Added sops keys

Added helper function to load file content as base64
Make route advertising configurable
2025-12-01 01:59:39 +01:00 · 2025-12-01 01:59:08 +01:00 · 2025-12-01 01:58:48 +01:00 · 2025-12-01 01:58:26 +01:00
11 changed files with 156 additions and 2 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
 _secrets.yaml filter=git-crypt diff=git-crypt
 secrets.yaml filter=git-crypt diff=git-crypt
+_sops.asc filter=git-crypt diff=git-crypt
--- a/nodes/_defaults.yaml
+++ b/nodes/_defaults.yaml
@@ -21,6 +21,7 @@ dns:
 ntp: nl.pool.ntp.org
 install: true
 autoInstall: false
+advertiseRoutes: true
 patches:
  - !patch hostname
  - !patch install-disk
@@ -30,3 +31,4 @@ patches:
  - !patch cilium
 patchesControlPlane:
  - !patch allow-control-plane-workloads
+  - !patch sops
--- a/nodes/testing/_defaults.yaml
+++ b/nodes/testing/_defaults.yaml
@@ -6,3 +6,4 @@ cluster:
  name: testing
  controlPlaneIp: 192.168.1.100
  secretsFile: !realpath _secrets.yaml
+  sopsKeyFile: !realpath _sops.asc
--- a/nodes/testing/_sops.asc
+++ b/nodes/testing/_sops.asc
--- a/nodes/testing/_sops.pub.asc
+++ b/nodes/testing/_sops.pub.asc
@@ -0,0 +1,63 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGks4XgBEADGW3kWVuEpcHoqjO19ztTrRhqG7y58M6jo3aiL1YuAKUMsGJOv
+ifWVnqy+Twbkc+o7yYZIaxdzXkmT+3vtHJzEI2HoL9tTs43fnG4Lu+28c8TFl480
+k9rOrvhP1UFTiYt5lsa7+gnH6UPcbaNFOWDxOKrzzr879Vv6884XOPUQ4qdsk/jV
+YkqYbOzsSNeaicJIfIA8PIrBNMeV/v83gnEo6sgL4E/nVT2foGZg+MnOU1rO2N63
+R+qK1iNTHR3TswuwI4TDAdw93s5Qn+5dYKKnB5lTdipXfidarMFojLAcfHPwsFl0
+p5HRJnOJo5Vfj5Ljaj0GLLPk8gZjwA69vLQYY0d+IDhnvToScgolt1b2XaKGw+m6
+gC9THU4i+RqDf/o6B7nN97ySJeuDvigu7af1jdDocQNQKp1o8BCoe93jM6CS6EZN
+YIvN/7cNP2E/ABdVPXYdrSTgbeltJyQtxPiwfdmiNKK5wFNl4GqeTa98Vh6q5Guw
+U5ZZCvk/dfXodylG/3htCJyXKx1GXzd6w3fGn3cCemNnlOih7CiBqM3mL2/jLbE1
+7AKDGXcM8gn3jEAssgZZWFl4C0Fs4c7ow4+6zMJ6+C9N/gJAd3CFMJPbiNlMbE9e
+uW4TAx5lG/pXyQugEZ9Dw/jrQS/3K71kr4D4bo2K9SUj0+tjzuL41Xd2WwARAQAB
