From 03a983cd3a38cdf21b2ccc955bb5e90e5dd8bf7d Mon Sep 17 00:00:00 2001
From: Alexander Heldt <me@alexanderheldt.se>
Date: Sat, 20 Jul 2024 21:45:13 +0200
Subject: [PATCH] tadpole: Add authorized `ssh` key for `pinwheel`

---
 hosts/tadpole/modules/ssh/default.nix         |  27 +++++++++++++++++-
 secrets/pinwheel/alex.pinwheel-tadpole.age    | Bin 0 -> 3756 bytes
 .../pinwheel/alex.pinwheel-tadpole.pub.age    | Bin 0 -> 1179 bytes
 secrets/secrets.nix                           |   2 ++
 4 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 secrets/pinwheel/alex.pinwheel-tadpole.age
 create mode 100644 secrets/pinwheel/alex.pinwheel-tadpole.pub.age

diff --git a/hosts/tadpole/modules/ssh/default.nix b/hosts/tadpole/modules/ssh/default.nix
index a99ee35..d9a975c 100644
--- a/hosts/tadpole/modules/ssh/default.nix
+++ b/hosts/tadpole/modules/ssh/default.nix
@@ -1,6 +1,8 @@
-{ lib, config, ... }:
+{ pkgs, lib, config, ... }:
 let
   enabled = config.mod.ssh.enable;
+
+  authorizedKeysPath = "/home/alex/.ssh/authorized-keys";
 in
 {
   options = {
@@ -23,7 +25,22 @@ in
       };
     };
 
+    environment.etc."ssh/authorized_keys_command" = {
+      mode = "0755";
+      text = ''
+        #!${pkgs.bash}/bin/bash
+        for file in ${authorizedKeysPath}/*; do
+          ${pkgs.coreutils}/bin/cat "$file"
+        done
+      '';
+    };
+
     age.secrets = {
+      "alex.pinwheel-tadpole.pub" = {
+        file = ../../../../secrets/pinwheel/alex.pinwheel-tadpole.pub.age;
+        path = "${authorizedKeysPath}/alex.pinwheel-tadpole.pub";
+      };
+
       "alex.tadpole-codeberg.org" = {
         file = ../../../../secrets/tadpole/alex.tadpole-codeberg.org.age;
         path = "/home/alex/.ssh/alex.tadpole-codeberg.org";
@@ -47,6 +64,14 @@ in
           path = "/etc/ssh/tadpole";
           type = "ed25519";
         }];
+
+        settings = {
+          PasswordAuthentication = false;
+          KbdInteractiveAuthentication = false;
+        };
+
