From 923cbf4621cad3a2e90e482f0f825ee09e3b53fb Mon Sep 17 00:00:00 2001 From: ahtlon Date: Wed, 12 Feb 2025 19:21:44 +0100 Subject: [PATCH 01/15] Add keepass db for hostkeys etc --- machines/secrets/keys/itag.kdbx | Bin 0 -> 1589 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 machines/secrets/keys/itag.kdbx 
diff --git a/machines/secrets/keys/itag.kdbx b/machines/secrets/keys/itag.kdbx new file mode 100644 index 0000000000000000000000000000000000000000..1669d73b7b0916bfc99a93c566785485e596fb70 GIT binary patch literal 1589 zcmZR+xoB4UZ||)P3@i*x0t^fch6g`A+h6D$urGpDG3!s%e`Xd21_nk31_l-d1_p-h z4@Cc@r+hYEyWCt0c|J6s^SlDqc-$wqkI*XcD za(6R;%y435U|>)Q4fS*ZDSDrrd%s81#e3rSl}nf(bMdf(?C|7ZU|>jL0x4%;0E_s7 zL_oHK#8^OT0zeLuU|?Wy0`Y=DuCm^{AZNGwZuPnbd;bUP7}%dzygK^b>Rg}c{L+AP zHvcQY`oci^gh9qIfLOd-yj&$R&-l_=KhE)HbiR?Z$fUd33GxD zF5aeY+%KZEZNbwME$MeRurM&Jdm=0sSta;z;+y}o?8Pog#0gL9RJNGqrD@J_=+Y0K zD9b-Q!k+Vd%B-$iT`#*+b5(g#vC579)QhIi*i&MyR5u3v&Ds+wviH$h@rb|=$IPxy zuC99Z?Q3zvbFa0o2b#A#?whpi^pVHH$zj*T*FVZyAl+Qe`{Me)$5~9ynTPqk%*AfC zZu|MC?#W539cM%?2TTl7OXw?fslNH0wO+oob-G{q_j|>w(-L_?e{SMPxURh?4?6~2LvWgGPpD0nCRS_OLaWvepJx3>nxWwFWe&?xLEz*M`^~M z@UW`}M{hkc*WGKdoWvCPTU6X|(_Sf?mGd|!yiD_OxY)Kt z#j)?mr;KB(Zh0p#wXXIHytuw0cH))gyhi;`4<&21X&?B1YRid#F87XB$8KBf@YV3p z4h8=c|9CTd=07=NHJk0hqgQ_gyfk#V-0nYFFtw*IRb%RdT2aAn&AXP-E-l4Z+Jn$f>TRUw-<6An4NQQ&Z684UfgO18l?;~JiGF0pU9T{`9Gq= zJWiKB)8E3fs>Nb!SeV=r<279iKEFA#WkdArOZ_Feep_}Hx=L-CXL~p@WPwv@!oCOJ zlO8cOf0lpo@rmkzr6%dOx+Qe7Ivx3Y1$?$#k@DH{)%wSAw)U_Kub*0W=szpJ#Teks z`}^^RiY1m?W_)T>=YINXuc>a&@eLW$U+)$Fil1;UNa$w7{Ea+wnKr#!#r>x2WuW30 z)$4JL4%27J+8gp75i~!!?GQ^#{pw21R1(%b}Ab3hFm_67T->z83d{+m%P(B)#GGP1bwM;S+miVNl}o zi3bhrxMzL3es*t@Z-nZUwOe#HN?p*kpB*X7Rkb+tTi`pV9a-F*{U5Gb{0m>MA}^II zp?!1FInCpFr}&Fc=E>O`o|?^b`r)0szt8HLH`TmdB9V1>%Dx}`cWMK>Q@ABKg{y0d z7G9vIi^KzO(EOXXiL-y(2^E>+->aBcjs`70(u4Hx2{h~7Se71|~?#p{O zzff>5(|htD=INu&Kdk;6o6K^a+8?G@-0%L{>b$Vz#*dA`Z(Vnm3+;2m^&dw z!t__aU+gIjL7jUgH@0X`tycZ3czTJ?bpMyZ+U$X6we|#NH#|FQb09}H#7Csl{+l+^gn;znLTsL#?yOW c&J@W0z;pP Date: Wed, 12 Feb 2025 19:30:10 +0100 Subject: [PATCH 02/15] Add script for creating new hosts --- outputs.nix | 2 + scripts/add_new_host_keys.sh | 76 ++++++++++++++++++++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100755 scripts/add_new_host_keys.sh 
diff --git a/outputs.nix b/outputs.nix index c8dac17..1947971 100644 --- a/outputs.nix +++ b/outputs.nix @@ -39,6 +39,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems pkgs.age pkgs.python310Packages.grip pkgs.mdbook + pkgs.keepassxc microvmpkg.microvm ]; @@ -49,6 +50,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems legacyPackages = { scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh); scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh); + scripts.add-host-keys = pkgs.writeShellScriptBin "add-host-keys" (builtins.readFile ./scripts/add_new_host_keys.sh); scripts.run-vm = self.packages.${system}.run-vm; }; diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh new file mode 100755 index 0000000..f2b09f1 --- /dev/null +++ b/scripts/add_new_host_keys.sh 
@@ -0,0 +1,76 @@
+set -o errexit
+set -o pipefail
+
+dbpath="./machines/secrets/keys/itag.kdbx"
+
+if [ ! -e flake.nix ]
+ then
+ echo "flake.nix not found. Searching down."
+ while [ ! -e flake.nix ]
+ do
+ if [ $PWD = "/" ]
+ then
+ echo "Found root. Aborting."
+ exit 1
+ else
+ cd ..
+ fi
+ done
+fi
+
+if [ "$1" = "list" ]; then
+ read -sp "Enter password for keepassxc: " pw
+ echo "$pw" | keepassxc-cli ls -R $dbpath hosts
+ exit 0
+
+elif [ "$1" = "add" ]; then
+ read -p "Enter new host name: " host
+ read -sp "Enter password for keepassxc: " pw
+
+ # Create a temporary directory
+ temp=$(mktemp -d)
+
+ # Function to cleanup temporary directory on exit
+ cleanup() {
+ rm -rf "$temp"
+ }
+ trap cleanup EXIT
+
+ # Generate SSH keys
+ ssh-keygen -f $temp/"$host" -t ed25519 -N ""
+ ssh-keygen -f $temp/"$host"-init -t ed25519 -N ""
+
+ ls $temp
+
+ # add folder
+ echo "$pw" | keepassxc-cli mkdir $dbpath hosts/$host
+
+ # add entries
+ echo "$pw" | keepassxc-cli add $dbpath hosts/$host/sshkey
+ echo "$pw" | keepassxc-cli add $dbpath hosts/$host/sshkey-init
+ echo "$pw" | keepassxc-cli add -glUn -L 20 $dbpath hosts/$host/encryption
+
+ # Import keys
+ echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey private "$temp/$host"
+ echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey public "$temp/$host.pub"
+
+ # Import init keys
+ echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init private "$temp/$host-init"
+ echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init public "$temp/$host-init.pub"
+
+ # Show entries
+ echo "$pw" | keepassxc-cli show -a Title --show-attachments $dbpath hosts/$host/sshkey
+ echo "$pw" | keepassxc-cli show -a Title --show-attachments $dbpath hosts/$host/sshkey-init
+
+ # Create mac-address
+ echo "Hier ist eine reproduzierbare mac-addresse:"
+ echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+
+ exit 0
+
+else
+ echo
+ echo "Add 
a new host to the DB and generate ssh keys and encryption key." + echo "Usage: $0 [list|add]" + exit 1 +fi \ No newline at end of file -- 2.51.2 From e4be136b643373b37bb6c71e9d54ff8f26d3ad95 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Wed, 12 Feb 2025 20:07:27 +0100 Subject: [PATCH 03/15] Add age info after creation --- outputs.nix | 1 + scripts/add_new_host_keys.sh | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/outputs.nix b/outputs.nix index 1947971..199470a 100644 --- a/outputs.nix +++ b/outputs.nix @@ -40,6 +40,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems pkgs.python310Packages.grip pkgs.mdbook pkgs.keepassxc + pkgs.ssh-to-age microvmpkg.microvm ]; diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh index f2b09f1..0a4600e 100755 --- a/scripts/add_new_host_keys.sh +++ b/scripts/add_new_host_keys.sh @@ -58,11 +58,13 @@ elif [ "$1" = "add" ]; then echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init private "$temp/$host-init" echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init public "$temp/$host-init.pub" - # Show entries - echo "$pw" | keepassxc-cli show -a Title --show-attachments $dbpath hosts/$host/sshkey - echo "$pw" | keepassxc-cli show -a Title --show-attachments $dbpath hosts/$host/sshkey-init - # Create mac-address + + # Info + echo + echo "Hier ist der age public key für sops etc:" + echo "$(ssh-to-age -i $temp/$host.pub)" + echo echo "Hier ist eine reproduzierbare mac-addresse:" echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' -- 2.51.2 From 57c8e659176e1712f6681073b6d665649703b9a3 Mon Sep 17 00:00:00 2001 
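Review bot: The host name taken at `read -p "Enter new host name: " host` is used unvalidated as a path component in `$temp/"$host"` and as a KeePass group path in `hosts/$host`, so an empty name or one containing `/`, spaces or `..` silently produces a nested group or a key file outside `$temp`; add `case "$host" in ''|*[!A-Za-z0-9._-]*) echo "invalid host name" >&2; exit 1;; esac` right after the prompt. Both ed25519 private keys are generated with an empty passphrase and from then on are protected only by the master password of a `.kdbx` that is committed to the repository (patch 01), so that one password carries every host key and disk key in the database — worth a comment next to `dbpath=` stating that assumption. `$temp` and `$dbpath` are unquoted on every `keepassxc-cli` and `ssh-keygen` line; quoting them costs nothing and removes the dependency on `mktemp` never returning a path with spaces.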
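Review bot: `echo "$(ssh-to-age -i $temp/$host.pub)"` masks a failure of `ssh-to-age`: the exit status of that line is `echo`'s, so under `set -o errexit` a missing or unreadable `.pub` prints an empty line and the script continues instead of aborting. Replace it with `ssh-to-age -i "$temp/$host.pub"`, which prints the same key and lets errexit act on a failure. The printed age key is apparently meant to be copied into `.sops.yaml` by hand; a one-line comment saying so would spare the next operator a guess.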
From: ahtlon Date: Wed, 12 Feb 2025 20:08:57 +0100 Subject: [PATCH 04/15] move fanny to db --- machines/.sops.yaml | 9 +-------- machines/fanny/disk.key | 31 ------------------------------- machines/secrets/keys/itag.kdbx | Bin 1589 -> 3541 bytes 3 files changed, 1 insertion(+), 39 deletions(-) delete mode 100644 machines/fanny/disk.key diff --git a/machines/.sops.yaml b/machines/.sops.yaml index d3af0e2..20c00e0 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -12,7 +12,7 @@ keys: - &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se - &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0 - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh - - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk + - &machine_fanny age1u6ljjefkyy242xxtpm65v8dl908efnpt4txjkh0c9emvagdv8etqt22wll - &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k #this dummy key is used for testing. - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng @@ -73,13 +73,6 @@ creation_rules: - *admin_kalipso_dsktp age: - *admin_atlan - - path_regex: fanny/disk.key - key_groups: - - pgp: - - *admin_kalipso - - *admin_kalipso_dsktp - age: - - *admin_atlan - path_regex: bakunin/disk.key key_groups: - pgp: diff --git a/machines/fanny/disk.key b/machines/fanny/disk.key deleted file mode 100644 index 7a30f5e..0000000 --- a/machines/fanny/disk.key +++ /dev/null 
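Review bot: Swapping the `&machine_fanny` anchor to a new age recipient changes which key can decrypt every secret whose creation rule references `*machine_fanny`, but nothing in this commit re-encrypts those files; unless `sops updatekeys` was run outside the patch, they still carry the old recipient and the freshly keyed host cannot read them, while the old recipient is only a `git log` away. A sentence in the commit message (or a follow-up hunk with the re-encrypted files) would make the rotation auditable. Dropping the `fanny/disk.key` rule is consistent with deleting the file below, but the deleted sops file remains in history, which is acceptable only as long as the admin keys it is encrypted to stay uncompromised.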
@@ -1,31 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:1I8fN241VOaW4GaNUe/OVr+1HQKmtYL1GSuIfsE=,iv:aHdgEUj5QhusEavG9mVgtTQ4uqLJD2ozQ/kVVtFakYY=,tag:JJUbt4kgpa4hVD3HjLXGOg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUGpORk5zWXU1OVpqc2hT\nVW5PYlNLT3lKQVpTdCtMT1M3YlZ3Uno5bVJjCkJXR3I2Y3lDT0dJNThCcDN1NXYr\nK3VucjRKU0dac3BtQmV5ZFdrZXkrS1EKLS0tIGRGMGxDM0ZGbzVPTnJQK01GS3VW\nRHpJQWZLU1lrRS9ScXM0L0dyTjhGTGsKJEYq5vKxxYBAgkqUEkBwESur0reNIDPb\nK3rtflNi3dUYYZdLFNFV5rQX5q8aDnM6fO/zYPkzfBn7Ewq3jbBIIg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-01-05T19:35:48Z", - "mac": "ENC[AES256_GCM,data:z7elJ0+3r0bWc/H6h4rI36xC7Uj0NS04VssjPDNVZM17LeN4ansSOfcOKPaUMziV/z5Aq8RVLROR+FImzxBZGaZm37frCoN1OP3WjeDnP6AsoY9dY+S/aYmErVEsQEIi8T4RAdQP2c3BUt1oKZ9Nki2pu3IBRabBlFhaTI0bspc=,iv:8Nn8r9ancHwBJOaJSsv8Vj3s+d0UvRmKIeCDNzx1qRg=,tag:BSO2yu70H2wjen3BCGC4Gw==,type:str]", - "pgp": [ - { - "created_at": "2025-01-05T19:32:11Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+JpNwP+BLJf4+0pSr17TToviCo0yWmcaP1dIUqClBSoDO\nI3ZzqHdImAj4QgExif2zsuzz1+WC+sjvFqEmX5pBKza/e30qCZirkelz9mzc0mhG\nLhTzfhqC6fLbV5f+pDp6N40ommu+LX1pIz6nViCUjqBdnAkCb+tqLU4eQJQqVmlz\n7BToLsvYomPK1nJ6f4rt1nTR9wkBI68AYM/K0SgCJXjwj1LpZ/+3yElkiCqZ9uZB\n1jrDKX+QPySlZ7OERL70UT7Eh8DTUNzFnozvliBnyxe00wwiiucCgrC94TmaKCmh\ni/FOdS6Izm3QwcWB0eMCX6GQBvlUWpjSz5xF4+YODJe9tGNz/sNxpk6B8xG5NuG2\n61nohMHoml6X3Z9dOwu/Svl+eS8SV/r278W/F9miE8YeayyLlPxHF3DXjd6WeDhZ\n20NExQUJYIRf6w/XQPQZ+E39NkIHxz8v+P29ncmSsRPWS6d2MK0Yj+UW0vT0u1vJ\n+lAs24xYofbu5tmBbnK10lgBrZMXDJM2nQbKMKSkVVjzbzmOe5jzMBxuWLX+ykeI\npaj32wQDWvfBqLPH1Kwvy5nqHvy375jPZ7RTzT7W0d4jKQf7xapbi4CEepHHfxCF\nD0HIEi8RUlXJ\n=KVUJ\n-----END PGP MESSAGE-----", - "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" - }, - { - "created_at": 
"2025-01-05T19:32:11Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUARAAqowFMavIniFheNvt03EH1iEn64xNmExotYcDt2L0bR39\nXQdLvg7cJ/Jh7EuZ44mHTs21mpbYIlygMs6kimqQ8iO30vGTEcn5bt/eUEoGHciM\nYVHktWNR81ZgjvKCcmTUK3ld+DMKmg2BABr4auUOYLu4ToSnFb1fv+fvZG0D3iQs\nm6LJuafH+4utM16Vnkp9+ziY/ieMPYfbOFuSFq0UWxGK9P+koSYVGnYhH55Lksyf\nBb/esEGCY671/Jl/qHw8so4TELeRsW/v/xAcNqbE1Msdeas7WJy/B6WqXQgK/Y+J\nPsyZ2XHKhPRitN77/eDJXVBi0mKBTE/RCzDzMYxKA7IQm28v8+u+wpdCajewnyF4\ns2HACaYs/TWRpIUzqxRlznc0nMpk8xUaeVb0N7nrtSDEBF8ETOGOcPk1AmdKMR4M\nsy0vu+K2oJ9L7e/o1ntpejKHN7t2Lzq+CvszBYKmyw/KgxeqY0hx4cJTUDsdgLjI\nMTrs6bySVXDyRaw3rHo7OvA+5c8dLfnWJd1R78nZTx89CYCvjJeMo7PNvN6C9HxK\nJoCOCnZo6a3j4NqJvXD5GNqGSP6m1lqBRWYQUIhWaOfz8aTY1Z3EXX0/4tv5C+A/\nknhc694ujtmBXio4XgDIrSz3jr9G8+ZLvig88xV12HTJfsatypQdHVIZj08EeR/S\nWAG872Q/DVD/aDmhaOlq/o/QBoEyrnJdkRHT9NX8iBboQ81wezfJxWUWlWyHaXVq\n5YBLFQvQAZLz3h05EBkMOiS2dHUa8OnNImj8txnCePAlcUdv7LIVxHA=\n=9APA\n-----END PGP MESSAGE-----", - "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.9.2" - } -} \ No newline at end of file 
diff --git a/machines/secrets/keys/itag.kdbx b/machines/secrets/keys/itag.kdbx index 1669d73b7b0916bfc99a93c566785485e596fb70..be8a3e1bfa4adb36809734be1ea36a47e7eeaa37 100644 GIT binary patch delta 3464 zcmdnWb5)v?`R1Zo>A$_VGEU@FGktsQy8F?B>$j_GO??jc2u5zZWNIdxsc?U#$=5hR zv;G6@0t^fcKk|g`hTHeMyNG1$PS#x)JTb+9kzwLgrFs?y1_mca1_p*;1qKF&`GuS@ zC!L%7`mT4?wgd)h{B^K)dmzYspz_69!Kj3yP8N{LFpwT$1`q(Tc)57F(sO4|xy{<` zyUXU;_syIegPt8~)QghY&KS78d7hU|zU8f1OblTflIi}6Gg(Ua{GI$E_Vkjd&Y3rZlU1^vr%o1qDYF6Re zbGb45lU9FOaZ8o|wO2I-*S@+=xTW&w{HeQUDtF=oE-zpHIZ?lE>-q&v(@Va~E-{&N zKH#_Xnd?VvW8Fm3rM%0nD4Y z&&>Y(!~FwC%$Gg&hM$FnpDjEjSd(0&^;OeSNY1WvUVdeydkWwC=iI4$aSz_q%sy`V z?$*gO@0ym0?mv95EB-{-uifWse75hKIc<4v^WXaka}Fky-)vQ6GO6AC*O_U;*6>aJ z%R-#OWCwC2 zw>_y@&CJ3clRjC%JLb_DqXtd`&)*Ylv!mT+_$w8c@5<)boZMdHb^qk0D(mjRY5xoV zwJFsZ+*oa~@NT}SZ?OID14b{}#V5|N_qb$o`p4?czqEd)td0l~6Jk6!?{?$CS@lxx z4;Lg~G50n})5}~q?b*hfx^*216YFO=v$1j9DO($DIO*xU?N$>G>1ik~{QodUWA=2v zJ=)bzDo#VVdg{Q>&hswR9zi&L>XO&;S;LWzR zTuKa&9Qegt5g;Xg&|r>ZV{-)i5= zQ=jqq&&R2Ji_CR&{DrxKR@@ePT(sfBJgtL1)0Cc{ncMYQPxR<}_cvCy=lW$8+yZQS zT&M30Yg%=y<<-Kx7xP87N`5=}bKzyx3cGIUm%TH*)>U7wIq;F)-(qWJ_2wJjG}c^n zd2Gg0Hetb!*Y&?*9A3CQI+xC6VVS=)tuxni&aJNS`a7?lFYhlAjXtt?>DCjvTKsdA z)K==L&8-!RcbT^3vgd(?f~v)CU-Ku<+_1Ha`A_W8Mf%bPA1aIDT}6Lj2PFMhMPQ&8|l}$e{cM?WB0X%vO6vnG45OO;bfe~>$4_yY_cna zQ+|ji6<0p2E&P#Ezrjpgp5xCPwXZBSR(Gl%B%VDriRsN(%Lu{QcLVm+$9^hL2sJn0 zc(C)0U*yk^-xl^vzPUE)%#K_4L@WLq?+KmxXjb(b=fajl^`cX6&xyFzAe$-?IVZFJ z!-2~NpXEQO`Fmw*2nI65mZ&Ht9X<7}v#?~cq;j} zcvYi&2OpX%>hDpT=z4nU+%*T^#Pm1ZIpF-Btt&Ne=c--Gy&qydw8g%?ELtpeLiy9_faNwJGk3K8>W{ze~NZNSgd%c|m%^4m?jXpQm5HFLdv4UN;?H2&9mWwn*Q&T5uTPs@s1 zbGSK~uRDd8*{FNfWA@u$y?5Fa8t$+ZoD%2s(CtC}R~=Q88Al%Yu9A8yx>ahQ{?$DX z1;6Z(|Go103H=04X18kYiFe(u@vN=T-)O?~N!Frrh1TQ~oZp^IcikfPsBY_ab)kM| zxy2Rdcg=a-FrB4}S#6#AJI$K5J6V;P542~$)Ob|1H`w(|rud&-k07oUkLUDV zm&L9hwq-2(u=i~JjLD0Fg-;1D=sufw<|B`a$!ZO|beC<++deo>-TCQZORKMX%B|o7 zY0;j{lJAUH)~{@jw_&l}HGRE$%KY+xtl!sWKIB?p-&3@dPyYVRxLZx0HyGZm@42p- z_y70a 
zZ!*_#SbNsUji0yl+xcZu7gcSq)pJi02x6|>rWk9jt@Yzp6M`(aEED6Z3tM-4sckM(kvXIF(Zg_Zb6!2D`abkzXY|VLOJ_FC|FGBbY37r_iswH)5`Cw2$NDQyi>i>h*}5$vT!&k3 zf=Axuc%BniCOq4C=h3BGJuG=yZ;n~+o+0LUsa`Q;M!@v%%qQ00-S&RcpW56NU5DSY z{fRobSKsygHck_+x9=YJS0(m-k=Km9cEpN7iYYhOh4u9F-8ZXerYN5;dw4LFDP{4? zyt#AO6?W~L#ymMC*tonSAz9(Y%`1(mWf99>Rc_X-dvU<-_3hUOY8T&LGTX^5-C*vO z4O{%;CuV-$RR8_K$tOD>O3wAlUAjuxrdzu8xYduRZ7H1vvs482Co0MOdZ|!aV%8Iy zYZnmGwRmw3+k3Z%{YG zW-^&n2L1PY&6~#Y_8p(hw+$=OzkfN9v@1pG&Z-*Y0Mpb+=EJ$0%THe{Rh3$>fUhVy zukoaP_Kv91W!KC1Zc))G`?1U3a?|=c){4dHAL`aKyj+oceA|`YZq>sclAHEw*E3$& zczJh>?h%=v^P9ith4ibpEZZx8`X!6czm=}r_}A^Zd4X$QWx_@$hgVLwau=*HnYlKU z;po-ZhXQij?yZiRz4dedwhw8M+80i~ewzAYb4*G8JJ;MD_YQOWo4t<;aA@dXbNlT| z<5bs4c_zPhxwIdvQmDA9eACyBj`OT(LdE{lBCct5kvV$+<| z+4r1$lUa9`-LrZrx8&**r+StjXRE6Z?a{I96v=iIn)FBM=l?JF|GeUs`sC>F!Njxe zfJgb<1a;o}RzKD`lg_UXeJgSCkOu#Yrr&y7y<$JD*m>_|-R@J@4b~^*iKuVf)bik$ z@UbTqEBE$HOCuBUnUl7eMI=~qHZ27Zo?}Qc! zw7sfq|D;uWAn~}6&Vj^j3)|M6DhOJ=!@ke`c>I~moma0YF0!r{{yanH-SeiP3bs}3 z7Fl9_+d2-${7_X^>Ur?Xs_@4F9iyhUYm20qQ>^lzU;U)?u*LP|XZzPPtA8DLOFJo( zCiW?AJLjdfarwMoe&5Xd$&ePkt(d7w{_L82+wDF%m_-&WRJV>hYvb*;p0_D7^zUTG z*&Eh|T{gd*yZAKkt+`tttJlvm%xG(^c4E)!)@S~3g`xMg4|BokyLT&e4+t~8lo$0r zz_wsVdZpIOOq&^O8Cwk%9=)i(scq`x8R_bFjc40dMeUN0lV|IHILo5F`hJ+E_IpF) zTl*LS{j%<}ytLAvsd49gc=K`7*EeK;Hw@ G^8o-0pRo4; delta 1497 zcmcaAy_JWP`R1Zo>A$_VGEC%DGu{3`^iO*F_ZJb8vzV8fAA6sg#8+&#SXrAhYD%IW zZ|OmH0R{#J{jWaS#=?$s`8M*O)mhZMa$<@BBh$pGO7#*93=B?;3=9mx3JeSk)_WJ^ z>{j2cUe{pn|6m;h`}2xdN55O0>oc8S8gS0$e+3IjWf%(s1A{OF2!L3;T)bQ*GSB$Z zSwGJ4W^}%hv&ql!>$#KHe{C(7J9%S&#otah%QzK@-t4yT+5IVB`6u_g)U`g0OVn7? 
z@#KBI-yL1v`wvUzEzeX;dfYIlr~k?1itPz=f(|a;rf%FXqO@(n(-SS}cQ>#wFsyqb zEEicN_;BKz|Fi7HE=j}*PwP~+nB}Eu&T;6{51uH?KRm*o^L)yzu3KF%yHj&jc~Y^; zjsDb&rq9?@Vy#p+2K>$16DhLy(OL0`zz@gFu1>D5dR71JYjMMKueGiRnzuXdo3!lo zk;lTxVb{dhKgwDl-CWK4;`+bGSxnBEhxxtC#cs83`}wEt$w{jnXGAUsObk*>=qq%o zzWJTCUcR(-x?lPCd&R5M5_v*@ZsJI|uDvJZ=$^f+=Vsi`)O>KG@Ze$Th`!AS1SU>0 zxHI9H=-iu2bv)*NRH)aq>nxWwFWe&?xLEz*M`^~M@UW`}M{hkc*WGKdoWvCPTU6X|(_Sf?mGd|!yiD_OxY)Kt#j)?mr;KB(Zh0p#wXXIHytuw0 zcH))gyhi;`4<&21X&?B1YRid#F87XB$8KBf@YV3p4h8=c|9CTd=07=NRX>~U!J}7y z1-vwLx!mqQSunMyFI8jegIZC+Zq2)v(~I{``5zcoQ}ZP)Rqn~j6+g`N#f)O5lZ#{) zK8)Nx`KQm^^L2J_u3n$}g!f62>O+zDD)HAoPMW#v#JVdr&4=W@9{BO9DsBA!BgX33 zEWvGiN-O&>Y+4X?XTpMgZ~Bh$JvsPzR(ULHMmX!|POLg|}_KCy29 z)v2!|8Jl_b-?Swx$>DGFeXrhoJ#EL9@~ekq10R33ie1&Dljq%Y;d^g*LBWDkOH#KN zavqqSb8yb0+zVdZY6csUCpzmJ#)dq*@@k*Rmi+lYqQg8+mp;?q!m_HxVry8K+!Et8 zT?;qYe)?*! zscz5l4H?p3?-l=wpKvZn=w`(HjXZOiHoaTL{if_?pyC(R`s;Cw4%27J+8gp75i~!! z?GQ^#{pw21R1(%b}Ab3hFm_67T->z83d{+m%P(B)#GGP1bwM;S+miVNl}oi3bhrxMzL3es*t@Z-nZU zwOe#HN?p*kpB*X7RkgT2^IPCMryW_`oc$lJS^NuMt|Bj$E1`XJ(K*fId8hb`Pv*(l z8=jiYbNb<(yT8xsnm5(FT_TZncgnsW{C8>tyHmI&IEAZgisW~0H-2vLr@m9f^038 z{u`Uja-P~BrdQnW{@Uuiu;j*%jlpkScb4SWD8K1`%p#aOAw|OUSHEBEDGfoLdnGrv zXiu$H{i}F-iO+QZm%-ZXfoHY$1ZFqXKRau4AV+Riutzqh(6grp^kc*)9zI_XDgDHk z_0X9Vl~jWp98TfA`@W{zwm$5RjST8#TXXe7xwT@&W3TL$!cED7pUe6(4fo%k_>=ux z?xl7yWud5+f>nw-hwpmLH Date: Fri, 14 Feb 2025 07:10:09 +0100 Subject: [PATCH 05/15] Change install script to use db --- scripts/remote-install-encrypt.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh index 277f519..f0553c2 100755 --- a/scripts/remote-install-encrypt.sh +++ b/scripts/remote-install-encrypt.sh @@ -25,6 +25,9 @@ fi hostname=$1 ipaddress=$2 +dbpath="./machines/secrets/keys/itag.kdbx" +read -sp "Enter password for keepassxc: " pw + # Create a temporary directory temp=$(mktemp -d) 
@@ -39,12 +42,13 @@ trap cleanup EXIT install -d -m755 "$temp/etc/ssh/" install -d -m755 "$temp/root/" -diskKey=$(sops -d machines/$hostname/disk.key) +diskKey=$(echo "$pw" | keepassxc-cli show -a Password $dbpath hosts/$hostname/encryption) echo "$diskKey" > /tmp/secret.key echo "$diskKey" > $temp/root/secret.key -ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N "" -ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N "" +echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey private "$temp/etc/ssh/$hostname" + +echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey-init private "$temp/etc/ssh/initrd" # # Set the correct permissions so sshd will accept the key chmod 600 "$temp/etc/ssh/$hostname" -- 2.51.2 From edc754ee7f9788475322bb32189ca49a35d0f72e Mon Sep 17 00:00:00 2001 From: ahtlon Date: Sat, 22 Feb 2025 12:36:01 +0100 Subject: [PATCH 06/15] Changed the keepass db to sops in add_new_key script --- machines/.sops.yaml | 7 ++++ scripts/add_new_host_keys.sh | 77 +++++++++++------------------------- 2 files changed, 30 insertions(+), 54 deletions(-) diff --git a/machines/.sops.yaml b/machines/.sops.yaml index 20c00e0..7482dec 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -95,3 +95,10 @@ creation_rules: - *admin_kalipso_dsktp age: - *admin_atlan + - path_regex: secrets/keys/itag/.*/.* + key_groups: + - pgp: + - *admin_kalipso + - *admin_kalipso_dsktp + age: + - *admin_atlan \ No newline at end of file diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh index 0a4600e..8266d3a 100755 --- a/scripts/add_new_host_keys.sh +++ b/scripts/add_new_host_keys.sh @@ -1,7 +1,5 @@ set -o errexit -set -o pipefail - -dbpath="./machines/secrets/keys/itag.kdbx" +#set -o pipefail if [ ! -e flake.nix ] then 
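Review bot: `diskKey=$(echo "$pw" | keepassxc-cli show -a Password $dbpath hosts/$hostname/encryption)` never checks that the lookup returned anything; with a wrong password or a host that is missing from the database `diskKey` is empty (unless `set -e` is in effect somewhere outside this hunk and `keepassxc-cli` exits non-zero), and the unchanged lines that follow then write that empty string as the LUKS key. Add `[ -n "$diskKey" ] || { echo "no disk key for $hostname in $dbpath" >&2; exit 1; }` before the first `echo "$diskKey" >`. The two `attachment-export` lines write private keys with the caller's umask and rely on the later `chmod 600`; a `umask 077` near the top of the script closes that window. The surrounding `echo "$diskKey" > /tmp/secret.key` is untouched here but still leaves the disk key at a fixed, umask-dependent path on the admin machine, which this rewrite was an opportunity to drop.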
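Review bot: Commenting out `set -o pipefail` silences pipeline failures for the entire script, presumably because `tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20` (added in a later hunk) makes `tr` die of SIGPIPE once `head` has its 20 bytes. Keep pipefail and bound the producer instead, e.g. `head -c 64 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 20`, which terminates normally and still yields 20 alphanumeric characters; every other `|` in the script — notably the `sops` and `ssh-to-age` calls — then keeps failing loudly. If the line is meant to stay disabled, a comment explaining why is the minimum.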
@@ -18,61 +16,32 @@ if [ ! -e flake.nix ] done fi -if [ "$1" = "list" ]; then - read -sp "Enter password for keepassxc: " pw - echo "$pw" | keepassxc-cli ls -R $dbpath hosts - exit 0 - -elif [ "$1" = "add" ]; then - read -p "Enter new host name: " host - read -sp "Enter password for keepassxc: " pw +read -p "Enter new host name: " host - # Create a temporary directory - temp=$(mktemp -d) +if [ "$host" = "" ]; then exit 0 +fi - # Function to cleanup temporary directory on exit - cleanup() { - rm -rf "$temp" - } - trap cleanup EXIT +mkdir -p machines/secrets/keys/itag/$host +cd machines/secrets/keys/itag/$host - # Generate SSH keys - ssh-keygen -f $temp/"$host" -t ed25519 -N "" - ssh-keygen -f $temp/"$host"-init -t ed25519 -N "" +# Generate SSH keys +ssh-keygen -f "$host" -t ed25519 -N "" +ssh-keygen -f "$host"-init -t ed25519 -N "" - ls $temp +#encrypt the private keys +sops -e -i ./"$host" +sops -e -i ./"$host"-init - # add folder - echo "$pw" | keepassxc-cli mkdir $dbpath hosts/$host +#generate encryption key +tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > encryption.txt +sops -e -i ./encryption.txt - # add entries - echo "$pw" | keepassxc-cli add $dbpath hosts/$host/sshkey - echo "$pw" | keepassxc-cli add $dbpath hosts/$host/sshkey-init - echo "$pw" | keepassxc-cli add -glUn -L 20 $dbpath hosts/$host/encryption +# Info +echo +echo "Hier ist der age public key für sops etc:" +echo "$(ssh-to-age -i ./$host.pub)" +echo +echo "Hier ist eine reproduzierbare mac-addresse:" +echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' - # Import keys - echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey private "$temp/$host" - echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey public "$temp/$host.pub" - - # Import init keys - echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init private "$temp/$host-init" - echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init 
public "$temp/$host-init.pub" - - - - # Info - echo - echo "Hier ist der age public key für sops etc:" - echo "$(ssh-to-age -i $temp/$host.pub)" - echo - echo "Hier ist eine reproduzierbare mac-addresse:" - echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' - - exit 0 - -else - echo - echo "Add a new host to the DB and generate ssh keys and encryption key." - echo "Usage: $0 [list|add]" - exit 1 -fi \ No newline at end of file +exit 0 \ No newline at end of file -- 2.51.2 From 556cc3d42314d54ab604691595132226545facf1 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Sat, 22 Feb 2025 12:48:32 +0100 Subject: [PATCH 07/15] Changed the rest of the scripts to sops encryption --- scripts/add_new_host_keys.sh | 9 +++++---- scripts/remote-install-encrypt.sh | 10 ++++------ scripts/unlock-boot.sh | 4 ++-- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh index 8266d3a..fb18e87 100755 --- a/scripts/add_new_host_keys.sh +++ b/scripts/add_new_host_keys.sh @@ -16,13 +16,14 @@ if [ ! -e flake.nix ] done fi +pwpath="machines/secrets/keys/itag" read -p "Enter new host name: " host if [ "$host" = "" ]; then exit 0 fi -mkdir -p machines/secrets/keys/itag/$host -cd machines/secrets/keys/itag/$host +mkdir -p $pwpath/$host +cd $pwpath/$host # Generate SSH keys ssh-keygen -f "$host" -t ed25519 -N "" @@ -33,8 +34,8 @@ sops -e -i ./"$host" sops -e -i ./"$host"-init #generate encryption key -tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > encryption.txt -sops -e -i ./encryption.txt +tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key +sops -e -i ./disk.key # Info echo diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh index f0553c2..6ec19c1 100755 --- a/scripts/remote-install-encrypt.sh +++ b/scripts/remote-install-encrypt.sh 
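Review bot: The new flow writes the plaintext ed25519 private keys and the disk key straight into the repository working tree (`cd machines/secrets/keys/itag/$host`, `ssh-keygen -f "$host"`, `> encryption.txt`) and only afterwards runs `sops -e -i`; if sops fails — no matching creation rule, missing PGP key, Ctrl-C — errexit stops the script and the unencrypted secrets are left one `git add` away from being committed. Set `umask 077` so the files are never world-readable, and install an EXIT trap that removes the key files unless the script reached its end, as sketched below. `if [ "$host" = "" ]; then exit 0` should also exit non-zero and reject names containing `/` or `..`, since `$host` becomes a directory under `machines/secrets/keys/itag/`; `mkdir -p machines/secrets/keys/itag/$host` and the `cd` are unquoted as well.
```shell
umask 077                      # key files are 0600 from the moment they exist
mkdir -p "machines/secrets/keys/itag/$host"
cd "machines/secrets/keys/itag/$host"
# If sops does not get to run on every file, do not leave plaintext
# keys behind in the working tree.
finished=0
trap '[ "$finished" = 1 ] || rm -f "$host" "$host-init" "$host.pub" "$host-init.pub" encryption.txt' EXIT

ssh-keygen -f "$host" -t ed25519 -N ""
ssh-keygen -f "$host-init" -t ed25519 -N ""
sops -e -i "./$host"
sops -e -i "./$host-init"
# … unchanged: encryption key generation, age key and MAC address output …
finished=1
```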
@@ -25,9 +25,7 @@ fi hostname=$1 ipaddress=$2 -dbpath="./machines/secrets/keys/itag.kdbx" -read -sp "Enter password for keepassxc: " pw - +pwpath="machines/secrets/keys/itag" # Create a temporary directory temp=$(mktemp -d) @@ -42,13 +40,13 @@ trap cleanup EXIT install -d -m755 "$temp/etc/ssh/" install -d -m755 "$temp/root/" -diskKey=$(echo "$pw" | keepassxc-cli show -a Password $dbpath hosts/$hostname/encryption) +diskKey=$(sops -d $pwpath/$hostname/disk.key) echo "$diskKey" > /tmp/secret.key echo "$diskKey" > $temp/root/secret.key -echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey private "$temp/etc/ssh/$hostname" +sops -d "$pwpath/$hostname/$hostname" > "$temp/etc/ssh/$hostname" -echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey-init private "$temp/etc/ssh/initrd" +sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd" # # Set the correct permissions so sshd will accept the key chmod 600 "$temp/etc/ssh/$hostname" diff --git a/scripts/unlock-boot.sh b/scripts/unlock-boot.sh index 347f260..5d7c180 100644 --- a/scripts/unlock-boot.sh +++ b/scripts/unlock-boot.sh @@ -19,15 +19,15 @@ if [ ! -e flake.nix ] done fi +diskkey=$(sops -d machines/secrets/keys/itag/$HOSTNAME/disk.key) + echo if [ $# = 1 ] then - diskkey=$(sops -d machines/$HOSTNAME/disk.key) echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root elif [ $# = 2 ] then - diskkey=$(sops -d machines/$HOSTNAME/disk.key) IP=$2 echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root -- 2.51.2 From d00188f7700d0f191d4b073f23ab778aa2769ae9 Mon Sep 17 00:00:00 2001 
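Review bot: `sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd"` misspells `sops`; the redirection creates an empty `initrd` file before the shell reports command-not-found, so with errexit the install aborts after the disk key has already been written to `/tmp/secret.key`, and without it the host is installed with an empty initrd SSH host key. The line should read `sops -d "$pwpath/$hostname/$hostname-init" > "$temp/etc/ssh/initrd"`. Since both `sops -d` calls now write private keys through a redirection, put `umask 077` before them rather than relying on the `chmod 600` that follows; the script header where that belongs is outside this hunk.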
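Review bot: Hoisting `diskkey=$(sops -d machines/secrets/keys/itag/$HOSTNAME/disk.key)` above the `if [ $# = 1 ]` / `elif [ $# = 2 ]` branches means a wrong invocation now decrypts the disk key (and may prompt for the PGP passphrase) before the argument count is ever checked, for no use. Validate the arguments first, e.g. `[ $# = 1 ] || [ $# = 2 ] || { echo "usage: $0 <host> [ip]" >&2; exit 1; }`, then decrypt once. `$HOSTNAME` is presumably assigned from `$1` earlier in the script, which is outside the hunk; if it is not, bash's own `HOSTNAME` (the local machine's name) is what gets used here.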
From: ahtlon Date: Sat, 22 Feb 2025 12:51:22 +0100 Subject: [PATCH 08/15] Add fanny keys and remove keepass --- machines/secrets/keys/itag.kdbx | Bin 3541 -> 0 bytes machines/secrets/keys/itag/fanny/disk.key | 31 ++++++++++++++++++ machines/secrets/keys/itag/fanny/fanny | 31 ++++++++++++++++++ machines/secrets/keys/itag/fanny/fanny-init | 31 ++++++++++++++++++ .../secrets/keys/itag/fanny/fanny-init.pub | 1 + machines/secrets/keys/itag/fanny/fanny.pub | 1 + outputs.nix | 1 - 7 files changed, 95 insertions(+), 1 deletion(-) delete mode 100644 machines/secrets/keys/itag.kdbx create mode 100644 machines/secrets/keys/itag/fanny/disk.key create mode 100644 machines/secrets/keys/itag/fanny/fanny create mode 100644 machines/secrets/keys/itag/fanny/fanny-init create mode 100644 machines/secrets/keys/itag/fanny/fanny-init.pub create mode 100644 machines/secrets/keys/itag/fanny/fanny.pub 
diff --git a/machines/secrets/keys/itag.kdbx b/machines/secrets/keys/itag.kdbx deleted file mode 100644 index be8a3e1bfa4adb36809734be1ea36a47e7eeaa37..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3541 zcmZR+xoB4UZ||*)3@i*x0t^fch6g`A+h6D$urGpDG3!s%e`Xd21_nk31_l-d1_p+= z*RH!CEx3NWy4KX^aF1Z*wo9gFvY86^SDJi{6Ey2Tzz#CvN1o8#aQl9D7m1`vyvi*`Y?gD4Feyf!mwsdD-M!-kQb4 z5T+rS?yoqLrF75V$sb}*znLy@h;3rqqD`j_l6B9;YDH>y=rb(Yz0^M|@<2*2-?8%J zFGUi1!%sMgYM*Ne;9+2hYx12rZ`a1q9mjs{UAeZSQ0{>13%fQ&Rt@(9&)e8C5+=|6 zayoUgj*_)&Y!w#rgA4f z;PUe2pA+@#wys~$G`-}z>=KhX=L3FApSga-Hr7ofUCO)MxApiVqbLN@rFCc=2`Ds6WqHX z;YeA@=JkF$A6WE!!q=G|z59LJlbY4cEbKAqlLfqE9-T32;56|3J;63R+HHovQgQjN zY>v&z?KNKaPhP6B?hc&xzwlq1Qk}t#)fNly=8O6U+wVSL^rBsS;tYF_OD3m(tls=f z>u1X9h!8O$#&h#-Hy)f-FXjGlLGl%IZ<92=%!SjQZLFzV*O4%BmNOe0$DOjZ(T0D(@_uHdgz2(@NlU_+3KTh9t>(%try)adCx?SNr;42 ztbeH7JNo;^^LwQ~n*%396?yG}|1w+O_4L^c>A2 z6U;X_9T5Igw0^4UviGg_tvnf@|9qUvx5!*a$6uH$XvJ-z$3+`1%+osPGfnCFnYmq` z^+b=pcYkALd#+zr!7aeH$94M7u%=bFT3#*8dof>RtK_$nKNntBt+4Bse%U+2YhCr_ zngbu%{VlduR&T!XO=HbPm&ay2WfKilK=iKTFzw_$( z^8OOh=p&1lZatx^#Xm<$ZKa;t+*+Y{muXurdmdOQs9NmyHGksF4O_dI|HK|$q%Upo zp|U8>rH=9XRfE$HT~rTFTeLrR`L5LE-#qWnh;f~1xXI(Vk$#Q)_r_m4c3)d4yW>(3 z!XGIc%*5q6{>)MP%2H!>r|LoC*;A94-h8!; z5S)ECU{8JQr}BhQa|4bCJKy+4{`~lDVbA27YopHWxOGpo;=l2p(3y{BRljjAY&ldf zI`#IPh+7S^sS=TMGV4DaxNPuQ{)3voSEhzwAVX}4ic-?iQ{OrZOD0QNXFT4eFkMo8 zncUTLHg>Tq7Z}y=sEk)Nx_9uQxuX6awTZ5$r_Nn-@J&pA!<_@p@7cOi^LDPo96&&!e zVAGtW(%u&9$Hvc8m?i`>o2>5KE8E;~-{6wt&+Gn^pLlM}lD~K0%%a6oCzL;(4p?pz zGIK}UPtG!J*X`FABr0q){T>m$ea^=U{~B+pgoPDf+bJ>Om>TCv7L#pU#k;A0Ge4JI=PqhAXto`ncze zW1O7LI){t9g-cgo^kcb^lT&|brt53|SGHzRo({YvzumNp));?WGuPYK&^X;qIUWk~TycKaoYxK0S*n=T)~UbKtZBQGRhjufd-h9>M@4&sUC(5S|Jn6; z!jAq&6Xx}JPTzG|?D}C_#-a~<&(4^ z9=5dls;ArvK9Cme$t?NKcxC;{_IMi>+g;PwtEbE_56Jp`ZRSI+1@=8fOZnvQ-;BG} z^N$Djw#rJGYFnMujna zNq2s=xJkU5{Oc#(_`MY^N^W;(ORXb#wNOWl8CtpZ6|%_}W*e zap#m>Vz(DxxORV*eA3C7MgQ*H4f(SDZ6LQ@=?p>D>^FbqdYpG&%GU46da7ck>|v=btklwKoL*(~ns1@KWGT-?P6PnRUZe^{lER 
z<&~$*`BAweOWF0=fy}M%Lr-=_uiUzv8s03YnX& z+akhsxaB5z{aDv&AJx{>|Wn~eV}&n?Ip9F z+|mu^UfHn4FMeX?=S|-qoP4tLq2yez+@-68ZMvmfk6ZnC+LqE;FiS;Hf1;Aiua^p? zC1yRLxpn~|U5gjzu)TMC=zqIxfzub(3w}!L>AoIa!$8-Po>h=T~w~ezV z@thZ6o3_Yu+J}x$=8tt&9oO5RCK}5%{h{K;Ahmh_f9vt4csFY`L>YdX^ZR$cwsFv3 z^%-3e?z2mlXWcn-J>|y7X|>${H!#&(d7XS*_F{uq@Intw{>bRQD>Yx`I48)}rJSoj z_c-LnA=aA8#pKBh6Hb{I!p-@oDcmgy-A@1-$s474j+BlhWdu=3QO-1~G?zuj6a zds<{BlSyUJf4|qfX&i6g@yUGKup<5Ymjg+=Ql##zsxb~QO^sweoV&UF^uxny?pN$6`islyX-ADt*>LPSe*W$Zau@x6}iW^UFq#sJ?tU5X|Fcp zg^ibY$LJoB`8mJ&dtOMtddsrC@~2<2`21Vxx{ZI`o|_lA=2a$abaHs*bSrnk3X_>@ zLm7@6zkJbUWAI(@zrS~0)Pl?GIq9FX%HKHtyY5)Fu{6BN=d#FGjrTL#EH=$a zoqf;AH<@*3**&Y5a!am0ajIweakjep&>kJjPLXUkp-F#~e*XV*|IaIKsZWj$A51*k z4tSK$O;G1;^<$kg>HPZ8w-Of*Y4E>j`mMLsEB4cho%deW?LKwgV0}WKi2BA&Ef0PP zAA3@KHrp*gWhs$RW0<(k7g@Jgh~l3yc0QdLdN6!1<~xH1B}tnmOtC}PH2%p z+pEg-~&AgusY0=w?nX2T^uDQ3}?vsOAWWhpp>$tNv-d^i@n<7L1PG+3F zVQtuD^UJx5PxIcIyY;d9EW?bp)@mpAtZseg4_6p^U;8i@oW6UvLid0$(@S|#?*nWL zcBEHoz09YLi8KAw@TZr6CWZB^7R`8avD{)e+H+Nn&@!_u|ia-Wx-Z8wtQub3U&^11bo z+r?9iRZPnI8xq#{@b!k-?R(T{b(2wOs`{KMA6ZW^#(%!y`%KYJ`2ETg3-moe9UK6# CoU-)* diff --git a/machines/secrets/keys/itag/fanny/disk.key b/machines/secrets/keys/itag/fanny/disk.key new file mode 100644 index 0000000..c33bd83 --- /dev/null +++ b/machines/secrets/keys/itag/fanny/disk.key 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data:xmMPJyp3y9XI2QsWJniRM+Nds4Y5zoqb5QSJqZo=,iv:KRLS4JYN2OVmbbLe8DCD0xW8VVnbmYN/MfZNp7eOS2M=,tag:FV1Qm8Wr5fbpJ+ovAK+uaw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ1EwOGcxazlIcy9mdmkr\nMzJCcWkxQXFEQ25sUU1HUFJqSEE1b2M2QmxVCm1hWWExbWtJdmxjMk1VUE43ZkNR\nNmRpdGNPNURwdjJkaXhxcjNxRFFiSWcKLS0tIHB5Y2NWM0pCbGdtTGRUV1hyVlVs\nZTRsUnZoUnN6cHNPTWF2SzhxUUJ0aVEKzchgMPjpDAX7NUTSxUYxoKLoOh7+X9GV\nxrarnXswpSV/bfR4w4x+DmoocG7TbdH+UvCTsg3LtdjWmfpjK/c8Kw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T11:49:56Z", + "mac": "ENC[AES256_GCM,data:WKZIdINWSCn9ZOtsnLQ9dXCOdG49Ltf7/G91zEuj88+nvQC4+WTLCCXBGdhVBamV1PWHYnFvZbiXKJ/VFdN3EDZeW9r6cXuF2PEveOn6Bj1bYi0WrzFRfxxvt56AM9j/0D5E1hE9rp2yAWg5V4E3nIGT+rVsOczMk1+Yx4Q8NCc=,iv:DKD+E5yeFJrARfP5Qw6I1Cn9lvvHUHHok+3l8dyzVcE=,tag:lCBrrqfFxvtldBfbha99vQ==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T11:49:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/Xn1mh8ojou0/ntHLA+iNzYf6vsJVoWB6Cfh/WL9s/Vxn\nJWhvIzo+blJnoMJMsRPx4wiIuAjT2KkJko5v8Wr9pzzOAqOCghk+8YYnpC49PpCA\nhT8Yuu1v53Ycomwj1IdZj6GWeIkuLw2N4ZVqh1vZnvTT1tWltxmp9lhb/cWP+ze1\ngzIO7wqd9hisX9DVl4IVV/q8QVIfhWR2dMX+xgRcEssAjQu/nFGv88i6NJQsbIwm\nKOlUI3QJ49DEVFxH6Z36ZhUpdszHKi3IPg2IqtpfDicU807rQ3VihM9abkhp7cY6\ndvxW2rMijahy2IXuvGyTuwh9ow4bHXWBQgEkaFo8eKCx/KnR5shpR3/0CdegU45H\nGF/RhIq5wC4lMXy5/O3pgb5QPItcOB4ke+s48sGdxWWyXkp3MLXS1NblEZ6K9xTm\n/1GUcpCeoePWMeNmPgdeEcQL8jBxBol2wP5cXl4Ov86wegd0O56lVi6L2jqhgYiZ\n+SMhqmsMqZFVJWExkyX00lgBzFNsLWpT+KGuesodu9mtbYJ/s7Pz7+d+apgtzLI1\nGyjD9TDyZQUmM4El7SbZ/KNniRhR2Rnthg1r/cAcMYSyOnRbM/n5t5ynUc8vzr4y\nIPGXwW3pEoOh\n=48Pd\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + "created_at": 
"2025-02-22T11:49:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//S41vk86ETjZa/AI9N5rS/RnPk3SuvGCiFxVkPl+ScY+j\nMOIqQFr55JpZm2Tb2nYA07yzW0b9q7jnVDt1dGp1MEC9QZZj1dEoZNGU+UjLhD3F\nDW9/NLeoJ2+D2rSxQmIwWdMqw3XehZDXvcicmKprtSK1MThV1cy5BITTStoX+qSQ\n4pFg7AVJij7+mtEK6pdV3S9BT1R27X9fanm4v785MEB+KERhe+5rQ7QR33Ohrotk\nqp6FqQJRAkc2ea+SFLRp8q4oIKK8lIoVv2mos/RUyBMf1HYPERohvqBjOF7oUjHt\ntOGGb+TLpVicPEsrAiNG5krfLCcI8vZeqkZQvu3YZx1zopYrW1mQuW1/kedFqtpc\nN6piYNz7KaYX0zpCJv1YQN8z1YOc+9LxTIemDUNt3zEYwrehi/DeXMt+Np+U0PKq\nSmfxRiMnbTT14la8mUa4Uov6KNUhzLgDVm8z/6XuM4qqEPw1ApG2UT+n5swZeqhN\nXBIAdSfybLW6vGhIOJduiI7LbQOADcEqlwiMDM4WMtG5acM/MLFQVQzP0DnQeIYj\nlNeGxT0m92ZfhwPupJG8PlC4dAANU3anBVGtMGn66aAEoVq/5RdOI9Iw8z8FIvnq\nN4Sef+5eqJuNeFdvxWG4IP6mrU1BmeWTXgI59aifSPUc0vrviYD6eRYCuI1NySLS\nWAHY6GESDXqeH6mlUryle6HSnJD43faFNkdlUaEBt0tH4ij2OvM5s8XTnr03hPnT\nYOHSVh6PVF2wwgV+JJuy7Nfj1+ylZCl2G61GO4QXtLexeWpPSzbo3Hw=\n=A2Pv\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/secrets/keys/itag/fanny/fanny b/machines/secrets/keys/itag/fanny/fanny new file mode 100644 index 0000000..e497201 --- /dev/null +++ b/machines/secrets/keys/itag/fanny/fanny 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:BdRM22/SMiHrq4SWVZTIpYPy/eHS1Kc/XxYj49Jf3H4=,tag:QdIwNFO7PnChvhWJAYNONw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYVnRlb2x4SGdPbWltWVUy\nZEl5OC83UldXMjEwOUdTNTFWMytYejFVRkI0CldKN0F0MUp6U2hnRUJQaGZKbzJR\nZFByOHRwbWgxTlJndGh3NWZIR2FKbmsKLS0tIFNjNDVHWjZNYlRCY0tQRlVtTlQ2\nMTlUVFd4dEo4dythYVV1WEQ5dWlEQTgKYqoEes44TbflFTFBzNwEVP9DDHtkmhfn\ndCFBPhBTwuoFKai3kOOX/E9gEOwqY24HAqKdeyiO2VXrL8JKEazggg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T11:49:08Z", + "mac": "ENC[AES256_GCM,data:V7B26cct1W4ihesyVxpAI8AvMXSy7dd0hWFdYqWtzKkCN73au2V3h1DilOiNn3gclFhL9Crw38iNUtnGeHscGLGrNbwkyCMDj1KXKl6wnSYdFkw9XD+PnRwYq7hMTTLIH19nqBg+K9tjaDEkK7y8WygUHfknxJj5D4bURgl/jow=,iv:/f3GXl6o2oxRJjIJEpYN5T5x9q4acxFqqakzBRG4hlg=,tag:G6F9hXdO9BoXZ2eXaEG43Q==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T11:49:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQwAk5+mzJ/KJX4bxyb5w8dUiLXilBMJQiBxQZWsC8Q+G5v6\n9LGMMWPrQeLuTHkNe9FpddIUixjuFox1TJxaph3t+DfamR3yPdUYDuRckc9iF+jZ\n4oa8txJ9oWoEYx5QlxCCricSxomC9LV4DcBKQ2gyXnAeX2Wwe5/3uw+S/KyHZM+y\n9flO7qIVQk8MkVzZOc2KVCyvUL1UnAwgXzR1OmznpGBiZpaipCmXBs/elncxViry\nrmgA/+Aob37ChXQk5mVQLyrV+E1M+u1PwigML7PbbE3WpBVgpbb+MH639nBC/rTV\n+B70BaayFdzvUln4OFonfvsvPQEynmE1rfJRUavvAQDORHHmmbOKdWWVaYHDlp4Z\nAgYI10mnnFBpm2Qd/EjBa2a1CWboaGCaz/KldTzjp+TxW0GVf6WQ5SKlqZj3MdGM\nVS+91ph2LaRCTB5WObTX4KKDiwwoRAB+0A4ewu5ttsmeuhTy3o/r1Liu/UBdaL6i\nA9t59cMopIL6YXRD1YwF0lgBHtGC/KGsnZjC4dscoU2eTfmJ4rFx9vmc8I/JaO+h\nNDoFnd0sk2FQhnMvAN16U8HurfAzbHiqf3utEcMOg0bPw43Q/8g8JgUAaxqkJIQn\nn4fqE2GFjBqJ\n=Eivh\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + 
"created_at": "2025-02-22T11:49:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9Hy7wKpuAeKotD/HBoM+aptxnKiExf7mphpdZZ1sr8fHE\nDDdVehwhFxsxLkcIwh+dj35KswHw6aMzyQGj4bYsxSmsFKscATknsklR1UATWfSw\np3hVjNFCZ+yd+uzSJnfTkldTcaJiN9MxPmaOMd4e7Ui5k7dcYo0/FD5AZQZMjKDO\nQYUsUASWLHWAoiS7nnFrbaFvXKAPS4wOsB2T263QsoZyEvpQIgWP6lb9kS7V4ftZ\nxetGJFIk2hanYfdGXZy3TiHaJO+fESpVYmp6YykDqeZqZkWB59aeWVL/7Cz7H/wj\n4RU9RWBMbXGjPz+5WMo7X7kLrJgLAWywch6bM2fktkadG9n2tAa/FISysR25qtmQ\nzJtwCY8j26ZZJdc/FEA6dYwIYeGZ0BwV91dPaEotAtgSVpSihdXI/DzE9T9OjWuQ\n1c2sCjVJ7Kw19uCHLaZg+Tvob0RQJu5mnKPnLqinpxDn6Vf/nxIU80gFsPPr4f2T\n627iBaQOaMxdxHLV8r16WrNzBRj28sPZDBlGQ0HouToO2dn3uN+onQGszRAAIadJ\nZMo8SoWCdx+xiDK0S5oxnoxfk2QMAW75qyFiR373axb6HgMMSpJSG8TE+vg9++oa\nE7dddc7nq6ZnuhRNDn9V6cam8hfkFvKwRCeul1Yg5qZn5qI9H0/glR+KisKZVK/S\nWAF/XJucPmK9gsScxB4FgfKmpZD0cJkKmwndB5Idc6waRrjHxFnLFTFxbUnUD2KC\n198dZo7Y4ftOIWKHCY1R4RWhsmIUX5XzxwEnYSzy0pta/uyaqwa6sWs=\n=wi7r\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/secrets/keys/itag/fanny/fanny-init b/machines/secrets/keys/itag/fanny/fanny-init new file mode 100644 index 0000000..9851688 --- /dev/null +++ b/machines/secrets/keys/itag/fanny/fanny-init 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:6IIpVx4Dtrn+uahiH3kZHy6bmBj9ti1UiswKwAe2qZE=,tag:hGJkYXIarS+QEwJiHVmP/w==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMXJSeTFQdElLc2FKVFlG\nTjdlOGZHaUZkNjMzZDJTcXh1ZjF2bVpzRlU4CjdiS3NYeDZyNit1OCswSjFWbWJU\nT1BTNWFsRnpQWjZGbzJFV05tV1lNS2sKLS0tIEdrb3JOMUFRMkdIdFUwK0dHSXRQ\nbmtCVEJjRllnMHZFNkJ2UndBcXlaQkUK9bHFPsVaZovR4rGuQ6GfqAvZxNKqVhC5\nHybQWv1PCoaNOvQbtBgCxMlV8HOJfwe2EgysJErvriXeyVad5+zY2g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T11:49:08Z", + "mac": "ENC[AES256_GCM,data:IFctz/f9I9vcWN82u3qta+o/oILTHpCScSezHwt0ifsENnUQLz+uAmpMs+ok1ZR5+20XpEq4C7f1s4n2h8dijxsPuE/IOQM7rvwjoVPsM/0XUglDK3Vc5u1oooGpLJg1PchwWGOAlKQHun3mh4j/bz5UMpD8AWC++NLPE1Hr0Jc=,iv:y0aD+4iLSKedGAjZP1SygyzzIE0/SHWcOUS/aghzrII=,tag:01dQZoLlz0w5dE3DePwjbA==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T11:49:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv6A4kG9S33l07+BwNeUsDZVrzRTP2Gz5F679VKTBrr96t/\nTJaa+FlCWDU3DczaC18Y6yIyU22+97xqQ4WYnno0h7bF2uhjbyXjp3JV5na7BgGe\nn3V6p0yJcBM5XfrJRuKghEB3kHddQIcVR8JurWrynCKy1C4njR6pJDA3pqp9PReP\n0ubTiJqAwJfx5hGSAjSDWitQ2vpubowCXssqyh9S2P07H5u8HHbLRyJGgvl/LgTR\nEe2EUh7KrTMT6cCXBHAPSK2bZgwP667bhEOJzuCpknG4/Q7EtVQzjKaXGrDR0vMi\nIwA7knQ0UMeRCa/jSSPYUbscMJIb5+wh0rnPfWGGgtVshdd6YtuETBnqZsjUETXd\nsXdem+UoMEN6Co1ABzHEeSGT7y6D8OghoodofLBvgf5TduiX5Pqceo7SkfXPN/3G\n4fqg+e+VTT63Jwp7rk+ekRJYPkHNoB5w0VIrvsyBPlDUhEVywKWJTfzu8905hkVP\ntsQEoJxkpT27PFACoxZ80lgB/9kyQKvsRG9kl68osivg2gIB/13+4TjMdS+x3ycL\no5QnE0D/adRJHpDRwuPfzGyRwFWT8bHFEpw8qErLEWaXh27QMStOgr2By2PsOFTP\nAtJo/wheNGMb\n=qa04\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + 
"created_at": "2025-02-22T11:49:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9F41AW+ruudLanRh8Rn8rHJRfGpdhv1oFkFRIK+Z/2oGr\nMGMm+2EPhCHCMp2tFJRm0HwZruGJda31iFNbaFSqHmTlqWfEMoEj4ztcOhe1vFG/\nhqtp39DawyHb/1AXPHvsuwbucEf/DH9gflXgbnBrZQ0K+7FiOSnXNi34YByKipbI\nbGg+8PV1iYXw0vuLgERy5aP20zyvr+sg53jnr8RR98A2E7VWg2YNfxEOKxxQczxe\nlgblSVqLLmEKAJcE3JWY6c5HR5Xlt4Y02JrAYD11qD21hmtS8plEZ70kiz4elgMU\nkWxM1HSm9Tyq2I5c9v8uk8VOCfEYE+glASJKtyHtyzDJRJcKwvaE8SqStlfoGot6\nKiJ4flqGapTOkJtOvR7FczO7T3j19Ga62dUvoHrei9Q0FYcyG70/lvTWEJy4/jYg\nOk5QJyseRhrDhcLKg9nUbuSfYhXtJc9C/S8B1n/bwjO1O3vslkewFAnhBIqweh1D\nnHjrSHsssrpkeyefmjVh7NiQZtn122hnPnIz5B62is27MD+m8qWWoWghc5lzsw5S\nCGBRY8l+vvGca1TZFJX1JO/L6vhdN4qd/H4IWRmj1oSR8qtQ6SKbt1UmQtB2BtPg\ncqlRCn4x2ORpRgwAIZtD6GFUFUjUduz6LpaxG2tpnmZcQfPAF7YYjjpR07oPIg3S\nWAGomgQyyubfDCH/tM0RwuTlMX4hkMtlKyMDuOHuZVxWZqoh/utGazasBogGm6zK\nIz0nKh+z0w0nv9kGzalq9L+ek0A07ylIlakSaR/vxh2ZaKHojBEEPh8=\n=1EB6\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/secrets/keys/itag/fanny/fanny-init.pub b/machines/secrets/keys/itag/fanny/fanny-init.pub new file mode 100644 index 0000000..31efbb0 --- /dev/null +++ b/machines/secrets/keys/itag/fanny/fanny-init.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEY60NKfdjFiXNvl1r4mBcXKADHA80laxio+qN6izevN atlan@nixos diff --git a/machines/secrets/keys/itag/fanny/fanny.pub b/machines/secrets/keys/itag/fanny/fanny.pub new file mode 100644 index 0000000..9a6c590 --- /dev/null +++ b/machines/secrets/keys/itag/fanny/fanny.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiKzGgQVfvfSqhdWNqkhTWd8gfJCVoyYoe9zh1LATsC atlan@nixos diff --git a/outputs.nix b/outputs.nix index 199470a..6da2c53 100644 --- a/outputs.nix +++ b/outputs.nix 
@@ -39,7 +39,6 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
 pkgs.age
 pkgs.python310Packages.grip
 pkgs.mdbook
- pkgs.keepassxc
 pkgs.ssh-to-age
 microvmpkg.microvm
 ];
-- 
2.51.2

From 2eec2ed9809cee5e3e8ddd4d9125398e4a79cd5e Mon Sep 17 00:00:00 2001
From: kalipso
Date: Sat, 22 Feb 2025 19:10:44 +0100
Subject: [PATCH 09/15] [sops] change reproducible secrets file structure

---
 machines/.sops.yaml | 4 ++--
 scripts/add_new_host_keys.sh | 20 +++++++++++---------
 scripts/remote-install-encrypt.sh | 12 +++++++-----
 scripts/unlock-boot.sh | 4 ++--
 4 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index 7482dec..bfa9498 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -95,10 +95,10 @@ creation_rules:
 - *admin_kalipso_dsktp
 age:
 - *admin_atlan
- - path_regex: secrets/keys/itag/.*/.*
+ - path_regex: .*/secrets/.*
 key_groups:
 - pgp:
 - *admin_kalipso
 - *admin_kalipso_dsktp
 age:
- - *admin_atlan
\ No newline at end of file
+ - *admin_atlan
diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh
index fb18e87..b8db477 100755
--- a/scripts/add_new_host_keys.sh
+++ b/scripts/add_new_host_keys.sh
@@ -16,22 +16,24 @@ if [ ! -e flake.nix ]
 done
 fi
 
-pwpath="machines/secrets/keys/itag"
+pwpath="machines"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"
 read -p "Enter new host name: " host
 if [ "$host" = "" ]; then
 exit 0
 fi
 
-mkdir -p $pwpath/$host
-cd $pwpath/$host
+mkdir -p $pwpath/$host/secrets
+cd $pwpath/$host/secrets
 
 # Generate SSH keys
-ssh-keygen -f "$host" -t ed25519 -N ""
-ssh-keygen -f "$host"-init -t ed25519 -N ""
+ssh-keygen -f $hostkey -t ed25519 -N ""
+ssh-keygen -f $initrdkey -t ed25519 -N ""
 
 #encrypt the private keys
-sops -e -i ./"$host"
-sops -e -i ./"$host"-init
+sops -e -i ./$hostkey
+sops -e -i ./$initrdkey
 
 #generate encryption key
 tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
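Review bot: `path_regex: .*/secrets/.*` is unanchored, so it matches any file under any directory named `secrets`, not only `machines/<host>/secrets/`; because this is the last creation rule (the hunk ends at end-of-file) nothing below can narrow it, and every future `secrets/` directory will be encrypted to this key group by default, while any more specific rule above line 95 (outside the hunk) still wins as sops takes the first match. A pattern tied to the intended one-level layout, e.g. `path_regex: ^[^/]+/secrets/.*` (adjust the prefix to whatever path sops matches against in this setup), keeps the rule from becoming a catch-all.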
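Review bot: `cd $pwpath/$host/secrets` has no failure check and `$host` is only tested for emptiness, so a name that makes the `cd` fail (or one containing `/` or `..`) leaves the following `ssh-keygen` calls writing unencrypted private keys into the current directory, where `sops -e -i` may hit a different creation rule or none; `cd "$pwpath/$host/secrets" || exit 1`, preceded by a whitelist such as `case "$host" in *[!A-Za-z0-9_-]*) echo "invalid host name"; exit 1;; esac`, closes that. The two `ssh-keygen` lines also omit `-C`, so the committed `.pub` files carry the generating user and workstation as their comment (`atlan@nixos`, `kalipso@celine` elsewhere in this series); `-C "$host"` keeps that out of the repository. Nothing guards against the secrets directory already existing, in which case `ssh-keygen -f` prompts interactively and `sops -e -i` is run on files that may already be encrypted. The script continues past this hunk.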
@@ -40,9 +42,9 @@ sops -e -i ./disk.key
 # Info
 echo
 echo "Hier ist der age public key für sops etc:"
-echo "$(ssh-to-age -i ./$host.pub)"
+echo "$(ssh-to-age -i ./"$hostkey".pub)"
 echo
 echo "Hier ist eine reproduzierbare mac-addresse:"
 echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
-exit 0
\ No newline at end of file
+exit 0
diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh
index 6ec19c1..4d24adc 100755
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
@@ -25,7 +25,9 @@ fi
 hostname=$1
 ipaddress=$2
 
-pwpath="machines/secrets/keys/itag"
+pwpath="machines/$hostname/secrets"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"
 
 # Create a temporary directory
 temp=$(mktemp -d)
@@ -40,13 +42,13 @@ trap cleanup EXIT
 install -d -m755 "$temp/etc/ssh/"
 install -d -m755 "$temp/root/"
 
-diskKey=$(sops -d $pwpath/$hostname/disk.key)
+diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key
 echo "$diskKey" > $temp/root/secret.key
 
-sops -d "$pwpath/$hostname/$hostname" > "$temp/etc/ssh/$hostname"
+sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
 
-sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd"
+sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
 #
 # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
@@ -62,4 +64,4 @@ if [ $# = 3 ]
 else
 nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
 --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
-fi
\ No newline at end of file
+fi
diff --git a/scripts/unlock-boot.sh b/scripts/unlock-boot.sh
index 5d7c180..e00afc8 100644
--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -19,7 +19,7 @@ if [ ! -e flake.nix ]
 done
 fi
 
-diskkey=$(sops -d machines/secrets/keys/itag/$HOSTNAME/disk.key)
+diskkey=$(sops -d machines/$HOSTNAME/secrets/disk.key)
 echo
 if [ $# = 1 ]
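Review bot: `echo "$(ssh-to-age -i ./"$hostkey".pub)"` only forwards the command's output through a second `echo`, which discards `ssh-to-age`'s exit status, so a missing or unreadable `.pub` file prints an empty line and the script still ends with `exit 0`; `ssh-to-age -i "./$hostkey.pub"` on its own prints the same key and lets the failure be seen. The mixed quoting `./"$hostkey".pub` is also harder to read than one double-quoted path.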
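Review bot: `sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"` still invokes a non-existent `sopd` (the typo predates this commit but survives in the rewritten line), so the redirection creates an empty `initrd` key file and, unless the script runs under `set -e` (its preamble is outside the hunk), the install proceeds with an empty initrd host key; it should read `sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"`. Separately, `echo "$diskKey" > /tmp/secret.key` writes the plaintext disk-encryption key into a shared directory with the caller's default umask, so other local users may be able to read it for as long as it exists; `(umask 077; echo "$diskKey" > /tmp/secret.key)` limits that, and whether the `cleanup` trap named in the hunk context removes the file is not visible here. `$pwpath/disk.key` on the `sops -d` line is the only unquoted path among the new lines and would be worth quoting like its neighbours.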
@@ -37,4 +37,4 @@ else
 echo "Usage: $0 [ip]"
 echo "If an IP is not provided, the hostname will be used as the IP address."
 exit 1
-fi
\ No newline at end of file
+fi
-- 
2.51.2

From 70fe179b5b81d916b96e71816549abc750ee01cc Mon Sep 17 00:00:00 2001
From: kalipso
Date: Sat, 22 Feb 2025 19:15:10 +0100
Subject: [PATCH 10/15] [sops] rm deprecated host secrets

---
 machines/secrets/keys/hosts/durruti.asc | 28 -----------------------
 machines/secrets/keys/hosts/lucia.asc | 28 -----------------------
 machines/secrets/keys/hosts/moderatio.asc | 28 -----------------------
 3 files changed, 84 deletions(-)
 delete mode 100644 machines/secrets/keys/hosts/durruti.asc
 delete mode 100644 machines/secrets/keys/hosts/lucia.asc
 delete mode 100644 machines/secrets/keys/hosts/moderatio.asc

diff --git a/machines/secrets/keys/hosts/durruti.asc b/machines/secrets/keys/hosts/durruti.asc
deleted file mode 100644
index 5891c55..0000000
--- a/machines/secrets/keys/hosts/durruti.asc
+++ /dev/null
@@ -1,28 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBAAAAAABEADh28tGiUsmPPbsQYKSi9WiI4UCPO4qd7hEoER34Ku5w+kpy1MI -ymJHNlZODjrjvznRidyYt+1vpED941LawzsujBV7pSfIBY0cQWYTbF/euuQFJYxN -sBLG4kek5IhdnIsav2f7fMv6Rhfkau7p20AYkWUkpoUxBJTxixIkxrO90ODSzMMe -tLI9MnqPcMASy6dbAGKXSABaYi9bwggIgyYHNaXThEuEAWPMPMMj8Wlo0H0X/B9O -UEOHSA4N3TBKJXuDhsKgUo6ADLAA5op+YG+JtAdvdjW0XxtDamLkkrEx/fsYWsn2 -LjiX7z6cCQjYy+GG6LV82cavyF9sBAs8kEl4AVXVYsaB0g99rpY91EYLAD2Ddh4d -lHPwPVQ52Ht3QeEPAsqeXRh+gZOp/xx6EJXXaH7aorXoWlbUFcCnTTEFAM0HibZg -ChZEX+pl9RxdPeIwU4kd9LxNygDwp4YhdJzbcpHkp7RrkHJHgmAxUEVCxZfw/P2c -GDIBHQSS4FZ5PIhh+aejYCo4BrisGuAjwlaH26BRNraM8EImaLwLuQZ1TOWm97tI -BEI0JFscrTi2RSPgDCg1Cu78ocbcpqC3cRclXzRohvp83NpWnAQFCAdNaTttQsio -lQTXxmJlaeo/0vHAN+Llukchh6sFzzNP3v4B8vLvdXkE3s5XYxJungblTwARAQAB -zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQWRHe9aQhhWcCGw8CGQEAALRQEABVEYsIn5zGV84caxE/LXN7 -7nDsUEyo3lCetStM7JT7uDdMl5t33pUAIbm4gv6/BrvVZ6pBtPfTrVrTKKDornKJ -VU/tKims+CbnuPUIbOmuXcPbQIa/IF4WVop8XJTzMOSW636/eH1D2VTLI8Jmw35s -qDmqx72hISUBGCszTJkThp8xUFMW5NcJc6zGB9I4vdac6Sf6yuZqmdfDm0MzcvmA -tDASc6ZLeffPkJxUA+x2WouAYkfdV1CdVS6ob6owrSza/T+wQ3DgzO5AVZ31HXTa -gDkVIBgdZYR2H8IaaTetb4m2+SgdXr7s9WCOR2i8DiSKpnUAJKoVIOl6pBd13jCu -PHQzkKq6kqn4bRYCZil3fKDB90mVDIyixJJCt//VA5y9Tgggp9o7a+l35I9hCJ2F -6AYtpfXkTbI9wqmk33TJX2litqqPZkhEERv25UDvnZ7Mm0my9QXJZ1Fp1nRLIKZg -VABDS/wIB1QHtOldDLMeRD7Fnrnjgnyuk4/HmCem0wFDPHDo/ppa2QtCUk1xxywu -fa7hs/oDVUMsofpDm6Ls4IgFXbSD9GUTDdB+UvZi5vITaZ1f1QLcrShhSUHkLIpc -65Fj79r9cdHKdUhnM2+pTuVM6Az3huMkZ+abgjSHWSni2njowRUd2P7pG+ZhaUk3 -Rj7jxxXh1KQ7X8Rbbce8Mg== -=sb6Z ------END PGP PUBLIC KEY BLOCK----- diff --git a/machines/secrets/keys/hosts/lucia.asc b/machines/secrets/keys/hosts/lucia.asc deleted file mode 100644 index 8fb56b4..0000000 --- a/machines/secrets/keys/hosts/lucia.asc +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBAAAAAABEAChmMEXC6TjRtYAHk6CsrnP0LFd1vOuH4+QSalj9fCaCpYVEStP -u9EtW2DK8kSBdo8DAngzsMFt9PoSLcPcB00s9R6EACVuOn8nTVkyYtO/8hWJVexI -G3SB/u2a+MYC2QEtw3Exzleexx3EkZywAzGWzJXpajMbGsfvssXl96xb7jxrxdNv -Msx9t2RJGADSG6Vx1+A5UmFwITkGpn6wjvQXLvkim4ZHRzX588vgz/IdJ6yqOeeV -v0VyVNTPfXkDO2urxRgZ5TG9wE5v9OKFofooR5T1rB/khW2jMoqavLWeRVCqVpmp -MQ8VMkJzEoP7RX7vAAgCbVrTe55sMmXa9gtXo50wz6lHYHnepff6FuquS7szH7Ja -lRnvx6CR1FwWIGhef/kxmNQKr2Mt3V7riFmv0bkR8ttI5uyGposeWfY1T6iJfxic -duIYXrV11T6fWOEUh80aRz+8E46LFv4sGZjTOvHWrnetKNweuOC9/yaSDkEr35sM -xVffS0wNGclhxl860qBCbhG/X7YYZs5sFHsRnsb7rvTCP8LtGhrjybE/b4WuGRCU -rEftVOBe4NSwlsdmRVl5Cyk/ZkJncrUwlaH6laCjBfldQcdxAHzdzPZQhOmBaLkF -1l0EpteSbEsi3CS2rkkriSsZ+nZwaccTa6+B6twrRmGvcBrZXlsugsdDSQARAQAB -zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQvNUtHtVQM9sCGw8CGQEAAGIaEAAoWuyjinNk8ovTAH+TjKWK -UD4WXwt5OJ8l3FJPpecZbhTaBrRdlLzY1tlKzwd8c69QVOoqk83Rv4Fep9b8EFQ5 -U2bTtXLm/wINSetjf6vlLYxEPNKVzGtk8ejw32NPnJVsGeXNazlcJaR2jRW4kMcj -A2b8aeUKxnLaoZYiCLZGvyvuB7oj/nIX7iuaIDHKR9oVyQOekeYlg9R92wKCZDiF -1USoknPO2cSYFZpDM6tmIjkOoEgnwEZqzwI7q5dXz/mqp86XeMJWFkyTRhPT6Hiu -iS/5wDsFJi7wgl4Jr6bBWFaHeBVSTJIwkoahxpM/qVYAYINgLO9erxMkmX5lRzxs -NC3LsqQ+L5Isx96AXaZWf+IOYgN8nB3bsQqvlqbvMIUE3wkxg7oeNzDzvgxQM/Tf -AC6zYHiGrs7WS6+ojx2flJnWA7mrOllimv5pTTUBtA7gh1JN9aUzzBjvF0LlzN1O -DLyxu1PsIazI1eklUm0ljyOoqBnOrDZoC4Kz70pguDGDvipCAJWjG9SjXDwXGAA0 -sUhnebh2HPZYj73xDIrbgkg+79n6U5UuewUFwDQfE8VFDp62s1s9haCRUKU6uwiL -i31OKOkDcYSyx/3/VvaT3lT247VERDw/5yVYrrhQwxS4WSabX8gz6qfKB4bi/HVs -lX2duwzSRzuytZCKKG+fdA== -=VTby ------END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/machines/secrets/keys/hosts/moderatio.asc b/machines/secrets/keys/hosts/moderatio.asc deleted file mode 100644 index 4ff8405..0000000 --- a/machines/secrets/keys/hosts/moderatio.asc +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -xsFNBAAAAAABEACm+W5sGSC25OtlwQdOBCSfX2DnPuk5abjxY5HMIv3MnySouXpW -L3VoE6Irur9lZwfKrXaUweJPJHVo/Sfknh9GSBCW6yFFcGZ5nNx/QNdbfjOSaUw2 -0BkW1CYRVcLIKSHpepbTDHBxgKaCYsmupptFQ0Nzx19PPMV/WBqrkSlEpDJyq9y6 -cTaGulRKWBVDytMFmibhGlqpfEI8bzrxaeGTqiRTZJqL3zDDi2afDt1kJeCXKd32 -XOywDZgB5CinY3qsR45ftC6mZ5fV+ex3M/Uc4YJiVgwg6GlSdiYW9Mqf4koqpLCq -Xq3ztEo9FjFen7KmAcLstFmzY3fAXGIJzb0CfvVrM32wsdC6NRDINdMBmrOeKXT7 -g45n0LOdCFr4AOKyABqMudbKrgF9txHt549oaQ0wHCy1nStji1OpbhdpCKDFKPnl -ojG1Nur9DPRFmQ01I3KIjvCrf8J+CgI5YVwOr+m5Zw3i/b0qd+9R/8oAmzhhuyt7 -kckSVTCjNzsDgjjOa8FVQJremTdkQuWOlx0HxC3aQdSoPxOfpeUhybfttNpvUuta -5EbsiS/PJfzMOtZDG++naKO/xGJDiaYDhW1ZeGI2fOFUm4RYHqCFES32XF4ygpGq -wz2bZNKKSf4lxoD1+SBqOyd1eN3u8GmX8OgUB3TpgEuQb/XL31zDKCZ7pwARAQAB -zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQj5s8BYqm1MICGw8CGQEAACMDEAAFko8JYC1zGt5rFKokXGbs -K331UHReN02QpdL8fhMt0Rqoh1FKt8Sr8lzCLPNOnlgxSG5lXmA3dFfWAnFrNw5T -1u1oU0sB+CiekyWXJxTASur1g3DtLv6qA19Uw4i9bu57LK5E0ycoI3RnR+YbDri0 -psPNP01x7NBO42O71rnBypGbCPXnLOAaKq+ISCN+XCZBkmjKhcWJlg5DJfUGCEdr -DCKi/1j5mgs8H3sUrc5Y4gLz3BWuypAGWhQr/KDAcmCm/u0ZfzVyrxw50eMuzeF7 -GfePPI70nXjUlywuFUFg7EWlCT6sRtZf+o4jkXcwGpZLx2/rdZ9J2I4VmYakBVpA -2OQwi47YAFe1wz+nsF3fImuGQdHu0x0sFLbuJaSJCOVYhMcZhskRygqqI+wEvDF1 -i7SYzi5Xt7rJrSaqGhAzlg1Cc8wzMhoCE/IU5Hd55OtbvRwZ2JKH+UAl/L9Qizqy -AM7nSrUjA5p4H09PMuKGmCEcZDKpH2huAeqmtGQ626edE2WNduE2jCdAIcN263PX -1+TIe4IRLhtmTKqfJgbzrt0cSIAsuvI8s78ehsP2eNANdkQjzBAaEiOo75G/g+sd -tWl8gxOhrPKkb07KqcPEfXq4QYk7kV+pWuA2yMiTX5A+oy8gVFBxUp+zbjYeRuW8 -cpHyvbDvdnQ5LGNC/v0rdA== -=Rmch ------END PGP PUBLIC KEY BLOCK----- \ No newline at end of file -- 2.51.2 From 251b0f0850b1ce2fbcf94bff1d0420709d6e9f2c Mon Sep 17 00:00:00 2001 
From: kalipso Date: Sat, 22 Feb 2025 19:15:36 +0100 Subject: [PATCH 11/15] [fanny] generate deployment secrets on new location --- machines/fanny/secrets/disk.key | 31 +++++++++++++++++++ machines/fanny/secrets/initrd_ed25519_key | 31 +++++++++++++++++++ machines/fanny/secrets/initrd_ed25519_key.pub | 1 + machines/fanny/secrets/ssh_host_ed25519_key | 31 +++++++++++++++++++ .../fanny/secrets/ssh_host_ed25519_key.pub | 1 + machines/secrets/keys/itag/fanny/disk.key | 31 ------------------- machines/secrets/keys/itag/fanny/fanny | 31 ------------------- machines/secrets/keys/itag/fanny/fanny-init | 31 ------------------- .../secrets/keys/itag/fanny/fanny-init.pub | 1 - machines/secrets/keys/itag/fanny/fanny.pub | 1 - 10 files changed, 95 insertions(+), 95 deletions(-) create mode 100644 machines/fanny/secrets/disk.key create mode 100644 machines/fanny/secrets/initrd_ed25519_key create mode 100644 machines/fanny/secrets/initrd_ed25519_key.pub create mode 100644 machines/fanny/secrets/ssh_host_ed25519_key create mode 100644 machines/fanny/secrets/ssh_host_ed25519_key.pub delete mode 100644 machines/secrets/keys/itag/fanny/disk.key delete mode 100644 machines/secrets/keys/itag/fanny/fanny delete mode 100644 machines/secrets/keys/itag/fanny/fanny-init delete mode 100644 machines/secrets/keys/itag/fanny/fanny-init.pub delete mode 100644 machines/secrets/keys/itag/fanny/fanny.pub diff --git a/machines/fanny/secrets/disk.key b/machines/fanny/secrets/disk.key new file mode 100644 index 0000000..2d0018f --- /dev/null +++ b/machines/fanny/secrets/disk.key 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data:H0oMKUXc6C28tHMwSgsppcdfYKEknPIIWGq3Mwk=,iv:lExcGcA4bvwKtqeeG4KS87mWlPBtCSSpOunJMZcQG+Y=,tag:F6Pke7woX/odRT7SMJwVbw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdlQwRFZLZUtGamszckt6\nNmFoZmk3U1JpM3V6MkNZc2Iwd0VlTDJpekNvCkMzVm1qNEYyNEZmQ1o0TG1LRmpP\ncUhiWlB5ZTdjZnBHQUxVblA2V2s4WVEKLS0tIDhiUUdla09WRmR6RWZnbE5XRDAv\nWVV0WW9wMWsrcjdsdkF3NHgxMVFmRDQKeUAVQU/M1DGfAmee6CFvyTr8RkRBWjYk\nK9ceXyJSojHktwr/Xllm1mMm6H2lPbzba/JAyt99YVTD8xO056vu/g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T18:09:45Z", + "mac": "ENC[AES256_GCM,data:5IGtFkE5sGjXJXlXkPdN4e15gxh6QB/z1X5A0149koG3fvOPnoLPEU+DGx1qj9Z/8vilJat1hk7qIBalMPMCn2/T1PIV45Hpvih/kNoszkFMQ9r0EsZMgXgSJClHSg1JaiCiC3LvjsIWHDoESwVx3fqos1ClOLtrzKwptCEUp2Q=,iv:15QS1AwpuUr+EMw5YQe8ogb1Y58nQh4WcFjtzuWtcUQ=,tag:vL9cZRdsPCqaTw42pzRfOw==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T18:08:13Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/WtqMo4CAW5VEqo4vEL7Lj9Z/OY1h0zPF/bdkc9u6x7IP\ngqH60j9iF3n4ae717c4eKf59iN4+4tDk51qb1XdBOw1scn6rTai6KCnqNhiGeZF9\ndKsCZG5LxdbGkEFFw0Q+6W+gV6MiGlD4SBiKpjAsGVGcn42wygfTzpFRRA2Pmlev\nAGSUs5TDmi1IqQsvzYBMBM9+6sdsKhpRalXGS0gFz+wYGPFlK4E1rd6CBKRYEWtw\nm4kRe0nA2Sk4XhVZ39nPtR9rxrhB+d+Qq7AHIqD75SoY8vI+o3UyJ5Cee5MAmMcd\nn0EG24OeThF2p4lZw0iuUgtefqkc21/MoojYP6tfS7s0vGcq9iFjZ8PgUv3IKfrZ\n9EwresYfvhKbocZj2ywPK7iavFCYmqpTzbloGkO0AVfmHpWZRpxneOaGruCwFmGg\nF3qBVTcBSBDF972KDvm/TbKV5NQmRAZuXTrTBh6vgmVcaLN8LTLP3xRQlY28Ng2P\nY5l/5sZ1CGvhfv+G/24n0lgBF7I8pMTfsUEttzPONEY3pRaYyprYxdDlutHI2Kzp\nl0oPBs19rCSn79avQr5fE0mIvqJCoB5HVPkUDjNTaMNSJAywjQEWNITh2GszRTku\nBDvnzA2VnVww\n=aFlN\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + "created_at": 
"2025-02-22T18:08:13Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//bap7Q1HvJJ2KjVMhklTaQ2LG+TITzh0jvaRSXlXG+u5a\n//iWLTov8CH6s6e5I/T7FtslIcBVmyUX9vL9tCgVNMHy0RVG9mmykS0z5/9GY1tY\nEDcOOINQwrmuhWFHvc+9hzKEbLH7heR3ljMw9ouzBgFjEUdhFKJCIW9xrY3a45ue\nwBfaVj0tPNFMq/f/Zu5dDvw6gmYp9ziSMh3GwLNnMBmQDgdSjZJWQr+oa7KKSOM4\nu8ogeqP5Yyf7vDj1he+9TJpG8fdE68boYban9t9rfnyf0cRW7oHkpkwPtKvn9U4c\n4Tbl1RUqfHsTpHX+rxP8w/zgaLbrc0hJO1zxXeeQTOlS/0S1+i5n3pINFwzNXNBE\nIHgIpqOKabfpDFsL/DMIdNQZyr/iD4gHjzSeQPdyd0/4dbFMKPsVzA3JomE9z8NW\nRXz9Htb4Z4fybcPDOLxPkyM0qsEtdfb11U5l7IKuq+2ED5zOFxl+qhZrFz7vY1R7\nyaIM70HUeVCT7p0KZmWgtzjhafI8kTS2Qd7VjIF4Y721rB2opqaOKaCWjp4eeYI2\nE/TGivgRl57KgSF8Y8ucoC6ndsxwgJ4dYt3fos09Rbv1qFrlJftyD7m2kOXnPx5N\n5/2R4h3tiYQqGm727bjTjmGUtxToum3rY4sO0y38Woc+4BK3h/gj3AMir8DI7MfS\nWAE+yxIZH8y+c93zkZy34mEHafc6zPFD3QWuzbXzMGP+EMn710zaWmrVV1X3oLKW\n8lFB5sEX+BJaDgISOG7vgypNA+HtWZnRcB1CnzxboADE+HVAU3d+Bpg=\n=rfB5\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/fanny/secrets/initrd_ed25519_key b/machines/fanny/secrets/initrd_ed25519_key new file mode 100644 index 0000000..003cb1d --- /dev/null +++ b/machines/fanny/secrets/initrd_ed25519_key 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:Qlpz/Req6OBwjy7WiPyvdARFydZhiUIbwphpRlxuUdk=,tag:ARhK3X2TvdlStlVeUwgsYQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOS9jMmZoNWxrRTl6aVFu\nSW9oTTVkV3NiSGpDTDJNT3dmUWNmSURCYkZ3CnZJNFNEVTNWNEpvcS9NRjFTdExy\na0NNeTByblA3T0JFRXJacHlFTmRPcEEKLS0tIDJCa05LZHo2Rk9xek5Ec1hDODNQ\nOEs1Sk5YbTNHZGFtcmpqaDFKdzRpUVEKiUhTrGp4rXW3hHd8HueZ5v31CXpMACFT\nTq2OaVXUW7yTLFO2E405hQH2ZLS7KzkXeHmA4MZfbsq0ZkriXp956A==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T18:08:12Z", + "mac": "ENC[AES256_GCM,data:cieSOz+0E1tFuRTgiIP9M84eV4bH5lgF4x2bwCGUTi3vG8FSlkk0+EVYjqDokLH7LnRysPO75YlZcuntvnUZYFVWPid/yjgCVR0qlfVbLx6ZUCW6GCNq5993Sa97mI6XjbiIO/yZE1lFqPhd+hev9koDqAGm/SbD9unqPzntBvM=,iv:+4xlcKGalNnR9PujjL54h2E3EnONXi+83g5bNAjFUSo=,tag:1O7lWZUPjPc6NtBqJ+nTxg==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T18:08:12Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/dMSVIuM4gsG06tcN0NvWQgZUO6E8u2M3k3kUU/xk9bem\nSJFtHluWx26V6F08PP5AoDQ1R5Z1RhP7w3JDjVyscb0WuUzDFVTbJLpuPJIX+MOe\nhz8OqLatn24+fK4eMnQFbTELYRPEKicMmoJrFaTXdUOLkynWtxijzRlCif8J1u3e\nqj2fSfPd4SI9ERiGo5MBtHA9A6nwQvboMdnlGvvlAxFF26QL0xqu8jUdllfJ5IT0\n7y3vbGixV/M29MKzt+cJk7Wnb2y5UaZdelsDmxmm4FrIxHaQrAb/kIMiwf6zVCwh\nZFvNwcAPirduvxpcjOV99mJQ3v02mWo/p4Ey3PCwRb1tQYRxiMf7IJ/eAspmiI/9\nwK/2c6ehtBVXlw738JjA+WP36u+5S7CrvzNk6RLd0y76aNvGB6ZCT4rGm1B2DfR5\nguP+RJGcMFzhv55hQNCNUHZ2jvhLvDvSaCjlOaJZBC62gCygtlDqaLtagIO6RwKR\nJdatJCEjio5yD7x1d7PY0lgBVlbkXk8K3e5CN4RdLyoZStShW3uC6dCUGG1OJzPE\n0mfW5y683CcpMATeucHROtTxxrmp+BT5CyP9eBA/CrmTAJVMaWYM/Tb3+nE4Feal\nKlamR+tLaZdj\n=9/53\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + 
"created_at": "2025-02-22T18:08:12Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9FH3RHkKEo88HEAXYPfJ3tjctUrn6Y1muzgyilfa9R7OC\nBNdSyXP8qU9FaIEEO9cwXKY6hB30l/b42RwL2HS5MWlNZTXZO9XCjV4VpmkIy88y\nkVhxdb2QbGQSBqmfyc9GOvI2LN3jIAE5fy5GuDREKRJPfVJu6x7IbC4j3tT+3Szq\nzOTF+ZfuUlM7FDzt4vAvP2LeOZxYKCg1va6ne7rtXsry9cIotP7fTqm0xPLZ/K+2\n/+HhC2585GdUXratqod1VfUPGyvdyhrn6WV+BAvUA8O8LYO5ZIkgz16vp60XNZEA\nCkjy/kiSlMorHiy7/ZtWHwWPNQbGxVJ/u6XurgzreDT4H5FvfyzvdKTz7IGYNYfZ\nvwMtQDEd3ToP6QUyNGfpZ5eRGb3I+8xNOd3z3XIXYGFYAOPHriGXMA8Y1g21f+c8\nz0QxXXDNXlTt6qdpumfgF/d/UCFJZeuP2t+mVnnp/gkK6yKZlUHD8L8XjkgumxB+\nvFFKOpPbrO+H+L375xZp9OJTINF5QTFkrmT/jPoexCkx9koxNhM0vIKEFE7+gFsW\n5GKQqz0n1HQgbFfdm2Jk7WQqY8r0weGedalYzkfDPlbS0AdCB9Llk/vwu5Tf+hcX\nIMbph8ZwKLzld9MzEplhHwBZ/Gz0Upp1IYj5Ifr50EnlHjBJ+Z8xXWKshJ/6UerS\nWAEiuOmlWRFGWRM5EdrXwh0/dj+ZyXG7unsv+jpNXjOE8eznaH4Kd9/PEmxazbFX\nJ1gtX6JFy+HXID2DJmXng6NxCzPWpo6prAH9IbMebNVQMzbl03Dtyec=\n=WoeJ\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/fanny/secrets/initrd_ed25519_key.pub b/machines/fanny/secrets/initrd_ed25519_key.pub new file mode 100644 index 0000000..6ab1740 --- /dev/null +++ b/machines/fanny/secrets/initrd_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOywBnc5vmhjQbkFZhiL0BAigcMWVSusrwazxgGwXl6C kalipso@celine diff --git a/machines/fanny/secrets/ssh_host_ed25519_key b/machines/fanny/secrets/ssh_host_ed25519_key new file mode 100644 index 0000000..346e6cd --- /dev/null +++ b/machines/fanny/secrets/ssh_host_ed25519_key 
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:giFXavSHQsKhN2mES4Ud/wleYLIIELcvH08pCp+vEHw=,tag:xGkXW+0dzci6koXkujCQpw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYlgxeXQzNmtEZXZXNytp\nTnRTRi9nRHJ2bEdPVGhPMzdMY1lPOUpGckFFCkJkL3BVSWlIZ1dBVUliemFWNXl4\ndU9DamhTRUp0aGVwamhWUUZJd3dUREkKLS0tIFNkaGNzc1R5aGxxZWV2QytaRFIw\ndC81MDR5SUlESnNQRlhuR3doTWhYL28KMIMs9mPwVuFr5cEvO6goqf3zQALSO5BB\nrY0C8TfkHLvV57999U9kfyLO7Sm0R/RGS4IinQSCRQWEeR+qLxnEWQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-02-22T18:08:12Z", + "mac": "ENC[AES256_GCM,data:+dXI8Hm1FDsB9bD2jli+YpWmcY9j85ezNnNYrQmCRNuPUp1EqAQ1PuXkgTabzImqq8N6f4DMUAnL9+kVM2Fr0SMk3O4N6DbMTIkIBh2jos543DUR4tcE+KCeU4+tqzghArODeRtOzV1jDW6sW89pUfGpSZ2JTRfz+QcybySWQXY=,iv:1jzlnQrUDoENp6+nlsxdDsdeeYg+J03KAm7lRw1bi64=,tag:3QvMHCGTZJdHv0r/eX/JQQ==,type:str]", + "pgp": [ + { + "created_at": "2025-02-22T18:08:12Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+P8Y3rBJAAI2orY71hRSpCAJo/x4CUColQZf9xK4ZgYQ3\neW/15avJVso26mYiZJsTPaEczJ89igYKDrf8Ewi8NNNTmse/BO+BG8KX13QOSWKb\ngiRXMl6zpQwH/cmCXvUrDczjcUaG3vMpcWClfd3lfjEStVEzNB+OKCuRLxhKGYPn\n3HZ3Ypa97ei8uHMKbnloGigUouVKVCCLIqyrJCybQ2+UkOMzcMJpO96RMooWQOUJ\nU+0rLS2s3r8UnwQjEcedEITlmiTlZkTrUnUylcc22v3yVJh3UExCcoVWShqPUE2j\nJv667rq1EblbIzn/8vyMXxOoSYmrLJ+hgh6OXio5bbMUwd/7m6Zz2jEeTXbJi20/\nEl2V0Lu4pTWXhXxh+Y0MIdh2tHMGGWmHBk650e0M/JbnchxK5+9GblWkfzMV8scX\nPpDScHH+cqNPIsvtq/aYGSv5o2u5JfndEuW16cWU99mgYvX7rwwbRbI1zWVX5o9o\nQ6dqJGZEbtE0QilOKxiI0lYBTrDySzaWLTAngd3myVMvFBQ/K6VL7mXwJvDYgOcJ\nxHIExrd191e5eLr5MGQAzXaVietENN27aEDPw5WV9bmXoAKp/4muJnfOB/wBSjCw\nlutnbF0yLg==\n=MqvI\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + 
"created_at": "2025-02-22T18:08:12Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//UvOmGlNKLrRg5fXmc/paHF7YVFCGuBa0epuiVsVkS6NX\nQoa57oBJS0y22/dh/fb8Nu7/bMpa9XpPwfgzqhi7+5V/y51lvAIKmrYqNTnGdKB1\na9aiX0yxK0d5Yh0RK+9/2Q+369152mZXx+9Oj3SM8396bcfvTFX4jbhGdnKPqalW\nB1OO8HfYFAu4yl11uVD5cHSdhvXKJOa/GZPkb3TK2kicUdNX3HnZJ3PPGrkOy2EU\nuwFOIVIdNp2MUDFW+V2Nso/NiGcR96uKk5ZhGJaYrXjDDMNHyoLWc0d8wEg3n1Vw\nXOSNLmkSFY39ExKRWu8sijSyZIYN+Ul4t4WdO1Puop01xGTfAkYVQOLC+H4unu3q\ngboyNZCSuZXgG02B8ph/tLlAQ78d70YAf0nxkvzQB6TTNfQ4nyp8QnUJDkwaAnvl\nxDqDDhJBjlfIpqNLT23caKqgt1hSLv3Gcb486D8ZC+6nNuefCsxop82FaUMvL1uf\nWPMcAxMyv4REO8l9V5CDn1+6i+iPyN/Mo+hpwco+sYNZMlSs9PcNKILWZg1gv6q1\nU04IyEPym9VkI1jFte4dsljlp3C2R+l1Ikv5OB6dNpnnMVnTgkDwE0vqvsSTIwbS\nYvFoWBAsRlHMFLLfA6QjRyZpWemHBjrpaqBbIJEkZQnKM1IWdIg6cGOx+mFo1MzS\nVgEePpJj/PECZpH9PQPlv/FrkHa7zC/Fi0BOPposmuQgOUTq3sA5TLYNqPOH2Yn9\nHeQCGXpIeM08Pa3BOQRWDYM2vZPZpf3cBB7VK9zmcGEdE3NZxoBG\n=p1XC\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/machines/fanny/secrets/ssh_host_ed25519_key.pub b/machines/fanny/secrets/ssh_host_ed25519_key.pub new file mode 100644 index 0000000..a258d8c --- /dev/null +++ b/machines/fanny/secrets/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvdnpvwSD1EEStciMitKahPlysD4L95bcwOuY4wV/6I kalipso@celine diff --git a/machines/secrets/keys/itag/fanny/disk.key b/machines/secrets/keys/itag/fanny/disk.key deleted file mode 100644 index c33bd83..0000000 --- a/machines/secrets/keys/itag/fanny/disk.key +++ /dev/null 
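Review bot: The new `machines/fanny/secrets/ssh_host_ed25519_key.pub` holds a different key than the removed `machines/secrets/keys/itag/fanny/fanny.pub` (and `initrd_ed25519_key.pub` differs from `fanny-init.pub`), so this commit rotates fanny's host and initrd SSH keys rather than relocating them; the commit title says the deployment secrets were generated, so `disk.key` presumably changed as well, although its ciphertext alone cannot show that. If fanny has already been installed with the old material, the old `disk.key` is no longer retrievable from the working tree after this commit, and admins' `known_hosts` entries plus any age recipient derived from the old host key via `ssh-to-age` go stale. Saying so in the commit message, or keeping the old `disk.key` until the host is reinstalled, would avoid a surprise lock-out.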
@@ -1,31 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:xmMPJyp3y9XI2QsWJniRM+Nds4Y5zoqb5QSJqZo=,iv:KRLS4JYN2OVmbbLe8DCD0xW8VVnbmYN/MfZNp7eOS2M=,tag:FV1Qm8Wr5fbpJ+ovAK+uaw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ1EwOGcxazlIcy9mdmkr\nMzJCcWkxQXFEQ25sUU1HUFJqSEE1b2M2QmxVCm1hWWExbWtJdmxjMk1VUE43ZkNR\nNmRpdGNPNURwdjJkaXhxcjNxRFFiSWcKLS0tIHB5Y2NWM0pCbGdtTGRUV1hyVlVs\nZTRsUnZoUnN6cHNPTWF2SzhxUUJ0aVEKzchgMPjpDAX7NUTSxUYxoKLoOh7+X9GV\nxrarnXswpSV/bfR4w4x+DmoocG7TbdH+UvCTsg3LtdjWmfpjK/c8Kw==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-02-22T11:49:56Z", - "mac": "ENC[AES256_GCM,data:WKZIdINWSCn9ZOtsnLQ9dXCOdG49Ltf7/G91zEuj88+nvQC4+WTLCCXBGdhVBamV1PWHYnFvZbiXKJ/VFdN3EDZeW9r6cXuF2PEveOn6Bj1bYi0WrzFRfxxvt56AM9j/0D5E1hE9rp2yAWg5V4E3nIGT+rVsOczMk1+Yx4Q8NCc=,iv:DKD+E5yeFJrARfP5Qw6I1Cn9lvvHUHHok+3l8dyzVcE=,tag:lCBrrqfFxvtldBfbha99vQ==,type:str]", - "pgp": [ - { - "created_at": "2025-02-22T11:49:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/Xn1mh8ojou0/ntHLA+iNzYf6vsJVoWB6Cfh/WL9s/Vxn\nJWhvIzo+blJnoMJMsRPx4wiIuAjT2KkJko5v8Wr9pzzOAqOCghk+8YYnpC49PpCA\nhT8Yuu1v53Ycomwj1IdZj6GWeIkuLw2N4ZVqh1vZnvTT1tWltxmp9lhb/cWP+ze1\ngzIO7wqd9hisX9DVl4IVV/q8QVIfhWR2dMX+xgRcEssAjQu/nFGv88i6NJQsbIwm\nKOlUI3QJ49DEVFxH6Z36ZhUpdszHKi3IPg2IqtpfDicU807rQ3VihM9abkhp7cY6\ndvxW2rMijahy2IXuvGyTuwh9ow4bHXWBQgEkaFo8eKCx/KnR5shpR3/0CdegU45H\nGF/RhIq5wC4lMXy5/O3pgb5QPItcOB4ke+s48sGdxWWyXkp3MLXS1NblEZ6K9xTm\n/1GUcpCeoePWMeNmPgdeEcQL8jBxBol2wP5cXl4Ov86wegd0O56lVi6L2jqhgYiZ\n+SMhqmsMqZFVJWExkyX00lgBzFNsLWpT+KGuesodu9mtbYJ/s7Pz7+d+apgtzLI1\nGyjD9TDyZQUmM4El7SbZ/KNniRhR2Rnthg1r/cAcMYSyOnRbM/n5t5ynUc8vzr4y\nIPGXwW3pEoOh\n=48Pd\n-----END PGP MESSAGE-----", - "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" - }, - { - "created_at": 
"2025-02-22T11:49:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//S41vk86ETjZa/AI9N5rS/RnPk3SuvGCiFxVkPl+ScY+j\nMOIqQFr55JpZm2Tb2nYA07yzW0b9q7jnVDt1dGp1MEC9QZZj1dEoZNGU+UjLhD3F\nDW9/NLeoJ2+D2rSxQmIwWdMqw3XehZDXvcicmKprtSK1MThV1cy5BITTStoX+qSQ\n4pFg7AVJij7+mtEK6pdV3S9BT1R27X9fanm4v785MEB+KERhe+5rQ7QR33Ohrotk\nqp6FqQJRAkc2ea+SFLRp8q4oIKK8lIoVv2mos/RUyBMf1HYPERohvqBjOF7oUjHt\ntOGGb+TLpVicPEsrAiNG5krfLCcI8vZeqkZQvu3YZx1zopYrW1mQuW1/kedFqtpc\nN6piYNz7KaYX0zpCJv1YQN8z1YOc+9LxTIemDUNt3zEYwrehi/DeXMt+Np+U0PKq\nSmfxRiMnbTT14la8mUa4Uov6KNUhzLgDVm8z/6XuM4qqEPw1ApG2UT+n5swZeqhN\nXBIAdSfybLW6vGhIOJduiI7LbQOADcEqlwiMDM4WMtG5acM/MLFQVQzP0DnQeIYj\nlNeGxT0m92ZfhwPupJG8PlC4dAANU3anBVGtMGn66aAEoVq/5RdOI9Iw8z8FIvnq\nN4Sef+5eqJuNeFdvxWG4IP6mrU1BmeWTXgI59aifSPUc0vrviYD6eRYCuI1NySLS\nWAHY6GESDXqeH6mlUryle6HSnJD43faFNkdlUaEBt0tH4ij2OvM5s8XTnr03hPnT\nYOHSVh6PVF2wwgV+JJuy7Nfj1+ylZCl2G61GO4QXtLexeWpPSzbo3Hw=\n=A2Pv\n-----END PGP MESSAGE-----", - "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.9.2" - } -} \ No newline at end of file diff --git a/machines/secrets/keys/itag/fanny/fanny b/machines/secrets/keys/itag/fanny/fanny deleted file mode 100644 index e497201..0000000 --- a/machines/secrets/keys/itag/fanny/fanny +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:BdRM22/SMiHrq4SWVZTIpYPy/eHS1Kc/XxYj49Jf3H4=,tag:QdIwNFO7PnChvhWJAYNONw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYVnRlb2x4SGdPbWltWVUy\nZEl5OC83UldXMjEwOUdTNTFWMytYejFVRkI0CldKN0F0MUp6U2hnRUJQaGZKbzJR\nZFByOHRwbWgxTlJndGh3NWZIR2FKbmsKLS0tIFNjNDVHWjZNYlRCY0tQRlVtTlQ2\nMTlUVFd4dEo4dythYVV1WEQ5dWlEQTgKYqoEes44TbflFTFBzNwEVP9DDHtkmhfn\ndCFBPhBTwuoFKai3kOOX/E9gEOwqY24HAqKdeyiO2VXrL8JKEazggg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-02-22T11:49:08Z", - "mac": "ENC[AES256_GCM,data:V7B26cct1W4ihesyVxpAI8AvMXSy7dd0hWFdYqWtzKkCN73au2V3h1DilOiNn3gclFhL9Crw38iNUtnGeHscGLGrNbwkyCMDj1KXKl6wnSYdFkw9XD+PnRwYq7hMTTLIH19nqBg+K9tjaDEkK7y8WygUHfknxJj5D4bURgl/jow=,iv:/f3GXl6o2oxRJjIJEpYN5T5x9q4acxFqqakzBRG4hlg=,tag:G6F9hXdO9BoXZ2eXaEG43Q==,type:str]", - "pgp": [ - { - "created_at": "2025-02-22T11:49:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQwAk5+mzJ/KJX4bxyb5w8dUiLXilBMJQiBxQZWsC8Q+G5v6\n9LGMMWPrQeLuTHkNe9FpddIUixjuFox1TJxaph3t+DfamR3yPdUYDuRckc9iF+jZ\n4oa8txJ9oWoEYx5QlxCCricSxomC9LV4DcBKQ2gyXnAeX2Wwe5/3uw+S/KyHZM+y\n9flO7qIVQk8MkVzZOc2KVCyvUL1UnAwgXzR1OmznpGBiZpaipCmXBs/elncxViry\nrmgA/+Aob37ChXQk5mVQLyrV+E1M+u1PwigML7PbbE3WpBVgpbb+MH639nBC/rTV\n+B70BaayFdzvUln4OFonfvsvPQEynmE1rfJRUavvAQDORHHmmbOKdWWVaYHDlp4Z\nAgYI10mnnFBpm2Qd/EjBa2a1CWboaGCaz/KldTzjp+TxW0GVf6WQ5SKlqZj3MdGM\nVS+91ph2LaRCTB5WObTX4KKDiwwoRAB+0A4ewu5ttsmeuhTy3o/r1Liu/UBdaL6i\nA9t59cMopIL6YXRD1YwF0lgBHtGC/KGsnZjC4dscoU2eTfmJ4rFx9vmc8I/JaO+h\nNDoFnd0sk2FQhnMvAN16U8HurfAzbHiqf3utEcMOg0bPw43Q/8g8JgUAaxqkJIQn\nn4fqE2GFjBqJ\n=Eivh\n-----END PGP MESSAGE-----", - "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" - }, - { - 
"created_at": "2025-02-22T11:49:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9Hy7wKpuAeKotD/HBoM+aptxnKiExf7mphpdZZ1sr8fHE\nDDdVehwhFxsxLkcIwh+dj35KswHw6aMzyQGj4bYsxSmsFKscATknsklR1UATWfSw\np3hVjNFCZ+yd+uzSJnfTkldTcaJiN9MxPmaOMd4e7Ui5k7dcYo0/FD5AZQZMjKDO\nQYUsUASWLHWAoiS7nnFrbaFvXKAPS4wOsB2T263QsoZyEvpQIgWP6lb9kS7V4ftZ\nxetGJFIk2hanYfdGXZy3TiHaJO+fESpVYmp6YykDqeZqZkWB59aeWVL/7Cz7H/wj\n4RU9RWBMbXGjPz+5WMo7X7kLrJgLAWywch6bM2fktkadG9n2tAa/FISysR25qtmQ\nzJtwCY8j26ZZJdc/FEA6dYwIYeGZ0BwV91dPaEotAtgSVpSihdXI/DzE9T9OjWuQ\n1c2sCjVJ7Kw19uCHLaZg+Tvob0RQJu5mnKPnLqinpxDn6Vf/nxIU80gFsPPr4f2T\n627iBaQOaMxdxHLV8r16WrNzBRj28sPZDBlGQ0HouToO2dn3uN+onQGszRAAIadJ\nZMo8SoWCdx+xiDK0S5oxnoxfk2QMAW75qyFiR373axb6HgMMSpJSG8TE+vg9++oa\nE7dddc7nq6ZnuhRNDn9V6cam8hfkFvKwRCeul1Yg5qZn5qI9H0/glR+KisKZVK/S\nWAF/XJucPmK9gsScxB4FgfKmpZD0cJkKmwndB5Idc6waRrjHxFnLFTFxbUnUD2KC\n198dZo7Y4ftOIWKHCY1R4RWhsmIUX5XzxwEnYSzy0pta/uyaqwa6sWs=\n=wi7r\n-----END PGP MESSAGE-----", - "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.9.2" - } -} \ No newline at end of file diff --git a/machines/secrets/keys/itag/fanny/fanny-init b/machines/secrets/keys/itag/fanny/fanny-init deleted file mode 100644 index 9851688..0000000 --- a/machines/secrets/keys/itag/fanny/fanny-init +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:6IIpVx4Dtrn+uahiH3kZHy6bmBj9ti1UiswKwAe2qZE=,tag:hGJkYXIarS+QEwJiHVmP/w==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMXJSeTFQdElLc2FKVFlG\nTjdlOGZHaUZkNjMzZDJTcXh1ZjF2bVpzRlU4CjdiS3NYeDZyNit1OCswSjFWbWJU\nT1BTNWFsRnpQWjZGbzJFV05tV1lNS2sKLS0tIEdrb3JOMUFRMkdIdFUwK0dHSXRQ\nbmtCVEJjRllnMHZFNkJ2UndBcXlaQkUK9bHFPsVaZovR4rGuQ6GfqAvZxNKqVhC5\nHybQWv1PCoaNOvQbtBgCxMlV8HOJfwe2EgysJErvriXeyVad5+zY2g==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-02-22T11:49:08Z", - "mac": "ENC[AES256_GCM,data:IFctz/f9I9vcWN82u3qta+o/oILTHpCScSezHwt0ifsENnUQLz+uAmpMs+ok1ZR5+20XpEq4C7f1s4n2h8dijxsPuE/IOQM7rvwjoVPsM/0XUglDK3Vc5u1oooGpLJg1PchwWGOAlKQHun3mh4j/bz5UMpD8AWC++NLPE1Hr0Jc=,iv:y0aD+4iLSKedGAjZP1SygyzzIE0/SHWcOUS/aghzrII=,tag:01dQZoLlz0w5dE3DePwjbA==,type:str]", - "pgp": [ - { - "created_at": "2025-02-22T11:49:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv6A4kG9S33l07+BwNeUsDZVrzRTP2Gz5F679VKTBrr96t/\nTJaa+FlCWDU3DczaC18Y6yIyU22+97xqQ4WYnno0h7bF2uhjbyXjp3JV5na7BgGe\nn3V6p0yJcBM5XfrJRuKghEB3kHddQIcVR8JurWrynCKy1C4njR6pJDA3pqp9PReP\n0ubTiJqAwJfx5hGSAjSDWitQ2vpubowCXssqyh9S2P07H5u8HHbLRyJGgvl/LgTR\nEe2EUh7KrTMT6cCXBHAPSK2bZgwP667bhEOJzuCpknG4/Q7EtVQzjKaXGrDR0vMi\nIwA7knQ0UMeRCa/jSSPYUbscMJIb5+wh0rnPfWGGgtVshdd6YtuETBnqZsjUETXd\nsXdem+UoMEN6Co1ABzHEeSGT7y6D8OghoodofLBvgf5TduiX5Pqceo7SkfXPN/3G\n4fqg+e+VTT63Jwp7rk+ekRJYPkHNoB5w0VIrvsyBPlDUhEVywKWJTfzu8905hkVP\ntsQEoJxkpT27PFACoxZ80lgB/9kyQKvsRG9kl68osivg2gIB/13+4TjMdS+x3ycL\no5QnE0D/adRJHpDRwuPfzGyRwFWT8bHFEpw8qErLEWaXh27QMStOgr2By2PsOFTP\nAtJo/wheNGMb\n=qa04\n-----END PGP MESSAGE-----", - "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" - }, - { - 
"created_at": "2025-02-22T11:49:08Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9F41AW+ruudLanRh8Rn8rHJRfGpdhv1oFkFRIK+Z/2oGr\nMGMm+2EPhCHCMp2tFJRm0HwZruGJda31iFNbaFSqHmTlqWfEMoEj4ztcOhe1vFG/\nhqtp39DawyHb/1AXPHvsuwbucEf/DH9gflXgbnBrZQ0K+7FiOSnXNi34YByKipbI\nbGg+8PV1iYXw0vuLgERy5aP20zyvr+sg53jnr8RR98A2E7VWg2YNfxEOKxxQczxe\nlgblSVqLLmEKAJcE3JWY6c5HR5Xlt4Y02JrAYD11qD21hmtS8plEZ70kiz4elgMU\nkWxM1HSm9Tyq2I5c9v8uk8VOCfEYE+glASJKtyHtyzDJRJcKwvaE8SqStlfoGot6\nKiJ4flqGapTOkJtOvR7FczO7T3j19Ga62dUvoHrei9Q0FYcyG70/lvTWEJy4/jYg\nOk5QJyseRhrDhcLKg9nUbuSfYhXtJc9C/S8B1n/bwjO1O3vslkewFAnhBIqweh1D\nnHjrSHsssrpkeyefmjVh7NiQZtn122hnPnIz5B62is27MD+m8qWWoWghc5lzsw5S\nCGBRY8l+vvGca1TZFJX1JO/L6vhdN4qd/H4IWRmj1oSR8qtQ6SKbt1UmQtB2BtPg\ncqlRCn4x2ORpRgwAIZtD6GFUFUjUduz6LpaxG2tpnmZcQfPAF7YYjjpR07oPIg3S\nWAGomgQyyubfDCH/tM0RwuTlMX4hkMtlKyMDuOHuZVxWZqoh/utGazasBogGm6zK\nIz0nKh+z0w0nv9kGzalq9L+ek0A07ylIlakSaR/vxh2ZaKHojBEEPh8=\n=1EB6\n-----END PGP MESSAGE-----", - "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.9.2" - } -} \ No newline at end of file diff --git a/machines/secrets/keys/itag/fanny/fanny-init.pub b/machines/secrets/keys/itag/fanny/fanny-init.pub deleted file mode 100644 index 31efbb0..0000000 --- a/machines/secrets/keys/itag/fanny/fanny-init.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEY60NKfdjFiXNvl1r4mBcXKADHA80laxio+qN6izevN atlan@nixos diff --git a/machines/secrets/keys/itag/fanny/fanny.pub b/machines/secrets/keys/itag/fanny/fanny.pub deleted file mode 100644 index 9a6c590..0000000 --- a/machines/secrets/keys/itag/fanny/fanny.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiKzGgQVfvfSqhdWNqkhTWd8gfJCVoyYoe9zh1LATsC atlan@nixos -- 2.51.2 From 63f3b5da1d985115f459d34876f891b87e8c9d31 Mon Sep 17 00:00:00 2001 
From: kalipso
Date: Sat, 22 Feb 2025 21:11:22 +0100
Subject: [PATCH 12/15] fix host_builder.nix tabs
---
 machines/modules/host_builder.nix | 238 +++++++++++++++---------------
 1 file changed, 119 insertions(+), 119 deletions(-)
diff --git a/machines/modules/host_builder.nix b/machines/modules/host_builder.nix
index c75f6f0..d1fc74d 100644
--- a/machines/modules/host_builder.nix
+++ b/machines/modules/host_builder.nix
@@ -105,135 +105,135 @@ rec { inputsMod = inputs // { malobeo = self; }; - vmMicroVMOverwrites = hostname: options: { - microvm = rec { - mem = pkgs.lib.mkForce 4096; - hypervisor = pkgs.lib.mkForce "qemu"; - socket = pkgs.lib.mkForce null; + vmMicroVMOverwrites = hostname: options: { + microvm = rec { + mem = pkgs.lib.mkForce 4096; + hypervisor = pkgs.lib.mkForce "qemu"; + socket = pkgs.lib.mkForce null; - #needed for hosts that deploy imperative microvms (for example fanny) - writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store"; - volumes = pkgs.lib.mkIf options.writableStore [ { - image = "nix-store-overlay.img"; - mountPoint = writableStoreOverlay; - size = 2048; - } ]; + #needed for hosts that deploy imperative microvms (for example fanny) + writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store"; + volumes = pkgs.lib.mkIf options.writableStore [ { + image = "nix-store-overlay.img"; + mountPoint = writableStoreOverlay; + size = 2048; + } ]; - shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ] ++ pkgs.lib.optionals (options.varPath != "") [ - { - source = "${options.varPath}"; - securityModel = "mapped"; - mountPoint = "/var"; - tag = "var"; - } - ]); + shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ] ++ pkgs.lib.optionals (options.varPath != "") [ + { + source = "${options.varPath}"; + securityModel = "mapped"; + mountPoint = "/var"; + tag = "var"; + } + ]); - interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ - type = "user"; - id = "eth0"; - mac = "02:23:de:ad:be:ef"; - }]); + interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ + type = "user"; + id = "eth0"; + mac = "02:23:de:ad:be:ef"; + }]); - #if networking is disabled forward port 80 to still 
have access to webservices - forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [ - { from = "host"; host.port = options.fwdPort; guest.port = 80; } - ]); + #if networking is disabled forward port 80 to still have access to webservices + forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [ + { from = "host"; host.port = options.fwdPort; guest.port = 80; } + ]); - }; - - fileSystems = { - "/".fsType = pkgs.lib.mkForce "tmpfs"; - - # prometheus uses a memory mapped file which doesnt seem supported by 9p shares - # therefore we mount a tmpfs inside the datadir - "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce { - fsType = pkgs.lib.mkForce "tmpfs"; - }); - }; - - boot.isContainer = pkgs.lib.mkForce false; - services.timesyncd.enable = false; - users.users.root.password = ""; - services.getty.helpLine = '' - Log in as "root" with an empty password. - Use "reboot" to shut qemu down. 
- ''; }; - vmDiskoOverwrites = { - boot.initrd = { - secrets = pkgs.lib.mkForce {}; - network.ssh.enable = pkgs.lib.mkForce false; - }; + fileSystems = { + "/".fsType = pkgs.lib.mkForce "tmpfs"; - malobeo.disks.enable = pkgs.lib.mkForce false; - networking.hostId = "a3c3101f"; - }; - - vmSopsOverwrites = host: { - sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml; - - environment.etc = { - devHostKey = { - source = ../secrets/devkey_ed25519; - mode = "0600"; - }; - }; - - services.openssh.hostKeys = [{ - path = "/etc/devHostKey"; - type = "ed25519"; - }]; - }; - - vmNestedMicroVMOverwrites = host: sopsDummy: { - - services.malobeo.microvm.deployHosts = pkgs.lib.mkForce []; - microvm.vms = - let - # Map the values to each hostname to then generate an Attrset using listToAttrs - mapperFunc = name: { inherit name; value = { - specialArgs.inputs = inputsMod; - specialArgs.self = self; - config = { - imports = (makeMicroVM "${name}" - "${hosts.malobeo.hosts.${name}.network.address}" - "${hosts.malobeo.hosts.${name}.network.mac}" [ - ../${name}/configuration.nix - (vmMicroVMOverwrites name { - withNetworking = true; - varPath = ""; - writableStore = false; }) - (if sopsDummy then (vmSopsOverwrites name) else {}) - ]); - }; - }; }; - in - builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts); - }; - - buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules { - modules = [ - (vmMicroVMOverwrites host { - withNetworking = networking; - varPath = "${varPath}"; - writableStore = writableStore; - fwdPort = fwdPort; }) - (if sopsDummy then (vmSopsOverwrites host) else {}) - (if disableDisko then vmDiskoOverwrites else {}) - ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [ - inputs.microvm.nixosModules.microvm - ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? 
services.malobeo.microvm.deployHosts) [ - (vmNestedMicroVMOverwrites host sopsDummy) - ]; + # prometheus uses a memory mapped file which doesnt seem supported by 9p shares + # therefore we mount a tmpfs inside the datadir + "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce { + fsType = pkgs.lib.mkForce "tmpfs"; }); + }; + + boot.isContainer = pkgs.lib.mkForce false; + services.timesyncd.enable = false; + users.users.root.password = ""; + services.getty.helpLine = '' + Log in as "root" with an empty password. + Use "reboot" to shut qemu down. + ''; + }; + + vmDiskoOverwrites = { + boot.initrd = { + secrets = pkgs.lib.mkForce {}; + network.ssh.enable = pkgs.lib.mkForce false; + }; + + malobeo.disks.enable = pkgs.lib.mkForce false; + networking.hostId = "a3c3101f"; + }; + + vmSopsOverwrites = host: { + sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml; + + environment.etc = { + devHostKey = { + source = ../secrets/devkey_ed25519; + mode = "0600"; + }; + }; + + services.openssh.hostKeys = [{ + path = "/etc/devHostKey"; + type = "ed25519"; + }]; + }; + + vmNestedMicroVMOverwrites = host: sopsDummy: { + + services.malobeo.microvm.deployHosts = pkgs.lib.mkForce []; + microvm.vms = + let + # Map the values to each hostname to then generate an Attrset using listToAttrs + mapperFunc = name: { inherit name; value = { + specialArgs.inputs = inputsMod; + specialArgs.self = self; + config = { + imports = (makeMicroVM "${name}" + "${hosts.malobeo.hosts.${name}.network.address}" + "${hosts.malobeo.hosts.${name}.network.mac}" [ + ../${name}/configuration.nix + (vmMicroVMOverwrites name { + withNetworking = true; + varPath = ""; + writableStore = false; }) + (if sopsDummy then (vmSopsOverwrites name) else {}) + ]); + }; + }; }; + in + builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts); + }; + + buildVM = host: networking: sopsDummy: disableDisko: 
varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules { + modules = [ + (vmMicroVMOverwrites host { + withNetworking = networking; + varPath = "${varPath}"; + writableStore = writableStore; + fwdPort = fwdPort; }) + (if sopsDummy then (vmSopsOverwrites host) else {}) + (if disableDisko then vmDiskoOverwrites else {}) + ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [ + inputs.microvm.nixosModules.microvm + ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? services.malobeo.microvm.deployHosts) [ + (vmNestedMicroVMOverwrites host sopsDummy) + ]; + }); buildHost = hosts: (builtins.mapAttrs (host: settings: nixosSystem { system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux"; -- 2.51.2 From 3caa94c53b1522fe13735e39f53fbea95b1d1e32 Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 25 Feb 2025 17:40:37 +0100 Subject: [PATCH 13/15] [deployment] set hostname in pubkey --- scripts/add_new_host_keys.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh index b8db477..3c8d6cc 100755 --- a/scripts/add_new_host_keys.sh +++ b/scripts/add_new_host_keys.sh @@ -28,8 +28,8 @@ mkdir -p $pwpath/$host/secrets cd $pwpath/$host/secrets # Generate SSH keys -ssh-keygen -f $hostkey -t ed25519 -N "" -ssh-keygen -f $initrdkey -t ed25519 -N "" +ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host" +ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd" #encrypt the private keys sops -e -i ./$hostkey -- 2.51.2 From afbc31b96ca625cf31267b766e3fdd4a56d59d4b Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 25 Feb 2025 17:46:08 +0100 Subject: [PATCH 14/15] [fanny] set old age key --- machines/.sops.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/.sops.yaml b/machines/.sops.yaml index bfa9498..7aa346a 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml 
@@ -12,7 +12,7 @@ keys:
 - &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se
 - &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0
 - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
- - &machine_fanny age1u6ljjefkyy242xxtpm65v8dl908efnpt4txjkh0c9emvagdv8etqt22wll
+ - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
 - &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k
 #this dummy key is used for testing.
 - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
-- 2.51.2
From 433888c3c3f561a45c5dd1cf1ec2734eb5f090ef Mon Sep 17 00:00:00 2001
From: kalipso
Date: Tue, 25 Feb 2025 17:46:55 +0100
Subject: [PATCH 15/15] [fanny] set old ssh keys
---
 machines/fanny/secrets/initrd_ed25519_key | 6 +++---
 machines/fanny/secrets/initrd_ed25519_key.pub | 2 +-
 machines/fanny/secrets/ssh_host_ed25519_key | 6 +++---
 machines/fanny/secrets/ssh_host_ed25519_key.pub | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/machines/fanny/secrets/initrd_ed25519_key b/machines/fanny/secrets/initrd_ed25519_key
index 003cb1d..27b9b1b 100644
--- a/machines/fanny/secrets/initrd_ed25519_key
+++ b/machines/fanny/secrets/initrd_ed25519_key
@@ -1,5 +1,5 @@
 {
- "data": "ENC[AES256_GCM,data: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,iv:Qlpz/Req6OBwjy7WiPyvdARFydZhiUIbwphpRlxuUdk=,tag:ARhK3X2TvdlStlVeUwgsYQ==,type:str]",
+ "data": "ENC[AES256_GCM,data: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,iv:RQH+e6ZADH2XMPqBeuHhMhHiksQg2iR4NUnYhD3pj7w=,tag:wJByTCrYf4cKxJaD2eTCMQ==,type:str]",
 "sops": {
 "kms": null,
 "gcp_kms": null,
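Review bot: Changing the `&machine_fanny` recipient in `.sops.yaml` does not touch files already encrypted for it; each file whose creation rule (presumably below this hunk) references `*machine_fanny` keeps its existing data-key wrap until `sops updatekeys <file>` is run, so it stays decryptable by whichever recipient it was last wrapped for and not necessarily by `age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk`. The `"enc"` line of the age block in the `@@ -11,8 +11,8 @@` hunks of the following "[fanny] set old ssh keys" patch is unchanged context, which suggests those two files were re-encrypted under their previous recipient set rather than re-keyed; it is worth checking that their `recipient` field (outside those hunks) equals the key declared here and running `updatekeys` if it does not. If the replaced key `age1u6ljjefkyy242xxtpm65v8dl908efnpt4txjkh0c9emvagdv8etqt22wll` is retired rather than merely unused, `updatekeys` is also what removes it from the files' recipient lists.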
@@ -11,8 +11,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOS9jMmZoNWxrRTl6aVFu\nSW9oTTVkV3NiSGpDTDJNT3dmUWNmSURCYkZ3CnZJNFNEVTNWNEpvcS9NRjFTdExy\na0NNeTByblA3T0JFRXJacHlFTmRPcEEKLS0tIDJCa05LZHo2Rk9xek5Ec1hDODNQ\nOEs1Sk5YbTNHZGFtcmpqaDFKdzRpUVEKiUhTrGp4rXW3hHd8HueZ5v31CXpMACFT\nTq2OaVXUW7yTLFO2E405hQH2ZLS7KzkXeHmA4MZfbsq0ZkriXp956A==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-02-22T18:08:12Z", - "mac": "ENC[AES256_GCM,data:cieSOz+0E1tFuRTgiIP9M84eV4bH5lgF4x2bwCGUTi3vG8FSlkk0+EVYjqDokLH7LnRysPO75YlZcuntvnUZYFVWPid/yjgCVR0qlfVbLx6ZUCW6GCNq5993Sa97mI6XjbiIO/yZE1lFqPhd+hev9koDqAGm/SbD9unqPzntBvM=,iv:+4xlcKGalNnR9PujjL54h2E3EnONXi+83g5bNAjFUSo=,tag:1O7lWZUPjPc6NtBqJ+nTxg==,type:str]", + "lastmodified": "2025-02-25T16:42:28Z", + "mac": "ENC[AES256_GCM,data:iJS4wLJwJZRUozNBUBxL8wYOneGI1Et3r9+DtIs3JrQLEKV16n2SeRP0jRFyCO7VNkxyjnjXJwe0/GVbxtQbVCuDFaCWVpj4xNiEH3wMeuydU96E2QgHaWJGvhyj5e/5o3GO85DeF2ueFCa9DQKtTIWH1xPfqJwtZC2PGH5Uqyo=,iv:/TpULYHxSgFfMQyv715jLVY37AhSY/qh1Zn00UN8oOw=,tag:XrOn8ZpgWFYtSjatXn8sxA==,type:str]", "pgp": [ { "created_at": "2025-02-22T18:08:12Z", diff --git a/machines/fanny/secrets/initrd_ed25519_key.pub b/machines/fanny/secrets/initrd_ed25519_key.pub index 6ab1740..bc13aa2 100644 --- a/machines/fanny/secrets/initrd_ed25519_key.pub +++ b/machines/fanny/secrets/initrd_ed25519_key.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOywBnc5vmhjQbkFZhiL0BAigcMWVSusrwazxgGwXl6C kalipso@celine +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFRuQZweX3r9QQmAFo6oYY9zvrf9V3EIJOl6kFMgyLm kalipso@fanny-initrd diff --git a/machines/fanny/secrets/ssh_host_ed25519_key b/machines/fanny/secrets/ssh_host_ed25519_key index 346e6cd..1946611 100644 --- a/machines/fanny/secrets/ssh_host_ed25519_key +++ b/machines/fanny/secrets/ssh_host_ed25519_key 
@@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:giFXavSHQsKhN2mES4Ud/wleYLIIELcvH08pCp+vEHw=,tag:xGkXW+0dzci6koXkujCQpw==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:7x+dTHtSbcc47X/ZGz/bcnOxkGDDBu33ZgNrOD1FwDA=,tag:B6s1Jt1KFCitya9oAKvp9w==,type:str]", "sops": { "kms": null, "gcp_kms": null, @@ -11,8 +11,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYlgxeXQzNmtEZXZXNytp\nTnRTRi9nRHJ2bEdPVGhPMzdMY1lPOUpGckFFCkJkL3BVSWlIZ1dBVUliemFWNXl4\ndU9DamhTRUp0aGVwamhWUUZJd3dUREkKLS0tIFNkaGNzc1R5aGxxZWV2QytaRFIw\ndC81MDR5SUlESnNQRlhuR3doTWhYL28KMIMs9mPwVuFr5cEvO6goqf3zQALSO5BB\nrY0C8TfkHLvV57999U9kfyLO7Sm0R/RGS4IinQSCRQWEeR+qLxnEWQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-02-22T18:08:12Z", - "mac": "ENC[AES256_GCM,data:+dXI8Hm1FDsB9bD2jli+YpWmcY9j85ezNnNYrQmCRNuPUp1EqAQ1PuXkgTabzImqq8N6f4DMUAnL9+kVM2Fr0SMk3O4N6DbMTIkIBh2jos543DUR4tcE+KCeU4+tqzghArODeRtOzV1jDW6sW89pUfGpSZ2JTRfz+QcybySWQXY=,iv:1jzlnQrUDoENp6+nlsxdDsdeeYg+J03KAm7lRw1bi64=,tag:3QvMHCGTZJdHv0r/eX/JQQ==,type:str]", + "lastmodified": "2025-02-25T16:43:40Z", + "mac": "ENC[AES256_GCM,data:dZJc0aqSD7dhe4Egih3z8QHIbwYDCGYU0DaOczkqHd/yMdcVNrNrcIR6yshArqCLl9jj5Zw3fIO75X09mvuvUCyszbjQyzSmTACp7K3skHuDRJ/yh5vaw6XNeJ3w26Dimfd0WfL1XC519DW532icrDiy2lCZ1qdcYwpqQUBKM/Q=,iv:4vx48jXxKLDOKfK6yYJWW28UaKl+EyqjeRAzV0WayEk=,tag:oO4cAVAv7N5aDAmK5V84mw==,type:str]", "pgp": [ { "created_at": "2025-02-22T18:08:12Z", diff --git a/machines/fanny/secrets/ssh_host_ed25519_key.pub b/machines/fanny/secrets/ssh_host_ed25519_key.pub index a258d8c..340ddd9 100644 --- a/machines/fanny/secrets/ssh_host_ed25519_key.pub +++ b/machines/fanny/secrets/ssh_host_ed25519_key.pub 
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvdnpvwSD1EEStciMitKahPlysD4L95bcwOuY4wV/6I kalipso@celine
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc root@fanny
-- 2.51.2
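Review bot: Replacing `ssh_host_ed25519_key.pub` changes the host key fanny presents, so any `known_hosts` entry or pinned host key recorded against the removed key `AAAAC3NzaC1lZDI1NTE5AAAAIEvdnpvwSD1EEStciMitKahPlysD4L95bcwOuY4wV/6I` will now report a mismatch. The subject says these are the previously used keys, so clients that still hold the older entry should match again, but anything that pins the key being dropped (a NixOS `programs.ssh.knownHosts` entry, deploy tooling, monitoring) needs the same update, and I cannot see from this patch whether such a pin exists in the repository. The same applies to the initrd key replaced in the `initrd_ed25519_key.pub` hunk of this patch, since the initrd SSH endpoint is verified against its own host key.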