feat/wireguard #126
@ -39,7 +39,7 @@
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
inputs.nixos-flake.flakeModule
|
inputs.nixos-flake.flakeModule
|
||||||
./public-keys
|
./logins
|
||||||
./lib
|
./lib
|
||||||
./overlays
|
./overlays
|
||||||
./modules
|
./modules
|
||||||
|
@ -63,6 +63,7 @@
|
||||||
deploy-rs
|
deploy-rs
|
||||||
nixpkgs-fmt
|
nixpkgs-fmt
|
||||||
agenix
|
agenix
|
||||||
|
age-plugin-yubikey
|
||||||
cachix
|
cachix
|
||||||
editorconfig-checker
|
editorconfig-checker
|
||||||
nodePackages.prettier
|
nodePackages.prettier
|
||||||
|
|
|
@ -7,6 +7,7 @@
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./configuration.nix
|
./configuration.nix
|
||||||
./triton-vmtools.nix
|
./triton-vmtools.nix
|
||||||
|
./wireguard.nix
|
||||||
|
|
||||||
./apps/caddy.nix
|
./apps/caddy.nix
|
||||||
|
|
||||||
|
|
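--- /dev/null
+++ b/hosts/flora-6/wireguard.nix
@@ -0,0 +1,29 @@
+{
+config,
+pkgs,
+flake,
+... }:
+{
+networking.firewall.allowedUDPPorts = [ 51820 ];
+
+age.secrets.wg-private-key.file = "${flake.self}/secrets/nachtigall-wg-private-key.age";
+
+networking.wireguard.interfaces = {
+wg-ssh = {
+listenPort = 51820;
+mtu = 1300;
+ips = [
+"10.7.6.2/32"
+"fd00:fae:fae:fae:fae:2::/96"
+];
+privateKeyFile = config.age.secrets.wg-private-key.path;
+peers = flake.self.logins.admins.wireguardDevices ++ [
+{
+endpoint = "nachtigall.pub.solar:51820";
+publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
+allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ];
+}
+];
+};
+};
+}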
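Review bot: `age.secrets.wg-private-key.file` on flora-6 points at `secrets/nachtigall-wg-private-key.age`, but secrets.nix in this same PR encrypts that file to `nachtigallKeys ++ adminKeys` and adds a separate `flora6-wg-private-key.age` for `flora6Keys ++ adminKeys`, so flora-6 cannot decrypt the referenced secret at activation, and if it could, both hosts would run on one WireGuard identity and nachtigall's peer entry for `jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=` would never match. The line should read `age.secrets.wg-private-key.file = "${flake.self}/secrets/flora6-wg-private-key.age";`. Separately, the interface is named `wg-ssh`, yet nothing in this PR binds sshd to the tunnel addresses or limits port 22 to that interface, so if the intent is SSH only over WireGuard that restriction still has to follow; the same holds for hosts/nachtigall/wireguard.nix.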
@ -8,6 +8,7 @@
|
||||||
./configuration.nix
|
./configuration.nix
|
||||||
|
|
||||||
./networking.nix
|
./networking.nix
|
||||||
|
./wireguard.nix
|
||||||
./backups.nix
|
./backups.nix
|
||||||
./apps/nginx.nix
|
./apps/nginx.nix
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,8 @@
|
||||||
{ config, pkgs, ... }:
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
flake,
|
||||||
|
... }:
|
||||||
{
|
{
|
||||||
|
|
||||||
networking.hostName = "nachtigall";
|
networking.hostName = "nachtigall";
|
||||||
|
|
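--- /dev/null
+++ b/hosts/nachtigall/wireguard.nix
@@ -0,0 +1,29 @@
+{
+config,
+pkgs,
+flake,
+... }:
+{
+networking.firewall.allowedUDPPorts = [ 51820 ];
+
+age.secrets.wg-private-key.file = "${flake.self}/secrets/nachtigall-wg-private-key.age";
+
+networking.wireguard.interfaces = {
+wg-ssh = {
+listenPort = 51820;
+mtu = 1300;
+ips = [
+"10.7.6.1/32"
+"fd00:fae:fae:fae:fae:1::/96"
+];
+privateKeyFile = config.age.secrets.wg-private-key.path;
+peers = flake.self.logins.admins.wireguardDevices ++ [
+{
+endpoint = "flora6.pub.solar:51820";
+publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ];
+}
+];
+};
+};
+}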
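Review bot: This file is a line-for-line copy of hosts/flora-6/wireguard.nix except for the address pair, the peer block and the secret file name, which is exactly the shape of duplication where one side silently drifts from the other. A small shared module taking the local `ips`, the remote `endpoint`/`publicKey`/`allowedIPs` and the secret file as arguments, with `listenPort`, `mtu`, the firewall rule and the `flake.self.logins.admins.wireguardDevices` peer list in the common part, would keep both hosts symmetric by construction. `pkgs` is bound in the argument set but not used anywhere in the file, here and in the flora-6 counterpart.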
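--- /dev/null
+++ b/logins/admins.nix
@@ -0,0 +1,60 @@
+{
+axeman = rec {
+sshPubKeys = {
+axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
+};
+
+secretEncryptionKeys = sshPubKeys;
+};
+
+b12f = rec {
+sshPubKeys = {
+b12f-gpg = "ssh-rsa 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 yubi-gpg";
+};
+
+secretEncryptionKeys = {
+bbcom = "ssh-rsa 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 hello@benjaminbaedorf.com";
+yubi485 = "age1yubikey1qgxuu2x3uzw7k5pg5sp2dv43edhwdz3xuhj7kjqrnw0p8t0l67c5yz9nm6q";
+yubi464 = "age1yubikey1qd7szmr9ux2znl4x4hzykkwaru60nr4ufu6kdd88sm7657gjz4x5w0jy4y7";
+} // sshPubKeys;
+
+wireguardDevices = [
+{ # stroopwafel
+publicKey = "NNb7T8Jmn+V2dTZ8T6Fcq7hGomHGDckKoV3kK2oAhSE=";
+allowedIPs = [ "10.7.6.200/32" "fd00:fae:fae:fae:fae:200::/96" ];
+}
+];
+};
+
+hensoko = rec {
+sshPubKeys = {
+hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
+hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
+};
+
+secretEncryptionKeys = sshPubKeys;
+wireguardDevices = [
+{ # judy
+publicKey = "I+gN7v1VXkAGoSir6L8aebtLbguvy5nAx1QVDTzdckk=";
+allowedIPs = [ "10.7.6.202/32" "fd00:fae:fae:fae:fae:202::/96" ];
+}
+];
+};
+
+teutat3s = {
+sshPubKeys = {
+teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a";
+};
+
+secretEncryptionKeys = {
+teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
+};
+
+wireguardDevices = [
+{ # dumpyourvms
+publicKey = "3UrVLQrwXnPAVXPiTAd7eM3fZYxnFSYgKAGpNMUwnUk=";
+allowedIPs = [ "10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96" ];
+}
+];
+};
+}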
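Review bot: `b12f.sshPubKeys` carries only `b12f-gpg`, whereas the 13-line `public-keys` set deleted elsewhere in this PR also listed `b12f-yubi-backup`, `b12f-464-fido2` and `b12f-485-fido2`; since `logins.admins.sshPubKeys` now feeds the initrd `authorizedKeys`, the admin user account and root's `authorizedKeys.keys`, those three keys lose login access everywhere at once. If that is deliberate, a one-line comment such as `# fido2/backup keys intentionally not used for login` above the block would stop the next reader from treating it as an omission; if not, they belong back under `sshPubKeys`. The `# stroopwafel`, `# judy` and `# dumpyourvms` comments are the only record of which device owns which `publicKey`/`allowedIPs` pair — a header comment on the file stating that each entry needs its own unique address pair would help whoever adds the next device.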
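--- /dev/null
+++ b/logins/default.nix
@@ -0,0 +1,14 @@
+{ lib, ... }: let
+admins = import ./admins.nix;
+robots = import ./robots.nix;
+in {
+flake = {
+logins = {
+admins = lib.lists.foldl (logins: adminConfig: {
+sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
+wireguardDevices = logins.wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else []);
+}) { sshPubKeys = []; wireguardDevices = []; } (lib.attrsets.attrValues admins);
+robots.sshPubKeys = lib.attrsets.attrValues robots;
+};
+};
+}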
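Review bot: `lib.lists.foldl` is the lazy fold; for plain list accumulation the strict `lib.foldl'` (same argument order) is the conventional choice and matches the `builtins.foldl'` this PR uses for `adminKeys` in secrets.nix. The `if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else []` expression can be written as `adminConfig.wireguardDevices or []`. Note also that `secretEncryptionKeys` is not aggregated into `flake.logins` here, which is why secrets.nix imports ./admins.nix directly — a short comment at the top of this file stating that split would keep the two consumers in sync.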
@ -10,7 +10,7 @@
|
||||||
|
|
||||||
# Please create this manually the first time.
|
# Please create this manually the first time.
|
||||||
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
||||||
authorizedKeys = flake.self.publicKeys.admins;
|
authorizedKeys = flake.self.logins.admins.sshPubKeys;
|
||||||
};
|
};
|
||||||
# this will automatically load the zfs password prompt on login
|
# this will automatically load the zfs password prompt on login
|
||||||
# and kill the other prompt so boot can continue
|
# and kill the other prompt so boot can continue
|
||||||
|
|
|
@ -4,12 +4,12 @@
|
||||||
group = flake.self.username;
|
group = flake.self.username;
|
||||||
extraGroups = [ "wheel" "docker" ];
|
extraGroups = [ "wheel" "docker" ];
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
|
openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
|
||||||
};
|
};
|
||||||
users.groups.${flake.self.username} = { };
|
users.groups.${flake.self.username} = { };
|
||||||
|
|
||||||
# TODO: Remove when we stop locking ourselves out.
|
# TODO: Remove when we stop locking ourselves out.
|
||||||
users.users.root.openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
|
users.users.root.openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
|
||||||
|
|
||||||
users.users.hakkonaut = {
|
users.users.hakkonaut = {
|
||||||
description = "CI and automation user";
|
description = "CI and automation user";
|
||||||
|
@ -19,7 +19,7 @@
|
||||||
uid = 998;
|
uid = 998;
|
||||||
group = "hakkonaut";
|
group = "hakkonaut";
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
openssh.authorizedKeys.keys = flake.self.publicKeys.robots;
|
openssh.authorizedKeys.keys = flake.self.logins.robots.sshPubKeys;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.hakkonaut = { };
|
users.groups.hakkonaut = { };
|
||||||
|
|
|
@ -1,13 +0,0 @@
|
||||||
{
|
|
||||||
axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
|
|
||||||
|
|
||||||
b12f-yubi-backup = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup";
|
|
||||||
b12f-gpg = "ssh-rsa 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 yubi-gpg";
|
|
||||||
b12f-464-fido2 = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464";
|
|
||||||
b12f-485-fido2 = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485";
|
|
||||||
|
|
||||||
hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
|
|
||||||
hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
|
|
||||||
teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a";
|
|
||||||
|
|
||||||
}
|
|
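--- /dev/null
+++ b/secrets/age-yubikey-464-identity.txt
@@ -0,0 +1 @@
+AGE-PLUGIN-YUBIKEY-1HZCCGQVZH5WV7DCL6V837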
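--- /dev/null
+++ b/secrets/age-yubikey-485-identity.txt
@@ -0,0 +1 @@
+AGE-PLUGIN-YUBIKEY-1EKCCGQVZE64TLZCKYUCW7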
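--- /dev/null
+++ b/secrets/flora6-wg-private-key.age
+age-encryption.org/v1
+-> ssh-ed25519 Y0ZZaw FvsdIE/inJoLVSosWXATnFbAAVjVuf7jlEC3nSUF6Ug
+gX84OKgWdfkGBN+NFy11BxIb4WX1z9UkPA4u2Q1uV+g
+-> ssh-ed25519 uYcDNw z5Veza0uVwqCqGCGYzGmXPcyaV9HztEN39cWFbSG7yg
+UWZQcDP1vMsYoWwMQlr4YmzWYw2EKm/s5zJVHNf2M0U
+-> ssh-rsa f5THog
+v1kqiU+cx65mvTNeuAhK65eBEk1vmkABRYgcmFIrdr4eY3pru+FaQTfMhTI9HjcO
+OTU0YPxxSadbUCaN6Z3QnTv5qowwOQlEsWK+RMsOZgnyRQHa2SIrhfHz7v+n8BTF
+8BYB4UBJpD3aLqM7VED6dYls178HUbiq34ohrG2vY5PHE72xTU60amv9NcJhSJPR
+twZPiSp3I14MlJU4bboS1YBaEmgxvbXru0DwuoQLw3OUrH7xOggVoSJxm8lVyjR2
+oFYS5wdnrhAIEsJ0lTsO5fvq9Dmie7qoL60rbBbue9lPk1nD1NlUe3akd4IIo36R
+kDbthUYluVSJON3o/wenSvJDOw3N3t8bu2+/XfWAd2NL9SPBijMQJtqjK8EAtmz9
+OjBMjJGQzVdBxRP9U3CWYIwaqYQfWhXXY4AXTwIMsfmeV8ZHZsId3Y156p0NaKg6
+NGb7eX/AWmcdNTp8ZCqlb4QexICrVd7XDkNbPHkYPUOdUhaMyS+T7YU8Qs3YWroP
+Bw63QMWbvo1l4HO/3HeIKlzIXTjLEi6PjTiWb7vM4GuoCwjdDg5djMEj4nsvDyea
+B9EBTEcoP2oj47wgsX0nfV5bKAQ4y8AN4ZNWb00vjN9ybBbLK3q//1DrEWmddieF
+t6FyZXvZH0Gf6y5OO56yRp/vmxvKFcvxqUA3P8bPAnw
+-> ssh-rsa kFDS0A
+c+0wRUbjzdJiBhdKAVlE8yxt1O3t4oQ438F5HjMPohEXSFLiNFi4Y0JQsw6qn3GP
+hySsyIoj9G+cI9FDPjTFPmE7O1SHrd2LqBZGukyswDXX8CpwmZ7vfqfK2lCgKfos
+SSPiGaYk+HlQF2QfX/xdgQ2PbFXHnDy8LZ9AfZP04PrnK9wqdiEXwmkWZ/Lu1P+V
+Wb/28BYxcfkseAprFr/KSJLoNuD9UphRhQwRklmjADnf0lep3vHccxz1Oo5flu5M
+AD47r+0bLGM+w3epCF1GyR4L2lEBaD8pkVOt3/zIdjn8nFZVNJwjshToazvnVEd3
+Vd9Uas58AyxcT7Dk/QaVO7c5KJDdfSuxnT1zElkM2ZQM4lEueTJYDBJGyfubb30y
+Z7re/MsLOh0jNJbb0r1KOkzwpcdm9iyvi26eaGsX7Q1Gb2pzOYFxD1vSUUC6A6Hp
+W5X6fKsiBPreYLf5MV6p9r2YJPdX4SJiq4XztQi1PL+ndq1h8wskxk3Pyvk9fhle
+iC5owZ8/FikfC/1oEa2KayeLyYB001BUuktevzfH2GmbqLkR9wBGw5vUJzOO4vOW
+o8SVCSUxSrG8S+HQksOSXFWywkdBDhqc8eyRUtb+6iqqMA2Q4GDqktSCB1KeBYD6
+OalH6bo4H1ddV8LPMOKcFtjmTPuum43C7bNge2rxhgg
+-> piv-p256 vRzPNw A/utfOjPG1zs1Lf2FOWDHhJIJW1PIHmKFqFvBZZycHPn
+EfGFh9R0PDgskQg00z6thQ1YozT5ZiBhzNN9iTXWDe4
+-> piv-p256 zqq/iw A0RjdOkfYmTlYCwM3aFLdXfBimXMGzVh21A5QxZ217xW
+7J9cRYpr1uhQPE0VjvLAwyS7jNSK0+qjA9xUMeRwYos
+-> ssh-ed25519 YFSOsg w8ljrS1oRdB9RT8Odi5UOPjEtFL3WBlQUAH9Y7gp3WM
+xcrbEm66K6mNrJ9+877YEgWUdxW85YyS1z8CGMyYxeE
+-> ssh-ed25519 iHV63A O0bMGpauAYAuiAtbITj+lQOS0LuFl/BDVxIUTly8tQM
+0Kiu4sNN0joX5D4eB42oQ/iRSntsJI5JNKOmkQeyLGE
+-> ssh-ed25519 BVsyTA k/0Rtr9qbFH7V6DyCRtyqdAHU1b7D7DNGV8pPPJmrnk
+dJ29gcfSxaVQ46XbW021PxPotZ8ZG2zjostJme9GUZQ
+--- 1V0sJP5JIa9GZ0F0hf1GAFX3LNkPSNsxNhqM9cH7Rgc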
|
|¿‘#ø©mÌæR„Ö5wäÎQòÅÐf1Ü
ÑÁZ·MUüèOÃfãÜ:GÓ^<5E>ì•!<21>
|
||||||
|
gÐG29wíƒÙ_B‘ìdêÿ
|
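--- /dev/null
+++ b/secrets/nachtigall-wg-private-key.age
+age-encryption.org/v1
+-> ssh-ed25519 iDKjwg 1m2Nkhw2R1InZFZrOkzQCoQy4s/kduXyM44yWifllXc
+cxz6EWfaIJUjEkXEExFGKPrrl4iXnchkFfMiCpDgnZ8
+-> ssh-ed25519 uYcDNw nVtsI77gUtZKmvu6o/jkvh/Ab8KDgRuL7V6MDuFtBnk
+P7xVJA1a1ioe2tROajY1uvS1kLGrJW+YrXVf2Z2K2a4
+-> ssh-rsa f5THog
+rr17rPe7lJ2Zc0nsHhEch7mG7D27lnaMbAJ2Zsn4oHDXFn4cnSw4L/Zf+aZVIpNY
+ew2u24yBE5ButBh8t0wm2Di2SBir4cAQob7160Py5ZpqOHBGxACgxhfZm7f/FzLZ
+Ue0CUKebJI8KAqkjyayLLzESMECT5buhoJ4+K8U/B6O8NgGPrjS1Xjx1zCAs8tsG
+kQz2KsBFnIEH20qmj2ezmijJdkUJbyX2389jCIzZ95wOG0RcUH1+s0aMcuvvLptS
+05nSlmOlnwv7M8Jkwg+BC6l6xpoG3zpQDReEBTT3DYMRL3sNPV9eIHcPrWIXlANk
+7vqLPxNlu/gHhQSijcPICH0YiDZ3MIJdXtqVHxCFWmXlPAzfkSMwg2k3WT8fMSJ9
+ajEM0i6AIjaNAeY6cY87kGmfSjwRTSEbDSkC0B5VV1h2CZJDot7+9eZQ1HcwnP3j
+iLTijtB+dMAzpnQ8kA9bGnuOurTB3Jy+JxwejO21J1/rxBA+P0nATufnk5olhTKS
+vqkor0rxkV379SMpHLpbg4IbwdIjp+77GDJkofcAxZI8tmU2IF19dC1UsDfz15N/
+b984i7PpJ115U2oSbwBZ8WThx1i8I47/mabTU32IXvhfdsp9QmBoBIqUqdgHsU43
+LSBHRHiMy+3BfNA0M52oWEThtScOeqzwo3oSBCTM3xI
+-> ssh-rsa kFDS0A
+fgw9rO7pT7MLo1nNvZ05Ry+Gyjb27Trc5kZ7KYYya1BpCKjLnYwOaaoLtoHkGnuz
+bPJ4ouyMsWUiPpT/SZ5/uNHlSDS9dNF0RTzCAqSi31CwY5KFTfStzsOKeUvxCcGp
+Z9uyOEr1sOl1+gORWphrHmllSrXFAHHgOorLrtACkrQMxn678Wko13CFvDhtkl+l
+sqi+l+B5ffeJsaHmCLmrROGzWrCnT/1zwJV5KMF0HjBSOi+Fl+HxA9s6UCEHxTy/
+H8GvOooDGczgjg06yI2Puzo+DvhE/XOeFOoM/cLdGPnq/R8Mo4r4BDeBnQqbbBCI
+4LV0Ybz0jVpAHHCu5kAxIzc68d1mwmxYPW4pxMVDGaZKGoBnA9jkHA0DD0TKe62D
+ZBWtKAZb3gD4yDZfcbZABuXFszmFzKRmoE8YLmZDw0GwLu/It+ZtL9cxUZ+YmknP
+ZhBcy1NTlPhXlJdZBWImK8KKluf03BjBIAFm+ZGT1FiCnZft5SZFDf7PGq+PvRwT
+wk6UMeBiVbJvpVtjthHbur5FxXG+ly9wa9Y5bP3K2VnJkVcVt6NhkJ6Hg+g2FIZ4
+gzq+5azkX+7nSNr0dSR1Phk4j+6aahRc2Gb7SiMqo6nwKuWBL6SQRDuKwP1PaPvm
+aGfsduWhKZQM5ZeXBYkdgQqLgx4oAgbI2SujRaJlykE
+-> piv-p256 vRzPNw A77uRo1hsdtaU8Fze62NI3AocU7srSmd5A7y1PbUVEyQ
+LgD5sj6ZGGYiDausGO5lxERV71MFkZltzP3W4JIK59M
+-> piv-p256 zqq/iw A7rWVvgXoLOrF3w8wyR27/fGAPxeknuBMVF1yeNceSkN
+qAe7DwmCiFz72fy0Ica3SWZYNyvlsE1M/Odma5FKlyI
+-> ssh-ed25519 YFSOsg Hld4L4nxmssu+4vwIEE4Q13Xapfn38R42+MdT3c5Jyg
+gW3YzRgpc8SKyTp6o4BqmqFurr+lak+hKvYLFGdm2s8
+-> ssh-ed25519 iHV63A ODXmcURhm3oMgB5t4kigz1LoXMl0IqG7zUUog0FXRDw
+pa37B1B4FFTrh4UHDh2O4VBSQyxlaozHDNR8PCQ+gis
+-> ssh-ed25519 BVsyTA 1dkpnnRlhnqueC91EW7xn/q4MUUvleN23KyiTJM1ZlI
+QvpM4QaFx4ey3EZ8TNnbJjdeIgR5Nfbugw3X2Xv27wY
+--- dHSohj4s4bp6X8I2em011HuWwNNIDis6h4e/44CnTIU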
|
€Ð·^Pvî
^4YYpµä'äå}Xób½q5°½âW¦ ˜nv‹îß°B=í÷³¿ƒÐ÷*Å%Ñþ‹<C3BE>Ù¡nãÕi˜ÖÔT²]
|
|
@ -1,21 +1,10 @@
|
||||||
let
|
let
|
||||||
# set ssh public keys here for your system and user
|
admins = import ../logins/admins.nix;
|
||||||
axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
|
|
||||||
b12f-bbcom = "ssh-rsa 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 hello@benjaminbaedorf.com";
|
|
||||||
hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
|
|
||||||
hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
|
|
||||||
teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
|
|
||||||
|
|
||||||
nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";
|
nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";
|
||||||
flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6";
|
flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6";
|
||||||
|
|
||||||
baseKeys = [
|
adminKeys = builtins.foldl' (keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)) [] (builtins.attrValues admins);
|
||||||
axeman-1
|
|
||||||
b12f-bbcom
|
|
||||||
hensoko-1
|
|
||||||
hensoko-2
|
|
||||||
teutat3s-1
|
|
||||||
];
|
|
||||||
|
|
||||||
nachtigallKeys = [
|
nachtigallKeys = [
|
||||||
nachtigall-host
|
nachtigall-host
|
||||||
|
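Review bot: The removed comment `# set ssh public keys here for your system and user` has no replacement, so the `let` block no longer says where admin keys come from or that this file is not the place to add them; suggest `# admin keys are maintained in logins/admins.nix (secretEncryptionKeys); add new admins there` above `admins = import ../logins/admins.nix;`. `adminKeys` folds only `secretEncryptionKeys`, which is the right recipient set for agenix but is a different list from the `logins.admins.sshPubKeys` this PR wires into sshd, and a one-line note stating that distinction would stop someone appending an SSH-only key to the recipients. `flora6Keys`, used by the new `flora6-wg-private-key.age` entry in the next hunk, is defined between the two hunks and is not visible here.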
@ -27,48 +16,51 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall
|
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall
|
||||||
"nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
|
||||||
"mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys;
|
||||||
"mastodon-vapid-private-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
|
||||||
"mastodon-vapid-public-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
|
||||||
"mastodon-smtp-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
|
||||||
"mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
|
|
||||||
|
|
||||||
"keycloak-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
"mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
"mastodon-vapid-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
"mastodon-vapid-public-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
"mastodon-smtp-password.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
"mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
|
||||||
"forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ baseKeys;
|
"keycloak-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"forgejo-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
|
||||||
"forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
|
||||||
|
|
||||||
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ adminKeys;
|
||||||
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
|
|
||||||
|
|
||||||
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
|
||||||
"searx-environment.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
|
||||||
"restic-repo-droppie.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"searx-environment.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ baseKeys;
|
|
||||||
|
|
||||||
"drone-db-secrets.age".publicKeys = flora6Keys ++ baseKeys;
|
"restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"drone-secrets.age".publicKeys = flora6Keys ++ baseKeys;
|
"restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
|
||||||
"mediawiki-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"drone-db-secrets.age".publicKeys = flora6Keys ++ adminKeys;
|
||||||
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"drone-secrets.age".publicKeys = flora6Keys ++ adminKeys;
|
||||||
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
|
|
||||||
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
|
||||||
|
|
||||||
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"mediawiki-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
|
||||||
"grafana-admin-password.age".publicKeys = flora6Keys ++ baseKeys;
|
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
"grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ baseKeys;
|
|
||||||
"grafana-smtp-password.age".publicKeys = flora6Keys ++ baseKeys;
|
|
||||||
|
|
||||||
"nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ baseKeys;
|
"grafana-admin-password.age".publicKeys = flora6Keys ++ adminKeys;
|
||||||
"nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ baseKeys;
|
"grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ adminKeys;
|
||||||
|
"grafana-smtp-password.age".publicKeys = flora6Keys ++ adminKeys;
|
||||||
|
|
||||||
|
"nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||||
|
"nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ adminKeys;
|
||||||
}
|
}