Working flake check

config/hardware/lambda.nix

@@ -68,8 +68,6 @@ in {
   nix.maxJobs = lib.mkDefault 12;
 
   networking = {
-    hostId = substring 0 8 (fileContents /etc/machine-id);
-
     macvlans = {
       intif0 = {
         interface = "enp3s0f1";

config/hardware/limina.nix

@@ -62,8 +62,6 @@ with lib; {
   hardware.bluetooth.enable = false;
 
   networking = {
-    hostId = substring 0 8 (fileContents /state/etc/machine-id);
-
     macvlans = {
       intif0 = {
         interface = "enp2s0";

config/hardware/plato.nix

@@ -59,8 +59,6 @@ with lib; {
   hardware.bluetooth.enable = false;
 
   networking = {
-    hostId = substring 0 8 (fileContents /etc/machine-id);
-
     macvlans = {
       intif0 = {
         interface = "enp1s0";

config/hardware/system3.nix

@@ -106,8 +106,6 @@ in {
   };
 
   networking = {
-    hostId = substring 0 8 (fileContents /state/etc/machine-id);
-
     useDHCP = false;
 
     macvlans = {

config/host-config/lambda.nix

@@ -88,7 +88,6 @@ in {
       mode = "0444";
     };
     nixos.source = "/etc/nixos-live";
-    "machine-id".source = "${state-dir}/host/machine-id";
     "host-config.nix".source = "/state/host/host-config.nix";
     adjtime.source = "/state/host/adjtime";
     NIXOS.source = "/state/host/NIXOS";

config/host-config/limina.nix

@@ -137,7 +137,6 @@ in {
       nixos.source = "/state/nixos";
       adjtime.source = "/state/etc/adjtime";
       NIXOS.source = "/state/etc/NIXOS";
-      machine-id.source = "/state/etc/machine-id";
       "host-config.nix".source = "/state/etc/host-config.nix";
       ## This should be handled by nixops deploy
       # "krb5.keytab" = {

config/host-config/plato.nix

@@ -41,7 +41,6 @@ in {
       nixos.source = "/state/nixos";
       adjtime.source = "/state/etc/adjtime";
       NIXOS.source = "/state/etc/NIXOS";
-      machine-id.source = "/state/etc/machine-id";
       "host-config.nix".source = "/state/etc/host-config.nix";
     };
 

config/host-config/socrates.nix

@@ -39,7 +39,6 @@ in {
       nixos.source = "/state/nixos";
       adjtime.source = "/state/etc/adjtime";
       NIXOS.source = "/state/etc/NIXOS";
-      machine-id.source = "/state/etc/machine-id";
       "host-config.nix".source = "/state/etc/host-config.nix";
     };
 

config/host-config/system3.nix

@@ -55,7 +55,6 @@ in {
       mode = "0444";
     };
     nixos.source = "/etc/nixos-live";
-    "machine-id".source = "${state-dir}/host/machine-id";
     "host-config.nix".source = "${state-dir}/host/host-config.nix";
     adjtime.source = "${state-dir}/host/adjtime";
     NIXOS.source = "${state-dir}/host/NIXOS";

config/hosts/clunk.nix

@@ -1,19 +1,19 @@
 {
   description = "rus.selby.ca gateway box.";
   docker-server = true;
-  ssh-fingerprints = [
-    "1 1 0e23d2156b1f9fca8552a0105c125aed76e51728"
-    "1 2 6d8dfc355102c9870945c6d79c1d19934d29e8b63303260101df51716963b7f5"
-    "4 1 c31a6ecaa02210e3ad72a835a072a05f043c2ef4"
-    "4 2 296ce1b91ac942a8b91e5c6316ea520d0cec14ac819a04bb262af6d4bdced696"
-  ];
+  # ssh-fingerprints = [
+  #   "1 1 0e23d2156b1f9fca8552a0105c125aed76e51728"
+  #   "1 2 6d8dfc355102c9870945c6d79c1d19934d29e8b63303260101df51716963b7f5"
+  #   "4 1 c31a6ecaa02210e3ad72a835a072a05f043c2ef4"
+  #   "4 2 296ce1b91ac942a8b91e5c6316ea520d0cec14ac819a04bb262af6d4bdced696"
+  # ];
   rp = "niten";
   admin-email = "niten@fudo.org";
   domain = "rus.selby.ca";
   site = "russell";
   profile = "server";
-  ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5";
+  # ssh-pubkeys =
+  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5";
   arch = "x86_64-linux";
   nixos-system = true;
 }

config/hosts/downstairs-desktop.nix

@@ -13,8 +13,9 @@
   domain = "rus.selby.ca";
   site = "russell";
   profile = "desktop";
-  ssh-pubkey =
-    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqyDT/JqTxWZbpOXzy1Sxba2z2hNzt2BqjLspPvJLVc9zks1GMlnKAY5Nb7y7oi+CzeZMU+KAa069wZ/mYvpas=";
+  # ssh-pubkeys = [
+  #   "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqyDT/JqTxWZbpOXzy1Sxba2z2hNzt2BqjLspPvJLVc9zks1GMlnKAY5Nb7y7oi+CzeZMU+KAa069wZ/mYvpas="
+  # ];
   arch = "x86_64-linux";
   nixos-system = false;
 }

