diff options
Diffstat (limited to 'system-profiles')
19 files changed, 423 insertions, 1 deletions
diff --git a/system-profiles/core.nix b/system-profiles/core.nix index 588f4632..8fed3751 100644 --- a/system-profiles/core.nix +++ b/system-profiles/core.nix | |||
@@ -44,7 +44,7 @@ in { | |||
44 | nix = { | 44 | nix = { |
45 | package = pkgs.nixUnstable; | 45 | package = pkgs.nixUnstable; |
46 | useSandbox = true; | 46 | useSandbox = true; |
47 | allowedUsers = [ "@wheel" ]; | 47 | allowedUsers = [ "*" ]; |
48 | trustedUsers = [ "root" "@wheel" ]; | 48 | trustedUsers = [ "root" "@wheel" ]; |
49 | extraOptions = '' | 49 | extraOptions = '' |
50 | experimental-features = nix-command flakes ca-references | 50 | experimental-features = nix-command flakes ca-references |
diff --git a/system-profiles/default-locale.nix b/system-profiles/default-locale.nix new file mode 100644 index 00000000..4359bd9a --- /dev/null +++ b/system-profiles/default-locale.nix | |||
@@ -0,0 +1,7 @@ | |||
1 | {...}: | ||
2 | { | ||
3 | i18n.defaultLocale = "en_US.UTF-8"; | ||
4 | console.keyMap = "dvorak-programmer"; | ||
5 | |||
6 | time.timeZone = "Europe/Berlin"; | ||
7 | } | ||
diff --git a/system-profiles/initrd-all-crypto-modules.nix b/system-profiles/initrd-all-crypto-modules.nix new file mode 100644 index 00000000..ede68e9f --- /dev/null +++ b/system-profiles/initrd-all-crypto-modules.nix | |||
@@ -0,0 +1,17 @@ | |||
1 | { pkgs, config, ...}: | ||
2 | let | ||
3 | moduleList = builtins.fromJSON (builtins.readFile (pkgs.runCommandCC "crypto-modules" { buildInputs = with pkgs; [ jq ]; } '' | ||
4 | echo "[]" > $out | ||
5 | while IFS= read -r -d $'\0' file; do | ||
6 | unpacked=$(basename "''${file}" .xz) | ||
7 | xz -cd "''${file}" > "''${unpacked}" | ||
8 | |||
9 | module=$(readelf -Wp .gnu.linkonce.this_module "''${unpacked}" | sed -rn '/\[\s*[0-9]+\] /{ s/^[^]]*\]\s*//; p; q; }') | ||
10 | jq '. + [ $name ]' $out --arg name "''${module}" > out.json && mv out.json $out | ||
11 | done < <(find ${config.system.modulesTree}/lib/modules/*/kernel{,/arch/*}/crypto -iname '*.ko.xz' -print0 | sort -z) | ||
12 | '')); | ||
13 | in { | ||
14 | boot.initrd.luks.cryptoModules = moduleList ++ [ | ||
15 | "encrypted_keys" | ||
16 | ]; | ||
17 | } | ||
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix new file mode 100644 index 00000000..09ff58f7 --- /dev/null +++ b/system-profiles/openssh/default.nix | |||
@@ -0,0 +1,41 @@ | |||
1 | { customUtils, lib, config, hostName, pkgs, ... }: | ||
2 | { | ||
3 | config = { | ||
4 | programs.ssh.knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.nixImport { dir = ./known-hosts; })); | ||
5 | |||
6 | systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager | ||
7 | |||
8 | services.openssh = lib.mkIf config.services.openssh.enable { | ||
9 | hostKeys = [ | ||
10 | { path = "/etc/ssh/ssh_host_rsa_key"; | ||
11 | type = "rsa"; | ||
12 | } | ||
13 | { path = "/etc/ssh/ssh_host_ed25519_key"; | ||
14 | type = "ed25519"; | ||
15 | } | ||
16 | ]; | ||
17 | }; | ||
18 | |||
19 | sops.secrets = lib.mkIf config.services.openssh.enable { | ||
20 | ssh_host_rsa_key = { | ||
21 | key = "rsa"; | ||
22 | path = "/etc/ssh/ssh_host_rsa_key"; | ||
23 | sopsFile = ./host-keys + "/${hostName}.yaml"; | ||
24 | }; | ||
25 | ssh_host_ed25519_key = { | ||
26 | key = "ed25519"; | ||
27 | path = "/etc/ssh/ssh_host_ed25519_key"; | ||
28 | sopsFile = ./host-keys + "/${hostName}.yaml"; | ||
29 | }; | ||
30 | }; | ||
31 | |||
32 | environment.etc = lib.mkIf config.services.openssh.enable { | ||
33 | "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey; | ||
34 | "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey; | ||
35 | }; | ||
36 | |||
37 | environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [ | ||
38 | rxvt_unicode.terminfo alacritty.terminfo | ||
39 | ]); | ||
40 | }; | ||
41 | } | ||
diff --git a/system-profiles/openssh/host-keys/sif.yaml b/system-profiles/openssh/host-keys/sif.yaml new file mode 100644 index 00000000..ddef6dd5 --- /dev/null +++ b/system-profiles/openssh/host-keys/sif.yaml | |||
@@ -0,0 +1,34 @@ | |||
1 | ed25519: ENC[AES256_GCM,data:R7Ejs0DrCJOtEquvxuPCpwrOvV1xwCRtSMgzt7H6Dbv5z3zp94Ei8WKRPfju9dSz/4etHa1FV+1Zy7pAExWOOLU6qvaj4ZQa1FEMnJH76SN974D0hp2TON1l7QS/uRfopJJ0vnzITeCmeQcvvv0Rdz7ZUmyfPv8e76/k3h7FsGndu4wEkVg1/0a+E2dNST+/cp+l8RjXljYTiVLAByaMNz1XoK6wupef40Ce11zAGSmJS57gCwmc2yyq01sgnwex1TeDi+Pd43dTR/21n7AssqnpZGsSqpC4+RzHnxP3YGHN1dLTjHZ5fWW+zEHJZ/lG2eW4Gful+TnQ3fw2SHCjW/9BxpCjzo8GAByuJEr569fRXXAiDnmLG8GXGCpQDgSpjdkL4bFEDs0Uss3ydJEmwL3DaNkr/SHUyovwE2k5KnfIt6v0uEH+HsDSPRQpVoOgn7q3GgDmqwADfGt8MStdFVo3el/s6Rs+Q6r/ukYYu+Mon7Akv7HPGAnHDBSGOPBwy/a5Di3AA0TH/CHCmNdv,iv:HD2JAEUDz5BvZDOMAxb83UjoGZBewdePfSktD5Vh7qw=,tag:CIcXaGYLFeJrp+AU3dpStQ==,type:str] | ||
