diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index 646fb33..8202017 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml @@ -1,3 +1,5 @@ +name: flake check + on: [push] jobs: check: diff --git a/.forgejo/workflows/deployment/deploy-systems.yml b/.forgejo/workflows/deployment/deploy-systems.yml new file mode 100644 index 0000000..396d9a0 --- /dev/null +++ b/.forgejo/workflows/deployment/deploy-systems.yml @@ -0,0 +1,27 @@ +name: deploy systems + +on: + push: + paths: + - "**.lock" +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: install nix action + uses: https://github.com/DeterminateSystems/nix-installer-action@v5 + with: + github-token: ${{ secrets.GH_TOKEN }} + - name: write private key + run: | + mkdir -p .ssh && cd .ssh + echo "$SSH_KEY" > forgejo + chmod 400 forgejo + shell: bash + env: + SSH_KEY: ${{secrets.SSH_DEPLOY_KEY}} + - name: deploy + run: | + cd .ssh + nix run github:serokell/deploy-rs -- --ssh-opts="-i forgejo -o StrictHostKeyChecking=no" --skip-checks --targets .#arashi .#kariru .#sakura .#sora .#yuki diff --git a/.forgejo/workflows/fmt.yml b/.forgejo/workflows/fmt.yml index c854864..e202ec9 100644 --- a/.forgejo/workflows/fmt.yml +++ b/.forgejo/workflows/fmt.yml @@ -1,3 +1,5 @@ +name: fmt check + on: [push] jobs: check: diff --git a/hosts/arashi/default.nix b/hosts/arashi/default.nix index 7bad61f..079c367 100644 --- a/hosts/arashi/default.nix +++ b/hosts/arashi/default.nix @@ -28,6 +28,9 @@ }; users.users.notoh.openssh.authorizedKeys.keys = [ - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWRbIwwHuyEOLhA9dKTf4TgFqtPR5MNcJorKm731S7G arashi'' + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWRbIwwHuyEOLhA9dKTf4TgFqtPR5MNcJorKm731S7G arashi" + ]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo" ]; } diff --git a/hosts/deploy.nix b/hosts/deploy.nix index 4a7a35b..cf82c55 100644 
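Review bot: `-o StrictHostKeyChecking=no` in the deploy step disables host-key verification, so the runner pushes the system closure and runs activation against whatever answers at the addresses in hosts/deploy.nix with no way to notice a spoofed host; since the target set is fixed, keep the hosts' public host keys in a secret, write them to a known_hosts file next to the private key and pass `-o UserKnownHostsFile=… -o StrictHostKeyChecking=yes` instead. The key-writing step should set `umask 077` before the redirect rather than `chmod 400` afterwards, so the key file is never created with default permissions. The trigger `on.push.paths` has no `branches` filter, so a lock-file change pushed to any branch deploys to every host; add a `branches:` list naming the deployment branch. `actions/checkout@v3` and `nix-installer-action@v5` are moving tags, so pinning them to commit SHAs keeps the deploy toolchain reproducible, and `--skip-checks` means `nix flake check` never gates a deploy — if that is intended, a one-line comment saying so would help the next reader.
```yaml
# … unchanged: name, trigger, checkout and nix-installer steps …
      - name: write private key
        run: |
          umask 077
          mkdir -p .ssh
          printf '%s\n' "$SSH_KEY" > .ssh/forgejo
          printf '%s\n' "$KNOWN_HOSTS" > .ssh/known_hosts
        shell: bash
        env:
          SSH_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
          KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}  # placeholder: secret holding the targets' public host keys in known_hosts format
      - name: deploy
        run: |
          nix run github:serokell/deploy-rs -- --ssh-opts="-i .ssh/forgejo -o UserKnownHostsFile=.ssh/known_hosts -o StrictHostKeyChecking=yes" --skip-checks --targets .#arashi .#kariru .#sakura .#sora .#yuki
```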
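Review bot: The `forgejo` key added to `users.users.root.openssh.authorizedKeys.keys` here is the same key added for root in the kariru, sakura, sora, tsuru and yuki hunks of this commit, so the single `SSH_DEPLOY_KEY` secret is now an unrestricted root credential for every host. The authorized_keys format can narrow what that key is good for: a `from=` prefix limits where it may be used from, e.g. `"from=\"<runner address>\" ssh-ed25519 <forgejo public key> forgejo"` (placeholders for the CI runner's address or range and the key already in the hunk), and a short comment above the list saying the key belongs to the deploy workflow would tell the next reader why root has a key at all. Per-host deploy keys would additionally contain a compromise to one machine, at the cost of one secret per host.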
--- a/hosts/deploy.nix +++ b/hosts/deploy.nix 
@@ -1,54 +1,64 @@ inputs: { nodes = with inputs.deploy-rs.lib.x86_64-linux; { sakura = { - hostname = "sakura"; + hostname = "100.121.201.47"; profiles.system = { user = "root"; path = activate.nixos inputs.self.nixosConfigurations.sakura; }; - sshUser = "notoh"; - sshOpts = ["-t" "-i" "~/.ssh/sakura"]; - magicRollback = false; + sshUser = "root"; + sshOpts = ["-t" "-i" "~/.ssh/forgejo"]; + magicRollback = true; }; kariru = { - hostname = "kariru"; + hostname = "100.126.229.95"; profiles.system = { user = "root"; path = activate.nixos inputs.self.nixosConfigurations.kariru; }; - sshUser = "notoh"; - sshOpts = ["-t" "-i" "~/.ssh/kariru"]; - magicRollback = false; + sshUser = "root"; + sshOpts = ["-t" "-i" "~/.ssh/forgejo"]; + magicRollback = true; }; yuki = { - hostname = "yuki"; + hostname = "100.110.140.130"; profiles.system = { user = "root"; path = activate.nixos inputs.self.nixosConfigurations.yuki; }; - sshUser = "notoh"; - sshOpts = ["-t" "-i" "~/.ssh/yuki"]; - magicRollback = false; + sshUser = "root"; + sshOpts = ["-t" "-i" "~/.ssh/forgejo"]; + magicRollback = true; }; arashi = { - hostname = "arashi"; + hostname = "100.94.214.100"; profiles.system = { user = "root"; path = activate.nixos inputs.self.nixosConfigurations.arashi; }; - sshUser = "notoh"; - sshOpts = ["-t" "-i" "~/.ssh/arashi"]; - magicRollback = false; + sshUser = "root"; + sshOpts = ["-t" "-i" "~/.ssh/forgejo"]; + magicRollback = true; }; sora = { - hostname = "sora"; + hostname = "100.87.54.48"; profiles.system = { user = "root"; path = activate.nixos inputs.self.nixosConfigurations.sora; }; - sshUser = "notoh"; - sshOpts = ["-t" "-i" "~/.ssh/kumo"]; - magicRollback = false; + sshUser = "root"; + sshOpts = ["-t" "-i" "~/.ssh/forgejo"]; + magicRollback = true; + }; + tsuru = { + hostname = "100.82.146.40"; + profiles.system = { + user = "root"; + path = activate.nixos inputs.self.nixosConfigurations.tsuru; + }; + sshUser = "root"; + sshOpts = ["-t" "-i" "~/.ssh/forgejo"]; + magicRollback = 
true; }; }; } diff --git a/hosts/kariru/default.nix b/hosts/kariru/default.nix index 2ed3b0c..a78f0ea 100644 --- a/hosts/kariru/default.nix +++ b/hosts/kariru/default.nix @@ -24,6 +24,9 @@ }; users.users.notoh.openssh.authorizedKeys.keys = [ - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmWafzbhah18nm2z1epc6139XVlcKT0ndAI0wbLj+/6 kariru'' + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmWafzbhah18nm2z1epc6139XVlcKT0ndAI0wbLj+/6 kariru" + ]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo" ]; } diff --git a/hosts/sakura/default.nix b/hosts/sakura/default.nix index 7c218a0..b72db52 100644 --- a/hosts/sakura/default.nix +++ b/hosts/sakura/default.nix @@ -1,4 +1,4 @@ -{...}: { +{pkgs, ...}: { imports = [ ./hardware-configuration.nix ./services @@ -26,6 +26,11 @@ }; users.users.notoh.openssh.authorizedKeys.keys = [ - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqAjaV2D2J8ln4n39ZvszCF5Jql+0IaSpFCJlzDSLv6 sakura'' + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqAjaV2D2J8ln4n39ZvszCF5Jql+0IaSpFCJlzDSLv6 sakura" ]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo" + ]; + + environment.systemPackages = [pkgs.cowsay]; } diff --git a/hosts/sora/default.nix b/hosts/sora/default.nix index 00f4165..06ffeef 100644 --- a/hosts/sora/default.nix +++ b/hosts/sora/default.nix @@ -10,6 +10,9 @@ _: { zramSwap.enable = true; networking.hostName = "sora"; users.users.notoh.openssh.authorizedKeys.keys = [ - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmI3hRDFjxLjrM3pE471e4jxSlcqeizh3iNVVdaMHeN sora'' + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmI3hRDFjxLjrM3pE471e4jxSlcqeizh3iNVVdaMHeN sora" + ]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo" ]; } diff --git a/hosts/tsuru/default.nix b/hosts/tsuru/default.nix index 69468b3..8f257ed 100644 
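Review bot: Switching every node's `sshUser` from `"notoh"` to `"root"` is what forces `PermitRootLogin` open in modules/openssh.nix; deploy-rs already supports a non-root `sshUser` together with `profiles.system.user = "root"` (it escalates with sudo on the target), so a dedicated deploy user with passwordless sudo for the activation would avoid root SSH logins entirely. The `sshOpts` path `~/.ssh/forgejo` also does not match the workflow, which writes the key to `.ssh/forgejo` inside the checkout and passes it as `-i forgejo` after `cd .ssh`; ssh tries every `-i` identity and only warns about a missing file, so this presumably works only because the CLI copy is found — pick one location. Six nodes now differ only in name and address, so a small `mkNode` helper keeps the shared `sshUser`/`sshOpts`/`magicRollback` settings in one place and makes the next host a one-line addition.
```nix
inputs: let
  # One deploy-rs node; every host shares the same deploy user, key and rollback policy.
  mkNode = name: hostname: {
    inherit hostname;
    profiles.system = {
      user = "root";
      path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.${name};
    };
    sshUser = "root";
    sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
    magicRollback = true;
  };
in {
  nodes = {
    sakura = mkNode "sakura" "100.121.201.47";
    kariru = mkNode "kariru" "100.126.229.95";
    # … unchanged in substance: yuki, arashi, sora, tsuru with the addresses from this hunk …
  };
}
```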
--- a/hosts/tsuru/default.nix +++ b/hosts/tsuru/default.nix @@ -24,6 +24,9 @@ }; users.users.notoh.openssh.authorizedKeys.keys = [ - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKwby2FLCKFZZlOLDRhsm9GckyYAuyk0mq28jRD02tdv tsuru'' + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKwby2FLCKFZZlOLDRhsm9GckyYAuyk0mq28jRD02tdv tsuru" + ]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo" ]; } diff --git a/hosts/yuki/default.nix b/hosts/yuki/default.nix index fca7feb..28da01a 100644 --- a/hosts/yuki/default.nix +++ b/hosts/yuki/default.nix @@ -24,6 +24,9 @@ }; users.users.notoh.openssh.authorizedKeys.keys = [ - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINoLDqOjZIQQ+YYir9MQnlh8wgqI1dz5nYL054OnIgDa yuki'' + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINoLDqOjZIQQ+YYir9MQnlh8wgqI1dz5nYL054OnIgDa yuki" + ]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo" ]; } diff --git a/modules/openssh.nix b/modules/openssh.nix index 749d2ec..14d7c60 100644 --- a/modules/openssh.nix +++ b/modules/openssh.nix @@ -5,7 +5,7 @@ KbdInteractiveAuthentication = false; PasswordAuthentication = lib.mkForce false; PubkeyAuthentication = lib.mkForce true; - PermitRootLogin = lib.mkForce "no"; + PermitRootLogin = lib.mkForce "yes"; StreamLocalBindUnlink = "yes"; GatewayPorts = "clientspecified"; }; diff --git a/modules/security.nix b/modules/security.nix index 5c78728..e904164 100644 --- a/modules/security.nix +++ b/modules/security.nix @@ -55,7 +55,9 @@ "192.168.0.0/16" "172.16.0.0/12" "10.0.0.0/8" - "5.161.181.184" + "5.161.181.184/32" + "100.71.49.65/10" + "100.82.146.40/10" ]; jails.DEFAULT = { settings = {
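Review bot: `PermitRootLogin = lib.mkForce "yes"` is broader than the deploy workflow needs; `"prohibit-password"` lets root in with the deploy key while keeping password and keyboard-interactive root logins refused even if `PasswordAuthentication` is ever relaxed elsewhere. Since this module appears to be shared by every host, the change opens root SSH fleet-wide, including a host the workflow does not target (tsuru is in hosts/deploy.nix but absent from the workflow's `--targets` list). Proposed line: `PermitRootLogin = lib.mkForce "prohibit-password";`, with `# root SSH exists only for deploy-rs activation: key auth only, see users.users.root.openssh.authorizedKeys` above it.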
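Review bot: `"100.71.49.65/10"` and `"100.82.146.40/10"` both denote the same network, 100.64.0.0/10 (the shared address space commonly used by overlay VPNs), because a /10 mask discards the host bits; this list, which from `jails.DEFAULT` looks like fail2ban's ignore list, therefore exempts every address in that range from banning rather than two hosts. If the whole overlay range is meant, write it once as `"100.64.0.0/10"` with a comment saying so; if only those two hosts are meant, use `/32` as the line above now does for `5.161.181.184/32`. Note that 100.82.146.40 is tsuru's deploy address in hosts/deploy.nix, so the second entry is presumably there for the deploy path — worth a comment either way.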