swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore: cleanup

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-07-14 01:08:22 +02:00
parent a8daed1d10
commit e9da090c2a
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
67 changed files with 4146 additions and 2727 deletions
Download patch file Download diff file Expand all files Collapse all files

16
.sops.yaml
View file

@ -7,6 +7,7 @@ keys:
- &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097 - &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097
- &hosts - &hosts
- &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 - &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
- &bakery age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
- &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
- &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
- &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
@ -19,6 +20,7 @@ creation_rules:
- *swarsel - *swarsel
age: age:
- *winters - *winters
- *bakery
- *toto - *toto
- *surface - *surface
- *nbl - *nbl
@ -30,6 +32,7 @@ creation_rules:
- *swarsel - *swarsel
age: age:
- *winters - *winters
- *bakery
- *toto - *toto
- *surface - *surface
- *nbl - *nbl
@ -41,6 +44,7 @@ creation_rules:
- *swarsel - *swarsel
age: age:
- *nbl - *nbl
- *bakery
- *toto - *toto
- *surface - *surface
- *winters - *winters
@ -57,6 +61,12 @@ creation_rules:
- *swarsel - *swarsel
age: age:
- *moonside - *moonside
- path_regex: secrets/bakery/secrets.yaml
key_groups:
- pgp:
- *swarsel
age:
- *bakery
- path_regex: secrets/winters/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/winters/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
- pgp: - pgp:
@ -93,6 +103,12 @@ creation_rules:
- *swarsel - *swarsel
age: age:
- *milkywell - *milkywell
- path_regex: hosts/nixos/bakery/secrets/pii.nix.enc
key_groups:
- pgp:
- *swarsel
age:
- *bakery
- path_regex: hosts/nixos/moonside/secrets/pii.nix.enc - path_regex: hosts/nixos/moonside/secrets/pii.nix.enc
key_groups: key_groups:
- pgp: - pgp:

1011
SwarselSystems.org
View file

File diff suppressed because it is too large Load diff

3
files/scripts/swarsel-bootstrap.sh
View file

@ -200,7 +200,7 @@ if [ "$disk_encryption" -eq 1 ]; then
green "Please confirm passphrase:" green "Please confirm passphrase:"
read -rs luks_passphrase_confirm read -rs luks_passphrase_confirm
if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
$ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" $ssh_root_cmd "echo '$luks_passphrase' > /tmp/disko-password"
break break
else else
red "Passwords do not match" red "Passwords do not match"
@ -277,6 +277,7 @@ if yes_or_no "Do you want to manually edit .sops.yaml now?"; then
fi fi
green "Updating all secrets files to reflect updates .sops.yaml" green "Updating all secrets files to reflect updates .sops.yaml"
sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml
sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_hostname"/secrets/pii.nix.enc
# -------------------------- # --------------------------
green "Making ssh_host_ed25519_key available to home-manager for user $target_user" green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts

25
flake.lock generated
View file

@ -755,24 +755,6 @@
"type": "github" "type": "github"
} }
}, },
"nix-secrets": {
"flake": false,
"locked": {
"lastModified": 1749481004,
"narHash": "sha256-UmA5Dx+tzYXaqPMtKucijTwV7l+U2/+fD0Twb/edcxY=",
"ref": "main",
"rev": "f7e7b03ea03dbfc8471689f0ba7a7221240e93df",
"shallow": true,
"type": "git",
"url": "ssh://git@github.com/Swarsel/nix-secrets.git"
},
"original": {
"ref": "main",
"shallow": true,
"type": "git",
"url": "ssh://git@github.com/Swarsel/nix-secrets.git"
}
},
"nix-topology": { "nix-topology": {
"inputs": { "inputs": {
"devshell": "devshell_2", "devshell": "devshell_2",
@ -883,11 +865,11 @@
}, },
"nixpkgs-dev": { "nixpkgs-dev": {
"locked": { "locked": {
"lastModified": 1751913235, "lastModified": 1752440522,
"narHash": "sha256-4iJDKcKd57CuisFTQRMTS1EfiBlwbyUzXlCkQQ63g54=", "narHash": "sha256-CInQkEG3f8XwIBQxYFhuFCT+T++JPstThfifAMD0yRk=",
"owner": "Swarsel", "owner": "Swarsel",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2c18d068b3df6bc0fb461583c327b7b94ff4df08", "rev": "1f569e3bd49502cb4ec312214662d93619cf2c54",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1387,7 +1369,6 @@
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-index-database": "nix-index-database_2", "nix-index-database": "nix-index-database_2",
"nix-on-droid": "nix-on-droid", "nix-on-droid": "nix-on-droid",
"nix-secrets": "nix-secrets",
"nix-topology": "nix-topology", "nix-topology": "nix-topology",
"nixgl": "nixgl", "nixgl": "nixgl",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",

5
flake.nix
View file

@ -73,11 +73,6 @@
url = "github:cachix/git-hooks.nix"; url = "github:cachix/git-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nix-secrets = {
url = "git+ssh://git@github.com/Swarsel/nix-secrets.git?ref=main&shallow=1";
flake = false;
inputs = { };
};
vbc-nix = { vbc-nix = {
url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main"; url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";

66
hosts/nixos/bakery/default.nix Normal file
View file

@ -0,0 +1,66 @@
{ self, config, inputs, lib, minimal, ... }:
let
primaryUser = config.swarselsystems.mainUser;
sharedOptions = {
isLaptop = true;
isNixos = true;
isBtrfs = true;
isLinux = true;
sharescreen = "eDP-1";
profiles = {
reduced = lib.mkIf (!minimal) true;
minimal = lib.mkIf minimal true;
};
};
in
{
imports = [
inputs.nixos-hardware.nixosModules.common-cpu-intel
./disk-config.nix
./hardware-configuration.nix
];
swarselsystems = lib.recursiveUpdate
{
info = "Lenovo ThinkPad";
firewall = lib.mkForce true;
wallpaper = self + /files/wallpaper/lenovowp.png;
hasBluetooth = true;
hasFingerprint = true;
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = true;
rootDisk = "/dev/nvme0n1";
swapSize = "4G";
hostName = config.node.name;
profiles = {
btrfs = true;
};
}
sharedOptions;
home-manager.users."${primaryUser}" = {
# home.stateVersion = lib.mkForce "23.05";
swarselsystems = lib.recursiveUpdate
{
lowResolution = "1280x800";
highResolution = "1920x1080";
monitors = {
main = {
name = "LG Display 0x04EF Unknown";
mode = "1920x1080"; # TEMPLATE
scale = "1";
position = "1920,0";
workspace = "15:L";
output = "eDP-1";
};
};
}
sharedOptions;
};
}

122
hosts/nixos/bakery/disk-config.nix Normal file
View file

@ -0,0 +1,122 @@
{ lib, pkgs, config, rootDisk, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
environment.systemPackages = [
pkgs.yubikey-manager
];
}

23
hosts/nixos/bakery/hardware-configuration.nix Normal file
View file

@ -0,0 +1,23 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

22
hosts/nixos/bakery/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,22 @@
{
"data": "ENC[AES256_GCM,data:M8uEE2uxhHHh5UdLO+J18EMVWm+9FCR2BHMJ3P0Il4h+0CqWOS27aVWPjI2lIt+jw5svt5kVbTIzwvw1GmEdcXzJrE9yZ0eKkXSm/TYQQZhlmcPcNeJyDf/bLivwExKicRy2JR2KNyAoiW5gISF7nkUv10EnM60mzH2RftPijvdgSTmdoNu/9Q0J3M46k+EVGO370NXT89eSbhFMS4r6M94vKaA=,iv:C4ELLFaF9yFfDH+g/TwQtRm1DuRtIAxcI55I0mpKd70=,tag:jLWAD2pLkqzekJipf/Rc5Q==,type:str]",
"sops": {
"age": [
{
"recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaGtCbDBYaDZTMUhhbTY2\nbk45NWRPZU5nWmh5M0ZDNGF2Q09rNHNzRGhzCjh1d3pLRnRtZjVnaG1oN0daOXRy\nUzVFd3QzVTBib29QbGN4cXNheVRCNWcKLS0tIFlielcwODk4MjFsS29ybXNDMm5y\nN01aaHBFN0VPdTNrMzJNaE9NRG9KRnMKNV4rqYphPTyXF5m+qNq10aIov8quVh2Y\nALelTPRpD/hMYou/s8Ro49GHNNNKeV9J+4Tvq1QEmIIdvjFLy9AS9A==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-07-10T15:25:21Z",
"mac": "ENC[AES256_GCM,data:pMWJo+JuSgs7RE+rc6vB1u/V3kfQzRjknxIMkNNJCcBp2WVoz84BZ23oruaB2Z/ZSO9zpaQMHkuAqGZU7CuvZ1JvECHWov5fRkXDPeaeIVw3dtof1XzH5plRmAUzabrmEzrGSnwJrJ6DRlAhrq2gDyyIY4qmUeySc7zgR7QVf0o=,iv:iCM7ulRAP5FYyR/z7CSDRYMsm2Gjs7qWLChtslGfzO4=,tag:QJ2Lxmwvgd+ILHeYhMvmwg==,type:str]",
"pgp": [
{
"created_at": "2025-07-10T23:51:27Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAmKgk+exHX36+IkSQC03yiRpEKpmkqt+FcGsbDMonTyow\nmvhmwSc7UscNOgOQYDYA66vMCWE2Ij9gxFJNpPG3rXFiC11XN1/pq+Jy3Qvk3DNV\ntnXgwDvSt7Ry7FThXnPiJAkcjwYNeTniyjzKcUmXA+yEJAlswjGjH6uP/Nvkeo2n\np+OvRQc0cXHBSTbnIq4dHaqVlp1JWOQgtZVrIgwN/rv3xvDPE2E2dmCc9hUg83vk\naUT7fDo8v5hWwJJO7Q6OvECKw/D4jWTxnBP1nS3a66shkpcC7lpYQjE6AtAM3AbY\nB84rat/Tff6ZcmtxMvIa62vfwrfSh/00DmRlPkIe1KlbjrV1kafzbySjI7q1vy2l\neZL7/Zi49fy/KudQ+/OOMC/PlhGLYGtEo3sNmLY7pfBNuMmwjYQ0K/1kKQ8XXJDw\nbWQDP+8aeIKKciLy07NW5Fd5gc5S1exSFHDQyhCXjdUcPk3cTfnEvMP/T1bCNCaD\nGxy6IEifdJvYNeWyaxgbKzsLmz8kTd6wPj/v0BIdL+dy3/a/4SVLR9r7Qn3bMgkc\nb1wVY4XDyt6LPnwVY3UOFPSCVckGb8NRnciKOj1TnsaYI6xEQ0ObuuAedVJQj0wF\n5OqYrwnH+riiLFMVzsEspNQNlMTRY86zPIxuNe8qPDdVL5CotAoobzdmr9cc75uF\nAgwDC9FRLmchgYQBD/4ntfP9dGtNzb9BjR6NEmdqJDIS37lHCc6ts/f86VCiy0tk\nhdtVdZ7sYdFvzkGimfmcbsVJ5VOPK6S82L0xUlROCax1bVkjK8VjqppUbTxQMgWh\nek7pPzE66MJzXlpqGgmRHgLuV0yhTqz9TGbTetjYYlWiOGMGYHwvxMLnvTvQIbJb\nBwtpbK0SEu7ODMn1mGtWpzkVI9rDeCW/FT0bBj1KvkWBWbCVFCSVGjmxuWcFgRs/\nc3aNA/DLQMsX7TzvqiY+dXLdp9/vuyqIf+qzC8IIrI5fskzaVfjP+OzeAVTXeI/f\nYsgvF31Z+DfMAFQ7dnAQ56Ys/oSdNTaAnhfFjI4S40qw0SfZdTWzUm9IjhnZKgaU\nNV9V3b2D7nr64JxutHzYiJemlB4Oy+HhqMQR3AYeMDX3hEG1Xt7splkBLdXccIEe\nGTOoaIffV1QUAB2M9PVyidpLf98Ii9s8Mr2OUcQsYiJy7jNXTudx50mnIhmBSDPN\nk/RSFoMo0+v7jC7lWkfWhvunUJrJ37zNSEHZcJo7Wj+SflqZDI/QRQAez6xRF6ih\nzgFfAgNSDAkbymvju7I6V9TEOw8rLdlXLlBNd+GAy0S2HfNIN8lx2tVnP++zP54C\nhdEDMU+uKp98Wu1fVuMipzjfPqJ0lpNj9M2+ma3q3w1L4YbMa+nVEK4/mmP0e9Jc\nAdvTsgHHFgN5KOwmZkQdAhKJ89cwcGUwZwn/gO7pEGoOw6WaHIIE6ueOiThfkXm/\nWIe1AC/JQapdMlvmF+2Rf51RmSkWX3/vtFPNkWvgkGgCely/eDXRK/si+kk=\n=ep9e\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

148
hosts/nixos/milkywell/default.nix
View file

@ -1,165 +1,46 @@
{ lib, config, globals, ... }: { lib, config, minimal, ... }:
let let
primaryUser = config.swarselsystems.mainUser; primaryUser = config.swarselsystems.mainUser;
sharedOptions = { sharedOptions = {
isBtrfs = false; isBtrfs = true;
isLinux = true; isLinux = true;
isNixos = true;
};
profiles = {
minimal = lib.mkIf minimal true;
}; };
inherit (config.repo.secrets.common) workHostName;
inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
serviceDomain = config.repo.secrets.common.services.domains.syncthing2;
in in
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./disk-config.nix
]; ];
sops = {
defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/milkywell/secrets.yaml";
};
boot = { boot = {
loader.systemd-boot.enable = true;
tmp.cleanOnBoot = true; tmp.cleanOnBoot = true;
loader.grub.device = "nodev";
}; };
zramSwap.enable = false;
networking = { networking = {
nftables.enable = lib.mkForce false; nftables.enable = lib.mkForce false;
hostName = "milkywell"; hostName = "milkywell";
enableIPv6 = false; enableIPv6 = true;
domain = "subnet03112148.vcn03112148.oraclevcn.com"; domain = "subnet03112148.vcn03112148.oraclevcn.com";
firewall = {
allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ];
allowedUDPPorts = [ 21027 22000 ];
extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
'';
};
}; };
hardware = { hardware = {
enableAllFirmware = lib.mkForce false; enableAllFirmware = lib.mkForce false;
}; };
system.stateVersion = "23.11";
globals.services."syncthing-${config.networking.hostName}".domain = serviceDomain;
services = {
nginx = {
virtualHosts = {
${serviceDomain} = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://localhost:8384";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
syncthing = {
enable = true;
guiAddress = "0.0.0.0:8384";
openDefaultPorts = true;
relay.enable = false;
settings = {
urAccepted = -1;
devices = {
"magicant" = {
id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
};
"winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
};
"${workHostName}" = {
id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB";
};
"${dev1}" = {
id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7";
};
"${dev2}" = {
id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH";
};
"${dev3}" = {
id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR";
};
};
folders = {
"Default Folder" = lib.mkForce {
path = "/var/lib/syncthing/Sync";
type = "receiveonly";
versioning = null;
devices = [ "winters" "magicant" "${workHostName}" ];
id = "default";
};
"Obsidian" = {
path = "/var/lib/syncthing/Obsidian";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" "${workHostName}" ];
id = "yjvni-9eaa7";
};
"Org" = {
path = "/var/lib/syncthing/Org";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" "${workHostName}" ];
id = "a7xnl-zjj3d";
};
"Vpn" = {
path = "/var/lib/syncthing/Vpn";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" "${workHostName}" ];
id = "hgp9s-fyq3p";
};
"${loc1}" = {
path = "/var/lib/syncthing/${loc1}";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "3";
};
devices = [ dev1 dev2 dev3 ];
id = "5gsxv-rzzst";
};
};
};
};
};
swarselsystems = lib.recursiveUpdate swarselsystems = lib.recursiveUpdate
{ {
info = "VM.Standard.E2.1.Micro"; info = "VM.Standard.E2.1.Micro";
flakePath = "/root/.dotfiles"; isImpermanence = true;
isImpermanence = false;
isSecureBoot = false; isSecureBoot = false;
isCrypted = false; isCrypted = true;
isSwap = true;
rootDisk = "/dev/sda";
swapSize = "4G";
profiles = { profiles = {
server.syncserver = true; server.syncserver = true;
}; };
@ -167,7 +48,6 @@ in
sharedOptions; sharedOptions;
home-manager.users."${primaryUser}" = { home-manager.users."${primaryUser}" = {
home.stateVersion = lib.mkForce "23.05";
swarselsystems = lib.recursiveUpdate swarselsystems = lib.recursiveUpdate
{ } { }
sharedOptions; sharedOptions;

