kalipso/infrastructure
1
1
Fork 1
Code Issues 43 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

[sops] add a dummy key to allow secret usage within test vms

Browse Source
This commit is contained in:
kalipso
2025-01-19 22:46:31 +01:00
parent 36ec5f5837
commit fda348f5da
5 changed files with 99 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
machines/.sops.yaml
View File

@@ -11,7 +11,18 @@ keys:
- &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
- &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
- &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf - &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
#this dummy key is used for testing.
- &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
creation_rules: creation_rules:
#provide fake secrets in a dummy.yaml file for each host
- path_regex: '.*dummy\.yaml$'
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *machine_dummy
- *admin_atlan
- path_regex: moderatio/secrets/secrets.yaml$ - path_regex: moderatio/secrets/secrets.yaml$
key_groups: key_groups:
- pgp: - pgp:

7
machines/secrets/devkey_ed25519 Normal file
View File

@@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwgAAAJgdrbX3Ha21
9wAAAAtzc2gtZWQyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwg
AAAECaQfylNoG/uN8fozvq3loBLWQ3gIKPOGnZpwyHUlAMO2meyBkJbC8RMkqhl/tAUoIt
pSePyGKhyL5J7ArxxRTCAAAADmthbGlwc29AY2VsaW5lAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----

1
machines/secrets/devkey_ed25519.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmeyBkJbC8RMkqhl/tAUoItpSePyGKhyL5J7ArxxRTC kalipso@celine

68
machines/vpn/dummy.yaml Normal file
View File

@@ -0,0 +1,68 @@
wg_private: ENC[AES256_GCM,data:4mE0dbYZfOX7RUfZAH16UYabnr7+5XDyhwR4HqpbdQMRKjfAcwz9QrmFE7M=,iv:zrY6dFa613EUlyb80bdAePXEL+aA1eEXBMbmj5lFLUE=,tag:fihRa+Bw5tzXVyMfgGsLqw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMFk2bzE3OG9VR0VqOTIz
UEQySS9SUnRmMDFqVTg1dks3WTZvbE13VGxVCitHVE1SVlBlYkZwejNlWWNMTVhF
M2EzSFRmS3lFd1VPMHRpMjhtMVgyVDQKLS0tIGJObk1kcWlaeUhveHdrY1BEQkh4
WTJua1FvNFFtMDFGWE9ZaW9wWFoxcncKlYHjkzlUj+rBPmXK/jj9XCUoGrQ4vBXH
ZTItzrbCI30juPjy6dJ0ffZF2ILvJLUdwurz4lZFybNuUjhE2sAY+A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5S1dhZUVpT3NMaGR4eEhV
dUxvUGVvMUtPbWhEQnpJd3Y1YTBYbm1QMTBVCmpQbkhvM3VWV2MvcmY2RVhVOWdy
MVZxK201bmcwVHlwUlFnb0p5eGFNNGsKLS0tIDlrc1ErS0NiRUJ0UFZnNHNNSk9m
U2xLQVhoS2NxNUVvcGZBYW9VVkZNOUEKeCpijhxpkAxCB9/iIQmek03mj7b14sqs
CuGKgoeq7C6eG1PK3I8MzGplQMyCpEFQ+33KMj0vGwktpv/eVzC8/w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-19T21:35:59Z"
mac: ENC[AES256_GCM,data:qp4nMAEwr/nZ2FjbXHhW2A4iSPc9PKAMQIWXMkJ6Mttia2whYDVH4oRhsfxs6xR7hixwAb/Q8dVPEgQYutWfzaXCIb6cfY1t9wCdgam4PIFyTCRHWnhnMCHFyOtMjJ6v/Kd/ERuFzAjZgi1yA4p9xePB6wwg2PjO3Amwu8yfZWU=,iv:z5gk9/KOhx/NNsa0TVza8WBG6CGUvos115idt6rG83I=,tag:W9PIGkBGQvvMbDcS6gTQhQ==,type:str]
pgp:
- created_at: "2025-01-19T21:35:34Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQwAoO2gRS+Vwu+5KZ4V2ReXPcjFcEUb6aoYe8PNUhjBu0yE
hs4lhWGy53BdupQ+cyxk0U+L6UhOjTfIAYE9emqTDlF5OImN/379j9NfiPe/K0/8
ylSOuzNgVmTpsXlHGaXE2wk0ADp1P9mZUwbJ5vHCtm+ZFe5HCuTrB61drIU0fEYw
NVCaARK/IRn5eAlPCjPuW1mhKP+3HNGMQszqCRKMU5kLZPzjqsHmEITSFJ5bVtAu
fLRtF8SyJpHgvyw1AH1IX6I+/lrDRQro0oD/0LcC1Nay9n86WIWhA/VbotyFCkI2
gZtV0IQq05mxO11DycgxlDLQk6nqiqDDjWv/8kj23HnQ3BAO6SXLKhHWq9rH8EOX
wkee7RHc09GWNcGL93YMkjIHWJyitphpU/NtTmEpTptzry5vPfittPaZ+zU+MF8G
REyft2X9Aj7UWcL1w3kbX9BDWuxImcirWWCShHakSrzAlpuIoXVQA6MCl6/Jr2Ve
lLx3lDX+BiSpU01zY32q0lgBOGcSEcRVXTiYO00EoJbIiEMwqm1aAXQzaCvhCCpP
54NsNzZ4eoGL0DmioKwzLbv1CpIJs3w0k6StfOtTCPKdlL99k24Z8GyJ44UnkhCe
V32jGc/yCong
=OZSD
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-01-19T21:35:34Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUARAAhnd9Z1gekp4XWw+gcWK5j9mXWP7XS/FGNXmmCUBKec1j
zXzMJjG1YZyCYmqj3XGFMFwg2Ex6pBPoOTzOL2VOGd9mZvHjh0MGtuUopg1GprE7
NoyrYlV2UikyBSzVlsvykyNCYWfEt0uDotnGIK0NXYzfWfqgw+ImAH/PvNRY4nIB
wxI/Ze100ITAN7Dop9d6MFUZbrYKZTMsO8w5Z7TWHRPzFWH//XZjY7UpxvNVP1oJ
RXqqo2I97P0c6H7s17+xw6ZjyE0Qoin1gq4XSMHc4l8o+3D7fWecoTLxcjma5gvY
SMVCYeSrI2kc8DJ2RVeXdDlEP7SS3bwPNaE4Tklxv1rE+CUuYQ1X6dkPVKnKLfRS
Lwy614LDAarZmvXc3jPgFkpG+grE80PAStzOze0eWyZA/oCAI3/CS+yaeBAI4viz
UEkNmCMTZu1eXyIurC/suTOdq4nehGlD/2F8EKU+Y/6f6J2wHUJdvLjNxOuAOHd0
lGSu61gt/b2PFy/aHqFgQaZCPUMJ8UfK8JQ66zOIUW3HzsXOsvVqo/8DMQRIw7/z
3tZ43LPjmIeCRFwPfbIbeThoZmq1SPejkzadxDEwD3U0YAiblBJ2E+AyEDiKqP/N
D+NRN5Ta0ySAmGOyYgDES8QDDBQGA4cSZak7pMidCrSbAagNyYNg3Qrowc0aG93S
WAFD/Q4EtOdM6kveLdbDkPX/bAiCFwhzSCtDVkLAPxfrkw/a+az6emPWmImML5FT
to3vvXendrd9+u6uSNK5acuwzW2cW8GM4gLC90+p/kRFJukiGJbl400=
=6Gw4
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2

