From b418fce1bfc1b6084c6cd3917b9bdba27dfb8ea8 Mon Sep 17 00:00:00 2001 From: Dustin Frisch Date: Thu, 29 Jun 2023 17:36:33 +0200 Subject: [PATCH] Secrets, netinstall, ldap and stuff --- .envrc | 2 + .gitignore | 3 + .sops.yaml | 13 -- deployment.nix | 41 +++++++ flake.lock | 23 +++- flake.nix | 23 +++- gathered/node-00/ssh_host_ed25519_key.pub | 2 +- machines.nix | 67 ++++------- machines/manager/beegfs.nix | 8 +- machines/manager/disk.nix | 3 - machines/manager/ldap.nix | 127 +++++++++++++++++++- machines/manager/netinstall/default.nix | 79 ++++++------ machines/manager/netinstall/installer.nix | 22 +++- machines/manager/secrets.yaml | 39 ++++++ machines/manager/secrets/ldap-sync.conf | 30 +++++ machines/manager/secrets/ldap-upstream.list | 30 +++++ machines/manager/secrets/saslauthd.conf | 30 +++++ machines/node/disk.nix | 11 +- patches/colmena-disable-ssh-master.patch | 13 ++ secrets.yaml | 51 -------- shared/default.nix | 5 +- shared/network.nix | 2 +- shared/secrets.yaml | 49 ++++++++ shared/ssl.nix | 65 ++++++++++ shared/users.nix | 11 +- sops.nix | 56 +++++++++ 26 files changed, 631 insertions(+), 174 deletions(-) delete mode 100644 .sops.yaml create mode 100644 deployment.nix create mode 100644 machines/manager/secrets.yaml create mode 100644 machines/manager/secrets/ldap-sync.conf create mode 100644 machines/manager/secrets/ldap-upstream.list create mode 100644 machines/manager/secrets/saslauthd.conf create mode 100644 patches/colmena-disable-ssh-master.patch delete mode 100644 secrets.yaml create mode 100644 shared/secrets.yaml create mode 100644 shared/ssl.nix create mode 100644 sops.nix diff --git a/.envrc b/.envrc index c0718a6..8529124 100644 --- a/.envrc +++ b/.envrc @@ -2,3 +2,5 @@ use flake watch_file "flake.nix" watch_file "flake.lock" +watch_file "machines.nix" +watch_file "sops.nix" diff --git a/.gitignore b/.gitignore index 07a5e66..44ce624 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,3 +1,6 @@ /.pre-commit-config.yaml .gcroots .direnv + +# nixago: ignore-linked-files +/.sops.yaml \ No newline at end of file diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index f9c499b..0000000 --- a/.sops.yaml +++ /dev/null @@ -1,13 +0,0 @@ -keys: - - &admin_fooker 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE - - &server_manager age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn - - &server_node-00 age1q3tqh4w7yeae4xs0cxevtp5tn4gm8xthc39fsht2kv9rq7xm4q3qxqt9sh - -creation_rules: -- key_groups: - - pgp: - - *admin_fooker - age: - - *server_manager - - *server_node-00 - path_regex: ^(secrets\.yaml|secrets/.+)$ diff --git a/deployment.nix b/deployment.nix new file mode 100644 index 0000000..709f1f4 --- /dev/null +++ b/deployment.nix @@ -0,0 +1,41 @@ +{ nixpkgs, disko, sops, gather, ... }@inputs: + +let + deploymentPkgs = import nixpkgs { + localSystem.system = "x86_64-linux"; + }; + + machines = deploymentPkgs.callPackage ./machines.nix { }; + +in +with deploymentPkgs.lib; let + + mkMachine = machine: { lib, ... }: { + imports = [ + ./shared + ./modules + + (import /${machine.path} machine.opts) + + disko.nixosModules.disko + sops.nixosModules.sops + gather.nixosModules.gather + ]; + + _module.args = { + inherit machine; + }; + }; + +in +{ + meta = { + nixpkgs = deploymentPkgs; + + specialArgs = { + inherit inputs; + }; + }; +} // (listToAttrs (map + (machine: nameValuePair machine.name (mkMachine machine)) + machines)) diff --git a/flake.lock b/flake.lock index 4088e0e..3aa4f29 100644 --- a/flake.lock +++ b/flake.lock @@ -30,11 +30,11 @@ ] }, "locked": { - "lastModified": 1685450011, - "narHash": "sha256-/Az50GoWePZHL+Pkxy2ZuKW9zwIk+oVdzkR9xWomnpo=", + "lastModified": 1687747614, + "narHash": "sha256-KXspKgtdO2YRL12Jv0sUgkwOwHrAFwdIG/90pDx8Ydg=", "owner": "nix-community", "repo": "disko", - "rev": "0d270372b21818eba342954220c1a30a7bdaba19", + "rev": "fef67a1ddc293b595d62a660f57deabbcb70ff95", "type": "github" }, "original": { 
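Review bot: `(import /${machine.path} machine.opts)` in `mkMachine` rebuilds a path from a string interpolation although `machine.path` is already a path value (`./machines/${type}` in machines.nix), so `(import machine.path machine.opts)` looks equivalent and reads more directly; the same `/${machine.path}/secrets.yaml` form appears in shared/default.nix. If the interpolation was chosen deliberately to force an absolute store path, a one-line comment above the `imports` list saying so would keep the next reader from simplifying it away.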
@@ -201,6 +201,22 @@ "type": "github" } }, + "ldap-sync": { + "flake": false, + "locked": { + "lastModified": 1688052624, + "narHash": "sha256-tQ0C/0zMgOYTSxzIy9koED4jzGNZygknrsC9Q6RtaJE=", + "ref": "refs/heads/main", + "rev": "69ce1d4f1a41ee313f5cb484a0bfecad9a545694", + "revCount": 11, + "type": "git", + "url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git" + }, + "original": { + "type": "git", + "url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git" + } + }, "nixago": { "inputs": { "flake-utils": [ @@ -384,6 +400,7 @@ "colmena": "colmena", "disko": "disko", "gather": "gather", + "ldap-sync": "ldap-sync", "nixago": "nixago", "nixpkgs": "nixpkgs", "pre-commit-hooks": "pre-commit-hooks", diff --git a/flake.nix b/flake.nix index 5e6a85c..0d3178c 100644 --- a/flake.nix +++ b/flake.nix @@ -60,16 +60,26 @@ owner = "fooker"; repo = "gather.nix"; }; + + ldap-sync = { + type = "git"; + url = "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git"; + flake = false; + }; }; - outputs = { nixpkgs, utils, ... }@inputs: { - colmena = import ./machines.nix inputs; + outputs = { nixpkgs, utils, disko, ... }@inputs: { + colmena = import ./deployment.nix inputs; devShell = utils.lib.eachSystemMap utils.lib.allSystems (system: let pkgs = nixpkgs.legacyPackages.${system}; - colmena = inputs.colmena.defaultPackage.${system}; + colmena = inputs.colmena.defaultPackage.${system}.overrideAttrs (final: prev: { + patches = (prev.patches or [ ]) ++ [ + ./patches/colmena-disable-ssh-master.patch + ]; + }); pre-commit-hooks = inputs.pre-commit-hooks.lib.${system}.run { src = ./.; @@ -80,6 +90,12 @@ }; }; + sops-hooks = inputs.nixago.lib.${system}.make { + data = (pkgs.callPackage ./sops.nix { }).config; + output = ".sops.yaml"; + format = "yaml"; + }; + gather = pkgs.writeShellScript "gather" '' ROOT=${toString ./.} @@ -108,6 +124,7 @@ shellHook = '' ${pre-commit-hooks.shellHook} + ${sops-hooks.shellHook} ''; }); }; 
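Review bot: `disko` is newly destructured in `outputs = { nixpkgs, utils, disko, ... }@inputs:` but nothing in the hunk references it (deployment.nix receives the whole `inputs` set), so the binding can be dropped again. The colmena `overrideAttrs` applies `patches/colmena-disable-ssh-master.patch` without recording why ssh ControlMaster has to be off for this deployment; a one-line comment above `patches = (prev.patches or [ ]) ++ [` naming the failure it works around would save the next reader from rediscovering it.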
diff --git a/gathered/node-00/ssh_host_ed25519_key.pub b/gathered/node-00/ssh_host_ed25519_key.pub index 6243b3e..b10fc86 100644 --- a/gathered/node-00/ssh_host_ed25519_key.pub +++ b/gathered/node-00/ssh_host_ed25519_key.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcyF+SJiS1f1j2Waa0Af2Mx4zxPHl6J3u9gaDMhE9Yv root@nixos +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjQy/rUZUmLjTAP2+IdkVzGS/VNLqn3bvRpNN8ouS04 root@node-00 diff --git a/machines.nix b/machines.nix index 24c959a..471d312 100644 --- a/machines.nix +++ b/machines.nix @@ -1,48 +1,33 @@ -{ nixpkgs, disko, sops, gather, ... }@inputs: +{ lib, ... }: -let - deploymentPkgs = import nixpkgs { - localSystem.system = "x86_64-linux"; - }; +with lib; +let nrNodes = 1; -in -with deploymentPkgs.lib; let - - mkMachine = type: opts: { lib, ... }: - let - machine = import ./machines/${type} opts; - in - { - imports = [ - ./shared - ./modules - - machine - - disko.nixosModules.disko - sops.nixosModules.sops - gather.nixosModules.gather - ]; - }; - - machines = { - manager = mkMachine "manager" { }; - } // (listToAttrs (genList - (i: nameValuePair - "node-${fixedWidthNumber 2 i}" - (mkMachine "node" { id = i; }) - ) - nrNodes)); + mkMachine = { name, type, opts ? { } }: rec { + inherit name type opts; -in -{ - meta = { - nixpkgs = deploymentPkgs; + path = ./machines/${type}; - specialArgs = { - inherit inputs; - }; + gather = ./gathered/${name}; }; -} // machines + + manager = mkMachine { + name = "manager"; + type = "manager"; + }; + + nodes = genList + (i: mkMachine { + name = "node-${fixedWidthNumber 2 i}"; + type = "node"; + opts = { id = i; }; + }) + nrNodes; + +in +concatLists [ + [ manager ] + nodes +] diff --git a/machines/manager/beegfs.nix b/machines/manager/beegfs.nix index 3795ec8..ec0c04f 100644 --- a/machines/manager/beegfs.nix +++ b/machines/manager/beegfs.nix @@ -1,4 +1,4 @@ -{ pkgs, config, lib, ... }: +{ pkgs, config, lib, ... }: with lib; 
@@ -25,5 +25,7 @@ in storage.enable = true; }; - sops.secrets."beegfs/connection" = {}; -} \ No newline at end of file + sops.secrets."beegfs/connection" = { + sopsFile = ../../shared/secrets.yaml; + }; +} diff --git a/machines/manager/disk.nix b/machines/manager/disk.nix index 8d693bd..ecfe528 100644 --- a/machines/manager/disk.nix +++ b/machines/manager/disk.nix @@ -8,7 +8,6 @@ format = "gpt"; partitions = [ { - index = 1; name = "root"; start = "100MiB"; end = "-4GB"; @@ -22,7 +21,6 @@ }; } { - index = 2; name = "swap"; start = "-4G"; end = "100%"; @@ -34,7 +32,6 @@ }; } { - index = 3; name = "ESP"; start = "1MiB"; end = "100MiB"; diff --git a/machines/manager/ldap.nix b/machines/manager/ldap.nix index e7d3f60..c0096ac 100644 --- a/machines/manager/ldap.nix +++ b/machines/manager/ldap.nix 
@@ -1,16 +1,68 @@ -{ lib, config, ... }: +{ pkgs, lib, config, inputs, mkCert, ... }: with lib; let + ldap-sync = + let + wrapped = pkgs.callPackage inputs.ldap-sync { }; + env = pkgs.runCommand "ldap-sync-env" { } '' + mkdir -p $out + ln -s ${config.sops.secrets."ldap/sync/config".path} $out/ldap-sync.properties + ''; + in + pkgs.runCommand "ldap-sync-wrapper" + { + nativeBuildInputs = [ pkgs.makeWrapper ]; + } '' + mkdir -p $out/bin + makeWrapper "${wrapped}/bin/ldap-sync" $out/bin/ldap-sync \ + --chdir "${env}" + ''; + baseDN = concatMapStringsSep "," (part: "dc=${part}") (splitString "." config.networking.domain); + + cert = mkCert "ldap.${config.networking.domain}"; + + cyrus_sasl = pkgs.cyrus_sasl.override { + enableLdap = true; + }; in { services.openldap = { enable = true; + package = (pkgs.openldap.overrideAttrs (final: prev: { + configureFlags = prev.configureFlags ++ [ + "--enable-overlays" + "--enable-remoteauth" + "--enable-spasswd" + "--with-cyrus-sasl" + ]; + })).override { + inherit cyrus_sasl; + }; + + urlList = [ "ldap:///" "ldaps:///" ]; + settings = { + attrs = { + olcLogLevel = "config ACL stats stats2 trace"; + + olcTLSCACertificateFile = "${cert}/ca.pem"; + olcTLSCertificateFile = "${cert}/cert.pem"; + olcTLSCertificateKeyFile = "${cert}/key.pem"; + olcTLSCRLCheck = "none"; + olcTLSVerifyClient = "never"; + olcTLSProtocolMin = "3.1"; + + #olcSecurity = "tls=1"; + + olcSaslHost = "localhost"; + olcSaslSecProps = "none"; + }; + children = { "cn=schema".includes = [ "${config.services.openldap.package}/etc/schema/core.ldif" 
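Review bot: `olcTLSProtocolMin = "3.1"` sets the floor at TLS 1.0, while `olcSecurity = "tls=1"` stays commented out and `urlList` also exposes plain `ldap:///`; together with `olcSaslSecProps = "none"` (which drops the default noplain restriction) and the PLAIN mechanism listed in SASL_PATH in the second hunk, binds can be sent in cleartext. Raise the floor with `olcTLSProtocolMin = "3.3";` and, unless a local client genuinely needs cleartext binds, restore `olcSecurity = "tls=1";`. `olcLogLevel = "config ACL stats stats2 trace"` also reads like a debugging setting; `trace` is extremely chatty, so consider removing it before the service sees real traffic.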
@@ -33,24 +85,87 @@ in olcAccess = [ # Custom access rules for userPassword attributes ''{0}to attrs=userPassword - by self write + by self read by anonymous auth - by * none'' + by * none + '' - # Allow read on anything else - ''{1}to * - by * read'' + # Synced is managed by sync + ''{1}to dn.subtree="ou=synced,ou=users,dc=hpc,dc=informatik,dc=hs-fulda,dc=de" + by dn.base="cn=sync,dc=hpc,dc=informatik,dc=hs-fulda,dc=de" manage + by * break + '' + + # Allow login to read users + ''{2}to dn.subtree="ou=users,dc=hpc,dc=informatik,dc=hs-fulda,dc=de" + by dn.base="cn=login,dc=hpc,dc=informatik,dc=hs-fulda,dc=de" read + by self read + by * break + '' + + # Prevent access + ''{3}to * + by * none + '' ]; }; + + children = { + "olcOverlay={0}remoteauth" = { + attrs = { + objectClass = [ "olcOverlayConfig" "olcRemoteAuthCfg" ]; + + olcOverlay = "{0}remoteauth"; + + olcRemoteAuthTLS = "starttls=yes tls_cacert=\"/etc/ssl/certs/ca-certificates.crt\""; + olcRemoteAuthDNAttribute = "seeAlso"; + olcRemoteAuthDomainAttribute = "associatedDomain"; + olcRemoteAuthDefaultDomain = "upstream"; + olcRemoteAuthDefaultRealm = "file://${config.sops.secrets."ldap/upstream/list".path}"; + olcRemoteAuthRetryCount = "3"; + olcRemoteAuthStore = "false"; + }; + }; + }; }; }; }; }; + systemd.services.openldap = { + environment = { + SASL_PATH = pkgs.writeTextFile { + name = "openldap-sasl-path"; + destination = "/slapd.conf"; + text = '' + pwcheck_method: saslauthd + saslauthd_path: /var/run/saslauthd/mux + mech_list: GSSAPI EXTERNAL PLAIN NTLM + ''; + }; + }; + }; + + systemd.services."ldap-sync" = { + script = "${ldap-sync}/bin/ldap-sync"; + startAt = "hourly"; + }; + sops.secrets."ldap/root/password" = { owner = "openldap"; }; + sops.secrets."ldap/sync/config" = { + format = "binary"; + sopsFile = ./secrets/ldap-sync.conf; + }; + + sops.secrets."ldap/upstream/list" = { + format = "binary"; + sopsFile = ./secrets/ldap-upstream.list; + owner = "openldap"; + }; + hpc.hostFile.aliases = [ 
 "ldap.${config.networking.domain}" ];
diff --git a/machines/manager/netinstall/default.nix b/machines/manager/netinstall/default.nix
index d764248..87381ed 100644
--- a/machines/manager/netinstall/default.nix
+++ b/machines/manager/netinstall/default.nix
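Review bot: The new ACL entries `{1}` and `{2}` hard-code `dc=hpc,dc=informatik,dc=hs-fulda,dc=de` while the first hunk derives the suffix from `config.networking.domain` as `baseDN`, so a domain change would silently leave these rules pointing at the wrong tree; use `''{1}to dn.subtree="ou=synced,ou=users,${baseDN}"` and `by dn.base="cn=sync,${baseDN}" manage` (and the same for `{2}`). `systemd.services."ldap-sync"` has no `serviceConfig.User`, and `sops.secrets."ldap/sync/config"` sets no `owner`, so the hourly sync presumably runs as root with a root-only secret; giving the secret an `owner` and running the unit under that user would keep the sync credentials out of a root process. The enclosing `services.openldap.settings` block starts before this hunk.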
@@ -20,50 +20,51 @@ let } ]; - api = pkgs.linkFarm "pixiecore-api" (mapAttrs' - (mac: name: nameValuePair - "v1/boot/${mac}" - (pkgs.writeText "pixieboot-api-${name}" ( + commands = pkgs.symlinkJoin { + name = "pxeboot"; + paths = mapAttrsToList + (mac: name: let - boot = installer.config.system.build; node = nodes.${name}.config.system.build; + boot = installer.config.system.build; + + install = pkgs.writers.writeBash "install-${name}" '' + set -o errexit + set -o nounset + set -o pipefail + + "${node.diskoScript}" + + "${node.nixos-install}/bin/nixos-install" \ + --root /mnt \ + --system "${node.toplevel}" \ + --no-channel-copy \ + --no-root-password \ + --verbose + + reboot + ''; + in - builtins.toJSON { - kernel = "file://${boot.kernel}/bzImage"; - initrd = "file://${boot.netbootRamdisk}/initrd"; - cmdline = concatStringsSep "\n" [ - "init=${boot.toplevel}/init" - "loglevel=4" - "nixos.install=${node.toplevel}" - ]; - message = "NixOS Automatic Installer for ${name}"; - } - ))) - targets); + pkgs.writers.writeBashBin "pxe-install-${name}" '' + exec ${pkgs.pixiecore}/bin/pixiecore \ + boot "${boot.kernel}/bzImage" "${boot.netbootRamdisk}/initrd" \ + --cmdline "init=${boot.toplevel}/init loglevel=4 nixos.install=${install}" \ + --debug \ + --dhcp-no-bind \ + --port 64172 \ + --status-port 64172 \ + "$@" + '') + targets; + }; + in { - services.pixiecore = { - enable = true; - mode = "api"; - dhcpNoBind = true; - debug = true; - openFirewall = true; - port = 5080; - statusPort = 6080; - apiServer = "http://boot.${config.networking.domain}/pixiecore"; - }; + environment.systemPackages = [ commands ]; - services.nginx = { - virtualHosts = { - "boot.${config.networking.domain}" = { - locations."/".proxyPass = "http://localhost:${toString config.services.pixiecore.port}"; - locations."/status".proxyPass = "http://localhost:${toString config.services.pixiecore.statusPort}"; - locations."/pixiecore".root = api; - }; - }; + networking.firewall = { + allowedTCPPorts = [ 
4011 64172 ]; + allowedUDPPorts = [ 67 69 ]; }; - - hpc.hostFile.aliases = [ - "boot.${config.networking.domain}" - ]; } diff --git a/machines/manager/netinstall/installer.nix b/machines/manager/netinstall/installer.nix index 8afe46a..0c99046 100644 --- a/machines/manager/netinstall/installer.nix +++ b/machines/manager/netinstall/installer.nix @@ -3,13 +3,29 @@ with lib; let - auto-install = pkgs.writeShellScript "nixos-install" '' + auto-install = pkgs.writers.writeBash "auto-install" '' + set -o errexit + set -o nounset + set -o pipefail + + set -x + if [[ "$(cat /proc/cmdline)" =~ nixos\.install=([^ ]+) ]]; then INSTALL="''${BASH_REMATCH[1]}" else echo "No install derivation found" >&2 exit 1 fi + + ${pkgs.retry}/bin/retry \ + --times 10 \ + --delay 15 \ + -- ${pkgs.nix}/bin/nix-store \ + --realize \ + --add-root /tmp/install \ + "$INSTALL" + + exec /tmp/install ''; in { @@ -31,8 +47,12 @@ in wants = [ "network-online.target" ]; after = [ "network-online.target" ]; + conflicts = [ "getty@tty1.service" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.bash pkgs.nix ]; + unitConfig = { AssertKernelCommandLine = "nixos.install"; diff --git a/machines/manager/secrets.yaml b/machines/manager/secrets.yaml new file mode 100644 index 0000000..4903641 --- /dev/null +++ b/machines/manager/secrets.yaml 
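Review bot: The generated `pxe-install-<name>` command no longer uses `mac` — the lambda is still `(mac: name: ...)` but only `name` is embedded — so where the old API mode answered only `v1/boot/${mac}`, `pixiecore boot` now hands the same kernel and a `nixos.install=${install}` that runs `${node.diskoScript}` to whichever host PXE-boots on the segment while the command is running. Unless pixiecore's boot mode filters clients in a way not visible here, re-introducing a MAC check (for example in the installer, comparing the booting machine's address against the intended target before `diskoScript` wipes the disk) would keep a stray PXE client from being reimaged as the wrong node. The firewall hunk also opens TCP 4011/64172 and UDP 67/69 permanently although pixiecore now only runs for the duration of the command; if the ports cannot be scoped to that window, a comment above `networking.firewall = {` noting the trade-off would help. The enclosing `let` starts before the hunk.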
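Review bot: `INSTALL` is taken from `/proc/cmdline` with `nixos\.install=([^ ]+)` and handed straight to `nix-store --realize --add-root /tmp/install` and then `exec /tmp/install`, so any value on the kernel command line is accepted; a cheap check such as `[[ "$INSTALL" == /nix/store/* ]] || { echo "bad install path: $INSTALL" >&2; exit 1; }` before the retry loop makes a malformed or truncated cmdline fail with a clear message instead of ten `nix-store` retries. The `auto-install` script and the service in the second hunk are otherwise consistent; the surrounding `let` and module body continue outside the hunk.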
@@ -0,0 +1,39 @@ +ldap: + root: + username: ENC[AES256_GCM,data:aXIFdQ==,iv:tdC7GFit0LrO4DJL3vbI6uKCDXeYAOwDGwvOqrvn9mM=,tag:x1mBwe+K+UKjCpGO5qKMuQ==,type:str] + password: ENC[AES256_GCM,data:Q42VVdHaPZuvLR4HJ11CICpx61qTpw/v,iv:GhsXDsWxRinPOG+uMzy/uvxvMB1G8OKu4yH0a8achJc=,tag:yEWD4slZu/kDEV8ZJs43Hg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0anVoM3dITTB3SnN5OEZF + VWpLTzg1cXZUTlhkZFl2dm8yWCtSWlRwRW5rCkRNK24wTHFkQk5WdVhEQjVGRTVh + Vy9pazNwZGRWblJVVHJSa1E1OWN4RTgKLS0tIElZc3BncTFwbEhjRjFickdWWXNY + Sms0RWZ0RUhwNGVvbFk1dDBVZHcvZTQKEeTTP2Ked+C9XgKxVug/KIcJ/ES9nLRc + n5DsivfiAsoALxTsIRJvjPt/PNZimIeO3nobFPNuvQLb7Q27++My/g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-06-27T09:57:35Z" + mac: ENC[AES256_GCM,data:QpMkI/w+J49DeQ0EDrz+6WtbtvJrgNChI1Z4PNNjdD2cik9wvtZNMUhjJVV18dUxWRH3dkhwX7Jt4mPhlDjhDspbkKsNjKaSApOS8AACybs8FqodvlUCU2mF+xG4beblQn3n8oPcqc5kjbAFc2r+mPSb4b7rcoS+xrB3rKUJTng=,iv:xsjx8Gz5UfpAXMEDEzMA4Kau4BI0vq3xvgfFvHS4uFo=,tag:aiFD1PXsHtiXFrx+legUhw==,type:str] + pgp: + - created_at: "2023-06-27T09:57:24Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA5ntoryXZPD4AQgAivbPI9NjQLAaIi4wE62yy1snYbzsZxsV4fktk4ebhYBQ + buvDARS3ZGQV9Tqi2xfmGx7SF3QHHWkqcYNMuBrjKSLIsgnLYW0sKd3fTU0/yux4 + 7b+duZO66r2gjlFwf7dFKBwn62ln4eLtvHREZbB0UWACaRdwQnmQdRL2v9hQXbcU + /TQiq0msqCfSRLao3wWWl4LvyVY8Uv31K9Kt8NGJYL0yWYuIUMXJhx+ioIbqEBOL + XOEl4JVmR4nZ6Y/aQ3FIeW/+QjXiqenVect7i52+Bv6kVzc10Zeu0qYRI1o6hpLL + iS+/cNaNfu6QZRrypQpkzTjY3kzWWgLI9WhC40pxdtJcASZvVAQqtn3eR5FBs2/N + oRC9WrVE/b8NhgmpJXtbJkTwNLDKZ5rX0/k1lBpqmSKUgfc4Sr9HMzlHsmmIc91F + p5WpSSH0uHoebg6QnNqQXcRRk4Zh7SU4YSEJHNY= + =gHvl + -----END PGP MESSAGE----- + fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE + unencrypted_suffix: _unencrypted + version: 3.7.3 
diff --git a/machines/manager/secrets/ldap-sync.conf b/machines/manager/secrets/ldap-sync.conf
new file mode 100644
index 0000000..724f5d2
--- /dev/null
+++ b/machines/manager/secrets/ldap-sync.conf
@@ -0,0 +1,30 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:f1ZwZgu9UyzGnxE3qKPl4K6tlnqvk9jPLAYVXP7W+jI=,tag:iAXKNN/EFh4Z5HjDQogNPQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvS3l2MU4ycE9idHIwREU0\nM3k0c05idmNqVlB5anVONCtXRWNzckROYVI0CmdhVDkyVGtyczYzTGREVmpyR2g1\ncGtWeDc0Y1lqSVVWV3plZHU2cXVNZzgKLS0tIE1nYWxQL204SFNyTEVGQytJdk12\nQ3NVNHRIMTAyalBoSVBuVkNKWEhzdTgKd5b9zzarSyxl8CAugOVVJzEAG0N2mn70\nxB0PPSzXFv0fILb1h8A5bdDf1snxsbdIAfUWucSX3arCoU5l6LmHRQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1s3evxsdz6zly5qn4fjfl4py8z35n8penm63uwmq0ge2kx0u4rsdq07cn90", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOUsrS2tyTUVEUEZaN3pR\nR0drZ3JDdUtMRHhJaGtONWtwK2Ftc1JsUFRJCjZtYXFubmlpTWtHNVpRU1ZhdThl\nUFVXUERDazdvSGtDOXc1VFNqeTRKRGcKLS0tIDhTdWhWU0dCUUYrZkdSRkVxbGFE\nYkg2Nk42VnUwZFhZVXdsWHFKYnUrMVEK0Aj6aON/QIFT2fsv2D9Ajvu+f6mHT4Q3\nm5uo99snnGEl3VIcvhC2yKGEtw3XOVpCfk5xHYLV2nlSs4WCc2DrkA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-06-29T15:34:22Z", + "mac": "ENC[AES256_GCM,data:T4RlkuFsOJflLOkuvfRnhtnAp5iytfSPEla+Tf4v2zvdo1Gvh3wBmCItBdxhL8mGAl7JZCtJ5InGEccxsjBi+rgNrw9iQwYJMk4hLi6NrUYRCObhzk06JyMW3XM5N4yOQZBUEg/KWUuFR9oQhIP5A0pPdYqctalTg2GKTyusERo=,iv:dErVyHcD9A3elIZcOa0S5kryC6jmYeW4xxvfjHHviZ4=,tag:OupqMXrY147GxxEow7Hkjw==,type:str]", + "pgp": [ + { + "created_at": "2023-06-26T09:22:36Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf/f7WlPOXFZGMzz/XKT0wU5HyzkdAkZg6uzSWMYeFzuzyL\nFjuAL3b1gQ5ACXwxUaoUtAN4iXdHdVtJDZxqgYiDHoqd4KBG0DtWZUzvgpT+nbcr\nkE1nQnV0Y7GIgpoJFblQKAsCYikbYGhzptHhsYRY7jB5wseOEyaEV1nS4Bh0E8rc\ndAVI8G7XreIU04cMixIqPd7f1gND/E1y1XhqoT8eQXsa43Ozi9BEobjaAXPnCjsd\nOiMcGvIYW+w+kdY2Q0R4SN3GNRt3KJnBVnL/PCuffz5xQxlnwEvS0palQNioGvrN\nfhXG5JO6cdxgExhjcw/HJEdHjl8iCG15NN6Z0ZDhD9JeAUPRivJeq1CvGJlrkD3U\nAANHHBAyQgpti23908tOsvePujOrYu2+OyG4SN5pdPvNCroDPoKTDGBik7ZvK6J8\n6TowTtKHE0xlhgRcKNNT0qYk02kmbbwtgvLuliBodw==\n=BlGq\n-----END PGP MESSAGE-----\n", + "fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/machines/manager/secrets/ldap-upstream.list b/machines/manager/secrets/ldap-upstream.list new file mode 100644 index 0000000..0de14fe --- /dev/null +++ b/machines/manager/secrets/ldap-upstream.list 
@@ -0,0 +1,30 @@ +{ + "data": "ENC[AES256_GCM,data:u6XAULb0jpux4kvwJipsX0rMTQ5oLP5UtPZNNOJ7ujuv,iv:HuowckOTkBG0NOM6aRJUmJA3f9L0SxVm/w9WAXG4l6Q=,tag:2OKpVjxvFA0nELtWhPcSPQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzRXhlTTBXRG01clZSTFpV\na1pTOGVac3JlOVdDRzFyd0xGeWFPbmN6empvClpJa2N5Ui9NVlNoNnFHUHBlSGl3\nVnpGd21zYVBlUGpIR2hrQk5MSXdHYlEKLS0tIFcrS0NpaERzbVdZQlVWY3dSUG1u\nMnQzWVVrOGd5TWJxYUZPZVFsTmlvWDQK44uh8H1soJ14eUxtCfcFpKf91zzYuwke\n6LZD0ugNeU61vGNltdI573Vz5e12+t7rxSd/Jdl9ADlGN1Mvnw4SUw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1s3evxsdz6zly5qn4fjfl4py8z35n8penm63uwmq0ge2kx0u4rsdq07cn90", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZkJBY1ZIdXYwblFmTHYy\nelZkbEFDU3Z4T05KdWtQVFQrTEc5NUFhdUZJCjd0Ri9rV2V4cmxXVFJUbHQxVG9r\naTZLemhlQnBIdEh3Z0oyV3pPa1JhL2cKLS0tIGVhdkV3d2lEQ3MzanpNVnQrQS92\nL2VZdVpSZjlCQzJQTWY1V1EzSzZvL2sKu4UPoUmkuU60oIKlDgly1D8UjWuKVwnF\nBSUFf+m7ssAg1OK2uYbjWC6/XBo4nmmltKac1sEwALxadU2/kBDu3w==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-06-29T14:33:42Z", + "mac": "ENC[AES256_GCM,data:ZDmRDxJPSmWmZL/daV37H1s9kTp5j8/WK0GbQ6JZef9OHWTXrlpUyZWSkh/mCVbIs9bD96WVos4rLX5rDOlIcMiMXEKcsw63M9KcMlLWvjqkK/D+fnhIqAiNwNPwd4aAV4SaS+3UVlucKgQIaSl06ibrEX1/dTg4by17xEIx43c=,iv:V5mN7N1dewLwqnIWKih6Uu/ocKZ1hU5wcoNW1KSF5x0=,tag:7m3KSBREQSK5ch5PZhPLgA==,type:str]", + "pgp": [ + { + "created_at": "2023-06-29T08:41:58Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf/QTiDvYzIo69KMIL2Q4zfpusal9NWTdIuHGV9UmgcuwvP\nhfPa4HTXlNWoE/YBBh8AvwQemrup6toH7V+mbsNlUWJXN+Pwj/+0OMe1Cl+X/VUf\nojE5Rkr2PJBcSRW2sEa2RlVhjPALxR8UR6NKc4HkJVvBnJUng7lxOPXSQOE5M245\n3G44tKDIrQIId7naQNh9fcGJksrtJnbYufMdBOJlwwNueeEJ/ovlGvN8dU/s8OzU\nTML0QD+nRM+vz/hKOAU9R4pYO1qxViVhgeOyms5MRgSyWYLy+HsYx4xByGXNcv8I\nJ58NEYgqICkYYUNeVDr3ONsEYN0hL4VSksX2RacqbdJeAVaUtSRUH1kknrN1gAlA\nx2LB/PFFCR2aGsQWYWnBPhjtdVAVy4flUDtTkquQp837hQZZre+xEP4snY05RYdv\nhqzm7g3iZbDO/nRnsEWj13dygzHwGHruVk3T7XqQxw==\n=BGBU\n-----END PGP MESSAGE-----\n", + "fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/machines/manager/secrets/saslauthd.conf b/machines/manager/secrets/saslauthd.conf new file mode 100644 index 0000000..9d9ce34 --- /dev/null +++ b/machines/manager/secrets/saslauthd.conf 
@@ -0,0 +1,30 @@ +{ + "data": "ENC[AES256_GCM,data:pekng5DHyeza16XqzFIxKWKktRUZ8mMDnjMGln47d2K6ojzl7KetDwDeyjq25RRTL8ssev/hbHI/7jZo56KI8rKjJ4AsQrECNUu8djjek6yfwPonzSP58nKYllufQiQGPq6yIc7VxMX5wBARh03/2KtObOmiPvGmyFasSVv9Vfg0rCgTG7kD3D6Xvha8fd17I8cl9fFZJH5SsDuzFgyGanwaol7FumXzBwDq4HbQG43aC/YctjwgZaVA7Y9Gah3IULies2r54Le5DCd+Maysg3mJ+3uwEOxqtwumVX4KyGnZ7MpJSwu574xgVj5xFSCAt5W97IoeOWHV+Xru6JQCR/p6UC1VSnJzNFL9TjqW39qNOKgrpsN9b5KciPiLBTTpJF7ij23rYZ0jBkuYeEH7jCzIiaW/P08G2RU/gg==,iv:u7YpDyqO/61JLk5AmBLzgtfkzoJs4I1CIew99lAgXzM=,tag:JXCYrT92t0n7TMtYbe1iEQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcFA3bTVxNnRJREtqU2dN\nSFFtUzVyVjdxclFwSHhibEJLMjZXNDZYQ1ZVCnFOVE9sY01QWXlBNlViRDJpb3Z5\nSVBTamR2V1lPVTNUSktRVTloc2hyU2MKLS0tIG5rdm9TYlpHS2JWMTVEUlYvUm1T\nN2Y4UDB6K2VqbFRSSVpKSXUzaFNqYXMK1FtROF7wMlwtKNIN55fWS+OXovVfwzML\n9uObWRxuI2ePJz6pTIhDGJ3m9azGepG02ynX/ZpZ3ggkTnULL+pV3w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1s3evxsdz6zly5qn4fjfl4py8z35n8penm63uwmq0ge2kx0u4rsdq07cn90", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdGM0Z2VPdEs2VWd4a1lU\nN25XdUFXMkt6cHBNeHBUMUNPc1pBYXRKTmxNClI1UGZYZEROTTF6YUVMQ1JhZ3hZ\nRzk3bHBhS1Yvamh4eDZDajVCUWxUQ1EKLS0tIDVodVpIYkVsSnhJZTM4WkxTbnNz\nTTRESnlSZVdndVR0UGJRSkRvTVo5b3MK5ncgqt7iq5C2WSskWK4Aqy8lONpEgHbA\ncRXaXwO9dbRd9Qo9Am1VeKHyPXVOga/pJONPt6SNBjWhvpBiwStzDQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-06-28T12:21:14Z", + "mac": "ENC[AES256_GCM,data:IbNlGRnejcbpN8JkHZZ5S0brF7HxJnB9+scAZ4lStO0HuUG32TFmdbCC5mIY8Ci7M91kT4+ikqKJ3dMWiwhBrAQh766tSVHlyKw81P2kQGGD13Fe+pujPIPBTum9jAwhKDEgNA8Jgm+4NiOUq1n0mksFkbDqNj5vdvNAn0i5I/Y=,iv:e6VEUgGX51STIZdbKobyN/vwPgKwnrDNM/vA80EAtl4=,tag:zv+meM5/gJ8Ry4VtkBDTnQ==,type:str]", + "pgp": [ 
+ { + "created_at": "2023-06-28T12:20:31Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf+PR9rAWJHzPWF4LZ+/2yNTzMG0qbgiPevLCNcJCUp4DZ6\nCbBuHrEJVrOdQuCb/rKcgYtnr2Ec4cWZ5kk+wZVKNR6+GsloA1n4C7cY+5aWr7Oo\nKOpuZICUxMLgf/PlSUq5NBAG0oDfT71+N3uQJJhclaPs+P1EcjceX45s48t+A36v\nks8WMqgVMDw5TRxI377WzR7olS99eMAVaLISlu04OIIZw+J7cfaRAgA6gegF2rZZ\nNDYOBXlH4mqKGjmQ6SWyQODUUoAsk5hBWDV7LXyjGIh6Tld+wLlddjC5Abwp9H0m\n2FIDMbIokr72i9c1F1lRp+0PsQsF09UU1Mtg2iBjBdJeAd61RpZQ++a9VziqP1Ex\nMB4FPrsU4qgT3VsvvjYZzPyews5XHOczA/aocUFVf4r1QPFOwt/6wbSLnJ8g472c\nFfBuv+KTjKWLwJYtQDoHTKuiLcQDX5acbLLmT6GDxg==\n=GRPn\n-----END PGP MESSAGE-----\n", + "fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/machines/node/disk.nix b/machines/node/disk.nix index 257e5a9..c797379 100644 --- a/machines/node/disk.nix +++ b/machines/node/disk.nix @@ -5,10 +5,16 @@ type = "disk"; content = { type = "table"; - format = "msdos"; + format = "gpt"; partitions = [ { - index = 1; + name = "boot"; + start = "0"; + end = "1M"; + part-type = "primary"; + flags = [ "bios_grub" ]; + } + { name = "root"; start = "1MB"; end = "-4GB"; @@ -22,7 +28,6 @@ }; } { - index = 2; name = "swap"; start = "-4G"; end = "100%"; diff --git a/patches/colmena-disable-ssh-master.patch b/patches/colmena-disable-ssh-master.patch new file mode 100644 index 0000000..24f56a4 --- /dev/null +++ b/patches/colmena-disable-ssh-master.patch @@ -0,0 +1,13 @@ +diff --git a/src/nix/host/ssh.rs b/src/nix/host/ssh.rs +index 1622007..5824494 100644 +--- a/src/nix/host/ssh.rs ++++ b/src/nix/host/ssh.rs +@@ -345,6 +345,8 @@ impl Ssh { + "StrictHostKeyChecking=accept-new", + "-o", + "BatchMode=yes", + "-T", ++ "-o", "ControlMaster=no", ++ "-o", "ControlPath=/var/empty/non-existant", + ] + .iter() diff --git a/secrets.yaml b/secrets.yaml deleted file mode 100644 index 35f8939..0000000 --- a/secrets.yaml +++ /dev/null 
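Review bot: The new `bios_grub` partition mixes units with its neighbours — `end = "1M"` for the boot stub, `start = "1MB"` for root, `-4GB`/`-4G` around swap — and presumably relies on parted resolving `1M` and `1MB` to the same boundary; spelling every bound in one unit (e.g. `end = "1MiB";` and `start = "1MiB";`) removes that dependency. `part-type = "primary"` is an msdos concept and, now that `format = "gpt"`, probably has no effect beyond whatever disko passes to `mkpart`; drop it or comment why it is kept. With the `index` fields removed the partition order is now purely positional, which deserves a one-line comment above `partitions = [`.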
@@ -1,51 +0,0 @@ -ldap: - root: - password: ENC[AES256_GCM,data:bYuw+9ywfRDNVt0nrLDmWE8+f8aHQvGd,iv:JHU3MxmNdxI2a62Dcky8xhHhjhcxyjM0Z0xLEnLxJwU=,tag:3VW0zTlRFxLDI8WxGu1lew==,type:str] - login: - password: ENC[AES256_GCM,data:IFPwehOGSYore+HEv7MyymCKaOKn5XEH,iv:JTrZucSL/MohMgUdWqalpgjCCh7ueXd3cgNB0FuJo/U=,tag:o/1nvTrfojYsXYeuvxKfNg==,type:str] -beegfs: - connection: ENC[AES256_GCM,data:YTHMg76+5Azb+ex5ArUHt4xP+YYWr9Ph,iv:TEf8i+yezPsaW12Lg5jRnhds9uW9WhV6duZPdxeW9co=,tag:bPGsl7ofwE1Jh+FTyHJqzQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVVdBd0hvWG0zT3BTRGVh - NWxtdlJocy8wSnIvMUdoOVZYM0owMW9TWGxnCmZLcStDdzVvNlh3dzVQN0NvVUJw - S1l5aG9ocVp3RWNJbWl5bjVxT3U3WjQKLS0tIEZkdHk4dGM4YnloR2FZSkNWOWxo - cXg2OTd4OTRzN1MxWmtIczRleXdBU0UKID449Ln3KBshJVgn2RyZS5M73WGDWMs8 - HxrSlpf8HajxtU/iPpgkIRHLNIVa0C/1NlQOTvxPyDhEvuV31xm/JQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1q3tqh4w7yeae4xs0cxevtp5tn4gm8xthc39fsht2kv9rq7xm4q3qxqt9sh - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkM0ErekJGUlVRZDFQMFpN - UlBOdUpIMENSbEVMZnhKcFRLelBFZUlFdjFjCk9ucFExMmFGSjVnT0Mxdml0MVRI - NWNzeHM3cVpSMzE1STlHQkdKUW9NTm8KLS0tIDFSS2VWbHN4ckpCc3p0YXV3Mitp - T2h5bStSVFQ1YXM2TXgyQnk2amdQKzgKzncSU2ryAYQHlsSeFejE2NfHxoR9WJDm - jy2ALBMAInl7e5TP89QAEvthUrfyos3f8jV4GOQm7TIerYTr/5kctA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-06-01T13:46:17Z" - mac: ENC[AES256_GCM,data:Uei7c4/hHSqtv0bN2dLrF3mh6MYrx85N0KXO2R/Eu+78MTlwKPmCeD1H4tfyMTS4hJdjGYmk6H8Hj5K5B7irmb39BKnGWq86eFj9AxhODr4/nS0n1f+F4lX5R/3v5JJ4J54y0IymfQj/iN5QZsOGmVw9z8cFs5a9tUD118yYq3E=,iv:OXt5e854thU/SWFhoiy/YzDBqzF3M3GRXXIFaAX+Vrs=,tag:KuuxsINhybfd274v3z63qA==,type:str] - pgp: - - created_at: "2023-06-01T13:41:20Z" - enc: | - -----BEGIN PGP MESSAGE----- - - 
hQEMA5ntoryXZPD4AQf/X1yiMrb68+TJkcOH010pRLVUu6Wlsr51nFsuObSx+8Vs - I43EPxiFEHa5fQvi6KMqUgfc50aYfjcS8ZKy67B6Hf4F7h5kB2dGCkOjjmBLYX2W - dc20han6qDfPUFnp+owoNEspMvHjcGAhm1CKKFXS7cr4VgdRZCQPfmQwhHSnMk/B - ii4j1sgCNoOnzXUuEfZ0InN+VVKCxGtidAiFXjBtaoqordlFllje4znxXDjIHM8/ - APzRYtP1TcZG6c/WorgkOpwSIX4tz8ZNePmXdkbg9wxvg0lAb+ACX8vRGXBnbZ8d - oQ1dHcGfIaA+GWVF5uTuabShbHqL7cg2D+TJUWh1CdJeAYBQqSl/8mE2N9i8Vojx - shSnO2hCF2cTKU/gzSy8VYmvHiZTPKUcyffDRoTqBj77gmCwLUE0aIF2R7YkQor5 - SNe+HeQ6WxIJD2D09wvhDg+TD+jNskxEcjI8EMueZQ== - =l0Nv - -----END PGP MESSAGE----- - fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/shared/default.nix b/shared/default.nix index 67246b8..0eeae28 100644 --- a/shared/default.nix +++ b/shared/default.nix @@ -1,4 +1,4 @@ -{ pkgs, config, modulesPath, ... }: +{ pkgs, config, modulesPath, machine, ... }: { imports = [ @@ -6,13 +6,14 @@ ./users.nix ./ssh.nix ./rdma.nix + ./ssl.nix "${modulesPath}/profiles/headless.nix" "${modulesPath}/profiles/all-hardware.nix" ]; sops = { - defaultSopsFile = ../secrets.yaml; + defaultSopsFile = /${machine.path}/secrets.yaml; defaultSopsFormat = "yaml"; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; diff --git a/shared/network.nix b/shared/network.nix index a9fb894..7a219d4 100644 --- a/shared/network.nix +++ b/shared/network.nix @@ -8,7 +8,7 @@ ]; networking.nameservers = [ - "10.0.0.52" + "10.0.0.53" "10.1.1.10" ]; diff --git a/shared/secrets.yaml b/shared/secrets.yaml new file mode 100644 index 0000000..1011ae1 --- /dev/null +++ b/shared/secrets.yaml 
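Review bot: `defaultSopsFile = /${machine.path}/secrets.yaml` now resolves per machine type, but this commit only adds `machines/manager/secrets.yaml` (see the diffstat); for `type = "node"` there is no `machines/node/secrets.yaml`, so the first node secret that does not set its own `sopsFile` will fail evaluation. Either add an (initially empty) node secrets file in the same commit, or put a comment next to the option stating that every secret used on nodes must name its `sopsFile` explicitly, as `beegfs.nix` now does with `../../shared/secrets.yaml`. The `sops` attrset continues past the hunk.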
@@ -0,0 +1,49 @@ +ldap: + login: + password: ENC[AES256_GCM,data:IFPwehOGSYore+HEv7MyymCKaOKn5XEH,iv:JTrZucSL/MohMgUdWqalpgjCCh7ueXd3cgNB0FuJo/U=,tag:o/1nvTrfojYsXYeuvxKfNg==,type:str] +beegfs: + connection: ENC[AES256_GCM,data:YTHMg76+5Azb+ex5ArUHt4xP+YYWr9Ph,iv:TEf8i+yezPsaW12Lg5jRnhds9uW9WhV6duZPdxeW9co=,tag:bPGsl7ofwE1Jh+FTyHJqzQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUGZ5RXVyV3g3cXBMSmtt + d2tvL0ZhL01ISHE0RVB1alZDVFZ3RHRtZndVCnVGWDIrSmdsa055THdld0lUeEVq + NWxRUllKQkdhdkFvZkI5MEVXV212ZVkKLS0tIFlPWE84M2U1dUlLTGlLc2N1UXJV + UlV1UEs3cE9Bc0VqdWRSYmtOd3V1bTgK0q1nj4z4Tnso5ts4sCEn0jEunhFuuk+W + 5d3ktEhBY6vC/eNMmv0B9+Z9/Tw3dbmou/VATObWAvprIVR143oIIw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1s3evxsdz6zly5qn4fjfl4py8z35n8penm63uwmq0ge2kx0u4rsdq07cn90 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3S2dqcXM5UUNvWjZxU3pW + dytFeStXNUdaV3YxSXlKUkZuUFp6ajNTOGpRCkF0TzQ4U25lamZRUGhNeDE4blN5 + S2t3ZTVrWWVmSkN5V1VmVzdGcS9Za1kKLS0tIEE4azlPdTZoK09xTHNzc3dQNUIv + T0hhOHIxRXB0Y2g5M1BIK0R5cjBCcncKwZHZHnQN0GGnzOXFGDFhUqx8Nzxk3Vx2 + Gr+6Z/OjxFREPzDlrLS5No4huQiNMhMjacw2uqmcVLOVSVy8HaCHXg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-06-27T09:58:35Z" + mac: ENC[AES256_GCM,data:pPgwJnUdwQegqaCXdh7lweQq2Kos6szvo/mfBul+2TruUSSRXlGwKmNVLM2BuodMNZpTan2vCyvVlXvN4zBfW6nVWPzlBrCTbgtyBNodB+k3OJsfgUElQ32T9KccsMVuUsfKDzjhlFnV3NA9A7DVnrYz+jf1NcNSsz4yOjHudzA=,iv:ciFHyXhIcNFlB9fhzcAX8LICIsGPWDe29fxtjmJ0G+s=,tag:oldhGvm8vfPnuhpIXIpVWw==,type:str] + pgp: + - created_at: "2023-06-26T09:22:14Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA5ntoryXZPD4AQgAi8lqhO1SXvABXXZGNTaU+T4Z/9KWqGltg7nq4qhU44cN + Ge3zstD887gUsxoUEWCSUXoTHSoV6nilgs0KdIs1Jul6MVrK9xFqL9aQMfS4pTMS + 
oXRbkhtvzbNrxN091sh8rDxzG8OlCU+aE4IyPt4scdDMNviq8vebtmiQjOEv9M00
+ HDngyFHVMPsCzWW/cD1D/N/2xQFE9kt1GLbZsOoO41/muyiXVA6uoL8nFXlFZ5MR
+ H9hJRyfjH5XbGBguKzSPW9rtdbcZZfMark91JCodQQxnA+Tq15cUtM0lOTP6UZvt
+ 7EQ/ayD6T+wziYXR0iuc7m9uCKTJoY83PK3xkt02hNJeAWU6A33sEe5bPnepTHR+
+ 4kT+YxJY5etwYt5KbLCNtVRcL5cCc7jCyYq4m9kRn30evUyMJdmq02fjAi3JgVpW
+ DZeuooaR6CAQiT8O/BLfNIxRyebAKLJoo6l7szotTA==
+ =3PbD
+ -----END PGP MESSAGE-----
+ fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/shared/ssl.nix b/shared/ssl.nix
new file mode 100644
index 0000000..81f8e12
--- /dev/null
+++ b/shared/ssl.nix
@@ -0,0 +1,65 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+
+let
+ ca = pkgs.stdenv.mkDerivation {
+ name = "hpc-ca";
+
+ nativeBuildInputs = [ pkgs.minica ];
+
+ phases = [ "buildPhase" "installPhase" ];
+
+ buildPhase = ''
+ minica \
+ -ca-key ca.key.pem \
+ -ca-cert ca.cert.pem \
+ -domains "ca.${config.networking.domain}"
+ '';
+
+ installPhase = ''
+ mkdir -p $out
+
+ mv ca.key.pem $out/
+ mv ca.cert.pem $out/
+ '';
+ };
+
+ ca-cert = pkgs.runCommandNoCCLocal "hpc-ca.cert" { } ''
+ cp "${ca}/ca.cert.pem" $out
+ '';
+
+ mkCert = domain: pkgs.stdenv.mkDerivation {
+ name = "hpc-ca:${domain}";
+
+ nativeBuildInputs = [ pkgs.minica ];
+
+ phases = [ "buildPhase" "installPhase" ];
+
+ buildPhase = ''
+ minica \
+ -ca-key "${ca}/ca.key.pem" \
+ -ca-cert "${ca}/ca.cert.pem" \
+ -domains "${domain}"
+ '';
+
+ installPhase = ''
+ mkdir -p $out
+
+ mv "${domain}/key.pem" $out/
+ mv "${domain}/cert.pem" $out/
+
+ ln -s "${ca}/ca.cert.pem" $out/ca.pem
+ '';
+ };
+
+in
+{
+ security.pki.certificateFiles = [
+ ca-cert
+ ];
+
+ _module.args = {
+ inherit mkCert;
+ };
+}
diff --git a/shared/users.nix b/shared/users.nix
index 6f18cd8..48cb021 100644
--- a/shared/users.nix
+++ b/shared/users.nix
@@ -6,6 +6,7 @@ let
 baseDN = concatMapStringsSep "," (part: "dc=${part}") (splitString "." config.networking.domain);
+
 in
 {
 users.mutableUsers = false;
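Review bot: The `ldap/login/password` and `beegfs/connection` entries in this new shared/secrets.yaml carry byte-identical ENC ciphertext, iv and tag to the ones in the deleted top-level secrets.yaml, so the file was re-keyed to new recipients rather than re-encrypted, and the underlying sops data key is unchanged. One age recipient from the old file (`age1q3tqh4w…`) is no longer listed, yet whoever still holds that key can unwrap the retained data key from the old ciphertext, which stays in git history. If that key is meant to be retired, rotate the data key so the values are re-encrypted under a fresh one (`sops -r -i shared/secrets.yaml`), and consider changing the LDAP bind and BeeGFS credentials themselves, since removing a recipient alone does not revoke access to values it could already read.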
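Review bot: Both derivations move private keys into the Nix store — `mv ca.key.pem $out/` in `ca` and `mv "${domain}/key.pem" $out/` in `mkCert` — and `/nix/store` is world-readable on every host that realises or copies these paths, so the CA key and every leaf key are readable by any local user and by anything that can pull the closure. Since the CA certificate is also trusted system-wide through `security.pki.certificateFiles`, a copy of that key is enough to issue certificates every machine will accept. Consider keeping only certificates in the store and generating the key material outside Nix — e.g. create the CA key once and deliver it via sops, and have `mkCert` produce leaf keys on the target into a root-only directory — and add a header comment stating that `ca` is intentionally non-reproducible (a fresh random key per build), so two hosts building it independently end up with different CAs. Separately, `name = "hpc-ca:${domain}";` contains a colon, which I believe Nix rejects in store path names; `"hpc-ca-${domain}"` would be safer.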
@@ -21,13 +22,15 @@ in
 users.ldap = {
 enable = true;
- server = "ldap://ldap.${config.networking.domain}/";
- base = baseDN;
+ useTLS = true;
+
+ server = "ldaps://ldap.${config.networking.domain}/";
+ base = "ou=users,${baseDN}";
 daemon.enable = true;
 bind = {
- distinguishedName = "cn=root,${baseDN}";
+ distinguishedName = "cn=login,${baseDN}";
 passwordFile = config.sops.secrets."ldap/login/password".path;
 };
 };
@@ -42,6 +45,6 @@ in
 sops.secrets."ldap/login/password" = {
 owner = "nslcd";
- key = "ldap/root/password";
+ sopsFile = ./secrets.yaml;
 };
 }
diff --git a/sops.nix b/sops.nix
new file mode 100644
index 0000000..50c4aba
--- /dev/null
+++ b/sops.nix
@@ -0,0 +1,56 @@
+{ lib
+, callPackage
+, runCommandNoCCLocal
+, ssh-to-age
+, ...
+}:
+
+with lib;
+
+let
+ adminKeys = [
+ ''3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE''
+ ];
+
+ machines = callPackage ./machines.nix { };
+
+ sshToKey = name: path: runCommandNoCCLocal "sops-key-${name}.pub" { } ''
+ ${ssh-to-age}/bin/ssh-to-age < ${path} > $out
+ '';
+
+ # Map machine name to its key
+ machineKeys = listToAttrs (map
+ (machine:
+ let
+ keyFile = sshToKey "machine-${machine.name}" /${machine.gather}/ssh_host_ed25519_key.pub;
+ in
+ {
+ inherit (machine) name;
+ value = removeSuffix "\n" (readFile keyFile);
+ })
+ machines);
+
+ pattern = path: "^${escapeRegex path}/(${escapeRegex "secrets.yaml"}|secrets/.+)$";
+
+ machine_rules = map
+ (machine: {
+ "path_regex" = pattern "/machines/${machine.type}";
+ "key_groups" = [{
+ "age" = singleton (getAttr machine.name machineKeys);
+ "pgp" = adminKeys;
+ }];
+ })
+ machines;
+
+in
+{
+ config = {
+ "creation_rules" = machine_rules ++ [{
+ "relPath" = pattern "shared";
+ "key_groups" = [{
+ "age" = attrValues machineKeys;
+ "pgp" = adminKeys;
+ }];
+ }];
+ };
+}
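Review bot: `useTLS = true;` and the `ldaps://` URL two lines below configure two different TLS modes at once — if I recall the NixOS module correctly, `users.ldap.useTLS` enables STARTTLS on a plain `ldap://` connection, and its option description names an `ldaps://` server as the alternative rather than a complement. Keep one of them (the `ldaps://` URL is the simpler choice) and drop `useTLS = true;`. Either way it is worth confirming on a deployed host that nslcd actually verifies the server certificate against the CA from shared/ssl.nix (its `tls_reqcert` setting) rather than skipping validation, since an authenticated channel for the bind password is the point of this change. The enclosing module attribute set starts and ends outside the hunk.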
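Review bot: The shared rule at the bottom uses the key `"relPath"` while the machine rules above use `"path_regex"`; sops only knows the latter, so the last rule carries no path filter and matches every file, and because `pattern "/machines/${machine.type}"` yields `^/machines/…` — which, if I remember sops' matching correctly, never matches since `path_regex` is tested against the path relative to `.sops.yaml` — the net effect is that every secrets file, including the per-machine ones, gets encrypted to `attrValues machineKeys`, i.e. every host key. Change the two lines to `"path_regex" = pattern "shared";` and `"path_regex" = pattern "machines/${machine.type}";` and check the generated .sops.yaml before re-encrypting anything. A second issue: rules are emitted per machine but the regex is keyed by `machine.type`, so if several machines share a type (several compute nodes, say), only the first machine's rule can ever match and the others will not be able to decrypt their own secrets; grouping machines by type and listing all of their age keys in that type's rule would fix it. A short comment above `machine_rules` explaining that sops applies the first matching rule would also help the next reader.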