feat: configure ssh keys declaratively using agenix
parent
6ab585ff13
commit
280853dc66
68
flake.lock
68
flake.lock
|
@ -1,6 +1,71 @@
|
|||
{
|
||||
"nodes": {
|
||||
"agenix": {
|
||||
"inputs": {
|
||||
"darwin": "darwin",
|
||||
"home-manager": "home-manager",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1690228878,
|
||||
"narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "d8c973fd228949736dedf61b7f8cc1ece3236792",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"darwin": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"agenix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1673295039,
|
||||
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "lnl7",
|
||||
"ref": "master",
|
||||
"repo": "nix-darwin",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"home-manager": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"agenix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1682203081,
|
||||
"narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"home-manager_2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
|
@ -84,7 +149,8 @@
|
|||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"home-manager": "home-manager",
|
||||
"agenix": "agenix",
|
||||
"home-manager": "home-manager_2",
|
||||
"impermanence": "impermanence",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs",
|
||||
|
|
|
@ -9,6 +9,10 @@
|
|||
};
|
||||
impermanence.url = "github:nix-community/impermanence";
|
||||
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
|
||||
agenix = {
|
||||
url = "github:ryantm/agenix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs =
|
||||
|
@ -18,6 +22,7 @@
|
|||
, nixos-hardware
|
||||
, home-manager
|
||||
, impermanence
|
||||
, agenix
|
||||
, ...
|
||||
}@inputs:
|
||||
let
|
||||
|
@ -27,6 +32,7 @@
|
|||
overlays = import ./overlays { inherit inputs; };
|
||||
nixosModules = import ./modules/nixos;
|
||||
homeManagerModules = import ./modules/home-manager;
|
||||
secrets = import ./secrets;
|
||||
stablePkgs = nixpkgs-stable.legacyPackages."x86_64-linux";
|
||||
|
||||
nixosConfigurations = {
|
||||
|
@ -35,6 +41,7 @@
|
|||
./hosts/trantor
|
||||
home-manager.nixosModules.home-manager
|
||||
impermanence.nixosModules.impermanence
|
||||
agenix.nixosModules.default
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -45,6 +52,7 @@
|
|||
nixos-hardware.nixosModules.lenovo-thinkpad-x230
|
||||
home-manager.nixosModules.home-manager
|
||||
impermanence.nixosModules.impermanence
|
||||
agenix.nixosModules.default
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
# capibara
|
||||
|
||||
{ inputs, outputs, config, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
@ -14,8 +16,6 @@
|
|||
networking.networkmanager.wifi.macAddress = "CC:AF:78:75:29:32";
|
||||
|
||||
programs.steam.enable = true;
|
||||
|
||||
|
||||
services.earlyoom.enable = true;
|
||||
|
||||
# Power management
|
||||
|
@ -26,6 +26,26 @@
|
|||
services.power-profiles-daemon.enable = false;
|
||||
environment.systemPackages = with pkgs; [ powertop acpi ];
|
||||
|
||||
environment.etc = {
|
||||
ssh-pub-key = {
|
||||
target = "ssh/ssh_host_ed25519_key.pub";
|
||||
source = ./ssh_host_ed25519_key.pub;
|
||||
};
|
||||
ssh-pub-key-cert = {
|
||||
target = "ssh/ssh_host_ed25519_key-cert.pub";
|
||||
source = ./ssh_host_ed25519_key-cert.pub;
|
||||
};
|
||||
};
|
||||
|
||||
age.secrets.ssh-key = {
|
||||
file = outputs.secrets.capibara.ssh_host_ed25519_key;
|
||||
mode = "400";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
symlink = false;
|
||||
path = "/mnt/persist/etc/ssh/ssh_host_ed25519_key";
|
||||
};
|
||||
|
||||
# todo: target and/or archive
|
||||
services.btrbk.instances = {
|
||||
btrbk = {
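Review bot: The decrypted host key is written to `/mnt/persist/etc/ssh/ssh_host_ed25519_key` with `symlink = false`, while the persistence hunk later in this commit removes `"/etc/ssh/ssh_host_ed25519_key"` from the bind-mounted `files` list, and nothing in this hunk points `services.openssh.hostKeys` or agenix's `age.identityPaths` at the new location. Unless that is configured elsewhere in the host, sshd will generate a fresh key under /etc/ssh on the next boot that does not match the committed `ssh_host_ed25519_key-cert.pub`, and agenix will not find its decryption identity either. Consider adding `services.openssh.hostKeys = [{ path = "/mnt/persist/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }];` next to the secret, and a comment on `age.secrets.ssh-key` recording the bootstrap: the key is encrypted to itself, so a fresh install needs the key placed (or a YubiKey identity present) before the first activation can decrypt it. The enclosing module continues outside the hunk.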
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIN1uoV7+UFX6EIdPzs9CdvxVxWYjT1jmLfT4OmJndjHQAAAAIAEfm3I/CAHARsvbiqemh6UYPFocE7D3NnwSqcbIc48qAAAAAAAAAAAAAAACAAAACGNhcGliYXJhAAAADAAAAAhjYXBpYmFyYQAAAABjE3hcAAAAAGTzWssAAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIHperHwojXZeo3QWAu1f3kiCKeaHHSqBXJM6ZZEefxddAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDSalFb6LEVRYSH34+67zhOj9frcSEIwVxG8chQig+SVROJ2UV2bjhiLoXN/9bhjtYTvlm/P2QkEbS2oQHYj3oC root@narwhal
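Review bot: Decoding the validity window embedded in this certificate by hand (the `YQAAAABjE3hcAAAAAGTzWss` run) gives valid_after 0x6313785c and valid_before 0x64f35acb, roughly 2022-09-04 to 2023-09-02 UTC; the trantor certificate added below carries the same window. If this commit is dated near the locked agenix input (lastModified 1690228878, late July 2023), host-cert validation for both machines breaks a few weeks later, and nothing in the repo records that. Please verify with `ssh-keygen -L -f` and, since this file format cannot carry a comment, note the expiry and the re-issue procedure in the host's default.nix next to `ssh-pub-key-cert`, e.g. `# host cert valid until 2023-09-02 — re-issue from the host CA before then`.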
|
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEfm3I/CAHARsvbiqemh6UYPFocE7D3NnwSqcbIc48q root@narwhal
|
|
@ -11,10 +11,19 @@
|
|||
outputs.nixosModules.desktop
|
||||
];
|
||||
|
||||
networking.networkmanager.wifi.macAddress = "80:FA:5B:41:12:0F";
|
||||
|
||||
programs.steam.enable = true;
|
||||
|
||||
environment.etc = {
|
||||
ssh-pub-key = {
|
||||
target = "ssh/ssh_host_ed25519_key.pub";
|
||||
source = ./ssh_host_ed25519_key.pub;
|
||||
};
|
||||
ssh-pub-key-cert = {
|
||||
target = "ssh/ssh_host_ed25519_key-cert.pub";
|
||||
source = ./ssh_host_ed25519_key-cert.pub;
|
||||
};
|
||||
};
|
||||
|
||||
# todo: target and/or archive
|
||||
services.btrbk = {
|
||||
sshAccess = [{
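Review bot: trantor ships a host public key and certificate here but, unlike capibara, gets no `age.secrets.ssh-key` block, and `secrets/secrets.nix` in this commit only lists `capibara/ssh_host_ed25519_key.age`; at the same time the persistence hunk drops `"/etc/ssh/ssh_host_ed25519_key"` from the shared `files` list. If nothing else provisions trantor's private key, sshd regenerates one on the next boot and the committed `ssh_host_ed25519_key-cert.pub` no longer matches it, so the `certAuthority` known-host entry that names trantor stops validating. Either keep the persistence entry until trantor's secret exists, or add the matching `age.secrets.ssh-key` block and `secrets.nix` entry in this commit. The enclosing module continues outside the hunk.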
|
||||
|
@ -45,6 +54,7 @@
|
|||
enp3s0f1.useDHCP = true;
|
||||
wlp4s0.useDHCP = true;
|
||||
};
|
||||
networkmanager.wifi.macAddress = "80:FA:5B:41:12:0F";
|
||||
};
|
||||
|
||||
services.xserver = { videoDrivers = [ "nvidia" ]; };
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAINaIBi2J/1pJ2bchrc74aBONRywW+aUnEwR9P/gwqo2lAAAAIG1qvkkxHQlAIjQIYoTokx+UgsRQd48kf2iuvbWJZHE2AAAAAAAAAAAAAAACAAAAB3RyYW50b3IAAAALAAAAB3RyYW50b3IAAAAAYxN4XAAAAABk81rLAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACB6Xqx8KI12XqN0FgLtX95Iginmhx0qgVyTOmWRHn8XXQAAAFMAAAALc3NoLWVkMjU1MTkAAABA/pGJOglx8wKauMh+naAQyHnV99z4YY9jXHKgYcVuORQzTPpLWOHMyiKbrz1Y9z3n4PrS6PIs9FKf8NRQU87ODQ== root@narwhal
|
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1qvkkxHQlAIjQIYoTokx+UgsRQd48kf2iuvbWJZHE2 root@narwhal
|
|
@ -57,6 +57,8 @@
|
|||
signify
|
||||
unzip
|
||||
wget
|
||||
inputs.agenix.packages.x86_64-linux.default
|
||||
age-plugin-yubikey
|
||||
];
|
||||
|
||||
programs.bat = {
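Review bot: `inputs.agenix.packages.x86_64-linux.default` hard-codes the system in a list whose other entries come from `pkgs`, so this home-manager module installs the wrong binary (or fails to evaluate) on any other platform. `inputs.agenix.packages.${pkgs.system}.default` keeps it in step with the rest of the list. The enclosing package list starts outside the hunk.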
|
||||
|
|
|
@ -9,6 +9,8 @@ let
|
|||
port = 22;
|
||||
};
|
||||
in {
|
||||
home.file.".ssh/id_rsa.pub".source = ./id_rsa_gpg.pub;
|
||||
home.file.".ssh/id_rsa_-cert.pub".source = ./id_rsa_gpg-cert.pub;
|
||||
home.file.".ssh/id_rsa_gpg.pub".source = ./id_rsa_gpg.pub;
|
||||
home.file.".ssh/id_rsa_gpg-cert.pub".source = ./id_rsa_gpg-cert.pub;
|
||||
programs.ssh = {
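Review bot: The target name `.ssh/id_rsa_-cert.pub` looks like a typo. OpenSSH derives the certificate name by appending `-cert.pub` to the identity file name, so the certificate belonging to `id_rsa` is expected at `.ssh/id_rsa-cert.pub` (or named explicitly via `CertificateFile`); with the stray underscore the certificate is never offered and authentication silently falls back to the bare key. Change the line to `home.file.".ssh/id_rsa-cert.pub".source = ./id_rsa_gpg-cert.pub;`, and add a comment saying why the same two files are exposed under both the `id_rsa*` and `id_rsa_gpg*` names. The `programs.ssh` block continues outside the hunk.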
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
# common
|
||||
|
||||
{ inputs, outputs, lib, config, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
@ -17,7 +19,6 @@
|
|||
overlays = [
|
||||
outputs.overlays.additions
|
||||
outputs.overlays.modifications
|
||||
# outputs.overlays.stable-packages
|
||||
];
|
||||
config.allowUnfree = true;
|
||||
};
|
||||
|
@ -45,6 +46,13 @@
|
|||
|
||||
environment.systemPackages = with pkgs; [ git vim wget just ripgrep deploy-rs ];
|
||||
|
||||
environment.etc = {
|
||||
user-ca-pub = {
|
||||
target = "/etc/ssh/user_ca.pub";
|
||||
source = ./user_ca.pub;
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
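Review bot: `target = "/etc/ssh/user_ca.pub"` is an absolute path, but `environment.etc.<name>.target` is relative to /etc, and the host hunks in this same commit use `target = "ssh/..."`; as written the link would end up at `/etc/etc/ssh/user_ca.pub`, so a `TrustedUserCAKeys` setting pointing at `/etc/ssh/user_ca.pub` (not visible in this hunk) would find no CA and certificate logins would fail. Change it to `target = "ssh/user_ca.pub";`. A one-line comment that the CA file now comes from the store, which is why `/etc/ssh/user_ca.pub` is dropped from the persistence list, would help the next reader. The `services.openssh` block continues outside the hunk.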
|
||||
|
@ -58,7 +66,7 @@
|
|||
}];
|
||||
|
||||
knownHosts = {
|
||||
"*.monotremata.xyz,10.*,narwhal,suricata,pikvm,caladan,fugu,lb,snitch,trantor,capibara,axolotl" =
|
||||
"*.monotremata.xyz,10.*,narwhal,suricata,pikvm,caladan,fugu,lb,cuina,trantor,capibara,axolotl" =
|
||||
{
|
||||
certAuthority = true;
|
||||
publicKey =
|
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHWoElrMDzjVdjcTKjBRqM/uiBtgTHaBwbBMMFyHeT+Q user_ca
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
desktop = ./desktop.nix;
|
||||
common = ./common.nix;
|
||||
desktop = ./desktop;
|
||||
common = ./common;
|
||||
}
|
||||
|
|
|
@ -252,9 +252,6 @@
|
|||
files = [
|
||||
"/etc/machine-id"
|
||||
"/etc/ssh/ssh_host_ed25519_key"
|
||||
"/etc/ssh/ssh_host_ed25519_key.pub"
|
||||
"/etc/ssh/ssh_host_ed25519_key-cert.pub"
|
||||
"/etc/ssh/user_ca.pub"
|
||||
|
||||
"/home/rilla/.lmmsrc.xml"
|
||||
"/home/rilla/.mailsynclastrun"
|
|
@ -55,12 +55,4 @@
|
|||
});
|
||||
|
||||
};
|
||||
|
||||
# stable-packages = final: prev: {
|
||||
# stable = import inputs.nixpkgs-stable {
|
||||
# system = final.system;
|
||||
# config.allowUnfree = true;
|
||||
# };
|
||||
# };
|
||||
|
||||
}
|
||||
|
|
Binary file not shown.
|
@ -0,0 +1,3 @@
|
|||
{
|
||||
capibara.ssh_host_ed25519_key = ./capibara/ssh_host_ed25519_key.age;
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
let
|
||||
yk_nano = "age1yubikey1qt8fc7u5lxhcqcxh6600fu2mmytaqrw3qeyak4z35dyucjdstk52ze9v47j";
|
||||
yk_nfc = "age1yubikey1qg28ggmlelfvl7wuyve2mdxvj55q8j9879gakpesczra83l33vugcdr96g6";
|
||||
capibara = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEfm3I/CAHARsvbiqemh6UYPFocE7D3NnwSqcbIc48q";
|
||||
in
|
||||
{
|
||||
"capibara/ssh_host_ed25519_key.age".publicKeys = [ yk_nano yk_nfc capibara ];
|
||||
}
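Review bot: The recipient list deserves a comment explaining why the host's own public key is included next to the two YubiKey identities: the host needs it to decrypt the secret at activation, the YubiKeys are what an operator uses to edit the file, and removing or rotating any of them requires re-encrypting with `agenix -r`. Something like `# yk_* = operator identities for editing/rekeying; capibara = the host's own key so it can decrypt at activation` above `in` would do. Note also that the `capibara` string duplicates `hosts/capibara/ssh_host_ed25519_key.pub`, so a host-key rotation must update both places.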
|