don't manage k8s config

clean up ssh config hosts remove cert authorities from ssh config
2024-04-20 10:57:13 +02:00 · 2024-04-20 10:57:13 +02:00 · 6bfdf579c5
commit 6bfdf579c5
parent e0825def24
8 changed files with 17 additions and 62 deletions
--- a/flake.lock
+++ b/flake.lock
@ -275,11 +275,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1707588924,
+        "lastModified": 1709386671,
-        "narHash": "sha256-0e1ce6X5ghapv6cAF9rxLZKeNyFHHXsLbGxN2cQQE8U=",
+        "narHash": "sha256-VPqfBnIJ+cfa78pd4Y5Cr6sOWVW8GYHRVucxJGmRf8Q=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "10b813040df67c4039086db0f6eaf65c536886c6",
+        "rev": "fa9a51752f1b5de583ad5213eb621be071806663",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -44,6 +44,7 @@
      nixosConfigurations.pim = nixpkgs.lib.nixosSystem rec {
        system = "x86_64-linux";
        modules = [
          {
            nixpkgs.overlays = [
--- a/home-manager/default.nix
+++ b/home-manager/default.nix
@ -45,12 +45,14 @@
      insomnia
      vorta
      jellyfin-media-player
      jq
      kubectl
      file
      yq
      age
      sops
      nmap
    ];
    file.k3s-pim-privkey = {
      target = ".kube/config";
      source = ./kubeconfig.yml;
    };
  };
  programs = {
@ -124,11 +126,6 @@
      source = ../secrets/postgresql_client.key.age;
      symlinks = [ "${config.xdg.configHome}/home/postgresql_client.key" ];
    };
    file."k3s-pim-privkey" = {
      source = ../secrets/k3s-pim-privkey.age;
      symlinks = [ "${config.home.homeDirectory}/.kube/k3s-pim-privkey" ];
    };
  };
  fonts.fontconfig.enable = true;
--- a/home-manager/kubeconfig.yml
+++ b/home-manager/kubeconfig.yml
@ -1,19 +0,0 @@
 apiVersion: v1
 clusters:
 - cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUzTURJMU56UXlOVGt3SGhjTk1qTXhNakUwTVRjeE56TTVXaGNOTXpNeE1qRXhNVGN4TnpNNQpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUzTURJMU56UXlOVGt3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFUMzdYdlBzUG9DeTk3Nm1zWm9qTHBlUklieVB5NWFPV0NJWXpyZVpUcVYKUlo4cDVyME1RdVViV0crNTJqQ1ZjNCtrZGN3WVkwRXRDaUpkZ21LSU5RcTRvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVWx1ZGcvZWd0bUMvWkNiaTZMRkNnClhIaXFtL2t3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUlTbHJ2TmVTc3RtVlFLVWp2STF3UlZPb0RMWEJjWDEKelpZOURUNW9WM214QWlBT2JKRThOaldOSUdSZE1FcWpXZXhUd1M5RUlGbGs2eUEwOXNjS0FmRUNXUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    server: https://jefke.hyp:6443
  name: default
 contexts:
 - context:
    cluster: default
    user: pim
  name: default
 current-context: default
 kind: Config
 preferences: {}
 users:
 - name: pim
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJWVENCL0tBREFnRUNBaEFWemhyQ3QwZzFQMWJXZW1IUGx2SUZNQW9HQ0NxR1NNNDlCQU1DTUNNeElUQWYKQmdOVkJBTU1HR3N6Y3kxamJHbGxiblF0WTJGQU1UY3dNalUzTkRJMU9UQWVGdzB5TXpFeU1UUXhPVEl3TURCYQpGdzB5TkRFeU1UTXhPVEl3TURCYU1BNHhEREFLQmdOVkJBTVRBM0JwYlRBcU1BVUdBeXRsY0FNaEFDYWxxaUdFCjdvcVo0SFNvLy95RGhqZXJrVVA5WWg4QXdFbHFnMXI4NGpvbG8xWXdWREFPQmdOVkhROEJBZjhFQkFNQ0JhQXcKRXdZRFZSMGxCQXd3Q2dZSUt3WUJCUVVIQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JTZQpkenA2TzVhajU4NGtML2FJM0pvTHhkOUtQakFLQmdncWhrak9QUVFEQWdOSUFEQkZBaUF3eDJISGNOcVd4bkhyCmkvRVg2SmJRVlRZYThmTzhpYTdMOXRYWS84OXlQQUloQVBSanlmMU0waWtCZU95VUVUODVLS1dNaDFhbWRNZVUKSUFBZTM2WDVUSVRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    client-key: k3s-pim-privkey
--- a/home-manager/ssh/default.nix
+++ b/home-manager/ssh/default.nix
@ -10,15 +10,10 @@
          user = "pizzapim";
          identitiesOnly = true;
        };
-        lewis = lib.hm.dag.entryBefore [ "*" ] { hostname = "lewis.hyp"; };
+        lewis = lib.hm.dag.entryBefore [ "*" ] { hostname = "lewis.dmz"; };
-        atlas = lib.hm.dag.entryBefore [ "*" ] { hostname = "atlas.hyp"; };
+        atlas = lib.hm.dag.entryBefore [ "*" ] { hostname = "atlas.dmz"; };
-        jefke = lib.hm.dag.entryBefore [ "*" ] { hostname = "jefke.hyp"; };
+        jefke = lib.hm.dag.entryBefore [ "*" ] { hostname = "jefke.dmz"; };
-        hermes = lib.hm.dag.entryBefore [ "*" ] { hostname = "hermes.dmz"; };
+        warwick = lib.hm.dag.entryBefore [ "*" ] { hostname = "warwick.dmz"; };
        maestro = lib.hm.dag.entryBefore [ "*" ] { hostname = "maestro.dmz"; };
        bancomart =
          lib.hm.dag.entryBefore [ "*" ] { hostname = "bancomart.dmz"; };
        handjecontantje =
          lib.hm.dag.entryBefore [ "*" ] { hostname = "handjecontantje.dmz"; };
      };
    };
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -68,25 +68,7 @@
    '';
  };
-  programs.ssh = {
+  programs.ssh.startAgent = true;
    startAgent = true;
    knownHosts = {
      dmz = {
        hostNames = [ "*.dmz" ];
        publicKey =
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x";
        certAuthority = true;
      };
      hypervisors = {
        hostNames = [ "*.hyp" ];
        publicKey =
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb";
        certAuthority = true;
      };
    };
  };
  security.sudo.extraConfig = ''
    Defaults        timestamp_timeout=30
@ -123,7 +105,7 @@
      home = {
        privateKeyFile = config.age.secrets.wg-quick-home-privkey.path;
        address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ];
-        dns = [ "192.168.30.8" "2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee08" ];
+        dns = [ "192.168.30.131" ];
        autostart = false;
        peers = [{
          presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path;
--- a/secrets/k3s-pim-privkey.age
+++ b/secrets/k3s-pim-privkey.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -19,5 +19,4 @@ in
  "keepassxc.ini.age".publicKeys =
    publicKeys; # Secret agent causes private keys in config file.
  "postgresql_client.key.age".publicKeys = publicKeys;
  "k3s-pim-privkey.age".publicKeys = publicKeys;
 }