From 6603fc2bb943f2c82f3c518185fd5780cdbd34d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?=
Date: Sat, 29 Jan 2022 17:24:31 +0100
Subject: [PATCH] add thinkpad to the thinkpad secret file
---
 .sops.yaml | 2 ++
 config/services/old-homepage.nix | 2 +-
 config/thinkrac.nix | 10 ++++++++++
 secrets/thinkrac/secrets.yaml | 19 ++++++++++++++-----
 4 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index 0d388306..6c51c366 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,6 +2,7 @@ keys:
 - &lotte age14vup3vfvsw2m68425x5mqwaxwkv82cdvgz50cft6xfpdhuucc98sfggs0y
 - &nixos-8gb-fsn1-1 age1273ps5thcy70ckdt0270s2nysqgu48t38pq3wq975v3y7mf4eavsw38wsl
 - &nutty-noon age1zgxkntdp99dkvw7z29jjmgrzlla2ha542zrs3262dwat27a34asqckfkrl
+ - &thinkrac age1azy4hfse3x9tzhjn0htelx8qeannscr7mydmuphp2qu73v72tp3qdxt7my
 creation_rules:
 - path_regex: secrets/nixos-8gb-fsn1-1/[^/]+$
 key_groups:
@@ -17,3 +18,4 @@ creation_rules:
 key_groups:
 - age:
 - *lotte
+ - *thinkrac
diff --git a/config/services/old-homepage.nix b/config/services/old-homepage.nix
index e6a092d2..69ba2276 100644
--- a/config/services/old-homepage.nix
+++ b/config/services/old-homepage.nix
@@ -35,7 +35,7 @@ in
 sslCertificate = "/var/lib/acme/darkkirb.de/cert.pem";
 sslCertificateKey = "/var/lib/acme/darkkirb.de/key.pem";
 locations."/" = {
- proxyPass = "http://127.0.0.1:9000/darkkirb.de/";
+ proxyPass = "http://127.0.0.1:9000/static.darkkirb.de/";
 };
 };
 sops.secrets."services/old-homepage" = { };
diff --git a/config/thinkrac.nix b/config/thinkrac.nix
index bc0da43f..a2a92050 100644
--- a/config/thinkrac.nix
+++ b/config/thinkrac.nix
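Review bot: The rule that gains `- *thinkrac` in .sops.yaml has its `path_regex` above the hunk, so it is not visible here which files the laptop's age key is being made a recipient of; it should be the host-scoped rule for `secrets/thinkrac/` and nothing shared with the servers. `creation_rules` only take effect for newly created files, so every existing file under that rule has to be re-keyed as well; this commit does that for `secrets/thinkrac/secrets.yaml`, and any other file matching the rule would still lack the new recipient. A one-line comment on the anchor would help later audits, for example `# thinkrac: laptop, recipient for secrets/thinkrac/ only`.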
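Review bot: The `proxyPass` change in config/services/old-homepage.nix, and the kernel-parameter change in config/thinkrac.nix, are not covered by the subject "add thinkpad to the thinkpad secret file". Someone auditing history for when `mitigations=off` was introduced, or why the homepage upstream path moved to `static.darkkirb.de/`, will not find it from the log. I would split these into their own commits, or at least list them in the commit body.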
@@ -116,4 +116,14 @@
 "http://192.168.2.1:9000/cache.int.chir.rs/"
 ];
 nix.buildCores = 4;
+
+ # Disable kernel mitigations
+ #
+ # Rationale:
+ # - device has a limited workload, consisting mostly of running trusted code and visiting trusted websites with an advertisement blocker
+ # - device is battery powered (we want to spend more time in an idle state, as opposed to running user code or mitigating cpu bugs)
+ # - device is also not involved in any sort of virtualization
+ boot.kernelParams = [ "mitigations=off" ];
+ # use the lowest frequency possible, to save power
+ powerManagement.cpuFreqGovernor = "powersave";
 }
diff --git a/secrets/thinkrac/secrets.yaml b/secrets/thinkrac/secrets.yaml
index 8a0d8e4e..10a4f5a9 100644
--- a/secrets/thinkrac/secrets.yaml
+++ b/secrets/thinkrac/secrets.yaml
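Review bot: `boot.kernelParams = [ "mitigations=off" ];` in config/thinkrac.nix turns off every CPU side-channel mitigation at once, and the stated rationale does not cover what this same commit does: the host becomes a sops recipient, so its age private key and the decrypted secrets sit on a machine that also runs a web browser. Script delivered by a browser is still untrusted code, even on trusted sites behind an ad blocker, and cross-process and kernel memory disclosure from such code is what these mitigations are there to limit. If the battery gain has been measured and is worth it, I would record the trade-off next to the setting, e.g. `# NOTE: this host holds a sops age key; revisit if it ever runs untrusted code or VMs`; otherwise drop the parameter and keep the kernel default. The attribute set that the closing `}` ends starts outside the hunk.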
@@ -17,11 +17,20 @@ sops:
 - recipient: age14vup3vfvsw2m68425x5mqwaxwkv82cdvgz50cft6xfpdhuucc98sfggs0y
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZkRweUNrK3NialhXK1NR
- b1drRk80SnRaNWFXVWZWMnV5cFkxZzZWQ0VvCjRjMkRtSWpwd1RhVTMxUTJYZ2Rx
- OGhQclFpNzJjL01VT0lFdnFmWnZVNncKLS0tIGw3Y25rOWlHMDBuNXhWVnJoUTZ5
- U2JtQ1F6Ni96QThJVGcrVTgvV05US1EKMvNTjUkOtUnXaoV3GYiRjHQA1iEhudOl
- 7KFYCal2OvhQhFutWOD3zp3eKGRFTmXpqo7Qo4mW/x94NQrEGZDUGA==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERWZGSE9UV0lObDBJNU1m
+ ZWVYTXZUa0lsRjdGRkJMYXR0Y2NmRnBqN1NJCkFQUVJoWEkzSzFob0Jvc3RtMWcv
+ NHp0N1VOdTcyZHBOYXJRTnZXZHlvQmcKLS0tIFV2YWt0MkZma2E2Z0VGL21Kd3RJ
+ NzBma2RMdXZaMWdjV3cyeWtrdnJzUUkKO6j1FUUKK2s61LQl7oZw3LCpGhQAAPOj
+ 6+RbaxKmrZGCz0gsNnqLw4mJUNaQ+VXfI6yv+ZxOpOgO3uNF8vfU/Q==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1azy4hfse3x9tzhjn0htelx8qeannscr7mydmuphp2qu73v72tp3qdxt7my
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWGFQRjNjMGFEeEtvNVRq
+ cTg2bUx2a000WWdaTGltSk1XNU5FNVY1eGdzCmFXL1dXdEpWZXlmRC9uR2h0YU8r
+ MXpRMGZWRjd4VWhCdmo1WEJGSmhrSE0KLS0tIGZ2aTJwd0JiVGVpK2xjWmcwdXBS
+ TWc0SlpCM0RMcHJaaWxobDlIWk9jZVEKTPMAWye0wdjV6O6kqDP+qRjXX9m/5yHB
+ fo9Lk7czmooSjEF/yfVyqackuMK48jwhOz541zqzNpmXDqGcDntiAw==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2022-01-29T14:26:48Z"
 mac: ENC[AES256_GCM,data:thCWFMYkps5uSuKJ/7ekOAFg7mXf701Jy2y61+7BvI/8d8UUzqS5PJSqorfI81eP2S6e7+6jQn4BfXPOn3mm7r84EIy4IkB09maHzx6zzxZR9HJCMsItxEgkS9XksBUWZjGHPMxO60p+VnXjvFPRtYtYkmRcp+C7r8wIT7pihZg=,iv:V8K6eI0tBavxzx5Vbe1oC5Ckr31o0bxA9mEapwkxwmc=,tag:brGrl0iqcoeG4iw+a4Zu1w==,type:str]