Fix wol

Flake lock file updates:

• Updated input 'ccrEmacs':
    'github:aciceri/emacs/8386fbef35f25e268db1b1d636a884ed175fba27' (2024-01-26)
  → 'github:aciceri/emacs/9ad27b6ea82ebaa3dfd635ccc0ce618d9a5ec006' (2024-01-29)
• Updated input 'ccrEmacs/emacs-overlay':
    'github:nix-community/emacs-overlay/babae500c2bca610eb38e17a1ef1bf0f70beb29e' (2024-01-26)
  → 'github:nix-community/emacs-overlay/380a2b909774bc47385dfa9556f28f243ea87c71' (2024-01-29)
• Updated input 'ccrEmacs/emacs-overlay/nixpkgs':
    'github:NixOS/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21)
  → 'github:NixOS/nixpkgs/ae5c332cbb5827f6b1f02572496b141021de335f' (2024-01-25)
• Updated input 'ccrEmacs/emacs-overlay/nixpkgs-stable':
    'github:NixOS/nixpkgs/a77ab169a83a4175169d78684ddd2e54486ac651' (2024-01-24)
  → 'github:NixOS/nixpkgs/56911ef3403a9318b7621ce745f5452fb9ef6867' (2024-01-27)
• Updated input 'ccrEmacs/extra-package-indent-bars':
    'github:jdtsmith/indent-bars/8a4ea0ab83016f87acb94ebf3816a02382b82cad' (2024-01-10)
  → 'github:jdtsmith/indent-bars/269774df6d5030832d04c5cf067d7a3a2568a46f' (2024-01-28)
• Updated input 'ccrEmacs/nixpkgs':
    'github:NixOS/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21)
  → 'github:NixOS/nixpkgs/ae5c332cbb5827f6b1f02572496b141021de335f' (2024-01-25)
• Updated input 'disko':
    'github:nix-community/disko/f7424625dc1f2e4eceac3009cbd1203d566feebc' (2024-01-26)
  → 'github:nix-community/disko/f67ba6552845ea5d7f596a24d57c33a8a9dc8de9' (2024-01-29)
• Updated input 'flakeParts':
    'github:hercules-ci/flake-parts/07f6395285469419cf9d078f59b5b49993198c00' (2024-01-11)
  → 'github:hercules-ci/flake-parts/60c614008eed1d0383d21daac177a3e036192ed8' (2024-01-29)
• Updated input 'homeManager':
    'github:nix-community/home-manager/4d54c29bce71f8c261513e0662cc573d30f3e33e' (2024-01-28)
  → 'github:nix-community/home-manager/d634c3abafa454551f2083b054cd95c3f287be61' (2024-01-28)
• Updated input 'nixpkgsStable':
    'github:NixOS/nixpkgs/a77ab169a83a4175169d78684ddd2e54486ac651' (2024-01-24)
  → 'github:NixOS/nixpkgs/f4a8d6d5324c327dcc2d863eb7f3cc06ad630df4' (2024-01-29)
• Updated input 'nixpkgsUnstable':
    'github:NixOS/nixpkgs/ae5c332cbb5827f6b1f02572496b141021de335f' (2024-01-25)
  → 'github:NixOS/nixpkgs/c002c6aa977ad22c60398daaa9be52f2203d0006' (2024-01-27)
• Updated input 'nur':
    'github:nix-community/NUR/f271bc81436c96bf40da5100d8c6aa754e5cc403' (2024-01-28)
  → 'github:nix-community/NUR/68b210c7240de86b3639cf9542df9dcb9c504914' (2024-01-30)
• Updated input 'treefmt-nix':
    'github:numtide/treefmt-nix/fbef7c773be115ed33f37e97256a9e8f6312b925' (2024-01-26)
  → 'github:numtide/treefmt-nix/c6153c2a3ff4c38d231e3ae99af29b87f1df5901' (2024-01-28)

