From b3ef53de515183cd40c779f1bed67f3f7eb2e089 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Wed, 23 Aug 2023 17:18:17 +0200 Subject: [PATCH] Store ceph secret key in age This allows a node to mount the ceph FS without any extra ceph configuration in /etc/ceph. --- m/hut/ceph.nix | 10 ++++++++-- m/hut/secrets.nix | 1 + m/hut/secrets/ceph-user.age | 11 +++++++++++ 3 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 m/hut/secrets/ceph-user.age diff --git a/m/hut/ceph.nix b/m/hut/ceph.nix index fab5493..722466f 100644 --- a/m/hut/ceph.nix +++ b/m/hut/ceph.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: { environment.systemPackages = [ pkgs.ceph-client ]; @@ -7,8 +7,14 @@ # modprobe command. boot.kernelModules = [ "ceph" ]; + age.secrets."secrets/ceph-user".file = ./secrets/ceph-user.age; + fileSystems."/ceph" = { fsType = "ceph"; - device = "animal@9c8d06e0-485f-4aaf-b16b-06d6daf1232b.cephfs=/"; + device = "user@9c8d06e0-485f-4aaf-b16b-06d6daf1232b.cephfs=/"; + options = [ + "mon_addr=10.0.40.40" + "secretfile=${config.age.secrets."secrets/ceph-user".path}" + ]; }; } diff --git a/m/hut/secrets.nix b/m/hut/secrets.nix index 2c4d823..d22add6 100644 --- a/m/hut/secrets.nix +++ b/m/hut/secrets.nix @@ -7,4 +7,5 @@ in { "secrets/ovni-token.age".publicKeys = default; "secrets/nosv-token.age".publicKeys = default; + "secrets/ceph-user.age".publicKeys = default; } diff --git a/m/hut/secrets/ceph-user.age b/m/hut/secrets/ceph-user.age new file mode 100644 index 0000000..735afca --- /dev/null +++ b/m/hut/secrets/ceph-user.age 
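Review bot: The `options` list added to `fileSystems."/ceph"` has no comment saying why the key is handed over as `secretfile=` with the `age.secrets` path. That is the property worth protecting: only the path reaches the generated mount configuration, whereas an inline `secret=` would copy the key into the world-readable Nix store. I would put `# Pass the key by path only: it is decrypted at activation, so it stays out of the Nix store and /etc/fstab.` above the `secretfile=` line. The mount also now depends on the single hard-coded `mon_addr=10.0.40.40`; if the cluster runs more monitors, which I cannot confirm from this hunk, listing them would avoid tying /ceph to one host.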
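Review bot: The new `"secrets/ceph-user.age".publicKeys = default;` line encrypts the cephx key to the same recipient set as the two tokens, and `default` is defined above the hunk, so I cannot tell whether every key in it belongs to a host or admin that needs to mount /ceph. The committed ciphertext carries three `ssh-ed25519` recipient stanzas, and the holder of any one of those keys can recover the secret. If fewer machines need it, a narrower list for this entry would be closer to least privilege. Because the ciphertext stays in git history, I would also record next to the entry: `# If a recipient is removed or compromised, rotate the cephx key on the cluster; rekeying does not revoke old ciphertext.`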
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 CAWG4Q 35Ak+Mep9k5KnDLF1ywDbMD4l4mRFg6D0et19tqXxAw +Wgr+CX4rzrPmUszSidtLAVSvgD80F2dqtd92hGZIFwo +-> ssh-ed25519 MSF3dg OVFvpkAyWTowtxsafstX31H/hJpNZmnOCbvqMIN0+AQ +VxjRcQmp+BadEh2y0PB96EeizIl3tTQpVu0CWHmsc1s +-> ssh-ed25519 HY2yRg MJSQIpre9m0XnojgXuKQ/+hVBZNrZNGZqplwhqicpjI +CLkE52iqpoqSnbzisNjQgxTfNqKeaRl5ntcw1d+ZDyQ +-> m$8`De%~-grease '85p}`by +52zMpprONcawWDDtzHdWNwFoYXErPUnVjhSONbUBpDlqAmJmD1LcAnsU +--- 0vZOPyXQIMMGTwgFfvm8Sn8O7vjrsjGUEy5m/BASCyc +|)*_DUS`r sN[֌^e+A 1G.#mW 5 ( \ No newline at end of file