fix proxy jump

2023-11-11 20:16:15 +01:00 · 2023-11-11 20:16:15 +01:00 · 62414b5ce5
parent 42e8356d2c
commit 62414b5ce5
4 changed files with 148 additions and 5 deletions
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
@ -0,0 +1,76 @@
+nix-community-builders-ssh-key-pub: ENC[AES256_GCM,data:WvjdlG/k+Hm8ZRaIc+6KzJvPIN6GXuepK9zwonOPbeST0IAcDU3OGxPW4as4ENZAaRdwd4ZnIUVhcTmgKlpGaBLhxTQgXYw1rIBgBP1gsSKSaGwE4/yzEIyN99E=,iv:H0ogbpBocFi+jgnKt3Jg9AkAV9YDQTbYAtejusQIBl8=,tag:XfC/1+3qd6J6LC4GKSMKxw==,type:str]
+nix-community-builders-ssh-key: ENC[AES256_GCM,data:9QNhqQS/6Cu7VMUoWEWkpDCMPu7df6dmreI3duzesonaW6F4W6vL+YLMMTvnnR6BpgmpGvHdvk1aDQnVmpneie6WRfbL4PbLARJviyh1Z/tLQhY9i/MMIADk8D+o4HXBnzLRIWLt319h5eUN1pvmGlJLrgfC0IZLRnPCQLjulIrlhDBlswkNgTrrS0VoRFSXk59JUm8/vWu2OQef2Q99Sug7wquiDZ/XJfqYYxYsGj9SeKiVpyxyuMkviuddee+IOr92KmT19UlekuXAjrYAGeRITrVj1lBSd8DSlBm1ww+0BRqzsAAFojM6N3TkyTjjoXRbVDzDcsMaoCQ7U4Ab9FVz7GdxeNKmeulZMUi4ORPlo4PQ6uDX6RjbWyLwiP33fl5VXMN9+YByVRUrpdtjkQF6jlylCBBRcWl/yOJbYcNg3zcWmJtdVu9t29SU45J2BcJ4Oi18oPf5P6QiU6dJiX1Ba8oR1QeLbFum724J+L5k64Rd84oLkxzVr5GLfXsp54sQ7FkrwEK9HWRfwN8F,iv:NTnnv0Hax/H7EoyHn0VRMG8sbb8tF23Ur2Ak4WYp8Bk=,tag:4hyGKetJ+I3zSqh1zOw/jg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2UmM0eXdJTktjM0dqMENr
+            U1VBKzltUnRvKzRXSG9TOUUvMXRCVkpxMWlZCk4vZ08wNUdvS21IeDg0RkdNNUVv
+            OEdNbnZtNjNnV0hsVjdPV1A5Ui91eE0KLS0tIE5Vbk5KemxGNDExbjBvSnJyKzVF
+            am8xR1RqWTBFZFRhRWZidHppRGV4RDQKlv+tFquJxLIeCBuTpj9OWkiwd5kVUqJ4
+            stmVpEN/SnUq/A880+g0Yt9rb89YH9gSQuDF0huZs4MwCbmOR+U8Sg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSEVGamtuSDFXb2pnUlRM
+            clB1eXlhWVJDd3o1MlN1R2x1KzBCRzh2U1dRClVIekdrL29NSUkwb0duSFVTY2dO
+            ZldnMzZubC9sOE1yVUFnWitNbkd4RFkKLS0tIHZ1TFFyQ2NISkdka1lwNjBTYVc1
+            TDNrcFRZMUlSLzdKZWJaUUlFVzhQSmMK4AxEHJu1v8Yv9kh95ggdqwsNUbgh9+Q9
+            FSiLXWenCvk9DS2JPkpRx0w5FpMZQv0bXVVYexaI7H+/1PyNmEBL8w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYkErT0ptQnlyY1RSTFRH
+            aTduQ3VaSjhwblA5ZXF2RkYvcEJNQ2o1U1RNCjg0Z1FCdDlBSFppbGFxMER1cU1S
+            SERMSW9JUWd6WmpveUJmZHYyR1VvVkEKLS0tIGRlYnpxTG5KYjJnTXhvWTFEUTJR
+            YUZuVFJDTmplYWRwY3VpRFNmcitjZTAKJXvKVZpfP0/WllSg6iKMlW/YTuhA+KIn
+            r6TySJ7p2T/li4MqB0oSKlML9JwR362njriS3G+uPUpKXueI8x6HaQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLejBHckRFdjVoZ09MbDhS
+            K3ptSnducnd1WUxnMHdWeWE2dStPNSs4eWcwClZFOUZXU2pPWUtRZmM4TUcra2Z0
+            clQycWZtUzFobGVmejc4NGpRUE9wSUEKLS0tIFBPdEZZOEV6by9iSG83Y1hYL2I5
+            SEl6cGxmRkcwWkZNZkY0UVlQNXNOdTAKWAiwKCBscujcohi15KmzGdJpskSuBMBe
+            NhYPWXCb3UA0ZuuSgK4VChAREjyPEyV95dcwe4HkzrS/MeQ6mx1QCA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5TmlJVkRVRjhZUk8wMVlF
