From 19a451db777efe1c7abbd73a4fc74a8eb2978055 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Fri, 8 Sep 2023 19:01:57 +0200 Subject: [PATCH] Add encrypted munge key with agenix --- m/common/slurm.nix | 13 ++++++++++++- secrets/munge-key.age | Bin 0 -> 2007 bytes secrets/secrets.nix | 5 +++-- 3 files changed, 15 insertions(+), 3 deletions(-) create mode 100644 secrets/munge-key.age diff --git a/m/common/slurm.nix b/m/common/slurm.nix index 5404d0c..22ffae6 100644 --- a/m/common/slurm.nix +++ b/m/common/slurm.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: let suspendProgram = pkgs.writeScript "suspend.sh" '' @@ -85,4 +85,15 @@ in { SrunPortRange=60000-61000 ''; }; + + age.secrets.mungeKey = { + file = ../../secrets/munge-key.age; + owner = "munge"; + group = "munge"; + }; + + services.munge = { + enable = true; + password = config.age.secrets.mungeKey.path; + }; } 
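Review bot: The new `age.secrets.mungeKey` block sits in `m/common/slurm.nix`, which by its path looks like a module shared by every machine, while this same commit encrypts `munge-key.age` only to `keys.hostGroup.safe` plus the admin keys. If a host outside that group imports this module, agenix cannot decrypt the file there and `services.munge.password` would point at a path that never appears. The import graph is not visible from this hunk, so please confirm, and either keep the module to the safe group or record the constraint with a comment such as `# munge key is only decryptable on keys.hostGroup.safe hosts; see secrets/secrets.nix`. I would also add `mode = "0400";` next to `owner`/`group`, because munged rejects key files readable by group or other and that should not rest silently on the agenix default. The enclosing attribute set starts outside the hunk.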
diff --git a/secrets/munge-key.age b/secrets/munge-key.age new file mode 100644 index 0000000000000000000000000000000000000000..ead42c816eb6d3ba2973e4dcb0a62c55e6f5ac8b GIT binary patch literal 2007 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT4jI^loE?3B}a5ptg zO)1Mt%yPF(HLgfXi7YoaG|F|$3v*6OEix%A%_;TGH}<#iu;4Pz%5u`q)(%cHHS_f~ zFinkg3kogw3UJExu?+CmFA2`f40g{5G0AlebwszVINdQZ*HOW-&@0m2pfoZdDJUQy zqbyt7*)zq`tT4PFJlioO-N3^=smRpGEhsnC*@Vl*qslF((mBu2#njZ;%e>Ga)X31Y z($~>LKP=HV*C#SEKc^(KtVBB^F%;c4k4U4+pmc?*Am=Ja|AMSC?~oAf!pz7-Q%@7O z;-ZME%#>0O<8XgxuhPOOWAj3vJPR(fRL}C{(!AtwgTh?joN||vyc{3*a>p!v%QW+1 z*X(2?ujJ%H)2LE?r$BVuN|H-+0|FJaGs5!=t3pEjOHAC$(+qur4cxOWOfr1EiwjJA zd|kpq6EjUxoy{wat3tU-y$a1ztBg~VJ^i!`ErN>6^z;3zqQV^Aqx>x0obrPW0z)%` zT}l#NO)zZp@-p-ZPge-@$WAw~bc}HFOp7cC^fbzg%#8F1$*IV3$#5|-axDqV4K9w- z_6`ZmNarex@G&sUFf4K`Pcz6ht}t}X&T@1&Eb}+dw{RDWl9F(yYkeGrJ_RIKrqRBqu5)oy*rR zIm9ocEITYS(=RD7#LX+IBFW1#FFngLE6U5?-Lcpy(=aHdEK3_RmG}m`8Kzg}OIE7|bctheXS~tBYHL*BV!NStaSu3(OOd%va zMnT6-!JjKHBR|I}F+0Gy+&v)DHzzyTqQunD*DE00ILN&)*(co7JtU{dBq=gAH#Ez) z+&$7MCBHnfOk3L`B{IFhEYpO`(lXFjJIFP$&@Cs&z}%BdS65ddELh*PNZU0kG|4E# z*tI+;!YDP>u{^QFHP^{JD!b6KEIHrI$1&G0H#40pO8QdjB#S=XY4ROaagQ$X-%@M} z-thOev&Wkc3+CmPU8|a>d-#Gw^afcU+4FqcSc92vx=oZ;KjwXy;kMoS>vQ;B%fsH= ztbY=cz;kXv#m0h_GE)=&-*N4^v%vGd>XxZDWW>GHuh+h?j&fo8e6M-#k2eC6Mwtiq zM6d)Ie7e7G8LzKuntxvp^XlS=)!7mkS<`>&|9a-I=)05hgZNJ_75W>Vxh~`^zW2AI zh_z;A^feFFM%~ja=i2zie%8(ptk)HOV#V3!{5#*lh@rALD#*|CiN?ZRJTeoDv?s1= zYCLOjNRL-euCL*0SKaouuFp%1OK#rxHfj66`P6Y4yJ^pMTzT6c!dadX>nK*s$r9)> z?}+fENku>QHwyiAeYe|n=iIr>_?(5>%u;M<;pX(!t2zvV2?_gq)0E|OR& zV;L8gxM;!GpxmS#t0MoFT)N1a&OLMOKe0HScD19KQ`au-N??o$-}UN({5yyIGpyaO zV}FXO%-E$C8Cnwdbuar(!~Ro~K7AD`;@NdQNnr99J>5XocdsqJ-Qni6(*1Gb;Jg3Z zwwQ)5F)GMjQSnXrgU%YOZ#pw9d*42rf9*=)t=GXHJcGB{ta$Ah_(RP9yj!$ky7r%G zAK2{L!|GQbN$Ylc9qL)qaNOEUnd_2h^(xkC-)(W1lXq4x^kFyO!t$c}yx-l1#R``+ zP5D(Ul4tN+`b_WMcyeb&;#To3r_MeK$lf?pBz~Sp=tY-`$$OJ79nUz?C>3FT;a`ow znMvBaJ{oE7%?r#YeAwhR=+2 z)u-Qdl~KV7j_tbJ5-)!*V|yWQ+_#3avl3+K9RJbCj_OAyZk{VA^9 
zk;9<5AJ|~uH(~B<>82$s**IGG@9WOr^nGXbnT4B^&hTzY z3XWzs*u>(m`C;p)cl(|m!2IL$ot`{&JOt*>%v@F E0FV+i@Bjb+ literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 34fb177..9dce058 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -3,11 +3,12 @@ let adminsKeys = builtins.attrValues keys.admins; hut = [ keys.hosts.hut ] ++ adminsKeys; # Only expose ceph keys to safe nodes and admins - ceph = keys.hostGroup.safe ++ adminsKeys; + safe = keys.hostGroup.safe ++ adminsKeys; in { "ovni-token.age".publicKeys = hut; "nosv-token.age".publicKeys = hut; - "ceph-user.age".publicKeys = ceph; + "ceph-user.age".publicKeys = safe; + "munge-key.age".publicKeys = safe; }
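Review bot: The comment `# Only expose ceph keys to safe nodes and admins` is stale now that the binding is renamed to `safe` and also governs `munge-key.age`; something like `# Only expose cluster secrets (ceph, munge) to safe nodes and admins` would keep it accurate. Because the munge key is the shared secret the Slurm nodes use to authenticate each other, it is worth noting here that every key in `safe`, each admin key included, can decrypt it. Removing a host or admin from the group therefore calls for generating a new munge key, not only re-encrypting the existing file. The `let` block starts outside the hunk.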