2 | rsa: ENC[AES256_GCM,data:48rCmH0Id6ACaz4oGNfb72sIhfP5P8flVU4DniyTnRbaS98CIg9B3Utj7kZQYwFOOT/esQY7o/82udh8vW2j3D5eF6HfJPZa6ata5SV5b0HIZd+HMNEz2eo4FQ+ev5JWRA0I0FlYMYM/3+w855d2qolHc+voQf/+g4edlU460hx9rbhyn4injrGFdK/AxCNUwB1YXSB+UzRAV3p3U6IXd4ULQydWjJnm5lePZdBEa2q5ZKggFUVoF59fCrKPuxoRuiQTFB9UX2cRxS/MDp70m76NuxP93wGNFRfqWsVxZW7d5WH42ifLYTpIdnB0nRV4VcYdZbVxSTH2/CdRTrQ+BXut4pEsrxq91k6H3EM1FhYYDYTO+fOoKhpe/uidBTuqf3m2A7pM4zdZoTfT/0dcOxIDbtDl+2xfZEiXwXPEsoPAzLcnA23CasY0rc3I+xFgI2yIa+DFUXTiwOuqMbTRooacYVGWa5UsYO0JztizNNgp+GApxBu5fco3J2TVVBIaOpoeRZsX3BlT/8NdR3DBw00ERdj3UVBOUCNV9s++3BfnQgXDdSk/FJ0otrgXQgYxiUN6jbldP+vxt/b4S+tALu7iVApjS0UHP76zvnYotcW57UCX0Gpf9zJc2jPjxGmtIkenVSNB9ZufRg0zvGQ1qN6Ct3j/U2Ka/mfs5AE8PXYC6wFxqlOB5P5OdmVXF9srtnTirgeWbsA4Jeg+OvwAq9DbIvKDDHk0miVMu7JRsPsuCpGjgA1hHHunqFJ6vwKwKvF9k1kCmd61Kgj5MuF4BDnfRC4V22g84eO0ojJH2vU8vzjF9k5MA5zznGYgojZAtQnCXcC3k9CFbPjJE8fqk4fJ3kKoZZy+M3d4rn7JY4HZfjVs2iHZtQv7CskAi9JSULPCEirRsMnzm7jvKVUm0viS4E8dWeUoEDtMnZ1PU/IeWxlJua9hkzWmH3HqigmUq22SBTVJeb24KXyLJcvaeOsoQMOwmdJm7VUYqM8h9L8iomFf1bbExgfmhN20ACCs39sgW6wrW3ODmW85BiC/QkdApxEk65fjL+T23fN1KbXf9la/xz2FCXGUdgKMjUc+HdCtOB7VgvIehfRKodgq4l9E0zIkukT+4RdHiEA0GVga9sesLsLVtgM0UzBca7Sx9NSxEjRNrOxABohu30WPaFHoIOGg+szpD3GOGI4EpmwPK3NEjfG/RTG0ncTf910Shr9OTO69DUcoN9RVR/j6Kq7+WG9G9KxiSn2Qa0F5KFj+Pq5oIPIvGR4YkMPAvlWvvXtfTwweLr8OsNpd716WKap75iykjleeE7qGWPiFtyaiBn98VzZ9e85I8gPVCZcDTtMNXxATYDd1q0yzKV87dOL2SuzC1a2t8htb3lQuugemSfXcoLlYTdZloCClb63oLbLkDtmfd3WCpUFFlYSIxbnamixqdeLeiSL7FwkF/QpUhw0ILm+EQrZGiQ+JcOyPiiJQTDmtcAS6LbprHmapMeQCMtP3/Jk6WdfN5Jhj0x7feVJfATIoLPx0aqox7ekbU4aSzZ/8qjxlMqBcsHUEKfKCoZdVOwuklEKPhPJzGAyom/FNIVrU4EjSxcPtotMP/munJ1BWHFL5UJWPoTAZHz3Ywt50e9Fpwz9coo5NbPhRtFqVs4bOeFqJb1kq6/gPMY7J57+QSetcbBJvwVzCBsQSHoUHgvnIn7kAwM8QbfpilKZd5McL6AiGUtQbAgalXtptnnI/U59IJ8ILkdffQioM0PmzXRdTcSpe6pS6M60stQPwFE4Z9+LHr5LBuuM34YkCq1jd4EMWti+KbEFzipvdAfCYLVdacCqPXzEg3mZ00A/xCXkKk4GDpOIbC3u2T6d5UyIY6b5aX1ZJEbTa1ndVU41+Rt5z0x8tuJkqNVRK8VJ2aVqc8t+o7Ga9IRV9YcIPtDWYcVRt6zTz+DqFEmTRrnBO0AwXdT+eGrMn6X3Nj+DIjPf2B5Nve/98PyRZDRlXkcAKe5FLrVqh1d888MX7pfH+BK8I4kmFokqitxKMw63aeakjpotgN1jUdMtZR9weo6pp4TCStQwlRA41fMLgjxiiZquiajxz1zTlYKr2CVpaw6fDLkBvUw44+ZNHHn75O1/lCuT6MmK9Bu1TwsNsNd4JQSpeY0KHF6VZM0EaS3rIsnZz61X02fdpmo6Nw0mFtB4AidghSI1l+tKVVMnYJqB48eU0w+PHhdkWsi6F3Agp4L4043tWr1o4+WGBnOnx0/rNUEEu30Dtwsty0V87k1c5GRo8PKnzSHtis+QaDOL+xSIVMhsFOcuLV+VhVm84NWjgpKcCb++NInR2BbAwNRBArdIaOfQVw/HlkfnAJNWmOr6y8db1PEPNQVPVflb8bfMsZjZpBy6w1JN2Y15ZL7L0tltyUyDomT3IfMURpIW6OoyaIQS+T6NAkqq0bOllnkRnBziTNae57zl/iNg4AlWtq0NRSed0ls7Dr3yYe5Y+JvGmuW+HEA1r1/Yp9ZYQrhAc6qmAZU4+XuOgANr/4tRFA2091M05+Ow0QMquZr5odLlSyVxDU+5P/+lxb4U2ltLg/lcDeTT7qJZt3vqNVRaWg+864uUO5GFtq56x+egmYpXrgGtIRjABA6oxEHRH8RENeVMIpriv0KQ0WrGvlCnZYOMkydN1YBIX9B5gXZQBDzN3POKyo7KiBtcyMi+iOkH15AaB6G5yZymckAsfVzA/VPi/M115vjOtcqK/yyYbKpzF5ZybRlDlwsWww8aymN5i9b6q0ZI1iQoV/8P8lnal1ziYABr1s30ZqYByZ3PS1OIg6Qc/UtFT8C0OhtBPtwPEy/Xalvtqhl8/9y4Yuv6D5MNCwbL5oQ2JafEaFCOslGklg0ORCwgF+Ho5ZcZPB1tK2c424wde+KBDrBDfDrrCrYoxpeuvpFoRyy0DF3xh+25OkBfxb7+VXQxn3wXDBR7Yr1tuBLQUlbiZ0d4uPj9Pw7RA4UQTMXCRfmUiHP2nTdCbBg41M/5Cx6xaOzXJPOrkvsCZnXvNpc7+nkynsHYMqOuuWuuedh4WMU7YEPZt4CasJ5iofrhjzJNI5G5+rTMwaLTNA5AM2hi9DPqvFOaRUv/noYlTxtBT3LzUfgprPYnCKQd4j+6wO/bfbrlQq8WFH+RwFw4W0eMTJRFYFF2ctX0HOi9TOyTTHh/4l/mzTi4OaeFi5GsboDeczeh4acQCt5IjJih4qRnB7fdQy7PF8ccNuGvKWpN2mnDZJnoCrjbX8ihwzePzYPkUQ/ZKUI4KWVuixiis8b+CH0p92/dSOzGvP2MeQVMwRMpqk2EZdj3oE/gYG7RvfgM12N5ZLAUACczbwS17rquSwgznojewY+g/8oTolY81w4P/hPqX6FhWVeeZZaBJVKVDJSm4Aqp67FSYtoOHkEsOROtqklA7JVourGOgU6DfHlaSGGU6khAPv0smaYgi7+8tztNHoaaGSrtWU5+fxEzfD+NrOLm6Wz+ZZNvxWMMwrwkdeYqSc1tJACNo6CDtN/Tx+ZZCVVE+O+Qi5HFHx13c/ChQhRVMCha0VS8sYMokcZ5H2FLFLApOpwYLLFAiNwWr18PxRf3830xRwSM5bbASl9XLz2xxrbzpApDz5EDvvWJ/lPqnxYxVKCY9cEmDLuRtpEezTUpC8t6LqxhkqCTGiHjto668Mx8OTCDI8ys/D2qOFojbDyYIzl3l+AiVucXHXUrOkPJhhiOufiR6rks5UYqC6Mffb14e8JAY4IGsszmPqVY0hFS9AWp/aHuQ61stnMmhNxUw11fCDuUd4R+NvQlWSmN4Nyv0JmC6rHaa+Y/FEIQTCmFRiutTX+0nLPwJYKx+oQYklRDZ1DLtqMcF7PPUZGSFnZGGLN6UxoDhmrwz6NYwn+bBViL6iWFIgLbpRme/3TFBplDVIDUsSmbqsiysOmtzjw3y4YgiYmlZoEc//WK109KVrQUDSKKpjCMki6wsJ+27v5rlvhyBrG8QMUqWtTTB7Xu63iRrlASXcLk8Y99ehrxw/R3bjyXu5jHe0sowoKATerpiukBIOBTzPyFWQp/8MG6wWTzDM+HyGrAoCnkC3RanF56ldyqBzbqMbBIOx+fRWWuUl27YTwWLaPoZbO/+kgwzmguUj+bfqxExa4OTiMamLoZQh3LfIIJhQMd6MR1SDpRNg6D4YI7ftzrgQIe/CjjlWAfzkgeaPLx7Qeer0Te7wdJymWnQs5NBNAdWGcBgAS7/h4JZPBaqvd8KYPl2cg0Mv9k6+ogExv8YAz25rRPaJB1pKbhB5bkNIBRbUzCUhD3nk5uumvgKS0p6qn8hcD1CqEPt+ZH2CemlP5wjt9aHxplVZgG5vFZX0SREGDTSKwQoUbig1cHmRMOkO7vgS3B8eB7/J1UK3QeQe6roQSM80kbcLYH2flUmqQluGO1ZZDUttlp0ACP2lwlaBysp4X3KYPIwiHf1mXH/EQqgt305FNiKynDV6or7VWYQe5CXvTGg,iv:X57Ayvq6r0m1SGeVrBH8WCZ7TihobLLhy7spX4NIly8=,tag:caDTP5SwuWJAWGpwr9x0eQ==,type:str] | ||
