swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 00:57:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: add moonside

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-06-13 19:36:28 +02:00
parent 80d4a38a1c
commit 22fe55c284
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
20 changed files with 1034 additions and 122 deletions
Download patch file Download diff file Expand all files Collapse all files

59
.sops.yaml
View file

@ -11,6 +11,7 @@ keys:
- &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
- &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
- &sync age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h - &sync age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h
- &moonside age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
creation_rules: creation_rules:
- path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
@ -21,28 +22,6 @@ creation_rules:
- *toto - *toto
- *surface - *surface
- *nbl - *nbl
- path_regex: hosts/nixos/nbl-imba-2/secrets/pii.nix.enc
key_groups:
- pgp:
- *swarsel
age:
- *nbl
- path_regex: hosts/nixos/winters/secrets/pii.nix.enc
key_groups:
- pgp:
- *swarsel
age:
- *winters
- path_regex: hosts/nixos/sync/secrets/pii.nix.enc
key_groups:
- pgp:
- *swarsel
age:
- *sync
- path_regex: hosts/darwin/nbm-imba-166/secrets/pii.nix.enc
key_groups:
- pgp:
- *swarsel
- path_regex: secrets/repo/[^/]+$ - path_regex: secrets/repo/[^/]+$
key_groups: key_groups:
- pgp: - pgp:
@ -53,6 +32,7 @@ creation_rules:
- *surface - *surface
- *nbl - *nbl
- *sync - *sync
- *moonside
- path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
- pgp: - pgp:
@ -62,6 +42,13 @@ creation_rules:
- *toto - *toto
- *surface - *surface
- *winters - *winters
- *moonside
- path_regex: secrets/moonside/secrets.yaml
key_groups:
- pgp:
- *swarsel
age:
- *moonside
- path_regex: secrets/winters/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/winters/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
- pgp: - pgp:
@ -80,3 +67,31 @@ creation_rules:
- *swarsel - *swarsel
age: age:
- *sync - *sync
- path_regex: hosts/nixos/nbl-imba-2/secrets/pii.nix.enc
key_groups:
- pgp:
- *swarsel
age:
- *nbl
- path_regex: hosts/nixos/winters/secrets/pii.nix.enc
key_groups:
- pgp:
- *swarsel
age:
- *winters
- path_regex: hosts/nixos/sync/secrets/pii.nix.enc
key_groups:
- pgp:
- *swarsel
age:
- *sync
- path_regex: hosts/nixos/moonside/secrets/pii.nix.enc
key_groups:
- pgp:
- *swarsel
age:
- *moonside
- path_regex: hosts/darwin/nbm-imba-166/secrets/pii.nix.enc
key_groups:
- pgp:
- *swarsel

464
SwarselSystems.org
View file

@ -1450,6 +1450,385 @@ This machine mainly acts as an external sync helper. It manages the following th
} }
#+end_src
**** Moonside (OCI)
***** Main Configuration
#+begin_src nix :tangle hosts/nixos/moonside/default.nix
{ lib, config, primaryUser, ... }:
let
inherit (config.repo.secrets.common) workHostName;
inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
sharedOptions = {
isBtrfs = true;
isLinux = true;
};
in
{
imports = [
./hardware-configuration.nix
./disk-config.nix
];
sops = {
age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml";
secrets = {
wireguard-private-key = { };
};
};
boot = {
loader.systemd-boot.enable = true;
tmp.cleanOnBoot = true;
};
environment.etc."issue".text = "\4";
networking = {
nftables.enable = lib.mkForce false;
hostName = "moonside";
enableIPv6 = false;
domain = "subnet03291956.vcn03291956.oraclevcn.com";
firewall = {
allowedTCPPorts = [ 80 443 8384 ];
};
wireguard = {
enable = true;
interfaces = {
home-vpn = {
privateKeyFile = config.sops.secrets.wireguard-private-key.path;
ips = [ "192.168.3.4/24" ];
peers = [
{
publicKey = "NNGvakADslOTCmN9HJOW/7qiM+oJ3jAlSZGoShg4ZWw=";
name = "moonside";
persistentKeepalive = 25;
endpoint = "${config.repo.secrets.common.ipv4}:51820";
allowedIPs = [ "192.168.3.0/24" ];
}
];
};
};
};
};
hardware = {
enableAllFirmware = lib.mkForce false;
};
system.stateVersion = "23.11";
node.secretsDir = ./secrets;
services = {
nginx = {
virtualHosts = {
"syncthing.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:8384/";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
syncthing = {
enable = true;
guiAddress = "0.0.0.0:8384";
openDefaultPorts = true;
relay.enable = false;
settings = {
urAccepted = -1;
devices = {
"magicant" = {
id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
};
"winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
};
"${workHostName}" = {
id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB";
};
"${dev1}" = {
id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7";
};
"${dev2}" = {
id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH";
};
"${dev3}" = {
id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR";
};
};
folders = {
"Default Folder" = lib.mkForce {
path = "/sync/Sync";
type = "receiveonly";
versioning = null;
devices = [ "winters" "magicant" "${workHostName}" ];
id = "default";
};
"Obsidian" = {
path = "/sync/Obsidian";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" "${workHostName}" ];
id = "yjvni-9eaa7";
};
"Org" = {
path = "/sync/Org";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" "${workHostName}" ];
id = "a7xnl-zjj3d";
};
"Vpn" = {
path = "/sync/Vpn";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" "${workHostName}" ];
id = "hgp9s-fyq3p";
};
".elfeed" = {
path = "/sync/elfeed";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" ];
id = "h7xbs-fs9v1";
};
"Documents" = {
path = "/sync/Documents";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "2";
};
devices = [ "winters" ];
id = "hgr3d-pfu3w";
};
"runandbun" = {
path = "/sync/runandbun";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" ];
id = "kwnql-ev64v";
};
"${loc1}" = {
path = "/sync/${loc1}";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "3";
};
devices = [ dev1 dev2 dev3 ];
id = "5gsxv-rzzst";
};
};
};
};
};
swarselsystems = lib.recursiveUpdate
{
flakePath = "/home/swarsel/.dotfiles";
isImpermanence = true;
isSecureBoot = false;
isCrypted = false;
isSwap = false;
rootDisk = "/dev/sda";
profiles = {
server.moonside = true;
};
}
sharedOptions;
home-manager.users."${primaryUser}" = {
home.stateVersion = lib.mkForce "23.11";
swarselsystems = lib.recursiveUpdate
{ }
sharedOptions;
};
}
#+end_src
***** hardware-configuration
loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
#+begin_src nix :tangle hosts/nixos/moonside/hardware-configuration.nix
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}
#+end_src
***** disko
:PROPERTIES:
:CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d
:END:
#+begin_src nix :tangle hosts/nixos/moonside/disk-config.nix
# NOTE: ... is needed because dikso passes diskoFile
{ lib
, config
, rootDisk
, ...
}:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
disk1 = {
type = "disk";
device = "/dev/sdb";
content = {
type = "gpt";
partitions = {
sync = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-L" "sync" "-f" ]; # force overwrite
subvolumes = {
"/sync" = {
mountpoint = "/sync";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}
#+end_src #+end_src
*** Utility hosts *** Utility hosts
:PROPERTIES: :PROPERTIES:
@ -1528,12 +1907,13 @@ This is a slim setup for developing base configuration. I do not track the hardw
{ {
wallpaper = self + /wallpaper/lenovowp.png; wallpaper = self + /wallpaper/lenovowp.png;
isImpermanence = true; isImpermanence = true;
isCrypted = true; isCrypted = false;
isSecureBoot = false; isSecureBoot = false;
isSwap = true; isSwap = false;
swapSize = "8G"; swapSize = "8G";
# rootDisk = "/dev/nvme0n1"; # rootDisk = "/dev/nvme0n1";
rootDisk = "/dev/vda"; rootDisk = "/dev/sda";
# rootDisk = "/dev/vda";
} }
sharedOptions; sharedOptions;
@ -2925,7 +3305,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
green "Making ssh_host_ed25519_key available to home-manager for user $target_user" green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
$scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key $scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key
$ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key" $ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key"
# __________________________ # __________________________
if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then
@ -4246,7 +4626,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
swarselsystems = { swarselsystems = {
modules = { modules = {
general = lib.mkDefault true; general = lib.mkDefault true;
nix-ld = lib.mkDefault true;
pii = lib.mkDefault true; pii = lib.mkDefault true;
home-manager = lib.mkDefault true; home-manager = lib.mkDefault true;
home-managerExtra = lib.mkDefault true; home-managerExtra = lib.mkDefault true;
@ -4308,7 +4687,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
general = lib.mkDefault true; general = lib.mkDefault true;
packages = lib.mkDefault true; packages = lib.mkDefault true;
sops = lib.mkDefault true; sops = lib.mkDefault true;
nfs = lib.mkDefault true;
nginx = lib.mkDefault true; nginx = lib.mkDefault true;
ssh = lib.mkDefault true; ssh = lib.mkDefault true;
forgejo = lib.mkDefault true; forgejo = lib.mkDefault true;
@ -4320,6 +4698,37 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
} }
#+end_src
***** Moonside
#+begin_src nix :tangle profiles/nixos/moonside/default.nix :mkdirp yes
{ lib, config, ... }:
{
options.swarselsystems.profiles.server.moonside = lib.mkEnableOption "is this a moonside server";
config = lib.mkIf config.swarselsystems.profiles.server.moonside {
swarselsystems = {
modules = {
general = lib.mkDefault true;
pii = lib.mkDefault true;
home-manager = lib.mkDefault true;
home-managerExtra = lib.mkDefault true;
xserver = lib.mkDefault true;
time = lib.mkDefault true;
users = lib.mkDefault true;
impermanence = lib.mkDefault true;
server = {
general = lib.mkDefault true;
packages = lib.mkDefault true;
sops = lib.mkDefault true;
nginx = lib.mkDefault true;
ssh = lib.mkDefault true;
};
};
};
};
}
#+end_src #+end_src
**** home-manager **** home-manager
:PROPERTIES: :PROPERTIES:
@ -4806,6 +5215,7 @@ in
# Decrypt only if necessary # Decrypt only if necessary
if [[ ! -e $out ]]; then if [[ ! -e $out ]]; then
echo "authenticate:"
agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key)
SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file" SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file"
fi fi
@ -5962,31 +6372,34 @@ Here I disable global completion to prevent redundant compinit calls and cache i
"winters" = { "winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
}; };
"moonside (@oracle)" = {
id = "YJLYL4Z-JIYHFKX-554ZR7B-YAF3PNH-CX7JF53-NYUMVGL-4EWWASH-GDAMBQA";
};
}; };
folders = { folders = {
"Default Folder" = lib.mkDefault { "Default Folder" = lib.mkDefault {
path = "${homeDir}/Sync"; path = "${homeDir}/Sync";
devices = [ "sync (@oracle)" "magicant" "winters" ]; devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ];
id = "default"; id = "default";
}; };
"Obsidian" = { "Obsidian" = {
path = "${homeDir}/Nextcloud/Obsidian"; path = "${homeDir}/Nextcloud/Obsidian";
devices = [ "sync (@oracle)" "magicant" "winters" ]; devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ];
id = "yjvni-9eaa7"; id = "yjvni-9eaa7";
}; };
"Org" = { "Org" = {
path = "${homeDir}/Nextcloud/Org"; path = "${homeDir}/Nextcloud/Org";
devices = [ "sync (@oracle)" "magicant" "winters" ]; devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ];
id = "a7xnl-zjj3d"; id = "a7xnl-zjj3d";
}; };
"Vpn" = { "Vpn" = {
path = "${homeDir}/Vpn"; path = "${homeDir}/Vpn";
devices = [ "sync (@oracle)" "magicant" "winters" ]; devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ];
id = "hgp9s-fyq3p"; id = "hgp9s-fyq3p";
}; };
".elfeed" = { ".elfeed" = {
path = "${homeDir}/.elfeed"; path = "${homeDir}/.elfeed";
devices = [ "sync (@oracle)" "magicant" "winters" ]; devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ];
id = "h7xbs-fs9v1"; id = "h7xbs-fs9v1";
}; };
}; };
@ -6429,7 +6842,7 @@ Normally, doing that also resets the lecture that happens on the first use of =s
{ config, lib, ... }: { config, lib, ... }:
let let
mapperTarget = lib.swarselsystems.mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos"; mapperTarget = lib.swarselsystems.mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos";
inherit (config.swarselsystems) homeDir isImpermanence isCrypted; inherit (config.swarselsystems) isImpermanence isCrypted;
in in
{ {
options.swarselsystems.modules.impermanence = lib.mkEnableOption "impermanence config"; options.swarselsystems.modules.impermanence = lib.mkEnableOption "impermanence config";
@ -6498,23 +6911,20 @@ Normally, doing that also resets the lecture that happens on the first use of =s
hideMounts = true; hideMounts = true;
directories = directories =
[ [
"/.cache/nix"
"/srv"
"/etc/nixos"
"/etc/nix" "/etc/nix"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/var/lib/nixos"
{
directory = "/var/tmp/nix-import-encrypted"; # Decrypted repo-secrets can be kept
mode = "1777";
}
# "/etc/secureboot" # "/etc/secureboot"
"${homeDir}/.dotfiles"
"/var/db/sudo"
"/var/cache"
"/var/lib"
]; ];
files = [ files = [
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key" "/etc/machine-id"
"/etc/ssh/ssh_host_rsa_key.pub"
]; ];
}; };
}; };
@ -6886,10 +7296,13 @@ Here we just define some aliases for rebuilding the system, and we allow some in
gnupg gnupg
nix-index nix-index
nvd nvd
nix-output-monitor
ssh-to-age ssh-to-age
git git
emacs emacs
vim vim
sops
swarsel-deploy
]; ];
}; };
} }
@ -10030,10 +10443,13 @@ Options that I need specifically at work. There are more options at [[#h:f0b2ea9
"winters" = { "winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
}; };
"moonside (@oracle)" = {
id = "YJLYL4Z-JIYHFKX-554ZR7B-YAF3PNH-CX7JF53-NYUMVGL-4EWWASH-GDAMBQA";
};
folders = { folders = {
"Documents" = { "Documents" = {
path = "${homeDir}/Documents"; path = "${homeDir}/Documents";
devices = [ "magicant" "winters" ]; devices = [ "magicant" "winters" "moonside (@oracle)" ];
id = "hgr3d-pfu3w"; id = "hgr3d-pfu3w";
}; };
}; };
@ -10910,6 +11326,10 @@ It is very convenient to have SSH aliases in place for machines that I use. This
hostname = "193.122.53.173"; hostname = "193.122.53.173";
user = "root"; user = "root";
}; };
"moonside" = {
hostname = "130.61.238.239";
user = "root";
};
"songdiver" = { "songdiver" = {
hostname = "89.168.100.65"; hostname = "89.168.100.65";
user = "ubuntu"; user = "ubuntu";

