add secrets for cake

2023-11-09 23:48:37 +01:00 · 2023-11-09 23:48:37 +01:00 · f8627e3a07
parent 1e23664c46
commit f8627e3a07
12 changed files with 96 additions and 4 deletions
--- a/2configs/bam/cam.nix
+++ b/2configs/bam/cam.nix
@ -0,0 +1,11 @@
+{
+  # the pseyecam in the diorama
+  services.udev.extraRules = ''
+    KERNEL=="video*",ATTRS{vendor}=="0x1415", ATTRS{device}=="0x2000", GROUP="video", SYMLINK+="diorama_cam"
+  '';
+  services.mjpg-streamer = {
+      enable = true;
+      inputPlugin = "input_uvc.so -d /dev/diorama_cam -r 640x480 -y -f 30 -q 50 -n";
+      outputPlugin = "output_http.so -w @www@ -n -p 18088";
+  };
+}
--- a/2configs/bam/ha-ara-menu.nix
+++ b/2configs/bam/ha-ara-menu.nix
@ -7,6 +7,8 @@ in
    mode = "0440";
    group = config.users.groups.ara-secrets.name;
  };
+  users.groups.ara-secrets = {};
+
  systemd.services.ha-ara-menu = {
    description = "ha-ara-menu";
    wantedBy = [ "multi-user.target" ];
--- a/2configs/bam/influx.nix
+++ b/2configs/bam/influx.nix
@ -0,0 +1,32 @@
+let
+  collectd-port = 25826;
+  influx-port = 8086;
+  admin-port = 8083;
+  grafana-port = 3000; # TODO nginx forward
+  db = "collectd_db";
+  logging-interface = "enp0s25";
+in {
+  networking.firewall.allowedTCPPorts = [ 3000 influx-port admin-port ];
+
+  services.grafana.enable = true;
+  services.grafana.settings.server.http_addr = "0.0.0.0";
+  services.influxdb.enable = true;
+  systemd.services.influxdb.serviceConfig.LimitNOFILE = 8192;
+
+  services.influxdb.extraConfig = {
+    meta.hostname = config.krebs.build.host.name;
+    # meta.logging-enabled = true;
+    http.bind-address = ":${toString influx-port}";
+    admin.bind-address = ":${toString admin-port}";
+    collectd = [{
+      enabled = true;
+      typesdb = "${pkgs.collectd}/share/collectd/types.db";
+      database = db;
+      bind-address = ":${toString collectd-port}";
+    }];
+  };
+
+  networking.firewall.extraCommands = ''
+    iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT
+  '';
+}
--- a/2configs/bam/inventory4ce.nix
+++ b/2configs/bam/inventory4ce.nix
@ -5,11 +5,11 @@ in
 { 
  users.groups.inventory-secrets = {};

-  sops.secrets.inventory_cert = {
+  sops.secrets.wbob-inventory4ce_cert = {
    mode = "0440";
    group = config.users.groups.inventory-secrets.name;
  };
-  sops.secrets.inventory_key = {