3 | sops: | ||
4 | kms: [] | ||
5 | gcp_kms: [] | ||
6 | azure_kv: [] | ||
7 | hc_vault: [] | ||
8 | lastmodified: '2021-01-02T19:05:26Z' | ||
9 | mac: ENC[AES256_GCM,data:yJGzs0W0R+b6WPkUaQc9cxeTBBEXot0ffUAG77Of88kREFsD5ams9qEDCs8LhPhMtLSH5L8bqMLF28n2w6d9gf41NDBl/oj+XTJE26c4D+MWF2A0fqTvwv1l3524TfavVU8iur0bCbytNfcHSZ3zCQAYElswOGupO+K0Y3hwKKI=,iv:jHSgQV6Jg2Yckp8G0Z23Ny74ZQxZ/+C/neXKrEWUVak=,tag:DhOr2cVhIq8i4JAO+fdXxA==,type:str] | ||
10 | pgp: | ||
11 | - created_at: '2021-01-02T19:04:29Z' | ||
12 | enc: | | ||
13 | -----BEGIN PGP MESSAGE----- | ||
14 | |||
15 | hF4Dgwm4NZSaLAcSAQdArkswGx9w0Rbfp1N89qALAbPMhboirsnlNvms/FomXiUw | ||
16 | taW9n4oEJ5oW2UYzNNn72SwF1jYbrqczAbxt3dM9PSz1gHFoh+ZJhGokVFJvJ7sO | ||
17 | 0l4BEOkWmL/9uyOiCq574nH6OxxTPu9C4GNU8lv/Z/qJ+oAocJkGknsIJzd8M5ax | ||
18 | Fo/HqAGGfvnH3RI5FO3tTxfAKlfxlO2MJ2lsCypJuez5WewPnaTPjTbogjhzG2aQ | ||
19 | =HXLp | ||
20 | -----END PGP MESSAGE----- | ||
21 | fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8 | ||
22 | - created_at: '2021-01-02T19:04:29Z' | ||
23 | enc: | | ||
24 | -----BEGIN PGP MESSAGE----- | ||
25 | |||
26 | hF4DXxoViZlp6dISAQdAUSTwFAciB+Yh2IieFoN/xmQd+GU/g+cuKej6cZk78TUw | ||
27 | ETM8c1TSovML5q9usUX0pl/AbRBwp2In47RMkTn4Mul1XxJuXhgCnrc5swwYrS+h | ||
28 | 0l4BOxJ3bF/yYyKfGrmc/mNe51sdHH+fgQ9IXaQhcopw4kyZqvBXhJF/oP/mhnOL | ||
29 | VMhsfg50ol1XmXVefyo5JPedbzABm3vRZv9U+/zvKNJxIro2hWchd5CxvzN4l/MR | ||
30 | =30r5 | ||
31 | -----END PGP MESSAGE----- | ||
32 | fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51 | ||
33 | unencrypted_suffix: _unencrypted | ||
34 | version: 3.6.1 | ||
diff --git a/system-profiles/openssh/host-keys/surtr.yaml b/system-profiles/openssh/host-keys/surtr.yaml new file mode 100644 index 00000000..d31fda3c --- /dev/null +++ b/system-profiles/openssh/host-keys/surtr.yaml | |||
@@ -0,0 +1,37 @@ | |||
1 | dsa: ENC[AES256_GCM,data:+2nv7zqZ47EhQnZ5x8no5J/0r1iWgmSxBMkiYig18JgdZa77lj9y05EubUlELJlGcqcQMD97xFKQdU9BRMGn2Bq0IeK3nBoENkDEp7ksmn6c+hh2GVCDDk5sQnNl1yQB0bo7TEHRddJe+xbAWZ2LGFRyc+ApBWCtqBnQ12+58dY2VarcogT0tNPaga76Mz6K31V6g9PAhiEL9hFl8F3p/ptgsdIArX6xI6+g/tRkE056EuPsqiAXbMagm2dBQOEUiicUEqpgMvnLhlre3FkRWWotrGtGsB0Sum4BY1mrTxaXJf/J5kt4DrPconjooSkzQPImTPtO1cXIHmmAWiQIOJ6xon3dXB2pq4KpWs4wVZ1a2OMXrgAkUCDsYwNQiyv85YREaMvo7J1nfbrP2VRRdPcP3XgbwXkcqzt0r9LYq17bYHxJmhrP9Si7wCwBkCkGxgyLhMTmXQjKairqRqM+5lnHa44bQ2AhMmq4iKCkSJo7fUXOdDNX0n61PFJSOT/UVsHiVDlqcpcSm/GcARcObdVWmXvjw81pmMTjMlAmLupU5yPiWTZr5lMTG42hDO1Yjq9fuA6tN+Op9duVaWc6YiA7qDSTEpGtGmb4wObAgelCfuUTTo+Wp77lqTAeL2eGfuSAKDMb6z3NfCpSpgvJMWhGJtqJfKd2Cu87P06UUgmnyyjVazVTUWmT/ALX6rosUmGChbx5SSQ8tin/jQdIoq4Qs3hR+7AtBil7DF9fpUfHy8OmP/BKbgihuZa1+n9fyiLnw4QfKGFWmmoh06upSrAu3fYofVe1iYuZUUTP/NNUxn/JxbYn2OrQ9PY7GVcFdRBtyU+R8aQ/bawlcwnaIIQOA04iip1P5tgQ8CWCzuHFyP+d9Eun9oD6wPvSoNWXAftochNU6Ol8MQ8ESe22hrO19TrirgxEGwOTVFVLIV1kLlRZ+eCcY3HI/Mq9hnu9KndrMcLsPnjPyzsPo/CmeIOxryT1lY+LKU2mJT0pLq4j1Mt3QrjOuruM4fSYrS5DdDWTXP1Gk5GiULyd12RQFQVznRlYMy6BcSUmRgTWezX+o0dt18aJGNsm0UpS3yjL8BQpatpxq8LxCp9pNhuIyfF3HyjyNeTX1be60XmblYPr+w6OK8sV83p7TTGYVe9xzp0HC87+SBRTWN6SUCkmVrdhzbEBaDZG1a5Ldvar1QbAZF8riUMHnGarh2ZX6Gv2acsnMV5qb8t/HlK3rCKtYk27ok8ENFQqNIpMvVtoxKNPLNBRMNz8KG77fSnYoGmDFVlY82mrDBqvfbHbZgd3wb6WO3xu0KYY8Vc+ymcFromXBxYOhliNAHxYWNRJPfbXEqGRmA2/P5H0yWPdqL29JLX7SeW6+xzWUY5LWDSHBd2qTl8FdWIddAl8jBs2IiNUIGAUayNLNCSjgbVXOsdk8Hx9aQs5RmwFzXX+jBCeYRXdkN5HLFP8o+9hkWbBv4vIRrJxrRvRAVEoP55ZLhFZakrQ52NQwA2Z2SlFnMgSbs9jzDuMRjhX6kkuiE4DdbCkEfkhaqWDY46PGpfhNJ1LTWJZjTLuwvSwb6toyhEzRdpZGHX9ZCGR39h8GtLD/NVvYx4+8rgvWEah8Aizh5PtmjxJD03dQBuFSpnniuxYyEzRiQPK0QcvDerBRzUFC45CCBOdvbf2EcaQygkRCyoAC4hQ5KE/0sWKlotg0zOtwh3Yd+yts4AA4Hmf8Mx3i4hTlG90hVccdPULr9M613V9VmD95+Vz1ugxM5QwTvMvqNh4WI86hX4RfpgulxVYrQOAKZjgTlGnUNu3wZK7X8P9PGOCt/QkfXIXMA==,iv:+x4eD9lw/b2GvLV8Wsp+UZY+lqCN1oknXCbTGwnQNqU=,tag:pU67QbCxEmUc/mT1gzTTsQ==,type:str] | ||
2 | ecdsa: ENC[AES256_GCM,data:obC22x4LSu8YAbqioGx+6SMggFZyT5SDLN+XyOyoTP9OxP8OV73yWp4G36jJqxri9uRtdZbhy+sMXwNEErvN4p9H3pPv0H9KiqJf3Lbs/7pqGT5xbWD4f5A9BcXVwi7qk9XQIDtLfyL6YsQnyOFRO2/bWKY/CpvZOxhyRCkt3s4PsuTRRNvPfmuGbH4OgKDB8aIzNtracLpYakQtg9hI9izQetE4rf758QR6E76C4h5/J7SBzzPh2TfDYesVjjM8PwR7elN8ee8bfpQLKhyqA+FGSInLWrPho+7vBVLC2IYHOShbCXX19XXp9w/vefFGdBIKE7yEaKpCIavW4g1ZVt3UJJC9th/yVUDMpwp7/L72qgwgH7/tO4X5fT6NhUnhJA7xl+eiqe5/SpVCJwyYduTZHAlLlMAM4moF134vj3clsDb2fkV1AoZYeUtxCmbKVDy9lD12FqJ+mfTJ+bc3SZTCBR1ZeBMu/6u/xNzl3TLTfuJ5bW9VFa7vCy48di9mtcr5BhEU7u4C9T7RzoVNDjstxyoc5grqX4Q7GPOcmghV21QE49nsvdQTUxQejtZ/83lY5h/7nhzfd12mHR99cZhiZdwdJZoK8XKWwgjkXLXQF353+KShgFNmBs/8SyqAjNP66wUPO+YW/S7c7HoDiPIN9n/Za4erCg==,iv:agx+d66Pv5KOqzuzQFLMiywyh3REDzXrGW/F6lAm9tE=,tag:ozfiD2P6knpu+QQpSo+GCg==,type:str] | ||
