kalipso/infrastructure
1
1
Fork 1
Code Issues 42 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

secrets during local testing #61

Merged
kalipso merged 12 commits from sops-devkey into master 2025-01-20 12:45:45 +01:00
Conversation 0 Commits 12 Files Changed 11 +459 -117
11 changed files with 459 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
doc/src/anleitung/microvm.md
View File

@@ -12,13 +12,31 @@ Use durruti as orientation:
"10.0.0.5" is the IP assigned to its tap interface.
### Testing MicroVMs locally
MicroVMs can be built and run easily on your local host, but they are not persistent!
For durruti for example this is done by:
MicroVMs can be built and run easily on your localhost for development.
We provide the script ```run-vm``` to handle stuff like development (dummy) secrets, sharing directories, ect. easily.
Usage examples:
``` bash
nix run .\#durruti-vm
# run without args to get available options and usage info
run-vm
# run nextcloud locally with dummy secrets
run-vm nextcloud --dummy-secrets
# share a local folder as /var/lib dir so that nextcloud application data stays persistent between boots
mkdir /tmp/nextcloud
run-vm nextcloud --dummy-secrets --varlib /tmp/nextcloud
# enable networking to provide connectivity between multiple vms
# for that the malobeo hostBridge must be enabled on your host
# this example deploys persistent grafana on overwatch and fetches metrics from infradocs
mkdir overwatch
run-vm overwatch --networking --varlib /tmp/overwatch
run-vm infradocs --networking
```
### Testing persistent microvms
### Fully deploy microvms on local host
In order to test persistent microvms locally we need to create them using the ```microvm``` command.
This is necessary to be able to mount persistent /etc and /var volumes on those hosts.
Do the following:

11
machines/.sops.yaml
View File

@@ -11,7 +11,18 @@ keys:
- &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
- &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
- &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
#this dummy key is used for testing.
- &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
creation_rules:
#provide fake secrets in a dummy.yaml file for each host
- path_regex: '.*dummy\.yaml$'
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *machine_dummy
- *admin_atlan
- path_regex: moderatio/secrets/secrets.yaml$
key_groups:
- pgp:

3
machines/durruti/configuration.nix
View File

@@ -3,8 +3,6 @@
with lib;
{
sops.defaultSopsFile = ./secrets.yaml;
networking = {
hostName = mkDefault "durruti";
useDHCP = false;
@@ -20,7 +18,6 @@ with lib;
];
imports = [
inputs.ep3-bs.nixosModules.ep3-bs
inputs.tasklist.nixosModules.malobeo-tasklist
./documentation.nix

