swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: sops secrets not rendered on boot

Browse source 
also fixes an org-caldav error that required org/appointments.org to
exist
This commit is contained in:
Swarsel 2024-08-04 11:21:51 +02:00
parent 175078feee
commit 40e81f104b
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
21 changed files with 855 additions and 1141 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.sops.yaml
View file

@ -8,6 +8,7 @@ keys:
- &server_surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
- &server_fourside age1s3faa0due0fvp9qu2rd8ex0upg4mcms8wl936yazylv72r6nn3rq2xv5g0
- &server_stand age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej
- &server_nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
- &server_nginx age1zyts3egct4he229klgrfkd9r442xw9r3qg3hyydh44pvk3wjhd3s2zjqvt
- &server_calibre age1q2k4j9m6ge6dgygehulzd8vqjcdgv5s7s4zrferaq29qlu94a4uqpv76s5
- &server_transmiss age1wevwwytv5q8wx8yttc85gly678hn4k3qe4csgnq2frf3wxes63jqlt8kqs
@ -28,6 +29,7 @@ creation_rules:
- *server_surface
- *server_stand
- *server_fourside
- *server_nbl
- path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:

511
SwarselSystems.org
View file

@ -524,8 +524,9 @@ Lastly I define some common module lists that I can simply load depending on the
# # NixOS modules that can only be used on NixOS systems
nixModules = [
inputs.stylix.nixosModules.stylix
inputs.lanzaboote.nixosModules.lanzaboote
inputs.impermanence.nixosModules.impermanence
# inputs.lanzaboote.nixosModules.lanzaboote
inputs.disko.nixosModules.disko
# inputs.impermanence.nixosModules.impermanence
inputs.sops-nix.nixosModules.sops
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
./profiles/common/nixos
@ -1872,153 +1873,6 @@ My old laptop, replaced by a new one, since most basic functions have stopped to
#+end_src
**** Threed (Surface Pro 3)
:PROPERTIES:
:CUSTOM_ID: h:7b1a8f91-ef43-433c-ba4c-c5baf50e1de4
:END:
New setup for the SP3, this time using NixOS - another machine will take over the HM-only config for compatibility in the future.
***** NixOS
:PROPERTIES:
:CUSTOM_ID: h:980f1aca-28b3-4ed7-ae7f-6d8cdc28dea1
:END:
#+begin_src nix :noweb yes :tangle profiles/threed/nixos.nix
{ lib, pkgs, ... }:
{
<<wrap>>
services = {
getty.autologinUser = "swarsel";
greetd.settings.initial_session.user = "swarsel";
};
hardware.bluetooth.enable = true;
# Bootloader
boot = {
loader.systemd-boot.enable = lib.mkForce false;
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
loader.efi.canTouchEfiVariables = true;
# use bootspec instead of lzbt for secure boot. This is not a generally needed setting
bootspec.enable = true;
# kernelPackages = pkgs.linuxPackages_latest;
};
networking = {
hostName = "threed";
enableIPv6 = false;
firewall.enable = false;
};
stylix.image = ../../wallpaper/surfacewp.png;
<<theme>>
users.users.swarsel = {
isNormalUser = true;
description = "Leon S";
extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" ];
packages = with pkgs; [ ];
};
environment.systemPackages = with pkgs; [
];
system.stateVersion = "23.05";
}
#+end_src
***** Home Manager
:PROPERTIES:
:CUSTOM_ID: h:449c20d8-338a-483c-a6f0-9a164a6071d6
:END:
#+begin_src nix :noweb yes :tangle profiles/threed/home.nix
{ config, pkgs, ... }:
{
<<gpgagent>>
home = {
username = "swarsel";
homeDirectory = "/home/swarsel";
stateVersion = "23.05"; # Please read the comment before changing.
keyboard.layout = "us";
packages = with pkgs; [
];
};
sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ];
programs.waybar.settings.mainBar = {
cpu.format = "{icon0} {icon1} {icon2} {icon3}";
temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon1/temp3_input";
};
<<waybarlaptop>>
wayland.windowManager.sway = {
config = rec {
input = {
"*" = {
xkb_layout = "us";
xkb_options = "grp:win_space_toggle";
xkb_variant = "altgr-intl";
};
"type:touchpad" = {
dwt = "enabled";
tap = "enabled";
natural_scroll = "enabled";
middle_emulation = "enabled";
};
};
output = {
eDP-1 = {
mode = "2160x1440@59.955Hz";
scale = "1";
bg = "~/.dotfiles/wallpaper/surfacewp.png fill";
};
};
keybindings =
let
inherit (config.wayland.windowManager.sway.config) modifier;
in
{
"${modifier}+F2" = "exec brightnessctl set +5%";
"${modifier}+F1" = "exec brightnessctl set 5%-";
"${modifier}+n" = "exec sway output eDP-1 transform normal, splith";
"${modifier}+Ctrl+p" = "exec wl-mirror eDP-1";
"${modifier}+t" = "exec sway output eDP-1 transform 90, splitv";
"${modifier}+XF86AudioLowerVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png";
"${modifier}+XF86AudioRaiseVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png";
"${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\"";
};
startup = [
<<startupnixos>>
];
keycodebindings = {
"124" = "exec systemctl suspend";
};
};
extraConfig = "
exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05 map_to_output eDP-1
exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05_Stylus map_to_output eDP-1
";
};
}
#+end_src
**** Fourside (Lenovo Thinkpad P14s Gen2)
:PROPERTIES:
:CUSTOM_ID: h:6c6e9261-dfa1-42d8-ab2a-8b7c227be6d9
@ -2161,6 +2015,7 @@ My work machine.
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./hardware-configuration.nix
./disk-config.nix
../optional/nixos/steam.nix
# ../optional/nixos/virtualbox.nix
@ -2185,6 +2040,8 @@ My work machine.
};
};
networking.networkmanager.wifi.scanRandMacAddress = false;
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
@ -2211,6 +2068,9 @@ My work machine.
services = {
fwupd.enable = true;
udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0bda", ATTR{idProduct}=="8156", ATTR{power/autosuspend}="20"
'';
};
swarselsystems = {
@ -2218,11 +2078,14 @@ My work machine.
hasBluetooth = true;
hasFingerprint = true;
initialSetup = true;
impermanence = false;
isBtrfs = true;
};
home-manager.users.swarsel.swarselsystems = {
isLaptop = true;
isNixos = true;
isBtrfs = true;
# temperatureHwmon = {
# isAbsolutePath = true;
# path = "/sys/devices/platform/thinkpad_hwmon/hwmon/";
@ -2231,31 +2094,45 @@ My work machine.
