roles/common/configuration.nix

@@ -27,15 +27,32 @@
 			# enter the password A LOT of times. Only on the first setup tho
 			"/tmp/id_ed25519_bootstrap"
 		];
+	# Copy (NOT SYMLINK) host ssh keys into place
+		secrets = {
+			"ed25519" = {
+				symlink = false;
+				file = ../../secrets/${config.networking.hostName}/host-key-ed25519;
+				path = "/etc/ssh/ssh_host_ed25519_key";
+			};
+			"rsa" = {
+				symlink = false;
+				file = ../../secrets/${config.networking.hostName}/host-key-rsa;
+				path= "/etc/ssh/ssh_host_rsa_key";
+			};
+			"ed25519-public" = {
+				symlink = false;
+				file = ../../secrets/${config.networking.hostName}/host-key-ed25519-public;
+				path = "/etc/ssh/ssh_host_ed25519_key.pub";
+				mode = "0644";
+			};
+			"rsa-public" = {
+				symlink = false;
+				file = ../../secrets/${config.networking.hostName}/host-key-rsa-public;
+				path = "/etc/ssh/ssh_host_rsa_key.pub";
+				mode = "0644";
+			};
+		};
 	};
 
-	/*
-	I used to keep the host keys in the repo as a secret, but since I use the
-	host keys for decrypting too I'm not sure encrypting a key with itself
-	is a good idea. Now the host keys will need to be placed manually where they are needed
-	For first time installs they are generated by services.openssh.hostKeys on servers, and
-	manually on everything else
-	*/	
-	
 	system.stateVersion = "23.05";
 }

secrets/Archie/host-key-ed25519

@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 zhSyTg v0zMwf3PyU8i5Z8cKQAM8G/egqkmPONA7twvIsTtFUU
+4BlqeR6PpQrYwf7BT1UXqzaiiNwHAxsbbvX1Sk7YG7M
+-> ssh-ed25519 AuWU1Q m0nCQcYG0Jz8AeouayMRTPiQvZxWDbci88ouaaW1kBE
+FMRP4tDLTQ8wo/9j6AaVhl4/amQAjgZDPKqmtzTwHbI
+-> tR-grease jXU
+zPQZdJy9DQ9MUenFWBk
+--- NY5Z2u04JmXtfy09gfYTziCNqdXfSXQLe3n/e7wburg
+åê
+šKàQoƒa|É—·²ëÞ âÜ.ýƒùhSÞ
+^aɹL)m.	At‘}B¡RüÈ!7ÌJí¿%fÒ#f_/=´ïïÏÞd›:§‡\[ùTý<54>ãxÈ”—U³s(†:‘’ÝI¨ãˆ~-¢ºiº”-l!(íÌ®S†G¿»½^öä¹Ù¢ØVŒ¤Ú—ig¾ñ~ò™MDdn–WõqûÕb7¼ÃÊÖáñ‘†ôP\÷²CαˆØü½Iõþë}©ÍmsUè•4="™‚‰1Ï.Ùõ±:aT-Oo<4F>yˆ¢%v¥$iBåN—À)s8¿OV(EÇ…ì­¯ôtW•i;n·€Pè7æÝQº‡çó0†Â·„tRúá+W´’1Bdé„T’òTO…W¡f>å”æ6Cß>ö<0E>´nT¾ô
+ÈKÙ)åDÍ81Õi<17>lÃß3JPQw¢Õ.w\&6¢Åö¿j ”T:¥8E`,•Ò"ÔìaÒ‚<Êd<>K×rc2ä´ƒ<´ÔÞ~¹ù
+h?FŽc
+ÐΣJ
öüto›D€Æ

secrets/Archie/host-key-ed25519-public

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 zhSyTg Xkk6wPQm3Sm3RuNyKhnKVz/evGJtr0UwhB7m2iuhrR4
+RMheqKeCD+Py22+xmvp3Se1z84t60+6y1Bbt7uYGxFs
+-> ssh-ed25519 AuWU1Q 5l5/vuIGxW+6ZzlDKjLzNCxyiW1+Kh651xpnwjfF3FQ
+ZIx/zZZMPpO8zDW5JdkucIBVH1xK4KtoA7Kovw+bcOU
+-> 7%-grease [ wwEC MxP UF:U6Cy
+Hp7t6AxdTAfm4r/LMWAt22vOYvhfHJLX4BIB7eEUfQnNAPIx43SrK8QIrAGHWbxN
+hdO18C5g6xoE5HHz5uM5ASzUWC4Nws3OXwY
+--- 2kwRA1NakiMhvMQgkaiEiJ93SkjTmOt77m0tO+e/p/w
+Ï ^^ðè”Ià=Õð•ñÏ*Ã='çVå[$-Ä<10>ÙÕʲ}	.’¼²=€&°<>É­ºl@®l5êÇ×<C387>p¯—¯¼™IÈKVèˆN¼‡Œ“‹C¡ÔŽI¥¼š_<³g.…ïÄmf}Oá4(<28>шûöø¾@Ç;

