hosts: *: sign remote builds and serve cache

2023-10-02 16:56:03 +02:00 · 2023-10-02 16:56:03 +02:00 · 501f70f730
commit 501f70f730
parent 9d3d9d9a16
19 changed files with 90 additions and 44 deletions
--- a/modules/hardware/remoteBuilder.nix
+++ b/modules/hardware/remoteBuilder.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:

 {
  users.users.nixremote = {                   # System User
@ -11,7 +11,15 @@
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILczsj4W1kFQaalFwaY+RJ4LEzNeFKD+itXB40Q2O59M nixremote@hades"
    ];
  };
+
  nix.settings.trusted-users = [
    "nixremote"
  ];
+
+  services.nix-serve.secretKeyFile = config.age.secrets."keys/nixservepriv".path;
+
+  age.secrets."keys/nixservepriv" = {
+    file = ../../secrets/keys/nixservepriv.age;
+    owner = "nixremote";
+  };
 }
--- a/modules/hardware/remoteClient.nix
+++ b/modules/hardware/remoteClient.nix
@ -15,6 +15,14 @@
      publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUVnbld5UVVVYSt2Y0hBS3g2ZWRiVGdxVzhwaCtNQ2lTNmZVd1lqWWNTK28gcm9vdEBoYWRlcwo=%";
      protocol = "ssh-ng";
    } ];
+    settings = {
+      trusted-public-keys = [
+        "hades-builder:AFdPgi6Qq/yKqc2V2imgzMikEkVEFCrDaHyAmOJ3MII="
+      ];
+      substituters = [
+        "ssh-ng://hades"
+      ];
+    };
  };
  
  age.secrets."keys/nixremote" = {
--- a/secrets/keys/nixremote.age
+++ b/secrets/keys/nixremote.age
--- a/secrets/keys/nixservepriv.age
+++ b/secrets/keys/nixservepriv.age
@ -0,0 +1,27 @@
+age-encryption.org/v1
+-> ssh-ed25519 Xp6AuQ 6zWeAuAxt6YI5JdPep5QqfWfTRWJi3T49vb75URi8SY
+IjcXC5MKPYGErpGhpeHMcgaugrVHyFg3z6TN0vhvGH8
+-> ssh-rsa VtjGpQ
+Ii3fw9b5i1T5fJL+3PXczo5EW1iE/Jp/pEQ8qpCUc+9dX6n/x6uz8IblSVYWNQnc
+0TPAmvZlXN9zAL9yL9fIsZDK0ZF9GoSlHVYt+OM+NMeNBqqkpue8jgSLd6RFO5vH
+ReSO605+latKouNHS/g4qg0XPE5AZrRRGL/UFRS890ZrMFvQfyB5NARrWrtl6O9C
+jugBjgVXRJvp62Ky1qfTYHSSs9C7Ckxl84DlMHfVMx4i00VA7JA8dg2wUJE00VZW
+LmYNQ0EOfO+BBeBrY1rFg+phBmnpZKGoIV1GVio0dA5cOAVYslSwin+jeGAvsqz7
