Dustin Frisch
1 year ago
No known key found for this signature in database
GPG Key ID: B4C3BF012D9B26BE
26 changed files with 631 additions and 174 deletions
-
2.envrc
-
3.gitignore
-
13.sops.yaml
-
41deployment.nix
-
23flake.lock
-
23flake.nix
-
2gathered/node-00/ssh_host_ed25519_key.pub
-
59machines.nix
-
4machines/manager/beegfs.nix
-
3machines/manager/disk.nix
-
127machines/manager/ldap.nix
-
79machines/manager/netinstall/default.nix
-
22machines/manager/netinstall/installer.nix
-
39machines/manager/secrets.yaml
-
30machines/manager/secrets/ldap-sync.conf
-
30machines/manager/secrets/ldap-upstream.list
-
30machines/manager/secrets/saslauthd.conf
-
11machines/node/disk.nix
-
13patches/colmena-disable-ssh-master.patch
-
51secrets.yaml
-
5shared/default.nix
-
2shared/network.nix
-
49shared/secrets.yaml
-
65shared/ssl.nix
-
11shared/users.nix
-
56sops.nix
@ -1,3 +1,6 @@ |
|||
/.pre-commit-config.yaml |
|||
.gcroots |
|||
.direnv |
|||
|
|||
# nixago: ignore-linked-files |
|||
/.sops.yaml |
@ -1,13 +0,0 @@ |
|||
keys: |
|||
- &admin_fooker 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE |
|||
- &server_manager age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn |
|||
- &server_node-00 age1q3tqh4w7yeae4xs0cxevtp5tn4gm8xthc39fsht2kv9rq7xm4q3qxqt9sh |
|||
|
|||
creation_rules: |
|||
- key_groups: |
|||
- pgp: |
|||
- *admin_fooker |
|||
age: |
|||
- *server_manager |
|||
- *server_node-00 |
|||
path_regex: ^(secrets\.yaml|secrets/.+)$ |
@ -0,0 +1,41 @@ |
|||
{ nixpkgs, disko, sops, gather, ... }@inputs: |
|||
|
|||
let |
|||
deploymentPkgs = import nixpkgs { |
|||
localSystem.system = "x86_64-linux"; |
|||
}; |
|||
|
|||
machines = deploymentPkgs.callPackage ./machines.nix { }; |
|||
|
|||
in |
|||
with deploymentPkgs.lib; let |
|||
|
|||
mkMachine = machine: { lib, ... }: { |
|||
imports = [ |
|||
./shared |
|||
./modules |
|||
|
|||
(import /${machine.path} machine.opts) |
|||
|
|||
disko.nixosModules.disko |
|||
sops.nixosModules.sops |
|||
gather.nixosModules.gather |
|||
]; |
|||
|
|||
_module.args = { |
|||
inherit machine; |
|||
}; |
|||
}; |
|||
|
|||
in |
|||
{ |
|||
meta = { |
|||
nixpkgs = deploymentPkgs; |
|||
|
|||
specialArgs = { |
|||
inherit inputs; |
|||
}; |
|||
}; |
|||
} // (listToAttrs (map |
|||
(machine: nameValuePair machine.name (mkMachine machine)) |
|||
machines)) |
@ -1 +1 @@ |
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcyF+SJiS1f1j2Waa0Af2Mx4zxPHl6J3u9gaDMhE9Yv root@nixos |
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjQy/rUZUmLjTAP2+IdkVzGS/VNLqn3bvRpNN8ouS04 root@node-00 |
@ -1,48 +1,33 @@ |
|||
{ nixpkgs, disko, sops, gather, ... }@inputs: |
|||
{ lib, ... }: |
|||
|
|||
let |
|||
deploymentPkgs = import nixpkgs { |
|||
localSystem.system = "x86_64-linux"; |
|||
}; |
|||
with lib; |
|||
|
|||
let |
|||
nrNodes = 1; |
|||
|
|||
in |
|||
with deploymentPkgs.lib; let |
|||
mkMachine = { name, type, opts ? { } }: rec { |
|||
inherit name type opts; |
