From e2b53c9c506cdc8ee6b0a86cb8ee0d27eddc3b94 Mon Sep 17 00:00:00 2001
From: clerie
Date: Sun, 12 May 2024 13:42:58 +0200
Subject: [PATCH 1/8] flake.lock: Update nixpkgs

---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/flake.lock b/flake.lock
index 226df0c..4fd0764 100644
--- a/flake.lock
+++ b/flake.lock
@@ -240,11 +240,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1712963716,
- "narHash": "sha256-WKm9CvgCldeIVvRz87iOMi8CFVB1apJlkUT4GGvA0iM=",
+ "lastModified": 1713297878,
+ "narHash": "sha256-hOkzkhLT59wR8VaMbh1ESjtZLbGi+XNaBN6h49SPqEc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "cfd6b5fc90b15709b780a5a1619695a88505a176",
+ "rev": "66adc1e47f8784803f2deb6cacd5e07264ec2d5c",
 "type": "github"
 },
 "original": {
From d22a3d447b25ed0310728a5337040ea3952e2d1d Mon Sep 17 00:00:00 2001
From: clerie
Date: Sun, 12 May 2024 14:34:00 +0200
Subject: [PATCH 2/8] pkgs/clerie-sops: Add actions to clerie-sops-edit

---
 pkgs/clerie-sops/clerie-sops-edit.sh | 64 ++++++++++++++++++++++++++--
 1 file changed, 61 insertions(+), 3 deletions(-)

diff --git a/pkgs/clerie-sops/clerie-sops-edit.sh b/pkgs/clerie-sops/clerie-sops-edit.sh
index 79e2b95..2e03185 100755
--- a/pkgs/clerie-sops/clerie-sops-edit.sh
+++ b/pkgs/clerie-sops/clerie-sops-edit.sh
@@ -5,8 +5,42 @@ set -euo pipefail +print_help() { + cat << EOF +clerie-sops-edit + + This script allows editing single secrets in a secrets file by key. + + is a sops secrets file + is one of "edit", "read", "set" and "append" + is the key of the secret in the secrets file to modify +EOF +} + +if [[ $# != 3 ]]; then + print_help + exit 1 +fi + SECRETS_FILE="$1" -KEY="$2" + +if [[ ! -f "${SECRETS_FILE}" ]]; then + echo "File \"${SECRETS_FILE}\" does not exist" + echo + print_help + exit 1 +fi + +ACTION="$2" + +if ! echo "edit read set append" | grep -wq "${ACTION}"; then + echo "Action \"${ACTION}\" not supported" + echo + print_help + exit 1 +fi + +KEY="$3" KEY_SELECTOR="$(jq -Rsc '[.]' <(echo -n "${KEY}"))" if [[ -n $EDITOR ]]; then @@ -14,12 +48,36 @@ if [[ -n $EDITOR ]]; then fi TMP_FILE="$(mktemp)" +DECRYPT_ERROR_FILE="$(mktemp)" -clerie-sops --decrypt --extract "${KEY_SELECTOR}" "${SECRETS_FILE}" > "${TMP_FILE}" +if ! clerie-sops --decrypt --extract "${KEY_SELECTOR}" "${SECRETS_FILE}" > "${TMP_FILE}" 2> "${DECRYPT_ERROR_FILE}"; then + # Ignore that the key does not exist, but fail for all other errors + if ! cat "${DECRYPT_ERROR_FILE}" | grep -q "component .* not found"; then + cat "${DECRYPT_ERROR_FILE}" + exit 1 + fi +fi TMP_FILE_HASH_BEFORE="$(sha256sum "${TMP_FILE}")" -vim "${TMP_FILE}" +case "${ACTION}" in + edit) + "${EDITOR}" "${TMP_FILE}" + ;; + read) + cat "${TMP_FILE}" + ;; + set) + cat > "${TMP_FILE}" + ;; + append) + cat >> "${TMP_FILE}" + ;; + *) + echo "Unsupported action" + exit 1 + ;; +esac TMP_FILE_HASH_AFTER="$(sha256sum "${TMP_FILE}")" From edabc9e892789b74d8b762bd5b3981af0301356e Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 12 May 2024 14:42:55 +0200 Subject: [PATCH 3/8] pkgs/clerie-sops: Remove unnecessary use of cat --- pkgs/clerie-sops/clerie-sops-edit.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/clerie-sops/clerie-sops-edit.sh b/pkgs/clerie-sops/clerie-sops-edit.sh index 2e03185..7e03445 100755 
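Review bot: The action check `if ! echo "edit read set append" | grep -wq "${ACTION}"; then` treats the user-supplied action as a regular expression, so values such as `e.it` or `.` pass validation and are only rejected by the `*)` branch of the later case statement, after the secret has already been decrypted to a temp file. A literal comparison avoids that, e.g. `case "${ACTION}" in edit|read|set|append) ;; *) echo "Action \"${ACTION}\" not supported"; echo; print_help; exit 1 ;; esac`. The `if [[ -n $EDITOR ]]; then` block that closes this hunk continues outside it.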
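Review bot: The plaintext that `clerie-sops --decrypt` writes to `TMP_FILE` is not removed on the two new early-exit paths (`exit 1` after a decrypt error other than "component not found", and the `*)` branch of the case), and `DECRYPT_ERROR_FILE` is never removed within this hunk, so decrypted secret material can be left behind in the temp directory. Register cleanup right after the two `mktemp` calls: `trap 'rm -f "${TMP_FILE}" "${DECRYPT_ERROR_FILE}"' EXIT`. Whether the script removes `TMP_FILE` on its normal path is outside the hunk, which ends before the hash comparison. Note also that `"${EDITOR}" "${TMP_FILE}"` replaces the hard-coded `vim` but will not accept an `EDITOR` value that carries arguments; a one-line comment stating that limitation would save the next reader a debugging round.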
--- a/pkgs/clerie-sops/clerie-sops-edit.sh +++ b/pkgs/clerie-sops/clerie-sops-edit.sh @@ -52,7 +52,7 @@ DECRYPT_ERROR_FILE="$(mktemp)" if ! clerie-sops --decrypt --extract "${KEY_SELECTOR}" "${SECRETS_FILE}" > "${TMP_FILE}" 2> "${DECRYPT_ERROR_FILE}"; then # Ignore that the key does not exist, but fail for all other errors - if ! cat "${DECRYPT_ERROR_FILE}" | grep -q "component .* not found"; then + if ! grep -q "component .* not found" "${DECRYPT_ERROR_FILE}"; then cat "${DECRYPT_ERROR_FILE}" exit 1 fi From 03213c838947a5f26a1b81df103c36e7ea98d3f7 Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 12 May 2024 14:51:54 +0200 Subject: [PATCH 4/8] pkgs/nixfiles: Migrate nixfiles-generate-backup-secrets to clerie-sops-edit --- flake.nix | 1 + .../nixfiles-generate-backup-secrets.nix | 2 +- .../nixfiles-generate-backup-secrets.sh | 22 +++++-------------- pkgs/overlay.nix | 1 + 4 files changed, 8 insertions(+), 18 deletions(-) diff --git a/flake.nix b/flake.nix index 06f22f9..a82af9f 100644 --- a/flake.nix +++ b/flake.nix @@ -132,6 +132,7 @@ nix-remove-result-links nixfiles-auto-install nixfiles-generate-config + nixfiles-generate-backup-secrets nixfiles-update-ssh-host-keys print-afra ssh-gpg diff --git a/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix b/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix index 9c2885e..47253ab 100644 --- a/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix +++ b/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix @@ -4,7 +4,7 @@ pkgs.writeShellApplication { name = "nixfiles-generate-backup-secrets"; text = builtins.readFile ./nixfiles-generate-backup-secrets.sh; runtimeInputs = with pkgs; [ - agenix + clerie-sops-edit apacheHttpd git pwgen diff --git a/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh b/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh index 28dcb42..9286c26 100755 --- a/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh +++ b/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh 
@@ -12,21 +12,9 @@ target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")" target_magenta="$(pwgen -1 64 1)" target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")" -mkdir -p "hosts/${host}/secrets" +echo "$job_main" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-job-main" +echo "$target_cyan" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-cyan" +echo "$target_magenta" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-magenta" -echo "$job_main" | agenix -e "hosts/${host}/secrets/new" -mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-job-main.age" - -echo "$target_cyan" | agenix -e "hosts/${host}/secrets/new" -mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-cyan.age" - -echo "$target_magenta" | agenix -e "hosts/${host}/secrets/new" -mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-magenta.age" - -prev_htpasswd_cyan="$(agenix -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)" -cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | agenix -e "hosts/clerie-backup/secrets/new" -mv "hosts/clerie-backup/secrets/new" "hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age" - -prev_htpasswd_magenta="$(agenix -d "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age")" -cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | agenix -e "hosts/backup-4/secrets/new" -mv "hosts/backup-4/secrets/new" "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age" +echo "${target_cyan_htpasswd}" | clerie-sops-edit "hosts/clerie-backup/secrets.json" append "restic-server-cyan-htpasswd" +echo "$target_magenta_htpasswd" | clerie-sops-edit "hosts/backup-4/secrets.json" append "restic-server-magenta-htpasswd" diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix index 4f53201..97c7fdf 100644 --- a/pkgs/overlay.nix +++ b/pkgs/overlay.nix 
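Review bot: `"hosts/${host}/secrets.json"` is repeated verbatim in three of the new lines and the two htpasswd lines quote the same kind of variable two ways (`"${target_cyan_htpasswd}"` vs `"$target_magenta_htpasswd"`); hoisting `secrets_file="hosts/${host}/secrets.json"` and settling on one quoting style makes the block easier to keep consistent. Each of the five calls decrypts and re-encrypts its secrets file independently, so a failure in a later call leaves the earlier files already rewritten — acceptable for a generator script, but worth a comment such as `# each call rewrites one secrets file; if a call fails, rerun the whole script`. `echo` appends a newline, so every stored value ends with one; the replaced agenix pipelines did the same, so this is not a regression.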
@@ -11,6 +11,7 @@ final: prev: {
 nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
 nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
 nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
+ nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
 nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
 print-afra = final.callPackage ./print-afra {};
 ssh-gpg = final.callPackage ./ssh-gpg {};
From e6371e45d8f9b1801ebca0b544068c4f5c78604b Mon Sep 17 00:00:00 2001
From: clerie
Date: Sun, 12 May 2024 16:10:23 +0200
Subject: [PATCH 5/8] users/clerie: Remove old ssh key

---
 users/clerie/clerie_id-2023.pub | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 users/clerie/clerie_id-2023.pub

diff --git a/users/clerie/clerie_id-2023.pub b/users/clerie/clerie_id-2023.pub
deleted file mode 100644
index 3355d9a..0000000
--- a/users/clerie/clerie_id-2023.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzEQEWeunhkzP+invKjdsZe4rbUloixa374bYEhBSA5 clerie_id
From 199e6e17917a519fc17880be9ff24ddf66c2f177 Mon Sep 17 00:00:00 2001
From: clerie
Date: Sun, 12 May 2024 16:46:19 +0200
Subject: [PATCH 6/8] hosts/hydra-1: Server nix cache on cache.nix.clerie.de too

---
 hosts/hydra-1/cache.nix.clerie.de/index.txt | 24 +++++++++++++++++++++
 hosts/hydra-1/nix-cache.nix | 23 ++++++++++++++++++--
 2 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 hosts/hydra-1/cache.nix.clerie.de/index.txt

diff --git a/hosts/hydra-1/cache.nix.clerie.de/index.txt b/hosts/hydra-1/cache.nix.clerie.de/index.txt
new file mode 100644
index 0000000..ac9b577
--- /dev/null
+++ b/hosts/hydra-1/cache.nix.clerie.de/index.txt
@@ -0,0 +1,24 @@ +Nix Cache by clerie + +Public key: + + cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g= + +NixOS Configuration: + + nix.settings = { + substituters = [ + "https://cache.nix.clerie.de" + ]; + trusted-public-keys = [ + "cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=" + ]; + } + +Try: + + nix build --substituters "https://cache.nix.clerie.de" \ + --trusted-public-keys "cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=" \ + "git+https://git.clerie.de/clerie/fieldpoc.git#fieldpoc" + +.-*..*-. diff --git a/hosts/hydra-1/nix-cache.nix b/hosts/hydra-1/nix-cache.nix index fbfc206..743c8aa 100644 --- a/hosts/hydra-1/nix-cache.nix +++ b/hosts/hydra-1/nix-cache.nix 
@@ -13,11 +13,30 @@ enableACME = true; forceSSL = true; locations."= /" = { - return = ''200 'Nix Cache by clerie\n\nPublic key:\n\n nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=\n\nNixOS Configuration:\n\n nix.settings = {\n substituters = [\n "https://nix-cache.clerie.de"\n ];\n trusted-public-keys = [\n "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="\n ];\n }\n\nTry:\n\n nix build --substituters "https://nix-cache.clerie.de" \\\n --trusted-public-keys "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=" \\\n "git+https://git.clerie.de/clerie/fieldpoc.git#fieldpoc"\n\n.-*..*-.' ''; + index = "/index.txt"; + }; + locations."= /index.txt" = { + root = ./cache.nix.clerie.de; + }; + locations."/" = { + proxyPass = "http://[::1]:5005"; extraConfig = '' - types { } default_type "text/plain; charset=utf-8"; + proxy_redirect http:// https://; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; ''; }; + }; + "cache.nix.clerie.de" = { + enableACME = true; + forceSSL = true; + locations."= /" = { + index = "/index.txt"; + }; + locations."= /index.txt" = { + root = ./cache.nix.clerie.de; + }; locations."/" = { proxyPass = "http://[::1]:5005"; extraConfig = '' From 3b0e66dc01280fad82b4ba53d717976df3a9bfd8 Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 12 May 2024 17:24:46 +0200 Subject: [PATCH 7/8] hosts/hydra-1: Serve plain nix store on cache.nix.clerie.de --- hosts/hydra-1/nix-cache.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/hosts/hydra-1/nix-cache.nix b/hosts/hydra-1/nix-cache.nix index 743c8aa..c85c237 100644 --- a/hosts/hydra-1/nix-cache.nix +++ b/hosts/hydra-1/nix-cache.nix 
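Review bot: The `"cache.nix.clerie.de"` virtual host added at the end of the hunk repeats the `locations` attribute set of `nix-cache.clerie.de` line for line, so the two hosts will drift apart as soon as one is edited — patch 7 of this series already extends only the second one. Bind the shared set once, e.g. `cacheLocations = { "= /" = { index = "/index.txt"; }; "= /index.txt" = { root = ./cache.nix.clerie.de; }; "/" = { … }; };`, and write `locations = cacheLocations;` in both hosts. The proxy block also relies on `$connection_upgrade`, which only resolves when a `map $http_upgrade $connection_upgrade` exists in the http context; the NixOS nginx module appears to emit one by default, but that is not visible here and deserves a short comment. The enclosing `virtualHosts` set starts before and ends after the hunk.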
@@ -37,6 +37,18 @@
 locations."= /index.txt" = {
 root = ./cache.nix.clerie.de;
 };
+ locations."= /nix/store/" = {
+ extraConfig = ''
+ return 404;
+ '';
+ };
+ locations."/nix/store/" = {
+ root = "/";
+ extraConfig = ''
+ autoindex on;
+ autoindex_exact_size off;
+ '';
+ };
 locations."/" = {
 proxyPass = "http://[::1]:5005";
 extraConfig = ''
From dd2637778358e68115d247a90f7ba8031ddff058 Mon Sep 17 00:00:00 2001
From: Flake Update Bot
Date: Mon, 13 May 2024 03:04:16 +0200
Subject: [PATCH 8/8] Update nixpkgs 2024-05-13-01-03

---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/flake.lock b/flake.lock
index 4fd0764..962ca73 100644
--- a/flake.lock
+++ b/flake.lock
@@ -240,11 +240,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1713297878,
- "narHash": "sha256-hOkzkhLT59wR8VaMbh1ESjtZLbGi+XNaBN6h49SPqEc=",
+ "lastModified": 1715447595,
+ "narHash": "sha256-VsVAUQOj/cS1LCOmMjAGeRksXIAdPnFIjCQ0XLkCsT0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "66adc1e47f8784803f2deb6cacd5e07264ec2d5c",
+ "rev": "062ca2a9370a27a35c524dc82d540e6e9824b652",
 "type": "github"
 },
 "original": {
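Review bot: `locations."/nix/store/"` with `root = "/"` and `autoindex on` makes every directory under the host's Nix store publicly listable and downloadable file by file, which is broader than what the binary cache proxied on port 5005 already publishes as NARs. The `return 404` for the exact `/nix/store/` path only hides the top-level index; any store path whose name is known (store hashes are not secret — they appear in narinfo files and build logs) can still be browsed. If this is intended, put a comment above the location saying that the whole store is public and make sure nothing on hydra-1 is ever realised into the store from secret material; if only NAR serving is needed, the location can be dropped in favour of the existing proxy. The enclosing virtual host starts and ends outside the hunk.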