sops updates

.sops.yaml

@@ -1,5 +1,10 @@
 keys:
-  - &pipeline age1554v6n9mqc7e38hf6fzzueygy00jlvzrs9p4p5w068jq4xp5f9xskdae7s
+  - &aviac-gpg 644781002BDEA982
+  - &michael age14qgh6kzdlrwcvsrwhy75y3qtrkv46rverqxupu7ugwj8xwrm84dsfupg7d 
+  - &pipeline age1f8p9wqgsr9vlzgfqnmt94cnecq7yyugv2cyvf88d4hzfqwyrhc8qywhsgl
 creation_rules:
   - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
-    age: *pipeline
+    age: |
+      age14qgh6kzdlrwcvsrwhy75y3qtrkv46rverqxupu7ugwj8xwrm84dsfupg7d,
+      age1f8p9wqgsr9vlzgfqnmt94cnecq7yyugv2cyvf88d4hzfqwyrhc8qywhsgl
+    pgp: *aviac-gpg

dev_system.nix

@@ -24,15 +24,17 @@ in
   ];
 
   sops = {
-    defaultSopsFile = ./secrets/example.yaml;
+    defaultSopsFile = ./secrets/ssh-key.yaml;
     age = {
-      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25510_key" ];
+      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
       keyFile = "/root/.config/sops/age/keys.txt";
       generateKey = true;
     };
-    # secrets."foo" = {};
+    secrets."pipe-ssh-key" = { };
   };
 
+  services.openssh.settings.AllowUsers = [ "pipeline" ];
+
   users.users = {
     # connection only via ssh key
     pipeline = {
@@ -40,7 +42,6 @@ in
       home = "/home/pipeline";
       description = "User used by forgejo runners to connect to this system";
       extraGroups = [ "docker" ];
-      # openssh.authorizedKeys.keyFiles = [ config.sops.secrets."foo".path ];
     };
   };
 }

git_system.nix

@@ -76,7 +76,7 @@ in
     openssh = {
       ports = [ 62 ];
       settings = {
-          AllowUsers = [ "forgejo" ];
+        AllowUsers = [ "forgejo" ];
       };
     };
 

secrets/example.yaml

@@ -1,16 +0,0 @@
-foo: ENC[AES256_GCM,data:rNll,iv:HkPwTkUQQoCFg249wvtM6426GzU/qbbrlcGsUOy2R4o=,tag:lKuHh4IlNeL6KeG3TrNbwg==,type:str]
-sops:
-    age:
-        - recipient: age1554v6n9mqc7e38hf6fzzueygy00jlvzrs9p4p5w068jq4xp5f9xskdae7s
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHaThvKzVmQ2dtS3FKQjg4
-            Y3RrS1BlcTBONzNpbStVUXVkSjYwZG5acGtrCm9DT2N4U0MzWnBzUDZNZmI1SnIy
-            QStmWFRnM0JhWmhKQmxYSW9Veit0Zk0KLS0tIDJQYzh0Y0szdldtZWdQYm9IWUQ0
-            R1UyWWhBOFJkeFltNkt3bUVMRzhjNWcKekxxKb80omoydKORZzauX3qIup0/7aAw
-            h8yFK6qDh3on/GOHbVpJ0S9O6H/Zkgh0aRDFjUGNZDHcevubBphfyg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-05T15:32:10Z"
-    mac: ENC[AES256_GCM,data:qvmntOMwDU1YZ14gaAHoqBJASrhcQ0UkX+tjb7PYAX366vEj90fszEgRSuqIKKQZrZ2OG6BjOlMudy8A6/XFmGiFQXq6Lx7rhddNQ/q8l6jmDPUB6YGgNmOjldpoeYlw8nEymnnnQv2V3Xh2Vt9YsnPxFvRdW9uhmSaNf1qhf88=,iv:d5E+VWy0MCmLjROiB60CYvGjcj1y0KK7/Esk8n+M0Vc=,tag:h+9iGJzHbbdt5Ct0/o6L2w==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.1

