diff --git a/.sops.yaml b/.sops.yaml index 5b04a72..977d85e 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,7 +5,7 @@ creation_rules: key_groups: - age: - age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq - - path_regex: \.sops\.(conf|crt|key)$ + - path_regex: \.sops\.(conf|crt|key|sh)$ key_groups: - age: - age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq diff --git a/Containerfile.storage b/Containerfile.storage index 953d4f3..e7cace3 100644 --- a/Containerfile.storage +++ b/Containerfile.storage @@ -41,6 +41,9 @@ COPY apps/traefik/traefik.volume /usr/share/containers/systemd/ COPY apps/traefik/config.sops.env /usr/share/traefik/config.sops.env COPY apps/traefik/config/storage.yaml /usr/etc/traefik/traefik.yaml +# Apps - Ucore +COPY apps/ucore/lib.sops.sh /usr/share/ucore/lib.sops.sh + # Apps - Zrepl COPY apps/zrepl /tmp/apps/zrepl COPY systemd/zrepl-secrets.service /etc/systemd/system/ diff --git a/Containerfile.storage-remote b/Containerfile.storage-remote index e9b0235..1bf12b9 100644 --- a/Containerfile.storage-remote +++ b/Containerfile.storage-remote @@ -11,6 +11,9 @@ COPY apps/node-exporter/node-exporter.container /usr/share/containers/systemd/ COPY apps/scrutiny-collector/storage-remote.container /usr/share/containers/systemd/scrutiny-collector.container COPY apps/scrutiny-collector/storage-remote.sops.env /usr/share/scrutiny-collector/config.sops.env +# Apps - Ucore +COPY apps/ucore/lib.sops.sh /usr/share/ucore/lib.sops.sh + # Apps - Wireguard COPY apps/wireguard/wg0-client.sops.conf /usr/share/wireguard/wg0-client.sops.conf COPY systemd/wg0-client.service /etc/systemd/system/ diff --git a/apps/ucore/lib.sops.sh b/apps/ucore/lib.sops.sh new file mode 100644 index 0000000..44cc765 --- /dev/null +++ b/apps/ucore/lib.sops.sh 
@@ -0,0 +1,20 @@
+{
+ "data": "ENC[AES256_GCM,data:obK7czVMPKNzihNu7Tm6VleZ4nQxlBeMLo3WCEOB3zlziudSIvZNppj2lvSynr9R5PO9vo5LRKetZzV3DFxy26FipUIXKCcIsuISelYuPfXvKznUs46I3zyPyuFbSQCxF+egVPl0yuE/0lc5s8NSY4EbPh5qcQv6wrAZdIaOAJQkMzQQ7Vgo41fp4xdodq/y7aTGXCKNDAPGwdUFm02X45hAQzFUYMo+Z8keusAFX5e/U+F9hTInFK+7F3lAihrDyAA0Q9RHJFt8PkFw2Gbe14IPLBG6y92YvTNfxQejVDWJkjTD2NQXmgU7eK17/im8iC5/C+jT0KC/h8Uuv8fpVDKQwTr4z/+vPXnzMCkFYI1A,iv:99YW/BqpU5+FGPc8DQ1RUrt6gd+rBmiT2VmLtWp89rg=,tag:zwVWkEG6qgO0RVw120KuaA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKamxUTm5VVVViWHVyby8r\nMm93UWkzMDRhcnVueEhGdkFNcHdnU2xFMkRZCnY4ZGZxQ3U2YmpWU1hIdU5BeW9J\nWVp0anFaOWxrRk1MUlBDM2FiRUNEVUUKLS0tIHBXcWEzQllJK3hYTytYdFU2R1I3\nZEhzdSt3RVNMM0Qxb2E3OUZMTXRjNVkKJs+UJtJOlaf1lwacNklMbTeAQ1vb+ZVz\nJCt6KTEv2tZjC8YF32iRePE+uB5NtkmGlcPGtrQT5J9JV2dwRZojaQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2024-08-17T16:56:16Z",
+ "mac": "ENC[AES256_GCM,data:gBxEXZMDqcau0fNtKLMqg5w+k6I519zfNgD+ip6cmgMYM921rA0l1Pyu0b898fP2h9V8nuynH3/pck7QjU1B9viem+98xxfdmjyWzejVI+vA5j3mWUqA42103w8da6utuGZBaGZ9ODvAp63BRYhGie5zYT4UmPb1I/4ZCFV34U0=,iv:Ts99qY7jokXlx5wHHoAzcJcM+jFu36jdm4dthbICNxA=,tag:iOGgSNxTmtEMQ9zmeD7yWw==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.9.0"
+ }
+}
\ No newline at end of file
diff --git a/scripts/install.sh b/scripts/install.sh
index 0960cb3..e39e41c 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -23,7 +23,6 @@ rpm-ostree install \
 
 if [[ "${HOST}" = "storage" ]]; then
 rpm-ostree install \
- nfs-utils \
 samba
 /tmp/apps/zrepl.sh storage storage-remote
diff --git a/systemd/ucore-update.service b/systemd/ucore-update.service
index 983fdb7..f75a019 100644
--- a/systemd/ucore-update.service
+++ b/systemd/ucore-update.service
@@ -4,4 +4,10 @@ After=local-fs.target
 After=network-online.target
 
 [Service]
-ExecStart=/usr/bin/rpm-ostree update --reboot
\ No newline at end of file
+Environment=SOPS_AGE_KEY_FILE=/root/.config/sops/age/keys.txt
+ExecStartPre=/bin/sh -c 'test -f "${SOPS_AGE_KEY_FILE}" || exit 1'
+ExecStartPre=/usr/bin/sops --config /usr/share/sops/.sops.yaml exec-file /usr/share/ucore/lib.sops.sh "cp {} /etc/ucore/lib.sh ; chmod 500 /etc/ucore/lib.sh"
+ExecStart=/bin/sh -c 'source /etc/ucore/lib.sh && /usr/bin/curl -m 10 --retry 5 "https://hc-ping.com/${HEALTHCHECK_ID}/start"'
+ExecStart=/usr/bin/rpm-ostree update
+ExecStartPost=/bin/sh -c '/usr/bin/curl -m 10 --retry 5 "https://hc-ping.com/${HEALTHCHECK_ID}/$?"'
+ExecStartPost=/bin/sh -c 'reboot'
\ No newline at end of file
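Review bot: The ping in the first `ExecStartPost=` line cannot carry a meaningful status: `${HEALTHCHECK_ID}` is only defined inside the separate `sh -c 'source /etc/ucore/lib.sh && …'` ExecStart process and systemd does not hand one Exec*= command's shell variables to the next, and `$?` at the start of a fresh `sh -c` is 0 whatever `rpm-ostree update` returned, so the URL degrades to `https://hc-ping.com//0`. ExecStartPost= also runs only after every ExecStart= succeeded, so a failed update is never reported at all, whereas ExecStop=/ExecStopPost= commands run on both outcomes and receive the main process's result as `$EXIT_STATUS`; the `reboot` should follow that report rather than be issued from ExecStartPost=, where it races it. Note too that systemd performs its own `${VAR}` substitution on Exec lines before the shell starts and, as far as I know, does not exempt single-quoted words, so `${HEALTHCHECK_ID}` is likely erased before `sh` ever sees it (the `/start` ping included) — writing `$${HEALTHCHECK_ID}` defers the expansion to the shell, and `.` instead of `source` keeps the line POSIX-sh clean. Two things I cannot confirm from the hunk: several ExecStart= lines are only valid with `Type=oneshot`, which would have to be set outside the hunk, and `cp {} /etc/ucore/lib.sh` leaves the decrypted secret on persistent storage, where a tmpfs path such as `/run/ucore/lib.sh` would confine it to the current boot.
```ini
[Service]
# … unchanged: Environment=, both ExecStartPre= lines …
ExecStart=/bin/sh -c '. /etc/ucore/lib.sh && /usr/bin/curl -m 10 --retry 5 "https://hc-ping.com/$${HEALTHCHECK_ID}/start"'
ExecStart=/usr/bin/rpm-ostree update
# runs on success and failure alike; $EXIT_STATUS is only provided to ExecStop*= commands
ExecStopPost=/bin/sh -c '. /etc/ucore/lib.sh && /usr/bin/curl -m 10 --retry 5 "https://hc-ping.com/$${HEALTHCHECK_ID}/$${EXIT_STATUS}"'
ExecStopPost=-/bin/sh -c '[ "$${EXIT_STATUS}" = "0" ] && reboot'
```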