+        authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
+        authorizedKeysCommandUser = "root";
       };
     };
 
diff --git a/secrets/pinwheel/alex.pinwheel-tadpole.age b/secrets/pinwheel/alex.pinwheel-tadpole.age
new file mode 100644
index 0000000000000000000000000000000000000000..273c39e2b2ec3eda7e43c78a88a2d668a4bfe819
GIT binary patch
literal 3756
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHs|ZMnN>?Zk$||W0
zHuKAh^vK9BO84?E$nZBYtSm`RjPx+8G%eBgObtp8Dy$4M%;rigEv_ojjxsDXGf5B5
z4>n8p3^om|40X0B%&F2YsVEEza!T^|NXc>wGeEa3HCsE$JW!#eGP58(!`0j?xy;DS
z+&3)3%ca~vKhZTQA}}N)B_PSSAV1qOuQ1%eFp$gG)3Ugz!pEdA(J-$v$}-H|Jkr!9
z!qeZdETu3!Fwry8N88*W+_l1A--1h5S63k~D#s(!)6=A+yf{-k->b0PBc#wbC?GYd
zFf%eK$-vDh!?!%k)zLlOGo9;<!7HZS8NCm*<~!;(@Yvm76IEX&eW9_&{g*_iRn-0~
zTVf`Z^tW)X`>?m6AZ?>=vitUB5k(L8B;AX%|C`9l%Jut)Y5&tRT(6x^@%>CZ&~L7G
zdVNH_p2@r$s=Jf#&wJ6ot@OlOCY8MY$#tb|b3=ONPB1>PORhZh@ArEzfjp6Aw^rTT
zermzv6U_(yWJJ^?)rI+1bMA3@|J>kp+4JUotbg9{^-C=(I@y!|rp!uJ>L@?kRSEwI
zOKSgoUo7*oS?sL9$CSrbn_F6Cx#JeU{Mc9=z_vfsxF@{z=SJ&Qd-%1le{4D~v3Q@S
z_`ge=a{onSU6tT%sLxRr^D`)DT9~kLXF+@MJGC7yliNLPv(`rBZTbCqt4zVUIS!(q
z#OE@st_phd>)p#Vt-UAjuXkwv=d<MUj$OeHY5V#wOsQ`7J5?Cvw!LrTyS0{&FaLZS
zU~j!5ve>AiGFSH6mx&)kR($-*yCU#rwA+nYNrfw%3<JG)&5z7byXEe4Jfi63wV16h
zyV=(orawDXJL5>He^Ua>T!)HfzpU-1il?Ql`usYv?PxaNp|oxjh2J@gTlq_CLfO<#
zvTWU=%^LJ`Thi2PeEB?`Mw2FARo!yAZ>#oE?$#}8;yfG5rNTF!o5E#%=VY_z^Wu<m
z!4fwAXQ$Y9yh**&BNCt-$5)faVq9E)J4MD#=Dd`5oUd%L7kBlf9g54pd`#RSp)bg;
z%r5BP8B#FQ{o15s1q(QAieF6#S^nDAjH@WRU(fUB%Ec@%+?sqWv!%6u`PT-v{HdDj
z){tDeL#}1TEt4p#M%iz(?l0c3=ZC=L1z|HJ>ynpT?_*Mu)Z*G%fARbIeBIUDe{25*
z*%sv~#+ewt|0$Q8IJ2~6@)Wxb%R|`W#3uR3NoGtDb~(RWmS>wi!$~E%poFUDTLSj5
zJT|$|^DF)@w^8oBTXNsdNxx~I+Y~W<(u{Y1bvAHK&h4^3H~X34DP}o-Ew|zgTX{HQ
z-oNO&wr8#Jp89VaZ!hmR=<+!6KYHEDde7Ov>P@pQ%oBK_(jc}?{K12?^e=rDzJhN*
z8t+*n^jLD+lt`b+UONBWn%9di?d%S8YdvB8J4w>QH{(Q|aIH$N=SS1x$!{I+&3@$l
z@_t4?_bkR|4O^Le3z@PHP0VW13j8QzCZQhTU164_YPRzHeVgxDP1D<#>fFumnXkjN
zMD#7UAOD@KwN)unpZ(MC3p4P~x_DXL%th?K!E#aa>&7=e{)*nmmd&(+GhFsj7ccXk
