From 2a66f7ae2963513b0ba8b31124a01ee199070e81 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Wed, 13 Nov 2024 20:58:58 +0100 Subject: [PATCH 01/22] Add atlan's sops and ssh pubkeys --- machines/.sops.yaml | 7 +++++++ machines/ssh_keys.nix | 1 + shell.nix | 1 + 3 files changed, 9 insertions(+) diff --git a/machines/.sops.yaml b/machines/.sops.yaml index 451874de..44f2af4c 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -5,6 +5,7 @@ keys: - &admin_kalipso c4639370c41133a738f643a591ddbc4c3387f1fb - &admin_kalipso_dsktp aef8d6c7e4761fc297cda833df13aebb1011b5d4 + - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2 - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db - &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567 @@ -15,15 +16,21 @@ creation_rules: - *admin_kalipso - *admin_kalipso_dsktp - *machine_moderatio + age: + - *admin_atlan - path_regex: lucia/secrets.yaml$ key_groups: - pgp: - *admin_kalipso - *admin_kalipso_dsktp - *machine_lucia + age: + - *admin_atlan - path_regex: durruti/secrets.yaml$ key_groups: - pgp: - *admin_kalipso - *admin_kalipso_dsktp - *machine_durruti + age: + - *admin_atlan diff --git a/machines/ssh_keys.nix b/machines/ssh_keys.nix index 2532f642..0f71ec3f 100644 --- a/machines/ssh_keys.nix +++ b/machines/ssh_keys.nix 
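Review bot: The new `age:` entries grant `admin_atlan` access in all three `creation_rules`, but the follow-up [PATCH 02/22] runs `sops updatekeys` only on `durruti/secrets.yaml` and `lucia/secrets.yaml`; the first rule's file (the one listing `*machine_moderatio`, whose `path_regex` line is outside the hunk) presumably still has `age: []` and the new key cannot decrypt it until `sops updatekeys` is run on it too. `&admin_atlan` is the first alias in `keys:` that is an age recipient rather than a PGP fingerprint, and the `pgp:`/`age:` lists are only one key group because they sit in the same `- ` list item, which the collapsed indentation makes hard to see; a short comment on the alias line, `# age recipient (public key), not a PGP fingerprint; listed under age: in each key group`, would make both facts explicit for the next person extending the file.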
@@ -3,5 +3,6 @@ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfDz5teTvRorVtpMj7i3pffD8W4Dn3Aiqre5L4WZq8Wc4bh2OjabGnIcDWpeToKf38n5m0d95OkIbARJwFN7KlbuQbmnIJ5n6pUj/zzRQ3dQTeSsUjkvdbSXVvTcDczMWwLixc/UKP1DMbiLHz5ZSywPTSH2l40lg74q7tSFGBwMy8uy4tsdp2d2sUIDfpvgGj3Pq+zkQHWyFR5BYyCLDfJMTQvGO0bEsbRIDOjkH8YVni46ds6sQKMgc+L2vPo8S3neFZBQRlERVRvIAzdLiBWqGkiw4YgWQA8ocTfWp9DVzW+BZiatc34+AX3KtLEF1Oz76YsKjBttSQL4myUucuskz2Bs7UYvAsDFlWyiJ43ayZNzvG63m1UVsAoq84IhNYsdkPhd+G1rtnG0KxPVAtn7RkAGt8t7ObU+6xWayHcpSteNeE+QyH9nNmJcXNNKfoOeP4vHUBrBTeURafw527yuZDOYknJmg3O+nkeGseIgBYgq/As4+dD6vhp03Y5chjU4/FC6nEjsGPRdfe2RZx+0cqJkLgdd1paGByUfPfaUKykw4TsCUAiDucRwBjU32MLslUbyzeEkjzOJzOD5Frif3jZZLxaNP2QcHRbTiiKkdn+WFJmjr3BdC60pm7hqvmDxl0UZcz9hDv3wZUALUc92TQXnWc8GicKdpQgRYDRQ== kalipso@c3d2.de" "ssh-rsa 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 kalipso@desktop" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos" ]; } diff --git a/shell.nix b/shell.nix index db4fd277..3799ec9d 100644 --- a/shell.nix +++ b/shell.nix @@ -17,6 +17,7 @@ mkShell { sops-import-keys-hook sops-init-gpg-key sops + pkgs.age pkgs.python310Packages.grip pkgs.mdbook ]; From 88dad0193be776616aaf3739997ffcfb80793f77 Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 14 Nov 2024 14:03:42 +0100 Subject: [PATCH 02/22] [sops] updatekeys for ahtlon --- machines/durruti/secrets.yaml | 97 +++++++++++++++++--------------- machines/lucia/secrets.yaml | 103 ++++++++++++++++++---------------- 2 files changed, 109 insertions(+), 91 deletions(-) diff --git a/machines/durruti/secrets.yaml b/machines/durruti/secrets.yaml index 9f5639b6..8f854706 100644 --- a/machines/durruti/secrets.yaml +++ b/machines/durruti/secrets.yaml 
@@ -6,66 +6,75 @@ sops: gcp_kms: [] azure_kv: [] hc_vault: [] - age: [] + age: + - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOTV0VC92aGo0ZFU1RE84 + LzJxWUh0MzYrSWJZYldVMTdsMlJ6RkI2WURNCmFVT1ZtMitOSzYySW1RMkE5aDUw + bEI2Z3ZhbUdaM2R5eVpkYVlrZks3dW8KLS0tIHFEdWZ2UmREeFl2Q0d0c0lVTGxm + SnZxRUcyaUY0QnRtVmdnYW9acmxTWmMKfLb2wgBcQC0Ay34wBvTenZW1jVvDH7aV + 45+5NzmkhIQRNkKWgRfpT9EQ9cRJz3l7ZYoVgJe8qBhwH64lBqUiqw== + -----END AGE ENCRYPTED FILE----- lastmodified: "2024-06-26T10:07:26Z" mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str] pgp: - - created_at: "2024-06-26T10:06:21Z" + - created_at: "2024-11-14T13:03:00Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv8D3vncBeC4Kq+Vzk6XOMV6gRRGOZp+w2e/055sZ40IUu+ - 43Yi5giVL0I7PZkZD787LNiKy6kTcI6D9tJIp9YSMRVJb4x8oDJWS8NbVZZOUCwT - d9KYaMO6hN8VobhUKsu7uAKCrgVzPWrWPNmZPvwZ6pxL+cBFK2W/GEvQsXvaELUc - 5mNlB4k5S9oG4ZMli3WWhVJRMZgdjGWDKiFVGCSenEkhua/5TUUefV8urf1IBjoN - MB8TPwsm3PBEG6/zrfXls/7Zhbv7mtl1uB9nWBC9M4EL9euzC83X+IiFAlThpoPu - eylOhEkAq60tQglk2SRsdFpHvEwaijqSKL0ieDQjvLxLNCdtCQS3yM21S4SkfRvv - pDGQROqjhtgZSF7MZqD67mA9tMwYGlZLfkzjpYrErbG6G4xYGO2ZODPNZ4FH/2Zf - Yf9xpAd0/m4mmg+py041nas8lgJzOXn5mKIxX/kLkV1U/ccrZXB9DTsWbuRVxh3W - CZTzgT0VdZWd88cUcYIR0lgBz0vCxDRgyPhc3B3ivoOHBisoBWbYURv+6rYE84Qs - 6nDtCt4fUqrfKqnw1b++L1II+QjEBkhawOWNbqE9AxESOLAVwkn4cCOqeWDP8DBq - OBN3luBRDDAj - =+dua + hQGMA5HdvEwzh/H7AQwAhcsRc3mCqKgUFym0W5lTN6j5xg+o0PF31ZQ3qqkO3b5+ + nIPH8Ee7nrcfRCM2AV+TReaZ2qfP4TdU5j00F5977H5UM+UULFM+FSGcY63rkp80 + 1U1ZzxbzTwV5mil8dx3dmENMgFpKy0J2MatPdR5bu/z0o7sLty1DUq9hiQOTfM3F + u1mfmY37YewMBmxlzDJ3Z5+lslRJUqa3Ho9atjYhwxZTYgh9QQtnm8kRjNM/HKpQ + 
sDAWu9JXit33WwHayxUFWZ5syiwsbFxAelrZnluW3KiKu3v+9VO7X6dJsrrIB6Xt + j/mJhwkwJ39xHD/eQqMJsdAum8Pgxi40XjD6wJvmIhYz1y8Lbymanb+6U+fJk71V + ZLsbk+sR1Jkh+L3NV+UGlMusgQuxcE2xQjNMEbpzk1xXsFFz+QxVxx6HZp8xRh4v + M8L2LkiZp5w8iij+uJ+k0ovu4XH2Bf/2myhabfRrk5bPZbweH/bJOxChIgf/b/ZP + FdfHGP0KlJe+jMGY3j7c0lgB9k2vyvYTHaAOcQoe/HdKNvueMMYDIzxLZ6sXsn+z + jhdW9FxM9g2ZOStq1Mwjzvb8rJCAFQH0s/3yHZY7rveaI88Z3G11i97D3OME2yAx + bxCHPCFfvmX/ + =3wBJ -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2024-06-26T10:06:21Z" + - created_at: "2024-11-14T13:03:00Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA98TrrsQEbXUARAAmj8h6g8Knwg5c/Ugfxcb4nuWuLydyzNZpKJ9YcQ4VTAo - HA38lHH79JbnIoZ9kvxHzUONBLfnW3KekomUdmj1a2DjWllnsIOH8/16JCpFPXbx - hcWQFLxXzJcUEbVfONih4Zmb/2OTzSYoDjNzGaBJUx6x3AwJ0jTzCTxF9WIU1ieh - 9u+ovry7bcHPTn3RS0gQPGRx9gN0A8OSPScKpvz2CRtUA2Uzs0/fIe3NbKQSj6g3 - rZYityYC7uFoE792dkJ3rG9GZneIwWB8sp1remHyRhxaRN4YNPKmje/Pe/fe7sxQ - lWPmW4wa2uSI7/2PAkIjafoDmnpaLxQ+qY9hXobpL7OlyAuA+Sy8Ns2z6nXfPSSj - fQE4OS3hhUStv7PdVVvlH6JVGZK/cJOjOX0lF69A5R5XKQlasRq/t5CKBjxDWnb1 - 2bb3YavIUKWbf/DdlGNb9aKeiYX4RsaMbdc6vU5EOp69S66dF5l5W6+EDLICQEdl - TRNxzofVqjroeQeK9xFd+SXHVwnU9FGPr9cN7803/r17hONDxfL7o7cL1sKfX1tC - 3nRqV3fxSfosz19jmIDu/6lqvJhBBQ8zQeKz/yWxUKowP6WUNAWsMWC7w89Ie1vA - UOy+xO0epIGLJSRU5YBNr9z7854NATnxRWRTya+CyFAgPVoBUxd/+2CjlkUeQWnS - WAELWSqQ4zsAryLhEqSWVg6nwSDCIvF/U56/vIacXwoKMqLYra5gxV78cCU6gcMt - 08O8qM7cxHy5tGzTm6LQZvXTb8W6ybcPvPw695TirUjq9zYVnaT2lmQ= - =7OG0 + hQIMA98TrrsQEbXUAQ//eBqaTG6/KiQFfEMog839q+nukWh3SHSnhCDyCAhdqKA3 + Q9FSroIYEOMwE9SYkNC9T0/pf/ZmRuPBpx09b+q+1df4FLdajgpEbg1CyWnw7fyR + 731vYt5hvN7PVtBGs842BcEvYwKVG33HTadi53l+pjDURpHGLWLbURiqchGrXpPn + o6rih4ueE0TmLHGugGKIr7n/XgH4xpsr/wFLQCnCaVATXdS1Tk86bTeu0HybmPlG + dw4TZrTSO7uq2GyczIC81HnLPisZ1w+7R0m58kV0FGFoDZIwczW46J/h3NLsjO0t + 4zKV1oJUpCANalDCRBhf5RRatw/OzTgVHnpuGyaoAtWGyZpeQi2ntoEvFb3eWAc3 + NMjc2bqamZEdfnBOmPILqRKINm60DkpiI7behY3oV178bWcp3iWsyA4biL0O0pf4 + 
FXbW29zHnEr86wTlJmJIC5sGkNNtu0dNFAKuzKjAel9sVor183WkJk8NAgaaI/pD + pQV+l0ClexXGIW7p931Sn7u2JmXeNJM+yqRz5lDWMLakxygW2h4HDI8NOIS7xvP1 + Ip3a5bGctGEVmAK9MEhcRIGcP7Aoacj7iZVg9bnac4HCX3wnnGjLDNL+XDzfmfUB + M48YUoDS1CSjlcTbgIaL3HeX84EYcoQdRjwRcI3pVpPkJTpi/t2I+/2tOP92sm7S + WAHfIeh3niCzrQa//nwdAEQq+7YrDCDia7SSxDDrRM+/LTaQacoo9SuaHuEANZ/P + +x7rrZsnQq8UBpnd+dQCyxipQvwmjtp9N5xKcragt1LdH4M+Q/qoSIo= + =4vnh -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 - - created_at: "2024-06-26T10:06:21Z" + - created_at: "2024-11-14T13:03:00Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA1kR3vWkIYVnAQ//RZM4ifHThNFNV6pTCGKHdkF7BMHB4gv7BBkXT9cWTGcf - XxH3tH/kFPBSoWWfmtmHbN1bw77vpKda2lLHyOETGCusOFwuFe0+cz7sWStnf/T6 - GVoaCRljhRxlXS2PY9gSG5fLi1uUjmCn9EshdCQdz1ix46kgSe17I+UJYRxi9r4U - e1R0ky4md8tLGGXg2cz1z48+kS7QX6TA1L5jjrW6MEa5ld2wywXD1g7UKpaP6QAc - B5xo4G+6zZNYk6x5i0NJ4EJalyyEXBvJDgsFzW4luqBGjMU2zLkq5VTQjssCbp6l - aE1ZZtMJYDa3IdEV/gEIF7/WmODMopO2hfTWFCx9fZ2cp0gK2d6ffo7vum4WkAMv - FjsbRLCmoZrlwD+/y38Hru2Ok/2cDF+QiEHq0cx+XMjgRrV6vCYrg67kOGjXZ+0v - eZMPGo5506cp/0cbo6eIoG9XzdNirp9mXQHMBb47/dETr+mBAyVzImuHJVmUgXlK - 0nScCjrE2BPfsphMlQKMV007znA8QB65wEuoQ9QWTfgUfxVqzqJxdnFHKSSKAciU - fxAJTGN2RnbBDcehvch+QZAnIHznz3c+2WKetmFMpymqL1OKQKjhnEFewOK8rXKM - cEFRo1BOMkaccBBFHt/A/IQJt2+RuADbkxI9rPqPU9iPi3Ts4jFqfNzZp+m+ADHS - WAGHQuVbo0oQ5RLEOMPheNbr2eL+uyuMLMNsv41G4Mr+lSjN2/KvBoMQEQvpPasG - HDYyoe7JdYbVs+08h465+L+cbi0LzaBUxTm44GliJXVbrz6eqy6lRto= - =GiUe + hQIMA1kR3vWkIYVnAQ//UfsG62+53p9PyXN+c6hoMg+MqWxjvia9kHvjE3Q3bcO+ + KVYqD8CszyTwiTV0RoTWddyiZwZHKkH/ymTtnNafG6NVo3XrYpRmO7SxmVMm1BIt + HrBCdQkLDQOzqbeKBV9bGqO3xHKLEu0vwFkEdpWpNrjkKZfYQ8SjE/6vTJRPeBxx + Z++g8540vZtB0V2YzKStJJ8LcsU+3j1/+NlUJZamXUGT4AnxH3atWuKqC39CZAU6 + 0iHxKEcHcQYPAmvTqtxTH0ELIaRYBIRlzCs0MVjmmfVyaeJOZGyd32vikQMUCrf/ + EvThUCnq3+qCNjLlp1tQbLJV4B6ptAuj6uns2Z9Xmj1j4nFgUKvsc1MPnuSQsOnM + tLF0qsVvunvLbHXhb/Z4uDaNMst8jWEGhk52QYCZ6pgq1zoN63tOAxD+HK12KSYQ + emcDTjGqLTxe2dTiFMHlOkmTk/unEJXI1rJEalBaLqzDFg2tS6I1swQKG115wUfv + 
COHQtmbWmwIMtcl0q/QHfSyc+jPVHoadj6ZZFS1iL9Er/zx1nuD5ybkHntQdO0Gb + YwfyLzhFQ4gKgDiXwHdjYmHeDnXI9mrH3Cypcc/I8WV96cMnuKQBrD7V3NKpjFMS + CaLMVDQqwMoGi+Xi8Ve5oRCa/qt5UEpL1CZZUxNNE11ggPYI22ecKjegdIlGuWHS + WAE4FsZZNLt+RWZxIW0iTP0BzDuCMQFkismL0YyDI18g1dG/sl43+ecd6F9yoWYP + sXjR3gwbASdHHXeYFAxbPX3Q/XT+SQzOAFigPhD0LUFRX2Cf/Q2yu34= + =FLuF -----END PGP MESSAGE----- fp: 4095412245b6efc14cf92ca25911def5a4218567 unencrypted_suffix: _unencrypted diff --git a/machines/lucia/secrets.yaml b/machines/lucia/secrets.yaml index f25764de..4a8aa1fa 100644 --- a/machines/lucia/secrets.yaml +++ b/machines/lucia/secrets.yaml 
@@ -5,66 +5,75 @@ sops: gcp_kms: [] azure_kv: [] hc_vault: [] - age: [] + age: + - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaVZQT1U3cXp4NHVSb2lh + RWRUcjlGY1RtNVNFT3dMSWFaZHJGcC8ybzFFClhhT2RPRHZwbWNSQzdSay8wc0h5 + NHVUN082U0lhcWF2MnNTaXQ2Q0trRk0KLS0tIHJrNmdEdUI5YVRqck8vejRrVHZ4 + aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3 + f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ== + -----END AGE ENCRYPTED FILE----- lastmodified: "2023-10-24T15:09:51Z" mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str] pgp: - - created_at: "2023-10-24T14:42:18Z" - enc: | + - created_at: "2024-11-14T13:02:46Z" + enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQwAqFy6FthlG4of1IYE42baCy6AHhnCxTKN5i0/ZYXtxz/T - xWTAKEXPlbhT4AMGdIvIbEf7od4Pr7xxrxERkHVn1rkHxqjF+bjFw9J2xRXJvilw - L4pWMKXoJOiuGeNwJfzOVMx2yar6NiFmA3HvFyCASIQeCh3v+cyEDvbdnJoUyHRJ - /f/VnQFSIM4YXvLMqkKXgE0ZnbZc+vNnZkAG2qbz65fB/zdOPQZkVYCbnVKLwiBd - eoDth5WbuPnYbK5Vp9wkOPr6KqjM1KN+Kx/ErZ36Ldd2ePk11dCf9O4cE1HcCOmb - mdnFleX4hbMH2bFCpt7HoJql7QsTodx2bX1wnLA+uUVrV5QcT74C/0yAYHhBELez - cE0gZ+th9l2tOCaCBBMQUa8EfoQD3hEnOmebOMcWoUQdkyKk5SlLeCVsuWKvbidh - 3Vvw7jINCTH06jPCWSewSBuTdPiAPJ+4CQ8DWXC7A4luFvJM09HX8h859VDEHA9a - FCou1ZTWmQEHbDw1DPw70lgBv35pPduQjSfgM71YwgHFtHDdTfWTbzCBoaDfKvj2 - XWSevuyOKiinaiYd4jPK6srFyX3Horg1QvVzl3dvNC3o29lrzETSTFoUx75KdluT - WxGMHNWqN7NS - =XZkW + hQGMA5HdvEwzh/H7AQv/QepkThVCOMoRZRtHSHEjEriFfp9QS2ZrlgM0p67TtzU3 + edAPqxNq8jGeW7/1FRAwIHGTit9FueL/GRUOVsepbryJMt4ndhybuPdpuEaKeQYv + aZLw3XA5FB7maMKFOl59wqoWNrY+d02lXIbLEafUjrL94/p1IEqQd5a/Ze244yXI + V1ty93i6Wmu5N5uf67bfiY00ObAEU+L4QepLHuJvcP2lWU0zvxnPdDqwv+47R1xB + 
aJX2G3Vv6QRnpUYL81a8R4E9u9GGH0TwJdaFqQwsVgW1XJdCsAaB5wriqEWX5HOJ + 513plEpkBSSlZo/9/lUSHK79jP92DfKvGMxw4t35UULzsJVbCIkM/TzBK0Ruq7Bf + 2rQO1nkF9lqXqPK7ORAkdXX3foHcM474f3w5nCSSlPia5jn7y58Npd9m1za4lOPF + rQxHCJ7OSJ6KOsXhDi7cmMfjIfn6cUj5wT685LbjrftYPh95R2lK/ViwfhMQkJb9 + lCUqJj/7N6UuSDdnHXKg0lgBV5k+ARqh904rR7GTpSdDuSVMVdy9mUGni5V6xTNn + 2IyJzWlvxbUumdh7SVBV5HRjG/sOcmlQtsw2fT21CCFg/n6AdCMgRbtYDoX5OOJc + qkz9uKEGrGjb + =wPkW -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2023-10-24T14:42:18Z" - enc: | + - created_at: "2024-11-14T13:02:46Z" + enc: |- -----BEGIN PGP MESSAGE----- - hQIMA98TrrsQEbXUAQ//XRoesGtcKw0RNs30FfKgpG/qNVRh4eJTeb1AP7YO9nKA - WWuZnomu8aDDKiP+why4Cl4raSb2LqTaDAIbeTzw902BeOlIXl6VO5oIWpgC4IQT - iOMUOTQ6XG4O8xcphItIthc71kpUl34xfWU/Gz67cRj/BSlws26sJ09lH5zZIpcW - 1NNPLQKF6KiJ1MY9rTkq9I6EHbaIh6AcBW4buq9x+qASoU1Blp1OgA9m6O9HjQcH - X/PKnYv1bm6OxYsMBujXnFnde3c+qfL5w1e4a7pyMu8EthAYLPbm+WT2+H1RJooN - 0+M3tBBjtK6emm7qgNt2vyeIYa5L5XSFYAyPfteKZ7tsT1IHgg3cY/3trchq7w7q - D10fGzfw1rP79yI9vY3oQLi4APhAq/RYpFywZJ+qyE+KiDaIzBdhU14NKRdOluaF - apw5ZpNwD77E6lU5lLdjO4TjaMXjEuytzhmOHF+CrZJN/4c21K3PflnzRRLmcXIf - OY+TPWPBKqg9aXIhx+5tGu3OTmrvRuBsoforZrhHqzYZJygliD4w/D0HpcMfxrJ/ - y/iFzwqikikvfkF3FTiTwiFSLOo8G+rCA2TiSLqM6eklAGtzqgrgggnNVDstgiHz - DuXHOdzt9pn3DQHb3Z+kEd8p9TEykQrVr6mcW8scvW3iZ6XBbSoxUDY2W14gNMHS - WAFbpyIyM0JV36DifyFLFuPNF+ZFexnD1/2rzSw5dmDh8Pou9KZnoRGirXbOIFBf - MwFQRonyDxw8zcMFGhXRmNbfqOE9ImnvkW2pNjYJSuBW4LSGaG8OHx0= - =2A7P + hQIMA98TrrsQEbXUARAArYZZpOEC9sZ4Bgbtie8snwYjhcJiLxcmaODcx0ai24vC + FOdxKrgxlHeiBV3e+xD0Mdc51waXpRW7Ah6ctyqRreDXXCsYx9RTjkxqbGQTKexU + OAzvi7qPkmZBzDagNeJXjAMc3Z9uPFTxO0c1degnv0S40dns4sZ50sjGz8Dg6DmX + HC1ZANIpCmJVd+BFC9MxWQFSP1oswzwIxAmM/8d3aXGJLUQsfFbZXTPaKB5+Llmu + Y/yGK4zwcq0PR+YNw9d1lfQD01coLcqNh0cnxW3/DzSnKdpLnr/HeH7K6NivUNOs + 58E4iKJgopZZofbIKrHTPik/ZfovCTwPHo0o/m9G2sDB5Y++OJBDcjyD9BC5OEzg + JW+4rG3dir5cUxJhgM8ZNZUiLcKWSfVo+Xh1RI12Huz4PpZ6dWSpuPxWFBQUZSfp + 
epIUII1u1cKiep8JK5ZUF3k6LzET6ORzzYpY5qGtSEVMLMxLvPK+ECOI1BTHc53Y + GoBPVRdp2Bs0QZuvwiNSd3wKRMoVh8v/8+RSCGRR6pzCfvTp3X4zGfnCUVO9krzG + ukZJ+eQVUnmywewmYuFH/USN34mqRk6UTkVmw4sgy4bqcV26xSeMCbLAVBoV7dR8 + a35kyxrs2MIsu9/SuW8zSdfZd0sBhDIEgzQqT7fO1KQQCDJyjBTzjloVSoE4TSXS + WAE7lEhifj43H/jshtyaIgM8UpdFmBtEj9BmsX2jeS5XiZsIbIJbCsmPWYdd4XQ0 + m5M8KCUEMDXeVCygKieefCyboUSNOk1gdRmnIRcqJ/r8fxmHqZgn2ko= + =DC78 -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 - - created_at: "2023-10-24T14:42:18Z" - enc: | + - created_at: "2024-11-14T13:02:46Z" + enc: |- -----BEGIN PGP MESSAGE----- - hQIMA7zVLR7VUDPbAQ/+O/+BPNT3PxzN85kpL6xXfyCf337Ay5gwhJOg5k3JyEwO - 2L1eZncGZHkdeExxgfqWF1yAPvE7vXltikTVp3V+htHoNL8kck8obII/HptVUCrU - VjFm41kEoWQ9DLXIhmppqBC0hWVkLjCDEXcD5HqtAxt2yKENSFr3pEnFl3vgoHTA - 2TpzC/l2kC24hzk+es54I0sCd3N1LEXC/mBUmptnsZfIcgGdVOWZSGabHg5Mo464 - qc02MYa2Tjuo5svlHGv8bgpQgsIfuB0CcirLMH3FYwKkYHZ7a6KBZj9DwNlM1BYL - m9eIC6+R57utfV+zgvIaQVDVJgFT74/ffgEYNiX2FRWi0ri6gb4ybf8qX+/m8ZOi - KDgpATMIr0Lw85lQ2mQmvt7aeULJTl85pE1ihXLu6+pGEQR/48WeRu8OVMU/QHQF - rRWoJu2kabdlBkYXBBGPN2qGRe/TWWHRm0G7mTnXkoN2idRkodJcVwM8Mvstc5Yx - 3AAb4asl+4xusXNqe+V4ZrkzdnVoFs8RRZyH1QyoqJ79S5uZqOkYObiiJ+wWtahZ - emvN8nhNIr9+WdDFSZYNx+TQTUTFMefcEaTXpPzmUn/nENrvkbXiaVSSmIYQ4YZh - 1vyiW1W6IZwjXI/aR6P2C1Jrj42WCm+cDXCwKZC1sMRqgkxQBIVukQzAHkyFJknS - WAF/TWfXG2S6mnWFKn3cixifUI3pBp+EtYy/CjL7uNBIUQ3EHEbvS5AboSCmgRC7 - wLzHshawAMmJ/bD/jT4wWD0w+NGDzSF8D4b/Ee0LP7R70noS61+s6xo= - =NnkE + hQIMA7zVLR7VUDPbAQ//S/8UshLDL5DW0+DXMGL7u/ug/sgCbSM60PvzT3hwAvyL + 3mR6CycERSeXuYM67fLIa66WiSFGB1aqEsI1oqPL6W8AwjtGHDKSPhJC8W+9NosB + OypoV6VppHiDxB2uJvQl7VNnT8d2x6IWdG0bq9NKxCg+6lorw8bky0907qQ/6+hg + 2eWI0wPcJR2zIEm5JdNvuyK5k03QPKbTd8aVTeYHZq3JiXF3NZmQHCngdI0iH7SN + +QI/p1d/aiyCc+5Ow+Zy5YzPWb22PIROLIH+wJsGxbiJtQJmiKMNQg/YJ/SsCrMI + ViI80R6bkZ/J9hCN2reTTJXl9uc7PgptLAfMlT2N+DHLRoKQOR+e3xMX3vZO9CK0 + R8v0wXPs3NGCBdITu+EPT4twtkjJz31PhqL7crFzm/x4BLiKuNzep+Na4TLMBv3J + 
pVdjc6yen8bYvVickLP/hrVIvflkaMdUncWmS2lNZKP9G2BuGMna9Dp4jC1kWWYW + 608MXgORINmwog2lovxFJGOtq500gcbeYO+LrluULk00/nw27DPkGeD8wkmFMF+m + c3dhA6zn62nLsUmiU4Bfo92uhxBW/hAF5Fp+RVwA9ptvDdBO7gY6FEZitEXs/rGl + 64RAmFuDmv/WDE87pfBQdlZ7Y1HkO6CLwtfg50Ka8eoemX6sP0GSYHUqbs8M4jnS + WAEnR1KMQNVdTqhFzBa/TqnUm+oVtZSVrAPSIEgEjhA4WesmGqmcJwJFaQW39Omu + 8zLfZcfdVUuFKyIijXNliG0ryq1uxmWcEl8ePRzjAAzVTRAILNtZzVY= + =8HBK -----END PGP MESSAGE----- fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db unencrypted_suffix: _unencrypted From 3cb8423485baef34a0662442379fa5f29b8700be Mon Sep 17 00:00:00 2001 From: ahtlon Date: Thu, 14 Nov 2024 17:56:56 +0100 Subject: [PATCH 03/22] Add documentation describing how to add keys to sops --- doc/src/SUMMARY.md | 1 + doc/src/anleitung/sops.md | 25 +++++++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 doc/src/anleitung/sops.md diff --git a/doc/src/SUMMARY.md b/doc/src/SUMMARY.md index 6792fa45..e9dc6e03 100644 --- a/doc/src/SUMMARY.md +++ b/doc/src/SUMMARY.md @@ -12,5 +12,6 @@ - [musik](./projekte/musik.md) - [TODO](./todo.md) - [How-to]() + - [Sops](./anleitung/sops.md) - [Updates](./anleitung/updates.md) - [Rollbacks](./anleitung/rollback.md) \ No newline at end of file diff --git a/doc/src/anleitung/sops.md b/doc/src/anleitung/sops.md new file mode 100644 index 00000000..e4ed3190 --- /dev/null +++ b/doc/src/anleitung/sops.md 
@@ -0,0 +1,25 @@ +# Sops + +## How to add admin keys +- Git: + - Generate gpg key + - Add public key to `./machines/secrets/keys/users/` + - Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT` + +- Age: + - Generate age key for Sops: + ``` + $ mkdir -p ~/.config/sops/age + $ age-keygen -o ~/.config/sops/age/keys.txt + ``` + or to convert an ssh ed25519 key to an age key + ``` + $ mkdir -p ~/.config/sops/age + $ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt" + ``` + - Get public key using `$ age-keygen -y ~/.config/sops/age/keys.txt` + - Write public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY` + +- Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to + +- Reencrypt existing secrets for the new key with `sops updatekeys` (kali is this right?) \ No newline at end of file From b3d74f5f394d104ae6588de4bc55c7c52a2e5a09 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Thu, 14 Nov 2024 18:31:36 +0100 Subject: [PATCH 04/22] Fix docs about updating keys --- doc/src/anleitung/sops.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/src/anleitung/sops.md b/doc/src/anleitung/sops.md index e4ed3190..528f1507 100644 --- a/doc/src/anleitung/sops.md +++ b/doc/src/anleitung/sops.md @@ -22,4 +22,4 @@ - Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to -- Reencrypt existing secrets for the new key with `sops updatekeys` (kali is this right?) \ No newline at end of file +- `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml` \ No newline at end of file From f91e515ce2215e09f3b7f9c60dc8009fa27ecaa8 Mon Sep 17 00:00:00 2001 
From: kalipso Date: Thu, 14 Nov 2024 14:36:32 +0100 Subject: [PATCH 05/22] [nixpkgs] add microvm.nix --- flake.lock | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++- flake.nix | 2 ++ 2 files changed, 75 insertions(+), 1 deletion(-) diff --git a/flake.lock b/flake.lock index b4c528b9..999afbfe 100644 --- a/flake.lock +++ b/flake.lock @@ -21,6 +21,24 @@ "url": "https://git.dynamicdiscord.de/kalipso/ep3-bs.nix" } }, + "flake-utils": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -61,6 +79,28 @@ "type": "github" } }, + "microvm": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "spectrum": "spectrum" + }, + "locked": { + "lastModified": 1731240174, + "narHash": "sha256-HYu+bPoV3UILhwc4Ar5iQ7aF+DuQWHXl4mljN6Bwq6A=", + "owner": "astro", + "repo": "microvm.nix", + "rev": "dd89404e1885b8d7033106f3898eaef8db660cb2", + "type": "github" + }, + "original": { + "owner": "astro", + "repo": "microvm.nix", + "type": "github" + } + }, "nixlib": { "locked": { "lastModified": 1729386149, @@ -182,6 +222,7 @@ "ep3-bs": "ep3-bs", "home-manager": "home-manager", "mfsync": "mfsync", + "microvm": "microvm", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", 
@@ -212,6 +253,22 @@ "type": "github" } }, + "spectrum": { + "flake": false, + "locked": { + "lastModified": 1729945407, + "narHash": "sha256-iGNMamNOAnVTETnIVqDWd6fl74J8fLEi1ejdZiNjEtY=", + "ref": "refs/heads/main", + "rev": "f1d94ee7029af18637dbd5fdf4749621533693fa", + "revCount": 764, + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + }, + "original": { + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -257,6 +314,21 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tasklist": { "inputs": { "nixpkgs": [ @@ -315,7 +387,7 @@ }, "utils_3": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1726560853, diff --git a/flake.nix b/flake.nix index 68c262c1..c02f881b 100644 --- a/flake.nix +++ b/flake.nix @@ -8,6 +8,8 @@ sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; mfsync.url = "github:k4lipso/mfsync"; + microvm.url = "github:astro/microvm.nix"; + microvm.inputs.nixpkgs.follows = "nixpkgs"; utils = { url = "github:numtide/flake-utils"; From ee7ee52c3fffca2f244f6401da62d2c2248e405f Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 14 Nov 2024 14:37:02 +0100 Subject: [PATCH 06/22] [durruti] make durruti microvm Networking still needs to be done but the vm boots using ```nix run .\#nixosConfigurations.durruti.config.microvm.declaredRunner``` --- machines/configuration.nix | 9 ++++++++- machines/durruti/configuration.nix | 1 - 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/machines/configuration.nix b/machines/configuration.nix index 4509ea85..685f5016 100644 
--- a/machines/configuration.nix +++ b/machines/configuration.nix @@ -40,6 +40,13 @@ let } ]; defaultModules = baseModules; + + defaultMicroVMModules = [ + inputs.microvm.nixosModules.microvm + { + microvm.hypervisor = "qemu"; + } + ] ++ defaultModules; in { louise = nixosSystem { @@ -53,7 +60,7 @@ in durruti = nixosSystem { system = "x86_64-linux"; specialArgs.inputs = inputs; - modules = defaultModules ++ [ + modules = defaultMicroVMModules ++ [ ./durruti/configuration.nix ]; }; diff --git a/machines/durruti/configuration.nix b/machines/durruti/configuration.nix index 9b458a88..70c68379 100644 --- a/machines/durruti/configuration.nix +++ b/machines/durruti/configuration.nix @@ -5,7 +5,6 @@ with lib; { sops.defaultSopsFile = ./secrets.yaml; - boot.isContainer = true; networking = { hostName = mkDefault "durruti"; useDHCP = false; From 5498418d06a8d400a1e1dc0f0c1669f6439249cc Mon Sep 17 00:00:00 2001 From: kalipso Date: Mon, 18 Nov 2024 22:55:03 +0100 Subject: [PATCH 07/22] [microvm] setup network, allow adding bridge interface to host --- machines/configuration.nix | 25 +++++++++++++++++++++ machines/durruti/host_config.nix | 38 ++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) diff --git a/machines/configuration.nix b/machines/configuration.nix index 685f5016..08f1cd4a 100644 --- a/machines/configuration.nix +++ b/machines/configuration.nix @@ -62,6 +62,31 @@ in specialArgs.inputs = inputs; modules = defaultMicroVMModules ++ [ ./durruti/configuration.nix + + { + microvm = { + interfaces = [ + { + type = "tap"; + id = "vm-test1"; + mac = "02:00:00:00:00:01"; + } + ]; + }; + + systemd.network.enable = true; + + systemd.network.networks."20-lan" = { + matchConfig.Type = "ether"; + networkConfig = { + Address = ["10.0.0.3/24" "2001:db8::b/64"]; + Gateway = "10.0.0.1"; + DNS = ["1.1.1.1"]; + IPv6AcceptRA = true; + DHCP = "no"; + }; + }; + } ]; }; 
diff --git a/machines/durruti/host_config.nix b/machines/durruti/host_config.nix index c846990e..4f77ba8a 100644 --- a/machines/durruti/host_config.nix +++ b/machines/durruti/host_config.nix @@ -19,6 +19,14 @@ in default = ""; description = lib.mdDoc "ip of nix container provided for malo"; }; + + microvm = { + enableHostBridge = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc "Setup bridge device for microvms."; + }; + }; }; }; @@ -45,5 +53,35 @@ in locations."/".proxyPass = "http://${cfg.host_ip}:80"; }; + systemd.network = mkIf cfg.microvm.enableHostBridge { + enable = true; + # create a bride device that all the microvms will be connected to + netdevs."10-microvm".netdevConfig = { + Kind = "bridge"; + Name = "microvm"; + }; + + networks."10-microvm" = { + matchConfig.Name = "microvm"; + networkConfig = { + DHCPServer = true; + IPv6SendRA = true; + }; + addresses = [ { + Address = "10.0.0.1/24"; + } { + Address = "fd12:3456:789a::1/64"; + } ]; + ipv6Prefixes = [ { + Prefix = "fd12:3456:789a::/64"; + } ]; + }; + + # connect the vms to the bridge + networks."11-microvm" = { + matchConfig.Name = "vm-*"; + networkConfig.Bridge = "microvm"; + }; + }; }; } From d012f7cb5a24c7c68e4b15b7cce3bed4e766a89b Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 19 Nov 2024 12:59:11 +0100 Subject: [PATCH 08/22] [microvm] split module files --- machines/modules/malobeo/microvm_host.nix | 52 +++++++++++++++++++++++ outputs.nix | 5 ++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 machines/modules/malobeo/microvm_host.nix diff --git a/machines/modules/malobeo/microvm_host.nix b/machines/modules/malobeo/microvm_host.nix new file mode 100644 index 00000000..e730488a --- /dev/null +++ b/machines/modules/malobeo/microvm_host.nix 
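Review bot: `DHCPServer = true` on the `microvm` bridge serves leases from the 10.0.0.0/24 subnet (the pool covers the subnet unless `PoolOffset`/`PoolSize` restrict it), while the VMs attached to the same bridge are given static addresses in that range (`10.0.0.3/24` in this commit's configuration.nix hunk, `10.0.0.5` from [PATCH 10/22] on) with `DHCP = "no"`, so the server does not know those addresses are taken and can offer one of them to another client. Either register the VMs as static leases (`dhcpServerStaticLeases`, keyed by the tap MAC), narrow the pool with `dhcpServerConfig = { PoolOffset = …; PoolSize = …; };`, or drop the DHCP server entirely if every VM is configured statically. `matchConfig.Name = "vm-*"` attaches any interface whose name starts with `vm-` to the bridge, not only the taps microvm.nix creates, which is fine but deserves a comment; the existing one should read `# create a bridge device that all the microvms will be connected to`. The same block is moved verbatim into machines/modules/malobeo/microvm_host.nix in [PATCH 08/22], so the same applies there.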
@@ -0,0 +1,52 @@ +{ config, lib, options, pkgs, ... }: + +with lib; + +let + cfg = config.services.malobeo.microvm; +in +{ + options = { + services.malobeo.microvm = { + enableHostBridge = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc "Setup bridge device for microvms."; + }; + }; + }; + + config = mkIf cfg.enableHostBridge + { + systemd.network = { + enable = true; + # create a bride device that all the microvms will be connected to + netdevs."10-microvm".netdevConfig = { + Kind = "bridge"; + Name = "microvm"; + }; + + networks."10-microvm" = { + matchConfig.Name = "microvm"; + networkConfig = { + DHCPServer = true; + IPv6SendRA = true; + }; + addresses = [ { + Address = "10.0.0.1/24"; + } { + Address = "fd12:3456:789a::1/64"; + } ]; + ipv6Prefixes = [ { + Prefix = "fd12:3456:789a::/64"; + } ]; + }; + + # connect the vms to the bridge + networks."11-microvm" = { + matchConfig.Name = "vm-*"; + networkConfig.Bridge = "microvm"; + }; + }; + }; +} diff --git a/outputs.nix b/outputs.nix index 042216db..c9bbcf03 100644 --- a/outputs.nix +++ b/outputs.nix @@ -52,7 +52,10 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems inherit inputs; }); - nixosModules.malobeo = import ./machines/durruti/host_config.nix; + nixosModules.malobeo.imports = [ + ./machines/durruti/host_config.nix + ./machines/modules/malobeo/microvm_host.nix + ]; hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) ( let From 1aeb1c2ab9bb26d1f7dcf2f3476a0f77f9f81357 Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 19 Nov 2024 13:03:47 +0100 Subject: [PATCH 09/22] [microvm] rm duplicate option --- machines/durruti/host_config.nix | 39 -------------------------------- 1 file changed, 39 deletions(-) diff --git a/machines/durruti/host_config.nix b/machines/durruti/host_config.nix index 4f77ba8a..418bbeba 100644 --- a/machines/durruti/host_config.nix +++ b/machines/durruti/host_config.nix 
@@ -19,14 +19,6 @@ in default = ""; description = lib.mdDoc "ip of nix container provided for malo"; }; - - microvm = { - enableHostBridge = mkOption { - default = false; - type = types.bool; - description = lib.mdDoc "Setup bridge device for microvms."; - }; - }; }; }; @@ -52,36 +44,5 @@ in enableACME= true; locations."/".proxyPass = "http://${cfg.host_ip}:80"; }; - - systemd.network = mkIf cfg.microvm.enableHostBridge { - enable = true; - # create a bride device that all the microvms will be connected to - netdevs."10-microvm".netdevConfig = { - Kind = "bridge"; - Name = "microvm"; - }; - - networks."10-microvm" = { - matchConfig.Name = "microvm"; - networkConfig = { - DHCPServer = true; - IPv6SendRA = true; - }; - addresses = [ { - Address = "10.0.0.1/24"; - } { - Address = "fd12:3456:789a::1/64"; - } ]; - ipv6Prefixes = [ { - Prefix = "fd12:3456:789a::/64"; - } ]; - }; - - # connect the vms to the bridge - networks."11-microvm" = { - matchConfig.Name = "vm-*"; - networkConfig.Bridge = "microvm"; - }; - }; }; } From 03f03e86e44b6010e0ff90c4b31ebb79569c15d2 Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 19 Nov 2024 13:31:09 +0100 Subject: [PATCH 10/22] [microvm] put vm creation into function --- machines/configuration.nix | 54 ++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 29 deletions(-) diff --git a/machines/configuration.nix b/machines/configuration.nix index 08f1cd4a..f62f7bd8 100644 --- a/machines/configuration.nix +++ b/machines/configuration.nix 
@@ -41,12 +41,33 @@ let ]; defaultModules = baseModules; - defaultMicroVMModules = [ + makeMicroVM = hostName: ipv4Addr: modules: [ inputs.microvm.nixosModules.microvm { - microvm.hypervisor = "qemu"; + microvm = { + hypervisor = "qemu"; + interfaces = [ + { + type = "tap"; + id = "vm-${hostName}"; + mac = "02:00:00:00:00:01"; + } + ]; + }; + + systemd.network.enable = true; + + systemd.network.networks."20-lan" = { + matchConfig.Type = "ether"; + networkConfig = { + Address = [ "${ipv4Addr}/24" ]; + Gateway = "10.0.0.1"; + DNS = ["1.1.1.1"]; + DHCP = "no"; + }; + }; } - ] ++ defaultModules; + ] ++ defaultModules ++ modules; in { louise = nixosSystem { @@ -60,33 +81,8 @@ in durruti = nixosSystem { system = "x86_64-linux"; specialArgs.inputs = inputs; - modules = defaultMicroVMModules ++ [ + modules = makeMicroVM "durruti" "10.0.0.5" [ ./durruti/configuration.nix - - { - microvm = { - interfaces = [ - { - type = "tap"; - id = "vm-test1"; - mac = "02:00:00:00:00:01"; - } - ]; - }; - - systemd.network.enable = true; - - systemd.network.networks."20-lan" = { - matchConfig.Type = "ether"; - networkConfig = { - Address = ["10.0.0.3/24" "2001:db8::b/64"]; - Gateway = "10.0.0.1"; - DNS = ["1.1.1.1"]; - IPv6AcceptRA = true; - DHCP = "no"; - }; - }; - } ]; }; From 2cdfe8c999fd4391ef413acf97ff6bb8a296cf6e Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 19 Nov 2024 15:31:27 +0100 Subject: [PATCH 11/22] [docs] fix docs app exec format error --- outputs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/outputs.nix b/outputs.nix index c9bbcf03..3458614b 100644 --- a/outputs.nix +++ b/outputs.nix @@ -41,7 +41,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems apps = { docs = { type = "app"; - program = builtins.toString (pkgs.writeScript "docs" '' + program = builtins.toString (pkgs.writeShellScript "docs" '' ${pkgs.mdbook}/bin/mdbook serve --open ./doc ''); }; 
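Review bot: `makeMicroVM` now assigns the same `mac = "02:00:00:00:00:01"` to every VM it builds, so a second VM created through this helper would collide with `durruti` on the `microvm` bridge at layer 2 even though their IPv4 addresses differ; derive it from the per-VM data, e.g. `mac = "02:00:00:00:00:${lib.fixedWidthString 2 "0" (lib.toHexString (lib.toInt (lib.last (lib.splitString "." ipv4Addr))))}";` (assuming `lib` is in scope in this `let`, which the hunk does not show), or take it as a fourth parameter. `id = "vm-${hostName}"` becomes a kernel interface name, which is limited to 15 characters, so a hostname longer than 12 characters fails at tap creation; an `assert builtins.stringLength hostName <= 12;` before the list, or at least a comment, would catch that at eval time. `Gateway = "10.0.0.1"` and the `/24` duplicate the bridge address declared in machines/modules/malobeo/microvm_host.nix; a comment such as `# must match the microvm bridge address in modules/malobeo/microvm_host.nix` ties the two together. The `let` block this helper lives in starts outside the hunk.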
From dbdf817d79e975bfcec396930b0046cefee88c5a Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 19 Nov 2024 15:43:23 +0100 Subject: [PATCH 12/22] [doc] add basic microvm documentation --- doc/src/SUMMARY.md | 3 ++- doc/src/anleitung/microvm.md | 39 ++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 doc/src/anleitung/microvm.md diff --git a/doc/src/SUMMARY.md b/doc/src/SUMMARY.md index e9dc6e03..a3076d21 100644 --- a/doc/src/SUMMARY.md +++ b/doc/src/SUMMARY.md @@ -14,4 +14,5 @@ - [How-to]() - [Sops](./anleitung/sops.md) - [Updates](./anleitung/updates.md) - - [Rollbacks](./anleitung/rollback.md) \ No newline at end of file + - [Rollbacks](./anleitung/rollback.md) + - [MicroVM](./anleitung/microvm.md) diff --git a/doc/src/anleitung/microvm.md b/doc/src/anleitung/microvm.md new file mode 100644 index 00000000..f8c9005c --- /dev/null +++ b/doc/src/anleitung/microvm.md 
@@ -0,0 +1,39 @@ +### Declaring a MicroVM + +The hosts nixosSystems modules should be declared using the ```makeMicroVM``` helper function. +Use durruti as orientation: +``` nix + modules = makeMicroVM "durruti" "10.0.0.5" [ + ./durruti/configuration.nix + ]; +``` + +"durruti" is the hostname. +"10.0.0.5" is the IP assigned to its tap interface. + +### Testing MicroVMs locally +MicroVMs can be built and run easily on your local host. +For durruti this is done by: +``` bash +sudo nix run .\#nixosConfigurations.durruti.config.microvm.declaredRunner +``` + +It seems to be necessary to run this as root so that the according tap interface can be created. +To be able to ping the VM or give Internet Access to the VM your host needs to be setup as described below. + +### Host Setup +To provide network access to the VMs a bridge interface needs to be created on your host. +For that: +- Add the infrastructure flake as input to your hosts flake +- Add ```inputs.malobeo.nixosModules.malobeo``` to your hosts imports +- enable the host bridge: ```services.malobeo.microvm.enableHostBridge = true;``` + +If you want to provide Internet access to the VM it is necessary to create a nat. +This could be done like this: +``` nix +networking.nat = { + enable = true; + internalInterfaces = [ "microvm" ]; + externalInterface = "eth0"; #change to your interface name +}; +``` From efffa450d4b93530ba9e0b05795977c0897070cf Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 19 Nov 2024 15:10:13 +0100 Subject: [PATCH 13/22] [microvm] share read only nix store this reduces build times drastically --- machines/configuration.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/machines/configuration.nix b/machines/configuration.nix index f62f7bd8..a2c24569 100644 --- a/machines/configuration.nix +++ b/machines/configuration.nix 
@@ -46,6 +46,11 @@ let { microvm = { hypervisor = "qemu"; + shares = [ { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } ]; interfaces = [ { type = "tap"; From 3f4c7350c2a08db57403fe65aa1b90bd162d7510 Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 21 Nov 2024 13:00:21 +0100 Subject: [PATCH 14/22] [microvm] add microvm deployment option to host --- machines/modules/malobeo/microvm_host.nix | 27 +++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/machines/modules/malobeo/microvm_host.nix b/machines/modules/malobeo/microvm_host.nix index e730488a..91797fe1 100644 --- a/machines/modules/malobeo/microvm_host.nix +++ b/machines/modules/malobeo/microvm_host.nix @@ -13,6 +13,14 @@ in type = types.bool; description = lib.mdDoc "Setup bridge device for microvms."; }; + + deployHosts = mkOption { + default = []; + type = types.listOf string; + description = '' + List hostnames of MicroVMs that should be automatically initializes and autostart + ''; + }; }; }; @@ -48,5 +56,24 @@ in networkConfig.Bridge = "microvm"; }; }; + + imports = mkIf cfg.deployHosts != [] [ + inputs.microvm.nixosModules.host + ]; + + microvm.autostart = cfg.deployHosts; + microvm.vms = + let + # Map the values to each hostname to then generate a Attrs using listToAttrs + mapperFunc = name: { inherit name; value = { + # Host build-time reference to where the MicroVM NixOS is defined + # under nixosConfigurations + flake = self; + # Specify from where to let `microvm -u` update later on + updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure?ref=microvm"; + }; }; + in + mkIf cfg.deployHosts != [] + builtins.listToAttrs (map mapperFunc cfg.deployHosts); }; } From 1dc140ad9f59513d3abf16e10489b691c7745f1a Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 21 Nov 2024 13:02:54 +0100 Subject: [PATCH 15/22] [microvm] fix comparision --- machines/modules/malobeo/microvm_host.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
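Review bot: The `ro-store` share hands the guest read access to the host's entire `/nix/store`, not just the VM's own closure, so anything that is in the host store — including a secret that was ever copied into it by mistake — becomes readable from inside the VM, and that trust boundary deserves a line next to the share. I'd add above `shares = [ {`: `# The guest sees the whole host store read-only; never let secrets land in /nix/store.` The share sets no `proto`, so it falls back to whatever microvm.nix defaults to; if the build-time speed-up the commit message describes depends on a particular transport, say which one is intended. The `microvm = {` attrset this hunk edits continues below it.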
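Review bot: The `deployHosts` description reads "should be automatically initializes and autostart", which is what ends up in the rendered option docs; `description = lib.mdDoc "List of MicroVM hostnames that are automatically initialized and autostarted on this host.";` says it correctly and matches the `lib.mdDoc` form used by `enableHostBridge` just above. Since these names are the only thing that selects entries of `microvm.vms` in the second hunk, it is presumably also required that each name exists as a `nixosConfigurations` entry of the referenced flake — if so, the description should say that, because a typo here surfaces only when the host tries to build the VM.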
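Review bot: `updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure?ref=microvm"` makes `microvm -u` pull whatever is at the head of a mutable branch, with no revision pin and no flake.lock involved, so an update deploys the current state of that branch and anyone with push access to it decides what runs on the host; `flake = self` (changed to `inputs.malobeo` by patch 17 of this series) is pinned by the host's lock, so build-time and update-time sources can diverge without anyone noticing. If the branch is meant to be the deployment channel, say so where the value is set: `# Updates track the mutable "microvm" branch, not the host's flake.lock; a push to that branch is deployed on the next microvm -u.` Otherwise pin a `rev=` or point `updateFlake` at the same locked input that `flake` uses.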
diff --git a/machines/modules/malobeo/microvm_host.nix b/machines/modules/malobeo/microvm_host.nix index 91797fe1..cee56046 100644 --- a/machines/modules/malobeo/microvm_host.nix +++ b/machines/modules/malobeo/microvm_host.nix @@ -57,7 +57,7 @@ in }; }; - imports = mkIf cfg.deployHosts != [] [ + imports = mkIf (lib.length cfg.deployHosts != 0) [ inputs.microvm.nixosModules.host ]; @@ -73,7 +73,7 @@ in updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure?ref=microvm"; }; }; in - mkIf cfg.deployHosts != [] + mkIf (lib.length cfg.deployHosts != 0) builtins.listToAttrs (map mapperFunc cfg.deployHosts); }; } From ca8e0cffdad53eaa7686666882bcb7a275433bd0 Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 21 Nov 2024 13:07:12 +0100 Subject: [PATCH 16/22] [microvm] fix type --- machines/modules/malobeo/microvm_host.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/modules/malobeo/microvm_host.nix b/machines/modules/malobeo/microvm_host.nix index cee56046..fc1c8162 100644 --- a/machines/modules/malobeo/microvm_host.nix +++ b/machines/modules/malobeo/microvm_host.nix @@ -16,7 +16,7 @@ in deployHosts = mkOption { default = []; - type = types.listOf string; + type = types.listOf types.str; description = '' List hostnames of MicroVMs that should be automatically initializes and autostart ''; From 64dbe6bb84ed00b5e90196929f4bc00fe1169b33 Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 21 Nov 2024 13:42:31 +0100 Subject: [PATCH 17/22] [microvm] fix errors within module still checking if list is empty does not work as expected -.- --- machines/modules/malobeo/microvm_host.nix | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/machines/modules/malobeo/microvm_host.nix b/machines/modules/malobeo/microvm_host.nix index fc1c8162..d7cdc55b 100644 --- a/machines/modules/malobeo/microvm_host.nix +++ b/machines/modules/malobeo/microvm_host.nix 
@@ -1,9 +1,10 @@ -{ config, lib, options, pkgs, ... }: +{ config, self, lib, inputs, options, pkgs, ... }: with lib; let cfg = config.services.malobeo.microvm; + hostsEmpty = length cfg.deployHosts == 0; in { options = { @@ -24,6 +25,11 @@ in }; }; + + imports = [ + inputs.microvm.nixosModules.host + ]; + config = mkIf cfg.enableHostBridge { systemd.network = { @@ -57,10 +63,6 @@ in }; }; - imports = mkIf (lib.length cfg.deployHosts != 0) [ - inputs.microvm.nixosModules.host - ]; - microvm.autostart = cfg.deployHosts; microvm.vms = let @@ -68,12 +70,11 @@ in mapperFunc = name: { inherit name; value = { # Host build-time reference to where the MicroVM NixOS is defined # under nixosConfigurations - flake = self; + flake = inputs.malobeo; # Specify from where to let `microvm -u` update later on updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure?ref=microvm"; }; }; in - mkIf (lib.length cfg.deployHosts != 0) builtins.listToAttrs (map mapperFunc cfg.deployHosts); }; } From 873a4f38315a2cfa97030e04aa2171ff0bc0773b Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 21 Nov 2024 14:23:10 +0100 Subject: [PATCH 18/22] [microvm] separate enableHostBridge from deployHosts --- machines/modules/malobeo/microvm_host.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/modules/malobeo/microvm_host.nix b/machines/modules/malobeo/microvm_host.nix index d7cdc55b..dae2e894 100644 --- a/machines/modules/malobeo/microvm_host.nix +++ b/machines/modules/malobeo/microvm_host.nix @@ -4,7 +4,6 @@ with lib; let cfg = config.services.malobeo.microvm; - hostsEmpty = length cfg.deployHosts == 0; in { options = { @@ -56,6 +55,8 @@ in } ]; }; + } // mkIf (!hostEmpty) { + # connect the vms to the bridge networks."11-microvm" = { matchConfig.Name = "vm-*"; From d0ed65d13a62dd7a83910bd294922b6bfb6a02be Mon Sep 17 00:00:00 2001 
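Review bot: `self` is added to the module's argument pattern in the first hunk, but after the last hunk of this commit replaces `flake = self;` with `flake = inputs.malobeo;` nothing references it, and `hostsEmpty` is likewise bound and never used once the `mkIf` below is removed (patch 18 drops it again). Unused module arguments are worth removing rather than keeping: the module system has to resolve them from `_module.args`/`specialArgs`, and the only special arg this series passes is `specialArgs.inputs = inputs;`, so `self` would presumably fail evaluation the moment something forces it. I'd reduce the pattern to `{ config, lib, inputs, options, pkgs, ... }:` and drop the `hostsEmpty` line. The `let` this hunk edits continues past the hunk.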
From: kalipso Date: Thu, 21 Nov 2024 14:55:24 +0100 Subject: [PATCH 19/22] [docs] update microvm docu --- doc/src/anleitung/microvm.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/doc/src/anleitung/microvm.md b/doc/src/anleitung/microvm.md index f8c9005c..86f13c5c 100644 --- a/doc/src/anleitung/microvm.md +++ b/doc/src/anleitung/microvm.md @@ -22,6 +22,8 @@ It seems to be necessary to run this as root so that the according tap interface To be able to ping the VM or give Internet Access to the VM your host needs to be setup as described below. ### Host Setup + +#### Network Bridge To provide network access to the VMs a bridge interface needs to be created on your host. For that: - Add the infrastructure flake as input to your hosts flake @@ -37,3 +39,14 @@ networking.nat = { externalInterface = "eth0"; #change to your interface name }; ``` +#### Auto Deploy VMs +By default no MicroVMs will be initialized on the host - this should be done using the microvm commandline tool. +But since we want to always deploy certain VMs it can be configured using the ```malobeo.microvm.deployHosts``` option. +VMs configured using this option will be initialized and autostarted at boot. +Updating still needs to be done imperative, or by enabling autoupdates.nix + +The following example would init and autostart durruti and gitea: +``` nix +malobeo.microvm.deployHosts = [ "durruti" "gitea" ]; +``` + From bdd13a204f7c5b97b9ac10be7b1b1c4f1b22e87f Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 21 Nov 2024 15:12:32 +0100 Subject: [PATCH 20/22] [microvm] mv mkIf down one layer --- machines/modules/malobeo/microvm_host.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/machines/modules/malobeo/microvm_host.nix b/machines/modules/malobeo/microvm_host.nix index dae2e894..7ff90ac4 100644 --- a/machines/modules/malobeo/microvm_host.nix +++ b/machines/modules/malobeo/microvm_host.nix 
@@ -29,9 +29,8 @@ in inputs.microvm.nixosModules.host ]; - config = mkIf cfg.enableHostBridge - { - systemd.network = { + config = { + systemd.network = mkIf cfg.enableHostBridge { enable = true; # create a bride device that all the microvms will be connected to netdevs."10-microvm".netdevConfig = { From 84fef37dc7b01e13a4d550d261f4a406f38f85dc Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 21 Nov 2024 15:25:57 +0100 Subject: [PATCH 21/22] [microvm] Fix conditionals within module finally i hope.... --- machines/modules/malobeo/microvm_host.nix | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/machines/modules/malobeo/microvm_host.nix b/machines/modules/malobeo/microvm_host.nix index 7ff90ac4..0dbbafc5 100644 --- a/machines/modules/malobeo/microvm_host.nix +++ b/machines/modules/malobeo/microvm_host.nix @@ -29,8 +29,8 @@ in inputs.microvm.nixosModules.host ]; - config = { - systemd.network = mkIf cfg.enableHostBridge { + config = mkIf cfg.enableHostBridge { + systemd.network = { enable = true; # create a bride device that all the microvms will be connected to netdevs."10-microvm".netdevConfig = { @@ -54,16 +54,13 @@ in } ]; }; - } // mkIf (!hostEmpty) { - # connect the vms to the bridge networks."11-microvm" = { matchConfig.Name = "vm-*"; networkConfig.Bridge = "microvm"; }; - }; + }; - microvm.autostart = cfg.deployHosts; microvm.vms = let # Map the values to each hostname to then generate a Attrs using listToAttrs From d2e97448f7250baf9304934394ce10f9da7cb107 Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 21 Nov 2024 15:50:13 +0100 Subject: [PATCH 22/22] [microvm] differentiate between stable and unstable nixpkgs --- machines/modules/malobeo/microvm_host.nix | 32 ++++++++++++++++------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/machines/modules/malobeo/microvm_host.nix b/machines/modules/malobeo/microvm_host.nix index 0dbbafc5..8846a4b5 100644 --- a/machines/modules/malobeo/microvm_host.nix 
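Review bot: The second hunk deletes `microvm.autostart = cfg.deployHosts;` although the commit only claims to fix conditionals, so hosts listed in `deployHosts` are still defined in `microvm.vms` but no longer started at boot, which contradicts the option's purpose and the docs added in patch 19 ("initialized and autostarted at boot"). Restore it next to `microvm.vms`: `microvm.autostart = cfg.deployHosts;`. At this commit `microvm.vms` also ends up inside `config = mkIf cfg.enableHostBridge { ... }`, so `deployHosts` has no effect unless the bridge is enabled — acceptable if intended, but then the docs should state it. The `let` that builds `mapperFunc` continues past the end of the hunk.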
+++ b/machines/modules/malobeo/microvm_host.nix @@ -14,6 +14,12 @@ in description = lib.mdDoc "Setup bridge device for microvms."; }; + enableHostBridgeUnstable = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc "Setup bridge device for microvms."; + }; + deployHosts = mkOption { default = []; type = types.listOf types.str; @@ -29,8 +35,17 @@ in inputs.microvm.nixosModules.host ]; - config = mkIf cfg.enableHostBridge { - systemd.network = { + config = { + assertions = [ + { + assertion = !(cfg.enableHostBridgeUnstable && cfg.enableHostBridge); + message = '' + Only enableHostBridge or enableHostBridgeUnstable! Not Both! + ''; + } + ]; + + systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) { enable = true; # create a bride device that all the microvms will be connected to netdevs."10-microvm".netdevConfig = { @@ -44,14 +59,11 @@ in DHCPServer = true; IPv6SendRA = true; }; - addresses = [ { - Address = "10.0.0.1/24"; - } { - Address = "fd12:3456:789a::1/64"; - } ]; - ipv6Prefixes = [ { - Prefix = "fd12:3456:789a::/64"; - } ]; + addresses = if cfg.enableHostBridgeUnstable then [ + { Address = "10.0.0.1/24"; } + ] else [ + { addressConfig.Address = "10.0.0.1/24"; } + ]; }; # connect the vms to the bridge
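Review bot: `enableHostBridgeUnstable` carries the same description as `enableHostBridge` ("Setup bridge device for microvms."), so the rendered options give no hint that the two are mutually exclusive (the assertion in the second hunk) or that the only difference is the `addresses` form chosen in the third hunk (`{ Address = ...; }` versus `{ addressConfig.Address = ...; }`). Suggest `description = lib.mdDoc "Like enableHostBridge, but for hosts on unstable nixpkgs where systemd-networkd addresses are written as Address instead of addressConfig.Address; mutually exclusive with enableHostBridge.";`. The third hunk also drops the `fd12:3456:789a::1/64` address and the `ipv6Prefixes` block in both branches while `IPv6SendRA = true;` stays in place, which the commit message does not mention; that hunk runs past the end of the visible patch. The options attrset this hunk edits starts above it.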