swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 17:17:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: re-enable secrets on standalone home-manager

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-07-05 14:23:12 +02:00
parent dfea676a01
commit 8f898bcb9b
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
24 changed files with 352 additions and 284 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -45,6 +45,12 @@ creation_rules:
- *surface
- *winters
- *moonside
- path_regex: secrets/nbl-imba-2/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *swarsel
age:
- *nbl
- path_regex: secrets/moonside/secrets.yaml
key_groups:
- pgp:
@ -75,7 +81,6 @@ creation_rules:
- *swarsel
age:
- *nbl
- *moonside
- path_regex: hosts/nixos/winters/secrets/pii.nix.enc
key_groups:
- pgp:

257
SwarselSystems.org
View file

@ -790,9 +790,9 @@ The structure of =globals.nix.enc= requires a toplevel =globals=.
inherit (outputs) lib;
# lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; });
mkNixosHost = { minimal }: name:
mkNixosHost = { minimal }: configName:
lib.nixosSystem {
specialArgs = { inherit inputs outputs lib self minimal; inherit (config) globals nodes; };
specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; };
modules = [
inputs.disko.nixosModules.disko
inputs.sops-nix.nixosModules.sops
@ -800,19 +800,21 @@ The structure of =globals.nix.enc= requires a toplevel =globals=.
inputs.lanzaboote.nixosModules.lanzaboote
inputs.nix-topology.nixosModules.default
inputs.home-manager.nixosModules.home-manager
"${self}/hosts/nixos/${name}"
"${self}/hosts/nixos/${configName}"
"${self}/profiles/nixos"
"${self}/modules/nixos"
{
node.name = name;
node.secretsDir = ../hosts/nixos/${name}/secrets;
node = {
name = configName;
secretsDir = ../hosts/nixos/${configName}/secrets;
};
}
];
};
mkDarwinHost = { minimal }: name:
mkDarwinHost = { minimal }: configName:
inputs.nix-darwin.lib.darwinSystem {
specialArgs = { inherit inputs outputs lib self minimal; inherit (config) globals nodes; };
specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; };
modules = [
# inputs.disko.nixosModules.disko
# inputs.sops-nix.nixosModules.sops
@ -821,28 +823,28 @@ The structure of =globals.nix.enc= requires a toplevel =globals=.
# inputs.fw-fanctrl.nixosModules.default
# inputs.nix-topology.nixosModules.default
inputs.home-manager.darwinModules.home-manager
"${self}/hosts/darwin/${name}"
"${self}/hosts/darwin/${configName}"
"${self}/modules/nixos/darwin"
# needed for infrastructure
"${self}/modules/nixos/common/meta.nix"
"${self}/modules/nixos/common/globals.nix"
{
node.name = name;
node.secretsDir = ../hosts/darwin/${name}/secrets;
node.name = configName;
node.secretsDir = ../hosts/darwin/${configName}/secrets;
}
];
};
mkHalfHost = name: type: pkgs: {
${name} =
mkHalfHost = configName: type: pkgs: {
${configName} =
let
systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration;
in
systemFunc
{
inherit pkgs;
extraSpecialArgs = { inherit inputs outputs lib self; };
modules = [ "${self}/hosts/${type}/${name}" ];
extraSpecialArgs = { inherit inputs outputs lib self configName; };
modules = [ "${self}/hosts/${type}/${configName}" ];
};
};
@ -1710,6 +1712,8 @@ My work machine. Built for more security, this is the gold standard of my config
let
primaryUser = config.swarselsystems.mainUser;
sharedOptions = {
isLaptop = true;
isNixos = true;
isBtrfs = true;
isLinux = true;
sharescreen = "eDP-2";
@ -1758,8 +1762,6 @@ My work machine. Built for more security, this is the gold standard of my config
# home.stateVersion = lib.mkForce "23.05";
swarselsystems = lib.recursiveUpdate
{
isLaptop = true;
isNixos = true;
isSecondaryGpu = true;
SecondaryGpuCard = "pci-0000_03_00_0";
cpuCount = 16;
@ -3882,10 +3884,7 @@ A breakdown of the flags being set:
We enable the use of =home-manager= as a NixoS module. A nice trick here is the =extraSpecialArgs = inputs= line, which enables the use of =seflf= in most parts of the configuration. This is useful to refer to the root of the flake (which is otherwise quite hard while maintaining flake purity).
#+begin_src nix-ts :tangle modules/nixos/common/home-manager.nix
{ self, inputs, config, lib, outputs, globals, nodes, minimal, ... }:
let
inherit (config.swarselsystems) mainUser;
in
{ self, inputs, config, lib, outputs, globals, nodes, minimal, configName, ... }:
{
options.swarselsystems.modules.home-manager = lib.mkEnableOption "home-manager";
config = lib.mkIf config.swarselsystems.modules.home-manager {
@ -3893,14 +3892,19 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the
useGlobalPkgs = true;
useUserPackages = true;
verbose = true;
users."${mainUser}".imports = [
"${self}/profiles/home"
"${self}/modules/home"
];
sharedModules = [
inputs.nix-index-database.hmModules.nix-index
inputs.sops-nix.homeManagerModules.sops
{
imports = [
"${self}/profiles/home"
"${self}/modules/home"
"${self}/modules/nixos/common/pii.nix"
"${self}/modules/nixos/common/meta.nix"
];
node = {
secretsDir = if config.swarselsystems.isNixos then ../../../hosts/nixos/${configName}/secrets else ../../../hosts/home/${configName}/secrets;
};
home.stateVersion = lib.mkDefault config.system.stateVersion;
}
];
@ -3928,7 +3932,7 @@ For that reason, make sure that =sops-nix= is properly working before finishing
{
options.swarselsystems.modules.users = lib.mkEnableOption "user config";
config = lib.mkIf config.swarselsystems.modules.users {
sops.secrets.swarseluser = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
users = {
mutableUsers = lib.mkIf (!minimal) false;
@ -3936,7 +3940,7 @@ For that reason, make sure that =sops-nix= is properly working before finishing
isNormalUser = true;
description = "Leon S";
password = lib.mkIf minimal "setup";
hashedPasswordFile = lib.mkIf (!minimal) config.sops.secrets.swarseluser.path;
hashedPasswordFile = lib.mkIf (!minimal) config.sops.secrets.main-user-hashed-pw.path;
extraGroups = [ "wheel" ] ++ lib.optionals (!minimal) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
packages = with pkgs; [ ];
};
@ -4007,6 +4011,8 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
:CUSTOM_ID: h:82b8ede2-02d8-4c43-8952-7200ebd4dc23
:END:
This is also exposed to home-manager configurations, in case this ever breaks, I can also go back to importing =nixosConfig= as an attribute in the input attribute set and call the secrets using =nixosConfig.repo.secrets=.
#+begin_src nix-ts :tangle modules/nixos/common/pii.nix
# largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix
{ config, inputs, lib, minimal, ... }:
@ -4548,7 +4554,12 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
{ self, lib, config, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
clientSopsFile = self + /secrets/${config.networking.hostName}/secrets.yaml;
inherit (config.swarselsystems) mainUser;
inherit (config.repo.secrets.common.network) wlan1 wlan2 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips;
iwd = config.networking.networkmanager.wifi.backend == "iwd";
in
{
@ -4560,39 +4571,33 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
sops = {
secrets = lib.mkIf (!config.swarselsystems.isPublic) {
ernest = { };
frauns = { };
hotspot = { };
eduid = { };
edupass = { };
handyhotspot = { };
vpnuser = { };
vpnpass = { };
wireguardpriv = { };
wireguardpub = { };
wireguardendpoint = { };
stashuser = { };
stashpass = { };
githubforgeuser = { };
githubforgepass = { };
gitlabforgeuser = { };
gitlabforgepass = { };
"sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
"sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
wlan1-pw = { };
wlan2-pw = { };
laptop-hotspot-pw = { };
mobile-hotspot-pw = { };
eduroam-user = { };
eduroam-pw = { };
pia-vpn-user = { };
pia-vpn-pw = { };
home-wireguard-client-private-key = { sopsFile = clientSopsFile; };
home-wireguard-server-public-key = { };
home-wireguard-endpoint = { };
pia-vpn1-crl-pem = { sopsFile = certsSopsFile; };
pia-vpn1-ca-pem = { sopsFile = certsSopsFile; };
};
templates = lib.mkIf (!config.swarselsystems.isPublic) {
"network-manager.env".content = ''
ERNEST=${config.sops.placeholder.ernest}
FRAUNS=${config.sops.placeholder.frauns}
HOTSPOT=${config.sops.placeholder.hotspot}
EDUID=${config.sops.placeholder.eduid}
EDUPASS=${config.sops.placeholder.edupass}
HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
VPNUSER=${config.sops.placeholder.vpnuser}
VPNPASS=${config.sops.placeholder.vpnpass}
WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
WLAN1_PW=${config.sops.placeholder.wlan1-pw}
WLAN2_PW=${config.sops.placeholder.wlan2-pw}
LAPTOP_HOTSPOT_PW=${config.sops.placeholder.laptop-hotspot-pw}
MOBILE_HOTSPOT_PW=${config.sops.placeholder.mobile-hotspot-pw}
EDUROAM_USER=${config.sops.placeholder.eduroam-user}
EDUROAM_PW=${config.sops.placeholder.eduroam-pw}
PIA_VPN_USER=${config.sops.placeholder.pia-vpn-user}
PIA_VPN_PW=${config.sops.placeholder.pia-vpn-pw}
HOME_WIREGUARD_CLIENT_PRIVATE_KEY=${config.sops.placeholder.home-wireguard-client-private-key}
HOME_WIREGUARD_SERVER_PUBLIC_KEY=${config.sops.placeholder.home-wireguard-server-public-key}
HOME_WIREGUARD_ENDPOINT=${config.sops.placeholder.home-wireguard-endpoint}
'';
};
};
@ -4634,9 +4639,9 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
"${config.sops.templates."network-manager.env".path}"
];
profiles = {
"Ernest Routerford" = {
${wlan1} = {
connection = {
id = "Ernest Routerford";
id = wlan1;
permissions = "";
type = "wifi";
};
@ -4652,12 +4657,12 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
wifi = {
mac-address-blacklist = "";
mode = "infrastructure";
ssid = "Ernest Routerford";
ssid = wlan1;
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$ERNEST";
psk = "WLAN1_PW";
};
};
@ -4670,7 +4675,6 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
ethernet = {
auto-negotiate = "true";
cloned-mac-address = "preserve";
mac-address = "90:2E:16:D0:A1:87";
};
ipv4 = { method = "shared"; };
ipv6 = {
@ -4683,10 +4687,10 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
eduroam = {
"802-1x" = {
eap = if (!iwd) then "ttls;" else "peap;";
identity = "$EDUID";
password = "$EDUPASS";
identity = "$EDUROAM_USER";
password = "$EDUROAM_PW";
phase2-auth = "mschapv2";
anonymous-identity = lib.mkIf iwd "anonymous@student.tuwien.ac.at";
anonymous-identity = lib.mkIf iwd eduroam-anon;
};
connection = {
id = "eduroam";
@ -4726,9 +4730,9 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
proxy = { };
};
HH40V_39F5 = {
${wlan2} = {
connection = {
id = "HH40V_39F5";
id = wlan2;
type = "wifi";
};
ipv4 = { method = "auto"; };
@ -4740,17 +4744,17 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
wifi = {
band = "bg";
mode = "infrastructure";
ssid = "HH40V_39F5";
ssid = wlan2;
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = "$FRAUNS";
psk = "$WLAN2_PW";
};
};
magicant = {
${mobile1} = {
connection = {
id = "magicant";
id = mobile1;
type = "wifi";
};
ipv4 = { method = "auto"; };
@ -4761,30 +4765,30 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "magicant";
ssid = mobile1;
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$HANDYHOTSPOT";
psk = "$MOBILE_HOTSPOT_PW";
};
};
wireguardvpn = {
home-wireguard = {
connection = {
id = "HomeVPN";
type = "wireguard";
autoconnect = "false";
interface-name = "wg1";
};
wireguard = { private-key = "$WIREGUARDPRIV"; };
"wireguard-peer.$WIREGUARDPUB" = {
endpoint = "$WIREGUARDENDPOINT";
allowed-ips = "0.0.0.0/0";
wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; };
"wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = {
endpoint = "$HOME_WIREGUARD_ENDPOINT";
allowed-ips = home-wireguard-allowed-ips;
};
ipv4 = {
method = "ignore";
address1 = "192.168.3.3/32";
address1 = home-wireguard-address;
};
ipv6 = {
addr-gen-mode = "stable-privacy";
@ -4793,10 +4797,10 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
proxy = { };
};
"sweden-aes-128-cbc-udp-dns" = {
pia-vpn1 = {
connection = {
autoconnect = "false";
id = "PIA Sweden";
id = "PIA ${vpn1-location}";
type = "vpn";
};
ipv4 = { method = "auto"; };
@ -4807,21 +4811,21 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
proxy = { };
vpn = {
auth = "sha1";
ca = config.sops.secrets."sweden-aes-128-cbc-udp-dns-ca.pem".path;
ca = config.sops.secrets."pia-vpn1-ca-pem".path;
challenge-response-flags = "2";
cipher = "aes-128-cbc";
cipher = vpn1-cipher;
compress = "yes";
connection-type = "password";
crl-verify-file = config.sops.secrets."sweden-aes-128-cbc-udp-dns-crl-verify.pem".path;
crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path;
dev = "tun";
password-flags = "0";
remote = "sweden.privacy.network:1198";
remote = vpn1-address;
remote-cert-tls = "server";
reneg-seconds = "0";
service-type = "org.freedesktop.NetworkManager.openvpn";
username = "$VPNUSER";
username = "$PIA_VPN_USER";
};
vpn-secrets = { password = "$VPNPASS"; };
vpn-secrets = { password = "$PIA_VPN_PW"; };
};
Hotspot = {
@ -4845,7 +4849,7 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
key-mgmt = "wpa-psk";
pairwise = "ccmp;";
proto = "rsn;";
psk = "$HOTSPOT";
psk = "$MOBILE_HOTSPOT_PW";
};
};
@ -10321,7 +10325,7 @@ This is where the theme for the whole OS is defined. Originally, this noweb-ref
Again, we adapt =nix= to our needs, enable the home-manager command for non-NixOS machines (NixOS machines are using it as a module) and setting user information that I always keep the same.
#+begin_src nix-ts :tangle modules/home/common/settings.nix
{ lib, config, ... }:
{ self, lib, pkgs, config, ... }:
let
inherit (config.swarselsystems) mainUser;
in
@ -10329,6 +10333,14 @@ Again, we adapt =nix= to our needs, enable the home-manager command for non-NixO
options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
config = lib.mkIf config.swarselsystems.modules.general {
nix = lib.mkIf (!config.swarselsystems.isNixos) {
package = lib.mkForce pkgs.nixVersions.nix_2_28;
extraOptions = ''
plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
patches = (o.patches or []) ++ ["${self}/nix/nix-plugins.patch"];
})}/lib/nix/plugins
extra-builtins-file = ${self + /nix/extra-builtins.nix}
'';
settings = {
experimental-features = [
"nix-command"
@ -10340,7 +10352,7 @@ Again, we adapt =nix= to our needs, enable the home-manager command for non-NixO
trusted-users = [ "@wheel" "${mainUser}" ];
connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
fallback = true;
min-free = 128000000;
max-free = 1000000000;
@ -10701,7 +10713,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
:END:
#+begin_src nix-ts :tangle modules/home/common/yubikey.nix
{ lib, config, nixosConfig, ... }:
{ lib, config, ... }:
let
inherit (config.swarselsystems) homeDir;
in
@ -10711,13 +10723,13 @@ I use sops-nix to handle secrets that I want to have available on my machines at
config = lib.mkIf config.swarselsystems.modules.yubikey {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
u2f_keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
};
pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
ids = [
nixosConfig.repo.secrets.common.yubikeys.dev1
nixosConfig.repo.secrets.common.yubikeys.dev2
config.repo.secrets.common.yubikeys.dev1
config.repo.secrets.common.yubikeys.dev2
];
};
};
@ -10974,10 +10986,10 @@ Also in firefox `about:config > toolkit.legacyUserProfileCustomizations.styleshe
Sets environment variables. Here I am only setting the EDITOR variable, most variables are set in the [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]] section.
#+begin_src nix-ts :tangle modules/home/common/env.nix
{ lib, config, nixosConfig, globals, ... }:
{ lib, config, globals, ... }:
let
inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
inherit (nixosConfig.repo.secrets.common) fullName;
inherit (config.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
inherit (config.repo.secrets.common) fullName;
crocDomain = globals.services.croc.domain;
in
{
@ -11180,10 +11192,10 @@ Eza provides me with a better =ls= command and some other useful aliases.
Here I set up my git config, automatic signing of commits, useful aliases for my ost used commands (for when I am not using [[#h:d2c7323d-f8c6-4f23-b70a-930e3e4ecce5][Magit]]) as well as a git template defined in [[#h:5ef03803-e150-41bc-b603-e80d60d96efc][Linking dotfiles]].
#+begin_src nix-ts :tangle modules/home/common/git.nix
{ lib, config, nixosConfig, globals, minimal, ... }:
{ lib, config, globals, minimal, ... }:
let
inherit (nixosConfig.repo.secrets.common.mail) address1;
inherit (nixosConfig.repo.secrets.common) fullName;
inherit (config.repo.secrets.common.mail) address1;
inherit (config.repo.secrets.common) fullName;
gitUser = globals.user.name;
in
@ -11721,10 +11733,10 @@ Currently I only use it as before with =initExtra= though.
Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here.
#+begin_src nix-ts :tangle modules/home/common/mail.nix
{ lib, config, nixosConfig, ... }:
{ lib, config, ... }:
let
inherit (nixosConfig.repo.secrets.common.mail) address1 address2 add2Name address3 add3Name address4;
inherit (nixosConfig.repo.secrets.common) fullName;
inherit (config.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host;
inherit (config.repo.secrets.common) fullName;
inherit (config.swarselsystems) xdgDir;
in
{
@ -11732,10 +11744,10 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
config = lib.mkIf config.swarselsystems.modules.mail {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
mrswarsel = { path = "${xdgDir}/secrets/mrswarsel"; };
nautilus = { path = "${xdgDir}/secrets/nautilus"; };
leon = { path = "${xdgDir}/secrets/leon"; };
swarselmail = { path = "${xdgDir}/secrets/swarselmail"; };
address1-token = { path = "${xdgDir}/secrets/address1-token"; };
address2-token = { path = "${xdgDir}/secrets/address2-token"; };
address3-token = { path = "${xdgDir}/secrets/address3-token"; };
address4-token = { path = "${xdgDir}/secrets/address4-token"; };
};
programs = {
@ -11765,7 +11777,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
address = address1;
userName = address1;
realName = fullName;
passwordCommand = "cat ${config.sops.secrets.leon.path}";
passwordCommand = "cat ${config.sops.secrets.address1-token.path}";
gpg = {
key = "0x76FD3810215AE097";
signByDefault = true;
@ -11795,11 +11807,11 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
swarsel = {
address = address4;
userName = "8227dc594dd515ce232eda1471cb9a19";
userName = address4-user;
realName = fullName;
passwordCommand = "cat ${config.sops.secrets.swarselmail.path}";
passwordCommand = "cat ${config.sops.secrets.address4-token.path}";
smtp = {
host = "in-v3.mailjet.com";
host = address4-host;
port = 587;
tls = {
enable = true;
@ -11819,8 +11831,8 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
primary = false;
address = address2;
userName = address2;
realName = add2Name;
passwordCommand = "cat ${config.sops.secrets.nautilus.path}";
realName = address2-name;
passwordCommand = "cat ${config.sops.secrets.address2-token.path}";
imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com";
msmtp.enable = true;
@ -11846,8 +11858,8 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
primary = false;
address = address3;
userName = address3;
realName = add3Name;
passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}";
realName = address3-name;
passwordCommand = "cat ${config.sops.secrets.address3-token.path}";
imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com";
msmtp.enable = true;
@ -11894,7 +11906,7 @@ Lastly, I am defining some more packages here that the parser has problems findi
options.swarselsystems.modules.emacs = lib.mkEnableOption "emacs settings";
config = lib.mkIf config.swarselsystems.modules.emacs {
# needed for elfeed
sops.secrets.fever = lib.mkIf (!isPublic) { path = "${homeDir}/.emacs.d/.fever"; };
sops.secrets.fever-pw = lib.mkIf (!isPublic) { path = "${homeDir}/.emacs.d/.fever"; };
# enable emacs overlay for bleeding edge features
# also read init.el file and install use-package packages
@ -12046,7 +12058,7 @@ The rest of the related configuration is found here:
};
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
github_notif = { path = "${xdgDir}/secrets/github_notif"; };
github-notifications-token = { path = "${xdgDir}/secrets/github-notifications-token"; };
};
programs.waybar = {
@ -13194,9 +13206,9 @@ Settinfs that are needed for the gpg-agent. Also we are enabling emacs support f
This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways.
#+begin_src nix-ts :tangle modules/home/common/gammastep.nix
{ lib, config, nixosConfig, ... }:
{ lib, config, ... }:
let
inherit (nixosConfig.repo.secrets.common.location) latitude longitude;
inherit (config.repo.secrets.common.location) latitude longitude;
in
{
options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings";
@ -13357,10 +13369,10 @@ The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming
The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]]. Here, I am setting up the different firefox profiles that I need for the SSO sites that I need to access at work as well as a few ssh shorthands.
#+begin_src nix-ts :tangle modules/home/optional/work.nix :noweb yes
{ self, config, pkgs, lib, nixosConfig, ... }:
{ self, config, pkgs, lib, ... }:
let
inherit (config.swarselsystems) homeDir;
inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
inherit (config.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
in
{
options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings";
@ -14378,7 +14390,7 @@ This utility checks if there are updated packages in nixpkgs-unstable. It does s
inherit name;
runtimeInputs = [ jq ];
text = ''
count=$(curl -u Swarsel:"$(cat "$XDG_RUNTIME_DIR/secrets/github_notif")" https://api.github.com/notifications | jq '. | length')
count=$(curl -u Swarsel:"$(cat "$XDG_RUNTIME_DIR/secrets/github-notifications-token")" https://api.github.com/notifications | jq '. | length')
if [[ "$count" != "0" ]]; then
echo "{\"text\":\"$count\"}"
@ -15707,6 +15719,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
config = lib.mkIf config.swarselsystems.profiles.personal {
swarselsystems.modules = {
packages = lib.mkDefault true;
pii = lib.mkDefault true;
general = lib.mkDefault true;
home-manager = lib.mkDefault true;
xserver = lib.mkDefault true;
@ -15720,7 +15733,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
network = lib.mkDefault true;
time = lib.mkDefault true;
sops = lib.mkDefault true;
pii = lib.mkDefault true;
stylix = lib.mkDefault true;
programs = lib.mkDefault true;
zsh = lib.mkDefault true;
@ -16177,6 +16189,7 @@ This holds modules that are to be used on most hosts. These are also the most im
config = lib.mkIf config.swarselsystems.profiles.personal {
swarselsystems.modules = {
packages = lib.mkDefault true;
pii = lib.mkDefault true;
ownpackages = lib.mkDefault true;
general = lib.mkDefault true;
nixgl = lib.mkDefault true;