|||
|
|||
mkMachine = type: opts: { lib, ... }: |
|||
let |
|||
machine = import ./machines/${type} opts; |
|||
in |
|||
{ |
|||
imports = [ |
|||
./shared |
|||
./modules |
|||
path = ./machines/${type}; |
|||
|
|||
machine |
|||
gather = ./gathered/${name}; |
|||
}; |
|||
|
|||
disko.nixosModules.disko |
|||
sops.nixosModules.sops |
|||
gather.nixosModules.gather |
|||
]; |
|||
manager = mkMachine { |
|||
name = "manager"; |
|||
type = "manager"; |
|||
}; |
|||
|
|||
machines = { |
|||
manager = mkMachine "manager" { }; |
|||
} // (listToAttrs (genList |
|||
(i: nameValuePair |
|||
"node-${fixedWidthNumber 2 i}" |
|||
(mkMachine "node" { id = i; }) |
|||
) |
|||
nrNodes)); |
|||
nodes = genList |
|||
(i: mkMachine { |
|||
name = "node-${fixedWidthNumber 2 i}"; |
|||
type = "node"; |
|||
opts = { id = i; }; |
|||
}) |
|||
nrNodes; |
|||
|
|||
in |
|||
{ |
|||
meta = { |
|||
nixpkgs = deploymentPkgs; |
|||
|
|||
specialArgs = { |
|||
inherit inputs; |
|||
}; |
|||
}; |
|||
} // machines |
|||
concatLists [ |
|||
[ manager ] |
|||
nodes |
|||
] |
@ -0,0 +1,39 @@ |
|||
ldap: |
|||
root: |
|||
username: ENC[AES256_GCM,data:aXIFdQ==,iv:tdC7GFit0LrO4DJL3vbI6uKCDXeYAOwDGwvOqrvn9mM=,tag:x1mBwe+K+UKjCpGO5qKMuQ==,type:str] |
|||
password: ENC[AES256_GCM,data:Q42VVdHaPZuvLR4HJ11CICpx61qTpw/v,iv:GhsXDsWxRinPOG+uMzy/uvxvMB1G8OKu4yH0a8achJc=,tag:yEWD4slZu/kDEV8ZJs43Hg==,type:str] |
|||
sops: |
|||
kms: [] |
|||
gcp_kms: [] |
|||
azure_kv: [] |
|||
hc_vault: [] |
|||
age: |
|||
- recipient: age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn |
|||
enc: | |
|||
-----BEGIN AGE ENCRYPTED FILE----- |
|||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0anVoM3dITTB3SnN5OEZF |
|||
VWpLTzg1cXZUTlhkZFl2dm8yWCtSWlRwRW5rCkRNK24wTHFkQk5WdVhEQjVGRTVh |
|||
Vy9pazNwZGRWblJVVHJSa1E1OWN4RTgKLS0tIElZc3BncTFwbEhjRjFickdWWXNY |
|||
Sms0RWZ0RUhwNGVvbFk1dDBVZHcvZTQKEeTTP2Ked+C9XgKxVug/KIcJ/ES9nLRc |
|||
n5DsivfiAsoALxTsIRJvjPt/PNZimIeO3nobFPNuvQLb7Q27++My/g== |
|||
-----END AGE ENCRYPTED FILE----- |
|||
lastmodified: "2023-06-27T09:57:35Z" |
|||
mac: ENC[AES256_GCM,data:QpMkI/w+J49DeQ0EDrz+6WtbtvJrgNChI1Z4PNNjdD2cik9wvtZNMUhjJVV18dUxWRH3dkhwX7Jt4mPhlDjhDspbkKsNjKaSApOS8AACybs8FqodvlUCU2mF+xG4beblQn3n8oPcqc5kjbAFc2r+mPSb4b7rcoS+xrB3rKUJTng=,iv:xsjx8Gz5UfpAXMEDEzMA4Kau4BI0vq3xvgfFvHS4uFo=,tag:aiFD1PXsHtiXFrx+legUhw==,type:str] |
|||
pgp: |
|||
- created_at: "2023-06-27T09:57:24Z" |
|||
enc: | |
|||
-----BEGIN PGP MESSAGE----- |
|||
|
|||
hQEMA5ntoryXZPD4AQgAivbPI9NjQLAaIi4wE62yy1snYbzsZxsV4fktk4ebhYBQ |
|||
buvDARS3ZGQV9Tqi2xfmGx7SF3QHHWkqcYNMuBrjKSLIsgnLYW0sKd3fTU0/yux4 |
|||
7b+duZO66r2gjlFwf7dFKBwn62ln4eLtvHREZbB0UWACaRdwQnmQdRL2v9hQXbcU |
|||
/TQiq0msqCfSRLao3wWWl4LvyVY8Uv31K9Kt8NGJYL0yWYuIUMXJhx+ioIbqEBOL |
|||
XOEl4JVmR4nZ6Y/aQ3FIeW/+QjXiqenVect7i52+Bv6kVzc10Zeu0qYRI1o6hpLL |
|||
iS+/cNaNfu6QZRrypQpkzTjY3kzWWgLI9WhC40pxdtJcASZvVAQqtn3eR5FBs2/N |
|||
oRC9WrVE/b8NhgmpJXtbJkTwNLDKZ5rX0/k1lBpqmSKUgfc4Sr9HMzlHsmmIc91F |
