security: use less fixed private keys

2025-12-04 16:20:01 +01:00 · 2025-12-04 16:20:01 +01:00 · 42b2825c08
commit 42b2825c08
parent ffb3f335b4
2 changed files with 41 additions and 4 deletions
--- a/modules/hosts/yggdrasil/default.nix
+++ b/modules/hosts/yggdrasil/default.nix
@ -79,14 +79,22 @@ topLevel: {
        ];
      };

+      sops.secrets = {
+        "remotebuild/private-key" = {
+          sopsFile = ../../../secrets/secrets.yaml;
+          owner = "cholli";
+          mode = "0400";
+        };
+      };
+
      nix = {
        distributedBuilds = true;
        settings.builders-use-substitutes = true;
        buildMachines = [
          {
-            hostName = "192.168.178.2";
+            hostName = "nixberry";
            sshUser = "remotebuild";
-            sshKey = "/root/.ssh/remotebuild";
+            sshKey = config.sops.secrets."remotebuild/private-key".path;
            systems = [ "aarch64-linux" ];
            protocol = "ssh-ng";