4
hosts/nixos/nbl-imba-2/default.nix
View file

@ -2,6 +2,8 @@
let
primaryUser = config.swarselsystems.mainUser;
sharedOptions = {
isLaptop = true;
isNixos = true;
isBtrfs = true;
isLinux = true;
sharescreen = "eDP-2";
@ -50,8 +52,6 @@ in
# home.stateVersion = lib.mkForce "23.05";
swarselsystems = lib.recursiveUpdate
{
isLaptop = true;
isNixos = true;
isSecondaryGpu = true;
SecondaryGpuCard = "pci-0000_03_00_0";
cpuCount = 16;

6
hosts/nixos/nbl-imba-2/secrets/pii.nix.enc
View file

@ -1,5 +1,5 @@
{
"data": "ENC[AES256_GCM,data:7NtG3UFeZ4Ao/g/kfJzSfdwpiOxOT2c3N1NRsFAx2wRLnRHpsT3bgFtkQxiw8hz0GOmZXHktFvoTt6xHv7wjBk8rIil1fUJoWdqGymQWMzjb3crFDWQOkUGJxVl9ARxTQew630ITtezThuGzuOBewBuJ7ha/SAoGLqPwLuitBIuK9nC6szAIN0wdqM+S1KSNyj6yQitUNpL00/cV4PwKE6+slzjO24OEk6Ut5CO5zdS03Kv6vpXHGY2a+13xmkeusuMrfdZPkGt707FDZx5qBOZka8IEThSawZxwqVjgPfUFNwqc7l+OSMkAjgzqZ+XNsQaDGWfrZrHTkIVSGW8C40Zhvz4q2v2BtRREbWCY/mLJVf5ZP0duD95gYk+MA/4pkriPQY1SmF3ci89i3+pWWhJ4QN9fG5eEA6mvDmVquYXa3q5D2MBOnrZw5hPxM5kgwZiC1Km0aCs8yjS2PPxqZZxgjo39to4GjuLnnu+iDy/8T0IQ7vcI1f9cPQpKTUtNHiBf5SJFsDdDgzCuKR3UTBA5Nq9mvUhcSSIvzG03z0QLVHUISdKyLVWFQcmTCsrRbxfsjryPZ2MQF0sda+6/XWDzW3cdXRCUw+H3ac8XHii0xsgD08l1cBXPtDFa/TebiCsbms9tdJoAuTU7n58d0CT9LDqnutCHOUl/38eSNbg1ZpQh1TVvlW+rV9QIxYjPJulOG/USaR17mR3AZ5pwuFLr9YWOipLmSj3ivHxmnpoeQNoHNbcs2lJX40oNmxnB3wHoaicHibNkX/nMkRjYJYz1h+ocZ3sA3HQvzm21JxvDttHucO2y3LL4jq/R5KawrmD6PRl9l0faR2Z+J0m0HAVHCAAfznbQmwCipgVHuXQX0wrKVjwAngXVdYJWWNx154tdp/tDvT/rLSEBgFdVkwJHL5YXu1Vo/nw0bCQWqkoappEpTSDxcEv1MIsF83wwEo3kKrzvwA90X8m34DU2A1NMfvhE3ZJ0wBxGAG3s1BQNfRiHQNnzwqyn7MEbp9+5xHd6FJ6tiC8TByEWZt5MKXTklHf447UTq2yR7ZX+FnKdOjzgCbpH32GddSVaDbNxt91eBg/XOK5lrJTpGqVhl+E7MfLoOuRW,iv:5zbIXCwGyPZZTLscwd9VaCoEriZtaZwsxoGh2Qv4c6g=,tag:Tf7gxYE0aZCrD486M2SMzQ==,type:str]",
"data": "ENC[AES256_GCM,data:M+eOn0Sw85cFlTD3SwkbOKwYDovKbOjyHdqp1Z+sCdWrc4Ewo7upSoBozeotp7SRzXkw1rMhTWZSah/1emjtIoXK54w/tB5R4sNXKCcastC8ptkFdVAW9r7rTP7rwiS+qenPq35tO9whe3ejPeODyBnG6CPSWm0jnZVCyMGN00Jlxsa7FtP1k11OgvfxQ+gZ4NVDDCe55NSFVIlqSB5MfKsQ9d9yws5j8TY3afJQZ2hSSjhQrIpyy3DIKswljqfYKeKFoy9Akd7D9biV3t6rTzXBk8NLLC4CpjOYuatjouUntuIFQmk9JwTBox1dAU86hQxv5BxiIPRU1LElWWYlyEw7Wb80izlnMDlZvi6mrHPGJBySplY11idIVI0AruzV2UjgZcNc5ofVjWMkqJ72ma4XQiVioVs7iBBVHvo+hFMlxRchFCoKA87MfEjWqBKVH7P4ZtTvP3ss1QmRffh2ME/oPMGHFcuTwEa44clhlNP84vwKb2BnLn71akbXjQHRsny39+4S0DpCQRHw/CWqXGR3rpJpQ0xDfDd/NTgsz2EmyiDYj6FavuZ6mtVuVzVkwC+nXouCMpVqJe3J1O8PgjGoG5hjVw0IxbSV0JwSbAMryLjxWgr6FLPbhxQesT8JenHlYDN11kTj2amgGQiUbVzI6oBV9GjnKAkER8FbKR17XekDW6vP6obDY2qWuY3h+wHE/tGzaYN+8TGSqUK4+iGiCJTMLHOY+w/0qPcX2G6Y6vfDyGL/dAmCaZsEqGjh1Ajxjj1RJFDInDBJbpqjbOylojFKv6nieImAWvWGoQHmUI8uV+i+B6cd07u24G8xNp3DPiCZ+LYS0V+va/c6SqZfXzr1P/3wC+jxgo81opD2czsx4k52obL1/sh+2l5ExVWTtEmwlsIoLkK6q9n9ZZ0rVJFR7WHxUHrBYn0/ZpeuSy9svjEePIHXSfqswBg0fYCbOaXl5UXgNIa90CYrXVBomGpi00es3utGBmDHAdA6Noo9vSzagkAgz5HVP8VSZF0cSBUIFmW4rrKHSAllVrvUVNxlOuJNDC+8OlKrb+QwydEiZvrjqlYcVMNQjMrmY5uWNYNAng+10FCctpttWV2k0siemiSJ7Z7ivCLJghErk7EimSq5KKGYuKSYsc8eBPPMIVTNUOThfkDSHbmlsBCaTKsDRmgq0g+C1mbMkB6yfJMiRgwCIoIsOLQ16q/pmMopEX7t7FUCOb8SiOSfQikK2EE72A8oSTdoYnUsrBNzl8y1NSGQVA==,iv:zbR0Sq8Ka8HEQw+8H71OFv3Yv6CL1zR55jHbZg7oSYs=,tag:y97EhzsNkSZhk8TldYW+og==,type:str]",
"sops": {
"age": [
{
@ -11,8 +11,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z2tONmQxTUhZUW12Z2Jm\nUnoxSnpYcnZDNGNzSko1ckl2RDh3NG1VS2dFCmIwUXhmSk1OUk02S0JPVDR5UWJ4\na0gwWlg0V005ZWxYa29PZ0laS2VqM0kKLS0tIHN5SU9pQ090eHljeXJGWm5hRFQ4\nZ001Nzkyb29RYkNUMDNDNlo4YnVQeTQK34bNIBgxId2+DHKQNVV3Iro3KGkE03Sp\niB1+dADT6nRvGvoyPqnLq/NYfw7eQ6XqYt55zkdCta8v6L1UNUkw8g==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-06-11T13:48:16Z",
"mac": "ENC[AES256_GCM,data:6WiY/gpT7V+xQCuotG41Mh+dTSjYT/sg/14Gt7Z7PsrG+WRR33N1OhBV3EVdXeeE8NXkvvoZL/wypgQTWk7wfWpzwhWH478OXc3yaVx7G/nTsDhX/XjKvajpKnXLdn/s2xt9vhPmYuJidR7JYoHN4iv1Lv1eC1mAYKpW4i+sNJk=,iv:ThUxocoeMC1GAfSSeDF9P+m4BZpNuiyWiBrwDPhvNe0=,tag:AxvMKzkG1HBdUqPbbz4Qqg==,type:str]",
"lastmodified": "2025-07-05T10:52:55Z",
"mac": "ENC[AES256_GCM,data:qqct7oB1UmnwAnJ64U4eV7nCQIGGVU82ROidWlexNCb/zrl5+1mzJ1d5oeHojoi42g2jlKU8fAdTKdpewaOsmG+udiqwxsjrlxeXok6vvvVKBfeusA7rhqhQoF2Ct24PSY9PMGD8Nnwd43bVSlZLbHFfQyRtUbzsQ5YkivJtUo4=,iv:hle/CYmxHx1IcH7z4cxZmqMHE5VotOg/ethipEtsXoo=,tag:uM8luDulFJrZm3OfiSRH5Q==,type:str]",
"pgp": [
{
"created_at": "2025-06-14T22:31:01Z",

