Add NUT to palatine-hill and add SOPS merging
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
This commit is contained in:
parent
af622e21db
commit
8c87e68fdf
@ -27,6 +27,7 @@ servers: &servers
|
||||
# then have someone already in the repo run the below
|
||||
#
|
||||
# update keys by executing: sops updatekeys secrets.yaml
|
||||
# note: add .* before \.yaml if you'd like to use the mergetool config
|
||||
creation_rules:
|
||||
- path_regex: systems/jeeves/secrets\.yaml$
|
||||
key_groups:
|
||||
@ -40,7 +41,7 @@ creation_rules:
|
||||
age:
|
||||
- *jeeves-jr
|
||||
|
||||
- path_regex: users/alice/secrets\.yaml$
|
||||
- path_regex: users/alice/secrets.*\.yaml$
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *admin_alice
|
||||
@ -50,7 +51,7 @@ creation_rules:
|
||||
- *jeeves-jr
|
||||
- *artemision
|
||||
|
||||
- path_regex: systems/palatine-hill/secrets\.yaml$
|
||||
- path_regex: systems/palatine-hill/secrets.*\.yaml$
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *admin_alice
|
||||
@ -64,7 +65,7 @@ creation_rules:
|
||||
age:
|
||||
- *palatine-hill
|
||||
|
||||
- path_regex: users/alice/systems/artemision/secrets\.yaml$
|
||||
- path_regex: users/alice/systems/artemision/secrets.*\.yaml$
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *admin_alice
|
||||
|
||||
79
sops-mergetool.sh
Executable file
79
sops-mergetool.sh
Executable file
@ -0,0 +1,79 @@
|
||||
#!/usr/bin/env bash
|
||||
# Exit on first error and verify variables have been set/passed via CLI
|
||||
set -eu
|
||||
|
||||
# Rename our variables to friendlier equivalents
|
||||
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
|
||||
base="$1"; local_="$2"; remote="$3"; merged="$4"
|
||||
|
||||
# Resolve our default mergetool
|
||||
# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3
|
||||
mergetool="$(git config --get merge.tool)"
|
||||
GIT_DIR="$(git --exec-path)"
|
||||
if test "$mergetool" = ""; then
|
||||
echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create file names for our decrypted contents
|
||||
# example_LOCAL_2823.yaml -> example_LOCAL_2823.decrypted.yaml
|
||||
extension=".${base##*.}"
|
||||
base_decrypted="${base/$extension/.decrypted$extension}"
|
||||
local_decrypted="${local_/$extension/.decrypted$extension}"
|
||||
remote_decrypted="${remote/$extension/.decrypted$extension}"
|
||||
merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
|
||||
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
|
||||
|
||||
# If anything goes wrong, then delete our decrypted files
|