98
hosts/nixos/milkywell/disk-config.nix Normal file
View file

@ -0,0 +1,98 @@
# NOTE: ... is needed because dikso passes diskoFile
{ lib
, config
, rootDisk
, ...
}:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}

16
hosts/nixos/milkywell/hardware-configuration.nix
View file

@ -10,22 +10,6 @@
extraModulePackages = [ ]; extraModulePackages = [ ];
}; };
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a";
fsType = "xfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/2B75-2AD5";
fsType = "vfat";
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction

7
hosts/nixos/moonside/default.nix
View file

@ -3,10 +3,12 @@ let
primaryUser = config.swarselsystems.mainUser; primaryUser = config.swarselsystems.mainUser;
inherit (config.repo.secrets.common) workHostName; inherit (config.repo.secrets.common) workHostName;
inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
inherit (config.swarselsystems) sopsFile;
serviceDomain = config.repo.secrets.common.services.domains.syncthing3; serviceDomain = config.repo.secrets.common.services.domains.syncthing3;
sharedOptions = { sharedOptions = {
isBtrfs = true; isBtrfs = true;
isNixos = true;
isLinux = true; isLinux = true;
}; };
in in
@ -18,9 +20,9 @@ in
sops = { sops = {
age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml"; # defaultSopsFile = lib.mkForce "/home/swarsel/.dotfiles/secrets/moonside/secrets.yaml";
secrets = { secrets = {
wireguard-private-key = { }; wireguard-private-key = { inherit sopsFile; };
}; };
}; };
@ -210,7 +212,6 @@ in
swarselsystems = lib.recursiveUpdate swarselsystems = lib.recursiveUpdate
{ {
info = "VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM"; info = "VM.Standard.A1.Flex, 4 OCPUs, 24GB RAM";
flakePath = "/home/swarsel/.dotfiles";
isImpermanence = true; isImpermanence = true;
isSecureBoot = false; isSecureBoot = false;
isCrypted = false; isCrypted = false;

6
hosts/nixos/moonside/secrets/pii.nix.enc
View file

@ -1,5 +1,5 @@
{ {
"data": "ENC[AES256_GCM,data:CmkNQJe2siUanybNt9Nv8JSsOnJuoLUOpAPXbACPQFLc4YL9u5R9wImwbbOOgXGfVl8hQwYS5dc+2nu4kj11zdT4mCe62/fO+HgIMBEbU/c0zGZj2hjArJYBkOCHQYu1IzgXdACyamJ9s3MVe0xGJUkwK93X+89YQpc=,iv:9tzNWIk10A4w986fo6pkpaUvo4+y5+RD+OmBksy9TbU=,tag:r5Dlv/HGwtlAdKp3HsKiMg==,type:str]", "data": "ENC[AES256_GCM,data:Wk3OGKwcuY72VLL+SBYXZUqxTQ8SlYroF4H81YDGMUZu6gt6ialXNvAsZSmYyFNh+3p+ejvzqMO5mxbvAI9tKAvbdamtfO4Pi3A+sNvJ9XSLE9iLAdfWeoT2qLqGPgkXI1SGDof+FP5yIb36C8Um9P4hE3zaE+UdJBk0qgzlc1Zlq2Pdg0TGU6wwJQkRhZIDun1wabeqGWjLrBqUa9VPfNB1El63q/1rhP5v3m6tI7dXt0SQArTtbPWkkHHYPehObG6Q5s4Cm2QrWGpbK+R6xe5F+nEv4+dOuSkZgOB2HsOjzenjp/slqoZTCJYnKT5IDkFQaj5G8YftySyNE/OguMW6atCgulSygwaeuFsnjMNxxsHssrTndNe22jpTTrh2Odp9BT7oRiZPPR8zj/Z3hpLYca24X4oSlZLD0PFEExQNir6V7eT0gH6Paj7wz2rYeYKB8focatLNAwug7L6lWxnr/pw8IXCrfx4ZHw7VYn4hf/KF4isrPju6XW0u2wuiIVlJfOUXZXONmJULB6biftgZapveIMy1oHaabyuIIxkKGParhSUfj6/8/qPVftVFYotdlAy9oNRpZ8JG8z8Sf34etu9Fi7uzcZySKU9e8cU43o6kAo+r39RHRDuhUmYP0ocN2bdlTAkhPoFccK2A1Qx+W/+EwQr55mb5NCH95AVh2QX0SwWgD79FV7EYGN7iVEc+duV5YH8Qy37f6ebehQy+mZGFqCZ5s7Cqy7ChypB476qDqh82qp4K5Uv2NwoF7TT9REzjU0cbRseFbC77AgEUNvfHpHvLBTsw5Y4963GefSKltNHxKROboBfLkaGFHNOlQ8sHIY+vd5Y=,iv:g9iNn/sH7CtxcT4SeI8/DFG8BPIIoseYTuprGEQPqJ8=,tag:SuV+seYm30JAMN7QbdDl9g==,type:str]",
"sops": { "sops": {
"age": [ "age": [
{ {
@ -7,8 +7,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2025-06-13T17:33:11Z", "lastmodified": "2025-07-08T00:23:59Z",
"mac": "ENC[AES256_GCM,data:/PDAd2LB2n3gwnaYaUHDHT/Ze1YxXTA0wDxAZEc72B9DQO8trN0XISSqQ3YbopOy8J7wZu/HveX5nx4zoCPKcrMtqtFtlyviAE5Afl+3XcgKcNOGK/0yCq1fAD6q8Lfsl/t/5/4qXA5jlhobVmsDFfXJ8woYqCLijZXNNkc3X+w=,iv:Q9yngw0Z6aS1aB/iF6+oFoCYg1yN+mNKEsv8zaX4ba0=,tag:470JaIY68O3NublQLYw7GA==,type:str]", "mac": "ENC[AES256_GCM,data:Db2w9giZy+TyXp2hpMN1h7ZgBaJ4WiAN2P6IFaoXufOlxT2uwulbzDMYFoUm9jcdFc8zqnYCvttosJIzyjevY5up9gDarzTu+43XFrTxYqPdgRBzzvxSeXmKqDnngAvv/qOWfzt7TG1IzpyytHX/DEPHvPM9dWgut/1K6Eq94Hs=,iv:WoWAAjse1kyn9IGX4kqCl3zvq4kXEMkfTjAi2j5OCFs=,tag:xco/8fudn2kCLnFa8mUIsA==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2025-06-13T20:12:55Z", "created_at": "2025-06-13T20:12:55Z",

1
hosts/nixos/winters/default.nix
View file

@ -4,6 +4,7 @@ let
sharedOptions = { sharedOptions = {
isBtrfs = false; isBtrfs = false;
isLinux = true; isLinux = true;
isNixos = true;
profiles = { profiles = {
server.local = true; server.local = true;
}; };

1872
index.html
View file

File diff suppressed because it is too large Load diff

1
install/installer-config.nix
View file

@ -81,6 +81,7 @@ in
curl curl
git git
gnupg gnupg
networkmanager
rsync rsync
ssh-to-age ssh-to-age
sops sops

6
modules/home/common/env.nix
View file

@ -1,7 +1,7 @@
{ lib, config, globals, ... }: { lib, config, globals, nixosConfig, ... }:
let let
inherit (config.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
inherit (config.repo.secrets.common) fullName; inherit (nixosConfig.repo.secrets.common) fullName;
crocDomain = globals.services.croc.domain; crocDomain = globals.services.croc.domain;
in in
{ {

4
modules/home/common/gammastep.nix
View file

@ -1,6 +1,6 @@
{ lib, config, ... }: { lib, config, nixosConfig, ... }:
let let
inherit (config.repo.secrets.common.location) latitude longitude; inherit (nixosConfig.repo.secrets.common.location) latitude longitude;
in in
{ {
options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings"; options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings";

6
modules/home/common/git.nix
View file

@ -1,7 +1,7 @@
{ lib, config, globals, minimal, ... }: { lib, config, globals, minimal, nixosConfig, ... }:
let let
inherit (config.repo.secrets.common.mail) address1; inherit (nixosConfig.repo.secrets.common.mail) address1;
inherit (config.repo.secrets.common) fullName; inherit (nixosConfig.repo.secrets.common) fullName;
gitUser = globals.user.name; gitUser = globals.user.name;
in in

6
modules/home/common/mail.nix
View file

@ -1,7 +1,7 @@
{ lib, config, ... }: { lib, config, nixosConfig, ... }:
let let
inherit (config.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host; inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host;
inherit (config.repo.secrets.common) fullName; inherit (nixosConfig.repo.secrets.common) fullName;
inherit (config.swarselsystems) xdgDir; inherit (config.swarselsystems) xdgDir;
in in
{ {

8
modules/home/common/sharedsetup.nix
View file

@ -1,4 +1,4 @@
{ self, lib, pkgs, globals, minimal, ... }: { self, config, lib, pkgs, globals, minimal, ... }:
{ {
options.swarselsystems = { options.swarselsystems = {
isLaptop = lib.mkEnableOption "laptop host"; isLaptop = lib.mkEnableOption "laptop host";
@ -11,6 +11,10 @@
type = lib.types.str; type = lib.types.str;
default = if (!minimal) then globals.user.name else "swarsel"; default = if (!minimal) then globals.user.name else "swarsel";
}; };
sopsFile = lib.mkOption {
type = lib.types.str;
default = "${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
};
homeDir = lib.mkOption { homeDir = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "/home/swarsel"; default = "/home/swarsel";
@ -43,8 +47,6 @@
stylix = lib.mkOption { stylix = lib.mkOption {
type = lib.types.attrs; type = lib.types.attrs;
default = { default = {
enable = true;
base16Scheme = "${self}/files/stylix/swarsel.yaml";
polarity = "dark"; polarity = "dark";
opacity.popups = 0.5; opacity.popups = 0.5;
cursor = { cursor = {

4
modules/home/common/ssh.nix
View file

@ -14,6 +14,10 @@
hostname = "192.168.1.1"; hostname = "192.168.1.1";
user = "root"; user = "root";
}; };
"bakery" = {
hostname = "192.168.1.136";
user = "root";
};
"winters" = { "winters" = {
hostname = "192.168.1.2"; hostname = "192.168.1.2";
user = "root"; user = "root";

3
modules/home/common/swayosd.nix
View file

@ -1,9 +1,10 @@
{ lib, config, ... }: { lib, pkgs, config, ... }:
{ {
options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings"; options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings";
config = lib.mkIf config.swarselsystems.modules.swayosd { config = lib.mkIf config.swarselsystems.modules.swayosd {
services.swayosd = { services.swayosd = {
enable = true; enable = true;
package = pkgs.dev.swayosd;
topMargin = 0.5; topMargin = 0.5;
}; };
}; };

6
modules/home/common/yubikey.nix
View file

@ -1,4 +1,4 @@
{ lib, config, ... }: { lib, config, nixosConfig, ... }:
let let
inherit (config.swarselsystems) homeDir; inherit (config.swarselsystems) homeDir;
in in
@ -13,8 +13,8 @@ in
pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) { pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
ids = [ ids = [
config.repo.secrets.common.yubikeys.dev1 nixosConfig.repo.secrets.common.yubikeys.dev1
config.repo.secrets.common.yubikeys.dev2 nixosConfig.repo.secrets.common.yubikeys.dev2
]; ];
}; };
}; };

23
modules/home/optional/work.nix
View file

@ -1,7 +1,6 @@
{ self, config, pkgs, lib, ... }: { self, config, pkgs, lib, nixosConfig, ... }:
let let
inherit (config.swarselsystems) homeDir; inherit (config.swarselsystems) homeDir;
inherit (config.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
in in
{ {
options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings"; options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings";
@ -39,14 +38,24 @@ in
}; };
}; };
stylix.targets.firefox.profileNames = [ stylix = {
targets.firefox.profileNames =
let
inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
in
[
"${user1}" "${user1}"
"${user2}" "${user2}"
"${user3}" "${user3}"
"work" "work"
]; ];
};
programs = { programs =
let
inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
in
{
git.userEmail = lib.mkForce gitMail; git.userEmail = lib.mkForce gitMail;
zsh = { zsh = {
@ -282,7 +291,11 @@ in
}; };
}; };
xdg = { xdg =
let
inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
in
{
mimeApps = { mimeApps = {
defaultApplications = { defaultApplications = {
"x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];

7
modules/nixos/client/default.nix
View file

@ -1,10 +1,7 @@
{ lib, inputs, ... }: { lib, ... }:
let let
importNames = lib.swarselsystems.readNix "modules/nixos/client"; importNames = lib.swarselsystems.readNix "modules/nixos/client";
in in
{ {
imports = lib.swarselsystems.mkImports importNames "modules/nixos/client" ++ [ imports = lib.swarselsystems.mkImports importNames "modules/nixos/client";
inputs.stylix.nixosModules.stylix
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
];
} }

9
modules/nixos/client/network.nix
View file

@ -1,11 +1,10 @@
{ self, lib, pkgs, config, ... }: { self, lib, pkgs, config, ... }:
let let
certsSopsFile = self + /secrets/certs/secrets.yaml; certsSopsFile = self + /secrets/certs/secrets.yaml;
clientSopsFile = self + /secrets/${config.networking.hostName}/secrets.yaml; clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
inherit (config.swarselsystems) mainUser; inherit (config.swarselsystems) mainUser;
inherit (config.repo.secrets.common.network) wlan1 wlan2 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon; inherit (config.repo.secrets.common.network) wlan1 wlan2 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips;
iwd = config.networking.networkmanager.wifi.backend == "iwd"; iwd = config.networking.networkmanager.wifi.backend == "iwd";
in in
@ -91,7 +90,11 @@ in
environmentFiles = [ environmentFiles = [
"${config.sops.templates."network-manager.env".path}" "${config.sops.templates."network-manager.env".path}"
]; ];
profiles = { profiles =
let
inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips;
in
{
${wlan1} = { ${wlan1} = {
connection = { connection = {
id = wlan1; id = wlan1;

