From 6eb7b95b120aa32c79a964c035fd1175e44021b4 Mon Sep 17 00:00:00 2001
From: Natsu Kagami
Date: Thu, 1 Dec 2022 19:14:40 +0100
Subject: [PATCH] Move server!
---
 .sops.yaml | 9 +++++++
 flake.lock | 10 ++++----
 modules/cloud/mail/default.nix | 8 +++----
 nki-personal-do/configuration.nix | 4 ++--
 nki-personal-do/hardware-configuration.nix | 8 +++----
 nki-personal-do/secrets/recipient.txt | 1 +
 nki-personal-do/secrets/secrets.yaml | 28 ++++++++++++++++++----
 7 files changed, 48 insertions(+), 20 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index eb3a16f..cb3f08d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,9 +1,18 @@
 keys:
 - &admin_macbook_m1 age169v95f5fqx0sg5mjpp63sumrj9sma9se203ra2c05qa67h2h2drs3tvdph
 - &machine_macbook_m1 age10dd4t507h3ey68l2alu7z94s5lw0kshjq9lre5sv2vehrm9hg4rqk2let7
+ - &nki_pc age1hw22lrsskyvsrwgq9kl48eekwyzgnwt57pe9d9zx3q9xrwyrte4qgvft78
+ - &nkagami_main age1n8tnmmgredzltzwkspag7aufhrn6034ny8ysjeulhkwdnf7vqqaqec4mg5
+ - &nkagami_do age1z2h24mjt80fryqupajkh3kg5r4sjgw65uqy489xeqxhqj8u2a9fsm3ff36
 creation_rules:
 - path_regex: kagami-air-m1/secrets\.yaml$
 key_groups:
 - age:
 - *admin_macbook_m1
 - *machine_macbook_m1
+ - path_regex: nki-personal-do/secrets/secrets\.yaml$
+ key_groups:
+ - age:
+ - *nki_pc
+ - *nkagami_main
+ - *nkagami_do
diff --git a/flake.lock b/flake.lock
index ec28378..d6999f1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -500,11 +500,11 @@ "flake-utils": "flake-utils_3" }, "locked": { - "lastModified": 1666006086, - "narHash": "sha256-wjrQ9ngadZwfbz2o+iiNQvOTuRYS06Ate9FCXQEv94I=", - "ref": "master", - "rev": "333e5e06c0f40dab2c6f9556a6ea09f44971561b", - "revCount": 3, + "lastModified": 1669915544, + "narHash": "sha256-wByoZ+HWXo7L9QyUefMhe26IUUeFGtffG6v/AL31neo=", + "ref": "refs/heads/master", + "rev": "9142ca82ec1e9a6e1314d2727cdc15db30c94c14", + "revCount": 4, "type": "git", "url": "ssh://git@github.com/natsukagami/nix-deploy-secrets" },
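Review bot: The new `nki-personal-do` rule grants decryption to three age recipients without recording which one is the machine and which are people; the anchor names are the only hint, and nothing ties `nkagami_do` (presumably the host, given its name and that it was already the sole entry in `recipient.txt`) to the `/etc/ssh/ssh_host_ed25519_key` that `configuration.nix` now decrypts with. Every key listed here can decrypt the whole secrets file (the mail `usersFile` among its contents, per `configuration.nix`), so the roles matter for rotation and for deciding which keys must be hardware- or passphrase-protected. Suggested comment above `keys:`: `# nkagami_do: ssh-to-age of nki-personal-do's /etc/ssh/ssh_host_ed25519_key (verify); nki_pc, nkagami_main: operator keys`. The regex is also unanchored at the start; `^nki-personal-do/secrets/secrets\.yaml$` matches only the intended file.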
diff --git a/modules/cloud/mail/default.nix b/modules/cloud/mail/default.nix
index 8bec312..ab488ac 100644
--- a/modules/cloud/mail/default.nix
+++ b/modules/cloud/mail/default.nix
@@ -182,10 +182,10 @@ in
 }
 mx_auth {
 dane
- mtasts {
- cache fs
- fs_dir mtasts_cache/
- }
+ # mtasts {
+ # cache fs
+ # fs_dir mtasts_cache/
+ # }
 local_policy {
 min_tls_level encrypted
 min_mx_level none
diff --git a/nki-personal-do/configuration.nix b/nki-personal-do/configuration.nix
index cf3c400..768e29c 100644
--- a/nki-personal-do/configuration.nix
+++ b/nki-personal-do/configuration.nix
@@ -41,7 +41,7 @@
 # Secret management
 sops.defaultSopsFile = ./secrets/secrets.yaml;
- sops.age.sshKeyPaths = [ "/root/.ssh/id_ed25519" ];
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 # tinc
 services.my-tinc.enable = true;
@@ -75,7 +75,7 @@
 cloud.mail = {
 enable = true;
 debug = true;
- local_ip = (builtins.elemAt config.networking.interfaces.eth0.ipv4.addresses 0).address;
+ # local_ip = (builtins.elemAt config.networking.interfaces.eth0.ipv4.addresses 0).address;
 tls.certFile = "${config.cloud.traefik.certsDumper.destination}/${config.cloud.mail.hostname}/certificate.crt";
 tls.keyFile = "${config.cloud.traefik.certsDumper.destination}/${config.cloud.mail.hostname}/privatekey.key";
 usersFile = config.sops.secrets.mail-users.path;
diff --git a/nki-personal-do/hardware-configuration.nix b/nki-personal-do/hardware-configuration.nix
index 324b97e..6ec06be 100644
--- a/nki-personal-do/hardware-configuration.nix
+++ b/nki-personal-do/hardware-configuration.nix
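Review bot: Commenting out the `mtasts` block removes MTA-STS enforcement from outbound delivery, so for destination domains that publish an MTA-STS policy maddy will again accept a downgraded or unauthenticated TLS session; the surviving `local_policy` with `min_tls_level encrypted` demands encryption but (as far as maddy's levels go) not certificate verification, leaving DANE as the only authenticated path. The hunk gives no reason; if the trigger is that the relative `fs_dir mtasts_cache/` is not writable or not persistent on the new host, point it at a writable directory under maddy's state path rather than dropping the check. If disabling is deliberate, replace the dead commented config with one line stating why, e.g. `# mtasts disabled: <reason, date>`, so it is not silently left off forever. The enclosing `mx_auth` and `local_policy` blocks continue outside the hunk.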
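Review bot: Decrypting with `/etc/ssh/ssh_host_ed25519_key` ties the machine's age identity to its SSH host key, yet the recipient for this host (`age1z2h…`, unchanged in `recipient.txt` and now named `nkagami_do` in `.sops.yaml`) is not changed by this patch, so it must already be the `ssh-to-age` conversion of the new host's key — worth verifying before deploy, because a mismatch only surfaces as a decryption failure at activation, and any future host-key regeneration will break secrets the same way. The old `/root/.ssh/id_ed25519` identity is no longer referenced and should be destroyed on both machines and in any backup it was copied to. A comment next to the option would save the next reader the archaeology: `# age identity = ssh-to-age(/etc/ssh/ssh_host_ed25519_key); regenerating host keys requires re-keying secrets.yaml`.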
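Review bot: `local_ip` is left as commented-out code rather than removed or replaced, and the hunk does not say why; the likely cause is that the new machine has no interface named `eth0`, but that is a guess. If the mail module needs the outbound address, set it from the new interface name or a literal; if it has a usable default, delete the line. Either way record the decision in place, e.g. `# local_ip left unset: no eth0 on the new host, module default applies`, instead of dead config that someone will blindly uncomment. The `cloud.mail = {` attribute set continues past the hunk.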
@@ -1,10 +1,10 @@ { modulesPath, ... }: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.loader.grub.device = "/dev/vda"; + boot.loader.grub.device = "/dev/sda"; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; boot.initrd.kernelModules = [ "nvme" ]; - fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; }; - + fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; # swap - swapDevices = [{ device = "/var/swapfile"; }]; + swapDevices = [{ device = "/var/swapfile"; size = 2 * 1024; }]; }
diff --git a/nki-personal-do/secrets/recipient.txt b/nki-personal-do/secrets/recipient.txt
index 37d7a3a..165a642 100644
--- a/nki-personal-do/secrets/recipient.txt
+++ b/nki-personal-do/secrets/recipient.txt
@@ -1 +1,2 @@
 age1z2h24mjt80fryqupajkh3kg5r4sjgw65uqy489xeqxhqj8u2a9fsm3ff36
+age1n8tnmmgredzltzwkspag7aufhrn6034ny8ysjeulhkwdnf7vqqaqec4mg5
diff --git a/nki-personal-do/secrets/secrets.yaml b/nki-personal-do/secrets/secrets.yaml
index e3ff776..e814be5 100644
--- a/nki-personal-do/secrets/secrets.yaml
+++ b/nki-personal-do/secrets/secrets.yaml
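Review bot: The root filesystem and the GRUB target are still addressed by kernel device name (`/dev/sda1`, `/dev/sda`), and this hunk itself shows why that is brittle: the move already flipped `vda` to `sda`, and the added `availableKernelModules` list pulls in several block drivers (`ata_piix`, `xen_blkfront`, `vmw_pvscsi`) whose probe order can shift the name again. Use a stable identifier for the filesystem — `fileSystems."/" = { device = "/dev/disk/by-uuid/<uuid>"; fsType = "ext4"; };` (or `by-label`) — and a `/dev/disk/by-id/…` path for `boot.loader.grub.device` if the bootloader is reinstalled on rebuild. `boot.initrd.kernelModules = [ "nvme" ]` is kept although the disk is no longer NVMe-named; harmless, but it looks stale and deserves a comment or removal.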
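Review bot: `recipient.txt` now lists two age recipients while the `.sops.yaml` rule for the same `secrets.yaml` lists three (`nki_pc` is absent here), so the two lists already disagree within this one patch. What consumes this file is not visible (the `nix-deploy-secrets` input bumped in `flake.lock` is a plausible candidate); whichever list is authoritative should generate the other, or a comment in `.sops.yaml` should state which one to edit and that the other is derived. If nothing reads it, delete it rather than maintain a second, drifting copy of the recipient set.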
@@ -12,14 +12,32 @@ sops: azure_kv: [] hc_vault: [] age: + - recipient: age1hw22lrsskyvsrwgq9kl48eekwyzgnwt57pe9d9zx3q9xrwyrte4qgvft78 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3NHY2Y0lsVFViMHBTUHRp + L2RROGV3OGhSZGVmRnJTZWlZNVJVMFJ4N2hzCllXRXg3bTBjZFBvM3FPRlhBbkRu + VWR1UkFKUmJhT25OUWQ1aXJiRkhkV2sKLS0tIEF1Zkp0bUFsTGFaMjFYTUNNYmFx + N2RGSHpTajRuV3JEcElkN0VZdCtrczgKbpjSE6pSDD/bIa6he0sfH9dE74Z5ZpTG + DmPwclKkBarbCY50w1U4crHkhwICkHKNX0K1YwAdwuXBsgGEEJsPug== + -----END AGE ENCRYPTED FILE----- + - recipient: age1n8tnmmgredzltzwkspag7aufhrn6034ny8ysjeulhkwdnf7vqqaqec4mg5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVWVZMm53L3ViaWhwZVFD + bWhwUDFaVmp4VE1IanFkeUIrYmxnS3IrZ0VNCnFicjJVamxDTmJ4VWVFRmYyUmRV + OW50RlRlN3pzK3VZbko4dkN1QklnMncKLS0tIG55Zi95dTl1akFQczNlbFY2Nmt1 + VUJWS09UMU9PS3pnL01zR05Id01wVXcK15My8g1eqxq89XxrBs5uCIxX6qTq/HEK + pJRrUlz9VEsbvi2Lr2SfQT84ouNc0nk6/8qlzmJUNAktydw5VCyDug== + -----END AGE ENCRYPTED FILE----- - recipient: age1z2h24mjt80fryqupajkh3kg5r4sjgw65uqy489xeqxhqj8u2a9fsm3ff36 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2eUo1WjJtdDhzWjFrM3Rm - QkovcmoxdjNsMXdyaVZiNFhZZGlqOUMvcEJ3Ckk3TnJzNDVBWVFTNUd5RXhlcDU5 - Y2xmdmVjYUZRMXF1Y1RZZDZGMXM3NDgKLS0tIGdreURjTFVxSWQ5ODJPQlpySWxY - NUovcTZlOVpyTm5WWGkyUmdLRUVpcmMK1YIwNE/5avvplxqtUFs1JZn7f2AuTzyR - lRtXUm8InT5GwV50Ot6FLdai5aVxpicafduH/J5RSAXqL8LssQi7HA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBob0N3bk91S3JSOGxqQm5J + YnJlMjZEL2ppamdkM2lyZXNvOEozWGJXSUVzCmxnbldrNVZLSWt4TnJveEg4ZGpO + bENvWG5VV1FRTUtLaDV5Y3FsQmVFOGcKLS0tIFd3WTZ6bTF1WW5TRFJwckN3dERQ + U1V2ZGozMWc3NzJMamgwbXB6dE4vME0Kxw2aeENkO0hg0bvpshoI1rMbw8T6LpXf + n1bnkmfCSE2V5JlI7z6jvuW/6C7bo6RDbbmLOA8dbF4sVTbnymsqsw== -----END AGE ENCRYPTED FILE----- lastmodified: "2022-10-17T11:49:07Z" mac: 
ENC[AES256_GCM,data:T2fDMcgfP+CVO3UyPhE2LnwZrCjnQfyxIAYE/L3kANAf6+dW7p3NsWvV6N9K39sdDKJ1ZWa239efCcFIRwiE91vbuTZQAudfP9pDvRAo2TfWis0PhB32S3Vs2e1MGQiYyEtPzLuLOGzDldUEexQfiUCpWd1NGGvpE3Fo378QCig=,iv:fSwa5xmasrNlQkaBL0kcJK3NjhLnRH6txlzhPW8LlMc=,tag:xWuajzQ1F3HWXXRJfFS8fg==,type:str]