hpc
/
nixcfg
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Secrets, netinstall, ldap and stuff

main
Dustin Frisch 1 year ago
parent
f5465b23ee
commit
b418fce1bf
No known key found for this signature in database GPG Key ID: B4C3BF012D9B26BE
26 changed files with 631 additions and 174 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      .envrc
  2. 3
      .gitignore
  3. 13
      .sops.yaml
  4. 41
      deployment.nix
  5. 23
      flake.lock
  6. 23
      flake.nix
  7. 2
      gathered/node-00/ssh_host_ed25519_key.pub
  8. 65
      machines.nix
  9. 4
      machines/manager/beegfs.nix
  10. 3
      machines/manager/disk.nix
  11. 127
      machines/manager/ldap.nix
  12. 79
      machines/manager/netinstall/default.nix
  13. 22
      machines/manager/netinstall/installer.nix
  14. 39
      machines/manager/secrets.yaml
  15. 30
      machines/manager/secrets/ldap-sync.conf
  16. 30
      machines/manager/secrets/ldap-upstream.list
  17. 30
      machines/manager/secrets/saslauthd.conf
  18. 11
      machines/node/disk.nix
  19. 13
      patches/colmena-disable-ssh-master.patch
  20. 51
      secrets.yaml
  21. 5
      shared/default.nix
  22. 2
      shared/network.nix
  23. 49
      shared/secrets.yaml
  24. 65
      shared/ssl.nix
  25. 11
      shared/users.nix
  26. 56
      sops.nix

2
.envrc
View File

@ -2,3 +2,5 @@ use flake
watch_file "flake.nix" watch_file "flake.nix"
watch_file "flake.lock" watch_file "flake.lock"
watch_file "machines.nix"
watch_file "sops.nix"

3
.gitignore
View File

@ -1,3 +1,6 @@
/.pre-commit-config.yaml /.pre-commit-config.yaml
.gcroots .gcroots
.direnv .direnv
# nixago: ignore-linked-files
/.sops.yaml

13
.sops.yaml
View File

@ -1,13 +0,0 @@
keys:
- &admin_fooker 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
- &server_manager age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn
- &server_node-00 age1q3tqh4w7yeae4xs0cxevtp5tn4gm8xthc39fsht2kv9rq7xm4q3qxqt9sh
creation_rules:
- key_groups:
- pgp:
- *admin_fooker
age:
- *server_manager
- *server_node-00
path_regex: ^(secrets\.yaml|secrets/.+)$

41
deployment.nix
View File

@ -0,0 +1,41 @@
{ nixpkgs, disko, sops, gather, ... }@inputs:
let
deploymentPkgs = import nixpkgs {
localSystem.system = "x86_64-linux";
};
machines = deploymentPkgs.callPackage ./machines.nix { };
in
with deploymentPkgs.lib; let
mkMachine = machine: { lib, ... }: {
imports = [
./shared
./modules
(import /${machine.path} machine.opts)
disko.nixosModules.disko
sops.nixosModules.sops
gather.nixosModules.gather
];
_module.args = {
inherit machine;
};
};
in
{
meta = {
nixpkgs = deploymentPkgs;
specialArgs = {
inherit inputs;
};
};
} // (listToAttrs (map
(machine: nameValuePair machine.name (mkMachine machine))
machines))

23
flake.lock
View File

@ -30,11 +30,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1685450011,
"narHash": "sha256-/Az50GoWePZHL+Pkxy2ZuKW9zwIk+oVdzkR9xWomnpo=",
"lastModified": 1687747614,
"narHash": "sha256-KXspKgtdO2YRL12Jv0sUgkwOwHrAFwdIG/90pDx8Ydg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "0d270372b21818eba342954220c1a30a7bdaba19",
"rev": "fef67a1ddc293b595d62a660f57deabbcb70ff95",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -201,6 +201,22 @@
"type": "github" "type": "github"
} }
}, },
"ldap-sync": {
"flake": false,
"locked": {
"lastModified": 1688052624,
"narHash": "sha256-tQ0C/0zMgOYTSxzIy9koED4jzGNZygknrsC9Q6RtaJE=",
"ref": "refs/heads/main",
"rev": "69ce1d4f1a41ee313f5cb484a0bfecad9a545694",
"revCount": 11,
"type": "git",
"url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git"
},
"original": {
"type": "git",
"url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git"
}
},
"nixago": { "nixago": {
"inputs": { "inputs": {
"flake-utils": [ "flake-utils": [
@ -384,6 +400,7 @@
"colmena": "colmena", "colmena": "colmena",
"disko": "disko", "disko": "disko",
"gather": "gather", "gather": "gather",
"ldap-sync": "ldap-sync",
"nixago": "nixago", "nixago": "nixago",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"pre-commit-hooks": "pre-commit-hooks", "pre-commit-hooks": "pre-commit-hooks",

23
flake.nix
View File

@ -60,16 +60,26 @@
owner = "fooker"; owner = "fooker";
repo = "gather.nix"; repo = "gather.nix";
}; };
ldap-sync = {
type = "git";
url = "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git";
flake = false;
};
}; };
outputs = { nixpkgs, utils, ... }@inputs: {
colmena = import ./machines.nix inputs;
outputs = { nixpkgs, utils, disko, ... }@inputs: {
colmena = import ./deployment.nix inputs;
devShell = utils.lib.eachSystemMap utils.lib.allSystems (system: devShell = utils.lib.eachSystemMap utils.lib.allSystems (system:
let let
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
colmena = inputs.colmena.defaultPackage.${system};
colmena = inputs.colmena.defaultPackage.${system}.overrideAttrs (final: prev: {
patches = (prev.patches or [ ]) ++ [
./patches/colmena-disable-ssh-master.patch
];
});
pre-commit-hooks = inputs.pre-commit-hooks.lib.${system}.run { pre-commit-hooks = inputs.pre-commit-hooks.lib.${system}.run {
src = ./.; src = ./.;
@ -80,6 +90,12 @@
}; };
}; };
sops-hooks = inputs.nixago.lib.${system}.make {
data = (pkgs.callPackage ./sops.nix { }).config;
output = ".sops.yaml";
format = "yaml";
};
gather = pkgs.writeShellScript "gather" '' gather = pkgs.writeShellScript "gather" ''
ROOT=${toString ./.} ROOT=${toString ./.}
@ -108,6 +124,7 @@
shellHook = '' shellHook = ''
${pre-commit-hooks.shellHook} ${pre-commit-hooks.shellHook}
${sops-hooks.shellHook}
''; '';
}); });
}; };

