staging-hydra: init

non-critical-infra/.sops.yaml

@@ -3,7 +3,7 @@ keys:
   - &zimbatm age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
   - &caliban age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq
   - &umbriel age15vcp7875xwtf64j4yshyld0a3hpgzv6n2kxky493s3q0swr9hdaqxugpv6
-  - &staging-hydra age13emk4xkrde0qhgnuu24jl7vt6mdq99w56c4ngse9mxh4j0pxvuvq3zsppt
+  - &staging-hydra age1vawam63mv097z4ae94tm2xlzkc66u3s87n7neu5jzm6687482u4sx8us3v
   - &m1-s age1j3spleg4m7rtjww4zqsws6qaj69v5j0rc3asaxxlpwnu7fmx8p9qvmvjn8
   - &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
 
@@ -23,7 +23,7 @@ creation_rules:
           - *zimbatm
 
   # ssh keys used to bootstrap new machines
-  - path_regex: secrets/[^/]+.hostkeys
+  - path_regex: secrets/[^/]+-hostkeys.yaml
     key_groups:
       - age:
           - *m1-s

non-critical-infra/hosts/staging-hydra/bootstrap-staging-hydra.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+# Use this script to deploy the initial keys when bootstrapping a new machines.
+
+set -euo pipefail
+tmpDir=$(mktemp -d)
+sshDir="$tmpDir/etc/ssh"
+mkdir -p "$sshDir"
+trap 'rm -rf "$tmpDir"' EXIT
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+for keyname in ssh_host_ed25519_key ssh_host_ed25519_key.pub; do
+  if [[ $keyname == *.pub ]]; then
+    umask 0133
+  else
+    umask 0177
+  fi
+  sops --extract '["'$keyname'"]' --decrypt "$SCRIPT_DIR/../../secrets/staging-hydra-hostkeys.yaml" >"$sshDir/$keyname"
+done
+nix run nixpkgs#nixos-anywhere -- --extra-files "$tmpDir" -f .#staging-hydra [email protected]

non-critical-infra/secrets/signing-key.staging-hydra

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:r5OuTSn3XvJnDotfbVuCC/CmMJM30GTpvi9xYd824nc8RwoFG5ivV29mUo8kj2A/C8I1sgmxHbRSM3zCDQ5nDV6ul9XFqsFlK+9l5O2hZXSEq7crE6IEPJKXlYvQGTbZH9VcIrigDOCUiZgbfDFTnWIQ,iv:DcMMvNoINfUwCp4kKcQt3Ya5iOD1rQ08ft0blz7QuoA=,tag:APdvyc+0L9rz+5vhtothtQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:cPViz9seX59g1dneq/kngFZSIUP81osOEs/kbLr+OrKB8MSe4tg6O1G5c3uSHPfMNbeYdhG6CinZZCY5Lk22rRyrFLaJfHi8xTsnsEtIcC9v4q+cFyOfPmJE7SblmiNGyjYNTZl6sdC5awnbXjo1aNPGfQ==,iv:DrY/VDNXiV/WMNjyD8wrQmEE36jHbCTUn7UiHk/PeDM=,tag:DRVVu7VMqlfnxwDJaobSpw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -19,8 +19,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWb2ljNWl5SUhGUXZmQXhP\nTDF4bzhVYnpSdUFFVWVzeURnS1gxSVUrNWtVClR0S05HWUtpSU5ETWh0YVhJcS9C\nMmtwS1ZZSnRSMlVYQWtMMk5GVGhWVjAKLS0tIGdnYmEyaDBMbDhaUVpOUzN5OWk3\nKzkvSU1wQWxETDJiMWxVYUhuV1V4aEkKwjiLNhN2WvjV1WC648tl2bUIgcthFo/r\nwGF2G+J7ueAp3WGWRtd1a2kQNn8MLqCZksUMeksy4+3570kKmdCOrg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-02-12T07:28:02Z",
-		"mac": "ENC[AES256_GCM,data:Kk+FO9fjspAPkzs1orp5iXuVc1iLXbMr5PRmM9lDULjGZ2gpgS2JJF/Uf+4OeWrmLRmUwqa0dPPr3gR4/BEQmPk7FKqlr66iFun8Y/ExV38hWKGzBOvDxZIGdzT5i0S5SrohjhjQN2qzM8l6YANN21wogv/I0Mb/KKUNlBK/z9E=,iv:2fN19YDoZ7+0BVBo9FQJkPpjyGr2AB9GtYp4kvX+tUw=,tag:KrYOLR38mxv1eYOEoG9pNg==,type:str]",
+		"lastmodified": "2025-02-12T09:27:43Z",
+		"mac": "ENC[AES256_GCM,data:6IPR2vcE0XxIbwsyaTIADl34wHSikT/Jy1UYPJPexvw22JbAQyIJn8dZQvpa6IrIi1+thLyambL1BXwiYmOepQWCXIWTYNDhu3xNi9UwpjdwGpLGCFQz18eXnqRLWZT3UXyZ5aEFdHGHgbMbHEkJ+suK3FqJCXn4AvmlqER211Q=,iv:q1ZKHd4VwLLmx5lUekt0yVdSy7kiZCUMzuygjg/jCh8=,tag:VBkblBU0osFoANXymHiWcw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.4"