# ------ -----
# | DP-4 | |eDP-1|
# ------ -----
# monitors = {
# main = {
# name = "California Institute of Technology 0x1407 Unknown";
# mode = "1920x1080"; # TEMPLATE
# scale = "1";
# position = "2560,0";
# workspace = "2:二";
# output = "eDP-1";
# };
# homedesktop = {
# name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320";
# mode = "2560x1440";
# scale = "1";
# position = "0,0";
# workspace = "1:一";
# output = "DP-4";
# };
# };
# inputs = {
# "1:1:AT_Translated_Set_2_keyboard" = {
# xkb_layout = "us";
# xkb_options = "grp:win_space_toggle";
# xkb_variant = "altgr-intl";
# };
# };
monitors = {
main = {
name = "BOE 0x0BC9 Unknown";
mode = "2560x1600"; # TEMPLATE
scale = "1";
position = "2560,0";
workspace = "2:二";
output = "eDP-2";
};
homedesktop = {
name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320";
mode = "2560x1440";
scale = "1";
position = "0,0";
workspace = "1:一";
output = "DP-11";
};
workdesktop = {
name = "LG Electronics LG Ultra HD 0x000305A6";
mode = "2560x1440";
scale = "1";
position = "0,0";
workspace = "1:一";
output = "DP-10";
};
};
inputs = {
"12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = {
xkb_layout = "us";
xkb_options = "grp:win_space_toggle";
xkb_variant = "altgr-intl";
};
"2362:628:PIXA3854:00_093A:0274_Touchpad" = {
dwt = "enabled";
tap = "enabled";
natural_scroll = "enabled";
middle_emulation = "enabled";
};
};
keybindings = {
};
};
@ -2264,210 +2141,6 @@ My work machine.
#+end_src
**** Winters (Framwork Laptop 16)
:PROPERTIES:
:CUSTOM_ID: h:6c6e9261-dfa1-42d8-ab2a-8b7c227be6d9
:END:
My work machine.
***** NixOS
:PROPERTIES:
:CUSTOM_ID: h:ab6fefc4-aabd-456c-8a21-5fcb20c02869
:END:
Mostly just sets some opened ports for several games, enables virtualbox (which I do not want everywhere because of resource considerations) and enables thinkfan, which allows for better fan control on Lenovo Thinkpad machines.
#+begin_src nix :noweb yes :tangle profiles/winters/nixos.nix
{ pkgs, ... }:
{
# <<wrap>>
imports =
[
./hardware-configuration.nix
];
services = {
getty.autologinUser = "swarsel";
greetd.settings.initial_session.user = "swarsel";
};
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
kernelPackages = pkgs.linuxPackages_latest;
};
networking = {
hostName = "winters"; # Define your hostname.
nftables.enable = true;
enableIPv6 = true;
firewall.checkReversePath = "strict";
firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ ];
allowedTCPPortRanges = [
];
allowedUDPPortRanges = [
];
};
};
virtualisation.virtualbox = {
host = {
enable = true;
enableExtensionPack = true;
};
# leaving this here for future notice. setting guest.enable = true will make 'restarting sysinit-reactivation.target' take till timeout on nixos-rebuild switch
guest = {
enable = false;
};
};
stylix.image = ../../wallpaper/lenovowp.png;
<<theme>>
hardware = {
graphics = {
enable = true;
enable32Bit = true;
extraPackages = with pkgs; [
];
};
bluetooth.enable = true;
};
programs.steam = {
enable = true;
extraCompatPackages = [
pkgs.proton-ge-bin
];
};
services.power-profiles-daemon.enable = true;
users.users.swarsel = {
isNormalUser = true;
description = "Leon S";
extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" "vboxusers" "scanner" ];
packages = with pkgs; [ ];
};
environment.systemPackages = with pkgs; [
sbctl
teams-for-linux
# gog games installing
heroic
# minecraft
temurin-bin-17
(prismlauncher.override {
glfw = pkgs.glfw-wayland-minecraft;
})
];
system.stateVersion = "23.05";
}
#+end_src
***** TODO Home Manager
:PROPERTIES:
:CUSTOM_ID: h:85f7110c-2f25-4506-b64a-fce29f29d0d0
:END:
TODO: Adjust =hwmon= path, I/O modules and XF86 keys once laptop arrives.
#+begin_src nix :noweb yes :tangle profiles/winters/home.nix
{ config, pkgs, ... }:
{
<<gpgagent>>
home = {
username = "swarsel";
homeDirectory = "/home/swarsel";
stateVersion = "23.05"; # TEMPLATE -- Please read the comment before changing.
keyboard.layout = "us"; # TEMPLATE
packages = with pkgs; [
];
};
sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ];
# waybar config - TEMPLATE - update for cores and temp
programs.waybar.settings.mainBar = {
cpu.format = "{icon0} {icon1} {icon2} {icon3} {icon4} {icon5} {icon6} {icon7}";
temperature.hwmon-path.abs = "/sys/devices/platform/thinkpad_hwmon/hwmon/";
temperature.input-filename = "temp1_input";
};
<<waybarlaptop>>
wayland.windowManager.sway = {
config = rec {
# update for actual inputs here,
input = {
"36125:53060:splitkb.com_Kyria_rev3" = {
xkb_layout = "us";
xkb_variant = "altgr-intl";
};
"1:1:AT_Translated_Set_2_keyboard" = {
# TEMPLATE
xkb_layout = "us";
xkb_options = "grp:win_space_toggle";
xkb_variant = "altgr-intl";
};
"type:touchpad" = {
dwt = "enabled";
tap = "enabled";
natural_scroll = "enabled";
middle_emulation = "enabled";
};
};
output = {
eDP-1 = {
mode = "1920x1080"; # TEMPLATE
scale = "1";
position = "1920,0";
# bg = "~/.dotfiles/wallpaper/lenovowp.png fill";
};
# external monitor
HDMI-A-1 = {
mode = "2560x1440";
scale = "1";
# bg = "~/.dotfiles/wallpaper/lenovowp.png fill";
position = "0,0";
};
};
workspaceOutputAssign = [
{ output = "eDP-1"; workspace = "1:一"; }
{ output = "HDMI-A-1"; workspace = "2:二"; }
];
# keybindings = let
# inherit (config.wayland.windowManager.sway.config) modifier;
# in {
# };
startup = [
<<startupnixos>>
];
};
};
}
#+end_src
*** Virtual hosts
:PROPERTIES:
:CUSTOM_ID: h:4dc59747-9598-4029-aa7d-92bf186d6c06
@ -4791,6 +4464,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
hardware = import ./hardware.nix;
setup = import ./setup.nix;
impermanence = import ./impermanence.nix;
filesystem = import ./filesystem.nix;
}
#+end_src
@ -4845,6 +4519,16 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
}
#+end_src
***** Filesystem
#+begin_src nix :tangle modules/nixos/filesystem.nix
{ lib, ... }:
{
options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem";
}
#+end_src
**** home-manager
@ -4858,6 +4542,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