2
gathered/node-00/ssh_host_ed25519_key.pub
View File

@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcyF+SJiS1f1j2Waa0Af2Mx4zxPHl6J3u9gaDMhE9Yv root@nixos
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjQy/rUZUmLjTAP2+IdkVzGS/VNLqn3bvRpNN8ouS04 root@node-00

65
machines.nix
View File

@ -1,48 +1,33 @@
{ nixpkgs, disko, sops, gather, ... }@inputs:
{ lib, ... }:
let
deploymentPkgs = import nixpkgs {
localSystem.system = "x86_64-linux";
};
with lib;
let
nrNodes = 1; nrNodes = 1;
in
with deploymentPkgs.lib; let
mkMachine = type: opts: { lib, ... }:
let
machine = import ./machines/${type} opts;
in
{
imports = [
./shared
./modules
machine
disko.nixosModules.disko
sops.nixosModules.sops
gather.nixosModules.gather
];
};
mkMachine = { name, type, opts ? { } }: rec {
inherit name type opts;
machines = {
manager = mkMachine "manager" { };
} // (listToAttrs (genList
(i: nameValuePair
"node-${fixedWidthNumber 2 i}"
(mkMachine "node" { id = i; })
)
nrNodes));
path = ./machines/${type};
in
{
meta = {
nixpkgs = deploymentPkgs;
specialArgs = {
inherit inputs;
gather = ./gathered/${name};
}; };
manager = mkMachine {
name = "manager";
type = "manager";
}; };
} // machines
nodes = genList
(i: mkMachine {
name = "node-${fixedWidthNumber 2 i}";
type = "node";
opts = { id = i; };
})
nrNodes;
in
concatLists [
[ manager ]
nodes
]

4
machines/manager/beegfs.nix
View File

@ -25,5 +25,7 @@ in
storage.enable = true; storage.enable = true;
}; };
sops.secrets."beegfs/connection" = {};
sops.secrets."beegfs/connection" = {
sopsFile = ../../shared/secrets.yaml;
};
} }

3
machines/manager/disk.nix
View File

@ -8,7 +8,6 @@
format = "gpt"; format = "gpt";
partitions = [ partitions = [
{ {
index = 1;
name = "root"; name = "root";
start = "100MiB"; start = "100MiB";
end = "-4GB"; end = "-4GB";
@ -22,7 +21,6 @@
}; };
} }
{ {
index = 2;
name = "swap"; name = "swap";
start = "-4G"; start = "-4G";
end = "100%"; end = "100%";
@ -34,7 +32,6 @@
}; };
} }
{ {
index = 3;
name = "ESP"; name = "ESP";
start = "1MiB"; start = "1MiB";
end = "100MiB"; end = "100MiB";

127
machines/manager/ldap.nix
View File

@ -1,16 +1,68 @@
{ lib, config, ... }:
{ pkgs, lib, config, inputs, mkCert, ... }:
with lib; with lib;
let let
ldap-sync =
let
wrapped = pkgs.callPackage inputs.ldap-sync { };
env = pkgs.runCommand "ldap-sync-env" { } ''
mkdir -p $out
ln -s ${config.sops.secrets."ldap/sync/config".path} $out/ldap-sync.properties
'';
in
pkgs.runCommand "ldap-sync-wrapper"
{
nativeBuildInputs = [ pkgs.makeWrapper ];
} ''
mkdir -p $out/bin
makeWrapper "${wrapped}/bin/ldap-sync" $out/bin/ldap-sync \
--chdir "${env}"
'';
baseDN = concatMapStringsSep "," baseDN = concatMapStringsSep ","
(part: "dc=${part}") (part: "dc=${part}")
(splitString "." config.networking.domain); (splitString "." config.networking.domain);
cert = mkCert "ldap.${config.networking.domain}";
cyrus_sasl = pkgs.cyrus_sasl.override {
enableLdap = true;
};
in in
{ {
services.openldap = { services.openldap = {
enable = true; enable = true;
package = (pkgs.openldap.overrideAttrs (final: prev: {
configureFlags = prev.configureFlags ++ [
"--enable-overlays"
"--enable-remoteauth"
"--enable-spasswd"
"--with-cyrus-sasl"
];
})).override {
inherit cyrus_sasl;
};
urlList = [ "ldap:///" "ldaps:///" ];
settings = { settings = {
attrs = {
olcLogLevel = "config ACL stats stats2 trace";
olcTLSCACertificateFile = "${cert}/ca.pem";
olcTLSCertificateFile = "${cert}/cert.pem";
olcTLSCertificateKeyFile = "${cert}/key.pem";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
#olcSecurity = "tls=1";
olcSaslHost = "localhost";
olcSaslSecProps = "none";
};
children = { children = {
"cn=schema".includes = [ "cn=schema".includes = [
"${config.services.openldap.package}/etc/schema/core.ldif" "${config.services.openldap.package}/etc/schema/core.ldif"
@ -33,24 +85,87 @@ in
olcAccess = [ olcAccess = [
# Custom access rules for userPassword attributes # Custom access rules for userPassword attributes
''{0}to attrs=userPassword ''{0}to attrs=userPassword
by self write
by self read
by anonymous auth by anonymous auth
by * none''
by * none
''
# Allow read on anything else
''{1}to *
by * read''
# Synced is managed by sync
''{1}to dn.subtree="ou=synced,ou=users,dc=hpc,dc=informatik,dc=hs-fulda,dc=de"
by dn.base="cn=sync,dc=hpc,dc=informatik,dc=hs-fulda,dc=de" manage
by * break
''
# Allow login to read users
''{2}to dn.subtree="ou=users,dc=hpc,dc=informatik,dc=hs-fulda,dc=de"
by dn.base="cn=login,dc=hpc,dc=informatik,dc=hs-fulda,dc=de" read
by self read
by * break
''
# Prevent access
''{3}to *
by * none
''
]; ];
}; };
children = {
"olcOverlay={0}remoteauth" = {
attrs = {
objectClass = [ "olcOverlayConfig" "olcRemoteAuthCfg" ];
olcOverlay = "{0}remoteauth";
olcRemoteAuthTLS = "starttls=yes tls_cacert=\"/etc/ssl/certs/ca-certificates.crt\"";
olcRemoteAuthDNAttribute = "seeAlso";
olcRemoteAuthDomainAttribute = "associatedDomain";
olcRemoteAuthDefaultDomain = "upstream";
olcRemoteAuthDefaultRealm = "file://${config.sops.secrets."ldap/upstream/list".path}";
olcRemoteAuthRetryCount = "3";
olcRemoteAuthStore = "false";
};
};
};
}; };
}; };
}; };
}; };
systemd.services.openldap = {
environment = {
SASL_PATH = pkgs.writeTextFile {
name = "openldap-sasl-path";
destination = "/slapd.conf";
text = ''
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: GSSAPI EXTERNAL PLAIN NTLM
'';
};
};
};
systemd.services."ldap-sync" = {
script = "${ldap-sync}/bin/ldap-sync";
startAt = "hourly";
};
sops.secrets."ldap/root/password" = { sops.secrets."ldap/root/password" = {
owner = "openldap"; owner = "openldap";
}; };
sops.secrets."ldap/sync/config" = {
format = "binary";
sopsFile = ./secrets/ldap-sync.conf;
};
sops.secrets."ldap/upstream/list" = {
format = "binary";
sopsFile = ./secrets/ldap-upstream.list;
owner = "openldap";
};
hpc.hostFile.aliases = [ hpc.hostFile.aliases = [
"ldap.${config.networking.domain}" "ldap.${config.networking.domain}"
]; ];

