feat: generate secrets

This commit is contained in:
oddlama 2023-06-12 01:03:44 +02:00
parent f33fa54b65
commit 69bd2a71ce
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
24 changed files with 154 additions and 65 deletions


@ -1,9 +1,10 @@
age-encryption.org/v1 age-encryption.org/v1
-> X25519 POUeKoNotGuIHX9N955m56eWzou850H02OG3O+ygIy0 -> X25519 lB23D7AmIF0aexiFK8El0nE88SFMsTdqI2AFwCkoAkw
zR6pq7sHR/Vo32YS6wITRuKRgHWjIqdcsILvR4yL6NU n1eyViq9JQCe7QTuKi3k8DNdnjR6c2lLaBoT8f4IHQg
-> piv-p256 xqSe8Q AoHB1E3JcMAeRCjGPj/Fnd7eeVbi1X/qXV62/04DabNm -> piv-p256 xqSe8Q Ar0Mqg1pFoTei1CfCUp4SZsXNSxkJw9CVV7KuiZWqVkB
Uqx5OonPfDJ++9gWVfD2RztyaRVEC+ZI0eSa7h9MVgo Vx7hdeRcSiS/IiXWkMm0Sy2c5zWGGFUtLd03WKKTpYs
-> ={9x3$iL-grease 7(o } u,|S!;51 " -> -.-grease C?E+>{j _of5
g2+PG1QoDXzzkGnd3ZLsfltd0neKRWt3NwJeTDhPACFBL7yooXk u02vRewJinMZScNTqe7+7Ee8b98EY3+T0oYs1yOhEJ2KdFPsrUcoMWivMun2KwwM
--- 5mTTZWqCisymYqhefWaZ67X1UWkrSyIMKCMvS4d6I40 rPkxdA
UWh;oDń�n&.ĄPš ži�—ł¶ČĂíşBâĚ'ĘÉr¸nâŘgŽúa@UOL_Ćfă…¨ö)ńRhŞvüžc2Ă[ięEÜJ$fZľLgÉĘÎU>­\7Ú>NbĚßr{LW?ďÎ ’Ë4ëxđ•ăĹĎŃ ‹Ý‹§7=ăŹ~qü•ŹÖO6uŁöőQÁřÍ�îÄJŚ S¶šz ČÔMŔ0ď'`ě --- zMYSBhkaD2xsuyTKqN8hG8NaJuAXeinDrXQtddfR0Gs
sŒÈ†eýpÀ®_u³¸÷”hÓ·ª¶Û¶B UÿóÖìUÚp¿›[[cøË7ÿêÿ+…O�´E eÁ�ü½lˆ`j(¿`ƪv#��_Ž¡î‰Æ.¸GP:ò?ê"’ß;_'>Ú 4Ç


@ -6,25 +6,12 @@
utils, utils,
... ...
}: { }: {
extra.wireguard.proxy-sentinel.client.via = "sentinel"; imports = [
../../../../modules/proxy-via-sentinel.nix
];
networking.nftables.firewall = { networking.nftables.firewall.rules = lib.mkForce {
zones = lib.mkForce { sentinel-to-local.allowedTCPPorts = [3001];
proxy-sentinel.interfaces = ["proxy-sentinel"];
sentinel = {
parent = "proxy-sentinel";
ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
};
};
rules = lib.mkForce {
sentinel-to-local = {
from = ["sentinel"];
to = ["local"];
allowedTCPPorts = [3001];
};
};
}; };
age.secrets.grafana-secret-key = { age.secrets.grafana-secret-key = {
@ -40,7 +27,10 @@
group = "grafana"; group = "grafana";
}; };
nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [config.age.secrets.grafana-loki-basic-auth-password]; nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [
aaa not wokring
config.age.secrets.grafana-loki-basic-auth-password
];
services.grafana = { services.grafana = {
enable = true; enable = true;
@ -104,7 +94,7 @@
orgId = 1; orgId = 1;
basicAuth = true; basicAuth = true;
basicAuthUser = nodeName; basicAuthUser = nodeName;
secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}"; secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-loki-basic-auth-password.path}}";
} }
]; ];
}; };
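Review bot: The new side of the `loki-basic-auth-hashes.generator.dependencies` list contains the bare words `aaa not wokring`, which Nix parses as three identifier references rather than a comment, so evaluating this host should fail with an undefined-variable error for `aaa` before the secret generator ever runs. Delete that line so the list holds only `config.age.secrets.grafana-loki-basic-auth-password`; if it was meant as a note, put `# TODO: not working` above the assignment instead. The `services.grafana` attribute set that follows starts in this hunk but runs past it.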


@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 S8bAt5Bt8ci+w8+jC/II3dMSUUEneGKpJULB+FYN6ns
DpKs7bP2Ft4fgbntM6guSFlUuCHiysmALR6jAK6bR/A
-> piv-p256 xqSe8Q A7ZD865VJVg/Lx4d2Ly4dvaIzKmmA1X5f/EOdwdH3dfb
jEqpzb0kdVzYddrmVXIi8672/YLH5+luvUJeb4/ibzA
-> gu'-grease
uGbk/7/cRAmN2VWdXgKuVrvRAfnupb/WTK0r5ow5ud/sp2iEVAM8NZ9f
--- QtjcCefxUDq0yYOou3EbBBZbGu1FfzmXo3cXhiKe44E
0ß¾.D¨$ʼC G‰­KŽ Bˆ¿FËméXêŸ]¢,'0›áæo!‘߸#‹¬]%öðŽ=—Óž ~­QÜè߀Ð̃›Gæ¶Òœr—


@ -6,26 +6,12 @@
utils, utils,
... ...
}: { }: {
extra.wireguard.proxy-sentinel.client.via = "sentinel"; imports = [
../../../../modules/proxy-via-sentinel.nix
];
# TODO this as includable module? networking.nftables.firewall.rules = lib.mkForce {
networking.nftables.firewall = { sentinel-to-local.allowedTCPPorts = [8300];
zones = lib.mkForce {
proxy-sentinel.interfaces = ["proxy-sentinel"];
sentinel = {
parent = "proxy-sentinel";
ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
};
};
rules = lib.mkForce {
sentinel-to-local = {
from = ["sentinel"];
to = ["local"];
allowedTCPPorts = [8300];
};
};
}; };
age.secrets."kanidm-self-signed.crt" = { age.secrets."kanidm-self-signed.crt" = {


@ -5,25 +5,12 @@
utils, utils,
... ...
}: { }: {
extra.wireguard.proxy-sentinel.client.via = "sentinel"; imports = [
../../../../modules/proxy-via-sentinel.nix
];
networking.nftables.firewall = { networking.nftables.firewall.rules = lib.mkForce {
zones = lib.mkForce { sentinel-to-local.allowedTCPPorts = [3100];
proxy-sentinel.interfaces = ["proxy-sentinel"];
sentinel = {
parent = "proxy-sentinel";
ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
};
};
rules = lib.mkForce {
sentinel-to-local = {
from = ["sentinel"];
to = ["local"];
allowedTCPPorts = [3100];
};
};
}; };
services.loki = let services.loki = let


@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 WO6NVr8uGQ9GGngru17rGIcyZ7Jk0V47Me3ee4h0wTQ
2wi5L99XZMN4Aytb8aYH4H6iR9MeuXNXh6hOCap/75A
-> piv-p256 xqSe8Q Aoh7VxZSYtAdc4h0B9toepYGmB9Ad6lib7ovoK7P9jTp
21bQ859o1wlRZxyw84hCEZFWcCQ58uQ0sxzSMlVYvwE
-> DJt-grease ipE| /Qlv %,8pl
6Pg7ViLxJIt1CrQFYVZvTPGz
--- DNpm5163v+rHN5tTVzNbIt3mQRvkLs7Envc7HulIU0g
Í\©¬ü®ÆÄ[Ñbr©WÝ%úÿ‘ÜZ‚ÇÑ:Ù¦ý¿O_Ô6YpÔ½pÁÒƒ —"ó)Z ¼ G/B§–H¶&©}3ª‘]u� æ½õEÏóÌ‚§


@ -34,6 +34,7 @@ in {
foreignConfigs = map (n: colmenaNodes.${n}.config.nodes.${nodeName} or {}) otherNodes; foreignConfigs = map (n: colmenaNodes.${n}.config.nodes.${nodeName} or {}) otherNodes;
toplevelAttrs = ["age" "networking" "systemd" "services"]; toplevelAttrs = ["age" "networking" "systemd" "services"];
in in
todo wrong, currently extension FROM microvms is not possible
{ {
assertions = assertions =
map (n: { map (n: {
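Review bot: The added line `todo wrong, currently extension FROM microvms is not possible` sits between `in` and the opening `{` without a `#`, so it is code rather than a comment; the comma alone makes this a parse error for the whole file. Prefix it as `# TODO: wrong, currently extension FROM microvms is not possible` (or move the note into the commit message). The enclosing `let … in` expression begins and ends outside the hunk.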


@ -0,0 +1,25 @@
{
lib,
nodes,
...
}: {
extra.wireguard.proxy-sentinel.client.via = "sentinel";
networking.nftables.firewall = {
zones = lib.mkForce {
proxy-sentinel.interfaces = ["proxy-sentinel"];
sentinel = {
parent = "proxy-sentinel";
ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
};
};
rules = lib.mkForce {
sentinel-to-local = {
from = ["sentinel"];
to = ["local"];
};
};
};
}
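Review bot: Both `zones` and `rules` are set with `lib.mkForce`, so on any host importing this module every other definition of `networking.nftables.firewall.zones`/`.rules` made at default priority is silently discarded rather than merged — a service module that contributes its own firewall rule loses it without any error. If the forced override is intentional (the per-host copies this replaces used it too), say so at the top of the file, e.g. `# NOTE: mkForce replaces all other firewall zone/rule definitions on the importing host; open ports via sentinel-to-local.allowedTCPPorts`; otherwise drop `mkForce` and let the module system merge normally. The `sentinel-to-local` rule itself lists no ports, so each importer must add `allowedTCPPorts` as the updated hosts in this commit do — presumably nothing is permitted until then, which is the safe default, but worth confirming against the nftables-firewall module's semantics.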

Binary file not shown.


@ -0,0 +1 @@
e01aX1saudxbQ2QNI171c3HQYopzr65dUSvy3nttv2I=
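Review bot: This single-line file is a 44-character base64 string, i.e. exactly 32 bytes — the size of an X25519/WireGuard key — committed in plaintext next to age-encrypted siblings. Nothing on the page says whether it is a public key (fine to commit) or a private or pre-shared key; if it is the latter, it is now in git history and must be rotated, not merely moved into an `.age` file. A naming convention (e.g. a `.pub` suffix) or a short README in the secrets directory would make that distinction obvious to reviewers. The same applies to the three other single-line base64 files added in this commit.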


@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 iDP/l9JWpSbmurGwatXgJB7lpXbN91ni8Q2dJQcOuHI
0mZ+TZtBjLrxg+9S4wPNfmQMMF8Muoz80FljLGZeQls
-> piv-p256 xqSe8Q Any/1MXgHhAG2HbdPc6E9tm4S+LwrzYl0I4Ueqhu/paX
C95VJbBXVDaKe6yHLjZ3QHhh+X9gn8xZ7NdF/1egY/w
-> r1b-grease !c:IOcD~
G3m3OhWWqAc+CuI
--- XmXpw9TwMOGptOoWlyvlwiuKIhqiBc0+hq2zJ+jZwuc
*ƒ½oXØ>R’=v† ½›b" vNã€Å”¥¯YÃ|¿$‡îã�ë …:Ý<鹊£.Z/̪`P|[ŽõŠÍ�ÀÞUj›D›³üè»hY


@ -0,0 +1 @@
n+WfDPdO0Xz1j7pVdc/TgCxj+LQQSiAjs3isjPC2GUM=


@ -0,0 +1,12 @@
age-encryption.org/v1
-> X25519 0yESayMtWrk28Z68kjxDmDD9JH68LZbhw0HsaSDXoVY
G7TX9cB4VAvnz5yPVxGM+7CNhhsYpc9z1AnmDX68fDE
-> piv-p256 xqSe8Q A4nALj+oE9+cPh20V0q7Q3FW+BUe6ss1YL28G7qgT3AP
eSUmv9rudIjfD9eqF+4C1PBsrH96YyQsalxA2SHnOuk
-> Og-_`qm-grease R.-KV
2vNoHmyK16/IIrS3NnRBc1TTkfnf8ZC55hgzxfHuB2dhuRH2MuNGS9nz5HHfZ9yi
iIw
--- CoRs6zw5vxbWfLmaO3aE7PrYJHcPWkJ16Dcb+9pecrw
:
É<^7¥å–vÈù uáÍÌQû“ªuÁ­�eËY"·ê
�#!‘!ÉM¢Gé&ßêÂ{¬Þ¬x.©!|F äÿ¦>[ˆÄ«q¹6Ïs


@ -0,0 +1,10 @@
age-encryption.org/v1
-> X25519 1VMVSzcANsteZ4hAHqn/TJJcEU1jqj2m3fgY6SNe1Vc
w5a7A0Suk4RHNVUbqdLnodZf5qPmAd214QtOqHLMFU8
-> piv-p256 xqSe8Q Ah1xDNBFPyADUPmDyZn1nrdd1etkCGCP9k1FVzO2ax05
SLRXGnfmBI+MucpBj5IhdCLOSCE+VdEsVGJrV8Uno1c
-> Bk(9k-grease
X7PFQXIU0w0BA4i39o/DvXD7RvSI6a/19qbgDus8QspP2zizCYLRiir4GC/eEmbx
naZ8rbadAiqF33d9TJjt0GHLAKEO41LLag
--- S9BGD+Tn7zOwdYaOL6bxMJg+miYxMClrfVYF++N1bT8
YʾÔS/OðÕÆ}€‘ `Ì’GSt€Hg—/cѻɼ¥Àö+GŽÀ¥Ú`üˆù§y‘O2-ž‰eÇSøº¥ìùË/.ˆ³Ä³ê‹$ͳK


@ -0,0 +1 @@
JhRPg09Lsu7OJ2YpyZHD+/KaKYT9xHJ6D8Ljhwa7JXU=


@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 fh0OvxTr6Zttk6+VAI9c4Y9ann6FIkTmBvC7Y82SrxI
Y6k/ZKI7a1J0/hcPrPdl25l6takAd//omssdtLinYlo
-> piv-p256 xqSe8Q AjohzpU4WsG47TdoKLAUQ38ebUvlFSh6HK+tpFIa8XiD
OIBdk79gYZCYn6Cpb7g/wYMdiP2f244nGfkuhHvtIdM
-> PvW.-grease M`]UA5 5e} %97ce
IC2uBMgrkvgSG7PDF7sNIA
--- Ewa38w9RjdbGnOTGDW9Np0S5URA9FP1vLSm+5ewr0vk
¤…�¦¶mV.ñ«蘮iLA`½fLÖ1hOêñ@V‹=.òˆ�l‰` ¢¦Í¾ÚÅ´=ñ/¬YÚ¹Jß©�+WõaŒáëz


@ -0,0 +1 @@
utKdEpCoObpQQBsgTdHo9ILebtAmky2ODzzvyxqCNGU=


@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 l+Kx2WdyZAcXw1khpjWLlp3i0ZGsL55c4uglYcjM8lg
X7K6tEd5ShwZTV77QJGOUze5xqC7h52p/sgxdYjd+Hw
-> piv-p256 xqSe8Q Almjk6hOZRvyUCMKI/zvfBxtiRHkeJ0osoqhgkNKJwWb
zICEosfjzSTe4KF29PpxpUiEb3+U7tSVgPd6DBGrTF8
-> ZiQW'-grease f cV
hIn+gaL0Gga0VyVw9KFhgc/tIrleJnE
--- rtrMiXdLfW6uqYP8F8OUPGxJxiBV2L7x4/6zQk6MbVo
¡�û€š™ª+óÛf>>¿«Ã˜º1dËà"Ÿ„ÀdŸ êÚuN³y=Ñ­²Ž–œâÙtf+_·m”ƒè=”¡à)*’¡¶ûŒ°


@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 0rM+VxBb/RV2VTW5xCQEsiKcEavMhS84MczYVNu3M28
JqY5QAqkTOe+DPTcQ+hE8VyydiuCTB/oMfybJy77nTw
-> piv-p256 xqSe8Q A7YPM7afy7jQlOjLSGnRZxM1Lpjq/MIrE/Re/eXvTWLG
DVs5SmBiriP1N5Ao/JZCW4kMMsM5Pn3GZq2wGEUIQ5Y
-> WkDB[!<@-grease NA %r x ?p8%w^w
KzfsXKRvSOnHZCqBCNA
--- 0nKf16DM2WX3m8hCsuXJhepeoqW4ijIFDvrS7j9RUuI
¾‰í8ÿ3Ì×Åxå0"~<âÜê1€+ºÙ”zb„Õ�=$-´\ý wåëu}ââ)¤×ìù¸ÔÃÃðÔtR5šT78Ъäý—÷þš


@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 uqBWvpQ8DR8aQY2r3Vhw6axyVbKmgXvEXFLZuM7rA1o
+uCVaGfiloQOtRdJXkqi3DmyflJxCmnHBdTd8i+Pafc
-> piv-p256 xqSe8Q AoCH6+psiFFiq55UYRSO1xsTxDAbspFul9JLvoa15kwp
6jgEbmnQtGkajeVOOVcna+3lBwWn9ugUAOueJ3xHMpo
-> z-grease n3dm|_ '/E`@% H
85u5GUpIwcbSPBPN9Kulccacf9/mWWvIHfTb
--- feOoiwcKK14ARe6JX6Fgn8mql8i6pQ9D8RLo5VF13VI
&L)¼/¢øÓʇ…–¡Û^H‡,báN<üÌB †³K†6 >²ƒKEí8¢ ÞçM߀õÃ�ú1¼µ€í¬Ùsæù¦%BdÈäg¨Òr


@ -0,0 +1,10 @@
age-encryption.org/v1
-> X25519 UnfKesPLrwZKz3l1tgw3u0eSpH/znFoeEtDJMkBzz3E
SdRp4/E0e54l1P9f7/qh6Y/FT3AItVnNyu+z+IRE91Q
-> piv-p256 xqSe8Q Ai0cV8qTPFWewQC9MDQUm5pnKUa2Vkq1CwbWcpTURxOj
56B02YgriclCJMU8qT8J9auzEAi2dQFrYZwCSIny7Lc
-> PS-rC-grease kf8 Ri>B
yrzDq1oL2vHsqwzYr5I8nV+oC7QWnGWDMLVe
--- L7Jd7UDHK8K1mjVqv25iOui+8jbVx+fcd3Bp0aqFstQ
«{"ŸqK¨sóqË Ãá|?' 2ÌðÁàü½Û
°S]jíW2½„úÛNõ¸ªMÖÁð;ühüüíš`ñ°• Ú˜‰"*eÙÄxy