replace http cache with build machines and ssh

cache-priv-key.pem

@@ -0,0 +1 @@
+nuc.lan:wrXtiqfGMAxEKq/M6oU5Rg0tSGXnchYFtWiUoVAhImiYutqZvBJbCqWp7ThxLHKVZuXlwgiJmwS+aCrb41P/DA==

cache-pub-key.pem

@@ -0,0 +1 @@
+nuc.lan:mLrambwSWwqlqe04cSxylWbl5cIIiZsEvmgq2+NT/ww=

flake.lock

@@ -268,11 +268,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1685764721,
+        "lastModified": 1686574167,
-        "narHash": "sha256-CIy1iwQTEKfZRrid4gBLA+r/LPGA9IUFo0lKJVyECGI=",
+        "narHash": "sha256-hxE8z+S9E4Qw03D2VQRaJUmj9zep3FvhKz316JUZuPA=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "669ca1f2e2bc401abab6b837ae9c51503edc9b49",
+        "rev": "7e83b70f31f4483c07e6939166cb667ecb8d05d5",
         "type": "github"
       },
       "original": {

hosts/nuc/default.nix

@@ -12,7 +12,6 @@
       ./modules/nextcloud
       ./modules/vaultwarden
       ./modules/nginx
-      ./modules/nix-serve
     ];
 
   boot = {
@@ -26,6 +25,12 @@
     cores = 3;
     auto-optimise-store = true;
   };
+
+  sops.secrets."store/secretkey" = { };
+  nix.extraOptions = ''
+    secret-key-files = ${config.sops.secrets."store/secretkey".path}
+  '';
+
   environment.persistence."/nix/persist/system" = {
     directories = [
       "/etc/ssh"
@@ -75,8 +80,8 @@
   users.users.root.initialHashedPassword = "$y$j9T$hYM7FT2hn3O7OWBn9uz8e0$XquxONcPSke6YjdRGwOzGxC0/92hgP7PIB0y0K.Qdr/";
   users.users.root.openssh.authorizedKeys.keyFiles = [
     ../../keys/ssh/rouven-thinkpad
+    ../../keys/ssh/root-thinkpad
     ../../keys/ssh/rouven-pixel
-    # ../../keys/ssh/rouven-smartcard
   ];
 
   system.stateVersion = "22.11";

hosts/nuc/modules/nix-serve/default.nix

@@ -1,18 +0,0 @@
-{ config, ... }:
-let
-  domain = "cache.rfive.de";
-in
-{
-  sops.secrets."nix-serve/secretkey" = { };
-  services.nix-serve = {
-    enable = true;
-    secretKeyFile = config.sops.secrets."nix-serve/secretkey".path;
-  };
-  services.nginx.virtualHosts."${domain}" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:${toString config.services.nix-serve.port}";
-    };
-  };
-}

hosts/thinkpad/default.nix

@@ -1,6 +1,5 @@
 { config, pkgs, lib, ... }:
 {
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
   imports =
     [
@@ -28,8 +27,32 @@
     tmp.useTmpfs = true;
   };
 
-  nix.settings = {
+  nix = {
+    settings = {
+      experimental-features = [ "nix-command" "flakes" ];
       auto-optimise-store = true;
+      substituters = [
+        "ssh-ng://nuc.lan"
+      ];
+      trusted-public-keys = [
+        "nuc.lan:mLrambwSWwqlqe04cSxylWbl5cIIiZsEvmgq2+NT/ww="
+      ];
+    };
+    distributedBuilds = true;
+    extraOptions = ''
+      builders-use-substitutes = true
+    '';
+    buildMachines = [
+      {
+        hostName = "nuc.lan";
+        system = "x86_64-linux";
+        protocol = "ssh-ng";
+        maxJobs = 2;
+        speedFactor = 1;
+        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+        mandatoryFeatures = [ ];
+      }
+    ];
   };
 
