desko: re-introduce the nix_serve key, which is actually needed for SSH deployments, not just nix-serve

Colin 2024-05-16 02:43:32 +00:00
parent df4ef0ce5a
commit 4a15339e0e
3 changed files with 33 additions and 1 deletions


@ -62,9 +62,11 @@ in
(lib.optional cfg.substituters.nixos "https://cache.nixos.org/")
(lib.optional cfg.substituters.cachix "https://nix-community.cachix.org")
]);
# always trust our keys (so one can explicitly use a substituter even if it's not the default
# always trust our keys (so one can explicitly use a substituter even if it's not the default).
# note that these are also used to sign paths before deploying over SSH; not just nix-serve.
nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
"nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
"desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
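Review bot: The `desko:` entry added to `nix.settings.trusted-public-keys` is accepted by every host that sets `cfg.enable-trusted-keys`, so whoever holds the matching private key can sign store paths that all of those hosts will install. The new comment says why the key is needed but not what trusting it implies; I would extend it with something like `# NB: any holder of desko's signing key can deliver arbitrary store paths to every host that trusts it; remove or rotate this entry if desko is compromised.` It is also worth confirming that this public key is the counterpart of the re-added `nix_serve_privkey.bin`, since nothing visible here ties the two together. The enclosing expression starts above the hunk, so the scope of `cfg.enable-trusted-keys` is inferred rather than shown.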


@ -1,3 +1,5 @@
- nix_serve_privkey.bin:
- generate with `nix-store --generate-binary-cache-key desko cache-priv-key.pem cache-pub-key.pem`
- colin-passwd.bin:
- see <https://search.nixos.org/options?channel=unstable&show=users.users.%3Cname%3E.hashedPasswordFile&from=0&size=50&sort=relevance&type=packages&query=users.users>
- update by running `sudo passwd colin` and then taking the 2nd item from the colin: line in /etc/shadow


@ -0,0 +1,28 @@
{
"data": "ENC[AES256_GCM,data:H47rSAxO2ktohfFRlmbB4qNEZGECfMg3SJSrhLNFXKSkboYRsqgQXmrnPHy7QphRlD6WnN+ocBGMVw0W9n5UJUOFJQTEG3a9xltRQuKSoLV05OzMkpU3jY2MfKWtIDo=,iv:2sDvuIBVskHhCgo3iAkyjrbBj4IQbOFEAOEekYEsaSI=,tag:veoxWv02bNL0meR1zwyS2Q==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZVVkanlzSmRkdlFIdnJi\nOVZNV05mZWczTDI0T2YraENBNXVqc0s3SHgwCjFHdkpGTnV2N0RySnc5L2VBMGMx\nMFRKQ1ZEV1Ywc3c4aUhkbjlkdktOTWMKLS0tIHg4K1RDMklmcXg5ZWwvbEhZTFZm\nejdHQmFQTklicmRwUkZ2b2J0TnVtZDgKx7/9IMIGA1pVAgJxrjsaWIUmJzrMhWC+\nPQvXgIfr8xIzMPV0EeDbLQGMnGuulfvp6WYO2uCb/DjMtzfO0jHKwg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTFJnTGJ5NGJRNkdOTEI1\nMDJKUFZsSjVrbmNySWpPU3Q3WGgxV2ZncVVvCmF3T3lrUkVweDB0cVVpNzA3Sk9m\nUXZYQTJnc3V1eldkZ2dHLzlXNFkvWEUKLS0tIFk0VG1ackY0ekFBVkR5V2t4aS9C\nMVA3YmZQR1FBUVpSQlNuM3BiQVBoN0UKugMq88tUmi8iP3qvJsCblL4hX1HUFn3V\nb7JzeSw4mvRxRsys6uao/EuCI2af+AW1ugzxAZDHHGH+B8lzaeeN9g==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MVc2QjZpQ3Z2SjdQNVlo\nSmkwanVDcU5Sd2JpYkp4Vk5pdTFuUWRrZVZZCnBnaGVZN0xmSnFRdWNwYVVjT2Nu\nMUYrVDdEWm1ETk1hYXBndXJKQkhhK28KLS0tIC9CeXBVKzZyUDd1QnF0MDRMYmtR\nSXMyY3VCTjEvMjZ2UFlSa1dMM0FyTDgKzyHEStZL4AxvGdiCg/hy56ebWCoCHrdL\nhWcmg9YMIBDeC/vER+Den8XS+YTDZLGv8rMUF5mwhpLWXtuQUnljnw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-05-14T02:12:39Z",
"mac": "ENC[AES256_GCM,data:GRu1gxVi2zqgYUJkV0f3rQ6CPTPzxSd/oxWM5tEbTLqki7WflTNTvn2R2U/2bHwq85JuXvKcBoCsC7kGaGR/kVF4j2YA9jGp1EmUUVpooU2+s1noQHObu1OT1DG46jKlUP8QTzIYrZZ4sIKi1zAyqDDFYs5recJEBEY2goEcApU=,iv:/2pvHmiM7hTydB5g//RJiyF521BCRWNEBD5hR4+t1d8=,tag:jrIQN/Xu6VhNZ/uiy5oBHA==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}
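Review bot: The sops metadata carries `"lastmodified": "2023-05-14T02:12:39Z"`, about a year before this commit, so the blob appears to have been restored from history unchanged rather than re-encrypted. The signing key is therefore readable by exactly the three age recipients that were current at that time. If any of those recipient keys has since been retired, or the repository's recipient rules have changed, run `sops updatekeys` on this file before relying on it. Since the same ciphertext was already present in earlier history, a later compromise of any listed recipient key should be treated as a compromise of this signing key, which means regenerating it and replacing the `desko:` public key in the trusted list.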