||||
handle_trap_exit () {
|
||||
rm $base_decrypted || true
|
||||
rm $local_decrypted || true
|
||||
rm $remote_decrypted || true
|
||||
rm $merged_decrypted || true
|
||||
rm $backup_decrypted || true
|
||||
}
|
||||
trap handle_trap_exit EXIT
|
||||
|
||||
# Decrypt our file contents
|
||||
sops --decrypt --show-master-keys "$base" > "$base_decrypted"
|
||||
sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
|
||||
sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
|
||||
|
||||
# Create a merge-diff to compare against
|
||||
set +e
|
||||
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
|
||||
set -e
|
||||
cp "$merged_decrypted" "$backup_decrypted"
|
||||
|
||||
# Set up variables for our mergetool
|
||||
# https://github.com/git/git/blob/v2.8.2/mergetools/meld
|
||||
# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L95-L111
|
||||
export LOCAL="$local_decrypted"
|
||||
export BASE="$base_decrypted"
|
||||
export REMOTE="$remote_decrypted"
|
||||
export MERGED="$merged_decrypted"
|
||||
export BACKUP="$backup_decrypted"
|
||||
|
||||
# Load our mergetool scripts
|
||||
source "$GIT_DIR/git-mergetool--lib"
|
||||
source "$GIT_DIR/mergetools/$mergetool"
|
||||
|
||||
# Override `check_unchanged` with a custom script
|
||||
check_unchanged () {
|
||||
# If the contents haven't changed, then fail
|
||||
if test "$MERGED" -nt "$BACKUP"; then
|
||||
return 0
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Run our mergetool
|
||||
set +eu
|
||||
export merge_tool_path="$(get_merge_tool_path "$mergetool")"
|
||||
merge_cmd
|
||||
set -eu
|
||||
|
||||
# Re-encrypt content
|
||||
sops --encrypt "$merged_decrypted" > "$merged"
|
||||
|
||||
@ -237,6 +237,20 @@ in
|
||||
|
||||
nix.gc.options = "--delete-older-than 150d";
|
||||
|
||||
power.ups = {
|
||||
enable = true;
|
||||
ups."LX1325GU3" = {
|
||||
driver = "usbhid-ups";
|
||||
port = "auto";
|
||||
description = "CyberPower LX1325GU3";
|
||||
};
|
||||
users.upsmon = {
|
||||
passwordFile = config.sops.secrets."upsmon/password".path;
|
||||
upsmon = "primary";
|
||||
};
|
||||
upsmon.monitor."LX1325GU3".user = "upsmon";
|
||||
};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets =
|
||||
@ -252,6 +266,7 @@ in
|
||||
group = "hydra";
|
||||
mode = "440";
|
||||
};
|
||||
"upsmon/password".owner = "upsmon";
|
||||
}
|
||||
// keygen "zfs-attic-key"
|
||||
// keygen "zfs-backup-key"
|
||||
|
||||
@ -1,12 +1,14 @@
|
||||
hydra:
|
||||
