From 17834b3aa7bf516cbc03ba28af5612fbc46af60c Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sat, 28 Feb 2026 12:36:20 +0000
Subject: [PATCH] update: rotate SSH access via cloud-init secret
Inject SSH public key through Terraform/cloud-init from Gitea secret so access can be rotated without rebuilding the template image.
---
 .gitea/workflows/terraform-apply.yml | 1 +
 .gitea/workflows/terraform-plan.yml | 1 +
 nixos/template-base/configuration.nix | 4 +---
 terraform/cloud-init.tf | 5 +++--
 terraform/files/cloud_init_global.tpl | 5 +++++
 terraform/variables.tf | 5 +++++
 6 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml
index dbd7c00..cd3f59c 100644
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -23,6 +23,7 @@ jobs:
 run: |
 cat > secrets.auto.tfvars << EOF
 pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
+ SSH_KEY_PUBLIC = "${{ secrets.SSH_KEY_PUBLIC }}"
 EOF
 cat > backend.hcl << EOF
 bucket = "${{ secrets.B2_TF_BUCKET }}"
diff --git a/.gitea/workflows/terraform-plan.yml b/.gitea/workflows/terraform-plan.yml
index a213eda..d134347 100644
--- a/.gitea/workflows/terraform-plan.yml
+++ b/.gitea/workflows/terraform-plan.yml
@@ -25,6 +25,7 @@ jobs:
 echo "PM_API_TOKEN_SECRET length: $(echo -n '${{ secrets.PM_API_TOKEN_SECRET }}' | wc -c)"
 cat > secrets.auto.tfvars << EOF
 pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
+ SSH_KEY_PUBLIC = "${{ secrets.SSH_KEY_PUBLIC }}"
 EOF
 cat > backend.hcl << EOF
 bucket = "${{ secrets.B2_TF_BUCKET }}"
diff --git a/nixos/template-base/configuration.nix b/nixos/template-base/configuration.nix
index 7475bc4..d80c1a1 100644
--- a/nixos/template-base/configuration.nix
+++ b/nixos/template-base/configuration.nix
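Review bot: An unset or empty `SSH_KEY_PUBLIC` secret does not fail here: the added line then writes `SSH_KEY_PUBLIC = ""` into secrets.auto.tfvars, which Terraform accepts as a valid string, so plan and apply proceed and the VM comes up with no usable authorized key; the same line is added in terraform-plan.yml. The cheapest guard is a `validation` block on the variable in terraform/variables.tf so an empty or malformed key is rejected at plan time rather than discovered at first login. Separately, the heredoc delimiter is unquoted, so after the runner has substituted `${{ secrets.SSH_KEY_PUBLIC }}` the shell still performs `$`/backtick expansion on the key's comment field; `cat > secrets.auto.tfvars << 'EOF'` avoids that, since the `${{ }}` substitution happens before the shell sees the script. The `run:` step begins outside the hunk.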
@@ -31,10 +31,8 @@
 extraGroups = [ "wheel" ];
 shell = pkgs.fish;
 openssh.authorizedKeys.keys = [
- "ssh-rsa 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"
+ "REPLACE_WITH_SINGLE_LINE_PUBLIC_KEY"
 ];
- # optional while testing noVNC login:
- # initialPassword = "changeme123";
 };
 security.sudo.wheelNeedsPassword = false;
diff --git a/terraform/cloud-init.tf b/terraform/cloud-init.tf
index 7d55fa0..2750576 100644
--- a/terraform/cloud-init.tf
+++ b/terraform/cloud-init.tf
@@ -2,8 +2,9 @@ data "template_file" "cloud_init_global" {
 template = file("${path.module}/files/cloud_init_global.tpl")
 vars = {
- hostname = "generic"
- domain = "home.arpa"
+ hostname = "generic"
+ domain = "home.arpa"
+ SSH_KEY_PUBLIC = var.SSH_KEY_PUBLIC
 }
 }
diff --git a/terraform/files/cloud_init_global.tpl b/terraform/files/cloud_init_global.tpl
index 0d9a2ac..91f161a 100644
--- a/terraform/files/cloud_init_global.tpl
+++ b/terraform/files/cloud_init_global.tpl
@@ -8,3 +8,8 @@ resolv_conf:
 preserve_hostname: false
 fqdn: ${hostname}.${domain}
+
+users:
+ - name: micqdf
+ ssh_authorized_keys:
+ - ${SSH_KEY_PUBLIC}
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 6f94768..e805ebe 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -66,3 +66,8 @@ variable "llama_vm_count" {
 default = 1
 description = "How many Llama VMs to create"
 }
+
+variable "SSH_KEY_PUBLIC" {
+ type = string
+ description = "Public SSH key injected via cloud-init"
+}
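Review bot: The new `"REPLACE_WITH_SINGLE_LINE_PUBLIC_KEY"` entry is not something sshd can parse, so the baked template effectively ships with an empty authorized_keys, which matches the commit's intent, but a placeholder that reads as "edit me" invites someone to paste a key back into the image and undo the rotation story. Prefer `openssh.authorizedKeys.keys = [ ];` with a comment such as `# No baked-in key: per-VM keys are injected by cloud-init (terraform/files/cloud_init_global.tpl)`. The enclosing user attribute set starts outside the hunk, so I cannot confirm this NixOS user is the same `micqdf` that the cloud-init template targets; if it is not, the cloud-init entry would create a separate account rather than key this one.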
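Review bot: `- ${SSH_KEY_PUBLIC}` is emitted as an unquoted YAML scalar, so a key whose comment field contains ` #` or `: ` would truncate or break the cloud-config, and an empty value yields a null list entry; quoting it, `- "${SSH_KEY_PUBLIC}"`, keeps the whole line as one string (OpenSSH public key lines contain no double quotes). If this cloud-config is consumed by the NixOS template, note that NixOS manages users declaratively while cloud-init's `users:` module creates or modifies `micqdf` imperatively, and whether that survives a rebuild depends on `users.mutableUsers`, which is not visible here; a comment on the `users:` block stating the expected interaction would help the next reader.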
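Review bot: The new variable accepts any string, including the empty string the workflows write when the Gitea secret is missing, so a bad or absent key is only discovered when SSH to the VM fails. A `validation` block rejecting anything that does not look like a single OpenSSH public key line, plus `nullable = false`, moves that failure to `terraform plan`. Separately, `SSH_KEY_PUBLIC` breaks the lowercase snake_case used by the file's other variables (`llama_vm_count`, and `pm_api_token_secret` in the tfvars); renaming to `ssh_key_public` would need the matching change in both workflows and in terraform/cloud-init.tf.
```hcl
variable "SSH_KEY_PUBLIC" {
  type        = string
  nullable    = false
  description = "Single-line OpenSSH public key injected into the VM via cloud-init"

  # Fail at plan time instead of producing a VM nobody can log into.
  validation {
    condition     = can(regex("^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[^ ]+) [A-Za-z0-9+/=]+( .*)?$", var.SSH_KEY_PUBLIC))
    error_message = "SSH_KEY_PUBLIC must be one OpenSSH public key line (e.g. starting with ssh-ed25519 or ssh-rsa)."
  }
}
```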