Add gitea action for updating flake

.gitea/workflows/update-flake.yaml

@@ -0,0 +1,41 @@
+name: Update Nix Flake
+
+on:
+  schedule:
+    - cron: "30 0 * * *" # daily run
+  workflow_dispatch: {}
+
+jobs:
+  update-flake:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: "${{ secrets.GH_TOKEN }}"
+          fetch-depth: 0
+          ref: flake-updates
+
+      - name: Fetch latest changes and reset branch
+        run: |
+          git fetch origin master
+          git reset --hard origin/master
+
+      - name: Set up Nix
+        uses: cachix/install-nix-action@v31
+
+      - name: Update Flake
+        run: nix flake update
+
+      - name: Commit and push changes
+        shell: bash
+        run: |
+          git config user.name "Gitea Actions"
+          git config user.email "actions@gitea.local"
+          git add flake.lock
+          if git diff --cached --quiet; then
+            echo "No changes to commit."
+          else
+            git commit -m "Update flake.lock $(date -I)"
+            git push origin flake-updates
+          fi

.sops.yaml

@@ -2,6 +2,7 @@ keys:
   - &primary age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
   - &aspi-ssh age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4
   - &pianonix-ssh age1hsmfz8fjxu83sax9lr487h8xr6cyge0apdq4zpge4c8jpcjj2cksj825ct
+  - &builder-ssh age1kw4kmdm45zprvdkrrpvgq966l7585vhusmum083qlwnr0xxgd3uqatcyja
 creation_rules:
   - path_regex: secrets/secrets.yaml$
     key_groups:
@@ -10,6 +11,12 @@ creation_rules:
       - *aspi-ssh
       - *pianonix-ssh
 
+  - path_regex: secrets/secrets-builder.yaml$
+    key_groups:
+    - age:
+      - *primary
+      - *builder-ssh
+
   - path_regex: secrets/.+
     key_groups:
     - age:

Readme.org

@@ -12,3 +12,22 @@ The structure is managed by [[https://snowfall.org/guides/lib/quickstart/][Snowf
 and [[file:flake.nix]] was symlinked to file:~/.config/home-manager/flake.nix
 
 For deployment!!
+
+* Secrets management with sops
+Full documentation here: https://github.com/Mic92/sops-nix
+
+** Edit secrets
+#+begin_src sh
+sops edit secrets/secrets.yaml
+#+end_src
+
+** Authorize new device
+- Generate public key from ssh -> Private age key generation not needed
+#+begin_src sh
+ssh-to-age < /etc/ssh/ssh_host_ed25519_key
+#+end_src
+- Add age public key to file:.sops.yaml
+- Update keys
+#+begin_src sh
+sops updatekeys secrets/*
+#+end_src

modules/nixos/builder/default.nix

@@ -51,6 +51,15 @@ in
         ];
         mandatoryFeatures = [ ];
       }
+      # {
+      #   hostName = "localhost";
+      #   protocol = null;
+      #   systems = [
+      #     "x86_64-linux"
+      #   ];
+      #   maxJobs = 4;
+      #   speedFactor = 1;
+      # }
     ];
   };
 }

modules/nixos/sops/default.nix

@@ -42,23 +42,5 @@ in
     # List of defined secrets
     # They all become files linked inside the "/run/secrets/" directory
 
-    sops.secrets."vnc-passwd" = {
-      owner = config.users.users.julian.name;
-      sopsFile = ../../../secrets/vnc-passwd;
-      format = "binary";
-    };
-    sops.secrets."wifi/pianonix" = { };
-
-    sops.secrets."password/aspi" = {
-      neededForUsers = true; # necessary for setting password
-    };
-    sops.secrets."password/pianonix" = {
-      neededForUsers = true; # necessary for setting password
-    };
-
-    sops.secrets."syncthing/pianonix/key" = { };
-    sops.secrets."syncthing/pianonix/cert" = { };
-    sops.secrets."syncthing/public-keys/aspi-nix" = { };
-    sops.secrets."syncthing/public-keys/pianonix" = { };
   };
 }