environment: ENC[AES256_GCM,data:k6t0jVLgsCbOwAnj71ogmsdoLsMaMjeScYRblE72FNEk8cgWc2Q5kw5LVShIC5Kgl2XhSJIoi1+pDS1X5huyWs+cz4T9oUtOJhtSlL9+UCLmaqoR0SCI1eCZT1fkRZ3QtitrRmtvm77Sld7Ckz/apG7cQsfpKhymkEz+Y8WdC3mc5Kjt05eAn66IbQYO8y1HQc9bkCAWYD+NSwOqC80W5RIfkKActWz1DFoeTESwMcpA9MKHlGMKP82Uo/qlRhXq+riY5e5voFGQw0O3CKRTy1Q=,iv:Fbl/9XkNTe5qmn7wvPtQ1Hpfzp7+3WLeuipkme9a29A=,tag:+git1pCZzSirfFsxj91WUQ==,type:str]
|
||||
environment: ENC[AES256_GCM,data:wXhG45zjOQQSUiNfFrLB72GqS1ivnhyGppoFRPMxNzeGi7KG5oVWCAfTlqV0e5UcLrv+IhsD1TIpj9HkwxE9KZXzsX29KQ6yAG2jmuHGdHdurGSDhxdc3JeBx62n7zDD8mvNET/+Mwfca56QlUchFTQRvi+kwe7L1QNfK3bScKMsnCXlSaoEJ3Vke4j+cIy1X9jpIqTG9xknCd/DjVqiW8Mx76ppvp4mZ4JTxrXa1C19R44rFSsVVlrJeoqlhzW5Q1zfQparImM2JA08rMtMBmw=,iv:xgzucwKXLtj5iZQmpG51Vqkn7WHMsh0DmEz/41HNdUA=,tag:KOJRrd+gSbfoyRPKGC+cMw==,type:str]
|
||||
nix-serve:
|
||||
secret-key: ENC[AES256_GCM,data:a+N7udOUnls35wCyO/icqtMWEVMorg3mSlZKih8LHQM4wgemZXuXYdhvw65CTPHvzcS0mr6QEMNzkqXios4kvlNDUvbG0OuaVhtqWqtuutz4J9VsGf8PdIvXNkLSHfm2fEY4n84nYM5tUidzwfA=,iv:045gOacG0t9rbzaszQ/5quZkRvfHLF8cETG2tABUrvk=,tag:sLs/yFdUlwf+YZf/Ja8YbA==,type:str]
|
||||
secret-key: ENC[AES256_GCM,data:G1Bw1ksustRej8o8kihSLNKYXQosNUUVDMg1QefTOdU9YTY4PcxS4LCmPOumI8TDbugHhf+ybLmi8DWgkCK1bfy3Hv0c3ChrqcFCWYSUIOBv1oEAozkSf4b+wQdSGnWnLe+LcRTDLISQdzqZwMg=,iv:HSCpb4q1mHS1gPuPtaufdXaMg0GSRvwegmJDAoO815A=,tag:g240ni6AWFWROqrCNtGcEw==,type:str]
|
||||
attic:
|
||||
secret-key: ENC[AES256_GCM,data:h6DQhTgEhcFnjwUojPEleZh8vkBiCCCwLM+dECRpqGURiRJ4mDa3Edb1Ja42GWyAYy8X5B0UmsVmc+UxzVkbsDs4G/HMRM+KMNUjhC4J0vePWU87T7AMJa0rgNF22bCfJMhpYzVtjZQZ2UlvjDoKf20do+rsC25E8b02x+tgvfiC,iv:bY5VnXfIGD/4I4Bj7+oSLdBQinY+Tuq2dGnJmzfaVQY=,tag:DpZ4DlAY7svMPk/e3tI5wg==,type:str]
|
||||
database-url: ENC[AES256_GCM,data:tLmfslMFP3TtFSna3zT6UNeotGn0GcvQDmGGNgxUKtGQVBtKc7ph/hTeMhFvLOibPUJuU4xs00Cd,iv:BFr6HDYQHUCLJhL8TTqBPr8OhxYhdVZ2OxlxdEEht80=,tag:nolIYbAdadKC9FU9mS8R1A==,type:str]
|
||||
secret-key: ENC[AES256_GCM,data:TyETjNbdI/6Mys2vVr1TvjO46J6D6LHZ7mwiCVc9TEC5mBa2VWR/gYSO9ulcOTnqVAw07GN7NsvXvdlTRWMQp+BEwY8Z6jn9a7n9rk2pknNpIDEO+E1wbCSZ/EDG3xP85JtoWfCfwtJSgjXaL5fP9BqI+hAcMsgyDU2rPK+gGwGn,iv:v3UHLC8vp8nBC/g3W4kz/71p1p5py/TZGg2sLWyKDPw=,tag:H02fRY+D+s9mtwzb51NARQ==,type:str]
|
||||
database-url: ENC[AES256_GCM,data:5e3MfQs9Bd4B7HUeW3127KEE0e+EnnRGwz8TuV2kfmAsEsRXX2lpVKL+uxFzZZyDpt5IOxVoNamV,iv:Vi/yTzlZMB1X7Vp9DEKJEULNUi3IEYpXoCexF+DcnBE=,tag:JjvvSxJApiwst8mdCbvwqQ==,type:str]
|
||||
postgres:
|
||||
init: ENC[AES256_GCM,data:iKgzmEq/3zBaDMLFdH/DZtfhZuqdLFhndyILwwDr5MwHiR3tQ+wT2+DQ8dBFwvAK12btrp07T7k=,iv:jEfFVS9YyGCohaORKLA8YQr2HUyCBwaYWrVYUe1UPDU=,tag:IJslOL6/ajDPEtXc7ggc5g==,type:str]
