Compare commits
4 Commits
68b3da7df8
...
015c326042
| Author | SHA1 | Date | |
|---|---|---|---|
| 015c326042 | |||
| 5f780e17eb | |||
| fda348f5da | |||
| 36ec5f5837 |
@@ -11,7 +11,18 @@ keys:
|
||||
- &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
|
||||
- &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
|
||||
- &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
|
||||
#this dummy key is used for testing.
|
||||
- &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
|
||||
creation_rules:
|
||||
#provide fake secrets in a dummy.yaml file for each host
|
||||
- path_regex: '.*dummy\.yaml$'
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *admin_kalipso
|
||||
- *admin_kalipso_dsktp
|
||||
age:
|
||||
- *machine_dummy
|
||||
- *admin_atlan
|
||||
- path_regex: moderatio/secrets/secrets.yaml$
|
||||
key_groups:
|
||||
- pgp:
|
||||
|
||||
68
machines/nextcloud/dummy.yaml
Normal file
68
machines/nextcloud/dummy.yaml
Normal file
@@ -0,0 +1,68 @@
|
||||
nextcloudAdminPass: ENC[AES256_GCM,data:4GvCg7g=,iv:3m2Vh86WzrVR7BG0xlNwRE9ebIGLWbVdcxoYC9x7dXo=,tag:t2bWTVlw9rHSVnkXW8ZTFQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbTYrcUV3Wk0xSDM1Mm0w
|
||||
TkoxZHBFUXFBSC80YzkwV3paWGpRaFY2WndZClh1c0xmNWpWMjFXOS9OYU9OU2Mx
|
||||
c3NEREczaDkvNC90eERwb0RKUlNZemsKLS0tIEp1VWZISXZoWFNuRC9mVE1JUmc3
|
||||
bUNFd2dyRGludFQ3MzdiRzFTcXUwWlkKFGd8Uvfu2W1LejgQFpF162JnVmfPxAuX
|
||||
IQ3oopYXUBM3QqCXGLTY3DBffD4WZ4AXyGLsfUtwn3kcvjQ85ewidw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraEtDblNxMGY0NlhzcDdM
|
||||
RFo2VGI1UFE4eVdZdDZ5ZTNKRUFCRWFHOWdBCkRBaGk2WmYxK2ovbHQrSGl3akVp
|
||||
TUhxck83Q1NVQy9VU0lXOEVraGtOZ1UKLS0tIDYxS0hHSW1nZW9hOTFJNCtheU1x
|
||||
ZXk2b1RVd1FoYk4xTGxKQ1cxZmVJalkKkC5XckyrgwfqaeVq+OjNCzAtKKiCf7Q9
|
||||
sC9ZMlPoOAm8xpLEpWgNooOBa04YsDEe9XgN8S0HrVxt/NHlnS5+ow==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-01-19T22:23:37Z"
|
||||
mac: ENC[AES256_GCM,data:ZVMA4qgliSASQ0LtuedU4pybVwJA0x4vdSlOspsTF22s9DjRbG2tA7PpxTqDBGliBqS4w5J6Rqp3OSF7zddZ23GOz72sOZv0WY5YGeYxIltT7RWSMRkhkwXoM8Pf3BOYCZ4Gy8zaMVnbwbhHZ9LZI6wulh19SDKBV965moUW+Z0=,iv:tmz8C1kGUZq8gfzTHoaU/8RfrT5ohLqA11H42l7TEv0=,tag:E3AV6t2bbKASeVI2G3kNYA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2025-01-19T22:23:26Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQGMA5HdvEwzh/H7AQwAsbbUEzSg7iETqT40w/+qjJ+iuHUeeZ+NFMPVVedbLuZX
|
||||
/gPPSJ3JSx3wxJke+QPX/OUiRxXwGBZ5yg7CDoc+RrrdaavazuOUGISL38KPQiin
|
||||
TmUq4nY6nWjMqHPSaQ+NiGxRpIErCQCUx6YEdi4YgHhf9J4KEg0f7ueR5wWlfzx4
|
||||
c7pXkEubFpPy4v45mh8sYXOQTa2yt2keprJ6iqmfL/HKnCJf1TBFxJAvwnPuKDfe
|
||||
npvE4Pk5hcoKjFQNsqpnz7Etc8XfAYXSCXSLKfSaZNSeXQRhE1lHLH9OPnC46li7
|
||||