+tCJ0ZXN0aW5nLmh1aXppbmcuZGV2IChmbHV4IHNlY3JldHMpiQJPBBMBCgA5FiEE
+dv92pag2QTfq8b5ulf94w46a1ukFAmks4XgDGy8EBQsJCAcCBhUKCQgLAgQWAgMB
+Ah4BAheAAAoJEJX/eMOOmtbpX8YP/2Z7a5xp+imXItXJSPgFa+NJBs4V1SMPPF2V
+2YcHJGlnX6mOJJZUYXo8f615uN4+hRI3z4n2Uc2VYZdOFCKRcqFrY10wB1nvdukb
+0OHR3CoBV4/S2NV6QS12JIyyYgV1WjstEK+CsdxVMVp4dvQvRcOWZ1Wt0tIx/rj0
+1ccvBexXkyVrMc576yK+aB+fb9EOgdmpC8JswoyicHugi2Mq+QsVoNjKwMQwvKDR
+NrLdJ+PCInuwBEwpy0cNRALrVTN9zzZpInZ7EAOkEUBH8t8g6MebDZgiZqgdeBJk
+QcY9ciC8lyPcES0MOcSY2tpSAfHkPGbytv2DHxm7p+Lraczm8bxNOFnoCfy1i62Y
+ewCMT4H/5PTmWVGPbKIOHg0B6ATZEnl+Hw4WIbKSAzIZnVNLSaFAXM3M/HWs/XUa
+5CKYi2PmN0Jo85rsRczzboTuLyfqmnah1vznwrgp+MXk5Y7vT4DqHvhiij0vG9iG
+buC4HQ642pszau2BF5+l16EnfFaC21k1AGQWiPQNZPeR18MvhJflmaMS6URZY0E9
+QY487s+rJ1gTiL7zlPAfexNHc/z8kvQi8yF5PfBKPxXBAf18nIG6+n6vxn9lLxi4
+7AjcA7pDbPAw2t9rgM6BUQkFHjwt6qCF7A65lLL1M36he/b7Wr8WYmo4Cd+X1jXK
+WgGqwzk/uQINBGks4XgBEAC8EOELmKWvvuAMvKYb0kdeBYoCYMWscig8s6fQGJRt
+vPsPvQmyZoVJ69fiEXcw9d/3StfkxlPaEakYNILdVL6Q+AgZgJFn/iY3ewMtnUNO
+/P19cahl8PFSBnOWrGRLqGfC2bDoeW7rt7Muy1YjP+cVLoXL3qz685k8SUfVspka
+qi84w1ucAvR8XTzN4/lwSgk8Avfx1vPiToFHugxDb7JiLmMBssKRRzAT3iPycMYK
+kc0tNxAlMnKXPOPntdXw/50mtsM4WNP0/yMpdbmtGrGbIQUvpRBE7D7dZ6m0/+WI
+9plpljVwbs3dikUfWILM3NseDK2CEid5VXQMqqdXaQlQDOwya2d0o5yzfUW+Yj+l
+6dWlcNeI8wM9raum/GEsxoIGkzQ+fvT73StglcIPwACOJlwdRRu+WrDtS8PebirL
+w70hKebEEwel8IA9U19L0GpnNjKhK10pqY39jX09YdMMq9f1gigsCj3Ika2l3ZyQ
+Wl6y0UhiTiVkphqM9JJAApRlZbrxUxX6Sw0M6iOBX394ZKgzQbcpGcOGnGdQXs4V
+7hMOtqYrQqYqTSoJYHqWNCgVsTcGeoo8/NN/9f0aVB2gv3CDIqnB+8xq15rsKrLN
+9mM3Bxi2fRws6gTEcENV64j22Z1tKR3yHPSLv0/1Ta7A9SXnXmqw/BMjWJxQSmmN
+ZwARAQABiQRsBBgBCgAgFiEEdv92pag2QTfq8b5ulf94w46a1ukFAmks4XgCGy4C
+QAkQlf94w46a1unBdCAEGQEKAB0WIQTXTIfxfRLD7cv4AoBl1ZPdaI4nIwUCaSzh
+eAAKCRBl1ZPdaI4nI+nzEACZspevA9KxrWo8ZMv3Jyz/SZ6qGeUZm0cS+wYlnXTO
+jwHq+gjvzQvmrg/+S9kneE4mFx21p3exKh6waYt9M18MHj623HGTXrKHuXTbKhom
+7kDISFbnKjcoyyLT7KvCP27lfhv9ahkgvj2GdjPCVsWY3m53dWMKjLEHNYrVPw5v
