Simon Gardling
bedc94cbc0
- enable gitea actions - add native host runner (nix:host label, capacity 1) - add gitea-runner system user with persisted state - add agenix-encrypted CI secrets (deploy key, git-crypt key, runner token) - authorize CI deploy key for root SSH - add build-and-deploy workflow triggered on push to main
39 lines
950 B
Nix
39 lines
950 B
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
username,
|
|
...
|
|
}:
|
|
{
|
|
# Enable the OpenSSH daemon.
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
AllowUsers = [
|
|
username
|
|
"root"
|
|
];
|
|
PasswordAuthentication = false;
|
|
PermitRootLogin = "yes"; # for deploying configs
|
|
};
|
|
};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"Z /etc/ssh 755 root root"
|
|
"Z /etc/ssh/ssh_host_* 600 root root"
|
|
];
|
|
|
|
users.users.${username}.openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
|
|
];
|
|
|
|
# used for deploying configs to server
|
|
users.users.root.openssh.authorizedKeys.keys =
|
|
config.users.users.${username}.openssh.authorizedKeys.keys
|
|
++ [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5ZYN6idL/w/mUIfPOH1i+Q/SQXuzAMQUEuWpipx1Pc ci-deploy@muffin"
|
|
];
|
|
}
|