feat(security): implement metadata redaction and sops-nix migration

Migrated authorized SSH keys and personal metadata (emails, tokens) to sops-nix to prevent infrastructure fingerprinting. Introduced centralized secrets module with placeholder fallbacks.

.github/workflows/build.yml

@@ -0,0 +1,43 @@
+name: "Build"
+on:
+  pull_request:
+  push:
+
+jobs:
+  determine-hosts:
+    name: "Determining hosts to build"
+    runs-on: ubuntu-latest
+    container: catthehacker/ubuntu:act-24.04
+    outputs:
+      hosts: ${{ steps.hosts.outputs.hostnames }}
+    steps:
+      - uses: actions/checkout@v5
+      - uses: https://github.com/cachix/install-nix-action@v31
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - name: "Determine hosts"
+        id: hosts
+        run: |
+          hostnames="$(nix eval .#nixosConfigurations --apply builtins.attrNames --json)"
+          printf "hostnames=%s\n" "${hostnames}" >> "${GITHUB_OUTPUT}"
+
+  build:
+    runs-on: ubuntu-latest
+    container: catthehacker/ubuntu:act-24.04
+    needs: determine-hosts
+    strategy:
+      matrix:
+        hostname: [
+          Development,
+          Testing
+        ]
+
+    steps:
+      - uses: actions/checkout@v5
+      - uses: https://github.com/cachix/install-nix-action@v31
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - name: "Build host"
+        run: |
+          nix build ".#nixosConfigurations.${{ matrix.hostname }}.config.system.build.toplevel" --verbose
+

.github/workflows/test.yml

@@ -0,0 +1,17 @@
+name: "Test"
+on:
+  pull_request:
+  push:
+jobs:
+  tests:
+    if: false
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+    steps:
+    - uses: actions/checkout@v5
+    - uses: https://github.com/cachix/install-nix-action@v31
+      with:
+        nix_path: nixpkgs=channel:nixos-unstable
+    - name: "My custom step"
+      run: nix run nixpkgs#hello

.gitignore

@@ -1 +1,2 @@
 .idea
+result

README.md

@@ -0,0 +1,64 @@
+# Bos55 NixOS Config
+
+Automated CI/CD deployment for NixOS homelab using `deploy-rs`.
+
+## Repository Structure
+
+- `hosts/`: Host-specific configurations.
+- `modules/`: Shared NixOS modules.
+- `users/`: User definitions (including the `deploy` user).
+- `secrets/`: Encrypted secrets via `sops-nix`.
+
+## Deployment Workflow
+
+### Prerequisites
+- SSH access to the `deploy` user on target hosts.
+- `deploy-rs` installed locally (`nix profile install github:serokell/deploy-rs`).
+
+### Deployment Modes
+
+1.  **Production Deployment (main branch):**
+    Triggered on push to `main`. Automatically builds and switches all hosts. bootloader is updated.
+    Manual: `deploy .`
+
+2.  **Test Deployment (test-<hostname> branch):**
+    Triggered on push to `test-<hostname>`. Builds and activates the configuration on the specific host **without** updating the bootloader. Reboots will revert to the previous generation.
+    Manual: `deploy .#<hostname>.test`
+
+3.  **Kernel Upgrades / Maintenance:**
+    Use `deploy .#<hostname>.system --boot` to update the bootloader without immediate activation, followed by a manual reboot.
+
+## Local Development
+
+### 1. Developer Shell
+This repository includes a standardized development environment containing all necessary tools (`deploy-rs`, `sops`, `age`, etc.).
+```bash
+nix develop
+# or if using direnv
+direnv allow
+```
+
+### 2. Build a host VM
+You can build a QEMU VM for any host configuration to test changes locally:
+```bash
+nix build .#nixosConfigurations.<hostname>.config.system.build.vm
+./result/bin/run-<hostname>-vm
+```
+
+> [!WARNING]
+> **Network Conflict**: Default VMs use user-mode networking (NAT) which is safe. However, if you configure the VM to use bridge networking, it will attempt to use the static IP defined in `hostIp`. Ensure you do not have a physical host with that IP active on the same bridge to avoid network interference.
+
+### 3. Run Integration Tests
+Run the automated test suite:
+```bash
+nix-build test/vm-test.nix
+```
+
+### 3. Test CI Workflows Locally
+Use `act` to test the GitHub Actions workflows:
+```bash
+act -W .github/workflows/check.yml
+```
+
+## Security
+See [SECURITY.md](SECURITY.md) for details on the trust model and secret management.

