gortium/infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WIP on host ssh key. broken.

Browse Source
This commit is contained in:
Thierry Pouplier
2025-08-17 17:26:59 -04:00
parent 6b367a7c95
commit 955c3255a0
6 changed files with 42 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
hosts/lazyworkhorse/configuration.nix
View File

@@ -58,31 +58,6 @@
LC_CTYPE = "en_CA.UTF-8"; LC_CTYPE = "en_CA.UTF-8";
}; };
# Private host ssh key
age = {
identityPaths = paths.identities;
secrets = {
lazyworkhorse_host_ssh_key = {
file = "${self}/secrets/lazyworkhorse_host_ssh_key.age";
owner = "root";
group = "root";
mode = "0600";
path = "/etc/ssh/ssh_host_ed25519_key";
};
};
};
# Public host ssh key
environment.etc."ssh/ssh_host_ed25519_key.pub".text = keys.hosts.lazyworkhorse.main;
# Prevent sshd from generating new keys and use this one
services.openssh.hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
# Configure network proxy if necessary # Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
@@ -145,12 +120,45 @@
# List services that you want to enable: # List services that you want to enable:
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PermitRootLogin = "no"; settings.PermitRootLogin = "no";
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
}; };
# Private host ssh key managed by agenix
age = {
identityPaths = paths.identities;
secrets = {
containers_env = {
file = ../../secrets/containers.env.age;
path = "/run/secrets/containers.env";
owner = "root";
group = "root";
mode = "0400";
};
# lazyworkhorse_host_ssh_key = {
# file = ../../secrets/lazyworkhorse_host_ssh_key.age;
# owner = "root";
# group = "root";
# mode = "0600";
# path = "/etc/ssh/ssh_host_ed25519_key";
# };
};
};
fileSystems."/".neededForBoot = true;
# Public host ssh key (kept in sync with the private one)
environment.etc."ssh/ssh_host_ed25519_key.pub".text =
"${keys.hosts.lazyworkhorse.main}";
services.fstrim.enable = true; services.fstrim.enable = true;
services.zfs.autoSnapshot.enable = true; services.zfs.autoSnapshot.enable = true;

2
lib/keys.nix
View File

@@ -9,7 +9,7 @@
hosts = { hosts = {
lazyworkhorse = { lazyworkhorse = {
main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBmPv4JssvhHGIx85UwFxDSrL5anR4eXB/cd9V2i9wdW"; main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmXqD+bBveCYf4khmARA0uaCzkBOUIE077ZrInLNs1O";
github = ""; github = "";
gitea = ""; gitea = "";
}; };

1
modules/nixos/default.nix
View File

@@ -5,6 +5,5 @@
# ./programs # ./programs
./services ./services
./filesystem ./filesystem
./services/systemd
]; ];
} }

13
modules/nixos/services/systemd/default.nix
View File

@@ -13,17 +13,4 @@
"dns" = [ "1.1.1.1" "8.8.8.8" ]; "dns" = [ "1.1.1.1" "8.8.8.8" ];
}; };
}; };
age = {
identityPaths = paths.identities;
secrets = {
containers_env = {
file = self + "/secrets/containers.env.age";
path = "/run/secrets/containers.env";
owner = "root";
group = "root";
mode = "0400";
};
};
};
} }

13
secrets/containers.env.age
View File

@@ -1,7 +1,8 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 GhMD8A 9Tjo08Hbj3S+nCdLUylZoUK6meXtuHq9F/qwSJZBYho -> ssh-ed25519 GhMD8A rV+MVE/yCBXffr3Za8av5+lL8B/473Owe7phe2oKzXs
iu2MmQ2VHm+QEvqGjkEy02V0cNRanAyhrA8Xu7UWRFk 1Y3qBT07SKzO0EaSzLelbz5/whoEVfBD52N4+WwVScU
-> ssh-ed25519 eB5ENw 8UTi2pmZML1Zyh9zCfEx4JqJhQ1vM/jZCEhrkuc1Hh4 -> ssh-ed25519 kYn3oA fHmhGCOWPfUOQpGEY0+lA6akxhJcCzn1zmiBQFeD4wg
et6FoN8E4tgo2DXlt/KTGLRsByJFyDu2oHA/Js/pIB8 k48jDsxD7uXfg+VUgM0+PIL1WOBdSOGsLyvsuqYOziY
--- dmEv5Fz1iUJ3W93lFtkHgtknfQGQNkMqglJZ+3e1qM8 --- PXyg0xCJqashEWw9FNHv5g9UWWZ/vzvgKfZJ85OyNKU
<EFBFBD>U<EFBFBD><EFBFBD><EFBFBD>.<2E><>#C\<11><><EFBFBD> <09>V<EFBFBD><EFBFBD>-<EFBFBD><EFBFBD><EFBFBD><EFBFBD><1F>tp<74>w؁nީ<><02><>n<EFBFBD><<3C>E<EFBFBD><45><EFBFBD>~<7E><>bX<62><02><EFBFBD><EFBFBD>_<EFBFBD><EFBFBD><07><><EFBFBD><EFBFBD>u<EFBFBD>l?<3F>),s<>Ec7<EFBFBD><EFBFBD><EFBFBD><EFBFBD>v<EFBFBD>;<3B>A<EFBFBD>U<EFBFBD>-<2D>I<EFBFBD>7Y<37>-<2D>3g[<5B>jh~<7E>/<2F> <EFBFBD>;O*<2A><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>E<EFBFBD>[<5B><> <14><>z4XG<58>;R~<7E>S<EFBFBD>\<14><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>><08>Z<EFBFBD><5A>U<12>,<2C><><EFBFBD><EFBFBD><EFBFBD>ȏ<EFBFBD><EFBFBD>糿<13>#<23><13><>`:<3A>%'<27>ix<69><78><EFBFBD>ɟMf<4D><66>W
<EFBFBD><EFBFBD>&E<>̛<08><><EFBFBD>C<EFBFBD> <20>><3E>H<EFBFBD>,<2C><><EFBFBD><EFBFBD><EFBFBD>W<EFBFBD>Z<EFBFBD><5A><EFBFBD>%<25>@<40>n<EFBFBD>Y <20>

BIN
secrets/lazyworkhorse_host_ssh_key.age
View File

Binary file not shown.