+            aFJYeTVtM2hmTVhtbE5mYjBocjFzV3dzWlFNCkxwZmtGcnlwRkJEWWZJWnJOWE9U
+            NGdUbElZZDkvU2F4dHBhdHh1bWhmdzAKLS0tIEN1U2I5S3dncXlJeDVEc0VHd292
+            ZGljSmRicmRSQThYTE1qbE81K1BxdW8KAMef+ULdxgbp9gwyKyOFOjdNozV/osep
+            vusNIAIJWA21NG+jyezkSP9AR8Fv2EdEOA4uO3Ol0ej312x1/MdenA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLa0RuUStiSzFTemdVQklq
+            eTNQYzdXbVh4QXIwVjVZZmttOEdid3FCK1I0Cm0wWUZWM1ZBWlo0dGxKVDV1REIy
+            Q2ZYN3lIWVowTEhKR2tBaFJCWG1IVWcKLS0tIGFkZStmRGJWRWhKUmgraVZ4cFhL
+            RjlrRGcrcTJta1ZueU9PVytKY29ucmcKWW95m49are6jH4RKGy/NmczJrTLTLewH
+            xqQ6o/37eaYCC9tiLPO+tyyTFfCfiUaldcgrZgiThxBLLFb3wrtqLg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19xrvt0gjl4fcfjyy62mrl9uuzrq9e0wgemtkykr07ewz7nqn9cwshngel5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1SU5QVG5tUU9saXpNOFM0
+            dkpOUi9nT21BeE5kNE5IdzlTcVBKRFVxaGxJCnpjYllBZnM3Q29ZNmZMa1FkL0tJ
+            aTNYRzNDRkJaN2h5N0NlY1JmM0xteFUKLS0tIEptZlFKRjFOSmJtWVVyaWtwdy9x
+            ZHVMRTJNQW5NZldJcVBqTUlxM2J3Y3cKniYqt5SL8PcDPuBgfUYu7FYbrk4aLFWS
+            gEAAHbwj3bB2LvJDHPQS07DN8MK4rGsIV4UjFC7maVxMsonC8F+F+A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-27T17:15:11Z"
+    mac: ENC[AES256_GCM,data:P9oX5KVP/64JbHX1qLiSf68gI5VxT5Ziyz3Z9oIoWWeW5SgqBXndhUKtOrM8QKjGQtFnwqjnD7nh8VTkn8SKK5+yraNkjzdpFFLwdQF7Dm0/wNKI6LNULDUQyllHO9K27qGqDWzMtT8dOpA5u9co1/mpNjbHkTR+zT40UOlgdEE=,iv:ddvCyG9BR/ZI3HbccI9yhQUAoh2pmNaCpzxG65mEGm8=,tag:UU4ylynRMPSrv2AHvI2P3A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/secrets/user-pbsds.yaml
+++ b/secrets/user-pbsds.yaml
@ -0,0 +1,31 @@
+age:
+    pvv-infra: ENC[AES256_GCM,data:3LpXJ9k8RQpo1FhzvFqnY2Zr5DS/uyD57/EQhjZ+8rL5pcseHxefl+dCOSzcK8XBhYj8Uh0SriLy9xG6vvLv6fVsFVAu7kyHmjjc/g9J9R3h/B0b7kEluJAxGIdZX5qVZLJl6rp5l2b9tLMj31SCN3kr4iZOI86Y/NDfVMzijYuslmIM7rBR5ESJSOPvjLqXjVTGWZ78RQd/i6h26iC57AaQnR3K+ECrRgiWCbEARN3METzTXu2K70ml9oPv,iv:mNBvaInfI49MP5mlk9vL81oV7bF4mpC132MzNLArkQI=,tag:nMDyldfhHflKdp+yjzdLmw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVlF4UXNZa3E2OWhPbk50
+            MkhCZHV3N1A1MkpmQkNUbUxoNWk2QnRwSVg0CkQ3NVQwcXMvMHZjY1dkajJmQnd6
+            a2hIWTRxVUxseFJTQjBNZ1FYRHZnT2sKLS0tIFpqZWNyMXBaRWJ2SXdJWTNKZjA1
+            ejNaWlFBVDFvQWdYdXFaN2UrZFdZQ1UK+ogkwat1CzhZ3DoJT6mg4JkC9B3fPc3H
+            G21mzWPyGS2L4LoFw8wmE6ynHzsGojAlFK+2VpE2oWM+yR40zRO8Cg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSHowTjhHVVJIVWt3SWRS
+            Y2wwaTllOG9JMHhWcW5TVnRZU3d1RjlEVXo0CkhsQXFEN3kyRFNvL3lzY2pQYmVL
+            a0NMdGNxclU2ZW9rT29ucmtGdXh4ODQKLS0tIG9KYVhoSEJRdjhsWEplZVJtb1Av