config/hosts/france.nix

@@ -1,19 +1,19 @@
 {
   description = "Primary fudo.org server.";
   docker-server = true;
-  ssh-fingerprints = [
-    "1 1 1b6d62dafae9ebc59169dfb4ef828582a5450d94"
-    "1 2 079e7a57873542541095bf3d2f97b7350bb457d027b423a6fb56f7f6aa84ac80"
-    "4 1 c95a198f504a589fc62893a95424b12f0b24732d"
-    "4 2 3e7dad879d6cab7f7fb6769e156d7988d0c01281618d03b793834eea2f09bc96"
-  ];
+  # ssh-fingerprints = [
+  #   "1 1 1b6d62dafae9ebc59169dfb4ef828582a5450d94"
+  #   "1 2 079e7a57873542541095bf3d2f97b7350bb457d027b423a6fb56f7f6aa84ac80"
+  #   "4 1 c95a198f504a589fc62893a95424b12f0b24732d"
+  #   "4 2 3e7dad879d6cab7f7fb6769e156d7988d0c01281618d03b793834eea2f09bc96"
+  # ];
   rp = "admin";
   admin-email = "admin@fudo.org";
   domain = "fudo.org";
   site = "portage";
   profile = "server";
-  ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn";
+  # ssh-pubkey =
+  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn";
   arch = "x86_64-linux";
   # Just to stop this evaluating for now
   nixos-system = false;

config/hosts/lambda.nix

@@ -1,20 +1,21 @@
 {
   description = "sea.fudo.org experiment server.";
   docker-server = true;
-  ssh-fingerprints = [
-    "1 1 01c67478e2cc7a386a2468adb9d4627a53d69af5"
-    "1 2 750bc70f88a6c774077f20603a143b9f07436d9d074af78875850ae4df8971eb"
-    "4 1 fdb3da40dc48540a3f5644e360db9225a584f64e"
-    "4 2 310115023c1f98ae88ac94eb38dd529352f3036048d72c87e87c0ab53f186438"
-  ];
+  # ssh-fingerprints = [
+  #   "1 1 01c67478e2cc7a386a2468adb9d4627a53d69af5"
+  #   "1 2 750bc70f88a6c774077f20603a143b9f07436d9d074af78875850ae4df8971eb"
+  #   "4 1 fdb3da40dc48540a3f5644e360db9225a584f64e"
+  #   "4 2 310115023c1f98ae88ac94eb38dd529352f3036048d72c87e87c0ab53f186438"
+  # ];
   rp = "niten";
   admin-email = "niten@fudo.org";
   domain = "sea.fudo.org";
   site = "seattle";
   profile = "server";
-  ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPB5JY6jnHCRLxjqWKYkK8Xpmfyq2nA+0noPazYGd9a+";
+  # ssh-pubkey =
+  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPB5JY6jnHCRLxjqWKYkK8Xpmfyq2nA+0noPazYGd9a+";
   enable-gui = false;
   arch = "x86_64-linux";
   nixos-system = true;
+  machine-id = "c031cda2e88a4cedb3b22f41f9042646";
 }

config/hosts/limina.nix

@@ -1,19 +1,20 @@
 {
   description = "Seattle Gateway Server.";
-  ssh-fingerprints = [
-    "1 1 36cbb85f83e84a4052777cf9b3cfb0f7947f3e4e"
-    "1 2 041c59238f599f7a3a4ec39151f5bc79fdcf917ec7ef2c400ed19a8d148fbeeb"
-    "4 1 07318d35f52203d337d4f457acc6d00ebf0e1aad"
-    "4 2 c58ef49cb6e150995ae0bd5dd502a0fc18289caf1438fb0bc9821455c8d1f41f"
-  ];
+  # ssh-fingerprints = [
+  #   "1 1 36cbb85f83e84a4052777cf9b3cfb0f7947f3e4e"
+  #   "1 2 041c59238f599f7a3a4ec39151f5bc79fdcf917ec7ef2c400ed19a8d148fbeeb"
+  #   "4 1 07318d35f52203d337d4f457acc6d00ebf0e1aad"
+  #   "4 2 c58ef49cb6e150995ae0bd5dd502a0fc18289caf1438fb0bc9821455c8d1f41f"
+  # ];
   rp = "niten";
   admin-email = "niten@fudo.org";
   domain = "sea.fudo.org";
   site = "seattle";
   profile = "server";
-  ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
+  # ssh-pubkey =
+  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
   tmp-on-tmpfs = false;
   arch = "x86_64-linux";
   nixos-system = true;
+  machine-id = "0a1d961dbcc04037ab7938f15801c765";
 }