5
modules/nixos/client/nvd-rebuild.nix
View file

@ -2,6 +2,11 @@
{ {
options.swarselsystems.modules.nvd = lib.mkEnableOption "nvd config"; options.swarselsystems.modules.nvd = lib.mkEnableOption "nvd config";
config = lib.mkIf config.swarselsystems.modules.nvd { config = lib.mkIf config.swarselsystems.modules.nvd {
environment.systemPackages = [
pkgs.nvd
];
system.activationScripts.diff = { system.activationScripts.diff = {
supportsDryActivation = true; supportsDryActivation = true;
text = '' text = ''

1
modules/nixos/client/packages.nix
View file

@ -75,6 +75,7 @@
elk-to-svg elk-to-svg
] ++ lib.optionals minimal [ ] ++ lib.optionals minimal [
networkmanager
curl curl
git git
gnupg gnupg

12
modules/nixos/client/stylix.nix
View file

@ -1,13 +1,17 @@
{ lib, config, ... }: { self, lib, config, ... }:
{ {
options.swarselsystems.modules.stylix = lib.mkEnableOption "stylix config"; options.swarselsystems.modules.stylix = lib.mkEnableOption "stylix config";
config = lib.mkIf config.swarselsystems.modules.stylix { config = {
stylix = lib.recursiveUpdate stylix = {
enable = true;
base16Scheme = "${self}/files/stylix/swarsel.yaml";
} // lib.optionalAttrs config.swarselsystems.modules.stylix
(lib.recursiveUpdate
{ {
targets.grub.enable = false; # the styling makes grub more ugly targets.grub.enable = false; # the styling makes grub more ugly
image = config.swarselsystems.wallpaper; image = config.swarselsystems.wallpaper;
} }
config.swarselsystems.stylix; config.swarselsystems.stylix);
home-manager.users."${config.swarselsystems.mainUser}" = { home-manager.users."${config.swarselsystems.mainUser}" = {
stylix = { stylix = {
targets = config.swarselsystems.stylixHomeTargets; targets = config.swarselsystems.stylixHomeTargets;

6
modules/nixos/client/swayosd.nix
View file

@ -2,8 +2,8 @@
{ {
options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings"; options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings";
config = lib.mkIf config.swarselsystems.modules.swayosd { config = lib.mkIf config.swarselsystems.modules.swayosd {
environment.systemPackages = [ pkgs.swayosd ]; environment.systemPackages = [ pkgs.dev.swayosd ];
services.udev.packages = [ pkgs.swayosd ]; services.udev.packages = [ pkgs.dev.swayosd ];
systemd.services.swayosd-libinput-backend = { systemd.services.swayosd-libinput-backend = {
description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc."; description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc.";
documentation = [ "https://github.com/ErikReider/SwayOSD" ]; documentation = [ "https://github.com/ErikReider/SwayOSD" ];
@ -14,7 +14,7 @@
serviceConfig = { serviceConfig = {
Type = "dbus"; Type = "dbus";
BusName = "org.erikreider.swayosd"; BusName = "org.erikreider.swayosd";
ExecStart = "${pkgs.swayosd}/bin/swayosd-libinput-backend"; ExecStart = "${pkgs.dev.swayosd}/bin/swayosd-libinput-backend";
Restart = "on-failure"; Restart = "on-failure";
}; };
}; };

15
modules/nixos/common/home-manager.nix
View file

@ -6,23 +6,24 @@
useGlobalPkgs = true; useGlobalPkgs = true;
useUserPackages = true; useUserPackages = true;
verbose = true; verbose = true;
sharedModules = [ users.swarsel.imports = [
inputs.nix-index-database.hmModules.nix-index inputs.nix-index-database.hmModules.nix-index
inputs.sops-nix.homeManagerModules.sops inputs.sops-nix.homeManagerModules.sops
# inputs.stylix.homeModules.stylix
{ {
imports = [ imports = [
"${self}/profiles/home" "${self}/profiles/home"
"${self}/modules/home" "${self}/modules/home"
"${self}/modules/nixos/common/pii.nix" # "${self}/modules/nixos/common/pii.nix"
"${self}/modules/nixos/common/meta.nix" # "${self}/modules/nixos/common/meta.nix"
]; ];
node = { # node = {
secretsDir = if config.swarselsystems.isNixos then ../../../hosts/nixos/${configName}/secrets else ../../../hosts/home/${configName}/secrets; # secretsDir = if (!config.swarselsystems.isNixos) then ../../../hosts/home/${configName}/secrets else ../../../hosts/nixos/${configName}/secrets;
}; # };
home.stateVersion = lib.mkDefault config.system.stateVersion; home.stateVersion = lib.mkDefault config.system.stateVersion;
} }
]; ];
extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal; }; extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal configName; };
}; };
}; };
} }

7
modules/nixos/common/lanzaboote.nix
View file

@ -1,7 +1,12 @@
{ lib, config, minimal, ... }: { lib, pkgs, config, minimal, ... }:
{ {
options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config"; options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config";
config = lib.mkIf config.swarselsystems.modules.lanzaboote { config = lib.mkIf config.swarselsystems.modules.lanzaboote {
environment.systemPackages = lib.mkIf config.swarselsystems.isSecureBoot [
pkgs.sbctl
];
boot = { boot = {
loader = { loader = {
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;

4
modules/nixos/common/settings.nix
View file

@ -54,7 +54,9 @@ in
config = lib.mkIf config.swarselsystems.modules.general config = lib.mkIf config.swarselsystems.modules.general
(lib.recursiveUpdate (lib.recursiveUpdate
{ {
sops.secrets.github-api-token = lib.mkIf (!minimal) { }; sops.secrets.github-api-token = lib.mkIf (!minimal) {
sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
};
nix = { nix = {
package = pkgs.nixVersions.nix_2_28; package = pkgs.nixVersions.nix_2_28;

12
modules/nixos/server/ankisync.nix
View file

@ -1,5 +1,7 @@
{ self, lib, config, globals, ... }: { self, lib, config, globals, ... }:
let let
inherit (config.swarselsystems) sopsFile;
servicePort = 27701; servicePort = 27701;
serviceName = "ankisync"; serviceName = "ankisync";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
@ -12,11 +14,11 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ]; networking.firewall.allowedTCPPorts = [ servicePort ];
sops.secrets.swarsel = { owner = "root"; }; sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; };
topology.self.services.${serviceName} = { topology.self.services.anki = {
name = lib.mkForce "Anki Sync Server"; name = lib.mkForce "Anki Sync Server";
icon = "${self}/files/topology-images/${serviceName}.png"; icon = lib.mkForce "${self}/files/topology-images/${serviceName}.png";
info = "https://${serviceDomain}"; info = "https://${serviceDomain}";
}; };
@ -30,12 +32,12 @@ in
users = [ users = [
{ {
username = ankiUser; username = ankiUser;
passwordFile = config.sops.secrets.swarsel.path; passwordFile = config.sops.secrets.anki-pw.path;
} }
]; ];
}; };
services.nginx = { nodes.moonside.services.nginx = {
upstreams = { upstreams = {
${serviceName} = { ${serviceName} = {
servers = { servers = {

4
modules/nixos/server/croc.nix
View file

@ -10,6 +10,8 @@ let
serviceName = "croc"; serviceName = "croc";
serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (config.swarselsystems) sopsFile;
cfg = config.services.croc; cfg = config.services.croc;
in in
{ {
@ -18,7 +20,7 @@ in
sops = { sops = {
secrets = { secrets = {
croc-password = { }; croc-password = { inherit sopsFile; };
}; };
templates = { templates = {

3
modules/nixos/server/firefly-iii.nix
View file

@ -8,6 +8,7 @@ let
nginxGroup = "nginx"; nginxGroup = "nginx";
inherit (config.swarselsystems) sopsFile;
cfg = config.services.firefly-iii; cfg = config.services.firefly-iii;
in in
{ {
@ -25,7 +26,7 @@ in
sops = { sops = {
secrets = { secrets = {
"firefly-iii-app-key" = { owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; }; "firefly-iii-app-key" = { inherit sopsFile; owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; };
}; };
}; };

9
modules/nixos/server/forgejo.nix
View file

@ -1,6 +1,8 @@
{ lib, config, pkgs, globals, ... }: { lib, config, pkgs, globals, ... }:
let let
servicePort = 3000; inherit (config.swarselsystems) sopsFile;
servicePort = 3004;
serviceUser = "forgejo"; serviceUser = "forgejo";
serviceGroup = serviceUser; serviceGroup = serviceUser;
serviceName = "forgejo"; serviceName = "forgejo";
@ -22,13 +24,14 @@ in
users.groups.${serviceGroup} = { }; users.groups.${serviceGroup} = { };
sops.secrets = { sops.secrets = {
kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
}; };
globals.services.${serviceName}.domain = serviceDomain; globals.services.${serviceName}.domain = serviceDomain;
services.${serviceName} = { services.${serviceName} = {
enable = true; enable = true;
stateDir = "/Vault/data/${serviceName}";
user = serviceUser; user = serviceUser;
group = serviceGroup; group = serviceGroup;
lfs.enable = lib.mkDefault true; lfs.enable = lib.mkDefault true;
@ -125,7 +128,7 @@ in
''; '';
}; };
services.nginx = { nodes.moonside.services.nginx = {
upstreams = { upstreams = {
${serviceName} = { ${serviceName} = {
servers = { servers = {

18
modules/nixos/server/freshrss.nix
View file

@ -1,12 +1,12 @@
{ self, lib, config, ... }: { self, lib, config, ... }:
let let
inherit (config.repo.secrets.local.freshrss) defaultUser;
servicePort = 80; servicePort = 80;
serviceName = "freshrss"; serviceName = "freshrss";
serviceUser = "freshrss"; serviceUser = "freshrss";
serviceGroup = serviceName; serviceGroup = serviceName;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (config.swarselsystems) sopsFile;
in in
{ {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -22,9 +22,9 @@ in
sops = { sops = {
secrets = { secrets = {
fresh = { owner = serviceUser; }; freshrss-pw = { inherit sopsFile; owner = serviceUser; };
"kanidm-freshrss-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; kanidm-freshrss-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"oidc-crypto-key" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; # freshrss-oidc-crypto-key = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
}; };
# templates = { # templates = {
@ -55,14 +55,18 @@ in
globals.services.${serviceName}.domain = serviceDomain; globals.services.${serviceName}.domain = serviceDomain;
services.${serviceName} = { services.${serviceName} =
let
inherit (config.repo.secrets.local.freshrss) defaultUser;
in
{
inherit defaultUser; inherit defaultUser;
enable = true; enable = true;
virtualHost = serviceDomain; virtualHost = serviceDomain;
baseUrl = "https://${serviceDomain}"; baseUrl = "https://${serviceDomain}";
authType = "form"; authType = "form";
dataDir = "/Vault/data/tt-rss"; dataDir = "/Vault/data/tt-rss";
passwordFile = config.sops.secrets.fresh.path; passwordFile = config.sops.secrets.freshrss-pw.path;
}; };
# systemd.services.freshrss-config.serviceConfig.EnvironmentFile = [ # systemd.services.freshrss-config.serviceConfig.EnvironmentFile = [

19
modules/nixos/server/kanidm.nix
View file

@ -1,6 +1,7 @@
{ self, lib, pkgs, config, globals, ... }: { self, lib, pkgs, config, globals, ... }:
let let
certsSopsFile = self + /secrets/certs/secrets.yaml; certsSopsFile = self + /secrets/certs/secrets.yaml;
inherit (config.swarselsystems) sopsFile;
servicePort = 8300; servicePort = 8300;
serviceUser = "kanidm"; serviceUser = "kanidm";
@ -30,15 +31,15 @@ in
secrets = { secrets = {
"kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-idm-admin-pw" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-immich" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-paperless" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-forgejo" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-forgejo" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-grafana" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-nextcloud" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-nextcloud" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-freshrss" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
}; };
}; };

6
modules/nixos/server/kavita.nix
View file

@ -1,5 +1,7 @@
{ self, lib, config, pkgs, ... }: { self, lib, config, pkgs, ... }:
let let
inherit (config.swarselsystems) sopsFile;
servicePort = 8080; servicePort = 8080;
serviceName = "kavita"; serviceName = "kavita";
serviceUser = "kavita"; serviceUser = "kavita";
@ -16,7 +18,7 @@ in
extraGroups = [ "users" ]; extraGroups = [ "users" ];
}; };
sops.secrets.kavita = { owner = serviceUser; }; sops.secrets.kavita-token = { inherit sopsFile; owner = serviceUser; };
networking.firewall.allowedTCPPorts = [ servicePort ]; networking.firewall.allowedTCPPorts = [ servicePort ];
@ -31,7 +33,7 @@ in
enable = true; enable = true;
user = serviceUser; user = serviceUser;
settings.Port = servicePort; settings.Port = servicePort;
tokenKeyFile = config.sops.secrets.kavita.path; tokenKeyFile = config.sops.secrets.kavita-token.path;
dataDir = "/Vault/data/${serviceName}"; dataDir = "/Vault/data/${serviceName}";
}; };

8
modules/nixos/server/koillection.nix
View file

@ -9,14 +9,16 @@ let
postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
postgresPort = config.services.postgresql.settings.port; # 5432 postgresPort = config.services.postgresql.settings.port; # 5432
containerRev = "sha256:96693e41a6eb2aae44f96033a090378270f024ddf4e6095edf8d57674f21095d"; containerRev = "sha256:96693e41a6eb2aae44f96033a090378270f024ddf4e6095edf8d57674f21095d";
inherit (config.swarselsystems) sopsFile;
in in
{ {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} { config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops.secrets = { sops.secrets = {
koillection-db-password = { owner = postgresUser; group = postgresUser; mode = "0440"; }; koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; };
koillection-env-file = { }; koillection-env-file = { inherit sopsFile; };
}; };
topology.self.services.${serviceName} = { topology.self.services.${serviceName} = {
@ -70,7 +72,7 @@ in
passwordPath = config.sops.secrets.koillection-db-password.path; passwordPath = config.sops.secrets.koillection-db-password.path;
in in
'' ''
$PSQL -tA <<'EOF' ${config.services.postgresql.package}/bin/psql -tA <<'EOF'
DO $$ DO $$
DECLARE password TEXT; DECLARE password TEXT;
BEGIN BEGIN

