Secrets: change syncthing key and cert

roles/common/configuration.nix

@@ -27,32 +27,15 @@
 			# enter the password A LOT of times. Only on the first setup tho
 			"/tmp/id_ed25519_bootstrap"
 		];
-	# Copy (NOT SYMLINK) host ssh keys into place
-		secrets = {
-			"ed25519" = {
-				symlink = false;
-				file = ../../secrets/${config.networking.hostName}/host-key-ed25519;
-				path = "/etc/ssh/ssh_host_ed25519_key";
-			};
-			"rsa" = {
-				symlink = false;
-				file = ../../secrets/${config.networking.hostName}/host-key-rsa;
-				path= "/etc/ssh/ssh_host_rsa_key";
-			};
-			"ed25519-public" = {
-				symlink = false;
-				file = ../../secrets/${config.networking.hostName}/host-key-ed25519-public;
-				path = "/etc/ssh/ssh_host_ed25519_key.pub";
-				mode = "0644";
-			};
-			"rsa-public" = {
-				symlink = false;
-				file = ../../secrets/${config.networking.hostName}/host-key-rsa-public;
-				path = "/etc/ssh/ssh_host_rsa_key.pub";
-				mode = "0644";
-			};
-		};
 	};
 
+	/*
+	I used to keep the host keys in the repo as a secret, but since I use the
+	host keys for decrypting too I'm not sure encrypting a key with itself
+	is a good idea. Now the host keys will need to be placed manually where they are needed
+	For first time installs they are generated by services.openssh.hostKeys on servers, and
+	manually on everything else
+	*/	
+	
 	system.stateVersion = "23.05";
 }

secrets/Archie/host-key-ed25519

@@ -1,14 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 zhSyTg v0zMwf3PyU8i5Z8cKQAM8G/egqkmPONA7twvIsTtFUU
-4BlqeR6PpQrYwf7BT1UXqzaiiNwHAxsbbvX1Sk7YG7M
--> ssh-ed25519 AuWU1Q m0nCQcYG0Jz8AeouayMRTPiQvZxWDbci88ouaaW1kBE
-FMRP4tDLTQ8wo/9j6AaVhl4/amQAjgZDPKqmtzTwHbI
--> tR-grease jXU
-zPQZdJy9DQ9MUenFWBk
---- NY5Z2u04JmXtfy09gfYTziCNqdXfSXQLe3n/e7wburg
-åê
-šKàQoƒa|É—·²ëÞ âÜ.ýƒùhSÞ
-^aɹL)m.	At‘}B¡RüÈ!7ÌJí¿%fÒ#f_/=´ïïÏÞd›:§‡\[ùTý<54>ãxÈ”—U³s(†:‘’ÝI¨ãˆ~-¢ºiº”-l!(íÌ®S†G¿»½^öä¹Ù¢ØVŒ¤Ú—ig¾ñ~ò™MDdn–WõqûÕb7¼ÃÊÖáñ‘†ôP\÷²CαˆØü½Iõþë}©ÍmsUè•4="™‚‰1Ï.Ùõ±:aT-Oo<4F>yˆ¢%v¥$iBåN—À)s8¿OV(EÇ…ì­¯ôtW•i;n·€Pè7æÝQº‡çó0†Â·„tRúá+W´’1Bdé„T’òTO…W¡f>å”æ6Cß>ö<0E>´nT¾ô
-ÈKÙ)åDÍ81Õi<17>lÃß3JPQw¢Õ.w\&6¢Åö¿j ”T:¥8E`,•Ò"ÔìaÒ‚<Êd<>K×rc2ä´ƒ<´ÔÞ~¹ù
-h?FŽc
-ÐΣJ
öüto›D€Æ

secrets/Archie/host-key-ed25519-public

@@ -1,10 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 zhSyTg Xkk6wPQm3Sm3RuNyKhnKVz/evGJtr0UwhB7m2iuhrR4
-RMheqKeCD+Py22+xmvp3Se1z84t60+6y1Bbt7uYGxFs
--> ssh-ed25519 AuWU1Q 5l5/vuIGxW+6ZzlDKjLzNCxyiW1+Kh651xpnwjfF3FQ
-ZIx/zZZMPpO8zDW5JdkucIBVH1xK4KtoA7Kovw+bcOU
--> 7%-grease [ wwEC MxP UF:U6Cy
-Hp7t6AxdTAfm4r/LMWAt22vOYvhfHJLX4BIB7eEUfQnNAPIx43SrK8QIrAGHWbxN
-hdO18C5g6xoE5HHz5uM5ASzUWC4Nws3OXwY
---- 2kwRA1NakiMhvMQgkaiEiJ93SkjTmOt77m0tO+e/p/w
-Ï ^^ðè”Ià=Õð•ñÏ*Ã='çVå[$-Ä<10>ÙÕʲ}	.’¼²=€&°<>É­ºl@®l5êÇ×<C387>p¯—¯¼™IÈKVèˆN¼‡Œ“‹C¡ÔŽI¥¼š_<³g.…ïÄmf}Oá4(<28>шûöø¾@Ç;