waybar = import ./waybar.nix;
startup = import ./startup.nix;
wallpaper = import ./wallpaper.nix;
filesystem = import ./filesystem.nix;
}
#+end_src
@ -5079,6 +4764,16 @@ in
#+end_src
***** Filesystem
#+begin_src nix :tangle modules/home/filesystem.nix
{ lib, ... }:
{
options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem";
}
#+end_src
** NixOS
*** Common
:PROPERTIES:
@ -5139,12 +4834,7 @@ First, we enable the use of =home-manager= as a NixoS module
#+end_src
**** General
:PROPERTIES:
:CUSTOM_ID: h:5a114da6-ef8d-404d-b31b-b51472908e77
:END:
***** Setup login keymap
**** Setup login keymap
:PROPERTIES:
:CUSTOM_ID: h:7248f338-8cad-4443-9060-deae7955b26f
:END:
@ -5163,7 +4853,7 @@ Next, we setup the keymap in case we are not in a graphical session. At this poi
}
#+end_src
***** Make users non-mutable
**** Make users non-mutable
:PROPERTIES:
:CUSTOM_ID: h:48959890-fbc7-4d28-b33c-f33e028ab473
:END:
@ -5186,7 +4876,7 @@ This ensures that all user-configuration happens here in the config file.
}
#+end_src
***** Environment setup
**** Environment setup
:PROPERTIES:
:CUSTOM_ID: h:f4006367-0965-4b4f-a3b0-45f63b07d2b8
:END:
@ -5212,7 +4902,7 @@ Next, we will setup some environment variables that need to be set on the system
}
#+end_src
***** Enable PolicyKit
**** Enable PolicyKit
:PROPERTIES:
:CUSTOM_ID: h:e2d40df9-0026-4caa-8476-9dc2353055a1
:END:
@ -5226,7 +4916,7 @@ Needed for control over system-wide privileges etc.
}
#+end_src
***** Enable automatic garbage collection
**** Enable automatic garbage collection
:PROPERTIES:
:CUSTOM_ID: h:9a3b7f1f-d0c3-417e-a262-c920fb25f3ee
:END:
@ -5245,7 +4935,7 @@ The nix store fills up over time, until =/boot/efi= is filled. This snippet clea
}
#+end_src
***** Enable automatic store optimisation
**** Enable automatic store optimisation
:PROPERTIES:
:CUSTOM_ID: h:97a2b9f7-c835-4db8-a0e9-e923bab69ee8
:END:
@ -5263,7 +4953,7 @@ This enables hardlinking identical files in the nix store, to save on disk space
#+end_src
***** Reduce systemd timeouts
**** Reduce systemd timeouts
:PROPERTIES:
:CUSTOM_ID: h:12858442-c129-4aa1-9c9c-a0916e36b302
:END:
@ -5281,7 +4971,7 @@ There is a persistent bug over Linux kernels that makes the user wait 1m30s on s
}
#+end_src
***** Hardware settings
**** Hardware settings
:PROPERTIES:
:CUSTOM_ID: h:1fa7cf61-5c03-43a3-a7f0-3d6ee246b31b
:END:
@ -5327,7 +5017,7 @@ Enable OpenGL, Sound, Bluetooth and various drivers.
}
#+end_src
***** Common network settings
**** Common network settings
:PROPERTIES:
:CUSTOM_ID: h:7d696b64-debe-4a95-80b5-1e510156a6c6
:END:
@ -5554,7 +5244,7 @@ Here I only enable =networkmanager=. Most of the 'real' network config is done i
}
#+end_src
***** Time, locale settings
**** Time, locale settings
:PROPERTIES:
:CUSTOM_ID: h:852d59ab-63c3-4831-993d-b5e23b877796
:END:
@ -5599,12 +5289,19 @@ I use sops-nix to handle secrets that I want to have available on my machines at
- update entry for sops.age.sshKeyPaths
#+begin_src nix :tangle profiles/common/nixos/sops.nix
{ config, ... }:
{ config, lib, ... }:
let
mkIfElse = p: yes: no: lib.mkMerge [
(lib.mkIf p yes)
(lib.mkIf (!p) no)
];
in
{
sops = {
age.sshKeyPaths = [ "${config.users.users.swarsel.home}/.ssh/sops" ];
defaultSopsFile = "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml";
defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml";
validateSopsFiles = false;
secrets = {
@ -6074,7 +5771,7 @@ This section houses the greetd related settings. I do not really want to use a d
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvol=/ /dev/mapper/enc /mnt
mount -o subvol=/ /dev/mapper/cryptroot /mnt
btrfs subvolume list -o /mnt/root
# While we're tempted to just delete /root and create
@ -6107,12 +5804,14 @@ This section houses the greetd related settings. I do not really want to use a d
environment.persistence."/persist" = lib.mkIf config.swarselsystems.impermanence {
hideMounts = true;
directories =
[
"/.cache/nix/"
"/srv"
"/etc/nixos"
"/etc/nix"
"/home/swarsel/.dotfiles"
"/etc/NetworkManager/system-connections"
"/etc/secureboot"
"/var/db/sudo/"
@ -6121,8 +5820,6 @@ This section houses the greetd related settings. I do not really want to use a d
];
files = [
# important state
"/etc/machine-id"
# ssh stuff
/*
"/etc/ssh/ssh_host_ed25519_key"
@ -6223,6 +5920,9 @@ This section houses the greetd related settings. I do not really want to use a d
{
programs._1password.enable = true;
programs._1password-gui.enable = true;
environment.systemPackages = with pkgs; [
];
}
#+end_src
@ -6344,6 +6044,7 @@ Programming languages and default lsp's are defined here: [[#h:0e7e8bea-ec58-499
nixpkgs-fmt
deadnix
statix
nix-tree
# local file sharing
wormhole-rs
@ -6536,11 +6237,18 @@ I use sops-nix to handle secrets that I want to have available on my machines at
Since we are using the home-manager implementation here, we need to specify the runtime path.
#+begin_src nix :tangle profiles/common/home/sops.nix
{ config, ... }:
{ config, lib, ... }:
let
mkIfElse = p: yes: no: lib.mkMerge [
(lib.mkIf p yes)
(lib.mkIf (!p) no)
];
in
{
sops = {
age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ];
defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
validateSopsFiles = false;
secrets = {
mrswarsel = { path = "/run/user/1000/secrets/mrswarsel"; };
@ -11468,6 +11176,7 @@ Yes, I am aware that I am exposing my university-calendar to the public here. I
(setq org-caldav-calendars
'((:calendar-id "personal"
:inbox "~/Calendars/leon_cal.org")))
(setq org-caldav-files '("~/Calendars/leon_cal.org"))
;; (setq org-caldav-backup-file "~/org-caldav/org-caldav-backup.org")
;; (setq org-caldav-save-directory "~/org-caldav/")
@ -11863,7 +11572,7 @@ Special things to note here: We are running xcape to allow =CAPS= to act as =CTR
#keyboard config
home.keyboard.layout = "us";
sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ];
sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
# waybar config
programs.waybar.settings.mainBar.cpu.format = "{icon0} {icon1} {icon2} {icon3}";