|||
p5WpSSH0uHoebg6QnNqQXcRRk4Zh7SU4YSEJHNY= |
|||
=gHvl |
|||
-----END PGP MESSAGE----- |
|||
fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE |
|||
unencrypted_suffix: _unencrypted |
|||
version: 3.7.3 |
@ -0,0 +1,30 @@ |
|||
{ |
|||
"data": "ENC[AES256_GCM,data:j4Gf2o5bInxx7kIK6zAbe6BzWKpSTDHhNXL7SigHb1RlSKpRj6JJ/M56h9omr+Aa6mNAacUiiiqkOjyT2n7w3+1OdQVcR+ZGTvRHc9TJGvQ483SxuiW5mjSYAxJ3fhJONU6KHYEauMIT/MSTgYO9NInUG9p05cZgIw5QGBFqEpHj/DiQ3EL2elvmu4YbaC4J3I2DrxZdh5i60yrWq2ny4UdpqqK8XEbfN7SY+8VDis73JCGEULJVhsYodlSx4ZMBXS0rbce7SZjJ/3O4EaCUJJOjcMcn5o7sOtXGUUAMpNnVvUuoz6SArkwGgfheL+HTf1z7rJzNpZJ2nvMFn8M0fAfH2okpX14rPvGOaYusV+VtOPwAMd4axrR0BHuDkV5L1tTyiQHcjrt6775kGuo3O+q+je3Ok5SZLu6Ysgkt3Y0T9QLYcKBc0UX+d0K3n6A8esUIBIj4KWc1iNjeE73eMb9lyp+6hFiv4TxHnsssgDMvam5KyH3Ltd5ZfqtH51CSSbi9QcvXi3ynODBVxoI1pvIIbPgaah6yGSdNH3QjZ7TtSa5yXkncwmtYhZa2DoNeTav40Uko0xdYqTOuHsOpBoH0fw9CVmoxsTjcvvhIXjLeXv4N9RelKkkFKuDK3QZojdUzoKXPt2HLjonH5Pqgk0xVSqiMHFbIQJ0uPirWEHJsJKCQfjyxkzYm24EfeAbSYLLGGMzebWB4rZw/acDA/+RdD2c+aL+L1EvRz3Tmqw4jwqwhJKeYIsuyLRG64MjmEnIlkIhfR1gSebPuEseBrsFg+0mOO8xS9aoFKJ1jujzYHxcQfyE+gW2qXIFcmBXHknM1wJI03fmyxyUIU19pPK17d1D+C1WPFvsNavXhQAXJRqUqGlUjGhqFM63w7Ij7vZHpcDaHZ69w6rPjuN/wuXHczNbdyWc0W6jp5sWYLZi+xRpYbKprfg9YL6o+zzb7D1yoxIUOty6XiVrlHb/lJlJ0t4CJbbtXNsXVNfojJ32otYM2t/X16+EdWLaFpqy2g8819luVrL+bDENm3bmtq9ARewBMGnGC4hCNaRRRnN9o9AX3sXyIgpOYotFpB/Vpl5CVQ6c1ODjNQJQgcFI=,iv:f1ZwZgu9UyzGnxE3qKPl4K6tlnqvk9jPLAYVXP7W+jI=,tag:iAXKNN/EFh4Z5HjDQogNPQ==,type:str]", |
|||
"sops": { |
|||
"kms": null, |
|||
"gcp_kms": null, |
|||
"azure_kv": null, |
|||
"hc_vault": null, |
|||
"age": [ |
|||
{ |
|||
"recipient": "age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn", |
|||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvS3l2MU4ycE9idHIwREU0\nM3k0c05idmNqVlB5anVONCtXRWNzckROYVI0CmdhVDkyVGtyczYzTGREVmpyR2g1\ncGtWeDc0Y1lqSVVWV3plZHU2cXVNZzgKLS0tIE1nYWxQL204SFNyTEVGQytJdk12\nQ3NVNHRIMTAyalBoSVBuVkNKWEhzdTgKd5b9zzarSyxl8CAugOVVJzEAG0N2mn70\nxB0PPSzXFv0fILb1h8A5bdDf1snxsbdIAfUWucSX3arCoU5l6LmHRQ==\n-----END AGE ENCRYPTED FILE-----\n" |
|||
}, |
|||
{ |
|||
"recipient": "age1s3evxsdz6zly5qn4fjfl4py8z35n8penm63uwmq0ge2kx0u4rsdq07cn90", |
|||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOUsrS2tyTUVEUEZaN3pR\nR0drZ3JDdUtMRHhJaGtONWtwK2Ftc1JsUFRJCjZtYXFubmlpTWtHNVpRU1ZhdThl\nUFVXUERDazdvSGtDOXc1VFNqeTRKRGcKLS0tIDhTdWhWU0dCUUYrZkdSRkVxbGFE\nYkg2Nk42VnUwZFhZVXdsWHFKYnUrMVEK0Aj6aON/QIFT2fsv2D9Ajvu+f6mHT4Q3\nm5uo99snnGEl3VIcvhC2yKGEtw3XOVpCfk5xHYLV2nlSs4WCc2DrkA==\n-----END AGE ENCRYPTED FILE-----\n" |
|||
} |
|||
], |
|||
"lastmodified": "2023-06-29T15:34:22Z", |
|||
"mac": "ENC[AES256_GCM,data:T4RlkuFsOJflLOkuvfRnhtnAp5iytfSPEla+Tf4v2zvdo1Gvh3wBmCItBdxhL8mGAl7JZCtJ5InGEccxsjBi+rgNrw9iQwYJMk4hLi6NrUYRCObhzk06JyMW3XM5N4yOQZBUEg/KWUuFR9oQhIP5A0pPdYqctalTg2GKTyusERo=,iv:dErVyHcD9A3elIZcOa0S5kryC6jmYeW4xxvfjHHviZ4=,tag:OupqMXrY147GxxEow7Hkjw==,type:str]", |
|||
"pgp": [ |
|||
{ |
|||