70
machines/durruti/secrets.yaml
View File

@@ -1,70 +0,0 @@
hello: ENC[AES256_GCM,data:MKKsvoFlHX6h4qazxcjl/RE1ZsK64G926k4hgFW3AkoJgXO1QXmTaRG7ZBgS8A==,iv:hoFbcNRkge24xJfLZJH651jB4NnXCjYAdTrirkans+4=,tag:68AyEHamlGxdmSJGkTGbsA==,type:str]
ep3bsDb: ENC[AES256_GCM,data:Z4ZYRaV/eCkaW5Ma+88hbl1o8qsI7PANrIHXoLdIOqIGFLPt7dw=,iv:BCVM+PeGm2NRcvBBy0kId1iVOD/uoiVKKBDA03p0QFM=,tag:CMypO3RLOhvHdVG5YvWewg==,type:str]
ep3bsMail: ENC[AES256_GCM,data:rZhRb/+gs0Lm8Gdi2P2FMe15A344b88TRg==,iv:hEIG2CBcMslg3hmH3ST3bu6tmes01jncQ3V7h5KcuhA=,tag:XAHdMAlVZNyMdp4TznWDQQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEay9wZGM5elhUd2RqVFdJ
aHFhRVNiY0lzZEZzSkVvcVlMT1FmMXN4YzNrCkE3SnprNUJ6Ty9hUGZhbzNEVit4
THpoUnMyNmQ2Q3Z0SlR6cDFzeE9BaDAKLS0tIHFpbFJadTdtb2s2T2hmMWFBTlBV
azZzNXBTRVFoUGtJaGpPdzlDNVpYcjAKd/9v8gn3jbMEK+UPipI8cIufCoWwWfS/
kI9zLws/jtjhRZLNHJaXWz7CjAEwKA+6NOQA3pwZaeS1QKwSmeRdZA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc1o2eTlFc1l4YjVOUHdM
S1F2RG9PQWwyd2VYSmJmVzE4cWNSSEt5WUJZCjlwaWNJWFNHNnZkUVBwdVJUbVNi
WjdYZ2dENVIydWw4WHJmckF0ZjRLWXMKLS0tIDRsNXNSRnZkVzFkSHpDSWgrSEhv
bjBqRlYzcGIvNzhLbjdUbmFhMkU2RXMKsgkwNqQeP40boqriANQg13YKKwMz9iTZ
Vw1wYVeQmo4En7c4yAztqBriVoTNsbWkkvGw0P4z37B+6ll8kdEMSQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-26T10:07:26Z"
mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
pgp:
- created_at: "2024-12-19T15:09:01Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv+K+G7MhXO0RlQENydEstPcMV5vAgkzL06kiN3wXpeOPmj
2gwdNcbOLtcXV8a4mH6xGZPkKOV8xjkybp7Myicll6YDs+4Uw3qRTUmCyZ0BC2Wc
WDrTMz/lCx1gZGVa99KgHaLmALhZbEO/R08qW52Xkwmcvg1GdM22RtB12L+c8JPB
+RR/pLR4UCTfN21uS2CJ33bJnAayfi+s/maGYsElZkH/zoPtDBxF/ntk7g/xeN13
Jymg1Ofmjm8JT0FPe8RE7Er/qXlxsG46GVj964chCtljz3NgL76tgC207E8CLUJq
rVqGKU0PO6h924uNmVON+JI1CeyCsjejsFOGaS8kOEAwEgCoeICqiqkTbtUCU21K
4C7J3mFwhAL+F2IueOY8NZxEV4tMJoY6JZ8c8wtM4Gl6JePlkFRX8LhuO/Bw2VJ9
cuGlkIIg3pA94U6Hql7LwLZbIkquI7SWGx7IHOhk/4qtCUlEn4t40JdN4PbA0bz2
Cde3+6zFOkX0m1BXkj4f0lgBIOfcPsXmY8ho4isVd9+v7arbE2WSZ6IBG75cx0a1
4LYx3QWTLlujiDIc5arhBgpB2ceO8lFTARnoLLqG6y1T+w6UNoVHQZ4n987SpWkk
EKQxUDnO8Nvb
=1PHB
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2024-12-19T15:09:01Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUARAAhfUKm9iR11pU0U44IDfwa7NRRurim8GOPX4FWwJJORNL
q85xGM0jA/k8JRsOdsjfHb4/khHtG8cl+t09nEBxTeeb7mKdiOXfsxrvHEf6qeUw
F/DQGoaxk+ISXW4iMcV0CPYciLb7kSHCqVFovmmTGlI9fMXryKl3UpP/nzzz9Zk2
5cXLmbQqeQVsp17Dw5x7rglkTlx8+W7Z1tDHlHrycxzh6LYpJ7QX54EHM8JgMjw/
WREO0qnJMt6C0qp8e3KWhYhMHIidM3WexJR9ixBICxevy0QwvNult0ryOZMc+nTY
48sXxCTebnLspiFBS5OsagGxNgwMixydfKv0ci8E7FyB84jwq7XriiQRzYfzU/6L
wEPapKrXno0F7wyiiesl/HKdLkOujFIhAl7P1ZNHQLcDuzDCqSo2xd7dbUsbPLcR
BUNcfc0VK3TEJks1lXkO5C1PeYEy+NgsJnEQ2lrnAbmKDxpH6qOA2KSGh12uZnHp
7kk/hRclVnygkcQc6j71eOyprQms2VjU6fVy2dED+ucjvogrceWWSUkuP6GQEqZV
bPhLxpMMw6cIWcTLZIEqLRQv9EqibIFEohkUh9A2TL7XxPb6MEhsRXKTsmMqzdiH
/xUwxH3w0w8CrEheVvxGxQi7B4XWC9jHGN+KvJGisrLeGpl/wJ8NKcqOSasB4fLS
WAHQxsAnNtNj5rV/BQJHr8lvX+ebJkMpCEBmIdQUeX4WVegr3HkDF34EWoqVfzV2
T0ZUaCXNI+tdmvJji9MPd1ZFrTgF5XuFjQxMP1uPI6gannH9InvBXvY=
=5AlZ
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.8.1

