feat/wireguard #126

Merged
b12f merged 7 commits from feat/wireguard into main 2024-04-05 11:09:31 +00:00
18 changed files with 267 additions and 64 deletions

View file

@ -39,7 +39,7 @@
imports = [ imports = [
inputs.nixos-flake.flakeModule inputs.nixos-flake.flakeModule
./public-keys ./logins
./lib ./lib
./overlays ./overlays
./modules ./modules
@ -63,6 +63,7 @@
deploy-rs deploy-rs
nixpkgs-fmt nixpkgs-fmt
agenix agenix
age-plugin-yubikey
cachix cachix
editorconfig-checker editorconfig-checker
nodePackages.prettier nodePackages.prettier

View file

@ -7,6 +7,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./configuration.nix ./configuration.nix
./triton-vmtools.nix ./triton-vmtools.nix
./wireguard.nix
./apps/caddy.nix ./apps/caddy.nix

View file

@ -0,0 +1,29 @@
{
config,
pkgs,
flake,
... }:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
age.secrets.wg-private-key.file = "${flake.self}/secrets/nachtigall-wg-private-key.age";
networking.wireguard.interfaces = {
wg-ssh = {
listenPort = 51820;
mtu = 1300;
ips = [
"10.7.6.2/32"
"fd00:fae:fae:fae:fae:2::/96"
];
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [
{
endpoint = "nachtigall.pub.solar:51820";
publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ];
}
];
};
};
}

View file

@ -8,6 +8,7 @@
./configuration.nix ./configuration.nix
./networking.nix ./networking.nix
./wireguard.nix
./backups.nix ./backups.nix
./apps/nginx.nix ./apps/nginx.nix

View file

@ -1,4 +1,8 @@
{ config, pkgs, ... }: {
config,
pkgs,
flake,
... }:
{ {
networking.hostName = "nachtigall"; networking.hostName = "nachtigall";

View file

@ -0,0 +1,29 @@
{
config,
pkgs,
flake,
... }:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
age.secrets.wg-private-key.file = "${flake.self}/secrets/nachtigall-wg-private-key.age";
networking.wireguard.interfaces = {
wg-ssh = {
listenPort = 51820;
mtu = 1300;
ips = [
"10.7.6.1/32"
"fd00:fae:fae:fae:fae:1::/96"
];
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [
{
endpoint = "flora6.pub.solar:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ];
}
];
};
};
}

