feat: new deploy system, allows for in-repo pii

2025-12-06 09:07:21 +01:00 · 2025-06-11 02:25:34 +02:00 · 2025-06-11 02:25:34 +02:00 · a11c7854d1
commit a11c7854d1
parent 7e11641fe7
19 changed files with 1251 additions and 412 deletions
--- a/modules/nixos/server/packages.nix
+++ b/modules/nixos/server/packages.nix
@ -5,6 +5,7 @@
    environment.systemPackages = with pkgs; [
      gnupg
      nix-index
+      nvd
      ssh-to-age
      git
      emacs
--- a/modules/nixos/server/ssh.nix
+++ b/modules/nixos/server/ssh.nix
@ -4,6 +4,18 @@
  config = lib.mkIf config.swarselsystems.modules.server.ssh {
    services.openssh = {
      enable = true;
+      startWhenNeeded = lib.mkForce false;
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = "yes";
+      };
+      hostKeys = [
+        {
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
    };
    users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [
      (self + /secrets/keys/ssh/yubikey.pub)