ragenix: prepped basic secrets

progresses #11
2023-04-17 20:14:19 +10:00 · 2023-04-17 20:14:19 +10:00 · 4a6e51a9a7
parent b141d4a90f
commit 4a6e51a9a7
7 changed files with 90 additions and 10 deletions
--- a/nixos/hosts/toscano/configuration.nix
+++ b/nixos/hosts/toscano/configuration.nix
@ -9,16 +9,19 @@
 }: {
  imports = [
    ../../../networks/linode.nix
-    ../../../profiles/gitea.nix
+    #../../../profiles/gitea.nix
-    ../../../profiles/hakyll-skeleton.nix
+    #../../../profiles/hakyll-skeleton.nix
-    ../../../profiles/jfdic-web.nix
+    #../../../profiles/jfdic-web.nix
-    ../../../profiles/resrok-web.nix
+    #../../../profiles/resrok-web.nix
-    ../../../profiles/tmateServer.nix
+    #../../../profiles/tmateServer.nix
-    ../../../profiles/voc-web.nix
+    #../../../profiles/voc-web.nix
-    ../../../secrets/gitea.nix
+    #../../../secrets/gitea.nix
  ];
-  deployment.targetHost = "45.79.236.198";
+  deployment = {
    tags = ["infra"];
    targetHost = "45.79.236.198";
  };
  networking.hostName = "toscano";
--- a/outputs.nix
+++ b/outputs.nix
@ -23,6 +23,12 @@ in {
      inherit (nix.packages."${pkgs.system}") nix;
      inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra;
    };
  nixosConfigurations = nixpkgs.lib.nixosSystem {
    system = "${pkgs.system}";
    modules = [
      ragenix.nixosModules.default
    ];
  };
 }))
 // {
  colmena = {
--- a/profiles/server_common.nix
+++ b/profiles/server_common.nix
@ -7,8 +7,7 @@
 }: {
  imports = [
    ../profiles/openssh.nix
-    ../nixos/secrets/user-fiscalvelvetpoet.nix
+    ../profiles/users.nix
    ../nixos/secrets/user-root.nix
  ];
  programs.mosh = {
--- a/profiles/users.nix
+++ b/profiles/users.nix
@ -0,0 +1,32 @@
 # Configuration common to all JFDIC servers
 {
  config,
  pkgs,
  ...
 }: {
  # JFDIC Ops groups:
  users.groups.fiscalvelvetpoet.gid = 1000;
  # JFDIC Ops Users
  users.users.fiscalvelvetpoet = {
    isNormalUser = true;
    uid = 1000;
    group = "fiscalvelvetpoet";
    extraGroups = ["wheel"];
    # fix this
    #passwordFile = config.age.secrets.fiscalvelvetpoet.path;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
    ];
  };
  users.users.root = {
    # fix this
    #passwordFile = config.age.secrets.root.path;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
    ];
  };
 }
--- a/secrets/fiscalvelvetpoet.age
+++ b/secrets/fiscalvelvetpoet.age
@ -0,0 +1,14 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBabmpl
 K3V2ZWV4c2pXcmtHYlhPaWVTd0Z2UnUrRTU0UHJxSlNGVGxrMEFZCjdsNW1IQTZY
 VWR5MG9YbjlHVGk1OEFEbGthNXVsbkpHbnlyN0lOU3dxOWsKLT4gc3NoLWVkMjU1
 MTkgZjVUaEFnIDIwdjFwUmc5dEhGdTd3WFdLMlJzN2NqQ1R1YWV2RXBwbTE5OU0x
 Y3hHMDAKcFhOYjdDcncwTnplamd3UTlaWVFiMXBHTlpuNFVSa01iaER4amlhdHdR
 MAotPiBRLWdyZWFzZSBjCkRMREtPUVdTeER4WWhjcjJOWSsvUkxtK2JTUnRhblB4
 KzFxMW5BVGp5U2hmdGtOZ1FDbFkrdUpNR1JuKzRLTWUKVTZCZk5nRTRUcnUzWURp
 MVplUGhTQjBrQU1UNwotLS0gSm52ejc3TXRBdlYrS0pRamQzeHo4N0pvcktHMDEv
 RzdXakJMVlZrYzNtMAp8HicX1xAaiwdoitp+OGbp3imWarnmMynCZxHsdPGmDIYG
 CEYqJ9JJVXAtzUL7kIE7uQOSZvgp4MvWahk5a0ITQkJDLbXef1mxhavGI6SYkhKP
 4fYc4GN7xAcxTRvb/oBP67lhc8Pt1W+h6BLphYMYbMM7XT/zHAVCUBrCCKTW2Swc
 NgJYUgwf7rI+hg/AKeXDXWYyidcYMrvb+L7jiIwZ6Q==
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/root.age
+++ b/secrets/root.age
@ -0,0 +1,15 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBoaDBJ
 M2E4THRwVmtpWTMwMGpKZ2owdC9aci9zMVZGSzdRYk1Xb2VoUmxzCjVveDgzUUc5
 SG1OUEVPb0pFTm5VdG93a2lBbVF3OXh1eGNsL1dZWGY1T3MKLT4gc3NoLWVkMjU1
 MTkgZjVUaEFnIDhFWHNoaFFkeVJ3NXBKc3oxVXdzeWtEc1NqSjAvRDZMWG9XSFVR
 UnVzMlEKMEJVOU45OUhVd0FEWTIrLzV2WnN6VmVJWjRHM0xRUk5YdFdNS0J1YVBD
 NAotPiB4WyMtZ3JlYXNlIFBBaTM8IDsgSDIgTChDaFRtcUcKSUlkVHFnRDA5cWIy
 Mjk4THJPREpRTW5FZ2RVR3lhTWFTOXhPaHdldVRBYWd2WE1Pc0IzbFZFQ0Q2RTAz
 Q2MySgpYUUNDNE9GM2JrUVpWbE1kenFLVGtDaFFGZjFvTFhYbWY0ZlI0MTlLVXFW
 d2d5dUdtL2hoSXcKLS0tIHZZMWk2amdIZHpCVzNtSUFvTyt0V3IyVm9NWWVyc3lG
 WDZpYmNtUkkzTDAKUHVWJeK+gcL0T5tHLBFQQP0EKHtO3Y2MFfNti/dtUhMoOnl0
 cKi+siTFVAR6hasO8eM+NYgDg0mCt5ThQfAQyr0c2VoPyNu1ITJKwZZndk52y6nv
 g95L4myoHPlJOKEb2pzSyDYKQZw4kUB4JKC5i7zy7a0TsMzVXUjZRDuOvWxcvXw8
 QbjtYbRJUZ+pFN445/awGVcZyMIE6KhrazU+WSU=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,11 @@
 let
  fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
  ops = [fiscalvelvetpoet];
  users = [fiscalvelvetpoet];
  toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE";
  systems = [toscano];
 in {
  "root.age".publicKeys = ops ++ systems;
  "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;
 }