Reorganize secrets and ssh keys

The agenix tools needs to read the secrets from a standalone file, but we also need the same information for the SSH keys.
2023-09-04 21:36:31 +02:00 · 2023-09-04 21:36:31 +02:00 · 2bb366b9ac
commit 2bb366b9ac
parent 2d16709648
11 changed files with 87 additions and 26 deletions
--- a/keys.nix
+++ b/keys.nix
@ -0,0 +1,29 @@
 # As agenix needs to parse the secrets from a standalone .nix file, we describe
 # here all the public keys
 rec {
  hosts = {
    hut   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1 hut";
    owl1  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqMEXO0ApVsBA6yjmb0xP2kWyoPDIWxBB0Q3+QbHVhv owl1";
    owl2  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHurEYpQzNHqWYF6B9Pd7W8UPgF3BxEg0BvSbsA7BAdK owl2";
    eudy  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+WYPRRvZupqLAG0USKmd/juEPmisyyJaP8hAgYwXsG eudy";
    koro  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67 koro";
    bay   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICvGBzpRQKuQYHdlUQeAk6jmdbkrhmdLwTBqf3el7IgU bay";
    lake2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINo66//S1yatpQHE/BuYD/Gfq64TY7ZN5XOGXmNchiO0 lake2";
  };
  hostGroup = with hosts; rec {
    compute    = [ owl1 owl2 ];
    playground = [ eudy koro ];
    storage    = [ bay lake2 ];
    monitor    = [ hut ];
    system     = storage ++ monitor;
    safe       = system ++ compute;
    all        = safe ++ playground;
  };
  admins = {
    rarias = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
    root   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
  };
 }
--- a/m/common/ssh.nix
+++ b/m/common/ssh.nix
@ -1,5 +1,9 @@
-{ ... }:
+{ lib, ... }:
 let
  keys = import ../../keys.nix;
  hostsKeys = lib.mapAttrs (name: value: { publicKey = value; }) keys.hosts;
 in
 {
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
@ -11,13 +15,7 @@
      ProxyCommand nc -X connect -x localhost:23080 %h %p
  '';
-  programs.ssh.knownHosts = {
+  programs.ssh.knownHosts = hostsKeys // {
    "hut".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1";
    "owl1".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqMEXO0ApVsBA6yjmb0xP2kWyoPDIWxBB0Q3+QbHVhv";
    "owl2".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHurEYpQzNHqWYF6B9Pd7W8UPgF3BxEg0BvSbsA7BAdK";
    "eudy".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+WYPRRvZupqLAG0USKmd/juEPmisyyJaP8hAgYwXsG";
    "koro".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67";
    "gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3";
    "bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS";
  };
--- a/m/hut/ceph.nix
+++ b/m/hut/ceph.nix
@ -11,14 +11,14 @@
  # modprobe command.
  boot.kernelModules = [ "ceph" ];
-  age.secrets."secrets/ceph-user".file = ./secrets/ceph-user.age;
+  age.secrets.cephUser.file = ../../secrets/ceph-user.age;
  fileSystems."/ceph" = {
    fsType = "ceph";
    device = "user@9c8d06e0-485f-4aaf-b16b-06d6daf1232b.cephfs=/";
    options = [
      "mon_addr=10.0.40.40"
-      "secretfile=${config.age.secrets."secrets/ceph-user".path}"
+      "secretfile=${config.age.secrets.cephUser.path}"
    ];
  };
 }
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@ -1,15 +1,15 @@
 { pkgs, lib, config, ... }:
 {
-  age.secrets."secrets/ovni-token".file = ./secrets/ovni-token.age;
+  age.secrets.ovniToken.file = ../../secrets/ovni-token.age;
-  age.secrets."secrets/nosv-token".file = ./secrets/nosv-token.age;
+  age.secrets.nosvToken.file = ../../secrets/nosv-token.age;
  services.gitlab-runner = {
    enable = true;
    settings.concurrent = 5;
    services = {
      ovni-shell = {
-        registrationConfigFile = config.age.secrets."secrets/ovni-token".path;
+        registrationConfigFile = config.age.secrets.ovniToken.path;
