*: rejigger tls certs and more
This pretty large change does the following:
- moves nix from bootstrap.hswaw.net to nix/
- changes clustercfg to use cfssl and moves it to cluster/clustercfg
- changes clustercfg to source information about target location of
certs from nix
- changes clustercfg to push nix config
- changes tls certs to have more than one CA
- recalculates all TLS certs
(it keeps the old serviceaccoutns key, otherwise we end up with
invalid serviceaccounts - the cert doesn't match, but who cares,
it's not used anyway)
diff --git a/cluster/secrets/cipher/etcd-calico.key b/cluster/secrets/cipher/etcd-calico.key
new file mode 100644
index 0000000..1b7d637
--- /dev/null
+++ b/cluster/secrets/cipher/etcd-calico.key
@@ -0,0 +1,80 @@
+-----BEGIN PGP MESSAGE-----
+
+hQEMAzhuiT4RC8VbAQf/V/fVW4uPx22y86jRWH1wyWT/63r7j4YAHZVE6EvDJsRP
+r8WhnPxeNoGlr5KhrJ//DCDcIkaI0NwMqfpOW1tFVKboS1kP8Ntt7RGCaP/j8p5P
+8mws1VEQbROSTFmOlEuDkFY1S4e9rXADCtwX/zEft05UJSQ5sVcLp+RSUFAhsVLT
+X+xh8F3FaxvrJaXXur7RPYQORx6lRV1jiFRoYqr3Soeay1fTGeB9Jg38bUlVuA5B
+otuxjSFMJFJNqueRFaxPGlaugvAdrZyTnXiKgeRWo4nGXjiDycUFSP1M9ZVKzuUL
+IYalrBfRsz3zf2w4vPJ4ecGRfOqJQRk+IL7e8hxM4oUBDANcG2tp6fXqvgEH/0Tk
+qX403K2pXLO5D7GCo57uMr4M29BEhG8WWlcRsEOywZ7ZVwczIwslar1ymV3fxinm
+SpCf1s+5LnUye1+/fAy6yRr9AA9lj07PEpLDlOK8AQ9Xb7sQg9Uml9dCBeoBJUL1
+kagSDsrUuTbct2skwRC28wVvMViOETHAFFL2hqHYBG52J4nUd2s+7DMU4aXDg1vB
+Jepxuq2a775kBZtpd4rhfhqnZCcgQW5+oon3qjQyJMAlcV5FxJxqM78sd0TgSdOw
+ulF1BKHRxxWcxtL5ZV7JVzwrPGT3CmG6TZKzVhKST4uARMHVKWX/WZhCzfUEZU25
+AE+bIaih60nb//JJwIWFAgwDodoT8VqRl4UBD/4iQJ/Gpfyapz0BqHwVwCdJnz8V
+VIXRfEaN7e6wFrko2wUHFsPP08jyVkPi7n3991gCiTp5kJqNTx3+/F41OKAzoHR8
+J8W3UW+QJZIXwUnjLT5BH1ROPYUZYUdQtUBGLbG2UHUI2ZeDmZ7//4DXYuz6yNrD
+AIIJ2przQ4b05P62LiU8zfPXlSkGN+8+wIiBnR5m/DF9RwYR3R853PVYlRwNdUAR
+/YVsXyXPauY9JIgcLck3c7GRPT61kFWXAlO4u8KRF6GZKXONfvMCUjooD0Mdo+Ti
+WL9gX7wcilFPGWUT1Q3QAONdnuf9zueFyK4qzqi78C66k0mJ/jHBMg7TzLy6B9Al