secrets/ssh-key.yaml

@@ -0,0 +1,37 @@
+pipe-ssh-key: ENC[AES256_GCM,data:hDxyWJZnNWHoeCcduuR28M90q8hX6URn9rK50TiqOLVabQGcDTjATsizLyzbo0/eC6fPUIlM5A3KpwTPxi//eC6Ioyy7Xc0mdPWuSKySfyaYw+Lfg4RpH06LOQ8qUA==,iv:h2SAoJ7q/ov/lctQjZYlL3x/9bLy3p69piUtVcCZTI8=,tag:4Ay0Pv30+C9gLAw6BRHKoA==,type:str]
+sops:
+    age:
+        - recipient: age14qgh6kzdlrwcvsrwhy75y3qtrkv46rverqxupu7ugwj8xwrm84dsfupg7d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhOXRaWFo1TzRpZnBVZW1K
+            TUlISGFrN3Q2OWxtenhTRHNNOEs0VmlJMkVzCm9VdGdmMml3ZHJMT1R2ZE5JNzBU
+            K3g5V0hUR29tQk1qUnRaTDZDS0prVmcKLS0tIGdQTEs3a0FRSUJCZEhONm12K3dW
+            MEpqQ295WExyT0VIQUI1a2F6SjQ0UjgK7A3I3in1m4y5zWzmNDKUDsBPFba/gDH/
+            265naa6JQS1Ysb7YIu1Np9ag+dp08KuFgSAnPt5olAXrIJcXh6M0Qg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1f8p9wqgsr9vlzgfqnmt94cnecq7yyugv2cyvf88d4hzfqwyrhc8qywhsgl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRHpicTdxT3dvazJidHE5
+            ZG1EUGF0QWp6Qm8xKzVqODZXbVVzekgvRUQ4CjVTSGV5TlV5SnhEOE1sRlNoVkk4
+            bGJaOVdYS0dGZnhYSmYvTGgyTVJBVzAKLS0tIFo3eEVjL3h6bldCclhRNENJTWdK
+            dWNlMUIxSTkzZ0QxVWJDOGdMMUduZTAKy0CVsA6hGXv/F81fIBcAHn2NW1E63noE
+            /6V/FouS39Fsnb5zcK3U5FMJTn9VBNEQKHJzj9qrWlbMHo8q/Lor1w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-12T15:20:45Z"
+    mac: ENC[AES256_GCM,data:xhg1QK2LkkON+qP7o+rqAZRYPISuFlZ5Vhagavqiy+gNolq1ATajvdOJp6JCgHYqOpSSj6lbxs3F/i0py5cWW5jgkTBsfeiLzsm5MY+n0B0AkuNT6N/q9p2N0Btq0yA5Kez9IETRlpXk6ZnzKyOTHPllfHgoo8RBinwBDOf4VAw=,iv:36FzdyX48B8yAzwjWI95aVMYURE0saT75Z06JL6AQG0=,tag:8BVUeyeBu2YKKrG7xA9gZQ==,type:str]
+    pgp:
+        - created_at: "2025-06-12T16:02:00Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DzYliWiOOjtYSAQdAgvWR7o5PxnElk0BjNQNhBvLM0PL40tS3G9ok7vosWUEw
+            RfAed4lOrDaMpY2PqZJfsxgNoLblFzj/N4F9LVxpwhuR2InRCA+5HboUjkRwiMmK
+            0l4BtFBAOfaTKHUVsst+dH0OWhP7IggrKo9sYFqtvSkswLfQDA7O1iGxa4P/FWdh
+            HXWKrs92rdJ5F2c0e0fjnVwtpdn2aOLlBTDGXGRNHTRs44mjuKOaimR4dbeIeR20
+            =30XJ
+            -----END PGP MESSAGE-----
+          fp: 644781002BDEA982
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

shared/ssh.nix

@@ -1,17 +1,26 @@
-{ config, lib, pkgs, modulesPath, ... }:
 {
-    services = {
-        endlessh = {
-            enable = true;
-            port = 22;
-        };
-
-        openssh = {
-            enable = true;
-            ports = [ 54222 ];
-            settings = {
-                AllowUsers = [ "dev" "root" ];
-            };
-        };
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+{
+  services = {
+    endlessh = {
+      enable = true;
+      port = 22;
     };
+
+    openssh = {
+      enable = true;
+      ports = [ 54222 ];
+      settings = {
+        AllowUsers = [
+          "dev"
+          "root"
+        ];
+      };
+    };
+  };
 }