Verified Commit 6de7ea78 authored by Gauvain Roussel-Tarbouriech's avatar Gauvain Roussel-Tarbouriech

secrets: switch to layer02

parent 2b70cc06
......@@ -38,6 +38,10 @@ your needs. Installing is then as simple as running
sudo nixos-install
```
Don't forget to change your initial hashed password at boot for headfull, they
are written to the world readable nix store! Someone could try to LPE by
brute-forcing them.
## Contributing
Do not forget to run `pre-commit install` to get the formatting hooks running
......@@ -37,8 +37,6 @@ with lib;
# headfull main user is essentially an admin, reflect that by giving it the
# wheel group
# TODO, XXX, TOFIX: the shadows are probably written in the nix store, do we
# care about that?
users.users.${config.navi.username} = {
extraGroups = [ "wheel" ];
hashedPassword = fileContents ./../secrets/headfull/assets/shadow/main;
......@@ -58,11 +56,37 @@ with lib;
jack.enable = true;
};
age.secrets.gpg-key = {
path = "/home/${config.navi.username}/.config/gnupg/key.gpg";
owner = config.navi.username;
};
# store our distbuild key so we can login to our infra
age.secrets.ssh-distbuild = {
path = "/etc/distbuild_ssh";
owner = "0";
group = "0";
mode = "0400";
};
age.secrets.ssh-navi = {
path = "/etc/navi_ssh";
owner = "0";
group = "0";
mode = "0400";
};
age.secrets.ssh-navi-2 = {
path = "/home/${config.navi.username}/.ssh/id_ed25519";
owner = config.navi.username;
mode = "0400";
};
# we setup the personal ssh and gpg key of our headfull user
home-manager.users.${config.navi.username} = {
home.file.".config/gnupg/key.gpg".source = ./../secrets/headfull/assets/gpg/key.gpg;
home.file.".config/gnupg/trust.txt".source = ./../secrets/headfull/assets/gpg/gpg-trust.txt;
home.file.".ssh/id_ed25519".source = ./../secrets/headfull/assets/ssh/navi;
home.file.".ssh/id_ed25519.pub".source = ./../secrets/common/assets/ssh/navi.pub;
home.file.".config/gnupg/gpg.conf".text = ''
......@@ -71,21 +95,6 @@ with lib;
'';
};
environment.etc."navi_ssh" = {
text = builtins.readFile ./../secrets/headfull/assets/ssh/navi;
mode = "0400";
uid = 0;
gid = 0;
};
# store our distbuild key so we can login to our infra
environment.etc."distbuild_ssh" = {
text = builtins.readFile ./../secrets/headfull/assets/ssh/distbuild;
mode = "0400";
uid = 0;
gid = 0;
};
# setup the distbuild account; while this might look like a backdoor for
# lesser privilege devices the distbuild access key is only given to at
# least headfull devices, thus headless devices cannot ssh into headfull.
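Review bot: The main user's password hash is still evaluated into the system closure and therefore into the world-readable Nix store: `hashedPassword = fileContents ./../secrets/headfull/assets/shadow/main;` in the `@@ -37,8 +37,6 @@` hunk is kept while the TODO questioning it is deleted, and the README hunk in this same commit admits the exposure. Since the SSH and GPG material now goes through agenix, the hash can take the same route: add an `age.secrets.shadow-main` entry alongside the ones in the `@@ -58,11 +56,37 @@` hunk and replace the line with `hashedPasswordFile = config.age.secrets.shadow-main.path;` (older NixOS releases spell this option `passwordFile`). Agenix documents installing secrets before the `users` activation step, which is what makes this usable for password files, but that ordering should be confirmed against the pinned agenix revision before relying on it at first boot. The `users.users.${config.navi.username}` attribute set continues past the end of that hunk.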