Add vault-secrets (part 1)

Vivian 2021-11-16 16:28:55 +01:00
parent 3f3decd50e
commit c0b31b3606
3 changed files with 387 additions and 95 deletions


@ -36,6 +36,148 @@
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1627913399,
"narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2",
"type": "github"
},
"original": {
"id": "flake-compat",
"type": "indirect"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1627913399,
"narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2",
"type": "github"
},
"original": {
"id": "flake-compat",
"type": "indirect"
}
},
"flake-utils": {
"locked": {
"lastModified": 1631561581,
"narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1631561581,
"narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"gitignore-nix": {
"flake": false,
"locked": {
"lastModified": 1611672876,
"narHash": "sha256-qHu3uZ/o9jBHiA3MEKHJ06k7w4heOhA+4HCSIvflRxo=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "211907489e9f198594c0eb0ca9256a1949c9d412",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"lowdown-src": {
"flake": false,
"locked": {
"lastModified": 1632468475,
"narHash": "sha256-NNOm9CbdA8cuwbvaBHslGbPTiU6bh1Ao+MpEPx4rSGo=",
"owner": "kristapsdz",
"repo": "lowdown",
"rev": "6bd668af3fd098bdd07a1bedd399564141e275da",
"type": "github"
},
"original": {
"owner": "kristapsdz",
"repo": "lowdown",
"type": "github"
}
},
"lowdown-src_2": {
"flake": false,
"locked": {
"lastModified": 1632468475,
"narHash": "sha256-NNOm9CbdA8cuwbvaBHslGbPTiU6bh1Ao+MpEPx4rSGo=",
"owner": "kristapsdz",
"repo": "lowdown",
"rev": "6bd668af3fd098bdd07a1bedd399564141e275da",
"type": "github"
},
"original": {
"owner": "kristapsdz",
"repo": "lowdown",
"type": "github"
}
},
"nix": {
"inputs": {
"lowdown-src": "lowdown-src",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1633098935,
"narHash": "sha256-UtuBczommNLwUNEnfRI7822z4vPA7OoRKsgAZ8zsHQI=",
"owner": "nixos",
"repo": "nix",
"rev": "4f496150eb4e0012914c11f0a3ff4df2412b1d09",
"type": "github"
},
"original": {
"id": "nix",
"type": "indirect"
}
},
"nix_2": {
"inputs": {
"lowdown-src": "lowdown-src_2",
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1633098935,
"narHash": "sha256-UtuBczommNLwUNEnfRI7822z4vPA7OoRKsgAZ8zsHQI=",
"owner": "nixos",
"repo": "nix",
"rev": "4f496150eb4e0012914c11f0a3ff4df2412b1d09",
"type": "github"
},
"original": {
"id": "nix",
"type": "indirect"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1632086102,
@ -68,10 +210,92 @@
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1632864508,
"narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "82891b5e2c2359d7e58d08849e4c89511ab94234",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-21.05-small",
"type": "indirect"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1632495107,
"narHash": "sha256-4NGE56r+FJGBaCYu3CTH4O83Ys4TrtnEPXrvdwg1TDs=",
"owner": "serokell",
"repo": "nixpkgs",
"rev": "be220b2dc47092c1e739bf6aaf630f29e71fe1c4",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1632864508,
"narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "82891b5e2c2359d7e58d08849e4c89511ab94234",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-21.05-small",
"type": "indirect"
}
},
"nixpkgs_6": {
"locked": {
"lastModified": 1632495107,
"narHash": "sha256-4NGE56r+FJGBaCYu3CTH4O83Ys4TrtnEPXrvdwg1TDs=",
"owner": "serokell",
"repo": "nixpkgs",
"rev": "be220b2dc47092c1e739bf6aaf630f29e71fe1c4",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"root": {
"inputs": {
"deploy-rs": "deploy-rs",
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_2",
"serokell-nix": "serokell-nix",
"vault-secrets": "vault-secrets"
}
},
"serokell-nix": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils",
"gitignore-nix": "gitignore-nix",
"nix": "nix",
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1636829084,
"narHash": "sha256-ZlfUAsiJt0uq5TBrtBWYwuoFaxJu3LiHKTHrLePI+Do=",
"owner": "serokell",
"repo": "serokell.nix",
"rev": "3feedad5710f94ae18483249b7e7d12d4549f4b4",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "serokell.nix",
"type": "github"
}
},
"utils": {
@ -88,6 +312,27 @@
"repo": "flake-utils",
"type": "github"
}
},
"vault-secrets": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_2",
"nix": "nix_2",
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1633626134,
"narHash": "sha256-fvd+l1iuH+ufwNIt6ppZnIfMs+BEj5dtIAKmGKTbaCQ=",
"owner": "serokell",
"repo": "vault-secrets",
"rev": "1bf4a02eea83d3042bd3d1e2f2266b15077b48b4",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "vault-secrets",
"type": "github"
}
}
},
"root": "root",

flake.nix

@ -1,94 +1,132 @@
{
description = "Delft Deployment";
inputs.deploy-rs.url = "github:serokell/deploy-rs";
inputs.nixpkgs.url = "github:NixOS/nixpkgs/master";
outputs = { self, nixpkgs, deploy-rs }: {
nixosConfigurations.bastion = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./hosts/bastion/configuration.nix ];
};
nixosConfigurations.k3s = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./hosts/k3s/configuration.nix ];
};
nixosConfigurations.vault = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ./hosts/vault/configuration.nix ];
};
nixosConfigurations.mosquitto = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ./hosts/mosquitto/configuration.nix ];
};
nixosConfigurations.nginx = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ./hosts/nginx/configuration.nix ];
};
nixosConfigurations.consul = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ./hosts/consul/configuration.nix ];
};
deploy.nodes.bastion = {
hostname = "10.42.42.4";
fastConnection = true;
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.bastion;
};
};
deploy.nodes.k3s-node1 = {
hostname = "10.42.42.10";
fastConnection = true;
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.k3s;
};
};
deploy.nodes.vault = {
hostname = "10.42.42.6";
fastConnection = true;
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vault;
};
};
deploy.nodes.mosquitto = {
hostname = "10.42.42.7";
fastConnection = true;
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.mosquitto;
};
};
deploy.nodes.nginx = {
hostname = "10.42.42.9";
fastConnection = true;
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.nginx;
};
};
deploy.nodes.consul = {
hostname = "10.42.42.14";
fastConnection = true;
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.consul;
};
};
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
inputs = {
deploy-rs.url = "github:serokell/deploy-rs";
nixpkgs.url = "github:NixOS/nixpkgs/master";
serokell-nix.url = "github:serokell/serokell.nix";
vault-secrets.url = "github:serokell/vault-secrets";
};
outputs = { self, nixpkgs, deploy-rs, vault-secrets, serokell-nix, ... }:
let system = "x86_64-linux";
in {
nixosConfigurations.bastion = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./hosts/bastion/configuration.nix ];
};
nixosConfigurations.k3s = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [ ./hosts/k3s/configuration.nix ];
};
nixosConfigurations.vault = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
./hosts/vault/configuration.nix
];
};
nixosConfigurations.mosquitto = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
./hosts/mosquitto/configuration.nix
];
};
nixosConfigurations.nginx = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
./hosts/nginx/configuration.nix
];
};
nixosConfigurations.consul = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
./hosts/consul/configuration.nix
];
};
deploy.nodes.bastion = {
hostname = "10.42.42.4";
fastConnection = true;
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.bastion;
};
};
deploy.nodes.k3s-node1 = {
hostname = "10.42.42.10";
fastConnection = true;
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.k3s;
};
};
deploy.nodes.vault = {
hostname = "10.42.42.6";
fastConnection = true;
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.vault;
};
};
deploy.nodes.mosquitto = {
hostname = "10.42.42.7";
fastConnection = true;
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.mosquitto;
};
};
deploy.nodes.nginx = {
hostname = "10.42.42.9";
fastConnection = true;
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.nginx;
};
};
deploy.nodes.consul = {
hostname = "10.42.42.14";
fastConnection = true;
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.consul;
};
};
devShell.${system} = let
pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system}
[ vault-secrets.overlay ];
in pkgs.mkShell {
buildInputs = [
deploy-rs.packages.${system}.deploy-rs
pkgs.vault
(pkgs.vault-push-approle-envs self)
(pkgs.vault-push-approles self)
pkgs.nixUnstable
];
};
checks = builtins.mapAttrs
(system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
};
}
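Review bot: The new `let system = "x86_64-linux"; in` binding is only consumed by `devShell.${system}`; the six `nixosSystem` blocks still hard-code `system = "x86_64-linux";` and every deploy profile still spells out `deploy-rs.lib.x86_64-linux.activate.nixos`, so the two can now drift apart silently — use `inherit system;` in the configurations and `deploy-rs.lib.${system}.activate.nixos` in the profiles. The new `serokell-nix` and `vault-secrets` inputs are not told to reuse the root nixpkgs, which is why the lock section above now carries separate `nixpkgs_3` … `nixpkgs_6`, `nix`/`nix_2` and `flake-utils`/`flake-utils_2` copies at different revisions; adding `serokell-nix.inputs.nixpkgs.follows = "nixpkgs";` and `vault-secrets.inputs.nixpkgs.follows = "nixpkgs";` to `inputs` keeps one pinned nixpkgs to audit and update. `pkgs.vault-push-approle-envs self` and `pkgs.vault-push-approles self` presumably derive their work from the `vault-secrets` options of `self.nixosConfigurations`, yet none of the six configurations imports the vault-secrets NixOS module in this commit, so the dev-shell tools have nothing to act on until the follow-up lands; a one-line comment such as `# vault-secrets module is wired into hosts in part 2` above `devShell` would make that intent explicit.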


@ -2,9 +2,18 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
{ pkgs, ... }:
let
fix-vscode = pkgs.writeScriptBin "fix-vscode" ''
#!${pkgs.stdenv.shell}
if [[ -d "$HOME/.vscode-server/bin" ]]; then
for versiondir in "$HOME"/.vscode-server/bin/*; do
rm "$versiondir/node"
ln -s "${pkgs.nodejs-14_x}/bin/node" "$versiondir/node"
done
fi
'';
in {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
@ -30,11 +39,11 @@
# Additional packages
environment.systemPackages = with pkgs; [
fix-vscode
fluxcd
k9s
kubectl
kubectx
nodejs-14_x
nixfmt
ripgrep
rsync
@ -42,7 +51,7 @@
vault
vim
];
#
programs.gnupg.agent = {
enable = true;
pinentryFlavor = "curses";