add rootfs secrets

2023-07-23 14:27:29 +03:00 · 2023-07-23 14:27:29 +03:00 · a6a1229825
commit a6a1229825
parent 0a2cafb830
5 changed files with 31 additions and 18 deletions
--- a/README.md
+++ b/README.md
@ -1,14 +1,9 @@
 Config
 ------
-This is an attempt to configure my NixOS servers with [krops][1]. Usage:
+Flakes:
-    $ direnv allow .
+    $ deploy --interactive '#vno1-oh2'
    $ nix-build ./krops.nix -A hel1a && ./result
 There is probably nothing to look at here.
 Upcoming flakes:
    $ nix build .#deploy.nodes.hel1-a.profiles.system.path
@ -26,14 +21,3 @@ Encode a secret on host:
 Decode a secret on host (to test things out):
    rage -d -i /etc/ssh/ssh_host_ed25519_key secret.age
 Bootstrapping
 -------------
 Prereqs:
    mkdir -p /etc/secrets/initrd
    ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519
 [1]: https://cgit.krebsco.de/krops/about/
--- a/secrets.nix
+++ b/secrets.nix
@ -15,6 +15,9 @@ in {
  "secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus;
  "secrets/hel1-a/synapse/macaroon_secret_key.age".publicKeys = [hel1-a] ++ motiejus;
  "secrets/hel1-a/zfs-passphrase.age".publicKeys = [vno1-oh2] ++ motiejus;
  "secrets/vno1-oh2/zfs-passphrase.age".publicKeys = [hel1-a] ++ motiejus;
  "secrets/motiejus_passwd_hash.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;
  "secrets/root_passwd_hash.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;
 }
--- a/secrets/hel1-a.zfs-passphrase.gpg
+++ b/secrets/hel1-a.zfs-passphrase.gpg
--- a/secrets/hel1-a/zfs-passphrase.age
+++ b/secrets/hel1-a/zfs-passphrase.age
@ -0,0 +1,13 @@
 age-encryption.org/v1
 -> ssh-ed25519 gJrHQg DsQM1OiPx2mZ5zCIoWhswaXAruIyjeYvDT/NpCfQang
 ExnIjettDSsT1BhtrOiuKTHmkuG1UH2oJVFvtaxcskI
 -> X25519 cOjSCW3bPvgvXwZ+OGhYqmuuzTyBG5D0EUA9aSPIABE
 7dzr3eQjQcF3buVLfn66yiv4Oo8gVATjngSn3JtYiEA
 -> piv-p256 +y2G/w A9mCDRKigSM1Bjz5UfNn6pCge9Ifip1qEuSi8oXrqxFR
 v7VYoxTUZhVwjvo6HwGuLwppz808rVadQV+uSTisKc4
 -> piv-p256 jNqd3A A+IpWq0hEn3lvkXGhdA4HwzOf7qMUfP8h2Ulyw6RJWr2
 VKT5WZBnNscxcu2Bv3JyvRzzs9C1PwrrdHOW4mwJbg4
 -> c[,kV-grease
 V6pw1EYTT8KqLcGIVKZWTAGr5gjj1J3O6+jElQ
 --- rU4We/c5iA84jdP6PP46PtDHPv2hFUnKIQd7d8C2AR8
 ˜ÝâF;Dš¾`A
¤Î<C2A4>àÝcHÑ<48>V o¸J9y_¬Z°N°áÚŒoýˆÅëÞ/ýÝ+¯iœÂj±F<oô†›ó
--- a/secrets/vno1-oh2/zfs-passphrase.age
+++ b/secrets/vno1-oh2/zfs-passphrase.age
@ -0,0 +1,13 @@
 age-encryption.org/v1
 -> ssh-ed25519 vDjOfg yX0zrlNsaJBSf3PqD4ccm/9z5tQhv5d7vbGQbITKNGQ
 1adV8hkhSTQPSlPuKQypvWPAcker/kjObBxDfos6x2I
 -> X25519 TASHTwnBupJ72eFuJs4Oph68Js31AyjtpXcHDR8xKl8
 /181mos15wmANSJwo5QPZRUAx3vFoZ4wPpimbIfvC4o
 -> piv-p256 +y2G/w A09p8H96e0/FfHSTajYQZTvSYXwT7EvzFf1qVZtdwsax
 Mgkl6t5uDGN8cYVoDXjEYB+RxeXyyLsZrWvGP7KMCNc
 -> piv-p256 jNqd3A A3Rh+tYvU/vfS6+2GXyOOM3auOu4KfXWFhyvyXgojBbf
 l0whgIauEX31OqPyDMTZ2OLUBOzPVFSVnjxbYu7JeSE
 -> cD-grease u8 9nH (N(2JYW 'd
 mAo1sjuzyaHtnQhYLApV9g
 --- QcxzgeZhzogykC09MKj4VMVOZdq6i8N1OOcFf0nkABc
 kë{nµúþã/c8ÒgQ~ã1¦÷®ó“†v§Šçqùà{À<>sÝ€Å<E282AC>€„¶O²