From 36ec5f5837eadef5b9fe586b984130c2679c0938 Mon Sep 17 00:00:00 2001 From: kalipso Date: Sat, 18 Jan 2025 20:27:57 +0100 Subject: [PATCH 01/12] [sops] test sharing hostkey with vm --- outputs.nix | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/outputs.nix b/outputs.nix index 41e2be7..ba0dd47 100644 --- a/outputs.nix +++ b/outputs.nix @@ -101,6 +101,51 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems }).config.microvm.declaredRunner; }) { } + (builtins.attrNames self.nixosConfigurations) // + + builtins.foldl' + (result: host: + let + inherit (self.nixosConfigurations.${host}) config; + in + result // { + # boot any machine in a microvm + "${host}-vm-withssh" = (self.nixosConfigurations.${host}.extendModules { + modules = [{ + microvm = { + mem = pkgs.lib.mkForce 4096; + hypervisor = pkgs.lib.mkForce "qemu"; + socket = pkgs.lib.mkForce null; + shares = pkgs.lib.mkForce [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + { + source = "/etc/ssh"; + mountPoint = "/etc/ssh"; + tag = "etcssh"; + } + ]; + }; + boot.isContainer = pkgs.lib.mkForce false; + users.users.root.password = ""; + fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs"; + fileSystems."/etc/ssh" = { + depends = [ "/etc" ]; + neededForBoot = true; + }; + services.getty.helpLine = '' + Log in as "root" with an empty password. + Use "reboot" to shut qemu down. + ''; + }] ++ pkgs.lib.optionals (! config ? microvm) [ + microvm.nixosModules.microvm + ]; + }).config.microvm.declaredRunner; + }) + { } (builtins.attrNames self.nixosConfigurations); apps = { -- 2.51.2 From fda348f5da139d4d9b09a5965406a42e6350326e Mon Sep 17 00:00:00 2001 
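Review bot: The `etcssh` share mounts the host's `/etc/ssh` into the guest with no read-only setting, which exposes the host's private host keys to the test VM and lets the guest overwrite them. A disposable key generated for the VM, installed via `environment.etc` with a matching `services.openssh.hostKeys` entry, gives the guest a stable identity without touching the host's; patch 02 of this series already moves that way. The new `-vm-withssh` attribute also appears to copy the whole `-vm` module body verbatim, so every later tweak has to be made twice; factoring the shared settings into one module would avoid that. The `builtins.foldl'` / `packages` expression this hunk extends begins outside the hunk.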
From: kalipso Date: Sun, 19 Jan 2025 22:46:31 +0100 Subject: [PATCH 02/12] [sops] add a dummy key to allow secret usage within test vms --- machines/.sops.yaml | 11 +++++ machines/secrets/devkey_ed25519 | 7 +++ machines/secrets/devkey_ed25519.pub | 1 + machines/vpn/dummy.yaml | 68 +++++++++++++++++++++++++++++ outputs.nix | 22 +++++----- 5 files changed, 99 insertions(+), 10 deletions(-) create mode 100644 machines/secrets/devkey_ed25519 create mode 100644 machines/secrets/devkey_ed25519.pub create mode 100644 machines/vpn/dummy.yaml diff --git a/machines/.sops.yaml b/machines/.sops.yaml index ece6ddf..cdcd4cb 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -11,7 +11,18 @@ keys: - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh - &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf + #this dummy key is used for testing. + - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng creation_rules: + #provide fake secrets in a dummy.yaml file for each host + - path_regex: '.*dummy\.yaml$' + key_groups: + - pgp: + - *admin_kalipso + - *admin_kalipso_dsktp + age: + - *machine_dummy + - *admin_atlan - path_regex: moderatio/secrets/secrets.yaml$ key_groups: - pgp: diff --git a/machines/secrets/devkey_ed25519 b/machines/secrets/devkey_ed25519 new file mode 100644 index 0000000..7f8774d --- /dev/null +++ b/machines/secrets/devkey_ed25519 @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwgAAAJgdrbX3Ha21 +9wAAAAtzc2gtZWQyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwg +AAAECaQfylNoG/uN8fozvq3loBLWQ3gIKPOGnZpwyHUlAMO2meyBkJbC8RMkqhl/tAUoIt +pSePyGKhyL5J7ArxxRTCAAAADmthbGlwc29AY2VsaW5lAQIDBAUGBw== +-----END OPENSSH PRIVATE KEY----- 
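Review bot: The `.*dummy\.yaml$` rule makes every file matching that name decryptable by anyone holding a clone, because the private half of the `machine_dummy` recipient is presumably derivable from `machines/secrets/devkey_ed25519`, which the same commit adds to the repository in plaintext. That is acceptable for fixtures, but the one-line `#this dummy key is used for testing.` comment should state the consequence, e.g. `# PUBLIC test key: anyone with this repo can decrypt any *dummy.yaml, so never put real values in one.` The key file's trailing comment `kalipso@celine` reads like a personal user key rather than a freshly generated throwaway; confirm it appears in no `authorized_keys` and was created solely for these test VMs. The creation rule that follows (`moderatio/secrets/secrets.yaml$`) begins in this hunk but its key list continues past it.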
diff --git a/machines/secrets/devkey_ed25519.pub b/machines/secrets/devkey_ed25519.pub new file mode 100644 index 0000000..3469bbb --- /dev/null +++ b/machines/secrets/devkey_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmeyBkJbC8RMkqhl/tAUoItpSePyGKhyL5J7ArxxRTC kalipso@celine diff --git a/machines/vpn/dummy.yaml b/machines/vpn/dummy.yaml new file mode 100644 index 0000000..e053fed --- /dev/null +++ b/machines/vpn/dummy.yaml 
@@ -0,0 +1,68 @@ +wg_private: ENC[AES256_GCM,data:4mE0dbYZfOX7RUfZAH16UYabnr7+5XDyhwR4HqpbdQMRKjfAcwz9QrmFE7M=,iv:zrY6dFa613EUlyb80bdAePXEL+aA1eEXBMbmj5lFLUE=,tag:fihRa+Bw5tzXVyMfgGsLqw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMFk2bzE3OG9VR0VqOTIz + UEQySS9SUnRmMDFqVTg1dks3WTZvbE13VGxVCitHVE1SVlBlYkZwejNlWWNMTVhF + M2EzSFRmS3lFd1VPMHRpMjhtMVgyVDQKLS0tIGJObk1kcWlaeUhveHdrY1BEQkh4 + WTJua1FvNFFtMDFGWE9ZaW9wWFoxcncKlYHjkzlUj+rBPmXK/jj9XCUoGrQ4vBXH + ZTItzrbCI30juPjy6dJ0ffZF2ILvJLUdwurz4lZFybNuUjhE2sAY+A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5S1dhZUVpT3NMaGR4eEhV + dUxvUGVvMUtPbWhEQnpJd3Y1YTBYbm1QMTBVCmpQbkhvM3VWV2MvcmY2RVhVOWdy + MVZxK201bmcwVHlwUlFnb0p5eGFNNGsKLS0tIDlrc1ErS0NiRUJ0UFZnNHNNSk9m + U2xLQVhoS2NxNUVvcGZBYW9VVkZNOUEKeCpijhxpkAxCB9/iIQmek03mj7b14sqs + CuGKgoeq7C6eG1PK3I8MzGplQMyCpEFQ+33KMj0vGwktpv/eVzC8/w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-19T21:35:59Z" + mac: ENC[AES256_GCM,data:qp4nMAEwr/nZ2FjbXHhW2A4iSPc9PKAMQIWXMkJ6Mttia2whYDVH4oRhsfxs6xR7hixwAb/Q8dVPEgQYutWfzaXCIb6cfY1t9wCdgam4PIFyTCRHWnhnMCHFyOtMjJ6v/Kd/ERuFzAjZgi1yA4p9xePB6wwg2PjO3Amwu8yfZWU=,iv:z5gk9/KOhx/NNsa0TVza8WBG6CGUvos115idt6rG83I=,tag:W9PIGkBGQvvMbDcS6gTQhQ==,type:str] + pgp: + - created_at: "2025-01-19T21:35:34Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMA5HdvEwzh/H7AQwAoO2gRS+Vwu+5KZ4V2ReXPcjFcEUb6aoYe8PNUhjBu0yE + hs4lhWGy53BdupQ+cyxk0U+L6UhOjTfIAYE9emqTDlF5OImN/379j9NfiPe/K0/8 + ylSOuzNgVmTpsXlHGaXE2wk0ADp1P9mZUwbJ5vHCtm+ZFe5HCuTrB61drIU0fEYw + NVCaARK/IRn5eAlPCjPuW1mhKP+3HNGMQszqCRKMU5kLZPzjqsHmEITSFJ5bVtAu + fLRtF8SyJpHgvyw1AH1IX6I+/lrDRQro0oD/0LcC1Nay9n86WIWhA/VbotyFCkI2 + 
gZtV0IQq05mxO11DycgxlDLQk6nqiqDDjWv/8kj23HnQ3BAO6SXLKhHWq9rH8EOX + wkee7RHc09GWNcGL93YMkjIHWJyitphpU/NtTmEpTptzry5vPfittPaZ+zU+MF8G + REyft2X9Aj7UWcL1w3kbX9BDWuxImcirWWCShHakSrzAlpuIoXVQA6MCl6/Jr2Ve + lLx3lDX+BiSpU01zY32q0lgBOGcSEcRVXTiYO00EoJbIiEMwqm1aAXQzaCvhCCpP + 54NsNzZ4eoGL0DmioKwzLbv1CpIJs3w0k6StfOtTCPKdlL99k24Z8GyJ44UnkhCe + V32jGc/yCong + =OZSD + -----END PGP MESSAGE----- + fp: c4639370c41133a738f643a591ddbc4c3387f1fb + - created_at: "2025-01-19T21:35:34Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA98TrrsQEbXUARAAhnd9Z1gekp4XWw+gcWK5j9mXWP7XS/FGNXmmCUBKec1j + zXzMJjG1YZyCYmqj3XGFMFwg2Ex6pBPoOTzOL2VOGd9mZvHjh0MGtuUopg1GprE7 + NoyrYlV2UikyBSzVlsvykyNCYWfEt0uDotnGIK0NXYzfWfqgw+ImAH/PvNRY4nIB + wxI/Ze100ITAN7Dop9d6MFUZbrYKZTMsO8w5Z7TWHRPzFWH//XZjY7UpxvNVP1oJ + RXqqo2I97P0c6H7s17+xw6ZjyE0Qoin1gq4XSMHc4l8o+3D7fWecoTLxcjma5gvY + SMVCYeSrI2kc8DJ2RVeXdDlEP7SS3bwPNaE4Tklxv1rE+CUuYQ1X6dkPVKnKLfRS + Lwy614LDAarZmvXc3jPgFkpG+grE80PAStzOze0eWyZA/oCAI3/CS+yaeBAI4viz + UEkNmCMTZu1eXyIurC/suTOdq4nehGlD/2F8EKU+Y/6f6J2wHUJdvLjNxOuAOHd0 + lGSu61gt/b2PFy/aHqFgQaZCPUMJ8UfK8JQ66zOIUW3HzsXOsvVqo/8DMQRIw7/z + 3tZ43LPjmIeCRFwPfbIbeThoZmq1SPejkzadxDEwD3U0YAiblBJ2E+AyEDiKqP/N + D+NRN5Ta0ySAmGOyYgDES8QDDBQGA4cSZak7pMidCrSbAagNyYNg3Qrowc0aG93S + WAFD/Q4EtOdM6kveLdbDkPX/bAiCFwhzSCtDVkLAPxfrkw/a+az6emPWmImML5FT + to3vvXendrd9+u6uSNK5acuwzW2cW8GM4gLC90+p/kRFJukiGJbl400= + =6Gw4 + -----END PGP MESSAGE----- + fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/outputs.nix b/outputs.nix index ba0dd47..8bc2d11 100644 --- a/outputs.nix +++ b/outputs.nix 
@@ -110,8 +110,19 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems in result // { # boot any machine in a microvm - "${host}-vm-withssh" = (self.nixosConfigurations.${host}.extendModules { + "${host}-vm-withsops" = (self.nixosConfigurations.${host}.extendModules { modules = [{ + sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml; + + environment.etc = { + devHostKey.source = ./machines/secrets/devkey_ed25519; + }; + + services.openssh.hostKeys = [{ + path = "/etc/devHostKey"; + type = "ed25519"; + }]; + microvm = { mem = pkgs.lib.mkForce 4096; hypervisor = pkgs.lib.mkForce "qemu"; @@ -122,20 +133,11 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems source = "/nix/store"; mountPoint = "/nix/.ro-store"; } - { - source = "/etc/ssh"; - mountPoint = "/etc/ssh"; - tag = "etcssh"; - } ]; }; boot.isContainer = pkgs.lib.mkForce false; users.users.root.password = ""; fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs"; - fileSystems."/etc/ssh" = { - depends = [ "/etc" ]; - neededForBoot = true; - }; services.getty.helpLine = '' Log in as "root" with an empty password. Use "reboot" to shut qemu down. -- 2.51.2 From 5f780e17eb694a57ae3c6645df52f0fe02468bbb Mon Sep 17 00:00:00 2001 From: kalipso Date: Sun, 19 Jan 2025 23:39:51 +0100 Subject: [PATCH 03/12] [nextcloud] add dummy secrets --- machines/nextcloud/dummy.yaml | 68 +++++++++++++++++++++++++++++++++++ outputs.nix | 6 +++- 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 machines/nextcloud/dummy.yaml diff --git a/machines/nextcloud/dummy.yaml b/machines/nextcloud/dummy.yaml new file mode 100644 index 0000000..0f70130 --- /dev/null +++ b/machines/nextcloud/dummy.yaml 
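Review bot: `environment.etc.devHostKey.source = ./machines/secrets/devkey_ed25519` places the private key in the world-readable Nix store and, with no `mode` given, installs it under `/etc` with the `environment.etc` default permissions, so sshd will most likely refuse it as an unprotected private key; `mode = "0600";` belongs here (patch 03 adds it), and the store copy stays readable regardless, which is tolerable only because this key is already public in git. `services.openssh.hostKeys` is set without `mkForce`, so it merges with any `hostKeys` list the host's own configuration defines instead of replacing it; `pkgs.lib.mkForce [ { path = "/etc/devHostKey"; type = "ed25519"; } ]` would make the test VM's key set explicit. `sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml` also fails evaluation for any host without a dummy file, so either every host needs one or the attribute should be guarded with `builtins.pathExists`. The enclosing `foldl'` body starts before this hunk.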
@@ -0,0 +1,68 @@ +nextcloudAdminPass: ENC[AES256_GCM,data:4GvCg7g=,iv:3m2Vh86WzrVR7BG0xlNwRE9ebIGLWbVdcxoYC9x7dXo=,tag:t2bWTVlw9rHSVnkXW8ZTFQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbTYrcUV3Wk0xSDM1Mm0w + TkoxZHBFUXFBSC80YzkwV3paWGpRaFY2WndZClh1c0xmNWpWMjFXOS9OYU9OU2Mx + c3NEREczaDkvNC90eERwb0RKUlNZemsKLS0tIEp1VWZISXZoWFNuRC9mVE1JUmc3 + bUNFd2dyRGludFQ3MzdiRzFTcXUwWlkKFGd8Uvfu2W1LejgQFpF162JnVmfPxAuX + IQ3oopYXUBM3QqCXGLTY3DBffD4WZ4AXyGLsfUtwn3kcvjQ85ewidw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraEtDblNxMGY0NlhzcDdM + RFo2VGI1UFE4eVdZdDZ5ZTNKRUFCRWFHOWdBCkRBaGk2WmYxK2ovbHQrSGl3akVp + TUhxck83Q1NVQy9VU0lXOEVraGtOZ1UKLS0tIDYxS0hHSW1nZW9hOTFJNCtheU1x + ZXk2b1RVd1FoYk4xTGxKQ1cxZmVJalkKkC5XckyrgwfqaeVq+OjNCzAtKKiCf7Q9 + sC9ZMlPoOAm8xpLEpWgNooOBa04YsDEe9XgN8S0HrVxt/NHlnS5+ow== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-19T22:23:37Z" + mac: ENC[AES256_GCM,data:ZVMA4qgliSASQ0LtuedU4pybVwJA0x4vdSlOspsTF22s9DjRbG2tA7PpxTqDBGliBqS4w5J6Rqp3OSF7zddZ23GOz72sOZv0WY5YGeYxIltT7RWSMRkhkwXoM8Pf3BOYCZ4Gy8zaMVnbwbhHZ9LZI6wulh19SDKBV965moUW+Z0=,iv:tmz8C1kGUZq8gfzTHoaU/8RfrT5ohLqA11H42l7TEv0=,tag:E3AV6t2bbKASeVI2G3kNYA==,type:str] + pgp: + - created_at: "2025-01-19T22:23:26Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMA5HdvEwzh/H7AQwAsbbUEzSg7iETqT40w/+qjJ+iuHUeeZ+NFMPVVedbLuZX + /gPPSJ3JSx3wxJke+QPX/OUiRxXwGBZ5yg7CDoc+RrrdaavazuOUGISL38KPQiin + TmUq4nY6nWjMqHPSaQ+NiGxRpIErCQCUx6YEdi4YgHhf9J4KEg0f7ueR5wWlfzx4 + c7pXkEubFpPy4v45mh8sYXOQTa2yt2keprJ6iqmfL/HKnCJf1TBFxJAvwnPuKDfe + npvE4Pk5hcoKjFQNsqpnz7Etc8XfAYXSCXSLKfSaZNSeXQRhE1lHLH9OPnC46li7 + 
Dw6SPW0/4MTJrg08JvrNeogQ1QohLT4mkfAnASVUUeGFaF7UhztVoodqMsG8kuhD + LtmYv625h3j/QqshpFPGe8nJG1DziE4YHngxvgToIC+6+Q2x47ciulpimlpt6b6w + s+mGEVlJLSoJMd9jwE53PMXteBYKWgSEL7osj1V5KIJDFSgwfjYEngCkuyxjf8e3 + uYxb1WEadSyLhW8xnoyE0lYB6WI8m6j2Ls9TFG7kKtQqrnVSZd2nsKk/5wPVIAXO + nrMtb4Q88PLM1eusiLgCs592owKHoWVYqBRpi79EBlnGZwmTfDQzTsQlL7aQCbIo + kBI1swNH3g== + =K/IK + -----END PGP MESSAGE----- + fp: c4639370c41133a738f643a591ddbc4c3387f1fb + - created_at: "2025-01-19T22:23:26Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA98TrrsQEbXUAQ/7BGOQn8xVX9IOFHnUXKdiw/+fcXHu0L7CLuhcEfpZRJNI + vIbztLTH5gT59SkS07cIEcYWqERO+gjK6pZLCxmYO/c15YDWCv1PtS4YHZAET+ow + YHzBTZDq2k+pV/cTbUtJgGYOxuqkqUtflyGZSQM+NjSXu4In83u+nwkEaKSxcaWt + q9rrYVkBUiika2FYtyehoCoDuyJzNmfGhZ9CPJaUzrSzuRLQZy6Hdg8TDPTzGqi4 + awo53eOdsEpNu1AQ5rnJ19RFLU63IQlwEnApnXZZ+AX8J2//KgLOcAqjo5skJuN1 + EJBh4DjfmOdCCN3uRccNiDn9YYrPP5Jl3jfnkMUQ2gVEE/c5ib84hvjc+y9Eh1jJ + s2JqhfX+ccV5kuva1q1CuTUCHQVEKahJAvghl77JQjtUY6Lf+5QLeKbchUnwxaIN + v6MwZmdCwBJOS40SnA+Ft2g9psho4MIPXtu4DR4t5VWvhrmw2cl7TCffQslWETxE + 267PHQegcO40skEOYwkLSv7PWycL3YUg/EfPuElAobqlM45UQA/lcC5seV0WvEPB + Lj+Pk8stY3LZ5wpblmmA72PyJhTq7ghsPvxlyRByHIS8v94gu5Zasbi63WGmxgPA + mt/M/HIQEf2XOOKuJnGJ3yDwLTAHAgFa0jlIgvt4gkuhm5ibcHLmedBh4ecRNfDS + VgFA4UwqUKN1XYTWOvT1vlxE9UE+dgVO0QNMX8yw1ivmL2eyPUk8HtIpKbuDLFIC + iKwHMtUIW/q7UPmfKLRbDumimG/290GXxN24ouiN8AR0dCXK9oor + =EsRn + -----END PGP MESSAGE----- + fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/outputs.nix b/outputs.nix index 8bc2d11..6c2b5bc 100644 --- a/outputs.nix +++ b/outputs.nix 
@@ -45,6 +45,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh); scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh); }; + packages = { docs = pkgs.stdenv.mkDerivation { name = "malobeo-docs"; @@ -115,7 +116,10 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml; environment.etc = { - devHostKey.source = ./machines/secrets/devkey_ed25519; + devHostKey = { + source = ./machines/secrets/devkey_ed25519; + mode = "0600"; + }; }; services.openssh.hostKeys = [{ -- 2.51.2 From 015c3260429f979683d13665eb3e335a06cd17bc Mon Sep 17 00:00:00 2001 From: kalipso Date: Sun, 19 Jan 2025 23:40:15 +0100 Subject: [PATCH 04/12] [nix] rm vm interface overwrite --- outputs.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/outputs.nix b/outputs.nix index 6c2b5bc..4a4893c 100644 --- a/outputs.nix +++ b/outputs.nix @@ -83,11 +83,6 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems source = "/nix/store"; mountPoint = "/nix/.ro-store"; }]; - interfaces = pkgs.lib.mkForce [{ - type = "user"; - id = "eth0"; - mac = "02:23:de:ad:be:ef"; - }]; }; boot.isContainer = pkgs.lib.mkForce false; users.users.root.password = ""; -- 2.51.2 From 7431209bc289eb9ae2956cf4aad8e7732a840729 Mon Sep 17 00:00:00 2001 From: kalipso Date: Sun, 19 Jan 2025 23:44:51 +0100 Subject: [PATCH 05/12] [durruti] rm secrets.yaml - currently empty --- machines/durruti/configuration.nix | 3 -- machines/durruti/secrets.yaml | 70 ------------------------------ 2 files changed, 73 deletions(-) delete mode 100644 machines/durruti/secrets.yaml diff --git a/machines/durruti/configuration.nix b/machines/durruti/configuration.nix index 0285dce..b77b87d 100644 
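Review bot: The reason for `mode = "0600"` on `devHostKey` is not recorded, so a comment such as `# sshd refuses to load a host key readable by other users` would keep the next reader from dropping it. The tighter mode only covers the `/etc` copy; the key remains world-readable in the Nix store via `source = ./machines/secrets/devkey_ed25519`, which is fine for a published test key but is the reason it must never be reused for anything real. The surrounding `-vm-withsops` module starts before this hunk.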
--- a/machines/durruti/configuration.nix +++ b/machines/durruti/configuration.nix @@ -3,8 +3,6 @@ with lib; { - sops.defaultSopsFile = ./secrets.yaml; - networking = { hostName = mkDefault "durruti"; useDHCP = false; @@ -20,7 +18,6 @@ with lib; ]; imports = [ - inputs.ep3-bs.nixosModules.ep3-bs inputs.tasklist.nixosModules.malobeo-tasklist ./documentation.nix diff --git a/machines/durruti/secrets.yaml b/machines/durruti/secrets.yaml deleted file mode 100644 index a769066..0000000 --- a/machines/durruti/secrets.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -hello: ENC[AES256_GCM,data:MKKsvoFlHX6h4qazxcjl/RE1ZsK64G926k4hgFW3AkoJgXO1QXmTaRG7ZBgS8A==,iv:hoFbcNRkge24xJfLZJH651jB4NnXCjYAdTrirkans+4=,tag:68AyEHamlGxdmSJGkTGbsA==,type:str] -ep3bsDb: ENC[AES256_GCM,data:Z4ZYRaV/eCkaW5Ma+88hbl1o8qsI7PANrIHXoLdIOqIGFLPt7dw=,iv:BCVM+PeGm2NRcvBBy0kId1iVOD/uoiVKKBDA03p0QFM=,tag:CMypO3RLOhvHdVG5YvWewg==,type:str] -ep3bsMail: ENC[AES256_GCM,data:rZhRb/+gs0Lm8Gdi2P2FMe15A344b88TRg==,iv:hEIG2CBcMslg3hmH3ST3bu6tmes01jncQ3V7h5KcuhA=,tag:XAHdMAlVZNyMdp4TznWDQQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEay9wZGM5elhUd2RqVFdJ - aHFhRVNiY0lzZEZzSkVvcVlMT1FmMXN4YzNrCkE3SnprNUJ6Ty9hUGZhbzNEVit4 - THpoUnMyNmQ2Q3Z0SlR6cDFzeE9BaDAKLS0tIHFpbFJadTdtb2s2T2hmMWFBTlBV - azZzNXBTRVFoUGtJaGpPdzlDNVpYcjAKd/9v8gn3jbMEK+UPipI8cIufCoWwWfS/ - kI9zLws/jtjhRZLNHJaXWz7CjAEwKA+6NOQA3pwZaeS1QKwSmeRdZA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc1o2eTlFc1l4YjVOUHdM - S1F2RG9PQWwyd2VYSmJmVzE4cWNSSEt5WUJZCjlwaWNJWFNHNnZkUVBwdVJUbVNi - WjdYZ2dENVIydWw4WHJmckF0ZjRLWXMKLS0tIDRsNXNSRnZkVzFkSHpDSWgrSEhv - bjBqRlYzcGIvNzhLbjdUbmFhMkU2RXMKsgkwNqQeP40boqriANQg13YKKwMz9iTZ - Vw1wYVeQmo4En7c4yAztqBriVoTNsbWkkvGw0P4z37B+6ll8kdEMSQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-26T10:07:26Z" - mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str] - pgp: - - created_at: "2024-12-19T15:09:01Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - 
hQGMA5HdvEwzh/H7AQv+K+G7MhXO0RlQENydEstPcMV5vAgkzL06kiN3wXpeOPmj - 2gwdNcbOLtcXV8a4mH6xGZPkKOV8xjkybp7Myicll6YDs+4Uw3qRTUmCyZ0BC2Wc - WDrTMz/lCx1gZGVa99KgHaLmALhZbEO/R08qW52Xkwmcvg1GdM22RtB12L+c8JPB - +RR/pLR4UCTfN21uS2CJ33bJnAayfi+s/maGYsElZkH/zoPtDBxF/ntk7g/xeN13 - Jymg1Ofmjm8JT0FPe8RE7Er/qXlxsG46GVj964chCtljz3NgL76tgC207E8CLUJq - rVqGKU0PO6h924uNmVON+JI1CeyCsjejsFOGaS8kOEAwEgCoeICqiqkTbtUCU21K - 4C7J3mFwhAL+F2IueOY8NZxEV4tMJoY6JZ8c8wtM4Gl6JePlkFRX8LhuO/Bw2VJ9 - cuGlkIIg3pA94U6Hql7LwLZbIkquI7SWGx7IHOhk/4qtCUlEn4t40JdN4PbA0bz2 - Cde3+6zFOkX0m1BXkj4f0lgBIOfcPsXmY8ho4isVd9+v7arbE2WSZ6IBG75cx0a1 - 4LYx3QWTLlujiDIc5arhBgpB2ceO8lFTARnoLLqG6y1T+w6UNoVHQZ4n987SpWkk - EKQxUDnO8Nvb - =1PHB - -----END PGP MESSAGE----- - fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2024-12-19T15:09:01Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA98TrrsQEbXUARAAhfUKm9iR11pU0U44IDfwa7NRRurim8GOPX4FWwJJORNL - q85xGM0jA/k8JRsOdsjfHb4/khHtG8cl+t09nEBxTeeb7mKdiOXfsxrvHEf6qeUw - F/DQGoaxk+ISXW4iMcV0CPYciLb7kSHCqVFovmmTGlI9fMXryKl3UpP/nzzz9Zk2 - 5cXLmbQqeQVsp17Dw5x7rglkTlx8+W7Z1tDHlHrycxzh6LYpJ7QX54EHM8JgMjw/ - WREO0qnJMt6C0qp8e3KWhYhMHIidM3WexJR9ixBICxevy0QwvNult0ryOZMc+nTY - 48sXxCTebnLspiFBS5OsagGxNgwMixydfKv0ci8E7FyB84jwq7XriiQRzYfzU/6L - wEPapKrXno0F7wyiiesl/HKdLkOujFIhAl7P1ZNHQLcDuzDCqSo2xd7dbUsbPLcR - BUNcfc0VK3TEJks1lXkO5C1PeYEy+NgsJnEQ2lrnAbmKDxpH6qOA2KSGh12uZnHp - 7kk/hRclVnygkcQc6j71eOyprQms2VjU6fVy2dED+ucjvogrceWWSUkuP6GQEqZV - bPhLxpMMw6cIWcTLZIEqLRQv9EqibIFEohkUh9A2TL7XxPb6MEhsRXKTsmMqzdiH - /xUwxH3w0w8CrEheVvxGxQi7B4XWC9jHGN+KvJGisrLeGpl/wJ8NKcqOSasB4fLS - WAHQxsAnNtNj5rV/BQJHr8lvX+ebJkMpCEBmIdQUeX4WVegr3HkDF34EWoqVfzV2 - T0ZUaCXNI+tdmvJji9MPd1ZFrTgF5XuFjQxMP1uPI6gannH9InvBXvY= - =5AlZ - -----END PGP MESSAGE----- - fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 - unencrypted_suffix: _unencrypted - version: 3.8.1 -- 2.51.2 From ba6e219d641beac8e69767232f868e2e353dc3cc Mon Sep 17 00:00:00 2001 
From: kalipso Date: Sun, 19 Jan 2025 23:47:41 +0100 Subject: [PATCH 06/12] [fanny] init dummy secrets --- machines/fanny/dummy.yaml | 68 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 machines/fanny/dummy.yaml diff --git a/machines/fanny/dummy.yaml b/machines/fanny/dummy.yaml new file mode 100644 index 0000000..1edbe77 --- /dev/null +++ b/machines/fanny/dummy.yaml 
@@ -0,0 +1,68 @@ +wg_private: ENC[AES256_GCM,data:YEmIfgtyHE9msYijva0Ye2w7shVmYBPZ3mcKRF7Cy20xa6yHEUQ0kC2OWnM=,iv:ouK6fHcrxrEtsmiPmtCz9Ca8Ec1algOifrgZSBNHi74=,tag:524e/SQt++hwVyeWruCsLg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIVnB0dDdQT0tNSUJDSlhx + QVFoVTZlb01MbVBwM2V2MGdGZFJTWm1FTW5nCkN5V0Y5MEp4K2FiU0xNVlRQM2xN + SFJEWFFwTGhQWWwzNjlFN3NiakNBMnMKLS0tIE9MRHdnVHVYTG5rR1lGazdlK0Nv + cmZiN0R5OW9vaitZb0JIa2srdmNMRjAKYlL4e8hfB0YuVNLM65yyvvCKl6EAF6E5 + YkAidAO5MY/wo1SDFQMeDub0Uso1QuNexYUZt7kzotvuPOzgywUORA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZ25EdmdWVjAwWGhiVDRa + cU9saUxnSXVDN0NodzI3aXMrTDZRc1FOUUJZCmh6V3lhS1FER2lyMzk5eU1XbXVh + b3JFQ05GdEZTNVFTdFJjN3dTN2xBaXMKLS0tIG15YlVvVHZ5c2pYVmZCaktwRXFx + NjJ5cFdTVS9NZmVWMjcrcHo2WDZEZDgKiDwkuUn90cDmidwYGZBb5qp+4R1HafV0 + vMQfjT9GrwB5K/O1GumOmvbzLNhvO2vRZJhfVHzyHLzQK64abQgF5Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-19T22:46:09Z" + mac: ENC[AES256_GCM,data:eU3SIqAGrgbO2tz4zH1tgYcif7oe5j+/wmdYl2xXXI+D6IhiKrTJGvzE3rd3ElEpb+Bg0UQId952U2Ut0yPTfxGLtdlbJA66CmhLAksByoJ8lOXUcp/qDyA4yMRSuwYG2v7uF2crvue9fyRfZ7hl7abE/Q7Z2UjOKqhSZC5cO3U=,iv:NmCVvtBWZRzhpr5nMLy+98VuQZWoUms7xFSxq8PMvBA=,tag:UWjA7oqoNWh4wb0myNg7FA==,type:str] + pgp: + - created_at: "2025-01-19T22:45:26Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMA5HdvEwzh/H7AQv/fLoi/LsDTN6tDdw0rWQg1iG/6oFFxcYO44XU2vCd13Ql + okvR1ZtvXtnM/FwTboK2KjxahkuAbapXXEvfWJ2W+d2L38aYxCPe/ryQhjrUP/jJ + 4IjFSa5R6oWca9i5Apue5In71ACzGCF/v2oyNAF4fSDX7Q+YKOMiwaDatfOAKp5v + JlkcfIq6WBR+gKZsTCfLunURNJoKu7jz35OUJDmzyZl9u/xV0ENveQxaKa3hj87s + hb7RGXqph6WWhigy+rtTqYQNjycRDHuspb2GgGE5N7OYteZo/XxA3tDz2EWVCYx+ + 
g8aEEvxHK3qEIcWbgmbKXNPNSH/CG1XQFaUhdSnkg5lMJsBuYToeNsPTS0o866k1 + wmoiI3nT2KtnV2SeR3UUMNDqSDl5unLgBCrbDi0m3Sqt9ubjCfuOYN2T19WvAMZx + CwB33mVAevPy4Qs5IjPad1WtiaUFulkfJFd1iCM9dhA0RDxbIJRaVGCjqnaE4lW4 + yP25uKoEUSitgr5nLk000lgBQBkE3obMFZ+DPoNaqupremevGJ71LyjJhXwgzQvk + 7pwQXBZWybBFFcH7wDurSIJMqE1KP24Krshm7aR9yVNd3mEz7v2T5pbUywTP8H1I + TkFpiaZ7OG8G + =VXoo + -----END PGP MESSAGE----- + fp: c4639370c41133a738f643a591ddbc4c3387f1fb + - created_at: "2025-01-19T22:45:26Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA98TrrsQEbXUARAAmhiwA8S+wZ0wiyIJwmRyLMWj3Xm95dTnEoeZmJ2I3O4g + 0szCKLdW8eUWrjZML09ByPYXQINkuyUR+g72+/ALEr9F587GxWDdMwcwLSlIYlX0 + 3GwnJ7ACv/uTZjK24AXno3TkffPQy+rRQwXkpmUz7CMCeH/WRmVtf1LFUuxgbcrj + Kmx9x52dn+ae5JOeMkEu4t8lAtI1pv1JRPnm6RIqK2N7VBRGjiD9SiyJiwLqV2GN + 7N+vepFhbBKPzt+CFpnPWnFePb+TtQmAdJVULedlFPLcJGsPMloEXSuunK2eKveB + Vj1NO80i8PEVup02IlEabp+H7eYV8wZOviAJ7HGVhpw6kxD1tqO98KeSFfhuqbul + ijaeF2COgf9lioR6Y8T+RhTqeEZK85U/OGXgiM7MdTdYQV9BrY5nR5XSYIrK6zl9 + TlS24DdM/Sd2939o+wdtgpm0FNQjW3WwA3n2QE/rqjQ6z2pyCTH16yRalAgHKNk/ + B3uDGxIO5ua6xZwPzFrOB7uKggB8W/lx1eyAT53Lv7MTRp9PW6mm+NoVkNIzmCYa + 5G2Y/bluKRt39O6UuSVrN8YLcyYCC+xYUfQf4Lr6/CwZ/XbgMTYm29+IgkOkgoS0 + UxPcmXUgxi98lu5IhdIwWTNtaWEvT9adwmd3bxebWgDmUvK5QxAc7BYUnGIe+C7S + WAHA1m5OEQrNFLKGTSha/K20cDAoV2f4IAykRRWD3zieBAP3rzsIv78mgrMBIWP6 + z1L41UXlBToKfcw8TI9XKIlYId/asI7mR+bqT3oLSdni8qr32VpRjZ0= + =MPBp + -----END PGP MESSAGE----- + fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 + unencrypted_suffix: _unencrypted + version: 3.9.2 -- 2.51.2 From fe9ff06aae274f2f82723448495da0b565b0b42d Mon Sep 17 00:00:00 2001 From: kalipso Date: Sun, 19 Jan 2025 23:47:50 +0100 Subject: [PATCH 07/12] [lucia] init dummy secrets --- machines/lucia/dummy.yaml | 70 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 machines/lucia/dummy.yaml diff --git a/machines/lucia/dummy.yaml b/machines/lucia/dummy.yaml new file mode 100644 index 0000000..307560e --- /dev/null 
+++ b/machines/lucia/dummy.yaml 
@@ -0,0 +1,70 @@ +hello: ENC[AES256_GCM,data:ehp7eckur8THsbnSUcFYobA2SVDORUpqBcPTWC6/EvunlZbihaJoDoSfSh4Itg==,iv:nEHRg9TfYVdmJgrBs62Tek/3JhwFz8BMKHph4ThUqA8=,tag:1h2DSiOk4khxhRc7YX9ljg==,type:str] +njala_api_key: ENC[AES256_GCM,data:vGH79aN2m1rZ0278ydoCQ0U5393HL0AZlajTVWcRbD+/V7QREN7ROW2LrdVK95I0cxobmJQ=,iv:vMpFTwWkC0R1/J9fZaks7c0G1Vj64/ryRkN5EgpWCdU=,tag:g2MJADBrJYTbmj2bhUQ8UA==,type:str] +wireguard_private: ENC[AES256_GCM,data:T4c0qdFZdrwRU9i+nzAdg4ePEVXyeG4e/zNyn8G9Kd//Fwu1woNhQiyDuAo=,iv:VGPCSeU+RqjUdUlLA+RaCXQZK6AMdE4BwOdxM3whwaM=,tag:pXOwj3zxuFRpv2TInjISuw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArU0lpUjBadHc2c1lPMUtv + dmtqRTd0OEd6TnJrQjJaaFFaMjQ0MWlONEJZClBrdVNMb2xhK2RXRzlmN2dmTzZk + SStWSzVGbWdqNEFpMnc3RFdpYWNEcTQKLS0tIDY0SlBvcmJ5RjFKTHQyN3lpSEZ2 + Z3hTOHN2VWVPMENVS1YzR0Z6Y0MxZmMKf0K43yWL7DE15wqEWb6Z0xsQ3nb1Ybyi + 0gKxb3hTeoWJnJug3hWyeAJvAJ4pzaA5v8PonnSIJK4UxBUnr+5nGw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIa0pnOGFlYU5OenJvWGhl + TjFhU0NyWmprRDY3ZWIrRHdmSVBMS3pER3dZCmVQdlVYQ0pFRTBwZXQ1Z1V5ODVK + dkREdEpsYk1MMm5kZU1hUEJYRWZDVjAKLS0tIHdsUjJTaURjaGErclJadTF0clhh + aStSbDZ6NWtFZ2NrNHY1a29DTmo4bGcKfZZjFA2j5RgMf0crK8TV67iVizzmXvBR + 6tePJuCePnNDOoZ7WV5YThxYOPSTI1QvfEvcC1qo7l3Kca9jdkkfbQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-19T22:46:57Z" + mac: ENC[AES256_GCM,data:GIRj11bDZi38RobJvGoOf5geN42gaGk3294EvB21M/Y+lAsDOUUUbU1fQbBPRUsYvA/lyuHMQWRORTdy0LdjN9ejzwcuev8+j4i6A1zwPSmjIL2+Jp2pBqQj0F6th27hECJlh0wK3vU/aNcccRJP9kEgRME+7FS5uYw9r+ZPJWk=,iv:CUgdVr1b3O4niYTSFokA9uWR3ceiU+6qo+3N+K1BZ3Q=,tag:AERU8MZWHqVsZ+zbT27WIg==,type:str] + pgp: + - created_at: "2025-01-19T22:46:34Z" + enc: 
|- + -----BEGIN PGP MESSAGE----- + + hQGMA5HdvEwzh/H7AQwAqm3KeXNDFMwVoz9qIIqtNHR+KIcdvdRTlG0GA5BEBiHp + hSGkyK/Ni3GGX0WYU5Cf85Id/eEoxqDqDd9kX6MSZK3LBnH+hFy4JiSPENVpmwfQ + eONaMwdfwI+/5ZfquVj/AApTXZ8ENhdBzLTuAfIa2hGPDwwkajzkVIg18TZOvKG6 + f2wiEpnSOVHKnPcGhI1dGxN9TqqN74IUoPhThRzQ79l9RcTEZVClos9IPOhaPfk0 + TvcBQez3G5Mn8W+s7kg4rl7g6XRZqjcaOuNwopB0x+Dx+alZExsTR6A+1Gf+29a+ + ELwQYg2mkKUi48vrcKXxz+OMhW7V7wuXQIjLP4jULc7LI3ShRP8z4QKy7asOVRBh + XPjxRJ2RcTtEHYUoW3guzoZGSiPW/ex2fcupwaSRDG2GQ/ImiB5dmXSaG2va1MbX + z93Ej7Gy2IURglWCK29v4mJiqtDzq8/GNztT7zezHxyUAjjuJ59qXzFF/MQPibxY + p3dTfkNNrTqrCQnrFa8k0lgBtKmvz/HO3eCguXVMNgOt+BmfZbJqq+AD8HKYNxaM + W0A+9WRmYXcOEUqfaoX9IE9LhgqDd/xgpW4CujUZrXRYgf4IokSm/MFAD/ZnoxKm + n2My3wf5PCNd + =oUOe + -----END PGP MESSAGE----- + fp: c4639370c41133a738f643a591ddbc4c3387f1fb + - created_at: "2025-01-19T22:46:34Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA98TrrsQEbXUAQ/9HD1muIaf8us6XE5hGfrXuy5axFeJNBtc8igo/OP3jCam + M2pjwDNIX3EjsgrK2WYo43Xt7aHW5bqnP+d1faLXJ3I0cMia3XxSLmaKswQRrBSi + P00ew43kBSx0Smwixf5zCSCzBpWrtOXI8monO8xYLtRnSpfKBf/4kc2gQiuAxByd + fxdE/x1et0XXiK038KgHMnYdOIvMTGcpymoSDHk0bDw+ruBqG93cmzOkT4Oc5CsF + oeFN83ku1cGFQr58hUhJ1q5eUTK/lDEVYElGJ2n0pGxThYyrUz3SIzZu3Jbxgs/Q + 2Xok4KsNPEbY2VKz/d3nrwbg2S3VF/CHl9sKxoFK8g3WcEE+HO7BFqvz901H+aUJ + 5mN7stKSs5pViDHusv3Kv2+eT2fPJ4lPU2IEvXkCt3jjB/G0UDz+t6Qn1Wr8PPcO + 8u+QafpILgYTK7QOF88GYstq8iWOWHlN9VKFYfqHMGWkrMtnGRWCbXsNmg7lKh6D + MtdvROsESVDKtydZwBpoQ4ILLROhkoL+eOMzFOgc/i4PWFlva2RBuRnZQNlieq/R + 9aYpGsZbD+YYGjQKhlwwakpWK5XOoqqSh6Fv6Qzonu2Y++Zf9c9zpe+LINlUhxEY + AA1YnxbqvVJCqoBuq5avAd0fivhFDes0OmR7jLZzluotgwUePwBOVGo5l2ow/03S + WAGO2443OWOfbmTi/mq1C/8It1WAkC70XSQbff9pHLd4pRA6XgjMXbJ8+5X0FXRM + H5nWOAaO4Dp6SnccT3Q9zytkm+lXdJL6Rou3PkmP4JBvU535bNv5a3k= + =732R + -----END PGP MESSAGE----- + fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 + unencrypted_suffix: _unencrypted + version: 3.9.2 -- 2.51.2 From eafe7a6b956384d3ec54e529aa2648ba9ce7f9ff Mon Sep 17 00:00:00 2001 
From: kalipso Date: Sun, 19 Jan 2025 23:48:02 +0100 Subject: [PATCH 08/12] [vpn] update dummy secrets --- machines/vpn/dummy.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/machines/vpn/dummy.yaml b/machines/vpn/dummy.yaml index e053fed..c7549a4 100644 --- a/machines/vpn/dummy.yaml +++ b/machines/vpn/dummy.yaml @@ -1,4 +1,4 @@ -wg_private: ENC[AES256_GCM,data:4mE0dbYZfOX7RUfZAH16UYabnr7+5XDyhwR4HqpbdQMRKjfAcwz9QrmFE7M=,iv:zrY6dFa613EUlyb80bdAePXEL+aA1eEXBMbmj5lFLUE=,tag:fihRa+Bw5tzXVyMfgGsLqw==,type:str] +wg_private: ENC[AES256_GCM,data:s+dZfKCfrdZnFKhmCl7u1LRzR5dMflJumh1uVQ5Dktb5teohxDo0zlOR7KE=,iv:N9WSEzGonWNkqix8yaImhvrxpcAEJraWEcTrXORASow=,tag:pKgOmtKJ933FEKZVDHCWWQ==,type:str] sops: kms: [] gcp_kms: [] @@ -23,8 +23,8 @@ sops: U2xLQVhoS2NxNUVvcGZBYW9VVkZNOUEKeCpijhxpkAxCB9/iIQmek03mj7b14sqs CuGKgoeq7C6eG1PK3I8MzGplQMyCpEFQ+33KMj0vGwktpv/eVzC8/w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-19T21:35:59Z" - mac: ENC[AES256_GCM,data:qp4nMAEwr/nZ2FjbXHhW2A4iSPc9PKAMQIWXMkJ6Mttia2whYDVH4oRhsfxs6xR7hixwAb/Q8dVPEgQYutWfzaXCIb6cfY1t9wCdgam4PIFyTCRHWnhnMCHFyOtMjJ6v/Kd/ERuFzAjZgi1yA4p9xePB6wwg2PjO3Amwu8yfZWU=,iv:z5gk9/KOhx/NNsa0TVza8WBG6CGUvos115idt6rG83I=,tag:W9PIGkBGQvvMbDcS6gTQhQ==,type:str] + lastmodified: "2025-01-19T22:47:26Z" + mac: ENC[AES256_GCM,data:DiriXLPnm+08q1Jp1YxjEdsJzFiewQxgu1JDdevo9aGdkq92Xu8cnSxLzWUkh8bEDx4uhjOXvZd3PSU9rWiTh899U3Ou99NiSOgR1+wr5ouR20viCZqIe86YqoZlLJnYs2dlZDhL+ggwFqYJ5wfWbq7OauIVEEdnM/57RyNI2qM=,iv:lwOJi4pVGGHn7+CGq7jAHorOTFtl7ONzzV35ec1uEsg=,tag:DhjloWlsGqM579NafaERIw==,type:str] pgp: - created_at: "2025-01-19T21:35:34Z" enc: |- -- 2.51.2 From 74885a7ce17ecc7530c6f4ca35c39a661badd592 Mon Sep 17 00:00:00 2001 From: kalipso Date: Mon, 20 Jan 2025 02:37:19 +0100 Subject: [PATCH 09/12] [nix] add run-vm script --- outputs.nix | 187 ++++++++++++++++++++++++++++------------------------ 1 file changed, 102 insertions(+), 85 deletions(-) 
diff --git a/outputs.nix b/outputs.nix index 4a4893c..f431122 100644 --- a/outputs.nix +++ b/outputs.nix @@ -14,6 +14,60 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems let pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}"; pkgs = nixpkgs.legacyPackages."${system}"; + + vmMicroVMOverwrites = options: { + microvm = { + mem = pkgs.lib.mkForce 4096; + hypervisor = pkgs.lib.mkForce "qemu"; + socket = pkgs.lib.mkForce null; + shares = pkgs.lib.mkForce [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ]; + interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ + type = "user"; + id = "eth0"; + mac = "02:23:de:ad:be:ef"; + }]); + }; + + boot.initrd.network.ssh.enable = pkgs.lib.mkForce false; + boot.isContainer = pkgs.lib.mkForce false; + users.users.root.password = ""; + fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs"; + services.getty.helpLine = '' + Log in as "root" with an empty password. + Use "reboot" to shut qemu down. + ''; + }; + + vmSopsOverwrites = host: { + sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml; + + environment.etc = { + devHostKey = { + source = ./machines/secrets/devkey_ed25519; + mode = "0600"; + }; + }; + + services.openssh.hostKeys = [{ + path = "/etc/devHostKey"; + type = "ed25519"; + }]; + }; + + buildVM = host: networking: sopsDummy: (self.nixosConfigurations.${host}.extendModules { + modules = [ + (vmMicroVMOverwrites { withNetworking = networking; }) + (if sopsDummy then (vmSopsOverwrites host) else {}) + ] ++ pkgs.lib.optionals (! self.nixosConfigurations.${host}.config ? microvm) [ + microvm.nixosModules.microvm + ]; + }).config.microvm.declaredRunner; in { devShells.default = 
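Review bot: With `--networking` the `mkIf (!options.withNetworking)` guard leaves the host's real `microvm.interfaces` in place while `users.users.root.password = ""` and the public dev host key from `vmSopsOverwrites` still apply, so a bridged test VM can become a root-accessible machine on the LAN (whether sshd accepts that depends on the host's `PermitRootLogin`/`PasswordAuthentication` settings, which are not visible here). Consider forcing `services.openssh.settings.PasswordAuthentication = pkgs.lib.mkForce false;` inside `vmMicroVMOverwrites`, or at least spelling out the exposure in the usage text for `--networking`. Neither helper carries a comment; a header such as `# Test-VM overrides: qemu, 4096 MiB, tmpfs root, empty root password — never deploy` on `vmMicroVMOverwrites` and `# Replaces real sops/ssh host material with the public dev key for local runs` on `vmSopsOverwrites` would help. `options` as a parameter name shadows the conventional NixOS module argument, so `vmOpts` reads less ambiguously. The `let` block these bindings live in begins outside the hunk.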
@@ -38,14 +92,19 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems pkgs.mdbook microvmpkg.microvm ]; + packages = builtins.map (pkgName: self.legacyPackages."${pkgs.system}".scripts.${pkgName}) installed; shellHook = ''echo "Available scripts: ${builtins.concatStringsSep " " installed}"''; }; + legacyPackages = { scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh); scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh); + scripts.run-vm = self.packages.${system}.run-vm; }; + vmBuilder = buildVM; + packages = { docs = pkgs.stdenv.mkDerivation { name = "malobeo-docs"; 
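Review bot: `self.legacyPackages."${pkgs.system}".scripts.${pkgName}` selects the system via `pkgs.system` while the rest of this block uses `${system}` (e.g. `self.packages.${system}.run-vm`); using `${system}` in both keeps the two in step. `vmBuilder = buildVM;` publishes a function as a top-level flake output, which `nix flake check` is likely to flag as an unknown output and which `run-vm` reaches through `--impure --expr`; a short comment like `# consumed by the run-vm script; not a standard flake output` would explain why it is there. `installed` is defined outside the hunk.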
@@ -63,91 +122,44 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems cp -r ./book/* $dest ''; }; - } // - builtins.foldl' - (result: host: - let - inherit (self.nixosConfigurations.${host}) config; - in - result // { - # boot any machine in a microvm - "${host}-vm" = (self.nixosConfigurations.${host}.extendModules { - modules = [{ - microvm = { - mem = pkgs.lib.mkForce 4096; - hypervisor = pkgs.lib.mkForce "qemu"; - socket = pkgs.lib.mkForce null; - shares = pkgs.lib.mkForce [{ - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - }]; - }; - boot.isContainer = pkgs.lib.mkForce false; - users.users.root.password = ""; - fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs"; - services.getty.helpLine = '' - Log in as "root" with an empty password. - Use "reboot" to shut qemu down. - ''; - }] ++ pkgs.lib.optionals (! config ? microvm) [ - microvm.nixosModules.microvm - ]; - }).config.microvm.declaredRunner; - }) - { } - (builtins.attrNames self.nixosConfigurations) // - - builtins.foldl' - (result: host: - let - inherit (self.nixosConfigurations.${host}) config; - in - result // { - # boot any machine in a microvm - "${host}-vm-withsops" = (self.nixosConfigurations.${host}.extendModules { - modules = [{ - sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml; - - environment.etc = { - devHostKey = { - source = ./machines/secrets/devkey_ed25519; - mode = "0600"; - }; - }; - - services.openssh.hostKeys = [{ - path = "/etc/devHostKey"; - type = "ed25519"; - }]; - - microvm = { - mem = pkgs.lib.mkForce 4096; - hypervisor = pkgs.lib.mkForce "qemu"; - socket = pkgs.lib.mkForce null; - shares = pkgs.lib.mkForce [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - }; - boot.isContainer = pkgs.lib.mkForce false; - users.users.root.password = ""; - fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs"; - services.getty.helpLine = '' - Log in as "root" with an empty 
password. - Use "reboot" to shut qemu down. - ''; - }] ++ pkgs.lib.optionals (! config ? microvm) [ - microvm.nixosModules.microvm - ]; - }).config.microvm.declaredRunner; - }) - { } - (builtins.attrNames self.nixosConfigurations); + run-vm = pkgs.writeShellScriptBin "run-vm" '' + usage() { + echo "Usage: run-vm [--networking] [--dummy-secrets]" + echo "ATTENTION: This script must be run from the flakes root directory" + echo "--networking setup interfaces. requires root and hostbridge enabled on the host" + echo "--dummy-secrets deploy dummy sops secrets" + exit 1 + } + + # check at least one arg was given + if [ "$#" -lt 1 ]; then + usage + fi + + HOSTNAME=$1 + + # Optionale Argumente + NETWORK=false + DUMMY_SECRETS=false + + # check argws + shift + while [[ "$#" -gt 0 ]]; do + case $1 in + --networking) NETWORK=true ;; + --dummy-secrets) DUMMY_SECRETS=true ;; + *) echo "Unknown argument: $1"; usage ;; + esac + shift + done + echo "starting host $HOSTNAME" + echo "enable networking: $NETWORK" + echo "deploy dummy secrets: $DUMMY_SECRETS" + + ${pkgs.nix}/bin/nix run --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS)" + ''; + }; apps = { docs = { @@ -156,9 +168,14 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems ${pkgs.mdbook}/bin/mdbook serve --open ./doc ''); }; + + run-vm = { + type = "app"; + program = self.packages.${system}.run-vm; + }; }; - })) // rec { + })) // { nixosConfigurations = import ./machines/configuration.nix (inputs // { inherit inputs; self = self; -- 2.51.2 From 4d477ce64823e3143d9445a56d3ca50afaf1718b Mon Sep 17 00:00:00 2001 From: kalipso Date: Mon, 20 Jan 2025 03:06:58 +0100 Subject: [PATCH 10/12] [run-vm] add flag to disable disko needed to run fanny as vm --- outputs.nix | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/outputs.nix b/outputs.nix index f431122..4e20afa 100644 --- a/outputs.nix 
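Review bot: `$HOSTNAME` is spliced verbatim into the `nix run --expr` string, so a value containing `"` or `${` breaks out of the Nix string literal and is evaluated as Nix code; since the same value also selects `./machines/${host}/dummy.yaml`, validate it right after `HOSTNAME=$1`, e.g. `[[ "$HOSTNAME" =~ ^[A-Za-z0-9_-]+$ ]] || usage`. `HOSTNAME` also shadows the variable bash initialises with the local machine name, so a name like `VM_HOST` would be less surprising. The `--networking` help line should warn that the VM joins the host bridge while `users.users.root.password = ""` from `vmMicroVMOverwrites` still applies, so it must only be bridged to a trusted lab network. The script hard-codes `vmBuilder.x86_64-linux` although the surrounding flake is built with `eachSystem`; `${system}` is in scope here and could be interpolated instead. `# Optionale Argumente` should be English like the rest of the file (`# optional arguments`).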
+++ b/outputs.nix @@ -34,7 +34,6 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems }]); }; - boot.initrd.network.ssh.enable = pkgs.lib.mkForce false; boot.isContainer = pkgs.lib.mkForce false; users.users.root.password = ""; fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs"; @@ -44,6 +43,16 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems ''; }; + vmDiskoOverwrites = { + boot.initrd = { + secrets = pkgs.lib.mkForce {}; + network.ssh.enable = pkgs.lib.mkForce false; + }; + + malobeo.disks.enable = pkgs.lib.mkForce false; + networking.hostId = "a3c3101f"; + }; + vmSopsOverwrites = host: { sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml; @@ -60,10 +69,11 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems }]; }; - buildVM = host: networking: sopsDummy: (self.nixosConfigurations.${host}.extendModules { + buildVM = host: networking: sopsDummy: disableDisko: (self.nixosConfigurations.${host}.extendModules { modules = [ (vmMicroVMOverwrites { withNetworking = networking; }) (if sopsDummy then (vmSopsOverwrites host) else {}) + (if disableDisko then vmDiskoOverwrites else {}) ] ++ pkgs.lib.optionals (! self.nixosConfigurations.${host}.config ? microvm) [ microvm.nixosModules.microvm ]; @@ -125,10 +135,11 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems run-vm = pkgs.writeShellScriptBin "run-vm" '' usage() { - echo "Usage: run-vm [--networking] [--dummy-secrets]" + echo "Usage: run-vm [--networking] [--dummy-secrets] [--no-disko]" echo "ATTENTION: This script must be run from the flakes root directory" echo "--networking setup interfaces. requires root and hostbridge enabled on the host" echo "--dummy-secrets deploy dummy sops secrets" + echo "--no-disko disable disko and initrd secrets. needed for actual hosts like fanny" exit 1 } 
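Review bot: Removing `boot.initrd.network.ssh.enable = pkgs.lib.mkForce false;` from `vmMicroVMOverwrites` and re-adding it only inside `vmDiskoOverwrites` means a plain `run-vm <host>` now inherits the host's initrd SSH configuration and, with it, whatever `boot.initrd.secrets` that host declares, which is exactly what `--no-disko` then has to clear. A test VM never needs remote unlock, so keep that line unconditional in `vmMicroVMOverwrites` and let `vmDiskoOverwrites` carry only `secrets = pkgs.lib.mkForce {};` plus the disk override. `networking.hostId = "a3c3101f";` is the only override here without `mkForce`; if a host already defines `hostId` at default priority the evaluation fails with a conflicting-definition error instead of taking the dummy value, so `pkgs.lib.mkForce` would be consistent with the rest. A why-comment is also missing; something like `# dummy hostId: some hosts require one (presumably zfs), the real id must not leave the host` would do, hedged since the reason is inferred.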
@@ -142,6 +153,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems # Optionale Argumente NETWORK=false DUMMY_SECRETS=false + NO_DISKO=false # check argws shift @@ -149,6 +161,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems case $1 in --networking) NETWORK=true ;; --dummy-secrets) DUMMY_SECRETS=true ;; + --no-disko) NO_DISKO=true ;; *) echo "Unknown argument: $1"; usage ;; esac shift @@ -156,8 +169,9 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems echo "starting host $HOSTNAME" echo "enable networking: $NETWORK" echo "deploy dummy secrets: $DUMMY_SECRETS" + echo "disable disko and initrd secrets: $NO_DISKO" - ${pkgs.nix}/bin/nix run --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS)" + ${pkgs.nix}/bin/nix run --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO)" ''; }; -- 2.51.2 From 7fee35d3d775d09b862a47aa7847cdbccedc2aec Mon Sep 17 00:00:00 2001 From: kalipso Date: Mon, 20 Jan 2025 12:10:31 +0100 Subject: [PATCH 11/12] [run-vm] allow sharing of /var/lib sharing /var somehow doesnt work. for example nginx fails because of lacking permissions to access /var/log/nginx. this also happens when run-vm is started as root. thats why only /var/lib is shared which still allows application persistency between tests --- outputs.nix | 45 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/outputs.nix b/outputs.nix index 4e20afa..a168398 100644 --- a/outputs.nix +++ b/outputs.nix 
@@ -20,13 +20,19 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems mem = pkgs.lib.mkForce 4096; hypervisor = pkgs.lib.mkForce "qemu"; socket = pkgs.lib.mkForce null; - shares = pkgs.lib.mkForce [ + shares = pkgs.lib.mkForce ([ { tag = "ro-store"; source = "/nix/store"; mountPoint = "/nix/.ro-store"; } - ]; + ] ++ pkgs.lib.optionals (options.varPath != "") [ + { + source = "${options.varPath}"; + mountPoint = "/var/lib"; + tag = "varlib"; + } + ]); interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ type = "user"; id = "eth0"; @@ -34,9 +40,16 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems }]); }; + fileSystems = { + "/".fsType = pkgs.lib.mkForce "tmpfs"; + "/var/lib" = pkgs.lib.mkIf (options.varPath != "") { + depends = [ "/var" ]; + }; + }; + boot.isContainer = pkgs.lib.mkForce false; + services.timesyncd.enable = false; users.users.root.password = ""; - fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs"; services.getty.helpLine = '' Log in as "root" with an empty password. Use "reboot" to shut qemu down. @@ -69,9 +82,9 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems }]; }; - buildVM = host: networking: sopsDummy: disableDisko: (self.nixosConfigurations.${host}.extendModules { + buildVM = host: networking: sopsDummy: disableDisko: varPath: (self.nixosConfigurations.${host}.extendModules { modules = [ - (vmMicroVMOverwrites { withNetworking = networking; }) + (vmMicroVMOverwrites { withNetworking = networking; varPath = "${varPath}"; }) (if sopsDummy then (vmSopsOverwrites host) else {}) (if disableDisko then vmDiskoOverwrites else {}) ] ++ pkgs.lib.optionals (! self.nixosConfigurations.${host}.config ? microvm) [ 
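Review bot: The `varlib` share gives the VM, which runs as root with an empty password per the `users.users.root.password = ""` context line, access to an arbitrary host directory, presumably read-write since no read-only flag is set, and nothing on the entry documents that; add `# host dir mounted as /var/lib inside the VM (writable): use a dedicated directory, never a real system path` above the `source` line. `source = "${options.varPath}";` is an identity interpolation and reads cleaner as `source = options.varPath;`. The empty string is used as the "no share" sentinel in two places but is only implied; state it at the top of `vmMicroVMOverwrites` (`# options.varPath: absolute host path shared as /var/lib, or "" for no share`), especially because the value is threaded through a shell script before it arrives here. `services.timesyncd.enable = false;` is the one override in this attrset without `mkForce`, which looks deliberate but deserves a one-line reason.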
@@ -138,8 +151,9 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems echo "Usage: run-vm [--networking] [--dummy-secrets] [--no-disko]" echo "ATTENTION: This script must be run from the flakes root directory" echo "--networking setup interfaces. requires root and hostbridge enabled on the host" - echo "--dummy-secrets deploy dummy sops secrets" - echo "--no-disko disable disko and initrd secrets. needed for actual hosts like fanny" + echo "--dummy-secrets run vm with dummy sops secrets" + echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny" + echo "--varlib path to directory that should be shared as /var/lib. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate" exit 1 } @@ -154,6 +168,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems NETWORK=false DUMMY_SECRETS=false NO_DISKO=false + VAR_PATH="" # check argws shift @@ -162,6 +177,15 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems --networking) NETWORK=true ;; --dummy-secrets) DUMMY_SECRETS=true ;; --no-disko) NO_DISKO=true ;; + --varlib) + if [[ -n "$2" && ! "$2" =~ ^- ]]; then + VAR_PATH="$2" + shift + else + echo "Error: --var requires a non-empty string argument." + usage + fi + ;; *) echo "Unknown argument: $1"; usage ;; esac shift 
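Review bot: The error branch under `--varlib` prints `--var requires a non-empty string argument.` although the flag is `--varlib`, and the usage line `Usage: run-vm [--networking] [--dummy-secrets] [--no-disko]` was not extended with `[--varlib DIR]`. The path is stored exactly as typed, so a relative `--varlib ./state` is resolved against whatever directory the qemu runner later uses (apparently the flake root given the ATTENTION line, but that is inferred); resolving it up front with `VAR_PATH="$(${pkgs.coreutils}/bin/realpath -m -- "$2")"` removes the ambiguity. The guard `! "$2" =~ ^-` rejects a legitimate directory whose name starts with `-` while accepting a nonexistent one; `[ -d "$2" ]` checks what actually matters, and since the help text says an empty directory is populated by the VM, creating it beforehand is all the user needs to do.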
@@ -170,8 +194,11 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems echo "enable networking: $NETWORK" echo "deploy dummy secrets: $DUMMY_SECRETS" echo "disable disko and initrd secrets: $NO_DISKO" + if [ -n "$VAR_PATH" ]; then + echo "sharing var directory: $VAR_PATH" + fi - ${pkgs.nix}/bin/nix run --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO)" + ${pkgs.nix}/bin/nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\")" ''; }; @@ -185,7 +212,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems run-vm = { type = "app"; - program = self.packages.${system}.run-vm; + program = "${self.packages.${system}.run-vm}/bin/run-vm"; }; }; -- 2.51.2 From b381173dad90c794c7d55e3010d5810962bf5d28 Mon Sep 17 00:00:00 2001 From: kalipso Date: Mon, 20 Jan 2025 12:27:05 +0100 Subject: [PATCH 12/12] [docs] add run-vm examples --- doc/src/anleitung/microvm.md | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/doc/src/anleitung/microvm.md b/doc/src/anleitung/microvm.md index 9856ed0..ad7ccee 100644 --- a/doc/src/anleitung/microvm.md +++ b/doc/src/anleitung/microvm.md 
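Review bot: `$VAR_PATH` and `$HOSTNAME` are interpolated verbatim into the `--expr` Nix string, so a path containing `"`, `\` or `${` either breaks evaluation or is evaluated as Nix code; the script already runs with `--impure`, so the clean alternative is to pass both through the environment and read them with `builtins.getEnv`, which needs no escaping at all. The call then becomes `VM_HOST="$HOSTNAME" VAR_PATH="$VAR_PATH" ${pkgs.nix}/bin/nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.${system} (builtins.getEnv \"VM_HOST\") $NETWORK $DUMMY_SECRETS $NO_DISKO (builtins.getEnv \"VAR_PATH\"))"`, which also replaces the hard-coded `x86_64-linux` with the flake's `${system}`. The three boolean variables are safe to splice only because the case statement above restricts them to `true`/`false`, which is worth a short comment so nobody later assigns them from user input.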
@@ -12,13 +12,31 @@ Use durruti as orientation: "10.0.0.5" is the IP assigned to its tap interface. ### Testing MicroVMs locally -MicroVMs can be built and run easily on your local host, but they are not persistent! -For durruti for example this is done by: +MicroVMs can be built and run easily on your localhost for development. +We provide the script ```run-vm``` to handle stuff like development (dummy) secrets, sharing directories, ect. easily. +Usage examples: ``` bash -nix run .\#durruti-vm +# run without args to get available options and usage info +run-vm + +# run nextcloud locally with dummy secrets +run-vm nextcloud --dummy-secrets + +# share a local folder as /var/lib dir so that nextcloud application data stays persistent between boots +mkdir /tmp/nextcloud +run-vm nextcloud --dummy-secrets --varlib /tmp/nextcloud + +# enable networking to provide connectivity between multiple vms +# for that the malobeo hostBridge must be enabled on your host +# this example deploys persistent grafana on overwatch and fetches metrics from infradocs +mkdir overwatch +run-vm overwatch --networking --varlib /tmp/overwatch +run-vm infradocs --networking ``` -### Testing persistent microvms + + +### Fully deploy microvms on local host In order to test persistent microvms locally we need to create them using the ```microvm``` command. This is necessary to be able to mount persistent /etc and /var volumes on those hosts. Do the following: -- 2.51.2