79
machines/manager/netinstall/default.nix
View File

@ -20,50 +20,51 @@ let
} }
]; ];
api = pkgs.linkFarm "pixiecore-api" (mapAttrs'
(mac: name: nameValuePair
"v1/boot/${mac}"
(pkgs.writeText "pixieboot-api-${name}" (
commands = pkgs.symlinkJoin {
name = "pxeboot";
paths = mapAttrsToList
(mac: name:
let let
boot = installer.config.system.build;
node = nodes.${name}.config.system.build; node = nodes.${name}.config.system.build;
boot = installer.config.system.build;
install = pkgs.writers.writeBash "install-${name}" ''
set -o errexit
set -o nounset
set -o pipefail
"${node.diskoScript}"
"${node.nixos-install}/bin/nixos-install" \
--root /mnt \
--system "${node.toplevel}" \
--no-channel-copy \
--no-root-password \
--verbose
reboot
'';
in in
builtins.toJSON {
kernel = "file://${boot.kernel}/bzImage";
initrd = "file://${boot.netbootRamdisk}/initrd";
cmdline = concatStringsSep "\n" [
"init=${boot.toplevel}/init"
"loglevel=4"
"nixos.install=${node.toplevel}"
];
message = "NixOS Automatic Installer for ${name}";
}
)))
targets);
pkgs.writers.writeBashBin "pxe-install-${name}" ''
exec ${pkgs.pixiecore}/bin/pixiecore \
boot "${boot.kernel}/bzImage" "${boot.netbootRamdisk}/initrd" \
--cmdline "init=${boot.toplevel}/init loglevel=4 nixos.install=${install}" \
--debug \
--dhcp-no-bind \
--port 64172 \
--status-port 64172 \
"$@"
'')
targets;
};
in in
{ {
services.pixiecore = {
enable = true;
mode = "api";
dhcpNoBind = true;
debug = true;
openFirewall = true;
port = 5080;
statusPort = 6080;
apiServer = "http://boot.${config.networking.domain}/pixiecore";
};
environment.systemPackages = [ commands ];
services.nginx = {
virtualHosts = {
"boot.${config.networking.domain}" = {
locations."/".proxyPass = "http://localhost:${toString config.services.pixiecore.port}";
locations."/status".proxyPass = "http://localhost:${toString config.services.pixiecore.statusPort}";
locations."/pixiecore".root = api;
networking.firewall = {
allowedTCPPorts = [ 4011 64172 ];
allowedUDPPorts = [ 67 69 ];
}; };
};
};
hpc.hostFile.aliases = [
"boot.${config.networking.domain}"
];
} }

22
machines/manager/netinstall/installer.nix
View File

@ -3,13 +3,29 @@
with lib; with lib;
let let
auto-install = pkgs.writeShellScript "nixos-install" ''
auto-install = pkgs.writers.writeBash "auto-install" ''
set -o errexit
set -o nounset
set -o pipefail
set -x
if [[ "$(cat /proc/cmdline)" =~ nixos\.install=([^ ]+) ]]; then if [[ "$(cat /proc/cmdline)" =~ nixos\.install=([^ ]+) ]]; then
INSTALL="''${BASH_REMATCH[1]}" INSTALL="''${BASH_REMATCH[1]}"
else else
echo "No install derivation found" >&2 echo "No install derivation found" >&2
exit 1 exit 1
fi fi
${pkgs.retry}/bin/retry \
--times 10 \
--delay 15 \
-- ${pkgs.nix}/bin/nix-store \
--realize \
--add-root /tmp/install \
"$INSTALL"
exec /tmp/install
''; '';
in in
{ {
@ -31,8 +47,12 @@ in
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
conflicts = [ "getty@tty1.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ pkgs.bash pkgs.nix ];
unitConfig = { unitConfig = {
AssertKernelCommandLine = "nixos.install"; AssertKernelCommandLine = "nixos.install";

