From 8c87e68fdf932184bc429e0d406e65dc57d06caa Mon Sep 17 00:00:00 2001 From: ahuston-0 Date: Sat, 27 Apr 2024 20:48:44 -0400 Subject: [PATCH] Add NUT to palatine-hill and add SOPS merging Signed-off-by: ahuston-0 --- .sops.yaml | 7 ++- sops-mergetool.sh | 79 +++++++++++++++++++++++++ systems/palatine-hill/configuration.nix | 15 +++++ systems/palatine-hill/secrets.yaml | 76 +++++++++--------------- 4 files changed, 127 insertions(+), 50 deletions(-) create mode 100755 sops-mergetool.sh diff --git a/.sops.yaml b/.sops.yaml index 75b2b08..9b8252a 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -27,6 +27,7 @@ servers: &servers # then have someone already in the repo run the below # # update keys by executing: sops updatekeys secrets.yaml +# note: add .* before \.yaml if you'd like to use the mergetool config creation_rules: - path_regex: systems/jeeves/secrets\.yaml$ key_groups: @@ -40,7 +41,7 @@ creation_rules: age: - *jeeves-jr - - path_regex: users/alice/secrets\.yaml$ + - path_regex: users/alice/secrets.*\.yaml$ key_groups: - pgp: - *admin_alice @@ -50,7 +51,7 @@ creation_rules: - *jeeves-jr - *artemision - - path_regex: systems/palatine-hill/secrets\.yaml$ + - path_regex: systems/palatine-hill/secrets.*\.yaml$ key_groups: - pgp: - *admin_alice @@ -64,7 +65,7 @@ creation_rules: age: - *palatine-hill - - path_regex: users/alice/systems/artemision/secrets\.yaml$ + - path_regex: users/alice/systems/artemision/secrets.*\.yaml$ key_groups: - pgp: - *admin_alice diff --git a/sops-mergetool.sh b/sops-mergetool.sh new file mode 100755 index 0000000..3f833ea --- /dev/null +++ b/sops-mergetool.sh 
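Review bot: The widened `path_regex` patterns in the three changed rules (`users/alice/secrets.*\.yaml$`, `systems/palatine-hill/secrets.*\.yaml$`, `users/alice/systems/artemision/secrets.*\.yaml$`) use `.*`, which also matches `/`, so any `*.yaml` below a directory whose name starts with `secrets` would now be encrypted to these key groups as well. If the only goal is to match the mergetool's `secrets_BASE_1234.decrypted.yaml`-style temporary names in the same directory, `secrets[^/]*\.yaml$` expresses that without widening the rule to subdirectories. The guidance comment at the top of `creation_rules` could then read `# note: use secrets[^/]*\.yaml$ if you'd like the mergetool's *_BASE_*.decrypted.yaml temp files to match`. The jeeves rule is left on the strict pattern, which is fine as long as that host's secrets are never merged with the tool.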
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+# Exit on first error and verify variables have been set/passed via CLI
+set -eu
+
+# Rename our variables to friendlier equivalents
+# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
+base="$1"; local_="$2"; remote="$3"; merged="$4"
+
+# Resolve our default mergetool
+# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3
+mergetool="$(git config --get merge.tool)"
+GIT_DIR="$(git --exec-path)"
+if test "$mergetool" = ""; then
+ echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool \`" 1>&2
+ exit 1
+fi
+
+# Create file names for our decrypted contents
+# example_LOCAL_2823.yaml -> example_LOCAL_2823.decrypted.yaml
+extension=".${base##*.}"
+base_decrypted="${base/$extension/.decrypted$extension}"
+local_decrypted="${local_/$extension/.decrypted$extension}"
+remote_decrypted="${remote/$extension/.decrypted$extension}"
+merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
+backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
+
+# If anything goes wrong, then delete our decrypted files
+handle_trap_exit () {
+ rm $base_decrypted || true
+ rm $local_decrypted || true
+ rm $remote_decrypted || true
+ rm $merged_decrypted || true
+ rm $backup_decrypted || true
+}
+trap handle_trap_exit EXIT
+
+# Decrypt our file contents
+sops --decrypt --show-master-keys "$base" > "$base_decrypted"
+sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
+sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
+
+# Create a merge-diff to compare against
+set +e
+git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
+set -e
+cp "$merged_decrypted" "$backup_decrypted"
+
+# Set up variables for our mergetool
+# https://github.com/git/git/blob/v2.8.2/mergetools/meld
+# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L95-L111
+export LOCAL="$local_decrypted"
+export BASE="$base_decrypted"
+export 
REMOTE="$remote_decrypted" +export MERGED="$merged_decrypted" +export BACKUP="$backup_decrypted" + +# Load our mergetool scripts +source "$GIT_DIR/git-mergetool--lib" +source "$GIT_DIR/mergetools/$mergetool" + +# Override `check_unchanged` with a custom script +check_unchanged () { + # If the contents haven't changed, then fail + if test "$MERGED" -nt "$BACKUP"; then + return 0 + else + exit 1 + fi +} + +# Run our mergetool +set +eu +export merge_tool_path="$(get_merge_tool_path "$mergetool")" +merge_cmd +set -eu + +# Re-encrypt content +sops --encrypt "$merged_decrypted" > "$merged" + diff --git a/systems/palatine-hill/configuration.nix b/systems/palatine-hill/configuration.nix index c7b0301..9a44917 100644 --- a/systems/palatine-hill/configuration.nix +++ b/systems/palatine-hill/configuration.nix @@ -237,6 +237,20 @@ in nix.gc.options = "--delete-older-than 150d"; + power.ups = { + enable = true; + ups."LX1325GU3" = { + driver = "usbhid-ups"; + port = "auto"; + description = "CyberPower LX1325GU3"; + }; + users.upsmon = { + passwordFile = config.sops.secrets."upsmon/password".path; + upsmon = "primary"; + }; + upsmon.monitor."LX1325GU3".user = "upsmon"; + }; + sops = { defaultSopsFile = ./secrets.yaml; secrets = @@ -252,6 +266,7 @@ in group = "hydra"; mode = "440"; }; + "upsmon/password".owner = "upsmon"; } // keygen "zfs-attic-key" // keygen "zfs-backup-key" diff --git a/systems/palatine-hill/secrets.yaml b/systems/palatine-hill/secrets.yaml index c4f60ce..12e6a43 100644 --- a/systems/palatine-hill/secrets.yaml +++ b/systems/palatine-hill/secrets.yaml 
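Review bot: The `merge.tool` guard is unreachable: under `set -eu`, `mergetool="$(git config --get merge.tool)"` aborts the script when the key is unset because `git config --get` exits non-zero, so the friendly message in the `if test "$mergetool" = ""` block never prints; use `mergetool="$(git config --get merge.tool || true)"` (and the hint should read `git config merge.tool <tool>`, since `--set` is not a `git config` option). `handle_trap_exit` removes unquoted paths and silences every error, so a path containing a space is word-split and a leftover plaintext file goes unnoticed; `rm -f -- "$base_decrypted" "$local_decrypted" "$remote_decrypted" "$merged_decrypted" "$backup_decrypted"` is one line and quiet only for files that are already gone. Reusing `GIT_DIR` to hold `git --exec-path` shadows git's own environment variable of that name; if git exports it into the merge driver's environment, the sourced `git-mergetool--lib` and the later `git` calls would see the exec path as the repository directory, so a neutral name such as `git_exec_path` is safer. The decrypted copies are written next to the secrets file with the caller's umask; a `umask 077` before the `sops --decrypt` lines keeps the plaintext unreadable to other local users for the time it exists.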
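Review bot: `"upsmon/password".owner = "upsmon"` makes sops-nix chown the secret to a Unix account named `upsmon`, but the `users.upsmon` declared in the `power.ups` block of the earlier hunk is an upsd login, not necessarily a system user; unless such an account exists at activation time, the secret cannot be owned by it and the NUT services may be unable to read `passwordFile`. Confirm which Unix user upsd/upsmon run as on this host and set `owner` to that account (or declare the user explicitly), and document the choice on the line, e.g. `# owner must be the Unix user that upsd/upsmon run as, so they can read the NUT password`.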
@@ -1,12 +1,14 @@
 hydra:
- environment: ENC[AES256_GCM,data:k6t0jVLgsCbOwAnj71ogmsdoLsMaMjeScYRblE72FNEk8cgWc2Q5kw5LVShIC5Kgl2XhSJIoi1+pDS1X5huyWs+cz4T9oUtOJhtSlL9+UCLmaqoR0SCI1eCZT1fkRZ3QtitrRmtvm77Sld7Ckz/apG7cQsfpKhymkEz+Y8WdC3mc5Kjt05eAn66IbQYO8y1HQc9bkCAWYD+NSwOqC80W5RIfkKActWz1DFoeTESwMcpA9MKHlGMKP82Uo/qlRhXq+riY5e5voFGQw0O3CKRTy1Q=,iv:Fbl/9XkNTe5qmn7wvPtQ1Hpfzp7+3WLeuipkme9a29A=,tag:+git1pCZzSirfFsxj91WUQ==,type:str]
+ environment: ENC[AES256_GCM,data:wXhG45zjOQQSUiNfFrLB72GqS1ivnhyGppoFRPMxNzeGi7KG5oVWCAfTlqV0e5UcLrv+IhsD1TIpj9HkwxE9KZXzsX29KQ6yAG2jmuHGdHdurGSDhxdc3JeBx62n7zDD8mvNET/+Mwfca56QlUchFTQRvi+kwe7L1QNfK3bScKMsnCXlSaoEJ3Vke4j+cIy1X9jpIqTG9xknCd/DjVqiW8Mx76ppvp4mZ4JTxrXa1C19R44rFSsVVlrJeoqlhzW5Q1zfQparImM2JA08rMtMBmw=,iv:xgzucwKXLtj5iZQmpG51Vqkn7WHMsh0DmEz/41HNdUA=,tag:KOJRrd+gSbfoyRPKGC+cMw==,type:str]
 nix-serve:
- secret-key: ENC[AES256_GCM,data:a+N7udOUnls35wCyO/icqtMWEVMorg3mSlZKih8LHQM4wgemZXuXYdhvw65CTPHvzcS0mr6QEMNzkqXios4kvlNDUvbG0OuaVhtqWqtuutz4J9VsGf8PdIvXNkLSHfm2fEY4n84nYM5tUidzwfA=,iv:045gOacG0t9rbzaszQ/5quZkRvfHLF8cETG2tABUrvk=,tag:sLs/yFdUlwf+YZf/Ja8YbA==,type:str]
+ secret-key: ENC[AES256_GCM,data:G1Bw1ksustRej8o8kihSLNKYXQosNUUVDMg1QefTOdU9YTY4PcxS4LCmPOumI8TDbugHhf+ybLmi8DWgkCK1bfy3Hv0c3ChrqcFCWYSUIOBv1oEAozkSf4b+wQdSGnWnLe+LcRTDLISQdzqZwMg=,iv:HSCpb4q1mHS1gPuPtaufdXaMg0GSRvwegmJDAoO815A=,tag:g240ni6AWFWROqrCNtGcEw==,type:str]
 attic:
- secret-key: ENC[AES256_GCM,data:h6DQhTgEhcFnjwUojPEleZh8vkBiCCCwLM+dECRpqGURiRJ4mDa3Edb1Ja42GWyAYy8X5B0UmsVmc+UxzVkbsDs4G/HMRM+KMNUjhC4J0vePWU87T7AMJa0rgNF22bCfJMhpYzVtjZQZ2UlvjDoKf20do+rsC25E8b02x+tgvfiC,iv:bY5VnXfIGD/4I4Bj7+oSLdBQinY+Tuq2dGnJmzfaVQY=,tag:DpZ4DlAY7svMPk/e3tI5wg==,type:str]
- database-url: ENC[AES256_GCM,data:tLmfslMFP3TtFSna3zT6UNeotGn0GcvQDmGGNgxUKtGQVBtKc7ph/hTeMhFvLOibPUJuU4xs00Cd,iv:BFr6HDYQHUCLJhL8TTqBPr8OhxYhdVZ2OxlxdEEht80=,tag:nolIYbAdadKC9FU9mS8R1A==,type:str]
+ secret-key: ENC[AES256_GCM,data:TyETjNbdI/6Mys2vVr1TvjO46J6D6LHZ7mwiCVc9TEC5mBa2VWR/gYSO9ulcOTnqVAw07GN7NsvXvdlTRWMQp+BEwY8Z6jn9a7n9rk2pknNpIDEO+E1wbCSZ/EDG3xP85JtoWfCfwtJSgjXaL5fP9BqI+hAcMsgyDU2rPK+gGwGn,iv:v3UHLC8vp8nBC/g3W4kz/71p1p5py/TZGg2sLWyKDPw=,tag:H02fRY+D+s9mtwzb51NARQ==,type:str]
+ database-url: ENC[AES256_GCM,data:5e3MfQs9Bd4B7HUeW3127KEE0e+EnnRGwz8TuV2kfmAsEsRXX2lpVKL+uxFzZZyDpt5IOxVoNamV,iv:Vi/yTzlZMB1X7Vp9DEKJEULNUi3IEYpXoCexF+DcnBE=,tag:JjvvSxJApiwst8mdCbvwqQ==,type:str]
 postgres:
- init: ENC[AES256_GCM,data:iKgzmEq/3zBaDMLFdH/DZtfhZuqdLFhndyILwwDr5MwHiR3tQ+wT2+DQ8dBFwvAK12btrp07T7k=,iv:jEfFVS9YyGCohaORKLA8YQr2HUyCBwaYWrVYUe1UPDU=,tag:IJslOL6/ajDPEtXc7ggc5g==,type:str]
+ init: ENC[AES256_GCM,data:Vcw6UDt57oTKlILH/cjNCTHYAQ88WdNbs2Eh8qU/ZHhGBHm591medaC6KC3jAKIAXvu8BB0P4W0=,iv:SjaeUdP9hNBa/jGxk/jys3H6m3oo4psBE3EAAJgueZc=,tag:ICbo7dH43Rsk7FT3mSRP2A==,type:str]
+upsmon:
+ password: ENC[AES256_GCM,data:1gmsjYcrXn0tytvs3qfYIqtCxW8=,iv:Pmt73TgtXVroo/I4HCge0P94FPFv/Iso8kWKBhtq+lQ=,tag:On/ko8s/uZXtuS2HxQ42UQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -16,54 +18,34 @@ sops:
 - recipient: age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMmpVOE5rcHVVNlIzaW0z
- WTZ4Y2h3KytNL2JOSjV1cTN0Q1k4OHNIUHhFCjlrRGtpMXYrTmVCV0FaTEMzakUr
- ajRqK051MmFOUHRkcHh5SFUwSklmZUEKLS0tIGxFMWN1eDU2cGEvQlZoU2hUSzZD
- V0xCQjJ0aDVIQ0I4NzhjR2pKT0FlTHcKSmcW0txYcqhgtx7U4qR5yKp729rZGWmS
- YkwKyyMJZP1mwTKlaKPIwTj9nrBY8RAVyMYjNs/nlNgMO0APmFH8kA==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZMlJWdFlYRmlyUFpXcUhW
+ aWxkajBwdkJ5TFR1WldsQWxUWkZ5clArRlNJCnQzM3VzZmh0NVV1c0Ywc3pUYlFl
+ anNLMUNZc0NsN1dneTRTbVhRNWhlNGsKLS0tIDNXOXcwWXdwaCt0Z2h3VzlpbGtQ
+ aHFSVldaUVErdktTS2RWd3Vnd0xmL0UKemuIErcN8LxivrM9GoZZQmaKu6zaaRzx
+ GIyb8h7uOhbq0vI0gueweZyHpUtfIdoKRN8ctHM4AvIJtnyc4mm34g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-02-18T17:10:38Z"
- mac: ENC[AES256_GCM,data:ImYBdEk+DqoG9J5fmj2aPqxFuko5AIWzVk0/v2YlMPHwBQ0dUGnYrNMXpZ4KyYlulsQ1R78agjF4Xk6jumvNbAwGZXshSSOx4A6CCAK/Xl7WbS7ilHYl9+H6K4wzTV0f8v1ShGH1INkFF+jWEpeQSSHvhHMs5lOu/N5+ZSLdC9k=,iv:17H07sayQNQmAv4hxtXYimQJX/FibannQn/7rojSrC8=,tag:15+OQlcAVitB/OYmfm+Y9Q==,type:str]
+ lastmodified: "2024-04-28T00:47:43Z"
+ mac: ENC[AES256_GCM,data:/c+0KgM16djRXPCygErfqp2NxoCZDAB9KaeO4nZlatgzTu+lt/iDniFU5s0cNq3kwZTb3B4Dk5yua6crVj9ohAhkU9OjrShtRrqrU52sVniWbflgMXlfPcxBun9j9bFlAySeQS+rgOOJsDHtfnq2cdxnK/6Sum3v+NwBaoBKI5I=,iv:wgWACIwt1deoZ3HN1CQbr20MVr6f7nCNToxVcPCXEZQ=,tag:qEsBljRPKqv+wcMIrajAmg==,type:str]
 pgp:
- - created_at: "2024-03-23T05:48:45Z"
+ - created_at: "2024-04-28T00:47:43Z"
 enc: |-
 -----BEGIN PGP MESSAGE-----
 
- hQIMA84hNUGIgI/nAQ/+JfUh7rZt9rgUwmXCPd0H2U+JtZZZPTtNUfD1VYdbKegg
- HonmyBzDbkK3wg7fYCX+sgI5UlUMF9Z19mblFwD7AvAytFQzQw2EhZ6Fq7EloYeP
- h9SG56GCBq7aapToNjS5nV6i70QMpEuwm0exxH7WDxZCsrPo0glu5TJXQXO07gwA
- O/E/MDoxrBrH/2SXnfxClzMGHTK8oO4mGKjNZRwV73AyRnsTURRxsqxgB+qMaISm
- QXwj3lXQliIdesBFYvHhYFOfqnxYPL/gUZpmK9wtPOtQsrmgcx8l+bTCfFAOh1e1
- iPK/23wc3febTUO2DaX4ikAkyoefeps0+rhFswnEBwP24bdC0xyPO8aWQ5+xm7pT
- +WpXrvab4q4+7sgvvWZuNgNz18M86T4rjz3x2m+m2LMOYlYna4aTrK3M2JtGYSqe
- qFREsL04NCM9xq8VOiAayxtrcrE34+Df3kQHV01h/iYNyMflmFFDs6igAtOm6hxz
- jCrVWiu1D1Wcmlo9WdoDbSJrcRKRaU/n3Kp2jbagDrsnL+zHUmU4KustPD8atRTE
- mqdkYJlf93omnuX6FKoeLwJa0ok2fnIE/L69ZSljZ/Xy2HgV4K0oEKRa9GQLS1TO
- sMa73o1qBgufRZnVmpyGjLOhrZHf6li7fwd5DmCfYQPYUJ7HnCtpuAZ9JPLbrDnS
- XgGUqb+HorS9Wyq4MXgcInSX9Ycqzrj2/X0wArJJmznEW+ZfbXSleSWyEe8uZ+r6
- e1yFon0WWqpT6iIcV8KJJ1P1pJIZNbXNU1FDGgpnNCsn+xC85mBPfmdvzSl89yY=
- =dN9d
+ hQIMA84hNUGIgI/nAQ//ZCGr5bMpbKxhs+HF3mKfJHf5+ySoJbXuxES7MSm7r4on
+ 5goDiGceBOfpA5EeG86Cjq2iC3ALStTyU7yVFIPHzBX2BvEzh3LnZknKox6hQLKc
+ lNI/IIO0WSs4GBAjjhA1Iu0FNJvOhEpRM6Hz7nEUTYw9IGOytCwXbysaTCVQkQx/
+ qxroFgkh3vveOSoCRezesHB+3T0KejdxkjNSPpAgheVZk0dyPndOW0tULj/JsCEc
+ JoG8BWJLvscuXazzN0Yu6zg6N0Y1eFB1SX7Tb0X2j1XFl4lOgY6iNf6tS0KMw3B0
+ qcGRkaudqyqvif1tT6X277yn/s6KZOf2cxqfzgd9nL3XSZ3vHMRD3o1tHA4qI8o8
+ eNmxJnC4FgoE9tHAoqNKiKEK1Xh3Pb++4rqMsNPyfRYEB03IZgdmoW8tvzfsvP9Y
+ q64YE4zyepSpHwFPWJ+IrlpRxHv4Dui+ozIYyqB3SDzr7A9wX/hjTbehkxUUeKZ7
+ D4EpeLXufa5cbdpSBoOAMxJZEt/MnZyq/+2ENMC0l8TL2LZocaQmSHpzeSnFep+p
+ bNEpl6vACIh4CNblsH0/erM3i+AYhe7IO0q8ydn8iHyO9an1THkF6mW7udswnjlm
+ uUmKrI8iat/Clc9lS5L+wQh+S+XOAPWRqO6LvBMdkFcL3nAFF9hHWhFRXcvDflPS
+ XgEguuyhh1ymVFKTbwFw6g792VurMCn41LlGKytn3jGu0gzgbMTqKWLdqKNJQPuf
+ Jo6R/3v6P4Z0tl9r6Lw+sGTWgWUH0nPGtPsqorZN1PNV+B9IeUZ8DghTEPyNHng=
+ =FEQP
 -----END PGP MESSAGE-----
 fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
- - created_at: "2024-03-23T05:48:45Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA29thaGx06tOARAA1pInRr5kKFWriwQuy47+T8tAKdAvA64Sfqu/Lvr0SbMn
- Q/i86fQ5tIhnCj06UGCzOsvosYuKfSsYZ9l4PHHobZOoE1xpPMOBMDvVQhISk+L6
- wYSnXro+DKkshIpCfSdv3mQ+/Sdmm27tEkAFPS6iwNc9rBOGaOkTlPBNpTMVZiu0
- hL181BhzVmZ4wRTDrh/blN0yd46TIbCub9HVBsePgsg8ABS8r/782KTOlU4zjQAG
- pX+Q5JcsHqcWQInuIhzpOQzVE1iurMgaW8s8iwjRqQLtwc2drey4ORo3mQA/XYur
- iVtmEV1rUPnm2Q74keaBMkK12ywk8eXM1/skbRFooXRNpwAO2X5m6+uAm35GtaQO
- m0wWGxtuU69P+j+QugADo0NpcUK68gk4lNyQUEGMYleV6vXXebstMqzKfzMv0ARk
- sfb1ncSyJfD1xmk7yVyg2AzjU6QyLRBtjoTpmnGq8Q0Cb1BlUQQeVhYlTbCfwlcI
- YjqNw12yjT01hxONXpCFWmORzge6WB/driidb4DTLmtqQsow/pX6PeoRaADd6gTS
- i2Oe35VG52L7zjob40ZeQr3ANQb8sW6Dmjm6Lg/pkcwNV5+9EuvtR+UU0N1+bAVa
- U9LUcyXgoNJqt4f2JlNI74KtjrLK2lgXRKS9hr8VtMtHTQHzhZ9KslyBR00wcMLS
- XgEkGpB0tAVRDA4s4veIvqTTMPl6b+DSGNq7ytv+iPLPqPN63YZ1ULEnZU1YbDvY
- qhFGSIwUxfkkwqaBl0JDYF+lvAD+nko2zjbxQR8jHHcn0+55WqMa3k0dGqoTOVA=
- =JBDO
- -----END PGP MESSAGE-----
- fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
 unencrypted_suffix: _unencrypted
 version: 3.8.1
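Review bot: This re-encryption drops the second PGP recipient (fp `29F5017C95D9E60B1B1E8407072B0E0B8312DFE3`) and leaves only `F63832C3080D6E1AC77EECF80B4245FFE305BC82` plus the age recipient, while the commit message mentions NUT and the mergetool but not a change in who can decrypt this file. If the `.sops.yaml` rule for `systems/palatine-hill` no longer lists that key, the drop is the expected effect of re-encrypting the merged plaintext and deserves one line in the commit message; if the key is still meant to have access, run `sops updatekeys systems/palatine-hill/secrets.yaml` so the recipient set matches the config. Worth checking before this pattern repeats, because the new mergetool's `sops --decrypt --show-master-keys` / `sops --encrypt` round trip appears to rebuild the recipient set on every merge (every existing value in this file changed in the commit, not just the new `upsmon` entry).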