diff --git a/hosts/zima/configuration.nix b/hosts/zima/configuration.nix
index 91d334a..c5171ec 100644
--- a/hosts/zima/configuration.nix
+++ b/hosts/zima/configuration.nix
@@ -86,6 +86,10 @@
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 sops.secrets.hashedPassword.neededForUsers = true;
+ users.users."root".openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL syncoid@cryochamber"
+ ];
+
 # Define a user account. Don't forget to set a password with ‘passwd’.
 users.users.hunner = {
 uid = 1000;
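Review bot: The key granted to root here is the same ed25519 public key that the next hunk removes from the unprivileged `backup` user (identical key material, only the trailing comment changed from backup@cryochamber to syncoid@cryochamber), so the private key held on cryochamber now carries unrestricted root on zima, and the entry has no options limiting it. NixOS passes these strings straight into authorized_keys, so the sshd options prefix can be used to pin the entry to the peer and strip what replication does not need, e.g. `"from=\"<cryochamber address>\",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL syncoid@cryochamber"`; a `command=` wrapper is harder because syncoid runs several zfs commands per session, so confirm the from= address (presumably the Tailscale one) before relying on it. A comment above the list naming which host and job uses the key, such as `# Pull replication key: syncoid on cryochamber runs zfs send/recv on this host as root`, would make the root grant reviewable later. The `"root"` attribute name does not need quoting in Nix.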
@@ -169,60 +173,12 @@
 };
 };
- users.users.backup = {
- uid = 1001;
- isNormalUser = true;
- description = "Backup replication user";
- shell = pkgs.bash;
- packages = with pkgs; [
- sanoid
- ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL backup@cryochamber"
- ];
- };
- #services.syncoid = {
- # enable = true;
- # user = "backup";
- # sshKey = "/var/lib/syncoid/.ssh/id_ed25519";
- # commonArgs = [
- # #"--sshoption=StrictHostKeyChecking=off"
- # "--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts"
- # "--sshoption=IdentitiesOnly=yes"
- # "--no-sync-snap"
- # ];
- # commands."backup-zima-bitrot" = {
- # source = "bitrot";
- # target = "root@cryochamber:tank/backups/zima/bitrot";
- # recursive = true;
- # };
- # commands."backup-zima-rpool-safe" = {
- # source = "rpool/safe";
- # target = "root@cryochamber:tank/backups/zima/rpool-safe";
- # recursive = true;
- # };
- #};
- # This was needed when trying to get the backup user to work instead of using
- # root; probably not needed now
- #systemd.services.syncoid-backup-zima-bitrot.serviceConfig = {
- # Environment = [
- # "HOME=/var/lib/syncoid"
- # "SSH_AUTH_SOCK="
- # ];
- # ExecStartPre = [
- # "+${pkgs.coreutils}/bin/mkdir -p /var/lib/syncoid/.ssh"
- # "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/id_ed25519 /var/lib/syncoid/.ssh/"
- # "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/known_hosts /var/lib/syncoid/.ssh/"
- # "+${pkgs.coreutils}/bin/chown -R backup:syncoid /var/lib/syncoid/.ssh"
- # "+${pkgs.coreutils}/bin/chmod 700 /var/lib/syncoid/.ssh"
- # "+${pkgs.coreutils}/bin/chmod 600 /var/lib/syncoid/.ssh/id_ed25519"
- # ];
- #};
 services.tailscale.enable = true;
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "prohibit-password";
 services.openssh.settings.Macs = [
 "hmac-sha2-256"
 "hmac-sha2-512-etm@openssh.com"
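Review bot: `PermitRootLogin = "prohibit-password"` is OpenSSH's own default, so the added line changes nothing on its own and reads as a statement of intent; keep it, but say why root login is now something the host depends on, e.g. `# Key-only root login is required for syncoid pull replication from cryochamber (see root's authorizedKeys); password logins for root stay refused.` With the dedicated `backup` account gone, root is the remotely reachable replication account, so it is worth bounding where it may log in from — `services.openssh.settings.AllowUsers = [ "hunner" "root@<cryochamber address>" ];` is one way, provided no AllowUsers is set elsewhere and the other login users are listed. Whether PasswordAuthentication and KbdInteractiveAuthentication are disabled is not visible in this hunk; confirm they are set in the part of the openssh block outside it, since prohibit-password only covers root. The settings.Macs list continues past the end of the hunk.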
diff --git a/hosts/zima/secrets/config.yaml b/hosts/zima/secrets/config.yaml
index 7295c73..6030988 100644
--- a/hosts/zima/secrets/config.yaml
+++ b/hosts/zima/secrets/config.yaml
@@ -19,7 +19,7 @@ sops:
 L0hXK1ZSY292dTRDU0Z2NGlJNHhpb2cK76bGG3yJD8ORZFPvW/WAlHLi9mt2A8+Q
 /uOs6FBcubW6MGiC50OlSAI19yvg7BYqqWRFI+XEkXjxbLlwhWy1RA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-21T01:32:03Z"
- mac: ENC[AES256_GCM,data:PezvH3WCehALUH3QEvIu21hJX5xyjnuGIvZAtVbEhDeD1JdO+lXSFVyH2gWjNWSgrDiDEKXMKtdl0Q+5eXJPpqHjNHIh0lDLePG0JSMZWdOz/F7uuiXqqeA7b4Plrf28PniqA4+c2PURhp5UggW6Tb2mBmVgwtsSuVH7kPnted8=,iv:59HIfn640uI6YvRwJ5WCY9QiJLvMnrdVnjpsCTG000k=,tag:3rZ4sm9cwc/n9cK/SOnMLw==,type:str]
+ lastmodified: "2025-12-30T06:33:44Z"
+ mac: ENC[AES256_GCM,data:pmop5GVM3saheiCWbXD58hpW9uy3cbwJPTjESqw0w6L54+OjGdOKZF/k86nPIP+DGGRnMjG3DF2GiMkZz4C8/Tx6mM9Fo9eSPOKgV2ZFkf5ws08fJH2Vubvh7wvJ1ReFthz5/RIhvpgAwMYNB594KwlbTriPLJSuq1litUAfDZw=,iv:GQ/rHlk3qrUVK/CumLnkY6EB3AkC7wTgQnB42GeGiZU=,tag:mBtBndRXUTED8Gk4X2324Q==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0