Make sops use disabled by default

flake.lock

@@ -155,11 +155,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1732540163,
-        "narHash": "sha256-5EYzmoTpem2IB9JWzd41sL98pz3lyyCSTiCjv08i4Uk=",
+        "lastModified": 1732645828,
+        "narHash": "sha256-+4U2I2653JvPFxcux837ulwYS864QvEueIljUkwytsk=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "2ed5e30fc7e34adf455db8b02b9151d3922a54ea",
+        "rev": "869ba3a87486289a4197b52a6c9e7222edf00b3e",
         "type": "github"
       },
       "original": {
@@ -203,11 +203,11 @@
     "flake-compat_3": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1732719660,
+        "narHash": "sha256-xr54XK0SjczlUxRo5YwodibUSlpivS9bqHt8BNyWVQA=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "0a2144bc4373e58f68fb4d5a5e1284093dd10b47",
         "type": "github"
       },
       "original": {
@@ -551,11 +551,11 @@
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1732545731,
-        "narHash": "sha256-nRit2lb7kha7bcNB6pwhySbpI7Tjc1PLnkJvayBiJr8=",
+        "lastModified": 1732717065,
+        "narHash": "sha256-urLWdhzfa6EgXbpQ8qux++CdhySBdWcPPjYjlCva79U=",
         "ref": "refs/heads/main",
-        "rev": "268778823676ef2bbda42050d78946e1fc27fc31",
-        "revCount": 5497,
+        "rev": "e9a7fb8f91d23f1ac2671e55f74234dcec2ee1c6",
+        "revCount": 5499,
         "submodules": true,
         "type": "git",
         "url": "https://github.com/hyprwm/Hyprland"
@@ -709,11 +709,11 @@
         "utils": "utils_2"
       },
       "locked": {
-        "lastModified": 1732479786,
-        "narHash": "sha256-N2NxDB5ggCUzeGZKA5CL5IKu/tuMDTDusacMy1ua+SQ=",
+        "lastModified": 1732723667,
+        "narHash": "sha256-i2TcuSs1GUTkbSxM9hpANeR54V0IyZiXR96Qwb7X5kY=",
         "ref": "refs/heads/master",
-        "rev": "c8795588d83f1238637e60a0e1a484402502df53",
-        "revCount": 50,
+        "rev": "02120b326386e423057350f2f45fe1f0c076bae4",
+        "revCount": 55,
         "type": "git",
         "url": "https://gitlab.julian-mutter.de/julian/music-reader"
       },
@@ -809,11 +809,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1732460506,
-        "narHash": "sha256-BE5aJOUwTINKg80xQhVeTwELCXpvQ3NCFynQ9Uzbcd0=",
+        "lastModified": 1732719717,
+        "narHash": "sha256-gSlfC8d35xTggVb0kZYFuhhZ3P0b95TjcBcrIzBr1eU=",
         "owner": "doronbehar",
         "repo": "nix-matlab",
-        "rev": "0a764e005f1311dc4a0e9cfa3193afcbfeda7a7a",
+        "rev": "8d1c0936f50107fe80d8acac9e12a3dec805d8be",
         "type": "gitlab"
       },
       "original": {
@@ -910,11 +910,11 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1731797254,
-        "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
+        "lastModified": 1732632634,
+        "narHash": "sha256-+G7n/ZD635aN0sEXQLynU7pWMd3PKDM7yBIXvYmjABQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
+        "rev": "6f6076c37180ea3a916f84928cf3a714c5207a30",
         "type": "github"
       },
       "original": {
@@ -926,11 +926,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1732014248,
-        "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
+        "lastModified": 1732521221,
+        "narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
+        "rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d",
         "type": "github"
       },
       "original": {
@@ -972,11 +972,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1731797254,
-        "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
+        "lastModified": 1732632634,
+        "narHash": "sha256-+G7n/ZD635aN0sEXQLynU7pWMd3PKDM7yBIXvYmjABQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
+        "rev": "6f6076c37180ea3a916f84928cf3a714c5207a30",
         "type": "github"
       },
       "original": {
@@ -1140,11 +1140,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1732186149,
-        "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
+        "lastModified": 1732575825,
+        "narHash": "sha256-xtt95+c7OUMoqZf4OvA/7AemiH3aVuWHQbErYQoPwFk=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
+        "rev": "3433ea14fbd9e6671d0ff0dd45ed15ee4c156ffa",
         "type": "github"
       },
       "original": {
@@ -1344,11 +1344,11 @@
     "yazi-flavors": {
       "flake": false,
       "locked": {
-        "lastModified": 1732522261,
-        "narHash": "sha256-zqbwE8SvY9nQyGt0NDxK9OlFMAJ5EHtTeEDZtpb1FuA=",
+        "lastModified": 1732694243,
+        "narHash": "sha256-MXfqd67yTAUkjqESJ9dkmmzvW+ui2ldYfbvF+fjUduk=",
         "owner": "yazi-rs",
         "repo": "flavors",
-        "rev": "c04be98a3fde8787da4a7b07dec65451b40ee600",
+        "rev": "c686812c0b42c83cf058d90e0a8c42b1627be335",
         "type": "github"
       },
       "original": {