5
flake.nix
View file

@ -127,8 +127,9 @@
# # NixOS modules that can only be used on NixOS systems
nixModules = [
inputs.stylix.nixosModules.stylix
inputs.lanzaboote.nixosModules.lanzaboote
inputs.impermanence.nixosModules.impermanence
# inputs.lanzaboote.nixosModules.lanzaboote
inputs.disko.nixosModules.disko
# inputs.impermanence.nixosModules.impermanence
inputs.sops-nix.nixosModules.sops
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
./profiles/common/nixos

1103
index.html
View file

File diff suppressed because it is too large Load diff

1
modules/home/default.nix
View file

@ -7,4 +7,5 @@
waybar = import ./waybar.nix;
startup = import ./startup.nix;
wallpaper = import ./wallpaper.nix;
filesystem = import ./filesystem.nix;
}

5
modules/home/filesystem.nix Normal file
View file

@ -0,0 +1,5 @@
{ lib, ... }:
{
options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem";
}

1
modules/nixos/default.nix
View file

@ -3,4 +3,5 @@
hardware = import ./hardware.nix;
setup = import ./setup.nix;
impermanence = import ./impermanence.nix;
filesystem = import ./filesystem.nix;
}

5
modules/nixos/filesystem.nix Normal file
View file

@ -0,0 +1,5 @@
{ lib, ... }:
{
options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem";
}

1
profiles/common/home/packages.nix
View file

@ -31,6 +31,7 @@
nixpkgs-fmt
deadnix
statix
nix-tree
# local file sharing
wormhole-rs

11
profiles/common/home/sops.nix
View file

@ -1,8 +1,15 @@
{ config, ... }:
{ config, lib, ... }:
let
mkIfElse = p: yes: no: lib.mkMerge [
(lib.mkIf p yes)
(lib.mkIf (!p) no)
];
in
{
sops = {
age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ];
defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
validateSopsFiles = false;
secrets = {
mrswarsel = { path = "/run/user/1000/secrets/mrswarsel"; };

3
profiles/common/nixos/default.nix
View file

@ -25,7 +25,8 @@
./login.nix
./stylix.nix
./power-profiles-daemon.nix
./impermanence.nix
# ./impermanence.nix
./nix-ld.nix
];
nix.settings.trusted-users = [ "swarsel" ];

6
profiles/common/nixos/impermanence.nix
View file

@ -25,7 +25,7 @@
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvol=/ /dev/mapper/enc /mnt
mount -o subvol=/ /dev/mapper/cryptroot /mnt
btrfs subvolume list -o /mnt/root
# While we're tempted to just delete /root and create
@ -58,12 +58,14 @@
environment.persistence."/persist" = lib.mkIf config.swarselsystems.impermanence {
hideMounts = true;
directories =
[
"/.cache/nix/"
"/srv"
"/etc/nixos"
"/etc/nix"
"/home/swarsel/.dotfiles"
"/etc/NetworkManager/system-connections"
"/etc/secureboot"
"/var/db/sudo/"
@ -72,8 +74,6 @@
];
files = [
# important state
"/etc/machine-id"
# ssh stuff
/*
"/etc/ssh/ssh_host_ed25519_key"

11
profiles/common/nixos/sops.nix
View file

@ -1,9 +1,16 @@
{ config, ... }:
{ config, lib, ... }:
let
mkIfElse = p: yes: no: lib.mkMerge [
(lib.mkIf p yes)
(lib.mkIf (!p) no)
];
in
{
sops = {
age.sshKeyPaths = [ "${config.users.users.swarsel.home}/.ssh/sops" ];
defaultSopsFile = "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml";
defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml";
validateSopsFiles = false;
secrets = {

73
profiles/nbl-imba-2/default.nix
View file

@ -5,6 +5,7 @@
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./hardware-configuration.nix
./disk-config.nix
../optional/nixos/steam.nix
# ../optional/nixos/virtualbox.nix
@ -29,6 +30,8 @@
};
};
networking.networkmanager.wifi.scanRandMacAddress = false;
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
@ -55,6 +58,9 @@
services = {
fwupd.enable = true;
udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0bda", ATTR{idProduct}=="8156", ATTR{power/autosuspend}="20"
'';
};
swarselsystems = {
@ -62,11 +68,14 @@
hasBluetooth = true;
hasFingerprint = true;
initialSetup = true;
impermanence = false;
isBtrfs = true;
};
home-manager.users.swarsel.swarselsystems = {
isLaptop = true;
isNixos = true;
isBtrfs = true;
# temperatureHwmon = {
# isAbsolutePath = true;
# path = "/sys/devices/platform/thinkpad_hwmon/hwmon/";
@ -75,31 +84,45 @@
# ------ -----
# | DP-4 | |eDP-1|
# ------ -----
# monitors = {
# main = {
# name = "California Institute of Technology 0x1407 Unknown";
# mode = "1920x1080"; # TEMPLATE
# scale = "1";
# position = "2560,0";
# workspace = "2:二";
# output = "eDP-1";
# };
# homedesktop = {
# name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320";
# mode = "2560x1440";
# scale = "1";
# position = "0,0";
# workspace = "1:一";
# output = "DP-4";
# };
# };
# inputs = {
# "1:1:AT_Translated_Set_2_keyboard" = {
# xkb_layout = "us";
# xkb_options = "grp:win_space_toggle";
# xkb_variant = "altgr-intl";
# };
# };
monitors = {
main = {
name = "BOE 0x0BC9 Unknown";
mode = "2560x1600"; # TEMPLATE
scale = "1";
position = "2560,0";
workspace = "2:";
output = "eDP-2";
};
homedesktop = {
name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320";
mode = "2560x1440";
scale = "1";
position = "0,0";
workspace = "1:";
output = "DP-11";
};
workdesktop = {
name = "LG Electronics LG Ultra HD 0x000305A6";
mode = "2560x1440";
scale = "1";
position = "0,0";
workspace = "1:";
output = "DP-10";
};
};
inputs = {
"12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = {
xkb_layout = "us";
xkb_options = "grp:win_space_toggle";
xkb_variant = "altgr-intl";
};
"2362:628:PIXA3854:00_093A:0274_Touchpad" = {
dwt = "enabled";
tap = "enabled";
natural_scroll = "enabled";
middle_emulation = "enabled";
};
};
keybindings = { };
};
}

14
profiles/nbl-imba-2/disk-config.nix
View file

@ -33,30 +33,30 @@
"--perf-no_write_workqueue"
];
# https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
settings = {crypttabExtraOpts = ["fido2-device=auto" "token-timeout=10"];};
settings = { crypttabExtraOpts = [ "fido2-device=auto" "token-timeout=10" ]; };
content = {
type = "btrfs";
extraArgs = ["-L" "nixos" "-f"];
extraArgs = [ "-L" "nixos" "-f" ];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = ["subvol=root" "compress=zstd" "noatime"];
mountOptions = [ "subvol=root" "compress=zstd" "noatime" ];
};
"/home" = {
mountpoint = "/home";
mountOptions = ["subvol=home" "compress=zstd" "noatime"];
mountOptions = [ "subvol=home" "compress=zstd" "noatime" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = ["subvol=nix" "compress=zstd" "noatime"];
mountOptions = [ "subvol=nix" "compress=zstd" "noatime" ];
};
"/persist" = {
mountpoint = "/persist";
mountOptions = ["subvol=persist" "compress=zstd" "noatime"];
mountOptions = [ "subvol=persist" "compress=zstd" "noatime" ];
};
"/log" = {
mountpoint = "/var/log";
mountOptions = ["subvol=log" "compress=zstd" "noatime"];
mountOptions = [ "subvol=log" "compress=zstd" "noatime" ];
};
"/swap" = {
mountpoint = "/swap";

