Browse Source

More progress

main
Dustin Frisch 1 month ago
parent
commit
17b10d8366
No known key found for this signature in database GPG Key ID: B4C3BF012D9B26BE
  1. 3
      .gitignore
  2. 6
      TODO.md
  3. 22
      machines/installer/cache.nix
  4. 12
      machines/installer/default.nix
  5. 4
      machines/installer/hardware.nix
  6. 15
      machines/ldap/default.nix
  7. 33
      machines/ldap/hardware.nix
  8. 48
      machines/ldap/ldap.nix
  9. 6
      machines/ldap/secrets/ldap.tls.crt
  10. 6
      machines/ldap/secrets/ldap.tls.key
  11. 22
      machines/ldap/secrets/ldap.yaml
  12. 18
      machines/nfs/default.nix
  13. 125
      machines/nfs/dhcp.nix
  14. 32
      machines/nfs/hardware.nix
  15. 13
      shared/network.nix
  16. 10
      sops-config.nix

3
.gitignore

@ -5,5 +5,6 @@
/*-efi-vars.fd
# nixago: ignore-linked-files
/.sops.yaml
/.pre-commit-config.yaml

6
TODO.md

@ -1,11 +1,13 @@
# Tasks
- Configure user env on client (using envfs?)
- A fancy background image?
- Configure docker on client
- Make installer work
- Move ldap to subdomain
- Switch to HS nameservers
- Check external SSH access
- Remove x-tools like xterm
- Quota per user on homedir
- Exim recovery
- A fancy background image?
# Issuse
- Cleartext password in sssd/ldap config

22
machines/installer/cache.nix

@ -0,0 +1,22 @@
{ config, ... }:
{
services.nix-serve = {
enable = true;
secretKeyFile = config.sops.secrets."cache/key".path;
};
services.nginx = {
enable = true;
virtualHosts."cache.${config.networking.domain}" = {
locations."/".proxyPass = with config.services.nix-serve;
"http://${bindAddress}:${port}";
};
};
sops.secrets."cache/key" = {
sopsFile = ./secrets/cache.key;
format = "binary";
};
}

12
machines/installer/default.nix

@ -1,25 +1,25 @@
{
imports = [
./hardware.nix
# TODO: ./cache.nix
./netinstall.nix
# TODO: ./cache.nix
# ./netinstall.nix
];
deployment = {
targetHost = "10.32.45.12";
targetHost = "10.33.64.21";
};
networking = {
interfaces."eth0" = {
ipv4.addresses = [{
address = "10.32.45.12";
prefixLength = 24;
address = "10.33.64.21";
prefixLength = 20;
}];
};
defaultGateway = {
interface = "eth0";
address = "10.32.45.1";
address = "10.33.64.1";
};
};

4
machines/installer/hardware.nix

@ -1,4 +1,4 @@
{ modulesPath, ... }:
{ modulesPath, ... }:
{
imports = [
@ -30,7 +30,7 @@
disk = {
root = {
type = "disk";
device = "/dev/sda";
device = "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:1:0:0";
imageSize = "64G";
content = {
type = "gpt";

15
machines/ldap/default.nix

@ -2,23 +2,26 @@
imports = [
./hardware.nix
./ldap.nix
# TODO:
# ../installer/netinstall.nix
];
deployment = {
targetHost = "10.32.45.11";
targetHost = "10.33.64.19";
};
networking = {
interfaces."eth0" = {
interfaces."eno1" = {
ipv4.addresses = [{
address = "10.32.45.11";
prefixLength = 24;
address = "10.33.64.19";
prefixLength = 20;
}];
};
defaultGateway = {
interface = "eth0";
address = "10.32.45.1";
interface = "eno1";
address = "10.33.64.1";
};
};

33
machines/ldap/hardware.nix

@ -1,4 +1,4 @@
{ modulesPath, ... }:
{ modulesPath, ... }:
{
imports = [
@ -7,20 +7,22 @@
nixpkgs.hostPlatform = "x86_64-linux";
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ata_piix"
"mptsas"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
boot = {
initrd.availableKernelModules = [
"ahci"
"ohci_pci"
"ehci_pci"
"pata_atiixp"
"mpt3sas"
"usbhid"
"usb_storage"
"sd_mod"
"sr_mod"
];
kernelModules = [ "kvm-amd" ];
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
loader.grub.enable = true;
};
hardware.enableRedistributableFirmware = true;
@ -30,7 +32,7 @@
disk = {
root = {
type = "disk";
device = "/dev/sda";
device = "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:1:0:0";
imageSize = "32G";
content = {
type = "gpt";
@ -46,6 +48,7 @@
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {

48
machines/ldap/ldap.nix

@ -191,30 +191,32 @@ in
'';
};
sops.secrets."ldap/root/password" = {
sopsFile = ./secrets/ldap.yaml;
owner = "openldap";
};
sops.secrets = {
"ldap/root/password" = {
sopsFile = ./secrets/ldap.yaml;
owner = "openldap";
};
sops.secrets."ldap/upstream" = {
sopsFile = ./secrets/ldap.yaml;
owner = "openldap";
};
sops.secrets."ldap/tls/key" = {
sopsFile = ./secrets/ldap.tls.key;
format = "binary";
owner = "openldap";
};
sops.secrets."ldap/tls/crt" = {
sopsFile = ./secrets/ldap.tls.crt;
format = "binary";
owner = "openldap";
};
sops.secrets."ldap/sync/config" = {
sopsFile = ./secrets/ldap.yaml;
"ldap/upstream" = {
sopsFile = ./secrets/ldap.yaml;
owner = "openldap";
};
"ldap/tls/key" = {
sopsFile = ./secrets/ldap.tls.key;
format = "binary";
owner = "openldap";
};
"ldap/tls/crt" = {
sopsFile = ./secrets/ldap.tls.crt;
format = "binary";
owner = "openldap";
};
"ldap/sync/config" = {
sopsFile = ./secrets/ldap.yaml;
};
};
networking.firewall.allowedTCPPorts = [

6
machines/ldap/secrets/ldap.tls.crt

@ -8,11 +8,11 @@
"age": [
{
"recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoTkxXVEZMMm04bFVVbTNV\ndTluWmdNdU1sMVZqNHVUckZ0Rzh5WUM1cGxvCmIxb2Rld0NWek9xQVh5dlo0VGZL\ncXpYeXdUK1dVNVc3SitSeUpnVjVqMlEKLS0tIDd0Si8rbFd6YkFsMWZEMFdIQmd4\nVGNzR3BiaVdaODRtRmI1UW5kbm5sQWsKOYN2GuBROfSVmbPK3gvJhqLfXEgbh/NF\nOYNbi+i0cL41gAQjgqVcAJmzJSyp/wecfge2J8EQnbegFeUGfmrljw==\n-----END AGE ENCRYPTED FILE-----\n"
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRTB5dHBnaHJIaWU1a2tF\nemxTYzMrU0VyWWpGYUV4VmYvZ05pRW9jaVhJClQralFYdjVrbHg2RUh4empRTVRJ\nREZFWW5QYVdaTEFJU0E2N1N4T1MxekEKLS0tIDNXWU5QdnZtL2RsUmFjQW5ZYVlB\nYlVPY2J2S2RScS9JRW5uNGd6K2dvQWcKB4n41c1B4G63+VwihKCgKit+2LqDuOpH\ngLSzTRhpqIthk/IA0JCGYsgI7LdbC+dyMzHlFnwKj/PY6YXEsbluEg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QUZtMHpScDFxbXp2cnpW\nSE00Q2JDV2Z0RUtBdGJidlVYSjFkV0RicVNFCi9ZUW12T1ZJUGdWWlJONkNCZFJR\nMEt5dGVvVDlCQWttczNCMGJkSEZ0OEUKLS0tIG9qWVA3dG5KNUY5R1BZRkZBRDNU\nejZLbUpXUXNZL0JYdk4xbXhUZlZHczAKcduhbeOO9wEZo5FOzOae4tl1OMddBgAw\n1JjHE8JzY3yud6C6UNoghwhAG+B1kTa1KlcsUezVxT55rTGQk+Ghog==\n-----END AGE ENCRYPTED FILE-----\n"
"recipient": "age1dzhwx7skgpq0aygef77fvnldd00v4yfqg57hav3xsup8flqyqqdsvr5hcw",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbXJkeUNNVmJoRlRzQllN\nRCtmR2ErUURMVFk2aGllRk1XVzNFbmlaQjBZCmM3dWphQTN2TXU1YkVqUk1RWm13\nWW5SdkduQjlLSVVLeS9VSS9tMFRMRFUKLS0tIEVJMFR5NDdRc3hXQ2JsZ2JLL2Nr\nekdVd1VUUFM4eTNTN2RJbm1TeU04ZlUKLESgMA+mqU4IyVWh4sceRarIEb1asBV2\nJF7BIqhqd4N0SVULQg9yeu7cqqg2pJTgkV1Y6nGpOrhtn0nrtor9Dg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-10-23T13:43:39Z",

