Fix wol

Otherwise it kept restarting
Now it's managed as a secret
2024-02-11 14:10:04 +01:00 · 2024-02-11 14:09:42 +01:00 · 2024-02-11 14:09:23 +01:00 · 2024-02-11 14:09:04 +01:00 · 2024-02-05 15:14:07 +01:00 · 2024-02-01 22:00:20 +01:00
15 changed files with 296 additions and 65 deletions
--- a/flake.lock
+++ b/flake.lock
@ -36,11 +36,11 @@
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
-        "lastModified": 1706092909,
-        "narHash": "sha256-VYb4NbVZKQDnW8TTD2ivJAaF9nyXv5bElJi9+oBt4xw=",
+        "lastModified": 1706523465,
+        "narHash": "sha256-AKlrSRyoMLRUlN2fGWSWWr1nj46JUgjWDPAG/CdPZhQ=",
        "owner": "aciceri",
        "repo": "emacs",
-        "rev": "588f7b1696d3b7da77a5ea94e921def43529cb70",
+        "rev": "9ad27b6ea82ebaa3dfd635ccc0ce618d9a5ec006",
        "type": "github"
      },
      "original": {
@ -78,11 +78,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1706145859,
-        "narHash": "sha256-+iGHKwzKVW6aGAWfUmUSJW1KiE6WLYhKyTyWZMTw/cg=",
+        "lastModified": 1706491084,
+        "narHash": "sha256-eaEv+orTmr2arXpoE4aFZQMVPOYXCBEbLgK22kOtkhs=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "5a2dc95464080764b9ca1b82b5d6d981157522be",
+        "rev": "f67ba6552845ea5d7f596a24d57c33a8a9dc8de9",
        "type": "github"
      },
      "original": {
@ -118,11 +118,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1706086435,
-        "narHash": "sha256-e+BqXkquFW7LtC+LCbVrVWTXXr/dCEfNAN9wmdyVJ8k=",
+        "lastModified": 1706519192,
+        "narHash": "sha256-xnlbEJxtRR6hjmRJopRe2TBAWIvEB/S/w1V6613u9Nk=",
        "owner": "nix-community",
        "repo": "emacs-overlay",
-        "rev": "46d30fdef02008e5f1856d4039a0b48d20a3bca6",
+        "rev": "380a2b909774bc47385dfa9556f28f243ea87c71",
        "type": "github"
      },
      "original": {
@ -199,11 +199,11 @@
    "extra-package-indent-bars": {
      "flake": false,
      "locked": {
-        "lastModified": 1704855682,
-        "narHash": "sha256-ie7yF8rlnuJ0j6caKvxwdYH6++1Yik6UnedOg3uHKiM=",
+        "lastModified": 1706410940,
+        "narHash": "sha256-8qi7RVjQvOJnt1ziBVPK7vQhlx93nRkomu8rEcW3Pp0=",
        "owner": "jdtsmith",
        "repo": "indent-bars",
-        "rev": "8a4ea0ab83016f87acb94ebf3816a02382b82cad",
+        "rev": "269774df6d5030832d04c5cf067d7a3a2568a46f",
        "type": "github"
      },
      "original": {
@ -317,6 +317,27 @@
      }
    },
    "flake-parts_3": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "hercules-ci-agent",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1704982712,
+        "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "07f6395285469419cf9d078f59b5b49993198c00",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_4": {
      "inputs": {
        "nixpkgs-lib": [
          "hercules-ci-effects",
@ -336,7 +357,7 @@
        "type": "indirect"
      }
    },
-    "flake-parts_4": {
+    "flake-parts_5": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib_3"
      },
@ -395,11 +416,11 @@
        "nixpkgs-lib": "nixpkgs-lib_2"
      },
      "locked": {
-        "lastModified": 1704982712,
-        "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
+        "lastModified": 1706569497,
+        "narHash": "sha256-oixb0IDb5eZYw6BaVr/R/1pSoMh4rfJHkVnlgeRIeZs=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "07f6395285469419cf9d078f59b5b49993198c00",
+        "rev": "60c614008eed1d0383d21daac177a3e036192ed8",
        "type": "github"
      },
      "original": {
@ -429,6 +450,42 @@
        "type": "github"
      }
    },
+    "haskell-flake": {
+      "locked": {
+        "lastModified": 1684780604,
+        "narHash": "sha256-2uMZsewmRn7rRtAnnQNw1lj0uZBMh4m6Cs/7dV5YF08=",
+        "owner": "srid",
+        "repo": "haskell-flake",