39
machines/manager/secrets.yaml
View File

@ -0,0 +1,39 @@
ldap:
root:
username: ENC[AES256_GCM,data:aXIFdQ==,iv:tdC7GFit0LrO4DJL3vbI6uKCDXeYAOwDGwvOqrvn9mM=,tag:x1mBwe+K+UKjCpGO5qKMuQ==,type:str]
password: ENC[AES256_GCM,data:Q42VVdHaPZuvLR4HJ11CICpx61qTpw/v,iv:GhsXDsWxRinPOG+uMzy/uvxvMB1G8OKu4yH0a8achJc=,tag:yEWD4slZu/kDEV8ZJs43Hg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0anVoM3dITTB3SnN5OEZF
VWpLTzg1cXZUTlhkZFl2dm8yWCtSWlRwRW5rCkRNK24wTHFkQk5WdVhEQjVGRTVh
Vy9pazNwZGRWblJVVHJSa1E1OWN4RTgKLS0tIElZc3BncTFwbEhjRjFickdWWXNY
Sms0RWZ0RUhwNGVvbFk1dDBVZHcvZTQKEeTTP2Ked+C9XgKxVug/KIcJ/ES9nLRc
n5DsivfiAsoALxTsIRJvjPt/PNZimIeO3nobFPNuvQLb7Q27++My/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-06-27T09:57:35Z"
mac: ENC[AES256_GCM,data:QpMkI/w+J49DeQ0EDrz+6WtbtvJrgNChI1Z4PNNjdD2cik9wvtZNMUhjJVV18dUxWRH3dkhwX7Jt4mPhlDjhDspbkKsNjKaSApOS8AACybs8FqodvlUCU2mF+xG4beblQn3n8oPcqc5kjbAFc2r+mPSb4b7rcoS+xrB3rKUJTng=,iv:xsjx8Gz5UfpAXMEDEzMA4Kau4BI0vq3xvgfFvHS4uFo=,tag:aiFD1PXsHtiXFrx+legUhw==,type:str]
pgp:
- created_at: "2023-06-27T09:57:24Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA5ntoryXZPD4AQgAivbPI9NjQLAaIi4wE62yy1snYbzsZxsV4fktk4ebhYBQ
buvDARS3ZGQV9Tqi2xfmGx7SF3QHHWkqcYNMuBrjKSLIsgnLYW0sKd3fTU0/yux4
7b+duZO66r2gjlFwf7dFKBwn62ln4eLtvHREZbB0UWACaRdwQnmQdRL2v9hQXbcU
/TQiq0msqCfSRLao3wWWl4LvyVY8Uv31K9Kt8NGJYL0yWYuIUMXJhx+ioIbqEBOL
XOEl4JVmR4nZ6Y/aQ3FIeW/+QjXiqenVect7i52+Bv6kVzc10Zeu0qYRI1o6hpLL
iS+/cNaNfu6QZRrypQpkzTjY3kzWWgLI9WhC40pxdtJcASZvVAQqtn3eR5FBs2/N
oRC9WrVE/b8NhgmpJXtbJkTwNLDKZ5rX0/k1lBpqmSKUgfc4Sr9HMzlHsmmIc91F
p5WpSSH0uHoebg6QnNqQXcRRk4Zh7SU4YSEJHNY=
=gHvl
-----END PGP MESSAGE-----
fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
unencrypted_suffix: _unencrypted
version: 3.7.3

30
machines/manager/secrets/ldap-sync.conf
View File

@ -0,0 +1,30 @@
{
"data": "ENC[AES256_GCM,data:j4Gf2o5bInxx7kIK6zAbe6BzWKpSTDHhNXL7SigHb1RlSKpRj6JJ/M56h9omr+Aa6mNAacUiiiqkOjyT2n7w3+1OdQVcR+ZGTvRHc9TJGvQ483SxuiW5mjSYAxJ3fhJONU6KHYEauMIT/MSTgYO9NInUG9p05cZgIw5QGBFqEpHj/DiQ3EL2elvmu4YbaC4J3I2DrxZdh5i60yrWq2ny4UdpqqK8XEbfN7SY+8VDis73JCGEULJVhsYodlSx4ZMBXS0rbce7SZjJ/3O4EaCUJJOjcMcn5o7sOtXGUUAMpNnVvUuoz6SArkwGgfheL+HTf1z7rJzNpZJ2nvMFn8M0fAfH2okpX14rPvGOaYusV+VtOPwAMd4axrR0BHuDkV5L1tTyiQHcjrt6775kGuo3O+q+je3Ok5SZLu6Ysgkt3Y0T9QLYcKBc0UX+d0K3n6A8esUIBIj4KWc1iNjeE73eMb9lyp+6hFiv4TxHnsssgDMvam5KyH3Ltd5ZfqtH51CSSbi9QcvXi3ynODBVxoI1pvIIbPgaah6yGSdNH3QjZ7TtSa5yXkncwmtYhZa2DoNeTav40Uko0xdYqTOuHsOpBoH0fw9CVmoxsTjcvvhIXjLeXv4N9RelKkkFKuDK3QZojdUzoKXPt2HLjonH5Pqgk0xVSqiMHFbIQJ0uPirWEHJsJKCQfjyxkzYm24EfeAbSYLLGGMzebWB4rZw/acDA/+RdD2c+aL+L1EvRz3Tmqw4jwqwhJKeYIsuyLRG64MjmEnIlkIhfR1gSebPuEseBrsFg+0mOO8xS9aoFKJ1jujzYHxcQfyE+gW2qXIFcmBXHknM1wJI03fmyxyUIU19pPK17d1D+C1WPFvsNavXhQAXJRqUqGlUjGhqFM63w7Ij7vZHpcDaHZ69w6rPjuN/wuXHczNbdyWc0W6jp5sWYLZi+xRpYbKprfg9YL6o+zzb7D1yoxIUOty6XiVrlHb/lJlJ0t4CJbbtXNsXVNfojJ32otYM2t/X16+EdWLaFpqy2g8819luVrL+bDENm3bmtq9ARewBMGnGC4hCNaRRRnN9o9AX3sXyIgpOYotFpB/Vpl5CVQ6c1ODjNQJQgcFI=,iv:f1ZwZgu9UyzGnxE3qKPl4K6tlnqvk9jPLAYVXP7W+jI=,tag:iAXKNN/EFh4Z5HjDQogNPQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvS3l2MU4ycE9idHIwREU0\nM3k0c05idmNqVlB5anVONCtXRWNzckROYVI0CmdhVDkyVGtyczYzTGREVmpyR2g1\ncGtWeDc0Y1lqSVVWV3plZHU2cXVNZzgKLS0tIE1nYWxQL204SFNyTEVGQytJdk12\nQ3NVNHRIMTAyalBoSVBuVkNKWEhzdTgKd5b9zzarSyxl8CAugOVVJzEAG0N2mn70\nxB0PPSzXFv0fILb1h8A5bdDf1snxsbdIAfUWucSX3arCoU5l6LmHRQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1s3evxsdz6zly5qn4fjfl4py8z35n8penm63uwmq0ge2kx0u4rsdq07cn90",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOUsrS2tyTUVEUEZaN3pR\nR0drZ3JDdUtMRHhJaGtONWtwK2Ftc1JsUFRJCjZtYXFubmlpTWtHNVpRU1ZhdThl\nUFVXUERDazdvSGtDOXc1VFNqeTRKRGcKLS0tIDhTdWhWU0dCUUYrZkdSRkVxbGFE\nYkg2Nk42VnUwZFhZVXdsWHFKYnUrMVEK0Aj6aON/QIFT2fsv2D9Ajvu+f6mHT4Q3\nm5uo99snnGEl3VIcvhC2yKGEtw3XOVpCfk5xHYLV2nlSs4WCc2DrkA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-06-29T15:34:22Z",
"mac": "ENC[AES256_GCM,data:T4RlkuFsOJflLOkuvfRnhtnAp5iytfSPEla+Tf4v2zvdo1Gvh3wBmCItBdxhL8mGAl7JZCtJ5InGEccxsjBi+rgNrw9iQwYJMk4hLi6NrUYRCObhzk06JyMW3XM5N4yOQZBUEg/KWUuFR9oQhIP5A0pPdYqctalTg2GKTyusERo=,iv:dErVyHcD9A3elIZcOa0S5kryC6jmYeW4xxvfjHHviZ4=,tag:OupqMXrY147GxxEow7Hkjw==,type:str]",
"pgp": [
{
"created_at": "2023-06-26T09:22:36Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf/f7WlPOXFZGMzz/XKT0wU5HyzkdAkZg6uzSWMYeFzuzyL\nFjuAL3b1gQ5ACXwxUaoUtAN4iXdHdVtJDZxqgYiDHoqd4KBG0DtWZUzvgpT+nbcr\nkE1nQnV0Y7GIgpoJFblQKAsCYikbYGhzptHhsYRY7jB5wseOEyaEV1nS4Bh0E8rc\ndAVI8G7XreIU04cMixIqPd7f1gND/E1y1XhqoT8eQXsa43Ozi9BEobjaAXPnCjsd\nOiMcGvIYW+w+kdY2Q0R4SN3GNRt3KJnBVnL/PCuffz5xQxlnwEvS0palQNioGvrN\nfhXG5JO6cdxgExhjcw/HJEdHjl8iCG15NN6Z0ZDhD9JeAUPRivJeq1CvGJlrkD3U\nAANHHBAyQgpti23908tOsvePujOrYu2+OyG4SN5pdPvNCroDPoKTDGBik7ZvK6J8\n6TowTtKHE0xlhgRcKNNT0qYk02kmbbwtgvLuliBodw==\n=BlGq\n-----END PGP MESSAGE-----\n",
"fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