60
logins/admins.nix Normal file
View file

@ -0,0 +1,60 @@
{
axeman = rec {
sshPubKeys = {
axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
};
secretEncryptionKeys = sshPubKeys;
};
b12f = rec {
sshPubKeys = {
b12f-gpg = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDVbUEOgciblRPOCaCkkwfYoKLjmJ6JKxnfg6MY7sN3W1/N4AsC27bvYPkYI66d4M3Ygi6nztaUrIIKBOPZrQtS0vx1jqosmcDwBMttNI7u4LdSDjGMEGB4zJdfR60HFuzpSNaBI/nKMWcAxr8v1KODy/mKTQ7fnMDN15OhvE7sAZe26B6IptUbG1DLuouezd4AW0OwQ3c6hVIuv5eF96OKrwFZ9XpNyYAashy8WTYqJWJRb71DV8oiqT9b3sN0Dy+7nUAPcLvJdwUDGjHQvnklgFUupKtrPhpRWqgJ41l4ebb1DCxmoL2zpdVohUK4eVC9ELdplvXtK+EJIJ1lKcDAYduYcxk//3+EdUDH0IkfXvz0Tomryu2BeyxURdMPzQh+ctHUWNI49tByx/mWrEqSu+XdgvtcumVg+jNUZKL9eA++xxuOan7H/OyshptLugZHd2e9JNM34NEOUEptq7LtHD5pEdXRV1ZT1IOsuSoDtdX14GeP2GSl21eKLnvSu9g8nGULIsx9hI3CrrlvvL9JU+Aymb4iEvqLhDeUNE643uYQad6P2SuK0kLQ/9Ny0z3y6bgglGn2uDUiAOPd8c+gFRRkMWvAWjWQi3iIR9TYBS4Z+CeYmUv8X2UCRcQPBn1wt69rvE9RcfHqRLZTUE5SpstQ0rXLinXmRA/WQV5Bdw== yubi-gpg";
};
secretEncryptionKeys = {
bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw== hello@benjaminbaedorf.com";
yubi485 = "age1yubikey1qgxuu2x3uzw7k5pg5sp2dv43edhwdz3xuhj7kjqrnw0p8t0l67c5yz9nm6q";
yubi464 = "age1yubikey1qd7szmr9ux2znl4x4hzykkwaru60nr4ufu6kdd88sm7657gjz4x5w0jy4y7";
} // sshPubKeys;
wireguardDevices = [
{ # stroopwafel
publicKey = "NNb7T8Jmn+V2dTZ8T6Fcq7hGomHGDckKoV3kK2oAhSE=";
allowedIPs = [ "10.7.6.200/32" "fd00:fae:fae:fae:fae:200::/96" ];
}
];
};
hensoko = rec {
sshPubKeys = {
hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
};
secretEncryptionKeys = sshPubKeys;
wireguardDevices = [
{ # judy
publicKey = "I+gN7v1VXkAGoSir6L8aebtLbguvy5nAx1QVDTzdckk=";
allowedIPs = [ "10.7.6.202/32" "fd00:fae:fae:fae:fae:202::/96" ];
}
];
};
teutat3s = {
sshPubKeys = {
teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a";
};
secretEncryptionKeys = {
teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
};
wireguardDevices = [
{ # dumpyourvms
publicKey = "3UrVLQrwXnPAVXPiTAd7eM3fZYxnFSYgKAGpNMUwnUk=";
allowedIPs = [ "10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96" ];
}
];
};
}

14
logins/default.nix Normal file
View file

@ -0,0 +1,14 @@
{ lib, ... }: let
admins = import ./admins.nix;
robots = import ./robots.nix;
in {
flake = {
logins = {
admins = lib.lists.foldl (logins: adminConfig: {
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
wireguardDevices = logins.wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else []);
}) { sshPubKeys = []; wireguardDevices = []; } (lib.attrsets.attrValues admins);
robots.sshPubKeys = lib.attrsets.attrValues robots;
};
};
}

View file

@ -10,7 +10,7 @@
# Please create this manually the first time. # Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = flake.self.publicKeys.admins; authorizedKeys = flake.self.logins.admins.sshPubKeys;
}; };
# this will automatically load the zfs password prompt on login # this will automatically load the zfs password prompt on login
# and kill the other prompt so boot can continue # and kill the other prompt so boot can continue

View file

@ -4,12 +4,12 @@
group = flake.self.username; group = flake.self.username;
extraGroups = [ "wheel" "docker" ]; extraGroups = [ "wheel" "docker" ];
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = flake.self.publicKeys.admins; openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
}; };
users.groups.${flake.self.username} = { }; users.groups.${flake.self.username} = { };
# TODO: Remove when we stop locking ourselves out. # TODO: Remove when we stop locking ourselves out.
users.users.root.openssh.authorizedKeys.keys = flake.self.publicKeys.admins; users.users.root.openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
users.users.hakkonaut = { users.users.hakkonaut = {
description = "CI and automation user"; description = "CI and automation user";
@ -19,7 +19,7 @@
uid = 998; uid = 998;
group = "hakkonaut"; group = "hakkonaut";
isSystemUser = true; isSystemUser = true;
openssh.authorizedKeys.keys = flake.self.publicKeys.robots; openssh.authorizedKeys.keys = flake.self.logins.robots.sshPubKeys;
}; };
users.groups.hakkonaut = { }; users.groups.hakkonaut = { };

