diff --git a/keys.nix b/keys.nix
new file mode 100644
index 0000000..681fcbc
--- /dev/null
+++ b/keys.nix
@@ -0,0 +1,29 @@
+# As agenix needs to parse the secrets from a standalone .nix file, we describe
+# here all the public keys
+rec {
+ hosts = {
+ hut = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1 hut";
+ owl1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqMEXO0ApVsBA6yjmb0xP2kWyoPDIWxBB0Q3+QbHVhv owl1";
+ owl2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHurEYpQzNHqWYF6B9Pd7W8UPgF3BxEg0BvSbsA7BAdK owl2";
+ eudy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+WYPRRvZupqLAG0USKmd/juEPmisyyJaP8hAgYwXsG eudy";
+ koro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67 koro";
+ bay = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
+ lake2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
+ };
+
+ hostGroup = with hosts; rec {
+ compute = [ owl1 owl2 ];
+ playground = [ eudy koro ];
+ storage = [ bay lake2 ];
+ monitor = [ hut ];
+
+ system = storage ++ monitor;
+ safe = system ++ compute;
+ all = safe ++ playground;
+ };
+
+ admins = {
+ rarias = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
+ root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
+ };
+}
diff --git a/m/common/ssh.nix b/m/common/ssh.nix
index 2d805bf..b8cb5c1 100644
--- a/m/common/ssh.nix
+++ b/m/common/ssh.nix
@@ -1,5 +1,9 @@
-{ ... }:
+{ lib, ... }:
+let
+ keys = import ../../keys.nix;
+ hostsKeys = lib.mapAttrs (name: value: { publicKey = value; }) keys.hosts;
+in
 {
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
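Review bot: The `hostGroup` tiers are undocumented even though `safe` is the set that later gates which hosts may decrypt shared secrets, so nothing in this hunk says why the compute nodes count as safe while the playground nodes do not, or that `all` is a superset that should not normally be used as a secret recipient list. A short comment above `hostGroup`, e.g. `# Trust tiers used to scope secrets: 'safe' = hosts we fully control; playground hosts never receive secrets`, worded to the actual policy, would make later edits less error-prone. `admins.root` is the root account's key on hut, which turns one host's root into a global decrypting identity for anything encrypted to the admin set; that deserves a comment stating it is intentional and where on hut the private key lives. Note also that every value keeps its trailing comment field (`... hut`, `... rarias@hut`); the re-encrypted .age files show age accepted it and OpenSSH treats it as the known_hosts comment, but it will bite any future consumer that expects a bare `type base64` string.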
@@ -11,13 +15,7 @@
 ProxyCommand nc -X connect -x localhost:23080 %h %p
 '';
- programs.ssh.knownHosts = {
- "hut".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1";
- "owl1".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqMEXO0ApVsBA6yjmb0xP2kWyoPDIWxBB0Q3+QbHVhv";
- "owl2".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHurEYpQzNHqWYF6B9Pd7W8UPgF3BxEg0BvSbsA7BAdK";
- "eudy".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+WYPRRvZupqLAG0USKmd/juEPmisyyJaP8hAgYwXsG";
- "koro".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67";
-
+ programs.ssh.knownHosts = hostsKeys // {
 "gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3";
 "bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS";
 };
diff --git a/m/hut/ceph.nix b/m/hut/ceph.nix
index 3bebe11..ebbb885 100644
--- a/m/hut/ceph.nix
+++ b/m/hut/ceph.nix
@@ -11,14 +11,14 @@
 # modprobe command.
 boot.kernelModules = [ "ceph" ];
- age.secrets."secrets/ceph-user".file = ./secrets/ceph-user.age;
+ age.secrets.cephUser.file = ../../secrets/ceph-user.age;
 fileSystems."/ceph" = {
 fsType = "ceph";
 device = "user@9c8d06e0-485f-4aaf-b16b-06d6daf1232b.cephfs=/";
 options = [
 "mon_addr=10.0.40.40"
- "secretfile=${config.age.secrets."secrets/ceph-user".path}"
+ "secretfile=${config.age.secrets.cephUser.path}"
 ];
 };
 }
diff --git a/m/hut/gitlab-runner.nix b/m/hut/gitlab-runner.nix
index 6255005..d640de9 100644
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
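Review bot: The two external hosts `gitlab-internal.bsc.es` and `bscpm03.bsc.es` keep their keys inline here while every cluster host key now comes from `keys.nix`, so pinned host keys now live in two places. Putting them in `keys.nix` as well (e.g. an `external` attribute set) and merging with `hostsKeys // (lib.mapAttrs (_: k: { publicKey = k; }) keys.external)` would keep the single source of truth this change is after. The `hostsKeys` entries pin only the short attribute name (`hut`, `owl1`, …) as hostname, so connections by FQDN or IP remain unpinned unless `hostNames` is set; that was already true of the old list, but the generated form is now the only place to fix it. The key strings from `keys.nix` also carry a trailing comment (`... hut`), which OpenSSH reads as the known_hosts comment field; confirm the NixOS `knownHosts` module does not assert on a bare key.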
@@ -1,15 +1,15 @@
 { pkgs, lib, config, ... }:
 {
- age.secrets."secrets/ovni-token".file = ./secrets/ovni-token.age;
- age.secrets."secrets/nosv-token".file = ./secrets/nosv-token.age;
+ age.secrets.ovniToken.file = ../../secrets/ovni-token.age;
+ age.secrets.nosvToken.file = ../../secrets/nosv-token.age;
 services.gitlab-runner = {
 enable = true;
 settings.concurrent = 5;
 services = {
 ovni-shell = {
- registrationConfigFile = config.age.secrets."secrets/ovni-token".path;
+ registrationConfigFile = config.age.secrets.ovniToken.path;
 executor = "shell";
 tagList = [ "nix" "xeon" ];
 environmentVariables = {
@@ -17,7 +17,7 @@
 };
 };
 ovni-docker = {
- registrationConfigFile = config.age.secrets."secrets/ovni-token".path;
+ registrationConfigFile = config.age.secrets.ovniToken.path;
 dockerImage = "debian:stable";
 tagList = [ "docker" "xeon" ];
 registrationFlags = [ "--docker-network-mode host" ];
@@ -27,7 +27,7 @@
 };
 };
 nosv-docker = {
- registrationConfigFile = config.age.secrets."secrets/nosv-token".path;
+ registrationConfigFile = config.age.secrets.nosvToken.path;
 dockerImage = "debian:stable";
 tagList = [ "docker" "xeon" ];
 registrationFlags = [
diff --git a/m/hut/secrets/ceph-user.age b/m/hut/secrets/ceph-user.age
deleted file mode 100644
index 735afca..0000000
--- a/m/hut/secrets/ceph-user.age
+++ /dev/null
@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 CAWG4Q 35Ak+Mep9k5KnDLF1ywDbMD4l4mRFg6D0et19tqXxAw
-Wgr+CX4rzrPmUszSidtLAVSvgD80F2dqtd92hGZIFwo
--> ssh-ed25519 MSF3dg OVFvpkAyWTowtxsafstX31H/hJpNZmnOCbvqMIN0+AQ
-VxjRcQmp+BadEh2y0PB96EeizIl3tTQpVu0CWHmsc1s
--> ssh-ed25519 HY2yRg MJSQIpre9m0XnojgXuKQ/+hVBZNrZNGZqplwhqicpjI
-CLkE52iqpoqSnbzisNjQgxTfNqKeaRl5ntcw1d+ZDyQ
--> m$8`De%~-grease '85p}`by
-52zMpprONcawWDDtzHdWNwFoYXErPUnVjhSONbUBpDlqAmJmD1LcAnsU
---- 0vZOPyXQIMMGTwgFfvm8Sn8O7vjrsjGUEy5m/BASCyc
-|)*_DUS`r sN[֌^e+A 1G.#mW 5 (
\ No newline at end of file
diff --git a/m/hut/secrets/nosv-token.age b/m/hut/secrets/nosv-token.age
deleted file mode 100644
index 4b495a9..0000000
Binary files a/m/hut/secrets/nosv-token.age and /dev/null differ
diff --git a/m/hut/secrets/ovni-token.age b/m/hut/secrets/ovni-token.age
deleted file mode 100644
index bb850ef..0000000
Binary files a/m/hut/secrets/ovni-token.age and /dev/null differ
diff --git a/secrets/ceph-user.age b/secrets/ceph-user.age
new file mode 100644
index 0000000..f23e2ff
--- /dev/null
+++ b/secrets/ceph-user.age
@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 AY8zKw J00a6ZOhkupkhLU5WQ0kD05HEF4KKsSs2hwjHKbnnHU
+J14VoNOCqLpScVO7OLXbqTcLI4tcVUHt5cqY/XQmbGs
+-> ssh-ed25519 sgAamA k8R/bSUdvVmlBI6yHPi5NBQPBGM36lPJwsir8DFGgxE
+4ZKC3gYvic6AVrNGgNjwztbUzhxP8ViX5O3wFo9wlrk
+-> ssh-ed25519 HY2yRg 966xf2fTnA6Wq0uYXbXZQOManqITJcCbQS9LZCGEOh4
+Qg5echQSrzqeDqvaMx+5fqi8XyTjAeCsY/UFJX6YnDs
+-> ssh-ed25519 tcumPQ e0U2okrGIoUpLfPYjIRx1V92rE3hZW13nJef+l3kBQg
+LejAUKBl+tPhwocCF00ZHTzFISnwX8og8GvemiMIcyo
+-> ssh-ed25519 JJ1LWg QkzTsPq9Gdh+FNz/a4bDb9LQOreFyxeTC51UNd1fsj0
+ayrlKenETfQzH1Z9drVEWqszQebicGVJve0/pCnxAE8
+-> ssh-ed25519 CAWG4Q lJLW9+dxvyoD4hYzeXeE/4rzJ6HIeEQOB1+fbhV3xw0
+T2RrVCtTuQvya9HiJB7txk3QGrntpsMX9Tt1cyXoW5E
+-> ssh-ed25519 MSF3dg JOZkFb2CfqWKvZIz7lYxXWgv8iEVDkQF8hInDMZvknc
+MHDWxjUw4dNiC1h4MrU9uKKcI3rwkxABm0+5FYMZkok
+-> ~8m;7f-grease
+lDIullfC98RhpTZ4Mk87Td+VtPmwPdgz+iIilpKugUkmV5r4Uqd7yE+5ArA6ekr/
+G/X4EA
+--- Cz4sv9ZunBcVdZCozdTh1zlg1zIASjk2MjYeYfcN9eA
+N $[HQ +d'7Ͳ)x9yEM7^[M+&$8tMв
\ No newline at end of file
diff --git a/secrets/nosv-token.age b/secrets/nosv-token.age
new file mode 100644
index 0000000..31a354b
--- /dev/null
+++ b/secrets/nosv-token.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 HY2yRg hrdS7Dl/j+u3XVfM79ZJpZSlre9TcD7DTQ+EEAT6kEE
+avUO96P1h7w2BYWgrQ7GpUgdaCV9AZL7eOTTcF9gfro
+-> ssh-ed25519 CAWG4Q A5raRY1CAgFYZgoQ92GMyNejYNdHx/7Y6uTS+EjLPWA
+FRFqT2Jz7qRcybaxkQTKHGl797LVXoHpYG4RZSrX/70
+-> ssh-ed25519 MSF3dg D+R80Bg7W9AuiOMAqtGFZQl994dRBIegYRLmmTaeZ3o
+BHvZsugRiuZ91b4jk91h30o3eF3hadSnVCwxXge95T8
+-> BT/El`a-grease W{nq|Vm )bld 2Nl}4 N$#JGB4t
+oLG+0S1aGfO/ohCfgGmhDhwwLi4H
+--- 2I5C+FvBG/K1ZHh7C5QD39feTSLoFGwcTeZAmeILNsI
+Wo d;C._(u G#vgɝyYl9ϵ.0x޽N./tBbK:Q\T_txm_Jޞ-
\ No newline at end of file
diff --git a/secrets/ovni-token.age b/secrets/ovni-token.age
new file mode 100644
index 0000000..4378c38
Binary files /dev/null and b/secrets/ovni-token.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..34fb177
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,13 @@
+let
+ keys = import ../keys.nix;
+ adminsKeys = builtins.attrValues keys.admins;
+ hut = [ keys.hosts.hut ] ++ adminsKeys;
+ # Only expose ceph keys to safe nodes and admins
+ ceph = keys.hostGroup.safe ++ adminsKeys;
+in
+{
+ "ovni-token.age".publicKeys = hut;
+ "nosv-token.age".publicKeys = hut;
+
+ "ceph-user.age".publicKeys = ceph;
+}
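Review bot: `ceph = keys.hostGroup.safe ++ adminsKeys` hands one shared CephX key to five hosts (storage, monitor and both compute nodes) plus two admin keys, so compromise of any of them exposes the credential for all, and rotating it means re-encrypting and redeploying everywhere at once. If owl1/owl2 run user workloads, a per-host Ceph client (one `ceph-user-<host>.age` each with `publicKeys = [ keys.hosts.<host> ] ++ adminsKeys`) would bound the blast radius, and the comment `# Only expose ceph keys to safe nodes and admins` should say what "safe" means rather than rely on the name. `adminsKeys` includes `keys.admins.root`, the `root@hut` key, so every secret declared here is decryptable by hut's root account even when the target list does not contain hut; that is harmless today because hut is in both `hut` and `safe`, but it silently widens access as secrets for other hosts are added, so either document it or drop the host-root key from `admins`. The recipient stanza counts of the re-encrypted files (seven for ceph-user, three for nosv-token) match these lists, but keep `agenix -r` in the workflow whenever `keys.nix` changes so the lists and the files cannot drift.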