24
modules/nixos/server/matrix.nix
View file

@ -1,5 +1,7 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
inherit (config.swarselsystems) sopsFile;
servicePort = 8008; servicePort = 8008;
serviceName = "matrix"; serviceName = "matrix";
serviceDomain = config.repo.secrets.common.services.domains.matrix; serviceDomain = config.repo.secrets.common.services.domains.matrix;
@ -29,29 +31,29 @@ in
sops = { sops = {
secrets = { secrets = {
matrixsharedsecret = { owner = serviceUser; }; matrix-shared-secret = { inherit sopsFile; owner = serviceUser; };
mautrixtelegram_as = { owner = serviceUser; }; mautrix-telegram-as-token = { inherit sopsFile; owner = serviceUser; };
mautrixtelegram_hs = { owner = serviceUser; }; mautrix-telegram-hs-token = { inherit sopsFile; owner = serviceUser; };
mautrixtelegram_api_id = { owner = serviceUser; }; mautrix-telegram-api-id = { inherit sopsFile; owner = serviceUser; };
mautrixtelegram_api_hash = { owner = serviceUser; }; mautrix-telegram-api-hash = { inherit sopsFile; owner = serviceUser; };
}; };
templates = { templates = {
"matrix_user_register.sh".content = '' "matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:${builtins.toString servicePort} register_new_matrix_user -k ${config.sops.placeholder.matrix-shared-secret} http://localhost:${builtins.toString servicePort}
''; '';
matrixshared = { matrixshared = {
owner = serviceUser; owner = serviceUser;
content = '' content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} registration_shared_secret: ${config.sops.placeholder.matrix-shared-secret}
''; '';
}; };
mautrixtelegram = { mautrixtelegram = {
owner = serviceUser; owner = serviceUser;
content = '' content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrix-telegram-as-token}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrix-telegram-hs-token}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrix-telegram-api-id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrix-telegram-api-hash}
''; '';
}; };
}; };

8
modules/nixos/server/microbin.nix
View file

@ -6,6 +6,8 @@ let
serviceGroup = serviceUser; serviceGroup = serviceUser;
serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
inherit (config.swarselsystems) sopsFile;
cfg = config.services.${serviceName}; cfg = config.services.${serviceName};
in in
{ {
@ -23,9 +25,9 @@ in
sops = { sops = {
secrets = { secrets = {
microbin-admin-username = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; microbin-admin-username = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-admin-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; microbin-admin-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-uploader-password = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; microbin-uploader-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
}; };
templates = { templates = {

22
modules/nixos/server/monitoring.nix
View file

@ -1,6 +1,5 @@
{ self, lib, config, globals, ... }: { self, lib, config, globals, ... }:
let let
servicePort = 3000; servicePort = 3000;
serviceUser = "grafana"; serviceUser = "grafana";
serviceGroup = serviceUser; serviceGroup = serviceUser;
@ -10,11 +9,12 @@ let
prometheusPort = 9090; prometheusPort = 9090;
prometheusUser = "prometheus"; prometheusUser = "prometheus";
prometheusGroup = prometheusUser; prometheusGroup = prometheusUser;
nextcloudUser = config.repo.secrets.local.nextcloud.adminuser;
grafanaUpstream = "grafana"; grafanaUpstream = "grafana";
prometheusUpstream = "prometheus"; prometheusUpstream = "prometheus";
prometheusWebRoot = "prometheus"; prometheusWebRoot = "prometheus";
kanidmDomain = globals.services.kanidm.domain; kanidmDomain = globals.services.kanidm.domain;
inherit (config.swarselsystems) sopsFile;
in in
{ {
options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; options.swarselsystems.modules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -22,9 +22,9 @@ in
sops = { sops = {
secrets = { secrets = {
grafanaadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheusadminpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-grafana-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; }; prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
}; };
@ -84,7 +84,7 @@ in
incrementalQueryOverlapWindow = "10m"; incrementalQueryOverlapWindow = "10m";
}; };
secureJsonData = { secureJsonData = {
basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}"; basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}";
}; };
} }
]; ];
@ -95,7 +95,7 @@ in
analytics.reporting_enabled = false; analytics.reporting_enabled = false;
users.allow_sign_up = false; users.allow_sign_up = false;
security = { security = {
admin_password = "$__file{/run/secrets/grafanaadminpass}"; admin_password = "$__file{/run/secrets/grafana-admin-pw}";
cookie_secure = true; cookie_secure = true;
disable_gravatar = true; disable_gravatar = true;
}; };
@ -130,7 +130,11 @@ in
}; };
}; };
prometheus = { prometheus =
let
nextcloudUser = config.repo.secrets.local.nextcloud.adminuser;
in
{
enable = true; enable = true;
webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}"; webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}";
port = prometheusPort; port = prometheusPort;
@ -194,7 +198,7 @@ in
port = 9205; port = 9205;
url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info"; url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info";
username = nextcloudUser; username = nextcloudUser;
passwordFile = config.sops.secrets.nextcloudadminpass.path; passwordFile = config.sops.secrets.nextcloud-admin-pw.path;
}; };
}; };
}; };

6
modules/nixos/server/mpd.nix
View file

@ -1,5 +1,7 @@
{ self, lib, config, pkgs, ... }: { self, lib, config, pkgs, ... }:
let let
inherit (config.swarselsystems) sopsFile;
servicePort = 3254; servicePort = 3254;
serviceUser = "mpd"; serviceUser = "mpd";
serviceGroup = serviceUser; serviceGroup = serviceUser;
@ -23,7 +25,7 @@ in
}; };
sops = { sops = {
secrets.mpdpass = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; secrets.mpd-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -49,7 +51,7 @@ in
}; };
credentials = [ credentials = [
{ {
passwordFile = config.sops.secrets.mpdpass.path; passwordFile = config.sops.secrets.mpd-pw.path;
permissions = [ permissions = [
"read" "read"
"add" "add"

15
modules/nixos/server/nextcloud.nix
View file

@ -1,6 +1,7 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
let let
inherit (config.repo.secrets.local.nextcloud) adminuser; inherit (config.repo.secrets.local.nextcloud) adminuser;
inherit (config.swarselsystems) sopsFile;
servicePort = 80; servicePort = 80;
serviceUser = "nextcloud"; serviceUser = "nextcloud";
@ -13,16 +14,8 @@ in
config = lib.mkIf config.swarselsystems.modules.server.${serviceName} { config = lib.mkIf config.swarselsystems.modules.server.${serviceName} {
sops.secrets = { sops.secrets = {
nextcloudadminpass = { nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
owner = serviceUser; kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
group = serviceGroup;
mode = "0440";
};
kanidm-nextcloud-client = {
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
}; };
@ -48,7 +41,7 @@ in
extraAppsEnable = true; extraAppsEnable = true;
config = { config = {
inherit adminuser; inherit adminuser;
adminpassFile = config.sops.secrets.nextcloudadminpass.path; adminpassFile = config.sops.secrets.nextcloud-admin-pw.path;
dbtype = "sqlite"; dbtype = "sqlite";
}; };
}; };

6
modules/nixos/server/nginx.nix
View file

@ -2,6 +2,7 @@
let let
inherit (config.repo.secrets.common) dnsProvider; inherit (config.repo.secrets.common) dnsProvider;
inherit (config.repo.secrets.common.mail) address3; inherit (config.repo.secrets.common.mail) address3;
in in
{ {
options.swarselsystems.modules.server.nginx = lib.mkEnableOption "enable nginx on server"; options.swarselsystems.modules.server.nginx = lib.mkEnableOption "enable nginx on server";
@ -11,10 +12,9 @@ in
]; ];
sops = { sops = {
# secrets.dnstokenfull = { owner = "acme"; }; secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; };
secrets.dnstokenfull = { };
templates."certs.secret".content = '' templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token}
''; '';
}; };

6
modules/nixos/server/oauth2-proxy.nix
View file

@ -8,6 +8,8 @@ let
kanidmDomain = globals.services.kanidm.domain; kanidmDomain = globals.services.kanidm.domain;
mainDomain = globals.domains.main; mainDomain = globals.domains.main;
inherit (config.swarselsystems) sopsFile;
in in
{ {
options = { options = {
@ -123,8 +125,8 @@ in
sops = { sops = {
secrets = { secrets = {
"oauth2-cookie-secret" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; "oauth2-cookie-secret" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; "kanidm-oauth2-proxy-client" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
}; };
templates = { templates = {

1
modules/nixos/server/packages.nix
View file

@ -13,6 +13,7 @@
vim vim
sops sops
swarsel-deploy swarsel-deploy
tmux
]; ];
}; };
} }

12
modules/nixos/server/paperless.nix
View file

@ -1,5 +1,7 @@
{ lib, pkgs, config, globals, ... }: { lib, pkgs, config, globals, ... }:
let let
inherit (config.swarselsystems) sopsFile;
servicePort = 28981; servicePort = 28981;
serviceUser = "paperless"; serviceUser = "paperless";
serviceGroup = serviceUser; serviceGroup = serviceUser;
@ -19,12 +21,8 @@ in
}; };
sops.secrets = { sops.secrets = {
paperless_admin = { owner = serviceUser; }; paperless-admin-pw = { inherit sopsFile; owner = serviceUser; };
kanidm-paperless-client = { kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
}; };
networking.firewall.allowedTCPPorts = [ servicePort ]; networking.firewall.allowedTCPPorts = [ servicePort ];
@ -38,7 +36,7 @@ in
dataDir = "/Vault/data/${serviceName}"; dataDir = "/Vault/data/${serviceName}";
user = serviceUser; user = serviceUser;
port = servicePort; port = servicePort;
passwordFile = config.sops.secrets.paperless_admin.path; passwordFile = config.sops.secrets.paperless-admin-pw.path;
address = "0.0.0.0"; address = "0.0.0.0";
settings = { settings = {
PAPERLESS_OCR_LANGUAGE = "deu+eng"; PAPERLESS_OCR_LANGUAGE = "deu+eng";

10
modules/nixos/server/radicale.nix
View file

@ -1,6 +1,5 @@
{ self, lib, config, ... }: { self, lib, config, ... }:
let let
inherit (config.repo.secrets.local.radicale) user1;
sopsFile = self + /secrets/winters/secrets2.yaml; sopsFile = self + /secrets/winters/secrets2.yaml;
servicePort = 8000; servicePort = 8000;
@ -18,7 +17,11 @@ in
sops = { sops = {
secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
templates = { templates =
let
inherit (config.repo.secrets.local.radicale) user1;
in
{
"radicale-users" = { "radicale-users" = {
content = '' content = ''
${user1}:${config.sops.placeholder.radicale-user} ${user1}:${config.sops.placeholder.radicale-user}
@ -42,7 +45,8 @@ in
"[::]:${builtins.toString servicePort}" "[::]:${builtins.toString servicePort}"
]; ];
}; };
auth = { auth =
{
type = "htpasswd"; type = "htpasswd";
htpasswd_filename = config.sops.templates.radicale-users.path; htpasswd_filename = config.sops.templates.radicale-users.path;
htpasswd_encryption = "autodetect"; htpasswd_encryption = "autodetect";

14
modules/nixos/server/restic.nix
View file

@ -1,6 +1,6 @@
{ lib, pkgs, config, ... }: { lib, pkgs, config, ... }:
let let
inherit (config.repo.secrets.local) resticRepo; inherit (config.swarselsystems) sopsFile;
in in
{ {
options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server"; options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server";
@ -8,9 +8,9 @@ in
sops = { sops = {
secrets = { secrets = {
resticpw = { }; resticpw = { inherit sopsFile; };
resticaccesskey = { }; resticaccesskey = { inherit sopsFile; };
resticsecretaccesskey = { }; resticsecretaccesskey = { inherit sopsFile; };
}; };
templates = { templates = {
"restic-env".content = '' "restic-env".content = ''
@ -20,7 +20,11 @@ in
}; };
}; };
services.restic = { services.restic =
let
inherit (config.repo.secrets.local) resticRepo;
in
{
backups = { backups = {
SwarselWinters = { SwarselWinters = {
environmentFile = config.sops.templates."restic-env".path; environmentFile = config.sops.templates."restic-env".path;

4
modules/nixos/server/shlink.nix
View file

@ -5,6 +5,8 @@ let
serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a"; containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a";
inherit (config.swarselsystems) sopsFile;
in in
{ {
options = { options = {
@ -14,7 +16,7 @@ in
sops = { sops = {
secrets = { secrets = {
shlink-api = { }; shlink-api = { inherit sopsFile; };
}; };
templates = { templates = {

2
nix/hosts.nix
View file

@ -16,6 +16,8 @@
inputs.lanzaboote.nixosModules.lanzaboote inputs.lanzaboote.nixosModules.lanzaboote
inputs.nix-topology.nixosModules.default inputs.nix-topology.nixosModules.default
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.stylix.nixosModules.stylix
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
"${self}/hosts/nixos/${configName}" "${self}/hosts/nixos/${configName}"
"${self}/profiles/nixos" "${self}/profiles/nixos"
"${self}/modules/nixos" "${self}/modules/nixos"

1
profiles/home/personal/default.nix
View file

@ -4,7 +4,6 @@
config = lib.mkIf config.swarselsystems.profiles.personal { config = lib.mkIf config.swarselsystems.profiles.personal {
swarselsystems.modules = { swarselsystems.modules = {
packages = lib.mkDefault true; packages = lib.mkDefault true;
pii = lib.mkDefault true;
ownpackages = lib.mkDefault true; ownpackages = lib.mkDefault true;
general = lib.mkDefault true; general = lib.mkDefault true;
nixgl = lib.mkDefault true; nixgl = lib.mkDefault true;

47
profiles/home/reduced/default.nix Normal file
View file

@ -0,0 +1,47 @@
{ lib, config, ... }:
{
options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host";
config = lib.mkIf config.swarselsystems.profiles.reduced {
swarselsystems.modules = {
packages = lib.mkDefault true;
ownpackages = lib.mkDefault true;
general = lib.mkDefault true;
nixgl = lib.mkDefault true;
sops = lib.mkDefault true;
yubikey = lib.mkDefault true;
ssh = lib.mkDefault true;
stylix = lib.mkDefault true;
desktop = lib.mkDefault true;
symlink = lib.mkDefault true;
env = lib.mkDefault true;
programs = lib.mkDefault true;
nix-index = lib.mkDefault true;
passwordstore = lib.mkDefault true;
direnv = lib.mkDefault true;
eza = lib.mkDefault true;
atuin = lib.mkDefault true;
git = lib.mkDefault true;
fuzzel = lib.mkDefault true;
starship = lib.mkDefault true;
kitty = lib.mkDefault true;
zsh = lib.mkDefault true;
zellij = lib.mkDefault true;
tmux = lib.mkDefault true;
mail = lib.mkDefault true;
emacs = lib.mkDefault true;
waybar = lib.mkDefault true;
firefox = lib.mkDefault true;
gnome-keyring = lib.mkDefault true;
kdeconnect = lib.mkDefault true;
mako = lib.mkDefault true;
swayosd = lib.mkDefault true;
yubikeytouch = lib.mkDefault true;
sway = lib.mkDefault true;
kanshi = lib.mkDefault false;
gpgagent = lib.mkDefault true;
gammastep = lib.mkDefault true;
};
};
}

2
profiles/nixos/localserver/default.nix
View file

@ -39,6 +39,8 @@
koillection = lib.mkDefault true; koillection = lib.mkDefault true;
radicale = lib.mkDefault true; radicale = lib.mkDefault true;
atuin = lib.mkDefault true; atuin = lib.mkDefault true;
forgejo = lib.mkDefault true;
ankisync = lib.mkDefault true;
}; };
}; };
}; };

