merge: cube host

chore: wire up sops for cube
feat: add cube hardware configuration
2026-03-30 01:03:10 +02:00 · 2026-03-30 01:01:41 +02:00 · 2026-03-30 00:59:37 +02:00 · 2026-03-30 00:59:20 +02:00
7 changed files with 5 additions and 91 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,7 +5,7 @@ keys:
  - &tower age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65
  - &fw16 age19qj2aaryx869cvcqp77gs9x5hcv4dqjxunkmyre78upsxda6ss7s5vquz4
  - &floo age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl
-  - &cube age15cktenavt5v7zm84se36jtly740syca5nw8em8edx404n5x2ddws8jn29g
+  - &cube age1gqzdgnfl9d04pzg4dtwny3s4277jzpwqdck8wm7jenl30z00wslqrvy393

 creation_rules:
  # per-host secrets
--- a/features/remote-base.nix
+++ b/features/remote-base.nix
@@ -1,12 +0,0 @@
-{
-  nixos =
-    { config, user, ... }:
-    {
-      sops.secrets.user-password = {
-        sopsFile = ../secrets/common.yaml;
-        neededForUsers = true;
-      };
-
-      users.users.${user}.hashedPasswordFile = config.sops.secrets.user-password.path;
-    };
-}
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -81,7 +81,6 @@ in
        "localisation"
        "shell"
        "tailscale"
-        "remote-base"
      ];
    };

@@ -94,7 +93,6 @@ in
        "localisation"
        "shell"
        "tailscale"
-        "remote-base"
      ];
    };

--- a/hosts/floo/configuration.nix
+++ b/hosts/floo/configuration.nix
@@ -26,6 +26,8 @@
    };
  };

+  users.users.matej.hashedPassword = "$6$59Z5NIkOYZ3eSElX$FehMGGXQlC040G8eoO42JQDScb7hI04NbdVMAkKYKqVOLTO/.MJxfk8fHypQHrCdtAs67N1bnU2s5H/3zLWhC1";
+
  localisation = {
    timeZone = "Europe/Ljubljana";
    defaultLocale = "en_US.UTF-8";
--- a/hosts/iso/configuration.nix
+++ b/hosts/iso/configuration.nix
@@ -1,16 +1,10 @@
-{ lib, ... }:
-{
+_: {
  image.modules.iso-installer = {
    isoImage.squashfsCompression = "zstd -Xcompression-level 6";
  };

  # live iso: passwordless login and sudo
  users.users.matej.initialHashedPassword = "";
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQGLdINKzs+sEy62Pefng0bcedgU396+OryFgeH99/c janezicmatej"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDk00+Km03epQXQs+xEwwH3zcurACzkEH+kDOPBw6RQe openpgp:0xB095D449"
-  ];
-  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
  security.sudo.wheelNeedsPassword = false;

  system.stateVersion = "25.05";
--- a/15
+++ b/15
@@ -43,20 +43,7 @@ ephvm-ssh port="2222":

 # provision a host with nixos-anywhere
 provision host ip:
-    #!/usr/bin/env bash
-    set -euo pipefail
-    tmpdir=$(mktemp -d)
-    trap 'rm -rf "$tmpdir"' EXIT
-    install -d -m 755 "$tmpdir/etc/ssh"
-    ssh-keygen -t ed25519 -f "$tmpdir/etc/ssh/ssh_host_ed25519_key" -N ""
-    age_key=$(ssh-to-age < "$tmpdir/etc/ssh/ssh_host_ed25519_key.pub")
-    echo "age key: $age_key"
-    echo "add this key to .sops.yaml, re-encrypt secrets, then press enter to continue"
-    read -r
-    nix run github:nix-community/nixos-anywhere -- --no-reboot --flake .#{{host}} --extra-files "$tmpdir" --generate-hardware-config nixos-generate-config ./hosts/{{host}}/hardware-configuration.nix root@{{ip}}
-    echo "remove USB and press enter to reboot"
-    read -r
-    ssh root@{{ip}} reboot
+    nix run github:nix-community/nixos-anywhere -- --flake .#{{host}} --generate-hardware-config nixos-generate-config ./hosts/{{host}}/hardware-configuration.nix root@{{ip}}