3 | ed25519: ENC[AES256_GCM,data:oFbZx5F797BF/lmKgfdX6ByB2/wBe8gfzJ2gc6m56vgBKFVIs1aIaOFHcUkeJ5wGfSVTZ4C6zv8bTPouIEDSEkFXT9rUXXUbnQ4tCw7BtpfJv40uZWEror5L8vLGzDV5kBs3TaD96ceAdzIF4psQpsyLhhJTtM8h6tJOs5JpDIG3BMXzVkaSAUCsYLIK9iqkyhVCDidqUm+A9Tke6NP5Oqq90n5q7hamPPwpzMFAFl6z5rf6jH3KTSOk+X98VT6vuInuoKc4ODLfGx1AQPJou4GGEOuFkbmsyA7CPZgNsgfnn13nR3CBqiioyzUJwBww3HAfyA2+ZvXhT4fQwAyM/o72F1gpL+LyPzHKPw4IR7f5+WGgoJjs/ORCvPbPG9jpkFEXKOUEgNFO881eIFizBYHvGc7zQS0rD5SspzSqETJ7zRqeB5EpANvZ2Fpv4adJKHZ/o0McMjr9meAxtV6Iunp2EG8tT1/QvuZZ+dFB1Uitpwt2fpd5iFX0uTeSB3gMPgWz3fvx207Bp/SprQdO,iv:vNu2tRvwkBUdgVSnkPli8NMlXNKfbrnf+MsPbnrDF58=,tag:oWYTDKymFM8YRSXwKdc5wg==,type:str] | ||
4 | rsa: ENC[AES256_GCM,data:RBq1mV5XP4J7ETvRI/BLi1+MwqowUflN12h5T8csVejTLVjNDb03TbPMyH0mACPFK5fNDO+9vQ9HC6riIOiSZkXCjwkP//HdF8XqfAg4GrB+Y21fALDF4+Hmux/SrdJfL+JQ4iKWc1zI/bXZOX686/gdDC/dBFLbBD2Tc+n2yqRY6qDAqHZev7epAUtF0w5DTU+Oyt1tcuP73U+oqNs1C8o8zlKAfOgfSAS03sA0WDJJDWCwlnqAnP/Oh4MmUxAobi5afrJLLnmotCsvBCWN8a+zjR5PanGXINv8O1Fhi/ehKauM51zL7IZfKpjZxHS3IzjcTsGKJKP3QE6e8tYojKAPmZac/xcmsDTG/qZC4z7Tp0u6haENbZo+5kK8QyWLZr7b0yUqIYq4s7Y1/dMv3VO+EdmEKfVugg+W2+J9YsZNEkOuAptfKgM3eklry5YrkUVPy8U2nNyahVPzZExfFmjGGmKhdita8SLpD6s+ang0D5GIU8QmfAcrEqIqsCWn202BTdb77NMsfziTmRsJxdTtB5ZmeQL611uL2GI06Th6WqN96I+7eh0hze5TySaDRasKpnqWKnfg0UcoPaw8qW39CXWlZ1sqjlJP82lDs1rKkAeBDcB6YU+mtQnpfSPdGMOHnMNJ97tY4JhdJW4QCqR5Lr/m2aKxOwoc+BQqT4lSymBqPkolDYrBS+pHMHF6MS8TPsdBHt/6bFEiCzXBEmDe/Hx3eNVuT/YQJSBJzF9g98X0/79fkBMi+yI857d/a93cGzddQ1jLjS1yT6Qr+eegozNfeJPzdOSYbIh2xaYZ4MjUiO0LQr44DXOCA+y2viOpi44EvLqqqqDWHf5bcLfljVVF2bgzS54MThC0qlllNDaFpDSUdDQbVYgu8V2D8yCW/WuS+FPtvqIcSL3ZVsE1KgLplIXOdAOlw7YTisjOaXU1uwJNBYfxWlNjiiV/BtJ8rs53i9uPJN5oZ3cRh14mjAoJAhajamN3+xaXo85clthH9B3qSacduzsinsKiy4gL00Fi2WY3MKKbjaWL/JuELqvD37EibQ7HXffWPTBzc7zILRBetW57w44vMCX3kr0ESGzdtfVLsb7/WY937LACkkFIs7puWcgBJVwhAAEvTeOl11ynPKGDEjHah1wTNvWlpe6v4ko3zwNJOVp3lk9M0fwrNbS1jz4HKU+NGPrZS1/nOUd3YjJXCXzJTcq7hhhsBQYOw8+CT3EeWPURj0L0Ddo/a7MZgdTnN325iPqGErDx0F6UkAR8KcyT2M7AWqF0XRYsGDRs99siRF2aQ8UTq2IX5NE8lLG/QtyPrvVTV/tOX285Jt9C5yRufbNcGKUrXPB+SQM2eH0ip6QTvZ+CYfbGO2VIR7RISTUHKKNPMEMGOz5ZQaPc+8qMfFP7+1lz+fkZ7n+ZSVj9GI/GkbDHNERBos7JBSeG3hvVgraGKeanmHerRxlX42GEF8cQvMEjrCGp+PZPMcEmM7c5/5yJ0iYNyk3ES8LP2ax0XoGpWPxA67WNdzNiDd2JSLwHytxaPf3U5FO5rWLj4byrjDRoOZs0maIsVkEkABcCEyN7t20WzhBmnrx8fkrULXgeIcbQjFcL1x6UW2FS1AUWnHu23XoFxFu4HHIPYZdL70DdsoJr5MS0oZ92oBhaQAXE8nP3RLIMm8yZTqnYuTNzXo3ap9iXyFX+Srp4UvVPyHj8hO3LsXeX6TDQL5R93VMtv9EMQVksSLJU+kLeoKqkMivSAEtD9Zt/GYQdXoXjInY7NpDCha9NBSg+5N2vtVeojI7q/g6Oimq+uT2dRB+62lOd635xgnMRTlwwwkdNI9t1vLcuGStnzWMzYAQhf+TS3LPx7+JGeR8/TXMSoegFf+64hXFJRnxLJTjpfHAJkk0pQ02XAWObab6GVLj8uDcra9cDAKKDftVRX7gOC0k+Vt7vWxkfVPYb8F0EMa2MVm/qYUzcxtnCrxYljtzqXU4UDgw7jUb1yxzI1scU04MaQknfQammw0Lk+ICPEdEX2sJGiG9zH4acCdyqW77QL3tJouCaKPdd6cVq20cyfgjNYT6zbkdlmXTz960Nx9zT4mmk6ngoYwvR1g4nub6Fgo6JDA3AIU7e+uxbO83+I+0jmyOePqkbbJs3igIGekm4M5nl5MhnFyEOr0UrcEKqgp/suRZf/As4UqOHf2NAjP2CMtnHwB8Ug40j5blU/s38ILfdD/Vd87gwZFpx5QCsJjVC+ucuINl4V5WbRBkbIID6ZrLGXoVzYYVqY6oNAF93fl2xCSZykdkVdBaJvSbpz8wbzimjV7nUL2Bxu+sJN7809DTpgwyGutQJ4f9CgpAb0+g2TCGdvbvB+Uh5H62iQaZDsaD8guusrIEkxjW83V/38DYaWe/Wh3CTfTqRqgDxql22n6a33qlU+k0F/het07ZhqtQ8bwL8QATDYg9zxCfRgr4YiMFQ1evS1qCOF8KWnRa2ApOO0qPJJ49DxJeFMD29pXhmxtrBPJelSeZqDUYVx8Ns0n72hh6FxBkRItntU6HGAtC+aZCi3h5HnUKyRTb63tJwm7OGkVltP5QaFT0nE1Tv2FdQSKFcLvnMCcx+P9VJ0dPXShbCv6JMdxQuqRIR3RRI5D6cv4O4HZKxtMuiZmsZySRFbSG033TGDEJKShlT5CleowW+21dHZeAWGLR9d/ScRE2i1Z69O4SgoZPyDpwHTb5jB+47oh0HNvUIvskyHfp57HkcUCmszZHf4wPblUjr33hCpk0k48mQfVEjekdRxojE7FTbDIERFZPb6tMDuUnhM7p7CE96A2ka0/renFPA8czLGOTltyxQmaCc0ZOV4nlUJ0m6L5dcXSPjpfm81y23GJJVy0DCY0tZ5YKT2C+5EEhL1gx0pWZ7Tf844FmwCfXaUIkxNkAKV4c/hBlvdAev6unXUj6LdsHEg8GqlV3KCAeG0wG9CnspmUnSrgNDSfa3AkFjTKXzLtLXa+FYTq8GNEyvrMQq/cWrHNU6kDr6Q+CH86U8J7kVepwbSTi49TvTxgkY8DiOlufv7EPa6CmgEYGNybMWhvdZ+rghVyp7botR30Wab/T7eHnUd+0CQHKaQmJ/eHBxIfJToQrchyXTM+VrehI7EQqn2HzeuSt5SneMtgNS71p+jgdrAO7w1LhJy7TDutGGPsW5ln5aT509OhwSUF5ZzJTTVytwb0QsBeGq+2DyrGwxQoaBOgXOFyI4Slryeb1+BC2ednybYRpve75cWUJ1RBxq9TrD8HSesOUE4tTH0DLhe211NLDCSzQ8wk4jVaPr+us4YKEAiBjL6TSWMg3ZdHDIcQVO4o8iXSlM4mDpRU56JODuQLJtBAMVPDkj1Ybj18qIhJ1ZO5YZmUfTQPXtv9heGRQI4MB00RmF8VTXafyqu07DY3bM2RPj9r/1ygEXq2sNXFQ2v2Q0Hai+sl9xU8djdvL8zhTNUWHyewhYnA==,iv:aSdbpsJoDerPqWTSWp0bQIcLChCzeoeGSTKEzvfzafo=,tag:LeOxrwyXdJyj7M0FRn25QQ==,type:str] | ||
5 | sops: | ||
6 | kms: [] | ||
7 | gcp_kms: [] | ||
8 | azure_kv: [] | ||