config/hosts/nostromo.nix

@@ -1,19 +1,20 @@
 {
   description = "sea.fudo.org primary server.";
   docker-server = true;
-  ssh-fingerprints = [
-    "1 1 075ee0ae86debffa6fd61436984b39e4699c93c6"
-    "1 2 17a555b21fe08841c8dfb0d598dc2da117b94bf5a94cbf2c6b391eafd3e2c15e"
-    "4 1 ce86eabbe6f015e6422d0f5ef9ae32cc7beb1f42"
-    "4 2 44a5741825d43e571f6f9eb91e8c102eea75a4632dd8a9c80668e091a5fdf7f5"
-  ];
+  # ssh-fingerprints = [
+  #   "1 1 075ee0ae86debffa6fd61436984b39e4699c93c6"
+  #   "1 2 17a555b21fe08841c8dfb0d598dc2da117b94bf5a94cbf2c6b391eafd3e2c15e"
+  #   "4 1 ce86eabbe6f015e6422d0f5ef9ae32cc7beb1f42"
+  #   "4 2 44a5741825d43e571f6f9eb91e8c102eea75a4632dd8a9c80668e091a5fdf7f5"
+  # ];
   rp = "niten";
   admin-email = "niten@fudo.org";
   domain = "sea.fudo.org";
   site = "seattle";
   profile = "server";
-  ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb";
+  # ssh-pubkey =
+  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb";
   arch = "x86_64-linux";
   nixos-system = true;
+  machine-id = "709076ea18254f8f9097c4e54dde5ab3";
 }

config/hosts/plato.nix

@@ -1,22 +1,23 @@
 {
   description = "Niten's toy server.";
-  ssh-fingerprints = [
-    "4 1 9cc052ed00cbfd82c60530ebb3a35c25c0aeace9"
-    "4 2 5938044054e9fa6cf3ad8176ef8e81b86eede598c19388220d4b07587f6f1c3c"
-    "1 1 eebe1d4a24e0e2dbc46a7cb1107333c06e60d89e"
-    "1 2 a96609da442372bd73044d823b4b56bbaa597725c846b4326be76c323bb47ab3"
-  ];
+  # ssh-fingerprints = [
+  #   "4 1 9cc052ed00cbfd82c60530ebb3a35c25c0aeace9"
+  #   "4 2 5938044054e9fa6cf3ad8176ef8e81b86eede598c19388220d4b07587f6f1c3c"
+  #   "1 1 eebe1d4a24e0e2dbc46a7cb1107333c06e60d89e"
+  #   "1 2 a96609da442372bd73044d823b4b56bbaa597725c846b4326be76c323bb47ab3"
+  # ];
   rp = "niten";
   admin-email = "niten@fudo.org";
   domain = "sea.fudo.org";
   site = "seattle";
   profile = "server";
-  ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b";
-  build-pubkeys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMPjwpcktL0Rhjc/D3ZmzwkSRqSJX5TGjMXVstpg8nNqQQrj9DxPq7gV4a+1LxMtQGPUv4gYx7De1a5LMVk8u6qJJnaLlt3TB1e1SUCBxxeh5sWIY5BMx8Q0/aRTkyTchyczX6FX0LXM7FP6yvxZVZSn2WHRp7REr8G1PUAwuIGy2a4bKOUSh5Uj4riXFXnROW2mp1vUfe5oH4X5HP3ACCXWRVUFdqDt1ldcrqqi+7/8x2G1eOHJcQ7B5FdL3uuq0nBrUzFQTt6KCHy0C2Jc3DFwOS1+ZdGKZpao+/arh/fH+LQfMUePx/AQOkYrJwvuRwbxg8XmlZ89u2gyDuqapzjBmsu+wyd5pF2QglyTRZW9Ijy1NTuzduPm6wgqN0Q09evFJvM9ZjShcIY3xTcCGDxpwTeYgMVXMF79sV9u+JwCSBpaIyteIJ7M/J/NWmaKoUF6Ia9mNts889Ba9TKzQFek19KYetOB2hfXV+7bvXrH+OBppzpdrztJFavBceQTs="
-  ];
+  # ssh-pubkey =
+  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b";
+  # build-pubkeys = [
+  #   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMPjwpcktL0Rhjc/D3ZmzwkSRqSJX5TGjMXVstpg8nNqQQrj9DxPq7gV4a+1LxMtQGPUv4gYx7De1a5LMVk8u6qJJnaLlt3TB1e1SUCBxxeh5sWIY5BMx8Q0/aRTkyTchyczX6FX0LXM7FP6yvxZVZSn2WHRp7REr8G1PUAwuIGy2a4bKOUSh5Uj4riXFXnROW2mp1vUfe5oH4X5HP3ACCXWRVUFdqDt1ldcrqqi+7/8x2G1eOHJcQ7B5FdL3uuq0nBrUzFQTt6KCHy0C2Jc3DFwOS1+ZdGKZpao+/arh/fH+LQfMUePx/AQOkYrJwvuRwbxg8XmlZ89u2gyDuqapzjBmsu+wyd5pF2QglyTRZW9Ijy1NTuzduPm6wgqN0Q09evFJvM9ZjShcIY3xTcCGDxpwTeYgMVXMF79sV9u+JwCSBpaIyteIJ7M/J/NWmaKoUF6Ia9mNts889Ba9TKzQFek19KYetOB2hfXV+7bvXrH+OBppzpdrztJFavBceQTs="
+  # ];
   tmp-on-tmpfs = false;
   arch = "x86_64-linux";
   nixos-system = true;
+  machine-id = "988f39a3b6ab454e9d7dad65bfe36bbe";
 }

