From 2bb366b9ac5639ad9e4d43c887411ba95c65ae81 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Mon, 4 Sep 2023 21:36:31 +0200
Subject: [PATCH] Reorganize secrets and ssh keys

The agenix tools needs to read the secrets from a standalone file, but we also need the same information for the SSH keys.
---
 keys.nix | 29 +++++++++++++++++++++++++++++
 m/common/ssh.nix | 14 ++++++--------
 m/hut/ceph.nix | 4 ++--
 m/hut/gitlab-runner.nix | 10 +++++-----
 m/hut/secrets/ceph-user.age | 11 -----------
 m/hut/secrets/nosv-token.age | Bin 541 -> 0 bytes
 m/hut/secrets/ovni-token.age | Bin 610 -> 0 bytes
 secrets/ceph-user.age | 21 +++++++++++++++++++++
 secrets/nosv-token.age | 11 +++++++++++
 secrets/ovni-token.age | Bin 0 -> 553 bytes
 secrets/secrets.nix | 13 +++++++++++++
 11 files changed, 87 insertions(+), 26 deletions(-)
 create mode 100644 keys.nix
 delete mode 100644 m/hut/secrets/ceph-user.age
 delete mode 100644 m/hut/secrets/nosv-token.age
 delete mode 100644 m/hut/secrets/ovni-token.age
 create mode 100644 secrets/ceph-user.age
 create mode 100644 secrets/nosv-token.age
 create mode 100644 secrets/ovni-token.age
 create mode 100644 secrets/secrets.nix

diff --git a/keys.nix b/keys.nix
new file mode 100644
index 0000000..681fcbc
--- /dev/null
+++ b/keys.nix
@@ -0,0 +1,29 @@
+# As agenix needs to parse the secrets from a standalone .nix file, we describe
+# here all the public keys
+rec {
+ hosts = {
+ hut = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1 hut";
+ owl1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqMEXO0ApVsBA6yjmb0xP2kWyoPDIWxBB0Q3+QbHVhv owl1";
+ owl2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHurEYpQzNHqWYF6B9Pd7W8UPgF3BxEg0BvSbsA7BAdK owl2";
+ eudy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+WYPRRvZupqLAG0USKmd/juEPmisyyJaP8hAgYwXsG eudy";
+ koro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67 koro";
+ bay = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
+ lake2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
+ };
+
+ hostGroup = with hosts; rec {
+ compute = [ owl1 owl2 ];
+ playground = [ eudy koro ];
+ storage = [ bay lake2 ];
+ monitor = [ hut ];
+
+ system = storage ++ monitor;
+ safe = system ++ compute;
+ all = safe ++ playground;
+ };
+
+ admins = {
+ rarias = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
+ root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
+ };
+}
diff --git a/m/common/ssh.nix b/m/common/ssh.nix
index 2d805bf..b8cb5c1 100644
--- a/m/common/ssh.nix
+++ b/m/common/ssh.nix
@@ -1,5 +1,9 @@
-{ ... }:
+{ lib, ... }:
+let
+ keys = import ../../keys.nix;
+ hostsKeys = lib.mapAttrs (name: value: { publicKey = value; }) keys.hosts;
+in
 {
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
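Review bot: The `hostGroup` names carry an access-control meaning that keys.nix never states: `secrets/secrets.nix` in this same commit uses `hostGroup.safe` as the recipient set for `ceph-user.age`, so adding a host to `compute` or `storage` here silently grants it the Ceph client secret. A comment on the group block would make that visible to the next editor, e.g. `# hostGroup.safe is the recipient set used by secrets/secrets.nix; playground hosts are deliberately excluded`. The same goes for `admins`: every key listed there can decrypt every secret, which is worth saying next to the set rather than leaving it implicit.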
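Review bot: The lambda in `hostsKeys = lib.mapAttrs (name: value: { publicKey = value; }) keys.hosts;` never uses `name`; `lib.mapAttrs (_: key: { publicKey = key; }) keys.hosts` says what it does more directly. Note also that the values taken from `keys.hosts` carry a trailing comment field (`... hut`, `... owl1`) that the old inline `knownHosts` entries did not; the known_hosts format allows an optional comment after the key, so this should be harmless, but it is a behavioural difference the commit message does not mention. The attribute set opened at ` {` continues outside the hunk.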
@@ -11,13 +15,7 @@
 ProxyCommand nc -X connect -x localhost:23080 %h %p
 '';
 
- programs.ssh.knownHosts = {
- "hut".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1";
- "owl1".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqMEXO0ApVsBA6yjmb0xP2kWyoPDIWxBB0Q3+QbHVhv";
- "owl2".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHurEYpQzNHqWYF6B9Pd7W8UPgF3BxEg0BvSbsA7BAdK";
- "eudy".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+WYPRRvZupqLAG0USKmd/juEPmisyyJaP8hAgYwXsG";
- "koro".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67";
-
+ programs.ssh.knownHosts = hostsKeys // {
 "gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3";
 "bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS";
 };
diff --git a/m/hut/ceph.nix b/m/hut/ceph.nix
index 3bebe11..ebbb885 100644
--- a/m/hut/ceph.nix
+++ b/m/hut/ceph.nix
@@ -11,14 +11,14 @@
 # modprobe command.
 boot.kernelModules = [ "ceph" ];
 
- age.secrets."secrets/ceph-user".file = ./secrets/ceph-user.age;
+ age.secrets.cephUser.file = ../../secrets/ceph-user.age;
 
 fileSystems."/ceph" = {
 fsType = "ceph";
 device = "user@9c8d06e0-485f-4aaf-b16b-06d6daf1232b.cephfs=/";
 options = [
 "mon_addr=10.0.40.40"
- "secretfile=${config.age.secrets."secrets/ceph-user".path}"
+ "secretfile=${config.age.secrets.cephUser.path}"
 ];
 };
 }
diff --git a/m/hut/gitlab-runner.nix b/m/hut/gitlab-runner.nix
index 6255005..d640de9 100644
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
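Review bot: After this hunk the pinned host keys live in two places: every internal host moved to keys.nix, while `gitlab-internal.bsc.es` and `bscpm03.bsc.es` keep their keys inline in `programs.ssh.knownHosts = hostsKeys // { ... }`. An `external` attrset in keys.nix merged the same way would give a key rotation, or the response to a suspected host compromise, a single file to edit. The merge itself is safe as written: `hostsKeys` and the inline set share no attribute names, so `//` shadows nothing; it would be worth a short comment that the inline set must not reuse a name from `keys.hosts`, since the right-hand side would silently win.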
@@ -1,15 +1,15 @@ { pkgs, lib, config, ... }: { - age.secrets."secrets/ovni-token".file = ./secrets/ovni-token.age; - age.secrets."secrets/nosv-token".file = ./secrets/nosv-token.age; + age.secrets.ovniToken.file = ../../secrets/ovni-token.age; + age.secrets.nosvToken.file = ../../secrets/nosv-token.age; services.gitlab-runner = { enable = true; settings.concurrent = 5; services = { ovni-shell = { - registrationConfigFile = config.age.secrets."secrets/ovni-token".path; + registrationConfigFile = config.age.secrets.ovniToken.path; executor = "shell"; tagList = [ "nix" "xeon" ]; environmentVariables = { @@ -17,7 +17,7 @@ }; }; ovni-docker = { - registrationConfigFile = config.age.secrets."secrets/ovni-token".path; + registrationConfigFile = config.age.secrets.ovniToken.path; dockerImage = "debian:stable"; tagList = [ "docker" "xeon" ]; registrationFlags = [ "--docker-network-mode host" ]; @@ -27,7 +27,7 @@ }; }; nosv-docker = { - registrationConfigFile = config.age.secrets."secrets/nosv-token".path; + registrationConfigFile = config.age.secrets.nosvToken.path; dockerImage = "debian:stable"; tagList = [ "docker" "xeon" ]; registrationFlags = [ diff --git a/m/hut/secrets/ceph-user.age b/m/hut/secrets/ceph-user.age deleted file mode 100644 index 735afca..0000000 --- a/m/hut/secrets/ceph-user.age +++ /dev/null @@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 CAWG4Q 35Ak+Mep9k5KnDLF1ywDbMD4l4mRFg6D0et19tqXxAw -Wgr+CX4rzrPmUszSidtLAVSvgD80F2dqtd92hGZIFwo --> ssh-ed25519 MSF3dg OVFvpkAyWTowtxsafstX31H/hJpNZmnOCbvqMIN0+AQ -VxjRcQmp+BadEh2y0PB96EeizIl3tTQpVu0CWHmsc1s --> ssh-ed25519 HY2yRg MJSQIpre9m0XnojgXuKQ/+hVBZNrZNGZqplwhqicpjI -CLkE52iqpoqSnbzisNjQgxTfNqKeaRl5ntcw1d+ZDyQ --> m$8`De%~-grease '85p}`by -52zMpprONcawWDDtzHdWNwFoYXErPUnVjhSONbUBpDlqAmJmD1LcAnsU ---- 0vZOPyXQIMMGTwgFfvm8Sn8O7vjrsjGUEy5m/BASCyc -|)*_DUS`r sN[֌^e+A 1G.#mW 5 ( \ No newline at end of file 
diff --git a/m/hut/secrets/nosv-token.age b/m/hut/secrets/nosv-token.age deleted file mode 100644 index 4b495a944de69fccbfdde7394b7f63f80e53e06e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 541 zcmZ9`O>5I&003Y?JlKO5&ts8^V!N6pY5Fz@l{U@NH0jc&P20?ar0tuJrb*f){YWl) z*kOXg*m3jV(Tl?73W6S$T~tu<=wTOOpopLoiU;+&U+_Gt4wKO7c;O&0UFW*%>F5}X zC9{a{8%fy3NfM(FI@e@VRb&+dV5l+rfKxiG#IMzB_yD4~Em5`fieHkfq#LmzIc%nkKCd{`c=McTFR8xQaNdE38CG*;;8UMzkhPmY%F-ftd?`^@9yn?YRC uXU6e`&z|t~*Q0K?-dSzA>lNkV>yzcdi#PUzt3QpeFK?_{*OxH8vilFpr_yf# diff --git a/secrets/ceph-user.age b/secrets/ceph-user.age new file mode 100644 index 0000000..f23e2ff --- /dev/null +++ b/secrets/ceph-user.age @@ -0,0 +1,21 @@ +age-encryption.org/v1 +-> ssh-ed25519 AY8zKw J00a6ZOhkupkhLU5WQ0kD05HEF4KKsSs2hwjHKbnnHU +J14VoNOCqLpScVO7OLXbqTcLI4tcVUHt5cqY/XQmbGs +-> ssh-ed25519 sgAamA k8R/bSUdvVmlBI6yHPi5NBQPBGM36lPJwsir8DFGgxE +4ZKC3gYvic6AVrNGgNjwztbUzhxP8ViX5O3wFo9wlrk +-> ssh-ed25519 HY2yRg 966xf2fTnA6Wq0uYXbXZQOManqITJcCbQS9LZCGEOh4 +Qg5echQSrzqeDqvaMx+5fqi8XyTjAeCsY/UFJX6YnDs +-> ssh-ed25519 tcumPQ e0U2okrGIoUpLfPYjIRx1V92rE3hZW13nJef+l3kBQg +LejAUKBl+tPhwocCF00ZHTzFISnwX8og8GvemiMIcyo +-> ssh-ed25519 JJ1LWg QkzTsPq9Gdh+FNz/a4bDb9LQOreFyxeTC51UNd1fsj0 +ayrlKenETfQzH1Z9drVEWqszQebicGVJve0/pCnxAE8 +-> ssh-ed25519 CAWG4Q lJLW9+dxvyoD4hYzeXeE/4rzJ6HIeEQOB1+fbhV3xw0 +T2RrVCtTuQvya9HiJB7txk3QGrntpsMX9Tt1cyXoW5E +-> ssh-ed25519 MSF3dg JOZkFb2CfqWKvZIz7lYxXWgv8iEVDkQF8hInDMZvknc +MHDWxjUw4dNiC1h4MrU9uKKcI3rwkxABm0+5FYMZkok +-> ~8m;7f-grease +lDIullfC98RhpTZ4Mk87Td+VtPmwPdgz+iIilpKugUkmV5r4Uqd7yE+5ArA6ekr/ +G/X4EA +--- Cz4sv9ZunBcVdZCozdTh1zlg1zIASjk2MjYeYfcN9eA +N $[HQ +d'7Ͳ)x9yEM7^[M+&$8tMв \ No newline at end of file diff --git a/secrets/nosv-token.age b/secrets/nosv-token.age new file mode 100644 index 0000000..31a354b --- /dev/null +++ b/secrets/nosv-token.age 
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 HY2yRg hrdS7Dl/j+u3XVfM79ZJpZSlre9TcD7DTQ+EEAT6kEE +avUO96P1h7w2BYWgrQ7GpUgdaCV9AZL7eOTTcF9gfro +-> ssh-ed25519 CAWG4Q A5raRY1CAgFYZgoQ92GMyNejYNdHx/7Y6uTS+EjLPWA +FRFqT2Jz7qRcybaxkQTKHGl797LVXoHpYG4RZSrX/70 +-> ssh-ed25519 MSF3dg D+R80Bg7W9AuiOMAqtGFZQl994dRBIegYRLmmTaeZ3o +BHvZsugRiuZ91b4jk91h30o3eF3hadSnVCwxXge95T8 +-> BT/El`a-grease W{nq|Vm )bld 2Nl}4 N$#JGB4t +oLG+0S1aGfO/ohCfgGmhDhwwLi4H +--- 2I5C+FvBG/K1ZHh7C5QD39feTSLoFGwcTeZAmeILNsI +Wo d;C._(u G#vgɝyYl9ϵ.0x޽N./tBbK:Q\T_txm_Jޞ- \ No newline at end of file diff --git a/secrets/ovni-token.age b/secrets/ovni-token.age new file mode 100644 index 0000000000000000000000000000000000000000..4378c388dd465e6d39681bbca5354136454855f8 GIT binary patch literal 553 zcmZ9HO>5Ht06;}VFiaHjvWo=4Q%IAv`B;Sw+9XZVHf_^%$r42DN18TClcq`2q$-Fg zUWCC;A}V+gL7XSSgCg_eA}A=EF!kW@Ac#2k2L=w0`vH&lUeh#S!)=d}Vc7TFls7Vw z2m{~+FbI0E(Mb~omIZk&ozzWG*F9CSg6_bM1W4%GOU@Es#E^7FX<@cepxS+|f%H1E zH$Z{VfHY#v>Mb7E*k(JT(E{i9GpK^N95V${Wei9WI84Y<>H#f&JlB%qnTJmsrO{AIh;~Oi-Pc}6?t*XnsC`9ujYVG zl+@8FLW-hW_ZXq3MxxJ9iIY^y6rrhFAi48Sl9s)T?dS~{l)tlQ(sQ73LqT$^-B7YU*maoltTlga_p@3ny=E1UU^m1B76 zJAHfh=by_TpKLs~-ah?s_dtM(()zR2m#ORbFV1fL4z#Olb@|QCb}-jyF` zPpp0+FU-6*U+|BX?|h>lY@h!$f9PcV{MGSy$kFBXouMLc-+Xv(_sslE_V8MBcj5Kc NU+43!ujyYm)PDq_#q9t9 literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..34fb177 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,13 @@ +let + keys = import ../keys.nix; + adminsKeys = builtins.attrValues keys.admins; + hut = [ keys.hosts.hut ] ++ adminsKeys; + # Only expose ceph keys to safe nodes and admins + ceph = keys.hostGroup.safe ++ adminsKeys; +in +{ + "ovni-token.age".publicKeys = hut; + "nosv-token.age".publicKeys = hut; + + "ceph-user.age".publicKeys = ceph; +}
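Review bot: The recipient set for `ceph-user.age` widens in this file: `ceph = keys.hostGroup.safe ++ adminsKeys` encrypts to seven keys (hut, owl1, owl2, bay, lake2 and the two admins), and the new `secrets/ceph-user.age` in this commit does carry seven `-> ssh-ed25519` stanzas where the deleted `m/hut/secrets/ceph-user.age` had three. That is an access expansion the commit message ("Reorganize") does not mention, so the comment `# Only expose ceph keys to safe nodes and admins` should also say why the compute and storage nodes need the CephFS client secret. It is also worth a comment that this file only governs who can decrypt at the next re-encryption: dropping a host from `safe` revokes nothing it already holds until the file is rekeyed and the Ceph key itself rotated.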