From 7024f0e216ef642ad6364ec53c0cf35c1316cbce Mon Sep 17 00:00:00 2001
From: Asmir A
Date: Sun, 21 Apr 2024 13:10:33 +0200
Subject: [PATCH] mediabox: add ssh service to initrd

---
 mediabox/configuration.nix          | 19 +++++++++++++++++-
 mediabox/secrets/dummy_ssh_key.yaml | 30 +++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 mediabox/secrets/dummy_ssh_key.yaml

diff --git a/mediabox/configuration.nix b/mediabox/configuration.nix
index acaa691..2f86d02 100644
--- a/mediabox/configuration.nix
+++ b/mediabox/configuration.nix
@@ -30,6 +30,10 @@
     sopsFile = ../common/secrets/wg_preshared.yaml;
   };
 
+  sops.secrets."ssh_dummy_ed25519_key" = {
+    sopsFile = ./secrets/dummy_ssh_key.yaml;
+  };
+
   nix = {
     optimise.automatic = true;
     gc.automatic = true;
@@ -41,7 +45,20 @@
   };
 
   boot = {
-    initrd.compressor = "zstd";
+    initrd = {
+      compressor = "zstd";
+      availableKernelModules = ["e1000e"];
+      network = {
+        enable = true;
+        udhcpc.enable = true;
+        ssh = {
+          enable = true;
+          hostKeys = [config.sops.secrets."ssh_dummy_ed25519_key".path];
+          authorizedKeys = [(builtins.readFile ../nixy/ssh_pubkey)];
+        };
+      };
+    };
+
     kernelModules = ["acpi_call"];
     kernelPackages = pkgs.linuxPackages_latest;
     kernelParams = ["msr.allow_writes=on"];
diff --git a/mediabox/secrets/dummy_ssh_key.yaml b/mediabox/secrets/dummy_ssh_key.yaml
new file mode 100644
index 0000000..4d41706
--- /dev/null
+++ b/mediabox/secrets/dummy_ssh_key.yaml
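Review bot: The secret attribute `sops.secrets."ssh_dummy_ed25519_key"` in the first hunk does not match the key stored in the referenced file, which is `dummy_ssh_key`; sops-nix looks the entry up by the attribute name unless `key` is set, so decryption of this secret is expected to fail at activation and the `hostKeys` path in the second hunk would then point at nothing. Add `key = "dummy_ssh_key";` next to `sopsFile = ./secrets/dummy_ssh_key.yaml;` (or rename the YAML key to match). `hostKeys = [config.sops.secrets."ssh_dummy_ed25519_key".path]` references the sops runtime path on the host, which NixOS appears to copy into the initrd image at bootloader-install time rather than decrypt in early boot, so the file must already exist when the initrd is rebuilt and the key lives in the initrd in the clear; a comment such as `# throwaway host key: it is embedded unencrypted in the initrd, never reuse it for the stage-2 sshd` would make the `dummy` naming and its blast radius explicit. The `authorizedKeys` entry is read from `../nixy/ssh_pubkey` at evaluation time, so that public key is baked into the store and the initrd; worth a one-line comment saying which key is being granted early-boot access.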
@@ -0,0 +1,30 @@
+dummy_ssh_key: ENC[AES256_GCM,data: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,iv:y8XWPaxLC/14wtzgNMtdehZ8H/ye5P8YXCUvTWBa570=,tag:gvIAbkuZpBHuoxiLQ5bQhw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age19yrl6pr73cv067ksfz0txp3zm2au25jfyjeerw23ml55ps5cyyfqtm3kmt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMUhaMDg5K0c2RUVoY3BT
+            b3ZRajRFWHg0eFduUFpZb2l0NzAyNFBDbkFJCjNHRUNxT1duWEdySFppNU5rblZU
+            bmgveE5rM0JIYno0bGdGbnZJRTgvdnMKLS0tIG5iaTRCQWN4V3QrdmhBdURDQ084
+            cHhTV2Z5bzV2ckVLVkMrL2tNSUpqNWMKW2rEBB8mUlejxRnHmHyGtAAnPUuLyAM6
+            4BBvBS3zMs3mzLEXUgcH1f8LsJiLm+DQVGEPNiKUn6H6SlnCh7ZSmg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSL2Y4Mzc1YWs5cjNSc29k
+            QnhlRHJqbWdDK2JqZHVQYk9MSTdOTWw2WVM4ClozWHNMWmhCUmU3ZXdZaGJTS3d4
+            Z0xLbnlsOCt4NitTMCtoSE9VY2hueFUKLS0tIEhVbTc0TWU2NzluVksvQ2xDZkMy
+            M0ZtaFJzOS9lYTFvL2dKNnRaWk5QMG8KwyQseKKVk4qQKH6goHLGsvAdyQtLmjmR
+            XtKPMOzHZ4aFG8h/bFHH3xxVHADh0qmfOlUMa/nG6I8IcPjXXCwyTQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-21T11:04:43Z"
+    mac: ENC[AES256_GCM,data:5QMf6xp8hltgDcL6TLe16zbvAEovClabzefG6on8MSW9uW4IvAJuzzSR6pL0H+WHLtzc0IwdHten/ic3jkMZDJMRBkL/vOZx5iPaZcU1GdnFyFYKcDZrEefy1i9tgiigsU3vx5qqXYOERAXgYCRIX9BO9EXZ+jamuXCONTGuWJI=,iv:5q742vstvWULdPVAAw1MKoVjdYisyxlWaSc0b0Id82w=,tag:Uph/eWCSyLrlJSUq17M8/w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1