+  sops.secrets.wbob-inventory4ce_key = {
    mode = "0440";
    group = config.users.groups.inventory-secrets.name;
  };
@ -17,8 +17,8 @@ in
    description = "inventory4ce";
    wantedBy = [ "multi-user.target" ];
    environment = {
-      INVENTORY_CERT = config.sops.secrets."inventory_cert".path;
-      INVENTORY_KEY = config.sops.secrets."inventory_key".path;
+      INVENTORY_CERT = config.sops.secrets."wbob-inventory4ce_cert".path;
+      INVENTORY_KEY = config.sops.secrets."wbob-inventory4ce_key".path;
      INVENTORY_PORT = "3001";
      INVENTORY_HOST = "0";
    };
--- a/sops/secrets/cake-retiolum.ed25519_key.priv/machines/cake
+++ b/sops/secrets/cake-retiolum.ed25519_key.priv/machines/cake
--- a/sops/secrets/cake-retiolum.ed25519_key.priv/secret
+++ b/sops/secrets/cake-retiolum.ed25519_key.priv/secret
--- a/sops/secrets/cake-retiolum.ed25519_key.priv/users/makefu
+++ b/sops/secrets/cake-retiolum.ed25519_key.priv/users/makefu
--- a/sops/secrets/cake-ssh_host_rsa.pub/secret
+++ b/sops/secrets/cake-ssh_host_rsa.pub/secret
@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:ydAuQ74xSHXLk12Vm8jbUvMWejFpRqLmiC9VwRUWe0o+EeHOrVerwWCNIpOW1oK7pDVaemiSIXv9IONAAtmaXXs4mXYm+rEqIre/pXFyCld5IXy95edMbqx8P3e1UOoymG/SL4two+BJaQRS6nh2f92dyTZYW721vJ/Jxt9UcHsSRGI/bqaB/lKmwhnsMkcKDr7zre0P/En/3u7iUXNNWdo7nVtMxb2KpV66e8RJHLpt4UeG6D7JncUGqE9IYPXH99piZSpncjDzaVoWD32EREuP4g5Ti09T+ahkUMLhsnEwDRjVX377Wv4MGS2vrevtt9r8+fgHBdTII40qE5koq91ph9v8Gayzs/bSv/u083lTdkhz5j47DchOncOTz/N65H2py2jDlLtnOT9O9lSsl5DtiV2WxKEvemRcc1gxlu/0p/QIxelrZuI9MKBny7LnWeXrLeqvcohIDJM1iAOMD0xhUv/ehPEbZ65XW31GqTgf05Tb753f/Ufe18kavsiTzrE1OaTs8IWCtglCuaOC0xq9ZhM9s35dxApcDxOLTlc7WYAe79TVGgGH/rd8BJEWfDqaLWtp3F+4SicVHm8f7B/ENqHM6Tdq4ndSnDu142zi3H62746XvSwNHsUPTyShai5zdj4EcL3mM9rr09juUUz2+rG8fTfOj1FO4HnBAMhJJBN31etguKsGzCqMOK1ERoFs8b4dyZAtsbaAsgXVA9srN8RnlB4ySOBxrJ3kgDrnFcmitNcPqWZ9o1Ou0lnD8JOydaNHXMHECp1GbJRgG+CEmo0vSKtM6U6QT+X65lvkM6yAlSM/ZBgp9WBM+UhWr4gI+4wWpRQ3sSvorXasOGM8+JPOpKlbyUR0FykH63WZhZ/ZlQ1Vsf/8PqCJK2VMIbeZIVO2MC6tzYkFpG3YdH1unuayIVLaAwHf+LfwKnGvDj1KFvJrMvJv9oxXr0Lyy4EZAMJSxYGNIFt+NglVng==,iv:rXos4YS2gqlPDOOEX6E7TVd10id1BjoNHNNPB8/cQN0=,tag:Cne6rdjCnaU8xxrQAY6oJw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1vh6qdlxzfsy8gquvzwsfz40ezkx9m5m9q8sj4225nh3mr9lrjvrqt079mp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTWd1SVhpR2hCQ2x3ZE1W\nMGZib3Uvc2NFa2pmYXo2ekMxL2RZWnRXMlRzCkFub0g0Ym52Y1JaYkFpdWhkVVlN\neXVpUFE1aUxiSG5ZaFczcXZ6MG4vaEUKLS0tIDc4V3hEK1I5V3RFRGJQZFVMcnR0\nc1ZyeHRnRENlUHpaeHRlSkxIUU1uVU0K5o0oRIu/h7Huof9OZVW0zlw83C5igWRq\nag8neU63XMdJIoWjhT2v4Wo+RuDwjQ8B22DGRht5iUzgQrbdJFdUKg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-11-09T22:45:41Z",