+7rJtSx/4IlRFfAy47jrT6tIaBW04iVAJN3UXqKcIR4ULUUL5295jNHzgUzzcBCC
+q52pzFsT3VcTvzOfcHBMxkHIeWXznqWe06qrtPnzz2PknBJ4VSlw6kObX25VZqn6
+tsKFB7qXON9zKH5iB80N1KkG7fc+8geMJP8ZG3rk/49Bj4gczVwUuMDaGKqAZ0rH
+hGYTuQPxE0xS38maxMl+KH3hwYACJYWhpLqSEDFmNFhmK2QgMeCryZGn8+j+qmr6
+TTuSFym1cSnlhA9e8B3WmLqoibkOl17N0dj6D/nUPdZQ9BHujDPnt9Ghjm1Y9Jg1
+yE4Fk6Jg8aS3+pwQMOLgEY9x3jTWdouco4Kgy+f7yoM
+-> piv-p256 grR75w A/5q4DtKLFiSs1sURKgDw9rnUetNPyjIKefB/VZN9tcD
+xsd3JeqDR8GiH/dBe/zkobnhCQFZ5vxuRVf+fgWavt4
+-> piv-p256 RQguQQ Au3E8BcyQy9WvSwo89K/y1mQNu1YR+aXa/om3rYzyYoe
+ka0MIRZiyEwhEGlF4dRUyU/lUkz1yJLzi4gla+6T6i4
+-> 93`-grease uYKu~(\x b ,k k`N
+eu7veI1qvOSizB6N8yf4G4YK1qwo8R4+j/JZrKK9EGndICKyJ0r7VX4jzfZuxPfz
+EIUoI5j1Ze6JGz4Sveq2+TARFXFjOiVyhNR0JXBJ60TEtjj7sddZgEluuJSQqODv
+
+--- JbSd2VGwQKDJil/9g4vfQonVymxogwnOeKY6I/55RfE
+ÈNx¡¤GÛ5_<EFBFBD>ùFÆ!§˜kFÍ×·Óá
+QÿV(í¦ƒ‰nù[ñthI®Ä'%	Î<>‘œÞÔoSQÑë†]ô±D<02>D'Zâá¯¹/i1éø./'<27>¹ámžüˆ
+lÖÚ¾mY|”fÙ†OÃéÝƒšÎèq?Ì¬¾“°Ãa¶äò€SCÿt^†™Ó•
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -38,6 +38,9 @@ let
      jupiter
      steamdeck
  ];
+  buildServer = [
+      hades
+  ];
 in
    {
        "services/postgresql/initScript.age".publicKeys = servers ++ users;
@ -55,4 +58,5 @@ in
        "services/gitea/mailerPassword.age".publicKeys = servers ++ users;
        "services/woodpecker/environment.age".publicKeys = servers ++ users;
        "keys/nixremote.age".publicKeys = buildClients ++ users;
+        "keys/nixservepriv.age".publicKeys = buildServer ++ users;
    }
--- a/secrets/services/coturn/static-auth.age
+++ b/secrets/services/coturn/static-auth.age
--- a/secrets/services/gitea/databasePassword.age
+++ b/secrets/services/gitea/databasePassword.age
--- a/secrets/services/gitea/mailerPassword.age
+++ b/secrets/services/gitea/mailerPassword.age
--- a/secrets/services/matrix/mautrix-signal.age
+++ b/secrets/services/matrix/mautrix-signal.age
--- a/secrets/services/matrix/mautrix-telegram.age