non-critical-infra/secrets/staging-hydra-hostkeys.yaml

@@ -0,0 +1,31 @@
+ssh_host_ed25519_key: ENC[AES256_GCM,data:Okg9SB54M1j/Os2cjYL4b7Xy9qafNKjTD+/pJx8NoPg5+GACiPuiseDa3WcF7gtozzpzLOn+37nrnE11Qy+GT7FrRFnbhWlv41ZEWaktaysOOnVdclHu1e8gGdLYqX32cK2AL4hQYxVJgk9aVVQ+Zm0cnv9Tz8FEdCPuItOwaph6N0WF9+Ssq+zf50RKn8DwOrssGb/QOM45JC4R1wLP6Qf3OjvJRThP8TvVoFCn2kaQS1rKmJ84kn6HAjOkkDZVIHekea0OegKY1szA4FL+Tt+9S1PbtTcjkWnLVISCOkH3FpzNFWDRkLAloZtAHOSOUCwxumzBKApLpvp1K4Z/ctFWIqEI7pCpVxL32KJC2S7u2xc/tXvH2KWG+/u0dfX9UXHEm5UCZ8njHZYGRQl46tbBfBv45KQUi+mL+Xpcv176XGpx08kYeIlKIQ/vKqp2hPfBQkHMisA+bUwzIqg3eWQrrfbNU1cevMqSPg3VzXtfdf7sTnG5tsIqsEHspTURzIdBFSEKPxB5TR2MWLPM9iO9LQCLuyvA/qTG,iv:kWEbM4cKF2gBc6YFkjag38CQFHwPr1WjoFazQJKJCPA=,tag:JTcCuDq5VbwcvnLX7/fT3Q==,type:str]
+ssh_host_ed25519_key.pub: ENC[AES256_GCM,data:l81c4JwjKoWutFi1+WzyDh8Hcr5spDbRCOtghyPlRjq8vIzCqwnhtf5ifTKVgIvN1Updd0oYDSWa9YhjFhrWvCGBh0JVqKLVKB/ejm1jRdUO,iv:W9CY6YjtnCv6L7kdSwpFB/38GoU2AIIzdWTsxUPHnGU=,tag:TNq7oDVbUb6mrSdZ4Z6/wg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1j3spleg4m7rtjww4zqsws6qaj69v5j0rc3asaxxlpwnu7fmx8p9qvmvjn8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbFN4Tkg3MnV4bjlObmpK
+            QURHRmRabURXa0VUak1nRFJmNWhkNWtvNlJVCmlDNXdMaVpjU1FIMXpyemZZNzJs
+            WUx4eVdsNWNSRXJBbVVRelJOODlqOHcKLS0tIDlwWlJtcjdVYUVHajNPTDgxVHVB
+            cVFhZ3pyLys3cS9CVVRtYjR0VkVBTjQK0akV7tJlU6anfPFn6yZxEn2uVfmtwDdg
+            2yxRSw1GfKP/d0Ww8BJers37VSzQ+GS3C9KEwoh3lgpWOHGm1CfQUA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0aTdFNG5HWllVdzlSc1ZM
+            aElmeEM4RFF1bGhMSVNQOW93aUhxOHRHQlc4CnByUHd5Ry8xM1J2OVd3aWMxSU9Q
+            b2gzM2dHb0Y4OHkvakV4U1lDRWNYdzgKLS0tIDg4a1cwR1pZeXpGZUNIdTBJRU8v
+            cmVqWnNndTBSZ2FsSUpLcnhNdVk0Y1kKTkWMPsIPf0scvmRMu4ZWm6btHYB7NJ5R
+            b0mBraRi+IUOsIdRbNfemh7DQPfqjnFD2lRtwa3/PNNQDB5AS6K5Bw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-12T09:19:59Z"
+    mac: ENC[AES256_GCM,data:Ym3YsYfQOd4D8iZ0K01gF6IzvYYvQEKFWzLqL815Nk0ozW1g3D8xPcNxVxb0juvRjbeBXlz0fkDLXxJ1N0ZMASmZ2wHxfR9w5J+CL8hyCmsutJ+ofdiZVJ+ZwEKfenPp/Ke02ce+5EixxU5X3Ad04kLjNalOmmkNhTd5WRFbFe8=,iv:guGa3Nz1DC8Bo5yVP6unoCFGVigKmAKliXA8r5gKyNg=,tag:k69LdmsWW5gYbamdD2S4Ig==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4