82
profiles/nbl-imba-2/hardware-configuration.nix
View file

@ -5,7 +5,8 @@
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
@ -13,50 +14,57 @@
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
fsType = "btrfs";
options = [ "subvol=root" ];
};
# fileSystems."/" =
# {
# device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
# fsType = "btrfs";
# options = [ "subvol=root" ];
# };
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/98b9bf76-ca01-49f5-91ee-1884ae9ce383";
# boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/98b9bf76-ca01-49f5-91ee-1884ae9ce383";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/5236-F44A";
fsType = "vfat";
};
# fileSystems."/boot" =
# {
# device = "/dev/disk/by-uuid/5236-F44A";
# fsType = "vfat";
# };
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
fsType = "btrfs";
options = [ "subvol=home" ];
};
# fileSystems."/home" =
# {
# device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
# fsType = "btrfs";
# options = [ "subvol=home" ];
# };
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
# fileSystems."/nix" =
# {
# device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
# fsType = "btrfs";
# options = [ "subvol=nix" ];
# };
fileSystems."/persist" =
{ device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
fsType = "btrfs";
options = [ "subvol=persist" ];
};
# fileSystems."/persist" =
# {
# device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
# fsType = "btrfs";
# options = [ "subvol=persist" ];
# };
fileSystems."/swap" =
{ device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
fsType = "btrfs";
options = [ "subvol=swap" ];
};
# fileSystems."/swap" =
# {
# device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
# fsType = "btrfs";
# options = [ "subvol=swap" ];
# };
fileSystems."/var/log" =
{ device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
fsType = "btrfs";
options = [ "subvol=log" ];
};
# fileSystems."/var/log" =
# {
# device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7";
# fsType = "btrfs";
# options = [ "subvol=log" ];
# };
swapDevices = [ ];
# swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's

3
profiles/optional/nixos/work.nix
View file

@ -2,4 +2,7 @@
{
programs._1password.enable = true;
programs._1password-gui.enable = true;
environment.systemPackages = with pkgs; [
];
}

1
programs/emacs/init.el
View file

@ -1716,6 +1716,7 @@ create a new one."
(setq org-caldav-calendars
'((:calendar-id "personal"
:inbox "~/Calendars/leon_cal.org")))
(setq org-caldav-files '("~/Calendars/leon_cal.org"))
;; (setq org-caldav-backup-file "~/org-caldav/org-caldav-backup.org")
;; (setq org-caldav-save-directory "~/org-caldav/")

22
scripts/fs-diff.sh Normal file
View file

@ -0,0 +1,22 @@
#!/usr/bin/env bash
# fs-diff.sh
set -euo pipefail
OLD_TRANSID=$(sudo btrfs subvolume find-new /mnt/root-blank 9999999)
OLD_TRANSID=${OLD_TRANSID#transid marker was }
sudo btrfs subvolume find-new "/mnt/root" "$OLD_TRANSID" |
sed '$d' |
cut -f17- -d' ' |
sort |
uniq |
while read path; do
path="/$path"
if [ -L "$path" ]; then
: # The path is a symbolic link, so is probably handled by NixOS already
elif [ -d "$path" ]; then
: # The path is a directory, ignore
else
echo "$path"
fi
done

