jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

openssh keys cleanup

Browse Source
This commit is contained in:
Danilo Reyes 2024-10-22 01:36:55 -06:00
parent bd278baa5f
commit 1795e56242
5 changed files with 20 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
hosts/miniserver/configuration.nix
View File

@ -182,7 +182,7 @@
createHome = true;
group = "nixremote";
home = "/var/nixremote/";
openssh.authorizedKeys.keys = [ (builtins.readFile ../../secrets/ssh/ed25519_nixworkstation.pub) ];
openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_nixworkstation.pub ];
};
};
services = {

2
hosts/server/configuration.nix
View File

@ -89,7 +89,7 @@
createHome = true;
group = "nixremote";
home = "/var/nixremote/";
openssh.authorizedKeys.keys = [ (builtins.readFile ../../secrets/ssh/ed25519_nixworkstation.pub) ];
openssh.authorizedKeys.keys = [ ../../secrets/ssh/ed25519_nixworkstation.pub ];
};
};
};

6
hosts/workstation/configuration.nix
View File

@ -93,9 +93,9 @@
createHome = true;
group = "nixremote";
home = "/var/nixremote/";
openssh.authorizedKeys.keys = [
(builtins.readFile ../../secrets/ssh/ed25519_nixserver.pub)
(builtins.readFile ../../secrets/ssh/ed25519_nixminiserver.pub)
openssh.authorizedKeys.keyFiles = [
../../secrets/ssh/ed25519_nixserver.pub
../../secrets/ssh/ed25519_nixminiserver.pub
];
};
};

23
jawz.nix
View File

@ -5,6 +5,7 @@ in
{
sops.secrets =
let
baseDir = ".ssh/ed25519";
keyConfig = file: {
sopsFile = ./secrets/keys.yaml;
owner = config.users.users.jawz.name;
@ -14,10 +15,10 @@ in
in
{
jawz-password.neededForUsers = true;
"private_keys/age" = keyConfig ".ssh/ed25519_age";
"public_keys/age" = keyConfig ".ssh/ed25519_age.pub";
"private_keys/${hostName}" = keyConfig ".ssh/ed25519_${hostName}";
"git_private_keys/${hostName}" = keyConfig ".ssh/ed25519_git";
"private_keys/age" = keyConfig "${baseDir}_age";
"public_keys/age" = keyConfig "${baseDir}_age.pub";
"private_keys/${hostName}" = keyConfig "${baseDir}_${hostName}";
"git_private_keys/${hostName}" = keyConfig "${baseDir}_git";
"syncthing_keys/${hostName}" = keyConfig ".config/syncthing/key.pem";
"syncthing_certs/${hostName}" = keyConfig ".config/syncthing/cert.pem";
};
@ -64,13 +65,13 @@ in
"libvirt"
"rslsync"
];
openssh.authorizedKeys.keys = [
(builtins.readFile ./secrets/ssh/ed25519_deacero.pub)
(builtins.readFile ./secrets/ssh/ed25519_workstation.pub)
(builtins.readFile ./secrets/ssh/ed25519_server.pub)
(builtins.readFile ./secrets/ssh/ed25519_miniserver.pub)
(builtins.readFile ./secrets/ssh/ed25519_galaxy.pub)
(builtins.readFile ./secrets/ssh/ed25519_phone.pub)
openssh.authorizedKeys.keyFiles = [
./secrets/ssh/ed25519_deacero.pub
./secrets/ssh/ed25519_workstation.pub
./secrets/ssh/ed25519_server.pub
./secrets/ssh/ed25519_miniserver.pub
./secrets/ssh/ed25519_galaxy.pub
./secrets/ssh/ed25519_phone.pub
];
};
}