config/hosts/procul.nix

@@ -1,19 +1,19 @@
 {
   description = "informis.land server.";
   docker-server = true;
-  ssh-fingerprints = [
-    "1 1 d089902f60751b3d35b5329bf7b906df254d5fa7"
-    "1 2 8deebf42bbc40881a327f561bffd5d7bd328a4fc94d4e4ce8c502a9c6cbdfb92"
-    "4 1 2a8e086d3589ce50b58c55bc35638af8da23988e"
-    "4 2 55a9f7c0addf08bb24c62ced954574db6e95eff38ee56d6a2cff312d20eb910e"
-  ];
+  # ssh-fingerprints = [
+  #   "1 1 d089902f60751b3d35b5329bf7b906df254d5fa7"
+  #   "1 2 8deebf42bbc40881a327f561bffd5d7bd328a4fc94d4e4ce8c502a9c6cbdfb92"
+  #   "4 1 2a8e086d3589ce50b58c55bc35638af8da23988e"
+  #   "4 2 55a9f7c0addf08bb24c62ced954574db6e95eff38ee56d6a2cff312d20eb910e"
+  # ];
   rp = "niten";
   admin-email = "niten@fudo.org";
   domain = "informis.land";
   site = "joes-datacenter-0";
   profile = "server";
-  ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEsvl1mTSWJJrqXbYrc8wYdlOiW5gNg4Nzf2QCxB6XW";
+  # ssh-pubkey =
+  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEsvl1mTSWJJrqXbYrc8wYdlOiW5gNg4Nzf2QCxB6XW";
   tmp-on-tmpfs = false;
   enable-gui = false;
   arch = "x86_64-linux";

config/hosts/socrates.nix

@@ -1,19 +1,20 @@
 {
   description = "sea.fudo.org deploy server.";
-  ssh-fingerprints = [
-    "1 1 4055c1d922ec858e703856dd76237f09219261e5"
-    "1 2 0f7bfa92fa0435785782b68ca4c9b71786d67df60804ea4b4c42ebb37d061659"
-    "4 1 5dc2b674554df5e042171b4045fcfe31f03ad01a"
-    "4 2 9bcf664a191e31bf53aa4728828480babdab5377da39a002324303c719b16a55"
-  ];
+  # ssh-fingerprints = [
+  #   "1 1 4055c1d922ec858e703856dd76237f09219261e5"
+  #   "1 2 0f7bfa92fa0435785782b68ca4c9b71786d67df60804ea4b4c42ebb37d061659"
+  #   "4 1 5dc2b674554df5e042171b4045fcfe31f03ad01a"
+  #   "4 2 9bcf664a191e31bf53aa4728828480babdab5377da39a002324303c719b16a55"
+  # ];
   rp = "niten";
   admin-email = "niten@fudo.org";
   domain = "sea.fudo.org";
   site = "seattle";
   profile = "server";
-  ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4TqqumZwSDLkg8cTpR734zM+nuqEp1ufaQPoFdqCab";
+  # ssh-pubkey =
+  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4TqqumZwSDLkg8cTpR734zM+nuqEp1ufaQPoFdqCab";
   tmp-on-tmpfs = false;
   arch = "x86_64-linux";
   nixos-system = true;
+  machine-id = "edc4baa9cc1c401dba1bf870725b4bf0";
 }

config/hosts/spark.nix

@@ -1,20 +1,21 @@
 {
   description = "Niten's backup desktop.";
-  ssh-fingerprints = [
-    "1 1 d26812dee9b26a19a52c38d2b346442979093142"
-    "1 2 981db46fdd0ad1639651c700a527602425237c1d4999265372ed92e093a965b3"
-    "4 1 67fa0a36e51fd4a5ed2b71ff9817cb9a372d0a63"
-    "4 2 c17d46061d722e1e6c878341b8e3c0bf87ea6e0e1426c54a989107dfb604d81b"
-  ];
+  # ssh-fingerprints = [
+  #   "1 1 d26812dee9b26a19a52c38d2b346442979093142"
+  #   "1 2 981db46fdd0ad1639651c700a527602425237c1d4999265372ed92e093a965b3"
+  #   "4 1 67fa0a36e51fd4a5ed2b71ff9817cb9a372d0a63"
+  #   "4 2 c17d46061d722e1e6c878341b8e3c0bf87ea6e0e1426c54a989107dfb604d81b"
+  # ];
   rp = "niten";
   admin-email = "niten@fudo.org";
   enable-gui = true;
-  ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO67/CNhiG9UynaflmZUUK7f3O/GwFpnXri/PxpgHcPa";
+  # ssh-pubkey =
+  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO67/CNhiG9UynaflmZUUK7f3O/GwFpnXri/PxpgHcPa";
   profile = "desktop";
   domain = "sea.fudo.org";
   site = "seattle";
   android-dev = true;
   arch = "x86_64-linux";
   nixos-system = true;
+  machine-id = "63dbd567d55a468482aa15d8aa9097f6";
 }

