From 0bd4036cd5289b7fa79661254db828d6fa639764 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Wed, 27 Nov 2024 21:03:50 +0100
Subject: [PATCH] feat: remote builder
---
 config/basic/nix.nix | 4 +-
 config/basic/users.nix | 3 +
 hosts/mailnix/default.nix | 32 ++++
 .../mailnix/secrets/generated/buildSSHKey.age | Bin 0 -> 1190 bytes
 .../mailnix/secrets/generated/buildSSHKey.pub | 1 +
 .../idmail-mailbox-hash_catch-all.age | 32 ++--
 .../generated/idmail-mailbox-pw_catch-all.age | 32 ++--
 .../generated/idmail-user-hash_admin.age | Bin 865 -> 791 bytes
 .../generated/idmail-user-pw_admin.age | Bin 792 -> 784 bytes
 .../secrets/generated/resticpasswd.age | 29 ++--
 .../secrets/generated/stalwart-admin-hash.age | Bin 860 -> 845 bytes
 .../secrets/generated/stalwart-admin-pw.age | 28 ++--
 .../generated/stalwartHetznerSshKey.age | 32 ++--
 nix/rage-decrypt-and-cache.sh | 14 +-
 pkgs/scripts/build.sh | 48 +++---
 pkgs/scripts/deploy.sh | 140 +++++++++---------
 users/patrick/dev.nix | 26 ++++
 users/patrick/programs/gpg/default.nix | 6 +-
 18 files changed, 243 insertions(+), 184 deletions(-)
 create mode 100644 hosts/mailnix/secrets/generated/buildSSHKey.age
 create mode 100644 hosts/mailnix/secrets/generated/buildSSHKey.pub
diff --git a/config/basic/nix.nix b/config/basic/nix.nix
index 76bf159..2729536 100644
--- a/config/basic/nix.nix
+++ b/config/basic/nix.nix
@@ -6,6 +6,7 @@
 allowed-users = [ "@wheel" ];
 trusted-users = [
 "root"
+ "@nix-build"
 ];
 system-features = [
 "recursive-nix"
@@ -59,7 +60,4 @@
 };
 programs.nix-ld.enable = true;
 system.stateVersion = stateVersion;
- hm-all.nixpkgs.config = {
- allowUnfree = true;
- };
 }
diff --git a/config/basic/users.nix b/config/basic/users.nix
index bd9ee3b..39c8f18 100644
--- a/config/basic/users.nix
+++ b/config/basic/users.nix
@@ -42,6 +42,9 @@
 paperless = uidGid 315;
 stalwart-mail = uidGid 316;
 build = uidGid 317;
+ nix-build = {
+ gid = 230;
+ };
 systemd-oom = uidGid 300;
 systemd-coredump = uidGid 301;
 patrick = uidGid 1000;
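Review bot: Adding `"@nix-build"` to `trusted-users` in the shared `config/basic/nix.nix` makes every member of that group root-equivalent on any host that defines the group, not only on the builder: trusted users can push unsigned store paths and override daemon settings such as `sandbox` and `substituters`, which the Nix manual itself describes as essentially root access. In this commit the group and the `build` account are only declared in `hosts/mailnix/default.nix`, so the entry is better placed there as `nix.settings.trusted-users = [ "@nix-build" ];`, or at least annotated where it stands, e.g. `# root-equivalent on the daemon; only the remote-builder account may join this group`. For an `ssh-ng` builder that must accept unsigned closures from the workstation the mechanism is the expected one, so the concern is scope, not the setting itself.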
diff --git a/hosts/mailnix/default.nix b/hosts/mailnix/default.nix
index 9df86cd..a568ea5 100644
--- a/hosts/mailnix/default.nix
+++ b/hosts/mailnix/default.nix
@@ -1,3 +1,4 @@
+{ config, pkgs, ... }:
 {
 imports = [
 ../../config/basic
@@ -24,4 +25,35 @@
 };
 };
 nixpkgs.hostPlatform = "aarch64-linux";
+ users.users.build = {
+ isSystemUser = true;
+ shell = pkgs.bash;
+ group = "build";
+ extraGroups = [ "nix-build" ];
+ createHome = false;
+ openssh.authorizedKeys.keyFiles = [
+ ./secrets/generated/buildSSHKey.pub
+ ];
+ };
+
+ age.secrets.buildSSHKey = {
+ generator.script =
+ {
+ lib,
+ name,
+ pkgs,
+ file,
+ ...
+ }:
+ ''
+ key=$(exec 3>&1; ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -C ${lib.escapeShellArg "${config.networking.hostName}:${name}"} -f /proc/self/fd/3 <</dev/null 2>&1; true)
+ (exec 3<&0; ${pkgs.openssh}/bin/ssh-keygen -f /proc/self/fd/3 -y) <<< "$key" > ${
+ lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")
+ }
+ echo "$key"
+ '';
+ intermediary = true;
+ };
+ users.groups.build = { };
+ users.groups.nix-build = { };
 }
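Review bot: The `build` account's authorized key is installed through `keyFiles` with no options, yet via `extraGroups = [ "nix-build" ]` (and the `trusted-users` entry in `config/basic/nix.nix`) whoever holds the matching private key gets root-equivalent control of the Nix daemon, and the account also has a real shell (`pkgs.bash`). `keyFiles` cannot carry authorized_keys options, so switch to `keys` and prefix `restrict`, which turns off the pty, port/agent/X11 forwarding a builder never needs: `openssh.authorizedKeys.keys = [ "restrict ${lib.fileContents ./secrets/generated/buildSSHKey.pub}" ];` (this needs `lib` added to the module arguments on the first hunk's `{ config, pkgs, ... }:` line). If the `ssh-ng` client in `users/patrick/dev.nix` is the only consumer, `command="nix-daemon --stdio"` can pin the session to the builder protocol as well; the legacy `ssh://` protocol would need `nix-store --serve --write` instead, so keep the two in step. The generator's `ssh-keygen -N ""` producing an unencrypted key is acceptable here since the private half is age-encrypted at rest and, as I read `intermediary = true`, is never deployed to mailnix itself.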
diff --git a/hosts/mailnix/secrets/generated/buildSSHKey.age b/hosts/mailnix/secrets/generated/buildSSHKey.age new file mode 100644 index 0000000000000000000000000000000000000000..7c8dcba46e759791b9cb08d7ea36bf334468413c GIT binary patch literal 1190 zcmY+<`)?Bk0Kjo2#9$}eLi86RQd~en?RtIQ7Ioupy}qu`d-Sdq*{OV|gjHyVPHCjm8S>x+YRAin zSF5>9qLd+$gi0hm3=Gxi1RZe_s3pW(IJUb*u}eCZ^D2&zMzh%`f|9FP6^GknPW$*= zP&Y&Fh(eVyp(;>r4S-=nNW>(Dh2Ub$0YT*+isNF*o)jJ>B-vyaaBNPWZ za4zWffti}-E(nGy8ZK9njmMo?FYuH_6Nx+tnIStH!CaM6l}pBeB2=_+vP%F&S5c;_ zNP*Kx5-ioc8CO80G*bfU$SVvR3`A9#OUC)`fIz|dBE}G9$>t`a7R;NDVIDnGLY}hz z|El>tIcK)DhGcB+l*%cTDSz0xcj-7$#2TLjvSSVI%KARRedz zUb~1DxMb8XG4Y_5;QSP7%Z4>fe#&xJdg7&o87h=rP!Mi$(g3rb{fGuJSCBk3dEs zPlj!hA&40+SEMxE%eN9D1ULbc5Yv-H2(z)eEt1FvaKa;^9Wtr~(GXUNhV#ilA>uEB zAP7@EXu=gHG=vZSmt?h?i6X;Sq@-k^Nj{${qLdnq`m-rdp_IXk1sZdT6xcy$AW+~< za|Y6spQe~oXrK_{-w;`hfFH?;j)Kl}1cyw~$^>bF;Y*Qe{6 z{@A^2&G1k||IVXFCPp?6&Fz`EqSSZRtyq|NU+LU?=c~sjyXcK~2XfmYTfn}TZp~m9 zF7NqtQ~jKQGsErebN*bo?#}Tyzl;Xj4~5?l-ZJVgoE<(@zwcO$-8#kZQ+C4+q7mtFE6m_!sf_`yt^9eezH#+S0YZonVJiTDY@X{6YzqP%x)O#Z@o}Ha&yZ&?SP}`B2!J*{~R(_Oi zn!I%G2DJFdBJ#}0YYz`set54S^lrZ0a_d~zXnO2~c_*^?-NXI20J3TAhVA#REZDyM z*~Zr+(%Ds|ZBrLdpF0VBm|8VB-Mjjy`XBG#Y#DDH6?eBC_~iH$Wxe{$z|EQ*Fn8{6 uSbuMeb2D5Sl*(h1zxO$Vlilxpe^fU&4qh9(bc`QZ(fMfl?OgxN-~R%J%hMbH literal 0 HcmV?d00001 diff --git a/hosts/mailnix/secrets/generated/buildSSHKey.pub b/hosts/mailnix/secrets/generated/buildSSHKey.pub new file mode 100644 index 0000000..54e5465 --- /dev/null +++ b/hosts/mailnix/secrets/generated/buildSSHKey.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5PpLxcHVOES86RNuukcbIoRIlSDoBFEp3KPvPzwSZ7 mailnix:buildSSHKey diff --git a/hosts/mailnix/secrets/generated/idmail-mailbox-hash_catch-all.age b/hosts/mailnix/secrets/generated/idmail-mailbox-hash_catch-all.age index 03e9d70..fdb8f23 100644 --- a/hosts/mailnix/secrets/generated/idmail-mailbox-hash_catch-all.age +++ b/hosts/mailnix/secrets/generated/idmail-mailbox-hash_catch-all.age 
@@ -1,17 +1,17 @@ age-encryption.org/v1 --> X25519 7NpA9hDsF1TwTVRvAKHpovHSUCr0Gg11mzsubZemyDs -3eE/PWJizZWIDMr3Dt6012F6db/nlmhpM8y06eLO48s --> piv-p256 ZFgiIw Alb1ynSHX7YiSZkhDbId9MGoQeRacJJ9Mv4a64WVxXdE -gTRZ2XC+K6bZ9my7B28oXJGfQ2fvHFZHDTGWfjzQMdA --> piv-p256 XTQkUA AhrEyyEHX3BxETBIWDmbK5pfzmfcFCmTWX2psLAzGhYS -XFR2JtZJikRDATiZ8eflzShfvrrUMLp00s2+0N54tiI --> piv-p256 ZFgiIw A/MHWK7H85OTk0JLH8y0t7QHcG4xRNwYwEuWPuVBLojT -Vbwyekt8SwUfJzfyualAekCf/MGW+Igs/ZALTydd9Qc --> piv-p256 5vmPtQ Av/BlH1sZh++RL4fh2NS2HN7yipM9nLfT90OiRh9Flbj -kzi2VBRvIxbBbze4iBahMGROtnSOKznXzCNS0PR9TG0 --> N"-grease p, Pb+NMCL ^ -BeBdV3XQgNJVO309KZx1hphkECZLRrCqPmEoR3pEzB4I3L8Q6ur+4ALEy2mLjmSp -Mir7Hdy3Pg ---- Klvxozur3RYybVYWbakGVXiTymaTfOoFXcwnj7hsEAY -믰zRx-r@`֫?kaL53ܘ}Bʡ7-6B»th릂$h&B.7O.kgm5 -PڏkѱW41Gy1% X25519 h8OLMwPUFKNXzJ1edlaA04bW2e01AKT5kHgOZ6cABWo +nY7s2G16b9ekcsrTFttHtBs+jikOIUUkbzNz+8o4Rto +-> piv-p256 ZFgiIw A7eQWNtKe0sOTfroM+2M8FBHyKmdqMgCe9Gqi7ocqc5h +fraNvIFfPFUUqam22DljaFuQkbH3BEdkhu4c1sqiI+8 +-> piv-p256 XTQkUA A6n62U0qaztqqO8W7gf/qvM/rIyic4SSVrvaOxiIIThf +5FFoMCzUCclVsZwTrrSZnZA117iI9/O1HDPSPfZ0dwQ +-> piv-p256 ZFgiIw A51hnMPc7+zsnI7SI2YNaQY4ZT79BOdRrrL8eE+4Cj5G +KmdNeq7ucj1LBVwMMsDw2hdMTjflgJ3MDptP5doA3Lk +-> piv-p256 5vmPtQ AvQFCl4sVuiTEHLdy0v+DzK6Czah1JJd2yUYHhW5+kDW +94MRzY0CXgS8R23xPlKT3MkZE/G/pYaCd7XPe5B5BIY +-> 4:bi^-grease +nMsgcFv+J2d+auxMxq1ZrEp2YH8FnX2UAF9wLE8bf/n+Szkcb+ZZCM1r3yV2ooif +KtY +--- mgyHpsqrpplGUIeksuwaT+ManchIcH65t2ZswkvWu8Y +Z0U>6vzh8-`8t~1_c粼T&GE ѴY +Srxn69q>\ţCGEԜ9ZR˨/sLRJE1_p|mC1ɹ \ No newline at end of file diff --git a/hosts/mailnix/secrets/generated/idmail-mailbox-pw_catch-all.age b/hosts/mailnix/secrets/generated/idmail-mailbox-pw_catch-all.age index ce4fb2e..cff9906 100644 --- a/hosts/mailnix/secrets/generated/idmail-mailbox-pw_catch-all.age +++ b/hosts/mailnix/secrets/generated/idmail-mailbox-pw_catch-all.age 
@@ -1,18 +1,16 @@ age-encryption.org/v1 --> X25519 Ud9UzEUeDmMIb90vOTWVkdDvIcebEwSzI4Ii8M5jAUI -4rloQ7OzT0voyVboOaWLvOxvrlYxtcOY91dt1lq6wtg --> piv-p256 ZFgiIw Aro3d4Lv0WTRa1OiE1f0hROViqhes5elbt5a+uKCS0y7 -UZFViBihW5si4+JbzN1OyzWDuWiFwWfoVls+EH+EUmk --> piv-p256 XTQkUA A0mE5ni66UlnsafkVu3MK0N6aTX2UtV+jADROmg4M1aN -cYqc/9CCT1PC3inzqfQvK59MCHHNEtIhpvOvqL7E2nA --> piv-p256 ZFgiIw AnFFxNY3lsY4fsze7Hm4vAmK7zZKGA4qEfSUH5aIkQ4j -1OwdPteTYQCWrt4IkRhflolMXJ+FUMm91n3p7icqnsc --> piv-p256 5vmPtQ Amg+62BwmCb9ZQmZ74PzT0/FheaK2OzfyGgbHYcyo5Cl -OnlF+hKq6p91i3Jk+iwYQ2ByRTgmZX57mIAIpMRoCD8 --> >aAO.fE-grease ' 7nl% c#t R]jw \ No newline at end of file +-> X25519 C9NITC3gtm5VFtiAkXSf7cyTJsQmVBI+4bFr0y3B+zM +VSWfR2UuQgthDNllrgRvLhGRVScvgt+PX4QJ+3qVRgo +-> piv-p256 ZFgiIw A+3wjbiWaoMtjAp/27ibZGkSILthx+tW/zECzuoeLOHq +er2Cxn8kSKhtkMMRJCTCS7aniUmIVkzXg5dsDV/opJ0 +-> piv-p256 XTQkUA A0G+RwWjo5MwYX64BW6beOePDKVjwP5znIBDvv05b++z +nQOGoVVgwTofjzVW0MkkpgGg4U+1F63TAsnluJbo4No +-> piv-p256 ZFgiIw AnneHrm3kpe8vWMjVB/JlTeFiiKUP+2vecNYEw+JiKu/ +hUcdZSXo98byAsadmfWiB7UyudrOQZYVYR7ypRcY3b8 +-> piv-p256 5vmPtQ Aj9rtohDiMAJNy/aJL4+qeTpNjhMS1rrKOugGXNOAhhu +kVmfMupNBNV21RI4BTspu1xtdtyP73SUolmTZEyDs+k +-> \@ma^t-grease ! YP$J4W ;Q d6YZ+f4X +eChvjZgQhd7isLuN+dOJ0xORqeT6UQmg7LnJgvALwonCax2NC1+rLR1cJKOskW9I +/9H9s8EbAv5oasYmraBMDiOEn2WULSQ6a4VRCg +--- 7CrdQczJS2Wdqjpac3oexXv4rogT8CGXmqVeCtuaL60 +u*`ǂ/2Lkyq]*jrƒ F7/]f=y$;@ zHc nlм|: \ No newline at end of file 
diff --git a/hosts/mailnix/secrets/generated/idmail-user-hash_admin.age b/hosts/mailnix/secrets/generated/idmail-user-hash_admin.age index 26bffe7b32cde9a4661bb3fccb7633b5b3acf0d7..bd7bcede8e372a4b59cc5a2d8f1170c68f82d50c 100644 GIT binary patch literal 791 zcmY+<-HX!(003}NhLDHhy_^reWMj%$%_U8n#NeFX{y*F(@J+jY*}&E@w;pSmw&q(5<=}k1Dh2-02Py zAT9`Gc9hXv1&^4T%O`fjox^Bcw&GE9Oz2p}pb)nvb-KtqA?U?WfMPhPsO0m~Jn+*} zI4>YtvD_pWp%>vUor0t65lgL$Zi50Tmna1!QIb5G=-IVytTm?+4y&F&v*00SATm>o z5H5tPbrw(^ujA_iYc7`>BQ`B2lBJ?kho<7d;o!-<*;GBEHnCH)qt^c~rH4tP7jSMe zQ9VbuY}6>glrYh);ym&Zxt5gpDod`-eXrm7`q@`IH`?v{x6U(%8^=Gq_tOuBs}S>Y z_xIOZ55D`B**dVV?H8%_Kl1IHTj#EPv4}rco_4-JB=%oiXm3H^94@9FFD&dFy#06S z`Y%ro2yXSy&FziN%Wrm$%+McG-EPt z#6?j@4w}krG8EyQGu3kLZ0EdBXZk9V$B+Wks8eUSR43zVvr`ne7$_?bFXg?^!!ivw zB}YKOoGhNSbafVLOpB@da4dVfp1M_qs$9>vOM}4!yzEHIRGc?{qgtGzX~R_tAfJmm zMA+ST;YGx%gpo73yHy{IT>XJIEOax><1X21zLFzeXL zk)CMDw2iydbTT7AJ_68gi+Lt8Dp?6#j~Y8#G+TAd_wAKKCCYqDp*R{F)2TYzBTral z8Bce!vkfmIB1#z==%Ej!IdAr`Q<0;ouh~PtGjD2-nw@8{EhwlpS7dS`6KYu@uyeV z;n&ws4o?c?>EGVG2r~~J)=BvGKl*D|51v20{bTao>fbxh1h9Itdk|{VOemc*3-Y!&ysAtorFLV zI(5vFZk^h(OO_*$DTPaDhj7_5WNx7lNTKN?feiN-eE7n575Z&Ic6UvhgCsskb|F^c zt@bs)xVoU56-HU`V21{8TBMzC*o=495=5_eo_6}6H{ zrV{rUXGS|t)QIg7Fcma1JHe8%IZ_Ha{;iOLvYiq%gV@6mOe%zjZpF;lTmmfZ%qzw# zSggVuMcfCor8BjW{V{%`B{Pxk_NB$Lfko75rn=1I zM(tG>EK64-gGYE`0UDG>U0I%VCS2Yjob`I(QiJXkLyM$TNkJg@`WWQpuEpAcIv(IO ztWarG$CfEdAjcH1Sb5$EDv@at0> za#vN#Z8pEbKaMCV4C^n<40_jqV5+EV|q% zxr*>71r$&grWzv*ky1Rgf~d@q ztG%yUM|~M}7JPS`$>IhswsoZ|f=*xU(QYG^ zqIzAD&h|5?YcAgK^m-PIYkp46eVQ8<#<+}YtsCkCqjmE%e0ZEaI=_Ec`Td8#KmYE7 z<7eIZ++o{aoXh0xpTCzcJ(&OW`jgXN|8)Po U_2G|yJ$Vj(lTVe89v_DP0aR=ZVgLXD literal 792 zcmY+=JFnYh0D$3*O5QtkKuV_yS;3C4iI5K1iG7X}$G7;7K(Za%`FywIOMKL-1+jMN z&~_|ELTv5Az{CU_VxzDy7Ik2O0ay@p=x~0)qxbdVa2ggtGgd7qi+9T=M*0~vJ)77V zNzN9N!58M~+EoV~!^*7n`B2?iHnQ3Ku&SJo$XJuS1&G$rI7m&G+9>L~Fy-kGUbOrn zYj8>{&_3r}g4xqW?(pNPF$C_lP=S70VI(zi`4|YpgefxK3z~p2bBFDz%sTGc4mlse zK}y_H%>s>SB&S!y`IPua;_#5X6FKF+T`B>P-x)d|x$Ihy#m 
zEJYwOP19Omn1&rGIed`Uj9?ZRtQm}*3l^@4Ml|$^{##FG1!RIm-!E1|KlJcrNadx5Y zWt?8h7iB~R?40yyk0M~+(r0SG2(SV#xfA42JaDn2glGw1EU{{82dhmW5A^u_mYUH>Nd T@q^#3_v$C_-}>##?aTiF|LPA@ diff --git a/hosts/mailnix/secrets/generated/resticpasswd.age b/hosts/mailnix/secrets/generated/resticpasswd.age index ca37fbd..d676d74 100644 --- a/hosts/mailnix/secrets/generated/resticpasswd.age +++ b/hosts/mailnix/secrets/generated/resticpasswd.age @@ -1,16 +1,15 @@ age-encryption.org/v1 --> X25519 PdEHSeb3vou1ceHtkrlTbsu5BGWZ2onVCXPCwmW8znk -q8UKSDCiI+oZp+iODHddauFYFbLdc82tEo+Bsu2bgbo --> piv-p256 ZFgiIw AnZuTRltFip1RHFY1dr+uTJPGbAYFzWpU/HEiZYuMIgz -r0nxJt1eZsXsnCnQ0Ls+kYqyz/PJCUjef9uvziqMqls --> piv-p256 XTQkUA Au50Oa5SpTyUFjF4W6ETiofTruRqQItE94SmHRPzR4Y2 -T9m1cYYtJr8TQuZYquoJUM+uDeim8llDiMVk3N+kDqk --> piv-p256 ZFgiIw A/6WS2AnElPTKjwYT6K7CWnL8bolB6HNlQnuqjQ8lKt+ -/0StgIwLSpVT7NyOJLxsPJz9TtfAOZU+qWls8gYkkFE --> piv-p256 5vmPtQ A92v/hxaXEVRNqrsNhFuKCn5TllPrJCGk1e726IDBVo+ -+yCS8ZD3uO4UWwMhk9xqWSWZ3UGgmBkIAqAtBGKF8Nw --> a^_IFyLy-grease -smwxe0ZqF7Qc1wsp0rYM20J5FjFiTQV2UpYfUUgt3edM0+iMmBzHG9EPxKjGNmt9 -yogZ0dRKId6mKtaNJeLHUDaCMhIsYAcrhNVGDvG9JOPdhRx9Og0 ---- sG4CDChcMPfQS4gtEDGd+bH/WKNXi5ohWX4NTNkaAi0 -⹎od6?K|$ d(@) ӷ#Eq(!jY`hlL!_ \ No newline at end of file +-> X25519 3RgX2VmSDapxJiZK9X6FKJPgY0+KQv1/WTQjdLI3kx8 +LG5Rg/i6MxWETS9GlJEFmAjvFlnGgK6jzNyiK72KK/4 +-> piv-p256 ZFgiIw A0H0SIYntYF4+2mb2vxv0XwP71ucvywY5XVT+zU9tgqf +auyYU2LhqeAq6kQWMQRZavgpY7+fCbUIl7EeGblHDzM +-> piv-p256 XTQkUA AsmspPZL/5b34zkclSAIX/FIZZU2tE3/M2XswVg5CvmR +gIV/00PSjr5pdIfLV9NqVBDX9hSAavB38RpW2RSrJ2s +-> piv-p256 ZFgiIw AhuPJgO/tKGP0HreiqFjFWalRgbll1fYGhWb5kK7a4hP +e9oJPqmGf58UdTTcd5DM7PtE/08x2HM3oMXYe/rQYRc +-> piv-p256 5vmPtQ Aukw861aPJyok6rFAW/kuH4WI3swri9Vl8J4bD7Rr/gY +4+/nC0yeI7vJdsFP8uWUcdx92agTs+9bkloIuQKutL8 +-> +4]A!-grease L#S +TdoI3ma07LkywQKU +--- RmFBAPozJf5KlDygAiPTprVgM0CTL0oL7kV8WRjKn90 +zUpBa1UXik#sܫA:`#NyA`HҹIIQiPvxe )[dsEt \ No newline at end of file 
diff --git a/hosts/mailnix/secrets/generated/stalwart-admin-hash.age b/hosts/mailnix/secrets/generated/stalwart-admin-hash.age index a341ba530d35e5b4f3232ee96ad25026592c95ff..53b498c094b4beb4d1889f7a47c05c160a57e2c7 100644 GIT binary patch literal 845 zcmY+?J&)UT0D$qSKm!#>ER`ydTM9xKT)#UpcR+0?j_q?2+ezvd)K-b(_$_{^9XtN} z2ADt{4%iT)WkF?NKnNB#kbnU(wPL!e3<&W7kQln0Xon8>34VH{XYRSMn>abhHbI(P zN^=jXuonC_Wa1QsF%Z#As~p%ARf|TA>P14y+9GC9MYnvK6E@LYwL^byQ-Ex(dh)Vw zDioLKqHB4j*09)mIJWU&+1G`Vi4!%7XR2fEdyj=IsNf8zXvh}4K-xm=TJ;hjuS-jI z{El6C3lwpt+A3epzRs@3aFtbn#-bl~>qks2pK-SM$PvX|VXJMbo^J~8ATU}rvg z!lJ5J-DnV7mI=_sjTmW2ipFcS$N36Ph*yYqL>Jpt*Yn&k=*@;8n6^wg3+g5bt(%33!!-mC=(IQYkoB1v0)K12^o^IA5X?&F5sRh zMVkNU3>bzgn{-?b*km6u6hw;JH#+E}qq@&JJ>MfwU!$E@!c1vcb~h| zg%4l8`^&kby$9#c{QHg@oyv9+?eBw~uRa#<-@N<7g*!iecz&Tgy!p}Z4{8`~|M<^~ z5`O!=!9j$)bnWQB%eN0dtNwcZZ1;uV-v7M0clr40_24wZ93MS=13x^zVIV>zbs^3t_B}B+a8~vb-xylIGp!(L9=_2R#WY zf;b(*C-^vcRK$S_6Y=6f+`&0L?J`jm1Z5z2*hNwB@cjipesy>wZ$c@<^p*{le9 zTNvn`15E@)VG?82YYFmkUVsBkf-ykG9<$K{0Sa2NBzV!z>VFv*GZqyPriv ze&fz@ogeIJ4Wg%HhpXnXPR(LsAWuesDe#=pntBi8Gpa3AkLlpk?7}ugDqA5&ev)D+ zDNaZnYK~c^DzCI5I4sIOhY%Sou>swx9zk#vVJR*<6^E9aPIeY7raLTKV}<~f#au;o z%J9l6By4PBjNm!Gub0cZf$DK;`s2{gSV%1W)$ zQYC}Kbgk}%sW{giFDr`FbP5}@%-MtfB9@JJOXGn4( z>^c1`MzqCFH3czxhx2e!_I5}E6 z5h_YnXCH+4mR*coeYu(>eXP%H<`aFfi*Sbz7*og^EpLf-zy^&5lzt5nt0YO`dKUF! 
zR7O@2>GnFi@s0ty-7c7vm1`?fDRJ{WOEtWc5meBwp;A=SAZ|Q%R3XB^q%EugUg#yK ze*5#%?ZfLQANUaY!#d4A|Lv`#_^0z%Uil#Y;?5gC-uKwu-yb}>IlT8S;rbJwetp@V zfj^vi@8+G?KEJ^*Z#vh;=x6%HSJx-*|MKyVet-Dq@4k9DJNL}Nlij~Q@uXWHBX7O` x`uTUid9i=uo?n=EE X25519 GPymk3LLzkZtbBTHtb5BryUrBoDLImS86IoNS78OqlE -YrRCbTE595ZhRw6VxiBS9lTWB9yP4kijFqSFFdIiUpQ --> piv-p256 ZFgiIw AsaTyNrw7YuguAOnLv5BFyU2lW61yY++gJmgNq2M+0wq -VGtlEXVaKpzomsLzjEiBtFE3q0emFLHsiWdahPS/WJU --> piv-p256 XTQkUA A+Jsj+fWxo26HKlA5TOM2nB5WggS6TVRyfhKzNFQxpI2 -RwQp5jlvHByeXPPsov5wMEuZ2pED/iFpVBVXVrKshH4 --> piv-p256 ZFgiIw A6HBCYbgWEEBsBQpJfiRwu672I9QOI2JF9eSeCztlBKJ -LOcgLvCIGWvs9Vhc1VuvGlYWKbnkJdngVhBDbdoMSLs --> piv-p256 5vmPtQ A1VVL35NHnMdTROSGAKYG6V32v2D7KVo9eHuRPqejzas -WvdUexTb/Di4mv5owD/3ug2nn8Le/TMgJ+hZYbuED6c --> M$iT~z2-grease SDOB\mE" Zxfxg kZ\' LB@$4 - ---- 2KhnAceJmwDjVhuEx3saTPzXbDOAjFcpp4DH2lgqsZE -QIu{ʼEv7s^eL%Akih_$r"z0AIq* ScL \ No newline at end of file +-> X25519 cAZnqaUIag6UnwLKnfF8EHwSzGt8sskaUyS8buWd3mw +hOXAQzWEmpJhk8hA0DxPgVUBwBlCYaSOE+x1MpSZNhY +-> piv-p256 ZFgiIw A6ahySY+PyEWWW3DZCfaIYszijTLZp+uBn1EpKeTyllt +u6Qe5KMHEwNQBygQg8pi8By+529Ln0aQBCWWuki2fQA +-> piv-p256 XTQkUA AufkVYexxdoH90WE3WDfkMwOXh6qh0C3lXY9Rhb7g6mU +dLHGSGhUS5FYQkO1MrlYGuljrKaaRDgtfpw+Gi6iQNg +-> piv-p256 ZFgiIw ArZckrqQo0XEcSnhBOfbePBjWjcpaSKqnj4GTHCTd2KB +514eHJ1tOTYhD2mHRXCwDcuqFqFpU1nNsGoH0eEqn/w +-> piv-p256 5vmPtQ AggvfcieYkV5CNUGAHGVQYPS6ghcLwoOZA+ACnJk7SLL +soTSl5rsCYp1Q8dKryl0d7vQaLRVz1m3FiMvtROzVoc +-> N-grease v- 1"Wb wl6i> (\@7 +8VnJ +--- k/wLOK8Bm7WWVTEHFYSwWkYQsTYJX6vm9BPiIWOSc+U +"Қ-$חsr\Vaȍ*t@d WJu%/&IoTOvָn \ No newline at end of file diff --git a/hosts/mailnix/secrets/generated/stalwartHetznerSshKey.age b/hosts/mailnix/secrets/generated/stalwartHetznerSshKey.age index e379832..9783bcf 100644 --- a/hosts/mailnix/secrets/generated/stalwartHetznerSshKey.age +++ b/hosts/mailnix/secrets/generated/stalwartHetznerSshKey.age 
@@ -1,16 +1,18 @@ age-encryption.org/v1 --> X25519 rLdYm0p5eFCwaK8u7dz/Qco//mCdnylMwhLo6nX28R4 -0XcnRiSWtCyxn1YISgdt/zVIFKPBPbKOueh+L1f62Fc --> piv-p256 ZFgiIw A6fWtzhy3ylrbXZG4xjSGRh3Qrk7ZwMS7Fawt0XZvESm -wAMOQQvRnMCJ5DriuLHRsc9zJe5UazJBVvNNy97jJos --> piv-p256 XTQkUA ArhoKZeRdRGXbHOcLiPcT1AruJEE7hckq7QiGKLfcm9d -YXh4slVMY/U+DfCBW6V/4Uf60Zb8RPyd0PrAHHB8xDE --> piv-p256 ZFgiIw AsjeXhDC4x+6TPG902gZSlW9qFC0JVoznTVmnpQgip9f -ZxDSKVSBiGCGVE1w+8yZwEJx59DkdFy/6Iq1tbHQ41I --> piv-p256 5vmPtQ AmlUti+62DpPs4k9HN+ZdKry9pwPjS1HAtnTq9xm1zT1 -zTmFw+xHDQSLkDyVXC8MtlxD5cw/tQ1yK5zlYoDKv8Y --> w0-grease /mVZ/4hd jq'R -fvJoC6ucvHgsXQysHHQhXQQ3TMUhFIPpSHwOURHSHn/+9qFVd02Ey0DWl9LujA ---- 5VjQP6nmIwBXtA/0+zL+EQt9eZHtyp6oD6u5IPgW1s8 -0s((ىX5UJp}:yAr_ã6 -XDF9֟?1]4{Ehƍꔿ&~SA֭ S dVJeS0/WGp^fB"^ӶԂN:EiB޷lK4I1'K2>^ݽL)x\q.#.Yr8scNRQ66 xZ)عBv)ʞ4" $K d Mp*=Ρ垫Os3CE#;!..4IT{fTlѺ{ձbxHn7^ˏ_%5fqPLl`0?-!uEJ[%bENWC,E11a1{EPcXTsB m]RH"#vaXA(qc`՟&Oap%` \ No newline at end of file +-> X25519 3JaB9SFo35zKLdSE+hZ7lMnkrP2lWmxyFnwVm6t0LlY +2xZW1OBjis7vxOMgfgoP9bdP100+3ygPN67Li8w9xS0 +-> piv-p256 ZFgiIw A2sQisyYFMNlHr/R4qMk2M/u6PeX44Xm7j/zCzeVBc+j +5m0H3afrYfe+Zb+u3n5cDVKeJi1dT4t2gVmRjRZ36/I +-> piv-p256 XTQkUA AjNbgb628e7O35YJ9LPCPekshCVX4rtmYoNpEHGf2ZGQ +EvXeSXWeH8VI1l60f6yeJX5DBNaAslwjXOGKlq2vYTU +-> piv-p256 ZFgiIw AvCA/khyjqHaDqsUwDk+JO8COiO5cWuNAMiZfadcknt6 +Bmh/Sq49LGaVep6vmbSvIX1OtRClcLezyUYGcnqgzls +-> piv-p256 5vmPtQ A6TitgQQUzNKUrjLgsU+6QkHP53f1kmx0ZGVPdN+xIiY +IpCyE/YV7HRYC+FRcVqLZmz0p8ueVErkl6zuAamRCXY +-> M+.N!SP|-grease sp lhrKY`> k75p`;=t bMkPFBx +CDJYAj2yESkl0JqCjCC1Ud0fRO/wqE8ZdI39F90cKKWk+uu1VP5oNZK33aSu+tUb +kVnxDbFligk6kxPKTvzMWs4xtn0IidtsY10 +--- UoX3XKKRjOlgYFNaVwFBhsCl7bHgm0VMEkJxU05pQW0 +v!7βڴq]P<*zFb AAr.p벳СWrn6v1Oѝ-oxT]}ͮ9EO?Coh wL{(k"; <!GA)v<ՊĢ-^9R{/9=lb^"sq*D +pLPwVpU3s;e\]Y3ka@\' JA_Bjn[p,eЄRL#+RU6*oƶbi(̺Q)]?=%8UĮWD!mqi=95 t0\vEm82(g`#Qx~ɵhw)4 'y|G%VmV+*X7u$ +=ڮȸ.xU \ No newline at end of file 
diff --git a/nix/rage-decrypt-and-cache.sh b/nix/rage-decrypt-and-cache.sh
index 3291530..19223b6 100755
--- a/nix/rage-decrypt-and-cache.sh
+++ b/nix/rage-decrypt-and-cache.sh
@@ -4,8 +4,8 @@ set -euo pipefail
 print_out_path=false
 if [[ "$1" == "--print-out-path" ]]; then
- print_out_path=true
- shift
+ print_out_path=true
+ shift
 fi
 file="$1"
@@ -28,11 +28,11 @@ mkdir -p "$(dirname "$out")"
 # Decrypt only if necessary
 if [[ ! -e "$out" ]]; then
- args=()
- for i in "${identities[@]}"; do
- args+=("-i" "$i")
- done
- rage -d "${args[@]}" -o "$out" "$file"
+ args=()
+ for i in "${identities[@]}"; do
+ args+=("-i" "$i")
+ done
+ rage -d "${args[@]}" -o "$out" "$file"
 fi
 # Print out path or decrypted content
diff --git a/pkgs/scripts/build.sh b/pkgs/scripts/build.sh
index 91bdc13..f2379e1 100644
--- a/pkgs/scripts/build.sh
+++ b/pkgs/scripts/build.sh
@@ -1,55 +1,55 @@
 set -euo pipefail
 function die {
- echo "error: $*" >&2
- exit 1
+ echo "error: $*" >&2
+ exit 1
 }
 function show_help() {
- echo ' Usage: build [OPTIONS] '
- echo 'Build the toplevel nixos configuration for hosts'
+ echo ' Usage: build [OPTIONS] '
+ echo 'Build the toplevel nixos configuration for hosts'
 }
 USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) ||
- die "Could not determine current directory"
+die "Could not determine current directory"
 cd "$USER_FLAKE_DIR"
 [[ $# -gt 0 ]] || {
- show_help
- exit 1
+ show_help
+ exit 1
 }
 OPTIONS=()
 POSITIONAL_ARGS=()
 while [[ $# -gt 0 ]]; do
- case "$1" in
- "help" | "--help" | "-h")
- show_help
- exit 1
- ;;
- -*)
- OPTIONS+=("$1")
- ;;
- *)
- POSITIONAL_ARGS+=("$1")
- ;;
- esac
- shift
+ case "$1" in
+ "help" | "--help" | "-h")
+ show_help
+ exit 1
+ ;;
+ -*)
+ OPTIONS+=("$1")
+ ;;
+ *)
+ POSITIONAL_ARGS+=("$1")
+ ;;
+ esac
+ shift
 done
 [[ ! ${#POSITIONAL_ARGS[@]} -lt 1 ]] ||
- die "Missing argument: "
+die "Missing argument: "
 [[ ! ${#POSITIONAL_ARGS[@]} -gt 1 ]] ||
- die "Too many arguments"
+die "Too many arguments"
 shopt -s lastpipe
 tr , '\n' <<<"${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
 NIXOS_CONFIGS=()
 for host in "${HOSTS[@]}"; do
- NIXOS_CONFIGS+=(".#nixosConfigurations.$host.config.system.build.toplevel")
+ NIXOS_CONFIGS+=(".#nixosConfigurations.$host.config.system.build.toplevel")
 done
 echo -e "Building toplevels for \033[0;32m${#HOSTS[*]} hosts\033[0m"
 nom build --print-out-paths --no-link "${OPTIONS[@]}" "${NIXOS_CONFIGS[@]}" ||
- die "Failed building derivations"
+die "Failed building derivations"
diff --git a/pkgs/scripts/deploy.sh b/pkgs/scripts/deploy.sh
index 4aa21b6..78ab17d 100644
--- a/pkgs/scripts/deploy.sh
+++ b/pkgs/scripts/deploy.sh
@@ -1,56 +1,56 @@
 set -euo pipefail
 function die {
- echo "error: $*" >&2
- exit 1
+ echo "error: $*" >&2
+ exit 1
 }
 function show_help() {
- echo ' Usage: deploy [OPTIONS] [ACTION]'
- echo ' Deploy a system as defined in the current flakes nixosSystem'
- echo ' If host is not given use the system name as host'
- echo ""
- echo 'ACTION:'
- echo ' switch [default] build, push and switch to the new configuration'
- echo ' boot switch on next boot'
- echo ' test switch to config but do not make it the boot default'
- echo ' dry-activate just show what an activation would do'
- echo ""
- echo 'OPTIONS:'
- echo ' --help show this help menu'
+ echo ' Usage: deploy [OPTIONS] [ACTION]'
+ echo ' Deploy a system as defined in the current flakes nixosSystem'
+ echo ' If host is not given use the system name as host'
+ echo ""
+ echo 'ACTION:'
+ echo ' switch [default] build, push and switch to the new configuration'
+ echo ' boot switch on next boot'
+ echo ' test switch to config but do not make it the boot default'
+ echo ' dry-activate just show what an activation would do'
+ echo ""
+ echo 'OPTIONS:'
+ echo ' --help show this help menu'
 }
 USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) ||
- die "Could not determine current directory"
+die "Could not determine current directory"
 cd "$USER_FLAKE_DIR"
 [[ $# -gt 0 ]] || {
- show_help
- exit 1
+ show_help
+ exit 1
 }
 OPTIONS=()
 POSITIONAL_ARGS=()
 while [[ $# -gt 0 ]]; do
- case "$1" in
- "help" | "--help" | "-h")
- show_help
- exit 1
- ;;
- -*)
- OPTIONS+=("$1")
- ;;
- *)
- POSITIONAL_ARGS+=("$1")
- ;;
- esac
- shift
+ case "$1" in
+ "help" | "--help" | "-h")
+ show_help
+ exit 1
+ ;;
+ -*)
+ OPTIONS+=("$1")
+ ;;
+ *)
+ POSITIONAL_ARGS+=("$1")
+ ;;
+ esac
+ shift
 done
 [[ ! ${#POSITIONAL_ARGS[@]} -lt 1 ]] ||
- die "Missing argument: "
+die "Missing argument: "
 [[ !
${#POSITIONAL_ARGS[@]} -gt 2 ]] ||
- die "Too many arguments"
+die "Too many arguments"
 shopt -s lastpipe
 tr , '\n' <<<"${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
@@ -58,50 +58,50 @@ tr , '\n' <<<"${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
 ACTION="${POSITIONAL_ARGS[1]-switch}"
 function main() {
- local system
- local host
- if [[ $1 == *"@"* ]]; then
- arr=()
- echo -n "$1" | readarray -d "@" -t arr
- system="${arr[0]}"
- host="root@${arr[1]}"
- else
- system=$1
- host=$system
- fi
- local config
- config=".#nixosConfigurations.$system.config.system.build.toplevel"
- local top_level
- exec > >(
- trap "" INT TERM
- sed "s/^/$system: /"
- )
- exec 2> >(
- trap "" INT TERM
- sed "s/^/$system: /" >&2
- )
- top_level=$(nix build --no-link --print-out-paths "${OPTIONS[@]}" "$config" || die "Failed building derivation for $system")
+ local system
+ local host
+ if [[ $1 == *"@"* ]]; then
+ arr=()
+ echo -n "$1" | readarray -d "@" -t arr
+ system="${arr[0]}"
+ host="root@${arr[1]}"
+ else
+ system=$1
+ host=$system
+ fi
+ local config
+ config=".#nixosConfigurations.$system.config.system.build.toplevel"
+ local top_level
+ exec > >(
+ trap "" INT TERM
+ sed "s/^/$system: /"
+ )
+ exec 2> >(
+ trap "" INT TERM
+ sed "s/^/$system: /" >&2
+ )
+ top_level=$(nix build --no-link --print-out-paths "${OPTIONS[@]}" "$config" || die "Failed building derivation for $system")
- echo -e "Copying toplevel for \033[0;32m$system\033[0m"
- nix copy --to "ssh://$host" "$top_level" ||
- die "Failed copying closure to $system"
+ echo -e "Copying toplevel for \033[0;32m$system\033[0m"
+ nix copy --to "ssh://$host" "$top_level" ||
+ die "Failed copying closure to $system"
- echo -e "Applying toplevel for \033[0;32m$system\033[0m"
- (
- prev_system=$(ssh "$host" -- readlink -e /nix/var/nix/profiles/system)
- ssh "$host" -- /run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set "$top_level" ||
- die "Error registering toplevel $system"
- ssh "$host" -- "$top_level/bin/switch-to-configuration" "$ACTION" ||
- die "Error activating toplevel for $system"
- if [[ -n "$prev_system" ]]; then
- ssh "$host" -- nvd --color always
diff "$prev_system" "$top_level"
- fi
- )
+ echo -e "Applying toplevel for \033[0;32m$system\033[0m"
+ (
+ prev_system=$(ssh "$host" -- readlink -e /nix/var/nix/profiles/system)
+ ssh "$host" -- /run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set "$top_level" ||
+ die "Error registering toplevel $system"
+ ssh "$host" -- "$top_level/bin/switch-to-configuration" "$ACTION" ||
+ die "Error activating toplevel for $system"
+ if [[ -n "$prev_system" ]]; then
+ ssh "$host" -- nvd --color always diff "$prev_system" "$top_level"
+ fi
+ )
 }
 echo -e "Building toplevels for \033[0;32m${#HOSTS[*]} hosts\033[0m"
 for host in "${HOSTS[@]}"; do
- main "$host" &
+ main "$host" &
 done
 wait
diff --git a/users/patrick/dev.nix b/users/patrick/dev.nix
index 03ea1e9..39a4b70 100644
--- a/users/patrick/dev.nix
+++ b/users/patrick/dev.nix
@@ -1,5 +1,7 @@
 {
 lib,
+ config,
+ nodes,
 minimal,
 pkgs,
 ...
@@ -22,6 +24,7 @@ lib.optionalAttrs (!minimal) {
 enableDebugInfo = true;
 };
 documentation = {
+ enable = true;
 dev.enable = true;
 doc.enable = false;
 man.enable = true;
@@ -33,4 +36,27 @@ lib.optionalAttrs (!minimal) {
 export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
 umask 077
 '';
+ age.secrets.mailnixSSHKey = {
+ inherit (nodes.mailnix.config.age.secrets.buildSSHKey) rekeyFile;
+ mode = "400";
+ };
+ nix = {
+ distributedBuilds = true;
+ buildMachines = [
+ {
+ hostName = config.secrets.secrets.global.user.mailnix_ip;
+ protocol = "ssh-ng";
+ sshUser = "build";
+ system = "aarch64-linux";
+ sshKey = config.age.secrets.mailnixSSHKey.path;
+ supportedFeatures = [
+ "big-parallel"
+ #"kvm"
+ ];
+ publicHostKey = builtins.readFile "${pkgs.runCommand "base64HoseKey" { }
+ ''${pkgs.coreutils}/bin/base64 -w0 ${nodes.mailnix.config.node.secretsDir}/host.pub > $out''
+ }";
+ }
+ ];
+ };
 }
diff --git a/users/patrick/programs/gpg/default.nix b/users/patrick/programs/gpg/default.nix
index 024c343..cf2c201 100644
--- a/users/patrick/programs/gpg/default.nix
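Review bot: The helper derivation behind `publicHostKey` is named `base64HoseKey`, which reads as a typo for `base64HostKey`, and because `builtins.readFile` is applied to a derivation output it forces that derivation to be built during evaluation (import-from-derivation); a one-line comment would spare the next reader the surprise, e.g. `# IFD: built at eval time; base64 of mailnix's host.pub so Nix can verify the builder's host key`. Pinning the host key this way is the right call given that `mailnixSSHKey` unlocks a `trusted-users` account on mailnix, and `mode = "400"` with the owner left at its default keeps that credential readable only by the daemon's user, which is what `sshKey` needs. The `#"kvm"` entry in `supportedFeatures` is commented-out code with no explanation; either drop it or note why the builder does not advertise it. The enclosing `lib.optionalAttrs (!minimal) { … }` attribute set starts before this hunk.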
+++ b/users/patrick/programs/gpg/default.nix
@@ -10,7 +10,7 @@
 group = "patrick";
 mode = "640";
 };
- hm.programs.gpg.publicKeys = [
+ hm-all.programs.gpg.publicKeys = [
 {
 source = ./pubkey.gpg;
 trust = 5;
@@ -30,13 +30,13 @@
 lib.escapeShellArg config.age.secrets."my-gpg-yubikey-keygrip.tar".path
 } -C "$HOME/.gnupg/private-keys-v1.d/"
 '';
- hm.services.gpg-agent = {
+ hm-all.services.gpg-agent = {
 enable = true;
 enableSshSupport = true;
 pinentryPackage = pkgs.pinentry-gnome3;
 };
- hm.programs.gpg = {
+ hm-all.programs.gpg = {
 enable = true;
 scdaemonSettings.disable-ccid = true;
 settings = {