add rootfs secrets

2023-07-23 14:27:29 +03:00 · 2023-07-23 14:27:29 +03:00 · a6a1229825
commit a6a1229825
parent 0a2cafb830
5 changed files with 31 additions and 18 deletions
--- a/README.md
+++ b/README.md
@ -1,14 +1,9 @@
 Config
 ------

-This is an attempt to configure my NixOS servers with [krops][1]. Usage:
+Flakes:

-    $ direnv allow .
-    $ nix-build ./krops.nix -A hel1a && ./result
-
-There is probably nothing to look at here.
-
-Upcoming flakes:
+    $ deploy --interactive '#vno1-oh2'

    $ nix build .#deploy.nodes.hel1-a.profiles.system.path

@ -26,14 +21,3 @@ Encode a secret on host:
 Decode a secret on host (to test things out):

    rage -d -i /etc/ssh/ssh_host_ed25519_key secret.age
-
-Bootstrapping
-------------
-
-Prereqs:
-
-    mkdir -p /etc/secrets/initrd
-    ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519
-
-[1]: https://cgit.krebsco.de/krops/about/
-
--- a/secrets.nix
+++ b/secrets.nix
@ -15,6 +15,9 @@ in {
  "secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus;
  "secrets/hel1-a/synapse/macaroon_secret_key.age".publicKeys = [hel1-a] ++ motiejus;

+  "secrets/hel1-a/zfs-passphrase.age".publicKeys = [vno1-oh2] ++ motiejus;
+  "secrets/vno1-oh2/zfs-passphrase.age".publicKeys = [hel1-a] ++ motiejus;
+
  "secrets/motiejus_passwd_hash.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;
  "secrets/root_passwd_hash.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;
 }
--- a/secrets/hel1-a.zfs-passphrase.gpg
+++ b/secrets/hel1-a.zfs-passphrase.gpg
--- a/secrets/hel1-a/zfs-passphrase.age
+++ b/secrets/hel1-a/zfs-passphrase.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 gJrHQg DsQM1OiPx2mZ5zCIoWhswaXAruIyjeYvDT/NpCfQang
+ExnIjettDSsT1BhtrOiuKTHmkuG1UH2oJVFvtaxcskI
+-> X25519 cOjSCW3bPvgvXwZ+OGhYqmuuzTyBG5D0EUA9aSPIABE
+7dzr3eQjQcF3buVLfn66yiv4Oo8gVATjngSn3JtYiEA
+-> piv-p256 +y2G/w A9mCDRKigSM1Bjz5UfNn6pCge9Ifip1qEuSi8oXrqxFR
+v7VYoxTUZhVwjvo6HwGuLwppz808rVadQV+uSTisKc4
+-> piv-p256 jNqd3A A+IpWq0hEn3lvkXGhdA4HwzOf7qMUfP8h2Ulyw6RJWr2
+VKT5WZBnNscxcu2Bv3JyvRzzs9C1PwrrdHOW4mwJbg4
+-> c[,kV-grease
+V6pw1EYTT8KqLcGIVKZWTAGr5gjj1J3O6+jElQ
+--- rU4We/c5iA84jdP6PP46PtDHPv2hFUnKIQd7d8C2AR8
+˜ÝâF;Dš¾`A
¤Î<C2A4>àÝcHÑ<48>V o¸J9y_¬Z°N°áÚŒoýˆÅëÞ/ýÝ+¯iœÂj±F<oô†›ó
--- a/secrets/vno1-oh2/zfs-passphrase.age
+++ b/secrets/vno1-oh2/zfs-passphrase.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 vDjOfg yX0zrlNsaJBSf3PqD4ccm/9z5tQhv5d7vbGQbITKNGQ
+1adV8hkhSTQPSlPuKQypvWPAcker/kjObBxDfos6x2I
+-> X25519 TASHTwnBupJ72eFuJs4Oph68Js31AyjtpXcHDR8xKl8
+/181mos15wmANSJwo5QPZRUAx3vFoZ4wPpimbIfvC4o
+-> piv-p256 +y2G/w A09p8H96e0/FfHSTajYQZTvSYXwT7EvzFf1qVZtdwsax
+Mgkl6t5uDGN8cYVoDXjEYB+RxeXyyLsZrWvGP7KMCNc
+-> piv-p256 jNqd3A A3Rh+tYvU/vfS6+2GXyOOM3auOu4KfXWFhyvyXgojBbf
+l0whgIauEX31OqPyDMTZ2OLUBOzPVFSVnjxbYu7JeSE
+-> cD-grease u8 9nH (N(2JYW 'd
+mAo1sjuzyaHtnQhYLApV9g
+--- QcxzgeZhzogykC09MKj4VMVOZdq6i8N1OOcFf0nkABc
+kë{nµúþã/c8ÒgQ~ã1¦÷®ó“†v§Šçqùà{À<>sÝ€Å<E282AC>€„¶O²