68
machines/fanny/dummy.yaml Normal file
View File

@@ -0,0 +1,68 @@
wg_private: ENC[AES256_GCM,data:YEmIfgtyHE9msYijva0Ye2w7shVmYBPZ3mcKRF7Cy20xa6yHEUQ0kC2OWnM=,iv:ouK6fHcrxrEtsmiPmtCz9Ca8Ec1algOifrgZSBNHi74=,tag:524e/SQt++hwVyeWruCsLg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIVnB0dDdQT0tNSUJDSlhx
QVFoVTZlb01MbVBwM2V2MGdGZFJTWm1FTW5nCkN5V0Y5MEp4K2FiU0xNVlRQM2xN
SFJEWFFwTGhQWWwzNjlFN3NiakNBMnMKLS0tIE9MRHdnVHVYTG5rR1lGazdlK0Nv
cmZiN0R5OW9vaitZb0JIa2srdmNMRjAKYlL4e8hfB0YuVNLM65yyvvCKl6EAF6E5
YkAidAO5MY/wo1SDFQMeDub0Uso1QuNexYUZt7kzotvuPOzgywUORA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZ25EdmdWVjAwWGhiVDRa
cU9saUxnSXVDN0NodzI3aXMrTDZRc1FOUUJZCmh6V3lhS1FER2lyMzk5eU1XbXVh
b3JFQ05GdEZTNVFTdFJjN3dTN2xBaXMKLS0tIG15YlVvVHZ5c2pYVmZCaktwRXFx
NjJ5cFdTVS9NZmVWMjcrcHo2WDZEZDgKiDwkuUn90cDmidwYGZBb5qp+4R1HafV0
vMQfjT9GrwB5K/O1GumOmvbzLNhvO2vRZJhfVHzyHLzQK64abQgF5Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-19T22:46:09Z"
mac: ENC[AES256_GCM,data:eU3SIqAGrgbO2tz4zH1tgYcif7oe5j+/wmdYl2xXXI+D6IhiKrTJGvzE3rd3ElEpb+Bg0UQId952U2Ut0yPTfxGLtdlbJA66CmhLAksByoJ8lOXUcp/qDyA4yMRSuwYG2v7uF2crvue9fyRfZ7hl7abE/Q7Z2UjOKqhSZC5cO3U=,iv:NmCVvtBWZRzhpr5nMLy+98VuQZWoUms7xFSxq8PMvBA=,tag:UWjA7oqoNWh4wb0myNg7FA==,type:str]
pgp:
- created_at: "2025-01-19T22:45:26Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv/fLoi/LsDTN6tDdw0rWQg1iG/6oFFxcYO44XU2vCd13Ql
okvR1ZtvXtnM/FwTboK2KjxahkuAbapXXEvfWJ2W+d2L38aYxCPe/ryQhjrUP/jJ
4IjFSa5R6oWca9i5Apue5In71ACzGCF/v2oyNAF4fSDX7Q+YKOMiwaDatfOAKp5v
JlkcfIq6WBR+gKZsTCfLunURNJoKu7jz35OUJDmzyZl9u/xV0ENveQxaKa3hj87s
hb7RGXqph6WWhigy+rtTqYQNjycRDHuspb2GgGE5N7OYteZo/XxA3tDz2EWVCYx+
g8aEEvxHK3qEIcWbgmbKXNPNSH/CG1XQFaUhdSnkg5lMJsBuYToeNsPTS0o866k1
wmoiI3nT2KtnV2SeR3UUMNDqSDl5unLgBCrbDi0m3Sqt9ubjCfuOYN2T19WvAMZx
CwB33mVAevPy4Qs5IjPad1WtiaUFulkfJFd1iCM9dhA0RDxbIJRaVGCjqnaE4lW4
yP25uKoEUSitgr5nLk000lgBQBkE3obMFZ+DPoNaqupremevGJ71LyjJhXwgzQvk
7pwQXBZWybBFFcH7wDurSIJMqE1KP24Krshm7aR9yVNd3mEz7v2T5pbUywTP8H1I
TkFpiaZ7OG8G
=VXoo
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-01-19T22:45:26Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUARAAmhiwA8S+wZ0wiyIJwmRyLMWj3Xm95dTnEoeZmJ2I3O4g
0szCKLdW8eUWrjZML09ByPYXQINkuyUR+g72+/ALEr9F587GxWDdMwcwLSlIYlX0
3GwnJ7ACv/uTZjK24AXno3TkffPQy+rRQwXkpmUz7CMCeH/WRmVtf1LFUuxgbcrj
Kmx9x52dn+ae5JOeMkEu4t8lAtI1pv1JRPnm6RIqK2N7VBRGjiD9SiyJiwLqV2GN
7N+vepFhbBKPzt+CFpnPWnFePb+TtQmAdJVULedlFPLcJGsPMloEXSuunK2eKveB
Vj1NO80i8PEVup02IlEabp+H7eYV8wZOviAJ7HGVhpw6kxD1tqO98KeSFfhuqbul
ijaeF2COgf9lioR6Y8T+RhTqeEZK85U/OGXgiM7MdTdYQV9BrY5nR5XSYIrK6zl9
TlS24DdM/Sd2939o+wdtgpm0FNQjW3WwA3n2QE/rqjQ6z2pyCTH16yRalAgHKNk/
B3uDGxIO5ua6xZwPzFrOB7uKggB8W/lx1eyAT53Lv7MTRp9PW6mm+NoVkNIzmCYa
5G2Y/bluKRt39O6UuSVrN8YLcyYCC+xYUfQf4Lr6/CwZ/XbgMTYm29+IgkOkgoS0
UxPcmXUgxi98lu5IhdIwWTNtaWEvT9adwmd3bxebWgDmUvK5QxAc7BYUnGIe+C7S
WAHA1m5OEQrNFLKGTSha/K20cDAoV2f4IAykRRWD3zieBAP3rzsIv78mgrMBIWP6
z1L41UXlBToKfcw8TI9XKIlYId/asI7mR+bqT3oLSdni8qr32VpRjZ0=
=MPBp
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2