"created_at": "2023-06-26T09:22:36Z", |
|||
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf/f7WlPOXFZGMzz/XKT0wU5HyzkdAkZg6uzSWMYeFzuzyL\nFjuAL3b1gQ5ACXwxUaoUtAN4iXdHdVtJDZxqgYiDHoqd4KBG0DtWZUzvgpT+nbcr\nkE1nQnV0Y7GIgpoJFblQKAsCYikbYGhzptHhsYRY7jB5wseOEyaEV1nS4Bh0E8rc\ndAVI8G7XreIU04cMixIqPd7f1gND/E1y1XhqoT8eQXsa43Ozi9BEobjaAXPnCjsd\nOiMcGvIYW+w+kdY2Q0R4SN3GNRt3KJnBVnL/PCuffz5xQxlnwEvS0palQNioGvrN\nfhXG5JO6cdxgExhjcw/HJEdHjl8iCG15NN6Z0ZDhD9JeAUPRivJeq1CvGJlrkD3U\nAANHHBAyQgpti23908tOsvePujOrYu2+OyG4SN5pdPvNCroDPoKTDGBik7ZvK6J8\n6TowTtKHE0xlhgRcKNNT0qYk02kmbbwtgvLuliBodw==\n=BlGq\n-----END PGP MESSAGE-----\n", |
|||
"fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE" |
|||
} |
|||
], |
|||
"unencrypted_suffix": "_unencrypted", |
|||
"version": "3.7.3" |
|||
} |
|||
} |
@ -0,0 +1,30 @@ |
|||
{ |
|||
"data": "ENC[AES256_GCM,data:u6XAULb0jpux4kvwJipsX0rMTQ5oLP5UtPZNNOJ7ujuv,iv:HuowckOTkBG0NOM6aRJUmJA3f9L0SxVm/w9WAXG4l6Q=,tag:2OKpVjxvFA0nELtWhPcSPQ==,type:str]", |
|||
"sops": { |
|||
"kms": null, |
|||
"gcp_kms": null, |
|||
"azure_kv": null, |
|||
"hc_vault": null, |
|||
"age": [ |
|||
{ |
|||
"recipient": "age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn", |
|||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzRXhlTTBXRG01clZSTFpV\na1pTOGVac3JlOVdDRzFyd0xGeWFPbmN6empvClpJa2N5Ui9NVlNoNnFHUHBlSGl3\nVnpGd21zYVBlUGpIR2hrQk5MSXdHYlEKLS0tIFcrS0NpaERzbVdZQlVWY3dSUG1u\nMnQzWVVrOGd5TWJxYUZPZVFsTmlvWDQK44uh8H1soJ14eUxtCfcFpKf91zzYuwke\n6LZD0ugNeU61vGNltdI573Vz5e12+t7rxSd/Jdl9ADlGN1Mvnw4SUw==\n-----END AGE ENCRYPTED FILE-----\n" |
|||
}, |
|||
{ |
|||
"recipient": "age1s3evxsdz6zly5qn4fjfl4py8z35n8penm63uwmq0ge2kx0u4rsdq07cn90", |
|||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZkJBY1ZIdXYwblFmTHYy\nelZkbEFDU3Z4T05KdWtQVFQrTEc5NUFhdUZJCjd0Ri9rV2V4cmxXVFJUbHQxVG9r\naTZLemhlQnBIdEh3Z0oyV3pPa1JhL2cKLS0tIGVhdkV3d2lEQ3MzanpNVnQrQS92\nL2VZdVpSZjlCQzJQTWY1V1EzSzZvL2sKu4UPoUmkuU60oIKlDgly1D8UjWuKVwnF\nBSUFf+m7ssAg1OK2uYbjWC6/XBo4nmmltKac1sEwALxadU2/kBDu3w==\n-----END AGE ENCRYPTED FILE-----\n" |
|||
} |
|||
], |
|||
"lastmodified": "2023-06-29T14:33:42Z", |
|||
"mac": "ENC[AES256_GCM,data:ZDmRDxJPSmWmZL/daV37H1s9kTp5j8/WK0GbQ6JZef9OHWTXrlpUyZWSkh/mCVbIs9bD96WVos4rLX5rDOlIcMiMXEKcsw63M9KcMlLWvjqkK/D+fnhIqAiNwNPwd4aAV4SaS+3UVlucKgQIaSl06ibrEX1/dTg4by17xEIx43c=,iv:V5mN7N1dewLwqnIWKih6Uu/ocKZ1hU5wcoNW1KSF5x0=,tag:7m3KSBREQSK5ch5PZhPLgA==,type:str]", |
|||
"pgp": [ |
|||
{ |
|||
"created_at": "2023-06-29T08:41:58Z", |
|||
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf/QTiDvYzIo69KMIL2Q4zfpusal9NWTdIuHGV9UmgcuwvP\nhfPa4HTXlNWoE/YBBh8AvwQemrup6toH7V+mbsNlUWJXN+Pwj/+0OMe1Cl+X/VUf\nojE5Rkr2PJBcSRW2sEa2RlVhjPALxR8UR6NKc4HkJVvBnJUng7lxOPXSQOE5M245\n3G44tKDIrQIId7naQNh9fcGJksrtJnbYufMdBOJlwwNueeEJ/ovlGvN8dU/s8OzU\nTML0QD+nRM+vz/hKOAU9R4pYO1qxViVhgeOyms5MRgSyWYLy+HsYx4xByGXNcv8I\nJ58NEYgqICkYYUNeVDr3ONsEYN0hL4VSksX2RacqbdJeAVaUtSRUH1kknrN1gAlA\nx2LB/PFFCR2aGsQWYWnBPhjtdVAVy4flUDtTkquQp837hQZZre+xEP4snY05RYdv\nhqzm7g3iZbDO/nRnsEWj13dygzHwGHruVk3T7XqQxw==\n=BGBU\n-----END PGP MESSAGE-----\n", |