flake.lock

@@ -36,11 +36,11 @@
         "nixpkgs": "nixpkgs_4"
       },
       "locked": {
-        "lastModified": 1706092909,
+        "lastModified": 1706523465,
-        "narHash": "sha256-VYb4NbVZKQDnW8TTD2ivJAaF9nyXv5bElJi9+oBt4xw=",
+        "narHash": "sha256-AKlrSRyoMLRUlN2fGWSWWr1nj46JUgjWDPAG/CdPZhQ=",
         "owner": "aciceri",
         "repo": "emacs",
-        "rev": "588f7b1696d3b7da77a5ea94e921def43529cb70",
+        "rev": "9ad27b6ea82ebaa3dfd635ccc0ce618d9a5ec006",
         "type": "github"
       },
       "original": {
@@ -78,11 +78,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706145859,
+        "lastModified": 1706491084,
-        "narHash": "sha256-+iGHKwzKVW6aGAWfUmUSJW1KiE6WLYhKyTyWZMTw/cg=",
+        "narHash": "sha256-eaEv+orTmr2arXpoE4aFZQMVPOYXCBEbLgK22kOtkhs=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "5a2dc95464080764b9ca1b82b5d6d981157522be",
+        "rev": "f67ba6552845ea5d7f596a24d57c33a8a9dc8de9",
         "type": "github"
       },
       "original": {
@@ -118,11 +118,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1706086435,
+        "lastModified": 1706519192,
-        "narHash": "sha256-e+BqXkquFW7LtC+LCbVrVWTXXr/dCEfNAN9wmdyVJ8k=",
+        "narHash": "sha256-xnlbEJxtRR6hjmRJopRe2TBAWIvEB/S/w1V6613u9Nk=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "46d30fdef02008e5f1856d4039a0b48d20a3bca6",
+        "rev": "380a2b909774bc47385dfa9556f28f243ea87c71",
         "type": "github"
       },
       "original": {
@@ -199,11 +199,11 @@
     "extra-package-indent-bars": {
       "flake": false,
       "locked": {
-        "lastModified": 1704855682,
+        "lastModified": 1706410940,
-        "narHash": "sha256-ie7yF8rlnuJ0j6caKvxwdYH6++1Yik6UnedOg3uHKiM=",
+        "narHash": "sha256-8qi7RVjQvOJnt1ziBVPK7vQhlx93nRkomu8rEcW3Pp0=",
         "owner": "jdtsmith",
         "repo": "indent-bars",
-        "rev": "8a4ea0ab83016f87acb94ebf3816a02382b82cad",
+        "rev": "269774df6d5030832d04c5cf067d7a3a2568a46f",
         "type": "github"
       },
       "original": {
@@ -317,6 +317,27 @@
       }
     },
     "flake-parts_3": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "hercules-ci-agent",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1704982712,
+        "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "07f6395285469419cf9d078f59b5b49993198c00",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_4": {
       "inputs": {
         "nixpkgs-lib": [
           "hercules-ci-effects",
@@ -336,7 +357,7 @@
         "type": "indirect"
       }
     },
-    "flake-parts_4": {
+    "flake-parts_5": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib_3"
       },
@@ -395,11 +416,11 @@
         "nixpkgs-lib": "nixpkgs-lib_2"
       },
       "locked": {
-        "lastModified": 1704982712,
+        "lastModified": 1706569497,
-        "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
+        "narHash": "sha256-oixb0IDb5eZYw6BaVr/R/1pSoMh4rfJHkVnlgeRIeZs=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "07f6395285469419cf9d078f59b5b49993198c00",
+        "rev": "60c614008eed1d0383d21daac177a3e036192ed8",
         "type": "github"
       },
       "original": {
@@ -429,6 +450,42 @@
         "type": "github"
       }
     },
+    "haskell-flake": {
+      "locked": {
+        "lastModified": 1684780604,
+        "narHash": "sha256-2uMZsewmRn7rRtAnnQNw1lj0uZBMh4m6Cs/7dV5YF08=",
+        "owner": "srid",
+        "repo": "haskell-flake",
+        "rev": "74210fa80a49f1b6f67223debdbf1494596ff9f2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "srid",
+        "ref": "0.3.0",
+        "repo": "haskell-flake",
+        "type": "github"
+      }
+    },
+    "hercules-ci-agent": {
+      "inputs": {
+        "flake-parts": "flake-parts_3",
+        "haskell-flake": "haskell-flake",
+        "nixpkgs": "nixpkgs_6"
+      },
+      "locked": {
+        "lastModified": 1706307588,
+        "narHash": "sha256-t46dB7XCBwj2FOwhFWyMOfriGny1bEOgak24fylo5j4=",
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-agent",
+        "rev": "f01ae96b022bb12d35d7223548a0b05623a55ddf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-agent",
+        "type": "github"
+      }
+    },
     "hercules-ci-effects": {
       "inputs": {
         "flake-parts": "flake-parts_2",
@@ -450,8 +507,8 @@
     },
     "hercules-ci-effects_2": {
       "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_4",
-        "nixpkgs": "nixpkgs_6"
+        "nixpkgs": "nixpkgs_7"
       },
       "locked": {
         "lastModified": 1704029560,
@@ -495,11 +552,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706134977,
+        "lastModified": 1706473109,
-        "narHash": "sha256-KwNb1Li3K6vuVwZ77tFjZ89AWBo7AiCs9t0Cens4BsM=",
+        "narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6359d40f6ec0b72a38e02b333f343c3d4929ec10",
