diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix index 60668e7..e89f231 100644 --- a/nixos/hosts/phantom-ship.nix +++ b/nixos/hosts/phantom-ship.nix @@ -63,8 +63,20 @@ in isNormalUser = true; extraGroups = [ "wheel" ]; # Password is locked (key-only SSH). Use NixOS installer or recovery to reset if needed. + openssh.authorizedKeys.keys = [ + # Mac admin (~/.ssh/id_ed25519_phantom_ship on Daniel-Macbook-Air). + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNl6PrKcEhmYJVqSXNcFU6cba3neekLBGnQCkD7lWAc danny@phantom-ship" + # Self-loopback (clan ssh-ng:// back to this host). + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyEX8De/b+sMAxUZIqqiPphcrWCoAsN5p8gRFubzqvB danny@phantom-ship" + ]; }; + # root needs the mac admin key so `clan machines update` can SSH to + # root@ for SOPS upload. + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNl6PrKcEhmYJVqSXNcFU6cba3neekLBGnQCkD7lWAc danny@phantom-ship" + ]; + # Key-only auth; no password or keyboard-interactive. services.openssh = { enable = true; diff --git a/nixos/hosts/sunken-ship.nix b/nixos/hosts/sunken-ship.nix index 609bb83..e305c03 100644 --- a/nixos/hosts/sunken-ship.nix +++ b/nixos/hosts/sunken-ship.nix 
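Review bot: Root now accepts the Mac admin key via `users.users.root.openssh.authorizedKeys.keys`, but whether sshd honours it depends on `PermitRootLogin`, which lives in the `services.openssh` block that continues past the end of this hunk and is not visible here. NixOS defaults that setting to `prohibit-password`, so key-based root login works implicitly; state the intent next to the key-only comment with `settings.PermitRootLogin = "prohibit-password";` so a later hardening change to `no` does not silently break `clan machines update`. Since the comment scopes the root key to SOPS upload from the admin Mac, consider prefixing that one entry with an authorized_keys restriction such as `from="<admin-host-or-cidr>"` (placeholder) so root access through that key is limited to the admin machine. The same two points apply to the identical root-key block added in sunken-ship.nix below.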
@@ -39,10 +39,22 @@ users.users.danny = { isNormalUser = true; extraGroups = [ "wheel" "video" "audio" ]; # video: backlight; audio: sound devices - # SSH keys: push via scp, don't commit. NixOS does not manage authorized_keys so scp'd keys persist. - # Example: scp ~/.ssh/id_ed25519_sunken_ship.pub danny@server:/tmp/ then on server: mkdir -p ~/.ssh; cat /tmp/*.pub >> ~/.ssh/authorized_keys + openssh.authorizedKeys.keys = [ + # Mac admin (~/.ssh/id_ed25519_sunken_ship on Daniel-Macbook-Air). + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@sunken-ship" + # Self-loopback (used by clan ssh-ng:// during nix-copy-closure + # back to this same host on `clan machines update`). Pubkey of the + # /home/danny/.ssh/id_ed25519 that lives on this host. + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9t4YAaoHvVouqp+qyFOq8o3SAtXMiAmjF6J0ldyx4g danny@sunken-ship self" + ]; }; + # root needs the mac admin key so `clan machines update` can SSH to + # root@ to upload SOPS keys (sops-install-secrets bootstrap). + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@sunken-ship" + ]; + # Key-only auth; no password or keyboard-interactive. services.openssh = { enable = true;
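Review bot: The removed comment recorded that keys were previously appended out of band to `~/.ssh/authorized_keys` by scp, and nothing in this hunk removes that file; unless `services.openssh.authorizedKeysFiles` is overridden elsewhere in this config, sshd keeps reading `%h/.ssh/authorized_keys` alongside the generated `/etc/ssh/authorized_keys.d/danny`, so any key pushed that way stays valid even though it no longer appears in this declarative list. Either clean up the stale file on the host as part of this rollout or set `services.openssh.authorizedKeysFiles` to the NixOS-managed path only, and record the decision above the list with `# Authorized keys are fully declarative; stale ~/.ssh/authorized_keys entries were removed on <date>.` (placeholder date). The self-loopback entry's private half lives on this host per the comment, so that key is only as protected as danny's home directory; acceptable for a loopback, but worth noting that it should not be reused for any other host. The `services.openssh` block continues beyond the end of the hunk.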