kalipso/infrastructure
1
1
Fork 1
Code Issues 43 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

Reproducible deployments #84

Closed
ahtlon wants to merge 17 commits from reproducible-deployments into master
pull from: reproducible-deployments
merge into: kalipso:master
Conversation 6 Commits 17 Files Changed 15 +289 -252
ahtlon commented 2025-02-14 07:17:50 +01:00
Collaborator
Copy Link

This changes our install strategy by first creating the ssh keys, disk-encryption keys and other machine-specific secrets locally, allowing sops secrets to be reencrypted for the host before deploying it. Also the ssh keys will be consistent even with reinstalls, which lowers the effort required.

This changes our install strategy by first creating the ssh keys, disk-encryption keys and other machine-specific secrets locally, allowing sops secrets to be reencrypted for the host before deploying it. Also the ssh keys will be consistent even with reinstalls, which lowers the effort required.
ahtlon added 5 commits 2025-02-14 07:17:51 +01:00
Add keepass db for hostkeys etc 923cbf4621
Add script for creating new hosts aedf5ca0bf
Add age info after creation e4be136b64
move fanny to db 57c8e65917
Change install script to use db
All checks were successful
Check flake syntax / flake-check (push) Successful in 8m2s
Details
ff673f0070
ahtlon commented 2025-02-14 07:23:18 +01:00
Author
Collaborator
Copy Link

Todo: Move all other hosts to db

Todo: Move all other hosts to db
kalipso commented 2025-02-20 10:58:33 +01:00
Owner
Copy Link

Iam wondering a bit why the introduction of keepass is necessary for this. Besides bringing in a second secret managment solution i fear unsolvable merge conflicts due to the binary nature of keepass db.

By looking at scripts/add_new_host_keys.sh and scripts/remote-install-encrypt.sh it seems that all the functionality can also be implemented using pure sops files encrypted with the admin keys. Is there any specific reason for going with keepass here that i overlooked?

Iam wondering a bit why the introduction of keepass is necessary for this. Besides bringing in a second secret managment solution i fear unsolvable merge conflicts due to the binary nature of keepass db. By looking at scripts/add_new_host_keys.sh and scripts/remote-install-encrypt.sh it seems that all the functionality can also be implemented using pure sops files encrypted with the admin keys. Is there any specific reason for going with keepass here that i overlooked?
ahtlon added 3 commits 2025-02-22 12:51:37 +01:00
Changed the keepass db to sops in add_new_key script edc754ee7f
Changed the rest of the scripts to sops encryption 556cc3d423
Add fanny keys and remove keepass
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m14s
Details
d00188f770
ahtlon commented 2025-02-22 12:52:33 +01:00
Author
Collaborator
Copy Link

You are right. I changed the scripts to use sops

You are right. I changed the scripts to use sops
❤️ 1
kalipso commented 2025-02-22 18:50:59 +01:00
Owner
Copy Link

Nice thats great, thanks a lot!

Nice thats great, thanks a lot!
kalipso reviewed 2025-02-22 18:52:37 +01:00
machines/.sops.yaml Outdated
@@ -13,3 +13,3 @@
- &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0
- &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
- &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
- &machine_fanny age1u6ljjefkyy242xxtpm65v8dl908efnpt4txjkh0c9emvagdv8etqt22wll
kalipso commented 2025-02-22 18:52:02 +01:00
Owner
Copy Link

I wonder if you generated new host keys for fanny? I could also enter the existing ones so we dont have to do fresh install again

I wonder if you generated new host keys for fanny? I could also enter the existing ones so we dont have to do fresh install again
ahtlon commented 2025-02-23 13:37:42 +01:00
Author
Collaborator
Copy Link

Yes, pulling the existing keys is better but since fanny is down currently that'll have to wait

Yes, pulling the existing keys is better but since fanny is down currently that'll have to wait
kalipso commented 2025-02-23 15:53:10 +01:00
Owner
Copy Link

Alright makes sense. Fanny is currently booting, so this can be taken care of soon!

Alright makes sense. Fanny is currently booting, so this can be taken care of soon!
ahtlon added 5 commits 2025-02-23 13:34:42 +01:00
[sops] change reproducible secrets file structure
Some checks failed
Check flake syntax / flake-check (push) Has been cancelled
Details
2eec2ed980
[sops] rm deprecated host secrets 70fe179b5b
[fanny] generate deployment secrets on new location
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m11s
Details
251b0f0850
[scripts] make pwpath consistant
All checks were successful
Check flake syntax / flake-check (push) Successful in 7m11s
Details
3bc74a3e80
Merge pull request 'Reproducible deployments new filestructure' (#85) from reproducible-deployments-filestructure into reproducible-deployments
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m11s
Details
b423efeaef 
Reviewed-on: #85
Reviewed-by: Ahtlon <ahtlon@noreply.git.dynamicdiscord.de>
kalipso added 4 commits 2025-02-25 17:50:13 +01:00
fix host_builder.nix tabs afd6444635
[deployment] set hostname in pubkey 8a2b948d11
[fanny] set old age key b792b738a9
[fanny] set old ssh keys
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m10s
Details
7bfffb32f4
kalipso commented 2025-02-25 18:12:47 +01:00
Owner
Copy Link

merged manually

merged manually
kalipso closed this pull request 2025-02-25 18:12:48 +01:00
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m10s
Details

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No Reviewers
kalipso
Labels
Clear labels
Bug/Problem
Lokal
Migration
Module/Disks
Module/Initssh
Request
Service
Updates
nextcloud
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
ahtlon quinn kalipso
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: kalipso/infrastructure#84
Delete Branch "reproducible-deployments"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?