feat: start migrating steveej-t14 and sj-vps-htz-0 to sops

nix/os/devices/steveej-t14/system.nix

@@ -3,6 +3,7 @@
   lib,
   config,
   nodeName,
+  repoFlake,
   ...
 }: let
   passwords = import ../../../variables/passwords.crypt.nix;
@@ -10,18 +11,37 @@ in {
   nix.settings = {
     substituters = [
       "https://holochain-ci.cachix.org"
-      # "https://cache.holo.host/"
+      "https://cache.holo.host/"
     ];
     trusted-public-keys = [
       "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
-      # "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
-      # "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
+      "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
+      "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
     ];
 
     extra-experimental-features = ["impure-derivations"];
     system-features = ["recursive-nix" "big-parallel"];
   };
 
+  networking.extraHosts = ''
+    # qemu box
+    172.24.40.13 steveej-qemu.infra.holochain.org
+    172.24.40.13 steveej-qemu.d.dweb.city
+
+    # bare metal
+    192.168.14.117 steveej-hw1.infra.holochain.org
+    192.168.14.117 steveej-hw1.d.dweb.city
+    192.168.14.117 steveej-hw2.infra.holochain.org
+    192.168.14.117 steveej-hw2.d.dweb.city
+    192.168.14.117 steveej-hw3.infra.holochain.org
+    192.168.14.117 steveej-hw3.d.dweb.city
+    192.168.14.117 steveej-hw4.infra.holochain.org
+    192.168.14.117 steveej-hw4.d.dweb.city
+
+    172.24.135.11 emerge3.d.dweb.city
+    172.24.74.194 emerge4.d.dweb.city
+  '';
+
   networking.bridges."virbr1".interfaces = [];
   networking.interfaces."virbr1".ipv4.addresses = [
     {
@@ -35,7 +55,7 @@ in {
 
   # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
   networking.firewall.interfaces."eth+".allowedTCPPorts = [
-    22 
+    22
 
     # syncthing
     22000
@@ -43,9 +63,10 @@ in {
     # iperf3
     5201
   ];
-  networking.firewall.interfaces."eth+".allowedUDPPorts = [ 
+  networking.firewall.interfaces."eth+".allowedUDPPorts = [
     # syncthing
-    22000 21027
+    22000
+    21027
   ];
 
   networking.firewall.logRefusedConnections = false;
@@ -96,8 +117,50 @@ in {
   services.zerotierone = {
     enable = true;
     joinNetworks = [
-      "93afae5963c547f1"
-      passwords.zerotier.dweb2023.networkId
+      # moved to the service below as it's now secret
     ];
   };
+
+  systemd.services.zerotieroneSecretNetworks = {
+    enable = true;
+    requiredBy = ["zerotierone.service"];
+    partOf = ["zerotierone.service"];
+
+    serviceConfig.Type = "oneshot";
+    serviceConfig.RemainAfterExit = true;
+
+    script = let
+      secret = config.sops.secrets.zerotieroneNetworks;
+    in ''
+      # include the secret's hash to trigger a restart on change
+      # ${builtins.hashString "sha256" (builtins.toJSON secret)}
+
+      ${config.systemd.services.zerotierone.preStart}
+
+      rm -rf /var/lib/zerotier-one/networks.d/*.conf
+      for network in `grep -v '#' ${secret.path}`; do
+        touch /var/lib/zerotier-one/networks.d/''${network}.conf
+      done
+    '';
+  };
+
+  sops.secrets.zerotieroneNetworks = {
+    sopsFile = ../../../../secrets/zerotierone.txt;
+    format = "binary";
+  };
+
+  sops.secrets.nomad-holochain-agent-ca = {
+    sopsFile =  ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
+    owner = config.users.extraUsers.steveej.name;
+  };
+
+  sops.secrets.nomad-holochain-cli-cert = {
+    sopsFile =  ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
+    owner = config.users.extraUsers.steveej.name;
+  };
+
+  sops.secrets.nomad-holochain-cli-key = {
+    sopsFile =  ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
+    owner = config.users.extraUsers.steveej.name;
+  };
 }