55
profiles/nixos/reduced/default.nix Normal file
View file

@ -0,0 +1,55 @@
{ lib, config, ... }:
{
options.swarselsystems.profiles.reduced = lib.mkEnableOption "is this a reduced personal host";
config = lib.mkIf config.swarselsystems.profiles.reduced {
swarselsystems.modules = {
packages = lib.mkDefault true;
pii = lib.mkDefault true;
general = lib.mkDefault true;
home-manager = lib.mkDefault true;
xserver = lib.mkDefault true;
users = lib.mkDefault true;
env = lib.mkDefault true;
security = lib.mkDefault true;
systemdTimeout = lib.mkDefault true;
hardware = lib.mkDefault true;
pulseaudio = lib.mkDefault true;
pipewire = lib.mkDefault true;
network = lib.mkDefault true;
time = lib.mkDefault true;
sops = lib.mkDefault true;
stylix = lib.mkDefault true;
programs = lib.mkDefault true;
zsh = lib.mkDefault true;
syncthing = lib.mkDefault true;
blueman = lib.mkDefault true;
networkDevices = lib.mkDefault true;
gvfs = lib.mkDefault true;
interceptionTools = lib.mkDefault true;
swayosd = lib.mkDefault true;
ppd = lib.mkDefault true;
yubikey = lib.mkDefault true;
ledger = lib.mkDefault true;
keyboards = lib.mkDefault true;
login = lib.mkDefault true;
nix-ld = lib.mkDefault true;
impermanence = lib.mkDefault true;
nvd = lib.mkDefault true;
gnome-keyring = lib.mkDefault true;
sway = lib.mkDefault true;
xdg-portal = lib.mkDefault true;
distrobox = lib.mkDefault true;
appimage = lib.mkDefault true;
lid = lib.mkDefault true;
lowBattery = lib.mkDefault true;
lanzaboote = lib.mkDefault true;
autologin = lib.mkDefault true;
server = {
ssh = lib.mkDefault true;
};
};
};
}

4
profiles/nixos/syncserver/default.nix
View file

@ -17,8 +17,8 @@
packages = lib.mkDefault true; packages = lib.mkDefault true;
nginx = lib.mkDefault true; nginx = lib.mkDefault true;
ssh = lib.mkDefault true; ssh = lib.mkDefault true;
forgejo = lib.mkDefault true; forgejo = lib.mkDefault false;
ankisync = lib.mkDefault true; ankisync = lib.mkDefault false;
}; };
}; };
}; };

48
secrets/bakery/secrets.yaml Normal file
View file

@ -0,0 +1,48 @@
home-wireguard-client-private-key: ENC[AES256_GCM,data:ozkjvpAAo33495w2c06Iu1ZFvh+IGNXUDYuWVWACBoNRQSKaBX00c3Ynd10=,iv:wbeYJFEopuANyiKnWoCBESxa1dB/insEFJChEqxm/Pk=,tag:QfvICpbK5fiNEDhRLxQYGQ==,type:str]
sops:
age:
- recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Q0Z6VUR4VjgremM4UHBZ
Tk5vSm1Ma1RzMkZNRVE5NHBtMG8vNFVXR2l3Ck1yN3NoS1UyOWMyRXZTdndwaXdW
MHRkU0d0YThST1VEdVJXQ2IyMDlwaUUKLS0tIENrV0tLK2QrK2t3d3FlZU1WMVIw
aVN2eEE2WDE0RHZxNTN0aXVZbGJoUXMKjje3viWHrfHFnxoXOS3R1/TEEr2nV2Dv
2Tepz+F/vrNkH705fVePD+SmPXv0j+bEH5Lf3vLi/9zFqhrqgFDExw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-13T11:20:48Z"
mac: ENC[AES256_GCM,data:vqg0HHoDSLlPFh++CZZBpALrIOrnBtLL30XWzoXpYXMBKM/XCKGhjFPmna/ew5stK7ylNjIiAmvX8rZB3ynG5Si1/4zfGV8aKvVKhcrUjB1Upkphq7jFb0MI2JoJN9dv4SDVwKtiog8T9aYImNXe62/nMI/5xHlF1moY6JXDE0s=,iv:LprVDQU9KeSwuC/cmy06YQeCMYhaEygb44I+GkvnbiI=,tag:fodgL725veQmxsLuA57nDA==,type:str]
pgp:
- created_at: "2025-07-13T11:20:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTARAAtBAhSfBmcZqHKU+JiBPcs8WftmIZ1L48ERCyWAfh5iHJ
lfGyM61PVxb7qAFbXf+sXsZX2QtMVjobqYgAlibGLnlUl6f1RaFHdfkbUIr2NGY+
gjCZEGUmunwRzd9hozXj12B1juop8nB5kAdeGhJ/H9CIJofYalkqlU33YNLcROa/
lGqV4Xu89QfMm+tXzz8JpsXnW+1z1j/9j0Om3KNQYN7t04BmNAYwSymFuubFEnFR
Y+tvBPqDPhpxT3YvRIkbPGhnWZBlr60owL8S1nKujVLQmSr/DjwS+om12kPl+Tpy
s0jAVB5ja6FCIE6pa5WMV3wNUinis/a/P6xJGiFxS47ZLoVjQjuF2y0pW3N8O/8v
mm7Q7J5rWjF4odZfDyfpPdh3+Gmb2cUERpK0i0BDT8xAo+6F4EkcsWrTb8BrI56X
NaTPFLenluIedqqewgN6AVjX0WaxZRdQIKupmujeWefhBgDwX++5misZdCErqLcX
uG0R8ziHGi13dm7mhn+PorFEMRcAHhQqVIA9Ck/Eg48W3GQcbGlOl6e/0S84g+YU
ndfz2J4qbJtJk/RmarpbSE2kI3edfs1DC0nM1YUIUHm91UxXZ/yhXSiR0BsW0BpG
YRtyT6TpseAfBhyMgFjeyiDk3ngLHogJT8ov706X+jG2IGz1n6MldM8EMKry8amF
AgwDC9FRLmchgYQBD/wLPUOWXyhPfuXkPuC4wOdH8q7uvIpDCJM1QfegvM0Vbfaa
BcqU8V0uC2+XirM3nLYjfgEuLtXpDnPnGx26jYXiAwO2rzurWW3Z9BJzyp+n5fBb
uoWCfTlihAznDOW5TvPTUpgosZShFKGs4Gh8Nvcm2lqx8wQfOjSYJnLdotmOYEJi
t38OTIFDobNATXvsuNHSocue5TjgCHwLvSFUPg+o0s1Xx3DSMytX83slXuYd+WRx
GbA0wQDxV03kH27AkhsvYefcsntxOW/FsZk5XzARtkCRdtBfiRb4bRRWsrrnzNBT
6hCb8+MCmnCeFFJRkj0izsA00j0Q6tE8s+NlhpeNIB0p1bxOvjyeJyOEBwI+G/s+
vE1mewutNnPYploy+E+zsmszSrWwGe97QL1rKmVgYMirLKtGo2CBHlRsgmpdhoNZ
ADrgwNCAUPD5K4eEi1Dl87p1LbdjCd4CY+c50NWpnJP//LAvTVjZFqkQr7xgnBqO
maPzDbHCQgjboSWHA/bBDlv0b164NsWJtpDrf+z9R92bhCvjTtQxQdcJ4ZXz8HWU
Z32ilAALR+uySN9gLoaVMMZyQ5vELWvFK66zMBpk3wLWPEus0e9zOA764+JYXbUG
25T6DbKNNBDtnT9w2ZRrmrK/B2CsFbZDQ4R+pom8Q8IeSke90d+jDAZzHF1erdJe
AYZ0wZtqJgw+IJL4TI9QEgFBGa1z/+83ZFuztRmwQJIawEHisWt+3cj+mbZKSHRS
aRRmLWPtvK9w/RSeoI7op7s3rUdpl/FabzcIudRYqtRiP9/Syly52YkRD7503w==
=hhjd
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.10.2