flake.nix

@@ -138,5 +138,15 @@
           confirmTimeout = 90; # default: 30s; raspberrypi takes a little longer restarting services
         };
       };
+
+      deploy.nodes.builder = {
+        hostname = "builder.julian-mutter.de";
+        profiles.system = {
+          sshUser = "root";
+          user = "root";
+          path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.builder;
+          # confirmTimeout = 90; # default: 30s; raspberrypi takes a little longer restarting services
+        };
+      };
     };
 }

modules/home/suites/development/default.nix

@@ -82,6 +82,7 @@ in
       deploy-rs
       sops
       pandoc # markdown preview
+      docker-compose
 
       ## My scripts
       frajul.deploy-to-pianopi

modules/nixos/sops/default.nix

@@ -24,9 +24,11 @@ let
   cfg = config.modules.sops;
 in
 {
-  options.modules.sops = { };
+  options.modules.sops = {
+    enable = lib.mkOption { default = false; };
+  };
 
-  config = {
+  config = lib.mkIf cfg.enable {
     sops.defaultSopsFile = ../../../secrets/secrets.yaml;
     sops.defaultSopsFormat = "yaml";
 
@@ -52,6 +54,5 @@ in
     sops.secrets."syncthing/pianonix/cert" = { };
     sops.secrets."syncthing/public-keys/aspi-nix" = { };
     sops.secrets."syncthing/public-keys/pianonix" = { };
-
   };
 }

systems/aarch64-linux/pianonix/default.nix

@@ -26,6 +26,7 @@
   time.timeZone = "Europe/Berlin";
 
   modules = {
+    sops.enable = true;
     nix-settings.enable = true;
     xserver-defaults.enable = true;
     keymap.enable = true;

systems/x86_64-linux/aspi/default.nix

@@ -35,6 +35,7 @@
   time.timeZone = "Europe/Berlin";
 
   modules = {
+    sops.enable = true;
     nix-settings.enable = true;
     xserver-defaults.enable = true;
     keymap.enable = true;