Dw6SPW0/4MTJrg08JvrNeogQ1QohLT4mkfAnASVUUeGFaF7UhztVoodqMsG8kuhD
|
||||
LtmYv625h3j/QqshpFPGe8nJG1DziE4YHngxvgToIC+6+Q2x47ciulpimlpt6b6w
|
||||
s+mGEVlJLSoJMd9jwE53PMXteBYKWgSEL7osj1V5KIJDFSgwfjYEngCkuyxjf8e3
|
||||
uYxb1WEadSyLhW8xnoyE0lYB6WI8m6j2Ls9TFG7kKtQqrnVSZd2nsKk/5wPVIAXO
|
||||
nrMtb4Q88PLM1eusiLgCs592owKHoWVYqBRpi79EBlnGZwmTfDQzTsQlL7aQCbIo
|
||||
kBI1swNH3g==
|
||||
=K/IK
|
||||
-----END PGP MESSAGE-----
|
||||
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
|
||||
- created_at: "2025-01-19T22:23:26Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA98TrrsQEbXUAQ/7BGOQn8xVX9IOFHnUXKdiw/+fcXHu0L7CLuhcEfpZRJNI
|
||||
vIbztLTH5gT59SkS07cIEcYWqERO+gjK6pZLCxmYO/c15YDWCv1PtS4YHZAET+ow
|
||||
YHzBTZDq2k+pV/cTbUtJgGYOxuqkqUtflyGZSQM+NjSXu4In83u+nwkEaKSxcaWt
|
||||
q9rrYVkBUiika2FYtyehoCoDuyJzNmfGhZ9CPJaUzrSzuRLQZy6Hdg8TDPTzGqi4
|
||||
awo53eOdsEpNu1AQ5rnJ19RFLU63IQlwEnApnXZZ+AX8J2//KgLOcAqjo5skJuN1
|
||||
EJBh4DjfmOdCCN3uRccNiDn9YYrPP5Jl3jfnkMUQ2gVEE/c5ib84hvjc+y9Eh1jJ
|
||||
s2JqhfX+ccV5kuva1q1CuTUCHQVEKahJAvghl77JQjtUY6Lf+5QLeKbchUnwxaIN
|
||||
v6MwZmdCwBJOS40SnA+Ft2g9psho4MIPXtu4DR4t5VWvhrmw2cl7TCffQslWETxE
|
||||
267PHQegcO40skEOYwkLSv7PWycL3YUg/EfPuElAobqlM45UQA/lcC5seV0WvEPB
|
||||
Lj+Pk8stY3LZ5wpblmmA72PyJhTq7ghsPvxlyRByHIS8v94gu5Zasbi63WGmxgPA
|
||||
mt/M/HIQEf2XOOKuJnGJ3yDwLTAHAgFa0jlIgvt4gkuhm5ibcHLmedBh4ecRNfDS
|
||||
VgFA4UwqUKN1XYTWOvT1vlxE9UE+dgVO0QNMX8yw1ivmL2eyPUk8HtIpKbuDLFIC
|
||||
iKwHMtUIW/q7UPmfKLRbDumimG/290GXxN24ouiN8AR0dCXK9oor
|
||||
=EsRn
|
||||
-----END PGP MESSAGE-----
|
||||
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.2
|
||||
7
machines/secrets/devkey_ed25519
Normal file
7
machines/secrets/devkey_ed25519
Normal file
@@ -0,0 +1,7 @@
|
||||
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
||||
QyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwgAAAJgdrbX3Ha21
|
||||
9wAAAAtzc2gtZWQyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwg
|
||||
AAAECaQfylNoG/uN8fozvq3loBLWQ3gIKPOGnZpwyHUlAMO2meyBkJbC8RMkqhl/tAUoIt
|
||||
pSePyGKhyL5J7ArxxRTCAAAADmthbGlwc29AY2VsaW5lAQIDBAUGBw==
|
||||
-----END OPENSSH PRIVATE KEY-----
|
||||
1
machines/secrets/devkey_ed25519.pub
Normal file
1
machines/secrets/devkey_ed25519.pub
Normal file
@@ -0,0 +1 @@
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmeyBkJbC8RMkqhl/tAUoItpSePyGKhyL5J7ArxxRTC kalipso@celine
|
||||
68
machines/vpn/dummy.yaml
Normal file
68
machines/vpn/dummy.yaml
Normal file
@@ -0,0 +1,68 @@
|
||||
wg_private: ENC[AES256_GCM,data:4mE0dbYZfOX7RUfZAH16UYabnr7+5XDyhwR4HqpbdQMRKjfAcwz9QrmFE7M=,iv:zrY6dFa613EUlyb80bdAePXEL+aA1eEXBMbmj5lFLUE=,tag:fihRa+Bw5tzXVyMfgGsLqw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMFk2bzE3OG9VR0VqOTIz
