diff --git a/nixos/hosts/toscano/configuration.nix b/nixos/hosts/toscano/configuration.nix
index 69eaedf..d04bc70 100644
--- a/nixos/hosts/toscano/configuration.nix
+++ b/nixos/hosts/toscano/configuration.nix
@@ -9,16 +9,19 @@
 }: {
 imports = [
 ../../../networks/linode.nix
- ../../../profiles/gitea.nix
- ../../../profiles/hakyll-skeleton.nix
- ../../../profiles/jfdic-web.nix
- ../../../profiles/resrok-web.nix
- ../../../profiles/tmateServer.nix
- ../../../profiles/voc-web.nix
- ../../../secrets/gitea.nix
+ #../../../profiles/gitea.nix
+ #../../../profiles/hakyll-skeleton.nix
+ #../../../profiles/jfdic-web.nix
+ #../../../profiles/resrok-web.nix
+ #../../../profiles/tmateServer.nix
+ #../../../profiles/voc-web.nix
+ #../../../secrets/gitea.nix
 ];
- deployment.targetHost = "45.79.236.198";
+ deployment = {
+ tags = ["infra"];
+ targetHost = "45.79.236.198";
+ };
 networking.hostName = "toscano";
diff --git a/outputs.nix b/outputs.nix
index 621f4aa..23ce213 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -23,6 +23,12 @@ in {
 inherit (nix.packages."${pkgs.system}") nix;
 inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra;
 };
+ nixosConfigurations = nixpkgs.lib.nixosSystem {
+ system = "${pkgs.system}";
+ modules = [
+ ragenix.nixosModules.default
+ ];
+ };
 }))
 // {
 colmena = {
diff --git a/profiles/server_common.nix b/profiles/server_common.nix
index 75e240d..2b900b4 100644
--- a/profiles/server_common.nix
+++ b/profiles/server_common.nix
@@ -7,8 +7,7 @@
 }: {
 imports = [
 ../profiles/openssh.nix
- ../nixos/secrets/user-fiscalvelvetpoet.nix
- ../nixos/secrets/user-root.nix
+ ../profiles/users.nix
 ];
 programs.mosh = {
diff --git a/profiles/users.nix b/profiles/users.nix
new file mode 100644
index 0000000..f9b6cb3
--- /dev/null
+++ b/profiles/users.nix
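Review bot: The seven imports from `../../../profiles/gitea.nix` through `../../../secrets/gitea.nix` are commented out rather than removed, with no note on why or on whether the gitea, tmateServer and web profiles they pulled in are meant to stay down on this host. Git history already keeps the old list, so either delete the lines or keep them with the reason stated, e.g. `# disabled: <reason>; re-enable when <condition>`. The new `deployment.tags = ["infra"]` would also benefit from a one-line comment on what the tag selects, since other host files will presumably copy it. The attribute set continues past this hunk.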
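Review bot: `nixosConfigurations` is assigned the result of a single `nixosSystem` call, but `nixos-rebuild` and most flake tooling look a host up as `nixosConfigurations.<hostName>`, and this assignment sits inside the per-system expression that closes at `}))`, so the attribute will be keyed by whatever that wrapper emits rather than by host name — confirm that is intended. The module list holds only `ragenix.nixosModules.default`, so this configuration describes no host; if it is a placeholder, a comment saying so (and whether the `colmena = {` tree below is the real source of host configs) would help. `system = "${pkgs.system}";` wraps a string in an interpolation for no reason; `system = pkgs.system;` is the idiomatic form. The enclosing expression begins before this hunk.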
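Review bot: The removed `../nixos/secrets/user-fiscalvelvetpoet.nix` and `../nixos/secrets/user-root.nix` are not deleted anywhere in this diff, so unless another module still imports them they remain stale definitions of the same two accounts whose keys now live in `profiles/users.nix`, and a later import of either file would reintroduce whatever they set. Removing them in the same commit keeps one source of truth for root and the ops user. Minor consistency point: from within profiles/ the new import could be `./users.nix`, though it matches the existing `../profiles/openssh.nix` style. The attribute set continues past this hunk.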
@@ -0,0 +1,32 @@
+# Configuration common to all JFDIC servers
+{
+ config,
+ pkgs,
+ ...
+}: {
+ # JFDIC Ops groups:
+ users.groups.fiscalvelvetpoet.gid = 1000;
+
+ # JFDIC Ops Users
+ users.users.fiscalvelvetpoet = {
+ isNormalUser = true;
+ uid = 1000;
+ group = "fiscalvelvetpoet";
+ extraGroups = ["wheel"];
+ # fix this
+ #passwordFile = config.age.secrets.fiscalvelvetpoet.path;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
+ ];
+ };
+
+ users.users.root = {
+ # fix this
+ #passwordFile = config.age.secrets.root.path;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
+ ];
+ };
+}
diff --git a/secrets/fiscalvelvetpoet.age b/secrets/fiscalvelvetpoet.age
new file mode 100644
index 0000000..df3c33a
--- /dev/null
+++ b/secrets/fiscalvelvetpoet.age
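Review bot: Both `passwordFile` lines are commented out behind `# fix this`, so this module sets no password for root or for the wheel member `fiscalvelvetpoet`, even though `root.age` and `fiscalvelvetpoet.age` are added in this same commit; no visible hunk declares `age.secrets.root` or `age.secrets.fiscalvelvetpoet`, which is presumably why `config.age.secrets.*.path` cannot be referenced yet. Replace the bare `# fix this` with what is actually pending, e.g. `# TODO: point hashedPasswordFile at config.age.secrets.<name>.path once the age.secrets declarations exist (see secrets/secrets.nix)`, and check the option name against the pinned nixpkgs, since `passwordFile` was renamed to `hashedPasswordFile` in recent releases. The same two authorized keys are written out twice here and once more in `secrets/secrets.nix`; binding them once, `let opsKeys = [ "ssh-ed25519 … fiscalvelvetpoet@jfdic.org" "ssh-ed25519 … fiscalvelvetpoet@sealgair" ]; in { … }` with `openssh.authorizedKeys.keys = opsKeys;` on both users, makes key rotation a single edit. Whether the root keys are usable at all depends on `PermitRootLogin` in `profiles/openssh.nix`, which is not in this diff.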
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBabmpl
+K3V2ZWV4c2pXcmtHYlhPaWVTd0Z2UnUrRTU0UHJxSlNGVGxrMEFZCjdsNW1IQTZY
+VWR5MG9YbjlHVGk1OEFEbGthNXVsbkpHbnlyN0lOU3dxOWsKLT4gc3NoLWVkMjU1
+MTkgZjVUaEFnIDIwdjFwUmc5dEhGdTd3WFdLMlJzN2NqQ1R1YWV2RXBwbTE5OU0x
+Y3hHMDAKcFhOYjdDcncwTnplamd3UTlaWVFiMXBHTlpuNFVSa01iaER4amlhdHdR
+MAotPiBRLWdyZWFzZSBjCkRMREtPUVdTeER4WWhjcjJOWSsvUkxtK2JTUnRhblB4
+KzFxMW5BVGp5U2hmdGtOZ1FDbFkrdUpNR1JuKzRLTWUKVTZCZk5nRTRUcnUzWURp
+MVplUGhTQjBrQU1UNwotLS0gSm52ejc3TXRBdlYrS0pRamQzeHo4N0pvcktHMDEv
+RzdXakJMVlZrYzNtMAp8HicX1xAaiwdoitp+OGbp3imWarnmMynCZxHsdPGmDIYG
+CEYqJ9JJVXAtzUL7kIE7uQOSZvgp4MvWahk5a0ITQkJDLbXef1mxhavGI6SYkhKP
+4fYc4GN7xAcxTRvb/oBP67lhc8Pt1W+h6BLphYMYbMM7XT/zHAVCUBrCCKTW2Swc
+NgJYUgwf7rI+hg/AKeXDXWYyidcYMrvb+L7jiIwZ6Q==
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/root.age b/secrets/root.age
new file mode 100644
index 0000000..f8653d1
--- /dev/null
+++ b/secrets/root.age
@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBoaDBJ
+M2E4THRwVmtpWTMwMGpKZ2owdC9aci9zMVZGSzdRYk1Xb2VoUmxzCjVveDgzUUc5
+SG1OUEVPb0pFTm5VdG93a2lBbVF3OXh1eGNsL1dZWGY1T3MKLT4gc3NoLWVkMjU1
+MTkgZjVUaEFnIDhFWHNoaFFkeVJ3NXBKc3oxVXdzeWtEc1NqSjAvRDZMWG9XSFVR
+UnVzMlEKMEJVOU45OUhVd0FEWTIrLzV2WnN6VmVJWjRHM0xRUk5YdFdNS0J1YVBD
+NAotPiB4WyMtZ3JlYXNlIFBBaTM8IDsgSDIgTChDaFRtcUcKSUlkVHFnRDA5cWIy
+Mjk4THJPREpRTW5FZ2RVR3lhTWFTOXhPaHdldVRBYWd2WE1Pc0IzbFZFQ0Q2RTAz
+Q2MySgpYUUNDNE9GM2JrUVpWbE1kenFLVGtDaFFGZjFvTFhYbWY0ZlI0MTlLVXFW
+d2d5dUdtL2hoSXcKLS0tIHZZMWk2amdIZHpCVzNtSUFvTyt0V3IyVm9NWWVyc3lG
+WDZpYmNtUkkzTDAKUHVWJeK+gcL0T5tHLBFQQP0EKHtO3Y2MFfNti/dtUhMoOnl0
+cKi+siTFVAR6hasO8eM+NYgDg0mCt5ThQfAQyr0c2VoPyNu1ITJKwZZndk52y6nv
+g95L4myoHPlJOKEb2pzSyDYKQZw4kUB4JKC5i7zy7a0TsMzVXUjZRDuOvWxcvXw8
+QbjtYbRJUZ+pFN445/awGVcZyMIE6KhrazU+WSU=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..4770ebb
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,11 @@
+let
+ fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
+ ops = [fiscalvelvetpoet];
+ users = [fiscalvelvetpoet];
+
+ toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE";
+ systems = [toscano];
+in {
+ "root.age".publicKeys = ops ++ systems;
+ "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;
+}
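Review bot: `users` is bound but never referenced; `"fiscalvelvetpoet.age".publicKeys` spells out `[fiscalvelvetpoet]` instead. Either use it, `"fiscalvelvetpoet.age".publicKeys = users ++ systems;`, or drop the binding — as written `ops` and `users` hold the same single key, so it is unclear whether the two lists are meant to diverge later. A short header comment on the recipient model would also help whoever rekeys these files, e.g. `# ops/users: operator keys that may decrypt and rekey; systems: host keys of the machines that decrypt the secret at activation`, with the caveat that the `toscano` entry must match the host key the deployed sshd actually uses or the host cannot decrypt.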