diff --git a/flake.lock b/flake.lock index 2c2d38f..f845836 100644 --- a/flake.lock +++ b/flake.lock @@ -36,11 +36,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1706092909, - "narHash": "sha256-VYb4NbVZKQDnW8TTD2ivJAaF9nyXv5bElJi9+oBt4xw=", + "lastModified": 1706523465, + "narHash": "sha256-AKlrSRyoMLRUlN2fGWSWWr1nj46JUgjWDPAG/CdPZhQ=", "owner": "aciceri", "repo": "emacs", - "rev": "588f7b1696d3b7da77a5ea94e921def43529cb70", + "rev": "9ad27b6ea82ebaa3dfd635ccc0ce618d9a5ec006", "type": "github" }, "original": { @@ -78,11 +78,11 @@ ] }, "locked": { - "lastModified": 1706145859, - "narHash": "sha256-+iGHKwzKVW6aGAWfUmUSJW1KiE6WLYhKyTyWZMTw/cg=", + "lastModified": 1706491084, + "narHash": "sha256-eaEv+orTmr2arXpoE4aFZQMVPOYXCBEbLgK22kOtkhs=", "owner": "nix-community", "repo": "disko", - "rev": "5a2dc95464080764b9ca1b82b5d6d981157522be", + "rev": "f67ba6552845ea5d7f596a24d57c33a8a9dc8de9", "type": "github" }, "original": { @@ -118,11 +118,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1706086435, - "narHash": "sha256-e+BqXkquFW7LtC+LCbVrVWTXXr/dCEfNAN9wmdyVJ8k=", + "lastModified": 1706519192, + "narHash": "sha256-xnlbEJxtRR6hjmRJopRe2TBAWIvEB/S/w1V6613u9Nk=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "46d30fdef02008e5f1856d4039a0b48d20a3bca6", + "rev": "380a2b909774bc47385dfa9556f28f243ea87c71", "type": "github" }, "original": { @@ -199,11 +199,11 @@ "extra-package-indent-bars": { "flake": false, "locked": { - "lastModified": 1704855682, - "narHash": "sha256-ie7yF8rlnuJ0j6caKvxwdYH6++1Yik6UnedOg3uHKiM=", + "lastModified": 1706410940, + "narHash": "sha256-8qi7RVjQvOJnt1ziBVPK7vQhlx93nRkomu8rEcW3Pp0=", "owner": "jdtsmith", "repo": "indent-bars", - "rev": "8a4ea0ab83016f87acb94ebf3816a02382b82cad", + "rev": "269774df6d5030832d04c5cf067d7a3a2568a46f", "type": "github" }, "original": { 
@@ -317,6 +317,27 @@ } }, "flake-parts_3": { + "inputs": { + "nixpkgs-lib": [ + "hercules-ci-agent", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1704982712, + "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "hercules-ci-effects", @@ -336,7 +357,7 @@ "type": "indirect" } }, - "flake-parts_4": { + "flake-parts_5": { "inputs": { "nixpkgs-lib": "nixpkgs-lib_3" }, @@ -395,11 +416,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1704982712, - "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "lastModified": 1706569497, + "narHash": "sha256-oixb0IDb5eZYw6BaVr/R/1pSoMh4rfJHkVnlgeRIeZs=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "rev": "60c614008eed1d0383d21daac177a3e036192ed8", "type": "github" }, "original": { 
@@ -429,6 +450,42 @@ "type": "github" } }, + "haskell-flake": { + "locked": { + "lastModified": 1684780604, + "narHash": "sha256-2uMZsewmRn7rRtAnnQNw1lj0uZBMh4m6Cs/7dV5YF08=", + "owner": "srid", + "repo": "haskell-flake", + "rev": "74210fa80a49f1b6f67223debdbf1494596ff9f2", + "type": "github" + }, + "original": { + "owner": "srid", + "ref": "0.3.0", + "repo": "haskell-flake", + "type": "github" + } + }, + "hercules-ci-agent": { + "inputs": { + "flake-parts": "flake-parts_3", + "haskell-flake": "haskell-flake", + "nixpkgs": "nixpkgs_6" + }, + "locked": { + "lastModified": 1706307588, + "narHash": "sha256-t46dB7XCBwj2FOwhFWyMOfriGny1bEOgak24fylo5j4=", + "owner": "hercules-ci", + "repo": "hercules-ci-agent", + "rev": "f01ae96b022bb12d35d7223548a0b05623a55ddf", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "hercules-ci-agent", + "type": "github" + } + }, "hercules-ci-effects": { "inputs": { "flake-parts": "flake-parts_2", @@ -450,8 +507,8 @@ }, "hercules-ci-effects_2": { "inputs": { - "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs_6" + "flake-parts": "flake-parts_4", + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1704029560, @@ -495,11 +552,11 @@ ] }, "locked": { - "lastModified": 1706134977, - "narHash": "sha256-KwNb1Li3K6vuVwZ77tFjZ89AWBo7AiCs9t0Cens4BsM=", + "lastModified": 1706473109, + "narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=", "owner": "nix-community", "repo": "home-manager", - "rev": "6359d40f6ec0b72a38e02b333f343c3d4929ec10", + "rev": "d634c3abafa454551f2083b054cd95c3f287be61", "type": "github" }, "original": { 
@@ -670,11 +727,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1705916986, - "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", + "lastModified": 1706373441, + "narHash": "sha256-S1hbgNbVYhuY2L05OANWqmRzj4cElcbLuIkXTb69xkk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", + "rev": "56911ef3403a9318b7621ce745f5452fb9ef6867", "type": "github" }, "original": { @@ -686,11 +743,11 @@ }, "nixpkgsStable": { "locked": { - "lastModified": 1706098335, - "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=", + "lastModified": 1706515015, + "narHash": "sha256-eFfY5A7wlYy3jD/75lx6IJRueg4noE+jowl0a8lIlVo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a77ab169a83a4175169d78684ddd2e54486ac651", + "rev": "f4a8d6d5324c327dcc2d863eb7f3cc06ad630df4", "type": "github" }, "original": { @@ -702,11 +759,11 @@ }, "nixpkgsUnstable": { "locked": { - "lastModified": 1705856552, - "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", + "lastModified": 1706371002, + "narHash": "sha256-dwuorKimqSYgyu8Cw6ncKhyQjUDOyuXoxDTVmAXq88s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "rev": "c002c6aa977ad22c60398daaa9be52f2203d0006", "type": "github" }, "original": { @@ -718,11 +775,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1705856552, - "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", + "lastModified": 1706191920, + "narHash": "sha256-eLihrZAPZX0R6RyM5fYAWeKVNuQPYjAkCUBr+JNvtdE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "rev": "ae5c332cbb5827f6b1f02572496b141021de335f", "type": "github" }, "original": { 
@@ -750,11 +807,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1705856552, - "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", + "lastModified": 1706191920, + "narHash": "sha256-eLihrZAPZX0R6RyM5fYAWeKVNuQPYjAkCUBr+JNvtdE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "rev": "ae5c332cbb5827f6b1f02572496b141021de335f", "type": "github" }, "original": { @@ -781,6 +838,22 @@ } }, "nixpkgs_6": { + "locked": { + "lastModified": 1705856552, + "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_7": { "locked": { "lastModified": 1703637592, "narHash": "sha256-8MXjxU0RfFfzl57Zy3OfXCITS0qWDNLzlBAdwxGZwfY=", @@ -796,7 +869,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1678470307, "narHash": "sha256-OEeMUr3ueLIXyW/OaFUX5jUdimyQwMg/7e+/Q0gC/QE=", @@ -814,11 +887,11 @@ }, "nur": { "locked": { - "lastModified": 1706174248, - "narHash": "sha256-VNN7md+kJhBvl5bINEXybSG4jHavrQIlXdywpcaEEwc=", + "lastModified": 1706643926, + "narHash": "sha256-GOBRsUCZ3a9GgaLvbm2wpmsnZGY41IvEp9C3rQLXaTI=", "owner": "nix-community", "repo": "NUR", - "rev": "20f64c7125413fc19372f11b45db99363bea7c1f", + "rev": "68b210c7240de86b3639cf9542df9dcb9c504914", "type": "github" }, "original": { @@ -856,11 +929,11 @@ ] }, "locked": { - "lastModified": 1705757126, - "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=", + "lastModified": 1706424699, + "narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc", + "rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf", "type": "github" }, "original": { 
@@ -911,9 +984,9 @@
 "rock5b": {
 "inputs": {
 "fan-control": "fan-control",
- "flake-parts": "flake-parts_4",
+ "flake-parts": "flake-parts_5",
 "kernel-src": "kernel-src",
- "nixpkgs": "nixpkgs_7",
+ "nixpkgs": "nixpkgs_8",
 "nixpkgs-kernel": "nixpkgs-kernel",
 "panfork": "panfork",
 "tow-boot": "tow-boot",
@@ -940,6 +1013,7 @@
 "disko": "disko",
 "dream2nix": "dream2nix",
 "flakeParts": "flakeParts",
+ "hercules-ci-agent": "hercules-ci-agent",
 "hercules-ci-effects": "hercules-ci-effects_2",
 "homeManager": "homeManager",
 "homeManagerGitWorkspace": "homeManagerGitWorkspace",
@@ -1065,11 +1139,11 @@
 ]
 },
 "locked": {
- "lastModified": 1706111218,
- "narHash": "sha256-ueC4DvzFzN9Ft3kLSv8g6uuT3Ghz+jZ7UlGQFPZxBrg=",
+ "lastModified": 1706462057,
+ "narHash": "sha256-7dG1D4iqqt0bEbBqUWk6lZiSqqwwAO0Hd1L5opVyhNM=",
 "owner": "numtide",
 "repo": "treefmt-nix",
- "rev": "23f601bfdef75e21fe8854e24a043bb642201794",
+ "rev": "c6153c2a3ff4c38d231e3ae99af29b87f1df5901",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 1f8a1e8..84b47c3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -43,6 +43,7 @@
 };
 hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects";
 dream2nix.url = "github:nix-community/dream2nix";
+ hercules-ci-agent.url = "github:hercules-ci/hercules-ci-agent";
 };
 
 outputs = inputs @ {flakeParts, ...}:
diff --git a/hosts/default.nix b/hosts/default.nix
index 47676d5..66865e8 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -99,6 +99,7 @@
 };
 extraModules = [
 inputs.disko.nixosModules.disko
+ # inputs.hercules-ci-agent.nixosModules.agent-service
 ];
 extraHmModules = [
 inputs.ccrEmacs.hmModules.default
@@ -127,6 +128,7 @@
 };
 extraModules = with inputs; [
 disko.nixosModules.disko
+ # inputs.hercules-ci-agent.nixosModules.agent-service;
 # rock5b.nixosModules.default
 ];
 secrets = {
@@ -140,6 +142,8 @@
 "restic-hetzner-password" = {};
 "minio-credentials".owner = "minio";
 "aws-credentials".owner = "hercules-ci-agent";
+ "hass-ssh-key".owner = "hass";
+ "matrix-registration-shared-secret".owner = "matrix-synapse";
 };
 };
 };
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index 2423303..79c6557 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -2,6 +2,7 @@
 fleetModules,
 lib,
 config,
+ pkgs,
 ...
 }: {
 imports =
@@ -32,6 +33,7 @@
 "binfmt"
 "greetd"
 "syncthing"
+ "hass-poweroff"
 ]
 ++ [
 ./disko.nix
@@ -106,6 +108,6 @@
 # TODO move away from here (how can the interface name be retrieved programmatically?)
 networking.interfaces.enp11s0.wakeOnLan = {
 enable = true;
- policy = ["broadcast" "magic"];
+ policy = ["magic"];
 };
 }
diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix
index 01818df..1e33ebf 100644
--- a/hosts/sisko/default.nix
+++ b/hosts/sisko/default.nix
@@ -28,6 +28,7 @@
 "restic"
 "syncthing"
 "minio"
+ "matrix"
 ]
 ++ [
 ./disko.nix
diff --git a/modules/cloudflare-dyndns/default.nix b/modules/cloudflare-dyndns/default.nix
index 3fa36c0..d9c40b5 100644
--- a/modules/cloudflare-dyndns/default.nix
+++ b/modules/cloudflare-dyndns/default.nix
@@ -2,15 +2,17 @@
 services.cloudflare-dyndns = {
 enable = true;
 ipv4 = true;
- ipv6 = true;
+ ipv6 = false; # not anymore 😭
 domains = [
- # "sevenofnix.aciceri.dev"
+ "aciceri.dev"
+ "git.aciceri.dev"
 "home.aciceri.dev"
 "torrent.aciceri.dev"
 "search.aciceri.dev"
 "invidious.aciceri.dev"
 "vpn.aciceri.dev"
 "cache.aciceri.dev"
+ "matrix.aciceri.dev"
 ];
 apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
 };
diff --git a/modules/hass-poweroff/default.nix b/modules/hass-poweroff/default.nix
new file mode 100644
index 0000000..4312093
--- /dev/null
+++ b/modules/hass-poweroff/default.nix
@@ -0,0 +1,16 @@
+{pkgs, ...}: {
+ # Creates an user that home assistant can log in as to power off the system
+ users.users.hass = {
+ openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcoVVrMFili8UBjziIu2wyFgcDGTlT1avBh2nLTa9aM"];
+ isNormalUser = true;
+ isSystemUser = false;
+ group = "hass";
+ createHome = false;
+ };
+
+ users.groups.hass = {};
+
+ security.sudo.extraConfig = ''
+ hass ALL=NOPASSWD:${pkgs.systemd}/bin/systemctl
+ '';
+}
diff --git a/modules/home-assistant/default.nix b/modules/home-assistant/default.nix
index 8bc51d0..78da7e6 100644
--- a/modules/home-assistant/default.nix
+++ b/modules/home-assistant/default.nix
@@ -21,12 +21,6 @@
 rev = "9a40a2fa09b0f74aee0b278e2858f5600b3487a9";
 hash = "sha256-i+82EUamV1Fhwhb1vhRqn9aA9dJ0FxSSMD734domyhw=";
 };
- localtuya = pkgs.fetchFromGitHub {
- owner = "rospogrigio";
- repo = "localtuya";
- rev = "f06e4848e67997edfa696aa9a89372fb17077bd0";
- hash = "sha256-hA/1FxH0wfM0jz9VqGCT95rXlrWjxV5oIkSiBf0G0ac=";
- };
 in {
 services.home-assistant = {
 enable = true;
@@ -58,6 +52,7 @@ in {
 "webostv"
 "media_player"
 "wyoming"
+ "wake_on_lan"
 ];
 extraPackages = python3Packages:
 with python3Packages; [
@@ -99,6 +94,18 @@ in {
 # data.mac = "20:28:bc:74:14:c2";
 # };
 # }];
+ wake_on_lan = {};
+ switch = [
+ {
+ name = "Picard";
+ platform = "wake_on_lan";
+ mac = "74:56:3c:37:17:bd"; # this shouldn't be public
+ host = "picard.fleet";
+ turn_off.service = "shell_command.turn_off_picard";
+ }
+ ];
+ shell_command.turn_off_picard = ''${pkgs.openssh}/bin/ssh -i /var/lib/hass/.ssh/id_ed25519 -o StrictHostKeyChecking=no hass@picard.fleet "exec sudo \$(readlink \$(which systemctl)) poweroff"'';
+ # shell_command.turn_off_picard = ''whoami'';
 };
 };
 
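Review bot: The sudoers line `hass ALL=NOPASSWD:${pkgs.systemd}/bin/systemctl` lets the hass account run systemctl with any subcommand as root without a password, which is considerably more than the power-off the comment above it describes. Narrowing it to the one invocation the Home Assistant side issues, `hass ALL=(root) NOPASSWD: ${pkgs.systemd}/bin/systemctl poweroff`, keeps the grant to what is needed. The authorized key can be pinned the same way with a `command="…",restrict` prefix in `openssh.authorizedKeys.keys`, so a leaked key on the Home Assistant host can only trigger that command.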
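Review bot: `shell_command.turn_off_picard` passes `-o StrictHostKeyChecking=no`, so the first connection accepts whatever host key `picard.fleet` presents and a later key change is only warned about rather than refused; the hass key then authenticates to whichever host answers that name. Declaring picard's key with `programs.ssh.knownHosts."picard.fleet".publicKey = "<picard host key>";` (or pointing `-o UserKnownHostsFile=` at a file built from it) and dropping the option gives the shutdown path a pinned peer. The `mac` line's own comment says the value should not be public; once committed it stays in history, so either the comment should go or the value should move to a secret before the repository is published.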
@@ -114,10 +121,12 @@ in {
 systemd.tmpfiles.rules = [
 "d ${config.services.home-assistant.configDir}/custom_components 770 hass hass"
 "L+ ${config.services.home-assistant.configDir}/custom_components/pun_sensor - - - - ${pun_sensor}/custom_components/pun_sensor"
- "L+ ${config.services.home-assistant.configDir}/custom_components/cozy_life - - - - ${cozy_life}/custom_components/cozylife"
- "L+ ${config.services.home-assistant.configDir}/custom_components/localtuya - - - - ${localtuya}/custom_components/localtuya"
+
+ "d ${config.services.home-assistant.configDir}/.ssh 770 hass hass"
+ "C ${config.services.home-assistant.configDir}/.ssh/id_ed25519 700 hass hass - ${config.age.secrets.hass-ssh-key.path}"
+
 "d ${config.services.home-assistant.configDir}/www 770 hass hass"
- "C ${config.services.home-assistant.configDir}/www/home.png - - - - ${config.age.secrets.home-planimetry.path}"
+ "C ${config.services.home-assistant.configDir}/www/home.png 770 hass hass - - ${config.age.secrets.home-planimetry.path}"
 ];
 
 networking.firewall.interfaces."wg0" = {
diff --git a/modules/home-assistant/home.png b/modules/home-assistant/home.png
deleted file mode 100644
index 8a65c4f..0000000
Binary files a/modules/home-assistant/home.png and /dev/null differ
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
new file mode 100644
index 0000000..c248ac3
--- /dev/null
+++ b/modules/matrix/default.nix
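Review bot: The rewritten `www/home.png` rule has one field too many: tmpfiles lines are `Type Path Mode User Group Age Argument`, and `C … 770 hass hass - - ${…}` leaves the argument as `- <secret path>`, so the copy source no longer matches the secret; `"C ${config.services.home-assistant.configDir}/www/home.png 770 hass hass - ${config.age.secrets.home-planimetry.path}"` has the same shape as the new `id_ed25519` rule above it. That key rule uses mode `700`; a private key needs no execute bit, and `600` satisfies ssh's owner-only check just as well. `C` also copies only while the destination is absent, so a rotated `hass-ssh-key` secret is not picked up until the old file is removed — worth a one-line comment above the rule if that is intended. The enclosing module continues outside the hunk.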
@@ -0,0 +1,77 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ clientConfig."m.homeserver".base_url = "https://matrix.aciceri.dev";
+ serverConfig."m.server" = "matrix.aciceri.dev:443";
+ mkWellKnown = data: ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+in {
+ imports = [../nginx-base];
+
+ services.nginx.virtualHosts = {
+ "aciceri.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+ "matrix.aciceri.dev" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://127.0.0.1:${builtins.toString (lib.head config.services.matrix-synapse.settings.listeners).port}";
+ locations."/_matrix".proxyPass = "http://localhost:8008";
+ locations."/_synapse/client".proxyPass = "http://localhost:8008";
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = "aciceri.dev";
+ public_baseurl = "https://matrix.aciceri.dev";
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = ["127.0.0.1"];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = ["client" "federation"];
+ compress = true;
+ }
+ ];
+ }
+ ];
+ };
+ extraConfigFiles = [config.age.secrets.matrix-registration-shared-secret.path];
+ };
+
+ backup.paths = [
+ "/var/lib/matrix-synapse"
+ "/var/backup/postgresql/matrix-synapse.sql.gz"
+ ];
+
+ services.postgresqlBackup = {
+ enable = true;
+ databases = ["matrix-synapse"];
+ };
+}
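Review bot: `locations."/".proxyPass` on `matrix.aciceri.dev` forwards every path to Synapse, which places the admin API under `/_synapse/admin` on the public vhost alongside the client and federation endpoints; the two `locations` that follow already cover what clients and other homeservers need, so the `/` location can be dropped (or reduced to a redirect) to keep the admin API off the internet-facing host. The `initialScript` creates the `matrix-synapse` role with the literal password `'synapse'`, which ends up in the world-readable Nix store; if Synapse connects over the local Unix socket with peer authentication, as the NixOS module does by default and nothing in these `settings` overrides, the password is never used and `WITH LOGIN` alone is enough — otherwise it should come from a secret like the registration shared secret does. A short comment next to `CREATE ROLE` stating which of the two applies would save the next reader the same question.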
diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index f0c669c..1568d5c 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@@ -16,7 +16,7 @@
 ];
 netrc-file = "/etc/nix/netrc";
 substituters = [
- "https://cache.aciceri.dev"
+ "s3://cache?profile=default®ion=eu-south-1&scheme=https&endpoint=cache.aciceri.dev"
 ];
 trusted-public-keys = [
 "cache.aciceri.dev~1:nJMfcBnYieY2WMbYDG0s9S5qUhU+V4RPL+X9zcxXxZY="
diff --git a/modules/ssh-initrd/default.nix b/modules/ssh-initrd/default.nix
index f1c4f9a..9e1ef67 100644
--- a/modules/ssh-initrd/default.nix
+++ b/modules/ssh-initrd/default.nix
@@ -1,24 +1,38 @@
-{config, ...}: {
+{
+ config,
+ pkgs,
+ ...
+}: {
 # For unlocking the disk connect using ssh and type
 # systemctl start initrd-nixos-activation
 boot.initrd = {
 network = {
- enable = true;
 ssh = {
 enable = true;
 ignoreEmptyHostKeys = true;
 extraConfig = ''
 HostKey /ssh_initrd_host_ed25519_key
 '';
+ authorizedKeys = with (import ../../lib).keys.users; [
+ ccr-gpg
+ ccr-ssh
+ ];
 };
 };
 systemd = {
 enable = true;
- storePaths = ["${config.programs.ssh.package}/bin/ssh-keygen"];
+ network.enable = true;
+ storePaths = [
+ "${config.programs.ssh.package}/bin/ssh-keygen"
+ "${pkgs.bashInteractive}/bin/bash"
+ ];
 services.sshd.preStart = ''
- ${config.programs.ssh.package}/bin/ssh-keygen -t ed25519 -N "" -f /ssh_initrd_host_ed25519_key
+ [ ! -f /ssh_initrd_host_ed25519_key ] && ${config.programs.ssh.package}/bin/ssh-keygen -t ed25519 -N "" -f /ssh_initrd_host_ed25519_key
 chmod 600 /ssh_initrd_host_ed25519_key
 '';
 };
 };
+
+ boot.initrd.systemd.additionalUpstreamUnits = ["debug-shell.service"];
+ boot.kernelParams = ["rd.systemd.debug_shell"];
 }
diff --git a/secrets/hass-ssh-key.age b/secrets/hass-ssh-key.age
new file mode 100644
index 0000000..689dc4a
Binary files /dev/null and b/secrets/hass-ssh-key.age differ
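Review bot: The new substituter URL contains `®ion=eu-south-1`; if that is not a rendering artifact of `&region=eu-south-1`, the region parameter is silently lost and the S3 client falls back to its default, so the committed line is worth re-checking. An `s3://` substituter with `profile=default` also means the nix-daemon (running as root) on every host that imports this module must have AWS credentials available before it can substitute anything, which the previous https URL did not need; the `trusted-public-keys` pin on the following lines still verifies every fetched path, so the change affects availability rather than integrity. A comment above the entry naming where the daemon's credentials are expected to come from would make that dependency explicit.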
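Review bot: `boot.kernelParams = ["rd.systemd.debug_shell"]` together with the added `debug-shell.service` starts an unauthenticated root shell on a console tty on every boot, in the same initrd stage where the disk is unlocked over SSH, so anyone with console or physical access bypasses the unlock this module exists to protect. If the shell is only for troubleshooting, keep the unit in `additionalUpstreamUnits` but leave the parameter out of `kernelParams` and pass `rd.systemd.debug_shell` from the bootloader menu when it is actually needed. Separately, the guarded `[ ! -f /ssh_initrd_host_ed25519_key ] && …ssh-keygen…` still mints a fresh host key on every boot because the initrd filesystem does not persist, so clients see a new key each time and cannot pin it; `boot.initrd.network.ssh.hostKeys` pointing at a key kept on the boot partition is the usual way to give the initrd a stable identity.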
diff --git a/secrets/matrix-registration-shared-secret.age b/secrets/matrix-registration-shared-secret.age
new file mode 100644
index 0000000..cd63cd9
--- /dev/null
+++ b/secrets/matrix-registration-shared-secret.age
@@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-rsa /AagBw
+UlR5iCI7jZnIqgfUm7fHrwgJroFYlqA+F8aZudS/i/RjJ6b8ldqdZnefydc+XY9i
+PeAAqAdEVpC0Dae5q4BoWFb0uS5PQPOBmnYqnSm0NMEcGizzpnF+XJL1wPLur/J9
+TRUHHA9MRvVF5QoXrm2wsqQxstnUPZU4ObA+JgnXArMw31aTPOc8KmZWTQKPg2YM
+PyH1Q2Vc3HHKi4CyY2rl18e8JaJGiifrIATl0+/hsfJnOT8o54HcT11b096hiRqU
+NEdH92y4x+hF0dStTPBIEwzLiM2CVght5lR89Lvh3ZP7b10yswB+EKkH1kwcziyn
+3Hq7RM0+jNKbedyViCAuVeis5PezQlFe3yf9eR9YMJdSjhgflLU2KQ3NnXHYoJJ/
+A1XitzFOwKTSEQqHQs2yjTNa3XcoyNDxH49q/svECHmYZamPsc1Ac8cIJOeFf+Id
+xoa0zKJhSZOBwIz5+PrbNN4lYD88sbT6wspQoJwFOvqCx87kwb3HouG0rwDq57BN
+QxybvD7Vz7JPr6D15uWGhNldabvhr+pMt+17wS+DmdjO08iHrwxTrzyvvc86vxhg
+9IvAF3mhIQvBuV9yLSTGE+J8ngp3f6PUfj0CHZTpLpsBvmr83b1gqjVIpxnmJwIW
+MZpPv/x3o81kxyibFA75T+PhGlOPOybZpleRwmLazy4
+-> ssh-rsa QHr3/A
+HjOVYJ5qow3EL+ccqD/8azBdhynKeoSYDMOf9etmemrnBLigJzpoFFjlqyMmfFVj
+vjGvVok/iPO6rrmA27UpEiU6arW8IO1N0IUTulpMYNoDUEWPUHdCQv0pHfArEMi0
+KN37mpm22nusOL3bm8goIcyVFzqP83wGsQXamVjwYLI34XlD2d4ugxWtejoYK/rR
+4xbpgnQv3KuyWuxa5eehBuSPZVcBTwzF3sE9/7UFWZxSeHIpV+S8qoj/kfezqVUl
+lUoXC1uupwT5iNYs7NJ3WZZxWjYdpZdR01K8Z8GAh2BDsVXBBZfxmPZwcr+Ri7Gk
+Ai3AGyw7JyO7YeVXeiGze52fkxzxZmCuN8fKoxi5fgrt3sJMUurXnsCTOAPPj9oE
+FCUT9eGO3mxf213XHEySfhS1C0yEruCtJnmclr3bkFNKVFyM71ABOp8sQwsNuBeB
+3WeufPGCXliV7w+NuNBfa0NAemqDOWmTqZHQEv/D3gLBAiUxtm3Rd5wVkcY0Qy3X
+nq0VyMU+LEcC5h9HvJNnEbUzADR0bab/5jbKfbTrJVimCr6fQmkd8+ua6oGa++Jh
+7BrHauQnVKp5tKnvgUaMWfOp40pjMxUzb1JQMkVD5+uKqD+aUD2SDKODC/FKOLC0
+wNoSoE4m5vNy3SLjY66cVT2Mh80fs6GULqE05k2r5SQ
+-> ssh-ed25519 OgJHCw OjjSmtLRB+pMtn+5NfDQ1FGMgQttjkoN04gs0aIuRHM
+vRwkDC8EewSDLTbB3ZNZO1d3TjulShkeDjjrAFpu2Cc
+--- 4q2bfImq0xXD0apHMUgoP+oNRg9Yr8t1SXpHYtCW0ZE
+[jlE; CoR&lPo5Z>tl h/o~r3+KLg9P l#FN{7tSg+Y)kt T>p
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index d0162d1..1c7a8ca 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -20,6 +20,8 @@ in
 "chatgpt-token.age".publicKeys = [ccr-ssh ccr-gpg kirk mothership picard];
 "cloudflare-dyndns-api-token.age".publicKeys = [ccr-ssh ccr-gpg sisko];
 "restic-hetzner-password.age".publicKeys = [ccr-ssh ccr-gpg picard sisko kirk];
+ "hass-ssh-key.age".publicKeys = [ccr-ssh ccr-gpg sisko];
+ "matrix-registration-shared-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko];
 
 # WireGuard
 "picard-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg picard];