From c8e32b689bfaa75c47db940a3679bf1990a24be6 Mon Sep 17 00:00:00 2001 From: Andrea Ciceri Date: Fri, 23 May 2025 21:32:11 +0200 Subject: [PATCH 1/4] Add `netrc` secret --- secrets/nix-netrc.age | Bin 0 -> 1558 bytes secrets/secrets.nix | 7 +++++++ 2 files changed, 7 insertions(+) create mode 100644 secrets/nix-netrc.age diff --git a/secrets/nix-netrc.age b/secrets/nix-netrc.age new file mode 100644 index 0000000000000000000000000000000000000000..7b0438f51792139cfc5411d21633bbda8cd428b9 GIT binary patch literal 1558 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTS$}soNEmsI}E-rBQ z@O2KV3NOlYHS>>f4|Dd5u*`P%3kpn2$xJE@ax}KEERHJ7b>#BNDv3z6G`B2@D)!6v zaZmLKEOGX7GVqN^F3EQ+_9zcDG%~3)EqC-PO-Hv)yDTLr&ru;gI3qPT)iAT5Fu>Ks z)zs3ZxYRu?*{L+#!X(+kG0fjNtRU4btT?mEu$ZgNsUpub!X-c0-9p=}AlE3IsgObuj z3+Gh*ykbXlZG+50&&2$+NY}uEOjjY^uu#KebN;|gCjCiGON6@s*F-|Bi$TLyp3EvDoV0)%rl)L zEY0%Wsw!PdbILu+-O9N<6SeaTTr10sON&!d%FT@RQ=Ky`tIBeU91D`tj8Y0LGmT8m z{EDOU3W_motMo~64^+^0G0ID=Gzm8IN>9!TO-}T$a8C*j4@j}BNRA3i(XNd2tn?1{ zu}sNw_vOlT$u=%G^3~2twJ3EjHpntccgf2M@T|)9kI2X__bu>rElP1q@iojh%jVM6 z)m1Qy@DDN!^f&YjbT-Hf%FJ{04|Vda3@h{s4@xs|vUG9wtO!Xh()KC$H{eQ`F1a9i zq38h#hPQ#9msej*b?gC1L;4JyJ{W zZOG1<5tjO6eg2K-3>VJq)Kpumf8w$IKhHOBR!b@fAIn&n{Qu!!@7D`=HLu;+ms-15 z>EV^v`<}WoKHqMf%@(2YE6(*`Q~5*wmXk@(PBghSCGI;h+CSB6@6{jNqx}1$p3}S(-O42@ zrtEQllYH)8o@>bZZKAA+kG%b-vW`c)uj_pIdwPcMSN)|w_O!Pge&l;DXDQQCCYP=` zB5}WCbPt7A)|}n4>O=3AY2Q?Xe#9>RviV*7#`a~~%dDII{4Rz2eTgXfb$rjZhCOSZ zch6rX^5&pbz=oy2-`XTU`@j-?^w^s-OIY6&bY#qYsC1j@OuO{z*h5DqOkZ=qEOA%n zhf{DvGvO+_KDe6(`rqU@HT2mvM>&mtpGbr5V+VVx^;*N-@by2SM4bK-}P|z{iRXVdY zM0s)TwBrq0>wMKRp5&b5F5kT7(9Ca~vTs)0dK7oMZC%XYC(VV+t;P8pmR7vjyU($k z{m1sQxg5pqT`bicB^$PW4C>s;@+5?(>G|Dl%bn9K*DqpZc$MN@rN_HS#mBTqE0ZJO z>Y-q1gRHy0$0ag0@mccos8>`4?fe*Vcx6d->iVj~J~B_6&Z$?ct0|eDESp=S@?zU> z-%HkK^6DRM7no61U0;^N(Dve#+bgX*pExHzJeSm(QX0Z-o4h7W@RdRTF%?q)Z>^v% literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3ab2d98..fd1bca9 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -157,6 +157,13 @@ with keys.users; ccr-ssh sisko ]; + "nix-netrc.age".publicKeys = [ + ccr-ssh + sisko + pike + picard + kirk + ]; # WireGuard "picard-wireguard-private-key.age".publicKeys = [ From ddfb93214f3e8b08f4ba20305b212c16f6c4fef0 Mon Sep 17 00:00:00 2001 From: Andrea Ciceri Date: Fri, 23 May 2025 21:32:34 +0200 Subject: [PATCH 2/4] Use `netrc` provided by agenix --- modules/nix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 000ede4..59f2692 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -20,7 +20,7 @@ "root" "@wheel" ]; - netrc-file = "/etc/nix/netrc"; + netrc-file = config.age.secrets.nix-netrc.path; substituters = [ # "s3://cache?profile=default®ion=eu-south-1&scheme=https&endpoint=cache.aciceri.dev" "https://cache.iog.io" From 959016455f865cef60f6c080a2b5c082a634ac76 Mon Sep 17 00:00:00 2001 From: Andrea Ciceri Date: Fri, 23 May 2025 21:32:48 +0200 Subject: [PATCH 3/4] Remove unused caches --- modules/nix/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 59f2692..ef46e63 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix 
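Review bot: The new `"nix-netrc.age"` entry encrypts a single netrc to `ccr-ssh` plus four host keys, so whatever credential it holds is shared by every listed machine, and a compromise of any one of them means rotating it for all. The encrypted contents are not visible here, so it is worth confirming that the credential is read-only and scoped to the cache. The entry also sits directly above the `# WireGuard` heading with no heading of its own. A comment such as `# Nix netrc: must list every host that declares age.secrets.nix-netrc` would record that this recipient list has to stay in step with the declarations added in hosts/default.nix (PATCH 4/4). The attribute set this hunk edits starts and ends outside the hunk.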
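Review bot: `netrc-file = config.age.secrets.nix-netrc.path;` makes this shared module depend on a secret it does not declare, so any host that imports it without an `age.secrets.nix-netrc` entry will fail to evaluate. The declaration only arrives in PATCH 4/4 (four hunks in hosts/default.nix), so the tree at PATCH 2/4 and 3/4 presumably does not evaluate. Declaring the secret in the same commit, or guarding the setting with something like `lib.mkIf (config.age.secrets ? nix-netrc) config.age.secrets.nix-netrc.path` if `lib` is in scope, would keep each commit buildable. Those declarations are `"nix-netrc" = { };` with no `owner`, so if agenix's defaults apply only root can read the file; that suits the daemon but is worth confirming for fetches run by non-root users. The settings block continues outside the hunk.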
@@ -22,18 +22,18 @@ ]; netrc-file = config.age.secrets.nix-netrc.path; substituters = [ - # "s3://cache?profile=default®ion=eu-south-1&scheme=https&endpoint=cache.aciceri.dev" "https://cache.iog.io" "https://cache.lix.systems" "https://nix-community.cachix.org" - "https://mlabs.cachix.org" + # "https://mlabs.cachix.org" + "http://sisko.wg.aciceri.dev:8081/nixfleet" ]; trusted-public-keys = [ - # "cache.aciceri.dev~1:nJMfcBnYieY2WMbYDG0s9S5qUhU+V4RPL+X9zcxXxZY=" "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M=" + # "mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M=" + "nixfleet:Bud23440n6mMTmgq/7U+mk91zlLjnx2X3lQQrCBCCU4=" ]; deprecated-features = [ "url-literals" ]; }; From 7188dbf66579fe9c443f38157cb9ba8239afad4e Mon Sep 17 00:00:00 2001 From: Andrea Ciceri Date: Fri, 23 May 2025 21:34:13 +0200 Subject: [PATCH 4/4] Add `nix-netrc` secret to `picard`, `pike`, `kirk` and `sisko` --- hosts/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/default.nix b/hosts/default.nix index 3ac0ce9..efdd865 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -59,6 +59,7 @@ "git-workspace-tokens".owner = "ccr"; "autistici-password".owner = "ccr"; "restic-hetzner-password" = { }; + "nix-netrc" = { }; }; }; @@ -87,6 +88,7 @@ "restic-hetzner-password" = { }; "forgejo-runners-token".owner = "nixuser"; "forgejo-nix-access-tokens".owner = "nixuser"; + "nix-netrc" = { }; }; }; @@ -120,6 +122,7 @@ }; "matrix-registration-shared-secret".owner = "matrix-synapse"; "arbi-config".owner = "arbi"; + "nix-netrc" = { }; }; }; @@ -143,6 +146,7 @@ "cachix-personal-token".owner = "ccr"; "git-workspace-tokens".owner = "ccr"; "autistici-password".owner = "ccr"; + "nix-netrc" = { }; }; };
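Review bot: The added substituter `"http://sisko.wg.aciceri.dev:8081/nixfleet"` is plain HTTP, so the transport gives no confidentiality or server authentication. Store-path integrity rests on the `nixfleet:` entry in `trusted-public-keys`, and any entry in the file configured by `netrc-file` just above that matches this host would be sent unencrypted. The `wg` label suggests the endpoint is reachable only through WireGuard, but nothing in the hunk enforces that; either serve the cache over `https://` or record the assumption with `# plain HTTP on purpose: WireGuard-only endpoint, paths verified by the nixfleet key below`. Separately, the commit is titled "Remove unused caches", yet the two mlabs lines are commented out rather than deleted; dropping them keeps an unused cache key from being re-enabled by accident. The settings block starts outside the hunk.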