+        "rev": "d634c3abafa454551f2083b054cd95c3f287be61",
         "type": "github"
       },
       "original": {
@@ -670,11 +727,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1705916986,
+        "lastModified": 1706373441,
-        "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=",
+        "narHash": "sha256-S1hbgNbVYhuY2L05OANWqmRzj4cElcbLuIkXTb69xkk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8",
+        "rev": "56911ef3403a9318b7621ce745f5452fb9ef6867",
         "type": "github"
       },
       "original": {
@@ -686,11 +743,11 @@
     },
     "nixpkgsStable": {
       "locked": {
-        "lastModified": 1706098335,
+        "lastModified": 1706515015,
-        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
+        "narHash": "sha256-eFfY5A7wlYy3jD/75lx6IJRueg4noE+jowl0a8lIlVo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
+        "rev": "f4a8d6d5324c327dcc2d863eb7f3cc06ad630df4",
         "type": "github"
       },
       "original": {
@@ -702,11 +759,11 @@
     },
     "nixpkgsUnstable": {
       "locked": {
-        "lastModified": 1705856552,
+        "lastModified": 1706371002,
-        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
+        "narHash": "sha256-dwuorKimqSYgyu8Cw6ncKhyQjUDOyuXoxDTVmAXq88s=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+        "rev": "c002c6aa977ad22c60398daaa9be52f2203d0006",
         "type": "github"
       },
       "original": {
@@ -718,11 +775,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1705856552,
+        "lastModified": 1706191920,
-        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
+        "narHash": "sha256-eLihrZAPZX0R6RyM5fYAWeKVNuQPYjAkCUBr+JNvtdE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+        "rev": "ae5c332cbb5827f6b1f02572496b141021de335f",
         "type": "github"
       },
       "original": {
@@ -750,11 +807,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1705856552,
+        "lastModified": 1706191920,
-        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
+        "narHash": "sha256-eLihrZAPZX0R6RyM5fYAWeKVNuQPYjAkCUBr+JNvtdE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+        "rev": "ae5c332cbb5827f6b1f02572496b141021de335f",
         "type": "github"
       },
       "original": {
@@ -781,6 +838,22 @@
       }
     },
     "nixpkgs_6": {
+      "locked": {
+        "lastModified": 1705856552,
+        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_7": {
       "locked": {
         "lastModified": 1703637592,
         "narHash": "sha256-8MXjxU0RfFfzl57Zy3OfXCITS0qWDNLzlBAdwxGZwfY=",
@@ -796,7 +869,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_7": {
+    "nixpkgs_8": {
       "locked": {
         "lastModified": 1678470307,
         "narHash": "sha256-OEeMUr3ueLIXyW/OaFUX5jUdimyQwMg/7e+/Q0gC/QE=",
@@ -814,11 +887,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1706174248,
+        "lastModified": 1706643926,
-        "narHash": "sha256-VNN7md+kJhBvl5bINEXybSG4jHavrQIlXdywpcaEEwc=",
+        "narHash": "sha256-GOBRsUCZ3a9GgaLvbm2wpmsnZGY41IvEp9C3rQLXaTI=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "20f64c7125413fc19372f11b45db99363bea7c1f",
+        "rev": "68b210c7240de86b3639cf9542df9dcb9c504914",
         "type": "github"
       },
       "original": {
@@ -856,11 +929,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1705757126,
+        "lastModified": 1706424699,
-        "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=",
+        "narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc",
+        "rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf",
         "type": "github"
       },
       "original": {
@@ -911,9 +984,9 @@
     "rock5b": {
       "inputs": {
         "fan-control": "fan-control",
-        "flake-parts": "flake-parts_4",
+        "flake-parts": "flake-parts_5",
         "kernel-src": "kernel-src",
-        "nixpkgs": "nixpkgs_7",
+        "nixpkgs": "nixpkgs_8",
         "nixpkgs-kernel": "nixpkgs-kernel",
         "panfork": "panfork",
         "tow-boot": "tow-boot",
@@ -940,6 +1013,7 @@
         "disko": "disko",
         "dream2nix": "dream2nix",
         "flakeParts": "flakeParts",
+        "hercules-ci-agent": "hercules-ci-agent",
         "hercules-ci-effects": "hercules-ci-effects_2",
         "homeManager": "homeManager",
         "homeManagerGitWorkspace": "homeManagerGitWorkspace",
@@ -1065,11 +1139,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706111218,
+        "lastModified": 1706462057,
-        "narHash": "sha256-ueC4DvzFzN9Ft3kLSv8g6uuT3Ghz+jZ7UlGQFPZxBrg=",
+        "narHash": "sha256-7dG1D4iqqt0bEbBqUWk6lZiSqqwwAO0Hd1L5opVyhNM=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "23f601bfdef75e21fe8854e24a043bb642201794",
+        "rev": "c6153c2a3ff4c38d231e3ae99af29b87f1df5901",
         "type": "github"
       },
       "original": {

