Dustin Frisch
22 hours ago
No known key found for this signature in database
GPG Key ID: B4C3BF012D9B26BE
2 changed files with 89 additions and 0 deletions
@ -0,0 +1,53 @@ |
|||
|
|||
## Deploy |
|||
Everything (all servers, all clients) |
|||
|
|||
```bash |
|||
colmena apply switch |
|||
``` |
|||
|
|||
All Clients |
|||
|
|||
```bash |
|||
colmena apply switch --on@client |
|||
``` |
|||
|
|||
Append `--on=HOSTNAME` or `--on=@TAG` to target specific hosts. |
|||
|
|||
|
|||
### Building disk image |
|||
You can build a ready to use disk image containing the whole system using the following command: |
|||
|
|||
```bash |
|||
nix build .#images.<MACHINE_NAME> |
|||
``` |
|||
|
|||
|
|||
## Secret management |
|||
Secrets are encrypted using sops. |
|||
Sops encrypts the secrets for all administrators and the target machines using the secret. |
|||
|
|||
### Prepare your system |
|||
You must derive an age key from your SSH key: |
|||
```bash |
|||
mkdir -p ~/.config/sops/age |
|||
read -s SSH_TO_AGE_PASSPHRASE |
|||
export SSH_TO_AGE_PASSPHRASE |
|||
ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt |
|||
unset SSH_TO_AGE_PASSPHRASE |
|||
``` |
|||
|
|||
### Edit/show secrets |
|||
Secrets are stored in `secrets.yaml` or in files in the `secrets` folder. |
|||
To show or edit their content, use the `sops` command. I.e.: |
|||
|
|||
``` |
|||
sops machines/nfs/secrets.yaml |
|||
``` |
|||
|
|||
### Update encryption after fresh deployment |
|||
The target machines ues the SSH host key of the target system to decryt the secrets required for that machine. |
|||
Therefore the host keys spcified in `sops-config.nix` must be kept in sync with the actual host keys. |
|||
These keys change after a fresh installation (a re-deployment, a changed disk, a lost filesystem). |
|||
After the keys have been updates, the `contrib/updatekeys.sh` script must be executed. |
|||
|
@ -0,0 +1,36 @@ |
|||
#!/usr/bin/env nix-shell |
|||
#!nix-shell -i bash -p yq |
|||
#shellcheck shell=bash |
|||
|
|||
if [[ ! -f ".sops.yaml" ]]; then |
|||
echo "Error: .sops.yaml file not found in $(pwd)" |
|||
echo "Please ensure you are running this script from the repository root directory." |
|||
exit 1 |
|||
fi |
|||
|
|||
# Schritt 1: Alle Regex aus der .sops.yaml-Datei extrahieren |
|||
regex_list=$(yq -r '.creation_rules[].path_regex' .sops.yaml) |
|||
|
|||
# Schritt 2: Alle Dateien finden, die zu den Regex passen |
|||
matching_files=() |
|||
for regex in $regex_list; do |
|||
# Entferne eventuelle ^ und $ Zeichen, damit die Regex auch in find funktionieren |
|||
simplified_regex=$(echo "$regex" | sed 's/^\^//;s/\$$//') |
|||
found_files=$(find . -type f | grep -E "$simplified_regex") |
|||
|
|||
# Füge die gefundenen Dateien zur Liste hinzu |
|||
for file in $found_files; do |
|||
matching_files+=("$file") |
|||
done |
|||
done |
|||
|
|||
# Deduplizieren der Dateiliste mit mapfile |
|||
mapfile -t unique_files < <(printf "%s\n" "${matching_files[@]}" | sort -u) |
|||
|
|||
# Schritt 3: sops updatekeys für jede Datei ausführen |
|||
for file in "${unique_files[@]}"; do |
|||
echo "Updating keys for: $file" |
|||
sops updatekeys -y "$file" |
|||
done |
|||
|
|||
echo "Finished updating keys." |
Write
Preview
Loading…
Cancel
Save
Reference in new issue