From 37685080b9ff89bbf1070872393954cbfba4ff5b Mon Sep 17 00:00:00 2001
From: clerie
Date: Wed, 22 May 2024 17:17:14 +0200
Subject: [PATCH 1/4] hosts/hydra-1: Sign nix cache entries with multiple keys

---
 flake.lock | 68 ++++++++++++++++++++++++++++++++++++-
 flake.nix | 4 +++
 flake/overlay.nix | 3 ++
 hosts/hydra-1/nix-cache.nix | 13 ++++++-
 hosts/hydra-1/secrets.json | 7 ++--
 5 files changed, 90 insertions(+), 5 deletions(-)

diff --git a/flake.lock b/flake.lock
index f06f8e4..9a89aec 100644
--- a/flake.lock
+++ b/flake.lock
@@ -79,6 +79,27 @@
 }
 },
 "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "harmonia",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1712014858,
+ "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "flake-parts_2": {
 "inputs": {
 "nixpkgs-lib": [
 "ssh-to-age",
@@ -117,6 +138,29 @@
 "type": "github"
 }
 },
+ "harmonia": {
+ "inputs": {
+ "flake-parts": "flake-parts",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "treefmt-nix": "treefmt-nix"
+ },
+ "locked": {
+ "lastModified": 1716301230,
+ "narHash": "sha256-olEXRstmP0lf0H11ht6j3co7mNwcDEXTm+eGfwdEJzM=",
+ "owner": "clerie",
+ "repo": "harmonia",
+ "rev": "e99509779ce6d6ed46062ac556b71f6ca1eb59ad",
+ "type": "github"
+ },
+ "original": {
+ "owner": "clerie",
+ "ref": "clerie/multiple-signing-keys",
+ "repo": "harmonia",
+ "type": "github"
+ }
+ },
 "mitel-ommclient2": {
 "inputs": {
 "nixpkgs": [
@@ -244,6 +288,7 @@
 "chaosevents": "chaosevents",
 "fernglas": "fernglas",
 "fieldpoc": "fieldpoc",
+ "harmonia": "harmonia",
 "nixos-exporter": "nixos-exporter",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs_3",
@@ -295,7 +340,7 @@
 },
 "ssh-to-age": {
 "inputs": {
- "flake-parts": "flake-parts",
+ "flake-parts": "flake-parts_2",
 "nixpkgs": [
 "nixpkgs"
 ]
@@ -328,6 +373,27 @@
 "repo": "default",
 "type": "github"
 }
+ },
+ "treefmt-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "harmonia",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1711963903,
+ "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=",
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 573bd9f..c3ef0ba 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,10 @@
 url = "github:wobcom/fernglas";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ harmonia = {
+ url = "github:clerie/harmonia/clerie/multiple-signing-keys";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
 nixos-exporter = {
 url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
diff --git a/flake/overlay.nix b/flake/overlay.nix
index 6b0e364..22ae40f 100644
--- a/flake/overlay.nix
+++ b/flake/overlay.nix
@@ -1,6 +1,7 @@
 { self
 , bij
 , chaosevents
+, harmonia
 , ssh-to-age
 , ...
 }@inputs:
@@ -9,6 +10,8 @@ final: prev: {
 bij;
 inherit (chaosevents.packages.${final.system})
 chaosevents;
+ inherit (harmonia.packages.${final.system})
+ harmonia;
 inherit (ssh-to-age.packages.${final.system})
 ssh-to-age;
 }
diff --git a/hosts/hydra-1/nix-cache.nix b/hosts/hydra-1/nix-cache.nix
index c85c237..17a8b96 100644
--- a/hosts/hydra-1/nix-cache.nix
+++ b/hosts/hydra-1/nix-cache.nix
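Review bot: The new `harmonia` input pins a personal fork on a mutable branch ref (`github:clerie/harmonia/clerie/multiple-signing-keys`), so the daemon that signs every cache entry is now built from code outside the upstream review process, and `nix flake update` will follow whatever that branch points at; only the lock file (rev e99509779ce6d6ed46062ac556b71f6ca1eb59ad) pins it. Add a comment above the input recording why the fork is needed and when it can go away, e.g. `# fork: multiple signing keys (SIGN_KEY_PATHS); drop once merged upstream`. As with any non-upstream input, the locked rev deserves a look before each flake update, since it runs with read access to the signing keys.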
@@ -5,7 +5,18 @@
 services.harmonia = {
 enable = true;
 settings.bind = "[::1]:5005";
- signKeyPath = config.sops.secrets.nix-cache-key.path;
+ };
+
+ systemd.services.harmonia = {
+ environment = {
+ SIGN_KEY_PATHS = "%d/key1 %d/key2";
+ };
+ serviceConfig = {
+ LoadCredential = [
+ "key1:${config.sops.secrets."sign-key-nix-cache.clerie.de".path}"
+ "key2:${config.sops.secrets."sign-key-cache.nix.clerie.de".path}"
+ ];
+ };
 };
 
 services.nginx.virtualHosts = {
diff --git a/hosts/hydra-1/secrets.json b/hosts/hydra-1/secrets.json
index 189e9e8..b131b0b 100644
--- a/hosts/hydra-1/secrets.json
+++ b/hosts/hydra-1/secrets.json
@@ -1,5 +1,6 @@
 {
- "nix-cache-key": "ENC[AES256_GCM,data:AFDvfikObYvlwqRd0Wz3jfZdrKp6vu5ga6mFKRSPhh/BPFS1mBNyz3DQTL914bO7Pn47QHQVxufFVYlYmIq9sIK5snudZmRNDC21D95CvnJMWkO4d+nO8sMbjTMocEBmBEPMC18WHrkVmWOJ,iv:sD1qpX4sgAqb0c4Vmr7cRAELwiQhORKleGggKnOtmB4=,tag:q9D/f/+n9J2+ZtyuLXuk6w==,type:str]",
+ "sign-key-nix-cache.clerie.de": "ENC[AES256_GCM,data:V6PHF1p8I43uErwNdixWeU5dw6liI/8LtFL61bZ7vldvv/7RbqJ/e5gvLYhrsK5hzLYbBqKEpt2v7007Jh/A16fX0VZ+M1d5OqTClAzRdW6FC/A/JAaJfcDphYK2MXeXdNtN9WlRS6hBK9T6,iv:Y0eiMTFu34/Oy6hRHHPJ+wWOJsJ9S7mUFKwfJiRwjus=,tag:sYsjS3LVGDPUy2ZrDlXw8g==,type:str]",
+ "sign-key-cache.nix.clerie.de": "ENC[AES256_GCM,data:vuc21vilquxcasVXv7dsMSDxq1i0pUENmuoehFZHQd2vJqpkT8IFjwRBdVScxBgcz2/qv1iA3Ou4yBVPAfUKmOM6S1hzJGPxOfQySUTrQE6LgJZFAe/nKxNdiE0cBksMF7UtfJt4AmRv93BN,iv:s1N0U1X6sY/0HM7OMAGjrqFRRpiwHpedQn11/U3C944=,tag:nDrmDhB4D2OCu1ZLfoflag==,type:str]",
 "wg-monitoring": "ENC[AES256_GCM,data:C5C1s8GgEhu0QrIYiToJu/6Be7njwwNzdj5oMDGihT0m4lCtkwDI9NPxdBQ=,iv:icgVuwsJjl9+6pank/0MenY3Sm9eZiJ4KqQHASz+GXE=,tag:ANKZxndDHXAakUFr0euvkQ==,type:str]",
 "sops": {
 "kms": null,
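Review bot: `SIGN_KEY_PATHS = "%d/key1 %d/key2"` and the `key1`/`key2` credential IDs say nothing about which cache name each key signs, and nothing in the hunk records that the fork's variable is whitespace-separated or that `%d` is systemd's credentials-directory specifier, so a later maintainer cannot tell which key to rotate or why the value is shaped this way. Add a comment above `environment`, e.g. `# SIGN_KEY_PATHS (fork feature): space-separated; %d = $CREDENTIALS_DIRECTORY; key1 signs nix-cache.clerie.de, key2 signs cache.nix.clerie.de`, or name the credentials after the domains instead of key1/key2. The two `config.sops.secrets."sign-key-…"` references replace `nix-cache-key`, but the matching `sops.secrets` declarations and any other reader of the old `nix-cache-key` path are outside this diff and should be checked, since the secrets.json hunk only swaps the encrypted values. Moving the keys to `LoadCredential` is the right direction: the service reads a private copy instead of the sops path directly. The attribute set enclosing `services.harmonia` starts and ends outside the hunk.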
@@ -12,8 +13,8 @@
 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiS01SZzVxOGVjeDNuMEY2\nMjd3VjJHRTgyckZxbitFYTg5cUNZNHk5TTM0CkM3QnZyaFFmTUp2T2phZ3FuR3lR\nd1E3TlpsRnBQVXM4WlNIKzdTelJIbkUKLS0tIG5xR1VlK25LR3JucDIwakMzNVp6\nYkI1ZmorajhDUHdHZHQ0QlkxMkE5dHMKTaffSqKMM7Z6pDmMLvRr6MEsNPvJ9ycF\ny5Wilaie7qdFPEWJDNXOmmKwJgF/wPIsYYouL+YlKaOalL4X0i4xgA==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
- "lastmodified": "2024-04-21T16:30:03Z",
- "mac": "ENC[AES256_GCM,data:aEIs0bTuMJJsjCLtwQ/3ApO8iVCdlfPhBY97veU518R+Z2aywEh9R7h89skuVjrRcrbzeZthaubD3fqK+0mWkIgk9cYWzcHAA8OYNX8inZAnWuhN4kcc9pAy6abdqYtlqtTBY33m4BITEsIsUROW+VP7V87Kyp3THnn2S0QqAag=,iv:1wqiyugRLFXT3uXfo053E6mGH/wFGjUO/AkXz915GrA=,tag:8Vil1vZRkKUN4HwcFNJsXQ==,type:str]",
+ "lastmodified": "2024-05-22T15:14:09Z",
+ "mac": "ENC[AES256_GCM,data:kOC/GOhtq00jcHQoLSaCeI9ACUDv4aoMH8+Zn3tCEpK2k71/mdzV0ces5Aojxu7CIsZh+0GpStCPVgA68Ke96PKt5yYv4G0PaN0dlFs8luvl29OcvEWIvM3Hzb3KVmp5/rYsch4l1YrxCO9PqNVN6aIwe0mdJlLLpwTshZ2bgu8=,iv:0YkBoKBqi7S3ioXbo8p1yr5jVRjjBAI/y8cy9VJhIDU=,tag:3VQKXWhoK+nFZ4WKz3Y3AA==,type:str]",
 "pgp": [
 {
 "created_at": "2024-04-21T16:29:22Z",
From 5100591978acc832ca4894debf2257a9fc4828af Mon Sep 17 00:00:00 2001
From: clerie
Date: Wed, 22 May 2024 17:52:46 +0200
Subject: [PATCH 2/4] flake/overlay.nix: Pin nix version for harmonia

---
 flake/overlay.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/flake/overlay.nix b/flake/overlay.nix
index 22ae40f..c53b06d 100644
--- a/flake/overlay.nix
+++ b/flake/overlay.nix
@@ -10,8 +10,9 @@ final: prev: {
 bij;
 inherit (chaosevents.packages.${final.system})
 chaosevents;
- inherit (harmonia.packages.${final.system})
- harmonia;
+ harmonia = harmonia.packages.${final.system}.harmonia.override {
+ nixForHarmonia = final.nixVersions.nix_2_21;
+ };
 inherit (ssh-to-age.packages.${final.system})
 ssh-to-age;
 }
From a2a84a66bc088c06aacf2823ce751da6df5d1e00 Mon Sep 17 00:00:00 2001
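Review bot: The `override { nixForHarmonia = final.nixVersions.nix_2_21; }` gives no reason for pinning that Nix, so the pin will outlive whatever motivated it and quietly diverge from the Nix the rest of the host uses; a binary cache daemon built against a different store library than the daemon that writes the store is the kind of mismatch that is only noticed when it breaks. Record the reason next to the pin, e.g. `# harmonia fork is built against nix 2.21 (reason: TODO); revisit whenever the system nix is bumped`. I cannot confirm from the diff whether 2.21 is a build requirement of the fork or a workaround, so the placeholder needs filling in by the author.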
From: clerie
Date: Wed, 22 May 2024 18:00:19 +0200
Subject: [PATCH 3/4] configuration/desktop: Migrate networkmanager settings to attribute set

---
 configuration/desktop/networking.nix | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/configuration/desktop/networking.nix b/configuration/desktop/networking.nix
index 51d7a56..5d3704e 100644
--- a/configuration/desktop/networking.nix
+++ b/configuration/desktop/networking.nix
@@ -2,12 +2,13 @@
 {
- networking.networkmanager.extraConfig = ''
- [connectivity]
- uri=http://ping.clerie.de/nm-check.txt
-
- [global-dns]
- searches=net.clerie.de
- '';
+ networking.networkmanager.settings = {
+ connectivity = {
+ uri = "http://ping.clerie.de/nm-check.txt";
+ };
+ global-dns = {
+ searches = "net.clerie.de";
+ };
+ };
 }
From d6a4efd9e0cfca2d33727285100d9d938fd0ec99 Mon Sep 17 00:00:00 2001
From: Flake Update Bot
Date: Thu, 23 May 2024 03:04:07 +0200
Subject: [PATCH 4/4] Update nixpkgs 2024-05-23-01-03

---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/flake.lock b/flake.lock
index 98091b0..41bef5e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -268,11 +268,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1716293225,
- "narHash": "sha256-pU9ViBVE3XYb70xZx+jK6SEVphvt7xMTbm6yDIF4xPs=",
+ "lastModified": 1716330097,
+ "narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "3eaeaeb6b1e08a016380c279f8846e0bd8808916",
+ "rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
 "type": "github"
 },
 "original": {
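Review bot: `uri = "http://ping.clerie.de/nm-check.txt"` reads like a cleartext oversight now that it sits in a structured attribute set, but NetworkManager's connectivity probe is deliberately plain HTTP so that captive portals can intercept and redirect it; since this migration rewrites the line anyway, add a comment so nobody later "fixes" it to https, e.g. `# plain http on purpose: the connectivity check must be interceptable by captive portals`. The `settings` attribute set should render to the same `[connectivity]`/`[global-dns]` sections as the removed `extraConfig` text, with `searches` kept as the same single string, which is worth confirming in the generated NetworkManager.conf after the switch.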