2
modules/home/common/emacs.nix
View file

@ -6,7 +6,7 @@ in
options.swarselsystems.modules.emacs = lib.mkEnableOption "emacs settings";
config = lib.mkIf config.swarselsystems.modules.emacs {
# needed for elfeed
sops.secrets.fever = lib.mkIf (!isPublic) { path = "${homeDir}/.emacs.d/.fever"; };
sops.secrets.fever-pw = lib.mkIf (!isPublic) { path = "${homeDir}/.emacs.d/.fever"; };
# enable emacs overlay for bleeding edge features
# also read init.el file and install use-package packages

6
modules/home/common/env.nix
View file

@ -1,7 +1,7 @@
{ lib, config, nixosConfig, globals, ... }:
{ lib, config, globals, ... }:
let
inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
inherit (nixosConfig.repo.secrets.common) fullName;
inherit (config.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
inherit (config.repo.secrets.common) fullName;
crocDomain = globals.services.croc.domain;
in
{

4
modules/home/common/gammastep.nix
View file

@ -1,6 +1,6 @@
{ lib, config, nixosConfig, ... }:
{ lib, config, ... }:
let
inherit (nixosConfig.repo.secrets.common.location) latitude longitude;
inherit (config.repo.secrets.common.location) latitude longitude;
in
{
options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings";

6
modules/home/common/git.nix
View file

@ -1,7 +1,7 @@
{ lib, config, nixosConfig, globals, minimal, ... }:
{ lib, config, globals, minimal, ... }:
let
inherit (nixosConfig.repo.secrets.common.mail) address1;
inherit (nixosConfig.repo.secrets.common) fullName;
inherit (config.repo.secrets.common.mail) address1;
inherit (config.repo.secrets.common) fullName;
gitUser = globals.user.name;
in

30
modules/home/common/mail.nix
View file

@ -1,7 +1,7 @@
{ lib, config, nixosConfig, ... }:
{ lib, config, ... }:
let
inherit (nixosConfig.repo.secrets.common.mail) address1 address2 add2Name address3 add3Name address4;
inherit (nixosConfig.repo.secrets.common) fullName;
inherit (config.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host;
inherit (config.repo.secrets.common) fullName;
inherit (config.swarselsystems) xdgDir;
in
{
@ -9,10 +9,10 @@ in
config = lib.mkIf config.swarselsystems.modules.mail {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
mrswarsel = { path = "${xdgDir}/secrets/mrswarsel"; };
nautilus = { path = "${xdgDir}/secrets/nautilus"; };
leon = { path = "${xdgDir}/secrets/leon"; };
swarselmail = { path = "${xdgDir}/secrets/swarselmail"; };
address1-token = { path = "${xdgDir}/secrets/address1-token"; };
address2-token = { path = "${xdgDir}/secrets/address2-token"; };
address3-token = { path = "${xdgDir}/secrets/address3-token"; };
address4-token = { path = "${xdgDir}/secrets/address4-token"; };
};
programs = {
@ -42,7 +42,7 @@ in
address = address1;
userName = address1;
realName = fullName;
passwordCommand = "cat ${config.sops.secrets.leon.path}";
passwordCommand = "cat ${config.sops.secrets.address1-token.path}";
gpg = {
key = "0x76FD3810215AE097";
signByDefault = true;
@ -72,11 +72,11 @@ in
swarsel = {
address = address4;
userName = "8227dc594dd515ce232eda1471cb9a19";
userName = address4-user;
realName = fullName;
passwordCommand = "cat ${config.sops.secrets.swarselmail.path}";
passwordCommand = "cat ${config.sops.secrets.address4-token.path}";
smtp = {
host = "in-v3.mailjet.com";
host = address4-host;
port = 587;
tls = {
enable = true;
@ -96,8 +96,8 @@ in
primary = false;
address = address2;
userName = address2;
realName = add2Name;
passwordCommand = "cat ${config.sops.secrets.nautilus.path}";
realName = address2-name;
passwordCommand = "cat ${config.sops.secrets.address2-token.path}";
imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com";
msmtp.enable = true;
@ -123,8 +123,8 @@ in
primary = false;
address = address3;
userName = address3;
realName = add3Name;
passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}";
realName = address3-name;
passwordCommand = "cat ${config.sops.secrets.address3-token.path}";
imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com";
msmtp.enable = true;

12
modules/home/common/settings.nix
View file

@ -1,4 +1,4 @@
{ lib, config, ... }:
{ self, lib, pkgs, config, ... }:
let
inherit (config.swarselsystems) mainUser;
in
@ -6,6 +6,14 @@ in
options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
config = lib.mkIf config.swarselsystems.modules.general {
nix = lib.mkIf (!config.swarselsystems.isNixos) {
package = lib.mkForce pkgs.nixVersions.nix_2_28;
extraOptions = ''
plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
patches = (o.patches or []) ++ ["${self}/nix/nix-plugins.patch"];
})}/lib/nix/plugins
extra-builtins-file = ${self + /nix/extra-builtins.nix}
'';
settings = {
experimental-features = [
"nix-command"
@ -17,7 +25,7 @@ in
trusted-users = [ "@wheel" "${mainUser}" ];
connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
fallback = true;
min-free = 128000000;
max-free = 1000000000;

2
modules/home/common/waybar.nix
View file

@ -61,7 +61,7 @@ in
};
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
github_notif = { path = "${xdgDir}/secrets/github_notif"; };
github-notifications-token = { path = "${xdgDir}/secrets/github-notifications-token"; };
};
programs.waybar = {

8
modules/home/common/yubikey.nix
View file

@ -1,4 +1,4 @@
{ lib, config, nixosConfig, ... }:
{ lib, config, ... }:
let
inherit (config.swarselsystems) homeDir;
in
@ -8,13 +8,13 @@ in
config = lib.mkIf config.swarselsystems.modules.yubikey {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
u2f_keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
};
pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
ids = [
nixosConfig.repo.secrets.common.yubikeys.dev1
nixosConfig.repo.secrets.common.yubikeys.dev2
config.repo.secrets.common.yubikeys.dev1
config.repo.secrets.common.yubikeys.dev2
];
};
};

4
modules/home/optional/work.nix
View file

@ -1,7 +1,7 @@
{ self, config, pkgs, lib, nixosConfig, ... }:
{ self, config, pkgs, lib, ... }:
let
inherit (config.swarselsystems) homeDir;
inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
inherit (config.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
in
{
options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings";

120
modules/nixos/client/network.nix
View file

@ -1,7 +1,12 @@
{ self, lib, config, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
clientSopsFile = self + /secrets/${config.networking.hostName}/secrets.yaml;
inherit (config.swarselsystems) mainUser;
inherit (config.repo.secrets.common.network) wlan1 wlan2 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips;
iwd = config.networking.networkmanager.wifi.backend == "iwd";
in
{
@ -13,39 +18,33 @@ in
sops = {
secrets = lib.mkIf (!config.swarselsystems.isPublic) {
ernest = { };
frauns = { };
hotspot = { };
eduid = { };
edupass = { };
handyhotspot = { };
vpnuser = { };
vpnpass = { };
wireguardpriv = { };
wireguardpub = { };
wireguardendpoint = { };
stashuser = { };
stashpass = { };
githubforgeuser = { };
githubforgepass = { };
gitlabforgeuser = { };
gitlabforgepass = { };
"sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
"sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
wlan1-pw = { };
wlan2-pw = { };
laptop-hotspot-pw = { };
mobile-hotspot-pw = { };
eduroam-user = { };
eduroam-pw = { };
pia-vpn-user = { };
pia-vpn-pw = { };
home-wireguard-client-private-key = { sopsFile = clientSopsFile; };
home-wireguard-server-public-key = { };
home-wireguard-endpoint = { };
pia-vpn1-crl-pem = { sopsFile = certsSopsFile; };
pia-vpn1-ca-pem = { sopsFile = certsSopsFile; };
};
templates = lib.mkIf (!config.swarselsystems.isPublic) {
"network-manager.env".content = ''
ERNEST=${config.sops.placeholder.ernest}
FRAUNS=${config.sops.placeholder.frauns}
HOTSPOT=${config.sops.placeholder.hotspot}
EDUID=${config.sops.placeholder.eduid}
EDUPASS=${config.sops.placeholder.edupass}
HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
VPNUSER=${config.sops.placeholder.vpnuser}
VPNPASS=${config.sops.placeholder.vpnpass}
WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
WLAN1_PW=${config.sops.placeholder.wlan1-pw}
WLAN2_PW=${config.sops.placeholder.wlan2-pw}
LAPTOP_HOTSPOT_PW=${config.sops.placeholder.laptop-hotspot-pw}
MOBILE_HOTSPOT_PW=${config.sops.placeholder.mobile-hotspot-pw}
EDUROAM_USER=${config.sops.placeholder.eduroam-user}
EDUROAM_PW=${config.sops.placeholder.eduroam-pw}
PIA_VPN_USER=${config.sops.placeholder.pia-vpn-user}
PIA_VPN_PW=${config.sops.placeholder.pia-vpn-pw}
HOME_WIREGUARD_CLIENT_PRIVATE_KEY=${config.sops.placeholder.home-wireguard-client-private-key}
HOME_WIREGUARD_SERVER_PUBLIC_KEY=${config.sops.placeholder.home-wireguard-server-public-key}
HOME_WIREGUARD_ENDPOINT=${config.sops.placeholder.home-wireguard-endpoint}
'';
};
};
@ -87,9 +86,9 @@ in
"${config.sops.templates."network-manager.env".path}"
];
profiles = {
"Ernest Routerford" = {
${wlan1} = {
connection = {
id = "Ernest Routerford";
id = wlan1;
permissions = "";
type = "wifi";
};
@ -105,12 +104,12 @@ in
wifi = {
mac-address-blacklist = "";
mode = "infrastructure";
ssid = "Ernest Routerford";
ssid = wlan1;
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$ERNEST";
psk = "WLAN1_PW";
};
};
@ -123,7 +122,6 @@ in
ethernet = {
auto-negotiate = "true";
cloned-mac-address = "preserve";
mac-address = "90:2E:16:D0:A1:87";
};
ipv4 = { method = "shared"; };
ipv6 = {
@ -136,10 +134,10 @@ in
eduroam = {
"802-1x" = {
eap = if (!iwd) then "ttls;" else "peap;";
identity = "$EDUID";
password = "$EDUPASS";
identity = "$EDUROAM_USER";
password = "$EDUROAM_PW";
phase2-auth = "mschapv2";
anonymous-identity = lib.mkIf iwd "anonymous@student.tuwien.ac.at";
anonymous-identity = lib.mkIf iwd eduroam-anon;
};
connection = {
id = "eduroam";
@ -179,9 +177,9 @@ in
proxy = { };
};
HH40V_39F5 = {
${wlan2} = {
connection = {
id = "HH40V_39F5";
id = wlan2;
type = "wifi";
};
ipv4 = { method = "auto"; };
@ -193,17 +191,17 @@ in
wifi = {
band = "bg";
mode = "infrastructure";
ssid = "HH40V_39F5";
ssid = wlan2;
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = "$FRAUNS";
psk = "$WLAN2_PW";
};
};
magicant = {
${mobile1} = {
connection = {
id = "magicant";
id = mobile1;
type = "wifi";
};
ipv4 = { method = "auto"; };
@ -214,30 +212,30 @@ in
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "magicant";
ssid = mobile1;
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$HANDYHOTSPOT";
psk = "$MOBILE_HOTSPOT_PW";
};
};
wireguardvpn = {
home-wireguard = {
connection = {
id = "HomeVPN";
type = "wireguard";
autoconnect = "false";
interface-name = "wg1";
};
wireguard = { private-key = "$WIREGUARDPRIV"; };
"wireguard-peer.$WIREGUARDPUB" = {
endpoint = "$WIREGUARDENDPOINT";
allowed-ips = "0.0.0.0/0";
wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; };
"wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = {
endpoint = "$HOME_WIREGUARD_ENDPOINT";
allowed-ips = home-wireguard-allowed-ips;
};
ipv4 = {
method = "ignore";
address1 = "192.168.3.3/32";
address1 = home-wireguard-address;
};
ipv6 = {
addr-gen-mode = "stable-privacy";
@ -246,10 +244,10 @@ in
proxy = { };
};
"sweden-aes-128-cbc-udp-dns" = {
pia-vpn1 = {
connection = {
autoconnect = "false";
id = "PIA Sweden";
id = "PIA ${vpn1-location}";
type = "vpn";
};
ipv4 = { method = "auto"; };
@ -260,21 +258,21 @@ in
proxy = { };
vpn = {
auth = "sha1";
ca = config.sops.secrets."sweden-aes-128-cbc-udp-dns-ca.pem".path;
ca = config.sops.secrets."pia-vpn1-ca-pem".path;
challenge-response-flags = "2";
cipher = "aes-128-cbc";
cipher = vpn1-cipher;
compress = "yes";
connection-type = "password";
crl-verify-file = config.sops.secrets."sweden-aes-128-cbc-udp-dns-crl-verify.pem".path;
crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path;
dev = "tun";
password-flags = "0";
remote = "sweden.privacy.network:1198";
remote = vpn1-address;
remote-cert-tls = "server";
reneg-seconds = "0";
service-type = "org.freedesktop.NetworkManager.openvpn";
username = "$VPNUSER";
username = "$PIA_VPN_USER";
};
vpn-secrets = { password = "$VPNPASS"; };
vpn-secrets = { password = "$PIA_VPN_PW"; };
};
Hotspot = {
@ -298,7 +296,7 @@ in
key-mgmt = "wpa-psk";
pairwise = "ccmp;";
proto = "rsn;";
psk = "$HOTSPOT";
psk = "$MOBILE_HOTSPOT_PW";
};
};

18
modules/nixos/common/home-manager.nix
View file

@ -1,7 +1,4 @@
{ self, inputs, config, lib, outputs, globals, nodes, minimal, ... }:
let
inherit (config.swarselsystems) mainUser;
in
{ self, inputs, config, lib, outputs, globals, nodes, minimal, configName, ... }:
{
options.swarselsystems.modules.home-manager = lib.mkEnableOption "home-manager";
config = lib.mkIf config.swarselsystems.modules.home-manager {
@ -9,14 +6,19 @@ in
useGlobalPkgs = true;
useUserPackages = true;
verbose = true;
users."${mainUser}".imports = [
"${self}/profiles/home"
"${self}/modules/home"
];
sharedModules = [
inputs.nix-index-database.hmModules.nix-index
inputs.sops-nix.homeManagerModules.sops
{
imports = [
"${self}/profiles/home"
"${self}/modules/home"
"${self}/modules/nixos/common/pii.nix"
"${self}/modules/nixos/common/meta.nix"
];
node = {
secretsDir = if config.swarselsystems.isNixos then ../../../hosts/nixos/${configName}/secrets else ../../../hosts/home/${configName}/secrets;
};
home.stateVersion = lib.mkDefault config.system.stateVersion;
}
];

4
modules/nixos/common/users.nix
View file

@ -5,7 +5,7 @@ in
{
options.swarselsystems.modules.users = lib.mkEnableOption "user config";
config = lib.mkIf config.swarselsystems.modules.users {
sops.secrets.swarseluser = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
users = {
mutableUsers = lib.mkIf (!minimal) false;
@ -13,7 +13,7 @@ in
isNormalUser = true;
description = "Leon S";
password = lib.mkIf minimal "setup";
hashedPasswordFile = lib.mkIf (!minimal) config.sops.secrets.swarseluser.path;
hashedPasswordFile = lib.mkIf (!minimal) config.sops.secrets.main-user-hashed-pw.path;
extraGroups = [ "wheel" ] ++ lib.optionals (!minimal) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
packages = with pkgs; [ ];
};

