From 747d0a54b6a7add6b2f0577f01e53202acfd7583 Mon Sep 17 00:00:00 2001
From: Nydragon
Date: Mon, 9 Sep 2024 11:22:24 +0200
Subject: [PATCH] chore(agenix): rekey

---
 hosts/raptus/configuration.nix | 20 ++++----------------
 secrets/couchdb.age | Bin 576 -> 518 bytes
 secrets/rustypaste.age | 18 ++++++++----------
 secrets/secrets.nix | 5 ++---
 4 files changed, 14 insertions(+), 29 deletions(-)

diff --git a/hosts/raptus/configuration.nix b/hosts/raptus/configuration.nix
index 924a717..d2048c5 100644
--- a/hosts/raptus/configuration.nix
+++ b/hosts/raptus/configuration.nix
@@ -40,6 +40,7 @@ in
 networking.firewall = lib.mkForce {
 enable = true;
 allowedTCPPorts = [
+ 80 # for acme challenges
 443
 5984 # couchdb
 3000 # forgejo
@@ -47,22 +48,7 @@ in
 ] ++ config.services.openssh.ports ++ [ config.services.endlessh.port ];
 };
 
- # User account to run remote builds
- users.users.remote-build = {
- isSystemUser = true;
- hashedPassword = ""; # Only allow login via ssh
- openssh.authorizedKeys.keys = sshAccess;
- shell = pkgs.bash;
- group = "remote-build";
- extraGroups = [ "wheel" ];
- };
-
- security.sudo.wheelNeedsPassword = false;
-
- users.groups.remote-build = { };
-
- # Ensure the user can build derivations
- nix.settings.trusted-users = [ "remote-build" ];
+ age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
 security.acme.defaults.email = "admin@ccnlc.eu";
 security.acme.acceptTerms = true;
@@ -97,6 +83,8 @@ in
 services.openssh = {
 enable = true;
 ports = [ 56528 ];
+ # Having automatic generation enabled breaks agenix
+ #hostKeys = [ ];
 };
 
 services.endlessh = {
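Review bot: The new `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` in the second hunk ties every secret in this repository to the lifetime of one host key, and neither the hunk nor the commit message records that consequence: if the key is regenerated (reinstall, disk loss), the rekeyed `.age` files cannot be decrypted until `raptus` in `secrets/secrets.nix` is updated with the new public key and the secrets are rekeyed again. A comment next to the line, e.g. `# agenix decrypts with the host ssh key; rotating that key means updating raptus in secrets/secrets.nix and rekeying all secrets`, would make the dependency visible where it is configured. The same hunk also removes the `remote-build` user, `security.sudo.wheelNeedsPassword = false;` and the `nix.settings.trusted-users` entry, which is a welcome reduction of standing privilege on the host but is unrelated to the "chore(agenix): rekey" subject and deserves its own commit or at least a sentence in the description. The enclosing module body starts and ends outside the hunk.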
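Review bot: The `#hostKeys = [ ];` added inside `services.openssh` in the third hunk is commented out, so it changes nothing, while the comment above it reads as though automatic host-key generation had been turned off; a later reader cannot tell whether the default is intended or a leftover TODO. Either drop the dead line or reword the comment to state the actual observed dependency, e.g. `# keep the default hostKeys: agenix reads /etc/ssh/ssh_host_ed25519_key (age.identityPaths), so that key must exist at activation and must not be regenerated without rekeying`. Whether an empty `hostKeys` would break agenix or sshd itself cannot be decided from the hunk, so the comment should record what was actually seen rather than a summary. The `services.openssh` block is closed within the hunk; the surrounding module continues outside it.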
diff --git a/secrets/couchdb.age b/secrets/couchdb.age index 265d067cec553d619178f7e5bca7dad38e6b72aa..b270f1c2410456d6659572c8ffbca98e4319c3ab 100644 GIT binary patch delta 471 zcmV;|0Vw{!1cn5VC4XWwNNi9+AXaTgWMOz(OL;SFK`(k$FF8?9PF6xePGU-JV^>aU zL{Cm@PDNHnbZkU(3RO*0bZ{_pK~i-^bZ%2`WOhPJFKIPyZ*o|1azsI4b3;`|c3Dkh zN?|im3N1b$b8~1dWn?lnH8D9LZgpirW?vQB?{zRbn+Sa7Ji)P);jjQ&eF{c}i|*Pg!eAb4+?tMoMc&R%CN#PG>POH){$l zEiE80cuQnWZE`_IXIX49OmkXUHDp#tR!?nAMrLeUV?|PNR#tyGVmVeqYg20qgh41? z$}s%O?HVTXnG(7?|=@3Ttl4- zL_60zMg;MAwN!a2aq35aF!}&Ytl^ZKM$)|!HgPA^Rb&)s0(<-5Cpy$Z*BoBt6CnQm NtTS+hw2gSUCdo({tBe2u delta 530 zcmV+t0`2{V1i%E4C4Wk4OfxV+ATcjXK}axWYGqnYXLmG2YcFC$D?>$QGEPKMOJsCr zYExHuX=8Lza5YFt3N}heb$K;*OAOpQD`q{O;t@!X+v{oQ)x#xd1-S)ZbxZ&byr1pV@o+$ zFi%Tpb$V}ZNoqKe@fUweG&4CdM@&*mLUv0sYBozZb#+EhY*AA|c5i4zQ%6ceOJ-&> zc~p06M_CGUa71rJSX4D-Y;IvUI5AgBODkr1ZemkNVOVofVPjY;MMO1GF-t^pWGE871G z2T>4Y(uN5|+PiM6{T1k{PLy2I&XE{t2=u^4(?|YY=NNL{MJnl ssh-ed25519 JjL30A 1XNRKnK1XPGFU5+lqgoLMOnaf9IxQT6NV6tFK654gDc -OBePOZJ+eS1Wl7pAERJgj9MtmGqwNYibpdUWR6B84A8 --> ssh-ed25519 nueAfA SKBEBskfVR/OcKLlNj7SWr0RnYb67Npe8WRmjxytVCk -fqLgmEwmxISmpyzz3D/X5X0bN4xrIh8/hqs9vDiFkqE --> ssh-ed25519 WcjW5A cZDomiXanY2cwvZCPWcAG734dQg7RhlnqKMe5pfHMy4 -6jzLkXYDa8ZrUTlyqmAw0W4WRy0x83L53SQS0Aq7gtg ---- B4/2cwHiFwQDnGZELOsHLyxEfmZbl2I5rkZioWhh7GE -*X& [kwCV$;* -:zթgPQ+G -)b߃t-r9RߍQsčv/⇐<>'s@? \ No newline at end of file +-> ssh-ed25519 b3HlPA 2xnmAbE7usGlBUofIkT0+k9lkAOMfrUifn2kEp6u43w +IpuhSKZoguXHXBamt2xzKTIRPyKNmzIYPaIdKM90aow +-> ssh-ed25519 nueAfA LuY9xtX9NcTzA6t4XugshESmLA5omCP6CzgiEItj9CA +JCLnGxpvRLcMeTZOPy+7L02Jsni/AhYzTzL4mFk74Jo +-> ssh-ed25519 WcjW5A nQbOkYhDen935yMtYnWKeM54PeRUcAikvGRsjRQ/Ox4 +uL0PpSXX7+Xn91HYHtb/HNf90VNCRaCZ5sQjYCcOdWI +--- hr+DtkYLhfRAVjc0E6z970/JJT3iaJKTSRwMY0rLMPA +D \ YMW;nE iۉ5 _\Ճj@jc(J}5nK7ԾAh=׹:K?-V.kD6cv \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 552eba8..25dbe50 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -8,10 +8,9 @@ let
 userBrontes
 ];
 
- raptus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIErbhkpCL0DuJQTxeTqxtrGvELCQFkyZmhTZ8fagszOU";
- systems = [ raptus ];
+ raptus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdpjGR/pV1roktZdKIVVWqds0JB+x1ksfyQmYPMLK7o";
 in
 {
- "couchdb.age".publicKeys = [ raptus ];
+ "couchdb.age".publicKeys = [ raptus ] ++ users;
 "rustypaste.age".publicKeys = [ raptus ] ++ users;
 }
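Review bot: `"couchdb.age".publicKeys = [ raptus ] ++ users;` widens who can decrypt the CouchDB secret from the host key alone to every key in `users`, which is a change of recipients and trust boundary rather than the plain rekey the subject announces; if the intent is parity with `rustypaste.age`, which already listed `users`, the commit message should say so, otherwise the host-only recipient list should stay. Replacing the `raptus` public key also means the old key ending in `8fagszOU` is retired, so any other file encrypted to it would need the same rekey treatment — only the two `.age` files in this patch are covered. A comment beside the binding, e.g. `# raptus host key (/etc/ssh/ssh_host_ed25519_key.pub); must match age.identityPaths in hosts/raptus/configuration.nix`, would make the coupling between the two files visible. The `let` block and the `users` list begin outside the hunk.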