Better deployment keys separation

2023-01-12 12:21:31 +01:00 · 2023-01-12 12:21:31 +01:00 · 2a46d9d455
commit 2a46d9d455
parent 9b026f8a05
7 changed files with 46 additions and 29 deletions
--- a/flake.nix
+++ b/flake.nix
@ -272,6 +272,14 @@
            };
          };

+          odin = {
+            hostname = "odin.local";
+            profiles.system = {
+              user = "root";
+              path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.odin;
+            };
+          };
+
          loki = {
            hostname = "loki.local";
            profiles.system = {
--- a/loki/configuration.nix
+++ b/loki/configuration.nix
@ -60,12 +60,9 @@ with lib; {

  networking = {
    hostName = "loki";
-    interfaces = {
-      eno1.useDHCP = true;
-      wlp7s0.useDHCP = true;
-    };
-    networkmanager.enable = true;
-    useDHCP = false;
+    interfaces.eno1.useDHCP = true;
+    # networkmanager.enable = true;
+    # useDHCP = false;
  };

  time.timeZone = "Europe/Rome";
--- a/nixos_modules/distributed.nix
+++ b/nixos_modules/distributed.nix
@ -1,5 +1,8 @@
 {
+  security.sudo.wheelNeedsPassword = false;
  nix.settings = {
+    trusted-users = [ "root" "@wheel" ];
+
    trusted-public-keys = [
      "thor:yRx3HglIxjUYocp4/jAP9dPWxWBEpgP6hqj1ofEfn1A="
      "odin:ClRXzxmDZl2Y94SG4YlWXGiJDY4L9DgZq/3OLR5+i6k="
--- a/nixos_modules/installer.nix
+++ b/nixos_modules/installer.nix
@ -9,6 +9,7 @@
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhxOjo9Ac9hVd3eOR56F6sClUMUh1m7VpcmzA18dslj bertof@odin"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7mcf8fbMo1eXqSJeVFWaweB+JOU+67dFuf8laZKZZG bertof@thor"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp1Rfb2acLM/5TDUahu+AdV/HVw+hoOTdQIeQIjV5p8"
    ];
  };
  system.stateVersion = "22.11";
--- a/nixos_modules/remote-deploy.nix
+++ b/nixos_modules/remote-deploy.nix
@ -1,12 +1,13 @@
-{ config, ... }: {
+{
  services.openssh = {
    enable = true;
    openFirewall = true;
-
    permitRootLogin = "prohibit-password";
    passwordAuthentication = false;
    kbdInteractiveAuthentication = false;
  };

-  users.users.root.openssh.authorizedKeys.keys = config.users.users.bertof.openssh.authorizedKeys.keys or [ ];
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp1Rfb2acLM/5TDUahu+AdV/HVw+hoOTdQIeQIjV5p8"
+  ];
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -1,17 +1,17 @@
 let
-  # bertof_baldur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbG791lSOl8Rqoy+KkdKiOJnOMRg02+HZ/VrlrWMYAX";
+  bertof_baldur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbG791lSOl8Rqoy+KkdKiOJnOMRg02+HZ/VrlrWMYAX";
  bertof_odin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhxOjo9Ac9hVd3eOR56F6sClUMUh1m7VpcmzA18dslj";
  bertof_thor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7mcf8fbMo1eXqSJeVFWaweB+JOU+67dFuf8laZKZZG";
-  # users = [ bertof_baldur bertof_odin bertof_thor ];
+  bertof_loki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbbgBCzRsIO6giIVCgTUMgBCrexgvHmq8pis5A4ievH";
+  users = [ bertof_odin bertof_thor bertof_loki bertof_baldur ];

