From e26a65beca905cf44e1b02633f67d213ae3a84b6 Mon Sep 17 00:00:00 2001 From: Linnnus Date: Tue, 25 Mar 2025 12:50:29 +0100 Subject: Refactor metadata.toml --- hosts/ahmed/git.linus.onl/default.nix | 3 ++- hosts/ahmed/local-dns/dns-resolver.nix | 2 +- hosts/ahmed/remote-builder/default.nix | 5 +++-- hosts/ahmed/ssh/default.nix | 2 +- hosts/muhammed/remote-builders/ahmed-builder.nix | 4 ++-- metadata.toml | 17 +++++++++++---- secrets/secrets.nix | 27 +++++++++++++++++------- shared/nixos/cloudflare-proxy/default.nix | 1 - 8 files changed, 41 insertions(+), 20 deletions(-) diff --git a/hosts/ahmed/git.linus.onl/default.nix b/hosts/ahmed/git.linus.onl/default.nix index be62efa..24eda7f 100644 --- a/hosts/ahmed/git.linus.onl/default.nix +++ b/hosts/ahmed/git.linus.onl/default.nix @@ -35,7 +35,8 @@ in { openssh.authorizedKeys.keys = map (key: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ${key}") [ - metadata.hosts.muhammed.sshPubKey + # The user's own SSH key is used when the Git CLI connects to the server. + metadata.hosts.muhammed.sshKeys.linus ]; }; users.groups.git = {}; diff --git a/hosts/ahmed/local-dns/dns-resolver.nix b/hosts/ahmed/local-dns/dns-resolver.nix index 1954a52..7d966ee 100644 --- a/hosts/ahmed/local-dns/dns-resolver.nix +++ b/hosts/ahmed/local-dns/dns-resolver.nix @@ -32,7 +32,7 @@ # Here we publish all the services we want. data = let - subdomainToARecord = subdomain: "=${subdomain}.${config.linus.local-dns.domain}:${metadata.hosts.ahmed.ipAddress}"; + subdomainToARecord = subdomain: "=${subdomain}.${config.linus.local-dns.domain}:${metadata.hosts.ahmed.ipv4Address}"; ARecords = lib.concatMapStringsSep "\n" subdomainToARecord config.linus.local-dns.subdomains; in '' # We are authoritative over ${config.linus.local-dns.domain}. diff --git a/hosts/ahmed/remote-builder/default.nix b/hosts/ahmed/remote-builder/default.nix index 50f9595..1bb85f6 100644 --- a/hosts/ahmed/remote-builder/default.nix 
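Review bot: The option string prepended to `metadata.hosts.muhammed.sshKeys.linus` in the git.linus.onl hunk forbids forwarding and a pty but still allows any command to run as the `git` user, and the hunk shows nothing that confines that user's shell. If `users.users.git.shell` is not already `git-shell` (not visible here), either set it or add a forced command to the option string, e.g. `"command=\"git-shell -c \\\"$SSH_ORIGINAL_COMMAND\\\"\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ${key}"`, so the general-purpose linus@muhammed key can only reach Git. The key list's enclosing `users.users.git` definition starts outside the hunk.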
+++ b/hosts/ahmed/remote-builder/default.nix @@ -10,9 +10,10 @@ group = "remotebuilder"; # Allow SSH connections by the Nix client. - # This is matched with the ssh config IdentityFile on the client-side. openssh.authorizedKeys.keys = [ - metadata.hosts.muhammed.sshPubKey + # This is matched with the ssh config IdentityFile on the client-side. + # TODO: Use root key! + metadata.hosts.muhammed.sshKeys.linus ]; }; users.groups.remotebuilder = {}; diff --git a/hosts/ahmed/ssh/default.nix b/hosts/ahmed/ssh/default.nix index 4912bf5..a2110b7 100644 --- a/hosts/ahmed/ssh/default.nix +++ b/hosts/ahmed/ssh/default.nix @@ -13,7 +13,7 @@ users.users = lib.genAttrs ["root" "linus"] (_: { openssh.authorizedKeys.keys = [ - metadata.hosts.muhammed.sshPubKey + metadata.hosts.muhammed.sshKeys.linus # Identity used by Termios on iPhone. "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBPbGet0Mn5+HMeRBXeOkSYqGqbefFZ4kE9aYemyDp9D" diff --git a/hosts/muhammed/remote-builders/ahmed-builder.nix b/hosts/muhammed/remote-builders/ahmed-builder.nix index 7b9bd99..384ac51 100644 --- a/hosts/muhammed/remote-builders/ahmed-builder.nix +++ b/hosts/muhammed/remote-builders/ahmed-builder.nix @@ -11,7 +11,7 @@ # See: hosts/ahmed/remote-builder/default.nix # FIXME: How to trust key ahead of time? {metadata, ...}: let - inherit (metadata.hosts.ahmed) ipAddress; + inherit (metadata.hosts.ahmed) ipv4Address; in { nix.buildMachines = [ { @@ -29,7 +29,7 @@ in { environment.etc."ssh/ssh_config.d/100-ahmed-builder.conf".text = '' Host ahmed-builder User remotebuilder - Hostname ${ipAddress} + Hostname ${ipv4Address} HostKeyAlias ahmed-builder # This matches `users.users..authorizedKeys` on the server-side. # HACK: We should use a purpose-specific key. diff --git a/metadata.toml b/metadata.toml index abff3ca..a2a5573 100644 --- a/metadata.toml +++ b/metadata.toml 
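Review bot: The new `# TODO: Use root key!` in the remote-builder hunk cannot be acted on as the commit stands, because the metadata.toml hunk records only `linus` under `[hosts.muhammed.sshKeys]` and no `root` entry; the TODO should say that a `hosts.muhammed.sshKeys.root` entry has to be added first. Until then the `remotebuilder` account accepts the same unrestricted linus@muhammed key that also logs in as root on ahmed (ssh/default.nix hunk), without the option string the git.linus.onl hunk applies. Remote builds need neither a pty nor forwarding, so `"no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ${metadata.hosts.muhammed.sshKeys.linus}"` would narrow what that key can do here at no cost. The `users.users.remotebuilder` definition starts outside the hunk.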
@@ -1,9 +1,18 @@ # This file specifies metadata for each host. [hosts.ahmed] -ipAddress = "192.168.68.222" -sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodiSwTcZcaZxqLyHjI2MGe1CpIBvIzzbjpXrwAyiYO root@ahmed" +network = "rumpenettet" +ipv4Address = "192.168.68.222" + +[hosts.ahmed.sshKeys] +root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodiSwTcZcaZxqLyHjI2MGe1CpIBvIzzbjpXrwAyiYO root@ahmed" [hosts.muhammed] -ipAddress = "192.168.68.111" -sshPubKey = "ssh-rsa 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" +network = "rumpenettet" +ipv4Address = "192.168.68.111" + +[hosts.muhammed.sshKeys] + linus = "ssh-rsa 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 linus@muhammed" + +[networks.rumpenettet] +v4 = "192.168.68.0" diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 45a40a5..56fa89e 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
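Review bot: `v4 = "192.168.68.0"` in the new `[networks.rumpenettet]` table carries no prefix length, so a consumer cannot derive the netmask or range from it; if the network is a /24 (constructed from the host addresses shown, to be confirmed) write `v4 = "192.168.68.0/24"`. The `network = "rumpenettet"` fields are free-form strings that nothing ties to the `[networks.*]` table name, so a typo only surfaces as a missing attribute wherever `metadata.networks.${host.network}` is first read; a short comment on the table saying it must match the host entries' `network` values would help. Style: ` linus = ...` under `[hosts.muhammed.sshKeys]` is indented while every other key in the file sits at column 0. Since `sshKeys` now holds user keys per host, the same table could also record each host's SSH host public key, which would give `hosts/muhammed/remote-builders/ahmed-builder.nix` a place to resolve its `FIXME: How to trust key ahead of time?` via `programs.ssh.knownHosts`.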
@@ -2,13 +2,24 @@ # imported into the system cofniguration. let metadata = builtins.fromTOML (builtins.readFile ../metadata.toml); - ahmedKey = metadata.hosts.ahmed.sshPubKey; - muhammedKey = metadata.hosts.muhammed.sshPubKey; + + # Keys used for editing secrets on interactive hosts. + interactiveKeys = [ + metadata.hosts.ahmed.sshKeys.linus + metadata.hosts.muhammed.sshKeys.linus + ]; + + # These are the keys which are used when actually decoding the secrets as part of activation. + # On NixOS hosts this is the root user, and on nix-darwin hosts it's the user who installed nix-darwin. + decodingKeys = { + ahmed = metadata.hosts.ahmed.sshKeys.root; + muhammed = metadata.hosts.muhammed.linus; + }; in { - "cloudflare-ddns-token.env.age".publicKeys = [muhammedKey ahmedKey]; - "cloudflare-acme-token.env.age".publicKeys = [muhammedKey ahmedKey]; - "duksebot.env.age".publicKeys = [muhammedKey ahmedKey]; - "mullvad-wg.key.age".publicKeys = [muhammedKey ahmedKey]; - "wraaath-sftp-password.txt.age".publicKeys = [muhammedKey ahmedKey]; - "linus.onl-github-secret.txt.age".publicKeys = [muhammedKey ahmedKey]; + "cloudflare-ddns-token.env.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys; + "cloudflare-acme-token.env.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys; + "duksebot.env.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys; + "mullvad-wg.key.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys; + "wraaath-sftp-password.txt.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys; + "linus.onl-github-secret.txt.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys; } diff --git a/shared/nixos/cloudflare-proxy/default.nix b/shared/nixos/cloudflare-proxy/default.nix index 7725fbb..f505016 100644 --- a/shared/nixos/cloudflare-proxy/default.nix +++ b/shared/nixos/cloudflare-proxy/default.nix 
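Review bot: `muhammed = metadata.hosts.muhammed.linus;` in `decodingKeys` reads an attribute that the metadata.toml hunk in this commit does not define (the key lives at `hosts.muhammed.sshKeys.linus`), and `interactiveKeys` reads `metadata.hosts.ahmed.sshKeys.linus` although `[hosts.ahmed.sshKeys]` only defines `root`; evaluating secrets.nix will fail on the first missing attribute before any secret can be edited. The first should be `muhammed = metadata.hosts.muhammed.sshKeys.linus;` and the second either needs a `linus` entry under `[hosts.ahmed.sshKeys]` or should be dropped from the list. Separately, `decodingKeys.ahmed` is defined but never used, so the root@ahmed key that previously could decrypt all six secrets is removed from every `publicKeys` list; any of these secrets that is deployed on ahmed (the cloudflare tokens look likely, given ahmed hosts the proxied services, but that is not visible here) will no longer decrypt at activation unless its list becomes `[decodingKeys.ahmed decodingKeys.muhammed] ++ interactiveKeys`.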
@@ -5,7 +5,6 @@ config, lib, pkgs, - metadata, ... }: let # TODO: What happens when these get out of date??? Huh??? You little pissbaby -- cgit v1.2.3