+++ b/secrets/services/matrix/mautrix-telegram.age
--- a/secrets/services/matrix/mautrix-whatsapp.age
+++ b/secrets/services/matrix/mautrix-whatsapp.age
--- a/secrets/services/matrix/signal-registration.age
+++ b/secrets/services/matrix/signal-registration.age
--- a/secrets/services/matrix/synapse.age
+++ b/secrets/services/matrix/synapse.age
--- a/secrets/services/matrix/telegram-registration.age
+++ b/secrets/services/matrix/telegram-registration.age
--- a/secrets/services/matrix/whatsapp-registration.age
+++ b/secrets/services/matrix/whatsapp-registration.age
--- a/secrets/services/nextcloud/adminpassFile.age
+++ b/secrets/services/nextcloud/adminpassFile.age
@ -1,24 +1,23 @@
 age-encryption.org/v1
-> ssh-ed25519 neExcQ uxF7XBZs30Y7MnsPqgqZK8U0RypsU3ZSkEGPs3z6MWo
-U38OQUsd4+JAhSoNlm8Bq4vYjLIlxbtEPRNryTId7qw
+-> ssh-ed25519 neExcQ WtmJzAU0LpM3+meYwlydkBJ9+GEOrT3aD2fKZuTIdWI
+5Bt3tu+IF3646Vp3No5vOqCJfqpTL1SO2AUNLSAeapc
 -> ssh-rsa VtjGpQ
-WX552pdtAV7QTsG5PP1r+EPsao0Q+sBUFOVsGCI2zLQJM5m8UGjIJqsNu3xQMsbL
-f67taemm3FVuSlfZ4+O0NP2T16FH6lVF5gLidCTyvvY1r1LJ3bUKrkvgVsdH4TYZ
-5rCYggrAIQP7TEjs+/QsSdN079vxmmGAYKJXfcYVSF34CS0ZX+0MxW9n58E16aHP
-ByNMm3K4uCnhvy8lX21/kZvlIIHtTfrjpY4pKET5vrpqYvNi5S9FH0fG1F7UmRmq
-+qNYX2MSoOK0IkxMbG8dsbYRBDITqgpdqGaT8b2yPdyOlUNu2P/Ao892hRiRdGqU
-bplIotAPid63+6rfX6pRw+zx/7QATDp+AZsBw+KHjpboF6smRcohH+BKVatr5sxC
-6fNQIkZZ0AGkXvfP4cbBX2JK/WxM37VUhsuXnLgamRu9dsZtfLxMNxuL5EBYhPM1
-3VSzpzR3dKuxXZA9VllxJOVaMWl2mOFlAlJsXMcM2AkxTPUdHym7RntiWhz3UQ1H
-/tp/LddV6DqSVff0Q3qopZVuocQm1YDl6omFxfrGhoY7vxmGZrGZ79SC+TXmKKxn
-uxzM2s+uAzrmeZcPV4h6FrOMPMtIypUnXqUKMdtJXHlP7dw2DynxOeidAM5XHVGD
-LUKZyeL/U1PFAWxhxJhbZqGWK22oT94DQGl2wYDR7WU
-> piv-p256 grR75w AjdWi5E2CDMoTeXhua6CDa1T69jZYCZtDVzYqIip8SPG
-VxA4E27nD9omkx33BcdnC7CFUIKjYJhYcn3+ZhXoYgc
-> piv-p256 RQguQQ A66b5yIOS6X1KpBwwSIt6/0kscRCijqp7C5OdZzyVFC0
-G3EuJyFbhulryG3e5mtdjcYH8rRWOezcItF9Cy+IL+s
-> V-grease !w
-oBULpqmsbh+nnxtU7v1Iqj9RSLvwVgGau5ZHTN0daUOqcMLOHJ1L4FNUqLS8Gq8s