+ublNbjvAZ8sUEuP1wIZDqqCImYR2VP+ND8BCx+br20mnpHbB9GRSWKWZ0kG8cc9n
+bJgUnd0f6rp0kPqTvH2YNPx8V56v3NqbnvON+p/2YfRZ4ff9hTB65Gune8xlqXUf
+KbRCgepkgH5uYXCl/1+urWQZJPlUOGYP5b37wezm2vrd3Gq9LY52JXw+If953dAi
+AGYhlqtQsu/MtA0MwGqSYBWY9SRHoNkCJw798B3ZrQOescnmokjAZhH/8def2r6Q
+NXlMVwrKYl7vQMxa5uDJP9VqwrLn3FMpnOCEAWfl+nc+cu1MP17KwofwbtzbDlSq
+rTiIskYb571ZgW/wSNTi6Y0qtq0Hn7ruoRfLONgdsru/JlrRUWMHiziWz21lJYOZ
+KR3snLGdURh8JBPHI4eUYe6F0gk1g6Mn9BJljWTASzEs41Wbs7SXyn0bKEvOVZza
+t+on9ab22futkoxdD9TQgYLtYJy6kvcnd3opa9FaVlFzS4zLVetwgj2fcri779+o
+ozu/D/4qlHXpPmgfPYfaLHPzpAq6GEFf3uLU/Ue7LJAipNdgSWgQGqpu070pFTYp
+FxOyhECEixBpFzs9ygfa35Sjw/8cDd+6aAYrIPEk2V98gA8N0nIeUOwh7mcy8vfD
+1omqkiS4hanhv2Q5OrgHlTj/28K6CXTRouRaaADvudjSLdt5jM9Y87uuBE7N2okF
+tq1oYgvNOiZt9vERU3N8raefgGs869Oi3CawyD71/UV8mdUzkg4awlCDz2tCvEBg
+h8G/ys/4fVp6orac6qvIr9SGKu8oT20VCmAc4tv1ze6avjcARvuzrhIRFbiZtDpB
+nJafOLOqzOcoZgEy+7Iwa6/iZjFiRMdgEjgU62bVeQEQKny5Nm7y3lnEBNja/ISP
+xB6emz/G6nmWwAt0OnZnH3lFwiXrRgefb+MPHi5rvRN9mqRHQ43UU4pkYQO0fa1H
+PeNhhe7qo8H4AFdZTzsRurBOsLTZ+uJGjwto+Zq+hQkzPBvfVSzVbkvvEUFwn+Hm
+PmP+lKYThzVSlxbDEMHu7BDnJQZX/MTTyJnviXgMaRstgjMak52SAjIReiI+RRgO
+mihWQ21nN9u2WC78sZLHJTuej2yv6K7BZBl+TRRwwnRP7sQIassfXqB30kHFUXqr
+kC7eCKdgW/DSKw5rhmMDfS0ILBTkhtL1XmOtcHK2PKdPe9DjAA==
+=DrdW
+-----END PGP PUBLIC KEY BLOCK-----
--- a/nodes/titan/_defaults.yaml
+++ b/nodes/titan/_defaults.yaml
@@ -5,3 +5,4 @@ cluster:
  name: titan
  controlPlaneIp: 10.0.2.1
  secretsFile: !realpath _secrets.yaml
+  sopsKeyFile: !realpath _sops.asc
--- a/nodes/titan/_sops.asc
+++ b/nodes/titan/_sops.asc
--- a/nodes/titan/_sops.pub.asc
+++ b/nodes/titan/_sops.pub.asc
@@ -0,0 +1,63 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGks5cwBEADdTNm9v45f1r76Ka6+5zd9JIO0b7qGKSRaQ1FBw5Cf6424FhLg
+5VJ5Ct01cyqemJsmgf/qMOFW8hDs0X8KeQO24D79qdTu9DO/q212R6BKjuFz+TRX
+rdPrSoky5MDhLcN+AEU+Ban9aMvUbKiVeEtxJq/1SgTWfKnUsil5OmmzsR6LXhlZ
+gA2kubo2oh4hrql9+i+iO5A7HZ5dc1T5bPYivXA/7tJ8Y66OUs1kaaMR8Cy1Qfp7