30
nix/hosts.nix
View file

@ -6,9 +6,9 @@
inherit (outputs) lib;
# lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; });
mkNixosHost = { minimal }: name:
mkNixosHost = { minimal }: configName:
lib.nixosSystem {
specialArgs = { inherit inputs outputs lib self minimal; inherit (config) globals nodes; };
specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; };
modules = [
inputs.disko.nixosModules.disko
inputs.sops-nix.nixosModules.sops
@ -16,19 +16,21 @@
inputs.lanzaboote.nixosModules.lanzaboote
inputs.nix-topology.nixosModules.default
inputs.home-manager.nixosModules.home-manager
"${self}/hosts/nixos/${name}"
"${self}/hosts/nixos/${configName}"
"${self}/profiles/nixos"
"${self}/modules/nixos"
{
node.name = name;
node.secretsDir = ../hosts/nixos/${name}/secrets;
node = {
name = configName;
secretsDir = ../hosts/nixos/${configName}/secrets;
};
}
];
};
mkDarwinHost = { minimal }: name:
mkDarwinHost = { minimal }: configName:
inputs.nix-darwin.lib.darwinSystem {
specialArgs = { inherit inputs outputs lib self minimal; inherit (config) globals nodes; };
specialArgs = { inherit inputs outputs lib self minimal configName; inherit (config) globals nodes; };
modules = [
# inputs.disko.nixosModules.disko
# inputs.sops-nix.nixosModules.sops
@ -37,28 +39,28 @@
# inputs.fw-fanctrl.nixosModules.default
# inputs.nix-topology.nixosModules.default
inputs.home-manager.darwinModules.home-manager
"${self}/hosts/darwin/${name}"
"${self}/hosts/darwin/${configName}"
"${self}/modules/nixos/darwin"
# needed for infrastructure
"${self}/modules/nixos/common/meta.nix"
"${self}/modules/nixos/common/globals.nix"
{
node.name = name;
node.secretsDir = ../hosts/darwin/${name}/secrets;
node.name = configName;
node.secretsDir = ../hosts/darwin/${configName}/secrets;
}
];
};
mkHalfHost = name: type: pkgs: {
${name} =
mkHalfHost = configName: type: pkgs: {
${configName} =
let
systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration;
in
systemFunc
{
inherit pkgs;
extraSpecialArgs = { inherit inputs outputs lib self; };
modules = [ "${self}/hosts/${type}/${name}" ];
extraSpecialArgs = { inherit inputs outputs lib self configName; };
modules = [ "${self}/hosts/${type}/${configName}" ];
};
};

2
pkgs/github-notifications/default.nix
View file

@ -4,7 +4,7 @@ writeShellApplication {
inherit name;
runtimeInputs = [ jq ];
text = ''
count=$(curl -u Swarsel:"$(cat "$XDG_RUNTIME_DIR/secrets/github_notif")" https://api.github.com/notifications | jq '. | length')
count=$(curl -u Swarsel:"$(cat "$XDG_RUNTIME_DIR/secrets/github-notifications-token")" https://api.github.com/notifications | jq '. | length')
if [[ "$count" != "0" ]]; then
echo "{\"text\":\"$count\"}"

1
profiles/home/personal/default.nix
View file

@ -4,6 +4,7 @@
config = lib.mkIf config.swarselsystems.profiles.personal {
swarselsystems.modules = {
packages = lib.mkDefault true;
pii = lib.mkDefault true;
ownpackages = lib.mkDefault true;
general = lib.mkDefault true;
nixgl = lib.mkDefault true;

2
profiles/nixos/personal/default.nix
View file

@ -4,6 +4,7 @@
config = lib.mkIf config.swarselsystems.profiles.personal {
swarselsystems.modules = {
packages = lib.mkDefault true;
pii = lib.mkDefault true;
general = lib.mkDefault true;
home-manager = lib.mkDefault true;
xserver = lib.mkDefault true;
@ -17,7 +18,6 @@
network = lib.mkDefault true;
time = lib.mkDefault true;
sops = lib.mkDefault true;
pii = lib.mkDefault true;
stylix = lib.mkDefault true;
programs = lib.mkDefault true;
zsh = lib.mkDefault true;