70
machines/lucia/dummy.yaml Normal file
View File

@@ -0,0 +1,70 @@
hello: ENC[AES256_GCM,data:ehp7eckur8THsbnSUcFYobA2SVDORUpqBcPTWC6/EvunlZbihaJoDoSfSh4Itg==,iv:nEHRg9TfYVdmJgrBs62Tek/3JhwFz8BMKHph4ThUqA8=,tag:1h2DSiOk4khxhRc7YX9ljg==,type:str]
njala_api_key: ENC[AES256_GCM,data:vGH79aN2m1rZ0278ydoCQ0U5393HL0AZlajTVWcRbD+/V7QREN7ROW2LrdVK95I0cxobmJQ=,iv:vMpFTwWkC0R1/J9fZaks7c0G1Vj64/ryRkN5EgpWCdU=,tag:g2MJADBrJYTbmj2bhUQ8UA==,type:str]
wireguard_private: ENC[AES256_GCM,data:T4c0qdFZdrwRU9i+nzAdg4ePEVXyeG4e/zNyn8G9Kd//Fwu1woNhQiyDuAo=,iv:VGPCSeU+RqjUdUlLA+RaCXQZK6AMdE4BwOdxM3whwaM=,tag:pXOwj3zxuFRpv2TInjISuw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArU0lpUjBadHc2c1lPMUtv
dmtqRTd0OEd6TnJrQjJaaFFaMjQ0MWlONEJZClBrdVNMb2xhK2RXRzlmN2dmTzZk
SStWSzVGbWdqNEFpMnc3RFdpYWNEcTQKLS0tIDY0SlBvcmJ5RjFKTHQyN3lpSEZ2
Z3hTOHN2VWVPMENVS1YzR0Z6Y0MxZmMKf0K43yWL7DE15wqEWb6Z0xsQ3nb1Ybyi
0gKxb3hTeoWJnJug3hWyeAJvAJ4pzaA5v8PonnSIJK4UxBUnr+5nGw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIa0pnOGFlYU5OenJvWGhl
TjFhU0NyWmprRDY3ZWIrRHdmSVBMS3pER3dZCmVQdlVYQ0pFRTBwZXQ1Z1V5ODVK
dkREdEpsYk1MMm5kZU1hUEJYRWZDVjAKLS0tIHdsUjJTaURjaGErclJadTF0clhh
aStSbDZ6NWtFZ2NrNHY1a29DTmo4bGcKfZZjFA2j5RgMf0crK8TV67iVizzmXvBR
6tePJuCePnNDOoZ7WV5YThxYOPSTI1QvfEvcC1qo7l3Kca9jdkkfbQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-19T22:46:57Z"
mac: ENC[AES256_GCM,data:GIRj11bDZi38RobJvGoOf5geN42gaGk3294EvB21M/Y+lAsDOUUUbU1fQbBPRUsYvA/lyuHMQWRORTdy0LdjN9ejzwcuev8+j4i6A1zwPSmjIL2+Jp2pBqQj0F6th27hECJlh0wK3vU/aNcccRJP9kEgRME+7FS5uYw9r+ZPJWk=,iv:CUgdVr1b3O4niYTSFokA9uWR3ceiU+6qo+3N+K1BZ3Q=,tag:AERU8MZWHqVsZ+zbT27WIg==,type:str]
pgp:
