From 941875ca3ec6a74802f841387332e82cd92f810a Mon Sep 17 00:00:00 2001
From: revol-xut
Date: Tue, 18 Apr 2023 19:17:19 +0200
Subject: [PATCH] starting the testbet
---
 .sops.yaml | 14 ++++-
 flake.lock | 18 +++---
 flake.nix | 6 +-
 hosts/fuck/default.nix | 4 +-
 keys/gpg/test.age | 3 +
 modules/data-hoarder/postgres.nix | 1 +
 secrets/mctest/secrets.yaml | 94 +++++++++++++++++++++++++++++++
 7 files changed, 125 insertions(+), 15 deletions(-)
 create mode 100644 keys/gpg/test.age
 create mode 100644 secrets/mctest/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index d36c4a3..e5bb379 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,7 +3,10 @@ keys:
 - &admin_revol-xut 91EBE87016391323642A6803B966009D57E69CC6
 - &admin_marenz-1 069836A578F7939612DB4934F77D0F7E247A1EE4
 - &admin_marenz-2 ED06986DFAAE6A61B751DC2F537F97DFB394C433
- # - &admin_astro
+
+ # test key
+ - &test age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh
+
 - &data-hoarder age1djp5hk6vpm5glzqy9h2e2cgam5xydx888glgs85kvs57spaf8v0sfm0pa2
 - &data-hoarder-staging age1m4g4y5ga2m8xdvs7rarda3tyk4gtkyta6pfyq2n3xmy47z20kfxq73m8r8
 - &watch-me-senpai age18q907v2706qxmjewqan7xng2su3z6zyz9a2q444jew22apd46y7q8wjjku
@@ -50,6 +53,15 @@ creation_rules:
 age:
 - *data-hoarder
 - *data-hoarder-staging
+ - path_regex: secrets/mctest/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_oxa
+ - *admin_revol-xut
+ - *admin_marenz-1
+ - *admin_marenz-2
+ age:
+ - *test
 - path_regex: secrets/data-hoarder-staging/[^/]+\.yaml$
 key_groups:
 - pgp:
diff --git a/flake.lock b/flake.lock
index 0bd13a4..21ab64b 100644
--- a/flake.lock
+++ b/flake.lock
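Review bot: The new `secrets/mctest/` creation rule encrypts to the `*test` age recipient whose private identity is committed in this same patch as `keys/gpg/test.age` (an `AGE-SECRET-KEY-1…` line next to the matching public key), so every value in `secrets/mctest/secrets.yaml` is readable by anyone with read access to the repository and the pgp admin group on the rule adds no protection. If the VM is meant to be a throwaway testbed, state that on the rule, e.g. `# test key: its identity is committed in keys/gpg/test.age, so everything under secrets/mctest/ is effectively public — never put a real credential here`; otherwise keep the identity out of git (generate it on the test host or in a developer keyring) and re-encrypt the file. The key file's own header dates it to 2021-10-15, well before this commit, so if that identity was ever used for anything else it should be treated as exposed and rotated. The same point applies to the keys/gpg/test.age and secrets/mctest/secrets.yaml hunks further down; `keys/gpg/` is also a misleading directory for an age identity.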
@@ -338,11 +338,11 @@ ] }, "locked": { - "lastModified": 1681675448, - "narHash": "sha256-MZROMuhBDdkkR1Zg+L1kXQ1dzopdUH9uNGqFdO+hEUs=", + "lastModified": 1681762509, + "narHash": "sha256-IzAZeVZpuLZX2rsxVVVHhnd8lKJ3bXWXEx5S+uzELlw=", "owner": "tlm-solutions", "repo": "kindergarten", - "rev": "102c0c7b2f74c8e82384acf9bbe02aa5b92950fe", + "rev": "70a9116b0fc09335feecca63b4e2c9034692a6ee", "type": "github" }, "original": { @@ -420,11 +420,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1681696129, - "narHash": "sha256-Ba2y1lmsWmmAOAoTD5G9UnTS/UqV0ZFyzysgdfu7qag=", + "lastModified": 1681759395, + "narHash": "sha256-7aaRtLxLAy8qFVIA26ulB+Q5nDVzuQ71qi0s0wMjAws=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "de66115c552acc4e0c0f92c5a5efb32e37dfa216", + "rev": "cd749f58ba83f7155b7062dd49d08e5e47e44d50", "type": "github" }, "original": { @@ -578,11 +578,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1681721408, - "narHash": "sha256-NWCbZKOQEXz1hA2YDFxdd+fVrrw9edbG1DvbbLf7KUY=", + "lastModified": 1681821695, + "narHash": "sha256-uwyBGo/9IALi97AfMuzkJroQQhV6hkybaZVdw6pRNG4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "de6514f8fe1b3c2b57307569a0898bc4be9ae1c5", + "rev": "5698b06b0731a2c15ff8c2351644427f8ad33993", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f5ce15f..34d550e 100644 --- a/flake.nix +++ b/flake.nix @@ -265,7 +265,7 @@ packages = { staging-microvm = self.nixosConfigurations.staging-data-hoarder.config.microvm.declaredRunner; data-hoarder-microvm = self.nixosConfigurations.data-hoarder.config.microvm.declaredRunner; - fuck-microvm = self.nixosConfigurations.fuck.config.microvm.declaredRunner; + fuck-microvm = self.nixosConfigurations.fuck.config.system.build.vm; docs = pkgs.callPackage ./pkgs/documentation.nix { inherit documentation-src; options-docs = (pkgs.nixosOptionsDoc { 
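Review bot: `fuck-microvm` now evaluates to `config.system.build.vm`, the plain qemu-vm runner, so the attribute name no longer describes what it builds; renaming it (for example `fuck-vm`) would stop readers from expecting a microvm runner, and the only other reference visible on this page, the `run-*` invocation in the next hunk of this file, would need the same rename. The `packages` attribute set continues outside the hunk.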
@@ -288,9 +288,9 @@ echo set -x - export QEMU_NET_OPTS="hostfwd=tcp::2223-:22,hostfwd=tcp::8050-:${toString cfg.TLMS.trekkie.port},hostfwd=tcp::8060-:${toString cfg.TLMS.datacare.port},hostfwd=tcp::8070-:${toString cfg.TLMS.dataAccumulator.port},hostfwd=tcp::8070-:${toString cfg.TLMS.funnel.defaultWebsocket.port}" + export QEMU_NET_OPTS="hostfwd=tcp::2223-:22,hostfwd=tcp::8050-:${toString cfg.TLMS.trekkie.port},hostfwd=tcp::8060-:${toString cfg.TLMS.datacare.port},hostfwd=tcp::8070-:${toString cfg.TLMS.dataAccumulator.port},hostfwd=tcp::8080-:${toString cfg.TLMS.funnel.defaultWebsocket.port}" echo "running the vm now..." - ${self.packages."x86_64-linux".fuck-microvm}/bin/run-nixos-vm + ${self.packages."x86_64-linux".fuck-microvm}/bin/run-staging-data-hoarder-vm ''); } // (import ./pkgs/deployment.nix { inherit self pkgs; systems = stop_boxes; }) diff --git a/hosts/fuck/default.nix b/hosts/fuck/default.nix index 93bbba9..0dc6e9d 100644 --- a/hosts/fuck/default.nix +++ b/hosts/fuck/default.nix @@ -1,4 +1,4 @@ -{ inputs, lib, modulesPath, ... }: +{self, inputs, lib, modulesPath, ... }: { imports = [ "${modulesPath}/virtualisation/qemu-vm.nix" @@ -41,7 +41,7 @@ have fun! ''; - + sops.defaultSopsFile = (lib.mkForce (self + /secrets/mctest/secrets.yaml)); networking.firewall.enable = false; diff --git a/keys/gpg/test.age b/keys/gpg/test.age new file mode 100644 index 0000000..69f5030 --- /dev/null +++ b/keys/gpg/test.age @@ -0,0 +1,3 @@ +# created: 2021-10-15T12:49:19+02:00 +# public key: age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh +AGE-SECRET-KEY-185C2AV5M0U2FAUL3LYQXDU7N5ZE226GRFRUY2976GNKGEXLQC3DQ539JDN diff --git a/modules/data-hoarder/postgres.nix b/modules/data-hoarder/postgres.nix index c18eac9..3e5942c 100644 --- a/modules/data-hoarder/postgres.nix +++ b/modules/data-hoarder/postgres.nix 
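Review bot: Every `hostfwd=` rule in the new `QEMU_NET_OPTS` line omits the host address, so QEMU binds ports 2223, 8050, 8060, 8070 and 8080 on all host interfaces rather than loopback only; with the guest firewall disabled (`networking.firewall.enable = false` in hosts/fuck/default.nix) and its secrets encrypted to an identity committed in this patch, the testbed is reachable from the host's network with credentials that are not private. Prefix each rule with the loopback address, e.g. `hostfwd=tcp:127.0.0.1:2223-:22`, and drop it only for a port that genuinely has to be reachable from elsewhere. The run script is now `run-staging-data-hoarder-vm` although the package is built from `nixosConfigurations.fuck`; as far as I recall qemu-vm names the script after the configuration's system name (by default its `networking.hostName`), so this works only if that host is named `staging-data-hoarder`, which deserves a comment either way. The shell block and the enclosing attribute set both extend outside the hunk.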
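Review bot: `sops.defaultSopsFile` now points at `secrets/mctest/secrets.yaml`, but nothing in this hunk tells sops-nix which age identity decrypts it on the VM (`sops.age.keyFile` or `sops.age.sshKeyPaths`); presumably the committed `keys/gpg/test.age` is wired in elsewhere, and a one-line comment naming where, e.g. `# decrypted with the testbed identity from keys/gpg/test.age (committed, test only)`, would save the next reader the search. `lib.mkForce` also silently overrides whatever default a shared module sets; if that override is intentional, say why in the same comment. In the first hunk of this file the new parameter list is written `{self, inputs, ...` — `{ self, inputs, lib, modulesPath, ... }:` keeps the spacing the line had before.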
@@ -44,6 +44,7 @@ # Get graphana to SELECT from tables that might be interesting for it $PSQL -c "GRANT CONNECT ON DATABASE tlms TO grafana;" + $PSQL -c "GRANT SELECT ON r09_transmission_locations TO grafana;" $PSQL -d tlms -c "GRANT SELECT ON r09_telegrams, raw_telegrams, gps_points, trekkie_runs, regions TO grafana;" unset DATABASE_URL diff --git a/secrets/mctest/secrets.yaml b/secrets/mctest/secrets.yaml new file mode 100644 index 0000000..9519890 --- /dev/null +++ b/secrets/mctest/secrets.yaml 
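Review bot: The added `GRANT SELECT ON r09_transmission_locations` runs through `$PSQL -c` without `-d tlms`, unlike the grant on the very next line, so it executes in whatever database `$PSQL` connects to by default — either failing because the table is not there or granting on a different object. Unless `$PSQL` already carries `-d tlms` (the explicit flag on the next line suggests it does not), fold the table into the existing statement: `$PSQL -d tlms -c "GRANT SELECT ON r09_transmission_locations, r09_telegrams, raw_telegrams, gps_points, trekkie_runs, regions TO grafana;"`. Since this looks like a one-shot setup step, a failed grant here may go unnoticed until Grafana cannot read the table. The shell script continues outside the hunk.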
@@ -0,0 +1,94 @@ +postgres_password: ENC[AES256_GCM,data:IR2dKubCkEk=,iv:5a5t4XEgR9f6g2mErhAiNrJQ8FNIcRYp6a8vy3r9wNs=,tag:hTW/6XRL3H/J5PiOqw7hhg==,type:str] +postgres_password_grafana: ENC[AES256_GCM,data:CQV5bJcd8HI=,iv:kzz3Zao1v4tPlen3fgZ38B4/gbcYmq7g3p79g1TrLmA=,tag:gnI2TgXftH+W3aldezspnA==,type:str] +postgres_password_hash_salt: ENC[AES256_GCM,data:Z478jkpCIEk=,iv:IIQVTYyotc1Vd0yqfF/mwZLhREslKs4K/PCRFU9GNfs=,tag:TeRWb8pt9wVvEVbwIouqWg==,type:str] +wg-seckey: ENC[AES256_GCM,data:NRdydeVJW1KOlrldOcgyHEsVzTtBqehsFhpRZ21b9TDuV5Yms9lxQ2oY56M=,iv:+DQNVmAM2PkGeTjEAPHYSSvvkonpGlidDzVQJsmoGD0=,tag:ootw8XWc+1jWcNY5zSDLgg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMGdyb1I0VkRnWGFpZ3Ni + b0x6T2hRclhSZENTdUJkVUNFNVJXaTdrR0I4CkRQRUxCeHBTZnI0OEY4L0dJNDZM + eE9YT0htbENOU2o2aUlPTjlFQ2ZNVkEKLS0tIFBCQzhISFFWZUl0WDk0K3ZxdjRO + ZFhMTm5SbjA4U05jbHJvRVVOUTRXTHcKltNcBvmyccoUU8pOBI0cmbw76XjEoHri + DgAiJvPLupe9Rd+ShKwVsvMoQB0m9ZlczpFsPXaSmOZksOn+lpqP4A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-18T10:14:14Z" + mac: ENC[AES256_GCM,data:3++jurmkbfeCG+xVdEB4zKHGRrIKuzWg0Mo9L2r/laNe6yIziQCP+rrcZX+YMT7wkw9JiM25nICD46aDiz7D2PkVLxiLY9artHPiaWdyZ0dUR5ZLyB/9vXM46ujtCekyDr0lOsL3rpTblTFn0XWivmHRZlbYrnrRrud7opIoTvk=,iv:E+/PhQGIjTzWu/WHytRXx/2m3ASGDUcurAS+ikW5S90=,tag:WT1rSlm6BqEgLPMKyNiINA==,type:str] + pgp: + - created_at: "2023-04-18T10:12:34Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7zUOKwzpAE7AQ//ajDN7xTx3YN2Qnd/Z5ih0Kvv4H75aJDB5Nw3ri6dmULR + /pFKa8XFKMcO930OnkEiYDc4hTR+5PqRCHo9miR02j2WLfGd348mVv/PHeuMMQMV + M9Naw50ZOdM87KUfE3EH6GO/6CPtGG3Dz7k1KpMoyg3g3T3jK+OJ1kJdHfxnG2h7 + +RhrZJxk9A75qPPgEusR54Uqq1DzvMzSX+GT39vkhhdMQ0iuqZBj0tsqXKFBpJEL + p60bKCQOT4NUUQcLna1LuFZNP3HckTIZdsjNGTUqsfCVL9QpAl/v+gmNA0ZGxyWT + 
r3al8p3LBwlGTrYGZmzNXXkUlJDKuo+N/7YBhx6KICa+Mx90gp0DgGoWXFGRqe1w + Yt/dyptP41O4OWmYNS8fz5nckYqXJTal31bJQ0i9fPiEYD1m/sV5tzKICU74aWR2 + ZggIVJ7KqjKPrfmikKWjxQu4aXMg2HzbEqYg9xS9g3N7GAIAODs04YP7vmJDfx9j + +Wx/nLvVERx232ulSlgtbFzxNtf5GrZXr85eEse+xEkNFC6YhgT8tVWSWmFWQZfJ + CRHeyfjg9x91TqrCaNfPTorQiXbsE9MuHGSyqgcIXfxH6RNBQb/uo7tN8SjfkAje + 3n/6Tmoj/ICtxLS1WIBmpKPbiSuBgQEBXnRw0UbhH2B7XVxsStnT0fjFAq2YOevS + UQEToGtLTApL1Ajc+j2wLDYyjyDa97Ac3cycCASrHEstSl0S0KpF8zwoFNh9vZZM + F7fX1503UkEfXrZpRVwkdwK2vUErEn3BvSpxz/aZTYiAQw== + =r8TU + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + - created_at: "2023-04-18T10:12:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/YLzOYaRIJJARAAyKKgYY/frzgwzvuI+dgoBvJ+YZ5gQJ0EvhlMuCIAz5wE + 0a63iupLo+JkLYg1FHFtAkgRBT3rxFWehIfOnp6k8HlJp8UmPziLsr+290AgSKI4 + zfjNixyBHgmycwKwzGW1SYnxMBLOU5i6psbjxtw99VLXlfassYKgdz3ORXbADqu8 + dhVdaMZsWaGHJ1wsU1HjLDbRgLyQZD7Oa5YYmiB+9uXraHkGX4t2ikRIR84Itsrh + q5Tu6+8QlANJ7Fyd+8PugRTuN+DxOUXKOZvi1dWQE0kVU8z/LdbsMh8V/JdhmjFM + NpuHEhrJctgwqmJP9UTMF0zR6vSXMPoj/0kejELNYkd7CNi1YHfidr+tFNDOvHcH + 8vDQhZx+pJA7p4GeP4iOpro21hAlu7Ee6ybHF9fqI9up6XmRyYy4AHbxudANAXyI + lTQ02nCeef18m9UchqFOR7BQ9qea6XLTny+8GZ5kQCLRzlvoJvxydZJ/3k8CdOjQ + +Qi81rogMTKVO3Dc3jvEKXfb7pRO/W+IZnrMWBmCGdkFZVox0KHtt/ktgw1FfdKU + 3pAbHTjetgYNpqid3K5QgUfps12nKyAt9B8E4+myJT//OTirbR3jfobhbS7PQh1Z + bHy+NGUiaH+2+6mJ5n4c9uFyWufn3VXTzgNczxtoXZLuiwT/7JF+Dw8Y0K5slEfS + XAFArk3WKptYG6WF80+kzCn83qengHx6rNbDvQk/ju8UEH3UQzOhnXk0HTVLLgno + 7PDVEFOCBLPQN3SM43urVrNoEkFqlVQGilAIA3mw84X9hm0bEY2wWCxkD6QM + =5+wv + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + - created_at: "2023-04-18T10:12:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA1N/l9+zlMQzAQf/UwrquoJ1BEhvB4cbtQDoyL/vLD59KmQAJAXM3hFp+SQ1 + wafomilIkuqGNjy/r9BRJIRrMmSyy3AV9SYkCQWsABcFGYjWL+voF9JE0XB5T4++ + jqkGVLrWfT2L9O1k9MtDCGVjGiDA1CZN1aZvbugOp6bcOTgJeB9Qt337ejJyjFFu + qYG6BKmOK/GnZ9IWL0zAw6bMvMB5vnALe6Z0q8x/7ZlqoySFGvW96o4GXNToV1DI + 
5B4QbF3r3W0oqtxLJrFF8G9IfKpWXNYU79Ks8KrDqDLh9hatVRKRm8eHAqCPVEpZ + yczRv8/9ZN3xt2IoBKHvXfmxWrD4Yy4A7SiPUtXlwdJcAUUdhPFN2Q7YVSQCraHP + vWt8GYvAlfjzKdjOcwh0nGrUhzG9w35cFo+iPfJ64dcw84nU++CbcgnBe04aNVnB + 5DPXM7Rj7ztLhP85OGcfvSXTrxFsnw7CVGYYf7Q= + =Jviq + -----END PGP MESSAGE----- + fp: 069836A578F7939612DB4934F77D0F7E247A1EE4 + - created_at: "2023-04-18T10:12:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA1N/l9+zlMQzAQgAk26yI6WdDYeH+AH+QBNF/lGVq3u9ZnKbcl9FPUaQMy1h + Xubt1k9HSiFvwX6P/hs0FnVA1qpg+Hcv/MG+fHAlraxwMMj3UT36HhpryxeMvGNv + g8H0PIbZCqAz51Fd2OndvL9qsYR5DD/SSWqsKti10ANwKXE+4x+La2KmMyRM6JJE + U7AigEW81yvyScJ2CNGrUhPBpNfI2XK+5ChQliNGPs7KdBagwfO3DkVYfyG7azo/ + 1/MC4GhzF8SoSjYBw2mgEwlem4Ls+JIZCDaGGH7hASMIDfxKHXcr8uejmEa+hTyO + mk32OO6WIGglpARpd+g6T3SQEN45sv522D39orXihdJcAWwfK604jy7W5xlLpT2z + /60aKCs/59a31oqcdwte5NMYJ8fwENLIgvoKenBS5GZ1/IPH+VtYbfDu4TQTOcfn + UbK4LYB++IHJQ+u/QuwcPwGzrli529JeQwK8JAg= + =Qd0p + -----END PGP MESSAGE----- + fp: ED06986DFAAE6A61B751DC2F537F97DFB394C433 + unencrypted_suffix: _unencrypted + version: 3.7.3