View file

@ -1,13 +0,0 @@
{
axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
b12f-yubi-backup = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup";
b12f-gpg = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDVbUEOgciblRPOCaCkkwfYoKLjmJ6JKxnfg6MY7sN3W1/N4AsC27bvYPkYI66d4M3Ygi6nztaUrIIKBOPZrQtS0vx1jqosmcDwBMttNI7u4LdSDjGMEGB4zJdfR60HFuzpSNaBI/nKMWcAxr8v1KODy/mKTQ7fnMDN15OhvE7sAZe26B6IptUbG1DLuouezd4AW0OwQ3c6hVIuv5eF96OKrwFZ9XpNyYAashy8WTYqJWJRb71DV8oiqT9b3sN0Dy+7nUAPcLvJdwUDGjHQvnklgFUupKtrPhpRWqgJ41l4ebb1DCxmoL2zpdVohUK4eVC9ELdplvXtK+EJIJ1lKcDAYduYcxk//3+EdUDH0IkfXvz0Tomryu2BeyxURdMPzQh+ctHUWNI49tByx/mWrEqSu+XdgvtcumVg+jNUZKL9eA++xxuOan7H/OyshptLugZHd2e9JNM34NEOUEptq7LtHD5pEdXRV1ZT1IOsuSoDtdX14GeP2GSl21eKLnvSu9g8nGULIsx9hI3CrrlvvL9JU+Aymb4iEvqLhDeUNE643uYQad6P2SuK0kLQ/9Ny0z3y6bgglGn2uDUiAOPd8c+gFRRkMWvAWjWQi3iIR9TYBS4Z+CeYmUv8X2UCRcQPBn1wt69rvE9RcfHqRLZTUE5SpstQ0rXLinXmRA/WQV5Bdw== yubi-gpg";
b12f-464-fido2 = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464";
b12f-485-fido2 = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485";
hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a";
}

