ssh: put gpg identity first, use pubkeys

terraform: not-working update
2024-03-19 21:08:43 +01:00 · 2024-03-19 21:00:28 +01:00
10 changed files with 75 additions and 38 deletions
--- a/flake.nix
+++ b/flake.nix
@ -102,7 +102,7 @@
            export TF_BACKEND_GIT_GIT_REF=main
            export TF_BACKEND_GIT_GIT_STATE=b12f.json
            export TF_BACKEND_HTTP_ENCRYPTION_PROVIDER=sops
-            export TF_BACKEND_HTTP_SOPS_PGP_FP=4406E80E13CD656C
+            export TF_BACKEND_HTTP_SOPS_PGP_FP=FC623BBCBD2604D5CC9D90BAE77B0AAAF0D9B76B
            export HOSTINGDE_AUTH_TOKEN=$(secret-tool lookup hosting-de terraform-auth-token)
          '';
        };
--- a/hosts/frikandel/email.nix
+++ b/hosts/frikandel/email.nix
@ -7,8 +7,7 @@
 }: let
  hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
  dkimDNSb12fio = ''
-  default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
-    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
+  default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
  '';
 in {
  age.secrets."b12f.io-dkim-private-rsa" = {
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@ -1,25 +1,25 @@
-# This file is maintained automatically by "terraform init".
+# This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.

-provider "registry.terraform.io/pub-solar/hostingde" {
-  version     = "0.0.5"
-  constraints = ">= 0.0.5"
+provider "registry.opentofu.org/pub-solar/hostingde" {
+  version     = "0.0.8"
+  constraints = ">= 0.0.8"
  hashes = [
-    "h1:PMKw2Yfpe3O2ojZEY0DvzW6K3nM36RlTECOmb9aL0N0=",
-    "zh:0816e2cf0bb6888c8e9b592bcc1ea7c4b790290e1780ddae5f77cf0659fc947e",
-    "zh:1ca89ce18f4b357f11328a792ac56358e42a87306965a433e5af88b5f94eb7f1",
-    "zh:1f3520a551ad5b9cfec2e27f1e4ab63200b753eddd1f6a530c99971c7c6750ff",
-    "zh:301d1cbb1e04e71e5be15f28bd26b33e2509af5725989a2fbba00acfb47a2c2e",
-    "zh:3430af25e31ae611404e731e0b8659911394147b2ff33ea52af00c48d5d85434",
-    "zh:62d4c85ce42c8c75416bb4122b88614c3a1881bacc568e1b7761cbfa6fdfc5cd",
-    "zh:639e356d866470b4c5db8f379799fd9e7e7a09f255af31de617ebfa39f8908df",
-    "zh:79f26737cc17c0ed98bd1f038ac46fa949f50c5b07b08f3d1478a3ec38ebf40b",
-    "zh:7a2b6ed61c95ab804767900b1bc880e83e71a5753b44e76d64494bc70f3a3dc7",
+    "h1:QLtl7oxCYpLqB6MS049/OfOq8OxR8RijRB7P1MDDh/o=",
+    "zh:04e8a62a98b19d680bf2901cbb93459f09bf2ff1ea656b3f5e1aed44f30e4c7b",
+    "zh:2291c5ffb1e66ed106793d632317c2a43f801791d666976a98d778e922b6621d",
+    "zh:40b6400f3839553e0ba36a0df42e6497fdf28a40c7d3613a59484bcfdd38e262",
+    "zh:539bbbbeef0db9b46ecafe52d9aa928443738937f3d81651b0d5a3c8fd040eff",
+    "zh:7b3036c39746981ca7b47374c8be2b79f06c94cd3827f8dac5a79ee262ff3ae2",
    "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
-    "zh:92f6bf661a3db365aa3c9aa038d14e49b4a2184d77b915d34de44d4c7650a6d5",
-    "zh:956223963b90bff579f8891ce1e82ad3736dea76bafc5f8e9505b971f2f1697f",
-    "zh:c12967c9e6e7f56473c4c894d489eb4112f5979939b9cd59633e78482fd71a04",
-    "zh:f440efd67806698cb437824d07e72da7b7efe2e0b13cfe2765f2d62e2c48e433",
-    "zh:ff79c2514fa6849acf337c1ed77892184711df0c393d306b5fe9031be20ca29c",
+    "zh:ab28b68f25704f89944011b947d4c421bcb8280cfb5e70e22729143c43b046bb",
+    "zh:afffa7b0d628fd2d62b1ffa5a897061e4f2935f1a80b544c16c18342c6a7dec8",
+    "zh:ba7190619079ae95f0211e5d99f969a99bcc61422e5e5051f3d8cdea3fb57d79",
+    "zh:c97588679fe227b2dc157b73e49214fa5ff3b8f421723babc83833d8c5eab7e9",
+    "zh:ca3a9e5d393a07954ffad26afb1b3dcf94d9937da177f14cecf33290e8859138",
+    "zh:cfb48d7633bb83e1aa635d40cf12295937f9aae93ab204bd15f345ff4ea2e271",
+    "zh:dfe4c7665639d7cdc223cfd754d2bb9d9e94bacde2bdcbce3617a7a23547f0b7",
+    "zh:e9da820f3c621101bab9aa08b13516598ad66885ec013b09cd7c9ab806956e5e",
+    "zh:fcdd460b08f74a3dd5cf442b687c44e513eb46373ba57dcff0808f5a7da56a5d",
  ]
 }
--- a/terraform/README.md
+++ b/terraform/README.md
@ -1,11 +1,11 @@
 # Usage

 ```
-terraform-backend-git -l git terraform plan
+terraform-backend-git --tf tofu -l git terraform plan
 ```

 ```
-terraform-backend-git -l git terraform apply
+terraform-backend-git --tf tofu -l git terraform apply
 ```

