Get remote builder working

.sops.yaml

@@ -7,7 +7,7 @@ keys:
   - &host_htpc age1gkzp905yqkla54l52m4xkqtxpn0sndkx0vh6qqa8d2tu29x8f35q354gpe
   - &host_matrix age1c4d93hmawmx8nt8g2sjrxcngfl7qx7y6vwxpqqg7grrkhjen6fvstljgg9
   - &host_controller age1vdrdnzqjy9uj34slwkpk9tfnfnn7s7z20m48tel7ezh0svgruf3sjwfsy2
-  - &host_builder age136e2dcvs2uus498qhjz33dzth4tly7s94hvkk3c22pzu4a7xzg7snzgacj
+  - &host_builder age1kqzvvxxmlv7gudllrsnle8q2hct8vx7pl3ehswkn2gaqkuxhxpcqplglyk
 
 creation_rules:
   - path_regex: '(secrets.json|secrets.yml)$'

Justfile

@@ -34,3 +34,6 @@ age-from-host host:
 
 update-secret-files:
     find -E . -regex '^.*secrets\.(json|yml)' -execdir sops updatekeys {} -y ';'
+
+nixos-anywhere hostname host:
+    nixos-anywhere --flake .#{{ hostname }} --build-on-remote root@{{ host }}

deploy/keys.tf

@@ -18,3 +18,19 @@ resource "aws_key_pair" "deploy_key" {
   key_name   = "generated-key-${sha256(tls_private_key.deploy_key.public_key_openssh)}"
   public_key = tls_private_key.deploy_key.public_key_openssh
 }
+
+resource "tls_private_key" "builder_key" {
+  algorithm = "RSA"
+}
+
+resource "local_sensitive_file" "builder_key" {
+  content         = tls_private_key.builder_key.private_key_pem
+  filename        = "${path.module}/../keys/builder_rsa"
+  file_permission = "0600"
+}
+
+resource "local_sensitive_file" "builder_public_key" {
+  content         = tls_private_key.builder_key.public_key_openssh
+  filename        = "${path.module}/../keys/builder_rsa.pub"
+  file_permission = "0600"
+}

deploy/vms.tf

@@ -104,34 +104,34 @@ resource "proxmox_vm_qemu" "builder" {
   cores       = 8
   qemu_os     = "other"
   scsihw      = "virtio-scsi-single"
-  # boot        = "order=scsi0"
+  boot        = "order=scsi0"
 
   onboot = true
   agent  = 1
 
   bios = "seabios"
 
   network {
-    model  = "virtio"
-    bridge = "vmbr0"
-    tag    = 10
-    # macaddr   = "CE:22:2C:7F:DE:79"
+    model     = "virtio"
+    bridge    = "vmbr0"
+    tag       = 10
+    macaddr   = "3A:7D:CB:E6:11:D9"
     link_down = false
     firewall  = false
-    # mtu       = 0
-    # queues    = 0
-    # rate      = 0
+    mtu       = 0
+    queues    = 0
+    rate      = 0
   }
 
   disk {
     type    = "scsi"
     size    = "2048G"
     storage = "local-zfs"
     discard = "on"
-    # file    = "vm-101-disk-0"
-    format = "raw"
-    slot   = 0
-    # volume  = "local-zfs:vm-101-disk-0"
+    file    = "vm-102-disk-0"
+    format  = "raw"
+    slot    = 0
+    volume  = "local-zfs:vm-102-disk-0"
   }
 }
 

hosts/builder/configuration.nix

@@ -1,6 +1,6 @@
-{ suites, ... }: {
+{ suites, profiles, ... }: {
   imports = with suites;
-    core ++ homelab ++ proxmox-vm
+    core ++ homelab ++ proxmox-vm ++ [ profiles.remote-builder.builder ]
     ++ [ ./hardware-configuration.nix ./disk-config.nix ];
 
   boot.loader.grub.devices =

hosts/controller/configuration.nix

@@ -16,6 +16,7 @@
       profiles.power.apc
       profiles.telemetry.prometheus-nut-exporter
       profiles.telemetry.prometheus-smokeping-exporter
+      profiles.nix.remote-builders.builder
     ] ++ [ ./disk-config.nix ./hardware-configuration.nix ];
 
