diff --git a/flake.lock b/flake.lock
index 97a8e6bc..065bc45e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -481,10 +481,10 @@
 "mysecrets": {
 "flake": false,
 "locked": {
- "lastModified": 1703047359,
- "narHash": "sha256-Wx4rpa+oTPMRgUcUkhUq4oKBvvPZR+4U1YMnRB6rAQU=",
+ "lastModified": 1703697935,
+ "narHash": "sha256-tRwFFk6ICMlVAv8Ko4MV7FObX/cSeiZis2FcIFlw8uQ=",
 "ref": "refs/heads/main",
- "rev": "4126e1894fbc8a2ce260def885dcc6ad558a52ca",
+ "rev": "a5143705420a687ad535fdcff4765ee409d6e494",
 "shallow": true,
 "type": "git",
 "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
diff --git a/home/base/desktop/ssh.nix b/home/base/desktop/ssh.nix
index 5a396627..c46d1362 100644
--- a/home/base/desktop/ssh.nix
+++ b/home/base/desktop/ssh.nix
@@ -1,4 +1,6 @@
-_: {
+{mysecrets, ...}: {
+ home.file.".ssh/romantic.pub".source = "${mysecrets}/public/romantic.pub";
+
 programs.ssh = {
 enable = true;
@@ -18,7 +20,7 @@ _: {
 # It has the same effect as adding cli option `ssh -A user@host`
 ForwardAgent yes
 # romantic holds my homelab~
- IdentityFile ~/.ssh/romantic
+ IdentityFile /etc/agenix/ssh-key-romantic
 # Specifies that ssh should only use the identity file explicitly configured above
 # required to prevent sending default identity files first.
 IdentitiesOnly yes
@@ -38,20 +40,14 @@ _: {
 Host k8s-main
 HostName 192.168.5.181
 ForwardAgent yes
- IdentityFile ~/.ssh/romantic
- IdentitiesOnly yes
 Host k8s-data1
 HostName 192.168.5.182
 ForwardAgent yes
- IdentityFile ~/.ssh/romantic
- IdentitiesOnly yes
 Host k8s-data2
 HostName 192.168.5.183
 ForwardAgent yes
- IdentityFile ~/.ssh/romantic
- IdentitiesOnly yes
 '';
 };
 }
diff --git a/secrets/darwin.nix b/secrets/darwin.nix
index 7a92cf2f..570bb8da 100644
--- a/secrets/darwin.nix
+++ b/secrets/darwin.nix
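Review bot: The new module header `{mysecrets, ...}: {` makes `mysecrets` a required module argument, so this home-manager module now fails to evaluate unless the flake input is threaded in (presumably through `extraSpecialArgs`), and nothing in the file says so. A one-line comment above the header would save the next reader a trip through the flake: `# mysecrets is the nix-secrets flake input; it must be passed in via home-manager's extraSpecialArgs`. The `home.file.".ssh/romantic.pub"` line also means a bump of the `mysecrets` lock (first hunk of this commit) silently changes the installed public key, which is worth stating in the same comment.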
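Review bot: `IdentityFile /etc/agenix/ssh-key-romantic` ties this home-manager module to a system-level `environment.etc."agenix/ssh-key-romantic"` entry that lives in secrets/nixos.nix and secrets/darwin.nix, and nothing here records that dependency. On a host that imports this module but not one of those system modules the file simply does not exist; ssh skips a missing identity without error, and with `IdentitiesOnly yes` it then has no key to offer, so the failure shows up only as an authentication failure. Add the coupling as a comment above the line: `# decrypted by agenix at the system level (secrets/nixos.nix, secrets/darwin.nix); not managed by home-manager`. The enclosing `Host` block starts outside this hunk.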
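Review bot: Dropping `IdentityFile` and `IdentitiesOnly yes` from the three `k8s-*` hosts makes them depend on an earlier block supplying both options, and the hunk does not show which one. The block edited in the previous hunk carries `ForwardAgent yes` and `IdentitiesOnly yes`, but its `Host` pattern is outside the hunk; if it is `Host *` the k8s hosts inherit those settings, if it is narrower they fall back to ssh's default identity search and the protection `IdentitiesOnly` was giving them is gone. Either way a comment on the first k8s host, `# IdentityFile/IdentitiesOnly come from the Host block above`, would make the reliance explicit. The surrounding `extraConfig` string starts and ends outside this hunk.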
@@ -25,6 +25,12 @@
 owner = username;
 };
+ "ssh-key-romantic" = {
+ file = "${mysecrets}/ssh-key-romantic.age";
+ mode = "0600";
+ owner = username;
+ };
+
 # alias-for-work
 "alias-for-work.nushell" = {
 file = "${mysecrets}/alias-for-work.nushell.age";
@@ -52,6 +58,10 @@
 source = config.age.secrets."wg-business.conf".path;
 };
+ "agenix/ssh-key-romantic" = {
+ source = config.age.secrets."ssh-key-romantic".path;
+ };
+
 # The following secrets are used by home-manager modules
 # But nix-darwin doesn't support environment.etc..mode
 # So we need to change its mode manually
diff --git a/secrets/nixos.nix b/secrets/nixos.nix
index ea734a60..8c922273 100644
--- a/secrets/nixos.nix
+++ b/secrets/nixos.nix
@@ -34,6 +34,12 @@
 owner = username;
 };
+ "ssh-key-romantic" = {
+ file = "${mysecrets}/ssh-key-romantic.age";
+ mode = "0600";
+ owner = username;
+ };
+
 # alias-for-work
 "alias-for-work.nushell" = {
 file = "${mysecrets}/alias-for-work.nushell.age";
@@ -60,6 +66,12 @@
 source = config.age.secrets."wg-business.conf".path;
 };
+ "agenix/ssh-key-romantic" = {
+ source = config.age.secrets."ssh-key-romantic".path;
+ mode = "0600";
+ user = username;
+ };
+
 # The following secrets are used by home-manager modules
 # So we need to make then readable by the user
 "agenix/alias-for-work.nushell" = {
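Review bot: The darwin `environment.etc."agenix/ssh-key-romantic"` entry sets only `source`, while its nixos.nix counterpart also sets `mode = "0600"` and `user = username`, and the entry is placed above the comment that says modes for the home-manager-consumed secrets are fixed manually, so whatever does that fixing may not include it (the mechanism is outside the hunk). ssh refuses a private key whose file is group- or world-readable, so this works only if `/etc/agenix/ssh-key-romantic` ends up resolving to the 0600 file that `age.secrets."ssh-key-romantic"` (first hunk of this file) creates; presumably nix-darwin links rather than copies here, but that should be confirmed on a host. Record the reliance in place: `# link only; permissions come from age.secrets."ssh-key-romantic" (0600, owned by username)`, or move the entry under the existing comment with the others if it does need the manual mode fix.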
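Review bot: In the nixos.nix `environment.etc."agenix/ssh-key-romantic"` entry, setting `mode = "0600"` makes NixOS copy the source into /etc instead of symlinking it, so the decrypted private key gets a second, persistent copy under `/etc/agenix/` outside agenix's runtime secrets directory, refreshed only when the system is activated; a rotated secret stays stale in /etc until the next switch. The `age.secrets."ssh-key-romantic"` entry in the previous hunk already sets `mode = "0600"` and `owner = username`, so dropping `mode` and `user` here (as darwin.nix does) would give ssh a link to a correctly-permissioned file without the copy. This does follow the pattern of the entries below it, so if the copy is deliberate, say so on the entry: `# copied into /etc (mode set), not linked; re-activate after rotating the key`.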