feat: properly set a root user password for physical access

This commit is contained in:
silver 2025-06-24 01:24:52 +01:00
parent 017d383d08
commit 319522e4d3
Signed by: silver
GPG key ID: 36F93D61BAD3FD7D
3 changed files with 19 additions and 12 deletions


@ -41,6 +41,8 @@ in {
manageHostName = true;
};
age.secrets.root_pw.file = ../secrets/base/root_pass.age;
nix = {
settings = {
# flakes are essensial
@ -72,23 +74,27 @@ in {
settings.PermitRootLogin = "prohibit-password";
};
users.users.root = {
initialHashedPassword = "$y$j9T$lf/Z1Db.lAXan2WN/YQEF.$ILMN5CK4eImzrioB04D.VgD7wrV2rwUjcTi..WE5ea6";
users = {
mutableUsers = false;
openssh.authorizedKeys.keys = [
# no obligation to have name attached to keys
users.root = {
hashedPasswordFile = config.age.secrets.root_pw.path;
# Root account
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
openssh.authorizedKeys.keys = [
# no obligation to have name attached to keys
# CI/CD key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
# Root account
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
# Brendan Golden
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
# CI/CD key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
];
# Brendan Golden
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
];
};
};
# skynet-admin-linux will always be added, individual servers can override the groups option
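Review bot: The yescrypt hash removed at the `initialHashedPassword` line remains recoverable from this repository's history, so the password it encodes should be treated as exposed, and `secrets/base/root_pass.age` should hold the hash of a freshly generated password rather than the same one. The new `hashedPasswordFile = config.age.secrets.root_pw.path;` line carries no comment saying what the decrypted file must contain or how it is regenerated, which the next person rotating the password will need; a one-line comment such as `# single crypt(3)-style hash (e.g. mkpasswd -m yescrypt); rotate via agenix, never commit the hash` would cover it. Adding `mutableUsers = false;` also means passwords can no longer be changed with passwd on the host and any user declared without a password or key is left without one, which is worth a sentence in the commit description since this base module applies to every host. The enclosing module attribute set starts and ends outside the hunk.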

BIN
secrets/base/root_pass.age Normal file

Binary file not shown.


@ -105,6 +105,7 @@ let
];
in {
# nix run github:ryantm/agenix -- -e secret1.age
"base/root_pass.age".publicKeys = users ++ systems;
"dns_certs.secret.age".publicKeys = users ++ systems;
"dns_dnskeys.conf.age".publicKeys = users ++ dns;