|||
"fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE" |
|||
} |
|||
], |
|||
"unencrypted_suffix": "_unencrypted", |
|||
"version": "3.7.3" |
|||
} |
|||
} |
@ -0,0 +1,30 @@ |
|||
{ |
|||
"data": "ENC[AES256_GCM,data:pekng5DHyeza16XqzFIxKWKktRUZ8mMDnjMGln47d2K6ojzl7KetDwDeyjq25RRTL8ssev/hbHI/7jZo56KI8rKjJ4AsQrECNUu8djjek6yfwPonzSP58nKYllufQiQGPq6yIc7VxMX5wBARh03/2KtObOmiPvGmyFasSVv9Vfg0rCgTG7kD3D6Xvha8fd17I8cl9fFZJH5SsDuzFgyGanwaol7FumXzBwDq4HbQG43aC/YctjwgZaVA7Y9Gah3IULies2r54Le5DCd+Maysg3mJ+3uwEOxqtwumVX4KyGnZ7MpJSwu574xgVj5xFSCAt5W97IoeOWHV+Xru6JQCR/p6UC1VSnJzNFL9TjqW39qNOKgrpsN9b5KciPiLBTTpJF7ij23rYZ0jBkuYeEH7jCzIiaW/P08G2RU/gg==,iv:u7YpDyqO/61JLk5AmBLzgtfkzoJs4I1CIew99lAgXzM=,tag:JXCYrT92t0n7TMtYbe1iEQ==,type:str]", |
|||
"sops": { |
|||
"kms": null, |
|||
"gcp_kms": null, |
|||
"azure_kv": null, |
|||
"hc_vault": null, |
|||
"age": [ |
|||
{ |
|||
"recipient": "age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn", |
|||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcFA3bTVxNnRJREtqU2dN\nSFFtUzVyVjdxclFwSHhibEJLMjZXNDZYQ1ZVCnFOVE9sY01QWXlBNlViRDJpb3Z5\nSVBTamR2V1lPVTNUSktRVTloc2hyU2MKLS0tIG5rdm9TYlpHS2JWMTVEUlYvUm1T\nN2Y4UDB6K2VqbFRSSVpKSXUzaFNqYXMK1FtROF7wMlwtKNIN55fWS+OXovVfwzML\n9uObWRxuI2ePJz6pTIhDGJ3m9azGepG02ynX/ZpZ3ggkTnULL+pV3w==\n-----END AGE ENCRYPTED FILE-----\n" |
|||
}, |
|||
{ |
|||
"recipient": "age1s3evxsdz6zly5qn4fjfl4py8z35n8penm63uwmq0ge2kx0u4rsdq07cn90", |
|||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdGM0Z2VPdEs2VWd4a1lU\nN25XdUFXMkt6cHBNeHBUMUNPc1pBYXRKTmxNClI1UGZYZEROTTF6YUVMQ1JhZ3hZ\nRzk3bHBhS1Yvamh4eDZDajVCUWxUQ1EKLS0tIDVodVpIYkVsSnhJZTM4WkxTbnNz\nTTRESnlSZVdndVR0UGJRSkRvTVo5b3MK5ncgqt7iq5C2WSskWK4Aqy8lONpEgHbA\ncRXaXwO9dbRd9Qo9Am1VeKHyPXVOga/pJONPt6SNBjWhvpBiwStzDQ==\n-----END AGE ENCRYPTED FILE-----\n" |
|||
} |
|||
], |
|||
"lastmodified": "2023-06-28T12:21:14Z", |
|||
"mac": "ENC[AES256_GCM,data:IbNlGRnejcbpN8JkHZZ5S0brF7HxJnB9+scAZ4lStO0HuUG32TFmdbCC5mIY8Ci7M91kT4+ikqKJ3dMWiwhBrAQh766tSVHlyKw81P2kQGGD13Fe+pujPIPBTum9jAwhKDEgNA8Jgm+4NiOUq1n0mksFkbDqNj5vdvNAn0i5I/Y=,iv:e6VEUgGX51STIZdbKobyN/vwPgKwnrDNM/vA80EAtl4=,tag:zv+meM5/gJ8Ry4VtkBDTnQ==,type:str]", |
|||
"pgp": [ |
|||
{ |
|||
"created_at": "2023-06-28T12:20:31Z", |
|||
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf+PR9rAWJHzPWF4LZ+/2yNTzMG0qbgiPevLCNcJCUp4DZ6\nCbBuHrEJVrOdQuCb/rKcgYtnr2Ec4cWZ5kk+wZVKNR6+GsloA1n4C7cY+5aWr7Oo\nKOpuZICUxMLgf/PlSUq5NBAG0oDfT71+N3uQJJhclaPs+P1EcjceX45s48t+A36v\nks8WMqgVMDw5TRxI377WzR7olS99eMAVaLISlu04OIIZw+J7cfaRAgA6gegF2rZZ\nNDYOBXlH4mqKGjmQ6SWyQODUUoAsk5hBWDV7LXyjGIh6Tld+wLlddjC5Abwp9H0m\n2FIDMbIokr72i9c1F1lRp+0PsQsF09UU1Mtg2iBjBdJeAd61RpZQ++a9VziqP1Ex\nMB4FPrsU4qgT3VsvvjYZzPyews5XHOczA/aocUFVf4r1QPFOwt/6wbSLnJ8g472c\nFfBuv+KTjKWLwJYtQDoHTKuiLcQDX5acbLLmT6GDxg==\n=GRPn\n-----END PGP MESSAGE-----\n", |
|||
"fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE" |
