Merge pull request 'flake.lock: Update' (#87) from Mic92-main into main

2023-08-23 13:07:15 +00:00 · 2023-08-23 13:07:15 +00:00 · 824ab14d5c
commit 824ab14d5c
parent 9134078806 638ad6d498
8 changed files with 30 additions and 54 deletions
--- a/flake.lock
+++ b/flake.lock
@ -19,11 +19,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1692792260,
-        "narHash": "sha256-jrQeZqD/KsCioCTQt91gW0egvRG9duxPeTuCsSLVXVc=",
+        "lastModified": 1692795513,
+        "narHash": "sha256-0W1GmoRI8Q0YKvhfuz9885YGuDkbzzzKLWfbdlcnMMw=",
        "ref": "refs/heads/main",
-        "rev": "7365df338bb75782703be633976ca6add6002e88",
-        "revCount": 374,
+        "rev": "a642ecfda5e3472af521bfd6f4f466201f4f3ccb",
+        "revCount": 378,
        "type": "git",
        "url": "https://git.clan.lol/clan/clan-core"
      },
@ -206,11 +206,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1692709311,
-        "narHash": "sha256-juBtQW2dKn8fWc9XbrYqfeq5hIjDZ33fcyzXPqkNueg=",
+        "lastModified": 1692792425,
+        "narHash": "sha256-l8mloOMPXPAqVoz0EajpWvZ7XD8jSV1/yQIeNNc3SM8=",
        "owner": "numtide",
        "repo": "srvos",
-        "rev": "1fdce805f65f8d44856b5af1340de0fd6d0811a9",
+        "rev": "46145a1cc93d00ced71c903ec3f9d492af857e2e",
        "type": "github"
      },
      "original": {
@ -226,11 +226,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1692524468,
-        "narHash": "sha256-wJffwu1deOgc3c/cBIZQ52dfWfPWBzjOamYBX121hcw=",
+        "lastModified": 1692792358,
+        "narHash": "sha256-yqKPLUvl9lFTy43+GvVRwT39k1qu7Yd0HNktZjRbUP4=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "e2761d701581d8dcc4e0e88aecfde317ddf6f0cd",
+        "rev": "b070c28bf9d7d3ef93084aa47c01b4b6c16cdce4",
        "type": "github"
      },
      "original": {
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@ -5,7 +5,7 @@
      inputs.srvos.nixosModules.mixins-telegraf
      # FIXME: switch to VPN later
      { networking.firewall.allowedTCPPorts = [ 9273 ]; }
-      inputs.sops-nix.nixosModules.default
+      inputs.clan-core.nixosModules.secrets
    ];

    hcloud.imports = [
--- a/modules/web01/borgbackup.nix
+++ b/modules/web01/borgbackup.nix
@ -1,14 +1,6 @@
 { config, ... }: {
  # 100GB storagebox is under the nix-community hetzner account

-  # $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@"
-  sops.secrets.hetzner-borgbackup-ssh = { };
-  # Also enable ssh support in the storagebox web interface.
-  # By default the storage box is only accessible from the hetzner network.
-  # $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key
-  # $ cat /tmp/ssh_host_ed25519_key.pub | ssh -p23 u359378@u359378.your-storagebox.de install-ssh-key
-  sops.secrets.hetzner-borgbackup-passphrase = { };
-
  systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [
    "/var/log/telegraf"
  ];
@ -62,10 +54,16 @@
    doInit = true;
    encryption = {
      mode = "repokey-blake2";
+      # $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@"
      passCommand = "cat ${config.sops.secrets.hetzner-borgbackup-passphrase.path}";
    };
    compression = "auto,zstd";
    startAt = "daily";
+
+    # Also enable ssh support in the storagebox web interface.
+    # By default the storage box is only accessible from the hetzner network.
+    # $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key
+    # $ cat /tmp/ssh_host_ed25519_key.pub | ssh -p23 u359378@u359378.your-storagebox.de install-ssh-key
    environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
    preHook = ''
      set -x
--- a/modules/web01/clan-merge.nix
+++ b/modules/web01/clan-merge.nix
@ -1,7 +1,4 @@
 { config, self, pkgs, ... }: {
-
-  sops.secrets.merge-bot-gitea-token = { };
-
  # service to for automatic merge bot
  systemd.services.clan-merge = {
    description = "Merge clan.lol PRs automatically";
--- a/modules/web01/default.nix
+++ b/modules/web01/default.nix
@ -13,4 +13,5 @@
  ];

