From 84b23489f77b183f756d1d9f981d870717a8c20d Mon Sep 17 00:00:00 2001 
From: pinpox Date: Mon, 7 Jul 2025 11:37:33 +0200 Subject: [PATCH] Migrate data-mesher to clan service --- checks/data-mesher/default.nix | 89 ----------- .../data-mesher/sops/machines/admin/key.json | 4 - .../data-mesher/sops/machines/peer/key.json | 4 - .../data-mesher/sops/machines/signer/key.json | 4 - .../sops/secrets/admin-age.key/secret | 20 --- .../sops/secrets/peer-age.key/secret | 20 --- .../sops/secrets/signer-age.key/secret | 20 --- .../data-mesher-host-key/private_key/secret | 24 --- .../data-mesher-host-key/public_key/value | 3 - .../data-mesher-host-key/private_key/secret | 24 --- .../data-mesher-host-key/public_key/value | 3 - .../data-mesher-host-key/private_key/secret | 24 --- .../data-mesher-host-key/public_key/value | 3 - .../private_key/secret | 32 ---- .../data-mesher-network-key/public_key/value | 3 - checks/flake-module.nix | 1 - clanServices/data-mesher/README.md | 10 ++ clanServices/data-mesher/admin.nix | 29 ++++ clanServices/data-mesher/default.nix | 142 ++++++++++++++++++ clanServices/data-mesher/flake-module.nix | 17 +++ clanServices/data-mesher/peer.nix | 2 + clanServices/data-mesher/shared.nix | 86 +++++++++++ clanServices/data-mesher/signer.nix | 2 + clanServices/data-mesher/tests/vm/default.nix | 90 +++++++++++ .../tests/vm/sops/machines/admin/key.json | 6 + .../tests/vm/sops/machines/peer/key.json | 6 + .../tests/vm/sops/machines/signer/key.json | 6 + .../vm/sops/secrets/admin-age.key/secret | 15 ++ .../sops/secrets/admin-age.key/users/admin | 0 .../tests/vm/sops/secrets/peer-age.key/secret | 15 ++ .../vm}/sops/secrets/peer-age.key/users/admin | 0 .../vm/sops/secrets/signer-age.key/secret | 15 ++ .../sops/secrets/signer-age.key/users/admin | 0 .../tests/vm}/sops/users/admin/key.json | 0 .../private_key/machines/admin | 0 .../data-mesher-host-key/private_key/secret | 19 +++ .../private_key/users/admin | 0 .../data-mesher-host-key/public_key/value | 3 + .../private_key/machines/peer | 0 .../data-mesher-host-key/private_key/secret | 
19 +++ .../private_key/users/admin | 0 .../data-mesher-host-key/public_key/value | 3 + .../private_key/machines/signer | 0 .../data-mesher-host-key/private_key/secret | 19 +++ .../private_key/users/admin | 0 .../data-mesher-host-key/public_key/value | 3 + .../private_key/machines/admin | 0 .../private_key/machines/peer | 0 .../private_key/machines/signer | 0 .../private_key/secret | 27 ++++ .../private_key/users/admin | 0 .../data-mesher-network-key/public_key/value | 3 + docs/mkdocs.yml | 1 + 53 files changed, 538 insertions(+), 278 deletions(-) delete mode 100644 checks/data-mesher/default.nix delete mode 100755 checks/data-mesher/sops/machines/admin/key.json delete mode 100755 checks/data-mesher/sops/machines/peer/key.json delete mode 100755 checks/data-mesher/sops/machines/signer/key.json delete mode 100644 checks/data-mesher/sops/secrets/admin-age.key/secret delete mode 100644 checks/data-mesher/sops/secrets/peer-age.key/secret delete mode 100644 checks/data-mesher/sops/secrets/signer-age.key/secret delete mode 100644 checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/secret delete mode 100644 checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/public_key/value delete mode 100644 checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/secret delete mode 100644 checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/public_key/value delete mode 100644 checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/secret delete mode 100644 checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/public_key/value delete mode 100644 checks/data-mesher/vars/shared/data-mesher-network-key/private_key/secret delete mode 100644 checks/data-mesher/vars/shared/data-mesher-network-key/public_key/value create mode 100644 clanServices/data-mesher/README.md create mode 100644 clanServices/data-mesher/admin.nix create mode 100644 clanServices/data-mesher/default.nix create mode 100644 
clanServices/data-mesher/flake-module.nix create mode 100644 clanServices/data-mesher/peer.nix create mode 100644 clanServices/data-mesher/shared.nix create mode 100644 clanServices/data-mesher/signer.nix create mode 100644 clanServices/data-mesher/tests/vm/default.nix create mode 100755 clanServices/data-mesher/tests/vm/sops/machines/admin/key.json create mode 100755 clanServices/data-mesher/tests/vm/sops/machines/peer/key.json create mode 100755 clanServices/data-mesher/tests/vm/sops/machines/signer/key.json create mode 100644 clanServices/data-mesher/tests/vm/sops/secrets/admin-age.key/secret rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/sops/secrets/admin-age.key/users/admin (100%) create mode 100644 clanServices/data-mesher/tests/vm/sops/secrets/peer-age.key/secret rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/sops/secrets/peer-age.key/users/admin (100%) create mode 100644 clanServices/data-mesher/tests/vm/sops/secrets/signer-age.key/secret rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/sops/secrets/signer-age.key/users/admin (100%) rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/sops/users/admin/key.json (100%) rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/vars/per-machine/admin/data-mesher-host-key/private_key/machines/admin (100%) create mode 100644 clanServices/data-mesher/tests/vm/vars/per-machine/admin/data-mesher-host-key/private_key/secret rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/vars/per-machine/admin/data-mesher-host-key/private_key/users/admin (100%) create mode 100644 clanServices/data-mesher/tests/vm/vars/per-machine/admin/data-mesher-host-key/public_key/value rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/vars/per-machine/peer/data-mesher-host-key/private_key/machines/peer (100%) create mode 100644 clanServices/data-mesher/tests/vm/vars/per-machine/peer/data-mesher-host-key/private_key/secret rename 
{checks/data-mesher => clanServices/data-mesher/tests/vm}/vars/per-machine/peer/data-mesher-host-key/private_key/users/admin (100%) create mode 100644 clanServices/data-mesher/tests/vm/vars/per-machine/peer/data-mesher-host-key/public_key/value rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/vars/per-machine/signer/data-mesher-host-key/private_key/machines/signer (100%) create mode 100644 clanServices/data-mesher/tests/vm/vars/per-machine/signer/data-mesher-host-key/private_key/secret rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/vars/per-machine/signer/data-mesher-host-key/private_key/users/admin (100%) create mode 100644 clanServices/data-mesher/tests/vm/vars/per-machine/signer/data-mesher-host-key/public_key/value rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/vars/shared/data-mesher-network-key/private_key/machines/admin (100%) rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/vars/shared/data-mesher-network-key/private_key/machines/peer (100%) rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/vars/shared/data-mesher-network-key/private_key/machines/signer (100%) create mode 100644 clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/private_key/secret rename {checks/data-mesher => clanServices/data-mesher/tests/vm}/vars/shared/data-mesher-network-key/private_key/users/admin (100%) create mode 100644 clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/public_key/value diff --git a/checks/data-mesher/default.nix b/checks/data-mesher/default.nix deleted file mode 100644 index 45173f49f..000000000 --- a/checks/data-mesher/default.nix +++ /dev/null 
@@ -1,89 +0,0 @@
-{
- pkgs,
- nixosLib,
- clan-core,
- lib,
- ...
-}:
-let
- machines = [
- "admin"
- "peer"
- "signer"
- ];
-in
-nixosLib.runTest (
- { ... }:
- {
- imports = [
- clan-core.modules.nixosTest.clanTest
- ];
-
- hostPkgs = pkgs;
- name = "service-data-mesher";
-
- clan = {
- directory = ./.;
- inventory = {
- machines = lib.genAttrs machines (_: { });
- services = {
- data-mesher.default = {
- roles.peer.machines = [ "peer" ];
- roles.admin.machines = [ "admin" ];
- roles.signer.machines = [ "signer" ];
- };
- };
- };
- };
-
- defaults =
- { config, ... }:
- {
- environment.systemPackages = [
- config.services.data-mesher.package
- ];
-
- clan.data-mesher.network.interface = "eth1";
- clan.data-mesher.bootstrapNodes = [
- "[2001:db8:1::1]:7946" # peer1
- "[2001:db8:1::2]:7946" # peer2
- ];
-
- # speed up for testing
- services.data-mesher.settings = {
- cluster.join_interval = lib.mkForce "2s";
- cluster.push_pull_interval = lib.mkForce "5s";
- };
- };
-
- nodes = {
- admin.clan.data-mesher.network.tld = "foo";
- };
-
- # TODO Add better test script.
- testScript = ''
-
- def resolve(node, success = {}, fail = [], timeout = 60):
- for hostname, ips in success.items():
- for ip in ips:
- node.wait_until_succeeds(f"getent ahosts {hostname} | grep {ip}", timeout)
-
- for hostname in fail:
- node.wait_until_fails(f"getent ahosts {hostname}")
-
- start_all()
-
- admin.wait_for_unit("data-mesher")
- signer.wait_for_unit("data-mesher")
- peer.wait_for_unit("data-mesher")
-
- # check dns resolution
- for node in [admin, signer, peer]:
- resolve(node, {
- "admin.foo": ["2001:db8:1::1", "192.168.1.1"],
- "peer.foo": ["2001:db8:1::2", "192.168.1.2"],
- "signer.foo": ["2001:db8:1::3", "192.168.1.3"]
- })
- '';
- }
-)
diff --git a/checks/data-mesher/sops/machines/admin/key.json b/checks/data-mesher/sops/machines/admin/key.json
deleted file mode 100755
index e0b832e80..000000000
--- a/checks/data-mesher/sops/machines/admin/key.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "publickey": "age10zxkj45fah3qa8uyg3a36jsd06d839xfq64nrez9etrsf4km0gtsp45gsz",
- "type": "age"
-}
diff --git a/checks/data-mesher/sops/machines/peer/key.json b/checks/data-mesher/sops/machines/peer/key.json
deleted file mode 100755
index 873f72d50..000000000
--- a/checks/data-mesher/sops/machines/peer/key.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "publickey": "age1faqrml2ukc6unfm75d3v2vnaf62v92rdxaagg3ty3cfna7vt99gqlzs43l",
- "type": "age"
-}
diff --git a/checks/data-mesher/sops/machines/signer/key.json b/checks/data-mesher/sops/machines/signer/key.json
deleted file mode 100755
index 7092dd868..000000000
--- a/checks/data-mesher/sops/machines/signer/key.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "publickey": "age153mke8v2qksyqjc7vta7wglzdqr5epazt83nch0ur5v7kl87cfdsr07qld",
- "type": "age"
-}
diff --git a/checks/data-mesher/sops/secrets/admin-age.key/secret b/checks/data-mesher/sops/secrets/admin-age.key/secret
deleted file mode 100644
index 4f9d26259..000000000
--- a/checks/data-mesher/sops/secrets/admin-age.key/secret
+++ /dev/null
@@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:7xyb6WoaN7uRWEO8QRkBw7iytP5hFrA94VRi+sy/UhzqT9AyDPmxB/F8ASFsBbzJUwi0Oqd2E1CeIYRoDhG7JHnDyL2bYonz2RQ=,iv:slh3x774m6oTHAXFwcen1qF+jEchOKCyNsJMbNhqXHE=,tag:wtK8H8PZCESPA1vZCd7Ptw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTzZ4RTVNb2I1MTBRMEcy\neU1Eek9GakkydEJBVm9kR3AyY1pEYkorNUYwCkh2WHhNQmc1eWI2cCtEUFFWdzJq\nS0FvQWtoOFkzRVBxVzhuczc0aVprbkkKLS0tIFRLdmpnbzY1Uk9LdklEWnQzZHM2\nVEx3dzhMSnMwaWE0V0J6VTZ5ZVFYMjgKdaICa/hprHxhH89XD7ri0vyTT4rM+Si0\niHcQU4x64dgoJa4gKxgr4k9XncjoNEjJhxL7i/ZNZ5deaaLRn5rKMg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-04-08T13:24:55Z", - "mac": "ENC[AES256_GCM,data:TJWDHGSRBfOCW8Q+t3YxG3vlpf9a5u7B27AamnOk95huqIv0htqWV3RuV7NoOZ5v2ijqSe/pLfpwrmtdhO2sUBEvhdhJm8UzLShP7AbH9lxV+icJOsY7VSrp+R5W526V46ONP6p47b7fOQBbp03BMz01G191N68WYOf6k2arGxU=,iv:nEyTBwJ2EA+OAl8Ulo5cvFX6Ow2FwzTWooF/rdkPiXg=,tag:oYcG16zR+Fb5XzVsHhq2Qw==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.9.4" - } -} \ No newline at end of file diff --git a/checks/data-mesher/sops/secrets/peer-age.key/secret b/checks/data-mesher/sops/secrets/peer-age.key/secret deleted file mode 100644 index 09c7b119d..000000000 --- a/checks/data-mesher/sops/secrets/peer-age.key/secret +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:JOOhvl0clDD/b5YO45CXR3wVopBSNe9dYBG+p5iD+nniN2OgOwBgYPNSCVtc+NemqutD12hFUSfCzXidkv0ijhD1JZeLar9Ygxc=,iv:XctQwSYSvKhDRk/XMacC9uMydZ8e9hnhpoWTgyXiFI0=,tag:foAhBlg4DwpQU2G9DzTo5g==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVWMvWkp5TnZQcGs5Ykhp\nWC91YkoyZERqdXpxQm5JVmRhaUhueEJETDJVCkM4V0hSYldkV1U2Q0d1TGh3eGNR\nVjJ1VFd6ZEN0SXZjSVEvcnV2WW0vbVUKLS0tIFRCNW9nWHdYaUxLSVVUSXM0OGtN\nVFMzRXExNkYxcFE3QWlxVUM3ay9INm8KV6r8ftpwarly3qXoU9y8KxKrUKLvP9KX\nGsP0pORsaM+qPMsdfEo35CqhAeQu0+6DWd7/67+fUMp6Jr0DthtTmg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-04-08T13:25:28Z", - "mac": "ENC[AES256_GCM,data:scY9+/fcXhfHEdrsZJLOM6nfjpRaURgTVbCRepUjhUo24B4ByEsAo2B8psVAaGEHEsFRZuoiByqrGzKhyUASmUs+wn+ziOKBTLzu55fOakp8PWYtQ4miiz2TQffp80gCQRJpykcbUgqIKXNSNutt4tosTBL7osXwCEnEQWd+SaA=,iv:1VXNvLP6DUxZYEr1juOLJmZCGbLp33DlwhxHQV9AMD4=,tag:uFM1R8OmkFS74/zkUG0k8A==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.9.4" - } -} \ No newline at end of file diff --git a/checks/data-mesher/sops/secrets/signer-age.key/secret b/checks/data-mesher/sops/secrets/signer-age.key/secret deleted file mode 100644 index d44a9a594..000000000 --- a/checks/data-mesher/sops/secrets/signer-age.key/secret +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:i1YBJdK8XmWnVnZKBpmWggSN8JSOr8pm2Zx+CeE8qqeLZ7xwMO8SYCutM8l94M5vzmmX0CmwzeMZ/JVPbEwFd3ZAImUfh685HOY=,iv:N4rHNaX+WmoPb0EZPqMt+CT1BzaWO9LyoemBxKn+u/s=,tag:PnzSvdGwVnTMK8Do8VzFaQ==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RXlmcVNGTnlkY2ZqZFlH\nVnh0eHhRNE5hRDNDVkt0TEE0bmRNN2JIVkN3CkxnaGM4Y3M3a0xoK2xMRzBLMHRV\nT1FzKzNRMFZOeWc2K3E5K2FzdUsvWmsKLS0tIENtVlFSWElHN3RtOUY2alhxajhs\naXI1MmR4WC9EVGVFK3dHM1gvVnlZMVUKCyLz0DkdbWfSfccShO1xjWfxhunEIbD0\n6imeIBhZHvVJmZLXnVl7B0pNXo6be7WSBMAUM9gUtCNh4zaChBNwGw==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-04-08T13:25:52Z", - "mac": "ENC[AES256_GCM,data:WFGysoXN95e/RxL094CoL4iueqEcSqCSQZLahwz9HMLi+8HWZIXr55a+jyK7piqR8nBS4BquU5fKhlC6BvEbZFt69t4onTA+LxS3D7A8/TO0CWS0RymUjW9omJUseRQWwAHtE7l0qI5hdOUKhQ+o5pU+2bc3PUlaONM0aOCCoFo=,iv:l1f4aVqLl5VAMfjNxDbxQEQp/qY/nxzgv2GTuPVBoBA=,tag:4PPDCmDrviqdn42RLHQYbA==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.9.4" - } -} \ No newline at end of file diff --git a/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/secret b/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/secret deleted file mode 100644 index 109c00b34..000000000 --- a/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/secret +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:w3bU23Pfe8W89lF+tOmEYPU/A4FkY6n7rgQ6yo+eqCJFxTyHydV6Mg4/g4jaL+4wwIqNYRiMR8J8jLhSvw3Bc59u7Ul+RGwdpiKoBBJfsHjO8r6uOz2u9Raa+iUJH1EJWmGvsQXAILpliZ+klS96VWnGN3pYMEI=,iv:7QbUxta6NPQLZrh6AOcNe+0wkrADuTI9VKVp8q+XoZ8=,tag:ZH0t3RylfQk5U23ZHWaw0g==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age10zxkj45fah3qa8uyg3a36jsd06d839xfq64nrez9etrsf4km0gtsp45gsz", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTBoSFJVSTdZeW4wZG9p\nWFR1LzVmYS8xWmRqTlNtWFVkSW9jZXpVejJBCkpqZm12L1dDSmNhekVsK1JBOU9r\nZThScGdDakFlRzNsVXp1eE5yOStFSW8KLS0tIFRrTkZBQlRsR2VNcUJvNEkzS2pw\nNksvM296UkFWTkZDVVp1ZVZMNUs4cWsKWTteB1G9Oo38a81PeqKO09NUQetuqosC\nhrToQ6NMo5O7/StmVG228MHbJS3KLXsvh2AFOEPyZrbpB2Opd2wwoA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6U2FWRThRNkVQdk9yZ0VE\nM09iSVhmeldMcDZVaFRDNGtjWTdBa0VIT2pJCkdtd04xSXdicDY3OHI1WXl5TndB\nemtQeW1SS2tVVllPUHhLUTRla3haZGMKLS0tIGN0NVNEN3RKeWM0azBBMnBpQU4r\nTFFzQ0lOcGt0ek9UZmZZRjhibTNTc0EKReUwYBVM1NKX0FD/ZeokFAAknwju5Azq\nGzl4UVJBi5Es0GWORdCGElPXMd7jMud1SwgY04AdZj/dzinCSW4CZw==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-04-08T13:25:10Z", - "mac": "ENC[AES256_GCM,data:0vl9Gt4QeH+GJcnl8FuWSaqQXC8S6Pe50NmeDg5Nl2NWagz8aLCvOFyTqX/Icp/bTi1XQ5icHHhF3YhM+QAvdUL3aO0WGbh92dPRnFuvlZsdtwCFhT+LyHyYHFf6yP+0h/uFpJv9fE6xY22CezA6ZVQ8ywi1epaC548Gr27uVe4=,iv:G4hZVCLkIpbg9uwB7Y8xtHLdnlmBvFrPjxSoqdyHNvM=,tag:uvKwakhUY2aa7v0tmR/o8A==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.9.4" - } -} \ No newline at end of file 
diff --git a/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/public_key/value b/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/public_key/value deleted file mode 100644 index d3041c8f3..000000000 --- a/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/public_key/value +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN PUBLIC KEY----- -MCowBQYDK2VwAyEAm204bpSFi4jOjZuXDpIZ/rcJBrbG4zAc7OSA4rAVSYE= ------END PUBLIC KEY----- diff --git a/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/secret b/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/secret deleted file mode 100644 index 13d420523..000000000 --- a/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/secret +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:kERPY40pyvke0mRBnafa4zOaF46rbueRbhpUCXjYP5ORpC7zoOhbdlVBhOsPqE2vfEP4RWkH+ZPdDYXOKXwotBCmlq2i7TfZeoNXFkzWXc3GyM5mndnjCc8hvYEQF1w6xkkVSUt4n06BAw/gT0ppz+vo5dExIA8=,iv:JmYD2o4DGqds6DV7ucUmUD0BRB61exbRsNAtINOR8cQ=,tag:Z58gVnHD+4s21Z84IRw+Vw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1faqrml2ukc6unfm75d3v2vnaf62v92rdxaagg3ty3cfna7vt99gqlzs43l", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OFluVThBdUJSTmRVTk94\neFZnLytvcnNSdmQvR3ZkT2UvWFVieFV1SUFNCm9jWHlyZXRwaVdFaG9ocnd4S3FU\ndTZ2dklBbkFVL0hVT0Y2L1o5dnUyNG8KLS0tIGFvYlBJR3l2b3F6OU9uMTFkYjli\nNVFLOWQzOStpU2kzb0xyZUFCMnBmMVUK5Jzssf1XBX25bq0RKlJY8NwtKIytxL/c\nBPPFDZywJiUgw1izsdfGVkRhhSFCQIz+yWIJWzr01NU2jLyFjSfCNw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYW92c3Q4SktwSnJ1TkRJ\nZEJyZk96cG8ybkpPQzYzVk0xZGs0eCtISVR3CmhDaWxTem1FMjJKNmZNaTkxN01n\nenUvdFI1UkFmL1lzNlM5N0Ixd0dpc1EKLS0tIHpyS2VHaHRRdUovQVgvRmRHaXh3\naFpSNURjTWkxaW9TOXpKL2IvcUFEbmMKq4Ch7DIL34NetFV+xygTdcpQjjmV8v1n\nlvYcjUO/9c3nVkxNMJYGjuxFLuFc4Gw+AyawCjpsIYXRskYRW4UR1w==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-04-08T13:25:43Z", - "mac": "ENC[AES256_GCM,data:YhL2d6i0VpUd15B4ow2BgRpyEm0KEA8NSb7jZcjI58d7d4lAqBMcDQB+8a9e2NZbPk8p1EYl3q4VXbEnuwsJiPZI2kabRusy/IGoHzUTUMFfVaOuUcC0eyINNVSmzJxnCbLCAA1Aj1yXzgRQ0MWr7r0RHMKw0D1e0HxdEsuAPrA=,iv:yPlMmE6+NEEQ9uOZzD3lUTBcfUwGX/Ar+bCu0XKnjIg=,tag:eR22BCFVAlRHdggg9oCeaA==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.9.4" - } -} \ No newline at end of file 
diff --git a/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/public_key/value b/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/public_key/value deleted file mode 100644 index 9e3ca3eb8..000000000 --- a/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/public_key/value +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN PUBLIC KEY----- -MCowBQYDK2VwAyEAv5dICFue2fYO0Zi1IyfYjoNfR6713WpISo7+2bSjL18= ------END PUBLIC KEY----- diff --git a/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/secret b/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/secret deleted file mode 100644 index 2e4d1fe4a..000000000 --- a/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/secret +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:U8F7clQ2Tuj8zy5EoEga/Mc9N3LLZrlFf5m7UJKrP5yybFRCJSBs05hOcNe+LQZdEAvvr0Qbkry1pQyE84gCVbxHvwkD+l3GbguBuLMsW96bHcmstb6AvZyhMDBpm73Azf4lXhNaiB8p2pDWdxV77E+PPw1MNYI=,iv:hQhN6Ak8tB6cXSCnTmmQqHEpXWpWck3uIVCk5pUqFqU=,tag:uC4ljcs92WPlUOfwSkrK9Q==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age153mke8v2qksyqjc7vta7wglzdqr5epazt83nch0ur5v7kl87cfdsr07qld", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvV05lejQrdUQvQjZPOG9v\nZ01naXlYZ1JxWHhDT1M1aUs1RWJDSU1acVFFCmdHY094aGRPYWxpdVVxSFVHRU9v\nNnVaeTlpSEdtSWRDMmVMSjdSOEQ4ZlEKLS0tIFo5NVk2bzBxYjZ5ZWpDWTMrQ2VF\nVThWUk0rVXpTY2svSCtiVDhTQ2kvbFkKEM2DBuFtdEj1G/vS1TsyIfQxSFFvPTDq\nCmO7L/J5lHdyfIXzp/FlhdKpjvmchb8gbfJn7IWpKopc7Zimy/JnGQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNzVUaHkzUzVEMlh1Q3Qr\nOEo0aDJIMG91amJiZG50MEhqblRCTWxRRVVRCk4xZlp4SkJuUHc2UnFyU1prczkz\nNGtlQlRlNnBDRFFvUGhReTh6MTBZaXMKLS0tIGxtaXhUMDM0RU4yQytualdzdTFt\nWGRiVG54MnYrR2lqZVZoT0VkbmV5WUUKbzAnOkn8RYOo7z4RISQ0yN875vSEQMDa\nnnttzVrQuK0/iZvzJ0Zq8U9+JJJKvFB1tHqye6CN0zMbv55CLLnA0g==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-04-08T13:26:07Z", - "mac": "ENC[AES256_GCM,data:uMss4+BiVupFqX7nHnMo+0yZ8RPuFD8VHYK2EtJSqzgurQrZVT4tJwY50mz2gVmwbrm49QYKk5S+H29DU0cM0HiEOgB5P5ObpXTRJPagWQ48CEFrDpBzLplobxulwnN6jJ1dpL3JF3jfrzrnSDFXMvx+n5x/86/AYXYRsi/UeyY=,iv:mPT1svKrNGmYpbL9hh2Bxxakml69q+U6gQ0ZnEcbEyg=,tag:zcZx1lTw/bEsX/1g+6T04g==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.9.4" - } -} \ No newline at end of file 
diff --git a/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/public_key/value b/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/public_key/value deleted file mode 100644 index 713e73f61..000000000 --- a/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/public_key/value +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN PUBLIC KEY----- -MCowBQYDK2VwAyEAeUkW5UIwA1svbNY71ePyJKX68UhxrqIUGQ2jd06w5WM= ------END PUBLIC KEY----- diff --git a/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/secret b/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/secret deleted file mode 100644 index 783418874..000000000 --- a/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/secret +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:nRlCMF58cnkdUAE2aVHEG1+vAckKtVt48Jr21Bklfbsqe1yTiHPFAMLL1ywgWWWd7FjI/Z8WID9sWzh9J8Vmotw4aJWU/rIQSeF8cJHALvfOxarJIIyb7purAiPoPPs6ggGmSmVFGB1aw8kH1JMcppQN8OItdQM=,iv:qTwaL2mgw6g7heN/H5qcjei3oY+h46PdSe3v2hDlkTs=,tag:jYNULrOPl9mcQTTrx1SDeA==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age153mke8v2qksyqjc7vta7wglzdqr5epazt83nch0ur5v7kl87cfdsr07qld", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRcG44cGFBWXk2Z0pmNklv\nTnJ5b0svLytzZmNNRkxCVU1zaDVhNUs2cld3CklsenpWd0g2OEdKKzBMQlNEejRn\nTlEvY01HYjdvVExadnN3aXZIRTZ4YlEKLS0tIGRPUXdNSHZCRDBMbno2MjJqRHBl\nSzdiSURDYitQWFpaSElkdmdicDVjMWsKweQiRqyzXmzabmU2fmgwHtOa9uDmhx9O\ns9NfUhC3ifooQUSeYp58b1ZGJQx5O5bn9q/DaEoit5LTOUprt1pUPA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTEdlL29sVWFpSDNNaXRJ\ndTJDRkU4VzFPQ0M4MkFha2IxV2FXN2o3ZEFRCjF3UnZ5U1hTc3VvSTIzcWxOZjl0\ncHlLVEFqRk1UbGdxaUxEeDFqbFVYaU0KLS0tIFFyMnJkZnRHdWg4Z1IyRHFkY0I5\nQjdIMGtGLzRGMFM0ektDZ3hzZDdHSmMKvxOQuKgePom0QfPSvn+4vsGHhJ4BoOvW\nc27Vn4/i4hbjfJr4JpULAwyIwt3F0RaTA2M6EkFkY8otEi3vkcpWvA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age10zxkj45fah3qa8uyg3a36jsd06d839xfq64nrez9etrsf4km0gtsp45gsz", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZzdsaVRnSmsrMGR1Ylg3\nZkpscTdwNUl5NUVXN3kvMU1icE0yZU1WSEJBClB6SlJYZUhDSElRREx5b0VueFUw\nNVFRU3BSU24yWEtpRnJoUC83SDVaUWsKLS0tIGVxNEo3TjlwakpDZlNsSkVCOXlz\nNDgwaE1xNjZkSnJBVlU5YXVHeGxVNFEKsXKyTzq9VsERpXzbFJGv/pbAghFAcXkf\nMmCgQHsfIMBJQUstcO8sAkxv3ced0dAEz8O6NUd0FS2zlhBzt29Rnw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1faqrml2ukc6unfm75d3v2vnaf62v92rdxaagg3ty3cfna7vt99gqlzs43l", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkK1hDMGxCc1IvYXlJMnBF\nWncxaXBQa1RpTWdwUHc3Yk16My8rVHNJc2dFCkNlK2h0dy9oU3Z5ZGhwRWVLYVUz\ncVBKT2x5VnlhbXNmdHkwbmZzVG5sd0EKLS0tIHJaMzhDanF4Rkl3akN4MEIxOHFC\nYWRUZ08xb1UwOFNRaktkMjIzNXZmNkUK1rlbJ96oUNQZLmCmPNDOKxfDMMa+Bl2E\nJPxcNc7XY3WBHa3xFUbcqiPxWxDyaZjhq/LYQGpepiGonGMEzR5JOQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-04-08T13:25:20Z", - "mac": "ENC[AES256_GCM,data:za9ku+9lu1TTRjbPcd5LYDM4tJsAYF/yuWFCGkAhqcYguEducsIfoKBwL42ahAzqLjCZp91YJuINtw16mM+Hmlhi/BVwhnXNHqcfnKoAS/zg9KJvWcvXwKMmjEjaBovqaCWXWoKS7dn/wZ7nfGrlsiUilCDkW4BzTIzkqNkyREU=,iv:2X9apXMatwCPRBIRbPxz6PJQwGrlr7O+z+MrsnFq+sQ=,tag:IYvitoV4MhyJyRO1ySxbLQ==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.9.4" - } -} \ No newline at end of file diff --git a/checks/data-mesher/vars/shared/data-mesher-network-key/public_key/value b/checks/data-mesher/vars/shared/data-mesher-network-key/public_key/value deleted file mode 100644 index 34598118c..000000000 --- a/checks/data-mesher/vars/shared/data-mesher-network-key/public_key/value +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN PUBLIC KEY----- -MCowBQYDK2VwAyEA/5j+Js7oxwWvZdfjfEO/3UuRqMxLKXsaNc3/5N2WSaw= ------END PUBLIC KEY----- diff --git a/checks/flake-module.nix b/checks/flake-module.nix index 8cb587f45..eddd8e4b2 100644 --- a/checks/flake-module.nix +++ b/checks/flake-module.nix @@ -94,7 +94,6 @@ in service-dummy-test = import ./service-dummy-test nixosTestArgs; service-dummy-test-from-flake = import ./service-dummy-test-from-flake nixosTestArgs; - service-data-mesher = import ./data-mesher nixosTestArgs; }; packagesToBuild = lib.removeAttrs self'.packages [ diff --git a/clanServices/data-mesher/README.md b/clanServices/data-mesher/README.md new file mode 100644 index 000000000..172430861 --- /dev/null +++ b/clanServices/data-mesher/README.md 
@@ -0,0 +1,10 @@
+---
+description = "Set up data-mesher"
+categories = ["System"]
+features = [ "inventory" ]
+
+[constraints]
+roles.admin.min = 1
+roles.admin.max = 1
+---
+
diff --git a/clanServices/data-mesher/admin.nix b/clanServices/data-mesher/admin.nix
new file mode 100644
index 000000000..a22392837
--- /dev/null
+++ b/clanServices/data-mesher/admin.nix
@@ -0,0 +1,29 @@
+{
+ lib,
+ config,
+ settings,
+ ...
+}:
+{
+
+ services.data-mesher.initNetwork =
+ let
+ # for a given machine, read it's public key and remove any new lines
+ readHostKey =
+ machine:
+ let
+ path = "${config.clan.core.settings.directory}/vars/per-machine/${machine}/data-mesher-host-key/public_key/value";
+ in
+ builtins.elemAt (lib.splitString "\n" (builtins.readFile path)) 1;
+ in
+ {
+ enable = true;
+ keyPath = config.clan.core.vars.generators.data-mesher-network-key.files.private_key.path;
+
+ tld = settings.network.tld;
+ hostTTL = settings.network.hostTTL;
+
+ # admin and signer host public keys
+ signingKeys = builtins.map readHostKey (builtins.attrNames settings.bootstrapNodes);
+ };
+}
diff --git a/clanServices/data-mesher/default.nix b/clanServices/data-mesher/default.nix
new file mode 100644
index 000000000..4acbd6d52
--- /dev/null
+++ b/clanServices/data-mesher/default.nix
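Review bot: In admin.nix, `signingKeys` is built from `builtins.attrNames settings.bootstrapNodes`, but the comment directly above it says "admin and signer host public keys", so the set of trusted signing keys follows whichever names appear in the bootstrap list rather than role membership. A machine listed only as a gateway would gain signing authority, and an admin or signer left out of that list would lose it. Deriving the names from the `roles` argument that default.nix already passes through `_module.args` would match the comment, for example `builtins.attrNames (roles.admin.machines // roles.signer.machines)`, assuming `roles.<role>.machines` is keyed by machine name, which is not visible in this patch. `readHostKey` also picks line index 1 with `builtins.elemAt`, which assumes a three-line PEM whose body fits on one line. I would check the BEGIN/END lines and `throw` a message naming the machine and path, so a missing or differently wrapped key does not surface as an index error or a truncated key.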
@@ -0,0 +1,142 @@
+{ ... }:
+let
+ sharedInterface =
+ { lib, ... }:
+ {
+ options = {
+ bootstrapNodes = lib.mkOption {
+ type = lib.types.nullOr (lib.types.attrsOf lib.types.str);
+ # the default bootstrap nodes are any machines with the admin or signers role
+ # we iterate through those machines, determining an IP address for them based on their VPN
+ # currently only supports zerotier
+ # default = builtins.foldl' (
+ # urls: name:
+ # let
+ # ipPath = "${config.clan.core.settings.directory}/vars/per-machine/${name}/zerotier/zerotier-ip/value";
+ # in
+ # if builtins.pathExists ipPath then
+ # let
+ # ip = builtins.readFile ipPath;
+ # in
+ # urls ++ [ "[${ip}]:${builtins.toString settings.network.port}" ]
+ # else
+ # urls
+ # ) [ ] (dmLib.machines config).bootstrap;
+ description = ''
+ A list of bootstrap nodes that act as an initial gateway when joining
+ the cluster.
+ '';
+ example = {
+ "node1" = "192.168.1.1:7946";
+ "node2" = "192.168.1.2:7946";
+ };
+ };
+
+ network = {
+ interface = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ The interface over which cluster communication should be performed.
+ All the ip addresses associate with this interface will be part of
+ our host claim, including both ipv4 and ipv6.
+
+ This should be set to an internal/VPN interface.
+ '';
+ example = "tailscale0";
+ };
+
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 7946;
+ description = ''
+ Port to listen on for cluster communication.
+ '';
+ };
+ };
+ };
+ };
+in
+{
+ _class = "clan.service";
+ manifest.name = "data-mesher";
+ manifest.description = "Set up data-mesher";
+ manifest.categories = [ "System" ];
+ manifest.readme = builtins.readFile ./README.md;
+
+ roles.admin = {
+ interface =
+ { lib, ... }:
+ {
+
+ imports = [ sharedInterface ];
+
+ options = {
+
+ network = {
+ tld = lib.mkOption {
+ type = lib.types.str;
+ default = "clan";
+ description = "Top level domain to use for the network";
+ };
+
+ hostTTL = lib.mkOption {
+ type = lib.types.str;
+ default = "${toString (24 * 28)}h";
+ example = "24h";
+ description = "The TTL for hosts in the network, in the form of a Go time.Duration";
+ };
+ };
+ };
+ };
+ perInstance =
+ { settings, roles, ... }:
+ {
+ nixosModule = {
+ imports = [
+ ./admin.nix
+ ./shared.nix
+ ];
+ _module.args = { inherit settings roles; };
+ };
+ };
+ };
+
+ roles.signer = {
+ interface =
+ { ... }:
+ {
+ imports = [ sharedInterface ];
+ };
+ perInstance =
+ { settings, roles, ... }:
+ {
+ nixosModule = {
+ imports = [
+ ./signer.nix
+ ./shared.nix
+ ];
+ _module.args = { inherit settings roles; };
+ };
+ };
+ };
+
+ roles.peer = {
+ interface =
+ { ... }:
+ {
+ imports = [ sharedInterface ];
+ };
+ perInstance =
+ { settings, roles, ... }:
+ {
+ nixosModule = {
+ imports = [
+ ./peer.nix
+ ./shared.nix
+ ];
+ _module.args = { inherit settings roles; };
+ };
+ };
+ };
+
+}
diff --git a/clanServices/data-mesher/flake-module.nix b/clanServices/data-mesher/flake-module.nix
new file mode 100644
index 000000000..3ec78883a
--- /dev/null
+++ b/clanServices/data-mesher/flake-module.nix
@@ -0,0 +1,17 @@
+{ lib, ... }:
+let
+ module = lib.modules.importApply ./default.nix { };
+in
+{
+ clan.modules = {
+ data-mesher = module;
+ };
+ perSystem =
+ { ... }:
+ {
+ clan.nixosTests.service-data-mesher = {
+ imports = [ ./tests/vm/default.nix ];
+ clan.modules."@clan/data-mesher" = module;
+ };
+ };
+}
diff --git a/clanServices/data-mesher/peer.nix b/clanServices/data-mesher/peer.nix
new file mode 100644
index 000000000..2c63c0851
--- /dev/null
+++ b/clanServices/data-mesher/peer.nix
@@ -0,0 +1,2 @@
+{
+}
diff --git a/clanServices/data-mesher/shared.nix b/clanServices/data-mesher/shared.nix
new file mode 100644
index 000000000..885bfba5d
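Review bot: `bootstrapNodes` in default.nix is typed `lib.types.nullOr (lib.types.attrsOf lib.types.str)` and its default is commented out, yet admin.nix and shared.nix call `builtins.attrNames` and `builtins.attrValues` on it directly, so `null` passes the type check and then fails during evaluation. Either drop the wrapper, `type = lib.types.attrsOf lib.types.str;`, or add `default = { };` so the consumers always receive an attribute set. The description still reads "A list of bootstrap nodes" although the type and example are an attribute set; because admin.nix uses the attribute names to locate host public keys under `vars/per-machine/`, the description should state that the keys must be clan machine names.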
--- /dev/null
+++ b/clanServices/data-mesher/shared.nix
@@ -0,0 +1,86 @@
+{
+ config,
+ settings,
+ ...
+}:
+{
+
+ services.data-mesher = {
+ enable = true;
+ openFirewall = true;
+
+ settings = {
+ log_level = "warn";
+ state_dir = "/var/lib/data-mesher";
+
+ # read network id from vars
+ network.id = config.clan.core.vars.generators.data-mesher-network-key.files.public_key.value;
+
+ host = {
+ names = [ config.networking.hostName ];
+ key_path = config.clan.core.vars.generators.data-mesher-host-key.files.private_key.path;
+ };
+
+ cluster = {
+ port = settings.network.port;
+ join_interval = "30s";
+ push_pull_interval = "30s";
+ interface = settings.network.interface;
+ bootstrap_nodes = (builtins.attrValues settings.bootstrapNodes);
+ };
+
+ http.port = 7331;
+ http.interface = "lo";
+ };
+ };
+
+ # Generate host key.
+ clan.core.vars.generators.data-mesher-host-key = {
+ files =
+ let
+ owner = config.users.users.data-mesher.name;
+ in
+ {
+ private_key = {
+ inherit owner;
+ };
+ public_key.secret = false;
+ };
+
+ runtimeInputs = [
+ config.services.data-mesher.package
+ ];
+
+ script = ''
+ data-mesher generate keypair \
+ --public-key-path "$out"/public_key \
+ --private-key-path "$out"/private_key
+ '';
+ };
+
+ clan.core.vars.generators.data-mesher-network-key = {
+ # generated once per clan
+ share = true;
+
+ files =
+ let
+ owner = config.users.users.data-mesher.name;
+ in
+ {
+ private_key = {
+ inherit owner;
+ };
+ public_key.secret = false;
+ };
+
+ runtimeInputs = [
+ config.services.data-mesher.package
+ ];
+
+ script = ''
+ data-mesher generate keypair \
+ --public-key-path "$out"/public_key \
+ --private-key-path "$out"/private_key
+ '';
+ };
+}
diff --git a/clanServices/data-mesher/signer.nix b/clanServices/data-mesher/signer.nix
new file mode 100644
index 000000000..2c63c0851
--- /dev/null
+++ b/clanServices/data-mesher/signer.nix
@@ -0,0 +1,2 @@
+{
+}
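Review bot: The `data-mesher-network-key` generator, including its `private_key` file, is declared in shared.nix, which all three roles import, while the only consumer of the private half in this patch is `initNetwork.keyPath` in admin.nix. The regenerated fixture at `vars/shared/data-mesher-network-key/private_key/secret` is accordingly encrypted to the admin, peer and signer machine keys, which means every member machine can decrypt the key that initialises the network. Peers and signers only read `public_key.value` for `network.id`, so the private file should be limited to the admin role if the vars framework allows that split. Separately, `openFirewall = true` is unconditional although the `network.interface` option asks for an internal/VPN interface; whether the upstream module scopes the rule to that interface is not visible here and should be confirmed.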
diff --git a/clanServices/data-mesher/tests/vm/default.nix b/clanServices/data-mesher/tests/vm/default.nix
new file mode 100644
index 000000000..b0ee33771
--- /dev/null
+++ b/clanServices/data-mesher/tests/vm/default.nix
@@ -0,0 +1,90 @@
+{
+ ...
+}:
+{
+ name = "service-data-mesher";
+
+ clan = {
+ directory = ./.;
+ test.useContainers = true;
+ inventory = {
+
+ machines.peer = { };
+ machines.admin = { };
+ machines.signer = { };
+
+ instances = {
+ data-mesher =
+ let
+ bootstrapNodes = {
+ admin = "[2001:db8:1::1]:7946";
+ peer = "[2001:db8:1::2]:7946";
+ # signer = "2001:db8:1::3:7946";
+ };
+ in
+ {
+ roles.peer.machines.peer.settings = {
+ network.interface = "eth1";
+ inherit bootstrapNodes;
+ };
+ roles.signer.machines.signer.settings = {
+ network.interface = "eth1";
+ inherit bootstrapNodes;
+ };
+ roles.admin.machines.admin.settings = {
+ network.tld = "foo";
+ network.interface = "eth1";
+ inherit bootstrapNodes;
+ };
+ };
+ };
+ };
+ };
+
+ nodes =
+ let
+ commonConfig =
+ { lib, config, ... }:
+ {
+ environment.systemPackages = [
+ config.services.data-mesher.package
+ ];
+
+ # speed up for testing
+ services.data-mesher.settings = {
+ cluster.join_interval = lib.mkForce "2s";
+ cluster.push_pull_interval = lib.mkForce "5s";
+ };
+
+ };
+ in
+ {
+ peer = commonConfig;
+ admin = commonConfig;
+ signer = commonConfig;
+ };
+
+ testScript = ''
+ def resolve(node, success = {}, fail = [], timeout = 60):
+ for hostname, ips in success.items():
+ for ip in ips:
+ node.wait_until_succeeds(f"getent ahosts {hostname} | grep {ip}", timeout)
+
+ for hostname in fail:
+ node.wait_until_fails(f"getent ahosts {hostname}")
+
+ start_all()
+
+ admin.wait_for_unit("data-mesher")
+ signer.wait_for_unit("data-mesher")
+ peer.wait_for_unit("data-mesher")
+
+ # check dns resolution
+ for node in [admin, signer, peer]:
+ resolve(node, {
+ "admin.foo": ["2001:db8:1::1", "192.168.1.1"],
+ "peer.foo": ["2001:db8:1::2", "192.168.1.2"],
+ "signer.foo": ["2001:db8:1::3", "192.168.1.3"]
+ })
+ '';
+}
diff --git a/clanServices/data-mesher/tests/vm/sops/machines/admin/key.json b/clanServices/data-mesher/tests/vm/sops/machines/admin/key.json
new file mode 100755
index 000000000..0ea02bfa9
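Review bot: In `resolve`, the `fail` branch calls `node.wait_until_fails(f"getent ahosts {hostname}")` without the `timeout` that the success branch passes, and no call in the test script supplies `fail`, so the test contains no negative assertion. Pass the timeout through, `node.wait_until_fails(f"getent ahosts {hostname}", timeout)`, and add one check that a name outside the mesh does not resolve, for example `resolve(node, fail=["unknown.foo"])` (constructed hostname). The commented entry `# signer = "2001:db8:1::3:7946";` also lacks the brackets the other IPv6 entries use, which would matter if it is re-enabled. The mutable defaults `success = {}` and `fail = []` are never mutated here, but `None` defaults would be the usual style.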
--- /dev/null +++ b/clanServices/data-mesher/tests/vm/sops/machines/admin/key.json @@ -0,0 +1,6 @@ +[ + { + "publickey": "age1r99qtxl0v86wg8ndcem87yk5wag5xcsk98ngaumqzww6t7pyms0q5cyl80", + "type": "age" + } +] diff --git a/clanServices/data-mesher/tests/vm/sops/machines/peer/key.json b/clanServices/data-mesher/tests/vm/sops/machines/peer/key.json new file mode 100755 index 000000000..ab89f12eb --- /dev/null +++ b/clanServices/data-mesher/tests/vm/sops/machines/peer/key.json @@ -0,0 +1,6 @@ +[ + { + "publickey": "age1hgjs2yqxhcxfgtvhydnfe5wzlagxw2dw4hu658e8neduy0lkye0skmjfc7", + "type": "age" + } +] diff --git a/clanServices/data-mesher/tests/vm/sops/machines/signer/key.json b/clanServices/data-mesher/tests/vm/sops/machines/signer/key.json new file mode 100755 index 000000000..601f70de7 --- /dev/null +++ b/clanServices/data-mesher/tests/vm/sops/machines/signer/key.json @@ -0,0 +1,6 @@ +[ + { + "publickey": "age1k6h9mespmnr9zhtwwqlhnla80x5jhpd4c2p7hp0nfanr5tspup0s0rld2f", + "type": "age" + } +] diff --git a/clanServices/data-mesher/tests/vm/sops/secrets/admin-age.key/secret b/clanServices/data-mesher/tests/vm/sops/secrets/admin-age.key/secret new file mode 100644 index 000000000..874052ca3 --- /dev/null +++ b/clanServices/data-mesher/tests/vm/sops/secrets/admin-age.key/secret 
@@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:87WFWukgpTGlH67MTkHxzTosABK/6flJObt+u9UrGSOzBr1lx4V5IsMQ9HAM4jvLpveBNH4hlFDCxbD5666n2oYylGoyBph2vAg=,iv:GKLcU7Xqmb0ImvY7M71NddkOlUDSPa/fcXrXny2iZ1o=,tag:589QMSZeXdmTxRFtMFasZg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFaXlqZEU0eHRZZjBncDE1\nV2hzTGZiVy9rM0NnWjc1NlpHVVZEUFd5S2pJCmo3Nm11bGQyWWt1R2tHS2pOYlpn\nY3lGa0w3UFpDT1RLSDU4cnJ2YVBkSU0KLS0tIEJjZVc1YXJqcHczYSt6WjV3ai93\nakdPd3VHWkVnWkdhNCtZakp4VXhBUG8Kg3xd9w5oW3/q+s59LkDy5N+xmvuvHRmh\njUv6KFLaB81yv3kb7bzj8E3aMzX0x2fMIDZ3EoPVggqA/sCWQu0p5Q==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-07-09T10:02:45Z", + "mac": "ENC[AES256_GCM,data:IWKfE1Y6SNg/SK+OOAmra5SwqAUfhepCNPClWPDWpOyJDwXSpk/OKl7hi3KFfIZOGupaC0xV2tTni0Uj6IBwf8zW2Mb/b1T+fWkGiyafoKlucfNPXPCob/fyf4Ju4iD/u1mD5BYYYqNTNqJWE+MCyQigL0MPE4tXGEPDa7htM6w=,iv:5RKArbEKnYjacopfL+4QhzGB8txqc3gnlwNPfRWQSlM=,tag:mdXf02nYiW7CexIbUUaMyw==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/checks/data-mesher/sops/secrets/admin-age.key/users/admin b/clanServices/data-mesher/tests/vm/sops/secrets/admin-age.key/users/admin similarity index 100% rename from checks/data-mesher/sops/secrets/admin-age.key/users/admin rename to clanServices/data-mesher/tests/vm/sops/secrets/admin-age.key/users/admin diff --git a/clanServices/data-mesher/tests/vm/sops/secrets/peer-age.key/secret b/clanServices/data-mesher/tests/vm/sops/secrets/peer-age.key/secret new file mode 100644 index 000000000..283b937fb --- /dev/null +++ b/clanServices/data-mesher/tests/vm/sops/secrets/peer-age.key/secret 
@@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:C9evAr01JpYiMBwuy31h+G9phm+uOYoQu+PegPFAMRbjgkjh0R+uolKtweedtHumMhzEkvz7y+BlfrriVh16ceyMozfzDEkVSWM=,iv:jM4Qx4B/j5Mvc3ybOf+10hKU19l1fCc5KcKulKgMP3c=,tag:mz01kIv5kU6u3f2+FeItYA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydzZrdDVidGpyd1NXT0Fu\nUEtZV3I4S0p5Z095QjBGaXpwOExJSkxVclVJCm54Vk12czQ5dm5TUExNNzlEcFNp\nUWorcWc1c1pvL3pkUFlQY3BJUGhUS3MKLS0tIHd2a291M0xkcjJvTXNnelRNZXda\nQi93R3FQVm0xTXBGR3E3SVpIMzgvR3MKmps5ObV1nODBQ0TKgZ++RLkjCEQM6sMn\nzonKtBingYzfeq+0+cASVkHZJpt/t0G5wmTgivKfv0OIP5eNSgIWFw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-07-09T10:02:57Z", + "mac": "ENC[AES256_GCM,data:Jk5eL2SmNpakrGF4N/31Q/PWShV5KYfA8NmlxEkD82UsIpPiIJ4Nec6NOoo7Y4bl/J53MLjK3u0/S6q7vv0Tih6+ze6hIddMJHTCp2qqclJvpH2xn6Ln+2ZK4okK2ZbWeSDF+LHc6nIpBak8JVjC/d8dQFT2L49Dkufc1nCD46w=,iv:oR0aQzjaEpFNrpWGc1TX6/zpg0WSfQjVG6VjAMwoLTI=,tag:pigUaCkVv91tynuaNoZenA==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/checks/data-mesher/sops/secrets/peer-age.key/users/admin b/clanServices/data-mesher/tests/vm/sops/secrets/peer-age.key/users/admin similarity index 100% rename from checks/data-mesher/sops/secrets/peer-age.key/users/admin rename to clanServices/data-mesher/tests/vm/sops/secrets/peer-age.key/users/admin diff --git a/clanServices/data-mesher/tests/vm/sops/secrets/signer-age.key/secret b/clanServices/data-mesher/tests/vm/sops/secrets/signer-age.key/secret new file mode 100644 index 000000000..191661c46 --- /dev/null +++ b/clanServices/data-mesher/tests/vm/sops/secrets/signer-age.key/secret 
@@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:bIx3chjDwy4epCyFuJoZlO7EglT/vEg6pdf6x+ISxqekGrrGNdiGtw3Z9foXWAPQrzngVztbwIlcEpUusKwoRPpdGIj5YzbGZbU=,iv:Gi1hjn6cL8z+LP5g6o3bUMsuIzoZRr8e3j3EBwG3p+Y=,tag:ttIfOLhDroV/WK57KBFd0w==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNVh6OGE4aGJxbFd2Zks1\nL1ZoNkgrQjFSVFFUL2UzOGNqRXFkZURTMkJRCnZMWk00enRndzNXQmFvMG1UekI0\nUjhwZW9sQnFvb0FGbVE0N042UjF2OTAKLS0tIEdickxQdDdaZkVmN3RsemJzSElY\nWThGQVNMcnpxRlJ3bC9wVE56blljQUUK21wWOBiQc0Kyvl047nJ1N6QKR0/5Dd6r\nlqhhdFWninzqfVXJUk2pcMio8RVlvBujDsyjrPuhbRceSi+bUXIn+w==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-07-09T10:03:08Z", + "mac": "ENC[AES256_GCM,data:kA2KCDZkZuR5rD7uU4xn5sIkizcnpGcoa3PYMbl73eux7JJYuSpUojFBRcYo1WCwMeOQUGsqo8LVF/rYhH4BVJ9LERs5zTLBaUsTarY8r/UK0Q5lNYZqIrqcb5LgOf1uCvfdXg5yfaFgPFJrEqjeekb9bx8xvhDZXpsND93rrUI=,iv:B6JqWWcQV/MxP4ucAIe7EnLiq9c4pnAUj3dnEp9IXJU=,tag:1i0Fv2i7Lak5JzIbPa2/cw==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/checks/data-mesher/sops/secrets/signer-age.key/users/admin b/clanServices/data-mesher/tests/vm/sops/secrets/signer-age.key/users/admin similarity index 100% rename from checks/data-mesher/sops/secrets/signer-age.key/users/admin rename to clanServices/data-mesher/tests/vm/sops/secrets/signer-age.key/users/admin diff --git a/checks/data-mesher/sops/users/admin/key.json b/clanServices/data-mesher/tests/vm/sops/users/admin/key.json similarity index 100% rename from checks/data-mesher/sops/users/admin/key.json rename to clanServices/data-mesher/tests/vm/sops/users/admin/key.json 
diff --git a/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/machines/admin b/clanServices/data-mesher/tests/vm/vars/per-machine/admin/data-mesher-host-key/private_key/machines/admin similarity index 100% rename from checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/machines/admin rename to clanServices/data-mesher/tests/vm/vars/per-machine/admin/data-mesher-host-key/private_key/machines/admin diff --git a/clanServices/data-mesher/tests/vm/vars/per-machine/admin/data-mesher-host-key/private_key/secret b/clanServices/data-mesher/tests/vm/vars/per-machine/admin/data-mesher-host-key/private_key/secret new file mode 100644 index 000000000..ababe7d99 --- /dev/null +++ b/clanServices/data-mesher/tests/vm/vars/per-machine/admin/data-mesher-host-key/private_key/secret 
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:2FgvnmawAdk+/k+RVWNsKQlUFUF+pZrrEBuupdG50uLNyxHd7Gi772gKNgHWyzZ/lpODg5mQi0rL+GmZYQwtZ7h76AGUEeQvuMMTzVUop69txxwhJD2dxZyhUAxZpibwo/St84ai+8+VksLkCSYfTXCulaeOVh4=,iv:YkPNq4zDj35PRNgt2kHEkHhbLcVc9dHP/zrAwdd94sM=,tag:KwW/74C7Z/+3dNoXB3NHwQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoaS94M0JsR2Q5N21DNnFB\nUHgvelRTK3FKZkNKcTJFbEJ1VGFIM256MVVRCmw5YjdyTVlXMlFpWnczV2dTSzhu\nSm5mMVRPeU1pYVFZNEN5MjJFZHVTejgKLS0tIDB0V2hSRkt5QzFYald0TWVza1lC\ncGNXemhGcklENTJiV1QvTFZxUDNRRlUK2dVEzSbdDNXZy7rQi5/Vq4KyHq5rMtEz\npTI8i1rFKIAy4TC7to03bOIudOIzKSCCzX31xARkM6qON0vEU9aHFg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1r99qtxl0v86wg8ndcem87yk5wag5xcsk98ngaumqzww6t7pyms0q5cyl80", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEOEMzcExzTTF3MmpaenRN\ncS9RbnM0aStZSjNqbjF4QisrRjhoaDg1T0ZBCmFVOWJYZkFaOXBOUGJTdytYWk52\nVXV1MDdmSWQ1OS9iODAvN2c2Q3VGYXMKLS0tIEQxeWR4bmRoOWJ2Z1FyUk1PUk1n\nM0c5Ri9FdG9FNE9CZ29VSmgvN2xDdjgKjfG38gVOXXN2ftGiCPxMFbnh7lKM1USl\nqf11k+rgvR8M9XsDy2SnirKAaNmpks1dR6Zs5ppQuYJDEYyQCrEO5g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-07-09T10:02:45Z", + "mac": "ENC[AES256_GCM,data:TEH57vUZ/swTsWQPJ1X3J//xa1Q1LYPETZS7fuXCH1LCK51u88XGqVpNzSETREQ8LAOt34qN284b03UQIBGTeTr7I9cqt+/l8ew/0rFTiO3aiaT49q9aBkeFZlA+gy47r4hkhMmzGQJMUenvnzTHwT3Pw2RES5Vjs/2TSitpqlA=,iv:ffIotRGKU8y6j/VDLKbTmA8dZJVP5vafeG4F3wd60tc=,tag:q4xOwzLw5jxDR0pPIy2irA==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} 
diff --git a/checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/users/admin b/clanServices/data-mesher/tests/vm/vars/per-machine/admin/data-mesher-host-key/private_key/users/admin similarity index 100% rename from checks/data-mesher/vars/per-machine/admin/data-mesher-host-key/private_key/users/admin rename to clanServices/data-mesher/tests/vm/vars/per-machine/admin/data-mesher-host-key/private_key/users/admin diff --git a/clanServices/data-mesher/tests/vm/vars/per-machine/admin/data-mesher-host-key/public_key/value b/clanServices/data-mesher/tests/vm/vars/per-machine/admin/data-mesher-host-key/public_key/value new file mode 100644 index 000000000..081abef3a --- /dev/null +++ b/clanServices/data-mesher/tests/vm/vars/per-machine/admin/data-mesher-host-key/public_key/value @@ -0,0 +1,3 @@ +-----BEGIN PUBLIC KEY----- +MCowBQYDK2VwAyEAi6qF8u2uvPXlSflB4fzJNlOhj5PgAmRiv+JyyYOOgg4= +-----END PUBLIC KEY----- diff --git a/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/machines/peer b/clanServices/data-mesher/tests/vm/vars/per-machine/peer/data-mesher-host-key/private_key/machines/peer similarity index 100% rename from checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/machines/peer rename to clanServices/data-mesher/tests/vm/vars/per-machine/peer/data-mesher-host-key/private_key/machines/peer diff --git a/clanServices/data-mesher/tests/vm/vars/per-machine/peer/data-mesher-host-key/private_key/secret b/clanServices/data-mesher/tests/vm/vars/per-machine/peer/data-mesher-host-key/private_key/secret new file mode 100644 index 000000000..e1e019e22 --- /dev/null +++ b/clanServices/data-mesher/tests/vm/vars/per-machine/peer/data-mesher-host-key/private_key/secret 
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:LUNuEP/xSmzJ44sheoIYN6F24Qpr3svn6rTVUpr4KZA8uVJ9gPUd4ko4+pDisc9PyXCcxx+cYGRqr1cBp8Q3R+IyFFlR2HzuReQJaScvgjlntGtMJ2hin/aBp4pHS0F4nqPcKKROiZvIN4NHsxQ6XRVDOZbI3kE=,iv:BdRHjQXJL/OGgmqWaEDLit/zHgduNfPe3GUmYDrWLPw=,tag:N0n7CCiu+COgrfrwHUwQBQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1hgjs2yqxhcxfgtvhydnfe5wzlagxw2dw4hu658e8neduy0lkye0skmjfc7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCYlhrU2c1NnIyTzlVRHEx\nQTFxOUY1OWJXcHl1OHpPdWN1ZGpQV0UvZ1NzCnlKbmx0bllWMTd1ZnIxUHY0ZUU0\nVG9Jb3grSEdWeVpwaHoyQUxvNERqT00KLS0tIGtwZm5aMU1DOUhJbVVpVzIxZFow\nNVEvMy91SEg3M094MEFBSkVMRkhKZmMKuUzbEITGkYS39G14JXbKWLjiQFd4SVft\nWH34B97TFhOqusVF3zHsSCMxm/0BMeBvLxO/3RmzlwBtgNiKOqLwtQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SUhJQW5EN0VKVHpQdlZC\nYTczdVJiRFdFNGtURFc2SmxKWFFycjZkQUgwCnRBVkJvUytuUDlhVlhFYno2cnBR\nRUdjL0lab1MwZzhGTklyVWZDVFJmN3cKLS0tIFRjOC9DS3llWGZWMGI2aThVYTRu\nVEFhK2Y2YkRTZHEyMWV0Q05ISHdhVVUKo9bPdV1dUeIkm4gI0r9V/s1dAfJC+H5Z\nEIUdYA7fl3jRZ01cSZ0iYWlvdl2jj0XzKafZsEQU7rL0jg9zbA2s2g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-07-09T10:02:59Z", + "mac": "ENC[AES256_GCM,data:+JtuPacwUMHXtp93DZmkiVne7bQUP8J7VpoS8koM0oJWJqZoQRHd9qH/04lrpp8q/YoOXtqXwhViZvFLieJVRexiXf/AAHfAfMn0EI7ois9oHhscN88Ps9nY6JUxhNd0h0OrUA58KKhrkGoqreAKAPADtVhaVCmWbU7vMUu1StE=,iv:BmJnTsgMSbl4XsBUkhSLfKd0XjhrEQfurEkaRJ6uD/g=,tag:jg21c4y4bQp0RwWTXkxF1A==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} 
diff --git a/checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/users/admin b/clanServices/data-mesher/tests/vm/vars/per-machine/peer/data-mesher-host-key/private_key/users/admin similarity index 100% rename from checks/data-mesher/vars/per-machine/peer/data-mesher-host-key/private_key/users/admin rename to clanServices/data-mesher/tests/vm/vars/per-machine/peer/data-mesher-host-key/private_key/users/admin diff --git a/clanServices/data-mesher/tests/vm/vars/per-machine/peer/data-mesher-host-key/public_key/value b/clanServices/data-mesher/tests/vm/vars/per-machine/peer/data-mesher-host-key/public_key/value new file mode 100644 index 000000000..f5c73e0f4 --- /dev/null +++ b/clanServices/data-mesher/tests/vm/vars/per-machine/peer/data-mesher-host-key/public_key/value @@ -0,0 +1,3 @@ +-----BEGIN PUBLIC KEY----- +MCowBQYDK2VwAyEA7kRKjQpj+BXPe5buvDZtBAcU1HIcfGmbuHZqaVm3zCo= +-----END PUBLIC KEY----- diff --git a/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/machines/signer b/clanServices/data-mesher/tests/vm/vars/per-machine/signer/data-mesher-host-key/private_key/machines/signer similarity index 100% rename from checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/machines/signer rename to clanServices/data-mesher/tests/vm/vars/per-machine/signer/data-mesher-host-key/private_key/machines/signer diff --git a/clanServices/data-mesher/tests/vm/vars/per-machine/signer/data-mesher-host-key/private_key/secret b/clanServices/data-mesher/tests/vm/vars/per-machine/signer/data-mesher-host-key/private_key/secret new file mode 100644 index 000000000..cb58cad78 --- /dev/null +++ b/clanServices/data-mesher/tests/vm/vars/per-machine/signer/data-mesher-host-key/private_key/secret 
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:armAfuTE0mkoy1fxAysCX/UPNM4/mt9P6/zEDwtagTSvQjMTwVzzsM+kRdLOUV4fbZ7HdqMceaZWzurAQJenXvWlBXgn87YFOFBSpf3OnpEwCTUs9H8dsVrdSUk4SrKjCjV33mybTrae/h9tMHdkRhKJzPD1+/8=,iv:x9KVGqT2Ug6B6PNwzL7NVDQqyOmFUptUsHAJEdn30dg=,tag:XSSO6JvXaXq8aezYvpF65Q==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1k6h9mespmnr9zhtwwqlhnla80x5jhpd4c2p7hp0nfanr5tspup0s0rld2f", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIMVUwMEFzVjJhYXg5MXR4\nMzZPZUFrUWdEU2hPWUVDNHpVVENpdEdYSWtnCnN0R2pVdEIxYWZXYWNBb3N5bGNK\naVpWOXp5aWVJWG9vUWtMUnhYSmMyV0UKLS0tIEtMdFAybk1PN0t2M2lkaEYzUTY3\nVzVOdTBFbnlNVTAvRU5kU0dReEZ6MlUKNHIkAUUAqnuMtXbvXqLxQwuFALsnD/i0\naBCiz6J4S18uqt3kFbXAEksbD7jCexI8m5SMp4iuumWJ/Bx1lL4TWg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbzBFSGt1dXI2bDN5TmFU\nY3N6djNmMTh2ek4vUzdHbTF6Z1hDQ2t5WVNJClEzZDZiaVpBekFrYTYweDNsNmk5\nTlhYZGRNd0llMndyMkZWMyt5N3pwTE0KLS0tIGJJbU9vbnBhSE5vRW1pRG83cEFJ\nR2xDTHk3VkJaVUZSVThRV3Jldkp6cnMK1V37txaSFYfLQM0qqRWjojyTN4fTJkRm\nGO3yHX9uwo/4D2xI7LM48n4vnNhSF05bWpq0X4r13fI4DofCJeEo1g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-07-09T10:03:11Z", + "mac": "ENC[AES256_GCM,data:qD1w+DO8cWFDQMBOrmO9FvxvJRn+mlUbh13exTGgmsdPn3uzTXknIDDHeWfkpF699nSzS6wRmgrB21e55rBU6iHMx1TW16S8wvCoYMFwib8zTrJzND7EJr/gRwQa0N080kBY3xBivKLUFlctgKtFUYZ9GQ6UTQeq18QKPoROjww=,iv:1mt8Er6YHxQ42F5Kb+xNtjbCAzokbeoNlHesC9Uzmhk=,tag:provO4tKDzoL5PHDg5EmhA==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} 
diff --git a/checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/users/admin b/clanServices/data-mesher/tests/vm/vars/per-machine/signer/data-mesher-host-key/private_key/users/admin similarity index 100% rename from checks/data-mesher/vars/per-machine/signer/data-mesher-host-key/private_key/users/admin rename to clanServices/data-mesher/tests/vm/vars/per-machine/signer/data-mesher-host-key/private_key/users/admin diff --git a/clanServices/data-mesher/tests/vm/vars/per-machine/signer/data-mesher-host-key/public_key/value b/clanServices/data-mesher/tests/vm/vars/per-machine/signer/data-mesher-host-key/public_key/value new file mode 100644 index 000000000..e9e5f072d --- /dev/null +++ b/clanServices/data-mesher/tests/vm/vars/per-machine/signer/data-mesher-host-key/public_key/value @@ -0,0 +1,3 @@ +-----BEGIN PUBLIC KEY----- +MCowBQYDK2VwAyEAVA6c25s+yNe5225PnELDV9FwbWi9ppLoTfgmdY8kILo= +-----END PUBLIC KEY----- diff --git a/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/machines/admin b/clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/private_key/machines/admin similarity index 100% rename from checks/data-mesher/vars/shared/data-mesher-network-key/private_key/machines/admin rename to clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/private_key/machines/admin diff --git a/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/machines/peer b/clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/private_key/machines/peer similarity index 100% rename from checks/data-mesher/vars/shared/data-mesher-network-key/private_key/machines/peer rename to clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/private_key/machines/peer 
diff --git a/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/machines/signer b/clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/private_key/machines/signer similarity index 100% rename from checks/data-mesher/vars/shared/data-mesher-network-key/private_key/machines/signer rename to clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/private_key/machines/signer diff --git a/clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/private_key/secret b/clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/private_key/secret new file mode 100644 index 000000000..d4df7775a --- /dev/null +++ b/clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/private_key/secret 
@@ -0,0 +1,27 @@ +{ + "data": "ENC[AES256_GCM,data:VzcB/JABSPoFdKYhRSn+nKxasn9zO/9fyNMrg3XstBelQNPpbO8mhmcnSamc/7e5GkpoVWgLRSULvosv+o6sz9EHRZ3UpSLBBTkDGAJmoBnkR8DbstPA9EgScpQ9IGOUP5tQ0oEOcJC3FrivdbWIzeXjpWb9BrU=,iv:6BNUrubJ9aNCkgonDRNgdyckCTndkPVDLE4X3J5d2zA=,tag:YqHTiGslEkslzUk24bmPZg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1hgjs2yqxhcxfgtvhydnfe5wzlagxw2dw4hu658e8neduy0lkye0skmjfc7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwK2lMUTkrSmM4dHQxU0tI\nRVV6Wm4wWlJMYXBGbGdubExrMi8vRnJjdVd3CjI3aFVpdHRURHp6UEk3ZEZMcDZT\nZWZWaGFWYmY2Mk1iQ1BjalZkUnpUUm8KLS0tIEhFUVhBUjg1dC9LWHg2TytkRTlX\nNnlJZkJQc2ExK1BwaVVFcEw2b3BLZjQK8kqf3ZP9uLtbjCJLSEYpAqgq9zOS2HrY\n5MbPAKQI8iCUfnegti6hU+/MxjvPlaX1vT4V0Kd3gT4Khjl+OPw0Og==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1r99qtxl0v86wg8ndcem87yk5wag5xcsk98ngaumqzww6t7pyms0q5cyl80", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWeUk3ZW9rdnZBTk9vQlFZ\nTzFZVDAvcXZyQjdkcGNNbnA0T3UyM3lzVERvCjFreE9RdWxnb2xWWmI4amJVdHBv\nNE9JN2tFazRnSGhiM0FId2RCUHNKWVEKLS0tIGlmM3JNSVZtR21ndFliUVpLTzJO\ncHJ2SjI1OExQK2hEN01WdG9wZ3RmVTAKi0BXp9yV2/9a9NeT7aTSK2CfkQ5yColJ\nm0+uv5AJndZ9IsaZGJxNOdAOspYdvsW38hFdfjUtVuUCyIOPc20WUg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1k6h9mespmnr9zhtwwqlhnla80x5jhpd4c2p7hp0nfanr5tspup0s0rld2f", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSUR1QVMvZ3F0NUxXd00z\nOWJGZFlsUy8vUmMxa1NoakZRVmJrSmd1RzBrCk1ZcDlBMFB0WVdWeFZaT3ZBTTh5\nS2RReWpUOGRBdGV6MDdjcEY5dFYrdjAKLS0tIG9oRWhUaWJZSElRdmlOZmRKSnNq\nUUNDZFdZbmM0c25MOGpvem1JSm9pVWsKxCLPivdHc6IN6Jbf9FujLGJaXP6ieO1S\nKsrs3Fe0RdYcEKI7P9EQNebQD2kKXficM0kKV5lRRVtW5024PftWoQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3amkyWWlxSTJkZEdMZFhL\nU2t5OGFIa25TRmdFM0ZNcUhFRHk0eDJQN2tjCm9UcUs2V0lEZ0hyNU9uaDVrckpj\nZ1JSQlhNeExjOER2aFJTM2NDS25PN2MKLS0tIFhmM21rT0Z4aUI5TUZyNnNBQ3Jy\nSDAxejhhZDZNQTVCNjNUSTBsZncra1kKFFQrFxNMyg0AEMb1wpKBc7LOVtEHyFZW\n/o7L52fTNa0GFJ3SVEdqg0PpnRzTyA8F5L77FBGKtx6auCVVHyZZ9g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-07-09T10:02:48Z", + "mac": "ENC[AES256_GCM,data:HooesDb1S24Cfb7H0lVTA8fAjM2QAN9MaJFvOSHniR6ICJAX8t8X0xfWIFRFuwPjAxi4kpBYSjW0420Yz9lZ2m4Fxswo1TV3lzHDVN2u9hdrsfpKXg5fW+2oZihuvCRStDagT3l2fKv+C+gBnGs1qyCM60BStvrEiQxTxTTHfho=,iv:kL8N0qBj4q+ZJbNJ8Y8RcV1KpUUMvNCpdwKbTPGpG6k=,tag:o2PmRsSkqTP5Idq7veGDOw==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/checks/data-mesher/vars/shared/data-mesher-network-key/private_key/users/admin b/clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/private_key/users/admin similarity index 100% rename from checks/data-mesher/vars/shared/data-mesher-network-key/private_key/users/admin rename to clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/private_key/users/admin diff --git a/clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/public_key/value b/clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/public_key/value new file mode 100644 index 000000000..286417068 --- /dev/null +++ b/clanServices/data-mesher/tests/vm/vars/shared/data-mesher-network-key/public_key/value @@ -0,0 +1,3 @@ +-----BEGIN PUBLIC KEY----- +MCowBQYDK2VwAyEA/MuamRX6ZLcJunm7lZvlai0OZh++YuqMa56GiTwO68A= +-----END PUBLIC KEY----- diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index 29f1fe006..be80dea06 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml 
@@ -86,6 +86,7 @@ nav: - Overview: reference/clanServices/index.md - reference/clanServices/admin.md - reference/clanServices/borgbackup.md + - reference/clanServices/data-mesher.md - reference/clanServices/emergency-access.md - reference/clanServices/garage.md - reference/clanServices/hello-world.md