commit 4c07edf6dede6ab739f00468d533eca901305dc3 Author: Dustin Frisch Date: Wed Nov 13 00:47:45 2024 +0100 Init diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f920593 --- /dev/null +++ b/.gitignore @@ -0,0 +1,9 @@ +/result + +/.direnv +/.envrc + +/*-efi-vars.fd + +# nixago: ignore-linked-files +/.sops.yaml diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..4a09330 --- /dev/null +++ b/TODO.md @@ -0,0 +1,12 @@ +# Tasks +- Configure user env on client (using envfs?) +- A fancy background image? +- Make installer work +- Move ldap to subdomain +- Switch to HS nameservers +- Check external SSH access +- Remove x-tools like xterm + +# Issuse +- Cleartext password in sssd/ldap config + diff --git a/client/default.nix b/client/default.nix new file mode 100644 index 0000000..734acdd --- /dev/null +++ b/client/default.nix @@ -0,0 +1,35 @@ +{ lib, ... }: + +with lib; + +{ + imports = [ + ./hardware.nix + ./gpu.nix + ./home.nix + ./users.nix + ./desktop.nix + ./programs.nix + ]; + + deployment = { + targetHost = "10.32.45.150"; + }; + + networking = { + useDHCP = mkForce true; + }; + + services.hardware.bolt.enable = true; + + security.rtkit.enable = true; + + services.avahi = { + enable = true; + nssmdns4 = true; + nssmdns6 = true; + }; + + system.stateVersion = "24.05"; +} + diff --git a/client/desktop.nix b/client/desktop.nix new file mode 100644 index 0000000..424a2d3 --- /dev/null +++ b/client/desktop.nix 
@@ -0,0 +1,37 @@ +{ pkgs, ... }: + +{ + services.xserver = { + enable = true; + displayManager.gdm = { + enable = true; + wayland = true; + }; + desktopManager.gnome.enable = true; + xkb.layout = "de"; + }; + + environment.gnome.excludePackages = with pkgs; [ + epiphany + gnome-online-accounts-gtk + gnome-tour + gnome.geary + gnome.gnome-calendar + gnome.gnome-contacts + ]; + + programs.dconf = { + enable = true; + profiles.user.databases = [ + { + settings = { + # Set the color scheme to dark. + "org/gnome/desktop/interface".color-scheme = "prefer-dark"; + + "org/gnome/desktop/wm/keybindings".close = [ "q" ]; + }; + } + ]; + }; +} + diff --git a/client/gpu.nix b/client/gpu.nix new file mode 100644 index 0000000..a82ccf8 --- /dev/null +++ b/client/gpu.nix @@ -0,0 +1,11 @@ +{ pkgs, ... }: + +{ + hardware.opengl = { + enable = true; + driSupport32Bit = true; + extraPackages = with pkgs; [ + ]; + }; +} + diff --git a/client/hardware.nix b/client/hardware.nix new file mode 100644 index 0000000..f6a6ed4 --- /dev/null +++ b/client/hardware.nix 
@@ -0,0 +1,91 @@ +{ modulesPath, ... }: + +{ + imports = [ + "${modulesPath}/installer/scan/not-detected.nix" + ]; + + nixpkgs.hostPlatform = "x86_64-linux"; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + + consoleLogLevel = 3; + + initrd = { + systemd.enable = true; + verbose = false; + availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ata_piix" + "mptsas" + "usb_storage" + "usbhid" + "sd_mod" + "sr_mod" + ]; + }; + + kernelParams = [ + "quiet" + "udev.log_level=3" + ]; + + plymouth = { + enable = true; + theme = "bgrt"; + }; + }; + + hardware.enableRedistributableFirmware = true; + hardware.cpu.intel.updateMicrocode = true; + + disko.devices = { + disk = { + root = { + type = "disk"; + device = "/dev/sda"; + imageSize = "32G"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; + }; + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + end = "-8G"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + swap = { + size = "100%"; + content = { + type = "swap"; + randomEncryption = true; + resumeDevice = false; + }; + }; + }; + }; + }; + }; + }; +} + diff --git a/client/home.nix b/client/home.nix new file mode 100644 index 0000000..68e2bd3 --- /dev/null +++ b/client/home.nix @@ -0,0 +1,21 @@ +{ config, ...}: + +{ + services.cachefilesd = { + enable = true; + }; + + fileSystems."home" = { + mountPoint = "/home"; + device = "nfs.${config.networking.domain}:/home"; + fsType = "nfs"; + options = [ + "nfsvers=4.2" + "noauto" + "fsc" + "x-systemd.automount" + ]; + }; + +} + diff --git a/client/programs.nix b/client/programs.nix new file mode 100644 index 0000000..9a935ec --- /dev/null +++ b/client/programs.nix 
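Review bot: The NFS `/home` mount in `fileSystems."home"` carries no `sec=` option, so it uses whatever the server negotiates — normally `sec=sys`, where the server trusts the UID/GID the client asserts — and nothing in this repo sets up Kerberos, so anyone with root on a client (or a rogue host on the same segment) can read any home directory by faking the UID. If that is an accepted lab trade-off it should be written down above the mount, e.g. `# NOTE: AUTH_SYS — the NFS server trusts client-asserted UIDs; home dirs are only as private as root on the clients`; otherwise plan for `sec=krb5p` once a KDC exists and make the choice explicit with `"sec=sys"` in `options` meanwhile. The `fsc` option together with `services.cachefilesd` also appears to persist other users' NFS file contents in the local cache on the unencrypted ext4 root defined in `hardware.nix`, which is worth a comment as well.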
@@ -0,0 +1,28 @@ +{ pkgs, ... }: + +{ + programs = { + vim.defaultEditor = true; +# zsh = { +# enable = true; +# autosuggestions.enable = true; +# syntaxHighlighting.enable = true; +# }; + chromium.enable = true; + firefox.enable = true; + fish.enable = true; + git.enable = true; + htop.enable = true; + mtr.enable = true; + }; + + environment.systemPackages = with pkgs; [ + bat + eza + nil + fd + ripgrep + vscode + ]; +} + diff --git a/client/sound.nix b/client/sound.nix new file mode 100644 index 0000000..cb089c0 --- /dev/null +++ b/client/sound.nix @@ -0,0 +1,11 @@ +{ + hardware.pulseaudio.enable = false; + + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + }; +} + diff --git a/client/users.nix b/client/users.nix new file mode 100644 index 0000000..45aeaeb --- /dev/null +++ b/client/users.nix 
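Review bot: The commented-out `zsh` block inside `programs` in `client/programs.nix` is dead configuration and should be deleted rather than carried in the initial commit — `fish.enable = true` already records the shell decision, and git history keeps the old text if it is ever wanted again.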
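Review bot: `client/sound.nix` is added here but `client/default.nix` in the same commit imports only `./hardware.nix`, `./gpu.nix`, `./home.nix`, `./users.nix`, `./desktop.nix` and `./programs.nix`, so this module is never evaluated and `hardware.pulseaudio.enable = false` plus the pipewire block have no effect on the client. Either add `./sound.nix` to that `imports` list or drop the file so the tree does not suggest audio is configured when it is not.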
@@ -0,0 +1,91 @@ +{ pkgs, lib, config, ... }: + +with lib; + +let + baseDN = concatMapStringsSep "," + (part: "dc=${part}") + (splitString "." "informatik.hs-fulda.de"); + +in +{ + security.pam.services = { + sshd = { + makeHomeDir = true; + sssdStrictAccess = true; + unixAuth = lib.mkForce true; + }; + login = { + makeHomeDir = true; + sssdStrictAccess = true; + unixAuth = lib.mkForce true; + }; + systemd-user = { + makeHomeDir = true; + sssdStrictAccess = true; + unixAuth = lib.mkForce true; + }; + }; + + services.sssd = { + enable = true; + config = '' + [sssd] + config_file_version = 2 + services = nss, pam, ssh, ifp + domains = hsfd + + debug_level = 8 + + [nss] + override_homedir = /home/%u + override_shell = /run/current-system/sw/bin/bash + + filter_users = root + filter_groups = root + + reconnection_retries = 3 + + [pam] + + [domain/hsfd] + id_provider = ldap + access_provider = ldap + auth_provider = ldap + + # TODO: ldap_uri = ldaps://ldap${config.networking.domain}/ + ldap_uri = ldaps://ldap-linuxlab.informatik.hs-fulda.de/ + ldap_search_base = ou=users,${baseDN} + + ldap_tls_reqcert = demand + ldap_id_use_start_tls = true + + ldap_default_bind_dn = cn=login,dc=informatik,dc=hs-fulda,dc=de + ldap_default_authtok_type = password + ldap_default_authtok = TXyk&6G?Ta/B[DZ2^g'KmpUw + + ldap_access_order = filter + ldap_access_filter = (objectClass=*) + + ldap_user_object_class = posixAccount + ldap_user_name = cn + + override_gid = ${toString config.users.groups."users".gid} + + cache_credentials = true + + min_id = 1000 + enumerate = false + ''; + }; + + users.users."root".packages = with pkgs; [ + sss-cli + ]; + + #sops.secrets."ldap/login/password" = { + # owner = "nslcd"; + # sopsFile = ./secrets.yaml; + #}; +} + diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..3df5e3a --- /dev/null +++ b/flake.lock 
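Review bot: The `cn=login` bind password is committed in cleartext as `ldap_default_authtok = …` inside `services.sssd.config`, and since the NixOS sssd module appears to materialise that option as a world-readable Nix store file before environment substitution, every local user on the client can read it too; TODO.md already lists this, but the value is now in git history and must be rotated whatever the fix looks like. The module's `environmentFile` option is the intended replacement: keep a sops secret in `KEY=value` form, set `services.sssd.environmentFile = config.sops.secrets."ldap/login/env".path;` and write `ldap_default_authtok = $LDAP_LOGIN_PASSWORD` in the config (the commented-out sops stanza at the bottom uses `owner = "nslcd"`, an nss-pam-ldapd user name that does not apply to sssd). Separately, `access_provider = ldap` with `ldap_access_filter = (objectClass=*)` admits every entry under the search base, so `sssdStrictAccess = true` in the three PAM stanzas currently restricts nothing — tighten the filter (a group membership, for instance) or drop the strict flag. `debug_level = 8` is also far too verbose for deployed clients; sssd at that level writes request details into the journal.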
@@ -0,0 +1,494 @@ +{ + "nodes": { + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "flake-utils" + ], + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "nixpkgs" + ], + "stable": "stable" + }, + "locked": { + "lastModified": 1731249827, + "narHash": "sha256-04iOZoJ0D+y3xhZtaCgSBOz8T4hED7oMVkuAOzXT8vU=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "a2193487bcf70bbb998ad1a25a4ff02b8d55db7a", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "colmena", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731274291, + "narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=", + "owner": "nix-community", + "repo": "disko", + "rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "type": "github" + }, + 
"original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "git-hooks": { + "inputs": { + "flake-compat": "flake-compat_2", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1730814269, + "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "d70155fdc00df4628446352fc58adc640cd705c2", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + 
"inputs": { + "nixpkgs": [ + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "ldap-sync": { + "flake": false, + "locked": { + "lastModified": 1705328305, + "narHash": "sha256-PPc16Obzg53YVLSMP2pCOXBF6+q7/BIG6FF7EiI0st8=", + "ref": "refs/heads/main", + "rev": "49edeafeaf7fbadbfe59e4763223593cab989317", + "revCount": 14, + "type": "git", + "url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git" + }, + "original": { + "type": "git", + "url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "colmena", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nixago": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nixago-exts": "nixago-exts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1714086354, + "narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=", + "owner": "jmgilman", + "repo": "nixago", + "rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d", + "type": "github" + }, + "original": { + "owner": "jmgilman", + "repo": "nixago", + "type": "github" + } + }, + "nixago-exts": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixago": "nixago_2", + "nixpkgs": [ + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070308, + "narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", + 
"owner": "nix-community", + "repo": "nixago-extensions", + "rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago-exts_2": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixago": "nixago_3", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655508669, + "narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "3022a932ce109258482ecc6568c163e8d0b426aa", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago_2": { + "inputs": { + "flake-utils": "flake-utils_3", + "nixago-exts": "nixago-exts_2", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070010, + "narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", + "owner": "nix-community", + "repo": "nixago", + "rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "rename-config-data", + "repo": "nixago", + "type": "github" + } + }, + "nixago_3": { + "inputs": { + "flake-utils": "flake-utils_5", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655405483, + "narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", + "owner": "nix-community", + "repo": "nixago", + "rev": "e6a9566c18063db5b120e69e048d3627414e327d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1730963269, + "narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc", + "type": 
"github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1730602179, + "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1731139594, + "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "colmena": "colmena", + "disko": "disko", + "flake-utils": "flake-utils", + "git-hooks": "git-hooks", + "ldap-sync": "ldap-sync", + "nixago": "nixago", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "sops": "sops" + } + }, + "sops": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1731213149, + "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "stable": { + "locked": { + "lastModified": 1730883749, + "narHash": 
"sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..57ffeae --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,153 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; + nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; + + flake-utils.url = "github:numtide/flake-utils"; + + git-hooks = { + url = "github:cachix/git-hooks.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + colmena = { + url = "github:zhaofengli/colmena"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; + }; + + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixago = { + url = "github:jmgilman/nixago"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; + }; + + sops = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + ldap-sync = { + type = "git"; + url = "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git"; + flake = false; + }; + }; + + outputs = + { self + , nixpkgs + , flake-utils + , colmena + , git-hooks + , nixago + , ... + }@inputs: + let + + # List of all machine names as defined in the machines directory + machines = builtins.attrNames (builtins.readDir ./machines); + + in + { + colmena = { + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + }; + + specialArgs = { + inherit inputs; + }; + }; + + defaults = { + imports = [ + inputs.disko.nixosModules.disko + inputs.sops.nixosModules.sops + + ./shared + ]; + + deployment.replaceUnknownProfiles = false; + }; + + "client" = ./client; + + } // (builtins.listToAttrs (builtins.map + (name: { + inherit name; + value = ./machines/${name}; + }) + machines)); + + } // flake-utils.lib.eachDefaultSystem (system: { + checks = { + pre-commit = git-hooks.lib.${system}.run { + src = ./.; + hooks = { + nixpkgs-fmt.enable = true; + statix.enable = true; + shellcheck.enable = true; + }; + }; + }; + + devShells.default = + let + pkgs = nixpkgs.legacyPackages.${system}; + + sops-config = nixago.lib.${system}.make { + data = (pkgs.callPackage ./sops-config.nix { + 
inherit machines; + }).config; + output = ".sops.yaml"; + format = "yaml"; + }; + + in + pkgs.mkShell { + buildInputs = + self.checks.${system}.pre-commit.enabledPackages ++ + [ colmena.packages.${system}.colmena ] ++ + (with pkgs; [ + bash + gitAndTools.git + sops + age + openssh + ssh-to-age + ]); + + shellHook = '' + ${self.checks.${system}.pre-commit.shellHook} + ${sops-config.shellHook} + ''; + }; + + packages.disks = + let + pkgs = nixpkgs.legacyPackages.${system}; + hive = colmena.lib.makeHive self.outputs.colmena; + + in pkgs.linkFarm "linuxlab-testing" (builtins.mapAttrs + (_: node: node.config.system.build.diskoImages) + hive.nodes); + }); + + nixConfig = { + extra-substituters = [ + "https://colmena.cachix.org" + ]; + + extra-trusted-public-keys = [ + "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg=" + ]; + }; +} + diff --git a/machines/installer/default.nix b/machines/installer/default.nix new file mode 100644 index 0000000..1e1e17e --- /dev/null +++ b/machines/installer/default.nix @@ -0,0 +1,28 @@ +{ + imports = [ + ./hardware.nix +# TODO: ./cache.nix + ./netinstall.nix + ]; + + deployment = { + targetHost = "10.32.45.12"; + }; + + networking = { + interfaces."eth0" = { + ipv4.addresses = [{ + address = "10.32.45.12"; + prefixLength = 24; + }]; + }; + + defaultGateway = { + interface = "eth0"; + address = "10.32.45.1"; + }; + }; + + system.stateVersion = "24.05"; +} + diff --git a/machines/installer/hardware.nix b/machines/installer/hardware.nix new file mode 100644 index 0000000..b35c6e1 --- /dev/null +++ b/machines/installer/hardware.nix 
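Review bot: The pre-commit `hooks` set enables only formatting and lint hooks (`nixpkgs-fmt`, `statix`, `shellcheck`) while this very commit checks in a cleartext LDAP bind password in `client/users.nix`; git-hooks.nix ships secret-detection hooks (for example `detect-private-keys` and `ripsecrets`, if the pinned revision provides them), and turning one on here would have caught that: `detect-private-keys.enable = true; ripsecrets.enable = true;`. Note also that `machines = builtins.attrNames (builtins.readDir ./machines)` returns every directory entry including plain files, so a stray file under `machines/` becomes a colmena node path that fails to import — filtering the `readDir` result on `type == "directory"` would make the intent explicit.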
@@ -0,0 +1,65 @@ +{ modulesPath, ... }: + +{ + imports = [ + "${modulesPath}/installer/scan/not-detected.nix" + ]; + + nixpkgs.hostPlatform = "x86_64-linux"; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ata_piix" + "mptsas" + "usb_storage" + "usbhid" + "sd_mod" + "sr_mod" + ]; + + boot.loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + + hardware.enableRedistributableFirmware = true; + hardware.cpu.intel.updateMicrocode = true; + + disko.devices = { + disk = { + root = { + type = "disk"; + device = "/dev/sda"; + imageSize = "64G"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; + }; + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} + diff --git a/machines/installer/installer/default.nix b/machines/installer/installer/default.nix new file mode 100644 index 0000000..fc0c1f6 --- /dev/null +++ b/machines/installer/installer/default.nix 
@@ -0,0 +1,59 @@ +{ pkgs, lib, modulesPath, config, target, ... }: + +with lib; + +let + installer = pkgs.writers.writeBash "installer" '' + set -euo pipefail + + "${target.config.system.build.diskoScript}" + + "${target.config.system.build.nixos-install}" \ + --root /mnt \ + --system "${target.config.system.build.toplevel}" \ + --no-channel-copy \ + --no-root-password \ + --verbose + + reboot + ''; + +in { + imports = [ + "${modulesPath}/installer/netboot/netboot-minimal.nix" + ]; + + networking.hostName = "installer"; + + services.getty.autologinUser = lib.mkForce "root"; + + systemd.services."auto-install" = { + description = "Automated NixOS installer"; + + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + conflicts = [ "getty@tty1.service" ]; + + wantedBy = [ "multi-user.target" ]; + + path = with pkgs; [ bash nix ]; + + unitConfig = { + FailureAction = "force-reboot"; + }; + + serviceConfig = { + Type = "oneshot"; + + ExecStart = installer; + + StandardInput = "none"; + StandardOutput = "journal+console"; + StandardError = "journal+console"; + }; + }; + + system.stateVersion = config.system.nixos.release; +} + diff --git a/machines/installer/netinstall.nix b/machines/installer/netinstall.nix new file mode 100644 index 0000000..bc3e890 --- /dev/null +++ b/machines/installer/netinstall.nix @@ -0,0 +1,38 @@ +{ pkgs, lib, nodes, ... }: + +with lib; + +let + installer = pkgs.nixos [ + ./installer + + { + _module.args = { + target = nodes."client"; + }; + } + ]; + +in +{ + services.pixiecore = { + enable = true; + + dhcpNoBind = true; + + port = 5080; + + mode = "boot"; + kernel = "file://${installer.config.system.build.kernel}/bzImage"; + initrd = "file://${installer.config.system.build.netbootRamdisk}/initrd"; + cmdLine = concatStringsSep " " [ + "init=${installer.config.system.build.toplevel}/init" + "loglevel=4" + "console=tty0" + "console=ttyS1,57600n8" + ]; + + openFirewall = true; + }; +} + 
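Review bot: The `installer` script runs `target.config.system.build.diskoScript` — which repartitions `/dev/sda` according to the `client` node definition — on whatever machine boots this image, with no check that the host is actually the intended client; `auto-install` is `wantedBy = [ "multi-user.target" ]`, so it fires on every boot, and `FailureAction = "force-reboot"` turns a failed install into a loop that wipes the disk again on the next PXE boot. Before the disko call, gate on the machine's identity — e.g. read the primary MAC from `/sys/class/net/*/address` (or the DMI serial) and compare it with an allow-list passed into this module next to `target` — and on mismatch exit successfully or power off rather than `exit 1`, so `FailureAction` does not reboot-loop an innocent host. A comment on `installer` stating that it is destructive and unattended, and that `--no-root-password` leaves the installed root account locked unless the target sets a password, would also help the next reader.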
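Review bot: `services.pixiecore` here runs in `mode = "boot"` with `dhcpNoBind = true` (proxy-DHCP) and `openFirewall = true`, so it answers every PXE request on the 10.32.45.0/24 segment with the unattended installer and hands out kernel, initrd and `cmdLine` over plain HTTP on port 5080 with no authentication; together with the installer's unconditional disko run, any host on that VLAN that PXE-boots — by accident or because someone deliberately points a machine at it — gets its `/dev/sda` reformatted. Keep the service stopped outside planned installs (e.g. `systemd.services.pixiecore.wantedBy = lib.mkForce [ ];` and start it by hand), or use pixiecore's API mode (`mode = "api"` with `apiServer`) so a small backend decides per MAC which clients may boot. A comment above `services.pixiecore` recording this blast radius is warranted either way.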
diff --git a/machines/installer/secrets/cache.crt b/machines/installer/secrets/cache.crt new file mode 100644 index 0000000..ef137af --- /dev/null +++ b/machines/installer/secrets/cache.crt @@ -0,0 +1 @@ +cache.linuxlab.informatik.hs-fulda.de:jrTFzlS3uRzOOteHmynLmSIvFMWgb4+YH+ShcrczdEY= \ No newline at end of file diff --git a/machines/installer/secrets/cache.key b/machines/installer/secrets/cache.key new file mode 100644 index 0000000..e4a0235 --- /dev/null +++ b/machines/installer/secrets/cache.key 
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:u2f84L2XIPqNBPKtkAU7LAwUj0wwxemsOuUB/qk/SSjutA8RLi5TmBQHnnBY/5l3u154JN9RzHsHQyMp7NHiT1gsmvrmNhdWRzLTxG7MfIJW0SVpjD7X6GLmH5vnVSLJZScRfHgdRcYl9sFO7HlT/vRAtb57ZYM+QZS5b1ZB,iv:yzwOKZA5iwrn/CkhtwF7tUytsy0lseJcBqm4UqVAsqA=,tag:WhxIH/K314fvOm81lfK6EQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLVDhNSjF0amNnSWJ2ZEhq\ndnRoOXZpYk5oN09abFozK1Y0WVhDSVJ2U0RzCkw0OXhScjQwRGlDcDdnUHh2cDd3\nclBDd2RwQzRIMy9CVjZXbGFNSUdjU2cKLS0tIHBzSXdCMElkclJMU2I0WWtHbTJP\nWW5TQ2syRk9Obm5qYUtZVGZYbmtzTkEKkMiRInW2OuY6FhXTfueqokehWNxwO905\ntk5jVzyS0kVDt2Mi29Ny+HUhTpLWn2mJii8HMz698ElAxvXrHBZurQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age14lgxmyw860py9yyjz3cxkr6u0x30qra2e27c9my0sycqyfankf2sjrsse6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSHBOUUhqcHlPeTNXOE8z\nWDlNZkhSbnY5SEV5MFplWmhNVXpTaXlycHd3Ck9hY1F6LzNpWjhFdWN0SnpaT0M0\nR2R5TmRNek0wYTJUREp4YklTaVJzdXMKLS0tIDdOTWN6b2kwR1R3bzNTT2s1UFMr\nUm0yWHNkSXg5ZFR1dWhUdHRmSm13eG8Kcprh4nvmUDgI6/nntD+FTY4SsqpEAs3U\n44tvzXSNjEMp9dHIkVu45+NyKOGjZoNUAA7dEvFYAAgZqHPbLMJ0aw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-11-11T21:50:59Z", + "mac": "ENC[AES256_GCM,data:n6TfbZmYcV2ER7n4fXanVJ9ekbytU07NdHVDO/VoTkERvstb1NuTeo7LjA+KVVKxM3ZUvAtMfjpAXvgP1exL4WkOzQHk5RV3odfZhGsvMOUaHp7cfww6/JrO8I+EzJWhDh2tO+xFpuD2sprvNiWT60PFG6kDQKn7XYy63+ECCyo=,iv:7ytrvXtk3Mz3ioeuv0hc80y2FLSyUWdtFyVEhidUeAI=,tag:BS8am9kxloRP+AbavEmfPA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/machines/ldap/default.nix b/machines/ldap/default.nix new file mode 100644 index 0000000..1e5c955 --- /dev/null +++ b/machines/ldap/default.nix 
@@ -0,0 +1,27 @@ +{ + imports = [ + ./hardware.nix + ./ldap.nix + ]; + + deployment = { + targetHost = "10.32.45.11"; + }; + + networking = { + interfaces."eth0" = { + ipv4.addresses = [{ + address = "10.32.45.11"; + prefixLength = 24; + }]; + }; + + defaultGateway = { + interface = "eth0"; + address = "10.32.45.1"; + }; + }; + + system.stateVersion = "24.05"; +} + diff --git a/machines/ldap/hardware.nix b/machines/ldap/hardware.nix new file mode 100644 index 0000000..cb0a876 --- /dev/null +++ b/machines/ldap/hardware.nix @@ -0,0 +1,65 @@ +{ modulesPath, ... }: + +{ + imports = [ + "${modulesPath}/installer/scan/not-detected.nix" + ]; + + nixpkgs.hostPlatform = "x86_64-linux"; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ata_piix" + "mptsas" + "usb_storage" + "usbhid" + "sd_mod" + "sr_mod" + ]; + + boot.loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + + hardware.enableRedistributableFirmware = true; + hardware.cpu.intel.updateMicrocode = true; + + disko.devices = { + disk = { + root = { + type = "disk"; + device = "/dev/sda"; + imageSize = "32G"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; + }; + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} + diff --git a/machines/ldap/ldap.nix b/machines/ldap/ldap.nix new file mode 100644 index 0000000..75d25e8 --- /dev/null +++ b/machines/ldap/ldap.nix 
@@ -0,0 +1,226 @@ +{ pkgs, lib, config, inputs, ... }: + +with lib; + +let + baseDN = concatMapStringsSep "," + (part: "dc=${part}") + (splitString "." "informatik.hs-fulda.de"); + + ldap-sync = + let + wrapped = pkgs.callPackage inputs.ldap-sync { }; + env = pkgs.runCommand "ldap-sync-env" { } '' + mkdir -p $out + ln -s ${config.sops.secrets."ldap/sync/config".path} $out/ldap-sync.properties + ''; + in + pkgs.runCommand "ldap-sync-wrapper" + { + nativeBuildInputs = [ pkgs.makeWrapper ]; + } '' + mkdir -p $out/bin + makeWrapper "${wrapped}/bin/ldap-sync" $out/bin/ldap-sync \ + --chdir "${env}" + ''; + +in +{ + services.openldap = { + enable = true; + + package = (pkgs.openldap.overrideAttrs (final: prev: { + configureFlags = prev.configureFlags ++ [ + "--enable-overlays" + "--enable-remoteauth" + "--enable-spasswd" + "--with-cyrus-sasl" + ]; + + doCheck = false; + + })).override { + cyrus_sasl = pkgs.cyrus_sasl.override { + enableLdap = true; + }; + }; + + urlList = [ "ldap:///" "ldaps:///" ]; + + settings = { + attrs = { + olcLogLevel = "config ACL stats stats2 trace"; + + olcTLSCertificateFile = config.sops.secrets."ldap/tls/crt".path; + olcTLSCertificateKeyFile = config.sops.secrets."ldap/tls/key".path; + olcTLSCRLCheck = "none"; + olcTLSVerifyClient = "never"; + olcTLSProtocolMin = "3.1"; + + olcSaslHost = "localhost"; + olcSaslSecProps = "none"; + + olcSizeLimit = "unlimited"; + }; + + children = { + "cn=schema".includes = [ + "${config.services.openldap.package}/etc/schema/core.ldif" + "${config.services.openldap.package}/etc/schema/cosine.ldif" + "${config.services.openldap.package}/etc/schema/inetorgperson.ldif" + "${config.services.openldap.package}/etc/schema/nis.ldif" + ]; + "olcDatabase={1}mdb" = { + attrs = { + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + + olcDatabase = "{1}mdb"; + olcDbDirectory = "/var/lib/openldap/db"; + + olcSuffix = baseDN; + + olcRootDN = "cn=root,${baseDN}"; + olcRootPW.path = 
config.sops.secrets."ldap/root/password".path; + + olcAccess = [ + # Custom access rules for userPassword attributes + ''{0}to attrs=userPassword + by self read + by anonymous auth + by * none + '' + + # Synced is managed by sync + ''{1}to dn.subtree="ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de" + by dn.base="cn=sync,dc=informatik,dc=hs-fulda,dc=de" manage + by * break + '' + + # Allow login to read users + ''{2}to dn.subtree="ou=users,dc=informatik,dc=hs-fulda,dc=de" + by dn.base="cn=login,dc=informatik,dc=hs-fulda,dc=de" read + by self read + by * break + '' + + # Prevent access + ''{3}to * + by * none + '' + ]; + }; + + children = { + "olcOverlay={0}remoteauth" = { + attrs = { + objectClass = [ "olcOverlayConfig" "olcRemoteAuthCfg" ]; + + olcOverlay = "{0}remoteauth"; + + olcRemoteAuthTLS = "starttls=yes tls_cacert=\"/etc/ssl/certs/ca-certificates.crt\""; + olcRemoteAuthDNAttribute = "seeAlso"; + olcRemoteAuthDomainAttribute = "associatedDomain"; + olcRemoteAuthDefaultDomain = "upstream"; + olcRemoteAuthDefaultRealm = "file://${config.sops.secrets."ldap/upstream".path}"; + olcRemoteAuthRetryCount = "3"; + olcRemoteAuthStore = "false"; + }; + }; + }; + }; + }; + }; + + declarativeContents = { + "dc=informatik,dc=hs-fulda,dc=de" = '' + dn: dc=informatik,dc=hs-fulda,dc=de + objectClass: domain + dc: informatik + + dn: ou=users,dc=informatik,dc=hs-fulda,dc=de + objectClass: organizationalUnit + ou: users + + dn: ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de + objectClass: organizationalUnit + ou: users + + dn: cn=sync,dc=informatik,dc=hs-fulda,dc=de + objectClass: applicationProcess + objectClass: simpleSecurityObject + objectClass: top + cn: sync + userPassword: {SSHA}Kf5ViggnBdUAPJ3/X5F80Qf/tXOzGI9G + + dn: cn=login,dc=informatik,dc=hs-fulda,dc=de + objectClass: applicationProcess + objectClass: simpleSecurityObject + objectClass: top + cn: login + userPassword: {SSHA}esWkdMFThbFD0gSE5tC+jJ1rjwfUuI0p + ''; + }; + }; + + systemd.services."openldap" = { 
+ environment = { + SASL_PATH = pkgs.writeTextFile { + name = "openldap-sasl-path"; + destination = "/slapd.conf"; + text = '' + pwcheck_method: saslauthd + saslauthd_path: /var/run/saslauthd/mux + mech_list: GSSAPI EXTERNAL PLAIN NTLM + ''; + }; + }; + + onSuccess = [ "ldap-sync.service" ]; + }; + + systemd.services."ldap-sync" = { + script = "${ldap-sync}/bin/ldap-sync"; + startAt = "hourly"; + + requisite = [ "openldap.service" ]; + + # Flush caches + postStop = '' + ${config.services.nscd.package}/bin/nscd --invalidate=group + ${config.services.nscd.package}/bin/nscd --invalidate=passwd + ''; + }; + + sops.secrets."ldap/root/password" = { + sopsFile = ./secrets/ldap.yaml; + owner = "openldap"; + }; + + sops.secrets."ldap/upstream" = { + sopsFile = ./secrets/ldap.yaml; + owner = "openldap"; + }; + + sops.secrets."ldap/tls/key" = { + sopsFile = ./secrets/ldap.tls.key; + format = "binary"; + owner = "openldap"; + }; + + sops.secrets."ldap/tls/crt" = { + sopsFile = ./secrets/ldap.tls.crt; + format = "binary"; + owner = "openldap"; + }; + + sops.secrets."ldap/sync/config" = { + sopsFile = ./secrets/ldap.yaml; + }; + + networking.firewall.allowedTCPPorts = [ + 22 + 389 + 636 + ]; +} + diff --git a/machines/ldap/secrets/ldap.tls.crt b/machines/ldap/secrets/ldap.tls.crt new file mode 100644 index 0000000..1f01098 --- /dev/null +++ b/machines/ldap/secrets/ldap.tls.crt 
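Review bot: `olcTLSProtocolMin = "3.1"` in `services.openldap.settings.attrs` is OpenLDAP's notation for TLS 1.0, so the `ldaps:///` listener still accepts TLS 1.0/1.1 handshakes; the clients in this commit set `ldap_tls_reqcert = demand` but no minimum version, so raise it to `olcTLSProtocolMin = "3.3";` (TLS 1.2). The plain `ldap:///` listener is also kept in `urlList` and 389 is opened in `networking.firewall.allowedTCPPorts`, while `olcSaslSecProps = "none"` drops the default SASL restrictions and the `SASL_PATH` config lists `PLAIN`, so simple and SASL PLAIN binds — including the `cn=login` and `cn=sync` service passwords — can cross the lab network unencrypted. Unless `ldap-sync` genuinely needs a cleartext local connection, require TLS for binds with `olcSecurity = "simple_bind=128";` (or drop `ldap:///` and port 389 altogether) and leave `olcSaslSecProps` unset. The `{SSHA}` hash for `cn=login` in `declarativeContents` corresponds to the password committed in cleartext in `client/users.nix`, so it has to be regenerated when that password is rotated. `olcLogLevel` including `trace` is also far too noisy for a production directory and should go before deployment.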
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:k7tjyQc7k+pkK/xzN0+xhN7OMxbD499+iFq5cOO1P/s=,tag:8FIHjVq1jKYjRa+QUQvoag==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoTkxXVEZMMm04bFVVbTNV\ndTluWmdNdU1sMVZqNHVUckZ0Rzh5WUM1cGxvCmIxb2Rld0NWek9xQVh5dlo0VGZL\ncXpYeXdUK1dVNVc3SitSeUpnVjVqMlEKLS0tIDd0Si8rbFd6YkFsMWZEMFdIQmd4\nVGNzR3BiaVdaODRtRmI1UW5kbm5sQWsKOYN2GuBROfSVmbPK3gvJhqLfXEgbh/NF\nOYNbi+i0cL41gAQjgqVcAJmzJSyp/wecfge2J8EQnbegFeUGfmrljw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QUZtMHpScDFxbXp2cnpW\nSE00Q2JDV2Z0RUtBdGJidlVYSjFkV0RicVNFCi9ZUW12T1ZJUGdWWlJONkNCZFJR\nMEt5dGVvVDlCQWttczNCMGJkSEZ0OEUKLS0tIG9qWVA3dG5KNUY5R1BZRkZBRDNU\nejZLbUpXUXNZL0JYdk4xbXhUZlZHczAKcduhbeOO9wEZo5FOzOae4tl1OMddBgAw\n1JjHE8JzY3yud6C6UNoghwhAG+B1kTa1KlcsUezVxT55rTGQk+Ghog==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-10-23T13:43:39Z", + "mac": "ENC[AES256_GCM,data:+EuHBBTU4BQSskZahMNKWly/OOYdNpyMi3FsYoP4aty1MdFtcnoNeC3VtZPQrouxA3Ljeml83i6OEPI/J9S9BlQH7fKK5ihWtcYlsX0q9jMNs+aYaWAu143GUkdSIhTmxceT4tYaQucdvsnOyopW+px8JJ7TOfoajGbmbOpxFsI=,iv:xav2lFC9MIuh3Px7BzZUAd0Gcc16rqD+tXIDfFAUj6w=,tag:UtCNgGIcGI3zcIXfTtdk5Q==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +} \ No newline at end of file diff --git a/machines/ldap/secrets/ldap.tls.key b/machines/ldap/secrets/ldap.tls.key new file mode 100644 index 0000000..591c06a --- /dev/null +++ b/machines/ldap/secrets/ldap.tls.key 
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:dQC+JMRPyNFqbIYRSDMBXEmTVK5QmRbBpEYXG+06l+M=,tag:brQ2Fl9jtvmlT5N/gaN4jA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeEpiRjhYU3ErSW56a3Z5\nbUN2TUxaSTlIT3dFK0p1dlV6WTd2bzJLbW4wCkJLd0hSZmRGUHg4Z2NpQ2VFa25T\na0dhUlpLSk1GSEl6eGY0NllMclY2bDgKLS0tIENGanhCK2dLcmFxclNDWUtuS0Vt\nejZncjdVUll1OG1aM1BFK0EwckNodGcKMBn25B8U9pR+NDm4xTK43DSPxSLmcDgz\ntm6EZy6ENOJYsFf1UCILrd9pkX5Vt/h3RE5U/IJEpIiYsaYSTRjG6w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMHZqcEs3SjBHaDB3YUR6\nbldiNVVTcjd0dkU3aWVZUnNzSG1FakRLR21nCkthT25oMnlLaVloTE5ZdnA3SXAx\nYXZveWJRSWowcTZ6Y3QyaDVvaU4vZk0KLS0tIHZ0ZndoV2RINEVkTXpkT0gwV295\nZy9jMVVNaVF0MENhZ2FNZlhjVWhtYWMKDjw+F73tFDuXBODKE1ntB4XjKnualbRX\nHoK5ZWz2kQiD5j9Z3eiA3K4UkQs8+XLBzFHKWsUJm+DXFj6pRex2iw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-10-23T13:42:58Z", + "mac": "ENC[AES256_GCM,data:BUQmiBa481d2vggylNYkIKBuOg579REAnxMxX/je+IOvGwx/ODC7W0Zm+bzUYtNa/hmvW4fxwmA8VBHNUPgHrmI7zbNQlXdegg3QcXabr0jr3tqcFkLU7LeOt72tCRSGiZSZ3Pz0GXLzhZo9u+t1d/NVVO3p6ZFp/8Ta5fxq0ns=,iv:8PZROLEwl9wdVXsEMMBNKkbnlboeZQiVKDvjiyGJW38=,tag:d+y/GgHHgcSS8SGqIiPs8g==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +} \ No newline at end of file diff --git a/machines/ldap/secrets/ldap.yaml b/machines/ldap/secrets/ldap.yaml new file mode 100644 index 0000000..29aa573 --- /dev/null +++ b/machines/ldap/secrets/ldap.yaml 
@@ -0,0 +1,36 @@ +ldap: + root: + username: ENC[AES256_GCM,data:h6YGYg==,iv:QaCy9dRJNnI4UiQwgeboAxl8XZ+xGyYK8mLyybLNyF4=,tag:PQpKFwltnyRvmYJbPoGxvQ==,type:str] + password: ENC[AES256_GCM,data:3np5tR14nxbZe0hlX0Wd4/kDNRb3z3y3z13SyqTY3wE=,iv:yXz45Tsfof0U2JljSRxuUICRjNZ1U3YD4IlXsU4E0/o=,tag:XABl21e6uaj96ApLcRMSpA==,type:str] + upstream: ENC[AES256_GCM,data:KT6x/jm+p9+3e69yWE/hUMWlNrVuecUK3TcnRdqOJWA=,iv:n5P8NE7xUkOz68g/OcemnpZdEjT8aSEgzC4AS0kyStc=,tag:r+gEb4DIzdyBAsavBucvFQ==,type:str] + sync: + config: ENC[AES256_GCM,data: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,iv:uX/5gv+bQEKXZPVJDXiBajaWasxmh/mZZq66UNaKe3Q=,tag:kvAZYD+kqcWtc/Oo+ym20g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3b2JsOXdFTndnclZCRm80 + REZpZFBuMlFvVWhMcDRBNDJlV3d0MEFIUno0CncrejdPeTN1Z2t2SnRzNjBSTXc4 + dWRWTE1XTy9LcHZYSWRabDZSemQrS2sKLS0tIHkwbFpuenpwOCtoVFg4ZHBDc3k3 + bnJ3YzRHcDBPcGR0NzlKUzF6bHcyajQK214Dek7XUkmIelWsmVxk5eZmPsfbllP0 + 1kqP5vImXTMVmcvGR0XTnYxkNt5LVke8DWnsfEEMZniJxbm61N7+UQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcFh2R3lDdGc1cVBrWWhz + VTN6S2hyM20vSlhIRTUvbld3dE0wOGdUZHpzCjJvMFkrdndVUHlIaFZKSW04amlS + enlBNmJGc0pjbEkvNTNucTExNE9PSXMKLS0tIDlHSEQ4VVBFci9aWEpmRTNVY0hL + SDdOQkVUZVFKZUhIcytGVHNWRU9yWnMKgrnTLzfvi9RRL59+iOnvXVew3GUQtXvV + lBZ7Jam2G3AKFsdY/Z4QMAH9cqaLypPQRt5uJ+2Agl2dbGKqTqUFrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-23T15:39:50Z" + mac: 
ENC[AES256_GCM,data:x2XnbLAAWuCudb9C71I11Hmigh8sQE6lsy4YM5qg2IYRBrOnh+90MblMNAqlj5PX5/c2qg9wlRRpkCTtjcSDtur8j0dnbwQ1gg1AcwB0SWoG0QI1ynFZOJ/aCDeqcRK52AdSkrgz/wRSN2WpPX4O+hNvDRVASIyhumZQb6rrHRU=,iv:uBGxIZdwyGebtNCkpvLlVG1Wg1DdL00rJFxZjbbCV50=,tag:pg41so3tG+no/JaDA/SJMg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/machines/nfs/default.nix b/machines/nfs/default.nix new file mode 100644 index 0000000..b3f3a15 --- /dev/null +++ b/machines/nfs/default.nix @@ -0,0 +1,27 @@ +{ + imports = [ + ./hardware.nix + ./nfs.nix + ]; + + deployment = { + targetHost = "10.32.45.10"; + }; + + networking = { + interfaces."eth0" = { + ipv4.addresses = [{ + address = "10.32.45.10"; + prefixLength = 24; + }]; + }; + + defaultGateway = { + interface = "eth0"; + address = "10.32.45.1"; + }; + }; + + system.stateVersion = "24.05"; +} + diff --git a/machines/nfs/hardware.nix b/machines/nfs/hardware.nix new file mode 100644 index 0000000..cb0a876 --- /dev/null +++ b/machines/nfs/hardware.nix @@ -0,0 +1,65 @@ +{ modulesPath, ... }: + +{ + imports = [ + "${modulesPath}/installer/scan/not-detected.nix" + ]; + + nixpkgs.hostPlatform = "x86_64-linux"; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ata_piix" + "mptsas" + "usb_storage" + "usbhid" + "sd_mod" + "sr_mod" + ]; + + boot.loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + + hardware.enableRedistributableFirmware = true; + hardware.cpu.intel.updateMicrocode = true; + + disko.devices = { + disk = { + root = { + type = "disk"; + device = "/dev/sda"; + imageSize = "32G"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; + }; + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} + 
diff --git a/machines/nfs/nfs.nix b/machines/nfs/nfs.nix
new file mode 100644
index 0000000..ae7adb7
--- /dev/null
+++ b/machines/nfs/nfs.nix
@@ -0,0 +1,13 @@
+{
+ services.nfs.server = {
+ enable = true;
+ exports = ''
+ /home 10.32.45.0/24(rw,async,no_root_squash)
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 2049 # NFSv4
+ ];
+}
+
diff --git a/shared/default.nix b/shared/default.nix
new file mode 100644
index 0000000..72b16d6
--- /dev/null
+++ b/shared/default.nix
@@ -0,0 +1,21 @@
+{ name, ...}:
+
+{
+ imports = [
+ ./nix.nix
+ ./network.nix
+ ./users.nix
+ ./system.nix
+ ];
+
+ time.timeZone = "Europe/Berlin";
+ i18n.defaultLocale = "en_US.UTF-8";
+ console.keyMap = "de";
+
+ _module.args = {
+ machinePath = ../machines/${name};
+ };
+
+ disko.imageBuilder.imageFormat = "qcow2";
+}
+
diff --git a/shared/network.nix b/shared/network.nix
new file mode 100644
index 0000000..c529bb7
--- /dev/null
+++ b/shared/network.nix
@@ -0,0 +1,28 @@
+{ config, name, ...}:
+
+{
+ networking = {
+ nftables.enable = true;
+
+ hostName = name;
+ domain = "linuxlab.informatik.hs-fulda.de";
+
+ search = [
+ "linuxlab.informatik.hs-fulda.de"
+ ];
+
+ # TODO: nameservers = [ "10.0.0.53" ];
+ nameservers = [ "1.0.0.1" "1.1.1.1" ];
+
+ useDHCP = false;
+
+ extraHosts = ''
+ 10.32.45.10 nfs.${config.networking.domain}
+ 10.32.45.11 ldap.${config.networking.domain}
+ 10.32.45.12 install.${config.networking.domain}
+
+ 10.32.45.11 ldap-linuxlab.informatik.hs-fulda.de
+ '';
+ };
+}
+
diff --git a/shared/nix.nix b/shared/nix.nix
new file mode 100644
index 0000000..17ae3d4
--- /dev/null
+++ b/shared/nix.nix
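Review bot: `no_root_squash` on `/home 10.32.45.0/24(rw,async,no_root_squash)` lets root on any host in the /24 read and write every home directory as root, and with no `sec=` option the server trusts whatever UID a client presents, so the port-only firewall rule below (no source restriction) is the only thing between the subnet and every user's files. `async` on top acknowledges writes before they reach disk, so a server crash silently loses data that clients consider committed. Unless a root process on the clients genuinely needs root on the share, change the line to `/home 10.32.45.0/24(rw,sync)` (root is squashed by default) and, if not every host on the subnet can be trusted to assert UIDs honestly, add `sec=krb5p` so clients must actually authenticate; listing the client hosts individually instead of the whole subnet would narrow it further. Only TCP 2049 is opened, so UDP/NFSv3 mounts will not work, which looks intended.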
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, inputs, ... }:
+
+{
+ nixpkgs.overlays = [
+ # Make nixpkgs-unstable available as subtree
+ (_: _: {
+ unstable = import inputs.nixpkgs-unstable {
+ inherit (config.nixpkgs) system;
+ config = {
+ allowUnfree = true;
+ };
+ };
+ })
+
+ # Let builders fetch sources directly instead of uploading
+ (self: super: (super.prefer-remote-fetch self super))
+ ];
+
+ # Who cares about licenses?
+ nixpkgs.config.allowUnfree = true;
+
+ # Link nixpkgs to etc for usage in NIX_PATH.
+ # This allows update to the symlinks when updating nixpkgs without changes
+ # to NIX_PATH, which requires a new session to bekome active.
+ environment.etc.nixpkgs.source = pkgs.linkFarm "nixpkgs" [
+ { name = "nixpkgs"; inherit (pkgs) path; }
+ { name = "nixpkgs-unstable"; inherit (pkgs.unstable) path; }
+ ];
+
+ nix = {
+ nixPath = lib.mkForce [
+ "nixpkgs=/etc/nixpkgs/nixpkgs"
+ "nixpkgs-unstable=/etc/nixpkgs/nixpkgs-unstable"
+ ];
+
+ registry = {
+ "nixpkgs" = {
+ from = { type = "indirect"; id = "nixpkgs"; };
+ to = { type = "path"; path = "/etc/nixpkgs/nixpkgs"; };
+ };
+ "nixpkgs-unstable" = {
+ from = { type = "indirect"; id = "nixpkgs-unstable"; };
+ to = { type = "path"; path = "/etc/nixpkgs/nixpkgs-unstable"; };
+ };
+ };
+
+ # Take out the trash
+ gc = {
+ automatic = true;
+ dates = "monthly";
+ options = "--delete-older-than 30d";
+ };
+
+ # Optimize the store
+ optimise = {
+ automatic = true;
+ dates = [ "monthly" ];
+ };
+
+ # Enable modern commands
+ settings = {
+ experimental-features = [
+ "flakes"
+ "nix-command"
+ ];
+ };
+ };
+}
+
diff --git a/shared/system.nix b/shared/system.nix
new file mode 100644
index 0000000..6af77aa
--- /dev/null
+++ b/shared/system.nix
@@ -0,0 +1,14 @@
+{
+ services.haveged.enable = true;
+
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "without-password";
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [
+ 22 # SSH
+ ];
+ };
+}
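Review bot: `settings.PermitRootLogin = "without-password"` restricts only root; `PasswordAuthentication` keeps its NixOS default of `true`, so every other account on each host that imports this module stays open to online password guessing on port 22, which the firewall rule here opens on all of them. `without-password` is also the deprecated spelling of `prohibit-password`. Unless password logins for LDAP users on the lab clients are intended, set `settings.PermitRootLogin = "prohibit-password";`, `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;`, keeping key-based root access as it is.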
diff --git a/shared/users.nix b/shared/users.nix
new file mode 100644
index 0000000..3018342
--- /dev/null
+++ b/shared/users.nix
@@ -0,0 +1,31 @@
+{ pkgs, config, ...}:
+
+{
+ users.mutableUsers = false;
+
+ users.users."root" = {
+ #hashedPassword = "$y$j9T$5ZEv2RROIXAqdFjFEXEst0$5HA63fmwjGXw1id4n94TRgY1gTuXsQGKXmzlcWXyE07";
+ hashedPassword = "$y$j9T$IqOVsS6/ACfhDXzA3LqsZ1$J/16UDhw44bHWJqIoCdjms6IEwT4tk4ghq2WpThOlMA";
+
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
+ ];
+
+ packages = with pkgs; [
+ vim
+ wget
+ curl
+ tmux
+ fd
+ ripgrep
+ htop
+ iotop
+ iftop
+ file
+ iperf
+ ldns
+ tcpdump
+ ];
+ };
+}
+
diff --git a/sops-config.nix b/sops-config.nix
new file mode 100644
index 0000000..307e9aa
--- /dev/null
+++ b/sops-config.nix
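Review bot: Both the live `hashedPassword` for root and the commented-out previous hash are committed in clear, so anyone who can read the repository (or its history, which now holds both) can crack them offline; yescrypt slows that down but does not prevent it. The repository already manages secrets with sops, and `config` is in this module's arguments but unused, so the hash can move out of the file, e.g. `hashedPasswordFile = config.sops.secrets."root/hashed-password".path;` with that secret declared `neededForUsers = true;` so it is decrypted before users are created. Drop the commented-out hash either way and rotate the password, since the current hash has been published.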
@@ -0,0 +1,78 @@
+{ lib
+, runCommandNoCCLocal
+, writeText
+, ssh-to-age
+, machines
+, ...
+}:
+
+with lib;
+
+let
+ admins = {
+ "fooker" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ";
+ };
+
+ hosts = {
+ "nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMW2Ouwep/O0ULtPC8aHx+s9oB8RDJis02u9wYnJe7My";
+ "ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeRJF8IwyYAe4T4x7+n6ufO6lmOTu6PgPdmHiPRfCqI";
+ "installer" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrc58WlxYKaPNO1J8j8KQxOLJooc9fIxp6gZZoB4Y7o";
+ };
+
+ sshToAge = ssh-key:
+ let
+ key = runCommandNoCCLocal "hostkey-to-age" { } ''
+ ${ssh-to-age}/bin/ssh-to-age < '${writeText "" ssh-key}' > "$out"
+ '';
+ in
+ pipe key [
+ readFile
+ (removeSuffix "\n")
+ ];
+
+ # Keys for each machine
+ machine-keys = genAttrs machines (machine:
+ let
+ ssh-key = assert assertMsg (hasAttr machine hosts) ''
+ SSH host key is not specified for machine '${machine}'.
+
+ Make sure the SSH host key is added to `sops-config.nix` after initial provisioning.
+ After changing the hosts, make sure to run `sops updatekeys` with all relevant secret files.
+ '';
+ getAttr machine hosts;
+ in
+ sshToAge ssh-key);
+
+ # Keys for all admins
+ admin-keys = mapAttrsToList
+ (_: sshToAge)
+ admins;
+
+ mkRule = path: keys: {
+ "path_regex" = "^${if path == null then "" else "${escapeRegex path}/"}(${escapeRegex "secrets.yaml"}|secrets/.+)$";
+ "key_groups" = [{
+ "age" = keys;
+ }];
+ };
+
+ # Create a rule for each machine allowing the mechanie and all admins
+ machine-rules = map
+ (machine: mkRule
+ "machines/${machine}"
+ (admin-keys ++ (singleton machine-keys.${machine})))
+ machines;
+
+ # A single global rule allowing all machines and all admins to access
+ global-rules = singleton (mkRule null (admin-keys ++ (attrValues machine-keys)));
+
+in
+{
+ inherit admin-keys;
+
+ config = {
+ "creation_rules" = concatLists [
+ machine-rules
+ global-rules
+ ];
+ };
+}
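Review bot: The rule built in `global-rules` hands every machine key, `installer` included, to any top-level `secrets.yaml` or `secrets/…` file, so a secret that only two hosts need is still decryptable by all of them and one leaked host key exposes every shared secret; `mkRule` has no way to name a subset of hosts. A sibling of `mkRule` that matches a dedicated directory (say `^secrets/<group>/.+$`) and takes an explicit host list, inserted before `global-rules` because sops uses the first matching creation rule, would let the all-hosts group stay reserved for secrets every machine genuinely needs. Separately, `writeText "" ssh-key` in `sshToAge` creates a derivation with an empty name, which Nix is likely to reject as an invalid store path name; `writeText "ssh-pubkey" ssh-key` sidesteps that.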