (authorized-keys
+ `(("neox" ,(local-file "/etc/ssh/ssh_neox_ed25519_key.pub"))
+ ("offload" ,(local-file "/etc/ssh/ssh_n-t400s_ed25519_key.pub"))))
+ (x11-forwarding? #t)
+ (password-authentication? #f)
+ (permit-root-login 'prohibit-password)))
 ;; Service Tor
 (service tor-service-type)
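Review bot: Dropping `guix/` from the ignore list in the first .gitignore hunk makes everything under guix/ trackable, and the second hunk only re-ignores `guix/acl*` and whatever `*.sec` matches, so the daemon's private signing key (presumably guix/signing-key.sec, the counterpart of the committed guix/signing-key.pub) is protected by a generic suffix rule alone; an explicit `guix/signing-key.sec` entry would state the intent and survive a later edit of `*.sec`. Note also that .gitignore rules only affect untracked files, so `shadow*`, `ssh/ssh_host_*_key` and `*.sec` do nothing for anything already committed; a one-time `git ls-files guix ssh` is worth running to confirm no private material was tracked before these rules existed.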
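Review bot: The new `authorized-keys` entry grants the holder of ssh/ssh_n-t400s_ed25519_key.pub — generated as root on the build master, judging by its `root@(none)` comment — an unrestricted login as `offload`, while the retained `(x11-forwarding? #t)` applies server-wide, including to that service account. Offloading only needs non-interactive command execution, so consider prefixing that key line with `restrict` (or at least `no-X11-forwarding,no-port-forwarding,no-agent-forwarding`) so that a compromise of the master's key cannot be turned into forwarding or tunnelling through this host; confirm offload still works with the restricted key, since that is not verified here. A one-line comment above the `authorized-keys` form naming which machine each key belongs to would also help the next reader, since the file names alone carry that information. The enclosing `services` list starts and ends outside this hunk.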
@@ -652,6 +660,17 @@ fi"))
 (handle-lid-switch 'ignore)
 (handle-lid-switch-external-power 'ignore)))
+ ;; Configuration du service Guix
+ (guix-service-type config => (guix-configuration
+ (inherit config)
+ (authorize-key? #t)
+ (authorized-keys
+ (append
+ (list
+ (local-file "/etc/guix/n-t400s.pub"))
+ %default-authorized-guix-keys))
+ (extra-options '("--gc-keep-derivations=yes" "--gc-keep-output=yes"))))
+
 ;; Configuration du service network-manager pour prendre en charge
 ;; OpenVPN
 (network-manager-service-type config => (network-manager-configuration
diff --git a/guix/n-t400s.pub b/guix/n-t400s.pub
new file mode 100644
index 0000000..8239911
--- /dev/null
+++ b/guix/n-t400s.pub
@@ -0,0 +1,4 @@
+(public-key
+ (ecc
+ (curve Ed25519)
+ (q #7F8EB1AE40F138A9DF5F61C57CC4E33F4F1E42244CE71D855806CDE06113A245#)))
diff --git a/guix/signing-key.pub b/guix/signing-key.pub
new file mode 100644
index 0000000..0f5ae61
--- /dev/null
+++ b/guix/signing-key.pub
@@ -0,0 +1,6 @@
+(public-key
+ (ecc
+ (curve Ed25519)
+ (q #8E46170F0B43CC3C0AD67F162CB1707246D18F322C3EA040898FBB15F2A18963#)
+ )
+ )
diff --git a/ssh/ssh_n-t400s_ed25519_key.pub b/ssh/ssh_n-t400s_ed25519_key.pub
new file mode 100644
index 0000000..f701b53
--- /dev/null
+++ b/ssh/ssh_n-t400s_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhNNT9tFGTTGQ9e+L5u1gJiPpiivE04r8iQ4zapXpSU root@(none)
diff --git a/ssh/ssh_neox_ed25519_key.pub b/ssh/ssh_neox_ed25519_key.pub
new file mode 100644
index 0000000..25e29c6
--- /dev/null
+++ b/ssh/ssh_neox_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZQd7U/DRPK5/qk35dzeG5dpnS/0FesbRrgZTSMHEsv openpgp:0x18D3885F
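Review bot: `--gc-keep-output=yes` in the `extra-options` line is not the daemon's documented spelling; the option is `--gc-keep-outputs`. Prefix matching in the daemon's option parser presumably accepts the abbreviation, but the canonical name avoids depending on that: `(extra-options '("--gc-keep-derivations=yes" "--gc-keep-outputs=yes"))`. Separately, appending `/etc/guix/n-t400s.pub` to `authorized-keys` makes this daemon accept any store item carrying a valid signature from that machine's key — offloaded build results, but equally anything it exports or serves — so the trust placed in this host's store is now bounded by how well n-t400s protects its private signing key; that is inherent to offloading, but a short comment next to the `authorized-keys` form saying so would keep the trade-off visible. The enclosing `services` list starts and ends outside this hunk.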