flake.nix

@@ -43,6 +43,7 @@
     };
     hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects";
     dream2nix.url = "github:nix-community/dream2nix";
+    hercules-ci-agent.url = "github:hercules-ci/hercules-ci-agent";
   };
 
   outputs = inputs @ {flakeParts, ...}:

hosts/default.nix

@@ -99,6 +99,7 @@
         };
         extraModules = [
           inputs.disko.nixosModules.disko
+          # inputs.hercules-ci-agent.nixosModules.agent-service
         ];
         extraHmModules = [
           inputs.ccrEmacs.hmModules.default
@@ -127,6 +128,7 @@
         };
         extraModules = with inputs; [
           disko.nixosModules.disko
+          # inputs.hercules-ci-agent.nixosModules.agent-service;
           # rock5b.nixosModules.default
         ];
         secrets = {
@@ -140,6 +142,8 @@
           "restic-hetzner-password" = {};
           "minio-credentials".owner = "minio";
           "aws-credentials".owner = "hercules-ci-agent";
+          "hass-ssh-key".owner = "hass";
+          "matrix-registration-shared-secret".owner = "matrix-synapse";
         };
       };
     };

hosts/picard/default.nix

@@ -2,6 +2,7 @@
   fleetModules,
   lib,
   config,
+  pkgs,
   ...
 }: {
   imports =
@@ -32,6 +33,7 @@
       "binfmt"
       "greetd"
       "syncthing"
+      "hass-poweroff"
     ]
     ++ [
       ./disko.nix
@@ -106,6 +108,6 @@
   # TODO move away from here (how can the interface name be retrieved programmatically?)
   networking.interfaces.enp11s0.wakeOnLan = {
     enable = true;
-    policy = ["broadcast" "magic"];
+    policy = ["magic"];
   };
 }

hosts/sisko/default.nix

@@ -28,6 +28,7 @@
       "restic"
       "syncthing"
       "minio"
+      "matrix"
     ]
     ++ [
       ./disko.nix

