-rw-r--r-- | secrets/host-pub-keys.nix | 5 | ||||
-rw-r--r-- | secrets/pub-ssh-keys.nix | 14 | ||||
-rw-r--r-- | secrets/secrets.nix | 5 | ||||
-rw-r--r-- | secrets/user-ssh-key.age | 23 | ||||
-rw-r--r-- | secrets/user-ssh-key.pub | 1 | ||||
-rw-r--r-- | users/leonardo.nix | 45 |
6 files changed, 48 insertions, 45 deletions
diff --git a/secrets/host-pub-keys.nix b/secrets/host-pub-keys.nix
new file mode 100644
index 0000000..5d4521e
--- /dev/null
+++ b/secrets/host-pub-keys.nix
@@ -0,0 +1,5 @@
+{
+ larissa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKjyS7vbCxr7oDqBpnhHQQzolAW6Fqt1FTOo+hT+lSC";
+ kunagisa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDrMCLu3VvQVmd2cqreAJsVKkrtKXqgzO8i8NDm06ysm";
+ hanekawa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuIjOE3xi/frXJHXQuIBntuXP8XyboCWRx48o3sYeub";
+}
diff --git a/secrets/pub-ssh-keys.nix b/secrets/pub-ssh-keys.nix
deleted file mode 100644
index 14bda29..0000000
--- a/secrets/pub-ssh-keys.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- larissa = {
- host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKjyS7vbCxr7oDqBpnhHQQzolAW6Fqt1FTOo+hT+lSC";
- user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFQN59YDFwwQt/1rb1dHZnxsNV2geWUvHyTKqjdSA52";
- };
- kunagisa = {
- host="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDrMCLu3VvQVmd2cqreAJsVKkrtKXqgzO8i8NDm06ysm";
- user="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINWxS8tdN3j7Vm337RmJTzYTMbkAZN5g610ZesH4vhd8";
- };
- hanekawa = {
- host="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuIjOE3xi/frXJHXQuIBntuXP8XyboCWRx48o3sYeub";
- user="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOafACtb4IgSczDrollTm/t/xIYcVdLlUxDz72TxsZJZ";
- };
-}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3fb2dc0..56f372e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,6 +1,7 @@
 let
- inherit (builtins) attrValues concatLists;
- keys = concatLists (map attrValues (attrValues (import ./pub-ssh-keys.nix)));
+ inherit (builtins) attrValues readFile;
+ user-key = readFile ./user-ssh-key.pub;
+ keys = [ user-key ] ++ (attrValues (import ./pub-ssh-keys.nix));
 in
 {
 "personal-mail.age".publicKeys = keys;
diff --git a/secrets/user-ssh-key.age b/secrets/user-ssh-key.age
new file mode 100644
index 0000000..7fd3b3b
--- /dev/null
+++ b/secrets/user-ssh-key.age
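Review bot: The new host-pub-keys.nix carries no comment saying what these three strings are or where they are consumed, and the deleted pub-ssh-keys.nix at least distinguished `host` from `user` entries. A one-line header such as `# SSH host public keys by hostname; intended as age recipients in secrets.nix and used as authorized keys in users/leonardo.nix` would keep the next reader from confusing them with the user key now kept in user-ssh-key.pub.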
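Review bot: The new `keys` line in secrets.nix still imports `./pub-ssh-keys.nix`, which this same commit deletes, so evaluating secrets.nix (and with it any agenix edit or rekey) fails until it reads `keys = [ user-key ] ++ (attrValues (import ./host-pub-keys.nix));`. `readFile ./user-ssh-key.pub` yields a clean recipient only because that file is committed without a trailing newline (the `\ No newline at end of file` marker on its hunk); an editor that adds one would put a `\n` into the recipient string, so stripping it here, e.g. `user-key = builtins.replaceStrings [ "\n" ] [ "" ] (readFile ./user-ssh-key.pub);`, makes the list independent of that detail. The rest of the attrset, including whether `user-ssh-key.age` itself is listed with `publicKeys = keys`, is outside the hunk.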
@@ -0,0 +1,23 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEphd3hXQSBWZnZW
+N2o4MmdYeGFtVU0wbnFqYlVzWExsNm9ZMnI5a3lyVW1sRFRERlNJClFDNE1vK1g2
+TjMzdjZxRlZmZXNRTkdzeFh6a0xzQnZ6V0x1Z0RqWW9pV3MKLT4gc3NoLWVkMjU1
+MTkgQWNlZ1lBIGlKM012Um8wM3VCSjVTMkM3RUdRS20rUU44cjBSdldZb3Z1L3J3
+dHZ4VVUKQlpoclpHQlg4MTdpOUtXMFNMbmtoWU5sVTlTemNVQ2pwMDQyU0lMR0hU
+OAotPiBzc2gtZWQyNTUxOSA5a1hTdWcgaXpReXRrcnV3dkFMdGZ1WkkraS85WUR4
+TkJ6ajEzWDV4TUNBSk1qaFhtUQpQNit0d2VQK3QvWEZsMUxSVUJkQVl3eUV5VkN0
+Q1R6M3NtSnpzTFRrT01rCi0+IHNzaC1lZDI1NTE5IEhNTldudyBMOTVNQm1zSGFk
+SE55a1BlS0E3N3FFY1VacG9FV1N1dGRJTmx1cDNpcTFvClUzL1BCRWN5WnlIZ0dZ
+TndVa3JUMDZjbUdIV0h1SHl4a21NK1gycUNGUjQKLT4gbGV3Sy1ncmVhc2UgSyBw
+U116WzhuWgp5UTAKLS0tIHBObVNDUDBtM3BodjVzdDBQTnBLdm5ZK3cwcUVYZHRF
+Ykc0NUhjMFdjWDAKSJZrz9ned0pOlTcMSiQGEbarxI1DcunUfv/UXNiWjg4Gcuy1
+l/j+Aa2VWf/fMms5aWwLkbiqia4WogoumWeG9+BRVZbRtmFICHiYV0z5agx+l4GT
+9gERsMOOTRtePqay1P449geODzt405dhqfByoYxgBWcJwucNWAxvO/yqrKI/OmLl
+dq2/9z9x8o+uVo/LuPGKAbAhCNPSPGlfEKkAHEQ//nmR/I748WzpryqZ7HnABLAK
+GdRoycIS89LugqhSRD5Iea26PqGaLaCsj69TME8Qf0r2Tfto1oGRbT6L5IlsIVQL
+6v5XuOJRlBglJozfRxyBRegaRFapaHV757Dk7yt1ISXkQ99XEs6RKfkqEJaDvaxH
+YLDnjPxjCH0HEvCOIJmc76ULvcjGulceGY8h+PFavUP7GA490UAxAP9XzJC/gpx2
+pEKqc8dwYMNXOh9aI/SQp7bNRsAQAC1K2SiEfKhNlL950UZcw3eTQ/dxPgTCqrF8
+qRN9SMwFY8pcKbzuUF7NK3btRguG/rRRkd7oHeFwlG/RQ0tdRy51RG+Zxnd/tVDW
+Rx22oIL0lSG2RGU+YEElEC6CUMWJVJw=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/user-ssh-key.pub b/secrets/user-ssh-key.pub
new file mode 100644
index 0000000..073603f
--- /dev/null
+++ b/secrets/user-ssh-key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJp9EEbJgk/oI84419RmpoDeiACDywNfG4akgdpDBL5W
\ No newline at end of file
diff --git a/users/leonardo.nix b/users/leonardo.nix
index d485e8f..0115f30 100644
--- a/users/leonardo.nix
+++ b/users/leonardo.nix
@@ -1,8 +1,7 @@
 { pkgs, config, inputs, ... }:
 let
- all-keys = import ../secrets/pub-ssh-keys.nix;
- sshkeys = all-keys.${config.networking.hostName};
- user-key = sshkeys.user;
+ hosts-pub-keys = import ../secrets/host-pub-keys.nix;
+ host-key = hosts-pub-keys.${config.networking.hostName};
 in
 {
 imports = [
@@ -112,36 +111,23 @@ in
 extraGroups = [ "networkmanager" "wheel" ];
 shell = pkgs.bashInteractive;
 hashedPasswordFile = config.age.secrets.user-pass.path;
- openssh.authorizedKeys.keys = builtins.concatLists (map builtins.attrValues (builtins.attrValues all-keys));
+ openssh.authorizedKeys.keys = builtins.attrValues (hosts-pub-keys);
 };
 age.secrets = {
- personal-mail = {
- file = ../secrets/personal-mail.age;
- owner = "1000";
- group = "100";
+ user-ssh-key = {
+ file = ../secrets/user-ssh-key.age;
+ path = "/home/leonardo/.ssh/user-ssh-key";
+ owner = "leonardo";
+ group = "users";
 };
- work-mail = {
- file = ../secrets/work-mail.age;
- owner = "1000";
- group = "100";
+ } // (builtins.foldl' (acc: filename: acc // {
+ $(unknown) = {
+ file = ../secrets/$(unknown).age;
+ owner = "leonardo";
+ group = "users";
 };
- university-mail = {
- file = ../secrets/university-mail.age;
- owner = "1000";
- group = "100";
- };
- authinfo = {
- file = ../secrets/authinfo.age;
- owner = "1000";
- group = "100";
- };
- user-pass = {
- file = ../secrets/user-pass.age;
- owner = "1000";
- group = "100";
- };
- };
+ }) {} [ "personal-mail" "work-mail" "university-mail" "authinfo" "user-pass" ]);
 services.gnome.gnome-browser-connector.enable = true;
 home-manager = {
 backupFileExtension = "backup";
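Review bot: `host-key` is bound in the new `let` of users/leonardo.nix but not referenced by any hunk of this diff; `authorizedKeys` uses `hosts-pub-keys` directly and `signingkey` now takes a path, so unless something outside the shown hunks reads it, the binding and its per-host lookup are dead and should be dropped. Because Nix is lazy, an unused binding never forces `hosts-pub-keys.${config.networking.hostName}`, so a host missing from host-pub-keys.nix would also go unnoticed until something does use it.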
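Review bot: `$(unknown) = {` and `../secrets/$(unknown).age` in the added `foldl'` body are not valid Nix attribute or path syntax; this looks like the page renderer mangling `${filename}`, but if it is literal the module does not evaluate. Beyond that, this hunk changes the key-distribution model: the deleted pub-ssh-keys.nix gave each host its own `user` key, whereas `user-ssh-key.age` is now decrypted on every host to `/home/leonardo/.ssh/user-ssh-key`, so compromise of any one host exposes the key used for signing on all of them and rotation means rekeying everywhere — worth a comment on the `user-ssh-key` entry if that trade-off is intended. `authorizedKeys.keys` now lists only the host keys, so the holder of any host's private host key can log in as leonardo on every host while the user key itself no longer can; confirm that is the intent. As a point of style, `pkgs.lib.genAttrs [ "personal-mail" "work-mail" "university-mail" "authinfo" "user-pass" ] (name: { file = ../secrets/${name}.age; owner = "leonardo"; group = "users"; })` expresses the fold more directly.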
@@ -150,6 +136,7 @@ in
 users.leonardo = { pkgs, ... } : {
 imports = [ ./../modules/gnome-config.nix ];
 home = {
+ file.".ssh/user-ssh-key.pub".source = ../secrets/user-ssh-key.pub;
 file.".mozilla/firefox/leonardo/chrome/firefox-gnome-theme".source = inputs.firefox-gnome-theme;
 username = "leonardo";
 homeDirectory = "/home/leonardo";
@@ -235,7 +222,7 @@ in
 user = {
 name = "Leonardo Santiago";
 email = "[email protected]";
- signingkey = user-key;
+ signingkey = "~/.ssh/user-ssh-key";
 };
 color.ui = true;
 gpg.format = "ssh";
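Review bot: `signingkey` switches from a literal public key, which git signs through ssh-agent, to the path of the decrypted private key, so git now hands `~/.ssh/user-ssh-key` to `ssh-keygen -Y sign` directly and the agenix-managed file must be readable by the user at signing time. A comment such as `# path of the agenix-decrypted private key (age.secrets.user-ssh-key), signed with directly rather than via ssh-agent` would record that dependency. Git does expand the leading `~` for ssh signing keys as far as I recall, but `config.age.secrets.user-ssh-key.path` — the same form `hashedPasswordFile` already uses for `user-pass` — keeps the two settings in sync without relying on it.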