|
||||
UEQySS9SUnRmMDFqVTg1dks3WTZvbE13VGxVCitHVE1SVlBlYkZwejNlWWNMTVhF
|
||||
M2EzSFRmS3lFd1VPMHRpMjhtMVgyVDQKLS0tIGJObk1kcWlaeUhveHdrY1BEQkh4
|
||||
WTJua1FvNFFtMDFGWE9ZaW9wWFoxcncKlYHjkzlUj+rBPmXK/jj9XCUoGrQ4vBXH
|
||||
ZTItzrbCI30juPjy6dJ0ffZF2ILvJLUdwurz4lZFybNuUjhE2sAY+A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5S1dhZUVpT3NMaGR4eEhV
|
||||
dUxvUGVvMUtPbWhEQnpJd3Y1YTBYbm1QMTBVCmpQbkhvM3VWV2MvcmY2RVhVOWdy
|
||||
MVZxK201bmcwVHlwUlFnb0p5eGFNNGsKLS0tIDlrc1ErS0NiRUJ0UFZnNHNNSk9m
|
||||
U2xLQVhoS2NxNUVvcGZBYW9VVkZNOUEKeCpijhxpkAxCB9/iIQmek03mj7b14sqs
|
||||
CuGKgoeq7C6eG1PK3I8MzGplQMyCpEFQ+33KMj0vGwktpv/eVzC8/w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-01-19T21:35:59Z"
|
||||
mac: ENC[AES256_GCM,data:qp4nMAEwr/nZ2FjbXHhW2A4iSPc9PKAMQIWXMkJ6Mttia2whYDVH4oRhsfxs6xR7hixwAb/Q8dVPEgQYutWfzaXCIb6cfY1t9wCdgam4PIFyTCRHWnhnMCHFyOtMjJ6v/Kd/ERuFzAjZgi1yA4p9xePB6wwg2PjO3Amwu8yfZWU=,iv:z5gk9/KOhx/NNsa0TVza8WBG6CGUvos115idt6rG83I=,tag:W9PIGkBGQvvMbDcS6gTQhQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2025-01-19T21:35:34Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQGMA5HdvEwzh/H7AQwAoO2gRS+Vwu+5KZ4V2ReXPcjFcEUb6aoYe8PNUhjBu0yE
|
||||
hs4lhWGy53BdupQ+cyxk0U+L6UhOjTfIAYE9emqTDlF5OImN/379j9NfiPe/K0/8
|
||||
ylSOuzNgVmTpsXlHGaXE2wk0ADp1P9mZUwbJ5vHCtm+ZFe5HCuTrB61drIU0fEYw
|
||||
NVCaARK/IRn5eAlPCjPuW1mhKP+3HNGMQszqCRKMU5kLZPzjqsHmEITSFJ5bVtAu
|
||||
fLRtF8SyJpHgvyw1AH1IX6I+/lrDRQro0oD/0LcC1Nay9n86WIWhA/VbotyFCkI2
|
||||
gZtV0IQq05mxO11DycgxlDLQk6nqiqDDjWv/8kj23HnQ3BAO6SXLKhHWq9rH8EOX
|
||||
wkee7RHc09GWNcGL93YMkjIHWJyitphpU/NtTmEpTptzry5vPfittPaZ+zU+MF8G
|
||||
REyft2X9Aj7UWcL1w3kbX9BDWuxImcirWWCShHakSrzAlpuIoXVQA6MCl6/Jr2Ve
|
||||
lLx3lDX+BiSpU01zY32q0lgBOGcSEcRVXTiYO00EoJbIiEMwqm1aAXQzaCvhCCpP
|
||||
54NsNzZ4eoGL0DmioKwzLbv1CpIJs3w0k6StfOtTCPKdlL99k24Z8GyJ44UnkhCe
|
||||
V32jGc/yCong
|
||||
=OZSD
|
||||
-----END PGP MESSAGE-----
|
||||
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
|
||||
- created_at: "2025-01-19T21:35:34Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA98TrrsQEbXUARAAhnd9Z1gekp4XWw+gcWK5j9mXWP7XS/FGNXmmCUBKec1j
|
||||
zXzMJjG1YZyCYmqj3XGFMFwg2Ex6pBPoOTzOL2VOGd9mZvHjh0MGtuUopg1GprE7
|
||||
NoyrYlV2UikyBSzVlsvykyNCYWfEt0uDotnGIK0NXYzfWfqgw+ImAH/PvNRY4nIB
|
||||
wxI/Ze100ITAN7Dop9d6MFUZbrYKZTMsO8w5Z7TWHRPzFWH//XZjY7UpxvNVP1oJ
|
||||
RXqqo2I97P0c6H7s17+xw6ZjyE0Qoin1gq4XSMHc4l8o+3D7fWecoTLxcjma5gvY
|
||||
SMVCYeSrI2kc8DJ2RVeXdDlEP7SS3bwPNaE4Tklxv1rE+CUuYQ1X6dkPVKnKLfRS
|
||||
Lwy614LDAarZmvXc3jPgFkpG+grE80PAStzOze0eWyZA/oCAI3/CS+yaeBAI4viz
|
||||
UEkNmCMTZu1eXyIurC/suTOdq4nehGlD/2F8EKU+Y/6f6J2wHUJdvLjNxOuAOHd0
|
||||