modules/cloudflare-dyndns/default.nix

@@ -2,15 +2,17 @@
   services.cloudflare-dyndns = {
     enable = true;
     ipv4 = true;
-    ipv6 = true;
+    ipv6 = false; # not anymore 😭
     domains = [
-      # "sevenofnix.aciceri.dev"
+      "aciceri.dev"
+      "git.aciceri.dev"
       "home.aciceri.dev"
       "torrent.aciceri.dev"
       "search.aciceri.dev"
       "invidious.aciceri.dev"
       "vpn.aciceri.dev"
       "cache.aciceri.dev"
+      "matrix.aciceri.dev"
     ];
     apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
   };

modules/hass-poweroff/default.nix

@@ -0,0 +1,16 @@
+{pkgs, ...}: {
+  # Creates an user that home assistant can log in as to power off the system
+  users.users.hass = {
+    openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcoVVrMFili8UBjziIu2wyFgcDGTlT1avBh2nLTa9aM"];
+    isNormalUser = true;
+    isSystemUser = false;
+    group = "hass";
+    createHome = false;
+  };
+
+  users.groups.hass = {};
+
+  security.sudo.extraConfig = ''
+    hass ALL=NOPASSWD:${pkgs.systemd}/bin/systemctl
+  '';
+}

modules/home-assistant/default.nix

@@ -21,12 +21,6 @@
     rev = "9a40a2fa09b0f74aee0b278e2858f5600b3487a9";
     hash = "sha256-i+82EUamV1Fhwhb1vhRqn9aA9dJ0FxSSMD734domyhw=";
   };
-  localtuya = pkgs.fetchFromGitHub {
-    owner = "rospogrigio";
-    repo = "localtuya";
-    rev = "f06e4848e67997edfa696aa9a89372fb17077bd0";
-    hash = "sha256-hA/1FxH0wfM0jz9VqGCT95rXlrWjxV5oIkSiBf0G0ac=";
-  };
 in {
   services.home-assistant = {
     enable = true;
@@ -58,6 +52,7 @@ in {
       "webostv"
       "media_player"
       "wyoming"
+      "wake_on_lan"
     ];
     extraPackages = python3Packages:
       with python3Packages; [
@@ -99,6 +94,18 @@ in {
       #     data.mac = "20:28:bc:74:14:c2";
       #   };
       # }];
+      wake_on_lan = {};
+      switch = [
+        {
+          name = "Picard";
+          platform = "wake_on_lan";
+          mac = "74:56:3c:37:17:bd"; # this shouldn't be public
+          host = "picard.fleet";
+          turn_off.service = "shell_command.turn_off_picard";
+        }
+      ];
+      shell_command.turn_off_picard = ''${pkgs.openssh}/bin/ssh -i /var/lib/hass/.ssh/id_ed25519 -o StrictHostKeyChecking=no hass@picard.fleet "exec sudo \$(readlink \$(which systemctl)) poweroff"'';
+      # shell_command.turn_off_picard = ''whoami'';
     };
   };
 
@@ -114,10 +121,12 @@ in {
   systemd.tmpfiles.rules = [
     "d ${config.services.home-assistant.configDir}/custom_components 770 hass hass"
     "L+ ${config.services.home-assistant.configDir}/custom_components/pun_sensor - - - - ${pun_sensor}/custom_components/pun_sensor"
-    "L+ ${config.services.home-assistant.configDir}/custom_components/cozy_life - - - - ${cozy_life}/custom_components/cozylife"
+
-    "L+ ${config.services.home-assistant.configDir}/custom_components/localtuya - - - - ${localtuya}/custom_components/localtuya"
+    "d ${config.services.home-assistant.configDir}/.ssh 770 hass hass"
+    "C ${config.services.home-assistant.configDir}/.ssh/id_ed25519 700 hass hass - ${config.age.secrets.hass-ssh-key.path}"
+
     "d ${config.services.home-assistant.configDir}/www 770 hass hass"
-    "C ${config.services.home-assistant.configDir}/www/home.png - - - - ${config.age.secrets.home-planimetry.path}"
+    "C ${config.services.home-assistant.configDir}/www/home.png 770 hass hass - - ${config.age.secrets.home-planimetry.path}"
   ];
 