8
secrets/certs/secrets.yaml
View file

@ -1,5 +1,5 @@
sweden-aes-128-cbc-udp-dns-crl-verify.pem: ENC[AES256_GCM,data:5je4QCI3aR6jpE0O+0ssm/ZxrrgNL62XFF9XIh3mkwSKOMq3vz9H4xsDbDjnKxnZdMi7ogIEtAizbga7kuhyD3CuPlFX08poVFvALbjG95bdblphUQpKx2AN1wxpKUjLlt9DsU9sjdtCkVB8NEMwt9+CyJzyvT7ZgJYemM47Ts1gxlKvo4Vh5lHrpUWJ9Q0lHwW1J0PrAe5EBTkVc4/StdhKRgKAYnQKCAfVdrNe5SHSIqqjGvb3+5fjnwwIRE/5g6Zmn6nSpbsD7XNMDdrS1aPMLylY02sTd9BF6ZTfw2AqYbr9WSzTmMoc0Z1gMmwQX22rgvjuq0rf38Mx4TQRCCC2dPNnmSxQa5eyYfIKp3Y71Mnp07c1AVYQDOq/8Db71gapavudIV2F/iIOeJKpHmGB2HvI1bVKYfvccOdyVPZu3T+qrBHrr6kj0+PJed27tihMbVKkPTELwQJFFTAtQJcG/F2W6WEaYgu4ap51cGXOMm4SF2ANL+bSSl8mQcyOU/N69WXbfKFpHO4tV+me1lnuJwl/YcukZnzqrYvA0BwrfNHnIyyApUyqB2cLxLAJ6cH2ixceNC22j5P8s2DBBan68NJFewTqgEoyPJdbtBvHTVRM0CRHekGBjtUznwrB74iXI/BvddfAWk006f6vbja2IJ1BcE9GHG74ZEYUIag5BErQ6Rds2+pBnr+xh9wjJsYeLLiKATkvjM/4pCND+RwKLpHNlyUxw7mBeJJAsfE4EZC8ZP5Mb8bq0G2Suxe20YgIWvx4M2RskJlAX/XJcQSJqLBVb29altiOiVEcdzZRDpGPqJwPr0iWGSQuXJ2VOZFRyqRu2JxFa/DCnxVyk9fbqTMKnh7jROdh7gS7++1MGrdzg/hJw9Q0uD1bLVo472i4s2wJqt/VYYc+/3UHR0kmt2ftSiux/lSb/+gmGk5onOyWZKLmkFEYG++MJVRksXTjn1xnFT1CFmQ8c+/qWUqSmcbHuAg2btCzlpuOuANYSRmmMbFTTkMkYjKDRKrQD/CmbW52cVUIm93WuELQIJ1Ri02XVM2pwoZfnKr3VY0y4yLXSylWLnXJDydDZv0ZmfU9Gyi77M88VCzYlQX6SSpRJ/r+cjdscauXzxo4BNVxjRgvNGOe4DkAeKXy50N79sw/WMY=,iv:b4QKl9Qr2reO3kgZ4Ls1vKyz5tKAP93s9pZe4UihwW4=,tag:Xe5jcylBt4D2jhc+ZkCRWw==,type:str]
sweden-aes-128-cbc-udp-dns-ca.pem: ENC[AES256_GCM,data:G2IiEee0cVH/7fZbaGDiyyE4iphqlhsLCaWOwznl11k/rDximnc8B1y3vT9C7eZcQ9Cj0XB9C5tzeVP3Cqhq4wxOP5bqDCYvoBG6ZzMxsDXM9OcvWe6Cxv94C+t7bHwL89yroDhfz08I/YMiCc0HGXTlf1aAVyD0NBh+LM20Q3Bh1Xhpl3gITf1Xs7BJxpHDXCAEku7ufnIxZb4aTWwWn4DGG6NmzQt2we39/pW17s7/1rM7Jo6BljfqmMBLyLry004tn1tvzXjqOY64SLl0h4ufLrAIFoxg+nsnc4ymNYTuR/4eh0JzeJaNNSqZjXT7aVhTKV36HRV9vMkXIHCC83kfHLU9rB8gtb9b+pPDaSDO25yYaNS1+VkMEZNRtpq9A3Nag25z2qpIOVfRLZgIj4ScWsD+5PIwRnwn9M+hRGfYsblhf1fYtYUQnByl5K4Lh/MycMFdp8JKJMedVKRzlHNhWqDqu1zpiYTFK5wiZ+PJVshh4zzIaFbvmrHZINzVsAmhNGQBptUW2oFe+Py/c1zGpWJkZ4fk4PlhppiQ5zr4r82p3fFK0JtbSbAhprzUkgwu2nPwzFcplKDGlT/a4FpmUgYjIgNEWRjBDqk8hrMLgHayiQaZ3D2EH5FlWiKpO+kx/np/hPj7gIPMs+5IDGtFfMESlJ+wM7bxZOkk0DyNvfJkPBlJa7d8imv7XIw9hTu5ii8cfqha1rBfx8P1hy9kSq5kGqO8x8NA50Ynktrl7uu/qLJiUkSdR3bdfakWXid8wjh79saY1OXc83cooCW9DRNuFP9+murzbA+hYXvc6dr5fFvsk5mH6oVzqudgFD1UD6s16+9xwN39Z0qVloLpaZbUN5Jbl83Y0MxhzeNOL1cu2fGx8O2Pt7XsmhMs+RstGIORSjFPiGkVT3ejUJ9icIMcTVkzvT+8lW97purrJqmMUmuUEtReLFYdt8NNSLVpyZdVWhnuLlUbO05HzAOUgqKmcLoK8eTJlTkkB3qlB4LtjUKvaLKm2HD5hV3RUiEoec3rQhRsOjXox92iIdct3l2YK7TWU+xxZoM2PlajWfDVm88r+jUhckUmIuZaGNAyGWFtju3de/x1vvdsSvkjibV1eh8w1CKNU3rC38eTdLLMpAgpel/KsHk9+GyHOg/LOocUeb5BDb7NE34SHpC8LTUCYq7mh3PbyoDGkErmi4OI2qSrZzaONUcU1/nBOXYyixPfhZqa47mCTd6Czcc7d7izI+c06UXvd1lxyxDZoIpBYoIBgKBNuSE6Ek83PHx2eShI5PIZ5o+R1TbR+LRYkYLJLyxQbiFL6SIRMngTNHvSFlbTIB1RXxBhTO6RX/dBt1ZM08Ga6NCgpSbsRiuFGOS54TSi9s54b1DCWgNs3CDAoFAtkvWWr0N9uk3IvcxpDMpR5Tw5DmKk21I/gsRWfQqr3bUYcI95upQ0N6Z7li3vjUwQd7mQ7vOzteKjZitAa0VBr8gfz7DOYXJaRfzFkcdZS54O/dWCr2N8A0CcgXfUEpXanc7JR7qiYwqv4GJZ47ZcjD5uVwqbrcdXj97v4LBV+zYf49LBq2OwqssgOJ2F3N9j2PR7x4+O3Xp4aw7V7pLii4/W/LxBED++b3dUvIX2+Mv19mpU5GIX+EyXLe1Ds6pEHFW3mbKEBOdPv5iQML2qhCIsjfw6v8Flge0xaK/Ex+LY/zBtIFv4rMpDVwtkDBYEeQAmSAFPLoPxz+l7Q7xkVbgnW1vwHqt7fZ9zhoTU26y00nX/B74rLxTNLoHcoyoErmpuAJeg+53P9vvXj0F7lx5EgQaybckgx8svhrWpX+BlrZXz9clTp9DGZsZg+Uy7k5/Fc3sFZ7Y4Vatwx2e3SH6vV3g15BLjEbnM3a7e3TfUKGxUVi7bZG2Z5z+9w3aF1zuAH/tZZNO4Dgv7PoGtU4/uxzzW88dPMH+oU9M/LueepyAtIJ/AbH8b5GMCl9/TiWUsP3FZlhuDH9hf2bHaZ2Vv5trj9Y31C87RbLKGueOfY6S7GyQXbHuEygZqxI+4OPw1oBcPHh/+7twL5ltLZj/NUQSjGKcoxHhTvOoE8pjNNTDtMX9WHqiyCiy8mM7qEuSdXm48UwFB0R897kYZoa5mZoSgj3WfjkqY2yu8wmXQx2ArSeHxF/9u88+d90pRgF9LcjLzO76/aGqlkbitBCOF7wtNuMj9mAYr84Yp4/PeNxPTiYaG0hj2ysjZhL8awnt5Ua6O83TPY8obU7G98xeYO5dl4B62TbdXwrqO+0NH0k0VZWEHA1TQbbn3DKXgWl1ehr6qKZKo+vuKzUFgjEU7EKIjnuXlv5AHsdsbKul1x4mtN0lGRGpc8xB0EzFfsxRzkb8LBjZjm13HsD54KayEnZHVKtKscMAYf1+VzasHLAQJzLXQNrSTqsfknhWZ0bkRdBr5bT+4V0mU3G02Us4WqhlBfGuuot5K5z+OUy0rsC1uvgl92Q6wR/a44ikPs4b60wyRYlxStfAPM3Kqw3hQAdAw5fpPT54yE5eHF9kU3zdo2XMKhxmhV2+i1eHauPCp88xEVTNLiR22rSDwoYMdDikZIyihdWH8dZfpq2bbCDnCscAuELJD3H0+3nFeM3RvtMx+l4ySSD3cj9tyhSwKTvvvPzsbanlo0S/82LJU5hDaM9C2vDtl/EYSsYN216J0hpxDTMwZQQ5NN2JNI1qm,iv:DcPiMfGUlnOZXuULOujLhY1qhN5sUbpWX25bexN3OKc=,tag:/i7U8WVqlFdP4DGwx7SxKA==,type:str]
pia-vpn1-crl-pem: ENC[AES256_GCM,data:vIngU8HivUQpJLZyOVTeBTmlaDxfPnyTfPakYk7aEfocJgmeX5GGF24LgfOE6L/ZKq4MUS1yH5ut0dIpEKHF5patzGBhLdrE4u2zyX/+MWCrTFO44mOjH1eDMNmU8s2xmOR3PoLK0vYPSYDew/tSrgw2PJ8aQ1NLiMlXAJnMTmTfyRLrY8Rhhw79o+GLWiy6OX4KPFKpS3+d1XgUeDl25c15t1yGfTkIg9wtXnW6y29WB7HIIMGTrKR6QekFkOEBIPdu3vzI0Bs24lJzIo2yDJ5m4YQgsmmqWPd2k8wmvGzxf2z4t1wJf9vv1+45ccgqfWISz3vbYHtQFBrmpdat4UcAvPIsiladKMhrGKFc2b7o0GqUTkd97CXWoIKaeDr6UDjNTA/9fI3smO+JPVVnc4WjZZ9nZLQcQrqiYkEq+xrTGE23yWVp9mCOY0zxyx1W8dvUYRDNk5iwrY+L0lBBeCNRXNDiJ6G0+Q4TNccY/aQNDsUz1CpHnk7vUqJX2bGjkRE8uUzSBvsWGFeMeizgr6MyhO/FWBq5A12kWMRfJZt3zmFeja3/3Zep1WsMnbmGWLyF/thClxDOyzJrAplpn4HL50dPOtRfowsr6BQD7uTPaw1k83IN7q++g+mARd+JTMze2lAfiF5kHm5C7CwPJR/Dw2FaIaXubTAOmG9Yc57A8E6y7Tlg58aeMcWHX0CMQaXgDMA2auvAwbot/gJyoOK3kUnbMGcE/0DMbLWLd/UuyxYhzEaGxl1cWRmMToLQGIx8Xvm0Fg++3Av6Q9I6AljDjJdtZVqa7yaHQak3wPGAtXvyW63g/76CIgBd4zcdg79aNVN3sNJuoxAI1OP0dU/+7shWQXI+qZ4GRXSDICcU7Xf+DFmzP+/yqIy8xC/357Y5LAU/RN8yWS8mu1hOf8qEvqzhIem8YpsfD0exFSOcxo5K18Q55Av8UHdVtvGPJhXqCkpJHJT1I2KF/vgKaKSlhCjokNir4AQlagTu2hixknAUu2J+6izLrxhyXR1m77eh7MzIEFU2BI9N11Q7LMYFF01O36kBW6RtyaEusSBNQXE2IS63DsWZxq4+PFaO0xj/hSVfb+AxKKgCMlZR0fYmVhuB62b7BGsxL93N/jxkLWTYzPJ3GMMzSSU9LgqC5JWCm0Y=,iv:h4TolwwP9VUe7mmRyhj4UR4+uYP6b75xkdWNXRYxnjU=,tag:GMeuig86T4nrANUjQgth5g==,type:str]
pia-vpn1-ca-pem: ENC[AES256_GCM,data:bRFLqNnqUqvmvo/Cs1rk5m7FzFGsZKvN/btQGC0/zS8BejOztFGL7yPaWsUVXSjxRsIEbWc2JWKzFP5AZXozDvK6vH9BWV0j/4FJBN38w87+Tr0a8U5XbGVWqEm8dr3OoCo7jRi1HkASpLtjRbL3hSSLWjCBfnd7FUyCemLR5+c6tlRuAL0ubk6N3FQYbUtfWQEDLu75TGND2EWo2CMzqfRZinFigIBQZuNCMKrRJm8cLbaAcPqy95wCtH3vPanMzdG2n2jrCt7gqTWn6tmNQH7L+RYJzpfFxoK6bOxBt2iyvyPp7nTCEMt8YZvz6Salk/V0aYnIXT4gbKVmpsdnPrwggYogLWP//dAycUjC0eF16zUkB17+Lj5zvuiEr7l+VfVZ6zt+LIo3adacdxU9vR4C6izyTJq5lVbAUYKFHxN8OMS0ZM5twtsUBmoIysyUQhE6xzMDHv9PJiK6A7BDFQ+PjzJcYWeBhGCr68Fj1flcHQEZxSuqbvFdwllhJiLAsO/TlqMf5IRIDGS1H9ouiEPuZ/VpD4JrjhW6QsUF2ALqDD9IuDQVQ464kqtVZdD/tQawF0zcoBNYI/YDKjgbI/sw3IrBpOuvdVHFq0Ea26igdupRZSzuLb/OSJ0G1nKnirs6gPlMw8rlvI1p8cSrSUSFlp+BBU2kV+GD9S5cXsQYfuuFJquPM62QQo/GvlBKZ1Vbz1fr+WzLxTyoz8m0VsduPuSnRx3IUcrVvs/MOmwcylbnTpZ1nmRjZ2dy0Ev7XDLeCbi3i1gnHPKAqQaA+tNo8EmkaxBqO7nfFulUZwaooKBGwy7AxjiCD2FBKYJm+5WUqXYXCDGpA9UxPtagCkEljETRulO1tyKWuP50QiYKaXk1Y0Z8SY8PZkNHpEjlCee6Nb0VBkmusIVFFoc5D7bO0TYqq9nqgrsFUTPHOhHHyCewwcTHZcISAK3Bi9AUWYwFAQUopwFDCE5rkM2Rcfo0khW+1fd7EPQysk3HJn81KnV06jc9AcOGJQkWxGfBOsBROuXJmiCZzF5jg4AK2fEjvvPm2f1S6IbIPoTyMk79eBDAZJsbS61uvRd46Ik4IhPFmgM4wcraNEzegSnaDiIgZA+bYO1t14TD/ctOGHeGt12lqWkkqcKyL9MTOuuW32sNSWsL4MWHGYmS89RrJXYalG0ql9WKEJit8UXwTkNxDZ6XHvLGMkaJBVKgaU48Mf/ejgAoqwgob7fG0cxV/YPUnVhS5ODdZ89tjxeSeQWJULmLxK0Tq3znCqQYhHS4dKXCDOXo0P7ZoA0ludVF87QLPe5V6cccPTvnEBHKDTEhBzkkS2smbz/MLacOBexkW2ypPlNgAsiyqThrdZC4O0GpX80TmNHQy4kfqcAQ30jmN5Ay4muFjAunJvWIqBZBZ7bHUR6exvjng3tU7hmzoykJ/1ful11C59ydvOkpMdERBNbtoh9xBxSe645+H6iYrESsBfRNMzdEg5FppGM2KRLQPD27c5ywQxAvjf6e6PClkmF81FlvD3FrUoQYZBmGGYLZRtKm4Dk7rk7JxvIzVpcSH5DBhlStyVH6EAG/R/3AvGbXdGcAPK3pS6DBSur6CZh86/75HOv3/CfQQj2bkmAmtMOX+x83U8ts5sINJjq8dcsU1m9RfAgasw+OFVsqYGLfJita1kYmYIvPHQlAZuuFUrm6PPFZ73Mz+u9rkpGxEGPZ2N35naULBkX0Tn8EpTaPJgyua914Yrd5foQhtD/SvfFp4TaVAQ2XsrJpHWs92oyZipmAYonB8UoifKxwBPa6dB/E7nmzZfL9+FS+3QVvDBDvI7FNLS+90TCWY949N7Luc6EPt2NVxwXpSUI4YmB4WDpAnbvO1+9U5VToXe000DClv6N3HI54lLsm2sSNZCDAJVW8it+dKQXB+SSmwExoeamcWlEpMRTIL1kcJu16CTVXtwuEmaLNiianl/XaLSDBvXynAbqaZqjtwpTSggiuIsFU8NvofflucU2IohYJRExfser8tCWBJ7+/YznNI4zH0OByIsOfys202LfIV4DYhGITgYlCZYzeR5/egxZ7Ge0ezEW/pDaUCsqyHrx8Qj+iFuTEZtBR0/sVT34sEx0QmPmcRE+jBIZkFQ/2nt2OdRgqhl66ArbAL06S7d0VD+I+fc4Z6jFhmeDg4ROYe5Zo+4vD/WBl2bPKK2sjB80IkrnJ0f/JmT/TajeRU2d1+l9cEXzz2+pxWT0SQ7MrNIVzOuyatelvSLgzdI5bRgc4Hs4nsAvb18M+joC/CgjAw8Cf1EdqnRo9k97IhhWuglx/wVYL8XLQnSLzBzv8lUXthRIJ0EaNtp8LlAkEqQAyXGpuctRO8aSjZ3WRqudGCDQ9awwgCaxPDyLILqkNlUjqr5phuk1prSPruixFFkKT3XzT57kv9CVMTEqIH/q1ukNJC353VIFUF9RhmRMiBFKUy3Cpy7vp0YVSnq+HF0pR9xttGN2gbQ6QdeB2ZpeCbfFEOdp5nFNTKpRMGNBq6CCIF5KoZA8jdneYYzTZ5b6zkCAR8Hf1hkppDnRbZhHa4SIMO9WDCv0b7o6SFkVqtTJlTJzavcLXizMf2D/lgVBmCbqrGOBYiyOhkQvIpSLBhyUmyLu6WtET51lkc/DmLhaN4MKXdKF1PQw3UblH1wtRrng/4cYo56ftgXD7m2YMqDYevNZ11pkR,iv:bIQdKQPSsaR7cY6mfTZdqQTowEcga4H9yzNANHKcNEw=,tag:oto4R2yeumVxKoPy+U2eKQ==,type:str]