zo@4r<)AjH9{pLS(`k3*N;HcL{pH*6S#?MZ9?eSo1qtup5&7vlEBp(Z%Jo@qRYE2jK
zt_t;w@_wqx22OK6wnx3%W@67H*7R3#g~ba0oH<|WmfGlDSI#|@d*(S)<B{r9^?l~o
zMV;n8Ir8M<+Jl!4+E3Aal<<^S{J-SV#x2YBCpBL1lGovnQOviSc8J;ik)}(=)DK5z
z1eG;?e*INhNA6_z!n%w6ZM}Jt;hz>H?q#2|=aumKDPL~L@|GW)d#T*_?U~mZCai4l
z>~hvQv(Cu+8k$nkReCdUi`&A2o=M-oF85j(Kl9qv!W9x8nag*qxT>+cuhL>2w|ifu
z*FLqD5Yszr#UI32D01E?3A_@fsF$!RUqGqKJ8{qX8+(hs{+OBf?TnbC<hf}Qnk@=W
zFBNAoUcUJ`Sz`OvHz&Wdnigq@NUVKhu(-S}N0K>x;dG~Cv)5nLZr|A7cZL6eT;MOa
zTKQzNCz5l@Z*asPmRDag=f;^f&gq}T>VKx~`kv)BZ-+ns^fP=*u5%bYTz>pf@Agh5
zagKu_e%xt~-?>gL=l|3ByJE4{de1{wS{?hRALcX`e$&l!;D6SXhs$%_j+Cfx)%+_e
z_DN{BM*RA#v!14L37wSS@;h{^=?>F&3)emRs{dqD;^GsRUAsNIrNlmzqh3OB>A|YH
zpofXyPq8i0y-`|LRQ&N(h}}(_7rwKNH}4g_Bhu=1l*#(voq4v&tM2u%=LMercYcZU
zo$z%W=6i*je!KI0e=p=?_A$5R2~Ud8)WzY)s&tkgl{A03bL|AR+nhhYU%C10*R;L5
zJjVj>Wp7yJB=a^|s>Eo97gxFre;}{*pV<dy-4*SR77@x2%{zM5$}3Ay^0>pwh5vs>
zKAI@-LAAiYF?HqiBU2eP%3e;*d$)&?x3#b-Z`rQMsj9565;X$-?DNa(&9to5<(Aid
z==#MQ{A21G-i802yPnK<>yzErc|48fso9)0e*=x59R9FUcxA?!`{$KaQi`uU`>{yF
zA+bYy|HFrkkIyChg<QRpdGBRnwuMtn_Kp4O40g=3Pq!I8mEGU`M(RbaA(uVl@piV;
zVUz#&sD?hA5;twp=Zs6~j?3S#z53i<XyrTJ^7EU%>*k*J&^b3NBBMsxuVqHeYZF%U
z-noV4SMINI=GC+Jn7t+U|BJs)?LOScov%rDiT%EovGRw}hTB4uin#6;%v;6HahE|R
zSoZ_N?WU4t?6Y^4-<Bz~5ubE#vci)U*X$)$eVzMjqaoY%_imgyn|8kPI`i6Vp`Fx4
zGe!3HeGEQ~av}l&zZb@wbaaw>xSIXpwLg|Q+xI+L7FKj_PORm%tzS&LtUt!op2*6X
z-Ec$TC414{ozY8Hte>9hdXs;$ZhuTo<BeP5PxB403$px=a#hb`nK%30<Dw;bocbGA
z$zN|T36nB!xf^m+MpUEHE~<4x(|)tf_mlI~8x+5~+cMf3R?MwTShuG9UZ(kM@x5*Q
z{k^lkY&4p%uFy|YgJlnMZ<??{)%31atVNmA`w~{w?&-V`?<)6Pd2P$fI-?73@~)|0
zJ$+93U+%Q7tFKI}6hlilJWu`ZH6iBGg8MDGzd5wJo28w0KHsDG>qddlAF~OW2XlV)
zSO1;(pvOt(OLpt71B>ljecN*9v|c;8_x+U(Ve*?T4+Xmazq9B&-?r59Gb}7|$9@HI
z|C`FLcR!UOa*A=(K4#zaj$gkxCgokSUTm@bwq3IDi9NM(f0p0M_`h;j&Vua*Obr+P
zZk#r}_-*&k4JDVpd|kFq^-9)^`LFpE5-*rt^f-S1$;tAcp3g5bH*WE7U|MRWd+7e0
ztc%+=nTC{f#ICWcIP>Y9+ok+4KZXzDhZ#>ze&d<gq9Id0sr9AegpYGy{+Y8+JfX6m
zZxXBV1$VQ1ik%@kr`qn9Fgj=5HQn@3c}}3ZUAf7d+RZK}wW`nB^!|%~dD!G82c!1F
zSra6$z7^^=*uqnGL+O&));YH})gI9d-6s{VW>Xw=)_>yKd;fpuE<Vyb{cz<??Fmk;