+        "rev": "74210fa80a49f1b6f67223debdbf1494596ff9f2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "srid",
+        "ref": "0.3.0",
+        "repo": "haskell-flake",
+        "type": "github"
+      }
+    },
+    "hercules-ci-agent": {
+      "inputs": {
+        "flake-parts": "flake-parts_3",
+        "haskell-flake": "haskell-flake",
+        "nixpkgs": "nixpkgs_6"
+      },
+      "locked": {
+        "lastModified": 1706307588,
+        "narHash": "sha256-t46dB7XCBwj2FOwhFWyMOfriGny1bEOgak24fylo5j4=",
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-agent",
+        "rev": "f01ae96b022bb12d35d7223548a0b05623a55ddf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-agent",
+        "type": "github"
+      }
+    },
    "hercules-ci-effects": {
      "inputs": {
        "flake-parts": "flake-parts_2",
@ -450,8 +507,8 @@
    },
    "hercules-ci-effects_2": {
      "inputs": {
-        "flake-parts": "flake-parts_3",
-        "nixpkgs": "nixpkgs_6"
+        "flake-parts": "flake-parts_4",
+        "nixpkgs": "nixpkgs_7"
      },
      "locked": {
        "lastModified": 1704029560,
@ -495,11 +552,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1706134977,
-        "narHash": "sha256-KwNb1Li3K6vuVwZ77tFjZ89AWBo7AiCs9t0Cens4BsM=",
+        "lastModified": 1706473109,
+        "narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "6359d40f6ec0b72a38e02b333f343c3d4929ec10",
+        "rev": "d634c3abafa454551f2083b054cd95c3f287be61",
        "type": "github"
      },
      "original": {
@ -670,11 +727,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1705916986,
-        "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=",
+        "lastModified": 1706373441,
+        "narHash": "sha256-S1hbgNbVYhuY2L05OANWqmRzj4cElcbLuIkXTb69xkk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8",
+        "rev": "56911ef3403a9318b7621ce745f5452fb9ef6867",
        "type": "github"
      },
      "original": {
@ -686,11 +743,11 @@
    },
    "nixpkgsStable": {
      "locked": {
-        "lastModified": 1706098335,
-        "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
+        "lastModified": 1706515015,
+        "narHash": "sha256-eFfY5A7wlYy3jD/75lx6IJRueg4noE+jowl0a8lIlVo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
+        "rev": "f4a8d6d5324c327dcc2d863eb7f3cc06ad630df4",
        "type": "github"
      },
      "original": {
@ -702,11 +759,11 @@
    },
    "nixpkgsUnstable": {
      "locked": {
-        "lastModified": 1705856552,
-        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
+        "lastModified": 1706371002,
+        "narHash": "sha256-dwuorKimqSYgyu8Cw6ncKhyQjUDOyuXoxDTVmAXq88s=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+        "rev": "c002c6aa977ad22c60398daaa9be52f2203d0006",
        "type": "github"
      },
      "original": {
@ -718,11 +775,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1705856552,
-        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
+        "lastModified": 1706191920,
+        "narHash": "sha256-eLihrZAPZX0R6RyM5fYAWeKVNuQPYjAkCUBr+JNvtdE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+        "rev": "ae5c332cbb5827f6b1f02572496b141021de335f",
        "type": "github"
      },
      "original": {
@ -750,11 +807,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1705856552,
-        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
+        "lastModified": 1706191920,
+        "narHash": "sha256-eLihrZAPZX0R6RyM5fYAWeKVNuQPYjAkCUBr+JNvtdE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+        "rev": "ae5c332cbb5827f6b1f02572496b141021de335f",
        "type": "github"
      },
      "original": {
@ -781,6 +838,22 @@
      }
    },
    "nixpkgs_6": {
+      "locked": {
+        "lastModified": 1705856552,