View file

@ -0,0 +1 @@
AGE-PLUGIN-YUBIKEY-1HZCCGQVZH5WV7DCL6V837

View file

@ -0,0 +1 @@
AGE-PLUGIN-YUBIKEY-1EKCCGQVZE64TLZCKYUCW7

View file

@ -0,0 +1,42 @@
age-encryption.org/v1
-> ssh-ed25519 Y0ZZaw FvsdIE/inJoLVSosWXATnFbAAVjVuf7jlEC3nSUF6Ug
gX84OKgWdfkGBN+NFy11BxIb4WX1z9UkPA4u2Q1uV+g
-> ssh-ed25519 uYcDNw z5Veza0uVwqCqGCGYzGmXPcyaV9HztEN39cWFbSG7yg
UWZQcDP1vMsYoWwMQlr4YmzWYw2EKm/s5zJVHNf2M0U
-> ssh-rsa f5THog
v1kqiU+cx65mvTNeuAhK65eBEk1vmkABRYgcmFIrdr4eY3pru+FaQTfMhTI9HjcO
OTU0YPxxSadbUCaN6Z3QnTv5qowwOQlEsWK+RMsOZgnyRQHa2SIrhfHz7v+n8BTF
8BYB4UBJpD3aLqM7VED6dYls178HUbiq34ohrG2vY5PHE72xTU60amv9NcJhSJPR
twZPiSp3I14MlJU4bboS1YBaEmgxvbXru0DwuoQLw3OUrH7xOggVoSJxm8lVyjR2
oFYS5wdnrhAIEsJ0lTsO5fvq9Dmie7qoL60rbBbue9lPk1nD1NlUe3akd4IIo36R
kDbthUYluVSJON3o/wenSvJDOw3N3t8bu2+/XfWAd2NL9SPBijMQJtqjK8EAtmz9
OjBMjJGQzVdBxRP9U3CWYIwaqYQfWhXXY4AXTwIMsfmeV8ZHZsId3Y156p0NaKg6
NGb7eX/AWmcdNTp8ZCqlb4QexICrVd7XDkNbPHkYPUOdUhaMyS+T7YU8Qs3YWroP
Bw63QMWbvo1l4HO/3HeIKlzIXTjLEi6PjTiWb7vM4GuoCwjdDg5djMEj4nsvDyea
B9EBTEcoP2oj47wgsX0nfV5bKAQ4y8AN4ZNWb00vjN9ybBbLK3q//1DrEWmddieF
t6FyZXvZH0Gf6y5OO56yRp/vmxvKFcvxqUA3P8bPAnw
-> ssh-rsa kFDS0A
c+0wRUbjzdJiBhdKAVlE8yxt1O3t4oQ438F5HjMPohEXSFLiNFi4Y0JQsw6qn3GP
hySsyIoj9G+cI9FDPjTFPmE7O1SHrd2LqBZGukyswDXX8CpwmZ7vfqfK2lCgKfos
SSPiGaYk+HlQF2QfX/xdgQ2PbFXHnDy8LZ9AfZP04PrnK9wqdiEXwmkWZ/Lu1P+V
Wb/28BYxcfkseAprFr/KSJLoNuD9UphRhQwRklmjADnf0lep3vHccxz1Oo5flu5M
AD47r+0bLGM+w3epCF1GyR4L2lEBaD8pkVOt3/zIdjn8nFZVNJwjshToazvnVEd3
Vd9Uas58AyxcT7Dk/QaVO7c5KJDdfSuxnT1zElkM2ZQM4lEueTJYDBJGyfubb30y
Z7re/MsLOh0jNJbb0r1KOkzwpcdm9iyvi26eaGsX7Q1Gb2pzOYFxD1vSUUC6A6Hp
W5X6fKsiBPreYLf5MV6p9r2YJPdX4SJiq4XztQi1PL+ndq1h8wskxk3Pyvk9fhle
iC5owZ8/FikfC/1oEa2KayeLyYB001BUuktevzfH2GmbqLkR9wBGw5vUJzOO4vOW
o8SVCSUxSrG8S+HQksOSXFWywkdBDhqc8eyRUtb+6iqqMA2Q4GDqktSCB1KeBYD6
OalH6bo4H1ddV8LPMOKcFtjmTPuum43C7bNge2rxhgg
-> piv-p256 vRzPNw A/utfOjPG1zs1Lf2FOWDHhJIJW1PIHmKFqFvBZZycHPn
EfGFh9R0PDgskQg00z6thQ1YozT5ZiBhzNN9iTXWDe4
-> piv-p256 zqq/iw A0RjdOkfYmTlYCwM3aFLdXfBimXMGzVh21A5QxZ217xW
7J9cRYpr1uhQPE0VjvLAwyS7jNSK0+qjA9xUMeRwYos
-> ssh-ed25519 YFSOsg w8ljrS1oRdB9RT8Odi5UOPjEtFL3WBlQUAH9Y7gp3WM
xcrbEm66K6mNrJ9+877YEgWUdxW85YyS1z8CGMyYxeE
-> ssh-ed25519 iHV63A O0bMGpauAYAuiAtbITj+lQOS0LuFl/BDVxIUTly8tQM
0Kiu4sNN0joX5D4eB42oQ/iRSntsJI5JNKOmkQeyLGE
-> ssh-ed25519 BVsyTA k/0Rtr9qbFH7V6DyCRtyqdAHU1b7D7DNGV8pPPJmrnk
dJ29gcfSxaVQ46XbW021PxPotZ8ZG2zjostJme9GUZQ
--- 1V0sJP5JIa9GZ0F0hf1GAFX3LNkPSNsxNhqM9cH7Rgc
|¿‘#ø©mÌæR„Ö5wä­ÎQòÅÐf 1Ü ÑÁZ·MUüèOÃfãÜ:GÓ^<5E>ì•!<21>
G29ƒÙ_B­ìdêÿ