config/hosts/system3.nix

@@ -1,20 +1,21 @@
 {
   description = "Niten's gaming desktop.";
-  ssh-fingerprints = [
-    "1 1 c1bec5217880c0567f23414663d59804cf5c0fe4"
-    "1 2 bb4e479f14591dc230141e0d87b1a0fd1bdee52ad369a83188714100476c26f6"
-    "4 1 c1c2c74c3e2bb214f59b51a6a02452fe2e1658ea"
-    "4 2 897793ada12accb15231732a4c6e4ea34f1cd88d13ee9f3fc0b74a40d588b36c"
-  ];
+  # ssh-fingerprints = [
+  #   "1 1 c1bec5217880c0567f23414663d59804cf5c0fe4"
+  #   "1 2 bb4e479f14591dc230141e0d87b1a0fd1bdee52ad369a83188714100476c26f6"
+  #   "4 1 c1c2c74c3e2bb214f59b51a6a02452fe2e1658ea"
+  #   "4 2 897793ada12accb15231732a4c6e4ea34f1cd88d13ee9f3fc0b74a40d588b36c"
+  # ];
   rp = "niten";
   admin-email = "niten@fudo.org";
   enable-gui = true;
-  ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEb/+VMOdBavfZxZOto/qa7Xy0T1nJdd7X52nPJdfB1k";
+  # ssh-pubkey =
+  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEb/+VMOdBavfZxZOto/qa7Xy0T1nJdd7X52nPJdfB1k";
   profile = "desktop";
   domain = "sea.fudo.org";
   site = "seattle";
   android-dev = true;
   arch = "x86_64-linux";
   nixos-system = true;
+  machine-id = "39ebe622cf40413b950d832105e0bb2e";
 }

config/hosts/zbox.nix

@@ -1,20 +1,21 @@
 {
   description = "Niten's primary desktop.";
-  ssh-fingerprints = [
-    "1 1 3aff8c913615c81512be3a42fc83daeb90d94a3d"
-    "1 2 39c7500f08022963f3f2db4f3ebb7aad08c92d0cc937984ba86c4eba204ed493"
-    "4 1 862842d99f5afb33db4f073d2f3d1154c6417110"
-    "4 2 373536d3d59f2354b1bfc25c02120c86e9b3af574b6c1984210d9e9c1d5244e3"
-  ];
+  # ssh-fingerprints = [
+  #   "1 1 3aff8c913615c81512be3a42fc83daeb90d94a3d"
+  #   "1 2 39c7500f08022963f3f2db4f3ebb7aad08c92d0cc937984ba86c4eba204ed493"
+  #   "4 1 862842d99f5afb33db4f073d2f3d1154c6417110"
+  #   "4 2 373536d3d59f2354b1bfc25c02120c86e9b3af574b6c1984210d9e9c1d5244e3"
+  # ];
   rp = "niten";
   admin-email = "niten@fudo.org";
   enable-gui = true;
-  ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKVhHfRf2086SAqOmu2dNbsJI9UUAQWop+1lrcJlNgl8";
+  # ssh-pubkey =
+  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKVhHfRf2086SAqOmu2dNbsJI9UUAQWop+1lrcJlNgl8";
   profile = "desktop";
   domain = "sea.fudo.org";
   site = "seattle";
   android-dev = true;
   arch = "x86_64-linux";
   nixos-system = true;
+  machine-id = "e5f456e3183a4dc186181a70bc3af2d1";
 }

flake.lock

@@ -46,7 +46,7 @@
         "ssh-keypairs": "ssh-keypairs"
       },
       "locked": {
-        "narHash": "sha256-fCEml2rFMgJboI7EN0QQLsAYSKdKegnu23IwRK5GBdE=",
+        "narHash": "sha256-5lkN+UzOEgzUIDhX8tRdWyqO6aqDCzTK0DvCJ2AgUSw=",
         "path": "/state/secrets",
         "type": "path"
       },

initialize.nix

@@ -19,9 +19,9 @@ in {
   ];
 
   config = {
-    fudo.local-network.timestamp = build-timestamp;
-
-    instance = { hostname = hostname; };
+    instance = {
+      inherit hostname build-timestamp;
+    };
 
     nixpkgs.pkgs = pkgs;
 

lib/fudo/distributed-builds.nix

@@ -2,7 +2,9 @@
 
 with lib;
 let
-  sys = callPackage ../system.nix {};
+  sys = import ../system.nix { inherit config lib; };
+
+  hostname = config.instance.hostname;
 
   site-cfg = config.fudo.sites.${sys.local-site};
 
@@ -13,9 +15,9 @@ let
   enable-distributed-builds =
     site-cfg.enable-distributed-builds && has-build-servers && build-keypair != null;
 