+        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_7": {
      "locked": {
        "lastModified": 1703637592,
        "narHash": "sha256-8MXjxU0RfFfzl57Zy3OfXCITS0qWDNLzlBAdwxGZwfY=",
@ -796,7 +869,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_7": {
+    "nixpkgs_8": {
      "locked": {
        "lastModified": 1678470307,
        "narHash": "sha256-OEeMUr3ueLIXyW/OaFUX5jUdimyQwMg/7e+/Q0gC/QE=",
@ -814,11 +887,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1706174248,
-        "narHash": "sha256-VNN7md+kJhBvl5bINEXybSG4jHavrQIlXdywpcaEEwc=",
+        "lastModified": 1706643926,
+        "narHash": "sha256-GOBRsUCZ3a9GgaLvbm2wpmsnZGY41IvEp9C3rQLXaTI=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "20f64c7125413fc19372f11b45db99363bea7c1f",
+        "rev": "68b210c7240de86b3639cf9542df9dcb9c504914",
        "type": "github"
      },
      "original": {
@ -856,11 +929,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1705757126,
-        "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=",
+        "lastModified": 1706424699,
+        "narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc",
+        "rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf",
        "type": "github"
      },
      "original": {
@ -911,9 +984,9 @@
    "rock5b": {
      "inputs": {
        "fan-control": "fan-control",
-        "flake-parts": "flake-parts_4",
+        "flake-parts": "flake-parts_5",
        "kernel-src": "kernel-src",
-        "nixpkgs": "nixpkgs_7",
+        "nixpkgs": "nixpkgs_8",
        "nixpkgs-kernel": "nixpkgs-kernel",
        "panfork": "panfork",
        "tow-boot": "tow-boot",
@ -940,6 +1013,7 @@
        "disko": "disko",
        "dream2nix": "dream2nix",
        "flakeParts": "flakeParts",
+        "hercules-ci-agent": "hercules-ci-agent",
        "hercules-ci-effects": "hercules-ci-effects_2",
        "homeManager": "homeManager",
        "homeManagerGitWorkspace": "homeManagerGitWorkspace",
@ -1065,11 +1139,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1706111218,
-        "narHash": "sha256-ueC4DvzFzN9Ft3kLSv8g6uuT3Ghz+jZ7UlGQFPZxBrg=",
+        "lastModified": 1706462057,
+        "narHash": "sha256-7dG1D4iqqt0bEbBqUWk6lZiSqqwwAO0Hd1L5opVyhNM=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "23f601bfdef75e21fe8854e24a043bb642201794",
+        "rev": "c6153c2a3ff4c38d231e3ae99af29b87f1df5901",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -43,6 +43,7 @@
    };
    hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects";
    dream2nix.url = "github:nix-community/dream2nix";
+    hercules-ci-agent.url = "github:hercules-ci/hercules-ci-agent";
  };

  outputs = inputs @ {flakeParts, ...}:
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -99,6 +99,7 @@
        };
        extraModules = [
          inputs.disko.nixosModules.disko
+          # inputs.hercules-ci-agent.nixosModules.agent-service
        ];
        extraHmModules = [
          inputs.ccrEmacs.hmModules.default
@ -127,6 +128,7 @@
        };
        extraModules = with inputs; [
          disko.nixosModules.disko
+          # inputs.hercules-ci-agent.nixosModules.agent-service;
          # rock5b.nixosModules.default
        ];
        secrets = {
@ -140,6 +142,8 @@
          "restic-hetzner-password" = {};
          "minio-credentials".owner = "minio";
          "aws-credentials".owner = "hercules-ci-agent";
+          "hass-ssh-key".owner = "hass";
+          "matrix-registration-shared-secret".owner = "matrix-synapse";
        };
      };
    };
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@ -2,6 +2,7 @@
  fleetModules,
  lib,
  config,
+  pkgs,
  ...
 }: {
  imports =
@ -32,6 +33,7 @@
      "binfmt"
      "greetd"
      "syncthing"
+      "hass-poweroff"
    ]