zJ9FbAUY3-Y+Dv>==&4!po&DL3qqFNJjkXHsByu_GG7IJiE}hQY?ax~J*mZBiri<#I
z{+Vk24Otg0G)eY|nxy=j2jOd3w3!7nA7zPpX}tA*xm=PX?t;8@0*COwq^X+~?^W9S
z6@8b{{kqv`MTx7kf4=ka&55f!yQ1Y-?)^5qA23r|)wOir^LsbCQg|(+G%f_{pLKNC
zu3Z_tz2)eOv=4jN20V5@yW`)d`48BW6w)1i4xQsX=l58~QN{9~W+$JDg4&gDuP@I}
z<#+yl<E`%I3ny(<CQgy-_-LMBKV4DhUclD4xwUt6XI^#Ze)yCB*WR14;R3V#tlFmZ
zIda6XdNF@vcPkOzw_^9lvoV)NEsb_hTD2+Pwr^trzuFrX9eeIgXHUf^Z|ddUw5(>=
z_ccCszl^`{)2;b-cYkH|)galK_Mbm*>8+@G-qF0Ef4cMUsG_xBQaByumpm@#+!*`y
zl*1;WX{Jq6rB3o5J@&r&M|8z(1_s^8<%_o`>UY>}ESGbwky@y<_?uVN;;62+o)-s~
zT}ZQ)OMh^TJ0s9nG3&(P8$wlL4qb-c7Q6m0-yKr^=4x|Ci0pQ=*zMCeOC6g7cPE}T
zo&GNVtKr_+%UT|v+H&HUXW_Jqvm$a<Y1d@NMjSHnohflb;MB$ieDeBiOv{qf(%yaJ
z5L}aRa{Hb;hFUGpcrx8vra5mosA|oAroTLH-wVkX%xUk<7KUDQzqxa{%hij?DJ;d4
z=lt+X`1jC2&->1Vi>p6POzBHjI}_Qs(jw;`gO=<;_SqM<vVN)9rEL`P+H6-7Yr*Yr
z>pgGJb16I(B~;AZl>BsIZMWjJ)%)TmSvhlb3-t0Y<n_OEhPTB$bc6k#XZ;H^Uq7*O
z{iR)zl(R!;iE!6^lV_aSk+ai1b`~fUdv8m=vNFTUvhPBnOGyR0V@Ka9yGT1`?+p>b
z$8L6naJHP{`x?}KFXpXNq5pl|Px8ON^&VMm+H?PRq1uFU{f6xo7gu_&ocO<ggJu^$
z!&VdX%+Anvud*8cZP;+*=6&|{t7l&0D|KCDA64v?`+DuPGn;k2-d9Y>zjVo=LFt9f
zn_cP*_k(B5P<Og;COF>v?BmTlkM!Ej>h@pbf9z+~`pK_ryCZK{F1M(TIB@uK)`baY
z7RtYymDO-CTYt{}x$1$JPiFtu<-NNrTOnZPrV#a0HUE0-#N8SWgw0+!`@$X304Byu
zzq-$_`aI2OMqKXR8=r){WcCMfE?-md=UQlq&xV;ETU)KeU)s#<wT@f&wPEri-PKk4
zryixX-FR|r(zz!SowFt1)=usFF1p6@wMxmN7Q5|^OHBIqE}Rfw*r#6QSasfh*Pa_n
z`fnqg6W#jXmb-4La?v~bZqA(JZxy&JZxnQ<fAU`BV7s8}PuHTKUhY#}_zd<c{HvR%
jHf`^(@S{8bcV4wRb@Se4$CH;fO`NUSZoOOM%aX|eH7^>c

literal 0
HcmV?d00001

diff --git a/secrets/pinwheel/alex.pinwheel-tadpole.pub.age b/secrets/pinwheel/alex.pinwheel-tadpole.pub.age
new file mode 100644
index 0000000000000000000000000000000000000000..9881070085771dd320256644b1aba8a14fd4780d
GIT binary patch
literal 1179
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHs|ZMnN>?Z;jxbO3
zPtJEKEUWTMb&4qT3M(!2cXn|zajOhUEcLP|&kHUN4|VeiF6OGrPcAOcbPm_gcL`1j
z$u03Vk2E*TEOIg}_Vz9E2`b7-vd9iDN{uvj_C>eNG|1fD(ow<7(!kHWG$JQBEZwid
zu}HttML*O%)IZ0gtimkB*xf1JF+bASEwRMiDU{1QFCfdrtRk_Zs>&(dJJ-w0KReIA