+iPRkvmrMTQtLwVpWNWn0KCvyxtpBeeWxo1oGJYvVm8GJTBrB+Xhl5bOrnvqbD9Pw
+6jzyN5ecMXn+KF4JZZW8Y9EIfH5JX+hA/W/zfF4y3oNszS/JlxyuRIHc3dsQQ2za
+YpZ+rsvKJtIsZdPW+J9J5fjQkYvF1+wmOEOVtvryFlFjH5aPlDSnSPbU138dRPva
+IfY/c0bOKW/Xd5GawYGKdfkJThJR/In1WQMimSpqydzLt3ELfovLmBFyMWjmiz+b
+VFUCPktrt7m2VFHWjYu03REdV60L1CqKFvkoBp4KV5EnjAN7XKDCfKxM5gC8f/Yg
+3F+R1+XzZPLUgTk/5/rDjAFynwcWnf2WfXd5JwJEi1pXgLiFVbK6phnfAJLvcsDt
+jHVmjYf8dkMuMPXdubeyPo+CKaOffmCAmLgCppR5qDTF/ubDB20gLpBCcwARAQAB
+tCF0aXRhbi5odWl6aW5nYS5kZXYgKGZsdXggc2VjcmV0cymJAk8EEwEKADkWIQSz
+0/lFIzjCNZTY/8wOE+ZBNIET3QUCaSzlzAMbLwQFCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQDhPmQTSBE92rjg//dzU4BFAZXtiSnuqCdI+kCNykRyP4UIjxZICz
+ixsXoG+0eIgOgLN5A4i1lDg/lPj/lpPCWlJvnOm/OAU7XUNA3KK98qQGViwVfrou
+CqAeWMPMAvAgUB2cwkWV3FmCR/v9xBdo6eHeZfPoZ7OnND7uSck/u+5GgtMX0ZP0
+qRbQo7DC+2fjObgXuLaCG49vBTYmy1S/uAAhSU0W7wpOUztn1srNCgWwYCAjAt0A
+CzdNYSP10k8hA2a9+a4zsXjScdVjEqkoLeWJMtzt4roYArZjt9XJ4iKnroXCx52T
+uaMmFdpGeBZno0Ih/qwGLFkvEcIwHe4uxY4aQK8k9wLNdS9s3qayXj1mF2HSMH16
+wlg6aD6XB/2rTAaIdSs4yLipbN9Lo4jDeEkmag0n6qAcqZHCp+Z1nKeehNIX2MxT
+VDo0XwQzBl3MrOJI/U/n7tD9cKi6lWHNJ2SZf42gPe6a06WklAoAj/YpLe2FbxYh
+TTnkmHbIyMSUcdQ+xC/3h8qo8F9TssO8fA0JgdwVa96iBPJShCWW4V4nfumQYRGV
+zeWRu7LEVnflSVZz/2a9P3ecE5DtmkUibVxDn5/xYYWsJpARV3QEGPT1pOvI8TBB
+hc//XxZZ8j8MyFSX+hMFj2y+cqprqb0vCUPcnP6g298yAWlpgJwP+UcnyrOuTKkM
+B0Tnume5Ag0EaSzlzAEQAODCxs7vrTtGJbEWxDUa/q4G/3cGNuA52EpSZfM3ZfCU
+66gIRC6OPrIz3pIB4UKExS9OZtLxcrAVggzFhgOEaaBK87ku6KmC+PCKX1oY6AVT
+FeaWtW8ajY53VAASNeA7GcDlCAV7DgM9n2w3SuiybvJkMQ4XkUlDwW3hxIYOi1/R
+h3cRBHiQDR6beHkBd9BmH9HFGEDO7d2sR33Bl2UZOvc6+NQartp8znDmTJ+5RoZz
+A/i8AvurEm6u3e6W1LZmHitIhBINd71tjRXiRsOmCuEcoFyChR7BpAUn9WaiW5BB
+Y3VWXZC/O86donSuoWwlgIi9T9SXs+iIZzm4w9ongKGdbsEmpp/NcT28gQytTrug
+2o9SSSVmLpnH/hg4D/M/a5eOI7UzWszf4iCZB01f/fyWtbokUxDpnn4bzUWXyie1
+2P9yGtSjyeZPRn6ELGuCOrjvHTA6uIgRaXjYenDlTOPv1Gr5XeuGEJZaK/4d7rQb
+u4yLDKC9n80pF06qD00XpnyX6hGL5ntMIiXbWeAbWNcfZEBu5TJg5H4PqcSDwI3E