    ++ [
      ./disko.nix
@ -106,6 +108,6 @@
  # TODO move away from here (how can the interface name be retrieved programmatically?)
  networking.interfaces.enp11s0.wakeOnLan = {
    enable = true;
-    policy = ["broadcast" "magic"];
+    policy = ["magic"];
  };
 }
--- a/hosts/sisko/default.nix
+++ b/hosts/sisko/default.nix
@ -28,6 +28,7 @@
      "restic"
      "syncthing"
      "minio"
+      "matrix"
    ]
    ++ [
      ./disko.nix
--- a/modules/cloudflare-dyndns/default.nix
+++ b/modules/cloudflare-dyndns/default.nix
@ -2,15 +2,17 @@
  services.cloudflare-dyndns = {
    enable = true;
    ipv4 = true;
-    ipv6 = true;
+    ipv6 = false; # not anymore 😭
    domains = [
-      # "sevenofnix.aciceri.dev"
+      "aciceri.dev"
+      "git.aciceri.dev"
      "home.aciceri.dev"
      "torrent.aciceri.dev"
      "search.aciceri.dev"
      "invidious.aciceri.dev"
      "vpn.aciceri.dev"
      "cache.aciceri.dev"
+      "matrix.aciceri.dev"
    ];
    apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
  };
--- a/modules/hass-poweroff/default.nix
+++ b/modules/hass-poweroff/default.nix
@ -0,0 +1,16 @@
+{pkgs, ...}: {
+  # Creates an user that home assistant can log in as to power off the system
+  users.users.hass = {
+    openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcoVVrMFili8UBjziIu2wyFgcDGTlT1avBh2nLTa9aM"];
+    isNormalUser = true;
+    isSystemUser = false;
+    group = "hass";
+    createHome = false;
+  };
+
+  users.groups.hass = {};
+
+  security.sudo.extraConfig = ''
+    hass ALL=NOPASSWD:${pkgs.systemd}/bin/systemctl
+  '';
+}
--- a/modules/home-assistant/default.nix
+++ b/modules/home-assistant/default.nix
@ -21,12 +21,6 @@
    rev = "9a40a2fa09b0f74aee0b278e2858f5600b3487a9";
    hash = "sha256-i+82EUamV1Fhwhb1vhRqn9aA9dJ0FxSSMD734domyhw=";
  };
-  localtuya = pkgs.fetchFromGitHub {
-    owner = "rospogrigio";
-    repo = "localtuya";
-    rev = "f06e4848e67997edfa696aa9a89372fb17077bd0";
-    hash = "sha256-hA/1FxH0wfM0jz9VqGCT95rXlrWjxV5oIkSiBf0G0ac=";
-  };
 in {
  services.home-assistant = {
    enable = true;
@ -58,6 +52,7 @@ in {
      "webostv"
      "media_player"
      "wyoming"
+      "wake_on_lan"
    ];
    extraPackages = python3Packages:
      with python3Packages; [
@ -99,6 +94,18 @@ in {
      #     data.mac = "20:28:bc:74:14:c2";
      #   };
      # }];
+      wake_on_lan = {};
+      switch = [
+        {
+          name = "Picard";
+          platform = "wake_on_lan";
+          mac = "74:56:3c:37:17:bd"; # this shouldn't be public
+          host = "picard.fleet";
+          turn_off.service = "shell_command.turn_off_picard";
+        }
+      ];
+      shell_command.turn_off_picard = ''${pkgs.openssh}/bin/ssh -i /var/lib/hass/.ssh/id_ed25519 -o StrictHostKeyChecking=no hass@picard.fleet "exec sudo \$(readlink \$(which systemctl)) poweroff"'';
+      # shell_command.turn_off_picard = ''whoami'';
    };
  };

@ -114,10 +121,12 @@ in {
  systemd.tmpfiles.rules = [
    "d ${config.services.home-assistant.configDir}/custom_components 770 hass hass"
    "L+ ${config.services.home-assistant.configDir}/custom_components/pun_sensor - - - - ${pun_sensor}/custom_components/pun_sensor"
