fix root ssh secrets
This commit is contained in:
parent
5592bc9650
commit
e1c0f409c3
6 changed files with 76 additions and 41 deletions
|
@ -2,7 +2,6 @@ keys:
|
||||||
- &base age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
|
- &base age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
|
||||||
- ¬522 age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa
|
- ¬522 age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa
|
||||||
- &pc-installer age1eh2vd6cdy23qazwg0hzq95pn9e6p8yaqu4g6zyan8gzal4x5ed5qful8kg
|
- &pc-installer age1eh2vd6cdy23qazwg0hzq95pn9e6p8yaqu4g6zyan8gzal4x5ed5qful8kg
|
||||||
- &root age1pcdyf483yl2r8wny30yxsp9yusgder6vra7yrf7qjqn5fjhcxeaq3342ew
|
|
||||||
- &darkkirb age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u
|
- &darkkirb age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
|
@ -31,6 +30,7 @@ creation_rules:
|
||||||
- path_regex: programs/ssh/shared-keys.yaml$
|
- path_regex: programs/ssh/shared-keys.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *root
|
|
||||||
- *darkkirb
|
- *darkkirb
|
||||||
- *base
|
- *base
|
||||||
|
- *not522
|
||||||
|
- *pc-installer
|
||||||
|
|
|
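Review bot: Removing `&root` from `keys:` and from the `programs/ssh/shared-keys.yaml$` rule does not revoke that identity — every earlier revision of the shared-keys and system files in git history still decrypts with the old root age key, so if that key is being retired, the SSH private keys it could unwrap (`.ssh/builder_id_ed25519`, `.ssh/id_ed25519_sk`) should be rotated, not only re-keyed. The same rule now also adds `*not522` and `*pc-installer` as recipients; if `pc-installer` is the identity of an installer image, as its name suggests, anyone holding that image's age key can decrypt the builder SSH key, which deserves a one-line comment on the rule stating why each host recipient needs the SSH private keys rather than the user keys alone. The `key_groups` list of this rule may continue past the end of the hunk.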
@ -1,39 +1,51 @@
|
||||||
{config, ...}: {
|
{
|
||||||
|
config,
|
||||||
|
systemConfig,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
identityFile =
|
||||||
|
if config.home.username == "root"
|
||||||
|
then systemConfig.sops.secrets.".ssh/builder_id_ed25519".path
|
||||||
|
else config.sops.secrets.".ssh/builder_id_ed25519".path;
|
||||||
|
in {
|
||||||
programs.ssh = {
|
programs.ssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
matchBlocks = {
|
matchBlocks = {
|
||||||
"build-nas" = {
|
"build-nas" = {
|
||||||
hostname = "nas.int.chir.rs";
|
hostname = "nas.int.chir.rs";
|
||||||
identitiesOnly = true;
|
identitiesOnly = true;
|
||||||
identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path;
|
inherit identityFile;
|
||||||
port = 22;
|
port = 22;
|
||||||
user = "remote-build";
|
user = "remote-build";
|
||||||
};
|
};
|
||||||
"build-rainbow-resort" = {
|
"build-rainbow-resort" = {
|
||||||
hostname = "rainbow-resort.int.chir.rs";
|
hostname = "rainbow-resort.int.chir.rs";
|
||||||
identitiesOnly = true;
|
identitiesOnly = true;
|
||||||
identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path;
|
inherit identityFile;
|
||||||
port = 22;
|
port = 22;
|
||||||
user = "remote-build";
|
user = "remote-build";
|
||||||
};
|
};
|
||||||
"build-aarch64" = {
|
"build-aarch64" = {
|
||||||
hostname = "instance-20221213-1915.int.chir.rs";
|
hostname = "instance-20221213-1915.int.chir.rs";
|
||||||
identitiesOnly = true;
|
identitiesOnly = true;
|
||||||
identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path;
|
inherit identityFile;
|
||||||
port = 22;
|
port = 22;
|
||||||
user = "remote-build";
|
user = "remote-build";
|
||||||
};
|
};
|
||||||
"build-riscv" = {
|
"build-riscv" = {
|
||||||
hostname = "not522.tailbab65.ts.net";
|
hostname = "not522.tailbab65.ts.net";
|
||||||
identitiesOnly = true;
|
identitiesOnly = true;
|
||||||
identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path;
|
inherit identityFile;
|
||||||
port = 22;
|
port = 22;
|
||||||
user = "remote-build";
|
user = "remote-build";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
sops.secrets.".ssh/builder_id_ed25519" = {
|
sops.secrets = lib.mkIf (config.home.username != "root") {
|
||||||
mode = "600";
|
".ssh/builder_id_ed25519" = {
|
||||||
sopsFile = ./shared-keys.yaml;
|
mode = "600";
|
||||||
|
sopsFile = ./shared-keys.yaml;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
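Review bot: `systemConfig` is now a required argument of this home-manager module — the `{ config, systemConfig, lib, ... }:` pattern has no default, so evaluation fails for every user, not just root, if a home-manager evaluation does not pass it in `extraSpecialArgs`; and for root the expression `systemConfig.sops.secrets.".ssh/builder_id_ed25519".path` silently depends on the NixOS side declaring that secret. A default plus an explicit failure message makes the coupling visible: `systemConfig ? null,` and `then (systemConfig.sops.secrets.".ssh/builder_id_ed25519".path or (throw "ssh builder key: the NixOS config must declare sops.secrets.\".ssh/builder_id_ed25519\" for root"))`. The `lib.mkIf (config.home.username != "root")` gate on `sops.secrets` and the `identityFile` branch test the same condition; a shared `let isRoot = config.home.username == "root";` would keep the two from drifting apart.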
@ -1,6 +1,7 @@
|
||||||
{
|
{
|
||||||
lib,
|
lib,
|
||||||
config,
|
config,
|
||||||
|
systemConfig,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -10,12 +11,17 @@
|
||||||
controlMaster = "auto";
|
controlMaster = "auto";
|
||||||
controlPersist = "10m";
|
controlPersist = "10m";
|
||||||
matchBlocks."*" = lib.hm.dag.entryAfter ["build-nas" "build-rainbow-resort" "build-aarch64" "build-riscv"] {
|
matchBlocks."*" = lib.hm.dag.entryAfter ["build-nas" "build-rainbow-resort" "build-aarch64" "build-riscv"] {
|
||||||
identityFile = config.sops.secrets.".ssh/id_ed25519_sk".path;
|
identityFile =
|
||||||
|
if config.home.username == "root"
|
||||||
|
then systemConfig.sops.secrets.".ssh/id_ed25519_sk".path
|
||||||
|
else config.sops.secrets.".ssh/id_ed25519_sk".path;
|
||||||
};
|
};
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
sops.secrets.".ssh/id_ed25519_sk" = {
|
sops.secrets = lib.mkIf (config.home.username != "root") {
|
||||||
mode = "600";
|
".ssh/id_ed25519_sk" = {
|
||||||
sopsFile = ./shared-keys.yaml;
|
mode = "600";
|
||||||
|
sopsFile = ./shared-keys.yaml;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
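Review bot: The root branch of `identityFile` in the `"*"` match block reads the key path from `systemConfig` without saying why root is special; a reader of this file alone cannot tell that root's home-manager sops secrets are intentionally empty (the `lib.mkIf` gate on `sops.secrets` below only hints at it). Suggest a comment above the `if`: `# root keeps no home-manager sops secrets; its keys are declared by the NixOS sops module, so use the system-level path`, and, as for the sibling builder-key module, `systemConfig ? null,` so non-root evaluations that lack the argument still work. The `programs.ssh` attribute set this match block belongs to presumably starts before the hunk.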
@ -7,32 +7,41 @@ sops:
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age:
|
age:
|
||||||
- recipient: age1pcdyf483yl2r8wny30yxsp9yusgder6vra7yrf7qjqn5fjhcxeaq3342ew
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1OGN5azZvMFZlY0wxZ0xX
|
|
||||||
b2lGakZzY1FCdnhTZlU0RTB3aUVhUlROYTJJCnlZdDk1K28wTjBVR09rVlRLT3J3
|
|
||||||
WU1FeDJWRlNjb2lyMGpCVVlJYVhLNGcKLS0tIEt1VVlkY3FsYk1aeUcvaFlDS3Ju
|
|
||||||
SFVHWnpMdXlQcXdaNUtwOUh3Sjg1YUEKEiO3ohjqoNg5lu/2Yyg07HMuvo+qtsMR
|
|
||||||
2e0CBnuUT8g2kIsN8IYgY6sMX3yNvpuL0AmjiL+ncF/w38JFBzJmCw==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
- recipient: age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u
|
- recipient: age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UkcrcENqckkxcXJHcG0z
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxeUl2SHFQVDZEUnB6aGtT
|
||||||
b0hzZ0JPWjg4RjREMENmeVRyUmJvNWc2WVhJCkVoM3lhb2VpUXUvNTR2K2pwUVVU
|
dnh4V3JObG5QVTFNWUJZNEVCZ0ZSN0RrZXdrCmZLeHVEMTl5Uk13eVZzZUhYQUpV
|
||||||
MzRrMm5XWTRSdXppcXdvWmlYWXNrcEEKLS0tIG92c3VOYkVvRG1Bd0Z6U2ZZRG14
|
ZEFjWGtvQXB4S0lPNTF6dkRuTURCaE0KLS0tIGxTRXBBQ3kvUjUya05YREUrRDVR
|
||||||
dHQvc3JMU0JRUEFNWHVjQkNOYmdYQzAKSWERLI8m2IzLdmGCel7ca12JeOTBm5mg
|
dHJLcWF3QTBNNTNMTElPckZsNTVuZlkKv+O1BXdVBAhQA98crwWC8h5EHy8XT7FZ
|
||||||
qmjtjTTRRZc+decLAgpZd0CUza3hZcJjRWyKUXP4yeItCaAmOgJ7VQ==
|
PB7KEKxI/K5Gk+mBEYmipU1sUIgDOlZxXqC1kDKdmZmhHbKDEC2irQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
|
- recipient: age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWVZVRXoyVSsyMlVEU3NF
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVHlBeHJTODVBQ1hhYkFF
|
||||||
SHFMMGVVeHdMcUtvQ0ZNdHFzYlI4ZjdNL1hnCnFQK0pzaGovTHV0K1A3cUtEQVRE
|
emFWczVmblR6VW5rbkF6MnUwejA3Wjc3aXpBCmI2Wm1xc2VFeDdXcUZEN0dJOWF0
|
||||||
N09hZ1BjUEtnbGdaWTJQSXJHMHZQaW8KLS0tIDlZc2RteFgycnhrMFdSR0RjOTBK
|
V3RON2FKY1U4YmhPQldTWWNZaUZ5dEUKLS0tIDJRQVJreE9JV0FLcnRWQzhFRGtK
|
||||||
SEtJZWVEZ3dsbkUyM09JVnI1WnN6RXcK+odcorNYMvm21CWVDlO48ubj3X3nuhRh
|
cFhyUlBMQVg1a2pPdXI3SW5KSmsvNVUK86u53KET36rjOqB7Ecp//vk+fr7sSxyR
|
||||||
m0giyDyxRRXFye7XptZayT64Vcx6wRXXMm3SOZL2BVwuLibZeIagrg==
|
luP5xkQKNCECQxsSMuFO3T4qY8Kso93mO9vajv51rXBOK/8mQ2Q/CQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQlVwem1tQ3NqSHViQm1a
|
||||||
|
bkR2MnVZT1ZLM0Q2V0tiUEg4UC8zTjBIbUFNCkZ4REhYb2hNTFFCSFF0VmZnbSty
|
||||||
|
SklVZ0JQWXRka0pSajV2TlU1aUJSeVEKLS0tIHFEWHdteW50WVArcmtISEFoNTVa
|
||||||
|
d3hwK2F1VVNWbUxpZmY3cjNKMHd3L1kKyqHhER26gbDrmn+bDHVlhG3/MP5hL2OF
|
||||||
|
OuqVrOI1wBFwFN5BCbSnvnG4QOkqFnhh9O+zmGzPfw95nsLVF2wjng==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1eh2vd6cdy23qazwg0hzq95pn9e6p8yaqu4g6zyan8gzal4x5ed5qful8kg
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VzA2VUNoRVFNNUlaTyt1
|
||||||
|
VEVyRmJxYlBPZ2RwQkFKU2JFbDEyYU8wZjE4Cm54a29ZaGRueFRtaHI4RXFEN1FB
|
||||||
|
U3RUYjRQM2hDY0RHd0FiZ0VBWmtwTHcKLS0tIG1sejZtWTJReVA0ZmlYVmFNSzIx
|
||||||
|
MkNpV3pYYlNCQ05QN0NyQXM3Q2Nzb00K9o3t7LNSk8A9MTGUicE1KmyQdWnBOypn
|
||||||
|
PCyV+1tAfQeDaKCHR0Wvxlfqz3EEb8KzCK1tAohxGeSJywl9PF4unQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-11-06T08:58:58Z"
|
lastmodified: "2024-11-06T08:58:58Z"
|
||||||
mac: ENC[AES256_GCM,data:yzeJcuRDNbPebTJ4wwT4yiOuFMplSOf/XJcdw+g04S3ELj8tWwmQszv/gYJfCTI7kfeREbggyddF/2g4T7dzwCK2dWvGNRvGz96JFvYalWwI8a1ZSDk2DCS1ahKzcXisLG1WtVqVpr7i5ttkWGUjrgcRJrekLCCHGz228JnlUvE=,iv:EQs/TLqF8Hzah5YDZ2GqSrpr8FGkZgHt/Q/4bMlWe8U=,tag:AWsIaUAphZ2g95idHnhNSQ==,type:str]
|
mac: ENC[AES256_GCM,data:yzeJcuRDNbPebTJ4wwT4yiOuFMplSOf/XJcdw+g04S3ELj8tWwmQszv/gYJfCTI7kfeREbggyddF/2g4T7dzwCK2dWvGNRvGz96JFvYalWwI8a1ZSDk2DCS1ahKzcXisLG1WtVqVpr7i5ttkWGUjrgcRJrekLCCHGz228JnlUvE=,iv:EQs/TLqF8Hzah5YDZ2GqSrpr8FGkZgHt/Q/4bMlWe8U=,tag:AWsIaUAphZ2g95idHnhNSQ==,type:str]
|
||||||
|
|
|
@ -1,4 +1,9 @@
|
||||||
{config, ...}: {
|
{
|
||||||
|
nixos-config,
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
users.users.root = {
|
users.users.root = {
|
||||||
createHome = true;
|
createHome = true;
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
|
@ -10,10 +15,14 @@
|
||||||
neededForUsers = true;
|
neededForUsers = true;
|
||||||
sopsFile = ./system.yaml;
|
sopsFile = ./system.yaml;
|
||||||
};
|
};
|
||||||
sops.secrets."users/users/root/age-key" = {
|
sops.secrets.".ssh/builder_id_ed25519" = {
|
||||||
owner = "root";
|
mode = "600";
|
||||||
sopsFile = ./system.yaml;
|
sopsFile = "${nixos-config}/programs/ssh/shared-keys.yaml";
|
||||||
};
|
};
|
||||||
home-manager.users.root.sops.age.keyFile = config.sops.secrets."users/users/root/age-key".path;
|
sops.secrets.".ssh/id_ed25519_sk" = {
|
||||||
|
mode = "600";
|
||||||
|
sopsFile = "${nixos-config}/programs/ssh/shared-keys.yaml";
|
||||||
|
};
|
||||||
|
home-manager.users.root.sops.secrets = lib.mkForce {};
|
||||||
environment.impermanence.users = ["root"];
|
environment.impermanence.users = ["root"];
|
||||||
}
|
}
|
||||||
|
|
|
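Review bot: The two new `sops.secrets.".ssh/..."` entries set `mode = "600"` but drop the explicit `owner = "root";` that the removed `users/users/root/age-key` entry carried, so ownership now rests on sops-nix's default (presumably root); restating `owner = "root";` keeps the intent explicit and the declarations consistent. `home-manager.users.root.sops.secrets = lib.mkForce {};` is a global kill switch: any home-manager module that later declares a secret for root is discarded without a warning, and the only symptom is a missing-attribute error where its `.path` is used, so it deserves a comment such as `# root has no per-user age key any more; its ssh keys come from the system-level secrets above, so home-manager's sops must not manage anything for root`. Also confirm that dropping `home-manager.users.root.sops.age.keyFile` leaves no other root home-manager secret that still expects that key. The `users.users.root` block and the secret declared above `neededForUsers` start before the second hunk.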
@ -2,7 +2,6 @@ users:
|
||||||
users:
|
users:
|
||||||
root:
|
root:
|
||||||
hashedPassword: ENC[AES256_GCM,data:ptHTZ/MHRId363TlEWNJpOMQ46dISPSQjvrqsxQzq9hmDU3oC0FO9Mtf08I9wcVa0KpIEQfSZp/AgZ7yburK9EpfBccwudRdzpCBynsRYxhbuirSAm4ANaBLyrYx1jsCXFbeNDA4xsrmfw==,iv:WIG8qv7vAIUN8MMPkPKc9sjG1CQMYk03/C2TYSDs9zY=,tag:9Vm8Grn2AtME0O329N60Bw==,type:str]
|
hashedPassword: ENC[AES256_GCM,data:ptHTZ/MHRId363TlEWNJpOMQ46dISPSQjvrqsxQzq9hmDU3oC0FO9Mtf08I9wcVa0KpIEQfSZp/AgZ7yburK9EpfBccwudRdzpCBynsRYxhbuirSAm4ANaBLyrYx1jsCXFbeNDA4xsrmfw==,iv:WIG8qv7vAIUN8MMPkPKc9sjG1CQMYk03/C2TYSDs9zY=,tag:9Vm8Grn2AtME0O329N60Bw==,type:str]
|
||||||
age-key: ENC[AES256_GCM,data:A0G/R9o2Qray5kk7lqwu00EOJD0mRQ5cYWRDBzvw0gMTIq+JU16m5QrXLgzK3M/oURxPbBUOC+Wy7ZdiPAHVj5i353bsVLzGi6wIuwQpL2HA0RUwcos/bBnPTcvRriErBIpMYxgkxEVvgb4NpS0523V09AiXgX5DSY/z6pmQ1ERtXl1YRW+lCRqewgUUweC4WE31iG82NDOXkPZM+oaFginQeUy0Ruy4Kya4xQjC/+pzbxRdJwQKGkf/5fLl,iv:1TnvWbolHgQgOMmOBxpqxUlKmD14oCd+Yo/Jn2AHuL8=,tag:ML2ifWFpzHHxJ4F2OQ3+jA==,type:str]
|
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -36,8 +35,8 @@ sops:
|
||||||
MGg3ZUxqcnhzbiszb2RNVkkwNUNIbHcK/NdUErDE9xecelLx1i0MjZCKkdev+hdx
|
MGg3ZUxqcnhzbiszb2RNVkkwNUNIbHcK/NdUErDE9xecelLx1i0MjZCKkdev+hdx
|
||||||
ZWwQORih0fGotN9FjFQuBTc4Y0ApRy8Su52xCp1UOqM0FhnaHjwEQQ==
|
ZWwQORih0fGotN9FjFQuBTc4Y0ApRy8Su52xCp1UOqM0FhnaHjwEQQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-11-06T08:34:07Z"
|
lastmodified: "2024-11-07T07:35:18Z"
|
||||||
mac: ENC[AES256_GCM,data:U3+GUzxyPL7infWqht48rQ7Oe7E7Fu3WU883VZjJSKLM46ilDf0mWhpIWX7JDwhFzii/fSyF3+FsJvBDD4bcnK8L0UiS7C9z6yH9RGtOXI6is6jitfgm4qOuPP+aZa99hEDUf/ZO5uEzE/Psayf4aVAxEyL3L+SgVdiWf2MIFmk=,iv:XQavrryRBHnSf/xPMGY/lk/ep1qdRdgDtzUVwde4vXE=,tag:yWScrP9lTH1SiHpUiQuAXw==,type:str]
|
mac: ENC[AES256_GCM,data:fGS1pQBHJ6vausZUbARxt7J/69tcFk1kkzrHLox12J+QQfgZYAm8xoue343Jw2NH+OgeYyOfAz8nKfKmZiibQIGPbV/JPkFvI7KQL7sEy7PLYLFU0cWF5DXwG4Y4z71rfgnNcX7emc2iQWwEcXMU6wM84ltkqf5zPPelvphXz+I=,iv:mVOFo1PtYVqMTvHmrmTO+eOqZ3N57kuc0KP5/XAN1b0=,tag:OJBY9qGxkVVNqJlDmDOJGQ==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.1
|
version: 3.9.1
|
||||||
|
|