From 955c3255a00c5259151693500d9d56bb72fcab8d Mon Sep 17 00:00:00 2001
From: Thierry Pouplier
Date: Sun, 17 Aug 2025 17:26:59 -0400
Subject: [PATCH] WIP on host ssh key. broken.

---
hosts/lazyworkhorse/configuration.nix | 60 ++++++++++++---------
lib/keys.nix | 2 +-
modules/nixos/default.nix | 1 -
modules/nixos/services/systemd/default.nix | 13 -----
secrets/containers.env.age | 13 ++---
secrets/lazyworkhorse_host_ssh_key.age | Bin 733 -> 727 bytes
6 files changed, 42 insertions(+), 47 deletions(-)

diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix
index 52799d9..bb2770c 100644
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -58,31 +58,6 @@
 LC_CTYPE = "en_CA.UTF-8";
 };
 
- # Private host ssh key
- age = {
- identityPaths = paths.identities;
- secrets = {
- lazyworkhorse_host_ssh_key = {
- file = "${self}/secrets/lazyworkhorse_host_ssh_key.age";
- owner = "root";
- group = "root";
- mode = "0600";
- path = "/etc/ssh/ssh_host_ed25519_key";
- };
- };
- };
-
- # Public host ssh key
- environment.etc."ssh/ssh_host_ed25519_key.pub".text = keys.hosts.lazyworkhorse.main;
-
- # Prevent sshd from generating new keys and use this one
- services.openssh.hostKeys = [
- {
- path = "/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- ];
-
 # Configure network proxy if necessary
 # networking.proxy.default = "http://user:password@proxy:port/";
 # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
@@ -145,12 +120,45 @@
 # List services that you want to enable:
 
- # Enable the OpenSSH daemon.
+ # Enable the OpenSSH daemon
 services.openssh = {
 enable = true;
 settings.PermitRootLogin = "no";
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
 };
 
+ # Private host ssh key managed by agenix
+ age = {
+ identityPaths = paths.identities;
+ secrets = {
+ containers_env = {
+ file = ../../secrets/containers.env.age;
+ path = "/run/secrets/containers.env";
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ # lazyworkhorse_host_ssh_key = {
+ # file = ../../secrets/lazyworkhorse_host_ssh_key.age;
+ # owner = "root";
+ # group = "root";
+ # mode = "0600";
+ # path = "/etc/ssh/ssh_host_ed25519_key";
+ # };
+ };
+ };
+
+ fileSystems."/".neededForBoot = true;
+
+ # Public host ssh key (kept in sync with the private one)
+ environment.etc."ssh/ssh_host_ed25519_key.pub".text =
+ "${keys.hosts.lazyworkhorse.main}";
+
 services.fstrim.enable = true;
 services.zfs.autoSnapshot.enable = true;
diff --git a/lib/keys.nix b/lib/keys.nix
index e61a0fe..e82a203 100644
--- a/lib/keys.nix
+++ b/lib/keys.nix
@@ -9,7 +9,7 @@
 hosts = {
 lazyworkhorse = {
- main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBmPv4JssvhHGIx85UwFxDSrL5anR4eXB/cd9V2i9wdW";
+ main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmXqD+bBveCYf4khmARA0uaCzkBOUIE077ZrInLNs1O";
 github = "";
 gitea = "";
 };
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 0d44c89..855b2f2 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -5,6 +5,5 @@
 # ./programs
 ./services
 ./filesystem
- ./services/systemd
 ];
 }
diff --git a/modules/nixos/services/systemd/default.nix b/modules/nixos/services/systemd/default.nix
index b93d2d4..fbcaff2 100644
--- a/modules/nixos/services/systemd/default.nix
+++ b/modules/nixos/services/systemd/default.nix
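Review bot: The new `hostKeys` entry and the pinned `environment.etc."ssh/ssh_host_ed25519_key.pub"` both refer to `/etc/ssh/ssh_host_ed25519_key`, but the agenix secret that used to place that file is now commented out, so nothing in this revision provides the private key; sshd will generate a fresh key at that path and the public key published from keys.nix will not correspond to it, which is presumably the breakage named in the title. If `paths.identities` resolves to that same host key, the secret cannot be decrypted before the key exists, so the private key needs a one-time out-of-band bootstrap (or a separate bootstrap identity) rather than being re-enabled as an age secret — a comment on the commented-out block stating which approach is intended would help the next reader. Minor points: `"${keys.hosts.lazyworkhorse.main}"` is an identity interpolation and can stay `keys.hosts.lazyworkhorse.main;` as before, and `fileSystems."/".neededForBoot = true;` lands between unrelated ssh settings with no explanation, so a one-line comment on why it is required belongs next to it. Note also that with `./services/systemd` dropped from modules/nixos/default.nix, the remainder of that module (the container DNS settings visible in its hunk) is no longer imported by anything in this diff.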
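Review bot: Replacing `main` for lazyworkhorse with a new ed25519 public key is a host-key rotation, and nothing in the commit message says so: clients that have the old key in known_hosts will typically warn or refuse on the next connection, and every .age secret encrypted to the old host key has to be re-encrypted to the new one (this diff re-keys secrets/containers.env.age, but whether other secrets exist is not visible here). A short note on the rotation and its reason in the description, and a check that all recipients were rekeyed, would make the change reviewable.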
@@ -13,17 +13,4 @@ "dns" = [ "1.1.1.1" "8.8.8.8" ]; }; }; - - age = { - identityPaths = paths.identities; - secrets = { - containers_env = { - file = self + "/secrets/containers.env.age"; - path = "/run/secrets/containers.env"; - owner = "root"; - group = "root"; - mode = "0400"; - }; - }; - }; } diff --git a/secrets/containers.env.age b/secrets/containers.env.age index 897b9b0..2a8c362 100644 --- a/secrets/containers.env.age +++ b/secrets/containers.env.age @@ -1,7 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 GhMD8A 9Tjo08Hbj3S+nCdLUylZoUK6meXtuHq9F/qwSJZBYho -iu2MmQ2VHm+QEvqGjkEy02V0cNRanAyhrA8Xu7UWRFk --> ssh-ed25519 eB5ENw 8UTi2pmZML1Zyh9zCfEx4JqJhQ1vM/jZCEhrkuc1Hh4 -et6FoN8E4tgo2DXlt/KTGLRsByJFyDu2oHA/Js/pIB8 ---- dmEv5Fz1iUJ3W93lFtkHgtknfQGQNkMqglJZ+3e1qM8 -U.#C\ V-tpw؁nީn ssh-ed25519 GhMD8A rV+MVE/yCBXffr3Za8av5+lL8B/473Owe7phe2oKzXs +1Y3qBT07SKzO0EaSzLelbz5/whoEVfBD52N4+WwVScU +-> ssh-ed25519 kYn3oA fHmhGCOWPfUOQpGEY0+lA6akxhJcCzn1zmiBQFeD4wg +k48jDsxD7uXfg+VUgM0+PIL1WOBdSOGsLyvsuqYOziY +--- PXyg0xCJqashEWw9FNHv5g9UWWZ/vzvgKfZJ85OyNKU +;O*E[ z4XG;R~S\7Ђ>ZU,ȏ糿#`:%'ixɟMfW +&E̛C >H,WZ%@nY \ No newline at end of file 
diff --git a/secrets/lazyworkhorse_host_ssh_key.age b/secrets/lazyworkhorse_host_ssh_key.age index 13079600754207083e00cb31127b1247c4329844..6fc1a13e78b88f5d699ca899e3233c1ab170e40a 100644 GIT binary patch delta 695 zcmV;o0!aPc1=j_TEPrlvT5B(NYi3z&R8UJeI5RauYj9^dbx%lkOJ`O_MnY*cdRbXS zPgqfCSqf4!cThoTR#!A`Pjz@_bTKb+aCLTdH91yjOE_m~IXG5rRcUWfQek0DV+t)k zAaiqQEoEdfH8n9gAZuA}GjBm4Y*#XLQ7=|TO-4;YVK!)acYkL>WL9%_Pjf43cUnPb zO<6%uNKZmXRd_)#3VKOJO?X&GZ#hYMG;u>kQciMsR%1p=SaL#GcWg8^WK&T}ZFEX+ zb~0313N0-yAVP3!Gjd90a%?qjH&R10c11%}V^vscQ8I5vZ%A4}G%ATb9xFyCuWcB3MZCSxwA>;K z=vV65o6zsZ`;d1nP9^Jbj7id#=c;xcf^7Iqb#A{q3P*IrMXoU}X~@M|Thh1mriL+x z8_@63feL!md}9EIR=dQ76Z;=lkT1y8WrC_E{+>zQp?`E^}lpu0hAaZE=?SJXmV}=2aVHd$(G86 z$Mc^@`+qTR=BKV#pRC3F|0hj5Bf$%w2FUZEPrh@QEXXlP<1#_a$#vNX+>^kMRqeVMp-#AW^P1KOhsWraCmuf zT3KayO$udCS29<6bWv?nby#XjG&M0oO+{H|WNC9!S7>fbH+pnQQgk;&L2Xh-FbXX` zAaiqQEoEdfH8n9gAZ0=|MNW4hD@{yfNMdJbbV^utO=wd=Lw`6{azjl`M@B_9L|H;> zcV<&mMt4OCZdF4sHdbO|F=0wVM|U3?QSAmv?Ss&v3l`ezCnj&*Yj-JKqd6B7}3ArR-^W5^lH;k^6RG$)%i zYMne=f72fnbYLsHQ%fc9#7nIWg3DsxmdPe`n}bQ6vyBb!fxV2f$@2+VN^P5CZP#h| z5-%pqrH&_!thp_zey`4WY1rRlw=^QxVErtN?t-Q6?|*)axpK}sGy`Eh8vnDTW~*t= zNV4d<6ORZ0FXP(gvk(iRdVjP*F-@cD{9b0xG)sG18(z>wYx0 zUnauSbLi$_i4rxR7ZqdfOYjWF%GnyXkjJzWvi9%QZsFgb6qw!fhUNe zk_!P>zes}RCO~J?zZsA$U`fzze|Mz=Rvc8i`Zi>U08TU}0tLM41crjml?236Z!^i5 j7t_mWZm|59{h2>#2lFDo5m@v%oAi)~>1x7d2K?1Nod7FQ