-    "L+ ${config.services.home-assistant.configDir}/custom_components/cozy_life - - - - ${cozy_life}/custom_components/cozylife"
-    "L+ ${config.services.home-assistant.configDir}/custom_components/localtuya - - - - ${localtuya}/custom_components/localtuya"
+
+    "d ${config.services.home-assistant.configDir}/.ssh 770 hass hass"
+    "C ${config.services.home-assistant.configDir}/.ssh/id_ed25519 700 hass hass - ${config.age.secrets.hass-ssh-key.path}"
+
    "d ${config.services.home-assistant.configDir}/www 770 hass hass"
-    "C ${config.services.home-assistant.configDir}/www/home.png - - - - ${config.age.secrets.home-planimetry.path}"
+    "C ${config.services.home-assistant.configDir}/www/home.png 770 hass hass - - ${config.age.secrets.home-planimetry.path}"
  ];

  networking.firewall.interfaces."wg0" = {
--- a/modules/home-assistant/home.png
+++ b/modules/home-assistant/home.png
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@ -0,0 +1,77 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  clientConfig."m.homeserver".base_url = "https://matrix.aciceri.dev";
+  serverConfig."m.server" = "matrix.aciceri.dev:443";
+  mkWellKnown = data: ''
+    default_type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
+in {
+  imports = [../nginx-base];
+
+  services.nginx.virtualHosts = {
+    "aciceri.dev" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+      locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+    };
+    "matrix.aciceri.dev" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString (lib.head config.services.matrix-synapse.settings.listeners).port}";
+      locations."/_matrix".proxyPass = "http://localhost:8008";
+      locations."/_synapse/client".proxyPass = "http://localhost:8008";
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+           CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+           CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+             TEMPLATE template0
+      LC_COLLATE = "C"
+             LC_CTYPE = "C";
+    '';
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = "aciceri.dev";
+      public_baseurl = "https://matrix.aciceri.dev";
+      listeners = [
+        {
+          port = 8008;
+          bind_addresses = ["127.0.0.1"];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["client" "federation"];
+              compress = true;
+            }
+          ];
+        }
+      ];
+    };
+    extraConfigFiles = [config.age.secrets.matrix-registration-shared-secret.path];
+  };
+
+  backup.paths = [
+    "/var/lib/matrix-synapse"
+    "/var/backup/postgresql/matrix-synapse.sql.gz"
+  ];
+
+  services.postgresqlBackup = {
+    enable = true;
+    databases = ["matrix-synapse"];
+  };
+}
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@ -16,7 +16,7 @@
      ];
      netrc-file = "/etc/nix/netrc";
      substituters = [
-        "https://cache.aciceri.dev"
+        "s3://cache?profile=default&region=eu-south-1&scheme=https&endpoint=cache.aciceri.dev"
      ];
      trusted-public-keys = [
        "cache.aciceri.dev~1:nJMfcBnYieY2WMbYDG0s9S5qUhU+V4RPL+X9zcxXxZY="
--- a/modules/ssh-initrd/default.nix
+++ b/modules/ssh-initrd/default.nix
@ -1,24 +1,38 @@
-{config, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
