From 09f461123fb0d4b44909fd44ca1ef01b69f56edb Mon Sep 17 00:00:00 2001 From: Zuckerberg Date: Wed, 18 Feb 2026 19:53:34 -0800 Subject: [PATCH] Add Attic binary cache and containerize gitea runner Replace nix-serve-only setup with Attic for managed binary caching with upstream filtering and GC. Move gitea actions runner from host into an isolated NixOS container with private networking. nix-serve kept alongside Attic during migration. --- .gitea/workflows/check-flake.yaml | 21 +++- common/binary-cache.nix | 11 +- common/server/atticd.nix | 31 +++++ common/server/default.nix | 1 + common/server/gitea-actions-runner.nix | 158 ++++++++----------------- secrets/attic-netrc.age | Bin 0 -> 2336 bytes secrets/atticd-credentials.age | Bin 0 -> 4908 bytes secrets/binary-cache-push-sshkey.age | Bin 831 -> 0 bytes secrets/gitea-actions-runner-token.age | Bin 589 -> 589 bytes secrets/secrets.nix | 9 +- 10 files changed, 119 insertions(+), 112 deletions(-) create mode 100644 common/server/atticd.nix create mode 100644 secrets/attic-netrc.age create mode 100644 secrets/atticd-credentials.age delete mode 100644 secrets/binary-cache-push-sshkey.age diff --git a/.gitea/workflows/check-flake.yaml b/.gitea/workflows/check-flake.yaml index a073f32..d8bf265 100644 --- a/.gitea/workflows/check-flake.yaml +++ b/.gitea/workflows/check-flake.yaml 
@@ -16,4 +16,23 @@ jobs: fetch-depth: 0 - name: Check Flake - run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace \ No newline at end of file + run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace + + - name: Push to cache + env: + XDG_CONFIG_HOME: ${{ runner.temp }}/.config + run: | + set -euo pipefail + attic login local "${{ vars.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}" + # Get all system toplevel store paths, keeping only those valid in the local store + toplevels=$(nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json \ + | jq -r '.[]' \ + | xargs -I{} sh -c 'nix path-info {} >/dev/null 2>&1 && echo {}' || true) + echo "Found $(echo "$toplevels" | wc -l) valid system toplevels" + # Expand to full closures, deduplicate, and filter out paths already + # signed by cache.nixos.org — only our custom builds need caching + paths=$(echo "$toplevels" \ + | xargs nix path-info -r --json \ + | jq -r '[to_entries[] | select(.value.signatures | all(startswith("cache.nixos.org") | not)) | .key] | unique[]') + echo "Pushing $(echo "$paths" | wc -l) unique paths to cache" + echo "$paths" | xargs attic push local:nixos diff --git a/common/binary-cache.nix b/common/binary-cache.nix index dcb0018..06f4dbb 100644 --- a/common/binary-cache.nix +++ b/common/binary-cache.nix @@ -1,4 +1,4 @@ -{ ... }: +{ config, ... }: { nix = { @@ -6,11 +6,11 @@ substituters = [ "https://cache.nixos.org/" "https://nix-community.cachix.org" - "http://s0.koi-bebop.ts.net:5000" + "http://s0.koi-bebop.ts.net:28338/nixos" ]; trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=" + "nixos:SnTTQutdOJbAmxo6AQ3cbRt5w9f4byMXQODCieBH3PQ=" ]; # Allow substituters to be offline 
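Review bot: The `|| true` closing the `toplevels=$(…)` pipeline swallows a failed `nix eval` as well as the per-path `nix path-info` misses it was presumably added for (xargs exits non-zero when any invocation fails), and because `echo "" | wc -l` prints 1, an empty result is then reported as "Found 1 valid system toplevels" and the step carries on with nothing to push, which defeats `set -euo pipefail`. Moving the `|| true` inside the `sh -c` and failing on an empty `$toplevels` keeps evaluation errors fatal while still tolerating paths that are not in the local store. Separately, `attic login local "${{ vars.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"` interpolates the cache token into the script text the runner materialises; passing it through `env:` and expanding `$ATTIC_TOKEN` keeps the secret out of the generated script (the CLI as invoked here still takes it as a positional argument, so the process command line is unchanged).
```yaml
        env:
          XDG_CONFIG_HOME: ${{ runner.temp }}/.config
          ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
        run: |
          set -euo pipefail
          attic login local "${{ vars.ATTIC_ENDPOINT }}" "$ATTIC_TOKEN"
          # … unchanged: nix eval … | jq -r '.[]' …
            | xargs -I{} sh -c 'nix path-info {} >/dev/null 2>&1 && echo {} || true')
          [ -n "$toplevels" ] || { echo "No valid system toplevels in the local store"; exit 1; }
          # … unchanged: count report, closure expansion and push …
```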
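Review bot: The trusted-public-keys entry `s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=` is dropped together with the `:5000` substituter, yet the commit message says nix-serve stays up alongside Attic during the migration; after this hunk no client trusts anything nix-serve signs, so the overlap exists only on the server side. If nix-serve is meant to keep serving clients until the Attic cache is populated, the old substituter and key should remain as a second entry until it is retired; if it is kept for some other consumer, a comment here saying so (`# nix-serve key intentionally removed from clients; server kept only for <reason>`) would spare the next reader the question. The matching "public key: s0.koi-bebop.ts.net:…" comment in secrets.nix then reads as stale either way.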
@@ -19,6 +19,11 @@
 # and use this flag as intended for deciding if it should build missing
 # derivations locally. See https://github.com/NixOS/nix/issues/6901
 fallback = true;
+
+ # Authenticate to private nixos cache
+ netrc-file = config.age.secrets.attic-netrc.path;
 };
 };
+
+ age.secrets.attic-netrc.file = ../secrets/attic-netrc.age;
 }
diff --git a/common/server/atticd.nix b/common/server/atticd.nix
new file mode 100644
index 0000000..9aefc5a
--- /dev/null
+++ b/common/server/atticd.nix
@@ -0,0 +1,31 @@
+{ config, lib, ... }:
+
+{
+ config = lib.mkIf (config.thisMachine.hasRole."binary-cache") {
+ services.atticd = {
+ enable = true;
+ environmentFile = config.age.secrets.atticd-credentials.path;
+ settings = {
+ listen = "[::]:28338";
+
+ chunking = {
+ nar-size-threshold = 64 * 1024; # 64 KiB
+
+ # The preferred minimum size of a chunk, in bytes
+ min-size = 16 * 1024; # 16 KiB
+
+ # The preferred average size of a chunk, in bytes
+ avg-size = 64 * 1024; # 64 KiB
+
+ # The preferred maximum size of a chunk, in bytes
+ max-size = 256 * 1024; # 256 KiB
+ };
+
+ compression.type = "zstd";
+ garbage-collection.default-retention-period = "6 months";
+ };
+ };
+
+ age.secrets.atticd-credentials.file = ../../secrets/atticd-credentials.age;
+ };
+}
diff --git a/common/server/default.nix b/common/server/default.nix
index c0e0f8a..a7c20cf 100644
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -12,6 +12,7 @@
 ./mailserver.nix
 ./nextcloud.nix
 ./gitea-actions-runner.nix
+ ./atticd.nix
 ./librechat.nix
 ./actualbudget.nix
 ./unifi.nix
diff --git a/common/server/gitea-actions-runner.nix b/common/server/gitea-actions-runner.nix
index fa03f46..aa68cc1 100644
--- a/common/server/gitea-actions-runner.nix
+++ b/common/server/gitea-actions-runner.nix
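Review bot: `netrc-file = config.age.secrets.attic-netrc.path;` gives every client a credential that Nix will send with substituter requests, and the `nixos` substituter added in the earlier hunk of this file is plain `http://`, so at the HTTP layer that login travels unencrypted. The hostname is a tailnet address, which presumably means the overlay already encrypts the transport; if that is the intended protection the comment should say so, e.g. `# Authenticate to the private nixos cache. Plain http is tolerable only because the endpoint is reachable solely over the tailnet`, otherwise atticd should sit behind TLS before the netrc is rolled out to every machine. The secret file must also be readable by whichever process performs substitution — fine for nix-daemon running as root with agenix's default root-only mode, but a non-daemon `nix` run by an ordinary user would not see it, which is worth a one-line note.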
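Review bot: `listen = "[::]:28338";` binds atticd on every interface of the binary-cache host and nothing in this file narrows that (no `networking.firewall` entry, no bind to the tailnet address), so whether the port is reachable beyond the tailnet depends on firewall policy defined elsewhere; binding to the tailnet address, or at least a comment stating that the host firewall is expected to keep 28338 tailnet-only, would make the exposure deliberate. `nar-size-threshold` is the one chunking setting without the explanatory comment its siblings carry; `# NARs smaller than this are stored whole rather than chunked — confirm against the attic docs` would match them. The `environmentFile` line is presumably where the server's token secret lives, in which case `# holds the server secret that signs/verifies API tokens; rotating it invalidates every issued client and CI token` documents the blast radius that both the netrc and the workflow token depend on.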
@@ -1,132 +1,78 @@ -{ config, pkgs, lib, ... }: +{ config, lib, ... }: -# Gitea Actions Runner. Starts 'host' runner that runs directly on the host inside of a nixos container -# This is useful for providing a real Nix/OS builder to gitea. -# Warning, NixOS containers are not secure. For example, the container shares the /nix/store -# Therefore, this should not be used to run untrusted code. -# To enable, assign a machine the 'gitea-actions-runner' system role - -# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running +# Gitea Actions Runner inside a NixOS container. +# The container shares the host's /nix/store (read-only) and nix-daemon socket, +# so builds go through the host daemon and outputs land in the host store. +# Warning: NixOS containers are not fully secure — do not run untrusted code. +# To enable, assign a machine the 'gitea-actions-runner' system role. let thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner"; containerName = "gitea-runner"; + giteaRunnerUid = 991; + giteaRunnerGid = 989; in { config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) { - # containers.${containerName} = { - # ephemeral = true; - # autoStart = true; - # # for podman - # enableTun = true; + containers.${containerName} = { + autoStart = true; + ephemeral = true; - # # privateNetwork = true; - # # hostAddress = "172.16.101.1"; - # # localAddress = "172.16.101.2"; + bindMounts = { + "/run/agenix/gitea-actions-runner-token" = { + hostPath = "/run/agenix/gitea-actions-runner-token"; + isReadOnly = true; + }; + "/var/lib/gitea-runner" = { + hostPath = "/var/lib/gitea-runner"; + isReadOnly = false; + }; + }; - # bindMounts = - # { - # "/run/agenix/gitea-actions-runner-token" = { - # hostPath = "/run/agenix/gitea-actions-runner-token"; - # isReadOnly = true; - # }; - # "/var/lib/gitea-runner" = { - # hostPath = "/var/lib/gitea-runner"; - # isReadOnly = false; - # }; - # }; + config = { config, 
lib, pkgs, ... }: { + system.stateVersion = "25.11"; - # extraFlags = [ - # # Allow podman - # ''--system-call-filter=thisystemcalldoesnotexistforsure'' - # ]; + services.gitea-actions-runner.instances.inst = { + enable = true; + name = containerName; + url = "https://git.neet.dev/"; + tokenFile = "/run/agenix/gitea-actions-runner-token"; + labels = [ "nixos:host" ]; + }; - # additionalCapabilities = [ - # "CAP_SYS_ADMIN" - # ]; + # Disable dynamic user so runner state persists via bind mount + systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false; + users.users.gitea-runner = { + uid = giteaRunnerUid; + home = "/var/lib/gitea-runner"; + group = "gitea-runner"; + isSystemUser = true; + createHome = true; + }; + users.groups.gitea-runner.gid = giteaRunnerGid; - # config = { - # imports = allModules; + nix.settings.experimental-features = [ "nix-command" "flakes" ]; - # # speeds up evaluation - # nixpkgs.pkgs = pkgs; - - # networking.hostName = lib.mkForce containerName; - - # # don't use remote builders - # nix.distributedBuilds = lib.mkForce false; - - # environment.systemPackages = with pkgs; [ - # git - # # Gitea Actions rely heavily on node. Include it because it would be installed anyway. 
- # nodejs - # ]; - - # services.gitea-actions-runner.instances.inst = { - # enable = true; - # name = config.networking.hostName; - # url = "https://git.neet.dev/"; - # tokenFile = "/run/agenix/gitea-actions-runner-token"; - # labels = [ - # "ubuntu-latest:docker://node:18-bullseye" - # "nixos:host" - # ]; - # }; - - # # To allow building on the host, must override the the service's config so it doesn't use a dynamic user - # systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false; - # users.users.gitea-runner = { - # home = "/var/lib/gitea-runner"; - # group = "gitea-runner"; - # isSystemUser = true; - # createHome = true; - # }; - # users.groups.gitea-runner = { }; - - # virtualisation.podman.enable = true; - # boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; - # }; - # }; - - # networking.nat.enable = true; - # networking.nat.internalInterfaces = [ - # "ve-${containerName}" - # ]; - # networking.ip_forward = true; - - # don't use remote builders - nix.distributedBuilds = lib.mkForce false; - - services.gitea-actions-runner.instances.inst = { - enable = true; - name = config.networking.hostName; - url = "https://git.neet.dev/"; - tokenFile = "/run/agenix/gitea-actions-runner-token"; - labels = [ - "ubuntu-latest:docker://node:18-bullseye" - "nixos:host" - ]; + environment.systemPackages = with pkgs; [ + git + nodejs + jq + attic-client + ]; + }; }; - environment.systemPackages = with pkgs; [ - git - # Gitea Actions rely heavily on node. Include it because it would be installed anyway. 
- nodejs - ]; - - # To allow building on the host, must override the the service's config so it doesn't use a dynamic user - systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false; + # Matching user on host — the container's gitea-runner UID must be + # recognized by the host's nix-daemon as trusted (shared UID namespace) users.users.gitea-runner = { + uid = giteaRunnerUid; home = "/var/lib/gitea-runner"; group = "gitea-runner"; isSystemUser = true; createHome = true; }; - users.groups.gitea-runner = { }; - - virtualisation.podman.enable = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + users.groups.gitea-runner.gid = giteaRunnerGid; age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age; }; 
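Review bot: The new `containers.${containerName}` block sets `autoStart` and `ephemeral` but not `privateNetwork`, so the container shares the host's network namespace, which contradicts the commit message's "isolated NixOS container with private networking"; if that isolation is intended, `privateNetwork = true;` plus `hostAddress`/`localAddress` and NAT on the `ve-${containerName}` interface (as the removed commented-out block had) are needed, otherwise the message and the header comment should not claim it. The host-side comment "must be recognized by the host's nix-daemon as trusted" is misleading: this hunk adds no `nix.settings.trusted-users` entry, and what the shared UID actually provides is consistent ownership of the bind-mounted `/var/lib/gitea-runner` and one identity on the daemon socket, so `# Same UID/GID on host so files in the bind-mounted state dir and daemon-socket requests map to a single identity` states what the code does. The fixed `uid = 991` / `gid = 989` values are asserted on both sides without saying how they were chosen or that they must not collide with an existing host allocation — presumably they match what the host already had, which is worth recording next to the `let` bindings.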
diff --git a/secrets/attic-netrc.age b/secrets/attic-netrc.age new file mode 100644 index 0000000000000000000000000000000000000000..c3feeafb9d0bbcd7811ed85cd99ed691e0d496e4 GIT binary patch literal 2336 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHbWO_iO;<=NP4p-T z2}t!aEX@q9Ffw!V3)a_m^G=OS%d|+%NG=QT4GT{)56d!jbL7f(PxQz$3N6d>5B7^R z^w!Rb%yu^oDb34EPAc~+OGGKg=z>ASov`BFQT|JDIDr*uucTJ0daBG{-5pw4yxSJuSf0 zC@0t{%RJ4+vfMev#JeOZDKtz!#RT29tiVJMM@I$yFz4Xl5(5(xlXPFR;^Zn{vvkXV zsPJ5)tZcP_HBd<77u)-}I0|Kc6tS z0$h`$%#4c7eJv|f-3mi|e0&`%40Aj(@{|1? zD@?OoebdoxD>u$7wMbV;am)2JF$oC@HO+U7GD`BVG|Nl%Pxa0VG4d@dtMD{5Eb)%e zPfB-6G>qhm@Qd^cr(5O_~*rz-tEj85JB{#&k%nKuxggb>8dXy`; zhi15DT4V-ilz9{drWF(?mXsKKg*uvKT7=}LSa@rjM;JJ2`|W+n{OEzck1*vdq~rJv7xYATKg3G&jjNEz(FkGcDIW z%fK};FQ~}FOy9RG)vcT>vDC*TJGIo<$NXg z)YB}Z)Wj3rHfWm6@hOWea?SVjj|#BNGz_jR%kmD7Ffl2}b`5tfb#*p2Dk}>q@H7bV zbTi<}PjXLkGf67(wJ6ii^7E+hb~X))EG}?!j&L_jH7h90@hu2Rb}TRPOiM<$4Vos6 zjf~O)qH=w*Djh@9oWfI$lFP%ha@`WsjJ(r=$}02SqmnXQOM}t^-SWA-96g-FgY!Le zBD8&SqjG(`DpDkTs=TotJ%MYb(OONQk+4ru1T~E(B z_m5cW(eg-a7FWmdVU+VszwbBC9rp8Q*_Fa{^y-eBb`FF06n$MTt zmApA*Y`dz(sAk8*ME0L|c{CQD|0}^;xM|tvt#gZxZJ2dIS;=<(%g(P?c05n#s5Z{i zk5vm7`9JGK`hVe#_uaOy|5&p3yPE%AzvP^+Svz*$-cSp2%l>s%F^dOhj-!x`tMRnBbMv&X_Y*--1?b+-RE)wwOc|39=*V~_B4Nx^c7B%c$^ zk0jP?T=P7#HQl_F=XpyyS4ig+$zNQ_(!5Q#q^7bYx5*y7{byfjgreQ+sS>k0w0?bO zFg#Jep#8?-$96hf|IM5;X-9yF+Nu5tW~=&+=Pi6!q4IT-@0RmT#mr7S^~^TR{O~rx zZhOJ?eGlhJ1bp_bpCo-Kt@VbY-_xxfv2nMj*ex!%zb9?1ZE@7OV7>Q&*DpiWrj+V_ zbeJ}qTXXB#p8R_+b4)o_`DE@Eijums|9NiRQ|-GCBa$Y5eIlYi;o*z>m9jtljxDJ% znP{r;{_Lku)p=h-D%blverC}4I`>5MFWWcs6cB5*qP^fFKpRsc{6?g9og&d|9-#d(Vg?zYW*2M)sFbJVL|HryVuDlwLCarZ@cN_ z0a@|nGtZwsioNml%0s?`eHTiz&o6pShNzLU`WVx%qL007bEaRY)F9avnbKB2qus2b$e|PSM`r@_L zbB|Z$C;$8$sh+HGbIY!G?FS#eWvmmOFYPt;sfd*M-|rcbbG!w&f4tWGVnMLeqd$kf zlo`%$a@DFl{P%%PvSUt<1>tG)YX-clR*Lt8noMODy!&FGsg6%B9lS#8JW7)1o*(E6LBjG$TDH zve=}wuqxb9KP1n`*vu=UJkmSg-`L&9EIh};xtPm6)z2wdyC@?xB`n#X(A&vEKiJ-7N~svMjQLjrG%v&Ah83jV-(bqntg;GAsR^ 
zD~dBxO#-=eb#)bzBXTX%Gm}l+gR9a*e9ZDvD@qK*-75mz3ri9covVU;JwrWn@(s*A z10A`N4s2K5c>K_dS#6sP7TB_G)okXRR9B`Ma7J$7ri9h~F4rx#bP1kVBC5LOcjGAz zYnlH^g&&IFMuqDbrj|9|U}HFK?xW@N<*aNSV_)B-jFjX_!Tbu7d}C|(ALc(|{9DjB@o2T8F=%lN^N+KiFUxpn;S>+MvD zJ(xTt=EFIkYfrQuF1-@a6dENgl9xT}NMXv=y9W-O)nvTo)}{9#eR6xWmHtvz(|#{y z%@8K@d@i1tiI)~0doZ7QwpFcKa`U0ZMOp`wjHF}?_AEWKBCBslt>ssFXuUwSKK(UJ`fZ@(q4du#k+m)bJ9tS84#KMOWd?9kl$ z^`@TYuKWX&uicPm-ufc5OC;iA(XF?&8k-OA)_Q!Ya!UulQ%hb|v#U&&jjE;DxkzKZ zNvX$9IcKWo>iOR@+G7}MZJgMCjYv4aeYuWwlr$*Z+_dwhwe#a!pAJ;tkk|GvLHFDPgCnFjs?n8H)qUkBR$80Gpe%6h32sQl0S$|MsHlSL2v7wuc# zwrJ^xn00Eui%u;wu6n&o{Xd(za`>eG{3@51Ju<%e%2sXI<#kMC6a_V<5iI=Aeet+EnTNzD*Y&+C6lWoD@FKa%O>O@JVkaTj}LI(kka#u1RoY z8n4aKVsra&Cu>QL+wRTN)t;sPfAb^D-L@%Khvk^Uq`c6A0#>UXsy>Zt#lFTzB_CS+ zwd<7yTlw6I&<(ns&z#~ny$lT8Uee|E=3s41Wt7m`rqzlfeER<%PDqws{`sGM*8Z>~ zIve|VW7o87xK!`S6qR(~z|)&Y`ciAAJg}5WJLGwR=O!b=)ESPX z`#2J}H9Wp_`$dP*r>|-&%N9N^IlMHaH14!r_9C;Nt?|qBU6O&MfzG8Gk8vlcTrX5 z+Z`Q5`7Gzus{Vrif2E{a{^sq4SH@_Xo`R z{z8`hWBdV87k@6%H#t0&%UMoT-6)USYcWCHKDT>a(GjtQUc2UfiJG~3&+lbvUwG_J zSg1|o=8(AE)akS}x@K~|pGC>T{#W*Q%j14O{^V59rybj{eQnS#EA_}(;Z=`(LR_cs z%ZsmEyEI_snd=wJRi|}IvGd%0`*?18jM|#xhps*CH_0!QXZO6p;1THdDcU6f_juDYuH@w8+=s#?mDJM;O~#oG*?a2}K0 zk~{r`L--fHWsk0y`QM*?a9W&v&fXH|3D?AHa+@`nBqw~X@1Ly9*^>z({6N;%afDSKoTj5th=Hgw#+<5zIMRQ6*>XoSV@SsGW_#aMOD*IctX!+_f48VS@eQls&iGV!G%>~E4WsR?^1R4x+=D~&yAf$g5$;6 zb1PkZ9Zv7FWSF$_+jH~D0w?s2{WMmzIpcMI(X3lXatr=28D=h;XC?Y($p>c6`Jby2 z|FDLA*s^b*i7%tnliW2)ii`GzUJ~th6*<9N|> zUvc9{t(#o6IZNIs9)1+KVddG*?epxW?>n-1{)WU$mQj- zEBAj-&kWjdO}d}w&aZj=FHN|&`|Ra-ze}X`lSy~$woBobaz-kTC9~d7EmnERc&lKi z#ol}2N8hVvbv@mFHQryx`pE(Z=NHdR=9D~S+ERJADw)M*Q%auij^ob!4<=3dF1h+b z_My27XBCdrGFcwAY}~VFN!#DJwPqKR+^)=1y>2hQ#>4FWv7;9I3)bqiKbeuZh;Pz` z$!328+H_Wnuh8}~Q?h=4^Z3L$@n8NaOf6e_e^Q@la?J|H#}C-wJ?`jKvfWcVRWGA= z!ix1TcD=mN(c@74uPQ*hAb7?TgK~z0OIwZoX6m;nEcLaKW_-J6>YPazSGGzmoo?xC zT~}1b@KFBY6_(2(;<2lmqYSq_kzYDzh5xqfSJxswx{7A%++Duu0&kZYSCaJl9SM!o zXZ*W=t~h&%h^FAm*9pl}g+r`AEMpZecRC{|Y1sM6bdK(U$1Sfus>m(n`z~o^@;znp 
zfi4eSxV-JZno%gnSKjOVP@p} z&TBuXY@*Qp_$BYEyr+a6=bReM@+ndl`(d>|9LUZUA@MCWv6h(r^S-Zp>mV;-g~V2#w=ayrfS{@oh|yA%Xjhv>C$tBd!p@sPSccLpS}6pq)j!754DsuZ|$0u z6kL~4-^jZpiZN_sw_IJ)WAEsb*Z%8YnVaUCT@zqBx4}f}BkQ@6Z`yftJ8o?#U^gh< zw|3o&wTI@cXtT34_DPZp&*n^uou_8dcl=XT_=!E*96M%8H8D3mIO(%A{lV?6ycTCq zePDLJsWk7?#Mk|c->(%YSNXl-MZ;qq+ixGLvNKN~PUu>@!*B4RSZnRIFqdWW`Zd!Je2$DT{H5LKvpnfxXxwChbKYxXI+nibaBW_) zTwA8Aj>Y(k{C@L&2YeEW#p$?Cl(MsZxQgY4&d)vNSBeXk6fE%h+x(l$ z{nMS&OKaFB?*EbTZr{1%*(W((xvV*0=6g#{kHPZO{qshKS&1{Rhdus%I<&Yr@598% zM>0?AkMX}${m`=|Y zZTP+M)QL_F%dWc6S=R2lQl@Gt(+%}X<|TZ3nAQ?~sNmJ?DYvIhn*KQ4@70wJ-(NqP zKmFZ>&u4$Q=&Fh?FEC)p8oxH;FZebZEwY27)@}O(JVjDzc_Ve+OvrbZPS)dKT+zr z{@MJS8>gIl@q~-9Y45*(3DsAkjvAZQ_47@)Ql6RhV|}xu*3QH({!iYKA*Ln4MMH znv-RE{_gR;#ro<0+B{r(L%rhn`TkqDF>%#lzo|FXv+5k%ZfVYGaz7EZ^61C8U#_pT z?A*yKZQPMENm%T%^wK12Q-%B6FDD2b6I*_3snz>iJ(C#4o=@r4nvwoQIin?YOVxf} zYggMlf-fU7~{UZr^DT0SLL^ZrQ%+9B=!naMyGtMu{Yr=lA5%jgK5XMH#({P zY){=&x4ezXzY=uBV$IW|U(XwzkoWpp^K+xmlr5KER$p%Jee&a*bMvEr{@O`@p4z*< zjM|@esqVp#l~<2{*kOBe@z?c_Po1)q;f#ngaQky$a!U7!8*a*eLT$4ST>q&zQRhLQ z^Wpv0B8vH}_5z7lf6ZSjRc(E6bmOP+*1CO8fpe06Ej#&2 z_t$Budj?A3X5M;!`U@_r2V_0gJQ%7g(j(Wz?Ko-WwXWBvYvPT?8kT(9;jEVL!y;Lq zr=H4wkFjEoOhdq-yjC&4%Cg2AOodziE`G=O*Pv3-XWGot2hT2kahths<;5-g0-pyL z&2ayfE!@0$`?LMA;XCeD*PPJOxp{NW`STWHsfCG-)w&^Gi-Y%Mo<97~b5qfq1#gVF zcV1^ZA@I^Hv8B3w&-QuqgeSjiRrzZ>=^6jG${ubeza?+~zsSxvw7)om;pDpG4>Xvk z^7%~p`Ly$8SpUqgZeDp;zCOG5!tol5i@M5R89&Ce^K-w-R9*CPHaT-vK+o{+8(*2E zq#wHj&;6BhzWHpyzT*tNI+GveD1I@E*>NT?A!JwSx##67wl^lMZQXf4m)GR$QRZT4 Pnaa0J*H23sz ztnw@_voy?4w9GQdF3*i}^bM;D%`I{ZEA>oH3bf32F-s}P@Z~BG_AfQfHwo7_3ri^o zaw_poOz{lQu`r7;whT{7GcPVk^$&0GR3q!)za9^!ZAPGTtC?)KO5b))Uv{|v~&fxs8EkegYb0M@UYOtlmM6DsH(E` zqV&QF|B&*G!hrlzqh!;RV8_s0!*ni}yCl+kffH4X!1go%j8gh}U#%YuPY4<71fc`Wk0M1(j!d{6Dvejj_c$@TJDrPv7`s6}yrx8`qeJO00X)Q4u-g zw}XK#U(t;2#D7YEHuc>7rC)7sC7O4fpSdw{%kJ8U?&IQJA1-y@$&QH?j;plGyyhfy z{=@b|ECo+aE<9wsx1sM_boZ4PS5gxCCW^V77u)BVA>E|M_&lIt^8OPmYJNzo+Wc&t z*XJCUS1a6Kb~9(U&}7!hj3r0xj@%cX{U+Y+PKC48ejSgvJAz5?MK8Y%wOBku`}89> 
zk*BAxHN4#M;tDM4p?xLAi3;*zB%bGvy*%G?)Ez{YC7rt|!i#J^={}|7_Q`qr+ zr=+Tl{_3tp(@&Wi%7&!eH?6)et|P8}_E1lXCI9|X>%yMn?OXLvIelP^cyiNl`jON< zitf$F+|0k#bnlbgbg*JhG~d^zYZ47i2K!#0`OT^FTrEK7HPbJKIdW+;&DC8#GRIzDPR8mxARl0#?dQMvQ z#E;_P76BF&E9wnLP*-jS8;Q`*ho{nJ!-lo205pEWf;~B;43&S&03j>S2 z9h3Z`Od>0M0?dpe({hu{E6gLgbaizVywWp+tDMb?v#b0A-3u&&_0to> zOH&iw-A%#@tFlvlit>vi@(caa6HSXlxyp|%RoKnq?vNt3^!LHW>5q=`h&a11Giedi z@3;JaJ4-Ai()#z$?l-zix5jB6ir4efns`QcxnIv~y;r|Z`UEoUJfwTF!%V4fn)B2t JyCb_#0stH?x8wi- delta 517 zcmX@ha+YO+PQ7z*kda4GQ9x)~Vyb_-W1?|ciAiN?pnp+eWvM}7o|{u{NQjZYNl;2& zGFM(?W@bQcp1w(7Zc(ynn7_BSer|3_mA8v!MM{~gn^|yfP-Z};exh4pF_*5LLUD11 zZfc5=si~o*LX=CTv5BKXa&As~c6z00U|D2jo>`tprCV;kL8-Zsaj=QGL19^_TZutv zQh`}|x_6cZmxZIVb5WtYb9Pu#shh7~zPqKFQ{ZPFaPCMt&9s`Gu+eDdnMD$(HVE z&e`6ci50%-#oplsIT44u)BUcru&;~B;4y-lLbT?zv- zbG*YXvt85Nd|ax$%#)4W%>v4@f-)*HoI_ko%MC)xEiyv60*k|3j559blad3>Ju1VT zBl0ZM1H#Kv%kzx9a`pWqeH;y4OU-;z4-sq Kv?aSHG6Mko+_??_ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 7e4131f..f9d042e 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -7,6 +7,9 @@ let # nobody is using this secret but I still need to be able to r/w it nobody = sshKeys.userKeys; + + # For secrets that all machines need to know + everyone = roles.personal ++ roles.server; in with roles; @@ -22,8 +25,10 @@ with roles; # nix binary cache # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU= "binary-cache-private-key.age".publicKeys = binary-cache; - # public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB - "binary-cache-push-sshkey.age".publicKeys = nobody; # this value is directly given to gitea + + # attic binary cache + "atticd-credentials.age".publicKeys = binary-cache; + "attic-netrc.age".publicKeys = everyone; # vpn "pia-login.age".publicKeys = pia;
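Review bot: `"attic-netrc.age".publicKeys = everyone;` makes the cache login decryptable with every personal and server host key, so compromise of any single machine yields the credential for all of them; that is acceptable only if the token inside is pull-only for the `nixos` cache, and a comment stating that constraint (`# pull-only token — distributed to every machine, so it must never carry push or admin rights`) keeps a future rotation from quietly widening it. With `binary-cache-push-sshkey.age` removed, the `nobody` let-binding appears to have lost its only consumer; if nothing else in the file references it, drop it together with its "nobody is using this secret" comment rather than leaving a dead alias. The retained "public key: s0.koi-bebop.ts.net:…" comment above `binary-cache-private-key.age` now describes a key that binary-cache.nix no longer trusts, so either label it as the legacy nix-serve key or remove it when nix-serve goes.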