feat(servers): set passwords using hashedPasswordFile.

2025-05-16 08:18:46 +02:00 · 2025-05-16 08:18:46 +02:00 · eb5fffaaa0
commit eb5fffaaa0
parent 41747d82cc
10 changed files with 52 additions and 2 deletions
--- a/modules/servers/general/default.nix
+++ b/modules/servers/general/default.nix
@ -6,5 +6,6 @@
    ./secrets.nix
    ./podman.nix
    ./additional-pkgs.nix
+    ./root.nix
  ];
 }
--- a/modules/servers/general/root.nix
+++ b/modules/servers/general/root.nix
@ -0,0 +1,5 @@
+{config, ...}: {
+  users.users.root = {
+    hashedPasswordFile = "${config.age.secrets.root-passwd.path}";
+  };
+}
--- a/modules/servers/general/secrets.nix
+++ b/modules/servers/general/secrets.nix
@ -5,6 +5,12 @@
        file = ../../../secrets/traefik.age;
        owner = "traefik";
      };
+      crony-passwd = {
+        file = ../../../secrets/crony-passwd-servers.age;
+      };
+      root-passwd = {
+        file = ../../../secrets/root-passwd.age;
+      };
    };
  };
 }
--- a/modules/servers/general/user.nix
+++ b/modules/servers/general/user.nix
@ -1,6 +1,6 @@
-{...}: {
+{config, ...}: {
  users.users.crony = {
-    password = "whatever i will change it right away";
+    hashedPasswordFile = "${config.age.secrets.crony-passwd.path}";
    isNormalUser = true;
    description = "crony";
    extraGroups = [
--- a/secrets/conduit.age
+++ b/secrets/conduit.age
--- a/secrets/crony-passwd-servers.age
+++ b/secrets/crony-passwd-servers.age
@ -0,0 +1,18 @@
+age-encryption.org/v1
+-> ssh-ed25519 2P4nKw uE50KrXeVqboQgR3E4jBMyEY1Eag0iYyBqsFcNq46kA
+L0hB1KJ/93ZoGJA82sFK/yCp6Iqw3jGqCOs6jZg7fM8
+-> ssh-ed25519 6+hQpQ IBPIcFcduVkdO8eBZ+JnBaDGkB6BRVSKNz1JrR154Gk
+25Qa1YvB3MjwmRFuoHCPvEn/sjc14Em+cokMEKy0OGk
+-> ssh-ed25519 l/ODWA +6i2fEJzr3pwkfL/vLQcCEi8uInG44Ki89PJVN72WAg
+eI03G48J5JGKGGfMnVTy6i7yki4s5WAtx9KjTWJx+tg
+-> ssh-ed25519 7+5K3Q Z8Vcpm8f5wqyVuK5iGGOVWzB2uH/PfiW5+AF2h8wZFc
+jUuXzfNFTcI0775pp2j2QHntrcNHG47T4QT00qxZ3WU
+-> ssh-ed25519 Ow0TGw OLfB0cEoQCEbCy3qKtIk0srwSJYt8BdxO4QcWcEziCo
+KipTui0UB//I1ktebLzrursmtnhijEsJ7OqF51QRI2A
+-> ssh-ed25519 cEINMA I3KqLlTXhxMDx/m3kot4H7FQqWvYGlh9VlKYYjeWmlc
+3VYcLSHU6lDRUgQDLW32jVYiZW6NhNfFcKU15KZqSNI
+-> ssh-ed25519 fd/ZLQ LCpZ1/kZk0wcoqVyga0dKwheZbG64wUZhNjVlzxsJVM
+gj8tePLX1WKR6tPdE9ii9zKiqXDC3nCpVYES+YVKuUM
+--- 0+ou8pl8fJW8xWQeJ1v0ALJmt/GVi/hjVYY/q/Az574
+çø8@Ç`àH‰HDp\0ÂúÛ~`ÅÐËÐHgÍ\†S"ä´<C3A4>nb-ßÝÖ¼ÇÜp.F€/]bÙ€a`÷bŒ0nûNpå^»Õ+Ÿ×b©<ñC„<43>Í•ñCa`0“M:±Ÿ
+4<EFBFBD>¡
--- a/secrets/forgejo-db.age
+++ b/secrets/forgejo-db.age
--- a/secrets/miniflux.age
+++ b/secrets/miniflux.age
--- a/secrets/root-passwd.age
+++ b/secrets/root-passwd.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 2P4nKw SRZ46jEyxBUlfg+t25OcceZlxftixfwhZrGnMyhu8Tw
+khskBqjrEszMI8aV/DmDygqAii1SwpFKsn6luSssEgY
+-> ssh-ed25519 6+hQpQ k3Cz7H4EK/kgHycD+5KopNxaKCfGNrE8uAgbrIl1fyM
+tyvq6xS11MahN4CFQLKnQQvo0cMAFkbBP942gPsQM4Y
+-> ssh-ed25519 l/ODWA d3/L4FVQbcB9bx8gkwfSEW50h1fjJXuWNL5AVH73Vnw
+l08tXj6+7lnPiJcJn5VQfxJiOD8qV+5wCB/XMtPmFDE
+-> ssh-ed25519 7+5K3Q BEblcFpA0JHJWHHPyElzJpfYVOK35+cG9Io/LXVPwEk
+SwHqJU0pWLDxWPLoVBT8B/v41uEVxGckRCF6vj/NgGA
+-> ssh-ed25519 Ow0TGw Hkn4XZMDAJEF1agRN3tVwyNmCXiuvlcgcN+/dUbYKAg
+uf6f5PcIHdzsxF0LyrXkkConGCARZW3ORw9S5TCl+nw
+-> ssh-ed25519 cEINMA InM7UKDH5j86IKxEp7NjXbitrwNg++oUrWwURs3fuhc
+HdRySiqzff23IGwLIAuaxYO7gp7vN+eegNVWB/ds9EM
+-> ssh-ed25519 fd/ZLQ wPaoRwfInUvsNhrjV3QLy8akQXAE1Z/xaAO6V0Z8aFE
+bn+bdfqKzm1H/gLTWD+6Iu4ccCJfmUEA6dCYu9ixdeI
+--- VzTkVf1tEmnZ1qLDsMHndgjkTRBCMnasQx3NbWSw/y4
+Á‹Í’
ÆµqÒÈX7/À4ùëÉ
WžÁUwÏä±¦QÓOí®+¯TF;f1T<>ÍDÈe¬qüÉYo?d,•¿€±l7<6C><06>µ tÝÖ©,É+Ž†u<VFÂÖö>»˜ÑÃÿ(ˆûf’µ÷ý1Ñ
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -25,4 +25,7 @@ in {
  "conduit.age".publicKeys = systems ++ users;
  "searx.age".publicKeys = systems ++ users;
  "miniflux.age".publicKeys = systems ++ users;
+  "crony-passwd-desktop.age".publicKeys = systems ++ users;
+  "crony-passwd-servers.age".publicKeys = systems ++ users;
+  "root-passwd.age".publicKeys = systems ++ users;
 }