kanidm-self-signed-crt: ENC[AES256_GCM,data:1+dM8NdsKcuqlCAbQBF7+gnVbeKbc6Gtr9AaBId/ehJjHDkHm4Ptg2pVSvkapjJE5TKTAOWF17lRuKgVpCfPxATBUu6RCrvnJHRcUyQiS9wuGRAlQBWICv2ygtfx6ODGaBuLEzAulxGHT69UG7IgB7XH6bPPqTNDPKduRw35KMYMpCsH/9kVpIAWp5r0hCDL9zGUnBrGyclpdwDtbowW0j5qOoCYrcj2OvQMzr9gNvOLKiIaEBnXV95WkSUbt9RSrE476Ib4uH3aXtoWkkGeZTEiFXAhf8cqVV2xP2tpJWEgl781L9Gno6D7r3A/doF8wA9GSByS4IdOJqUpEHK1+6Txl0WrkK/h9LEqHrIaTgyzz35wMXlVeBFYFsmrmZZCZHsIaPhHRoAJxfzxrz/kThBsfhaH8G5QiiRtn8DZynopSPSj5XEsN8tZvWARfiNvNLEH9RKZgtyodoxIc6+jGCQl2Pg2oKP7YWb7Xza/zVN8ZKF2dpHzPrrxUObu275Tte9PiOXKvHVSlcBZsqom6Cd8WaI0Cwsd46sZUo0nV1FBAPyYAf329D1yauwF0S+SsHR+wQxo7pAigVjTpp3CwwiKUBhf4Pnov646+idXZNbPpAHDkhuaQM1JXkxo8EFYR13lIYvlSnPC8YwzSYHyMhV9h7GZKwUwC8988Jn1vxA1Iju7s2biJMndWT0z4522iMx6Quy7Imn78Pq4V5gYanuaDiDOJyD8na18l3BNdU8+Y+8d0hM55FlquypeR+fdp9DhGQToQb6RJzMFVurvtQIvDJzyciNbx/ha+OthI1IflhiCICNhIG4vZp5RCGLNj0ZL/nV/F9wC/JxUSIiTNSpqpI1cRfCDlKooWHLryNj73I0GfeliZFNNAoQHw506bOZD4dIOi6MleqqGOPEopKS+7c8mVTIGEXARtW1UTa40zYri8q/WIV4QkiaMBMCv8giLy3CiTPucmjOlV94KjVMU/ZnEO6BPnMWGJ2MuEzF8i27DvEH3hDdrCiRvCLwyd5xdSoVL1xv41LqhBLS0kUT8pJW3zuSAYw1IGhB201X+qvEtWa+3V19VoF9oHyBh4mwvYtJxaCq1LTVfwrw8xg0pDYP8uIpbHYIClovcZ2OtVVlIZGOKeCRrOKLClbA0cS0ZrEF0S5LO3cTwLyUlHC0GrMsZzwW2JH3mShxTvTrU4ryVaYObW0nqymeCUYZn5mxVCq3Hl2MwEX0cmB6NWAweLzDc9ngiu3w07bO2czgXZjREZrPvbQ+CFmfP6XFiguTCF0qdQJ4g31oGyDWbuK1tl/mpmnnUc02/BfZkpKB7q5FY6Ig0PsvwAyuHuARAo8uBPaNFPJp1rfkmNRZ1gIb2pL0KWG6+QQt0aoZ6/f4DSsUDKlnkTyUtSGqrwg3RJA9dBeOKkikfWtbOB6tOnA4PLnxXyEzw+s4cc3H03jxRsP72TF2qVrSJLSKYpD/Gm3ULdhqWlOO42fMAowh8Dx5w6mlXHBBxtigVfZy0Fu1Y+4lB7OnPpvCGPjX22FJlgb7cIufX2ksNGOwOV+sysI8zgJCNRRrol4vTHNsVnp1B++64Z7MYjVX7mIdffzKY4jdV8RgqJLHavn1d+dKG5NxkzPXOJtrTemZfGbuSWROEjH6MdcF45NgwCY3eakWMazeo0pGJWaBIMixN2J/XzMWhEgopO4+zrp7fDV36lqV2MUySOeRZsXFOHejxTG+OHTTa00RZxsZzvzpVzQqN5hhVeQPUCLwPurJdYnuYs7hr8leQOAVxLglqs/OnbhaCWyMKRDkqPx1baY45ytCdmp8IBCzFrIbbAvRA72xUNwHCKGf4RY9QhsyrFTltyRBVPaVG0LJhVxMbtf25gYgSyooPANcUm4BI5EvdFAJx1i9xnfGzgh/JEx8eZic7Cu9xryUbuL0n95HocJAmRu0+MTUuiFlMxIfnvB1K6I3J6KJIojd+6FMCb5k8QRESCR6TK3PtsuCpBj9oJF8g/rMfKeX8reSZn1aBtI7XHqKGxk2I7lYh5wqa07nIKQkB5FRcNUJ/tQQt+mUZDxW27ELX6Oh3JLZysSMw+Y08mT/1AwF+kqA5aHjpAxUBwQQfcn+WUxu9usNE6HdXjrrrSuIVWS9m0BloIUt/MIOPHiRYNW9wx5A5SJwdLSN0G2r9VD/2a7YguXjtDSCLxiVTzoKodhXir/U868CvCprhYZrFT8po3GeNOOb5psrNpaFeI6uWJzoNn0fren9fD+eZk+HFgZVi5aT6CNy9fYYtDv16vyapSTowmmcn3OjtTeSOe2oHfkfe4TeP1BMNx8263jmCeYLipPm+mGyHHnb3cBHWgDZX3QfMlVoFKUm9p+aDiKoA6YFqmy1+9r7EvZ9QCQ66UIxMYt7e5wL4P8ukmttG90GQFNKNA86OMd4nOrtsl4c+PNCbYRxYf0qyc0ad2wyyReHvwDKOoIRSbwkVTxZrSTZA0wXW2y7ddW3K1Ld2+qBSPtIYHTHM5w==,iv:LIuJpGoxOCBX73ZyjIUl9mYVA0wcRdue8EJyfqQzcK0=,tag:5W2UVbOH3Lma99lVxDdkNw==,type:str]
kanidm-self-signed-key: ENC[AES256_GCM,data:IIi2LK13Tskk7V6jALsVYOYKgNobhUlmai1z9PwohkUUbXYpmvaB8yu56lssUb/xX9cdFHghDM8YHhS0FOe44ugDexisZRXhyxWIenGRRTJM99/RWEO4Ew04ZFWAMrCUFdDHuSThNhaLyuEm291cp0iA05W9Z/G7i3ymKlqE8Wg6HkcaxkuSek10S74SYAABbfrz/8KfZQdfN1fl8i+0UD8/n42XpT1wU45CldZfDuRjOmsRaDwDDgXageFhsN2oJuZQjA3060sMom+/DUDHPam3eYYKE9ulNcrPhJKFzB0r5RJYnLZEY+wtiYI6YMZs2x5aXAvuh+dmjD8rVWTQb9ZuuJlMvVv0PInORojMs/LyJNsxC/Rv48wY8lCIkalfAVa8TkGiptiX02kNELOsWlBuPzawynzNi6tFRn0gHQl1wSrjOJi9oPRiiV5Ru1ufmDCivHOoJlDoPZ9fqTnMf14tdUPAlSRgAho9d6yke0t0/7y0QIEQClOMaUF+xdJ+pJxXY4puesCPcw9f7R068tFNINNz42xCvSEP2VgSEa2lvFs7Uw0OKf6QZ+cFxuM85CWPE/58kShKLz0GNo1t509+sZC9aazbpsvTMacedo+m+D9aiPiX4dmkT0VK75JXlX5WEUkFL/p8ZVQ/z3m1yvtXv56iPO0mgvGHHAPy2i8khfa1hqwnFO+Z2JiG2Bcydf2I7fW3rBOQZbBINd5YVMm8qN3f7notptLP4GY+vAWm67+FwdF/YFVVseXmqipGvhjx7bw07WasBC6Cscaw3FDRDEx3LYckdfEO928Edq3G2G+Wme5uYwzvHB9fqW3w9UoFS9j5cYumbbFjPCsQUK5PZmKa4hhg4eFnn0jcUTl7/rs213iFsHWxHmzOgVlo2iIkc1eDlKGvdJRY+zqOPnwJiiqxbE3P8kpH5FObmEqY57+eUT/g1bEaqFRYEH6Wq3kONujQrTZipCyor9ai4+bYhGI4SdxEpA6eQfcyFljofNiTbDAfURjvGtLkvY1pUpimyafoYU1EIOuB+aBlIR9XE7baiX7PnidSWqhMqS5ua/eLSYmRgFAxWmpyMNPXbMj/7CL7MSaDZvIvbyXW5nHm+RzjFYU7HzP6nl0WeURUsnvY9maYJOVPsN/1p/vrQ1ezTXFGhPmiHX1K4NunVZ8bGo7bU7OO7T3e+xcrkGjZQIlZA7FpLrYwF3kIwy1WdSOUIKF4EKNvmmJr+yYq2Mkaw6dd4hua+50hGzePGYrnYBJHYTeQhhjXd+uU30bFJ7y+WmABts4oJCEoU8wScgZ3Cds0ZKu5lCgxxBGcz4P3oMagSct400WiMHZ0VQIHb1V4+prjhVJVm5hcxgfVXFEJOA44zkmD/XIsqla2CFEpL9AEoIPyBOZFY+RUnLZ/oPVGJzVfL4XvDdji0Wcvaw7FpKu5KUYs1vxloVDsMpNUJNK4snvB63ppitm7uYF5sVD+1rLAWIs8SdT+zo7bq5mUFUBSS9ZypAKQbdcprqn4myZ62CFHJbgyAxwX0fnPcvn3YBJmCuZBm9+zCNuFr1fYOhcwY+YLiXuel1UeEfmFjTU4EDiELY34EUdhxh/PqTirvBtU7JEdeOZXInHSqILOqzWsfQ4Qp6pTDQum4Qt2aRWWg0ls4b4ublXrTaz0gKoQlfyRNQN1F6d6+dYU6O4If8VRBs5TKnJ2GxJaky2XCJW7AdtnOy3XdDv+avKwFJ1yDp1rwi9iVTUI9djmJohEBCiXDEp3gzHBtNoReZV0Fo435whb4jA3NmoJEvyZpaDSQm+lF46glxDye7dvsp6WsFL9vOLiYcED/RrlRBQpI63eVRBCslNT/4tQVSiYzxnLnDpMyVmXPIBmcV3fe94on1Uvn0J1r5Jvl8GPKuZ5BZ8rqN/psxoKVuBToUTJJZu+78T+sT1cPsn0S3rOCZp+sWn0fZ64NQzaxgH8M6G5epBj8ZDY2SSbLNUa0Gj93lPoYOYWVUIUROcKuhgbWw7JFgWIe6c+jF8yQ/BOJigLr2mLeIterVlXyILZbQEm0AkV+bu9nt0QUDWiRL4h80BVu0jycgTksCyy7zRrz09fzkjrWuFmPZ0rEr3E0dJCV5uZeF7P/GKuvLTdwwn8Imb9r6oNFhCdBvVeGD2V4XzJxzf0kem45aAYwWWSMELPCzHTSvxUMUjo6tzvILeuLYrr8ztE9pim7ZIOA9xKTfQ5LF9XTBpYTfC2+aSmPNnfxnR0gbniLPb/XYur7iGM658WwPkh+1I+VaSyUBWl4HitQGa5q5T/bfSDMe+SxczcsGibIA24iCUwCSVo/jrhcGaGVVVldTFQ+nj5jD1hMVsuzvKe4MyTyHvubjYgjK39qXmLX2NInvgz7FfVLwwPzEh5LDmK3Nl46aHqRISK95BH2PusnP1z0HA+375fVsoIxmbQT7QRbovsmIf2vEU/6EB32DeyLjRIe/2lmTsfBgpm0ju7tRRNMHe61YZBC8Ed6QuTKvHp5bFmXntMQUAoRqyQQe4XFzCHago8guAdV1UkPMcFdZxN8L2D96EXKO3dpF4+6fnCo/c/yQ5+sMhwzzJYE/gV1gOJkyraxJofjUCr6+tzF99HM7x5YFzkJGhtpHtnLGXRwml7wlKH45o0MIXrNmeE6lIX29lw0wMPyq1WYF3tZ63csRzXw8HS6/zukFKM2D6r5sOz1D8zZ3AamEkQm4axsiz45pxgzwxq8uCi4kU14vFr5QOQ0n/DYr5KSUVmsSHokCfyf769NDTRhE6SZDTEjx9mJ0uzB7VAKXI+pKUd9gJhLJcsrjVF+HoDIhoYY8h9Llm+lfhKmiS/eqmo0CbPzwYQM9LljL1V7L7ydel3wxcOrRWISQF5j52KhIT4TiVQKciCH3cvgXJzJGpnjMZzeuhHEvyFhWeLmfqCGqSq74j8alwGrPPy389ofw3lQ7Lkh3F4obz2YYoFfs+6ZhFA1kKNNbf191qskiIJFbYvaKbnASfGa7iw/W0VnC7/unNswozb+q9ur3L47ZeusPUD6ZJfAqxyabmCRpCFkfpuGgxnprzB6wECD5GLp02SnZUqRS++jXoKrMBaLtj2wnyPO8m+V5BZHaqWSUzc7yDN808ttxTCHBITQds62rDqmRhvxceT6NmWrt+ztM369M2k9WNp7BcfcExVdtdfmq0nt9Ykox0IisJKyVn5k7By4WEz3rGdIkFLPTN2SGlSs63olEFd9MYM/JePFIUicnZ7fQAh87ZwYnlzbmD7KwolcM3s+B4y+dYyjpUPAcyF6qcc7Z+6Jh+Kqr6WKl3b6K726xe7XJYpYgw3pwSigzdidknDNNicu0wHRll/BpZJ2VJkes8OBpJIun2Z0WTe6aG8b3tbwMfRG4aleoImJGwWDKZQ6o4aVR0awZifVaJ4/xgX2bjPCPVY5nOEh13aNzUW1itKw20dDIb1I5fSaRP0YLVX5uHpzGFbcLW+nySTibuRph8EeYF0yrVjuoO+KPvr7InAA7zENCmJsDjkjnd9g+WR4wm73oE68/wpBCtlFGXxuhLP5RfdM7zEzK83iQksq4Eaa/xd/lV8qBAG63wolgk3spL9ZSJwe/5lHafM7aKznKuSPU8gz3X8dMeeCKEffXUQCcsBVacNKL4EVPz6KdjZQixUkOG0JDCFcAU3YfquS9SwvfbiO7x6d7rv0kQqMEexx6j+UYV5udTyPkmfz4IEvqsmU2zjIvgUEqeM2t8+I4V7PW676gbbDfQJiRqTrKhiPw7/ZDtPwxOPOKUwT3UMaOZ7i/6gLucdivJMMWAe799tK24ZQQS4ELI1xsKiRRidB7vHOMIkCYj5QdZbLqFSyR3bCLq/EolmMDWnA0yKCsY3UtrCaYVdpaNKDM0bdMhNuXXypy8wJdFr2C4juB1kUYyAA/LTskZYbyQV80b+vq8dKc5W3b5Q13Chm/wGRlisBmi8NhYXtJL8j72L/3K82bbwhHc+VLwmffxYq/zl0XZrMc/ZlLhoKHOGEDMe33SXhRDOUxchDTsblSnbybvW6EGs2IZqp1IYi3YtWkfoo2qHvnVa1OgNlpaAs7vMZ95wmvWJO3SDIJpAkGufDcgi8MPw1AyU2BLFI2PAcY9/x83jPtimVTJ2yTysC3eBZFaYPyaK0xWlAVtk+FR6oN5CvZwu/zKLNd73VOZAL2/4cMZq9PB598MLIrY+Ear2oFoINzLqv0NxUIaX/380P2327ZoUBpb5kSxyI/oAge1PjgnmV+FiInNom49YoehMRDNSCEk9n5gFghcX8VmM6DRemXKIZlj46ZXz9b1os3gc79BiHLY2OyazwP7xQGJO7/kcNJLI/wzPuVHDdqPcI3sk+IU=,iv:p7TGpmls39IYix0rHgeeV+ngkQkXybrUtKQCOF+M8rk=,tag:lNmUlYzd/zxvCfpk50TXTw==,type:str]
sops:
@ -49,8 +49,8 @@ sops:
M3FXei9menJlNjB4ZFFoQURhdHFCUjgKmkTR92+6hZ705u9I5VPyJVfD5HrLxk7m
7O1EPw9oPNSihFhl85PbQTAJWVMjRmJFFdDxz/I0XuHKE/XaNW+ijA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-09T01:43:52Z"
mac: ENC[AES256_GCM,data:pzzSwJ7kxIg4cmnS67DmXz26EKxLKzUtSFJ7vmlAdGphspYrwrRKHeKp/Rrpr15YMLUafXK9QAxeQQEIF6tQPtSLkHgYIb8xIaSRmNOR44OtWoiGBZWgTuFhQ1g2Po2Pn4EKQ2t9obPXxPA9I7EhPhIbqFepM37OQz6TX5SPEoE=,iv:UeX221QNsS6bYsETqRCDgVBNpgSX2RXUv8qWeMKWgYo=,tag:pbOUUcIhvNWv1HM6ti/FUw==,type:str]
lastmodified: "2025-07-05T11:01:02Z"
mac: ENC[AES256_GCM,data:XnLmZ65mZqoTHQfSKdvPVr+IGb1mb0nFRQLBiVPSyKfg9ABlqwsht3sykR+enDkmIk1urRewpKvPRr1YyLKAezHaE2I5CQdRwMViGTxbtN18SCqlKcL6CgGzC7UzAI8A2jVqB6D9swCx63TEOwnaWySBFnQuOog58R43rhxcJJc=,iv:U0ZMZZyuRJVAE0el0tRAdvHS7qtqU+z2kN78XEZOW2k=,tag:TrPIoG7cxLBDgG4vXJ5NiQ==,type:str]
pgp:
- created_at: "2025-06-13T18:41:14Z"
enc: |-