systems/x86_64-linux/builder/default.nix

@@ -0,0 +1,96 @@
+# sudo nixos-rebuild switch --flake .#builder --target-host root@192.168.3.118
+# or
+# deploy .#builder
+{ config, pkgs, ... }:
+
+{
+  imports = [ ./hardware-configuration.nix ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  # Emulated systems used as alternative to cross-compiling
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+  networking.hostName = "builder";
+  networking.networkmanager.enable = true;
+
+  time.timeZone = "Europe/Berlin";
+
+  modules = {
+    keymap.enable = true;
+    locales.enable = true;
+  };
+
+  users.users.nix = {
+    isNormalUser = true;
+    description = "Nix";
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+    ];
+  };
+
+  nix.settings.trusted-users = [ "@wheel" ];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+
+  # Setup binary caches
+  nix.settings = {
+    substituters = [
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+    ];
+    trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
+  };
+
+  # optimize store by hardlinking store files
+  nix.optimise.automatic = true;
+  nix.optimise.dates = [ "03:15" ];
+
+  nix.gc.automatic = true;
+  nix.gc.dates = "weekly";
+  nix.gc.options = "--delete-older-than 30d";
+
+  # Garbage collect up to 30 GiB when only 5 GiB storage left
+  nix.extraOptions = ''
+    min-free = ${toString (5 * 1024 * 1024 * 1024)}
+    max-free = ${toString (30 * 1024 * 1024 * 1024)}
+    min-free-check-interval = 60
+  '';
+
+  environment.systemPackages = with pkgs; [
+    vim
+    htop
+    mc
+  ];
+
+  # services.ollama = {
+  #   enable = true;
+  #   acceleration = "cuda";
+  # };
+  services.open-webui = {
+    enable = true;
+    port = 8080;
+    openFirewall = true;
+  };
+
+  services.openssh = {
+    enable = true;
+    # require public key authentication for better security
+    settings.PasswordAuthentication = false;
+    settings.KbdInteractiveAuthentication = false;
+    settings.PermitRootLogin = "yes";
+  };
+  users.users."root".openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
+  ];
+
+  # security.pam.sshAgentAuth.enable = true; # enable sudo via ssh
+
+  # ======================== DO NOT CHANGE THIS ========================
+  system.stateVersion = "23.11";
+  # ======================== DO NOT CHANGE THIS ========================
+}

systems/x86_64-linux/nix-builder/default.nix

@@ -1,128 +0,0 @@
-# sudo nixos-rebuild switch --flake .#nix-builder --target-host root@192.168.3.118
-
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, ... }:
-
-{
-  imports = [
-    # Include the results of the hardware scan.
-    ./hardware-configuration.nix
-  ];
-
-  # Bootloader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-  boot.loader.grub.useOSProber = true;
-
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-
-  networking.hostName = "nix-builder"; # Define your hostname.
-
-  # Enable networking
-  networking.networkmanager.enable = true;
-
-  # Set your time zone.
-  time.timeZone = "Europe/Berlin";
-
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_US.UTF-8";
-
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "de_DE.UTF-8";
-    LC_IDENTIFICATION = "de_DE.UTF-8";
-    LC_MEASUREMENT = "de_DE.UTF-8";
-    LC_MONETARY = "de_DE.UTF-8";
-    LC_NAME = "de_DE.UTF-8";
-    LC_NUMERIC = "de_DE.UTF-8";
-    LC_PAPER = "de_DE.UTF-8";
-    LC_TELEPHONE = "de_DE.UTF-8";
-    LC_TIME = "de_DE.UTF-8";
-  };
-
-  # Configure keymap in X11
-  services.xserver = {
-    xkb.layout = "de";
-    xkb.variant = "";
-  };
-
-  # Configure console keymap
-  console.keyMap = "de";
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.nix = {
-    isNormalUser = true;
-    description = "Nix";
-    extraGroups = [
-      "networkmanager"
-      "wheel"
-    ];
-    packages = with pkgs; [ ];
-  };
-
-  nix.settings.trusted-users = [ "@wheel" ];
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-  ];
-
-  # Setup binary caches
-  nix.settings = {
-    substituters = [
-      "https://nix-community.cachix.org"
-      "https://cache.nixos.org/"
-    ];
-    trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
-  };
-
-  # optimize store by hardlinking store files
-  nix.optimise.automatic = true;
-  nix.optimise.dates = [ "03:15" ];
-
-  nix.gc.automatic = true;
-  nix.gc.dates = "weekly";
-  nix.gc.options = "--delete-older-than 30d";
-
-  # Garbage collect up to 30 GiB when only 5 GiB storage left
-  nix.extraOptions = ''
-    min-free = ${toString (5 * 1024 * 1024 * 1024)}
-    max-free = ${toString (30 * 1024 * 1024 * 1024)}
-    min-free-check-interval = 60
-  '';
-
-  nixpkgs.config.allowUnfree = true;
-
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
-  environment.systemPackages = with pkgs; [
-    vim
-    htop
-    mc
-  ];
-
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
-  services.ollama = {
-    enable = true;
-    acceleration = "cuda";
-  };
-
-  security.pam.sshAgentAuth.enable = true; # enable sudo logins via ssh
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
-}