9 | hc_vault: [] | ||
10 | age: [] | ||
11 | lastmodified: "2021-05-15T13:05:09Z" | ||
12 | mac: ENC[AES256_GCM,data:ATdT6u3dMOgaBVg7cS5tpaA0fyoQdlW/jSzwPjm1mi7j5rNkilIiqIR+C159MrI5eeApkyOpzQP2lIAlANjbO+TlO2YIYd0Ue8pdoEZGQvDyWv3AARLfdlaPzFAGAnBnjihVmKp2kQjfmcSJkASBQM8e89R1PsAKGhH5xS5b0zM=,iv:UyMsuxYWVs/Q9/HTfPtjDNf+tUOHSAqA3klFt7yewYQ=,tag:Vu8xY4NVdw6MvjDWZwiO4A==,type:str] | ||
13 | pgp: | ||
14 | - created_at: "2021-05-15T13:03:47Z" | ||
15 | enc: | | ||
16 | -----BEGIN PGP MESSAGE----- | ||
17 | |||
18 | hF4DXxoViZlp6dISAQdAr0a9IJdY95UvcmMkCS73pQZVdjqHnVTTcpCXYuqkmiYw | ||
19 | rTIqyEsqpoSrkR57LBNX98ix99H/hvj6x8+dsv+K/nJQ9Jjs921UW2HJ8hPMD44Q | ||
20 | 0l4B2MyG+We3OClbt8BJmDo38/+/k9zSBdW2zbYEr4zhG7SCw0BryrPJwGAW54KT | ||
21 | 1fdnNwzN5jdFRObhkq8I725IaU4d7GYrpVebw29HP2fd0Uf+62iBToraRJNj3sxL | ||
22 | =JRkx | ||
23 | -----END PGP MESSAGE----- | ||
24 | fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51 | ||
25 | - created_at: "2021-05-15T13:03:47Z" | ||
26 | enc: | | ||
27 | -----BEGIN PGP MESSAGE----- | ||
28 | |||
29 | hF4DyFKFNkTVG5oSAQdAINIHQVygfLGVo2gdlKCoojmD5layNM6K/QlQR/CsaTsw | ||
30 | SY+3psZUwnwwe7QRnt2gHSOUgYrG6/nhiCAfxoZBQZ6zm+v0IUdbRKEJhhGJnHfV | ||
31 | 0l4BUMxGLYHapIPjzTUwYQv9rF30zO7pJ3vU+4zkReNOcPzENLGX1uZu/1aULOcO | ||
32 | F33lTLP2B9B7pjvPoetJiuds3jO7JZrN3mFhIf7MTZyg5dMBbDSnUMJ6NIW+ug5F | ||
33 | =SAFL | ||
34 | -----END PGP MESSAGE----- | ||
35 | fp: 7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8 | ||
36 | unencrypted_suffix: _unencrypted | ||
37 | version: 3.7.1 | ||
diff --git a/system-profiles/openssh/known-hosts/sif.nix b/system-profiles/openssh/known-hosts/sif.nix new file mode 100644 index 00000000..8326d389 --- /dev/null +++ b/system-profiles/openssh/known-hosts/sif.nix | |||
@@ -0,0 +1,16 @@ | |||
1 | let | ||
2 | hostNames = ["sif.asgard.yggdrasil" "sif.faraday.asgard.yggdrasil" "sif.midgard.yggdrasil"]; | ||
3 | in { | ||
4 | rsa = { | ||
5 | inherit hostNames; | ||
6 | publicKey = '' | ||
7 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCeFqJep1CuWakcoiAkz4bSaHbAIwM89Er46o3KUpjCWGTmDmhJyBiG38pupcctH0awwElkX09GsNx230mTtjT6qcxN+vGsGMJIqFD+/7ZobSLJDHYCo6Jx23jZUjg1SqxYjwB5ooWGI61Vh6SaOy8WRrUn0q8rJyd9SEC+3tJlKO5QqRi/Vnwzj47m+YjGz2UlqJ9a4GeRh1O5SiGx5jd4a/VoeK1XJcW94XeWpPQdUGnVYUXZn9cwYVrogmXdr18ImnPxghsQg4xwS2A6KMjUw9m56XkqIq7vTslmL9JaYcjlSCHbsSVq9+Wu1oKxoyndN7Sim7SkAZwHFUEMBNlontBitgYl6z10VdKX739os6h07uXjGEs+mPk4/CkGZhvhnErV2T9FO+65jnU3mZkeX5tfJHqJ8PnDch2JD6O7+Mjpce4zs/x3mwH36peER6iiIBYGlSF0AlUDShdqj+fPWFu6gZ9piOAZ2L3YXDA0ulM6pL69SbulrUNOwtTy6LkBfKDwpaQK1KO1VOYBaKa7s+krOJXW18k+tpfo4aKSeTuwvykMPndKMKvxcsxNymkGo2AzLw017Qgshzv9rRbLNMBFd85S3krakGyBVL0HAVrAdkjvsWqj5FnHAjgBc1AZnZPbJu3g9/wm7k8rPMV0jxKMpW+zxjVFYDhFUWYp9w== | ||
8 | ''; | ||
9 | }; | ||
10 | ed25519 = { | ||
11 | inherit hostNames; | ||
12 | publicKey = '' | ||
13 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfiwlzGcNQjamtIwv7fmXnddjajraeovaM6gRNui1+v | ||
14 | ''; | ||
15 | }; | ||
16 | } | ||
diff --git a/system-profiles/openssh/known-hosts/surtr.nix b/system-profiles/openssh/known-hosts/surtr.nix new file mode 100644 index 00000000..8d227b44 --- /dev/null +++ b/system-profiles/openssh/known-hosts/surtr.nix | |||
@@ -0,0 +1,28 @@ | |||
1 | let | ||
2 | hostNames = ["surtr.muspelheim.yggdrasil" "surtr.yggdrasil.li"]; | ||
3 | in { | ||
4 | dsa = { | ||
5 | inherit hostNames; | ||
6 | publicKey = '' | ||
7 | ssh-dss AAAAB3NzaC1kc3MAAACBAIgY3WWK/yD1QzQMako4FDkD22YODiCA/d7Ga14xpx7ujSPQJ0PqFd1aTPhrEZdy6pMnL82chGJD/oeurAacBxeuUouKvr10vtpaDJpcvqr/9m4zsx0OSeHl9M5PuSumjEXL/bsF/QSeo9Vp8uznLgHP/oglP8OI4Qsdh/0wisK1AAAAFQD04cH0JaWgJEUePcuYd02KW7t4aQAAAIBkFCGDPkJedRdJRy+l2OW6H7XdCQnA814cWOGaUItw5IVWz6KlVGPlETrBtRJhrgiwApy1Sk2rHxmuHCirAFS6FCZ5ct5wHKV2L/1CDphJzsYql9hUBTgevEpuAg9Kn1WjtcV+t+3LO9URD64BKHzpvtM2I5hAU4Zu6G2OV150MQAAAIB7B3lRZBxkDfb5x4cjitzFXN3FUzBcl0SD6/TJ+TH2lbTONMIXdT9zHw5BfEz3ObcScxCT2g99bvkxDwPNFRAorLAlEhCYB2zUV5QnJd8ZpIB3AFbokUxq+Q8fs5tU16Wv9TQ4oYmY3m9UAEqVz6ph562Ss+axO9qfSlNZX8feGA== | ||
8 | ''; | ||
9 | }; | ||
10 | ecdsa = { | ||
11 | inherit hostNames; | ||
12 | publicKey = '' | ||
13 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKLjbW8GWc7dF8HD8QrFZpZJop2xvFgvZnYfIl/slFASvphD6MBOHq3jx0+Tuk51xd4mvByTwoh8eokLZJidkZQ= | ||
14 | ''; | ||
15 | }; | ||
16 | ed25519 = { | ||
17 | inherit hostNames; | ||
18 | publicKey = '' | ||
19 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2LOAbV3XuAqJpXVY+YUnLIbhRsmAUmVQT3MioXGGgj | ||
20 | ''; | ||
21 | }; | ||
22 | rsa = { | ||
23 | inherit hostNames; | ||
24 | publicKey = '' | ||