-yABHEWs+qsE6mfRikZEkVfVxRhHT/sfBuEDAmE7Y+W273SA
--- XeiNeiAn+Szcr8/NGWxhBJ7HUU5lWPdcKBo4+7/hTqY
-ﾓｾ<EFBFBD>M<EFBFBD>ﾊ#ﾐ澀lｧ	U43Bl	/<2F><6i9Srﾏ88<38>
+F/OrwpSkP/jCHEmodbTFC8KCklgjl8CJ8R2xbtdEofrs24vf8s5ELRvj3fwNb2B8
+qv3h5ZV09Xe/eifPYyE63/U7bUqnZ/ub+CNv3A24Jn1VSiXRxok9MLFaNfmrLxNO
+72hKvKQmg8DSEoxLnYwM5dPBxC8X2Q+yJ8o/9yGWpRBpSxLA9NESvllen37cJ3PS
+5bcIPVm32xVHWbJ9WRqOOwZRLQCJvuNUFoYQgWxc1CYhbSSlGi8wPhV5tn+TEfyS
+KnfuhAUUhOmx9a/GjBJQLn5xJyYrghAg2pfVcog9wsJzozeU+FnkwEjlg51lS0o2
+WkfyYVASJFylKbFLyLx8datN9UA4H8QDAqyCfuKWHOLZVxctl0ebxSf/1HN0zi0i
+jNY312WQ8vxAp1qU29FznHch0+lVsIO405ZQVA/hUV3evG3GsM6oprQALRaVLNi5
+DCZb2JbJTZS5RUVOsickdM3Nrn6Ney5e7N1oup/QIZBYrx3tamgrrH93SIsSCXh8
+MTJCUclQVWZTVmtDqIC0Qqig6dK8mIoMCYKWk23sduDS8/O7SsynmPbtygoI0bIK
+QVE+ktNbbD8ow4yBms/gGWJz0brM95TDoXsE5me6lbkhkRZwdYnJJP074cbZmOQi
+IpEt1H7vLxvQH/ucqlVTinSIyg9IS2Cws/FLKSmOY6g
+-> piv-p256 grR75w Ar7XlPFZhFXD7EGVV1qpgatYzXtxv+iW4K7j+j51A4Ff
+BgL570FWX3jzf1IMQtETYbdy6GSipYv7nFugSO8OypM
+-> piv-p256 RQguQQ AxSpkZbv//1jfTX6M2IlSpLJTmmdkzUOBAvC3RjGIfWr
+qJrDWnxNsrdgJ5WEIEjUAxZavktd6OB14d75fAARC/c
+-> ;2:g1-grease ^fnN2 ^dvdl ]6Q^`
+
+--- iHDyRW0hc6S1eq54cBN1MrDJEKzVKl9PEMtw+v1kIgI
+Ű’CĆ®Ť_;hÁ0‡•@”.Bđdđˇ"żű<C5BC>*Űbt}S’'V
F•3Ďt
--- a/secrets/services/nextcloud/dbpassFile.age
+++ b/secrets/services/nextcloud/dbpassFile.age
@ -1,23 +1,23 @@
 age-encryption.org/v1
-> ssh-ed25519 neExcQ QSnzAUi67z3/qQsAHp9fPxbuFDv6aZCG1z7tYlTCcBI
-Yqcvkenx+0FsPJaKbIL3kMrXhelekH5PndA8QUVofR4
+-> ssh-ed25519 neExcQ eRTtVIiKoO9AZQ9yRD4q9T/lVGSbdfS6ZgA51Ml6qXc
+w4f14e0CznYvbSUV9wH9WE4we2ZaThM1PwFrcG+6HkE
 -> ssh-rsa VtjGpQ
-S8z2t5QES+GiaY+aC09IpA4gyQddLLa8kY6zG9Yda9TECTAYkND05QwA+QwAS/QF
-O6cr4/jXaAFddz1PtGrVX6eL1nZKZHweSt9zmH7zjnKmtJN9ltPyzrmt7TYAkm1J
-Shw4O6PNGggRpsHx8YGnUZZzAhVKY9GmGR/dYg67uDEoPqcRJLCInRoDV42Pgsx9
-G0z+qJkzOn6WH/pQHHSWklJlLe3co7dKE0IFu81UMV60XyDxYhdSWCHQroLNrEM+
-aBD7CruvgfyXRvDcdlCQMHMz/9jbvPRQ1tYrooN8dnrHM7Eht8M45Q1/zn6YkEgw
-TmoRlD1ymoAh6Taxxb2CEcFar8mQPGlxDI7b8/QN6dyTDaJevt+fCpUc10AAAQEs
