security: use less fixed private keys
This commit is contained in:
parent
ffb3f335b4
commit
42b2825c08
2 changed files with 41 additions and 4 deletions
|
|
@ -79,14 +79,22 @@ topLevel: {
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops.secrets = {
|
||||||
|
"remotebuild/private-key" = {
|
||||||
|
sopsFile = ../../../secrets/secrets.yaml;
|
||||||
|
owner = "cholli";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
nix = {
|
nix = {
|
||||||
distributedBuilds = true;
|
distributedBuilds = true;
|
||||||
settings.builders-use-substitutes = true;
|
settings.builders-use-substitutes = true;
|
||||||
buildMachines = [
|
buildMachines = [
|
||||||
{
|
{
|
||||||
hostName = "192.168.178.2";
|
hostName = "nixberry";
|
||||||
sshUser = "remotebuild";
|
sshUser = "remotebuild";
|
||||||
sshKey = "/root/.ssh/remotebuild";
|
sshKey = config.sops.secrets."remotebuild/private-key".path;
|
||||||
systems = [ "aarch64-linux" ];
|
systems = [ "aarch64-linux" ];
|
||||||
protocol = "ssh-ng";
|
protocol = "ssh-ng";
|
||||||
|
|
||||||
|
|
|
||||||
|
|
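Review bot: The new `sops.secrets."remotebuild/private-key"` is declared with `owner = "cholli"`, yet the only consumer visible in this commit is the nix daemon's `buildMachines` entry (and root's generated ssh config in the other file), both of which run as root and can read the secret regardless of owner. Unless the `cholli` account itself needs to open SSH sessions as `remotebuild`, dropping `owner` (default root) keeps the builder key readable by root only; please confirm. The `hostName` change from an IP literal to `nixberry` also means the connection now depends on name resolution and on that host's key already being trusted by root; pinning it via the builder's `publicHostKey` attribute would make the trust explicit rather than relying on whatever is in root's `known_hosts`. The enclosing `nix = { ... }` attribute set continues past the end of the hunk.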
@ -1,6 +1,6 @@
|
||||||
topLevel: {
|
topLevel: {
|
||||||
flake = {
|
flake.modules = {
|
||||||
modules.nixos.root =
|
nixos.root =
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
inputs,
|
inputs,
|
||||||
|
|
@ -19,6 +19,7 @@ topLevel: {
|
||||||
|
|
||||||
# Activate all user based config
|
# Activate all user based config
|
||||||
cholli # TODO: make root based config that makes it clear I am root user right now
|
cholli # TODO: make root based config that makes it clear I am root user right now
|
||||||
|
root
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
@ -32,5 +33,33 @@ topLevel: {
|
||||||
hashedPasswordFile = config.sops.secrets.passwordHash.path;
|
hashedPasswordFile = config.sops.secrets.passwordHash.path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
homeManager.root =
|
||||||
|
{
|
||||||
|
lib,
|
||||||
|
osConfig,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
|
||||||
|
generateHostEntry = machine: ''
|
||||||
|
Host ${machine.hostName}
|
||||||
|
IdentitiesOnly yes
|
||||||
|
IdentityFile ${machine.sshKey}
|
||||||
|
User remotebuild
|
||||||
|
'';
|
||||||
|
|
||||||
|
filteredMachines = lib.filter (machine: machine.hostName != "localhost") osConfig.nix.buildMachines;
|
||||||
|
remotebuild-ssh-config = pkgs.writeTextFile {
|
||||||
|
name = "remotebuild-ssh-config";
|
||||||
|
text = lib.concatMapStringsSep "\n" generateHostEntry filteredMachines;
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
home.file = {
|
||||||
|
".ssh/config".source = remotebuild-ssh-config;
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
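Review bot: `generateHostEntry` hard-codes `User remotebuild` even though every machine it is fed from `osConfig.nix.buildMachines` already carries an `sshUser` attribute, so the two can silently diverge; `User ${machine.sshUser}` keeps the generated `~/.ssh/config` entry in step with the daemon's own setting. Note also that `home.file.".ssh/config".source` makes root's entire ssh config a single generated store file, so any other `Host` stanzas root previously had in that file are no longer honoured — worth stating in a comment above `home.file` if that is intended. On the positive side, `IdentityFile ${machine.sshKey}` only embeds the sops path, not the key material, so nothing secret ends up in the store. The `homeManager.root` module is fully contained in this hunk.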