   environment.persistence."/nix/persist/system" = {
@@ -37,6 +60,7 @@
       "/etc/nixos" # bind mounted from /nix/persist/system/etc/nixos to /etc/nixos
       "/etc/ssh"
       "/etc/secureboot"
+      "/root/.ssh"
     ];
     files = [
       "/etc/machine-id"

keys/ssh/root-thinkpad

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2hmHR4+ilTmp+fMXS435na5PIfYxP4aFT1903y31HN root@thinkpad

secrets/nuc.yaml

@@ -1,10 +1,10 @@
-nix-serve:
+store:
-    secretkey: ENC[AES256_GCM,data:h4d4CYXm58qpYoiZenS1ARRQkmfX0Q/wGtArNUpCFyD82grl189a9yZ6rPN3MOGHVsTdvZ57N1G8mGnnQYBUf66ZJuQQOr5HhjehenvRv4ZjVzT19zg4U9OyCbCaFPprJXfskyrq0A==,iv:RRezZwpmxR7ZtUE4LDevloWwi5fKkNb7hohXZgfyVVw=,tag:HN7TiFZV1LrrBnl7iv859A==,type:str]
+    secretkey: ENC[AES256_GCM,data:hS0sCB66drf8flpuvc+yBAFAx00I6T74T0jWGQhNhe4zlZV6j4LAW/qwrlT/XKCEYY+KGk/lMuJ2RwX+i88iHQNVJtliyjKtnMJ6nzGyn6HJAw1mnJHI9vqj7rdhhV1U,iv:gN6tIGNmG/EtadhxsoVVNQ5zrXji4uaWY3257/pWKT4=,tag:P51ngidK6s0JRFdCRZdJ7Q==,type:str]
-    publickey_unencrypted: cache.rfive.de:2E/yzJduGj4SJqYqDhpXO7aM2m5buMMUHN64EZdml3I=
+    publickey_unencrypted: nuc.lan:mLrambwSWwqlqe04cSxylWbl5cIIiZsEvmgq2+NT/ww=
 nextcloud:
-    adminpass: ENC[AES256_GCM,data:Y7JrzfJTDEZa60r4LCU8gS+HH5eRc7UY1g==,iv:axm69xiZhIiJgz/PLshhAfMCo9B9qnENeDTdSy08WDw=,tag:wM81yqHQlQQZXIjcrJ+Ovg==,type:str]
+    adminpass: ENC[AES256_GCM,data:lfx7t/ewN23/O0qvSVHrX70W4NygAA0zTA==,iv:Px32DXH8BKQphldeW3CdJjRCXnmMgRx6g0YWZ6ON/pY=,tag:3Effg1hKNNlp+intUEmzxQ==,type:str]
 vaultwarden:
-    env: ENC[AES256_GCM,data:ig2NSczXy11oAm0dRzvXy6Fig5JMmUco6uCboKYBpvOeN9HHD8oUOudHOr6D4mI52GWRnqMAri9iBNMwjuSjT9e8A6lxQg==,iv:s33bcYtPY+2ixosePvlM0bMxOPavg0n4npi5yfNlYb4=,tag:Boxi0xkw5pf7fBsHerSxSQ==,type:str]
+    env: ENC[AES256_GCM,data:LZ/geI1sqA6BgFqSYNpDlNm9tn0GVKyHcbsJJoWDs89MUjEgrk7QBK1VighKQkmW+4xJqqruLfDkrNMmsSQdyWXNISawuw==,iv:ukh3ggqJ1R8DqQQDad86QoKbpHBG5mTBx7oKWbgnrZg=,tag:PlYKW5jtYVCrjAWideG1Dg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -14,33 +14,33 @@ sops:
         - recipient: age18z4z5pgw8eluu32xe3krg4sxd2rncsnjw6e2axcun7x3vrj62vhq8eyz00
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUHoyMk1JSURGTmRuQ1Jh
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSaHE4OTN3YXJvL0ZBb2lL