5
secrets/keys.yaml
View File

@ -6,6 +6,7 @@ public_keys:
miniserver: ENC[AES256_GCM,data:0aI1r2O3u5gBl1icg+pkf1hsReZgvG3aPZhljaYUJWlNtYeairmN6Vd7nUOMu8u4NoRQdLvZC/369p/4GR9WvNUyuELiWbep1TdkxP0hu/wlrFCFJSYwJsm8x0izXmwA,iv:/qmAMMy5obLbw/VZG8zyV4svCWptYfbKi3+Sc1t8O6Q=,tag:R6ylK8O3jqhMPZaBTsrgtg==,type:str]
galaxy: ENC[AES256_GCM,data:9xjiz/tVn0UlZ9qb/Oi951WWVjmk6HTDjjYzB8kULKYhPJgVdlQioGdJtn3MjKCfqH0UnBZHXoGaK0MsShtfB0xfZkW92dy35KiQ9kQTBJn9LMMNxuk6IEqpWKQ=,iv:6lPWZ1iqerbWfU0UavvpFNtnsxOLkKHGsm3A/X5xUs0=,tag:8hVDlOIcCN590jEFuJ6eSw==,type:str]
deacero: ENC[AES256_GCM,data:S0FKo5q+grXFBoe9c6ADDA2uGZ1/OMzGU2p3i2PPdhO34PT39ePa/O6yP9Z69RvpL2Ho9GfLlBOSxZa1KtrJecEUoJZBdHWZRhKtcc0EM+CsNHnX74T9a/+uz3IIeys36FPBv5nTs9a22QL/5Q==,iv:xfkLrkje8pv0sMSnTrPrM5fmkAiliiYbGplz1KYYmec=,tag:3D4bZpYUQ/Oq25vfSklZBw==,type:str]
phone: ENC[AES256_GCM,data:PvSqRnz2qGQU5kdZZpeqb3Eg2psLYrMoV/168CKMWpc1h5TZi7TeWkCQa6ktPR556NT4Ny2m6rBzADtYZkjFIKtDLXdhTYCeL2eFWB3VbSGFHsHgvxXHbae+zg==,iv:XGO9d0QZXbP7vuNDY4/Z/YhRCPKwj3RoQBx5daQO/xI=,tag:zayb0RYQj6UOi6FKJbhhRg==,type:str]
private_keys:
age: ENC[AES256_GCM,data:YZtCasGFuxj4mVnhDtNzXgrzvdjwvHVtaBj2gDJf3dzA7dCe+n7MC5mYowHnS+oZpGFt9P0ImKw30yAYRGZgvxJqL32ACbob4oqcnwmJgswx2ZCwboz/I1PKkAb5uo1Bhc3tyhEshiA9wk99CoI7ug+TGOC5eyFw8RM145uJdxaYJjFmYdSorbjYd5JpijYi3u7p5buIVtr8VRt3tuWNUzarW18d+ZjxtCAF68W9jqICtuODdFakt3pZ9/2byKR5KG1sBKdc38DvJFkRq3wlDE0U2PwPyc/RDdlLAnYGYlZD/GsC1YSWEW/ygxO5lpkoJlxF+/02Qs+lyZVEJd7buYCMU3xkR3kGOQB2dZXa7T6F+Jrr6Ek7svTOQRaId68KhQW33piNUXN8d6YnqIRj537exrcmVCNrRwJmlJ1M8pcYN4IGj6OFICw/lwiTcN51OL4UZOOQZZ60jbgdwWj5gM9OFmxLm0PkIRt6KMQVx58jIzmXqh8SF0+mkymbQdVaoDD5JJ+ltTQgIEBaPe7sGVEK4lGH6qbgtm4F,iv:coRTCK6BSI8QFtfjTg8IAdwumSt6fuQryTxF5g+GF9k=,tag:K06p6t3Gso30DTY/Nk5EDA==,type:str]
workstation: ENC[AES256_GCM,data:QrM6MwsStFeOH9bFaAuNPtxVWB7rlXXV0PD2Em5Nswf7PIPuzYagQaqBF5nV/AteeJjwsz6KLuBceMZ3O/WlccxvyfY6i00DuRvzJBi+5gZl2rfM4OR5sHC93bzcGmyU1dQUA0nEeGFYUfd4+ZM4BFRgD5OyhpjrqaNYw5kES6WZMCYiR8NAPE2Ca8MqCX3KVQp1AAzgFq/nN0cvuWIflYVIngR4PzAqDGXjgWaPT58rmcWk/3KS2nOKRX5tQ/CgJl4FLdrjuR4VLvoupeUqv1yNeSPSljX+gEK8Sn9vONFd5k0bifLzQd+zCLWyEdJgNvSPf7bnXcuqU8RLSmjckMRAP8YVBlyqsNY++JidXuXukV23aB63dUp44yhIYEkt49/ISJb2qerj3U/Sy97VTw/1WNwY1evzHPlobrUjt3ilxWoxAdzjrqJXWultYYBEk0crmKRRvnABMzaHrZaqaSrHsSfvE4E27m+L9HNwMyq7KywlwrB0KAog52iCi17Gbnrva9aEGrn8Mne2VCvwcrKSEciV1soKpQgy,iv:2+xsS/4+vfQ0UBsHgLVCeV6GOU8giclqNpPXoi43shE=,tag:YVSiY79mHJ2LE9Ab05VE1g==,type:str]
@ -73,8 +74,8 @@ sops:
dklwODNxYVo4a2FaWDJFM0FnV1l3SlUKMnq/MAJRwR7iEri2KomPrMj0gTkMyhzH
P5E4zheU7chJTAz5jf6iecyOvKAt6q5g9Q1MU0D6dkOcv2gzWSNAAw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-22T05:25:54Z"
mac: ENC[AES256_GCM,data:TvKDzS7B0q/e3/6x+TzNsOHtemBOS5BDXtHRa2IqgIVi10w/qjT+uMoc3i58IbrAylesSawP8adlxvBjAvjtEdFmiQGThyotXc7qSV1DFpFlizlt0f8JAFvGfdDjN05cUru6GQrwLZlqWy6WBhd8iTipyhrDqVSvaD4Ph/E12uU=,iv:opwU5cJb5WuonSY1wkqKGsn6hanGMgQ10tkstipT8+U=,tag:/7Kzr/WQxf5a30b4TOVzug==,type:str]
lastmodified: "2024-10-22T07:14:18Z"
mac: ENC[AES256_GCM,data:K3oC/OqRJyTZiCuTz/elzUjSl4sxjlkk3l9ePZ8ozTQQkXsbv/8f0uKFQwVnsErIxoKnpRhrxiQbeYFvXOIUH1ve3Bv6TDcGbFwmKZb9PTFaa/BT79+WYWkFNGk+WzExfOGf2lsSThtgqNUJhCPsdXOSbe1VLPYuKteo7/u55ys=,iv:kF1Yus8eXjkcQFy+sl3M01nJq4lWmNUyPB3Mxb37wGU=,tag:VkByqvYVmZVUXTEeHYorzA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1