  # For unlocking the disk connect using ssh and type
  # systemctl start initrd-nixos-activation
  boot.initrd = {
    network = {
-      enable = true;
      ssh = {
        enable = true;
        ignoreEmptyHostKeys = true;
        extraConfig = ''
          HostKey /ssh_initrd_host_ed25519_key
        '';
+        authorizedKeys = with (import ../../lib).keys.users; [
+          ccr-gpg
+          ccr-ssh
+        ];
      };
    };
    systemd = {
      enable = true;
-      storePaths = ["${config.programs.ssh.package}/bin/ssh-keygen"];
+      network.enable = true;
+      storePaths = [
+        "${config.programs.ssh.package}/bin/ssh-keygen"
+        "${pkgs.bashInteractive}/bin/bash"
+      ];
      services.sshd.preStart = ''
-               ${config.programs.ssh.package}/bin/ssh-keygen -t ed25519 -N "" -f /ssh_initrd_host_ed25519_key
+        [ ! -f /ssh_initrd_host_ed25519_key ] && ${config.programs.ssh.package}/bin/ssh-keygen -t ed25519 -N "" -f /ssh_initrd_host_ed25519_key
        chmod 600 /ssh_initrd_host_ed25519_key
      '';
    };
  };
+
+  boot.initrd.systemd.additionalUpstreamUnits = ["debug-shell.service"];
+  boot.kernelParams = ["rd.systemd.debug_shell"];
 }
--- a/secrets/hass-ssh-key.age
+++ b/secrets/hass-ssh-key.age
--- a/secrets/matrix-registration-shared-secret.age
+++ b/secrets/matrix-registration-shared-secret.age
@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-rsa /AagBw
+UlR5iCI7jZnIqgfUm7fHrwgJroFYlqA+F8aZudS/i/RjJ6b8ldqdZnefydc+XY9i
+PeAAqAdEVpC0Dae5q4BoWFb0uS5PQPOBmnYqnSm0NMEcGizzpnF+XJL1wPLur/J9
+TRUHHA9MRvVF5QoXrm2wsqQxstnUPZU4ObA+JgnXArMw31aTPOc8KmZWTQKPg2YM
+PyH1Q2Vc3HHKi4CyY2rl18e8JaJGiifrIATl0+/hsfJnOT8o54HcT11b096hiRqU
+NEdH92y4x+hF0dStTPBIEwzLiM2CVght5lR89Lvh3ZP7b10yswB+EKkH1kwcziyn
+3Hq7RM0+jNKbedyViCAuVeis5PezQlFe3yf9eR9YMJdSjhgflLU2KQ3NnXHYoJJ/
+A1XitzFOwKTSEQqHQs2yjTNa3XcoyNDxH49q/svECHmYZamPsc1Ac8cIJOeFf+Id
+xoa0zKJhSZOBwIz5+PrbNN4lYD88sbT6wspQoJwFOvqCx87kwb3HouG0rwDq57BN
+QxybvD7Vz7JPr6D15uWGhNldabvhr+pMt+17wS+DmdjO08iHrwxTrzyvvc86vxhg
+9IvAF3mhIQvBuV9yLSTGE+J8ngp3f6PUfj0CHZTpLpsBvmr83b1gqjVIpxnmJwIW
+MZpPv/x3o81kxyibFA75T+PhGlOPOybZpleRwmLazy4
+-> ssh-rsa QHr3/A
+HjOVYJ5qow3EL+ccqD/8azBdhynKeoSYDMOf9etmemrnBLigJzpoFFjlqyMmfFVj
+vjGvVok/iPO6rrmA27UpEiU6arW8IO1N0IUTulpMYNoDUEWPUHdCQv0pHfArEMi0
+KN37mpm22nusOL3bm8goIcyVFzqP83wGsQXamVjwYLI34XlD2d4ugxWtejoYK/rR
+4xbpgnQv3KuyWuxa5eehBuSPZVcBTwzF3sE9/7UFWZxSeHIpV+S8qoj/kfezqVUl
+lUoXC1uupwT5iNYs7NJ3WZZxWjYdpZdR01K8Z8GAh2BDsVXBBZfxmPZwcr+Ri7Gk
+Ai3AGyw7JyO7YeVXeiGze52fkxzxZmCuN8fKoxi5fgrt3sJMUurXnsCTOAPPj9oE
+FCUT9eGO3mxf213XHEySfhS1C0yEruCtJnmclr3bkFNKVFyM71ABOp8sQwsNuBeB
+3WeufPGCXliV7w+NuNBfa0NAemqDOWmTqZHQEv/D3gLBAiUxtm3Rd5wVkcY0Qy3X
+nq0VyMU+LEcC5h9HvJNnEbUzADR0bab/5jbKfbTrJVimCr6fQmkd8+ua6oGa++Jh
+7BrHauQnVKp5tKnvgUaMWfOp40pjMxUzb1JQMkVD5+uKqD+aUD2SDKODC/FKOLC0
+wNoSoE4m5vNy3SLjY66cVT2Mh80fs6GULqE05k2r5SQ
+-> ssh-ed25519 OgJHCw OjjSmtLRB+pMtn+5NfDQ1FGMgQttjkoN04gs0aIuRHM
+vRwkDC8EewSDLTbB3ZNZO1d3TjulShkeDjjrAFpu2Cc
+--- 4q2bfImq0xXD0apHMUgoP+oNRg9Yr8t1SXpHYtCW0ZE
+[jlE<6C>泠;
Co訰婞窌&l侾<6C>5Z>t苐 h/掠遫烌~r3<72>+縆Lg9P厯 萳▼#F揘駕7顃Sg鉀+躖)靕餿
T╁>p<><70>
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -20,6 +20,8 @@ in
    "chatgpt-token.age".publicKeys = [ccr-ssh ccr-gpg kirk mothership picard];