30
machines/manager/secrets/ldap-upstream.list
View File

@ -0,0 +1,30 @@
{
"data": "ENC[AES256_GCM,data:u6XAULb0jpux4kvwJipsX0rMTQ5oLP5UtPZNNOJ7ujuv,iv:HuowckOTkBG0NOM6aRJUmJA3f9L0SxVm/w9WAXG4l6Q=,tag:2OKpVjxvFA0nELtWhPcSPQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzRXhlTTBXRG01clZSTFpV\na1pTOGVac3JlOVdDRzFyd0xGeWFPbmN6empvClpJa2N5Ui9NVlNoNnFHUHBlSGl3\nVnpGd21zYVBlUGpIR2hrQk5MSXdHYlEKLS0tIFcrS0NpaERzbVdZQlVWY3dSUG1u\nMnQzWVVrOGd5TWJxYUZPZVFsTmlvWDQK44uh8H1soJ14eUxtCfcFpKf91zzYuwke\n6LZD0ugNeU61vGNltdI573Vz5e12+t7rxSd/Jdl9ADlGN1Mvnw4SUw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1s3evxsdz6zly5qn4fjfl4py8z35n8penm63uwmq0ge2kx0u4rsdq07cn90",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZkJBY1ZIdXYwblFmTHYy\nelZkbEFDU3Z4T05KdWtQVFQrTEc5NUFhdUZJCjd0Ri9rV2V4cmxXVFJUbHQxVG9r\naTZLemhlQnBIdEh3Z0oyV3pPa1JhL2cKLS0tIGVhdkV3d2lEQ3MzanpNVnQrQS92\nL2VZdVpSZjlCQzJQTWY1V1EzSzZvL2sKu4UPoUmkuU60oIKlDgly1D8UjWuKVwnF\nBSUFf+m7ssAg1OK2uYbjWC6/XBo4nmmltKac1sEwALxadU2/kBDu3w==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-06-29T14:33:42Z",
"mac": "ENC[AES256_GCM,data:ZDmRDxJPSmWmZL/daV37H1s9kTp5j8/WK0GbQ6JZef9OHWTXrlpUyZWSkh/mCVbIs9bD96WVos4rLX5rDOlIcMiMXEKcsw63M9KcMlLWvjqkK/D+fnhIqAiNwNPwd4aAV4SaS+3UVlucKgQIaSl06ibrEX1/dTg4by17xEIx43c=,iv:V5mN7N1dewLwqnIWKih6Uu/ocKZ1hU5wcoNW1KSF5x0=,tag:7m3KSBREQSK5ch5PZhPLgA==,type:str]",
"pgp": [
{
"created_at": "2023-06-29T08:41:58Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf/QTiDvYzIo69KMIL2Q4zfpusal9NWTdIuHGV9UmgcuwvP\nhfPa4HTXlNWoE/YBBh8AvwQemrup6toH7V+mbsNlUWJXN+Pwj/+0OMe1Cl+X/VUf\nojE5Rkr2PJBcSRW2sEa2RlVhjPALxR8UR6NKc4HkJVvBnJUng7lxOPXSQOE5M245\n3G44tKDIrQIId7naQNh9fcGJksrtJnbYufMdBOJlwwNueeEJ/ovlGvN8dU/s8OzU\nTML0QD+nRM+vz/hKOAU9R4pYO1qxViVhgeOyms5MRgSyWYLy+HsYx4xByGXNcv8I\nJ58NEYgqICkYYUNeVDr3ONsEYN0hL4VSksX2RacqbdJeAVaUtSRUH1kknrN1gAlA\nx2LB/PFFCR2aGsQWYWnBPhjtdVAVy4flUDtTkquQp837hQZZre+xEP4snY05RYdv\nhqzm7g3iZbDO/nRnsEWj13dygzHwGHruVk3T7XqQxw==\n=BGBU\n-----END PGP MESSAGE-----\n",
"fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

