author | Mark Nipper <nipsy@bitgnome.net> | 2025-03-18 12:42:23 -0700 |
---|---|---|
committer | Mark Nipper <nipsy@bitgnome.net> | 2025-03-18 12:42:23 -0700 |
commit | e3904e2674c4c152497ffb8673e5d3dbfa881dcb (patch) | |
tree | f407df64dbd6ae67d1df3e5dfa415605852ff377 | |
parent | 43439e5e6db8b66c502af333767de0e930387840 (diff) | |
Add SSH configuration for root@ginaz
-rw-r--r-- | .sops.yaml | 5 | ||||
-rwxr-xr-x | home/common/scripts/knock | 50 | ||||
-rw-r--r-- | home/root/ginaz.nix | 17 | ||||
-rw-r--r-- | home/root/secrets/ginaz.yaml | 30 |
4 files changed, 102 insertions, 0 deletions
@@ -35,6 +35,11 @@ creation_rules: - age: - *arrakis - *nipsy + - path_regex: ^home/root/secrets/ginaz.yaml$ + key_groups: + - age: + - *ginaz + - *nipsy - path_regex: ^hosts/secrets/arrakis.yaml$ key_groups: - age: diff --git a/home/common/scripts/knock b/home/common/scripts/knock new file mode 100755 index 0000000..fdff4ca --- /dev/null +++ b/home/common/scripts/knock @@ -0,0 +1,50 @@ +#!/usr/bin/env zsh + +# load module to parse command line arguments +zmodload zsh/zutil +zparseopts -D -E -A opts -- h x + +# load module to avoid use of GNU sleep +zmodload zsh/zselect + +# enable XTRACE shell option for full debugging output of scripts +if (( ${+opts[-x]} )); then + set -x +fi + +if [[ -z "${2}" ]] || (( ${+opts[-h]} )); then + echo "usage: ${0:t} [ -h ] [ -x ] host port [ knock_port ] .." >&2 + echo -e '\n\t-h\tshow this help\n\t-x\tenable shell debugging' >&2 + echo -e '\thost\tdestination host name' >&2 + echo -e '\tport\tdestination service port\n' >&2 + echo -e 'Specifying no knock_port(s) will use 12345 23456 34567 45678 by default.\n' >&2 + exit 1 +fi + +host="${1}" +port="${2}" +shift 2 +knock_ports="${@:-12345 23456 34567 45678}" +attempts=1 + +function check_service_port { + if nc -w1 ${host} ${port} &> /dev/null <& -; then + exit 0 + fi +} + +#check_service_port + +while [[ ${attempts} -lt 9 ]]; do + + for knock_port in ${=knock_ports}; do + nc -w1 ${host} ${knock_port} &> /dev/null <& - & + zselect -t ${attempts}0 + done + + check_service_port + ((attempts+=1)) + +done + +exit 1 diff --git a/home/root/ginaz.nix b/home/root/ginaz.nix index 72dbda0..4675184 100644 --- a/home/root/ginaz.nix +++ b/home/root/ginaz.nix @@ -1,5 +1,12 @@ { inputs, lib, pkgs, config, outputs, ... }: { + + home = { + file = { + "bin/knock".source = ../common/scripts/knock; + }; + }; + imports = [ common/core ]; 
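Review bot: The default knock sequence `12345 23456 34567 45678` in the `knock_ports` assignment is committed in cleartext and repeated in the usage text, while the SSH configuration it gates is kept sops-encrypted in this same commit; if the sequence is meant to stay private, drop the default (or source it from an environment variable populated from a secret) and make the `knock_port` arguments mandatory instead of documenting them in `--help`. Independently, nothing checks that `port` or the knock ports are numeric before they reach `nc`, so a swapped host/port silently burns all eight rounds and exits 1 without a message; a guard before the `while` loop such as `for p in ${port} ${=knock_ports}; do [[ ${p} == <1-65535> ]] || { echo "${0:t}: bad port ${p}" >&2; exit 1; }; done` fails fast. The script has no header comment describing the mechanism; a line like `# TCP-knock host on each knock_port in order, then probe port; up to 8 rounds with a growing delay (zselect -t counts hundredths of a second, so ${attempts}0 is 0.1s..0.8s)` would spare the next reader a trip to the zsh manual. The backgrounded knock `nc` invocations are deliberately not waited on; a short comment saying so would stop someone "fixing" it by removing the trailing `&`, which would serialise each knock behind its 1-second `-w1` timeout.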
@@ -7,4 +14,14 @@ nix.extraOptions = '' !include /run/secrets/nix-access-token-github ''; + + sops = { + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = ./secrets/ginaz.yaml; + + secrets = { + "ssh_config" = { + path = "/root/.ssh/config"; + }; + }; } diff --git a/home/root/secrets/ginaz.yaml b/home/root/secrets/ginaz.yaml new file mode 100644 index 0000000..34d4d03 --- /dev/null +++ b/home/root/secrets/ginaz.yaml 
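Review bot: The secret's `path = "/root/.ssh/config";` hard-codes the home directory inside a home-manager module that already knows the user's home; `path = "${config.home.homeDirectory}/.ssh/config";` keeps the definition correct if root's home is ever relocated and mirrors how `"bin/knock"` is expressed relative to home in the earlier hunk of this file. Because decryption is keyed on `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`, anyone able to read the host key can recover this SSH config; that is the right trust boundary for root's own home, but it deserves a one-line comment such as `# decrypted with the host key: same trust boundary as /etc/ssh/ssh_host_ed25519_key itself`. OpenSSH refuses a `~/.ssh/config` that is owned by someone else or writable by group/other, and sops-nix's default file mode should satisfy that, but if the mode matters it is clearer to pin it with `mode = "0400";` than to rely on the default. Whether the sops-nix home-manager module is imported is not visible here, and the enclosing attribute set opens in the first hunk of this file rather than in this one.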
@@ -0,0 +1,30 @@ +ssh_config: ENC[AES256_GCM,data:guy6byi4DR1knoTe+/tDxP3HdSEJI+R1Io2O7LpgVffgo6Xc2hCz6ehZY1AD2F36OpDRdRz8midFoMDwKieY/LcQ5tZWVaEKDNk4Xy+v0Ac4AJGYyJyWh9J7CWydC4kc1R2ZUkA8Vclx5WcxG91Sg7M+xVEgzLip7Pa3BIESP0Zpd8iAMrafurQLBIU5i3TB0qt3OjSG+6nrST0zB7anmoDZ4bOHtiM+ymgULv9A40TAVpL1V2xqPTOZiwIUsUXb7NpVSSrFHTWJQhv3/czmTa7supOm1aEWrbdJUlTJ+ET0+RimzlPExduoEnLpcc4qaTjTXE2wiMrsiUB5SrlLQ0lN5LL4/G6CLPi4/+GYnxytnh+Rg9cYLRY6TiFf/3k88Ra/eaQTEEXHafNbJ230PKNXMDepx0H+494f03y9ZMOljmLM7FYjRslfPTD2+Hr4z8Lixw30UZRullot2/Dxjy0DpXnBXZ1d4zp/xKwaOA==,iv:zlvCTpmVtUlBDNgpTgxizAEH8CBTDxGqWBpDI1nqEqA=,tag:IBK6THL0lsJo35HZ0m4ipw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1900zc5caephklavvjxp0g4qqvyqlzg3sux69y9p092g3d3qck3kqz62reh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISkRGZ3BnYWRYT2wyWUl5 + ZGRQaHkxeE9mZnhJVEErbEFSNEpNV0g0ZkRVCjMwQUpmdW41TGM5d0VhSStQV1lL + Z0hGNzF5RHBuNE5KRTB1Z2RDYjJ5dFkKLS0tIFFtckdaaWRKbVcyYXZKYTduRGk0 + bDhMWTlPamF3L3hOWXZ4VnIycElNT1UKFN/prKIBGlCt5FWcwgGZ7SbjlxNzqtuL + N/ZxxojVpkQYhjfSQ3escw5CfuCaFshneycuxFwlIKYPNfVj3/PJbg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeTlIK3dEQXBZRWhtMDNy + Kzl4cE9USFBqR2llaDdKNGRaZHY0eDVSL21JCm1NeTZPSVVkNmNDdDVlRy9kQ3JC + L2kvbmFidzJQZHNTeFFUN3BLdEJxYXMKLS0tIFJQcFBCYzFvcFhoK1RiNzczcFNS + OGNEN3NNSHMxd2JBUDZGNnBON1FNYUkKhdDRVtSp1hJLHJEptwbZHIN6WGFjLkMx + SPC0i32atDGFK/IkBdwfhx1t5pecGw19EU+QDOJqe90nQ/mJcjW4zg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-18T19:32:02Z" + mac: ENC[AES256_GCM,data:T+4VQgtnIkX2ZnzeM8mZfSn5ioUdtgvwaC8Xf4mXNi0A0UD0AkXBpQlhnhE8xLj3I2bka/Y007JsTr1d4M5ysEm2FHLfyGDGw91ME9voXGrekOY1sYsZisCXfFFbyL/7/ReRcLOgOHMZwxzcfMoEzg6f132bMhApBQZn+hvwpmw=,iv:HCpS8t3Vqx9ITBUElAIKBh/c5VjPK6Yrh6XrgJJvBrY=,tag:UBjKoWoibm5yb5NkmaLdHg==,type:str] + 
pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 |