authorMel <mel@rnrd.eu>2025-07-25 15:40:28 +0200
committerMel <mel@rnrd.eu>2025-07-25 15:40:28 +0200
commit8572f3b4db7e26d7e2751f03873069943fca3fe8 (patch)
tree2693aa8104a3afb2459cab2d5d3763ad1f5443ee
parent99a008a30f2be2cc417e309ef01d02d6995f0c78 (diff)
downloadminerals-8572f3b4db7e26d7e2751f03873069943fca3fe8.tar.zst
minerals-8572f3b4db7e26d7e2751f03873069943fca3fe8.zip
Use age secrets on mineral machines (mainly for work-related tasks)
Signed-off-by: Mel <mel@rnrd.eu>
-rw-r--r--modules/common.nix5
-rw-r--r--modules/user.nix6
-rw-r--r--secrets/keys.nix37
-rw-r--r--secrets/password.age16
-rw-r--r--secrets/secrets.nix13
5 files changed, 76 insertions, 1 deletions
diff --git a/modules/common.nix b/modules/common.nix
index 66d48bb..45395a1 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -92,6 +92,11 @@ in
     };
   };
 
+  # on desktop machines (a.k.a. minerals) we only use tailscale ssh
+  # for access, so we don't generally have normal host keys, and
+  # have to grab the ones tailscale uses.
+  age.identityPaths = [ "/var/lib/tailscale/ssh/ssh_host_ed25519_key" ];
+
   # TODO: the filter already does some good work, but we need some way to
   # pick out x86-only packages, so it is not as opaque as it currently is.
   # (who knows if muse-sounds-manager is actually installed, for example?)
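Review bot: Setting `age.identityPaths` replaces agenix's default identity list rather than extending it, so any mineral that does have regular OpenSSH host keys loses them as decryption identities; since the comment says "we don't generally have normal host keys", that seems intended, but the comment should say it outright, e.g. `# NOTE: this replaces agenix's default identity list (the openssh host keys), it does not extend it.` Decryption now also hinges on `/var/lib/tailscale/ssh/ssh_host_ed25519_key` existing at activation time, which presumably is only the case once the machine has been enrolled with `tailscale up --ssh`; a fresh install that activates this configuration before enrolling would likely fail to decrypt `password.age`, so that ordering is worth documenting next to the path. The enclosing attribute set starts and ends outside the hunk.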
diff --git a/modules/user.nix b/modules/user.nix
index 55985b6..5fd5dfa 100644
--- a/modules/user.nix
+++ b/modules/user.nix
@@ -1,13 +1,17 @@
 { config, pkgs, unstablePkgs, auxiliaryPkgs, ... }:
 
 {
+  age.secrets.password = {
+    file = ../secrets/password.age;
+  };
+
   users.mutableUsers = false;
   users.users.mel = {
     isNormalUser = true;
     description = "Mel";
     shell = pkgs.fish;
     extraGroups = [ "wheel" "dialout" "kvm" "networkmanager" "adbusers" ];
-    hashedPassword = "$y$j9T$4wGl.YJizIpcfFv0LyvLU0$7LLEkjIFWBOV.XXynReCOczBYNX0EZfMPIDB/bmmhhC";
+    hashedPasswordFile = config.age.secrets.password.path;
 
     # TODO: commented out pacckages are currently not available on ARM, and thus not on the
     # moissanite machine. filter them out in a better way.
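Review bot: The yescrypt hash removed from `hashedPassword` remains recoverable from git history (this commit's parent), so moving it into `password.age` only protects it going forward; unless the password itself is rotated, the encrypted secret now guards a value already exposed to everyone with repository access. A short comment next to the new line would record that decision, e.g. `# hash now lives in secrets/password.age; the old plaintext hash in history means the password should be rotated`. With `users.mutableUsers = false`, a failed decryption at activation presumably leaves mel without a usable password, so local console login then depends entirely on the secret being available; verifying that on one machine before rolling out is worthwhile. The `users.users.mel` attribute set continues past the end of the hunk.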
diff --git a/secrets/keys.nix b/secrets/keys.nix
new file mode 100644
index 0000000..a0538e3
--- /dev/null
+++ b/secrets/keys.nix
@@ -0,0 +1,37 @@
+let
+  machines = {
+    bismuth = {
+      user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEK96G1n31aJsZOrux3BKM0ztzi/SFAVHn0MsGkPDdqY";
+      system = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEP1Q8/07PD5AXghM7cd9Uf54YY8rkuBHfllr1Kzxh10";
+    };
+
+    graphite = {
+      user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDujTul5wWyGnidLnNuJDRze0Up29l2cDpyKdmvW2Ls";
+      system = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHd+EvfxJC1rZbeI6hUq5tPpy8b3Xio02orgMBLwPU2l";
+    };
+
+    moissanite = {
+      user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTG/DHTkuQgwLakSBuXx3XBe+WjUmDlSgLBGzldx/ZD";
+      system = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPy6IFaPkJMT89s1PZ/ekFGDKF2kvsRuAUB5NTtYQPSL";
+    };
+  };
+
+  keysOfType = type: from: with builtins; catAttrs type (attrValues from);
+
+  machinesWithKey = type: from: builtins.mapAttrs (m: k: k.${type}) from;
+in
+rec {
+  inherit machines;
+
+  # keys of admin accounts on network machines
+  allUsers = keysOfType "user" machines;
+  # system host keys of all network machines
+  allSystems = keysOfType "system" machines;
+  # all keys, whether system or user
+  all = allUsers ++ allSystems;
+
+  # user keys per machine
+  user = machinesWithKey "user" machines;
+  # system keys per machine
+  system = machinesWithKey "system" machines;
+}
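Review bot: The `system` entries are documented as "system host keys", but given that modules/common.nix points `age.identityPaths` at the tailscale ssh host key, they must be the public halves of the tailscale-generated keys at `/var/lib/tailscale/ssh/ssh_host_ed25519_key`, not the regular OpenSSH host keys; the comment on `allSystems` should say so, e.g. `# tailscale ssh host keys (not the openssh host keys) of all network machines`, so nobody adds an openssh key here and is puzzled when decryption fails. In `machinesWithKey` the first lambda argument is unused; writing it as `machinesWithKey = type: from: builtins.mapAttrs (_: k: k.${type}) from;` makes that explicit. `rec` is only needed for `all`, which is fine as written.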
diff --git a/secrets/password.age b/secrets/password.age
new file mode 100644
index 0000000..3828af6
--- /dev/null
+++ b/secrets/password.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 wCqppQ qJk8Pqz7if73uYfPRBIDvWe0wNsZj/NLLz/TA7qh2Wc
+0nA2J6KAyQqCrCz0lwQoAnmGSCobLbHCdIidL09iYtU
+-> ssh-ed25519 zzzNMA Zkxb35t5NQ9aTICPBHkGtA5jV6DfM5BRHP5jbWZH9U4
+RbD4WcorJ8AP8COzH1VZZdnU/jdgLFsJiaJT2xZFj70
+-> ssh-ed25519 RjmmfA 5sVo7hUrzMrRf9Sn0TBc1dJo1i7hectcUGJk2JmhRSE
+jeHQmHUx+WKTIeJU6o5XXbGd25aMb4pXzzINPmoS67M
+-> ssh-ed25519 Ke+vKw kIxM1mYTkd1W5WH9poKGvOmBZfhP4//ynaWYWlW4oEM
+u7MN2aYq7S+YpflYU0BpXSM4PDHPurD4W5UvmL9xQrw
+-> ssh-ed25519 bykYHg GorirhljIdkao0GOT8qYpQQQ90NUS7+2pQ5j0E80BV0
+iJBA8kjagYn7TA1RmXL3fFbGxe729ScloqsQqKhtjxY
+-> ssh-ed25519 mE4Xjg PJYnN9wqLZFq/VDai9yOWRZWCs2b7a4BEdT+Eeu6aRs
+GKVKMfPgiwO6/pbKugW1b8Tmxnesswn/wi1KOhgw1ps
+--- 99Lq/Bs9FkeLlMoJZb1b+STAs/e689WNI42JCoEg0i0
+gIr#}=TŽf=[D`4285q{Vܝ
,"a6i+M
+XkQKk≠qrxۧ-؝
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..f11c60c
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,13 @@
+let
+  keys = import ./keys.nix;
+
+  inherit (keys) allUsers allSystems;
+  inherit (keys.system)
+    bismuth
+    graphite
+    moissanite
+    ;
+in
+{
+  "password.age".publicKeys = allSystems ++ allUsers;
+}
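Review bot: The `inherit (keys.system) bismuth graphite moissanite;` binding on lines 137-141 is never used — `publicKeys` only references `allSystems` and `allUsers` — so it is dead code that suggests per-machine scoping that does not exist; either drop it, or keep it with a comment naming the per-machine secret it is reserved for. Because `password.age` is encrypted to every system key and every user key, any one of the six private keys in keys.nix can decrypt the password hash; that is reasonable for a single shared account, but a one-line comment such as `# readable by every mineral host and every admin user key` would make the intended reader set explicit for future secrets added here.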