secrets/Everest/host-key-ed25519-public

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 5qrYxA OECuD3X/YhnhNDjXFBsoq+mOQmadIQch2DhcVM2es3g
+Y9tNL/OXgxSrWtvrLDHBnaWGxDoSopQAVoFwx6WiHFE
+-> ssh-ed25519 AuWU1Q RawOBsHa1yGd0Nn3QPaZNlh3Qy5D5TNU0VVc6t7uwmU
+M0OgClrDATN23KARdN8kee/tDSolbdVQwxclOwUlCY8
+-> }|y:w-grease [|V >/-D+*J
+zPzM
+--- st6EavuBsvVd84P9CGhxLpgckxCsYjucYvpMiNS0YVY
+ÈÈÅíà¾wÕÊav\ÏÄÎGÍU.ð„é<<3C>8\ÏÍ<Ú‚½>È^=„<C382>Ÿø’Ïè0[f,£!S0z%/eo48Ååÿ’ò«&Jì¾ÿ‚?ä@‹À©‚žZJ;1/
á‚„*/t{ʹ-<2D>dn¶a8.EÇS$Ë–¦:Žþ©

secrets/ddclient-passwd

@@ -1,7 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 06objA y4bV1ytUwkmt9PbOrVgGT5UvhG122nbW1Uoj4X4G1ko
-iCncwjYew9IxINLtdTBCH1xVwMxlbEUj0+QDbqQo220
--> R520hu&,-grease BU
-r02YR9brHoUAtWXZd1yzrnA1IEymE6EGi+INiYzaU/6ucoMpqD1kTbnNA/XImBw
---- nHrpo/xmcD3yGS8tygN/HL5o4uyFBVJslY7xycLuJ9M
-ä޺ȮP';25$«Nç}™níhÓ<68>5<>Hóúû[ØŒØ<C592>ØÀ^ÍÃb_ØœS€<53>¿RIÊXû±×jhíx×$ 
+-> ssh-ed25519 5qrYxA YZag1cf+LCNznpoLx8wXN0lqaDfcxpP8Axmgt1gyiDo
+DujRQ8hZtv6CyKWmOGK82jFoRkT/72Y1OmWcTb+aiVw
+-> <VqXw-grease /l=NY
+GR5DcmYCCOReyAPxTCuH1GAJ1GA2KccU/Hy/CszPABNVUrP58EGa733eI7nZyqlD
+xooUCOLDwNF+LNA4ctKt+jSB/lLnLJT+chkkrtQ
+--- RdGZN42joziXDu9EHSl00YyASXnPCxFU3tFk5QjQnNU
+€<03>®diPÃvÀ|öm7Ú,gP ÃÜ_nª ´>ú–tRõ{…rv:IÚ“¶`Ëè¤%-וÈvé©M³pD9Ï,

secrets/secrets.nix

@@ -1,9 +1,18 @@
 let
-	everest = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEY+nRHGyId1eYdC0tk4eKDG8UPpWjNekif+XPPHa0XD root@Everest";
-	bootsrtrap = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKloSXSeF4dNXebd93uMuiFuXRHfxo/he4+O9SFTz1s bootstrap key";
+	everest = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7GzKZIK/UAMfRjsaxWWKOBqG7sa1ttJ+Gp0zTQSBXM root@Everest";
+	archie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINuqKOfYb2lyhoQYBQbuIEyMomze872rnpxDnax8BsC5 root@Archie";
+  bootsrtrap = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKloSXSeF4dNXebd93uMuiFuXRHfxo/he4+O9SFTz1s bootstrap key";
 in
 {
 	"ddclient-passwd".publicKeys = [ everest ];
 	"syncthing/key".publicKeys = [ everest ];
 	"syncthing/cert".publicKeys = [ everest ];
+	"Everest/host-key-ed25519".publicKeys = [ everest bootsrtrap ];
+	"Everest/host-key-ed25519-public".publicKeys = [ everest bootsrtrap ];
+	"Everest/host-key-rsa".publicKeys = [ everest bootsrtrap ];
+	"Everest/host-key-rsa-public".publicKeys = [ everest bootsrtrap ];
+	"Archie/host-key-ed25519".publicKeys = [ archie  bootsrtrap ];
+	"Archie/host-key-ed25519-public".publicKeys = [ archie bootsrtrap ];
+	"Archie/host-key-rsa".publicKeys = [ archie bootsrtrap ];
+	"Archie/host-key-rsa-public".publicKeys = [ archie bootsrtrap ];
 }