   e10 = {

modules/profiles/backups/borg/secrets.yml

@@ -9,83 +9,83 @@ sops:
         - recipient: age10539mc6shf02hpa8huyjktdw3nfyavxdg8pt247wwvq4xrv8h5zs8nc0k0
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYck0wNzFnKzZYdG9ocEFh
-            WlNDRVBJakxCZHo0VjNVYVFzbUxEZ0JQSEZFClBKa3ZtRGk2SFduaUswTGlUcVlr
-            aUVzWFd4dGdMS0ljUjhncTE0L1lmOTAKLS0tIGhZUjAvT1g1aGFVUVZLTm9jNFZs
-            a0JUTkNLUzRBWm81VEw5RTlLRm1pTmsKMx0vNMs1U3/ZYKvywkBxrMjHM5OtWrP0
-            v2WceG8yZJEoiv6W94O6QLkD79Z6y4l7dTw+DLQnGpYx8KsgDQ5wsQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudXVpR2l3UnBKMFg3Ui9p
+            RkQxdk56d1kwSHRjcGRzMlF0SHJRVXFPclJJCkRvSHVTN3IydDl2eVpUSFhKSHI2
+            ZGRkSUN5b21mS1NzOEtkMDZUTTVxUDAKLS0tIGR6c2VIMzBqajQ2VUtDQU1mRWZK
+            RVV2TFQrRVEyMGpCYUNLRGY3NFB1QTAKomVKEp4PRzSku9cedri9sJcvZJvj37fk
+            z94RCZ8nSgZn3mR4TfC3860LXwHkmdyq5ixE3jLLvhlRactzZlRWHw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1xgvn6f36rkzmq2kfqx0g2xg90qrpar4hpu6fr8xc3s2kqw6dzqcssnslsv
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4TjZ0Z2VRbXEwYXYvZXpR
-            L0tseU5ncjhEcmNnaHBTODkzNzdBTmhYeEJNCmxEM2NQR25CWStPRmQ1YXBTNTZT
-            R1BFbldBcDN1WDhLVG55TlRnRWpNMUUKLS0tIGxMc1VWVWxoUW9HdWpsajU4MHYv
-            WDZkWFpRRGU5eGliZXAzeWN4elZFNXcKhynil5KWHMPm+LQvEP1dw8vZ6QhpSvjL
-            QlmY2siq8b8pfR3e1C1BA/ZciSx9gZQzuU23zUIHSmjoAwOsItRl4w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTllUbjhLR2ZZM0dyLzhr
+            RHFOK21DRk9DMkdxbnY3WDNmNS9iZldhaXdrCkdOWTFReVhGOXRESSswMCtuOWVV
+            MUw3ejhUM2JpUGhrd0U4cWxZR3ZHa00KLS0tIDBuQTRNZ2d5R0ZMbGE2eWpjZ1dl
+            bE5BQjR6c1NyYkNpcktoYXQwU1F4WDQKcEOedsb/n117WE+GGnDN6dq2YzaHrB/x
+            HQSZr6E11Z7nLiANqjv7SL6aXKCnUvg8ZUZLY5c0p+R1ET5MkDWmgg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ex9c847ra3fkwv9qwk85a8ukt9f5jny6rusc3pn967dvkwlpwass56jrfd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa0RVUG9zL3F0TmxxRVp3
-            WTJPOFY0Yzg5VEY2NmVDQitBSStzb0F0c1JvCm5oN2syQUcwVFo4Q0E4U1c3U0Rh
-            RXh2REZZM2plN1UvYmVDMUM5ZjZXMFEKLS0tIDZEcU1IcWhwZyt4cHRYaVA4RUFZ
-            dkwyVE9KVGRxTnlEOTAwd3VKVlV4blUKkW3kIk923/bUsKWiozLK+5a0svq5Qrlb
-            mQjF1rCEkx1eOjcaOOqSvhlSlKFAUFC+xKwd9RVVlVN+ATwjoi65Cg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcWtXK2ZrVUt6SnlPYVdT
+            ZGZBL0V1Y21LaGk1SGxPWmpLNWkzL0ZUOFE4ClhsRVFaa2RSZVFXcVg4SVdWN0M2
+            dFVoZEtDdEFGcTUrMVJteVBlUFh6WHcKLS0tIEVmOXkydThyNmdkb0Qxb1NLR2lU
+            aVpvbXhBbjhuMWV1cUpxb2tXdEN1VUkK2PCNWmbq4NUKrBS87t87mJU46mn1/Kso
+            c09yD5rVVXKPaEEPwj7zQD1R+zAXYr8F2XqAtasby3Gj07oa6L2rJw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age13ztzxk2f2cklrecwqztmwznvj2qdrjlrpcu6xmc698yfex8puvdqsryrcj
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLWFd2ZWRHUE5Uck1PZG5B
-            WEpJcVNzL2QwN1NoTTlXR2Y5SnNGeDBCV1Y4CmxvSktSeUREVTJhZ21mRkJCelFm
