diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index ece6ddf..cdcd4cb 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -11,7 +11,18 @@ keys:
 - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
 - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
 - &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
+ #this dummy key is used for testing.
+ - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
 creation_rules:
+ #provide fake secrets in a dummy.yaml file for each host
+ - path_regex: '.*dummy\.yaml$'
+ key_groups:
+ - pgp:
+ - *admin_kalipso
+ - *admin_kalipso_dsktp
+ age:
+ - *machine_dummy
+ - *admin_atlan
 - path_regex: moderatio/secrets/secrets.yaml$
 key_groups:
 - pgp:
diff --git a/machines/secrets/devkey_ed25519 b/machines/secrets/devkey_ed25519
new file mode 100644
index 0000000..7f8774d
--- /dev/null
+++ b/machines/secrets/devkey_ed25519
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwgAAAJgdrbX3Ha21
+9wAAAAtzc2gtZWQyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwg
+AAAECaQfylNoG/uN8fozvq3loBLWQ3gIKPOGnZpwyHUlAMO2meyBkJbC8RMkqhl/tAUoIt
+pSePyGKhyL5J7ArxxRTCAAAADmthbGlwc29AY2VsaW5lAQIDBAUGBw==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/machines/secrets/devkey_ed25519.pub b/machines/secrets/devkey_ed25519.pub
new file mode 100644
index 0000000..3469bbb
--- /dev/null
+++ b/machines/secrets/devkey_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmeyBkJbC8RMkqhl/tAUoItpSePyGKhyL5J7ArxxRTC kalipso@celine
diff --git a/machines/vpn/dummy.yaml b/machines/vpn/dummy.yaml
new file mode 100644
index 0000000..e053fed
--- /dev/null
+++ b/machines/vpn/dummy.yaml
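Review bot: The new `'.*dummy\.yaml$'` rule is listed before the per-host rules and is unanchored at the start, so sops' first-match selection will encrypt any file whose name merely ends in `dummy.yaml` to the `machine_dummy` recipient, wherever it lives in the tree; if that is intended it should be stated next to the rule. The two new comments say the key is for testing but not where its private half is held or what the consequence of encrypting to it is, which is the one thing a future editor needs to know before adding a recipient to this rule. I would replace `#this dummy key is used for testing.` with `# throwaway recipient for placeholder secrets only; its private half is not protected, never list it in a rule for real secrets`, and tighten the regex to something like `'/dummy\.yaml$'` so only a file literally named dummy.yaml in a host directory matches.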
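Review bot: `machines/secrets/devkey_ed25519` commits an unencrypted OpenSSH private key to the repository, in the same directory tree that `.sops.yaml` otherwise keeps encrypted, and nothing in the commit marks it as disposable. Once pushed it is part of history and of every clone, so it has to be treated as public: it must never be installed as the host key of a real machine nor trusted in any `known_hosts`, and secret scanners will keep flagging it. The key comment `kalipso@celine` in the `.pub` file suggests it was generated on a workstation rather than purpose-made, which is worth confirming. Since `outputs.nix` only uses it as the host key of a throwaway microvm, either let NixOS' openssh module generate the host key on first boot (it creates any listed `hostKeys` file that is missing) or keep it sops-encrypted like the other secrets; if it must stay in the clear, add a `machines/secrets/README` line such as `devkey_ed25519: throwaway dev VM host key, intentionally public, do not reuse`.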
@@ -0,0 +1,68 @@
+wg_private: ENC[AES256_GCM,data:4mE0dbYZfOX7RUfZAH16UYabnr7+5XDyhwR4HqpbdQMRKjfAcwz9QrmFE7M=,iv:zrY6dFa613EUlyb80bdAePXEL+aA1eEXBMbmj5lFLUE=,tag:fihRa+Bw5tzXVyMfgGsLqw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMFk2bzE3OG9VR0VqOTIz
+ UEQySS9SUnRmMDFqVTg1dks3WTZvbE13VGxVCitHVE1SVlBlYkZwejNlWWNMTVhF
+ M2EzSFRmS3lFd1VPMHRpMjhtMVgyVDQKLS0tIGJObk1kcWlaeUhveHdrY1BEQkh4
+ WTJua1FvNFFtMDFGWE9ZaW9wWFoxcncKlYHjkzlUj+rBPmXK/jj9XCUoGrQ4vBXH
+ ZTItzrbCI30juPjy6dJ0ffZF2ILvJLUdwurz4lZFybNuUjhE2sAY+A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5S1dhZUVpT3NMaGR4eEhV
+ dUxvUGVvMUtPbWhEQnpJd3Y1YTBYbm1QMTBVCmpQbkhvM3VWV2MvcmY2RVhVOWdy
+ MVZxK201bmcwVHlwUlFnb0p5eGFNNGsKLS0tIDlrc1ErS0NiRUJ0UFZnNHNNSk9m
+ U2xLQVhoS2NxNUVvcGZBYW9VVkZNOUEKeCpijhxpkAxCB9/iIQmek03mj7b14sqs
+ CuGKgoeq7C6eG1PK3I8MzGplQMyCpEFQ+33KMj0vGwktpv/eVzC8/w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-01-19T21:35:59Z"
+ mac: ENC[AES256_GCM,data:qp4nMAEwr/nZ2FjbXHhW2A4iSPc9PKAMQIWXMkJ6Mttia2whYDVH4oRhsfxs6xR7hixwAb/Q8dVPEgQYutWfzaXCIb6cfY1t9wCdgam4PIFyTCRHWnhnMCHFyOtMjJ6v/Kd/ERuFzAjZgi1yA4p9xePB6wwg2PjO3Amwu8yfZWU=,iv:z5gk9/KOhx/NNsa0TVza8WBG6CGUvos115idt6rG83I=,tag:W9PIGkBGQvvMbDcS6gTQhQ==,type:str]
+ pgp:
+ - created_at: "2025-01-19T21:35:34Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQGMA5HdvEwzh/H7AQwAoO2gRS+Vwu+5KZ4V2ReXPcjFcEUb6aoYe8PNUhjBu0yE
+ hs4lhWGy53BdupQ+cyxk0U+L6UhOjTfIAYE9emqTDlF5OImN/379j9NfiPe/K0/8
+ ylSOuzNgVmTpsXlHGaXE2wk0ADp1P9mZUwbJ5vHCtm+ZFe5HCuTrB61drIU0fEYw
+ NVCaARK/IRn5eAlPCjPuW1mhKP+3HNGMQszqCRKMU5kLZPzjqsHmEITSFJ5bVtAu
+ fLRtF8SyJpHgvyw1AH1IX6I+/lrDRQro0oD/0LcC1Nay9n86WIWhA/VbotyFCkI2
+ gZtV0IQq05mxO11DycgxlDLQk6nqiqDDjWv/8kj23HnQ3BAO6SXLKhHWq9rH8EOX
+ wkee7RHc09GWNcGL93YMkjIHWJyitphpU/NtTmEpTptzry5vPfittPaZ+zU+MF8G
+ REyft2X9Aj7UWcL1w3kbX9BDWuxImcirWWCShHakSrzAlpuIoXVQA6MCl6/Jr2Ve
+ lLx3lDX+BiSpU01zY32q0lgBOGcSEcRVXTiYO00EoJbIiEMwqm1aAXQzaCvhCCpP
+ 54NsNzZ4eoGL0DmioKwzLbv1CpIJs3w0k6StfOtTCPKdlL99k24Z8GyJ44UnkhCe
+ V32jGc/yCong
+ =OZSD
+ -----END PGP MESSAGE-----
+ fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+ - created_at: "2025-01-19T21:35:34Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA98TrrsQEbXUARAAhnd9Z1gekp4XWw+gcWK5j9mXWP7XS/FGNXmmCUBKec1j
+ zXzMJjG1YZyCYmqj3XGFMFwg2Ex6pBPoOTzOL2VOGd9mZvHjh0MGtuUopg1GprE7
+ NoyrYlV2UikyBSzVlsvykyNCYWfEt0uDotnGIK0NXYzfWfqgw+ImAH/PvNRY4nIB
+ wxI/Ze100ITAN7Dop9d6MFUZbrYKZTMsO8w5Z7TWHRPzFWH//XZjY7UpxvNVP1oJ
+ RXqqo2I97P0c6H7s17+xw6ZjyE0Qoin1gq4XSMHc4l8o+3D7fWecoTLxcjma5gvY
+ SMVCYeSrI2kc8DJ2RVeXdDlEP7SS3bwPNaE4Tklxv1rE+CUuYQ1X6dkPVKnKLfRS
+ Lwy614LDAarZmvXc3jPgFkpG+grE80PAStzOze0eWyZA/oCAI3/CS+yaeBAI4viz
+ UEkNmCMTZu1eXyIurC/suTOdq4nehGlD/2F8EKU+Y/6f6J2wHUJdvLjNxOuAOHd0
+ lGSu61gt/b2PFy/aHqFgQaZCPUMJ8UfK8JQ66zOIUW3HzsXOsvVqo/8DMQRIw7/z
+ 3tZ43LPjmIeCRFwPfbIbeThoZmq1SPejkzadxDEwD3U0YAiblBJ2E+AyEDiKqP/N
+ D+NRN5Ta0ySAmGOyYgDES8QDDBQGA4cSZak7pMidCrSbAagNyYNg3Qrowc0aG93S
+ WAFD/Q4EtOdM6kveLdbDkPX/bAiCFwhzSCtDVkLAPxfrkw/a+az6emPWmImML5FT
+ to3vvXendrd9+u6uSNK5acuwzW2cW8GM4gLC90+p/kRFJukiGJbl400=
+ =6Gw4
+ -----END PGP MESSAGE-----
+ fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+ unencrypted_suffix: _unencrypted
+ version: 3.9.2
diff --git a/outputs.nix b/outputs.nix
index ba0dd47..8bc2d11 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -110,8 +110,19 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems in result // { # boot any machine in a microvm - "${host}-vm-withssh" = (self.nixosConfigurations.${host}.extendModules { + "${host}-vm-withsops" = (self.nixosConfigurations.${host}.extendModules { modules = [{ + sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml; + + environment.etc = { + devHostKey.source = ./machines/secrets/devkey_ed25519; + }; + + services.openssh.hostKeys = [{ + path = "/etc/devHostKey"; + type = "ed25519"; + }]; + microvm = { mem = pkgs.lib.mkForce 4096; hypervisor = pkgs.lib.mkForce "qemu"; @@ -122,20 +133,11 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems source = "/nix/store"; mountPoint = "/nix/.ro-store"; } - { - source = "/etc/ssh"; - mountPoint = "/etc/ssh"; - tag = "etcssh"; - } ]; }; boot.isContainer = pkgs.lib.mkForce false; users.users.root.password = ""; fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs"; - fileSystems."/etc/ssh" = { - depends = [ "/etc" ]; - neededForBoot = true; - }; services.getty.helpLine = '' Log in as "root" with an empty password. Use "reboot" to shut qemu down.
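Review bot: `sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml;` is evaluated for every host in the loop, but this commit only adds `machines/vpn/dummy.yaml`, so unless other hosts already have one outside the diff the `-vm-withsops` attribute of the other machines will fail at evaluation on a missing path; a `lib.optionalAttrs (builtins.pathExists ./machines/${host}/dummy.yaml)` guard around the VM attribute, or a dummy.yaml per host, would keep the flake evaluable. `environment.etc.devHostKey.source = ./machines/secrets/devkey_ed25519;` copies that private key into the Nix store, which is world-readable on the build host and inside the VM, which is only acceptable because the key is meant to be disposable; say so at the site: `# intentionally public throwaway host key (sops recipient for dummy.yaml); never reuse for a real host`. Renaming the attribute from `-vm-withssh` to `-vm-withsops` silently breaks any scripts or docs that used the old name, so either keep the old name as an alias or mention the rename in the commit message. In the second hunk, dropping the `/etc/ssh` share and mount means the host's real SSH host keys are no longer exposed to the VM, which is the right direction and worth a one-line comment next to the new `hostKeys` entry. The enclosing `eachSystem` function starts and ends outside these hunks.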