+Z8RNrYZtbd/ObO8e7+mZ/XInQMkJkCDfTkY0nequvr6c58y2WP7FXkSTOA7Fzg1q
+r/JxLqzrqvzIVYHQ2OFiW7joh06e/Lc5ZtgCjHxv2VGPJvBvrpnTtW2tAq++LoIV
+qg5WgWeXDsxlmSlimniqDgrRosieZuMIUbsySFYh+lom6id34VyzD+tGIAUU+jLj
+HfKMIHt5hebKIKiMsxwXctWV+FMHlN4m72/0+eAGNbmu+1dm29Y+MhADoee4UBn9
+J9QAexcmal6QqFf6wD5F2k0a7Y42K526YkFEs1HmA8Ijk5qUWTSiNNEOjzgwp0VB
+ocevVlmkCmydpMDcNdLrAfZIsx2uC9v5DiShJ4SoVkzRedCwXRo6DWIpe5Of3K4U
+wmKHJAljz5jfbrGsoEOcwcknbsznLMv2WwRtbJgn8zmc9gEhcr6nBX0XObT8flNJ
+icePRd265qumYeeriq4pPLuB9G3aQ0wRsFr/061Zp/9XMNHvK0msJ04ll9iRSags
+jt7KG525VRQmvYQiNHBUoo4To2Eyq4UBTQpV/Se+DddBPov3NZdN+AkYMdHBsTPD
+BCyTUQgRvkX38C/2zCx2aic4fjR7J0rrVzZV8BIwx7vY1iUKuDDfHgGtYtvDqhTH
+FodTOgERmyvsv27cnpgH07HfC8E7Dq5tPhmYXYq5t+dlcoUUv1GHy/2LWMSHWFCG
+v/vkokJ1rp2gQQaRCCg7Jx3NpleygeKJjlb0HW4EUsL9aZLBFZtQwEC1Sm7SxrLL
+5xvS/TbufzCoSyQLu+andAalwCN5Qt8EgIwLECnMAze+otABhm6HGqHXqnEE6t2q
+kK6YhnijsigUOa0WQh63fMqS0kytgGwAfl+5ZxJmWgHgOMqlk9Zkg8vpogOpJdm1
+Cy4I5iLeHGR6bpC1kpwI+X7UHxDQIR/sVlhDH6D1ZAdgyG/1XG4geL1h2oOmY1vN
+1G/JhJmdbBtkqIJhqAOQ1XSbmFfJLfN3OXqGNH6zrgIho9JsSmRtl8TUjWc4nPR8
+GZls2PcPdUDKD73jzf8KS/35kqBqdxa6ZIedh+sldi0aAdlTSweUgRDxiQ/znFFy
+gE3GH4Y+hFz/AxK6+cEbwzbvOPpgQpq4R6mY/l2L647kEdrueaz55cNwe04nxhh7
+RxkfwAzcSy1pxfOsOBGTGjKgDyWTj1BHtmpc0BeVLw/+ZkWGZeL6InYPsRNilvb7
+sa7rA16vJCulB1P618Ozh8OnJlxS9PPrnxV/GcuJXSk1qHIEkSW8poPi0eBe50Up
+jXZUemXjpxYamsNzlNjwOY8kG34unHTgxUnJcA2RKI1dqL7Esg7O8Ssx/v2c8lWc
+fU6ab2HKe4MsF3zUNQ0QYqTffTUxLjv1Vrwgl6Sp5IRftFuLS+o+sEDrum1OKNiq
+T31bVS0lUGEb58pbEgLeOQgi+1TxrOXglUDf2BJtjlKsEr8ezM2zzo0JT8odLjF8
+y5ZLpfOhFlJvbi22hlENk2JaehG9gX0OO1B7C0rQmKqdgG7VxLjCduACYKjOVmx6
+jMa2LQ/PZQJ1PKr2YfjeZl8rpDXa+564qb3KQttleHoNPUowcisjl8eB2GswkDb2
+sfjerBjNSCegfKeQ1KHS+JeCEvICv69OnkpqYLzGuS7Kc9UD+PA5r5o0Z15eubmI
+qsLf9Udz2iQDOAoFOhe0CN7WZeUn0+BZ3251WYKK8EJeTRF4qvemEMPGud39Is4Z
+8c5nG1rk8tbW5rpVxsZARgYK3DFas4V5l9OYzbb40rrM1OvFFOv9lQ7iLHalzZWt
+F03AR9aPeWQa3Q8HfTTQZcBtkQRTot/+tra9CzB5TJIyK8VsgZbp9Z1MtsjoXavJ
+ObjQ403/oKMlF+WCWE1b/CR7STEThJPtdRD9kMtDct3hoBfovJJ40U+6cNO+ArBh