    "cloudflare-dyndns-api-token.age".publicKeys = [ccr-ssh ccr-gpg sisko];
    "restic-hetzner-password.age".publicKeys = [ccr-ssh ccr-gpg picard sisko kirk];
+    "hass-ssh-key.age".publicKeys = [ccr-ssh ccr-gpg sisko];
+    "matrix-registration-shared-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko];

    # WireGuard
    "picard-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg picard];
Author	SHA1	Message	Date
Andrea Ciceri	7f3441fc76	Fix `wol`	2024-02-11 14:10:04 +01:00
Andrea Ciceri	cb0a071ee6	Otherwise it kept restarting	2024-02-11 14:09:42 +01:00
Andrea Ciceri	8e7cd06fc4	Now it's managed as a secret	2024-02-11 14:09:23 +01:00
Andrea Ciceri	40573a4477	Self host `matrixy-synapse` on `sisko`	2024-02-11 14:09:04 +01:00
Andrea Ciceri	231a662dc8	New ISP without IPv6	2024-02-05 15:14:07 +01:00
Andrea Ciceri	3cd9a3e4e9	Correct substituter URL	2024-02-01 22:00:20 +01:00
Hercules CI Effects	095ff99b18	flake.lock: Update Flake lock file updates: • Updated input 'ccrEmacs': 'github:aciceri/emacs/8386fbef35f25e268db1b1d636a884ed175fba27' (2024-01-26) → 'github:aciceri/emacs/9ad27b6ea82ebaa3dfd635ccc0ce618d9a5ec006' (2024-01-29) • Updated input 'ccrEmacs/emacs-overlay': 'github:nix-community/emacs-overlay/babae500c2bca610eb38e17a1ef1bf0f70beb29e' (2024-01-26) → 'github:nix-community/emacs-overlay/380a2b909774bc47385dfa9556f28f243ea87c71' (2024-01-29) • Updated input 'ccrEmacs/emacs-overlay/nixpkgs': 'github:NixOS/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21) → 'github:NixOS/nixpkgs/ae5c332cbb5827f6b1f02572496b141021de335f' (2024-01-25) • Updated input 'ccrEmacs/emacs-overlay/nixpkgs-stable': 'github:NixOS/nixpkgs/a77ab169a83a4175169d78684ddd2e54486ac651' (2024-01-24) → 'github:NixOS/nixpkgs/56911ef3403a9318b7621ce745f5452fb9ef6867' (2024-01-27) • Updated input 'ccrEmacs/extra-package-indent-bars': 'github:jdtsmith/indent-bars/8a4ea0ab83016f87acb94ebf3816a02382b82cad' (2024-01-10) → 'github:jdtsmith/indent-bars/269774df6d5030832d04c5cf067d7a3a2568a46f' (2024-01-28) • Updated input 'ccrEmacs/nixpkgs': 'github:NixOS/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21) → 'github:NixOS/nixpkgs/ae5c332cbb5827f6b1f02572496b141021de335f' (2024-01-25) • Updated input 'disko': 'github:nix-community/disko/f7424625dc1f2e4eceac3009cbd1203d566feebc' (2024-01-26) → 'github:nix-community/disko/f67ba6552845ea5d7f596a24d57c33a8a9dc8de9' (2024-01-29) • Updated input 'flakeParts': 'github:hercules-ci/flake-parts/07f6395285469419cf9d078f59b5b49993198c00' (2024-01-11) → 'github:hercules-ci/flake-parts/60c614008eed1d0383d21daac177a3e036192ed8' (2024-01-29) • Updated input 'homeManager': 'github:nix-community/home-manager/4d54c29bce71f8c261513e0662cc573d30f3e33e' (2024-01-28) → 'github:nix-community/home-manager/d634c3abafa454551f2083b054cd95c3f287be61' (2024-01-28) • Updated input 'nixpkgsStable': 'github:NixOS/nixpkgs/a77ab169a83a4175169d78684ddd2e54486ac651' (2024-01-24) → 'github:NixOS/nixpkgs/f4a8d6d5324c327dcc2d863eb7f3cc06ad630df4' (2024-01-29) • Updated input 'nixpkgsUnstable': 'github:NixOS/nixpkgs/ae5c332cbb5827f6b1f02572496b141021de335f' (2024-01-25) → 'github:NixOS/nixpkgs/c002c6aa977ad22c60398daaa9be52f2203d0006' (2024-01-27) • Updated input 'nur': 'github:nix-community/NUR/f271bc81436c96bf40da5100d8c6aa754e5cc403' (2024-01-28) → 'github:nix-community/NUR/68b210c7240de86b3639cf9542df9dcb9c504914' (2024-01-30) • Updated input 'treefmt-nix': 'github:numtide/treefmt-nix/fbef7c773be115ed33f37e97256a9e8f6312b925' (2024-01-26) → 'github:numtide/treefmt-nix/c6153c2a3ff4c38d231e3ae99af29b87f1df5901' (2024-01-28)	2024-01-30 20:20:40 +00:00
