8 commits
6bf5b1db73
...
375c2a2e4d
Author | SHA1 | Date | |
---|---|---|---|
375c2a2e4d | |||
61d95f1b23 | |||
d74be71aa1 | |||
325d145b77 | |||
30854e62cf | |||
155d8565cb | |||
521a257fe0 | |||
5b3a971dd2 |
8 changed files with 93 additions and 11 deletions
|
@ -7,6 +7,7 @@ keys:
|
||||||
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
|
||||||
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
|
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
|
||||||
- &nyarlathotep age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
|
- &nyarlathotep age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
|
||||||
|
- &nodens age1vzhru3nsv5ttx3scmxvdep7z29qtsacft48wj2pk2rtkrdywdyuswc3lqn
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: nixos/machines/nyarlathotep/.*
|
- path_regex: nixos/machines/nyarlathotep/.*
|
||||||
|
@ -33,6 +34,14 @@ creation_rules:
|
||||||
- *daniel
|
- *daniel
|
||||||
- *totallynotadolphin
|
- *totallynotadolphin
|
||||||
- *lobon
|
- *lobon
|
||||||
|
- path_regex: nixos/machines/nodens/.*
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *nerf
|
||||||
|
- *gonne
|
||||||
|
- *daniel
|
||||||
|
- *totallynotadolphin
|
||||||
|
- *nodens
|
||||||
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
# this is the catchall clause if nothing above machtes. Encrypt to users but not
|
||||||
# to machines
|
# to machines
|
||||||
- key_groups:
|
- key_groups:
|
||||||
|
|
|
@ -82,6 +82,10 @@ is exactly the same it was on your machine.
|
||||||
If you have a `nixos-rebuild` available on your system, it can automatize these things with the `--flake` and
|
If you have a `nixos-rebuild` available on your system, it can automatize these things with the `--flake` and
|
||||||
`--target-host` parameters. But there are some pitfalls so look at the `nixos-rebuild` documentation beforehand.
|
`--target-host` parameters. But there are some pitfalls so look at the `nixos-rebuild` documentation beforehand.
|
||||||
|
|
||||||
|
### On nodens
|
||||||
|
You can build the machine on `nodens` the same way you would build it on your local machine. On `nodens` there
|
||||||
|
is a key trusted by all machines at `/run/secrets/nodens-deploy.key`, to sign your build.
|
||||||
|
|
||||||
### On the machine
|
### On the machine
|
||||||
|
|
||||||
Clone this repository to `/etc/nixos/` and `nixos-rebuild boot` or `nixos-rebuild switch` that will select
|
Clone this repository to `/etc/nixos/` and `nixos-rebuild boot` or `nixos-rebuild switch` that will select
|
||||||
|
|
12
flake.lock
generated
12
flake.lock
generated
|
@ -698,11 +698,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_6": {
|
"nixpkgs_6": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1744932701,
|
"lastModified": 1746141548,
|
||||||
"narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=",
|
"narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef",
|
"rev": "f02fddb8acef29a8b32f10a335d44828d7825b78",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -849,11 +849,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1744669848,
|
"lastModified": 1745310711,
|
||||||
"narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=",
|
"narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "61154300d945f0b147b30d24ddcafa159148026a",
|
"rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -11,4 +11,11 @@
|
||||||
|
|
||||||
networking.hostName = "nodens";
|
networking.hostName = "nodens";
|
||||||
system.stateVersion = "24.11";
|
system.stateVersion = "24.11";
|
||||||
|
|
||||||
|
sops.secrets."nodens-deploy.key" = {
|
||||||
|
sopsFile = ./deploy.secrets.yaml;
|
||||||
|
owner = "root";
|
||||||
|
group = "root";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
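Review bot: The new `nodens-deploy.key` secret is `root:root` with mode `0400`, yet the README section added in this commit tells users to build on nodens and sign with that key, and nothing in this hunk points the Nix daemon at it; unless it is wired up elsewhere, non-root users cannot read the file and a plain `nixos-rebuild` from nodens will produce unsigned paths, which the other hosts' new `trusted-public-keys` entry does nothing for (the target daemon will reject them unless the deploying user is a `trusted-user` there). If daemon-side signing is the intent, add `nix.settings.secret-key-files = [ config.sops.secrets."nodens-deploy.key".path ];` next to the secret (assuming the module receives `config`), so every path built through the daemon is signed without loosening the file mode, and add a comment on the secret stating that this makes every local build on nodens fleet-trusted, which is the trade-off the common-config comment already describes. Otherwise, document the required `sudo nix store sign --key-file /run/secrets/nodens-deploy.key` step in the README instead of leaving the two in conflict. The enclosing attribute set starts before the hunk.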
52
nixos/machines/nodens/deploy.secrets.yaml
Normal file
52
nixos/machines/nodens/deploy.secrets.yaml
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
nodens-deploy.key: ENC[AES256_GCM,data:78egSKIl+ecnCoIsw30ytx9wYwtnAHppMObpn4tPBuqSNN20ILWK4IdZUTE7H/QkOAbhi+R565efg/Cxt85OghXZ9jwBNXX+EwTwS7LAiGwp2Kxm7kYGX4jWvrmAnvmd/nqM3Rw+DgfGAA==,iv:+5Hz/Vmluk9icv68rmb1Dyi0g6PkW2JyaOnqluC/TKo=,tag:c7DQRCcKsS+9zJ9agCb0VA==,type:str]
|
||||||
|
sops:
|
||||||
|
age:
|
||||||
|
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MWdKbDBpaHoycmdWdlc3
|
||||||
|
MGltTU1rbUhPQ2VtbERWUXQzdWpvd2ZGdzFjCmV0aW5oTkdGMExUUkV1UFV3UkpZ
|
||||||
|
dE5kUktrYUlEQ1hNWEIzdlFxeUFKRXcKLS0tIGN6NStxdTl0VkYvcS82QjJCT0xu
|
||||||
|
eDRtM1BjN0tMVnkwZHF4ajRKUW94aVEKklPazc/5C/g0cTe0xzdwxi+G4vZ3LSbI
|
||||||
|
utp7vfDLIddT4mKVyt4bD/VffDlB5Afvu91mDMEr/WrQGQsmczqdYg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4S1RZVVB2ancrMERNSUZ1
|
||||||
|
Nlg4Q3FZNFl1WUN5b2FVM0pYUDA2cXVtendrCm1TWkZNanZqYnM2eEt3eFZpdS9M
|
||||||
|
SzlpQnZQQzE5OFM1ME5xaXQxOWdGbzQKLS0tIEdXUGFGL3ZOZlZMWTgwY1lNdE5o
|
||||||
|
MS9WYWtuWkpKdDFnb0huelcyVEgvK2sKzRQ6oxBmOrE+OnCF19Nuaf9SZus4CtHD
|
||||||
|
l+q/0xqkSnxz+/Vl3ooq0bPUPXiGrHWkSXb/LFH6crRJHxRAuiga3w==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVlNZZ05TK3c1TitESEYx
|
||||||
|
dkpaMjhKaWNTTElld21yTXcyeVorTHBZYlFBCjF3R3BVNFcvZFZFK0xScmJTUEda
|
||||||
|
TmNySERXVk9jT01JWlFHNGd4MFlwUFkKLS0tIHJQV2dSd1pRbCtqKys3YW1JNVpq
|
||||||
|
QU5wdlBQODh4WmxrY1Z3aHl3WTE0eUUKTJPqJFelo6bQLfFNVa6K8UnUxCM8N15A
|
||||||
|
v8FWo1C71bIbMEtMTOq/TotJwxElUk8Oc10ECd3ST0bWZfyKFtkwHQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1m7l4x2zdgn7akgg5mkm9quen3u9sm0785tzm7vl000anuqrwwg6s5urenn
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTUdtYzJMWk1YSitjNnhi
|
||||||
|
VVdpU0R4eHJIejZmSTNycWxheTZjcjBJdGlZCmxHdWxpaGdhQnFCT0tMRTVTS29X
|
||||||
|
Yks5UEw1MG5OMlZyWHVaZHpLb01vTFEKLS0tIHBTcjZrOHE4S2lZVllGNWpBdzV1
|
||||||
|
ci8xcGo2dzU0NDh2M3RCVEU3VjNDRkUKWZuklDoyHN83M0sfO9lnHP8cfj5ECqbx
|
||||||
|
3/JbV4wOalQ4+LiSSFmgxYXfADtWe4QpRUDCoVEHPc+sBvA09aCh+g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1vzhru3nsv5ttx3scmxvdep7z29qtsacft48wj2pk2rtkrdywdyuswc3lqn
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRa09heTBzZ0xtSHlqR092
|
||||||
|
R3BNQWk3ZXhnd0wwMmI0SVBOSG00cTY2czI4ClZoMHJwdDh0b08xR2lXNStEbVkz
|
||||||
|
RGFnNkJrRkUrU0hIaTJsNzBOdENpdFEKLS0tIHhlazVXeTgzakpTYW1qUzZSMXNJ
|
||||||
|
V3JSeDNsdVNOQ2ZLL2MvSDBZdk1wTzgKPzrGAY1xqJ679iTqe+gUXB3UoTuA71Rj
|
||||||
|
KUTxgml2J6R+3mI61VFL1C5mDApFPoI6FaG/dXk5zgXSO1auVxHlAA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2025-06-20T16:36:28Z"
|
||||||
|
mac: ENC[AES256_GCM,data:2UKbVUVB0WYZBAti4QN6gqsl9bsYjjjy6JOwwHYpLXywsXZOkpj1wptwdAXyjR3s9KT0fpywxZgCPtIqYb6wd8QqXkNzrTcVc6I7OJtDizcHh/tNvNsVvlC4I1+VpbTlIkmw3OxbIf88MrsVUxCFcyin7spIFHLtgIVQVO1xAHI=,iv:v7c/Wa81EE43hnWi6xISlxuzgfDxdpABkfQb/0zF+Kc=,tag:2fDl4Hy59d5QiXF3KZG+EQ==,type:str]
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.10.2
|
|
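Review bot: This file is effectively the deploy ACL for the whole fleet, since anyone holding one of the five `age` recipient keys can decrypt the Nix signing key every machine now trusts, so the recipient list should be checked against the `key_groups` of the new `nixos/machines/nodens/.*` creation rule; from the part of `.sops.yaml` visible here only `age1vzhru3…` can be matched to `&nodens`, and the other four are presumably nerf, gonne, daniel and totallynotadolphin, which should be confirmed. Removing a recipient later and running `sops updatekeys` re-encrypts the file but cannot revoke what that person already decrypted, and because this secret is a long-lived signing key, offboarding a user means regenerating the key pair, replacing this file and updating `trusted-public-keys` on every host. That procedure is worth recording in the README's "On nodens" section, since sops encrypts YAML comments and a note inside this file would not be readable in review.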
@ -14,7 +14,7 @@ with lib; let
|
||||||
gonne = {
|
gonne = {
|
||||||
hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/";
|
hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/";
|
||||||
sshKeys = [
|
sshKeys = [
|
||||||
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAhwkSDISCWLN2GhHfxdZsVkK4J7JoEcPwtNbAesb+BZAAAABHNzaDo= Gonne"
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINTLfV2kNJPSGa1K7siu2pWE4Hn01rHvvsjy1ixjvbp+AAAABHNzaDo= gonne@mathebau.de"
|
||||||
];
|
];
|
||||||
nixKeys = [
|
nixKeys = [
|
||||||
"gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
|
"gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
|
||||||
|
|
|
@ -30,6 +30,16 @@
|
||||||
|
|
||||||
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||||
|
|
||||||
|
# additional trusted keys for substituters for every machine
|
||||||
|
# right now it is only nodens so nodens can build system configs
|
||||||
|
# and we can deploy them from nodens.
|
||||||
|
# For security reasons we might want to move this to the vm part, as
|
||||||
|
# someone who can get control of nodens and get hold of the build process
|
||||||
|
# can gain control of the other machines. While this is very handy
|
||||||
|
# and a step towards CI, we might not want this for backups.
|
||||||
|
# (This is a tradeof between security and convenience)
|
||||||
|
nix.settings.trusted-public-keys = ["nodens-deploy.key:VHJmEr17pdoEEnWlSfC03TIf4GBbClxGRiInHuWaUvU="];
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
systemPackages = builtins.attrValues {
|
systemPackages = builtins.attrValues {
|
||||||
inherit
|
inherit
|
||||||
|
|
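Review bot: The key name `nodens-deploy.key:` in the new `nix.settings.trusted-public-keys` entry carries the secret file's name rather than the `<host>-<n>` convention the repo already uses for Nix keys (`gonne.mathebau.de-1:` in `nixKeys`); the name is part of the key files and of every signature, and it is now being baked into every machine's trust list, so a numbered name such as `nodens.mathebau.de-1:VHJm…` chosen before first deployment makes a later rotation (trusting `-2` alongside `-1`, then dropping `-1`) far simpler than a rename would be. The comment above the line already states the risk; it would be more useful as a concrete control, e.g. `# Revoking this key means removing it here and rebuilding every host; regenerating the secret alone is not enough.`, and keeping the definition in a module that backup hosts can omit, as the comment itself proposes. The enclosing attribute set starts and ends outside the hunk.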
8
packages/alias-to-sieve/Cargo.lock
generated
8
packages/alias-to-sieve/Cargo.lock
generated
|
@ -203,9 +203,9 @@ checksum = "eded382c5f5f786b989652c49544c4877d9f015cc22e145a5ea8ea66c2921cd2"
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "sha2"
|
name = "sha2"
|
||||||
version = "0.10.8"
|
version = "0.10.9"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8"
|
checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"cfg-if",
|
"cfg-if",
|
||||||
"cpufeatures",
|
"cpufeatures",
|
||||||
|
@ -214,9 +214,9 @@ dependencies = [
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "syn"
|
name = "syn"
|
||||||
version = "2.0.100"
|
version = "2.0.101"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "b09a44accad81e1ba1cd74a32461ba89dee89095ba17b32f5d03683b1b1fc2a0"
|
checksum = "8ce2b7fc941b3a24138a0a7cf8e858bfc6a992e7978a068a5c760deb0ed43caf"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"proc-macro2",
|
"proc-macro2",
|
||||||
"quote",
|
"quote",
|
||||||
|
|