From 62414b5ce5e26cfe2686d59d75f40455cfdd5611 Mon Sep 17 00:00:00 2001
From: Peder Bergebakken Sundt
Date: Sat, 11 Nov 2023 20:16:15 +0100
Subject: [PATCH] fix proxy jump
---
 secrets/default.yaml | 76 ++++++++++++++++++++++++++++++
 secrets/user-pbsds.yaml | 31 ++++++++++++
 users/pbsds/home/profiles/sops.nix | 36 ++++++++++++++
 users/pbsds/home/profiles/ssh.nix | 10 ++--
 4 files changed, 148 insertions(+), 5 deletions(-)
 create mode 100644 secrets/default.yaml
 create mode 100644 secrets/user-pbsds.yaml
 create mode 100644 users/pbsds/home/profiles/sops.nix
diff --git a/secrets/default.yaml b/secrets/default.yaml
new file mode 100644
index 0000000..b885b6d
--- /dev/null
+++ b/secrets/default.yaml
@@ -0,0 +1,76 @@ +nix-community-builders-ssh-key-pub: ENC[AES256_GCM,data:WvjdlG/k+Hm8ZRaIc+6KzJvPIN6GXuepK9zwonOPbeST0IAcDU3OGxPW4as4ENZAaRdwd4ZnIUVhcTmgKlpGaBLhxTQgXYw1rIBgBP1gsSKSaGwE4/yzEIyN99E=,iv:H0ogbpBocFi+jgnKt3Jg9AkAV9YDQTbYAtejusQIBl8=,tag:XfC/1+3qd6J6LC4GKSMKxw==,type:str] +nix-community-builders-ssh-key: ENC[AES256_GCM,data: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,iv:NTnnv0Hax/H7EoyHn0VRMG8sbb8tF23Ur2Ak4WYp8Bk=,tag:4hyGKetJ+I3zSqh1zOw/jg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2UmM0eXdJTktjM0dqMENr + U1VBKzltUnRvKzRXSG9TOUUvMXRCVkpxMWlZCk4vZ08wNUdvS21IeDg0RkdNNUVv + OEdNbnZtNjNnV0hsVjdPV1A5Ui91eE0KLS0tIE5Vbk5KemxGNDExbjBvSnJyKzVF + am8xR1RqWTBFZFRhRWZidHppRGV4RDQKlv+tFquJxLIeCBuTpj9OWkiwd5kVUqJ4 + stmVpEN/SnUq/A880+g0Yt9rb89YH9gSQuDF0huZs4MwCbmOR+U8Sg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSEVGamtuSDFXb2pnUlRM + clB1eXlhWVJDd3o1MlN1R2x1KzBCRzh2U1dRClVIekdrL29NSUkwb0duSFVTY2dO + ZldnMzZubC9sOE1yVUFnWitNbkd4RFkKLS0tIHZ1TFFyQ2NISkdka1lwNjBTYVc1 + TDNrcFRZMUlSLzdKZWJaUUlFVzhQSmMK4AxEHJu1v8Yv9kh95ggdqwsNUbgh9+Q9 + FSiLXWenCvk9DS2JPkpRx0w5FpMZQv0bXVVYexaI7H+/1PyNmEBL8w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYkErT0ptQnlyY1RSTFRH + aTduQ3VaSjhwblA5ZXF2RkYvcEJNQ2o1U1RNCjg0Z1FCdDlBSFppbGFxMER1cU1S + SERMSW9JUWd6WmpveUJmZHYyR1VvVkEKLS0tIGRlYnpxTG5KYjJnTXhvWTFEUTJR + YUZuVFJDTmplYWRwY3VpRFNmcitjZTAKJXvKVZpfP0/WllSg6iKMlW/YTuhA+KIn + r6TySJ7p2T/li4MqB0oSKlML9JwR362njriS3G+uPUpKXueI8x6HaQ== + -----END AGE ENCRYPTED 
FILE----- + - recipient: age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLejBHckRFdjVoZ09MbDhS + K3ptSnducnd1WUxnMHdWeWE2dStPNSs4eWcwClZFOUZXU2pPWUtRZmM4TUcra2Z0 + clQycWZtUzFobGVmejc4NGpRUE9wSUEKLS0tIFBPdEZZOEV6by9iSG83Y1hYL2I5 + SEl6cGxmRkcwWkZNZkY0UVlQNXNOdTAKWAiwKCBscujcohi15KmzGdJpskSuBMBe + NhYPWXCb3UA0ZuuSgK4VChAREjyPEyV95dcwe4HkzrS/MeQ6mx1QCA== + -----END AGE ENCRYPTED FILE----- + - recipient: age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5TmlJVkRVRjhZUk8wMVlF + aFJYeTVtM2hmTVhtbE5mYjBocjFzV3dzWlFNCkxwZmtGcnlwRkJEWWZJWnJOWE9U + NGdUbElZZDkvU2F4dHBhdHh1bWhmdzAKLS0tIEN1U2I5S3dncXlJeDVEc0VHd292 + ZGljSmRicmRSQThYTE1qbE81K1BxdW8KAMef+ULdxgbp9gwyKyOFOjdNozV/osep + vusNIAIJWA21NG+jyezkSP9AR8Fv2EdEOA4uO3Ol0ej312x1/MdenA== + -----END AGE ENCRYPTED FILE----- + - recipient: age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLa0RuUStiSzFTemdVQklq + eTNQYzdXbVh4QXIwVjVZZmttOEdid3FCK1I0Cm0wWUZWM1ZBWlo0dGxKVDV1REIy + Q2ZYN3lIWVowTEhKR2tBaFJCWG1IVWcKLS0tIGFkZStmRGJWRWhKUmgraVZ4cFhL + RjlrRGcrcTJta1ZueU9PVytKY29ucmcKWW95m49are6jH4RKGy/NmczJrTLTLewH + xqQ6o/37eaYCC9tiLPO+tyyTFfCfiUaldcgrZgiThxBLLFb3wrtqLg== + -----END AGE ENCRYPTED FILE----- + - recipient: age19xrvt0gjl4fcfjyy62mrl9uuzrq9e0wgemtkykr07ewz7nqn9cwshngel5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1SU5QVG5tUU9saXpNOFM0 + dkpOUi9nT21BeE5kNE5IdzlTcVBKRFVxaGxJCnpjYllBZnM3Q29ZNmZMa1FkL0tJ + aTNYRzNDRkJaN2h5N0NlY1JmM0xteFUKLS0tIEptZlFKRjFOSmJtWVVyaWtwdy9x + ZHVMRTJNQW5NZldJcVBqTUlxM2J3Y3cKniYqt5SL8PcDPuBgfUYu7FYbrk4aLFWS + gEAAHbwj3bB2LvJDHPQS07DN8MK4rGsIV4UjFC7maVxMsonC8F+F+A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-27T17:15:11Z" + mac: 
ENC[AES256_GCM,data:P9oX5KVP/64JbHX1qLiSf68gI5VxT5Ziyz3Z9oIoWWeW5SgqBXndhUKtOrM8QKjGQtFnwqjnD7nh8VTkn8SKK5+yraNkjzdpFFLwdQF7Dm0/wNKI6LNULDUQyllHO9K27qGqDWzMtT8dOpA5u9co1/mpNjbHkTR+zT40UOlgdEE=,iv:ddvCyG9BR/ZI3HbccI9yhQUAoh2pmNaCpzxG65mEGm8=,tag:UU4ylynRMPSrv2AHvI2P3A==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/user-pbsds.yaml b/secrets/user-pbsds.yaml new file mode 100644 index 0000000..4763a78 --- /dev/null +++ b/secrets/user-pbsds.yaml 
@@ -0,0 +1,31 @@ +age: + pvv-infra: ENC[AES256_GCM,data:3LpXJ9k8RQpo1FhzvFqnY2Zr5DS/uyD57/EQhjZ+8rL5pcseHxefl+dCOSzcK8XBhYj8Uh0SriLy9xG6vvLv6fVsFVAu7kyHmjjc/g9J9R3h/B0b7kEluJAxGIdZX5qVZLJl6rp5l2b9tLMj31SCN3kr4iZOI86Y/NDfVMzijYuslmIM7rBR5ESJSOPvjLqXjVTGWZ78RQd/i6h26iC57AaQnR3K+ECrRgiWCbEARN3METzTXu2K70ml9oPv,iv:mNBvaInfI49MP5mlk9vL81oV7bF4mpC132MzNLArkQI=,tag:nMDyldfhHflKdp+yjzdLmw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVlF4UXNZa3E2OWhPbk50 + MkhCZHV3N1A1MkpmQkNUbUxoNWk2QnRwSVg0CkQ3NVQwcXMvMHZjY1dkajJmQnd6 + a2hIWTRxVUxseFJTQjBNZ1FYRHZnT2sKLS0tIFpqZWNyMXBaRWJ2SXdJWTNKZjA1 + ejNaWlFBVDFvQWdYdXFaN2UrZFdZQ1UK+ogkwat1CzhZ3DoJT6mg4JkC9B3fPc3H + G21mzWPyGS2L4LoFw8wmE6ynHzsGojAlFK+2VpE2oWM+yR40zRO8Cg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSHowTjhHVVJIVWt3SWRS + Y2wwaTllOG9JMHhWcW5TVnRZU3d1RjlEVXo0CkhsQXFEN3kyRFNvL3lzY2pQYmVL + a0NMdGNxclU2ZW9rT29ucmtGdXh4ODQKLS0tIG9KYVhoSEJRdjhsWEplZVJtb1Av + bVVVYjF3d2ZyYTdWRTI4YTZ2Q25idHMKKB3XdEYu4SDrrM372Aid0cCio+TrqCqE + dzpIzCu9Kju4ECa7+1DwgAo37n0/YIcXCX5JrWF+qxIaetAyMkJoEA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-27T17:16:46Z" + mac: ENC[AES256_GCM,data:0I5IhUaaXWXaEj3TKtLhlDN7SkhCQouUcpb6bwnsoWVibWvMX9ZrqVO35wDrU/vmY45RTuIJ0AdXlDCL0fyGIOpw4bRoizxaIH9Im8sxh47Fgh+wY4LTEa3y6rES2opuaPrPUqEQeBtS9e1WU0Vt1Wdjv1nxq+pxKKL7p51CW6s=,iv:HZn7Ehqc0fpSDx32OgwzQZ3r8ebhoE4Dy+qUeDXJgj8=,tag:uj4lX4CESO041rLgRXko7Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/users/pbsds/home/profiles/sops.nix b/users/pbsds/home/profiles/sops.nix new file mode 100644 index 0000000..3227ab7 --- /dev/null 
+++ b/users/pbsds/home/profiles/sops.nix
@@ -0,0 +1,36 @@
+{ pkgs, config, ... }:
+
+{
+
+ sops.age.generateKey = true;
+ sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+ sops.defaultSopsFile = ../../../../secrets/user-pbsds.yaml;
+
+ sops.secrets."age/pvv-infra".path = "%r/sops/age/pvv-infra.txt";
+
+ home.sessionVariables = {
+ #SOPS_AGE_KEY_FILE = config.sops.age.keyFile;
+ SOPS_AGE_KEY_FILE = "$XDG_RUNTIME_DIR/sops/age/keys.txt";
+ };
+
+ systemd.user.services.combine-keys = {
+ Install.WantedBy = config.systemd.user.services.sops-nix.Install.WantedBy;
+ Unit.After = [ "sops-nix.service" ];
+ Service = {
+ Type = "oneshot";
+ ExecStart = pkgs.writeShellScript "mk-sops-age-key" ''
+ set -euo pipefail
+ test -n "$XDG_RUNTIME_DIR"
+ test -d "$XDG_RUNTIME_DIR"
+ test -f ${config.sops.age.keyFile}
+ install -Dm600 -t "$XDG_RUNTIME_DIR/sops/age/keys.txt" <(
+ cat ${config.sops.age.keyFile}
+ if test -s "$XDG_RUNTIME_DIR"/sops/age/pvv-infra.txt; then
+ cat "$XDG_RUNTIME_DIR"/pvv-infra.txt
+ fi
+ )
+ '';
+ };
+ };
+
+}
diff --git a/users/pbsds/home/profiles/ssh.nix b/users/pbsds/home/profiles/ssh.nix
index 9cb5acc..bff8401 100644
--- a/users/pbsds/home/profiles/ssh.nix
+++ b/users/pbsds/home/profiles/ssh.nix
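Review bot: In the mk-sops-age-key script the path read inside the `if` does not match the path that was tested: `test -s "$XDG_RUNTIME_DIR"/sops/age/pvv-infra.txt` guards `cat "$XDG_RUNTIME_DIR"/pvv-infra.txt`, so under `set -e` the unit fails precisely when the pvv-infra secret has been rendered (its declared path is `%r/sops/age/pvv-infra.txt`). The `install -Dm600 -t "$XDG_RUNTIME_DIR/sops/age/keys.txt" <(` line also looks wrong, since `-t` names a target directory and would likely create a directory called keys.txt containing a file named after the pipe's fd, rather than the file SOPS_AGE_KEY_FILE points at. I would change those three lines to `install -Dm600 <(`, `cat "$XDG_RUNTIME_DIR"/sops/age/pvv-infra.txt` and `) "$XDG_RUNTIME_DIR/sops/age/keys.txt"`. Quoting the interpolated key path as `"${config.sops.age.keyFile}"` in the `test -f` and `cat` lines would additionally keep the script correct for a home directory containing spaces. Because the two key files are concatenated back to back, it is also worth confirming that the generated keys.txt ends with a newline so the second key starts on its own line.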
@@ -28,17 +28,17 @@ "*.pbsds.net".forwardX11Trusted = true; "*.ntnu.no".user = "pederbs"; "*.pvv.org".user = "pederbs"; - "*.hpc.ntnu.no".proxyJump = "isvegg.pvv.ntnu.no"; - "*.idi.ntnu.no".proxyJump = "isvegg.pvv.ntnu.no"; + "*.hpc.ntnu.no".proxyJump = "hildring.pvv.ntnu.no"; + "*.idi.ntnu.no".proxyJump = "hildring.pvv.ntnu.no"; # me - "garp.pbsds.net".proxyJump = "isvegg.pvv.ntnu.no"; - "bolle.pbsds.net".proxyJump = "isvegg.pvv.ntnu.no"; + "garp.pbsds.net".proxyJump = "hildring.pvv.ntnu.no"; + "bolle.pbsds.net".proxyJump = "hildring.pvv.ntnu.no"; "knut.pbsds.net".port = 23; "nord.pbsds.net".port = 24; "sopp.pbsds.net".port = 26; "noximilien.pbsds.net" = {}; - "rocm.pbsds.net".proxyJump = "isvegg.pvv.ntnu.no"; + "rocm.pbsds.net".proxyJump = "hildring.pvv.ntnu.no"; # ntnu "stud.ntnu.no".hostname = "login.stud.ntnu.no";