   networking.firewall.interfaces."wg0" = {

modules/matrix/default.nix

@@ -0,0 +1,77 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  clientConfig."m.homeserver".base_url = "https://matrix.aciceri.dev";
+  serverConfig."m.server" = "matrix.aciceri.dev:443";
+  mkWellKnown = data: ''
+    default_type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
+in {
+  imports = [../nginx-base];
+
+  services.nginx.virtualHosts = {
+    "aciceri.dev" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+      locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+    };
+    "matrix.aciceri.dev" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString (lib.head config.services.matrix-synapse.settings.listeners).port}";
+      locations."/_matrix".proxyPass = "http://localhost:8008";
+      locations."/_synapse/client".proxyPass = "http://localhost:8008";
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+           CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+           CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+             TEMPLATE template0
+      LC_COLLATE = "C"
+             LC_CTYPE = "C";
+    '';
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = "aciceri.dev";
+      public_baseurl = "https://matrix.aciceri.dev";
+      listeners = [
+        {
+          port = 8008;
+          bind_addresses = ["127.0.0.1"];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["client" "federation"];
+              compress = true;
+            }
+          ];
+        }
+      ];
+    };
+    extraConfigFiles = [config.age.secrets.matrix-registration-shared-secret.path];
+  };
+
+  backup.paths = [
+    "/var/lib/matrix-synapse"
+    "/var/backup/postgresql/matrix-synapse.sql.gz"
+  ];
+
+  services.postgresqlBackup = {
+    enable = true;
+    databases = ["matrix-synapse"];
+  };
+}

modules/nix/default.nix

@@ -16,7 +16,7 @@
       ];
       netrc-file = "/etc/nix/netrc";
       substituters = [
-        "https://cache.aciceri.dev"
+        "s3://cache?profile=default&region=eu-south-1&scheme=https&endpoint=cache.aciceri.dev"
       ];
       trusted-public-keys = [
         "cache.aciceri.dev~1:nJMfcBnYieY2WMbYDG0s9S5qUhU+V4RPL+X9zcxXxZY="

modules/ssh-initrd/default.nix

@@ -1,24 +1,38 @@
-{config, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
   # For unlocking the disk connect using ssh and type
   # systemctl start initrd-nixos-activation
   boot.initrd = {
     network = {
-      enable = true;
       ssh = {
         enable = true;
         ignoreEmptyHostKeys = true;
         extraConfig = ''
           HostKey /ssh_initrd_host_ed25519_key
         '';
+        authorizedKeys = with (import ../../lib).keys.users; [
+          ccr-gpg
+          ccr-ssh
+        ];
       };
     };
     systemd = {
       enable = true;
-      storePaths = ["${config.programs.ssh.package}/bin/ssh-keygen"];
+      network.enable = true;
+      storePaths = [
+        "${config.programs.ssh.package}/bin/ssh-keygen"
+        "${pkgs.bashInteractive}/bin/bash"
+      ];
       services.sshd.preStart = ''
-               ${config.programs.ssh.package}/bin/ssh-keygen -t ed25519 -N "" -f /ssh_initrd_host_ed25519_key
+        [ ! -f /ssh_initrd_host_ed25519_key ] && ${config.programs.ssh.package}/bin/ssh-keygen -t ed25519 -N "" -f /ssh_initrd_host_ed25519_key
         chmod 600 /ssh_initrd_host_ed25519_key
       '';
     };
   };
+
+  boot.initrd.systemd.additionalUpstreamUnits = ["debug-shell.service"];
+  boot.kernelParams = ["rd.systemd.debug_shell"];
 }

