2 changed files with
89 additions and
0 deletions
-
README.md
-
contrib/updatekeys.sh
@ -0,0 +1,53 @@ |
|
|
|
|
|
|
|
|
|
|
|
## Deploy |
|
|
|
|
|
Everything (all servers, all clients) |
|
|
|
|
|
|
|
|
|
|
|
```bash |
|
|
|
|
|
colmena apply switch |
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
All Clients |
|
|
|
|
|
|
|
|
|
|
|
```bash |
|
|
|
|
|
colmena apply switch --on@client |
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
Append `--on=HOSTNAME` or `--on=@TAG` to target specific hosts. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Building disk image |
|
|
|
|
|
You can build a ready to use disk image containing the whole system using the following command: |
|
|
|
|
|
|
|
|
|
|
|
```bash |
|
|
|
|
|
nix build .#images.<MACHINE_NAME> |
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Secret management |
|
|
|
|
|
Secrets are encrypted using sops. |
|
|
|
|
|
Sops encrypts the secrets for all administrators and the target machines using the secret. |
|
|
|
|
|
|
|
|
|
|
|
### Prepare your system |
|
|
|
|
|
You must derive an age key from your SSH key: |
|
|
|
|
|
```bash |
|
|
|
|
|
mkdir -p ~/.config/sops/age |
|
|
|
|
|
read -s SSH_TO_AGE_PASSPHRASE |
|
|
|
|
|
export SSH_TO_AGE_PASSPHRASE |
|
|
|
|
|
ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt |
|
|
|
|
|
unset SSH_TO_AGE_PASSPHRASE |
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
### Edit/show secrets |
|
|
|
|
|
Secrets are stored in `secrets.yaml` or in files in the `secrets` folder. |
|
|
|
|
|
To show or edit their content, use the `sops` command. I.e.: |
|
|
|
|
|
|
|
|
|
|
|
``` |
|
|
|
|
|
sops machines/nfs/secrets.yaml |
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
### Update encryption after fresh deployment |
|
|
|
|
|
The target machines ues the SSH host key of the target system to decryt the secrets required for that machine. |
|
|
|
|
|
Therefore the host keys spcified in `sops-config.nix` must be kept in sync with the actual host keys. |
|
|
|
|
|
These keys change after a fresh installation (a re-deployment, a changed disk, a lost filesystem). |
|
|
|
|
|
After the keys have been updates, the `contrib/updatekeys.sh` script must be executed. |
|
|
|
|
|
|
|
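--- a/contrib/updatekeys.sh
+++ b/contrib/updatekeys.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p yq
+#shellcheck shell=bash
+
+if [[ ! -f ".sops.yaml" ]]; then
+echo "Error: .sops.yaml file not found in $(pwd)"
+echo "Please ensure you are running this script from the repository root directory."
+exit 1
+fi
+
+# Schritt 1: Alle Regex aus der .sops.yaml-Datei extrahieren
+regex_list=$(yq -r '.creation_rules[].path_regex' .sops.yaml)
+
+# Schritt 2: Alle Dateien finden, die zu den Regex passen
+matching_files=()
+for regex in $regex_list; do
+# Entferne eventuelle ^ und $ Zeichen, damit die Regex auch in find funktionieren
+simplified_regex=$(echo "$regex" | sed 's/^\^//;s/\$$//')
+found_files=$(find . -type f | grep -E "$simplified_regex")
+
+# Füge die gefundenen Dateien zur Liste hinzu
+for file in $found_files; do
+matching_files+=("$file")
+done
+done
+
+# Deduplizieren der Dateiliste mit mapfile
+mapfile -t unique_files < <(printf "%s\n" "${matching_files[@]}" | sort -u)
+
+# Schritt 3: sops updatekeys für jede Datei ausführen
+for file in "${unique_files[@]}"; do
+echo "Updating keys for: $file"
+sops updatekeys -y "$file"
+done
+
+echo "Finished updating keys."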
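Review bot: Both loops split their input by unquoted expansion (`for regex in $regex_list` and `for file in $found_files`), so a `path_regex` such as `secrets/.*\.yaml$` has its `.*` subjected to pathname expansion against the working directory before it reaches `grep -E`, and any matched path containing whitespace is broken into several elements. Separately, the exit status of `sops updatekeys -y "$file"` is never checked and there is no `set -euo pipefail`, so a file that could not be re-encrypted keeps its previous recipient set while the script still prints `Finished updating keys.`; for a script whose purpose is to rotate host keys out of and into the recipient list, that failure needs to be loud. When no file matches at all, `printf "%s\n" "${matching_files[@]}"` on an empty array still emits one empty line, which `mapfile` turns into a single `""` element and `sops updatekeys -y ""` is executed. The rewrite below reads the patterns and the hits into arrays with `mapfile`/`read -r`, strips the leading `./` from find's output instead of stripping the `^`/`$` anchors (so the anchors keep the meaning sops gives them), refuses to continue when nothing matched, and aborts on the first failed update. As a point of style, the comments are in German while the README added in the same commit is in English; switching them (e.g. `# Step 1: collect every path_regex from .sops.yaml`) would help reviewers outside the original team.

```shell
set -euo pipefail
# … unchanged: .sops.yaml presence check …

# Step 1: read every path_regex as one array element — no word-splitting, no globbing of `.*`.
mapfile -t regex_list < <(yq -r '.creation_rules[].path_regex' .sops.yaml)

# Step 2: match against repo-relative paths so ^ and $ anchors behave as they do for sops itself.
matching_files=()
for regex in "${regex_list[@]}"; do
  while IFS= read -r file; do
    matching_files+=("$file")
  done < <(find . -type f -not -path './.git/*' | sed 's|^\./||' | grep -E -- "$regex" || true)
done

if (( ${#matching_files[@]} == 0 )); then
  echo "Error: no files match the creation_rules in .sops.yaml; nothing was updated." >&2
  exit 1
fi

# … unchanged: dedupe with mapfile …

# Step 3: run sops updatekeys and stop on the first failure so no file is silently left on old keys.
for file in "${unique_files[@]}"; do
  echo "Updating keys for: $file"
  sops updatekeys -y "$file" || { echo "Error: sops updatekeys failed for $file" >&2; exit 1; }
done
```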