nydragon/nix-da
1
Fork 0
Code Issues Pull requests Activity Actions 1

chore(agenix): rekey

Browse source
This commit is contained in:
Nydragon 2024-09-09 11:22:24 +02:00
parent ae5776d7be
commit 747d0a54b6
Signed by: nydragon
SSH key fingerprint: SHA256:iQnIC12spf4QjWSbarmkD2No1cLMlu6TWoV7K6cYF5g
4 changed files with 14 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
hosts/raptus/configuration.nix
View file

@ -40,6 +40,7 @@ in
networking.firewall = lib.mkForce { networking.firewall = lib.mkForce {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
80 # for acme challenges
443 443
5984 # couchdb 5984 # couchdb
3000 # forgejo 3000 # forgejo
@ -47,22 +48,7 @@ in
] ++ config.services.openssh.ports ++ [ config.services.endlessh.port ]; ] ++ config.services.openssh.ports ++ [ config.services.endlessh.port ];
}; };
# User account to run remote builds age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
users.users.remote-build = {
isSystemUser = true;
hashedPassword = ""; # Only allow login via ssh
openssh.authorizedKeys.keys = sshAccess;
shell = pkgs.bash;
group = "remote-build";
extraGroups = [ "wheel" ];
};
security.sudo.wheelNeedsPassword = false;
users.groups.remote-build = { };
# Ensure the user can build derivations
nix.settings.trusted-users = [ "remote-build" ];
security.acme.defaults.email = "admin@ccnlc.eu"; security.acme.defaults.email = "admin@ccnlc.eu";
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
@ -97,6 +83,8 @@ in
services.openssh = { services.openssh = {
enable = true; enable = true;
ports = [ 56528 ]; ports = [ 56528 ];
# Having automatic generation enabled breaks agenix
#hostKeys = [ ];
}; };
services.endlessh = { services.endlessh = {

BIN
secrets/couchdb.age
View file

Binary file not shown.

18
secrets/rustypaste.age
View file

@ -1,11 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 JjL30A 1XNRKnK1XPGFU5+lqgoLMOnaf9IxQT6NV6tFK654gDc -> ssh-ed25519 b3HlPA 2xnmAbE7usGlBUofIkT0+k9lkAOMfrUifn2kEp6u43w
OBePOZJ+eS1Wl7pAERJgj9MtmGqwNYibpdUWR6B84A8 IpuhSKZoguXHXBamt2xzKTIRPyKNmzIYPaIdKM90aow
-> ssh-ed25519 nueAfA SKBEBskfVR/OcKLlNj7SWr0RnYb67Npe8WRmjxytVCk -> ssh-ed25519 nueAfA LuY9xtX9NcTzA6t4XugshESmLA5omCP6CzgiEItj9CA
fqLgmEwmxISmpyzz3D/X5X0bN4xrIh8/hqs9vDiFkqE JCLnGxpvRLcMeTZOPy+7L02Jsni/AhYzTzL4mFk74Jo
-> ssh-ed25519 WcjW5A cZDomiXanY2cwvZCPWcAG734dQg7RhlnqKMe5pfHMy4 -> ssh-ed25519 WcjW5A nQbOkYhDen935yMtYnWKeM54PeRUcAikvGRsjRQ/Ox4
6jzLkXYDa8ZrUTlyqmAw0W4WRy0x83L53SQS0Aq7gtg uL0PpSXX7+Xn91HYHtb/HNf90VNCRaCZ5sQjYCcOdWI
--- B4/2cwHiFwQDnGZELOsHLyxEfmZbl2I5rkZioWhh7GE --- hr+DtkYLhfRAVjc0E6z970/JJT3iaJKTSRwMY0rLMPA
*•X& [œ«kÎwCÉV<C389>Ãóâ$µŽ•ƒ;* D Š\ YM ¾W;¹œÆ¦¸ÃÎÀên<C3AA>E °i»Û‰É5 _\âÕƒj™@ã˜jãcê(¯Jó}5À˜nKÌ7Ô¾AÙÁh¬¬…¿Ü=<3D>×¹:K?-<2D>V«.Öðð®k<C2AE>¶£ÞêDæ­6œc¡v <0C>
„:ÑzÂÕ©ÈÇ­Ãô™PQ+¾GƒÀ
)Á‹œ×­¦ßƒ¾t-r9RÜß<C39C>Q“sƒÿÌòÄ<C3B2>ºv/ôâ‡<C3A2>è<>Ð's@?

5
secrets/secrets.nix
View file

@ -8,10 +8,9 @@ let
userBrontes userBrontes
]; ];
raptus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIErbhkpCL0DuJQTxeTqxtrGvELCQFkyZmhTZ8fagszOU"; raptus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdpjGR/pV1roktZdKIVVWqds0JB+x1ksfyQmYPMLK7o";
systems = [ raptus ];
in in
{ {
"couchdb.age".publicKeys = [ raptus ]; "couchdb.age".publicKeys = [ raptus ] ++ users;
"rustypaste.age".publicKeys = [ raptus ] ++ users; "rustypaste.age".publicKeys = [ raptus ] ++ users;
} }