The process will setup DHCP dnsmasq on opnsense to boot the correct ipxe file depending on the architecture
Then ipxe will chainload to either a mac-specific ipxe boot file or the fallback inventory boot file
Then a kickstart pre script will setup the cluster ssh key to allow ssh connections to the machine and also setup and start harmony_inventory_agent to allow being scraped
Note: there is a bug with the inventory agent currently, it cannot find lsmod on centos stream 9, will fix this soon
Reviewed-on: https://git.nationtech.io/NationTech/harmony/pulls/111
This pull request introduces a comprehensive and ergonomic secret management system via a new harmony-secret crate.
What's Done
New harmony-secret Crate:
A new crate dedicated to secret management, providing a clean, static API: SecretManager::get::<MySecret>() and SecretManager::set(&my_secret).
A #[derive(Secret)] procedural macro that automatically uses the struct's name as the secret key, simplifying usage.
An async SecretStore trait to support various backend implementations.
Two Secret Store Implementations:
LocalFileSecretStore: A simple file-based store that saves secrets as JSON in the user's data directory. Ideal for local development and testing.
InfisicalSecretStore: A production-ready implementation that integrates with Infisical for centralized, secure secret management.
Configuration via Environment Variables:
The secret store is selected at runtime via the HARMONY_SECRET_STORE environment variable (file or infisical).
Infisical integration is configured through HARMONY_SECRET_INFISICAL_* variables.
What's Not Done (Future Work)
Automated Infisical Setup: The initial configuration for the Infisical backend is currently manual. Developers must create a project and a Universal Auth identity in Infisical and set the corresponding environment variables to run tests or use the backend. The new test_harmony_secret_infisical.sh script serves as a clear example of the required variables.
This new secrets module provides a solid and secure foundation for managing credentials for components like OPNsense, Kubernetes, and other infrastructure services going forward. Even with the manual first-time setup for Infisical, this architecture is robust enough to serve our needs for the foreseeable future.