216
hosts/nixos/moonside/default.nix Normal file
View file

@ -0,0 +1,216 @@
{ lib, config, primaryUser, ... }:
let
inherit (config.repo.secrets.common) workHostName;
inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
sharedOptions = {
isBtrfs = true;
isLinux = true;
};
in
{
imports = [
./hardware-configuration.nix
./disk-config.nix
];
sops = {
age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml";
secrets = {
wireguard-private-key = { };
};
};
boot = {
loader.systemd-boot.enable = true;
tmp.cleanOnBoot = true;
};
environment.etc."issue".text = "\4";
networking = {
nftables.enable = lib.mkForce false;
hostName = "moonside";
enableIPv6 = false;
domain = "subnet03291956.vcn03291956.oraclevcn.com";
firewall = {
allowedTCPPorts = [ 80 443 8384 ];
};
wireguard = {
enable = true;
interfaces = {
home-vpn = {
privateKeyFile = config.sops.secrets.wireguard-private-key.path;
ips = [ "192.168.3.4/24" ];
peers = [
{
publicKey = "NNGvakADslOTCmN9HJOW/7qiM+oJ3jAlSZGoShg4ZWw=";
name = "moonside";
persistentKeepalive = 25;
endpoint = "${config.repo.secrets.common.ipv4}:51820";
allowedIPs = [ "192.168.3.0/24" ];
}
];
};
};
};
};
hardware = {
enableAllFirmware = lib.mkForce false;
};
system.stateVersion = "23.11";
node.secretsDir = ./secrets;
services = {
nginx = {
virtualHosts = {
"syncthing.swarsel.win" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:8384/";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
syncthing = {
enable = true;
guiAddress = "0.0.0.0:8384";
openDefaultPorts = true;
relay.enable = false;
settings = {
urAccepted = -1;
devices = {
"magicant" = {
id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
};
"winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
};
"${workHostName}" = {
id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB";
};
"${dev1}" = {
id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7";
};
"${dev2}" = {
id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH";
};
"${dev3}" = {
id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR";
};
};
folders = {
"Default Folder" = lib.mkForce {
path = "/sync/Sync";
type = "receiveonly";
versioning = null;
devices = [ "winters" "magicant" "${workHostName}" ];
id = "default";
};
"Obsidian" = {
path = "/sync/Obsidian";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" "${workHostName}" ];
id = "yjvni-9eaa7";
};
"Org" = {
path = "/sync/Org";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" "${workHostName}" ];
id = "a7xnl-zjj3d";
};
"Vpn" = {
path = "/sync/Vpn";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" "${workHostName}" ];
id = "hgp9s-fyq3p";
};
".elfeed" = {
path = "/sync/elfeed";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" ];
id = "h7xbs-fs9v1";
};
"Documents" = {
path = "/sync/Documents";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "2";
};
devices = [ "winters" ];
id = "hgr3d-pfu3w";
};
"runandbun" = {
path = "/sync/runandbun";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" ];
id = "kwnql-ev64v";
};
"${loc1}" = {
path = "/sync/${loc1}";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "3";
};
devices = [ dev1 dev2 dev3 ];
id = "5gsxv-rzzst";
};
};
};
};
};
swarselsystems = lib.recursiveUpdate
{
flakePath = "/home/swarsel/.dotfiles";
isImpermanence = true;
isSecureBoot = false;
isCrypted = false;
isSwap = false;
rootDisk = "/dev/sda";
profiles = {
server.moonside = true;
};
}
sharedOptions;
home-manager.users."${primaryUser}" = {
home.stateVersion = lib.mkForce "23.11";
swarselsystems = lib.recursiveUpdate
{ }
sharedOptions;
};
}