+            bVVVYjF3d2ZyYTdWRTI4YTZ2Q25idHMKKB3XdEYu4SDrrM372Aid0cCio+TrqCqE
+            dzpIzCu9Kju4ECa7+1DwgAo37n0/YIcXCX5JrWF+qxIaetAyMkJoEA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-27T17:16:46Z"
+    mac: ENC[AES256_GCM,data:0I5IhUaaXWXaEj3TKtLhlDN7SkhCQouUcpb6bwnsoWVibWvMX9ZrqVO35wDrU/vmY45RTuIJ0AdXlDCL0fyGIOpw4bRoizxaIH9Im8sxh47Fgh+wY4LTEa3y6rES2opuaPrPUqEQeBtS9e1WU0Vt1Wdjv1nxq+pxKKL7p51CW6s=,iv:HZn7Ehqc0fpSDx32OgwzQZ3r8ebhoE4Dy+qUeDXJgj8=,tag:uj4lX4CESO041rLgRXko7Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/users/pbsds/home/profiles/sops.nix
+++ b/users/pbsds/home/profiles/sops.nix
@ -0,0 +1,36 @@
+{ pkgs, config, ... }:
+
+{
+
+  sops.age.generateKey = true;
+  sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+  sops.defaultSopsFile = ../../../../secrets/user-pbsds.yaml;
+
+  sops.secrets."age/pvv-infra".path = "%r/sops/age/pvv-infra.txt";
+
+  home.sessionVariables = {
+    #SOPS_AGE_KEY_FILE = config.sops.age.keyFile;
+    SOPS_AGE_KEY_FILE = "$XDG_RUNTIME_DIR/sops/age/keys.txt";
+  };
+
+  systemd.user.services.combine-keys = {
+    Install.WantedBy = config.systemd.user.services.sops-nix.Install.WantedBy;
+    Unit.After = [ "sops-nix.service" ];
+    Service = {
+      Type = "oneshot";
+      ExecStart = pkgs.writeShellScript "mk-sops-age-key" ''
+        set -euo pipefail
+        test -n "$XDG_RUNTIME_DIR"
+        test -d "$XDG_RUNTIME_DIR"
+        test -f ${config.sops.age.keyFile}
+        install -Dm600 -t "$XDG_RUNTIME_DIR/sops/age/keys.txt" <(
+           cat ${config.sops.age.keyFile}
+           if test -s "$XDG_RUNTIME_DIR"/sops/age/pvv-infra.txt; then
+             cat "$XDG_RUNTIME_DIR"/pvv-infra.txt
+           fi
+        )
+      '';
+    };
+  };
+
+}
--- a/users/pbsds/home/profiles/ssh.nix
+++ b/users/pbsds/home/profiles/ssh.nix
@ -28,17 +28,17 @@
    "*.pbsds.net".forwardX11Trusted = true;
    "*.ntnu.no".user = "pederbs";
    "*.pvv.org".user = "pederbs";
-    "*.hpc.ntnu.no".proxyJump = "isvegg.pvv.ntnu.no";
-    "*.idi.ntnu.no".proxyJump = "isvegg.pvv.ntnu.no";
+    "*.hpc.ntnu.no".proxyJump = "hildring.pvv.ntnu.no";
+    "*.idi.ntnu.no".proxyJump = "hildring.pvv.ntnu.no";

    # me
-    "garp.pbsds.net".proxyJump = "isvegg.pvv.ntnu.no";
-    "bolle.pbsds.net".proxyJump = "isvegg.pvv.ntnu.no";
+    "garp.pbsds.net".proxyJump = "hildring.pvv.ntnu.no";
+    "bolle.pbsds.net".proxyJump = "hildring.pvv.ntnu.no";
    "knut.pbsds.net".port = 23;
    "nord.pbsds.net".port = 24;
    "sopp.pbsds.net".port = 26;
    "noximilien.pbsds.net" = {};
-    "rocm.pbsds.net".proxyJump = "isvegg.pvv.ntnu.no";
+    "rocm.pbsds.net".proxyJump = "hildring.pvv.ntnu.no";

    # ntnu
    "stud.ntnu.no".hostname = "login.stud.ntnu.no";