22
outputs.nix
View File

@@ -110,8 +110,19 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
in in
result // { result // {
# boot any machine in a microvm # boot any machine in a microvm
"${host}-vm-withssh" = (self.nixosConfigurations.${host}.extendModules { "${host}-vm-withsops" = (self.nixosConfigurations.${host}.extendModules {
modules = [{ modules = [{
sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml;
environment.etc = {
devHostKey.source = ./machines/secrets/devkey_ed25519;
};
services.openssh.hostKeys = [{
path = "/etc/devHostKey";
type = "ed25519";
}];
microvm = { microvm = {
mem = pkgs.lib.mkForce 4096; mem = pkgs.lib.mkForce 4096;
hypervisor = pkgs.lib.mkForce "qemu"; hypervisor = pkgs.lib.mkForce "qemu";
@@ -122,20 +133,11 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
source = "/nix/store"; source = "/nix/store";
mountPoint = "/nix/.ro-store"; mountPoint = "/nix/.ro-store";
} }
{
source = "/etc/ssh";
mountPoint = "/etc/ssh";
tag = "etcssh";
}
]; ];
}; };
boot.isContainer = pkgs.lib.mkForce false; boot.isContainer = pkgs.lib.mkForce false;
users.users.root.password = ""; users.users.root.password = "";
fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs"; fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs";
fileSystems."/etc/ssh" = {
depends = [ "/etc" ];
neededForBoot = true;
};
services.getty.helpLine = '' services.getty.helpLine = ''
Log in as "root" with an empty password. Log in as "root" with an empty password.
Use "reboot" to shut qemu down. Use "reboot" to shut qemu down.