113
secrets/certs/secrets.yaml
View file

@ -7,80 +7,89 @@ sops:
- recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcmpISEJCeDFtaHlMaUp6 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieGlsd0NScm5WYldITTJ2
RlI5QnVSQ01OSVViMHZROFozWE03QU1ob2pjCk1ySzZDSUtoaTN0TSswN1R4Q1Q5 cG9mcnBKSGo2eXlFaURNa2FxNkZ1MGNVTjJZCldROGZiWGp0dXlMc3cwbFh0cG5H
azB0Y1RUWTc4dXN2OE00cFBNeGY2ZVEKLS0tIHM1ZTFON2k1eW1MNzFWUWs4Vmwv RDNPNUtWNFBlTG1lOUo5QVJMdncxYUEKLS0tIDNJKzc1WExlTW5ycTQyVFlXQVAz
SjhWM3daU3ZGUE1Ud293NENxVVUyRHMK3beWpg6G/gn8kT+ZZtnlnCw+K4Pr5O06 cTRDK1h5Z3NjK0h1QnhNSm51YjA4VUkKUlshWYOQLs1z8AOsFvjfl+RJBvmJWU39
UNFlbnWIxNzJ7ML5Rd3u88XOLmD7OO4sxwQCNZgFCFfljiyl3UW27A== oVVvBEkCF6pw/yZp7Zp6ejLpVQojqT0JvLzSMA0tJBt9QvNmdTT1xQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcEh3MGxWRGJPeEQvNGlh
bEc5T3ZRYkhkdkZFQy9zRHBNeksrRG56T1R3CjUxMUxhbDduRWo0N3FwaUYrUFpu
S0t6bGdXYTZGMmcyeElXcDJ1Z3QzVGMKLS0tIGRUWG9GYi9vT3dzSFh1aFRKNWhH
M2pGTzR6T29tcVltS21RMkNCcFpPc0kKkXGoVCNU72f8efjJvtz7cbUpPcfVG3Dl
puffE6poAyeevdSW5cAFGNgJMMWzyweUf5QvX0lu9i0CpuLFFTdacQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0c3pjTmFPZzF3NTFla0c5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZzFNdmJpTDVFTlJPN3ZV
QmEwa3R5NG9NVnNQUVZWTjY3VkxtaWlFRXdFCnpwSnpJU0RMSkxrUVpIdk5ycVF1 cWNNaGE1bzNmbjQ0TUh3bVJXZm85R1hDOEh3Cm1GQmxsTWJxWWl5eDUvUk9DTkRP
c0ZTbGNRK2RqNTVtb1ozSUZjeTYwbHMKLS0tIFEzcG1xdCt1Wmw0S2NtMHk2TGJ6 L3pNVEovc2FLSFgxZHQ5L051VlptSlUKLS0tIHVUSUZsMm9SRE1INDExR3djMmR5
bU13M2NvNVQxbnJGTEl1Q09YcE5Mb1EKpCJSyUVvDndc7/RkPGcutcfOz1lM6WWp dlJMc1ladVduUExXZVdHNlY4TU9UOHcKh9lzumXbRm2lkNPw39EQ990cNznX6Hj2
lRBXFELXRmdRFAF4F+7sEICIu+3zJ/bpycQPGBIfjD8uYNSa5GRbng== s2dMmqHIbanQ0VCGW2Bwi542sII7qT4YW87EX+0LpUN+6bHKCR/YhQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWY3JVbU5OSithUVJSaERk YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cHpkZFBES3B0bGNUYjU3
V25zbmJ4Z3NkNkxaeFZMRmZLTG1RWG1OdzA4CklvZ2lTMGZXSHRpMzkrSGdIdSs2 Yi9kTVNNNDNSTG4xK3NMMmxFSTd3VEJtdEVJCnFYengyY291ZFNyNE1hQ3ZVSDA1
N0NTZzI1YjVCVzFkNDJJMld1Vmt5QUEKLS0tIE9uUDY0WDM5RzVQUFN4WGFZL3M4 SXVkNDdVUjRDNHorZGlOQWM3V1QzcUkKLS0tIDZmekswRXB3OWRDVi9icUw1ZVFs
YUtnZjBwTi80VURBNmhBQjNxMmE1UlEKsMUniG4+/nvrqXH0AoB7I0sVRBfevGov NytRZVZXTzhhRmZqeGxRZ1lQdVBYMzgKs8tR6IlB84pbS9/T4fixD43hDIrHeDIY
bqbZWhQoxo2lCly9RVT1EjJdk6pbes1qy4/H4vNMmjsUn0Pac4FE+A== Bk0d64w2bkUJk7xKjxY+SNk9RHqLYmaHSudLVSlbSZ96exNBt/L9jA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNGdEZEI5QlVmQXp2MWp1 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOaUFqYVFHcnM0ZllNYUR5
YkRnUWM0S2k4ZEk4R21rc3ZsTGdzUjlOY25nCkg2OEZ3blpzem5QTktoTVB6eXNS a09mZVA0OWhNSnI0aUw5WFZlaHUzN2lRR0NvCkhaaUVSWUxuQU9qRHpSdTROSVJi
NzRVejNuS1NpbzN0ZDE2dzBldUR6bm8KLS0tIHJmT2t1UGZGVWFMNTN3WmRVOVZm SS9YQTdtdzdWNnhRd2FSdFpVTHVvWlEKLS0tIGVkN3Q1UE9NSXZGWHRGRGwzZGRh
QVpQS1ZGbWdOYXNsNmlFYTNhUnIyZFEKBQaXEuhKe/qvqmXK6G/Ew+gwY8NgvyVm Ni8rbWRWSkdtc1BwdGlaVGlNZExBWWcKbHXUCrg7c1Ekq2bQs/m22TwBijcG+3WP
Kd13hqsHcllaiAwg2lZ7RMl8gbKY9Sa6iQ1laV+0LHiEc/1hbg9sWg== vNp6a5V0wDgoDP49W4AodMarygePJzW/NgndlUXqIWuIbm6VFUEHRQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1gj6uhy8lx9asjhwmqcmm4rtu6wptrd9dr42lhf9xreet6tra4fpswkvket - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQ1J4SFQ4K3RVTUlGRGxx YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLdlF3bzF4d004VS9NcHNH
UzZhMnBXUGNYZ1dvbFozS3krVjBLUGFGQm1BCmdBQjhlcFhPaFk4RmtIRGFSUSsz ZnBEa2xHd3ZUYW5NUlVGd2JxRGJPcW9lT2tRCnVSUWx4Z1g2U2pyNjhaWnVxdDEx
R2ZIR2VwQUZIaUZ4RWRLN01XdndURDQKLS0tIGg0eG9tVlB1WDhoRUpnZXhlQ21w SGtSNTdrMmtHeUtuL1lWQi9FUTZyZW8KLS0tIE1tNTdoOFdQV1p4MGNUYWtRQ0N5
M3FXei9menJlNjB4ZFFoQURhdHFCUjgKmkTR92+6hZ705u9I5VPyJVfD5HrLxk7m bFNpdm00MXJIMCtxelVIMXVtNG5XWlUKtkL3P6x2rafYSTCW5zv/54tgU20FYwhi
7O1EPw9oPNSihFhl85PbQTAJWVMjRmJFFdDxz/I0XuHKE/XaNW+ijA== RFc5sZRkgXhoXw+zrKkhDc28Xn+Aby2pUth9ihs1ngVB8OUqAZbrXg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-05T11:01:02Z" lastmodified: "2025-07-05T11:01:02Z"
mac: ENC[AES256_GCM,data:XnLmZ65mZqoTHQfSKdvPVr+IGb1mb0nFRQLBiVPSyKfg9ABlqwsht3sykR+enDkmIk1urRewpKvPRr1YyLKAezHaE2I5CQdRwMViGTxbtN18SCqlKcL6CgGzC7UzAI8A2jVqB6D9swCx63TEOwnaWySBFnQuOog58R43rhxcJJc=,iv:U0ZMZZyuRJVAE0el0tRAdvHS7qtqU+z2kN78XEZOW2k=,tag:TrPIoG7cxLBDgG4vXJ5NiQ==,type:str] mac: ENC[AES256_GCM,data:XnLmZ65mZqoTHQfSKdvPVr+IGb1mb0nFRQLBiVPSyKfg9ABlqwsht3sykR+enDkmIk1urRewpKvPRr1YyLKAezHaE2I5CQdRwMViGTxbtN18SCqlKcL6CgGzC7UzAI8A2jVqB6D9swCx63TEOwnaWySBFnQuOog58R43rhxcJJc=,iv:U0ZMZZyuRJVAE0el0tRAdvHS7qtqU+z2kN78XEZOW2k=,tag:TrPIoG7cxLBDgG4vXJ5NiQ==,type:str]
pgp: pgp:
- created_at: "2025-06-13T18:41:14Z" - created_at: "2025-07-10T23:51:25Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ//bvg76FopkB85Na1yjedNZjDbfg5R0H5sNOvJi/KkZRaB hQIMAwDh3VI7VctTAQ//R2fMRdWshY0+/feMDAF7t/Z0YwwAT63gzfqKG8aKC3cf
siZZHUN1jrrYH9WJxhrYhE6wmtqhClWI0r0I/prcJj2gvJWs1EAC5HoJYCNQEZjA skGJtXBZ4CFW/tK0J62nS0qUIYrkWokACJk72luYg61u1KX1wUaEEqnRcEzZsxQC
jVqyPWveL+1AxLze9kGcHpb/YKO++XclmbjRB7RkW9oS8h3RN+BWgjoL379fygFn Ib6hYXyKl87WYv99QUDaItBBBoSd9BhiDCnWv5nrstZSDy+RwlIYPhQy9KgeDt0H
tcYhB1zn2k1pvKovq6KQiBThGgaATShCh65sl10NXrEEzR37TBRubseC/Bhj6oDG 6pRnPEL3VU41AYt6YKl4yLBOjweftLwZkDgKyaJalwbLmFHWOvmvESL0kBj83hyX
SoviST+7tbMETKDoDvXHzKE+tVvQPi1qCagbk1FL681ldjcvTFhsLEQc7brlskoC Lw/XZlh9KUi+xEeYmHUCjO9xDgvJsMGTUY7m52U0W0faarzy59yYWnENROwm9jCK
w3H3BLKLrfpWPnsfeavMOghK6ctztwuOd6qbZCcdS0QRPbSlOWY27gzLg9nCoVYm XoYDu903CtxqSybKJ2AtGHWx2cuOmTjsHPEefqmK7M3XsVpsHgvx1Jo1eQYO1mPI
3ZS4o+OIOBKCkaCiWqwORqa6MTNNOgzJHmrpXygehrhyy+RCvPyV1MUgo9YyfABb ZiryTsN1YMYXUkgGfFePmqA9X2iC/meboCWPcRt8lUIfmWx7uMGsv+mGXT37lWyu
uoRZxoY3svvm1mUcwJwySj0fKljF8YBOxmYHAq+cO1jPe3282Mbh8haOFxVF34c/ wYl9Y2x0qwfAOyg3wNdojE5t4rlr/XaQ+k8Ep1ud37pgXFryQtnNhwgtYuPVWiFK
sB7q8AJHTks9KZdO/wfMt//e3oN+IVFEsgEE8d0ecScIyVcqyEGYGcloQ+m/cUSF jnnUDCZrbsWbMmL88ZGYPNIcrBGAgmfYWzkWrU6fICYWIzJdgiWg91ANRHX9vnwG
onfJKz/WhgHUh4VngDF4HTMS2L4IRPnPFTebRNBirnM7ruQut9Q+NqYHF//UmlIa 5YjZHoHnBRMQg32MInjBJrm/4r38DFQBm67bI1Ol6RMDp/wD5hLrbC6gnq0hGRJt
6CWifbSdcDujd4P5O9FIG7/bRhRf5CsUdn137o9vF9hBnX5KtdrRwyYzy4dp4HGF GzsRPphwrecifIBtck5/vs/f134Y+6BIADJHNEHTA/LnJC8K1VYRW5aBiFvyUWqF
AgwDC9FRLmchgYQBEAC2KYQRNAYxczza6nmW6n2bkGDypvKwDWV34GKtL1hy3mla AgwDC9FRLmchgYQBEADKxwFZHBejt2dr2w83XZcLCV/0Mf64DOk7I16VKZ5gBNXA
Dfh/k1yv0o/I6ebnbgh6yFzyFq2GRi+yNkTPF1mpGboyex4Ot3d3y7gurs0Y1p8g 4N4W8Q/of2/EH1a8eZ5A8DZPkVZMavdXkQnww8+if6yx0e4moBusUAzeKP0XtY7T
oYYniqtQmuRmkplU6EFFZf4LgQvcArmLFCzp0SbZ37AaXYFjk/pY1hSrfDbiExVV ABUueS7B9Ou3yhdVynpOfmU+EBwQXEuYhVsOlWUJGpfESoOBRyQv12P7ToOS4pz+
OK1pkE82vYXWm2bkFRE6YVNUf4lp7Q41CmDq+H+mf4DLfgw9J4TnseNi+ZsGldSj panGeOMo5tzU/8vfkbRIF+9WWKPy/JfsufXGNQkdErgnTAdRCUegPO8kVpwZ5hE/
4jFEtxvO/t2vhNHvbXJoSVKeLKn4mUEpJdfi843XWwo0VEk0JcnzfReYUbqjLChv 7IGtddUUnwC+kIlkv4N4eM9QabjWmU70L+THveJ4q7JJCmsimYPocbikVhPK7pb0
gV13mqwGmrDY28IWzyCr4h8FURWUMJSFqkVnrEoHQ303ujX5qV3JSadl6ham4h4o mqU9hUMxJbBq6sPjLIq4QaSkSSipbiUUdZjoWuKuIbMjm6M7oWR2uGfQO3d5R+VZ
s3gS2F4m0h9YAJnxj4/ahbBLk8go4IQ7FA+rmjVhMLRuTyUcEyPPCiY8tRJm7p/X 3N3xkWPVnzoChq3zB35gkF6RniMhFMCjhYOPidYQ8QH68zN7pe3YzE0HkXgirjs1
vpkZdT2hVyYeLtK/mP5ieDArDVYUa3QTkJ3knjSfdZWBv3MtrXsTAK/C4frnOxoM Zux8KlR/Vmh7wQjzWEfv3yK7Rjj8ePt4cdAfozFf7YMUPQWSr+BJ+1CVfI3X5Gb0
inMpCnJtCnVQ8/xbtyXMhJWnz72vbEwDblaLId9nVtU9p9GqHB2OT1CflJBhDjb6 RrWwJm59MicK7mONCDB59LMKUYciQc9JGlpl6oSkbdsy49OToPtuShsoBN/nmgVE
a49C0mIGS6xBkW3YBSJxf7szUK/lL2qXSW+aI4dg5naci62jChtagnkXbN2afhOR yU8BWhJt02KFLKvs+v+HXuxXgrUfl1zNAtzH0PrB40nuyoCFuvomUExCJiTTEMgs
91hpJ2oohMkB8rbbi2uXN0wIBUO9t8GTUKKaTjCOOTWm5nXNOCW5CtamYASeetJc YBwXdecgwcRta0/Q368DZqJzxiiYIy5xlZxFFMkA62JfJLUFy9/Suy+mReWBLdJc
AeW10mAZSNUyh8FWs9XeLtppGEdERSqWs3gPvGO+TJ9o/8v+BPIwLEu0POoUuRWo Acr8AJq92TiCmHED4Rc78SaFDYjJYfvc6JLJDHxU0r2ucoMwKAR15gDDOaARt3B5
3Lkqrl4JHC01T7buQU3vzRfWrdranL0Ll8H2iYvsyfaJrsO01weS2jGqmgg= Af7fxGWQ40sY56YgjgpBRaoXYDySuQ9Ylegd33hUzEOfOqKHFNAE+aH54QM=
=PGCv =Enyz
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097 fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

