From d2456be3dd7598e76ccc55670e9660a7ea25e61d Mon Sep 17 00:00:00 2001 
From: pinpox Date: Fri, 15 Aug 2025 13:29:02 +0200 Subject: [PATCH] Add certificates service --- clanServices/certificates/README.md | 32 +++ clanServices/certificates/default.nix | 242 ++++++++++++++++++ clanServices/certificates/flake-module.nix | 21 ++ .../certificates/tests/vm/default.nix | 78 ++++++ .../tests/vm/sops/machines/ca/key.json | 6 + .../tests/vm/sops/machines/client/key.json | 6 + .../tests/vm/sops/machines/peer1/key.json | 6 + .../tests/vm/sops/machines/peer2/key.json | 6 + .../tests/vm/sops/machines/server/key.json | 6 + .../tests/vm/sops/secrets/ca-age.key/secret | 15 ++ .../vm/sops/secrets/ca-age.key/users/admin | 1 + .../vm/sops/secrets/client-age.key/secret | 15 ++ .../sops/secrets/client-age.key/users/admin | 1 + .../vm/sops/secrets/peer1-age.key/secret | 15 ++ .../vm/sops/secrets/peer1-age.key/users/admin | 1 + .../vm/sops/secrets/peer2-age.key/secret | 15 ++ .../vm/sops/secrets/peer2-age.key/users/admin | 1 + .../vm/sops/secrets/server-age.key/secret | 15 ++ .../sops/secrets/server-age.key/users/admin | 1 + .../tests/vm/sops/users/admin/key.json | 4 + .../ca/state-version/version/value | 1 + .../intermediate.crt/value | 12 + .../intermediate.key/machines/ca | 1 + .../intermediate.key/secret | 19 ++ .../intermediate.key/users/admin | 1 + .../client/state-version/version/value | 1 + .../per-machine/client/step-ca/ca.crt/value | 10 + .../per-machine/client/step-ca/ca.key/secret | 15 ++ .../client/step-ca/ca.key/users/admin | 1 + .../per-machine/peer1/step-ca/ca.crt/value | 10 + .../per-machine/peer1/step-ca/ca.key/secret | 15 ++ .../peer1/step-ca/ca.key/users/admin | 1 + .../intermediate.crt/value | 12 + .../intermediate.key/machines/peer1 | 1 + .../intermediate.key/secret | 19 ++ .../intermediate.key/users/admin | 1 + .../per-machine/peer2/step-ca/ca.crt/value | 10 + .../per-machine/peer2/step-ca/ca.key/secret | 15 ++ .../peer2/step-ca/ca.key/users/admin | 1 + .../server/state-version/version/value | 1 + 
.../per-machine/server/step-ca/ca.crt/value | 10 + .../per-machine/server/step-ca/ca.key/secret | 15 ++ .../server/step-ca/ca.key/users/admin | 1 + .../tests/vm/vars/shared/step-ca/ca.crt/value | 10 + .../vm/vars/shared/step-ca/ca.key/secret | 15 ++ .../vm/vars/shared/step-ca/ca.key/users/admin | 1 + docs/mkdocs.yml | 1 + .../test_driver/__init__.py | 9 +- 48 files changed, 695 insertions(+), 1 deletion(-) create mode 100644 clanServices/certificates/README.md create mode 100644 clanServices/certificates/default.nix create mode 100644 clanServices/certificates/flake-module.nix create mode 100644 clanServices/certificates/tests/vm/default.nix create mode 100755 clanServices/certificates/tests/vm/sops/machines/ca/key.json create mode 100755 clanServices/certificates/tests/vm/sops/machines/client/key.json create mode 100755 clanServices/certificates/tests/vm/sops/machines/peer1/key.json create mode 100755 clanServices/certificates/tests/vm/sops/machines/peer2/key.json create mode 100755 clanServices/certificates/tests/vm/sops/machines/server/key.json create mode 100644 clanServices/certificates/tests/vm/sops/secrets/ca-age.key/secret create mode 120000 clanServices/certificates/tests/vm/sops/secrets/ca-age.key/users/admin create mode 100644 clanServices/certificates/tests/vm/sops/secrets/client-age.key/secret create mode 120000 clanServices/certificates/tests/vm/sops/secrets/client-age.key/users/admin create mode 100644 clanServices/certificates/tests/vm/sops/secrets/peer1-age.key/secret create mode 120000 clanServices/certificates/tests/vm/sops/secrets/peer1-age.key/users/admin create mode 100644 clanServices/certificates/tests/vm/sops/secrets/peer2-age.key/secret create mode 120000 clanServices/certificates/tests/vm/sops/secrets/peer2-age.key/users/admin create mode 100644 clanServices/certificates/tests/vm/sops/secrets/server-age.key/secret create mode 120000 clanServices/certificates/tests/vm/sops/secrets/server-age.key/users/admin create mode 100644 
clanServices/certificates/tests/vm/sops/users/admin/key.json create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/ca/state-version/version/value create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-cert/intermediate.crt/value create mode 120000 clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/machines/ca create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/secret create mode 120000 clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/users/admin create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/client/state-version/version/value create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/client/step-ca/ca.crt/value create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/client/step-ca/ca.key/secret create mode 120000 clanServices/certificates/tests/vm/vars/per-machine/client/step-ca/ca.key/users/admin create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/peer1/step-ca/ca.crt/value create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/peer1/step-ca/ca.key/secret create mode 120000 clanServices/certificates/tests/vm/vars/per-machine/peer1/step-ca/ca.key/users/admin create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-cert/intermediate.crt/value create mode 120000 clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-key/intermediate.key/machines/peer1 create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-key/intermediate.key/secret create mode 120000 clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-key/intermediate.key/users/admin create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/peer2/step-ca/ca.crt/value create mode 100644 
clanServices/certificates/tests/vm/vars/per-machine/peer2/step-ca/ca.key/secret create mode 120000 clanServices/certificates/tests/vm/vars/per-machine/peer2/step-ca/ca.key/users/admin create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/server/state-version/version/value create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/server/step-ca/ca.crt/value create mode 100644 clanServices/certificates/tests/vm/vars/per-machine/server/step-ca/ca.key/secret create mode 120000 clanServices/certificates/tests/vm/vars/per-machine/server/step-ca/ca.key/users/admin create mode 100644 clanServices/certificates/tests/vm/vars/shared/step-ca/ca.crt/value create mode 100644 clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/secret create mode 120000 clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/users/admin diff --git a/clanServices/certificates/README.md b/clanServices/certificates/README.md new file mode 100644 index 000000000..2692aca70 --- /dev/null +++ b/clanServices/certificates/README.md 
@@ -0,0 +1,32 @@
+This service sets up a certificate authority (CA) that can issue certificates to
+other machines in your clan. For this the `ca` role is used.
+It additionally provides a `default` role, that can be applied to all machines
+in your clan and will make sure they trust your CA.
+
+## Example Usage
+
+The following configuration would add a CA for the top level domain `.foo`. If
+the machine `server` now hosts a webservice at `https://something.foo`, it will
+get a certificate from `ca` which is valid inside your clan. The machine
+`client` will trust this certificate if it makes a request to
+`https://something.foo`.
+
+This clan service can be combined with the `coredns` service for easy to deploy,
+SSL secured clan-internal service hosting.
+
+```nix
+inventory = {
+ machines.ca = { };
+ machines.client = { };
+ machines.server = { };
+
+ instances."certificates" = {
+ module.name = "certificates";
+ module.input = "self";
+
+ roles.ca.machines.ca.settings.TLDs = [ "foo" ];
+ roles.default.machines.client = { };
+ roles.default.machines.server = { };
+ };
+};
+```
diff --git a/clanServices/certificates/default.nix b/clanServices/certificates/default.nix
new file mode 100644
index 000000000..160313c00
--- /dev/null
+++ b/clanServices/certificates/default.nix
@@ -0,0 +1,242 @@ +{ ... }: +{ + _class = "clan.service"; + manifest.name = "certificates"; + manifest.description = "Sets up a certificates internal to your Clan"; + manifest.categories = [ "Network" ]; + manifest.readme = builtins.readFile ./README.md; + + roles.ca = { + + interface = + { lib, ... }: + { + + options.acmeEmail = lib.mkOption { + type = lib.types.str; + default = "none@none.tld"; + description = '' + Email address for account creation and correspondence from the CA. + It is recommended to use the same email for all certs to avoid account + creation limits. + ''; + }; + + options.TLDs = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = "Top level domain for this CA. Certificates will be issued and trusted for *."; + }; + + options.expire = lib.mkOption { + type = lib.types.nullOr lib.types.str; + description = "When the certificate should expire. Defaults to no expiry"; + default = null; + example = "8760h"; + }; + }; + + perInstance = + { settings, ... }: + { + nixosModule = + { + config, + pkgs, + lib, + ... 
+ }: + let + domains = map (tld: "ca.${tld}") settings.TLDs; + in + { + security.acme.defaults.email = settings.acmeEmail; + security.acme = { + certs = builtins.listToAttrs ( + map (domain: { + name = domain; + value = { + server = "https://${domain}:1443/acme/acme/directory"; + }; + }) domains + ); + }; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + virtualHosts = builtins.listToAttrs ( + map (domain: { + name = domain; + value = { + addSSL = true; + enableACME = true; + locations."/".proxyPass = "https://localhost:1443"; + locations."= /ca.crt".alias = + config.clan.core.vars.generators.step-intermediate-cert.files."intermediate.crt".path; + }; + }) domains + ); + }; + + clan.core.vars.generators = { + + # Intermediate key generator + "step-intermediate-key" = { + files."intermediate.key" = { + secret = true; + deploy = true; + owner = "step-ca"; + group = "step-ca"; + }; + runtimeInputs = [ pkgs.step-cli ]; + script = '' + step crypto keypair --kty EC --curve P-256 --no-password --insecure $out/intermediate.pub $out/intermediate.key + ''; + }; + + # Intermediate certificate generator + "step-intermediate-cert" = { + files."intermediate.crt".secret = false; + dependencies = [ + "step-ca" + "step-intermediate-key" + ]; + runtimeInputs = [ pkgs.step-cli ]; + script = '' + # Create intermediate certificate + step certificate create \ + --ca $in/step-ca/ca.crt \ + --ca-key $in/step-ca/ca.key \ + --ca-password-file /dev/null \ + --key $in/step-intermediate-key/intermediate.key \ + --template ${pkgs.writeText "intermediate.tmpl" '' + { + "subject": {{ toJson .Subject }}, + "keyUsage": ["certSign", "crlSign"], + "basicConstraints": { + "isCA": true, + "maxPathLen": 0 + }, + "nameConstraints": { + "critical": true, + "permittedDNSDomains": [${ + (lib.strings.concatStringsSep "," (map (tld: ''"${tld}"'') settings.TLDs)) + }] + } + } + ''} ${lib.optionalString (settings.expire != 
null) "--not-after ${settings.expire}"} \ + --no-password --insecure \ + "Clan Intermediate CA" \ + $out/intermediate.crt + ''; + }; + }; + + services.step-ca = { + enable = true; + intermediatePasswordFile = "/dev/null"; + address = "0.0.0.0"; + port = 1443; + settings = { + root = config.clan.core.vars.generators.step-ca.files."ca.crt".path; + crt = config.clan.core.vars.generators.step-intermediate-cert.files."intermediate.crt".path; + key = config.clan.core.vars.generators.step-intermediate-key.files."intermediate.key".path; + dnsNames = domains; + logger.format = "text"; + db = { + type = "badger"; + dataSource = "/var/lib/step-ca/db"; + }; + authority = { + provisioners = [ + { + type = "ACME"; + name = "acme"; + forceCN = true; + } + ]; + claims = { + maxTLSCertDuration = "2160h"; + defaultTLSCertDuration = "2160h"; + }; + backdate = "1m0s"; + }; + tls = { + cipherSuites = [ + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + ]; + minVersion = 1.2; + maxVersion = 1.3; + renegotiation = false; + }; + }; + }; + }; + }; + }; + + # Empty role, so we can add non-ca machins to the instance to trust the CA + roles.default = { + interface = + { lib, ... }: + { + options.acmeEmail = lib.mkOption { + type = lib.types.str; + default = "none@none.tld"; + description = '' + Email address for account creation and correspondence from the CA. + It is recommended to use the same email for all certs to avoid account + creation limits. + ''; + }; + }; + + perInstance = + { settings, ... }: + { + nixosModule.security.acme.defaults.email = settings.acmeEmail; + }; + }; + + # All machines (independent of role) will trust the CA + perMachine.nixosModule = + { pkgs, config, ... 
}: + { + # Root CA generator + clan.core.vars.generators = { + "step-ca" = { + share = true; + files."ca.key" = { + secret = true; + deploy = false; + }; + files."ca.crt".secret = false; + runtimeInputs = [ pkgs.step-cli ]; + script = '' + step certificate create --template ${pkgs.writeText "root.tmpl" '' + { + "subject": {{ toJson .Subject }}, + "issuer": {{ toJson .Subject }}, + "keyUsage": ["certSign", "crlSign"], + "basicConstraints": { + "isCA": true, + "maxPathLen": 1 + } + } + ''} "Clan Root CA" $out/ca.crt $out/ca.key \ + --kty EC --curve P-256 \ + --no-password --insecure + ''; + }; + }; + security.pki.certificateFiles = [ config.clan.core.vars.generators."step-ca".files."ca.crt".path ]; + environment.systemPackages = [ pkgs.openssl ]; + security.acme.acceptTerms = true; + }; +} diff --git a/clanServices/certificates/flake-module.nix b/clanServices/certificates/flake-module.nix new file mode 100644 index 000000000..a58fec290 --- /dev/null +++ b/clanServices/certificates/flake-module.nix @@ -0,0 +1,21 @@ +{ + self, + lib, + ... +}: +let + module = lib.modules.importApply ./default.nix { + inherit (self) packages; + }; +in +{ + clan.modules.certificates = module; + perSystem = + { ... }: + { + clan.nixosTests.certificates = { + imports = [ ./tests/vm/default.nix ]; + clan.modules.certificates = module; + }; + }; +} diff --git a/clanServices/certificates/tests/vm/default.nix b/clanServices/certificates/tests/vm/default.nix new file mode 100644 index 000000000..6b9d07820 --- /dev/null +++ b/clanServices/certificates/tests/vm/default.nix 
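Review bot: The root CA command at the end of this hunk (`step certificate create --template … "Clan Root CA" $out/ca.crt $out/ca.key`) sets no `--not-after`, and `settings.expire` reaches only the intermediate, so the `expire` text "Defaults to no expiry" does not describe what is generated. The root fixture added by this same patch (`tests/vm/vars/per-machine/client/step-ca/ca.crt/value`) decodes to a validity of 2025-08-18 to 2025-08-19, one day, which looks like step-cli's default lifetime rather than an unlimited one. Every machine trusts this root through `security.pki.certificateFiles`, so an expired root or intermediate invalidates every certificate issued under it; I would pass an explicit lifetime on the root command (`--not-after <ROOT_LIFETIME>`), give the intermediate an explicit default instead of `null`, and reword the option to `description = "Validity period of the intermediate certificate; when unset, step-cli's default lifetime applies";`. A smaller point in the same hunk: `services.step-ca.address = "0.0.0.0"` listens on every interface although nginx proxies to `https://localhost:1443` and the firewall opens only 80 and 443, so the bind address is worth narrowing if `https://${domain}:1443` can resolve locally on the CA host.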
@@ -0,0 +1,78 @@
+{
+ name = "certificates";
+
+ clan = {
+ directory = ./.;
+ inventory = {
+
+ machines.ca = { }; # 192.168.1.1
+ machines.client = { }; # 192.168.1.2
+ machines.server = { }; # 192.168.1.3
+
+ instances."certificates" = {
+ module.name = "certificates";
+ module.input = "self";
+
+ roles.ca.machines.ca.settings.TLDs = [ "foo" ];
+ roles.default.machines.client = { };
+ roles.default.machines.server = { };
+ };
+ };
+ };
+
+ nodes =
+ let
+ hostConfig = ''
+ 192.168.1.1 ca.foo
+ 192.168.1.3 test.foo
+ '';
+ in
+ {
+
+ client.networking.extraHosts = hostConfig;
+ ca.networking.extraHosts = hostConfig;
+
+ server = {
+
+ networking.extraHosts = hostConfig;
+
+ # TODO: Could this be set automatically?
+ # I would like to get this information from the coredns module, but we
+ # cannot model dependencies yet
+ security.acme.certs."test.foo".server = "https://ca.foo/acme/acme/directory";
+
+ # Host a simple service on 'server', with SSL provided via our CA. 'client'
+ # should be able to curl it via https and accept the certificates
+ # presented
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."test.foo" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ return = "200 'test server response'";
+ extraConfig = "add_header Content-Type text/plain;";
+ };
+ };
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ server.succeed("systemctl restart acme-test.foo.service")
+
+ # It takes a while for the correct certs to appear (before that self-signed
+ # are presented by nginx) so we wait for a bit.
+ client.wait_until_succeeds("curl -v https://test.foo")
+
+ # Show certificate information for debugging
+ client.succeed("openssl s_client -connect test.foo:443 -servername test.foo /dev/null | openssl x509 -text -noout 1>&2")
+ '';
+}
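Review bot: The `testScript` covers only the positive path, so the control that limits this CA, the critical `nameConstraints` / `permittedDNSDomains` entry on the intermediate, is never exercised. `client.wait_until_succeeds("curl -v https://test.foo")` shows that a certificate for a name under `foo` is issued and trusted, and the final `openssl x509 -text` call only prints the certificate without asserting anything about it. I would add a negative case that requests or presents a certificate for a name outside the configured TLD and expects failure, plus an assertion on the issuer of the served certificate. Until such a case exists, a comment above the curl line such as `# NOTE: positive path only; name constraints for TLDs other than "foo" are not tested` would keep the gap visible.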
diff --git a/clanServices/certificates/tests/vm/sops/machines/ca/key.json b/clanServices/certificates/tests/vm/sops/machines/ca/key.json new file mode 100755 index 000000000..26936171f --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/machines/ca/key.json @@ -0,0 +1,6 @@ +[ + { + "publickey": "age19azjd5xvnrwdt2sckupmpk40ayvevsxktcyt43x2fzg5qyzhe9rsu6a6es", + "type": "age" + } +] diff --git a/clanServices/certificates/tests/vm/sops/machines/client/key.json b/clanServices/certificates/tests/vm/sops/machines/client/key.json new file mode 100755 index 000000000..e95679682 --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/machines/client/key.json @@ -0,0 +1,6 @@ +[ + { + "publickey": "age1wfg6c67kje626c8ud02q6lmtgkuqujc098624mr8a66zwvhmyflsl5h8e8", + "type": "age" + } +] diff --git a/clanServices/certificates/tests/vm/sops/machines/peer1/key.json b/clanServices/certificates/tests/vm/sops/machines/peer1/key.json new file mode 100755 index 000000000..2c452905a --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/machines/peer1/key.json @@ -0,0 +1,6 @@ +[ + { + "publickey": "age172ggu2vq92c8c7l5ytcr96whp0qwe0vuyxuenxwvr6rc2xfdcsqsffg76w", + "type": "age" + } +] diff --git a/clanServices/certificates/tests/vm/sops/machines/peer2/key.json b/clanServices/certificates/tests/vm/sops/machines/peer2/key.json new file mode 100755 index 000000000..c64d9985d --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/machines/peer2/key.json @@ -0,0 +1,6 @@ +[ + { + "publickey": "age1zuddk94yycply5ht2ys6auh6wwzzh383utu38haz24h2625gcedsdtp3kx", + "type": "age" + } +] diff --git a/clanServices/certificates/tests/vm/sops/machines/server/key.json b/clanServices/certificates/tests/vm/sops/machines/server/key.json new file mode 100755 index 000000000..f24ed5388 --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/machines/server/key.json 
@@ -0,0 +1,6 @@ +[ + { + "publickey": "age1nslvhydmnyhcv943zx8srkuy69mqa84rn6cmz5gcag0egrfhua0q0jrt9n", + "type": "age" + } +] diff --git a/clanServices/certificates/tests/vm/sops/secrets/ca-age.key/secret b/clanServices/certificates/tests/vm/sops/secrets/ca-age.key/secret new file mode 100644 index 000000000..14067322b --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/secrets/ca-age.key/secret @@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:iKvDyOKpGC+Hy/1ogTrsDw3nBRqOVkDMtsmLVqxDcJA+4FmQBV2TyPsMxzSimdOPEu4QWFH08c74bpahdtMSV4iSI9OKmKhzrSc=,iv:fbsVhDrq23j2yWo3nv2VZ39plcIO2FT/sPMeMnkgENc=,tag:05W4fmFbfrWqk2xRtgofwg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpVERvYjF6YncxR09vUTFk\nVGFESzJuOFZwMVlzTTVGb1BhcCs0eVozYXlJCm1mSHpKZVNSb1VZaTV5WHRYQk5I\nOHJTRjVJNGtYSTFxbXdOQTUzOE4vYmcKLS0tIFA1aW80Y2t4ZVpPeHhqMHVTN0JS\nR2Z6ampEeW5lOE02K3AxeHFMbS9vUGMKELziMSLQRkssIa8yhHeODy5EIIYuWZhp\nc1eYZgH2BMXnAqCJgIPoc/UwGpDzyGrPozLNv4DzbgfrCCHa96Zh8Q==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-18T14:14:41Z", + "mac": "ENC[AES256_GCM,data:knjrycqzRsNQiebp2MYK1F0ZMzlI9OkdUSThSXwIczDdbwzZcUNQt8SOoNbbBQUG7TwBqBV/ETMQIgEp9zkK5D+5BTDXHHZAnBQBocp017b9IAtGDS6wB3Rk1ggoKqrPuD1wmKbpZY4LkfAZcRv77QN3jxaBKKoe1w4A04XPfso=,iv:7oxoiKBLTJHcN8pkuy0o0TVoDVjpQ3aYjrLS5+nqZao=,tag:yrCTiwE2KQreWKJP/H1NAA==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/clanServices/certificates/tests/vm/sops/secrets/ca-age.key/users/admin b/clanServices/certificates/tests/vm/sops/secrets/ca-age.key/users/admin new file mode 120000 index 000000000..9e21a9938 --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/secrets/ca-age.key/users/admin @@ -0,0 +1 @@ +../../../users/admin \ No newline at end of file 
diff --git a/clanServices/certificates/tests/vm/sops/secrets/client-age.key/secret b/clanServices/certificates/tests/vm/sops/secrets/client-age.key/secret new file mode 100644 index 000000000..17f80d1e8 --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/secrets/client-age.key/secret @@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:sC9jKXivdmFm+VfZHXpf5pACs8Ru61l30WCET2TES+X37lTLdt4lS8faNXbEJPdeOUifFgnar3U5iKzYOxYXeqUgz1pko/GwLRc=,iv:MLwnfKW+00/JbdbgxVP17RGnGGVDqW75Z0omATkvhbA=,tag:bXQ4+anugrMeU6AJ6iep2A==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY2VnQWxHT0xNbk1RZ3ND\nY2cvRDZpMUcxNFhPTHF0bHJzZ0V5bE42dEhBCkQzZ2pTOWsvb3RzVlE1clBKOERz\nbmhrMUVwUnVKYzNGdDBObmtCdUtlTnMKLS0tIEhKRVVRQzFla1RVYlZEei9JUmtG\nWUx6ampweHFHOTJhR1lBRWJQNFJ6QzAKK/566CNiId1ooieE4xU+RgmzMFMgEXiw\nryaEah6F/zCXt+7bVsL7kzVgCQqcqsaTxKBaqNCzsUlar/Y5PdEj1g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-18T14:14:52Z", + "mac": "ENC[AES256_GCM,data:SGKxZ0r+kSzbr5w6nPPOSJEFJrJi0SX/I2DVfzNz+NMcEpGiU8bMQvfwG24kVJKVBQ3iDDK4wT1Gd4uqpe7+/3M1xxk46HNTOJYRoe9CqOZY+agezX8nzOYIZUzW9ZwxCPdkkUizdOgH6/2H5sOYNCiWa3U/pBkiWqzm7mzzCo0=,iv:v/4hr5XouLt7/WoLGYhq3nOHIHEEsbHEDNBISjvXj+E=,tag:MSQzgLQBR+KhEhaV1RyK4w==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/clanServices/certificates/tests/vm/sops/secrets/client-age.key/users/admin b/clanServices/certificates/tests/vm/sops/secrets/client-age.key/users/admin new file mode 120000 index 000000000..9e21a9938 --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/secrets/client-age.key/users/admin @@ -0,0 +1 @@ +../../../users/admin \ No newline at end of file 
diff --git a/clanServices/certificates/tests/vm/sops/secrets/peer1-age.key/secret b/clanServices/certificates/tests/vm/sops/secrets/peer1-age.key/secret new file mode 100644 index 000000000..8429e8b24 --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/secrets/peer1-age.key/secret @@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:PwysjnctzMBS1XJbnAJLj/qynLeHA3ujOeyG1Jmnr2HYwEWe5VwYUDzezYcMvRl6F141ZnXePx2WYYjxn8+gk1n4eNT8tynniNs=,iv:aoEaSRfoQobAuYNmHV+hg/J3NiADG2X+b4ftzFFtsvc=,tag:YpXTxbEZkRfTca6gGpaLAg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdTlLeHZBRjBxRTZuR2Zq\nU3VnLzdwdTBNYVpNbEJMZVNCU3R6dm8rOWpFCmE2dkFZeVJCNVlUbE5rMmY0NFVu\ndWxQWnlQdXoxQklxVUNlUTJqd2dVQzgKLS0tIFo3UmxFaUhnSytrNHdxVkN5Sk85\neE9LNnJnYnhnZTNBVkdtS1pqbmdVWW8KqOKI0H6heeSWZojjw3O4fBlQtlJ3MLQy\nNmVdyDtCAP50n+pYCkfPLn4HlLwUMztGql0kHYCi3g9Zq3yB79KiCw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-18T12:55:53Z", + "mac": "ENC[AES256_GCM,data:j7dQyhCZxFxm7j7TzqwdpuAVtJCiCIFzjnalSHGyhkxWsVf4ROdqbjV9GIcrl8wndC8+pZrKzzbSyS30RH2V+D/Gn7kyYvpUN9Krt44qjMeltzjJ+bkLDNMrCYwdBYvtCtd0WHJQrgYiRtbi48SsMORF/a0n/y2cfVcUZMW+w2g=,iv:HhDzCg2jNz3m2Gqrs+L7Mzh6PfE5vNTANtbscokceoo=,tag:xu1xYRi5E/hlNkItX96KvQ==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/clanServices/certificates/tests/vm/sops/secrets/peer1-age.key/users/admin b/clanServices/certificates/tests/vm/sops/secrets/peer1-age.key/users/admin new file mode 120000 index 000000000..9e21a9938 --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/secrets/peer1-age.key/users/admin @@ -0,0 +1 @@ +../../../users/admin \ No newline at end of file 
diff --git a/clanServices/certificates/tests/vm/sops/secrets/peer2-age.key/secret b/clanServices/certificates/tests/vm/sops/secrets/peer2-age.key/secret new file mode 100644 index 000000000..f589a4330 --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/secrets/peer2-age.key/secret @@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:a8B30QbQezYTVKtkwS30L4V1K73eieyZpDFguJhYN1xmwbHRCU5axtwUz2VwPcKIeeKeeYAruu66APu/AqwEPdmavS9G+R/x340=,iv:kMO/pbKigxH5GagsGPcHnpQ2LnjHf6kuGq5/BxxEKIw=,tag:9eH0hQFMG1jMIbV4BFxS/A==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRHVJd1lRSy9Jc2RReVFY\nV0ExUEtXZDYxTnpJVXNCWjJoUzNNVjIwU0NFClpSTjcrT2lNT1FIam1WUnN4c1BE\nOWYzUHllejZRT0M2UFZRVm0rSU4wMWcKLS0tIDM3RHh3NXdaeUlUTU5HQ0pCSzIy\ndFdMVHhqR3BoM3o5OGJYMFMrcU9vbjQKwQuUmWGquxWPFx1jUCq5aQ+2wqirAmws\ntbfYjNOvPiClLfQzeMUP8n7KIHmYLOFmvPCDxBW4fx9A8qeFvuZSmg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-18T12:56:03Z", + "mac": "ENC[AES256_GCM,data:5MnK9pAgaMqIDXJhbovxZnOw2nPfE2Sk3No6AYctetkejg60LZkayWxwFX9k8c1N2iV76KJ/iGow3SfMHdyw5PlKrKLjoICGqm+3EA/2z3En3bdGe/F0LbEWKDIbEjZdEZNz4ZXOiu/UGt+rTZJf5cJupkMENlhb8EgOyAb1Uas=,iv:dBXVvwDrJpaepQl014ev3sgDJ4GIOjVms5p01sT0fVw=,tag:csyjJ6ELeED8A7fnYLMpBQ==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/clanServices/certificates/tests/vm/sops/secrets/peer2-age.key/users/admin b/clanServices/certificates/tests/vm/sops/secrets/peer2-age.key/users/admin new file mode 120000 index 000000000..9e21a9938 --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/secrets/peer2-age.key/users/admin @@ -0,0 +1 @@ +../../../users/admin \ No newline at end of file 
diff --git a/clanServices/certificates/tests/vm/sops/secrets/server-age.key/secret b/clanServices/certificates/tests/vm/sops/secrets/server-age.key/secret new file mode 100644 index 000000000..64df36217 --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/secrets/server-age.key/secret @@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:W87VsHPlI0a3VUqC3xi9cujRNzXhmzPVyvgOLtO+n4BT6UWfstmV2MaopzyaTlPD5QqK6LYZ/xr140mO8YHUJ2apaeH+cqL45PQ=,iv:+FvAN1q8UWqM1y8c3UEbArsxWFxwzknyjIheuz18Uek=,tag:lIKLlt5XhG4LslnypR15pQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaanFZZjZnKzNNNEtqcVFV\ndnBHQ29MYlBsNklPelg2dEcwenhpOGY2ZjFNCmZySW5xb3JaWDZoL1RzeXpXYmhz\naGVMSExTMDdTbERnVk5NVUc1QVFpOW8KLS0tIFNhc01URkI5WEtxZXE1MS9ZMW5U\nNGJqVGcrLzBhbjZBUy9aM3dFNmFJQWsKGNc+34/R8uxF2o4m7SuD1MfHEB37tS4J\n5De6KnOfzSDQ/RwN0j2Qgc6RrryEb0cQfX4LXnJZFy1FnggaROmQ5Q==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-21T11:09:59Z", + "mac": "ENC[AES256_GCM,data:E0I0OUAIc/8SikzLlqZ8b3hcPHcrlaTLZKU3HdAIqTxl589K7cVxvWB4abMVuo6Xh11Hj0+2U7uH6GYBac5SncryppWbD7AIp7nZCg6oehSyYQ8liW5n1+XW/HvECwH7HxOj1n0g62Ck5/+XKjap7X7gGiZ0w31Hwrcra9TaD7k=,iv:QQJ8U1MjtAUUrfTKuC/l7yHtgkLEInzwv/1rdtxRlAE=,tag:bOoWeGgLeevry+jPQfsLeQ==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/clanServices/certificates/tests/vm/sops/secrets/server-age.key/users/admin b/clanServices/certificates/tests/vm/sops/secrets/server-age.key/users/admin new file mode 120000 index 000000000..9e21a9938 --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/secrets/server-age.key/users/admin @@ -0,0 +1 @@ +../../../users/admin \ No newline at end of file 
diff --git a/clanServices/certificates/tests/vm/sops/users/admin/key.json b/clanServices/certificates/tests/vm/sops/users/admin/key.json new file mode 100644 index 000000000..e408aa96b --- /dev/null +++ b/clanServices/certificates/tests/vm/sops/users/admin/key.json @@ -0,0 +1,4 @@ +{ + "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "type": "age" +} diff --git a/clanServices/certificates/tests/vm/vars/per-machine/ca/state-version/version/value b/clanServices/certificates/tests/vm/vars/per-machine/ca/state-version/version/value new file mode 100644 index 000000000..115ab7a6a --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/ca/state-version/version/value @@ -0,0 +1 @@ +25.11 \ No newline at end of file diff --git a/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-cert/intermediate.crt/value b/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-cert/intermediate.crt/value new file mode 100644 index 000000000..c91b2a962 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-cert/intermediate.crt/value @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBsjCCAVigAwIBAgIRANhjXurO8ndwTyO+oKZyFzMwCgYIKoZIzj0EAwIwFzEV +MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MDgyNjE0MDgwNFoXDTI1MDgyNzE0 +MDgwNFowHzEdMBsGA1UEAxMUQ2xhbiBJbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjO +PQIBBggqhkjOPQMBBwNCAAQHcxwLRX7EdzQMq1vBoi0e1ZQ2n5SjEyWpUqLWvfwo +i1ffr7RT7CsjBvtn+YH1cdW+9mYl67O+t1+A53PhuHOGo30wezAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUhuILtVrhaLygOgL2 +puK8KYWgFPIwHwYDVR0jBBgwFoAU+egcx/ayqGmZ8oiw65x8SNHOGqQwFQYDVR0e +AQH/BAswCaAHMAWCA2ZvbzAKBggqhkjOPQQDAgNIADBFAiEAq2b75CM5mB26FyOJ +76utOu70Cq3QjlrdFBdVthmloiACIHvIf4sJ1CpF3gNKVYILX5e+JlPfMmJviezp +Eeqofjql +-----END CERTIFICATE----- 
diff --git a/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/machines/ca b/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/machines/ca new file mode 120000 index 000000000..d353872a0 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/machines/ca @@ -0,0 +1 @@ +../../../../../../sops/machines/ca \ No newline at end of file diff --git a/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/secret b/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/secret new file mode 100644 index 000000000..ef159a838 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/secret 
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:Ikcyds0f4Wpi6C6BLF/YmTVJDcUpH8UB+mdQMTl2/Tm14TDN0IudURj2HKhzkuvQ5M5VqIaIe+IIjJkCV+nIu/jr77HdS6TXmGkuSr0ssgpFu+Ak9jKFbnWkm0Ct6tekBdys5zXb4z1o7WFCwtHxa1gZlnTPRLekeTPIImSJhdESz5myEm7/253eJLs9G9Z8RPld/RnHgDYFUPbY802fm6nnaviBcnpIyTtAGaxB+8nt709i3Tg3nkcgLeYl7a92TAY0aaKMKirH9gHo1aFPRl7Ywh5dTU/HVBnisOdSwDqAoeE=,iv:56xxcM0peRgJvvwcYsu+38SA0D6IzAxh5Nt4ZOBP3js=,tag:r9jZGnYTWyVwt/pwidyC8A==,type:str]", + "sops": { + "age": [ + { + "recipient": "age19azjd5xvnrwdt2sckupmpk40ayvevsxktcyt43x2fzg5qyzhe9rsu6a6es", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOWZlSlV1dWs3Ry9aemlE\ndTZMOVU3V09QdEIwajJNY1laQUFTeUdIK1E4Cml0WTRsSTdxbjR4SHVBVkxQSE00\nQnF5VmhwZEQ5c2NwbUJwZTI4V2lpczgKLS0tIFZUL3ZaNTlBOTRSN2tYZUJad0Ro\nSm1XK3lZQXpMZmwra3AxQXlmM08wVXMKsXJI1fZFoqhCuXoRpbvBMOftIa6J8pXz\nV5fbFSgykKBODJaN9FghxRzQEVeu6wVmTr7sWh28mkUmIbVzXA0f5A==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3aituOUdFN1VBSG5pTzVE\nUyswdDBtQlgvaHVVK3loaGNPckVsbkJxMWs4ClJ2TW8vNytkcnR3TkllWExpUHlI\nSVF0cXlXUll2TUszMTA5Y1A1KzJKbE0KLS0tIGVhN09YWUNIRGF3a01UVXN1alBD\nTnE5U1NRbGhsRnlWWFJaUjdvODZMZkUKMS7IOPp54M6j7l/ueG1EjNM8hUd2dnbp\nqlKjqqa9oMXIVabGFEYQ7NRoWQ3+3On9PmZtAJ7oiL4lqRJDHS+crg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-26T14:02:32Z", + "mac": "ENC[AES256_GCM,data:zMdyBvy1nyeKXDcR8+BkIYj0Gbz8omUNHZRqiOAW3M1Lrq/N15g7OY9XF9wD1GN/jhcvF6YX+1Lz5J2NY0SYlVTPj5JAGhKRmHSwOey1fcuc9RU83mt6zaPMFTWevpz2BUrTTb0pzs6kSeH3xgYU+kCgmxfoy2bq5LcPWxqyarg=,iv:lDE9UUwy8CAhSXX+l7hWL3besOXbOpyM02fe2hnsHZM=,tag:80Cv63PI+AKI6OPEOxTwlg==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} 
diff --git a/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/users/admin b/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/users/admin new file mode 120000 index 000000000..ca714e122 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/ca/step-intermediate-key/intermediate.key/users/admin @@ -0,0 +1 @@ +../../../../../../sops/users/admin \ No newline at end of file diff --git a/clanServices/certificates/tests/vm/vars/per-machine/client/state-version/version/value b/clanServices/certificates/tests/vm/vars/per-machine/client/state-version/version/value new file mode 100644 index 000000000..115ab7a6a --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/client/state-version/version/value @@ -0,0 +1 @@ +25.11 \ No newline at end of file diff --git a/clanServices/certificates/tests/vm/vars/per-machine/client/step-ca/ca.crt/value b/clanServices/certificates/tests/vm/vars/per-machine/client/step-ca/ca.crt/value new file mode 100644 index 000000000..5409d771c --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/client/step-ca/ca.crt/value @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBcTCCARegAwIBAgIQMH18dheoru4OCktLPdYUmDAKBggqhkjOPQQDAjAXMRUw +EwYDVQQDEwxDbGFuIFJvb3QgQ0EwHhcNMjUwODE4MTQxNDUxWhcNMjUwODE5MTQx +NDUxWjAXMRUwEwYDVQQDEwxDbGFuIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjO +PQMBBwNCAATRJojRdb/XI8IV1HGg+Bi6JwCmodYp0Vgqail6qaZOOzeKiJSIgsKr +3PqN6V08ZVLVqA9UCE4+ygdT0E6bpCsjo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYD +VR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUzAtD4krw/UgCl4GuHTVVd6gWqRgw +CgYIKoZIzj0EAwIDSAAwRQIhALtzU+KgcthW0QT4RF6wg2MLjNnHL9RoVkGKHFeQ +heFgAiBsuvy0XnUojhLDN3prOB+dHkNK8O26jjmcEfa73/19VA== +-----END CERTIFICATE----- 
diff --git a/clanServices/certificates/tests/vm/vars/per-machine/client/step-ca/ca.key/secret b/clanServices/certificates/tests/vm/vars/per-machine/client/step-ca/ca.key/secret new file mode 100644 index 000000000..6f254492d --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/client/step-ca/ca.key/secret @@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:Tq6Ufw0Q/lQfUTaGQLRwVI3IprumLYZ2fm96WxmuRGhB5DJnAM8n6VmKTf8Pa7agClk7HcgJZV0EhHYFkb/BHLl38p2vjYA54KMtmdLkVfHHujxsL4ApJ47m4bXh9iMaYO47e7vqxjvpaQD3OC81kyh7qa4NuV/RMUo3ePv1S3EA6IPBYtAz1b+X4KFpvOqZd0sQ/spmcsgXF5s0bbYJ9LILXJOauw95z28dQcJ7nQeBQ8xJ3v4rwesJ2uDCEZ0f4nkEvM0Q8zuuo2tWh71vIQ/G4mFNAFbiz6XC8lOLAqfVqtM=,iv:wSsq9empaj9lZxVwniX7gHYEkBc+X8cDGwBLOPAu1y8=,tag:uYVbsF+BpbzIGKeY0k5uTg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQkppL0g3RmxxTnV1L0Vr\nUjhVc1VuMjNqUFNicGk1RGp1UENlemFDSGc4CnVvNXM3KzFES21ocE02LzR0MmJJ\nODlWSmxEa2J3TWNmV000bzFVU25jOU0KLS0tIFZmS2JHRmtvU1RldmRFekZxQUlo\nblBzNzNYa1oycWtkMHkxcFc0Qk5ZL0EKfEE4xTMygk0nMf3gv/Hju0PJ3rAqoMHl\n9oA7LOydypaeniWQFFqdSY+/2A+VMIVJhF90IKVbpGHkXn9aNWVCCg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-18T14:14:52Z", + "mac": "ENC[AES256_GCM,data:Bujh9M46eQes33DmvrKREoYDVPDy7s1SmBhaa9RHUMbftHyDYuorw4Pb5OVKKO1EqeoWWrTEeSw7pm8oQkCjdEehMLQ83izVfh0MVoaPdm+0FR/GVB9Xi0LOAAEfELlpH75h1zX8OoFquA1ny693/NNs+bD+0NuhuT4WM0a9hYU=,iv:kgS6+nQrmQyB62Cmcas5T/JZhb0r45S9ksWthO7kOO4=,tag:H09UiFFri6DJOMIpeZARLA==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/clanServices/certificates/tests/vm/vars/per-machine/client/step-ca/ca.key/users/admin b/clanServices/certificates/tests/vm/vars/per-machine/client/step-ca/ca.key/users/admin new file mode 120000 index 000000000..ca714e122 --- /dev/null 
+++ b/clanServices/certificates/tests/vm/vars/per-machine/client/step-ca/ca.key/users/admin @@ -0,0 +1 @@ +../../../../../../sops/users/admin \ No newline at end of file diff --git a/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-ca/ca.crt/value b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-ca/ca.crt/value new file mode 100644 index 000000000..3e800203b --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-ca/ca.crt/value @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBcTCCARegAwIBAgIQVY2mELDu4eW6GuKsMC77tjAKBggqhkjOPQQDAjAXMRUw +EwYDVQQDEwxDbGFuIFJvb3QgQ0EwHhcNMjUwODE4MTI1NTUwWhcNMjUwODE5MTI1 +NTUwWjAXMRUwEwYDVQQDEwxDbGFuIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjO +PQMBBwNCAAREnN+oYXxsE64OrCQ1JOV5O8p/Qp02t8oFkEMFXy/9O9jDQKLuzpwB +HKcVEg7oxxJLYBj8qLV7NubYrueGZ2S2o0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYD +VR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUo4rj5z6Ng0YJlX+31A5x42aPLQsw +CgYIKoZIzj0EAwIDSAAwRQIhAIOlVnsb9WRCFmOq6Wl9yJLDFXr3Lv6zBsyl1OH6 +LjgNAiBn06NVf35AB8sijUlDgYLGX7wB5xULm6p4Vzy7iW1RgA== +-----END CERTIFICATE----- diff --git a/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-ca/ca.key/secret b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-ca/ca.key/secret new file mode 100644 index 000000000..4de22fb54 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-ca/ca.key/secret 
@@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:zlLEZEN8CUsBoQODyB2keop3ZBRb5+eQc49oSyuewQbB18C55b2kQg5sjXXhu/5IK1dKt63mRlY0itVCgyDKjfStiMyoJ33EGOr19nSp8hZjpE6krTyKvzmo49rch8Y9Rq5/OkoFE6HEHHvMB2BJAtluWQrDYhnW39phhZm3Qm00x+FG8buP/2dYudOxi2Lq2axTYnljxHya5OKJcH7IQs42YAgTEs8NYYKcPZBRhQMvars4El6EQZ1A1sag4xcUnkoHi6m7zDqKxG7+87t8mwdWriqKGh6TlBqhQ/wfA5rDYjo=,iv:QbhJ4rja9yVKUQZcSbzXYI9EQmcf4BsM4nOKSW4eOlM=,tag:5+Q1zvZCrIYbR4yG/xeiyQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucU5GZkRUU2hLY2t2S3lY\nZkcrK1Nmd0VCdHo5NXF5M01FN1doRFpyOGpvCkhDM1RDY0oyTWZQY1cvZjFVWHUw\nc3JwSXhlWkZxL1h1NnVwTTdUdUQ3MWMKLS0tIEw2dnBtaE02WEtPSWVEaDhKVkUx\nbHZzejd0ZjNDSFVKRTRQSVpWVVVjc1UKXCV4lvPwfAFlwC4qYsRrsmWDpSsTHbK2\nPEstxYph8TlKiuwvvWP0aM5erGKItJU0tGSU+gl/AjklvVc1n9RA5A==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-18T12:55:53Z", + "mac": "ENC[AES256_GCM,data:o6pX9WPTXDQDRfK2HuiOTzxvJzbeuIi4qR2xXWVBBviqq7IIsWI00QaJodlZaEHMikgkpMTH6IiiOfXuLEZoJT+lLOeTmfC/dozqHiRIVQPJXyPO7LIpfYSALTiJtuu+MLzjLSwEmKQ6Lus7zTygdHXjjcg1NkTjwotvixms83Q=,iv:A3S5hhEnPp98k9E/ZxqzJRI7BFediPYwPy0Crg8++Xo=,tag:FKU+xMw/6Hv5UtEK+ubfRQ==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-ca/ca.key/users/admin b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-ca/ca.key/users/admin new file mode 120000 index 000000000..ca714e122 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-ca/ca.key/users/admin @@ -0,0 +1 @@ +../../../../../../sops/users/admin \ No newline at end of file 
diff --git a/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-cert/intermediate.crt/value b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-cert/intermediate.crt/value new file mode 100644 index 000000000..c3248e5a4 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-cert/intermediate.crt/value @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBuzCCAWGgAwIBAgIRAM5RGHll1s7935SFPOY4VaQwCgYIKoZIzj0EAwIwFzEV +MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MDgxODEyNTU1NloXDTI1MDgxOTEy +NTU1NlowHzEdMBsGA1UEAxMUQ2xhbiBJbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjO +PQIBBggqhkjOPQMBBwNCAASqEX8K41uSBLNOKGTXgnqzaHVszCkGteXucbZ3nB7d +lLSv16LwkfwP6/OGT28aA5bdUP7rLkOqiNLYJds6wc+Io4GFMIGCMA4GA1UdDwEB +/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSUYY0vEuByyVbc +sDElofzWjhUW+DAfBgNVHSMEGDAWgBSjiuPnPo2DRgmVf7fUDnHjZo8tCzAcBgNV +HR4BAf8EEjAQoA4wBYIDZm9vMAWCA2JhcjAKBggqhkjOPQQDAgNIADBFAiAbecV2 +6HtUM7ohufLkWZ5EyeTX44ofcwmSY+eVzY0jQAIhAN0dRDWFmmCMUydwhjWc9lqM +OlBsJUfyLEF/0p9Thij1 +-----END CERTIFICATE----- diff --git a/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-key/intermediate.key/machines/peer1 b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-key/intermediate.key/machines/peer1 new file mode 120000 index 000000000..3e5f3fae3 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-key/intermediate.key/machines/peer1 @@ -0,0 +1 @@ +../../../../../../sops/machines/peer1 \ No newline at end of file diff --git a/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-key/intermediate.key/secret b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-key/intermediate.key/secret new file mode 100644 index 000000000..dfeb0c515 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-key/intermediate.key/secret 
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:8MCdfLve9QyxQexDmlwm2FT05CEYFfofpZBtOtvH9kXYmo1Et2qj2L/kAS9yXtY+GX1k6wwu26fPLdhOvbKj2KL7bfj1zHTOcdFD2pr7aOFokPyHEfVNzbwsX7qafVf4GXgutJ3msCCoMsRdgJH+B1zpDFL/diRbz+EfYaSFGEv/N10o74yMaivr1ms+kLiwvW4R0sY6Np98jKD8KTOI1FugVJ9u/eiM02l5A/waJ3XBL/7CG9we6VOnu/NGtHrZnErmYQTPqLwheKPLDYjoMY1M+xjn2m/Qvn8sRPRODtxH0TE=,iv:U8+DPuKQorIh3IWWd2YZoxRLTOMx+qMqcGMJAfjma8M=,tag:Sy9N2r1YdPuvB+Co3k7R8Q==,type:str]", + "sops": { + "age": [ + { + "recipient": "age172ggu2vq92c8c7l5ytcr96whp0qwe0vuyxuenxwvr6rc2xfdcsqsffg76w", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSmNjaHZ5VmF6SW11R0pl\ndkpKNjZ3YlpLN05TNkt4dnVtU2xld3Y1TFVvClVPMTVSclZJTFE0azVFVzRMbEJo\nT2lUTGxSZ1JtNjczTmwybUN5QWY3Z1UKLS0tIEF3VkZNaHBldGZrOXVTSE8rZnRi\nTVZxY0tRc3VadFpreU9ud1FGdE55UVUKhEZhNJjSP7HMqWVEKj93LuHUe9ci/0AS\nKiIWz3x1FbV5GjTDcV8+7LGBTJlUJNivXpDi6I63KrPs5Z0MQf+WKQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQjExdFhwSHNvaWRhMk91\nOWpuQ3cvNkN0VlM4WEQzQitrd0xQdkxiWEdZCjBGa25iWFROQzdUelBwZmpHaXdB\nTmNOV1EvQTM5bVNhYXNuNGpibEtacm8KLS0tIDVTalpKTEpYTFJWM2lCeGlzaWZB\nQiszbjVDVitFVDRmU2xBSUxqNmVYVFEKraf5csqKURqc84ZtBrMOo6iWoVMCh+P7\nEAaSCOjYILcF85jMKB7nBzKOMsbNjqKzb0piSfSw8YuzDGPyq9Cseg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-18T12:55:54Z", + "mac": "ENC[AES256_GCM,data:AMp0ICuDl8UVzo2R2K7OLIj1vONM7JCF3l3J//ach7FYeUGBRLd+4jtnImshUqcbisspkTH76UyJ2PbS1yZ8pmfI6peKY5F2YicZZT1Jro+RUS7xRBNme6yNxphysah4qrQpllwArbq196tL2AB7bVptuW3XRTZI1lBFQQfyYvI=,iv:FDkDOC5dA6fMjpbkP21Fr5ORL3CkFN1RP9Bwm8OR5f0=,tag:jfFbumpj5C+9+HBS+PCAkQ==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} 
diff --git a/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-key/intermediate.key/users/admin b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-key/intermediate.key/users/admin new file mode 120000 index 000000000..ca714e122 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/peer1/step-intermediate-key/intermediate.key/users/admin @@ -0,0 +1 @@ +../../../../../../sops/users/admin \ No newline at end of file diff --git a/clanServices/certificates/tests/vm/vars/per-machine/peer2/step-ca/ca.crt/value b/clanServices/certificates/tests/vm/vars/per-machine/peer2/step-ca/ca.crt/value new file mode 100644 index 000000000..67e8bce8d --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/peer2/step-ca/ca.crt/value @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBcjCCARigAwIBAgIRAM3Ky//FRGgr4QAt6CcjzrAwCgYIKoZIzj0EAwIwFzEV +MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MDgxODEyNTYwMloXDTI1MDgxOTEy +NTYwMlowFzEVMBMGA1UEAxMMQ2xhbiBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZI +zj0DAQcDQgAEV6UDjf7eOJii/ex15P0obxSSJVH5kAV1VIR5R3M9T0lHRbNrxzD7 +DztM631LylH2LEEHBx1PvVX6j7MvyQ82+6NFMEMwDgYDVR0PAQH/BAQDAgEGMBIG +A1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFIplQmuE2ucTxJK8qCNbxyHAPxRf +MAoGCCqGSM49BAMCA0gAMEUCIQDKxp2MTpENOmcxHEGOfVVc88TQ905xLUouG4R2 +T2IARgIgetDda0YoaBlL8VQyZPJitLJftiIg1wU9MYi1ZXAw4cE= +-----END CERTIFICATE----- diff --git a/clanServices/certificates/tests/vm/vars/per-machine/peer2/step-ca/ca.key/secret b/clanServices/certificates/tests/vm/vars/per-machine/peer2/step-ca/ca.key/secret new file mode 100644 index 000000000..2d8fe5a44 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/peer2/step-ca/ca.key/secret 
@@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:zSYOLttNMgmglHSrZkU7KRQh0Ba1bmEynVYsrKlJlMi7uXI2RiAqWyNvUqlbxQbKexClhklLHKizgDbZGglKdDsGYyUUb5Hh4Ev1H1ciLdOgab5/znpE+dCDXwbir9V+SvXJI0LoaLj7kzqpWwTyNJdx53WUlp6BOvdxzyg/JOaMUQqXr2F6q3dDeWTFz2vEEImIjMUdgbn3y/JYfzzr2H1B0nwjicaFQnVL7bWcvsGydCekfZYZ/XKzxXCMIdariy+A/vfKPcsiBX5Y/yC75VDk5o1cZsnVk5Ijd2opyU+y+qM=,iv:XKwj51285y/ipGUackCqnDl/r0+y/cLFUX0/KDc3SZI=,tag:dD2Tv+lVpok25ViHHokH+A==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTXo3RG5NcmlOUEVVakR3\nZHBMVUlNTXQybXVtbVpITVREdlF3RWI4Wlc0CmUxL2dRalRSKzFLaVlObjZTcjBt\nMWZLR3gveGJ2dGlJZm4vTmFMZ0lsVE0KLS0tIEpDTEYwbUpXMitEK2tFTGh2RGpr\nazRMMEFHaUU1U2puaXFjbVZFR3BKVzAK2HJ2atFUm2WjCTADmNrgM6q0SdA0CSgd\nXrwsjIBliYJRA4//a72OS7h+ihuT9WaVef8HsBrmcGYCHA+xkOURxA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-18T12:56:03Z", + "mac": "ENC[AES256_GCM,data:0f2qel/KEj+slkwDB/X2UmC2X/gC2peZiQ4ocUbTc8o73djwQWnoRQX92eVLWm85QVLXUYfZIWxt8FzadrZkVSkod3UOM+s1Nz7CE67pbaXTpLhprsKn8gB7yorjpfvh/wyS13FaTFcg1ADuifYyvawNtdYL8O8INKVobP92eTU=,iv:5SRUUaJCFQTnKROdaYjvwWgdF4BIsN6PrC1mcf77YdA=,tag:VB9Q3GaCI2OJNuC0NMoQwA==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/clanServices/certificates/tests/vm/vars/per-machine/peer2/step-ca/ca.key/users/admin b/clanServices/certificates/tests/vm/vars/per-machine/peer2/step-ca/ca.key/users/admin new file mode 120000 index 000000000..ca714e122 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/peer2/step-ca/ca.key/users/admin @@ -0,0 +1 @@ +../../../../../../sops/users/admin \ No newline at end of file 
diff --git a/clanServices/certificates/tests/vm/vars/per-machine/server/state-version/version/value b/clanServices/certificates/tests/vm/vars/per-machine/server/state-version/version/value new file mode 100644 index 000000000..115ab7a6a --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/server/state-version/version/value @@ -0,0 +1 @@ +25.11 \ No newline at end of file diff --git a/clanServices/certificates/tests/vm/vars/per-machine/server/step-ca/ca.crt/value b/clanServices/certificates/tests/vm/vars/per-machine/server/step-ca/ca.crt/value new file mode 100644 index 000000000..8ba55739a --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/server/step-ca/ca.crt/value @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBcTCCARigAwIBAgIRAK453T0q6Pc6aOBt5ns6gVgwCgYIKoZIzj0EAwIwFzEV +MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MDgyMTExMDk1NVoXDTI1MDgyMjEx +MDk1NVowFzEVMBMGA1UEAxMMQ2xhbiBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZI +zj0DAQcDQgAEtLtVFzN7mJcY2DdlpTT0j2q5GAuA++MvKhzmUsfnKZ1OzfwOjHfL +8Ru/s+a2nzWErlJZ+Z4p7ZrW0xZz6pzKd6NFMEMwDgYDVR0PAQH/BAQDAgEGMBIG +A1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFLPmgLi7xaOyEDfMcZEEhh6+JdYL +MAoGCCqGSM49BAMCA0cAMEQCIDO0M6GRET8/4Lwc5yINbIlW7aycCV8H+edU8iAz +HnM7AiBbirjn0iVo6usJUGJt5ohTfSVTnBi0PPb2Pjyh6OjS3Q== +-----END CERTIFICATE----- diff --git a/clanServices/certificates/tests/vm/vars/per-machine/server/step-ca/ca.key/secret b/clanServices/certificates/tests/vm/vars/per-machine/server/step-ca/ca.key/secret new file mode 100644 index 000000000..e3a7605da --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/server/step-ca/ca.key/secret 
@@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:ydnH/j+bqa4PaRPcf8GPSry+xViZ/qCxnzHMGQFXdDt7PWE/fYyekPZ1e5294afC0XNzvMKUQpNDAEgPdZlvGQG9PGeKIhG8u82J8EwSB/aKDFWpPXYNEJAUReuJV1baP+vJLWooLYySylHC+j/cR3LfqvVU/O7zmpIY8yihe0oLOPTWf2jEJrTwNMYiF3oAKOVpZsQ7JIW2UXJhJ6AYmbUp2/CdlHzwI1ydc55OXQknQnbTAeoXBI6KUKAUHzC4CqxPecGuL2e/QgZFiuIvkIPoF1T/DZZLG2KIaEMBMSgPfVw=,iv:vZEXlQHwtNMu1GKuQFZyZ1iLZPhz1QCwZWTjVaAC5i4=,tag:dTXEdaj4/EWIq7gfcNu2iw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMDdkK3dQTUl1L29Ca2Yr\nYndPT0FJcjY1YmJ5a2Z5aS90RmFsUTIwNW13CnB4MCtSNkJaMlhpQlk3dWVqR3VH\nakFaRi82dDdUMktSZml6N01WYlBOR1kKLS0tIGR5eVhQc2Vkekc5UEd5SVZqZkcv\nYndLSVpGT2VKeEVKYmsvTXE3ODV6d3MKgcZe/uYatholk+0nmPb0Q7YGX7aMZjxx\nqmUB8F3G72i1eZHAR7fXffXpQuCPSD110OE46NtG6aNa6M2Fe6JKpA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-21T11:09:59Z", + "mac": "ENC[AES256_GCM,data:bc2HGcsDoCbekdQXEjPeaK0gZd/4I6LwYNzY4Houg4QeI0lVKdUYcPazQSHrWAdSqZflYjyqc0BdFl6LWfkGra7RCLsnqehehF+KsmKAfJmrU0oa70JVRrP97hPugB+Hu1wV+lAByM4CviC91AO4RwdQzEagXy6a/1sBadvTu0g=,iv:UPD9fCpOZlwPjtKBImv5DTbiinDjroM+LS3FzN5VTJ8=,tag:7hIvYK6LaBkjY+Kw18az5g==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/clanServices/certificates/tests/vm/vars/per-machine/server/step-ca/ca.key/users/admin b/clanServices/certificates/tests/vm/vars/per-machine/server/step-ca/ca.key/users/admin new file mode 120000 index 000000000..ca714e122 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/per-machine/server/step-ca/ca.key/users/admin @@ -0,0 +1 @@ +../../../../../../sops/users/admin \ No newline at end of file diff --git a/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.crt/value b/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.crt/value new file mode 100644 index 000000000..93a7c0baf 
--- /dev/null +++ b/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.crt/value @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBcTCCARegAwIBAgIQSdkvT2W8pqB3FRl8QxcP3zAKBggqhkjOPQQDAjAXMRUw +EwYDVQQDEwxDbGFuIFJvb3QgQ0EwHhcNMjUwODI2MTQwODAyWhcNMjUwODI3MTQw +ODAyWjAXMRUwEwYDVQQDEwxDbGFuIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjO +PQMBBwNCAATZI+8Q8kkMQTvdJsCMQqWdYscvxcMbRjZCnWCh72uyYgzejsZETkYJ +Ns+oADB3ogLb5mY9o7dmaoLzsRUH+FSxo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYD +VR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU+egcx/ayqGmZ8oiw65x8SNHOGqQw +CgYIKoZIzj0EAwIDSAAwRQIgcBF5zlTtMO0Pr9b7ZN9yEYKEdigj6T11g/vXPwsV ++coCIQD2zarT6BYA2HhD0TZGBPELXQPpwnGMjwY/xMWIzNdr5g== +-----END CERTIFICATE----- diff --git a/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/secret b/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/secret new file mode 100644 index 000000000..426e2339d --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/secret 
@@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:vVcVCRV8wTbPGCsR2t8iD0uOoBk7uefKmpvIqmeHSIfVyCubElWovRJdjpJyy0P3ZJrU1smvaV01XWpBoOhb+YW+cLVMQ0l6zZUs6KbzCnJ7fvZUtbyvkVPCJRt5PSftCskWGJRzCtwYbDh4hRkIPHfW2rwsB6hVutLFZMTDp8tEK8hE9sic2/1CqNztJZpyik3gUgZdxOZ9LiBVPsdos1tEcmUMSi9E7y0zc7pLXIn5uIiMZIz0XTCAu2tLDpCWqi+vQIr8oVz4EmscvFmsVMcs/Xk8ctm3ZCjt8BoPjZ34vnA=,iv:ye6Vmk7YB3YPOJIiysgqaCM/4aWyME3pqEkMfYJmwkA=,tag:HkgL//NSSASpyJzqEzxLeg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbVgvS3ZzT21QOTRrZjNT\nMlR5U01BRzRRVG1HOUZVbzZDUmhpRk1lbGxFCnlSVU1kY2NIV0wrT01CcXhKVDVW\nK0h5TDRDN0RMUGhKTWp5OVdubStSY1EKLS0tIG1NSXozbDUzZTFKclZvR2xqaWlk\nSisxQ1kyY3JWdzRmMy9hak5scjd3L3cKgDD4cAWv+e7DTPKyUiWSgM9K+gshYHCu\nuA8g7y3mHhFXsPPg0AJJpRl8afltc2Z9TX/OpZvRSHbZWAAuFj0T7A==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-26T14:08:02Z", + "mac": "ENC[AES256_GCM,data:mbLKJbQ4kwwic5ghVEGSl7BykyEE4c+JPujnNQSJw7JoBHx42XBHVuC3o6vXsb11LizFYiRPUaDkKX67FCQAVWMy3c10aFqLvxsp1Y/NAurZAPAdh7Zo5UoI8CCCR+hzs3KtQ/YwjJJg7vj7mZrfDtR9Qkhk2H8hY3engRf698Q=,iv:WD1l+ubMXAdPWWNFNkEwoGReuYbUwrf6DJmbnkGWcck=,tag:P0OrmfgJ6aOSrNIaW7YR1Q==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/users/admin b/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/users/admin new file mode 120000 index 000000000..f14859ae0 --- /dev/null +++ b/clanServices/certificates/tests/vm/vars/shared/step-ca/ca.key/users/admin @@ -0,0 +1 @@ +../../../../../sops/users/admin \ No newline at end of file diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index 6b1616709..22265bd99 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml 
@@ -94,6 +94,7 @@ nav:
 - reference/clanServices/index.md
 - reference/clanServices/admin.md
 - reference/clanServices/borgbackup.md
+ - reference/clanServices/certificates.md
 - reference/clanServices/coredns.md
 - reference/clanServices/data-mesher.md
 - reference/clanServices/dyndns.md
diff --git a/lib/test/container-test-driver/test_driver/__init__.py b/lib/test/container-test-driver/test_driver/__init__.py
index ead6e9723..26f61326c 100644
--- a/lib/test/container-test-driver/test_driver/__init__.py
+++ b/lib/test/container-test-driver/test_driver/__init__.py
@@ -268,8 +268,14 @@ class Machine:
 )
 def nsenter_command(self, command: str) -> list[str]:
+ nsenter = shutil.which("nsenter")
+
+ if not nsenter:
+ msg = "nsenter command not found"
+ raise RuntimeError(msg)
+
 return [
- "nsenter",
+ nsenter,
 "--target",
 str(self.container_pid),
 "--mount",
@@ -326,6 +332,7 @@ class Machine:
 return subprocess.run(
 self.nsenter_command(command),
+ env={},
 timeout=timeout,
 check=False,
 stdout=subprocess.PIPE,
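Review bot: The reason `nsenter_command` now resolves an absolute path is not stated in the method, and it only becomes clear from the later hunk that passes `env={}` to `subprocess.run`: with no `PATH` in the child environment, a bare `nsenter` would be searched for only in the interpreter's default path. I would put that in a comment above the lookup, e.g. `# Resolve nsenter to an absolute path here: the caller runs this with env={}, so PATH is not available for the lookup.` The method also has no docstring and can now raise, so a one-line docstring naming the `RuntimeError` would help callers. `import shutil` is not visible in this hunk, so confirm the module already imports it; the returned list continues past the end of the hunk.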
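Review bot: `env={}` in the `subprocess.run` call also removes `PATH`, `HOME` and the locale variables from whatever `command` ends up executing inside the container, and the hunk does not show how `command` is wrapped, so it is unclear whether the inner process rebuilds its own environment. If the intent is to keep the test runner's environment, including any credentials exported there, out of the container namespaces, say so next to the argument: `env={},  # do not pass the host/test-runner environment into the container`. If the commands rely on a login shell or similar to set up their environment, a short comment naming that dependency would keep a later cleanup from breaking it. The enclosing method starts and ends outside the hunk.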