sops updates

This commit is contained in:
aviac 2025-06-12 18:04:45 +02:00
parent 8f9458cdae
commit aac445108b
No known key found for this signature in database
GPG key ID: 644781002BDEA982
6 changed files with 73 additions and 37 deletions


@ -1,5 +1,10 @@
keys: keys:
- &pipeline age1554v6n9mqc7e38hf6fzzueygy00jlvzrs9p4p5w068jq4xp5f9xskdae7s - &aviac-gpg 644781002BDEA982
- &michael age14qgh6kzdlrwcvsrwhy75y3qtrkv46rverqxupu7ugwj8xwrm84dsfupg7d
- &pipeline age1f8p9wqgsr9vlzgfqnmt94cnecq7yyugv2cyvf88d4hzfqwyrhc8qywhsgl
creation_rules: creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
age: *pipeline age: |
age14qgh6kzdlrwcvsrwhy75y3qtrkv46rverqxupu7ugwj8xwrm84dsfupg7d,
age1f8p9wqgsr9vlzgfqnmt94cnecq7yyugv2cyvf88d4hzfqwyrhc8qywhsgl
pgp: *aviac-gpg
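Review bot: The `age: |` block under creation_rules repeats the two recipient strings literally even though the same keys are defined as the `&michael` and `&pipeline` anchors a few lines above, so the anchors are now dead and a future rotation has to be edited in two places. sops lets the rule reference anchors through `key_groups:` (`- age: [*michael, *pipeline]` with `pgp: [*aviac-gpg]` in the same group), which keeps one source of truth and, with a single group, is equivalent to the current any-one-key-decrypts behaviour. Separately, `&aviac-gpg 644781002BDEA982` is a 16-hex key ID rather than the full 40-hex fingerprint; since sops resolves it through the local gpg keyring, the full fingerprint is the more robust identifier, assuming the keyring currently resolves this ID to one key.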


@ -24,15 +24,17 @@ in
]; ];
sops = { sops = {
defaultSopsFile = ./secrets/example.yaml; defaultSopsFile = ./secrets/ssh-key.yaml;
age = { age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25510_key" ]; sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/root/.config/sops/age/keys.txt"; keyFile = "/root/.config/sops/age/keys.txt";
generateKey = true; generateKey = true;
}; };
# secrets."foo" = {}; secrets."pipe-ssh-key" = { };
}; };
services.openssh.settings.AllowUsers = [ "pipeline" ];
users.users = { users.users = {
# connection only via ssh key # connection only via ssh key
pipeline = { pipeline = {
@ -40,7 +42,6 @@ in
home = "/home/pipeline"; home = "/home/pipeline";
description = "User used by forgejo runners to connect to this system"; description = "User used by forgejo runners to connect to this system";
extraGroups = [ "docker" ]; extraGroups = [ "docker" ];
# openssh.authorizedKeys.keyFiles = [ config.sops.secrets."foo".path ];
}; };
}; };
} }
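Review bot: `secrets."pipe-ssh-key" = { };` declares the secret with sops-nix defaults (root-owned and not readable by the pipeline user) but nothing in this hunk consumes `config.sops.secrets."pipe-ssh-key".path`, and the commented `openssh.authorizedKeys.keyFiles` line is removed rather than wired up. If the value is a private key the pipeline user needs, give it an explicit `owner = "pipeline";`; if it is the public half, it does not need to live in sops and belongs in `openssh.authorizedKeys.keys` (`authorizedKeys.keyFiles` is read at build time, so a `/run/secrets` path would not work there anyway). Combined with the new `services.openssh.settings.AllowUsers = [ "pipeline" ];`, SSH is now limited to a user whose authorized key is not set in this hunk, so it is worth confirming a key is configured elsewhere before deploying or the host loses remote access. The `sops` and `users.users` attribute sets continue past the hunk boundaries.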


@ -76,7 +76,7 @@ in
openssh = { openssh = {
ports = [ 62 ]; ports = [ 62 ];
settings = { settings = {
AllowUsers = [ "forgejo" ]; AllowUsers = [ "forgejo" ];
}; };
}; };


@ -1,16 +0,0 @@
foo: ENC[AES256_GCM,data:rNll,iv:HkPwTkUQQoCFg249wvtM6426GzU/qbbrlcGsUOy2R4o=,tag:lKuHh4IlNeL6KeG3TrNbwg==,type:str]
sops:
age:
- recipient: age1554v6n9mqc7e38hf6fzzueygy00jlvzrs9p4p5w068jq4xp5f9xskdae7s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHaThvKzVmQ2dtS3FKQjg4
Y3RrS1BlcTBONzNpbStVUXVkSjYwZG5acGtrCm9DT2N4U0MzWnBzUDZNZmI1SnIy
QStmWFRnM0JhWmhKQmxYSW9Veit0Zk0KLS0tIDJQYzh0Y0szdldtZWdQYm9IWUQ0
R1UyWWhBOFJkeFltNkt3bUVMRzhjNWcKekxxKb80omoydKORZzauX3qIup0/7aAw
h8yFK6qDh3on/GOHbVpJ0S9O6H/Zkgh0aRDFjUGNZDHcevubBphfyg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-05T15:32:10Z"
mac: ENC[AES256_GCM,data:qvmntOMwDU1YZ14gaAHoqBJASrhcQ0UkX+tjb7PYAX366vEj90fszEgRSuqIKKQZrZ2OG6BjOlMudy8A6/XFmGiFQXq6Lx7rhddNQ/q8l6jmDPUB6YGgNmOjldpoeYlw8nEymnnnQv2V3Xh2Vt9YsnPxFvRdW9uhmSaNf1qhf88=,iv:d5E+VWy0MCmLjROiB60CYvGjcj1y0KK7/Esk8n+M0Vc=,tag:h+9iGJzHbbdt5Ct0/o6L2w==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.1

secrets/ssh-key.yaml Normal file

@ -0,0 +1,37 @@
pipe-ssh-key: ENC[AES256_GCM,data:hDxyWJZnNWHoeCcduuR28M90q8hX6URn9rK50TiqOLVabQGcDTjATsizLyzbo0/eC6fPUIlM5A3KpwTPxi//eC6Ioyy7Xc0mdPWuSKySfyaYw+Lfg4RpH06LOQ8qUA==,iv:h2SAoJ7q/ov/lctQjZYlL3x/9bLy3p69piUtVcCZTI8=,tag:4Ay0Pv30+C9gLAw6BRHKoA==,type:str]
sops:
age:
- recipient: age14qgh6kzdlrwcvsrwhy75y3qtrkv46rverqxupu7ugwj8xwrm84dsfupg7d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhOXRaWFo1TzRpZnBVZW1K
TUlISGFrN3Q2OWxtenhTRHNNOEs0VmlJMkVzCm9VdGdmMml3ZHJMT1R2ZE5JNzBU
K3g5V0hUR29tQk1qUnRaTDZDS0prVmcKLS0tIGdQTEs3a0FRSUJCZEhONm12K3dW
MEpqQ295WExyT0VIQUI1a2F6SjQ0UjgK7A3I3in1m4y5zWzmNDKUDsBPFba/gDH/
265naa6JQS1Ysb7YIu1Np9ag+dp08KuFgSAnPt5olAXrIJcXh6M0Qg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1f8p9wqgsr9vlzgfqnmt94cnecq7yyugv2cyvf88d4hzfqwyrhc8qywhsgl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRHpicTdxT3dvazJidHE5
ZG1EUGF0QWp6Qm8xKzVqODZXbVVzekgvRUQ4CjVTSGV5TlV5SnhEOE1sRlNoVkk4
bGJaOVdYS0dGZnhYSmYvTGgyTVJBVzAKLS0tIFo3eEVjL3h6bldCclhRNENJTWdK
dWNlMUIxSTkzZ0QxVWJDOGdMMUduZTAKy0CVsA6hGXv/F81fIBcAHn2NW1E63noE
/6V/FouS39Fsnb5zcK3U5FMJTn9VBNEQKHJzj9qrWlbMHo8q/Lor1w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-12T15:20:45Z"
mac: ENC[AES256_GCM,data:xhg1QK2LkkON+qP7o+rqAZRYPISuFlZ5Vhagavqiy+gNolq1ATajvdOJp6JCgHYqOpSSj6lbxs3F/i0py5cWW5jgkTBsfeiLzsm5MY+n0B0AkuNT6N/q9p2N0Btq0yA5Kez9IETRlpXk6ZnzKyOTHPllfHgoo8RBinwBDOf4VAw=,iv:36FzdyX48B8yAzwjWI95aVMYURE0saT75Z06JL6AQG0=,tag:8BVUeyeBu2YKKrG7xA9gZQ==,type:str]
pgp:
- created_at: "2025-06-12T16:02:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzYliWiOOjtYSAQdAgvWR7o5PxnElk0BjNQNhBvLM0PL40tS3G9ok7vosWUEw
RfAed4lOrDaMpY2PqZJfsxgNoLblFzj/N4F9LVxpwhuR2InRCA+5HboUjkRwiMmK
0l4BtFBAOfaTKHUVsst+dH0OWhP7IggrKo9sYFqtvSkswLfQDA7O1iGxa4P/FWdh
HXWKrs92rdJ5F2c0e0fjnVwtpdn2aOLlBTDGXGRNHTRs44mjuKOaimR4dbeIeR20
=30XJ
-----END PGP MESSAGE-----
fp: 644781002BDEA982
unencrypted_suffix: _unencrypted
version: 3.10.2

View file

@ -1,17 +1,26 @@
{ config, lib, pkgs, modulesPath, ... }:
{ {
services = { config,
endlessh = { lib,
enable = true; pkgs,
port = 22; modulesPath,
}; ...
}:
openssh = { {
enable = true; services = {
ports = [ 54222 ]; endlessh = {
settings = { enable = true;
AllowUsers = [ "dev" "root" ]; port = 22;
};
};
}; };
openssh = {
enable = true;
ports = [ 54222 ];
settings = {
AllowUsers = [
"dev"
"root"
];
};
};
};
} }