From fe542b2208da732403b96377ad55d78353009416 Mon Sep 17 00:00:00 2001
From: Moritz 'e1mo' Fromm
Date: Sun, 27 Nov 2022 23:11:34 +0100
Subject: [PATCH] Initial commit
---
 .envrc | 1 +
 .gitignore | 2 +
 .sops.yaml | 20 +++++++
 README.md | 78 ++++++++++++++++++++++++++++
 common/default.nix | 86 +++++++++++++++++++++++++++++++
 common/users.nix | 44 ++++++++++++++++
 flake.lock | 80 ++++++++++++++++++++++++++++
 flake.nix | 63 ++++++++++++++++++++++
 hosts/shirley/configuration.nix | 36 +++++++++++++
 hosts/shirley/hardware-config.nix | 43 ++++++++++++++++
 hosts/shirley/mumble.nix | 29 +++++++++++
 packages/default.nix | 24 +++++++++
 secrets/all/secrets.yaml | 55 ++++++++++++++++++++
 secrets/shirley/secrets.yaml | 55 ++++++++++++++++++++
 14 files changed, 616 insertions(+)
 create mode 100644 .envrc
 create mode 100644 .gitignore
 create mode 100644 .sops.yaml
 create mode 100644 README.md
 create mode 100644 common/default.nix
 create mode 100644 common/users.nix
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 hosts/shirley/configuration.nix
 create mode 100644 hosts/shirley/hardware-config.nix
 create mode 100644 hosts/shirley/mumble.nix
 create mode 100644 packages/default.nix
 create mode 100644 secrets/all/secrets.yaml
 create mode 100644 secrets/shirley/secrets.yaml
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..8f390c3
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use_flake
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..dcabe15
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.direnv/
+result
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..a25b9f6
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,20 @@
+keys:
+ # People
+ # TODO: Add @ruru (I was not able to find a current gpg key @e1mo)
+ - &e1mo 0x6D617FD0A85BAADA
+ - &leona 0xD5B08ADFC75E3605
+ - &n0emis 0xE0262A773B824745
+
+ # Servers
+ - &shirley age14ysl953378r2vvy7ft3gwce9xp83pr6wypf5lgx2yjwx2lxra5qs6j8eqe
+creation_rules:
+ - path_regex: secrets\/all\/*
+ key_groups:
+ - pgp: [ *e1mo, *leona, *n0emis ]
+ age:
+ - *shirley
+ - path_regex: secrets\/shirley\/*
+ key_groups:
+ - pgp: [ *e1mo, *leona, *n0emis ]
+ age:
+ - *shirley
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5771ad6
--- /dev/null
+++ b/README.md
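Review bot: The `path_regex` values `secrets\/all\/*` and `secrets\/shirley\/*` are regular expressions rather than globs, so the trailing `\/*` means "zero or more slashes" and the unanchored pattern would also match a path such as `secrets/allfoo/x.yaml`; they select the intended files today only because no such siblings exist. Anchoring the rules makes the intent explicit: `path_regex: ^secrets/all/.*\.yaml$` and `path_regex: ^secrets/shirley/.*\.yaml$`. Both rules also carry identical key groups, so the per-host file gives no narrower access than the shared one yet; once a second host exists, its age key should be listed only in its own rule, and a comment saying so would stop a copy-paste of the first rule.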
@@ -0,0 +1,78 @@ +# chaos-jetzt nixfiles + +NixOS configuration for the [chaos.jetzt] project. They are very much work in progress + +## (Migration) TODOs + +- [mumble-web](https://github.com/johni0702/mumble-web), possibly adding [mumble-web-proxy](https://github.com/johni0702/mumble-web-proxy/) on top + - Both need to be packaged for Nix +- [Dokuwiki](https://www.dokuwiki.org/dokuwiki) + - NixOS module exists: `services.dokuwiki` + - Data migration + - Migrate away from SSO +- [freescout-helpdesk](https://github.com/freescout-helpdesk) + - @e1mo is already working on a nix package + NixOS module for their private nixfiles + - Migrate away from SSO + - Data migration +- [Matrix synapse](https://github.com/matrix-org/synapse) + [element-web](https://github.com/vector-im/element-web) + - Data migration (synapse) + - Migrate away from SSO (synapse) +- [maubot github](https://github.com/maubot/github) + - Not packaged for nix + - Ditch it? +- [pretix](https://github.com/pretix/pretix) + - Not aware of nix packaging + - Not really used + - Maybe skip it (for now) and use the instance of another space? + +## Development setup + +These nixfiles are built using nix flakes. See [here][nix-install] for nix installation instructions and the [nixos.wiki page on flakes][nix-flakes]. [colmena] is used for deployment, secret management is done using the [sops] based [sops-nix]. +The later two (colmena and sops) are available via a `devShell`, defined in the flake, which can be invoked using `nix develop`. [nix-direnv] can also be used in order to automatically create the respective shell upon entering these nixfiles. 
+ +## Deployment + +[colmena] is used for deployment: + +```bash +# Build all hosts +colmena build +# Build specific host(s) +colmena build --on host-a,host-b + +# Deploy all hosts in test mode (activate config but do not add it to the bootloader menu) +colmena apply test + +# Deploy specific host (actiavte config and use it at the next boot (switch goal)) +colmena apply --on host-a + +# A VM of the host can be built using plain nix build + +nix build .\#nixosConfigurations.host-a.config.system.build.vmWithBootloader +``` + +**Note on VMs**: Since the secrets are decrypted for each servers ssh key, the secrets setup will fail. + +## Secrets + +Secrets are managed using [sops-nix] which is based on [sops]. All secrets are stored in the `secrets/` folder. The `.sops.yaml` configuration file contains information on who has (a) access to keys and (b) which servers can decrypt which keys. + +A servers private key can be derived from it's ssh key using [ssh-to-age], generated during initial installation: + +```bash +# Only ed25519 keys can be converted using ssh-to-age +ssh-keyscan -t ed25519 shirley.net.chaos.jetzt | nix shell nixpkgs#ssh-to-age -c ssh-to-age +# Or from the host (using legacy nix-shell) +cat /etc/ssh/ssh_host_ed25519_key.pub | nix-shell -p ssh-to-age --run ssh-to-age +``` + +When users or servers get added or removed, the secret files need to be updated using `sops updatekeys`. Since this can not be called on all files, `find secrets -type f -exec sops updatekeys {} \;` may be used for convenience. + +[chaos.jetzt]: https://chaos.jetzt/ +[nix-flakes]: https://nixos.wiki/wiki/Flakes +[nix-install]: https://nixos.org/download.html#download-nix +[colmena]: https://github.com/zhaofengli/colmena +[sops]: https://github.com/mozilla/sops +[sops-nix]: https://github.com/Mic92/sops-nix +[nix-direnv]: https://github.com/nix-community/nix-direnv +[ssh-to-age]: https://github.com/Mic92/ssh-to-age 
diff --git a/common/default.nix b/common/default.nix
new file mode 100644
index 0000000..46c8b18
--- /dev/null
+++ b/common/default.nix
@@ -0,0 +1,86 @@
+{ config, lib, pkgs, nixpkgs, ... }: {
+ imports = [
+ ./users.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ htop
+ vim
+ tmux
+ rsync
+ curl
+ wget
+ bat
+ fd
+ ripgrep
+ ];
+
+ nix = {
+ package = pkgs.nixVersions.stable;
+ settings.auto-optimise-store = lib.mkDefault true;
+ settings.trusted-users = [ "root" "@wheel" ];
+ registry.nixpkgs.flake = nixpkgs;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ };
+ };
+ documentation.nixos.enable = false;
+ console.keyMap = "de";
+ time.timeZone = "Europe/Berlin";
+ i18n = {
+ defaultLocale = "de_DE.UTF-8";
+ extraLocaleSettings.LC_MESSAGES = "en_US.UTF-8";
+ };
+ networking.domain = "net.chaos.jetzt";
+ networking.firewall = {
+ logRefusedConnections = false;
+ enable = true;
+ allowedTCPPorts = (lib.optionals (config.services.nginx.enable) [ 80 443 ])
+ ++ config.services.openssh.ports;
+ };
+
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ kbdInteractiveAuthentication = false;
+ };
+ # That way we can't forget to disable the access logs for each individual website
+ services.nginx.appendHttpConfig = ''
+ access_log off;
+ '';
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme+${config.networking.hostName}@chaos.jetzt";
+ defaults.webroot = "/var/lib/acme/acme-challenge";
+ };
+
+ sops = {
+ defaultSopsFile = lib.mkDefault (../secrets + ("/" + config.networking.hostName) + "/secrets.yaml");
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ };
+
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+
+ users.motd = ''
+ ##### #####
+ #### #### _____ _ ___ _ _
+ ### ### / __ \ | |_ | | | | |
+ ## # ## | / \/ |__ __ _ ___ ___ | | ___| |_ ___| |_
+ # ### # | | | '_ \ / _` |/ _ \/ __| | |/ _ \ __|_ / __|
+ # # # | \__/\ | | | (_| | (_) \__ \_/\__/ / __/ |_ / /| |_
+ # # \____/_| |_|\__,_|\___/|___(_)____/ \___|\__/___|\__|
+ ## ##
+ ## # # ##
+ # ## ## # ${config.networking.fqdn}
+ # ## ## #
+ # ####### #
+ '';
+}
diff --git a/common/users.nix b/common/users.nix
new file mode 100644
index 0000000..487a542
--- /dev/null
+++ b/common/users.nix
@@ -0,0 +1,44 @@
+{ config, ... }:
+{
+ sops.secrets."root_user_password" = {
+ format = "yaml";
+ sopsFile = ../secrets/all/secrets.yaml;
+ neededForUsers = true;
+ };
+
+ users.mutableUsers = false;
+ users.users = {
+ root.passwordFile = config.sops.secrets."root_user_password".path;
+ e1mo = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBfbb4m4o89EumFjE8ichX03CC/mWry0JYaz91HKVJPb e1mo"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID9x/kL2fFqQSEyFvdEgiM2UKYAZyV1oct9alS6mweVa e1mo (ssh_0x6D617FD0A85BAADA)"
+ ];
+ };
+ leona = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN9nTU+lsrfp+uLo1IvMEIi64m6ke0FmfZ6FxBgmKXp leona@leona.is"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkvy9P1Qweq1kykgn3IWIBWe/v/dTNAx+hd9i2aKe1O openpgp:0xCACA6CB6"
+ "ssh-rsa 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 openpgp:0xF5B75815"
+ ];
+ };
+ n0emis = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9 n0emis@n0emis.eu"
+ ];
+ };
+ ruru = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 linus@3-Anaklet"
+ ];
+ };
+ };
+}
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..f57bbee
--- /dev/null
+++ b/flake.lock
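Review bot: `security.sudo.wheelNeedsPassword = false` combined with `nix.settings.trusted-users = [ "root" "@wheel" ]` makes every wheel member root-equivalent with nothing but their SSH key, so a leaked admin key is a root key on every host that imports this module; that is a reasonable choice for a small team, but it should be stated where it is made, e.g. `# wheel == root: passwordless sudo plus nix trusted-users, so keep the wheel list in users.nix minimal`. `networking.firewall.logRefusedConnections = false` removes the only journal record of dropped connections, which is fine for noise reduction but worth a one-line comment giving the reason. The `sops.defaultSopsFile` expression ties each host to `secrets/<hostName>/secrets.yaml`, and a comment pointing at `.sops.yaml` would help whoever adds the next host.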
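Review bot: `ruru` is added to `wheel`, which on these hosts means passwordless sudo (`security.sudo.wheelNeedsPassword = false` in `common/default.nix`), so this user can read every secret sops decrypts at runtime even though `.sops.yaml` lists no key for them; the `TODO: Add @ruru` there therefore only gates editing the encrypted files, not access to their contents, and that should be written down next to the account, e.g. `# ruru: wheel (root via sudo) but no sops key yet, see .sops.yaml`. With `users.mutableUsers = false` the `authorizedKeys` in this file are the only login path, so removing a user here is also the complete host-access offboarding step; a comment at the top stating that would make the file's role clear.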
@@ -0,0 +1,80 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "locked": {
+ "lastModified": 1667395993,
+ "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+ "type": "github"
+ },
+ "original": {
+ "id": "flake-utils",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1669411043,
+ "narHash": "sha256-LfPd3+EY+jaIHTRIEOUtHXuanxm59YKgUacmSzaqMLc=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "5dc7114b7b256d217fe7752f1614be2514e61bb8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-22_05": {
+ "locked": {
+ "lastModified": 1668908668,
+ "narHash": "sha256-oimCE4rY7Btuo/VYmA8khIyTHSMV7qUWTpz9w8yc9LQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "b68a6a27adb452879ab66c0eaac0c133e32823b2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-22.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-22_05": "nixpkgs-22_05"
+ },
+ "locked": {
+ "lastModified": 1668915833,
+ "narHash": "sha256-7VYPiDJZdGct8Nl3kKhg580XZfoRcViO+zUGPkfBsqM=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "f72e050c3ef148b1131a0d2df55385c045e4166b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..a32daf2
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,63 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = inputs@{ self, nixpkgs, sops-nix, flake-utils }: let
+ overlay = import ./packages;
+ pkgs = import nixpkgs {
+ system = "x86_64-linux";
+ overlays = [ overlay ];
+ };
+ defaultModules = [
+ sops-nix.nixosModules.sops
+ ./common/default.nix
+ {
+ nixpkgs.overlays = [ overlay ];
+ _module.args = {
+ inherit nixpkgs;
+ # TODO: Change when going to production
+ # Not sure if this is the best way to do this
+ baseDomain = "dev.chaos.jetzt";
+ };
+ }
+ ];
+ in {
+ nixosConfigurations = {
+ shirley = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = defaultModules ++ [
+ ./hosts/shirley/configuration.nix
+ ];
+ };
+ };
+
+ colmena = {
+ meta.nixpkgs = import nixpkgs {
+ system = "x86_64-linux";
+ };
+ defaults = { name, ... }: {
+ deployment = {
+ # TODO: It'd probably be nice to derive that from the host-configured fqdn
+ targetHost = "${name}.net.chaos.jetzt";
+ targetUser = null;
+ };
+ };
+ } // builtins.mapAttrs (name: host: {
+ nixpkgs = { inherit (host.config.nixpkgs) system; };
+ imports = host._module.args.modules;
+ }) self.nixosConfigurations;
+
+ devShells.x86_64-linux.default = pkgs.mkShell {
+ buildInputs = with pkgs; [ sops colmena ];
+ };
+
+ overlays.default = overlay;
+ legacyPackages.x86_64-linux = pkgs;
+
+ };
+}
diff --git a/hosts/shirley/configuration.nix b/hosts/shirley/configuration.nix
new file mode 100644
index 0000000..ac2152a
--- /dev/null
+++ b/hosts/shirley/configuration.nix
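Review bot: `outputs` destructures `flake-utils`, but `inputs` never declares it and `flake.lock` records it with `"type": "indirect"`, i.e. it is resolved through the local flake registry instead of a pinned URL, so evaluation depends on the registry of whoever runs it; the argument is also unused in the visible body. Either drop it, `outputs = inputs@{ self, nixpkgs, sops-nix }: let`, or pin it explicitly with `flake-utils.url = "github:numtide/flake-utils";` under `inputs` and re-lock. `colmena.meta.nixpkgs` imports nixpkgs without `overlay`, which works because each host receives `nixpkgs.overlays` from `defaultModules`, but a short comment saying so would save the next reader from adding it twice.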
@@ -0,0 +1,36 @@
+{ lib, pkgs, config, baseDomain, ... }: {
+ imports = [
+ ./hardware-config.nix
+ ./mumble.nix
+ ];
+
+ system.stateVersion = "23.05";
+ networking.hostName = "shirley";
+ # Fallback / for the monitoring v(x)lan
+ networking.useDHCP = true;
+
+ # We need to configure IPv6 statically, and if we start with that we can just also do it for IPv4
+ networking.interfaces.ens3.useDHCP = false;
+ networking.interfaces.ens3.ipv4.addresses = [ { address = "94.130.107.245"; prefixLength = 32; } ];
+ networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f8:c0c:83eb::1"; prefixLength = 64; } ];
+ networking.defaultGateway = { address = "172.31.1.1"; interface = "ens3"; };
+ networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+ networking.nameservers = [ "213.133.98.98" "213.133.99.99" "213.133.100.100" ];
+
+ services.nginx = {
+ enable = true;
+ enableReload = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts.${baseDomain} = {
+ default = true;
+ enableACME = true;
+ forceSSL = true;
+ # TODO: Change this to be deployed by some sort of CI + rsync so we don't need to always update the package version
+ locations."/".root = pkgs.chaos-jetzt-website-pelican;
+ };
+ };
+}
diff --git a/hosts/shirley/hardware-config.nix b/hosts/shirley/hardware-config.nix
new file mode 100644
index 0000000..0ce4be1
--- /dev/null
+++ b/hosts/shirley/hardware-config.nix
@@ -0,0 +1,43 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/75529c3e-9af0-46ca-8893-bc4052f68e1a";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ # boot.loader.grub.efiSupport = true;
+ # boot.loader.grub.efiInstallAsRemovable = true;
+ # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ # Define on which hard drive you want to install Grub.
+ boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ # networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens10.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/shirley/mumble.nix b/hosts/shirley/mumble.nix
new file mode 100644
index 0000000..a4454cd
--- /dev/null
+++ b/hosts/shirley/mumble.nix
@@ -0,0 +1,29 @@
+{ config, baseDomain, lib, ... }: {
+
+ sops.secrets."murmur/registry_password".owner = "murmur";
+ security.acme.certs."mumble.${baseDomain}" = {
+ group = "murmur";
+ reloadServices = [ "murmur.service" ];
+ };
+
+ services.murmur = let
+ sslDir = config.security.acme.certs."mumble.${baseDomain}".directory;
+ in {
+ enable = true;
+ openFirewall = true;
+ sslCa = "${sslDir}/chain.pem";
+ sslKey = "${sslDir}/key.pem";
+ sslCert = "${sslDir}/fullchain.pem";
+ welcometext = "Welcome on the ${baseDomain}-mumble server. Enjoy your stay!";
+ bandwidth = 128000;
+ registerName = baseDomain;
+ registerUrl = "https://${baseDomain}/";
+ registerPassword = "$MURMURD_REGISTRATION_PASSWORD";
+ registerHostname = baseDomain;
+ environmentFile = config.sops.secrets."murmur/registry_password".path;
+ extraConfig = ''
+ # To "randomize" user IP Adresses in logs
+ obfuscate=true
+ '';
+ };
+}
\ No newline at end of file
diff --git a/packages/default.nix b/packages/default.nix
new file mode 100644
index 0000000..60518b6
--- /dev/null
+++ b/packages/default.nix
@@ -0,0 +1,24 @@
+final: prev:
+{
+ chaos-jetzt-website-pelican = final.stdenv.mkDerivation {
+ name = "chaos-jetzt-website-pelican";
+
+ src = prev.fetchFromGitHub {
+ owner = "chaos-jetzt";
+ repo = "website_pelican";
+ rev = "89b1020678886a07446ac98db275a6db995c53ec";
+ hash = "sha256-T3MSxMshlH3nFOttajDdacWGi1g+TkhjFlr+MjQlb/4=";
+ };
+ installTargets = "build";
+ buildFlags = [
+ "publish"
+ ];
+ installPhase = "
+ cp -r public/ $out/
+ ";
+ buildInputs = with final.python3Packages; [
+ pelican
+ markdown
+ ];
+ };
+}
diff --git a/secrets/all/secrets.yaml b/secrets/all/secrets.yaml
new file mode 100644
index 0000000..e027980
--- /dev/null
+++ b/secrets/all/secrets.yaml
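Review bot: `registerPassword = "$MURMURD_REGISTRATION_PASSWORD"` appears to rely on the `environmentFile` (the decrypted `murmur/registry_password` secret) containing a `MURMURD_REGISTRATION_PASSWORD=...` assignment, and nothing on this page documents that or can be checked against the encrypted `secrets/shirley/secrets.yaml`. A comment at the secret declaration would prevent a later edit that stores the bare password instead, e.g. `# secret value must be the env-file line MURMURD_REGISTRATION_PASSWORD=<password>; it is loaded via environmentFile`. `openFirewall = true` exposes the murmur port on every interface, which is intended for a public voice server but deserves a word next to it.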
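Review bot: `installTargets = "build"` is dead, because `installPhase` is overridden and never calls `make`, so the attribute can only mislead; drop it or drop the custom `installPhase`. The build relies on `make publish` (via `buildFlags`) writing the rendered site to `public/`, which comes from a Makefile not on this page, so the assumption is worth stating: `# make publish renders the site into public/, which becomes $out`. Using `pname`/`version` instead of a bare `name` would also let the pinned `rev` be reflected in the store path.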
@@ -0,0 +1,55 @@
+#ENC[AES256_GCM,data:yZuJDeNL04htjQK/wCi7tDFzkeurKNWtMcX3YO4ZTIjksZBDMG7/mvAEuVeL5ffWa+faIs/uM1cATaRm4JVDCai5fWR7S2//TRUHAhkDbSYIZHDjFUFGqpWd8T7WVT53TPtX,iv:n1zrjd/QCFNXfYbnaeZviUfeDq+x0Z8skkkcS/dP86o=,tag:2sn+f3m2PH3BIKt4qrqVSw==,type:comment]
+root_user_password: ENC[AES256_GCM,data:hzwnpYfDNN46Hahf8Vlr01AotR6zuUDqFz/z/XxWx+i3G1p4j03stuKmB//wQSF45T8b+Iuh7PMOrCgwwtRyJVVYnm4q2m2xin+pHQ+/ecr5NgNx6XzsU03DtLLORTCzV4XE4DcMZHQA1g==,iv:bN3hgWYiGGkSIyixZdEt8q41GINlIeO/c/Z0CcAzFik=,tag:Y7xf5NQcvfJaoWYbx88eeA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14ysl953378r2vvy7ft3gwce9xp83pr6wypf5lgx2yjwx2lxra5qs6j8eqe
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dEdFZXVINmI2YTZHWnVM
+ NVREK3lSbFB2b01KYVBMTEpJcEpDOEFzVXpBCmNPdk5Fd2tFcVdSZmFHbk9NVHFv
+ L3NmNktjZWpNbVdqSmh6bGdBWWZRSHcKLS0tICtSTGRQSzFFWHFaRWxReS9QU3BI
+ REtURzRrZ1phZFhicCs1OFhsYkpHdDAK6+PpCcZkk2RN0AtdzEdamADncYHsZ1Cg
+ qynxxBpAyc7xaJX7RQAxuZSEH05sKJ/no5ap+tFyofxc6qJayg31vA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-11-27T21:53:46Z"
+ mac: ENC[AES256_GCM,data:8rzaM8lDGLwwMbgcqaB3zj73l3mV0OFeshrHGRVw+akk9ipz0WKnhKHPGbGcaktWd61cg52/F2Fz573PWHthqoI/v0NJc7bpOKG3HreKyJyJ5AbZ+eFYrSLSNKaOXvKmwWHRMnFASOd97QaSYxQaHCDhQObf0XBXEnRktX9NtXs=,iv:j5E/YS1yI/Tgqq9Dio/b7EKrPwcJFBnVDtry91suym0=,tag:Hev9lYgsMxKFxcfozX+VdA==,type:str]
+ pgp:
+ - created_at: "2022-11-27T01:42:46Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DOnsoj685gdcSAQdAfObqsRYcqS3ajTXsyhchzoclYXtc8RY+s3eig5nL4Vsw
+ FjgYcICzqSwxskBWxPTC+wE5sZFWtpQgQC7iBW9kMrM3tyOLHiAWiYUj6Slowb4T
+ 0l4BUqFYYiGO0U6odYapCo9X4jeTwovV1NEne7UQHoUMLy73d4wcAwxDqFOFbW7T
+ pfkKSunmpkeYaJVwpqFh/jkPNIZzXF/21vPXMWTjQDJfUjl2kf5CWjpf1WaA7YTJ
+ =jWsU
+ -----END PGP MESSAGE-----
+ fp: "0x6D617FD0A85BAADA"
+ - created_at: "2022-11-27T01:42:46Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D/2siLyjns28SAQdANLVNXn+mLHefaf8++uArNCSxYdreGR/wbNTOUROjHUIw
+ QlO5BemuANtiOVje50wh7Z1blYmVimu3B8GhLWgfoEb2XkOH08UK/ngUrU6nQtyl
+ 0l4BsBum3yQvasUmzFKdqx6932h6NPNHxhF92kTspnCiNgWZTuaR+xq5Q62I9CUp
+ ntZAjIkVmD/Zlblg5sLz1c4dtRMkt385pyDJirneMWYcw2EetH+frhdNRwYMwE4W
+ =Kk5a
+ -----END PGP MESSAGE-----
+ fp: "0xD5B08ADFC75E3605"
+ - created_at: "2022-11-27T01:42:46Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D6iFd6webPCUSAQdAD4eqSFTnqARe7eET9LSFhLM7W0gjPrKxGR/2+egbfAkw
+ rqXJkIRpRnp0Qa65i46X992a0cv+zzXhYlS25Ve3c0onM2JOZ17JD1SfOdU1H2l8
+ 0l4BysZauzbFSu9B7m1ooVxRZZAhVWq5ISbej9sCpiZ6pZURNAQOvyrizgZAXPMW
+ gscWMUt+jNXPFU9zhsYB8sMw2sqzv8O3nYgWQ/F1IQyqWCBRiUMUquKDuz0qZkWd
+ =Gc4R
+ -----END PGP MESSAGE-----
+ fp: "0xE0262A773B824745"
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/secrets/shirley/secrets.yaml b/secrets/shirley/secrets.yaml
new file mode 100644
index 0000000..ee5d276
--- /dev/null
+++ b/secrets/shirley/secrets.yaml
@@ -0,0 +1,55 @@
+murmur:
+ registry_password: ENC[AES256_GCM,data:jgMmirQNhwTQZMyfbbbJku9JDqxtuKepIIpbiloX0qnUnytu1vvjFkGZH5dag/e/EDHszqkALNlUZz7wdlxZn3QDDlv0rQITJtsp,iv:aLIPiHDGC4vNXfNgqR852/jbChv2uu5q0Yy9I4ej5ts=,tag:cy4rs+YCglNKEaq+3arfow==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14ysl953378r2vvy7ft3gwce9xp83pr6wypf5lgx2yjwx2lxra5qs6j8eqe
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEWTgxaWtDa0wxZjUvbjZl
+ dXdTWGVFSEExMjZUbXR3SDlWL1lVbXBvNFVrCkE4cmdzODRjK3ZPUGhPd3NvK0Vi
+ YU1KWDcwQzRLLzhGMHpsbHNpTXJHOFkKLS0tIHpBOWh1SkNrSGxYdU5kcnMzN0xN
+ SmhVYUl6a0RFNUtnTGo4S3hGSmJVM1kK9I/qqZXJZAncX5ypv3J/VbC81ugFyCPQ
+ 0a1GOwxQU8NG2VYhyLIUuxEiM/Xi4F1dIt/2A9x6r9xf3anT/pQLlA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-11-26T23:55:22Z"
+ mac: ENC[AES256_GCM,data:ec3JBflxNEo9aHsben5oXb4FlCZzNGh6u6Xc+oa1TFL6rpL2qmOErT8RMkvzij49cz2hLEHMWbiD12fPO2sU/ZHjck7G+dvyRphavEsflzRmLWMj8k7SZR6e/UZIhwcBx15uQndbKhTTSH5EMtiH3Kq+HDNPgAtG6fFQLjNJWk8=,iv:3Od/41rv8YOXdq6uNUcRUtEdFuO4HL9xAtcGRrw6OQ4=,tag:JpVVVveJZfLQteBOOFndCg==,type:str]
+ pgp:
+ - created_at: "2022-11-27T01:42:41Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DOnsoj685gdcSAQdAfd5WjaVver30W/+mLzXe3TrzafrtnEvSkFF4i9WUk2sw
+ CrodsBhVaQ7eeVgYC4E+WYkcCUtZutu8sFWHXHeLv4MKQk1QESjvWbahOjfDOxm6
+ 0l4B+bgPdVsNyQDMeHbLoyN5XpNUUOZviLAzpGDsawTNSXBeb6UPxnMI6JTpWfFU
+ J1XdA7X7T82zC0dzR1jyXVaJQjSTM8/luCD4HGN6wFXKK3FQzNBg8eI/P+JNSS3i
+ =JH3B
+ -----END PGP MESSAGE-----
+ fp: "0x6D617FD0A85BAADA"
+ - created_at: "2022-11-27T01:42:41Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D/2siLyjns28SAQdA70ZeRS3+4ObvIupaiH6T1aB/YnteeRKdVuKlfwp/kBIw
+ ff0pcDD2Mk+q0Wi7ydbMSGle9KmDfEAYQezg3HHj7H5HD5Navd0GthBac+LnDTjU
+ 0l4BcLhkodpQO5hu4+7nBXrh9cuZvovImxGwYImnWJYqO7tBPaYF8Dbou9e+PiQh
+ Q4wOx03Jq+YY8SPO4li0DHSVf3JmUF6NBY7fA1yKkPb4y1JNksHfubAOjpGoV2YT
+ =fepQ
+ -----END PGP MESSAGE-----
+ fp: "0xD5B08ADFC75E3605"
+ - created_at: "2022-11-27T01:42:41Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D6iFd6webPCUSAQdAHBFUxEGTQTnsmD8jYHBvbUmppGOPFF9AGPJo68mcH3Uw
+ ORFO7ThT3Wi0ocZwK9ZmE8AUZeOhgm6T2PJpPLfMV8gYw5WcCBoL5uSAZFcyyiR8
+ 0l4B7LT9IxjzGxx5TPztSUuEcUEwFHGR4lwlqIjNP3SxS/fBlpgh3nBveU1SKsn7
+ 2LHQXzN3oe4wLi22st3VYFyK/yDH3/WkrYFT0/Kqw5A9RRbRIxI5URuIgDtyR9Vi
+ =KMfp
+ -----END PGP MESSAGE-----
+ fp: "0xE0262A773B824745"
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3