ragenix: prepped basic secrets

progresses #11
2023-04-17 20:14:19 +10:00 · 2023-04-17 20:14:19 +10:00 · 4a6e51a9a7
parent b141d4a90f
commit 4a6e51a9a7
7 changed files with 90 additions and 10 deletions
--- a/nixos/hosts/toscano/configuration.nix
+++ b/nixos/hosts/toscano/configuration.nix
@ -9,16 +9,19 @@
 }: {
  imports = [
    ../../../networks/linode.nix
-    ../../../profiles/gitea.nix
-    ../../../profiles/hakyll-skeleton.nix
-    ../../../profiles/jfdic-web.nix
-    ../../../profiles/resrok-web.nix
-    ../../../profiles/tmateServer.nix
-    ../../../profiles/voc-web.nix
-    ../../../secrets/gitea.nix
+    #../../../profiles/gitea.nix
+    #../../../profiles/hakyll-skeleton.nix
+    #../../../profiles/jfdic-web.nix
+    #../../../profiles/resrok-web.nix
+    #../../../profiles/tmateServer.nix
+    #../../../profiles/voc-web.nix
+    #../../../secrets/gitea.nix
  ];

-  deployment.targetHost = "45.79.236.198";
+  deployment = {
+    tags = ["infra"];
+    targetHost = "45.79.236.198";
+  };

  networking.hostName = "toscano";

--- a/outputs.nix
+++ b/outputs.nix
@ -23,6 +23,12 @@ in {
      inherit (nix.packages."${pkgs.system}") nix;
      inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra;
    };
+  nixosConfigurations = nixpkgs.lib.nixosSystem {
+    system = "${pkgs.system}";
+    modules = [
+      ragenix.nixosModules.default
+    ];
+  };
 }))
 // {
  colmena = {
--- a/profiles/server_common.nix
+++ b/profiles/server_common.nix
@ -7,8 +7,7 @@
 }: {
  imports = [
    ../profiles/openssh.nix
-    ../nixos/secrets/user-fiscalvelvetpoet.nix
-    ../nixos/secrets/user-root.nix
+    ../profiles/users.nix
  ];

  programs.mosh = {
--- a/profiles/users.nix
+++ b/profiles/users.nix
@ -0,0 +1,32 @@
+# Configuration common to all JFDIC servers
+{
+  config,
+  pkgs,
+  ...
+}: {
+  # JFDIC Ops groups:
+  users.groups.fiscalvelvetpoet.gid = 1000;
+
+  # JFDIC Ops Users
+  users.users.fiscalvelvetpoet = {
+    isNormalUser = true;
+    uid = 1000;
+    group = "fiscalvelvetpoet";
+    extraGroups = ["wheel"];
+    # fix this
+    #passwordFile = config.age.secrets.fiscalvelvetpoet.path;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
+    ];
+  };
+
+  users.users.root = {
+    # fix this
+    #passwordFile = config.age.secrets.root.path;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
+    ];
+  };
+}
--- a/secrets/fiscalvelvetpoet.age
+++ b/secrets/fiscalvelvetpoet.age
@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBabmpl
+K3V2ZWV4c2pXcmtHYlhPaWVTd0Z2UnUrRTU0UHJxSlNGVGxrMEFZCjdsNW1IQTZY
+VWR5MG9YbjlHVGk1OEFEbGthNXVsbkpHbnlyN0lOU3dxOWsKLT4gc3NoLWVkMjU1
+MTkgZjVUaEFnIDIwdjFwUmc5dEhGdTd3WFdLMlJzN2NqQ1R1YWV2RXBwbTE5OU0x
+Y3hHMDAKcFhOYjdDcncwTnplamd3UTlaWVFiMXBHTlpuNFVSa01iaER4amlhdHdR
+MAotPiBRLWdyZWFzZSBjCkRMREtPUVdTeER4WWhjcjJOWSsvUkxtK2JTUnRhblB4
+KzFxMW5BVGp5U2hmdGtOZ1FDbFkrdUpNR1JuKzRLTWUKVTZCZk5nRTRUcnUzWURp
+MVplUGhTQjBrQU1UNwotLS0gSm52ejc3TXRBdlYrS0pRamQzeHo4N0pvcktHMDEv
+RzdXakJMVlZrYzNtMAp8HicX1xAaiwdoitp+OGbp3imWarnmMynCZxHsdPGmDIYG
+CEYqJ9JJVXAtzUL7kIE7uQOSZvgp4MvWahk5a0ITQkJDLbXef1mxhavGI6SYkhKP
+4fYc4GN7xAcxTRvb/oBP67lhc8Pt1W+h6BLphYMYbMM7XT/zHAVCUBrCCKTW2Swc
+NgJYUgwf7rI+hg/AKeXDXWYyidcYMrvb+L7jiIwZ6Q==
+-----END AGE ENCRYPTED FILE-----
--- a/secrets/root.age
+++ b/secrets/root.age
@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBoaDBJ
+M2E4THRwVmtpWTMwMGpKZ2owdC9aci9zMVZGSzdRYk1Xb2VoUmxzCjVveDgzUUc5
+SG1OUEVPb0pFTm5VdG93a2lBbVF3OXh1eGNsL1dZWGY1T3MKLT4gc3NoLWVkMjU1
+MTkgZjVUaEFnIDhFWHNoaFFkeVJ3NXBKc3oxVXdzeWtEc1NqSjAvRDZMWG9XSFVR
+UnVzMlEKMEJVOU45OUhVd0FEWTIrLzV2WnN6VmVJWjRHM0xRUk5YdFdNS0J1YVBD
+NAotPiB4WyMtZ3JlYXNlIFBBaTM8IDsgSDIgTChDaFRtcUcKSUlkVHFnRDA5cWIy
+Mjk4THJPREpRTW5FZ2RVR3lhTWFTOXhPaHdldVRBYWd2WE1Pc0IzbFZFQ0Q2RTAz
+Q2MySgpYUUNDNE9GM2JrUVpWbE1kenFLVGtDaFFGZjFvTFhYbWY0ZlI0MTlLVXFW
+d2d5dUdtL2hoSXcKLS0tIHZZMWk2amdIZHpCVzNtSUFvTyt0V3IyVm9NWWVyc3lG
+WDZpYmNtUkkzTDAKUHVWJeK+gcL0T5tHLBFQQP0EKHtO3Y2MFfNti/dtUhMoOnl0
+cKi+siTFVAR6hasO8eM+NYgDg0mCt5ThQfAQyr0c2VoPyNu1ITJKwZZndk52y6nv
+g95L4myoHPlJOKEb2pzSyDYKQZw4kUB4JKC5i7zy7a0TsMzVXUjZRDuOvWxcvXw8
+QbjtYbRJUZ+pFN445/awGVcZyMIE6KhrazU+WSU=
+-----END AGE ENCRYPTED FILE-----
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,11 @@
+let
+  fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
+  ops = [fiscalvelvetpoet];
+  users = [fiscalvelvetpoet];
+
+  toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE";
+  systems = [toscano];
+in {
+  "root.age".publicKeys = ops ++ systems;
+  "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;
+}