- created_at: "2025-01-19T22:46:34Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQwAqm3KeXNDFMwVoz9qIIqtNHR+KIcdvdRTlG0GA5BEBiHp
hSGkyK/Ni3GGX0WYU5Cf85Id/eEoxqDqDd9kX6MSZK3LBnH+hFy4JiSPENVpmwfQ
eONaMwdfwI+/5ZfquVj/AApTXZ8ENhdBzLTuAfIa2hGPDwwkajzkVIg18TZOvKG6
f2wiEpnSOVHKnPcGhI1dGxN9TqqN74IUoPhThRzQ79l9RcTEZVClos9IPOhaPfk0
TvcBQez3G5Mn8W+s7kg4rl7g6XRZqjcaOuNwopB0x+Dx+alZExsTR6A+1Gf+29a+
ELwQYg2mkKUi48vrcKXxz+OMhW7V7wuXQIjLP4jULc7LI3ShRP8z4QKy7asOVRBh
XPjxRJ2RcTtEHYUoW3guzoZGSiPW/ex2fcupwaSRDG2GQ/ImiB5dmXSaG2va1MbX
z93Ej7Gy2IURglWCK29v4mJiqtDzq8/GNztT7zezHxyUAjjuJ59qXzFF/MQPibxY
p3dTfkNNrTqrCQnrFa8k0lgBtKmvz/HO3eCguXVMNgOt+BmfZbJqq+AD8HKYNxaM
W0A+9WRmYXcOEUqfaoX9IE9LhgqDd/xgpW4CujUZrXRYgf4IokSm/MFAD/ZnoxKm
n2My3wf5PCNd
=oUOe
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-01-19T22:46:34Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUAQ/9HD1muIaf8us6XE5hGfrXuy5axFeJNBtc8igo/OP3jCam
M2pjwDNIX3EjsgrK2WYo43Xt7aHW5bqnP+d1faLXJ3I0cMia3XxSLmaKswQRrBSi
P00ew43kBSx0Smwixf5zCSCzBpWrtOXI8monO8xYLtRnSpfKBf/4kc2gQiuAxByd
fxdE/x1et0XXiK038KgHMnYdOIvMTGcpymoSDHk0bDw+ruBqG93cmzOkT4Oc5CsF
oeFN83ku1cGFQr58hUhJ1q5eUTK/lDEVYElGJ2n0pGxThYyrUz3SIzZu3Jbxgs/Q
2Xok4KsNPEbY2VKz/d3nrwbg2S3VF/CHl9sKxoFK8g3WcEE+HO7BFqvz901H+aUJ
5mN7stKSs5pViDHusv3Kv2+eT2fPJ4lPU2IEvXkCt3jjB/G0UDz+t6Qn1Wr8PPcO
8u+QafpILgYTK7QOF88GYstq8iWOWHlN9VKFYfqHMGWkrMtnGRWCbXsNmg7lKh6D
MtdvROsESVDKtydZwBpoQ4ILLROhkoL+eOMzFOgc/i4PWFlva2RBuRnZQNlieq/R
9aYpGsZbD+YYGjQKhlwwakpWK5XOoqqSh6Fv6Qzonu2Y++Zf9c9zpe+LINlUhxEY
AA1YnxbqvVJCqoBuq5avAd0fivhFDes0OmR7jLZzluotgwUePwBOVGo5l2ow/03S
WAGO2443OWOfbmTi/mq1C/8It1WAkC70XSQbff9pHLd4pRA6XgjMXbJ8+5X0FXRM
H5nWOAaO4Dp6SnccT3Q9zytkm+lXdJL6Rou3PkmP4JBvU535bNv5a3k=
=732R
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2