121
secrets/general/secrets.yaml
View file

@ -25,89 +25,98 @@ sops:
- recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybmk3azNkM1A0MHBJZElF YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhU2M0UFVMOXFONzN5WVU5
Y244UzIvQmtSWThPbksrVmNnVEErSldLM3hFCmUxZ3hNaTkxQStNNkwxV2pkdWEr TExjNEkxbnhEOWJPemtqcW92WDVJTXlNRDNBCnVoMTFreXBZVjdFMWpxUzZhaU5j
bVQ3U2kzL0ZlOGp1NDJIaTNMYVRZd28KLS0tIFFZUENYdkRIVW1Gb2pjMjdFcG5h d0xZYUQxdUx4ZFZteHlsM2pJZXZQQ28KLS0tIEJjdjlHdklmalRUUGhLSEFDTmkx
TGRYcFpicXpFdjU4ZEk4RVpnODdBVE0Kq/i8NDtYB3L+kBs0q3NYlzRa22mWG7hi cjZNZnRVSmcxNnFCRzgrWnhOMlYzc2sKK13rGMFVsXQkNERYQLrhgYHbDn0jPYbl
lZZtwXjxTpoWacZgkNnxr/YjiOZLV7wt22TpFSKew1sfs77HvosPRw== H1pQPZdWw+LXw1Z+Y9nj74KTPPLnPckVTwETUfvs9EFkcFIyhzGK6w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWM01DeFcvQjM2bW5DcFM4
YzF5TTlURkxRYVdVbjdReG9LbUdYNjMwMFNBCmZJckdBM1YyZEFDT2RhT3g5bHJo
eVVISmhqQUZJTm1WQjNvOUE5MytiTU0KLS0tIEwrVGFwVEE2ODQwb2RyNzdselJa
b2tiTzZCcHB1NVJWS3Z6VTdMelcvTlEKdW6kkCiI1YhV7Da6SrCQxP0zdUc2ICSC
voGlNOnPb5iACvgLnX/a6EBKKO7PScKIFAzsWROC9MlLoF7ERnZdSA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQmFSM3lPRHN3eE9Gd0Jr YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNnF1N25qMUkyL0N1RSt4
T2hVb2t2NTEwbVVlNGNhZFZCekRrOEVSbmlvClAra2pnS0NPTXE5aTArZnQrcXNQ ZlRPVGpsY2hkbWZKREg4cU92Y2MwM0twaXdJCmJwTWl2NjlETXJ6WFNwN2JpT3Fm
bVY2cnhUeCt0N1ZQRGNDYTZETDFMVmsKLS0tIDRsV1hDM05KcWRFbE5ITGttVk9u WjRqVlc4SW9DejV0Q0JGNkJpQm1NOGMKLS0tIHpQRGc5eHQ3bHFnRzBNRGx0ckFV
ek8rTHZYenNzbXVVYnhIUU1DY3h3VEUK5iRHq7pIa4tbYo4mrFUwPT50CWzCLnqK czdKU1p0WXQ0enRyWXpaT0k2NHBzZkEKqLRezUd0z2PF0wakJe39NAz/MkpXIRAl
X8Je+8lzkrVZ/M4RNXlgFxyD62LHycOZx342KVVdgl2b8w83xVud1Q== hvIqWsWyXHUU4a+mXwX8XWgs/uejuyXmHa7TgavqkHs9s4/p+KtNnw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNGxsQU1wcFpIYUxLcnFK YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWTFhTlMyVkZpeFRqaG4y
bjhubFRxMGwzQlpqeWpIbnZBNTQ1cGxVb1M4CmNFTFlCczJMUXJpd09zT3phMHRm RDBhMEtpSXYyMGFnN3pkVGljSGN6MVlTaFMwCjlJd1UwbXVDT2M2R0hsQStqeEQ1
OE9sRC8zQ3FDUXoraG9jNUFITHVOYzAKLS0tIEtPSmhVVFNRdEd3d1RobEZMUlhV YmNTNjdTRkU5aDZZd01DYjNaOWhKMFEKLS0tIFFKS1dXc2ZjVWlRR2ppSDRaRHRJ
OU9tWkNlSTZWcVZZbk00SjkxSEFZeGMK9Uq8oBYa7TJiaSOv5AIfPqnfH+lM8jeY cGwzMUFNTHZzcjZVTFNCcmp6VmdFNDQKNVeV1BGVuaUbSHHBOZzb/RJP4umX45RR
QEvT/llQqNHo2h1PbzoCd0W+WN81/yVvWhweJUO5GcA4cqE0Ed15yQ== 14RInoF9i1ByEzY6KS2nyP83EQzbAgfdaUkPKkIpzytj+3gvlnI/RQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYK3FyVzkwZEZLNU5hamMr YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWk81ZXFRQnRnMjhVZmZL
d0ViS3FnVHVjcEtYVlM3VFp5S2dlNXQwQ1EwCjQ5dmhJenpFZmt3aUZsM0J0UFJY N1p0eTRSQWt5akJ2ZjZid2VUNW1ndFNWeFQ4CjBlZndkV0pKeFpZUjlzdHJsQTlR
SXhNdHVRbjNYZ2YrYmF1QVVMS1hBbnMKLS0tIDUyRkhTSjVhUnhBTEdtNGNqS2Vi VXE1K0p3TlhJdkdPMFRTL29BaUd5bmMKLS0tIDVlS0FmRUFjTTBpd3pGRVZMbWxF
cWIrcmxRUFpKM3V3d2ZwVm1STGlpSFkK+VMJXgzdehOUhdevVIfO68wo6VF0Lfj1 cjlaR0xvUmZvdlFlZlFwam5IU1hYZ2MKOMW/ZsXOLtYnYCVf0JIxlfXNTDjSuscn
gsHJHH6GmQbUsCt+F+fPaXUlrdN+BlCnk4ZMNKutTm2g4thAeiAeng== l1p2HspWo7J1RfJbOQgScy6rmUB/9HRMHlnwpnjgOYWE4EmuKcMYSA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h - recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RVRBOHo0ekVGakVadHBZ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArOUhETXZpTWs5dWw1VVhX
SWhKcDVjNHNUcGhlYkxkenovcDdpWUpwdFNzCkt6SlVCaHgxK28xQmtrR045T3Br Zi85OU9PekJQSHBIbHpNMVh6b2doa0wvSHc0CitvanJBOFgwb3V1TEpjQ2xXa2Fq
MEJjbXhKUTRSREV6YUo5d1RKenR2TUkKLS0tIHhnZW85VHRraWRXZjhWMHI4SUpD UGtzdTB1OEwxSWJKVkZJWjBDV2MwMncKLS0tIERpTlE1cWRaemZFZDAvcGx6QTNK
SUp3cUNwN1NXaXpjSm05UkFCcGw2d00K7Ai/uCOnqonQCy20hNjV8YALVlFZFbac amtUQkgvTEJFblFUWTE0RWg1cUVUbmsKx35Yu+wpJwlVd2JrXCT/qybmLjCmT+/0
C8QIpfo5FEiONRZNOB2tlr7+ziGC+1ia1DXRvobHOKzgVfmW0VP86A== v99LzVDWiiAPx8ryU2FeAZ/umDDIQfkzyLbi2f460ATKZhVfqhNDDw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzeUVtUXZuTVl2SEhVMWdl YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycEx1eUR0TnRVL0tsN1lV
RTNsNU1pWmZVeTZ4YzR6RkVwSUc0YVo1VzE0CjNvKzl0QTROUEVnOWNObnFNLzRm amN2M0VlUHVpNjJvM0x3UVVhUzY5QTRObG5VCndkblVGdExHZDBMbVZmU3J4K2JI
aStSOVIvNC8rOEE4WnRoUHlwV29hTFEKLS0tIG5NM1F5OVIwQUtraURRdW1hT0Ji dHZoVDZHTHJldTFLMDdlMUFTNGtjbEUKLS0tIExKVVd1UGtvelRsQldnMTBXTll3
azY5dGFTUWhiQ083VlBzdVRrSmZFNTQKqoJy8eP+beb/86Dg7BLaYEmZJG2oMS/I SjV6L3crUkdLWTlsNFgyRHBla2FFam8KILYsNbLdCirfoC/Vex8yEYpS2G4O0EQP
y1tSw+Ij5TfghzbtKcK++88L7ZPJLRocnKXftFbjutHNKmWW3+oW7Q== wa1xzPk3Ue0/g67dv5UZFhUn0ZB2XGFC3kEPWpptTj0VL+9Z/r0zKA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-07T15:40:09Z" lastmodified: "2025-07-07T15:40:09Z"
mac: ENC[AES256_GCM,data:IgodPXcdFB7zYwt1dbRXkuQ2Ko2cAy4L6BvObuP8sWRO26Sn0CRvBtfwEtJLRMoXyS3hXJ25hzTeQOUaTVRw/5GEViM4SxdUuE9b5rX1J7tRftgdI45f12tsBMJQhk4NDtxpm4CSUvh11XqNdBkBjFUMxfZVweXFhoZ7tJ3oElg=,iv:9WNevYqRUe5DtCWN6mMNNwQvxB4Z8ac/zKPocjMa33A=,tag:n/DL3B8WB/YKfcbo6ArMDw==,type:str] mac: ENC[AES256_GCM,data:IgodPXcdFB7zYwt1dbRXkuQ2Ko2cAy4L6BvObuP8sWRO26Sn0CRvBtfwEtJLRMoXyS3hXJ25hzTeQOUaTVRw/5GEViM4SxdUuE9b5rX1J7tRftgdI45f12tsBMJQhk4NDtxpm4CSUvh11XqNdBkBjFUMxfZVweXFhoZ7tJ3oElg=,iv:9WNevYqRUe5DtCWN6mMNNwQvxB4Z8ac/zKPocjMa33A=,tag:n/DL3B8WB/YKfcbo6ArMDw==,type:str]
pgp: pgp:
- created_at: "2025-06-14T18:15:57Z" - created_at: "2025-07-10T23:51:26Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ/+JiUgauFwbjrUsmGPseQJMraVr3cILCN05ufXeZLWXeuj hQIMAwDh3VI7VctTAQ/+OG92tnH/dwXLTdqlvN6sEPREG/oZTLGvjPiM0Ipqyrcz
ZJV+7IecJa4BpCtaMD/xhvXiH7KNjlvlbN04AOHX/gGgJ3mENxHGtNOPb41RBzrH rgTrso9MjBf0xZkxjH49CWqBpTBoOsxopdSU2cvte2IdQEQCgCJcqff3okBsT/Cm
5FK1icAGt8xaXi8VdEwEDitKhRBnP2VzVC8ETrD+aQjVQM5DkJtvijvU3i0qsDnY 3yz10DNTdI17cc2tLFJtvcWubf+amRXTM8IbDozkc4ttuhCbCRcFMaJ0NTVMz+rV
Y/oE56IWhldeXZcsXylW8x3NfskGbOQQ4hOmRamvi5ubrfAVkMlbzCS01rXTP4tu pff9UQWGmAWBKK/u26prf6NeCU2C/v3vLAxAxVjuPBxNpXFZEuu88DdE0lIMy1rO
8MMbHtjZZcAeWrsj3rzlRw8SG/GRubn3lEd5nI7gfxHzyK6uv4sdaapw+5Y1vjbv ZAsYz7O6/flf3qbl74HXhNUhWwDTUJtU0beGSv/sziAPSEV0lpScZbq5HdFvNUk6
hB0wESidhzheIQmKeuLGTe6S+RTo+G8RNIqmrMXawFdmBoexKMFtJMXCca4LNawK rH8Tf1IdV6n0lvDqVdnY7XbmXlF0neSLJedWf6eAmcvnedCTVzMGSNAIVhiW9Y2f
TE2UWbniQqMX53XM31EW1MrkjvM325E0p5TWz3JcA3JPqkmTJQSyccuJizvf2Bdi IURsyK8NXnZTw2G5J4BOwx082Z1wroH0cJgQz1IcfU/I78DUaysH87mYfUQAGPV7
M6stq6RPl9n5feSJJSfROP1IX1+fpQOLfToOJpOm5MPCrm0YhY5h1uSTKemfVGkO cLICS/2n+olgkC9nAz9ZQO7+98Ylk1n4EKkhW2hzR5av8LSu5rs9uTkO1KWz5mTT
cV1B2SGkN+w80eEhUX/EskNagROZBHn5cuZXldCcBzEIsA4G2ZsIuVujXTcL8wmn QjsWNlD8+1OvEFxELJtdMLnTpMTZqPouwRhDhJLoh6to2/HT48xCpUu4sMyj1AY+
EL/HiEB6UQ8P5TrAREbNw6wOXVdlfkUovyfmI02NFL6wr0xY07a3Nn9qADKQzhpE ECGsXzNbfb6dlAvuloNq9DoEP3nP4KJ6DKv7gnsbS1WVT6LoG9Yg6s00YnWiMomd
5fFudXWe6mLx/bRcuhl2ozCBk9fTcVkb5SF43Pp5fmQKzKvqN8GjEHtdFrN5vfuF 0ByLH5KZdlBkZFV0K/WGWpj3c3H0IIM32+w2yYSCVQEY8UeSTQ54bI0ao+ISPLCF
AgwDC9FRLmchgYQBD/wNVDcCYqGdZ/J4wt7BEx3bG/QOkpacnQXGqo0Xv69BjOi0 AgwDC9FRLmchgYQBEAC2x72z23cpRyfiQD32Pzb4cDheSawiXSolOZMAExsRDmYl
tOsylTe+Nqge2ImCgu2lNlOYMjfhHCcnLILdriZX0KpEiEM4lzbpB2ntm+p2wMjg IhMyMOwWmetg4HOwfGhq1PuM7t1k7maVa8ulWQcmD7eSmehiaMzYpA/gctf8GFQ6
TqMhzupy7iPZbPg12rtr71Mc7pLYKn6DRTBYv+HsMY8E24T3bMnGPOn31VP1N+0k 4mmQ1siBC1qArfMgFgd9yS126NUGqXAWsrnptnlIbYuY/OsiS7W2JKLQUcx8TZqx
U0rySjg6Tuqo/F1Usi5wMG/zvLqSTJ5Sev0tHj0K8yKcmoHmSy62SdkrOd5S9xBt 6NC2zIi5+h+ZbRugpz4ZG8OjFnUwbLdZeDJ1M6i/TVuDJjGC1JkEePjY3IvcmB7P
KtGqHmJrPnKKb84BdSQThp+WfK1E3Vmsj7bd4TdqYlvo2GWMBj/bV7CuCOQvonnB QTzGCsYKwYSeUuAKel9ueqvznNqACQ78/NC/mYy8xTMiyjnhOqOFvmlHLZLy8cFs
x27GEOCoFOn4ySIyTn3LrqGOVyRmQBELLXXCQASwWBKeruh70GN1XsfPYVxBXjWQ m0eLlEfQycwGOIPZa7xo98AZ0Ohvykqy8SBcp6JSEoWcXi//lLfG2z5agfd7bEUP
ydOTCZNqBufQzakUFdly6WyaBOr1m6p9rbW0icA17ot7tVqgC5DsvVkPlgqXgI1W X0rOKwmFL1l3w1sAUzmKTa29G8b2+rrCoKCHyByDQXyhgLa3aCx7tKS1iNwGdXmc
oMhq8KvURlsflLJJ8ovI4wrpNZfDmIXZiFGTSVRcdJF6jDEYbypN34IRi5Idf9rg emvV15+jf/xQ8FrDDZFJGRuCVyuCGphEN8VxFR2BWRjEHEsy9gRMaJlo8gIw54Oe
SsH3tSLemJG5FZdztmStGTX9zWnfsCk7ivqJJpIgj7feWIr3WD1Y9Rt9KRZpJ05c ciMEBRjT+3l9B4Qipvm8V+okrdHQ56k9AbpbsAnpyHQ6A8AN7oJ19uzBq1nzRU9p
zHnGaXJYLX378q6L03C3klBhGfzBLTikApo/dmEy3DMSgsrtQt5vF7B6w4aHd318 yE4lKNIjOIJmghvUcL8jwld6+w6iMkk7Ss0ClavTA06hWld6mDoRvfrQl+t4nogT
Gn+neiFXDxOsUVA+nFKkEPSFVR3XKzWE3TeO8AYJ80KYoywDAqeB9//p/MefeNJe xypUidp/KtILrorNEVwaCsuXrqe5AspOcr8SqA77t9+Yj6b9x8gdJNZwvcMIB9Je
AZlxqdyhUqqzW2/95RC7sznoU/zVYvQ9ORfZ1K85xjAvahGWn50q2w4OKIs/gLBE AXC4iun4BpIMdbg2beONi0Iwq+IeYOTdvpo8HKk1qrQCN4zHGaO6iZLrDFqN01DA
W7s8fkHqU71bMp7Al6Mx6RFK67x3OM1srb+jAR1OCFy4WTqPDkW7bSbQTNsAkQ== IyppFwRhJ60d5TjKweEn03KAT9oVsjN4nwpazd4JkLANXrxXX2wDYOVlnfYyng==
=NdF8 =jNoq
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097 fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

10
secrets/milkywell/secrets.yaml
View file

@ -1,6 +1,6 @@
swarsel: ENC[AES256_GCM,data:WzMlNzg5iAu823s=,iv:U8ZutlrzBqq7z445kSnvluejtta4X/0YMIIOdcQuftg=,tag:IE0WMuXlNwnBHzXtrbVHKA==,type:str] #ENC[AES256_GCM,data:VljHjyZqPvnVxhuoEMhGrWA=,iv:nCHj+sdhAOJx37fGFkRzfrK+PsEP+tRELBhnP3bfoIU=,tag:fH5QNt5TeM3K4nXkeIC4wA==,type:comment]
dnstokenfull: ENC[AES256_GCM,data:hxgxSm6pcXOEHZHdSwQkfZryFccQXrCu9idULJhWK/tQ44FyRIU4Yg==,iv:ObKf1M1qkgCltkKJX+URaPSiK5Itd3xlfBXPjf1iVak=,tag:PASR0pgBdcDYjdTZ2eEUCg==,type:str] anki-pw: ENC[AES256_GCM,data:TR3roG7I1213Lj8=,iv:bK3WIC8Q4Cm6cccXPFx4K25GRRUq7Le6bEAVdEZdNPA=,tag:LLC/agUxZT0MIKxk+TSevw==,type:str]
swarseluser: ENC[AES256_GCM,data:e/p76dBuM7eLIrO0HBeJMs8eMCAGAklGcA==,iv:r+e9GGMDCCjh1eWnB4AJMFdMuXbVXxoLMefooq0SOlE=,tag:auRo+JnwH+EardJQbKek0A==,type:str] #ENC[AES256_GCM,data:EUHyFduvRqc=,iv:RHW3wsx8P1V4hkwnrl456qMgi9uz/1qoSOg5AvqwmhM=,tag:p26hGYMn5fbuNJ7Qr98E0Q==,type:comment]
kanidm-forgejo-client: ENC[AES256_GCM,data:LuOFq+bj9TIbaN6Arz/etcjEO0WnjswJNw==,iv:eqACcjjr7usTl7Dv8HTqH53cHDa0+HV5IYN8Rh5aChg=,tag:upBfWOUOEoZRPgUtlMZE4Q==,type:str] kanidm-forgejo-client: ENC[AES256_GCM,data:LuOFq+bj9TIbaN6Arz/etcjEO0WnjswJNw==,iv:eqACcjjr7usTl7Dv8HTqH53cHDa0+HV5IYN8Rh5aChg=,tag:upBfWOUOEoZRPgUtlMZE4Q==,type:str]
sops: sops:
age: age:
@ -13,8 +13,8 @@ sops:
cUUxYkVGN0hVZ3UrNHdmSXBQbVpkNTQK7yfeX133PekxsK/2BXxsx0pxmWBcZkZY cUUxYkVGN0hVZ3UrNHdmSXBQbVpkNTQK7yfeX133PekxsK/2BXxsx0pxmWBcZkZY
UO4ZHCcZQQKMg22BY/3pPz/Ui+uUfZ7AIdLjQb6WQvUbmgz5Lb0M9w== UO4ZHCcZQQKMg22BY/3pPz/Ui+uUfZ7AIdLjQb6WQvUbmgz5Lb0M9w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-09T14:53:33Z" lastmodified: "2025-07-09T13:41:17Z"
mac: ENC[AES256_GCM,data:SphJHK+OP0IyBWAAr5FDWhg7VBdD8isL0QsswGI6bpSV/7FTRpd6Ehp+kvmCPcdTwpQlmVIyA5r7DpL0F+F0BQGFtMDnESXVldmsBVpvYL/Q62zvlCq1hsm24tLxHbBssSCCpDNq8b5uCp3qklCQCISBYEFeI28dnFapxl5YI/g=,iv:MbMYmCqhQw9O6VdjjBULa2PBciiNk7AJzSrFTnDhMaI=,tag:2VaUX28dyxhyxYVHinESzA==,type:str] mac: ENC[AES256_GCM,data:9SntfZTrKnCMwrQAncIcGO9qPXM4PT+ZWnmk0F6S0Lb2xx5O35/i39P9vYN/QMPMzKc5KmmLCzhictWvBE8mr4+17pfJBH0KgiAqaOm9Vgy8Zg79/xH4fCia8bwYDfKe5uNwvRwknM3u5/eXLNcr6MnkDspDYTusXhw/qTQav54=,iv:P+fHF35oMNP24vadFA/rAYDm6n0ieAMB43ovP+7vJCo=,tag:4gJqIhqRg+3P84aUgRIPbA==,type:str]
pgp: pgp:
- created_at: "2024-12-17T11:38:27Z" - created_at: "2024-12-17T11:38:27Z"
enc: |- enc: |-