-  local-build-cfg =
-    mkIf (hasKey site-cfg.build-servers hostname)
-      site-cfg.build-servers.hostname;
+  local-build-cfg = if (hasAttr hostname site-cfg.build-servers) then
+    site-cfg.build-servers.${hostname}
+      else null;
 
 in {
   config = {
@@ -39,8 +41,8 @@ in {
       ${local-build-cfg.build-user} = {
         isSystemUser = true;
         openssh.authorizedKeys.keyFiles =
-          foldr (a: b: a ++ b) []
-            mapAttrsToList (host: hostOpts: hostOpts.build-pubkeys) sys.local-hosts;
+          concatLists
+            (mapAttrsToList (host: hostOpts: hostOpts.build-pubkeys) sys.local-hosts);
       };
     };
   };

lib/fudo/dns.nix

@@ -139,7 +139,7 @@ in {
             $TTL 12h
 
             @ IN SOA ns1.${dom}. hostmaster.${dom}. (
-              ${toString builtins.currentTime}
+              ${toString config.instance.build-timestamp}
               30m
               2m
               3w

lib/fudo/hosts.nix

@@ -4,8 +4,28 @@ with lib;
 let
   mapOptional = f: val: if (val != null) then (f val) else null;
 
+  masterKeyOpts = { ... }: {
+    options = with types; {
+      key-path = mkOption {
+        type = str;
+        description = "Path of the host master key file, used to decrypt secrets.";
+      };
+
+      public-key = mkOption {
+        type = str;
+        description = "Public key used during deployment to decrypt secrets for the host.";
+      };
+    };
+  };
+
   hostOpts = { hostname, ... }: {
     options = with types; {
+      master-key = mkOption {
+        type = nullOr (submodule masterKeyOpts);
+        description = "Public key for the host master key, used by the host to decrypt secrets.";
+        default = null;
+      };
+
       domain = mkOption {
         type = str;
         description =
@@ -109,9 +129,9 @@ let
       };
 
       ssh-pubkeys = mkOption {
-        type = listOf str;
+        type = listOf path;
         description =
-          "SSH keys of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key.";
+          "SSH key files of the host.";
         default = [];
       };
 
@@ -150,6 +170,12 @@ let
         description = "System architecture of the system.";
       };
 
+      machine-id = mkOption {
+        type = nullOr str;
+        description = "Machine id of the system. See: man machine-id.";
+        default = null;
+      };
+
       android-dev = mkEnableOption "Enable ADB on the host.";
     };
   };
@@ -187,23 +213,35 @@ in {
         enable = (length host-cfg.external-interfaces) > 0;
         allowedTCPPorts = [ 22 ];
       };
+
+      hostId = mkIf (host-cfg.machine-id != null)
+        (substring 0 8 host-cfg.machine-id);
     };
 
     # NixOS generates a stupid hosts file, just force it
-    environment.etc.hosts = let
-      host-entries = mapAttrsToList
-        (ip: hostnames: "${ip} ${concatStringsSep " " hostnames}")
-        config.fudo.system.hostfile-entries;
-    in mkForce {
-      text = ''
+    environment.etc = {
+      hosts = let
+        host-entries = mapAttrsToList
+          (ip: hostnames: "${ip} ${concatStringsSep " " hostnames}")
+          config.fudo.system.hostfile-entries;
+      in mkForce {
+        text = ''
         127.0.0.1 ${hostname}.${domain-name} ${hostname} localhost
         127.0.0.2 ${hostname} localhost
         ::1 ${hostname}.${domain-name} ${hostname} localhost
         ${concatStringsSep "\n" host-entries}
       '';
-      user = "root";
-      group = "root";
-      mode = "0444";
+        user = "root";
+        group = "root";
+        mode = "0444";
+      };
+
+      machine-id = mkIf (host-cfg.machine-id != null) {
+        text = host-cfg.machine-id;
+        user = "root";
+        group = "root";
+        mode = "0444";
+      };
     };
 
     # fudo.hosts.${hostname}.build-pubkeys =
@@ -269,31 +307,29 @@ in {
       members = system.local-admins;
     };
 
-    programs.ssh.knownHosts = let
-      keyed-hosts =
-        filterAttrs (host: opts: opts.ssh-pubkey != null) config.fudo.hosts;
+    # programs.ssh.knownHosts = let
+    #   keyed-hosts =
+    #     filterAttrs (host: opts: opts.ssh-pubkeys != []) config.fudo.hosts;
 
-      traceOut = obj: builtins.trace obj obj;
+    #   crossProduct = f: list0: list1:
+    #     concatMap (el0: map (el1: f el0 el1) list1) list0;
 
-      crossProduct = f: list0: list1:
-        concatMap (el0: map (el1: f el0 el1) list1) list0;
+    #   getHostnames = hostOpts:
+    #     [ hostOpts.hostname ]
+    #     ++ (crossProduct (host: domain: "${host}.${domain}")
+    #       ([ hostOpts.hostname ] ++ hostOpts.aliases)
+    #       ([ hostOpts.domain ] ++ hostOpts.extra-domains));
 