68
machines/nextcloud/dummy.yaml Normal file
View File

@@ -0,0 +1,68 @@
nextcloudAdminPass: ENC[AES256_GCM,data:4GvCg7g=,iv:3m2Vh86WzrVR7BG0xlNwRE9ebIGLWbVdcxoYC9x7dXo=,tag:t2bWTVlw9rHSVnkXW8ZTFQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbTYrcUV3Wk0xSDM1Mm0w
TkoxZHBFUXFBSC80YzkwV3paWGpRaFY2WndZClh1c0xmNWpWMjFXOS9OYU9OU2Mx
c3NEREczaDkvNC90eERwb0RKUlNZemsKLS0tIEp1VWZISXZoWFNuRC9mVE1JUmc3
bUNFd2dyRGludFQ3MzdiRzFTcXUwWlkKFGd8Uvfu2W1LejgQFpF162JnVmfPxAuX
IQ3oopYXUBM3QqCXGLTY3DBffD4WZ4AXyGLsfUtwn3kcvjQ85ewidw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraEtDblNxMGY0NlhzcDdM
RFo2VGI1UFE4eVdZdDZ5ZTNKRUFCRWFHOWdBCkRBaGk2WmYxK2ovbHQrSGl3akVp
TUhxck83Q1NVQy9VU0lXOEVraGtOZ1UKLS0tIDYxS0hHSW1nZW9hOTFJNCtheU1x
ZXk2b1RVd1FoYk4xTGxKQ1cxZmVJalkKkC5XckyrgwfqaeVq+OjNCzAtKKiCf7Q9
sC9ZMlPoOAm8xpLEpWgNooOBa04YsDEe9XgN8S0HrVxt/NHlnS5+ow==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-19T22:23:37Z"
mac: ENC[AES256_GCM,data:ZVMA4qgliSASQ0LtuedU4pybVwJA0x4vdSlOspsTF22s9DjRbG2tA7PpxTqDBGliBqS4w5J6Rqp3OSF7zddZ23GOz72sOZv0WY5YGeYxIltT7RWSMRkhkwXoM8Pf3BOYCZ4Gy8zaMVnbwbhHZ9LZI6wulh19SDKBV965moUW+Z0=,iv:tmz8C1kGUZq8gfzTHoaU/8RfrT5ohLqA11H42l7TEv0=,tag:E3AV6t2bbKASeVI2G3kNYA==,type:str]
pgp:
- created_at: "2025-01-19T22:23:26Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQwAsbbUEzSg7iETqT40w/+qjJ+iuHUeeZ+NFMPVVedbLuZX
/gPPSJ3JSx3wxJke+QPX/OUiRxXwGBZ5yg7CDoc+RrrdaavazuOUGISL38KPQiin
TmUq4nY6nWjMqHPSaQ+NiGxRpIErCQCUx6YEdi4YgHhf9J4KEg0f7ueR5wWlfzx4
c7pXkEubFpPy4v45mh8sYXOQTa2yt2keprJ6iqmfL/HKnCJf1TBFxJAvwnPuKDfe
npvE4Pk5hcoKjFQNsqpnz7Etc8XfAYXSCXSLKfSaZNSeXQRhE1lHLH9OPnC46li7
Dw6SPW0/4MTJrg08JvrNeogQ1QohLT4mkfAnASVUUeGFaF7UhztVoodqMsG8kuhD
LtmYv625h3j/QqshpFPGe8nJG1DziE4YHngxvgToIC+6+Q2x47ciulpimlpt6b6w
s+mGEVlJLSoJMd9jwE53PMXteBYKWgSEL7osj1V5KIJDFSgwfjYEngCkuyxjf8e3
uYxb1WEadSyLhW8xnoyE0lYB6WI8m6j2Ls9TFG7kKtQqrnVSZd2nsKk/5wPVIAXO
nrMtb4Q88PLM1eusiLgCs592owKHoWVYqBRpi79EBlnGZwmTfDQzTsQlL7aQCbIo
kBI1swNH3g==
=K/IK
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-01-19T22:23:26Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUAQ/7BGOQn8xVX9IOFHnUXKdiw/+fcXHu0L7CLuhcEfpZRJNI
vIbztLTH5gT59SkS07cIEcYWqERO+gjK6pZLCxmYO/c15YDWCv1PtS4YHZAET+ow
YHzBTZDq2k+pV/cTbUtJgGYOxuqkqUtflyGZSQM+NjSXu4In83u+nwkEaKSxcaWt
q9rrYVkBUiika2FYtyehoCoDuyJzNmfGhZ9CPJaUzrSzuRLQZy6Hdg8TDPTzGqi4
awo53eOdsEpNu1AQ5rnJ19RFLU63IQlwEnApnXZZ+AX8J2//KgLOcAqjo5skJuN1
EJBh4DjfmOdCCN3uRccNiDn9YYrPP5Jl3jfnkMUQ2gVEE/c5ib84hvjc+y9Eh1jJ
s2JqhfX+ccV5kuva1q1CuTUCHQVEKahJAvghl77JQjtUY6Lf+5QLeKbchUnwxaIN
v6MwZmdCwBJOS40SnA+Ft2g9psho4MIPXtu4DR4t5VWvhrmw2cl7TCffQslWETxE
267PHQegcO40skEOYwkLSv7PWycL3YUg/EfPuElAobqlM45UQA/lcC5seV0WvEPB
Lj+Pk8stY3LZ5wpblmmA72PyJhTq7ghsPvxlyRByHIS8v94gu5Zasbi63WGmxgPA
mt/M/HIQEf2XOOKuJnGJ3yDwLTAHAgFa0jlIgvt4gkuhm5ibcHLmedBh4ecRNfDS
VgFA4UwqUKN1XYTWOvT1vlxE9UE+dgVO0QNMX8yw1ivmL2eyPUk8HtIpKbuDLFIC
iKwHMtUIW/q7UPmfKLRbDumimG/290GXxN24ouiN8AR0dCXK9oor
=EsRn
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2