+		"mac": "ENC[AES256_GCM,data:61iQseLqXQ9ASbqt/dxjME3r1wUMeG0T6a4AqcV9sD3ZQyU0tgi5Y/EtNcou8eYLb1EbjqJDrbUaBgXkbcPvWQzRMVdg33nREGXi0uocQBjGqob1CbXx4npjlzBHJZIU/ZtCPBmMj0o20owsPZtTU2Zs7i3fXyIOP44hTVAIpFU=,iv:9mCFckxOlsnH6/HRKkSvxN5bCm8KNfTljDBrnhVDy4Y=,tag:5oLY5GxxmG09Txr+gS9x5g==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.0"
+	}
+}
--- a/sops/secrets/cake-ssh_host_rsa.pub/users/makefu
+++ b/sops/secrets/cake-ssh_host_rsa.pub/users/makefu
@ -0,0 +1 @@
+../../../users/makefu
--- a/sops/secrets/cake-ssh_host_rsa_key/machines/cake
+++ b/sops/secrets/cake-ssh_host_rsa_key/machines/cake
@ -0,0 +1 @@
+../../../machines/cake
--- a/sops/secrets/cake-ssh_host_rsa_key/secret
+++ b/sops/secrets/cake-ssh_host_rsa_key/secret
@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:cBlkb9Lfuu2ar4I6QFPDkTRMpphgKo+GRPGRdt1V2aG818eGM49MMA2uAyYbOkltExPZp0GDra9h+ZCZBk+jvLj0AqFVpXJjpIRSL04jK1Gvp+Ns+tT/XPR1vx50Rxd6epkUtvIqp3OARMSY68PsMDM6tcEBsLzC8a52eD6w06CPVpZZtSCU11gNzMt266xIqRF5/YSefPfjsl8Zzff2n30MtHsInfLjKdmDI4qPKnTIZMtq3GdyIBw/NSE9H0O0Pr1KcpStgkN6hWlEaksL/244FK65aoj6uoGI5ZsBdpTbrEtQQlTi5GHY6pLscg8358Z6cZbj9H5SxNy9IWIc72e4LWO9IvScUHxZ13u99VSdVBzepNwu42PcEKqq8AeSkaw5QYPKQN2rPoxvoRb2RCmu2rB3geFY7WsWAQ486hIbJ/9BSIWI+hoCKDD3zGezasWGJ38swkaGep7K+bA5sfrM5I/26gJ2bH3RFlvk9YDHbg0W46HqX9ISJoa7ZCIgVbDjrws4seOVmdidablXVhUkcg8RWc33LmhM2XNpmLQDmxYVj9qw/75EccEf05vE+WydlOVh5e5W+Mfuntb613nxNj1C+XRdJK9d6uoeLoeXSjQRtOOFvJzHl/2divGNlI5VfgDnWKdfqg7PQtKAT+fDzGqMDUPThA2y33jRi+dKZMMTVJ4DlEmmgjSsj6oEyHvxn7gR3i9VqNdAYJngZn8QEB//lLfrVkPwKVrfdPddXo2imEv45G4P9btaN0WbtsGO9XxRNRryc9v8hTKujxhOVn1qRsvKbZhV6DQuqDTNCI8iAw1xyq7x4pMkU5STOYVyPlHubJbg4gVRWwoU+RpXtcy50ZRlnDGQgRKN2QJ03iHwYHrCgSmp9PVpS//ioRxjGsE2OjoDB3enZ7wzuyxvukzLfE5uhqf/Q8snmXto58bwzQnsfyROQL7PEtxfNKHphi50JFrsUs7NXGEzEvOPYpPvtM93ozuOSIUUNNfB3Pw5TQgh7gFVnGu8SDSM5PAkW1It1ZXia8Q/BayEatu4GVd7eW2eklg3F3eIPh5nByTgtcu81L7kVgSf3suYjjdHBIAIalYJO/82MI2Jlio5yotYPSyFuJYNG9UO/P7NZwMtPrGoPVniHJa3nw5hJoZREAwR6Iu3ozuVm1aqlacJvhCSXIZY8I4IK/SoF4ve7J27/ifUGlJ/jCEsJ4nYSk+JVHu0OT6GoNhNRLhTfZqyMw0a13kMKc6/gbnguEmNW4jeAj74GD0u+cAkxRDO+HYdeLsIXloXIgbUx7Eteb4t60N5i0cPuVu70sO6/n8TGofUwYESd6ZpJ5NfYpO8ns8lMUuncCD8zya8CPKxxE530oPqHA3WUdfxnMLubP0PL7iza4MJyvO+638KDnn1EMyUWgMrwdS56Yx0spVm7wGAerIgwa/Rs/xRKlTETDAa5+Cscj1BedMTLbvknt6nydiuidVNwFOJ8VlaUE2zQY7KCwmQpV83q5zqgA9C1iEBsw2nsJ2G6TdB+uJkKc1NGOaA+BQBJuqMUZtulKBv9nnA9H07UllCCkQG7Cgog98d4a4Z5mY/ubhtWsV9DwSM64xaumY5Ng8/mNPP2TfKZr9IOxPvSvjditp+nxzZ0ijo9zfPkafeHDcqw85gDEQYiEikgSxBp+LjlMHXFtTTxHN/F6Az8s8fql3h5G/wKqdwfqo2hha0jV/PcJ3NAmvV6W7vHZFttqaKukZR7WFjqg1swHv0UxzvDAhUA4rTHv/X/pAzep/xr37Zo+8AB2ZTGRlfcOxvhC2pisBj3+6Wn9IqRSULMsIiDxyAB8qo0TNC8txePG+S4BkKPJRL5NmdS8VVkh4R6zfsItu5cTkseJyRzGzrsDpkroS7WeZPHmOAEBNXPco0RfV92i3fHULYE/6d01nxHsmoEWzDVmdoQJJgCbV2RUSUbuDZiKnZk6qd8rH7j9FH41VRcWE4GlrVumLAVuD28TwrsqFEWz9nuO7V8JbwVkpZPKstHEVPo2399jXLnR+TW1r/UPuxhdD32HA9ehaKd5SOK+APiLUcH9fqjBhPzHJeWxOjmaySiWqocEWS3Zi+ICQVn06A6VonmUAVyoB8x+bRv8d28th7sB7+gN/gQW0QlJ45uTM4YVVcwy+T2cLll5ZV84nFTpGdaeuWPJ8/bKE9Gf4+CgDgO+gtIU0beViuwRxOwx/eZ7f41z+8vpvI2bVkoT11NKAIZJDbdcNTV4Udlo5aZHfgjXqEMCYe2ZQEufZBg8DNC9kLL/evjbxven4GK4K5U3SMii/6Wshtma/r7SgxRBqf7onBUFgx9h0PDhN3N7WlA+riN4GfiPbUKRcli3UdN7+eGZQHjAamw5XfJP5dYMki6J5DWw26d5LvEkKodXflxOLz4gOrTUaAuqhlIBnQDUwCsBIv+gmPb4JXRSaSVy6ia0L4t/PjF+l8EfJjDkHzMtHHHJdtRLIACYFIJnYMY/hGrGa+hUbVGckKx9owFwQWtnocvrsIsNhDtpe+Yjd/v9Pv9uDSSXp0HsSFflRX1fHSgydYK5pO0CQjG8M8jvz/RpvFm09JdBvlCpYLPw2TGmp7ioXXBR4UM8VAm/fFpb3rCx6vPDqeIYEalazy2wY8j2qKJ4ZU5xiwsD/Joe9bNArx4+X1Q9/N+KdDxWgawDwaNch0wPe1U9RbdP8ClLzf8KcyhPy6ox1gYJ8NJ759i45YoSkcAdcl0mOMq5TSwYTZ8XzWAJlzlxau6C5PhaqvG3Ppdl0yYrMDPkqI6ke0cDWueclhz6ZcQLZQP41t8IMfeMRk0jO2p3bJnPBI4zC2MTtkQDtZI0jTzi3+2I8MlIiH+0BAHoHxlpfJBKfcdMFEw44sh74SJP7AYiBOdBGAcVTrd7mpGhfC9zKnu5KViVRZOVCp1wi9j5e0+eT8Z5LBqtzobtLgHOE9ZpCtVXQdQxNl3POXp+59D7QEnzScF0ESwK0A0VdoEMwNIXjHtuBOHWuXu5ScE9Gx18GnQvF7ZfyEqn3GZiTDBboC6R2smaZbyhI8vCddZL0sicg3FYD+PsGxIlJqDByB8dzoZWlcpE+tUpLh7s0HTMekkK+o3tr8GH1PKDyrFkQsc6DjqH7ms0GpldnvnGl7aHE6p4aHIu9tt1UgjD5yUhPH6y9ETzRLOXrJIi9xxWdkyb2+bJOOtJk8/e0oarZM7vSh5Uq1zQGrVir8MZlAccLH8MaXYVSsm2CGG/Cmhqy3kRARjAnjG/83Jct9+q6LBZ+boRbdvDW658TY1rFAdRnDOo4a+asKQZDei/1z0KKMmF41qaqSHyJ1Gs6JXujmdtrOjo/Lx+ECC08Hxj18UFqat8V9/qUMwohRVYd4MUvsT1zJaA+Uj1ddbAbPjSfDxQRw/hB27o6mNRwuhQFr7B38BAzxjBTdxDQeh7ZphBpNF9DkYKnAWzIXCK+JoOBuOjgB51k0P3lE44RWQ6os1fjnmcN6cc8oMNvBGRObFLcxP3F05T9gMmZ3isLRaa04+ub7YfmiCEdVHAZTftpIkAvhxYvS35ttgNwO/BJqMEXM8JRXN3sN73UmKDBP/xwAuXQsAPIR7xki5vSAb6AV7ohD4AR8iJxVq5e3N3GU9ghOCNyMvWGJx7DcqTuFsLSN66FhjSumezvioOXkJL2XuYmZI918yKfVK0UHu1Zg+PnKw2WxjjS6Xl0QK1q/P5unyoDlCoCk5fxyjR/pqwTU/ENzNUd2KwFKkPBU3qQe4yPJudH+3jHONVCNw4YGy9vjlj4o35A3jXpS6Ogui6Y1M3ecRwuJYNCqt0zkFGcgD90Yzyw3Q27nFAAi7UAlyW2LbsSZMZfvwG04j/rHzJfGHdG4UstlcjoSgfMQ5JYe1JR8Zwj85XAOD6S7EuQSmRiRuclCPeWqjLdGpF6hQXxcKFqLKLx/ENCsSf3dWVPfhcohSSDS+mh7ApUJ1jMg2HgWIH28TRxOam4U8Ht7TjSJdevSXpGwKMh2KM5uHsPeH+mLiMK63XQN1oKtxgC5lXbQ7vyhGAK1dhtJBAxtucT1A17vI1WaSxiWBUsL65W432y23lr8bOt5R6qKjukX3RJy6ilBXQh4HTfNx5ITApq801GRtMWbVnsvjRP0Ujpnjpz7uouyFYR5bRGDMFFG6DBKFZv6uPx21GY59p2NvlQqMboUcdEfQiC6oI3oFra1ugFjquiukgyKJ9GNMYNWOETTMObJzmyFVWVHF0lRopnJX7LF1zCfWiqw7SzUPOo8IQ/tkw09gaUF/VBHD9xM2B0y/UZcjHCwTwvCF91F786l0KyUsbxCKJ5Vr/JQSsFXul3g/mJFyq3NKVAe5DQzMqCFJdEgc6epld4EnXje5Dmd5D16rewL0OM9K6aQ4QpanZzhNWZJRFKd95+8yWwQLeJvIuEk2UV1MydEwzcE3buA2TXXOfr87gOqdCXf2zZqt+GL6rtzyySviSQC4jRQq22x,iv:Y53MRnFxhX38fbxiIVRoWYx+Pbgj0n8qiY8p/OTKp04=,tag:fsRKrt6l7F5iQRQ2AOrq0w==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age12xhv7z8w3zaq2c0mf940a8afnardplye9fd6p2m5ynnck3k7vd7q00sqjy",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNGx3UGhaZ3lUalVGWm4w\nQUlVNFl2ZmpjSDcrWUNMRFhhTjZGdWx3R0VZCkxJdG5GV2RZYm9GWitmbGcwczd3\nWUdscmFyRW5XN09JNjltOGM5bzJjNkEKLS0tIHIxT0lSZ204b2cwK05JeVQxaVRU\ndHdvejZtQmVETTc0RVg1M0RQQWEwT2MKI+YSP0pgfiEoLzUeH2J9302eKvh95Xcp\nQrz58XX2f0KaqB2b4HK3X2M3nr6aqEE6L++NdHPpT0LvyupaCVPc6Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vh6qdlxzfsy8gquvzwsfz40ezkx9m5m9q8sj4225nh3mr9lrjvrqt079mp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlUHVXazdiOXBjL3FYem93\nSHAvQUIzS3RVZkMrTThBZUtYeDdZaXJnM3pNCkVwT2ZKUVROa0VrVmRsR2w4LzJX\nTCtZYkVmdkUwTHZxcWtzTjkzRTltN2MKLS0tIHE4Y3ljaW1HeDJJd095NTNHb2o5\nR05pc2F1MXBIbWI2b3dXUzR6YTRxVWcKYhuAx5dxgqEILVp+3Y3yKN2ZyOWTKu0U\nrUd+LaP9ax7DWZ1Z3SHHBXzlyT85cnCKjiWWIbHoaVoXju7szgRVcw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-11-09T22:45:46Z",
+		"mac": "ENC[AES256_GCM,data:vv5r+46ZByrSAkVgW4cSA7oetoggtJcNIy77Sczxsxph1ZO/0pAdMt+yLf7PZd8AqhuUIqxHa0hfM3EOZlWHP3wZnsc1YbhcLoEIMnlSoBIXne19rI8tsZyyULYKNKH1ypEBsoUBXR5L9xXfi857udov07h8MeHzmekd0ckMrFg=,iv:JVUH1PW1CbTDRxHsItWUjMxcp+9tPnW1CraDF/NY+IM=,tag:uw6ogC1xe0vdA1vgngbbXg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.0"
+	}
+}
--- a/sops/secrets/cake-ssh_host_rsa_key/users/makefu
+++ b/sops/secrets/cake-ssh_host_rsa_key/users/makefu
@ -0,0 +1 @@
+../../../users/makefu