From 6393af9620be93178b2df3c4aca2b8fa74f8d2a8 Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Mon, 2 Sep 2024 20:51:30 -0500
Subject: [PATCH] added password for remote user
---
 README.md | 21 ++++++++++++++++++---
 secrets/secrets.yaml | 7 ++++---
 users/remote/default.nix | 3 +++
 3 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 1cfbddf..31eec77 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
+# Hosts
-Build Command:
-`sudo nixos-rebuild switch --flake .#hostname`
-
+## Host Map
 | Hostname | Device Description | Primary User | Role |
 | :---------: | :------------------------: | :--------------: | :-------: |
 | `twilight` | Desktop Computer | Leyla | Desktop |
@@ -9,3 +8,19 @@ Build Command:
 | `defiant` | NAS Server | Leyla | Service |
 | `emergent` | Desktop Computer | Eve | Laptop |
 | `threshold` | Laptop | Eve | Desktop |
+
+
+### Rebuild current machine to match target host:
+`sudo nixos-rebuild switch --flake .#hostname`
+
+### Rebuild current machine maintaining current target
+`./rebuild.sh`
+
+# New machine setup
+keys for decrypting password secrets for each users located at ~/.config/sops/age/keys.txt
+
+updating passwords: `sops secrets/secrets.yaml`
+
+> how the current config was set up https://www.youtube.com/watch?v=G5f6GC7SnhU
+
+> look into this? https://technotim.live/posts/rotate-sops-encryption-keys/
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index fb57b2b..dc3185e 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -2,6 +2,7 @@ passwords: leyla: ENC[AES256_GCM,data:c69e5uF40ACxVI0zXizydaqMVk6MXVJ13HwptHKeYIJ9H6bCgZRK0HCoTYw366mIpe7zt2V/OVdNr6hdzGfLa90/iOAMaCGqgw==,iv:esVvjfJm3RvO8RdXPvrnT/+At7VFl9Vt6077I5Ks89Q=,tag:fHfIFBRVH3y/V16rHYsT2g==,type:str] ester: ENC[AES256_GCM,data:Cz3oXNOVz35Uino3HLUNcao4YbG1QwmZn6ulWafGpa6Z3U+X+92f+PpHNx6L+q9ToIDabx0vNGs0Pfsrs4y9k/nmhWB1i66PzA==,iv:pY3aVbxmILYXHG06+XJWM6nHA8FbmsNBssh5LXplCOM=,tag:D09d2Bv4SAO7v4JeHVM+tw==,type:str] eve: ENC[AES256_GCM,data:XvJjFNIujwk9ttYLTbAE+PEMUpWzLXrJeJJ0aEqWBwx+gjOwX4XVg0J/B75ByJxflh9RSwB0oAGfC+6coAHoMTXPyym52zAYBw==,iv:lVbZ8uC6IKn3Bew0LHmwl47nFfBuNqslltNBiv6cx7I=,tag:lgE0N6JKDcOPqynwtXJKzQ==,type:str] + remote: ENC[AES256_GCM,data:J/Ew48IO1UGCLl038t87AV0fdxHklfEKhmmsAhd4jPbyK88i/GjljF7mSJnlav9L+7GbxbGRjsFXkL753M7hF/n1hcVDAYpGhA==,iv:7PIgHRHXorkrOmjaWaWhu+Evu4SsNFSCk3euPdlGK20=,tag:tQ57gIselHNKlmQ1ySsAAQ==,type:str] sops: kms: [] gcp_kms: [] @@ -17,8 +18,8 @@ sops: VFBiZm5ZK2kwZjJPd3dCai9QUlpLaFEKFuwGgcdleN69voM5mpsa4J/ulmzZo7q+ Q7KHOOidDH9C4xKjztYMuJSyviOYiIgILhljMXbNlmZnRs867gmmbw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-03T01:27:28Z" - mac: ENC[AES256_GCM,data:ExP2Q8judGmQ5QFdZjmkNuMXlI9XJLeKaFn15Y4YuA2r+qLYYegN/IR1VeDrDO+XfWJJS7qednRnb9gErqUQgwX06AhMFDGUHHgB2lFdr/X0KBNt9EcrQ+S4Zh9zh8aTZesvnLaorz5QqF1Mt4FRz8mFYQIJ3DCWXV0cHrmmvcA=,iv:QBMc5E9SXP7aMCYFF/JnhM3bAuBA6mY4cENOW8SSaW0=,tag:ftg5Q8rS0NfUSogXXKEePA==,type:str] + lastmodified: "2024-09-03T01:50:34Z" + mac: ENC[AES256_GCM,data:il1m33cFCKnL1x2QQWKfvRX7/zea+15PH8KZrAW89EizJowgefR0rpaMgO+I9CyWuIoAV77JrF9echiAvkv+eteJjkkzyG9Qo/gejC0afQAeMLGpJLEk8carxlmhJXZUrqTW3VnIY4cl0CGBinTzGqMJ2WtAQLccoQR7tDP0jBk=,iv:bdDqVdXdqXB32kjUhN8OBz9+4DwrhYAw8eWsxJNGRJ4=,tag:9T+2oBvxW0ssZV4inyvY3Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.0 diff --git a/users/remote/default.nix b/users/remote/default.nix index 491bc51..6792b74 100644 --- a/users/remote/default.nix +++ b/users/remote/default.nix 
@@ -19,6 +19,9 @@ in ( if cfg.isNormalUser then { # extraGroups = [ "wheel" ]; + + hashedPasswordFile = config.sops.secrets."passwords/remote".path; + isNormalUser = true; openssh.authorizedKeys.keys = []; } else {
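Review bot: With `openssh.authorizedKeys.keys = [];` still empty later in this hunk, the new `hashedPasswordFile` line makes the password the only credential for the `remote` account, so confirm that sshd on these hosts rejects password logins (`services.openssh.settings.PasswordAuthentication = false;`) or add a key here. None of the three files in this commit declares `sops.secrets."passwords/remote"`, so that declaration presumably already exists elsewhere. With sops-nix it needs `neededForUsers = true;` so the hash is decrypted before users are created, otherwise the account may come up without the intended password. A comment above the new line, e.g. `# password hash from sops; the secret must set neededForUsers = true`, would record that dependency. The enclosing `if cfg.isNormalUser then { … } else {` block starts and ends outside the hunk.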