  services.cloud-init.xfs.enable = true;
+  clan.sops.sopsDirectory = ../../sops;
 }
--- a/modules/web01/dendrite.nix
+++ b/modules/web01/dendrite.nix
@ -25,19 +25,15 @@ let
    '';
 in
 {
-  # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
-  sops.secrets.matrix-server-key = { };
-  # $ echo "REGISTRATION_SHARED_SECRET=$(openssl rand -base64 32)"
-
-  # To create a user:
-  # $ password=$(nix run "nixpkgs#xkcdpass" -- -n 3 -d-)
-  # $ shared_secret=$(sops -d --extract '["registration-secret"]' ./secrets.yaml| sed s/REGISTRATION_SHARED_SECRET=//)
-  # $ nix shell "nixpkgs#matrix-synapse" -c register_new_matrix_user --password "${password}" --shared-secret "${shared_secret}" "https://matrix.clan.lol:443"
-  sops.secrets.registration-secret = { };
-
  services.dendrite = {
    enable = true;
    httpPort = 8043;
+    # $ echo "REGISTRATION_SHARED_SECRET=$(openssl rand -base64 32)"
+
+    # To create a user:
+    # $ password=$(nix run "nixpkgs#xkcdpass" -- -n 3 -d-)
+    # $ shared_secret=$(sops -d --extract '["registration-secret"]' ./secrets.yaml| sed s/REGISTRATION_SHARED_SECRET=//)
+    # $ nix shell "nixpkgs#matrix-synapse" -c register_new_matrix_user --password "${password}" --shared-secret "${shared_secret}" "https://matrix.clan.lol:443"
    environmentFile = config.sops.secrets.registration-secret.path;

    settings = {
@ -122,6 +118,7 @@ in
  };

  systemd.services.dendrite.serviceConfig.LoadCredential = [
+    # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
    "matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
  ];

--- a/modules/web01/harmonia.nix
+++ b/modules/web01/harmonia.nix
@ -2,7 +2,6 @@
  services.harmonia.enable = true;
  # $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub
  services.harmonia.signKeyPath = config.sops.secrets.harmonia-key.path;
-  sops.secrets.harmonia-key = { };

  services.nginx = {
    package = pkgs.nginxStable.override {
--- a/modules/web01/jobs.nix
+++ b/modules/web01/jobs.nix
@ -1,16 +1,5 @@
 { config, self, pkgs, lib, ... }:
 let
-
-  allFlakePackages = [
-    "job-flake-update-clan-core"
-    "job-flake-update-clan-homepage"
-    "job-flake-update-clan-infra"
-  ];
-
-  allFlakeJobs = lib.filter (lib.hasPrefix "job-") allFlakePackages;
-
-  allSystemdConfigs = map configForJob allFlakeJobs;
-
  configForJob = name: {
    systemd.timers.${name} = {
      description = "Time for flake update workflow";
@ -55,16 +44,11 @@ let
      };
    };
  };
-
 in
 {
-  config = lib.mkMerge (
-    allSystemdConfigs
-    ++ [
-      {
-        sops.secrets.clan-bot-gitea-token = { };
-        sops.secrets.clan-bot-ssh-key = { };
-      }
-    ]
-  );
+  config = lib.mkMerge (map configForJob [
+    "job-flake-update-clan-core"
+    "job-flake-update-clan-homepage"
+    "job-flake-update-clan-infra"
+  ]);
 }