From f7796d4848476d1c1f9b616ceaa2ee7c05840ee2 Mon Sep 17 00:00:00 2001 From: Andrea Ciceri Date: Mon, 19 May 2025 12:35:44 +0200 Subject: [PATCH 1/4] Split cloudflare API tokens secret --- secrets/cloudflare-api-tokens.age | 17 +++++++++++++++++ secrets/cloudflare-dyndns-api-token.age | Bin 1052 -> 363 bytes secrets/secrets.nix | 4 ++++ 3 files changed, 21 insertions(+) create mode 100644 secrets/cloudflare-api-tokens.age diff --git a/secrets/cloudflare-api-tokens.age b/secrets/cloudflare-api-tokens.age new file mode 100644 index 0000000..57e68b8 --- /dev/null +++ b/secrets/cloudflare-api-tokens.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-rsa /AagBw +hD7PDjueXimBVI/rjcYxN77LHV2eGytKcUbmh17aSL1CNM+eriURFao3tj52Hiaz +3VMB6FxWUk9kzgjMPvf5WZukuZ2WbpPH8xlDV+6ZH7e/IzmjIfx8Ny14Mr1IF/Rx +TBiCIAM19/1/mR9MiIBW85bb+Bb/waWIZAgxW3N1RpqH5+vAVqx0iY3XRF5+0gOq +blP3yEw3QaL6FuY0+a+d/TnCsrz2Gi1Rba9oCUmkzOP96TsJYdN58Ut6nrHFkURK +mShL2xBMLmfA8Z5ep+D8ueyQbcYpeU3KHcIcRM6dRTwQKvWXAVkRt1nUGasKrO9Y +oJT9BrcxjtqgF/xhHRjWpamjFSI3mlJnJNEbruddDwQUccrJOvEzvqZ7GK0WoFX2 +HmhdDOiocMGWFeBPAKlNtU3+QmtZvhvOIgbjKhNxmCt1A/qxfvRk7Y2IDIBo+CFo +sKMrT1tCo4UYaJdZYl64XYNCQb3C2EfO7Exrq3d2urNidzUbr9OBx7CCI1nu375c +Qol9Kr28fLtxRuSZlrqIe9vKVYyLDPznrRlh6TmgqmMLIW70Y8cZwMtT8L8sOkcm +A8MoxpWFzK4BKo0Iqmw6eZ3nx/0LAzkz005ZEwrmi2W/XxOWJgBiaLmu7YwnoGq0 +gzwwvA5V5MT6Iy7FzkQpMi0h/H4MZ0mcbihKdPun85Q +-> ssh-ed25519 +vdRnA 23Gviu8hfWCEBPHP7xYIaOx34kFsxJJgJ/BNUDlb9Cg +ROiMY2gw/rpNBmJnlRVb7Qhi5+8TY3Velj8gEZcaedI +--- dhmvfQoCjuRUJtvXNI/eCjH0W+IeJm8bFRvYk1JihD0 +qMC,݈ԝ9-\KJ]J(Sn.Qp~Z$e"픒\'rSlu +UD<Սv]|/g[ W_>-fl8|wيlB[\.k(W{=w 3N}qG-wMb^Q{ \ No newline at end of file 
diff --git a/secrets/cloudflare-dyndns-api-token.age b/secrets/cloudflare-dyndns-api-token.age index 57e68b81f89ed04ace61da07a9fd220e13b469a2..6f09f5277550356ad8269d527914a73a6ef8602c 100644 GIT binary patch delta 324 zcmbQk@tSFZY+7oHk*TSnr9xDOxp!{4Lb^vmmb0a?Nshj8W|Wh!S#eRaSFuq=Sw^T! zfuBKHX^L}FxRalLs!>%Smvec3q@#CIUT{jbnL&U>a8an4fm=jbp}CK@OG-pRdO=X3 zxp8DvWLQSzHc|H1um&sp&q$aUMcxW1%<9f0cGXs$(H%am02nIT)Mit z3S}PJCh5s$Ik{=s=}|eAMh0%7UIvNonLeetVaZWdDgGILK}BV0iSEXg>0AtKh3pA! z%kNL_oshXLihZL?(lh0_(|33HH?5oVVZxa!HaEpA8s~2~zuio9eHo8-w%es&)hWe6 XD;K)h%xAHP{}^0%2n?Y<*F2qJq9-V!Bf~SB8sufJ;_sYD8wPQ<$fIQC4zfg`c^(k4KnMs(WRL zcXDV_Zibe`kw<1?6_;_CualWuMR;hoWp-71mTy2= znrV1cX?AIpQFu~8fQLmzj!T%fS(Jx)s=jAcZkA_SMZJYzrJ;#$k)fxXeozHhh*PGs zr=zc-rM{tlZjhyKrl(W5g=tcfwo{URd1AO{lw*2DxUrvMP(h)GsdkxTSYd@hW~6aM zkejKtLArk-S5i)ZaiwdyabTj4nOkY3fp(&Hihf9*b8%6Xk$a|LP*S30zH?}9c9nmC zrCCU^SAArPpQ%M?iCJEehg)`NkT+LuaE6ajg_EyOZknS-lxb>#wu?n+YGq(ja%4ej zsIj+4vS)ITuUSe^NO_=lS$KqFSawi}VP2?vVzGCTzhxv>zE_B)Q&Dn7R!L#Hn|?)x zM^ILHL1J!}Td=2bZjM);m!E4=QE5twOL<^ua(!}yl5k)^*=g}Jk{r(s^HvAJn7S73gQrFW5$MVe1ZMNnyQR8CQ$XR2kHcUWYl zk4r#RUQtj^hFM5%dSR}wk7u~KL8L`;RJm_Sh=q?uv43`QE|;T)Z+=BVxLcLCiIaD} zfoEZExmjwIabAVKfsbQVc9nsFX_RYuQGITvQMi6Yg@3qLx>IJNPj0DsWO-h`d!YeW zdR2LOnWJf#sc(pxXQjDYRd!&3Z>B+pzK4l#ltFHCQf7vCNJ0&< zS8u0Giut)%y(oB6PUn9y`O-VQ+MzBBY@S^0ExRCl>*3|t8bwx)@+UNjn%g03OsDaezoFD3f<4^mT&P* NVvp;T Date: Mon, 19 May 2025 12:35:56 +0200 Subject: [PATCH 2/4] Fix remote builder: change used SSH key --- modules/nix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 1b2258d..000ede4 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix 
@@ -92,7 +92,7 @@
 ];
 protocol = "ssh-ng";
 sshUser = "root";
- sshKey = "/home/${config.ccr.username}/.ssh/id_rsa";
+ sshKey = "/home/${config.ccr.username}/.ssh/id_ed25519";
 }
 ++ (lib.lists.optional (config.networking.hostName == "picard") {
 hostName = "mac.staging.mlabs.city?remote-program=/run/current-system/sw/bin/nix-store";
From c9fe62115ba8f00ff1462aade3aad2134815fab9 Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Mon, 19 May 2025 12:36:39 +0200
Subject: [PATCH 3/4] Add secret

---
 hosts/default.nix | 1 +
 modules/nginx-base/default.nix | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/hosts/default.nix b/hosts/default.nix
index 7ed6ca8..cf4fc6f 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -109,6 +109,7 @@
 "home-assistant-token".owner = "prometheus";
 "grafana-password".owner = "grafana";
 "cloudflare-dyndns-api-token" = { };
+ "cloudflare-api-tokens" = { };
 "restic-hetzner-password" = { };
 "hass-ssh-key".owner = "hass";
 "sisko-attic-environment-file".owner = "atticd";
diff --git a/modules/nginx-base/default.nix b/modules/nginx-base/default.nix
index 5068162..a79716e 100644
--- a/modules/nginx-base/default.nix
+++ b/modules/nginx-base/default.nix
@@ -14,7 +14,7 @@
 dnsProvider = "cloudflare";
 dnsPropagationCheck = true;
 group = config.services.nginx.group;
- environmentFile = config.age.secrets.cloudflare-dyndns-api-token.path;
+ environmentFile = config.age.secrets.cloudflare-api-tokens.path;
 };
 };
 };
From 71566df168b2f2a8bbee778144271111f287cd42 Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Mon, 19 May 2025 12:36:55 +0200
Subject: [PATCH 4/4] Bump `nixpkgsSisko`

---
 flake.lock | 8 ++++----
 flake.nix | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/flake.lock b/flake.lock
index 04719bc..474c3aa 100644
--- a/flake.lock
+++ b/flake.lock
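Review bot: The remote-builder credential is still read from a personal home directory, `sshKey = "/home/${config.ccr.username}/.ssh/id_ed25519";`, even though the connection is opened by the system daemon and authenticates as `sshUser = "root"` on the builder, so root access to that machine is tied to a key the unprivileged desktop user owns and can swap out at will. This series already provisions secrets through agenix (`config.age.secrets.*` is used in modules/nginx-base/default.nix in patch 3), so a dedicated builder key declared there with the default root ownership would keep the credential out of the user's home, e.g. `sshKey = config.age.secrets.<BUILDER_KEY_SECRET>.path;` with a real secret name in place of the placeholder. Whether sharing the personal key is intentional is not visible from this hunk. The builder attribute set and the list it belongs to start before the hunk.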
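Review bot: The new entry `"cloudflare-api-tokens" = { };` in hosts/default.nix gives no hint which credentials the encrypted file holds or who reads it, and the existing `"cloudflare-dyndns-api-token" = { };` stays right above it, so a reader cannot tell why there are now two Cloudflare secrets; the only consumer visible in this series is the ACME `environmentFile` in modules/nginx-base/default.nix (the next hunk). Suggest one comment per entry, e.g. `# lego env file for ACME DNS-01 in nginx-base; token scoped to DNS edit on the relevant zone` on the new one and `# dyndns-only token` on the old one — the per-consumer scoping is presumably the reason for the split announced in patch 1, so confirm that before writing it down. Because the file is age-encrypted, reviewers cannot check the variable names inside it; naming them in the comment (lego's Cloudflare provider reads `CLOUDFLARE_DNS_API_TOKEN`, if that is what the file sets) would make a future rotation less likely to silently break renewals. The secrets attribute set starts and ends outside the hunk.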
@@ -663,17 +663,17 @@ }, "nixpkgsSisko": { "locked": { - "lastModified": 1742288794, - "narHash": "sha256-Txwa5uO+qpQXrNG4eumPSD+hHzzYi/CdaM80M9XRLCo=", + "lastModified": 1747542820, + "narHash": "sha256-GaOZntlJ6gPPbbkTLjbd8BMWaDYafhuuYRNrxCGnPJw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b6eaf97c6960d97350c584de1b6dcff03c9daf42", + "rev": "292fa7d4f6519c074f0a50394dbbe69859bb6043", "type": "github" }, "original": { "owner": "NixOS", "repo": "nixpkgs", - "rev": "b6eaf97c6960d97350c584de1b6dcff03c9daf42", + "rev": "292fa7d4f6519c074f0a50394dbbe69859bb6043", "type": "github" } }, diff --git a/flake.nix b/flake.nix index 440867f..145218e 100644 --- a/flake.nix +++ b/flake.nix @@ -3,7 +3,7 @@ inputs = { flakeParts.url = "github:hercules-ci/flake-parts"; - nixpkgsSisko.url = "github:NixOS/nixpkgs/b6eaf97c6960d97350c584de1b6dcff03c9daf42"; + nixpkgsSisko.url = "github:NixOS/nixpkgs/292fa7d4f6519c074f0a50394dbbe69859bb6043"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixosHardware.url = "github:NixOS/nixos-hardware"; homeManager = {