-            b1pGdS92dkpSMWNRQ1JvNFBzOGRUWDdiQnpBCkxFMDMvUG9CcmpKd1pYRUdMbk9W
+            ZkFiTmN4bEtCaEpxZlJKVGs3Zlgyc2lnSGdzCmNScE9IeGMyVTVXOTZoblhWVGZO
-            L0U1d0d0dUloaHhtZG1TUDhUYnRiVE0KLS0tIEpycnBYYWFpWHJHaXYyNG9icDVO
+            cVE1emliN0N2L0JzMU1hVjVZL2FFS2sKLS0tIG9FNlZ6TTBHT2hMNjhRVWdCTFBw
-            VmxkWFRsK1IzaG45TmVhVXhkZTVHREUKm7EzsUBCv6/jV4Q5wg1oSLnwJ2bElxDi
+            V3l5WVZhL1dVMUxoV1NYdFhVaElYUU0KtYzj7r6+/j2Sqo7AiVdPPKBqsFBiefpj
-            tWBWzo0oCQAk9mKDKLJoJu7xoCqDnrwhXjbxuvoWPkuAJmclUcZm1w==
+            4nOJD81tJYMqh7deydKFB1kEYOX4HJ9HfQURzcdbhgWbUv6xys2eyg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-25T12:48:09Z"
+    lastmodified: "2023-06-12T14:21:14Z"
-    mac: ENC[AES256_GCM,data:dBFP6IQdwnZtONmtnP7Aa5UeMs/iC2QKJPNo5r2fA9wZV3CVl/71KkLZNO/f7KrAqLS7zwwo1NJhpaQ707ILCLGAKbjc5yI5PHn/b7x0gcaAnqxiBHTvU2BY3YeSGg65lqsNpwcgvY7s8LcO8xeui9OdKl2Rgz9hFakjfRCZ8EU=,iv:c6W1MWUKBA4ubbayHXfAmsUILvo1WUOTo1N6jQQE4x4=,tag:vLZEmCcS5C/jzknM8ECCGA==,type:str]
+    mac: ENC[AES256_GCM,data:oq2rEKv4MTm1VSVHTJGTO6rVeZsr6s47AHyRYQqr17Sm1jVx6QDnOUI4sxE0hetNEqoKm/rokjSuV2yZBTTfZec3wgCGcqHyBCeCt+HqRaYtVYU2czUTSmDSqGIozin84IEloOcWmnFburfQNaIzIYlio4KgtP+P13Y0aV4UJi8=,iv:0CyOdfN05YltBRIBlZWYC9TeI3uWvaPGJBYu0dzv9Rc=,tag:yXmCk/oc5+sTgfK5CUBCkQ==,type:str]
     pgp:
-        - created_at: "2023-02-17T20:34:57Z"
+        - created_at: "2023-06-12T13:53:20Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            wcFMAzUXo8ZPJwGLAQ/9FEQtzZcyNhkXxNAW7SZdPSahcv+4iWgAZWJBEzWKRmjR
+            wcFMAzUXo8ZPJwGLAQ//S+sWiRzpTzfmCpM00k2bokPu9npV6ntJdQOXR3BDDfu3
-            oXb/WlSM0QhqZBg7Z6VywrUVGqMHO4Gwl2j3ekyWzemED6kHoKys+zAgqlyEzy41
+            fLN5bFdtbMdTuKur7Ft7a1fqIYlBdgbP4+L7u05Y+A6/LC+u4V+q20mGlD7JGcgm
-            90E0RLwhwRA7grkA23tDKfB6X7aAysgpgQNcaKXe2590njqjvWGRHiRwL0/xk2b6
+            /CwMW157dT4rHKZqa4oy7F1WFtFJHL4YOIr4of0eU4i7pipNmzcXLqm3Tt2Ls/0i
-            6V7CTwSqrcouUkujUbWjl5AvM2Ysr4koxNayMA3IdWeO+v6n/ZJ+7LSWGYw9aoHS
+            bshHFPYQK75EOWb6BoZG+s0H2+4JyAN05FKX7/q6QdY6Rm+UOMWje8COalfruEB2
-            /1UnIzlkrGVAS3B24cxiOnyr4R2HK4OTAn4nTNggtl7FT1r+2tVNMkRsWr0ubzvt
+            OFy5Mf+zM4rWwialaQW6KVArDfV0gTZ6JVxRl1n0ADwOYMCqpYc6fxDGcmgFLQ5n
