Add encrypted munge key with agenix

2023-09-08 19:01:57 +02:00 · 2023-09-08 19:01:57 +02:00 · 19a451db77
commit 19a451db77
parent ec9be9bb62
3 changed files with 15 additions and 3 deletions
--- a/m/common/slurm.nix
+++ b/m/common/slurm.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:

 let
  suspendProgram = pkgs.writeScript "suspend.sh" ''
@ -85,4 +85,15 @@ in {
      SrunPortRange=60000-61000
    '';
  };
+
+  age.secrets.mungeKey = {
+    file = ../../secrets/munge-key.age;
+    owner = "munge";
+    group = "munge";
+  };
+
+  services.munge = {
+    enable = true;
+    password = config.age.secrets.mungeKey.path;
+  };
 }
--- a/secrets/munge-key.age
+++ b/secrets/munge-key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -3,11 +3,12 @@ let
  adminsKeys = builtins.attrValues keys.admins;
  hut = [ keys.hosts.hut ] ++ adminsKeys;
  # Only expose ceph keys to safe nodes and admins
-  ceph = keys.hostGroup.safe ++ adminsKeys;
+  safe = keys.hostGroup.safe ++ adminsKeys;
 in
 {
  "ovni-token.age".publicKeys = hut;
  "nosv-token.age".publicKeys = hut;

-  "ceph-user.age".publicKeys = ceph;
+  "ceph-user.age".publicKeys = safe;
+  "munge-key.age".publicKeys = safe;
 }