From b6118974ec2b022ea9075fbd5fcc5c745a0ecfaa Mon Sep 17 00:00:00 2001
From: prescientmoon
Date: Tue, 27 Aug 2024 23:28:37 +0200
Subject: [PATCH] Fix ssh permissions (take 3)
---
 home/features/cli/ssh.nix | 10 ----------
 hosts/nixos/common/users/pilot.nix | 21 +++++++++++++++++++++
 2 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/home/features/cli/ssh.nix b/home/features/cli/ssh.nix
index 163fb14..9f6de78 100644
--- a/home/features/cli/ssh.nix
+++ b/home/features/cli/ssh.nix
@@ -1,15 +1,5 @@
 { config, ... }:
 {
 programs.ssh.enable = true;
- satellite.persistence.at.state.apps.ssh.directories = [ ".ssh" ];
- systemd.user.tmpfiles.rules =
- let
- ssh = "${config.satellite.persistence.at.state.home}/ssh/.ssh";
- in
- [
- "d ${ssh} 0755 ${config.home.username} users"
- "e ${ssh}/id_rsa 0700 ${config.home.username} users"
- "e ${ssh}/id_ed25519 0700 ${config.home.username} users"
- ];
 }
diff --git a/hosts/nixos/common/users/pilot.nix b/hosts/nixos/common/users/pilot.nix
index 79ab088..6d8dcd6 100644
--- a/hosts/nixos/common/users/pilot.nix
+++ b/hosts/nixos/common/users/pilot.nix
@@ -6,17 +6,22 @@
 ...
 }:
 {
+ # This is it's own attribute in order to prevent infinite recursion
+ # in certain places.
 satellite.pilot.name = lib.mkDefault "adrielus";
+ # {{{ Password handling
 sops.secrets.pilot_password = {
 sopsFile = ../secrets.yaml;
 neededForUsers = true;
 };
+ # }}}
 users = {
 # Configure users through nix only
 mutableUsers = false;
+ # {{{ Create pilot user
 users.pilot = {
 inherit (config.satellite.pilot) name;
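Review bot: The new comment above `satellite.pilot.name` misspells the possessive: `# This is it's own attribute in order to prevent infinite recursion` should read `# This is its own attribute in order to prevent infinite recursion`. The enclosing attribute set starts and continues outside this hunk.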
@@ -44,5 +49,21 @@
 openssh.authorizedKeys.keyFiles = (import ./common.nix).authorizedKeys { inherit outputs lib; };
 };
+ # }}}
 };
+
+ # {{{ Set user-specific ssh permissions
+ # This is mainly useful because home-manager can often fail if the perms on
+ # `~/.ssh` are incorrect.
+ systemd.tmpfiles.rules =
+ let
+ user = config.users.users.pilot;
+ ssh = "/persist/state/${user.home}/ssh/.ssh";
+ in
+ [
+ "d ${ssh} 0755 ${user.name} ${user.group}"
+ "e ${ssh}/id_rsa 0700 ${user.name} ${user.group}"
+ "e ${ssh}/id_ed25519 0700 ${user.name} ${user.group}"
+ ];
+ # }}}
 }
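Review bot: The `e` rules for `id_rsa` and `id_ed25519` apply mode `0700` to private key files, which sets the executable bit on a regular file for no benefit; OpenSSH only requires the key to be unreadable by group and others, and `0600` is the mode its own tooling creates. The `.ssh` directory is pinned to `0755`, which StrictModes tolerates, but since the directory holds private keys and the whole point of the rule is to fix permissions, `0700` is the more defensive choice: `"d ${ssh} 0700 ${user.name} ${user.group}"`, `"e ${ssh}/id_rsa 0600 ${user.name} ${user.group}"`, `"e ${ssh}/id_ed25519 0600 ${user.name} ${user.group}"`. tmpfiles.d documents `e` as adjusting existing directories (a non-creating `d`), while `z` is the type documented for adjusting the mode of an existing file, so it is worth confirming on a host that the two key rules actually take effect. Separately, `users.users.pilot.home` is an absolute path (typically `/home/<name>`), so `"/persist/state/${user.home}/ssh/.ssh"` yields a double slash and hard-codes the persistence root that the removed home-manager version derived from `config.satellite.persistence.at.state.home`; the two can drift if that option changes.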