M .sops.yaml => .sops.yaml +7 -0
@@ 8,6 8,7 @@ keys:
- &cloud age17cw2ynlaw0ruga0u5678vas50k7neevuufk7gsqn8y8673g0mu8szhx4lr
- &dns age1m5ktjargxxu04dn9c2uhvaw79z74mxsc4vdrkalxjn4aa8c86plqg0hyyw
- &metrics age1m8u3a7rzyx2n6zjxjnfkla34yk3v77egxzd3lv9umt69lsynlaqqqfpt05
+ - &oci age126hmm6e36atxvyac0grym5vs89nm2pwhx7yhum4wwa2fhruujpmq5cj89l
- &proxy age19pj62rpxdh90q7zjvld8u6a7207ar0vmkkp5757j29xvx5e0f5kqjc9y8a
- &social age173lqcfnq2a3xwdjkdua6uqyskfhpdqp2lt4jskdkg3rfqv23vu2sgplq98
# VMs
@@ 50,6 51,12 @@ creation_rules:
- *liljamo_gpg
age:
- *metrics
+ - path_regex: secrets/oci/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *liljamo_gpg
+ age:
+ - *oci
- path_regex: secrets/proxy/[^/]+\.yaml$
key_groups:
- pgp:
A hosts/oci/default.nix => hosts/oci/default.nix +17 -0
@@ 0,0 1,17 @@
+{config, ...}: {
+ sops.secrets.rootPwd.neededForUsers = true;
+ sops.secrets.liljamoPwd.neededForUsers = true;
+
+ roles.base = {
+ root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
+ primaryUser = {
+ username = "liljamo";
+ hashedPasswordFile = config.sops.secrets.liljamoPwd.path;
+ };
+ };
+
+ roles.tailscale = {
+ enable = true;
+ enableSSH = true;
+ };
+}
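Review bot: `roles.tailscale.enableSSH = true` on line 39 turns on Tailscale's own SSH server, whose logins are authorised by the tailnet ACL policy rather than by sshd, and nothing in the file records that intent; a one-line comment such as `# Tailscale SSH: who may log in is decided by the tailnet ACL, not by sshd` would save the next reader a lookup. The two `neededForUsers = true` lines also deserve a why-comment, e.g. `# the hashed passwords are read while users are created, so decrypt them before the users stage`. Both secrets are consumed through `hashedPasswordFile`, so the `rootPwd` and `liljamoPwd` values in secrets/oci/secrets.yaml must be password hashes rather than plaintext, which cannot be confirmed from the ciphertext in this commit. Where `sops.defaultSopsFile` is pointed at secrets/oci/secrets.yaml is not visible in this diff, presumably the lxc profile or a role sets it per host.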
M lib/util.nix => lib/util.nix +1 -0
@@ 7,6 7,7 @@
lxc = {
"dns" = "10.1.2.3";
"metrics" = "10.1.2.5";
+ "oci" = "10.1.2.9";
"proxy" = "10.1.2.10";
"auth" = "10.1.2.12";
"cloud" = "10.1.2.15";
A secrets/oci/secrets.yaml => secrets/oci/secrets.yaml +34 -0
@@ 0,0 1,34 @@
+rootPwd: ENC[AES256_GCM,data:d0W9M0bRTFX6P0V9TlcZf/Kai7RuZfci/+WcGBWcxCshWcMBYOEfe+9wWhswLc5VpeNTg4Eu09+4+aBGuuG1g4shfa236qbeQ4tic6rX6rm2TpQPINSfvXTBXqPURQoNETgxeLwH/be14A==,iv:EQb9+1tNntiVorT+ORovi8nqsqd0rnncFeWSuZ+OT3s=,tag:GW0qbDfFwzErObCF/I7rVg==,type:str]
+liljamoPwd: ENC[AES256_GCM,data:sE+aU3MFnxduKolCW4FpqeT/8ltzLPqXW7exYEOCpj4s9p8n9S9O8hqSNN+Hr1oktUb5Hfhr8AaKLHTDyMiemSF252HDP+8AAzXAx5PT4k6epd69n8rab27LyhG3E7WdIC9yzW8XuRcnZg==,iv:fsTRs3H6Lyb7QemlUdGxOMdAUED+JBJCYP0CkiCR8WE=,tag:cBtmGh8SxkhNRvOePY9v1w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age126hmm6e36atxvyac0grym5vs89nm2pwhx7yhum4wwa2fhruujpmq5cj89l
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxR1hRMXM5bkdCM084amJ4
+ dmpDZlhKb1ZuYUs1ZWgzRFhiVVlLTnBxclFVCjdjdy82SWZUWkM5UFd4QXcwT2xG
+ OEhQaWdpV3ZEWWRjS0tic092Z2VoL0EKLS0tIGNST2VwYW9aUG1kRDJaTk5KYUY4
+ NWhxT1JJS1hPb1c4VXVYNFZiUzl1TWsKV6xNCNiZu+rwCGOYWf6Mf51Oy6+702mz
+ OHctTk7f+OhQhkq5oAUEkeRLhmzrb6dx1KVCeA/V+nzksHjSwz3LLw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-26T16:04:32Z"
+ mac: ENC[AES256_GCM,data:Ds9tpSa8qlzM93Dabqk+xIPMwTFDCwiHXctS9zIMHXWBDMrX4/rV/bTsDNkuQf8ccG/O5/3rDEFveiQMy/6GbboSXethUonaeRA3pJfa/onFzoUL4MQ+P2MGbPciiHnyf5cmtkRZ4tIRYoae1Ztjyj+506Uf4UpwSzq/oV1ev28=,iv:PiTuaah537odXM2jnKzisInMlvX+AtxVd5Xm1OhThdA=,tag:CXY6JaG67NmFB0OiOsFlqw==,type:str]
+ pgp:
+ - created_at: "2024-09-26T16:03:05Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D8ab0ENzkR4wSAQdAkaqRQFBOrZWmKOa0c8gyzrutllDwcG17L23JaxA1uCYw
+ 5dbSQew+82LpohrlRDvr+XsI0m0VQ++hL1Ey0/fXV+J5/Lev8UpFFW5jNbj2ElmA
+ 1GgBCQIQRDYZP+gid8F7Xtga88CLGUZE35KSb+kYubh8GoCqnTFl5el61UiMJPsM
+ TQ8C5vnFj7bvEmXTXlJvRQtTz+1qY/IY71awtQy0xQyjV93P5Y4CT5KUhLAjDYlo
+ Ir2XLhY8hmtQSQ==
+ =mdkJ
+ -----END PGP MESSAGE-----
+ fp: 848EEBCEE9F0D29D25C321A658577946A65EB712
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
M systems/hosts/default.nix => systems/hosts/default.nix +5 -0
@@ 37,6 37,11 @@
profile = lxc;
modules = [];
};
+ oci = {
+ system = "x86_64-linux";
+ profile = lxc;
+ modules = [];
+ };
proxy = {
system = "x86_64-linux";
profile = lxc;
A systems/hosts/oci/default.nix => systems/hosts/oci/default.nix +5 -0
@@ 0,0 1,5 @@
+{...}: let
+ aPort = 1;
+in {
+ system.stateVersion = "24.05";
+}
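Review bot: `aPort = 1` on line 103 is bound in the `let` but never referenced, so it is dead code, probably left over from a template. Either drop the binding so the file reads `{...}: { system.stateVersion = "24.05"; }`, or keep it only once something uses it. If it is meant to reserve a port for a service added later, a comment saying so would stop the next reader from deleting it.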
M tamma.yaml => tamma.yaml +3 -0
@@ 19,6 19,9 @@ hosts:
- name: metrics
data:
user: root
+ - name: oci
+ data:
+ user: root
- name: proxy
data:
user: root