View file

@ -0,0 +1,41 @@
age-encryption.org/v1
-> ssh-ed25519 iDKjwg 1m2Nkhw2R1InZFZrOkzQCoQy4s/kduXyM44yWifllXc
cxz6EWfaIJUjEkXEExFGKPrrl4iXnchkFfMiCpDgnZ8
-> ssh-ed25519 uYcDNw nVtsI77gUtZKmvu6o/jkvh/Ab8KDgRuL7V6MDuFtBnk
P7xVJA1a1ioe2tROajY1uvS1kLGrJW+YrXVf2Z2K2a4
-> ssh-rsa f5THog
rr17rPe7lJ2Zc0nsHhEch7mG7D27lnaMbAJ2Zsn4oHDXFn4cnSw4L/Zf+aZVIpNY
ew2u24yBE5ButBh8t0wm2Di2SBir4cAQob7160Py5ZpqOHBGxACgxhfZm7f/FzLZ
Ue0CUKebJI8KAqkjyayLLzESMECT5buhoJ4+K8U/B6O8NgGPrjS1Xjx1zCAs8tsG
kQz2KsBFnIEH20qmj2ezmijJdkUJbyX2389jCIzZ95wOG0RcUH1+s0aMcuvvLptS
05nSlmOlnwv7M8Jkwg+BC6l6xpoG3zpQDReEBTT3DYMRL3sNPV9eIHcPrWIXlANk
7vqLPxNlu/gHhQSijcPICH0YiDZ3MIJdXtqVHxCFWmXlPAzfkSMwg2k3WT8fMSJ9
ajEM0i6AIjaNAeY6cY87kGmfSjwRTSEbDSkC0B5VV1h2CZJDot7+9eZQ1HcwnP3j
iLTijtB+dMAzpnQ8kA9bGnuOurTB3Jy+JxwejO21J1/rxBA+P0nATufnk5olhTKS
vqkor0rxkV379SMpHLpbg4IbwdIjp+77GDJkofcAxZI8tmU2IF19dC1UsDfz15N/
b984i7PpJ115U2oSbwBZ8WThx1i8I47/mabTU32IXvhfdsp9QmBoBIqUqdgHsU43
LSBHRHiMy+3BfNA0M52oWEThtScOeqzwo3oSBCTM3xI
-> ssh-rsa kFDS0A
fgw9rO7pT7MLo1nNvZ05Ry+Gyjb27Trc5kZ7KYYya1BpCKjLnYwOaaoLtoHkGnuz
bPJ4ouyMsWUiPpT/SZ5/uNHlSDS9dNF0RTzCAqSi31CwY5KFTfStzsOKeUvxCcGp
Z9uyOEr1sOl1+gORWphrHmllSrXFAHHgOorLrtACkrQMxn678Wko13CFvDhtkl+l
sqi+l+B5ffeJsaHmCLmrROGzWrCnT/1zwJV5KMF0HjBSOi+Fl+HxA9s6UCEHxTy/
H8GvOooDGczgjg06yI2Puzo+DvhE/XOeFOoM/cLdGPnq/R8Mo4r4BDeBnQqbbBCI
4LV0Ybz0jVpAHHCu5kAxIzc68d1mwmxYPW4pxMVDGaZKGoBnA9jkHA0DD0TKe62D
ZBWtKAZb3gD4yDZfcbZABuXFszmFzKRmoE8YLmZDw0GwLu/It+ZtL9cxUZ+YmknP
ZhBcy1NTlPhXlJdZBWImK8KKluf03BjBIAFm+ZGT1FiCnZft5SZFDf7PGq+PvRwT
wk6UMeBiVbJvpVtjthHbur5FxXG+ly9wa9Y5bP3K2VnJkVcVt6NhkJ6Hg+g2FIZ4
gzq+5azkX+7nSNr0dSR1Phk4j+6aahRc2Gb7SiMqo6nwKuWBL6SQRDuKwP1PaPvm
aGfsduWhKZQM5ZeXBYkdgQqLgx4oAgbI2SujRaJlykE
-> piv-p256 vRzPNw A77uRo1hsdtaU8Fze62NI3AocU7srSmd5A7y1PbUVEyQ
LgD5sj6ZGGYiDausGO5lxERV71MFkZltzP3W4JIK59M
-> piv-p256 zqq/iw A7rWVvgXoLOrF3w8wyR27/fGAPxeknuBMVF1yeNceSkN
qAe7DwmCiFz72fy0Ica3SWZYNyvlsE1M/Odma5FKlyI
-> ssh-ed25519 YFSOsg Hld4L4nxmssu+4vwIEE4Q13Xapfn38R42+MdT3c5Jyg
gW3YzRgpc8SKyTp6o4BqmqFurr+lak+hKvYLFGdm2s8
-> ssh-ed25519 iHV63A ODXmcURhm3oMgB5t4kigz1LoXMl0IqG7zUUog0FXRDw
pa37B1B4FFTrh4UHDh2O4VBSQyxlaozHDNR8PCQ+gis
-> ssh-ed25519 BVsyTA 1dkpnnRlhnqueC91EW7xn/q4MUUvleN23KyiTJM1ZlI
QvpM4QaFx4ey3EZ8TNnbJjdeIgR5Nfbugw3X2Xv27wY
--- dHSohj4s4bp6X8I2em011HuWwNNIDis6h4e/44CnTIU
€Ð·^Pvî ^4YYpµä'äå}Xób½q5°½âW¦ ˜nvîß°B=í÷³¿ƒÐ÷*Å%Ñþ<C3BE>Ù¡n ãÕi˜ÖÔT²]

