jasmine/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: jasmine:6723c0e0b6eb236bfd6db06de88b89b8f8cb7ee7
Branches Tags
jasmine:master
..
compare: jasmine:a6fa8866ac766484187ac34cec62e5da56e62252
Branches Tags
jasmine:master

No commits in common. "6723c0e0b6eb236bfd6db06de88b89b8f8cb7ee7" and "a6fa8866ac766484187ac34cec62e5da56e62252" have entirely different histories.
6723c0e0b6 ... a6fa8866ac

14 changed files with 31 additions and 62 deletions
Download patch file Download diff file Expand all files Collapse all files

BIN
nixos/common/global/secrets/rekeyed/fuchsia/b13fe910c59fe6344a048e24e98c923c-borgbackup.age
View file

Binary file not shown.

11
nixos/common/global/secrets/rekeyed/viridian/473ab42e4fc9cfd4f093251c178bdbaa-projectsend.age Normal file
View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 KTkZog Up5AjKprErUc0nI98az6EFmtxev7vdg+PmNzQgizHTc
NJ+/pzyDbSgmm+0jx4C2X4ISoJDD004HlN1Ul3vrmzM
-> RGCv~-grease
Ov7OyKCQF8tm4G+cXFlibXFROTAHhssk1JaozlPpUmnFOX5ao78jVORa27WHEF/H
XxEDY0JQU6oL2fM
--- hV6JhDfXuYLaf/iGqjN6Q/N6tnDR6J1V627DDLnaGZI
°ó5<EFBFBD>Œcŧ»µ²îìu=€
iFdϲß[<D™ì0|#Ú!rHU™ŸúDª´kH'çHJØÞ@5AsK[@ zÚpm P]@¤ŸŸÓâj¡Îï/)AódÉ.¤×¡M;{h6zÄ÷É)¢×4+/aûwÀøF«apü[X<δ
ŒT
?HÞoo

15
nixos/common/global/ssh.nix
View file

@ -1,17 +1,12 @@
{...}: { {...}: {
# Global SSH server configuration baseline
# Host-specific trust relationships are configured in each host's services/ssh/
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
PermitRootLogin = "no"; # Disable root login for security PermitRootLogin = "no";
PasswordAuthentication = false; # Require key-based authentication PasswordAuthentication = false;
LogLevel = "VERBOSE"; # Enhanced logging for security auditing LogLevel = "VERBOSE";
}; };
ports = [22];
ports = [22]; # Standard SSH port openFirewall = true;
openFirewall = true; # Allow SSH through firewall
}; };
} }

5
nixos/fuchsia/services/borgbackup/offsite.nix
View file

@ -78,4 +78,9 @@
monthly = 12; # Keep 12 monthly backups (1 year) monthly = 12; # Keep 12 monthly backups (1 year)
}; };
}; };
# SSH host keys for borgbase.com
programs.ssh.knownHostsFiles = [
./borgbase_hosts
];
} }

5
nixos/fuchsia/services/borgbackup/onsite.nix
View file

@ -76,4 +76,9 @@ in {
monthly = 12; monthly = 12;
}; };
}; };
# SSH host keys for viridian
programs.ssh.knownHostsFiles = [
./viridian_hosts
];
} }

BIN
nixos/fuchsia/services/borgbackup/passphrase.age
View file

Binary file not shown.

1
nixos/fuchsia/services/default.nix
View file

@ -7,7 +7,6 @@
./pipewire ./pipewire
./printing ./printing
./snapper ./snapper
./ssh
./udev ./udev
./xserver ./xserver
]; ];

3
nixos/fuchsia/services/ssh/borgbase_hosts
View file

@ -1,3 +0,0 @@
li9kg944.repo.borgbase.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMS3185JdDy7ffnr0nLWqVy8FaAQeVh1QYUSiNpW5ESq
li9kg944.repo.borgbase.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwHsO5g7kAEpqcK4bpHCUKYV1cKCUNwVEVsDQyfj7N8L92E21n+aEhIX2Nh/kFs1W9D/pgsWQBAbco9e/ORuagHrO8hUQtbda5Z31PAo4eipwP17VQr5rF3seaJJNFV72v89PGwMOWQwvoJte+yngC6PYGKJ+w63SRtflihAmf4xa5Tci/f6jbX6t32m2F3bnephVzQO6anGXvGPR8QYQXzSu/27+LaKnLd2Kugb1Ytbo0+6kioa60HWejIZ/mCrCHXYpi0jAllaYEuAsTqFWf/OFUHrKWwRAJD0TV43O1++vLlxY85oQxIgc4oUbm93dXmDBssrTnqqq2jqonteUr
li9kg944.repo.borgbase.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOstKfBbwVOYQh3J7X4nzd6/VYgLfaucP9z5n4cpSzcZAOKGh6jH8e1mhQ4YupthlsdPKyFFZ3pKo4mTaRRuiJo=

18
nixos/fuchsia/services/ssh/default.nix
View file

@ -1,18 +0,0 @@
{inputs, ...}: {
# Trust viridian's host keys for SSH connections
programs.ssh.knownHosts = {
"viridian-ed25519" = {
hostNames = ["viridian"];
publicKeyFile = "${inputs.self}/nixos/viridian/ssh_host_ed25519_key.pub";
};
"viridian-rsa" = {
hostNames = ["viridian"];
publicKeyFile = "${inputs.self}/nixos/viridian/ssh_host_rsa_key.pub";
};
};
# Trust BorgBase repository (offsite backup target)
programs.ssh.knownHostsFiles = [
./borgbase_hosts
];
}

0
nixos/viridian/services/ssh/borgbase_hosts → nixos/viridian/services/borgbackup/borgbase_hosts
View file

BIN
nixos/viridian/services/borgbackup/key.age Normal file
View file

Binary file not shown.

5
nixos/viridian/services/borgbackup/offsite.nix
View file

@ -81,4 +81,9 @@
monthly = 12; # Keep 12 monthly backups (1 year) monthly = 12; # Keep 12 monthly backups (1 year)
}; };
}; };
# SSH host keys for borgbase.com
programs.ssh.knownHostsFiles = [
./borgbase_hosts
];
} }

1
nixos/viridian/services/default.nix
View file

@ -10,7 +10,6 @@
./murmur ./murmur
./opengist ./opengist
./snapper ./snapper
./ssh
./traefik ./traefik
]; ];
} }

29
nixos/viridian/services/ssh/default.nix
View file

@ -1,29 +0,0 @@
{inputs, ...}: let
# Fuchsia's host key for backup authentication
fuchsiaHostKey = builtins.readFile (
"${inputs.self}/nixos/fuchsia/ssh_host_ed25519_key.pub"
);
in {
# Trust fuchsia's host keys for SSH connections
programs.ssh.knownHosts = {
"fuchsia-ed25519" = {
hostNames = ["fuchsia"];
publicKeyFile = "${inputs.self}/nixos/fuchsia/ssh_host_ed25519_key.pub";
};
"fuchsia-rsa" = {
hostNames = ["fuchsia"];
publicKeyFile = "${inputs.self}/nixos/fuchsia/ssh_host_rsa_key.pub";
};
};
# Trust BorgBase repository (offsite backup target)
programs.ssh.knownHostsFiles = [
./borgbase_hosts
];
# Accept remote backups from fuchsia using host key authentication
users.users.root.openssh.authorizedKeys.keys = [
# Restrict fuchsia to only run borg serve in /srv/borg-repo
''command="borg serve --restrict-to-path /srv/borg-repo",restrict ${fuchsiaHostKey}''
];
}