135
secrets/general/secrets.yaml
View file

@ -1,18 +1,18 @@
mrswarsel: ENC[AES256_GCM,data:KorCRr6QGzwXXXVcuox5lhSQrg==,iv:rdAlpEYnQaeLH/cXDLixVOZj0mmkynewNlp53L/U4lo=,tag:gE19U/CPl2hU38VYgdLlGQ==,type:str]
nautilus: ENC[AES256_GCM,data:KTBIwO/m/O3RfYBf0kTdgM83mQ==,iv:fCVfS3eYE0F9Jhju+uT0rHcFPBMLYtsJURILMATvjYA=,tag:pzpVeK8YYYl6NgC0FRnCoQ==,type:str]
leon: ENC[AES256_GCM,data:5OAaO/8XiOJEUicx+otLoUUG9w==,iv:cxoNYOQCFIjX53ZgaL/Pu4ZDeL2EByClCIWG2JcRHMw=,tag:954bA4bjcLZsv2hFbtykSQ==,type:str]
caldav: ENC[AES256_GCM,data:CfWibtX+/BJcpXJNlpO8dpYJsdORzQZX5pEXX82CB2z+ZpIhIF66+x1GsXFFgP+MnQOS6O7hSUgckxtJBh7Bmy9jLmcdf3VMwnaAcg==,iv:bcahyj8MXSxvFOveFnXbEWHG03yHURb2zWelT5MiDo0=,tag:EguaYYuYNZUQlrKE8zjjrQ==,type:str]
restic: ENC[AES256_GCM,data:YZv3dsx2U1XHfv4=,iv:82WoS3n6nlZpPLrwKFRiYwVSvB4R3AfQQDSR6vjiyno=,tag:Y88Lz2i43UEjUduUmfz/OQ==,type:str]
swarselmail: ENC[AES256_GCM,data:QqOGUsip/nmbwFcCX5EhM9u3hCNN4onZpsQAg6qS6lw=,iv:LvQEHkhHJ7+7r4iV1VhxxPW23hJ+h6RMcNIX3NTlB0Y=,tag:/+iH0P/Dmc5m6DLUeUikGw==,type:str]
swarseluser: ENC[AES256_GCM,data:sBfmHzW4Abu/rMHopLWmSglC+l7e6UwiobIQ3+FewlnOnUzj0sD1GASq4q+VwIv141CHT+0d0iGk880iVIQpx2jxh+EefnxRUQ==,iv:/KzkOkMab6oTbWIT6ZZdIJNNlaJiiAy9SfTBsvumGBc=,tag:ZNfk7EXK5xX7W8NpdRyAJQ==,type:str]
ernest: ENC[AES256_GCM,data:jgzoxnhq3Sk=,iv:oDhm5MA7vR3y/osIbancG4OUQ4HansY6MhB2FxYdzuw=,tag:wYmCak6t0CAhCj8oWhC27g==,type:str]
frauns: ENC[AES256_GCM,data:zRnPcOCmwHs=,iv:Un3iCZU7Btp2F6xrJs7e4Kyy0YdP/N+o03sDHOIbr1s=,tag:v+PD9BJl+j2V8fKFb2Tr/g==,type:str]
hotspot: ENC[AES256_GCM,data:8SWbiTvii+E=,iv:6aU6JNLVeCM520Sc8EQkXB+DFPqhu6CI9eYqSzC1Aw0=,tag:gNbZHFL09yyfet7YB59FVw==,type:str]
eduid: ENC[AES256_GCM,data:OR5yB7pfunrHMCWqsBPU13wDwgbw6qBj2Bn5q4Q=,iv:2tUTXUGpd3sDU44h203xU7VuEGV/7yUMzW073N/WEp8=,tag:+FyxO1wK9vsOeZ7+xnNYLQ==,type:str]
edupass: ENC[AES256_GCM,data:iLH0v9pAGWLt7PU=,iv:wJbW71SnKyi07UMropNYHAyPhf9P7VSO8GZpDY5TAsg=,tag:hAt+atdz5QR9GaQJauLwmg==,type:str]
handyhotspot: ENC[AES256_GCM,data:Am6KgE4VAV4=,iv:wcn9F6bRqPN368ZkGRvl9r4+2cvShfWnm+dI4AbAK6Q=,tag:mBfYH3segy9u4qOJfsCPcw==,type:str]
vpnuser: ENC[AES256_GCM,data:JOwgeXVc+U8=,iv:m5/iyZloymJ5WqX0O6lAMNFauh755R76Vae89vkULhk=,tag:Y+ecq8rPKMGSwXeXLdfAGA==,type:str]
vpnpass: ENC[AES256_GCM,data:8PAAEfmNFLOTDA==,iv:GBQAF2IxqL6rfrxwm69GsAkfACSzTPac+7Cl6EX9bpw=,tag:S8/+TzL2icVouFVhkxc0OQ==,type:str]
mrswarsel: ENC[AES256_GCM,data:WEKMUQL7gmw1Jy7nVQ75B76PNw==,iv:4W//eaU5ccAMW1+y1pspergCbEmMWx/k+sw9aLV0QMw=,tag:J6NoHtrr2s5SeneMu2I2pQ==,type:str]
nautilus: ENC[AES256_GCM,data:Yj+P+i+geMKXRyQhR2EZXvU9kQ==,iv:jgkOF8lB2bqcQHsUUR9SwbcS0s5E1n05kmuqZGMjXm8=,tag:HS0iwSYdj0Hoq2V1IlR0MA==,type:str]
leon: ENC[AES256_GCM,data:XPPOTZVtWuUhfrLRZ9+myTYdXQ==,iv:JjSluv6liOjbdswK5FcDqFaGfgc8lSxYcde0oVVAOB4=,tag:XzyfN8ak82dFUTzbNox1iQ==,type:str]
caldav: ENC[AES256_GCM,data:Hmb0K0zvZMtFwkWVJOJVe7117qfqShoUCzYbyySpVHY/ggf88t33znVqthi+HhvZP7o7mFRbxQKXVOSru3Erzruo5WsHFK/TJMZQyQ==,iv:XXS5jTpX/yFSSoHb51X/ZTHdTkqFRBIwu0UC4pcGk9g=,tag:ToCo6nL2tkc3oKdlvDTq/A==,type:str]
restic: ENC[AES256_GCM,data:oFM5eeKQi9zr1sU=,iv:mNdJO+Snc14PWu1GIHhgwI4tZp0KcroA+eVmFZ3RBic=,tag:1m9764NXm8A1g2TuZEAcFg==,type:str]
swarselmail: ENC[AES256_GCM,data:e+oqHFy1Ui1uepKhFBtYbAkn752qxRb6Xvx5gOEjQyc=,iv:oUo8HVHKog+YxWb5u3AuhHGDVeXZIUo1Heq9m/O5igM=,tag:VNhO2vf8l546AjEx+dNjIQ==,type:str]
swarseluser: ENC[AES256_GCM,data:jaNRDSLSSB60aA7FnEO25FzrH1EL1FOW33hrXtPJEFkpeJKbdWypR+f3m/z6s1pmFtL/2x8kAdJUC42kZAg20/o9ZuD4KfDoKg==,iv:f5t5Kh9k/6D0+Fs1UEn95Dbgb3pF4lertBTZqdF1Fmk=,tag:Qb6RrMMGiMIBoLzRPXhTPg==,type:str]
ernest: ENC[AES256_GCM,data:C7ppu1S0RR0=,iv:zB07MW/bAQwNWJUHEIbvo5Ug9QYTDmk6jx3znnOqjOc=,tag:EzUEyA6HalGTKgWv7gqgmg==,type:str]
frauns: ENC[AES256_GCM,data:A5n9whHLCAI=,iv:2UTWu1Fqp9iSGcykXElGNko9fPOzEW/Sb4I+9hBMLfw=,tag:FnTXC7qZkO+R4GLJBg66Cw==,type:str]
hotspot: ENC[AES256_GCM,data:PAcHBVuKCIQ=,iv:mGKtXOMZuBV+97dQiQcM3BJs2G8j58dx0c6UN6rnG3M=,tag:6xf+NBS2OvU3X/L3Hao4MQ==,type:str]
eduid: ENC[AES256_GCM,data:/qfAWRxwIGRGK5HEsYsNtes9VJHfkx2C0WL8igw=,iv:znQJUPTbX/ZBpX5JB5QAUWTsbISZR2CAa9vZ9N3V2x0=,tag:2NiZ5Ynt3CFvsZ0i5s71xA==,type:str]
