From 1f9d39b53d0450bacc28bc1bef905f7ff51af563 Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 28 Jan 2025 14:56:09 +0100 Subject: [PATCH 01/29] [malovpn] add hetzner --- machines/modules/malobeo/peers.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/machines/modules/malobeo/peers.nix b/machines/modules/malobeo/peers.nix index 787cabf8..febf4c5f 100644 --- a/machines/modules/malobeo/peers.nix +++ b/machines/modules/malobeo/peers.nix @@ -30,6 +30,13 @@ publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y="; }; + "hetzner" = { + role = "client"; + address = [ "10.100.0.6/24" ]; + allowedIPs = [ "10.100.0.6/32" ]; + publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ="; + }; + "fanny" = { role = "client"; address = [ "10.100.0.101/24" ]; From 896f355ad0cdf3b40ae610c7e59271af41194246 Mon Sep 17 00:00:00 2001 From: kalipso Date: Wed, 5 Feb 2025 16:32:18 +0100 Subject: [PATCH 02/29] [fanny] update sops key after reset --- machines/.sops.yaml | 2 +- machines/fanny/secrets.yaml | 78 ++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 40 deletions(-) diff --git a/machines/.sops.yaml b/machines/.sops.yaml index 560284a4..4ef61494 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -10,7 +10,7 @@ keys: - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh - - &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf + - &machine_fanny age1f53q3kkv0qsarlrkdaddjchdzckp5szkv4tu9kly7slkwd966sfs3vccce - &machine_nextcloud age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr #this dummy key is used for testing. - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng diff --git a/machines/fanny/secrets.yaml b/machines/fanny/secrets.yaml index 195e7bcf..dd23b25b 100644 --- a/machines/fanny/secrets.yaml 
+++ b/machines/fanny/secrets.yaml 
@@ -5,63 +5,63 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf + - recipient: age1f53q3kkv0qsarlrkdaddjchdzckp5szkv4tu9kly7slkwd966sfs3vccce enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTmdrV1IyM2hldloxM3Zh - cGVIZmtCZ0FLTEQxcFBLaVh0VXUwNWVGR1hBCnJ6SHpzckh5VVduM0Z2dkh2WHdy - WGxRV0JFZTdqcWgzUFlSZkowZElJd2MKLS0tIGxYL0orSVdmZzJBSEIvRUNDUVlK - RWFLOWp4TVJBM3llS0lmQlBUQ2ZQNkUKEz/dXR0tkVeyC9Oxai5gZEAhRImdL1FL - 2LdVRiCt3MqR9wtfw1/pR7166Bx8nLIN42uWh2YU5j0/0rXNq+I6Qg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTmFmVEd0cjY1QkJNRXRQ + NytpanU0UzF5aXlhRklJbW5yOExrbVFoREFjClRlVGVhOHZ2OW56Z21NU1FjaVFh + ZnJHZk5mV3ZKQm84M0Z6em14akc4Rk0KLS0tIHRMQTdOZTVvNUNoM29tZ2Nockp6 + VUJFMEpxb0Y4WlJhZGZPTk54ZXhIMEkKPwkXj7gRlIZ9aYGNlX+PdZa9BcaHt1G6 + DVNxfuYvecprnQWQ+pjVGzm8j78p7HpAcmJ/Aue3FTYo6S/vyEmK6A== -----END AGE ENCRYPTED FILE----- - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQW5OU2FiNStkazFRRHBK - U2kzNkpWRDVQTDBkTFFNWnREcjh6NlhmRnhZCkxMYlZhcUlGUnN3QWFzbVkyYlpX - eWZaOUxsUCtZYmx0U29ZckFaMjNLTFEKLS0tIExxV0REL3MwUTZpMkgxYlZMc0JS - cTNEYTBGT3VRaDI1eUhucnd5d2JhTWMKNZlkUjxX2QTFoiCWPzz62jz4kK8d5rW/ - MJ1w69Qve7lsUAg74YlFF7i/yYSZZkHoRMs92lRmq3lHlbK6aaUMTw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbzF1WW82MlB3N2tmVjVa + UGlLaThRUFNQOVV0d1ZxK2hJTE1pSGVoV2hVCis0UW41cXRVaC8yWGdCUEVaZjFM + MmViQXJrV3pTNzN4aDNpVCtYNmdXUjQKLS0tIGZsYTRwUDI2YWlMNjBJY2ZNREVu + ZzI3MWRLZ3lseitrQ0YrZ1BuM3BacmsK1gbJH+Qs6sTLrSZSUJtnvUNmbLNnPWVT + WOs8Pxf6ROYmstcF8yEGHxbVesWn0jMbC4aIAZOIyglh+6glxsbnpw== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-01-14T12:41:07Z" mac: 
ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str] pgp: - - created_at: "2025-01-14T12:32:13Z" + - created_at: "2025-02-05T15:31:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv/YM4JBfaFngZt0SmMP3fBCodQXWnWMjy5VYoTOKKaOfG8 - 5GRTf+o1stsru3EKImh5PTqniRO6UH+/DOKBY8zHsy9lXojGka3uPJRKv7JUD5YO - 8NjlHwwg+jcQN/qtrWc+1D69zR1aO/6yxfgujL3r/fJ4reqtSNfkVYVy2lEcw2ZN - zhlN+fBxZCyHyUTKLcXrG7Fg8BRudjwBnIsBTLAVFkWg0bnlq38vicGpF5CHsRjA - cTPq2D9ev888WKHcjFcXYqxeKkXkqBuOOMlCHQyJCv8HHfA/GY+pBQfiVmvSt77O - /MA8hVYl8G4tRFsbUdZzqtPbAsLy30w1e9dpsD2M6tD55V2RNUCrznB2lo0uXZ24 - 9MUnad+NQdntbe5B2OBUF/MNKZ9/tC+B9pBm7Tx3rxSELytGuQF11x4EyLwn+Ict - iBBV5P3RiulxLW6MbDs+7JPILfcMfg6e8q+GY1dnIPZrs8Qf5W60FxbOYYiMvJ9k - UtnZAixVdlpkAsQz/t630lgBX9DLYjEVgaxC+zqtRjfHkoyvGIac6cgHDX/fBs7p - Woud0RbwffhOhaIF47Z2W4UPfn5Mtcu63fQpjCM9urk9asaRPeNDTeEYVjqSZD6N - J+o9dahBHvIF - =GKm4 + hQGMA5HdvEwzh/H7AQv9FdyMi1hVqhXAHEIjv5hiCw+l+OU+WomhmQTNue3pfgLi + eP15nIqjOg4H+akley0alE5ZL7AU/x5catwmd+JqG3p+j4v3z4GGgpgob6srxhRR + jcSZZZpOi5kMdvayX90Mm1zbzTSdxgHcI7tOtnr00kuUfkvTNyYP8ofvb19OZ3sS + ednM9E6h+qfCI+R2iv0WcyF0UXS8vExCl5djL4kV/gzc8iQz5qm1f67xem7kiN8M + dJZMmAkGSbSzCx/czqZ7pIB5LCmnGmLeYNBoMXdnj970dJrJ6/1DZqQNq4mkE8PG + odn7U4dq37pfpp8LJR9XZuCuQ2TbW8WqczQ3l2u4hqQNhHNRGDB/FGJrkn31BirN + Mwbb7UJQYQR5OzGwHTigpXDJnrf9j1CyAxbx3TrSHBrh63eVgUs1+mD9SUj6vVN7 + aBb8Y1M/cPiDyo2dpsa5lG6hzDQzlpBuJI4a8kN9JVTbcwYuWECx2kTGnZDBW+xf + KPNPrNzZmhIyZXMjPuK/0lgBuskgYg3sLqGgwUMisKCV56yRJr0zCoje3XWY6X2y + J7F0+/R3ESt98Za/qs4PG+U5oOXsUVlDZK0D+zVvnunJLOP/fT2yu4YoCZxy9Y6I + HbJzEdNC98ow + =nYXr -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2025-01-14T12:32:13Z" + - created_at: "2025-02-05T15:31:49Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hQIMA98TrrsQEbXUARAAmD4PfLpRVUXTo5yyS9LSs5vmEvnCmNc0ad4Oiv7YAxhs - W7SCKHq2zOfGIeZZHP0wjRnJELwMCVLy4dVo/slDHCiy8T4MZXaYR04ZaJJ+OHrF - e5xxAA6FjipufvxgRZvLhDj+g+RaX2TuxdL9gFSVS81rvEpSRDnydt2O/6G4SGBR - GO5b176eMerrqOqRLL5Ou4b6oitagvRwZzOXQ+YonKZz3STlyXRMgWxeFTDK9T/q - yYOwPVAOU1jhYzUjHNAYCp3CH4ERScrO7AwomAWH+Fe48WRbg2ebdqRnuv/Vl4PM - wc5DQcCIIIIENMGIYOzUo1KrfQlevzXF/mbgAgo/uVuRl3Y3lCRAcZBQOtUCF5Ap - FhsO87EMXlZWj3bv08f21t3hQztfuaHIqFpCbSIGgmiE9cAY0cOtCYpJfCYdV7iT - cOElJgYRbAsAbFC9wTQWEvwIxrgnCIrkCg1bzP5KNLG1K+ae5J7qN77qeTQw2/ul - QDDUUNnzjes562t+/xFLQa/bust1Y8pAYn1s1LEBol1hLX4Igonlkw303UPjZOI2 - MyH5hOh0hNUReuOpHpre/pYquE8Dd27XKAHfJsSd3ZLJG5+1Msw23lIsptgovNrB - 5VRvPj8WPojiDHqN27kt/IuayN3TeoJFjmAjkoFjlyKTcs+b6cDkxUw3LcP+6NjS - WAHQI0pWTa5zD8UPow4DHxteP4jW/6ddBfJ1Vz1scqKMXYvxFkRqZvn3uAJOtcuw - CgQ4CXE43n4G7g5gvWl6ZFW8tdXR7Sw+USnHR/9oS9fV0rHcxxDFEfE= - =9FN4 + hQIMA98TrrsQEbXUAQ//b/vbXzTW+NgmpAfTEkrha0OeU3w4UEwejZVYJeFcTHrS + nOh1W/a4pMNJ0n/xabGkwJs1o1CPEcV8ctta6OgwiXLFmfuVDYiT4YZw2zUML8kd + umCgGFcCq5xjxIVbY7GXz/Grv+cJa6JfdQirNRoaDFvhgZxinAcuOhlb01pmf4o2 + frGrbCvkbDU/OLjMkfakUT87tZh6wfhlT14FABpZNrDHl7mpEvNH/prUMzj87ZME + g1OkwdjC7sBXngPQjstgMeZmLfsXVhDlhPIPi2kh6LUCdDFkadOZG9+dMf5HpTPW + v69CKJyzK8WcH5RoksYgYuACIMRO1VXfIpm6sJqHn2gXc/6CsiST7ofvGtBUhaW+ + B342tjWJiRhcU96KCP91NAo4aiNeQ/UjW6EAbJ9BaPWwAod6f3nxBEVvg8pMlLOR + pdW6p/Bz4HmvNW+xXLyxUER+ynkOouCMVrb7/eSvzV1Lf2Yz6K8hVe2ehgyVz++v + sXl6KqMGu5FNJS9j07hXYgWzwk6M+IBBC/YcjQdZQys4IadS1QbtuQOuP3KJ3wwk + qa4wyHRxb7/3svBP+2vi7HvjizwiEdk7r4CRnrdUm0C7Qozy8UdFMFWMdPMIdL2L + tI2n71HASMmc7ekU4J45/d9MHqLUahO0wuTd7L4IvAsepZqY+uWuYBVoZW/vHc7S + WAGwfJ7/D8i3lbRP91TslhrCMdzrdzgAb/TLWAyKwSwPPzzf1dCLNp6yF4QRICwJ + d/yxpSHBVgShCN3qIsiryx4FtUCPRwzgY96delesewJOIzxwjByIvTY= + =vEEz -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted From 580096435e91f72efadcb97b5bca17c03cd2fcf2 Mon Sep 17 00:00:00 2001 
From: kalipso
Date: Thu, 6 Feb 2025 13:37:46 +0100
Subject: [PATCH 03/29] [sops] update secrets

---
 machines/.sops.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index 4ef61494..5fc798fe 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -8,10 +8,12 @@ keys:
 - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
 - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
 - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
- - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
+ - &machine_durruti age1pd2kkscyh7fuvm49umz8lfhse4fpkmp5pa3gvnh4ranwxs4mz9nqdy7sda
+ - &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se
+ - &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0
 - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
 - &machine_fanny age1f53q3kkv0qsarlrkdaddjchdzckp5szkv4tu9kly7slkwd966sfs3vccce
- - &machine_nextcloud age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr
+ - &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k
 #this dummy key is used for testing.
 - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
 creation_rules:

From 03aa9a57050effe63d9334eb9121c1d80f838112 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Thu, 6 Feb 2025 13:37:54 +0100
Subject: [PATCH 04/29] [nextcloud] update sops key

---
 machines/nextcloud/secrets.yaml | 78 ++++++++++++++++-----------------
 1 file changed, 39 insertions(+), 39 deletions(-)

diff --git a/machines/nextcloud/secrets.yaml b/machines/nextcloud/secrets.yaml
index 0327a086..860d17bb 100644
--- a/machines/nextcloud/secrets.yaml
+++ b/machines/nextcloud/secrets.yaml
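Review bot: Replacing the `&machine_durruti` and `&machine_nextcloud` recipients and adding `&machine_infradocs`/`&machine_overwatch` only changes which keys future encryptions target; the diffstat shows no secrets file re-encrypted in this commit, and [PATCH 04/29] then re-encrypts only machines/nextcloud/secrets.yaml. If durruti, infradocs or overwatch have their own secrets files, those stay encrypted to the old recipient set until `sops updatekeys` is run against them, so the new host key cannot decrypt them and the retired key still can. The same gap applies to the .sops.yaml hunk of [PATCH 12/29], which again rotates three machine keys but re-encrypts only the nextcloud file. The creation_rules that bind these anchors to files start below the hunk, so whether the new anchors are referenced at all is not visible here.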
@@ -8,60 +8,60 @@ sops: - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqSk9GWktrZ3FsRHpOcTJp - Y3VWMytTRlhxVXJma1puT1lMRTN2NHBNV2xrCi8xYTFWeVN6RWl0Um9mZXpoKzFh - SjVFcGJRNlhkVUZQYXpEb0EwYzUvUjQKLS0tIGEvdGdMRGxvcndxMllZTWZqKzg1 - aWlJOTdYV1JMM0dIWEFDSHRuQWdlcVUKsdwGZ3SkJEf4ALDhHUlSQJNKrFyWd7fW - WTGk66NJ2yD8ko/6OyB9J9U0WPbFLgr972H+klBq/IDmOx0hClbYNA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dCt1ZFR0QnRqVFdiL0Zi + VTR6Zy9ZTy9YNDBZaDRTZzJnU2ZKcjJ0MG1vCldpRU5tTzc1YU5KbjlDbXlNRjBU + Sm8yc0oyNWU1WHJoYTRvK3o4aGtTY2MKLS0tIE9wY0R0V3Vkc3Y1T1YwTkFTY0J5 + ZCtzbVdtNlh0cXpra2RWbEwzUDM0UjgKY3zZn5PUWuLBQgYxm9BUpLYWw3CdXYA8 + 4U6OVdRF6foj4/GrKKyhVf8dMbLbkhPvxqZ5wg40o6bwHEw9QNM+5Q== -----END AGE ENCRYPTED FILE----- - - recipient: age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr + - recipient: age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNzdib3Ztd0g0MlVqYVF6 - cUtjZzEyY2FJYVRoT1p5RlJwYVQwUXVOUkNVCkp4V3hMYlJsaVN4RjlwQXNWS1Jt - aitzWVdOcUdrNHorenZGZU1iWFZzVjgKLS0tIGNGcTU5OUJLM3VzQk1uODFwS1hO - WG16Y25tMDkreGFnSFRKN1AybyttYWcKcLHJScp2Ozh0jIdi7Hb/tSjaCGorqXaC - 9DIrQPHbPP1RIc6Ak8Kn30/BHEWV3VaiBCT3vfS9pNJQNjB4T+901g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbDZaYjRTTDc0SFU2U2xQ + cUhESStvKzM5Z0QyZlJldURtRUJZTHhvNEFrCmxReGJ6MU9qdkh6UFVPYmRuQThs + VmVCMTQwc0xkR0gzemlSUVlnN0NCZE0KLS0tIDFtK041ZlF4VFBreHVacitSVEN5 + WXg4UkJtU2dTR3ZjeFYzR3lRODhLYzgKrO+NtT0Q3K8FgDwW0WiZJOUHwkEz+wp8 + lgBkXy2QJuuJ11f2e9ZJ3hx1xgOm6SMBmgl3zQVfVpq88yZE8uDe2Q== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-26T20:00:50Z" mac: 
ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str] pgp: - - created_at: "2025-01-21T21:04:08Z" + - created_at: "2025-02-06T12:36:59Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv/ejIylIgs3yeVcZriQTA8d/xyXTdFw6On422lTCDk3d0W - GOdV44vAzUzNX5tziQtLjectLUrKh9Qb9WaP4VnTCGI0XJ/dEtYRCkYMx8MjjbLl - 8GqFi3Hw958Uykp9wt0iiP6BQ42Fo77EPxVcn21eHKZY0zg/vaeRXXeXSzkjzANs - NN/KFS06uFRJhmp+0z6hDRrHnpb0wd5JGjHOp96jK9LmpwfZZZlVpAHp04hOhlPV - cMmdjg9IRSubvbraTbDrgwB0h3JKdqovFDnAP/KvT+rw5xnVUVMq/3tUNq4MbfZb - CvQrXsjQJQbEhY+eAJZVRO07kX0+zMvIin4ss7Xt++qlo4/OvFvuGbnUhJE+hrBb - nkyGhbDrjpsfa3djCEZ0UxMAWtPeIQ7T8QMkGY+UKeJKxfOGSchARnfCtGD/rtsj - wuhqGya7g7WP78WzwASzlPwB5jpdQ29/zLWXR60lNCYu0UYSVYmlspZnKEB0FkLO - TNUrwXXMrM0XwMVaG/sF0lgBEPE6CTuE85evCHFyu6zhEAa7YimKAPIowcwYLSJ2 - 46KfttJAYnRnb68Kk9N5xcFyvhKyTx/6eMdxkgr2LMoSTBDUgZfG3rDQC+ZbFE3m - bUOvx3Ho80EC - =oQd6 + hQGMA5HdvEwzh/H7AQv8DLbU8OaQmYtAjTPlqeg1nv+/z3gA16MTZjz8rRBqK695 + JaEbWoCJ2Nv5Mnzj7owQSk/+f+Q/d00osr4KOhQWTNoq1442MyWgIXKGPDmHgXv8 + CxFT3hIKMEFFvFtkSdo+HlBSTQJZtHgDSGabd2xd4e45tLnHsPvWQ4ngGn+piUaw + qz5+YIpmFNlnL9ubsB8NivryXlIL6wBXL83FyfAPnY+qG0/7frVWwP1Cejg1CGYl + bOYxgb1uPYIIqvvU9bZ4r46DfojFFGur9pwG/wKGOgIQ867vsXtRnNm6+SJIHeyt + eNqil3tee++V4VVUrDTf+gWufx9YFS/afRgMKuf1pUvQGTBMbUJNhIp+PjpOSBCk + Kk6uyMWrBhiCpAVU9GKFW1AbDBCgUig2sLIUGOrfb+RkzDLX4pEoa9DVVDC2pRVy + F2fjEEbPAZepsPFNbgDyaixv+FeA5oWWiBnA7qO/v8t142UOtqBcexUZjBYYgRmt + c0S+lTk//xEip9wYvY6W0lgBOLqEUEiLg1tw0xvt9H4R9aGNLkCyvUediwuAbfw4 + bGha9PTckYpnKN589xxsDMqbQ0Vn/rxeSzC7RT+qtjUg1gDbDJQTZdYr0+//e0YV + xRvlnfPW9voB + =xqAk -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2025-01-21T21:04:08Z" + - created_at: "2025-02-06T12:36:59Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hQIMA98TrrsQEbXUAQ//eu7YkPL7dU4AYWCZI7THsiJ51SOMahOXp/qC5yL18aZY - r4SpyNhFezGIJfMuhwBSZZBI/MNW6M+zMwIJ2wkioxUDnDvfVi10/cV6p85U75Jn - 59e1afN+eekG2DCI6sWPmLy8jmYh4CQRdEurtfzquDOARZ4IHZjotP5AWI8OPHlM - FdK2jGXFVevQY0m619CNm78D2NEdlGe1QtLVSazWQ8MsDLfMnHTYFUy3EoSihzat - QkcR//8whzlLT/NcqKlnBDNBU7FvPov+ZdUmIw1mx2wp5f2sGp4m737Yhoey2aFL - qLXHDc91nVRcw95FBDNYlSH8a2AzT4sm4vFR5EkC6vrfz+v1pdg1Fc3dc++hPgE0 - MYWn6f4v8lDhPhw2kpmAP4Oz4uPdmPgdfXKiIzr7qf3O5lIC6ZIIwoqhj2f0odj6 - 7anDUN5C3B5ruFU3UNJEBLrZelbmg4zf2hAtzfoi0L9paIZX5SCLP3PDbvdRbADc - oyC3Gw/DeddQ9ZeP+wYiwJ/614zRBmZRzQr9RFowf0gJBSS7TaWPCONfUJ/3eekX - or8JpLTD5PMQNoS0L4S41Cj+yOg/AlmHF/9yvj1GVTKT9rBj3Snki9NOmY2ZUQo3 - BDdnsftA3w4q4iu06ojQkrjn/FJjmNzb83XR2WxrHFUAaY//nISyY/9uTsEhwFbS - WAFlKfmyVc7nLBI12i0yWLLy/tcVF3c8gtGfNmyoe/RIr+6EQmzUi0v+X49Tnzpj - 8JAnE+4Jzm2ijqF4Ats5KoXqFiLUenJZQHJ3IFoI36n+hM4P/ICeZ4k= - =s9pl + hQIMA98TrrsQEbXUARAAqGyBZLrJ1UpiJKIbQSTQpKA7bRD7olMczjh0Bx1fTN0U + bctdfIGVvdp5pM1C6xbvubNqAMEisQ1tMVozDkXCnLARTwcaq6lyE9vl3gJ1iF1Z + N8SbxVTYV1SXg3qokyBsZIggQ6gJqAr62Pyoansp4HfwwFwYohwR2zTfHJ8pFkkW + R2FfEI2Gw5nN4GaauIxUGFDPuvvZapCWZ/ejt4s/ezT9cYrwYfu9XIlqsivsi3yp + I03ohKS/pKhxlE7RV2ufRboG+m6TUCnyj5U5AzQa09hkSHd94s9A6M8I6M6zWebv + pdX73sCjWZQdIZoeM5oXcyY/s/h4/w37loOUE/thh1+hIjybAG0CH31nJkjcdcLg + l/fqTLa89JVt37bU9c/hVsx2Bc1cTO7nqhG3kyahkMSLFrsb73yTNn4kOqSKZ7+z + 189oR0EjNySgRt+M20vjKzhPbjxxQTKlpTE0vho6fEHYRmzPQ3IQbVUbPEbZR64I + S+Nk7m95ZV8djaUOwqqU9pwDTvuYIBwhGOY1kefDg1sCCTM8C9RI9sG02HeQpme3 + bgkO+m4khXeiiIrTAODiyM+GCwx6UcwooUSpu8LZJmhiZtfgMsFdGF3P7ngtoOEQ + 4cxP231EI/zoMqRyXYrvAovxXndwghG0LGcCAZZL6mNN2xzE6z1gesVWRjXM8inS + WAFB7DgLTlY43D4QbhkyZfo6XltYe1g1tcJJraG/HICa7hq5BZn48t/BcacCvsrJ + lIkEgOT8gn1SlQbDL+T+3pRNOixGKPNU6Ategoy+Eq0Im3AhE0XO8Ns= + =Uvc2 -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted From 5877e1dbd92073a02b0578b694c81220ed6f018b Mon Sep 17 00:00:00 2001 
From: ahtlon Date: Sat, 25 Jan 2025 01:21:05 +0100 Subject: [PATCH 05/29] [nextcloud] add some attributes --- machines/nextcloud/configuration.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/machines/nextcloud/configuration.nix b/machines/nextcloud/configuration.nix index eea2e2db..e577bdd9 100644 --- a/machines/nextcloud/configuration.nix +++ b/machines/nextcloud/configuration.nix @@ -55,6 +55,12 @@ with lib; }; settings = { trusted_domains = ["10.0.0.13"]; + "maintenance_window_start" = "1"; + "default_phone_region" = "DE"; + }; + phpOptions = { + "realpath_cache_size" = "0"; + "opcache.interned_strings_buffer" = "23"; }; }; From 3ae3bbda6b32d51cdb25241c5390b4a5e36d6067 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Tue, 28 Jan 2025 12:19:53 +0100 Subject: [PATCH 06/29] Fix #67 --- machines/nextcloud/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/nextcloud/configuration.nix b/machines/nextcloud/configuration.nix index e577bdd9..a2cacdf9 100644 --- a/machines/nextcloud/configuration.nix +++ b/machines/nextcloud/configuration.nix @@ -37,6 +37,7 @@ with lib; hostName = "cloud.malobeo.org"; config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path; #https = true; #disable for testing + datadir = "/data/services/nextcloud/"; database.createLocally = true; config.dbtype = "pgsql"; configureRedis = true; From 49aed32687ec376eb6b2c9705e74759a50ab7d51 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Thu, 6 Feb 2025 15:40:25 +0100 Subject: [PATCH 07/29] Add microvm data dirs (untested because virtiofs mounts currently dont work) --- .gitignore | 1 + machines/fanny/configuration.nix | 5 +++++ machines/modules/disko/default.nix | 4 ++++ machines/modules/host_builder.nix | 7 +++++++ 4 files changed, 17 insertions(+) diff --git a/.gitignore b/.gitignore index a2fa571c..8bea5d28 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ result .direnv/ book/ fanny-efi-vars.fd +nix-store-overlay.img 
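Review bot: The new settings keys are quoted while the neighbouring context line `trusted_domains = ["10.0.0.13"];` is not; in Nix only `"opcache.interned_strings_buffer"` needs quotes (the dot would otherwise be read as nested attribute access), so for consistency write `maintenance_window_start = "1";`, `default_phone_region = "DE";` and `realpath_cache_size = "0";`. Separately, `maintenance_window_start` is documented upstream as an hour of day, i.e. a number; if the NixOS `settings` option accepts integers here (not checkable from this hunk), `maintenance_window_start = 1;` would state that intent better than the string `"1"`. The enclosing `services.nextcloud` attribute set starts before the hunk.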
diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index 748396ee..f6af913a 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -57,6 +57,11 @@ in }; }; + systemd.tmpfiles.rules = [ + "L /var/lib/microvms/data - - - - /data/microvms" + "d /data/microvms 0755 root root" #not needed for real host? + ]; + malobeo.initssh = { enable = true; authorizedKeys = sshKeys.admins; diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix index 6174bf33..9ffd02ce 100644 --- a/machines/modules/disko/default.nix +++ b/machines/modules/disko/default.nix @@ -252,6 +252,10 @@ in type = "zfs_fs"; mountpoint = "/data"; }; + "encrypted/data/microvm" = { + type = "zfs_fs"; + mountpoint = "/data/microvm"; + }; reserved = { # for cow delete if pool is full options = { diff --git a/machines/modules/host_builder.nix b/machines/modules/host_builder.nix index 772ce49f..c75f6f08 100644 --- a/machines/modules/host_builder.nix +++ b/machines/modules/host_builder.nix @@ -70,6 +70,13 @@ rec { proto = "virtiofs"; socket = "var.socket"; } + { + source = "/var/lib/microvms/data/${hostName}"; + mountPoint = "/data"; + tag = "data"; + proto = "virtiofs"; + socket = "microdata.socket"; + } ]; interfaces = [ From a0756e46174f3dd34dbff61d8d48e042d1026947 Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 6 Feb 2025 17:36:25 +0100 Subject: [PATCH 08/29] [disko] no encrypted swap when encryption disabled --- machines/modules/disko/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix index 9ffd02ce..e8770f63 100644 --- a/machines/modules/disko/default.nix +++ b/machines/modules/disko/default.nix @@ -102,7 +102,7 @@ in mountOptions = [ "umask=0077" ]; }; }; - encryptedSwap = { + encryptedSwap = lib.mkIf cfg.encryption { size = cfg.root.swap; content = { type = "swap"; 
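Review bot: The trailing `#not needed for real host?` on the `d /data/microvms 0755 root root` rule ships an open question rather than a decision; the disko hunk in the same patch makes `/data/microvm` a ZFS dataset mountpoint (renamed to `/data/microvms` in [PATCH 10/29]), so on a disko-provisioned host the directory presumably exists before tmpfiles runs and the `d` rule only matters for VM tests without that dataset. Either scope the rule to the VM variant or replace the question with a statement, e.g. `# only needed where /data/microvms is not a disko-managed dataset (VM tests)`. The enclosing configuration set starts before the hunk.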
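Review bot: Nothing in this series creates the per-guest directory the new virtiofs share uses as `source = "/var/lib/microvms/data/${hostName}"`; the tmpfiles rules added in the fanny hunk create only the `/var/lib/microvms/data` symlink and `/data/microvms` itself. If no other module creates that subdirectory, the share has a missing source and the guest's `/data` mount fails, which the commit message already flags as untested. A tmpfiles rule next to the share, for example `"d /var/lib/microvms/data/${hostName} 0750 root root"` (mode is a constructed example), would close the gap; the owner and mode should match whatever writes to `/data` inside the guest, since a root-owned directory exported via virtiofs is not writable by unprivileged guest services. The `shares` list this entry belongs to starts above the hunk.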
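Review bot: Wrapping `encryptedSwap` in `lib.mkIf cfg.encryption` drops the swap partition entirely when encryption is disabled, although the context line `size = cfg.root.swap;` shows the swap size option is still consumed; a host with `encryption = false` and `root.swap` set silently ends up without swap. If that is the intended trade-off, state it in the description of the `root.swap` option (outside this hunk); otherwise add a sibling plain `swap` partition under `lib.mkIf (!cfg.encryption)`, keeping in mind that an unencrypted swap area can page secrets held in memory out to disk. The enclosing partitions set starts above the hunk.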
From 698cfcf3839b1003a46f8f164e9f80a292903099 Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 6 Feb 2025 17:37:00 +0100 Subject: [PATCH 09/29] [fanny] more ram and cores for vmVariantWithDisko --- machines/fanny/configuration.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index f6af913a..075db24e 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -20,6 +20,13 @@ in inputs.self.nixosModules.malobeo.metrics ]; + virtualisation.vmVariantWithDisko = { + virtualisation = { + memorySize = 4096; + cores = 3; + }; + }; + malobeo.metrics = { enable = true; enablePromtail = true; From 9209f84586aa6e6a30ca9efa2c7a8b99cfd2c42b Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 11 Feb 2025 19:31:37 +0100 Subject: [PATCH 10/29] [disko] fix dataset typo --- machines/modules/disko/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix index e8770f63..7911beba 100644 --- a/machines/modules/disko/default.nix +++ b/machines/modules/disko/default.nix @@ -252,9 +252,9 @@ in type = "zfs_fs"; mountpoint = "/data"; }; - "encrypted/data/microvm" = { + "encrypted/data/microvms" = { type = "zfs_fs"; - mountpoint = "/data/microvm"; + mountpoint = "/data/microvms"; }; reserved = { # for cow delete if pool is full From 849505807c77ea7a2da8ae3251dd046140f8b655 Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 11 Feb 2025 19:33:02 +0100 Subject: [PATCH 11/29] [fanny] update sops key after reset --- machines/.sops.yaml | 2 +- machines/fanny/secrets.yaml | 78 ++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 40 deletions(-) diff --git a/machines/.sops.yaml b/machines/.sops.yaml index 5fc798fe..d3af0e27 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml 
@@ -12,7 +12,7 @@ keys:
 - &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se
 - &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0
 - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
- - &machine_fanny age1f53q3kkv0qsarlrkdaddjchdzckp5szkv4tu9kly7slkwd966sfs3vccce
+ - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
 - &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k
 #this dummy key is used for testing.
 - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
diff --git a/machines/fanny/secrets.yaml b/machines/fanny/secrets.yaml
index dd23b25b..37dfc121 100644
--- a/machines/fanny/secrets.yaml
+++ b/machines/fanny/secrets.yaml
@@ -5,63 +5,63 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1f53q3kkv0qsarlrkdaddjchdzckp5szkv4tu9kly7slkwd966sfs3vccce + - recipient: age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTmFmVEd0cjY1QkJNRXRQ - NytpanU0UzF5aXlhRklJbW5yOExrbVFoREFjClRlVGVhOHZ2OW56Z21NU1FjaVFh - ZnJHZk5mV3ZKQm84M0Z6em14akc4Rk0KLS0tIHRMQTdOZTVvNUNoM29tZ2Nockp6 - VUJFMEpxb0Y4WlJhZGZPTk54ZXhIMEkKPwkXj7gRlIZ9aYGNlX+PdZa9BcaHt1G6 - DVNxfuYvecprnQWQ+pjVGzm8j78p7HpAcmJ/Aue3FTYo6S/vyEmK6A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZFBYMHMzTFRMLzhCbnBE + MXkreklWSUVOckl5OTJ0VzlWS2tIOFBRRVVJCk90OXJoMHQza0hTSGt5VUphNjY1 + MkFrTHQwTHJNSGZjT2JOYXJLWExwQTQKLS0tIHlTeVgvRlU0MXA3cUl2OE9tYUls + TStjbTBkMTNOcHBja0JRYUdvSWJUN00KtOPBH8xZy/GD9Ua3H6jisoluCR+UzaeE + pAWM9Y6Gn6f7jv2BPKVTaWsyrafsYP7cDabQe2ancAuuKvkng/jrEw== -----END AGE ENCRYPTED FILE----- - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbzF1WW82MlB3N2tmVjVa - UGlLaThRUFNQOVV0d1ZxK2hJTE1pSGVoV2hVCis0UW41cXRVaC8yWGdCUEVaZjFM - MmViQXJrV3pTNzN4aDNpVCtYNmdXUjQKLS0tIGZsYTRwUDI2YWlMNjBJY2ZNREVu - ZzI3MWRLZ3lseitrQ0YrZ1BuM3BacmsK1gbJH+Qs6sTLrSZSUJtnvUNmbLNnPWVT - WOs8Pxf6ROYmstcF8yEGHxbVesWn0jMbC4aIAZOIyglh+6glxsbnpw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhc282T2VVamFGcG1Ub3hp + S1VwKzVsWW1sRXczZnRNdkxDWE5Sd0hhVUJRCkovNGZ1ZlN0c1VyMXV0WThJMGFi + QVM3WW5Eam81dWpGaFd3bm80TmtQSlUKLS0tIFFSUy9SYWdKeE5KWk0yZld5dDYy + QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP + SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-01-14T12:41:07Z" mac: 
ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str] pgp: - - created_at: "2025-02-05T15:31:49Z" + - created_at: "2025-02-11T18:32:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv9FdyMi1hVqhXAHEIjv5hiCw+l+OU+WomhmQTNue3pfgLi - eP15nIqjOg4H+akley0alE5ZL7AU/x5catwmd+JqG3p+j4v3z4GGgpgob6srxhRR - jcSZZZpOi5kMdvayX90Mm1zbzTSdxgHcI7tOtnr00kuUfkvTNyYP8ofvb19OZ3sS - ednM9E6h+qfCI+R2iv0WcyF0UXS8vExCl5djL4kV/gzc8iQz5qm1f67xem7kiN8M - dJZMmAkGSbSzCx/czqZ7pIB5LCmnGmLeYNBoMXdnj970dJrJ6/1DZqQNq4mkE8PG - odn7U4dq37pfpp8LJR9XZuCuQ2TbW8WqczQ3l2u4hqQNhHNRGDB/FGJrkn31BirN - Mwbb7UJQYQR5OzGwHTigpXDJnrf9j1CyAxbx3TrSHBrh63eVgUs1+mD9SUj6vVN7 - aBb8Y1M/cPiDyo2dpsa5lG6hzDQzlpBuJI4a8kN9JVTbcwYuWECx2kTGnZDBW+xf - KPNPrNzZmhIyZXMjPuK/0lgBuskgYg3sLqGgwUMisKCV56yRJr0zCoje3XWY6X2y - J7F0+/R3ESt98Za/qs4PG+U5oOXsUVlDZK0D+zVvnunJLOP/fT2yu4YoCZxy9Y6I - HbJzEdNC98ow - =nYXr + hQGMA5HdvEwzh/H7AQwAmorRyo7mguHQxATRRuKstaXertmyz2AhKFr1Kr880vBJ + ODjEKmkH77wIpOnZjOYrx7j2JWosoJ1KgsUUh4VlAPM3O6cXVwqDucu1d8O/HzK3 + RPuPfTKDr/lKl7QyQCx5lQuxE1/qn88D/g/fMQYu3NAVJa7acpTdSsfyo9nZ3QMb + ly6YEyGDc/IhBy5igc7bIWy1o+XATmyUxA+jZVMLiBKhetogMC507Eq71tUCMEht + CItRoFFPeoCzC8JPjpQNQmXoe5WDv3hzWpUBRJgjScYz3JuEfakbsAnzrPc41Mga + yPhSPYPBtHlEt+DntW9i/CFLEJ+I0V+uz3gnNtNdHTIIe2AZbGympjZldZThldb3 + Tupo7ep6VQgi+hG37wLmQdvSVWR8lVJDMvOmV9xZqdFYfQdBr2gewTT6Y2QCc8GZ + HBtJASlpIbydd/rtLtaTwtdOz64g+F5Vw/6T3ciyExt6RCoPALqZCoyzQnvnQm7e + JPPauAs8BH8ejoDlJYjK0lgBBMSJTZ2xlGYh4wG8zmGtGok2wvXYy+DeqlXuCIy6 + 7Xu4BLTL9eOZZo0sPR+RQfYbII0zMIc2fPBtU2c2z89YOTI44FI0BVbTlhLIIXXz + NJMDln08MWwr + =hhKC -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2025-02-05T15:31:49Z" + - created_at: "2025-02-11T18:32:49Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hQIMA98TrrsQEbXUAQ//b/vbXzTW+NgmpAfTEkrha0OeU3w4UEwejZVYJeFcTHrS - nOh1W/a4pMNJ0n/xabGkwJs1o1CPEcV8ctta6OgwiXLFmfuVDYiT4YZw2zUML8kd - umCgGFcCq5xjxIVbY7GXz/Grv+cJa6JfdQirNRoaDFvhgZxinAcuOhlb01pmf4o2 - frGrbCvkbDU/OLjMkfakUT87tZh6wfhlT14FABpZNrDHl7mpEvNH/prUMzj87ZME - g1OkwdjC7sBXngPQjstgMeZmLfsXVhDlhPIPi2kh6LUCdDFkadOZG9+dMf5HpTPW - v69CKJyzK8WcH5RoksYgYuACIMRO1VXfIpm6sJqHn2gXc/6CsiST7ofvGtBUhaW+ - B342tjWJiRhcU96KCP91NAo4aiNeQ/UjW6EAbJ9BaPWwAod6f3nxBEVvg8pMlLOR - pdW6p/Bz4HmvNW+xXLyxUER+ynkOouCMVrb7/eSvzV1Lf2Yz6K8hVe2ehgyVz++v - sXl6KqMGu5FNJS9j07hXYgWzwk6M+IBBC/YcjQdZQys4IadS1QbtuQOuP3KJ3wwk - qa4wyHRxb7/3svBP+2vi7HvjizwiEdk7r4CRnrdUm0C7Qozy8UdFMFWMdPMIdL2L - tI2n71HASMmc7ekU4J45/d9MHqLUahO0wuTd7L4IvAsepZqY+uWuYBVoZW/vHc7S - WAGwfJ7/D8i3lbRP91TslhrCMdzrdzgAb/TLWAyKwSwPPzzf1dCLNp6yF4QRICwJ - d/yxpSHBVgShCN3qIsiryx4FtUCPRwzgY96delesewJOIzxwjByIvTY= - =vEEz + hQIMA98TrrsQEbXUAQ//cBdyq4JxOhU9t7Z9iWAp2DRObgv7HMbhIXh1351wuzA7 + Fe0Kqcoo/ekCkIPrLZOC5z4CMjXwOCPSncMMm5vK5ibixTlX9446+Hv7AQ1vq2Nt + 2daL8ZzpCeCJmi07Vyp72/NJOZYa6YY/gFiiRw044lNLFS//b0sYkipne5COjvca + I7BxWCpGwLLWZ7LNKhg6i0at+0AqEdBDiwSE7jfeY6IL9tPOIqmBxYIWMbiAkPMd + /nK8PVPrt41NkJkuxfjXcYowJRcJmAYHGiRUQaAkUZyRQxmolbLwwJ+/CVYxv5Kk + hN5QvT82z5I8gK5LXrt3ZGEcC9dADkRSQr/qcWQT+CEnsGZi8b0unwUZZruDVb7d + eIwICaXu62gH/mlJN1z/J5jEciwQtC9Eh932x5qY3sdtd6Gm7/EHTf9NJ9Zg3gTk + nfytwpfUmtJO/bI5RvYSUkXkU6CLY6bqRW12+YrsAP+vDITYcLVEJGt7jrXDFto2 + Z9rlywZsQiZhLrzi1UImCTthcceI6Hd7l3TOYV84gMxdahBo3FLKnoZRK2I7ukGq + Wi0KjajcsJ6LBUCCpMg/tW+TT8/+66QY9BDzcv/hBdRc4lCKNeKDwwGFPSFZCcib + uyT8UB6iUYVMiNSHRqdGGcH0NwH45Oe2g9nF/lrJ0vYw1toN3WSpEc5v/Nch8DbS + WAE3DazXQgd4UQ19q+5cC+L5POWcAjgWpZlRwBXBRdeOKFDF9maCPL6MpfMm6XG1 + /JNfzhipjL5OXgJgK7iUFJlH9AuD18g/by7yID0bTsg2fkfLglwjfm8= + =Sdch -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted From 9df89d603924923c9ab9605591f3b84a4eb02c90 Mon Sep 17 00:00:00 2001 
From: kalipso
Date: Wed, 19 Feb 2025 15:35:14 +0100
Subject: [PATCH 12/29] [sops] update keys

---
 machines/.sops.yaml | 8 ++--
 machines/nextcloud/secrets.yaml | 78 ++++++++++++++++-----------------
 2 files changed, 43 insertions(+), 43 deletions(-)

diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index d3af0e27..c919312f 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -8,12 +8,12 @@ keys:
 - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
 - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
 - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
- - &machine_durruti age1pd2kkscyh7fuvm49umz8lfhse4fpkmp5pa3gvnh4ranwxs4mz9nqdy7sda
- - &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se
- - &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0
+ - &machine_durruti age1arwef7t65lz40lxhs5svyzentskjzam3e0e0yxen872vwy6v234s9uftvr
+ - &machine_infradocs age15rqsygf7yfe6pv6t4c6c9jc6yk4vu5grmmcu7sexvqfw8763mf2q6qw50h
+ - &machine_overwatch age1075ep3sl5ztshnq4jrygxqqqfts9wzk4gvvtwfjcep5ke8nzqs5sxtw7vd
 - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
 - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
- - &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k
+ - &machine_nextcloud age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk
 #this dummy key is used for testing.
 - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
 creation_rules:
diff --git a/machines/nextcloud/secrets.yaml b/machines/nextcloud/secrets.yaml
index 860d17bb..01c7c151 100644
--- a/machines/nextcloud/secrets.yaml
+++ b/machines/nextcloud/secrets.yaml
@@ -8,60 +8,60 @@ sops: - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dCt1ZFR0QnRqVFdiL0Zi - VTR6Zy9ZTy9YNDBZaDRTZzJnU2ZKcjJ0MG1vCldpRU5tTzc1YU5KbjlDbXlNRjBU - Sm8yc0oyNWU1WHJoYTRvK3o4aGtTY2MKLS0tIE9wY0R0V3Vkc3Y1T1YwTkFTY0J5 - ZCtzbVdtNlh0cXpra2RWbEwzUDM0UjgKY3zZn5PUWuLBQgYxm9BUpLYWw3CdXYA8 - 4U6OVdRF6foj4/GrKKyhVf8dMbLbkhPvxqZ5wg40o6bwHEw9QNM+5Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cFBEempENHlXNnhNb1d5 + UitGNFliTDliZUdCSVBPRUVEWDc1Skw3N2xvCkFoL01DL2ZmWHhoMHV4TGdhaFdH + bG9XdUQ4ano4VjRxVTloNnl4OHJ6dkkKLS0tIDJvK2ZjNVhYZ1FkQTVWWjBhSFlt + R1Ixc3pWNFMvUVl0M1NsZ0txRXFMTkkK5aDgbCd13gAfZUrROnwRHgyXvIF67o1W + EzEFyhWatq2KKzv6VoJSFnvEx5lMPSs0LLvOK2qgrsz0jWdy6yUkAg== -----END AGE ENCRYPTED FILE----- - - recipient: age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k + - recipient: age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbDZaYjRTTDc0SFU2U2xQ - cUhESStvKzM5Z0QyZlJldURtRUJZTHhvNEFrCmxReGJ6MU9qdkh6UFVPYmRuQThs - VmVCMTQwc0xkR0gzemlSUVlnN0NCZE0KLS0tIDFtK041ZlF4VFBreHVacitSVEN5 - WXg4UkJtU2dTR3ZjeFYzR3lRODhLYzgKrO+NtT0Q3K8FgDwW0WiZJOUHwkEz+wp8 - lgBkXy2QJuuJ11f2e9ZJ3hx1xgOm6SMBmgl3zQVfVpq88yZE8uDe2Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc3BSNVdqSTNYZSt4c05K + TnpuYXF1L2lzQkdZOS9uUnA5aUpGTldWZVQ0CkZvN2hubmwvUW5xUWhtaE0xMzlp + U3dpRHlmdU5UVG1nTS9XUVpTSjdQQ00KLS0tIC9sWTBOMStOYis1SDhLbjFlVk1F + M2dYNEpmWmxyeXU5S0FuV083NkVaQ3cKXuGyR0YQy+22z2kgM7IPhr0gurWQYczm + FA7C/2hoqb4tyyejomitndBSyxIxnaReO0Apl6JXeTLor8Dpuu42oQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-26T20:00:50Z" mac: 
ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str] pgp: - - created_at: "2025-02-06T12:36:59Z" + - created_at: "2025-02-19T14:34:54Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv8DLbU8OaQmYtAjTPlqeg1nv+/z3gA16MTZjz8rRBqK695 - JaEbWoCJ2Nv5Mnzj7owQSk/+f+Q/d00osr4KOhQWTNoq1442MyWgIXKGPDmHgXv8 - CxFT3hIKMEFFvFtkSdo+HlBSTQJZtHgDSGabd2xd4e45tLnHsPvWQ4ngGn+piUaw - qz5+YIpmFNlnL9ubsB8NivryXlIL6wBXL83FyfAPnY+qG0/7frVWwP1Cejg1CGYl - bOYxgb1uPYIIqvvU9bZ4r46DfojFFGur9pwG/wKGOgIQ867vsXtRnNm6+SJIHeyt - eNqil3tee++V4VVUrDTf+gWufx9YFS/afRgMKuf1pUvQGTBMbUJNhIp+PjpOSBCk - Kk6uyMWrBhiCpAVU9GKFW1AbDBCgUig2sLIUGOrfb+RkzDLX4pEoa9DVVDC2pRVy - F2fjEEbPAZepsPFNbgDyaixv+FeA5oWWiBnA7qO/v8t142UOtqBcexUZjBYYgRmt - c0S+lTk//xEip9wYvY6W0lgBOLqEUEiLg1tw0xvt9H4R9aGNLkCyvUediwuAbfw4 - bGha9PTckYpnKN589xxsDMqbQ0Vn/rxeSzC7RT+qtjUg1gDbDJQTZdYr0+//e0YV - xRvlnfPW9voB - =xqAk + hQGMA5HdvEwzh/H7AQwAkNhF9L1ocTsJRDyIA+0y24gtvRKAZhSRwds2wvTiBkPS + jzse8z4wY2yWz/JbEgqJqeFxJCaE64oc+2dETJIl2IsiRBDlXKfpL4yfRV+P6Ffu + DQfAR57hKIYa9emx+iFGoDMpRSuuLg4EGDoe1tmAu2OwLhKsqJrbL1ak88GB7/ko + gFk02AF/QYuEetc7R0pZPxB6n1HQGBrvqAFrnHEsxw2rR7I4kNYpEzyf0IuGHfB1 + 92WfYtdYSni7cqmTPV+t+k6P1VcJe6GXdlQnHk2pByqC2WrcrP+MtaAMkmWqxU72 + AGarWEV2bnXmBsM5LcOQF6Mbui9tpEBE0O3lMlzUNXoVYHpOczlqdWkqh/y3Ea8V + bnHcaLQ8XubRyccK4JYZ4AIMJVPlVcnXdjZ4VFJwjRzGrllorq4x8L0niv60HV/g + akxsjW1DPnJURNFacT3JYF+PsN+hpj/ma2k8qUTX5wFVJy3Gm0psVYqE5901ivBA + yg7mfiftchDvIeGQR8tE0lgBZrJbf/SjpVdawq7DORFVxkaNeoSAxOkCnqZ5kc7C + w6zfxABWvwz73QM0AqfNzjkyswGk7N/09Zpj4BvjbbYuAfvIdiVVDHRPez/qWjnB + vkt9aLXFepLl + =4LVt -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2025-02-06T12:36:59Z" + - created_at: "2025-02-19T14:34:54Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hQIMA98TrrsQEbXUARAAqGyBZLrJ1UpiJKIbQSTQpKA7bRD7olMczjh0Bx1fTN0U - bctdfIGVvdp5pM1C6xbvubNqAMEisQ1tMVozDkXCnLARTwcaq6lyE9vl3gJ1iF1Z - N8SbxVTYV1SXg3qokyBsZIggQ6gJqAr62Pyoansp4HfwwFwYohwR2zTfHJ8pFkkW - R2FfEI2Gw5nN4GaauIxUGFDPuvvZapCWZ/ejt4s/ezT9cYrwYfu9XIlqsivsi3yp - I03ohKS/pKhxlE7RV2ufRboG+m6TUCnyj5U5AzQa09hkSHd94s9A6M8I6M6zWebv - pdX73sCjWZQdIZoeM5oXcyY/s/h4/w37loOUE/thh1+hIjybAG0CH31nJkjcdcLg - l/fqTLa89JVt37bU9c/hVsx2Bc1cTO7nqhG3kyahkMSLFrsb73yTNn4kOqSKZ7+z - 189oR0EjNySgRt+M20vjKzhPbjxxQTKlpTE0vho6fEHYRmzPQ3IQbVUbPEbZR64I - S+Nk7m95ZV8djaUOwqqU9pwDTvuYIBwhGOY1kefDg1sCCTM8C9RI9sG02HeQpme3 - bgkO+m4khXeiiIrTAODiyM+GCwx6UcwooUSpu8LZJmhiZtfgMsFdGF3P7ngtoOEQ - 4cxP231EI/zoMqRyXYrvAovxXndwghG0LGcCAZZL6mNN2xzE6z1gesVWRjXM8inS - WAFB7DgLTlY43D4QbhkyZfo6XltYe1g1tcJJraG/HICa7hq5BZn48t/BcacCvsrJ - lIkEgOT8gn1SlQbDL+T+3pRNOixGKPNU6Ategoy+Eq0Im3AhE0XO8Ns= - =Uvc2 + hQIMA98TrrsQEbXUARAAmoHJ3i2vABDamIF3Nj6uuawarW+KKjzrIfYvAmWW4fgz + zVAquTl1Oculhv+H4eVuylNUM5kwyCkM/VAxy3KoSNZn6aGZVDuns70r9lbNC1R8 + +diYAIe33rE3h6/Rw74RgOXUgNalONeoBWbIUuG+y9XOIfu7CBoUeGJct4ycYH0h + bn5iI0e4myDldmSc7OYnyruQMYg9OcKBnQPTZl1qzTqpwR6/BnIhWJcItuc3W5rv + aEunQ8lVyNxhGWMDwFucUJ2WbxkOFOFWPrLGXtsUg/I32aCUNR6X/HnYUezqCoSA + SFJAsaPkBr07o5Be5D03m0s5ryktQUdAElyDaz2Sgc58re9mtYKBAf4P4fKD5Zx+ + TJJGr6dmtb28Nxb5mbMroKbTit92NHHatXfz/YrZ1JyCHuINZ5Sq01TGhx6y71Uj + 0Afq3S2la+85UYRsQ5g9q6jM8rBHjm9AdcUkWA1chtn6elAUG8J0B+DUYYwcrMtp + YWFaKNHT09FRn4TcgE50Wgn9lX2RZ03viBbgCvDBLh3fmzl+dU1DsFdwuYmbgOeO + B6SQ2+SF3VVR7vAn4oPKydztCfYmb+38sCQl/FtZdP1RRW150fXtUx7aAzWGsLhq + AObrNp0uMeCBHtpWctwFR1qssfRD3DHkI59MqoGK7ehDtBS6hzayjJp8sTiqCTzS + WAH/vMH2cvGN3q9mr73bBqHBxAL+ANWxrDvQmM4xwbLxET24ULnsC35bn4psWjTN + Y3aQqzhaZdYOki09fLENaYl6BMeIcfBx4qUrgfQKLUNqGV5fvVuXJUc= + =/V5O -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted From 2e0e58b8438da655fd042898962d07b8fdc29b13 Mon Sep 17 00:00:00 2001 
From: kalipso Date: Thu, 20 Feb 2025 15:15:53 +0100 Subject: [PATCH 13/29] [readme] update --- README.md | 75 ++++++------------------------------------------ doc/src/Index.md | 59 +++++++------------------------------ 2 files changed, 19 insertions(+), 115 deletions(-) diff --git a/README.md b/README.md index de736510..0adc90ab 100644 --- a/README.md +++ b/README.md 
@@ -1,44 +1,20 @@ # malobeo infrastructure -this repository nxios configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner. - -the file structure is based on this [blog post](https://samleathers.com/posts/2022-02-03-my-new-network-and-deploy-rs.html) - -## hosts - -#### durruti -- nixos-container running on dedicated hetzner server -- login via ```ssh -p 222 malobeo@dynamicdiscord.de``` -- if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db``` -- currently is running tasklist in detached tmux session - - [x] make module with systemd service out of that - -## creating a new host - -### setting up filesystem -currently nixos offers no declarative way of setting up filesystems and partitions. that means this has to be done manually for every new host. [to make it as easy as possible we can use this guide to setup an encrypted zfs filesystem](https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/Root%20on%20ZFS.html) - -*we could create a shell script out of that* +this repository contains nixos configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner. ### deploying configuration -#### local deployment -``` shell -nixos-rebuild switch --use-remote-sudo -``` +hosts are deployed automatically from master. The [hydra build server](https://hydra.dynamicdiscord.de/jobset/malobeo/infrastructure) will build new commits and on success, hosts will periodically pull those changes. +Big changes (like updating flake lock) could be commited to the staging branch first. [Hydra builds staging seperate](https://hydra.dynamicdiscord.de/jobset/malobeo/staging), and on success you can merge into master. 
-#### remote deployment +### deploy fresh host +if you want to deploy a completly new host refer to [docs](https://docs.malobeo.org/anleitung/create.html) -you need the hostname and ip address of the host: -``` shell - nixos-rebuild switch --flake .# --target-host root@ --build-host localhost -``` - -in this case 'localhost' is used as buildhost which can be usefull if the target host is low systemresources +### testing configuration +refer to https://docs.malobeo.org/anleitung/microvm.html#testing-microvms-locally ## development - ### requirements we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf* ``` nix 
@@ -55,46 +31,13 @@ a development shell with the correct environment can be created by running ```ni If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration) ### build a configuration - to build a configuration run the following command (replace `````` with the actual hostname): ``` shell nix build .#nixosConfigurations..config.system.build.toplevel ``` -### building raspberry image - -for the raspberry it is possible to build the whole configuration as an sd-card image which then can be flashed directly. more information about building arm on nixos can be found [here](https://nixos.wiki/wiki/NixOS_on_ARM). - -to be able to build the image you need to enable qemu emulation on the machine you are building with. therefore it is necessary to add the following to your configuration.nix: - -``` nix -boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -``` - -then you can build the image with: - -``` shell -nix build .#nixosConfigurations.rpi1_base_image.config.system.build.sdImage -``` - -### run a configuration as vm - -to run a vm we have to build it first using the following command (replace `````` with the actual hostname): - -``` shell -nix build .#nixosConfigurations..config.system.build.vm -``` - -afterwards run the following command to start the vm: - -``` shell -./result/bin/run--vm -``` - ### documentation -for documentation we currently just use README.md files. - -the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser. -the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```. +documentation is automatically build from master and can be found here: docs.malobeo.org +locally you can run documentation using ```nix run .#docs``` or ```nix run .#docsDev``` 
diff --git a/doc/src/Index.md b/doc/src/Index.md index 104fd5b7..0adc90ab 100644 --- a/doc/src/Index.md +++ b/doc/src/Index.md @@ -1,26 +1,20 @@ # malobeo infrastructure -this repository nxios configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner. - -the file structure is based on this [blog post](https://samleathers.com/posts/2022-02-03-my-new-network-and-deploy-rs.html) +this repository contains nixos configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner. ### deploying configuration -#### local deployment -``` shell -nixos-rebuild switch --use-remote-sudo -``` -#### remote deployment -you need the hostname and ip address of the host: -``` shell - nixos-rebuild switch --flake .# --target-host root@ --build-host localhost -``` +hosts are deployed automatically from master. The [hydra build server](https://hydra.dynamicdiscord.de/jobset/malobeo/infrastructure) will build new commits and on success, hosts will periodically pull those changes. +Big changes (like updating flake lock) could be commited to the staging branch first. [Hydra builds staging seperate](https://hydra.dynamicdiscord.de/jobset/malobeo/staging), and on success you can merge into master. -in this case 'localhost' is used as buildhost which can be usefull if the target host is low systemresources +### deploy fresh host +if you want to deploy a completly new host refer to [docs](https://docs.malobeo.org/anleitung/create.html) +### testing configuration + +refer to https://docs.malobeo.org/anleitung/microvm.html#testing-microvms-locally ## development - ### requirements we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf* ``` nix 
@@ -37,46 +31,13 @@ a development shell with the correct environment can be created by running ```ni If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration) ### build a configuration - to build a configuration run the following command (replace `````` with the actual hostname): ``` shell nix build .#nixosConfigurations..config.system.build.toplevel ``` -### building raspberry image - -for the raspberry it is possible to build the whole configuration as an sd-card image which then can be flashed directly. more information about building arm on nixos can be found [here](https://nixos.wiki/wiki/NixOS_on_ARM). - -to be able to build the image you need to enable qemu emulation on the machine you are building with. therefore it is necessary to add the following to your configuration.nix: - -``` nix -boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -``` - -then you can build the image with: - -``` shell -nix build .#nixosConfigurations.rpi1_base_image.config.system.build.sdImage -``` - -### run a configuration as vm - -to run a vm we have to build it first using the following command (replace `````` with the actual hostname): - -``` shell -nix build .#nixosConfigurations..config.system.build.vm -``` - -afterwards run the following command to start the vm: - -``` shell -./result/bin/run--vm -``` - ### documentation -for documentation we currently just use README.md files. - -the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser. -the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```. +documentation is automatically build from master and can be found here: docs.malobeo.org +locally you can run documentation using ```nix run .#docs``` or ```nix run .#docsDev``` 
From 3a4a1500c076b41912e70aa275fc8edcc753e5c7 Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 11 Feb 2025 18:00:43 +0100 Subject: [PATCH 14/29] [nixpkgs] update --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index dcad527e..9d209603 100644 --- a/flake.lock +++ b/flake.lock @@ -109,11 +109,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1736905611, - "narHash": "sha256-eW6SfZRaOnOybBzhvEzu3iRL8IhwE0ETxUpnkErlqkE=", + "lastModified": 1739104176, + "narHash": "sha256-bNvtud2PUcbYM0i5Uq1v01Dcgq7RuhVKfjaSKkW2KRI=", "owner": "astro", "repo": "microvm.nix", - "rev": "a18d7ba1bb7fd4841191044ca7a7f895ef2adf3b", + "rev": "d3a9b7504d420a1ffd7c83c1bb8fe57deaf939d2", "type": "github" }, "original": { @@ -160,11 +160,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1736978406, - "narHash": "sha256-oMr3PVIQ8XPDI8/x6BHxsWEPBRU98Pam6KGVwUh8MPk=", + "lastModified": 1738816619, + "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "b678606690027913f3434dea3864e712b862dde5", + "rev": "2eccff41bab80839b1d25b303b53d339fbb07087", "type": "github" }, "original": { @@ -192,11 +192,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1737062831, - "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=", + "lastModified": 1739020877, + "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c", + "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547", "type": "github" }, "original": { 
@@ -208,11 +208,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1736916166, - "narHash": "sha256-puPDoVKxkuNmYIGMpMQiK8bEjaACcCksolsG36gdaNQ=", + "lastModified": 1739206421, + "narHash": "sha256-PwQASeL2cGVmrtQYlrBur0U20Xy07uSWVnFup2PHnDs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e24b4c09e963677b1beea49d411cd315a024ad3a", + "rev": "44534bc021b85c8d78e465021e21f33b856e2540", "type": "github" }, "original": { @@ -245,11 +245,11 @@ ] }, "locked": { - "lastModified": 1737107480, - "narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=", + "lastModified": 1739262228, + "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6", + "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975", "type": "github" }, "original": { From 03d7816617379d5e223af08b0e2ded46c047d12e Mon Sep 17 00:00:00 2001 From: ahtlon Date: Wed, 12 Feb 2025 19:21:44 +0100 Subject: [PATCH 15/29] Add keepass db for hostkeys etc --- machines/secrets/keys/itag.kdbx | Bin 0 -> 1589 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 machines/secrets/keys/itag.kdbx 
diff --git a/machines/secrets/keys/itag.kdbx b/machines/secrets/keys/itag.kdbx new file mode 100644 index 0000000000000000000000000000000000000000..1669d73b7b0916bfc99a93c566785485e596fb70 GIT binary patch literal 1589 zcmZR+xoB4UZ||)P3@i*x0t^fch6g`A+h6D$urGpDG3!s%e`Xd21_nk31_l-d1_p-h z4@Cc@r+hYEyWCt0c|J6s^SlDqc-$wqkI*XcD za(6R;%y435U|>)Q4fS*ZDSDrrd%s81#e3rSl}nf(bMdf(?C|7ZU|>jL0x4%;0E_s7 zL_oHK#8^OT0zeLuU|?Wy0`Y=DuCm^{AZNGwZuPnbd;bUP7}%dzygK^b>Rg}c{L+AP zHvcQY`oci^gh9qIfLOd-yj&$R&-l_=KhE)HbiR?Z$fUd33GxD zF5aeY+%KZEZNbwME$MeRurM&Jdm=0sSta;z;+y}o?8Pog#0gL9RJNGqrD@J_=+Y0K zD9b-Q!k+Vd%B-$iT`#*+b5(g#vC579)QhIi*i&MyR5u3v&Ds+wviH$h@rb|=$IPxy zuC99Z?Q3zvbFa0o2b#A#?whpi^pVHH$zj*T*FVZyAl+Qe`{Me)$5~9ynTPqk%*AfC zZu|MC?#W539cM%?2TTl7OXw?fslNH0wO+oob-G{q_j|>w(-L_?e{SMPxURh?4?6~2LvWgGPpD0nCRS_OLaWvepJx3>nxWwFWe&?xLEz*M`^~M z@UW`}M{hkc*WGKdoWvCPTU6X|(_Sf?mGd|!yiD_OxY)Kt z#j)?mr;KB(Zh0p#wXXIHytuw0cH))gyhi;`4<&21X&?B1YRid#F87XB$8KBf@YV3p z4h8=c|9CTd=07=NHJk0hqgQ_gyfk#V-0nYFFtw*IRb%RdT2aAn&AXP-E-l4Z+Jn$f>TRUw-<6An4NQQ&Z684UfgO18l?;~JiGF0pU9T{`9Gq= zJWiKB)8E3fs>Nb!SeV=r<279iKEFA#WkdArOZ_Feep_}Hx=L-CXL~p@WPwv@!oCOJ zlO8cOf0lpo@rmkzr6%dOx+Qe7Ivx3Y1$?$#k@DH{)%wSAw)U_Kub*0W=szpJ#Teks z`}^^RiY1m?W_)T>=YINXuc>a&@eLW$U+)$Fil1;UNa$w7{Ea+wnKr#!#r>x2WuW30 z)$4JL4%27J+8gp75i~!!?GQ^#{pw21R1(%b}Ab3hFm_67T->z83d{+m%P(B)#GGP1bwM;S+miVNl}o zi3bhrxMzL3es*t@Z-nZUwOe#HN?p*kpB*X7Rkb+tTi`pV9a-F*{U5Gb{0m>MA}^II zp?!1FInCpFr}&Fc=E>O`o|?^b`r)0szt8HLH`TmdB9V1>%Dx}`cWMK>Q@ABKg{y0d z7G9vIi^KzO(EOXXiL-y(2^E>+->aBcjs`70(u4Hx2{h~7Se71|~?#p{O zzff>5(|htD=INu&Kdk;6o6K^a+8?G@-0%L{>b$Vz#*dA`Z(Vnm3+;2m^&dw z!t__aU+gIjL7jUgH@0X`tycZ3czTJ?bpMyZ+U$X6we|#NH#|FQb09}H#7Csl{+l+^gn;znLTsL#?yOW c&J@W0z;pP Date: Wed, 12 Feb 2025 19:30:10 +0100 Subject: [PATCH 16/29] Add script for creating new hosts --- outputs.nix | 2 + scripts/add_new_host_keys.sh | 76 ++++++++++++++++++++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100755 scripts/add_new_host_keys.sh 
diff --git a/outputs.nix b/outputs.nix index c8dac173..1947971f 100644 --- a/outputs.nix +++ b/outputs.nix @@ -39,6 +39,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems pkgs.age pkgs.python310Packages.grip pkgs.mdbook + pkgs.keepassxc microvmpkg.microvm ]; @@ -49,6 +50,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems legacyPackages = { scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh); scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh); + scripts.add-host-keys = pkgs.writeShellScriptBin "add-host-keys" (builtins.readFile ./scripts/add_new_host_keys.sh); scripts.run-vm = self.packages.${system}.run-vm; }; diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh new file mode 100755 index 00000000..f2b09f1e --- /dev/null +++ b/scripts/add_new_host_keys.sh 
@@ -0,0 +1,76 @@ +set -o errexit +set -o pipefail + +dbpath="./machines/secrets/keys/itag.kdbx" + +if [ ! -e flake.nix ] + then + echo "flake.nix not found. Searching down." + while [ ! -e flake.nix ] + do + if [ $PWD = "/" ] + then + echo "Found root. Aborting." + exit 1 + else + cd .. + fi + done +fi + +if [ "$1" = "list" ]; then + read -sp "Enter password for keepassxc: " pw + echo "$pw" | keepassxc-cli ls -R $dbpath hosts + exit 0 + +elif [ "$1" = "add" ]; then + read -p "Enter new host name: " host + read -sp "Enter password for keepassxc: " pw + + # Create a temporary directory + temp=$(mktemp -d) + + # Function to cleanup temporary directory on exit + cleanup() { + rm -rf "$temp" + } + trap cleanup EXIT + + # Generate SSH keys + ssh-keygen -f $temp/"$host" -t ed25519 -N "" + ssh-keygen -f $temp/"$host"-init -t ed25519 -N "" + + ls $temp + + # add folder + echo "$pw" | keepassxc-cli mkdir $dbpath hosts/$host + + # add entries + echo "$pw" | keepassxc-cli add $dbpath hosts/$host/sshkey + echo "$pw" | keepassxc-cli add $dbpath hosts/$host/sshkey-init + echo "$pw" | keepassxc-cli add -glUn -L 20 $dbpath hosts/$host/encryption + + # Import keys + echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey private "$temp/$host" + echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey public "$temp/$host.pub" + + # Import init keys + echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init private "$temp/$host-init" + echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init public "$temp/$host-init.pub" + + # Show entries + echo "$pw" | keepassxc-cli show -a Title --show-attachments $dbpath hosts/$host/sshkey + echo "$pw" | keepassxc-cli show -a Title --show-attachments $dbpath hosts/$host/sshkey-init + + # Create mac-address + echo "Hier ist eine reproduzierbare mac-addresse:" + echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' + + exit 0 + +else + echo + echo "Add 
a new host to the DB and generate ssh keys and encryption key." + echo "Usage: $0 [list|add]" + exit 1 +fi \ No newline at end of file From 2a873b22fd28fde62822a3297e96acc1a775c057 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Wed, 12 Feb 2025 20:07:27 +0100 Subject: [PATCH 17/29] Add age info after creation --- outputs.nix | 1 + scripts/add_new_host_keys.sh | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/outputs.nix b/outputs.nix index 1947971f..199470a9 100644 --- a/outputs.nix +++ b/outputs.nix @@ -40,6 +40,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems pkgs.python310Packages.grip pkgs.mdbook pkgs.keepassxc + pkgs.ssh-to-age microvmpkg.microvm ]; diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh index f2b09f1e..0a4600e6 100755 --- a/scripts/add_new_host_keys.sh +++ b/scripts/add_new_host_keys.sh @@ -58,11 +58,13 @@ elif [ "$1" = "add" ]; then echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init private "$temp/$host-init" echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init public "$temp/$host-init.pub" - # Show entries - echo "$pw" | keepassxc-cli show -a Title --show-attachments $dbpath hosts/$host/sshkey - echo "$pw" | keepassxc-cli show -a Title --show-attachments $dbpath hosts/$host/sshkey-init - # Create mac-address + + # Info + echo + echo "Hier ist der age public key für sops etc:" + echo "$(ssh-to-age -i $temp/$host.pub)" + echo echo "Hier ist eine reproduzierbare mac-addresse:" echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' From ff53ef63834402410243748b8adfa338adf3a53c Mon Sep 17 00:00:00 2001 
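Review bot: The KeePassXC password is fed to every `keepassxc-cli` call with `echo "$pw"`, which mangles a password that begins with `-n`/`-e` (or, with `xpg_echo`, contains backslashes); use `printf '%s\n' "$pw" | keepassxc-cli …` in both the `list` and the `add` branch. The host name from `read -p` is used unvalidated as a KeePass group path (`hosts/$host`) and as a file name under `$temp`, so an empty name or one containing `/` silently creates entries or files in the wrong place; a guard right after the prompt such as `case "$host" in ''|*/*|*[![:alnum:]_-]*) echo "invalid host name" >&2; exit 1;; esac` rejects that. `$dbpath`, `$temp` and `$PWD` are unquoted in several places (`keepassxc-cli ls -R $dbpath hosts`, `ssh-keygen -f $temp/"$host"`, `[ $PWD = "/" ]`), which breaks on paths containing spaces. The `ls $temp` line reads like leftover debugging output and can be dropped.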
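Review bot: The `# Create mac-address` comment survives on the new side but now sits above a blank line and the `# Info` block that prints the age key, while the `md5sum` line it described is several lines further down; either delete it or move it directly above `echo "$host"|md5sum|…`. `echo "$(ssh-to-age -i $temp/$host.pub)"` adds nothing over the plain command and leaves the path unquoted — `ssh-to-age -i "$temp/$host.pub"` prints the same key. The enclosing `elif [ "$1" = "add" ]` branch starts and ends outside this hunk.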
From: ahtlon Date: Wed, 12 Feb 2025 20:08:57 +0100 Subject: [PATCH 18/29] move fanny to db --- machines/.sops.yaml | 7 ------- machines/fanny/disk.key | 31 ------------------------------- machines/secrets/keys/itag.kdbx | Bin 1589 -> 3541 bytes 3 files changed, 38 deletions(-) delete mode 100644 machines/fanny/disk.key diff --git a/machines/.sops.yaml b/machines/.sops.yaml index c919312f..10aa66e4 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -73,13 +73,6 @@ creation_rules: - *admin_kalipso_dsktp age: - *admin_atlan - - path_regex: fanny/disk.key - key_groups: - - pgp: - - *admin_kalipso - - *admin_kalipso_dsktp - age: - - *admin_atlan - path_regex: bakunin/disk.key key_groups: - pgp: diff --git a/machines/fanny/disk.key b/machines/fanny/disk.key deleted file mode 100644 index 7a30f5e9..00000000 --- a/machines/fanny/disk.key +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:1I8fN241VOaW4GaNUe/OVr+1HQKmtYL1GSuIfsE=,iv:aHdgEUj5QhusEavG9mVgtTQ4uqLJD2ozQ/kVVtFakYY=,tag:JJUbt4kgpa4hVD3HjLXGOg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUGpORk5zWXU1OVpqc2hT\nVW5PYlNLT3lKQVpTdCtMT1M3YlZ3Uno5bVJjCkJXR3I2Y3lDT0dJNThCcDN1NXYr\nK3VucjRKU0dac3BtQmV5ZFdrZXkrS1EKLS0tIGRGMGxDM0ZGbzVPTnJQK01GS3VW\nRHpJQWZLU1lrRS9ScXM0L0dyTjhGTGsKJEYq5vKxxYBAgkqUEkBwESur0reNIDPb\nK3rtflNi3dUYYZdLFNFV5rQX5q8aDnM6fO/zYPkzfBn7Ewq3jbBIIg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-01-05T19:35:48Z", - "mac": "ENC[AES256_GCM,data:z7elJ0+3r0bWc/H6h4rI36xC7Uj0NS04VssjPDNVZM17LeN4ansSOfcOKPaUMziV/z5Aq8RVLROR+FImzxBZGaZm37frCoN1OP3WjeDnP6AsoY9dY+S/aYmErVEsQEIi8T4RAdQP2c3BUt1oKZ9Nki2pu3IBRabBlFhaTI0bspc=,iv:8Nn8r9ancHwBJOaJSsv8Vj3s+d0UvRmKIeCDNzx1qRg=,tag:BSO2yu70H2wjen3BCGC4Gw==,type:str]", - "pgp": [ - { - "created_at": "2025-01-05T19:32:11Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+JpNwP+BLJf4+0pSr17TToviCo0yWmcaP1dIUqClBSoDO\nI3ZzqHdImAj4QgExif2zsuzz1+WC+sjvFqEmX5pBKza/e30qCZirkelz9mzc0mhG\nLhTzfhqC6fLbV5f+pDp6N40ommu+LX1pIz6nViCUjqBdnAkCb+tqLU4eQJQqVmlz\n7BToLsvYomPK1nJ6f4rt1nTR9wkBI68AYM/K0SgCJXjwj1LpZ/+3yElkiCqZ9uZB\n1jrDKX+QPySlZ7OERL70UT7Eh8DTUNzFnozvliBnyxe00wwiiucCgrC94TmaKCmh\ni/FOdS6Izm3QwcWB0eMCX6GQBvlUWpjSz5xF4+YODJe9tGNz/sNxpk6B8xG5NuG2\n61nohMHoml6X3Z9dOwu/Svl+eS8SV/r278W/F9miE8YeayyLlPxHF3DXjd6WeDhZ\n20NExQUJYIRf6w/XQPQZ+E39NkIHxz8v+P29ncmSsRPWS6d2MK0Yj+UW0vT0u1vJ\n+lAs24xYofbu5tmBbnK10lgBrZMXDJM2nQbKMKSkVVjzbzmOe5jzMBxuWLX+ykeI\npaj32wQDWvfBqLPH1Kwvy5nqHvy375jPZ7RTzT7W0d4jKQf7xapbi4CEepHHfxCF\nD0HIEi8RUlXJ\n=KVUJ\n-----END PGP MESSAGE-----", - "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" - }, - { - "created_at": 
"2025-01-05T19:32:11Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUARAAqowFMavIniFheNvt03EH1iEn64xNmExotYcDt2L0bR39\nXQdLvg7cJ/Jh7EuZ44mHTs21mpbYIlygMs6kimqQ8iO30vGTEcn5bt/eUEoGHciM\nYVHktWNR81ZgjvKCcmTUK3ld+DMKmg2BABr4auUOYLu4ToSnFb1fv+fvZG0D3iQs\nm6LJuafH+4utM16Vnkp9+ziY/ieMPYfbOFuSFq0UWxGK9P+koSYVGnYhH55Lksyf\nBb/esEGCY671/Jl/qHw8so4TELeRsW/v/xAcNqbE1Msdeas7WJy/B6WqXQgK/Y+J\nPsyZ2XHKhPRitN77/eDJXVBi0mKBTE/RCzDzMYxKA7IQm28v8+u+wpdCajewnyF4\ns2HACaYs/TWRpIUzqxRlznc0nMpk8xUaeVb0N7nrtSDEBF8ETOGOcPk1AmdKMR4M\nsy0vu+K2oJ9L7e/o1ntpejKHN7t2Lzq+CvszBYKmyw/KgxeqY0hx4cJTUDsdgLjI\nMTrs6bySVXDyRaw3rHo7OvA+5c8dLfnWJd1R78nZTx89CYCvjJeMo7PNvN6C9HxK\nJoCOCnZo6a3j4NqJvXD5GNqGSP6m1lqBRWYQUIhWaOfz8aTY1Z3EXX0/4tv5C+A/\nknhc694ujtmBXio4XgDIrSz3jr9G8+ZLvig88xV12HTJfsatypQdHVIZj08EeR/S\nWAG872Q/DVD/aDmhaOlq/o/QBoEyrnJdkRHT9NX8iBboQ81wezfJxWUWlWyHaXVq\n5YBLFQvQAZLz3h05EBkMOiS2dHUa8OnNImj8txnCePAlcUdv7LIVxHA=\n=9APA\n-----END PGP MESSAGE-----", - "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.9.2" - } -} \ No newline at end of file 
diff --git a/machines/secrets/keys/itag.kdbx b/machines/secrets/keys/itag.kdbx index 1669d73b7b0916bfc99a93c566785485e596fb70..be8a3e1bfa4adb36809734be1ea36a47e7eeaa37 100644 GIT binary patch delta 3464 zcmdnWb5)v?`R1Zo>A$_VGEU@FGktsQy8F?B>$j_GO??jc2u5zZWNIdxsc?U#$=5hR zv;G6@0t^fcKk|g`hTHeMyNG1$PS#x)JTb+9kzwLgrFs?y1_mca1_p*;1qKF&`GuS@ zC!L%7`mT4?wgd)h{B^K)dmzYspz_69!Kj3yP8N{LFpwT$1`q(Tc)57F(sO4|xy{<` zyUXU;_syIegPt8~)QghY&KS78d7hU|zU8f1OblTflIi}6Gg(Ua{GI$E_Vkjd&Y3rZlU1^vr%o1qDYF6Re zbGb45lU9FOaZ8o|wO2I-*S@+=xTW&w{HeQUDtF=oE-zpHIZ?lE>-q&v(@Va~E-{&N zKH#_Xnd?VvW8Fm3rM%0nD4Y z&&>Y(!~FwC%$Gg&hM$FnpDjEjSd(0&^;OeSNY1WvUVdeydkWwC=iI4$aSz_q%sy`V z?$*gO@0ym0?mv95EB-{-uifWse75hKIc<4v^WXaka}Fky-)vQ6GO6AC*O_U;*6>aJ z%R-#OWCwC2 zw>_y@&CJ3clRjC%JLb_DqXtd`&)*Ylv!mT+_$w8c@5<)boZMdHb^qk0D(mjRY5xoV zwJFsZ+*oa~@NT}SZ?OID14b{}#V5|N_qb$o`p4?czqEd)td0l~6Jk6!?{?$CS@lxx z4;Lg~G50n})5}~q?b*hfx^*216YFO=v$1j9DO($DIO*xU?N$>G>1ik~{QodUWA=2v zJ=)bzDo#VVdg{Q>&hswR9zi&L>XO&;S;LWzR zTuKa&9Qegt5g;Xg&|r>ZV{-)i5= zQ=jqq&&R2Ji_CR&{DrxKR@@ePT(sfBJgtL1)0Cc{ncMYQPxR<}_cvCy=lW$8+yZQS zT&M30Yg%=y<<-Kx7xP87N`5=}bKzyx3cGIUm%TH*)>U7wIq;F)-(qWJ_2wJjG}c^n zd2Gg0Hetb!*Y&?*9A3CQI+xC6VVS=)tuxni&aJNS`a7?lFYhlAjXtt?>DCjvTKsdA z)K==L&8-!RcbT^3vgd(?f~v)CU-Ku<+_1Ha`A_W8Mf%bPA1aIDT}6Lj2PFMhMPQ&8|l}$e{cM?WB0X%vO6vnG45OO;bfe~>$4_yY_cna zQ+|ji6<0p2E&P#Ezrjpgp5xCPwXZBSR(Gl%B%VDriRsN(%Lu{QcLVm+$9^hL2sJn0 zc(C)0U*yk^-xl^vzPUE)%#K_4L@WLq?+KmxXjb(b=fajl^`cX6&xyFzAe$-?IVZFJ z!-2~NpXEQO`Fmw*2nI65mZ&Ht9X<7}v#?~cq;j} zcvYi&2OpX%>hDpT=z4nU+%*T^#Pm1ZIpF-Btt&Ne=c--Gy&qydw8g%?ELtpeLiy9_faNwJGk3K8>W{ze~NZNSgd%c|m%^4m?jXpQm5HFLdv4UN;?H2&9mWwn*Q&T5uTPs@s1 zbGSK~uRDd8*{FNfWA@u$y?5Fa8t$+ZoD%2s(CtC}R~=Q88Al%Yu9A8yx>ahQ{?$DX z1;6Z(|Go103H=04X18kYiFe(u@vN=T-)O?~N!Frrh1TQ~oZp^IcikfPsBY_ab)kM| zxy2Rdcg=a-FrB4}S#6#AJI$K5J6V;P542~$)Ob|1H`w(|rud&-k07oUkLUDV zm&L9hwq-2(u=i~JjLD0Fg-;1D=sufw<|B`a$!ZO|beC<++deo>-TCQZORKMX%B|o7 zY0;j{lJAUH)~{@jw_&l}HGRE$%KY+xtl!sWKIB?p-&3@dPyYVRxLZx0HyGZm@42p- z_y70a 
zZ!*_#SbNsUji0yl+xcZu7gcSq)pJi02x6|>rWk9jt@Yzp6M`(aEED6Z3tM-4sckM(kvXIF(Zg_Zb6!2D`abkzXY|VLOJ_FC|FGBbY37r_iswH)5`Cw2$NDQyi>i>h*}5$vT!&k3 zf=Axuc%BniCOq4C=h3BGJuG=yZ;n~+o+0LUsa`Q;M!@v%%qQ00-S&RcpW56NU5DSY z{fRobSKsygHck_+x9=YJS0(m-k=Km9cEpN7iYYhOh4u9F-8ZXerYN5;dw4LFDP{4? zyt#AO6?W~L#ymMC*tonSAz9(Y%`1(mWf99>Rc_X-dvU<-_3hUOY8T&LGTX^5-C*vO z4O{%;CuV-$RR8_K$tOD>O3wAlUAjuxrdzu8xYduRZ7H1vvs482Co0MOdZ|!aV%8Iy zYZnmGwRmw3+k3Z%{YG zW-^&n2L1PY&6~#Y_8p(hw+$=OzkfN9v@1pG&Z-*Y0Mpb+=EJ$0%THe{Rh3$>fUhVy zukoaP_Kv91W!KC1Zc))G`?1U3a?|=c){4dHAL`aKyj+oceA|`YZq>sclAHEw*E3$& zczJh>?h%=v^P9ith4ibpEZZx8`X!6czm=}r_}A^Zd4X$QWx_@$hgVLwau=*HnYlKU z;po-ZhXQij?yZiRz4dedwhw8M+80i~ewzAYb4*G8JJ;MD_YQOWo4t<;aA@dXbNlT| z<5bs4c_zPhxwIdvQmDA9eACyBj`OT(LdE{lBCct5kvV$+<| z+4r1$lUa9`-LrZrx8&**r+StjXRE6Z?a{I96v=iIn)FBM=l?JF|GeUs`sC>F!Njxe zfJgb<1a;o}RzKD`lg_UXeJgSCkOu#Yrr&y7y<$JD*m>_|-R@J@4b~^*iKuVf)bik$ z@UbTqEBE$HOCuBUnUl7eMI=~qHZ27Zo?}Qc! zw7sfq|D;uWAn~}6&Vj^j3)|M6DhOJ=!@ke`c>I~moma0YF0!r{{yanH-SeiP3bs}3 z7Fl9_+d2-${7_X^>Ur?Xs_@4F9iyhUYm20qQ>^lzU;U)?u*LP|XZzPPtA8DLOFJo( zCiW?AJLjdfarwMoe&5Xd$&ePkt(d7w{_L82+wDF%m_-&WRJV>hYvb*;p0_D7^zUTG z*&Eh|T{gd*yZAKkt+`tttJlvm%xG(^c4E)!)@S~3g`xMg4|BokyLT&e4+t~8lo$0r zz_wsVdZpIOOq&^O8Cwk%9=)i(scq`x8R_bFjc40dMeUN0lV|IHILo5F`hJ+E_IpF) zTl*LS{j%<}ytLAvsd49gc=K`7*EeK;Hw@ G^8o-0pRo4; delta 1497 zcmcaAy_JWP`R1Zo>A$_VGEC%DGu{3`^iO*F_ZJb8vzV8fAA6sg#8+&#SXrAhYD%IW zZ|OmH0R{#J{jWaS#=?$s`8M*O)mhZMa$<@BBh$pGO7#*93=B?;3=9mx3JeSk)_WJ^ z>{j2cUe{pn|6m;h`}2xdN55O0>oc8S8gS0$e+3IjWf%(s1A{OF2!L3;T)bQ*GSB$Z zSwGJ4W^}%hv&ql!>$#KHe{C(7J9%S&#otah%QzK@-t4yT+5IVB`6u_g)U`g0OVn7? 
z@#KBI-yL1v`wvUzEzeX;dfYIlr~k?1itPz=f(|a;rf%FXqO@(n(-SS}cQ>#wFsyqb zEEicN_;BKz|Fi7HE=j}*PwP~+nB}Eu&T;6{51uH?KRm*o^L)yzu3KF%yHj&jc~Y^; zjsDb&rq9?@Vy#p+2K>$16DhLy(OL0`zz@gFu1>D5dR71JYjMMKueGiRnzuXdo3!lo zk;lTxVb{dhKgwDl-CWK4;`+bGSxnBEhxxtC#cs83`}wEt$w{jnXGAUsObk*>=qq%o zzWJTCUcR(-x?lPCd&R5M5_v*@ZsJI|uDvJZ=$^f+=Vsi`)O>KG@Ze$Th`!AS1SU>0 zxHI9H=-iu2bv)*NRH)aq>nxWwFWe&?xLEz*M`^~M@UW`}M{hkc*WGKdoWvCPTU6X|(_Sf?mGd|!yiD_OxY)Kt#j)?mr;KB(Zh0p#wXXIHytuw0 zcH))gyhi;`4<&21X&?B1YRid#F87XB$8KBf@YV3p4h8=c|9CTd=07=NRX>~U!J}7y z1-vwLx!mqQSunMyFI8jegIZC+Zq2)v(~I{``5zcoQ}ZP)Rqn~j6+g`N#f)O5lZ#{) zK8)Nx`KQm^^L2J_u3n$}g!f62>O+zDD)HAoPMW#v#JVdr&4=W@9{BO9DsBA!BgX33 zEWvGiN-O&>Y+4X?XTpMgZ~Bh$JvsPzR(ULHMmX!|POLg|}_KCy29 z)v2!|8Jl_b-?Swx$>DGFeXrhoJ#EL9@~ekq10R33ie1&Dljq%Y;d^g*LBWDkOH#KN zavqqSb8yb0+zVdZY6csUCpzmJ#)dq*@@k*Rmi+lYqQg8+mp;?q!m_HxVry8K+!Et8 zT?;qYe)?*! zscz5l4H?p3?-l=wpKvZn=w`(HjXZOiHoaTL{if_?pyC(R`s;Cw4%27J+8gp75i~!! z?GQ^#{pw21R1(%b}Ab3hFm_67T->z83d{+m%P(B)#GGP1bwM;S+miVNl}oi3bhrxMzL3es*t@Z-nZU zwOe#HN?p*kpB*X7RkgT2^IPCMryW_`oc$lJS^NuMt|Bj$E1`XJ(K*fId8hb`Pv*(l z8=jiYbNb<(yT8xsnm5(FT_TZncgnsW{C8>tyHmI&IEAZgisW~0H-2vLr@m9f^038 z{u`Uja-P~BrdQnW{@Uuiu;j*%jlpkScb4SWD8K1`%p#aOAw|OUSHEBEDGfoLdnGrv zXiu$H{i}F-iO+QZm%-ZXfoHY$1ZFqXKRau4AV+Riutzqh(6grp^kc*)9zI_XDgDHk z_0X9Vl~jWp98TfA`@W{zwm$5RjST8#TXXe7xwT@&W3TL$!cED7pUe6(4fo%k_>=ux z?xl7yWud5+f>nw-hwpmLH Date: Fri, 14 Feb 2025 07:10:09 +0100 Subject: [PATCH 19/29] Change install script to use db --- scripts/remote-install-encrypt.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh index 277f5194..f0553c2f 100755 --- a/scripts/remote-install-encrypt.sh +++ b/scripts/remote-install-encrypt.sh @@ -25,6 +25,9 @@ fi hostname=$1 ipaddress=$2 +dbpath="./machines/secrets/keys/itag.kdbx" +read -sp "Enter password for keepassxc: " pw + # Create a temporary directory temp=$(mktemp -d) 
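Review bot: `dbpath="./machines/secrets/keys/itag.kdbx"` is relative to the caller's working directory, so the later `keepassxc-cli` calls fail unless the script is started from the repository root; the sibling `add_new_host_keys.sh` walks up to `flake.nix` before using the same path, and nothing in this hunk shows remote-install doing the same (it may happen earlier in the file, which I cannot see). A cheap guard after the assignment makes the failure mode explicit: `[ -r "$dbpath" ] || { echo "$dbpath not found; run from the repository root" >&2; exit 1; }`. `read -sp` also suppresses the echo of the typed newline, so the next message is printed on the prompt line; add a bare `echo` after the `read`.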
@@ -39,12 +42,13 @@ trap cleanup EXIT install -d -m755 "$temp/etc/ssh/" install -d -m755 "$temp/root/" -diskKey=$(sops -d machines/$hostname/disk.key) +diskKey=$(echo "$pw" | keepassxc-cli show -a Password $dbpath hosts/$hostname/encryption) echo "$diskKey" > /tmp/secret.key echo "$diskKey" > $temp/root/secret.key -ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N "" -ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N "" +echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey private "$temp/etc/ssh/$hostname" + +echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey-init private "$temp/etc/ssh/initrd" # # Set the correct permissions so sshd will accept the key chmod 600 "$temp/etc/ssh/$hostname" From 67e30370399ea8f8c3eb7333dd85f8142b1235b6 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Sat, 22 Feb 2025 12:36:01 +0100 Subject: [PATCH 20/29] Changed the keepass db to sops in add_new_key script --- machines/.sops.yaml | 7 ++++ scripts/add_new_host_keys.sh | 77 +++++++++++------------------------- 2 files changed, 30 insertions(+), 54 deletions(-) diff --git a/machines/.sops.yaml b/machines/.sops.yaml index 10aa66e4..18617729 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -95,3 +95,10 @@ creation_rules: - *admin_kalipso_dsktp age: - *admin_atlan + - path_regex: secrets/keys/itag/.*/.* + key_groups: + - pgp: + - *admin_kalipso + - *admin_kalipso_dsktp + age: + - *admin_atlan \ No newline at end of file diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh index 0a4600e6..8266d3a4 100755 --- a/scripts/add_new_host_keys.sh +++ b/scripts/add_new_host_keys.sh @@ -1,7 +1,5 @@ set -o errexit -set -o pipefail - -dbpath="./machines/secrets/keys/itag.kdbx" +#set -o pipefail if [ ! -e flake.nix ] then 
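Review bot: An empty `diskKey` is never checked before it is written to `/tmp/secret.key` and `$temp/root/secret.key`; if `keepassxc-cli show` fails (wrong password, missing entry) and the script does not run under `set -o errexit` (its header is outside this hunk), the install proceeds with an empty LUKS passphrase. Add `[ -n "$diskKey" ] || { echo "no disk key found for $hostname" >&2; exit 1; }` directly after the assignment. The two `attachment-export` lines deserve the same treatment, e.g. `[ -s "$temp/etc/ssh/initrd" ] || exit 1`, because an empty key file only surfaces later when the initrd sshd refuses to start. `$dbpath` and `$hostname` are also unquoted on the `show` line while the export lines quote their paths.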
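Review bot: Commenting out `set -o pipefail` makes every remaining pipeline in this script report success regardless of how its earlier stages ended, which is the wrong default for a script that produces private keys. The likely motivation is the `tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20` generator in the following hunk, which exits 141 under pipefail because `tr` receives SIGPIPE once `head` is done. Keep `set -o pipefail` and bound the input instead, e.g. `head -c 256 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 20`, so each stage finishes writing before the last one closes its end of the pipe. If it is disabled deliberately, say so in the comment rather than leaving a bare `#set -o pipefail`.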
@@ -18,61 +16,32 @@ if [ ! -e flake.nix ] done fi -if [ "$1" = "list" ]; then - read -sp "Enter password for keepassxc: " pw - echo "$pw" | keepassxc-cli ls -R $dbpath hosts - exit 0 - -elif [ "$1" = "add" ]; then - read -p "Enter new host name: " host - read -sp "Enter password for keepassxc: " pw +read -p "Enter new host name: " host - # Create a temporary directory - temp=$(mktemp -d) +if [ "$host" = "" ]; then exit 0 +fi - # Function to cleanup temporary directory on exit - cleanup() { - rm -rf "$temp" - } - trap cleanup EXIT +mkdir -p machines/secrets/keys/itag/$host +cd machines/secrets/keys/itag/$host - # Generate SSH keys - ssh-keygen -f $temp/"$host" -t ed25519 -N "" - ssh-keygen -f $temp/"$host"-init -t ed25519 -N "" +# Generate SSH keys +ssh-keygen -f "$host" -t ed25519 -N "" +ssh-keygen -f "$host"-init -t ed25519 -N "" - ls $temp +#encrypt the private keys +sops -e -i ./"$host" +sops -e -i ./"$host"-init - # add folder - echo "$pw" | keepassxc-cli mkdir $dbpath hosts/$host +#generate encryption key +tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > encryption.txt +sops -e -i ./encryption.txt - # add entries - echo "$pw" | keepassxc-cli add $dbpath hosts/$host/sshkey - echo "$pw" | keepassxc-cli add $dbpath hosts/$host/sshkey-init - echo "$pw" | keepassxc-cli add -glUn -L 20 $dbpath hosts/$host/encryption +# Info +echo +echo "Hier ist der age public key für sops etc:" +echo "$(ssh-to-age -i ./$host.pub)" +echo +echo "Hier ist eine reproduzierbare mac-addresse:" +echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' - # Import keys - echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey private "$temp/$host" - echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey public "$temp/$host.pub" - - # Import init keys - echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init private "$temp/$host-init" - echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init 
public "$temp/$host-init.pub" - - - - # Info - echo - echo "Hier ist der age public key für sops etc:" - echo "$(ssh-to-age -i $temp/$host.pub)" - echo - echo "Hier ist eine reproduzierbare mac-addresse:" - echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' - - exit 0 - -else - echo - echo "Add a new host to the DB and generate ssh keys and encryption key." - echo "Usage: $0 [list|add]" - exit 1 -fi \ No newline at end of file +exit 0 \ No newline at end of file From 3871f2e553c86ad83a6c123ecb041a7929ae9d1d Mon Sep 17 00:00:00 2001 From: ahtlon Date: Sat, 22 Feb 2025 12:48:32 +0100 Subject: [PATCH 21/29] Changed the rest of the scripts to sops encryption --- scripts/add_new_host_keys.sh | 9 +++++---- scripts/remote-install-encrypt.sh | 10 ++++------ scripts/unlock-boot.sh | 4 ++-- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh index 8266d3a4..fb18e870 100755 --- a/scripts/add_new_host_keys.sh +++ b/scripts/add_new_host_keys.sh @@ -16,13 +16,14 @@ if [ ! -e flake.nix ] done fi +pwpath="machines/secrets/keys/itag" read -p "Enter new host name: " host if [ "$host" = "" ]; then exit 0 fi -mkdir -p machines/secrets/keys/itag/$host -cd machines/secrets/keys/itag/$host +mkdir -p $pwpath/$host +cd $pwpath/$host # Generate SSH keys ssh-keygen -f "$host" -t ed25519 -N "" @@ -33,8 +34,8 @@ sops -e -i ./"$host" sops -e -i ./"$host"-init #generate encryption key -tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > encryption.txt -sops -e -i ./encryption.txt +tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key +sops -e -i ./disk.key # Info echo diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh index f0553c2f..6ec19c19 100755 --- a/scripts/remote-install-encrypt.sh +++ b/scripts/remote-install-encrypt.sh 
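Review bot: `$host` comes straight from `read` and is used unquoted as a path component in `mkdir -p machines/secrets/keys/itag/$host` and the following `cd`, so a value containing spaces, `/` or `..` puts the key material somewhere else in the tree; validate it first with `case "$host" in ''|*[!A-Za-z0-9_-]*) echo "invalid host name" >&2; exit 1;; esac` and quote `"$host"` on both lines. With `sops -e -i`, the freshly generated private keys sit in plaintext inside the git worktree until `sops` succeeds, and if it fails (for instance no creation rule matches) `errexit` stops the script and leaves them there to be committed by accident; `sops -e -i ./"$host" || { rm -f ./"$host" ./"$host"-init; exit 1; }` (and the same for the `-init` key) removes that window. The `read -p` should be `read -rp` so backslashes in the input are not interpreted.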
@@ -25,9 +25,7 @@ fi hostname=$1 ipaddress=$2 -dbpath="./machines/secrets/keys/itag.kdbx" -read -sp "Enter password for keepassxc: " pw - +pwpath="machines/secrets/keys/itag" # Create a temporary directory temp=$(mktemp -d) @@ -42,13 +40,13 @@ trap cleanup EXIT install -d -m755 "$temp/etc/ssh/" install -d -m755 "$temp/root/" -diskKey=$(echo "$pw" | keepassxc-cli show -a Password $dbpath hosts/$hostname/encryption) +diskKey=$(sops -d $pwpath/$hostname/disk.key) echo "$diskKey" > /tmp/secret.key echo "$diskKey" > $temp/root/secret.key -echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey private "$temp/etc/ssh/$hostname" +sops -d "$pwpath/$hostname/$hostname" > "$temp/etc/ssh/$hostname" -echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey-init private "$temp/etc/ssh/initrd" +sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd" # # Set the correct permissions so sshd will accept the key chmod 600 "$temp/etc/ssh/$hostname" diff --git a/scripts/unlock-boot.sh b/scripts/unlock-boot.sh index 347f260a..5d7c1803 100644 --- a/scripts/unlock-boot.sh +++ b/scripts/unlock-boot.sh @@ -19,15 +19,15 @@ if [ ! -e flake.nix ] done fi +diskkey=$(sops -d machines/secrets/keys/itag/$HOSTNAME/disk.key) + echo if [ $# = 1 ] then - diskkey=$(sops -d machines/$HOSTNAME/disk.key) echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root elif [ $# = 2 ] then - diskkey=$(sops -d machines/$HOSTNAME/disk.key) IP=$2 echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root From f4544b1b90215fbf4aaecd8cacbd0b4a1c9298c3 Mon Sep 17 00:00:00 2001 
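Review bot: The initrd host key line is misspelled: `sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd"` calls a non-existent `sopd`, and the redirection creates `$temp/etc/ssh/initrd` as an empty file before the command fails. Unless the script runs under `set -o errexit` (its header is outside this hunk), the install continues and the initrd sshd that `unlock-boot.sh` appears to target as `root@$HOSTNAME-initrd` is deployed with an empty key. Change it to `sops -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd"` and check `[ -s "$temp/etc/ssh/initrd" ]` afterwards, since a genuine decryption failure leaves the same empty file. `diskKey=$(sops -d $pwpath/$hostname/disk.key)` should quote its path argument like the two lines below it do.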
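Review bot: Moving `diskkey=$(sops -d …)` above the argument-count check means the disk key is decrypted (and the operator's PGP/age key unlocked) even when the script is about to print its usage and exit 1. Deduplicating the decryption is fine, but put a cheap check in front of it, e.g. `case $# in 1|2) ;; *) echo "Usage: $0 [ip]" >&2; exit 1;; esac`, and only then decrypt. This assumes `HOSTNAME` is assigned from `$1` above the hunk; if it is not, bash's own `HOSTNAME` (the local machine's name) is what ends up in the `sops -d` path. The `else` branch with the usage text is in a later hunk of this file.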
From: ahtlon Date: Sat, 22 Feb 2025 12:51:22 +0100 Subject: [PATCH 22/29] Add fanny keys and remove keepass --- machines/secrets/keys/itag.kdbx | Bin 3541 -> 0 bytes machines/secrets/keys/itag/fanny/disk.key | 31 ++++++++++++++++++ machines/secrets/keys/itag/fanny/fanny | 31 ++++++++++++++++++ machines/secrets/keys/itag/fanny/fanny-init | 31 ++++++++++++++++++ .../secrets/keys/itag/fanny/fanny-init.pub | 1 + machines/secrets/keys/itag/fanny/fanny.pub | 1 + outputs.nix | 1 - 7 files changed, 95 insertions(+), 1 deletion(-) delete mode 100644 machines/secrets/keys/itag.kdbx create mode 100644 machines/secrets/keys/itag/fanny/disk.key create mode 100644 machines/secrets/keys/itag/fanny/fanny create mode 100644 machines/secrets/keys/itag/fanny/fanny-init create mode 100644 machines/secrets/keys/itag/fanny/fanny-init.pub create mode 100644 machines/secrets/keys/itag/fanny/fanny.pub 
diff --git a/machines/secrets/keys/itag.kdbx b/machines/secrets/keys/itag.kdbx deleted file mode 100644 index be8a3e1bfa4adb36809734be1ea36a47e7eeaa37..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3541 zcmZR+xoB4UZ||*)3@i*x0t^fch6g`A+h6D$urGpDG3!s%e`Xd21_nk31_l-d1_p+= z*RH!CEx3NWy4KX^aF1Z*wo9gFvY86^SDJi{6Ey2Tzz#CvN1o8#aQl9D7m1`vyvi*`Y?gD4Feyf!mwsdD-M!-kQb4 z5T+rS?yoqLrF75V$sb}*znLy@h;3rqqD`j_l6B9;YDH>y=rb(Yz0^M|@<2*2-?8%J zFGUi1!%sMgYM*Ne;9+2hYx12rZ`a1q9mjs{UAeZSQ0{>13%fQ&Rt@(9&)e8C5+=|6 zayoUgj*_)&Y!w#rgA4f z;PUe2pA+@#wys~$G`-}z>=KhX=L3FApSga-Hr7ofUCO)MxApiVqbLN@rFCc=2`Ds6WqHX z;YeA@=JkF$A6WE!!q=G|z59LJlbY4cEbKAqlLfqE9-T32;56|3J;63R+HHovQgQjN zY>v&z?KNKaPhP6B?hc&xzwlq1Qk}t#)fNly=8O6U+wVSL^rBsS;tYF_OD3m(tls=f z>u1X9h!8O$#&h#-Hy)f-FXjGlLGl%IZ<92=%!SjQZLFzV*O4%BmNOe0$DOjZ(T0D(@_uHdgz2(@NlU_+3KTh9t>(%try)adCx?SNr;42 ztbeH7JNo;^^LwQ~n*%396?yG}|1w+O_4L^c>A2 z6U;X_9T5Igw0^4UviGg_tvnf@|9qUvx5!*a$6uH$XvJ-z$3+`1%+osPGfnCFnYmq` z^+b=pcYkALd#+zr!7aeH$94M7u%=bFT3#*8dof>RtK_$nKNntBt+4Bse%U+2YhCr_ zngbu%{VlduR&T!XO=HbPm&ay2WfKilK=iKTFzw_$( z^8OOh=p&1lZatx^#Xm<$ZKa;t+*+Y{muXurdmdOQs9NmyHGksF4O_dI|HK|$q%Upo zp|U8>rH=9XRfE$HT~rTFTeLrR`L5LE-#qWnh;f~1xXI(Vk$#Q)_r_m4c3)d4yW>(3 z!XGIc%*5q6{>)MP%2H!>r|LoC*;A94-h8!; z5S)ECU{8JQr}BhQa|4bCJKy+4{`~lDVbA27YopHWxOGpo;=l2p(3y{BRljjAY&ldf zI`#IPh+7S^sS=TMGV4DaxNPuQ{)3voSEhzwAVX}4ic-?iQ{OrZOD0QNXFT4eFkMo8 zncUTLHg>Tq7Z}y=sEk)Nx_9uQxuX6awTZ5$r_Nn-@J&pA!<_@p@7cOi^LDPo96&&!e zVAGtW(%u&9$Hvc8m?i`>o2>5KE8E;~-{6wt&+Gn^pLlM}lD~K0%%a6oCzL;(4p?pz zGIK}UPtG!J*X`FABr0q){T>m$ea^=U{~B+pgoPDf+bJ>Om>TCv7L#pU#k;A0Ge4JI=PqhAXto`ncze zW1O7LI){t9g-cgo^kcb^lT&|brt53|SGHzRo({YvzumNp));?WGuPYK&^X;qIUWk~TycKaoYxK0S*n=T)~UbKtZBQGRhjufd-h9>M@4&sUC(5S|Jn6; z!jAq&6Xx}JPTzG|?D}C_#-a~<&(4^ z9=5dls;ArvK9Cme$t?NKcxC;{_IMi>+g;PwtEbE_56Jp`ZRSI+1@=8fOZnvQ-;BG} z^N$Djw#rJGYFnMujna zNq2s=xJkU5{Oc#(_`MY^N^W;(ORXb#wNOWl8CtpZ6|%_}W*e zap#m>Vz(DxxORV*eA3C7MgQ*H4f(SDZ6LQ@=?p>D>^FbqdYpG&%GU46da7ck>|v=btklwKoL*(~ns1@KWGT-?P6PnRUZe^{lER 
z<&~$*`BAweOWF0=fy}M%Lr-=_uiUzv8s03YnX& z+akhsxaB5z{aDv&AJx{>|Wn~eV}&n?Ip9F z+|mu^UfHn4FMeX?=S|-qoP4tLq2yez+@-68ZMvmfk6ZnC+LqE;FiS;Hf1;Aiua^p? zC1yRLxpn~|U5gjzu)TMC=zqIxfzub(3w}!L>AoIa!$8-Po>h=T~w~ezV z@thZ6o3_Yu+J}x$=8tt&9oO5RCK}5%{h{K;Ahmh_f9vt4csFY`L>YdX^ZR$cwsFv3 z^%-3e?z2mlXWcn-J>|y7X|>${H!#&(d7XS*_F{uq@Intw{>bRQD>Yx`I48)}rJSoj z_c-LnA=aA8#pKBh6Hb{I!p-@oDcmgy-A@1-$s474j+BlhWdu=3QO-1~G?zuj6a zds<{BlSyUJf4|qfX&i6g@yUGKup<5Ymjg+=Ql##zsxb~QO^sweoV&UF^uxny?pN$6`islyX-ADt*>LPSe*W$Zau@x6}iW^UFq#sJ?tU5X|Fcp zg^ibY$LJoB`8mJ&dtOMtddsrC@~2<2`21Vxx{ZI`o|_lA=2a$abaHs*bSrnk3X_>@ zLm7@6zkJbUWAI(@zrS~0)Pl?GIq9FX%HKHtyY5)Fu{6BN=d#FGjrTL#EH=$a zoqf;AH<@*3**&Y5a!am0ajIweakjep&>kJjPLXUkp-F#~e*XV*|IaIKsZWj$A51*k z4tSK$O;G1;^<$kg>HPZ8w-Of*Y4E>j`mMLsEB4cho%deW?LKwgV0}WKi2BA&Ef0PP zAA3@KHrp*gWhs$RW0<(k7g@Jgh~l3yc0QdLdN6!1<~xH1B}tnmOtC}PH2%p z+pEg-~&AgusY0=w?nX2T^uDQ3}?vsOAWWhpp>$tNv-d^i@n<7L1PG+3F zVQtuD^UJx5PxIcIyY;d9EW?bp)@mpAtZseg4_6p^U;8i@oW6UvLid0$(@S|#?*nWL zcBEHoz09YLi8KAw@TZr6CWZB^7R`8avD{)e+H+Nn&@!_u|ia-Wx-Z8wtQub3U&^11bo z+r?9iRZPnI8xq#{@b!k-?R(T{b(2wOs`{KMA6ZW^#(%!y`%KYJ`2ETg3-moe9UK6# CoU-)* diff --git a/machines/secrets/keys/itag/fanny/disk.key b/machines/secrets/keys/itag/fanny/disk.key new file mode 100644 index 00000000..c33bd83e --- /dev/null +++ b/machines/secrets/keys/itag/fanny/disk.key 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data:xmMPJyp3y9XI2QsWJniRM+Nds4Y5zoqb5QSJqZo=,iv:KRLS4JYN2OVmbbLe8DCD0xW8VVnbmYN/MfZNp7eOS2M=,tag:FV1Qm8Wr5fbpJ+ovAK+uaw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ1EwOGcxazlIcy9mdmkr\nMzJCcWkxQXFEQ25sUU1HUFJqSEE1b2M2QmxVCm1hWWExbWtJdmxjMk1VUE43ZkNR\nNmRpdGNPNURwdjJkaXhxcjNxRFFiSWcKLS0tIHB5Y2NWM0pCbGdtTGRUV1hyVlVs\nZTRsUnZoUnN6cHNPTWF2SzhxUUJ0aVEKzchgMPjpDAX7NUTSxUYxoKLoOh7+X9GV\nxrarnXswpSV/bfR4w4x+DmoocG7TbdH+UvCTsg3LtdjWmfpjK/c8Kw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T11:49:56Z", + "mac": "ENC[AES256_GCM,data:WKZIdINWSCn9ZOtsnLQ9dXCOdG49Ltf7/G91zEuj88+nvQC4+WTLCCXBGdhVBamV1PWHYnFvZbiXKJ/VFdN3EDZeW9r6cXuF2PEveOn6Bj1bYi0WrzFRfxxvt56AM9j/0D5E1hE9rp2yAWg5V4E3nIGT+rVsOczMk1+Yx4Q8NCc=,iv:DKD+E5yeFJrARfP5Qw6I1Cn9lvvHUHHok+3l8dyzVcE=,tag:lCBrrqfFxvtldBfbha99vQ==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T11:49:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/Xn1mh8ojou0/ntHLA+iNzYf6vsJVoWB6Cfh/WL9s/Vxn\nJWhvIzo+blJnoMJMsRPx4wiIuAjT2KkJko5v8Wr9pzzOAqOCghk+8YYnpC49PpCA\nhT8Yuu1v53Ycomwj1IdZj6GWeIkuLw2N4ZVqh1vZnvTT1tWltxmp9lhb/cWP+ze1\ngzIO7wqd9hisX9DVl4IVV/q8QVIfhWR2dMX+xgRcEssAjQu/nFGv88i6NJQsbIwm\nKOlUI3QJ49DEVFxH6Z36ZhUpdszHKi3IPg2IqtpfDicU807rQ3VihM9abkhp7cY6\ndvxW2rMijahy2IXuvGyTuwh9ow4bHXWBQgEkaFo8eKCx/KnR5shpR3/0CdegU45H\nGF/RhIq5wC4lMXy5/O3pgb5QPItcOB4ke+s48sGdxWWyXkp3MLXS1NblEZ6K9xTm\n/1GUcpCeoePWMeNmPgdeEcQL8jBxBol2wP5cXl4Ov86wegd0O56lVi6L2jqhgYiZ\n+SMhqmsMqZFVJWExkyX00lgBzFNsLWpT+KGuesodu9mtbYJ/s7Pz7+d+apgtzLI1\nGyjD9TDyZQUmM4El7SbZ/KNniRhR2Rnthg1r/cAcMYSyOnRbM/n5t5ynUc8vzr4y\nIPGXwW3pEoOh\n=48Pd\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + "created_at": 
"2025-02-22T11:49:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//S41vk86ETjZa/AI9N5rS/RnPk3SuvGCiFxVkPl+ScY+j\nMOIqQFr55JpZm2Tb2nYA07yzW0b9q7jnVDt1dGp1MEC9QZZj1dEoZNGU+UjLhD3F\nDW9/NLeoJ2+D2rSxQmIwWdMqw3XehZDXvcicmKprtSK1MThV1cy5BITTStoX+qSQ\n4pFg7AVJij7+mtEK6pdV3S9BT1R27X9fanm4v785MEB+KERhe+5rQ7QR33Ohrotk\nqp6FqQJRAkc2ea+SFLRp8q4oIKK8lIoVv2mos/RUyBMf1HYPERohvqBjOF7oUjHt\ntOGGb+TLpVicPEsrAiNG5krfLCcI8vZeqkZQvu3YZx1zopYrW1mQuW1/kedFqtpc\nN6piYNz7KaYX0zpCJv1YQN8z1YOc+9LxTIemDUNt3zEYwrehi/DeXMt+Np+U0PKq\nSmfxRiMnbTT14la8mUa4Uov6KNUhzLgDVm8z/6XuM4qqEPw1ApG2UT+n5swZeqhN\nXBIAdSfybLW6vGhIOJduiI7LbQOADcEqlwiMDM4WMtG5acM/MLFQVQzP0DnQeIYj\nlNeGxT0m92ZfhwPupJG8PlC4dAANU3anBVGtMGn66aAEoVq/5RdOI9Iw8z8FIvnq\nN4Sef+5eqJuNeFdvxWG4IP6mrU1BmeWTXgI59aifSPUc0vrviYD6eRYCuI1NySLS\nWAHY6GESDXqeH6mlUryle6HSnJD43faFNkdlUaEBt0tH4ij2OvM5s8XTnr03hPnT\nYOHSVh6PVF2wwgV+JJuy7Nfj1+ylZCl2G61GO4QXtLexeWpPSzbo3Hw=\n=A2Pv\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/secrets/keys/itag/fanny/fanny b/machines/secrets/keys/itag/fanny/fanny new file mode 100644 index 00000000..e497201f --- /dev/null +++ b/machines/secrets/keys/itag/fanny/fanny 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:BdRM22/SMiHrq4SWVZTIpYPy/eHS1Kc/XxYj49Jf3H4=,tag:QdIwNFO7PnChvhWJAYNONw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYVnRlb2x4SGdPbWltWVUy\nZEl5OC83UldXMjEwOUdTNTFWMytYejFVRkI0CldKN0F0MUp6U2hnRUJQaGZKbzJR\nZFByOHRwbWgxTlJndGh3NWZIR2FKbmsKLS0tIFNjNDVHWjZNYlRCY0tQRlVtTlQ2\nMTlUVFd4dEo4dythYVV1WEQ5dWlEQTgKYqoEes44TbflFTFBzNwEVP9DDHtkmhfn\ndCFBPhBTwuoFKai3kOOX/E9gEOwqY24HAqKdeyiO2VXrL8JKEazggg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T11:49:08Z", + "mac": "ENC[AES256_GCM,data:V7B26cct1W4ihesyVxpAI8AvMXSy7dd0hWFdYqWtzKkCN73au2V3h1DilOiNn3gclFhL9Crw38iNUtnGeHscGLGrNbwkyCMDj1KXKl6wnSYdFkw9XD+PnRwYq7hMTTLIH19nqBg+K9tjaDEkK7y8WygUHfknxJj5D4bURgl/jow=,iv:/f3GXl6o2oxRJjIJEpYN5T5x9q4acxFqqakzBRG4hlg=,tag:G6F9hXdO9BoXZ2eXaEG43Q==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T11:49:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQwAk5+mzJ/KJX4bxyb5w8dUiLXilBMJQiBxQZWsC8Q+G5v6\n9LGMMWPrQeLuTHkNe9FpddIUixjuFox1TJxaph3t+DfamR3yPdUYDuRckc9iF+jZ\n4oa8txJ9oWoEYx5QlxCCricSxomC9LV4DcBKQ2gyXnAeX2Wwe5/3uw+S/KyHZM+y\n9flO7qIVQk8MkVzZOc2KVCyvUL1UnAwgXzR1OmznpGBiZpaipCmXBs/elncxViry\nrmgA/+Aob37ChXQk5mVQLyrV+E1M+u1PwigML7PbbE3WpBVgpbb+MH639nBC/rTV\n+B70BaayFdzvUln4OFonfvsvPQEynmE1rfJRUavvAQDORHHmmbOKdWWVaYHDlp4Z\nAgYI10mnnFBpm2Qd/EjBa2a1CWboaGCaz/KldTzjp+TxW0GVf6WQ5SKlqZj3MdGM\nVS+91ph2LaRCTB5WObTX4KKDiwwoRAB+0A4ewu5ttsmeuhTy3o/r1Liu/UBdaL6i\nA9t59cMopIL6YXRD1YwF0lgBHtGC/KGsnZjC4dscoU2eTfmJ4rFx9vmc8I/JaO+h\nNDoFnd0sk2FQhnMvAN16U8HurfAzbHiqf3utEcMOg0bPw43Q/8g8JgUAaxqkJIQn\nn4fqE2GFjBqJ\n=Eivh\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + 
"created_at": "2025-02-22T11:49:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9Hy7wKpuAeKotD/HBoM+aptxnKiExf7mphpdZZ1sr8fHE\nDDdVehwhFxsxLkcIwh+dj35KswHw6aMzyQGj4bYsxSmsFKscATknsklR1UATWfSw\np3hVjNFCZ+yd+uzSJnfTkldTcaJiN9MxPmaOMd4e7Ui5k7dcYo0/FD5AZQZMjKDO\nQYUsUASWLHWAoiS7nnFrbaFvXKAPS4wOsB2T263QsoZyEvpQIgWP6lb9kS7V4ftZ\nxetGJFIk2hanYfdGXZy3TiHaJO+fESpVYmp6YykDqeZqZkWB59aeWVL/7Cz7H/wj\n4RU9RWBMbXGjPz+5WMo7X7kLrJgLAWywch6bM2fktkadG9n2tAa/FISysR25qtmQ\nzJtwCY8j26ZZJdc/FEA6dYwIYeGZ0BwV91dPaEotAtgSVpSihdXI/DzE9T9OjWuQ\n1c2sCjVJ7Kw19uCHLaZg+Tvob0RQJu5mnKPnLqinpxDn6Vf/nxIU80gFsPPr4f2T\n627iBaQOaMxdxHLV8r16WrNzBRj28sPZDBlGQ0HouToO2dn3uN+onQGszRAAIadJ\nZMo8SoWCdx+xiDK0S5oxnoxfk2QMAW75qyFiR373axb6HgMMSpJSG8TE+vg9++oa\nE7dddc7nq6ZnuhRNDn9V6cam8hfkFvKwRCeul1Yg5qZn5qI9H0/glR+KisKZVK/S\nWAF/XJucPmK9gsScxB4FgfKmpZD0cJkKmwndB5Idc6waRrjHxFnLFTFxbUnUD2KC\n198dZo7Y4ftOIWKHCY1R4RWhsmIUX5XzxwEnYSzy0pta/uyaqwa6sWs=\n=wi7r\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/secrets/keys/itag/fanny/fanny-init b/machines/secrets/keys/itag/fanny/fanny-init new file mode 100644 index 00000000..98516885 --- /dev/null +++ b/machines/secrets/keys/itag/fanny/fanny-init 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:6IIpVx4Dtrn+uahiH3kZHy6bmBj9ti1UiswKwAe2qZE=,tag:hGJkYXIarS+QEwJiHVmP/w==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMXJSeTFQdElLc2FKVFlG\nTjdlOGZHaUZkNjMzZDJTcXh1ZjF2bVpzRlU4CjdiS3NYeDZyNit1OCswSjFWbWJU\nT1BTNWFsRnpQWjZGbzJFV05tV1lNS2sKLS0tIEdrb3JOMUFRMkdIdFUwK0dHSXRQ\nbmtCVEJjRllnMHZFNkJ2UndBcXlaQkUK9bHFPsVaZovR4rGuQ6GfqAvZxNKqVhC5\nHybQWv1PCoaNOvQbtBgCxMlV8HOJfwe2EgysJErvriXeyVad5+zY2g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T11:49:08Z", + "mac": "ENC[AES256_GCM,data:IFctz/f9I9vcWN82u3qta+o/oILTHpCScSezHwt0ifsENnUQLz+uAmpMs+ok1ZR5+20XpEq4C7f1s4n2h8dijxsPuE/IOQM7rvwjoVPsM/0XUglDK3Vc5u1oooGpLJg1PchwWGOAlKQHun3mh4j/bz5UMpD8AWC++NLPE1Hr0Jc=,iv:y0aD+4iLSKedGAjZP1SygyzzIE0/SHWcOUS/aghzrII=,tag:01dQZoLlz0w5dE3DePwjbA==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T11:49:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv6A4kG9S33l07+BwNeUsDZVrzRTP2Gz5F679VKTBrr96t/\nTJaa+FlCWDU3DczaC18Y6yIyU22+97xqQ4WYnno0h7bF2uhjbyXjp3JV5na7BgGe\nn3V6p0yJcBM5XfrJRuKghEB3kHddQIcVR8JurWrynCKy1C4njR6pJDA3pqp9PReP\n0ubTiJqAwJfx5hGSAjSDWitQ2vpubowCXssqyh9S2P07H5u8HHbLRyJGgvl/LgTR\nEe2EUh7KrTMT6cCXBHAPSK2bZgwP667bhEOJzuCpknG4/Q7EtVQzjKaXGrDR0vMi\nIwA7knQ0UMeRCa/jSSPYUbscMJIb5+wh0rnPfWGGgtVshdd6YtuETBnqZsjUETXd\nsXdem+UoMEN6Co1ABzHEeSGT7y6D8OghoodofLBvgf5TduiX5Pqceo7SkfXPN/3G\n4fqg+e+VTT63Jwp7rk+ekRJYPkHNoB5w0VIrvsyBPlDUhEVywKWJTfzu8905hkVP\ntsQEoJxkpT27PFACoxZ80lgB/9kyQKvsRG9kl68osivg2gIB/13+4TjMdS+x3ycL\no5QnE0D/adRJHpDRwuPfzGyRwFWT8bHFEpw8qErLEWaXh27QMStOgr2By2PsOFTP\nAtJo/wheNGMb\n=qa04\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + 
"created_at": "2025-02-22T11:49:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9F41AW+ruudLanRh8Rn8rHJRfGpdhv1oFkFRIK+Z/2oGr\nMGMm+2EPhCHCMp2tFJRm0HwZruGJda31iFNbaFSqHmTlqWfEMoEj4ztcOhe1vFG/\nhqtp39DawyHb/1AXPHvsuwbucEf/DH9gflXgbnBrZQ0K+7FiOSnXNi34YByKipbI\nbGg+8PV1iYXw0vuLgERy5aP20zyvr+sg53jnr8RR98A2E7VWg2YNfxEOKxxQczxe\nlgblSVqLLmEKAJcE3JWY6c5HR5Xlt4Y02JrAYD11qD21hmtS8plEZ70kiz4elgMU\nkWxM1HSm9Tyq2I5c9v8uk8VOCfEYE+glASJKtyHtyzDJRJcKwvaE8SqStlfoGot6\nKiJ4flqGapTOkJtOvR7FczO7T3j19Ga62dUvoHrei9Q0FYcyG70/lvTWEJy4/jYg\nOk5QJyseRhrDhcLKg9nUbuSfYhXtJc9C/S8B1n/bwjO1O3vslkewFAnhBIqweh1D\nnHjrSHsssrpkeyefmjVh7NiQZtn122hnPnIz5B62is27MD+m8qWWoWghc5lzsw5S\nCGBRY8l+vvGca1TZFJX1JO/L6vhdN4qd/H4IWRmj1oSR8qtQ6SKbt1UmQtB2BtPg\ncqlRCn4x2ORpRgwAIZtD6GFUFUjUduz6LpaxG2tpnmZcQfPAF7YYjjpR07oPIg3S\nWAGomgQyyubfDCH/tM0RwuTlMX4hkMtlKyMDuOHuZVxWZqoh/utGazasBogGm6zK\nIz0nKh+z0w0nv9kGzalq9L+ek0A07ylIlakSaR/vxh2ZaKHojBEEPh8=\n=1EB6\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/secrets/keys/itag/fanny/fanny-init.pub b/machines/secrets/keys/itag/fanny/fanny-init.pub new file mode 100644 index 00000000..31efbb07 --- /dev/null +++ b/machines/secrets/keys/itag/fanny/fanny-init.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEY60NKfdjFiXNvl1r4mBcXKADHA80laxio+qN6izevN atlan@nixos diff --git a/machines/secrets/keys/itag/fanny/fanny.pub b/machines/secrets/keys/itag/fanny/fanny.pub new file mode 100644 index 00000000..9a6c5900 --- /dev/null +++ b/machines/secrets/keys/itag/fanny/fanny.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiKzGgQVfvfSqhdWNqkhTWd8gfJCVoyYoe9zh1LATsC atlan@nixos diff --git a/outputs.nix b/outputs.nix index 199470a9..6da2c537 100644 --- a/outputs.nix +++ b/outputs.nix 
@@ -39,7 +39,6 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems pkgs.age pkgs.python310Packages.grip pkgs.mdbook - pkgs.keepassxc pkgs.ssh-to-age microvmpkg.microvm ]; From 21cb9ece114f26b2df4bf6cfde1c07a817a21fca Mon Sep 17 00:00:00 2001 From: kalipso Date: Sat, 22 Feb 2025 19:10:44 +0100 Subject: [PATCH 23/29] [sops] change reproducible secrets file structure --- machines/.sops.yaml | 4 ++-- scripts/add_new_host_keys.sh | 20 +++++++++++--------- scripts/remote-install-encrypt.sh | 12 +++++++----- scripts/unlock-boot.sh | 4 ++-- 4 files changed, 22 insertions(+), 18 deletions(-) diff --git a/machines/.sops.yaml b/machines/.sops.yaml index 18617729..43869fba 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -95,10 +95,10 @@ creation_rules: - *admin_kalipso_dsktp age: - *admin_atlan - - path_regex: secrets/keys/itag/.*/.* + - path_regex: .*/secrets/.* key_groups: - pgp: - *admin_kalipso - *admin_kalipso_dsktp age: - - *admin_atlan \ No newline at end of file + - *admin_atlan diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh index fb18e870..b8db4770 100755 --- a/scripts/add_new_host_keys.sh +++ b/scripts/add_new_host_keys.sh @@ -16,22 +16,24 @@ if [ ! -e flake.nix ] done fi -pwpath="machines/secrets/keys/itag" +pwpath="machines" +hostkey="ssh_host_ed25519_key" +initrdkey="initrd_ed25519_key" read -p "Enter new host name: " host if [ "$host" = "" ]; then exit 0 fi -mkdir -p $pwpath/$host -cd $pwpath/$host +mkdir -p $pwpath/$host/secrets +cd $pwpath/$host/secrets # Generate SSH keys -ssh-keygen -f "$host" -t ed25519 -N "" -ssh-keygen -f "$host"-init -t ed25519 -N "" +ssh-keygen -f $hostkey -t ed25519 -N "" +ssh-keygen -f $initrdkey -t ed25519 -N "" #encrypt the private keys -sops -e -i ./"$host" -sops -e -i ./"$host"-init +sops -e -i ./$hostkey +sops -e -i ./$initrdkey #generate encryption key tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key 
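Review bot: `ssh-keygen -f $hostkey` inside `machines/$host/secrets` has no guard against an existing key: for a host that already has secrets, ssh-keygen prompts `Overwrite (y/n)?`, and a `y` silently rotates the deployed host key and initrd key, invalidating every `known_hosts` entry and, if the host's sops age recipient was derived from it with `ssh-to-age` as the next hunk suggests, every secret encrypted to that recipient. Add `if [ -e "$hostkey" ] || [ -e "$initrdkey" ] || [ -e disk.key ]; then echo "secrets for $host already exist, refusing to overwrite" >&2; exit 1; fi` before the `ssh-keygen` calls. `mkdir -p $pwpath/$host/secrets` and the `cd` should quote `"$host"`, as a name with spaces or `..` would otherwise land outside the intended directory.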
@@ -40,9 +42,9 @@ sops -e -i ./disk.key # Info echo echo "Hier ist der age public key für sops etc:" -echo "$(ssh-to-age -i ./$host.pub)" +echo "$(ssh-to-age -i ./"$hostkey".pub)" echo echo "Hier ist eine reproduzierbare mac-addresse:" echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' -exit 0 \ No newline at end of file +exit 0 diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh index 6ec19c19..4d24adcd 100755 --- a/scripts/remote-install-encrypt.sh +++ b/scripts/remote-install-encrypt.sh @@ -25,7 +25,9 @@ fi hostname=$1 ipaddress=$2 -pwpath="machines/secrets/keys/itag" +pwpath="machines/$hostname/secrets" +hostkey="ssh_host_ed25519_key" +initrdkey="initrd_ed25519_key" # Create a temporary directory temp=$(mktemp -d) @@ -40,13 +42,13 @@ trap cleanup EXIT install -d -m755 "$temp/etc/ssh/" install -d -m755 "$temp/root/" -diskKey=$(sops -d $pwpath/$hostname/disk.key) +diskKey=$(sops -d $pwpath/disk.key) echo "$diskKey" > /tmp/secret.key echo "$diskKey" > $temp/root/secret.key -sops -d "$pwpath/$hostname/$hostname" > "$temp/etc/ssh/$hostname" +sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname" -sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd" +sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd" # # Set the correct permissions so sshd will accept the key chmod 600 "$temp/etc/ssh/$hostname" @@ -62,4 +64,4 @@ if [ $# = 3 ] else nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \ --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress -fi \ No newline at end of file +fi diff --git a/scripts/unlock-boot.sh b/scripts/unlock-boot.sh index 5d7c1803..e00afc8e 100644 --- a/scripts/unlock-boot.sh +++ b/scripts/unlock-boot.sh @@ -19,7 +19,7 @@ if [ ! -e flake.nix ] done fi -diskkey=$(sops -d machines/secrets/keys/itag/$HOSTNAME/disk.key) +diskkey=$(sops -d machines/$HOSTNAME/secrets/disk.key) echo if [ $# = 1 ] 
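Review bot: `sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"` still carries the `sopd` typo from the previous commit, so the initrd key is never decrypted and the redirection leaves an empty file in its place; change it to `sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"`. Since the decrypted `diskKey` from this hunk is then written by `echo "$diskKey" > /tmp/secret.key` with the caller's umask into a shared directory, a `umask 077` near the top of the script would keep the LUKS passphrase from being world-readable on the admin workstation with a typical 022 umask; that line is context here, but the new code is what feeds it. `diskKey=$(sops -d $pwpath/disk.key)` should quote its argument like the two lines below it.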
@@ -37,4 +37,4 @@ else echo "Usage: $0 [ip]" echo "If an IP is not provided, the hostname will be used as the IP address." exit 1 -fi \ No newline at end of file +fi From 1980ab4ec15267d82c8630744f555fdb2f7f05f4 Mon Sep 17 00:00:00 2001 From: kalipso Date: Sat, 22 Feb 2025 19:15:10 +0100 Subject: [PATCH 24/29] [sops] rm deprecated host secrets --- machines/secrets/keys/hosts/durruti.asc | 28 ----------------------- machines/secrets/keys/hosts/lucia.asc | 28 ----------------------- machines/secrets/keys/hosts/moderatio.asc | 28 ----------------------- 3 files changed, 84 deletions(-) delete mode 100644 machines/secrets/keys/hosts/durruti.asc delete mode 100644 machines/secrets/keys/hosts/lucia.asc delete mode 100644 machines/secrets/keys/hosts/moderatio.asc diff --git a/machines/secrets/keys/hosts/durruti.asc b/machines/secrets/keys/hosts/durruti.asc deleted file mode 100644 index 5891c555..00000000 --- a/machines/secrets/keys/hosts/durruti.asc +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBAAAAAABEADh28tGiUsmPPbsQYKSi9WiI4UCPO4qd7hEoER34Ku5w+kpy1MI -ymJHNlZODjrjvznRidyYt+1vpED941LawzsujBV7pSfIBY0cQWYTbF/euuQFJYxN -sBLG4kek5IhdnIsav2f7fMv6Rhfkau7p20AYkWUkpoUxBJTxixIkxrO90ODSzMMe -tLI9MnqPcMASy6dbAGKXSABaYi9bwggIgyYHNaXThEuEAWPMPMMj8Wlo0H0X/B9O -UEOHSA4N3TBKJXuDhsKgUo6ADLAA5op+YG+JtAdvdjW0XxtDamLkkrEx/fsYWsn2 -LjiX7z6cCQjYy+GG6LV82cavyF9sBAs8kEl4AVXVYsaB0g99rpY91EYLAD2Ddh4d -lHPwPVQ52Ht3QeEPAsqeXRh+gZOp/xx6EJXXaH7aorXoWlbUFcCnTTEFAM0HibZg -ChZEX+pl9RxdPeIwU4kd9LxNygDwp4YhdJzbcpHkp7RrkHJHgmAxUEVCxZfw/P2c -GDIBHQSS4FZ5PIhh+aejYCo4BrisGuAjwlaH26BRNraM8EImaLwLuQZ1TOWm97tI -BEI0JFscrTi2RSPgDCg1Cu78ocbcpqC3cRclXzRohvp83NpWnAQFCAdNaTttQsio -lQTXxmJlaeo/0vHAN+Llukchh6sFzzNP3v4B8vLvdXkE3s5XYxJungblTwARAQAB -zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQWRHe9aQhhWcCGw8CGQEAALRQEABVEYsIn5zGV84caxE/LXN7 -7nDsUEyo3lCetStM7JT7uDdMl5t33pUAIbm4gv6/BrvVZ6pBtPfTrVrTKKDornKJ -VU/tKims+CbnuPUIbOmuXcPbQIa/IF4WVop8XJTzMOSW636/eH1D2VTLI8Jmw35s -qDmqx72hISUBGCszTJkThp8xUFMW5NcJc6zGB9I4vdac6Sf6yuZqmdfDm0MzcvmA -tDASc6ZLeffPkJxUA+x2WouAYkfdV1CdVS6ob6owrSza/T+wQ3DgzO5AVZ31HXTa -gDkVIBgdZYR2H8IaaTetb4m2+SgdXr7s9WCOR2i8DiSKpnUAJKoVIOl6pBd13jCu -PHQzkKq6kqn4bRYCZil3fKDB90mVDIyixJJCt//VA5y9Tgggp9o7a+l35I9hCJ2F -6AYtpfXkTbI9wqmk33TJX2litqqPZkhEERv25UDvnZ7Mm0my9QXJZ1Fp1nRLIKZg -VABDS/wIB1QHtOldDLMeRD7Fnrnjgnyuk4/HmCem0wFDPHDo/ppa2QtCUk1xxywu -fa7hs/oDVUMsofpDm6Ls4IgFXbSD9GUTDdB+UvZi5vITaZ1f1QLcrShhSUHkLIpc -65Fj79r9cdHKdUhnM2+pTuVM6Az3huMkZ+abgjSHWSni2njowRUd2P7pG+ZhaUk3 -Rj7jxxXh1KQ7X8Rbbce8Mg== -=sb6Z ------END PGP PUBLIC KEY BLOCK----- diff --git a/machines/secrets/keys/hosts/lucia.asc b/machines/secrets/keys/hosts/lucia.asc deleted file mode 100644 index 8fb56b40..00000000 --- a/machines/secrets/keys/hosts/lucia.asc +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBAAAAAABEAChmMEXC6TjRtYAHk6CsrnP0LFd1vOuH4+QSalj9fCaCpYVEStP -u9EtW2DK8kSBdo8DAngzsMFt9PoSLcPcB00s9R6EACVuOn8nTVkyYtO/8hWJVexI -G3SB/u2a+MYC2QEtw3Exzleexx3EkZywAzGWzJXpajMbGsfvssXl96xb7jxrxdNv -Msx9t2RJGADSG6Vx1+A5UmFwITkGpn6wjvQXLvkim4ZHRzX588vgz/IdJ6yqOeeV -v0VyVNTPfXkDO2urxRgZ5TG9wE5v9OKFofooR5T1rB/khW2jMoqavLWeRVCqVpmp -MQ8VMkJzEoP7RX7vAAgCbVrTe55sMmXa9gtXo50wz6lHYHnepff6FuquS7szH7Ja -lRnvx6CR1FwWIGhef/kxmNQKr2Mt3V7riFmv0bkR8ttI5uyGposeWfY1T6iJfxic -duIYXrV11T6fWOEUh80aRz+8E46LFv4sGZjTOvHWrnetKNweuOC9/yaSDkEr35sM -xVffS0wNGclhxl860qBCbhG/X7YYZs5sFHsRnsb7rvTCP8LtGhrjybE/b4WuGRCU -rEftVOBe4NSwlsdmRVl5Cyk/ZkJncrUwlaH6laCjBfldQcdxAHzdzPZQhOmBaLkF -1l0EpteSbEsi3CS2rkkriSsZ+nZwaccTa6+B6twrRmGvcBrZXlsugsdDSQARAQAB -zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQvNUtHtVQM9sCGw8CGQEAAGIaEAAoWuyjinNk8ovTAH+TjKWK -UD4WXwt5OJ8l3FJPpecZbhTaBrRdlLzY1tlKzwd8c69QVOoqk83Rv4Fep9b8EFQ5 -U2bTtXLm/wINSetjf6vlLYxEPNKVzGtk8ejw32NPnJVsGeXNazlcJaR2jRW4kMcj -A2b8aeUKxnLaoZYiCLZGvyvuB7oj/nIX7iuaIDHKR9oVyQOekeYlg9R92wKCZDiF -1USoknPO2cSYFZpDM6tmIjkOoEgnwEZqzwI7q5dXz/mqp86XeMJWFkyTRhPT6Hiu -iS/5wDsFJi7wgl4Jr6bBWFaHeBVSTJIwkoahxpM/qVYAYINgLO9erxMkmX5lRzxs -NC3LsqQ+L5Isx96AXaZWf+IOYgN8nB3bsQqvlqbvMIUE3wkxg7oeNzDzvgxQM/Tf -AC6zYHiGrs7WS6+ojx2flJnWA7mrOllimv5pTTUBtA7gh1JN9aUzzBjvF0LlzN1O -DLyxu1PsIazI1eklUm0ljyOoqBnOrDZoC4Kz70pguDGDvipCAJWjG9SjXDwXGAA0 -sUhnebh2HPZYj73xDIrbgkg+79n6U5UuewUFwDQfE8VFDp62s1s9haCRUKU6uwiL -i31OKOkDcYSyx/3/VvaT3lT247VERDw/5yVYrrhQwxS4WSabX8gz6qfKB4bi/HVs -lX2duwzSRzuytZCKKG+fdA== -=VTby ------END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/machines/secrets/keys/hosts/moderatio.asc b/machines/secrets/keys/hosts/moderatio.asc deleted file mode 100644 index 4ff84050..00000000 --- a/machines/secrets/keys/hosts/moderatio.asc +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBAAAAAABEACm+W5sGSC25OtlwQdOBCSfX2DnPuk5abjxY5HMIv3MnySouXpW -L3VoE6Irur9lZwfKrXaUweJPJHVo/Sfknh9GSBCW6yFFcGZ5nNx/QNdbfjOSaUw2 -0BkW1CYRVcLIKSHpepbTDHBxgKaCYsmupptFQ0Nzx19PPMV/WBqrkSlEpDJyq9y6 -cTaGulRKWBVDytMFmibhGlqpfEI8bzrxaeGTqiRTZJqL3zDDi2afDt1kJeCXKd32 -XOywDZgB5CinY3qsR45ftC6mZ5fV+ex3M/Uc4YJiVgwg6GlSdiYW9Mqf4koqpLCq -Xq3ztEo9FjFen7KmAcLstFmzY3fAXGIJzb0CfvVrM32wsdC6NRDINdMBmrOeKXT7 -g45n0LOdCFr4AOKyABqMudbKrgF9txHt549oaQ0wHCy1nStji1OpbhdpCKDFKPnl -ojG1Nur9DPRFmQ01I3KIjvCrf8J+CgI5YVwOr+m5Zw3i/b0qd+9R/8oAmzhhuyt7 -kckSVTCjNzsDgjjOa8FVQJremTdkQuWOlx0HxC3aQdSoPxOfpeUhybfttNpvUuta -5EbsiS/PJfzMOtZDG++naKO/xGJDiaYDhW1ZeGI2fOFUm4RYHqCFES32XF4ygpGq -wz2bZNKKSf4lxoD1+SBqOyd1eN3u8GmX8OgUB3TpgEuQb/XL31zDKCZ7pwARAQAB -zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQj5s8BYqm1MICGw8CGQEAACMDEAAFko8JYC1zGt5rFKokXGbs -K331UHReN02QpdL8fhMt0Rqoh1FKt8Sr8lzCLPNOnlgxSG5lXmA3dFfWAnFrNw5T -1u1oU0sB+CiekyWXJxTASur1g3DtLv6qA19Uw4i9bu57LK5E0ycoI3RnR+YbDri0 -psPNP01x7NBO42O71rnBypGbCPXnLOAaKq+ISCN+XCZBkmjKhcWJlg5DJfUGCEdr -DCKi/1j5mgs8H3sUrc5Y4gLz3BWuypAGWhQr/KDAcmCm/u0ZfzVyrxw50eMuzeF7 -GfePPI70nXjUlywuFUFg7EWlCT6sRtZf+o4jkXcwGpZLx2/rdZ9J2I4VmYakBVpA -2OQwi47YAFe1wz+nsF3fImuGQdHu0x0sFLbuJaSJCOVYhMcZhskRygqqI+wEvDF1 -i7SYzi5Xt7rJrSaqGhAzlg1Cc8wzMhoCE/IU5Hd55OtbvRwZ2JKH+UAl/L9Qizqy -AM7nSrUjA5p4H09PMuKGmCEcZDKpH2huAeqmtGQ626edE2WNduE2jCdAIcN263PX -1+TIe4IRLhtmTKqfJgbzrt0cSIAsuvI8s78ehsP2eNANdkQjzBAaEiOo75G/g+sd -tWl8gxOhrPKkb07KqcPEfXq4QYk7kV+pWuA2yMiTX5A+oy8gVFBxUp+zbjYeRuW8 -cpHyvbDvdnQ5LGNC/v0rdA== -=Rmch ------END PGP PUBLIC KEY BLOCK----- \ No newline at end of file From 02292085efeba2076a5aa02212a5fc17b4b88a41 Mon Sep 17 00:00:00 2001 
From: kalipso Date: Sat, 22 Feb 2025 19:15:36 +0100 Subject: [PATCH 25/29] [fanny] generate deployment secrets on new location --- machines/fanny/secrets/disk.key | 31 +++++++++++++++++++ machines/fanny/secrets/initrd_ed25519_key | 31 +++++++++++++++++++ machines/fanny/secrets/initrd_ed25519_key.pub | 1 + machines/fanny/secrets/ssh_host_ed25519_key | 31 +++++++++++++++++++ .../fanny/secrets/ssh_host_ed25519_key.pub | 1 + machines/secrets/keys/itag/fanny/disk.key | 31 ------------------- machines/secrets/keys/itag/fanny/fanny | 31 ------------------- machines/secrets/keys/itag/fanny/fanny-init | 31 ------------------- .../secrets/keys/itag/fanny/fanny-init.pub | 1 - machines/secrets/keys/itag/fanny/fanny.pub | 1 - 10 files changed, 95 insertions(+), 95 deletions(-) create mode 100644 machines/fanny/secrets/disk.key create mode 100644 machines/fanny/secrets/initrd_ed25519_key create mode 100644 machines/fanny/secrets/initrd_ed25519_key.pub create mode 100644 machines/fanny/secrets/ssh_host_ed25519_key create mode 100644 machines/fanny/secrets/ssh_host_ed25519_key.pub delete mode 100644 machines/secrets/keys/itag/fanny/disk.key delete mode 100644 machines/secrets/keys/itag/fanny/fanny delete mode 100644 machines/secrets/keys/itag/fanny/fanny-init delete mode 100644 machines/secrets/keys/itag/fanny/fanny-init.pub delete mode 100644 machines/secrets/keys/itag/fanny/fanny.pub diff --git a/machines/fanny/secrets/disk.key b/machines/fanny/secrets/disk.key new file mode 100644 index 00000000..2d0018f1 --- /dev/null +++ b/machines/fanny/secrets/disk.key 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data:H0oMKUXc6C28tHMwSgsppcdfYKEknPIIWGq3Mwk=,iv:lExcGcA4bvwKtqeeG4KS87mWlPBtCSSpOunJMZcQG+Y=,tag:F6Pke7woX/odRT7SMJwVbw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdlQwRFZLZUtGamszckt6\nNmFoZmk3U1JpM3V6MkNZc2Iwd0VlTDJpekNvCkMzVm1qNEYyNEZmQ1o0TG1LRmpP\ncUhiWlB5ZTdjZnBHQUxVblA2V2s4WVEKLS0tIDhiUUdla09WRmR6RWZnbE5XRDAv\nWVV0WW9wMWsrcjdsdkF3NHgxMVFmRDQKeUAVQU/M1DGfAmee6CFvyTr8RkRBWjYk\nK9ceXyJSojHktwr/Xllm1mMm6H2lPbzba/JAyt99YVTD8xO056vu/g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T18:09:45Z", + "mac": "ENC[AES256_GCM,data:5IGtFkE5sGjXJXlXkPdN4e15gxh6QB/z1X5A0149koG3fvOPnoLPEU+DGx1qj9Z/8vilJat1hk7qIBalMPMCn2/T1PIV45Hpvih/kNoszkFMQ9r0EsZMgXgSJClHSg1JaiCiC3LvjsIWHDoESwVx3fqos1ClOLtrzKwptCEUp2Q=,iv:15QS1AwpuUr+EMw5YQe8ogb1Y58nQh4WcFjtzuWtcUQ=,tag:vL9cZRdsPCqaTw42pzRfOw==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T18:08:13Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/WtqMo4CAW5VEqo4vEL7Lj9Z/OY1h0zPF/bdkc9u6x7IP\ngqH60j9iF3n4ae717c4eKf59iN4+4tDk51qb1XdBOw1scn6rTai6KCnqNhiGeZF9\ndKsCZG5LxdbGkEFFw0Q+6W+gV6MiGlD4SBiKpjAsGVGcn42wygfTzpFRRA2Pmlev\nAGSUs5TDmi1IqQsvzYBMBM9+6sdsKhpRalXGS0gFz+wYGPFlK4E1rd6CBKRYEWtw\nm4kRe0nA2Sk4XhVZ39nPtR9rxrhB+d+Qq7AHIqD75SoY8vI+o3UyJ5Cee5MAmMcd\nn0EG24OeThF2p4lZw0iuUgtefqkc21/MoojYP6tfS7s0vGcq9iFjZ8PgUv3IKfrZ\n9EwresYfvhKbocZj2ywPK7iavFCYmqpTzbloGkO0AVfmHpWZRpxneOaGruCwFmGg\nF3qBVTcBSBDF972KDvm/TbKV5NQmRAZuXTrTBh6vgmVcaLN8LTLP3xRQlY28Ng2P\nY5l/5sZ1CGvhfv+G/24n0lgBF7I8pMTfsUEttzPONEY3pRaYyprYxdDlutHI2Kzp\nl0oPBs19rCSn79avQr5fE0mIvqJCoB5HVPkUDjNTaMNSJAywjQEWNITh2GszRTku\nBDvnzA2VnVww\n=aFlN\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + "created_at": 
"2025-02-22T18:08:13Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//bap7Q1HvJJ2KjVMhklTaQ2LG+TITzh0jvaRSXlXG+u5a\n//iWLTov8CH6s6e5I/T7FtslIcBVmyUX9vL9tCgVNMHy0RVG9mmykS0z5/9GY1tY\nEDcOOINQwrmuhWFHvc+9hzKEbLH7heR3ljMw9ouzBgFjEUdhFKJCIW9xrY3a45ue\nwBfaVj0tPNFMq/f/Zu5dDvw6gmYp9ziSMh3GwLNnMBmQDgdSjZJWQr+oa7KKSOM4\nu8ogeqP5Yyf7vDj1he+9TJpG8fdE68boYban9t9rfnyf0cRW7oHkpkwPtKvn9U4c\n4Tbl1RUqfHsTpHX+rxP8w/zgaLbrc0hJO1zxXeeQTOlS/0S1+i5n3pINFwzNXNBE\nIHgIpqOKabfpDFsL/DMIdNQZyr/iD4gHjzSeQPdyd0/4dbFMKPsVzA3JomE9z8NW\nRXz9Htb4Z4fybcPDOLxPkyM0qsEtdfb11U5l7IKuq+2ED5zOFxl+qhZrFz7vY1R7\nyaIM70HUeVCT7p0KZmWgtzjhafI8kTS2Qd7VjIF4Y721rB2opqaOKaCWjp4eeYI2\nE/TGivgRl57KgSF8Y8ucoC6ndsxwgJ4dYt3fos09Rbv1qFrlJftyD7m2kOXnPx5N\n5/2R4h3tiYQqGm727bjTjmGUtxToum3rY4sO0y38Woc+4BK3h/gj3AMir8DI7MfS\nWAE+yxIZH8y+c93zkZy34mEHafc6zPFD3QWuzbXzMGP+EMn710zaWmrVV1X3oLKW\n8lFB5sEX+BJaDgISOG7vgypNA+HtWZnRcB1CnzxboADE+HVAU3d+Bpg=\n=rfB5\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/fanny/secrets/initrd_ed25519_key b/machines/fanny/secrets/initrd_ed25519_key new file mode 100644 index 00000000..003cb1de --- /dev/null +++ b/machines/fanny/secrets/initrd_ed25519_key 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data:7JromtbrVy9ecNzz+uprYJk43wgWypEeMRpN/Pk4BGxxyUATyQwDRC+EyEwFju44vDLBzzpjZ8/gJJl4CeHJJahc50/n44IR8TmCC1DoKCbZ0KnUkHWijDAnW2hIvabonWoGGBusPJOC99VJ4OFNHJkneg0lPmDU812LGw6tQU34LOLd5CowPdD82yNWfmHCDTAwJU26pmmCntfecBQilLyYEXq0UncqkUuIlKLOLdRXwbFGxqu/POZyKEo5Er3dycnT69yanHRcKAEFlmfJ1lxXvbBG4s2bGOzaEXxkI2GjkHuCx7lPfvWAgbX6pS6UQvn7b7JuAojOjNqsnpaO0DBDeD8IfPimHa16TKubO1wcXaJLFRmw196oPnoVZBkd/aZU4XifSPFWAlS47/nIpeP5MRxmvp1WzHoWWtNinmGxxjGnzOVkn4FdbGeB0Af8OtI2PUFY4ghH92ugOWxgFZucLeJ3AjPkzodr4W38ej1F2rE5QVJdKZltQHm7V64KLh0L9OQ3WjWNa1Bf06uhYtIGLCJj/p9M6C2M,iv:Qlpz/Req6OBwjy7WiPyvdARFydZhiUIbwphpRlxuUdk=,tag:ARhK3X2TvdlStlVeUwgsYQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOS9jMmZoNWxrRTl6aVFu\nSW9oTTVkV3NiSGpDTDJNT3dmUWNmSURCYkZ3CnZJNFNEVTNWNEpvcS9NRjFTdExy\na0NNeTByblA3T0JFRXJacHlFTmRPcEEKLS0tIDJCa05LZHo2Rk9xek5Ec1hDODNQ\nOEs1Sk5YbTNHZGFtcmpqaDFKdzRpUVEKiUhTrGp4rXW3hHd8HueZ5v31CXpMACFT\nTq2OaVXUW7yTLFO2E405hQH2ZLS7KzkXeHmA4MZfbsq0ZkriXp956A==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T18:08:12Z", + "mac": "ENC[AES256_GCM,data:cieSOz+0E1tFuRTgiIP9M84eV4bH5lgF4x2bwCGUTi3vG8FSlkk0+EVYjqDokLH7LnRysPO75YlZcuntvnUZYFVWPid/yjgCVR0qlfVbLx6ZUCW6GCNq5993Sa97mI6XjbiIO/yZE1lFqPhd+hev9koDqAGm/SbD9unqPzntBvM=,iv:+4xlcKGalNnR9PujjL54h2E3EnONXi+83g5bNAjFUSo=,tag:1O7lWZUPjPc6NtBqJ+nTxg==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T18:08:12Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/dMSVIuM4gsG06tcN0NvWQgZUO6E8u2M3k3kUU/xk9bem\nSJFtHluWx26V6F08PP5AoDQ1R5Z1RhP7w3JDjVyscb0WuUzDFVTbJLpuPJIX+MOe\nhz8OqLatn24+fK4eMnQFbTELYRPEKicMmoJrFaTXdUOLkynWtxijzRlCif8J1u3e\nqj2fSfPd4SI9ERiGo5MBtHA9A6nwQvboMdnlGvvlAxFF26QL0xqu8jUdllfJ5IT0\n7y3vbGixV/M29MKzt+cJk7Wnb2y5UaZdelsDmxmm4FrIxHaQrAb/kIMiwf6zVCwh\nZFvNwcAPirduvxpcjOV99mJQ3v02mWo/p4Ey3PCwRb1tQYRxiMf7IJ/eAspmiI/9\nwK/2c6ehtBVXlw738JjA+WP36u+5S7CrvzNk6RLd0y76aNvGB6ZCT4rGm1B2DfR5\nguP+RJGcMFzhv55hQNCNUHZ2jvhLvDvSaCjlOaJZBC62gCygtlDqaLtagIO6RwKR\nJdatJCEjio5yD7x1d7PY0lgBVlbkXk8K3e5CN4RdLyoZStShW3uC6dCUGG1OJzPE\n0mfW5y683CcpMATeucHROtTxxrmp+BT5CyP9eBA/CrmTAJVMaWYM/Tb3+nE4Feal\nKlamR+tLaZdj\n=9/53\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + "created_at": "2025-02-22T18:08:12Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9FH3RHkKEo88HEAXYPfJ3tjctUrn6Y1muzgyilfa9R7OC\nBNdSyXP8qU9FaIEEO9cwXKY6hB30l/b42RwL2HS5MWlNZTXZO9XCjV4VpmkIy88y\nkVhxdb2QbGQSBqmfyc9GOvI2LN3jIAE5fy5GuDREKRJPfVJu6x7IbC4j3tT+3Szq\nzOTF+ZfuUlM7FDzt4vAvP2LeOZxYKCg1va6ne7rtXsry9cIotP7fTqm0xPLZ/K+2\n/+HhC2585GdUXratqod1VfUPGyvdyhrn6WV+BAvUA8O8LYO5ZIkgz16vp60XNZEA\nCkjy/kiSlMorHiy7/ZtWHwWPNQbGxVJ/u6XurgzreDT4H5FvfyzvdKTz7IGYNYfZ\nvwMtQDEd3ToP6QUyNGfpZ5eRGb3I+8xNOd3z3XIXYGFYAOPHriGXMA8Y1g21f+c8\nz0QxXXDNXlTt6qdpumfgF/d/UCFJZeuP2t+mVnnp/gkK6yKZlUHD8L8XjkgumxB+\nvFFKOpPbrO+H+L375xZp9OJTINF5QTFkrmT/jPoexCkx9koxNhM0vIKEFE7+gFsW\n5GKQqz0n1HQgbFfdm2Jk7WQqY8r0weGedalYzkfDPlbS0AdCB9Llk/vwu5Tf+hcX\nIMbph8ZwKLzld9MzEplhHwBZ/Gz0Upp1IYj5Ifr50EnlHjBJ+Z8xXWKshJ/6UerS\nWAEiuOmlWRFGWRM5EdrXwh0/dj+ZyXG7unsv+jpNXjOE8eznaH4Kd9/PEmxazbFX\nJ1gtX6JFy+HXID2DJmXng6NxCzPWpo6prAH9IbMebNVQMzbl03Dtyec=\n=WoeJ\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file 
diff --git a/machines/fanny/secrets/initrd_ed25519_key.pub b/machines/fanny/secrets/initrd_ed25519_key.pub
new file mode 100644
index 00000000..6ab17400
--- /dev/null
+++ b/machines/fanny/secrets/initrd_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOywBnc5vmhjQbkFZhiL0BAigcMWVSusrwazxgGwXl6C kalipso@celine
diff --git a/machines/fanny/secrets/ssh_host_ed25519_key b/machines/fanny/secrets/ssh_host_ed25519_key
new file mode 100644
index 00000000..346e6cd2
--- /dev/null
+++ b/machines/fanny/secrets/ssh_host_ed25519_key
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:giFXavSHQsKhN2mES4Ud/wleYLIIELcvH08pCp+vEHw=,tag:xGkXW+0dzci6koXkujCQpw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYlgxeXQzNmtEZXZXNytp\nTnRTRi9nRHJ2bEdPVGhPMzdMY1lPOUpGckFFCkJkL3BVSWlIZ1dBVUliemFWNXl4\ndU9DamhTRUp0aGVwamhWUUZJd3dUREkKLS0tIFNkaGNzc1R5aGxxZWV2QytaRFIw\ndC81MDR5SUlESnNQRlhuR3doTWhYL28KMIMs9mPwVuFr5cEvO6goqf3zQALSO5BB\nrY0C8TfkHLvV57999U9kfyLO7Sm0R/RGS4IinQSCRQWEeR+qLxnEWQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T18:08:12Z", + "mac": "ENC[AES256_GCM,data:+dXI8Hm1FDsB9bD2jli+YpWmcY9j85ezNnNYrQmCRNuPUp1EqAQ1PuXkgTabzImqq8N6f4DMUAnL9+kVM2Fr0SMk3O4N6DbMTIkIBh2jos543DUR4tcE+KCeU4+tqzghArODeRtOzV1jDW6sW89pUfGpSZ2JTRfz+QcybySWQXY=,iv:1jzlnQrUDoENp6+nlsxdDsdeeYg+J03KAm7lRw1bi64=,tag:3QvMHCGTZJdHv0r/eX/JQQ==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T18:08:12Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+P8Y3rBJAAI2orY71hRSpCAJo/x4CUColQZf9xK4ZgYQ3\neW/15avJVso26mYiZJsTPaEczJ89igYKDrf8Ewi8NNNTmse/BO+BG8KX13QOSWKb\ngiRXMl6zpQwH/cmCXvUrDczjcUaG3vMpcWClfd3lfjEStVEzNB+OKCuRLxhKGYPn\n3HZ3Ypa97ei8uHMKbnloGigUouVKVCCLIqyrJCybQ2+UkOMzcMJpO96RMooWQOUJ\nU+0rLS2s3r8UnwQjEcedEITlmiTlZkTrUnUylcc22v3yVJh3UExCcoVWShqPUE2j\nJv667rq1EblbIzn/8vyMXxOoSYmrLJ+hgh6OXio5bbMUwd/7m6Zz2jEeTXbJi20/\nEl2V0Lu4pTWXhXxh+Y0MIdh2tHMGGWmHBk650e0M/JbnchxK5+9GblWkfzMV8scX\nPpDScHH+cqNPIsvtq/aYGSv5o2u5JfndEuW16cWU99mgYvX7rwwbRbI1zWVX5o9o\nQ6dqJGZEbtE0QilOKxiI0lYBTrDySzaWLTAngd3myVMvFBQ/K6VL7mXwJvDYgOcJ\nxHIExrd191e5eLr5MGQAzXaVietENN27aEDPw5WV9bmXoAKp/4muJnfOB/wBSjCw\nlutnbF0yLg==\n=MqvI\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + 
"created_at": "2025-02-22T18:08:12Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//UvOmGlNKLrRg5fXmc/paHF7YVFCGuBa0epuiVsVkS6NX\nQoa57oBJS0y22/dh/fb8Nu7/bMpa9XpPwfgzqhi7+5V/y51lvAIKmrYqNTnGdKB1\na9aiX0yxK0d5Yh0RK+9/2Q+369152mZXx+9Oj3SM8396bcfvTFX4jbhGdnKPqalW\nB1OO8HfYFAu4yl11uVD5cHSdhvXKJOa/GZPkb3TK2kicUdNX3HnZJ3PPGrkOy2EU\nuwFOIVIdNp2MUDFW+V2Nso/NiGcR96uKk5ZhGJaYrXjDDMNHyoLWc0d8wEg3n1Vw\nXOSNLmkSFY39ExKRWu8sijSyZIYN+Ul4t4WdO1Puop01xGTfAkYVQOLC+H4unu3q\ngboyNZCSuZXgG02B8ph/tLlAQ78d70YAf0nxkvzQB6TTNfQ4nyp8QnUJDkwaAnvl\nxDqDDhJBjlfIpqNLT23caKqgt1hSLv3Gcb486D8ZC+6nNuefCsxop82FaUMvL1uf\nWPMcAxMyv4REO8l9V5CDn1+6i+iPyN/Mo+hpwco+sYNZMlSs9PcNKILWZg1gv6q1\nU04IyEPym9VkI1jFte4dsljlp3C2R+l1Ikv5OB6dNpnnMVnTgkDwE0vqvsSTIwbS\nYvFoWBAsRlHMFLLfA6QjRyZpWemHBjrpaqBbIJEkZQnKM1IWdIg6cGOx+mFo1MzS\nVgEePpJj/PECZpH9PQPlv/FrkHa7zC/Fi0BOPposmuQgOUTq3sA5TLYNqPOH2Yn9\nHeQCGXpIeM08Pa3BOQRWDYM2vZPZpf3cBB7VK9zmcGEdE3NZxoBG\n=p1XC\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/fanny/secrets/ssh_host_ed25519_key.pub b/machines/fanny/secrets/ssh_host_ed25519_key.pub new file mode 100644 index 00000000..a258d8c2 --- /dev/null +++ b/machines/fanny/secrets/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvdnpvwSD1EEStciMitKahPlysD4L95bcwOuY4wV/6I kalipso@celine diff --git a/machines/secrets/keys/itag/fanny/disk.key b/machines/secrets/keys/itag/fanny/disk.key deleted file mode 100644 index c33bd83e..00000000 --- a/machines/secrets/keys/itag/fanny/disk.key +++ /dev/null 
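Review bot: The public key committed in `ssh_host_ed25519_key.pub` is a different key from the deleted `machines/secrets/keys/itag/fanny/fanny.pub`, so anything that pinned the old host key has to be updated in step with this commit, and the commit does not touch any such consumer. `add_new_host_keys.sh` (patch 26 on this page) derives a machine's sops age recipient from exactly this file via `ssh-to-age -i ./"$hostkey".pub`; if the `&machine_fanny` entry in `machines/.sops.yaml` was produced from the previous host key, it presumably needs regenerating and the host's encrypted secrets re-keyed (`sops updatekeys`) before the new key is deployed, or the host will no longer be able to decrypt them. The same applies to `initrd_ed25519_key.pub`: known_hosts entries for `fanny-initrd` on operator machines will mismatch the new key. The private halves are sops-encrypted to one age recipient and two PGP fingerprints, which is consistent with the other secrets in the tree; only the `.pub` files are in the clear.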
@@ -1,31 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:xmMPJyp3y9XI2QsWJniRM+Nds4Y5zoqb5QSJqZo=,iv:KRLS4JYN2OVmbbLe8DCD0xW8VVnbmYN/MfZNp7eOS2M=,tag:FV1Qm8Wr5fbpJ+ovAK+uaw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ1EwOGcxazlIcy9mdmkr\nMzJCcWkxQXFEQ25sUU1HUFJqSEE1b2M2QmxVCm1hWWExbWtJdmxjMk1VUE43ZkNR\nNmRpdGNPNURwdjJkaXhxcjNxRFFiSWcKLS0tIHB5Y2NWM0pCbGdtTGRUV1hyVlVs\nZTRsUnZoUnN6cHNPTWF2SzhxUUJ0aVEKzchgMPjpDAX7NUTSxUYxoKLoOh7+X9GV\nxrarnXswpSV/bfR4w4x+DmoocG7TbdH+UvCTsg3LtdjWmfpjK/c8Kw==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-02-22T11:49:56Z", - "mac": "ENC[AES256_GCM,data:WKZIdINWSCn9ZOtsnLQ9dXCOdG49Ltf7/G91zEuj88+nvQC4+WTLCCXBGdhVBamV1PWHYnFvZbiXKJ/VFdN3EDZeW9r6cXuF2PEveOn6Bj1bYi0WrzFRfxxvt56AM9j/0D5E1hE9rp2yAWg5V4E3nIGT+rVsOczMk1+Yx4Q8NCc=,iv:DKD+E5yeFJrARfP5Qw6I1Cn9lvvHUHHok+3l8dyzVcE=,tag:lCBrrqfFxvtldBfbha99vQ==,type:str]", - "pgp": [ - { - "created_at": "2025-02-22T11:49:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/Xn1mh8ojou0/ntHLA+iNzYf6vsJVoWB6Cfh/WL9s/Vxn\nJWhvIzo+blJnoMJMsRPx4wiIuAjT2KkJko5v8Wr9pzzOAqOCghk+8YYnpC49PpCA\nhT8Yuu1v53Ycomwj1IdZj6GWeIkuLw2N4ZVqh1vZnvTT1tWltxmp9lhb/cWP+ze1\ngzIO7wqd9hisX9DVl4IVV/q8QVIfhWR2dMX+xgRcEssAjQu/nFGv88i6NJQsbIwm\nKOlUI3QJ49DEVFxH6Z36ZhUpdszHKi3IPg2IqtpfDicU807rQ3VihM9abkhp7cY6\ndvxW2rMijahy2IXuvGyTuwh9ow4bHXWBQgEkaFo8eKCx/KnR5shpR3/0CdegU45H\nGF/RhIq5wC4lMXy5/O3pgb5QPItcOB4ke+s48sGdxWWyXkp3MLXS1NblEZ6K9xTm\n/1GUcpCeoePWMeNmPgdeEcQL8jBxBol2wP5cXl4Ov86wegd0O56lVi6L2jqhgYiZ\n+SMhqmsMqZFVJWExkyX00lgBzFNsLWpT+KGuesodu9mtbYJ/s7Pz7+d+apgtzLI1\nGyjD9TDyZQUmM4El7SbZ/KNniRhR2Rnthg1r/cAcMYSyOnRbM/n5t5ynUc8vzr4y\nIPGXwW3pEoOh\n=48Pd\n-----END PGP MESSAGE-----", - "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" - }, - { - "created_at": 
"2025-02-22T11:49:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//S41vk86ETjZa/AI9N5rS/RnPk3SuvGCiFxVkPl+ScY+j\nMOIqQFr55JpZm2Tb2nYA07yzW0b9q7jnVDt1dGp1MEC9QZZj1dEoZNGU+UjLhD3F\nDW9/NLeoJ2+D2rSxQmIwWdMqw3XehZDXvcicmKprtSK1MThV1cy5BITTStoX+qSQ\n4pFg7AVJij7+mtEK6pdV3S9BT1R27X9fanm4v785MEB+KERhe+5rQ7QR33Ohrotk\nqp6FqQJRAkc2ea+SFLRp8q4oIKK8lIoVv2mos/RUyBMf1HYPERohvqBjOF7oUjHt\ntOGGb+TLpVicPEsrAiNG5krfLCcI8vZeqkZQvu3YZx1zopYrW1mQuW1/kedFqtpc\nN6piYNz7KaYX0zpCJv1YQN8z1YOc+9LxTIemDUNt3zEYwrehi/DeXMt+Np+U0PKq\nSmfxRiMnbTT14la8mUa4Uov6KNUhzLgDVm8z/6XuM4qqEPw1ApG2UT+n5swZeqhN\nXBIAdSfybLW6vGhIOJduiI7LbQOADcEqlwiMDM4WMtG5acM/MLFQVQzP0DnQeIYj\nlNeGxT0m92ZfhwPupJG8PlC4dAANU3anBVGtMGn66aAEoVq/5RdOI9Iw8z8FIvnq\nN4Sef+5eqJuNeFdvxWG4IP6mrU1BmeWTXgI59aifSPUc0vrviYD6eRYCuI1NySLS\nWAHY6GESDXqeH6mlUryle6HSnJD43faFNkdlUaEBt0tH4ij2OvM5s8XTnr03hPnT\nYOHSVh6PVF2wwgV+JJuy7Nfj1+ylZCl2G61GO4QXtLexeWpPSzbo3Hw=\n=A2Pv\n-----END PGP MESSAGE-----", - "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.9.2" - } -} \ No newline at end of file diff --git a/machines/secrets/keys/itag/fanny/fanny b/machines/secrets/keys/itag/fanny/fanny deleted file mode 100644 index e497201f..00000000 --- a/machines/secrets/keys/itag/fanny/fanny +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:BdRM22/SMiHrq4SWVZTIpYPy/eHS1Kc/XxYj49Jf3H4=,tag:QdIwNFO7PnChvhWJAYNONw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYVnRlb2x4SGdPbWltWVUy\nZEl5OC83UldXMjEwOUdTNTFWMytYejFVRkI0CldKN0F0MUp6U2hnRUJQaGZKbzJR\nZFByOHRwbWgxTlJndGh3NWZIR2FKbmsKLS0tIFNjNDVHWjZNYlRCY0tQRlVtTlQ2\nMTlUVFd4dEo4dythYVV1WEQ5dWlEQTgKYqoEes44TbflFTFBzNwEVP9DDHtkmhfn\ndCFBPhBTwuoFKai3kOOX/E9gEOwqY24HAqKdeyiO2VXrL8JKEazggg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-02-22T11:49:08Z", - "mac": "ENC[AES256_GCM,data:V7B26cct1W4ihesyVxpAI8AvMXSy7dd0hWFdYqWtzKkCN73au2V3h1DilOiNn3gclFhL9Crw38iNUtnGeHscGLGrNbwkyCMDj1KXKl6wnSYdFkw9XD+PnRwYq7hMTTLIH19nqBg+K9tjaDEkK7y8WygUHfknxJj5D4bURgl/jow=,iv:/f3GXl6o2oxRJjIJEpYN5T5x9q4acxFqqakzBRG4hlg=,tag:G6F9hXdO9BoXZ2eXaEG43Q==,type:str]", - "pgp": [ - { - "created_at": "2025-02-22T11:49:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQwAk5+mzJ/KJX4bxyb5w8dUiLXilBMJQiBxQZWsC8Q+G5v6\n9LGMMWPrQeLuTHkNe9FpddIUixjuFox1TJxaph3t+DfamR3yPdUYDuRckc9iF+jZ\n4oa8txJ9oWoEYx5QlxCCricSxomC9LV4DcBKQ2gyXnAeX2Wwe5/3uw+S/KyHZM+y\n9flO7qIVQk8MkVzZOc2KVCyvUL1UnAwgXzR1OmznpGBiZpaipCmXBs/elncxViry\nrmgA/+Aob37ChXQk5mVQLyrV+E1M+u1PwigML7PbbE3WpBVgpbb+MH639nBC/rTV\n+B70BaayFdzvUln4OFonfvsvPQEynmE1rfJRUavvAQDORHHmmbOKdWWVaYHDlp4Z\nAgYI10mnnFBpm2Qd/EjBa2a1CWboaGCaz/KldTzjp+TxW0GVf6WQ5SKlqZj3MdGM\nVS+91ph2LaRCTB5WObTX4KKDiwwoRAB+0A4ewu5ttsmeuhTy3o/r1Liu/UBdaL6i\nA9t59cMopIL6YXRD1YwF0lgBHtGC/KGsnZjC4dscoU2eTfmJ4rFx9vmc8I/JaO+h\nNDoFnd0sk2FQhnMvAN16U8HurfAzbHiqf3utEcMOg0bPw43Q/8g8JgUAaxqkJIQn\nn4fqE2GFjBqJ\n=Eivh\n-----END PGP MESSAGE-----", - "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" - }, - { - 
"created_at": "2025-02-22T11:49:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9Hy7wKpuAeKotD/HBoM+aptxnKiExf7mphpdZZ1sr8fHE\nDDdVehwhFxsxLkcIwh+dj35KswHw6aMzyQGj4bYsxSmsFKscATknsklR1UATWfSw\np3hVjNFCZ+yd+uzSJnfTkldTcaJiN9MxPmaOMd4e7Ui5k7dcYo0/FD5AZQZMjKDO\nQYUsUASWLHWAoiS7nnFrbaFvXKAPS4wOsB2T263QsoZyEvpQIgWP6lb9kS7V4ftZ\nxetGJFIk2hanYfdGXZy3TiHaJO+fESpVYmp6YykDqeZqZkWB59aeWVL/7Cz7H/wj\n4RU9RWBMbXGjPz+5WMo7X7kLrJgLAWywch6bM2fktkadG9n2tAa/FISysR25qtmQ\nzJtwCY8j26ZZJdc/FEA6dYwIYeGZ0BwV91dPaEotAtgSVpSihdXI/DzE9T9OjWuQ\n1c2sCjVJ7Kw19uCHLaZg+Tvob0RQJu5mnKPnLqinpxDn6Vf/nxIU80gFsPPr4f2T\n627iBaQOaMxdxHLV8r16WrNzBRj28sPZDBlGQ0HouToO2dn3uN+onQGszRAAIadJ\nZMo8SoWCdx+xiDK0S5oxnoxfk2QMAW75qyFiR373axb6HgMMSpJSG8TE+vg9++oa\nE7dddc7nq6ZnuhRNDn9V6cam8hfkFvKwRCeul1Yg5qZn5qI9H0/glR+KisKZVK/S\nWAF/XJucPmK9gsScxB4FgfKmpZD0cJkKmwndB5Idc6waRrjHxFnLFTFxbUnUD2KC\n198dZo7Y4ftOIWKHCY1R4RWhsmIUX5XzxwEnYSzy0pta/uyaqwa6sWs=\n=wi7r\n-----END PGP MESSAGE-----", - "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.9.2" - } -} \ No newline at end of file diff --git a/machines/secrets/keys/itag/fanny/fanny-init b/machines/secrets/keys/itag/fanny/fanny-init deleted file mode 100644 index 98516885..00000000 --- a/machines/secrets/keys/itag/fanny/fanny-init +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:6IIpVx4Dtrn+uahiH3kZHy6bmBj9ti1UiswKwAe2qZE=,tag:hGJkYXIarS+QEwJiHVmP/w==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMXJSeTFQdElLc2FKVFlG\nTjdlOGZHaUZkNjMzZDJTcXh1ZjF2bVpzRlU4CjdiS3NYeDZyNit1OCswSjFWbWJU\nT1BTNWFsRnpQWjZGbzJFV05tV1lNS2sKLS0tIEdrb3JOMUFRMkdIdFUwK0dHSXRQ\nbmtCVEJjRllnMHZFNkJ2UndBcXlaQkUK9bHFPsVaZovR4rGuQ6GfqAvZxNKqVhC5\nHybQWv1PCoaNOvQbtBgCxMlV8HOJfwe2EgysJErvriXeyVad5+zY2g==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-02-22T11:49:08Z", - "mac": "ENC[AES256_GCM,data:IFctz/f9I9vcWN82u3qta+o/oILTHpCScSezHwt0ifsENnUQLz+uAmpMs+ok1ZR5+20XpEq4C7f1s4n2h8dijxsPuE/IOQM7rvwjoVPsM/0XUglDK3Vc5u1oooGpLJg1PchwWGOAlKQHun3mh4j/bz5UMpD8AWC++NLPE1Hr0Jc=,iv:y0aD+4iLSKedGAjZP1SygyzzIE0/SHWcOUS/aghzrII=,tag:01dQZoLlz0w5dE3DePwjbA==,type:str]", - "pgp": [ - { - "created_at": "2025-02-22T11:49:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv6A4kG9S33l07+BwNeUsDZVrzRTP2Gz5F679VKTBrr96t/\nTJaa+FlCWDU3DczaC18Y6yIyU22+97xqQ4WYnno0h7bF2uhjbyXjp3JV5na7BgGe\nn3V6p0yJcBM5XfrJRuKghEB3kHddQIcVR8JurWrynCKy1C4njR6pJDA3pqp9PReP\n0ubTiJqAwJfx5hGSAjSDWitQ2vpubowCXssqyh9S2P07H5u8HHbLRyJGgvl/LgTR\nEe2EUh7KrTMT6cCXBHAPSK2bZgwP667bhEOJzuCpknG4/Q7EtVQzjKaXGrDR0vMi\nIwA7knQ0UMeRCa/jSSPYUbscMJIb5+wh0rnPfWGGgtVshdd6YtuETBnqZsjUETXd\nsXdem+UoMEN6Co1ABzHEeSGT7y6D8OghoodofLBvgf5TduiX5Pqceo7SkfXPN/3G\n4fqg+e+VTT63Jwp7rk+ekRJYPkHNoB5w0VIrvsyBPlDUhEVywKWJTfzu8905hkVP\ntsQEoJxkpT27PFACoxZ80lgB/9kyQKvsRG9kl68osivg2gIB/13+4TjMdS+x3ycL\no5QnE0D/adRJHpDRwuPfzGyRwFWT8bHFEpw8qErLEWaXh27QMStOgr2By2PsOFTP\nAtJo/wheNGMb\n=qa04\n-----END PGP MESSAGE-----", - "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" - }, - { - 
"created_at": "2025-02-22T11:49:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9F41AW+ruudLanRh8Rn8rHJRfGpdhv1oFkFRIK+Z/2oGr\nMGMm+2EPhCHCMp2tFJRm0HwZruGJda31iFNbaFSqHmTlqWfEMoEj4ztcOhe1vFG/\nhqtp39DawyHb/1AXPHvsuwbucEf/DH9gflXgbnBrZQ0K+7FiOSnXNi34YByKipbI\nbGg+8PV1iYXw0vuLgERy5aP20zyvr+sg53jnr8RR98A2E7VWg2YNfxEOKxxQczxe\nlgblSVqLLmEKAJcE3JWY6c5HR5Xlt4Y02JrAYD11qD21hmtS8plEZ70kiz4elgMU\nkWxM1HSm9Tyq2I5c9v8uk8VOCfEYE+glASJKtyHtyzDJRJcKwvaE8SqStlfoGot6\nKiJ4flqGapTOkJtOvR7FczO7T3j19Ga62dUvoHrei9Q0FYcyG70/lvTWEJy4/jYg\nOk5QJyseRhrDhcLKg9nUbuSfYhXtJc9C/S8B1n/bwjO1O3vslkewFAnhBIqweh1D\nnHjrSHsssrpkeyefmjVh7NiQZtn122hnPnIz5B62is27MD+m8qWWoWghc5lzsw5S\nCGBRY8l+vvGca1TZFJX1JO/L6vhdN4qd/H4IWRmj1oSR8qtQ6SKbt1UmQtB2BtPg\ncqlRCn4x2ORpRgwAIZtD6GFUFUjUduz6LpaxG2tpnmZcQfPAF7YYjjpR07oPIg3S\nWAGomgQyyubfDCH/tM0RwuTlMX4hkMtlKyMDuOHuZVxWZqoh/utGazasBogGm6zK\nIz0nKh+z0w0nv9kGzalq9L+ek0A07ylIlakSaR/vxh2ZaKHojBEEPh8=\n=1EB6\n-----END PGP MESSAGE-----", - "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.9.2" - } -} \ No newline at end of file diff --git a/machines/secrets/keys/itag/fanny/fanny-init.pub b/machines/secrets/keys/itag/fanny/fanny-init.pub deleted file mode 100644 index 31efbb07..00000000 --- a/machines/secrets/keys/itag/fanny/fanny-init.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEY60NKfdjFiXNvl1r4mBcXKADHA80laxio+qN6izevN atlan@nixos diff --git a/machines/secrets/keys/itag/fanny/fanny.pub b/machines/secrets/keys/itag/fanny/fanny.pub deleted file mode 100644 index 9a6c5900..00000000 --- a/machines/secrets/keys/itag/fanny/fanny.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiKzGgQVfvfSqhdWNqkhTWd8gfJCVoyYoe9zh1LATsC atlan@nixos From 2297dec03d01b51aec2569355f632b88249a6dde Mon Sep 17 00:00:00 2001 
From: ahtlon Date: Sun, 23 Feb 2025 13:16:17 +0100 Subject: [PATCH 26/29] [scripts] make pwpath consistant --- scripts/add_new_host_keys.sh | 17 +++++++++-------- scripts/unlock-boot.sh | 10 +++++----- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh index b8db4770..8fcce666 100755 --- a/scripts/add_new_host_keys.sh +++ b/scripts/add_new_host_keys.sh @@ -16,16 +16,17 @@ if [ ! -e flake.nix ] done fi -pwpath="machines" -hostkey="ssh_host_ed25519_key" -initrdkey="initrd_ed25519_key" -read -p "Enter new host name: " host +read -p "Enter new host name: " hostname -if [ "$host" = "" ]; then exit 0 +if [ "$hostname" = "" ]; then exit 0 fi -mkdir -p $pwpath/$host/secrets -cd $pwpath/$host/secrets +pwpath="machines/$hostname/secrets" +hostkey="ssh_host_ed25519_key" +initrdkey="initrd_ed25519_key" + +mkdir -p "$pwpath" +cd "$pwpath" # Generate SSH keys ssh-keygen -f $hostkey -t ed25519 -N "" @@ -45,6 +46,6 @@ echo "Hier ist der age public key für sops etc:" echo "$(ssh-to-age -i ./"$hostkey".pub)" echo echo "Hier ist eine reproduzierbare mac-addresse:" -echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' +echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' exit 0 diff --git a/scripts/unlock-boot.sh b/scripts/unlock-boot.sh index e00afc8e..b0d82706 100644 --- a/scripts/unlock-boot.sh +++ b/scripts/unlock-boot.sh @@ -2,7 +2,7 @@ set -o errexit set -o pipefail sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T" -HOSTNAME=$1 +hostname=$1 if [ ! -e flake.nix ] then 
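Review bot: `cd "$pwpath"` in the first hunk of `add_new_host_keys.sh` has no failure handling, so if the directory cannot be entered the following `ssh-keygen` writes the new key pair into whatever the current directory is; whether the script runs under `set -e` is outside the hunk, so guard it explicitly with `cd "$pwpath" || exit 1`. The value from `read -p "Enter new host name: " hostname` is only tested for emptiness before it is spliced into `pwpath="machines/$hostname/secrets"`, so a name containing `/` or `..` creates the secrets directory outside `machines/`; a whitelist after the empty check, `case "$hostname" in *[!A-Za-z0-9_-]*) echo "invalid host name" >&2; exit 1;; esac`, keeps the path where the rest of the repo expects it. `read -r` would also stop backslashes in the typed name from being interpreted. The second hunk and the `unlock-boot.sh` hunk on this line are renames only.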
@@ -19,17 +19,17 @@ if [ ! -e flake.nix ] done fi -diskkey=$(sops -d machines/$HOSTNAME/secrets/disk.key) +diskkey=$(sops -d machines/$hostname/secrets/disk.key) echo if [ $# = 1 ] then - echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root + echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root elif [ $# = 2 ] then - IP=$2 - echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root + ip=$2 + echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root else echo From 251fe62574d5725543076db3bf0749ebabcedfbe Mon Sep 17 00:00:00 2001 From: kalipso Date: Sat, 22 Feb 2025 21:11:22 +0100 Subject: [PATCH 27/29] fix host_builder.nix tabs --- machines/modules/host_builder.nix | 238 +++++++++++++++--------------- 1 file changed, 119 insertions(+), 119 deletions(-) diff --git a/machines/modules/host_builder.nix b/machines/modules/host_builder.nix index c75f6f08..d1fc74de 100644 --- a/machines/modules/host_builder.nix +++ b/machines/modules/host_builder.nix 
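Review bot: The renamed `echo "$diskkey" | ssh $sshoptions root@$hostname-initrd ...` and `root@$ip` lines still send the decrypted disk passphrase through a session whose options (the `sshoptions` context line in the previous hunk) include `StrictHostKeyChecking=no`, so whatever answers as `$hostname-initrd` or at the given IP receives the passphrase without its identity being verified. Since patch 25 now commits the initrd public key as `machines/$hostname/secrets/initrd_ed25519_key.pub`, the script could build a temporary known_hosts entry from that file and pass `-o UserKnownHostsFile=<tmpfile> -o StrictHostKeyChecking=yes` instead of disabling the check. Independently, `$hostname` and `$ip` are unquoted in the `ssh` arguments; `"root@$hostname-initrd"` and `"root@$ip"` avoid word splitting with `errexit` on. The `else` branch at the end of the hunk continues outside it.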
@@ -105,135 +105,135 @@ rec { inputsMod = inputs // { malobeo = self; }; - vmMicroVMOverwrites = hostname: options: { - microvm = rec { - mem = pkgs.lib.mkForce 4096; - hypervisor = pkgs.lib.mkForce "qemu"; - socket = pkgs.lib.mkForce null; + vmMicroVMOverwrites = hostname: options: { + microvm = rec { + mem = pkgs.lib.mkForce 4096; + hypervisor = pkgs.lib.mkForce "qemu"; + socket = pkgs.lib.mkForce null; - #needed for hosts that deploy imperative microvms (for example fanny) - writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store"; - volumes = pkgs.lib.mkIf options.writableStore [ { - image = "nix-store-overlay.img"; - mountPoint = writableStoreOverlay; - size = 2048; - } ]; + #needed for hosts that deploy imperative microvms (for example fanny) + writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store"; + volumes = pkgs.lib.mkIf options.writableStore [ { + image = "nix-store-overlay.img"; + mountPoint = writableStoreOverlay; + size = 2048; + } ]; - shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ] ++ pkgs.lib.optionals (options.varPath != "") [ - { - source = "${options.varPath}"; - securityModel = "mapped"; - mountPoint = "/var"; - tag = "var"; - } - ]); + shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ] ++ pkgs.lib.optionals (options.varPath != "") [ + { + source = "${options.varPath}"; + securityModel = "mapped"; + mountPoint = "/var"; + tag = "var"; + } + ]); - interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ - type = "user"; - id = "eth0"; - mac = "02:23:de:ad:be:ef"; - }]); + interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ + type = "user"; + id = "eth0"; + mac = "02:23:de:ad:be:ef"; + }]); - #if networking is disabled forward port 80 to still 
have access to webservices - forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [ - { from = "host"; host.port = options.fwdPort; guest.port = 80; } - ]); + #if networking is disabled forward port 80 to still have access to webservices + forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [ + { from = "host"; host.port = options.fwdPort; guest.port = 80; } + ]); - }; - - fileSystems = { - "/".fsType = pkgs.lib.mkForce "tmpfs"; - - # prometheus uses a memory mapped file which doesnt seem supported by 9p shares - # therefore we mount a tmpfs inside the datadir - "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce { - fsType = pkgs.lib.mkForce "tmpfs"; - }); - }; - - boot.isContainer = pkgs.lib.mkForce false; - services.timesyncd.enable = false; - users.users.root.password = ""; - services.getty.helpLine = '' - Log in as "root" with an empty password. - Use "reboot" to shut qemu down. 
- ''; }; - vmDiskoOverwrites = { - boot.initrd = { - secrets = pkgs.lib.mkForce {}; - network.ssh.enable = pkgs.lib.mkForce false; - }; + fileSystems = { + "/".fsType = pkgs.lib.mkForce "tmpfs"; - malobeo.disks.enable = pkgs.lib.mkForce false; - networking.hostId = "a3c3101f"; - }; - - vmSopsOverwrites = host: { - sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml; - - environment.etc = { - devHostKey = { - source = ../secrets/devkey_ed25519; - mode = "0600"; - }; - }; - - services.openssh.hostKeys = [{ - path = "/etc/devHostKey"; - type = "ed25519"; - }]; - }; - - vmNestedMicroVMOverwrites = host: sopsDummy: { - - services.malobeo.microvm.deployHosts = pkgs.lib.mkForce []; - microvm.vms = - let - # Map the values to each hostname to then generate an Attrset using listToAttrs - mapperFunc = name: { inherit name; value = { - specialArgs.inputs = inputsMod; - specialArgs.self = self; - config = { - imports = (makeMicroVM "${name}" - "${hosts.malobeo.hosts.${name}.network.address}" - "${hosts.malobeo.hosts.${name}.network.mac}" [ - ../${name}/configuration.nix - (vmMicroVMOverwrites name { - withNetworking = true; - varPath = ""; - writableStore = false; }) - (if sopsDummy then (vmSopsOverwrites name) else {}) - ]); - }; - }; }; - in - builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts); - }; - - buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules { - modules = [ - (vmMicroVMOverwrites host { - withNetworking = networking; - varPath = "${varPath}"; - writableStore = writableStore; - fwdPort = fwdPort; }) - (if sopsDummy then (vmSopsOverwrites host) else {}) - (if disableDisko then vmDiskoOverwrites else {}) - ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [ - inputs.microvm.nixosModules.microvm - ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? 
services.malobeo.microvm.deployHosts) [ - (vmNestedMicroVMOverwrites host sopsDummy) - ]; + # prometheus uses a memory mapped file which doesnt seem supported by 9p shares + # therefore we mount a tmpfs inside the datadir + "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce { + fsType = pkgs.lib.mkForce "tmpfs"; }); + }; + + boot.isContainer = pkgs.lib.mkForce false; + services.timesyncd.enable = false; + users.users.root.password = ""; + services.getty.helpLine = '' + Log in as "root" with an empty password. + Use "reboot" to shut qemu down. + ''; + }; + + vmDiskoOverwrites = { + boot.initrd = { + secrets = pkgs.lib.mkForce {}; + network.ssh.enable = pkgs.lib.mkForce false; + }; + + malobeo.disks.enable = pkgs.lib.mkForce false; + networking.hostId = "a3c3101f"; + }; + + vmSopsOverwrites = host: { + sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml; + + environment.etc = { + devHostKey = { + source = ../secrets/devkey_ed25519; + mode = "0600"; + }; + }; + + services.openssh.hostKeys = [{ + path = "/etc/devHostKey"; + type = "ed25519"; + }]; + }; + + vmNestedMicroVMOverwrites = host: sopsDummy: { + + services.malobeo.microvm.deployHosts = pkgs.lib.mkForce []; + microvm.vms = + let + # Map the values to each hostname to then generate an Attrset using listToAttrs + mapperFunc = name: { inherit name; value = { + specialArgs.inputs = inputsMod; + specialArgs.self = self; + config = { + imports = (makeMicroVM "${name}" + "${hosts.malobeo.hosts.${name}.network.address}" + "${hosts.malobeo.hosts.${name}.network.mac}" [ + ../${name}/configuration.nix + (vmMicroVMOverwrites name { + withNetworking = true; + varPath = ""; + writableStore = false; }) + (if sopsDummy then (vmSopsOverwrites name) else {}) + ]); + }; + }; }; + in + builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts); + }; + + buildVM = host: networking: sopsDummy: disableDisko: 
varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules { + modules = [ + (vmMicroVMOverwrites host { + withNetworking = networking; + varPath = "${varPath}"; + writableStore = writableStore; + fwdPort = fwdPort; }) + (if sopsDummy then (vmSopsOverwrites host) else {}) + (if disableDisko then vmDiskoOverwrites else {}) + ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [ + inputs.microvm.nixosModules.microvm + ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? services.malobeo.microvm.deployHosts) [ + (vmNestedMicroVMOverwrites host sopsDummy) + ]; + }); buildHost = hosts: (builtins.mapAttrs (host: settings: nixosSystem { system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux"; From f0e25ab64cfdb09a8e640681ead02c8b4ddcc48e Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 25 Feb 2025 17:40:37 +0100 Subject: [PATCH 28/29] [deployment] set hostname in pubkey --- scripts/add_new_host_keys.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh index 8fcce666..df94d2f6 100755 --- a/scripts/add_new_host_keys.sh +++ b/scripts/add_new_host_keys.sh @@ -29,8 +29,8 @@ mkdir -p "$pwpath" cd "$pwpath" # Generate SSH keys -ssh-keygen -f $hostkey -t ed25519 -N "" -ssh-keygen -f $initrdkey -t ed25519 -N "" +ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host" +ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd" #encrypt the private keys sops -e -i ./$hostkey From ca246861c341cbe577db59f0b5354c2f835693b0 Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 25 Feb 2025 17:46:55 +0100 Subject: [PATCH 29/29] [fanny] set old ssh keys --- machines/fanny/secrets/initrd_ed25519_key | 6 +++--- machines/fanny/secrets/initrd_ed25519_key.pub | 2 +- machines/fanny/secrets/ssh_host_ed25519_key | 6 +++--- machines/fanny/secrets/ssh_host_ed25519_key.pub | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) 
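Review bot: The new `-C "root@$host"` and `-C "root@$host-initrd"` reference `$host`, but patch 26 of this series renamed the prompted variable to `hostname` (`read -p "Enter new host name: " hostname`, `pwpath="machines/$hostname/secrets"`; the `cd "$pwpath"` context line here comes from that change), so unless `host` happens to be set in the caller's environment the generated keys get the comments `root@` and `root@-initrd`. The two lines should read `ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$hostname"` and `ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$hostname-initrd"`. A `set -u` at the top of the script would have turned this into an error instead of a silently empty comment; the comment is informational only, but it is what identifies the key in known_hosts and authorized_keys listings, which is the purpose of this change. This hunk is part of the top-level script body, which continues on both sides.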
diff --git a/machines/fanny/secrets/initrd_ed25519_key b/machines/fanny/secrets/initrd_ed25519_key index 003cb1de..27b9b1b2 100644 --- a/machines/fanny/secrets/initrd_ed25519_key +++ b/machines/fanny/secrets/initrd_ed25519_key @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:7JromtbrVy9ecNzz+uprYJk43wgWypEeMRpN/Pk4BGxxyUATyQwDRC+EyEwFju44vDLBzzpjZ8/gJJl4CeHJJahc50/n44IR8TmCC1DoKCbZ0KnUkHWijDAnW2hIvabonWoGGBusPJOC99VJ4OFNHJkneg0lPmDU812LGw6tQU34LOLd5CowPdD82yNWfmHCDTAwJU26pmmCntfecBQilLyYEXq0UncqkUuIlKLOLdRXwbFGxqu/POZyKEo5Er3dycnT69yanHRcKAEFlmfJ1lxXvbBG4s2bGOzaEXxkI2GjkHuCx7lPfvWAgbX6pS6UQvn7b7JuAojOjNqsnpaO0DBDeD8IfPimHa16TKubO1wcXaJLFRmw196oPnoVZBkd/aZU4XifSPFWAlS47/nIpeP5MRxmvp1WzHoWWtNinmGxxjGnzOVkn4FdbGeB0Af8OtI2PUFY4ghH92ugOWxgFZucLeJ3AjPkzodr4W38ej1F2rE5QVJdKZltQHm7V64KLh0L9OQ3WjWNa1Bf06uhYtIGLCJj/p9M6C2M,iv:Qlpz/Req6OBwjy7WiPyvdARFydZhiUIbwphpRlxuUdk=,tag:ARhK3X2TvdlStlVeUwgsYQ==,type:str]", + "data": "ENC[AES256_GCM,data:dsb1hdpeoH1Rc4Cz10cZMlAKL//GRUKQbTXvGuRcVqMtRVkmiVZonogj1FdpIFOY8m3zIuJKLpQp9i/RuWanRaThyOA4Mqo82N0MTkco0mwLfRhxqA2EbRv1dPgytVQvdNgSrnZI1FXtsQumPgO4KvifwaCG+Wu050NhPDC2Xt8i1U1TyMTkTigk2CKYaYgo+D9xSsA9ymjFUQgvnTn10t3di7cUJi3rBoEiZeOK/EAg1Y3h53AZ4p9SyG1kBflTvtE1NbIZNBYAiFkJNbIhT+Dw67Qv2Uso6oxL/I64IDOljMQz2874wZqpAL1w7W671KdlGtq0murjQ5Sg+g8RYseA1NVmTY7BCaGagNQuU6Ab0BSSdzIuDkH14BL1zGgprCqP0CE8WeWdUzCx5qud9emF24d+VvRKIiawTArSBe34VMnRq05OTKdmtwGZom7kbhD20c1/pwhytiJpzSE08iKy9cYGPGfirNJaxhT7z9XqSoECUg2XPI7Deh75PqoxM8pATLtOtOLp2cYSr2vSrqADMXzmR2M9ixEj,iv:RQH+e6ZADH2XMPqBeuHhMhHiksQg2iR4NUnYhD3pj7w=,tag:wJByTCrYf4cKxJaD2eTCMQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, 
@@ -11,8 +11,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOS9jMmZoNWxrRTl6aVFu\nSW9oTTVkV3NiSGpDTDJNT3dmUWNmSURCYkZ3CnZJNFNEVTNWNEpvcS9NRjFTdExy\na0NNeTByblA3T0JFRXJacHlFTmRPcEEKLS0tIDJCa05LZHo2Rk9xek5Ec1hDODNQ\nOEs1Sk5YbTNHZGFtcmpqaDFKdzRpUVEKiUhTrGp4rXW3hHd8HueZ5v31CXpMACFT\nTq2OaVXUW7yTLFO2E405hQH2ZLS7KzkXeHmA4MZfbsq0ZkriXp956A==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-02-22T18:08:12Z", - "mac": "ENC[AES256_GCM,data:cieSOz+0E1tFuRTgiIP9M84eV4bH5lgF4x2bwCGUTi3vG8FSlkk0+EVYjqDokLH7LnRysPO75YlZcuntvnUZYFVWPid/yjgCVR0qlfVbLx6ZUCW6GCNq5993Sa97mI6XjbiIO/yZE1lFqPhd+hev9koDqAGm/SbD9unqPzntBvM=,iv:+4xlcKGalNnR9PujjL54h2E3EnONXi+83g5bNAjFUSo=,tag:1O7lWZUPjPc6NtBqJ+nTxg==,type:str]", + "lastmodified": "2025-02-25T16:42:28Z", + "mac": "ENC[AES256_GCM,data:iJS4wLJwJZRUozNBUBxL8wYOneGI1Et3r9+DtIs3JrQLEKV16n2SeRP0jRFyCO7VNkxyjnjXJwe0/GVbxtQbVCuDFaCWVpj4xNiEH3wMeuydU96E2QgHaWJGvhyj5e/5o3GO85DeF2ueFCa9DQKtTIWH1xPfqJwtZC2PGH5Uqyo=,iv:/TpULYHxSgFfMQyv715jLVY37AhSY/qh1Zn00UN8oOw=,tag:XrOn8ZpgWFYtSjatXn8sxA==,type:str]", "pgp": [ { "created_at": "2025-02-22T18:08:12Z", diff --git a/machines/fanny/secrets/initrd_ed25519_key.pub b/machines/fanny/secrets/initrd_ed25519_key.pub index 6ab17400..bc13aa2f 100644 --- a/machines/fanny/secrets/initrd_ed25519_key.pub +++ b/machines/fanny/secrets/initrd_ed25519_key.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOywBnc5vmhjQbkFZhiL0BAigcMWVSusrwazxgGwXl6C kalipso@celine +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFRuQZweX3r9QQmAFo6oYY9zvrf9V3EIJOl6kFMgyLm kalipso@fanny-initrd diff --git a/machines/fanny/secrets/ssh_host_ed25519_key b/machines/fanny/secrets/ssh_host_ed25519_key index 346e6cd2..19466113 100644 --- a/machines/fanny/secrets/ssh_host_ed25519_key +++ b/machines/fanny/secrets/ssh_host_ed25519_key 
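Review bot: The comment restored in `initrd_ed25519_key.pub` is `kalipso@fanny-initrd`, which does not follow the `root@<host>-initrd` convention that patch 28 of this series adds to add_new_host_keys.sh, and it also differs from the `root@fanny` comment in the `ssh_host_ed25519_key.pub` hunk that follows; the comment field is free text for ed25519 keys, so aligning it to `root@fanny-initrd` is a one-word edit of the .pub file. The comment carries no cryptographic weight, but it is what identifies the key in known_hosts and `ssh-keygen -l` output, so the mismatch will be confusing later. Separately, the subject says these are the old keys being put back after the host was reset; if that reset was prompted by anything that could have exposed the previous private keys, reinstalling them undoes the rotation, and a sentence in the commit message on why the old keys are preferred over freshly generated ones would make that decision auditable.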
@@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:giFXavSHQsKhN2mES4Ud/wleYLIIELcvH08pCp+vEHw=,tag:xGkXW+0dzci6koXkujCQpw==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:7x+dTHtSbcc47X/ZGz/bcnOxkGDDBu33ZgNrOD1FwDA=,tag:B6s1Jt1KFCitya9oAKvp9w==,type:str]", "sops": { "kms": null, "gcp_kms": null, @@ -11,8 +11,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYlgxeXQzNmtEZXZXNytp\nTnRTRi9nRHJ2bEdPVGhPMzdMY1lPOUpGckFFCkJkL3BVSWlIZ1dBVUliemFWNXl4\ndU9DamhTRUp0aGVwamhWUUZJd3dUREkKLS0tIFNkaGNzc1R5aGxxZWV2QytaRFIw\ndC81MDR5SUlESnNQRlhuR3doTWhYL28KMIMs9mPwVuFr5cEvO6goqf3zQALSO5BB\nrY0C8TfkHLvV57999U9kfyLO7Sm0R/RGS4IinQSCRQWEeR+qLxnEWQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-02-22T18:08:12Z", - "mac": "ENC[AES256_GCM,data:+dXI8Hm1FDsB9bD2jli+YpWmcY9j85ezNnNYrQmCRNuPUp1EqAQ1PuXkgTabzImqq8N6f4DMUAnL9+kVM2Fr0SMk3O4N6DbMTIkIBh2jos543DUR4tcE+KCeU4+tqzghArODeRtOzV1jDW6sW89pUfGpSZ2JTRfz+QcybySWQXY=,iv:1jzlnQrUDoENp6+nlsxdDsdeeYg+J03KAm7lRw1bi64=,tag:3QvMHCGTZJdHv0r/eX/JQQ==,type:str]", + "lastmodified": "2025-02-25T16:43:40Z", + "mac": "ENC[AES256_GCM,data:dZJc0aqSD7dhe4Egih3z8QHIbwYDCGYU0DaOczkqHd/yMdcVNrNrcIR6yshArqCLl9jj5Zw3fIO75X09mvuvUCyszbjQyzSmTACp7K3skHuDRJ/yh5vaw6XNeJ3w26Dimfd0WfL1XC519DW532icrDiy2lCZ1qdcYwpqQUBKM/Q=,iv:4vx48jXxKLDOKfK6yYJWW28UaKl+EyqjeRAzV0WayEk=,tag:oO4cAVAv7N5aDAmK5V84mw==,type:str]", "pgp": [ { "created_at": "2025-02-22T18:08:12Z", diff --git a/machines/fanny/secrets/ssh_host_ed25519_key.pub b/machines/fanny/secrets/ssh_host_ed25519_key.pub index a258d8c2..340ddd9c 100644 --- a/machines/fanny/secrets/ssh_host_ed25519_key.pub +++ b/machines/fanny/secrets/ssh_host_ed25519_key.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvdnpvwSD1EEStciMitKahPlysD4L95bcwOuY4wV/6I kalipso@celine +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc root@fanny