124
hosts/nixos/moonside/disk-config.nix Normal file
View file

@ -0,0 +1,124 @@
# NOTE: ... is needed because dikso passes diskoFile
{ lib
, config
, rootDisk
, ...
}:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
disk1 = {
type = "disk";
device = "/dev/sdb";
content = {
type = "gpt";
partitions = {
sync = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-L" "sync" "-f" ]; # force overwrite
subvolumes = {
"/sync" = {
mountpoint = "/sync";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}

15
hosts/nixos/moonside/hardware-configuration.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}

22
hosts/nixos/moonside/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,22 @@
{
"data": "ENC[AES256_GCM,data:CmkNQJe2siUanybNt9Nv8JSsOnJuoLUOpAPXbACPQFLc4YL9u5R9wImwbbOOgXGfVl8hQwYS5dc+2nu4kj11zdT4mCe62/fO+HgIMBEbU/c0zGZj2hjArJYBkOCHQYu1IzgXdACyamJ9s3MVe0xGJUkwK93X+89YQpc=,iv:9tzNWIk10A4w986fo6pkpaUvo4+y5+RD+OmBksy9TbU=,tag:r5Dlv/HGwtlAdKp3HsKiMg==,type:str]",
"sops": {
"age": [
{
"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-06-13T17:33:11Z",
"mac": "ENC[AES256_GCM,data:/PDAd2LB2n3gwnaYaUHDHT/Ze1YxXTA0wDxAZEc72B9DQO8trN0XISSqQ3YbopOy8J7wZu/HveX5nx4zoCPKcrMtqtFtlyviAE5Afl+3XcgKcNOGK/0yCq1fAD6q8Lfsl/t/5/4qXA5jlhobVmsDFfXJ8woYqCLijZXNNkc3X+w=,iv:Q9yngw0Z6aS1aB/iF6+oFoCYg1yN+mNKEsv8zaX4ba0=,tag:470JaIY68O3NublQLYw7GA==,type:str]",
"pgp": [
{
"created_at": "2025-06-13T20:12:55Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/9HYZO7Bu/PhfIEnzlD9RpDhgk79rSdl9rfrssXOhsXh6j\ne016mp6UswsFuNUCArHOzOQ0wF7QolP/TW4ZAXK/Rb1cTr88JVuGy9UPx5cLHlaU\nZBmhFZjkYYIuYkPgKc/ztcsqGrJ/gqz15hjerFIB2vbcFRKfxN5xwIxb/hC8dWdF\n1V5iJhyTwvITBzXSJ4PfOh2RjfGmytKd5/Gf1DouW1H2Y7JgNSZPmesci5BUYyDd\nkt+rUjwe3FefOfzPVCA7ojfBuNxhU1sLJiEbGqEwd4XkwzU421jOIEzLM7qhUbGx\n0HzPUflTO85acBpwP3vf0NtsJXZyYG4/v81GLm11MEpwt5n/nJaxokbbT8CPKVpN\n8gXSwO2VhIDFWGeRMvfG3NNmwnJRJiSS0FTpRwqt3bF7btBfEE75HTGZq0qI+p+3\nPPqWz3SLMeAQvTqmscGpuIATX5PEDm+knq/D9W903mLeACZEMy8Tk1LDyuwJCK01\nJX687nOKgWfsq0PnhItF5Z1jfSMbJb6g3fH2Fpn6aB9bx9WNARNu2s28s3StE31K\nLtAvRsWNH6UzfO3VHMkphHrd7ARDre4pCeHs8B3wy+HswZxO2FEawTD0Ps0hejNF\nZPI18eTmCu6zuumhBwM72BZlWBj50HoqampjYtnlf3JemhYVysCbwyqou+i4S1yF\nAgwDC9FRLmchgYQBEACZ3fR5HsgS6ko5QCns6nqYfZyR2o6hyKb1iaH0veJEL9DI\n+EBaBJ6+8GPNETMACVz+wGd+GadoNWfgFNcUMz4TobTFGwsjmj5WRllxMtX1RNmf\nnqvMSflKk13DIHLbmsY4bGml0BE/ssLj0SiXOAmUWUZOMT+/+griCs4Er/fxphjA\nN3J+G83Prvynn8o924Ct1Q2wDXCWm6MENbbzts03IgkDHK1bCYVsTQ/ca2v+zB5g\nzRUR6xbi7Ysgco/DwDSu9DWIyNOMnsKnS3Mng/vXPoimlof4xGKMHRzrqdP5l95M\ntx2+/l4UNg5aQms8h9MML7AzVmVfJu3pLM9IE89WjVBgNE5/sQEfg7G7WvBBdfoR\njAHhkHOfZDlEjOnQzTR5MYZ57BGIGhHSOrg+IIX1zYaTNFEcnkfpLIJ71KOSs35w\n0hxud2CzFjxnbknvZP5myrMPwfQ1TJmR4PAWE1+XRMze18wCnXcosT7r+I/yc0mG\nhD1Q2YW0qYOY+AhOgshJ+OOvybaPFc8VlDriLoAqLXY0VaQVBIZGTHDY1SFUI4kY\ngMgmKJsWK0wn05J31FSdXYCEQubqClSN1BT+e0ceDnkioVvbTqwRBcOTXkQ9JFiA\nn65f6Ul4q9/ugOgLmrFiLDjdkmkdOOXo7QcgZrOL68+8c1xIxmhEgKobK5wBUtJc\nAXHosTJgXYvXHKDiZpFpN1gI2Y02tbxAb0Vois+ZZcP8AX0t++tZKARwguft0zr+\nWGhdQoGVeiQkAGXOgot66nGOtq/MtChmMZFEG63mc2B+84OOZBcXf66vsdU=\n=nCdw\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

7
hosts/nixos/toto/default.nix
View file

@ -59,12 +59,13 @@ in
{ {
wallpaper = self + /wallpaper/lenovowp.png; wallpaper = self + /wallpaper/lenovowp.png;
isImpermanence = true; isImpermanence = true;
isCrypted = true; isCrypted = false;
isSecureBoot = false; isSecureBoot = false;
isSwap = true; isSwap = false;
swapSize = "8G"; swapSize = "8G";
# rootDisk = "/dev/nvme0n1"; # rootDisk = "/dev/nvme0n1";
rootDisk = "/dev/vda"; rootDisk = "/dev/sda";
# rootDisk = "/dev/vda";
} }
sharedOptions; sharedOptions;

4
modules/home/common/ssh.nix
View file

@ -26,6 +26,10 @@
hostname = "193.122.53.173"; hostname = "193.122.53.173";
user = "root"; user = "root";
}; };
"moonside" = {
hostname = "130.61.238.239";
user = "root";
};
"songdiver" = { "songdiver" = {
hostname = "89.168.100.65"; hostname = "89.168.100.65";
user = "ubuntu"; user = "ubuntu";

17
modules/nixos/common/impermanence.nix
View file

@ -1,7 +1,7 @@
{ config, lib, ... }: { config, lib, ... }:
let let
mapperTarget = lib.swarselsystems.mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos"; mapperTarget = lib.swarselsystems.mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos";
inherit (config.swarselsystems) homeDir isImpermanence isCrypted; inherit (config.swarselsystems) isImpermanence isCrypted;
in in
{ {
options.swarselsystems.modules.impermanence = lib.mkEnableOption "impermanence config"; options.swarselsystems.modules.impermanence = lib.mkEnableOption "impermanence config";
@ -70,23 +70,20 @@ in
hideMounts = true; hideMounts = true;
directories = directories =
[ [
"/.cache/nix"
"/srv"
"/etc/nixos"
"/etc/nix" "/etc/nix"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/var/lib/nixos"
{
directory = "/var/tmp/nix-import-encrypted"; # Decrypted repo-secrets can be kept
mode = "1777";
}
# "/etc/secureboot" # "/etc/secureboot"
"${homeDir}/.dotfiles"
"/var/db/sudo"
"/var/cache"
"/var/lib"
]; ];
files = [ files = [
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key" "/etc/machine-id"
"/etc/ssh/ssh_host_rsa_key.pub"
]; ];
}; };
}; };

13
modules/nixos/common/syncthing.nix
View file

@ -22,31 +22,34 @@ in
"winters" = { "winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
}; };
"moonside (@oracle)" = {
id = "YJLYL4Z-JIYHFKX-554ZR7B-YAF3PNH-CX7JF53-NYUMVGL-4EWWASH-GDAMBQA";
};
}; };
folders = { folders = {
"Default Folder" = lib.mkDefault { "Default Folder" = lib.mkDefault {
path = "${homeDir}/Sync"; path = "${homeDir}/Sync";
devices = [ "sync (@oracle)" "magicant" "winters" ]; devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ];
id = "default"; id = "default";
}; };
"Obsidian" = { "Obsidian" = {
path = "${homeDir}/Nextcloud/Obsidian"; path = "${homeDir}/Nextcloud/Obsidian";
devices = [ "sync (@oracle)" "magicant" "winters" ]; devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ];
id = "yjvni-9eaa7"; id = "yjvni-9eaa7";
}; };
"Org" = { "Org" = {
path = "${homeDir}/Nextcloud/Org"; path = "${homeDir}/Nextcloud/Org";
devices = [ "sync (@oracle)" "magicant" "winters" ]; devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ];
id = "a7xnl-zjj3d"; id = "a7xnl-zjj3d";
}; };
"Vpn" = { "Vpn" = {
path = "${homeDir}/Vpn"; path = "${homeDir}/Vpn";
devices = [ "sync (@oracle)" "magicant" "winters" ]; devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ];
id = "hgp9s-fyq3p"; id = "hgp9s-fyq3p";
}; };
".elfeed" = { ".elfeed" = {
path = "${homeDir}/.elfeed"; path = "${homeDir}/.elfeed";
devices = [ "sync (@oracle)" "magicant" "winters" ]; devices = [ "sync (@oracle)" "magicant" "winters" "moonside (@oracle)" ];
id = "h7xbs-fs9v1"; id = "h7xbs-fs9v1";
}; };
}; };