+TfJgf6RBzG8+XcjAgEWzdDJhat5QGCKGKmANfwbYHLj2XJdiwWqanWZmDXFH5p6o
+b4zwceS9zx31Ex/XhJ4mutibpvTtDklpU3Ol6Jml/koB4KYHxRQwipCfPElwouhB
+ABEBAAGJBGwEGAEKACAWIQSz0/lFIzjCNZTY/8wOE+ZBNIET3QUCaSzlzAIbLgJA
+CRAOE+ZBNIET3cF0IAQZAQoAHRYhBJdlMI5OZl6R69KAiY629oMZwkJNBQJpLOXM
+AAoJEI629oMZwkJNfLgQAKclJQc1yXj8hu/peiLcfdoTqYCzitu9h3x5KNerKCO1
+I/iGDcOc/g17K8QdyTRB4zHunVMfBuC8Wp7G6uwhnCanMcOzfVdM80MSxdaBb+hM
+3nJooZTxnXNJBNy5NPy2P9vE/+Fx7UQhC5DK70wX96Xm7WnA6dunvDP/DdD7Tzf2
+qU2I9/axRBsBowJ1N0CL7VusLr+Iml6s6S/Z20o5EfFKNfHHpK7lUIxc41J1KWRw
+qhqzm9GJh+PrafeYcq1/Q99HkmFBFkAHfUhiHkpTGVdc39fEM3ywxxJ5VuK51CKj
+Q772kITdoJxgfv//+k51OPDDYmcidyK/jU+SE8GXlBsEAGDvvxf8zsh/PhXw+qNM
+1JqX+OD6Mm02cbaWieDXbFXta3/4apAcbvBLaPggHyIHvjA2WbAsq7iQwjlFLeBV
+qP9Vs6muREocNbvxQ3x8kM5ruWgogWl60TS+lKCN+bmJ2u64VdCtHZZxUZr3swQY
+67RTEUvicqr0unP9/+87rjYPPpc+XSoh+MIQLQ3YrzE9aG/29P55+WlzsjayrYBR
+MkM76zWMK/7xRx+fG+GITyfqGF+jAylNqGkpMBq8257JzfEE3kQJKBaZF6apOF+H
+uJtr1u5+Y1HpClBqROw52Szb5VfTxrYS7aCd5DJdA1YM/jFGQYh2lM0z98ZqlBqR
+R/cP+QEzGdJ1bYZhBU/P1NvHkbYc3GwN6j8UFYCGncJiUhJcNPgixogNJLFiWHom
+PrvvFrQI8ATCvcNF3pbETUP+PH2oLZ35KmOI9GGMNS/v/66E7o+1vXylXP0pZ9W
+knEgQEUSxTSqvsSxfn06rSZvwjUcd/qOjvSJVS1urtBL9dt3Ct1jiXHaJEhPEY/z
+nJLD/qaTF3Z4K2SoermaS8d3+fnp+7HrQcVfLneWpb7hrWATtRyPTvfvMEQzmmXP
+G1v57wbA2fwAHPoth5Yzn5Cnib/677n2grnsumHFWYWhpSaRVGhJe8lMXjDiwNV6
+Y45o9lmBUbgRXuO1ZprVXbc0ujkFyTLa0NZtMALHiy7XjzVMFgRmtwKX+KjAZGLr
+hhqOrX+S3pcFqJTVLMP0bk7dV8IKAcbWrf7luQAtbQqVGIECrUqzDx4OfxuZl/rF
+5UZKVXTFEGEDt7OFKrPDM802FqvUVHJxCm21WDUdBKWhLd9OnD74f16+9B+0cKHt
+LXMTVEQINOcEuPwbqnkZqUz/vbR5Q7IR70Rdw3rXMEfvlyQMNzgmCw4PRzfa4cHq
+CUgCYrvIBTmcjwa78+DCvfgfbe0/FtuQv1SNkpYiSU0qYx2S+aBl07pknO8mfSll
+EWXe/zokPxeEtteNZkZ/gz4YtBymE+GUR+zM3IV7pYxVmtPE
+=UtAO
+-----END PGP PUBLIC KEY BLOCK-----
--- a/patches/sops.yaml
+++ b/patches/sops.yaml
@@ -0,0 +1,17 @@
+cluster:
+  inlineManifests:
+    - name: sops-key
+      contents: |