30
machines/manager/secrets/saslauthd.conf
View File

@ -0,0 +1,30 @@
{
"data": "ENC[AES256_GCM,data:pekng5DHyeza16XqzFIxKWKktRUZ8mMDnjMGln47d2K6ojzl7KetDwDeyjq25RRTL8ssev/hbHI/7jZo56KI8rKjJ4AsQrECNUu8djjek6yfwPonzSP58nKYllufQiQGPq6yIc7VxMX5wBARh03/2KtObOmiPvGmyFasSVv9Vfg0rCgTG7kD3D6Xvha8fd17I8cl9fFZJH5SsDuzFgyGanwaol7FumXzBwDq4HbQG43aC/YctjwgZaVA7Y9Gah3IULies2r54Le5DCd+Maysg3mJ+3uwEOxqtwumVX4KyGnZ7MpJSwu574xgVj5xFSCAt5W97IoeOWHV+Xru6JQCR/p6UC1VSnJzNFL9TjqW39qNOKgrpsN9b5KciPiLBTTpJF7ij23rYZ0jBkuYeEH7jCzIiaW/P08G2RU/gg==,iv:u7YpDyqO/61JLk5AmBLzgtfkzoJs4I1CIew99lAgXzM=,tag:JXCYrT92t0n7TMtYbe1iEQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcFA3bTVxNnRJREtqU2dN\nSFFtUzVyVjdxclFwSHhibEJLMjZXNDZYQ1ZVCnFOVE9sY01QWXlBNlViRDJpb3Z5\nSVBTamR2V1lPVTNUSktRVTloc2hyU2MKLS0tIG5rdm9TYlpHS2JWMTVEUlYvUm1T\nN2Y4UDB6K2VqbFRSSVpKSXUzaFNqYXMK1FtROF7wMlwtKNIN55fWS+OXovVfwzML\n9uObWRxuI2ePJz6pTIhDGJ3m9azGepG02ynX/ZpZ3ggkTnULL+pV3w==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1s3evxsdz6zly5qn4fjfl4py8z35n8penm63uwmq0ge2kx0u4rsdq07cn90",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdGM0Z2VPdEs2VWd4a1lU\nN25XdUFXMkt6cHBNeHBUMUNPc1pBYXRKTmxNClI1UGZYZEROTTF6YUVMQ1JhZ3hZ\nRzk3bHBhS1Yvamh4eDZDajVCUWxUQ1EKLS0tIDVodVpIYkVsSnhJZTM4WkxTbnNz\nTTRESnlSZVdndVR0UGJRSkRvTVo5b3MK5ncgqt7iq5C2WSskWK4Aqy8lONpEgHbA\ncRXaXwO9dbRd9Qo9Am1VeKHyPXVOga/pJONPt6SNBjWhvpBiwStzDQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-06-28T12:21:14Z",
"mac": "ENC[AES256_GCM,data:IbNlGRnejcbpN8JkHZZ5S0brF7HxJnB9+scAZ4lStO0HuUG32TFmdbCC5mIY8Ci7M91kT4+ikqKJ3dMWiwhBrAQh766tSVHlyKw81P2kQGGD13Fe+pujPIPBTum9jAwhKDEgNA8Jgm+4NiOUq1n0mksFkbDqNj5vdvNAn0i5I/Y=,iv:e6VEUgGX51STIZdbKobyN/vwPgKwnrDNM/vA80EAtl4=,tag:zv+meM5/gJ8Ry4VtkBDTnQ==,type:str]",
"pgp": [
{
"created_at": "2023-06-28T12:20:31Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf+PR9rAWJHzPWF4LZ+/2yNTzMG0qbgiPevLCNcJCUp4DZ6\nCbBuHrEJVrOdQuCb/rKcgYtnr2Ec4cWZ5kk+wZVKNR6+GsloA1n4C7cY+5aWr7Oo\nKOpuZICUxMLgf/PlSUq5NBAG0oDfT71+N3uQJJhclaPs+P1EcjceX45s48t+A36v\nks8WMqgVMDw5TRxI377WzR7olS99eMAVaLISlu04OIIZw+J7cfaRAgA6gegF2rZZ\nNDYOBXlH4mqKGjmQ6SWyQODUUoAsk5hBWDV7LXyjGIh6Tld+wLlddjC5Abwp9H0m\n2FIDMbIokr72i9c1F1lRp+0PsQsF09UU1Mtg2iBjBdJeAd61RpZQ++a9VziqP1Ex\nMB4FPrsU4qgT3VsvvjYZzPyews5XHOczA/aocUFVf4r1QPFOwt/6wbSLnJ8g472c\nFfBuv+KTjKWLwJYtQDoHTKuiLcQDX5acbLLmT6GDxg==\n=GRPn\n-----END PGP MESSAGE-----\n",
"fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

11
machines/node/disk.nix
View File

@ -5,10 +5,16 @@
type = "disk"; type = "disk";
content = { content = {
type = "table"; type = "table";
format = "msdos";
format = "gpt";
partitions = [ partitions = [
{ {
index = 1;
name = "boot";
start = "0";
end = "1M";
part-type = "primary";
flags = [ "bios_grub" ];
}
{
name = "root"; name = "root";
start = "1MB"; start = "1MB";
end = "-4GB"; end = "-4GB";
@ -22,7 +28,6 @@
}; };
} }
{ {
index = 2;
name = "swap"; name = "swap";
start = "-4G"; start = "-4G";
end = "100%"; end = "100%";

13
patches/colmena-disable-ssh-master.patch
View File

@ -0,0 +1,13 @@
diff --git a/src/nix/host/ssh.rs b/src/nix/host/ssh.rs
index 1622007..5824494 100644
--- a/src/nix/host/ssh.rs
+++ b/src/nix/host/ssh.rs
@@ -345,6 +345,8 @@ impl Ssh {
"StrictHostKeyChecking=accept-new",
"-o",
"BatchMode=yes",
"-T",
+ "-o", "ControlMaster=no",
+ "-o", "ControlPath=/var/empty/non-existant",
]
.iter()