edupass: ENC[AES256_GCM,data:StcWMBpiRQk4tro=,iv:RGQ0i27eErOaTvHJINSgCh/sO48IJWoR5nwdk4Kgfic=,tag:M1zPdKrNLXdXLSJ9A8Ay7w==,type:str]
handyhotspot: ENC[AES256_GCM,data:6XS3MI1sFbQ=,iv:2QQDbWre66cZxcQJqjMfYC6Uxfw6RBcgypWb31uJJxU=,tag:2gbd3tdFlSTv84GpTMQHiQ==,type:str]
vpnuser: ENC[AES256_GCM,data:/fRpq/wyKuM=,iv:er+BKrfzihyRNzyTx3LIlecpyXlelh8OE8LZrGw6PNg=,tag:h7weTZXh43myaf35UwW0ZQ==,type:str]
vpnpass: ENC[AES256_GCM,data:Vrhex2J5MmGdxw==,iv:rauPM5/cGfj5btQaUVIeMpr/hjKInl31+semAfZchCQ=,tag:3hshXzNp9rtp2en1lxi5mg==,type:str]
sops:
kms: []
gcp_kms: []
@ -22,71 +22,80 @@ sops:
- recipient: age1zdjm8qa5t25mca0xxhhkpuh85mgg4l267mqjj2pdttksq7zg4unqdmqyp4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmN3pCM0l5VEQ4ZERDRVBx
MllTOXQwSEtjeDNSM1JqVFU2YmlzTmYrekFvClp2eG51VXlnb3dQTzJDbmw2czVv
NEM0OHBCNDJmbnIwWkxsYzg0Z3ZteVUKLS0tIDZLTW1GVUtPcUVKNmpvd0swREZF
ZEF0SCtWNEE4b2FJaVZBdGZLWXJMNGMKAcZCLU47OB8n3RhZOxMqUPxrjp2lXfuX
kG4MITOw/lw067YP1REpTqwPj4Ylleqx7KBafEsfzXPuuUh9gPgKKg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaR3NldGhjcTNXR0lhNU1Q
TWE4dyswREM3ekllV1huOWhTN00wWjFEdDFVCnc4UG5RRng3Qm5VMkJRdHl5TmxJ
TG5iMDFGSXJPekZQeHl1L2ZpYnR0aFkKLS0tIER3cWlkS01KSlhjNit2L0NkZXRV
WHVtNVJkc3VnZmFiZzk0Mm1vWDZwRU0Kif4fwm3AEv3DJZXEoYRfWbYbPei2dO4m
OisWDDWKqeZ6vZF+BVk3eak+wY+Vy853k6nDg+PhvSMM31V4vL8NDg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMVFoQTFGYmRreVhqQ2Zl
aTZlb3VrZjJzZUp5OUM4SEhGcjg0YlBWdWhBCk1ISzhCZ1FsVjdYaUpKOXlVMkxU
b0doSlVKN0hmSTRtTWFnL0JNR0JWSTQKLS0tIFVWZGNqVWVZa3dkSllqZ2Z2emdt
M3VYZW4yd2hza1pBUGhnSTlsRWJOd0kKebxg9WhWN4PI7GUNZJrKF9z5KWU6ZCS/
UpnaXNQJVGihJ5QaO+WxyCG5ivAwyToHA2aJEgLrHTF9eK1Rd4Wb6w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTNHM4bUxISUNQWUE4Tm5H
L3pZUVlGTk1hOEpCQmJZbEZoL24zWXUwY0hBClV5K2FLUFp1a05zQURpeXo2T09W
Q001L3dLSk5KZTUwdHAxQXhxMnVoMWMKLS0tIEt5YWF2VU1VMUdOZXNPMXd0L0xo
Q1FCVGNGY1EybklSTWJMTERJREo4TUUKSXFdoiK1NfjEK93Rl6sq7/RxkrS49N13
bfPdkiwwNe85YavOFSQ18EXGQkw4CvuX4IpIScsyiKdo31o1r/ys9Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdEtIWnJnY0JYMHlRUjZ4
OGx4MlE3N3JnaURnUU1NTyt0Sm82T3N6ZldBCjRkMkxSRG0rajNQczlOUXdFOVcx
VGRhVDJOUW8wN0IvL1lSa3ZSeGlCODQKLS0tIFp3STl1amR5MGd1UDBaRXU4N3J4
YzhlVnJRU1VFQkxwQmJQaHAwZy8rK1EKlQCB+gtblDchGxZeMgzRLWzpINXHTo6L
UAAHdlvUd3yql5W1RzFvfyepuyG9JzzgP0q5geMoMaQdS4ADUfZ6Ww==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU0diQ2hjcmRsdEpWTm1X
SmJwZlRTakt0RkVIU0VhRnN3d1c0aTYrODFvCjF2NVNkR2pBS3NVdjFiWnFPZ25T
N0tHc2lRdnlmdXliRE5UVUdOQ0xtczAKLS0tIEZ0SGhUd1p6V1RrSjl5Y09JZ3Bu
Q2cvQ1BMTTEyYmFSS3VKM1lRbkZFa1kK99zAahCmxYTfGDzUYJwboUs3uZ46raZS
7Lc9NbNF/V5WhF91d8B0LUWkoreouWsV2qhV2y1hjl8jsiFV16FOoQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1s3faa0due0fvp9qu2rd8ex0upg4mcms8wl936yazylv72r6nn3rq2xv5g0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyT2xMc2lYWCtHTHU0ZjAz
NUNHRVlnOThJbmFxN1liSTVvVXNMb2lsVVFJCjdES2dES3grVGI1bStrNHltbHFj
M0QwaXhZUEExYUJtVHRLVllIVDc2aDAKLS0tIFcrZkRjckJXc1N6Q3VweFJJYWo2
Q0NTRzR0cFVPT2phTlUyL0phU25TdncKD/4ZFw/oR2FEm0U8hUkF6ts5AkxfdXrS
2KdJTSXqy+UmbMHSoapcMQoeaOkfpIpmHZZzwhHzOBd3YPtBYMc91Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidm5OQ25LamQ5dlBYZGdN
TEdNVjF5U2lZZ0xRaXFGd0k0aERRci9yN2pvCklQUmZHYW0xdjZvWTI0TGc4SXly
SzFJN0RTb2UzdUdTY2dBNUJKMW9kNnMKLS0tIEZoLzRqb0ZTbDJWRHhPYmhTSUE1
OUNMVFhQdnRHcitQVUFub0ZhZW1FMTQKMCETAd193P5dLGMoY3bv0V2+J3HSty5X
zCfOxBLsK4X30dudIHLVj8aRsfv2nSWEqELs9e4UeEASVle/leVY9w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-16T23:20:25Z"
mac: ENC[AES256_GCM,data:o/VXKsxpvHbXCynyPMoVHpFPjJTDLZASIJ13yntB42fYg5xKEAQJE7+AVlL/HEprP8NlJ2yV2KSC64nALqucz1gkzFjZTNBYINpz6bgehkZ1/58Qoln/1cUvn3jwgbHY+cxvYsAeA+cmTYQf3yD7Eng2HmfN4r/jKbQpOgssSBY=,iv:7GwCMJH7v61KBBfiyLFXe+PcnAjk8/nF3Qrsne7GhIA=,tag:XHrconuMvauPoF3JlVhEhQ==,type:str]
- recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTGxlOVZJRW5VTHJmOGZo
M0cyQ1ZUTG1TWWFlVFcvZEhzeURCQld5TUFjCmRBOEc0bjlWNTgyeWlhWTRuMVZ0