-            amFteDJQSVZoazdFWmxKa0t4anJFWjQKLS0tIHNrWHpnWWpxbFllbGp2NGh2Ullt
-            UkRwLzFlWloxL1FXWXF6WWd3MFRsRjQKRoO8fDqIbBfYRGn+FBKD/GrtvDrijGRe
-            FYaiFt0BCQtIJA2LS7b4mXYQoeVLx+WY7X5xorpTjB4f5OoFW8dHJA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKVHlNaURxU3BSdTFKT01W
+            Znp2TUQ1MVloSjV5dVpuL1A2THpxOU9MNHprCkZMaEVTbGhrYkd0MU45WUtLbU1U
+            eS9vODVEQmlKODEwbnFuZUFPYU9OeVUKLS0tIHZKajRYbWU4NW94ZzZCL0VWVFFy
+            UGZvQ0x6eG1UVHUvZ3M2L1pvcnNGRm8KIaz6zjjAuncHPSmrw7ImcbPSc47lbQ3f
+            +sQV5rNVzQAbosk93g65e1t30kltb8WdU8BDwtpmxlaYhXPtTIqCRw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1k5nzxq4ej2u9ls97c2dhlz96j2vghv0assz5g0p4npzyc8c8fqlqld72hg
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaRlk3QnE5Ty9YdDFQV2VU
-            TEZmQm5KVVRFVFdaWnBocS81d0JPdnV4TmtvCm1uV3dNMGZNT2Z1NzdlUnlOZ1p3
-            ZVdXQXc0S3dPY0ZmVWRYb3RrWi9lQmMKLS0tIHhGUUowZDFpdjZ5RktaQVhNMkJK
-            U0dKNG8wMGl0WE9BZVF2aWw2MkEzWnMKqqTkVjQdhcD8PT2mz7bjHhYgrYnkoIcX
-            1zkJaPGj4kkK3dm1A3cP8C9k9XZfLjubBeZQJfLuuwYk5uHKWYEwxQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VnQydFJqM1NQQVYxZlpS
+            NGg5cS9MTjIxdysvNU9CWWdFL0NXeFlodTNBCjZYWFE0VHQza1JFbEp1c2FKeFJ3
+            TUVnRUtleW53REZ4SUZycjlZVExGWkEKLS0tIFdyZlBmQi9CeTZpTjhwVnhIaWFr
+            QlhSV1RXRGJnZThoUFdzUVROTkhIWXcK6Q+S9MVVcTiowLg2dYB5cJXCW+qTpIBN
+            iYSU3zceoUQvVBJJxtqPLky/lZn9sBdiyvZV8sZ/q8kWI3pJv9h9CA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1gkzp905yqkla54l52m4xkqtxpn0sndkx0vh6qqa8d2tu29x8f35q354gpe
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaQTR5Y3BabVR6M0RCT2Rx
-            WC9xVmZxdHRBRXdpM2dOYmZ0VkZIcU15QldNCkkyUFNuTnMrb29QbWh6dEZiVnd1
-            VDZkbGZMUmpKN1VndVlpK2pCdGJIblEKLS0tIENsMDBXc0VWcU5WdWRlOUdhNTBq
-            SzZleU0zazIyQ0wxUkZNQUE3U1RtaDAKTO/BSyEwCL657NCzmkSxJcovkQ2eFZo6
-            OvB628QQokdeRCQ1y20TRw9ji6knFTo7adHYUr96UWKIy4gU5ePDxw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZHRiWURzMHh1OVl1aDFW
+            cWRmNVcrNkpPTDlvcG1VL2syM1BqQlNNVVFjCkR6VHdVV3p3TEFCd3hHUlhYVUtX
+            MFNVdTR5cEwxZHpGeEg3MXFDb3c3anMKLS0tIDRzVWtWRzg3Q05EUUY0REFPTElY
+            Qm1RQkdRY0tyT1hnZEJIQlNNZnB0MzAKvRbLCgL8disPaMEa1iuiEzBdcUf8p7Au
+            +0T1Sa4VKEkTC5xjctPwCWTOmYCSFZUCa5OnA3saHg4urdY5yCL9eA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1c4d93hmawmx8nt8g2sjrxcngfl7qx7y6vwxpqqg7grrkhjen6fvstljgg9
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwd29qMUthaGdHQmFISzV5
-            c1F5azRPb1krMUNLZHZreGQ0TSs0TDliVlVvClBURGhvT3lkSkZzWllSeVM5bCtH
-            MzVHNVZUek1BcktPWWZEQ01WMTBIT0UKLS0tIFhHcmJnVnF4U1d6c3lIY3NHbjE2
-            VTk5TE0rdGZYR2NXVUZTbkJNVjlQcFUKq5DCR3+BfOxcCRcJbsao+8gSndcWa6GC
-            um6l0uqm+10Y5nzwwzocnLkPQzATiJZ30Ih2ZXK2WQjDGoBJttTDhA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbUZjV3BZZE94eFJJTjk3
