authorMike Vink <mike@pionative.com>2024-06-20 10:13:36 +0200
committerMike Vink <mike@pionative.com>2024-06-20 10:13:36 +0200
commit4037e2da7b0a10e087ba00f3c09ebf24e65c4953 (patch)
tree60ee67f68760ffbd4b8bddc30b4db50c5689fdb1
parent0aaaf2021709000f858bde126fcff19a67227113 (diff)
use vmware fusion to have a vm with nixos
-rw-r--r--ivi/ivi.nix3
-rw-r--r--justfile16
-rw-r--r--machines/vm-aarch64.nix3
-rw-r--r--profiles/core/syncthing.nix2
-rw-r--r--secrets/root.yaml5
-rw-r--r--secrets/syncthing.yaml5
6 files changed, 28 insertions, 6 deletions
diff --git a/ivi/ivi.nix b/ivi/ivi.nix
index 473838b..c2b36d3 100644
--- a/ivi/ivi.nix
+++ b/ivi/ivi.nix
@@ -124,6 +124,9 @@ self: lib: with lib; let
profiles = [
"core"
];
+ syncthing = {
+ enable = false;
+ };
};
persephone = {
isFake = true;
diff --git a/justfile b/justfile
index 808e3cc..01f2683 100644
--- a/justfile
+++ b/justfile
@@ -29,6 +29,20 @@ NIXNAME := "vm-aarch64"
nixos-install --no-root-passwd && reboot
"
+@vm-secrets ip:
+ # GPG keyring
+ rsync -av -e 'ssh {{SSH_OPTIONS}}' \
+ --exclude='.#*' \
+ --exclude='S.*' \
+ --exclude='*.conf' \
+ $HOME/.gnupg/ root@{{ip}}:~/.gnupg
+ # SSH keys
+ rsync -av -e 'ssh {{SSH_OPTIONS}}' \
+ --exclude='environment' \
+ $HOME/.ssh/ root@{{ip}}:~/.ssh
+ # Sops keys
+ rsync -avr -e 'ssh {{SSH_OPTIONS}}' --relative ~/./.config/sops root@{{ip}}:~
+
# copy the Nix configurations into the VM.
@vm-copy ip:
rsync -av -e 'ssh {{SSH_OPTIONS}} -p22' \
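Review bot: `vm-secrets` copies all of `$HOME/.gnupg/` and `$HOME/.ssh/` into root's home on the VM, which is far more key material than anything in this commit consumes; the only consumer shown is `sops.age.keyFile`, which reads `sops/age/keys.txt`. Consider limiting the recipe to that file, for example `rsync -av -e 'ssh {{SSH_OPTIONS}}' --relative ~/./.config/sops/age/keys.txt root@{{ip}}:~`, or giving the VM its own age key added as a sops recipient so the host's private keys never leave the host. `SSH_OPTIONS` is defined outside this hunk; if it relaxes host-key checking, the keys are sent to whichever machine answers at `ip`, so that is worth confirming. The later justfile hunk makes `vm-switch` depend on `vm-secrets`, so the copy is repeated on every switch rather than once at provisioning.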
@@ -38,7 +52,7 @@ NIXNAME := "vm-aarch64"
# run the nixos-rebuild switch command. This does NOT copy files so you
# have to run vm/copy before.
-@vm-switch ip: (vm-copy ip)
+@vm-switch ip: (vm-copy ip) (vm-secrets ip)
ssh {{SSH_OPTIONS}} -p22 root@{{ip}} " \
sudo NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nixos-rebuild switch --flake \"/nix-config#{{NIXNAME}}\" \
"
diff --git a/machines/vm-aarch64.nix b/machines/vm-aarch64.nix
index ced1b86..9832eb2 100644
--- a/machines/vm-aarch64.nix
+++ b/machines/vm-aarch64.nix
@@ -1,6 +1,9 @@
# https://github.com/mitchellh/nixos-config/blob/main/machines/vm-aarch64-prl.nix
{ config, pkgs, lib, ... }: {
system.stateVersion = "24.05";
+
+ sops.age.keyFile = "${config.hm.xdg.configHome}/sops/age/keys.txt";
+
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = true;
services.openssh.settings.PermitRootLogin = "yes";
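Review bot: The added `sops.age.keyFile` puts the key that decrypts the repository's secrets on a machine whose context lines set `PasswordAuthentication = true` and `PermitRootLogin = "yes"`, so root's password becomes the only barrier in front of that key. If password login is needed only for the initial install, tighten it afterwards, e.g. `services.openssh.settings.PermitRootLogin = "prohibit-password";`. The path also needs checking: the `vm-secrets` recipe copies the sops directory to `root@{{ip}}:~`, while this option points at `config.hm.xdg.configHome`, which presumably belongs to the home-manager user rather than root. If the two differ, decryption will not find the key. A short comment such as `# copied in by "just vm-secrets"` would document where the file comes from.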
diff --git a/profiles/core/syncthing.nix b/profiles/core/syncthing.nix
index b736379..f8d6ee2 100644
--- a/profiles/core/syncthing.nix
+++ b/profiles/core/syncthing.nix
@@ -6,7 +6,7 @@ in {
];
services.syncthing = {
- enable = mkDefault true;
+ enable = machine.syncthing.enable;
user = ivi.username;
inherit group;
dataDir = config.ivi.home;
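Review bot: `enable = machine.syncthing.enable;` drops both the `mkDefault` priority and the `true` fallback, so every machine now has to define `syncthing.enable`, and a host module can no longer override the value with a plain assignment. Only one machine gains the attribute in this commit (the `ivi/ivi.nix` hunk); unless a default is declared outside the visible lines, evaluation will fail for the others. Something like `enable = mkDefault (machine.syncthing.enable or true);` keeps the old behaviour for machines that do not set it.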
diff --git a/secrets/root.yaml b/secrets/root.yaml
index 65d5d81..cb40a7d 100644
--- a/secrets/root.yaml
+++ b/secrets/root.yaml
@@ -1,5 +1,6 @@
serber: ENC[AES256_GCM,data:YJLm1K1eW7QPFN5t3j1ni+J5m9hZemDBMHy/1X8CcMfoMPn/OJDpN4Hyz0CvdblxDNrHHCYGhDPJjZIt,iv:5j1/9sthguwv7a6JD/7OwbKB+jaj+E+ezA0/TiHHsSw=,tag:x690F9djFbnvtGbXeOFytQ==,type:str]
lemptop: ENC[AES256_GCM,data:Ga7/9T9r2yPui30iGDN0XJ8kGYkBz4AILHMHpTo0kuT2DQiMoW0cVypABZK84hnVZcooATWpNHNoiFGs,iv:YcZEmRGeHg6RZmPpJueLlf2VznAenP5e40D7DHsKiOc=,tag:I57ssbo2CBIGLfnLlG25Ig==,type:str]
+vm-aarch64: ENC[AES256_GCM,data:icELFMMOdg8VHq3Lcq8WJ9OV/ps5a94ZL4SVSo8lni7DmSXmmSv9lywIjQ0ZQ7nFIVKUY21tT3x4H4Yu,iv:NsEZ5HXEvlHyr+uSgd0ieWfKewWRJ6o7Xl6KOFGbniM=,tag:VlzgnZyt9HwBD/OKvqTMcw==,type:str]
cal: ENC[AES256_GCM,data:FV9wdQ4IXvQe+KaqdVyaWkrhQu5lpeWkH5Zcz2isY/nrxWF/yAj8hNdXbzwvyzxQ7P3nd90kxSh5+BU5,iv:/bs7ERZucexZff/VJoDj5S3ANrVHwsDA9uO/Jr+NsmA=,tag:Y7OtAiflkpM3kLnKye2Wjw==,type:str]
pump: ENC[AES256_GCM,data:u66iqqcBBXkrM6Qz88HD5XydOg/D3p33ewKHjmF6zOm9ej0ZWVPU35Kh9yMFb7hAPDw8ORvsXBT5Hgvr,iv:f60wnqabPaiq3o2rh9lce+/2Y6YLR4QIFriTgCMG3H0=,tag:PuQsRAUv96MW41xZeR0m0Q==,type:str]
sops:
@@ -35,8 +36,8 @@ sops:
MEk2L1dEMnNOVWtsZmZPeEpYd3lNOEUKgd61tQUwe9bMItjEKzQ3LPoNphM/aYV+
gf2yIwMCHXzbY1B5e3zsFyVR1W9x2DhqkXDoehCKoDpFoOz+R8b7Kw==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-09T00:06:31Z"
- mac: ENC[AES256_GCM,data:a09Hj80Pb2MArNf0qBoQ4u3NDjXjBAuIsJIuMcMopaJOYy8a6Uqy8TqavMLvr94jcYGA9zOSQJ+cfq2EdFwLnTe6BBol0TP0Qonk7GjYXUdviQuiletTDNHhQT3q0WJdDUhbN/6I1CE0zaTts/GV9gWVALtt5wTvtMfw4gSiJU8=,iv:0LbmlKaCvh5p7vh8D6clsVOuI7w2fxap12AYqBXoV0c=,tag:TP6hzonQ7iRW9x0cdL1eAA==,type:str]
+ lastmodified: "2024-06-20T07:38:46Z"
+ mac: ENC[AES256_GCM,data:ucCoVJuKwfwWOmeLkAY3X3b092tWwFJzh/YUAVoz6/9S8n1foctIiP+Z61E2FlIY9Psad/tUxS7EA+WqnmZFO329dTutYWxfiDyqTv+/ZRra5ADFMmn3YmFgi52Yc2vr7xgCmFXD/s1hXCcNyhdcnMoj5z1BaM7RSv4c13HZqlA=,iv:S7ujEndKsA+MFKIuGzHoTm9P8lsO07d5gl7Y3BmoNi0=,tag:544CPDv0t/ZtWdCyB9fg9w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
diff --git a/secrets/syncthing.yaml b/secrets/syncthing.yaml
index fc05fb9..7eedf46 100644
--- a/secrets/syncthing.yaml
+++ b/secrets/syncthing.yaml
@@ -2,6 +2,7 @@ lemptop: ENC[AES256_GCM,data:3dmcPh8EtBYe2KQQ1HMddLey5Qdhtz7kGvMFZaqidMZ099ycd+E
pump: ENC[AES256_GCM,data:2Vu1idorw/kMsDThT2ywGmdPMgQdDHQItpZRukpdiapcKxMa65U/AQzshkbuQVTN5AaDkMNnLQrrLt8qQY0QxhTpddc4+y1kLaVAE5G+8di/2GJiGKUAjHOwyX72BXqjkAYOZ6u96PThOs3PmyhHhiH5ge9ZpOh1zOG2CD4dzoMLHHPHgSv8NLuhZ3kuc3yE3a/YgMgs9NjCvL44Pks8ktVq9DZAJfJB+eRGJPA9k6sN1NP1vMW9RKnk6dI+ZwOz1OHnQvfyVqe/vJxG96m4ALq4oeqn003+me72GB4DO9GLx2IkAsK0Jw9ZoiiJDSfEMVGzhH348mZXfAsTTb2coN9+834V5tBIT9OVDx+cJfHF7+7sm1FHH+fkzbteSH4q,iv:2IY08X5IYjGPEEZYqB/Sa8B1GOkURQg8nqgRwgTJs5c=,tag:ey3TMSDpt5xuEB9eH1ylOw==,type:str]
work: ENC[AES256_GCM,data:Kfw00ljs0JUEMET3Ii+pQwdNAe7A49oZUB+f5+rKU/doKqW5KC5T4vRV+AY2xIle6Gz2qQI4tN9ffdFZnKS6HvS/aoSnPwSrZo9VYyyBFlhcEwqfdhtzspu+oDkz6EQtqOxZAqzKP5mEPN5YRT0FWTWT99oYtXEHtuG7h80ivZbnY2gjQgkGGieq/c2TDVotS6Av/ycUd5ZQrd9iNXgeuHuQbfLF7/xhOZweYgcDuTqcGNaPdz4y/TRWQa05VkhkcByvHZ+6fG8SkZ7RjUuRsAC5D6ErJqqQmRznOZ6E6RElLWZdkIr2ahXtdU8t7VCDsInA8ua15V2vTEcVNoNYRFjDCAx3lbgO0pelHUno1bwXah6YFEPCMqlieSOMtT3p,iv:jsPrGHem6Qq87/ePRjGLcPWfAqWcy13yNCuZjN2I8pw=,tag:ED7trfDcmuIB/ljyqPMB8Q==,type:str]
serber: ENC[AES256_GCM,data:iQTU+w==,iv:FbnGkujV72nsFIk74CerwT7dxmHPQNuSMFx4vesR5gQ=,tag:xCsJYRRYwhD5r5kf2buOTw==,type:str]
+vm-aarch64: ENC[AES256_GCM,data:PSQQ/g==,iv:H8GBjrRuz4zCHQLZFCInTtFhPZQSBdiXCoAJ1JFySYA=,tag:xDuJ1xwBQb9ialpkDnIIWA==,type:str]
sops:
kms: []
gcp_kms: []
@@ -35,8 +36,8 @@ sops:
WUUxdCtNbHhtbWo0NGloY1NSMHFEYzAKZG5k7qu7N4SyUogiO+qDQIoEXcT2B4zQ
L7bA4NDUJBFNfekX6R/VWTuOdPHHIZkcbjEj79iEbFSo4DBeSOatRw==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-04T15:28:12Z"
- mac: ENC[AES256_GCM,data:dZWLIx940OneSMprfbV5gyrKdJngb1mDWEu7kP2UGaJIdFQTiSsg4hlkhZqMb0sG9WIeBuEre3AUmk7a2WudehMzl+WD/fZ/os3nStkY6kHGbnPIO6r2D6YRobtD0WPOFQNXaQ9xdyIByHjeP7hDnlNsIRSDcfmlfYHYLeFY/n4=,iv:hjTLx4kQ5NCrNkUBZTnTaCIaHLbpsm7PmXLTX1msSc0=,tag:jfGqAu9RjvpJllg2lkvFvw==,type:str]
+ lastmodified: "2024-06-20T07:40:21Z"
+ mac: ENC[AES256_GCM,data:QR8h58ORw9jApjIX//K/4GsIzVPjWRL5uH6I5UL1RCdJs06dmeotmSyNmi/BIX7BzkObS5YP8ysq3tITDiMfNwyT14S+Ju/aVUlTvxAopmIkF/jYo8DtbfIlxfV0IeXOjsOkmPSzanDQK7T8gf1NrNpKLbjWEofSPEOsInMd2MQ=,iv:iBJGMUPJVp8c2JYZjWx3ZeSbCECfbBaZhz9RyWnX4xI=,tag:Pd/AzzWcaxNvmBuSFwsweA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1