25 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClFn6IDsDjuLXpThBtrRj+HLkNAwuBc4BgNqqIXkSRXy1FhDVgdI2iXKnJJLT/MWBMz73+QEYI+nDV6cxMCu292sZal+EAkyXJG6gQ9/rboucTuMWosrifAYabY4jUY79vYOiQGHG3XMIVjTQE8dRoXASzPKcok7PHftuW2qUu6ti7s3tqxY89Ez0cUz7jIECR7zHpIHZQbPd7z9luWOwZZc/eUGGWSxxz6idSPi/Adjk4FS56kIBk/uq9bZ8ylE/nwuJFUV90GzIr2nIQAcg6UVjYkw22+tA8BKzkS5Kx9ur7jVAhgs1qavKGnkYBuE4MvfjDzrkxRtlIPOjUQ3uuqYXkkkdMCooDl6+oKvN8dug6+cMdXn3/Q63cA0ols5rJz8iAtBoPRI8b835BWZcYHCk2aF2xT5hmB+GVhnFRZP8p9cRlr0jhYRjJKp80gTT7BPlMAQ0Sfmz5jLPd7X9yInKXCXdzxLTWvGqDq4GpunWVR6rgDMq5AswIcNhcwCc= | ||
26 | ''; | ||
27 | }; | ||
28 | } | ||
diff --git a/system-profiles/openssh/known-hosts/ymir.nix b/system-profiles/openssh/known-hosts/ymir.nix new file mode 100644 index 00000000..f29baf1d --- /dev/null +++ b/system-profiles/openssh/known-hosts/ymir.nix | |||
@@ -0,0 +1,16 @@ | |||
1 | let | ||
2 | hostNames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"]; | ||
3 | in { | ||
4 | rsa = { | ||
5 | inherit hostNames; | ||
6 | publicKey = '' | ||
7 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWpw== | ||
8 | ''; | ||
9 | }; | ||
10 | ed25519 = { | ||
11 | inherit hostNames; | ||
12 | publicKey = '' | ||
13 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZD | ||
14 | ''; | ||
15 | }; | ||
16 | } | ||
diff --git a/system-profiles/qemu-guest.nix b/system-profiles/qemu-guest.nix new file mode 100644 index 00000000..8654eba0 --- /dev/null +++ b/system-profiles/qemu-guest.nix | |||
@@ -0,0 +1,10 @@ | |||
1 | { ... }: | ||
2 | { | ||
3 | config = { | ||
4 | boot.initrd = { | ||
5 | kernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" "virtio_balloon" "virtio_console" "virtio_rng" ]; | ||
6 | }; | ||
7 | |||
8 | services.qemuGuest.enable = true; | ||
9 | }; | ||
10 | } | ||
diff --git a/system-profiles/rebuild-machines/default.nix b/system-profiles/rebuild-machines/default.nix new file mode 100644 index 00000000..e2a15aae --- /dev/null +++ b/system-profiles/rebuild-machines/default.nix | |||
@@ -0,0 +1,111 @@ | |||
1 | { config, pkgs, hostName, lib, ... }: | ||
2 | |||
3 | with lib; | ||
4 | |||
5 | let | ||
6 | cfg = config.system.rebuild-machine; | ||
7 | |||
8 | sshConfig = pkgs.writeText "config" '' | ||
9 | UserKnownHostsFile ${knownHostsFile} | ||
10 | |||
11 | Host ${cfg.repoHost} | ||
12 | User ${cfg.repoUser} | ||
13 | IdentityFile ${if isNull cfg.sopsConfig then cfg.repoPrivkey else config.sops.secrets."${cfg.sopsName}".path} | ||
14 | IdentitiesOnly yes | ||
15 | ''; | ||
16 | |||
17 | knownHostsFile = pkgs.writeText "known_hosts" (concatMapStringsSep "\n" (kPath: cfg.repoHost + " " + readFile kPath) (attrValues cfg.repoPubkeys)); | ||
18 | |||
19 | rebuildScript = pkgs.stdenv.mkDerivation { | ||
20 | name = "rebuild-${hostName}"; | ||
21 | |||
22 | src = ./rebuild-machine.zsh; | ||
23 | |||
24 | buildInputs = with pkgs; [ makeWrapper ]; | ||
25 | |||
26 | phases = [ "buildPhase" "installPhase" ]; | ||
27 | |||
28 | inherit (pkgs) zsh coreutils openssh; | ||
29 | inherit (cfg) flake scriptName; | ||
30 | nixosRebuild = config.system.build.nixos-rebuild; | ||
31 | inherit (config.security) wrapperDir; | ||
32 | inherit sshConfig; | ||
33 | |||
34 | buildPhase = '' | ||
35 | substituteAll $src rebuild-machine.zsh | ||
36 | ''; | ||
37 | |||
38 | installPhase = '' | ||
39 | mkdir -p $out/bin | ||
40 | install -m 0755 rebuild-machine.zsh $out/bin/${cfg.scriptName} | ||
41 | ''; | ||
42 | }; | ||
43 | in { | ||
44 | options = { | ||
45 | system.rebuild-machine = { | ||
46 | scriptName = mkOption { | ||
47 | type = types.str; | ||
48 | default = "rebuild-${hostName}"; | ||
49 | description = '' | ||
50 | Name of the script wrapping <literal>nixos-rebuild</literal> | ||
51 | ''; | ||
52 | }; | ||
53 | |||
54 | flake = mkOption { | ||
55 | type = types.nullOr types.str; | ||
56 | default = "git+ssh://${cfg.repoHost}/nixos?ref=flakes#${hostName}"; | ||
57 | description = '' | ||
58 | The Flake URI of the NixOS configuration to build. | ||
59 | ''; | ||
60 | }; | ||
61 | |||
62 | repoHost = mkOption { | ||
63 | type = types.str; | ||
64 | default = "git.yggdrasil.li"; | ||
65 | }; | ||
66 | |||
67 | repoUser = mkOption { | ||
68 | type = types.str; | ||
69 | default = "gitolite"; | ||
70 | }; | ||
71 | |||
72 | repoPubkeys = mkOption { | ||
73 | type = types.attrsOf types.path; | ||
74 | default = genAttrs ["rsa" "ed25519"] (kType: ./ssh-pub + "/${cfg.repoHost}-${kType}.pub"); | ||
75 | }; | ||
76 | |||
77 | repoPrivkey = mkOption { | ||
78 | type = types.path; | ||
79 | default = ./ssh + "/${hostName}/private"; | ||
80 | }; | ||
81 | |||