51
secrets.yaml
View File

@ -1,51 +0,0 @@
ldap:
root:
password: ENC[AES256_GCM,data:bYuw+9ywfRDNVt0nrLDmWE8+f8aHQvGd,iv:JHU3MxmNdxI2a62Dcky8xhHhjhcxyjM0Z0xLEnLxJwU=,tag:3VW0zTlRFxLDI8WxGu1lew==,type:str]
login:
password: ENC[AES256_GCM,data:IFPwehOGSYore+HEv7MyymCKaOKn5XEH,iv:JTrZucSL/MohMgUdWqalpgjCCh7ueXd3cgNB0FuJo/U=,tag:o/1nvTrfojYsXYeuvxKfNg==,type:str]
beegfs:
connection: ENC[AES256_GCM,data:YTHMg76+5Azb+ex5ArUHt4xP+YYWr9Ph,iv:TEf8i+yezPsaW12Lg5jRnhds9uW9WhV6duZPdxeW9co=,tag:bPGsl7ofwE1Jh+FTyHJqzQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVVdBd0hvWG0zT3BTRGVh
NWxtdlJocy8wSnIvMUdoOVZYM0owMW9TWGxnCmZLcStDdzVvNlh3dzVQN0NvVUJw
S1l5aG9ocVp3RWNJbWl5bjVxT3U3WjQKLS0tIEZkdHk4dGM4YnloR2FZSkNWOWxo
cXg2OTd4OTRzN1MxWmtIczRleXdBU0UKID449Ln3KBshJVgn2RyZS5M73WGDWMs8
HxrSlpf8HajxtU/iPpgkIRHLNIVa0C/1NlQOTvxPyDhEvuV31xm/JQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1q3tqh4w7yeae4xs0cxevtp5tn4gm8xthc39fsht2kv9rq7xm4q3qxqt9sh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkM0ErekJGUlVRZDFQMFpN
UlBOdUpIMENSbEVMZnhKcFRLelBFZUlFdjFjCk9ucFExMmFGSjVnT0Mxdml0MVRI
NWNzeHM3cVpSMzE1STlHQkdKUW9NTm8KLS0tIDFSS2VWbHN4ckpCc3p0YXV3Mitp
T2h5bStSVFQ1YXM2TXgyQnk2amdQKzgKzncSU2ryAYQHlsSeFejE2NfHxoR9WJDm
jy2ALBMAInl7e5TP89QAEvthUrfyos3f8jV4GOQm7TIerYTr/5kctA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-06-01T13:46:17Z"
mac: ENC[AES256_GCM,data:Uei7c4/hHSqtv0bN2dLrF3mh6MYrx85N0KXO2R/Eu+78MTlwKPmCeD1H4tfyMTS4hJdjGYmk6H8Hj5K5B7irmb39BKnGWq86eFj9AxhODr4/nS0n1f+F4lX5R/3v5JJ4J54y0IymfQj/iN5QZsOGmVw9z8cFs5a9tUD118yYq3E=,iv:OXt5e854thU/SWFhoiy/YzDBqzF3M3GRXXIFaAX+Vrs=,tag:KuuxsINhybfd274v3z63qA==,type:str]
pgp:
- created_at: "2023-06-01T13:41:20Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA5ntoryXZPD4AQf/X1yiMrb68+TJkcOH010pRLVUu6Wlsr51nFsuObSx+8Vs
I43EPxiFEHa5fQvi6KMqUgfc50aYfjcS8ZKy67B6Hf4F7h5kB2dGCkOjjmBLYX2W
dc20han6qDfPUFnp+owoNEspMvHjcGAhm1CKKFXS7cr4VgdRZCQPfmQwhHSnMk/B
ii4j1sgCNoOnzXUuEfZ0InN+VVKCxGtidAiFXjBtaoqordlFllje4znxXDjIHM8/
APzRYtP1TcZG6c/WorgkOpwSIX4tz8ZNePmXdkbg9wxvg0lAb+ACX8vRGXBnbZ8d
oQ1dHcGfIaA+GWVF5uTuabShbHqL7cg2D+TJUWh1CdJeAYBQqSl/8mE2N9i8Vojx
shSnO2hCF2cTKU/gzSy8VYmvHiZTPKUcyffDRoTqBj77gmCwLUE0aIF2R7YkQor5
SNe+HeQ6WxIJD2D09wvhDg+TD+jNskxEcjI8EMueZQ==
=l0Nv
-----END PGP MESSAGE-----
fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
unencrypted_suffix: _unencrypted
version: 3.7.3

5
shared/default.nix
View File

@ -1,4 +1,4 @@
{ pkgs, config, modulesPath, ... }:
{ pkgs, config, modulesPath, machine, ... }:
{ {
imports = [ imports = [
@ -6,13 +6,14 @@
./users.nix ./users.nix
./ssh.nix ./ssh.nix
./rdma.nix ./rdma.nix
./ssl.nix
"${modulesPath}/profiles/headless.nix" "${modulesPath}/profiles/headless.nix"
"${modulesPath}/profiles/all-hardware.nix" "${modulesPath}/profiles/all-hardware.nix"
]; ];
sops = { sops = {
defaultSopsFile = ../secrets.yaml;
defaultSopsFile = /${machine.path}/secrets.yaml;
defaultSopsFormat = "yaml"; defaultSopsFormat = "yaml";
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

2
shared/network.nix
View File

@ -8,7 +8,7 @@
]; ];
networking.nameservers = [ networking.nameservers = [
"10.0.0.52"
"10.0.0.53"
"10.1.1.10" "10.1.1.10"
]; ];