|
||||
init: ENC[AES256_GCM,data:Vcw6UDt57oTKlILH/cjNCTHYAQ88WdNbs2Eh8qU/ZHhGBHm591medaC6KC3jAKIAXvu8BB0P4W0=,iv:SjaeUdP9hNBa/jGxk/jys3H6m3oo4psBE3EAAJgueZc=,tag:ICbo7dH43Rsk7FT3mSRP2A==,type:str]
|
||||
upsmon:
|
||||
password: ENC[AES256_GCM,data:1gmsjYcrXn0tytvs3qfYIqtCxW8=,iv:Pmt73TgtXVroo/I4HCge0P94FPFv/Iso8kWKBhtq+lQ=,tag:On/ko8s/uZXtuS2HxQ42UQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@ -16,54 +18,34 @@ sops:
|
||||
- recipient: age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMmpVOE5rcHVVNlIzaW0z
|
||||
WTZ4Y2h3KytNL2JOSjV1cTN0Q1k4OHNIUHhFCjlrRGtpMXYrTmVCV0FaTEMzakUr
|
||||
ajRqK051MmFOUHRkcHh5SFUwSklmZUEKLS0tIGxFMWN1eDU2cGEvQlZoU2hUSzZD
|
||||
V0xCQjJ0aDVIQ0I4NzhjR2pKT0FlTHcKSmcW0txYcqhgtx7U4qR5yKp729rZGWmS
|
||||
YkwKyyMJZP1mwTKlaKPIwTj9nrBY8RAVyMYjNs/nlNgMO0APmFH8kA==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZMlJWdFlYRmlyUFpXcUhW
|
||||
aWxkajBwdkJ5TFR1WldsQWxUWkZ5clArRlNJCnQzM3VzZmh0NVV1c0Ywc3pUYlFl
|
||||
anNLMUNZc0NsN1dneTRTbVhRNWhlNGsKLS0tIDNXOXcwWXdwaCt0Z2h3VzlpbGtQ
|
||||
aHFSVldaUVErdktTS2RWd3Vnd0xmL0UKemuIErcN8LxivrM9GoZZQmaKu6zaaRzx
|
||||
GIyb8h7uOhbq0vI0gueweZyHpUtfIdoKRN8ctHM4AvIJtnyc4mm34g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-02-18T17:10:38Z"
|
||||
mac: ENC[AES256_GCM,data:ImYBdEk+DqoG9J5fmj2aPqxFuko5AIWzVk0/v2YlMPHwBQ0dUGnYrNMXpZ4KyYlulsQ1R78agjF4Xk6jumvNbAwGZXshSSOx4A6CCAK/Xl7WbS7ilHYl9+H6K4wzTV0f8v1ShGH1INkFF+jWEpeQSSHvhHMs5lOu/N5+ZSLdC9k=,iv:17H07sayQNQmAv4hxtXYimQJX/FibannQn/7rojSrC8=,tag:15+OQlcAVitB/OYmfm+Y9Q==,type:str]
|
||||
lastmodified: "2024-04-28T00:47:43Z"
|
||||
mac: ENC[AES256_GCM,data:/c+0KgM16djRXPCygErfqp2NxoCZDAB9KaeO4nZlatgzTu+lt/iDniFU5s0cNq3kwZTb3B4Dk5yua6crVj9ohAhkU9OjrShtRrqrU52sVniWbflgMXlfPcxBun9j9bFlAySeQS+rgOOJsDHtfnq2cdxnK/6Sum3v+NwBaoBKI5I=,iv:wgWACIwt1deoZ3HN1CQbr20MVr6f7nCNToxVcPCXEZQ=,tag:qEsBljRPKqv+wcMIrajAmg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-03-23T05:48:45Z"
|
||||
- created_at: "2024-04-28T00:47:43Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA84hNUGIgI/nAQ/+JfUh7rZt9rgUwmXCPd0H2U+JtZZZPTtNUfD1VYdbKegg
|
||||
HonmyBzDbkK3wg7fYCX+sgI5UlUMF9Z19mblFwD7AvAytFQzQw2EhZ6Fq7EloYeP
|
||||
h9SG56GCBq7aapToNjS5nV6i70QMpEuwm0exxH7WDxZCsrPo0glu5TJXQXO07gwA
|
||||
O/E/MDoxrBrH/2SXnfxClzMGHTK8oO4mGKjNZRwV73AyRnsTURRxsqxgB+qMaISm
|
||||
QXwj3lXQliIdesBFYvHhYFOfqnxYPL/gUZpmK9wtPOtQsrmgcx8l+bTCfFAOh1e1
|
||||
iPK/23wc3febTUO2DaX4ikAkyoefeps0+rhFswnEBwP24bdC0xyPO8aWQ5+xm7pT
|
||||
+WpXrvab4q4+7sgvvWZuNgNz18M86T4rjz3x2m+m2LMOYlYna4aTrK3M2JtGYSqe
|
||||