secrets/secrets-builder.yaml

@@ -0,0 +1,30 @@
+gitea_token: ENC[AES256_GCM,data:FuLEQRo8NtCIsGhtksbaKTZGliiR/5lRr6wHQCArUNN1IXFpPW49k/hZl20Wgg==,iv:MN7FBNIms/5Q841gfikk4WMaqyuXOTSQifC9IKFF0AM=,tag:RZFnJ49RZ+z9kXoTHdtYug==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPaEtBdWM5WURZcllRVkp5
+            MjA2OVl6dzAzd3RjRGVDNzhuYjVXdjVEOGdFClEzenJhMjYwaW9hZGhXOVJLTjVY
+            NkJudW1tcHl3VGdKTHdmdmF6cHBqM0UKLS0tIGF4K0FMcnNhVWNZa1Q5Vzc5MFAr
+            UUJVNEpnYUN2UEp2N0UwUmJLd1NQQ1kK61EzjD/Z1VEWXHzmkih8/ZyXRoq/Ocpv
+            3dAWLVTGx6nsPHOkGZ9Hl0fMIOafu/kjO7ixzAeq21FluS97ZL/qLQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1kw4kmdm45zprvdkrrpvgq966l7585vhusmum083qlwnr0xxgd3uqatcyja
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMVBwNmhlS3J1dGxVZkhm
+            UVhXemZQbGpJTEFNZlBkWTFhb0lmRStVQWlZCm15UXAvTTZWNS8zdWk4QjV5TlZp
+            TkxFK3dETTdSWGxBUGwzL284T2hReTAKLS0tIGp1TmV6Q2lMcDdVWTRXNHFMcWRn
+            eWFYMlY1MmEvWjVid2NJTmFMK0FXWWcKOtUk1kcSTj5UOBLESMwQLG+LtIDwUtMz
+            l5k02Zw2whQh6IrAqXhJSUpT6AiXSoYtcy5nNjZsoC53xsfLfu97kA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-21T20:07:45Z"
+    mac: ENC[AES256_GCM,data:VrZZ2fiv0JKPBijy+1s99D8FQvRFfoNZ48+58wy/Mir979GKihx/l7o3zYEpTWalRY8gbaHjLeH0i0bIgbGW4WQg+5gGZ4PjJhOMcZMAuMdoaGi0CqYOyOPXrzfDL8V5S5s1izjY/UhwURZdSiJeNfHS2cQVsFMt5vfTYSWDOM0=,iv:gVJPSVvKiCrb6KUyzfpO5ep1I8JTAHJGJCj22UhcV+o=,tag:9yGCU+5CtLOk+aa+pYrJ5g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

systems/aarch64-linux/pianonix/default.nix

@@ -25,6 +25,20 @@
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
 
+  sops.secrets."vnc-passwd" = {
+    owner = config.users.users.julian.name;
+    sopsFile = ../../../secrets/vnc-passwd;
+    format = "binary";
+  };
+  sops.secrets."wifi/pianonix" = { };
+  sops.secrets."syncthing/pianonix/key" = { };
+  sops.secrets."syncthing/pianonix/cert" = { };
+  # sops.secrets."syncthing/public-keys/aspi-nix" = { };
+  # sops.secrets."syncthing/public-keys/pianonix" = { };
+  sops.secrets."password/pianonix" = {
+    neededForUsers = true; # necessary for setting password
+  };
+
   modules = {
     sops.enable = true;
     nix-settings.enable = true;

systems/x86_64-linux/aspi/default.nix

@@ -36,6 +36,10 @@
 
   time.timeZone = "Europe/Berlin";
 
+  sops.secrets = {
+    "password/aspi".neededForUsers = true; # necessary for setting password
+  };
+
   modules = {
     sops.enable = true;
     nix-settings.enable = true;

systems/x86_64-linux/builder/default.nix

@@ -37,6 +37,7 @@
   modules = {
     keymap.enable = true;
     locales.enable = true;
+    sops.enable = true;
   };
 
   users.users.nix = {
@@ -104,16 +105,16 @@
   };
 
   # Ollama used by open-webui as llm backend
-  services.ollama = {
+  # services.ollama = {
-    enable = true;
+  #   enable = true;
-    # acceleration = "rocm";
+  #   # acceleration = "rocm";
-  };
+  # };
-  services.open-webui = {
+  # services.open-webui = {
-    enable = true;
+  #   enable = true;
-    port = 8080;
+  #   port = 8080;
-    openFirewall = true;
+  #   openFirewall = true;
-    host = "builder.julian-mutter.de";
+  #   host = "builder.julian-mutter.de";
-  };
+  # };
 
   networking.firewall.allowedTCPPorts = [
     80
@@ -212,6 +213,22 @@
     };
   };
 
+  # =========== Gitea actions ==========
+  services.gitea-actions-runner.instances."builder" = {
+    enable = true;
+    url = "https://gitlab.julian-mutter.de";
+    name = "builder";
+    tokenFile = config.sops.secrets."gitea_token".path;
+    labels = [ ]; # use default labels
+  };
+
+  virtualisation.podman.enable = true;
+
+  sops.secrets."gitea_token" = {
+    owner = config.users.users.nix.name;
+    sopsFile = ../../../secrets/secrets-builder.yaml;
+  };
+
   # =========== Binary Cache ==========
   services.nix-serve = {
     enable = true;