49
secrets/general/secrets.yaml
View file

@ -1,30 +1,21 @@
mrswarsel: ENC[AES256_GCM,data:2PA5eSGe0U8hgSxEMYgwadcISA==,iv:pR0OHRTWM5tCv8gd1F43w1EWrpO/RNEv7cdWuUW0ORo=,tag:8jVKaWLS4FmApjFchc/2cw==,type:str]
nautilus: ENC[AES256_GCM,data:lcN8hZT1MGHwSHGJdYaeUGUDaw==,iv:8wtRxFAC/axTDnrTj3LNSdXlOIuGRf0Y0NIC+lZauOw=,tag:KOgF0geY64ZP+RdkZ63h9w==,type:str]
leon: ENC[AES256_GCM,data:2EScIa4/zFoia61VeMO3HwjDCA==,iv:sPRMBtlq95i5pcffn+hJS8Cupb+aVl0cgXTobEJka5o=,tag:x70G7BdzlNGpty3qfpe/xQ==,type:str]
caldav: ENC[AES256_GCM,data:CTRi3zjtVZKjdMHGotpLYRvAN5y3wIukl6uRGJg+83iT9ihIJWZLHPFfu+0SDbrWJcdLfOf5582SJR+dEbJTM4LQ7M8CglqQ5y+JrA==,iv:4mcrEScfd/Fls6D+Ht+VyPsy0MMDdS+uTb6kUJO8zaU=,tag:UMI7Y1SY2z7/ojKjVB8yqw==,type:str]
fever: ENC[AES256_GCM,data:Bn2ejbRLzZFoNVQ=,iv:oLILnbGWtbUYLxzO8+uY7dQsdpqjn3ZxR2ds603nOA4=,tag:8yMX6TRJcQIK+JTLq2g+4w==,type:str]
restic: ENC[AES256_GCM,data:u7xDJNe8F3fF9LY=,iv:swtX7j87JL3U0QVZMMeeGMKvASOddwEATq/XmqXALPA=,tag:dlmbo1VkZea/ZaNB7ISfow==,type:str]
swarselmail: ENC[AES256_GCM,data:lLklyM5g10V169WSKYURHubCvO2eeMYVhsLjIrfl/dI=,iv:DdzbyjHv6GKeeX3f7p4/02mrctmCsxO2f/VIPf2rAd0=,tag:it7+PBO/kVbeAadHz5/YLg==,type:str]
swarseluser: ENC[AES256_GCM,data:Yauk2ZYZ6bUB0RMdsghWhhGZtZPBJvlB1K2ZKe94OGlTiDSxi+PmLU6E0fA5514228yDU7+7Rmvspxmb2Bj0tHTh1/YXJjF0zg==,iv:dLXNOLujvJs6pAD4iFlmiZZ7Xd8IyLYkIM+o2SS5xGg=,tag:nJg5K5CP7sNkY5UFpf375A==,type:str]
ernest: ENC[AES256_GCM,data:GdiiYQsECfw=,iv:8PyR5flvX867Bj8+86taO/iAhuHoIrnyiprc5xStLQU=,tag:H5NTujub0s0oQIGAc1VF1w==,type:str]
frauns: ENC[AES256_GCM,data:mBg+13ngdm0=,iv:Y9jWoBujo0/V6qZhwMzd52tUAOLkqfdq7FBIwDTomII=,tag:cBY+WGh6u7tbnChgqU2LbQ==,type:str]
hotspot: ENC[AES256_GCM,data:MDsEaOaymLw=,iv:aHkMjBNrzBVuiSyfd4FtbSkWzVxIWmj9M0Xkjn9uIek=,tag:obmIguSF4weYSEl7XuOARw==,type:str]
eduid: ENC[AES256_GCM,data:uMwW4qqTgUVrF0xE2reCDTYRg88PeX8RH5M9OLI=,iv:HN5E03mqsVADxntZF6kh9w8gIMeA8GTPtR9Q84UcUiY=,tag:1DvEWOyjUSQlgwNcsxrXig==,type:str]
edupass: ENC[AES256_GCM,data:13w+Gk+qdymEYxg=,iv:YlmNWvhMoP5040dxQm/5FixLwtmbLkURssbNLh8FqhM=,tag:elADsdJk61S+Ggw6Rdp6/g==,type:str]
handyhotspot: ENC[AES256_GCM,data:D0ssFJ9kCBY=,iv:B1iCgDRpkTuVYtr4FtCvHTQTqVN1hpAkaNZrPdlzPMw=,tag:7LGegMEfwKLm8FJtzhbQ3Q==,type:str]
vpnuser: ENC[AES256_GCM,data:ecsoOsubEkY=,iv:9tAKHXIAqe7rb8qp0VC3uQoTKJBZVoslftHYJv/t9PI=,tag:bKUGS4tPREhrYTMAIu5P2w==,type:str]
vpnpass: ENC[AES256_GCM,data:h/dCaR9QPgS20w==,iv:2MoKiVMr2vYoPMV5xHm1OBlrqoFY2b5/jLv+5K87RyM=,tag:apjl3IjW/PH6BN4CmKpASA==,type:str]
wireguardpriv: ENC[AES256_GCM,data:rY4k+Dy8qug6XXzTRZQFgAVrv4H27CndfUoup7Bprs0eXOwNeP5LOy17Flw=,iv:tT0SMBP5ldS/y70bvPixatEZ4HOw9JHXUVm1relOOBo=,tag:S1+49H+I0vY/aRnm3Srf6Q==,type:str]
wireguardpub: ENC[AES256_GCM,data:fZDkZKXjpk3sXsNHJUyrmxsU2QO0kF35bqiNZcm+s9uuSvy/g4DtDtZUCM4=,iv:URbkDw6yYQ+eHkV73NkLdQ85xfNIVztv3R3Qi6W/zBY=,tag:XG8alTNnpbdJ2zu4ZzzxKQ==,type:str]
wireguardendpoint: ENC[AES256_GCM,data:R65L/HkraRbb630YwOOuS4SoYc60,iv:M1Z8zWbWGkGrtZnPuTMXz4MznBu6bfpZP0bY7S86aHc=,tag:D8noDszpaQq5eigkCD9LKA==,type:str]
github_notif: ENC[AES256_GCM,data:bkJh1Rta3IM51NjZm+UoOaHThib7WSpW+ZxZSNazbW2WvhhM0yB0YQ==,iv:/Z4T+kiEic4iWwvAW3QjzE67uZ2LpgFCxOHAIaunKHs=,tag:Hk1LMS07UE8coTL4BS6a+A==,type:str]
stashuser: ENC[AES256_GCM,data:+fqMk2dL3g==,iv:4AVP46giHZWhzmyUhlbFdv9B8CYsa0GCDYKcoQZYo18=,tag:tJF0NaKtgEhvYz4LXtEulA==,type:str]
stashpass: ENC[AES256_GCM,data:XmPgDgvi8o1UmR4=,iv:3mOXdVXoZmj1RljFmynA6EKMVSVdCqLBgZPGtMBTREU=,tag:Tu2D/bIlTJat3Vc5hy4h0A==,type:str]
githubforgeuser: ENC[AES256_GCM,data:O3shEkYkq+u/rCy4XQ==,iv:Oq109o5dhbl7bqgbeTxT+AoqakHhxRbzPyvTtb/zJp0=,tag:/PGKc5j5e9VdZNI/w/SX5A==,type:str]
githubforgepass: ENC[AES256_GCM,data:CS1ZmDjQQIjGrmaDTzkut/tethQueEyKomc=,iv:k8MK4ItU1jUqXbEx2Ods0YvycWVF8wgLgllTx0PuWj8=,tag:zYdPReSfFF4ar5neys976w==,type:str]
gitlabforgeuser: ENC[AES256_GCM,data:SrQw69bvtYUcVSePCg==,iv:PlaTHDWJRMtf0HQCG/fVUfw+/91x3ubJKSrcEf+R/Ck=,tag:8E+ZlJE+O+mmcPjhEc/2DA==,type:str]
gitlabforgepass: ENC[AES256_GCM,data:WvUFqQtBqqlWvUWhF7x46RcjqA3RPnKSgbd3ZIr1kHO+Vmh5zUh+LA==,iv:+n2VPdLdxFFVHlzRdMCi1lyqGLH+U3RRZX/qfs42I0s=,tag:1iBorR1N1HDRtrqcAcSmvA==,type:str]
u2f_keys: ENC[AES256_GCM,data:jk1IDfO778V3MCQ8fGoO87lCmqj2Dw+vNRfT4JuWXZ6cB/ARYblnGIpEfogciXJbmYWc4MiKHcO2PkXFdCynpniU3pf3stvNYjTV/TdUpNXkAyho1OjBXwisOMFMcqF3I8yI/XpaMr+5aL6tyMLZ4wIsa0tP4FH74BxCt426uhH8YKLCXREaLRy2PFEQS2MVwKL8i41LDhrkVaJIEMZJ34rvHQqsjckjvwEtCHzBh8XVqdJXAKPq1EgR+9gTVhixwvceDsoSAC0/q2RkSfKhqhOFnj6e09GM7i+o1e98INyABHmd3OHxzTydYk6nrcJHFWIBZlushSgVI0qn+JL+e+2CF8NFtshHH7CGI7ws23n1DZz/BkjQtcfjZEnJv5uAZ9oOt4R0hOSpXn0rGQRNgo5JSMGR37ywyJlaDHmRolS6lRk/7pEdO3jCEMSwjjitWK1/iNDSgEExclQZ/cSL2svPZmwiTKrf0wm/+gbGrd+BxzJmHCopFyNG47kweyR7iMcknF/4+iJj9t2Mi+xOxYdqmQB+I6140DOqcMz9sA0tzqV+Ou6Jf4H4w9sqvI10pnw2sK7OuvFZQ442H+iLelRiZLA/ZCzDCieddLJBtqSsmgEJtJpRsiJXUzDn4CzaAFWrNvNaU/MKAAZwsPeJywmwKgjOUSdHz3YKVDhP/TDqvlzvjKYDte7+6baAYKjVNPJpMy4aQ4/m2FnUEcgRdwct3G8JCe1CORIZSFbO9fkgEgJK6WN3XyQn1nAcDGZdmS95O5Ajmj6a1f5nZQ==,iv:B/Nf1lS0gKW43Nq8QuwJD6GCzzvx35LBw1q1OmZMfF8=,tag:gVNKbyq514J1eoM03JoQYg==,type:str]
address1-token: ENC[AES256_GCM,data:2maU0sN0+blUbmZADtzpk2BKSg==,iv:7c+7QB2liu3UjKk0OiiwaYnlz2ysPuvhYTAsgMbsfOM=,tag:MgCOEcqQDIyNlLeTOnOvxQ==,type:str]
address2-token: ENC[AES256_GCM,data:jZu02PAicI7u6K2P4YsXRmr9Wg==,iv:1Ry6+r8TL04Pioph8I1r0W8MU7UFbvkap378siJxYT0=,tag:Jk+RFCmEu93C3ULkrYh3Gg==,type:str]
address3-token: ENC[AES256_GCM,data:9rotZe4tdPJpdWZMN8UMjksqlA==,iv:gVzLlM6h/+YXEi2YnJeShrczWc8Qn0lleRdJoPHbJbk=,tag:Zg59VaKgMysjYekfpbRvhw==,type:str]
address4-token: ENC[AES256_GCM,data:q1z9P0zo8/66HZOVYv2sT1bxGsIrKSQKGcM3ouX8DaE=,iv:KJFPnQoGObsiLGH1WZFdhrg6cuasLBgbZ8sQ2jiFzEc=,tag:koqwVXnA+i27IkGSeEawkQ==,type:str]
fever-pw: ENC[AES256_GCM,data:62cQ/mUFMTb63OY=,iv:RCqzwKEi7LdIegibpVe/WlTsREECy4xrqPFNini49Z8=,tag:bfmBEFj3zzmzfk4T7CfPAw==,type:str]
main-user-hashed-pw: ENC[AES256_GCM,data:RbXaVuCd8+MTFwwRGK2aJ07clDOOt5msCsEK+384WLdeJz8fjxKJcwIsIUfqlsjKG1Ands9GINlFiCHXPFBRTjnN1ih20t6InA==,iv:pLas4FuJXz5ORvKqZmXyOp9RzKse/vUFOMbw3S1B+Wk=,tag:gkZ2C/Krf53nQiPBVnZ/rw==,type:str]
wlan1-pw: ENC[AES256_GCM,data:UMKfdycQBa8=,iv:w1Cx+Tf4D/e0bXDrV55JieuF1P0fxGYyZVaaULaIfN0=,tag:Bf8mHZC0lpt4petFzgDVMg==,type:str]
wlan2-pw: ENC[AES256_GCM,data:jAcBIgg7HjA=,iv:yPYC1rVeGQPEDuYthba93zz3D1+cypmayNqOiTEx7eI=,tag:vPji0mZwR7rfexDwxww8WQ==,type:str]
laptop-hotspot-pw: ENC[AES256_GCM,data:cxWByDxQups=,iv:VyM9lZDbxu95ycpZNjjWEgyBtPbEVlESZPEiIg3G/7U=,tag:nQNRdeNmgplUr2SKzXaECA==,type:str]
mobile-hotspot-pw: ENC[AES256_GCM,data:gwIK/rhU/lA=,iv:y9G5haF3w85pdCG8r/jrGGQ3+p6fTS1ugdsF3gVzyog=,tag:3x9LTZzsRsOmxlqnGFyw0g==,type:str]
eduroam-user: ENC[AES256_GCM,data:6NTjgG2b/z9XdN5aOCYT7kG+q6wWJueqwlBd3Bg=,iv:d45GuP8pk573us9dAlMPLCh2OnJ7NfhfdyqSwaqn39o=,tag:L73CEl3ruiMOomQGaFj7BQ==,type:str]
eduroam-pw: ENC[AES256_GCM,data:6xKZzf35AIGrt1g=,iv:QzTM+VXF/2cefU6vVWr/z8+PsxFWUBbcwbGfaPE+8d4=,tag:XQoXkQXLPrtp/Eh4mzDvaw==,type:str]
pia-vpn-user: ENC[AES256_GCM,data:E8c4oYZXeIw=,iv:LjpFm6v7tTQsktzJB/qID37V0SfjwWeLFcjnJkxPeqo=,tag:63G1Q9kBaNdDo8d2d4uOag==,type:str]
pia-vpn-pw: ENC[AES256_GCM,data:0s+vppedYXfbvQ==,iv:0YWFvv6kbZyRt/IPfCWmckxFV/iLHmDPYDBoB23imA4=,tag:7unJaeC6u+9eQH8y1r8xWw==,type:str]
home-wireguard-server-public-key: ENC[AES256_GCM,data:jkg1FWzDLJJ07GpeL9KGETlCLTGQoSLpmtL+CAPh27g/IqlsdESEj4wfzfk=,iv:1LGCNa/3pJ1ycB4V72TinDRYL56yl1gnliW9zNCdL6M=,tag:vq+Wlu16hixoWxSWWe4RvA==,type:str]
home-wireguard-endpoint: ENC[AES256_GCM,data:NtJNxYWJcxz7WPBnKm4H1F4Xqbbx,iv:njNzcUfcq7lzVf2+Eky2obvg6Q/Je0UmK7eeOqmIv4w=,tag:GFfc1dh5qGzjfZquGL9z9A==,type:str]
github-notifications-token: ENC[AES256_GCM,data:RYXPsn4Lqr0sFKC2J/+LOaqvWG8u/XnrwYCIyzwA07LkRScmLK3H+A==,iv:puGxNT6MNexHfFpjLwdeOMwv5zzaO4CbUt5mOmwe5nE=,tag:cTuv3sky0ax0XZwJ9ENgPQ==,type:str]
u2f-keys: ENC[AES256_GCM,data:4UPXyOYEQR1oybxPLR3JW8ro5gTzq0YQse1lnAP020Nm4JG4ElR7iLGhEduXLZSuRcBGy9x/8FIr6UenR6vjFvlt/F+vV7WM2U6rXuUqLeplZksfvYDUi1LNVbj21DUvLddryIbXOfiya9lTPBlbCtOeT5eG2yzp9uzxkIshieH3izU8H5poR2aZiPcd5v9H3aAosrWKhUAR9V6C2s1L5CvlRxKeF0rN3eocCfLFQw9xLVPmyBpOJE6JbKaZgu/9nRB5cp7/xVgLwIvCv09liF3wwqR/O9sBzA3vaTIrZiFI7CeNG++i7HhdABCtvtVb8fh8OqtTi5J4uFRZ4eI4+t5MacVbYnAlmA2U5MHPYweXogIHWMbXZtYt3gb5yreD1+VVNxSHD8ZjkJ9JRazHEkVtDHUQUeVktArxQst7hdpfqYFXY8ZnhLGWhU6mXd/5UDanfVPWhVt4lDg0OY3W9fNM8crIR3g7vwbtxTq3w3pMG5nI/Ia2kxZjpbrIY26tb780ar0lbprCmKTpmjz3zkYFVQ4j8G0/fHJ7ndP8gOhtksPrGNhE4kdF8ORxzDnpjWBCGz7Nr7B+AJuwvgf06mRNvaNDFLA+Bq9qIAZ05bwEx+B2SUJjgdLAOkDSQGD5nJQRjUg589Mzgah7oqsmKSp4y25e29BnrbLTWzYBhzi40pkC5mNyo1yeo+D/Vl1IhQvjQGidyQBg6fxQjk9+kmBybAKTyVn/DSbnoNsl7CKkcL1J0dfP0FW7FTfpNt3gqcWvR4qcvPJagyA2fQ==,iv:31oBmnpgnLuvtlmYDe6BE3q7aLIHah2fBZmhNW43IOE=,tag:9H++b6LYoQqC5nDh8sSziw==,type:str]
#ENC[AES256_GCM,data:NoqAfw==,iv:myxrEPllN9zwXn5iCxL89qX7wSN8C0foFdxvvitq7b0=,tag:Yud5HDjWvEMrw1lMp21hMg==,type:comment]
croc-password: ENC[AES256_GCM,data:uz7vI2rrPi1uTKEks4IPnWOt/R6ydlp/cQ==,iv:ZE01XcS6nF1sqz04rC1o20l+1DpNSRVjhC40ZmTVCww=,tag:REjnDQBcDkUzLg2ZsiDUvA==,type:str]
sops:
@ -83,8 +74,8 @@ sops:
azY5dGFTUWhiQ083VlBzdVRrSmZFNTQKqoJy8eP+beb/86Dg7BLaYEmZJG2oMS/I
y1tSw+Ij5TfghzbtKcK++88L7ZPJLRocnKXftFbjutHNKmWW3+oW7Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-28T17:31:16Z"
mac: ENC[AES256_GCM,data:kNNvGXtSnsaiuvIULjyfTx3tD54w8ZlI4cl/rQn5NUymu0evCflPYvc6YtBroCby6kvWn906/hR13r5m5OQuyU6rNmouLtZpCEwThlEcIbIITkFj8KwJJyaWXw+DaNlKP4n96mwoto/xyh3kBawbntcWLsYqCBgyhmLsLaAzY1Q=,iv:T5WKzdb2fck+C29qGv8QnODq5D28/94BD5g2Zw16glU=,tag:L6SPUs4tDMpVqR8swD6C+g==,type:str]
lastmodified: "2025-07-05T11:50:26Z"
mac: ENC[AES256_GCM,data:9We7i769wGZZS3D7c1BvruKwuepeVR9NatmIAbusNvvyM417YkLgggTyzNL00XFRYC1at+Wg7wAwajoFH0Eomt1gKLC8LRqYpetGja0m3+toZwpLAk1ByrknRgeueeV/LPbKZpd0DxHYHXm1AP2zUcDYUC4jikk54Kdt9G3nfEg=,iv:2QQvQNmhQlYtXo6/O/iuMeof2Cwt6aaopLNa7PHtxQc=,tag:XELS4r3bstTxHXsyjyYBAA==,type:str]
pgp:
- created_at: "2025-06-14T18:15:57Z"
enc: |-

48
secrets/nbl-imba-2/secrets.yaml Normal file
View file

@ -0,0 +1,48 @@
home-wireguard-client-private-key: ENC[AES256_GCM,data:YL/nP4DGGjVc0wRrbJ0x+iyJfdqhE90Ws92QBl/lr3RnJzA+stcz0ey/Rk4=,iv:Ek/RVzDpcT7fqVh7OnNc9QXD3Tk/2bm6vSQDA38j+DI=,tag:G2dSpA3KZmbKAfIN+2d45w==,type:str]
sops:
age:
- recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZ3dtNEZtWVJlNDN0NzVR
MGdkNXd3VGZoNGN4MEM0YUFHTHFiN0xVQWpjCjlmNUxUbW4ralFnVTQ3SFRjQU51
Vkx4TGFaQWtOUThYRmo1T1kyZ3doOEEKLS0tIE9aQWx2VkNxL3RkTVRRd3Bjb25k
S3FUSDRTSFBxTkJUWkdoaDRCSmRJMFUKA01cibzIRlGFFxLFKBLnoKqZvLekuC0w
hA3ep81RWwZbumtMzRtjMfmw6XJQN6rGwYSQDkGjBjDdph8HX7i8kQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-05T10:37:12Z"
mac: ENC[AES256_GCM,data:RcvRagYaFGwMwrV63tffmYcA/m1GRjXpefR8Ab65jaldcWjfERiCWLFha9aQ1QlWUgSvCWbgC9/zFJkBBca1qVIvLOK1+nkI/ZjQ5rdUOJaP7mukLC3tcm+5f0Fe+GjTCDHGIZd/dUgkF+xVhN2XnFW1ExzRRt6q4a4pKvL6Ml0=,iv:EISJGqa2hQfjpu0X5wMJNZXzv0Loejj0Eb6kosXjU64=,tag:S81dIphr1rqQSO8jAZCABQ==,type:str]
pgp:
- created_at: "2025-07-05T10:36:28Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTARAAkLai8l9TxzmcB++jp16pVf1dxOLArOduzSzu2m/olZdM
wUnPzfLUH72XD52D3v4Hw4CKpgCDjEq3SDo5jdxkcAl7UHa43CY/Z5xr1WreQIET
ppHpnkX+zaFeE/uFe+Q+oYnGAIUetod0WNRsZOJKQJ31HaahOAVhM/mej7TrtuZG
DPdmbV26ZIXiqrMifqa/dG88o0arms4GqIqjkynSDcmcSEbf5q+aonAHs5kUylem
kBQKQUmbfksFgBkOBcg91ZJfK6SJgods44MVj677HfJ3Nmdmp0W1hmAi3WZtuzry
OVf09sY3Pow90q2qNeUEHJSktbj6KnBj3+BRMmZXvIR3aPYqhkQ5v6VJ0mjyq+uP
cD6Re+QDxU1SdymmLfzs+4O8gtbKmYt7DXiFy2e5m+geON1akfHfP6OgfHY9M94p
WOwV6IX0BwK1yeNLeoc7lO+yiDEZAzXqBhllKo6ckPpRa/i/V2YFP/5i/TxCK1tw
mMm5vruaEP0d3HzRzyY5rwXH8nKmGkt7MjTJtFd/uSQmy3r7cNKVdDFYaOhJt7QN
P81fYd+PBTEKcE969MkIKVjOx4qSWlkaAgWnHjgJ75Fc/CEfC/DVfdVkGkxepSqq
st+Zrr2S6DyAtrunqqwFHUrReynR7leq5R/ueyviNu6EiwT9CHLWvyA9xZvqWySF
AgwDC9FRLmchgYQBD/9kIT5mzCZRLFLwHkvKRzqCTolG977e1MIq3pGNdYSaAFPY
Z5FYnvjlV7fFbKHOZOB/BAEl2fcyElv8UjbM7L/mJkE1zHcpsmJK2OnKJPplNcK3
7MVm3/yqkjV6GtmNtTwlTFOzd+Z8Rc+303s7Mp7jaie68OCoZO21jjxkTn+xPh7s
U8yhxk1BLjsZFrPo45JdaVTrSKxsmr8c47fyNToTUuBg2zyqSxkqiNK0DToUncad
eiwgLTvTcFxuijQMcIAWCcoi+JAgIjK3XItNp8IqYFvLv4iQqDUtzLbWzhnEpqpZ
Tg6dt9JKV9TvZbwR67AnFD5QGEEys681NmrkEyrA8LuXEMTAt790hjvlCSY7RfhI
WPcUAmHUN8sFsKLiIyTRQ03PbEji2wsbq7TKBB/DuN6ivfjOLNnm9XgzMPG9sbRV
1BO+tnovcKmLn9FWiwWAyPtqFEvfITbj9qYpvAuJ6PmKUihkqfs8rh/FKgyo0gmh
Wq8s2rqOrmV0o/WVRxRTfoauCyyJSx+ENdR6KQLCDdE2eV7ocrztsJRIiPG2fXBi
0/38/S7oJgJA08uSz1egtK8lvI3MIojB+dWX0v+bonxxkYMNSbIOdZfTFBd68D23
2y2OG9e4/TvZjjSqM5+4fSnH74QzvxIqFMW5LSFw4UqhdiAk4/r8ljo3mIvLxNJc
AVGSBZJ95vR/FZM/25ojTGo2iBU7DAG+5uXXVeHSfckmVo5HjExQYqkYCm+imK4P
uzhLHz+6EPmnSTBnTMLU8W/U2i4cOxlDjpHCpjZs/BJk6g7yv+0+/BpiV4E=
=eLw3
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.10.2

