diff --git a/.gitignore b/.gitignore index f920593..525176e 100644 --- a/.gitignore +++ b/.gitignore @@ -5,5 +5,6 @@ /*-efi-vars.fd -# nixago: ignore-linked-files /.sops.yaml +/.pre-commit-config.yaml + diff --git a/TODO.md b/TODO.md index 4a09330..6e1227a 100644 --- a/TODO.md +++ b/TODO.md @@ -1,11 +1,13 @@ # Tasks - Configure user env on client (using envfs?) -- A fancy background image? +- Configure docker on client - Make installer work - Move ldap to subdomain -- Switch to HS nameservers - Check external SSH access - Remove x-tools like xterm +- Quota per user on homedir +- Exim recovery +- A fancy background image? # Issuse - Cleartext password in sssd/ldap config diff --git a/machines/installer/cache.nix b/machines/installer/cache.nix new file mode 100644 index 0000000..5edeebc --- /dev/null +++ b/machines/installer/cache.nix @@ -0,0 +1,22 @@ +{ config, ... }: + +{ + services.nix-serve = { + enable = true; + secretKeyFile = config.sops.secrets."cache/key".path; + }; + + services.nginx = { + enable = true; + virtualHosts."cache.${config.networking.domain}" = { + locations."/".proxyPass = with config.services.nix-serve; + "http://${bindAddress}:${port}"; + }; + }; + + sops.secrets."cache/key" = { + sopsFile = ./secrets/cache.key; + format = "binary"; + }; +} + diff --git a/machines/installer/default.nix b/machines/installer/default.nix index 1e1e17e..c937ab7 100644 --- a/machines/installer/default.nix +++ b/machines/installer/default.nix @@ -1,25 +1,25 @@ { imports = [ ./hardware.nix -# TODO: ./cache.nix - ./netinstall.nix + # TODO: ./cache.nix + # ./netinstall.nix ]; deployment = { - targetHost = "10.32.45.12"; + targetHost = "10.33.64.21"; }; networking = { interfaces."eth0" = { ipv4.addresses = [{ - address = "10.32.45.12"; - prefixLength = 24; + address = "10.33.64.21"; + prefixLength = 20; }]; }; defaultGateway = { interface = "eth0"; - address = "10.32.45.1"; + address = "10.33.64.1"; }; }; 
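Review bot: `proxyPass` in cache.nix interpolates `port` directly, but `services.nix-serve.port` is an integer option, so `"http://${bindAddress}:${port}"` fails to evaluate ("cannot coerce an integer to a string") as soon as the file is imported; it is still parked as `# TODO: ./cache.nix` in the default.nix hunk, which is why the build does not show it yet, and it should read `"http://${bindAddress}:${toString port}"`. nix-serve's `bindAddress` defaults to `0.0.0.0` unless set elsewhere, so the cache would also be reachable on its own port next to the nginx vhost; `bindAddress = "127.0.0.1";` keeps nginx the only entry point, and a short comment on the vhost that it is plain HTTP by design (clients verify the narinfo signatures) would pre-empt the question. `sopsFile = ./secrets/cache.key` refers to a file this diff does not add; confirm it exists before un-commenting the import.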
diff --git a/machines/installer/hardware.nix b/machines/installer/hardware.nix index b35c6e1..cfb872a 100644 --- a/machines/installer/hardware.nix +++ b/machines/installer/hardware.nix @@ -1,4 +1,4 @@ -{ modulesPath, ... }: +{ modulesPath, ... }: { imports = [ @@ -30,7 +30,7 @@ disk = { root = { type = "disk"; - device = "/dev/sda"; + device = "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:1:0:0"; imageSize = "64G"; content = { type = "gpt"; diff --git a/machines/ldap/default.nix b/machines/ldap/default.nix index 1e5c955..1650687 100644 --- a/machines/ldap/default.nix +++ b/machines/ldap/default.nix @@ -2,23 +2,26 @@ imports = [ ./hardware.nix ./ldap.nix + + # TODO: + # ../installer/netinstall.nix ]; deployment = { - targetHost = "10.32.45.11"; + targetHost = "10.33.64.19"; }; networking = { - interfaces."eth0" = { + interfaces."eno1" = { ipv4.addresses = [{ - address = "10.32.45.11"; - prefixLength = 24; + address = "10.33.64.19"; + prefixLength = 20; }]; }; defaultGateway = { - interface = "eth0"; - address = "10.32.45.1"; + interface = "eno1"; + address = "10.33.64.1"; }; }; diff --git a/machines/ldap/hardware.nix b/machines/ldap/hardware.nix index cb0a876..a5e6dc4 100644 --- a/machines/ldap/hardware.nix +++ b/machines/ldap/hardware.nix @@ -1,4 +1,4 @@ -{ modulesPath, ... }: +{ modulesPath, ... }: { imports = [ @@ -7,20 +7,22 @@ nixpkgs.hostPlatform = "x86_64-linux"; - boot.initrd.availableKernelModules = [ - "uhci_hcd" - "ehci_pci" - "ata_piix" - "mptsas" - "usb_storage" - "usbhid" - "sd_mod" - "sr_mod" - ]; + boot = { + initrd.availableKernelModules = [ + "ahci" + "ohci_pci" + "ehci_pci" + "pata_atiixp" + "mpt3sas" + "usbhid" + "usb_storage" + "sd_mod" + "sr_mod" + ]; + + kernelModules = [ "kvm-amd" ]; - boot.loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; + loader.grub.enable = true; }; hardware.enableRedistributableFirmware = true; 
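Review bot: `loader.grub.enable = true;` in the ldap hardware hunk replaces systemd-boot with GRUB in BIOS mode (no `efiSupport`), so the vfat `/boot` partition from the later hunk of this file stops acting as an ESP and GRUB on a GPT disk needs a BIOS-boot (`EF02`) partition in the disko layout, which is outside this hunk. If the new box is BIOS-only this is fine and a one-line comment such as `# new host boots legacy BIOS; GPT layout carries a BIOS-boot partition` would save the next reader the question; if it still boots UEFI, set `loader.grub.efiSupport = true` (or keep systemd-boot as the nfs hardware hunk does). The `initrd.availableKernelModules` change is presumably hardware-derived and I have not checked it against the machine.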
@@ -30,7 +32,7 @@ disk = { root = { type = "disk"; - device = "/dev/sda"; + device = "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:1:0:0"; imageSize = "32G"; content = { type = "gpt"; @@ -46,6 +48,7 @@ type = "filesystem"; format = "vfat"; mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; }; }; root = { diff --git a/machines/ldap/ldap.nix b/machines/ldap/ldap.nix index 75d25e8..8f0f6b5 100644 --- a/machines/ldap/ldap.nix +++ b/machines/ldap/ldap.nix @@ -191,30 +191,32 @@ in ''; }; - sops.secrets."ldap/root/password" = { - sopsFile = ./secrets/ldap.yaml; - owner = "openldap"; - }; + sops.secrets = { + "ldap/root/password" = { + sopsFile = ./secrets/ldap.yaml; + owner = "openldap"; + }; - sops.secrets."ldap/upstream" = { - sopsFile = ./secrets/ldap.yaml; - owner = "openldap"; - }; - - sops.secrets."ldap/tls/key" = { - sopsFile = ./secrets/ldap.tls.key; - format = "binary"; - owner = "openldap"; - }; - - sops.secrets."ldap/tls/crt" = { - sopsFile = ./secrets/ldap.tls.crt; - format = "binary"; - owner = "openldap"; - }; - - sops.secrets."ldap/sync/config" = { - sopsFile = ./secrets/ldap.yaml; + "ldap/upstream" = { + sopsFile = ./secrets/ldap.yaml; + owner = "openldap"; + }; + + "ldap/tls/key" = { + sopsFile = ./secrets/ldap.tls.key; + format = "binary"; + owner = "openldap"; + }; + + "ldap/tls/crt" = { + sopsFile = ./secrets/ldap.tls.crt; + format = "binary"; + owner = "openldap"; + }; + + "ldap/sync/config" = { + sopsFile = ./secrets/ldap.yaml; + }; }; networking.firewall.allowedTCPPorts = [ diff --git a/machines/ldap/secrets/ldap.tls.crt b/machines/ldap/secrets/ldap.tls.crt index 1f01098..9d8eff9 100644 --- a/machines/ldap/secrets/ldap.tls.crt +++ b/machines/ldap/secrets/ldap.tls.crt 
@@ -8,11 +8,11 @@ "age": [ { "recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoTkxXVEZMMm04bFVVbTNV\ndTluWmdNdU1sMVZqNHVUckZ0Rzh5WUM1cGxvCmIxb2Rld0NWek9xQVh5dlo0VGZL\ncXpYeXdUK1dVNVc3SitSeUpnVjVqMlEKLS0tIDd0Si8rbFd6YkFsMWZEMFdIQmd4\nVGNzR3BiaVdaODRtRmI1UW5kbm5sQWsKOYN2GuBROfSVmbPK3gvJhqLfXEgbh/NF\nOYNbi+i0cL41gAQjgqVcAJmzJSyp/wecfge2J8EQnbegFeUGfmrljw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRTB5dHBnaHJIaWU1a2tF\nemxTYzMrU0VyWWpGYUV4VmYvZ05pRW9jaVhJClQralFYdjVrbHg2RUh4empRTVRJ\nREZFWW5QYVdaTEFJU0E2N1N4T1MxekEKLS0tIDNXWU5QdnZtL2RsUmFjQW5ZYVlB\nYlVPY2J2S2RScS9JRW5uNGd6K2dvQWcKB4n41c1B4G63+VwihKCgKit+2LqDuOpH\ngLSzTRhpqIthk/IA0JCGYsgI7LdbC+dyMzHlFnwKj/PY6YXEsbluEg==\n-----END AGE ENCRYPTED FILE-----\n" }, { - "recipient": "age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QUZtMHpScDFxbXp2cnpW\nSE00Q2JDV2Z0RUtBdGJidlVYSjFkV0RicVNFCi9ZUW12T1ZJUGdWWlJONkNCZFJR\nMEt5dGVvVDlCQWttczNCMGJkSEZ0OEUKLS0tIG9qWVA3dG5KNUY5R1BZRkZBRDNU\nejZLbUpXUXNZL0JYdk4xbXhUZlZHczAKcduhbeOO9wEZo5FOzOae4tl1OMddBgAw\n1JjHE8JzY3yud6C6UNoghwhAG+B1kTa1KlcsUezVxT55rTGQk+Ghog==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age1dzhwx7skgpq0aygef77fvnldd00v4yfqg57hav3xsup8flqyqqdsvr5hcw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbXJkeUNNVmJoRlRzQllN\nRCtmR2ErUURMVFk2aGllRk1XVzNFbmlaQjBZCmM3dWphQTN2TXU1YkVqUk1RWm13\nWW5SdkduQjlLSVVLeS9VSS9tMFRMRFUKLS0tIEVJMFR5NDdRc3hXQ2JsZ2JLL2Nr\nekdVd1VUUFM4eTNTN2RJbm1TeU04ZlUKLESgMA+mqU4IyVWh4sceRarIEb1asBV2\nJF7BIqhqd4N0SVULQg9yeu7cqqg2pJTgkV1Y6nGpOrhtn0nrtor9Dg==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2024-10-23T13:43:39Z", 
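Review bot: This hunk, and the matching ones in ldap.tls.key and ldap.yaml, only swap the second age recipient (`age1wzany…` → `age1dzhwx…`) and re-wrap the data key; the `lastmodified` context lines and the payload are untouched, so the LDAP TLS private key and root password themselves are not rotated. If the old recipient belonged to the ldap host that was reinstalled (the new host key in sops-config.nix suggests so), its private key and the old envelope in git history can still decrypt these payloads; either rotate the TLS key/cert and the root password after the host swap, or note in the commit that the old host's key material was destroyed. A `sops updatekeys` that also drops the old recipient is what the diff shows, which is correct as far as it goes.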
diff --git a/machines/ldap/secrets/ldap.tls.key b/machines/ldap/secrets/ldap.tls.key
index 591c06a..f663450 100644
--- a/machines/ldap/secrets/ldap.tls.key
+++ b/machines/ldap/secrets/ldap.tls.key
@@ -8,11 +8,11 @@ "age": [ { "recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeEpiRjhYU3ErSW56a3Z5\nbUN2TUxaSTlIT3dFK0p1dlV6WTd2bzJLbW4wCkJLd0hSZmRGUHg4Z2NpQ2VFa25T\na0dhUlpLSk1GSEl6eGY0NllMclY2bDgKLS0tIENGanhCK2dLcmFxclNDWUtuS0Vt\nejZncjdVUll1OG1aM1BFK0EwckNodGcKMBn25B8U9pR+NDm4xTK43DSPxSLmcDgz\ntm6EZy6ENOJYsFf1UCILrd9pkX5Vt/h3RE5U/IJEpIiYsaYSTRjG6w==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cTdvSlc2RUljc3l1SERM\neEJVbXZPVnJ4eDk3MDJPelAwWFNJcEp3RkdNCkp3bXBIbUlNeHc2N1NRaGQ5NXFP\nQXJRbVc3N1lKc1hZM2tNcGhNM0pPTncKLS0tIFlQQkE5aURrTzliejV2SHJ1VW1w\nNDJFajBhVkdUK2xpWGpPN0pxL29zT1EKwBt+0/rVeNrwFUiX/PTMEUm6ckrlO6ke\nzldXMZNP69jhrPo9j9jX4kt3Rgg96A0wfIm0AOc82bZyQSxW5wBbtg==\n-----END AGE ENCRYPTED FILE-----\n" }, { - "recipient": "age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMHZqcEs3SjBHaDB3YUR6\nbldiNVVTcjd0dkU3aWVZUnNzSG1FakRLR21nCkthT25oMnlLaVloTE5ZdnA3SXAx\nYXZveWJRSWowcTZ6Y3QyaDVvaU4vZk0KLS0tIHZ0ZndoV2RINEVkTXpkT0gwV295\nZy9jMVVNaVF0MENhZ2FNZlhjVWhtYWMKDjw+F73tFDuXBODKE1ntB4XjKnualbRX\nHoK5ZWz2kQiD5j9Z3eiA3K4UkQs8+XLBzFHKWsUJm+DXFj6pRex2iw==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age1dzhwx7skgpq0aygef77fvnldd00v4yfqg57hav3xsup8flqyqqdsvr5hcw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VkVjL1ZWVlBUQWtEcVB6\nL2tVN2RIWlF4cmlNTmZTOElRcnVNWGZNVjN3CmJEcWFsNFo5STBDb2c0Zk9UczVG\nQTN6d3lFdHA1T3hvaWJtc2tiVUd0dTQKLS0tIEJCNE9wMTFsckRFZ2srd0lwTzFS\nV0twVDVsWVBYcWFxNy9YNVJxTzc5M2cK8TuqO2N31GxmpzUSpllEaM4Rwxf+Ph53\nriaIdZsCZfE04BySoZPil1/IjQ8aDALLe/MUK5AHXYFn8EKfxkqDVQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2024-10-23T13:42:58Z", 
diff --git a/machines/ldap/secrets/ldap.yaml b/machines/ldap/secrets/ldap.yaml
index 29aa573..aaa146e 100644
--- a/machines/ldap/secrets/ldap.yaml
+++ b/machines/ldap/secrets/ldap.yaml
@@ -14,20 +14,20 @@ sops: - recipient: age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3b2JsOXdFTndnclZCRm80 - REZpZFBuMlFvVWhMcDRBNDJlV3d0MEFIUno0CncrejdPeTN1Z2t2SnRzNjBSTXc4 - dWRWTE1XTy9LcHZYSWRabDZSemQrS2sKLS0tIHkwbFpuenpwOCtoVFg4ZHBDc3k3 - bnJ3YzRHcDBPcGR0NzlKUzF6bHcyajQK214Dek7XUkmIelWsmVxk5eZmPsfbllP0 - 1kqP5vImXTMVmcvGR0XTnYxkNt5LVke8DWnsfEEMZniJxbm61N7+UQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0aklvbmwwRnF5Uk9PZTMy + a2hKbEExUDNwVCtGZ2k3cE5SSHRzYy83L0FjCjdQVjNIWk15UFhvRUdtQTZDRFpq + WHlWcHlEcHVzR0dERWhSMTVFVVBWOWsKLS0tIGRBUjhPaGJmWnBvOGxRSTdHM1RJ + cHJRejg5UXlzYm8xS3dKaURBSm9Sd00KxahaaD6oZMEQbV65qxMYL+C4aXafG7aE + RgN/vB9WFBeJmqqKtm0kvtFR4xfwEnTo4aO1UlPw1WCSLF1+j3ZgNg== -----END AGE ENCRYPTED FILE----- - - recipient: age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6 + - recipient: age1dzhwx7skgpq0aygef77fvnldd00v4yfqg57hav3xsup8flqyqqdsvr5hcw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcFh2R3lDdGc1cVBrWWhz - VTN6S2hyM20vSlhIRTUvbld3dE0wOGdUZHpzCjJvMFkrdndVUHlIaFZKSW04amlS - enlBNmJGc0pjbEkvNTNucTExNE9PSXMKLS0tIDlHSEQ4VVBFci9aWEpmRTNVY0hL - SDdOQkVUZVFKZUhIcytGVHNWRU9yWnMKgrnTLzfvi9RRL59+iOnvXVew3GUQtXvV - lBZ7Jam2G3AKFsdY/Z4QMAH9cqaLypPQRt5uJ+2Agl2dbGKqTqUFrg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHdGphWi9NUkdEQVBicTQ0 + WURkWGY3a3R6RUgxSnlobURhQVRKT3NFUnpjClFYanIydlRRNC9meXd6U29rR3k1 + SGhpTExHcHErcFhXK2JOeUIxMmp4UUEKLS0tIDhoeGFyNkFCR2FBTlR0c2c1N2Nx + TWgzM3hGUFJPMWVHL3FqNzB4MWNTcU0KBu1/Cj3EeXrUajcFfZCZgOytHDuJv2fI + Oth9Mc+jRhKqvDBsc+qcDGzQQaBljkdLrvACM+uFua+hsNgPqxolCw== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-10-23T15:39:50Z" mac: 
ENC[AES256_GCM,data:x2XnbLAAWuCudb9C71I11Hmigh8sQE6lsy4YM5qg2IYRBrOnh+90MblMNAqlj5PX5/c2qg9wlRRpkCTtjcSDtur8j0dnbwQ1gg1AcwB0SWoG0QI1ynFZOJ/aCDeqcRK52AdSkrgz/wRSN2WpPX4O+hNvDRVASIyhumZQb6rrHRU=,iv:uBGxIZdwyGebtNCkpvLlVG1Wg1DdL00rJFxZjbbCV50=,tag:pg41so3tG+no/JaDA/SJMg==,type:str] diff --git a/machines/nfs/default.nix b/machines/nfs/default.nix index b3f3a15..c2097df 100644 --- a/machines/nfs/default.nix +++ b/machines/nfs/default.nix @@ -1,24 +1,32 @@ { imports = [ ./hardware.nix + ./dhcp.nix ./nfs.nix ]; deployment = { - targetHost = "10.32.45.10"; + targetHost = "10.33.64.20"; }; networking = { - interfaces."eth0" = { + interfaces."enp4s0f0" = { ipv4.addresses = [{ - address = "10.32.45.10"; + address = "10.33.64.20"; + prefixLength = 20; + }]; + }; + + interfaces."enp4s0f1" = { + ipv4.addresses = [{ + address = "10.32.44.20"; prefixLength = 24; }]; }; defaultGateway = { - interface = "eth0"; - address = "10.32.45.1"; + interface = "enp4s0f0"; + address = "10.33.64.1"; }; }; diff --git a/machines/nfs/dhcp.nix b/machines/nfs/dhcp.nix new file mode 100644 index 0000000..39dee87 --- /dev/null +++ b/machines/nfs/dhcp.nix 
@@ -0,0 +1,125 @@ +{ pkgs, config, ... }: + +{ + services.kea.dhcp4 = { + enable = true; + + settings = { + interfaces-config = { + interfaces = [ + "enp4s0f0" + "enp4s0f1" + ]; + }; + + lease-database = { + name = "/var/lib/kea/dhcp4.leases"; + persist = true; + type = "memfile"; + }; + + rebind-timer = 2000; + renew-timer = 1000; + + subnet4 = [ + { + subnet = "10.33.64.0/20"; + interface = "enp4s0f1"; + + pools = [ + { + pool = "10.33.65.100 - 10.33.65.200"; + } + ]; + + option-data = [ + { + name = "routers"; + data = "10.33.64.1"; + } + + { + name = "domain-name-servers"; + data = "10.0.0.53"; + } + + { + name = "domain-name"; + data = config.networking.domain; + } + + { + name = "domain-search"; + data = config.networking.domain; + } + ]; + } + { + subnet = "10.32.44.0/24"; + interface = "enp4s0f1"; + + pools = [ + { + pool = "10.32.44.100 - 10.32.44.200"; + } + ]; + + option-data = [ + { + name = "routers"; + data = "10.32.44.1"; + } + + { + name = "domain-name-servers"; + data = "10.0.0.53"; + } + + { + name = "domain-name"; + data = config.networking.domain; + } + + { + name = "domain-search"; + data = config.networking.domain; + } + ]; + } + ]; + + valid-lifetime = 4000; + }; + }; + + networking.firewall.allowedUDPPorts = [ + 67 + 68 # DHCP + ]; + + services.pixiecore = + let + script = pkgs.writeText "boot-local.ipxe" '' + #!ipxe + + sleep 2 + + sanboot -n -d 0x80 + + shell + ''; + in + { + enable = true; + + dhcpNoBind = true; + + port = 5080; + + mode = "boot"; + kernel = toString script; + + openFirewall = true; + }; +} + diff --git a/machines/nfs/hardware.nix b/machines/nfs/hardware.nix index cb0a876..d90fd6b 100644 --- a/machines/nfs/hardware.nix +++ b/machines/nfs/hardware.nix @@ -1,4 +1,4 @@ -{ modulesPath, ... }: +{ modulesPath, ... }: { imports = [ 
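Review bot: Both `subnet4` entries in dhcp.nix bind `interface = "enp4s0f1"`, but `10.33.64.0/20` is the network configured on `enp4s0f0` in machines/nfs/default.nix, so the first subnet's selector looks copy-pasted from the second and should read `interface = "enp4s0f0";` (or the first subnet should be dropped if DHCP is only meant for the lab-side link). Depending on the Kea version this either rejects the duplicate interface binding at startup or never selects the /20 subnet for requests arriving on enp4s0f0 — I have not confirmed which. Separately, `networking.firewall.allowedUDPPorts = [ 67 68 ]` opens the server port on every interface (68 is the client port and is not needed on a server); since `interfaces-config` lists both NICs, scoping it as `networking.firewall.interfaces."enp4s0f1".allowedUDPPorts = [ 67 ];` keeps the host from answering DHCP on the shared /20 unless that is intended.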
@@ -7,20 +7,22 @@ nixpkgs.hostPlatform = "x86_64-linux"; - boot.initrd.availableKernelModules = [ - "uhci_hcd" - "ehci_pci" - "ata_piix" - "mptsas" - "usb_storage" - "usbhid" - "sd_mod" - "sr_mod" - ]; + boot = { + initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "usbhid" + "sd_mod" + "sr_mod" + ]; + + kernelModules = [ "kvm-intel" ]; - boot.loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; }; hardware.enableRedistributableFirmware = true; @@ -30,7 +32,7 @@ disk = { root = { type = "disk"; - device = "/dev/sda"; + device = "/dev/disk/by-path/pci-0000:00:17.0-ata-8.0"; imageSize = "32G"; content = { type = "gpt"; diff --git a/shared/network.nix b/shared/network.nix index c529bb7..058ae0b 100644 --- a/shared/network.nix +++ b/shared/network.nix @@ -1,4 +1,4 @@ -{ config, name, ...}: +{ config, name, ... }: { networking = { @@ -11,17 +11,16 @@ "linuxlab.informatik.hs-fulda.de" ]; - # TODO: nameservers = [ "10.0.0.53" ]; - nameservers = [ "1.0.0.1" "1.1.1.1" ]; + nameservers = [ "10.0.0.53" ]; useDHCP = false; extraHosts = '' - 10.32.45.10 nfs.${config.networking.domain} - 10.32.45.11 ldap.${config.networking.domain} - 10.32.45.12 install.${config.networking.domain} + 10.33.64.20 nfs.${config.networking.domain} + 10.33.64.19 ldap.${config.networking.domain} + 10.33.64.19 install.${config.networking.domain} - 10.32.45.11 ldap-linuxlab.informatik.hs-fulda.de + 10.33.64.19 ldap-linuxlab.informatik.hs-fulda.de ''; }; } diff --git a/sops-config.nix b/sops-config.nix index 307e9aa..a45b969 100644 --- a/sops-config.nix +++ b/sops-config.nix 
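Review bot: The vfat `/boot` partition of machines/nfs/hardware.nix (further down, outside this hunk; both files start from the same blob `cb0a876`) does not get the `mountOptions = [ "umask=0077" ];` that the ldap hardware hunk adds, so on nfs the ESP and everything copied into it stay world-readable. Add the same line to the `/boot` filesystem entry here, or move it into a shared module so the two hardware files cannot drift again. The by-path `device` change itself is an improvement over `/dev/sda`; the disk block continues past the hunk.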
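Review bot: In shared/network.nix `install.${config.networking.domain}` and `ldap.${config.networking.domain}` now both resolve to `10.33.64.19`, while machines/installer/default.nix in this same commit moves the installer to `10.33.64.21`. If the install role is moving onto the ldap host (the `# TODO: ../installer/netinstall.nix` in machines/ldap/default.nix hints at that), a comment like `# install served from the ldap host for now` on the extraHosts line would make it deliberate; otherwise the line should be `10.33.64.21 install.${config.networking.domain}`. The nfs host's new second address `10.32.44.20` on enp4s0f1 is not in extraHosts, which is fine as long as nothing resolves it by name.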
@@ -12,14 +12,14 @@ let admins = { "fooker" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ"; }; - + hosts = { - "nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMW2Ouwep/O0ULtPC8aHx+s9oB8RDJis02u9wYnJe7My"; - "ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeRJF8IwyYAe4T4x7+n6ufO6lmOTu6PgPdmHiPRfCqI"; + "nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENsd6EdgIn5jhqXUEyPckoViHLLsYM2on/liwf1IO8p"; + "ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhkh5L4jYl/i4E+lBVDppHcoiohR/gDricyV2wY/3Np"; "installer" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrc58WlxYKaPNO1J8j8KQxOLJooc9fIxp6gZZoB4Y7o"; }; - sshToAge = ssh-key: + sshToAge = ssh-key: let key = runCommandNoCCLocal "hostkey-to-age" { } '' ${ssh-to-age}/bin/ssh-to-age < '${writeText "" ssh-key}' > "$out" @@ -39,7 +39,7 @@ let Make sure the SSH host key is added to `sops-config.nix` after initial provisioning. After changing the hosts, make sure to run `sops updatekeys` with all relevant secret files. ''; - getAttr machine hosts; + getAttr machine hosts; in sshToAge ssh-key);