authorMark Nipper <nipsy@bitgnome.net>2025-03-18 13:05:35 -0700
committerMark Nipper <nipsy@bitgnome.net>2025-03-18 13:05:35 -0700
commit1cb48d9853ca809e1ecb8bc179e2667e682e2199 (patch)
treed03d4418350f4bef5310a5a6d7f635046d2d6119
parentf85a514d168061b044d59f2ecc162a4cd5a03c26 (diff)
Add SSH configuration for root@arrakis
-rw-r--r--home/nipsy/arrakis.nix1
-rw-r--r--home/root/arrakis.nix12
-rw-r--r--home/root/secrets/arrakis.yaml30
3 files changed, 43 insertions, 0 deletions
diff --git a/home/nipsy/arrakis.nix b/home/nipsy/arrakis.nix
index b5ded5f..801148f 100644
--- a/home/nipsy/arrakis.nix
+++ b/home/nipsy/arrakis.nix
@@ -24,6 +24,7 @@
".mutt/headers".source = ./arrakis/mutt/headers;
".mutt/keys".source = ./arrakis/mutt/keys;
".mutt/muttrc".source = ./arrakis/mutt/muttrc;
+ "bin/knock".source = ../common/scripts/knock;
};
programs.zsh = {
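Review bot: The added `"bin/knock".source = ../common/scripts/knock;` line links a script that is not part of this diff, and a file installed through `home.file` with `source` is copied into the world-readable Nix store. If that script carries a knock sequence or target ports in plaintext, they are readable by every local user and by anyone who can browse the repository, unlike the `ssh_config` that this same commit encrypts with sops; this is inferred, since the script's contents are not visible here. The same line is added for root in the first hunk of `home/root/arrakis.nix`. A short comment such as `# port-knock helper; sequence is not a secret, sshd auth still applies` would record that the knock is not relied on as an access control. The commit title mentions only root's SSH configuration, so adding the helper for `nipsy` as well would be easier to trace as its own commit.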
diff --git a/home/root/arrakis.nix b/home/root/arrakis.nix
index ac7a30a..47c9552 100644
--- a/home/root/arrakis.nix
+++ b/home/root/arrakis.nix
@@ -5,6 +5,7 @@
];
home.file = {
+ "bin/knock".source = ../common/scripts/knock;
"bin/vpnctl" = {
executable = true;
text = ''
@@ -86,4 +87,15 @@
nix.extraOptions = ''
!include /run/secrets/nix-access-token-github
'';
+
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ./secrets/arrakis.yaml;
+
+ secrets = {
+ "ssh_config" = {
+ path = "/root/.ssh/config";
+ };
+ };
+ };
}
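Review bot: The `sops` block decrypts with `/etc/ssh/ssh_host_ed25519_key`, so the host's SSH identity key also protects every secret in `./secrets/arrakis.yaml`, and nothing in the hunk records that coupling. I would add a comment above `age.sshKeyPaths` such as `# host key doubles as the age identity: regenerating it requires re-encrypting secrets/arrakis.yaml for the new recipient`. The `ssh_config` secret also relies on the module's default file mode; writing `mode = "0400";` next to `path` states the intended permissions on `/root/.ssh/config` explicitly. Because the ciphertext is committed, anyone who later obtains either recipient's private key can decrypt the historical file, so exposure of the host key matters beyond SSH host authentication.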
diff --git a/home/root/secrets/arrakis.yaml b/home/root/secrets/arrakis.yaml
new file mode 100644
index 0000000..334deda
--- /dev/null
+++ b/home/root/secrets/arrakis.yaml
@@ -0,0 +1,30 @@
+ssh_config: ENC[AES256_GCM,data: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,iv:kKJHSQxvWxMRIo5xm2xEuoz9Pmj2UkZRUq5cRFhi2oE=,tag:rQLxqDgIXjl0NcqXylnfkg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1mkqxkwse7hrnxtcgqe0wdzhhrxk55syx2wpcngemecz0d7hugsnqupw3de
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVDdSd3VwZ1Q5ay9tbGZJ
+ c1R2ck5MSjNDemVxZ09ZT3QxeW13ZnJWdm5zCngyQTIxOWwyMG00VFlGYmtzS0w5
+ MC95S3dHVEFWQUxkb1cxeFFTamxWeUEKLS0tIEx4Z1E5NWlLLyt0MVo1WDFZekZn
+ TCtXUkFuS0d4Q0VmczlrM0RkaVVNVUUKz8Oh6Ob2KWH2Gn0sNSdBmIbvVyA3PsxZ
+ /16ZwBAbe3DnPEIe7K94V3fTUoAmQw249xiOJKPAJjo/DfohqM5x3Q==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsK3R3YldHdmZJYUVkV1RD
+ Z2dxVmZVUnlab0FHQU9XOEZQeS90WGxTM1hjCjhGVmRLblhMUG40ZmZSWHhLMkFp
+ MzVMbW9CRjA0REd2bXI2T040RXJJaVUKLS0tIHlqZCtrSk96WFB0MUhTUFNCdUZh
+ Z3FXd0I3N3dsT0xRMnpvZEhsNUllQXMKP1r2fp4sNcV0UNBDJboyFSGxfTIFl7TH
+ bB/9+R9jcRjTNqphJNYygqtmLDp8ZNUMmveF9RK3Q7D3GTDn4Ghxzg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-03-18T20:00:40Z"
+ mac: ENC[AES256_GCM,data:vtlITboaRa+1Y3YehJmxtcjSHU3sr5tgOUMQFaqKdel2O1XwHP2R66pPdXa5BIuGHSO4DJOMniIaE7BLsbwQETWELfhM3QORP1S12p+GWdf2tli50bMdlmNtHYBS5dUXEQpaA/csojYCpTvSbMFlZglGBUgNdgtjN+ivu7Q+oTE=,iv:v4skQ5lMKKtLeltwiPsmCYH0F8E2y5HlXio23aXugQs=,tag:i0eWvwG0J5fv0r+6e0zsvw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4