pazpi/nix
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

Divided who can provision and who can access the machines

Browse source
This commit is contained in:
pazpi 2025-08-22 18:13:31 +02:00
parent 00574c51b3
commit 06536ac58b
4 changed files with 13 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/base-lxc.nix
View file

@ -19,7 +19,7 @@ in
users = { users = {
users.root = { users.root = {
hashedPassword = "$6$gir1YD6tNdC9xAj0$zLr1yt/ea9PvwygjHfQVnPmeCd1.2zrAKWiN80duidwOkZF6hwm06ta6J3O9uw6F3uUHC0N7iiKYhCgXXR.Q7/"; hashedPassword = "$6$gir1YD6tNdC9xAj0$zLr1yt/ea9PvwygjHfQVnPmeCd1.2zrAKWiN80duidwOkZF6hwm06ta6J3O9uw6F3uUHC0N7iiKYhCgXXR.Q7/";
openssh.authorizedKeys.keys = sshKeys.infra-core; openssh.authorizedKeys.keys = sshKeys.provisioning-machine;
}; };
}; };

2
modules/utils/server-node-users.nix
View file

@ -25,7 +25,7 @@ in
users.root = { users.root = {
hashedPassword = "!"; hashedPassword = "!";
openssh.authorizedKeys.keys = sshKeys.infra-core; openssh.authorizedKeys.keys = sshKeys.provisioning-machine;
}; };
users.pazpi = { users.pazpi = {

2
secrets.nix
View file

@ -39,6 +39,6 @@ in
builtins.listToAttrs ( builtins.listToAttrs (
map (secretName: { map (secretName: {
name = "secrets/${secretName}.age"; name = "secrets/${secretName}.age";
value.publicKeys = secrets."${secretName}" ++ keys.infra-core; value.publicKeys = secrets."${secretName}" ++ keys.provisioning-machine;
}) (builtins.attrNames secrets) }) (builtins.attrNames secrets)
) )

19
ssh-keys.nix
View file

@ -1,12 +1,9 @@
rec { rec {
deadbeef = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhiGLc/whCY3lCmDiRlYnMJOLiO/gvcRj/sKVEFVAhQ pazpi@deadbeef"; deadbeef = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhiGLc/whCY3lCmDiRlYnMJOLiO/gvcRj/sKVEFVAhQ pazpi@deadbeef";
colmena = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG2r9aO4pty4j2dgRIKe68DPPwdtZBEDlz54F2VBdKcg pazpi@colmena";
ai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAm5OG80MtjLCEnibCTgW1oeVRmVYVlVwf28HZAWQZE6 ai"; ai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAm5OG80MtjLCEnibCTgW1oeVRmVYVlVwf28HZAWQZE6 ai";
krzo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrVYJrU6Ys2o/QYfI6Es5yqVVyjUyDYj6Fglvz63ywP krzo@pazpi.top";
colmena = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG2r9aO4pty4j2dgRIKe68DPPwdtZBEDlz54F2VBdKcg pazpi@colmena";
# The key are found executing `ssh-keyscan <ip-address>` # The key are found executing `ssh-keyscan <ip-address>`
machines = { machines = {
arr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjAFjbSGaeWnImPFBEQ/PeGz7hgpLhUYgZg5Hb/JJ42"; arr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjAFjbSGaeWnImPFBEQ/PeGz7hgpLhUYgZg5Hb/JJ42";
@ -25,14 +22,18 @@ rec {
zigbee2mqtt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINN0z+RxfAIARVMFgtF9olJrL5lt95IoC0Mtzg0MKd3g"; zigbee2mqtt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINN0z+RxfAIARVMFgtF9olJrL5lt95IoC0Mtzg0MKd3g";
}; };
# Machines able to provision other machines # Machines able to provisioning other machines
infra-core = [ provisioning-machine = [
deadbeef
ai
krzo
colmena colmena
deadbeef
]; ];
# Machines able to login with other machines
infra-core = [
ai
]
++ provisioning-machine;
# Machines in tailscale network # Machines in tailscale network
tailscale-machine = [ tailscale-machine = [
machines.arr machines.arr