From b8bc17f385795ecd2c85cf3c393e627de720fa61 Mon Sep 17 00:00:00 2001
From: DannyDannyDanny
Date: Sat, 25 Apr 2026 13:30:40 +0200
Subject: [PATCH] =?UTF-8?q?feat(servers):=20declare=20SSH=20authorizedKeys?=
 =?UTF-8?q?=20+=20root=20mac=20admin=20trust=20=F0=9F=94=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Move the imperative SSH-key-related scars accumulated during the clan/VPS rollout into nix config so future installs and rebuilds reproduce the same state:
- danny@sunken-ship + danny@phantom-ship: trust the mac admin key (id_ed25519_ on Daniel-Macbook-Air) and the host's own self-loopback key (used by clan ssh-ng:// nix-copy-closure back to the same host during `clan machines update`).
- root@sunken-ship + root@phantom-ship: trust the mac admin key so `clan machines update` can run its SOPS-key upload step that SSHes to root@ to write /var/lib/sops-nix/key.txt.
Existing key files (~/.ssh/id_ed25519 on each host) stay where they are; the keypair was generated once during initial bootstrap and the public side is now declared above. Reinstalls would regenerate and need the pubkey re-pinned here.
---
 nixos/hosts/phantom-ship.nix | 12 ++++++++++++
 nixos/hosts/sunken-ship.nix | 16 ++++++++++++++--
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix
index 60668e7..e89f231 100644
--- a/nixos/hosts/phantom-ship.nix
+++ b/nixos/hosts/phantom-ship.nix
@@ -63,8 +63,20 @@ in
 isNormalUser = true;
 extraGroups = [ "wheel" ];
 # Password is locked (key-only SSH). Use NixOS installer or recovery to reset if needed.
+ openssh.authorizedKeys.keys = [
+ # Mac admin (~/.ssh/id_ed25519_phantom_ship on Daniel-Macbook-Air).
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNl6PrKcEhmYJVqSXNcFU6cba3neekLBGnQCkD7lWAc danny@phantom-ship"
+ # Self-loopback (clan ssh-ng:// back to this host).
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyEX8De/b+sMAxUZIqqiPphcrWCoAsN5p8gRFubzqvB danny@phantom-ship"
+ ];
 };
 
+ # root needs the mac admin key so `clan machines update` can SSH to
+ # root@ for SOPS upload.
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDNl6PrKcEhmYJVqSXNcFU6cba3neekLBGnQCkD7lWAc danny@phantom-ship"
+ ];
+
 # Key-only auth; no password or keyboard-interactive.
 services.openssh = {
 enable = true;
diff --git a/nixos/hosts/sunken-ship.nix b/nixos/hosts/sunken-ship.nix
index 609bb83..e305c03 100644
--- a/nixos/hosts/sunken-ship.nix
+++ b/nixos/hosts/sunken-ship.nix
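Review bot: Declaring `openssh.authorizedKeys.keys` for danny and root adds to the trusted set but does not retire keys that were appended imperatively to `~/.ssh/authorized_keys` during bootstrap: NixOS's default `services.openssh.authorizedKeysFiles` still reads `%h/.ssh/authorized_keys` alongside the managed `/etc/ssh/authorized_keys.d/%u`, so after the rebuild the effective trust on this host is the union of this list and that file. The sunken-ship.nix hunk's removed comment shows that scp workflow was in use there, and phantom-ship's existing "key-only SSH" comment suggests the same bootstrap here. To make this list the single source of truth, remove the imperative file on each host (or narrow `services.openssh.authorizedKeysFiles` to the managed path) and record that above the list, e.g. `# Only keys listed here are trusted; ~/.ssh/authorized_keys was removed on <date>.` The second entry also repeats the mac admin key's comment `danny@phantom-ship`, whereas sunken-ship.nix suffixes its loopback key with ` self`; writing it as `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyEX8De/b+sMAxUZIqqiPphcrWCoAsN5p8gRFubzqvB danny@phantom-ship self"` keeps the two entries distinguishable when the file is audited. The `services.openssh` block whose `settings.PermitRootLogin` decides whether the root key is honoured at all continues past the end of the hunk.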
@@ -39,10 +39,22 @@
 users.users.danny = {
 isNormalUser = true;
 extraGroups = [ "wheel" "video" "audio" ]; # video: backlight; audio: sound devices
- # SSH keys: push via scp, don't commit. NixOS does not manage authorized_keys so scp'd keys persist.
- # Example: scp ~/.ssh/id_ed25519_sunken_ship.pub danny@server:/tmp/ then on server: mkdir -p ~/.ssh; cat /tmp/*.pub >> ~/.ssh/authorized_keys
+ openssh.authorizedKeys.keys = [
+ # Mac admin (~/.ssh/id_ed25519_sunken_ship on Daniel-Macbook-Air).
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@sunken-ship"
+ # Self-loopback (used by clan ssh-ng:// during nix-copy-closure
+ # back to this same host on `clan machines update`). Pubkey of the
+ # /home/danny/.ssh/id_ed25519 that lives on this host.
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9t4YAaoHvVouqp+qyFOq8o3SAtXMiAmjF6J0ldyx4g danny@sunken-ship self"
+ ];
 };
 
+ # root needs the mac admin key so `clan machines update` can SSH to
+ # root@ to upload SOPS keys (sops-install-secrets bootstrap).
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@sunken-ship"
+ ];
+
 # Key-only auth; no password or keyboard-interactive.
 services.openssh = {
 enable = true;
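Review bot: The mac admin public key literal `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@sunken-ship` is pasted twice in this hunk (danny's list and root's list), so a key rotation or typo fix has to be made in two places and the copies can silently drift apart. Bind it once — in an existing `let … in` if this file has one, as phantom-ship.nix appears to — with `macAdminKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW/akfIiVU5o63YrTAJVZhMj7kXfYHOnXDtlpVFW7pf danny@sunken-ship";` and reference `macAdminKey` from both lists; phantom-ship.nix carries the same duplication. The root-key comment could also state the precondition it depends on, e.g. `# Honoured only while services.openssh.settings.PermitRootLogin permits key auth (NixOS default: prohibit-password).`, since the `services.openssh` block that would set it continues outside the hunk.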