diff --git a/cache-priv-key.pem b/cache-priv-key.pem new file mode 100644 index 0000000..7bea3ca --- /dev/null +++ b/cache-priv-key.pem @@ -0,0 +1 @@ +nuc.lan:wrXtiqfGMAxEKq/M6oU5Rg0tSGXnchYFtWiUoVAhImiYutqZvBJbCqWp7ThxLHKVZuXlwgiJmwS+aCrb41P/DA== \ No newline at end of file diff --git a/cache-pub-key.pem b/cache-pub-key.pem new file mode 100644 index 0000000..08ea819 --- /dev/null +++ b/cache-pub-key.pem @@ -0,0 +1 @@ +nuc.lan:mLrambwSWwqlqe04cSxylWbl5cIIiZsEvmgq2+NT/ww= \ No newline at end of file diff --git a/flake.lock b/flake.lock index c22e677..b96aae7 100644 --- a/flake.lock +++ b/flake.lock @@ -268,11 +268,11 @@ ] }, "locked": { - "lastModified": 1685764721, - "narHash": "sha256-CIy1iwQTEKfZRrid4gBLA+r/LPGA9IUFo0lKJVyECGI=", + "lastModified": 1686574167, + "narHash": "sha256-hxE8z+S9E4Qw03D2VQRaJUmj9zep3FvhKz316JUZuPA=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "669ca1f2e2bc401abab6b837ae9c51503edc9b49", + "rev": "7e83b70f31f4483c07e6939166cb667ecb8d05d5", "type": "github" }, "original": { diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix index d5c242f..869fb37 100644 --- a/hosts/nuc/default.nix +++ b/hosts/nuc/default.nix @@ -12,7 +12,6 @@ ./modules/nextcloud ./modules/vaultwarden ./modules/nginx - ./modules/nix-serve ]; boot = { @@ -26,6 +25,12 @@ cores = 3; auto-optimise-store = true; }; + + sops.secrets."store/secretkey" = { }; + nix.extraOptions = '' + secret-key-files = ${config.sops.secrets."store/secretkey".path} + ''; + environment.persistence."/nix/persist/system" = { directories = [ "/etc/ssh" @@ -75,8 +80,8 @@ users.users.root.initialHashedPassword = "$y$j9T$hYM7FT2hn3O7OWBn9uz8e0$XquxONcPSke6YjdRGwOzGxC0/92hgP7PIB0y0K.Qdr/"; users.users.root.openssh.authorizedKeys.keyFiles = [ ../../keys/ssh/rouven-thinkpad + ../../keys/ssh/root-thinkpad ../../keys/ssh/rouven-pixel - # ../../keys/ssh/rouven-smartcard ]; system.stateVersion = "22.11"; 
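Review bot: `cache-priv-key.pem` commits what its name and `nuc.lan:` prefix indicate is the store signing secret key in plaintext, even though this same commit also adds an encrypted `store/secretkey` to `secrets/nuc.yaml`. The public half in `cache-pub-key.pem` is the value added to `trusted-public-keys` in `hosts/thinkpad/default.nix`, so anyone who can read the repository would hold a key whose signatures thinkpad accepts. Drop the file from the commit and keep only the sops copy. Because the value remains in history, also generate a new key pair and update `trusted-public-keys` and `publickey_unencrypted` to the new public key.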
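Review bot: In the second hunk of `hosts/nuc/default.nix`, `secret-key-files` is written into the free-form `nix.extraOptions` string, where a typo in the option name is not caught at evaluation time. The structured form keeps it next to the other daemon settings: `nix.settings.secret-key-files = [ config.sops.secrets."store/secretkey".path ];`. A short comment such as `# signs locally built paths so thinkpad can verify them against trusted-public-keys` would also record why the key is there. The enclosing attribute set starts and ends outside the hunk.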
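Review bot: In the third hunk of `hosts/nuc/default.nix`, adding `../../keys/ssh/root-thinkpad` to `users.users.root.openssh.authorizedKeys.keyFiles` gives thinkpad's root account an unrestricted root login on nuc. Per the imports in this file, nuc also runs nextcloud and vaultwarden, while the key is presumably only needed for the `ssh-ng://nuc.lan` substituter and builder set up in `hosts/thinkpad/default.nix`. Consider restricting the key to the Nix daemon with an `authorizedKeys.keys` entry of the form `command="nix-daemon --stdio",restrict ssh-ed25519 <root-thinkpad public key>` (confirm the remote command against the Nix version in use). Alternatively, use a dedicated build user on nuc and reference it from thinkpad via `sshUser`. The enclosing attribute set continues outside the hunk.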
diff --git a/hosts/nuc/modules/nix-serve/default.nix b/hosts/nuc/modules/nix-serve/default.nix deleted file mode 100644 index 0e5f6cd..0000000 --- a/hosts/nuc/modules/nix-serve/default.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ config, ... }: -let - domain = "cache.rfive.de"; -in -{ - sops.secrets."nix-serve/secretkey" = { }; - services.nix-serve = { - enable = true; - secretKeyFile = config.sops.secrets."nix-serve/secretkey".path; - }; - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.nix-serve.port}"; - }; - }; -} diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix index c6c2027..1e7ba0c 100755 --- a/hosts/thinkpad/default.nix +++ b/hosts/thinkpad/default.nix @@ -1,6 +1,5 @@ { config, pkgs, lib, ... }: { - nix.settings.experimental-features = [ "nix-command" "flakes" ]; imports = [ @@ -28,8 +27,32 @@ tmp.useTmpfs = true; }; - nix.settings = { - auto-optimise-store = true; + nix = { + settings = { + experimental-features = [ "nix-command" "flakes" ]; + auto-optimise-store = true; + substituters = [ + "ssh-ng://nuc.lan" + ]; + trusted-public-keys = [ + "nuc.lan:mLrambwSWwqlqe04cSxylWbl5cIIiZsEvmgq2+NT/ww=" + ]; + }; + distributedBuilds = true; + extraOptions = '' + builders-use-substitutes = true + ''; + buildMachines = [ + { + hostName = "nuc.lan"; + system = "x86_64-linux"; + protocol = "ssh-ng"; + maxJobs = 2; + speedFactor = 1; + supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + mandatoryFeatures = [ ]; + } + ]; }; environment.persistence."/nix/persist/system" = { @@ -37,6 +60,7 @@ "/etc/nixos" # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos "/etc/ssh" "/etc/secureboot" + "/root/.ssh" ]; files = [ "/etc/machine-id" diff --git a/keys/ssh/root-thinkpad b/keys/ssh/root-thinkpad new file mode 100644 index 0000000..09da757 --- /dev/null +++ b/keys/ssh/root-thinkpad 
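Review bot: The `buildMachines` entry for `nuc.lan` in `hosts/thinkpad/default.nix` sets none of `sshUser`, `sshKey` or `publicHostKey`, so the login identity and the host-key check both depend on whatever root's SSH state on thinkpad happens to contain. Since `nuc.lan` is a local name, pin the host key declaratively so that the builder and the `ssh-ng://nuc.lan` substituter fail closed if the name resolves to another machine: `publicHostKey = "<base64 of nuc's SSH host public key>";`, or an equivalent `programs.ssh.knownHosts` entry. Stating `sshUser` and `sshKey` explicitly would also document which credential the daemon uses. The surrounding module body starts and ends outside the hunk.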
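Review bot: In the last hunk of `hosts/thinkpad/default.nix`, `"/root/.ssh"` is persisted as a bare string, so its permissions under `/nix/persist/system` are whatever the persistence module defaults to. The directory will presumably hold root's private key for `nuc.lan`. If the impermanence module in use accepts the attribute form, state the mode explicitly: `{ directory = "/root/.ssh"; mode = "0700"; }`. The `directories` list begins outside the hunk.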
@@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2hmHR4+ilTmp+fMXS435na5PIfYxP4aFT1903y31HN root@thinkpad diff --git a/secrets/nuc.yaml b/secrets/nuc.yaml index 9693e2a..b8f872a 100644 --- a/secrets/nuc.yaml +++ b/secrets/nuc.yaml @@ -1,10 +1,10 @@ -nix-serve: - secretkey: ENC[AES256_GCM,data:h4d4CYXm58qpYoiZenS1ARRQkmfX0Q/wGtArNUpCFyD82grl189a9yZ6rPN3MOGHVsTdvZ57N1G8mGnnQYBUf66ZJuQQOr5HhjehenvRv4ZjVzT19zg4U9OyCbCaFPprJXfskyrq0A==,iv:RRezZwpmxR7ZtUE4LDevloWwi5fKkNb7hohXZgfyVVw=,tag:HN7TiFZV1LrrBnl7iv859A==,type:str] - publickey_unencrypted: cache.rfive.de:2E/yzJduGj4SJqYqDhpXO7aM2m5buMMUHN64EZdml3I= +store: + secretkey: ENC[AES256_GCM,data:hS0sCB66drf8flpuvc+yBAFAx00I6T74T0jWGQhNhe4zlZV6j4LAW/qwrlT/XKCEYY+KGk/lMuJ2RwX+i88iHQNVJtliyjKtnMJ6nzGyn6HJAw1mnJHI9vqj7rdhhV1U,iv:gN6tIGNmG/EtadhxsoVVNQ5zrXji4uaWY3257/pWKT4=,tag:P51ngidK6s0JRFdCRZdJ7Q==,type:str] + publickey_unencrypted: nuc.lan:mLrambwSWwqlqe04cSxylWbl5cIIiZsEvmgq2+NT/ww= nextcloud: - adminpass: ENC[AES256_GCM,data:Y7JrzfJTDEZa60r4LCU8gS+HH5eRc7UY1g==,iv:axm69xiZhIiJgz/PLshhAfMCo9B9qnENeDTdSy08WDw=,tag:wM81yqHQlQQZXIjcrJ+Ovg==,type:str] + adminpass: ENC[AES256_GCM,data:lfx7t/ewN23/O0qvSVHrX70W4NygAA0zTA==,iv:Px32DXH8BKQphldeW3CdJjRCXnmMgRx6g0YWZ6ON/pY=,tag:3Effg1hKNNlp+intUEmzxQ==,type:str] vaultwarden: - env: ENC[AES256_GCM,data:ig2NSczXy11oAm0dRzvXy6Fig5JMmUco6uCboKYBpvOeN9HHD8oUOudHOr6D4mI52GWRnqMAri9iBNMwjuSjT9e8A6lxQg==,iv:s33bcYtPY+2ixosePvlM0bMxOPavg0n4npi5yfNlYb4=,tag:Boxi0xkw5pf7fBsHerSxSQ==,type:str] + env: ENC[AES256_GCM,data:LZ/geI1sqA6BgFqSYNpDlNm9tn0GVKyHcbsJJoWDs89MUjEgrk7QBK1VighKQkmW+4xJqqruLfDkrNMmsSQdyWXNISawuw==,iv:ukh3ggqJ1R8DqQQDad86QoKbpHBG5mTBx7oKWbgnrZg=,tag:PlYKW5jtYVCrjAWideG1Dg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -14,33 +14,33 @@ sops: - recipient: age18z4z5pgw8eluu32xe3krg4sxd2rncsnjw6e2axcun7x3vrj62vhq8eyz00 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUHoyMk1JSURGTmRuQ1Jh - b1pGdS92dkpSMWNRQ1JvNFBzOGRUWDdiQnpBCkxFMDMvUG9CcmpKd1pYRUdMbk9W - L0U1d0d0dUloaHhtZG1TUDhUYnRiVE0KLS0tIEpycnBYYWFpWHJHaXYyNG9icDVO - VmxkWFRsK1IzaG45TmVhVXhkZTVHREUKm7EzsUBCv6/jV4Q5wg1oSLnwJ2bElxDi - tWBWzo0oCQAk9mKDKLJoJu7xoCqDnrwhXjbxuvoWPkuAJmclUcZm1w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSaHE4OTN3YXJvL0ZBb2lL + ZkFiTmN4bEtCaEpxZlJKVGs3Zlgyc2lnSGdzCmNScE9IeGMyVTVXOTZoblhWVGZO + cVE1emliN0N2L0JzMU1hVjVZL2FFS2sKLS0tIG9FNlZ6TTBHT2hMNjhRVWdCTFBw + V3l5WVZhL1dVMUxoV1NYdFhVaElYUU0KtYzj7r6+/j2Sqo7AiVdPPKBqsFBiefpj + 4nOJD81tJYMqh7deydKFB1kEYOX4HJ9HfQURzcdbhgWbUv6xys2eyg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-25T12:48:09Z" - mac: ENC[AES256_GCM,data:dBFP6IQdwnZtONmtnP7Aa5UeMs/iC2QKJPNo5r2fA9wZV3CVl/71KkLZNO/f7KrAqLS7zwwo1NJhpaQ707ILCLGAKbjc5yI5PHn/b7x0gcaAnqxiBHTvU2BY3YeSGg65lqsNpwcgvY7s8LcO8xeui9OdKl2Rgz9hFakjfRCZ8EU=,iv:c6W1MWUKBA4ubbayHXfAmsUILvo1WUOTo1N6jQQE4x4=,tag:vLZEmCcS5C/jzknM8ECCGA==,type:str] + lastmodified: "2023-06-12T14:21:14Z" + mac: ENC[AES256_GCM,data:oq2rEKv4MTm1VSVHTJGTO6rVeZsr6s47AHyRYQqr17Sm1jVx6QDnOUI4sxE0hetNEqoKm/rokjSuV2yZBTTfZec3wgCGcqHyBCeCt+HqRaYtVYU2czUTSmDSqGIozin84IEloOcWmnFburfQNaIzIYlio4KgtP+P13Y0aV4UJi8=,iv:0CyOdfN05YltBRIBlZWYC9TeI3uWvaPGJBYu0dzv9Rc=,tag:yXmCk/oc5+sTgfK5CUBCkQ==,type:str] pgp: - - created_at: "2023-02-17T20:34:57Z" + - created_at: "2023-06-12T13:53:20Z" enc: |- -----BEGIN PGP MESSAGE----- - wcFMAzUXo8ZPJwGLAQ/9FEQtzZcyNhkXxNAW7SZdPSahcv+4iWgAZWJBEzWKRmjR - oXb/WlSM0QhqZBg7Z6VywrUVGqMHO4Gwl2j3ekyWzemED6kHoKys+zAgqlyEzy41 - 90E0RLwhwRA7grkA23tDKfB6X7aAysgpgQNcaKXe2590njqjvWGRHiRwL0/xk2b6 - 6V7CTwSqrcouUkujUbWjl5AvM2Ysr4koxNayMA3IdWeO+v6n/ZJ+7LSWGYw9aoHS - /1UnIzlkrGVAS3B24cxiOnyr4R2HK4OTAn4nTNggtl7FT1r+2tVNMkRsWr0ubzvt - 
27kwZvrL8zRVlsIpL0gnPLSiw8vj3H1SdHovoXC/xe/QijMYsjCOYIowR5quKbfS - 5QOhYax+spAkqaCqn2qJha/vqisYXNY7KVNZZPJWhlRawVv1+/6NZZnlxLFddICL - aERcULiXXEEA6W6tti2VUPnkWxZpeHQl8ywaSPrVhjT+qkwgo0JHtri4VDkF5RJi - lC5bjh29qvwAUkUVwouZ/tW/x++0LFrrT2PT8dhSS/+hxI/llGMbJWknXmJ3sNlc - C+cQsRFfpYAdSsGh0qO5WQ1+HzMpRpmcnpkkclFOI1mjgncjWVZVhSU13j+fSXYO - EILl5qtVQO0PoEvYnO3bfItAI5dGjSFyfJbJjTJrtj72Goi0OHATiIYXD8UKJLvS - UQHJA77LhdPgoBIvDhWPqXeu+bG2E7gcUHydoWv/ejFojeSKI3EUqBLNqhKgh6YA - VyXQOmT6I4HTXqWkGHFfIZZl5uj1poKBmDsa2ePfg8e6XQ== - =biZV + wcFMAzUXo8ZPJwGLAQ//S+sWiRzpTzfmCpM00k2bokPu9npV6ntJdQOXR3BDDfu3 + fLN5bFdtbMdTuKur7Ft7a1fqIYlBdgbP4+L7u05Y+A6/LC+u4V+q20mGlD7JGcgm + /CwMW157dT4rHKZqa4oy7F1WFtFJHL4YOIr4of0eU4i7pipNmzcXLqm3Tt2Ls/0i + bshHFPYQK75EOWb6BoZG+s0H2+4JyAN05FKX7/q6QdY6Rm+UOMWje8COalfruEB2 + OFy5Mf+zM4rWwialaQW6KVArDfV0gTZ6JVxRl1n0ADwOYMCqpYc6fxDGcmgFLQ5n + H2U93htxSVYwELYViNDwu8b0DTmVyuLSYIO4+6H9WC26/T7EBC7bTpH0JxPi7d65 + DbZ796q0Ryb3Nxth/NXOcEHBwiUZLSkrCqGC0s5cfk+NX4udJW8sVHjpNN0UalqK + mM9dgKsCGNwNs6LV31o3ML7Z8SIRvk3J7ubwbS+HCYJOM8WgnTA+qCNIGLrFjgfM + kAcMmADr0UTuY+6n3v1ugkuJaMUgRGH0RXXISZhabOignxkBsHmruzrUQNl3MNps + PDmqxFlLsoansgSG8pUuRHCK8WNoFScmcPl5hN7uc709PHjrnzLUq4kKRIauocqJ + UCc63XJAUy6Sy3bwgM/7GazGQRn4NCdWPCds38B3w1FREde7RglnsFibsr19Y+3S + UQHJ1Fs0cum+WOy+kzl0jSm9Eumqg6x4eCQYZYhG+s6xW2CvKWGIPZTNeWkE1adF + 0522Mb8J6VimqF6qwH9WGomL3P9IEJ8km483JlW0rm1frw== + =GU3+ -----END PGP MESSAGE----- fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09 unencrypted_suffix: _unencrypted diff --git a/shared/activation.nix b/shared/activation.nix index 5d83539..0c975d0 100644 --- a/shared/activation.nix +++ b/shared/activation.nix @@ -2,6 +2,6 @@ { system.activationScripts.report-nixos-changes = '' PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]} - nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2) + nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2) || true ''; } diff --git a/shared/default.nix b/shared/default.nix index 886bf93..c4a0c20 100644 
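Review bot: In `shared/activation.nix`, the added `|| true` discards every failure of `nvd diff`, not just the case it is presumably meant to tolerate (fewer than two `system-*-link` profiles). A missing `nvd` or a broken profile link would now pass silently. Keeping activation non-fatal while still leaving a trace is a one-line change: `nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2) || echo "report-nixos-changes: nvd diff failed" >&2`. A comment explaining why the failure is tolerated would help the next reader.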
--- a/shared/default.nix +++ b/shared/default.nix @@ -3,7 +3,7 @@ programs.nix-index-database.comma.enable = true; imports = [ ./activation.nix - ./caches.nix + # ./caches.nix ./gpg.nix ./sops.nix ./vim.nix diff --git a/users/rouven/modules/sway/default.nix b/users/rouven/modules/sway/default.nix index 1d745ee..4c93982 100644 --- a/users/rouven/modules/sway/default.nix +++ b/users/rouven/modules/sway/default.nix @@ -13,6 +13,9 @@ { command = "${pkgs.swaybg}/bin/swaybg -i ${../../../../images/wallpaper.png}"; } + { + command = "${pkgs.autotiling-rs}/bin/autotiling-rs"; + } ]; modifier = "Mod4"; menu = "${pkgs.fuzzel}/bin/fuzzel";
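Review bot: In `shared/default.nix`, `# ./caches.nix` disables the import by commenting it out, leaving no indication of whether this is temporary. Every host that imports `shared/` presumably loses whatever substituters and trusted keys that file configured, not only the two hosts touched in this commit. Either delete the line together with `caches.nix`, or keep it with a reason, e.g. `# ./caches.nix  # disabled: cache.rfive.de replaced by ssh-ng://nuc.lan`. The `imports` list continues outside the hunk.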