6
secrets/repo/pii.nix.enc
View file

@ -1,5 +1,5 @@
{
"data": "ENC[AES256_GCM,data:7dWpQIRuyPRNk/fZH9nI3KgDPK8LcydFUrk8bpgK3454O1VkNGUkGnRuVfPRuBdXydMXphjB4BE8XLZGmrxS5GbvUUcxYmSGmgNqlYSLZBhcHoxnOlnAubckvst2Twf5ORBienNEo4x+9JjpGKhYXfYvULww8gM5N5mJN0qwqWOCrSgk7fYDGHUtJ187RqBlO6zQFSxT69fMUGSyzqpLahvZeqb0VaZ/aG0XpzgIeFkOFj7FkfSoA1JkY5ls+QIamvpBTib2yHh8kmDV2WIrQCEgLtbPCJxV8/9CZbhR/COUL1QjoQs5012XdyPzw5/3xOytEGmQc5Qhjd35JnnfKDyecYkb/nO2t2xpmklh1uNgy3CywzxnBj+K2aD8iRum6gVMH5xTwX/qs+ctz6bHnTy1fJp75kWMBDV4WErOz/5N3dzpRd3mZU4juQXbZC0ND1N/sx5U+IIusnASs5unkV5/FY0H6FLRwiV7kY6UCo72XAzQxr8FCrPrV+ElKaT+EGdeMi8voyssp8iYh+UYsd/6M5vH0prCGhHZ+6H/IPf1brehf2MLbK1GdmVcIGb+i0wzCqa3bOMkDKyPX0WXJYGcJZn6O+WeFbiv5XhaWxHm2ML13HDxWo1RHpIlYVw+n0vGgZcWPxE3YLjKzurKVoJ+ELQD8I3HTDSRC4Yr8xa/61LIv+Cr4LSs9YVAfuNdaH6ZgFPXFw4F3zG7M0vzi2jl2jFz/AGbXaOQQIn0GygPJ48F7R6CsyoK9sc2l5stZXEVf9Hj9mZV/K6xpLYIckkFLnXGBz4c6F7WwN71wrz6r2mMexCUrPscu1qiSrVURMIv5v3e6UgR/p/Kzt3LphP6pEckI1jxK4Ed/iynXVMrxWrcG+5iS+hgI7F7D+7I6SAU6vI5NnBC4DpOpSSxIehClbgpFVEyeWJIezAMCpMPfF6EkDm83fQ8NMtc3qL0rfp3ESyFZtC0kK4HjIizAPcSVthfF9qIggTxVgOCPRE+GcM8agjzI20JuJaWQ42K9Cg+2u5uNZE1ZCNoXEV0lCory5h1iD4NjT9POSb6ds7k9x/rFB4n1CB8CpnzEeKwHW1jaknGFvekrQPcUsVIDvIdxbdixqolFb5nbPZ/NBX0X3zJmoRAAO8Q6B9ywXTVYDIrAQuYoHuWQr+UM75DYaK/e/bG9K6zelaq0drg7RYA+HncvFemm/4aPGehYHn1GnCZ6Par8oGsXBzk2ux4w8jwl0P7XEQZ3n9ej0rSG07v+cci3yY7mjAyYbcmHW4CDFdryibrMNIk9z9YJwrsaT4aMWHIXXiLqBcDwTJxTbT9mCjm5OSZ4KqDQYXLR2p0sjtXrKndjxOVzlqZ3BzE3zAQQfP80BygKlwZORz/cvR35vYyMe5C45MUl31B2fGpsX33LeLk3WrkWQv72BY23og6hKoNAPSCJupmAbWkmsDNwihsDwqx3ABbVH7rWYsii+VaTLC7drG6FtW1TJELBLtsRLCmPyivVrWbrK6ENj9N8h7UOcSZpd2TWCG/SeAeetvtc5mi79Ok1jRhVtDNF+lsI6FKzT5F0Nqjcr1QRoKyQYXoBIFgDrYJuw0pef2Fxpn2OprJd43PaeUzwBdKrTRMl6xg9T2YdNDVK+Y0IjDWh5vN590ti7K855tqgoYo2/3rwgsp6a3AvyITrYortG6iCmNkMRIc1szrViYTvC890+cdUUNw5VqrefF5zrbF9tyzV8yTKW8tWuchLMr2GQ4ZNzHT5Y2vE5U3bakZrDVf6LpQYI1W5HZ5zxOHhQzQpvSjaHHY5ViDtzvH3vE7dfgeWBm5GO8P7xIzK7eN11jHcVhtDXBnsDIkclO+vPIiY18kE0+F3HLJKLLRXTPUqvgqMf19gA4zqiaJI11PpoxtdH3AHyzN7Kj0jBXGDG4F5cl3myJ1QrXv3d5YK0TpEse4Tlg+LnKxZGU8ePJru91T2tmgRb7Y6dy+VTKi+r1lMHkV2v199Oz6nfFUyc7GzcHhvM8024slpcHNi22ZpelyTWtEzWWHE/Tj1pqZDOOt/b3mbYTlfcLDY2s/agWsY2Pv00ZoV8+pYEv7r83Yv3uixibxT+CHM8M1NzIGgAXdOCrIRSJapQeGqppUJj42QS/WBQ==,iv:y6HKnzcG5fd+muvJ06NAF6IRR6MHzEP0Nfuk5SiLung=,tag:26txIqAHo5p8XEswWtJP3w==,type:str]",
"data": "ENC[AES256_GCM,data:kB5NklcPG+cHvbQfMji65/naMuXdpV/S2WH2iUm61W/cxp/OYw446K7fOwlBlbDofw7UOrY1C/G3CJdFiE2/oBd81d+P3+ofxFDxjQLPHz5FLITy0laADUGXnQIEKn4cP+/kwnNDUPC/eGYdsraeuWuPDJwcPVuyGCVoM7AiBXkBG+a31yEEiDj/SPIoSU3H6mojjpnSw/ZpW7Dl4HunGfK36hulNIvf3O7UJ2l90D5WgAabLYYJZpyu7uRivIvNZ9IouhTlyXqvkwGG+KZr/yNbPYQv08ShiqlevMn9R0571imZ8BxAA4jF1ndDH8vwl+d1J+XV8dbAVrZ6fDEYWMnD1DVXktEggjP0lOvYSRtqnlga422GcoDIvzm6isvE/CURPwbAcNyDt5CXYA+wGefyiQmwpa0ITLKIw404Bh3Ba/RHQsU+HCg7TWo6SQVzxods37iC6w0sxkd6/k4i/ZRGFUCElUsNPngz24W6qMYN2cmegZg6KwJ8yRSen4/6Oh/58n72pPOBB48pRXY/NYtkclilagUYqnBfVzKrFCNCv0yjLjEiyFtYfdz6L66rGy/VIYQHhS5uuT98IUXzXaoHyMhzL8r6/o0VX6/ZVjXvTPOXRBA9ZBw2HDMbCxCM6z808B3B5XPxNLoyEqBiFjKmKVW9uQCEPH1UJ65OkjZTarvpGw17YaJ9FDZvJbffhGlYvn9zLXdMw216B3rA8oI1sxP50JgRdxtfkRsyhOCNOudT5e1c98k7FqP3/Y3nVfWNATu5meOlEpA/07BIefh89JhmMOKQ3SEn1Ca1fLqwTDcdufLq5iODver5AXwARfwS+1O1BrRnuVpc9xFODoclCDIH67DKDCw3X/4z+B1NvK00yXZQWnN3npth57cejVHicU8r6/yBJk8temq87roTg7EPMZH1MlrSUHhFaxp2uvrn4BhjA7r5cTF1tdCXZdh1mbG3KmQ219GbDxooyFFmZu67NLe4Fspr11Qu+SCNZhQT9QOIcWH7IP/YkoHpBcGdb18Kszx7HlHl4Y3U3fa6qfF7q2HJs6hVZSeHGdBMzsQdp5QOkw/XVEb4fPRa7tPyOPSmFoaa8jwuY1j+01/kpFyXN+Gpnu5Ld0axszp0DJFHckKA6OerMPKWep9e0X/lhGb5JzoWil6ekn2EUbab6lrJ/PS00zaauO/KRK0FTXMYn5sI8Kxy9pPc4lVmZ7KvvwAi2MIXoUivoZRnLglOUchYgv+l7AeUWjgGjV8/6/Nhep8ws6ryy8zU9WEu8SpkFVQA7mjBV8g+H3pR4AjyX3KeuuhTfodpzMU3narAIzX36tZMGifE1Wxfr+/U0Tsc3KCX8STLMZzKL00drFyERGTjfRfCQ9vHNm5JiiCWA4gqoB1C0nHKFiokfkFoI842qWUrfb7/G+YFbRMidvjYAEtgO3JO1bm2aupNRS9O6v+/dn3te6j++wSkXA2yezwZ+ww+a0lxAVZ7NEafkcjqd73fq/6w/nz4NVoh6/zNxq6rAgbjNOTfMJyZqWTOBWWJvDa5GDmMzwn/+DlLkc7Y9FObLoDOOYV3tHOI2hREEhTVJtAWKx2uQ+w1YmvOOUXg5HoURPgYw5wGJVcHym/ECEAl0s8zkST8/nkfZMUW6rK8toYyEJ6MpOrLqsxAI1HvdkDgXcjvxhXwl9ZGjIswj7kP+o+NGExVHxvqT8NhtbxKnhRvnJXgbip8bNdjsZ/PFmjKqqSAQhwWXtfYNRaeCRuTduyedCwxtuktr6bRgcrJ5F2hFYpTN96aBh8Bb238bSBHbBV68dPzdwTbVl+2HIauXDCRBkJ/v9phiInYraQFZG9ifNw0rx0jyirNRjUTt8UTEz7+3Yg1oxvYdZ7odszTsHJ7bx2sCm+FFN5dtn5Fizo9otXkfV3h9l2k2wtQ6ZK0gIgCyIp28Rn97GiCGZrOWhKvbKJsqOR1LPGAUmXGhB9T4698g/5H0ArQFRvKKaIq2YoI62bwykIKmNFrWa0APWPEXGWch7bKZwQAazEW53A30V0UQ7QLSQwgO3oZghfA+K9Hgg3ujSeP5H7dQ7LrbuICJ9yLAbHi7bfPwLeGl0CgXjI1Z4OoK1rsDJKmV37uZUvSxkCN3oauIPxoTu1/GZ5FD/+o7Q/VDXhWrwgafNHKPpq5uhwKU0XDJaHvqMBP6s74+tMqkKkzomDTGPeRp+bVctwUwBHAdBuGUKN1pTL5iaT5fhnDIEiQFqHM0aEbjPWtDlsziRrinCc2iQF129YKEr4PSEuXg8lxjuiKhmL6G+JVh1djVTfA9zygsaikjArdh8Zpanq8VO/fwQtS99Lv/suJ1ws9PXqZiYn1t4SYHgIwDjv6+d/TmPYt6VzcThjjyEjlYjrFOT7TvN/1LIyiY0e1/KqLOw2/KZ0fXLTqwLLlWdRR0oewnrXmTzYRB0KoBeD/S7JvwnuTpdHw4ju0O+OLaM2lAxImnzo2HP8qNtDeCHq1EUwAk9ch4jYrwjhjWK8V9EqBSTDDPtPo22gKM62WJVn4LPWLehpZPwSO73s49DCCYTvvioR2iRsYYBinLNpgEEs9/WlHpyELZWDN8Ae0+x1R1+0R4GgVlH9frCPjQ1k8CMJuDN83Kzw9+V9qF2WQ,iv:i2EIMD409Y6wYhRwVjLtf30m2pR3JtFDqT+VnFBaTz8=,tag:03MllePz2dHzk5IW+DmvHw==,type:str]",
"sops": {
"age": [
{
@ -27,8 +27,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU240VjVRZmJ5TGsrclJF\nRXRLbTRCZURtR0Z3d2E2eDNNeGRDODlXVEY4CllTeVFYbDJQWlRSS1RFLzAxSnlM\nZi9NU1c3cWo3YWRLcUJ2U2ZFWFBBVEEKLS0tIGtmZU9qSWdBT3RDeStaaFFDSWtk\ndkUzZXJwZUl4LzVxYXdidmxXRnNnclUKyAMZqCKSY/RQvTR4bbjLaPnGKwdBcHXc\nvtiVSrLdIdzMa6id/J07TJH5UesUmcp0wjU41MDa4aMBLy+cXhuBHA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-07-02T12:38:20Z",
"mac": "ENC[AES256_GCM,data:BWXYSlrqB28us/6YghcLBkbC+HVCS9KTmnkutff4fhenldjqJkUXTDgHIyHmibeTE8bbuuypCi1xWlEykbQ0msYoz9X6MAe9MsE1HjcWUudLNNrZ8ae1Cs/vRLZfIgigwmLDkas9VL+5sTFnEpdiPbQ4Ov5GOtRUPm6HKTj9l9U=,iv:Z5dIjU0tz+efSjES7L/gIiwKHy53Xtb9K8huBmBwOag=,tag:IhVCdtC/3EdO+FRjCJKboQ==,type:str]",
"lastmodified": "2025-07-05T11:16:37Z",
"mac": "ENC[AES256_GCM,data:gdnY/T7kDdSzGR9FCrnMJdBhBgr3ruveVnMGnFFjydVeJeZCLkDYdGHxyoaywrJ/KQpx3OpIai/DwzDVQmNjNhC66cEE11xovLV37IzxXY2+2kFqeosIFMaAiA4vZuTBml9YbVMschGZypPwXn9rkjJxaFH0pVt3CJaNbaBn/tQ=,iv:LYHfq3rxkD1c4hvDl605Tp3OlQ4hSocSPnb2uynuc2g=,tag:Rtx8g+1CgIkrAcmsaI92KA==,type:str]",
"pgp": [
{
"created_at": "2025-06-13T20:13:06Z",