|||
} |
|||
], |
|||
"unencrypted_suffix": "_unencrypted", |
|||
"version": "3.7.3" |
|||
} |
|||
} |
@ -0,0 +1,13 @@ |
|||
diff --git a/src/nix/host/ssh.rs b/src/nix/host/ssh.rs
|
|||
index 1622007..5824494 100644
|
|||
--- a/src/nix/host/ssh.rs
|
|||
+++ b/src/nix/host/ssh.rs
|
|||
@@ -345,6 +345,8 @@ impl Ssh {
|
|||
"StrictHostKeyChecking=accept-new", |
|||
"-o", |
|||
"BatchMode=yes", |
|||
"-T", |
|||
+ "-o", "ControlMaster=no",
|
|||
+ "-o", "ControlPath=/var/empty/non-existant",
|
|||
] |
|||
.iter() |
@ -1,51 +0,0 @@ |
|||
ldap: |
|||
root: |
|||
password: ENC[AES256_GCM,data:bYuw+9ywfRDNVt0nrLDmWE8+f8aHQvGd,iv:JHU3MxmNdxI2a62Dcky8xhHhjhcxyjM0Z0xLEnLxJwU=,tag:3VW0zTlRFxLDI8WxGu1lew==,type:str] |
|||
login: |
|||
password: ENC[AES256_GCM,data:IFPwehOGSYore+HEv7MyymCKaOKn5XEH,iv:JTrZucSL/MohMgUdWqalpgjCCh7ueXd3cgNB0FuJo/U=,tag:o/1nvTrfojYsXYeuvxKfNg==,type:str] |
|||
beegfs: |
|||
connection: ENC[AES256_GCM,data:YTHMg76+5Azb+ex5ArUHt4xP+YYWr9Ph,iv:TEf8i+yezPsaW12Lg5jRnhds9uW9WhV6duZPdxeW9co=,tag:bPGsl7ofwE1Jh+FTyHJqzQ==,type:str] |
|||
sops: |
|||
kms: [] |
|||
gcp_kms: [] |
|||
azure_kv: [] |
|||
hc_vault: [] |
|||
age: |
|||
- recipient: age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn |
|||
enc: | |
|||
-----BEGIN AGE ENCRYPTED FILE----- |
|||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVVdBd0hvWG0zT3BTRGVh |
|||
NWxtdlJocy8wSnIvMUdoOVZYM0owMW9TWGxnCmZLcStDdzVvNlh3dzVQN0NvVUJw |
|||
S1l5aG9ocVp3RWNJbWl5bjVxT3U3WjQKLS0tIEZkdHk4dGM4YnloR2FZSkNWOWxo |
|||
cXg2OTd4OTRzN1MxWmtIczRleXdBU0UKID449Ln3KBshJVgn2RyZS5M73WGDWMs8 |
|||
HxrSlpf8HajxtU/iPpgkIRHLNIVa0C/1NlQOTvxPyDhEvuV31xm/JQ== |
|||
-----END AGE ENCRYPTED FILE----- |
|||
- recipient: age1q3tqh4w7yeae4xs0cxevtp5tn4gm8xthc39fsht2kv9rq7xm4q3qxqt9sh |
|||
enc: | |
|||
-----BEGIN AGE ENCRYPTED FILE----- |
|||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkM0ErekJGUlVRZDFQMFpN |
|||
UlBOdUpIMENSbEVMZnhKcFRLelBFZUlFdjFjCk9ucFExMmFGSjVnT0Mxdml0MVRI |
|||
NWNzeHM3cVpSMzE1STlHQkdKUW9NTm8KLS0tIDFSS2VWbHN4ckpCc3p0YXV3Mitp |
|||
T2h5bStSVFQ1YXM2TXgyQnk2amdQKzgKzncSU2ryAYQHlsSeFejE2NfHxoR9WJDm |
|||
jy2ALBMAInl7e5TP89QAEvthUrfyos3f8jV4GOQm7TIerYTr/5kctA== |
|||
-----END AGE ENCRYPTED FILE----- |
|||
lastmodified: "2023-06-01T13:46:17Z" |
|||
mac: ENC[AES256_GCM,data:Uei7c4/hHSqtv0bN2dLrF3mh6MYrx85N0KXO2R/Eu+78MTlwKPmCeD1H4tfyMTS4hJdjGYmk6H8Hj5K5B7irmb39BKnGWq86eFj9AxhODr4/nS0n1f+F4lX5R/3v5JJ4J54y0IymfQj/iN5QZsOGmVw9z8cFs5a9tUD118yYq3E=,iv:OXt5e854thU/SWFhoiy/YzDBqzF3M3GRXXIFaAX+Vrs=,tag:KuuxsINhybfd274v3z63qA==,type:str] |
|||
pgp: |
|||
- created_at: "2023-06-01T13:41:20Z" |
|||
enc: | |
|||
-----BEGIN PGP MESSAGE----- |
|||
|
|||
hQEMA5ntoryXZPD4AQf/X1yiMrb68+TJkcOH010pRLVUu6Wlsr51nFsuObSx+8Vs |
|||
I43EPxiFEHa5fQvi6KMqUgfc50aYfjcS8ZKy67B6Hf4F7h5kB2dGCkOjjmBLYX2W |
|||
dc20han6qDfPUFnp+owoNEspMvHjcGAhm1CKKFXS7cr4VgdRZCQPfmQwhHSnMk/B |
|||
ii4j1sgCNoOnzXUuEfZ0InN+VVKCxGtidAiFXjBtaoqordlFllje4znxXDjIHM8/ |