-  dev_users = [ bertof_odin bertof_thor ];
-  # baldur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9G8I75gOfB1QJhZU9z+UaYovWq05OfK2FVKtCb8Xxh";
+  baldur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9G8I75gOfB1QJhZU9z+UaYovWq05OfK2FVKtCb8Xxh";
  odin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8bfOYmFN+KRjnAOdt9IazGeaRKm5tvGyblHD7MUhtr";
  thor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbMiGx/QZ/RKgad3UNyEzgLfqRU0zBo8n0AU3s244Zw";
-  dev_systems = [ odin thor ];
-  # systems = [ baldur odin thor ];
+  loki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeomEH/27XFlOjQ/GTO2mo8qPMHTbzLIsX0dloxXfhb";
+  systems = [ odin thor baldur loki ];
 in
 {
  # "oauth_proxy_client_credentials.age".publicKeys = users ++ systems;
-  "spotify_password.age".publicKeys = dev_users ++ dev_systems;
+  "spotify_password.age".publicKeys = users ++ systems;
 }
--- a/secrets/spotify_password.age
+++ b/secrets/spotify_password.age
@ -1,14 +1,21 @@
 age-encryption.org/v1
-> ssh-ed25519 13iwjQ ihFwxfFgF+mEzpG0+4/V9sMSyghxxJvKCCvaoR78cX0
-PIsBREW20MK11QAVjVlKiUFSIHgPY5Rh+RLIwa4972I
-> ssh-ed25519 7MB20A cuuRqdeYnRDTUqpSKy5GSX9z7fwuxmSyqPEGv7/4gy4
-fzVYk6+1LMe3BCZHrvrjXSEccvh9yloneKRtKKaY4HI
-> ssh-ed25519 IvyYug KH0Ar+DRAK01cn000DQ1jrVRnvi/IY38wH0+hio24Gk
-0jZLR6ArJk55Fa1pWs3jzzEidinOlFRQa+t/QpvbGoQ
-> ssh-ed25519 v7O/FA Wzn2CDmBuSTQRsvijqxzggc8i6MQ9Sev/oYOsGE3SRY
-SICT5z35r4VxlnWQimUqka0ZTsq6VaVEnw3cMW2XfI8
-> h#yDi>P-grease :C(yo\96
-Z1rgHDuj00pfkwxbYNtCwj+KJHSz8oOi/Q
--- b0AXJG43DTS1dcH32SDOj71OoxQqtjA77VlbI+CQ+z8
-¹/E
-CÓ÷úu¼<S°ø¦[úž@PüUªw‡{é<> =ý-#ì2 Óã÷ZÆ`!
+-> ssh-ed25519 13iwjQ 3FaFv6V6/c8+iC5ZUBFcTCh8f1nkUEi1jQo6f8Nj6EE
+IagH9X5Lelr0+rU0hS6XPHAeAV4Uv6IpXa0wYGJbN2U
+-> ssh-ed25519 7MB20A wBj0Sdvpex7glo7tKK/VtHaq8aVnzHSZJ5oAhnQ5RHE
+FoFkY+O+HKTUh5W5aUO0fyb9rDwkJZ4Kc3RhInpKKso
+-> ssh-ed25519 ieE3Vw X7kWcENcijldVFJpUqX8+W4CuKZgOlYuPGVZDD6WLTM
+sRibg3hzeyc7gf9jHJ7bE5p3FTebcOhN98E87c1CXbY
+-> ssh-ed25519 IBFs4A +e7hl3h3nQr/uW3OTT6nMDTiC2ePMLAByeqCtXNpyAg
+5J6VX1ph34fNlZ8NDhIgKIhiG0qhJvLJmDwtZYcr6YM
+-> ssh-ed25519 IvyYug 3xIQyUD44gdZ2JEbK066RIF0xj0eFkwf2AUxgP38oRo
+fEXw+SvhtXnMMgncloKYQhgRZom6tS16hJIrf68VxxQ
+-> ssh-ed25519 v7O/FA tNTXdS/Bs9k3iagAjaRmgboPLdUpGJqq6OKQrOujy2I
+KCmUPezLDYA6p3k0q+FEiP2KI1Bao3H3DIiuNVUlFLY
+-> ssh-ed25519 HowkUg lAwKW9SMX2d5sGWkXwjq6R/Swyr//220wEYYc0Svclo
+9cp96pse6QG32ScYf85D3cEqHffe0f2YKjYdKZ3i08o
+-> ssh-ed25519 XgC3XA SsG1GtxJveRM5yGAawrs/Ez7hQyu/4zTJo3tRS3Oe0s
+sm7snutfRmeR+B/0wRMaEqatzz7opZ4uA0WMAzvSH7I
+-> {f-3Fh-grease NBm}: JZ!#"1q/ nE63"]%v 8Oi;D/Z|
+UNGlf5emYkMaKI+WDQH1xfQLuePiqaf7LBseLu2f76/zad74Ur3mWZKbTvDrtA
+--- ACYOrlmjOexIr0dagfb3W66gu3Sqk7Na5197wYBsTiI
+h/wĄđĘKŮz4ťáČÔO;śé´Ď2gKç+	BŮ1vŰ¤x+Ă0 ,xć_