82 | sopsName = mkOption { | ||
83 | type = types.nullOr types.str; | ||
84 | default = "rebuild-machines"; | ||
85 | }; | ||
86 | |||
87 | sopsConfig = mkOption { | ||
88 | type = types.nullOr types.attrs; | ||
89 | default = { | ||
90 | format = "binary"; | ||
91 | }; | ||
92 | }; | ||
93 | }; | ||
94 | }; | ||
95 | |||
96 | config = { | ||
97 | assertions = [ | ||
98 | { assertion = isNull cfg.sopsConfig || (!(isNull cfg.sopsName)); | ||
99 | message = "If option sopsConfig is not null option sopsName may not be null"; | ||
100 | } | ||
101 | ]; | ||
102 | |||
103 | sops.secrets = lib.mkIf (!(isNull cfg.sopsConfig)) { | ||
104 | "${cfg.sopsName}" = { | ||
105 | sopsFile = cfg.repoPrivkey; | ||
106 | } // cfg.sopsConfig; | ||
107 | }; | ||
108 | |||
109 | environment.systemPackages = [ rebuildScript ]; | ||
110 | }; | ||
111 | } | ||
diff --git a/system-profiles/rebuild-machines/rebuild-machine.zsh b/system-profiles/rebuild-machines/rebuild-machine.zsh new file mode 100644 index 00000000..6420a417 --- /dev/null +++ b/system-profiles/rebuild-machines/rebuild-machine.zsh | |||
@@ -0,0 +1,10 @@ | |||
1 | #!@zsh@/bin/zsh -e | ||
2 | |||
3 | if [[ $(@coreutils@/bin/whoami) != "root" ]]; then | ||
4 | exec @wrapperDir@/sudo -H -- @out@/bin/@scriptName@ $@ | ||
5 | fi | ||
6 | |||
7 | export NIX_SSHOPTS="-F @sshConfig@" | ||
8 | export GIT_SSH_COMMAND="@openssh@/bin/ssh -F @sshConfig@" | ||
9 | export GIT_CONFIG_COUNT=0 GIT_CONFIG_KEY_0="init.defaultBranch" GIT_CONFIG_VALUE_0=main | ||
10 | exec -- @nixosRebuild@/bin/nixos-rebuild --refresh --flake '@flake@' ${@:-switch} | ||
diff --git a/system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-ed25519.pub b/system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-ed25519.pub new file mode 100644 index 00000000..aaf4b012 --- /dev/null +++ b/system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-ed25519.pub | |||
@@ -0,0 +1 @@ | |||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZD | |||
diff --git a/system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-rsa.pub b/system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-rsa.pub new file mode 100644 index 00000000..7748d3a1 --- /dev/null +++ b/system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-rsa.pub | |||
@@ -0,0 +1 @@ | |||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWpw== | |||
diff --git a/system-profiles/rebuild-machines/ssh/sif/private b/system-profiles/rebuild-machines/ssh/sif/private new file mode 100644 index 00000000..ffac520a --- /dev/null +++ b/system-profiles/rebuild-machines/ssh/sif/private | |||
@@ -0,0 +1,26 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:8AhUuD0/SiwXAv3nD+nzJPUtf67O9/wcyY1Iu/RCMzqKOs6iRTLlcvxyOtirUUtKRc7QECpX/TQ/K6PFo/0FKrNWn/aVCb0TnZFucL5UXsjO6TDnLWV7x+Huvcgj3RmEi4l24S/NBDuo7RtBBDByfaegavBRkx9NuFiYD16YVrQgvqL8owzXBTSmwfnlTNmRv2tsZzEbaaxRzgRf8USbks7bHWeEMOJ1Lx7svPm5GgARm+6N+wwXmsyDCXiRCOu54bHftUPh0lOKLw6Nggnn8vDgv1OJLemwtrMr7vZ0wZ8NWwYDfHr0FyYI/0isCpDXzFvtFd8XsXCOQxD29QM1C1CdSbavnBcc4UMoKoJzBeBHFlqqMSLrHDmFSKet+rr8nTu2ZKEyHq0C8T/h4sBXdrOF2G7GGEdohL/9sy9yrNgvvYRBv/85uieV3qr8OQ8dhmR4Cj1DucLROslLW9/QOp12Z8wcDRbA185Vh2SnYEF+K+EPYlEV3SBLLl3GxOT2cjUHefBEl727lgNdh2gYxIpMTYxTMum7cosv,iv:y97GnUb2wyIHP3Nj+/VkHbC3nwegrKnAipp33tjFLE4=,tag:u01az3q8edvpQ52k9SQL1w==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": null, | ||
9 | "lastmodified": "2021-06-06T15:05:54Z", | ||
10 | "mac": "ENC[AES256_GCM,data:Cf8WbqV4bqkg+W84hRSjMsrqzV7QZqAJeU/DrlN94NRaLDbayXK/kbxz9gMWY6Eyv3D70ulc75EBojZF1SXfk/WpDHpVJ4DEizb28oIfE4x88MmQ7ZJuskqXQaFa4MohJVQ/7ukr9bTjNMm7RFtq+yNKkIy6mj2YBk6BYsPgwic=,iv:kq+FpwQEWJo18QEEqG1uZ3uJ1MpklqN7Oaj0fPw8/0k=,tag:FYHLHjzeD+28KHD7x5JwGA==,type:str]", | ||
11 | "pgp": [ | ||
12 | { | ||
13 | "created_at": "2021-06-06T15:05:54Z", | ||
14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAO0QzeTgAkvdr+w43Yk9a0X1AmwQd1b1CFPNbINQbvSww\noa85a30JfMy9r2LRfTd9S8sd7rAfOaRCaPrJVWHQBXd0s36Ux8gSktcAM+PzYBCE\n0l4BkVI6bLaO756h5ru+gANRuqMRKgpV8PB3PMmIlhinUAZFsmNJb1T1O13JkMsM\nMuygJ8cg8LukjEeXM7jnWO52cX1NcoquhJK7f0eVvFMNW3Iexf9pI0XC0iSYW69B\n=lQQZ\n-----END PGP MESSAGE-----\n", | ||
15 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
16 | }, | ||
17 | { | ||
18 | "created_at": "2021-06-06T15:05:54Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdANW63iv/Mn2irKYdSZxX7iwIPyDGmGDUDUnbWEgel/jcw\nLILXuiWOkgfG2G4tvqdM4AHkYoKEA1mAfH9ybFJMhiS12WI60or6Z8e0cd23mteo\n0l4BU7FiVt9p8/96qJlVuGUS3GRlhnczFN9GIBaj9BkzuifFbC+S4iphvO6u59m1\nGodFjFZ5ayfvgSRLb93DN7cGUfhcZ80oQHSiuJxFC7I0xnTcg/LKxYvX49yHE6/I\n=63VB\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.1" | ||