View file

@ -1,21 +1,10 @@
let let
# set ssh public keys here for your system and user admins = import ../logins/admins.nix;
axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
b12f-bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw== hello@benjaminbaedorf.com";
hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall"; nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";
flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6"; flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6";
baseKeys = [ adminKeys = builtins.foldl' (keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)) [] (builtins.attrValues admins);
axeman-1
b12f-bbcom
hensoko-1
hensoko-2
teutat3s-1
];
nachtigallKeys = [ nachtigallKeys = [
nachtigall-host nachtigall-host
@ -27,48 +16,51 @@ let
in in
{ {
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall
"nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ baseKeys; "nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ baseKeys; "nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ baseKeys; "flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys;
"mastodon-vapid-private-key.age".publicKeys = nachtigallKeys ++ baseKeys;
"mastodon-vapid-public-key.age".publicKeys = nachtigallKeys ++ baseKeys;
"mastodon-smtp-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
"keycloak-database-password.age".publicKeys = nachtigallKeys ++ baseKeys; "mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-vapid-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-vapid-public-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-smtp-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
"forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ baseKeys; "keycloak-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"forgejo-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys; "forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ adminKeys;
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys; "forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys; "forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys; "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys; "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"searx-environment.age".publicKeys = nachtigallKeys ++ baseKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;
"restic-repo-droppie.age".publicKeys = nachtigallKeys ++ baseKeys; "searx-environment.age".publicKeys = nachtigallKeys ++ adminKeys;
"restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ baseKeys;
"drone-db-secrets.age".publicKeys = flora6Keys ++ baseKeys; "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys;
"drone-secrets.age".publicKeys = flora6Keys ++ baseKeys; "restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ adminKeys;
"mediawiki-database-password.age".publicKeys = nachtigallKeys ++ baseKeys; "drone-db-secrets.age".publicKeys = flora6Keys ++ adminKeys;
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys; "drone-secrets.age".publicKeys = flora6Keys ++ adminKeys;
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ baseKeys; "mediawiki-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"grafana-admin-password.age".publicKeys = flora6Keys ++ baseKeys; "coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ baseKeys;
"grafana-smtp-password.age".publicKeys = flora6Keys ++ baseKeys;
"nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ baseKeys; "grafana-admin-password.age".publicKeys = flora6Keys ++ adminKeys;
"nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ baseKeys; "grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ adminKeys;
"grafana-smtp-password.age".publicKeys = flora6Keys ++ adminKeys;
"nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys;
"nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ adminKeys;
} }