 # deploy config to a remote host
 deploy host remote=host:
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@@ -1,55 +0,0 @@
-user-password: ENC[AES256_GCM,data:c7y3RZSikVS32w7RTY5nBSWxDWbwNI5FhLIEoXcru5lpCUu3YqKjHNm8eMI7oeAg1VQIW/1axv0LPHM+bb7wn7SSHy49EvGyda4AU8hdVnsO9gNBul9WQy9Q6RM1PR5vW+IbX1HBFPTTOQ==,iv:oNsDzDugNq2E1CJ89BCXZ/ieCGV+evOwsOuKlKsotBg=,tag:jU8g9fIgexw2bm3E+ow3wA==,type:str]
-sops:
-    age:
-        - recipient: age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOU9BTksxbXdjTkExRDJV
-            aFhVbUFGd1ZSeHFBL0lJRjdSRDRjcjl6ZEQ0Cjg2TFlNZENUWTh5aWNGck52TWFx
-            SC9LS0FrelFCWUI3RUZjdCs3cXF6aDQKLS0tIEwwTWkzOXgxUC9iTFgrQ0szRW8v
-            cGFMa2Rqd1VvWjU3Z2pUdExsdnJUT1EK9iQiW5qZszu65b0wEeq+9JnzzhiAS7fo
-            BmR9OWbDA4GZJBEPBJFD8KxIcO/BYFOjfW2A9PZaTsTpa50Z6+zWxw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age19qj2aaryx869cvcqp77gs9x5hcv4dqjxunkmyre78upsxda6ss7s5vquz4
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPczdWeTRxalA1M3R0S0Qr
-            eGdtZnJxaHllZ2lKMXJUZTN3VWhhTnU1TFRnCjM5OHoxMnEzKzdQelZEQ3ZZRFpt
-            aWRzaTg4dUc5OXpQUngrVmtSRkk1Q3MKLS0tIEZOd0FyMFRlRElWbjlHOVVkZlZP
-            eEhwRVRrcVgvQUx6bi85YWxDYjJZa28K7Hrk4fAqbjeYJfPJODvsth1p8JYbsfMf
-            a6gTckyeQWTNlE+1Tw6g18lvMP1dzIAYRPHtyzmxeCaETVMmSn7XxQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbUh0U1ZDc0ZOKzhxZ3Yv
-            ZHRwbzBIdVNsbEJmU0h4ZnpuTlNHSFdwRlQ0Ck1BREhlVFQ3bnVKajVlTGUzRjhN
-            cWpna25Ya1hoZG1ybFZ0REpCNTFTZmcKLS0tIG5ZQzNIWmd4a3J6YWxDQjYyY2px
-            Y085TkhubS9MSjJtMmZDakdZd2RhR3cKlGH906WAhXNDKwaWqHRoYO9bgiZau0ay
-            8ph3OLOVmrENPW3Othf17NDRet/nATFYZghBU/CI5CvZjr9n9SDYMg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age15cktenavt5v7zm84se36jtly740syca5nw8em8edx404n5x2ddws8jn29g
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRG5zRkxOT0RyeXVpTDJu
-            TSt2SFFtSlFrSTk1YUZBMnAxTEM3dnFnQkFrClA0cnVpMkdsQWxCakNEZm16OEVG
-            dHFIUDA3TDJLdytySEJJMSsrMGZHcTgKLS0tIHhvdWNXaUthbDJqMWVYeWxuOGpL
-            L0lEZ3FVbmlOcndGUXUybXA4RDA2alUKQo5ctVmARPNY0POf2Ft6AxjwIN1N06C7
-            ft4YX+B4D61tUZ+uvFqHzmKsNpvDdoV81zxvGnnCnv0nSXwNghPFxw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-29T23:11:10Z"
-    mac: ENC[AES256_GCM,data:XY5wElDn+YD4UHSIGd9Ru8ob39gJVE8VE5gqJJkmzF/xERXp7re/d/6RXxoYDgYS0qUnn8c2VFzJxCvakmV/lPLA8YulFk/ZDysEVn+U3CbfTIkjXcJzewJNz0N+hQKeVaCzPfWeB5oaGtB8bjxOg+GYz2TmSvEAT+kO1U/4Klg=,iv:QOlZ4O+eqvOS9/guc+RmWgVDgPzskb4WIlzyT/14MVM=,tag:ziJE9Yytlr680EpSnBGmdQ==,type:str]
-    pgp:
-        - created_at: "2026-03-29T23:25:01Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4DPaEEpDtHdk8SAQdAPlvxgVq9o2boPPXWWwV6X3TjHZEl3lm9OcOj7lbsQxsw
-            5PTrX1rIV73XbRQUdFlnoYpUAwxh3UPULyA4+19fvCooC3L0FxA8e4wTiAdw6SKE
-            0l4BImy4sTiM8hNHXqB6u4rj3LbykCjesQve5C3fut62RV8x4cqUJHAB/aumQINT
-            QRXErylKmqo3h7ReRrCm2oOELauv4JFKNPi/cTE0MNh1+w9JxjoASoBufozDOxe4
-            =vIK+
-            -----END PGP MESSAGE-----
-          fp: AF349EECC849D87B790E88FF6318FFB7DB374B7D
-    unencrypted_suffix: _unencrypted
-    version: 3.12.1
Author	SHA1	Message	Date
Matej Janežič	15d97fdd00	merge: cube host	2026-03-30 01:03:10 +02:00
Matej Janežič	84524d59d8	chore: wire up sops for cube	2026-03-30 01:01:41 +02:00
Matej Janežič	c423050077	feat: add cube hardware configuration	2026-03-30 00:59:37 +02:00
Matej Janežič	e3b8bf5e48	feat: prepare initial cube host	2026-03-30 00:59:20 +02:00