| 2026-03-29 |
Fix influxdb-token encryption (was empty)
Re-encrypted with rage directly instead of agenix EDITOR flow
which silently produced an empty ciphertext.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
Update influxdb-token for skydick InfluxDB instance
Token now authenticates against the local InfluxDB on skydick
instead of the old door1 instance.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
| 2026-03-25 |
fix xlab-gateway host key in secrets.nix and rekey
The active host key on xlab-gateway is the original one
(AAAAII+EKDpU...), not the replacement. Corrected and rekeyed.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
add ylw ed25519 key: agenix access, SSH auth, rekey all secrets
- Add ylw's ed25519 public key to secrets.nix admins list
- Re-encrypt all .age secrets so ylw can decrypt
- Add ed25519 key to ye-lw21 authorized SSH keys
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
| 2026-03-24 |
harden and fix: nftables input chain, sudo, agenix, ZFS, NAT priority
- Add inet input_filter table to xlab-gateway (policy drop on WAN)
- Restrict NOPASSWD sudo to ldx only; ylw uses password sudo via wheel
- Restructure secrets.nix with admins list, prepare for ylw ed25519 key
- Add ye-lw21 to trusted-users in common.nix
- Remove contradictory relatime=on when atime=off on rpool
- Fix NAT postrouting priority: filter → srcnat
- Remove duplicate nixpkgs.hostPlatform from xlab-gateway hardware-configuration
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
| 2026-03-21 |
| 2026-03-15 |
skydick: switch Samba to ldapsam, rename ylw→ye-lw21, drop legacy datasets
- Samba passdb backend changed from tdbsam to ldapsam:ldap://10.0.0.1
- Added samba-ldap-admin-password oneshot to seed LDAP admin cred before smbd
- Pinned storage group to GID 997 to match LDAP posixGroup
- Renamed ylw to ye-lw21 across all hosts (users.nix, skydick, xlab-gateway)
- Removed legacy tmpfiles and NFS exports (share/backup/torrent/vm destroyed)
- Added bootstrap LDIF for sambaDomain, storage group, machines OU
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
skydick: enable LDAP-backed NSS for POSIX identity resolution
Add users.ldap with nslcd pointed at ldap://10.0.0.1/ for passwd/group
lookups. This is identity-only: loginPam=false keeps SSH/console auth
local, and Samba stays on tdbsam until sambaSamAccount objects exist
in LDAP.
- Add agenix secret for LDAP bind credential (cn=query_user)
- nss_initgroups_ignoreusers ALLLOCAL avoids boot-time NSS deadlock
- Add openldap package for admin ldapsearch/ldapmodify
- Update DATAPOOL.md to reflect LDAP identity model, numeric UID/GID
in tmpfiles for LDAP-only users, and current auth boundaries
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-14 |
skydick: add Telegraf monitoring with SMART, ZFS, and system metrics
Sends metrics to door1 InfluxDB (bucket: skydick) via Telegraf.
Monitors all 5 Mach2 SAS drives, NVMe P4500, and boot SSD via SMART.
InfluxDB token encrypted with agenix.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
| 2026-03-07 |
Re-encrypt secrets with SSH recipients (not age recipients)
age encrypts differently for age vs SSH recipients. agenix passes
raw SSH host keys as identities, which can only decrypt SSH-recipient
stanzas. Previously used ssh-to-age conversion which created
age-recipient stanzas, causing "no identity matched" errors.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
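A defensive pre-commit check that follows from the "Re-encrypt secrets with SSH recipients" entry above and from the later "Fix influxdb-token encryption (was empty)" fix: an added shell example, not code from this repository, that reads only the plaintext age header of each .age file and reports an empty ciphertext or a file whose stanzas are for age (X25519) rather than SSH recipients. The sample files and their base64 values are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not part of this repository. agenix hands age the raw SSH
# host key as its identity, so a file it can decrypt must carry an ssh-*
# stanza; an X25519 stanza alone means the file was encrypted to an age
# recipient (e.g. via ssh-to-age) and will fail with "no identity matched".
# An empty file is the agenix EDITOR failure mode. Nothing is decrypted.

# Print the recipient type of every header stanza ("-> TYPE ..."), one per
# line. The header ends at the "---" MAC line.
age_stanza_types() {
    sed -n '2,/^---/p' "$1" | awk '$1 == "->" { print $2 }'
}

# One-word verdict: ok, empty, not-age, or no-ssh-stanza.
check_age_file() {
    f="$1"
    if [ ! -s "$f" ]; then echo empty; return 0; fi
    if [ "$(head -n 1 "$f")" != "age-encryption.org/v1" ]; then echo not-age; return 0; fi
    if age_stanza_types "$f" | grep -q '^ssh-'; then echo ok; else echo no-ssh-stanza; fi
}

# Constructed sample files (placeholder base64, no real keys) in a temp dir.
AGE_DEMO_DIR=$(mktemp -d)
printf '%s\n' 'age-encryption.org/v1' \
    '-> ssh-ed25519 cGxjaA ZXhhbXBsZS1lcGhlbWVyYWwtc2hhcmU' \
    'ZXhhbXBsZS13cmFwcGVkLWZpbGUta2V5' \
    '--- ZXhhbXBsZS1tYWM' 'ciphertext-placeholder' > "$AGE_DEMO_DIR/good.age"
printf '%s\n' 'age-encryption.org/v1' \
    '-> X25519 ZXhhbXBsZS1lcGhlbWVyYWwtc2hhcmU' \
    'ZXhhbXBsZS13cmFwcGVkLWZpbGUta2V5' \
    '--- ZXhhbXBsZS1tYWM' 'ciphertext-placeholder' > "$AGE_DEMO_DIR/wrong-recipient.age"
: > "$AGE_DEMO_DIR/empty.age"

# Report one line per file; against a real checkout, loop over the
# repository's .age files instead of the sample directory.
for f in "$AGE_DEMO_DIR"/*.age; do
    printf '%-14s %s  [%s]\n' "$(check_age_file "$f")" "$(basename "$f")" \
        "$(age_stanza_types "$f" | tr '\n' ' ')"
done
```

A non-"ok" verdict on any file is a reason to rekey with the full SSH public key as recipient before pushing.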
Re-encrypt secrets with correct full host public key
The xlab-gateway SSH public key was previously truncated
(missing AAAAC3NzaC1lZDI1NTE5 type prefix), causing agenix
decryption failures. Re-encrypted all .age files with the
correct full key. Verified decryption succeeds on target host.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
Add agenix-encrypted secrets and flake.lock
- Encrypted WireGuard keys for xlab-gateway (wgnet, skyworks, warp)
- Encrypted WireGuard PSK for wg-to-wgnet
- Placeholder skydick WireGuard secret
- Updated disko.nix with correct NVMe disk ID (MEMPEK1J016GAD)
- Generated flake.lock pinning nixpkgs 24.11, disko, agenix, deploy-rs
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|
Initial skyworks infrastructure flake
Unified NixOS configuration for skydick (storage server) and
xlab-gateway (lab router). Flat module structure with shared
common/users/ssh modules, agenix secrets, disko, and deploy-rs.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
|