lGSu61gt/b2PFy/aHqFgQaZCPUMJ8UfK8JQ66zOIUW3HzsXOsvVqo/8DMQRIw7/z
|
||||
3tZ43LPjmIeCRFwPfbIbeThoZmq1SPejkzadxDEwD3U0YAiblBJ2E+AyEDiKqP/N
|
||||
D+NRN5Ta0ySAmGOyYgDES8QDDBQGA4cSZak7pMidCrSbAagNyYNg3Qrowc0aG93S
|
||||
WAFD/Q4EtOdM6kveLdbDkPX/bAiCFwhzSCtDVkLAPxfrkw/a+az6emPWmImML5FT
|
||||
to3vvXendrd9+u6uSNK5acuwzW2cW8GM4gLC90+p/kRFJukiGJbl400=
|
||||
=6Gw4
|
||||
-----END PGP MESSAGE-----
|
||||
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.2
|
||||
54
outputs.nix
54
outputs.nix
@@ -45,6 +45,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
|
||||
scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
|
||||
scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
|
||||
};
|
||||
|
||||
packages = {
|
||||
docs = pkgs.stdenv.mkDerivation {
|
||||
name = "malobeo-docs";
|
||||
@@ -82,11 +83,56 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
|
||||
source = "/nix/store";
|
||||
mountPoint = "/nix/.ro-store";
|
||||
}];
|
||||
interfaces = pkgs.lib.mkForce [{
|
||||
type = "user";
|
||||
id = "eth0";
|
||||
mac = "02:23:de:ad:be:ef";
|
||||
};
|
||||
boot.isContainer = pkgs.lib.mkForce false;
|
||||
users.users.root.password = "";
|
||||
fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs";
|
||||
services.getty.helpLine = ''
|
||||
Log in as "root" with an empty password.
|
||||
Use "reboot" to shut qemu down.
|
||||
'';
|
||||
}] ++ pkgs.lib.optionals (! config ? microvm) [
|
||||
microvm.nixosModules.microvm
|
||||
];
|
||||
}).config.microvm.declaredRunner;
|
||||
})
|
||||
{ }
|
||||
(builtins.attrNames self.nixosConfigurations) //
|
||||
|
||||
builtins.foldl'
|
||||
(result: host:
|
||||
let
|
||||
inherit (self.nixosConfigurations.${host}) config;
|
||||
in
|
||||
result // {
|
||||
# boot any machine in a microvm
|
||||
"${host}-vm-withsops" = (self.nixosConfigurations.${host}.extendModules {
|
||||
modules = [{
|
||||
sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml;
|
||||
|
||||
environment.etc = {
|
||||
devHostKey = {
|
||||
source = ./machines/secrets/devkey_ed25519;
|
||||
mode = "0600";
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh.hostKeys = [{
|
||||
path = "/etc/devHostKey";
|
||||
type = "ed25519";
|
||||
}];
|
||||
|
||||
microvm = {
|
||||
mem = pkgs.lib.mkForce 4096;
|
||||
hypervisor = pkgs.lib.mkForce "qemu";
|
||||
socket = pkgs.lib.mkForce null;
|
||||
shares = pkgs.lib.mkForce [
|
||||
{
|
||||
tag = "ro-store";
|
||||
source = "/nix/store";
|
||||
mountPoint = "/nix/.ro-store";
|
||||
}
|
||||
];
|
||||
};
|
||||
boot.isContainer = pkgs.lib.mkForce false;
|
||||
users.users.root.password = "";
|
||||
|
||||
Reference in New Issue
Block a user