7
machines/secrets/devkey_ed25519 Normal file
View File

@@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwgAAAJgdrbX3Ha21
9wAAAAtzc2gtZWQyNTUxOQAAACBpnsgZCWwvETJKoZf7QFKCLaUnj8hioci+SewK8cUUwg
AAAECaQfylNoG/uN8fozvq3loBLWQ3gIKPOGnZpwyHUlAMO2meyBkJbC8RMkqhl/tAUoIt
pSePyGKhyL5J7ArxxRTCAAAADmthbGlwc29AY2VsaW5lAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----

1
machines/secrets/devkey_ed25519.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmeyBkJbC8RMkqhl/tAUoItpSePyGKhyL5J7ArxxRTC kalipso@celine

68
machines/vpn/dummy.yaml Normal file
View File

@@ -0,0 +1,68 @@
wg_private: ENC[AES256_GCM,data:s+dZfKCfrdZnFKhmCl7u1LRzR5dMflJumh1uVQ5Dktb5teohxDo0zlOR7KE=,iv:N9WSEzGonWNkqix8yaImhvrxpcAEJraWEcTrXORASow=,tag:pKgOmtKJ933FEKZVDHCWWQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMFk2bzE3OG9VR0VqOTIz
UEQySS9SUnRmMDFqVTg1dks3WTZvbE13VGxVCitHVE1SVlBlYkZwejNlWWNMTVhF
M2EzSFRmS3lFd1VPMHRpMjhtMVgyVDQKLS0tIGJObk1kcWlaeUhveHdrY1BEQkh4
WTJua1FvNFFtMDFGWE9ZaW9wWFoxcncKlYHjkzlUj+rBPmXK/jj9XCUoGrQ4vBXH
ZTItzrbCI30juPjy6dJ0ffZF2ILvJLUdwurz4lZFybNuUjhE2sAY+A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5S1dhZUVpT3NMaGR4eEhV
dUxvUGVvMUtPbWhEQnpJd3Y1YTBYbm1QMTBVCmpQbkhvM3VWV2MvcmY2RVhVOWdy
MVZxK201bmcwVHlwUlFnb0p5eGFNNGsKLS0tIDlrc1ErS0NiRUJ0UFZnNHNNSk9m
U2xLQVhoS2NxNUVvcGZBYW9VVkZNOUEKeCpijhxpkAxCB9/iIQmek03mj7b14sqs
CuGKgoeq7C6eG1PK3I8MzGplQMyCpEFQ+33KMj0vGwktpv/eVzC8/w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-19T22:47:26Z"
mac: ENC[AES256_GCM,data:DiriXLPnm+08q1Jp1YxjEdsJzFiewQxgu1JDdevo9aGdkq92Xu8cnSxLzWUkh8bEDx4uhjOXvZd3PSU9rWiTh899U3Ou99NiSOgR1+wr5ouR20viCZqIe86YqoZlLJnYs2dlZDhL+ggwFqYJ5wfWbq7OauIVEEdnM/57RyNI2qM=,iv:lwOJi4pVGGHn7+CGq7jAHorOTFtl7ONzzV35ec1uEsg=,tag:DhjloWlsGqM579NafaERIw==,type:str]
pgp:
- created_at: "2025-01-19T21:35:34Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQwAoO2gRS+Vwu+5KZ4V2ReXPcjFcEUb6aoYe8PNUhjBu0yE
hs4lhWGy53BdupQ+cyxk0U+L6UhOjTfIAYE9emqTDlF5OImN/379j9NfiPe/K0/8
ylSOuzNgVmTpsXlHGaXE2wk0ADp1P9mZUwbJ5vHCtm+ZFe5HCuTrB61drIU0fEYw
NVCaARK/IRn5eAlPCjPuW1mhKP+3HNGMQszqCRKMU5kLZPzjqsHmEITSFJ5bVtAu
fLRtF8SyJpHgvyw1AH1IX6I+/lrDRQro0oD/0LcC1Nay9n86WIWhA/VbotyFCkI2
gZtV0IQq05mxO11DycgxlDLQk6nqiqDDjWv/8kj23HnQ3BAO6SXLKhHWq9rH8EOX
wkee7RHc09GWNcGL93YMkjIHWJyitphpU/NtTmEpTptzry5vPfittPaZ+zU+MF8G
REyft2X9Aj7UWcL1w3kbX9BDWuxImcirWWCShHakSrzAlpuIoXVQA6MCl6/Jr2Ve
lLx3lDX+BiSpU01zY32q0lgBOGcSEcRVXTiYO00EoJbIiEMwqm1aAXQzaCvhCCpP
54NsNzZ4eoGL0DmioKwzLbv1CpIJs3w0k6StfOtTCPKdlL99k24Z8GyJ44UnkhCe
V32jGc/yCong
=OZSD
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-01-19T21:35:34Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUARAAhnd9Z1gekp4XWw+gcWK5j9mXWP7XS/FGNXmmCUBKec1j
zXzMJjG1YZyCYmqj3XGFMFwg2Ex6pBPoOTzOL2VOGd9mZvHjh0MGtuUopg1GprE7
NoyrYlV2UikyBSzVlsvykyNCYWfEt0uDotnGIK0NXYzfWfqgw+ImAH/PvNRY4nIB
wxI/Ze100ITAN7Dop9d6MFUZbrYKZTMsO8w5Z7TWHRPzFWH//XZjY7UpxvNVP1oJ
RXqqo2I97P0c6H7s17+xw6ZjyE0Qoin1gq4XSMHc4l8o+3D7fWecoTLxcjma5gvY
SMVCYeSrI2kc8DJ2RVeXdDlEP7SS3bwPNaE4Tklxv1rE+CUuYQ1X6dkPVKnKLfRS
Lwy614LDAarZmvXc3jPgFkpG+grE80PAStzOze0eWyZA/oCAI3/CS+yaeBAI4viz
UEkNmCMTZu1eXyIurC/suTOdq4nehGlD/2F8EKU+Y/6f6J2wHUJdvLjNxOuAOHd0
lGSu61gt/b2PFy/aHqFgQaZCPUMJ8UfK8JQ66zOIUW3HzsXOsvVqo/8DMQRIw7/z
3tZ43LPjmIeCRFwPfbIbeThoZmq1SPejkzadxDEwD3U0YAiblBJ2E+AyEDiKqP/N
D+NRN5Ta0ySAmGOyYgDES8QDDBQGA4cSZak7pMidCrSbAagNyYNg3Qrowc0aG93S
WAFD/Q4EtOdM6kveLdbDkPX/bAiCFwhzSCtDVkLAPxfrkw/a+az6emPWmImML5FT
to3vvXendrd9+u6uSNK5acuwzW2cW8GM4gLC90+p/kRFJukiGJbl400=
=6Gw4
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2