Andrea Ciceri	44d42ea5d1	🤓	2024-01-29 02:28:29 +01:00
Hercules CI Effects	2ed9253820	flake.lock: Update Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/c12719812dde4dcbc4119a2b09766a51c9c498d5' (2024-01-26) → 'github:nix-community/disko/f7424625dc1f2e4eceac3009cbd1203d566feebc' (2024-01-26) • Updated input 'homeManager': 'github:nix-community/home-manager/c7ce343d9bf1a329056a4dd5b32ea8cc43b55e15' (2024-01-25) → 'github:nix-community/home-manager/4d54c29bce71f8c261513e0662cc573d30f3e33e' (2024-01-28) • Updated input 'nixpkgsUnstable': 'github:NixOS/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21) → 'github:NixOS/nixpkgs/ae5c332cbb5827f6b1f02572496b141021de335f' (2024-01-25) • Updated input 'nur': 'github:nix-community/NUR/f68a48971bd33ff845dc5d6734f6a77d0d7a0967' (2024-01-26) → 'github:nix-community/NUR/f271bc81436c96bf40da5100d8c6aa754e5cc403' (2024-01-28) • Updated input 'pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/f56597d53fd174f796b5a7d3ee0b494f9e2285cc' (2024-01-20) → 'github:cachix/pre-commit-hooks.nix/7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf' (2024-01-28) • Updated input 'treefmt-nix': 'github:numtide/treefmt-nix/3139f18ee5cf16ea2b291a717c06f1e66df3e908' (2024-01-25) → 'github:numtide/treefmt-nix/fbef7c773be115ed33f37e97256a9e8f6312b925' (2024-01-26)	2024-01-29 02:04:45 +01:00
Hercules CI Effects	aca6ba18dc	flake.lock: Update Flake lock file updates: • Updated input 'ccrEmacs': 'github:aciceri/emacs/588f7b1696d3b7da77a5ea94e921def43529cb70' (2024-01-24) → 'github:aciceri/emacs/8386fbef35f25e268db1b1d636a884ed175fba27' (2024-01-26) • Updated input 'ccrEmacs/emacs-overlay': 'github:nix-community/emacs-overlay/46d30fdef02008e5f1856d4039a0b48d20a3bca6' (2024-01-24) → 'github:nix-community/emacs-overlay/babae500c2bca610eb38e17a1ef1bf0f70beb29e' (2024-01-26) • Updated input 'ccrEmacs/emacs-overlay/nixpkgs-stable': 'github:NixOS/nixpkgs/d7f206b723e42edb09d9d753020a84b3061a79d8' (2024-01-22) → 'github:NixOS/nixpkgs/a77ab169a83a4175169d78684ddd2e54486ac651' (2024-01-24) • Updated input 'disko': 'github:nix-community/disko/5a2dc95464080764b9ca1b82b5d6d981157522be' (2024-01-25) → 'github:nix-community/disko/c12719812dde4dcbc4119a2b09766a51c9c498d5' (2024-01-26) • Updated input 'homeManager': 'github:nix-community/home-manager/6359d40f6ec0b72a38e02b333f343c3d4929ec10' (2024-01-24) → 'github:nix-community/home-manager/c7ce343d9bf1a329056a4dd5b32ea8cc43b55e15' (2024-01-25) • Updated input 'nur': 'github:nix-community/NUR/20f64c7125413fc19372f11b45db99363bea7c1f' (2024-01-25) → 'github:nix-community/NUR/f68a48971bd33ff845dc5d6734f6a77d0d7a0967' (2024-01-26) • Updated input 'treefmt-nix': 'github:numtide/treefmt-nix/23f601bfdef75e21fe8854e24a043bb642201794' (2024-01-24) → 'github:numtide/treefmt-nix/3139f18ee5cf16ea2b291a717c06f1e66df3e908' (2024-01-25)	2024-01-29 02:04:45 +01:00