From 22fe55c28475ba29df6374cadd736d17a456c784 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?= Date: Fri, 13 Jun 2025 19:36:28 +0200 Subject: [PATCH] feat: add moonside --- .sops.yaml | 59 ++- SwarselSystems.org | 464 +++++++++++++++++- hosts/nixos/moonside/default.nix | 216 ++++++++ hosts/nixos/moonside/disk-config.nix | 124 +++++ .../nixos/moonside/hardware-configuration.nix | 15 + hosts/nixos/moonside/secrets/pii.nix.enc | 22 + hosts/nixos/toto/default.nix | 7 +- modules/home/common/ssh.nix | 4 + modules/nixos/common/impermanence.nix | 17 +- modules/nixos/common/syncthing.nix | 13 +- modules/nixos/optional/work.nix | 5 +- modules/nixos/server/packages.nix | 3 + nix/sops-decrypt-and-cache.sh | 1 + profiles/nixos/localserver/default.nix | 1 - profiles/nixos/moonside/default.nix | 26 + profiles/nixos/syncserver/default.nix | 1 - scripts/swarsel-bootstrap.sh | 2 +- secrets/certs/secrets.yaml | 101 ++-- secrets/moonside/secrets.yaml | 51 ++ secrets/repo/pii.nix.enc | 24 +- 20 files changed, 1034 insertions(+), 122 deletions(-) create mode 100644 hosts/nixos/moonside/default.nix create mode 100644 hosts/nixos/moonside/disk-config.nix create mode 100644 hosts/nixos/moonside/hardware-configuration.nix create mode 100644 hosts/nixos/moonside/secrets/pii.nix.enc create mode 100644 profiles/nixos/moonside/default.nix create mode 100644 secrets/moonside/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 871f4f9..4f80904 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,6 +11,7 @@ keys: - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy - &sync age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h + - &moonside age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh creation_rules: - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$ key_groups: 
@@ -21,28 +22,6 @@ creation_rules: - *toto - *surface - *nbl - - path_regex: hosts/nixos/nbl-imba-2/secrets/pii.nix.enc - key_groups: - - pgp: - - *swarsel - age: - - *nbl - - path_regex: hosts/nixos/winters/secrets/pii.nix.enc - key_groups: - - pgp: - - *swarsel - age: - - *winters - - path_regex: hosts/nixos/sync/secrets/pii.nix.enc - key_groups: - - pgp: - - *swarsel - age: - - *sync - - path_regex: hosts/darwin/nbm-imba-166/secrets/pii.nix.enc - key_groups: - - pgp: - - *swarsel - path_regex: secrets/repo/[^/]+$ key_groups: - pgp: @@ -53,6 +32,7 @@ creation_rules: - *surface - *nbl - *sync + - *moonside - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: @@ -62,6 +42,13 @@ creation_rules: - *toto - *surface - *winters + - *moonside + - path_regex: secrets/moonside/secrets.yaml + key_groups: + - pgp: + - *swarsel + age: + - *moonside - path_regex: secrets/winters/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: @@ -80,3 +67,31 @@ creation_rules: - *swarsel age: - *sync + - path_regex: hosts/nixos/nbl-imba-2/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *nbl + - path_regex: hosts/nixos/winters/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *winters + - path_regex: hosts/nixos/sync/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *sync + - path_regex: hosts/nixos/moonside/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *moonside + - path_regex: hosts/darwin/nbm-imba-166/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel diff --git a/SwarselSystems.org b/SwarselSystems.org index 445a43d..cabd4b3 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org 
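Review bot: `*moonside` is added as a recipient under both the `secrets/repo/[^/]+$` and `secrets/certs/...` rules, so the SSH-derived age key of a host that opens ports 80/443 to the network can decrypt the shared repo and certificate secrets as well as its own `secrets/moonside/secrets.yaml`. Whether moonside actually consumes anything from `secrets/certs` is not visible in this diff; if it does not, leaving it out of that rule keeps a compromise of this host from exposing the shared material. The new rule `path_regex: secrets/moonside/secrets.yaml` is also unanchored with an unescaped dot, unlike its neighbours; `path_regex: secrets/moonside/[^/]+\.(yaml|json|env|ini)$` would match the existing style.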
@@ -1450,6 +1450,385 @@ This machine mainly acts as an external sync helper. It manages the following th } +#+end_src +**** Moonside (OCI) +***** Main Configuration + +#+begin_src nix :tangle hosts/nixos/moonside/default.nix + { lib, config, primaryUser, ... }: + let + inherit (config.repo.secrets.common) workHostName; + inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; + sharedOptions = { + isBtrfs = true; + isLinux = true; + }; + in + { + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + ]; + + sops = { + age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; + secrets = { + wireguard-private-key = { }; + }; + }; + + boot = { + loader.systemd-boot.enable = true; + tmp.cleanOnBoot = true; + }; + + environment.etc."issue".text = "\4"; + + networking = { + nftables.enable = lib.mkForce false; + hostName = "moonside"; + enableIPv6 = false; + domain = "subnet03291956.vcn03291956.oraclevcn.com"; + firewall = { + allowedTCPPorts = [ 80 443 8384 ]; + }; + wireguard = { + enable = true; + interfaces = { + home-vpn = { + privateKeyFile = config.sops.secrets.wireguard-private-key.path; + ips = [ "192.168.3.4/24" ]; + peers = [ + { + publicKey = "NNGvakADslOTCmN9HJOW/7qiM+oJ3jAlSZGoShg4ZWw="; + name = "moonside"; + persistentKeepalive = 25; + endpoint = "${config.repo.secrets.common.ipv4}:51820"; + allowedIPs = [ "192.168.3.0/24" ]; + } + ]; + }; + }; + }; + }; + + hardware = { + enableAllFirmware = lib.mkForce false; + }; + + system.stateVersion = "23.11"; + + node.secretsDir = ./secrets; + services = { + nginx = { + virtualHosts = { + "syncthing.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://localhost:8384/"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + }; + }; + + syncthing = { + enable = true; + guiAddress = "0.0.0.0:8384"; + 
openDefaultPorts = true; + relay.enable = false; + settings = { + urAccepted = -1; + devices = { + "magicant" = { + id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO"; + }; + "winters" = { + id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; + }; + "${workHostName}" = { + id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB"; + }; + "${dev1}" = { + id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7"; + }; + "${dev2}" = { + id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH"; + }; + "${dev3}" = { + id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR"; + }; + }; + folders = { + "Default Folder" = lib.mkForce { + path = "/sync/Sync"; + type = "receiveonly"; + versioning = null; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "default"; + }; + "Obsidian" = { + path = "/sync/Obsidian"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "yjvni-9eaa7"; + }; + "Org" = { + path = "/sync/Org"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "a7xnl-zjj3d"; + }; + "Vpn" = { + path = "/sync/Vpn"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "hgp9s-fyq3p"; + }; + ".elfeed" = { + path = "/sync/elfeed"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" ]; + id = "h7xbs-fs9v1"; + }; + "Documents" = { + path = "/sync/Documents"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "2"; + }; + devices = [ "winters" ]; + id = "hgr3d-pfu3w"; + }; + "runandbun" = { + path = "/sync/runandbun"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + 
devices = [ "winters" "magicant" ]; + id = "kwnql-ev64v"; + }; + "${loc1}" = { + path = "/sync/${loc1}"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "3"; + }; + devices = [ dev1 dev2 dev3 ]; + id = "5gsxv-rzzst"; + }; + }; + }; + }; + }; + + swarselsystems = lib.recursiveUpdate + { + flakePath = "/home/swarsel/.dotfiles"; + isImpermanence = true; + isSecureBoot = false; + isCrypted = false; + isSwap = false; + rootDisk = "/dev/sda"; + profiles = { + server.moonside = true; + }; + } + sharedOptions; + + home-manager.users."${primaryUser}" = { + home.stateVersion = lib.mkForce "23.11"; + swarselsystems = lib.recursiveUpdate + { } + sharedOptions; + }; + + } + +#+end_src +***** hardware-configuration + + loader.grub = { + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; +#+begin_src nix :tangle hosts/nixos/moonside/hardware-configuration.nix + { lib, modulesPath, ... }: + { + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; + } +#+end_src +***** disko +:PROPERTIES: +:CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d +:END: + +#+begin_src nix :tangle hosts/nixos/moonside/disk-config.nix + # NOTE: ... is needed because dikso passes diskoFile + { lib + , config + , rootDisk + , ... 
+ }: + let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; + in + { + disko.devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + disk1 = { + type = "disk"; + device = "/dev/sdb"; + content = { + type = "gpt"; + partitions = { + sync = { + size = "100%"; + content = { + type = "btrfs"; + extraArgs = [ "-L" "sync" "-f" ]; # force overwrite + subvolumes = { + "/sync" = { + mountpoint = "/sync"; + mountOptions = [ + "subvol=root" + 
"compress=zstd" + "noatime" + ]; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + } + + #+end_src *** Utility hosts :PROPERTIES: @@ -1528,12 +1907,13 @@ This is a slim setup for developing base configuration. I do not track the hardw { wallpaper = self + /wallpaper/lenovowp.png; isImpermanence = true; - isCrypted = true; + isCrypted = false; isSecureBoot = false; - isSwap = true; + isSwap = false; swapSize = "8G"; # rootDisk = "/dev/nvme0n1"; - rootDisk = "/dev/vda"; + rootDisk = "/dev/sda"; + # rootDisk = "/dev/vda"; } sharedOptions; @@ -2925,7 +3305,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man green "Making ssh_host_ed25519_key available to home-manager for user $target_user" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts $scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key - $ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key" + $ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key" # __________________________ if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then @@ -4246,7 +4626,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a swarselsystems = { modules = { general = lib.mkDefault true; - nix-ld = lib.mkDefault true; pii = lib.mkDefault true; home-manager = lib.mkDefault true; home-managerExtra = lib.mkDefault true; 
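Review bot: `guiAddress = "0.0.0.0:8384"` combined with `allowedTCPPorts = [ 80 443 8384 ]` makes the Syncthing GUI and REST API reachable over plain HTTP on every interface, bypassing the `syncthing.swarsel.win` nginx vhost that already proxies `http://localhost:8384/` with `forceSSL`. No GUI user or password is set in the visible `settings`, so access control would rest entirely on whatever Syncthing and the cloud network rules provide by default. Binding to loopback and dropping the port from the firewall keeps nginx as the only entry point: `guiAddress = "127.0.0.1:8384";` and `allowedTCPPorts = [ 80 443 ];`. The same lines are tangled into the `hosts/nixos/moonside/default.nix` hunk later in this patch.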
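Review bot: The `mkdir -p /home/$target_user/.ssh` is added to the command that runs after the `$scp_cmd` copy, so on a target where the directory does not exist yet the copy of `ssh_host_ed25519_key` has already failed before the directory is created. The directory is also created by root with default permissions and only the key file is chown'd, which leaves `.ssh` root-owned and the private key's mode up to the remote umask. Creating the directory first with explicit ownership and mode, e.g. `$ssh_root_cmd "install -d -m 700 -o $target_user -g users /home/$target_user/.ssh"` before the copy, and adding `chmod 600` on the key next to the `chown`, would cover both. The surrounding script continues outside this hunk, and the diffstat shows the same one-line change in `scripts/swarsel-bootstrap.sh`.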
@@ -4308,7 +4687,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a general = lib.mkDefault true; packages = lib.mkDefault true; sops = lib.mkDefault true; - nfs = lib.mkDefault true; nginx = lib.mkDefault true; ssh = lib.mkDefault true; forgejo = lib.mkDefault true; @@ -4320,6 +4698,37 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a } +#+end_src +***** Moonside + +#+begin_src nix :tangle profiles/nixos/moonside/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselsystems.profiles.server.moonside = lib.mkEnableOption "is this a moonside server"; + config = lib.mkIf config.swarselsystems.profiles.server.moonside { + swarselsystems = { + modules = { + general = lib.mkDefault true; + pii = lib.mkDefault true; + home-manager = lib.mkDefault true; + home-managerExtra = lib.mkDefault true; + xserver = lib.mkDefault true; + time = lib.mkDefault true; + users = lib.mkDefault true; + impermanence = lib.mkDefault true; + server = { + general = lib.mkDefault true; + packages = lib.mkDefault true; + sops = lib.mkDefault true; + nginx = lib.mkDefault true; + ssh = lib.mkDefault true; + }; + }; + }; + }; + + } + #+end_src **** home-manager :PROPERTIES: @@ -4806,6 +5215,7 @@ in # Decrypt only if necessary if [[ ! -e $out ]]; then + echo "authenticate:" agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file" fi 
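Review bot: The added `echo "authenticate:"` in the decrypt-and-cache script writes to stdout, immediately before the `sudo ssh-to-age` call it is meant to announce. If the caller reads this script's stdout as the decrypted content or output path (the rest of the script is outside the hunk, so this is an assumption to confirm), the prompt text is mixed into that output whenever the cache is cold. Sending it to stderr avoids the problem and still shows the prompt: `echo "authenticate:" >&2`. The diffstat lists the same one-line change in `nix/sops-decrypt-and-cache.sh`.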
@@ -5962,31 +6372,34 @@ Here I disable global completion to prevent redundant compinit calls and cache i "winters" = { id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; }; + "moonside (@oracle)" = { + id = "YJLYL4Z-JIYHFKX-554ZR7B-YAF3PNH-CX7JF53-NYUMVGL-4EWWASH-GDAMBQA"; + }; }; folders = { "Default Folder" = lib.mkDefault { path = "${homeDir}/Sync"; - devices = [ "sync (@oracle)" "magicant" "winters" ]; + devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ]; id = "default"; }; "Obsidian" = { path = "${homeDir}/Nextcloud/Obsidian"; - devices = [ "sync (@oracle)" "magicant" "winters" ]; + devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ]; id = "yjvni-9eaa7"; }; "Org" = { path = "${homeDir}/Nextcloud/Org"; - devices = [ "sync (@oracle)" "magicant" "winters" ]; + devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ]; id = "a7xnl-zjj3d"; }; "Vpn" = { path = "${homeDir}/Vpn"; - devices = [ "sync (@oracle)" "magicant" "winters" ]; + devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ]; id = "hgp9s-fyq3p"; }; ".elfeed" = { path = "${homeDir}/.elfeed"; - devices = [ "sync (@oracle)" "magicant" "winters" ]; + devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ]; id = "h7xbs-fs9v1"; }; }; @@ -6429,7 +6842,7 @@ Normally, doing that also resets the lecture that happens on the first use of =s { config, lib, ... }: let mapperTarget = lib.swarselsystems.mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos"; - inherit (config.swarselsystems) homeDir isImpermanence isCrypted; + inherit (config.swarselsystems) isImpermanence isCrypted; in { options.swarselsystems.modules.impermanence = lib.mkEnableOption "impermanence config"; 
@@ -6498,23 +6911,20 @@ Normally, doing that also resets the lecture that happens on the first use of =s hideMounts = true; directories = [ - "/.cache/nix" - "/srv" - "/etc/nixos" "/etc/nix" "/etc/NetworkManager/system-connections" + "/var/lib/nixos" + { + directory = "/var/tmp/nix-import-encrypted"; # Decrypted repo-secrets can be kept + mode = "1777"; + } # "/etc/secureboot" - "${homeDir}/.dotfiles" - "/var/db/sudo" - "/var/cache" - "/var/lib" ]; files = [ "/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key.pub" - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_rsa_key.pub" + "/etc/machine-id" ]; }; }; @@ -6886,10 +7296,13 @@ Here we just define some aliases for rebuilding the system, and we allow some in gnupg nix-index nvd + nix-output-monitor ssh-to-age git emacs vim + sops + swarsel-deploy ]; }; } @@ -10030,10 +10443,13 @@ Options that I need specifically at work. There are more options at [[#h:f0b2ea9 "winters" = { id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; }; + "moonside (@oracle)" = { + id = "YJLYL4Z-JIYHFKX-554ZR7B-YAF3PNH-CX7JF53-NYUMVGL-4EWWASH-GDAMBQA"; + }; folders = { "Documents" = { path = "${homeDir}/Documents"; - devices = [ "magicant" "winters" ]; + devices = [ "magicant" "winters" "moonside (@oracle)" ]; id = "hgr3d-pfu3w"; }; }; @@ -10910,6 +11326,10 @@ It is very convenient to have SSH aliases in place for machines that I use. This hostname = "193.122.53.173"; user = "root"; }; + "moonside" = { + hostname = "130.61.238.239"; + user = "root"; + }; "songdiver" = { hostname = "89.168.100.65"; user = "ubuntu"; diff --git a/hosts/nixos/moonside/default.nix b/hosts/nixos/moonside/default.nix new file mode 100644 index 0000000..58a4e76 --- /dev/null +++ b/hosts/nixos/moonside/default.nix 
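Review bot: The new persistence entry `/var/tmp/nix-import-encrypted` with `mode = "1777"` keeps decrypted repo secrets across reboots in a world-writable directory, and this patch also sets `isCrypted = false` for moonside, so they would sit on an unencrypted disk. If the decrypt-and-cache script places its `$out` files there and skips decryption when `$out` already exists (as the `if [[ ! -e $out ]]` context in this patch suggests), any local user could pre-create a cache file that later evaluations import. A directory owned by the evaluating user with `mode = "0700"`, or per-user subdirectories, would close that gap. Separately, dropping `"/var/lib"` in favour of only `"/var/lib/nixos"` means service state under `/var/lib` is no longer persisted by this module; unless it is declared elsewhere, things like ACME certificates and the Syncthing key behind the device ID pinned on other hosts would be regenerated on each boot. The same change is applied in the `modules/nixos/common/impermanence.nix` hunk.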
@@ -0,0 +1,216 @@ +{ lib, config, primaryUser, ... }: +let + inherit (config.repo.secrets.common) workHostName; + inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; + sharedOptions = { + isBtrfs = true; + isLinux = true; + }; +in +{ + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + ]; + + sops = { + age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; + secrets = { + wireguard-private-key = { }; + }; + }; + + boot = { + loader.systemd-boot.enable = true; + tmp.cleanOnBoot = true; + }; + + environment.etc."issue".text = "\4"; + + networking = { + nftables.enable = lib.mkForce false; + hostName = "moonside"; + enableIPv6 = false; + domain = "subnet03291956.vcn03291956.oraclevcn.com"; + firewall = { + allowedTCPPorts = [ 80 443 8384 ]; + }; + wireguard = { + enable = true; + interfaces = { + home-vpn = { + privateKeyFile = config.sops.secrets.wireguard-private-key.path; + ips = [ "192.168.3.4/24" ]; + peers = [ + { + publicKey = "NNGvakADslOTCmN9HJOW/7qiM+oJ3jAlSZGoShg4ZWw="; + name = "moonside"; + persistentKeepalive = 25; + endpoint = "${config.repo.secrets.common.ipv4}:51820"; + allowedIPs = [ "192.168.3.0/24" ]; + } + ]; + }; + }; + }; + }; + + hardware = { + enableAllFirmware = lib.mkForce false; + }; + + system.stateVersion = "23.11"; + + node.secretsDir = ./secrets; + services = { + nginx = { + virtualHosts = { + "syncthing.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://localhost:8384/"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + }; + }; + + syncthing = { + enable = true; + guiAddress = "0.0.0.0:8384"; + openDefaultPorts = true; + relay.enable = false; + settings = { + urAccepted = -1; + devices = { + "magicant" = { + id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO"; + }; + "winters" = { + id = 
"O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; + }; + "${workHostName}" = { + id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB"; + }; + "${dev1}" = { + id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7"; + }; + "${dev2}" = { + id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH"; + }; + "${dev3}" = { + id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR"; + }; + }; + folders = { + "Default Folder" = lib.mkForce { + path = "/sync/Sync"; + type = "receiveonly"; + versioning = null; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "default"; + }; + "Obsidian" = { + path = "/sync/Obsidian"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "yjvni-9eaa7"; + }; + "Org" = { + path = "/sync/Org"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "a7xnl-zjj3d"; + }; + "Vpn" = { + path = "/sync/Vpn"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "hgp9s-fyq3p"; + }; + ".elfeed" = { + path = "/sync/elfeed"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" ]; + id = "h7xbs-fs9v1"; + }; + "Documents" = { + path = "/sync/Documents"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "2"; + }; + devices = [ "winters" ]; + id = "hgr3d-pfu3w"; + }; + "runandbun" = { + path = "/sync/runandbun"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" ]; + id = "kwnql-ev64v"; + }; + "${loc1}" = { + path = "/sync/${loc1}"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "3"; + }; + devices = [ dev1 dev2 
dev3 ]; + id = "5gsxv-rzzst"; + }; + }; + }; + }; + }; + + swarselsystems = lib.recursiveUpdate + { + flakePath = "/home/swarsel/.dotfiles"; + isImpermanence = true; + isSecureBoot = false; + isCrypted = false; + isSwap = false; + rootDisk = "/dev/sda"; + profiles = { + server.moonside = true; + }; + } + sharedOptions; + + home-manager.users."${primaryUser}" = { + home.stateVersion = lib.mkForce "23.11"; + swarselsystems = lib.recursiveUpdate + { } + sharedOptions; + }; + +} diff --git a/hosts/nixos/moonside/disk-config.nix b/hosts/nixos/moonside/disk-config.nix new file mode 100644 index 0000000..b9fa336 --- /dev/null +++ b/hosts/nixos/moonside/disk-config.nix 
@@ -0,0 +1,124 @@ +# NOTE: ... is needed because dikso passes diskoFile +{ lib +, config +, rootDisk +, ... +}: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko.devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + disk1 = { + type = "disk"; + device = "/dev/sdb"; + content = { + type = "gpt"; + partitions = { + sync = { + size = "100%"; + content = { + type = "btrfs"; + extraArgs = [ "-L" "sync" "-f" ]; # force 
overwrite + subvolumes = { + "/sync" = { + mountpoint = "/sync"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} diff --git a/hosts/nixos/moonside/hardware-configuration.nix b/hosts/nixos/moonside/hardware-configuration.nix new file mode 100644 index 0000000..2278aaf --- /dev/null +++ b/hosts/nixos/moonside/hardware-configuration.nix @@ -0,0 +1,15 @@ +{ lib, modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; +} diff --git a/hosts/nixos/moonside/secrets/pii.nix.enc b/hosts/nixos/moonside/secrets/pii.nix.enc new file mode 100644 index 0000000..b82de98 --- /dev/null +++ b/hosts/nixos/moonside/secrets/pii.nix.enc 
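Review bot: `disk1` hard-codes `device = "/dev/sdb"` together with `extraArgs = [ "-L" "sync" "-f" ]`, so disko force-formats whatever the kernel happens to enumerate as `sdb`; `sd*` names are not guaranteed stable across boots or when volumes are attached in a different order. A persistent identifier is safer for a destructive step, e.g. `device = "/dev/disk/by-id/<VOLUME_ID>";` (placeholder), or a `swarselsystems` option alongside `rootDisk`. The `/sync` subvolume also lists `"subvol=root"` in its `mountOptions` although no `root` subvolume is declared on that filesystem, which looks copied from the root disk and is worth confirming. The `rootDisk` function argument is declared but unused, since the body reads `config.swarselsystems.rootDisk`. The same file content appears in the `SwarselSystems.org` hunk it is tangled from.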
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:CmkNQJe2siUanybNt9Nv8JSsOnJuoLUOpAPXbACPQFLc4YL9u5R9wImwbbOOgXGfVl8hQwYS5dc+2nu4kj11zdT4mCe62/fO+HgIMBEbU/c0zGZj2hjArJYBkOCHQYu1IzgXdACyamJ9s3MVe0xGJUkwK93X+89YQpc=,iv:9tzNWIk10A4w986fo6pkpaUvo4+y5+RD+OmBksy9TbU=,tag:r5Dlv/HGwtlAdKp3HsKiMg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-06-13T17:33:11Z", + "mac": "ENC[AES256_GCM,data:/PDAd2LB2n3gwnaYaUHDHT/Ze1YxXTA0wDxAZEc72B9DQO8trN0XISSqQ3YbopOy8J7wZu/HveX5nx4zoCPKcrMtqtFtlyviAE5Afl+3XcgKcNOGK/0yCq1fAD6q8Lfsl/t/5/4qXA5jlhobVmsDFfXJ8woYqCLijZXNNkc3X+w=,iv:Q9yngw0Z6aS1aB/iF6+oFoCYg1yN+mNKEsv8zaX4ba0=,tag:470JaIY68O3NublQLYw7GA==,type:str]", + "pgp": [ + { + "created_at": "2025-06-13T20:12:55Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/9HYZO7Bu/PhfIEnzlD9RpDhgk79rSdl9rfrssXOhsXh6j\ne016mp6UswsFuNUCArHOzOQ0wF7QolP/TW4ZAXK/Rb1cTr88JVuGy9UPx5cLHlaU\nZBmhFZjkYYIuYkPgKc/ztcsqGrJ/gqz15hjerFIB2vbcFRKfxN5xwIxb/hC8dWdF\n1V5iJhyTwvITBzXSJ4PfOh2RjfGmytKd5/Gf1DouW1H2Y7JgNSZPmesci5BUYyDd\nkt+rUjwe3FefOfzPVCA7ojfBuNxhU1sLJiEbGqEwd4XkwzU421jOIEzLM7qhUbGx\n0HzPUflTO85acBpwP3vf0NtsJXZyYG4/v81GLm11MEpwt5n/nJaxokbbT8CPKVpN\n8gXSwO2VhIDFWGeRMvfG3NNmwnJRJiSS0FTpRwqt3bF7btBfEE75HTGZq0qI+p+3\nPPqWz3SLMeAQvTqmscGpuIATX5PEDm+knq/D9W903mLeACZEMy8Tk1LDyuwJCK01\nJX687nOKgWfsq0PnhItF5Z1jfSMbJb6g3fH2Fpn6aB9bx9WNARNu2s28s3StE31K\nLtAvRsWNH6UzfO3VHMkphHrd7ARDre4pCeHs8B3wy+HswZxO2FEawTD0Ps0hejNF\nZPI18eTmCu6zuumhBwM72BZlWBj50HoqampjYtnlf3JemhYVysCbwyqou+i4S1yF\nAgwDC9FRLmchgYQBEACZ3fR5HsgS6ko5QCns6nqYfZyR2o6hyKb1iaH0veJEL9DI\n+EBaBJ6+8GPNETMACVz+wGd+GadoNWfgFNcUMz4TobTFGwsjmj5WRllxMtX1RNmf\nnqvMSflKk13DIHLbmsY4bGml0BE/ssLj0SiXOAmUWUZOMT+/+griCs4Er/fxphjA\nN3J+G83Prvynn8o924Ct1Q2wDXCWm6MENbbzts03IgkDHK1bCYVsTQ/ca2v+zB5g\nzRUR6xbi7Ysgco/DwDSu9DWIyNOMnsKnS3Mng/vXPoimlof4xGKMHRzrqdP5l95M\ntx2+/l4UNg5aQms8h9MML7AzVmVfJu3pLM9IE89WjVBgNE5/sQEfg7G7WvBBdfoR\njAHhkHOfZDlEjOnQzTR5MYZ57BGIGhHSOrg+IIX1zYaTNFEcnkfpLIJ71KOSs35w\n0hxud2CzFjxnbknvZP5myrMPwfQ1TJmR4PAWE1+XRMze18wCnXcosT7r+I/yc0mG\nhD1Q2YW0qYOY+AhOgshJ+OOvybaPFc8VlDriLoAqLXY0VaQVBIZGTHDY1SFUI4kY\ngMgmKJsWK0wn05J31FSdXYCEQubqClSN1BT+e0ceDnkioVvbTqwRBcOTXkQ9JFiA\nn65f6Ul4q9/ugOgLmrFiLDjdkmkdOOXo7QcgZrOL68+8c1xIxmhEgKobK5wBUtJc\nAXHosTJgXYvXHKDiZpFpN1gI2Y02tbxAb0Vois+ZZcP8AX0t++tZKARwguft0zr+\nWGhdQoGVeiQkAGXOgot66nGOtq/MtChmMZFEG63mc2B+84OOZBcXf66vsdU=\n=nCdw\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/hosts/nixos/toto/default.nix b/hosts/nixos/toto/default.nix index c20aa2e..aef8a80 100644 --- a/hosts/nixos/toto/default.nix +++ b/hosts/nixos/toto/default.nix 
@@ -59,12 +59,13 @@ in { wallpaper = self + /wallpaper/lenovowp.png; isImpermanence = true; - isCrypted = true; + isCrypted = false; isSecureBoot = false; - isSwap = true; + isSwap = false; swapSize = "8G"; # rootDisk = "/dev/nvme0n1"; - rootDisk = "/dev/vda"; + rootDisk = "/dev/sda"; + # rootDisk = "/dev/vda"; } sharedOptions; diff --git a/modules/home/common/ssh.nix b/modules/home/common/ssh.nix index f1b9f33..b29a8d5 100644 --- a/modules/home/common/ssh.nix +++ b/modules/home/common/ssh.nix @@ -26,6 +26,10 @@ hostname = "193.122.53.173"; user = "root"; }; + "moonside" = { + hostname = "130.61.238.239"; + user = "root"; + }; "songdiver" = { hostname = "89.168.100.65"; user = "ubuntu"; diff --git a/modules/nixos/common/impermanence.nix b/modules/nixos/common/impermanence.nix index 00a2956..854a2a8 100644 --- a/modules/nixos/common/impermanence.nix +++ b/modules/nixos/common/impermanence.nix @@ -1,7 +1,7 @@ { config, lib, ... }: let mapperTarget = lib.swarselsystems.mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos"; - inherit (config.swarselsystems) homeDir isImpermanence isCrypted; + inherit (config.swarselsystems) isImpermanence isCrypted; in { options.swarselsystems.modules.impermanence = lib.mkEnableOption "impermanence config"; @@ -70,23 +70,20 @@ in hideMounts = true; directories = [ - "/.cache/nix" - "/srv" - "/etc/nixos" "/etc/nix" "/etc/NetworkManager/system-connections" + "/var/lib/nixos" + { + directory = "/var/tmp/nix-import-encrypted"; # Decrypted repo-secrets can be kept + mode = "1777"; + } # "/etc/secureboot" - "${homeDir}/.dotfiles" - "/var/db/sudo" - "/var/cache" - "/var/lib" ]; files = [ "/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key.pub" - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_rsa_key.pub" + "/etc/machine-id" ]; }; }; diff --git a/modules/nixos/common/syncthing.nix b/modules/nixos/common/syncthing.nix index 2dd4ccc..11bc550 100644 --- a/modules/nixos/common/syncthing.nix 
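Review bot: `isCrypted = false;` switches off the disk-encryption flag for toto in a commit that otherwise adds a new host, and together with `isSwap = false;` and the `/dev/vda` to `/dev/sda` change (old value left as a comment) it reads like settings from a test install. If the change is intended, record the reason next to the flag, e.g. `# unencrypted on purpose: <reason>`; otherwise restore `isCrypted = true;` so the next install of this host does not end up with a plaintext root. The attribute set continues outside the hunk.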
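Review bot: The new persisted directory `/var/tmp/nix-import-encrypted` is created with `mode = "1777"`, so every local account can create entries in the place where, per the inline comment, decrypted repo secrets are kept across reboots. The sops-decrypt-and-cache.sh hunk in this commit only decrypts when its output path does not exist yet; if that path lives under this directory, whoever creates the file first decides what is used. Unless several users really need to write there, restrict it, for example `mode = "0700";` with an explicit owner. Separately, this hunk drops `/var/lib` and `/var/cache` from the list, so hosts using the module should be checked for service state that is no longer persisted. The enclosing attribute set starts outside the hunk.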
+++ b/modules/nixos/common/syncthing.nix @@ -22,31 +22,34 @@ in "winters" = { id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; }; + "moonside (@oracle)" = { + id = "YJLYL4Z-JIYHFKX-554ZR7B-YAF3PNH-CX7JF53-NYUMVGL-4EWWASH-GDAMBQA"; + }; }; folders = { "Default Folder" = lib.mkDefault { path = "${homeDir}/Sync"; - devices = [ "sync (@oracle)" "magicant" "winters" ]; + devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ]; id = "default"; }; "Obsidian" = { path = "${homeDir}/Nextcloud/Obsidian"; - devices = [ "sync (@oracle)" "magicant" "winters" ]; + devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ]; id = "yjvni-9eaa7"; }; "Org" = { path = "${homeDir}/Nextcloud/Org"; - devices = [ "sync (@oracle)" "magicant" "winters" ]; + devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ]; id = "a7xnl-zjj3d"; }; "Vpn" = { path = "${homeDir}/Vpn"; - devices = [ "sync (@oracle)" "magicant" "winters" ]; + devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ]; id = "hgp9s-fyq3p"; }; ".elfeed" = { path = "${homeDir}/.elfeed"; - devices = [ "sync (@oracle)" "magicant" "winters" ]; + devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ]; id = "h7xbs-fs9v1"; }; }; diff --git a/modules/nixos/optional/work.nix b/modules/nixos/optional/work.nix index 718db82..aab2c7b 100644 --- a/modules/nixos/optional/work.nix +++ b/modules/nixos/optional/work.nix @@ -174,10 +174,13 @@ in "winters" = { id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; }; + "moonside (@oracle)" = { + id = "YJLYL4Z-JIYHFKX-554ZR7B-YAF3PNH-CX7JF53-NYUMVGL-4EWWASH-GDAMBQA"; + }; folders = { "Documents" = { path = "${homeDir}/Documents"; - devices = [ "magicant" "winters" ]; + devices = [ "magicant" "winters" "moonside (@oracle)" ]; id = "hgr3d-pfu3w"; }; }; diff --git a/modules/nixos/server/packages.nix b/modules/nixos/server/packages.nix index 7094668..1781091 100644 
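Review bot: `"moonside (@oracle)"` is appended to the device list of every folder in this hunk, including `Vpn`, and the work.nix hunk does the same for `Documents`, so the newly added cloud host receives a copy of all synced data. If moonside only needs some of these folders, list it on those only; what the folders hold is not visible from the diff, so this is a question of scope rather than a confirmed problem. The five identical `devices = [ … ]` lists could also be bound to one name so that membership is decided in a single place.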
--- a/modules/nixos/server/packages.nix +++ b/modules/nixos/server/packages.nix @@ -6,10 +6,13 @@ gnupg nix-index nvd + nix-output-monitor ssh-to-age git emacs vim + sops + swarsel-deploy ]; }; } diff --git a/nix/sops-decrypt-and-cache.sh b/nix/sops-decrypt-and-cache.sh index e851db1..b63f51d 100755 --- a/nix/sops-decrypt-and-cache.sh +++ b/nix/sops-decrypt-and-cache.sh @@ -28,6 +28,7 @@ mkdir -p "$(dirname "$out")" # Decrypt only if necessary if [[ ! -e $out ]]; then + echo "authenticate:" agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file" fi diff --git a/profiles/nixos/localserver/default.nix b/profiles/nixos/localserver/default.nix index 8a85630..67e4757 100644 --- a/profiles/nixos/localserver/default.nix +++ b/profiles/nixos/localserver/default.nix @@ -5,7 +5,6 @@ swarselsystems = { modules = { general = lib.mkDefault true; - nix-ld = lib.mkDefault true; pii = lib.mkDefault true; home-manager = lib.mkDefault true; home-managerExtra = lib.mkDefault true; diff --git a/profiles/nixos/moonside/default.nix b/profiles/nixos/moonside/default.nix new file mode 100644 index 0000000..7b4f267 --- /dev/null +++ b/profiles/nixos/moonside/default.nix @@ -0,0 +1,26 @@ +{ lib, config, ... }: +{ + options.swarselsystems.profiles.server.moonside = lib.mkEnableOption "is this a moonside server"; + config = lib.mkIf config.swarselsystems.profiles.server.moonside { + swarselsystems = { + modules = { + general = lib.mkDefault true; + pii = lib.mkDefault true; + home-manager = lib.mkDefault true; + home-managerExtra = lib.mkDefault true; + xserver = lib.mkDefault true; + time = lib.mkDefault true; + users = lib.mkDefault true; + impermanence = lib.mkDefault true; + server = { + general = lib.mkDefault true; + packages = lib.mkDefault true; + sops = lib.mkDefault true; + nginx = lib.mkDefault true; + ssh = lib.mkDefault true; + }; + }; + }; + }; + +} 
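Review bot: The added `echo "authenticate:"` writes the prompt to stdout, where it can end up mixed into whatever the script prints for its caller; a prompt belongs on stderr, `echo "authenticate:" >&2`. Whether stdout is consumed is not visible here because the script continues outside the hunk. A short comment above the `agekey=` line saying that sudo is needed to read the host key, which is why the prompt exists, would also help the next reader.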
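Review bot: `xserver = lib.mkDefault true;` is enabled in a profile whose option text describes it as a server and which otherwise turns on nginx, ssh and sops; unless that module is needed for something else, leave it out so the host runs only what it has to. What the xserver module configures is not visible in this diff. The option description `"is this a moonside server"` could instead state what the profile is for.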
diff --git a/profiles/nixos/syncserver/default.nix b/profiles/nixos/syncserver/default.nix index adeef3d..c8bc86f 100644 --- a/profiles/nixos/syncserver/default.nix +++ b/profiles/nixos/syncserver/default.nix @@ -16,7 +16,6 @@ general = lib.mkDefault true; packages = lib.mkDefault true; sops = lib.mkDefault true; - nfs = lib.mkDefault true; nginx = lib.mkDefault true; ssh = lib.mkDefault true; forgejo = lib.mkDefault true; diff --git a/scripts/swarsel-bootstrap.sh b/scripts/swarsel-bootstrap.sh index ad8a202..4636428 100644 --- a/scripts/swarsel-bootstrap.sh +++ b/scripts/swarsel-bootstrap.sh @@ -285,7 +285,7 @@ sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets. green "Making ssh_host_ed25519_key available to home-manager for user $target_user" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts $scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key -$ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key" +$ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key" # __________________________ if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then diff --git a/secrets/certs/secrets.yaml b/secrets/certs/secrets.yaml index c1a54d8..935651e 100644 --- a/secrets/certs/secrets.yaml +++ b/secrets/certs/secrets.yaml 
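Review bot: The `mkdir -p /home/$target_user/.ssh` is added to the command that runs after the `$scp_cmd` line, but that copy is the step that needs the directory, and the directory it creates stays owned by root with default permissions. Create it before the copy with owner and mode set, `$ssh_root_cmd "install -d -m 700 -o $target_user -g users /home/$target_user/.ssh"`, and keep the `chown` of the key after the copy. Joining the two commands with `;` also lets the `chown` run after a failed `mkdir`; `&&` would stop there. The script continues outside the hunk.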
@@ -7,71 +7,80 @@ sops: - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZjVjb1pVeWxrZVh0UHRK - emV5Ylo4a21qcnZydTVEWGpzM3pVYlZ4WWlnCkNEY3ZSZ2F1Q1hGS2FMZVJWaEFO - TjBTOVBxejNnMk43eW9IbjJqWWEzSFEKLS0tIHMxUUNwMDZ4dXZrUFRhQnE5UXl6 - dXVMTTM3YVdiWGcyLzM1R3ZHdFU2eEkKTvJcAVfk4UpNDQFJwr4BW5QPQtdGhmmi - gsuxZOe/ojpuGoH+9Ht5d9QdENoOsqQJ+0VpHgqysy/KJxC0MmaBrg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcmpISEJCeDFtaHlMaUp6 + RlI5QnVSQ01OSVViMHZROFozWE03QU1ob2pjCk1ySzZDSUtoaTN0TSswN1R4Q1Q5 + azB0Y1RUWTc4dXN2OE00cFBNeGY2ZVEKLS0tIHM1ZTFON2k1eW1MNzFWUWs4Vmwv + SjhWM3daU3ZGUE1Ud293NENxVVUyRHMK3beWpg6G/gn8kT+ZZtnlnCw+K4Pr5O06 + UNFlbnWIxNzJ7ML5Rd3u88XOLmD7OO4sxwQCNZgFCFfljiyl3UW27A== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL1VqalFMcEtObnhoL0U1 - TjdLSVJNMHZUNFpIL29Ib2FGMTFsdXdPdUVZCmxrb3lzL0M3Tk1xcEtnbHZxeTkv - cmJrUzRFM2ErT2lZVWFEd1NQVHlEWVkKLS0tIHFtSEJHSjhBMzljRTlxSDRBZkJQ - b0gycVVHWFQ3WXhkZUlzUkxzQUYxVnMKIGMqw8hHsPB/sQqKjW6WKp/w4Idrzcg3 - 2362DS8UswVpymq+mMHQXiyu2tuG26ZAE3U4Gx4Pyg2XZJDwC/Bymw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0c3pjTmFPZzF3NTFla0c5 + QmEwa3R5NG9NVnNQUVZWTjY3VkxtaWlFRXdFCnpwSnpJU0RMSkxrUVpIdk5ycVF1 + c0ZTbGNRK2RqNTVtb1ozSUZjeTYwbHMKLS0tIFEzcG1xdCt1Wmw0S2NtMHk2TGJ6 + bU13M2NvNVQxbnJGTEl1Q09YcE5Mb1EKpCJSyUVvDndc7/RkPGcutcfOz1lM6WWp + lRBXFELXRmdRFAF4F+7sEICIu+3zJ/bpycQPGBIfjD8uYNSa5GRbng== -----END AGE ENCRYPTED FILE----- - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMnhPT1J2dENZRzFQdi9p - ZHl1LzVhSnp3ejlQbUZlT21BV3VsVHNoUHlvClUzNW9Wa3VueUNjbnZWYWZPWncy - eEFIY25HVEJYNEptV1lXbHBsVENEM0EKLS0tIHJERmVSUnZvUFV2M3I1RlR5WGR1 - 
S241amNkdFIxdE9nekU0S0ZQUi9hVlUKSEpbaG9Y1rvm/QorguodDeDO77apy8cX - C9NqAxRkJiSjyLvqB063oRsPr1aH5c0hTq8Y2zBjwC620jO2vqTjug== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWY3JVbU5OSithUVJSaERk + V25zbmJ4Z3NkNkxaeFZMRmZLTG1RWG1OdzA4CklvZ2lTMGZXSHRpMzkrSGdIdSs2 + N0NTZzI1YjVCVzFkNDJJMld1Vmt5QUEKLS0tIE9uUDY0WDM5RzVQUFN4WGFZL3M4 + YUtnZjBwTi80VURBNmhBQjNxMmE1UlEKsMUniG4+/nvrqXH0AoB7I0sVRBfevGov + bqbZWhQoxo2lCly9RVT1EjJdk6pbes1qy4/H4vNMmjsUn0Pac4FE+A== -----END AGE ENCRYPTED FILE----- - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlTkdZL2lGYVVReW80VWpw - VkRpWTFjdHhTRlJDRlBzc2pjTWdlcmYyc0RVCm13UmJla3NkaDEwaE5mK2ZpZ1Ex - WTNvSXZGYjVpdHNsQkdydDdKanBkOGMKLS0tIHZVZlRtaE0wcEZGc3pJNnhEQVB4 - ME9BMzQ3TmZmUW5aVG1Oa3hTNzdnd1EKFqMrQnP/5Nw654EJYTLjziDmffrr2Ryj - 5L9weh8fRKopPOPEXwPDULjxCL0G1AipFXwUgk+zJY8dJugDHvsmuA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNGdEZEI5QlVmQXp2MWp1 + YkRnUWM0S2k4ZEk4R21rc3ZsTGdzUjlOY25nCkg2OEZ3blpzem5QTktoTVB6eXNS + NzRVejNuS1NpbzN0ZDE2dzBldUR6bm8KLS0tIHJmT2t1UGZGVWFMNTN3WmRVOVZm + QVpQS1ZGbWdOYXNsNmlFYTNhUnIyZFEKBQaXEuhKe/qvqmXK6G/Ew+gwY8NgvyVm + Kd13hqsHcllaiAwg2lZ7RMl8gbKY9Sa6iQ1laV+0LHiEc/1hbg9sWg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1gj6uhy8lx9asjhwmqcmm4rtu6wptrd9dr42lhf9xreet6tra4fpswkvket + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQ1J4SFQ4K3RVTUlGRGxx + UzZhMnBXUGNYZ1dvbFozS3krVjBLUGFGQm1BCmdBQjhlcFhPaFk4RmtIRGFSUSsz + R2ZIR2VwQUZIaUZ4RWRLN01XdndURDQKLS0tIGg0eG9tVlB1WDhoRUpnZXhlQ21w + M3FXei9menJlNjB4ZFFoQURhdHFCUjgKmkTR92+6hZ705u9I5VPyJVfD5HrLxk7m + 7O1EPw9oPNSihFhl85PbQTAJWVMjRmJFFdDxz/I0XuHKE/XaNW+ijA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-06-09T01:43:52Z" mac: 
ENC[AES256_GCM,data:pzzSwJ7kxIg4cmnS67DmXz26EKxLKzUtSFJ7vmlAdGphspYrwrRKHeKp/Rrpr15YMLUafXK9QAxeQQEIF6tQPtSLkHgYIb8xIaSRmNOR44OtWoiGBZWgTuFhQ1g2Po2Pn4EKQ2t9obPXxPA9I7EhPhIbqFepM37OQz6TX5SPEoE=,iv:UeX221QNsS6bYsETqRCDgVBNpgSX2RXUv8qWeMKWgYo=,tag:pbOUUcIhvNWv1HM6ti/FUw==,type:str] pgp: - - created_at: "2024-12-29T00:45:42Z" + - created_at: "2025-06-13T18:41:14Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTAQ/+MDjASUMqC4cqjI7n7EPUVCBzOyLgjE5pihtWJMREsBxa - dsz7pZKg+UFqOK5MZq+WPibvt4NzelNiQJdKJK3ZlG4W7o8KKk9cGqjWLCA4239e - uXOBBheGXp+u9xX8btasqupOXN0mJ3OsHWi76ijrCOxcAPvk5+zE5c6TqI/nPE7w - yvVFkPQRYw8DrnYKKhMPftQYQjv/7r/4N9+ve5oymgOGUtEjI7HVG+B95j/HsNQU - Ap6Gj8/Tyb3+MQs0LxFo+Tjrn7VQ6PG03aOCgQDMNRd4FpbCRbIIvZbzsc4GNszE - 5fWXQox8mPxVpBTYAsRWmk749sjYcaXaB4HNXNP0euS3yIuCGbhfdeP9sWJheu45 - oqdA2XcAyD+5L7H4J1Lg5OkxP8oRO/layj7e0K11EPnBbahE12vehcHWxPFYLSwl - oYnzmWVQ5LUWIk+oH/Jb02CGKHHE21W6+CgX3l7WehvIO+QOxWOrBgNVHONVX4HZ - kMQWljcwU15yP4F2n1BU4a4D1a5hYemySTclw/ZqC+REBwq8p9tvzEsGBs10kkK4 - 1KrCx7X7OHtBgBEWqhCqHOEX/bIQ10vzAKfPywHvj2TpJEyhCh0dk7mK/jfdIASU - V6x8vJfYfN1EdlFHgeiNLjx5u2Oa7azp+ZjYOEEH+xoUoI00Cn9GoIHohyZMECGF - AgwDC9FRLmchgYQBD/0ROxGKsAyMJ0QfWtgr9wP+haPWwZ1TdWg22epTm3VSfjLQ - Y5qLcN4J4Cmw858JABB72yYA1dcrdnObWHDNDrM4EqmRWrAvNXRNnmyi9ozPs6Qt - rYFCa6y2MH59V75YCUqw9Dkom+v6RUIep5zioxwqTa/D5Y9pF+kKR4JAqRa4PZXP - Dqc/rg7IONShpkF0l5wEaL8WR0oNnqKeTy9Ejte9qJejx6I1PGmRoskb6WOdkwJn - AK9UertXc2C6PvZ7A4JqEBYBYHgDMp9nRVnKht6h3NttI5Ye/id6400KJ4SPA1xy - tp5VQYrt8X9oD+goN835nwplXTuLT3MKAYn7/6w1txaVwgs2Ewi3D3pThERChOU9 - zF2eTCe0dnDtuO2YlEV1ucjqFV9Ix3gWPzOjh5B0n8WMGHRCzlLGTHO2h9soM6E+ - CKAJ8t+mNQv6BV4JPToTCZS/Sii3pSGKqtIBs3saTGrQ1CIaH2oHVw2b4luCZJXE - rTGzhLmOTWdZXfEeLnpTIJXTd4c7Fpuk3iKxOI/cNfd+8cY5J9SoRYbR20LzyWO+ - CFcBJhvtC4hSyA3odsBRDsptEp7MKhsn1o1jidEQYAEpESsq7BtUshG42Hx5Uc1P - DU8DGxm1eWmfcr4WONSnEVConPz85kemltTNuGjTMqJc/vvPDHu3h7o8PpHqK9Je - AY+XGmvaUTTDm3Du4MZmKvLAoeatu7sqqo0ICrOzbZw5hDEvrGacjllQrG+XULlw - 
C93eY7rbvGAjARr27h62YiH/rT16Mf8fpDkrwGDz0aeg3Nj+J2g7/OKeRWvvzw== - =q4yh + hQIMAwDh3VI7VctTAQ//bvg76FopkB85Na1yjedNZjDbfg5R0H5sNOvJi/KkZRaB + siZZHUN1jrrYH9WJxhrYhE6wmtqhClWI0r0I/prcJj2gvJWs1EAC5HoJYCNQEZjA + jVqyPWveL+1AxLze9kGcHpb/YKO++XclmbjRB7RkW9oS8h3RN+BWgjoL379fygFn + tcYhB1zn2k1pvKovq6KQiBThGgaATShCh65sl10NXrEEzR37TBRubseC/Bhj6oDG + SoviST+7tbMETKDoDvXHzKE+tVvQPi1qCagbk1FL681ldjcvTFhsLEQc7brlskoC + w3H3BLKLrfpWPnsfeavMOghK6ctztwuOd6qbZCcdS0QRPbSlOWY27gzLg9nCoVYm + 3ZS4o+OIOBKCkaCiWqwORqa6MTNNOgzJHmrpXygehrhyy+RCvPyV1MUgo9YyfABb + uoRZxoY3svvm1mUcwJwySj0fKljF8YBOxmYHAq+cO1jPe3282Mbh8haOFxVF34c/ + sB7q8AJHTks9KZdO/wfMt//e3oN+IVFEsgEE8d0ecScIyVcqyEGYGcloQ+m/cUSF + onfJKz/WhgHUh4VngDF4HTMS2L4IRPnPFTebRNBirnM7ruQut9Q+NqYHF//UmlIa + 6CWifbSdcDujd4P5O9FIG7/bRhRf5CsUdn137o9vF9hBnX5KtdrRwyYzy4dp4HGF + AgwDC9FRLmchgYQBEAC2KYQRNAYxczza6nmW6n2bkGDypvKwDWV34GKtL1hy3mla + Dfh/k1yv0o/I6ebnbgh6yFzyFq2GRi+yNkTPF1mpGboyex4Ot3d3y7gurs0Y1p8g + oYYniqtQmuRmkplU6EFFZf4LgQvcArmLFCzp0SbZ37AaXYFjk/pY1hSrfDbiExVV + OK1pkE82vYXWm2bkFRE6YVNUf4lp7Q41CmDq+H+mf4DLfgw9J4TnseNi+ZsGldSj + 4jFEtxvO/t2vhNHvbXJoSVKeLKn4mUEpJdfi843XWwo0VEk0JcnzfReYUbqjLChv + gV13mqwGmrDY28IWzyCr4h8FURWUMJSFqkVnrEoHQ303ujX5qV3JSadl6ham4h4o + s3gS2F4m0h9YAJnxj4/ahbBLk8go4IQ7FA+rmjVhMLRuTyUcEyPPCiY8tRJm7p/X + vpkZdT2hVyYeLtK/mP5ieDArDVYUa3QTkJ3knjSfdZWBv3MtrXsTAK/C4frnOxoM + inMpCnJtCnVQ8/xbtyXMhJWnz72vbEwDblaLId9nVtU9p9GqHB2OT1CflJBhDjb6 + a49C0mIGS6xBkW3YBSJxf7szUK/lL2qXSW+aI4dg5naci62jChtagnkXbN2afhOR + 91hpJ2oohMkB8rbbi2uXN0wIBUO9t8GTUKKaTjCOOTWm5nXNOCW5CtamYASeetJc + AeW10mAZSNUyh8FWs9XeLtppGEdERSqWs3gPvGO+TJ9o/8v+BPIwLEu0POoUuRWo + 3Lkqrl4JHC01T7buQU3vzRfWrdranL0Ll8H2iYvsyfaJrsO01weS2jGqmgg= + =PGCv -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/moonside/secrets.yaml b/secrets/moonside/secrets.yaml new file mode 100644 index 0000000..1f208a4 --- /dev/null +++ b/secrets/moonside/secrets.yaml 
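Review bot: The recipient added to this file, `age1gj6uhy8lx9asjhwmqcmm4rtu6wptrd9dr42lhf9xreet6tra4fpswkvket`, is not the key that the other encrypted files in this commit add for the new host (`age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh` in the moonside and repo files). If it is a key from an earlier install of moonside, the new host cannot decrypt these certificates while the holder of the old key still can; re-running `sops updatekeys` on this file would bring its recipients in line. Which host the `age1gj6u…` key belongs to cannot be told from the diff.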
@@ -0,0 +1,51 @@ +swarsel: ENC[AES256_GCM,data:AnxZLN+3ta2Dmg0=,iv:S25Xbbj5K3tWynO4/7XGRp/+XexxoUofHjlPNDo5el8=,tag:uov6okR56P324TYA3/YN/g==,type:str] +dnstokenfull: ENC[AES256_GCM,data:z9gi0pwfbDyHkKw8rhiGOIlaLUzepAAxQfAH4esla2NkSCx/S0VAiQ==,iv:qtCE+V4vHImViCquHwUEADEzl6dj7PB16PoRqYEgQ6o=,tag:jVfWgt3cx+bpYeMuyesjrA==,type:str] +swarseluser: ENC[AES256_GCM,data:s09lyp9yRPJaSsDXj19s1mosF3O39Fk7Eg==,iv:tVBEFqTQPreul617EU6CfBUhz3Fmt37VAi3GzezeEmA=,tag:9sbJ465VxKoW3/q6ju7hpg==,type:str] +wireguard-private-key: ENC[AES256_GCM,data:z5TV66YW4FqBVi/3uyE+r9Nkx9vVUOEgwVBXxqi32pecR9dQyLHW9QtFF/A=,iv:+qpRvDlF5v7hQo/S2oYGQ1MDHnxT3yHny1S1SVCainw=,tag:90pIiVx1lSXsin0b2M2SeA==,type:str] +sops: + age: + - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPU0xlcmV5ZUN3N245eGF0 + ODRabEJLK1huSk80WWhQWUwrT0ZpRzRsdTMwCnlXaEhoY0JBTGhRN3l1ZmorYUtP + NHhHY2QrTDBFaWIxNS9hYnVkOEVMK2MKLS0tIGV3ZXFjTnoyM0c0ZW1ra2dPWmxa + bURRem1aY203VW0ya0tZWUY3WTJLQ3MKonflaevgNP91G1cVgzoE6/K800kyG6BK + Goe81HCYFfm86pzv5wV3/38j7fTZNeZnKwPFkMgEUueF1kA8J9V5CA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-13T22:13:23Z" + mac: ENC[AES256_GCM,data:5iAnRO8VNMf9lg9vrxFROKlMBYOavxND0m7tY91IY7TNy3Hegms72iwFYsRYagOsdNj5udD+jLGGuJTS1thSzpeZJIzDRW8p+Lzr2KNk94aGJKGNnlKPDpthryDJJ/xLonTfovIpJQHPwG26FI2eIVGp1CUh9UXKGOqqZUDMwNQ=,iv:AzZsgeIbmd0xN8adj/hs+VtEFXYaKiXXeQi5kqRQ4E4=,tag:tG5/O4RPcy7wmsu0C2iQ/w==,type:str] + pgp: + - created_at: "2025-06-13T21:18:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//ftUBIqO4dedauhSkSKOH+8elmHe30/Xv2wwAaQiidS8k + J6PTDkgplfBWer/5SpwIVZ9Rgzc/NentDYwIYs4u2ovk4w7uaqCwtSeu1Be+baVh + hHjVUUZu3mbq+9Uwp+hvIavn53tsdAz0WuW5AEqwZZCKJy8r95a2t1BWnNTy6eoN + F9Ihukul26wMRmJxIMqPp8HYKWothkeAhuE67Qsh4Bv2t10XTBV5/Qju94YLU51m + tkq9SfwHlKEqvkRvguUfnUm93xJk1PVxl1PfimhyZ8ch+RCswTFtcLUQvxbbHNKn + nBfQIjkkuZQtP4BkjlLdFr/7N4tbysjYu2aTIP7gmPCSzGs4fv23XNOALLk/N+7s + 
R+tnyaZg5djl8LmD34MVgx1sHV/2Q10lQjE6fmgV54hjVk5qC536fwiqjXOQyvso + QEiIs3SKnAmp93h6VDHIELJJx4Ng2fNjZ1q6w7fJR1XcbnKPLpfXLc0hf13eoAQ5 + jWRmsc+9dL8o32bYlkfbt++R0unJLQ9QMrwqdCH/jv/i6YtJzutcWUZgZPRx4Swh + HIHMlI+bAKGsqIrAFfOIbpRBK537xdjHzX+FDVQ3ld+K9geVwulA1HnVXf8XZJTI + GmW1rqnN/omMr02ekCZil5LrnKs9RaE2VEyK84QfuqwdFFPXXutc2vBuP4jkLuOF + AgwDC9FRLmchgYQBEADB3Z2nHU+08jspiq7l5d8gMD5RfBoHpdNy9JE4bz+z9Mhm + KPu9qNuojovSsiaM9+23oZvRyTKHmgrRKk1eT14BTLhFXWBFAdP10+Hxp8u1hbUK + uGZoMutJtPVBvBYaz+TmQoDaGsbYULfkc4wisOeB7pnbxLrm6N+uJ4eVHSvf6H2d + nHFvgFMTXZwgIPI4G9qg0ygcYI/XwbRssGtwmKHpqc4Xmn5Lg5sVJE+/gkXdyuTj + UEQohQfdg7O6iIWq217DAZpZfKZ06dL3RFkYYQP5R0kCLtKnJOW2wDWMiLwjzagK + zXfNp1gbymqG1gOkOE3sSV09cvSH8YdO8DbWa6it4H58XCnVtnSm4iAB1dLxgOz5 + vwcnqL+9TyIY9VmawoKtjXIXNTnkvRAVEGHVA+zWocmfrvVyxhvlfjV27L3rqlAP + Ambv8nzjHkq5r/vpmP9Rb5oR184gEVlXmrb34hCpJrh25cXGR7tVvFTVpL3/1CoB + kJ0KkKpDpgaJV4zOeqC5KAWomoR4/eeDAg0977umWnw2rqqM6QNgkcbD6G+h+jmQ + owoWb8LMXNKEEUIvEyrsD6lYFJ6y7jmeZEiHLESp4gHm7TE5v1ROR7fPqG7bmBvC + /NyiLd5xT+iOtBk4JCQdHD238tT9EO4RvKToe01TJKuGygNjLjkiOpo9ZrxQT9Jc + AWaSXNBoAXBnNCVkyJCTzK8ejPx6SM1K85q/Micz+eidGKr64ZN2GF2dMSdiwwFN + YbUMFxVF/iB9++97+Ax1GrI4WnBsuA8cz+hTSdIM7GufLJNX73XkOAnK5bs= + =8VK2 + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/secrets/repo/pii.nix.enc b/secrets/repo/pii.nix.enc index a6f95c6..9295802 100644 --- a/secrets/repo/pii.nix.enc +++ b/secrets/repo/pii.nix.enc 
@@ -1,34 +1,38 @@ { - "data": "ENC[AES256_GCM,data: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,iv:8VSsznbOJyV/ZYCP9hKuAprtjssYTQEjW0Z/P5fgYqw=,tag:Tc/N0KgF9sNHuTXjWKksUw==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:D3wUi87sNqZG33GGlDnB1msJF3xvy7dMqQ/8gE5fpZU=,tag:cBqADzZhfiMGMKCUGTpHUg==,type:str]", "sops": { "age": [ { "recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVEtLVVQvTUVGOUtwWmdE\nM291NmRENW5mT3FNa2k4SHNpZWM1V0t5SFcwCjdtQW9jV3d3aDR4M2d5TFRaTEZO\ncXZBazJhc0FsY3dNakxsTGhFaHRLRmcKLS0tIHZMRUYwZHVwV0F2SGV6R0lGZDhW\nVDVIYzhUVlV5TWNQbXBzNTk1LzBGQUUKVsntBAZ6ani53sK7loNBnn8QfXuEOP7s\nY3PEzWyPLxryX8LQ+i7swvv8GaBZ8IxhiyR2dCdoJwQifA7xlkrVkQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOK05CODZFTWk5TkhjZnh1\nNXZjZ2ttM0VndU96Nk5oN3E2VTJhbWloNGpRCk93MkZqTldQNUZNbDJVVjVYTWJu\nZVFBTEFFMVN3cThUd3U2ekttLzJyMTAKLS0tIGFBTmNKOWZiME1hQWpLMXprRzh1\neVpFb0swSnVVRmZFclRjVkd0V0MvQlUK1JUjwmyotjEVt88K9B5EyCGSnTOBlT5g\nyD4wIMSQxm7/E+8F/o9s1aDm3PG9SM2U0A/y5Mb/TWscU34ShnDm+g==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGdWtvVWNRM0VJc1BqRytV\nQjJUMDN0SEMvQVByK0l0ZU5raVlHWTlnb0FnCjdkRm4wcEYydFlncWFjQWoybEtu\na2dHOTFKQkdTa1VZbW81LzhDYTRoekkKLS0tIEZOZXhsdzQ0a01MSThpZUZFNko0\nQ2RULzRxZnIzSi9IRkJXNWhDN0dxUDgKH1e1MDSP3Jex/afETM49iqyMm4fbDMGY\nKsRlVb4+ZiT+opkhEMvdiA/DqtHi8xXTiwyIszWv2m2YwETownbQng==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZlFKQjVCSXRSZUNVMDFs\nd1VYWVp1SkNTclg3REwyMXhlUHlBSm9OWXpRCmU1Mm9ZNW05a1lweUtsVHhLY2ZZ\nZUtaU0tLNlNva2E3VzZFVkZaamJsV3cKLS0tIFE0Nm8wSVRiRW41b1ROTGFQNFA2\nTjRVdHUvN21Vc2ZLL09KS2N3aDVhR28KYTNt5W4NlvkQgcXsJgWzhOMFXX30/DHf\njbpekMCUEd8P7rvV2IrZUUCAd7d72SysWG/1Bjud+7OvE1BLw+001w==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJY2NzUHZ1WDZNQnRqTUI2\ncDQrWjZRSGxqRVJPekV6ZzRNWFdOaS82VFJNCmZVVWpjdTJEcEN2WHZWNG9Cd1Fr\nZXNPb3Q1Nm5mTWJlZ3BLUTZ2bmdFK1UKLS0tIEVCRC9FQXFybExLbVR0Q3pFbDJy\ndVY4bElVRDVYTkRmcW54SUJVcjdmVmsKAQDTjgDxupu+Lbkhks9eR5iouaPe5Ubh\nHLSb6iKFvnaG+vapVNPonLPW0x5Cp8Co5Lh8aTdWvaL8PeKJSnMZ7A==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6Y3BuNFhyYXFJdzdkK1A0\nQytCM1ZHZ3Q1OU9IT0FEWGxnNTc0UDIyWGh3CjV3Z3o4SFlGS0VHOXlNK2pEQW5E\nRFJzMG80eWh1OStObm9GdzlXL3EvaG8KLS0tIDRMUFdFMDFyNFdWcE85Y1p1Rmph\nVHhEdkd6SUxmOFpGcVdIVEtGN1VWZHMKor1bN9dhFbjPq9uhB0Io7Ekg9fVsxANz\n6UerABKTnZcXBzoEzsUKCLGtZQPftW94gwZ18ofE6rQ0Ref/wJMpkg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqV2c4eHlpNlpwNmsxMnM1\nbjQ3SFZlR1hFY3d2WTk5R3NLcllqdzdETjJrClBKWGVwRHlpbENFdElRWGdWNWVE\nL1NBa3d5bnZCVHBRaldQTjFzYnRkc1UKLS0tIDcrOEhNY3Z5VTMzM0RSUm4yNmpW\nM2l1SFpVYXFjNmhSdnBrU0pWYXNXZkUKD0rk5+3McTNhgyJ0e7qpdHTS1ajQ2eZl\nP98G2Xz6zlE7uFxUTyEprPcuvc5SrOpWplemnerhCvwUs78S/fd+jg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldmdYY0o1YlUvbCtSZ1dB\nUzVsbWhvZXV2aDZjKzNWcVk5ZFliN3MzZ2dnClVkV0xRYTBHbXdDQ01hRERBREJj\nQ3ZQZGh3M09IUXJBRzl4OHgwc29idUEKLS0tIG5VSS8rY0g3SEVLaGpheU1YSDRO\nWGNIc1VCcitRTHUxUE8yUU8zZzVMRmcKdZlbPcCgNGz8bm39yULl6ou306ofV1Gn\n6tYYXgEb4PA/VpLSHQBOdO7uaSIb0WSfLRP1Sd75dgsT+WlhQYoHkg==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bFIrQjZ5cUFBQUp4dTRW\ndEdaZys0OHE5L3BPaVNic3ZZRDQ5N09SaGdZCllhWnY4T2lLZzVUMlp5VjMvQ2lP\ndGFNSTBqbjNMaUcwbVRaWFVCazU3OEUKLS0tIHBIWUZCYjFDVDgzbUUxMC9TNzdp\naFdiWmV6TGIva0RNUDNHWmdJZGgzNHMKiIzjo6sH/SP12cAXTvXiP0X9EE/A8Qw1\nIfgZfyEHdf/Mxd/iNzlWb2Nb0MLerYYw/qZ/+L5eDpUr4Vl051qOXA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcnJhbjVlU2gwWU9sOWVG\naHptNlFlRUdjNWFOSkFNdVlwMWNkTWJOcVdZCkEvYTg4MDJ3TWFPdUpzOW9Ma1lN\na3NPZWtYS2FSN3dYbG4vbnE4MGpSVDQKLS0tIHEzTEV4UGdDVy9TUzRQdng5dnhj\nMnpXUUxiUE9UY0V5SXIzMXVLYnM0N0kKkesE0fgETq2RvizLIOMaJpCdcS3tThZE\n8k7cm9iNSpf43wa9Fvszu+hRiPZW9om8caZOiKid5VWBnMEQ3MYvkw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU240VjVRZmJ5TGsrclJF\nRXRLbTRCZURtR0Z3d2E2eDNNeGRDODlXVEY4CllTeVFYbDJQWlRSS1RFLzAxSnlM\nZi9NU1c3cWo3YWRLcUJ2U2ZFWFBBVEEKLS0tIGtmZU9qSWdBT3RDeStaaFFDSWtk\ndkUzZXJwZUl4LzVxYXdidmxXRnNnclUKyAMZqCKSY/RQvTR4bbjLaPnGKwdBcHXc\nvtiVSrLdIdzMa6id/J07TJH5UesUmcp0wjU41MDa4aMBLy+cXhuBHA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-06-12T22:56:18Z", - "mac": 
"ENC[AES256_GCM,data:KnewBjWIibq08JjmotKuJWJS6zqBWH7akh7a5nI3Sq6ae+QINN8M7ueTjdpbq1PqK9leiubbdECT4F/qHwpwmIKEB2vKY8eSsDsmjSmbtVFdYEv4UaOPEJAGr/8u3t7q97m+Ad2P+tLH/jIDc0BXGXYfQYogSiaHqKqytJK9cQo=,iv:8U6m1+00n1Aip08kO2Q0cdX/TnRy7Bpig7b23H6Plgg=,tag:UPskdkeO/qO7RkninZ4jow==,type:str]", + "lastmodified": "2025-06-13T22:20:13Z", + "mac": "ENC[AES256_GCM,data:W+k2UGDwWcS7/rBZQZE8ruU7ma429CdzmbtINtLF2DGz7Ofzj2EwkrVQeEtbUt9k+psSzsxnXD9hnrPzjgId7DGXlKPG55kwL++zuPvAe6qvJ05UhRahJfxBgpD+xcBHkCkQjgQcafOXha+BRKq2u5iSbB6aLxHq0i30xOq/n0E=,iv:g8xtWd6nDCs6WWx1CQRQAFExGFH9YQmgGBzyQNS9q2I=,tag:b9tLJz/JOFnegPQR8h5Zuw==,type:str]", "pgp": [ { - "created_at": "2025-06-11T01:05:00Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//WxrJpUeO3Patchym/u5+UVliqMoHtH0RPDaUNkjwnEXV\ndI5kNkwjTp1FHLLGm8WS4JKVejSmg4RUNIx0h53CViKrw75oMArHpFLF3y0ffsfK\nocvYW3tmtRKSBiv13T9bmo/BglhbuZVPKtSSb+0oo4bhzsQRWj4GBmkLGa4uSbC2\n2+QIk5C0+6IR2BtB4l5Txsx1hu3Z7Hb4uhtmw/veyulpRiI3LwW4FgmO3CVRYw27\noEr+8X/sJ/RVevU0IRKa0mbRi7KYl73JDb4a+VZw2BAFXfI6SuOtJfxW8oTPTYjC\nIf/ZRaa9tLvf1Q1cicnmth8I1WlwGUA8P2vBolxLhA46UxlpbdeBqXwunswWAEWw\nt/AYr3loNDeV2A0kUoUtI0TNFVOZBRK4zvEYoRP9My4A7ZNSCy1KCXie7UJs7YOH\nCtlNwArJxAXhOYQuN5amvHsvM99/fXeztqvj43uNVaoOFA73+s70WyscvPxeQKKt\nY5y2Xs/iCPnV6p1gEUgeqEd7IDxYicqEZS1rrC+vLffPxmw9aLMCBjzPdfNCOiIM\njOOMt3zU2dyHgeSarpTWheVZc6j0bOAi8pyfcxoAQgxFhMOmArQPYt+D8NMIJV7U\nnteZCWikYGXh3apEA/cxgNDOFMa3SzQNRI5Fw3vX5ab/GNm9XBe6L4lOV5oY8z2F\nAgwDC9FRLmchgYQBD/9CSRv2RDKnFqbvoEThajl5JTGE3kWEf4WrIcB7e78OPa9r\nXj88CpwwblBLt5GJno5t2pThO4t9jn+VvqfX8h1B+NNR4S4T66Ng2n8SXIfhmSgA\nW71tkaAYWCPMg/sp0pc5C6HttsWf9nhrthxHA41WbHXAtmPTh44YrDA2pRlozQNb\n2qxJs4jnSqhlz8CS8/LZ1IMyJKDfD8vlGJ6FcvPh1vjnO3jOa/DnuK2nxmoqpg23\nN2niPqPhcNkMmaQwdsOUxuRg+2sR1RecTI9YO0dY9s2225PObv6c58BicF9+76Bm\nASTGY5lKCwAS1mVdSuaujImWguEoG3JDZY2NaZa0bqkXbHU3htAo+/QdssMnr7BG\n/KzReLMDJqHhcDx9PRaOylEVi16RjTDLoWlaPDv45q5C78e9LVrVdrFrvPC5+IPY\nBElAtXUk7J9+siIlOPETkYIha9vtQMp6It+1zmgcj9L3ziLPtSJGS/MmG6ipS73w\nku1bKWmWMKiFY6ewUeTZRhyHBi/Zp/25j1XN+
NC2pPyqL2bkLCXMP4thMMqykBu1\nQtD6G3KTpfxhKudRpQWWBf6YjI0h5/P50Z74ruVNSAjB/IJ4p8uVSsFiMRb4OYDA\nb5L2GRmDmqo8/zh45WP0Qe931zBNYnskZXGfdSdXAyO+DkKVv6GSI6uWKtZl29Jc\nAbDEhXsCr9rREBVDbrSEfiI26nxBZQyZxAj4sozfxBu425bAi2suLt5TilkWWZrD\nR6dedAYVESvFjU3Zd4Saru0Ko6FvTm5EWjQzofCU94mviStnFoMqFrjA00Y=\n=Z2Jy\n-----END PGP MESSAGE-----", + "created_at": "2025-06-13T20:13:06Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAmZXyxrBEhacTQUwv9FVbGqeRHWUXrpJRybOA8pufPNnx\nLiwPK9op9HhMqfJ8uirmtsUhDg3lPCQRmnCMHpJt2Uy71SVomp9zkAQTRDFOp22E\n1SAAGEF1q4AP4YdM05iJcsxjQi7+2mufwrxxVdND+qjj4xbop5rFL2PNZUhJeCEz\nfFBdu8bL+IfHASN6xJDtgxat0shh2+hYebdDriu7JmlfvLtsTHRzsWJqNPQ45/+N\ni7LQTgkDDfCm+IDJ4sG5dJDovLCzgwiYtmRjaoRQFYGOEgPAoUcDQSYfHoCGCQ7a\naALczQHIZ4ant2kfQxcpM3nYXpCmBm+gu+VzggLMGpgYeajiquXszdLbqhHs7KqM\nsBSWpDyhNgAzr1+5nBkpkRmZTeelZQkFKukNLx9Xa0DJTTsDsnVB2AsFixqDrDnf\nb768FvRWtJgKQ/igY5sItD5qUA/mHpE/eXn8EhTdrGoFvTIxjzWuxQ+l+bHbUwqk\nHj3rJFPp1jJQshqToa/J1cASli9kOarh8+nl3/b+dfhiQ0ttpoE9W95LTsYprPfI\nMG9chQ5rOBO0Z/dQSuB33c5wrKm76dqNJG+zJht8bZxQw9lS8Ish86dZkdf8GVWP\nxPHx8A7RfLoMKI4huBXJ9uLtr1CJ9odzjTiH1zQZmpaU8ZeVvKpgjiSxM1L5OqqF\nAgwDC9FRLmchgYQBD/99rzXeVRHewJGRjIQ3tH79rmSA0teEPH42P4BJmYbStgVB\n+v0fuJ4GgPMcYDFlK2xcn2W78PU+/hgmfXwuIMkXCFv+SCKB+tgulIFmvOTrsyUl\nTQdzRisnLt+wc5+Sv6vSeOwRAwYlLrFfBBf2gtyxNDS64xelpILKCvWkLXEbI77p\nUdHRAZFesZgVv1jYVDQekHSFg4wPouWlqf28Btj5FsrDlr6/urLc5LOZEbUrXVj+\nZ61oNdC867xUyMQng/Scco58ysUWVlNDkR5mI9Utop1PPkzEMEsS5wPqw3oVlTsT\n3SqxUNAivZUakENbk6kKQmzLDwZ4ZduNJOwvopOoYHme5eC3yVjj7JpGSYmL2CsS\nHmByP1I8bCYibLOeNKiNLZ8uTdNunYuwNW3xnqOcwbPjtTlf0crfDQPB5HkYqs+F\nJw5p+UUP51Ls35MFfLf1zwiIE1WbkX3//BFTdhCgdPdXP+OZmhnDoP2VR7b0JdRx\n7IHvEDmw35s02XBDWS1fY5rJDcnaUOoyjM1EACIR3ArIuAeJr5CtzXxM3+pt4e4O\noEC1t8C7/W5DOLGgeki1lXipGHg2yZH5RSf66DjUNta1rIH4VsA5PoOShEy9dWCF\nWR018lWIFfpiRYAD3KQ2SvjuSAs8zSZW9QlXN2t1J9BM82etvR8bObhKIJE3Q9Jc\nARN4GVV0kpVwHH/kmXeoi+WcwfUVCuWQXH47Wf++UzzTJnBFUc2uQeWGQZLyb+qF\nfLb3MJwImA68QUz54a3YDaNsm1J6x4swR5bcRkUMsdozzSDInz5i0NsZrE0=\n=CQXY\n-----END
 PGP MESSAGE-----", "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" } ],