6
machines/ldap/secrets/ldap.tls.key

@ -8,11 +8,11 @@
"age": [
{
"recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeEpiRjhYU3ErSW56a3Z5\nbUN2TUxaSTlIT3dFK0p1dlV6WTd2bzJLbW4wCkJLd0hSZmRGUHg4Z2NpQ2VFa25T\na0dhUlpLSk1GSEl6eGY0NllMclY2bDgKLS0tIENGanhCK2dLcmFxclNDWUtuS0Vt\nejZncjdVUll1OG1aM1BFK0EwckNodGcKMBn25B8U9pR+NDm4xTK43DSPxSLmcDgz\ntm6EZy6ENOJYsFf1UCILrd9pkX5Vt/h3RE5U/IJEpIiYsaYSTRjG6w==\n-----END AGE ENCRYPTED FILE-----\n"
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cTdvSlc2RUljc3l1SERM\neEJVbXZPVnJ4eDk3MDJPelAwWFNJcEp3RkdNCkp3bXBIbUlNeHc2N1NRaGQ5NXFP\nQXJRbVc3N1lKc1hZM2tNcGhNM0pPTncKLS0tIFlQQkE5aURrTzliejV2SHJ1VW1w\nNDJFajBhVkdUK2xpWGpPN0pxL29zT1EKwBt+0/rVeNrwFUiX/PTMEUm6ckrlO6ke\nzldXMZNP69jhrPo9j9jX4kt3Rgg96A0wfIm0AOc82bZyQSxW5wBbtg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMHZqcEs3SjBHaDB3YUR6\nbldiNVVTcjd0dkU3aWVZUnNzSG1FakRLR21nCkthT25oMnlLaVloTE5ZdnA3SXAx\nYXZveWJRSWowcTZ6Y3QyaDVvaU4vZk0KLS0tIHZ0ZndoV2RINEVkTXpkT0gwV295\nZy9jMVVNaVF0MENhZ2FNZlhjVWhtYWMKDjw+F73tFDuXBODKE1ntB4XjKnualbRX\nHoK5ZWz2kQiD5j9Z3eiA3K4UkQs8+XLBzFHKWsUJm+DXFj6pRex2iw==\n-----END AGE ENCRYPTED FILE-----\n"
"recipient": "age1dzhwx7skgpq0aygef77fvnldd00v4yfqg57hav3xsup8flqyqqdsvr5hcw",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VkVjL1ZWVlBUQWtEcVB6\nL2tVN2RIWlF4cmlNTmZTOElRcnVNWGZNVjN3CmJEcWFsNFo5STBDb2c0Zk9UczVG\nQTN6d3lFdHA1T3hvaWJtc2tiVUd0dTQKLS0tIEJCNE9wMTFsckRFZ2srd0lwTzFS\nV0twVDVsWVBYcWFxNy9YNVJxTzc5M2cK8TuqO2N31GxmpzUSpllEaM4Rwxf+Ph53\nriaIdZsCZfE04BySoZPil1/IjQ8aDALLe/MUK5AHXYFn8EKfxkqDVQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-10-23T13:42:58Z",

