From 9c27dbc6c3e87c16f51ec1c86013266f2684ddf6 Mon Sep 17 00:00:00 2001
From: dadada
Date: Sat, 4 Feb 2023 17:54:21 +0100
Subject: [PATCH] surgat: add sshd to initrd
---
 nixos/modules/profiles/cloud.nix | 34 ++++++++++++++++++++++++
 nixos/modules/profiles/server.nix | 2 +-
 nixos/surgat/configuration.nix | 2 ++
 secrets/secrets.nix | 1 +
 secrets/surgat-ssh_host_ed25519_key.age | Bin 0 -> 802 bytes
 5 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 nixos/modules/profiles/cloud.nix
 create mode 100644 secrets/surgat-ssh_host_ed25519_key.age
diff --git a/nixos/modules/profiles/cloud.nix b/nixos/modules/profiles/cloud.nix
new file mode 100644
index 0000000..39e5bf1
--- /dev/null
+++ b/nixos/modules/profiles/cloud.nix
@@ -0,0 +1,34 @@
+{ config, lib, ... }:
+let
+ secretsPath = config.dadada.secrets.path;
+ initrdHostKey = "${config.networking.hostName}-ssh_host_ed25519_key";
+in
+{
+ boot.initrd.availableKernelModules = [ "virtio-pci" ];
+ boot.initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 43235;
+ hostKeys = [
+ age.secrets."${initrdHostKey}"
+ ];
+ authorizedKeys = with lib;
+ concatLists (mapAttrsToList
+ (name: user:
+ if elem "wheel" user.extraGroups then
+ user.openssh.authorizedKeys.keys
+ else
+ [ ])
+ config.users.users);
+ };
+ postCommands = ''
+ echo 'cryptsetup-askpass' >> /root/.profile
+ '';
+ };
+
+ age.secrets."${initrdHostKey}" = {
+ file = "${secretsPath}/${initrdHostKey}";
+ mode = "600";
+ };
+}
diff --git a/nixos/modules/profiles/server.nix b/nixos/modules/profiles/server.nix
index 2bb73ec..31086f2 100644
--- a/nixos/modules/profiles/server.nix
+++ b/nixos/modules/profiles/server.nix
@@ -26,7 +26,7 @@ with lib; {
 system.autoUpgrade = {
 enable = true;
 flake = "github:dadada/nix-config#${config.networking.hostName}";
- allowReboot = true;
+ allowReboot = mkDefault true;
 randomizedDelaySec = "45min";
 };
diff --git a/nixos/surgat/configuration.nix b/nixos/surgat/configuration.nix
index f80b215..4e73860 100644
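Review bot: `hostKeys = [ age.secrets."${initrdHostKey}" ]` in the new cloud.nix uses `age` as a free variable: the module's arguments are `{ config, lib, ... }` and the returned attribute set is not `rec`, so evaluating the option once `ssh.enable = true` should fail with an undefined-variable error. Even with `age` in scope the option expects the path of the decrypted key, not the secret's attribute set, so the entry should be `hostKeys = [ config.age.secrets."${initrdHostKey}".path ];`. Initrd host keys are copied into the initrd when the boot entry is installed on the target, so the agenix-decrypted file has to exist at that point; worth confirming this works on a fresh deploy and not only on a rebuild of an already-activated system. A short comment on the `authorizedKeys` expression stating that every `wheel` user's keys deliberately get initrd shell access would also help the next reader.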
--- a/nixos/surgat/configuration.nix
+++ b/nixos/surgat/configuration.nix
@@ -113,5 +113,7 @@ in
 ];
 };
+ system.autoUpgrade.allowReboot = false;
+
 system.stateVersion = "20.09";
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3fd977e..1ff2383 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -19,6 +19,7 @@ in
 "hydra-github-authorization.age".publicKeys = [ systems.pruflas dadada ];
 "miniflux-admin-credentials.age".publicKeys = [ systems.surgat dadada ];
 "gorgon-backup-passphrase-gs.age".publicKeys = [ systems.gorgon dadada ];
+ "surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ];
 } // backupSecrets "gorgon" // backupSecrets "ifrit" //
diff --git a/secrets/surgat-ssh_host_ed25519_key.age b/secrets/surgat-ssh_host_ed25519_key.age
new file mode 100644
index 0000000000000000000000000000000000000000..48860abc4509595f5ba0a220929eb2dd90564a8f
GIT binary patch
literal 802
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU73iZz_C|AgFH4FDD zbv6w)aLzFeC{MRA4u~wv4>k*RD)MqQ%L&O(^7r;AbSW!!OXn&Ki_AB5%<(cX_Dqkg zND9s~baZ#}_9*f*^EZr23UN$JDYQ%p3H0#Ea7DMxza%>+yIdh9v&b(ept#b=u_8Dp zINUKYtkSGFu`DT|!ptYxz`(+|Al0)ZFV8JI+<>bvBr4M*G9}7C-y_*8)W_7r)iJv$ zs=~)IC@m_-qs%$g*+00r+@~tZ-vne^oNjtiYGQG!f`x&pmuf_IDOb9me|}k5XktaV zVR?p2KxkUAiJ@^)UZ!8DN2Ou9gZW0+^KwqJ^uxd)f7 zuC9VbW$sl3uSbW!GZ*6wphG(&Y&Ov(?+uGwv;z{0+NZd(1R+}Ot|AH)M=_ZiPM^KzI} z`X@#G{6s!-9Nz&9-Y1zE!;x+BUJ7RC;mbfW=X84oa@p9rHk96)b zpR7-22X0%i?p8|X)Hv65@}PC+)hnfoKi@aAltL9Tkt6)6m%IG7L(tmDP zY`9CJTkYA=%_etumW6%dXLGK4{bXje^tvxIWW&2d=an4H`y=h{Wb%0RtrtoSf`U02 zf45(6yU=&J;^Wz)4bf3z1;_I5z+cG z*U)apqI@_0%PvhE+E1Q$Uf6iCW`15x<+m^Mdz{toZ2u$Ye!BS7<&;~p9P2c5)njZ! zL)EvMeAs5qS-hyBV7gR`O<ADe3}EWA+ts9?1D+!
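Review bot: `system.autoUpgrade.allowReboot = false;` is added to surgat's configuration.nix without saying why it overrides the `mkDefault true` that server.nix gets in the same commit; presumably it is because an unattended reboot would now wait at the initrd passphrase prompt until someone unlocks the disk over the initrd ssh that cloud.nix sets up, but that link is inferred rather than visible here. A one-line comment above the option would keep the next reader from flipping it back, e.g. `# surgat needs a manual disk unlock over initrd ssh, so autoUpgrade must not reboot`. The enclosing attribute set starts outside the hunk.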