|||
APzRYtP1TcZG6c/WorgkOpwSIX4tz8ZNePmXdkbg9wxvg0lAb+ACX8vRGXBnbZ8d |
|||
oQ1dHcGfIaA+GWVF5uTuabShbHqL7cg2D+TJUWh1CdJeAYBQqSl/8mE2N9i8Vojx |
|||
shSnO2hCF2cTKU/gzSy8VYmvHiZTPKUcyffDRoTqBj77gmCwLUE0aIF2R7YkQor5 |
|||
SNe+HeQ6WxIJD2D09wvhDg+TD+jNskxEcjI8EMueZQ== |
|||
=l0Nv |
|||
-----END PGP MESSAGE----- |
|||
fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE |
|||
unencrypted_suffix: _unencrypted |
|||
version: 3.7.3 |
@ -0,0 +1,49 @@ |
|||
ldap: |
|||
login: |
|||
password: ENC[AES256_GCM,data:IFPwehOGSYore+HEv7MyymCKaOKn5XEH,iv:JTrZucSL/MohMgUdWqalpgjCCh7ueXd3cgNB0FuJo/U=,tag:o/1nvTrfojYsXYeuvxKfNg==,type:str] |
|||
beegfs: |
|||
connection: ENC[AES256_GCM,data:YTHMg76+5Azb+ex5ArUHt4xP+YYWr9Ph,iv:TEf8i+yezPsaW12Lg5jRnhds9uW9WhV6duZPdxeW9co=,tag:bPGsl7ofwE1Jh+FTyHJqzQ==,type:str] |
|||
sops: |
|||
kms: [] |
|||
gcp_kms: [] |
|||
azure_kv: [] |
|||
hc_vault: [] |
|||
age: |
|||
- recipient: age1ys5pskgkjsgqfy2lr0afcnl2edry8jmryhymkwtked2se74e9g4s23gunn |
|||
enc: | |
|||
-----BEGIN AGE ENCRYPTED FILE----- |
|||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUGZ5RXVyV3g3cXBMSmtt |
|||
d2tvL0ZhL01ISHE0RVB1alZDVFZ3RHRtZndVCnVGWDIrSmdsa055THdld0lUeEVq |
|||
NWxRUllKQkdhdkFvZkI5MEVXV212ZVkKLS0tIFlPWE84M2U1dUlLTGlLc2N1UXJV |
|||
UlV1UEs3cE9Bc0VqdWRSYmtOd3V1bTgK0q1nj4z4Tnso5ts4sCEn0jEunhFuuk+W |
|||
5d3ktEhBY6vC/eNMmv0B9+Z9/Tw3dbmou/VATObWAvprIVR143oIIw== |
|||
-----END AGE ENCRYPTED FILE----- |
|||
- recipient: age1s3evxsdz6zly5qn4fjfl4py8z35n8penm63uwmq0ge2kx0u4rsdq07cn90 |
|||
enc: | |
|||
-----BEGIN AGE ENCRYPTED FILE----- |
|||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3S2dqcXM5UUNvWjZxU3pW |
|||
dytFeStXNUdaV3YxSXlKUkZuUFp6ajNTOGpRCkF0TzQ4U25lamZRUGhNeDE4blN5 |
|||
S2t3ZTVrWWVmSkN5V1VmVzdGcS9Za1kKLS0tIEE4azlPdTZoK09xTHNzc3dQNUIv |
|||
T0hhOHIxRXB0Y2g5M1BIK0R5cjBCcncKwZHZHnQN0GGnzOXFGDFhUqx8Nzxk3Vx2 |
|||
Gr+6Z/OjxFREPzDlrLS5No4huQiNMhMjacw2uqmcVLOVSVy8HaCHXg== |
|||
-----END AGE ENCRYPTED FILE----- |
|||
lastmodified: "2023-06-27T09:58:35Z" |
|||
mac: ENC[AES256_GCM,data:pPgwJnUdwQegqaCXdh7lweQq2Kos6szvo/mfBul+2TruUSSRXlGwKmNVLM2BuodMNZpTan2vCyvVlXvN4zBfW6nVWPzlBrCTbgtyBNodB+k3OJsfgUElQ32T9KccsMVuUsfKDzjhlFnV3NA9A7DVnrYz+jf1NcNSsz4yOjHudzA=,iv:ciFHyXhIcNFlB9fhzcAX8LICIsGPWDe29fxtjmJ0G+s=,tag:oldhGvm8vfPnuhpIXIpVWw==,type:str] |
|||
pgp: |
|||
- created_at: "2023-06-26T09:22:14Z" |
|||
enc: | |
|||
-----BEGIN PGP MESSAGE----- |
|||
|
|||
hQEMA5ntoryXZPD4AQgAi8lqhO1SXvABXXZGNTaU+T4Z/9KWqGltg7nq4qhU44cN |
|||
Ge3zstD887gUsxoUEWCSUXoTHSoV6nilgs0KdIs1Jul6MVrK9xFqL9aQMfS4pTMS |
|||
oXRbkhtvzbNrxN091sh8rDxzG8OlCU+aE4IyPt4scdDMNviq8vebtmiQjOEv9M00 |
|||
HDngyFHVMPsCzWW/cD1D/N/2xQFE9kt1GLbZsOoO41/muyiXVA6uoL8nFXlFZ5MR |
|||
H9hJRyfjH5XbGBguKzSPW9rtdbcZZfMark91JCodQQxnA+Tq15cUtM0lOTP6UZvt |
|||
7EQ/ayD6T+wziYXR0iuc7m9uCKTJoY83PK3xkt02hNJeAWU6A33sEe5bPnepTHR+ |
|||
4kT+YxJY5etwYt5KbLCNtVRcL5cCc7jCyYq4m9kRn30evUyMJdmq02fjAi3JgVpW |
|||
DZeuooaR6CAQiT8O/BLfNIxRyebAKLJoo6l7szotTA== |