 # FAQ
--- a/terraform/b12f.io.tf
+++ b/terraform/b12f.io.tf
@ -112,7 +112,15 @@ resource "hostingde_record" "b12f-dkim" {
  zone_id = hostingde_zone.b12f.id
  name = "default._domainkey.b12f.io"
  type = "TXT"
-  content = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB"
+  content = "\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB\""
+  ttl = 300
+}
+
+resource "hostingde_record" "b12f-dmarc" {
+  zone_id = hostingde_zone.b12f.id
+  name = "_dmarc.b12f.io"
+  type = "TXT"
+  content = "\"v=DMARC1; p=none;\""
  ttl = 300
 }

--- a/terraform/git_http_backend.auto.tf
+++ b/terraform/git_http_backend.auto.tf
@ -0,0 +1,12 @@
+
+terraform {
+	backend "http" {
+		address = "http://localhost:6061/?type=git&repository=gitea@git.pub.solar:b12f/terraform-state.git&ref=main&state=b12f.json"
+		lock_address = "http://localhost:6061/?type=git&repository=gitea@git.pub.solar:b12f/terraform-state.git&ref=main&state=b12f.json"
+		unlock_address = "http://localhost:6061/?type=git&repository=gitea@git.pub.solar:b12f/terraform-state.git&ref=main&state=b12f.json"
+		skip_cert_verification = false
+		username = ""
+		password = ""
+	}
+}
+		
--- a/terraform/h.net.tf
+++ b/terraform/h.net.tf
@ -60,6 +60,6 @@ resource "hostingde_record" "hz-mta-sts" {
  zone_id = hostingde_zone.hz.id
  name = "mta-sts.${local.domain}"
  type = "CNAME"
-  content = "frikandel.${local.domain}"
+  content = local.domain
  ttl = 300
 }
--- a/terraform/mezza.biz.tf
+++ b/terraform/mezza.biz.tf
@ -0,0 +1,20 @@
+resource "hostingde_zone" "mezza" {
+  name = "mezza.biz"
+  type = "NATIVE"
+}
+
+resource "hostingde_record" "mezza-web" {
+  zone_id = hostingde_zone.mezza.id
+  name = "mezza.biz"
+  type = "CNAME"
+  content = "frikandel.b12f.io"
+  ttl = 300
+}
+
+resource "hostingde_record" "mezza-www" {
+  zone_id = hostingde_zone.mezza.id
+  name = "www.mezza.biz"
+  type = "CNAME"
+  content = "frikandel.b12f.io"
+  ttl = 300
+}
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@ -1,9 +1,10 @@
 terraform {
-  required_version = "~> 1.5.3"
+  required_version = "~> 1.6.1"
+
  required_providers {
    hostingde = {
      source = "pub-solar/hostingde"
-      version = ">=0.0.5"
+      version = ">=0.0.8"
    }
  }
 }
--- a/users/b12f/ssh.nix
+++ b/users/b12f/ssh.nix
@ -31,17 +31,14 @@ in {

    programs.ssh = {
      enable = true;
+      extraConfig = ''
+        IdentitiesOnly yes
+        IdentityFile /home/${psCfg.user.name}/.ssh/id_yubi_gpg.pub
+        IdentityFile /home/${psCfg.user.name}/.ssh/id_ed25519_sk-464.pub
+        IdentityFile /home/${psCfg.user.name}/.ssh/id_ed25519_sk-485.pub
+        IdentityFile /home/${psCfg.user.name}/.ssh/id_nistp256-748.pub
+      '';
      matchBlocks = {
-        "*" = {
-          identitiesOnly = true;
-          identityFile = [
-            "/home/${psCfg.user.name}/.ssh/id_yubi_gpg.pub"
-            "/home/${psCfg.user.name}/.ssh/id_ed25519_sk-464"
-            "/home/${psCfg.user.name}/.ssh/id_ed25519_sk-485"
-            "/home/${psCfg.user.name}/.ssh/id_nistp256-748.pub"
-          ];
-        };
-
        "git.pub.solar" = {
          user = "gitea";
        };
Author	SHA1	Message	Date
Benjamin Yule Bädorf	429a6bf3e5	ssh: put gpg identity first, use pubkeys	2024-03-19 21:08:43 +01:00
Benjamin Yule Bädorf	6fb030837f	terraform: not-working update	2024-03-19 21:00:28 +01:00