WGNCUHRWUFRLb05jeWsyeFBlTkhOamsKLS0tIE0zSHhSQ0FZMm9PUDU4bkhyaTQ4
cUxsRjB5MUVkQk14Mng5bEk2eW8xY0UKFcPwc3iVpmjPwogW2t48IdKOc/AiN+r1
AJryUc2CZ3PK/njAnIxKqkCwsR527Txn0ulpaimqfv9nyJSVdbVXIQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-02T00:34:14Z"
mac: ENC[AES256_GCM,data:vI3IAz0MQF9Ub1KQmHDuDSvoUaPlBhZjE66pS9ZWT5wsLKOjSdbFbXvpGGieUh9MdgALNPSXqDvNMExsiRHNTgbQHf0yA2Esni5WoHVgXDPRiq9dB6ixJwsO8UlygIsdQyKJo+DdbXRA15hR2I1xDpY6YnhdIOCDI/fyD95Nlt4=,iv:Vi/RDx1BPmSKnihP0NtkCf+GukeQojxhGtoSLH7fOtA=,tag:4MEZjDELRHlVxV/Kk1a0rA==,type:str]
pgp:
- created_at: "2024-02-07T21:17:55Z"
- created_at: "2024-08-02T00:34:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ//QHYJAlJUacTFHu7iIK2q3mPdE3Zrn7AFK/JmhSIjyiS1
fJ8EzsPdgydlDiwGPoQqpyWZRccblek1PEVyxjQSjnGSU5hmAfYQCnT3zvBGgljS
UY2pnaFeXO7Tvo0rGgrUEAkkFD9WTC3UFcb1ZDo/OmybA3eVLMbvMsPXDGXln2Pg
KkxoblQIE7OAOMWg+YaS60J1DFGIY2Zj6BQ5K8LkA4lfgYWkmpvmwU8CzE/rlv2s
hsRL7pa1WMYAgdYsCemk2egohJA3kOmdlsGiIguY22AeeVadsJJEHOEucsIs36El
7u9b/TxusncNa2eQvnVak18zr4LPOr/1fmMxzmQWwDhRZeKhK1Y6LBU1XqvOggaL
rcAx42oCR16MEiMFty2iFyRvBSCCXOur45L/TsCDUTkKLdgunU8HFyyE0NIJ+Qig
Ffum+hfZ6UYv/nkz6Agfeu5ZSikok97+Lagh1GF0VawCSi5xq49Ky0i9NLFlPq3G
cFcI2qaei3EtY9CKeYmU1OdT4RX2aO8XwXH4LyC6TPQ4hgjV/DlLMSQIUd6RDLyT
2Aw3HkeKm2CfEkxTLlCvGjcYGB/b0tH5Y6n2dJUcFocUlxQem8xf+FFbyeR8CBDK
b9LXbBC0ywO9WHFXFIcjYU+Pb+O0MAK6nxTVDLoTmZXn61v041Nfonz9q1M2K72F
AgwDC9FRLmchgYQBEAC9IUmTrFZowCCWg18VWPr5sH7wV1QqMLkCIFsT+mAdZ2dC
96DzY2Y+8wSOnQVIlqWU8168v0qYtjN2J/wBTjlAWX6e7Yeg6mhulqiMLG6VrGyh
+M3u6Tfyp5LHIJbGkHTrlVrfdfU7J3pk3yercWyd2GW6Rq/W5bwvmvebseHiC6VS
N3NrH/MggW1g/V92ARIuNylK96mrVq7BuCB7VNlCIDEmmoI5G/AN822UXauvXZ1K
my/F6W+QOZFCtzgIAe7qM8MGsA2SYWb+yAfhxQJdlwT3V0lIX1q8brv/VPd+kL/1
ABP3NyU3zZ/x1q9Ur3HZGd3MdvumHZd4pCZuMHiYJMfXpmnYKrk6Fmw9sMw6ztfx
VRI6ZoiRiK/R391WPrF14PuN9ji0tALPAZ1SubKYSI7FwSSEFyVTTCAsS/EkXUo/
5SI+edynod8UtYSMqLfMEDqwXYnH2YHol4yhdiaa54CoOz9bc+O8PuYYyZGhzmrb
nfEItWOuHEf4VNZSjj93Rrg/7rhJLScK+Sx8ylSMoT6nNE9k3Hw3G4TeEgbR3lTn
v55xILKqN2BjeVab3KSvEac+yooz3xFmkCmB6wzSu5wMfz5HhO1ASUHs7TSey6B4
o/oRxR9uIUg/vXfR49750krKrs6V2u6x7DCLwpyNcQUyprltJfoxPvz4viA9kdJc
AUEOAMtiSSudTdKEH9Xx4x2ioMKRRcPgB1FuvDz/+Bl8VBj7db7zs5v0qPHg1/p7
4LRZ04XghV3qSmwI8va1RFPMOnQbOCkz0wWZsprCQMYAAktc6VrCj6rhJHQ=
=FV09
hQIMAwDh3VI7VctTAQ/+MfOhtax5VRg/OtVPoj4T/qTYTymbKZkvQZ/Cd6vox4WO
xAADZ9kVbkUATDfhSpM7HjtsxLZTq1gmzXQCrSKDcAuVP0qZ0ZHs3TI+dk09m1R0
3aBLWsIbo3oLLdawmyWwpIJ9aSaP711MsIY6nv7sH1a3DpFYGpETgx/D4sC77zVg
WQX6xTbjr8Y+0vJg1P9ShNE0V/7KUFEmLkmDU6e9bAZiLem7x4ydxcZvA/l5avSy
T+HqPQGUg7DO9wa9vlpRAkxF5OaW0XMt4Lfq+rFohronCkQYfEKJ2MpEBdX/yNZC
UzK6ZQe/8pcCJ3wqrvH9pIvwTY0v7goYPhzyPXtmjMjLMObSw9avd0upTvkMmHvg
DQlZeFGDSCY7+E6d68JCbCuSnH8P8aE5WGxP/d58j54lTybtiiM15b8djmHaOaKd
64H08mDX1Utig7BFYIX9OGAcC+Kk/XA6J+QsISL+VVO7+AiAqQGXQiwSB6hAvPZ1
a0OKT5NaFqpzCBjJNkhy168n7hx1XZYNsydHfxGamLeU+/o/3+2eUxbVnO31PZ22
HZpR8Czsxd1q9UKmKP1WUc9mQfBVEyltqsRzQWQwCGN8pscKOjzjqZsKP6Ro/zfZ
08nKAioUFwNAGaOYbscFANZVCwkqsstpSUhu5teBFRApLiZO3/mZuMIGKdjNb2yF
AgwDC9FRLmchgYQBEACVBDESKyqIBkkETsLRHY8y4oFtDgiZPMTM7YTJe+cA52JE
J0ut6FmBSqpIrrCSeGydvHN3OI0CirnEuXsQ/i0XAjx5/zXGWcQZqFZEfW9yJ7KM
M3PkqC45ybeiUslqRy4P89vrhE1+6YLvepUxYJiFVNOVQKkF55NBF5MDeehhenkO
O7PzHRF1cZ2yWpiM6UhtspOVoygdAeP1+fdSeRoIvicmAG5NmhtJPdST+8St+er8
LO2ON5iU2SpvN8Lx03dW/Pjoy9Wv8mqh3lZWt1NHRJ2GBWaUu58e0lECL0TAyzRf
NFYQ3mOwyxXl2Fn41qXr/HWWh5IDi3diZwWfgTJAPclxKTvJs+2Tc1V71RqFVHeA
ES//vLQyjWGefze7HvryEiGwkG3WFp76v10msP0TBrhRCBVHJk7ni3Q2OfV7ZI8S
YMPj3wftqp4tbUN5qtkKv3unb1+s8Kwh741xNUcupH5a8RsaDCxloLeOhpIfqwX3
lowV2ogYujrPWwnmm3Jya7Kkxf+mvb/rgU0lho/YyIGif1dDLvtKoOyfhoqKh8J3
7Ru3yvmarN9guDM9b17gF9pOXEdHQW2nRjBuePr6RiRXU6iTxr7W7DaG6dYMBxkT
x3Z4M2f6uIokMEGGplBWLo7VI/meaQ6/0v0iazbxHRDScFw6AYqhb+esF32Yx9Je
AXF9GBITGTM9h9beEiF6tA19QPBLQumT0SIGdlXaCe49gD8c5p3nslhcc4uqDkXF
Y6h4pRiuamgCqReHDFGJjofRoXleew0ILFI2wOOOHkFdE99A2RI+zBqM/9dWpg==
=oTeC
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted

1
secrets/keys/nbl.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC001+6mmxNrM7GtywMVY/ZJi+wx8f+kS6MMjc6260Ed nbl sops