Add encrypted munge key with agenix

Rodrigo Arias 2023-09-08 19:01:57 +02:00
parent ec9be9bb62
commit 19a451db77
3 changed files with 15 additions and 3 deletions


@ -1,4 +1,4 @@
{ pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
suspendProgram = pkgs.writeScript "suspend.sh" '' suspendProgram = pkgs.writeScript "suspend.sh" ''
@ -85,4 +85,15 @@ in {
SrunPortRange=60000-61000 SrunPortRange=60000-61000
''; '';
}; };
age.secrets.mungeKey = {
file = ../../secrets/munge-key.age;
owner = "munge";
group = "munge";
};
services.munge = {
enable = true;
password = config.age.secrets.mungeKey.path;
};
} }
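Review bot: `age.secrets.mungeKey` sets `owner` and `group` but leaves `mode` at agenix's default, and munged (as far as I recall) refuses to start when its key file is readable by group or others, so the daemon's health depends on that default staying 0400. Pinning it makes the requirement visible to the next reader and survives a default change: add `mode = "0400";` after the `group = "munge";` line. Also worth a comment next to `password = config.age.secrets.mungeKey.path;` that the option is a path to the key file, not a literal secret, e.g. `# path to the decrypted key file provided by agenix; munge uses the file, not the value`. Since every host that can decrypt `munge-key.age` holds the shared cluster credential key and can authenticate as any UID to the other nodes, confirm the decryption recipients match the set of machines that actually run munged. The enclosing attribute set starts before this hunk.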

BIN
secrets/munge-key.age Normal file



@ -3,11 +3,12 @@ let
adminsKeys = builtins.attrValues keys.admins; adminsKeys = builtins.attrValues keys.admins;
hut = [ keys.hosts.hut ] ++ adminsKeys; hut = [ keys.hosts.hut ] ++ adminsKeys;
# Only expose ceph keys to safe nodes and admins # Only expose ceph keys to safe nodes and admins
ceph = keys.hostGroup.safe ++ adminsKeys; safe = keys.hostGroup.safe ++ adminsKeys;
in in
{ {
"ovni-token.age".publicKeys = hut; "ovni-token.age".publicKeys = hut;
"nosv-token.age".publicKeys = hut; "nosv-token.age".publicKeys = hut;
"ceph-user.age".publicKeys = ceph; "ceph-user.age".publicKeys = safe;
"munge-key.age".publicKeys = safe;
} }
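Review bot: The comment `# Only expose ceph keys to safe nodes and admins` above the renamed `safe` binding is now stale, because the same recipient list also gates `munge-key.age` on the last added line. Update it so the list's purpose covers what it actually guards, e.g. `# Cluster-wide secrets (ceph user, munge key) are only exposed to safe nodes and admins`. This keeps the generic name `safe` from reading as an unexplained widening when the next secret is added to it. The enclosing `let` block starts before this hunk.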