fix root ssh secrets

Charlotte 🦝 Delenk 2024-11-07 08:51:24 +01:00
parent 5592bc9650
commit e1c0f409c3
6 changed files with 76 additions and 41 deletions


@ -2,7 +2,6 @@ keys:
- &base age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76 - &base age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
- &not522 age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa - &not522 age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa
- &pc-installer age1eh2vd6cdy23qazwg0hzq95pn9e6p8yaqu4g6zyan8gzal4x5ed5qful8kg - &pc-installer age1eh2vd6cdy23qazwg0hzq95pn9e6p8yaqu4g6zyan8gzal4x5ed5qful8kg
- &root age1pcdyf483yl2r8wny30yxsp9yusgder6vra7yrf7qjqn5fjhcxeaq3342ew
- &darkkirb age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u - &darkkirb age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u
creation_rules: creation_rules:
@ -31,6 +30,7 @@ creation_rules:
- path_regex: programs/ssh/shared-keys.yaml$ - path_regex: programs/ssh/shared-keys.yaml$
key_groups: key_groups:
- age: - age:
- *root
- *darkkirb - *darkkirb
- *base - *base
- *not522
- *pc-installer
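Review bot: Dropping `&root` from the `programs/ssh/shared-keys.yaml` key group only affects future encryptions; every earlier revision of that file, and of system.yaml whose `age-key` entry is removed in the last section, stays in git history and remains decryptable by whoever holds the root age identity. If that identity is being retired rather than merely no longer needed, the `builder_id_ed25519` and `id_ed25519_sk` private keys it protected should be rotated, not only re-encrypted as the fourth section does. The same hunk also adds `*not522` and `*pc-installer` to the group, so those hosts can now read the builder SSH private key; a line such as `# every recipient below can decrypt the builder SSH private key` above the `age:` list would make that widening deliberate for the next reader. Both the `keys:` list and `creation_rules:` continue outside the hunks.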


@ -1,39 +1,51 @@
{config, ...}: { {
config,
systemConfig,
lib,
...
}: let
identityFile =
if config.home.username == "root"
then systemConfig.sops.secrets.".ssh/builder_id_ed25519".path
else config.sops.secrets.".ssh/builder_id_ed25519".path;
in {
programs.ssh = { programs.ssh = {
enable = true; enable = true;
matchBlocks = { matchBlocks = {
"build-nas" = { "build-nas" = {
hostname = "nas.int.chir.rs"; hostname = "nas.int.chir.rs";
identitiesOnly = true; identitiesOnly = true;
identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path; inherit identityFile;
port = 22; port = 22;
user = "remote-build"; user = "remote-build";
}; };
"build-rainbow-resort" = { "build-rainbow-resort" = {
hostname = "rainbow-resort.int.chir.rs"; hostname = "rainbow-resort.int.chir.rs";
identitiesOnly = true; identitiesOnly = true;
identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path; inherit identityFile;
port = 22; port = 22;
user = "remote-build"; user = "remote-build";
}; };
"build-aarch64" = { "build-aarch64" = {
hostname = "instance-20221213-1915.int.chir.rs"; hostname = "instance-20221213-1915.int.chir.rs";
identitiesOnly = true; identitiesOnly = true;
identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path; inherit identityFile;
port = 22; port = 22;
user = "remote-build"; user = "remote-build";
}; };
"build-riscv" = { "build-riscv" = {
hostname = "not522.tailbab65.ts.net"; hostname = "not522.tailbab65.ts.net";
identitiesOnly = true; identitiesOnly = true;
identityFile = config.sops.secrets.".ssh/builder_id_ed25519".path; inherit identityFile;
port = 22; port = 22;
user = "remote-build"; user = "remote-build";
}; };
}; };
}; };
sops.secrets.".ssh/builder_id_ed25519" = { sops.secrets = lib.mkIf (config.home.username != "root") {
mode = "600"; ".ssh/builder_id_ed25519" = {
sopsFile = ./shared-keys.yaml; mode = "600";
sopsFile = ./shared-keys.yaml;
};
}; };
} }
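Review bot: The root-versus-user selector `if config.home.username == "root" then systemConfig.sops.secrets.<name>.path else config.sops.secrets.<name>.path` introduced in the new `let` is duplicated verbatim in the next section for `".ssh/id_ed25519_sk"`, together with the matching `lib.mkIf (config.home.username != "root")` guard on `sops.secrets`. Keeping the split in one place, for example a shared `secretPath = name: if config.home.username == "root" then systemConfig.sops.secrets.${name}.path else config.sops.secrets.${name}.path;` binding, means a later change to how root gets its keys cannot drift between the two modules. `systemConfig` is presumably injected through home-manager's extraSpecialArgs; that wiring is not visible here, so the module now fails to evaluate on any host that does not pass it, which is worth a one-line comment above the `let`.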


@ -1,6 +1,7 @@
{ {
lib, lib,
config, config,
systemConfig,
... ...
}: { }: {
imports = [ imports = [
@ -10,12 +11,17 @@
controlMaster = "auto"; controlMaster = "auto";
controlPersist = "10m"; controlPersist = "10m";
matchBlocks."*" = lib.hm.dag.entryAfter ["build-nas" "build-rainbow-resort" "build-aarch64" "build-riscv"] { matchBlocks."*" = lib.hm.dag.entryAfter ["build-nas" "build-rainbow-resort" "build-aarch64" "build-riscv"] {
identityFile = config.sops.secrets.".ssh/id_ed25519_sk".path; identityFile =
if config.home.username == "root"
then systemConfig.sops.secrets.".ssh/id_ed25519_sk".path
else config.sops.secrets.".ssh/id_ed25519_sk".path;
}; };
enable = true; enable = true;
}; };
sops.secrets.".ssh/id_ed25519_sk" = { sops.secrets = lib.mkIf (config.home.username != "root") {
mode = "600"; ".ssh/id_ed25519_sk" = {
sopsFile = ./shared-keys.yaml; mode = "600";
sopsFile = ./shared-keys.yaml;
};
}; };
} }


@ -7,32 +7,41 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1pcdyf483yl2r8wny30yxsp9yusgder6vra7yrf7qjqn5fjhcxeaq3342ew
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1OGN5azZvMFZlY0wxZ0xX
b2lGakZzY1FCdnhTZlU0RTB3aUVhUlROYTJJCnlZdDk1K28wTjBVR09rVlRLT3J3
WU1FeDJWRlNjb2lyMGpCVVlJYVhLNGcKLS0tIEt1VVlkY3FsYk1aeUcvaFlDS3Ju
SFVHWnpMdXlQcXdaNUtwOUh3Sjg1YUEKEiO3ohjqoNg5lu/2Yyg07HMuvo+qtsMR
2e0CBnuUT8g2kIsN8IYgY6sMX3yNvpuL0AmjiL+ncF/w38JFBzJmCw==
-----END AGE ENCRYPTED FILE-----
- recipient: age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u - recipient: age15g6tzvcmcp3ae4hwnn4pwewat6eq9unlhtjrlaka6rf94ej9dd5qqpgt7u
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UkcrcENqckkxcXJHcG0z YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxeUl2SHFQVDZEUnB6aGtT
b0hzZ0JPWjg4RjREMENmeVRyUmJvNWc2WVhJCkVoM3lhb2VpUXUvNTR2K2pwUVVU dnh4V3JObG5QVTFNWUJZNEVCZ0ZSN0RrZXdrCmZLeHVEMTl5Uk13eVZzZUhYQUpV
MzRrMm5XWTRSdXppcXdvWmlYWXNrcEEKLS0tIG92c3VOYkVvRG1Bd0Z6U2ZZRG14 ZEFjWGtvQXB4S0lPNTF6dkRuTURCaE0KLS0tIGxTRXBBQ3kvUjUya05YREUrRDVR
dHQvc3JMU0JRUEFNWHVjQkNOYmdYQzAKSWERLI8m2IzLdmGCel7ca12JeOTBm5mg dHJLcWF3QTBNNTNMTElPckZsNTVuZlkKv+O1BXdVBAhQA98crwWC8h5EHy8XT7FZ
qmjtjTTRRZc+decLAgpZd0CUza3hZcJjRWyKUXP4yeItCaAmOgJ7VQ== PB7KEKxI/K5Gk+mBEYmipU1sUIgDOlZxXqC1kDKdmZmhHbKDEC2irQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76 - recipient: age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWVZVRXoyVSsyMlVEU3NF YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVHlBeHJTODVBQ1hhYkFF
SHFMMGVVeHdMcUtvQ0ZNdHFzYlI4ZjdNL1hnCnFQK0pzaGovTHV0K1A3cUtEQVRE emFWczVmblR6VW5rbkF6MnUwejA3Wjc3aXpBCmI2Wm1xc2VFeDdXcUZEN0dJOWF0
N09hZ1BjUEtnbGdaWTJQSXJHMHZQaW8KLS0tIDlZc2RteFgycnhrMFdSR0RjOTBK V3RON2FKY1U4YmhPQldTWWNZaUZ5dEUKLS0tIDJRQVJreE9JV0FLcnRWQzhFRGtK
SEtJZWVEZ3dsbkUyM09JVnI1WnN6RXcK+odcorNYMvm21CWVDlO48ubj3X3nuhRh cFhyUlBMQVg1a2pPdXI3SW5KSmsvNVUK86u53KET36rjOqB7Ecp//vk+fr7sSxyR
m0giyDyxRRXFye7XptZayT64Vcx6wRXXMm3SOZL2BVwuLibZeIagrg== luP5xkQKNCECQxsSMuFO3T4qY8Kso93mO9vajv51rXBOK/8mQ2Q/CQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQlVwem1tQ3NqSHViQm1a
bkR2MnVZT1ZLM0Q2V0tiUEg4UC8zTjBIbUFNCkZ4REhYb2hNTFFCSFF0VmZnbSty
SklVZ0JQWXRka0pSajV2TlU1aUJSeVEKLS0tIHFEWHdteW50WVArcmtISEFoNTVa
d3hwK2F1VVNWbUxpZmY3cjNKMHd3L1kKyqHhER26gbDrmn+bDHVlhG3/MP5hL2OF
OuqVrOI1wBFwFN5BCbSnvnG4QOkqFnhh9O+zmGzPfw95nsLVF2wjng==
-----END AGE ENCRYPTED FILE-----
- recipient: age1eh2vd6cdy23qazwg0hzq95pn9e6p8yaqu4g6zyan8gzal4x5ed5qful8kg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VzA2VUNoRVFNNUlaTyt1
VEVyRmJxYlBPZ2RwQkFKU2JFbDEyYU8wZjE4Cm54a29ZaGRueFRtaHI4RXFEN1FB
U3RUYjRQM2hDY0RHd0FiZ0VBWmtwTHcKLS0tIG1sejZtWTJReVA0ZmlYVmFNSzIx
MkNpV3pYYlNCQ05QN0NyQXM3Q2Nzb00K9o3t7LNSk8A9MTGUicE1KmyQdWnBOypn
PCyV+1tAfQeDaKCHR0Wvxlfqz3EEb8KzCK1tAohxGeSJywl9PF4unQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-06T08:58:58Z" lastmodified: "2024-11-06T08:58:58Z"
mac: ENC[AES256_GCM,data:yzeJcuRDNbPebTJ4wwT4yiOuFMplSOf/XJcdw+g04S3ELj8tWwmQszv/gYJfCTI7kfeREbggyddF/2g4T7dzwCK2dWvGNRvGz96JFvYalWwI8a1ZSDk2DCS1ahKzcXisLG1WtVqVpr7i5ttkWGUjrgcRJrekLCCHGz228JnlUvE=,iv:EQs/TLqF8Hzah5YDZ2GqSrpr8FGkZgHt/Q/4bMlWe8U=,tag:AWsIaUAphZ2g95idHnhNSQ==,type:str] mac: ENC[AES256_GCM,data:yzeJcuRDNbPebTJ4wwT4yiOuFMplSOf/XJcdw+g04S3ELj8tWwmQszv/gYJfCTI7kfeREbggyddF/2g4T7dzwCK2dWvGNRvGz96JFvYalWwI8a1ZSDk2DCS1ahKzcXisLG1WtVqVpr7i5ttkWGUjrgcRJrekLCCHGz228JnlUvE=,iv:EQs/TLqF8Hzah5YDZ2GqSrpr8FGkZgHt/Q/4bMlWe8U=,tag:AWsIaUAphZ2g95idHnhNSQ==,type:str]


@ -1,4 +1,9 @@
{config, ...}: { {
nixos-config,
config,
lib,
...
}: {
users.users.root = { users.users.root = {
createHome = true; createHome = true;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
@ -10,10 +15,14 @@
neededForUsers = true; neededForUsers = true;
sopsFile = ./system.yaml; sopsFile = ./system.yaml;
}; };
sops.secrets."users/users/root/age-key" = { sops.secrets.".ssh/builder_id_ed25519" = {
owner = "root"; mode = "600";
sopsFile = ./system.yaml; sopsFile = "${nixos-config}/programs/ssh/shared-keys.yaml";
}; };
home-manager.users.root.sops.age.keyFile = config.sops.secrets."users/users/root/age-key".path; sops.secrets.".ssh/id_ed25519_sk" = {
mode = "600";
sopsFile = "${nixos-config}/programs/ssh/shared-keys.yaml";
};
home-manager.users.root.sops.secrets = lib.mkForce {};
environment.impermanence.users = ["root"]; environment.impermanence.users = ["root"];
} }
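Review bot: `home-manager.users.root.sops.secrets = lib.mkForce {};` in the second hunk discards every home-manager secret declared for root, not just the two SSH keys; since the home-manager modules in the earlier sections already guard their declarations with `lib.mkIf (config.home.username != "root")`, the force is redundant for them and will silently drop any secret a future module declares for root with no evaluation error. If the intent is to forbid home-manager secrets for root, an assertion expresses that without hiding anything, for example `assertions = [{ assertion = config.home-manager.users.root.sops.secrets == {}; message = "root must not declare home-manager sops secrets"; }];`. The two new system secrets set `mode = "600"` but, unlike the removed `users/users/root/age-key` block, no explicit `owner`; sops-nix defaults to root so it works, but stating `owner = "root";` keeps the file's convention. Note also that every host importing this module must now be a recipient of `shared-keys.yaml` (the group widened in the first section), otherwise activation fails to decrypt these secrets; this module's attribute set opens in the first hunk.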


@ -2,7 +2,6 @@ users:
users: users:
root: root:
hashedPassword: ENC[AES256_GCM,data:ptHTZ/MHRId363TlEWNJpOMQ46dISPSQjvrqsxQzq9hmDU3oC0FO9Mtf08I9wcVa0KpIEQfSZp/AgZ7yburK9EpfBccwudRdzpCBynsRYxhbuirSAm4ANaBLyrYx1jsCXFbeNDA4xsrmfw==,iv:WIG8qv7vAIUN8MMPkPKc9sjG1CQMYk03/C2TYSDs9zY=,tag:9Vm8Grn2AtME0O329N60Bw==,type:str] hashedPassword: ENC[AES256_GCM,data:ptHTZ/MHRId363TlEWNJpOMQ46dISPSQjvrqsxQzq9hmDU3oC0FO9Mtf08I9wcVa0KpIEQfSZp/AgZ7yburK9EpfBccwudRdzpCBynsRYxhbuirSAm4ANaBLyrYx1jsCXFbeNDA4xsrmfw==,iv:WIG8qv7vAIUN8MMPkPKc9sjG1CQMYk03/C2TYSDs9zY=,tag:9Vm8Grn2AtME0O329N60Bw==,type:str]
age-key: ENC[AES256_GCM,data:A0G/R9o2Qray5kk7lqwu00EOJD0mRQ5cYWRDBzvw0gMTIq+JU16m5QrXLgzK3M/oURxPbBUOC+Wy7ZdiPAHVj5i353bsVLzGi6wIuwQpL2HA0RUwcos/bBnPTcvRriErBIpMYxgkxEVvgb4NpS0523V09AiXgX5DSY/z6pmQ1ERtXl1YRW+lCRqewgUUweC4WE31iG82NDOXkPZM+oaFginQeUy0Ruy4Kya4xQjC/+pzbxRdJwQKGkf/5fLl,iv:1TnvWbolHgQgOMmOBxpqxUlKmD14oCd+Yo/Jn2AHuL8=,tag:ML2ifWFpzHHxJ4F2OQ3+jA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -36,8 +35,8 @@ sops:
MGg3ZUxqcnhzbiszb2RNVkkwNUNIbHcK/NdUErDE9xecelLx1i0MjZCKkdev+hdx MGg3ZUxqcnhzbiszb2RNVkkwNUNIbHcK/NdUErDE9xecelLx1i0MjZCKkdev+hdx
ZWwQORih0fGotN9FjFQuBTc4Y0ApRy8Su52xCp1UOqM0FhnaHjwEQQ== ZWwQORih0fGotN9FjFQuBTc4Y0ApRy8Su52xCp1UOqM0FhnaHjwEQQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-06T08:34:07Z" lastmodified: "2024-11-07T07:35:18Z"
mac: ENC[AES256_GCM,data:U3+GUzxyPL7infWqht48rQ7Oe7E7Fu3WU883VZjJSKLM46ilDf0mWhpIWX7JDwhFzii/fSyF3+FsJvBDD4bcnK8L0UiS7C9z6yH9RGtOXI6is6jitfgm4qOuPP+aZa99hEDUf/ZO5uEzE/Psayf4aVAxEyL3L+SgVdiWf2MIFmk=,iv:XQavrryRBHnSf/xPMGY/lk/ep1qdRdgDtzUVwde4vXE=,tag:yWScrP9lTH1SiHpUiQuAXw==,type:str] mac: ENC[AES256_GCM,data:fGS1pQBHJ6vausZUbARxt7J/69tcFk1kkzrHLox12J+QQfgZYAm8xoue343Jw2NH+OgeYyOfAz8nKfKmZiibQIGPbV/JPkFvI7KQL7sEy7PLYLFU0cWF5DXwG4Y4z71rfgnNcX7emc2iQWwEcXMU6wM84ltkqf5zPPelvphXz+I=,iv:mVOFo1PtYVqMTvHmrmTO+eOqZ3N57kuc0KP5/XAN1b0=,tag:OJBY9qGxkVVNqJlDmDOJGQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.1