5
modules/nixos/optional/work.nix
View file

@ -174,10 +174,13 @@ in
"winters" = { "winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
}; };
"moonside (@oracle)" = {
id = "YJLYL4Z-JIYHFKX-554ZR7B-YAF3PNH-CX7JF53-NYUMVGL-4EWWASH-GDAMBQA";
};
folders = { folders = {
"Documents" = { "Documents" = {
path = "${homeDir}/Documents"; path = "${homeDir}/Documents";
devices = [ "magicant" "winters" ]; devices = [ "magicant" "winters" "moonside (@oracle)" ];
id = "hgr3d-pfu3w"; id = "hgr3d-pfu3w";
}; };
}; };

3
modules/nixos/server/packages.nix
View file

@ -6,10 +6,13 @@
gnupg gnupg
nix-index nix-index
nvd nvd
nix-output-monitor
ssh-to-age ssh-to-age
git git
emacs emacs
vim vim
sops
swarsel-deploy
]; ];
}; };
} }

1
nix/sops-decrypt-and-cache.sh
View file

@ -28,6 +28,7 @@ mkdir -p "$(dirname "$out")"
# Decrypt only if necessary # Decrypt only if necessary
if [[ ! -e $out ]]; then if [[ ! -e $out ]]; then
echo "authenticate:"
agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key)
SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file" SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file"
fi fi

1
profiles/nixos/localserver/default.nix
View file

@ -5,7 +5,6 @@
swarselsystems = { swarselsystems = {
modules = { modules = {
general = lib.mkDefault true; general = lib.mkDefault true;
nix-ld = lib.mkDefault true;
pii = lib.mkDefault true; pii = lib.mkDefault true;
home-manager = lib.mkDefault true; home-manager = lib.mkDefault true;
home-managerExtra = lib.mkDefault true; home-managerExtra = lib.mkDefault true;

26
profiles/nixos/moonside/default.nix Normal file
View file

@ -0,0 +1,26 @@
{ lib, config, ... }:
{
options.swarselsystems.profiles.server.moonside = lib.mkEnableOption "is this a moonside server";
config = lib.mkIf config.swarselsystems.profiles.server.moonside {
swarselsystems = {
modules = {
general = lib.mkDefault true;
pii = lib.mkDefault true;
home-manager = lib.mkDefault true;
home-managerExtra = lib.mkDefault true;
xserver = lib.mkDefault true;
time = lib.mkDefault true;
users = lib.mkDefault true;
impermanence = lib.mkDefault true;
server = {
general = lib.mkDefault true;
packages = lib.mkDefault true;
sops = lib.mkDefault true;
nginx = lib.mkDefault true;
ssh = lib.mkDefault true;
};
};
};
};
}

1
profiles/nixos/syncserver/default.nix
View file

@ -16,7 +16,6 @@
general = lib.mkDefault true; general = lib.mkDefault true;
packages = lib.mkDefault true; packages = lib.mkDefault true;
sops = lib.mkDefault true; sops = lib.mkDefault true;
nfs = lib.mkDefault true;
nginx = lib.mkDefault true; nginx = lib.mkDefault true;
ssh = lib.mkDefault true; ssh = lib.mkDefault true;
forgejo = lib.mkDefault true; forgejo = lib.mkDefault true;

2
scripts/swarsel-bootstrap.sh
View file

@ -285,7 +285,7 @@ sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.
green "Making ssh_host_ed25519_key available to home-manager for user $target_user" green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
$scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key $scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key
$ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key" $ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key"
# __________________________ # __________________________
if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then