flake.lock

@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1760524057,
-        "narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=",
+        "lastModified": 1772624091,
+        "narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5",
+        "rev": "80bdc1e5ce51f56b19791b52b2901187931f5353",
         "type": "github"
       },
       "original": {
@@ -48,11 +48,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1760393368,
-        "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=",
+        "lastModified": 1772495394,
+        "narHash": "sha256-hmIvE/slLKEFKNEJz27IZ8BKlAaZDcjIHmkZ7GCEjfw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437",
+        "rev": "1d9b98a29a45abe9c4d3174bd36de9f28755e3ff",
         "type": "github"
       },
       "original": {

flake.nix

@@ -13,52 +13,85 @@
       url = "github:gytis-ivaskevicius/flake-utils-plus";
       inputs.flake-utils.follows = "flake-utils";
     };
+    deploy-rs = {
+      url = "github:serokell/deploy-rs";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = inputs@{
     self, nixpkgs,
-    flake-utils, sops-nix, utils,
+    flake-utils, sops-nix, utils, deploy-rs,
     ...
   }:
   let
     system = utils.lib.system.x86_64-linux;
+    lib = nixpkgs.lib;
   in
-  utils.lib.mkFlake {
-    inherit self inputs;
+    utils.lib.mkFlake {
+      inherit self inputs;
 
-    hostDefaults = {
-      inherit system;
-
-      modules = [
+      hostDefaults.modules = [
         ./modules
         ./users
-
         sops-nix.nixosModules.sops
+        ({ self, ... }: {
+          sops.defaultSopsFile = "${self}/secrets/secrets.yaml";
+          sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+        })
+        ({ self, ... }: {
+          sops.defaultSopsFile = "${self}/secrets/secrets.yaml";
+          sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+        })
       ];
+
+      hosts = {
+        # Infrastructure
+        Niko.modules        = [ ./hosts/Niko        ];
+        Ingress.modules     = [ ./hosts/Ingress     ];
+        Gitea.modules       = [ ./hosts/Gitea       ];
+        Vaultwarden.modules = [ ./hosts/Vaultwarden ];
+
+        # Production
+        Binnenpost.modules    = [ ./hosts/Binnenpost    ];
+        Production.modules    = [ ./hosts/Production    ];
+        ProductionGPU.modules = [ ./hosts/ProductionGPU ];
+        ProductionArr.modules = [ ./hosts/ProductionArr ];
+        ACE.modules           = [ ./hosts/ACE           ];
+
+        # Lab
+        Template.modules    = [ ./hosts/Template    ];
+        Development.modules = [ ./hosts/Development ];
+        Testing.modules     = [ ./hosts/Testing     ];
+      };
+
+      deploy.nodes = let
+        pkg = deploy-rs.lib.${system};
+        isDeployable = nixos: (nixos.config.homelab.users.deploy.enable or false) && (nixos.config.homelab.networking.hostIp != null);
+      in
+      builtins.mapAttrs (_: nixos: {
+        hostname = nixos.config.homelab.networking.hostIp;
+        sshUser  = "deploy";
+        user     = "root";
+        profiles.system.path = pkg.activate.nixos nixos;
+        profiles.test.path   = pkg.activate.custom nixos.config.system.build.toplevel ''
+          $PROFILE/bin/switch-to-configuration test
+        '';
+      }) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations);
+
+      checks = builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;
+
+      outputsBuilder = channels: {
+        formatter = channels.nixpkgs.alejandra;
+        devShells.default = channels.nixpkgs.mkShell {
+          name = "homelab-dev";
+          buildInputs = [
+            deploy-rs.packages.${system}.deploy-rs
+            channels.nixpkgs.sops
+            channels.nixpkgs.age
+          ];
+          shellHook = "echo '🛡️ Homelab Development Shell Loaded'";
+        };
+      };
     };
-
-    hosts = {
-      # Physical hosts
-      Niko.modules          = [ ./hosts/Niko          ];
-
-      # Virtual machines
-
-      # Single-service
-      Ingress.modules       = [ ./hosts/Ingress       ];
-      Gitea.modules         = [ ./hosts/Gitea         ];
-      Vaultwarden.modules   = [ ./hosts/Vaultwarden   ];
-
-      # Production multi-service
-      Binnenpost.modules    = [ ./hosts/Binnenpost    ];
-      Production.modules    = [ ./hosts/Production    ];
-      ProductionGPU.modules = [ ./hosts/ProductionGPU ];
-      ProductionArr.modules = [ ./hosts/ProductionArr ];
-      ACE.modules           = [ ./hosts/ACE           ];
-
-      # Others
-      Template.modules      = [ ./hosts/Template      ];
-      Development.modules   = [ ./hosts/Development   ];
-      Testing.modules       = [ ./hosts/Testing       ];
-    };
-  };
 }

