ninurta: use initrd ssh key from agenix

2023-06-04 02:38:42 +02:00 · 2023-06-04 02:38:42 +02:00 · 41dc68ae6f
commit 41dc68ae6f
parent 1524f02094
4 changed files with 26 additions and 22 deletions
--- a/nixos/ninurta/configuration.nix
+++ b/nixos/ninurta/configuration.nix
@ -10,7 +10,7 @@ let
  wgHydraPrivKey = "pruflas-wg-hydra-key";
  wg0PresharedKey = "pruflas-wg0-preshared-key";
  hydraGitHubAuth = "hydra-github-authorization";
-  initrdPrivateKey = "/etc/ssh/initrd_ssh_host_ed25519_key";
+  initrdSshKey = "ninurta-initrd-ssh-key";
 in
 {
  imports = [
@ -44,29 +44,29 @@ in
        enable = true;
        port = 2222;
        authorizedKeys = config.dadada.admin.users.dadada.keys;
-        hostKeys = [ initrdPrivateKey ];
+        hostKeys = [ age.secrets.${initrdSshKey}.path ];
      };
    };
    # Kinda does not work?
-    # systemd = {
-    #   enable = true;
-    #   network = {
-    #     enable = true;
-    #     links = {
-    #       "10-lan" = {
-    #         matchConfig.Name = "e*";
-    #         linkConfig.MACAddressPolicy = "persistent";
-    #       };
-    #     };
-    #     networks = {
-    #       "10-lan" = {
-    #         matchConfig.Name = "e*";
-    #         networkConfig.DHCP = "ipv4";
-    #         linkConfig.RequiredForOnline = "routable";
-    #       };
-    #     };
-    #   };
-    # };
+    systemd = {
+      enable = true;
+      network = {
+        enable = true;
+        links = {
+          "10-lan" = {
+            matchConfig.Name = "e*";
+            linkConfig.MACAddressPolicy = "persistent";
+          };
+        };
+        networks = {
+          "10-lan" = {
+            matchConfig.Name = "e*";
+            networkConfig.DHCP = "ipv4";
+            linkConfig.RequiredForOnline = "routable";
+          };
+        };
+      };
+    };
  };

  fileSystems."/mnt/storage" = {
@ -151,6 +151,10 @@ in
  age.secrets.${wg0PrivKey}.file = "${secretsPath}/${wg0PrivKey}.age";
  age.secrets.${wg0PresharedKey}.file = "${secretsPath}/${wg0PresharedKey}.age";
  age.secrets.${wgHydraPrivKey}.file = "${secretsPath}/${wgHydraPrivKey}.age";
+  age.secrets.${initrdSshKey} = {
+    file = "${secretsPath}/${initrdSshKey}.age";
+    mode = "700";
+  };

  services.snapper = {
    cleanupInterval = "1d";
--- a/secrets/ninurta-initrd-ssh-key.age
+++ b/secrets/ninurta-initrd-ssh-key.age
--- a/secrets/ninurta-initrd_ssh_host_ed25519_key.age
+++ b/secrets/ninurta-initrd_ssh_host_ed25519_key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -22,7 +22,7 @@ in
  "gorgon-backup-passphrase-gs.age".publicKeys = [ systems.gorgon dadada ];
  "paperless.age".publicKeys = [ systems.gorgon dadada ];
  "surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ];
-  "ninurta-initrd_ssh_host_ed25519_key.age".publicKeys = [ systems.ninurta dadada ];
+  "ninurta-initrd-ssh-key.age".publicKeys = [ systems.ninurta dadada ];
 } //
 backupSecrets "ninurta" //
 backupSecrets "gorgon" //