From 2a46d9d455cafd47d0f64bf53123c426f3f09e2c Mon Sep 17 00:00:00 2001
From: Filippo Berto
Date: Thu, 12 Jan 2023 12:21:31 +0100
Subject: [PATCH] Better deployment keys separation

---
 flake.nix | 8 ++++++++
 loki/configuration.nix | 9 +++------
 nixos_modules/distributed.nix | 3 +++
 nixos_modules/installer.nix | 1 +
 nixos_modules/remote-deploy.nix | 7 ++++---
 secrets/secrets.nix | 14 +++++++-------
 secrets/spotify_password.age | 33 ++++++++++++++++++++-------------
 7 files changed, 46 insertions(+), 29 deletions(-)

diff --git a/flake.nix b/flake.nix
index 0505b85..473f9d8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -272,6 +272,14 @@
 };
 };
 
+ odin = {
+ hostname = "odin.local";
+ profiles.system = {
+ user = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.odin;
+ };
+ };
+
 loki = {
 hostname = "loki.local";
 profiles.system = {
diff --git a/loki/configuration.nix b/loki/configuration.nix
index b929821..988b26f 100644
--- a/loki/configuration.nix
+++ b/loki/configuration.nix
@@ -60,12 +60,9 @@ with lib; {
 
 networking = {
 hostName = "loki";
- interfaces = {
- eno1.useDHCP = true;
- wlp7s0.useDHCP = true;
- };
- networkmanager.enable = true;
- useDHCP = false;
+ interfaces.eno1.useDHCP = true;
+ # networkmanager.enable = true;
+ # useDHCP = false;
 };
 
 time.timeZone = "Europe/Rome";
diff --git a/nixos_modules/distributed.nix b/nixos_modules/distributed.nix
index ed0175e..f8887c0 100644
--- a/nixos_modules/distributed.nix
+++ b/nixos_modules/distributed.nix
@@ -1,5 +1,8 @@
 {
+ security.sudo.wheelNeedsPassword = false;
 nix.settings = {
+ trusted-users = [ "root" "@wheel" ];
+
 trusted-public-keys = [
 "thor:yRx3HglIxjUYocp4/jAP9dPWxWBEpgP6hqj1ofEfn1A="
 "odin:ClRXzxmDZl2Y94SG4YlWXGiJDY4L9DgZq/3OLR5+i6k="
diff --git a/nixos_modules/installer.nix b/nixos_modules/installer.nix
index 51c65c7..00fc7ce 100644
--- a/nixos_modules/installer.nix
+++ b/nixos_modules/installer.nix
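Review bot: The two commented-out settings `# networkmanager.enable = true;` and `# useDHCP = false;` in the loki/configuration.nix hunk leave dead configuration behind: if NetworkManager and the wlp7s0 interface are no longer wanted on loki, the lines should simply go, and if they are parked for a later change, a one-line comment saying so (and that wlp7s0 is intentionally left unconfigured) would spare the next reader the guesswork. With `useDHCP` no longer set explicitly, the module default now decides DHCP for the remaining interfaces, which is presumably intended but worth confirming on the host. The enclosing networking block continues past the hunk's context lines only as shown; the surrounding module is outside the hunk.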
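Review bot: In the nixos_modules/distributed.nix hunk, `security.sudo.wheelNeedsPassword = false;` combined with `trusted-users = [ "root" "@wheel" ];` gives every wheel member on every host that imports this module both passwordless sudo and Nix trusted-user status, and a trusted Nix user can add substituters and trusted public keys, which is root-equivalent in practice, so any SSH key authorised for a wheel account on these hosts now carries root weight. Given that the commit's stated goal is tighter separation of deployment keys, consider restricting `trusted-users` to the specific deployment account instead of the whole `@wheel` group, and record the decision in a comment next to the sudo line, e.g. `# deploy hosts: wheel members are trusted Nix users and may sudo without a password`. Whether any non-deploy user is in wheel on these hosts is not visible from the patch. The `nix.settings` attribute set continues outside the hunk.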
@@ -9,6 +9,7 @@
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhxOjo9Ac9hVd3eOR56F6sClUMUh1m7VpcmzA18dslj bertof@odin"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7mcf8fbMo1eXqSJeVFWaweB+JOU+67dFuf8laZKZZG bertof@thor"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp1Rfb2acLM/5TDUahu+AdV/HVw+hoOTdQIeQIjV5p8"
 ];
 };
 system.stateVersion = "22.11";
diff --git a/nixos_modules/remote-deploy.nix b/nixos_modules/remote-deploy.nix
index 087d6c4..5a02408 100644
--- a/nixos_modules/remote-deploy.nix
+++ b/nixos_modules/remote-deploy.nix
@@ -1,12 +1,13 @@
-{ config, ... }: {
+{
 services.openssh = {
 enable = true;
 openFirewall = true;
- permitRootLogin = "prohibit-password";
 passwordAuthentication = false;
 kbdInteractiveAuthentication = false;
 };
 
- users.users.root.openssh.authorizedKeys.keys = config.users.users.bertof.openssh.authorizedKeys.keys or [ ];
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp1Rfb2acLM/5TDUahu+AdV/HVw+hoOTdQIeQIjV5p8"
+ ];
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 45bd648..0330bca 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
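Review bot: The key added to `openssh.authorizedKeys.keys` in nixos_modules/installer.nix carries no trailing comment identifying its owner or purpose, unlike the `bertof@odin` and `bertof@thor` entries above it, so nobody reading the installer image later can tell whose key it is or when it is safe to revoke; append a label in the same style, e.g. `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp1Rfb2acLM/5TDUahu+AdV/HVw+hoOTdQIeQIjV5p8 <owner>@<deploy-role>"` (placeholder label). The same literal is repeated verbatim in the nixos_modules/remote-deploy.nix hunk of this commit; defining it once (a shared attribute both modules import) would keep the installer and the deployed hosts in step when the key is rotated, instead of relying on two edits that can drift apart.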
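Review bot: Removing `permitRootLogin = "prohibit-password";` from nixos_modules/remote-deploy.nix leaves root's SSH login policy to the openssh module default; to my recollection that default is also prohibit-password on the release this flake targets (the patch sets `system.stateVersion = "22.11"` elsewhere), but this module is precisely the place that grants root an authorised key, so keeping the line explicit documents the intent and survives any future change of the default. The module also no longer receives `config`, so the old fallback to bertof's keys is gone and root accepts only the single listed key; a short header comment stating that contract, e.g. `# root login is key-only and limited to the deployment key below`, would make the new separation visible to anyone who next edits the key list.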
@@ -1,17 +1,17 @@
 let
- # bertof_baldur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbG791lSOl8Rqoy+KkdKiOJnOMRg02+HZ/VrlrWMYAX";
+ bertof_baldur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbG791lSOl8Rqoy+KkdKiOJnOMRg02+HZ/VrlrWMYAX";
 bertof_odin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhxOjo9Ac9hVd3eOR56F6sClUMUh1m7VpcmzA18dslj";
 bertof_thor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7mcf8fbMo1eXqSJeVFWaweB+JOU+67dFuf8laZKZZG";
- # users = [ bertof_baldur bertof_odin bertof_thor ];
+ bertof_loki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbbgBCzRsIO6giIVCgTUMgBCrexgvHmq8pis5A4ievH";
+ users = [ bertof_odin bertof_thor bertof_loki bertof_baldur ];
 
- dev_users = [ bertof_odin bertof_thor ];
- # baldur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9G8I75gOfB1QJhZU9z+UaYovWq05OfK2FVKtCb8Xxh";
+ baldur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9G8I75gOfB1QJhZU9z+UaYovWq05OfK2FVKtCb8Xxh";
 odin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8bfOYmFN+KRjnAOdt9IazGeaRKm5tvGyblHD7MUhtr";
 thor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbMiGx/QZ/RKgad3UNyEzgLfqRU0zBo8n0AU3s244Zw";
- dev_systems = [ odin thor ];
- # systems = [ baldur odin thor ];
+ loki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeomEH/27XFlOjQ/GTO2mo8qPMHTbzLIsX0dloxXfhb";
+ systems = [ odin thor baldur loki ];
 in {
 # "oauth_proxy_client_credentials.age".publicKeys = users ++ systems;
- "spotify_password.age".publicKeys = dev_users ++ dev_systems;
+ "spotify_password.age".publicKeys = users ++ systems;
 }
diff --git a/secrets/spotify_password.age b/secrets/spotify_password.age
index 8cfe308..0ed4bc7 100644
--- a/secrets/spotify_password.age
+++ b/secrets/spotify_password.age
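Review bot: Despite the subject line, the recipient set in `"spotify_password.age".publicKeys = users ++ systems;` in secrets/secrets.nix grows from two dev users and two dev hosts to four of each, so the host keys of baldur and loki (and the bertof keys on those machines) can now decrypt this secret as well; if those hosts do not need it, keep a narrower list — the removed `dev_users`/`dev_systems` split did exactly that — or add a comment explaining why every host must be a recipient. With the per-purpose lists gone, any secret added to this file later will inherit the all-hosts recipient set unless someone reintroduces a scoped list, so a comment on `users`/`systems` saying they are the broadest sets, not the default for new secrets, would help. The re-encrypted spotify_password.age in the last hunk shows eight recipient stanzas, which matches this wider list.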
@@ -1,14 +1,21 @@ age-encryption.org/v1 --> ssh-ed25519 13iwjQ ihFwxfFgF+mEzpG0+4/V9sMSyghxxJvKCCvaoR78cX0 -PIsBREW20MK11QAVjVlKiUFSIHgPY5Rh+RLIwa4972I --> ssh-ed25519 7MB20A cuuRqdeYnRDTUqpSKy5GSX9z7fwuxmSyqPEGv7/4gy4 -fzVYk6+1LMe3BCZHrvrjXSEccvh9yloneKRtKKaY4HI --> ssh-ed25519 IvyYug KH0Ar+DRAK01cn000DQ1jrVRnvi/IY38wH0+hio24Gk -0jZLR6ArJk55Fa1pWs3jzzEidinOlFRQa+t/QpvbGoQ --> ssh-ed25519 v7O/FA Wzn2CDmBuSTQRsvijqxzggc8i6MQ9Sev/oYOsGE3SRY -SICT5z35r4VxlnWQimUqka0ZTsq6VaVEnw3cMW2XfI8 --> h#yDi>P-grease :C(yo\96 -Z1rgHDuj00pfkwxbYNtCwj+KJHSz8oOi/Q ---- b0AXJG43DTS1dcH32SDOj71OoxQqtjA77VlbI+CQ+z8 -¹/E -CÓ÷úu¼ ssh-ed25519 13iwjQ 3FaFv6V6/c8+iC5ZUBFcTCh8f1nkUEi1jQo6f8Nj6EE +IagH9X5Lelr0+rU0hS6XPHAeAV4Uv6IpXa0wYGJbN2U +-> ssh-ed25519 7MB20A wBj0Sdvpex7glo7tKK/VtHaq8aVnzHSZJ5oAhnQ5RHE +FoFkY+O+HKTUh5W5aUO0fyb9rDwkJZ4Kc3RhInpKKso +-> ssh-ed25519 ieE3Vw X7kWcENcijldVFJpUqX8+W4CuKZgOlYuPGVZDD6WLTM +sRibg3hzeyc7gf9jHJ7bE5p3FTebcOhN98E87c1CXbY +-> ssh-ed25519 IBFs4A +e7hl3h3nQr/uW3OTT6nMDTiC2ePMLAByeqCtXNpyAg +5J6VX1ph34fNlZ8NDhIgKIhiG0qhJvLJmDwtZYcr6YM +-> ssh-ed25519 IvyYug 3xIQyUD44gdZ2JEbK066RIF0xj0eFkwf2AUxgP38oRo +fEXw+SvhtXnMMgncloKYQhgRZom6tS16hJIrf68VxxQ +-> ssh-ed25519 v7O/FA tNTXdS/Bs9k3iagAjaRmgboPLdUpGJqq6OKQrOujy2I +KCmUPezLDYA6p3k0q+FEiP2KI1Bao3H3DIiuNVUlFLY +-> ssh-ed25519 HowkUg lAwKW9SMX2d5sGWkXwjq6R/Swyr//220wEYYc0Svclo +9cp96pse6QG32ScYf85D3cEqHffe0f2YKjYdKZ3i08o +-> ssh-ed25519 XgC3XA SsG1GtxJveRM5yGAawrs/Ez7hQyu/4zTJo3tRS3Oe0s +sm7snutfRmeR+B/0wRMaEqatzz7opZ4uA0WMAzvSH7I +-> {f-3Fh-grease NBm}: JZ!#"1q/ nE63"]%v 8Oi;D/Z| +UNGlf5emYkMaKI+WDQH1xfQLuePiqaf7LBseLu2f76/zad74Ur3mWZKbTvDrtA +--- ACYOrlmjOexIr0dagfb3W66gu3Sqk7Na5197wYBsTiI +h/w¡ðÊKÙz4»áÈÔO;¶é´Ï2gKç+ BÙ1vÛ¤x+Ã0 ,xæ_ \ No newline at end of file