diff options
| author | EuAndreh <eu@euandre.org> | 2020-11-16 22:10:25 -0300 |
|---|---|---|
| committer | EuAndreh <eu@euandre.org> | 2020-11-16 22:26:54 -0300 |
| commit | 1bf3861318f9cc362384722d4f312f3dd439c749 (patch) | |
| tree | 2f06c18b3ede05a935cdbc55787941ee6fe42179 /.envrc | |
| parent | Fix tests.sh (diff) | |
| download | toph-1bf3861318f9cc362384722d4f312f3dd439c749.tar.gz toph-1bf3861318f9cc362384722d4f312f3dd439c749.tar.xz | |
Add base Guix configuration and start switching to it
- remove NixOS stateVersion from .envrc;
- add guix-reconfigure.sh;
- add vps.scm with initial Guix system configuration;
- update vps.tf to use the new "base-guix" snapshot.
The "base-guix" image doesn't need a password. The "andreh" users has one, but
it is configured for not requiring it when running commands as "sudo".
The expected minimal steps one has to go through for privilege scalation is via
the SSH private key, and accessing the VPS via SSH. Since password login is
disabled and root can't login via SSH either, only the private SSH key allows
access to the server. After that, the attacker will be able to run commands as
root.
Diffstat (limited to '.envrc')
| -rw-r--r-- | .envrc | 11 |
1 files changed, 5 insertions, 6 deletions
@@ -2,16 +2,15 @@ set -Eeuo pipefail # -# envsubst variables for: -# - envsubst-configuration.nix -export TLD='euandreh.xyz' -export SYSTEM_STATE_VERSION='20.03' +# envsubst +# +export TLD='arrobaponto.org' # # Terraform # export TF_VAR_tld="${TLD}" -export TF_VAR_hostname="sovereignty-nixos" -export TF_VAR_storage_name="sovereignty-nixos-storage" +export TF_VAR_hostname="sovereignty-guix-system" +export TF_VAR_storage_name="sovereignty-storage" TF_VAR_vultr_api_key="$(cat ./secrets/terraform/vultr-api-key.txt)" export TF_VAR_vultr_api_key |