101
secrets/certs/secrets.yaml
View file

@ -7,71 +7,80 @@ sops:
- recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZjVjb1pVeWxrZVh0UHRK YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcmpISEJCeDFtaHlMaUp6
emV5Ylo4a21qcnZydTVEWGpzM3pVYlZ4WWlnCkNEY3ZSZ2F1Q1hGS2FMZVJWaEFO RlI5QnVSQ01OSVViMHZROFozWE03QU1ob2pjCk1ySzZDSUtoaTN0TSswN1R4Q1Q5
TjBTOVBxejNnMk43eW9IbjJqWWEzSFEKLS0tIHMxUUNwMDZ4dXZrUFRhQnE5UXl6 azB0Y1RUWTc4dXN2OE00cFBNeGY2ZVEKLS0tIHM1ZTFON2k1eW1MNzFWUWs4Vmwv
dXVMTTM3YVdiWGcyLzM1R3ZHdFU2eEkKTvJcAVfk4UpNDQFJwr4BW5QPQtdGhmmi SjhWM3daU3ZGUE1Ud293NENxVVUyRHMK3beWpg6G/gn8kT+ZZtnlnCw+K4Pr5O06
gsuxZOe/ojpuGoH+9Ht5d9QdENoOsqQJ+0VpHgqysy/KJxC0MmaBrg== UNFlbnWIxNzJ7ML5Rd3u88XOLmD7OO4sxwQCNZgFCFfljiyl3UW27A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL1VqalFMcEtObnhoL0U1 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0c3pjTmFPZzF3NTFla0c5
TjdLSVJNMHZUNFpIL29Ib2FGMTFsdXdPdUVZCmxrb3lzL0M3Tk1xcEtnbHZxeTkv QmEwa3R5NG9NVnNQUVZWTjY3VkxtaWlFRXdFCnpwSnpJU0RMSkxrUVpIdk5ycVF1
cmJrUzRFM2ErT2lZVWFEd1NQVHlEWVkKLS0tIHFtSEJHSjhBMzljRTlxSDRBZkJQ c0ZTbGNRK2RqNTVtb1ozSUZjeTYwbHMKLS0tIFEzcG1xdCt1Wmw0S2NtMHk2TGJ6
b0gycVVHWFQ3WXhkZUlzUkxzQUYxVnMKIGMqw8hHsPB/sQqKjW6WKp/w4Idrzcg3 bU13M2NvNVQxbnJGTEl1Q09YcE5Mb1EKpCJSyUVvDndc7/RkPGcutcfOz1lM6WWp
2362DS8UswVpymq+mMHQXiyu2tuG26ZAE3U4Gx4Pyg2XZJDwC/Bymw== lRBXFELXRmdRFAF4F+7sEICIu+3zJ/bpycQPGBIfjD8uYNSa5GRbng==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMnhPT1J2dENZRzFQdi9p YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWY3JVbU5OSithUVJSaERk
ZHl1LzVhSnp3ejlQbUZlT21BV3VsVHNoUHlvClUzNW9Wa3VueUNjbnZWYWZPWncy V25zbmJ4Z3NkNkxaeFZMRmZLTG1RWG1OdzA4CklvZ2lTMGZXSHRpMzkrSGdIdSs2
eEFIY25HVEJYNEptV1lXbHBsVENEM0EKLS0tIHJERmVSUnZvUFV2M3I1RlR5WGR1 N0NTZzI1YjVCVzFkNDJJMld1Vmt5QUEKLS0tIE9uUDY0WDM5RzVQUFN4WGFZL3M4
S241amNkdFIxdE9nekU0S0ZQUi9hVlUKSEpbaG9Y1rvm/QorguodDeDO77apy8cX YUtnZjBwTi80VURBNmhBQjNxMmE1UlEKsMUniG4+/nvrqXH0AoB7I0sVRBfevGov
C9NqAxRkJiSjyLvqB063oRsPr1aH5c0hTq8Y2zBjwC620jO2vqTjug== bqbZWhQoxo2lCly9RVT1EjJdk6pbes1qy4/H4vNMmjsUn0Pac4FE+A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlTkdZL2lGYVVReW80VWpw YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNGdEZEI5QlVmQXp2MWp1
VkRpWTFjdHhTRlJDRlBzc2pjTWdlcmYyc0RVCm13UmJla3NkaDEwaE5mK2ZpZ1Ex YkRnUWM0S2k4ZEk4R21rc3ZsTGdzUjlOY25nCkg2OEZ3blpzem5QTktoTVB6eXNS
WTNvSXZGYjVpdHNsQkdydDdKanBkOGMKLS0tIHZVZlRtaE0wcEZGc3pJNnhEQVB4 NzRVejNuS1NpbzN0ZDE2dzBldUR6bm8KLS0tIHJmT2t1UGZGVWFMNTN3WmRVOVZm
ME9BMzQ3TmZmUW5aVG1Oa3hTNzdnd1EKFqMrQnP/5Nw654EJYTLjziDmffrr2Ryj QVpQS1ZGbWdOYXNsNmlFYTNhUnIyZFEKBQaXEuhKe/qvqmXK6G/Ew+gwY8NgvyVm
5L9weh8fRKopPOPEXwPDULjxCL0G1AipFXwUgk+zJY8dJugDHvsmuA== Kd13hqsHcllaiAwg2lZ7RMl8gbKY9Sa6iQ1laV+0LHiEc/1hbg9sWg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1gj6uhy8lx9asjhwmqcmm4rtu6wptrd9dr42lhf9xreet6tra4fpswkvket
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQ1J4SFQ4K3RVTUlGRGxx
UzZhMnBXUGNYZ1dvbFozS3krVjBLUGFGQm1BCmdBQjhlcFhPaFk4RmtIRGFSUSsz
R2ZIR2VwQUZIaUZ4RWRLN01XdndURDQKLS0tIGg0eG9tVlB1WDhoRUpnZXhlQ21w
M3FXei9menJlNjB4ZFFoQURhdHFCUjgKmkTR92+6hZ705u9I5VPyJVfD5HrLxk7m
7O1EPw9oPNSihFhl85PbQTAJWVMjRmJFFdDxz/I0XuHKE/XaNW+ijA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-09T01:43:52Z" lastmodified: "2025-06-09T01:43:52Z"
mac: ENC[AES256_GCM,data:pzzSwJ7kxIg4cmnS67DmXz26EKxLKzUtSFJ7vmlAdGphspYrwrRKHeKp/Rrpr15YMLUafXK9QAxeQQEIF6tQPtSLkHgYIb8xIaSRmNOR44OtWoiGBZWgTuFhQ1g2Po2Pn4EKQ2t9obPXxPA9I7EhPhIbqFepM37OQz6TX5SPEoE=,iv:UeX221QNsS6bYsETqRCDgVBNpgSX2RXUv8qWeMKWgYo=,tag:pbOUUcIhvNWv1HM6ti/FUw==,type:str] mac: ENC[AES256_GCM,data:pzzSwJ7kxIg4cmnS67DmXz26EKxLKzUtSFJ7vmlAdGphspYrwrRKHeKp/Rrpr15YMLUafXK9QAxeQQEIF6tQPtSLkHgYIb8xIaSRmNOR44OtWoiGBZWgTuFhQ1g2Po2Pn4EKQ2t9obPXxPA9I7EhPhIbqFepM37OQz6TX5SPEoE=,iv:UeX221QNsS6bYsETqRCDgVBNpgSX2RXUv8qWeMKWgYo=,tag:pbOUUcIhvNWv1HM6ti/FUw==,type:str]
pgp: pgp:
- created_at: "2024-12-29T00:45:42Z" - created_at: "2025-06-13T18:41:14Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ/+MDjASUMqC4cqjI7n7EPUVCBzOyLgjE5pihtWJMREsBxa hQIMAwDh3VI7VctTAQ//bvg76FopkB85Na1yjedNZjDbfg5R0H5sNOvJi/KkZRaB
dsz7pZKg+UFqOK5MZq+WPibvt4NzelNiQJdKJK3ZlG4W7o8KKk9cGqjWLCA4239e siZZHUN1jrrYH9WJxhrYhE6wmtqhClWI0r0I/prcJj2gvJWs1EAC5HoJYCNQEZjA
uXOBBheGXp+u9xX8btasqupOXN0mJ3OsHWi76ijrCOxcAPvk5+zE5c6TqI/nPE7w jVqyPWveL+1AxLze9kGcHpb/YKO++XclmbjRB7RkW9oS8h3RN+BWgjoL379fygFn
yvVFkPQRYw8DrnYKKhMPftQYQjv/7r/4N9+ve5oymgOGUtEjI7HVG+B95j/HsNQU tcYhB1zn2k1pvKovq6KQiBThGgaATShCh65sl10NXrEEzR37TBRubseC/Bhj6oDG
Ap6Gj8/Tyb3+MQs0LxFo+Tjrn7VQ6PG03aOCgQDMNRd4FpbCRbIIvZbzsc4GNszE SoviST+7tbMETKDoDvXHzKE+tVvQPi1qCagbk1FL681ldjcvTFhsLEQc7brlskoC
5fWXQox8mPxVpBTYAsRWmk749sjYcaXaB4HNXNP0euS3yIuCGbhfdeP9sWJheu45 w3H3BLKLrfpWPnsfeavMOghK6ctztwuOd6qbZCcdS0QRPbSlOWY27gzLg9nCoVYm
oqdA2XcAyD+5L7H4J1Lg5OkxP8oRO/layj7e0K11EPnBbahE12vehcHWxPFYLSwl 3ZS4o+OIOBKCkaCiWqwORqa6MTNNOgzJHmrpXygehrhyy+RCvPyV1MUgo9YyfABb
oYnzmWVQ5LUWIk+oH/Jb02CGKHHE21W6+CgX3l7WehvIO+QOxWOrBgNVHONVX4HZ uoRZxoY3svvm1mUcwJwySj0fKljF8YBOxmYHAq+cO1jPe3282Mbh8haOFxVF34c/
kMQWljcwU15yP4F2n1BU4a4D1a5hYemySTclw/ZqC+REBwq8p9tvzEsGBs10kkK4 sB7q8AJHTks9KZdO/wfMt//e3oN+IVFEsgEE8d0ecScIyVcqyEGYGcloQ+m/cUSF
1KrCx7X7OHtBgBEWqhCqHOEX/bIQ10vzAKfPywHvj2TpJEyhCh0dk7mK/jfdIASU onfJKz/WhgHUh4VngDF4HTMS2L4IRPnPFTebRNBirnM7ruQut9Q+NqYHF//UmlIa
V6x8vJfYfN1EdlFHgeiNLjx5u2Oa7azp+ZjYOEEH+xoUoI00Cn9GoIHohyZMECGF 6CWifbSdcDujd4P5O9FIG7/bRhRf5CsUdn137o9vF9hBnX5KtdrRwyYzy4dp4HGF
AgwDC9FRLmchgYQBD/0ROxGKsAyMJ0QfWtgr9wP+haPWwZ1TdWg22epTm3VSfjLQ AgwDC9FRLmchgYQBEAC2KYQRNAYxczza6nmW6n2bkGDypvKwDWV34GKtL1hy3mla
Y5qLcN4J4Cmw858JABB72yYA1dcrdnObWHDNDrM4EqmRWrAvNXRNnmyi9ozPs6Qt Dfh/k1yv0o/I6ebnbgh6yFzyFq2GRi+yNkTPF1mpGboyex4Ot3d3y7gurs0Y1p8g
rYFCa6y2MH59V75YCUqw9Dkom+v6RUIep5zioxwqTa/D5Y9pF+kKR4JAqRa4PZXP oYYniqtQmuRmkplU6EFFZf4LgQvcArmLFCzp0SbZ37AaXYFjk/pY1hSrfDbiExVV
Dqc/rg7IONShpkF0l5wEaL8WR0oNnqKeTy9Ejte9qJejx6I1PGmRoskb6WOdkwJn OK1pkE82vYXWm2bkFRE6YVNUf4lp7Q41CmDq+H+mf4DLfgw9J4TnseNi+ZsGldSj
AK9UertXc2C6PvZ7A4JqEBYBYHgDMp9nRVnKht6h3NttI5Ye/id6400KJ4SPA1xy 4jFEtxvO/t2vhNHvbXJoSVKeLKn4mUEpJdfi843XWwo0VEk0JcnzfReYUbqjLChv
tp5VQYrt8X9oD+goN835nwplXTuLT3MKAYn7/6w1txaVwgs2Ewi3D3pThERChOU9 gV13mqwGmrDY28IWzyCr4h8FURWUMJSFqkVnrEoHQ303ujX5qV3JSadl6ham4h4o
zF2eTCe0dnDtuO2YlEV1ucjqFV9Ix3gWPzOjh5B0n8WMGHRCzlLGTHO2h9soM6E+ s3gS2F4m0h9YAJnxj4/ahbBLk8go4IQ7FA+rmjVhMLRuTyUcEyPPCiY8tRJm7p/X
CKAJ8t+mNQv6BV4JPToTCZS/Sii3pSGKqtIBs3saTGrQ1CIaH2oHVw2b4luCZJXE vpkZdT2hVyYeLtK/mP5ieDArDVYUa3QTkJ3knjSfdZWBv3MtrXsTAK/C4frnOxoM
rTGzhLmOTWdZXfEeLnpTIJXTd4c7Fpuk3iKxOI/cNfd+8cY5J9SoRYbR20LzyWO+ inMpCnJtCnVQ8/xbtyXMhJWnz72vbEwDblaLId9nVtU9p9GqHB2OT1CflJBhDjb6
CFcBJhvtC4hSyA3odsBRDsptEp7MKhsn1o1jidEQYAEpESsq7BtUshG42Hx5Uc1P a49C0mIGS6xBkW3YBSJxf7szUK/lL2qXSW+aI4dg5naci62jChtagnkXbN2afhOR
DU8DGxm1eWmfcr4WONSnEVConPz85kemltTNuGjTMqJc/vvPDHu3h7o8PpHqK9Je 91hpJ2oohMkB8rbbi2uXN0wIBUO9t8GTUKKaTjCOOTWm5nXNOCW5CtamYASeetJc
AY+XGmvaUTTDm3Du4MZmKvLAoeatu7sqqo0ICrOzbZw5hDEvrGacjllQrG+XULlw AeW10mAZSNUyh8FWs9XeLtppGEdERSqWs3gPvGO+TJ9o/8v+BPIwLEu0POoUuRWo
C93eY7rbvGAjARr27h62YiH/rT16Mf8fpDkrwGDz0aeg3Nj+J2g7/OKeRWvvzw== 3Lkqrl4JHC01T7buQU3vzRfWrdranL0Ll8H2iYvsyfaJrsO01weS2jGqmgg=
=q4yh =PGCv
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097 fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