secrets/matrix-registration-shared-secret.age

@@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-rsa /AagBw
+UlR5iCI7jZnIqgfUm7fHrwgJroFYlqA+F8aZudS/i/RjJ6b8ldqdZnefydc+XY9i
+PeAAqAdEVpC0Dae5q4BoWFb0uS5PQPOBmnYqnSm0NMEcGizzpnF+XJL1wPLur/J9
+TRUHHA9MRvVF5QoXrm2wsqQxstnUPZU4ObA+JgnXArMw31aTPOc8KmZWTQKPg2YM
+PyH1Q2Vc3HHKi4CyY2rl18e8JaJGiifrIATl0+/hsfJnOT8o54HcT11b096hiRqU
+NEdH92y4x+hF0dStTPBIEwzLiM2CVght5lR89Lvh3ZP7b10yswB+EKkH1kwcziyn
+3Hq7RM0+jNKbedyViCAuVeis5PezQlFe3yf9eR9YMJdSjhgflLU2KQ3NnXHYoJJ/
+A1XitzFOwKTSEQqHQs2yjTNa3XcoyNDxH49q/svECHmYZamPsc1Ac8cIJOeFf+Id
+xoa0zKJhSZOBwIz5+PrbNN4lYD88sbT6wspQoJwFOvqCx87kwb3HouG0rwDq57BN
+QxybvD7Vz7JPr6D15uWGhNldabvhr+pMt+17wS+DmdjO08iHrwxTrzyvvc86vxhg
+9IvAF3mhIQvBuV9yLSTGE+J8ngp3f6PUfj0CHZTpLpsBvmr83b1gqjVIpxnmJwIW
+MZpPv/x3o81kxyibFA75T+PhGlOPOybZpleRwmLazy4
+-> ssh-rsa QHr3/A
+HjOVYJ5qow3EL+ccqD/8azBdhynKeoSYDMOf9etmemrnBLigJzpoFFjlqyMmfFVj
+vjGvVok/iPO6rrmA27UpEiU6arW8IO1N0IUTulpMYNoDUEWPUHdCQv0pHfArEMi0
+KN37mpm22nusOL3bm8goIcyVFzqP83wGsQXamVjwYLI34XlD2d4ugxWtejoYK/rR
+4xbpgnQv3KuyWuxa5eehBuSPZVcBTwzF3sE9/7UFWZxSeHIpV+S8qoj/kfezqVUl
+lUoXC1uupwT5iNYs7NJ3WZZxWjYdpZdR01K8Z8GAh2BDsVXBBZfxmPZwcr+Ri7Gk
+Ai3AGyw7JyO7YeVXeiGze52fkxzxZmCuN8fKoxi5fgrt3sJMUurXnsCTOAPPj9oE
+FCUT9eGO3mxf213XHEySfhS1C0yEruCtJnmclr3bkFNKVFyM71ABOp8sQwsNuBeB
+3WeufPGCXliV7w+NuNBfa0NAemqDOWmTqZHQEv/D3gLBAiUxtm3Rd5wVkcY0Qy3X
+nq0VyMU+LEcC5h9HvJNnEbUzADR0bab/5jbKfbTrJVimCr6fQmkd8+ua6oGa++Jh
+7BrHauQnVKp5tKnvgUaMWfOp40pjMxUzb1JQMkVD5+uKqD+aUD2SDKODC/FKOLC0
+wNoSoE4m5vNy3SLjY66cVT2Mh80fs6GULqE05k2r5SQ
+-> ssh-ed25519 OgJHCw OjjSmtLRB+pMtn+5NfDQ1FGMgQttjkoN04gs0aIuRHM
+vRwkDC8EewSDLTbB3ZNZO1d3TjulShkeDjjrAFpu2Cc
+--- 4q2bfImq0xXD0apHMUgoP+oNRg9Yr8t1SXpHYtCW0ZE
+[jlE<6C>泠;
Co訰婞窌&l侾<6C>5Z>t苐 h/掠遫烌~r3<72>+縆Lg9P厯 萳▼#F揘駕7顃Sg鉀+躖)靕餿
T╁>p<><70>

secrets/secrets.nix

@@ -20,6 +20,8 @@ in
     "chatgpt-token.age".publicKeys = [ccr-ssh ccr-gpg kirk mothership picard];
     "cloudflare-dyndns-api-token.age".publicKeys = [ccr-ssh ccr-gpg sisko];
     "restic-hetzner-password.age".publicKeys = [ccr-ssh ccr-gpg picard sisko kirk];
+    "hass-ssh-key.age".publicKeys = [ccr-ssh ccr-gpg sisko];
+    "matrix-registration-shared-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko];
 
     # WireGuard
     "picard-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg picard];