-      getHostnames = hostOpts:
-        [ hostOpts.hostname ]
-        ++ (crossProduct (host: domain: "${host}.${domain}")
-          ([ hostOpts.hostname ] ++ hostOpts.aliases)
-          ([ hostOpts.domain ] ++ hostOpts.extra-domains));
+    #   getHostEntryPairs = host:
+    #     map (hostname: nameValuePair hostname { publicKey = host.ssh-pubkey; })
+    #     (getHostnames host);
 
-      getHostEntryPairs = host:
-        map (hostname: nameValuePair hostname { publicKey = host.ssh-pubkey; })
-        (getHostnames host);
+    #   hostAttrsToList = hostAttrs:
+    #     mapAttrsToList (hostname: opts: { hostname = hostname; } // opts)
+    #     hostAttrs;
 
-      hostAttrsToList = hostAttrs:
-        mapAttrsToList (hostname: opts: { hostname = hostname; } // opts)
-        hostAttrs;
-
-      getKnownHosts = hosts:
-        concatMap getHostEntryPairs (hostAttrsToList hosts);
-    in listToAttrs (getKnownHosts keyed-hosts);
+    #   getKnownHosts = hosts:
+    #     concatMap getHostEntryPairs (hostAttrsToList hosts);
+    # in listToAttrs (getKnownHosts keyed-hosts);
   };
 }

lib/fudo/local-network.nix

@@ -83,11 +83,6 @@ in {
         description = "Definition of network to be served by local server.";
         default = { };
       };
-
-    timestamp = mkOption {
-      type = int;
-      description = "Timestamp of build, to be used as a serial.";
-    };
   };
 
   config = mkIf cfg.enable {
@@ -149,7 +144,7 @@ in {
           $TTL 1h
 
           @ IN SOA ns1.${cfg.domain}. hostmaster.${cfg.domain}. (
-            ${toString cfg.timestamp}
+            ${toString config.instance.build-timestamp}
             1800
             900
             604800
@@ -206,7 +201,7 @@ in {
         name = cfg.domain;
         file = pkgs.writeText "${cfg.domain}-zone" ''
           @ IN SOA ns1.${cfg.domain}. hostmaster.${cfg.domain}. (
-            ${toString cfg.timestamp}
+            ${toString config.instance.build-timestamp}
             5m
             2m
             6w

lib/fudo/secrets.nix

@@ -4,32 +4,33 @@ with lib;
 let
   cfg = config.fudo.secrets;
 
-  encrypt-on-disk = { secret-name, target-host, source-file }:
+  encrypt-on-disk = { secret-name, target-host, target-pubkey, source-file }:
     pkgs.stdenv.mkDerivation {
       name = "${target-host}-${secret-name}-secret";
       phases = "installPhase";
       buildInputs = [ pkgs.age ];
-      installPhase = let key = config.fudo.hosts.${target-host}.ssh-pubkey;
-      in ''
-        age -a -r "${key}" -o $out ${source-file}
+      installPhase = ''
+        age -a -r "${target-pubkey}" -o $out ${source-file}
       '';
     };
 
   decrypt-script = { secret-name, source-file, target-host, target-file
-    , decrypt-key, user, group, permissions }:
+    , host-master-key, user, group, permissions }:
     pkgs.writeShellScript
     "decrypt-fudo-secret-${target-host}-${secret-name}.sh" ''
       rm -rf ${target-file}
-      age -d -i ${decrypt-key} -o ${target-file} ${
-        encrypt-on-disk { inherit secret-name source-file target-host; }
+      age -d -i ${host-master-key.key-path} -o ${target-file} ${
+        encrypt-on-disk {
+          inherit secret-name source-file target-host;
+          target-pubkey = host-master-key.public-key;
+        }
       }
       chown ${user}:${group} ${target-file}
       chmod ${permissions} ${target-file}
     '';
 
   secret-service = target-host: secret-name:
-    { source-file, target-file, user, group, permissions, key-type ? "ed25519"
-    }: {
+    { source-file, target-file, user, group, permissions }: {
       description = "decrypt secret ${secret-name} for ${target-host}.";
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
@@ -42,11 +43,9 @@ let
             fi
           '';
         ExecStart = let
-          decrypt-keys =
-            filter (key: key.type == key-type) config.services.openssh.hostKeys;
-          decrypt-key = head (map (key: key.path) decrypt-keys);
+          host-master-key = config.fudo.hosts.${target-host}.master-key;
         in decrypt-script {
-          inherit secret-name source-file target-host target-file decrypt-key
+          inherit secret-name source-file target-host target-file host-master-key
             user group permissions;
         };
       };
@@ -56,7 +55,7 @@ let
   secretOpts = { ... }: {
     options = with types; {
       source-file = mkOption {
-        type = path; # CAREFUL: this will copy the file to nixstore...I think?
+        type = path; # CAREFUL: this will copy the file to nixstore...keep on deploy host
         description = "File from which to load the secret.";
       };
 

lib/fudo/sites.nix

@@ -129,12 +129,6 @@ let
         };
       };
 
