From 52cc78a848c4654724302a1160947ec5aca21204 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?= Date: Wed, 10 Dec 2025 22:01:20 +0100 Subject: [PATCH] feat[server]: add hydra --- SwarselSystems.org | 280 +++++++++++++++--- flake.lock | 251 ++++++++++------ flake.nix | 14 + .../aarch64-linux/belchsfactory/default.nix | 15 +- .../belchsfactory/secrets/secrets.yaml | 6 +- .../nixos/x86_64-linux/eagleland/default.nix | 1 + .../eagleland/secrets/pii.nix.enc | 6 +- .../x86_64-linux/winters/secrets/pii.nix.enc | 6 +- modules/home/optional/work.nix | 2 +- modules/nixos/client/remotebuild.nix | 1 + modules/nixos/optional/work.nix | 1 + modules/nixos/server/attic.nix | 46 ++- modules/nixos/server/croc.nix | 2 +- modules/nixos/server/garage.nix | 27 +- modules/nixos/server/hydra.nix | 133 +++++++++ modules/nixos/server/mailserver.nix | 5 +- modules/nixos/server/minecraft/default.nix | 2 +- modules/nixos/server/nsd/site1.nix | 2 +- modules/nixos/server/ssh-builder.nix | 8 + modules/nixos/server/wireguard.nix | 2 +- secrets/repo/pii.nix.enc | 6 +- 21 files changed, 652 insertions(+), 164 deletions(-) create mode 100644 modules/nixos/server/hydra.nix diff --git a/SwarselSystems.org b/SwarselSystems.org index d80a497..d05ca45 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org 
@@ -508,6 +508,20 @@ A short overview over each input and what it does: }; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + hydra.url = "github:nixos/hydra/nix-2.30"; + # hydra.inputs.nix.follows = "nix"; + hydra.inputs.nix-eval-jobs.follows = "nix-eval-jobs"; + # nix = { + # url = "github:NixOS/nix/2.30-maintenance"; + # # We want to control the deps precisely + # flake = false; + # }; + nix-eval-jobs = { + url = "github:nix-community/nix-eval-jobs/v2.30.0"; + # We want to control the deps precisely + flake = false; + }; + smallpkgs.url = "github:nixos/nixpkgs/08fcb0dcb59df0344652b38ea6326a2d8271baff?narHash=sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc%3D&shallow=1"; nixpkgs-dev.url = "github:Swarsel/nixpkgs/main"; nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version @@ -3803,7 +3817,12 @@ This machine mainly acts as my proxy server to stand before my local machines. isNixos = true; isLinux = true; isCloud = true; + proxyHost = "twothreetunnel"; server = { + wireguard = { + isClient = true; + serverName = "twothreetunnel"; + }; garage = { data_dir = { capacity = "150G"; @@ -3826,10 +3845,12 @@ This machine mainly acts as my proxy server to stand before my local machines. }; swarselmodules.server = { - ssh-builder = lib.mkDefault true; - postgresql = lib.mkDefault true; - attic = lib.mkDefault true; - garage = lib.mkDefault true; + wireguard = true; + ssh-builder = true; + postgresql = true; + attic = true; + garage = true; + hydra = true; dns-hostrecord = true; }; @@ -4621,6 +4642,7 @@ This machine mainly acts as my proxy server to stand before my local machines. swarselmodules.server = { mailserver = true; dns-hostrecord = true; + postgresql = true; }; swarselprofiles = { 
@@ -7220,6 +7242,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at } ]; }; + programs.ssh = { knownHosts = { nixbuild = { @@ -8696,6 +8719,14 @@ Restricts access to the system by the nix build user as per https://discourse.ni }; }; + services.openssh = { + settings = { + AllowUsers = [ + "builder" + ]; + }; + }; + }; } #+end_src @@ -9016,7 +9047,7 @@ lspci -k -d 14c3:0616 PresharedKeyFile = config.sops.secrets."wireguard-${serverName}-${config.node.name}-presharedKey".path; Endpoint = "server.${serverName}.${globals.domains.main}:${toString servicePort}"; # Access to the whole network is routed through our entry node. - # PersistentKeepalive = 25; + PersistentKeepalive = 25; AllowedIPs = let wgNetwork = globals.networks."${serverNetConfigPrefix}-wg"; @@ -11493,6 +11524,12 @@ A stupid (but simple) way to get the =originUrl= is to simply set any URL there To get other URLs (token, etc.), use https:///oauth2/openid//.well-known/oauth-authorization-server, e.g. https:///oauth2/openid/nextcloud/.well-known/oauth-authorization-server, with clienID being the client name as specified in kanidm. +Create user: + + kanidm login -D idm_admin + +kanidm person credential create-reset-token + #+begin_src nix-ts :tangle modules/nixos/server/kanidm.nix { self, lib, pkgs, config, globals, dns, confLib, ... }: let @@ -12615,7 +12652,7 @@ To get other URLs (token, etc.), use https:///oauth2/openid/ s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:///>(); + '') + ]; + }); environmentFile = config.sops.templates."attic.env".path; settings = { listen = "[::]:${builtins.toString servicePort}"; 
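Review bot: `AllowUsers = [ "builder" ]` in the ssh-builder hunk turns sshd into an allowlist, so any host that enables `ssh-builder` (belchsfactory does in this commit) admits only the users named in that list. The option is a list and merges across modules, so the admin account may be added elsewhere, but that is not visible in this hunk. If it is not, remote administration over SSH is lost on the next switch. A comment next to the setting such as `# sshd only admits listed users; the admin user must be added wherever openssh is enabled` would make the dependency explicit. The enclosing module starts outside the hunk.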
@@ -14129,12 +14195,10 @@ $ attic cache create hello bucket = serviceName; # attic must be patched to never serve pre-signed s3 urls directly # otherwise it will redirect clients to this localhost endpoint - endpoint = "http://127.0.0.1:3900"; + endpoint = "http://127.0.0.1:3900"; # garage port } else { type = "local"; path = serviceDir; - # attic must be patched to never serve pre-signed s3 urls directly - # otherwise it will redirect clients to this localhost endpoint }; garbage-collection = { @@ -14143,11 +14207,11 @@ $ attic cache create hello }; chunking = { - nar-size-threshold = if config.swarselmodules.server.garage then 0 else 64 * 1024; # 64 KiB + nar-size-threshold = if config.swarselmodules.server.garage then 0 else 64 * 1024; # garage using s3 - min-size = 16 * 1024; # 16 KiB - avg-size = 64 * 1024; # 64 KiB - max-size = 256 * 1024; # 256 KiBize = 262144; + min-size = 16 * 1024; + avg-size = 64 * 1024; + max-size = 256 * 1024; }; }; }; @@ -14179,7 +14243,7 @@ $ attic cache create hello }; virtualHosts = { "${serviceDomain}" = { - enableACME = true; + useACMEHost = globals.domains.main; forceSSL = true; acmeRoot = null; oauth2.enable = false; @@ -14188,6 +14252,11 @@ $ attic cache create hello proxyPass = "http://${serviceName}"; extraConfig = '' client_max_body_size 0; + client_body_timeout 600s; + proxy_connect_timeout 600s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + proxy_request_buffering off; ''; }; }; 
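Review bot: In the attic nginx location, `client_body_timeout 600s;` together with the existing `client_max_body_size 0;` and the new `proxy_request_buffering off;` lets a slow client keep a connection open through to the upstream with up to ten minutes between reads. The same virtual host sets `oauth2.enable = false`, so nginx adds no authentication of its own in front of it. `proxy_connect_timeout 600s;` adds little, since nginx documents that the connect timeout cannot usually exceed 75 seconds. Keeping the long `proxy_send_timeout` and `proxy_read_timeout` for large NAR uploads while leaving the connect and client-body timeouts nearer their defaults would narrow that. The location block begins outside the hunk.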
@@ -14198,6 +14267,150 @@ $ attic cache create hello }; } #+end_src +**** Hydra + +Need to create user manually: + +# su - hydra +$ hydra-create-user alice --full-name 'Alice Q. User' \ + --email-address 'alice@example.org' --password-prompt --role admin + + +#+begin_src nix-ts :tangle modules/nixos/server/hydra.nix + { inputs, lib, config, globals, dns, confLib, ... }: + let + inherit (confLib.gen { name = "hydra"; port = 8002; }) serviceName servicePort serviceUser serviceGroup serviceAddress serviceDomain serviceProxy proxyAddress4 proxyAddress6; + inherit (config.swarselsystems) sopsFile; + in + { + options = { + swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + }; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + + sops = { + secrets = { + nixbuild-net-key = { mode = "0600"; }; + hydra-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + }; + templates = { + "hydra-env" = { + content = '' + HYDRA_PW="${config.sops.placeholder.hydra-pw}" + ''; + owner = serviceUser; + group = serviceGroup; + mode = "0440"; + }; + }; + }; + + services.hydra = { + enable = true; + package = inputs.hydra.packages.${config.node.arch}.hydra; + port = servicePort; + hydraURL = "https://${serviceDomain}"; + listenHost = "*"; + notificationSender = "hydra@${globals.domains.main}"; + minimumDiskFreeEvaluator = 20; # 20G + minimumDiskFree = 20; # 20G + useSubstitutes = true; + smtpHost = globals.services.mailserver.domain; + buildMachinesFiles = [ + "/etc/nix/machines" + ]; + extraConfig = '' + using_frontend_proxy 1 + ''; + }; + + systemd.services.hydra-user-setup 
= { + description = "Create admin user for Hydra"; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + User = "hydra"; + EnvironmentFile = [ + config.sops.templates.hydra-env.path + ]; + }; + wantedBy = [ "multi-user.target" ]; + requires = [ "hydra-init.service" ]; + after = [ "hydra-init.service" ]; + environment = lib.mkForce config.systemd.services.hydra-init.environment; + script = '' + set -eu + if [ ! -e ~hydra/.user-setup-done ]; then + /run/current-system/sw/bin/hydra-create-user admin --full-name 'admin' --email-address 'admin@${globals.domains.main}' --password "$HYDRA_PW" --role admin + touch ~hydra/.user-setup-done + fi + ''; + }; + + environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [ + ]; + + nix = { + settings.builders-use-substitutes = true; + distributedBuilds = true; + buildMachines = [ + { + hostName = "localhost"; + protocol = null; + system = config.node.arch; + supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ]; + maxJobs = 4; + } + ]; + }; + + networking.firewall.allowedTCPPorts = [ servicePort ]; + + programs.ssh = { + extraConfig = '' + StrictHostKeyChecking no + ''; + }; + + nodes.${serviceProxy}.services.nginx = { + upstreams = { + ${serviceName} = { + servers = { + "${serviceAddress}:${builtins.toString servicePort}" = { }; + }; + }; + }; + virtualHosts = { + "${serviceDomain}" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + oauth2.enable = false; + locations = { + "/" = { + proxyPass = "http://${serviceName}"; + extraConfig = '' + client_max_body_size 0; + proxy_set_header X-Request-Base /hydra; + ''; + }; + }; + }; + }; + }; + + }; + } +#+end_src *** Darwin :PROPERTIES: :CUSTOM_ID: h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47 @@ -14667,6 +14880,7 @@ When setting up a new machine: _1password.enable = true; _1password-gui = { enable = true; + package = pkgs._1password-gui-beta; polkitPolicyOwners = [ "${mainUser}" ]; }; }; 
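Review bot: In the Hydra module, `programs.ssh.extraConfig` sets `StrictHostKeyChecking no` for every SSH client on the host, so build dispatch to the machines in `/etc/nix/machines` accepts any host key and a machine-in-the-middle can impersonate a builder. Drop that block and pin the builders' keys through `programs.ssh.knownHosts`, which this configuration already uses for nixbuild. In the `hydra-user-setup` script, `--password "$HYDRA_PW"` puts the admin password in the process arguments; storing a hash in sops and passing `--password-hash` avoids that. `listenHost = "*"` with `networking.firewall.allowedTCPPorts = [ servicePort ]` also opens the plain-HTTP port on every interface, although nginx on the proxy node presumably reaches it only over the WireGuard link, so consider binding or firewalling it to that interface.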
@@ -21369,7 +21583,7 @@ When setting up a new machine: }; Service = { - ExecStart = "${pkgs._1password-gui}/bin/1password"; + ExecStart = "${pkgs._1password-gui-beta}/bin/1password"; }; }; @@ -24694,7 +24908,7 @@ This holds modules that are to be used on most hosts. These are also the most im #+end_src -* Emacs +* Emacse :PROPERTIES: :CUSTOM_ID: h:ed4cd05c-0879-41c6-bc39-3f1246a96f04 :END: diff --git a/flake.lock b/flake.lock index c741784..3035936 100644 --- a/flake.lock +++ b/flake.lock @@ -337,7 +337,7 @@ }, "fenix": { "inputs": { - "nixpkgs": "nixpkgs_14", + "nixpkgs": "nixpkgs_15", "rust-analyzer-src": "rust-analyzer-src" }, "locked": { @@ -982,6 +982,29 @@ "type": "github" } }, + "hydra": { + "inputs": { + "nix": "nix", + "nix-eval-jobs": [ + "nix-eval-jobs" + ], + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1759783173, + "narHash": "sha256-KShZ8ctQ0pb7BjP6z38+O++d7v2Y2KdKCSeRJEagvu8=", + "owner": "nixos", + "repo": "hydra", + "rev": "3059dc16a3664fecbf9437d5414f4d2bc1142ff1", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nix-2.30", + "repo": "hydra", + "type": "github" + } + }, "impermanence": { "locked": { "lastModified": 1737831083, @@ -1023,7 +1046,7 @@ "lanzaboote": { "inputs": { "crane": "crane", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "pre-commit": "pre-commit", "rust-overlay": "rust-overlay" }, @@ -1044,7 +1067,7 @@ "microvm": { "inputs": { "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_7", "spectrum": "spectrum" }, "locked": { @@ -1126,7 +1149,7 @@ "inputs": { "niri-stable": "niri-stable", "niri-unstable": "niri-unstable", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "nixpkgs-stable": "nixpkgs-stable_2", "xwayland-satellite-stable": "xwayland-satellite-stable", "xwayland-satellite-unstable": "xwayland-satellite-unstable" 
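Review bot: The last SwarselSystems.org hunk renames the top-level heading `* Emacs` to `* Emacse`, which looks like a stray keystroke rather than part of adding Hydra. Restore `* Emacs` so the heading text and anything that refers to it by title stay as they were; the `:CUSTOM_ID:` beneath it is unchanged.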
@@ -1178,9 +1201,26 @@ "type": "github" } }, + "nix": { + "flake": false, + "locked": { + "lastModified": 1758562014, + "narHash": "sha256-IazqNpt3jNldKy+rivmlGuo9pC1IczV0Xjk5+5EQEzQ=", + "owner": "NixOS", + "repo": "nix", + "rev": "f2b45e014b909bb5e6a9f99a8a511deed3b3e2a4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "2.30-maintenance", + "repo": "nix", + "type": "github" + } + }, "nix-darwin": { "inputs": { - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_9" }, "locked": { "lastModified": 1763505477, @@ -1196,6 +1236,23 @@ "type": "github" } }, + "nix-eval-jobs": { + "flake": false, + "locked": { + "lastModified": 1752683968, + "narHash": "sha256-urOFgqXzs+cgd1CKFuN245vOeVx7rIldlS9Q5WcemCw=", + "owner": "nix-community", + "repo": "nix-eval-jobs", + "rev": "a579b1a416dc04d50c0dc2832e9da24b0d08dbac", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v2.30.0", + "repo": "nix-eval-jobs", + "type": "github" + } + }, "nix-formatter-pack": { "inputs": { "nixpkgs": [ @@ -1243,7 +1300,7 @@ "inputs": { "flake-compat": "flake-compat_2", "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_10" }, "locked": { "lastModified": 1763776632, @@ -1263,7 +1320,7 @@ "inputs": { "home-manager": "home-manager_2", "nix-formatter-pack": "nix-formatter-pack", - "nixpkgs": "nixpkgs_10", + "nixpkgs": "nixpkgs_11", "nixpkgs-docs": "nixpkgs-docs", "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap", "nmd": "nmd_2" @@ -1287,7 +1344,7 @@ "inputs": { "devshell": "devshell_2", "flake-utils": "flake-utils_4", - "nixpkgs": "nixpkgs_11", + "nixpkgs": "nixpkgs_12", "pre-commit-hooks": "pre-commit-hooks" }, "locked": { @@ -1342,7 +1399,7 @@ "nixgl": { "inputs": { "flake-utils": "flake-utils_5", - "nixpkgs": "nixpkgs_12" + "nixpkgs": "nixpkgs_13" }, "locked": { "lastModified": 1762090880, 
@@ -1377,7 +1434,7 @@ "inputs": { "devshell": "devshell_3", "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_13", + "nixpkgs": "nixpkgs_14", "nixt": "nixt", "pre-commit-hooks": "pre-commit-hooks_2" }, @@ -1399,7 +1456,7 @@ "nixos-generators": { "inputs": { "nixlib": "nixlib", - "nixpkgs": "nixpkgs_15" + "nixpkgs": "nixpkgs_16" }, "locked": { "lastModified": 1751903740, @@ -1717,6 +1774,22 @@ } }, "nixpkgs_10": { + "locked": { + "lastModified": 1748929857, + "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { "locked": { "lastModified": 1764086288, "narHash": "sha256-S223/Mc4Ax75PfWySz8b44jjAnz36jUk4U+XiCfMy9I=", @@ -1731,7 +1804,7 @@ "type": "github" } }, - "nixpkgs_11": { + "nixpkgs_12": { "locked": { "lastModified": 1730531603, "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", @@ -1747,7 +1820,7 @@ "type": "github" } }, - "nixpkgs_12": { + "nixpkgs_13": { "locked": { "lastModified": 1746378225, "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=", @@ -1762,7 +1835,7 @@ "type": "github" } }, - "nixpkgs_13": { + "nixpkgs_14": { "locked": { "lastModified": 1763966396, "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", @@ -1778,7 +1851,7 @@ "type": "github" } }, - "nixpkgs_14": { + "nixpkgs_15": { "locked": { "lastModified": 1677063315, "narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=", @@ -1794,7 +1867,7 @@ "type": "github" } }, - "nixpkgs_15": { + "nixpkgs_16": { "locked": { "lastModified": 1763934636, "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=", 
@@ -1810,7 +1883,7 @@ "type": "github" } }, - "nixpkgs_16": { + "nixpkgs_17": { "locked": { "lastModified": 1763835633, "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=", @@ -1826,7 +1899,7 @@ "type": "github" } }, - "nixpkgs_17": { + "nixpkgs_18": { "locked": { "lastModified": 1720957393, "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", @@ -1842,7 +1915,7 @@ "type": "github" } }, - "nixpkgs_18": { + "nixpkgs_19": { "locked": { "lastModified": 1763835633, "narHash": "sha256-HzxeGVID5MChuCPESuC0dlQL1/scDKu+MmzoVBJxulM=", @@ -1858,22 +1931,6 @@ "type": "github" } }, - "nixpkgs_19": { - "locked": { - "lastModified": 1763934636, - "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_2": { "locked": { "lastModified": 1763934636, @@ -1891,6 +1948,22 @@ } }, "nixpkgs_20": { + "locked": { + "lastModified": 1763934636, + "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_21": { "locked": { "lastModified": 1763553727, "narHash": "sha256-4aRqRkYHplWk0mrtoF5i3Uo73E3niOWiUZU8kmPm9hQ=", @@ -1906,7 +1979,7 @@ "type": "github" } }, - "nixpkgs_21": { + "nixpkgs_22": { "locked": { "lastModified": 1764445028, "narHash": "sha256-ik6H/0Zl+qHYDKTXFPpzuVHSZE+uvVz2XQuQd1IVXzo=", @@ -1922,7 +1995,7 @@ "type": "github" } }, - "nixpkgs_22": { + "nixpkgs_23": { "locked": { "lastModified": 1763966396, "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", 
@@ -1938,7 +2011,7 @@ "type": "github" } }, - "nixpkgs_23": { + "nixpkgs_24": { "locked": { "lastModified": 1762977756, "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", @@ -1954,7 +2027,7 @@ "type": "github" } }, - "nixpkgs_24": { + "nixpkgs_25": { "locked": { "lastModified": 1763966396, "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", @@ -1970,7 +2043,7 @@ "type": "github" } }, - "nixpkgs_25": { + "nixpkgs_26": { "locked": { "lastModified": 1761236834, "narHash": "sha256-+pthv6hrL5VLW2UqPdISGuLiUZ6SnAXdd2DdUE+fV2Q=", @@ -1986,7 +2059,7 @@ "type": "github" } }, - "nixpkgs_26": { + "nixpkgs_27": { "locked": { "lastModified": 1751274312, "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", @@ -2002,7 +2075,7 @@ "type": "github" } }, - "nixpkgs_27": { + "nixpkgs_28": { "locked": { "lastModified": 1754800730, "narHash": "sha256-HfVZCXic9XLBgybP0318ym3cDnGwBs/+H5MgxFVYF4I=", @@ -2050,6 +2123,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1759652726, + "narHash": "sha256-2VjnimOYDRb3DZHyQ2WH2KCouFqYm9h0Rr007Al/WSA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "06b2985f0cc9eb4318bf607168f4b15af1e5e81d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1763678758, "narHash": "sha256-+hBiJ+kG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s=", 
@@ -2065,39 +2154,39 @@ "type": "github" } }, - "nixpkgs_6": { - "locked": { - "lastModified": 1763966396, - "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_7": { "locked": { "lastModified": 1763966396, "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", - "owner": "NixOS", + "owner": "nixos", "repo": "nixpkgs", "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_8": { + "locked": { + "lastModified": 1763966396, + "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_9": { "locked": { "lastModified": 1763934636, "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=", @@ -2113,22 +2202,6 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1748929857, - "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixt": { "inputs": { "flake-compat": "flake-compat_4", @@ -2225,7 +2298,7 @@ "nswitch-rcm-nix": { "inputs": { "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs_17" + "nixpkgs": "nixpkgs_18" }, "locked": { "lastModified": 1721304043, 
@@ -2244,7 +2317,7 @@ "nur": { "inputs": { "flake-parts": "flake-parts_4", - "nixpkgs": "nixpkgs_18" + "nixpkgs": "nixpkgs_19" }, "locked": { "lastModified": 1763996502, @@ -2476,7 +2549,7 @@ "inputs": { "flake-compat": "flake-compat_7", "gitignore": "gitignore_4", - "nixpkgs": "nixpkgs_19" + "nixpkgs": "nixpkgs_20" }, "locked": { "lastModified": 1763988335, @@ -2500,11 +2573,13 @@ "emacs-overlay": "emacs-overlay", "flake-parts": "flake-parts", "home-manager": "home-manager", + "hydra": "hydra", "impermanence": "impermanence", "lanzaboote": "lanzaboote", "microvm": "microvm", "niri-flake": "niri-flake", "nix-darwin": "nix-darwin", + "nix-eval-jobs": "nix-eval-jobs", "nix-index-database": "nix-index-database", "nix-minecraft": "nix-minecraft", "nix-on-droid": "nix-on-droid", @@ -2514,7 +2589,7 @@ "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", "nixos-images": "nixos-images", - "nixpkgs": "nixpkgs_16", + "nixpkgs": "nixpkgs_17", "nixpkgs-dev": "nixpkgs-dev", "nixpkgs-kernel": "nixpkgs-kernel", "nixpkgs-stable": "nixpkgs-stable_3", @@ -2649,7 +2724,7 @@ "blobs": "blobs", "flake-compat": "flake-compat_8", "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs_20" + "nixpkgs": "nixpkgs_21" }, "locked": { "lastModified": 1763564778, @@ -2685,7 +2760,7 @@ }, "sops": { "inputs": { - "nixpkgs": "nixpkgs_21" + "nixpkgs": "nixpkgs_22" }, "locked": { "lastModified": 1764483358, @@ -2719,7 +2794,7 @@ }, "spicetify-nix": { "inputs": { - "nixpkgs": "nixpkgs_22", + "nixpkgs": "nixpkgs_23", "systems": "systems_5" }, "locked": { @@ -2823,7 +2898,7 @@ "firefox-gnome-theme": "firefox-gnome-theme", "flake-parts": "flake-parts_5", "gnome-shell": "gnome-shell", - "nixpkgs": "nixpkgs_23", + "nixpkgs": "nixpkgs_24", "nur": "nur_2", "systems": "systems_6", "tinted-foot": "tinted-foot", @@ -2849,7 +2924,7 @@ "swarsel-nix": { "inputs": { "flake-parts": "flake-parts_6", - "nixpkgs": "nixpkgs_24", + "nixpkgs": "nixpkgs_25", "systems": "systems_7" }, "locked": { 
@@ -3100,7 +3175,7 @@ }, "treefmt-nix": { "inputs": { - "nixpkgs": "nixpkgs_25" + "nixpkgs": "nixpkgs_26" }, "locked": { "lastModified": 1762938485, @@ -3118,7 +3193,7 @@ }, "vbc-nix": { "inputs": { - "nixpkgs": "nixpkgs_26", + "nixpkgs": "nixpkgs_27", "systems": "systems_9" }, "locked": { @@ -3196,7 +3271,7 @@ "inputs": { "crane": "crane_3", "flake-utils": "flake-utils_8", - "nixpkgs": "nixpkgs_27", + "nixpkgs": "nixpkgs_28", "rust-overlay": "rust-overlay_3" }, "locked": { diff --git a/flake.nix b/flake.nix index 74a6365..b6fbff3 100644 --- a/flake.nix +++ b/flake.nix @@ -11,6 +11,20 @@ }; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + hydra.url = "github:nixos/hydra/nix-2.30"; + # hydra.inputs.nix.follows = "nix"; + hydra.inputs.nix-eval-jobs.follows = "nix-eval-jobs"; + # nix = { + # url = "github:NixOS/nix/2.30-maintenance"; + # # We want to control the deps precisely + # flake = false; + # }; + nix-eval-jobs = { + url = "github:nix-community/nix-eval-jobs/v2.30.0"; + # We want to control the deps precisely + flake = false; + }; + smallpkgs.url = "github:nixos/nixpkgs/08fcb0dcb59df0344652b38ea6326a2d8271baff?narHash=sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc%3D&shallow=1"; nixpkgs-dev.url = "github:Swarsel/nixpkgs/main"; nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version diff --git a/hosts/nixos/aarch64-linux/belchsfactory/default.nix b/hosts/nixos/aarch64-linux/belchsfactory/default.nix index a3081d9..1cf9810 100644 --- a/hosts/nixos/aarch64-linux/belchsfactory/default.nix +++ b/hosts/nixos/aarch64-linux/belchsfactory/default.nix @@ -26,7 +26,12 @@ isNixos = true; isLinux = true; isCloud = true; + proxyHost = "twothreetunnel"; server = { + wireguard = { + isClient = true; + serverName = "twothreetunnel"; + }; garage = { data_dir = { capacity = "150G"; 
@@ -49,10 +54,12 @@ }; swarselmodules.server = { - ssh-builder = lib.mkDefault true; - postgresql = lib.mkDefault true; - attic = lib.mkDefault true; - garage = lib.mkDefault true; + wireguard = true; + ssh-builder = true; + postgresql = true; + attic = true; + garage = true; + hydra = true; dns-hostrecord = true; }; diff --git a/hosts/nixos/aarch64-linux/belchsfactory/secrets/secrets.yaml b/hosts/nixos/aarch64-linux/belchsfactory/secrets/secrets.yaml index 35b7f90..fc1437b 100644 --- a/hosts/nixos/aarch64-linux/belchsfactory/secrets/secrets.yaml +++ b/hosts/nixos/aarch64-linux/belchsfactory/secrets/secrets.yaml @@ -1,4 +1,5 @@ wireguard-private-key: ENC[AES256_GCM,data:0cxqNz1r2Hqx2JIjzEFz32gvZ+92rT5+zsHyFo5/Wx/+vdtj+KG4gNuk4ys=,iv:qonukOR1cpuCTjoR/db8WqjlJoDGJZlG25W9ql7vfzQ=,tag:iFAKWfQ7Fb6VlFwlHDK+zw==,type:str] +hydra-pw: ENC[AES256_GCM,data:aIq7vQ15NfzytSMvhAT4USdRwZwnFmD+dA==,iv:+524w/u/IwSwt/mIfpM1XEPKLHky9sw2V0dbOfEBNtE=,tag:XsPC4VVvq1dAb2cO5s2kKQ==,type:str] #ENC[AES256_GCM,data:WqtrDDqt,iv:Ksv7cH9opsgWoXj+YnTct3VtAT6qbaAr78uaZxkN+zc=,tag:9KPeAi/JZvxjKh1w4scsdQ==,type:comment] #ENC[AES256_GCM,data:kwewartySAHzmyssuWFPv0XODI/njYrSXxqEE2JBJvuCsJKwZrq4+EzKOtwOlyssEpAvaxxejmb7,iv:p3KO21NvM7zfp4U0s9TVW5jfnOzvQkn06mcFgHp9xVA=,tag:sn/zQwI8EdhWb2w9F+V4rw==,type:comment] acme-dns-token: ENC[AES256_GCM,data:Fj1V4MMKYJdXTur3xc7EDnYGXg8GBVPx8X/I6A7bRIdm7cX63yRrtw==,iv:Gaz6xYtEkQilaQG6+5Bz2gHWN3sIRQmCqLryZZYjefM=,tag:lGu+e1u6JOdxq8l8J+6+cw==,type:str] 
@@ -9,6 +10,7 @@ garage-admin-token: ENC[AES256_GCM,data:oxUvX41iOaS7Jvfb281lPKCavwP2z5hvP94EWCp8 #ENC[AES256_GCM,data:RB6z24ud0XkaawMtPI14nvHhRkU7pTUGezN/9L4GoAXM0M93VpMbQEouanZASg==,iv:XzDcpdIrPU/rXsqPbMPzuDRFWXvV3hkBpwntCKc604k=,tag:eBHwgiEmxipJaNB5YivyXQ==,type:comment] attic-garage-access-key: ENC[AES256_GCM,data:HqaStuLtg4DVVe8SFWvIfJwPFUvJL59rLjY=,iv:T7kkjyISziJ/Dv8BtF6LXfkd+wR9TRN+ZG+7jFMVK2c=,tag:Rlv71YCXV3sYgrrj1CX7Qg==,type:str] attic-garage-secret-key: ENC[AES256_GCM,data:XJFQN+8L5hH1wUiTyh1bwojDyQA8bp8cs8wVNYqp/5YZ58ngiuySE9WvDBP4Jxrp2kHTYXzlofcKDsh3H6AFsA==,iv:HQJwUN4dPRY40VKc7eA+O0atRss3qQ35Kg2GxWP7hYE=,tag:UWgjX+2aYm0OMWAmKRT5dQ==,type:str] +#ENC[AES256_GCM,data:7O2LxQRU,iv:k9QEUhgrRVbCmzVeZsalAVaPt4QwAuzIbyCXClm/kjk=,tag:HL9AAzevfAApUY3g8q5zyg==,type:comment] attic-server-token: ENC[AES256_GCM,data:GzTQqXHrg0/anMVg1ffLgEcYa+2dDQKckVzOGeoopeOdO9DhP/M+r5JAbCDeqdG8l/uMQHsSkahYAkPi5EQ4WUth77E3+hLuLLd13kuJDqjPn1TWyDU82omBPeRma8lmUUo8epJlpH174Ts3CX9tYpp6yL7loqRNw315gGoYNHN0FHAGauR8fMQEXf0p/NyMWmepqf+7tCmN1WyemUyLiQZxVEzKpGCLA4mVQOpevHDd6rzS843/xinZ+FhJoJxMM9EB5I2T+poAqrGrceWOMV+yMbeu7yDnf0Q17eEFZVFa41VlsiusjjZDf5kamdrQeiVFeLBmrUNpwOu5wzqvCFgk+a3zi5Ih11cPjnZSUGsN1LL0vGsmAuOvSN+QSvFeaZHx2xiFFpzAE/5r4f4yPai/n4vhUseG2GpyFjwKLU3vuk9YaCLzwgJuUz13BGzGPL//2xZnnjMDlIHz1sH5oUhDjVa4GOjeJNYdtuJBBdiWDJlKcMbsZiyWRSVGOuXg5TLdiqpl6WwOeVSSVo0Z25u0tD6GmVcTbe5bkfbpW4LNzEE6R1Zx4XGXE0KwXdxFS9O7H/EKLSEBX3eIhLFAc7zSXf92uX8yED38bETaHklDNcpTcX3zcNDtYdARkIQdY7GPgpj6RTNNMqOsz8moG2ZvEZNRtBaodYDmacjo7GL4Sxd9XsZG0juV6ZUjaPe1RIoJAaU9wZ9O2NWuCB5M+H73+P1thFSBdJp2HOMdlpvLnInrJNNC7G2NLZMSjlE/fbL8+TwQbs7QYC6msAz53FA7FXU3w4ojN0lgdpYMv6WtgEs+c4WssGhGv7GIwNcXPnbc04JMmpYgrxM7lwZVrzShfPQR/jM5u0AZD+zTeM+X/4IB4bjcWu2b1xGEoD7/JBBqBkVDLTpkryip2utwVwXimExOwTg75evLBeYRjYUIoRM4tfjKjrlwFWx+7SnRtTZTT7UrJ7lX6dWYebqR5JDRMLGk+2tEjj4NGx8hem2n6hOfkIhnGhTAi4OhvRnMwRvEX1v6fNP3X4hksV4k8hGP99GMnmeq584Bk58W/mU0odkdMqqK7xL5tVRE7yx7Muhied+S2qu/Ujj9esmTNY3t8twd8ku3jN+wlQqGOrcJURQrCt3lwMiTuVN/cJQeE/iADWt9mFO+P5P07ZROp
NGqOMIJ7TVIv4KiyPkVfpQxQpOHDp2HHIUnwXuE9e6KjM3aZfHNljyadpeBM6kyqMMHmyQs/qQ/4/dFDFZcWQnAsOVatNOkYSxbQGqfrgO6Ekw0hbFxNQlfRyTzOqNjndvdonIhiPLpcxC72TNhJmLaPNmr1ZkqCWcAz+HSVlIoDquLrP2xIvnn9tu2IFhYbmieCKCGXq2VcGesygeEO75JO2ak6ia8aT6WKzlJ60E7xV2yTmTn3Tnu8ERYQEXYbECTwPqQ008bMAvzWU5cytZU1ediMxwi2BggIAoD5H3sufO73dk9RUEHV3RBfXcJ1nXqH6LTSgdCwrjRAy0058QR9UK89vwUglJKVLNsTaM/XNhGItAGazx296tjlH9lIXtTxzi7J+qWLqfNdfi50U2NMB9Ag/w/LwU0po1NNgu6/XKWzuBOJyp8RZ4wpOY4qQvJVD+fFBeubb56HCCWKYIfYexNJ12wGAky6RV5KfrQqMjm+KfPhQOrcXmtn1EODzEiPfX+l5QqqXcqwVi/l6OnGbkC2GLmcajZJEbnXgayt4ZbPIUYe0eUEwySz+QnksqDQqDUhapa0JZ6b31Pc/UmyXAMnljy2XCca0tUyYSP2HcLpLtONacaySIbu2robQuzq8MuJlqbdk4N4EusQn/VUQGqlOPgeK0sm433+WlZy0x7Drd9xI/1lBF0khZ5VP0MHPPa1FDs6xcjL7ALj7DipV8mqZreGdbS1oT8qWVxMVYwOsXYTJTwm2TXrBYTbie6rSDOvx0H7dixr716waVvME40epQy/yHQjCO4P8k+K9q2oJqKZywVZnaPV9tS1AeMttk+ydQrzxH5SuJAuyjggtS5QUzN2QauOA1OnDfVKr7T2P3zNd5mixL9gc5c5q0+XQ0T5+fCoH2alG6hHqOxssgJFTGDwEYN8NEvqihnatIzmeIpcs2GyTUOJnvIsAEA2bTuf+XZ/t42/TDDO6S4dD0R9KvBnslgDHseMi98XKwYF6bxJNjOHyVeersP/aaMkj/lSgHuQdazW+wdiLLtVXd9iDyYz1PiQmM5wCpMZ9dCzOesUQ0A6iFEcwaPzbJaeMhGDgfyVrMa3n1K3KbKon4EGSiZsJWfKcNZ4f/yo2yDO45FP795trFR1QxithgsC6j75I5dPMUDgg/H5IBFSgsGXyLObHV6cyQFav/gyCMgqF1M+ttcX+wm3DHGufGJUZqpwmCCOyoEh5KvTvTmvhGAxoYbILIMfzxkogBC144D0atnmpUaeKoyc/Xo3OpYqOmdEEzsL1ddZSkVoR4Jd0hqtdLDY0QdyFcCbNFAZiQTlRyyUej7UXtogsirhTazWCld0YPP5fI+z8zoyT2UKuO2KfYGokbbpiQBSwn/I8qMLzDIqV0iq/JglroQCzbqSxkOuY5n1kH/c79/u3CrNzha20wgkgpM6kvg4ocZMNbkSfRU859qrVCKybEatgHz9naqCyklpA+q+dIMv9yQsJJSj3gqCGqz+eweBt337W/7/9M9WVwL62gTXL1wHgCerM8LT3lKto4Rr8WmLQboH9FXJkQ1Wmg4XguM2zvIpr4rLjHlGLG7zwUBslDnwCATs7CQQ/s/VVd5cKRapa0+3np51g/9Sp/1lmR2HRBGki6JQnmK2jyDSBd6cDpg1c7wg7CWhaWGMulf9KR5MTcKAtRrGleoIcvJBKdQCO89OykmDCKdPyhR6BkQpRLnmWzM1LmEoT8JMG6zXN22gjLet8NobCn3fNqfTa7aZsqeY2ueI1YRqQolH2X6qAy41GaekNLN8ADmeIm4/jl2Hi6WhWCL5cxoToTOqI8nWVKlF4t8DgiQbXOaC6Nz2WmrjUsCWkFjNg+dVf43jOS8QQBgEcqPMYzrt/bE5t+qIH+CaQXsudP6HawqJfFkn2c6AsoqPxEJ46niuOUmYhCpvHqFUnMKlS0qiECURrriVgN/akHT07lAOxDWPSEKbTidw7njXziHquo8Rg8Bn
BvsM6HLgqSEqXxA+4lXicWTcgF8zERVNcbTgUMEEqL0LGwZ4Yjoiduepeqq9N5Ip61Eni4oRoa+45GLzvUeRzgufyN2zVDVr9HZ92VPEiGlG6p3cr1QNAN9Ss/qv7v9h/j3Rns0f+z0JTI3aJrV6t0Qt43mPk8Q//BVRaUV6x97J4Pn3ueR0eCaxeHCw8qtHQEqVBxpITcEkU8+PHe6k5hYkXL/IUsvf/K6FuWnEYGo+3C0TGvvmljCtYV3QxKMI2Vz3qK1E94/aThkpJGbhm7RRJtFPtpddGMc64eW5LfUefT61c9P32v/Xr+1tksLl4u9SK4z/LltoCGw03rxZvj6U1iwo7Qm7M74/uIKQmaJjkje87bfX5VbHuq7Oem4wqDbkhq740gi+9i9vW19F1EhwCG8ii+k5pFlWy/LkEr5Qd7+WXP7OsCBxDyrs8QSJIFD8tmuDFsHcGIEUjbHFRwpa02/mSTy5Mu/LUY8sfGIkqZylk02sWrmPsgu74E0l8/E9HRo5I/mAzzuHfCosbaKx5OExqj3waurwiQ5/VaKrjQIRKI2BqWSDFylRoFX7mFZF4DdupUsjehObhSgZs9le6yZJHmN+UBEtgRHuwc7yKBBtWQp9oUI5orr+Qj7eqcMMYuIfSABlqM4geXXyDiuTQa6PdOaDguTsPrZocXkUzB/cMgbUydxdMT8LnvM2qVSQ89AXi0qvDAzm6JfON01QIwzbQ7fG5EKqAV1S7RZ+zDwyS9NzSAy35Ozlw8sccWdUTZieGeU6DR9Ipq1wNOxBEikg4ye7ps6KOeqiHGoskh92iOHO8O68f8PWOcqIrfO2/g2t6O8udBDG0lMrdoihmku4WuAJu0la69kwUQXBckFH1Ptg/GTddg+gsJvuvpiU9fUgf9GwyawtNAhGwlKoHlOsCgJompAUDXLvC11MUoCLe2Mi7uFeVm5S7UD0PGQ5Nwa4Kt8qlMjx2xuqNT9ogqxc6y49qDvlNNB3IdlN72/ty1qsesU7KTWHC+GmMIcjLDmUBeiiXPYpkysZ26tVrpMEWP3Wl9Waie3VHGf6HUQOnopzYD8v+eHj60K/1anINYlUYLcAw61Fb1Nkh5W1FvJUpEEuVmXInNff1UH1Y0DX6BEEcoo/+vEDm9p+GXc6Lc874zleOb9ugfKxGTFSeB/cm/gkm49KFf3wIrcNxNo993V8PcdP9ONLK6jON6WTIIhdF1awJqJFhaPue/d/oPn8AhkqGLB0HfYzi5JesGfxRsKA8ZFQDDs7ZlZj1C6rlPljSLhuj/NsitDZoz9umEX8cClFQ5UA34jHdLj/dXPu0cZXxUany91HAmO2PQWYiPR5hL9dtmW+WIc1ptL0dwEgXe9VR0TQ+joDO/ilfEA5/MD5+CAOL7nDSLo0ypst0IdmADEKiAgQolnU7BeV3PxmSAqLysV9S3sPXo7rH6toY6cQ41ZftzquHkkD6vCDeXHPbzXNrHgM0ZzCZD4k5DDwvHuqNLc0hoaufMNzbz1Cx1aOMc/8yJBskbWtXhRJBxKAK3iBylLNLExYCUkG7PAa7Uno/gi08R/cOC1j5HaaCB82oZd7nEjKY+jO7RFyAPjwVzQItVA+tVHJHOAh4rZyPNEoaateuhGNWRW/GGSddAOVaDkyF9Vx9KldXRVJhhMjvlfGmcB2n3MrjEyOF2dcpBISXIquMm+V4LBettQ6coQPhDLaiClW5EJLgbtUTcTB7BOjOjchYkpRZeWn8Wz5jG1axfHe9BtVcIvCP6ldK05YK5tgQ5k0foFIQRKxmiD7P31+LJwGqAMxDAyM4wPS9WTPDgXWizsIx+exT2/qEpl81kaqMvSQEFTfy+fcn1Fi+81PRWElFfUVizKaiyzH0neUXQZcJCU0wFCxqSg/BA4hy+AUJTgjz8OpODsJUzqujWQ47sUqyHObxsVDAH2B+4i/hh1iYInA/wUHJ06AoD59tP/5oZDr3GIU2o2spgAUJP6rLS77
awhAnGZMxoEJFqYJGU8bBllTwrXZL5GvdwJFq+EkagoEa7uXX4WRyh0BYdvynlQhnyTQNc0BOdZlsA7QLqCx4USQSXzSxEG2N/2mUPlP/DNlENf0Un4lJkdVpSose5yWERhfKS4yBP1lsh1bAoiO+JT81z7jIOEgR/G2r5riQnSGKECy7CbYUBYU6IYI86r1Abg0eg/DEJqHOr0fCBkh2/e0tO52IUQPlneTeZrWg7jJfkr0ayZQCeqtxjj2tS9bjnBHtp9AoiIlZz3uc7HBooI7JFS4YKe/Tn+3EahCdy0IzePwSDlX0MW8DauGZHbX4nCptPD6ZFH5JYG6Xs3fdUZyffc1H67/jS37+mk1QoNMk/OiGhuu/PsFT+MGzP6UnFjDPVqZr1pIU7hQBkOsgAFVtGsyGp12BOqktQx9jKbMLeHqwUd1i/XHz7/VFtqIKSNDk2MnOirLIa9+s5fqZM3j/mZe27pQPQpUMSnqErajylcHYwelw7Pkn7r8BJKbUGLI5M08LQQHgRDNxBi+gWEB9Ro2/+7GS94TwQyzfjXmmfEr6rcQ4jBffzH8bxRvgeSIwcNHnDK/SiYCA==,iv:GP5ff3lAzUqfBliMj1J9EcMnTe/BDeEPlZY/Euqep7Q=,tag:7udaKfA4h6d2qzR9EvLALA==,type:str] sops: age: @@ -21,8 +23,8 @@ sops: NHZwMEl2ZWVONkNuVWprUFhsek91NzQK84WqkK9mtR4q1G2wS6gKqflEUv0VefUJ jcQij+3T2O81paZytTzZNPX3JuebyyitC5KeEoz3Z99uSrCDaLuZAQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-03T16:14:45Z" - mac: ENC[AES256_GCM,data:3lipxr63nyC5ZCI8Pi9E9lTImopXtMAh1b6tI+f8TrlB4ai6x7ZdpPDuptvyNh47asFLr6lIkFPWq7xX9Pi/78BwhJoh8x23Ee2nS2gE+MbHo2g86tMeZUBuKvpg+1Ruorodq3RslZITQEyQo75qzh8vQZ3uYx3I7iFgxdev4Qg=,iv:JhkxhwaYcDKEwh3XGuqn0f8PQWWAXzQY2GuDRg54h5w=,tag:SCbcn5TkgL+PjTP9IiXORQ==,type:str] + lastmodified: "2025-12-05T10:03:28Z" + mac: ENC[AES256_GCM,data:b6nkrcehnZ15kUhE0iIm/HL0CHOAhVg9Yx2m9WqALhsFcaaoTlq2bF8Q9UaAkSjIseXT1nQlXyYPU1RTFhjiqRlWuOdHikIQcM9NAsuDJ9PlQeJeJwYaIXwcadvBmo6ZTFgzNsUj7PxZEVYejae8Ylodn87ys08wlcDv86Sf4mA=,iv:yydf72Coal4QQWBXwIYr7fwiXl09AS+qTLYg/LDPzXc=,tag:zqIECJKy73S9FSbEE0GWkg==,type:str] pgp: - created_at: "2025-11-26T12:40:31Z" enc: |- diff --git a/hosts/nixos/x86_64-linux/eagleland/default.nix b/hosts/nixos/x86_64-linux/eagleland/default.nix index 4d29a32..ddb8d79 100644 --- a/hosts/nixos/x86_64-linux/eagleland/default.nix +++ b/hosts/nixos/x86_64-linux/eagleland/default.nix @@ -32,6 +32,7 @@ swarselmodules.server = { mailserver = true; dns-hostrecord = true; + postgresql = true; }; swarselprofiles = { 
diff --git a/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc index 7407819..091f446 100644 --- a/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc +++ b/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:v9MxvhcHg+P00UnOWujSgVlMNcOnDm/gK8kNcN54E2E=,tag:XnPMzsDeGJMt9yv6GnFzqg==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:5ZEu/YUvgNNgmxx9p/zurljFHRVRuKErhGhZpv/9XVk=,tag:ZFpqY1ewgJ8BLg9tnQc35w==,type:str]", "sops": { "age": [ { @@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR1ZPZFUxRTh0QjB6UDJ4\nOFd2c2lFejhHck5UdUxVbmFFbVRYNEJaSzJZCkNxbndVVThObDkxUmx2WW9ESzhh\na2o0LzFCbWdJVlRIV00rTVUwTktoek0KLS0tIC9qalVvZmpGQXZsV3RIYWRPbmRY\nam80NkRkT2l0ak8wV3pTSW9kSC9nZ3cKCH8eEMmku6WMliEDdAiW2Lk1jAGH9SoP\nWQ5Y6e90jEnp8XbGE7KYiG+jy5fHSc6Y5/YyMmi/b9bF9AhmRT6rdw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-28T10:50:22Z", - "mac": "ENC[AES256_GCM,data:lwkkp8YSzX8NM7E65kmPpF/q9Vn+FnCTeePLswDH6AVgndo/7QOy0GtJeXmiwt2YsA4AhRqxexWl2R8tjEysP35pyfQJ4vEkVi+V2tEnoLgftriNJzpoeVuRNXLxTPhPezOZgAcTDDL4yyqJXpcFj0PE1DPHKxazT28BoilaBYE=,iv:3dcAqkw/y6rAPL8wb5iewz37S4xszYFGHxvQiQ98sLk=,tag:SEmbptei6GrTXXyb7zwrIg==,type:str]", + "lastmodified": "2025-12-05T09:21:59Z", + "mac": "ENC[AES256_GCM,data:S0o8zMcZ7cVmhuQ+FyC73T2USIEGryy3v61xXafd63pymEjJiOwgLZk0+nQQii+qKzwFcXNJIOjEjWyHhprcq+2hha79unEH6nfxAFjqyKdhLzFzmP73ML0vB7Fbzl5mEDyc++v2bsH/6J8UakXCkhRTUSjyuotxIChjU0YjTKM=,iv:dzGQH3HyF3lTWYhU6Mv81WcXilYVBMc++ZK5nPSPBVw=,tag:dnsxa1XnUNdZd7XIxmTgWQ==,type:str]", "pgp": [ { "created_at": "2025-11-23T15:25:41Z", diff --git a/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc index 2e2c1d5..80471e3 100644 
--- a/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc +++ b/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:vLzkbn3IYrD+L6iwyRLPTtxLrrIKTMzIIZyoGgvXKxU=,tag:Hj2CG+kEnyVt9xlELVGkPA==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:tRfCSNz1Jm1qQFXt7gVEmd8VxWsqYivXtF/u+J+mnpk=,tag:3V6uLwgc0/XZvk4en2KfIw==,type:str]", "sops": { "age": [ { @@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UFZTaXFNdjF2UmRFd3VL\nY2pZZ3ZaRkhZSjdVUjIraHV5ZlNaNGtwM3k0CkZ4OVRFcmR3MFBDcmdsbWFId3Iy\nVzQyUGI1eG44d3JFL2NvZEg4NnduT2cKLS0tIEdhOEZETk9nRTlVbmJ5UW9GalVx\nS00yaUpJZVFVNThFei8yRzJYejRkYk0Kf6Z8WnG8phRtFIUWIPys3PW0OImhAcF+\nUFLuL4Qr7zWaeItCRieYCs1yBn7KbUJHZNkJcvnkYW50NYvlEa8wBw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-12-04T08:30:09Z", - "mac": "ENC[AES256_GCM,data:AeuHRN9aIfEj18uBBOR4BKGExANsUGZuxWI7K8dX+qhVLfNmsXv3ABM3FoaxhUIAyU/3mfFSK2o4SzHhAEXOo5+aN4gppvFecibSFltgME5+rSWyH9U44YB1v3MWiZkjMHuZJcyM1XDX1sLZ5TMsH72/Cu18w0u7m+QsnJ6Lc+Q=,iv:2ZIeMPnH25EAF2Xtf06ZRsCOILhn7sSWtakjl6KxDos=,tag:V8Sc6BNyi49giz5g3BpAUA==,type:str]", + "lastmodified": "2025-12-05T10:12:13Z", + "mac": "ENC[AES256_GCM,data:2uJJUnYNM7kNysGtiwmlctwjrE2ZAropTNOcph4K51VUr48UZcwYQTPpdJEqEIGiNq4pcT1W5h/ghYFUAZdZdleOKrh+tLnQ5LIib/A9WGkW44m3i6dCVlTXRt+MhrVfJXffRTMM101JoMCq8V00juuFYcDxNhI3uvKqwxXSbyo=,iv:hjMu3oSlc9gKi8cO0RX4leht40PUthldYpLwZKdX4Xw=,tag:n08RFXUHkXyUgE5jB0KZxw==,type:str]", "pgp": [ { "created_at": "2025-12-02T14:59:33Z", diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix index 40b60eb..e0ac011 100644 --- a/modules/home/optional/work.nix +++ b/modules/home/optional/work.nix @@ -483,7 +483,7 @@ in }; Service = { - ExecStart = "${pkgs._1password-gui}/bin/1password"; + ExecStart = "${pkgs._1password-gui-beta}/bin/1password"; }; }; 
diff --git a/modules/nixos/client/remotebuild.nix b/modules/nixos/client/remotebuild.nix index 0ce54c3..daad657 100644 --- a/modules/nixos/client/remotebuild.nix +++ b/modules/nixos/client/remotebuild.nix @@ -37,6 +37,7 @@ in } ]; }; + programs.ssh = { knownHosts = { nixbuild = { diff --git a/modules/nixos/optional/work.nix b/modules/nixos/optional/work.nix index ccfbe7a..4e2ed4d 100644 --- a/modules/nixos/optional/work.nix +++ b/modules/nixos/optional/work.nix @@ -75,6 +75,7 @@ in _1password.enable = true; _1password-gui = { enable = true; + package = pkgs._1password-gui-beta; polkitPolicyOwners = [ "${mainUser}" ]; }; }; diff --git a/modules/nixos/server/attic.nix b/modules/nixos/server/attic.nix index 3cd0a69..5c1f933 100644 --- a/modules/nixos/server/attic.nix +++ b/modules/nixos/server/attic.nix @@ -1,4 +1,4 @@ -{ lib, config, globals, dns, confLib, ... }: +{ lib, config, pkgs, globals, dns, confLib, ... }: let inherit (confLib.gen { name = "attic"; port = 8091; }) serviceName serviceDir servicePort serviceAddress serviceDomain serviceProxy proxyAddress4 proxyAddress6; inherit (config.swarselsystems) mainUser isPublic sopsFile; @@ -36,8 +36,33 @@ in }; }; + networking.firewall.allowedTCPPorts = [ servicePort ]; + services.atticd = { enable = true; + # NOTE: remove once https://github.com/zhaofengli/attic/pull/268 is merged + package = pkgs.attic-server.overrideAttrs + (oldAttrs: { + patches = (oldAttrs.patches or [ ]) ++ [ + (pkgs.writeText "remove-s3-checksums.patch" '' + diff --git a/server/src/storage/s3.rs b/server/src/storage/s3.rs + index 1d5719f3..036f3263 100644 + --- a/server/src/storage/s3.rs + +++ b/server/src/storage/s3.rs + 
@@ -278,10 +278,6 @@ impl StorageBackend for S3Backend { + CompletedPart::builder() + .set_e_tag(part.e_tag().map(str::to_string)) + .set_part_number(Some(part_number as i32)) + - .set_checksum_crc32(part.checksum_crc32().map(str::to_string)) + - .set_checksum_crc32_c(part.checksum_crc32_c().map(str::to_string)) + - .set_checksum_sha1(part.checksum_sha1().map(str::to_string)) + - .set_checksum_sha256(part.checksum_sha256().map(str::to_string)) + .build() + }) + .collect::>(); + '') + ]; + }); environmentFile = config.sops.templates."attic.env".path; settings = { listen = "[::]:${builtins.toString servicePort}"; @@ -59,12 +84,10 @@ in bucket = serviceName; # attic must be patched to never serve pre-signed s3 urls directly # otherwise it will redirect clients to this localhost endpoint - endpoint = "http://127.0.0.1:3900"; + endpoint = "http://127.0.0.1:3900"; # garage port } else { type = "local"; path = serviceDir; - # attic must be patched to never serve pre-signed s3 urls directly - # otherwise it will redirect clients to this localhost endpoint }; garbage-collection = { @@ -73,11 +96,11 @@ in }; chunking = { - nar-size-threshold = if config.swarselmodules.server.garage then 0 else 64 * 1024; # 64 KiB + nar-size-threshold = if config.swarselmodules.server.garage then 0 else 64 * 1024; # garage using s3 - min-size = 16 * 1024; # 16 KiB - avg-size = 64 * 1024; # 64 KiB - max-size = 256 * 1024; # 256 KiBize = 262144; + min-size = 16 * 1024; + avg-size = 64 * 1024; + max-size = 256 * 1024; }; }; }; @@ -109,7 +132,7 @@ in }; virtualHosts = { "${serviceDomain}" = { - enableACME = true; + useACMEHost = globals.domains.main; forceSSL = true; acmeRoot = null; oauth2.enable = false; @@ -118,6 +141,11 @@ in proxyPass = "http://${serviceName}"; extraConfig = '' client_max_body_size 0; + client_body_timeout 600s; + proxy_connect_timeout 600s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + proxy_request_buffering off; ''; }; }; 
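Review bot: The added `networking.firewall.allowedTCPPorts = [ servicePort ];` in attic.nix opens atticd on every interface, and `listen = "[::]:…"` binds it to all addresses, so the cache API is reachable over plain HTTP without passing through the nginx vhost on the proxy node. The same pattern is added in garage.nix (`[ servicePort 3901 3902 3903 3904 ]`, which includes the admin port `garageAdminPort` and `garageK2VPort`) and in hydra.nix. If the proxy reaches these hosts over the WireGuard tunnel enabled elsewhere in this commit, the ports can be scoped with `networking.firewall.interfaces.<wg-interface>.allowedTCPPorts = [ servicePort ];`, where `<wg-interface>` is a placeholder for the tunnel interface name. In garage.nix I would also reuse the existing `garageAdminPort` and `garageK2VPort` bindings instead of repeating the literals. The config blocks continue outside these hunks.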
diff --git a/modules/nixos/server/croc.nix b/modules/nixos/server/croc.nix index bc15734..51bcd96 100644 --- a/modules/nixos/server/croc.nix +++ b/modules/nixos/server/croc.nix @@ -1,6 +1,6 @@ { self, lib, config, pkgs, dns, globals, confLib, ... }: let - inherit (confLib.gen { name = "croc"; }) serviceName serviceDomain proxyAddress4 proxyAddress6; + inherit (confLib.gen { name = "croc"; proxy = config.node.name; }) serviceName serviceDomain proxyAddress4 proxyAddress6; servicePorts = [ 9009 9010 diff --git a/modules/nixos/server/garage.nix b/modules/nixos/server/garage.nix index b84fb50..0d7f310 100644 --- a/modules/nixos/server/garage.nix +++ b/modules/nixos/server/garage.nix @@ -19,8 +19,8 @@ let garageAdminPort = 3903; garageK2VPort = 3904; - adminDomain = "${subDomain}admin.${baseDomain}"; - webDomain = "${subDomain}web.${baseDomain}"; + adminDomain = "${subDomain}-admin.${baseDomain}"; + webDomain = "${subDomain}-web.${baseDomain}"; in { options = { @@ -71,12 +71,14 @@ in } ]; + networking.firewall.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ]; + nodes.stoicclub.swarselsystems.server.dns.${baseDomain}.subdomainRecords = { "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; - "${subDomain}admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6; - "${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + "${subDomain}-admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + "${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6; "*.${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; - "*.${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + "*.${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; sops = { @@ -307,10 +309,6 @@ in }; }; - security.acme.certs."${webDomain}" = { - domain = "*.${webDomain}"; - }; - nodes.${serviceProxy}.services.nginx = { upstreams = { ${serviceName} = { 
@@ -331,7 +329,7 @@ in }; virtualHosts = { "${adminDomain}" = { - enableACME = true; + useACMEHost = globals.domains.main; forceSSL = true; acmeRoot = null; oauth2.enable = false; @@ -342,7 +340,7 @@ in }; }; "*.${webDomain}" = { - useACMEHost = webDomain; + useACMEHost = globals.domains.main; forceSSL = true; acmeRoot = null; oauth2.enable = false; @@ -354,7 +352,7 @@ in }; "${serviceDomain}" = { serverAliases = [ "*.${serviceDomain}" ]; - enableACME = true; + useACMEHost = globals.domains.main; forceSSL = true; acmeRoot = null; oauth2.enable = false; @@ -363,6 +361,11 @@ in proxyPass = "http://${serviceName}"; extraConfig = '' client_max_body_size 0; + client_body_timeout 600s; + proxy_connect_timeout 600s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + proxy_request_buffering off; ''; }; }; diff --git a/modules/nixos/server/hydra.nix b/modules/nixos/server/hydra.nix new file mode 100644 index 0000000..4751d09 --- /dev/null +++ b/modules/nixos/server/hydra.nix 
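Review bot: The `"*.${webDomain}"` vhost now takes its certificate from `useACMEHost = globals.domains.main`, while an earlier hunk in this file deletes the dedicated `security.acme.certs."${webDomain}"` entry with `domain = "*.${webDomain}"`. A wildcard for the base domain matches only one label, so unless the main certificate also lists `*.${webDomain}` and `*.${serviceDomain}` (its definition is not in this diff), bucket hostnames under these vhosts will fail TLS hostname verification. I would either keep the per-service wildcard certificate or add both names to the main certificate's `extraDomainNames`, with a comment on the vhost such as `# main cert must include *.${webDomain}`. The same applies to `serverAliases = [ "*.${serviceDomain}" ]` in the following hunk.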
@@ -0,0 +1,133 @@ +{ inputs, lib, config, globals, dns, confLib, ... }: +let + inherit (confLib.gen { name = "hydra"; port = 8002; }) serviceName servicePort serviceUser serviceGroup serviceAddress serviceDomain serviceProxy proxyAddress4 proxyAddress6; + inherit (config.swarselsystems) sopsFile; +in +{ + options = { + swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + }; + config = lib.mkIf config.swarselmodules.server.${serviceName} { + + nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + + globals.services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6; + }; + + sops = { + secrets = { + nixbuild-net-key = { mode = "0600"; }; + hydra-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + }; + templates = { + "hydra-env" = { + content = '' + HYDRA_PW="${config.sops.placeholder.hydra-pw}" + ''; + owner = serviceUser; + group = serviceGroup; + mode = "0440"; + }; + }; + }; + + services.hydra = { + enable = true; + package = inputs.hydra.packages.${config.node.arch}.hydra; + port = servicePort; + hydraURL = "https://${serviceDomain}"; + listenHost = "*"; + notificationSender = "hydra@${globals.domains.main}"; + minimumDiskFreeEvaluator = 20; # 20G + minimumDiskFree = 20; # 20G + useSubstitutes = true; + smtpHost = globals.services.mailserver.domain; + buildMachinesFiles = [ + "/etc/nix/machines" + ]; + extraConfig = '' + using_frontend_proxy 1 + ''; + }; + + systemd.services.hydra-user-setup = { + description = "Create admin user for Hydra"; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + User = "hydra"; + EnvironmentFile = [ + config.sops.templates.hydra-env.path + ]; + }; + wantedBy = [ "multi-user.target" ]; + requires = [ "hydra-init.service" ]; + after = [ 
"hydra-init.service" ]; + environment = lib.mkForce config.systemd.services.hydra-init.environment; + script = '' + set -eu + if [ ! -e ~hydra/.user-setup-done ]; then + /run/current-system/sw/bin/hydra-create-user admin --full-name 'admin' --email-address 'admin@${globals.domains.main}' --password "$HYDRA_PW" --role admin + touch ~hydra/.user-setup-done + fi + ''; + }; + + environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [ + ]; + + nix = { + settings.builders-use-substitutes = true; + distributedBuilds = true; + buildMachines = [ + { + hostName = "localhost"; + protocol = null; + system = config.node.arch; + supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ]; + maxJobs = 4; + } + ]; + }; + + networking.firewall.allowedTCPPorts = [ servicePort ]; + + programs.ssh = { + extraConfig = '' + StrictHostKeyChecking no + ''; + }; + + nodes.${serviceProxy}.services.nginx = { + upstreams = { + ${serviceName} = { + servers = { + "${serviceAddress}:${builtins.toString servicePort}" = { }; + }; + }; + }; + virtualHosts = { + "${serviceDomain}" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + oauth2.enable = false; + locations = { + "/" = { + proxyPass = "http://${serviceName}"; + extraConfig = '' + client_max_body_size 0; + proxy_set_header X-Request-Base /hydra; + ''; + }; + }; + }; + }; + }; + + }; +} diff --git a/modules/nixos/server/mailserver.nix b/modules/nixos/server/mailserver.nix index 06270b2..f1d7cfa 100644 --- a/modules/nixos/server/mailserver.nix +++ b/modules/nixos/server/mailserver.nix 
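Review bot: `programs.ssh.extraConfig` in hydra.nix sets `StrictHostKeyChecking no`, which turns off host-key verification for every outbound SSH connection from this machine, including the ones Hydra makes to builders listed in `/etc/nix/machines`. A host on the path could then pose as a builder without being noticed, so build results would no longer come from a verified machine. I would drop that block and pin each builder's key through `programs.ssh.knownHosts`, as `modules/nixos/client/remotebuild.nix` already does for nixbuild. Separately, the setup script runs `hydra-create-user … --password "$HYDRA_PW"`, which puts the admin password in the process arguments; storing a hash in sops and passing it with `--password-hash` avoids that. The unit also hard-codes `User = "hydra"` and `~hydra` where the rest of the module uses `serviceUser`.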
@@ -2,7 +2,7 @@ let inherit (config.swarselsystems) sopsFile; inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceDomain serviceProxy proxyAddress4 proxyAddress6; - inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 user3; + inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 alias2_2 user3; baseDomain = globals.domains.main; in { @@ -31,7 +31,7 @@ in { directory = "/var/sieve"; user = serviceUser; group = serviceGroup; mode = "0770"; } { directory = "/var/dkim"; user = "rspamd"; group = "rspamd"; mode = "0700"; } { directory = serviceDir; user = serviceUser; group = serviceGroup; mode = "0700"; } - { directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; } + # { directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; } { directory = "/var/lib/rspamd"; user = "rspamd"; group = "rspamd"; mode = "0700"; } { directory = "/var/lib/roundcube"; user = "roundcube"; group = "roundcube"; mode = "0700"; } { directory = "/var/lib/redis-rspamd"; user = "redis-rspamd"; group = "redis-rspamd"; mode = "0700"; } @@ -63,6 +63,7 @@ in hashedPasswordFile = config.sops.secrets.user2-hashed-pw.path; aliases = [ "${alias2_1}@${baseDomain}" + "${alias2_2}@${baseDomain}" ]; sendOnly = true; }; diff --git a/modules/nixos/server/minecraft/default.nix b/modules/nixos/server/minecraft/default.nix index dbb7d27..1b483c7 100644 --- a/modules/nixos/server/minecraft/default.nix +++ b/modules/nixos/server/minecraft/default.nix 
@@ -1,6 +1,6 @@ { lib, config, pkgs, globals, dns, confLib, ... }: let - inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6; + inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; proxy = config.node.name; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6; inherit (config.swarselsystems) mainUser; worldName = "${mainUser}craft"; in diff --git a/modules/nixos/server/nsd/site1.nix b/modules/nixos/server/nsd/site1.nix index 31682a3..b7ea2b9 100644 --- a/modules/nixos/server/nsd/site1.nix +++ b/modules/nixos/server/nsd/site1.nix @@ -3,7 +3,7 @@ with dns.lib.combinators; { SOA = { nameServer = "soa"; adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin") - serial = 2025120501; # update this on changes for secondary dns + serial = 2025120506; # update this on changes for secondary dns }; useOrigin = false; diff --git a/modules/nixos/server/ssh-builder.nix b/modules/nixos/server/ssh-builder.nix index 9e03da9..f36be9a 100644 --- a/modules/nixos/server/ssh-builder.nix +++ b/modules/nixos/server/ssh-builder.nix @@ -31,5 +31,13 @@ in }; }; + services.openssh = { + settings = { + AllowUsers = [ + "builder" + ]; + }; + }; + }; } diff --git a/modules/nixos/server/wireguard.nix b/modules/nixos/server/wireguard.nix index d39f09f..0a0c8bf 100644 --- a/modules/nixos/server/wireguard.nix +++ b/modules/nixos/server/wireguard.nix @@ -117,7 +117,7 @@ in PresharedKeyFile = config.sops.secrets."wireguard-${serverName}-${config.node.name}-presharedKey".path; Endpoint = "server.${serverName}.${globals.domains.main}:${toString servicePort}"; # Access to the whole network is routed through our entry node. - # PersistentKeepalive = 25; + PersistentKeepalive = 25; AllowedIPs = let wgNetwork = globals.networks."${serverNetConfigPrefix}-wg"; 
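Review bot: `services.openssh.settings.AllowUsers = [ "builder" ];` in ssh-builder.nix limits SSH logins on this host to the build user; unless another module adds the administrative account to the same list (not visible here), interactive SSH for that account stops once this is deployed. If that is intended, a comment saying so would help, e.g. `# builder-only SSH: admin access goes through another channel`; otherwise add the main user to the list. The surrounding `config` block starts outside the hunk.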
diff --git a/secrets/repo/pii.nix.enc b/secrets/repo/pii.nix.enc index 582a289..a4af656 100644 --- a/secrets/repo/pii.nix.enc +++ b/secrets/repo/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:yv5ZIdrTmY8OmMi4GXUlpRIISap40lsIBglsc5dxJnI=,tag:8TcT4p0xTAkX5/dM1R3j+w==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:qv/kRdYyw1XZZF6EE4C+QlwAPL4/FD4u5ickQcRorF8=,tag:T+04fRZNCMghZWgludFb7w==,type:str]", "sops": { "age": [ { @@ -51,8 +51,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndExDdXBrblUwY2hKYVFV\nMGRJNzQzZVQ1c3ZCMjhhQURVcUJoN3NuZUVvCm92aFdqaEtwM0czTW10L29HT1BL\nay9IV3l5QUphWkFyV1YyM3BZelpiWTAKLS0tIGtFbTdXMk5LcEgxTFh1ZmhWNlpX\nQUExdFNOaUNkN1N2VFpBd0h2SjhrdDAKFoNlyz+coOn1lFUTZlOuVOFvhnoQwwiT\n5U2TdCA8hlFyxlf7gGu47MyGVXbgtRBVGTXH0oVU8nn6RvquT2aBUQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-12-04T23:59:27Z", - "mac": "ENC[AES256_GCM,data:7PWe/nUA6j+Qszkt8CrEwZtGK6lEpI5GMRI0qW7ZlfK4nx5VHTpnXqjBQgKHjOS9FP8DJAlq1KIVnr/2DKfezytm2j8WCqDl474e2XDykhEetGS10WTgrh9VazoXwILNp4jagdoKzswY+9bAvlG/53TX1gxBxtfBHp/+d6NlfoY=,iv:6GT0+j6P7YgeBnQOgabIQF8kUIcaLbC8BbIvq+SoMpg=,tag:JCmmRgpWPKGAnHzxwDqXFA==,type:str]", + "lastmodified": "2025-12-05T10:57:30Z", + "mac": "ENC[AES256_GCM,data:cvnq17eam3EEw3v0ipMFkCpmh/yy3IxTwGbkXBR1oAOf1ykSRVNJvLJFYUsyOXgIfcAYW5rR8f16o6VZsQIZH0Fk/8Tq5I7baaqWQYkI8hS0RBwybNuatRnowTm4sO6Bx6itJuZ4CPrOj8c2RjVms6HYuUBrDhTGd6MyEME294U=,iv:eyYsnJAvijcwu5TqG+mk3OzTyC9YIQMySLRAn/huc/0=,tag:CxV1WPhwjskiO+LeFiRCig==,type:str]", "pgp": [ { "created_at": "2025-12-02T15:47:04Z",