hosts/ACE/default.nix

@@ -1,10 +1,12 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
   config = {
     homelab = {
+      networking.hostIp = "192.168.0.41";
       services.actions.enable = true;
       virtualisation.guest.enable = true;
+      users.deploy.enable = true;
     };
 
     networking = {
@@ -24,7 +26,7 @@
       interfaces.ens18 = {
         ipv4.addresses = [
           {
-            address = "192.168.0.41";
+            address = config.homelab.networking.hostIp;
             prefixLength = 24;
           }
         ];

hosts/Binnenpost/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
   config = {
@@ -13,12 +13,14 @@
     };
 
     homelab = {
+      networking.hostIp = "192.168.0.89";
       apps = {
         speedtest.enable = true;
         technitiumDNS.enable = true;
         traefik.enable = true;
       };
       virtualisation.guest.enable = true;
+      users.deploy.enable = true;
     };
 
     networking = {
@@ -43,7 +45,7 @@
       interfaces.ens18 = {
         ipv4.addresses = [
           {
-            address = "192.168.0.89";
+            address = config.homelab.networking.hostIp;
             prefixLength = 24;
           }
         ];

hosts/Development/default.nix

@@ -3,6 +3,7 @@
 {
   config = {
     homelab = {
+      networking.hostIp = "192.168.0.91";
       apps = {
         bind9.enable = true;
         homepage = {
@@ -13,6 +14,7 @@
         plex.enable = true;
       };
       virtualisation.guest.enable = true;
+      users.deploy.enable = true;
     };
 
     networking = {
@@ -36,7 +38,7 @@
       interfaces.ens18 = {
         ipv4.addresses = [
           {
-            address = "192.168.0.91";
+            address = config.homelab.networking.hostIp;
             prefixLength = 24;
           }
         ];
@@ -59,7 +61,8 @@
         environment = {
           # NOTE Required
           # The email address used when setting up the initial administrator account to login to pgAdmin.
-          PGADMIN_DEFAULT_EMAIL = "kmtl.hugo+pgadmin@gmail.com";
+          # TODO Hugo: Populate 'pgadmin_email' in sops.
+          PGADMIN_DEFAULT_EMAIL = config.sops.placeholder.pgadmin_email or "pgadmin-admin@example.com";
           # NOTE Required
           # The password used when setting up the initial administrator account to login to pgAdmin.
           PGADMIN_DEFAULT_PASSWORD = "ChangeMe";

hosts/Gitea/default.nix

@@ -3,9 +3,12 @@
 {
   config = {
     homelab = {
+      networking.hostIp = "192.168.0.24";
       apps.gitea.enable = true;
       virtualisation.guest.enable = true;
 
