Divided who can provision and who can access the machines

2025-08-22 18:13:31 +02:00 · 2025-08-22 18:13:31 +02:00 · 06536ac58b
commit 06536ac58b
parent 00574c51b3
4 changed files with 13 additions and 12 deletions
--- a/hosts/base-lxc.nix
+++ b/hosts/base-lxc.nix
@ -19,7 +19,7 @@ in
  users = {
    users.root = {
      hashedPassword = "$6$gir1YD6tNdC9xAj0$zLr1yt/ea9PvwygjHfQVnPmeCd1.2zrAKWiN80duidwOkZF6hwm06ta6J3O9uw6F3uUHC0N7iiKYhCgXXR.Q7/";
-      openssh.authorizedKeys.keys = sshKeys.infra-core;
+      openssh.authorizedKeys.keys = sshKeys.provisioning-machine;
    };
  };

--- a/modules/utils/server-node-users.nix
+++ b/modules/utils/server-node-users.nix
@ -25,7 +25,7 @@ in

      users.root = {
        hashedPassword = "!";
-        openssh.authorizedKeys.keys = sshKeys.infra-core;
+        openssh.authorizedKeys.keys = sshKeys.provisioning-machine;
      };

      users.pazpi = {
--- a/secrets.nix
+++ b/secrets.nix
@ -39,6 +39,6 @@ in
 builtins.listToAttrs (
  map (secretName: {
    name = "secrets/${secretName}.age";
-    value.publicKeys = secrets."${secretName}" ++ keys.infra-core;
+    value.publicKeys = secrets."${secretName}" ++ keys.provisioning-machine;
  }) (builtins.attrNames secrets)
 )
--- a/ssh-keys.nix
+++ b/ssh-keys.nix
@ -1,12 +1,9 @@
 rec {
  deadbeef = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhiGLc/whCY3lCmDiRlYnMJOLiO/gvcRj/sKVEFVAhQ pazpi@deadbeef";
+  colmena = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG2r9aO4pty4j2dgRIKe68DPPwdtZBEDlz54F2VBdKcg pazpi@colmena";

  ai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAm5OG80MtjLCEnibCTgW1oeVRmVYVlVwf28HZAWQZE6 ai";

-  krzo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrVYJrU6Ys2o/QYfI6Es5yqVVyjUyDYj6Fglvz63ywP krzo@pazpi.top";
-
-  colmena = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG2r9aO4pty4j2dgRIKe68DPPwdtZBEDlz54F2VBdKcg pazpi@colmena";
-
  # The key are found executing `ssh-keyscan <ip-address>`
  machines = {
    arr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjAFjbSGaeWnImPFBEQ/PeGz7hgpLhUYgZg5Hb/JJ42";
@ -25,14 +22,18 @@ rec {
    zigbee2mqtt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINN0z+RxfAIARVMFgtF9olJrL5lt95IoC0Mtzg0MKd3g";
  };

-  # Machines able to provision other machines
-  infra-core = [
-    deadbeef
-    ai
-    krzo
+  # Machines able to provisioning other machines
+  provisioning-machine = [
    colmena
+    deadbeef
  ];

+  # Machines able to login with other machines
+  infra-core = [
+    ai
+  ]
+  ++ provisioning-machine;
+
  # Machines in tailscale network
  tailscale-machine = [
    machines.arr