From 2a582dc3cb5a713a00d26441bf32c51098296ca6 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 11 Nov 2021 01:55:02 +0100 Subject: [PATCH] glotzbert: mount new cephfs with keyfile from sops-nix --- README.md | 14 ++++++++ flake.lock | 65 ++++++++++++++++++++++++++++++++++--- flake.nix | 9 ++++- hosts/glotzbert/default.nix | 32 +++++++++++++++++- secrets | 2 +- 5 files changed, 114 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 3a64d66e..c8d296c2 100644 --- a/README.md +++ b/README.md @@ -177,3 +177,17 @@ in { } ``` + +# Secret Management Using `sops-nix` + +Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey. + +``` +cd secrets +nix develop +sops hosts/.../secrets.yaml +git commit -a -m YOLO +git push origin HEAD:master +cd .. +nix flake lock . --update-input secrets +``` diff --git a/flake.lock b/flake.lock index 01f6b138..5fe3ce24 100644 --- a/flake.lock +++ b/flake.lock @@ -167,6 +167,36 @@ } }, "nixpkgs_3": { + "locked": { + "lastModified": 1636574401, + "narHash": "sha256-/VxpOq1lWGTT14PTkxFQmkXzcezb2N/E6UnosXcYcvI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b3f59f2089722ec4f0d4a032d329d33ddd63a226", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1636228094, + "narHash": "sha256-CpOcIwHAn3yS0PeVmUICFrJ+gde2PiZp3XsnDP3LE9w=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2606cb0fc24e65f489b7d9fdcbf219756e45db35", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { "locked": { "lastModified": 1631792076, "narHash": "sha256-dBRsZ3JB6i53nzC30SsltdwrzjIr8e0zU/y8HitKpT8=", @@ -209,6 +239,7 @@ "nixpkgs-unstable": "nixpkgs-unstable", "scrapers": "scrapers", "secrets": "secrets", + "sops-nix": "sops-nix", "spacemsg": "spacemsg", "ticker": "ticker", "tigger": "tigger", 
@@ -233,12 +264,18 @@
 }
 },
 "secrets": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_3",
+ "sops-nix": [
+ "sops-nix"
+ ]
+ },
 "locked": {
- "lastModified": 1634413351,
- "narHash": "sha256-iLtQVQSiwdHxSvOWEP54qRuJTs9E96SZULZzp7OXxS8=",
+ "lastModified": 1636591632,
+ "narHash": "sha256-T4Zy9eMMvlz9xN8k9RaVpXswN960fVvFSQKZawLgisY=",
 "ref": "master",
- "rev": "aa6b2921ff392ea8ce546d098d5fb1fe8dd52066",
- "revCount": 105,
+ "rev": "a8a008bba31ff71f8d9cb98533bdafe8a69a4e39",
+ "revCount": 106,
 "type": "git",
 "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
 },
@@ -247,6 +284,24 @@
 "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_4"
+ },
+ "locked": {
+ "lastModified": 1636497917,
+ "narHash": "sha256-8U0Tvot7U5KJ8vpn6xR611v7b441QdAQC04xhxjMHOc=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "a8cbd0c796e4678f0fd2e59f274e49705ee523ed",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "spacemsg": {
 "flake": false,
 "locked": {
@@ -333,7 +388,7 @@
 },
 "zentralwerk": {
 "inputs": {
- "nixpkgs": "nixpkgs_3",
+ "nixpkgs": "nixpkgs_5",
 "nixpkgs-master": "nixpkgs-master",
 "openwrt": "openwrt",
 "zentralwerk-network-key": "zentralwerk-network-key"
diff --git a/flake.nix b/flake.nix
index e9fbd401..2422ffc3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,6 +7,7 @@
 nixpkgs-openwebrx.url = "github:astro/nixpkgs/openwebrx";
 nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 secrets.url = "git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git";
+ secrets.inputs.sops-nix.follows = "sops-nix";
 nixos-hardware.url = "github:nixos/nixos-hardware";
 zentralwerk.url = "git+https://gitea.c3d2.de/zentralwerk/network.git";
 yammat.url = "git+https://gitea.c3d2.de/astro/yammat.git?ref=nix";
@@ -20,9 +21,10 @@ ticker.url = "git+https://gitea.c3d2.de/astro/ticker.git"; ticker.flake = false; heliwatch.url = "git+https://gitea.c3d2.de/astro/heliwatch.git"; + sops-nix.url = "github:Mic92/sops-nix"; }; - outputs = inputs@{ self, nixpkgs, secrets, nixos-hardware, zentralwerk, yammat, scrapers, spacemsg, tigger, ticker, heliwatch, ... }: + outputs = inputs@{ self, nixpkgs, secrets, nixos-hardware, zentralwerk, yammat, scrapers, spacemsg, tigger, ticker, heliwatch, sops-nix, ... }: let forAllSystems = nixpkgs.lib.genAttrs [ "aarch64-linux" "x86_64-linux" ]; @@ -225,7 +227,12 @@ nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-pc-ssd secrets.nixosModules.admins + sops-nix.nixosModules.sops ]; + extraArgs = { + inherit zentralwerk; + secretsFile = "${secrets}/hosts/glotzbert/secrets.yaml"; + }; system = "x86_64-linux"; }; diff --git a/hosts/glotzbert/default.nix b/hosts/glotzbert/default.nix index cdc59ce2..b40d53e6 100644 --- a/hosts/glotzbert/default.nix +++ b/hosts/glotzbert/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ zentralwerk, secretsFile, config, pkgs, ... }: { imports = [ ./hardware-configuration.nix ]; @@ -19,6 +19,12 @@ maxJobs = 4; }; + sops.defaultSopsFile = secretsFile; + sops.secrets = { + "ceph/secret" = {}; + }; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; @@ -40,6 +46,7 @@ firefox mpv kodi + ceph ]; systemd.user.services.x11vnc = { 
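Review bot: The new `sops-nix.url = "github:Mic92/sops-nix";` input is not told to reuse this flake's nixpkgs, so the lock in this commit records a separate `nixpkgs_4` just for it and the sops-nix module is evaluated against a second nixpkgs snapshot. Adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` next to the url line keeps a single nixpkgs (and a single copy of the sops/age tooling) in the closure, mirroring the `secrets.inputs.sops-nix.follows = "sops-nix";` line this commit already adds for the `secrets` input. The `inputs` attribute set this hunk edits starts above the hunk.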
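Review bot: `sops.defaultSopsFile = secretsFile;` points at a file inside the `secrets` flake input, i.e. a world-readable `/nix/store` path; that is acceptable only because the file is sops-encrypted and can be opened solely with a recipient key, here the age key sops-nix derives from `/etc/ssh/ssh_host_ed25519_key`, and the declaration should say so, e.g. `# encrypted YAML shipped via the secrets flake; it lives in the store and is decrypted at activation with this host's ssh key`. The `"ceph/secret" = {};` entry leans on sops-nix's defaults for owner and mode (root-owned, not readable by other users as far as I know), which is the right setting for a key that only the root-run mount helper reads, but the intent is invisible; `"ceph/secret" = {}; # root-only by default; read by mount.ceph via secretfile=` keeps a later edit from loosening it casually. The surrounding module attribute set starts and ends outside the hunk.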
@@ -122,6 +129,29 @@ ]; }; + services.ceph = { + enable = true; + global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630"; + client.enable = true; + }; + fileSystems."/mnt/storage" = + let + monHosts = pkgs.lib.concatMapStringsSep "," (host: + zentralwerk.lib.config.site.net.cluster.hosts4.${host} + ) [ "server5" "server6" "server8" ]; + in { + fsType = "ceph"; + device = "${monHosts}:/"; + options = [ + "_netdev" + "name=c3d2" + "secretfile=${config.sops.secrets."ceph/secret".path}" + "noatime" + "x-systemd.automount" + "x-systemd.device-timeout=5" + ]; + }; + # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you diff --git a/secrets b/secrets index aa6b2921..a8a008bb 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit aa6b2921ff392ea8ce546d098d5fb1fe8dd52066 +Subproject commit a8a008bba31ff71f8d9cb98533bdafe8a69a4e39
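Review bot: The `"x-systemd.device-timeout=5"` entry in the new mount's `options` list is most likely inert: it bounds how long systemd waits for a device unit, and a CephFS source such as `${monHosts}:/` is not a block device, so the generated mount unit has no device to wait for. If the goal is to keep boot or first access from hanging while the monitors are unreachable, `x-systemd.mount-timeout=` is the option that bounds the mount(8) call itself, and `_netdev` plus `x-systemd.automount` already defer the attempt until the network is up. The `"secretfile=${config.sops.secrets."ceph/secret".path}"` option also deserves a comment: as I read mount.ceph, that file must contain only the raw base64 key belonging to the `name=c3d2` entity, not a keyring with `[client.c3d2]`/`key =` framing, which constrains what the `ceph/secret` value in secrets.yaml may hold and cannot be verified from this diff. The enclosing module attribute set continues outside the hunk.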