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: flux-system
+        ---
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: sops-gpg
+          namespace: flux-system
+        data:
+          sops.acs: |
+            {{ helper.load_secret(node.cluster.sopsKeyFile) }}
--- a/patches/tailscale.yaml
+++ b/patches/tailscale.yaml
@@ -3,5 +3,7 @@ kind: ExtensionServiceConfig
 name: tailscale
 environment:
  - TS_AUTHKEY={{ config.tailscale.authKey }}
-  - TS_EXTRA_ARGS=--login-server {{ config.tailscale.loginServer }}
+  - TS_EXTRA_ARGS=--login-server {{ config.tailscale.loginServer }} --advertise-tags=tag:cluster-{{ node.cluster.name }}
+  {% if node.advertiseRoutes %}
  - TS_ROUTES={{ helper.tailscale_subnet(node.gateway, node.netmask) }}
+  {% endif %}
--- a/tools/render
+++ b/tools/render
@@ -3,6 +3,7 @@

 # Adapted from: https://enix.io/en/blog/pxe-talos/

+import base64
 import functools
 import json
 import pathlib
@@ -71,6 +72,9 @@ def tailscale_subnet(gateway: str, netmask: str):
    netmask_bits = IPAddress(netmask).netmask_bits()
    return f"{IPAddress(gateway) & IPAddress(netmask)}/{netmask_bits}"

+def load_secret(path: str):
+    with open(path) as f:
+        return base64.b64encode(f.read().encode()).decode()

@functools.cache
 def get_schematic_id(schematic: str):
@@ -165,7 +169,7 @@ def main():
    template_args = {
        "config": config,
        "root": ROOT,
-        "helper": {"tailscale_subnet": tailscale_subnet},
+        "helper": {"tailscale_subnet": tailscale_subnet, "load_secret": load_secret},
    }

    nodes = []
Author	SHA1	Message	Date
Dreaded_X	787c763b7a	Added sops keys	2025-12-01 01:59:39 +01:00
Dreaded_X	1da24905ef	Added helper function to load file content as base64	2025-12-01 01:59:08 +01:00
Dreaded_X	b0a1d04d7d	Make route advertising configurable	2025-12-01 01:58:48 +01:00
Dreaded_X	7d5b09c623	Automatically add tailscale tag for cluster	2025-12-01 01:58:26 +01:00