From 2681791306c8758e2f920303ea67a82f7847f6bd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 25 Jan 2026 14:46:54 +0100 Subject: [PATCH] eve: add cache2.thalheim.io with mTLS authentication Set up an experimental mTLS-authenticated binary cache endpoint to test the nix client certificate authentication feature from NixOS/nix#13030. The setup uses clan vars to generate a self-signed CA and client certificate pair. Nginx is configured to require client certificate verification against this CA before proxying to the harmonia backend. This allows testing the new nix substituter options: tls-certificate=/path/to/client.crt tls-private-key=/path/to/client.key Tested with: nix copy --from 'https://cache2.thalheim.io?tls-certificate=~/.nix-mtls/client.crt&tls-private-key=~/.nix-mtls/client.key' /nix/store/i3zw7h6pg3n9r5i63iyqxrapa70i4v5w-hello-2.12.2 --- machines/eve/configuration.nix | 1 + machines/eve/modules/mtls-cache.nix | 69 +++++++++++++++++++ .../eve/mtls-cache/ca-cert/machines/eve | 1 + .../per-machine/eve/mtls-cache/ca-cert/secret | 22 ++++++ .../eve/mtls-cache/ca-cert/users/joerg | 1 + .../eve/mtls-cache/ca-key/machines/eve | 1 + vars/per-machine/eve/mtls-cache/ca-key/secret | 22 ++++++ .../eve/mtls-cache/ca-key/users/joerg | 1 + .../eve/mtls-cache/client-cert/machines/eve | 1 + .../eve/mtls-cache/client-cert/secret | 22 ++++++ .../eve/mtls-cache/client-cert/users/joerg | 1 + .../eve/mtls-cache/client-key/machines/eve | 1 + .../eve/mtls-cache/client-key/secret | 22 ++++++ .../eve/mtls-cache/client-key/users/joerg | 1 + 14 files changed, 166 insertions(+) create mode 100644 machines/eve/modules/mtls-cache.nix create mode 120000 vars/per-machine/eve/mtls-cache/ca-cert/machines/eve create mode 100644 vars/per-machine/eve/mtls-cache/ca-cert/secret create mode 120000 vars/per-machine/eve/mtls-cache/ca-cert/users/joerg create mode 120000 vars/per-machine/eve/mtls-cache/ca-key/machines/eve create mode 100644 vars/per-machine/eve/mtls-cache/ca-key/secret create mode 120000 
vars/per-machine/eve/mtls-cache/ca-key/users/joerg
 create mode 120000 vars/per-machine/eve/mtls-cache/client-cert/machines/eve
 create mode 100644 vars/per-machine/eve/mtls-cache/client-cert/secret
 create mode 120000 vars/per-machine/eve/mtls-cache/client-cert/users/joerg
 create mode 120000 vars/per-machine/eve/mtls-cache/client-key/machines/eve
 create mode 100644 vars/per-machine/eve/mtls-cache/client-key/secret
 create mode 120000 vars/per-machine/eve/mtls-cache/client-key/users/joerg
diff --git a/machines/eve/configuration.nix b/machines/eve/configuration.nix
index 86e7fcca2..d909c0796 100644
--- a/machines/eve/configuration.nix
+++ b/machines/eve/configuration.nix
@@ -42,6 +42,7 @@
 ./modules/goatcounter.nix
 ./modules/grafana.nix
 ./modules/harmonia.nix
+ ./modules/mtls-cache.nix
 ./modules/knot
 ./modules/mastodon-hnbot.nix
 ./modules/n8n
diff --git a/machines/eve/modules/mtls-cache.nix b/machines/eve/modules/mtls-cache.nix
new file mode 100644
index 000000000..bce65082f
--- /dev/null
+++ b/machines/eve/modules/mtls-cache.nix
@@ -0,0 +1,69 @@
+{
+ config,
+ pkgs,
+ ...
+}:
+{
+ # mTLS binary cache for testing nix client certificate authentication
+ # See: https://github.com/NixOS/nix/pull/13030
+ #
+ # Usage with nix (once PR is merged):
+ # nix-store --store https://cache2.thalheim.io?tls-certificate=/path/to/client.crt&tls-private-key=/path/to/client.key -r /nix/store/...
+
+ # Generate CA and client certificates using clan vars
+ clan.core.vars.generators.mtls-cache = {
+ files = {
+ # CA certificate and key - nginx needs to read the CA cert
+ ca-cert.owner = "nginx";
+ ca-key.secret = true;
+ # Client certificate and key (for testing)
+ client-cert = { };
+ client-key.secret = true;
+ };
+
+ runtimeInputs = [ pkgs.openssl ];
+
+ script = ''
+ # Generate CA key and certificate
+ openssl ecparam -genkey -name prime256v1 -out "$out/ca-key"
+ openssl req -new -x509 -days 3650 -key "$out/ca-key" -out "$out/ca-cert" \
+ -subj "/CN=cache2.thalheim.io CA"
+
+ # Generate client key and certificate
+ openssl ecparam -genkey -name prime256v1 -out "$out/client-key"
+ openssl req -new -key "$out/client-key" -out /tmp/client.csr \
+ -subj "/CN=nix-client"
+ openssl x509 -req -in /tmp/client.csr \
+ -CA "$out/ca-cert" -CAkey "$out/ca-key" -CAcreateserial \
+ -out "$out/client-cert" -days 3650
+ rm -f /tmp/client.csr
+ '';
+ };
+
+ # Nginx virtual host with mTLS
+ services.nginx.virtualHosts."cache2.thalheim.io" = {
+ useACMEHost = "thalheim.io";
+ forceSSL = true;
+
+ # mTLS configuration
+ extraConfig = ''
+ ssl_client_certificate ${config.clan.core.vars.generators.mtls-cache.files.ca-cert.path};
+ ssl_verify_client on;
+ '';
+
+ # Proxy to harmonia (same backend as cache.thalheim.io)
+ locations."/".extraConfig = ''
+ proxy_pass http://127.0.0.1:5000;
+ proxy_set_header Host $host;
+ proxy_redirect http:// https://;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ # Pass client certificate info to backend (optional, for logging/debugging)
+ proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+ proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
+ '';
+ };
+}
diff --git a/vars/per-machine/eve/mtls-cache/ca-cert/machines/eve b/vars/per-machine/eve/mtls-cache/ca-cert/machines/eve
new file mode 120000
index 000000000..85c11f4db
--- /dev/null
+++ b/vars/per-machine/eve/mtls-cache/ca-cert/machines/eve
@@ -0,0 +1 @@
+../../../../../../sops/machines/eve
\ No newline at end of file
diff --git a/vars/per-machine/eve/mtls-cache/ca-cert/secret b/vars/per-machine/eve/mtls-cache/ca-cert/secret
new file mode 100644
index 000000000..19be0dee0
--- /dev/null
+++ b/vars/per-machine/eve/mtls-cache/ca-cert/secret
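Review bot: The client certificate issued by the generator script is valid for 3650 days and the vhost sets `ssl_verify_client on` without an `ssl_crl`, so a leaked `client-key` can only be cut off by regenerating the whole `mtls-cache` var set (a new CA), which also invalidates every other client; a shorter `-days` on the `openssl x509 -req` line, or a CRL, keeps the blast radius of one lost key small. The script also writes the CSR to the fixed path `/tmp/client.csr`; placing it under a `mktemp -d` directory (or under `"$out"`, if clan vars tolerates undeclared files there) avoids depending on the state of a shared `/tmp`, and `-CAcreateserial` will likewise leave a `ca-cert.srl` next to the CA certificate in `$out`, which is worth confirming the generator accepts. The usage comment's URL contains `&` and is unquoted, so pasted into a shell it backgrounds the command; the commit message's tested invocation quotes it and the comment should too: `#   nix-store --store 'https://cache2.thalheim.io?tls-certificate=/path/to/client.crt&tls-private-key=/path/to/client.key' -r /nix/store/...`. Since the comment says harmonia on 127.0.0.1:5000 is also the backend of cache.thalheim.io, the forwarded `X-SSL-Client-Verify`/`X-SSL-Client-DN` headers must not be treated as authentication by the backend unless that other vhost clears them — the "logging/debugging" comment is the right framing and could say so explicitly.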
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:Upo6s3M652KrWe25zLsevJkNBR+xBkkyklamk0BVq58=,tag:GXoBy15/4vzczAyx/X+L4A==,type:str]", + "sops": { + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReUFpWlY2aFhuSXo0V3pY\neE94S04xVjZabWxHRnMyZHlGNWl2cGxrdHdzClNqakNPbUJRWDFFK2hmRjl5NkdP\nQnVNamF1ODJEVllzd3dhWnVQMHI5Q1kKLS0tIFE5eHJ1Sjc0QUhPSHg5SjQrbnhs\nbFZSK3h0ZFFyVWc5c3dmMk9JYWdkZFEKvxEHeHmqUxRVzFdRBTnG9Ua89FfFIZNR\nrWWp/cnGu72RLP9TXLqRaf86XXF9AfR7ZiE/MmrtERp/jtvDoOfHCQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hjm3aujg9e79f5yth8a2cejzdjg5n9vnu96l05p70uvfpeltnpms7yy3pp", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjL1VHaG1lM1gzdE11WHpz\nMThQL05SMU5tL1hsWUtSTzR6bDJnYlZwc0JBCmhwQTA3T250YWRTbUNxVk9raHFJ\nSE9qZUV3RjdBNXM2OFFvcUYvZ1htTEkKLS0tIGROcGR5bUpHN251bkRrZVdQK0E2\nc3IvU2tqMDdYN251SG82NGJvMlIvNXcKMpge6JRlEKl7ZNay6fAGhtO9fCwfhULt\nEFd78tIUcANvpG6ltAqtKcT6kTLHZFjX646Fv7i+2IN98JySYaIvKA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZXNIVDhaZTkySTFqNXlm\ndllDUzloeXErZ04xZFVmVm9ZZ05yM1ZySWhrClAwTTM4dnZjNFNIcmlrQzh6SmZp\nY1RVTnpYRVhXQVlJd005N0RaY1NHY2MKLS0tIGF6Q2dKSGx5UHJPcU5DbklCTjdn\nR1NObHNjV0lVaU81N2VRSUFSbGQyN3MK5ytoOYfw/SV7n6cuFKYqcfSGNhwh+r2Q\nKnU3Qib36H0LQyZQ/4TX4xEpmsnVsBZsR0yhHtzJVl6s0uMgzLthAw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-25T13:48:18Z", + "mac": 
"ENC[AES256_GCM,data:iZzaBmrEKX9eivoOPjf4LTViclHAZA/qfg8WW/aC+trb04M0r2Qho2oNWLa+DAWrK9rzT4Qd39Iw6ZsSIq4AKrHnO4XDaHBjPp0v+Hi1VJuPYr39gqO7TbhvZJQq6Am9qVP+xkXH2MPb6U3+Xf3bPERyid+FfBQcFBv/5Gp9p88=,iv:5TIgqcuEsQEtd3z+mmAMCmqhuIiyvYVQ/XPldw712VU=,tag:d8tgaQSyZDq9JjKPN2uV8g==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/eve/mtls-cache/ca-cert/users/joerg b/vars/per-machine/eve/mtls-cache/ca-cert/users/joerg new file mode 120000 index 000000000..5d6658fc6 --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/ca-cert/users/joerg @@ -0,0 +1 @@ +../../../../../../sops/users/joerg \ No newline at end of file diff --git a/vars/per-machine/eve/mtls-cache/ca-key/machines/eve b/vars/per-machine/eve/mtls-cache/ca-key/machines/eve new file mode 120000 index 000000000..85c11f4db --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/ca-key/machines/eve @@ -0,0 +1 @@ +../../../../../../sops/machines/eve \ No newline at end of file diff --git a/vars/per-machine/eve/mtls-cache/ca-key/secret b/vars/per-machine/eve/mtls-cache/ca-key/secret new file mode 100644 index 000000000..cedf57bb2 --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/ca-key/secret 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:S/OEZkYq+8mradRB3fcjKqWBD5hWdXSNz/V3XBVoTE/ojsl6o6OOvUCzvNQGdwfUGr/ooPkZmxqQXRY8qwqagUAbAQVKQZCcR8BzRFk9TmSs5OtckuFe7/CK0pnuMES46lqhLsKicUu9DQy0pfj1GBJF0P6sbC/BJ3Xp7Ih5oqBJwJEPBiwVnL9HsrmnJwoGmBNwco1iHIbpee7+EKe0PtXuGz7b1BqOyl0biLcQvpoGHKGJKziki5txuuBLkBMI4WjIJyaqBFpbX/UMkpjaxTh5kiUaWG3++gDMu58dB+wOTvNsMvPiMkElKHaHJYUWiWD/4E/ELO/+wb1pyp7UXCwH+cfvbreCGb//5w+eHwiji3sFHKmEi1c81uBwmT1yakgFgbDfb1/jUR8tRyA=,iv:hWtRVY9M/tXksrAveGT3oWQYn7Xiz/937M/gyERLvRo=,tag:45/YPpnz6M5hrDNblBkhjw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGeHo1QWgwNjltQ0FCL0RP\nS1B6dFI1M3RGZHZWbWtqNUE0ajdyTFdFM2tvClp1SlR4SklQOTM2MzV3bHYvdFBr\ncCszSUlwc2VYRU9kZVBhNDR4aEF6Q0kKLS0tIHVsVU1mSEluOHJpMHJZTmVEeVAy\nLzR2bWhGRHNRQzNub1p0VGlsOVY4bzgKFXC+UT6YeIVEj7sm9kz1FzeYRcA41MFK\nThPfnxKOiAW79RuRoXk0Spne8yPFe7XRUs+ZkBH8C06Am4N948BwCA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hjm3aujg9e79f5yth8a2cejzdjg5n9vnu96l05p70uvfpeltnpms7yy3pp", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUEVhcEhnSnJwbEVnaUZy\nT0NaS3JDSGpJZEpoTS9jSTdHQ0lHd0NOZFRJCjMyeEhZV0VHZDNYOTN6bGxRcXhT\nVlJMaFdBd0EyVkN4OTU2bzdTc1Z3OXcKLS0tIHRIR2Y4ekpqaWFHNmEwcngzSk54\nbnZKVks2a1FlalpIWWNJcXB2Y2NkZUEKqKCxy7LB8iLKwRqiSl68L1BiFnmZnPw1\nRLDxy6jfwMx5zeWfwM+iHsHMneO5IfI/9hu7JLB9i/EUx5oC2WCYmQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbjJoTHFDUSs5N1AySkZV\nRjNnNjlVQ3hNcitqdUR2bUttaGhvMDJJVlNNCjBOcEZ2MXBDekx6M3NQSXdiZFFG\nZjE3ZnVKczBLUTg4bXRDVzl5aURnTzgKLS0tIDNmYk9aeFNPN2w2bVRkSURzVFZa\nRS9iWXF3cHNOSG5QZFczTXZhVExKMWcKEyPjDAtq4pEJEhbba/cnpL4G0nMO6VBw\nxS+3KmtHUZYd7CkRJoiFRZqpQ9RPWSCfsEXnN8c7LZ+TTaJ/LCJGdA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-25T13:48:19Z", + "mac": "ENC[AES256_GCM,data:dHqLqyvmXqHDDXbkfVc9ugxYTaU0gJa76QEm+XpF8sGD2T3cEPrhTJUqucjxYjFoVltsbAQ4CS8QCIIhI5ydZTOW5onKdlZzyilQsuNpw8gQUYxoLVGmS0fVT0k0INczCFr/t5nQs91vVohG0FJJhs1LnOGiDuEtsgKd3KcbuKI=,iv:81X1YwBfz+wh6BA1oboPMZd22rtAIRucYdrbVD/JD3Q=,tag:iCCI3d/slGhdRo0Kaosilg==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/eve/mtls-cache/ca-key/users/joerg b/vars/per-machine/eve/mtls-cache/ca-key/users/joerg new file mode 120000 index 000000000..5d6658fc6 --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/ca-key/users/joerg @@ -0,0 +1 @@ +../../../../../../sops/users/joerg \ No newline at end of file diff --git a/vars/per-machine/eve/mtls-cache/client-cert/machines/eve b/vars/per-machine/eve/mtls-cache/client-cert/machines/eve new file mode 120000 index 000000000..85c11f4db --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/client-cert/machines/eve @@ -0,0 +1 @@ +../../../../../../sops/machines/eve \ No newline at end of file diff --git a/vars/per-machine/eve/mtls-cache/client-cert/secret b/vars/per-machine/eve/mtls-cache/client-cert/secret new file mode 100644 index 000000000..31ba769e4 --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/client-cert/secret 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:GLpCJ38v4aeGaHt/HvUxuhc5vZ1wo67u0B+LyNYnPLTETfPcZQVwTXXdXAlXxgV0+aYfcxcFEPZlx3tFOO37zgYUuKSfUq+SFz8VWtXCG9iAw6R2DRmIR6yJ3gOZF12Y65zQ+gXnIdjGc/Q0kDN69cZxh8zuHPwOFMpMZOIOyabM/OVemXT48Pr5/2isRRdR0kHok+hre4Qkod8/Vbhsu70sWVJBXwPwXCtXlk4ZPI3QzrAxDvOo08ctE5byamsJuFYrjF4UtmXkvH/I0yU0DPgXA5/Cms3siS8D8e6owkBj+Ai/8H761o7pFHFVyKGiKivrZJehgGUYasVl7lV3ZBUJx4m0mpPah1RQMPF2dnkusyuG1rgflt0M/0D0EOziVr8d8qDx5aGtZWpzg7oI4UQZByUM3Dj+LiPuvGMgE5rlV22WP8uDPls53+DhF5WJysCjpoW2WtTeUOwqt1datm89ncr3agvuJNzlGE6PY/EJHLy8yvcQTGmsyD6Y84c3GqmhdLpgMnltm9GV4PXVyS8U2dHL6yYoGBK+3LGFTQ5GX5CTLrvq9+fdPSrJ68TS3BOOf+fKYHUaDKkEnmPkfCORxMiJmuJ8Gvuv3Pprv/ExaQU8BYA8IBjYlVuOvEdGNC6dhVJCpnewg8SbYbZB6Tpu2Iq9mMiSiowSKz3kPrWkgz4z3/vYmWbCIDLQqXORFnkQZmL/mjSyb1x86f9KKgHy5E/km46+atmHPUHrD5SB8sOrlacVx/t8Q4lvBw==,iv:XyKhUawB6oXDKdIS7dggjZa8YWvhwMDDauf1W1HncxU=,tag:R6eWoEt+OPn0XVZ/BlolwA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4blI2K3BaNGd2MG5hQ1Aw\nbWg2WWpKRm5aaG5VdUhseDB2NjJsd3p0Z1JBClEzWEswSHRYRUZJQ1l1NnhQTGMr\nTDdNbWRXblhjL2toMTNNODJBSkVyVDQKLS0tIDlMOUFaczl6VkdiVmg2SFF1ajI1\nVldnc2Q1WWUvdVhWZmh6NWZQdWhBYjAKPqL/Oswdf1iR6JWUllbxihm9dFefyx41\nFNh40Ie3WnXngPz5KRRccCO99psqy7qqLjrAqFOZg9m9JP25jYJPxQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hjm3aujg9e79f5yth8a2cejzdjg5n9vnu96l05p70uvfpeltnpms7yy3pp", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWS8rU2lHTnRVNGdKVTlh\naG9BamlHVWlDM09HQWtUNnlqWVFJNGpWNVVvCnc0b1JHVXJXdlc3MEpJb3dZckFT\nMXA4SUtxNXlZbjBEWWZHa1ZLa3I3eUkKLS0tIHcrMzlBaG1BVy9LRGVzbURzSjh0\nK2Z3Y2J0VFhsWXRwWGlLQ05ldHc1dGsKOH5tkuhvzOMNuZwu1xabrRWroNZfFAi4\nvC4Zg715I5AjfJHd/QcYMxg1LacCRE+l9L4PCe1pEVxi4wjsGVZZFQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": 
"age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUVhQN2dDeGNVSmhoK05u\nTTNsbVRmZjd5QUVlanpnV2UybFp3eVhRckdFClRxNm1YUFJ4NmFwSHI5THhvUGdt\ncFNaT3ZRZ0ppanBLb0g1WnVIanJMS1UKLS0tIC81bXRRTkJmZnJUL1hRQ0duNnVz\nM05nN1pGRFRQTG03czJOZ1FRNGw5OXcKrMkVJWBIzMvl2ZKzsWIdb5eDWyUCXfYs\nojpyqyKpKxDTvg3l1Drt9cEmVmBf8yDa0udBCBbkSTF2LE8C9CqDnA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-25T13:48:19Z", + "mac": "ENC[AES256_GCM,data:pM1r5i1J6S5S+tUhxOdVhtZAcPPWAdi/cUrszNN9VHA79TMGLiJSkAY9mIrDT8f0fO8te8VNkd7rDGehO1G0BsKdDHnnkzTm66hd4WpJQmHE2GDQmkjBuizfNEItjOnZ6LawLEmTNGblMSUgQ/7ktNor3i54Lka+9S+NQt6+NQQ=,iv:kD/+zTZ7OS5zlcKdTbqKwttBb71HjCWjZNmMWZNdzz4=,tag:IRKkKkQIFofQjxJqLvvPww==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/eve/mtls-cache/client-cert/users/joerg b/vars/per-machine/eve/mtls-cache/client-cert/users/joerg new file mode 120000 index 000000000..5d6658fc6 --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/client-cert/users/joerg @@ -0,0 +1 @@ +../../../../../../sops/users/joerg \ No newline at end of file diff --git a/vars/per-machine/eve/mtls-cache/client-key/machines/eve b/vars/per-machine/eve/mtls-cache/client-key/machines/eve new file mode 120000 index 000000000..85c11f4db --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/client-key/machines/eve @@ -0,0 +1 @@ +../../../../../../sops/machines/eve \ No newline at end of file diff --git a/vars/per-machine/eve/mtls-cache/client-key/secret b/vars/per-machine/eve/mtls-cache/client-key/secret new file mode 100644 index 000000000..7413ea08a --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/client-key/secret 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:uk5Xxk0HjXLTU+RJLcYd34H+kovch+OfIiSoHHbab1CyJs6BcHReHADkWyWQd5CdBd69MYYtDQPG0Kt2X2ChbfxBXm3CubihfkAAu8PQ0Lgpv+mVZDtwP88J1kNY++dsv8aP2TRPhBesuodPUfb4YuO0bNpkDH4Unji09NrdSM4W0qAYWyxM1h2EVC5PQVyrVQSuxevb7p5hZF5tA5clYGGvjz/YC4rlGae6DMZ51XZiIx1KSNKXTmC8hGNDnFx9x7qQwvjHPaEAgsNJCPHEw1ZuTh8ua83XMJXkUiAxAtiEa6FBzxr2gwgyowbOiJazloiy0/TRDNaD7begNq3Gu0hC7DDF+wUXDBsK5Sw0k1W7RC1cs8r8ARGZV3rXTLgeyA9Xa44YyyGNIuif0ro=,iv:FajR192MaT40xCiSFferxW3EMDMw7816CpiE6G8qnhM=,tag:zCYYBucnasQhwKwRfIYR0A==,type:str]", + "sops": { + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSitPeXVYWEoxd0F1d0p5\nZ2dkaDVNT2krZzRFYWwrNkpxUVZuYjRKbFhnCm9rc0xsNmVNcW1VVlJ0Y1ZGdEpj\nUnBweTg0N0J4eEhzVTEydzMwUUpXN2MKLS0tIDNtSG9wVmg2TVFPNFVtcVVWcWxa\nYXU2RWVweWFMbGMvS1VVcU4yVzVYSGsKJDOXIX7AxutZCKelowWOInMX7zB/lb02\nu800sbwDn64nQQg0/QbvWKJG9efnm036RbMoYMLQRHQkhodW+uJIZw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hjm3aujg9e79f5yth8a2cejzdjg5n9vnu96l05p70uvfpeltnpms7yy3pp", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2amNMVHBVRVhRR3I5Smx3\nMUJhSnk0aTVFR1NTTjFLalBRQzhGd0xNTVVzCmJwL1RNSGY0dFFKa0dEMkYwRGpK\nWCtaVmNORjlPZnZPL3haY2ladUQvTXcKLS0tIGtiQXdYRjA4M3hjZFAwZytnbWti\nMS9Qa21NbHRLNFBDNUhNcldDMWpNNEEK8SE4IdBVMDE/gtGpxprWM5sg12Ig9XZU\n63duV+8Ws5VJCYJ6Pj95vHUPjgvFxAPQhVFJlAHLo0+qCBG4d5WnMA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBb1l3Z2NIbHNXMkxOeFVj\nclczcFhydHk4WnFFYmVVZk1GM2s0bTJKZ0FZClYzWmExMW1GSi8wZUhGTnB0Q1VS\nWU5YNC9scit0a3RhclNLVzNpOXdUaUkKLS0tIDdhSXdnNnJuTjh4R3JsSm4xMjJI\ndDNxVVNlTmk1OFE2ZEloVUlmRnRCY1UKcPlERhq8eECYLGHAF6JiHzw1qJKKXBgj\noGxAGS/LdgpsuZRq9UbsuQ2AFgeoPemVxAED+HNiOJ+TidZtHCycBg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-25T13:48:19Z", + "mac": "ENC[AES256_GCM,data:RxWTiPQaQoTwruaVtxuK3LrSPzPOgSWsOcGQq4eHBKCBNZ+gYkj+uTM1idTeza2Vhg8T4Y+JIOIjYdvbtgoFNcPHqqU+YqH/AV+S5W0xb3uatnIm+85IXmGwayTGtuyVblxp3ig+P0VyF+14cGQF2GqBJbJK3DzlzZzjYryCvEA=,iv:LHEGopEMv/hE1FJnSgjh5u1tlB9+8CRrRkczEfa5fuo=,tag:F8lNDrKVQZ+yxiXUZDVYHg==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/eve/mtls-cache/client-key/users/joerg b/vars/per-machine/eve/mtls-cache/client-key/users/joerg new file mode 120000 index 000000000..5d6658fc6 --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/client-key/users/joerg @@ -0,0 +1 @@ +../../../../../../sops/users/joerg \ No newline at end of file