jasmine/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

refactor(ssh): decentralize SSH configuration to per-host services

Browse source 
Restructures SSH trust relationships from global to host-specific configuration
for better locality of concern and principle of least privilege.

Changes:
- Collapse nixos/common/global/ssh/ back to ssh.nix (single-file module)
- Move internal host trust (fuchsia/viridian) to per-host services/ssh/
- Split BorgBase known hosts by repository (li9kg944 for fuchsia, r7ag7x1w for viridian)
- Add viridian SSH server config to accept backup connections from fuchsia
- Add fuchsia borgbackup passphrase for offsite backups
- Configure viridian to create /srv/borg-repo/fuchsia for remote backups

This enables the 3-2-1 backup strategy with fuchsia backing up to both viridian
(onsite) and BorgBase (offsite) with proper SSH authentication.
This commit is contained in:
♥ Minnie ♥ 2025-10-07 22:33:20 +08:00
parent acab920858
commit 85dc419349
Signed by: jasmine
GPG key ID: 8563E358D4E8040E
9 changed files with 69 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

BIN
nixos/fuchsia/services/borgbackup/passphrase.age Normal file
View file

Binary file not shown.

1
nixos/fuchsia/services/default.nix
View file

@ -7,6 +7,7 @@
./pipewire
./printing
./snapper
./ssh
./udev
./xserver
];

3
nixos/fuchsia/services/ssh/borgbase_hosts Normal file
View file

@ -0,0 +1,3 @@
li9kg944.repo.borgbase.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMS3185JdDy7ffnr0nLWqVy8FaAQeVh1QYUSiNpW5ESq
li9kg944.repo.borgbase.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwHsO5g7kAEpqcK4bpHCUKYV1cKCUNwVEVsDQyfj7N8L92E21n+aEhIX2Nh/kFs1W9D/pgsWQBAbco9e/ORuagHrO8hUQtbda5Z31PAo4eipwP17VQr5rF3seaJJNFV72v89PGwMOWQwvoJte+yngC6PYGKJ+w63SRtflihAmf4xa5Tci/f6jbX6t32m2F3bnephVzQO6anGXvGPR8QYQXzSu/27+LaKnLd2Kugb1Ytbo0+6kioa60HWejIZ/mCrCHXYpi0jAllaYEuAsTqFWf/OFUHrKWwRAJD0TV43O1++vLlxY85oQxIgc4oUbm93dXmDBssrTnqqq2jqonteUr
li9kg944.repo.borgbase.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOstKfBbwVOYQh3J7X4nzd6/VYgLfaucP9z5n4cpSzcZAOKGh6jH8e1mhQ4YupthlsdPKyFFZ3pKo4mTaRRuiJo=

18
nixos/fuchsia/services/ssh/default.nix Normal file
View file

@ -0,0 +1,18 @@
{inputs, ...}: {
# Trust viridian's host keys for SSH connections
programs.ssh.knownHosts = {
"viridian-ed25519" = {
hostNames = ["viridian"];
publicKeyFile = "${inputs.self}/nixos/viridian/ssh_host_ed25519_key.pub";
};
"viridian-rsa" = {
hostNames = ["viridian"];
publicKeyFile = "${inputs.self}/nixos/viridian/ssh_host_rsa_key.pub";
};
};
# Trust BorgBase repository (offsite backup target)
programs.ssh.knownHostsFiles = [
./borgbase_hosts
];
}