From 3ceb74923940de5be39e0ad91c1aec0873ea28d6 Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Sun, 7 Dec 2025 21:50:44 -0800 Subject: [PATCH 01/21] Start testing k3s --- hosts/cap-clust-01/configuration.nix | 3 +++ hosts/cap-clust-02/configuration.nix | 3 +++ hosts/cap-clust-03/configuration.nix | 3 +++ modules/application-groups/k3s-primary.nix | 9 +++++++++ modules/application-groups/k3s-secondary.nix | 9 +++++++++ modules/application-groups/system-utilities.nix | 1 + 6 files changed, 28 insertions(+) create mode 100644 modules/application-groups/k3s-primary.nix create mode 100644 modules/application-groups/k3s-secondary.nix diff --git a/hosts/cap-clust-01/configuration.nix b/hosts/cap-clust-01/configuration.nix index 628d33b..9148a2e 100644 --- a/hosts/cap-clust-01/configuration.nix +++ b/hosts/cap-clust-01/configuration.nix @@ -6,6 +6,9 @@ # Host Groups ../../modules/host-groups/cluster.nix + + # Application Groups + ../../modules/application-groups/k3s-primary.nix ]; networking.hostName = "cap-clust-01"; diff --git a/hosts/cap-clust-02/configuration.nix b/hosts/cap-clust-02/configuration.nix index 6b30a45..502faee 100644 --- a/hosts/cap-clust-02/configuration.nix +++ b/hosts/cap-clust-02/configuration.nix @@ -6,6 +6,9 @@ # Host Groups ../../modules/host-groups/cluster.nix + + # Application Groups + ../../modules/application-groups/k3s-secondary.nix ]; networking.hostName = "cap-clust-02"; diff --git a/hosts/cap-clust-03/configuration.nix b/hosts/cap-clust-03/configuration.nix index 837686d..73c05d3 100644 --- a/hosts/cap-clust-03/configuration.nix +++ b/hosts/cap-clust-03/configuration.nix @@ -6,6 +6,9 @@ # Host Groups ../../modules/host-groups/cluster.nix + + # Application Groups + ../../modules/application-groups/k3s-primary.nix ]; networking.hostName = "cap-clust-03"; diff --git a/modules/application-groups/k3s-primary.nix b/modules/application-groups/k3s-primary.nix new file mode 100644 index 0000000..eb38d46 --- /dev/null 
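Review bot: cap-clust-03 imports k3s-primary.nix, the same module cap-clust-01 uses, so both nodes get `clusterInit = true` with no `serverAddr` and each will bootstrap its own single-node cluster instead of cap-clust-03 joining cap-clust-01. Unless a second independent cluster is intended, cap-clust-03 should import `../../modules/application-groups/k3s-secondary.nix` as cap-clust-02 does, and a comment in the host file should say which node is the initial server. The enclosing `imports` list starts before this hunk.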
+++ b/modules/application-groups/k3s-primary.nix @@ -0,0 +1,9 @@ +{ config, pkgs, ... }: +{ + services.k3s = { + enable = true; + role = "server"; + token = "forinitialtestingonly"; + clusterInit = true; + }; +} diff --git a/modules/application-groups/k3s-secondary.nix b/modules/application-groups/k3s-secondary.nix new file mode 100644 index 0000000..89f2b72 --- /dev/null +++ b/modules/application-groups/k3s-secondary.nix @@ -0,0 +1,9 @@ +{ config, pkgs, ... }: +{ + services.k3s = { + enable = true; + role = "server"; # Or "agent" for worker only nodes + token = "forinitialtestingonly"; + serverAddr = "https://cap-clust-01:6443"; + }; +} diff --git a/modules/application-groups/system-utilities.nix b/modules/application-groups/system-utilities.nix index 806474c..4db16ab 100644 --- a/modules/application-groups/system-utilities.nix +++ b/modules/application-groups/system-utilities.nix @@ -32,6 +32,7 @@ imagemagick iotop jq + k3s kdePackages.qt6ct killall kitty From 80e3eccd3233a092cdab8300b80873d979bac5bf Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Wed, 10 Dec 2025 10:17:47 -0800 Subject: [PATCH 02/21] Small webcam privacy warning for laptop --- users/caperren/dotfiles/hyprland/cap-slim7/hyprland.conf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/users/caperren/dotfiles/hyprland/cap-slim7/hyprland.conf b/users/caperren/dotfiles/hyprland/cap-slim7/hyprland.conf index 0e746fb..be138f4 100644 --- a/users/caperren/dotfiles/hyprland/cap-slim7/hyprland.conf +++ b/users/caperren/dotfiles/hyprland/cap-slim7/hyprland.conf @@ -6,4 +6,7 @@ source = ~/.config/hypr/hyprland-common.conf # Application launch exec-once = brightnessctl -sd platform::kbd_backlight set 1 -exec-once = brightnessctl -s set 30% \ No newline at end of file +exec-once = brightnessctl -s set 30% + +# Privacy +exec-once = sleep 10 && ls /dev/video1 &> /dev/null && notify-send "Laptop Webcam Enabled" "Please disable if not being used." -t 20000 \ No newline at end of file 
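Review bot: `token = "forinitialtestingonly";` in k3s-primary.nix and k3s-secondary.nix commits the cluster join credential as a plain string, and the nixpkgs `services.k3s.token` option is documented as ending up world-readable in the Nix store, so the value is exposed both in git history and on every host that evaluates the module. Prefer `tokenFile` pointing at a root-only file delivered outside the repository (patch 05 of this series moves to a sops-managed `tokenFile`). Because this literal is already in history, generate a fresh token for the real cluster rather than re-encrypting this one. In the secondary module, `serverAddr = "https://cap-clust-01:6443"` is a bare hostname, so joining depends on that name resolving on each node; a one-line comment to that effect next to `serverAddr` would help.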
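Review bot: the new `exec-once` line relies on `&>`, a bash-only redirection; if Hyprland hands the command to a POSIX `sh`, `ls /dev/video1 &` is parsed as a background job and the remaining `> /dev/null && notify-send …` runs unconditionally, so the privacy notice fires even when no camera is present. `test -e` needs no redirection and is portable: `exec-once = sleep 10 && test -e /dev/video1 && notify-send "Laptop Webcam Enabled" "Please disable if not being used." -t 20000`. Note the check is a single probe 10 s after login keyed on a fixed device index, so a camera that appears later or enumerates as a different `/dev/videoN` is not reported; if that is acceptable, a comment saying so would prevent the line being read as a monitor. The file still ends without a trailing newline.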
From 8681caca01574f3c5fc5111e76ce536ec8dc9215 Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Wed, 10 Dec 2025 10:37:04 -0800 Subject: [PATCH 03/21] Some comments --- users/caperren/dotfiles/kanshi/cap-slim7/config | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/users/caperren/dotfiles/kanshi/cap-slim7/config b/users/caperren/dotfiles/kanshi/cap-slim7/config index 64359a7..c5ca0bf 100644 --- a/users/caperren/dotfiles/kanshi/cap-slim7/config +++ b/users/caperren/dotfiles/kanshi/cap-slim7/config @@ -5,16 +5,17 @@ profile builtin_only { } profile bedroom_desk { - # Top left to right + ##### Top left to right output "Dell Inc. DELL P2411H F8NDP11G0DVU" enable position 0,1280 output "Acer Technologies CB292CU 2217018D42410" enable position 1920,0 transform 90 output "Dell Inc. DELL P2411H F8NDP097114U" enable position 3000,1280 - # Bottom left to right + ##### Bottom left to right output "Aculab Ltd Digital Unknown" enable transform 270 position 0,2360 + # Primary monitor, which wayland doesn't have a concept of output "Hewlett Packard HP Z27n CNK7311DRR" enable position 1440,2560 output "Aculab Ltd QHD270 Unknown" enable transform 90 position 4000,2360 - # Far bottom right (laptop itself) + ##### Far bottom right (laptop itself) output "BOE 0x0A9B Unknown" enable position 5440,2360 adaptive_sync on } From c3607552536d58e9024238c86c8dd8682a4cac5c Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Thu, 11 Dec 2025 17:15:41 -0800 Subject: [PATCH 04/21] Add mesa-demos for glx testing, tweak to streamdeck for btop --- modules/application-groups/system-utilities.nix | 1 + users/caperren/dotfiles/streamdeck/.streamdeck_ui.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/application-groups/system-utilities.nix b/modules/application-groups/system-utilities.nix index 4db16ab..dc2f0fc 100644 --- a/modules/application-groups/system-utilities.nix +++ b/modules/application-groups/system-utilities.nix 
@@ -38,6 +38,7 @@ kitty swappy lf + mesa-demos minicom ncdu networkmanager diff --git a/users/caperren/dotfiles/streamdeck/.streamdeck_ui.json b/users/caperren/dotfiles/streamdeck/.streamdeck_ui.json index 9aee6d7..4f098b3 100644 --- a/users/caperren/dotfiles/streamdeck/.streamdeck_ui.json +++ b/users/caperren/dotfiles/streamdeck/.streamdeck_ui.json @@ -179,7 +179,7 @@ "icon": "/home/caperren/.config/streamdeck-ui/icons/btop-logo.png", "keys": "", "write": "", - "command": "bash -c \"kitty --single-instance --detach bash -c 'kitten @ launch --type=window --title btop btop ; kitten @ launch --type=window --title nvtop nvtop'\"", + "command": "kitty -e btop", "brightness_change": 0, "switch_page": 0, "switch_state": 0, From 353135a2d909e30ee3435811f9872d88f74d635f Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Sat, 13 Dec 2025 01:55:25 -0800 Subject: [PATCH 05/21] Initial keys, and basic token file for sops cluster testing --- .sops.yaml | 36 ++++++++++++++++++++++ flake.nix | 19 +++++++++++- modules/application-groups/k3s-primary.nix | 4 ++- modules/system/home-manager-settings.nix | 11 ++++--- modules/system/security.nix | 7 +++++ secrets/cluster.yaml | 16 ++++++++++ 6 files changed, 87 insertions(+), 6 deletions(-) create mode 100644 .sops.yaml create mode 100644 secrets/cluster.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..7ecb3e8 --- /dev/null +++ b/.sops.yaml 
@@ -0,0 +1,36 @@ +keys: + - &admin_users: + - &caperren age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648 + - &systems: + - &caperren_personal: + - &cap_slim7 age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d + - &cap_nr200p age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390 + - &cluster_systems: + - &cap_clust_01 age1649y4antwgfe4fu02eppnx5gr0yc3g4lj4kwd6v9guxgxgj06y9qk7l4wl + - &cap_clust_02 age1k085uuy4fv9rfpy0ne6zl9fq0j05a4fykqe26psx2ngxqrcxcu5sksxa9u + - &cap_clust_03 age1tpeqfhc4n7swpgzx6qfdfxanx0uqh7nksr7eksnvjea70n8vaf5sntxu2l + - &cap_clust_04 age1pux20jlyzdexztdmm3lelzn2mslxhuahae4wjy74hkxfytslsfpqj708e2 + - &cap_clust_05 age1f5039syajzz75s9lkdzwnv2dsvlcp69puuaucgwt05sqjdl7hels25nsfr + - &cap_clust_06 age19m6f3xtkdf3gwxqxgp9w9gyla4hk24f85l2tyjx6dxu0akzux3cs657dhz + - &cap_clust_07 age1en6vdtxspam9s3nmsyfrcrxzrzu4t9v72ztqyekpzsc35rd06a2sza7ehw + - &cap_clust_08 age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r + - &cap_clust_09 age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp +creation_rules: + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *caperren + - *cap_slim7 + - *cap_nr200p + - path_regex: secrets/cluster.yaml + key_groups: + - age: + - *cap_clust_01 + - *cap_clust_02 + - *cap_clust_03 + - *cap_clust_04 + - *cap_clust_05 + - *cap_clust_06 + - *cap_clust_07 + - *cap_clust_08 + - *cap_clust_09 \ No newline at end of file diff --git a/flake.nix b/flake.nix index deb9953..04e5e61 100644 --- a/flake.nix +++ b/flake.nix @@ -5,8 +5,13 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + home-manager = { - url = "github:nix-community/home-manager"; + url = "github:nix-community/home-manager/release-25.11"; inputs.nixpkgs.follows = "nixpkgs"; }; }; 
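Review bot: sops uses the first `creation_rules` entry whose `path_regex` matches, and `secrets/[^/]+\.(yaml|json|env|ini)$` already matches secrets/cluster.yaml, so the dedicated `secrets/cluster.yaml` rule below it is never applied and the cluster hosts are not recipients of that file; the committed secrets/cluster.yaml in this patch carries only the caperren recipient, and the `sops updatekeys` in patch 12 adds the slim7/nr200p keys rather than the cluster keys, which is consistent with the generic rule winning. Put the specific rule first and anchor it, `- path_regex: secrets/cluster\.yaml$`, then rerun `sops updatekeys` (patch 15 eventually reorders the rules). Separately, the group anchors such as `&admin_users:` include the trailing colon in the anchor name and are never referenced, so plain comments (`# admin users`) would be clearer than unused anchors. The file also lacks a trailing newline.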
@@ -15,6 +20,7 @@ { self, nixpkgs, + sops-nix, home-manager, nixos-hardware, ... @@ -24,6 +30,7 @@ system = "x86_64-linux"; modules = [ ./hosts/cap-clust-01/configuration.nix + sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ]; }; @@ -31,6 +38,7 @@ system = "x86_64-linux"; modules = [ ./hosts/cap-clust-02/configuration.nix + sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ]; }; @@ -38,6 +46,7 @@ system = "x86_64-linux"; modules = [ ./hosts/cap-clust-03/configuration.nix + sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ]; }; @@ -45,6 +54,7 @@ system = "x86_64-linux"; modules = [ ./hosts/cap-clust-04/configuration.nix + sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ]; }; @@ -52,6 +62,7 @@ system = "x86_64-linux"; modules = [ ./hosts/cap-clust-05/configuration.nix + sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ]; }; @@ -59,6 +70,7 @@ system = "x86_64-linux"; modules = [ ./hosts/cap-clust-06/configuration.nix + sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ]; }; @@ -66,6 +78,7 @@ system = "x86_64-linux"; modules = [ ./hosts/cap-clust-07/configuration.nix + sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ]; }; @@ -73,6 +86,7 @@ system = "x86_64-linux"; modules = [ ./hosts/cap-clust-08/configuration.nix + sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ]; }; @@ -80,6 +94,7 @@ system = "x86_64-linux"; modules = [ ./hosts/cap-clust-09/configuration.nix + sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ]; }; @@ -91,6 +106,7 @@ }; modules = [ ./hosts/cap-slim7/configuration.nix + sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default nixos-hardware.nixosModules.lenovo-legion-16arha7 ]; @@ -100,6 +116,7 @@ system = "x86_64-linux"; modules = [ ./hosts/cap-nr200p/configuration.nix + sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ]; }; 
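Review bot: `sops-nix.nixosModules.sops` is now repeated verbatim in each of the eleven `nixosConfigurations` entries, and sits next to `inputs.home-manager.nixosModules.default`, so two ways of reaching flake inputs (destructured name vs `inputs.`) are mixed in every list. A single shared list in a `let`, e.g. `commonModules = [ sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ];`, used as `modules = commonModules ++ [ ./hosts/cap-clust-01/configuration.nix ];`, would make the next shared module a one-line change. The `nixosConfigurations` attribute set begins before the first hunk shown here.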
diff --git a/modules/application-groups/k3s-primary.nix b/modules/application-groups/k3s-primary.nix index eb38d46..1cb94fb 100644 --- a/modules/application-groups/k3s-primary.nix +++ b/modules/application-groups/k3s-primary.nix @@ -1,9 +1,11 @@ { config, pkgs, ... }: { + sops.secrets.k3s_token.sopsFile = secrets/cluster.yaml; + services.k3s = { enable = true; role = "server"; - token = "forinitialtestingonly"; + tokenFile = config.sops.secrets.k3s_token.path; clusterInit = true; }; } diff --git a/modules/system/home-manager-settings.nix b/modules/system/home-manager-settings.nix index cdad9dc..b4e08d1 100644 --- a/modules/system/home-manager-settings.nix +++ b/modules/system/home-manager-settings.nix @@ -1,5 +1,8 @@ -{ config, pkgs, ... }: +{ inputs, ... }: { - home-manager.useGlobalPkgs = true; - home-manager.backupFileExtension = "bkp"; -} \ No newline at end of file + home-manager.useGlobalPkgs = true; + home-manager.backupFileExtension = "bkp"; + home-manager.sharedModules = [ + inputs.sops-nix.homeManagerModules.sops + ]; +} diff --git a/modules/system/security.nix b/modules/system/security.nix index 4dbec27..69287ee 100644 --- a/modules/system/security.nix +++ b/modules/system/security.nix @@ -1,5 +1,12 @@ { pkgs, config, ... }: { + environment.systemPackages = with pkgs; [ + sops + age + ]; + + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + security.sudo = { enable = true; extraRules = [ diff --git a/secrets/cluster.yaml b/secrets/cluster.yaml new file mode 100644 index 0000000..09ebec6 --- /dev/null +++ b/secrets/cluster.yaml 
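Review bot: `sops.secrets.k3s_token.sopsFile = secrets/cluster.yaml;` is a Nix path literal, which resolves relative to this module's own directory, so it points at modules/application-groups/secrets/cluster.yaml rather than the repository's secrets/cluster.yaml and evaluation fails on the missing path. The correct literal from this file is `../../secrets/cluster.yaml` (patches 09–10 of the series arrive at this). A brief comment that sops-nix writes the decrypted token as a root-only file and that k3s is expected to read it as root would document why no `owner`/`mode` is set on the secret — confirm that assumption against the k3s unit.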
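Review bot: changing the module arguments to `{ inputs, ... }` makes evaluation depend on `inputs` being passed via `specialArgs` for every `nixosSystem` in flake.nix, which this series does not show being set; if it is absent the module fails with a missing-argument error, and the back-and-forth in patches 06–08 suggests this is where things broke. Either pass `specialArgs = { inherit inputs; };` in each host entry, or add `inputs.sops-nix.homeManagerModules.sops` to `home-manager.sharedModules` from flake.nix itself, where `inputs` is already in scope.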
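Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` makes each host's SSH host key its secrets-decryption identity, so secret access is tied to whatever can read that key, and a reinstall or host-key rotation silently breaks decryption until `.sops.yaml` is updated and `sops updatekeys` is rerun; a comment stating that coupling next to the line, e.g. `# host SSH key doubles as the age identity; re-key secrets after any host-key change`, would save the next debugging session. The `sops` and `age` CLIs are only needed where secrets are edited, so adding them to `environment.systemPackages` for every host that imports security.nix is broader than required — acceptable, but worth a `# editing tools` comment or a move to the admin workstation configs.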
@@ -0,0 +1,16 @@ +k3s_token: ENC[AES256_GCM,data:UANQ7DzasppB8ZPtGY9wR9lhU+VpTjJE,iv:cvEiUt7zG4Joyd1gkaqi848ES7aPf7VoYc4zDwLKEDQ=,tag:j4EU/srhEL0+nQGhETuerA==,type:str] +sops: + age: + - recipient: age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWHRDVXoxTVR2ZzdyUmU3 + OUI3cEk1WjE4TnpvM2o5VFFwbGNwTUVBTHhZCjFmZWVZUEc1Yk5ySDB1NEo0Qzkr + RHBxZmJEWnc5UGhRcVN4ZmIyWnhWR1kKLS0tIHh0MERwT1pOdDRkd2hzMEJTQWVz + YXE5dGd5bGZUd3BGQTNlaG1NcjJ4MXMKch4iIZaw+AL8zEgmFbbb8MElDDnbkOXO + gaxvpCqj5Eb4A2wkZAhdVE1o1LzNUcOTH2xZdb99wtwxORPUtC08dQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-13T09:05:22Z" + mac: ENC[AES256_GCM,data:Jg/J4ulZtAI7Kfeb8/ccmG3hV+2TF/5kTcwNRr6llVORVBZ0cGeJz5TvhqwHsSf3TRwgzS50RHWtbJ//TadWrYbf+EInV92mT+ybVO/p6ek0jiqRV9Kto697YnjjtMG1uJcIazWhShT4UTg6PNlAtRzBA3759tnw2aj0hCNH9QE=,iv:hu1m3GdLiwyVZDrlh/p63hGCaJgXIHuVnxzPKskj9Io=,tag:NW+d9m+eTgkb9Uea5aurSw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 From c65056be552b5326f4f97fb47db24f62be47c81b Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Sat, 13 Dec 2025 01:59:07 -0800 Subject: [PATCH 06/21] Import config for home manager settings --- modules/system/home-manager-settings.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/system/home-manager-settings.nix b/modules/system/home-manager-settings.nix index b4e08d1..d3b570a 100644 --- a/modules/system/home-manager-settings.nix +++ b/modules/system/home-manager-settings.nix @@ -1,4 +1,4 @@ -{ inputs, ... }: +{ config, inputs, ... }: { home-manager.useGlobalPkgs = true; home-manager.backupFileExtension = "bkp"; From 2b77870bdac91e344800bb51526e0039f7356131 Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Sat, 13 Dec 2025 02:05:26 -0800 Subject: [PATCH 07/21] Add config import --- modules/system/home-manager-settings.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/system/home-manager-settings.nix b/modules/system/home-manager-settings.nix index d3b570a..b4e08d1 100644 --- a/modules/system/home-manager-settings.nix +++ b/modules/system/home-manager-settings.nix @@ -1,4 +1,4 @@ -{ config, inputs, ... }: +{ inputs, ... }: { home-manager.useGlobalPkgs = true; home-manager.backupFileExtension = "bkp"; From 71b9956ecdeb7270fef80bdd18219b07ee740040 Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Sat, 13 Dec 2025 02:17:15 -0800 Subject: [PATCH 08/21] Remove home manager sops for now --- modules/host-groups/cluster.nix | 2 ++ modules/system/home-manager-settings.nix | 3 --- modules/system/security.nix | 2 -- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/modules/host-groups/cluster.nix b/modules/host-groups/cluster.nix index f827f4d..58e33a2 100644 --- a/modules/host-groups/cluster.nix +++ b/modules/host-groups/cluster.nix @@ -21,6 +21,8 @@ ../application-groups/system-utilities-cluster.nix ]; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + time.timeZone = "America/Los_Angeles"; # This value determines the NixOS release from which the default diff --git a/modules/system/home-manager-settings.nix b/modules/system/home-manager-settings.nix index b4e08d1..a1c70da 100644 --- a/modules/system/home-manager-settings.nix +++ b/modules/system/home-manager-settings.nix @@ -2,7 +2,4 @@ { home-manager.useGlobalPkgs = true; home-manager.backupFileExtension = "bkp"; - home-manager.sharedModules = [ - inputs.sops-nix.homeManagerModules.sops - ]; } diff --git a/modules/system/security.nix b/modules/system/security.nix index 69287ee..29f162f 100644 --- a/modules/system/security.nix +++ b/modules/system/security.nix @@ -5,8 +5,6 @@ age ]; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - security.sudo = { enable = true; extraRules = [ From 439d48d1bf5860185492151ee8e7d443577508ac Mon Sep 17 00:00:00 2001 
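Review bot: moving `sops.age.sshKeyPaths` from security.nix into the cluster host group leaves cap-slim7 and cap-nr200p, which `.sops.yaml` still lists as recipients, without a declared decryption identity; if either host ever declares a `sops.secrets.*` entry it will fail to decrypt. If the intent is that only cluster nodes consume secrets for now, a comment in cluster.nix saying so would make that explicit (patch 13 later moves the setting back to security.nix). home-manager-settings.nix also still takes `{ inputs, ... }` although nothing in it uses `inputs` after this change.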
From: Corwin Perren Date: Sat, 13 Dec 2025 02:19:41 -0800 Subject: [PATCH 09/21] Absolute secrets path --- modules/application-groups/k3s-primary.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/application-groups/k3s-primary.nix b/modules/application-groups/k3s-primary.nix index 1cb94fb..c2f9567 100644 --- a/modules/application-groups/k3s-primary.nix +++ b/modules/application-groups/k3s-primary.nix @@ -1,6 +1,6 @@ { config, pkgs, ... }: { - sops.secrets.k3s_token.sopsFile = secrets/cluster.yaml; + sops.secrets.k3s_token.sopsFile = /etc/nixos/secrets/cluster.yaml; services.k3s = { enable = true; From 154a177a51e2007d7a2f3158a51840d458b463db Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Sat, 13 Dec 2025 02:21:29 -0800 Subject: [PATCH 10/21] Huh, guess it has to be relative --- modules/application-groups/k3s-primary.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/application-groups/k3s-primary.nix b/modules/application-groups/k3s-primary.nix index c2f9567..dbef2ba 100644 --- a/modules/application-groups/k3s-primary.nix +++ b/modules/application-groups/k3s-primary.nix @@ -1,6 +1,6 @@ { config, pkgs, ... }: { - sops.secrets.k3s_token.sopsFile = /etc/nixos/secrets/cluster.yaml; + sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml; services.k3s = { enable = true; From 35c0153da99d3f8028305cafc8f1ea056de08e73 Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Sat, 13 Dec 2025 02:26:00 -0800 Subject: [PATCH 11/21] Temporarily remove git autorebuild --- modules/host-groups/cluster.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/host-groups/cluster.nix b/modules/host-groups/cluster.nix index 58e33a2..c6604ba 100644 --- a/modules/host-groups/cluster.nix +++ b/modules/host-groups/cluster.nix 
@@ -8,7 +8,7 @@ # System Configuration ../system/cpu-amd.nix ../system/fonts.nix - ../system/git-auto-rebuild.nix +# ../system/git-auto-rebuild.nix ../system/gpu-amd.nix ../system/home-manager-settings.nix ../system/internationalization.nix From 420513c859f886c72e5fbce2ddce66b0606cffec Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Sat, 13 Dec 2025 02:31:36 -0800 Subject: [PATCH 12/21] Had to run sops updatekeys to add new hosts --- secrets/cluster.yaml | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/secrets/cluster.yaml b/secrets/cluster.yaml index 09ebec6..d2b4a8d 100644 --- a/secrets/cluster.yaml +++ b/secrets/cluster.yaml 
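Review bot: the disabled `git-auto-rebuild.nix` import is left as a column-0 `#` line inside an indented `imports` list, which reads as a stray comment rather than a deliberately parked entry. Either delete the line — git history keeps it — or indent it and state the reason, e.g. `  # ../system/git-auto-rebuild.nix  # temporarily disabled`. The `imports` list starts before this hunk.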
@@ -4,11 +4,29 @@ sops: - recipient: age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWHRDVXoxTVR2ZzdyUmU3 - OUI3cEk1WjE4TnpvM2o5VFFwbGNwTUVBTHhZCjFmZWVZUEc1Yk5ySDB1NEo0Qzkr - RHBxZmJEWnc5UGhRcVN4ZmIyWnhWR1kKLS0tIHh0MERwT1pOdDRkd2hzMEJTQWVz - YXE5dGd5bGZUd3BGQTNlaG1NcjJ4MXMKch4iIZaw+AL8zEgmFbbb8MElDDnbkOXO - gaxvpCqj5Eb4A2wkZAhdVE1o1LzNUcOTH2xZdb99wtwxORPUtC08dQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOY3Uzb3BEUjJjRjR1Z1ZP + MWxtOVdzMmhDZDJ6WGNtSjF3VTEyT1l0UEVVCklmcldubUpvWCtmT0lMblVhMFlO + YTIvQ21HMzRBOGVsZ1daN0JrZTloblUKLS0tICtwcjFEZC84NG1EeXBLYU5DQ1dK + YlJBVkE4SUtNSEJDNFRLelZqcFl1blkKPVL+/e2GWR2dcvVRl/QaNQ5Bh++8KvjU + G7mzZ7pvw/clOniDp59ttGNBbtc+Ph0Eyh46bHoXjSN3uLRQ2qF5FA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrWERMUEZEbkZSN0tVTUZZ + SVA5SXB5NFF4a1R6UmdMRUIwQWRuOXM5TkRNCk9GOEF2Yi9OUVMwS1Z6a084NjhL + QzdLQU4zbmtZR093NE42bkc2eUFaQ28KLS0tIDJPU2NUT1IzMFZSczV3U2tDRXhM + NnhINWpQak4xTDczVmVnTU9NVzBNVWMK5HWwYmhViGAIuIYY7Om96ZpCG/fhDsD0 + zJ7XAvRJ4SJLwQ+4UoYk/6LQ56HE1JxTBRxKhi/UHMEO6zQs26mJBQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMnR0Q2JMajBYOEIwL3R6 + VHpPOTl1N2M0R3FnUUswOVZVbVhPeDBCSlRvCnZlMGVwemVyZUZxTElTY0VBTDNu + bWZRUEVHZ0VGS2xPTCt1RW9VZE5XZmcKLS0tIGllc2R1Y05NN0ZSbjdOOWFKcmcz + NXBWdXYzWjEwVXl5MW9lN2gwUnludFEKZzOcLZf3ONSKZ5s25PHai6J5OQUTm5Se + 8DJ9r/qq4LczD1kjc+2/BFsay1/myL3EkmL5oOZxQ2CjGdRrCeBikg== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-12-13T09:05:22Z" mac: 
ENC[AES256_GCM,data:Jg/J4ulZtAI7Kfeb8/ccmG3hV+2TF/5kTcwNRr6llVORVBZ0cGeJz5TvhqwHsSf3TRwgzS50RHWtbJ//TadWrYbf+EInV92mT+ybVO/p6ek0jiqRV9Kto697YnjjtMG1uJcIazWhShT4UTg6PNlAtRzBA3759tnw2aj0hCNH9QE=,iv:hu1m3GdLiwyVZDrlh/p63hGCaJgXIHuVnxzPKskj9Io=,tag:NW+d9m+eTgkb9Uea5aurSw==,type:str] From ade7bdd89215a02e69e2f7f8b752d7d91441f908 Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Sat, 13 Dec 2025 02:36:20 -0800 Subject: [PATCH 13/21] Add default.yaml for sops and set as such --- .sops.yaml | 21 ++++++++++++++++++--- modules/system/security.nix | 5 +++++ 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 7ecb3e8..d0a79f3 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -16,12 +16,27 @@ keys: - &cap_clust_08 age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r - &cap_clust_09 age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp creation_rules: + - path_regex: secrets/default.yaml + key_groups: + - age: + - *caperren + - *cap_slim7 + - *cap_nr200p + - *cap_clust_01 + - *cap_clust_02 + - *cap_clust_03 + - *cap_clust_04 + - *cap_clust_05 + - *cap_clust_06 + - *cap_clust_07 + - *cap_clust_08 + - *cap_clust_09 - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ key_groups: - age: - - *caperren - - *cap_slim7 - - *cap_nr200p + - *caperren + - *cap_slim7 + - *cap_nr200p - path_regex: secrets/cluster.yaml key_groups: - age: diff --git a/modules/system/security.nix b/modules/system/security.nix index 29f162f..a501dc2 100644 --- a/modules/system/security.nix +++ b/modules/system/security.nix @@ -4,6 +4,11 @@ sops age ]; + sops = { + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + + defaultSopsFile = ../../secrets/default.yaml; + }; security.sudo = { enable = true; From d40951b6a8044a6767d86b0e101707d2c7524a8f Mon Sep 17 00:00:00 2001 
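Review bot: the new `secrets/default.yaml` rule is placed first, but the generic `secrets/[^/]+\.(yaml|json|env|ini)$` rule still precedes the `secrets/cluster.yaml` rule, so cluster.yaml continues to be encrypted only to the caperren/slim7/nr200p keys and the cluster hosts still cannot read it; the specific rule needs to come before the generic one. The new regex is also unanchored — `secrets/default\.yaml$` avoids matching names that merely contain that substring. Since the default.yaml rule lists every host key, anything placed in default.yaml is decryptable by all nine cluster nodes and both workstations; a comment above the rule such as `# default.yaml: readable by every host, keep per-host secrets elsewhere` would record that least-privilege boundary.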
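Review bot: `defaultSopsFile = ../../secrets/default.yaml;` is a path literal to a file that is not in the tree at this commit (patch 14 adds it, empty), so evaluation fails on the missing path until then, and an empty file is presumably not a valid sops document either — secrets that fall back to the default file would fail until patch 15 fills it in. Committing the encrypted file in the same change as the option that references it keeps every commit buildable. A comment on `defaultSopsFile` noting that per-module `sopsFile` settings (as in k3s-primary.nix) override it would help readers.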
From: Corwin Perren Date: Sat, 13 Dec 2025 02:36:59 -0800 Subject: [PATCH 14/21] Actually commit default.yaml --- secrets/default.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 secrets/default.yaml diff --git a/secrets/default.yaml b/secrets/default.yaml new file mode 100644 index 0000000..e69de29 From a3837016aecd8efce411f83a967af85d1c0acca0 Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Sat, 13 Dec 2025 03:03:38 -0800 Subject: [PATCH 15/21] Fixed sops config --- .sops.yaml | 35 ++++---- hosts/cap-clust-01/configuration.nix | 2 + secrets/cluster.yaml | 111 ++++++++++++++++++++++---- secrets/default.yaml | 115 +++++++++++++++++++++++++++ 4 files changed, 232 insertions(+), 31 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index d0a79f3..25ae30a 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,10 +2,10 @@ keys: - &admin_users: - &caperren age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648 - &systems: - - &caperren_personal: + - &personal: - &cap_slim7 age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d - &cap_nr200p age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390 - - &cluster_systems: + - &cluster: - &cap_clust_01 age1649y4antwgfe4fu02eppnx5gr0yc3g4lj4kwd6v9guxgxgj06y9qk7l4wl - &cap_clust_02 age1k085uuy4fv9rfpy0ne6zl9fq0j05a4fykqe26psx2ngxqrcxcu5sksxa9u - &cap_clust_03 age1tpeqfhc4n7swpgzx6qfdfxanx0uqh7nksr7eksnvjea70n8vaf5sntxu2l @@ -16,7 +16,22 @@ keys: - &cap_clust_08 age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r - &cap_clust_09 age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp creation_rules: - - path_regex: secrets/default.yaml + - path_regex: secrets/default.yaml$ + key_groups: + - age: + - *caperren + - *cap_slim7 + - *cap_nr200p + - *cap_clust_01 + - *cap_clust_02 + - *cap_clust_03 + - *cap_clust_04 + - *cap_clust_05 + - *cap_clust_06 + - *cap_clust_07 + - *cap_clust_08 + - *cap_clust_09 + - path_regex: secrets/cluster.yaml$ key_groups: - age: - *caperren 
@@ -36,16 +51,4 @@ creation_rules: - age: - *caperren - *cap_slim7 - - *cap_nr200p - - path_regex: secrets/cluster.yaml - key_groups: - - age: - - *cap_clust_01 - - *cap_clust_02 - - *cap_clust_03 - - *cap_clust_04 - - *cap_clust_05 - - *cap_clust_06 - - *cap_clust_07 - - *cap_clust_08 - - *cap_clust_09 \ No newline at end of file + - *cap_nr200p \ No newline at end of file diff --git a/hosts/cap-clust-01/configuration.nix b/hosts/cap-clust-01/configuration.nix index 9148a2e..e3dad93 100644 --- a/hosts/cap-clust-01/configuration.nix +++ b/hosts/cap-clust-01/configuration.nix @@ -11,5 +11,7 @@ ../../modules/application-groups/k3s-primary.nix ]; +# sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml; + networking.hostName = "cap-clust-01"; } diff --git a/secrets/cluster.yaml b/secrets/cluster.yaml index d2b4a8d..f8cce39 100644 --- a/secrets/cluster.yaml +++ b/secrets/cluster.yaml 
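Review bot: after this rewrite the `secrets/default.yaml$` and `secrets/cluster.yaml$` rules carry the same twelve recipients, so the two files no longer differ in who can decrypt them, and cluster.yaml — which holds the k3s join token — is now readable by the cap-slim7 and cap-nr200p host keys in addition to the cluster nodes; the original rule scoped it to cluster hosts only. If the workstations never run k3s, drop `- *cap_slim7` and `- *cap_nr200p` from the cluster rule and rerun `sops updatekeys`, then rotate the data key with `sops rotate` if the wider exposure was unintended. The renamed `&personal` and `&cluster` anchors are still never referenced, and the file still ends without a trailing newline.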
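Review bot: `# sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;` is commented-out code added at column 0 of the host configuration, and the same setting is already live in k3s-primary.nix, so it reads as leftover debugging. Remove it, or if it is meant as a reminder, indent it and say why it is here, e.g. `  # k3s_token sopsFile is declared in modules/application-groups/k3s-primary.nix`.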
@@ -4,29 +4,110 @@ sops: - recipient: age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOY3Uzb3BEUjJjRjR1Z1ZP - MWxtOVdzMmhDZDJ6WGNtSjF3VTEyT1l0UEVVCklmcldubUpvWCtmT0lMblVhMFlO - YTIvQ21HMzRBOGVsZ1daN0JrZTloblUKLS0tICtwcjFEZC84NG1EeXBLYU5DQ1dK - YlJBVkE4SUtNSEJDNFRLelZqcFl1blkKPVL+/e2GWR2dcvVRl/QaNQ5Bh++8KvjU - G7mzZ7pvw/clOniDp59ttGNBbtc+Ph0Eyh46bHoXjSN3uLRQ2qF5FA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTWNzM0RMMXpDZnZHSEFz + U01jN1FPTFJ6YzBMQlhQMEpSZ0NTNCtteWk4CmhyU1ZTeE1wMzAxRWszS0NKeVpL + dmw3TGlvdG80TVVXUWVTYTVHMzcwajgKLS0tIFMraXVmTS9zSkFzRGZjZlhzR1lj + eDRubW5hWnQzdjVzRytWTW44Y2xoU2MKA2yvOK0DfKSj6U7094a9+4t7E6nFGD+5 + p8XlMAkroS8RhdwBi//xn5I05/iJMKJikaeclvsNlvLV5b/GkCE3nw== -----END AGE ENCRYPTED FILE----- - recipient: age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrWERMUEZEbkZSN0tVTUZZ - SVA5SXB5NFF4a1R6UmdMRUIwQWRuOXM5TkRNCk9GOEF2Yi9OUVMwS1Z6a084NjhL - QzdLQU4zbmtZR093NE42bkc2eUFaQ28KLS0tIDJPU2NUT1IzMFZSczV3U2tDRXhM - NnhINWpQak4xTDczVmVnTU9NVzBNVWMK5HWwYmhViGAIuIYY7Om96ZpCG/fhDsD0 - zJ7XAvRJ4SJLwQ+4UoYk/6LQ56HE1JxTBRxKhi/UHMEO6zQs26mJBQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5RzZSTFNPMkprTk00SjBv + WTdvcVFuU0hPZ2hteWsrOXp3TTlGdXBvb1FRCjlCbitacFJpV1l3YXMvU0xMMm5Q + TjJwR3JtQk9Rbmc1S2J5OVF0WXBRQ1EKLS0tIHBHdzFlN21FZHFoRjc3cHlSZ2FK + YnBOOU5Bejl6MjB6MDliZWpPeTdFRncKRXH8gKhKVcSxja+dhIrPBNeeV8rJatSJ + +ZlHQL3109Ya/V6Aq9AtEypmLld9Ech7AGMCePNLYvc6DYkDE9bJDA== -----END AGE ENCRYPTED FILE----- - recipient: age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMnR0Q2JMajBYOEIwL3R6 - VHpPOTl1N2M0R3FnUUswOVZVbVhPeDBCSlRvCnZlMGVwemVyZUZxTElTY0VBTDNu - bWZRUEVHZ0VGS2xPTCt1RW9VZE5XZmcKLS0tIGllc2R1Y05NN0ZSbjdOOWFKcmcz - 
NXBWdXYzWjEwVXl5MW9lN2gwUnludFEKZzOcLZf3ONSKZ5s25PHai6J5OQUTm5Se - 8DJ9r/qq4LczD1kjc+2/BFsay1/myL3EkmL5oOZxQ2CjGdRrCeBikg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2eFE4bWRPQitrVDN4Y21J + TUJyd214L1JMazNiUzJEb29FTmRORkJmR1QwCjIrVzZ5WllDbGNCd1c0Q09XVDFm + UjhudDNCZ1BWSmpmbHkvWjROMnpkb3cKLS0tIFhzdlpiTFRPMFM5Nm1DcVN3djVB + SWZtVWNvRVdweWVxZVlQL1k1QVdESXMKc6OdFAyEvxhf5xyBFfiZajgUkwlfMMMJ + 4KqoZGTmh+4GTedJDAKClKce1TEQTKrf1ePP+5HhcSKOoPTolMh/Sw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1649y4antwgfe4fu02eppnx5gr0yc3g4lj4kwd6v9guxgxgj06y9qk7l4wl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUUt4ZCtrU2djKzRkN2h2 + bHpVSk15M2lTVjRrTi9aVmpETjV3UUN6TWlrCk5rdytrYWoxTmJDQmJITVRMa0ZV + UGc3dzhsQlM3T29BenY4VlRqbmdvd2sKLS0tIE9HVmxBMnZOMnUvdFcyNGRjTm1o + V29UVXRKWUhERkYwZ0NsOUZna1ErcWsK3ya1FW0WPKrZ4gMVx9M1eAgj6lQiv++M + TSZmVJfUMyV1OATtg3MSDFqsppN/i7+aQAP2D0G1fzG30/1qYwCsHA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k085uuy4fv9rfpy0ne6zl9fq0j05a4fykqe26psx2ngxqrcxcu5sksxa9u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUVpUW5CTEFGUVlSeVJa + QVNpUE9uaFV0eWxyQjhjcUFXOTVqN1JwTm1vCmE5dmVuZnFpeWRXbnh4V0J6eHF2 + R3l5ZFhTSitzSnFYbXEvbGoyY2R6WFEKLS0tIEwwWWcydmhPdW1wL083NVJncmF3 + U3lPYm9EZFRUWVhualFNZHhVU1JlQzgKsc4y+hfdGB3WW+NpzvA0RH54Zc46j3zt + 2Pak/SdxiMnHfF0cw9EP/xrGJ15IUUWvDmRu+om0fEMjg+OBOKLXXQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tpeqfhc4n7swpgzx6qfdfxanx0uqh7nksr7eksnvjea70n8vaf5sntxu2l + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmamp3Uk40ZGRJQW1MUVJS + SUlabWx3Zkd1b0xLMFQ5Y3hUelk1RU1HYW5FCnQ4bG5qRnhQRnlmTm13WXdYUWg5 + ZUVvRlRaN0NSSWhJV002N2pBL28yQXcKLS0tIEQ3bmJnUHNEUThvM2MvQUlDaUV3 + ZXd2T1RmM0l4YzZKaGkrRXc4VXBRVnMKnCp42FU0vQOb9VN/+DbsmNHvZc8lH+Rh + skZvMvTHgpMWTdhHYFWub+CIXZfUrJfy/vSWBvDw6c81r4p1l+Jyfw== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1pux20jlyzdexztdmm3lelzn2mslxhuahae4wjy74hkxfytslsfpqj708e2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNHNsYjJoTlhRcUJ5UnZw + eU9tVW9zVW5XRFR2ZUNaKzlieUNmdDNCS1JFCjVJaGoxdFArU09GMXpYMVdZaVk0 + TXpKUHo1cEdXZnpCNXpyRHJnYmRldWMKLS0tIFBnSktZWmp3M2NJbVAwTy94bnVx + YVlwaEZ0Z09aNFo0OCt1dUxpYzdiZEUKDHKAZYVC9ON48i9p5DZDopgm9afSg069 + m3mq5d+aBZIrnSdwgIuvyPJH+L8clIUXcJ47QH9ML/4MsFk+d4xvpA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1f5039syajzz75s9lkdzwnv2dsvlcp69puuaucgwt05sqjdl7hels25nsfr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bm15TmhpRXg5V05qWmRn + UExicGhXZ0ZWNUxPTUM3OEV2U1JveGRUQ1RVCkpaMXZwVUxiT0pQRkFFSjBMRnFw + RnJJalBrSTR5V3IvUnU2a2hWSmM0ajAKLS0tIDJ6ZWpiVlBBdDBxWnhZT2lyRi81 + dCtqV1ZwQVlHWFgvTkN4eTZmSG5XMzgKKAPm8crJXBvCAIgTCcpLBi74Fq/AT7Uo + SREKHWpC3pLtNyfgHuEhm3lCYmyZyxTsZFd/2ezAjqtQZAf29EEUjg== + -----END AGE ENCRYPTED FILE----- + - recipient: age19m6f3xtkdf3gwxqxgp9w9gyla4hk24f85l2tyjx6dxu0akzux3cs657dhz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbVhvQlZDWXhmMXpnaDBk + YUFwMkhwRDlkMXhjS1NJSVR3QWhBNDY2c0VFCklMaTBaKzQvRjdLQjFlelpkY2Ra + R0E3NjNVV1pPOG02WnhLdHhqRytPdlkKLS0tIFBFQlpWL0FEUWNGOThzNW1RdG9S + V2lSdVpweWZKM3VYZ01hclV4ZENZbTQKMQ3/EZk82q4oGnFJb49+X5uQzuTji8qV + K61/vy40g/1f8wgpJwjvGCHx7VyzsBp4lhXiLODMIW6ubp5kAU4r9A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1en6vdtxspam9s3nmsyfrcrxzrzu4t9v72ztqyekpzsc35rd06a2sza7ehw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVVJSRmZucDc1Vk5HZ0py + NS9BcDlLRkpyYitmd0hZdlVOaFgxS3JyR1ZJCkVBajVBTjlWamNMNFYza2xWaitx + V2loazBmaE5kVWRoVWwvR2NQa3Mwb1EKLS0tIFZYNGNRc00rUGlDT2tGUFlCcDc3 + aFB3SmpjVFVBc3lPWmMyM29URHpaUzQKguiKNjvJayezQ2tAqmFSgA8tY/6tx1Pb + OeB5cBtSyXfdZhL8HGYAqiIph9zbO3NId7icJsZ11YTW6XHHr1P7gw== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1aDJ5UkM1WENoUDZOUld3 + ZXpTdWJjQzVhNEI4RGs4UlhyVytBcmcwbUdBCkxhNnlzSm5yS21zVVNoSmc3VmJF + REE1YXpFSWtPcVhzMnFGckpLZUxQR2cKLS0tIE5DWGFKNUxRZnpFNGpMS0xxVVhq + OWIwRXBXMmxHN09pZVcyNElQZVhFWUUKAN0Yd2/RB0ZjE0BGZnVY+bCSEQXVpZrS + DwsxXlldtJLVebLxthPaXcPI4UmUFYSPFYWDPijjxQ7gbRYnOsV1eA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaVNQeVd3c0JKakhEWWE0 + ZDNjUitGaUVxM3h0UjF4Z2ZVR0w2L2xKTlRzCjhVVERodmpFVXF6Tnp5N011Tk9J + TVR2akpwRlBKOEs0T3loa0p1cGU5c1EKLS0tIEh5TGYrZ0c3MjQ0bDlsb3J6UGls + VWRsQy9BeU1rTmUxd0xwZHA2MjMrZmcKPI2g7B4Ylmbq1Z6WHAhdDx43oB/OeIKY + MKpwZ985JUrxwwiM0UC9DfNYaM9ScUf4l3qHFPHjh+N899rf7nW3zA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-12-13T09:05:22Z" mac: ENC[AES256_GCM,data:Jg/J4ulZtAI7Kfeb8/ccmG3hV+2TF/5kTcwNRr6llVORVBZ0cGeJz5TvhqwHsSf3TRwgzS50RHWtbJ//TadWrYbf+EInV92mT+ybVO/p6ek0jiqRV9Kto697YnjjtMG1uJcIazWhShT4UTg6PNlAtRzBA3759tnw2aj0hCNH9QE=,iv:hu1m3GdLiwyVZDrlh/p63hGCaJgXIHuVnxzPKskj9Io=,tag:NW+d9m+eTgkb9Uea5aurSw==,type:str] diff --git a/secrets/default.yaml b/secrets/default.yaml index e69de29..827123c 100644 --- a/secrets/default.yaml +++ b/secrets/default.yaml 
@@ -0,0 +1,115 @@ +default: ENC[AES256_GCM,data:hblL4UM//g==,iv:pu+XlfdZl8XZFk16iwV5juImHosUfOhZJ54UAzi9iwo=,tag:8h2ybkmNoqUT85L2JfXLrA==,type:str] +sops: + age: + - recipient: age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWUtjYmxwWVJtekY5RTcz + Yno1M0Z6RnRYRkowRmVWMWVTNWRTc0RWWWprCjlRZ0dVYnkzaU1CTmljR2VxVDZX + a1lzNUNCb0FrdGhvcUV1NTUxa0RRMG8KLS0tIG9PVWMzbHA4Q2YrbTQ2cWFpTU1F + NE9TN3QyNEZEM1BoeFFSRHZqUmF0TlkKSvm5PXarwX2/034Y2LThEVQWgGm4emWU + abvCD566vlA+MZdRx0CUo1S8xqXDse9inAwroPs3nZ2TabtvCAqNGA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Y2J5a1V5Q1U0eVZPOGlB + R2dBcElMQ0kwQUJCTkJuT0J2Tm9ETVlNcUYwCm0wbndXdFBZUllRZm5zdEVEczl4 + b1NYVXFqVlhTb0R5YTZSUnBlMGNYSkUKLS0tIGJXOUNYV0NNZUlnd3I2OUhjSCs0 + QzA3SXcwQmI4WE5qTElVWFhmRVhyN28KE2br0ZBj8dUep8O6hf0W1mrOXTDhTq/X + xR6zx93tpGdqg+jT0BS+7GMaxj4jM5VMmrTYQrIZc0g9ah34AbFT6g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQzl1MWtYczd5aEpacFNZ + elpwaC90d2xTWUFJeGdMTjkxSVhZTUU4a3hnCnFOZ1ViS0hqbW45aU0vajh5NjVv + VmNYcmNGT21lMDl4QnljOS9oSHNpTjAKLS0tIGpndTNQU21PSVU1UzErTjFtOVYw + ZU1IRWdacUtKeEloQjM0TFU3Q1A0OUkKiFY+UfTgGtPuQBuHfmRKEVV6nyi7ggLT + x81Gl5COm0zCuXJuQw5FQutFXnYRC/9ndlNpO1HmrDHnEDp1osdNqg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1649y4antwgfe4fu02eppnx5gr0yc3g4lj4kwd6v9guxgxgj06y9qk7l4wl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSUnFJVWNYYlNLSk1xbFYy + WGlBYzZHYVc5USt2eXNKdzlabWhYMWExZTFvCmZTeTJxWVhISWt5cjBwT3gvcnJ6 + QzNRL0lFUGcraURLVnBGQXpXUzFiVG8KLS0tIEpobkwvaHBRU0FjQ3NIWDc2bWRj + 
ZWpwYURSc2dGTzJGaWgrWDRKZlRDZzQK0BZeC4JAbP8sHVy48O5rTyojRIkL8SUe + JPTYEa/wIDWOgp9Kkxa6QwVMr061pdEnIF6pal2efJjtvS0Q8JaegQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k085uuy4fv9rfpy0ne6zl9fq0j05a4fykqe26psx2ngxqrcxcu5sksxa9u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVzUwSkQrTGhBQ1VVR25D + ZU5BY1NnUVVhVTJ2VUxPTWpqVXNhQWhpc0dnCk5EQ3JYdmUvQWo3QzdqcXVaN2Q4 + ODFIeVhZWFAwV0hvUm5UTyt3VEZ3NFUKLS0tIElZL2NqQTY0dGJzVjJNWEh2U0pp + Nk94MldCTnZQRG00S1NGZWlsbmxLencKkeUHuYFIwQYdAAwfBcJ4F/1oR8mQfK9t + ka9WdGJZ+w2UDU0zOdkaD01lnqHenV/MhkzQ+SYnFEETDNLWt+OkwQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tpeqfhc4n7swpgzx6qfdfxanx0uqh7nksr7eksnvjea70n8vaf5sntxu2l + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdktET3FCUmw2TVhSWXcv + MTlHYlR2KzhPS2ZrdHA5ekcxZVZSc1JNM3lVCndQZUFKTFJFZG1GVWJvWllobGJU + eERoSmFMZWh5ZmZHM3Z3UWc5aVpab0EKLS0tIFIrdkdyaHg1NFVpM1JGWlBSWWpu + N0Q4YzZCbmd6bUc0U3FaZ3lLNUJOTXMKHC/emqz88i9dq+rWaw7Lh92pdu2D1aDD + K7G4d5AgRuSZxPWxwQMGTsCS3arsex0KrxdWE2ksZYTwVdi5CU3zTA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pux20jlyzdexztdmm3lelzn2mslxhuahae4wjy74hkxfytslsfpqj708e2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrM1BWd08zNFNPdTlUa1Vt + TzBJcDNIbHl3aXFUMXpkMmE1ajVwVFcrUVZBCkFDUnEyRktNRDlLdmFZT3Y0cVNT + UCtQQmhjT2hvbWdSOGh1WkMxcFFBWGMKLS0tIE1NQ3AraGVxVUxvZUVDOC9NY2xE + UHJZOWp6RmU2SFR4bU5hTDJnbHo5Rk0K/6Loz0GabBTy1VxePYwiuDtFCiDniGTv + RP7SKgMbN0SUjeaXwTmksC9DmfhWzXwDJqh/n/cNrtE2yuKR2AGzQA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1f5039syajzz75s9lkdzwnv2dsvlcp69puuaucgwt05sqjdl7hels25nsfr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6d1lFaGxEOElxYjBVV2w5 + dVJyUnNveklTbXJQSzA4UlVHYTlWZUUyVlIwCnRwS1RTejAzNllHdWVaYU5tZXhq + bzZVcnpjYXBhWFFnWjY1cFhQZ0JuZ3cKLS0tIE1zYWlJTTV2VWRma2JjWlRZZ2Ro + 
NitqbEFuUENKaDZWY2dVRU9tWUF4b1kKAZAVyohLFZPMC0O6AF7GUXaE/8Q9bF2s + o1rS/8Cg0KqmalQ992wSMjUj1Z0y+najuaF6Kp9r2Q+6b9IVe7HQFA== + -----END AGE ENCRYPTED FILE----- + - recipient: age19m6f3xtkdf3gwxqxgp9w9gyla4hk24f85l2tyjx6dxu0akzux3cs657dhz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzN01Db01QMVdudC9idjBm + N3B4a3hUR2ZNYUQzL3RVVlQvelFFNUZFTlhFCnpaMDFpcVpkcThFanJRcEVxOFNP + cC9xL29MVTd0R1FUQzMzazVoNDUvMkkKLS0tIEVYRTlZSkVUcmZIVWJ2dmlBVGxq + R0E2MmdSZDFPTG9WMmhzT0dRYWRkclkK6Hg6rNuEhWb1PLA8z5l2YPDBMXxo0VwA + GrpQjbrcFKXTxOpi9FU5m1Dy0HSkEkUnmcFiVr98g6xJwWQjp9Xduw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1en6vdtxspam9s3nmsyfrcrxzrzu4t9v72ztqyekpzsc35rd06a2sza7ehw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ0tJRDYzMDQvdVBDZ1ZD + NjJyc2x4NFhhd3oycjRxSFZhaHZTN25kc1NFCldvMy9IWUNadzRNWFh0QVQrczhB + aFhyd1d3cWlad3RCWVN0VWQzNkU5eWsKLS0tIDZSbmxLbnNTYmJhL0l6L1JwRWFN + ZUQ4cVlyL3VYQ0RFdHgvalFnWnU1Z1EKTkQZ14qvVykxfkD1smBd7aXzqji4sUGi + dI0PoKWAy4rqVbNMsNTOutNk8KMxJG+d9Qw947W2O7fA2XIY7/hnug== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQnNCR2w4YjlzUSt5bDE3 + c0VMWmQ4M00zMVErd21DYnlPb0JtelFDeml3CjNGV1ZJMVZOTFNpT1RSc3FXV0No + d25GUGVzTi9WWlVDeWRzd3BDOXNHb1UKLS0tIHFVdVRRb2l4YjlaY0NlUFpiRmxs + aE91WkxSYittL2Y5aWZBUFpYS0tzR28KK7B4TLpgtcRj8zttl/oHaYuedm2r8LDd + 6C/cMrD+hQEb45OiDcn4V1L444vwbAZJvzgoiQWem6+1Wvepqe+P0A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmbjJKSGlLbFBCd011bHBG + emM4MVJCKy9UejY3M0E4VWFKTDFUeGZQQkVFCk1ZTkpUYm5adVZOU1hpR0xqOUdi + ZXppQ3lFdlBxQWdRdW9TbUFkcDJFbG8KLS0tIEhycFp1WGRCVUxBVzJRamptYnli + 
dW1YMTBIa202Tkp3WC9KRUhTckFCMUEKgUhihP1CN+kNOcbtfsr/gofI0tVzMVwo + 4aQPOxmvp3gyKdvPtUUTxJ3QrZ3laAHcVmsxPjEPnaAjfmGSUZh/YQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-13T11:02:46Z" + mac: ENC[AES256_GCM,data:roAByCemPPNz6kkAX1nOL/TU3p2Jv67paQKlouek40FEf5cwVRMmygKDhs1vV8ZO4Ot0xGjXwiq+ylD0aSzbzvdcD/gG+cZ67XpqcW7CQMMtCrQ3Rt+U7q4rxyUeR55VxJdusjwtPp8qPVutKNJlebOUdBgaSKzDzwbnRppDUxk=,iv:PZVwlU3uUO+hHisHaoQAAfcBR2jlB0UHSU7ZFRXYfPo=,tag:0hPLfuSoSLRR1LiOWHFpfQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 From b3fd29faeff6735dafe2312d3c4e90279fb73339 Mon Sep 17 00:00:00 2001 From: Corwin Perren Date: Sat, 13 Dec 2025 13:49:50 -0800 Subject: [PATCH 16/21] Fixed home manager inputs, and got sops-nix working for all current hosts --- .sops.yaml | 6 ++++++ flake.nix | 16 ++++++++++++---- modules/application-groups/k3s-secondary.nix | 4 +++- modules/system/home-manager-settings.nix | 10 ++++++++-- users/caperren/caperren.nix | 6 ++++-- 5 files changed, 33 insertions(+), 9 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 25ae30a..971baf8 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -16,6 +16,12 @@ keys: - &cap_clust_08 age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r - &cap_clust_09 age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp creation_rules: + - path_regex: users/caperren/secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *caperren + - *cap_slim7 + - *cap_nr200p - path_regex: secrets/default.yaml$ key_groups: - age: diff --git a/flake.nix b/flake.nix index 04e5e61..9bb69e3 100644 --- a/flake.nix +++ b/flake.nix @@ -28,6 +28,7 @@ { nixosConfigurations.cap-clust-01 = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; + specialArgs = { inherit inputs; }; modules = [ ./hosts/cap-clust-01/configuration.nix sops-nix.nixosModules.sops 
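Review bot: The new `path_regex` is anchored only at its end, and sops applies creation rules as a regex search over the path relative to `.sops.yaml`, taking the first rule that matches, so `users/caperren/secrets/[^/]+\.(yaml|json|env|ini)$` would also select this key group for a same-named directory nested anywhere else; `^users/caperren/secrets/[^/]+\.(yaml|json|env|ini)$` pins it to the intended location. The rule is placed ahead of `secrets/default.yaml$`, which is harmless now because the two patterns cannot overlap, but a comment above it, `# First match wins: user secrets are encrypted only to the user key and the hosts that need them`, would make the ordering and the deliberately narrower key group explicit. Whether cap_slim7 and cap_nr200p are the only hosts that need these secrets is not visible in this hunk.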
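Review bot: `specialArgs = { inherit inputs; };` is now copied verbatim into every `nixosSystem` call — this hunk and the cap-clust-02 through cap-clust-09, cap-slim7 and cap-nr200p hunks that follow — next to the already duplicated `system` and `sops-nix.nixosModules.sops` lines. A small helper defined where `inputs` is bound, `mkHost = name: extraModules: nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs; }; modules = [ ./hosts/${name}/configuration.nix sops-nix.nixosModules.sops ] ++ extraModules; };`, would reduce each entry to one line and make a future change (another special arg, a different module order) a single edit. The enclosing outputs expression is outside the hunk, so the exact place to define it is not visible here.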
@@ -36,6 +37,7 @@
 };
 nixosConfigurations.cap-clust-02 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
 modules = [
 ./hosts/cap-clust-02/configuration.nix
 sops-nix.nixosModules.sops
@@ -44,6 +46,7 @@
 };
 nixosConfigurations.cap-clust-03 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
 modules = [
 ./hosts/cap-clust-03/configuration.nix
 sops-nix.nixosModules.sops
@@ -52,6 +55,7 @@
 };
 nixosConfigurations.cap-clust-04 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
 modules = [
 ./hosts/cap-clust-04/configuration.nix
 sops-nix.nixosModules.sops
@@ -60,6 +64,7 @@
 };
 nixosConfigurations.cap-clust-05 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
 modules = [
 ./hosts/cap-clust-05/configuration.nix
 sops-nix.nixosModules.sops
@@ -68,6 +73,7 @@
 };
 nixosConfigurations.cap-clust-06 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
 modules = [
 ./hosts/cap-clust-06/configuration.nix
 sops-nix.nixosModules.sops
@@ -76,6 +82,7 @@
 };
 nixosConfigurations.cap-clust-07 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
 modules = [
 ./hosts/cap-clust-07/configuration.nix
 sops-nix.nixosModules.sops
@@ -84,6 +91,7 @@
 };
 nixosConfigurations.cap-clust-08 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
 modules = [
 ./hosts/cap-clust-08/configuration.nix
 sops-nix.nixosModules.sops
@@ -92,6 +100,7 @@
 };
 nixosConfigurations.cap-clust-09 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
 modules = [
 ./hosts/cap-clust-09/configuration.nix
 sops-nix.nixosModules.sops
@@ -101,9 +110,7 @@
 nixosConfigurations.cap-slim7 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- specialArgs = {
- inherit inputs;
- };
+ specialArgs = { inherit inputs; };
 modules = [
 ./hosts/cap-slim7/configuration.nix
 sops-nix.nixosModules.sops
@@ -114,10 +121,11 @@
 nixosConfigurations.cap-nr200p = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
 modules = [
 ./hosts/cap-nr200p/configuration.nix
- sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
+ sops-nix.nixosModules.sops
 ];
 };
 };
diff --git a/modules/application-groups/k3s-secondary.nix b/modules/application-groups/k3s-secondary.nix
index 89f2b72..138e846 100644
--- a/modules/application-groups/k3s-secondary.nix
+++ b/modules/application-groups/k3s-secondary.nix
@@ -1,9 +1,11 @@
 { config, pkgs, ... }:
 {
+ sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;
+
 services.k3s = {
 enable = true;
 role = "server"; # Or "agent" for worker only nodes
- token = "forinitialtestingonly";
+ tokenFile = config.sops.secrets.k3s_token.path;
 serverAddr = "https://cap-clust-01:6443";
 };
 }
diff --git a/modules/system/home-manager-settings.nix b/modules/system/home-manager-settings.nix
index a1c70da..84819c4 100644
--- a/modules/system/home-manager-settings.nix
+++ b/modules/system/home-manager-settings.nix
@@ -1,5 +1,11 @@
 { inputs, ... }:
 {
- home-manager.useGlobalPkgs = true;
- home-manager.backupFileExtension = "bkp";
+ home-manager = {
+ useGlobalPkgs = true;
+ backupFileExtension = "bkp";
+ sharedModules = [
+ inputs.sops-nix.homeManagerModules.sops
+ ];
+ };
+
 }
diff --git a/users/caperren/caperren.nix b/users/caperren/caperren.nix
index be3bde6..6637d7e 100644
--- a/users/caperren/caperren.nix
+++ b/users/caperren/caperren.nix
@@ -25,8 +25,8 @@ in
 "wheel"
 ];
 openssh.authorizedKeys.keys = [
- sshDesktopPubkey
- sshLaptopPubkey
+ sshDesktopPubkey
+ sshLaptopPubkey
 ];
 };
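Review bot: `tokenFile = config.sops.secrets.k3s_token.path;` moves the join token out of the world-readable Nix store, but the literal `forinitialtestingonly` it replaces remains in the repository history, so the value encrypted into `secrets/cluster.yaml` needs to be a freshly generated token rather than the old string re-encrypted, and nodes that joined with the old one need to be re-joined; the disable/enable toggles in PATCH 17, 18 and 20 suggest that is the plan, but nothing in the series states it. `sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;` appears identically in k3s-primary.nix (visible in the PATCH 17 hunks), so a shared k3s-common module would keep the two declarations from drifting. A comment on the secret, `# Cluster join token; must equal the value used by the clusterInit host (cap-clust-01)`, would also document its coupling with `serverAddr`.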
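Review bot: The last added line of the home-manager-settings.nix hunk is an empty line, leaving a blank line between `};` and the module's closing `}`; dropping it keeps the file in line with the other modules in this series. The move to a nested `home-manager = { … };` set is otherwise a readable way to add `sharedModules`.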
@@ -58,6 +58,8 @@ in
 };
 };
+ programs.ssh.enable = true;
+
 # Assets/scripts
 home.file.".config/streamdeck-ui/icons".source = ./dotfiles/streamdeck/icons;
 home.file.".config/hypr/scripts".source = ./dotfiles/.config/hypr/scripts;
From 180d6cf1b0cec2da7d1baf643c57fa68cbbc3a45 Mon Sep 17 00:00:00 2001
From: Corwin Perren
Date: Sat, 13 Dec 2025 15:06:11 -0800
Subject: [PATCH 17/21] Reset cluster for change to sops-nix managed token
---
 modules/application-groups/k3s-primary.nix | 2 +-
 modules/application-groups/k3s-secondary.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/application-groups/k3s-primary.nix b/modules/application-groups/k3s-primary.nix
index dbef2ba..d7af473 100644
--- a/modules/application-groups/k3s-primary.nix
+++ b/modules/application-groups/k3s-primary.nix
@@ -3,7 +3,7 @@
 sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;
 services.k3s = {
- enable = true;
+ enable = false;
 role = "server";
 tokenFile = config.sops.secrets.k3s_token.path;
 clusterInit = true;
diff --git a/modules/application-groups/k3s-secondary.nix b/modules/application-groups/k3s-secondary.nix
index 138e846..09c47ab 100644
--- a/modules/application-groups/k3s-secondary.nix
+++ b/modules/application-groups/k3s-secondary.nix
@@ -3,7 +3,7 @@
 sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;
 services.k3s = {
- enable = true;
+ enable = false;
 role = "server"; # Or "agent" for worker only nodes
 tokenFile = config.sops.secrets.k3s_token.path;
 serverAddr = "https://cap-clust-01:6443";
From b110daed58e40097ead5803bbba1349c66d5db6f Mon Sep 17 00:00:00 2001
From: Corwin Perren
Date: Sat, 13 Dec 2025 15:09:38 -0800
Subject: [PATCH 18/21] Re-enable primary server
---
 modules/application-groups/k3s-primary.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/application-groups/k3s-primary.nix b/modules/application-groups/k3s-primary.nix
index d7af473..dbef2ba 100644
--- a/modules/application-groups/k3s-primary.nix
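Review bot: `enable = false;` stops the k3s unit but leaves k3s's on-disk state (its data directory, by default under /var/lib/rancher) in place, so a cluster that was bootstrapped with the previously committed plaintext token keeps its datastore and token-derived credentials across this off/on cycle; if "Reset cluster" means a clean re-bootstrap with the sops-managed token, each node's data directory also has to be removed, and that step is not visible in the series. The same applies to the k3s-secondary.nix hunk that follows in PATCH 17. A comment next to the toggle, `# Temporarily disabled to re-bootstrap with the sops-managed token; wipe the k3s data dir on each node first`, would record the procedure where the next operator will look for it.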
+++ b/modules/application-groups/k3s-primary.nix
@@ -3,7 +3,7 @@
 sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;
 services.k3s = {
- enable = false;
+ enable = true;
 role = "server";
 tokenFile = config.sops.secrets.k3s_token.path;
 clusterInit = true;
From 307cf5108cc415ebe348c6d6a1a5345ae6509a43 Mon Sep 17 00:00:00 2001
From: Corwin Perren
Date: Sat, 13 Dec 2025 15:23:24 -0800
Subject: [PATCH 19/21] Re-enable nix rebuild service for cluster
---
 modules/host-groups/cluster.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/modules/host-groups/cluster.nix b/modules/host-groups/cluster.nix
index c6604ba..f827f4d 100644
--- a/modules/host-groups/cluster.nix
+++ b/modules/host-groups/cluster.nix
@@ -8,7 +8,7 @@
 # System Configuration
 ../system/cpu-amd.nix
 ../system/fonts.nix
-# ../system/git-auto-rebuild.nix
+ ../system/git-auto-rebuild.nix
 ../system/gpu-amd.nix
 ../system/home-manager-settings.nix
 ../system/internationalization.nix
@@ -21,8 +21,6 @@
 ../application-groups/system-utilities-cluster.nix
 ];
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-
 time.timeZone = "America/Los_Angeles";
 # This value determines the NixOS release from which the default
From d72c3d4e567eb56a7f49a5d27a024aaa02699d19 Mon Sep 17 00:00:00 2001
From: Corwin Perren
Date: Sat, 13 Dec 2025 15:28:48 -0800
Subject: [PATCH 20/21] Re-enable secondaries
---
 modules/application-groups/k3s-secondary.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/application-groups/k3s-secondary.nix b/modules/application-groups/k3s-secondary.nix
index 09c47ab..138e846 100644
--- a/modules/application-groups/k3s-secondary.nix
+++ b/modules/application-groups/k3s-secondary.nix
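Review bot: Removing `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` from cluster.nix means the cluster hosts now decrypt `secrets/cluster.yaml` with whatever identity sops-nix resolves by default (the openssh ed25519 host key, when openssh is enabled) or with a setting in a module not shown here; since the commit message only mentions the rebuild service, state where the age key now comes from, for example `# age identity: sops-nix defaults to the openssh ed25519 host key`, so the next reader knows the removal was deliberate. Re-enabling `../system/git-auto-rebuild.nix` on the same hosts ties root on every cluster node, and with it access to the k3s token, to write access on the tracked branch; if that module does not already verify commit signatures or build only a reviewed ref, this is the place to add that, and since the module itself is outside this diff its current behaviour cannot be confirmed here.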
@@ -3,7 +3,7 @@
 sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;
 services.k3s = {
- enable = false;
+ enable = true;
 role = "server"; # Or "agent" for worker only nodes
 tokenFile = config.sops.secrets.k3s_token.path;
 serverAddr = "https://cap-clust-01:6443";
From 1fe9c9c9cf3934962be7f8b8653dbc95c47567f8 Mon Sep 17 00:00:00 2001
From: Corwin Perren
Date: Sat, 13 Dec 2025 15:56:29 -0800
Subject: [PATCH 21/21] Secondaries need to inherit secondary config
---
 hosts/cap-clust-03/configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/cap-clust-03/configuration.nix b/hosts/cap-clust-03/configuration.nix
index 73c05d3..118cb0c 100644
--- a/hosts/cap-clust-03/configuration.nix
+++ b/hosts/cap-clust-03/configuration.nix
@@ -8,7 +8,7 @@
 ../../modules/host-groups/cluster.nix
 # Application Groups
- ../../modules/application-groups/k3s-primary.nix
+ ../../modules/application-groups/k3s-secondary.nix
 ];
 networking.hostName = "cap-clust-03";
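Review bot: After this change only cap-clust-01 imports k3s-primary.nix, so exactly one host sets `clusterInit = true`, which is what the embedded-datastore setup needs; before it, cap-clust-01 and cap-clust-03 both imported the primary module and would each have tried to initialise their own cluster. Nothing in the host files states that k3s-primary.nix must be imported by exactly one host, so a comment on the import, `# Secondary: joins the cluster initialised by cap-clust-01 (k3s-primary.nix belongs on exactly one host)`, would prevent the same mistake on the next node.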