25 | } | ||
26 | } \ No newline at end of file | ||
diff --git a/system-profiles/rebuild-machines/ssh/sif/public b/system-profiles/rebuild-machines/ssh/sif/public new file mode 100644 index 00000000..fa3eeefb --- /dev/null +++ b/system-profiles/rebuild-machines/ssh/sif/public | |||
@@ -0,0 +1 @@ | |||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj5I8YSEwS+44YDksxm5JgrmOvz+Jhzj2tWFUWT9z+M rebuild-machines@sif | |||
diff --git a/system-profiles/rebuild-machines/ssh/surtr/private b/system-profiles/rebuild-machines/ssh/surtr/private new file mode 100644 index 00000000..40651674 --- /dev/null +++ b/system-profiles/rebuild-machines/ssh/surtr/private | |||
@@ -0,0 +1,26 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:6iBi0nQMKJccWxpWkJcWIdpQ4qitMgewFs0LAUU7PFH268hoCkmiWgfq+ZJ1E4hfgAMqTmiS+FJUnYyAGaHHghPCMjHLaNaoS25GjQM3S0pUFd56zGipP0xkii4HaiEGEpcxmXuGHnfrJgJZIHSsl8KRaLRJUKmIl7uorN0nGo6A2R+DKljExXRpH/ZSZj5dCoTu8tVCwnKxgDh9rDhEKCYIl1XnTKV8U8KeT9M7KJt6VWA5mmYhziv0No2U8g22T1ZQP+ATIqGXzbDUDEjY+kg7q6Om0ZsWBL2mJ7U88V/BBMymeYrJiawxrjXzG1VtsnMC7pn8F5BgHCz8x3lUIi2/wlWdqKEUp+TuKEMeuGLdaAifdeFKG/qnFBtNQLxcScvilXAH4w2L+yjCnJbdKoGk1GdJl1U/a2lEXmzbwSQ7Gxlq2rSDpTRW91Gr6I/JXJS6vpq8XRv1faHDGGW+AuNArP9P85/d/S7Fv/UeRQ7vNi30ePG6LjTN+0ajhqwv2YEocArFj+1I8vY3RSQ0PVj27Cwcc582BBmhRZNccgI7AL8=,iv:IwcMztAFDpOE23dYEzjJiv6qhk9E0/Qb/xgwbtt9xt0=,tag:qYMBaoUtkUDR1taehr7Y/g==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": null, | ||
9 | "lastmodified": "2021-05-15T17:58:53Z", | ||
10 | "mac": "ENC[AES256_GCM,data:N/CM/+4b02tRBFqFioX/FRPPj4bG3QGltIg7KZk7BYrl+5rJ/6QKL1g+CqsLTteRAbHiluBNFMT/dUBSmiQ+So95sUTc+rICRNKmxCX5GFxw3Kr5/y4r9W/sw/NOSXQD4+dctkhKmzg9NFR+T4pLM8W4KErtV384Wy3ccAW/g8g=,iv:Rr4rDloQRRsLTErUNbB1OIKbi5qyh2gU1y55sU7ecTY=,tag:sYHPOKcAWNfjz26X+w4r3g==,type:str]", | ||
11 | "pgp": [ | ||
12 | { | ||
13 | "created_at": "2021-05-15T17:58:52Z", | ||
14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAJOYE8FC5GREn7xoQfuSMvow0GwajGfi4bw+FEydrDhAw\n+F8ryseAyQPgVouzlO2aItBy20dYYNs6zkcfnuZemDdBSpQQmahtXBs5Dt3wGhvg\n0l4BPJeJ3cpuLDQMFnNfTOLJRdoR0kvxVHJBBYJ+Jn4ArPrpiMReJvyLl7i83wDb\nsb+WCcu83IFLM/oInb22cto3shATTLgr30hq65+RwAXlGBNmoAT0HH9MDsgq+VQw\n=nsV9\n-----END PGP MESSAGE-----\n", | ||
15 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
16 | }, | ||
17 | { | ||
18 | "created_at": "2021-05-15T17:58:52Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA12ftTan1dZSX50t5H1/LdTse+nhePZS6RxqV7WcRi04w\nyiqJt+C6AFBZl4esCqHQjpPnmkb5pvI2/P9e8bvK8uszIF35KC+r55LAaB2RXkr2\n0l4BX0fPwE6XNtiBn2hQo7KYnci6s25itij+uppRyu6Cnc3Hi4Emro4MFBBJlot8\no773ulk8jmOeR2k9fLDSMQ0EO+3zZbm7zz/fK46SyFzBIAPvCx0fEpXi0ZdLES2k\n=rULf\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.1" | ||
25 | } | ||
26 | } \ No newline at end of file | ||
diff --git a/system-profiles/rebuild-machines/ssh/surtr/public b/system-profiles/rebuild-machines/ssh/surtr/public new file mode 100644 index 00000000..323e8398 --- /dev/null +++ b/system-profiles/rebuild-machines/ssh/surtr/public | |||
@@ -0,0 +1 @@ | |||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5HJRwdwtmIqx8HRK0AKIq+vSCHvGv98rOmraSGwnTL rebuild-machines@surtr | |||
diff --git a/system-profiles/sudo.nix b/system-profiles/sudo.nix new file mode 100644 index 00000000..f2401b9f --- /dev/null +++ b/system-profiles/sudo.nix | |||
@@ -0,0 +1,39 @@ | |||
1 | { ... }: | ||
2 | { | ||
3 | security.sudo.extraRules = [ | ||
4 | { groups = "wheel"; | ||
5 | commands = map (command: { inherit command; options = "NOPASSWD"; }) [ | ||
6 | "/run/current-system/sw/sbin/shutdown" | ||
7 | "/run/current-system/sw/sbin/reboot" | ||
8 | "/run/current-system/sw/sbin/halt" | ||
9 | "/run/current-system/sw/bin/systemctl" | ||
10 | ]; | ||
11 | } | ||
12 | ]; | ||
13 | |||
14 | users.extraGroups.network = {}; | ||
15 | |||
16 | security.polkit = { | ||
17 | enable = true; | ||
18 | extraConfig = '' | ||
19 | polkit.addRule(function(action, subject) { | ||
20 | if ( action.id == "org.freedesktop.systemd1.manage-units" | ||
21 | && subject.isInGroup("wheel") | ||
22 | ) { | ||
23 | return polkit.Result.YES; | ||
24 | } | ||
25 | }); | ||
26 | |||
27 | polkit.addRule(function(action, subject) { | ||
28 | if ((action.id == "org.blueman.rfkill.setstate" || | ||
29 | action.id == "org.blueman.network.setup" || | ||
30 | action.id == "org.freedesktop.NetworkManager.settings.modify.system" | ||
31 | ) && subject.local | ||
32 | && subject.active && subject.isInGroup("network") | ||
33 | ) { | ||
34 | return polkit.Result.YES; | ||
35 | } | ||
36 | }); | ||
37 | ''; | ||
38 | }; | ||
39 | } | ||