glotzbert: mount new cephfs with keyfile from sops-nix
This commit is contained in:
parent
f21ce1c1e6
commit
2a582dc3cb
14
README.md
14
README.md
|
@ -177,3 +177,17 @@ in {
|
|||
}
|
||||
|
||||
```
|
||||
|
||||
# Secret Management Using `sops-nix`
|
||||
|
||||
Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.
|
||||
|
||||
```
|
||||
cd secrets
|
||||
nix develop
|
||||
sops hosts/.../secrets.yaml
|
||||
git commit -a -m YOLO
|
||||
git push origin HEAD:master
|
||||
cd ..
|
||||
nix flake lock . --update-input secrets
|
||||
```
|
||||
|
|
65
flake.lock
65
flake.lock
|
@ -167,6 +167,36 @@
|
|||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1636574401,
|
||||
"narHash": "sha256-/VxpOq1lWGTT14PTkxFQmkXzcezb2N/E6UnosXcYcvI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "b3f59f2089722ec4f0d4a032d329d33ddd63a226",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1636228094,
|
||||
"narHash": "sha256-CpOcIwHAn3yS0PeVmUICFrJ+gde2PiZp3XsnDP3LE9w=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2606cb0fc24e65f489b7d9fdcbf219756e45db35",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_5": {
|
||||
"locked": {
|
||||
"lastModified": 1631792076,
|
||||
"narHash": "sha256-dBRsZ3JB6i53nzC30SsltdwrzjIr8e0zU/y8HitKpT8=",
|
||||
|
@ -209,6 +239,7 @@
|
|||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"scrapers": "scrapers",
|
||||
"secrets": "secrets",
|
||||
"sops-nix": "sops-nix",
|
||||
"spacemsg": "spacemsg",
|
||||
"ticker": "ticker",
|
||||
"tigger": "tigger",
|
||||
|
@ -233,12 +264,18 @@
|
|||
}
|
||||
},
|
||||
"secrets": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"sops-nix": [
|
||||
"sops-nix"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1634413351,
|
||||
"narHash": "sha256-iLtQVQSiwdHxSvOWEP54qRuJTs9E96SZULZzp7OXxS8=",
|
||||
"lastModified": 1636591632,
|
||||
"narHash": "sha256-T4Zy9eMMvlz9xN8k9RaVpXswN960fVvFSQKZawLgisY=",
|
||||
"ref": "master",
|
||||
"rev": "aa6b2921ff392ea8ce546d098d5fb1fe8dd52066",
|
||||
"revCount": 105,
|
||||
"rev": "a8a008bba31ff71f8d9cb98533bdafe8a69a4e39",
|
||||
"revCount": 106,
|
||||
"type": "git",
|
||||
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
||||
},
|
||||
|
@ -247,6 +284,24 @@
|
|||
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1636497917,
|
||||
"narHash": "sha256-8U0Tvot7U5KJ8vpn6xR611v7b441QdAQC04xhxjMHOc=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "a8cbd0c796e4678f0fd2e59f274e49705ee523ed",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"spacemsg": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
|
@ -333,7 +388,7 @@
|
|||
},
|
||||
"zentralwerk": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"nixpkgs": "nixpkgs_5",
|
||||
"nixpkgs-master": "nixpkgs-master",
|
||||
"openwrt": "openwrt",
|
||||
"zentralwerk-network-key": "zentralwerk-network-key"
|
||||
|
|
|
@ -7,6 +7,7 @@
|
|||
nixpkgs-openwebrx.url = "github:astro/nixpkgs/openwebrx";
|
||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
secrets.url = "git+ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git";
|
||||
secrets.inputs.sops-nix.follows = "sops-nix";
|
||||
nixos-hardware.url = "github:nixos/nixos-hardware";
|
||||
zentralwerk.url = "git+https://gitea.c3d2.de/zentralwerk/network.git";
|
||||
yammat.url = "git+https://gitea.c3d2.de/astro/yammat.git?ref=nix";
|
||||
|
@ -20,9 +21,10 @@
|
|||
ticker.url = "git+https://gitea.c3d2.de/astro/ticker.git";
|
||||
ticker.flake = false;
|
||||
heliwatch.url = "git+https://gitea.c3d2.de/astro/heliwatch.git";
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
};
|
||||
|
||||
outputs = inputs@{ self, nixpkgs, secrets, nixos-hardware, zentralwerk, yammat, scrapers, spacemsg, tigger, ticker, heliwatch, ... }:
|
||||
outputs = inputs@{ self, nixpkgs, secrets, nixos-hardware, zentralwerk, yammat, scrapers, spacemsg, tigger, ticker, heliwatch, sops-nix, ... }:
|
||||
let
|
||||
forAllSystems = nixpkgs.lib.genAttrs [ "aarch64-linux" "x86_64-linux" ];
|
||||
|
||||
|
@ -225,7 +227,12 @@
|
|||
nixos-hardware.nixosModules.common-cpu-intel
|
||||
nixos-hardware.nixosModules.common-pc-ssd
|
||||
secrets.nixosModules.admins
|
||||
sops-nix.nixosModules.sops
|
||||
];
|
||||
extraArgs = {
|
||||
inherit zentralwerk;
|
||||
secretsFile = "${secrets}/hosts/glotzbert/secrets.yaml";
|
||||
};
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
||||
|
|
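Review bot: `secretsFile = "${secrets}/hosts/glotzbert/secrets.yaml";` interpolates the `secrets` flake input into a string, which resolves to a path inside the world-readable Nix store; that is acceptable only because the file is sops-encrypted, and nothing on the line says so. A one-line comment above it, `# sops-encrypted: only ciphertext ends up in the Nix store, decryption happens on the host via sops-nix`, would keep a later maintainer from dropping a plaintext file into the same directory. The `secrets.inputs.sops-nix.follows = "sops-nix";` line at 395 correctly pins both consumers to the single locked `sops-nix` revision, so the lockfile is the place to audit that version. The enclosing `nixosConfigurations` attribute starts and ends outside the hunk.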
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ zentralwerk, secretsFile, config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [ ./hardware-configuration.nix ];
|
||||
|
@ -19,6 +19,12 @@
|
|||
maxJobs = 4;
|
||||
};
|
||||
|
||||
sops.defaultSopsFile = secretsFile;
|
||||
sops.secrets = {
|
||||
"ceph/secret" = {};
|
||||
};
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
@ -40,6 +46,7 @@
|
|||
firefox
|
||||
mpv
|
||||
kodi
|
||||
ceph
|
||||
];
|
||||
|
||||
systemd.user.services.x11vnc = {
|
||||
|
@ -122,6 +129,29 @@
|
|||
];
|
||||
};
|
||||
|
||||
services.ceph = {
|
||||
enable = true;
|
||||
global.fsid = "d7c5c9c7-a227-4e33-ab43-3f4aa1eb0630";
|
||||
client.enable = true;
|
||||
};
|
||||
fileSystems."/mnt/storage" =
|
||||
let
|
||||
monHosts = pkgs.lib.concatMapStringsSep "," (host:
|
||||
zentralwerk.lib.config.site.net.cluster.hosts4.${host}
|
||||
) [ "server5" "server6" "server8" ];
|
||||
in {
|
||||
fsType = "ceph";
|
||||
device = "${monHosts}:/";
|
||||
options = [
|
||||
"_netdev"
|
||||
"name=c3d2"
|
||||
"secretfile=${config.sops.secrets."ceph/secret".path}"
|
||||
"noatime"
|
||||
"x-systemd.automount"
|
||||
"x-systemd.device-timeout=5"
|
||||
];
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
|
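Review bot: The cephx key is passed through `"secretfile=${config.sops.secrets."ceph/secret".path}"` rather than an inline `secret=` value, which keeps the key out of the generated /etc/fstab and out of `mount` output, but the hunk does not record that this is deliberate; a comment on that line, `# secretfile= (not secret=) so the key never lands in /etc/fstab or process listings`, would protect the choice. In the hunk at lines 502-539, `sops.secrets = { "ceph/secret" = {}; };` relies on sops-nix's default owner and mode for the decrypted file, which is fine because the mount helper runs as root, but `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` deserves a note that the host's ed25519 key must be listed as a recipient in `secrets/.sops.yaml` (as the README hunk describes) and that regenerating the host key will make this secret undecryptable until the file is re-encrypted. The surrounding module attribute set continues past the hunk.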
|
2
secrets
2
secrets
|
@ -1 +1 @@
|
|||
Subproject commit aa6b2921ff392ea8ce546d098d5fb1fe8dd52066
|
||||
Subproject commit a8a008bba31ff71f8d9cb98533bdafe8a69a4e39
|