22
machines/ldap/secrets/ldap.yaml

@ -14,20 +14,20 @@ sops:
- recipient: age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3b2JsOXdFTndnclZCRm80
REZpZFBuMlFvVWhMcDRBNDJlV3d0MEFIUno0CncrejdPeTN1Z2t2SnRzNjBSTXc4
dWRWTE1XTy9LcHZYSWRabDZSemQrS2sKLS0tIHkwbFpuenpwOCtoVFg4ZHBDc3k3
bnJ3YzRHcDBPcGR0NzlKUzF6bHcyajQK214Dek7XUkmIelWsmVxk5eZmPsfbllP0
1kqP5vImXTMVmcvGR0XTnYxkNt5LVke8DWnsfEEMZniJxbm61N7+UQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0aklvbmwwRnF5Uk9PZTMy
a2hKbEExUDNwVCtGZ2k3cE5SSHRzYy83L0FjCjdQVjNIWk15UFhvRUdtQTZDRFpq
WHlWcHlEcHVzR0dERWhSMTVFVVBWOWsKLS0tIGRBUjhPaGJmWnBvOGxRSTdHM1RJ
cHJRejg5UXlzYm8xS3dKaURBSm9Sd00KxahaaD6oZMEQbV65qxMYL+C4aXafG7aE
RgN/vB9WFBeJmqqKtm0kvtFR4xfwEnTo4aO1UlPw1WCSLF1+j3ZgNg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6
- recipient: age1dzhwx7skgpq0aygef77fvnldd00v4yfqg57hav3xsup8flqyqqdsvr5hcw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcFh2R3lDdGc1cVBrWWhz
VTN6S2hyM20vSlhIRTUvbld3dE0wOGdUZHpzCjJvMFkrdndVUHlIaFZKSW04amlS
enlBNmJGc0pjbEkvNTNucTExNE9PSXMKLS0tIDlHSEQ4VVBFci9aWEpmRTNVY0hL
SDdOQkVUZVFKZUhIcytGVHNWRU9yWnMKgrnTLzfvi9RRL59+iOnvXVew3GUQtXvV
lBZ7Jam2G3AKFsdY/Z4QMAH9cqaLypPQRt5uJ+2Agl2dbGKqTqUFrg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHdGphWi9NUkdEQVBicTQ0
WURkWGY3a3R6RUgxSnlobURhQVRKT3NFUnpjClFYanIydlRRNC9meXd6U29rR3k1
SGhpTExHcHErcFhXK2JOeUIxMmp4UUEKLS0tIDhoeGFyNkFCR2FBTlR0c2c1N2Nx
TWgzM3hGUFJPMWVHL3FqNzB4MWNTcU0KBu1/Cj3EeXrUajcFfZCZgOytHDuJv2fI
Oth9Mc+jRhKqvDBsc+qcDGzQQaBljkdLrvACM+uFua+hsNgPqxolCw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-23T15:39:50Z"
mac: ENC[AES256_GCM,data:x2XnbLAAWuCudb9C71I11Hmigh8sQE6lsy4YM5qg2IYRBrOnh+90MblMNAqlj5PX5/c2qg9wlRRpkCTtjcSDtur8j0dnbwQ1gg1AcwB0SWoG0QI1ynFZOJ/aCDeqcRK52AdSkrgz/wRSN2WpPX4O+hNvDRVASIyhumZQb6rrHRU=,iv:uBGxIZdwyGebtNCkpvLlVG1Wg1DdL00rJFxZjbbCV50=,tag:pg41so3tG+no/JaDA/SJMg==,type:str]

18
machines/nfs/default.nix

@ -1,24 +1,32 @@
{
imports = [
./hardware.nix
./dhcp.nix
./nfs.nix
];
deployment = {
targetHost = "10.32.45.10";
targetHost = "10.33.64.20";
};
networking = {
interfaces."eth0" = {
interfaces."enp4s0f0" = {
ipv4.addresses = [{
address = "10.32.45.10";
address = "10.33.64.20";
prefixLength = 20;
}];
};
interfaces."enp4s0f1" = {
ipv4.addresses = [{
address = "10.32.44.20";
prefixLength = 24;
}];
};
defaultGateway = {
interface = "eth0";
address = "10.32.45.1";
interface = "enp4s0f0";
address = "10.33.64.1";
};
};

