diff --git a/.gitignore b/.gitignore
index a2fa571c..8bea5d28 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ result
 .direnv/
 book/
 fanny-efi-vars.fd
+nix-store-overlay.img
diff --git a/README.md b/README.md
index de736510..0adc90ab 100644
--- a/README.md
+++ b/README.md
@@ -1,44 +1,20 @@ # malobeo infrastructure -this repository nxios configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner. - -the file structure is based on this [blog post](https://samleathers.com/posts/2022-02-03-my-new-network-and-deploy-rs.html) - -## hosts - -#### durruti -- nixos-container running on dedicated hetzner server -- login via ```ssh -p 222 malobeo@dynamicdiscord.de``` -- if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db``` -- currently is running tasklist in detached tmux session - - [x] make module with systemd service out of that - -## creating a new host - -### setting up filesystem -currently nixos offers no declarative way of setting up filesystems and partitions. that means this has to be done manually for every new host. [to make it as easy as possible we can use this guide to setup an encrypted zfs filesystem](https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/Root%20on%20ZFS.html) - -*we could create a shell script out of that* +this repository contains nixos configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner. ### deploying configuration -#### local deployment -``` shell -nixos-rebuild switch --use-remote-sudo -``` +hosts are deployed automatically from master. The [hydra build server](https://hydra.dynamicdiscord.de/jobset/malobeo/infrastructure) will build new commits and on success, hosts will periodically pull those changes. +Big changes (like updating flake lock) could be commited to the staging branch first. [Hydra builds staging seperate](https://hydra.dynamicdiscord.de/jobset/malobeo/staging), and on success you can merge into master. 
-#### remote deployment +### deploy fresh host +if you want to deploy a completly new host refer to [docs](https://docs.malobeo.org/anleitung/create.html) -you need the hostname and ip address of the host: -``` shell - nixos-rebuild switch --flake .# --target-host root@ --build-host localhost -``` - -in this case 'localhost' is used as buildhost which can be usefull if the target host is low systemresources +### testing configuration +refer to https://docs.malobeo.org/anleitung/microvm.html#testing-microvms-locally ## development - ### requirements we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf* ``` nix 
@@ -55,46 +31,13 @@ a development shell with the correct environment can be created by running ```ni If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration) ### build a configuration - to build a configuration run the following command (replace `````` with the actual hostname): ``` shell nix build .#nixosConfigurations..config.system.build.toplevel ``` -### building raspberry image - -for the raspberry it is possible to build the whole configuration as an sd-card image which then can be flashed directly. more information about building arm on nixos can be found [here](https://nixos.wiki/wiki/NixOS_on_ARM). - -to be able to build the image you need to enable qemu emulation on the machine you are building with. therefore it is necessary to add the following to your configuration.nix: - -``` nix -boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -``` - -then you can build the image with: - -``` shell -nix build .#nixosConfigurations.rpi1_base_image.config.system.build.sdImage -``` - -### run a configuration as vm - -to run a vm we have to build it first using the following command (replace `````` with the actual hostname): - -``` shell -nix build .#nixosConfigurations..config.system.build.vm -``` - -afterwards run the following command to start the vm: - -``` shell -./result/bin/run--vm -``` - ### documentation -for documentation we currently just use README.md files. - -the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser. -the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```. +documentation is automatically build from master and can be found here: docs.malobeo.org +locally you can run documentation using ```nix run .#docs``` or ```nix run .#docsDev``` 
diff --git a/doc/src/Index.md b/doc/src/Index.md index 104fd5b7..0adc90ab 100644 --- a/doc/src/Index.md +++ b/doc/src/Index.md @@ -1,26 +1,20 @@ # malobeo infrastructure -this repository nxios configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner. - -the file structure is based on this [blog post](https://samleathers.com/posts/2022-02-03-my-new-network-and-deploy-rs.html) +this repository contains nixos configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner. ### deploying configuration -#### local deployment -``` shell -nixos-rebuild switch --use-remote-sudo -``` -#### remote deployment -you need the hostname and ip address of the host: -``` shell - nixos-rebuild switch --flake .# --target-host root@ --build-host localhost -``` +hosts are deployed automatically from master. The [hydra build server](https://hydra.dynamicdiscord.de/jobset/malobeo/infrastructure) will build new commits and on success, hosts will periodically pull those changes. +Big changes (like updating flake lock) could be commited to the staging branch first. [Hydra builds staging seperate](https://hydra.dynamicdiscord.de/jobset/malobeo/staging), and on success you can merge into master. -in this case 'localhost' is used as buildhost which can be usefull if the target host is low systemresources +### deploy fresh host +if you want to deploy a completly new host refer to [docs](https://docs.malobeo.org/anleitung/create.html) +### testing configuration + +refer to https://docs.malobeo.org/anleitung/microvm.html#testing-microvms-locally ## development - ### requirements we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf* ``` nix 
@@ -37,46 +31,13 @@ a development shell with the correct environment can be created by running ```ni If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration) ### build a configuration - to build a configuration run the following command (replace `````` with the actual hostname): ``` shell nix build .#nixosConfigurations..config.system.build.toplevel ``` -### building raspberry image - -for the raspberry it is possible to build the whole configuration as an sd-card image which then can be flashed directly. more information about building arm on nixos can be found [here](https://nixos.wiki/wiki/NixOS_on_ARM). - -to be able to build the image you need to enable qemu emulation on the machine you are building with. therefore it is necessary to add the following to your configuration.nix: - -``` nix -boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -``` - -then you can build the image with: - -``` shell -nix build .#nixosConfigurations.rpi1_base_image.config.system.build.sdImage -``` - -### run a configuration as vm - -to run a vm we have to build it first using the following command (replace `````` with the actual hostname): - -``` shell -nix build .#nixosConfigurations..config.system.build.vm -``` - -afterwards run the following command to start the vm: - -``` shell -./result/bin/run--vm -``` - ### documentation -for documentation we currently just use README.md files. - -the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser. -the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```. +documentation is automatically build from master and can be found here: docs.malobeo.org +locally you can run documentation using ```nix run .#docs``` or ```nix run .#docsDev``` 
diff --git a/flake.lock b/flake.lock index dcad527e..9d209603 100644 --- a/flake.lock +++ b/flake.lock @@ -109,11 +109,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1736905611, - "narHash": "sha256-eW6SfZRaOnOybBzhvEzu3iRL8IhwE0ETxUpnkErlqkE=", + "lastModified": 1739104176, + "narHash": "sha256-bNvtud2PUcbYM0i5Uq1v01Dcgq7RuhVKfjaSKkW2KRI=", "owner": "astro", "repo": "microvm.nix", - "rev": "a18d7ba1bb7fd4841191044ca7a7f895ef2adf3b", + "rev": "d3a9b7504d420a1ffd7c83c1bb8fe57deaf939d2", "type": "github" }, "original": { @@ -160,11 +160,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1736978406, - "narHash": "sha256-oMr3PVIQ8XPDI8/x6BHxsWEPBRU98Pam6KGVwUh8MPk=", + "lastModified": 1738816619, + "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "b678606690027913f3434dea3864e712b862dde5", + "rev": "2eccff41bab80839b1d25b303b53d339fbb07087", "type": "github" }, "original": { @@ -192,11 +192,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1737062831, - "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=", + "lastModified": 1739020877, + "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c", + "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547", "type": "github" }, "original": { @@ -208,11 +208,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1736916166, - "narHash": "sha256-puPDoVKxkuNmYIGMpMQiK8bEjaACcCksolsG36gdaNQ=", + "lastModified": 1739206421, + "narHash": "sha256-PwQASeL2cGVmrtQYlrBur0U20Xy07uSWVnFup2PHnDs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e24b4c09e963677b1beea49d411cd315a024ad3a", + "rev": "44534bc021b85c8d78e465021e21f33b856e2540", "type": "github" }, "original": { 
@@ -245,11 +245,11 @@ ] }, "locked": { - "lastModified": 1737107480, - "narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=", + "lastModified": 1739262228, + "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6", + "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975", "type": "github" }, "original": { diff --git a/machines/.sops.yaml b/machines/.sops.yaml index 5a9f52cf..43869fba 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -8,10 +8,12 @@ keys: - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2 - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db - - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp + - &machine_durruti age1arwef7t65lz40lxhs5svyzentskjzam3e0e0yxen872vwy6v234s9uftvr + - &machine_infradocs age15rqsygf7yfe6pv6t4c6c9jc6yk4vu5grmmcu7sexvqfw8763mf2q6qw50h + - &machine_overwatch age1075ep3sl5ztshnq4jrygxqqqfts9wzk4gvvtwfjcep5ke8nzqs5sxtw7vd - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh - - &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf - - &machine_nextcloud age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr + - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk + - &machine_nextcloud age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk #this dummy key is used for testing. - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng creation_rules: @@ -71,13 +73,6 @@ creation_rules: - *admin_kalipso_dsktp age: - *admin_atlan - - path_regex: fanny/disk.key - key_groups: - - pgp: - - *admin_kalipso - - *admin_kalipso_dsktp - age: - - *admin_atlan - path_regex: bakunin/disk.key key_groups: - pgp: 
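Review bot: The age recipients for machine_durruti, machine_fanny and machine_nextcloud are replaced in the `keys:` hunk, but only machines/fanny/secrets.yaml is re-encrypted in this diff; no durruti file appears (it would sort before fanny), so that host presumably cannot decrypt its secrets until `sops updatekeys` has been run against every file whose machine key changed. Note also that `sops updatekeys` only re-wraps the existing data key — in the fanny/secrets.yaml hunk the `mac:` and `lastmodified:` lines are unchanged context — so the retired recipient keys can still open any earlier copy of that file; if the old host keys are considered lost rather than merely replaced, `sops -r` (rotate the data key) is the step that actually revokes them. The new `path_regex: .*/secrets/.*` rule in the last hunk lists admin keys only, so `secrets/ssh_host_ed25519_key` is not decryptable by the host itself; a comment on that rule stating how these files reach the host (at install time, for example) would save the next reader from assuming sops-nix delivers them at boot.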
@@ -99,4 +94,11 @@ creation_rules: - *admin_kalipso - *admin_kalipso_dsktp age: - - *admin_atlan \ No newline at end of file + - *admin_atlan + - path_regex: .*/secrets/.* + key_groups: + - pgp: + - *admin_kalipso + - *admin_kalipso_dsktp + age: + - *admin_atlan diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index a79e0f13..786ce20d 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -20,6 +20,13 @@ in inputs.self.nixosModules.malobeo.users ]; + virtualisation.vmVariantWithDisko = { + virtualisation = { + memorySize = 4096; + cores = 3; + }; + }; + malobeo.metrics = { enable = true; enablePromtail = true; @@ -61,6 +68,11 @@ in }; }; + systemd.tmpfiles.rules = [ + "L /var/lib/microvms/data - - - - /data/microvms" + "d /data/microvms 0755 root root" #not needed for real host? + ]; + malobeo.initssh = { enable = true; authorizedKeys = sshKeys.admins; diff --git a/machines/fanny/disk.key b/machines/fanny/disk.key deleted file mode 100644 index 7a30f5e9..00000000 --- a/machines/fanny/disk.key +++ /dev/null 
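Review bot: The `"d /data/microvms 0755 root root" #not needed for real host?` line in the new systemd.tmpfiles.rules block ships an unresolved question; on the real host `/data/microvms` is the mountpoint of the `encrypted/data/microvms` dataset added in machines/modules/disko/default.nix, so there the `d` entry would only reapply mode and ownership to an existing mountpoint. Either drop the line if the disko-backed VM variant also provides the dataset, or keep it and replace the question with the reason, e.g. `# only matters for the plain VM variant, where /data/microvms is not a mount`. The `L /var/lib/microvms/data ...` entry creates the symlink only when nothing exists at that path; if an existing host can already have a real directory there, `L+` is needed for tmpfiles to replace it — worth confirming. Both hunks sit inside the module's top-level attribute set, which starts and ends outside the hunks.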
@@ -1,31 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:1I8fN241VOaW4GaNUe/OVr+1HQKmtYL1GSuIfsE=,iv:aHdgEUj5QhusEavG9mVgtTQ4uqLJD2ozQ/kVVtFakYY=,tag:JJUbt4kgpa4hVD3HjLXGOg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUGpORk5zWXU1OVpqc2hT\nVW5PYlNLT3lKQVpTdCtMT1M3YlZ3Uno5bVJjCkJXR3I2Y3lDT0dJNThCcDN1NXYr\nK3VucjRKU0dac3BtQmV5ZFdrZXkrS1EKLS0tIGRGMGxDM0ZGbzVPTnJQK01GS3VW\nRHpJQWZLU1lrRS9ScXM0L0dyTjhGTGsKJEYq5vKxxYBAgkqUEkBwESur0reNIDPb\nK3rtflNi3dUYYZdLFNFV5rQX5q8aDnM6fO/zYPkzfBn7Ewq3jbBIIg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-01-05T19:35:48Z", - "mac": "ENC[AES256_GCM,data:z7elJ0+3r0bWc/H6h4rI36xC7Uj0NS04VssjPDNVZM17LeN4ansSOfcOKPaUMziV/z5Aq8RVLROR+FImzxBZGaZm37frCoN1OP3WjeDnP6AsoY9dY+S/aYmErVEsQEIi8T4RAdQP2c3BUt1oKZ9Nki2pu3IBRabBlFhaTI0bspc=,iv:8Nn8r9ancHwBJOaJSsv8Vj3s+d0UvRmKIeCDNzx1qRg=,tag:BSO2yu70H2wjen3BCGC4Gw==,type:str]", - "pgp": [ - { - "created_at": "2025-01-05T19:32:11Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+JpNwP+BLJf4+0pSr17TToviCo0yWmcaP1dIUqClBSoDO\nI3ZzqHdImAj4QgExif2zsuzz1+WC+sjvFqEmX5pBKza/e30qCZirkelz9mzc0mhG\nLhTzfhqC6fLbV5f+pDp6N40ommu+LX1pIz6nViCUjqBdnAkCb+tqLU4eQJQqVmlz\n7BToLsvYomPK1nJ6f4rt1nTR9wkBI68AYM/K0SgCJXjwj1LpZ/+3yElkiCqZ9uZB\n1jrDKX+QPySlZ7OERL70UT7Eh8DTUNzFnozvliBnyxe00wwiiucCgrC94TmaKCmh\ni/FOdS6Izm3QwcWB0eMCX6GQBvlUWpjSz5xF4+YODJe9tGNz/sNxpk6B8xG5NuG2\n61nohMHoml6X3Z9dOwu/Svl+eS8SV/r278W/F9miE8YeayyLlPxHF3DXjd6WeDhZ\n20NExQUJYIRf6w/XQPQZ+E39NkIHxz8v+P29ncmSsRPWS6d2MK0Yj+UW0vT0u1vJ\n+lAs24xYofbu5tmBbnK10lgBrZMXDJM2nQbKMKSkVVjzbzmOe5jzMBxuWLX+ykeI\npaj32wQDWvfBqLPH1Kwvy5nqHvy375jPZ7RTzT7W0d4jKQf7xapbi4CEepHHfxCF\nD0HIEi8RUlXJ\n=KVUJ\n-----END PGP MESSAGE-----", - "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" - }, - { - "created_at": 
"2025-01-05T19:32:11Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUARAAqowFMavIniFheNvt03EH1iEn64xNmExotYcDt2L0bR39\nXQdLvg7cJ/Jh7EuZ44mHTs21mpbYIlygMs6kimqQ8iO30vGTEcn5bt/eUEoGHciM\nYVHktWNR81ZgjvKCcmTUK3ld+DMKmg2BABr4auUOYLu4ToSnFb1fv+fvZG0D3iQs\nm6LJuafH+4utM16Vnkp9+ziY/ieMPYfbOFuSFq0UWxGK9P+koSYVGnYhH55Lksyf\nBb/esEGCY671/Jl/qHw8so4TELeRsW/v/xAcNqbE1Msdeas7WJy/B6WqXQgK/Y+J\nPsyZ2XHKhPRitN77/eDJXVBi0mKBTE/RCzDzMYxKA7IQm28v8+u+wpdCajewnyF4\ns2HACaYs/TWRpIUzqxRlznc0nMpk8xUaeVb0N7nrtSDEBF8ETOGOcPk1AmdKMR4M\nsy0vu+K2oJ9L7e/o1ntpejKHN7t2Lzq+CvszBYKmyw/KgxeqY0hx4cJTUDsdgLjI\nMTrs6bySVXDyRaw3rHo7OvA+5c8dLfnWJd1R78nZTx89CYCvjJeMo7PNvN6C9HxK\nJoCOCnZo6a3j4NqJvXD5GNqGSP6m1lqBRWYQUIhWaOfz8aTY1Z3EXX0/4tv5C+A/\nknhc694ujtmBXio4XgDIrSz3jr9G8+ZLvig88xV12HTJfsatypQdHVIZj08EeR/S\nWAG872Q/DVD/aDmhaOlq/o/QBoEyrnJdkRHT9NX8iBboQ81wezfJxWUWlWyHaXVq\n5YBLFQvQAZLz3h05EBkMOiS2dHUa8OnNImj8txnCePAlcUdv7LIVxHA=\n=9APA\n-----END PGP MESSAGE-----", - "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.9.2" - } -} \ No newline at end of file diff --git a/machines/fanny/secrets.yaml b/machines/fanny/secrets.yaml index 195e7bcf..37dfc121 100644 --- a/machines/fanny/secrets.yaml +++ b/machines/fanny/secrets.yaml 
@@ -5,63 +5,63 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf + - recipient: age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTmdrV1IyM2hldloxM3Zh - cGVIZmtCZ0FLTEQxcFBLaVh0VXUwNWVGR1hBCnJ6SHpzckh5VVduM0Z2dkh2WHdy - WGxRV0JFZTdqcWgzUFlSZkowZElJd2MKLS0tIGxYL0orSVdmZzJBSEIvRUNDUVlK - RWFLOWp4TVJBM3llS0lmQlBUQ2ZQNkUKEz/dXR0tkVeyC9Oxai5gZEAhRImdL1FL - 2LdVRiCt3MqR9wtfw1/pR7166Bx8nLIN42uWh2YU5j0/0rXNq+I6Qg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZFBYMHMzTFRMLzhCbnBE + MXkreklWSUVOckl5OTJ0VzlWS2tIOFBRRVVJCk90OXJoMHQza0hTSGt5VUphNjY1 + MkFrTHQwTHJNSGZjT2JOYXJLWExwQTQKLS0tIHlTeVgvRlU0MXA3cUl2OE9tYUls + TStjbTBkMTNOcHBja0JRYUdvSWJUN00KtOPBH8xZy/GD9Ua3H6jisoluCR+UzaeE + pAWM9Y6Gn6f7jv2BPKVTaWsyrafsYP7cDabQe2ancAuuKvkng/jrEw== -----END AGE ENCRYPTED FILE----- - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQW5OU2FiNStkazFRRHBK - U2kzNkpWRDVQTDBkTFFNWnREcjh6NlhmRnhZCkxMYlZhcUlGUnN3QWFzbVkyYlpX - eWZaOUxsUCtZYmx0U29ZckFaMjNLTFEKLS0tIExxV0REL3MwUTZpMkgxYlZMc0JS - cTNEYTBGT3VRaDI1eUhucnd5d2JhTWMKNZlkUjxX2QTFoiCWPzz62jz4kK8d5rW/ - MJ1w69Qve7lsUAg74YlFF7i/yYSZZkHoRMs92lRmq3lHlbK6aaUMTw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhc282T2VVamFGcG1Ub3hp + S1VwKzVsWW1sRXczZnRNdkxDWE5Sd0hhVUJRCkovNGZ1ZlN0c1VyMXV0WThJMGFi + QVM3WW5Eam81dWpGaFd3bm80TmtQSlUKLS0tIFFSUy9SYWdKeE5KWk0yZld5dDYy + QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP + SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-01-14T12:41:07Z" mac: 
ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str] pgp: - - created_at: "2025-01-14T12:32:13Z" + - created_at: "2025-02-11T18:32:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv/YM4JBfaFngZt0SmMP3fBCodQXWnWMjy5VYoTOKKaOfG8 - 5GRTf+o1stsru3EKImh5PTqniRO6UH+/DOKBY8zHsy9lXojGka3uPJRKv7JUD5YO - 8NjlHwwg+jcQN/qtrWc+1D69zR1aO/6yxfgujL3r/fJ4reqtSNfkVYVy2lEcw2ZN - zhlN+fBxZCyHyUTKLcXrG7Fg8BRudjwBnIsBTLAVFkWg0bnlq38vicGpF5CHsRjA - cTPq2D9ev888WKHcjFcXYqxeKkXkqBuOOMlCHQyJCv8HHfA/GY+pBQfiVmvSt77O - /MA8hVYl8G4tRFsbUdZzqtPbAsLy30w1e9dpsD2M6tD55V2RNUCrznB2lo0uXZ24 - 9MUnad+NQdntbe5B2OBUF/MNKZ9/tC+B9pBm7Tx3rxSELytGuQF11x4EyLwn+Ict - iBBV5P3RiulxLW6MbDs+7JPILfcMfg6e8q+GY1dnIPZrs8Qf5W60FxbOYYiMvJ9k - UtnZAixVdlpkAsQz/t630lgBX9DLYjEVgaxC+zqtRjfHkoyvGIac6cgHDX/fBs7p - Woud0RbwffhOhaIF47Z2W4UPfn5Mtcu63fQpjCM9urk9asaRPeNDTeEYVjqSZD6N - J+o9dahBHvIF - =GKm4 + hQGMA5HdvEwzh/H7AQwAmorRyo7mguHQxATRRuKstaXertmyz2AhKFr1Kr880vBJ + ODjEKmkH77wIpOnZjOYrx7j2JWosoJ1KgsUUh4VlAPM3O6cXVwqDucu1d8O/HzK3 + RPuPfTKDr/lKl7QyQCx5lQuxE1/qn88D/g/fMQYu3NAVJa7acpTdSsfyo9nZ3QMb + ly6YEyGDc/IhBy5igc7bIWy1o+XATmyUxA+jZVMLiBKhetogMC507Eq71tUCMEht + CItRoFFPeoCzC8JPjpQNQmXoe5WDv3hzWpUBRJgjScYz3JuEfakbsAnzrPc41Mga + yPhSPYPBtHlEt+DntW9i/CFLEJ+I0V+uz3gnNtNdHTIIe2AZbGympjZldZThldb3 + Tupo7ep6VQgi+hG37wLmQdvSVWR8lVJDMvOmV9xZqdFYfQdBr2gewTT6Y2QCc8GZ + HBtJASlpIbydd/rtLtaTwtdOz64g+F5Vw/6T3ciyExt6RCoPALqZCoyzQnvnQm7e + JPPauAs8BH8ejoDlJYjK0lgBBMSJTZ2xlGYh4wG8zmGtGok2wvXYy+DeqlXuCIy6 + 7Xu4BLTL9eOZZo0sPR+RQfYbII0zMIc2fPBtU2c2z89YOTI44FI0BVbTlhLIIXXz + NJMDln08MWwr + =hhKC -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2025-01-14T12:32:13Z" + - created_at: "2025-02-11T18:32:49Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hQIMA98TrrsQEbXUARAAmD4PfLpRVUXTo5yyS9LSs5vmEvnCmNc0ad4Oiv7YAxhs - W7SCKHq2zOfGIeZZHP0wjRnJELwMCVLy4dVo/slDHCiy8T4MZXaYR04ZaJJ+OHrF - e5xxAA6FjipufvxgRZvLhDj+g+RaX2TuxdL9gFSVS81rvEpSRDnydt2O/6G4SGBR - GO5b176eMerrqOqRLL5Ou4b6oitagvRwZzOXQ+YonKZz3STlyXRMgWxeFTDK9T/q - yYOwPVAOU1jhYzUjHNAYCp3CH4ERScrO7AwomAWH+Fe48WRbg2ebdqRnuv/Vl4PM - wc5DQcCIIIIENMGIYOzUo1KrfQlevzXF/mbgAgo/uVuRl3Y3lCRAcZBQOtUCF5Ap - FhsO87EMXlZWj3bv08f21t3hQztfuaHIqFpCbSIGgmiE9cAY0cOtCYpJfCYdV7iT - cOElJgYRbAsAbFC9wTQWEvwIxrgnCIrkCg1bzP5KNLG1K+ae5J7qN77qeTQw2/ul - QDDUUNnzjes562t+/xFLQa/bust1Y8pAYn1s1LEBol1hLX4Igonlkw303UPjZOI2 - MyH5hOh0hNUReuOpHpre/pYquE8Dd27XKAHfJsSd3ZLJG5+1Msw23lIsptgovNrB - 5VRvPj8WPojiDHqN27kt/IuayN3TeoJFjmAjkoFjlyKTcs+b6cDkxUw3LcP+6NjS - WAHQI0pWTa5zD8UPow4DHxteP4jW/6ddBfJ1Vz1scqKMXYvxFkRqZvn3uAJOtcuw - CgQ4CXE43n4G7g5gvWl6ZFW8tdXR7Sw+USnHR/9oS9fV0rHcxxDFEfE= - =9FN4 + hQIMA98TrrsQEbXUAQ//cBdyq4JxOhU9t7Z9iWAp2DRObgv7HMbhIXh1351wuzA7 + Fe0Kqcoo/ekCkIPrLZOC5z4CMjXwOCPSncMMm5vK5ibixTlX9446+Hv7AQ1vq2Nt + 2daL8ZzpCeCJmi07Vyp72/NJOZYa6YY/gFiiRw044lNLFS//b0sYkipne5COjvca + I7BxWCpGwLLWZ7LNKhg6i0at+0AqEdBDiwSE7jfeY6IL9tPOIqmBxYIWMbiAkPMd + /nK8PVPrt41NkJkuxfjXcYowJRcJmAYHGiRUQaAkUZyRQxmolbLwwJ+/CVYxv5Kk + hN5QvT82z5I8gK5LXrt3ZGEcC9dADkRSQr/qcWQT+CEnsGZi8b0unwUZZruDVb7d + eIwICaXu62gH/mlJN1z/J5jEciwQtC9Eh932x5qY3sdtd6Gm7/EHTf9NJ9Zg3gTk + nfytwpfUmtJO/bI5RvYSUkXkU6CLY6bqRW12+YrsAP+vDITYcLVEJGt7jrXDFto2 + Z9rlywZsQiZhLrzi1UImCTthcceI6Hd7l3TOYV84gMxdahBo3FLKnoZRK2I7ukGq + Wi0KjajcsJ6LBUCCpMg/tW+TT8/+66QY9BDzcv/hBdRc4lCKNeKDwwGFPSFZCcib + uyT8UB6iUYVMiNSHRqdGGcH0NwH45Oe2g9nF/lrJ0vYw1toN3WSpEc5v/Nch8DbS + WAE3DazXQgd4UQ19q+5cC+L5POWcAjgWpZlRwBXBRdeOKFDF9maCPL6MpfMm6XG1 + /JNfzhipjL5OXgJgK7iUFJlH9AuD18g/by7yID0bTsg2fkfLglwjfm8= + =Sdch -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted diff --git a/machines/fanny/secrets/disk.key b/machines/fanny/secrets/disk.key new file mode 100644 index 00000000..2d0018f1 --- /dev/null 
+++ b/machines/fanny/secrets/disk.key 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data:H0oMKUXc6C28tHMwSgsppcdfYKEknPIIWGq3Mwk=,iv:lExcGcA4bvwKtqeeG4KS87mWlPBtCSSpOunJMZcQG+Y=,tag:F6Pke7woX/odRT7SMJwVbw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdlQwRFZLZUtGamszckt6\nNmFoZmk3U1JpM3V6MkNZc2Iwd0VlTDJpekNvCkMzVm1qNEYyNEZmQ1o0TG1LRmpP\ncUhiWlB5ZTdjZnBHQUxVblA2V2s4WVEKLS0tIDhiUUdla09WRmR6RWZnbE5XRDAv\nWVV0WW9wMWsrcjdsdkF3NHgxMVFmRDQKeUAVQU/M1DGfAmee6CFvyTr8RkRBWjYk\nK9ceXyJSojHktwr/Xllm1mMm6H2lPbzba/JAyt99YVTD8xO056vu/g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T18:09:45Z", + "mac": "ENC[AES256_GCM,data:5IGtFkE5sGjXJXlXkPdN4e15gxh6QB/z1X5A0149koG3fvOPnoLPEU+DGx1qj9Z/8vilJat1hk7qIBalMPMCn2/T1PIV45Hpvih/kNoszkFMQ9r0EsZMgXgSJClHSg1JaiCiC3LvjsIWHDoESwVx3fqos1ClOLtrzKwptCEUp2Q=,iv:15QS1AwpuUr+EMw5YQe8ogb1Y58nQh4WcFjtzuWtcUQ=,tag:vL9cZRdsPCqaTw42pzRfOw==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T18:08:13Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/WtqMo4CAW5VEqo4vEL7Lj9Z/OY1h0zPF/bdkc9u6x7IP\ngqH60j9iF3n4ae717c4eKf59iN4+4tDk51qb1XdBOw1scn6rTai6KCnqNhiGeZF9\ndKsCZG5LxdbGkEFFw0Q+6W+gV6MiGlD4SBiKpjAsGVGcn42wygfTzpFRRA2Pmlev\nAGSUs5TDmi1IqQsvzYBMBM9+6sdsKhpRalXGS0gFz+wYGPFlK4E1rd6CBKRYEWtw\nm4kRe0nA2Sk4XhVZ39nPtR9rxrhB+d+Qq7AHIqD75SoY8vI+o3UyJ5Cee5MAmMcd\nn0EG24OeThF2p4lZw0iuUgtefqkc21/MoojYP6tfS7s0vGcq9iFjZ8PgUv3IKfrZ\n9EwresYfvhKbocZj2ywPK7iavFCYmqpTzbloGkO0AVfmHpWZRpxneOaGruCwFmGg\nF3qBVTcBSBDF972KDvm/TbKV5NQmRAZuXTrTBh6vgmVcaLN8LTLP3xRQlY28Ng2P\nY5l/5sZ1CGvhfv+G/24n0lgBF7I8pMTfsUEttzPONEY3pRaYyprYxdDlutHI2Kzp\nl0oPBs19rCSn79avQr5fE0mIvqJCoB5HVPkUDjNTaMNSJAywjQEWNITh2GszRTku\nBDvnzA2VnVww\n=aFlN\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + "created_at": 
"2025-02-22T18:08:13Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//bap7Q1HvJJ2KjVMhklTaQ2LG+TITzh0jvaRSXlXG+u5a\n//iWLTov8CH6s6e5I/T7FtslIcBVmyUX9vL9tCgVNMHy0RVG9mmykS0z5/9GY1tY\nEDcOOINQwrmuhWFHvc+9hzKEbLH7heR3ljMw9ouzBgFjEUdhFKJCIW9xrY3a45ue\nwBfaVj0tPNFMq/f/Zu5dDvw6gmYp9ziSMh3GwLNnMBmQDgdSjZJWQr+oa7KKSOM4\nu8ogeqP5Yyf7vDj1he+9TJpG8fdE68boYban9t9rfnyf0cRW7oHkpkwPtKvn9U4c\n4Tbl1RUqfHsTpHX+rxP8w/zgaLbrc0hJO1zxXeeQTOlS/0S1+i5n3pINFwzNXNBE\nIHgIpqOKabfpDFsL/DMIdNQZyr/iD4gHjzSeQPdyd0/4dbFMKPsVzA3JomE9z8NW\nRXz9Htb4Z4fybcPDOLxPkyM0qsEtdfb11U5l7IKuq+2ED5zOFxl+qhZrFz7vY1R7\nyaIM70HUeVCT7p0KZmWgtzjhafI8kTS2Qd7VjIF4Y721rB2opqaOKaCWjp4eeYI2\nE/TGivgRl57KgSF8Y8ucoC6ndsxwgJ4dYt3fos09Rbv1qFrlJftyD7m2kOXnPx5N\n5/2R4h3tiYQqGm727bjTjmGUtxToum3rY4sO0y38Woc+4BK3h/gj3AMir8DI7MfS\nWAE+yxIZH8y+c93zkZy34mEHafc6zPFD3QWuzbXzMGP+EMn710zaWmrVV1X3oLKW\n8lFB5sEX+BJaDgISOG7vgypNA+HtWZnRcB1CnzxboADE+HVAU3d+Bpg=\n=rfB5\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/fanny/secrets/initrd_ed25519_key b/machines/fanny/secrets/initrd_ed25519_key new file mode 100644 index 00000000..27b9b1b2 --- /dev/null +++ b/machines/fanny/secrets/initrd_ed25519_key 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:RQH+e6ZADH2XMPqBeuHhMhHiksQg2iR4NUnYhD3pj7w=,tag:wJByTCrYf4cKxJaD2eTCMQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOS9jMmZoNWxrRTl6aVFu\nSW9oTTVkV3NiSGpDTDJNT3dmUWNmSURCYkZ3CnZJNFNEVTNWNEpvcS9NRjFTdExy\na0NNeTByblA3T0JFRXJacHlFTmRPcEEKLS0tIDJCa05LZHo2Rk9xek5Ec1hDODNQ\nOEs1Sk5YbTNHZGFtcmpqaDFKdzRpUVEKiUhTrGp4rXW3hHd8HueZ5v31CXpMACFT\nTq2OaVXUW7yTLFO2E405hQH2ZLS7KzkXeHmA4MZfbsq0ZkriXp956A==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-25T16:42:28Z", + "mac": "ENC[AES256_GCM,data:iJS4wLJwJZRUozNBUBxL8wYOneGI1Et3r9+DtIs3JrQLEKV16n2SeRP0jRFyCO7VNkxyjnjXJwe0/GVbxtQbVCuDFaCWVpj4xNiEH3wMeuydU96E2QgHaWJGvhyj5e/5o3GO85DeF2ueFCa9DQKtTIWH1xPfqJwtZC2PGH5Uqyo=,iv:/TpULYHxSgFfMQyv715jLVY37AhSY/qh1Zn00UN8oOw=,tag:XrOn8ZpgWFYtSjatXn8sxA==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T18:08:12Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/dMSVIuM4gsG06tcN0NvWQgZUO6E8u2M3k3kUU/xk9bem\nSJFtHluWx26V6F08PP5AoDQ1R5Z1RhP7w3JDjVyscb0WuUzDFVTbJLpuPJIX+MOe\nhz8OqLatn24+fK4eMnQFbTELYRPEKicMmoJrFaTXdUOLkynWtxijzRlCif8J1u3e\nqj2fSfPd4SI9ERiGo5MBtHA9A6nwQvboMdnlGvvlAxFF26QL0xqu8jUdllfJ5IT0\n7y3vbGixV/M29MKzt+cJk7Wnb2y5UaZdelsDmxmm4FrIxHaQrAb/kIMiwf6zVCwh\nZFvNwcAPirduvxpcjOV99mJQ3v02mWo/p4Ey3PCwRb1tQYRxiMf7IJ/eAspmiI/9\nwK/2c6ehtBVXlw738JjA+WP36u+5S7CrvzNk6RLd0y76aNvGB6ZCT4rGm1B2DfR5\nguP+RJGcMFzhv55hQNCNUHZ2jvhLvDvSaCjlOaJZBC62gCygtlDqaLtagIO6RwKR\nJdatJCEjio5yD7x1d7PY0lgBVlbkXk8K3e5CN4RdLyoZStShW3uC6dCUGG1OJzPE\n0mfW5y683CcpMATeucHROtTxxrmp+BT5CyP9eBA/CrmTAJVMaWYM/Tb3+nE4Feal\nKlamR+tLaZdj\n=9/53\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + 
"created_at": "2025-02-22T18:08:12Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9FH3RHkKEo88HEAXYPfJ3tjctUrn6Y1muzgyilfa9R7OC\nBNdSyXP8qU9FaIEEO9cwXKY6hB30l/b42RwL2HS5MWlNZTXZO9XCjV4VpmkIy88y\nkVhxdb2QbGQSBqmfyc9GOvI2LN3jIAE5fy5GuDREKRJPfVJu6x7IbC4j3tT+3Szq\nzOTF+ZfuUlM7FDzt4vAvP2LeOZxYKCg1va6ne7rtXsry9cIotP7fTqm0xPLZ/K+2\n/+HhC2585GdUXratqod1VfUPGyvdyhrn6WV+BAvUA8O8LYO5ZIkgz16vp60XNZEA\nCkjy/kiSlMorHiy7/ZtWHwWPNQbGxVJ/u6XurgzreDT4H5FvfyzvdKTz7IGYNYfZ\nvwMtQDEd3ToP6QUyNGfpZ5eRGb3I+8xNOd3z3XIXYGFYAOPHriGXMA8Y1g21f+c8\nz0QxXXDNXlTt6qdpumfgF/d/UCFJZeuP2t+mVnnp/gkK6yKZlUHD8L8XjkgumxB+\nvFFKOpPbrO+H+L375xZp9OJTINF5QTFkrmT/jPoexCkx9koxNhM0vIKEFE7+gFsW\n5GKQqz0n1HQgbFfdm2Jk7WQqY8r0weGedalYzkfDPlbS0AdCB9Llk/vwu5Tf+hcX\nIMbph8ZwKLzld9MzEplhHwBZ/Gz0Upp1IYj5Ifr50EnlHjBJ+Z8xXWKshJ/6UerS\nWAEiuOmlWRFGWRM5EdrXwh0/dj+ZyXG7unsv+jpNXjOE8eznaH4Kd9/PEmxazbFX\nJ1gtX6JFy+HXID2DJmXng6NxCzPWpo6prAH9IbMebNVQMzbl03Dtyec=\n=WoeJ\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/fanny/secrets/initrd_ed25519_key.pub b/machines/fanny/secrets/initrd_ed25519_key.pub new file mode 100644 index 00000000..bc13aa2f --- /dev/null +++ b/machines/fanny/secrets/initrd_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFRuQZweX3r9QQmAFo6oYY9zvrf9V3EIJOl6kFMgyLm kalipso@fanny-initrd diff --git a/machines/fanny/secrets/ssh_host_ed25519_key b/machines/fanny/secrets/ssh_host_ed25519_key new file mode 100644 index 00000000..19466113 --- /dev/null +++ b/machines/fanny/secrets/ssh_host_ed25519_key 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data:16SwZ4RZ89+TvwPVgEg+96PmNd63Oai1GnrRipLkxQmzfeAkQvs78emYUEVT/ouAnRFQRNagbhjA4nmfTTq1xGz1u8bacjk1ny1ckd2FmkEOQ7Ry181h8UE61rZP3c8yra2WCgOcsL22oUxUMhg6iswJqEKLImi3cmJ+hASPTc6L3vlZLcP3Vx6FEbDMGrVtfpHEliSicB/rkAOnjVHmxHmVRjx1AI7jfAjCoBGnLwI9X2XREGay9H8Kt36HIhlXA9dK+xkl6WdtkllHIHe3OYHqwd730g+1htMAWtHmyI/DPLLJG48pzITnKv3cQ3aaziUWJGa89WGnBuzxP8ZOagpnC1/wQi1WTR7d/4JYoslz06fCt1ouGT4ttDFh/YqbV0hcXqkASbUnnixicBaYeVrwvSkYvlbwToZ6L+Jc+eqQRrTKXxs5pIZ4qkvImDp85v3U1bDxXT+qhpK9hasmgBqgM9GYjgw8Um/imr9HqDp9ztRsij87mRW/l47vUhxRjrAWpv+J0OlptUIpRiLv,iv:7x+dTHtSbcc47X/ZGz/bcnOxkGDDBu33ZgNrOD1FwDA=,tag:B6s1Jt1KFCitya9oAKvp9w==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYlgxeXQzNmtEZXZXNytp\nTnRTRi9nRHJ2bEdPVGhPMzdMY1lPOUpGckFFCkJkL3BVSWlIZ1dBVUliemFWNXl4\ndU9DamhTRUp0aGVwamhWUUZJd3dUREkKLS0tIFNkaGNzc1R5aGxxZWV2QytaRFIw\ndC81MDR5SUlESnNQRlhuR3doTWhYL28KMIMs9mPwVuFr5cEvO6goqf3zQALSO5BB\nrY0C8TfkHLvV57999U9kfyLO7Sm0R/RGS4IinQSCRQWEeR+qLxnEWQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-25T16:43:40Z", + "mac": "ENC[AES256_GCM,data:dZJc0aqSD7dhe4Egih3z8QHIbwYDCGYU0DaOczkqHd/yMdcVNrNrcIR6yshArqCLl9jj5Zw3fIO75X09mvuvUCyszbjQyzSmTACp7K3skHuDRJ/yh5vaw6XNeJ3w26Dimfd0WfL1XC519DW532icrDiy2lCZ1qdcYwpqQUBKM/Q=,iv:4vx48jXxKLDOKfK6yYJWW28UaKl+EyqjeRAzV0WayEk=,tag:oO4cAVAv7N5aDAmK5V84mw==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T18:08:12Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+P8Y3rBJAAI2orY71hRSpCAJo/x4CUColQZf9xK4ZgYQ3\neW/15avJVso26mYiZJsTPaEczJ89igYKDrf8Ewi8NNNTmse/BO+BG8KX13QOSWKb\ngiRXMl6zpQwH/cmCXvUrDczjcUaG3vMpcWClfd3lfjEStVEzNB+OKCuRLxhKGYPn\n3HZ3Ypa97ei8uHMKbnloGigUouVKVCCLIqyrJCybQ2+UkOMzcMJpO96RMooWQOUJ\nU+0rLS2s3r8UnwQjEcedEITlmiTlZkTrUnUylcc22v3yVJh3UExCcoVWShqPUE2j\nJv667rq1EblbIzn/8vyMXxOoSYmrLJ+hgh6OXio5bbMUwd/7m6Zz2jEeTXbJi20/\nEl2V0Lu4pTWXhXxh+Y0MIdh2tHMGGWmHBk650e0M/JbnchxK5+9GblWkfzMV8scX\nPpDScHH+cqNPIsvtq/aYGSv5o2u5JfndEuW16cWU99mgYvX7rwwbRbI1zWVX5o9o\nQ6dqJGZEbtE0QilOKxiI0lYBTrDySzaWLTAngd3myVMvFBQ/K6VL7mXwJvDYgOcJ\nxHIExrd191e5eLr5MGQAzXaVietENN27aEDPw5WV9bmXoAKp/4muJnfOB/wBSjCw\nlutnbF0yLg==\n=MqvI\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + "created_at": "2025-02-22T18:08:12Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//UvOmGlNKLrRg5fXmc/paHF7YVFCGuBa0epuiVsVkS6NX\nQoa57oBJS0y22/dh/fb8Nu7/bMpa9XpPwfgzqhi7+5V/y51lvAIKmrYqNTnGdKB1\na9aiX0yxK0d5Yh0RK+9/2Q+369152mZXx+9Oj3SM8396bcfvTFX4jbhGdnKPqalW\nB1OO8HfYFAu4yl11uVD5cHSdhvXKJOa/GZPkb3TK2kicUdNX3HnZJ3PPGrkOy2EU\nuwFOIVIdNp2MUDFW+V2Nso/NiGcR96uKk5ZhGJaYrXjDDMNHyoLWc0d8wEg3n1Vw\nXOSNLmkSFY39ExKRWu8sijSyZIYN+Ul4t4WdO1Puop01xGTfAkYVQOLC+H4unu3q\ngboyNZCSuZXgG02B8ph/tLlAQ78d70YAf0nxkvzQB6TTNfQ4nyp8QnUJDkwaAnvl\nxDqDDhJBjlfIpqNLT23caKqgt1hSLv3Gcb486D8ZC+6nNuefCsxop82FaUMvL1uf\nWPMcAxMyv4REO8l9V5CDn1+6i+iPyN/Mo+hpwco+sYNZMlSs9PcNKILWZg1gv6q1\nU04IyEPym9VkI1jFte4dsljlp3C2R+l1Ikv5OB6dNpnnMVnTgkDwE0vqvsSTIwbS\nYvFoWBAsRlHMFLLfA6QjRyZpWemHBjrpaqBbIJEkZQnKM1IWdIg6cGOx+mFo1MzS\nVgEePpJj/PECZpH9PQPlv/FrkHa7zC/Fi0BOPposmuQgOUTq3sA5TLYNqPOH2Yn9\nHeQCGXpIeM08Pa3BOQRWDYM2vZPZpf3cBB7VK9zmcGEdE3NZxoBG\n=p1XC\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file 
diff --git a/machines/fanny/secrets/ssh_host_ed25519_key.pub b/machines/fanny/secrets/ssh_host_ed25519_key.pub new file mode 100644 index 00000000..340ddd9c --- /dev/null +++ b/machines/fanny/secrets/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc root@fanny diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix index 6174bf33..7911beba 100644 --- a/machines/modules/disko/default.nix +++ b/machines/modules/disko/default.nix @@ -102,7 +102,7 @@ in mountOptions = [ "umask=0077" ]; }; }; - encryptedSwap = { + encryptedSwap = lib.mkIf cfg.encryption { size = cfg.root.swap; content = { type = "swap"; @@ -252,6 +252,10 @@ in type = "zfs_fs"; mountpoint = "/data"; }; + "encrypted/data/microvms" = { + type = "zfs_fs"; + mountpoint = "/data/microvms"; + }; reserved = { # for cow delete if pool is full options = { diff --git a/machines/modules/host_builder.nix b/machines/modules/host_builder.nix index 772ce49f..d1fc74de 100644 --- a/machines/modules/host_builder.nix +++ b/machines/modules/host_builder.nix @@ -70,6 +70,13 @@ rec { proto = "virtiofs"; socket = "var.socket"; } + { + source = "/var/lib/microvms/data/${hostName}"; + mountPoint = "/data"; + tag = "data"; + proto = "virtiofs"; + socket = "microdata.socket"; + } ]; interfaces = [ 
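Review bot: With `encryptedSwap = lib.mkIf cfg.encryption {` the swap partition disappears entirely when `cfg.encryption` is false, even if `cfg.root.swap` is set, and nothing in the hunk provides an unencrypted swap for that case. If that is deliberate — no swap without encryption, so page contents never land on disk in the clear — a comment above the attribute would stop the next reader from treating it as an oversight, e.g. `# swap only exists with full-disk encryption; unencrypted swap would expose paged memory`; if it is not deliberate, a plain swap branch for the non-encrypted layout is missing. The `encrypted/data/microvms` dataset in the second hunk carries no options of its own, so it presumably inherits encryption from its parent `encrypted` — confirm that is how the parent is declared, since that declaration is outside the hunk. Both enclosing attribute sets start and end outside the hunks.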
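Review bot: The new share sources `/var/lib/microvms/data/${hostName}`, but this commit only creates `/data/microvms` and the symlink pointing at it (tmpfiles rules in machines/fanny/configuration.nix); the per-host subdirectory is not created anywhere visible, and virtiofsd needs an existing source directory, so the first start of a microvm would presumably fail unless microvm.nix creates share sources itself — worth confirming. If it does not, a tmpfiles `d` rule for `/var/lib/microvms/data/${hostName}` with owner and mode matching the other shares would be the fix. This share also has no ownership mapping — virtiofs has no equivalent of the 9p `securityModel = "mapped"` used for the `/var` share in vmMicroVMOverwrites — so guest uids are written through to the host directory as-is under virtiofsd's defaults; a short comment saying that is intended for `/data` would help. The `shares` list continues outside the hunk.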
@@ -98,135 +105,135 @@ rec { inputsMod = inputs // { malobeo = self; }; - vmMicroVMOverwrites = hostname: options: { - microvm = rec { - mem = pkgs.lib.mkForce 4096; - hypervisor = pkgs.lib.mkForce "qemu"; - socket = pkgs.lib.mkForce null; + vmMicroVMOverwrites = hostname: options: { + microvm = rec { + mem = pkgs.lib.mkForce 4096; + hypervisor = pkgs.lib.mkForce "qemu"; + socket = pkgs.lib.mkForce null; - #needed for hosts that deploy imperative microvms (for example fanny) - writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store"; - volumes = pkgs.lib.mkIf options.writableStore [ { - image = "nix-store-overlay.img"; - mountPoint = writableStoreOverlay; - size = 2048; - } ]; + #needed for hosts that deploy imperative microvms (for example fanny) + writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store"; + volumes = pkgs.lib.mkIf options.writableStore [ { + image = "nix-store-overlay.img"; + mountPoint = writableStoreOverlay; + size = 2048; + } ]; - shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ] ++ pkgs.lib.optionals (options.varPath != "") [ - { - source = "${options.varPath}"; - securityModel = "mapped"; - mountPoint = "/var"; - tag = "var"; - } - ]); + shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ] ++ pkgs.lib.optionals (options.varPath != "") [ + { + source = "${options.varPath}"; + securityModel = "mapped"; + mountPoint = "/var"; + tag = "var"; + } + ]); - interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ - type = "user"; - id = "eth0"; - mac = "02:23:de:ad:be:ef"; - }]); + interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ + type = "user"; + id = "eth0"; + mac = "02:23:de:ad:be:ef"; + }]); - #if networking is disabled forward port 80 to still 
have access to webservices - forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [ - { from = "host"; host.port = options.fwdPort; guest.port = 80; } - ]); + #if networking is disabled forward port 80 to still have access to webservices + forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [ + { from = "host"; host.port = options.fwdPort; guest.port = 80; } + ]); - }; - - fileSystems = { - "/".fsType = pkgs.lib.mkForce "tmpfs"; - - # prometheus uses a memory mapped file which doesnt seem supported by 9p shares - # therefore we mount a tmpfs inside the datadir - "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce { - fsType = pkgs.lib.mkForce "tmpfs"; - }); - }; - - boot.isContainer = pkgs.lib.mkForce false; - services.timesyncd.enable = false; - users.users.root.password = ""; - services.getty.helpLine = '' - Log in as "root" with an empty password. - Use "reboot" to shut qemu down. 
- ''; }; - vmDiskoOverwrites = { - boot.initrd = { - secrets = pkgs.lib.mkForce {}; - network.ssh.enable = pkgs.lib.mkForce false; - }; + fileSystems = { + "/".fsType = pkgs.lib.mkForce "tmpfs"; - malobeo.disks.enable = pkgs.lib.mkForce false; - networking.hostId = "a3c3101f"; - }; - - vmSopsOverwrites = host: { - sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml; - - environment.etc = { - devHostKey = { - source = ../secrets/devkey_ed25519; - mode = "0600"; - }; - }; - - services.openssh.hostKeys = [{ - path = "/etc/devHostKey"; - type = "ed25519"; - }]; - }; - - vmNestedMicroVMOverwrites = host: sopsDummy: { - - services.malobeo.microvm.deployHosts = pkgs.lib.mkForce []; - microvm.vms = - let - # Map the values to each hostname to then generate an Attrset using listToAttrs - mapperFunc = name: { inherit name; value = { - specialArgs.inputs = inputsMod; - specialArgs.self = self; - config = { - imports = (makeMicroVM "${name}" - "${hosts.malobeo.hosts.${name}.network.address}" - "${hosts.malobeo.hosts.${name}.network.mac}" [ - ../${name}/configuration.nix - (vmMicroVMOverwrites name { - withNetworking = true; - varPath = ""; - writableStore = false; }) - (if sopsDummy then (vmSopsOverwrites name) else {}) - ]); - }; - }; }; - in - builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts); - }; - - buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules { - modules = [ - (vmMicroVMOverwrites host { - withNetworking = networking; - varPath = "${varPath}"; - writableStore = writableStore; - fwdPort = fwdPort; }) - (if sopsDummy then (vmSopsOverwrites host) else {}) - (if disableDisko then vmDiskoOverwrites else {}) - ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [ - inputs.microvm.nixosModules.microvm - ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? 
services.malobeo.microvm.deployHosts) [ - (vmNestedMicroVMOverwrites host sopsDummy) - ]; + # prometheus uses a memory mapped file which doesnt seem supported by 9p shares + # therefore we mount a tmpfs inside the datadir + "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce { + fsType = pkgs.lib.mkForce "tmpfs"; }); + }; + + boot.isContainer = pkgs.lib.mkForce false; + services.timesyncd.enable = false; + users.users.root.password = ""; + services.getty.helpLine = '' + Log in as "root" with an empty password. + Use "reboot" to shut qemu down. + ''; + }; + + vmDiskoOverwrites = { + boot.initrd = { + secrets = pkgs.lib.mkForce {}; + network.ssh.enable = pkgs.lib.mkForce false; + }; + + malobeo.disks.enable = pkgs.lib.mkForce false; + networking.hostId = "a3c3101f"; + }; + + vmSopsOverwrites = host: { + sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml; + + environment.etc = { + devHostKey = { + source = ../secrets/devkey_ed25519; + mode = "0600"; + }; + }; + + services.openssh.hostKeys = [{ + path = "/etc/devHostKey"; + type = "ed25519"; + }]; + }; + + vmNestedMicroVMOverwrites = host: sopsDummy: { + + services.malobeo.microvm.deployHosts = pkgs.lib.mkForce []; + microvm.vms = + let + # Map the values to each hostname to then generate an Attrset using listToAttrs + mapperFunc = name: { inherit name; value = { + specialArgs.inputs = inputsMod; + specialArgs.self = self; + config = { + imports = (makeMicroVM "${name}" + "${hosts.malobeo.hosts.${name}.network.address}" + "${hosts.malobeo.hosts.${name}.network.mac}" [ + ../${name}/configuration.nix + (vmMicroVMOverwrites name { + withNetworking = true; + varPath = ""; + writableStore = false; }) + (if sopsDummy then (vmSopsOverwrites name) else {}) + ]); + }; + }; }; + in + builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts); + }; + + buildVM = host: networking: sopsDummy: disableDisko: 
varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules { + modules = [ + (vmMicroVMOverwrites host { + withNetworking = networking; + varPath = "${varPath}"; + writableStore = writableStore; + fwdPort = fwdPort; }) + (if sopsDummy then (vmSopsOverwrites host) else {}) + (if disableDisko then vmDiskoOverwrites else {}) + ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [ + inputs.microvm.nixosModules.microvm + ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? services.malobeo.microvm.deployHosts) [ + (vmNestedMicroVMOverwrites host sopsDummy) + ]; + }); buildHost = hosts: (builtins.mapAttrs (host: settings: nixosSystem { system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux"; diff --git a/machines/modules/malobeo/peers.nix b/machines/modules/malobeo/peers.nix index 787cabf8..febf4c5f 100644 --- a/machines/modules/malobeo/peers.nix +++ b/machines/modules/malobeo/peers.nix @@ -30,6 +30,13 @@ publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y="; }; + "hetzner" = { + role = "client"; + address = [ "10.100.0.6/24" ]; + allowedIPs = [ "10.100.0.6/32" ]; + publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ="; + }; + "fanny" = { role = "client"; address = [ "10.100.0.101/24" ]; diff --git a/machines/nextcloud/configuration.nix b/machines/nextcloud/configuration.nix index eea2e2db..a2cacdf9 100644 --- a/machines/nextcloud/configuration.nix +++ b/machines/nextcloud/configuration.nix @@ -37,6 +37,7 @@ with lib; hostName = "cloud.malobeo.org"; config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path; #https = true; #disable for testing + datadir = "/data/services/nextcloud/"; database.createLocally = true; config.dbtype = "pgsql"; configureRedis = true; 
@@ -55,6 +56,12 @@ with lib; }; settings = { trusted_domains = ["10.0.0.13"]; + "maintenance_window_start" = "1"; + "default_phone_region" = "DE"; + }; + phpOptions = { + "realpath_cache_size" = "0"; + "opcache.interned_strings_buffer" = "23"; }; }; diff --git a/machines/nextcloud/secrets.yaml b/machines/nextcloud/secrets.yaml index 0327a086..01c7c151 100644 --- a/machines/nextcloud/secrets.yaml +++ b/machines/nextcloud/secrets.yaml 
@@ -8,60 +8,60 @@ sops: - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqSk9GWktrZ3FsRHpOcTJp - Y3VWMytTRlhxVXJma1puT1lMRTN2NHBNV2xrCi8xYTFWeVN6RWl0Um9mZXpoKzFh - SjVFcGJRNlhkVUZQYXpEb0EwYzUvUjQKLS0tIGEvdGdMRGxvcndxMllZTWZqKzg1 - aWlJOTdYV1JMM0dIWEFDSHRuQWdlcVUKsdwGZ3SkJEf4ALDhHUlSQJNKrFyWd7fW - WTGk66NJ2yD8ko/6OyB9J9U0WPbFLgr972H+klBq/IDmOx0hClbYNA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cFBEempENHlXNnhNb1d5 + UitGNFliTDliZUdCSVBPRUVEWDc1Skw3N2xvCkFoL01DL2ZmWHhoMHV4TGdhaFdH + bG9XdUQ4ano4VjRxVTloNnl4OHJ6dkkKLS0tIDJvK2ZjNVhYZ1FkQTVWWjBhSFlt + R1Ixc3pWNFMvUVl0M1NsZ0txRXFMTkkK5aDgbCd13gAfZUrROnwRHgyXvIF67o1W + EzEFyhWatq2KKzv6VoJSFnvEx5lMPSs0LLvOK2qgrsz0jWdy6yUkAg== -----END AGE ENCRYPTED FILE----- - - recipient: age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr + - recipient: age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNzdib3Ztd0g0MlVqYVF6 - cUtjZzEyY2FJYVRoT1p5RlJwYVQwUXVOUkNVCkp4V3hMYlJsaVN4RjlwQXNWS1Jt - aitzWVdOcUdrNHorenZGZU1iWFZzVjgKLS0tIGNGcTU5OUJLM3VzQk1uODFwS1hO - WG16Y25tMDkreGFnSFRKN1AybyttYWcKcLHJScp2Ozh0jIdi7Hb/tSjaCGorqXaC - 9DIrQPHbPP1RIc6Ak8Kn30/BHEWV3VaiBCT3vfS9pNJQNjB4T+901g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc3BSNVdqSTNYZSt4c05K + TnpuYXF1L2lzQkdZOS9uUnA5aUpGTldWZVQ0CkZvN2hubmwvUW5xUWhtaE0xMzlp + U3dpRHlmdU5UVG1nTS9XUVpTSjdQQ00KLS0tIC9sWTBOMStOYis1SDhLbjFlVk1F + M2dYNEpmWmxyeXU5S0FuV083NkVaQ3cKXuGyR0YQy+22z2kgM7IPhr0gurWQYczm + FA7C/2hoqb4tyyejomitndBSyxIxnaReO0Apl6JXeTLor8Dpuu42oQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-26T20:00:50Z" mac: 
ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str] pgp: - - created_at: "2025-01-21T21:04:08Z" + - created_at: "2025-02-19T14:34:54Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv/ejIylIgs3yeVcZriQTA8d/xyXTdFw6On422lTCDk3d0W - GOdV44vAzUzNX5tziQtLjectLUrKh9Qb9WaP4VnTCGI0XJ/dEtYRCkYMx8MjjbLl - 8GqFi3Hw958Uykp9wt0iiP6BQ42Fo77EPxVcn21eHKZY0zg/vaeRXXeXSzkjzANs - NN/KFS06uFRJhmp+0z6hDRrHnpb0wd5JGjHOp96jK9LmpwfZZZlVpAHp04hOhlPV - cMmdjg9IRSubvbraTbDrgwB0h3JKdqovFDnAP/KvT+rw5xnVUVMq/3tUNq4MbfZb - CvQrXsjQJQbEhY+eAJZVRO07kX0+zMvIin4ss7Xt++qlo4/OvFvuGbnUhJE+hrBb - nkyGhbDrjpsfa3djCEZ0UxMAWtPeIQ7T8QMkGY+UKeJKxfOGSchARnfCtGD/rtsj - wuhqGya7g7WP78WzwASzlPwB5jpdQ29/zLWXR60lNCYu0UYSVYmlspZnKEB0FkLO - TNUrwXXMrM0XwMVaG/sF0lgBEPE6CTuE85evCHFyu6zhEAa7YimKAPIowcwYLSJ2 - 46KfttJAYnRnb68Kk9N5xcFyvhKyTx/6eMdxkgr2LMoSTBDUgZfG3rDQC+ZbFE3m - bUOvx3Ho80EC - =oQd6 + hQGMA5HdvEwzh/H7AQwAkNhF9L1ocTsJRDyIA+0y24gtvRKAZhSRwds2wvTiBkPS + jzse8z4wY2yWz/JbEgqJqeFxJCaE64oc+2dETJIl2IsiRBDlXKfpL4yfRV+P6Ffu + DQfAR57hKIYa9emx+iFGoDMpRSuuLg4EGDoe1tmAu2OwLhKsqJrbL1ak88GB7/ko + gFk02AF/QYuEetc7R0pZPxB6n1HQGBrvqAFrnHEsxw2rR7I4kNYpEzyf0IuGHfB1 + 92WfYtdYSni7cqmTPV+t+k6P1VcJe6GXdlQnHk2pByqC2WrcrP+MtaAMkmWqxU72 + AGarWEV2bnXmBsM5LcOQF6Mbui9tpEBE0O3lMlzUNXoVYHpOczlqdWkqh/y3Ea8V + bnHcaLQ8XubRyccK4JYZ4AIMJVPlVcnXdjZ4VFJwjRzGrllorq4x8L0niv60HV/g + akxsjW1DPnJURNFacT3JYF+PsN+hpj/ma2k8qUTX5wFVJy3Gm0psVYqE5901ivBA + yg7mfiftchDvIeGQR8tE0lgBZrJbf/SjpVdawq7DORFVxkaNeoSAxOkCnqZ5kc7C + w6zfxABWvwz73QM0AqfNzjkyswGk7N/09Zpj4BvjbbYuAfvIdiVVDHRPez/qWjnB + vkt9aLXFepLl + =4LVt -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2025-01-21T21:04:08Z" + - created_at: "2025-02-19T14:34:54Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hQIMA98TrrsQEbXUAQ//eu7YkPL7dU4AYWCZI7THsiJ51SOMahOXp/qC5yL18aZY - r4SpyNhFezGIJfMuhwBSZZBI/MNW6M+zMwIJ2wkioxUDnDvfVi10/cV6p85U75Jn - 59e1afN+eekG2DCI6sWPmLy8jmYh4CQRdEurtfzquDOARZ4IHZjotP5AWI8OPHlM - FdK2jGXFVevQY0m619CNm78D2NEdlGe1QtLVSazWQ8MsDLfMnHTYFUy3EoSihzat - QkcR//8whzlLT/NcqKlnBDNBU7FvPov+ZdUmIw1mx2wp5f2sGp4m737Yhoey2aFL - qLXHDc91nVRcw95FBDNYlSH8a2AzT4sm4vFR5EkC6vrfz+v1pdg1Fc3dc++hPgE0 - MYWn6f4v8lDhPhw2kpmAP4Oz4uPdmPgdfXKiIzr7qf3O5lIC6ZIIwoqhj2f0odj6 - 7anDUN5C3B5ruFU3UNJEBLrZelbmg4zf2hAtzfoi0L9paIZX5SCLP3PDbvdRbADc - oyC3Gw/DeddQ9ZeP+wYiwJ/614zRBmZRzQr9RFowf0gJBSS7TaWPCONfUJ/3eekX - or8JpLTD5PMQNoS0L4S41Cj+yOg/AlmHF/9yvj1GVTKT9rBj3Snki9NOmY2ZUQo3 - BDdnsftA3w4q4iu06ojQkrjn/FJjmNzb83XR2WxrHFUAaY//nISyY/9uTsEhwFbS - WAFlKfmyVc7nLBI12i0yWLLy/tcVF3c8gtGfNmyoe/RIr+6EQmzUi0v+X49Tnzpj - 8JAnE+4Jzm2ijqF4Ats5KoXqFiLUenJZQHJ3IFoI36n+hM4P/ICeZ4k= - =s9pl + hQIMA98TrrsQEbXUARAAmoHJ3i2vABDamIF3Nj6uuawarW+KKjzrIfYvAmWW4fgz + zVAquTl1Oculhv+H4eVuylNUM5kwyCkM/VAxy3KoSNZn6aGZVDuns70r9lbNC1R8 + +diYAIe33rE3h6/Rw74RgOXUgNalONeoBWbIUuG+y9XOIfu7CBoUeGJct4ycYH0h + bn5iI0e4myDldmSc7OYnyruQMYg9OcKBnQPTZl1qzTqpwR6/BnIhWJcItuc3W5rv + aEunQ8lVyNxhGWMDwFucUJ2WbxkOFOFWPrLGXtsUg/I32aCUNR6X/HnYUezqCoSA + SFJAsaPkBr07o5Be5D03m0s5ryktQUdAElyDaz2Sgc58re9mtYKBAf4P4fKD5Zx+ + TJJGr6dmtb28Nxb5mbMroKbTit92NHHatXfz/YrZ1JyCHuINZ5Sq01TGhx6y71Uj + 0Afq3S2la+85UYRsQ5g9q6jM8rBHjm9AdcUkWA1chtn6elAUG8J0B+DUYYwcrMtp + YWFaKNHT09FRn4TcgE50Wgn9lX2RZ03viBbgCvDBLh3fmzl+dU1DsFdwuYmbgOeO + B6SQ2+SF3VVR7vAn4oPKydztCfYmb+38sCQl/FtZdP1RRW150fXtUx7aAzWGsLhq + AObrNp0uMeCBHtpWctwFR1qssfRD3DHkI59MqoGK7ehDtBS6hzayjJp8sTiqCTzS + WAH/vMH2cvGN3q9mr73bBqHBxAL+ANWxrDvQmM4xwbLxET24ULnsC35bn4psWjTN + Y3aQqzhaZdYOki09fLENaYl6BMeIcfBx4qUrgfQKLUNqGV5fvVuXJUc= + =/V5O -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted diff --git a/machines/secrets/keys/hosts/durruti.asc b/machines/secrets/keys/hosts/durruti.asc deleted file mode 100644 index 5891c555..00000000 
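Review bot: Replacing the age recipient (`age1w07s4y2…` removed, `age19mn55pz…` added) only re-wraps the sops data key; `mac` and the encrypted values are unchanged, so the plaintext secrets are the same as before and the previous revision remains decryptable by the old key from git history. If the old recipient is being retired because it may have been exposed, rather than just regenerated as part of the new host-key workflow, the secret values themselves should be rotated as well. Stating the reason for the re-key in the commit description would let a later reader tell which case this is.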
--- a/machines/secrets/keys/hosts/durruti.asc +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBAAAAAABEADh28tGiUsmPPbsQYKSi9WiI4UCPO4qd7hEoER34Ku5w+kpy1MI -ymJHNlZODjrjvznRidyYt+1vpED941LawzsujBV7pSfIBY0cQWYTbF/euuQFJYxN -sBLG4kek5IhdnIsav2f7fMv6Rhfkau7p20AYkWUkpoUxBJTxixIkxrO90ODSzMMe -tLI9MnqPcMASy6dbAGKXSABaYi9bwggIgyYHNaXThEuEAWPMPMMj8Wlo0H0X/B9O -UEOHSA4N3TBKJXuDhsKgUo6ADLAA5op+YG+JtAdvdjW0XxtDamLkkrEx/fsYWsn2 -LjiX7z6cCQjYy+GG6LV82cavyF9sBAs8kEl4AVXVYsaB0g99rpY91EYLAD2Ddh4d -lHPwPVQ52Ht3QeEPAsqeXRh+gZOp/xx6EJXXaH7aorXoWlbUFcCnTTEFAM0HibZg -ChZEX+pl9RxdPeIwU4kd9LxNygDwp4YhdJzbcpHkp7RrkHJHgmAxUEVCxZfw/P2c -GDIBHQSS4FZ5PIhh+aejYCo4BrisGuAjwlaH26BRNraM8EImaLwLuQZ1TOWm97tI -BEI0JFscrTi2RSPgDCg1Cu78ocbcpqC3cRclXzRohvp83NpWnAQFCAdNaTttQsio -lQTXxmJlaeo/0vHAN+Llukchh6sFzzNP3v4B8vLvdXkE3s5XYxJungblTwARAQAB -zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQWRHe9aQhhWcCGw8CGQEAALRQEABVEYsIn5zGV84caxE/LXN7 -7nDsUEyo3lCetStM7JT7uDdMl5t33pUAIbm4gv6/BrvVZ6pBtPfTrVrTKKDornKJ -VU/tKims+CbnuPUIbOmuXcPbQIa/IF4WVop8XJTzMOSW636/eH1D2VTLI8Jmw35s -qDmqx72hISUBGCszTJkThp8xUFMW5NcJc6zGB9I4vdac6Sf6yuZqmdfDm0MzcvmA -tDASc6ZLeffPkJxUA+x2WouAYkfdV1CdVS6ob6owrSza/T+wQ3DgzO5AVZ31HXTa -gDkVIBgdZYR2H8IaaTetb4m2+SgdXr7s9WCOR2i8DiSKpnUAJKoVIOl6pBd13jCu -PHQzkKq6kqn4bRYCZil3fKDB90mVDIyixJJCt//VA5y9Tgggp9o7a+l35I9hCJ2F -6AYtpfXkTbI9wqmk33TJX2litqqPZkhEERv25UDvnZ7Mm0my9QXJZ1Fp1nRLIKZg -VABDS/wIB1QHtOldDLMeRD7Fnrnjgnyuk4/HmCem0wFDPHDo/ppa2QtCUk1xxywu -fa7hs/oDVUMsofpDm6Ls4IgFXbSD9GUTDdB+UvZi5vITaZ1f1QLcrShhSUHkLIpc -65Fj79r9cdHKdUhnM2+pTuVM6Az3huMkZ+abgjSHWSni2njowRUd2P7pG+ZhaUk3 -Rj7jxxXh1KQ7X8Rbbce8Mg== -=sb6Z ------END PGP PUBLIC KEY BLOCK----- diff --git a/machines/secrets/keys/hosts/lucia.asc b/machines/secrets/keys/hosts/lucia.asc deleted file mode 100644 index 8fb56b40..00000000 --- a/machines/secrets/keys/hosts/lucia.asc +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBAAAAAABEAChmMEXC6TjRtYAHk6CsrnP0LFd1vOuH4+QSalj9fCaCpYVEStP -u9EtW2DK8kSBdo8DAngzsMFt9PoSLcPcB00s9R6EACVuOn8nTVkyYtO/8hWJVexI -G3SB/u2a+MYC2QEtw3Exzleexx3EkZywAzGWzJXpajMbGsfvssXl96xb7jxrxdNv -Msx9t2RJGADSG6Vx1+A5UmFwITkGpn6wjvQXLvkim4ZHRzX588vgz/IdJ6yqOeeV -v0VyVNTPfXkDO2urxRgZ5TG9wE5v9OKFofooR5T1rB/khW2jMoqavLWeRVCqVpmp -MQ8VMkJzEoP7RX7vAAgCbVrTe55sMmXa9gtXo50wz6lHYHnepff6FuquS7szH7Ja -lRnvx6CR1FwWIGhef/kxmNQKr2Mt3V7riFmv0bkR8ttI5uyGposeWfY1T6iJfxic -duIYXrV11T6fWOEUh80aRz+8E46LFv4sGZjTOvHWrnetKNweuOC9/yaSDkEr35sM -xVffS0wNGclhxl860qBCbhG/X7YYZs5sFHsRnsb7rvTCP8LtGhrjybE/b4WuGRCU -rEftVOBe4NSwlsdmRVl5Cyk/ZkJncrUwlaH6laCjBfldQcdxAHzdzPZQhOmBaLkF -1l0EpteSbEsi3CS2rkkriSsZ+nZwaccTa6+B6twrRmGvcBrZXlsugsdDSQARAQAB -zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQvNUtHtVQM9sCGw8CGQEAAGIaEAAoWuyjinNk8ovTAH+TjKWK -UD4WXwt5OJ8l3FJPpecZbhTaBrRdlLzY1tlKzwd8c69QVOoqk83Rv4Fep9b8EFQ5 -U2bTtXLm/wINSetjf6vlLYxEPNKVzGtk8ejw32NPnJVsGeXNazlcJaR2jRW4kMcj -A2b8aeUKxnLaoZYiCLZGvyvuB7oj/nIX7iuaIDHKR9oVyQOekeYlg9R92wKCZDiF -1USoknPO2cSYFZpDM6tmIjkOoEgnwEZqzwI7q5dXz/mqp86XeMJWFkyTRhPT6Hiu -iS/5wDsFJi7wgl4Jr6bBWFaHeBVSTJIwkoahxpM/qVYAYINgLO9erxMkmX5lRzxs -NC3LsqQ+L5Isx96AXaZWf+IOYgN8nB3bsQqvlqbvMIUE3wkxg7oeNzDzvgxQM/Tf -AC6zYHiGrs7WS6+ojx2flJnWA7mrOllimv5pTTUBtA7gh1JN9aUzzBjvF0LlzN1O -DLyxu1PsIazI1eklUm0ljyOoqBnOrDZoC4Kz70pguDGDvipCAJWjG9SjXDwXGAA0 -sUhnebh2HPZYj73xDIrbgkg+79n6U5UuewUFwDQfE8VFDp62s1s9haCRUKU6uwiL -i31OKOkDcYSyx/3/VvaT3lT247VERDw/5yVYrrhQwxS4WSabX8gz6qfKB4bi/HVs -lX2duwzSRzuytZCKKG+fdA== -=VTby ------END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/machines/secrets/keys/hosts/moderatio.asc b/machines/secrets/keys/hosts/moderatio.asc deleted file mode 100644 index 4ff84050..00000000 --- a/machines/secrets/keys/hosts/moderatio.asc +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBAAAAAABEACm+W5sGSC25OtlwQdOBCSfX2DnPuk5abjxY5HMIv3MnySouXpW -L3VoE6Irur9lZwfKrXaUweJPJHVo/Sfknh9GSBCW6yFFcGZ5nNx/QNdbfjOSaUw2 -0BkW1CYRVcLIKSHpepbTDHBxgKaCYsmupptFQ0Nzx19PPMV/WBqrkSlEpDJyq9y6 -cTaGulRKWBVDytMFmibhGlqpfEI8bzrxaeGTqiRTZJqL3zDDi2afDt1kJeCXKd32 -XOywDZgB5CinY3qsR45ftC6mZ5fV+ex3M/Uc4YJiVgwg6GlSdiYW9Mqf4koqpLCq -Xq3ztEo9FjFen7KmAcLstFmzY3fAXGIJzb0CfvVrM32wsdC6NRDINdMBmrOeKXT7 -g45n0LOdCFr4AOKyABqMudbKrgF9txHt549oaQ0wHCy1nStji1OpbhdpCKDFKPnl -ojG1Nur9DPRFmQ01I3KIjvCrf8J+CgI5YVwOr+m5Zw3i/b0qd+9R/8oAmzhhuyt7 -kckSVTCjNzsDgjjOa8FVQJremTdkQuWOlx0HxC3aQdSoPxOfpeUhybfttNpvUuta -5EbsiS/PJfzMOtZDG++naKO/xGJDiaYDhW1ZeGI2fOFUm4RYHqCFES32XF4ygpGq -wz2bZNKKSf4lxoD1+SBqOyd1eN3u8GmX8OgUB3TpgEuQb/XL31zDKCZ7pwARAQAB -zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQj5s8BYqm1MICGw8CGQEAACMDEAAFko8JYC1zGt5rFKokXGbs -K331UHReN02QpdL8fhMt0Rqoh1FKt8Sr8lzCLPNOnlgxSG5lXmA3dFfWAnFrNw5T -1u1oU0sB+CiekyWXJxTASur1g3DtLv6qA19Uw4i9bu57LK5E0ycoI3RnR+YbDri0 -psPNP01x7NBO42O71rnBypGbCPXnLOAaKq+ISCN+XCZBkmjKhcWJlg5DJfUGCEdr -DCKi/1j5mgs8H3sUrc5Y4gLz3BWuypAGWhQr/KDAcmCm/u0ZfzVyrxw50eMuzeF7 -GfePPI70nXjUlywuFUFg7EWlCT6sRtZf+o4jkXcwGpZLx2/rdZ9J2I4VmYakBVpA -2OQwi47YAFe1wz+nsF3fImuGQdHu0x0sFLbuJaSJCOVYhMcZhskRygqqI+wEvDF1 -i7SYzi5Xt7rJrSaqGhAzlg1Cc8wzMhoCE/IU5Hd55OtbvRwZ2JKH+UAl/L9Qizqy -AM7nSrUjA5p4H09PMuKGmCEcZDKpH2huAeqmtGQ626edE2WNduE2jCdAIcN263PX -1+TIe4IRLhtmTKqfJgbzrt0cSIAsuvI8s78ehsP2eNANdkQjzBAaEiOo75G/g+sd -tWl8gxOhrPKkb07KqcPEfXq4QYk7kV+pWuA2yMiTX5A+oy8gVFBxUp+zbjYeRuW8 -cpHyvbDvdnQ5LGNC/v0rdA== -=Rmch ------END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/outputs.nix b/outputs.nix index 62c922f4..4f341e6c 100644 --- a/outputs.nix +++ b/outputs.nix @@ -39,6 +39,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems pkgs.age pkgs.python310Packages.grip pkgs.mdbook + pkgs.ssh-to-age microvmpkg.microvm ]; 
@@ -49,6 +50,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems legacyPackages = { scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh); scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh); + scripts.add-host-keys = pkgs.writeShellScriptBin "add-host-keys" (builtins.readFile ./scripts/add_new_host_keys.sh); scripts.run-vm = self.packages.${system}.run-vm; };
diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh
new file mode 100755
index 00000000..df94d2f6
--- /dev/null
+++ b/scripts/add_new_host_keys.sh
@@ -0,0 +1,51 @@
+set -o errexit
+#set -o pipefail
+
+if [ ! -e flake.nix ]
+ then
+ echo "flake.nix not found. Searching down."
+ while [ ! -e flake.nix ]
+ do
+ if [ $PWD = "/" ]
+ then
+ echo "Found root. Aborting."
+ exit 1
+ else
+ cd ..
+ fi
+ done
+fi
+
+read -p "Enter new host name: " hostname
+
+if [ "$hostname" = "" ]; then exit 0
+fi
+
+pwpath="machines/$hostname/secrets"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"
+
+mkdir -p "$pwpath"
+cd "$pwpath"
+
+# Generate SSH keys
+ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
+ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
+
+#encrypt the private keys
+sops -e -i ./$hostkey
+sops -e -i ./$initrdkey
+
+#generate encryption key
+tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
+sops -e -i ./disk.key
+
+# Info
+echo
+echo "Hier ist der age public key für sops etc:"
+echo "$(ssh-to-age -i ./"$hostkey".pub)"
+echo
+echo "Hier ist eine reproduzierbare mac-addresse:"
+echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+
+exit 0
diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh
index 277f5194..4d24adcd 100755
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
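Review bot: Both `ssh-keygen` calls use `$host`, which is never assigned (the prompt stores the name in `hostname`), so the key comments come out as `root@` and `root@-initrd`; they should read `ssh-keygen -f "$hostkey" -t ed25519 -N "" -C "root@$hostname"` and `ssh-keygen -f "$initrdkey" -t ed25519 -N "" -C "root@$hostname-initrd"`. The name read from the prompt also goes straight into `mkdir -p "$pwpath"` and `cd`, so a value containing `/` or `..` creates keys outside `machines/`; a check such as `[[ "$hostname" =~ ^[a-z0-9-]+$ ]] || { echo "invalid host name" >&2; exit 1; }` after the read would prevent that. Because errexit stops the script if any `sops -e -i` fails, a freshly generated plaintext private key can be left behind in the working tree; an EXIT trap that removes `$hostkey`, `$initrdkey` and `disk.key` when the encryption step did not complete would close that window. Finally, `#set -o pipefail` deserves a comment saying why it is off — presumably because `tr` exits on SIGPIPE once `head -c 20` has read enough — otherwise the next reader will re-enable it.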
@@ -25,6 +25,9 @@ fi hostname=$1 ipaddress=$2 +pwpath="machines/$hostname/secrets" +hostkey="ssh_host_ed25519_key" +initrdkey="initrd_ed25519_key" # Create a temporary directory temp=$(mktemp -d) @@ -39,12 +42,13 @@ trap cleanup EXIT install -d -m755 "$temp/etc/ssh/" install -d -m755 "$temp/root/" -diskKey=$(sops -d machines/$hostname/disk.key) +diskKey=$(sops -d $pwpath/disk.key) echo "$diskKey" > /tmp/secret.key echo "$diskKey" > $temp/root/secret.key -ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N "" -ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N "" +sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname" + +sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd" # # Set the correct permissions so sshd will accept the key chmod 600 "$temp/etc/ssh/$hostname" @@ -60,4 +64,4 @@ if [ $# = 3 ] else nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \ --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress -fi \ No newline at end of file +fi diff --git a/scripts/unlock-boot.sh b/scripts/unlock-boot.sh index 347f260a..b0d82706 100644 --- a/scripts/unlock-boot.sh +++ b/scripts/unlock-boot.sh @@ -2,7 +2,7 @@ set -o errexit set -o pipefail sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T" -HOSTNAME=$1 +hostname=$1 if [ ! -e flake.nix ] then @@ -19,17 +19,17 @@ if [ ! -e flake.nix ] done fi +diskkey=$(sops -d machines/$hostname/secrets/disk.key) + echo if [ $# = 1 ] then - diskkey=$(sops -d machines/$HOSTNAME/disk.key) - echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root + echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root elif [ $# = 2 ] then - diskkey=$(sops -d machines/$HOSTNAME/disk.key) - IP=$2 - echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root + ip=$2 + echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root else echo 
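Review bot: `sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"` misspells `sops`; the command is not found, so the initrd key is either never staged (if the script runs with errexit) or staged as an empty file, and the line should be `sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"`. The decrypted host key is also written by shell redirection, which creates the file under the default umask before the `chmod 600` on the following line; wrapping the decrypt as `(umask 077; sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname")` avoids the brief world-readable window for a private key. The enclosing script continues outside the hunk.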
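Review bot: In unlock-boot.sh, `diskkey=$(sops -d machines/$hostname/secrets/disk.key)` now runs before the argument-count check, so with no arguments `$hostname` is empty, sops is asked for `machines//secrets/disk.key`, and `set -o errexit` (line 1 of the script) aborts before the usage text in the else branch is printed. Moving the decryption below the `if [ $# = 1 ]`/`elif [ $# = 2 ]` dispatch, or guarding it with `[ $# -ge 1 ] && [ $# -le 2 ] || { echo "Usage: $0 [ip]" >&2; exit 1; }` first, keeps the usage path independent of a secret being decryptable. The if/elif/else block continues into the next hunk.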
@@ -37,4 +37,4 @@ else echo "Usage: $0 [ip]" echo "If an IP is not provided, the hostname will be used as the IP address." exit 1 -fi \ No newline at end of file +fi