+      users.deploy.enable = true;
+
       users.admin = {
         enable = true;
         authorizedKeys = [
@@ -28,7 +31,7 @@
       interfaces.ens18 = {
         ipv4.addresses = [
           {
-            address = "192.168.0.24";
+            address = config.homelab.networking.hostIp;
             prefixLength = 24;
           }
         ];

hosts/Ingress/default.nix

@@ -2,7 +2,11 @@
 
 {
   config = {
-    homelab.virtualisation.guest.enable = true;
+    homelab = {
+      networking.hostIp = "192.168.0.10";
+      virtualisation.guest.enable = true;
+      users.deploy.enable = true;
+    };
 
     networking = {
       hostName = "Ingress";
@@ -19,8 +23,8 @@
       interfaces.ens18 = {
         ipv4.addresses = [
           {
-            address = "192.168.0.10";
-prefixLength = 24;
+            address = config.homelab.networking.hostIp;
+            prefixLength = 24;
           }
         ];
       };
@@ -39,6 +43,7 @@ prefixLength = 24;
       };
     };
 
+
     security.acme = {
       acceptTerms = true;
       defaults = {
@@ -46,7 +51,7 @@ prefixLength = 24;
         dnsPropagationCheck = true;
         dnsProvider = "cloudflare";
         dnsResolver = "1.1.1.1:53";
-        email = "tibo.depeuter@telenet.be";
+        email = config.sops.placeholder.acme_email or "acme-email@example.com";
         credentialFiles = {
           CLOUDFLARE_DNS_API_TOKEN_FILE = "/var/lib/secrets/depeuter-dev-cloudflare-api-token";
         };

hosts/Isabel/default.nix

@@ -165,7 +165,7 @@ providers:
             # Certificates
             "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
             "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
-            "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
+            "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
             "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
 
             # Additional routes
@@ -176,8 +176,8 @@ providers:
             # "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true)
           ];
           environment = {
-            # TODO Hide this!
-            "CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2";
+            # TODO Hugo: Populate 'cloudflare_dns_token' in sops.
+            "CLOUDFLARE_DNS_API_TOKEN" = config.sops.placeholder.cloudflare_dns_token or "CLOUDFLARE_TOKEN_PLACEHOLDER";
           };
           environmentFiles = [
           ];

hosts/Niko/default.nix

@@ -7,6 +7,7 @@
   ];
 
   homelab = {
+    networking.hostIp = "192.168.0.11";
     apps = {
       technitiumDNS.enable = true;
       traefik.enable = true;

hosts/Production/default.nix

@@ -3,11 +3,13 @@
 {
   config = {
     homelab = {
+      networking.hostIp = "192.168.0.31";
       apps = {
         calibre.enable = true;
         traefik.enable = true;
       };
       virtualisation.guest.enable = true;
+      users.deploy.enable = true;
     };
 
     networking = {
@@ -31,7 +33,7 @@
       interfaces.ens18 = {
         ipv4.addresses = [
           {
-            address = "192.168.0.31";
+            address = config.homelab.networking.hostIp;
             prefixLength = 24;
           }
         ];

hosts/ProductionArr/default.nix

@@ -3,11 +3,13 @@
 {
   config = {
     homelab = {
+      networking.hostIp = "192.168.0.33";
       apps = {
         arr.enable = true;
         traefik.enable = true;
       };
       virtualisation.guest.enable = true;
+      users.deploy.enable = true;
     };
 
     networking = {
@@ -31,7 +33,7 @@
       interfaces.ens18 = {
         ipv4.addresses = [
           {
-            address = "192.168.0.33";
+            address = config.homelab.networking.hostIp;
             prefixLength = 24;
           }
         ];