secrets/Everest/host-key-ed25519-public

@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 5qrYxA OECuD3X/YhnhNDjXFBsoq+mOQmadIQch2DhcVM2es3g
-Y9tNL/OXgxSrWtvrLDHBnaWGxDoSopQAVoFwx6WiHFE
--> ssh-ed25519 AuWU1Q RawOBsHa1yGd0Nn3QPaZNlh3Qy5D5TNU0VVc6t7uwmU
-M0OgClrDATN23KARdN8kee/tDSolbdVQwxclOwUlCY8
--> }|y:w-grease [|V >/-D+*J
-zPzM
---- st6EavuBsvVd84P9CGhxLpgckxCsYjucYvpMiNS0YVY
-ÈÈÅíà¾wÕÊav\ÏÄÎGÍU.ð„é<<3C>8\ÏÍ<Ú‚½>È^=„<C382>Ÿø’Ïè0[f,£!S0z%/eo48Ååÿ’ò«&Jì¾ÿ‚?ä@‹À©‚žZJ;1/
á‚„*/t{ʹ-<2D>dn¶a8.EÇS$Ë–¦:Žþ©

secrets/ddclient-passwd

@@ -1,8 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 5qrYxA YZag1cf+LCNznpoLx8wXN0lqaDfcxpP8Axmgt1gyiDo
+-> ssh-ed25519 06objA y4bV1ytUwkmt9PbOrVgGT5UvhG122nbW1Uoj4X4G1ko
-DujRQ8hZtv6CyKWmOGK82jFoRkT/72Y1OmWcTb+aiVw
+iCncwjYew9IxINLtdTBCH1xVwMxlbEUj0+QDbqQo220
--> <VqXw-grease /l=NY
+-> R520hu&,-grease BU
-GR5DcmYCCOReyAPxTCuH1GAJ1GA2KccU/Hy/CszPABNVUrP58EGa733eI7nZyqlD
+r02YR9brHoUAtWXZd1yzrnA1IEymE6EGi+INiYzaU/6ucoMpqD1kTbnNA/XImBw
-xooUCOLDwNF+LNA4ctKt+jSB/lLnLJT+chkkrtQ
+--- nHrpo/xmcD3yGS8tygN/HL5o4uyFBVJslY7xycLuJ9M
---- RdGZN42joziXDu9EHSl00YyASXnPCxFU3tFk5QjQnNU
+ä޺ȮP';25$«Nç}™níhÓ<68>5<>Hóúû[ØŒØ<C592>ØÀ^ÍÃb_ØœS€<53>¿RIÊXû±×jhíx×$ 
-€<03>®diPÃvÀ|öm7Ú,gP ÃÜ_nª ´>ú–tRõ{…rv:IÚ“¶`Ëè¤%-וÈvé©M³pD9Ï,

secrets/secrets.nix

@@ -1,18 +1,9 @@
 let
-	everest = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7GzKZIK/UAMfRjsaxWWKOBqG7sa1ttJ+Gp0zTQSBXM root@Everest";
+	everest = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEY+nRHGyId1eYdC0tk4eKDG8UPpWjNekif+XPPHa0XD root@Everest";
-	archie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINuqKOfYb2lyhoQYBQbuIEyMomze872rnpxDnax8BsC5 root@Archie";
+	bootsrtrap = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKloSXSeF4dNXebd93uMuiFuXRHfxo/he4+O9SFTz1s bootstrap key";
-  bootsrtrap = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKloSXSeF4dNXebd93uMuiFuXRHfxo/he4+O9SFTz1s bootstrap key";
 in
 {
 	"ddclient-passwd".publicKeys = [ everest ];
 	"syncthing/key".publicKeys = [ everest ];
 	"syncthing/cert".publicKeys = [ everest ];
-	"Everest/host-key-ed25519".publicKeys = [ everest bootsrtrap ];
-	"Everest/host-key-ed25519-public".publicKeys = [ everest bootsrtrap ];
-	"Everest/host-key-rsa".publicKeys = [ everest bootsrtrap ];
-	"Everest/host-key-rsa-public".publicKeys = [ everest bootsrtrap ];
-	"Archie/host-key-ed25519".publicKeys = [ archie  bootsrtrap ];
-	"Archie/host-key-ed25519-public".publicKeys = [ archie bootsrtrap ];
-	"Archie/host-key-rsa".publicKeys = [ archie bootsrtrap ];
-	"Archie/host-key-rsa-public".publicKeys = [ archie bootsrtrap ];
 }