ssh: update user CA

scarlet-storm · Jan 25, 2025 · 35a305a · 35a305a
1 parent de463e3
commit 35a305a
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 23 deletions.
diff --git a/config/hosts/x86_64-linux/marchenstar/default.nix b/config/hosts/x86_64-linux/marchenstar/default.nix
@@ -34,17 +34,6 @@ in
   services = {
     sysstat.enable = true;
     hath.enable = true;
-    hath.package =
-      (import (pkgs.applyPatches {
-        src = inputs.nixpkgs;
-        name = "patch";
-        patches = [
-          (pkgs.fetchpatch {
-            url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/364988.patch";
-            hash = "sha256-iQsiwUV5aJVCl3mRgofOznw1v87oJ7KLQRmug9LGWeQ=";
-          })
-        ];
-      }) { system = "x86_64-linux"; }).hentai-at-home;
   };
   system.stateVersion = "25.05";
 }
diff --git a/config/hosts/x86_64-linux/marchenstar/net.nix b/config/hosts/x86_64-linux/marchenstar/net.nix
@@ -50,9 +50,7 @@
       enable = true;
       ssh = {
         enable = true;
-        authorizedKeys = [
-          "cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAION8+4aF6hbXO1QxU5GqvZZHZWThD6MAiLcWq+bPSWD8 Gwen User CA"
-        ];
+        authorizedKeyFiles = config.services.openssh.authorizedKeysFiles;
         extraConfig = ''
           HostKey /etc/ssh/ssh_host_ed25519_key
         '';

diff --git a/config/nixos/base/sshd.nix b/config/nixos/base/sshd.nix
@@ -1,15 +1,13 @@
-{ ... }:
-let
-  trustedUserCAFile = "trustedUserCA";
-in
+{ config, ... }:
 {
-  environment.etc."ssh/${trustedUserCAFile}".text = ''
-    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAION8+4aF6hbXO1QxU5GqvZZHZWThD6MAiLcWq+bPSWD8 Gwen User CA
-  '';
+  sops.secrets."services/sshd/authorized_keys" = {
+    mode = "0444";
+  };
   services = {
     openssh = {
       enable = true;
       openFirewall = true;
+      authorizedKeysFiles = [ config.sops.secrets."services/sshd/authorized_keys".path ];
       settings = {
         PermitRootLogin = "prohibit-password";
         PasswordAuthentication = false;

diff --git a/secrets/common.yaml b/secrets/common.yaml
@@ -10,6 +10,8 @@ users:
 net:
     dns-sni: ENC[AES256_GCM,data:Yt67SSpt/JTOo+iNFWh8plKoMmzg,iv:O5xVFggI6z5FKc7nOVNR9EWQRqm9nFUMkGBFxh4Lxgc=,tag:EHPvYDNwmr73i3zkPdpdTg==,type:str]
 services:
+    sshd:
+        authorized_keys: ENC[AES256_GCM,data:lLsPbcV3sL8l9tIZYfDc1/AQDNa4J9Rwa1F1RQBAJO71ON6JvN7kbBA3qe9SRJ/9kw2bdEo9gqPzoHlOCzxlWaV+wNzwk1BjAXWl/aDPG6WtRJBZvXOKmvn+KxmKg7iQAL2eXLAYJdBNBCQtDu145s8egs7CfiF+5tszX0gOUD2PgdcNMdmdmc+y7DhARtzXJR1upLZqNA6RtcTETXMoHoW6k8dflPgwcXClWCmQ1VEy5Q==,iv:yoB/jNLJr5xuQcVxjvMXasNm4nsFfXadCTra645ScZM=,tag:hPlSzzsuWF3Ns9Q+l+aXQg==,type:str]
     hath:
         client_login: ENC[AES256_GCM,data:YLRs+rvx8/ZVU/wdPEHCgszFs5Jhfu7frkA=,iv:GjNGIDFVDPYm1lLkO7N/2b4nqZMkow9n017vooVMG9I=,tag:1N+dcoju+wQgvOykczUZJg==,type:str]
 sops:
@@ -54,8 +56,8 @@ sops:
             cmhqQUxvaHFSdkJNNDJvdFBVQmQ3eXcK9iZhYAHDB1hiPaukBdYoFzJdveOHGqWw
             QXnJYojFhBQ7yOwrUtWF7llCXPVEvJr2u0ThN9bMgkMnq8c4enaJjg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-25T05:07:29Z"
-    mac: ENC[AES256_GCM,data:/GmC45PX/5LrD6Wu8+FIWsQMcSGYwXoLH5E7ch+J+mvuKRwZ4Ioho83/tCTXE4Sdo59CGw5FZ/ufLI/7RzH1ALWRWllyolvOxR2fvZTVSr72iuSon//SIbsI+CXHINNan8K/wDRboX/iR0qTO73irEArjxeuu1ojqoJJnW651pA=,iv:g/eHGDC0o4ILBXv9Y9rA4bkNrM0bIXRhVcT8kJiz4Vc=,tag:NFC+5w3/5yEEzLYU01QoIw==,type:str]
+    lastmodified: "2025-01-25T06:43:10Z"
+    mac: ENC[AES256_GCM,data:MPB5wGNsupuDgB8baQOrGAeq0m+UfzBgbtPsqK+7EBK9k0lEsAPMyKVh91gTg56so3fTjsUXKyMt5QBXd0uicC4OpJvrEirqOFYjxmJyhQD3ribqZZHrg1RGQEr5U54ybgMiPxTj/68ThkaJhTtaKLbJWY3zWnM7dTf0P2eMia8=,iv:Q4iykkG4KJ8fTuouU5qA2JXGylV4UmtXw45MV0ZsvsA=,tag:gW9jsgKHwLNA6k+UxqFDbg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.3