125
machines/nfs/dhcp.nix

@ -0,0 +1,125 @@
{ pkgs, config, ... }:
{
services.kea.dhcp4 = {
enable = true;
settings = {
interfaces-config = {
interfaces = [
"enp4s0f0"
"enp4s0f1"
];
};
lease-database = {
name = "/var/lib/kea/dhcp4.leases";
persist = true;
type = "memfile";
};
rebind-timer = 2000;
renew-timer = 1000;
subnet4 = [
{
subnet = "10.33.64.0/20";
interface = "enp4s0f1";
pools = [
{
pool = "10.33.65.100 - 10.33.65.200";
}
];
option-data = [
{
name = "routers";
data = "10.33.64.1";
}
{
name = "domain-name-servers";
data = "10.0.0.53";
}
{
name = "domain-name";
data = config.networking.domain;
}
{
name = "domain-search";
data = config.networking.domain;
}
];
}
{
subnet = "10.32.44.0/24";
interface = "enp4s0f1";
pools = [
{
pool = "10.32.44.100 - 10.32.44.200";
}
];
option-data = [
{
name = "routers";
data = "10.32.44.1";
}
{
name = "domain-name-servers";
data = "10.0.0.53";
}
{
name = "domain-name";
data = config.networking.domain;
}
{
name = "domain-search";
data = config.networking.domain;
}
];
}
];
valid-lifetime = 4000;
};
};
networking.firewall.allowedUDPPorts = [
67
68 # DHCP
];
services.pixiecore =
let
script = pkgs.writeText "boot-local.ipxe" ''
#!ipxe
sleep 2
sanboot -n -d 0x80
shell
'';
in
{
enable = true;
dhcpNoBind = true;
port = 5080;
mode = "boot";
kernel = toString script;
openFirewall = true;
};
}

32
machines/nfs/hardware.nix

@ -1,4 +1,4 @@
{ modulesPath, ... }:
{ modulesPath, ... }:
{
imports = [
@ -7,20 +7,22 @@
nixpkgs.hostPlatform = "x86_64-linux";
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ata_piix"
"mptsas"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
boot = {
initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
kernelModules = [ "kvm-intel" ];
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
hardware.enableRedistributableFirmware = true;
@ -30,7 +32,7 @@
disk = {
root = {
type = "disk";
device = "/dev/sda";
device = "/dev/disk/by-path/pci-0000:00:17.0-ata-8.0";
imageSize = "32G";
content = {
type = "gpt";

13
shared/network.nix

@ -1,4 +1,4 @@
{ config, name, ...}:
{ config, name, ... }:
{
networking = {
@ -11,17 +11,16 @@
"linuxlab.informatik.hs-fulda.de"
];
# TODO: nameservers = [ "10.0.0.53" ];
nameservers = [ "1.0.0.1" "1.1.1.1" ];
nameservers = [ "10.0.0.53" ];
useDHCP = false;
extraHosts = ''
10.32.45.10 nfs.${config.networking.domain}
10.32.45.11 ldap.${config.networking.domain}
10.32.45.12 install.${config.networking.domain}
10.33.64.20 nfs.${config.networking.domain}
10.33.64.19 ldap.${config.networking.domain}
10.33.64.19 install.${config.networking.domain}
10.32.45.11 ldap-linuxlab.informatik.hs-fulda.de
10.33.64.19 ldap-linuxlab.informatik.hs-fulda.de
'';
};
}

10
sops-config.nix

@ -12,14 +12,14 @@ let
admins = {
"fooker" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ";
};
hosts = {
"nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMW2Ouwep/O0ULtPC8aHx+s9oB8RDJis02u9wYnJe7My";
"ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeRJF8IwyYAe4T4x7+n6ufO6lmOTu6PgPdmHiPRfCqI";
"nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENsd6EdgIn5jhqXUEyPckoViHLLsYM2on/liwf1IO8p";
"ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhkh5L4jYl/i4E+lBVDppHcoiohR/gDricyV2wY/3Np";
"installer" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrc58WlxYKaPNO1J8j8KQxOLJooc9fIxp6gZZoB4Y7o";
};
sshToAge = ssh-key:
sshToAge = ssh-key:
let
key = runCommandNoCCLocal "hostkey-to-age" { } ''
${ssh-to-age}/bin/ssh-to-age < '${writeText "" ssh-key}' > "$out"
@ -39,7 +39,7 @@ let
Make sure the SSH host key is added to `sops-config.nix` after initial provisioning.
After changing the hosts, make sure to run `sops updatekeys` with all relevant secret files.
'';
getAttr machine hosts;
getAttr machine hosts;
in
sshToAge ssh-key);

Loading…
Cancel
Save