security: use less fixed private keys

Christoph Hollizeck 2025-12-04 16:20:01 +01:00
parent ffb3f335b4
commit 42b2825c08
Signed by: Daholli
GPG key ID: 249300664F2AF2C7
2 changed files with 41 additions and 4 deletions


@ -79,14 +79,22 @@ topLevel: {
];
};
sops.secrets = {
"remotebuild/private-key" = {
sopsFile = ../../../secrets/secrets.yaml;
owner = "cholli";
mode = "0400";
};
};
nix = {
distributedBuilds = true;
settings.builders-use-substitutes = true;
buildMachines = [
{
hostName = "192.168.178.2";
hostName = "nixberry";
sshUser = "remotebuild";
sshKey = "/root/.ssh/remotebuild";
sshKey = config.sops.secrets."remotebuild/private-key".path;
systems = [ "aarch64-linux" ];
protocol = "ssh-ng";
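Review bot: The secret that replaces `/root/.ssh/remotebuild` is declared with `owner = "cholli";`, yet the only consumer visible in this hunk is the root-run build machine entry (`sshKey = config.sops.secrets."remotebuild/private-key".path;`), so the builder's private key becomes readable by an unprivileged interactive account even though root can read it regardless of ownership. Unless cholli also needs it for user-level remote builds, `owner = "root";` keeps the key with the account that actually uses it. Since the builder is now addressed by the name `nixberry` rather than an IP address, pinning its host key through the build machine's `publicHostKey` option would complete the hardening; the rest of this buildMachines entry continues past the end of the hunk, so it may already be set there.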


@ -1,6 +1,6 @@
topLevel: {
flake = {
modules.nixos.root =
flake.modules = {
nixos.root =
{
config,
inputs,
@ -19,6 +19,7 @@ topLevel: {
# Activate all user based config
cholli # TODO: make root based config that makes it clear I am root user right now
root
];
};
}
@ -32,5 +33,33 @@ topLevel: {
hashedPasswordFile = config.sops.secrets.passwordHash.path;
};
};
homeManager.root =
{
lib,
osConfig,
pkgs,
...
}:
let
generateHostEntry = machine: ''
Host ${machine.hostName}
IdentitiesOnly yes
IdentityFile ${machine.sshKey}
User remotebuild
'';
filteredMachines = lib.filter (machine: machine.hostName != "localhost") osConfig.nix.buildMachines;
remotebuild-ssh-config = pkgs.writeTextFile {
name = "remotebuild-ssh-config";
text = lib.concatMapStringsSep "\n" generateHostEntry filteredMachines;
};
in
{
home.file = {
".ssh/config".source = remotebuild-ssh-config;
};
};
};
}
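Review bot: `IdentityFile ${machine.sshKey}` in generateHostEntry will fail evaluation for any build machine whose `sshKey` is left unset (it is nullable and defaults to null on nix.buildMachines entries, as far as I recall), and the `filteredMachines` filter only drops `localhost`. The entry also hard-codes `User remotebuild` while the build machine in the other file sets `sshUser` explicitly, so the two can silently drift apart. Guarding both lines keeps the generated config in step with the builder definitions: `${lib.optionalString (machine.sshKey != null) "IdentityFile ${machine.sshKey}"}` and `User ${if machine.sshUser != null then machine.sshUser else "remotebuild"}`. Because `".ssh/config".source` replaces root's SSH client config wholesale, any other host entries root had are dropped; a short comment above `home.file` saying so would spare the next reader a surprise.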