        executor = "shell";
        tagList = [ "nix" "xeon" ];
        environmentVariables = {
@ -17,7 +17,7 @@
        };
      };
      ovni-docker = {
-        registrationConfigFile = config.age.secrets."secrets/ovni-token".path;
+        registrationConfigFile = config.age.secrets.ovniToken.path;
        dockerImage = "debian:stable";
        tagList = [ "docker" "xeon" ];
        registrationFlags = [ "--docker-network-mode host" ];
@ -27,7 +27,7 @@
        };
      };
      nosv-docker = {
-        registrationConfigFile = config.age.secrets."secrets/nosv-token".path;
+        registrationConfigFile = config.age.secrets.nosvToken.path;
        dockerImage = "debian:stable";
        tagList = [ "docker" "xeon" ];
        registrationFlags = [
--- a/m/hut/secrets/ceph-user.age
+++ b/m/hut/secrets/ceph-user.age
@ -1,11 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 CAWG4Q 35Ak+Mep9k5KnDLF1ywDbMD4l4mRFg6D0et19tqXxAw
 Wgr+CX4rzrPmUszSidtLAVSvgD80F2dqtd92hGZIFwo
 -> ssh-ed25519 MSF3dg OVFvpkAyWTowtxsafstX31H/hJpNZmnOCbvqMIN0+AQ
 VxjRcQmp+BadEh2y0PB96EeizIl3tTQpVu0CWHmsc1s
 -> ssh-ed25519 HY2yRg MJSQIpre9m0XnojgXuKQ/+hVBZNrZNGZqplwhqicpjI
 CLkE52iqpoqSnbzisNjQgxTfNqKeaRl5ntcw1d+ZDyQ
 -> m$8`De%~-grease '85p}`by
 52zMpprONcawWDDtzHdWNwFoYXErPUnVjhSONbUBpDlqAmJmD1LcAnsU
 --- 0vZOPyXQIMMGTwgFfvm8Sn8O7vjrsjGUEy5m/BASCyc
 È| üœ)‡<>ËëË*_ËDóUS`<06><>‹àŠèr Âs<C382>¢NªÈ[ÖŒ^e+A1œ“G.í#âù°m˜¸Wß ’5·àƒµ( 
--- a/m/hut/secrets/nosv-token.age
+++ b/m/hut/secrets/nosv-token.age
--- a/m/hut/secrets/ovni-token.age
+++ b/m/hut/secrets/ovni-token.age
--- a/secrets/ceph-user.age
+++ b/secrets/ceph-user.age
@ -0,0 +1,21 @@
 age-encryption.org/v1
 -> ssh-ed25519 AY8zKw J00a6ZOhkupkhLU5WQ0kD05HEF4KKsSs2hwjHKbnnHU
 J14VoNOCqLpScVO7OLXbqTcLI4tcVUHt5cqY/XQmbGs
 -> ssh-ed25519 sgAamA k8R/bSUdvVmlBI6yHPi5NBQPBGM36lPJwsir8DFGgxE
 4ZKC3gYvic6AVrNGgNjwztbUzhxP8ViX5O3wFo9wlrk
 -> ssh-ed25519 HY2yRg 966xf2fTnA6Wq0uYXbXZQOManqITJcCbQS9LZCGEOh4
 Qg5echQSrzqeDqvaMx+5fqi8XyTjAeCsY/UFJX6YnDs
 -> ssh-ed25519 tcumPQ e0U2okrGIoUpLfPYjIRx1V92rE3hZW13nJef+l3kBQg
 LejAUKBl+tPhwocCF00ZHTzFISnwX8og8GvemiMIcyo
 -> ssh-ed25519 JJ1LWg QkzTsPq9Gdh+FNz/a4bDb9LQOreFyxeTC51UNd1fsj0
 ayrlKenETfQzH1Z9drVEWqszQebicGVJve0/pCnxAE8
 -> ssh-ed25519 CAWG4Q lJLW9+dxvyoD4hYzeXeE/4rzJ6HIeEQOB1+fbhV3xw0
 T2RrVCtTuQvya9HiJB7txk3QGrntpsMX9Tt1cyXoW5E
 -> ssh-ed25519 MSF3dg JOZkFb2CfqWKvZIz7lYxXWgv8iEVDkQF8hInDMZvknc
 MHDWxjUw4dNiC1h4MrU9uKKcI3rwkxABm0+5FYMZkok
 -> ~8m;7f-grease
 lDIullfC98RhpTZ4Mk87Td+VtPmwPdgz+iIilpKugUkmV5r4Uqd7yE+5ArA6ekr/
 G/X4EA
 --- Cz4sv9ZunBcVdZCozdTh1zlg1zIASjk2MjYeYfcN9eA
 ÊN	Å$[H˜ÝQËéŠ
 d£š·'±ö7…·Í²)ÖØÀÊx9yüÐëE¡þÓM7^Ø[ÐMŽ+É&éâö½$8tM¨Ð²
--- a/secrets/nosv-token.age
+++ b/secrets/nosv-token.age
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> ssh-ed25519 HY2yRg hrdS7Dl/j+u3XVfM79ZJpZSlre9TcD7DTQ+EEAT6kEE
 avUO96P1h7w2BYWgrQ7GpUgdaCV9AZL7eOTTcF9gfro
 -> ssh-ed25519 CAWG4Q A5raRY1CAgFYZgoQ92GMyNejYNdHx/7Y6uTS+EjLPWA
 FRFqT2Jz7qRcybaxkQTKHGl797LVXoHpYG4RZSrX/70
 -> ssh-ed25519 MSF3dg D+R80Bg7W9AuiOMAqtGFZQl994dRBIegYRLmmTaeZ3o
 BHvZsugRiuZ91b4jk91h30o3eF3hadSnVCwxXge95T8
 -> BT/El`a-grease W{nq|Vm )bld 2Nl}4 N$#JGB4t
 oLG+0S1aGfO/ohCfgGmhDhwwLi4H
 --- 2I5C+FvBG/K1ZHh7C5QD39feTSLoFGwcTeZAmeILNsI
 ¹õW©o÷ ÙÄd;ËÐC¾.¹¡_(“u
G¡€‰#ìvâœgÉ<67>†õõy¹Y‰žl9ŒÈ¡Ïµ.Œé0x<30>Þ½úN. /ü<>tB×b‡ü¼K¼ì:Q×—È\¹ÀÍT_´»Átxïm’——_JñÞž-š
--- a/secrets/ovni-token.age
+++ b/secrets/ovni-token.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,13 @@
 let
  keys = import ../keys.nix;
  adminsKeys = builtins.attrValues keys.admins;
  hut = [ keys.hosts.hut ] ++ adminsKeys;
  # Only expose ceph keys to safe nodes and admins
  ceph = keys.hostGroup.safe ++ adminsKeys;
 in
 {
  "ovni-token.age".publicKeys = hut;
  "nosv-token.age".publicKeys = hut;
  "ceph-user.age".publicKeys = ceph;
 }