glotzbert: mount new cephfs with keyfile from sops-nix
This commit is contained in:
parent
f21ce1c1e6
commit
2a582dc3cb
14
README.md
14
README.md
|
@ -177,3 +177,17 @@ in {
|
||||||
}
|
}
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
# Secret Management Using `sops-nix`
|
||||||
|
|
||||||
|
Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.
|
||||||
|
|
||||||
|
```
|
||||||
|
cd secrets
|
||||||
|
nix develop
|
||||||
|
sops hosts/.../secrets.yaml
|
||||||
|
git commit -a -m YOLO
|
||||||
|
git push origin HEAD:master
|
||||||
|
cd ..
|
||||||
|
nix flake lock . --update-input secrets
|
||||||
|
```
|
||||||
|
|
65
flake.lock
65
flake.lock
|
@ -167,6 +167,36 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs_3": {
|
"nixpkgs_3": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1636574401,
|
||||||
|
"narHash": "sha256-/VxpOq1lWGTT14PTkxFQmkXzcezb2N/E6UnosXcYcvI=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "b3f59f2089722ec4f0d4a032d329d33ddd63a226",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"id": "nixpkgs",
|
||||||
|
"type": "indirect"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs_4": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1636228094,
|
||||||
|
"narHash": "sha256-CpOcIwHAn3yS0PeVmUICFrJ+gde2PiZp3XsnDP3LE9w=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "2606cb0fc24e65f489b7d9fdcbf219756e45db35",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "nixpkgs-unstable",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs_5": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1631792076,
|
"lastModified": 1631792076,
|
||||||
"narHash": "sha256-dBRsZ3JB6i53nzC30SsltdwrzjIr8e0zU/y8HitKpT8=",
|
"narHash": "sha256-dBRsZ3JB6i53nzC30SsltdwrzjIr8e0zU/y8HitKpT8=",
|
||||||
|
@ -209,6 +239,7 @@
|
||||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||||
"scrapers": "scrapers",
|
"scrapers": "scrapers",
|
||||||
"secrets": "secrets",
|
"secrets": "secrets",
|
||||||
|
"sops-nix": "sops-nix",
|
||||||
"spacemsg": "spacemsg",
|
"spacemsg": "spacemsg",
|
||||||
"ticker": "ticker",
|
"ticker": "ticker",
|
||||||
"tigger": "tigger",
|
"tigger": "tigger",
|
||||||
|
@ -233,12 +264,18 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"secrets": {
|
"secrets": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": "nixpkgs_3",
|
||||||
|
"sops-nix": [
|
||||||
|
"sops-nix"
|
||||||
|
]
|
||||||
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1634413351,
|
"lastModified": 1636591632,
|
||||||
"narHash": "sha256-iLtQVQSiwdHxSvOWEP54qRuJTs9E96SZULZzp7OXxS8=",
|
"narHash": "sha256-T4Zy9eMMvlz9xN8k9RaVpXswN960fVvFSQKZawLgisY=",
|
||||||
"ref": "master",
|
"ref": "master",
|
||||||
"rev": "aa6b2921ff392ea8ce546d098d5fb1fe8dd52066",
|
"rev": "a8a008bba31ff71f8d9cb98533bdafe8a69a4e39",
|
||||||
"revCount": 105,
|
"revCount": 106,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
||||||
},
|
},
|
||||||
|
@ -247,6 +284,24 @@
|
||||||
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"sops-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": "nixpkgs_4"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1636497917,
|
||||||
|
"narHash": "sha256-8U0Tvot7U5KJ8vpn6xR611v7b441QdAQC04xhxjMHOc=",
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"rev": "a8cbd0c796e4678f0fd2e59f274e49705ee523ed",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"spacemsg": {
|
"spacemsg": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -333,7 +388,7 @@
|
||||||
},
|
},
|
||||||
"zentralwerk": {
|
"zentralwerk": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": "nixpkgs_3",
|
"nixpkgs": "nixpkgs_5",
|
||||||
"nixpkgs-master": "nixpkgs-master",
|
"nixpkgs-master": "nixpkgs-master",
|
||||||
"openwrt": "openwrt",
|
"openwrt": "openwrt",
|
||||||
"zentralwerk-network-key": "zentralwerk-network-key"
|
"zentralwerk-network-key": "zentralwerk-network-key"
|
||||||
|
|
|
@ -7,6 +7,7 @@
|
||||||
nixpkgs-openwebrx.url = "github:astro/nixpkgs/openwebrx";
|
nixpkgs-openwebrx.url = "github:astro/nixpkgs/openwebrx";
|
||||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||||
secrets.url = "git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git";
|
secrets.url = "git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git";
|
||||||
|
secrets.inputs.sops-nix.follows = "sops-nix";
|
||||||
nixos-hardware.url = "github:nixos/nixos-hardware";
|
nixos-hardware.url = "github:nixos/nixos-hardware";
|
||||||
zentralwerk.url = "git+https://gitea.c3d2.de/zentralwerk/network.git";
|
zentralwerk.url = "git+https://gitea.c3d2.de/zentralwerk/network.git";
|
||||||
yammat.url = "git+https://gitea.c3d2.de/astro/yammat.git?ref=nix";
|
yammat.url = "git+https://gitea.c3d2.de/astro/yammat.git?ref=nix";
|
||||||
|
@ -20,9 +21,10 @@
|
||||||
ticker.url = "git+https://gitea.c3d2.de/astro/ticker.git";
|
ticker.url = "git+https://gitea.c3d2.de/astro/ticker.git";
|
||||||
ticker.flake = false;
|
ticker.flake = false;
|
||||||
heliwatch.url = "git+https://gitea.c3d2.de/astro/heliwatch.git";
|
heliwatch.url = "git+https://gitea.c3d2.de/astro/heliwatch.git";
|
||||||
|
sops-nix.url = "github:Mic92/sops-nix";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = inputs@{ self, nixpkgs, secrets, nixos-hardware, zentralwerk, yammat, scrapers, spacemsg, tigger, ticker, heliwatch, ... }:
|
outputs = inputs@{ self, nixpkgs, secrets, nixos-hardware, zentralwerk, yammat, scrapers, spacemsg, tigger, ticker, heliwatch, sops-nix, ... }:
|
||||||
let
|
let
|
||||||
forAllSystems = nixpkgs.lib.genAttrs [ "aarch64-linux" "x86_64-linux" ];
|
forAllSystems = nixpkgs.lib.genAttrs [ "aarch64-linux" "x86_64-linux" ];
|
||||||
|
|
||||||
|
@ -225,7 +227,12 @@
|
||||||
nixos-hardware.nixosModules.common-cpu-intel
|
nixos-hardware.nixosModules.common-cpu-intel
|
||||||
nixos-hardware.nixosModules.common-pc-ssd
|
nixos-hardware.nixosModules.common-pc-ssd
|
||||||
secrets.nixosModules.admins
|
secrets.nixosModules.admins
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
];
|
];
|
||||||
|
extraArgs = {
|
||||||
|
inherit zentralwerk;
|
||||||
|
secretsFile = "${secrets}/hosts/glotzbert/secrets.yaml";
|
||||||
|
};
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, ... }:
|
{ zentralwerk, secretsFile, config, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [ ./hardware-configuration.nix ];
|
imports = [ ./hardware-configuration.nix ];
|
||||||
|
@ -19,6 +19,12 @@
|
||||||
maxJobs = 4;
|
maxJobs = 4;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops.defaultSopsFile = secretsFile;
|
||||||
|
sops.secrets = {
|
||||||
|
"ceph/secret" = {};
|
||||||
|
};
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
|
||||||
# Use the systemd-boot EFI boot loader.
|
# Use the systemd-boot EFI boot loader.
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
@ -40,6 +46,7 @@
|
||||||
firefox
|
firefox
|
||||||
mpv
|
mpv
|
||||||
kodi
|
kodi
|
||||||
|
ceph
|
||||||
];
|
];
|
||||||
|
|
||||||
systemd.user.services.x11vnc = {
|
systemd.user.services.x11vnc = {
|
||||||
|
@ -122,6 +129,29 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.ceph = {
|
||||||
|
enable = true;
|
||||||
|
global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630";
|
||||||
|
client.enable = true;
|
||||||
|
};
|
||||||
|
fileSystems."/mnt/storage" =
|
||||||
|
let
|
||||||
|
monHosts = pkgs.lib.concatMapStringsSep "," (host:
|
||||||
|
zentralwerk.lib.config.site.net.cluster.hosts4.${host}
|
||||||
|
) [ "server5" "server6" "server8" ];
|
||||||
|
in {
|
||||||
|
fsType = "ceph";
|
||||||
|
device = "${monHosts}:/";
|
||||||
|
options = [
|
||||||
|
"_netdev"
|
||||||
|
"name=c3d2"
|
||||||
|
"secretfile=${config.sops.secrets."ceph/secret".path}"
|
||||||
|
"noatime"
|
||||||
|
"x-systemd.automount"
|
||||||
|
"x-systemd.device-timeout=5"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
# compatible, in order to avoid breaking some software such as database
|
# compatible, in order to avoid breaking some software such as database
|
||||||
# servers. You should change this only after NixOS release notes say you
|
# servers. You should change this only after NixOS release notes say you
|
||||||
|
|
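Review bot: The new `sops.secrets."ceph/secret" = {};` and the `secretfile=` mount option leave undocumented what the secret must contain and how it reaches the host, so a maintainer rotating the cephx key or re-keying the host has to reconstruct that from the mount options and `sops.age.sshKeyPaths`. I would put a comment above `sops.defaultSopsFile = secretsFile;` along the lines of `# Decrypted at activation with the age key derived from this host's ed25519 SSH host key; if that key is regenerated the secrets file must be re-encrypted for the new recipient (see README). "ceph/secret" holds the raw cephx key for the client named in the mount options (name=c3d2).` The decrypted file lands at `config.sops.secrets."ceph/secret".path`, presumably root-only by sops-nix default, which is what the root-driven mount needs, so no owner or mode override looks necessary here. One thing to confirm on the hunk around `ceph` being added to the package list: `fsType = "ceph"` relies on the `mount.ceph` helper being found by `mount` at boot, and `system.fsPackages` rather than `environment.systemPackages` is the NixOS option intended for mount helpers, so if the mount fails to resolve the helper, `system.fsPackages = [ pkgs.ceph ];` is the place to move it. The enclosing module attrset starts outside this hunk.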
2
secrets
2
secrets
|
@ -1 +1 @@
|
||||||
Subproject commit aa6b2921ff392ea8ce546d098d5fb1fe8dd52066
|
Subproject commit a8a008bba31ff71f8d9cb98533bdafe8a69a4e39
|