From c55406911624a92171a728ce763a42c1b85b8d84 Mon Sep 17 00:00:00 2001 From: Petru Paler Date: Sat, 3 May 2025 22:35:31 +0100 Subject: [PATCH] Post-reinstall updates for c2. --- .sops.yaml | 2 +- hosts/c2/default.nix | 4 +-- secrets/c2.yaml | 22 +++++++------- secrets/common.yaml | 72 ++++++++++++++++++++++---------------------- setup-host.txt | 2 +- 5 files changed, 51 insertions(+), 51 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 756a40e..22d8580 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,7 +4,7 @@ keys: - &server_chilly age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp - &server_alo_cloud_1 age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z - &server_c1 age1wwufz86tm3auxn6pn27c47s8rvu7en58rk00nghtaxsdpw0gya6qj6qxdt - - &server_c2 age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam + - &server_c2 age1c2kc034n7tqztarcu7n5ldnjmy9sr3jgwrsaddsj0hwfus9mdp3sctts4m - &server_c3 age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer creation_rules: - path_regex: secrets/common\.yaml diff --git a/hosts/c2/default.nix b/hosts/c2/default.nix index 94339e6..250b313 100644 --- a/hosts/c2/default.nix +++ b/hosts/c2/default.nix @@ -9,8 +9,8 @@ diskLayout = { mainDiskDevice = "/dev/disk/by-id/nvme-KINGSTON_SNV3S1000G_50026B7383365CD5"; - keyDiskDevice = "/dev/disk/by-id/usb-Intenso_Micro_Line_22080777650675-0:0"; - #keyDiskDevice = "/dev/sda"; + #keyDiskDevice = "/dev/disk/by-id/usb-Intenso_Micro_Line_22080777650675-0:0"; + keyDiskDevice = "/dev/sda"; }; networking.hostName = "c2"; diff --git a/secrets/c2.yaml b/secrets/c2.yaml index 87c207b..b1b234d 100644 --- a/secrets/c2.yaml +++ b/secrets/c2.yaml 
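Review bot: Replacing the `server_c2` recipient only affects future encryptions; every earlier revision of `secrets/c2.yaml` and `secrets/common.yaml` in history stays decryptable with the old c2 key. The secrets hunks later in this patch keep `lastmodified` and `mac` as unchanged context, so it looks like only the recipient stanzas were re-wrapped (consistent with `sops updatekeys`) and the secret values were not rotated. If the old SSH host key may have survived on the replaced or reinstalled disk, the values c2 could read should be rotated as well. If the new recipient was derived with `ssh-keyscan | ssh-to-age` as setup-host.txt describes, compare the host key fingerprint with one read on the c2 console, because ssh-keyscan does not authenticate the host. A comment above the entry would record the state, e.g. `# c2 recipient replaced after reinstall on 2025-05-03; old key retired`.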
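Review bot: `keyDiskDevice = "/dev/sda";` depends on kernel enumeration order, so whichever disk is detected first as sda is treated as the key disk, whereas the by-id path it replaces named one specific USB stick. setup-host.txt gives the reason (a failed USB drive is harder to replace when pinned by id), but nothing next to the setting says so, and the old value is left behind as a commented-out line. I would replace that leftover with a why-comment such as `# /dev/sda on purpose: a by-id path pins one USB stick and makes replacing a failed one harder (see setup-host.txt)`. How keyDiskDevice is consumed is outside this hunk, so it should be confirmed that a wrong device at sda fails closed (boot stops) rather than being used. The enclosing attribute set starts and ends outside the hunk.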
@@ -8,20 +8,20 @@ sops: - recipient: age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqN0txU0NKVVprUnlCWGtt - azFFdzJuMHN1MVlWemJIQ0lQRU5TZURpQjEwCkNHcGVaUUtESTZCVVFpa2pxLzF6 - bmZmMVlqRWtvUVNtajNqWTZxNWJWZEEKLS0tIHovT1N1TFgrVjlXYUZSckJ2K1lr - VWZoTjBWWVl3WjVSMXc5VENPbkJlNXMK1Mi9CDyY/zn090pgGIWmbY5fR/G9fpwm - rtl32WdXCcpo8c+XgzYowRw4qxNnNL4gzvGn+91And55eF25Ozl+yA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybTNNK3lNZFJremVmUFc1 + cjZqRjJhSDJ3OGFQOWpITFNZdVdQTi9nWDE4CkZJNjNtdHRBeS85OU8ybXNXVk5l + SVFBMHlVZVBKdUphWWZaRzhPaUltek0KLS0tIFVWWG43Um54Mm5LS0d2MTZkN3Ay + K3J2cnlpRGlNQm1abmdMMzJXdER0NHcK0HbMgUuxwa7OqvWi+fDqNBflxzZoOm9I + dCHVWjoBL8j6CIpn9ybCBv9oUWhb17xwxd7YIVmkZ7oIQ7F9f3r/Yg== -----END AGE ENCRYPTED FILE----- - - recipient: age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam + - recipient: age1c2kc034n7tqztarcu7n5ldnjmy9sr3jgwrsaddsj0hwfus9mdp3sctts4m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMm1BWUxKdi9VNFNFOUdv - UTB3ZzdiTVBUKzd1eFZ6ZWxteW1lc3NFOXljClFVUkRqVjVtSTg2aVluNnZNNzdx - RFVvT1hxUkR3SzU4NXFqbXNYUU5JWk0KLS0tICtFWFQveDB6SnVqNXRXZS9FbU9D - TDhodzYzV3AzWmdjQ0Q5UEJLWTFKT2sKoIz2O7Ot/F+crGjaYvCQRM5iuzMG3L3J - sjysqAuESLrcUwPX574NwRaOKvlpTaNnKtl7ZXqKnbfucTJPc6o8NQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDYzBoQURsckNBTDFBcENw + ak8xZ3NIWDM0OGZmVElVVWJWbndwMjRJMlFBCnp3M2EwaDJkYWxrbHkwNUttREl3 + cWRFWVpLbGMySGNFcENXbzJyd0k0NVEKLS0tIEtNd2Y2V2ZMWC9rQ0Z2Slk4YjBt + S1lKalRuSmRYYmlDeHgrUFFnL0lzaVkKE8mk9PiPD/Tb+e3GEy1sXvIxdInlNGh0 + HVHuQ/22UDTKSxXGKkD8WTl4VZVmJAwLAU4TbvtVzx96+SCi8uVy1Q== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-03-12T11:54:39Z" mac: 
ENC[AES256_GCM,data:g8nz1Azs5X59ulimMRzgvKz9Y7lKnjFq2SCctdt+yMBLojlk8RXMSf7tY311dZLcd00wi8xsGlBY1XaCbDjIlkG4sLWuQIareYjfqGK5s0pRvELTTF2ZE9yY+5iYdeVkBe7yv44sWJGNN1BcgFpR9zUouA+6yKVt2/XcPu8+7Fs=,iv:zDyECD2w1bTq0xbart+cIjHBAmfSHnpFG5nHPbiT2UY=,tag:b50oQfRgLtI/XbkINuzx5A==,type:str] diff --git a/secrets/common.yaml b/secrets/common.yaml index fffdcae..8395cf7 100644 --- a/secrets/common.yaml +++ b/secrets/common.yaml 
@@ -8,65 +8,65 @@ sops: - recipient: age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZ0dzYmlHVHRnSjNwUWhI - M2ZhTVRtN2ZIb0JacXpaM2hxejFab2tkdTJrCnFaVUpBSGpKUUNzL0xEMUo4Qkg4 - eWpLL3RRMkovR1AvYklLNXcvZGtrR2cKLS0tIExPN3lPTjFueGlzc3c4UFVjcHVO - Y0N2cFlKSkNSU01SOEN1OXIvRmtQbFEKDGuIvYvMhXWOz9GLIDSs/PEaXpwn3Ust - BffIB24x01nPXdz0O+GHC8J4LkvdwRrYL5kX6vqZ/RWOQEpPDpjvFA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjOWdvMkRQQUV0emx3WDZt + aDEvRHhKZGQxTThjakc5VVpMRFlxQ3pwdEhrCjl1Y3hKM2FRVENRcEtCYlphVTR5 + ejFDZzhYUG5NTHgyUVp2emgwVWx1RVEKLS0tIDFWM1RublZVWjN3cXZKM1RsZHBt + ZFl4elUxbHdUZVQ4ajYvd2h3RHpMaVkKxviRk3TCTl9SdqAC7C+e+ugD3o/6/3sh + 6I7Z1f9K99ONAaP3VhVoW34+qDXyA/RmNk85TWDjE8U/Y4A7/+kYAQ== -----END AGE ENCRYPTED FILE----- - recipient: age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2TkxMSFJLbzdPTTdYR0hC - U1dSVENJckFjVlBkUThrYnRUN2Q5ek9JcFhjCllmVFYzenF6SHByUGtFQUhTZWg2 - UTBLckZpYWQ2QXkxaWMvR2d6eHREYTgKLS0tIC9DMmZ0QXVUMlJ1NVZielV6dWlv - QWpybkVtcVhXOEhHRVFNMUJhMXhqSW8KcrPWhqGA8J5zIu5JaBd7N4VjR4iq/6Mq - qfi3OPQQlisN6zLzpM1kWs+BTzeAVzfC+UXKmuFeOUHcVJFG6TbLMg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBOVNYRTB1NVpMYzJlakpZ + cXd4amF2dUEyZXVubFZvUDVJZFVlSWh2TTBnCmhRMDhTdjFDQzg4eGNBYzhVTGNy + THJrbXZBeVVxMkJweXJESDVSR1U1S1kKLS0tIGpOcFZ1NnZyczZZT01BcUVLVGo5 + cmdiMTNKZ0pJVWpOTDNHSUt1UUJCM2cKsCOQM166AQjNqlBoB3r04HMGiUkgkFvA + /uxxVnapjzn0Fj9OgtTSsHT7TnRHsPLvFbIPNuvzk2T7j2sv8TEZnw== -----END AGE ENCRYPTED FILE----- - recipient: age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMWltT2Yvdk96elVqWWI0 - WE5rR1ZjYXMxYXNiNWdlLzJWMkJObGFENnpVCnVsenJzdUIrc1M2cFJReUExSVU3 - dWpMUk53dU9UTG9EUlNOTHBja0JqazAKLS0tIGYzU2pxVmpFR3UzaDhCd0ZrdkRj - 
V1V5M2g2elRMR2lYZHM0QVRTdDFBOHcKFIlNxdy6KyZK42qsLgXNIR0lTmNnCOLS - xn0MT+YG6j4YP23OslkjXlr8lEAOggh6+2fFssRXtXZGKdQobQl3Jw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZnVQVzhYaGlzcUY2ckNW + RkxKVHZpa2RRZ3ZuWGFkaTNWVVNISnpaMEhRCmxjbnlGbEJPWGhOdGFnNzNoSkgx + ZTNvL0ZKZ2JyeFRlMFJHK2dRTzhoTVkKLS0tIHBoZ09TdHFpTUs4TE5BVUxKemRr + WCttVkpwNVVhRUhtaWlDcDBSMzA1eEEKG149AvnnLyGGYA7oXIhUz46rFzYDFcC+ + r1UrA6MrJXSDggNh2puQ1dDtntub9BHCO8qDGsxSOCpp/TqEtrv9eA== -----END AGE ENCRYPTED FILE----- - recipient: age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzK1FBcHh2NlBCMDVJTVJi - V3JzYmRqVnNxcTBZSWJacDF5NUF0dGJqWWxZCk1aaTdra3RRcklIb1VkU1VpRGlI - VVZNTUFXQzcwT1NRUFFtZTFaZERiOTgKLS0tIFNTbUVXQmRaWmdPWWVzMTJEYk83 - RGo1aDJJV3RiRkJsTXNoa2ZFSWJNcFUKM21CtHAX2swT++JqKSQ2R9htE0+Csvlz - h/SfoTkVlm8OPrYzaEQV0SB0yxC7jgBKL9X5HZQDaflGbTUBi9LP1A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTTV0QkdnWDlVckJjaVF6 + bXhZUHFFNEVReE1qSURZdjlXVkN4ZE1VOVVrCjBsdTdOSXRISkpVMGVDY0RtMXIy + MGtHakFuV2VqNk4vcFJmV2FmQjhJQk0KLS0tIC9nRHJSVWVWY0tEaURValdOY1Vm + bTFWS25lajdzNDdXd0lJY3VCbm0xbW8KgW0kqgIoH2UWqMPhyI1lY3qJJhDankCr + wQ1s6Jyxi58hFpCChfSi0q3s0Nd1RWo/MMHZnw8IJ9YAp7MFRY/6lA== -----END AGE ENCRYPTED FILE----- - recipient: age1wwufz86tm3auxn6pn27c47s8rvu7en58rk00nghtaxsdpw0gya6qj6qxdt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtRGxmaUE5V1NabytJT3E0 - elZ0T1YybS9OQXdERWdoSkxpbDcvM3Buem1jCnBjSWROT1NxWGxXOERCLy82akJ4 - clVyVVpZMTI3cTEvT0U5aWorQ21LN0UKLS0tIGJDZGhtUWVVQmpKcnFvNlZvUS9B - STdUQUxXcUNnRmZvNzVIZjlVUGVuWFUKp8qPooDNNFa73mRtmBuzwlccVBX7TF7P - NcQQUzTe5i1B2S5Q8iDVkEKnPJxb10KGJEGGD+gh29beOWsZXEu06g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeTBZM2NnV3EvSFQveUFE + OWJoeC9sR1BVemczT01YbjJCUW45dCtOamh3CjJycHNBb2RRaUVrd1E4V2k5d0Jt + SUhuakRFWDRQbnJmNDl1b0g2ZGV1S1kKLS0tIHd2eW5sNFAwUjhCaVVibGowSVNS + 
VGRMUmUxcjVqekFXV0MzbnpVN2V6dUUKze9Ys+rYb46Oz1ZTCoUGCjWteuheoa4h + DnhKGEcHVYVsJ+lxRheLeEEilLUSluWK0ejAomPSR9oi9y0Z3rEUAw== -----END AGE ENCRYPTED FILE----- - - recipient: age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam + - recipient: age1c2kc034n7tqztarcu7n5ldnjmy9sr3jgwrsaddsj0hwfus9mdp3sctts4m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVVJQOXlXRVhYMHVZQjdD - VzRGSUw5L2hRbXdJYkJndUlOb3ZPVWJ1dUcwCkxGLzBLd0RUeWwxc1ZZL2hTYzUz - VVBjZVFzN3VCY3o4UXFIT0plSEFoWm8KLS0tIGhJRVRLMVE0eGtkeE82SlMydE1m - TDhLOENRREVlemt0ZHBid0RNelV0bUkK0MYZpO5AWieaHnW/tP8bND/bJQYKf85e - fEs1AE83bhS4pLGhf7elXUW9Yc7YG7M7maPyK9Yf3G8cFH1sYLYhVQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5L3FmS3JFTHRqeUkxY1JS + TXFONTNFNnUyVE1CSWhnM05pT21aVStWVDN3ClE2WHhRTExsVmhaaWQyNCs4LzJo + ampVZHlycE9McEEzdCtFZzNoY1ROcmcKLS0tIGFhcFM3cVNEa0k2NS93amtEVHp4 + cE42N2Y5WGVMOUZ5a3VvQVlEcDNqZUEKUhfElhoxunhwhIEouSCzqbsqAHcBcuh6 + tuzDqSuc3z8NMfLKW3EwCwmGbk9YX57WHmGbd1EM54kAE7zflymOLQ== -----END AGE ENCRYPTED FILE----- - recipient: age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIcjlObDQ4eVE1SjJrUlBF - YlVyS1FDYThtdDNGSTVReTRidGVPMXRZVGdjCnkvZENzMkFBKzZaU0paOFJkRmMw - MWpQaTg0c1RweStNeFVZZ05KY0VDbmcKLS0tIGhjNkxMeDhxVEtLdTF5Qjl1MVJv - UHZwRmc2NjNDUlJCdWN1V1dhS1RkelEKF1KiZLQvruEAfjwbW8lIyzvcCqeAMReI - svl1uSaSaxPtCbnc9RA2nfo0vvCoz0a02dhr7CAy3syfQPLLZqRAIA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RS9maGVJeDNnRUl5Yk0r + N3pvbWxQL3h6aU01TGRFNysrZkd1TmRER1JBCmJjdnBiUUlMR1poZGpTeC8wSVQx + aGF0STE0TE1sa3YxakEwMUt3bURxUkkKLS0tIDVsdnpxcHpvQStjM09iSDRMdU1T + c09FQVJURG5PaW43cGhIWFRhQ1ppcEUK2iJ/M228wXCdIcs7LBbnntTrJqzmfdOi + btMKaOX0d3vecXooJF6smssVrdUIwRdoLe8qBeGiMqhjCqjwur0UzQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-04-04T09:34:06Z" mac: 
ENC[AES256_GCM,data:YIcRrsPparPfPaI2+MLlKsxu7M19H8nndOsrDLuh/5BXzIZNiuTIWyvxODyhI745rDwlibO+7Q0QctanhTl4+IzGaYtuY4i+rb+3dzBMpcdT2VAbtCHHxcltWeanRGFq2K3WM2tbnQCERst5kejfn0Razjq3UU5vNwfBsdJMwGc=,iv:izDxy0ufVnH8ImkZIngcYhGuj0PGpLqBD/ZDvQyE+5I=,tag:oYBUEQS52pr09h5OvOadNg==,type:str] diff --git a/setup-host.txt b/setup-host.txt index 20099de..c612edc 100644 --- a/setup-host.txt +++ b/setup-host.txt @@ -9,4 +9,4 @@ * set the actual device IDs in hosts//default.nix * on base host: nix run github:nix-community/nixos-anywhere -- --flake '.#' nixos@ * after confirmed working, update hosts//default.nix to set keyFile to /dev/sdX (otherwise when the USB drive fails it's harder to replace) -* if replacing failed host in place, update key in .sops.yaml with the output from "ssh-keyscan | ssh-to-age" then "sops updatekeys secrets/secrets.yaml" +* if replacing failed host in place, update key in .sops.yaml with the output from "ssh-keyscan | ssh-to-age" then "sops updatekeys secrets/*.yaml"