add thinkpad to the thinkpad secret file

2022-01-29 17:24:31 +01:00 · 2022-01-29 17:24:31 +01:00 · 6603fc2bb9
commit 6603fc2bb9
parent 6cc86785a6
4 changed files with 27 additions and 6 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -2,6 +2,7 @@ keys:
  - &lotte age14vup3vfvsw2m68425x5mqwaxwkv82cdvgz50cft6xfpdhuucc98sfggs0y
  - &nixos-8gb-fsn1-1 age1273ps5thcy70ckdt0270s2nysqgu48t38pq3wq975v3y7mf4eavsw38wsl
  - &nutty-noon age1zgxkntdp99dkvw7z29jjmgrzlla2ha542zrs3262dwat27a34asqckfkrl
+  - &thinkrac age1azy4hfse3x9tzhjn0htelx8qeannscr7mydmuphp2qu73v72tp3qdxt7my
 creation_rules:
  - path_regex: secrets/nixos-8gb-fsn1-1/[^/]+$
    key_groups:
@ -17,3 +18,4 @@ creation_rules:
    key_groups:
      - age:
          - *lotte
+          - *thinkrac
--- a/config/services/old-homepage.nix
+++ b/config/services/old-homepage.nix
@ -35,7 +35,7 @@ in
    sslCertificate = "/var/lib/acme/darkkirb.de/cert.pem";
    sslCertificateKey = "/var/lib/acme/darkkirb.de/key.pem";
    locations."/" = {
-      proxyPass = "http://127.0.0.1:9000/darkkirb.de/";
+      proxyPass = "http://127.0.0.1:9000/static.darkkirb.de/";
    };
  };
  sops.secrets."services/old-homepage" = { };
--- a/config/thinkrac.nix
+++ b/config/thinkrac.nix
@ -116,4 +116,14 @@
    "http://192.168.2.1:9000/cache.int.chir.rs/"
  ];
  nix.buildCores = 4;
+
+  # Disable kernel mitigations
+  # 
+  # Rationale:
+  # - device has a limited workload, consisting mostly of running trusted code and visiting trusted websites with an advertisement blocker
+  # - device is battery powered (we want to spend more time in an idle state, as opposed to running user code or mitigating cpu bugs)
+  # - device is also not involved in any sort of virtualization
+  boot.kernelParams = [ "mitigations=off" ];
+  # use the lowest frequency possible, to save power
+  powerManagement.cpuFreqGovernor = "powersave";
 }
--- a/secrets/thinkrac/secrets.yaml
+++ b/secrets/thinkrac/secrets.yaml
@ -17,11 +17,20 @@ sops:
        - recipient: age14vup3vfvsw2m68425x5mqwaxwkv82cdvgz50cft6xfpdhuucc98sfggs0y
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZkRweUNrK3NialhXK1NR
-            b1drRk80SnRaNWFXVWZWMnV5cFkxZzZWQ0VvCjRjMkRtSWpwd1RhVTMxUTJYZ2Rx
-            OGhQclFpNzJjL01VT0lFdnFmWnZVNncKLS0tIGw3Y25rOWlHMDBuNXhWVnJoUTZ5
-            U2JtQ1F6Ni96QThJVGcrVTgvV05US1EKMvNTjUkOtUnXaoV3GYiRjHQA1iEhudOl
-            7KFYCal2OvhQhFutWOD3zp3eKGRFTmXpqo7Qo4mW/x94NQrEGZDUGA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERWZGSE9UV0lObDBJNU1m
+            ZWVYTXZUa0lsRjdGRkJMYXR0Y2NmRnBqN1NJCkFQUVJoWEkzSzFob0Jvc3RtMWcv
+            NHp0N1VOdTcyZHBOYXJRTnZXZHlvQmcKLS0tIFV2YWt0MkZma2E2Z0VGL21Kd3RJ
+            NzBma2RMdXZaMWdjV3cyeWtrdnJzUUkKO6j1FUUKK2s61LQl7oZw3LCpGhQAAPOj
+            6+RbaxKmrZGCz0gsNnqLw4mJUNaQ+VXfI6yv+ZxOpOgO3uNF8vfU/Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1azy4hfse3x9tzhjn0htelx8qeannscr7mydmuphp2qu73v72tp3qdxt7my
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWGFQRjNjMGFEeEtvNVRq
+            cTg2bUx2a000WWdaTGltSk1XNU5FNVY1eGdzCmFXL1dXdEpWZXlmRC9uR2h0YU8r
+            MXpRMGZWRjd4VWhCdmo1WEJGSmhrSE0KLS0tIGZ2aTJwd0JiVGVpK2xjWmcwdXBS
+            TWc0SlpCM0RMcHJaaWxobDlIWk9jZVEKTPMAWye0wdjV6O6kqDP+qRjXX9m/5yHB
+            fo9Lk7czmooSjEF/yfVyqackuMK48jwhOz541zqzNpmXDqGcDntiAw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-01-29T14:26:48Z"
    mac: ENC[AES256_GCM,data:thCWFMYkps5uSuKJ/7ekOAFg7mXf701Jy2y61+7BvI/8d8UUzqS5PJSqorfI81eP2S6e7+6jQn4BfXPOn3mm7r84EIy4IkB09maHzx6zzxZR9HJCMsItxEgkS9XksBUWZjGHPMxO60p+VnXjvFPRtYtYkmRcp+C7r8wIT7pihZg=,iv:V8K6eI0tBavxzx5Vbe1oC5Ckr31o0bxA9mEapwkxwmc=,tag:brGrl0iqcoeG4iw+a4Zu1w==,type:str]