+            S1IxVGlzZWdYNndoTXVicjhITzZpMmJXSVhnCmRCZE9NMUcwOUlTYVZpb2JqUTgv
+            RHJWN2paaE1IdjN4UWlWR3dMZ080bUUKLS0tIERaUm5Ick0ybUxad3p5Z3paTDhH
+            VW5OVTM1MWFHdnYxZGdtNW9IcVdDcXMKTXVq9H/d7Fr+xjwUR4tlmWDKFCdRgWb6
+            PL171V9zPOvq5vIjHcI/3LA+HvurnbgWjYHJofpY98lgfo0635r0wg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1vdrdnzqjy9uj34slwkpk9tfnfnn7s7z20m48tel7ezh0svgruf3sjwfsy2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwczFnUngvK0Z6KzNyeHVn
-            V3dSQ3JNYkQ3YlhaSGNtV2pXQzY1d2dBc20wCmJ1K2h0TWlwcXRNSy94WDRyZ3RT
-            bVdCOHo5dkF1Z3ZlMU1YMEs2Q2d6SGsKLS0tIGtJMzdmbmZTKy95RUxEZzlZbXNB
-            VXg2ZGsranZPSndSaFRhY1NVMVd1Q0EKQb+IXg2VV6sBQPNsdV3vVypJDhWYRwlv
-            nKkNdTVvQJY0aqhGi27zsG169p7Yp5P5VaykLncYALcbxIyi3eZvjg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSc0VWbkQrVUd2STBqY2sw
+            bjNFdGZabGtUMW02Q2dEN2Y0Z0YxbzZza0NBCkdLWXg3RnJra3BLZ2RvUDNKakYz
+            cmRROU9ybGxta2Z0cVh2czkzWWVPSjgKLS0tIHVpWHlsbmw2U3JyTWM3bWRFeG4r
+            bkZpTkdvSjRobHVGUnVoVTJsdDFtUFkKfTjEl8e/V/E72IFlx1vzaT44yju631/p
+            qqx5B6xjn95F+I6wTYwIfKMiLuI7sEFUFKgWPeFJPusZTRip18AkyQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age136e2dcvs2uus498qhjz33dzth4tly7s94hvkk3c22pzu4a7xzg7snzgacj
+        - recipient: age1kqzvvxxmlv7gudllrsnle8q2hct8vx7pl3ehswkn2gaqkuxhxpcqplglyk
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TC9peERFOXBodE5jOFI0
-            amJFMy9KYXJtdGs5enZnRXdvWWVTZzhXQXpRCi8zV3NxS1hLcWExcmlWeDcwdDVh
-            b2lpL2orNTBza1YzQWY3NGxNTC9zbXcKLS0tIFNndjJjbkVCV3VEYjczc3VuVmxS
-            ckpHU0pVNHVJSldNSGg5MDJpYjhXTmMKityFrRe1UNEtSX3BhrGcW+jUum3bl2nV
-            8R5+SpCMv4RFVzjBzMIKHaBx7vpKovfW4D733+tcD5L3Jc6p+uplwA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6VDludjB4Z1pEZUhzU3VC
+            L3hLUHkzUEEvTDFsNFlERzZhT3BJQmRkU3dBCkJoWjY3alIrVmNKM1g5QlA0c1VZ
+            UnVtZDVxM2d0VzhtSDU2SnVlcDZESEEKLS0tIEs4azgzMUJOc0xBMDUxY015T1pn
+            My9NV0ViZDlGM2V2eTVKZmlydVpYUHMK+bY/iMSNJaZtAeQvZ95IeSiMjW7Ud4b7
+            XBM85+119D2rM5gn9nNQFcl3F8kBTcEL35Wggcp3HqMFxOuL0dPVYw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-08-31T03:01:06Z"
     mac: ENC[AES256_GCM,data:NswuHhj/nosAyGhpaI3ejhR2Gy38eIM6/uYImMjWO6dNKbrWzMdX9pBhxj0IVLvNzMuMKSk+E46szIOn7JhINSFuUYbQeAUily6/CKMvQt1TdObcTsOmic6HceT2E/Nts2tPbzmihS6NVpHJ8uIQf/u6IBKlaid5lc4AvFBr1ng=,iv:7elNsLI53nyNSk2LwrbF5wksFiW2fNdxkyyyVRO23g8=,tag:NHu8IaRDAVu033ND4wFOag==,type:str]

modules/profiles/networking/blocky.nix

@@ -85,11 +85,11 @@
           }";
       };
       ede.enable = true;
-      # queryLog = {
-      #   type = "postgresql";
-      #   target = "postgres://blocky?host=/run/postgresql";
-      #   logRetentionDays = 90;
-      # };
+      queryLog = {
+        type = "none";
+        # target = "postgres://blocky?host=/run/postgresql";
+        # logRetentionDays = 90;
+      };
     };
   };