-      build-user = mkOption {
-        type = str;
-        description = "User as which to run builds.";
-        default = "nix-site-builder";
-      };
-
       local-networks = mkOption {
         type = listOf str;
         description = "List of networks to consider local at this site.";
@@ -163,7 +157,7 @@ let
     };
   };
 
-  buildServerOpts = { ... }: {
+  buildServerOpts = { hostname, ... }: {
     options = with types; {
       port = mkOption {
         type = port;
@@ -199,7 +193,7 @@ let
       build-user = mkOption {
         type = str;
         description = "User as which to run distributed builds.";
-        default = "site-builder";
+        default = "nix-site-builder";
       };
     };
   };
@@ -212,17 +206,17 @@ in {
   };
 
   config = {
-    users.users = {
-      ${site-cfg.build-user} = mkIf
-        (any (build-host: build-host == config.instance.hostname)
-          (attrNames site-cfg.build-servers)) {
-            isSystemUser = true;
-            openssh.authorizedKeys.keys =
-              concatMap (hostOpts: hostOpts.build-pubkeys)
-                (attrValues site-hosts);
-            shell = pkgs.bash;
-          };
-    };
+    # users.users = {
+    #   ${site-cfg.build-user} = mkIf
+    #     (any (build-host: build-host == config.instance.hostname)
+    #       (attrNames site-cfg.build-servers)) {
+    #         isSystemUser = true;
+    #         openssh.authorizedKeys.keys =
+    #           concatMap (hostOpts: hostOpts.build-pubkeys)
+    #             (attrValues site-hosts);
+    #         shell = pkgs.bash;
+    #       };
+    # };
 
     networking.firewall.allowedTCPPorts =
       mkIf site-cfg.enable-ssh-backdoor [ site-cfg.dropbear-ssh-port ];

lib/fudo/ssh.nix

@@ -14,15 +14,16 @@ let
 
   dns-sshfp-records = host: keypair: let
     filename = sshfp-filename host keypair;
-  in mkDerivation {
+  in pkgs.stdenv.mkDerivation {
+    name = "${host}-sshfp-record";
+
+    phases = [ "installPhase" ];
+
     buildInputs = with pkgs; [ openssh ];
 
-    buildPhase = ''
-      ssh-keygen -r REMOVEME -f ${keypair.public-key} | sed 's/^REMOVEME IN SSHFP //' > ${filename}
-    '';
-
     installPhase = ''
-      mv ${filename} $out/${filename}
+      mkdir $out
+      ssh-keygen -r REMOVEME -f "${keypair.public-key}" | sed 's/^REMOVEME IN SSHFP //' > $out/${filename}
     '';
   };
 
@@ -42,7 +43,7 @@ in {
         ssh-pubkeys = map (keypair: keypair.public-key) keypairs;
         ssh-fingerprints = map (keypair:
           let
-            fingerprint-derivation = dns-sshfp-records hostname keypair.public-key;
+            fingerprint-derivation = dns-sshfp-records hostname keypair;
             filename = sshfp-filename hostname keypair;
           in builtins.readFile "${fingerprint-derivation}/${filename}") keypairs;
       }) config.fudo.secrets.files.host-ssh-keypairs;
@@ -55,13 +56,24 @@ in {
       type = keypair.key-type;
     }) host-keypairs;
 
-    programs.ssh.knownHosts = mapAttrs (hostname: keypairs: {
-      publicKeyFile = keypairs.public-key;
-      hostNames = let
-        host-cfg = config.fudo.hosts.${hostname};
-        domains = [host-cfg.domain] ++ host-cfg.extra-domains;
-      in [ hostname ] ++
-         (map (domain: "${hostname}.${domain}") domains);
-    });
+    programs.ssh.knownHosts = let
+
+      keyed-hosts =
+        filterAttrs (h: o: o.ssh-pubkeys != [])
+          config.fudo.hosts;
+
+      crossProduct = f: list0: list1:
+        concatMap (el0: map (el1: f el0 el1) list1) list0;
+
+      all-hostnames = opts:
+        [ opts.hostname ] ++
+        (crossProduct (host: domain: "${host}.${domain}")
+          ([ opts.hostname ] ++ opts.aliases)
+          ([ opts.domain ] ++ opts.extra-domains));
+
+    in mapAttrs (hostname: hostOpts: {
+      publicKeyFile = builtins.head hostOpts.ssh-pubkeys;
+      hostNames = all-hostnames host-cfg;
+    }) keyed-hosts;
   };
 }

lib/instance.nix

@@ -2,12 +2,15 @@
 
 with lib;
 {
-  options.instance = {
+  options.instance = with types; {
     hostname = mkOption {
-      type = types.str;
-      description = ''
-        Hostname of this specific host (without domain).
-      '';
+      type = str;
+      description = "Hostname of this specific host (without domain).";
+    };
+
+    build-timestamp = mkOption {
+      type = int;
+      description = "Timestamp associated with the build. Used for e.g. DNS serials.";
     };
   };
 }