.gitea/workflows/update-flake.yaml

@@ -1,41 +0,0 @@
-name: Update Nix Flake
-
-on:
-  schedule:
-    - cron: "30 0 * * *" # daily run
-  workflow_dispatch: {}
-
-jobs:
-  update-flake:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          token: "${{ secrets.GH_TOKEN }}"
-          fetch-depth: 0
-          ref: flake-updates
-
-      - name: Fetch latest changes and reset branch
-        run: |
-          git fetch origin master
-          git reset --hard origin/master
-
-      - name: Set up Nix
-        uses: cachix/install-nix-action@v31
-
-      - name: Update Flake
-        run: nix flake update
-
-      - name: Commit and push changes
-        shell: bash
-        run: |
-          git config user.name "Gitea Actions"
-          git config user.email "actions@gitea.local"
-          git add flake.lock
-          if git diff --cached --quiet; then
-            echo "No changes to commit."
-          else
-            git commit -m "Update flake.lock $(date -I)"
-            git push origin flake-updates
-          fi

.sops.yaml

@@ -2,7 +2,6 @@ keys:
   - &primary age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
   - &aspi-ssh age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4
   - &pianonix-ssh age1hsmfz8fjxu83sax9lr487h8xr6cyge0apdq4zpge4c8jpcjj2cksj825ct
-  - &builder-ssh age1kw4kmdm45zprvdkrrpvgq966l7585vhusmum083qlwnr0xxgd3uqatcyja
 creation_rules:
   - path_regex: secrets/secrets.yaml$
     key_groups:
@@ -11,12 +10,6 @@ creation_rules:
       - *aspi-ssh
       - *pianonix-ssh
 
-  - path_regex: secrets/secrets-builder.yaml$
-    key_groups:
-    - age:
-      - *primary
-      - *builder-ssh
-
   - path_regex: secrets/.+
     key_groups:
     - age:

Readme.org

@@ -12,22 +12,3 @@ The structure is managed by [[https://snowfall.org/guides/lib/quickstart/][Snowf
 and [[file:flake.nix]] was symlinked to file:~/.config/home-manager/flake.nix
 
 For deployment!!
-
-* Secrets management with sops
-Full documentation here: https://github.com/Mic92/sops-nix
-
-** Edit secrets
-#+begin_src sh
-sops edit secrets/secrets.yaml
-#+end_src
-
-** Authorize new device
-- Generate public key from ssh -> Private age key generation not needed
-#+begin_src sh
-ssh-to-age < /etc/ssh/ssh_host_ed25519_key
-#+end_src
-- Add age public key to file:.sops.yaml
-- Update keys
-#+begin_src sh
-sops updatekeys secrets/*
-#+end_src

modules/nixos/builder/default.nix

@@ -51,15 +51,6 @@ in
         ];
         mandatoryFeatures = [ ];
       }
-      # {
-      #   hostName = "localhost";
-      #   protocol = null;
-      #   systems = [
-      #     "x86_64-linux"
-      #   ];
-      #   maxJobs = 4;
-      #   speedFactor = 1;
-      # }
     ];
   };
 }

modules/nixos/sops/default.nix

@@ -42,5 +42,23 @@ in
     # List of defined secrets
     # They all become files linked inside the "/run/secrets/" directory
 
+    sops.secrets."vnc-passwd" = {
+      owner = config.users.users.julian.name;
+      sopsFile = ../../../secrets/vnc-passwd;
+      format = "binary";
+    };
+    sops.secrets."wifi/pianonix" = { };
+
+    sops.secrets."password/aspi" = {
+      neededForUsers = true; # necessary for setting password
+    };
+    sops.secrets."password/pianonix" = {
+      neededForUsers = true; # necessary for setting password
+    };
+
+    sops.secrets."syncthing/pianonix/key" = { };
+    sops.secrets."syncthing/pianonix/cert" = { };
+    sops.secrets."syncthing/public-keys/aspi-nix" = { };
+    sops.secrets."syncthing/public-keys/pianonix" = { };
   };
 }