qFREsL04NCM9xq8VOiAayxtrcrE34+Df3kQHV01h/iYNyMflmFFDs6igAtOm6hxz
|
||||
jCrVWiu1D1Wcmlo9WdoDbSJrcRKRaU/n3Kp2jbagDrsnL+zHUmU4KustPD8atRTE
|
||||
mqdkYJlf93omnuX6FKoeLwJa0ok2fnIE/L69ZSljZ/Xy2HgV4K0oEKRa9GQLS1TO
|
||||
sMa73o1qBgufRZnVmpyGjLOhrZHf6li7fwd5DmCfYQPYUJ7HnCtpuAZ9JPLbrDnS
|
||||
XgGUqb+HorS9Wyq4MXgcInSX9Ycqzrj2/X0wArJJmznEW+ZfbXSleSWyEe8uZ+r6
|
||||
e1yFon0WWqpT6iIcV8KJJ1P1pJIZNbXNU1FDGgpnNCsn+xC85mBPfmdvzSl89yY=
|
||||
=dN9d
|
||||
hQIMA84hNUGIgI/nAQ//ZCGr5bMpbKxhs+HF3mKfJHf5+ySoJbXuxES7MSm7r4on
|
||||
5goDiGceBOfpA5EeG86Cjq2iC3ALStTyU7yVFIPHzBX2BvEzh3LnZknKox6hQLKc
|
||||
lNI/IIO0WSs4GBAjjhA1Iu0FNJvOhEpRM6Hz7nEUTYw9IGOytCwXbysaTCVQkQx/
|
||||
qxroFgkh3vveOSoCRezesHB+3T0KejdxkjNSPpAgheVZk0dyPndOW0tULj/JsCEc
|
||||
JoG8BWJLvscuXazzN0Yu6zg6N0Y1eFB1SX7Tb0X2j1XFl4lOgY6iNf6tS0KMw3B0
|
||||
qcGRkaudqyqvif1tT6X277yn/s6KZOf2cxqfzgd9nL3XSZ3vHMRD3o1tHA4qI8o8
|
||||
eNmxJnC4FgoE9tHAoqNKiKEK1Xh3Pb++4rqMsNPyfRYEB03IZgdmoW8tvzfsvP9Y
|
||||
q64YE4zyepSpHwFPWJ+IrlpRxHv4Dui+ozIYyqB3SDzr7A9wX/hjTbehkxUUeKZ7
|
||||
D4EpeLXufa5cbdpSBoOAMxJZEt/MnZyq/+2ENMC0l8TL2LZocaQmSHpzeSnFep+p
|
||||
bNEpl6vACIh4CNblsH0/erM3i+AYhe7IO0q8ydn8iHyO9an1THkF6mW7udswnjlm
|
||||
uUmKrI8iat/Clc9lS5L+wQh+S+XOAPWRqO6LvBMdkFcL3nAFF9hHWhFRXcvDflPS
|
||||
XgEguuyhh1ymVFKTbwFw6g792VurMCn41LlGKytn3jGu0gzgbMTqKWLdqKNJQPuf
|
||||
Jo6R/3v6P4Z0tl9r6Lw+sGTWgWUH0nPGtPsqorZN1PNV+B9IeUZ8DghTEPyNHng=
|
||||
=FEQP
|
||||
-----END PGP MESSAGE-----
|
||||
fp: F63832C3080D6E1AC77EECF80B4245FFE305BC82
|
||||
- created_at: "2024-03-23T05:48:45Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA29thaGx06tOARAA1pInRr5kKFWriwQuy47+T8tAKdAvA64Sfqu/Lvr0SbMn
|
||||
Q/i86fQ5tIhnCj06UGCzOsvosYuKfSsYZ9l4PHHobZOoE1xpPMOBMDvVQhISk+L6
|
||||
wYSnXro+DKkshIpCfSdv3mQ+/Sdmm27tEkAFPS6iwNc9rBOGaOkTlPBNpTMVZiu0
|
||||
hL181BhzVmZ4wRTDrh/blN0yd46TIbCub9HVBsePgsg8ABS8r/782KTOlU4zjQAG
|
||||
pX+Q5JcsHqcWQInuIhzpOQzVE1iurMgaW8s8iwjRqQLtwc2drey4ORo3mQA/XYur
|
||||
iVtmEV1rUPnm2Q74keaBMkK12ywk8eXM1/skbRFooXRNpwAO2X5m6+uAm35GtaQO
|
||||
m0wWGxtuU69P+j+QugADo0NpcUK68gk4lNyQUEGMYleV6vXXebstMqzKfzMv0ARk
|
||||
sfb1ncSyJfD1xmk7yVyg2AzjU6QyLRBtjoTpmnGq8Q0Cb1BlUQQeVhYlTbCfwlcI
|
||||
YjqNw12yjT01hxONXpCFWmORzge6WB/driidb4DTLmtqQsow/pX6PeoRaADd6gTS
|
||||
i2Oe35VG52L7zjob40ZeQr3ANQb8sW6Dmjm6Lg/pkcwNV5+9EuvtR+UU0N1+bAVa
|
||||
U9LUcyXgoNJqt4f2JlNI74KtjrLK2lgXRKS9hr8VtMtHTQHzhZ9KslyBR00wcMLS
|
||||
XgEkGpB0tAVRDA4s4veIvqTTMPl6b+DSGNq7ytv+iPLPqPN63YZ1ULEnZU1YbDvY
|
||||
qhFGSIwUxfkkwqaBl0JDYF+lvAD+nko2zjbxQR8jHHcn0+55WqMa3k0dGqoTOVA=
|
||||
=JBDO
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user