WIP kanidm VM
Bert-Proesmans committed May 6, 2024
1 parent d50b61a commit 107a5d9
Showing 6 changed files with 316 additions and 49 deletions.
20 changes: 10 additions & 10 deletions .sops.yaml
Expand Up @@ -5,41 +5,41 @@
# REF;https://github.com/nix-community/infra/blob/428dc48b4b08c7b02a9512b0c60b84d30c6acce0/.sops.yaml
keys:
# ERROR; Age's extension for Yubikey derived age-keys is not yet merged into sops!
# REF;
# REF; https://github.com/getsops/sops/pull/1465
#- &yubikey_bert_proesmans age1yubikey1...
# VAULT transit keychain
- &master "http://169.254.245.1:8200/v1/sops/keys/master"
# HOST KEYS
#- &host_buddy age1...
- &host_buddy age14an6m226h8vu06nv5q83s7vl59ytq8j9dkaujvrwgsdj98kr0ukq0a5k0g

# NOTE; These rules are in effect when using the SOPS CLI.
# Both creation of- and running the command updatekeys will modify the key material of files with sensitive content.
#
# WARN; Creation rules are interpreted sequentially, and a first match is used to calculate/provide key material
# to the file argument.
creation_rules:
- path_regex: hosts/[^/]+/keys.encrypted.yaml$
- path_regex: hosts/[^/]+/keys\.encrypted\.yaml$
key_groups:
# NOTE; A single key group comprised of 2 different types of encryption keys/methods
# By default, to decrypt, at least one decryption key for _each_ keygroup must be present to decrypt secrets.
# Since there is exactly one keygroup, any key within can fully decrypt the secrets
- age:
#- *yubikey_bert_proesmans
hc_vault_transit_uri:
- *master
hc_vault:
- *master

- path_regex: hosts/buddy/[^/]+\.encrypted\.yaml$
key_groups:
- age:
- *host_buddy
hc_vault_transit_uri:
- *master
- *host_buddy
hc_vault:
- *master

# NOTE; No path_regex as fallback option
#
# WARN; Use `invoke update-sops-files` after updating key assignment to secret files!
- key_groups:
- age:
#- *yubikey_bert_proesmans
hc_vault_transit_uri:
- *master
hc_vault:
- *master
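Review bot: The `&master` anchor points Vault transit at plain `http://169.254.245.1:8200`, so every sops encrypt and `updatekeys` run sends the per-file data key to and from Vault in cleartext on the wire; if that link-local address is anything other than a hypervisor-local interface, switch it to `https://`, and either way add a comment stating the assumption, e.g. `# NOTE; plain HTTP is acceptable only because 169.254.245.1 is reachable from the hypervisor alone`. The new `hosts/buddy/[^/]+\.encrypted\.yaml$` rule is also shadowed by the first rule for `keys.encrypted.yaml` because of the first-match behaviour the WARN above describes, which looks intentional (the host age key is derived from the SSH host key stored in that file, so the host must not be able to decrypt it) but deserves a line saying so next to the rule, e.g. `# NOTE; keys.encrypted.yaml is matched by the rule above on purpose; only the Vault master can decrypt the host's own SSH key`.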
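--- a/flake.nix
+++ b/flake.nix
@@ -137,7 +137,15 @@
 };
 
 # Software directly available inside the developer shell
-packages = builtins.attrValues { inherit (pkgs) nyancat git vault; };
+packages = builtins.attrValues {
+inherit (pkgs)
+# For fun
+nyancat figlet
+# For development
+git bat vault
+# For secret material
+sops ssh-to-age;
+};
 
 VAULT_ADDR = "http://169.254.245.1:8200";
 VAULT_TOKEN = "<none>; run export VAULT_TOKEN='<token>'";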
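--- a/library/facts.nix
+++ b/library/facts.nix
@@ -7,6 +7,7 @@ _lib:
 buddy.net.management.mac = "4a:5c:7c:d1:8a:35";
 #buddy.net.management.ipv4 = "192.168.88.10";
 
-vm.dns.net.mac = "4e:72:72:20:a5:2f";
+#vm.dns.net.mac = "4e:72:72:20:a5:2f";
+vm.idm.net.mac = "9e:30:e8:e8:b1:d0";
 };
 }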
104 changes: 67 additions & 37 deletions nixosModules/hosts/buddy/default.nix
Expand Up @@ -366,15 +366,30 @@
mountpoint = "/var";
options.mountpoint = "legacy"; # Filesystem at boot required, prevent duplicate mount
};
#"safe" = { };
#"safe/persist" = {
# "safe/persist/vm" = {
"safe/persist/vm/state" = {
# Stores all state between reboots in a single location
# at file/folder granularity
#"persist" = { };
"persist/home" = {
# User data
type = "zfs_fs";
# WARN; Potential race while mounting, see the note about zfs generators
# REF; https://github.com/NixOS/nixpkgs/issues/212762
mountpoint = "/home";
# Workaround sync hang with SQLite WAL
# REF; https://github.com/openzfs/zfs/issues/14290
# See also `overlays.atuin`!
# options.sync = "disabled";
};
"persist/replicate" = {
# State to be sent/received from cluster
type = "zfs_fs";
mountpoint = "/replicate";
};
"persist/vm" = {
# Default storage location for vm state data without requirements.
# HELP; Create sub datasets to specialize storage behaviour to the application.
type = "zfs_fs";
options = {
mountpoint = "/vm-state";
canmount = "off";
mountpoint = "/vm";
# Qemu does its own application level caching
# NOTE; Set to none if you'd be storing raw- or qcow backed volumes.
primarycache = "metadata";
Expand All @@ -390,21 +405,14 @@
setuid = "off";
};
};
"safe/home" = {
# User data
type = "zfs_fs";
# WARN; Potential race while mounting, see the note about zfs generators
# REF; https://github.com/NixOS/nixpkgs/issues/212762
mountpoint = "/home";
# Workaround sync hang with SQLite WAL
# REF; https://github.com/openzfs/zfs/issues/14290
# See also `overlays.atuin`!
# options.sync = "disabled";
};
"replicate" = {
# State to be sent/received from cluster
"persist/vm/kanidm" = {
# Kanidm state is basically a database. This dataset is tuned for that use case.
type = "zfs_fs";
mountpoint = "/replicate";
options = {
mountpoint = "/vm/kanidm"; # Default, but good to be explicit
logbias = "latency";
recordsize = "64K";
};
};
};
};
Expand Down Expand Up @@ -638,22 +646,44 @@
# };
# };

# kanidm = {
# autostart = true;
# flake = null;
# updateFlake = null;
# specialArgs = { inherit profiles; };

# # The configuration for the MicroVM.
# # Multiple definitions will be merged as expected.
# config = {
# networking.hostName = "SSO";
# imports = [ profiles.micro-vm ];

# # Any other configuration for your MicroVM
# # [...]
# };
# };
kanidm = {
autostart = true;
specialArgs = { inherit profiles; };

# The configuration for the MicroVM.
# Multiple definitions will be merged as expected.
config = {
networking.hostName = "SSO";
imports = [ profiles.micro-vm ];

microvm.interfaces = [{
type = "tap";
id = "tap-kanidm";
mac = lib.facts.vm.idm.net.mac;
}];

microvm.shares = [{
source = "/vm/kanidm";
mountPoint = "/var/lib/kanidm";
tag = "kanidm";
proto = "virtiofs";
}];

services.kanidm = {
enableServer = true;
serverSettings = {
bindaddress = "<TODO>";
domain = "idm.proesmans.eu";
origin = "https://idm.proesmans.eu";
tls_chain = "<TODO>";
tls_key = "<TODO>";
db_fs_type = "zfs";
role = "WriteReplica";
online_backup.versions = 0; # disable online backup
};
};
};
};
};

# Ignore below
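Review bot: `online_backup.versions = 0; # disable online backup` in the new `services.kanidm.serverSettings` block switches off the only built-in backup of an identity database whose loss invalidates every account, credential and token it issued; unless the host-side `persist/vm/kanidm` dataset is snapshotted and replicated, keep the default number of versions, or replace the comment with one naming the policy that substitutes for it, e.g. `# Backups are ZFS snapshots of persist/vm/kanidm on the host, replicated via persist/replicate`. The `bindaddress`, `tls_chain` and `tls_key` placeholders will keep the server from starting (as far as I recall kanidm refuses to run without a TLS chain and key), and the private key in particular should reach the guest through the sops host-key path this commit sets up rather than through the virtiofs share that also carries the database. The `microvm.shares` entry mounts `/vm/kanidm` into the guest over virtiofs; kanidm's store is SQLite, which depends on file locking, so confirm the virtiofs setup gives the lock semantics it expects before trusting the share with write traffic, and note that `db_fs_type = "zfs"` describes the host dataset (whose `recordsize = "64K"` it matches), not the filesystem the guest actually sees.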
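--- /dev/null
+++ b/nixosModules/hosts/buddy/keys.encrypted.yaml
@@ -0,0 +1,17 @@
+ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:Z7RETt9octI1LykaB/k6qR2VFnqX7h9WzZIMBQLzopA=,tag:F0rDdxpRJ7f2N82tqqyR0w==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault:
+- vault_address: http://169.254.245.1:8200
+engine_path: sops
+key_name: master
+created_at: "2024-05-06T20:54:33Z"
+enc: vault:v1:rSKb1kjPrDz92ddFnMictY9QcnwOHRLsUTRM3zXwWhN6k7bhutPcTpUOZznLurof5B2nChpt3jcRzatC
+age: []
+lastmodified: "2024-05-06T20:54:33Z"
+mac: ENC[AES256_GCM,data:zO2IHQkdpY+JpkY8gti738/PxGprAFYMz/CeavFDG9dwRW47KP5Bin+hUO/K8QxQ9s2B2PT41wxw6R2/q4HbT8txH6Eh4bTqOMxL/rasjD40jgVYphDkW4IJVcarm+BGmgbK3RwFdBYuwftzwTF1naIMp0Le3xl0/0LpIZ4POkY=,iv:c2QkoDmLmB7QWs5zC40MaJj5dzX3WpO7LSFttCJtQi8=,tag:kZMa6FsvKLCYFty8eHIvDw==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1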
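Review bot: The `sops.hc_vault` entry is the only recipient of this file (`age: []`, `pgp: []`, `kms: []`), so recovering `ssh_host_ed25519_key` depends entirely on the transit key `master` inside the Vault at `http://169.254.245.1:8200`; if that Vault instance or its unseal material is lost, the host's SSH identity — and the age key derived from it that the other `hosts/buddy/` secrets rely on — is gone with it. Add a second recipient that lives off the host (the commented-out yubikey age key once sops supports it, or an age key kept offline) by extending the `key_groups` in `.sops.yaml` and re-running `invoke update-sops-files`, or document the recovery plan next to the creation rule.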
