clean up secrets files some

2025-05-28 21:31:41 -05:00
parent dd18dcadb9
commit af06d7fc2e
14 changed files with 684 additions and 94 deletions
--- a/hosts/pi5/configuration.nix
+++ b/hosts/pi5/configuration.nix
@@ -64,13 +64,20 @@ in
    };
  };

-  environment.systemPackages = with pkgs; [
-    libraspberrypi
-    raspberrypi-eeprom
-    raspberrypifw
-    raspberrypiWirelessFirmware
-    raspberrypi-armstubs
-  ];
+  environment = {
+    systemPackages = with pkgs; [
+      libraspberrypi
+      raspberrypi-eeprom
+      raspberrypifw
+      raspberrypiWirelessFirmware
+      raspberrypi-armstubs
+    ];
+
+    etc = {
+      "ssh/ssh_host_ed25519_key".source = config.sops.secrets."pi5/sys-priv-key".path;
+      "ssh/ssh_host_ed25519_key.pub".source = config.sops.secrets."pi5/sys-public-key".path;
+    };
+  };

  users = {
    mutableUsers = false;
--- a/hosts/pi5/sops.nix
+++ b/hosts/pi5/sops.nix
@@ -11,8 +11,10 @@ in
    # Secrets
    # ------------------------------
    secrets = {
-      "wifi" = { };
-      "desktop/matt_password" = {
+      "wifi" = {
+        sopsFile = ../../secrets/secrets.yaml;
+      };
+      "pi5/matt-password" = {
        neededForUsers = true;
        mode = "0600";
        owner = config.users.users."${user}".name;
@@ -24,17 +26,34 @@ in
      # ------------------------------

      "ssh-keys-public/pi5" = {
+        sopsFile = ../../secrets/secrets.yaml;
        mode = "0644";
        owner = config.users.users."${user}".name;
        group = config.users.users."${user}".group;
        restartUnits = [ "sshd.service" ];
      };
      "ssh-keys-private/pi5" = {
+        sopsFile = ../../secrets/secrets.yaml;
        mode = "0600";
        owner = config.users.users."${user}".name;
        group = config.users.users."${user}".group;
        restartUnits = [ "sshd.service" ];
      };
+
+      "pi5/sys-public-key" = {
+        neededForUsers = true;
+        mode = "0600";
+        owner = config.users.users.root.name;
+        group = config.users.users.root.group;
+        restartUnits = [ "sshd.service" ];
+      };
+      "pi5/sys-priv-key" = {
+        neededForUsers = true;
+        mode = "0600";
+        owner = config.users.users.root.name;
+        group = config.users.users.root.group;
+        restartUnits = [ "sshd.service" ];
+      };
    };
  };
 }