-rw-r--r--flake/default.nix3
-rw-r--r--flake/nixosConfigurations/default.nix1
-rw-r--r--secrets/default.nix12
-rw-r--r--secrets/secrets.nix3
-rw-r--r--secrets/serverphone/ca.key19
-rw-r--r--secrets/serverphone/server.key17
-rw-r--r--system/services/default.nix1
-rw-r--r--system/services/serverphone/certificates/ca.crt10
-rw-r--r--system/services/serverphone/certificates/server.crt10
-rw-r--r--system/services/serverphone/default.nix36
l---------system/services/serverphone/keys/soispha_at_vhack.eu1
11 files changed, 111 insertions, 2 deletions
diff --git a/flake/default.nix b/flake/default.nix
index 87c82223..c6d3fa29 100644
--- a/flake/default.nix
+++ b/flake/default.nix
@@ -79,7 +79,7 @@
   ];
   defaultSpecialArgs = {
     nixpkgs-as-input = nixpkgs;
-    inherit templates sysLib;
+    inherit templates sysLib serverphone system;
   };
 in {
   nixosConfigurations = import ./nixosConfigurations {
@@ -113,6 +113,7 @@ in {
       impermanence
       home-manager
       agenix
+      serverphone
       ;
   };
   packages."${system}" = import ./packages {
diff --git a/flake/nixosConfigurations/default.nix b/flake/nixosConfigurations/default.nix
index 0c7ada1a..d8667673 100644
--- a/flake/nixosConfigurations/default.nix
+++ b/flake/nixosConfigurations/default.nix
@@ -24,6 +24,7 @@
   impermanence,
   home-manager,
   agenix,
+  serverphone,
   ...
 }: let
   generateHost = name: {
diff --git a/secrets/default.nix b/secrets/default.nix
index 4fdf3f5c..bdfdf34e 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -9,6 +9,18 @@ in {
         owner = "soispha";
         group = "users";
       };
+      serverphoneCa = {
+        file = ./serverphone/ca.key;
+        mode = "700";
+        owner = "root";
+        group = "root";
+      };
+      serverphoneServer = {
+        file = ./serverphone/server.key;
+        mode = "700";
+        owner = "root";
+        group = "root";
+      };
     };
   };
 }
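Review bot: Both new entries use `mode = "700"` with `owner = "root"`, but a private key file needs no execute bit, and this commit also creates a dedicated `serverphone` system user in system/services/serverphone/default.nix. If the service runs as that user (not visible in this diff), it cannot read a root-only file; if it runs as root, the new user is unused. Consider `mode = "0400";` with `owner = "serverphone"; group = "serverphone";` on both `serverphoneCa` and `serverphoneServer`, or add a comment saying why root ownership is intended.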
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f90315f1..5a1b2baf 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -6,6 +6,9 @@ let
 in {
   "nheko/tiamat".publicKeys = [soispha tiamat];
   "nheko/apzu".publicKeys = [soispha apzu];
+
+  "serverphone/ca.key".publicKeys = [soispha tiamat apzu];
+  "serverphone/server.key".publicKeys = [soispha tiamat apzu];
 }
 # vim: ts=2
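Review bot: `"serverphone/ca.key"` is encrypted to the same recipients as the server key, so every listed host key can decrypt the CA signing key. Compromise of any one of those hosts would then be enough to issue certificates that the others trust. If only one machine has to sign certificate requests, narrow the list for `"serverphone/ca.key".publicKeys` to the user key plus that one host. Otherwise add a comment recording that the CA key is shared deliberately.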
 
diff --git a/secrets/serverphone/ca.key b/secrets/serverphone/ca.key
new file mode 100644
index 00000000..07990738
--- /dev/null
+++ b/secrets/serverphone/ca.key
@@ -0,0 +1,19 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/serverphone/server.key b/secrets/serverphone/server.key
new file mode 100644
index 00000000..56733357
--- /dev/null
+++ b/secrets/serverphone/server.key
@@ -0,0 +1,17 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/system/services/default.nix b/system/services/default.nix
index d7505293..d90afaa7 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -6,6 +6,7 @@
     ./openssh
     ./printing
     ./scanning
+    ./serverphone
     ./snapper
     ./steam
     ./swaylock
diff --git a/system/services/serverphone/certificates/ca.crt b/system/services/serverphone/certificates/ca.crt
new file mode 100644
index 00000000..7a4ae6f9
--- /dev/null
+++ b/system/services/serverphone/certificates/ca.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----

+MIIBXDCCAQOgAwIBAgIIRQ2wXiaD5pMwCgYIKoZIzj0EAwIwGTEXMBUGA1UEAwwO

+U2VydmVycGhvbmUgQ0EwHhcNMjMwNjA2MTIzNzM3WhcNMzMwNjAzMTIzNzM3WjAZ

+MRcwFQYDVQQDDA5TZXJ2ZXJwaG9uZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEH

+A0IABDZMtz3liWniBedisStXDO2sxFCKBH239ezH7uADu8g5peGssmNu1rXEDrg1

+sFwVUjQeJAocYYNoUeHiVpODf1ejNTAzMB0GA1UdDgQWBBST5oMmXrANRbCLIQpN

+W7e5uSCL3DASBgNVHRMBAf8ECDAGAQH/AgEBMAoGCCqGSM49BAMCA0cAMEQCIFig

+xA3MvRNP4uXaUEWwdP1pYL/R8N46G4NZrPEfiNV4AiA+NJSTFRCOUqEsvSb7PTFx

+YuMuJF4XxWnmStz3ym7xXA==

+-----END CERTIFICATE-----

diff --git a/system/services/serverphone/certificates/server.crt b/system/services/serverphone/certificates/server.crt
new file mode 100644
index 00000000..f994cdc8
--- /dev/null
+++ b/system/services/serverphone/certificates/server.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----

+MIIBTjCB9KADAgECAgkAhKrdjsoiOrkwCgYIKoZIzj0EAwIwGTEXMBUGA1UEAwwO

+U2VydmVycGhvbmUgQ0EwHhcNMjMwNjA2MTIzOTIwWhcNMjQwNjA1MTIzOTIwWjAm

+MSQwIgYDVQQDDBtDbGllbnQgcnVubmluZyBvbiBsb2NhbGhvc3QwWTATBgcqhkjO

+PQIBBggqhkjOPQMBBwNCAAS1ILQo8ae8ydqFlt5RncUT7joQiozk6Omunb0vxVz5

+toJRDmVqc1s6KhpCTipUV5coTcaK1TBz0+fft+9VH7cwoxgwFjAUBgNVHREEDTAL

+gglsb2NhbGhvc3QwCgYIKoZIzj0EAwIDSQAwRgIhAN7ohtsBLrjlgmSe9ngovxZM

+z61n0+/7w2mtX/OrLMWIAiEAu+D2S2o0s7E9pp2Rkug8cT5T4GCWgFgEHk5x2L/E

+RVI=

+-----END CERTIFICATE-----

diff --git a/system/services/serverphone/default.nix b/system/services/serverphone/default.nix
index 6ad0fbdf..5b43f5ee 100644
--- a/system/services/serverphone/default.nix
+++ b/system/services/serverphone/default.nix
@@ -1,7 +1,41 @@
-{...}: {
+{
+  config,
+  serverphone,
+  system,
+  ...
+}: {
   services.serverphone = {
+    package = "${serverphone.packages.${system}.default}";
     enable = true;
+    domain = "localhost";
+    acceptedSshKeys = [
+      "AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME"
+    ];
+    authorized = {
+      acceptedGpgKeys = [
+        {
+          source = ./keys/soispha_at_vhack.eu;
+          trust = "ultimate";
+        }
+      ];
+    };
+    caCertificate = "certificates/ca.crt";
+    certificate = "certificates/server.crt";
+    privateKey = config.age.secrets.serverphoneServer.path;
+    certificateRequest = {
+      acceptedUsers = [
+        "soispha $argon2id$v=19$m=19456,t=2,p=1$EvhPENIBqL5b1RO5waNMWA$pJ
+8vDrCNJKDlqwB5bVDLjHVPEXm9McQhtt9OXSD8Zkc"
+      ];
+      caPrivateKey = config.age.secrets.serverphoneCa.path;
+    };
   };
+
+  users.users.serverphone = {
+    group = "serverphone";
+    isSystemUser = true;
+  };
+  users.groups.serverphone = {};
 }
 # vim: ts=2
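Review bot: `caCertificate = "certificates/ca.crt";` and `certificate = "certificates/server.crt";` are plain strings rather than Nix paths, so they reach the module verbatim and would presumably resolve against the service's working directory, not this directory. Unless the module expects that, use `caCertificate = ./certificates/ca.crt;` and `certificate = ./certificates/server.crt;`. As rendered here, the `acceptedUsers` entry is also split across two lines inside the string literal; if that break is in the file, the argon2id hash contains a newline and will probably not verify. The hash also ends up in the world-readable Nix store, so it may be worth supplying it the same way as the two keys if the module allows it.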
 
diff --git a/system/services/serverphone/keys/soispha_at_vhack.eu b/system/services/serverphone/keys/soispha_at_vhack.eu
new file mode 120000
index 00000000..0d7e61d5
--- /dev/null
+++ b/system/services/serverphone/keys/soispha_at_vhack.eu
@@ -0,0 +1 @@
+/home/soispha/repos/nix/nixos-config/home-manager/config/gpg/keys/soispha_at_vhack.eu
\ No newline at end of file
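Review bot: The link target is an absolute path under `/home/soispha`, so `source = ./keys/soispha_at_vhack.eu` in system/services/serverphone/default.nix only resolves on a machine with that checkout. The flake's store copy would likely carry a dangling link. That entry is also given `trust = "ultimate"`, so the key material should be pinned by the repository rather than by a mutable file outside it. A relative link into the repository (the target appears to live under `home-manager/config/gpg/keys/` of the same repo) or a committed copy of the public key would avoid both problems.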