Add certificates service
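--- a/clanServices/certificates/README.md
+++ b/clanServices/certificates/README.md
@@ -0,0 +1,32 @@
+This service sets up a certificate authority (CA) that can issue certificates to
+other machines in your clan. For this the `ca` role is used.
+It additionally provides a `default` role, that can be applied to all machines
+in your clan and will make sure they trust your CA.
+
+## Example Usage
+
+The following configuration would add a CA for the top level domain `.foo`. If
+the machine `server` now hosts a webservice at `https://something.foo`, it will
+get a certificate from `ca` which is valid inside your clan. The machine
+`client` will trust this certificate if it makes a request to
+`https://something.foo`.
+
+This clan service can be combined with the `coredns` service for easy to deploy,
+SSL secured clan-internal service hosting.
+
+```nix
+inventory = {
+machines.ca = { };
+machines.client = { };
+machines.server = { };
+
+instances."certificates" = {
+module.name = "certificates";
+module.input = "self";
+
+roles.ca.machines.ca.settings.TLDs = [ "foo" ];
+roles.default.machines.client = { };
+roles.default.machines.server = { };
+};
+};
+```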
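--- a/clanServices/certificates/default.nix
+++ b/clanServices/certificates/default.nix
@@ -0,0 +1,242 @@
+{ ... }:
+{
+_class = "clan.service";
+manifest.name = "certificates";
+manifest.description = "Sets up a certificates internal to your Clan";
+manifest.categories = [ "Network" ];
+manifest.readme = builtins.readFile ./README.md;
+
+roles.ca = {
+
+interface =
+{ lib, ... }:
+{
+
+options.acmeEmail = lib.mkOption {
+type = lib.types.str;
+default = "none@none.tld";
+description = ''
+Email address for account creation and correspondence from the CA.
+It is recommended to use the same email for all certs to avoid account
+creation limits.
+'';
+};
+
+options.TLDs = lib.mkOption {
+type = lib.types.listOf lib.types.str;
+description = "Top level domain for this CA. Certificates will be issued and trusted for *.<tld>";
+};
+
+options.expire = lib.mkOption {
+type = lib.types.nullOr lib.types.str;
+description = "When the certificate should expire. Defaults to no expiry";
+default = null;
+example = "8760h";
+};
+};
+
+perInstance =
+{ settings, ... }:
+{
+nixosModule =
+{
+config,
+pkgs,
+lib,
+...
+}:
+let
+domains = map (tld: "ca.${tld}") settings.TLDs;
+in
+{
+security.acme.defaults.email = settings.acmeEmail;
+security.acme = {
+certs = builtins.listToAttrs (
+map (domain: {
+name = domain;
+value = {
+server = "https://${domain}:1443/acme/acme/directory";
+};
+}) domains
+);
+};
+
+networking.firewall.allowedTCPPorts = [
+80
+443
+];
+
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+virtualHosts = builtins.listToAttrs (
+map (domain: {
+name = domain;
+value = {
+addSSL = true;
+enableACME = true;
+locations."/".proxyPass = "https://localhost:1443";
+locations."= /ca.crt".alias =
+config.clan.core.vars.generators.step-intermediate-cert.files."intermediate.crt".path;
+};
+}) domains
+);
+};
+
+clan.core.vars.generators = {
+
+# Intermediate key generator
+"step-intermediate-key" = {
+files."intermediate.key" = {
+secret = true;
+deploy = true;
+owner = "step-ca";
+group = "step-ca";
+};
+runtimeInputs = [ pkgs.step-cli ];
+script = ''
+step crypto keypair --kty EC --curve P-256 --no-password --insecure $out/intermediate.pub $out/intermediate.key
+'';
+};
+
+# Intermediate certificate generator
+"step-intermediate-cert" = {
+files."intermediate.crt".secret = false;
+dependencies = [
+"step-ca"
+"step-intermediate-key"
+];
+runtimeInputs = [ pkgs.step-cli ];
+script = ''
+# Create intermediate certificate
+step certificate create \
+--ca $in/step-ca/ca.crt \
+--ca-key $in/step-ca/ca.key \
+--ca-password-file /dev/null \
+--key $in/step-intermediate-key/intermediate.key \
+--template ${pkgs.writeText "intermediate.tmpl" ''
+{
+"subject": {{ toJson .Subject }},
+"keyUsage": ["certSign", "crlSign"],
+"basicConstraints": {
+"isCA": true,
+"maxPathLen": 0
+},
+"nameConstraints": {
+"critical": true,
+"permittedDNSDomains": [${
+(lib.strings.concatStringsSep "," (map (tld: ''"${tld}"'') settings.TLDs))
+}]
+}
+}
+''} ${lib.optionalString (settings.expire != null) "--not-after ${settings.expire}"} \
+--no-password --insecure \
+"Clan Intermediate CA" \
+$out/intermediate.crt
+'';
+};
+};
+
+services.step-ca = {
+enable = true;
+intermediatePasswordFile = "/dev/null";
+address = "0.0.0.0";
+port = 1443;
+settings = {
+root = config.clan.core.vars.generators.step-ca.files."ca.crt".path;
+crt = config.clan.core.vars.generators.step-intermediate-cert.files."intermediate.crt".path;
+key = config.clan.core.vars.generators.step-intermediate-key.files."intermediate.key".path;
+dnsNames = domains;
+logger.format = "text";
+db = {
+type = "badger";
+dataSource = "/var/lib/step-ca/db";
+};
+authority = {
+provisioners = [
+{
+type = "ACME";
+name = "acme";
+forceCN = true;
+}
+];
+claims = {
+maxTLSCertDuration = "2160h";
+defaultTLSCertDuration = "2160h";
+};
+backdate = "1m0s";
+};
+tls = {
+cipherSuites = [
+"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+];
+minVersion = 1.2;
+maxVersion = 1.3;
+renegotiation = false;
+};
+};
+};
+};
+};
+};
+
+# Empty role, so we can add non-ca machins to the instance to trust the CA
+roles.default = {
+interface =
+{ lib, ... }:
+{
+options.acmeEmail = lib.mkOption {
+type = lib.types.str;
+default = "none@none.tld";
+description = ''
+Email address for account creation and correspondence from the CA.
+It is recommended to use the same email for all certs to avoid account
+creation limits.
+'';
+};
+};
+
+perInstance =
+{ settings, ... }:
+{
+nixosModule.security.acme.defaults.email = settings.acmeEmail;
+};
+};
+
+# All machines (independent of role) will trust the CA
+perMachine.nixosModule =
+{ pkgs, config, ... }:
+{
+# Root CA generator
+clan.core.vars.generators = {
+"step-ca" = {
+share = true;
+files."ca.key" = {
+secret = true;
+deploy = false;
+};
+files."ca.crt".secret = false;
+runtimeInputs = [ pkgs.step-cli ];
+script = ''
+step certificate create --template ${pkgs.writeText "root.tmpl" ''
+{
+"subject": {{ toJson .Subject }},
+"issuer": {{ toJson .Subject }},
+"keyUsage": ["certSign", "crlSign"],
+"basicConstraints": {
+"isCA": true,
+"maxPathLen": 1
+}
+}
+''} "Clan Root CA" $out/ca.crt $out/ca.key \
+--kty EC --curve P-256 \
+--no-password --insecure
+'';
+};
+};
+security.pki.certificateFiles = [ config.clan.core.vars.generators."step-ca".files."ca.crt".path ];
+environment.systemPackages = [ pkgs.openssl ];
+security.acme.acceptTerms = true;
+};
+}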
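Review bot: The `expire` option is documented as "Defaults to no expiry", but when it is null the intermediate script passes no `--not-after` at all, and the root CA script in `perMachine.nixosModule` never passes one, so both certificates receive whatever validity step-cli applies by default. The PEM fixtures committed further down in this change appear to carry a one-day notBefore/notAfter window, which suggests a CA generated with the default settings stops validating after a day. I would reword the option to `description = "Validity of the intermediate certificate, passed to step as --not-after; when null, step-cli's default validity applies";` and give the root script an explicit `--not-after` as well. Separately, the TLD names are spliced into the JSON template by hand with `''"${tld}"''`; `"permittedDNSDomains": ${builtins.toJSON settings.TLDs}` would emit the array with proper escaping.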
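--- a/clanServices/certificates/flake-module.nix
+++ b/clanServices/certificates/flake-module.nix
@@ -0,0 +1,21 @@
+{
+self,
+lib,
+...
+}:
+let
+module = lib.modules.importApply ./default.nix {
+inherit (self) packages;
+};
+in
+{
+clan.modules.certificates = module;
+perSystem =
+{ ... }:
+{
+clan.nixosTests.certificates = {
+imports = [ ./tests/vm/default.nix ];
+clan.modules.certificates = module;
+};
+};
+}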
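Review bot: The `packages` argument handed to `importApply` is never consumed: `default.nix` in this commit opens with `{ ... }:` and reads nothing from it, so `inherit (self) packages;` is dead wiring. If it is kept for parity with other services, a comment such as `# default.nix does not use packages yet; passed for consistency with other clanServices` would stop a reader from hunting for the use site; otherwise pass an empty set, `lib.modules.importApply ./default.nix { }`.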
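--- a/clanServices/certificates/tests/vm/default.nix
+++ b/clanServices/certificates/tests/vm/default.nix
@@ -0,0 +1,78 @@
+{
+name = "certificates";
+
+clan = {
+directory = ./.;
+inventory = {
+
+machines.ca = { }; # 192.168.1.1
+machines.client = { }; # 192.168.1.2
+machines.server = { }; # 192.168.1.3
+
+instances."certificates" = {
+module.name = "certificates";
+module.input = "self";
+
+roles.ca.machines.ca.settings.TLDs = [ "foo" ];
+roles.default.machines.client = { };
+roles.default.machines.server = { };
+};
+};
+};
+
+nodes =
+let
+hostConfig = ''
+192.168.1.1 ca.foo
+192.168.1.3 test.foo
+'';
+in
+{
+
+client.networking.extraHosts = hostConfig;
+ca.networking.extraHosts = hostConfig;
+
+server = {
+
+networking.extraHosts = hostConfig;
+
+# TODO: Could this be set automatically?
+# I would like to get this information from the coredns module, but we
+# cannot model dependencies yet
+security.acme.certs."test.foo".server = "https://ca.foo/acme/acme/directory";
+
+# Host a simple service on 'server', with SSL provided via our CA. 'client'
+# should be able to curl it via https and accept the certificates
+# presented
+networking.firewall.allowedTCPPorts = [
+80
+443
+];
+
+services.nginx = {
+enable = true;
+virtualHosts."test.foo" = {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+return = "200 'test server response'";
+extraConfig = "add_header Content-Type text/plain;";
+};
+};
+};
+};
+};
+
+testScript = ''
+start_all()
+
+server.succeed("systemctl restart acme-test.foo.service")
+
+# It takes a while for the correct certs to appear (before that self-signed
+# are presented by nginx) so we wait for a bit.
+client.wait_until_succeeds("curl -v https://test.foo")
+
+# Show certificate information for debugging
+client.succeed("openssl s_client -connect test.foo:443 -servername test.foo </dev/null 2>/dev/null | openssl x509 -text -noout 1>&2")
+'';
+}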
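Review bot: The `testScript` proves only that `client` accepts the certificate presented by `test.foo`; nothing asserts which CA issued it, and the critical `permittedDNSDomains` constraint set in the intermediate template is never exercised. The final `openssl` step prints the certificate to stderr for debugging and silences `s_client` errors, so it fails only if `openssl x509` receives no certificate at all. An issuer assertion such as `client.succeed("openssl s_client -connect test.foo:443 -servername test.foo </dev/null 2>/dev/null | openssl x509 -noout -issuer | grep 'Clan Intermediate CA'")` would pin the chain. A second virtual host named outside `.foo`, whose ACME order is expected to be refused, would cover the name constraint.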
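--- a/clanServices/certificates/tests/vm/sops/machines/ca/key.json
+++ b/clanServices/certificates/tests/vm/sops/machines/ca/key.json
@@ -0,0 +1,6 @@
+[
+{
+"publickey": "age19azjd5xvnrwdt2sckupmpk40ayvevsxktcyt43x2fzg5qyzhe9rsu6a6es",
+"type": "age"
+}
+]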
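--- a/clanServices/certificates/tests/vm/sops/machines/client/key.json
+++ b/clanServices/certificates/tests/vm/sops/machines/client/key.json
@@ -0,0 +1,6 @@
+[
+{
+"publickey": "age1wfg6c67kje626c8ud02q6lmtgkuqujc098624mr8a66zwvhmyflsl5h8e8",
+"type": "age"
+}
+]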
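--- a/clanServices/certificates/tests/vm/sops/machines/peer1/key.json
+++ b/clanServices/certificates/tests/vm/sops/machines/peer1/key.json
@@ -0,0 +1,6 @@
+[
+{
+"publickey": "age172ggu2vq92c8c7l5ytcr96whp0qwe0vuyxuenxwvr6rc2xfdcsqsffg76w",
+"type": "age"
+}
+]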
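--- a/clanServices/certificates/tests/vm/sops/machines/peer2/key.json
+++ b/clanServices/certificates/tests/vm/sops/machines/peer2/key.json
@@ -0,0 +1,6 @@
+[
+{
+"publickey": "age1zuddk94yycply5ht2ys6auh6wwzzh383utu38haz24h2625gcedsdtp3kx",
+"type": "age"
+}
+]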
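--- a/clanServices/certificates/tests/vm/sops/machines/server/key.json
+++ b/clanServices/certificates/tests/vm/sops/machines/server/key.json
@@ -0,0 +1,6 @@
+[
+{
+"publickey": "age1nslvhydmnyhcv943zx8srkuy69mqa84rn6cmz5gcag0egrfhua0q0jrt9n",
+"type": "age"
+}
+]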
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:iKvDyOKpGC+Hy/1ogTrsDw3nBRqOVkDMtsmLVqxDcJA+4FmQBV2TyPsMxzSimdOPEu4QWFH08c74bpahdtMSV4iSI9OKmKhzrSc=,iv:fbsVhDrq23j2yWo3nv2VZ39plcIO2FT/sPMeMnkgENc=,tag:05W4fmFbfrWqk2xRtgofwg==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpVERvYjF6YncxR09vUTFk\nVGFESzJuOFZwMVlzTTVGb1BhcCs0eVozYXlJCm1mSHpKZVNSb1VZaTV5WHRYQk5I\nOHJTRjVJNGtYSTFxbXdOQTUzOE4vYmcKLS0tIFA1aW80Y2t4ZVpPeHhqMHVTN0JS\nR2Z6ampEeW5lOE02K3AxeHFMbS9vUGMKELziMSLQRkssIa8yhHeODy5EIIYuWZhp\nc1eYZgH2BMXnAqCJgIPoc/UwGpDzyGrPozLNv4DzbgfrCCHa96Zh8Q==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-08-18T14:14:41Z",
|
||||
"mac": "ENC[AES256_GCM,data:knjrycqzRsNQiebp2MYK1F0ZMzlI9OkdUSThSXwIczDdbwzZcUNQt8SOoNbbBQUG7TwBqBV/ETMQIgEp9zkK5D+5BTDXHHZAnBQBocp017b9IAtGDS6wB3Rk1ggoKqrPuD1wmKbpZY4LkfAZcRv77QN3jxaBKKoe1w4A04XPfso=,iv:7oxoiKBLTJHcN8pkuy0o0TVoDVjpQ3aYjrLS5+nqZao=,tag:yrCTiwE2KQreWKJP/H1NAA==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
../../../users/admin
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:sC9jKXivdmFm+VfZHXpf5pACs8Ru61l30WCET2TES+X37lTLdt4lS8faNXbEJPdeOUifFgnar3U5iKzYOxYXeqUgz1pko/GwLRc=,iv:MLwnfKW+00/JbdbgxVP17RGnGGVDqW75Z0omATkvhbA=,tag:bXQ4+anugrMeU6AJ6iep2A==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY2VnQWxHT0xNbk1RZ3ND\nY2cvRDZpMUcxNFhPTHF0bHJzZ0V5bE42dEhBCkQzZ2pTOWsvb3RzVlE1clBKOERz\nbmhrMUVwUnVKYzNGdDBObmtCdUtlTnMKLS0tIEhKRVVRQzFla1RVYlZEei9JUmtG\nWUx6ampweHFHOTJhR1lBRWJQNFJ6QzAKK/566CNiId1ooieE4xU+RgmzMFMgEXiw\nryaEah6F/zCXt+7bVsL7kzVgCQqcqsaTxKBaqNCzsUlar/Y5PdEj1g==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-08-18T14:14:52Z",
|
||||
"mac": "ENC[AES256_GCM,data:SGKxZ0r+kSzbr5w6nPPOSJEFJrJi0SX/I2DVfzNz+NMcEpGiU8bMQvfwG24kVJKVBQ3iDDK4wT1Gd4uqpe7+/3M1xxk46HNTOJYRoe9CqOZY+agezX8nzOYIZUzW9ZwxCPdkkUizdOgH6/2H5sOYNCiWa3U/pBkiWqzm7mzzCo0=,iv:v/4hr5XouLt7/WoLGYhq3nOHIHEEsbHEDNBISjvXj+E=,tag:MSQzgLQBR+KhEhaV1RyK4w==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
../../../users/admin
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:PwysjnctzMBS1XJbnAJLj/qynLeHA3ujOeyG1Jmnr2HYwEWe5VwYUDzezYcMvRl6F141ZnXePx2WYYjxn8+gk1n4eNT8tynniNs=,iv:aoEaSRfoQobAuYNmHV+hg/J3NiADG2X+b4ftzFFtsvc=,tag:YpXTxbEZkRfTca6gGpaLAg==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdTlLeHZBRjBxRTZuR2Zq\nU3VnLzdwdTBNYVpNbEJMZVNCU3R6dm8rOWpFCmE2dkFZeVJCNVlUbE5rMmY0NFVu\ndWxQWnlQdXoxQklxVUNlUTJqd2dVQzgKLS0tIFo3UmxFaUhnSytrNHdxVkN5Sk85\neE9LNnJnYnhnZTNBVkdtS1pqbmdVWW8KqOKI0H6heeSWZojjw3O4fBlQtlJ3MLQy\nNmVdyDtCAP50n+pYCkfPLn4HlLwUMztGql0kHYCi3g9Zq3yB79KiCw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-08-18T12:55:53Z",
|
||||
"mac": "ENC[AES256_GCM,data:j7dQyhCZxFxm7j7TzqwdpuAVtJCiCIFzjnalSHGyhkxWsVf4ROdqbjV9GIcrl8wndC8+pZrKzzbSyS30RH2V+D/Gn7kyYvpUN9Krt44qjMeltzjJ+bkLDNMrCYwdBYvtCtd0WHJQrgYiRtbi48SsMORF/a0n/y2cfVcUZMW+w2g=,iv:HhDzCg2jNz3m2Gqrs+L7Mzh6PfE5vNTANtbscokceoo=,tag:xu1xYRi5E/hlNkItX96KvQ==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
../../../users/admin
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:a8B30QbQezYTVKtkwS30L4V1K73eieyZpDFguJhYN1xmwbHRCU5axtwUz2VwPcKIeeKeeYAruu66APu/AqwEPdmavS9G+R/x340=,iv:kMO/pbKigxH5GagsGPcHnpQ2LnjHf6kuGq5/BxxEKIw=,tag:9eH0hQFMG1jMIbV4BFxS/A==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRHVJd1lRSy9Jc2RReVFY\nV0ExUEtXZDYxTnpJVXNCWjJoUzNNVjIwU0NFClpSTjcrT2lNT1FIam1WUnN4c1BE\nOWYzUHllejZRT0M2UFZRVm0rSU4wMWcKLS0tIDM3RHh3NXdaeUlUTU5HQ0pCSzIy\ndFdMVHhqR3BoM3o5OGJYMFMrcU9vbjQKwQuUmWGquxWPFx1jUCq5aQ+2wqirAmws\ntbfYjNOvPiClLfQzeMUP8n7KIHmYLOFmvPCDxBW4fx9A8qeFvuZSmg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-08-18T12:56:03Z",
|
||||
"mac": "ENC[AES256_GCM,data:5MnK9pAgaMqIDXJhbovxZnOw2nPfE2Sk3No6AYctetkejg60LZkayWxwFX9k8c1N2iV76KJ/iGow3SfMHdyw5PlKrKLjoICGqm+3EA/2z3En3bdGe/F0LbEWKDIbEjZdEZNz4ZXOiu/UGt+rTZJf5cJupkMENlhb8EgOyAb1Uas=,iv:dBXVvwDrJpaepQl014ev3sgDJ4GIOjVms5p01sT0fVw=,tag:csyjJ6ELeED8A7fnYLMpBQ==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
../../../users/admin
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:W87VsHPlI0a3VUqC3xi9cujRNzXhmzPVyvgOLtO+n4BT6UWfstmV2MaopzyaTlPD5QqK6LYZ/xr140mO8YHUJ2apaeH+cqL45PQ=,iv:+FvAN1q8UWqM1y8c3UEbArsxWFxwzknyjIheuz18Uek=,tag:lIKLlt5XhG4LslnypR15pQ==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaanFZZjZnKzNNNEtqcVFV\ndnBHQ29MYlBsNklPelg2dEcwenhpOGY2ZjFNCmZySW5xb3JaWDZoL1RzeXpXYmhz\naGVMSExTMDdTbERnVk5NVUc1QVFpOW8KLS0tIFNhc01URkI5WEtxZXE1MS9ZMW5U\nNGJqVGcrLzBhbjZBUy9aM3dFNmFJQWsKGNc+34/R8uxF2o4m7SuD1MfHEB37tS4J\n5De6KnOfzSDQ/RwN0j2Qgc6RrryEb0cQfX4LXnJZFy1FnggaROmQ5Q==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-08-21T11:09:59Z",
|
||||
"mac": "ENC[AES256_GCM,data:E0I0OUAIc/8SikzLlqZ8b3hcPHcrlaTLZKU3HdAIqTxl589K7cVxvWB4abMVuo6Xh11Hj0+2U7uH6GYBac5SncryppWbD7AIp7nZCg6oehSyYQ8liW5n1+XW/HvECwH7HxOj1n0g62Ck5/+XKjap7X7gGiZ0w31Hwrcra9TaD7k=,iv:QQJ8U1MjtAUUrfTKuC/l7yHtgkLEInzwv/1rdtxRlAE=,tag:bOoWeGgLeevry+jPQfsLeQ==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
../../../users/admin
|
||||
@@ -0,0 +1,4 @@
|
||||
{
|
||||
"publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"type": "age"
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
25.11
|
||||
@@ -0,0 +1,12 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBsjCCAVigAwIBAgIRANhjXurO8ndwTyO+oKZyFzMwCgYIKoZIzj0EAwIwFzEV
|
||||
MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MDgyNjE0MDgwNFoXDTI1MDgyNzE0
|
||||
MDgwNFowHzEdMBsGA1UEAxMUQ2xhbiBJbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjO
|
||||
PQIBBggqhkjOPQMBBwNCAAQHcxwLRX7EdzQMq1vBoi0e1ZQ2n5SjEyWpUqLWvfwo
|
||||
i1ffr7RT7CsjBvtn+YH1cdW+9mYl67O+t1+A53PhuHOGo30wezAOBgNVHQ8BAf8E
|
||||
BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUhuILtVrhaLygOgL2
|
||||
puK8KYWgFPIwHwYDVR0jBBgwFoAU+egcx/ayqGmZ8oiw65x8SNHOGqQwFQYDVR0e
|
||||
AQH/BAswCaAHMAWCA2ZvbzAKBggqhkjOPQQDAgNIADBFAiEAq2b75CM5mB26FyOJ
|
||||
76utOu70Cq3QjlrdFBdVthmloiACIHvIf4sJ1CpF3gNKVYILX5e+JlPfMmJviezp
|
||||
Eeqofjql
|
||||
-----END CERTIFICATE-----
|
||||
@@ -0,0 +1 @@
|
||||
../../../../../../sops/machines/ca
|
||||
@@ -0,0 +1,19 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:Ikcyds0f4Wpi6C6BLF/YmTVJDcUpH8UB+mdQMTl2/Tm14TDN0IudURj2HKhzkuvQ5M5VqIaIe+IIjJkCV+nIu/jr77HdS6TXmGkuSr0ssgpFu+Ak9jKFbnWkm0Ct6tekBdys5zXb4z1o7WFCwtHxa1gZlnTPRLekeTPIImSJhdESz5myEm7/253eJLs9G9Z8RPld/RnHgDYFUPbY802fm6nnaviBcnpIyTtAGaxB+8nt709i3Tg3nkcgLeYl7a92TAY0aaKMKirH9gHo1aFPRl7Ywh5dTU/HVBnisOdSwDqAoeE=,iv:56xxcM0peRgJvvwcYsu+38SA0D6IzAxh5Nt4ZOBP3js=,tag:r9jZGnYTWyVwt/pwidyC8A==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age19azjd5xvnrwdt2sckupmpk40ayvevsxktcyt43x2fzg5qyzhe9rsu6a6es",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOWZlSlV1dWs3Ry9aemlE\ndTZMOVU3V09QdEIwajJNY1laQUFTeUdIK1E4Cml0WTRsSTdxbjR4SHVBVkxQSE00\nQnF5VmhwZEQ5c2NwbUJwZTI4V2lpczgKLS0tIFZUL3ZaNTlBOTRSN2tYZUJad0Ro\nSm1XK3lZQXpMZmwra3AxQXlmM08wVXMKsXJI1fZFoqhCuXoRpbvBMOftIa6J8pXz\nV5fbFSgykKBODJaN9FghxRzQEVeu6wVmTr7sWh28mkUmIbVzXA0f5A==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3aituOUdFN1VBSG5pTzVE\nUyswdDBtQlgvaHVVK3loaGNPckVsbkJxMWs4ClJ2TW8vNytkcnR3TkllWExpUHlI\nSVF0cXlXUll2TUszMTA5Y1A1KzJKbE0KLS0tIGVhN09YWUNIRGF3a01UVXN1alBD\nTnE5U1NRbGhsRnlWWFJaUjdvODZMZkUKMS7IOPp54M6j7l/ueG1EjNM8hUd2dnbp\nqlKjqqa9oMXIVabGFEYQ7NRoWQ3+3On9PmZtAJ7oiL4lqRJDHS+crg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-08-26T14:02:32Z",
|
||||
"mac": "ENC[AES256_GCM,data:zMdyBvy1nyeKXDcR8+BkIYj0Gbz8omUNHZRqiOAW3M1Lrq/N15g7OY9XF9wD1GN/jhcvF6YX+1Lz5J2NY0SYlVTPj5JAGhKRmHSwOey1fcuc9RU83mt6zaPMFTWevpz2BUrTTb0pzs6kSeH3xgYU+kCgmxfoy2bq5LcPWxqyarg=,iv:lDE9UUwy8CAhSXX+l7hWL3besOXbOpyM02fe2hnsHZM=,tag:80Cv63PI+AKI6OPEOxTwlg==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
../../../../../../sops/users/admin
|
||||
@@ -0,0 +1 @@
|
||||
25.11
|
||||
@@ -0,0 +1,10 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBcTCCARegAwIBAgIQMH18dheoru4OCktLPdYUmDAKBggqhkjOPQQDAjAXMRUw
|
||||
EwYDVQQDEwxDbGFuIFJvb3QgQ0EwHhcNMjUwODE4MTQxNDUxWhcNMjUwODE5MTQx
|
||||
NDUxWjAXMRUwEwYDVQQDEwxDbGFuIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjO
|
||||
PQMBBwNCAATRJojRdb/XI8IV1HGg+Bi6JwCmodYp0Vgqail6qaZOOzeKiJSIgsKr
|
||||
3PqN6V08ZVLVqA9UCE4+ygdT0E6bpCsjo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYD
|
||||
VR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUzAtD4krw/UgCl4GuHTVVd6gWqRgw
|
||||
CgYIKoZIzj0EAwIDSAAwRQIhALtzU+KgcthW0QT4RF6wg2MLjNnHL9RoVkGKHFeQ
|
||||
heFgAiBsuvy0XnUojhLDN3prOB+dHkNK8O26jjmcEfa73/19VA==
|
||||
-----END CERTIFICATE-----
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:Tq6Ufw0Q/lQfUTaGQLRwVI3IprumLYZ2fm96WxmuRGhB5DJnAM8n6VmKTf8Pa7agClk7HcgJZV0EhHYFkb/BHLl38p2vjYA54KMtmdLkVfHHujxsL4ApJ47m4bXh9iMaYO47e7vqxjvpaQD3OC81kyh7qa4NuV/RMUo3ePv1S3EA6IPBYtAz1b+X4KFpvOqZd0sQ/spmcsgXF5s0bbYJ9LILXJOauw95z28dQcJ7nQeBQ8xJ3v4rwesJ2uDCEZ0f4nkEvM0Q8zuuo2tWh71vIQ/G4mFNAFbiz6XC8lOLAqfVqtM=,iv:wSsq9empaj9lZxVwniX7gHYEkBc+X8cDGwBLOPAu1y8=,tag:uYVbsF+BpbzIGKeY0k5uTg==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQkppL0g3RmxxTnV1L0Vr\nUjhVc1VuMjNqUFNicGk1RGp1UENlemFDSGc4CnVvNXM3KzFES21ocE02LzR0MmJJ\nODlWSmxEa2J3TWNmV000bzFVU25jOU0KLS0tIFZmS2JHRmtvU1RldmRFekZxQUlo\nblBzNzNYa1oycWtkMHkxcFc0Qk5ZL0EKfEE4xTMygk0nMf3gv/Hju0PJ3rAqoMHl\n9oA7LOydypaeniWQFFqdSY+/2A+VMIVJhF90IKVbpGHkXn9aNWVCCg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-08-18T14:14:52Z",
|
||||
"mac": "ENC[AES256_GCM,data:Bujh9M46eQes33DmvrKREoYDVPDy7s1SmBhaa9RHUMbftHyDYuorw4Pb5OVKKO1EqeoWWrTEeSw7pm8oQkCjdEehMLQ83izVfh0MVoaPdm+0FR/GVB9Xi0LOAAEfELlpH75h1zX8OoFquA1ny693/NNs+bD+0NuhuT4WM0a9hYU=,iv:kgS6+nQrmQyB62Cmcas5T/JZhb0r45S9ksWthO7kOO4=,tag:H09UiFFri6DJOMIpeZARLA==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
../../../../../../sops/users/admin
|
||||
@@ -0,0 +1,10 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBcTCCARegAwIBAgIQVY2mELDu4eW6GuKsMC77tjAKBggqhkjOPQQDAjAXMRUw
|
||||
EwYDVQQDEwxDbGFuIFJvb3QgQ0EwHhcNMjUwODE4MTI1NTUwWhcNMjUwODE5MTI1
|
||||
NTUwWjAXMRUwEwYDVQQDEwxDbGFuIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjO
|
||||
PQMBBwNCAAREnN+oYXxsE64OrCQ1JOV5O8p/Qp02t8oFkEMFXy/9O9jDQKLuzpwB
|
||||
HKcVEg7oxxJLYBj8qLV7NubYrueGZ2S2o0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYD
|
||||
VR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUo4rj5z6Ng0YJlX+31A5x42aPLQsw
|
||||
CgYIKoZIzj0EAwIDSAAwRQIhAIOlVnsb9WRCFmOq6Wl9yJLDFXr3Lv6zBsyl1OH6
|
||||
LjgNAiBn06NVf35AB8sijUlDgYLGX7wB5xULm6p4Vzy7iW1RgA==
|
||||
-----END CERTIFICATE-----
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:zlLEZEN8CUsBoQODyB2keop3ZBRb5+eQc49oSyuewQbB18C55b2kQg5sjXXhu/5IK1dKt63mRlY0itVCgyDKjfStiMyoJ33EGOr19nSp8hZjpE6krTyKvzmo49rch8Y9Rq5/OkoFE6HEHHvMB2BJAtluWQrDYhnW39phhZm3Qm00x+FG8buP/2dYudOxi2Lq2axTYnljxHya5OKJcH7IQs42YAgTEs8NYYKcPZBRhQMvars4El6EQZ1A1sag4xcUnkoHi6m7zDqKxG7+87t8mwdWriqKGh6TlBqhQ/wfA5rDYjo=,iv:QbhJ4rja9yVKUQZcSbzXYI9EQmcf4BsM4nOKSW4eOlM=,tag:5+Q1zvZCrIYbR4yG/xeiyQ==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucU5GZkRUU2hLY2t2S3lY\nZkcrK1Nmd0VCdHo5NXF5M01FN1doRFpyOGpvCkhDM1RDY0oyTWZQY1cvZjFVWHUw\nc3JwSXhlWkZxL1h1NnVwTTdUdUQ3MWMKLS0tIEw2dnBtaE02WEtPSWVEaDhKVkUx\nbHZzejd0ZjNDSFVKRTRQSVpWVVVjc1UKXCV4lvPwfAFlwC4qYsRrsmWDpSsTHbK2\nPEstxYph8TlKiuwvvWP0aM5erGKItJU0tGSU+gl/AjklvVc1n9RA5A==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-08-18T12:55:53Z",
|
||||
"mac": "ENC[AES256_GCM,data:o6pX9WPTXDQDRfK2HuiOTzxvJzbeuIi4qR2xXWVBBviqq7IIsWI00QaJodlZaEHMikgkpMTH6IiiOfXuLEZoJT+lLOeTmfC/dozqHiRIVQPJXyPO7LIpfYSALTiJtuu+MLzjLSwEmKQ6Lus7zTygdHXjjcg1NkTjwotvixms83Q=,iv:A3S5hhEnPp98k9E/ZxqzJRI7BFediPYwPy0Crg8++Xo=,tag:FKU+xMw/6Hv5UtEK+ubfRQ==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
../../../../../../sops/users/admin
|
||||
@@ -0,0 +1,12 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBuzCCAWGgAwIBAgIRAM5RGHll1s7935SFPOY4VaQwCgYIKoZIzj0EAwIwFzEV
|
||||
MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MDgxODEyNTU1NloXDTI1MDgxOTEy
|
||||
NTU1NlowHzEdMBsGA1UEAxMUQ2xhbiBJbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjO
|
||||
PQIBBggqhkjOPQMBBwNCAASqEX8K41uSBLNOKGTXgnqzaHVszCkGteXucbZ3nB7d
|
||||
lLSv16LwkfwP6/OGT28aA5bdUP7rLkOqiNLYJds6wc+Io4GFMIGCMA4GA1UdDwEB
|
||||
/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSUYY0vEuByyVbc
|
||||
sDElofzWjhUW+DAfBgNVHSMEGDAWgBSjiuPnPo2DRgmVf7fUDnHjZo8tCzAcBgNV
|
||||
HR4BAf8EEjAQoA4wBYIDZm9vMAWCA2JhcjAKBggqhkjOPQQDAgNIADBFAiAbecV2
|
||||
6HtUM7ohufLkWZ5EyeTX44ofcwmSY+eVzY0jQAIhAN0dRDWFmmCMUydwhjWc9lqM
|
||||
OlBsJUfyLEF/0p9Thij1
|
||||
-----END CERTIFICATE-----
|
||||
@@ -0,0 +1 @@
|
||||
../../../../../../sops/machines/peer1
|
||||
@@ -0,0 +1,19 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:8MCdfLve9QyxQexDmlwm2FT05CEYFfofpZBtOtvH9kXYmo1Et2qj2L/kAS9yXtY+GX1k6wwu26fPLdhOvbKj2KL7bfj1zHTOcdFD2pr7aOFokPyHEfVNzbwsX7qafVf4GXgutJ3msCCoMsRdgJH+B1zpDFL/diRbz+EfYaSFGEv/N10o74yMaivr1ms+kLiwvW4R0sY6Np98jKD8KTOI1FugVJ9u/eiM02l5A/waJ3XBL/7CG9we6VOnu/NGtHrZnErmYQTPqLwheKPLDYjoMY1M+xjn2m/Qvn8sRPRODtxH0TE=,iv:U8+DPuKQorIh3IWWd2YZoxRLTOMx+qMqcGMJAfjma8M=,tag:Sy9N2r1YdPuvB+Co3k7R8Q==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age172ggu2vq92c8c7l5ytcr96whp0qwe0vuyxuenxwvr6rc2xfdcsqsffg76w",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSmNjaHZ5VmF6SW11R0pl\ndkpKNjZ3YlpLN05TNkt4dnVtU2xld3Y1TFVvClVPMTVSclZJTFE0azVFVzRMbEJo\nT2lUTGxSZ1JtNjczTmwybUN5QWY3Z1UKLS0tIEF3VkZNaHBldGZrOXVTSE8rZnRi\nTVZxY0tRc3VadFpreU9ud1FGdE55UVUKhEZhNJjSP7HMqWVEKj93LuHUe9ci/0AS\nKiIWz3x1FbV5GjTDcV8+7LGBTJlUJNivXpDi6I63KrPs5Z0MQf+WKQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQjExdFhwSHNvaWRhMk91\nOWpuQ3cvNkN0VlM4WEQzQitrd0xQdkxiWEdZCjBGa25iWFROQzdUelBwZmpHaXdB\nTmNOV1EvQTM5bVNhYXNuNGpibEtacm8KLS0tIDVTalpKTEpYTFJWM2lCeGlzaWZB\nQiszbjVDVitFVDRmU2xBSUxqNmVYVFEKraf5csqKURqc84ZtBrMOo6iWoVMCh+P7\nEAaSCOjYILcF85jMKB7nBzKOMsbNjqKzb0piSfSw8YuzDGPyq9Cseg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-08-18T12:55:54Z",
|
||||
"mac": "ENC[AES256_GCM,data:AMp0ICuDl8UVzo2R2K7OLIj1vONM7JCF3l3J//ach7FYeUGBRLd+4jtnImshUqcbisspkTH76UyJ2PbS1yZ8pmfI6peKY5F2YicZZT1Jro+RUS7xRBNme6yNxphysah4qrQpllwArbq196tL2AB7bVptuW3XRTZI1lBFQQfyYvI=,iv:FDkDOC5dA6fMjpbkP21Fr5ORL3CkFN1RP9Bwm8OR5f0=,tag:jfFbumpj5C+9+HBS+PCAkQ==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
../../../../../../sops/users/admin
|
||||
@@ -0,0 +1,10 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBcjCCARigAwIBAgIRAM3Ky//FRGgr4QAt6CcjzrAwCgYIKoZIzj0EAwIwFzEV
|
||||
MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MDgxODEyNTYwMloXDTI1MDgxOTEy
|
||||
NTYwMlowFzEVMBMGA1UEAxMMQ2xhbiBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZI
|
||||
zj0DAQcDQgAEV6UDjf7eOJii/ex15P0obxSSJVH5kAV1VIR5R3M9T0lHRbNrxzD7
|
||||
DztM631LylH2LEEHBx1PvVX6j7MvyQ82+6NFMEMwDgYDVR0PAQH/BAQDAgEGMBIG
|
||||
A1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFIplQmuE2ucTxJK8qCNbxyHAPxRf
|
||||
MAoGCCqGSM49BAMCA0gAMEUCIQDKxp2MTpENOmcxHEGOfVVc88TQ905xLUouG4R2
|
||||
T2IARgIgetDda0YoaBlL8VQyZPJitLJftiIg1wU9MYi1ZXAw4cE=
|
||||
-----END CERTIFICATE-----
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:zSYOLttNMgmglHSrZkU7KRQh0Ba1bmEynVYsrKlJlMi7uXI2RiAqWyNvUqlbxQbKexClhklLHKizgDbZGglKdDsGYyUUb5Hh4Ev1H1ciLdOgab5/znpE+dCDXwbir9V+SvXJI0LoaLj7kzqpWwTyNJdx53WUlp6BOvdxzyg/JOaMUQqXr2F6q3dDeWTFz2vEEImIjMUdgbn3y/JYfzzr2H1B0nwjicaFQnVL7bWcvsGydCekfZYZ/XKzxXCMIdariy+A/vfKPcsiBX5Y/yC75VDk5o1cZsnVk5Ijd2opyU+y+qM=,iv:XKwj51285y/ipGUackCqnDl/r0+y/cLFUX0/KDc3SZI=,tag:dD2Tv+lVpok25ViHHokH+A==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTXo3RG5NcmlOUEVVakR3\nZHBMVUlNTXQybXVtbVpITVREdlF3RWI4Wlc0CmUxL2dRalRSKzFLaVlObjZTcjBt\nMWZLR3gveGJ2dGlJZm4vTmFMZ0lsVE0KLS0tIEpDTEYwbUpXMitEK2tFTGh2RGpr\nazRMMEFHaUU1U2puaXFjbVZFR3BKVzAK2HJ2atFUm2WjCTADmNrgM6q0SdA0CSgd\nXrwsjIBliYJRA4//a72OS7h+ihuT9WaVef8HsBrmcGYCHA+xkOURxA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-08-18T12:56:03Z",
|
||||
"mac": "ENC[AES256_GCM,data:0f2qel/KEj+slkwDB/X2UmC2X/gC2peZiQ4ocUbTc8o73djwQWnoRQX92eVLWm85QVLXUYfZIWxt8FzadrZkVSkod3UOM+s1Nz7CE67pbaXTpLhprsKn8gB7yorjpfvh/wyS13FaTFcg1ADuifYyvawNtdYL8O8INKVobP92eTU=,iv:5SRUUaJCFQTnKROdaYjvwWgdF4BIsN6PrC1mcf77YdA=,tag:VB9Q3GaCI2OJNuC0NMoQwA==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
../../../../../../sops/users/admin
|
||||
@@ -0,0 +1 @@
|
||||
25.11
|
||||
@@ -0,0 +1,10 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBcTCCARigAwIBAgIRAK453T0q6Pc6aOBt5ns6gVgwCgYIKoZIzj0EAwIwFzEV
|
||||
MBMGA1UEAxMMQ2xhbiBSb290IENBMB4XDTI1MDgyMTExMDk1NVoXDTI1MDgyMjEx
|
||||
MDk1NVowFzEVMBMGA1UEAxMMQ2xhbiBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZI
|
||||
zj0DAQcDQgAEtLtVFzN7mJcY2DdlpTT0j2q5GAuA++MvKhzmUsfnKZ1OzfwOjHfL
|
||||
8Ru/s+a2nzWErlJZ+Z4p7ZrW0xZz6pzKd6NFMEMwDgYDVR0PAQH/BAQDAgEGMBIG
|
||||
A1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFLPmgLi7xaOyEDfMcZEEhh6+JdYL
|
||||
MAoGCCqGSM49BAMCA0cAMEQCIDO0M6GRET8/4Lwc5yINbIlW7aycCV8H+edU8iAz
|
||||
HnM7AiBbirjn0iVo6usJUGJt5ohTfSVTnBi0PPb2Pjyh6OjS3Q==
|
||||
-----END CERTIFICATE-----
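Review bot: The validity window encoded in this root certificate is only one day: the base64 decodes to notBefore 2025-08-21 11:09:55Z and notAfter 2025-08-22 11:09:55Z for subject "Clan Root CA". The certificate in the later `@@ -0,0 +1,10 @@` section has the same 24-hour window (2025-08-26 14:08:02Z to 2025-08-27 14:08:02Z). A committed trust anchor that lapses the day after it was generated fails chain validation against the real clock, so if these are test fixtures the check presumably has to regenerate them or pin the time; the file paths are not visible here, so that is an assumption. The intended root lifetime should be stated where the certificate is generated, or the fixture root issued with a longer not-after.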
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:ydnH/j+bqa4PaRPcf8GPSry+xViZ/qCxnzHMGQFXdDt7PWE/fYyekPZ1e5294afC0XNzvMKUQpNDAEgPdZlvGQG9PGeKIhG8u82J8EwSB/aKDFWpPXYNEJAUReuJV1baP+vJLWooLYySylHC+j/cR3LfqvVU/O7zmpIY8yihe0oLOPTWf2jEJrTwNMYiF3oAKOVpZsQ7JIW2UXJhJ6AYmbUp2/CdlHzwI1ydc55OXQknQnbTAeoXBI6KUKAUHzC4CqxPecGuL2e/QgZFiuIvkIPoF1T/DZZLG2KIaEMBMSgPfVw=,iv:vZEXlQHwtNMu1GKuQFZyZ1iLZPhz1QCwZWTjVaAC5i4=,tag:dTXEdaj4/EWIq7gfcNu2iw==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMDdkK3dQTUl1L29Ca2Yr\nYndPT0FJcjY1YmJ5a2Z5aS90RmFsUTIwNW13CnB4MCtSNkJaMlhpQlk3dWVqR3VH\nakFaRi82dDdUMktSZml6N01WYlBOR1kKLS0tIGR5eVhQc2Vkekc5UEd5SVZqZkcv\nYndLSVpGT2VKeEVKYmsvTXE3ODV6d3MKgcZe/uYatholk+0nmPb0Q7YGX7aMZjxx\nqmUB8F3G72i1eZHAR7fXffXpQuCPSD110OE46NtG6aNa6M2Fe6JKpA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-08-21T11:09:59Z",
|
||||
"mac": "ENC[AES256_GCM,data:bc2HGcsDoCbekdQXEjPeaK0gZd/4I6LwYNzY4Houg4QeI0lVKdUYcPazQSHrWAdSqZflYjyqc0BdFl6LWfkGra7RCLsnqehehF+KsmKAfJmrU0oa70JVRrP97hPugB+Hu1wV+lAByM4CviC91AO4RwdQzEagXy6a/1sBadvTu0g=,iv:UPD9fCpOZlwPjtKBImv5DTbiinDjroM+LS3FzN5VTJ8=,tag:7hIvYK6LaBkjY+Kw18az5g==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
../../../../../../sops/users/admin
|
||||
@@ -0,0 +1,10 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBcTCCARegAwIBAgIQSdkvT2W8pqB3FRl8QxcP3zAKBggqhkjOPQQDAjAXMRUw
|
||||
EwYDVQQDEwxDbGFuIFJvb3QgQ0EwHhcNMjUwODI2MTQwODAyWhcNMjUwODI3MTQw
|
||||
ODAyWjAXMRUwEwYDVQQDEwxDbGFuIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjO
|
||||
PQMBBwNCAATZI+8Q8kkMQTvdJsCMQqWdYscvxcMbRjZCnWCh72uyYgzejsZETkYJ
|
||||
Ns+oADB3ogLb5mY9o7dmaoLzsRUH+FSxo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYD
|
||||
VR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU+egcx/ayqGmZ8oiw65x8SNHOGqQw
|
||||
CgYIKoZIzj0EAwIDSAAwRQIgcBF5zlTtMO0Pr9b7ZN9yEYKEdigj6T11g/vXPwsV
|
||||
+coCIQD2zarT6BYA2HhD0TZGBPELXQPpwnGMjwY/xMWIzNdr5g==
|
||||
-----END CERTIFICATE-----
|
||||
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:vVcVCRV8wTbPGCsR2t8iD0uOoBk7uefKmpvIqmeHSIfVyCubElWovRJdjpJyy0P3ZJrU1smvaV01XWpBoOhb+YW+cLVMQ0l6zZUs6KbzCnJ7fvZUtbyvkVPCJRt5PSftCskWGJRzCtwYbDh4hRkIPHfW2rwsB6hVutLFZMTDp8tEK8hE9sic2/1CqNztJZpyik3gUgZdxOZ9LiBVPsdos1tEcmUMSi9E7y0zc7pLXIn5uIiMZIz0XTCAu2tLDpCWqi+vQIr8oVz4EmscvFmsVMcs/Xk8ctm3ZCjt8BoPjZ34vnA=,iv:ye6Vmk7YB3YPOJIiysgqaCM/4aWyME3pqEkMfYJmwkA=,tag:HkgL//NSSASpyJzqEzxLeg==,type:str]",
|
||||
"sops": {
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbVgvS3ZzT21QOTRrZjNT\nMlR5U01BRzRRVG1HOUZVbzZDUmhpRk1lbGxFCnlSVU1kY2NIV0wrT01CcXhKVDVW\nK0h5TDRDN0RMUGhKTWp5OVdubStSY1EKLS0tIG1NSXozbDUzZTFKclZvR2xqaWlk\nSisxQ1kyY3JWdzRmMy9hak5scjd3L3cKgDD4cAWv+e7DTPKyUiWSgM9K+gshYHCu\nuA8g7y3mHhFXsPPg0AJJpRl8afltc2Z9TX/OpZvRSHbZWAAuFj0T7A==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-08-26T14:08:02Z",
|
||||
"mac": "ENC[AES256_GCM,data:mbLKJbQ4kwwic5ghVEGSl7BykyEE4c+JPujnNQSJw7JoBHx42XBHVuC3o6vXsb11LizFYiRPUaDkKX67FCQAVWMy3c10aFqLvxsp1Y/NAurZAPAdh7Zo5UoI8CCCR+hzs3KtQ/YwjJJg7vj7mZrfDtR9Qkhk2H8hY3engRf698Q=,iv:WD1l+ubMXAdPWWNFNkEwoGReuYbUwrf6DJmbnkGWcck=,tag:P0OrmfgJ6aOSrNIaW7YR1Q==,type:str]",
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.10.2"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
../../../../../sops/users/admin
|
||||
@@ -94,6 +94,7 @@ nav:
|
||||
- reference/clanServices/index.md
|
||||
- reference/clanServices/admin.md
|
||||
- reference/clanServices/borgbackup.md
|
||||
- reference/clanServices/certificates.md
|
||||
- reference/clanServices/coredns.md
|
||||
- reference/clanServices/data-mesher.md
|
||||
- reference/clanServices/dyndns.md
|
||||
|
||||
@@ -268,8 +268,14 @@ class Machine:
|
||||
)
|
||||
|
||||
def nsenter_command(self, command: str) -> list[str]:
|
||||
nsenter = shutil.which("nsenter")
|
||||
|
||||
if not nsenter:
|
||||
msg = "nsenter command not found"
|
||||
raise RuntimeError(msg)
|
||||
|
||||
return [
|
||||
"nsenter",
|
||||
nsenter,
|
||||
"--target",
|
||||
str(self.container_pid),
|
||||
"--mount",
|
||||
@@ -326,6 +332,7 @@ class Machine:
|
||||
|
||||
return subprocess.run(
|
||||
self.nsenter_command(command),
|
||||
env={},
|
||||
timeout=timeout,
|
||||
check=False,
|
||||
stdout=subprocess.PIPE,
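Review bot: `nsenter_command` gives no reason for resolving the binary with `shutil.which("nsenter")`, and the reason appears to sit in the second hunk, where `subprocess.run` is called with `env={}` (the page does not mark which argument line is new, so this is inferred). With an empty environment the child has no inherited PATH to locate `nsenter`, so the two changes depend on each other. A comment above the lookup, such as `# resolve on the caller's PATH: the command is run with env={}, so the child has no PATH of its own`, would keep a later edit from reverting one without the other. Both function bodies continue outside the hunks shown.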
|
||||
|
||||