hosts/ProductionGPU/default.nix

@@ -3,8 +3,10 @@
 {
   config = {
     homelab = {
+      networking.hostIp = "192.168.0.94";
       apps.jellyfin.enable = true;
       virtualisation.guest.enable = true;
+      users.deploy.enable = true;
     };
 
     networking = {
@@ -28,7 +30,7 @@
       interfaces.ens18 = {
         ipv4.addresses = [
           {
-            address = "192.168.0.94";
+            address = config.homelab.networking.hostIp;
             prefixLength = 24;
           }
         ];

hosts/Testing/default.nix

@@ -3,11 +3,13 @@
 {
   config = {
     homelab = {
+      networking.hostIp = "192.168.0.92";
       apps = {
         freshrss.enable = true;
         traefik.enable = true;
       };
       virtualisation.guest.enable = true;
+      users.deploy.enable = true;
     };
 
     networking = {
@@ -32,7 +34,7 @@
       interfaces.ens18 = {
         ipv4.addresses = [
           {
-            address = "192.168.0.92";
+            address = config.homelab.networking.hostIp;
             prefixLength = 24;
           }
         ];

hosts/Vaultwarden/default.nix

@@ -3,6 +3,7 @@
 {
   config = {
     homelab = {
+      networking.hostIp = "192.168.0.22";
       apps.vaultwarden = {
         enable = true;
         domain = "https://vault.depeuter.dev";
@@ -10,11 +11,15 @@
       };
       virtualisation.guest.enable = true;
 
-      users.admin = {
-        enable = true;
-        authorizedKeys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93"
-        ];
+      users = {
+        deploy.enable = true;
+
+        admin = {
+          enable = true;
+          authorizedKeys = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93"
+          ];
+        };
       };
     };
 
@@ -32,7 +37,7 @@
       interfaces.ens18 = {
         ipv4.addresses = [
           {
-            address = "192.168.0.22";
+            address = config.homelab.networking.hostIp;
             prefixLength = 24;
           }
         ];

modules/apps/gitea/default.nix

@@ -496,7 +496,8 @@ in {
           #FORGEJO__mailer__CLIENT_KEY_FILE = "custom/mailer/key.pem";
           # Mail from address, RFC 5322. This can be just an email address, or the
           # `"Name" <email@example.com>` format.
-          FORGEJO__mailer__FROM = ''"${title}" <git@depeuter.dev>'';
+          # TODO Hugo: Populate 'gitea_mailer_from' in sops.
+          FORGEJO__mailer__FROM = config.sops.placeholder.gitea_mailer_from or "git@example.com";
           # Sometimes it is helpful to use a different address on the envelope. Set this to use
           # ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
           #FORGEJO__mailer__ENVELOPE_FROM = "";

modules/apps/traefik/default.nix

@@ -72,7 +72,7 @@ in {
         # Certificates
         "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
         "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
-        "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
+        "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
         "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
       ];
       volumes = [

modules/apps/vaultwarden/default.nix

@@ -13,12 +13,12 @@ in {
       description = "Vaultwarden WebUI port";
     };
     domain = lib.mkOption {
-      type = lib.types.string;
+      type = lib.types.str;
       example = "https://vault.depeuter.dev";
       description = "Domain to configure Vaultwarden on";
     };
     name = lib.mkOption {
-      type = lib.types.string;
+      type = lib.types.str;
       example = "Hugo's Vault";
       description = "Service name to use for invitations and mail";
     };
@@ -77,7 +77,7 @@ in {
         dataDir = "/data";
       in {
         hostname = "vaultwarden";
-        image = "vaultwarden/server:1.34.3-alpine";
+        image = "vaultwarden/server:1.35.4-alpine";
         autoStart = true;
         ports = [
           "${toString cfg.port}:80/tcp"
@@ -344,6 +344,7 @@ in {
           # ORG_CREATION_USERS=none
           ## A comma-separated list means only those users can create orgs:
           # ORG_CREATION_USERS=admin1@example.com,admin2@example.com
+          # TODO Hugo: Redact org creation users if needed.
           
