From 19a451db777efe1c7abbd73a4fc74a8eb2978055 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Fri, 8 Sep 2023 19:01:57 +0200
Subject: [PATCH] Add encrypted munge key with agenix
---
 m/common/slurm.nix | 13 ++++++++++++-
 secrets/munge-key.age | Bin 0 -> 2007 bytes
 secrets/secrets.nix | 5 +++--
 3 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 secrets/munge-key.age
diff --git a/m/common/slurm.nix b/m/common/slurm.nix
index 5404d0c..22ffae6 100644
--- a/m/common/slurm.nix
+++ b/m/common/slurm.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 let
 suspendProgram = pkgs.writeScript "suspend.sh" ''
@@ -85,4 +85,15 @@ in {
 SrunPortRange=60000-61000
 '';
 };
+
+ age.secrets.mungeKey = {
+ file = ../../secrets/munge-key.age;
+ owner = "munge";
+ group = "munge";
+ };
+
+ services.munge = {
+ enable = true;
+ password = config.age.secrets.mungeKey.path;
+ };
 }
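Review bot: The new `age.secrets.mungeKey` block in the second hunk sets `owner` and `group` but leaves the file mode to the agenix default. munged refuses a key file that is accessible to group or other, so I would pin it with `mode = "0400";` instead of depending on the default. Because the block sits in m/common/slurm.nix, every host that imports this module has to be a recipient of munge-key.age. A host outside the `safe` list in secrets/secrets.nix would presumably fail to decrypt at activation and leave munged without a key, so it is worth confirming that the import set matches the recipient list. The enclosing `in { ... }` attribute set starts above the hunk, so the rest of the Slurm configuration is not visible here.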
diff --git a/secrets/munge-key.age b/secrets/munge-key.age new file mode 100644 index 0000000000000000000000000000000000000000..ead42c816eb6d3ba2973e4dcb0a62c55e6f5ac8b GIT binary patch literal 2007 zcmZY8`CpBR0>^Pni%ycsD6Z5o*-yvWH{;cK&c1KY*`5>XEYEq)zVC^`Wv)z?q2Xml zC3h|{O=ud0o1LMCVr)ZPTM=nO!^OB>ulpN+!TX2L_iI34EbKPK_1{#3qaZv>AiSj5E*c`SS>^ufciW<#Oghn8`xNZ&00{h9nkTWFl zkYsc|9YwO+nHUEKv{0xL37!H&T%|f9lrvpohFpXTf;Jn-v#Q80jvDw-3m|~O1)u?+ z5aQuOkld)0%dKGth9xjFs6MS%>i|>;p3gJ-DMYT)rDl;)Y<`^UjIrDVHibeG(tLO| zksydk06tD*khsJUzD{q(+5`D>O!pLWUc$Gwgbyj0XgmHiGi~;4mMrL;`Y2W(2J^(rGZ2 zkJzo)Xk!U4xB1#<*hJlD7$Z;`gdWVk@HhHLGz$JCr5R`sW z7rcR9iLJ{0GQQ|eSNioS%fQCBeJuXtftqcu@a6b6?C}fp3mYekC!ZhFoCuD%#$7*Y z#wpS9VZRsrc;(x4PDJx`-jDZG#iM_%iSG68%HCA`?gnSgjT*tNX-%81W@ia!Tq*7S zT+bfytb6%)FCUMcNVFY2q)SlZ2X8fepC*}RkyWl4xjUfS?U>M+h`hr6_rd(_e=_rK z7Y(wbxW)&Z+LS=|+b{izi+2@X=1(ifo=f<3WqRhT(rU$0?6`Y#Q&zHGd*%~|#R7Vz zRB&%*ZR_al^?uCy`eo%E_+xX@a&jumep|id=as9U?H~oO-4c;kzT1EHbap}2g9DeI ztW~8%tP6q6(v$=Rf7^+18#ee~wv}hR<@6uqwA9s2X_qDMyZ=nIwY^m3lRXUXYV+M) zcf0H0p0eRZ+YJ>zvo59Z?sqrar)Hazx^+@;`@7htt{W%&X85?3=M+!Yc&pB=S~}$X zmq*YLoAIe3md#kCF>J4Sp>!D!)I)EBU7aaN>Xsk=%3PGcYWhjrrXT*fx_I~kZR?{8 zx&8A!?THnA3tx?&y18}w`@d*j98SJQSbKKE;EN3Z=+-O7v0p!*gHvac0ndg>wI8CIRWwef!y2ImJ+FR*cutStO%*k2xZv&=+gUR1!PVA@{=i=`D<=U|o%F(xR8#xtF&+x~+ zrB+r_+ts`g?PEF)RcdcOzw?xMYT-_x=~Z1OTynf%RO|Ib4JWdZdDpWd$*$N}yR`73 z4VKk9I;saJC<%k^d$+fudU5!9V=vd`EH7BK;P&df%TdCGEBQjqPboMzAm$zb`>HYv8BB s{p$z+e{uH`#IZ<`Ht<{if!xgv8cxFh0FV+i@Bjb+ literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 34fb177..9dce058 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -3,11 +3,12 @@ let adminsKeys = builtins.attrValues keys.admins; hut = [ keys.hosts.hut ] ++ adminsKeys; # Only expose ceph keys to safe nodes and admins - ceph = keys.hostGroup.safe ++ adminsKeys; + safe = keys.hostGroup.safe ++ adminsKeys; in { "ovni-token.age".publicKeys = hut; "nosv-token.age".publicKeys = hut; - "ceph-user.age".publicKeys = ceph; + "ceph-user.age".publicKeys = safe; + "munge-key.age".publicKeys = safe; }
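Review bot: The context comment `# Only expose ceph keys to safe nodes and admins` is stale now that the binding is renamed to `safe` and also governs `munge-key.age`. Something like `# Secrets readable by safe nodes and admins (ceph user key, munge key)` would match the new use. Sharing one recipient list also couples the two secrets: if a Slurm node that should not hold Ceph credentials later needs the munge key, adding it to `safe` would give it `ceph-user.age` as well. A dedicated binding such as `munge = keys.hostGroup.safe ++ adminsKeys;` would keep the two lists independent. The `let` block starts above the hunk, so how `keys.hostGroup.safe` is defined cannot be checked from here.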