From b7c7023ff05bffdcc2311b1a04076f18d9f850c7 Mon Sep 17 00:00:00 2001
From: Nikolaos Karaolidis
Date: Thu, 24 Jul 2025 15:16:29 +0100
Subject: [PATCH] Use keyfiles
Signed-off-by: Nikolaos Karaolidis
---
 flake.lock | 8 ++++----
 hosts/jupiter-vps/configs/wireguard/default.nix | 2 +-
 hosts/jupiter-vps/default.nix | 4 ++--
 hosts/jupiter/configs/wireguard/default.nix | 2 +-
 hosts/jupiter/default.nix | 4 ++--
 hosts/jupiter/users/nick/default.nix | 4 ++--
 .../users/storm/configs/console/podman/sish/default.nix | 7 ++++---
 hosts/jupiter/users/storm/default.nix | 4 ++--
 secrets | 2 +-
 9 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/flake.lock b/flake.lock
index 20fe8a0..d36a528 100644
--- a/flake.lock
+++ b/flake.lock
@@ -262,11 +262,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1753359848,
- "narHash": "sha256-sTO5BL/2UxnAv27mEOgRh1zKpe/uBN/rJssBBrjF8Cc=",
+ "lastModified": 1753365453,
+ "narHash": "sha256-ZGYHuyEqpA8RC3pDRTbGb3fJv/qT52wHBnKPygznFyI=",
 "ref": "refs/heads/main",
- "rev": "cf03864221a2082aa766f79022de0a2284c10e6b",
- "revCount": 20,
+ "rev": "821a1bad7b6a0359e362830c8454f66b60980ef6",
+ "revCount": 21,
 "type": "git",
 "url": "https://git.karaolidis.com/karaolidis/nix-secrets.git"
 },
diff --git a/hosts/jupiter-vps/configs/wireguard/default.nix b/hosts/jupiter-vps/configs/wireguard/default.nix
index e4778d5..9ef8ec7 100644
--- a/hosts/jupiter-vps/configs/wireguard/default.nix
+++ b/hosts/jupiter-vps/configs/wireguard/default.nix
@@ -31,7 +31,7 @@ in
 "10.0.0.2/32"
 "${jupiterPublicIPv4}/32"
 ];
- publicKey = "l0V4syZrk7HkGNa7l0cq1a4taJcdo8nKGuZt9sq3FgE=";
+ publicKey = builtins.readFile "${inputs.secrets}/hosts/jupiter/wireguard_key.pub";
 }
 ];
 };
diff --git a/hosts/jupiter-vps/default.nix b/hosts/jupiter-vps/default.nix
index 4195cf2..dc5ab9c 100644
--- a/hosts/jupiter-vps/default.nix
+++ b/hosts/jupiter-vps/default.nix
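Review bot: `builtins.readFile` returns the file verbatim, so if `hosts/jupiter/wireguard_key.pub` ends with a newline (as `wg pubkey` output does) that newline becomes part of `publicKey`, and depending on how the WireGuard module hands the key to `wg` this can fail at activation rather than at evaluation, where the old literal could not. Strip it at the read site, e.g. `publicKey = lib.strings.removeSuffix "\n" (builtins.readFile "${inputs.secrets}/hosts/jupiter/wireguard_key.pub");`, assuming `lib` is among this file's arguments (not visible in the hunk). The mirrored change in hosts/jupiter/configs/wireguard/default.nix has the same issue. The peer's identity is now fixed by the `secrets` input pinned at rev 821a1ba in flake.lock, so a later bump of that input changes the trusted peer key with no diff in this file; a one-line comment next to the read saying so would help future reviewers. The peer attribute set this line belongs to starts outside the hunk.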
@@ -30,7 +30,7 @@ environment.impermanence.enable = lib.mkForce false; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com" + users.users.root.openssh.authorizedKeys.keyFiles = [ + "${inputs.secrets}/personal/id_ed25519.pub" ]; } diff --git a/hosts/jupiter/configs/wireguard/default.nix b/hosts/jupiter/configs/wireguard/default.nix index fba6354..d113d93 100644 --- a/hosts/jupiter/configs/wireguard/default.nix +++ b/hosts/jupiter/configs/wireguard/default.nix @@ -42,7 +42,7 @@ in { name = "jupiter-vps"; allowedIPs = [ "0.0.0.0/0" ]; - publicKey = "dRUBz0AZFp30zXqWyTDRe7UyNioc5lV5QE2xYJCc6yU="; + publicKey = builtins.readFile "${inputs.secrets}/hosts/jupiter-vps/wireguard_key.pub"; endpoint = "${jupiterVpsPublicIPv4}:${builtins.toString wireguardPort}"; persistentKeepalive = 25; } diff --git a/hosts/jupiter/default.nix b/hosts/jupiter/default.nix index db103cc..6a4acd8 100644 --- a/hosts/jupiter/default.nix +++ b/hosts/jupiter/default.nix @@ -62,7 +62,7 @@ "v /mnt/storage/private 0755 root root - -" ]; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com" + users.users.root.openssh.authorizedKeys.keyFiles = [ + "${inputs.secrets}/personal/id_ed25519.pub" ]; } diff --git a/hosts/jupiter/users/nick/default.nix b/hosts/jupiter/users/nick/default.nix index c248464..14befa3 100644 --- a/hosts/jupiter/users/nick/default.nix +++ b/hosts/jupiter/users/nick/default.nix @@ -62,8 +62,8 @@ in ]; linger = true; uid = lib.strings.toInt (builtins.readFile ./uid); - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com" + openssh.authorizedKeys.keyFiles = [ + "${inputs.secrets}/personal/id_ed25519.pub" ]; }; 
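Review bot: The new `authorizedKeys.keyFiles` entry drops the owner comment (`nick@karaolidis.com`) that the removed `keys` literal carried, and whatever `personal/id_ed25519.pub` contains — one key or several — is now authorized for root with nothing visible in this repository; a bump of the `secrets` input in flake.lock is the only place such a change would appear. Add a short comment naming the expected key owner beside the entry, e.g. `# nick's personal key; contents come from the pinned secrets input`, and review `secrets` bumps as changes to root and user SSH access. The same applies to the identical hunks in hosts/jupiter/default.nix, hosts/jupiter/users/nick/default.nix and hosts/jupiter/users/storm/default.nix. The enclosing attribute set starts outside the hunk, so whether other key sources exist for these users is not visible here.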
diff --git a/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix b/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix index 680fc01..92d20c6 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix @@ -2,6 +2,7 @@ { config, inputs, + lib, pkgs, system, ... @@ -31,9 +32,9 @@ in let authorizedKeys = pkgs.writeTextFile { name = "authorized_keys"; - text = '' - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com - ''; + text = lib.strings.concatStringsSep "\n" [ + (builtins.readFile "${inputs.secrets}/personal/id_ed25519.pub") + ]; }; in [ diff --git a/hosts/jupiter/users/storm/default.nix b/hosts/jupiter/users/storm/default.nix index 38b1091..3f8dda8 100644 --- a/hosts/jupiter/users/storm/default.nix +++ b/hosts/jupiter/users/storm/default.nix @@ -53,8 +53,8 @@ in group = user; autoSubUidGidRange = true; useDefaultShell = true; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com" + openssh.authorizedKeys.keyFiles = [ + "${inputs.secrets}/personal/id_ed25519.pub" ]; }; diff --git a/secrets b/secrets index cf03864..821a1ba 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit cf03864221a2082aa766f79022de0a2284c10e6b +Subproject commit 821a1bad7b6a0359e362830c8454f66b60980ef6
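Review bot: In the second hunk of sish/default.nix, `lib.strings.concatStringsSep "\n"` over a one-element list is the identity, so the added `text` reduces to `text = builtins.readFile "${inputs.secrets}/personal/id_ed25519.pub";`, which reads more directly and, unless the rest of the file needs it, leaves the `lib` argument added in the first hunk unused. If the list is meant to grow, note that a `.pub` file read this way probably already ends in its own newline (as the removed `''…''` literal did), so joining with `"\n"` would produce blank separator lines between keys; joining with `""` or keeping one `readFile` per key without a separator avoids that. The `authorizedKeys` binding sits inside a `let` whose enclosing expression starts outside the hunk.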