184
outputs.nix
View File

@@ -14,6 +14,83 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
let
pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}";
pkgs = nixpkgs.legacyPackages."${system}";
vmMicroVMOverwrites = options: {
microvm = {
mem = pkgs.lib.mkForce 4096;
hypervisor = pkgs.lib.mkForce "qemu";
socket = pkgs.lib.mkForce null;
shares = pkgs.lib.mkForce ([
{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
] ++ pkgs.lib.optionals (options.varPath != "") [
{
source = "${options.varPath}";
mountPoint = "/var/lib";
tag = "varlib";
}
]);
interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
type = "user";
id = "eth0";
mac = "02:23:de:ad:be:ef";
}]);
};
fileSystems = {
"/".fsType = pkgs.lib.mkForce "tmpfs";
"/var/lib" = pkgs.lib.mkIf (options.varPath != "") {
depends = [ "/var" ];
};
};
boot.isContainer = pkgs.lib.mkForce false;
services.timesyncd.enable = false;
users.users.root.password = "";
services.getty.helpLine = ''
Log in as "root" with an empty password.
Use "reboot" to shut qemu down.
'';
};
vmDiskoOverwrites = {
boot.initrd = {
secrets = pkgs.lib.mkForce {};
network.ssh.enable = pkgs.lib.mkForce false;
};
malobeo.disks.enable = pkgs.lib.mkForce false;
networking.hostId = "a3c3101f";
};
vmSopsOverwrites = host: {
sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml;
environment.etc = {
devHostKey = {
source = ./machines/secrets/devkey_ed25519;
mode = "0600";
};
};
services.openssh.hostKeys = [{
path = "/etc/devHostKey";
type = "ed25519";
}];
};
buildVM = host: networking: sopsDummy: disableDisko: varPath: (self.nixosConfigurations.${host}.extendModules {
modules = [
(vmMicroVMOverwrites { withNetworking = networking; varPath = "${varPath}"; })
(if sopsDummy then (vmSopsOverwrites host) else {})
(if disableDisko then vmDiskoOverwrites else {})
] ++ pkgs.lib.optionals (! self.nixosConfigurations.${host}.config ? microvm) [
microvm.nixosModules.microvm
];
}).config.microvm.declaredRunner;
in
{
devShells.default =
@@ -38,13 +115,19 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
pkgs.mdbook
microvmpkg.microvm
];
packages = builtins.map (pkgName: self.legacyPackages."${pkgs.system}".scripts.${pkgName}) installed;
shellHook = ''echo "Available scripts: ${builtins.concatStringsSep " " installed}"'';
};
legacyPackages = {
scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
scripts.run-vm = self.packages.${system}.run-vm;
};
vmBuilder = buildVM;
packages = {
docs = pkgs.stdenv.mkDerivation {
name = "malobeo-docs";
@@ -62,46 +145,62 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
cp -r ./book/* $dest
'';
};
} //
builtins.foldl'
(result: host:
let
inherit (self.nixosConfigurations.${host}) config;
in
result // {
# boot any machine in a microvm
"${host}-vm" = (self.nixosConfigurations.${host}.extendModules {
modules = [{
microvm = {
mem = pkgs.lib.mkForce 4096;
hypervisor = pkgs.lib.mkForce "qemu";
socket = pkgs.lib.mkForce null;
shares = pkgs.lib.mkForce [{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}];
interfaces = pkgs.lib.mkForce [{
type = "user";
id = "eth0";
mac = "02:23:de:ad:be:ef";
}];
};
boot.isContainer = pkgs.lib.mkForce false;
users.users.root.password = "";
fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs";
services.getty.helpLine = ''
Log in as "root" with an empty password.
Use "reboot" to shut qemu down.
'';
}] ++ pkgs.lib.optionals (! config ? microvm) [
microvm.nixosModules.microvm
];
}).config.microvm.declaredRunner;
})
{ }
(builtins.attrNames self.nixosConfigurations);
run-vm = pkgs.writeShellScriptBin "run-vm" ''
usage() {
echo "Usage: run-vm <hostname> [--networking] [--dummy-secrets] [--no-disko]"
echo "ATTENTION: This script must be run from the flakes root directory"
echo "--networking setup interfaces. requires root and hostbridge enabled on the host"
echo "--dummy-secrets run vm with dummy sops secrets"
echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
echo "--varlib path to directory that should be shared as /var/lib. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
exit 1
}
# check at least one arg was given
if [ "$#" -lt 1 ]; then
usage
fi
HOSTNAME=$1
# Optionale Argumente
NETWORK=false
DUMMY_SECRETS=false
NO_DISKO=false
VAR_PATH=""
# check argws
shift
while [[ "$#" -gt 0 ]]; do
case $1 in
--networking) NETWORK=true ;;
--dummy-secrets) DUMMY_SECRETS=true ;;
--no-disko) NO_DISKO=true ;;
--varlib)
if [[ -n "$2" && ! "$2" =~ ^- ]]; then
VAR_PATH="$2"
shift
else
echo "Error: --var requires a non-empty string argument."
usage
fi
;;
*) echo "Unknown argument: $1"; usage ;;
esac
shift
done
echo "starting host $HOSTNAME"
echo "enable networking: $NETWORK"
echo "deploy dummy secrets: $DUMMY_SECRETS"
echo "disable disko and initrd secrets: $NO_DISKO"
if [ -n "$VAR_PATH" ]; then
echo "sharing var directory: $VAR_PATH"
fi
${pkgs.nix}/bin/nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\")"
'';
};
apps = {
docs = {
@@ -110,9 +209,14 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
${pkgs.mdbook}/bin/mdbook serve --open ./doc
'');
};
run-vm = {
type = "app";
program = "${self.packages.${system}.run-vm}/bin/run-vm";
};
};
})) // rec {
})) // {
nixosConfigurations = import ./machines/configuration.nix (inputs // {
inherit inputs;
self = self;