-            27kwZvrL8zRVlsIpL0gnPLSiw8vj3H1SdHovoXC/xe/QijMYsjCOYIowR5quKbfS
+            H2U93htxSVYwELYViNDwu8b0DTmVyuLSYIO4+6H9WC26/T7EBC7bTpH0JxPi7d65
-            5QOhYax+spAkqaCqn2qJha/vqisYXNY7KVNZZPJWhlRawVv1+/6NZZnlxLFddICL
+            DbZ796q0Ryb3Nxth/NXOcEHBwiUZLSkrCqGC0s5cfk+NX4udJW8sVHjpNN0UalqK
-            aERcULiXXEEA6W6tti2VUPnkWxZpeHQl8ywaSPrVhjT+qkwgo0JHtri4VDkF5RJi
+            mM9dgKsCGNwNs6LV31o3ML7Z8SIRvk3J7ubwbS+HCYJOM8WgnTA+qCNIGLrFjgfM
-            lC5bjh29qvwAUkUVwouZ/tW/x++0LFrrT2PT8dhSS/+hxI/llGMbJWknXmJ3sNlc
+            kAcMmADr0UTuY+6n3v1ugkuJaMUgRGH0RXXISZhabOignxkBsHmruzrUQNl3MNps
-            C+cQsRFfpYAdSsGh0qO5WQ1+HzMpRpmcnpkkclFOI1mjgncjWVZVhSU13j+fSXYO
+            PDmqxFlLsoansgSG8pUuRHCK8WNoFScmcPl5hN7uc709PHjrnzLUq4kKRIauocqJ
-            EILl5qtVQO0PoEvYnO3bfItAI5dGjSFyfJbJjTJrtj72Goi0OHATiIYXD8UKJLvS
+            UCc63XJAUy6Sy3bwgM/7GazGQRn4NCdWPCds38B3w1FREde7RglnsFibsr19Y+3S
-            UQHJA77LhdPgoBIvDhWPqXeu+bG2E7gcUHydoWv/ejFojeSKI3EUqBLNqhKgh6YA
+            UQHJ1Fs0cum+WOy+kzl0jSm9Eumqg6x4eCQYZYhG+s6xW2CvKWGIPZTNeWkE1adF
-            VyXQOmT6I4HTXqWkGHFfIZZl5uj1poKBmDsa2ePfg8e6XQ==
+            0522Mb8J6VimqF6qwH9WGomL3P9IEJ8km483JlW0rm1frw==
-            =biZV
+            =GU3+
             -----END PGP MESSAGE-----
           fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
     unencrypted_suffix: _unencrypted

shared/activation.nix

@@ -2,6 +2,6 @@
 {
   system.activationScripts.report-nixos-changes = ''
     PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]}
-    nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
+    nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2) || true
   '';
 }

shared/default.nix

@@ -3,7 +3,7 @@
   programs.nix-index-database.comma.enable = true;
   imports = [
     ./activation.nix
-    ./caches.nix
+    # ./caches.nix
     ./gpg.nix
     ./sops.nix
     ./vim.nix

users/rouven/modules/sway/default.nix

@@ -13,6 +13,9 @@
         {
           command = "${pkgs.swaybg}/bin/swaybg -i ${../../../../images/wallpaper.png}";
         }
+        {
+          command = "${pkgs.autotiling-rs}/bin/autotiling-rs";
+        }
       ];
       modifier = "Mod4";
       menu = "${pkgs.fuzzel}/bin/fuzzel";