From c0b31b3606d9d187290a05a2d0264564fb2d8d32 Mon Sep 17 00:00:00 2001 From: Victor Date: Tue, 16 Nov 2021 16:28:55 +0100 Subject: [PATCH] Add vault-secrets (part 1) --- flake.lock | 247 +++++++++++++++++++++++++++++++- flake.nix | 216 ++++++++++++++++------------ hosts/bastion/configuration.nix | 19 ++- 3 files changed, 387 insertions(+), 95 deletions(-) diff --git a/flake.lock b/flake.lock index b7acada..a1d2ffc 100644 --- a/flake.lock +++ b/flake.lock 
@@ -36,6 +36,148 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1627913399, + "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2", + "type": "github" + }, + "original": { + "id": "flake-compat", + "type": "indirect" + } + }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1627913399, + "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2", + "type": "github" + }, + "original": { + "id": "flake-compat", + "type": "indirect" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1631561581, + "narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "flake-utils_2": { + "locked": { + "lastModified": 1631561581, + "narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "gitignore-nix": { + "flake": false, + "locked": { + "lastModified": 1611672876, + "narHash": "sha256-qHu3uZ/o9jBHiA3MEKHJ06k7w4heOhA+4HCSIvflRxo=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "211907489e9f198594c0eb0ca9256a1949c9d412", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "lowdown-src": { + "flake": false, + "locked": { + "lastModified": 1632468475, + "narHash": "sha256-NNOm9CbdA8cuwbvaBHslGbPTiU6bh1Ao+MpEPx4rSGo=", + "owner": "kristapsdz", + "repo": "lowdown", + "rev": 
"6bd668af3fd098bdd07a1bedd399564141e275da", + "type": "github" + }, + "original": { + "owner": "kristapsdz", + "repo": "lowdown", + "type": "github" + } + }, + "lowdown-src_2": { + "flake": false, + "locked": { + "lastModified": 1632468475, + "narHash": "sha256-NNOm9CbdA8cuwbvaBHslGbPTiU6bh1Ao+MpEPx4rSGo=", + "owner": "kristapsdz", + "repo": "lowdown", + "rev": "6bd668af3fd098bdd07a1bedd399564141e275da", + "type": "github" + }, + "original": { + "owner": "kristapsdz", + "repo": "lowdown", + "type": "github" + } + }, + "nix": { + "inputs": { + "lowdown-src": "lowdown-src", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1633098935, + "narHash": "sha256-UtuBczommNLwUNEnfRI7822z4vPA7OoRKsgAZ8zsHQI=", + "owner": "nixos", + "repo": "nix", + "rev": "4f496150eb4e0012914c11f0a3ff4df2412b1d09", + "type": "github" + }, + "original": { + "id": "nix", + "type": "indirect" + } + }, + "nix_2": { + "inputs": { + "lowdown-src": "lowdown-src_2", + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1633098935, + "narHash": "sha256-UtuBczommNLwUNEnfRI7822z4vPA7OoRKsgAZ8zsHQI=", + "owner": "nixos", + "repo": "nix", + "rev": "4f496150eb4e0012914c11f0a3ff4df2412b1d09", + "type": "github" + }, + "original": { + "id": "nix", + "type": "indirect" + } + }, "nixpkgs": { "locked": { "lastModified": 1632086102, 
@@ -68,10 +210,92 @@ "type": "github" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1632864508, + "narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "82891b5e2c2359d7e58d08849e4c89511ab94234", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-21.05-small", + "type": "indirect" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1632495107, + "narHash": "sha256-4NGE56r+FJGBaCYu3CTH4O83Ys4TrtnEPXrvdwg1TDs=", + "owner": "serokell", + "repo": "nixpkgs", + "rev": "be220b2dc47092c1e739bf6aaf630f29e71fe1c4", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1632864508, + "narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "82891b5e2c2359d7e58d08849e4c89511ab94234", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-21.05-small", + "type": "indirect" + } + }, + "nixpkgs_6": { + "locked": { + "lastModified": 1632495107, + "narHash": "sha256-4NGE56r+FJGBaCYu3CTH4O83Ys4TrtnEPXrvdwg1TDs=", + "owner": "serokell", + "repo": "nixpkgs", + "rev": "be220b2dc47092c1e739bf6aaf630f29e71fe1c4", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, "root": { "inputs": { "deploy-rs": "deploy-rs", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_2", + "serokell-nix": "serokell-nix", + "vault-secrets": "vault-secrets" + } + }, + "serokell-nix": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils", + "gitignore-nix": "gitignore-nix", + "nix": "nix", + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1636829084, + "narHash": "sha256-ZlfUAsiJt0uq5TBrtBWYwuoFaxJu3LiHKTHrLePI+Do=", + "owner": "serokell", + "repo": "serokell.nix", + "rev": "3feedad5710f94ae18483249b7e7d12d4549f4b4", + "type": "github" + }, + "original": { + "owner": "serokell", + 
"repo": "serokell.nix", + "type": "github" } }, "utils": { @@ -88,6 +312,27 @@ "repo": "flake-utils", "type": "github" } + }, + "vault-secrets": { + "inputs": { + "flake-compat": "flake-compat_3", + "flake-utils": "flake-utils_2", + "nix": "nix_2", + "nixpkgs": "nixpkgs_6" + }, + "locked": { + "lastModified": 1633626134, + "narHash": "sha256-fvd+l1iuH+ufwNIt6ppZnIfMs+BEj5dtIAKmGKTbaCQ=", + "owner": "serokell", + "repo": "vault-secrets", + "rev": "1bf4a02eea83d3042bd3d1e2f2266b15077b48b4", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "vault-secrets", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index e53e439..7f23198 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,94 +1,132 @@ { description = "Delft Deployment"; - inputs.deploy-rs.url = "github:serokell/deploy-rs"; - inputs.nixpkgs.url = "github:NixOS/nixpkgs/master"; - - outputs = { self, nixpkgs, deploy-rs }: { - nixosConfigurations.bastion = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ ./hosts/bastion/configuration.nix ]; - }; - - nixosConfigurations.k3s = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ ./hosts/k3s/configuration.nix ]; - }; - - nixosConfigurations.vault = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ./hosts/vault/configuration.nix ]; - }; - - nixosConfigurations.mosquitto = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ./hosts/mosquitto/configuration.nix ]; - }; - - nixosConfigurations.nginx = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ./hosts/nginx/configuration.nix ]; - }; - - nixosConfigurations.consul = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ./hosts/consul/configuration.nix ]; - }; - - deploy.nodes.bastion = { - hostname = "10.42.42.4"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.bastion; - }; - }; - - deploy.nodes.k3s-node1 = { - hostname = "10.42.42.10"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.k3s; - }; - }; - - deploy.nodes.vault = { - hostname = "10.42.42.6"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vault; - }; - }; - - deploy.nodes.mosquitto = { - hostname = "10.42.42.7"; - 
fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.mosquitto; - }; - }; - - deploy.nodes.nginx = { - hostname = "10.42.42.9"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.nginx; - }; - }; - - deploy.nodes.consul = { - hostname = "10.42.42.14"; - fastConnection = true; - profiles.system = { - user = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.consul; - }; - }; - - checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + inputs = { + deploy-rs.url = "github:serokell/deploy-rs"; + nixpkgs.url = "github:NixOS/nixpkgs/master"; + serokell-nix.url = "github:serokell/serokell.nix"; + vault-secrets.url = "github:serokell/vault-secrets"; }; + + outputs = { self, nixpkgs, deploy-rs, vault-secrets, serokell-nix, ... }: + let system = "x86_64-linux"; + in { + nixosConfigurations.bastion = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ ./hosts/bastion/configuration.nix ]; + }; + + nixosConfigurations.k3s = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ ./hosts/k3s/configuration.nix ]; + }; + + nixosConfigurations.vault = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" + ./hosts/vault/configuration.nix + ]; + }; + + nixosConfigurations.mosquitto = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" + ./hosts/mosquitto/configuration.nix + ]; + }; + + nixosConfigurations.nginx = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" + ./hosts/nginx/configuration.nix + ]; + }; + + nixosConfigurations.consul = nixpkgs.lib.nixosSystem { + system = 
"x86_64-linux"; + modules = [ + "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" + ./hosts/consul/configuration.nix + ]; + }; + + deploy.nodes.bastion = { + hostname = "10.42.42.4"; + fastConnection = true; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.bastion; + }; + }; + + deploy.nodes.k3s-node1 = { + hostname = "10.42.42.10"; + fastConnection = true; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.k3s; + }; + }; + + deploy.nodes.vault = { + hostname = "10.42.42.6"; + fastConnection = true; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.vault; + }; + }; + + deploy.nodes.mosquitto = { + hostname = "10.42.42.7"; + fastConnection = true; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.mosquitto; + }; + }; + + deploy.nodes.nginx = { + hostname = "10.42.42.9"; + fastConnection = true; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.nginx; + }; + }; + + deploy.nodes.consul = { + hostname = "10.42.42.14"; + fastConnection = true; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.consul; + }; + }; + + devShell.${system} = let + pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} + [ vault-secrets.overlay ]; + in pkgs.mkShell { + buildInputs = [ + deploy-rs.packages.${system}.deploy-rs + pkgs.vault + (pkgs.vault-push-approle-envs self) + (pkgs.vault-push-approles self) + pkgs.nixUnstable + ]; + }; + + checks = builtins.mapAttrs + (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + }; } diff --git a/hosts/bastion/configuration.nix b/hosts/bastion/configuration.nix index 06bd4fc..833e921 100644 
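Review bot: The new `let system = "x86_64-linux"; in` binding is only used by `devShell.${system}`; the six `nixosSystem` blocks still repeat the literal `system = "x86_64-linux";` and every deploy profile still spells `deploy-rs.lib.x86_64-linux.activate.nixos`, so the binding is not yet a single source of truth. Writing `inherit system;` in each nixosSystem block and `deploy-rs.lib.${system}.activate.nixos` in the profiles would let one edit move the whole deployment to another platform. The `checks` lambda's `system:` parameter shadows the let-bound name, which reads as if it referred to the same value; renaming it (e.g. `sys:`) avoids the ambiguity. The devShell also adds `(pkgs.vault-push-approle-envs self)` and `(pkgs.vault-push-approles self)`, whose effect depends on vault-secrets options that no host in this commit declares; a comment such as `# AppRole push helpers; per-host vault-secrets options are introduced in a later part` would explain why they are present in part 1.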
--- a/hosts/bastion/configuration.nix +++ b/hosts/bastion/configuration.nix @@ -2,9 +2,18 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, ... }: - -{ +{ pkgs, ... }: +let + fix-vscode = pkgs.writeScriptBin "fix-vscode" '' + #!${pkgs.stdenv.shell} + if [[ -d "$HOME/.vscode-server/bin" ]]; then + for versiondir in "$HOME"/.vscode-server/bin/*; do + rm "$versiondir/node" + ln -s "${pkgs.nodejs-14_x}/bin/node" "$versiondir/node" + done + fi + ''; +in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix @@ -30,11 +39,11 @@ # Additional packages environment.systemPackages = with pkgs; [ + fix-vscode fluxcd k9s kubectl kubectx - nodejs-14_x nixfmt ripgrep rsync @@ -42,7 +51,7 @@ vault vim ]; - # + programs.gnupg.agent = { enable = true; pinentryFlavor = "curses";
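Review bot: In the `fix-vscode` script, `rm "$versiondir/node"` fails when the file is absent and `ln -s` fails when the link already exists, and because the script sets no `set -e` both errors are printed and ignored, so a re-run can leave a version directory half-fixed; `ln -sfn "${pkgs.nodejs-14_x}/bin/node" "$versiondir/node"` replaces both lines idempotently. The `"$HOME"/.vscode-server/bin/*` glob expands to itself when the directory is empty, so the loop body would run once with a literal `*` path; `shopt -s nullglob` before the `for` (or looping over `"$HOME"/.vscode-server/bin/*/`) prevents that. `pkgs.writeShellScriptBin` would supply the shebang line instead of the hand-written `#!${pkgs.stdenv.shell}`. The second hunk drops `nodejs-14_x` from `environment.systemPackages`, which removes `node` from users' PATH while the store path stays in the closure via the script; if that is intended, a short comment next to `fix-vscode` in the package list would save the next reader the question.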