From 280853dc66b16777af25b708686555fc8e8320fc Mon Sep 17 00:00:00 2001 From: Ricard Illa Date: Sun, 13 Aug 2023 17:08:23 +0200 Subject: [PATCH] feat: configure ssh keys declaratively using agenix --- flake.lock | 68 +++++++++++++++++- flake.nix | 8 +++ hosts/capibara/default.nix | 24 ++++++- hosts/capibara/ssh_host_ed25519_key-cert.pub | 1 + hosts/capibara/ssh_host_ed25519_key.pub | 1 + hosts/trantor/default.nix | 14 +++- hosts/trantor/ssh_host_ed25519_key-cert.pub | 1 + hosts/trantor/ssh_host_ed25519_key.pub | 1 + modules/home-manager/common/default.nix | 2 + modules/home-manager/ssh/default.nix | 2 + .../nixos/{common.nix => common/default.nix} | 12 +++- modules/nixos/common/user_ca.pub | 1 + modules/nixos/default.nix | 4 +- .../{desktop.nix => desktop/default.nix} | 3 - overlays/default.nix | 8 --- secrets/capibara/ssh_host_ed25519_key.age | Bin 0 -> 874 bytes secrets/default.nix | 3 + secrets/secrets.nix | 8 +++ 18 files changed, 141 insertions(+), 20 deletions(-) create mode 100644 hosts/capibara/ssh_host_ed25519_key-cert.pub create mode 100644 hosts/capibara/ssh_host_ed25519_key.pub create mode 100644 hosts/trantor/ssh_host_ed25519_key-cert.pub create mode 100644 hosts/trantor/ssh_host_ed25519_key.pub rename modules/nixos/{common.nix => common/default.nix} (92%) create mode 100644 modules/nixos/common/user_ca.pub rename modules/nixos/{desktop.nix => desktop/default.nix} (98%) create mode 100644 secrets/capibara/ssh_host_ed25519_key.age create mode 100644 secrets/default.nix create mode 100644 secrets/secrets.nix diff --git a/flake.lock b/flake.lock index 8508ae9..c85fe99 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,6 +1,71 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690228878, + "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", + "owner": "ryantm", + "repo": "agenix", + "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682203081, + "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -84,7 +149,8 @@ }, "root": { "inputs": { - "home-manager": "home-manager", + "agenix": "agenix", + "home-manager": "home-manager_2", "impermanence": "impermanence", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", diff --git a/flake.nix b/flake.nix index 0a8feab..e9506d0 100644 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,10 @@ }; impermanence.url = "github:nix-community/impermanence"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = 
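Review bot: The new `agenix` input only follows `nixpkgs`, and the lock hunk above shows the consequence: agenix drags in its own `nix-darwin` and a second pinned `home-manager` (`home-manager_2`), which is one more copy of home-manager to track and audit for no benefit on these Linux hosts. Add `inputs.home-manager.follows = "home-manager";` and `inputs.darwin.follows = "";` beside the existing `inputs.nixpkgs.follows` line so the flake keeps a single home-manager pin and no nix-darwin dependency. The `outputs =` function this feeds continues outside the hunk.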
@@ -18,6 +22,7 @@ , nixos-hardware , home-manager , impermanence + , agenix , ... }@inputs: let @@ -27,6 +32,7 @@ overlays = import ./overlays { inherit inputs; }; nixosModules = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; + secrets = import ./secrets; stablePkgs = nixpkgs-stable.legacyPackages."x86_64-linux"; nixosConfigurations = { @@ -35,6 +41,7 @@ ./hosts/trantor home-manager.nixosModules.home-manager impermanence.nixosModules.impermanence + agenix.nixosModules.default ]; }; @@ -45,6 +52,7 @@ nixos-hardware.nixosModules.lenovo-thinkpad-x230 home-manager.nixosModules.home-manager impermanence.nixosModules.impermanence + agenix.nixosModules.default ]; }; }; diff --git a/hosts/capibara/default.nix b/hosts/capibara/default.nix index dc325e2..a645aa9 100644 --- a/hosts/capibara/default.nix +++ b/hosts/capibara/default.nix @@ -1,3 +1,5 @@ +# capibara + { inputs, outputs, config, pkgs, ... }: { @@ -14,8 +16,6 @@ networking.networkmanager.wifi.macAddress = "CC:AF:78:75:29:32"; programs.steam.enable = true; - - services.earlyoom.enable = true; # Power management @@ -26,6 +26,26 @@ services.power-profiles-daemon.enable = false; environment.systemPackages = with pkgs; [ powertop acpi ]; + environment.etc = { + ssh-pub-key = { + target = "ssh/ssh_host_ed25519_key.pub"; + source = ./ssh_host_ed25519_key.pub; + }; + ssh-pub-key-cert = { + target = "ssh/ssh_host_ed25519_key-cert.pub"; + source = ./ssh_host_ed25519_key-cert.pub; + }; + }; + + age.secrets.ssh-key = { + file = outputs.secrets.capibara.ssh_host_ed25519_key; + mode = "400"; + owner = "root"; + group = "root"; + symlink = false; + path = "/mnt/persist/etc/ssh/ssh_host_ed25519_key"; + }; + # todo: target and/or archive services.btrbk.instances = { btrbk = { diff --git a/hosts/capibara/ssh_host_ed25519_key-cert.pub b/hosts/capibara/ssh_host_ed25519_key-cert.pub new file mode 100644 index 0000000..714cd39 --- /dev/null +++ b/hosts/capibara/ssh_host_ed25519_key-cert.pub 
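Review bot: Dropping `services.earlyoom.enable = true;` from capibara is unrelated to the ssh-key change the subject describes and the commit message does not mention it, so it is easy to miss in review and hard to find later with `git log`. Either move it to its own commit or add a sentence to the description saying why earlyoom is being disabled on this host.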
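Review bot: `age.secrets.ssh-key` cannot bootstrap capibara: agenix decrypts at activation with `age.identityPaths`, which this diff never sets and which defaults to the sshd host keys under `/etc/ssh`, yet the secret is that very host key, so a freshly installed host has no identity to open it with and the two YubiKey recipients in `secrets/secrets.nix` only help off-host. Record the procedure in a comment above the block, along the lines of `# bootstrap: on a fresh install decrypt this once with a YubiKey identity (agenix -d ... -i ...) and place it at the path below before the first rebuild; afterwards the key decrypts itself`. With `symlink = false` the decrypted key is also written straight into the impermanence-backed `/mnt/persist/etc/ssh/ssh_host_ed25519_key` on every activation instead of under `/run/agenix`; I assume `/etc/ssh/ssh_host_ed25519_key` is bind-mounted from there (it stays in the desktop module's `files` list), so confirm the agenix activation step runs after that mount and that sshd is not left holding a stale key. The `services.btrbk.instances` block at the end of the hunk continues outside it.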
@@ -0,0 +1 @@ +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIN1uoV7+UFX6EIdPzs9CdvxVxWYjT1jmLfT4OmJndjHQAAAAIAEfm3I/CAHARsvbiqemh6UYPFocE7D3NnwSqcbIc48qAAAAAAAAAAAAAAACAAAACGNhcGliYXJhAAAADAAAAAhjYXBpYmFyYQAAAABjE3hcAAAAAGTzWssAAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIHperHwojXZeo3QWAu1f3kiCKeaHHSqBXJM6ZZEefxddAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDSalFb6LEVRYSH34+67zhOj9frcSEIwVxG8chQig+SVROJ2UV2bjhiLoXN/9bhjtYTvlm/P2QkEbS2oQHYj3oC root@narwhal diff --git a/hosts/capibara/ssh_host_ed25519_key.pub b/hosts/capibara/ssh_host_ed25519_key.pub new file mode 100644 index 0000000..8200ad8 --- /dev/null +++ b/hosts/capibara/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEfm3I/CAHARsvbiqemh6UYPFocE7D3NnwSqcbIc48q root@narwhal diff --git a/hosts/trantor/default.nix b/hosts/trantor/default.nix index 3fdc87b..88fa859 100644 --- a/hosts/trantor/default.nix +++ b/hosts/trantor/default.nix @@ -11,10 +11,19 @@ outputs.nixosModules.desktop ]; - networking.networkmanager.wifi.macAddress = "80:FA:5B:41:12:0F"; - programs.steam.enable = true; + environment.etc = { + ssh-pub-key = { + target = "ssh/ssh_host_ed25519_key.pub"; + source = ./ssh_host_ed25519_key.pub; + }; + ssh-pub-key-cert = { + target = "ssh/ssh_host_ed25519_key-cert.pub"; + source = ./ssh_host_ed25519_key-cert.pub; + }; + }; + # todo: target and/or archive services.btrbk = { sshAccess = [{ @@ -45,6 +54,7 @@ enp3s0f1.useDHCP = true; wlp4s0.useDHCP = true; }; + networkmanager.wifi.macAddress = "80:FA:5B:41:12:0F"; }; services.xserver = { videoDrivers = [ "nvidia" ]; }; diff --git a/hosts/trantor/ssh_host_ed25519_key-cert.pub b/hosts/trantor/ssh_host_ed25519_key-cert.pub new file mode 100644 index 0000000..2a47ca0 --- /dev/null +++ b/hosts/trantor/ssh_host_ed25519_key-cert.pub 
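Review bot: Decoding this certificate's validity fields gives valid_after 0x6313785c (2022-09-04) and valid_before 0x64f35acb (2023-09-02 UTC), so a host certificate committed on 2023-08-13 expires in under three weeks; once it does, clients that trust it through the `certAuthority` known-hosts entry get a "certificate expired" error and fall back to an unknown-host prompt, and the trantor certificate later in this patch carries the same window. The principals field holds only `capibara`, so if the host is also reached as `capibara.monotremata.xyz` (a name the `knownHosts` pattern in `modules/nixos/common` accepts) the certificate is rejected for principal mismatch. Re-sign with `-n capibara,capibara.monotremata.xyz` and a longer `-V` before merging, and since a `.pub` line has no room for a comment, note the expiry date and the re-signing command in a README next to these files.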
@@ -0,0 +1 @@ +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAINaIBi2J/1pJ2bchrc74aBONRywW+aUnEwR9P/gwqo2lAAAAIG1qvkkxHQlAIjQIYoTokx+UgsRQd48kf2iuvbWJZHE2AAAAAAAAAAAAAAACAAAAB3RyYW50b3IAAAALAAAAB3RyYW50b3IAAAAAYxN4XAAAAABk81rLAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACB6Xqx8KI12XqN0FgLtX95Iginmhx0qgVyTOmWRHn8XXQAAAFMAAAALc3NoLWVkMjU1MTkAAABA/pGJOglx8wKauMh+naAQyHnV99z4YY9jXHKgYcVuORQzTPpLWOHMyiKbrz1Y9z3n4PrS6PIs9FKf8NRQU87ODQ== root@narwhal diff --git a/hosts/trantor/ssh_host_ed25519_key.pub b/hosts/trantor/ssh_host_ed25519_key.pub new file mode 100644 index 0000000..df07614 --- /dev/null +++ b/hosts/trantor/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1qvkkxHQlAIjQIYoTokx+UgsRQd48kf2iuvbWJZHE2 root@narwhal diff --git a/modules/home-manager/common/default.nix b/modules/home-manager/common/default.nix index ad71828..67de866 100644 --- a/modules/home-manager/common/default.nix +++ b/modules/home-manager/common/default.nix @@ -57,6 +57,8 @@ signify unzip wget + inputs.agenix.packages.x86_64-linux.default + age-plugin-yubikey ]; programs.bat = { diff --git a/modules/home-manager/ssh/default.nix b/modules/home-manager/ssh/default.nix index 5dc0602..e21057b 100644 --- a/modules/home-manager/ssh/default.nix +++ b/modules/home-manager/ssh/default.nix @@ -9,6 +9,8 @@ let port = 22; }; in { + home.file.".ssh/id_rsa.pub".source = ./id_rsa_gpg.pub; + home.file.".ssh/id_rsa_-cert.pub".source = ./id_rsa_gpg-cert.pub; home.file.".ssh/id_rsa_gpg.pub".source = ./id_rsa_gpg.pub; home.file.".ssh/id_rsa_gpg-cert.pub".source = ./id_rsa_gpg-cert.pub; programs.ssh = { diff --git a/modules/nixos/common.nix b/modules/nixos/common/default.nix similarity index 92% rename from modules/nixos/common.nix rename to modules/nixos/common/default.nix index 420d463..2b26512 100644 --- a/modules/nixos/common.nix +++ b/modules/nixos/common/default.nix @@ -1,3 +1,5 @@ +# common + { inputs, outputs, lib, config, pkgs, ... }: { 
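Review bot: `inputs.agenix.packages.x86_64-linux.default` hard-codes the system inside a shared home-manager module, so this package list silently breaks on any other platform while every neighbouring entry is resolved through `pkgs`. Assuming `pkgs` is the module argument that the surrounding `with pkgs;` uses, write it as `inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default` instead. The package list this hunk extends starts outside the hunk.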
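Review bot: `.ssh/id_rsa_-cert.pub` is not a name OpenSSH will ever load: for identity `id_rsa` it looks for the certificate at `id_rsa-cert.pub`, so with the stray underscore the `id_rsa.pub` alias added on the line above authenticates with the bare key and the CA-signed certificate is never offered. Change the second new line to `home.file.".ssh/id_rsa-cert.pub".source = ./id_rsa_gpg-cert.pub;`. If `programs.ssh` (its attrset continues outside the hunk) still names `id_rsa_gpg.pub` as the IdentityFile, the alias pair may be redundant and could be dropped instead, keeping one public key per name in `~/.ssh`.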
@@ -17,7 +19,6 @@ overlays = [ outputs.overlays.additions outputs.overlays.modifications - # outputs.overlays.stable-packages ]; config.allowUnfree = true; }; @@ -45,6 +46,13 @@ environment.systemPackages = with pkgs; [ git vim wget just ripgrep deploy-rs ]; + environment.etc = { + user-ca-pub = { + target = "/etc/ssh/user_ca.pub"; + source = ./user_ca.pub; + }; + }; + services.openssh = { enable = true; settings = { @@ -58,7 +66,7 @@ }]; knownHosts = { - "*.monotremata.xyz,10.*,narwhal,suricata,pikvm,caladan,fugu,lb,snitch,trantor,capibara,axolotl" = + "*.monotremata.xyz,10.*,narwhal,suricata,pikvm,caladan,fugu,lb,cuina,trantor,capibara,axolotl" = { certAuthority = true; publicKey = diff --git a/modules/nixos/common/user_ca.pub b/modules/nixos/common/user_ca.pub new file mode 100644 index 0000000..c386d28 --- /dev/null +++ b/modules/nixos/common/user_ca.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHWoElrMDzjVdjcTKjBRqM/uiBtgTHaBwbBMMFyHeT+Q user_ca diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 5401411..3257e50 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -1,4 +1,4 @@ { - desktop = ./desktop.nix; - common = ./common.nix; + desktop = ./desktop; + common = ./common; } diff --git a/modules/nixos/desktop.nix b/modules/nixos/desktop/default.nix similarity index 98% rename from modules/nixos/desktop.nix rename to modules/nixos/desktop/default.nix index 2bb746c..95e1528 100644 --- a/modules/nixos/desktop.nix +++ b/modules/nixos/desktop/default.nix @@ -252,9 +252,6 @@ files = [ "/etc/machine-id" "/etc/ssh/ssh_host_ed25519_key" - "/etc/ssh/ssh_host_ed25519_key.pub" - "/etc/ssh/ssh_host_ed25519_key-cert.pub" - "/etc/ssh/user_ca.pub" "/home/rilla/.lmmsrc.xml" "/home/rilla/.mailsynclastrun" diff --git a/overlays/default.nix b/overlays/default.nix index cd46513..9985286 100644 --- a/overlays/default.nix +++ b/overlays/default.nix 
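Review bot: `target = "/etc/ssh/user_ca.pub"` is, as far as I can tell, interpreted by `environment.etc.<name>.target` as a path relative to `/etc`, so this entry lands at `/etc/etc/ssh/user_ca.pub`, unlike the host entries elsewhere in this patch which correctly use `ssh/...`. Because the same commit also removes `/etc/ssh/user_ca.pub` from the impermanence `files` list, a `TrustedUserCAKeys /etc/ssh/user_ca.pub` in `services.openssh.settings` (that attrset continues outside the hunk, so I am inferring it from the filename) would point at nothing after the next rebuild and certificate-based user logins would stop. Use `target = "ssh/user_ca.pub";`.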
@@ -55,12 +55,4 @@ }); }; - - # stable-packages = final: prev: { - # stable = import inputs.nixpkgs-stable { - # system = final.system; - # config.allowUnfree = true; - # }; - # }; - } diff --git a/secrets/capibara/ssh_host_ed25519_key.age b/secrets/capibara/ssh_host_ed25519_key.age new file mode 100644 index 0000000000000000000000000000000000000000..70fac9eacd3274704c8a5260a5e6df8d8af29535 GIT binary patch literal 874 zcmV-w1C{(?XJsvAZewzJaCB*JZZ2m)tGDKlbHZ^2-N_u2WaCvDocvCAxZC6=zOlwbNH&}9JZEFg2D=TSvRZCGg zP)jj#PDM#rLu*n{GFo#_PcTYmWNb!eMPWoVFKAG1XJ-m6J|J*ub}eu+H8vn*NN7|w zcOXG-Q+Y#nb5mG&ZZA++RA)(ScVjSCZb2(fOK~eULswdKD_C$;GBPn)bwLU_WJ)(q zNiSz;ZbCV2Mma`IYiM&*cw#VTczIZ6b8}K*b9!uQFG@yeL~jZ$J|J*ub}eu+H8vno zZclh=XCOgqK|*hESW!rNGB05(HFq<2D?xWmMS4khZE|Qya&Ad4Z+1>pSVu-pWpD~K zZclo5NLF}RSVnL)VM|J6N^weRRzX2#GgNXgMsH?QZEI*UHEnE6ZD$HCJ|KKuBQ0lg zWnpt=ASEU)G$wv?AU8-LDqdqx3NvU@cSm+BGjDfJVKPZ~R|+jHEg(!cRXJ`qax_$T zVs>;+S8;4FFi=!kMocqkb5V9}GcZ<4cx+Haab-$*RSIg87WAh&09^W++Q_UuLgV(V zmNXnSpH9UO64urFfDSdcxmZ%jFnYwZ#g$rd^ZQZGtZiwBX-;!F_r?!Tu|Z3X@NKCM zI6psZKWZXWMrLVd&(xYK!ZeTdUG0^oiTGCEb;H{pO|z)fHd|)9zOTvp9;7h-Kf^j{ z+(FT^ewP%=j6QzI*i*$3X5lZn{jkL{jPyDLh6;lCL`vf1r-BN)E|CBS*G!3JNFvgl z`)WQyvG5()p5VTHfe+@T@=&I)UzAT3yE16J?)p%K+agQ2<;k#VG3>Rakv2x5*Sjzc zJKe4Hw*C(sWnqZiQ%O>p&ct+tU8zHfolQAM>ESYeL*=#ag&m6jt*5LD>HJs^=T5B* zT%WI$c*gR+KnqH$%eY`#b12Q41RCZ&X1%8SoUVVL!>Go01|YmCwZJGG;paovjyb9E zAS1gbDMuXW;D0CTV0G%h)%;9up-2&q(I${@!A26^lnFdwYO$n AQ2+n{ literal 0 HcmV?d00001 diff --git a/secrets/default.nix b/secrets/default.nix new file mode 100644 index 0000000..2093508 --- /dev/null +++ b/secrets/default.nix @@ -0,0 +1,3 @@ +{ + capibara.ssh_host_ed25519_key = ./capibara/ssh_host_ed25519_key.age; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..8db351b --- /dev/null +++ b/secrets/secrets.nix 
@@ -0,0 +1,8 @@
+let
+ yk_nano = "age1yubikey1qt8fc7u5lxhcqcxh6600fu2mmytaqrw3qeyak4z35dyucjdstk52ze9v47j";
+ yk_nfc = "age1yubikey1qg28ggmlelfvl7wuyve2mdxvj55q8j9879gakpesczra83l33vugcdr96g6";
+ capibara = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEfm3I/CAHARsvbiqemh6UYPFocE7D3NnwSqcbIc48q";
+in
+{
+ "capibara/ssh_host_ed25519_key.age".publicKeys = [ yk_nano yk_nfc capibara ];
+}
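Review bot: The `capibara` recipient is a hand-copied duplicate of `hosts/capibara/ssh_host_ed25519_key.pub`; if the host key is rotated and only one of the two is updated, the host quietly loses the ability to decrypt its own secret. Derive it from the committed file instead, e.g. `capibara = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ../hosts/capibara/ssh_host_ed25519_key.pub);` (age's ssh-recipient parser should accept the trailing `root@narwhal` comment, but verify with an `agenix -r` run). A one-line comment saying that the YubiKey recipients exist so the key can be decrypted off-host for bootstrap would also help, since nothing here explains why a host secret has three recipients.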