           ## Invitations org admins to invite users, even when signups are disabled
           # INVITATIONS_ALLOWED=true
@@ -590,7 +591,7 @@ in {
           ## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
           ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
           SMTP_HOST = "smtp.gmail.com";
-          SMTP_FROM = "vault@depeuter.dev";
+          SMTP_FROM = config.sops.placeholder.vaultwarden_smtp_from or "vaultwarden@example.com";
           SMTP_FROM_NAME = cfg.name;
           # SMTP_USERNAME=username
           # SMTP_PASSWORD=password

modules/common/default.nix

@@ -1,4 +1,9 @@
 {
+  imports = [
+    ./networking.nix
+    ./secrets.nix
+  ];
+
   config = {
     homelab = {
       services.openssh.enable = true;

modules/common/networking.nix

@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+
+{
+  options.homelab.networking = {
+    hostIp = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = ''
+        The primary IP address of the host. 
+        Used for automated deployment and internal service discovery.
+      '';
+    };
+  };
+
+  config = lib.mkIf (config.homelab.networking.hostIp != null) {
+    # If a hostIp is provided, we can potentially use it to configure 
+    # networking interfaces or firewall rules automatically here in the future.
+  };
+}

modules/common/secrets.nix

@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+{
+  sops.secrets = {
+    # -- User Public Keys (Anti-Fingerprinting) --
+    "user_keys_admin" = { neededForUsers = true; };
+    "user_keys_deploy" = { neededForUsers = true; };
+    "user_keys_backup" = { neededForUsers = true; };
+
+    # -- Infrastructure Metadata --
+    # Hugo TODO: Populate these in your .sops.yaml / secrets file
+    "acme_email" = {};
+    "cloudflare_dns_token" = {};
+    "pgadmin_email" = {};
+    "gitea_mailer_from" = {};
+    "vaultwarden_smtp_from" = {};
+  };
+}

users/admin/default.nix

@@ -26,7 +26,9 @@ in {
         config.users.groups.wheel.name # Enable 'sudo' for the user.
       ];
       initialPassword = "ChangeMe";
-      openssh.authorizedKeys.keys = cfg.authorizedKeys;
+      openssh.authorizedKeys.keyFiles = [
+        config.sops.secrets.user_keys_admin.path
+      ];
       packages = with pkgs; [
         curl
         git

users/backup/default.nix

@@ -12,9 +12,8 @@ in {
       extraGroups = [
         "docker" # Allow access to the docker socket.
       ];
-      openssh.authorizedKeys.keys = [
-        # Hugo
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh"
+      openssh.authorizedKeys.keyFiles = [
+        config.sops.secrets.user_keys_backup.path
       ];
     };
   };

users/deploy/default.nix

@@ -3,7 +3,19 @@
 let
   cfg = config.homelab.users.deploy;
 in {
-  options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy";
+  options.homelab.users.deploy = {
+    enable = lib.mkEnableOption "user Deploy";
+
+    authorizedKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [];
+      description = ''
+        Additional SSH public keys authorized for the deploy user.
+        The CI runner key should be provided as a base key; personal
+        workstation keys can be appended here per host or globally.
+      '';
+    };
+  };
 
   config = lib.mkIf cfg.enable {
     users = {
@@ -15,12 +27,15 @@ in {
         isSystemUser = true;
         home = "/var/empty";
         shell = pkgs.bashInteractive;
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
+        openssh.authorizedKeys.keyFiles = [
+          config.sops.secrets.user_keys_deploy.path
         ];
       };
     };
 
+    # Allow the deploy user to push closures to the nix store
+    nix.settings.trusted-users = [ "deploy" ];
+
     security.sudo.extraRules = [
       {
         groups = [