Add zima authorized key

This commit is contained in:
Hunter Haugen 2025-12-29 22:23:34 -08:00
parent 39ca2631dd
commit 22b754badf
Signed by: hunner
GPG key ID: EF99694AA599DDAD
2 changed files with 7 additions and 51 deletions

View file

@ -86,6 +86,10 @@
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.hashedPassword.neededForUsers = true;
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL syncoid@cryochamber"
];
# Define a user account. Don't forget to set a password with passwd.
users.users.hunner = {
uid = 1000;
@ -169,60 +173,12 @@
};
};
users.users.backup = {
uid = 1001;
isNormalUser = true;
description = "Backup replication user";
shell = pkgs.bash;
packages = with pkgs; [
sanoid
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL backup@cryochamber"
];
};
#services.syncoid = {
# enable = true;
# user = "backup";
# sshKey = "/var/lib/syncoid/.ssh/id_ed25519";
# commonArgs = [
# #"--sshoption=StrictHostKeyChecking=off"
# "--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts"
# "--sshoption=IdentitiesOnly=yes"
# "--no-sync-snap"
# ];
# commands."backup-zima-bitrot" = {
# source = "bitrot";
# target = "root@cryochamber:tank/backups/zima/bitrot";
# recursive = true;
# };
# commands."backup-zima-rpool-safe" = {
# source = "rpool/safe";
# target = "root@cryochamber:tank/backups/zima/rpool-safe";
# recursive = true;
# };
#};
# This was needed when trying to get the backup user to work instead of using
# root; probably not needed now
#systemd.services.syncoid-backup-zima-bitrot.serviceConfig = {
# Environment = [
# "HOME=/var/lib/syncoid"
# "SSH_AUTH_SOCK="
# ];
# ExecStartPre = [
# "+${pkgs.coreutils}/bin/mkdir -p /var/lib/syncoid/.ssh"
# "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/id_ed25519 /var/lib/syncoid/.ssh/"
# "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/known_hosts /var/lib/syncoid/.ssh/"
# "+${pkgs.coreutils}/bin/chown -R backup:syncoid /var/lib/syncoid/.ssh"
# "+${pkgs.coreutils}/bin/chmod 700 /var/lib/syncoid/.ssh"
# "+${pkgs.coreutils}/bin/chmod 600 /var/lib/syncoid/.ssh/id_ed25519"
# ];
#};
services.tailscale.enable = true;
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
services.openssh.settings.Macs = [
"hmac-sha2-256"
"hmac-sha2-512-etm@openssh.com"