chore(secrets): rekey agenix secrets for new configuration

- Add rekeyed borgbackup passphrase for fuchsia offsite backups - Remove unused projectsend secret from viridian
refactor(ssh): decentralize SSH configuration to per-host services
2025-10-07 22:37:26 +08:00 · 2025-10-07 22:33:20 +08:00 · 2025-10-07 20:58:09 +08:00
14 changed files with 62 additions and 31 deletions
--- a/nixos/common/global/secrets/rekeyed/fuchsia/b13fe910c59fe6344a048e24e98c923c-borgbackup.age
+++ b/nixos/common/global/secrets/rekeyed/fuchsia/b13fe910c59fe6344a048e24e98c923c-borgbackup.age
--- a/nixos/common/global/secrets/rekeyed/viridian/473ab42e4fc9cfd4f093251c178bdbaa-projectsend.age
+++ b/nixos/common/global/secrets/rekeyed/viridian/473ab42e4fc9cfd4f093251c178bdbaa-projectsend.age
@ -1,11 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 KTkZog Up5AjKprErUc0nI98az6EFmtxev7vdg+PmNzQgizHTc
-NJ+/pzyDbSgmm+0jx4C2X4ISoJDD004HlN1Ul3vrmzM
-> RGCv~-grease
-Ov7OyKCQF8tm4G+cXFlibXFROTAHhssk1JaozlPpUmnFOX5ao78jVORa27WHEF/H
-XxEDY0JQU6oL2fM
--- hV6JhDfXuYLaf/iGqjN6Q/N6tnDR6J1V627DDLnaGZI
-°ó5–<EFBFBD>›ŒcÅ§»µ²îìu=€
-iFd’Ï²ß[<D™ì0|#Ú!rHU™ŸúDª´kH'çHJØÞ@5AsK[@
zÚpmP]@¤ŸŸÓâj¡Îï/)AódÉ.¤×¡M;{h6zÄ÷É)¢×›4+/aûwÀøF«apü[X<Î´
-ŒT
-?HÞo‹o
--- a/nixos/common/global/ssh.nix
+++ b/nixos/common/global/ssh.nix
@ -1,12 +1,17 @@
 {...}: {
+  # Global SSH server configuration baseline
+  # Host-specific trust relationships are configured in each host's services/ssh/
+
  services.openssh = {
    enable = true;
+
    settings = {
-      PermitRootLogin = "no";
-      PasswordAuthentication = false;
-      LogLevel = "VERBOSE";
+      PermitRootLogin = "no";           # Disable root login for security
+      PasswordAuthentication = false;   # Require key-based authentication
+      LogLevel = "VERBOSE";             # Enhanced logging for security auditing
    };
-    ports = [22];
-    openFirewall = true;
+
+    ports = [22];                       # Standard SSH port
+    openFirewall = true;                # Allow SSH through firewall
  };
 }
--- a/nixos/fuchsia/services/borgbackup/offsite.nix
+++ b/nixos/fuchsia/services/borgbackup/offsite.nix
@ -78,9 +78,4 @@
      monthly = 12;   # Keep 12 monthly backups (1 year)
    };
  };
-
-  # SSH host keys for borgbase.com
-  programs.ssh.knownHostsFiles = [
-    ./borgbase_hosts
-  ];
 }
--- a/nixos/fuchsia/services/borgbackup/onsite.nix
+++ b/nixos/fuchsia/services/borgbackup/onsite.nix
@ -76,9 +76,4 @@ in {
      monthly = 12;
    };
  };
-
-  # SSH host keys for viridian
-  programs.ssh.knownHostsFiles = [
-    ./viridian_hosts
-  ];
 }
--- a/nixos/fuchsia/services/borgbackup/passphrase.age
+++ b/nixos/fuchsia/services/borgbackup/passphrase.age
--- a/nixos/fuchsia/services/default.nix
+++ b/nixos/fuchsia/services/default.nix
@ -7,6 +7,7 @@
    ./pipewire
    ./printing
    ./snapper
+    ./ssh
    ./udev
    ./xserver
  ];
--- a/nixos/fuchsia/services/ssh/borgbase_hosts
+++ b/nixos/fuchsia/services/ssh/borgbase_hosts
@ -0,0 +1,3 @@