zN?YI1H8VRqJKM=QJV!exG`u3+JrLct)NJh}^FRel*MgK>lOluUlH#)9Aitudu&Cf*
zr%=aCmkOV>h|tP#FW*d0?V>_c4_B^4U*lq@BzKccA2$<kr-0&uR0EIv!n|bDkPs82
z9OLxLl)@Afqojbqf@CgTU0sC~5AzV;$N)$Gv_ik~?7S=sN8kKlAAP^fqBOG<{S=>w
zs3QN6>?Hlv5??Mh!+Fo=m+X;Hce}jq$?Iup?z1Z<zgbah%vSbf|6<YQ##3fLvwVNU
zb4y2_+8$F8#s?=JJQ0gG3+bsolHC6D<X`Uyt|rGvi^6_SNvZp@@FLsNovD23e;(}Y
zjn?LQ=AOAGwW{Z3@k4>GawY|%BdW5Jtuv=@aD1dubY@Dxj*W~zO>-rm)g(R)__IS>
z$k?C%=e45TTe4jq+IJ@kKbLwda^QK{Dq*D%rN?I(1?JYy;>ydN#&J^M;Hm3;Gxs>k
z-#*R0!u6|_zx{{5H;OlRcfI?#fpzoYx0ahrY(ym<PBHIat^f1S>7$(oUnq90KEjgw
z|I^N8vWI_YE2r%~`lP-2$?5%B9W{zsvz{BbGM+8|(%1LphDzU>W~F~?R9DaY#cX$5
zXx;lzH~rny9X|xQ6<UNGo>O&3YxN9CowA*C7BMYpF}f%h?C&{QB{zy8L0v`ri@*QZ
z?Nz?kZ%YpyoD;n0v3UFJwb6cCl5_H(8(K%aDP1DKy6k)Bxg~oPk4wy5!c)<n-W6)M
z?9us~@lCy3og<VcKIs!ro@nX5Soy#)H|{Rus-&2r7jl6yIU0L&KK)8~f5aqwbHXVO
zq1V4I$)~6npTG7}oB!IkApH%qW*z-|?5MGkwAuOQ^Do0=YbPG-X8ojd`R6Vv=IZx~
zj)j>w+Bx5-9Ef^%i}!q*)&g0l_{3Kdi(a&~t!ed4ubw(1!S2GTPcQFOyp27-xJp6s
z)1fE(Is2XOTR&}h`L%A&z8infAN$BN|IS7g-D0+<8+|HY%s(#Ytz{dzH+b5o8%LZ@
zo-&ztwD5Yu#XB4}Q_g5TU2#(I-7ig!=X^F#!d|v5TD9D`{L#_0>$350|15Iqv00z<
zqSpA<+-bk%D;tA#`dtcdiL}4Je`0-J;HMStM}?B+I!Z>}y!Ni(j`9?#;)kpkj6eMj
zRI@P3UL=1~xRUeLHRfwQK7S_V9*fX9W;|cvr0yMqdH=)HpU*be=WBTG{pm*O%s1EC
zSz|x8%fC_zySA$2ig>u9K*;CJz>jesuBocr*Nyio=4fI1V9Ih$BQxZX-s|wGt9sQt
H7CQj|sG<=(

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index eaaae22..c8171cd 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,6 +11,8 @@ in {
   "pinwheel/mullvad-account-history.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-sombrero.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-sombrero.pub.age".publicKeys = [ pinwheel sombrero alex ];
+  "pinwheel/alex.pinwheel-tadpole.age".publicKeys = [ pinwheel alex ];
+  "pinwheel/alex.pinwheel-tadpole.pub.age".publicKeys = [ pinwheel tadpole alex ];
   "pinwheel/alex.pinwheel-github.com.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-github.com.pub.age".publicKeys = [ pinwheel alex ];
   "pinwheel/alex.pinwheel-andromeda.age".publicKeys = [ pinwheel alex ];