+GBzLvkuxpf/Q84DXrRGiGc2nDKB1WShkU/GKmI/NaKGUldM5idWsvEUH42L0R3iF
+2FSxgEXQn6WZ30bdGz2QjquslPlM2kZCTzsk8moNGDYcHkJaBrPq4qs0sZiPikf1
+80jIMtqts2nWVoCjzpklfkDAlK9v51gI06iyGBVcPtb7XnEeBPXdBlJHRXnlXzG3
+x8DlvYH0XljVlNLxqTkyA5fUbQdUfKzKqUgxXs5fOM07aRg4FTd4QWvPG0eCYPhC
+dhTGoQcSI8jgmCue3Cna7TiYRaPeOD9wO+cvV5z4fZDtrbYV14grPyohJsbmXNuS
+wYPZcmNAOR3DoZTtFhEJ8PwCdAOFQ6F/JNkQyzIVtSclGj+DfLSKJ7GYFODB2Fqn
+jO3BQZgUKtJTd+CWjuxfDI1hGV+KH+bDN0FHsPkqUkZtvUDenVH6A8OWJPhFRrhs
+qt5XmTPIECeLHgviJXKZagddRcWXo2GkaY0mYXdkrSTS+I6vdLYT5qIoY2PbTzY2
+191+Stp4puHj7xtVTRLOBDe9gDDXXDO6lluNr8kSM+4UYtvAItIsL16v1eX2aNNP
+HMF0lRCgIRZB4uOb+cRG5BZPML/VGfeUTIQ9pA9CBjeMurD+sBUOog2k9+MoxHE6
+ip3GHZelsU0m59yiDPNk0Pi6kyxVP7UIaIpInojvkYIFcX/uziCW3r9VmB99pLZo
+bGh541Z/qJKOLr9sKOSqeH+DtGM5RIspmsYFHM/ZjLGgubTBkg46++qK+RyT0mGf
+tZ568cgWynxlOfe1BmoGWHu7e2NalKuzUbWdeXDf0Eq0pQEsLhzhaaBcJglBERD9
+HLW2HSuWRP2wNnRpzmQV+vR+I0glVOB23OZZIJ+yt78Jxxk7sYkfcPfjefU9hDdP
+bRXmMDIiX863Stykr2kOm1fKdm8HcakXeF9TF2ixZcKuCVG9xMnoasgc57SsoDai
+38tztETWoI/vSAGqx6Byb8NGR+GqHnp18CrDRaqTPyyDJag/0XobVrO3kUAry3G3
+I+mx1Bm83QckCDwuMYm8czFmH/bbin++tYxEIlMpSvfYoXT/tbm9OQrC9P1DgFDg
+bawxjvf4h/7hvn4rwSDVZXf2StQCTTn95IU3+bDIMDF/8VRK8QqHp75d+V4uewzB
+P/M/avPp3B+OJksrWQZhfodnJT0XBfMQeSLq5r/61WfITYg838kCsNvv3tteJh8+
+Aho2WFv4eDKE9Tns9WUFDaqEFCVGCbomutvMf4e0nIlrA+lfQQldGNTBaipQnC9W
+1gL51v7oy5Z/DwEAs9P2d9+l6AoPkbJPD2Epk4nRqVIAyh6LJJfJysPu5ORqYmhs
+Uetl2ul1wHNX2TZLM85qFpf+o7UGoSI8tt+tI9x/tnayvKajEbUUPOdugAOR5OKm
+LxFTv3Nv0c4mt0eU7DwU0PQSwC5wFqEyqi8+fPxLpPpTj/nwOte3wLH24p0nHVk5
+OI4PlpicWWJyJrj2otLbJzL5BTSKC2at+N2q/WXwUh3aCfOQ2xwnthLaeV8thNdl
+J+w5XLYBNPGDzaKrYXnWMYxlD2bJ3WB4CbkIEfO+liHKQEQag3Eapeip8XOmXghx
+Y7YHPtlgWOiWH67yAQWtlyK6h4Ai8RQAfzb5cukk/kC2BNGPnbc9F1o0H/yYULzf
+yFg6FU9CQ6WikSaNFDafCONAoDV/cmAHf5g05RqJGkcE10HfWEvchWWRAUHA5rec
+s/ocrAC721/qwz5cTzfWdIN+Whc0SAitHB9MDWpPBeSe4xMGMknnZ0HXCDNmi+e+
+UkmPw5IO1ImIOBjrG7ShpqN0jJUBaWov+mGNIf9GJvU=
+=+Tv2
+-----END PGP MESSAGE-----