Use fork of nixpkgs to allow sops-managed k3s config

2023-02-05 17:11:54 -06:00 · 2023-02-05 17:11:54 -06:00 · 3f64793cea
parent eff63a4415
commit 3f64793cea
4 changed files with 44 additions and 14 deletions
--- a/flake.lock
+++ b/flake.lock
@ -60,27 +60,27 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1675454231,
-        "narHash": "sha256-5rgcWq1nFWlbR3NsLqY7i/7358uhkSeMQJ/LEHk3BWA=",
-        "owner": "nixos",
+        "lastModified": 1675634907,
+        "narHash": "sha256-c8bc899hRk9AS39h9eerkfdLz2UkFLs0ezAI12dUR14=",
+        "owner": "asonix",
        "repo": "nixpkgs",
-        "rev": "06999209d7a0043d4372e38f57cffae00223d592",
+        "rev": "80ca273c4d540819dc82ec981c52e2539a16f1dd",
        "type": "github"
      },
      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "owner": "asonix",
+        "ref": "asonix/nixos-unstable-pinned",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1675265860,
-        "narHash": "sha256-PZNqc4ZnTRT34NsHJYbXn+Yhghh56l8HEXn39SMpGNc=",
+        "lastModified": 1675556398,
+        "narHash": "sha256-5Gf5KlmFXfIGVQb2hmiiE7FQHoLd4UtEhIolLQvNB/A=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a3a1400571e3b9ccc270c2e8d36194cf05aab6ce",
+        "rev": "e32c33811815ca4a535a16faf1c83eeb4493145b",
        "type": "github"
      },
      "original": {
@ -106,11 +106,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1675288837,
-        "narHash": "sha256-76s8TLENa4PzWDeuIpEF78gqeUrXi6rEJJaKEAaJsXw=",
+        "lastModified": 1675566616,
+        "narHash": "sha256-Wki1ffvQUIB044M9ltjOxpXJGsqnQiVQPvMpQ0RiEBE=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "a81ce6c961480b3b93498507074000c589bd9d60",
+        "rev": "4d16c18787ba8ff80c1ff8db25c5ca56f68ceed3",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -10,7 +10,7 @@
      url = "git+https://git.asonix.dog/asonix/nixos-aarch64-images";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:asonix/nixpkgs/asonix/nixos-unstable-pinned";
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/modules/k3s/default.nix
+++ b/modules/k3s/default.nix
@ -1,5 +1,5 @@
 {
-  server = { enable ? true }: { pkgs, ... }: {
+  server = { enable ? true }: { config, pkgs, ... }: {
    networking.firewall.enable = false;

    boot.kernelModules = [ "ceph" ];
@ -9,8 +9,14 @@
      (writeShellScriptBin "kubectl" (builtins.readFile ./kubectl))
    ];

+    sops.secrets.k3s_env = {
+      format = "binary";
+      sopsFile = ../../secrets/k3s_env.bin;
+    };
+
    services.k3s = {
      inherit enable;
+      environmentFile = config.sops.secrets.k3s_env.path;
      extraFlags = "--disable traefik --disable servicelb";
      role = "server";
    };
--- a/secrets/k3s_env.bin
+++ b/secrets/k3s_env.bin
@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:fz/2OyrlzXP83EiBAzbZdwUdf1XdGojLgtJd1H2jBe+gotWF1Lp85yKRK+bnJaI53BJvEgUVi7+9RG/XAups0SGhMdS61/kF7QSrd77Rbm9MAvuUVtChWpQ058Z/Q/kksKXJMzMdGlC/KrBebKUAamiyV+ynoVVv6EllcHHHmTW6+Wrgs2sv1TayKGPE2g==,iv:RtkXTI0WP2Ri5bvclVP1i1JzeVOUM2wZ9IL+TJke3a0=,tag:m2R1ZZSWoFyZ3k5awIGSuA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17yhtwnhqjssghc5qqamt0fqdu27zpqms8d8ghrc0txeevywfp3ssklfy57",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTis3eDJ6OGZQK2FWZXZ0\nRHJNVHlULzBpM0RMbDJIYW5LSnp1R3d2SlJFCnR1Zm1ic05mUEtRTU5JeGtLYWhZ\nazBkQkVqQllydUJ3Unkwb2RTc3RpYW8KLS0tIEx6bzVOc2x1YTdXeEY1YUNOUWMv\nYkE1SGpwTU9LMHdYVmNDTldnVWQzcEUKkWETPro3eCiImwuODJgUu17rDAORf0MT\n43HgNAm/6FtNlj8kPZBHCt4K+7kySO4roL/5zDH9fGGfeTIiA0VJaQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age145uwrexj6ffaaxy7jg3j29gtchhwy0y0nttw06zeuxkqsy8rnpds7fh7xq",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBN2RlVXh0cHN0RjVtcHds\nTWxleGZpZHk0Sjl3L3NLSHA0NW1za3dLQlRVCjRCdXJiTjBJb1RoRlZqbUsrUWZE\neXgwRzg4clAyRUxWK1pPU3Z3Znpkb0UKLS0tIHd1Zy9yLysyWnJpNXg3a1FQYURN\nT1FnWXF0QmdGN0NvVm0yM2gzNHRCdm8K993lhwndBDaFKlpCOi5WSdIsTMvhoi83\n5eyiQYjhfILeJWIIzDHOMHcNqE6plei+bhFRY23dZft8IxQWcAQfOg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-02-05T22:37:54Z",
+		"mac": "ENC[AES256_GCM,data:e2Sa0nox0yi69ARjy+zB50g9xa5lISLCw3YgAmou1YonK1GMG6IqyB0NiAEhxH158snVuXrp7wJU8cFRDTZ2RxPgIpEkb7dTFSDDvC/ZzkG7nK7DdIDLcMc7GNLOjCRqVwzssWLDoxJs0coZf5m9rUjX9DgKgAZ46H6ZhsLbYQY=,iv:WB4agP0mddVy+gLNdnz8jLtCpf/ETUsIXz3eEwjY09U=,tag:hurc9s8aXEQVLqEzlkPdFg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}