From 9456302d8ce2429ff2e8221042290b96a9942936 Mon Sep 17 00:00:00 2001
From: Michael Hoang
Date: Wed, 3 Jan 2024 13:38:59 +1100
Subject: [PATCH] the aether stares back at you

---
 .gitignore | 3 +
 CHANGELOG.md | 18 +++
 files/nixos-rebuild.patch | 25 ----
 files/store-new-generation.sh | 71 --------
 flake.lock | 175 ++++++++++++++++++++++-
 flake.nix | 64 ++++++++-
 hosts/aether/configuration.nix | 27 ++++
 hosts/aether/hardware-configuration.nix | 76 ++++++++++
 hosts/aether/home.nix | 1 +
 hosts/aether/terraform-configuration.nix | 53 +++++++
 hosts/echo/darwin-configuration.nix | 4 +-
 hosts/eris/hardware-configuration.nix | 11 +-
 hosts/hermes/configuration.nix | 12 ++
 hosts/phi/configuration.nix | 7 +-
 hosts/sigma/hardware-configuration.nix | 29 +---
 keys.nix | 3 +
 modules/base.nix | 31 ++--
 modules/cachix.nix | 12 --
 modules/personal.nix | 29 +++-
 modules/remote.nix | 38 +++++
 modules/sway.nix | 60 ++++----
 overlays/nixos-rebuild.nix | 49 +++++--
 overlays/terraform.nix | 22 +++
 secrets/secrets.nix | 5 +
 secrets/tailscale_aether.age | Bin 0 -> 438 bytes
 25 files changed, 604 insertions(+), 221 deletions(-)
 delete mode 100644 files/nixos-rebuild.patch
 delete mode 100755 files/store-new-generation.sh
 create mode 100644 hosts/aether/configuration.nix
 create mode 100644 hosts/aether/hardware-configuration.nix
 create mode 100644 hosts/aether/home.nix
 create mode 100644 hosts/aether/terraform-configuration.nix
 delete mode 100644 modules/cachix.nix
 create mode 100644 modules/remote.nix
 create mode 100644 overlays/terraform.nix
 create mode 100644 secrets/tailscale_aether.age

diff --git a/.gitignore b/.gitignore
index 59bf6c5..4f47c18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,6 @@
 .direnv
 result
 /.pre-commit-config.yaml
+config.tf.json
+.terraform*
+*.tfstate*
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 712be83..fb5c9f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
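Review bot: The new `.terraform*` pattern also matches `.terraform.lock.hcl`, the provider dependency lock file that records the provider versions and hashes a working tree was initialised with and that Terraform recommends committing; as written it is silently kept out of the repository, so nothing pins what `terraform init` resolves on another machine. Ignoring only the plugin cache directory, `.terraform/`, keeps the lock file tracked while still excluding the downloaded providers; if every provider comes from the Nix-built bundle this matters less, but the lock is still the record of what was used. The `*.tfstate*` entry is right to keep out of git, as state files carry resource attributes in plaintext.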
@@ -1,3 +1,21 @@
+- Use `enzime` as the default user on `echo`
+- Removed `diff.age.textconv`
+- Use `/mnt/phi` on all `personal` NixOS systems
+- Added `aether` as a remote builder for `hermes-nixos`
+- Added `builder` user on all systems
+- Fixed `man` not using colours
+- Fixed `alacritty` terminfo on macOS
+- Refactored `swayidle` to use `home-manager` module
+- Removed RSA SSH host key for `aether`
+- Removed `store-new-generation`
+- Fixed `nixos-rebuild` not working with password-based sudo over SSH
+- Fixed `nixos-rebuild` when host and target use different architectures
+- Added `aether` and `chi-linux-builder` to `trusted-public-keys` for all systems
+- Renamed `cachix` module to `remote`
+- Added `aether`
+- Use `nixos-anywhere` to build `aether` remotely before deploying
+- Use `terranix` to provision `aether`
+- Updated `nixos-apple-silicon`
 - Changed `-nixos` `hostSuffix` to be opt-in
 - Renamed `sigma-nixos` to `sigma`
 - Added SSH key access to `root` for `nixos-rebuild switch --target-host`
diff --git a/files/nixos-rebuild.patch b/files/nixos-rebuild.patch
deleted file mode 100644
index 5af3d5a..0000000
--- a/files/nixos-rebuild.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff --git a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
-index 2d13a5e8137..12a72b9053b 100755
---- a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
-+++ b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
-@@ -329,8 +329,10 @@ if [[ -n $flake ]]; then
- if [[ -z $hostname ]]; then
- hostname=default
- fi
-+ configName="\"$hostname\""
- flakeAttr="nixosConfigurations.\"$hostname\""
- else
-+ configName="\"$flakeAttr\""
- flakeAttr="nixosConfigurations.\"$flakeAttr\""
- fi
- fi
-@@ -478,6 +480,9 @@ if [ -z "$rollback" ]; then
- fi
- copyToTarget "$pathToConfig"
- targetHostCmd nix-env -p "$profile" --set "$pathToConfig"
-+ if [[ -n $flake ]]; then
-+ targetHostCmd @storeNewGeneration@ "$profile" "$pathToConfig" "$configName" "${lockFlags[@]}" >&2
-+ fi
- elif [[ "$action" = test || "$action" = build || "$action" = dry-build || "$action" = dry-activate ]]; then
- if [[ -z $flake ]]; then
- pathToConfig="$(nixBuild '' -A system -k "${extraBuildFlags[@]}")"
diff --git a/files/store-new-generation.sh b/files/store-new-generation.sh
deleted file mode 100755
index 609421d..0000000
--- a/files/store-new-generation.sh
+++ /dev/null
@@ -1,71 +0,0 @@ -#!/bin/bash -set -e -set -o pipefail -shopt -s inherit_errexit - - -profile=$1; shift 1 -pathToConfig=$1; shift 1 -configName=$1; shift 1 - -systemNumber=$( - nix-env -p "$profile" --list-generations | - sed -n '/current/ {s/ *\([0-9]*\).*/\1/; p}' -) -systemCfg="/nix/var/nix/gcroots/system-cfg/$systemNumber" - -# If a folder already exists for this generation -# it means we're either switching to the exact -# same generation (and thus this should be a no-op) -# or someone deleted a generation and is now -# overwriting it and so we also want to overwrite -# the corresponding system config folder. -if [[ -d "$systemCfg" ]]; then - rm -rf "$systemCfg" -fi - -mkdir -p "$systemCfg/bin" - -dotfiles=$(realpath "$pathToConfig/etc/nix/inputs/self") -ln -s "$dotfiles" "$systemCfg/dotfiles" - -flags=("--flake" "$dotfiles#$configName") - -while [ "$#" -gt 0 ]; do - i="$1"; shift 1 - - if [[ $i == "--override-input" ]]; then - input="$1"; shift 1 - replacement="$1"; shift 1 - - # FIXME: handle $input = "home-manager/nixpkgs" - # Ensure that we're looking at an input that is actually used - if [[ $(nix flake metadata --json "$dotfiles" --override-input "$input" "$replacement" | jq -r ".locks.nodes.${input}") != "null" ]]; then - flags+=("--override-input" "$input" "$replacement") - - pathInStore=$(nix flake metadata --json "$replacement" | jq -r ".path") - target="$systemCfg/inputs/$input" - - mkdir -p "$(dirname "$target")" - ln -s "$pathInStore" "$target" - fi - fi -done - -cat > "$systemCfg/bin/build" < "$systemCfg/bin/build-vm" < "$systemCfg/bin/switch" < etc/ssh/ssh_host_ed25519_key + chmod 400 etc/ssh/ssh_host_ed25519_key + echo "${inputs.self.keys.hosts.aether}" > etc/ssh/ssh_host_ed25519_key.pub + chmod 444 etc/ssh/ssh_host_ed25519_key.pub + op read "op://r3fgka56ukyvdslqp3jxc37e3q/kfbpbjzox2h2qapi74p5dzqld4/key" > etc/nix/key + chmod 400 etc/nix/key + echo "${inputs.self.keys.signing.aether}" > etc/nix/key.pub + chmod 444 etc/nix/key.pub + ''; + })}"; 
+ };
+}
diff --git a/hosts/echo/darwin-configuration.nix b/hosts/echo/darwin-configuration.nix
index a2b4f07..f305f1e 100644
--- a/hosts/echo/darwin-configuration.nix
+++ b/hosts/echo/darwin-configuration.nix
@@ -1,4 +1,4 @@
-{ keys, ... }:
+{ ... }:
 {
 networking.knownNetworkServices = [ "Ethernet" ];
@@ -15,7 +15,5 @@
 "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo=";
 }];
- nix.settings.trusted-public-keys = [ keys.signing.chi-linux-builder ];
-
 nix.settings.min-free = 3 * 1024 * 1024 * 1024;
 }
diff --git a/hosts/eris/hardware-configuration.nix b/hosts/eris/hardware-configuration.nix
index cfca233..ae61dac 100644
--- a/hosts/eris/hardware-configuration.nix
+++ b/hosts/eris/hardware-configuration.nix
@@ -1,4 +1,4 @@
-{ lib, modulesPath, ... }:
+{ modulesPath, ... }:
 {
 imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
@@ -95,13 +95,4 @@
 };
 };
 };
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/hosts/hermes/configuration.nix b/hosts/hermes/configuration.nix
index cad61b4..e4d5a1c 100644
--- a/hosts/hermes/configuration.nix
+++ b/hosts/hermes/configuration.nix
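Review bot: The second eris hunk removes `networking.useDHCP = lib.mkDefault true;` and `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";` without a replacement in this file. Both were `mkDefault`, so they only took effect when nothing else set them; if flake.nix (changed by this commit but not shown here) now sets the platform per host and another module brings up networking for the qemu guest, this is fine, otherwise eris either fails to evaluate or comes up without an address. Worth confirming against the flake.nix hunk, and a one-line note where the lines were, such as `# hostPlatform and DHCP are provided by flake.nix / the shared networking module`, would spare the next reader the search.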
@@ -32,6 +32,18 @@
 services.xserver.displayManager.gdm.enable = lib.mkForce false;
 services.xserver.displayManager.lightdm.enable = true;
+ nix.distributedBuilds = true;
+
+ nix.buildMachines = [{
+ hostName = "aether";
+ sshUser = "builder";
+ sshKey = "/etc/ssh/ssh_host_ed25519_key";
+ system = "aarch64-linux";
+ supportedFeatures = [ "kvm" "benchmark" "big-parallel" "nixos-test" ];
+ publicHostKey =
+ "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU5IejJTWjBjTzdsQlFyenVHclkySGNVczFSMnR5N3M5RnlXelNrSnh0OXkK";
+ }];
+
 nix.registry.lnas.to = {
 type = "git";
 url = "file:///home/${user}/Code/nixos-apple-silicon";
diff --git a/hosts/phi/configuration.nix b/hosts/phi/configuration.nix
index 9561de9..a710fc5 100644
--- a/hosts/phi/configuration.nix
+++ b/hosts/phi/configuration.nix
@@ -54,11 +54,10 @@
 enzime:aZod0R2utyFHotPvicvh1Kj1hcrGjT+5cHAFdnB7X8lJoDpiPDGqEvYXOCEaFsudXD3YFFjEvBiinXsj90jcXg==,mQCyOcbnehUfXRb2Jp/y40ixSeE69rhLnD66Q8bA209moCJmGMwShxT2SIwHJZPGutNTfyqaht2XRK9x27CpLg==,es256,+presence%
 '';
+ # For /mnt/phi on other systems
 users.users.${user} = {
- openssh.authorizedKeys.keys = builtins.attrValues {
- inherit (keys.users) enzime;
- inherit (keys.hosts) sigma;
- };
+ openssh.authorizedKeys.keys =
+ builtins.attrValues { inherit (keys.hosts) hermes-nixos sigma; };
 };
 users.groups.builder = { };
diff --git a/hosts/sigma/hardware-configuration.nix b/hosts/sigma/hardware-configuration.nix
index d562b63..a3a21f8 100644
--- a/hosts/sigma/hardware-configuration.nix
+++ b/hosts/sigma/hardware-configuration.nix
@@ -1,4 +1,4 @@
-{ config, lib, utils, ... }:
+{ config, lib, ... }:
 {
 boot.initrd.availableKernelModules =
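Review bot: `hostName = "aether"` in the new `nix.buildMachines` entry is resolved by the ssh that nix-daemon runs as root, which does not read the `~/.ssh/config` that base.nix writes for `${user}`; the name therefore has to resolve through DNS (presumably Tailscale MagicDNS, given the new `tailscale_aether.age` secret) or through a `Host aether` entry in `/etc/ssh/ssh_config`, otherwise Nix only warns about the unreachable builder and builds locally, and the `"kvm" "big-parallel"` features are never used. The base64 `publicHostKey` is the same ed25519 key this commit adds to keys.nix as `keys.hosts.aether`, written a second time in a different encoding; a comment such as `# base64 of keys.hosts.aether, keep the two in sync` would make a later key rotation less error-prone. `sshKey = "/etc/ssh/ssh_host_ed25519_key"` makes hermes' host identity the credential on aether's `builder` account, which is consistent with `keys.hosts.hermes-nixos` being authorised in remote.nix.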
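Review bot: The phi hunk drops `keys.users.enzime` from `users.users.${user}.openssh.authorizedKeys.keys` while adding `keys.hosts.hermes-nixos`, and none of the changelog entries in this commit mention that the personal user key no longer logs in to this account, so it is unclear whether that is intended; the new `# For /mnt/phi on other systems` comment could say so, e.g. `# For /mnt/phi on other systems; host keys only, the user key is not authorised here on purpose`. Since these host keys exist only to back the sshfs automount in personal.nix, they could also be restricted rather than granted an interactive shell: `authorizedKeys.keys` entries accept option prefixes, so something like `"restrict,command=\"internal-sftp\" ${keys.hosts.sigma}"` limits what a stolen host key can do, provided sshfs is confirmed to work against a forced `internal-sftp` on phi first.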
@@ -60,33 +60,6 @@
 };
 };
- fileSystems."/mnt/phi" = {
- device = "enzime@phi:/";
- fsType = "fuse.sshfs";
- noCheck = true;
- options = [
- "noauto"
- "x-systemd.automount"
- "_netdev"
- "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
- "allow_other"
- "uid=1000"
- "gid=100"
- "ConnectTimeout=1"
- "x-systemd.mount-timeout=10s"
- "ServerAliveInterval=1"
- "ServerAliveCountMax=5"
- ];
- };
-
- systemd.units."${utils.escapeSystemdPath "/mnt/phi"}.mount" = {
- text = ''
- [Unit]
- StartLimitIntervalSec=0
- '';
- overrideStrategy = "asDropin";
- };
-
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
diff --git a/keys.nix b/keys.nix
index bf7bd0a..1ce6f45 100644
--- a/keys.nix
+++ b/keys.nix
@@ -5,6 +5,8 @@
 };
 hosts = {
+ aether =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHz2SZ0cO7lBQrzuGrY2HcUs1R2ty7s9FyWzSkJxt9y";
 echo =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9lGmlJLo3tQoCfyplj2pWoIdB0lPZJm4cEdo/rKExR";
 hermes-nixos =
@@ -18,6 +20,7 @@
 signing = {
 "enzime.cachix.org" = "enzime.cachix.org-1:RvUdpEy6SEXlqvKYOVHpn5lNsJRsAZs6vVK1MFqJ9k4=";
+ aether = "aether-1:fMOnq1aouEVTB6pz6TvszTrXQhrQAbPePlilPafmsHs=";
 chi-linux-builder =
 "chi-linux-builder-1:u0hwDFmxev8B65kKbSAjBP7nGR+it429j/UbsdZd3gs=";
 };
diff --git a/modules/base.nix b/modules/base.nix
index 6e57533..05a0def 100644
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -53,11 +53,11 @@ let
 in {
 imports = [
 "alacritty"
- "cachix"
 "flakes"
 "impermanence"
 "kitty"
 "nix-index"
+ "remote"
 "termite"
 "vm"
 "vscode"
@@ -105,7 +105,7 @@ in {
 '';
 };
- darwinModule = { user, host, inputs, config, lib, ... }: {
+ darwinModule = { user, host, inputs, config, pkgs, lib, ... }: {
 imports = [ shared ];
 # Used for `system.nixpkgsRevision`
@@ -113,7 +113,13 @@ in {
 networking.computerName = host;
- users.users.${user}.home = "/Users/${user}";
+ environment.shells = [ pkgs.zsh ];
+
+ users.users.${user} = {
+ home = "/Users/${user}";
+ # WORKAROUND: Fixes alacritty's terminfo not being found over SSH
+ shell = pkgs.zsh;
+ };
 services.nix-daemon.enable = true;
@@ -158,6 +164,7 @@ in {
 home.sessionVariables = {
 EDITOR = "vim";
 VISUAL = "vim";
+ MANROFFOPT = "-P -c";
 };
 home.file.".ssh/config".text = ''
@@ -186,22 +193,8 @@ in {
 extraConfig = {
 advice = { addIgnoredFile = false; };
 am = { threeWay = true; };
- core = {
- attributesfile = "${pkgs.writeText "attributesfile" ''
- *.age diff=age
- ''}";
- hooksPath = "~/.config/git/hooks";
- };
- diff = {
- colorMoved = "default";
- age.textconv = "${lib.getExe (pkgs.writeShellApplication {
- name = "age-textconv";
- runtimeInputs = [ pkgs.age ];
- text = ''
- age --decrypt -i <(op read "op://trimcmujfu5fjcx5u4u752yk2i/6gedf3cheamokyw47sq4wbxlsy/private key?ssh-format=openssh") "$1"
- '';
- })}";
- };
+ core = { hooksPath = "~/.config/git/hooks"; };
+ diff = { colorMoved = "default"; };
 fetch = { prune = true; };
 init = { defaultBranch = "main"; };
 merge = { conflictStyle = "zdiff3"; };
diff --git a/modules/cachix.nix b/modules/cachix.nix
deleted file mode 100644
index 2154944..0000000
--- a/modules/cachix.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- nixosModule = { inputs, ... }: {
- nix.settings.substituters =
- inputs.self.outputs.nixConfig.extra-substituters;
- nix.settings.trusted-public-keys =
- inputs.self.outputs.nixConfig.extra-trusted-public-keys;
- };
-
- hmModule = { pkgs, ... }: {
- home.packages = builtins.attrValues { inherit (pkgs) cachix; };
- };
-}
diff --git a/modules/personal.nix b/modules/personal.nix
index 779e4fb..00df34c 100644
--- a/modules/personal.nix
+++ b/modules/personal.nix
@@ -6,7 +6,34 @@
 builtins.attrValues { inherit (pkgs) apparency; };
 };
- nixosModule = { user, pkgs, ... }: {
+ nixosModule = { user, pkgs, utils, ... }: {
+ fileSystems."/mnt/phi" = {
+ device = "enzime@phi:/";
+ fsType = "fuse.sshfs";
+ noCheck = true;
+ options = [
+ "noauto"
+ "x-systemd.automount"
+ "_netdev"
+ "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
+ "allow_other"
+ "uid=1000"
+ "gid=100"
+ "ConnectTimeout=1"
+ "x-systemd.mount-timeout=10s"
+ "ServerAliveInterval=1"
+ "ServerAliveCountMax=5"
+ ];
+ };
+
+ systemd.units."${utils.escapeSystemdPath "/mnt/phi"}.mount" = {
+ text = ''
+ [Unit]
+ StartLimitIntervalSec=0
+ '';
+ overrideStrategy = "asDropin";
+ };
+
 services.resilio.enable = true;
 services.resilio.listeningPort = 44444;
 services.resilio.enableWebUI = true;
diff --git a/modules/remote.nix b/modules/remote.nix
new file mode 100644
index 0000000..b42562e
--- /dev/null
+++ b/modules/remote.nix
@@ -0,0 +1,38 @@
+let
+ shared = { inputs, keys, pkgs, ... }: {
+ nix.settings.substituters =
+ inputs.self.outputs.nixConfig.extra-substituters;
+ nix.settings.trusted-public-keys =
+ inputs.self.outputs.nixConfig.extra-trusted-public-keys;
+
+ users.users.builder = {
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = builtins.attrValues {
+ inherit (keys.users) enzime;
+ inherit (keys.hosts) hermes-nixos sigma;
+ };
+ };
+ };
+in {
+ nixosModule = { ... }: {
+ imports = [ shared ];
+
+ users.groups.builder = { };
+
+ users.users.builder.isNormalUser = true;
+ users.users.builder.group = "builder";
+ };
+
+ darwinModule = { config, pkgs, ... }: {
+ imports = [ shared ];
+
+ users.knownUsers = [ "builder" ];
+
+ users.users.builder.uid = 550;
+ users.users.builder.home = "/Users/builder";
+ };
+
+ hmModule = { pkgs, ... }: {
+ home.packages = builtins.attrValues { inherit (pkgs) cachix; };
+ };
+}
diff --git a/modules/sway.nix b/modules/sway.nix
index abbaf05..abf42a4 100644
--- a/modules/sway.nix
+++ b/modules/sway.nix
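Review bot: The sshfs mount moved into personal.nix now lands on every `personal` NixOS host with `"allow_other"` but without `"default_permissions"`; in that combination FUSE performs no local permission check, so any local account on the host, including the SSH-reachable `builder` user that remote.nix creates through base.nix's module list, can read and write whatever `enzime@phi:/` can, not just uid 1000. Adding `"default_permissions"` to `options` makes the kernel enforce the `uid=1000`/`gid=100` ownership it is told to present. The `uid=1000` literal is also an assumption rather than a derivation even though `user` is in scope, so at least note it: `# uid/gid of ${user}; the mount presents remote files as this local account`. Authenticating with `/etc/ssh/ssh_host_ed25519_key` means each host's root host key must be authorised on phi, and only `hermes-nixos` and `sigma` are in this commit, so any other host importing `personal` would get a failing automount.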
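Review bot: The new `builder` account in remote.nix is a normal user with `pkgs.zsh` and three authorised keys, but nothing adds it to `nix.settings.trusted-users`; as far as I can tell, remote builds that arrive over `nix-store --serve`/`nix-daemon --stdio` as an untrusted user are only accepted when every pushed store path carries a signature the remote already trusts, so unless the clients sign their locally built inputs (aether gets a signing key in the terraform configuration, the clients' side is not visible here) the first build with an unsigned local input is refused. Keeping the account untrusted and relying on signatures is the safer choice, in which case a comment should say so, e.g. `# deliberately not in trusted-users: clients must sign what they push`. Two smaller points: `darwinModule` binds `config` and `pkgs` without using either, and `hmModule` still only installs `cachix`, which reads oddly under the new `remote` name.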
@@ -23,6 +23,7 @@
 wayland.windowManager.sway.enable = true;
 wayland.windowManager.sway.package = null;
+ services.swayidle.enable = true;
 programs.waybar.enable = true;
 wayland.windowManager.sway.config = {
@@ -95,35 +96,40 @@
 };
 };
- systemd.user.services.swayidle = {
- Unit = {
- Description = "Idle Manager for Wayland";
- Documentation = [ "man:swayidle(1)" ];
- PartOf = [ "graphical-session.target" ];
- };
-
+ services.swayidle.events = let
+ swaymsg = "${pkgs.sway}/bin/swaymsg";
+ swaylock = lib.getExe pkgs.swaylock;
 # WORKAROUND: 1Password doesn't lock automatically when the screen lock is invoked under Wayland
- Service.ExecStart = let
- swayidle = "${pkgs.swayidle}/bin/swayidle";
- swaymsg = "${pkgs.sway}/bin/swaymsg";
- swaylock = "${pkgs.swaylock}/bin/swaylock";
- lock1Password = pkgs.writeShellScript "lock-1p" ''
- if ${pkgs.procps}/bin/pidof 1password; then
- ${pkgs._1password-gui}/bin/1password --lock &
- fi
- '';
- in ''
- ${swayidle} -w -d \
- before-sleep 'loginctl lock-session' \
- timeout 1 'exit 0' \
- resume '${swaymsg} "output * dpms on"' \
- timeout 180 'loginctl lock-session' \
- resume '${swaymsg} "output * dpms on"' \
- lock '${lock1Password} && ${swaylock} -f -c 000000 && ${swaymsg} "output * dpms off"'
+ lock1Password = pkgs.writeShellScript "lock-1p" ''
+ if ${pkgs.procps}/bin/pidof 1password; then
+ 1password --lock &
+ fi
 '';
-
- Install.WantedBy = [ "sway-session.target" ];
- };
+ in [
+ {
+ event = "before-sleep";
+ command = "loginctl lock-session";
+ }
+ {
+ event = "lock";
+ command =
+ "${lock1Password} && ${swaylock} -f -c 000000 && ${swaymsg} output '*' dpms off";
+ }
+ ];
+ services.swayidle.timeouts = let swaymsg = "${pkgs.sway}/bin/swaymsg";
+ in [
+ {
+ timeout = 1;
+ command = "exit 0";
+ resumeCommand = "${swaymsg} output '*' dpms on";
+ }
+ {
+ timeout = 180;
+ command = "loginctl lock-session";
+ resumeCommand = "${swaymsg} output '*' dpms on";
+ }
+ ];
+ services.swayidle.systemdTarget = "sway-session.target";
 programs.waybar.settings = [{
 modules-left = [ "sway/workspaces" "sway/mode" ];
diff --git a/overlays/nixos-rebuild.nix b/overlays/nixos-rebuild.nix
index 49f5d19..c070ce3 100644
--- a/overlays/nixos-rebuild.nix
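Review bot: The rewritten `lock-1p` script invokes `1password --lock` by bare name where the old `ExecStart` used `${pkgs._1password-gui}/bin/1password`; swayidle now runs as a home-manager systemd user service whose PATH is whatever the user manager provides, and because the call is backgrounded with `&` a missing binary fails silently, so the screen locks while the 1Password vault stays open, which is the very situation the WORKAROUND comment exists to prevent. Restoring the store path, `${pkgs._1password-gui}/bin/1password --lock &`, or moving the script to `writeShellApplication` with the package in `runtimeInputs`, removes the dependency on the service environment. The `pidof` call on the line above still uses an absolute path, so the two lines are now inconsistent as well.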
+++ b/overlays/nixos-rebuild.nix
@@ -1,17 +1,40 @@
 self: super: {
- store-new-generation = super.runCommand "patch-shebang" { } ''
- cp ${../files/store-new-generation.sh} $out
- patchShebangs $out
- '';
+ nixos-rebuild = super.nixos-rebuild.overrideAttrs (old:
+ let
+ patches = [
+ (super.fetchpatch {
+ name = "fix-cross-building-flakes.patch";
+ url =
+ "https://github.com/Enzime/nixpkgs/commit/6a504caae83fce4fe5e345f6c1ee4cf3f7f4fb09.patch";
+ sha256 = "sha256-Rg+xo+Qr/TK5L8YBMnsIKoGwf0LHI/e+svJFvARtWnM=";
+ })
+
+ (super.fetchpatch {
+ name = "only-use-sudo-when-necessary.patch";
+ url =
+ "https://github.com/Enzime/nixpkgs/commit/385898edebd54babf29ee356fac4492e64657783.patch";
+ includes =
+ [ "pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh" ];
+ sha256 = "sha256-oECc8KsCgFeQ0c7w/cRavehuqaWd+yHW+dvaDDG9zgQ=";
+ })
+
+ (super.fetchpatch {
+ name = "fix-sudo-password-over-ssh.patch";
+ url =
+ "https://github.com/Enzime/nixpkgs/commit/6e18bb21cdfc4395386b60f93eef98e5d9a26762.patch";
+ sha256 = "sha256-1Y9mqCXEBUxoLU3DZXVuhPPdeFCro6zZnrv2QGedkcw=";
+ })
- nixos-rebuild = super.nixos-rebuild.overrideAttrs (old: {
- postInstall = ''
- patch --no-backup-if-mismatch $target ${
- (super.substituteAll {
- src = ../files/nixos-rebuild.patch;
- storeNewGeneration = self.store-new-generation;
+ (super.fetchpatch {
+ name = "fix-systemd-run-hang-over-ssh.patch";
+ url =
+ "https://github.com/Enzime/nixpkgs/commit/dda66bb0a46d0886723b7276744b6a4ebef683c2.patch";
+ sha256 = "sha256-4zWnfW8gGNWnCeQvDcke22iTuXdvcirndF+pXv97JYo=";
 })
- }
- '';
- });
+ ];
+ in {
+ postInstall = builtins.concatStringsSep "\n"
+ ((map (p: "patch --no-backup-if-mismatch $target ${p}") patches)
+ ++ [ (old.postInstall or "") ]);
+ });
 }
diff --git a/overlays/terraform.nix b/overlays/terraform.nix
new file mode 100644
index 0000000..dcfb0de
--- /dev/null
+++ b/overlays/terraform.nix
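Review bot: Only the second `fetchpatch` narrows its commit to `nixos-rebuild.sh` with `includes`; the other three are applied to `$target` as fetched, and when `patch` is given an explicit file it applies every file diff in the patch to that one file, so if any of those upstream commits also touches another path (a test, a manual page) the `postInstall` step either fails or, with fuzz, applies a hunk that was never meant for the script. Adding `includes = [ "pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh" ];` to all four entries makes the overlay independent of what else the commits contain, while the pinned `sha256` values already protect against the fetched text changing. As a point of style, `super.lib.concatMapStringsSep "\n" (p: "patch --no-backup-if-mismatch $target ${p}") patches` followed by the `old.postInstall` tail expresses the same `postInstall` with fewer nested parentheses.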
@@ -0,0 +1,22 @@
+self: super: {
+ terraform-providers = super.terraform-providers // (super.lib.mapAttrs
+ (name: plugin:
+ if super.terraform-providers ? ${name} then
+ throw "terraform-providers.${name} already exists"
+ else
+ plugin) {
+ onepassword = super.terraform-providers.mkProvider
+ (let version = "1.4.0";
+ in {
+ inherit version;
+ owner = "1Password";
+ repo = "terraform-provider-onepassword";
+ rev = "v${version}";
+ hash = "sha256-+zusrzMZqoPsSIv2Dh2IEkFd17HVDrVj2wp5th4rRjk=";
+ vendorHash = null;
+ provider-source-address =
+ "registry.terraform.io/1Password/onepassword";
+ spdx = "MIT";
+ });
+ });
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f24eea2..4576543 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -15,6 +15,11 @@ in {
 inherit (hosts) phi;
 };
+ "tailscale_aether.age".publicKeys = builtins.attrValues {
+ inherit (users) enzime;
+ inherit (hosts) aether;
+ };
+
 "x11vnc_phi.age".publicKeys = builtins.attrValues {
 inherit (users) enzime;
 inherit (hosts) phi;
diff --git a/secrets/tailscale_aether.age b/secrets/tailscale_aether.age
new file mode 100644
index 0000000000000000000000000000000000000000..d37901f68516704c330724fd32ea09297af9f36e
GIT binary patch
literal 438 zcmZ9_J&%)M003YI2ZN)t2~NfkgnKCzqGyC!?%Ja*y;8msO?c^B;CfKtZ7FoQ#rScz z*u>;6=V0RGDI7D6mhWJEJ|EAds!9bauW_5#%M1?!+{YKi%4N&qZXM|)cLpR z_vs)<9!BI1qMuE=rqzkKov~M>mbJ4BLr)HJI}P!ua($C(>nF1MB;v@axI)`T4i~^{a>I zXn6kO)wR`o?)2iZQ-AmQ7-vuRZ#ggDYM;RCP&{Pg)y3UE)W`a-A8#%_llrU68wU@E Rcg|YJC+o)EhqIeM{{jbCoZ|oh literal 0 HcmV?d00001