glotzbert: mount new cephfs with keyfile from sops-nix

Astro 2021-11-11 01:55:02 +01:00
parent f21ce1c1e6
commit 2a582dc3cb
5 changed files with 114 additions and 8 deletions


@ -177,3 +177,17 @@ in {
}
```
# Secret Management Using `sops-nix`
Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.
```
cd secrets
nix develop
sops hosts/.../secrets.yaml
git commit -a -m YOLO
git push origin HEAD:master
cd ..
nix flake lock . --update-input secrets
```


@ -167,6 +167,36 @@
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1636574401,
"narHash": "sha256-/VxpOq1lWGTT14PTkxFQmkXzcezb2N/E6UnosXcYcvI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b3f59f2089722ec4f0d4a032d329d33ddd63a226",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1636228094,
"narHash": "sha256-CpOcIwHAn3yS0PeVmUICFrJ+gde2PiZp3XsnDP3LE9w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2606cb0fc24e65f489b7d9fdcbf219756e45db35",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1631792076,
"narHash": "sha256-dBRsZ3JB6i53nzC30SsltdwrzjIr8e0zU/y8HitKpT8=",
@ -209,6 +239,7 @@
"nixpkgs-unstable": "nixpkgs-unstable",
"scrapers": "scrapers",
"secrets": "secrets",
"sops-nix": "sops-nix",
"spacemsg": "spacemsg",
"ticker": "ticker",
"tigger": "tigger",
@ -233,12 +264,18 @@
}
},
"secrets": {
"inputs": {
"nixpkgs": "nixpkgs_3",
"sops-nix": [
"sops-nix"
]
},
"locked": {
"lastModified": 1634413351,
"narHash": "sha256-iLtQVQSiwdHxSvOWEP54qRuJTs9E96SZULZzp7OXxS8=",
"lastModified": 1636591632,
"narHash": "sha256-T4Zy9eMMvlz9xN8k9RaVpXswN960fVvFSQKZawLgisY=",
"ref": "master",
"rev": "aa6b2921ff392ea8ce546d098d5fb1fe8dd52066",
"revCount": 105,
"rev": "a8a008bba31ff71f8d9cb98533bdafe8a69a4e39",
"revCount": 106,
"type": "git",
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
},
@ -247,6 +284,24 @@
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1636497917,
"narHash": "sha256-8U0Tvot7U5KJ8vpn6xR611v7b441QdAQC04xhxjMHOc=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "a8cbd0c796e4678f0fd2e59f274e49705ee523ed",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"spacemsg": {
"flake": false,
"locked": {
@ -333,7 +388,7 @@
},
"zentralwerk": {
"inputs": {
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_5",
"nixpkgs-master": "nixpkgs-master",
"openwrt": "openwrt",
"zentralwerk-network-key": "zentralwerk-network-key"


@ -7,6 +7,7 @@
nixpkgs-openwebrx.url = "github:astro/nixpkgs/openwebrx";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
secrets.url = "git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git";
secrets.inputs.sops-nix.follows = "sops-nix";
nixos-hardware.url = "github:nixos/nixos-hardware";
zentralwerk.url = "git+https://gitea.c3d2.de/zentralwerk/network.git";
yammat.url = "git+https://gitea.c3d2.de/astro/yammat.git?ref=nix";
@ -20,9 +21,10 @@
ticker.url = "git+https://gitea.c3d2.de/astro/ticker.git";
ticker.flake = false;
heliwatch.url = "git+https://gitea.c3d2.de/astro/heliwatch.git";
sops-nix.url = "github:Mic92/sops-nix";
};
outputs = inputs@{ self, nixpkgs, secrets, nixos-hardware, zentralwerk, yammat, scrapers, spacemsg, tigger, ticker, heliwatch, ... }:
outputs = inputs@{ self, nixpkgs, secrets, nixos-hardware, zentralwerk, yammat, scrapers, spacemsg, tigger, ticker, heliwatch, sops-nix, ... }:
let
forAllSystems = nixpkgs.lib.genAttrs [ "aarch64-linux" "x86_64-linux" ];
@ -225,7 +227,12 @@
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
secrets.nixosModules.admins
sops-nix.nixosModules.sops
];
extraArgs = {
inherit zentralwerk;
secretsFile = "${secrets}/hosts/glotzbert/secrets.yaml";
};
system = "x86_64-linux";
};
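Review bot: `sops-nix.url = "github:Mic92/sops-nix";` is added without pinning its nixpkgs to this flake's, and the lock in the same commit shows the consequence — `sops-nix` gets its own `nixpkgs_4` tracking nixpkgs-unstable, so a second full nixpkgs tree is fetched and evaluated and becomes one more upstream to keep updated; add `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` next to it, mirroring the `secrets.inputs.sops-nix.follows = "sops-nix";` line earlier in the same file. Separately, `secretsFile = "${secrets}/hosts/glotzbert/secrets.yaml"` interpolates the flake input's store path, so that YAML ends up in the world-readable Nix store; that is fine only while every value in it is sops-encrypted, and a comment such as `# this path lands in /nix/store: keep the file ciphertext-only` would make the assumption explicit for whoever edits the secrets repo. Both the `inputs` set and the glotzbert nixosConfiguration extend beyond the hunks shown.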


@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ zentralwerk, secretsFile, config, pkgs, ... }:
{
imports = [ ./hardware-configuration.nix ];
@ -19,6 +19,12 @@
maxJobs = 4;
};
sops.defaultSopsFile = secretsFile;
sops.secrets = {
"ceph/secret" = {};
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
@ -40,6 +46,7 @@
firefox
mpv
kodi
ceph
];
systemd.user.services.x11vnc = {
@ -122,6 +129,29 @@
];
};
services.ceph = {
enable = true;
global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630";
client.enable = true;
};
fileSystems."/mnt/storage" =
let
monHosts = pkgs.lib.concatMapStringsSep "," (host:
zentralwerk.lib.config.site.net.cluster.hosts4.${host}
) [ "server5" "server6" "server8" ];
in {
fsType = "ceph";
device = "${monHosts}:/";
options = [
"_netdev"
"name=c3d2"
"secretfile=${config.sops.secrets."ceph/secret".path}"
"noatime"
"x-systemd.automount"
"x-systemd.device-timeout=5"
];
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
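Review bot: The new `fileSystems."/mnt/storage"` mounts the root of the CephFS (`device = "${monHosts}:/"`) as `name=c3d2` on a host that, per the same file, runs firefox, mpv, kodi and an x11vnc service, so whatever the `client.c3d2` key is allowed to do on the cluster becomes reachable from that desktop session; the commit does not show what caps that key carries. If this box only needs a subtree, scope the key on the cluster side with `ceph fs authorize <fs> client.c3d2 /<subpath> r` (or `rw`) and mount that path instead of `/`, and record the expectation beside the option: `"name=c3d2" # key should carry MDS caps limited to the path mounted here`. The `secretfile=` path resolves to sops-nix's secret location, presumably root-owned and 0400 by default, which is what the root-run mount helper needs, but the traffic to the mons listed in `monHosts` is otherwise unencrypted on the cluster network; if the kernel is ≥5.11 and the cluster speaks msgr2, adding `"ms_mode=secure"` to `options` closes that — confirm both before relying on it. The `fileSystems` attribute set is complete within the hunk.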

@ -1 +1 @@
Subproject commit aa6b2921ff392ea8ce546d098d5fb1fe8dd52066
Subproject commit a8a008bba31ff71f8d9cb98533bdafe8a69a4e39