49
shared/secrets.yaml
View File

@ -0,0 +1,49 @@
ldap:
login:
password: ENC[AES256_GCM,data:IFPwehOGSYore+HEv7MyymCKaOKn5XEH,iv:JTrZucSL/MohMgUdWqalpgjCCh7ueXd3cgNB0FuJo/U=,tag:o/1nvTrfojYsXYeuvxKfNg==,type:str]
beegfs:
connection: ENC[AES256_GCM,data:YTHMg76+5Azb+ex5ArUHt4xP+YYWr9Ph,iv:TEf8i+yezPsaW12Lg5jRnhds9uW9WhV6duZPdxeW9co=,tag:bPGsl7ofwE1Jh+FTyHJqzQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUGZ5RXVyV3g3cXBMSmtt
d2tvL0ZhL01ISHE0RVB1alZDVFZ3RHRtZndVCnVGWDIrSmdsa055THdld0lUeEVq
NWxRUllKQkdhdkFvZkI5MEVXV212ZVkKLS0tIFlPWE84M2U1dUlLTGlLc2N1UXJV
UlV1UEs3cE9Bc0VqdWRSYmtOd3V1bTgK0q1nj4z4Tnso5ts4sCEn0jEunhFuuk+W
5d3ktEhBY6vC/eNMmv0B9+Z9/Tw3dbmou/VATObWAvprIVR143oIIw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1s3evxsdz6zly5qn4fjfl4py8z35n8penm63uwmq0ge2kx0u4rsdq07cn90
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3S2dqcXM5UUNvWjZxU3pW
dytFeStXNUdaV3YxSXlKUkZuUFp6ajNTOGpRCkF0TzQ4U25lamZRUGhNeDE4blN5
S2t3ZTVrWWVmSkN5V1VmVzdGcS9Za1kKLS0tIEE4azlPdTZoK09xTHNzc3dQNUIv
T0hhOHIxRXB0Y2g5M1BIK0R5cjBCcncKwZHZHnQN0GGnzOXFGDFhUqx8Nzxk3Vx2
Gr+6Z/OjxFREPzDlrLS5No4huQiNMhMjacw2uqmcVLOVSVy8HaCHXg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-06-27T09:58:35Z"
mac: ENC[AES256_GCM,data:pPgwJnUdwQegqaCXdh7lweQq2Kos6szvo/mfBul+2TruUSSRXlGwKmNVLM2BuodMNZpTan2vCyvVlXvN4zBfW6nVWPzlBrCTbgtyBNodB+k3OJsfgUElQ32T9KccsMVuUsfKDzjhlFnV3NA9A7DVnrYz+jf1NcNSsz4yOjHudzA=,iv:ciFHyXhIcNFlB9fhzcAX8LICIsGPWDe29fxtjmJ0G+s=,tag:oldhGvm8vfPnuhpIXIpVWw==,type:str]
pgp:
- created_at: "2023-06-26T09:22:14Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA5ntoryXZPD4AQgAi8lqhO1SXvABXXZGNTaU+T4Z/9KWqGltg7nq4qhU44cN
Ge3zstD887gUsxoUEWCSUXoTHSoV6nilgs0KdIs1Jul6MVrK9xFqL9aQMfS4pTMS
oXRbkhtvzbNrxN091sh8rDxzG8OlCU+aE4IyPt4scdDMNviq8vebtmiQjOEv9M00
HDngyFHVMPsCzWW/cD1D/N/2xQFE9kt1GLbZsOoO41/muyiXVA6uoL8nFXlFZ5MR
H9hJRyfjH5XbGBguKzSPW9rtdbcZZfMark91JCodQQxnA+Tq15cUtM0lOTP6UZvt
7EQ/ayD6T+wziYXR0iuc7m9uCKTJoY83PK3xkt02hNJeAWU6A33sEe5bPnepTHR+
4kT+YxJY5etwYt5KbLCNtVRcL5cCc7jCyYq4m9kRn30evUyMJdmq02fjAi3JgVpW
DZeuooaR6CAQiT8O/BLfNIxRyebAKLJoo6l7szotTA==
=3PbD
-----END PGP MESSAGE-----
fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
unencrypted_suffix: _unencrypted
version: 3.7.3

65
shared/ssl.nix
View File

@ -0,0 +1,65 @@
{ pkgs, lib, config, ... }:
with lib;
let
ca = pkgs.stdenv.mkDerivation {
name = "hpc-ca";
nativeBuildInputs = [ pkgs.minica ];
phases = [ "buildPhase" "installPhase" ];
buildPhase = ''
minica \
-ca-key ca.key.pem \
-ca-cert ca.cert.pem \
-domains "ca.${config.networking.domain}"
'';
installPhase = ''
mkdir -p $out
mv ca.key.pem $out/
mv ca.cert.pem $out/
'';
};
ca-cert = pkgs.runCommandNoCCLocal "hpc-ca.cert" { } ''
cp "${ca}/ca.cert.pem" $out
'';
mkCert = domain: pkgs.stdenv.mkDerivation {
name = "hpc-ca:${domain}";
nativeBuildInputs = [ pkgs.minica ];
phases = [ "buildPhase" "installPhase" ];
buildPhase = ''
minica \
-ca-key "${ca}/ca.key.pem" \
-ca-cert "${ca}/ca.cert.pem" \
-domains "${domain}"
'';
installPhase = ''
mkdir -p $out
mv "${domain}/key.pem" $out/
mv "${domain}/cert.pem" $out/
ln -s "${ca}/ca.cert.pem" $out/ca.pem
'';
};
in
{
security.pki.certificateFiles = [
ca-cert
];
_module.args = {
inherit mkCert;
};
}

11
shared/users.nix
View File

@ -6,6 +6,7 @@ let
baseDN = concatMapStringsSep "," baseDN = concatMapStringsSep ","
(part: "dc=${part}") (part: "dc=${part}")
(splitString "." config.networking.domain); (splitString "." config.networking.domain);
in in
{ {
users.mutableUsers = false; users.mutableUsers = false;
@ -21,13 +22,15 @@ in
users.ldap = { users.ldap = {
enable = true; enable = true;
server = "ldap://ldap.${config.networking.domain}/";
base = baseDN;
useTLS = true;
server = "ldaps://ldap.${config.networking.domain}/";
base = "ou=users,${baseDN}";
daemon.enable = true; daemon.enable = true;
bind = { bind = {
distinguishedName = "cn=root,${baseDN}";
distinguishedName = "cn=login,${baseDN}";
passwordFile = config.sops.secrets."ldap/login/password".path; passwordFile = config.sops.secrets."ldap/login/password".path;
}; };
}; };
@ -42,6 +45,6 @@ in
sops.secrets."ldap/login/password" = { sops.secrets."ldap/login/password" = {
owner = "nslcd"; owner = "nslcd";
key = "ldap/root/password";
sopsFile = ./secrets.yaml;
}; };
} }

56
sops.nix
View File

@ -0,0 +1,56 @@
{ lib
, callPackage
, runCommandNoCCLocal
, ssh-to-age
, ...
}:
with lib;
let
adminKeys = [
''3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE''
];
machines = callPackage ./machines.nix { };
sshToKey = name: path: runCommandNoCCLocal "sops-key-${name}.pub" { } ''
${ssh-to-age}/bin/ssh-to-age < ${path} > $out
'';
# Map machine name to its key
machineKeys = listToAttrs (map
(machine:
let
keyFile = sshToKey "machine-${machine.name}" /${machine.gather}/ssh_host_ed25519_key.pub;
in
{
inherit (machine) name;
value = removeSuffix "\n" (readFile keyFile);
})
machines);
pattern = path: "^${escapeRegex path}/(${escapeRegex "secrets.yaml"}|secrets/.+)$";
machine_rules = map
(machine: {
"path_regex" = pattern "/machines/${machine.type}";
"key_groups" = [{
"age" = singleton (getAttr machine.name machineKeys);
"pgp" = adminKeys;
}];
})
machines;
in
{
config = {
"creation_rules" = machine_rules ++ [{
"relPath" = pattern "shared";
"key_groups" = [{
"age" = attrValues machineKeys;
"pgp" = adminKeys;
}];
}];
};
}
Write Preview
Loading…
Cancel
Save