From 319522e4d37501bfd21537962361b54d674ee635 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Tue, 24 Jun 2025 01:24:52 +0100
Subject: [PATCH] feat: properly set a root user password for physical access
---
 machines/_base.nix | 30 ++++++++++++++++++------------
 secrets/base/root_pass.age | Bin 0 -> 2849 bytes
 secrets/secrets.nix | 1 +
 3 files changed, 19 insertions(+), 12 deletions(-)
 create mode 100644 secrets/base/root_pass.age
diff --git a/machines/_base.nix b/machines/_base.nix
index 555666e..84abb5c 100644
--- a/machines/_base.nix
+++ b/machines/_base.nix
@@ -41,6 +41,8 @@ in {
 manageHostName = true;
 };
 
+ age.secrets.root_pw.file = ../secrets/base/root_pass.age;
+
 nix = {
 settings = {
 # flakes are essensial
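Review bot: The added `age.secrets.root_pw.file` line says nothing about what the secret holds or which option consumes it, and the consumer lives about thirty lines further down in a different attribute set, so the two declarations are easy to drift apart when either is moved. A one-line comment such as `# hashed root password; consumed by users.users.root.hashedPasswordFile below` would keep them linked. The secret keeps agenix's default root-only mode, which is what a password hash read only at activation time needs, so no `mode`/`owner` override is called for here.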
@@ -72,23 +74,27 @@ in {
 settings.PermitRootLogin = "prohibit-password";
 };
 
- users.users.root = {
- initialHashedPassword = "$y$j9T$lf/Z1Db.lAXan2WN/YQEF.$ILMN5CK4eImzrioB04D.VgD7wrV2rwUjcTi..WE5ea6";
+ users = {
+ mutableUsers = false;
 
- openssh.authorizedKeys.keys = [
- # no obligation to have name attached to keys
+ users.root = {
+ hashedPasswordFile = config.age.secrets.root_pw.path;
 
- # Root account
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
+ openssh.authorizedKeys.keys = [
+ # no obligation to have name attached to keys
 
- # CI/CD key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
+ # Root account
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
 
- # Brendan Golden
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
+ # CI/CD key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
 
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
- ];
+ # Brendan Golden
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
+
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
+ ];
+ };
 };
 
 # skynet-admin-linux will always be added, individual servers can override the groups option
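Review bot: `mutableUsers = false;` lands in the shared base module, so every host importing `_base.nix` now has its user and group files regenerated from configuration on activation; any account declared elsewhere without `hashedPasswordFile`, `hashedPassword` or `initialPassword` is left with no usable password, and anything set imperatively with `passwd` is reverted on the next rebuild. A comment on that line would make the trade-off explicit, e.g. `# declarative users only: every account needs a hashed*Password option; passwd changes are reset on rebuild`. The `hashedPasswordFile` assignment also relies on the agenix secret being decrypted before the users activation step runs, which agenix normally orders itself, but it is worth confirming on the first deploy that /etc/shadow actually carries the hash rather than a locked entry. The removed `initialHashedPassword` value stays in git history, so the new secret must not reuse that password.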
diff --git a/secrets/base/root_pass.age b/secrets/base/root_pass.age new file mode 100644 index 0000000000000000000000000000000000000000..2313336437c6050b924be3bcd8aa192dcf6d1356 GIT binary patch literal 2849 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+Gb||gb5zJmF45Nx z$g0Rl(YJ64F)B+p$Dv(P!q(j(a{us9_rwW2sG+?C5Yz$@50F)%TpB-}VP!_m(qKhdq& z&!xD)(KXrM%rPLUJSxo7%P_^%q#WJ06i0)ypmYT@Uzf^EH?#cgv`Xhh%Pj5Ug7Rda zAj`1u$h4v&=QQVZm(o(p3YQR{j6g1f^yJDw{luWqL?746!Yu7FlM1I`ZBGL?mm~u- zFV8H??25pOqKqW{s7Q3%O#Mv)%n7v_o>TQ!P^5OhSqx!V9yEDnd*0Oe2C* zT(Tqb^*xG0Gs=o8D+0O9++6kZ!z(@Y1H!en158~D5(`7K3f*&3viyAuT=Eh_J*omK zgM19bEz{9$E3`=UN>5j?@XAXu2+(&ki%O0PHYzd>PBTc!EHU&?a`JOBad)gJ3(5*| zOwP&9a`xm3EH@0u%BV`oNOX5J^ouab4N5ULs4y@!_fBWy>3JWf`l;mPx?Gj6G zGxL0-iu^FAyzH!`$gGT{tP=Br;>b$hs#F87iU33JP*-%n>ANSHrUxpd<`%dmre+wp zriY~#1V-glWfb}vYnK^0m6{tTg+`cFhB>=dhKE_YRQPh0C0pnlyO8JnQn=2w#Ar|+oXW~y!CUG7zwn-@@O>gOEl zk#AuZWR{oZ;U1Y7m=l=f7Z#P~8xd-mSXIvD9%$y_?vYnm<(->k>Fs7*5@KFeX6BUT z?(Sh;lw*{Y9}wQrpM~MKGNVWXOGky!QZpYTzksO9G#97P%FIH?^b{}W(v;+K z*JK}K=TNucs`S7@XYJxdk5I0ZAUETbv^;Ik)PSn2qB6I%WGC}Tm(*y>5nSYGR<4j2ndBE9>KSG1my~E?>RKLJk>XpF9${h_RZyPlo}5wY zl2H{FSe{#&mCfasVHxQe?CYH68t4|4TI}!boS$19kQEwWVd|XZWa5~Wl4TfPo>=8+ zgi)6GW_b8UIw}~1l%)Flm8KaNI{8MVBxMA->H9@gxt0Z1_x_c!CrKaTSCmEKPW#<)J`dJuQn7L+0nMGAaxi}j+xffQXI-I{Sfy{Kvqec>c3NO*g)f(rvtzEI zYjIwAMTKE;WwBXuphbjZVQE%nQIKb1nWL+bvy)?`vqg5Xc{aLjrBPK*#_0;#j(%og zmPw&$i5__troOJJuH|m|M%e)=!9D?nm0p$}u4zFo7L`#Ud68Uckp|vDmKl+`Zute_ zkwGr{{;6r%S;2vZ;bGw^f$3$2NzU$mX0C-k!5I0?xzInvJy0Rfu+Xm{z&kvt#MHwh z$HF4X)z88(vp~Dd!Xi93(8Dy#)!4+S%GWR=%#|xIH`qDNu*@l|$fPJTr6k$U+&L&H z%A?4{Im$Ftzs#_tz}vkjJUqIx1w9XPQP-6^3L~m>ZQBM}`M^nIu{G zWSW+h7>7Am6}c6c7da)Hct)jGWOId=1bY;OnWR=GrRA9BC;Ap;RvEeGL>YuRnVFfp zIl32nR1_rZms#ZHB%_CVMvmGPHB-vxl4FxaYdy`Vs1v5fvK^6c(#R4 zNp6~FL@2s##sxY0-sK7zdBGlu9{$A{MtOl*d11cA#f4?gA%@8nIf)r25$4(fp{1TC zAz5yrq1jyihS|;$-l^us`XPoz<%xwkWo3DOMFHAD5eCU6fi5M9?%Jh60VRGpnHZ@g zxX{HZ*HOWsC?`8PBGEs;ywo!>I5fZ`B_hk%I6ctFQ9I37zbeDqTfaQX$Tu+2EuE{} 
zKO{LgDl4bbq|_|S$S)&ByUfVAFfz!?x2nX^$H&CPEy~-!z{@qs2qSlgx|*dW2Py;^ zWEMx3WmjZI8Alm9Rhs4{yBQZ*1|?OQCZ|~>78ZI|6{MG&RAib*q;usu`-cQM8d#Vc zSXP;u8e|v+2bCLnrn_c(n+FEESUUMS2c`!WR0d}GV5E{rx5NtPbcKNAfDkiRKg(>> z@J#Je4~we6;QTCKgJjoC|Iom2;{xsc+@Pwe3e$*?WUj!Rh}^I|3&Wrilbk?{P_Kf} z(gHV=0`D@f%Jjk{$J|86vd~adqtJ3=jF3#tadu5jSBOkWi6}^Q3i1zeaWTs-2sUyK zHVh2)570MH*A6Zz&nk=x4KXwI^UBK2=F&I!swgTmHq5s4Do+ebbqk5ouS~Bf$uY2W zO0Vz^%nWu(%nUOtv+(!E@S8$npZ@gU#fd@cxrNvPoT4zUrK7WSyDt^ zMn$QwuZebOZctQ`Q&wOkS3s(>qib=Zxs$PbdP$^zs$aO1OHM$NhjxxnmA7SfmWz=^ zuu*W9Q$(^adYbes@Nw}kSMYKVcdRNYDs?k+EY%MzaI?rYO!SP%F(@o5h$yuvGIUEb za>)+Xc1?2fQI~+Zpsuu9p8fLwwJit&a^3ad|WU<15Q}#4TSr)7@uZWv*i7p|=axgsoJ) z`cOuvJ=1fkdtsu-oWIkaZ~0o}e`=B9^`l>PBA>_9xb(f1>f93PU)sN9OPq$;jXKuP sOHK*dB`&+`u=j*$Vd#_3A#ygC3^I!S14EW8uMIvm{rBd&qEi_g0iCI%&;S4c literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index db5670f..5321af2 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -105,6 +105,7 @@ let ]; in { # nix run github:ryantm/agenix -- -e secret1.age + "base/root_pass.age".publicKeys = users ++ systems; "dns_certs.secret.age".publicKeys = users ++ systems; "dns_dnskeys.conf.age".publicKeys = users ++ dns;