51
secrets/moonside/secrets.yaml Normal file
View file

@ -0,0 +1,51 @@
swarsel: ENC[AES256_GCM,data:AnxZLN+3ta2Dmg0=,iv:S25Xbbj5K3tWynO4/7XGRp/+XexxoUofHjlPNDo5el8=,tag:uov6okR56P324TYA3/YN/g==,type:str]
dnstokenfull: ENC[AES256_GCM,data:z9gi0pwfbDyHkKw8rhiGOIlaLUzepAAxQfAH4esla2NkSCx/S0VAiQ==,iv:qtCE+V4vHImViCquHwUEADEzl6dj7PB16PoRqYEgQ6o=,tag:jVfWgt3cx+bpYeMuyesjrA==,type:str]
swarseluser: ENC[AES256_GCM,data:s09lyp9yRPJaSsDXj19s1mosF3O39Fk7Eg==,iv:tVBEFqTQPreul617EU6CfBUhz3Fmt37VAi3GzezeEmA=,tag:9sbJ465VxKoW3/q6ju7hpg==,type:str]
wireguard-private-key: ENC[AES256_GCM,data:z5TV66YW4FqBVi/3uyE+r9Nkx9vVUOEgwVBXxqi32pecR9dQyLHW9QtFF/A=,iv:+qpRvDlF5v7hQo/S2oYGQ1MDHnxT3yHny1S1SVCainw=,tag:90pIiVx1lSXsin0b2M2SeA==,type:str]
sops:
age:
- recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPU0xlcmV5ZUN3N245eGF0
ODRabEJLK1huSk80WWhQWUwrT0ZpRzRsdTMwCnlXaEhoY0JBTGhRN3l1ZmorYUtP
NHhHY2QrTDBFaWIxNS9hYnVkOEVMK2MKLS0tIGV3ZXFjTnoyM0c0ZW1ra2dPWmxa
bURRem1aY203VW0ya0tZWUY3WTJLQ3MKonflaevgNP91G1cVgzoE6/K800kyG6BK
Goe81HCYFfm86pzv5wV3/38j7fTZNeZnKwPFkMgEUueF1kA8J9V5CA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-13T22:13:23Z"
mac: ENC[AES256_GCM,data:5iAnRO8VNMf9lg9vrxFROKlMBYOavxND0m7tY91IY7TNy3Hegms72iwFYsRYagOsdNj5udD+jLGGuJTS1thSzpeZJIzDRW8p+Lzr2KNk94aGJKGNnlKPDpthryDJJ/xLonTfovIpJQHPwG26FI2eIVGp1CUh9UXKGOqqZUDMwNQ=,iv:AzZsgeIbmd0xN8adj/hs+VtEFXYaKiXXeQi5kqRQ4E4=,tag:tG5/O4RPcy7wmsu0C2iQ/w==,type:str]
pgp:
- created_at: "2025-06-13T21:18:31Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ//ftUBIqO4dedauhSkSKOH+8elmHe30/Xv2wwAaQiidS8k
J6PTDkgplfBWer/5SpwIVZ9Rgzc/NentDYwIYs4u2ovk4w7uaqCwtSeu1Be+baVh
hHjVUUZu3mbq+9Uwp+hvIavn53tsdAz0WuW5AEqwZZCKJy8r95a2t1BWnNTy6eoN
F9Ihukul26wMRmJxIMqPp8HYKWothkeAhuE67Qsh4Bv2t10XTBV5/Qju94YLU51m
tkq9SfwHlKEqvkRvguUfnUm93xJk1PVxl1PfimhyZ8ch+RCswTFtcLUQvxbbHNKn
nBfQIjkkuZQtP4BkjlLdFr/7N4tbysjYu2aTIP7gmPCSzGs4fv23XNOALLk/N+7s
R+tnyaZg5djl8LmD34MVgx1sHV/2Q10lQjE6fmgV54hjVk5qC536fwiqjXOQyvso
QEiIs3SKnAmp93h6VDHIELJJx4Ng2fNjZ1q6w7fJR1XcbnKPLpfXLc0hf13eoAQ5
jWRmsc+9dL8o32bYlkfbt++R0unJLQ9QMrwqdCH/jv/i6YtJzutcWUZgZPRx4Swh
HIHMlI+bAKGsqIrAFfOIbpRBK537xdjHzX+FDVQ3ld+K9geVwulA1HnVXf8XZJTI
GmW1rqnN/omMr02ekCZil5LrnKs9RaE2VEyK84QfuqwdFFPXXutc2vBuP4jkLuOF
AgwDC9FRLmchgYQBEADB3Z2nHU+08jspiq7l5d8gMD5RfBoHpdNy9JE4bz+z9Mhm
KPu9qNuojovSsiaM9+23oZvRyTKHmgrRKk1eT14BTLhFXWBFAdP10+Hxp8u1hbUK
uGZoMutJtPVBvBYaz+TmQoDaGsbYULfkc4wisOeB7pnbxLrm6N+uJ4eVHSvf6H2d
nHFvgFMTXZwgIPI4G9qg0ygcYI/XwbRssGtwmKHpqc4Xmn5Lg5sVJE+/gkXdyuTj
UEQohQfdg7O6iIWq217DAZpZfKZ06dL3RFkYYQP5R0kCLtKnJOW2wDWMiLwjzagK
zXfNp1gbymqG1gOkOE3sSV09cvSH8YdO8DbWa6it4H58XCnVtnSm4iAB1dLxgOz5
vwcnqL+9TyIY9VmawoKtjXIXNTnkvRAVEGHVA+zWocmfrvVyxhvlfjV27L3rqlAP
Ambv8nzjHkq5r/vpmP9Rb5oR184gEVlXmrb34hCpJrh25cXGR7tVvFTVpL3/1CoB
kJ0KkKpDpgaJV4zOeqC5KAWomoR4/eeDAg0977umWnw2rqqM6QNgkcbD6G+h+jmQ
owoWb8LMXNKEEUIvEyrsD6lYFJ6y7jmeZEiHLESp4gHm7TE5v1ROR7fPqG7bmBvC
/NyiLd5xT+iOtBk4JCQdHD238tT9EO4RvKToe01TJKuGygNjLjkiOpo9ZrxQT9Jc
AWaSXNBoAXBnNCVkyJCTzK8ejPx6SM1K85q/Micz+eidGKr64ZN2GF2dMSdiwwFN
YbUMFxVF/iB9++97+Ax1GrI4WnBsuA8cz+hTSdIM7GufLJNX73XkOAnK5bs=
=8VK2
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.10.2

