diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5f333b0..b2f208b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,11 +11,17 @@ jobs:
 - uses: actions/checkout@v3
 - uses: cachix/install-nix-action@v20
 with:
+ install_url: https://releases.nixos.org/nix/nix-2.19.1/install
 extra_nix_config: |
 accept-flake-config = true
 access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- - uses: cachix/cachix-action@v12
+ - uses: webfactory/ssh-agent@v0.8.0
 with:
- name: klarkc
- authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- - run: nix flake check
+ ssh-private-key: ${{ secrets.BUILDER_TOKEN }}
+ - uses: gacts/run-and-post-run@v1
+ with:
+ run: nix -v flake check -L --show-trace
+ post: |
+ mkdir -p ~/.ssh/ && touch ~/.ssh/known_hosts
+ ssh-keyscan cache.tcp4.me >> ~/.ssh/known_hosts
+ nix -v copy -s --all --to ssh://builder@cache.tcp4.me
diff --git a/flake.nix b/flake.nix
index a41c70e..1ee4b00 100644
--- a/flake.nix
+++ b/flake.nix
@@ -52,7 +52,8 @@
 inherit (setups.cache.machines) cache-vultr;
 };
- packages.${system} = {
+ packages.${system} = rec {
+ default = cache-vm;
 inherit (setups.recover.packages) recover-efi recover-vm;
 inherit (setups.cache.packages) cache-vm;
 };
@@ -65,12 +66,10 @@
 # Nix should ask for permission before using it,
 # but remove it here if you do not want it to.
 extra-substituters = [
- "https://klarkc.cachix.org?priority=99"
- "https://cache.nixos.org"
+ "https://cache.tcp4.me"
 ];
 extra-trusted-public-keys = [
- "klarkc.cachix.org-1:R+z+m4Cq0hMgfZ7AQ42WRpGuHJumLLx3k0XhwpNFq9U="
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "cache.tcp4.me:cmk2Iz81lQuX7FtTUcBgtqgI70E8p6SOamNAIcFDSew="
 ];
 };
 }
diff --git a/secrets/builder.pub b/secrets/builder.pub
new file mode 100644
index 0000000..4c982b6
--- /dev/null
+++ b/secrets/builder.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPSuuFCsXXHk6JYXZ+hIrZGjb3d4wwRPoks0mrMmidk klarkc@ssdinarch
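Review bot: The `post` step's `ssh-keyscan cache.tcp4.me >> ~/.ssh/known_hosts` accepts whatever host key is presented at push time, so the known_hosts entry it writes gives no assurance that the private key from `BUILDER_TOKEN` is authenticating to the real cache host rather than to something in the network path. The host's public key is already obtained out of band (the comment in setups/cache/default.nix copies it into secrets/cache-vultr.pub), so if that file is committed the step can write a pinned entry instead, e.g. `echo "cache.tcp4.me $(cat secrets/cache-vultr.pub)" >> ~/.ssh/known_hosts`, and drop the keyscan. As far as I can tell from the action's name, `post` also runs when `nix flake check` fails, and `nix copy --all` pushes every path in the runner's store rather than the flake's outputs, so the cache can receive paths from a failed run; restricting the copy to the checked outputs would narrow that. The two new actions are referenced by mutable tags (`@v0.8.0`, `@v1`); pinning them to commit SHAs would keep the job that handles the SSH secret from changing underneath you.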
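Review bot: The key string added to `extra-trusted-public-keys` is a second copy of secrets/cache.pub introduced in the same commit, and nothing keeps the two in sync when the cache key is rotated; reading the file, `(builtins.readFile ./secrets/cache.pub)`, would leave one source of truth, if nixConfig evaluation permits it (I believe it does for paths inside the flake, but verify). It is worth noting in the comment above the list that, because these are `extra-*` settings, removing the `cache.nixos.org` entries does not drop that substituter or its key — Nix's built-in defaults still supply them unless a consumer overrides `substituters`. The `rec` in the first hunk is only needed for `default = cache-vm;`; `default = self.packages.${system}.cache-vm;` would avoid making the whole set recursive, a matter of style only. The enclosing `outputs` attrset starts and ends outside both hunks.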
diff --git a/secrets/cache.age b/secrets/cache.age
index ab7db47..07a5da9 100644
Binary files a/secrets/cache.age and b/secrets/cache.age differ
diff --git a/secrets/cache.pub b/secrets/cache.pub
new file mode 100644
index 0000000..4421764
--- /dev/null
+++ b/secrets/cache.pub
@@ -0,0 +1 @@
+cache.tcp4.me:cmk2Iz81lQuX7FtTUcBgtqgI70E8p6SOamNAIcFDSew=
\ No newline at end of file
diff --git a/setups/cache/default.nix b/setups/cache/default.nix
index 93e760a..d7dbdbe 100644
--- a/setups/cache/default.nix
+++ b/setups/cache/default.nix
@@ -8,9 +8,6 @@ let
 domain = "cache.tcp4.me";
 home = "/home/klarkc";
 email = "walkerleite490@gmail.com";
- authorizedKeys.keys = [
- (builtins.readFile ../../secrets/klarkc.pub)
- ];
 cache-module = { disks ? [ "/dev/vda" ], config, ... }: {
 imports = [
@@ -19,9 +16,9 @@ let
 disko
 ];
 # cd secrets
- # nix-store --generate-binary-cache-key cache.tcp4.me ./cache ./cache.skey
- # cat cache | nix run github:ryantm/agenix -- -e cache.age -i cache-vultr.pub
+ # nix-store --generate-binary-cache-key cache.tcp4.me ./cache ./cache.pub
 # scp ssh://root@cache.tcp4.me:/etc/ssh/ssh_host_ed25519_key.pub cache-vultr.pub
+ # cat cache | nix run github:ryantm/agenix -- -e cache.age -i cache-vultr.pub
 age.secrets.cache.file = "${secrets}/cache.age";
 system.stateVersion = config.system.nixos.version;
 boot.loader.systemd-boot.enable = true;
@@ -30,6 +27,15 @@ let
 22
 config.services.nix-serve.port
 ];
+ # builders
+ nix.settings.trusted-users = [ "builder" ];
+ users.users.builder = {
+ home = "/home/builder";
+ isNormalUser = true;
+ openssh. authorizedKeys.keys = [
+ (builtins.readFile ../../secrets/builder.pub)
+ ];
+ };
 # cache service
 services.nix-serve = {
 enable = true;
@@ -41,7 +47,9 @@ let
 '';
 # SSH
 services.sshd.enable = true;
- users.users.root.openssh = { inherit authorizedKeys; };
+ users.users.root.openssh.authorizedKeys.keys = [
+ (builtins.readFile ../../secrets/klarkc.pub)
+ ];
 # beesd
 services.beesd.filesystems = {
 root = {
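Review bot: In the `@@ -30,6 +27,15 @@` hunk, putting `builder` in `nix.settings.trusted-users` lets that SSH identity import store paths the daemon would otherwise reject as unsigned, and the nix-serve configured just below then serves them signed with the cache key, so as far as I can tell the private half of secrets/builder.pub (the CI `BUILDER_TOKEN`) becomes equivalent to the cache signing key for every consumer of `cache.tcp4.me`. That is presumably the intended design, but the bare `# builders` comment should say so, e.g. `# builders: trusted-users lets this key push unsigned paths that nix-serve re-signs with the cache key, so its private half must be guarded like cache.age`. Since the account exists only to receive `nix copy`, consider a `restrict`/forced-command option on the authorized key so the login cannot be used for anything else, and check whether `isNormalUser = true` (which gives it a login shell and home) is needed. The stray space in `openssh. authorizedKeys.keys` looks accidental; if it evaluates it is harmless, but `openssh.authorizedKeys.keys` matches the root entry in the last hunk. The enclosing `cache-module` attrset starts and ends outside this hunk.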