+li9kg944.repo.borgbase.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMS3185JdDy7ffnr0nLWqVy8FaAQeVh1QYUSiNpW5ESq
+li9kg944.repo.borgbase.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwHsO5g7kAEpqcK4bpHCUKYV1cKCUNwVEVsDQyfj7N8L92E21n+aEhIX2Nh/kFs1W9D/pgsWQBAbco9e/ORuagHrO8hUQtbda5Z31PAo4eipwP17VQr5rF3seaJJNFV72v89PGwMOWQwvoJte+yngC6PYGKJ+w63SRtflihAmf4xa5Tci/f6jbX6t32m2F3bnephVzQO6anGXvGPR8QYQXzSu/27+LaKnLd2Kugb1Ytbo0+6kioa60HWejIZ/mCrCHXYpi0jAllaYEuAsTqFWf/OFUHrKWwRAJD0TV43O1++vLlxY85oQxIgc4oUbm93dXmDBssrTnqqq2jqonteUr
+li9kg944.repo.borgbase.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOstKfBbwVOYQh3J7X4nzd6/VYgLfaucP9z5n4cpSzcZAOKGh6jH8e1mhQ4YupthlsdPKyFFZ3pKo4mTaRRuiJo=
--- a/nixos/fuchsia/services/ssh/default.nix
+++ b/nixos/fuchsia/services/ssh/default.nix
@ -0,0 +1,18 @@
+{inputs, ...}: {
+  # Trust viridian's host keys for SSH connections
+  programs.ssh.knownHosts = {
+    "viridian-ed25519" = {
+      hostNames = ["viridian"];
+      publicKeyFile = "${inputs.self}/nixos/viridian/ssh_host_ed25519_key.pub";
+    };
+    "viridian-rsa" = {
+      hostNames = ["viridian"];
+      publicKeyFile = "${inputs.self}/nixos/viridian/ssh_host_rsa_key.pub";
+    };
+  };
+
+  # Trust BorgBase repository (offsite backup target)
+  programs.ssh.knownHostsFiles = [
+    ./borgbase_hosts
+  ];
+}
--- a/nixos/viridian/services/borgbackup/key.age
+++ b/nixos/viridian/services/borgbackup/key.age
--- a/nixos/viridian/services/borgbackup/offsite.nix
+++ b/nixos/viridian/services/borgbackup/offsite.nix
@ -81,9 +81,4 @@
      monthly = 12;   # Keep 12 monthly backups (1 year)
    };
  };
-
-  # SSH host keys for borgbase.com
-  programs.ssh.knownHostsFiles = [
-    ./borgbase_hosts
-  ];
 }
--- a/nixos/viridian/services/default.nix
+++ b/nixos/viridian/services/default.nix
@ -10,6 +10,7 @@
    ./murmur
    ./opengist
    ./snapper
+    ./ssh
    ./traefik
  ];
 }
--- a/nixos/viridian/services/borgbackup/borgbase_hosts
+++ b/nixos/viridian/services/borgbackup/borgbase_hosts
--- a/nixos/viridian/services/ssh/default.nix
+++ b/nixos/viridian/services/ssh/default.nix
@ -0,0 +1,29 @@
+{inputs, ...}: let
+  # Fuchsia's host key for backup authentication
+  fuchsiaHostKey = builtins.readFile (
+    "${inputs.self}/nixos/fuchsia/ssh_host_ed25519_key.pub"
+  );
+in {
+  # Trust fuchsia's host keys for SSH connections
+  programs.ssh.knownHosts = {
+    "fuchsia-ed25519" = {
+      hostNames = ["fuchsia"];
+      publicKeyFile = "${inputs.self}/nixos/fuchsia/ssh_host_ed25519_key.pub";
+    };
+    "fuchsia-rsa" = {
+      hostNames = ["fuchsia"];
+      publicKeyFile = "${inputs.self}/nixos/fuchsia/ssh_host_rsa_key.pub";
+    };
+  };
+
+  # Trust BorgBase repository (offsite backup target)
+  programs.ssh.knownHostsFiles = [
+    ./borgbase_hosts
+  ];
+
+  # Accept remote backups from fuchsia using host key authentication
+  users.users.root.openssh.authorizedKeys.keys = [
+    # Restrict fuchsia to only run borg serve in /srv/borg-repo
+    ''command="borg serve --restrict-to-path /srv/borg-repo",restrict ${fuchsiaHostKey}''
+  ];
+}