diff --git a/hosts/chocolatebar/base.nix b/hosts/chocolatebar/base.nix index 76175878..10de4abb 100644 --- a/hosts/chocolatebar/base.nix +++ b/hosts/chocolatebar/base.nix @@ -11,7 +11,7 @@ in ]; config = { - pub-solar.x-os.keyfile = "/etc/nixos/hosts/chocolatebar/secrets/keyfile.bin"; + pub-solar.x-os.keyfile = "keyfile-chocolatebar.bin"; pub-solar.virtualisation.isolateGPU = "rx550x"; diff --git a/modules/devops/default.nix b/modules/devops/default.nix index eadac960..ab81c57f 100644 --- a/modules/devops/default.nix +++ b/modules/devops/default.nix @@ -12,6 +12,7 @@ in config = mkIf cfg.enable { home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] { home.packages = [ + croc drone-cli nmap python38Packages.ansible diff --git a/modules/x-os/boot.nix b/modules/x-os/boot.nix index 5068590e..176d9d4f 100644 --- a/modules/x-os/boot.nix +++ b/modules/x-os/boot.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, self, ... }: let cfg = config.pub-solar.x-os; @@ -17,8 +17,9 @@ with lib; { # Use Keyfile to unlock the root partition to avoid keying in twice. # Allow fstrim to work on it. + age.secrets.luksKeyFile.file = "${self}/secrets/${cfg.keyfile}"; boot.initrd = { - secrets = { "/keyfile.bin" = cfg.keyfile; }; + secrets = { "/keyfile.bin" = "/run/secrets/${cfg.keyfile}"; }; luks.devices."cryptroot" = { keyFile = "/keyfile.bin"; allowDiscards = true; diff --git a/secrets/keyfile-biolimo.bin b/secrets/keyfile-biolimo.bin new file mode 100644 index 00000000..4fb69723 Binary files /dev/null and b/secrets/keyfile-biolimo.bin differ diff --git a/secrets/keyfile-chocolatebar.bin b/secrets/keyfile-chocolatebar.bin new file mode 100644 index 00000000..53bbbf03 Binary files /dev/null and b/secrets/keyfile-chocolatebar.bin differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index bac30e03..38042bb2 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
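Review bot: In the second modules/x-os/boot.nix hunk, the initrd secret source `/run/secrets/${cfg.keyfile}` is built from the file name, while the agenix secret declared one line above it is named `luksKeyFile`. As far as I know agenix places a decrypted secret under its attribute name unless `path` is set, so the two will probably not match. Referencing the option keeps them in sync: `secrets = { "/keyfile.bin" = config.age.secrets.luksKeyFile.path; };`. The decrypted keyfile is then copied into the initrd, so it is only as protected as the partition holding the initrd; a comment stating that an encrypted /boot is assumed (if that is what "avoid keying in twice" implies) would help. The source path presumably exists only after agenix has run on the host, so a first install may have nothing to copy, and the enclosing `config` block continues outside the hunk.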
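Review bot: The diff shows `secrets/keyfile-biolimo.bin` and `secrets/keyfile-chocolatebar.bin` only as new binary files, so it cannot be confirmed from here that they are age ciphertext rather than the raw LUKS keyfiles. The old value `/etc/nixos/hosts/chocolatebar/secrets/keyfile.bin` pointed at a file that is not part of this diff, so these look like the first keyfiles to be committed. Before pushing, check that each file is age-encrypted, and replace the LUKS keyfile on the affected disk if raw key material was ever committed. Naming them `keyfile-<host>.bin.age` would make the encrypted state obvious to the next reader.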
@@ -1,9 +1,38 @@
 let
 # set ssh public keys here for your system and user
- system = "";
- user = "";
- allKeys = [ system user ];
+ bbcom = "ssh-rsa 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 hello@benjaminbaedorf.com";
+
+ biolimo-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZzg8pfVtFonx/IvO2MKG5uVF/sMJAOt1Ifm9Vds2eA root@biolimo";
+ biolimo-user = "ssh-rsa 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 ben@biolimo";
+
+ chocolatebar-host = "";
+ chocolatebar-user = "";
+
+ allKeys = [
+ bbcom
+
+ biolimo-host
+ biolimo-user
+
+ chocolatebar-host
+ chocolatebar-user
+ ];
+
+ biolimoKeys = [
+ bbcom
+
+ biolimo-host
+ biolimo-user
+ ];
+
+ chocolatebarKeys = [
+ bbcom
+
+ chocolatebar-host
+ chocolatebar-user
+ ];
 in
 {
- "secret.age".publicKeys = allKeys;
+ "keyfile-biolimo.bin".publicKeys = biolimoKeys;
+ "keyfile-chocolatebar.bin".publicKeys = biolimoKeys;
 }
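Review bot: The last added line sets `"keyfile-chocolatebar.bin".publicKeys = biolimoKeys;`, so chocolatebar's LUKS keyfile is encrypted to biolimo's host and user keys, while `chocolatebarKeys`, defined just above, is never used. This looks like a copy-paste slip and should read `"keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;`. `chocolatebar-host` and `chocolatebar-user` are still empty strings, so even after that fix only `bbcom` could decrypt the file, and an empty recipient may make agenix reject the entry when editing or rekeying. `allKeys` is no longer referenced in the visible lines and can be dropped unless something outside the hunk uses it.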