Better deployment keys separation

2023-01-12 12:21:31 +01:00 · 2023-01-12 12:21:31 +01:00 · 2a46d9d455
commit 2a46d9d455
parent 9b026f8a05
7 changed files with 46 additions and 29 deletions
--- a/nixos_modules/distributed.nix
+++ b/nixos_modules/distributed.nix
@ -1,5 +1,8 @@
 {
+  security.sudo.wheelNeedsPassword = false;
  nix.settings = {
+    trusted-users = [ "root" "@wheel" ];
+
    trusted-public-keys = [
      "thor:yRx3HglIxjUYocp4/jAP9dPWxWBEpgP6hqj1ofEfn1A="
      "odin:ClRXzxmDZl2Y94SG4YlWXGiJDY4L9DgZq/3OLR5+i6k="
--- a/nixos_modules/installer.nix
+++ b/nixos_modules/installer.nix
@ -9,6 +9,7 @@
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhxOjo9Ac9hVd3eOR56F6sClUMUh1m7VpcmzA18dslj bertof@odin"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7mcf8fbMo1eXqSJeVFWaweB+JOU+67dFuf8laZKZZG bertof@thor"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp1Rfb2acLM/5TDUahu+AdV/HVw+hoOTdQIeQIjV5p8"
    ];
  };
  system.stateVersion = "22.11";
--- a/nixos_modules/remote-deploy.nix
+++ b/nixos_modules/remote-deploy.nix
@ -1,12 +1,13 @@
-{ config, ... }: {
+{
  services.openssh = {
    enable = true;
    openFirewall = true;
-
    permitRootLogin = "prohibit-password";
    passwordAuthentication = false;
    kbdInteractiveAuthentication = false;
  };

-  users.users.root.openssh.authorizedKeys.keys = config.users.users.bertof.openssh.authorizedKeys.keys or [ ];
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp1Rfb2acLM/5TDUahu+AdV/HVw+hoOTdQIeQIjV5p8"
+  ];
 }