diff --git a/.sops.yaml b/.sops.yaml
index 6d52deb..621bc24 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,5 +1,10 @@
 keys:
- - &pipeline age1554v6n9mqc7e38hf6fzzueygy00jlvzrs9p4p5w068jq4xp5f9xskdae7s
+ - &aviac-gpg 644781002BDEA982
+ - &michael age14qgh6kzdlrwcvsrwhy75y3qtrkv46rverqxupu7ugwj8xwrm84dsfupg7d
+ - &pipeline age1f8p9wqgsr9vlzgfqnmt94cnecq7yyugv2cyvf88d4hzfqwyrhc8qywhsgl
 creation_rules:
 - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
- age: *pipeline
\ No newline at end of file
+ age: |
+ age14qgh6kzdlrwcvsrwhy75y3qtrkv46rverqxupu7ugwj8xwrm84dsfupg7d,
+ age1f8p9wqgsr9vlzgfqnmt94cnecq7yyugv2cyvf88d4hzfqwyrhc8qywhsgl
+ pgp: *aviac-gpg
diff --git a/dev_system.nix b/dev_system.nix
index cc904e1..e87ddc3 100644
--- a/dev_system.nix
+++ b/dev_system.nix
@@ -24,15 +24,17 @@ in
 ];
 sops = {
- defaultSopsFile = ./secrets/example.yaml;
+ defaultSopsFile = ./secrets/ssh-key.yaml;
 age = {
- sshKeyPaths = [ "/etc/ssh/ssh_host_ed25510_key" ];
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 keyFile = "/root/.config/sops/age/keys.txt";
 generateKey = true;
 };
- # secrets."foo" = {};
+ secrets."pipe-ssh-key" = { };
 };
+ services.openssh.settings.AllowUsers = [ "pipeline" ];
+
 users.users = {
 # connection only via ssh key
 pipeline = {
@@ -40,7 +42,6 @@ in
 home = "/home/pipeline";
 description = "User used by forgejo runners to connect to this system";
 extraGroups = [ "docker" ];
- # openssh.authorizedKeys.keyFiles = [ config.sops.secrets."foo".path ];
 };
 };
 }
diff --git a/git_system.nix b/git_system.nix
index bc57966..36c9194 100644
--- a/git_system.nix
+++ b/git_system.nix
@@ -76,7 +76,7 @@ in
 openssh = {
 ports = [ 62 ];
 settings = {
- AllowUsers = [ "forgejo" ];
+ AllowUsers = [ "forgejo" ];
 };
 };
diff --git a/secrets/example.yaml b/secrets/example.yaml
deleted file mode 100644
index 67899d3..0000000
--- a/secrets/example.yaml
+++ /dev/null
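Review bot: The `&michael` and `&pipeline` anchors declared under `keys:` are never referenced — the creation rule repeats both age recipients literally inside the `age: |` block, so the two lists can drift silently at the next key rotation (this commit already rotates `pipeline` once, `age1554…` → `age1f8p…`). Referencing the anchors keeps one source of truth: `key_groups:` / `  - age: [*michael, *pipeline]` / `    pgp: [*aviac-gpg]`. Separately, `644781002BDEA982` is a 16-hex-digit long key ID; sops accepts it, but a full 40-hex fingerprint is the recommended identifier because key IDs are not unique and a keyring holding a colliding ID could select the wrong key. A short `# owner / how generated` comment beside each key (for instance whether `*pipeline` is derived from the host's `ssh_host_ed25519_key` via `generateKey`) would also help, since `.sops.yaml` is the only human-readable record of the recipient set.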
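Review bot: `sops.secrets."pipe-ssh-key" = { };` declares the secret with sops-nix defaults (root-owned, mode 0400, under `/run/secrets`), but nothing in this hunk reads its `.path`, and the second hunk of this file drops the only candidate consumer — the commented-out `openssh.authorizedKeys.keyFiles` line — without a replacement, so unless another module wires it up, the `pipeline` user that `AllowUsers` now admits has no authorized key at all; the `users.users` block continues into the next hunk. Note that `users.users.<name>.openssh.authorizedKeys.keyFiles` reads its files at build time into the store, so it could never have consumed a runtime-decrypted sops path; if the secret is the runner's public key, give it an owner and a runtime-readable location, e.g. `sops.secrets."pipe-ssh-key" = { owner = "pipeline"; path = "/home/pipeline/.ssh/authorized_keys"; };` (sshd's StrictModes additionally requires `~/.ssh` to be user-owned and not writable by others), and in any case add a comment stating whether the file holds a public or a private key, since the name does not say. Also `services.openssh.settings.AllowUsers = [ "pipeline" ];` merges with any list set by an imported module (shared/ssh.nix sets `[ "dev" "root" ]`), so the effective allow-list is the union — a comment such as `# merged with shared/ssh.nix: dev, root` would stop readers assuming this line restricts SSH to `pipeline` alone.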
@@ -1,16 +0,0 @@
-foo: ENC[AES256_GCM,data:rNll,iv:HkPwTkUQQoCFg249wvtM6426GzU/qbbrlcGsUOy2R4o=,tag:lKuHh4IlNeL6KeG3TrNbwg==,type:str]
-sops:
- age:
- - recipient: age1554v6n9mqc7e38hf6fzzueygy00jlvzrs9p4p5w068jq4xp5f9xskdae7s
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHaThvKzVmQ2dtS3FKQjg4
- Y3RrS1BlcTBONzNpbStVUXVkSjYwZG5acGtrCm9DT2N4U0MzWnBzUDZNZmI1SnIy
- QStmWFRnM0JhWmhKQmxYSW9Veit0Zk0KLS0tIDJQYzh0Y0szdldtZWdQYm9IWUQ0
- R1UyWWhBOFJkeFltNkt3bUVMRzhjNWcKekxxKb80omoydKORZzauX3qIup0/7aAw
- h8yFK6qDh3on/GOHbVpJ0S9O6H/Zkgh0aRDFjUGNZDHcevubBphfyg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-05T15:32:10Z"
- mac: ENC[AES256_GCM,data:qvmntOMwDU1YZ14gaAHoqBJASrhcQ0UkX+tjb7PYAX366vEj90fszEgRSuqIKKQZrZ2OG6BjOlMudy8A6/XFmGiFQXq6Lx7rhddNQ/q8l6jmDPUB6YGgNmOjldpoeYlw8nEymnnnQv2V3Xh2Vt9YsnPxFvRdW9uhmSaNf1qhf88=,iv:d5E+VWy0MCmLjROiB60CYvGjcj1y0KK7/Esk8n+M0Vc=,tag:h+9iGJzHbbdt5Ct0/o6L2w==,type:str]
- unencrypted_suffix: _unencrypted
- version: 3.10.1
diff --git a/secrets/ssh-key.yaml b/secrets/ssh-key.yaml
new file mode 100644
index 0000000..714b35c
--- /dev/null
+++ b/secrets/ssh-key.yaml
@@ -0,0 +1,37 @@
+pipe-ssh-key: ENC[AES256_GCM,data:hDxyWJZnNWHoeCcduuR28M90q8hX6URn9rK50TiqOLVabQGcDTjATsizLyzbo0/eC6fPUIlM5A3KpwTPxi//eC6Ioyy7Xc0mdPWuSKySfyaYw+Lfg4RpH06LOQ8qUA==,iv:h2SAoJ7q/ov/lctQjZYlL3x/9bLy3p69piUtVcCZTI8=,tag:4Ay0Pv30+C9gLAw6BRHKoA==,type:str]
+sops:
+ age:
+ - recipient: age14qgh6kzdlrwcvsrwhy75y3qtrkv46rverqxupu7ugwj8xwrm84dsfupg7d
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhOXRaWFo1TzRpZnBVZW1K
+ TUlISGFrN3Q2OWxtenhTRHNNOEs0VmlJMkVzCm9VdGdmMml3ZHJMT1R2ZE5JNzBU
+ K3g5V0hUR29tQk1qUnRaTDZDS0prVmcKLS0tIGdQTEs3a0FRSUJCZEhONm12K3dW
+ MEpqQ295WExyT0VIQUI1a2F6SjQ0UjgK7A3I3in1m4y5zWzmNDKUDsBPFba/gDH/
+ 265naa6JQS1Ysb7YIu1Np9ag+dp08KuFgSAnPt5olAXrIJcXh6M0Qg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1f8p9wqgsr9vlzgfqnmt94cnecq7yyugv2cyvf88d4hzfqwyrhc8qywhsgl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRHpicTdxT3dvazJidHE5
+ ZG1EUGF0QWp6Qm8xKzVqODZXbVVzekgvRUQ4CjVTSGV5TlV5SnhEOE1sRlNoVkk4
+ bGJaOVdYS0dGZnhYSmYvTGgyTVJBVzAKLS0tIFo3eEVjL3h6bldCclhRNENJTWdK
+ dWNlMUIxSTkzZ0QxVWJDOGdMMUduZTAKy0CVsA6hGXv/F81fIBcAHn2NW1E63noE
+ /6V/FouS39Fsnb5zcK3U5FMJTn9VBNEQKHJzj9qrWlbMHo8q/Lor1w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-06-12T15:20:45Z"
+ mac: ENC[AES256_GCM,data:xhg1QK2LkkON+qP7o+rqAZRYPISuFlZ5Vhagavqiy+gNolq1ATajvdOJp6JCgHYqOpSSj6lbxs3F/i0py5cWW5jgkTBsfeiLzsm5MY+n0B0AkuNT6N/q9p2N0Btq0yA5Kez9IETRlpXk6ZnzKyOTHPllfHgoo8RBinwBDOf4VAw=,iv:36FzdyX48B8yAzwjWI95aVMYURE0saT75Z06JL6AQG0=,tag:8BVUeyeBu2YKKrG7xA9gZQ==,type:str]
+ pgp:
+ - created_at: "2025-06-12T16:02:00Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DzYliWiOOjtYSAQdAgvWR7o5PxnElk0BjNQNhBvLM0PL40tS3G9ok7vosWUEw
+ RfAed4lOrDaMpY2PqZJfsxgNoLblFzj/N4F9LVxpwhuR2InRCA+5HboUjkRwiMmK
+ 0l4BtFBAOfaTKHUVsst+dH0OWhP7IggrKo9sYFqtvSkswLfQDA7O1iGxa4P/FWdh
+ HXWKrs92rdJ5F2c0e0fjnVwtpdn2aOLlBTDGXGRNHTRs44mjuKOaimR4dbeIeR20
+ =30XJ
+ -----END PGP MESSAGE-----
+ fp: 644781002BDEA982
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/shared/ssh.nix b/shared/ssh.nix
index fd93f2b..ae9d850 100644
--- a/shared/ssh.nix
+++ b/shared/ssh.nix
@@ -1,17 +1,26 @@
-{ config, lib, pkgs, modulesPath, ... }:
 {
- services = {
- endlessh = {
- enable = true;
- port = 22;
- };
-
- openssh = {
- enable = true;
- ports = [ 54222 ];
- settings = {
- AllowUsers = [ "dev" "root" ];
- };
- };
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+{
+ services = {
+ endlessh = {
+ enable = true;
+ port = 22;
 };
+
+ openssh = {
+ enable = true;
+ ports = [ 54222 ];
+ settings = {
+ AllowUsers = [
+ "dev"
+ "root"
+ ];
+ };
+ };
+ };
 }