
Merge pull request 'also encrypt secret for the machine itself' (#372) from Mic92-main into main

This commit is contained in:
clan-bot 2023-09-28 16:01:03 +00:00
commit 36fc57c0be
3 changed files with 13 additions and 3 deletions


@ -79,9 +79,10 @@ in
KeepConfiguration = "static";
};
};
networking.firewall.allowedUDPPorts = [ 9993 ];
networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ];
networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ];
networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ]; # mdns
networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ]; # mdns
networking.networkmanager.unmanaged = [ "interface-name:zt*" ];
services.zerotierone = {
enable = true;
joinNetworks = [ cfg.networkId ];
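Review bot: The `allowedUDPPorts = [ 9993 ]` line at the top of the hunk is the only firewall rule without a trailing comment, while the two replacement 5353 lines gained `# mdns`; the header counts (9 old, 10 new) imply one added line beyond the two visible replacements, which may well be this one, so it deserves the same annotation, e.g. `networking.firewall.allowedUDPPorts = [ 9993 ]; # zerotier transport`. Note that 9993 is opened on every interface whereas 5353 is scoped to `zt+`; that is expected for ZeroTier's default UDP port, which must be reachable for peering, but a comment saying so saves the next reader the question. The enclosing attribute set starts and ends outside the hunk.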


@ -64,6 +64,7 @@ export secrets={shlex.quote(str(secrets_dir))}
encrypt_secret(
sops_secrets_folder() / f"{machine_name}-{secret['name']}",
secret_file.read_text(),
add_machines=[machine_name],
)
for fact in secret_options["facts"].values():
fact_file = facts_dir / fact["name"]
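Review bot: The new `add_machines=[machine_name]` argument assumes the machine's public key is already registered when this runs, and the hunk does not show where that happens; if `encrypt_secret` fails on an unknown machine, the plaintext already generated into `secret_file` would presumably be left behind in `secrets_dir`, so the precondition is worth stating. A short comment would make the intent explicit, e.g. `# also encrypt for the machine itself so it can decrypt the secret at deploy time (its key must be registered first)`. Whether the invoking operator's key remains a recipient is not visible here either and is worth confirming, since the accompanying test only checks the `machines/vm1` entry. The enclosing function starts and ends outside the hunk.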


@ -40,3 +40,11 @@ def test_upload_secret(
cli.run(["secrets", "generate", "vm1"])
assert age_key.lstat().st_mtime_ns == age_key_mtime
assert identity_secret.lstat().st_mtime_ns == secret1_mtime
machine_path = (
sops_secrets_folder()
.joinpath("vm1-zerotier-identity-secret")
.joinpath("machines")
.joinpath("vm1")
)
assert machine_path.exists()
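Review bot: `assert machine_path.exists()` only proves that a recipient entry was created under `machines/vm1`, not that it holds vm1's key or that the secret now decrypts for that machine; if the test has the machine's public key at hand, also comparing the entry's content against it would catch a wrong-recipient regression. The four chained `joinpath` calls can use the `/` form the rest of the file already uses: `machine_path = sops_secrets_folder() / "vm1-zerotier-identity-secret" / "machines" / "vm1"`. The header counts 11 new lines but 10 are shown, so a line (likely a blank) may have been lost in rendering; `test_upload_secret` begins outside the hunk.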