secrets/secrets-builder.yaml

@@ -1,30 +0,0 @@
-gitea_token: ENC[AES256_GCM,data:FuLEQRo8NtCIsGhtksbaKTZGliiR/5lRr6wHQCArUNN1IXFpPW49k/hZl20Wgg==,iv:MN7FBNIms/5Q841gfikk4WMaqyuXOTSQifC9IKFF0AM=,tag:RZFnJ49RZ+z9kXoTHdtYug==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPaEtBdWM5WURZcllRVkp5
-            MjA2OVl6dzAzd3RjRGVDNzhuYjVXdjVEOGdFClEzenJhMjYwaW9hZGhXOVJLTjVY
-            NkJudW1tcHl3VGdKTHdmdmF6cHBqM0UKLS0tIGF4K0FMcnNhVWNZa1Q5Vzc5MFAr
-            UUJVNEpnYUN2UEp2N0UwUmJLd1NQQ1kK61EzjD/Z1VEWXHzmkih8/ZyXRoq/Ocpv
-            3dAWLVTGx6nsPHOkGZ9Hl0fMIOafu/kjO7ixzAeq21FluS97ZL/qLQ==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1kw4kmdm45zprvdkrrpvgq966l7585vhusmum083qlwnr0xxgd3uqatcyja
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMVBwNmhlS3J1dGxVZkhm
-            UVhXemZQbGpJTEFNZlBkWTFhb0lmRStVQWlZCm15UXAvTTZWNS8zdWk4QjV5TlZp
-            TkxFK3dETTdSWGxBUGwzL284T2hReTAKLS0tIGp1TmV6Q2lMcDdVWTRXNHFMcWRn
-            eWFYMlY1MmEvWjVid2NJTmFMK0FXWWcKOtUk1kcSTj5UOBLESMwQLG+LtIDwUtMz
-            l5k02Zw2whQh6IrAqXhJSUpT6AiXSoYtcy5nNjZsoC53xsfLfu97kA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-21T20:07:45Z"
-    mac: ENC[AES256_GCM,data:VrZZ2fiv0JKPBijy+1s99D8FQvRFfoNZ48+58wy/Mir979GKihx/l7o3zYEpTWalRY8gbaHjLeH0i0bIgbGW4WQg+5gGZ4PjJhOMcZMAuMdoaGi0CqYOyOPXrzfDL8V5S5s1izjY/UhwURZdSiJeNfHS2cQVsFMt5vfTYSWDOM0=,iv:gVJPSVvKiCrb6KUyzfpO5ep1I8JTAHJGJCj22UhcV+o=,tag:9yGCU+5CtLOk+aa+pYrJ5g==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.4

systems/aarch64-linux/pianonix/default.nix

@@ -25,20 +25,6 @@
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
 
-  sops.secrets."vnc-passwd" = {
-    owner = config.users.users.julian.name;
-    sopsFile = ../../../secrets/vnc-passwd;
-    format = "binary";
-  };
-  sops.secrets."wifi/pianonix" = { };
-  sops.secrets."syncthing/pianonix/key" = { };
-  sops.secrets."syncthing/pianonix/cert" = { };
-  # sops.secrets."syncthing/public-keys/aspi-nix" = { };
-  # sops.secrets."syncthing/public-keys/pianonix" = { };
-  sops.secrets."password/pianonix" = {
-    neededForUsers = true; # necessary for setting password
-  };
-
   modules = {
     sops.enable = true;
     nix-settings.enable = true;

systems/x86_64-linux/aspi/default.nix

@@ -36,10 +36,6 @@
 
   time.timeZone = "Europe/Berlin";
 
-  sops.secrets = {
-    "password/aspi".neededForUsers = true; # necessary for setting password
-  };
-
   modules = {
     sops.enable = true;
     nix-settings.enable = true;

systems/x86_64-linux/builder/default.nix

@@ -37,7 +37,6 @@
   modules = {
     keymap.enable = true;
     locales.enable = true;
-    sops.enable = true;
   };
 
   users.users.nix = {
@@ -105,16 +104,16 @@
   };
 
   # Ollama used by open-webui as llm backend
-  # services.ollama = {
+  services.ollama = {
-  #   enable = true;
+    enable = true;
-  #   # acceleration = "rocm";
+    # acceleration = "rocm";
-  # };
+  };
-  # services.open-webui = {
+  services.open-webui = {
-  #   enable = true;
+    enable = true;
-  #   port = 8080;
+    port = 8080;
-  #   openFirewall = true;
+    openFirewall = true;
-  #   host = "builder.julian-mutter.de";
+    host = "builder.julian-mutter.de";
-  # };
+  };
 
   networking.firewall.allowedTCPPorts = [
     80
@@ -213,22 +212,6 @@
     };
   };
 
-  # =========== Gitea actions ==========
-  services.gitea-actions-runner.instances."builder" = {
-    enable = true;
-    url = "https://gitlab.julian-mutter.de";
-    name = "builder";
-    tokenFile = config.sops.secrets."gitea_token".path;
-    labels = [ ]; # use default labels
-  };
-
-  virtualisation.podman.enable = true;
-
-  sops.secrets."gitea_token" = {
-    owner = config.users.users.nix.name;
-    sopsFile = ../../../secrets/secrets-builder.yaml;
-  };
-
   # =========== Binary Cache ==========
   services.nix-serve = {
     enable = true;