-5aV86DUX4fYZDTP2JUmGmd026nLfWLxstoAOThmOSAvcS+dFEmUaHCTYq9vyfbds
-/blAV6Nco9th23YWlEUlJSzcjtUX8fhBZqCm8RIOWsFeIuK+xzfqJ+HX3KERyZ4s
-5a1oXVEXJ0J2fzAMPwK1/fXFGezuIE+J4ck0mlPAGKdsqEK2I1PmzhG91/2k9pVV
-6QtUQ5weOC4lppaB72ClYnWjslPlnkmLO2y5QlHQGRPIpKPrl8BEa/e1QssPuvoH
-vMkhjERtrcolB41YPmTQ5yAARbDUEXfX4DegCNAGBVY
-> piv-p256 grR75w AnIgXEWvwFlTTBSbhr6JgitRNbxbD8KgVY3pIECu/OV/
-su+kmQmrHfE6oDDLb66mSqyhOfdaQ9sdCFCMQN+PT/Y
-> piv-p256 RQguQQ AiQNSkHb9OUEjyzsixyr8bcL2BldWZqhBHArs8V4MW/m
-Q6M/F9EnaQvw7U37gw74WEWKz8zTum6ItzRkWYJibrs
-> 2#!RA#-grease ; <K &L M%?]C=k
-VDGyfy7y8i12A2hs8fSKKIs
--- tY/xBbBKiJ07CvmaqLL4twwTHLB3kDKk4aE5O/qdAQI
-Òžj
#˜IF:‚r<72>%ðt?í¬és<{^¬³ã6ÌtÞÃÚëØŒ ÈaQñeÏÜý}×Eï´N”
+mZxOedvPF5L7aw7JjqAAUNfvjcHrl6w/75qkOgCXzcZh3EzcG+IuIUE8kYwBt/I/
+GxCb3/97fPt1sJfvosytyD0tlv2+Jw+N+PHHroYaoWEGnYbG1YFDuvnRu4viJXyi
+1DEVT50mn9SrBW3fKGRqajoSkeCMCn6QmVC07/ULB5GnxU2Pn8LspgV7CLOuCPOK
+PtBYJFOmP/HqgX6YNo3hQ2YzQMeqXepRhD/ph/o53j5FdVBznR1LCcjKm7/XyyCp
+VLp+J+7tjlIDoby/3OoDTEs5hq0+TXa/GbR4Lka80YJOeHcmR/YTD4ZZTo+Ia1cV
+/DZU08WqvF22Cl3hIpeEH6pzmsQOrMhuKrAOHb0pZV5WdToL9BAHqMljSdVWRnjs
+6w1eLs1zaFTMuW0p+1oWsENrnP3ZrmTZFgBt2Mh6caz8J8gIcVnwoHiNnb7YqHL+
+3eljflFx0RFuZT0ElRChleex4CpVaYMyJK4A48w7ZCyozZU5Bw3zB75zBhC175RU
+mk+nYdgZk9N3RaGq1LPmvQyT+MlPm7mNm8i890waKAt5/aHRJWm93rR8U6pdDvoo
+m/Tvy2GUsijPKf0aslQbythORklVbd8oCdAEriVytTvMBgVVFILELZgfkC1Xshus
+fOshVaW6SzzjFo05bMag+Jy0xvssNsAtYXASNpppU1Y
+-> piv-p256 grR75w AplHuSHuZrF5Css3ni2ERR1BzgwXyRJvx6IYTfGlyqwN
+cSdgdziCAqF0g+md3SccEYdXr2ToWjkgFsgELD1+9ok
+-> piv-p256 RQguQQ ArMD6UvO+SpTynXaYhu0/R3wv9vr+H9ItjJ6745tCldl
+V1+uCejnDgUA6Nul0Ep6p9ZfmxTWxPQI+FCAXpjvDoQ
+-> )-grease
+GkM9VaOPQsWVdWXolVrlPay6CQ
+--- 73KeTR/c+AeTO+DQo7gjDD0QIen4hYCcnPG6b3hlUQg
+WťšuµeKpç”éŽ>•f©·Ő–âĺÇMŇ iAŤZ”ŐŁ/ľ:…â·Ď«Axm2¶Ňś)˛©S…B
--- a/secrets/services/postgresql/initScript.age
+++ b/secrets/services/postgresql/initScript.age
--- a/secrets/services/woodpecker/environment.age
+++ b/secrets/services/woodpecker/environment.age