From c580c077867619f93e3a1825e2507e6792130587 Mon Sep 17 00:00:00 2001
From: Alexander Heldt
Date: Thu, 15 Aug 2024 15:12:48 +0200
Subject: [PATCH] backwards: Add secrets for `ssh` machine (root) key

---
 hosts/backwards/modules/ssh/default.nix | 18 ++++++++++++++++++
 secrets/backwards/root.backwards.age | 7 +++++++
 secrets/backwards/root.backwards.pub.age | 7 +++++++
 secrets/secrets.nix | 4 ++++
 4 files changed, 36 insertions(+)
 create mode 100644 secrets/backwards/root.backwards.age
 create mode 100644 secrets/backwards/root.backwards.pub.age

diff --git a/hosts/backwards/modules/ssh/default.nix b/hosts/backwards/modules/ssh/default.nix
index 075e675..1c7e6e8 100644
--- a/hosts/backwards/modules/ssh/default.nix
+++ b/hosts/backwards/modules/ssh/default.nix
@@ -1,6 +1,8 @@
 { lib, config, ... }:
 let
 enabled = config.mod.ssh.enable;
+
+ rootSSHKeyPath = "/etc/ssh";
 in
 {
 options = {
@@ -20,6 +22,11 @@ in
 openssh = {
 enable = true;
 ports = [ 1122 ];
+
+ hostKeys = [{
+ path = "${rootSSHKeyPath}/root.backwards";
+ type = "ed25519";
+ }];
 };
 };
 
@@ -28,5 +35,16 @@ in
 allowedTCPPorts = [ 1122 ];
 };
 };
+
+ age.secrets = {
+ "root.backwards" = {
+ file = ../../../../secrets/backwards/root.backwards.age;
+ path = "${rootSSHKeyPath}/root.backwards";
+ };
+ "root.backwards.pub" = {
+ file = ../../../../secrets/backwards/root.backwards.pub.age;
+ path = "${rootSSHKeyPath}/root.backwards.pub";
+ };
+ };
 };
 }
diff --git a/secrets/backwards/root.backwards.age b/secrets/backwards/root.backwards.age
new file mode 100644
index 0000000..2f4ee5d
--- /dev/null
+++ b/secrets/backwards/root.backwards.age
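Review bot: `services.openssh.hostKeys` replaces NixOS's default host-key list (ed25519 plus RSA under `/etc/ssh/ssh_host_*`) rather than extending it, so after this hunk `backwards` serves exactly one host key at `/etc/ssh/root.backwards`; if dropping the RSA key is intended, a comment above `hostKeys` saying so would save the next reader a lookup. The caveat that matters more, as far as I recall the sshd module, is that its pre-start runs `ssh-keygen` for every `hostKeys` entry whose file is missing or empty, so if the age secret for that path is not in place when sshd first starts, a throwaway key is generated at the same path and the host silently presents a different identity from the one committed here. I would add `# provided by age.secrets."root.backwards" below; if decryption fails, sshd-keygen will generate an unrelated key at this path` above `path = ...`. `rootSSHKeyPath` also names a directory rather than a key; `sshKeyDir` would read more honestly.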
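Review bot: Unless `modules/age/default.nix` (referenced in `secrets.nix` but not in this diff) sets `age.identityPaths` to something else, agenix decrypts with the host's own SSH host keys, and this hunk makes that host key the secret being decrypted, so a fresh `backwards` has no identity with which to decrypt `root.backwards.age` until the key has been seeded out of band. The recipient named `backwards` in `secrets.nix` carries the comment `root.backwards` and looks like the public half of this same key, which makes the dependency circular by construction; that can be fine with a documented bootstrap step, but nothing here records one. I would put a comment above `age.secrets` along the lines of `# this key is also the agenix identity for this host: copy it to /etc/ssh before the first activation, otherwise decryption cannot succeed`. Permissions look right as they stand: agenix defaults to root-owned `0400`, which is what sshd requires of a private host key, and with a custom `path` it installs a symlink into `/run/agenix.d`, which sshd follows.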
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Pu0HWg SsaAxjzGm2Q7rwXGUniBIBFFwnjg/hhy9+c6ZaplCGk +awhDZ95EJOqz31KAtajWx95t22bhOWmDlMYfKEr9aiI +-> ssh-ed25519 +oNaHQ QMsREm+h/zLGAxFlGwA85+TVrkRZB96lZQg9Wxnt0zE +qRxhWfoB/tJW3DCefigcmuptEsUNCm1MPHWJVwbbPr8 +--- GSqVz4fYWPpvi7wq+MC6PXW/HAGnDB3T2YGEPePsqkY +H(8/~!V:juODIof;kv/ B(I!?uqȢ 0VlPhKjҩ?+5l>Aihx !Y]CMN𽙺'aGʺDlކn,rW ĕ7VM2+#3yIjOw7Tz:!"2ı | s[MK680Փ1C dJ^ S=C߲<*ɲ]@^do%ruu \ No newline at end of file diff --git a/secrets/backwards/root.backwards.pub.age b/secrets/backwards/root.backwards.pub.age new file mode 100644 index 0000000..a9212c9 --- /dev/null +++ b/secrets/backwards/root.backwards.pub.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Pu0HWg P3gzWhc5giZhfHFAPsx3xj3h5geZm4ry5Wznr0m4rGM +Pl+9HcagLawy3yJXbfq2IPw0agHgIA1WoaIZEz7a1eY +-> ssh-ed25519 +oNaHQ 36FMdDGTlM/3RM8rTMjvAAYzqF65KiyDbczveRb9tXo +qlAhrXJeCmoqIP5pGep3cvAATL+Lzj2H2NiisQWGTww +--- zswHAYFu5pwVD8Z5zxgGdRerFHvzcirEwLeMvE1LDWQ +Hm던VY#:'dIj=Ϭ!F $:٦%.n{vN՜PR@O4(6 #PO𴑊Xw5ۂ5vop`(o-,TWv \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 55a66d9..6f81a58 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,6 +1,7 @@ let # see `modules/age/default.nix` where these are defined pinwheel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoI7Q4zT2AGXU+i8fLmzcNLdfMkEnfHYh4PmaEmo2QW root@pinwheel"; + backwards = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcTK3CUtTsgavuLlbfOqCbHYLtUrIKqnSqYmtzGCZnv root.backwards"; sombrero = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/NltCo1L+X1OIBfIKzfrbxLpCOerQ4vTIs+QPTXkf/ root@sombrero"; tadpole = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDbyj/vYafqpJH33jFz5HV+gwCiEIJTpxKrEFrBWx73A root@tadpole"; alex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTgiHYcdhS87pPnduLunZVEgLVj4EtbG9XVSZP1l5s5 alex"; 
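Review bot: The new `backwards` recipient's comment field is `root.backwards` while every sibling uses `root@<host>`; age ignores the comment, so nothing breaks, but the odd spelling hides that this is `backwards`'s host key in the same sense that `root@pinwheel` is pinwheel's. I would rename it `root@backwards`, and if this is literally the key shipped in `root.backwards.age`, a short note saying so would spare a reviewer from wondering whether `backwards` can decrypt its own host key before that key exists on the machine. The enclosing `let` block continues outside the hunk.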
@@ -26,6 +27,9 @@ in {
 "pinwheel/work-staging-ovpn.age".publicKeys = [ pinwheel alex ];
 "pinwheel/work-production-ovpn.age".publicKeys = [ pinwheel alex ];
+ "backwards/root.backwards.age".publicKeys = [ backwards alex ];
+ "backwards/root.backwards.pub.age".publicKeys = [ backwards alex ];
+
 "sombrero/syncthing-cert.age".publicKeys = [ sombrero alex ];
 "sombrero/syncthing-key.age".publicKeys = [ sombrero alex ];
 "sombrero/alex.sombrero-github.com.age".publicKeys = [ sombrero alex ];
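Review bot: `backwards/root.backwards.pub.age` encrypts a public key, and the `backwards` recipient added to the `let` block (`ssh-ed25519 AAAAC3…CZnv root.backwards`) looks like the same public half already committed in cleartext, so the second entry spends an age decryption on data that is not secret; sshd derives the public key from the private file and does not require a `.pub` next to it. I would drop `"backwards/root.backwards.pub.age"` here together with the matching `age.secrets."root.backwards.pub"` in the host module, or, if the file is wanted on disk, install it via `environment.etc."ssh/root.backwards.pub".text` from the plaintext public key rather than through agenix. The recipient list `[ backwards alex ]` itself follows the per-host pattern used for pinwheel and sombrero.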