From 998e01ae8caee72ae85440994e4f951940b22e13 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 9 May 2024 17:03:13 +0200 Subject: [PATCH] Enable IPv6 support for K8s Enable DNS over IPv6 and TCP to comply with isnic Provision k3s CA Make Atlas a k8s agent instead of server --- kubenix-modules/all.nix | 24 ++-- kubenix-modules/bind9/default.nix | 107 +++++++++++++----- kubenix-modules/bind9/kun.is.zone.nix | 6 +- kubenix-modules/metallb.nix | 2 +- machines/atlas.nix | 1 + machines/jefke.nix | 5 +- my-lib/globals.nix | 1 + nixos-modules/k3s/default.nix | 105 +++++++++++++---- nixos-modules/k3s/k3s-ca/client-ca.crt | 81 +++++++++++++ nixos-modules/k3s/k3s-ca/etcd/peer-ca.crt | 81 +++++++++++++ nixos-modules/k3s/k3s-ca/etcd/server-ca.crt | 81 +++++++++++++ .../k3s/k3s-ca/request-header-ca.crt | 81 +++++++++++++ nixos-modules/k3s/k3s-ca/server-ca.crt | 81 +++++++++++++ secrets/k3s-ca/client-ca.key.age | Bin 0 -> 989 bytes secrets/k3s-ca/etcd/peer-ca.key.age | 17 +++ secrets/k3s-ca/etcd/server-ca.key.age | 16 +++ secrets/k3s-ca/request-header-ca.key.age | Bin 0 -> 989 bytes secrets/k3s-ca/server-ca.key.age | Bin 0 -> 989 bytes secrets/k3s-ca/service.key.age | Bin 0 -> 2441 bytes secrets/secrets.nix | 6 + 20 files changed, 633 insertions(+), 62 deletions(-) create mode 100644 nixos-modules/k3s/k3s-ca/client-ca.crt create mode 100644 nixos-modules/k3s/k3s-ca/etcd/peer-ca.crt create mode 100644 nixos-modules/k3s/k3s-ca/etcd/server-ca.crt create mode 100644 nixos-modules/k3s/k3s-ca/request-header-ca.crt create mode 100644 nixos-modules/k3s/k3s-ca/server-ca.crt create mode 100644 secrets/k3s-ca/client-ca.key.age create mode 100644 secrets/k3s-ca/etcd/peer-ca.key.age create mode 100644 secrets/k3s-ca/etcd/server-ca.key.age create mode 100644 secrets/k3s-ca/request-header-ca.key.age create mode 100644 secrets/k3s-ca/server-ca.key.age create mode 100644 secrets/k3s-ca/service.key.age diff --git a/kubenix-modules/all.nix b/kubenix-modules/all.nix index 53b3368..1d02a5f 100644 
--- a/kubenix-modules/all.nix +++ b/kubenix-modules/all.nix @@ -1,7 +1,5 @@ -{ - imports = [ - ./base.nix - ./custom-types.nix +let + applications = [ ./freshrss.nix ./cyberchef.nix ./kms.nix @@ -17,15 +15,21 @@ ./media.nix ./bind9 ./dnsmasq.nix - ./esrom.nix - ./metallb.nix - ./cert-manager.nix ./minecraft.nix - ./custom/ingress.nix - ./custom/nfs-volume.nix - ./traefik.nix ./blog.nix ./atticd.nix ./argo.nix ]; +in +{ + imports = [ + ./base.nix + ./custom-types.nix + ./esrom.nix + ./metallb.nix + ./cert-manager.nix + ./custom/ingress.nix + ./custom/nfs-volume.nix + ./traefik.nix + ] ++ applications; } diff --git a/kubenix-modules/bind9/default.nix b/kubenix-modules/bind9/default.nix index 25a9925..7ce9a08 100644 --- a/kubenix-modules/bind9/default.nix +++ b/kubenix-modules/bind9/default.nix 
@@ -51,27 +51,52 @@ in metadata.labels.app = "bind9"; spec = { - containers.bind9 = { - image = "ubuntu/bind9:9.18-22.04_beta"; - envFrom = [{ configMapRef.name = "bind9-env"; }]; + containers = { + bind9-udp = { + image = "ubuntu/bind9:9.18-22.04_beta"; + envFrom = [{ configMapRef.name = "bind9-env"; }]; - ports.dns = { - containerPort = 53; - protocol = "UDP"; + ports.dns-udp = { + containerPort = 53; + protocol = "UDP"; + }; + + volumeMounts = [ + { + name = "config"; + mountPath = "/etc/bind/named.conf"; + subPath = "config"; + } + { + name = "config"; + mountPath = "/etc/bind/kun.is.zone"; + subPath = "kunis-zone"; + } + ]; }; - volumeMounts = [ - { - name = "config"; - mountPath = "/etc/bind/named.conf"; - subPath = "config"; - } - { - name = "config"; - mountPath = "/etc/bind/kun.is.zone"; - subPath = "kunis-zone"; - } - ]; + bind9-tcp = { + image = "ubuntu/bind9:9.18-22.04_beta"; + envFrom = [{ configMapRef.name = "bind9-env"; }]; + + ports.dns-tcp = { + containerPort = 53; + protocol = "TCP"; + }; + + volumeMounts = [ + { + name = "config"; + mountPath = "/etc/bind/named.conf"; + subPath = "config"; + } + { + name = "config"; + mountPath = "/etc/bind/kun.is.zone"; + subPath = "kunis-zone"; + } + ]; + }; }; volumes = [{ 
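Review bot: The `bind9-udp` and `bind9-tcp` containers sit in the same pod and so share one network namespace, which means two named processes started from the same `named.conf` will both try to bind port 53. The `protocol` field under `ports` only labels the port; it does not restrict what the process listens on. Unless the mounted config (not visible in this hunk) somehow confines each instance to one transport, the second container is likely to fail with an address-in-use error and restart in a loop. One container declaring both named ports gives the two Services the same `targetPort` names with a single named instance. The pod spec continues outside the hunk.

```nix
containers.bind9 = {
  # … unchanged: image, envFrom …
  ports = {
    dns-udp = {
      containerPort = 53;
      protocol = "UDP";
    };
    dns-tcp = {
      containerPort = 53;
      protocol = "TCP";
    };
  };
  # … unchanged: volumeMounts for named.conf and kun.is.zone …
};
```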
@@ -83,15 +108,45 @@ in }; }; - services.bind9.spec = { - type = "LoadBalancer"; - loadBalancerIP = myLib.globals.bind9IPv4; - selector.app = "bind9"; + services = { + bind9-udp = { + metadata.annotations = { + "metallb.universe.tf/loadBalancerIPs" = "${myLib.globals.bind9IPv4},${myLib.globals.bind9Ipv6}"; + "metallb.universe.tf/allow-shared-ip" = "dns"; + }; - ports.dns = { - port = 53; - targetPort = "dns"; - protocol = "UDP"; + spec = { + type = "LoadBalancer"; + selector.app = "bind9"; + ipFamilies = [ "IPv4" "IPv6" ]; + ipFamilyPolicy = "RequireDualStack"; + + ports.dns = { + port = 53; + targetPort = "dns-udp"; + protocol = "UDP"; + }; + }; + }; + + bind9-tcp = { + metadata.annotations = { + "metallb.universe.tf/loadBalancerIPs" = "${myLib.globals.bind9IPv4},${myLib.globals.bind9Ipv6}"; + "metallb.universe.tf/allow-shared-ip" = "dns"; + }; + + spec = { + type = "LoadBalancer"; + selector.app = "bind9"; + ipFamilies = [ "IPv4" "IPv6" ]; + ipFamilyPolicy = "RequireDualStack"; + + ports.dns = { + port = 53; + targetPort = "dns-tcp"; + protocol = "TCP"; + }; + }; }; }; }; diff --git a/kubenix-modules/bind9/kun.is.zone.nix b/kubenix-modules/bind9/kun.is.zone.nix index 9e15cf0..4f1b9b8 100644 --- a/kubenix-modules/bind9/kun.is.zone.nix +++ b/kubenix-modules/bind9/kun.is.zone.nix @@ -3,8 +3,8 @@ myLib: dns: with dns.lib.combinators; { SOA = { nameServer = "ns1"; - adminEmail = "webmaster@kun.is"; - serial = 2024041300; + adminEmail = "webmaster.kun.is"; + serial = 2024041301; }; NS = [ @@ -23,7 +23,7 @@ myLib: dns: with dns.lib.combinators; { subdomains = rec { "*".A = [ myLib.globals.routerPublicIPv4 ]; - ns.A = [ myLib.globals.routerPublicIPv4 ]; + ns = host myLib.globals.routerPublicIPv4 myLib.globals.bind9Ipv6; ns1 = ns; ns2 = ns; diff --git a/kubenix-modules/metallb.nix b/kubenix-modules/metallb.nix index 5988636..4adc926 100644 --- a/kubenix-modules/metallb.nix +++ b/kubenix-modules/metallb.nix 
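Review bot: Publishing 53/TCP through `bind9-tcp` on both `bind9IPv4` and the globally routable `bind9Ipv6` also exposes zone transfers, which run over TCP, and nothing in this hunk shows how `named.conf` limits them. As far as I know, BIND 9.18 allows transfers to any client when `allow-transfer` is unset. The mounted config should therefore carry `allow-transfer { none; };` (or an explicit list of secondaries) and `recursion no;` for an authoritative-only server. A comment above the service, such as `# TCP/53 carries AXFR; named.conf must restrict allow-transfer`, would record that dependency next to the exposure. The surrounding resource set starts and ends outside the hunk.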
@@ -1,7 +1,7 @@ # TODO: These resources should probably exist within the kube-system namespace. { kubernetes.resources = { - ipAddressPools.main.spec.addresses = [ "192.168.30.128-192.168.30.200" ]; + ipAddressPools.main.spec.addresses = [ "192.168.30.128-192.168.30.200" "2a0d:6e00:1a77:30::2-2a0d:6e00:1a77:30:ffff:ffff:ffff:fffe" ]; l2Advertisements.main.metadata = { }; }; } diff --git a/machines/atlas.nix b/machines/atlas.nix index d9fc33b..34f146e 100644 --- a/machines/atlas.nix +++ b/machines/atlas.nix @@ -10,6 +10,7 @@ k3s = { enable = true; + role = "agent"; serverAddr = "https://jefke.dmz:6443"; }; }; diff --git a/machines/jefke.nix b/machines/jefke.nix index b5c194b..d2df75c 100644 --- a/machines/jefke.nix +++ b/machines/jefke.nix @@ -8,7 +8,10 @@ dataPartition = "/dev/nvme0n1p1"; }; - k3s.enable = true; + k3s = { + enable = true; + clusterInit = true; + }; }; }; } diff --git a/my-lib/globals.nix b/my-lib/globals.nix index 25dcc2f..e070cc1 100644 --- a/my-lib/globals.nix +++ b/my-lib/globals.nix @@ -4,6 +4,7 @@ minecraftIPv4 = "192.168.30.136"; dnsmasqIPv4 = "192.168.30.135"; bind9IPv4 = "192.168.30.134"; + bind9Ipv6 = "2a0d:6e00:1a77:30::134"; bittorrentIPv4 = "192.168.30.133"; gitIPv4 = "192.168.30.132"; piholeIPv4 = "192.168.30.131"; diff --git a/nixos-modules/k3s/default.nix b/nixos-modules/k3s/default.nix index 40db8bc..b9e94fb 100644 --- a/nixos-modules/k3s/default.nix +++ b/nixos-modules/k3s/default.nix @@ -10,6 +10,22 @@ in { ''; }; + role = lib.mkOption { + default = "server"; + type = lib.types.str; + description = '' + Whether to run k3s as a server or an agent. + ''; + }; + + clusterInit = lib.mkOption { + default = false; + type = lib.types.bool; + description = '' + Whether this node should initialize the K8s cluster. + ''; + }; + serverAddr = lib.mkOption { default = null; type = with lib.types; nullOr str; 
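Review bot: The IPv6 range added to `ipAddressPools.main` hands MetalLB almost the whole of `2a0d:6e00:1a77:30::/64`, which is globally routable. Any Service that requests IPv6 or dual-stack can therefore be auto-assigned an address reachable from the internet, without the router-side forwarding step that presumably gates the `192.168.30.x` range. The range may also overlap host or SLAAC addresses on that segment, and `l2Advertisements.main` will answer for whatever gets allocated. A small dedicated range in its own pool with `autoAssign = false` would make public exposure opt-in per service, e.g. `ipAddressPools.public-v6.spec = { addresses = [ "<small v6 range, placeholder>" ]; autoAssign = false; };`.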
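Review bot: The new global in `my-lib/globals.nix` is spelled `bind9Ipv6` while every neighbouring entry uses the `…IPv4` casing (`bind9IPv4`, `dnsmasqIPv4`), so the two address families of the same service differ by capitalisation only. Naming it `bind9IPv6` keeps the pattern predictable for later IPv6 entries and avoids a mistyped attribute when it is interpolated into the MetalLB annotation. The references in `bind9/default.nix` and `kun.is.zone.nix` would need the same rename.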
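Review bot: In `nixos-modules/k3s/default.nix` the `role` option is typed as `lib.types.str`, yet the module later branches on `cfg.role == "server"` to decide whether the server flags, the bootstrap manifest and the CA keys are installed. A misspelt value is accepted by this option and silently selects the non-server path. `type = lib.types.enum [ "server" "agent" ];` rejects anything else at evaluation time and documents the allowed values. The options block continues outside the hunk.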
@@ -28,29 +44,76 @@ in { firewall.enable = lib.mkForce false; }; - services.k3s = { - enable = true; - role = "server"; - tokenFile = config.age.secrets.k3s-server-token.path; - extraFlags = "--tls-san ${config.networking.fqdn} --disable servicelb"; - clusterInit = cfg.serverAddr == null; - serverAddr = lib.mkIf (! (cfg.serverAddr == null)) cfg.serverAddr; + services.k3s = + let + serverFlags = "--tls-san ${config.networking.fqdn} --disable servicelb --cluster-cidr=10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112"; + in + { + enable = true; + role = cfg.role; + tokenFile = config.age.secrets.k3s-server-token.path; + extraFlags = lib.mkIf (cfg.role == "server") serverFlags; + clusterInit = cfg.clusterInit; + serverAddr = lib.mkIf (! (cfg.serverAddr == null)) cfg.serverAddr; + }; + + system = lib.mkIf (cfg.role == "server") { + activationScripts = { + k3s-bootstrap.text = ( + let + k3sBootstrapFile = (kubenix.evalModules.x86_64-linux { + module = import ./bootstrap.nix; + }).config.kubernetes.result; + in + '' + mkdir -p /var/lib/rancher/k3s/server/manifests + ln -sf ${k3sBootstrapFile} /var/lib/rancher/k3s/server/manifests/k3s-bootstrap.json + '' + ); + + k3s-certs.text = '' + mkdir -p /var/lib/rancher/k3s/server/tls/etcd + ln -sf ${./k3s-ca/server-ca.crt} /var/lib/rancher/k3s/server/tls/server-ca.crt + ln -sf ${./k3s-ca/client-ca.crt} /var/lib/rancher/k3s/server/tls/client-ca.crt + ln -sf ${./k3s-ca/request-header-ca.crt} /var/lib/rancher/k3s/server/tls/request-header-ca.crt + ln -sf ${./k3s-ca/etcd/peer-ca.crt} /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt + ln -sf ${./k3s-ca/etcd/server-ca.crt} /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt + ''; + }; }; - system = lib.mkIf (cfg.serverAddr == null) { - activationScripts.k3s-bootstrap.text = ( - let - k3sBootstrapFile = (kubenix.evalModules.x86_64-linux { - module = import ./bootstrap.nix; - }).config.kubernetes.result; - in - '' - mkdir -p /var/lib/rancher/k3s/server/manifests 
- ln -sf ${k3sBootstrapFile} /var/lib/rancher/k3s/server/manifests/k3s-bootstrap.json - '' - ); - }; + age.secrets = { + k3s-server-token.file = ../../secrets/k3s-server-token.age; - age.secrets.k3s-server-token.file = ../../secrets/k3s-server-token.age; + k3s-server-ca-key = lib.mkIf (cfg.role == "server") { + file = ../../secrets/k3s-ca/server-ca.key.age; + path = "/var/lib/rancher/k3s/server/tls/server-ca.key"; + }; + + k3s-client-ca-key = lib.mkIf (cfg.role == "server") { + file = ../../secrets/k3s-ca/client-ca.key.age; + path = "/var/lib/rancher/k3s/server/tls/client-ca.key"; + }; + + k3s-request-header-ca-key = lib.mkIf (cfg.role == "server") { + file = ../../secrets/k3s-ca/request-header-ca.key.age; + path = "/var/lib/rancher/k3s/server/tls/request-header-ca.key"; + }; + + k3s-etcd-peer-ca-key = lib.mkIf (cfg.role == "server") { + file = ../../secrets/k3s-ca/etcd/peer-ca.key.age; + path = "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.key"; + }; + + k3s-etcd-server-ca-key = lib.mkIf (cfg.role == "server") { + file = ../../secrets/k3s-ca/etcd/server-ca.key.age; + path = "/var/lib/rancher/k3s/server/tls/etcd/server-ca.key"; + }; + + k3s-service-key = lib.mkIf (cfg.role == "server") { + file = ../../secrets/k3s-ca/service.key.age; + path = "/var/lib/rancher/k3s/server/tls/service.key"; + }; + }; }; } diff --git a/nixos-modules/k3s/k3s-ca/client-ca.crt b/nixos-modules/k3s/k3s-ca/client-ca.crt new file mode 100644 index 0000000..cbcfa74 --- /dev/null +++ b/nixos-modules/k3s/k3s-ca/client-ca.crt 
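Review bot: `tokenFile` still points at `k3s-server-token` for every role, so a node configured with `role = "agent"` holds the same join secret that admits a machine as a control-plane server. k3s supports a separate agent join secret (`--agent-token` / `--agent-token-file` on the server). Giving agents their own age secret (placeholder name `k3s-agent-token`) and selecting it when `cfg.role == "agent"` would keep a compromised worker from obtaining server-join credentials. Whether `secrets/secrets.nix` already limits recipients per host is not visible here. The CA keys are correctly scoped to `cfg.role == "server"`, and a one-line comment on the `age.secrets` block saying why would help the next reader.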
@@ -0,0 +1,81 @@ +-----BEGIN CERTIFICATE----- +MIIDZjCCAU6gAwIBAgIIK1UyUU0zJ3cwDQYJKoZIhvcNAQELBQAwKTEnMCUGA1UE +AwweazNzLWludGVybWVkaWF0ZS1jYUAxNzE1MjU3ODEzMB4XDTI0MDUwOTEyMzAy +MFoXDTQ0MDEyNTEyMzAyMFowIzEhMB8GA1UEAwwYazNzLWNsaWVudC1jYUAxNzE1 +MjU3ODEzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBB8Y6sNAW10pxocoKo71 +BTJXo7gwFSxotKxht5rinAmpvVEZnRlIDcjtdRZ0mqTT3I8SXrhGtWjdTP37cmM1 +/KNjMGEwHQYDVR0OBBYEFA0aYftOY6QKQhCiWi2U3JEkGfqJMB8GA1UdIwQYMBaA +FPr9VQZaChg8JC0u+mpfJyqQvjdiMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/ +BAQDAgKkMA0GCSqGSIb3DQEBCwUAA4ICAQDDGSh4gVbI5zjCrHn4yFt/XdGq1MML +8wJf2UvRCddQULwhuWae21P5i6cGks3v3Yqd9h+uZJ2JKl6heChuq1/vZBQ9Y31G +LuRvaGdJnzgu2S1UQMUbkc39lgJf8j20XMK4NsIOP1N3rU5i5htEzjMsi9MtiabO +yjC9fzYXVW0j5uTi14swYG9ESKPJ7WQ1nETWWRiBrs4IlPRq3jIVOJTBAHxWjMtg +96zfvqK+jgH+rx3QolwiwV7ai0D1RbCvGoOhkoQcy506SztdlNRXfGpAbcXFJ+uP +esw9xLilIjF4o42Ga9uizBGjbk/gyN4r4lZ6ojSXGKDczcQxM6i2bGRvn96KbK/R +o0gbsb56niVt1ZQDCuYdOs3B9JlrQeZaeCUypx/UbAoYnVy1FECj0OcPDI69Es60 +wHjyp3EAOTJ/gSiUhdvDjwUYT2klP0d+GvsXWbPAcqJJJS8SuVhXIZZfZW5e7Cbn ++TwO3omtxg6b7Wh7QWTUajWtmLjFSoP0MlOp56u9U5R0rfNDG5mrV4gCh0QTNyzt ++CEIC8fHDUUDAphJnirYLZszzmg14vNQUR2gm3T9/j7XYHtmzrWA7eT2pk6h1HQz +yJwoW2EsGyT6GELjztXQN+lWlBqW05cedkMsGnfym2A4Y06MaUwjNmTA3kiAoUUr +Z6PMef1lNVlmUA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFLzCCAxegAwIBAgIIK1UyUU0zJ3YwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UE +AwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkxMjMwMjBaFw00NDAx +MjUxMjMwMjBaMCkxJzAlBgNVBAMMHmszcy1pbnRlcm1lZGlhdGUtY2FAMTcxNTI1 +NzgxMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMZQkDW8ULwu2iUP +ZeXf+v3alHj6MQioEebJqe8ZaCFwyzQuz6VgyJIkxc0qUtvAuan2WVek22+EqLnk +uQfmEgsfuWwHt8n69SGMqZ3SA+sH5eZt+KTGEWUNzyIFZumtNgsRkeJmF+oX5QQ4 +yVWqclLrEaYkfPAr0+pf5CPugY51G8v4ezuYU4wFPjXfja4ewZj9Otpmn+X/18OS +TkSMfKG6SoY6hQPoq0rqe/C9BdilWX79C6+2Hw3fs+jzXWPaq7hkRjYEzzBPSzNW +aDl4lYQi/70wZYC85LC0J0VW0NrbrgmxieMmATnTuQAb3Ud4iQGGlqUUV7pgJO/A +vywHNR+V6xyBV2riHloy50jVkQ2ecbdqYlWn89S2Yanca/DvEYm1URWroDvhtTsm 
+3QPHC/Y5B04+qBaGZif7PayvRWE1WM5h130jpeTEGRRhQ7e1hM+0rvP8gyBEMiFE +HhyYGFBJ4SmZu5kbSGVQNXwS9/F9Tm47yEFEKuMQ0eFw5OASVXX4sglT/5kn8/h0 +N6EyrFMgXAo4wyCJ/m3q8ngG9VLcz+vcbSBMtt8cWxs5LyhDvK06oPsy+aGq74Pb +ripTJHysnueCqG51jC/My/vL1TAXQH8kAsz2hHFnqi5LqvY2dpeHqPa4N/9oi7i5 +IN7hw1+9kD5zO6mYMnaEQnEiYLVRAgMBAAGjYzBhMB0GA1UdDgQWBBT6/VUGWgoY +PCQtLvpqXycqkL43YjAfBgNVHSMEGDAWgBTLIkPmeEX9fvysxUa/HvlxbPKG2TAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQsFAAOC +AgEAE4Z9is2j6K6Kk7BvDbDjW83Gew7TIIP8kTC0jZIu1loV2K8YOnmhKjer7XN5 +VpcABZ2GOzKw0syN+Z+l54az/dnp1m81MlFhUoZCiNdIDjNwSOJuF/PuBszpODcy +P6LapwD52T0WH7HyUC1Grm84Bvmzwf87rpt29PBgRyt1ZPRgOCD96RvCH9v8/jWx +KkxrtjYpsje7SIagepWEsu4w+ZXMSCsJejj4bqH/mFpkUNGDSu+kgiHh2RXHSqTx +W1ZLHoz243vFyv1wrH1hFpZfEaOxa17zGEn8kdOXcRqkPMOEokKVrbjmv334SeE6 +36eWyFtcbrFLWES6wKw4/KLWEzBAuGWz+ujoy9G7ahpylJGTMk74+/njqLbgrOcR +dQom/UAoynkUY+U0Rj7bW1rYpxcjimpTPGyXsJ9AGz4nYtOwQEpQ441/nPxH6hAY +i7tODC4YSbP+HH8aGIkb+oSMExVnHLeypjUcbQWPLQ940p0bLIUu378yl62N9dOC +1JYW68PslezrIN/YViAF9aW7CxxI9mJQeGZlO8+4gpUTLkHX7vLws9GK2giCbvEY +JXnrtd3C2sY8BmP5Ps6hQKd//NyT0D+mIhOmoNXaTufvWSdRdWjgClcdNtEqk88E +XPWn6g0sW7r1usZQCms+bDSmO88ZZ0SDOg+Yw76pBHRAkAo= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFMzCCAxugAwIBAgIUVmq/U/xnr7TE0GqtUK9fdm6ClgAwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkx +MjMwMThaFw00NDA1MDQxMjMwMThaMCExHzAdBgNVBAMMFmszcy1yb290LWNhQDE3 +MTUyNTc4MTMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAcIqRzsAP +tWnAxd3nkSyVutRe1gYGe4cqYExgwn6JLi34/ENZ8PTkUTA7crZ9okm66vn8Wcot +RCIrIQV/4FoQBKnTQgCv0TRaA59TyvLiES1W9EaFOpggrIz5TKx06DN+UhxhEOeQ +OaYpBfigVzODv3qw5+7V10a/9QErpy4PDv915zAO3fu6n/9Y3OJxpzb3vVwfQpLd +6vMl4o13gZq3Tp17DJ3pbs3RT1TMYiECCLEhuEgML9dXVFdW5HNcdiGx9mepzwcw +qyrlD4BufIJ9K6PPu3Ppp1311y0acvTLgYuRUBl9qOlrsMv0rS/7XcNEG6b9Vg+T +1s38y9FJIbtIwvLBlKPonfMatem2bkGcijlf7LHlkDmCd0GLsQtvklwzGPPa2lg9 +bCB909ivzRWtSW1ba0kLaQUbCJG7yRH/nqE+fA72IlUzxN01AvXUFtq7Hi3cw2Yc 
+zyyVk8IRRJLYq9EjFy8+14e1QAWCP4M4RbGLSRb53aVcOWm22KFyczaDg+NnnHtB +ASS6ODfYEeAujVj7tq90IPspT6ewPaZ91qRSanr2lABkEEEaX58ErQ6G2g4yuQLQ +8pzXX9v1crCIWGsclx77a5CV599loKcZOIIxT4e1u7Dhy0EQD0yX1tru3XaVkdP/ +TyidJLH2GS5MJ1vLuY7ezrocZJUrkSZOIwIDAQABo2MwYTAdBgNVHQ4EFgQUyyJD +5nhF/X78rMVGvx75cWzyhtkwHwYDVR0jBBgwFoAUyyJD5nhF/X78rMVGvx75cWzy +htkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQEL +BQADggIBAEM7KOB7myKORjA+smmMHXeHrfWMtS5R1mlp+JFeEZaMks6ktsicynRQ +PdD49F8Kk35XtB97sfNeM0/csIngq9ES0xhRvDbfEq68edFUUD/WpyPYIFjd1MGf +MiIbOYZSVG60xOJSFgE7f+ymK6XTwd61PRojNyIvb+2lVASKT//aWMlHU1ox+2rx +kihi0YJHH8yKhFyps4oJQyW7f+0NFfy2rknvLP55EIKiLCFPHmh636vx+bJ8AbUY +j96VEN96KqZE6YTygqHmYz5n/Vl9FibOBN1hQmHwyBy6mJI8Q0RxS4PMsxSEwKoE +H5RdpAdYPF4F23gsN0rbIFzEmgwXMnJkKPgGEIMniTHcKIEjSPTPnLWScQynqRu0 +jpNXpgJ9N22sRFAzJWAaB+67YSwymClOzzAe18A7lwBrQRFZldR+GYjpywBNVI0R +G8WVmyOcQCqNeycwED+z2UvRJcGR1yxkZFDhJjcV/kLbvQQj9zNRpS8cEHWyqXZ0 +RYqQMvYebLwydDkmZ9e73NaJPFTtWciFUzzxfDid9Ql6C1sMFURl4XxBthUXNH6+ +09T9IIivtoyHV+EWPo/9yr3cO+4B18PXJv3vlmFf1PGOGjpzNLnOxiPU+fDEmAhm +KasQJscK9c2FT6/6XnJjdOnyvgTBlLM7UrZ+9M0icf8vQSVjDudq +-----END CERTIFICATE----- diff --git a/nixos-modules/k3s/k3s-ca/etcd/peer-ca.crt b/nixos-modules/k3s/k3s-ca/etcd/peer-ca.crt new file mode 100644 index 0000000..0c44c46 --- /dev/null +++ b/nixos-modules/k3s/k3s-ca/etcd/peer-ca.crt 
@@ -0,0 +1,81 @@ +-----BEGIN CERTIFICATE----- +MIIDaTCCAVGgAwIBAgIIK1UyUU0zJ3owDQYJKoZIhvcNAQELBQAwKTEnMCUGA1UE +AwweazNzLWludGVybWVkaWF0ZS1jYUAxNzE1MjU3ODEzMB4XDTI0MDUwOTEyMzAy +MFoXDTQ0MDEyNTEyMzAyMFowJjEkMCIGA1UEAwwbazNzLWV0Y2QtcGVlci1jYUAx +NzE1MjU3ODEzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnl/F0abKbhtunsAE +gFB/NapdHORdwEku2AlLLFZuBTWTm7bDPV6aL/QrSlqKOscrh0WqCJMAy+OrC3Uz +MgKgQKNjMGEwHQYDVR0OBBYEFH8weUS7ylk6JshWGj/UTH3vt/L6MB8GA1UdIwQY +MBaAFPr9VQZaChg8JC0u+mpfJyqQvjdiMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P +AQH/BAQDAgKkMA0GCSqGSIb3DQEBCwUAA4ICAQASumDCrfrfm9AAjCou3V1YEbZA +bM20GyWfFHIWzZOtCyKJQt0oOr2tXXv8RwsG0qWeVU7C0CeGUEhF8IFe/O01idWT +wv8Fiatugen6gx2ufawyEv4ATW3tPAizt+r4eZz0euYntGevPx2iM1R5xEcaNj01 +kRiydyeP/m1C+uEXTCemIcP0vC67UE5OFBntjub7+K5h+iFApt/3MpdAW51GSDZn +t+EgaMa98ozHhTRWpA0QlmbDzQLX8hIALvFvzqyJcUHSoVeJEo0J25IXi7mJKQP3 +kTG/1WjEXlZ2LUfWtBRlhfgxjdupLTULdOpHY3E0Zl5K7gBvDayMcrdcGNIgJ0iJ +qMRfB30Qwa1Hypgio5GOi4aOEyE3dNQke+M8UtI1oMXCyPeLTBMoc7rzZii0AnwD +5IuT4Uwx8SMHBuBPlU6TVe4UsChaw+k7kPDAWJ9yULW4x4o/zHQB/opjWMSpQqc0 +nrBfFEhgFyUbwYnGutfEczwhxPlDhdICKPK2bO5dh6LEPohvmoXVks6Dp98Ha371 +61/1ZLsMqO8spMrzlkONdSjZmoyFSIWiUivzXcnGVyiuSqYEbRokgoKg1mv61c3x +lcw7ChGafWws1odaHV0A6nXf7G5+K3I6wnKW5601GwrAiQVgEba8x290WWun4k8d +USo2/Dqkd9+wVScQHw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFLzCCAxegAwIBAgIIK1UyUU0zJ3YwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UE +AwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkxMjMwMjBaFw00NDAx +MjUxMjMwMjBaMCkxJzAlBgNVBAMMHmszcy1pbnRlcm1lZGlhdGUtY2FAMTcxNTI1 +NzgxMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMZQkDW8ULwu2iUP +ZeXf+v3alHj6MQioEebJqe8ZaCFwyzQuz6VgyJIkxc0qUtvAuan2WVek22+EqLnk +uQfmEgsfuWwHt8n69SGMqZ3SA+sH5eZt+KTGEWUNzyIFZumtNgsRkeJmF+oX5QQ4 +yVWqclLrEaYkfPAr0+pf5CPugY51G8v4ezuYU4wFPjXfja4ewZj9Otpmn+X/18OS +TkSMfKG6SoY6hQPoq0rqe/C9BdilWX79C6+2Hw3fs+jzXWPaq7hkRjYEzzBPSzNW +aDl4lYQi/70wZYC85LC0J0VW0NrbrgmxieMmATnTuQAb3Ud4iQGGlqUUV7pgJO/A +vywHNR+V6xyBV2riHloy50jVkQ2ecbdqYlWn89S2Yanca/DvEYm1URWroDvhtTsm 
+3QPHC/Y5B04+qBaGZif7PayvRWE1WM5h130jpeTEGRRhQ7e1hM+0rvP8gyBEMiFE +HhyYGFBJ4SmZu5kbSGVQNXwS9/F9Tm47yEFEKuMQ0eFw5OASVXX4sglT/5kn8/h0 +N6EyrFMgXAo4wyCJ/m3q8ngG9VLcz+vcbSBMtt8cWxs5LyhDvK06oPsy+aGq74Pb +ripTJHysnueCqG51jC/My/vL1TAXQH8kAsz2hHFnqi5LqvY2dpeHqPa4N/9oi7i5 +IN7hw1+9kD5zO6mYMnaEQnEiYLVRAgMBAAGjYzBhMB0GA1UdDgQWBBT6/VUGWgoY +PCQtLvpqXycqkL43YjAfBgNVHSMEGDAWgBTLIkPmeEX9fvysxUa/HvlxbPKG2TAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQsFAAOC +AgEAE4Z9is2j6K6Kk7BvDbDjW83Gew7TIIP8kTC0jZIu1loV2K8YOnmhKjer7XN5 +VpcABZ2GOzKw0syN+Z+l54az/dnp1m81MlFhUoZCiNdIDjNwSOJuF/PuBszpODcy +P6LapwD52T0WH7HyUC1Grm84Bvmzwf87rpt29PBgRyt1ZPRgOCD96RvCH9v8/jWx +KkxrtjYpsje7SIagepWEsu4w+ZXMSCsJejj4bqH/mFpkUNGDSu+kgiHh2RXHSqTx +W1ZLHoz243vFyv1wrH1hFpZfEaOxa17zGEn8kdOXcRqkPMOEokKVrbjmv334SeE6 +36eWyFtcbrFLWES6wKw4/KLWEzBAuGWz+ujoy9G7ahpylJGTMk74+/njqLbgrOcR +dQom/UAoynkUY+U0Rj7bW1rYpxcjimpTPGyXsJ9AGz4nYtOwQEpQ441/nPxH6hAY +i7tODC4YSbP+HH8aGIkb+oSMExVnHLeypjUcbQWPLQ940p0bLIUu378yl62N9dOC +1JYW68PslezrIN/YViAF9aW7CxxI9mJQeGZlO8+4gpUTLkHX7vLws9GK2giCbvEY +JXnrtd3C2sY8BmP5Ps6hQKd//NyT0D+mIhOmoNXaTufvWSdRdWjgClcdNtEqk88E +XPWn6g0sW7r1usZQCms+bDSmO88ZZ0SDOg+Yw76pBHRAkAo= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFMzCCAxugAwIBAgIUVmq/U/xnr7TE0GqtUK9fdm6ClgAwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkx +MjMwMThaFw00NDA1MDQxMjMwMThaMCExHzAdBgNVBAMMFmszcy1yb290LWNhQDE3 +MTUyNTc4MTMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAcIqRzsAP +tWnAxd3nkSyVutRe1gYGe4cqYExgwn6JLi34/ENZ8PTkUTA7crZ9okm66vn8Wcot +RCIrIQV/4FoQBKnTQgCv0TRaA59TyvLiES1W9EaFOpggrIz5TKx06DN+UhxhEOeQ +OaYpBfigVzODv3qw5+7V10a/9QErpy4PDv915zAO3fu6n/9Y3OJxpzb3vVwfQpLd +6vMl4o13gZq3Tp17DJ3pbs3RT1TMYiECCLEhuEgML9dXVFdW5HNcdiGx9mepzwcw +qyrlD4BufIJ9K6PPu3Ppp1311y0acvTLgYuRUBl9qOlrsMv0rS/7XcNEG6b9Vg+T +1s38y9FJIbtIwvLBlKPonfMatem2bkGcijlf7LHlkDmCd0GLsQtvklwzGPPa2lg9 +bCB909ivzRWtSW1ba0kLaQUbCJG7yRH/nqE+fA72IlUzxN01AvXUFtq7Hi3cw2Yc 
+zyyVk8IRRJLYq9EjFy8+14e1QAWCP4M4RbGLSRb53aVcOWm22KFyczaDg+NnnHtB +ASS6ODfYEeAujVj7tq90IPspT6ewPaZ91qRSanr2lABkEEEaX58ErQ6G2g4yuQLQ +8pzXX9v1crCIWGsclx77a5CV599loKcZOIIxT4e1u7Dhy0EQD0yX1tru3XaVkdP/ +TyidJLH2GS5MJ1vLuY7ezrocZJUrkSZOIwIDAQABo2MwYTAdBgNVHQ4EFgQUyyJD +5nhF/X78rMVGvx75cWzyhtkwHwYDVR0jBBgwFoAUyyJD5nhF/X78rMVGvx75cWzy +htkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQEL +BQADggIBAEM7KOB7myKORjA+smmMHXeHrfWMtS5R1mlp+JFeEZaMks6ktsicynRQ +PdD49F8Kk35XtB97sfNeM0/csIngq9ES0xhRvDbfEq68edFUUD/WpyPYIFjd1MGf +MiIbOYZSVG60xOJSFgE7f+ymK6XTwd61PRojNyIvb+2lVASKT//aWMlHU1ox+2rx +kihi0YJHH8yKhFyps4oJQyW7f+0NFfy2rknvLP55EIKiLCFPHmh636vx+bJ8AbUY +j96VEN96KqZE6YTygqHmYz5n/Vl9FibOBN1hQmHwyBy6mJI8Q0RxS4PMsxSEwKoE +H5RdpAdYPF4F23gsN0rbIFzEmgwXMnJkKPgGEIMniTHcKIEjSPTPnLWScQynqRu0 +jpNXpgJ9N22sRFAzJWAaB+67YSwymClOzzAe18A7lwBrQRFZldR+GYjpywBNVI0R +G8WVmyOcQCqNeycwED+z2UvRJcGR1yxkZFDhJjcV/kLbvQQj9zNRpS8cEHWyqXZ0 +RYqQMvYebLwydDkmZ9e73NaJPFTtWciFUzzxfDid9Ql6C1sMFURl4XxBthUXNH6+ +09T9IIivtoyHV+EWPo/9yr3cO+4B18PXJv3vlmFf1PGOGjpzNLnOxiPU+fDEmAhm +KasQJscK9c2FT6/6XnJjdOnyvgTBlLM7UrZ+9M0icf8vQSVjDudq +-----END CERTIFICATE----- diff --git a/nixos-modules/k3s/k3s-ca/etcd/server-ca.crt b/nixos-modules/k3s/k3s-ca/etcd/server-ca.crt new file mode 100644 index 0000000..bc0b6ef --- /dev/null +++ b/nixos-modules/k3s/k3s-ca/etcd/server-ca.crt 
@@ -0,0 +1,81 @@ +-----BEGIN CERTIFICATE----- +MIIDazCCAVOgAwIBAgIIK1UyUU0zJ3swDQYJKoZIhvcNAQELBQAwKTEnMCUGA1UE +AwweazNzLWludGVybWVkaWF0ZS1jYUAxNzE1MjU3ODEzMB4XDTI0MDUwOTEyMzAy +MFoXDTQ0MDEyNTEyMzAyMFowKDEmMCQGA1UEAwwdazNzLWV0Y2Qtc2VydmVyLWNh +QDE3MTUyNTc4MTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARjDMY4U81p+y3C +k+g4MloNceEQ0+TKbnGc0xlGmJBXXKqB6zrolIdv/J9GABZ9eIUGEs8Xw0E4VEPM +l2iFGyoOo2MwYTAdBgNVHQ4EFgQUm/3f0yXxqbgLmU4a+H2QMavLUX0wHwYDVR0j +BBgwFoAU+v1VBloKGDwkLS76al8nKpC+N2IwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +HQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQELBQADggIBADcxOaGyetgWEqo5BqNZd9X6 +6Lj3rJZTYBmAJeISscG/Dwnv0MmRWw911zmRhikEu8jmLiGMQZUwFD1KoJ6Z/D2M +0Iqk87Ur4aS+mw2Yc60QatkZ2D1XBhrzk3gMaCtWMQBRiexA4qvaw8qlDkDR2eW9 +wyks+WsD6Am1Vb/9k7fIfDR1KkScpl07fAMil73URy+KNDZ6r8hW3xZulvZd5IWp +g2px4A+i4eUbevBU1xljpXjP5lrEqoApk5YQDlHHKARszWlQC9PbvyiRRn8dH69m +mC0cdt5tSWWT49bCRtfigoejeFr8SaYzDuvR4Wb31CgbH+qVZADfgggE1N6pQCsY +w+b8xvoZGAcKEWAlX3J159Rc1mV9HRCEzaGEt5kgJuPFyJUXCjQzrKTADOawFxGb +IYeKcmUJuJG0yDkYb5lNa5fv02PAqXVM+Wz+YpFryHRphKt/gGLlhg1HyqnLVowi +UhlRyPLj9XG8PH1ZRVF6/havkg9H78voMXdFMcotIF34wSP5k/wsDjmgsvuLUIek +ryImLiMuJT5sTM/xVdLT2B9cJrFz4XIAFV209PvIldDDp1ySsh7Tz8fWHdCjvd5o +8FTAcyBW72mpS5WP+FUnq0mgpHp9HrLCC3q4AQ7juJszD1PExGNW710rjMHlnrrF +w4VKyOziEAxsiuA390Ds +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFLzCCAxegAwIBAgIIK1UyUU0zJ3YwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UE +AwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkxMjMwMjBaFw00NDAx +MjUxMjMwMjBaMCkxJzAlBgNVBAMMHmszcy1pbnRlcm1lZGlhdGUtY2FAMTcxNTI1 +NzgxMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMZQkDW8ULwu2iUP +ZeXf+v3alHj6MQioEebJqe8ZaCFwyzQuz6VgyJIkxc0qUtvAuan2WVek22+EqLnk +uQfmEgsfuWwHt8n69SGMqZ3SA+sH5eZt+KTGEWUNzyIFZumtNgsRkeJmF+oX5QQ4 +yVWqclLrEaYkfPAr0+pf5CPugY51G8v4ezuYU4wFPjXfja4ewZj9Otpmn+X/18OS +TkSMfKG6SoY6hQPoq0rqe/C9BdilWX79C6+2Hw3fs+jzXWPaq7hkRjYEzzBPSzNW +aDl4lYQi/70wZYC85LC0J0VW0NrbrgmxieMmATnTuQAb3Ud4iQGGlqUUV7pgJO/A +vywHNR+V6xyBV2riHloy50jVkQ2ecbdqYlWn89S2Yanca/DvEYm1URWroDvhtTsm 
+3QPHC/Y5B04+qBaGZif7PayvRWE1WM5h130jpeTEGRRhQ7e1hM+0rvP8gyBEMiFE +HhyYGFBJ4SmZu5kbSGVQNXwS9/F9Tm47yEFEKuMQ0eFw5OASVXX4sglT/5kn8/h0 +N6EyrFMgXAo4wyCJ/m3q8ngG9VLcz+vcbSBMtt8cWxs5LyhDvK06oPsy+aGq74Pb +ripTJHysnueCqG51jC/My/vL1TAXQH8kAsz2hHFnqi5LqvY2dpeHqPa4N/9oi7i5 +IN7hw1+9kD5zO6mYMnaEQnEiYLVRAgMBAAGjYzBhMB0GA1UdDgQWBBT6/VUGWgoY +PCQtLvpqXycqkL43YjAfBgNVHSMEGDAWgBTLIkPmeEX9fvysxUa/HvlxbPKG2TAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQsFAAOC +AgEAE4Z9is2j6K6Kk7BvDbDjW83Gew7TIIP8kTC0jZIu1loV2K8YOnmhKjer7XN5 +VpcABZ2GOzKw0syN+Z+l54az/dnp1m81MlFhUoZCiNdIDjNwSOJuF/PuBszpODcy +P6LapwD52T0WH7HyUC1Grm84Bvmzwf87rpt29PBgRyt1ZPRgOCD96RvCH9v8/jWx +KkxrtjYpsje7SIagepWEsu4w+ZXMSCsJejj4bqH/mFpkUNGDSu+kgiHh2RXHSqTx +W1ZLHoz243vFyv1wrH1hFpZfEaOxa17zGEn8kdOXcRqkPMOEokKVrbjmv334SeE6 +36eWyFtcbrFLWES6wKw4/KLWEzBAuGWz+ujoy9G7ahpylJGTMk74+/njqLbgrOcR +dQom/UAoynkUY+U0Rj7bW1rYpxcjimpTPGyXsJ9AGz4nYtOwQEpQ441/nPxH6hAY +i7tODC4YSbP+HH8aGIkb+oSMExVnHLeypjUcbQWPLQ940p0bLIUu378yl62N9dOC +1JYW68PslezrIN/YViAF9aW7CxxI9mJQeGZlO8+4gpUTLkHX7vLws9GK2giCbvEY +JXnrtd3C2sY8BmP5Ps6hQKd//NyT0D+mIhOmoNXaTufvWSdRdWjgClcdNtEqk88E +XPWn6g0sW7r1usZQCms+bDSmO88ZZ0SDOg+Yw76pBHRAkAo= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFMzCCAxugAwIBAgIUVmq/U/xnr7TE0GqtUK9fdm6ClgAwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkx +MjMwMThaFw00NDA1MDQxMjMwMThaMCExHzAdBgNVBAMMFmszcy1yb290LWNhQDE3 +MTUyNTc4MTMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAcIqRzsAP +tWnAxd3nkSyVutRe1gYGe4cqYExgwn6JLi34/ENZ8PTkUTA7crZ9okm66vn8Wcot +RCIrIQV/4FoQBKnTQgCv0TRaA59TyvLiES1W9EaFOpggrIz5TKx06DN+UhxhEOeQ +OaYpBfigVzODv3qw5+7V10a/9QErpy4PDv915zAO3fu6n/9Y3OJxpzb3vVwfQpLd +6vMl4o13gZq3Tp17DJ3pbs3RT1TMYiECCLEhuEgML9dXVFdW5HNcdiGx9mepzwcw +qyrlD4BufIJ9K6PPu3Ppp1311y0acvTLgYuRUBl9qOlrsMv0rS/7XcNEG6b9Vg+T +1s38y9FJIbtIwvLBlKPonfMatem2bkGcijlf7LHlkDmCd0GLsQtvklwzGPPa2lg9 +bCB909ivzRWtSW1ba0kLaQUbCJG7yRH/nqE+fA72IlUzxN01AvXUFtq7Hi3cw2Yc 
+zyyVk8IRRJLYq9EjFy8+14e1QAWCP4M4RbGLSRb53aVcOWm22KFyczaDg+NnnHtB +ASS6ODfYEeAujVj7tq90IPspT6ewPaZ91qRSanr2lABkEEEaX58ErQ6G2g4yuQLQ +8pzXX9v1crCIWGsclx77a5CV599loKcZOIIxT4e1u7Dhy0EQD0yX1tru3XaVkdP/ +TyidJLH2GS5MJ1vLuY7ezrocZJUrkSZOIwIDAQABo2MwYTAdBgNVHQ4EFgQUyyJD +5nhF/X78rMVGvx75cWzyhtkwHwYDVR0jBBgwFoAUyyJD5nhF/X78rMVGvx75cWzy +htkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQEL +BQADggIBAEM7KOB7myKORjA+smmMHXeHrfWMtS5R1mlp+JFeEZaMks6ktsicynRQ +PdD49F8Kk35XtB97sfNeM0/csIngq9ES0xhRvDbfEq68edFUUD/WpyPYIFjd1MGf +MiIbOYZSVG60xOJSFgE7f+ymK6XTwd61PRojNyIvb+2lVASKT//aWMlHU1ox+2rx +kihi0YJHH8yKhFyps4oJQyW7f+0NFfy2rknvLP55EIKiLCFPHmh636vx+bJ8AbUY +j96VEN96KqZE6YTygqHmYz5n/Vl9FibOBN1hQmHwyBy6mJI8Q0RxS4PMsxSEwKoE +H5RdpAdYPF4F23gsN0rbIFzEmgwXMnJkKPgGEIMniTHcKIEjSPTPnLWScQynqRu0 +jpNXpgJ9N22sRFAzJWAaB+67YSwymClOzzAe18A7lwBrQRFZldR+GYjpywBNVI0R +G8WVmyOcQCqNeycwED+z2UvRJcGR1yxkZFDhJjcV/kLbvQQj9zNRpS8cEHWyqXZ0 +RYqQMvYebLwydDkmZ9e73NaJPFTtWciFUzzxfDid9Ql6C1sMFURl4XxBthUXNH6+ +09T9IIivtoyHV+EWPo/9yr3cO+4B18PXJv3vlmFf1PGOGjpzNLnOxiPU+fDEmAhm +KasQJscK9c2FT6/6XnJjdOnyvgTBlLM7UrZ+9M0icf8vQSVjDudq +-----END CERTIFICATE----- diff --git a/nixos-modules/k3s/k3s-ca/request-header-ca.crt b/nixos-modules/k3s/k3s-ca/request-header-ca.crt new file mode 100644 index 0000000..d675729 --- /dev/null +++ b/nixos-modules/k3s/k3s-ca/request-header-ca.crt 
@@ -0,0 +1,81 @@ +-----BEGIN CERTIFICATE----- +MIIDbjCCAVagAwIBAgIIK1UyUU0zJ3kwDQYJKoZIhvcNAQELBQAwKTEnMCUGA1UE +AwweazNzLWludGVybWVkaWF0ZS1jYUAxNzE1MjU3ODEzMB4XDTI0MDUwOTEyMzAy +MFoXDTQ0MDEyNTEyMzAyMFowKzEpMCcGA1UEAwwgazNzLXJlcXVlc3QtaGVhZGVy +LWNhQDE3MTUyNTc4MTMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARAACYmLLW4 +6vaF9q1cqBefK/FQebhkwoDcuYuG597sjxQPEz8sO/yYVaNnNcVZZPqDsiF4OCOz +i9ge02pJJVXJo2MwYTAdBgNVHQ4EFgQUrVPDbR8zlHplrCIASYmcn8IrbDEwHwYD +VR0jBBgwFoAU+v1VBloKGDwkLS76al8nKpC+N2IwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQELBQADggIBABlvTQJx7B0LI95sOKjM +zul35QpHoMTJOM4IrtDVUQfRutsRVaJ8z2M/2PXY0OiP8ZURaUTR63fL1lklQOMq +xDM59mcyWTEB50+yTYZNCi0qUrxI7kiOGmsCWJ1JDcRRnXonF2htPdMUr8wIOrzR +CL/HIYObEqasmTZeBlaHMc7clLB+yROveCRG91MeC8iftu/ORoqUIMVhXuR2PEQn +mupksalzL71RdOPLdL7UQzhVaABDRD0JrWsb6F198PLWiGpslwqFumyxucgd4+Xq +lb9AB/Sac/2KJH2GEGUoUMac7tJ+BNNc1T6VQUeyKDCacNRemjKxOa58ilFGvGPK +xKuuPhaN/mdZNBI1EX1m8JbCTByP5naGB7DDsP8ekMg1jvfszU+BDZSZoBgDhMmu +7Hsu/CpS8LWDzZ0KRuBsCLTYwlA1H0rp3C2ZYc/cbBexo8oyHMisMvpzM/5NMkuT +aKCQFt3HOncNG6rTltTrFaJaH9sZJxaaR6Q+pKzTtRGpx3SabZnNQkmu2MoFTKoE +vApW1wYptjOm7k5+o0a7IcWWK8FbqGOwfTAiI+mNYkiwo+qunALY0q/MiX0c7beI +qDzvjAHEt/xuWLCVqXhCy7bsgAmiukICMVflWd1Bg5OlXHa9H6sXqE1hP74Wv2bo +kBKEUETfs+HldaQgT5ontb+T +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFLzCCAxegAwIBAgIIK1UyUU0zJ3YwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UE +AwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkxMjMwMjBaFw00NDAx +MjUxMjMwMjBaMCkxJzAlBgNVBAMMHmszcy1pbnRlcm1lZGlhdGUtY2FAMTcxNTI1 +NzgxMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMZQkDW8ULwu2iUP +ZeXf+v3alHj6MQioEebJqe8ZaCFwyzQuz6VgyJIkxc0qUtvAuan2WVek22+EqLnk +uQfmEgsfuWwHt8n69SGMqZ3SA+sH5eZt+KTGEWUNzyIFZumtNgsRkeJmF+oX5QQ4 +yVWqclLrEaYkfPAr0+pf5CPugY51G8v4ezuYU4wFPjXfja4ewZj9Otpmn+X/18OS +TkSMfKG6SoY6hQPoq0rqe/C9BdilWX79C6+2Hw3fs+jzXWPaq7hkRjYEzzBPSzNW +aDl4lYQi/70wZYC85LC0J0VW0NrbrgmxieMmATnTuQAb3Ud4iQGGlqUUV7pgJO/A +vywHNR+V6xyBV2riHloy50jVkQ2ecbdqYlWn89S2Yanca/DvEYm1URWroDvhtTsm 
+3QPHC/Y5B04+qBaGZif7PayvRWE1WM5h130jpeTEGRRhQ7e1hM+0rvP8gyBEMiFE +HhyYGFBJ4SmZu5kbSGVQNXwS9/F9Tm47yEFEKuMQ0eFw5OASVXX4sglT/5kn8/h0 +N6EyrFMgXAo4wyCJ/m3q8ngG9VLcz+vcbSBMtt8cWxs5LyhDvK06oPsy+aGq74Pb +ripTJHysnueCqG51jC/My/vL1TAXQH8kAsz2hHFnqi5LqvY2dpeHqPa4N/9oi7i5 +IN7hw1+9kD5zO6mYMnaEQnEiYLVRAgMBAAGjYzBhMB0GA1UdDgQWBBT6/VUGWgoY +PCQtLvpqXycqkL43YjAfBgNVHSMEGDAWgBTLIkPmeEX9fvysxUa/HvlxbPKG2TAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQsFAAOC +AgEAE4Z9is2j6K6Kk7BvDbDjW83Gew7TIIP8kTC0jZIu1loV2K8YOnmhKjer7XN5 +VpcABZ2GOzKw0syN+Z+l54az/dnp1m81MlFhUoZCiNdIDjNwSOJuF/PuBszpODcy +P6LapwD52T0WH7HyUC1Grm84Bvmzwf87rpt29PBgRyt1ZPRgOCD96RvCH9v8/jWx +KkxrtjYpsje7SIagepWEsu4w+ZXMSCsJejj4bqH/mFpkUNGDSu+kgiHh2RXHSqTx +W1ZLHoz243vFyv1wrH1hFpZfEaOxa17zGEn8kdOXcRqkPMOEokKVrbjmv334SeE6 +36eWyFtcbrFLWES6wKw4/KLWEzBAuGWz+ujoy9G7ahpylJGTMk74+/njqLbgrOcR +dQom/UAoynkUY+U0Rj7bW1rYpxcjimpTPGyXsJ9AGz4nYtOwQEpQ441/nPxH6hAY +i7tODC4YSbP+HH8aGIkb+oSMExVnHLeypjUcbQWPLQ940p0bLIUu378yl62N9dOC +1JYW68PslezrIN/YViAF9aW7CxxI9mJQeGZlO8+4gpUTLkHX7vLws9GK2giCbvEY +JXnrtd3C2sY8BmP5Ps6hQKd//NyT0D+mIhOmoNXaTufvWSdRdWjgClcdNtEqk88E +XPWn6g0sW7r1usZQCms+bDSmO88ZZ0SDOg+Yw76pBHRAkAo= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFMzCCAxugAwIBAgIUVmq/U/xnr7TE0GqtUK9fdm6ClgAwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkx +MjMwMThaFw00NDA1MDQxMjMwMThaMCExHzAdBgNVBAMMFmszcy1yb290LWNhQDE3 +MTUyNTc4MTMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAcIqRzsAP +tWnAxd3nkSyVutRe1gYGe4cqYExgwn6JLi34/ENZ8PTkUTA7crZ9okm66vn8Wcot +RCIrIQV/4FoQBKnTQgCv0TRaA59TyvLiES1W9EaFOpggrIz5TKx06DN+UhxhEOeQ +OaYpBfigVzODv3qw5+7V10a/9QErpy4PDv915zAO3fu6n/9Y3OJxpzb3vVwfQpLd +6vMl4o13gZq3Tp17DJ3pbs3RT1TMYiECCLEhuEgML9dXVFdW5HNcdiGx9mepzwcw +qyrlD4BufIJ9K6PPu3Ppp1311y0acvTLgYuRUBl9qOlrsMv0rS/7XcNEG6b9Vg+T +1s38y9FJIbtIwvLBlKPonfMatem2bkGcijlf7LHlkDmCd0GLsQtvklwzGPPa2lg9 +bCB909ivzRWtSW1ba0kLaQUbCJG7yRH/nqE+fA72IlUzxN01AvXUFtq7Hi3cw2Yc 
+zyyVk8IRRJLYq9EjFy8+14e1QAWCP4M4RbGLSRb53aVcOWm22KFyczaDg+NnnHtB +ASS6ODfYEeAujVj7tq90IPspT6ewPaZ91qRSanr2lABkEEEaX58ErQ6G2g4yuQLQ +8pzXX9v1crCIWGsclx77a5CV599loKcZOIIxT4e1u7Dhy0EQD0yX1tru3XaVkdP/ +TyidJLH2GS5MJ1vLuY7ezrocZJUrkSZOIwIDAQABo2MwYTAdBgNVHQ4EFgQUyyJD +5nhF/X78rMVGvx75cWzyhtkwHwYDVR0jBBgwFoAUyyJD5nhF/X78rMVGvx75cWzy +htkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQEL +BQADggIBAEM7KOB7myKORjA+smmMHXeHrfWMtS5R1mlp+JFeEZaMks6ktsicynRQ +PdD49F8Kk35XtB97sfNeM0/csIngq9ES0xhRvDbfEq68edFUUD/WpyPYIFjd1MGf +MiIbOYZSVG60xOJSFgE7f+ymK6XTwd61PRojNyIvb+2lVASKT//aWMlHU1ox+2rx +kihi0YJHH8yKhFyps4oJQyW7f+0NFfy2rknvLP55EIKiLCFPHmh636vx+bJ8AbUY +j96VEN96KqZE6YTygqHmYz5n/Vl9FibOBN1hQmHwyBy6mJI8Q0RxS4PMsxSEwKoE +H5RdpAdYPF4F23gsN0rbIFzEmgwXMnJkKPgGEIMniTHcKIEjSPTPnLWScQynqRu0 +jpNXpgJ9N22sRFAzJWAaB+67YSwymClOzzAe18A7lwBrQRFZldR+GYjpywBNVI0R +G8WVmyOcQCqNeycwED+z2UvRJcGR1yxkZFDhJjcV/kLbvQQj9zNRpS8cEHWyqXZ0 +RYqQMvYebLwydDkmZ9e73NaJPFTtWciFUzzxfDid9Ql6C1sMFURl4XxBthUXNH6+ +09T9IIivtoyHV+EWPo/9yr3cO+4B18PXJv3vlmFf1PGOGjpzNLnOxiPU+fDEmAhm +KasQJscK9c2FT6/6XnJjdOnyvgTBlLM7UrZ+9M0icf8vQSVjDudq +-----END CERTIFICATE----- diff --git a/nixos-modules/k3s/k3s-ca/server-ca.crt b/nixos-modules/k3s/k3s-ca/server-ca.crt new file mode 100644 index 0000000..a87f21f --- /dev/null +++ b/nixos-modules/k3s/k3s-ca/server-ca.crt 
@@ -0,0 +1,81 @@ +-----BEGIN CERTIFICATE----- +MIIDZjCCAU6gAwIBAgIIK1UyUU0zJ3gwDQYJKoZIhvcNAQELBQAwKTEnMCUGA1UE +AwweazNzLWludGVybWVkaWF0ZS1jYUAxNzE1MjU3ODEzMB4XDTI0MDUwOTEyMzAy +MFoXDTQ0MDEyNTEyMzAyMFowIzEhMB8GA1UEAwwYazNzLXNlcnZlci1jYUAxNzE1 +MjU3ODEzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDhZobdYwh9+5PmK68/Pi +CETLWdTMftlpf4Kws1c1pu9diaQ2p2uAhgsdMxe8k5Su22HUG9soOsLpMfGn1fwS +dqNjMGEwHQYDVR0OBBYEFH4kXKFZ+MJI3cnwRtm2URRJk4ghMB8GA1UdIwQYMBaA +FPr9VQZaChg8JC0u+mpfJyqQvjdiMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/ +BAQDAgKkMA0GCSqGSIb3DQEBCwUAA4ICAQCWi/YtfU0RFX8vZenOolcbrtSiZDYO +yYuUUI3h7U1AW7Hmn3Gk0SYdNxUbJLB2sFt8s8TX+N80M5483prUi8O3CL/DTXxD +Ae4uag2MFGh0710JY0I/7paB9H9GU6T+BAKrjdru2mwlNC+DcUIY7UX5/PrmnG9z +HMt6tSdy6RuKTBu69tr/Mpdb3VZIjrEuJ/d1LrkbxEXXW+12AvBMociBXUW+7ooO +LlKji2LGFJUYvh7yjOXykjB5U75/9oBrRpASFkGqwcXk7c89UEL9RiPDLqAm6u1U +YoE8U9mZtgTV2E4DKUbamdeVRFalJMw1Pp6WrSLsK1wBgWxydEz8djUg8WLf01ml +mRtLH7AKgFy3u5s+fxMQMGSfSmSjzsV3HCKb8bssk8bm0Q4wLznqW1ClKTbBRdDb +lE0BkI0cJqaTkjBkcuPUd9yCEUT3mCFRPIqpiYAqzPwudZ9PynZVd4NfrItpEw1V +7hVFjN2q524LK3moPFd/adfEenZEXbkaUimUloADmnR/fuTjvqkUh0OVCta3SMTd +GjhMBidfBaDPs+b/wpI4oo3JzKL9U0AqDH9/KOsJk2W38VE8z+exgY0eU2E6HOaz +O18nrHF+eMY65Zxird7xLmu+I0h1aF0qp37ejBZnWMxawQwb0km0IcVE4xzixQ9F +NBWX9TfSjd17Tg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFLzCCAxegAwIBAgIIK1UyUU0zJ3YwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UE +AwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkxMjMwMjBaFw00NDAx +MjUxMjMwMjBaMCkxJzAlBgNVBAMMHmszcy1pbnRlcm1lZGlhdGUtY2FAMTcxNTI1 +NzgxMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMZQkDW8ULwu2iUP +ZeXf+v3alHj6MQioEebJqe8ZaCFwyzQuz6VgyJIkxc0qUtvAuan2WVek22+EqLnk +uQfmEgsfuWwHt8n69SGMqZ3SA+sH5eZt+KTGEWUNzyIFZumtNgsRkeJmF+oX5QQ4 +yVWqclLrEaYkfPAr0+pf5CPugY51G8v4ezuYU4wFPjXfja4ewZj9Otpmn+X/18OS +TkSMfKG6SoY6hQPoq0rqe/C9BdilWX79C6+2Hw3fs+jzXWPaq7hkRjYEzzBPSzNW +aDl4lYQi/70wZYC85LC0J0VW0NrbrgmxieMmATnTuQAb3Ud4iQGGlqUUV7pgJO/A +vywHNR+V6xyBV2riHloy50jVkQ2ecbdqYlWn89S2Yanca/DvEYm1URWroDvhtTsm 
+3QPHC/Y5B04+qBaGZif7PayvRWE1WM5h130jpeTEGRRhQ7e1hM+0rvP8gyBEMiFE +HhyYGFBJ4SmZu5kbSGVQNXwS9/F9Tm47yEFEKuMQ0eFw5OASVXX4sglT/5kn8/h0 +N6EyrFMgXAo4wyCJ/m3q8ngG9VLcz+vcbSBMtt8cWxs5LyhDvK06oPsy+aGq74Pb +ripTJHysnueCqG51jC/My/vL1TAXQH8kAsz2hHFnqi5LqvY2dpeHqPa4N/9oi7i5 +IN7hw1+9kD5zO6mYMnaEQnEiYLVRAgMBAAGjYzBhMB0GA1UdDgQWBBT6/VUGWgoY +PCQtLvpqXycqkL43YjAfBgNVHSMEGDAWgBTLIkPmeEX9fvysxUa/HvlxbPKG2TAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQsFAAOC +AgEAE4Z9is2j6K6Kk7BvDbDjW83Gew7TIIP8kTC0jZIu1loV2K8YOnmhKjer7XN5 +VpcABZ2GOzKw0syN+Z+l54az/dnp1m81MlFhUoZCiNdIDjNwSOJuF/PuBszpODcy +P6LapwD52T0WH7HyUC1Grm84Bvmzwf87rpt29PBgRyt1ZPRgOCD96RvCH9v8/jWx +KkxrtjYpsje7SIagepWEsu4w+ZXMSCsJejj4bqH/mFpkUNGDSu+kgiHh2RXHSqTx +W1ZLHoz243vFyv1wrH1hFpZfEaOxa17zGEn8kdOXcRqkPMOEokKVrbjmv334SeE6 +36eWyFtcbrFLWES6wKw4/KLWEzBAuGWz+ujoy9G7ahpylJGTMk74+/njqLbgrOcR +dQom/UAoynkUY+U0Rj7bW1rYpxcjimpTPGyXsJ9AGz4nYtOwQEpQ441/nPxH6hAY +i7tODC4YSbP+HH8aGIkb+oSMExVnHLeypjUcbQWPLQ940p0bLIUu378yl62N9dOC +1JYW68PslezrIN/YViAF9aW7CxxI9mJQeGZlO8+4gpUTLkHX7vLws9GK2giCbvEY +JXnrtd3C2sY8BmP5Ps6hQKd//NyT0D+mIhOmoNXaTufvWSdRdWjgClcdNtEqk88E +XPWn6g0sW7r1usZQCms+bDSmO88ZZ0SDOg+Yw76pBHRAkAo= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFMzCCAxugAwIBAgIUVmq/U/xnr7TE0GqtUK9fdm6ClgAwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWazNzLXJvb3QtY2FAMTcxNTI1NzgxMzAeFw0yNDA1MDkx +MjMwMThaFw00NDA1MDQxMjMwMThaMCExHzAdBgNVBAMMFmszcy1yb290LWNhQDE3 +MTUyNTc4MTMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDAcIqRzsAP +tWnAxd3nkSyVutRe1gYGe4cqYExgwn6JLi34/ENZ8PTkUTA7crZ9okm66vn8Wcot +RCIrIQV/4FoQBKnTQgCv0TRaA59TyvLiES1W9EaFOpggrIz5TKx06DN+UhxhEOeQ +OaYpBfigVzODv3qw5+7V10a/9QErpy4PDv915zAO3fu6n/9Y3OJxpzb3vVwfQpLd +6vMl4o13gZq3Tp17DJ3pbs3RT1TMYiECCLEhuEgML9dXVFdW5HNcdiGx9mepzwcw +qyrlD4BufIJ9K6PPu3Ppp1311y0acvTLgYuRUBl9qOlrsMv0rS/7XcNEG6b9Vg+T +1s38y9FJIbtIwvLBlKPonfMatem2bkGcijlf7LHlkDmCd0GLsQtvklwzGPPa2lg9 +bCB909ivzRWtSW1ba0kLaQUbCJG7yRH/nqE+fA72IlUzxN01AvXUFtq7Hi3cw2Yc 
+zyyVk8IRRJLYq9EjFy8+14e1QAWCP4M4RbGLSRb53aVcOWm22KFyczaDg+NnnHtB +ASS6ODfYEeAujVj7tq90IPspT6ewPaZ91qRSanr2lABkEEEaX58ErQ6G2g4yuQLQ +8pzXX9v1crCIWGsclx77a5CV599loKcZOIIxT4e1u7Dhy0EQD0yX1tru3XaVkdP/ +TyidJLH2GS5MJ1vLuY7ezrocZJUrkSZOIwIDAQABo2MwYTAdBgNVHQ4EFgQUyyJD +5nhF/X78rMVGvx75cWzyhtkwHwYDVR0jBBgwFoAUyyJD5nhF/X78rMVGvx75cWzy +htkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZIhvcNAQEL +BQADggIBAEM7KOB7myKORjA+smmMHXeHrfWMtS5R1mlp+JFeEZaMks6ktsicynRQ +PdD49F8Kk35XtB97sfNeM0/csIngq9ES0xhRvDbfEq68edFUUD/WpyPYIFjd1MGf +MiIbOYZSVG60xOJSFgE7f+ymK6XTwd61PRojNyIvb+2lVASKT//aWMlHU1ox+2rx +kihi0YJHH8yKhFyps4oJQyW7f+0NFfy2rknvLP55EIKiLCFPHmh636vx+bJ8AbUY +j96VEN96KqZE6YTygqHmYz5n/Vl9FibOBN1hQmHwyBy6mJI8Q0RxS4PMsxSEwKoE +H5RdpAdYPF4F23gsN0rbIFzEmgwXMnJkKPgGEIMniTHcKIEjSPTPnLWScQynqRu0 +jpNXpgJ9N22sRFAzJWAaB+67YSwymClOzzAe18A7lwBrQRFZldR+GYjpywBNVI0R +G8WVmyOcQCqNeycwED+z2UvRJcGR1yxkZFDhJjcV/kLbvQQj9zNRpS8cEHWyqXZ0 +RYqQMvYebLwydDkmZ9e73NaJPFTtWciFUzzxfDid9Ql6C1sMFURl4XxBthUXNH6+ +09T9IIivtoyHV+EWPo/9yr3cO+4B18PXJv3vlmFf1PGOGjpzNLnOxiPU+fDEmAhm +KasQJscK9c2FT6/6XnJjdOnyvgTBlLM7UrZ+9M0icf8vQSVjDudq +-----END CERTIFICATE----- 
diff --git a/secrets/k3s-ca/client-ca.key.age b/secrets/k3s-ca/client-ca.key.age new file mode 100644 index 0000000000000000000000000000000000000000..4c672ca2e6e0c1d8ef1bac489620a1ef2a53cc92 GIT binary patch literal 989 zcmZY5-HY1<003~&`9a4#cH-Cek_|i`y4ti&+H}s7v`Nz>ZJH)++GL=YrfHHUy|l?S zAKhMLa*BhYoDX9Yk((aAY{E9iP)<<97X_zMH@!myZ>S7m<#dY2sqeSH;0HfhQ)BA9 z;)MML!=8V}cC@&ch{R?A*VSWcI|;*yEKv6uo~r_E*%%Guy?o#8fLH(-0VX7SS`-99 zU62}yl8aTFo~7DQQH(fd$wc?P_=^F?qY^?$jtM z!$T-g2nso?!pTKH%(!$|Q5sPaFBnKoRLrap2Sb}l3pu>Rbo~fBOzCM4uX1{}=bI30 zrAY_Oc#x)=DUlY-sfGsQ6(m=5b9b? z1S*HEOvpOXadYSoMhQ@q60h1h*l5<%R48lEXZmokZ|L8 z6J`5Du0x?>xta7WHakF=Ofe^L9M$h94X%|nA*m`xypBdnl&xEtq=pfq10x-q(g?!H zGj87>pj@1H8%hGoqGBW#ivbJO96B%;sx^mae3!OelH}n$>)5?Qny8}20B?Xkq^I$& z5}DgvY212xyvHPOAN40QhChw1~%hV|PV`KGt_Rgu7e-@yPv#0-2_H|Yf{0cU`_4Vs_ z&Wzu|3*7Tx{p$bw)Ug|{85`2p+%dqYY+SxnT}qzX{&b`+e)JNw@9nqdudVHEEKhSs zZg1~jT)K5&_V?N6B;?(+s2}=b@usviHG{qK!NHZu`zOZJyN@)R2OiVj9B-eS@&3Fr z>7V%R;MD%qUUp&Sbnk`x{<^?ly!SYBXl*ie!EoOA{NcZ; PG55!}lf#FP?*8U~Q4?(6 literal 0 HcmV?d00001 diff --git a/secrets/k3s-ca/etcd/peer-ca.key.age b/secrets/k3s-ca/etcd/peer-ca.key.age new file mode 100644 index 0000000..d67f9bf --- /dev/null +++ b/secrets/k3s-ca/etcd/peer-ca.key.age 
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 UwNSRQ 7VPm9hUzbKELjQBUfKKinUdOAUbNzY2pZp9ihry9sFU +ZPkr54gFnXE9b80OKX9NPk4DWmyRTKkcJH0C+6lLJZE +-> ssh-ed25519 JJ7S4A 2TVdz1v5NBqCfPD3LzUdQsQ3ubsdJGSHwVKjj7NNpxE +uO4sRxj8RVqUQXRDlT0ZI4LxFx9MHaAWMrf9WYOZIas +-> ssh-ed25519 aqswPA V+3scofJU1OnxJI9+ryPixGiD3Z1srePETEzUZ4zfAY +QoKHxyKr5XXxgJJeoJycShOqHowt/OkaYJOm8nXXeM8 +-> ssh-ed25519 LAPUww V919z6/H/pC5smjiq1d8/7Q+QvbXcbfRKAfjiBugoSw +9urrVRscuLY6cKsfZKBdVcDdpPfex8sDHuEdH/EtujU +-> ssh-ed25519 vBZj5g v7Pkzi9F2fc9++OsVfou2j60R2iq1ZfOCr/SfFVIvkQ +bknegfUOmc1G8PDcskOCS88OGa60B3t4R2ty7Rdt/mM +-> ssh-ed25519 QP0PgA psOkHWvCkdQOpPHYJ/dpDZ/TlZhArARHT9PzsXLV9WU +EHfX0VdHJdm/0iqRfkYxmqmSqrwwgb3irBhDZPvjl3M +--- ekq08T+kFXk/v4//f8xSvqdumAFxd0jMnzUqMn180hs +͋*}`0",[vbuG_p\a#$gVq3/P3n @Bo;CmKp -#,I2_cݲʁTᇀd-`!p!}_ae"?Tjjܩ]ɔ"&"L3~= c8C ,1ܽm Bt ++D F \}I>"=alr +CU +d v \ No newline at end of file diff --git a/secrets/k3s-ca/etcd/server-ca.key.age b/secrets/k3s-ca/etcd/server-ca.key.age new file mode 100644 index 0000000..8684d17 --- /dev/null +++ b/secrets/k3s-ca/etcd/server-ca.key.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-ed25519 UwNSRQ W6uEvGJIdlkC0or4dyFcK+ytKeEiwIJB1bebPLTERDA +uzMxRth4KMhqsQYhw2tWyqBeQdCbTgbBegHrkcuHI9o +-> ssh-ed25519 JJ7S4A bw+MlxnWLuLecMuqMTrJl2TMXyXhqEWCpKFwsPgkgnw +zwWm3Fq9Q+mR+9rVaSzVO3i7qgPgWsv25ClCW1c0G8M +-> ssh-ed25519 aqswPA ZIgGWu33QpKdUfPtlIHs9BeCurnk6pm+2XLi53RBFwc +wN8Qmo9CCqVTa+y6zcYiZYbslgTOtVMUjCCUVT0W7WA +-> ssh-ed25519 LAPUww npNhPTPq8kfN2vgouVJZ5NXARHBD02L1CJHmas4ilAI +nTpXsq5BgfikRJUglFGjP9GoRIswyHZp6R7KxZhH/uc +-> ssh-ed25519 vBZj5g JOUeBxwM5Qcz/YoeYCPM9dmkWp130Ze0E2n8qdsQzzo +1SL0HH+u48cDojytjSxRHXKo1sgil7EZYBLpQAOuzPI +-> ssh-ed25519 QP0PgA /bQtDDcVg8DzFdgFkEDPzBTD02OYTC2Pe+WuEmP9j2A +IRUPa8tityX/FVKJKpcKWMtVvwRzFWueuvBIhlqcSv0 +--- DltN2dAJoEDuU6Ub6J7BZY84TjZfHGVN9P2SnoHrE7Q +q\!j> 3+4< +7adbт _.c(>5-3jwExHh;,hK*ȼmb*]Mmw~g{ʼn߀ZrVkfRXG% 1^?Y@1ڍ7*0߈d¸…2߯URG~:^X㎋5c8\t!,Ӫ \ No newline at end of file 
diff --git a/secrets/k3s-ca/request-header-ca.key.age b/secrets/k3s-ca/request-header-ca.key.age new file mode 100644 index 0000000000000000000000000000000000000000..57407170f3b0c0dfba5f6740f9eab002db070845 GIT binary patch literal 989 zcmZ9|U1;0{0KoAnOvm|RH?h-U4dUv?d2Mn@?xS@b$tAh3d|%S*#Sgfi7+;k4~!9Hx@bc}7F8w?o*_t2M#P?*rEIF$*d=;&(a2Pz_S&wcy9{or43X$j40 z4kFua_pFKDpf%}3vBV7EI7UKKlPC&h0XbkRq5$+mo=9tC2c&eh)}TsIyb?v0)6_FY z6D4(vlwjKp;D8HiF=PM}%)C<;%f$jpR?R^_+h9Yxr9(YFEez%xY8wr3DgzIjTeVUt zT|qEl-oR+u%dt^6s#J-hFJWX`Q7zT#5VVzUF?KFX%DG0=$AXyZsFPZ=hpJsOG&O>h z?uXQ+3AhWvbzUq(euY#}TdF6ETeW)M33v=h75h~qJ0uyO9eQCNwd;@}Ri$<&AZ$Jz z5JDiC1326=a{A@Q(VaV?i?#tipf%L;8-e{ z31TOn&fH4uJ9g=-cL#ruXI8wOGvMKOz8Qbwnf1@i!>=E?eEZS!Q>!2Swda@F_7~qS z@7&%ywRC4`^U0qU?-|SeGvxJSZ{M9>eE;B%OAl;6bNUp39{p$f`~hZ{aN)O!6C)pA zd-ZyDdgF!LHx8b=eCLxdIp9TNrN4l$P2E7jpI7%H`>U^gcsG9Fzdtq}e{Ro}Usq4w z+-q+KM^~sWA36Q`dim<|r)>SDwTqq6iQ?GkEj{{RJtG-Q2cq>9LtzYu@PpK)7bT literal 0 HcmV?d00001 
diff --git a/secrets/k3s-ca/server-ca.key.age b/secrets/k3s-ca/server-ca.key.age new file mode 100644 index 0000000000000000000000000000000000000000..e4ed33283b0c785a51441e0b27b50d1b8d5c8182 GIT binary patch literal 989 zcmZXR?T^z00LJ+uiSs33NH94`7D)IqM_;$DsLZzO+HQC2wyxK%K(On&c3an%bz8S- z{Nzha%o#tZpAG`&#i&sUL?jR)s5$RQ^f(AHz9708G)6AIfqEJvem(wy=lA@cM>X`Q zZfos<+o?PDE~jk(Jt!326ZU;Gs#oDy48p@=kQ0i9a3)gpUCe4sL$sQ!*U=8b6Fyt) zD+5eP7@SLDh)4Iie!$WpzSGFtWPBK>Vi~Ni#c8f*LqN+5YN$M%CWhVs?#YUWwo zEtA0nlnCcEMyz29G<3*jj_{nCKveV?+_Zc`ZFVayNy#>v7+9NPolqtpa2m|9r9=e= zOT37wkq!@Ydb^4;UCRS`bx>0^N{HNQw$4rU{2)(+BdR1IZO!VreSmKA6$nXaepROM zqNFMe)Wte#-xQ}~=Fkrrj%8vV!&7F-ta2HSR1lu>1VLwr$y`?It6Hmux@ijIgY~pY zA}JSW}FnB11WX z=ULfp$K?!GD~nEuF2!3-B-Q9Bgqw4ExT5_Z+y~OcK#I_vREB0vTf&*Ld>gHh2lECI zE~uRthHH>%v2fjJq`G)Ik?A#ay>82)b%>pWYe2=8DR~HnlmTrw6|j*4Injpr^uR6; z31X@{Xxfux1(9fk;32gXFzBt{qS3HxQb@P1v}<%c?z%G6;YhT`@rkA*=7AWc=vhMo zNf)P5<VTaPHz1;>94)K37s4ND<|3g8{gSCfPct#stXwavLBH#QVT^It9hyz%_zyRUpQdv5x|3zugWu5>nR z`RIB0nd`@P{Vfh@-^oX^U;i3hyW`yU(OW{| Y?3%#|OUKNLR-O3fho=u_4kC;H0k<`ElmGw# literal 0 HcmV?d00001 
diff --git a/secrets/k3s-ca/service.key.age b/secrets/k3s-ca/service.key.age new file mode 100644 index 0000000000000000000000000000000000000000..190851b6a6e9a985dc8ef24b2ff3e4707f5bab53 GIT binary patch literal 2441 zcmZ9_`yHtfwRHQVg_H8b|GQF)|?({)9ck?9h(lw>(PUxbXa!L%2E)1EZ!{W?jV3?^S{f}_ z#{d&l1ZgBQLC)Y{C}df5hz7}*DS$+bf*L4Kpi}tqC?7SY(A+;|#J8lqC^v=Fh3PsT=51k$J^KuV&iqSO)%ouU;;kh zhzUs&fXQX+c%ktGK!J1Gc z2T0`Lq!2h94h@wf1zHjX$v~oFnMw@`Aj$w5R>$&=7pg%LhT`o>R(ggZ$tr&&q{EgD z8f|^OeN~yCQ`+KQj_E=4A2v_(79f0=Rs_7pV*uLCG=K-)RDffokC-g50BrlbXxAKu zLnLhTrZ{F(8v+jWuGtWP$fDkNtb4Q`&vTwzwnT_|pEENYvXiRNjPb(PQ{bI8pkSc8 z3_NM9NvRC@w6?x=p}lKDp^WexuEQBdT#z_5)PQ zt(s2Qw>i=pxXX-JmcG1uxG{ed;3YJ5yLRs573ZLp*;F^SuYb-tVl&}eb?%$xJPy(0 z!DO3>`Sd>Fk&MWt)6#LdaSAm!I5i?JDQ$DfdnL_g-Lv-7bdSqOb*3*8BQxW~Qpj(>DgT)iZ-?8Z8|VE;YCG`P#y z$?54`9TXpOEQRZOp;=nVqaPgc2D+TQ(p+uK()Hzf>t_YQW^`)D4sD#v#VXV78ufm=aE zSBSoU^*q^N0u_($31fMkAKtuLv@_x`BPRFQ@|i89t*MsiHT{*T?c?IafkSQ)8Sy1{ zy7Rt;&%VtO>Ic)s`+kd6#DJIVt(ZNlE1lQwF+-(y>=6W%6~I*Gg}chxk2w{eYfs9O zcD*XAchP4LxxoFnSMZ{Mq=}|R)avJt_ZF*rX#x@AKBT(Ly|vwa305qtkAHLk0DNw0QX4vH!HxzU5;(p;Y4zhvA`u4wKQ*Q)Q9H23O%DmyHc!t#otiTfD=j*YtMV zO}Tow6}V1cwETr@2mCO$!ae_JBVTMJOOrA6OlvK#UFCpyM}wiGYr9Iq{8JKp}{U*?6gZxB1Is zIewTF-hQK-2MbULAh7tUU2#B*=kL2$)zk4O zDoVe$d>zXFveM>y^NR5qqU&0#&iBC0Y5R*s|7Nzclh;|)%Z>I7)l_C!t>1n}TMrC+ zzG`@&=keU^bq+9c${3cv?%}cb${_DS*rt+Q@e9BZ_W1wC5 z)q-t%ZxMSUgYO#J*x*E&P1egvB&}2a;JlI3sP)PYKdLThx$sB59A-1)@wkV-8}{u# zj5GMt8;qV+Hdy;PUEi5KxBGER*P7WL-HVCkRjo^(ez$u>gU^0+VseHn=Lpp^7$0_; zt%LisRV5E*_6)CC_)R0l_QbEgF>z9%GW-;9{|oGgsZX8x+TK2^>(*P=J!z;ezptI$ zRJbc}&bPzxo&HkF@%0X+p!Hr+KA{Q_`ZOijZHhbuS&^T{*OwW7aly HJ}LhL!+$mH literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index de7e4a3..dff31d8 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -12,6 +12,12 @@ let "borg_passphrase.age" "borgbase.pem.age" "k3s-server-token.age" + "k3s-ca/server-ca.key.age" + "k3s-ca/client-ca.key.age" + "k3s-ca/request-header-ca.key.age" + "k3s-ca/etcd/peer-ca.key.age" + "k3s-ca/etcd/server-ca.key.age" + "k3s-ca/service.key.age" ]; machinePublicKeys = [
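Review bot: The six `k3s-ca/*.key.age` entries are appended to the same list as the ordinary machine secrets, so if that list is encrypted to every key in `machinePublicKeys` (the mapping lies outside this hunk), every host can decrypt the cluster CA signing keys and the service-account key. The age header of `secrets/k3s-ca/etcd/peer-ca.key.age` in this patch carries six `ssh-ed25519` recipient stanzas, which suggests a broad recipient set rather than a server-only one. This commit also makes Atlas a k3s agent, and an agent node only needs certificates issued to it, not the CA private keys. Consider moving these entries into a separate list whose recipients are limited to the k3s server hosts and the admin keys, headed by a comment such as `# k3s CA private keys: recipients must be k3s server nodes only`. The `let` binding starts and ends outside the hunk, so the actual recipient assignment should be checked there.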