Refactor secrets handling

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2021-10-07 15:17:30 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2021-10-13 00:00:55 +0200
commit: 282c67a117b7d349b30a96972b050d630f906dec (patch)
tree: 6686bdc126d5c0bd548cd6286a41be5c8cfdc01f /modules/private/system.nix
parent: 97f5a24bc8839328571b23eb5f910de206ddbe1f (diff)
download: Nix-282c67a117b7d349b30a96972b050d630f906dec.tar.gz
Nix-282c67a117b7d349b30a96972b050d630f906dec.tar.zst
Nix-282c67a117b7d349b30a96972b050d630f906dec.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/modules/private/system.nix b/modules/private/system.nix
index 0e72d99..c7e277c 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -4,7 +4,12 @@
    networking.extraHosts = builtins.concatStringsSep "\n"
      (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes);
-    users.extraUsers.root.openssh.authorizedKeys.keyFiles = [ "${config.myEnv.privateFiles}/id_ed25519.pub" ];
+    users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
+    secrets.deleteSecretsVars = true;
+    secrets.gpgKeys = [
+      ../../nixops/public_keys/Immae.pub
+    ];
    services.openssh.enable = true;
    services.duplyBackup.profiles.system = {
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2021-10-07 15:17:30 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2021-10-13 00:00:55 +0200
commit	282c67a117b7d349b30a96972b050d630f906dec (patch)
tree	6686bdc126d5c0bd548cd6286a41be5c8cfdc01f /modules/private/system.nix
parent	97f5a24bc8839328571b23eb5f910de206ddbe1f (diff)
download	Nix-282c67a117b7d349b30a96972b050d630f906dec.tar.gz Nix-282c67a117b7d349b30a96972b050d630f906dec.tar.zst Nix-282c67a117b7d349b30a96972b050d630f906dec.zip