authorsefidel <contact@sefidel.net>2023-07-25 17:41:51 +0900
committersefidel <contact@sefidel.net>2023-07-25 18:26:20 +0900
commit30648c71eddb7dbc13e8d0e771f909be823f1f04 (patch)
tree8247011ccb717f492e7a9c60f0b5b92be3ccfe27
parent49948543b5de8973fbef6f30d847180614d2a7c5 (diff)
feat(systems/cobalt): proper password management & add sefidel user
-rw-r--r--systems/cobalt/default.nix23
-rw-r--r--systems/cobalt/secrets/secrets.yaml6
2 files changed, 24 insertions, 5 deletions
diff --git a/systems/cobalt/default.nix b/systems/cobalt/default.nix
index 9dd0f63..4b2378b 100644
--- a/systems/cobalt/default.nix
+++ b/systems/cobalt/default.nix
@@ -18,6 +18,9 @@ let
   hostId = "712ae82a";
   hostAddr = "cobalt.exotic.sh";
 
+  sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+  maintainerKeys = [ ] ++ sefidelKeys;
+
   poorObfuscation = y: x: "${x}@${y}";
 in
 {
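Review bot: `maintainerKeys = [ ] ++ sefidelKeys;` on the added line concatenates an empty list, which is a no-op and reads as a leftover; either write `maintainerKeys = sefidelKeys;` or, if the empty list is a placeholder for additional maintainers, say so above it: `# Keys of everyone granted root and initrd access; append further maintainers' key lists here.` The split between `sefidelKeys` (one person's own login) and `maintainerKeys` (root and initrd access) is a useful distinction, and a one-line comment on each binding would make that trust boundary explicit to the next reader. The enclosing `let` block starts before the hunk.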
@@ -80,7 +83,7 @@ in
     ];
 
     # Public ssh key to log into the initrd ssh
-    authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+    authorizedKeys = maintainerKeys;
   };
   boot.initrd.network.postCommands = ''
     cat <<EOF > /root/.profile
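Review bot: The context comment `# Public ssh key to log into the initrd ssh` above the changed line still describes a single key, while the value is now the whole `maintainerKeys` list, so every key in that list can reach the initrd ssh session rather than one named key. Updating it to `# Public ssh keys of all maintainers allowed into the initrd ssh (same set as root's login keys)` keeps the widened scope visible when the list grows. The enclosing `boot.initrd.network.ssh` attribute set starts before the hunk.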
@@ -110,8 +113,22 @@ in
 
   time.timeZone = "UTC";
 
-  users.users.root.initialHashedPassword = ""; # FIXME: use proper secret
-  users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+  sops.secrets.root-password.neededForUsers = true;
+  sops.secrets.sefidel-password.neededForUsers = true;
+
+  users.users.root.passwordFile = config.sops.secrets.root-password.path;
+  users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
+
+  users.users.sefidel = {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+    passwordFile = config.sops.secrets.sefidel-password.path;
+    openssh.authorizedKeys.keys = sefidelKeys;
+
+    extraGroups = [ "wheel" ];
+  };
+  programs.zsh.enable = true;
+
   services.openssh.enable = true;
   services.openssh.settings.PermitRootLogin = "prohibit-password";
 
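Review bot: Both `passwordFile` assignments (root on the `users.users.root.passwordFile` line and the `sefidel` user) point at sops secrets, and NixOS expects that file to contain a crypt(3)-style password hash such as `mkpasswd` produces, not a plaintext password; the secret names `root-password` / `sefidel-password` do not make that visible, so a comment above the first assignment such as `# Secrets hold a crypt(3) password hash (mkpasswd output), never plaintext; neededForUsers provisions them before user creation.` would stop a later edit from writing a plaintext value into secrets.yaml and rendering both accounts unable to log in. The hunk does not show whether `users.mutableUsers` is set for this host; if it keeps its default, passwords changed interactively on the machine may diverge from the sops-managed hash, so it is worth confirming the intended mode in the surrounding configuration. Note also that newer nixpkgs releases rename `passwordFile` to `hashedPasswordFile`; that is fine for the revision pinned here but will need adjusting when the input is bumped.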
diff --git a/systems/cobalt/secrets/secrets.yaml b/systems/cobalt/secrets/secrets.yaml
index f0131ff..b0d48df 100644
--- a/systems/cobalt/secrets/secrets.yaml
+++ b/systems/cobalt/secrets/secrets.yaml
@@ -1,3 +1,5 @@
+root-password: ENC[AES256_GCM,data:utvaJtoAN+9CSmnEd86OjdMB5QFWq/ICm0cv6F26QAdBaVpi9APsSEWMej44sZ0jPXtLvXdlRYSm+Bok2/PTx5ACPWz/hyFz4w==,iv:hwai5JQvWmgSeuU8djxPng0EPZA3E08kyfhwr3P8vCA=,tag:eg29EwPSrdH5evO0sUkb3g==,type:str]
+sefidel-password: ENC[AES256_GCM,data:i3fLsgHXIogbPh95k7EPXs9rzfrl617lDqwXktMd/buy5MhUfgl6lNftayeIhIihqmZP4Fu0r7m5s6DYvpfpyvK22Y/Yvib57w==,iv:u9iZ+261lh3ckJubH9iD2iFCAJhUB8ca2VhFYvrHwzA=,tag:4j7j61aOu9zFomU4AS5ThA==,type:str]
 acme-envs: ENC[AES256_GCM,data:9IvoY1E2VLikZgPcNnEl2e33SMgLOJsX7aVTEbld1ggl8Z77a2iau17d/ZLWs0+u,iv:gr2iHuYmtZp2eWhX0E0OKolIn/Nm5+9hJqFTYZagV4c=,tag:9mqUFzqe8+3T+Nwbu5V0Fg==,type:str]
 matrix-server-key: ENC[AES256_GCM,data:MsPH8g0bc0cY+k5XvVIyi1hDpX2up7+noU9P4Dfm3Z9f1eXv7SaJhlRnR40qrk4sQN1uG0R/ro7S2z9EswX0iZx10PfjWF8Igrc9w9b2+EM/gb0O3dGskPAnDrm9JYh+gF6SsqmwJUEYh+Lx1EfuGMTWpnXZjLrimIWCfmz/1qxJECQds/aQwuA=,iv:B8yzXZ1IUVVvxFQ0MzzS5LSHZXQirnXiLoOru4S2H78=,tag:TNp1Y3C/iYgq5itqXGIt/g==,type:str]
 mjolnir-password: ENC[AES256_GCM,data:dyM2VVxn1PFRXy5dgfvq3EuWyGDhDZvJOd1sTnKE5q0Arv1y,iv:DD80um8QXLybj1w4ZsxPbv3+s2NrQfpPDAEpkztkMFo=,tag:3ZEJ7V+ICh2Ip5gZt06zjA==,type:str]
@@ -33,8 +35,8 @@ sops:
             cUpBZ01CMEFjNnNuWjlYejVKajkwcGMKehqYCZP0zZHDTfJrC/5LYiE/3doa0OiM
             OKXhOuUX8HF8RfkyiOSMpntxuNX2jSvd9sQRYnHkUvgm793+IuQjrg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-04-13T12:34:43Z"
-    mac: ENC[AES256_GCM,data:yAw4eSaMjubCYKLWtkLYuVQJCUXbRtz0nCKLa14WngCW08fO27qGbv+C62Wu/TSsCBdGZcI030kdYcTGJl9xILy3M9/iTe7BUGvY02mcqXoeQskMh/a9X2o3YBvKpQ0WootwkpuuBsEDX7xN4W3I4LswvVRPZHOn5kpI7v3ksMs=,iv:efNxaH0QRqRQQ2o6pEeqNyvF++agmiHEdg9I4b1rgdw=,tag:D46uRts4sbwYUbmBM22oWw==,type:str]
+    lastmodified: "2023-07-25T09:21:29Z"
+    mac: ENC[AES256_GCM,data:u/HrbQXQBxF0xwumvM57e/gIv22J6Lw64VZM6kNWcrObHNUXJG0uB+0gAa8JQUG7zpTXxgdHLe0cjesXBAFSW6+LWfZJTbO224epID8WEwrX0inYbzB3bbb3aKFaLfMOpRYkfwnh0AAZaFfdZ3IUi1tf0mj8VqfhZIBrB7xxg7g=,iv:TYG4pSvuGAo4ainZgRn+FlE7LOR1TswEwxrZoRcXKb4=,tag:XOJQn3g6gHyoNATuxJ5tHw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3