|||
=3PbD |
|||
-----END PGP MESSAGE----- |
|||
fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE |
|||
unencrypted_suffix: _unencrypted |
|||
version: 3.7.3 |
@ -0,0 +1,65 @@ |
|||
{ pkgs, lib, config, ... }: |
|||
|
|||
with lib; |
|||
|
|||
let |
|||
ca = pkgs.stdenv.mkDerivation { |
|||
name = "hpc-ca"; |
|||
|
|||
nativeBuildInputs = [ pkgs.minica ]; |
|||
|
|||
phases = [ "buildPhase" "installPhase" ]; |
|||
|
|||
buildPhase = '' |
|||
minica \ |
|||
-ca-key ca.key.pem \ |
|||
-ca-cert ca.cert.pem \ |
|||
-domains "ca.${config.networking.domain}" |
|||
''; |
|||
|
|||
installPhase = '' |
|||
mkdir -p $out |
|||
|
|||
mv ca.key.pem $out/ |
|||
mv ca.cert.pem $out/ |
|||
''; |
|||
}; |
|||
|
|||
ca-cert = pkgs.runCommandNoCCLocal "hpc-ca.cert" { } '' |
|||
cp "${ca}/ca.cert.pem" $out |
|||
''; |
|||
|
|||
mkCert = domain: pkgs.stdenv.mkDerivation { |
|||
name = "hpc-ca:${domain}"; |
|||
|
|||
nativeBuildInputs = [ pkgs.minica ]; |
|||
|
|||
phases = [ "buildPhase" "installPhase" ]; |
|||
|
|||
buildPhase = '' |
|||
minica \ |
|||
-ca-key "${ca}/ca.key.pem" \ |
|||
-ca-cert "${ca}/ca.cert.pem" \ |
|||
-domains "${domain}" |
|||
''; |
|||
|
|||
installPhase = '' |
|||
mkdir -p $out |
|||
|
|||
mv "${domain}/key.pem" $out/ |
|||
mv "${domain}/cert.pem" $out/ |
|||
|
|||
ln -s "${ca}/ca.cert.pem" $out/ca.pem |
|||
''; |
|||
}; |
|||
|
|||
in |
|||
{ |
|||
security.pki.certificateFiles = [ |
|||
ca-cert |
|||
]; |
|||
|
|||
_module.args = { |
|||
inherit mkCert; |
|||
}; |
|||
} |
@ -0,0 +1,56 @@ |
|||
{ lib |
|||
, callPackage |
|||
, runCommandNoCCLocal |
|||
, ssh-to-age |
|||
, ... |
|||
}: |
|||
|
|||
with lib; |
|||
|
|||
let |
|||
adminKeys = [ |
|||
''3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE'' |
|||
]; |
|||
|
|||
machines = callPackage ./machines.nix { }; |
|||
|
|||
sshToKey = name: path: runCommandNoCCLocal "sops-key-${name}.pub" { } '' |
|||
${ssh-to-age}/bin/ssh-to-age < ${path} > $out |
|||
''; |
|||
|
|||
# Map machine name to its key |
|||
machineKeys = listToAttrs (map |
|||
(machine: |
|||
let |
|||
keyFile = sshToKey "machine-${machine.name}" /${machine.gather}/ssh_host_ed25519_key.pub; |
|||
in |
|||
{ |
|||
inherit (machine) name; |
|||
value = removeSuffix "\n" (readFile keyFile); |
|||
}) |
|||
machines); |
|||
|
|||
pattern = path: "^${escapeRegex path}/(${escapeRegex "secrets.yaml"}|secrets/.+)$"; |
|||
|
|||
machine_rules = map |
|||
(machine: { |
|||
"path_regex" = pattern "/machines/${machine.type}"; |
|||
"key_groups" = [{ |
|||
"age" = singleton (getAttr machine.name machineKeys); |
|||
"pgp" = adminKeys; |
|||
}]; |
|||
}) |
|||
machines; |
|||
|
|||
in |
|||
{ |
|||
config = { |
|||
"creation_rules" = machine_rules ++ [{ |
|||
"relPath" = pattern "shared"; |
|||
"key_groups" = [{ |
|||
"age" = attrValues machineKeys; |
|||
"pgp" = adminKeys; |
|||
}]; |
|||
}]; |
|||
}; |
|||
} |
Write
Preview
Loading…
Cancel
Save
Reference in new issue