24
secrets/repo/pii.nix.enc
View file

@ -1,34 +1,38 @@
{ {
"data": "ENC[AES256_GCM,data:lLLUOryVRlriVc94mUX486tGhdg3yO6MkVf43hQIfo9mmYks0NbvCb05VeN/zzVP5fZU4kX/KKA5gfpK8lPKnnE0eN0Tv98hfkAExH1zTowUaj+XcXOPmCyRydeKm04sITDPsuhH7c6jkk2RNXBF/3ER8VZ3uho0K1gqokJlQUcA3QPCDFh6t5jlJakB2AX0rQYBtlG/QfLMf1YqU+hMsOFSrEXkPL7B1FwTkOHlU3oefpia1h4OJBJEjXQW+e57zgPRqc7z9lT8sOsXKRldWXgb1bhQM6MTDbSnEkSE44EtsFefkrmU34riu0KjQMcDbDFH3NpNibtKammlHBaKEWrxyFsgEEnFtqpMrr/ageW+DIttHIEbO170PHyaExo2pw1if0x/kRMe9/aPdDbG4oXtoZ9WqqB/ziBVTy+rau/aeuBU5XOEF+iQGwlkdQcjaUv55VVaCrT1DLSLdfWj5bmlls2pgu3SRkqhRFa+QveFu8i80rLQT9KcELuGpx7AB8U7gz8Oz4pU0iZkH3A1Cw9sO2vjwPd2AnPi8YQsqCIGQtZp/Y/OJa/7GfPFmmJlWZFiFbKGUfZg6sPsLPyTqTzES0erf67dwpXaBtuz7iS1yS58HQwhT0ZdrRJdMsrg0j+rejYHdIbZeeRVRLoPastyHjVKTarrYtAeT3MuqKbqjQRTdoaNlOQovG8WBlPNRJ93qOWh0wLVYuD2ou3epDlwGbwIuJ8D/DbW5mWNw5gpbI50LC1+SM6/flb3iG7bJ5DmkA1c2+fm8Jm5me5SCCE=,iv:8VSsznbOJyV/ZYCP9hKuAprtjssYTQEjW0Z/P5fgYqw=,tag:Tc/N0KgF9sNHuTXjWKksUw==,type:str]", "data": "ENC[AES256_GCM,data:1+srGBXtYZCAsE32yEhH+1Ab3uebTDITbY8oQDIDkrqNMSGpfFH8i9nS0gmGHD35CKxn+2da+LxzWd7cjDwPre92D5+1K55RzrvWHwnq/0gYdNqvJZGKyJ71HJyr0wPSjK5Ne+fOPiYw+L4vwVukPTJcJHhe7H58Ia6rItnvdBe/RmUbVkTuVB1WEG9AYN1paQorNobSdNTTSCSXRIGTSaQfjk0xJ8B2wOALOXHoxBFUGR0SXIdk9M1CJ48uYU4JQ/RQguB3fG+PAbFYwm8B53SCo9zEnfonwmnFVe27Qm3Lz275stI0NuQiHuSJrcaXVyBX+So7xKPAMI2AyzPVhCukanPZxYwWMtFBYn5jgGL4P3aidsoqo0u0+PdIAr7U3dcDrpTnCQHiX71mG5h3CpKIs2yRhHmcnI27EEpVQv6LilZBHjT8tMUeS7H0UJlWsyj7lDzVl2WO6d7TeA8nnrNH5YWVzsAKCIsjvFYwwIJhdLWaVK9aI2VXJQEJAhQLbBKZ5pJwajw4GpeFu0ISyqo/foIzvaGvnW2fuxWwLYeGDlzPrqogT5433kFEambwXbdHGGdzuYqiWMLrysE+3AEPpOhwFuDpncFgGkHoZV+gZVcpG8TRTmKD9W4IK37sJqDrGGeWxvB2+/HE6ZbQqU05tdbyjXdHsXvAXSnSrLwqXVrds1zYk3g0bKjlZSwCBwKOhGU7JKsq1eBvJ1NgvBl7+JWtpCYBjCGaWM5whqxEkW0MR/7Xxkf0d5X5SDJEVUC8zAABiagNRfbyH8uix4NZCQyJeSFqeYMMWbXr3Z2XGyPXuKKwZC+vK6Kd,iv:D3wUi87sNqZG33GGlDnB1msJF3xvy7dMqQ/8gE5fpZU=,tag:cBqADzZhfiMGMKCUGTpHUg==,type:str]",
"sops": { "sops": {
"age": [ "age": [
{ {
"recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63", "recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVEtLVVQvTUVGOUtwWmdE\nM291NmRENW5mT3FNa2k4SHNpZWM1V0t5SFcwCjdtQW9jV3d3aDR4M2d5TFRaTEZO\ncXZBazJhc0FsY3dNakxsTGhFaHRLRmcKLS0tIHZMRUYwZHVwV0F2SGV6R0lGZDhW\nVDVIYzhUVlV5TWNQbXBzNTk1LzBGQUUKVsntBAZ6ani53sK7loNBnn8QfXuEOP7s\nY3PEzWyPLxryX8LQ+i7swvv8GaBZ8IxhiyR2dCdoJwQifA7xlkrVkQ==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOK05CODZFTWk5TkhjZnh1\nNXZjZ2ttM0VndU96Nk5oN3E2VTJhbWloNGpRCk93MkZqTldQNUZNbDJVVjVYTWJu\nZVFBTEFFMVN3cThUd3U2ekttLzJyMTAKLS0tIGFBTmNKOWZiME1hQWpLMXprRzh1\neVpFb0swSnVVRmZFclRjVkd0V0MvQlUK1JUjwmyotjEVt88K9B5EyCGSnTOBlT5g\nyD4wIMSQxm7/E+8F/o9s1aDm3PG9SM2U0A/y5Mb/TWscU34ShnDm+g==\n-----END AGE ENCRYPTED FILE-----\n"
}, },
{ {
"recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl", "recipient": "age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGdWtvVWNRM0VJc1BqRytV\nQjJUMDN0SEMvQVByK0l0ZU5raVlHWTlnb0FnCjdkRm4wcEYydFlncWFjQWoybEtu\na2dHOTFKQkdTa1VZbW81LzhDYTRoekkKLS0tIEZOZXhsdzQ0a01MSThpZUZFNko0\nQ2RULzRxZnIzSi9IRkJXNWhDN0dxUDgKH1e1MDSP3Jex/afETM49iqyMm4fbDMGY\nKsRlVb4+ZiT+opkhEMvdiA/DqtHi8xXTiwyIszWv2m2YwETownbQng==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZlFKQjVCSXRSZUNVMDFs\nd1VYWVp1SkNTclg3REwyMXhlUHlBSm9OWXpRCmU1Mm9ZNW05a1lweUtsVHhLY2ZZ\nZUtaU0tLNlNva2E3VzZFVkZaamJsV3cKLS0tIFE0Nm8wSVRiRW41b1ROTGFQNFA2\nTjRVdHUvN21Vc2ZLL09KS2N3aDVhR28KYTNt5W4NlvkQgcXsJgWzhOMFXX30/DHf\njbpekMCUEd8P7rvV2IrZUUCAd7d72SysWG/1Bjud+7OvE1BLw+001w==\n-----END AGE ENCRYPTED FILE-----\n"
}, },
{ {
"recipient": "age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg", "recipient": "age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJY2NzUHZ1WDZNQnRqTUI2\ncDQrWjZRSGxqRVJPekV6ZzRNWFdOaS82VFJNCmZVVWpjdTJEcEN2WHZWNG9Cd1Fr\nZXNPb3Q1Nm5mTWJlZ3BLUTZ2bmdFK1UKLS0tIEVCRC9FQXFybExLbVR0Q3pFbDJy\ndVY4bElVRDVYTkRmcW54SUJVcjdmVmsKAQDTjgDxupu+Lbkhks9eR5iouaPe5Ubh\nHLSb6iKFvnaG+vapVNPonLPW0x5Cp8Co5Lh8aTdWvaL8PeKJSnMZ7A==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6Y3BuNFhyYXFJdzdkK1A0\nQytCM1ZHZ3Q1OU9IT0FEWGxnNTc0UDIyWGh3CjV3Z3o4SFlGS0VHOXlNK2pEQW5E\nRFJzMG80eWh1OStObm9GdzlXL3EvaG8KLS0tIDRMUFdFMDFyNFdWcE85Y1p1Rmph\nVHhEdkd6SUxmOFpGcVdIVEtGN1VWZHMKor1bN9dhFbjPq9uhB0Io7Ekg9fVsxANz\n6UerABKTnZcXBzoEzsUKCLGtZQPftW94gwZ18ofE6rQ0Ref/wJMpkg==\n-----END AGE ENCRYPTED FILE-----\n"
}, },
{ {
"recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy", "recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqV2c4eHlpNlpwNmsxMnM1\nbjQ3SFZlR1hFY3d2WTk5R3NLcllqdzdETjJrClBKWGVwRHlpbENFdElRWGdWNWVE\nL1NBa3d5bnZCVHBRaldQTjFzYnRkc1UKLS0tIDcrOEhNY3Z5VTMzM0RSUm4yNmpW\nM2l1SFpVYXFjNmhSdnBrU0pWYXNXZkUKD0rk5+3McTNhgyJ0e7qpdHTS1ajQ2eZl\nP98G2Xz6zlE7uFxUTyEprPcuvc5SrOpWplemnerhCvwUs78S/fd+jg==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldmdYY0o1YlUvbCtSZ1dB\nUzVsbWhvZXV2aDZjKzNWcVk5ZFliN3MzZ2dnClVkV0xRYTBHbXdDQ01hRERBREJj\nQ3ZQZGh3M09IUXJBRzl4OHgwc29idUEKLS0tIG5VSS8rY0g3SEVLaGpheU1YSDRO\nWGNIc1VCcitRTHUxUE8yUU8zZzVMRmcKdZlbPcCgNGz8bm39yULl6ou306ofV1Gn\n6tYYXgEb4PA/VpLSHQBOdO7uaSIb0WSfLRP1Sd75dgsT+WlhQYoHkg==\n-----END AGE ENCRYPTED FILE-----\n"
}, },
{ {
"recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h", "recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bFIrQjZ5cUFBQUp4dTRW\ndEdaZys0OHE5L3BPaVNic3ZZRDQ5N09SaGdZCllhWnY4T2lLZzVUMlp5VjMvQ2lP\ndGFNSTBqbjNMaUcwbVRaWFVCazU3OEUKLS0tIHBIWUZCYjFDVDgzbUUxMC9TNzdp\naFdiWmV6TGIva0RNUDNHWmdJZGgzNHMKiIzjo6sH/SP12cAXTvXiP0X9EE/A8Qw1\nIfgZfyEHdf/Mxd/iNzlWb2Nb0MLerYYw/qZ/+L5eDpUr4Vl051qOXA==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcnJhbjVlU2gwWU9sOWVG\naHptNlFlRUdjNWFOSkFNdVlwMWNkTWJOcVdZCkEvYTg4MDJ3TWFPdUpzOW9Ma1lN\na3NPZWtYS2FSN3dYbG4vbnE4MGpSVDQKLS0tIHEzTEV4UGdDVy9TUzRQdng5dnhj\nMnpXUUxiUE9UY0V5SXIzMXVLYnM0N0kKkesE0fgETq2RvizLIOMaJpCdcS3tThZE\n8k7cm9iNSpf43wa9Fvszu+hRiPZW9om8caZOiKid5VWBnMEQ3MYvkw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU240VjVRZmJ5TGsrclJF\nRXRLbTRCZURtR0Z3d2E2eDNNeGRDODlXVEY4CllTeVFYbDJQWlRSS1RFLzAxSnlM\nZi9NU1c3cWo3YWRLcUJ2U2ZFWFBBVEEKLS0tIGtmZU9qSWdBT3RDeStaaFFDSWtk\ndkUzZXJwZUl4LzVxYXdidmxXRnNnclUKyAMZqCKSY/RQvTR4bbjLaPnGKwdBcHXc\nvtiVSrLdIdzMa6id/J07TJH5UesUmcp0wjU41MDa4aMBLy+cXhuBHA==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2025-06-12T22:56:18Z", "lastmodified": "2025-06-13T22:20:13Z",
"mac": "ENC[AES256_GCM,data:KnewBjWIibq08JjmotKuJWJS6zqBWH7akh7a5nI3Sq6ae+QINN8M7ueTjdpbq1PqK9leiubbdECT4F/qHwpwmIKEB2vKY8eSsDsmjSmbtVFdYEv4UaOPEJAGr/8u3t7q97m+Ad2P+tLH/jIDc0BXGXYfQYogSiaHqKqytJK9cQo=,iv:8U6m1+00n1Aip08kO2Q0cdX/TnRy7Bpig7b23H6Plgg=,tag:UPskdkeO/qO7RkninZ4jow==,type:str]", "mac": "ENC[AES256_GCM,data:W+k2UGDwWcS7/rBZQZE8ruU7ma429CdzmbtINtLF2DGz7Ofzj2EwkrVQeEtbUt9k+psSzsxnXD9hnrPzjgId7DGXlKPG55kwL++zuPvAe6qvJ05UhRahJfxBgpD+xcBHkCkQjgQcafOXha+BRKq2u5iSbB6aLxHq0i30xOq/n0E=,iv:g8xtWd6nDCs6WWx1CQRQAFExGFH9YQmgGBzyQNS9q2I=,tag:b9tLJz/JOFnegPQR8h5Zuw==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2025-06-11T01:05:00Z", "created_at": "2025-06-13T20:13:06Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//WxrJpUeO3Patchym/u5+UVliqMoHtH0RPDaUNkjwnEXV\ndI5kNkwjTp1FHLLGm8WS4JKVejSmg4RUNIx0h53CViKrw75oMArHpFLF3y0ffsfK\nocvYW3tmtRKSBiv13T9bmo/BglhbuZVPKtSSb+0oo4bhzsQRWj4GBmkLGa4uSbC2\n2+QIk5C0+6IR2BtB4l5Txsx1hu3Z7Hb4uhtmw/veyulpRiI3LwW4FgmO3CVRYw27\noEr+8X/sJ/RVevU0IRKa0mbRi7KYl73JDb4a+VZw2BAFXfI6SuOtJfxW8oTPTYjC\nIf/ZRaa9tLvf1Q1cicnmth8I1WlwGUA8P2vBolxLhA46UxlpbdeBqXwunswWAEWw\nt/AYr3loNDeV2A0kUoUtI0TNFVOZBRK4zvEYoRP9My4A7ZNSCy1KCXie7UJs7YOH\nCtlNwArJxAXhOYQuN5amvHsvM99/fXeztqvj43uNVaoOFA73+s70WyscvPxeQKKt\nY5y2Xs/iCPnV6p1gEUgeqEd7IDxYicqEZS1rrC+vLffPxmw9aLMCBjzPdfNCOiIM\njOOMt3zU2dyHgeSarpTWheVZc6j0bOAi8pyfcxoAQgxFhMOmArQPYt+D8NMIJV7U\nnteZCWikYGXh3apEA/cxgNDOFMa3SzQNRI5Fw3vX5ab/GNm9XBe6L4lOV5oY8z2F\nAgwDC9FRLmchgYQBD/9CSRv2RDKnFqbvoEThajl5JTGE3kWEf4WrIcB7e78OPa9r\nXj88CpwwblBLt5GJno5t2pThO4t9jn+VvqfX8h1B+NNR4S4T66Ng2n8SXIfhmSgA\nW71tkaAYWCPMg/sp0pc5C6HttsWf9nhrthxHA41WbHXAtmPTh44YrDA2pRlozQNb\n2qxJs4jnSqhlz8CS8/LZ1IMyJKDfD8vlGJ6FcvPh1vjnO3jOa/DnuK2nxmoqpg23\nN2niPqPhcNkMmaQwdsOUxuRg+2sR1RecTI9YO0dY9s2225PObv6c58BicF9+76Bm\nASTGY5lKCwAS1mVdSuaujImWguEoG3JDZY2NaZa0bqkXbHU3htAo+/QdssMnr7BG\n/KzReLMDJqHhcDx9PRaOylEVi16RjTDLoWlaPDv45q5C78e9LVrVdrFrvPC5+IPY\nBElAtXUk7J9+siIlOPETkYIha9vtQMp6It+1zmgcj9L3ziLPtSJGS/MmG6ipS73w\nku1bKWmWMKiFY6ewUeTZRhyHBi/Zp/25j1XN+NC2pPyqL2bkLCXMP4thMMqykBu1\nQtD6G3KTpfxhKudRpQWWBf6YjI0h5/P50Z74ruVNSAjB/IJ4p8uVSsFiMRb4OYDA\nb5L2GRmDmqo8/zh45WP0Qe931zBNYnskZXGfdSdXAyO+DkKVv6GSI6uWKtZl29Jc\nAbDEhXsCr9rREBVDbrSEfiI26nxBZQyZxAj4sozfxBu425bAi2suLt5TilkWWZrD\nR6dedAYVESvFjU3Zd4Saru0Ko6FvTm5EWjQzofCU94mviStnFoMqFrjA00Y=\n=Z2Jy\n-----END PGP MESSAGE-----", "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAmZXyxrBEhacTQUwv9FVbGqeRHWUXrpJRybOA8pufPNnx\nLiwPK9op9HhMqfJ8uirmtsUhDg3lPCQRmnCMHpJt2Uy71SVomp9zkAQTRDFOp22E\n1SAAGEF1q4AP4YdM05iJcsxjQi7+2mufwrxxVdND+qjj4xbop5rFL2PNZUhJeCEz\nfFBdu8bL+IfHASN6xJDtgxat0shh2+hYebdDriu7JmlfvLtsTHRzsWJqNPQ45/+N\ni7LQTgkDDfCm+IDJ4sG5dJDovLCzgwiYtmRjaoRQFYGOEgPAoUcDQSYfHoCGCQ7a\naALczQHIZ4ant2kfQxcpM3nYXpCmBm+gu+VzggLMGpgYeajiquXszdLbqhHs7KqM\nsBSWpDyhNgAzr1+5nBkpkRmZTeelZQkFKukNLx9Xa0DJTTsDsnVB2AsFixqDrDnf\nb768FvRWtJgKQ/igY5sItD5qUA/mHpE/eXn8EhTdrGoFvTIxjzWuxQ+l+bHbUwqk\nHj3rJFPp1jJQshqToa/J1cASli9kOarh8+nl3/b+dfhiQ0ttpoE9W95LTsYprPfI\nMG9chQ5rOBO0Z/dQSuB33c5wrKm76dqNJG+zJht8bZxQw9lS8Ish86dZkdf8GVWP\nxPHx8A7RfLoMKI4huBXJ9uLtr1CJ9odzjTiH1zQZmpaU8ZeVvKpgjiSxM1L5OqqF\nAgwDC9FRLmchgYQBD/99rzXeVRHewJGRjIQ3tH79rmSA0teEPH42P4BJmYbStgVB\n+v0fuJ4GgPMcYDFlK2xcn2W78PU+/hgmfXwuIMkXCFv+SCKB+tgulIFmvOTrsyUl\nTQdzRisnLt+wc5+Sv6vSeOwRAwYlLrFfBBf2gtyxNDS64xelpILKCvWkLXEbI77p\nUdHRAZFesZgVv1jYVDQekHSFg4wPouWlqf28Btj5FsrDlr6/urLc5LOZEbUrXVj+\nZ61oNdC867xUyMQng/Scco58ysUWVlNDkR5mI9Utop1PPkzEMEsS5wPqw3oVlTsT\n3SqxUNAivZUakENbk6kKQmzLDwZ4ZduNJOwvopOoYHme5eC3yVjj7JpGSYmL2CsS\nHmByP1I8bCYibLOeNKiNLZ8uTdNunYuwNW3xnqOcwbPjtTlf0crfDQPB5HkYqs+F\nJw5p+UUP51Ls35MFfLf1zwiIE1WbkX3//BFTdhCgdPdXP+OZmhnDoP2VR7b0JdRx\n7IHvEDmw35s02XBDWS1fY5rJDcnaUOoyjM1EACIR3ArIuAeJr5CtzXxM3+pt4e4O\noEC1t8C7/W5DOLGgeki1lXipGHg2yZH5RSf66DjUNta1rIH4VsA5PoOShEy9dWCF\nWR018lWIFfpiRYAD3KQ2SvjuSAs8zSZW9QlXN2t1J9BM82etvR8bObhKIJE3Q9Jc\nARN4GVV0kpVwHH/kmXeoi+WcwfUVCuWQXH47Wf++UzzTJnBFUc2uQeWGQZLyb+qF\nfLb3MJwImA68QUz54a3YDaNsm1J6x4swR5bcRkUMsdozzSDInz5i0NsZrE0=\n=CQXY\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097" "fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
} }
], ],