10
secrets/moonside/secrets.yaml
View file

@ -1,6 +1,6 @@
swarsel: ENC[AES256_GCM,data:AnxZLN+3ta2Dmg0=,iv:S25Xbbj5K3tWynO4/7XGRp/+XexxoUofHjlPNDo5el8=,tag:uov6okR56P324TYA3/YN/g==,type:str] #ENC[AES256_GCM,data:HCHFN2Q=,iv:Z3tD7Hn5eudPR9DuX6etamkpNnYB/NRYGppWdyuUDuM=,tag:tbuWEFDmh4HAyksOZOihLw==,type:comment]
dnstokenfull: ENC[AES256_GCM,data:z9gi0pwfbDyHkKw8rhiGOIlaLUzepAAxQfAH4esla2NkSCx/S0VAiQ==,iv:qtCE+V4vHImViCquHwUEADEzl6dj7PB16PoRqYEgQ6o=,tag:jVfWgt3cx+bpYeMuyesjrA==,type:str] acme-dns-token: ENC[AES256_GCM,data:lW/XJCHwApvIofSZHL5h7AUPISjARfmDnpSnprDBHQYzj0u5ZlZS5A==,iv:/y3gjgC9AEU3r+l8Uq6P7DAU2C8i+qTQ9DP4t0g8ZhE=,tag:v24WRudw8NB84b3XBFupHQ==,type:str]
swarseluser: ENC[AES256_GCM,data:s09lyp9yRPJaSsDXj19s1mosF3O39Fk7Eg==,iv:tVBEFqTQPreul617EU6CfBUhz3Fmt37VAi3GzezeEmA=,tag:9sbJ465VxKoW3/q6ju7hpg==,type:str] #ENC[AES256_GCM,data:XdLlonkGBN0b,iv:wimLW/7+a4MJCVg4zazY0ogakxXjdyPNZmZt0CzpXao=,tag:rg7FEi1qaYMkCXX+dwjFLA==,type:comment]
wireguard-private-key: ENC[AES256_GCM,data:GCi+otqW06yoBKnG0WCIN4Wu9VKDsOUv8WRm240cHBnSAoW/ycd2WgDWsYY=,iv:TYj38C00fMIhg8LEGz6HPWxg11xUdwGgnxOmy+1SG9k=,tag:CQr9phCmU5it2EYjzqhAlA==,type:str] wireguard-private-key: ENC[AES256_GCM,data:GCi+otqW06yoBKnG0WCIN4Wu9VKDsOUv8WRm240cHBnSAoW/ycd2WgDWsYY=,iv:TYj38C00fMIhg8LEGz6HPWxg11xUdwGgnxOmy+1SG9k=,tag:CQr9phCmU5it2EYjzqhAlA==,type:str]
#ENC[AES256_GCM,data:u/O2rHXqOoTNpOSm,iv:hqhZC9R76P3sPkpQMximrvcTC15IM99QaRZErC9AIc4=,tag:wc2w7iwtfazlwWpnQJV63w==,type:comment] #ENC[AES256_GCM,data:u/O2rHXqOoTNpOSm,iv:hqhZC9R76P3sPkpQMximrvcTC15IM99QaRZErC9AIc4=,tag:wc2w7iwtfazlwWpnQJV63w==,type:comment]
oauth2-cookie-secret: ENC[AES256_GCM,data:cbNVAkBAWJCN4fLmkYUFhy8v9iE5fB30hFI3nTpZuVIFCnmXPBtlftI58Zg=,iv:q9xjUDOH9M4pW+9YB9dEYSqEu9gpsezbxcGbpORNljU=,tag:KoGNcssD608huewmHeJOxw==,type:str] oauth2-cookie-secret: ENC[AES256_GCM,data:cbNVAkBAWJCN4fLmkYUFhy8v9iE5fB30hFI3nTpZuVIFCnmXPBtlftI58Zg=,iv:q9xjUDOH9M4pW+9YB9dEYSqEu9gpsezbxcGbpORNljU=,tag:KoGNcssD608huewmHeJOxw==,type:str]
@ -24,8 +24,8 @@ sops:
bURRem1aY203VW0ya0tZWUY3WTJLQ3MKonflaevgNP91G1cVgzoE6/K800kyG6BK bURRem1aY203VW0ya0tZWUY3WTJLQ3MKonflaevgNP91G1cVgzoE6/K800kyG6BK
Goe81HCYFfm86pzv5wV3/38j7fTZNeZnKwPFkMgEUueF1kA8J9V5CA== Goe81HCYFfm86pzv5wV3/38j7fTZNeZnKwPFkMgEUueF1kA8J9V5CA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-28T20:39:53Z" lastmodified: "2025-07-09T13:40:12Z"
mac: ENC[AES256_GCM,data:eJf8SlsN5lxPLVnN0m+LAd6twJ2QnnmUK3h3ueAFV96oTsG7wUCJ/M/cqMGUkG3hy38OKk/BFDAHDmmjc02stWf14HiN02fm5CYjROLhJMaeXuSXOLQSPuo72s45YiKZL1x3ph//cgO3CQP+mvElywYDy4LQRTVKm9Eajq5Q/ZU=,iv:Ch9dS9Vkk8ag/3BIsxoWyJ3ksbh8oIjHZJJjoQSGGHA=,tag:PjNd3256sSb6o/6iUIjjyQ==,type:str] mac: ENC[AES256_GCM,data:B1pkubTJuLU1pCprTHtANC58sfgbvjgnDtztF4g7M4cIgj4pasrPGjOXLw5hrRwpYKffuciOogDOJx1/DekpFG0rydc5+R46saCtzGYVBEXWpH+SuaiHGBokTq0zIwnNEDpMpQ2xKTDiv3yKJBNUXOPugEYgDuvmg1wRyZ9iWBY=,iv:ZUij0KY74PEYo2IcCQoFiHFB/uOF6CxyHIpL4yJyFlg=,tag:srWW114VV3oCMjSLG9lVwA==,type:str]
pgp: pgp:
- created_at: "2025-06-13T21:18:31Z" - created_at: "2025-06-13T21:18:31Z"
enc: |- enc: |-

65
secrets/winters/secrets.yaml
View file

@ -1,51 +1,29 @@
#ENC[AES256_GCM,data:ZDHvt3C3,iv:7zsB088YWliEbEvDSaiYS/Tf54PtkQ/G/4/gSE0PbhU=,tag:YFDfhVQdYc6CnM9UaeKXXw==,type:comment] #ENC[AES256_GCM,data:2coSbGjKAg==,iv:QXAGBCUEBypVs93R6p9DpWsZ6i6VMmdlmeffQxPTGWI=,tag:2sfSIFT9W8anEunXHxP7oA==,type:comment]
smbuser: ENC[AES256_GCM,data:KWW6VBGTh/Y=,iv:laYedVHB/aK8VKKsTk8BViTG7xQ3VSCEoh0bcsZzzCE=,tag:0TBFVELPpsNhJPhvtBhCjg==,type:str] kavita-token: ENC[AES256_GCM,data:T59wnJO0CClMP+jGd6LFtIDihYxDEZ6OATN1LizmLqYyPZ0Sxqoavgm3B3VWywLEIpSXyHfH3+qZKahnUA5/3c9okEbI1X3FFkiOYM0tVHe/E3lLQhHujw==,iv:ojm6RKZbxDjnGE377tjqZ6Zu3jkR6GHpxjZ7uZ3I5Y4=,tag:Y7KliDHxx2QIWoUdLbtH1A==,type:str]
smbpassword: ENC[AES256_GCM,data:qKQQQtat2Rf6ETzb1AdxhzoD10VUi2U=,iv:yUGL4TPvFtDy7FHSQM9YfgK54ZvhnWFYQyVIQiBUzl0=,tag:aWVzJ4hVitMJRrfCaifJpg==,type:str]
smbdomain: ENC[AES256_GCM,data:hbK/MXee6gI=,iv:X+NapRDPAYqhi+CQOWSKwNpP0lCGmGe3vvKDQFkq32M=,tag:L8dDN+WgmaB1rqIes0WHKQ==,type:str]
#ENC[AES256_GCM,data:GCIBk7ouxPsX18czYCrhOQahUG3JSV83l2ujNxKQK8LAlBInFeSpjWOyYHuS2XWhYiJrW4I=,iv:jgYXl2DnDqUjLBpXjRNbxydktY65IvD2JcUb2SPwQjM=,tag:Wpnhf1NGf/AELvmPpjgM7g==,type:comment]
kavita: ENC[AES256_GCM,data:2dQNwfRXw6SPhNbP0fRaVryhc64dxJOZuMw6ZpeFzwY7LVB6Oo6PJCzfL0S+Gr3od31d6yeOo/64Z5hJ8h6rXjnkqNU/46jUpChzOfihwkNzhcJZgdFzIQ==,iv:kNxQgqjxDXvNXvlEiXfFoBs69CzuzMNB1ka/7ywxUiw=,tag:ZEwbJu/86LIKuvtfKcx2Qw==,type:str]
#ENC[AES256_GCM,data:EnKPtPHaMw==,iv:6bKMTGB7CFBGzpcXv5bq1pPoN2dcfSsQn8CIAuawAEE=,tag:B7s6b5A1W8cr+rk12sfnzw==,type:comment] #ENC[AES256_GCM,data:EnKPtPHaMw==,iv:6bKMTGB7CFBGzpcXv5bq1pPoN2dcfSsQn8CIAuawAEE=,tag:B7s6b5A1W8cr+rk12sfnzw==,type:comment]
matrixsharedsecret: ENC[AES256_GCM,data:P9dO+qmeKAtRL482s/Z4Zdmfo1KN9hB21b6zJsi4C29DQlpFwyMRwd7bCNB78I6r2NNQIdnsOtZvcy5Wy4mLCw==,iv:H7eqV7DqvGNfmwN95AjPAgecZE+xGeXMF1r/VpxAHaQ=,tag:pZB2SaxHx60Enn+ycbZ25w==,type:str] matrix-shared-secret: ENC[AES256_GCM,data:ykgD+w6nxfegBhzVZmXmuxxsf1lIdV+0OOHlEt9V7YgmFFjHPw+SUxOsGnpwfTXB6Bwo70MDC9fLMSWZxtfIlQ==,iv:LoKIuJYvdKTE7QKrbJvAaKXucesrGgCZpVfmMNt1WhA=,tag:Q8EQSF28Cx/UMCBp5k+vCg==,type:str]
mautrixtelegram_as: ENC[AES256_GCM,data:twr126P6/7zRPntbgPqpIerNgg4bw6pwmMUjyzwMlMJCdPOP3TVaaXkXccOnkyZY80U3e89WZ5MA+sIEbZb98g==,iv:92dtW8lRLXdOIx/iTmb27Er55XY6p2Rne/14TzYGfJA=,tag:zEGPFhsQCU3RniY7rC+5pw==,type:str] mautrix-telegram-as-token: ENC[AES256_GCM,data:nVragL+I4Fl0+0gG0nnSFoVt6PrDGCic8nh7AneOiJ8ktpsmq3wkuMzeg3aQkfM27HXTkkdhKBmCy/W+i9G2XA==,iv:ozhwDo8H87UCHIPEHCjWfnUtdK8L2jChz6y3NIO5j6Y=,tag:H2geLETkaUnM3xM/2Jvp7Q==,type:str]
mautrixtelegram_hs: ENC[AES256_GCM,data:C4amampQPckSWZCpYANfXjLHZV64smadRAUUlJnLNPlMUuoFja4m5rPjKdu6p2bqTAmPO92wSeCuqi2kMZycuw==,iv:h33AR1d7QA++uFC3VcJKuJmOOEvG+5zooLGhkYUMRgY=,tag:oNZXsvwWlTaoJ98BODav4w==,type:str] mautrix-telegram-hs-token: ENC[AES256_GCM,data:bsuGGKASj65MkSri1MbZDEppRlr5qXzdRnpTF9gDshj4ahpvt0R1aLyr/dIaHk+OKdDvaeJ8JHkr2AVsJxMAzQ==,iv:ESnTEmOjkkOAJTJZq4CjPtPs17dBoc06fgI4T41Z1Hs=,tag:EC6CukTgFIDzlmeuOvLIWA==,type:str]
mautrixtelegram_api_id: ENC[AES256_GCM,data:DR5GoVM2Dg==,iv:PYIHS65piMhXppV4vL54lxtsb8Mmw5BIAXkFixgfvNM=,tag:4JgwEvTckNuOmb+Jjn6IBg==,type:str] mautrix-telegram-api-id: ENC[AES256_GCM,data:GLaYJupsuA==,iv:EZ7i3jregI2puUAQbbkUK7OWA9Dnk0GdXRQuF/crD0Y=,tag:FL86Xji+YEkBPIm7m6sStw==,type:str]
mautrixtelegram_api_hash: ENC[AES256_GCM,data:M3qA63nhw5tIQfqgtnAth/O1COrtpli7dfKuC7wFGIk=,iv:uppaVZDpqY7d3LhKqO/b/3WInkiKkaDFM/gZnlPGTZA=,tag:J986Cd6p2BrEq60LYoe4iw==,type:str] mautrix-telegram-api-hash: ENC[AES256_GCM,data:vikwgZLPV7YBdKlzf8+LEUnNIMx950CfBMGXKOga2cs=,iv:16+qS4L1LEKyWQKC2+a9l4OugWLJou2I2t9oRfKjS24=,tag:zhjD2dyGkqfMQlAt/LTCzw==,type:str]
#ENC[AES256_GCM,data:3ZJfIpB7,iv:bS0q1SvUfAX8s6/R1z9IWoJ1vIitIDc2lGZUjS6P+Ao=,tag:Hc1HVrtkT6gNceN87PF/YA==,type:comment] #ENC[AES256_GCM,data:3ZJfIpB7,iv:bS0q1SvUfAX8s6/R1z9IWoJ1vIitIDc2lGZUjS6P+Ao=,tag:Hc1HVrtkT6gNceN87PF/YA==,type:comment]
dnsmail: ENC[AES256_GCM,data:fsmv/CVSpVJ2ZwBibs6PzCTKtA0g,iv:Pdy91cL2jxRLpMfzeveAbjr/mpQ+iWVPXK7eLQg6mMM=,tag:CbgTXpf6G0gz6YTjlV7AqQ==,type:str] acme-dns-token: ENC[AES256_GCM,data:QyOHnPFiNiOXBK41pr6XfG9KCWRysTxzW4cjuUesbGdFOOFi8W4lCQ==,iv:Iuc77X4t5V1xFPu2F1njo93l4oaciou7UfOLBm18gaM=,tag:+40ELYAGxaQfwiTKPPwI4w==,type:str]
dnstoken: ENC[AES256_GCM,data:mRVmT1B1xzQWLRjwJUPBoYKSzr4Np3BJiV7psARFKcOZJlBAW38ztw==,iv:YEKdzGBRlwPv0baJ28uRJvWkFSmF2+VHP5VHJtMn4nM=,tag:1S5l0HMpqvY9llveT1dTmw==,type:str]
dnstokenfull: ENC[AES256_GCM,data:nIFYEO0KMXWBQyLsfM0v7xPSCbmW9Z4qKiGVh38b3mhWklYdMtarqQ==,iv:aQfxbBolEpMkfWHC+5/c5a/xiDhlz8BfJuuKicjVCzo=,tag:LoDgjcR6/VwKVy8DubLdew==,type:str]
#ENC[AES256_GCM,data:ZbWnE+gcmtR47A==,iv:a/WxLMGb2Y+lenUfUk8c73o/QUB6ImBVRUkHQjfWoq8=,tag:7FHXVb7qBGSXv3oO5f2M1w==,type:comment] #ENC[AES256_GCM,data:ZbWnE+gcmtR47A==,iv:a/WxLMGb2Y+lenUfUk8c73o/QUB6ImBVRUkHQjfWoq8=,tag:7FHXVb7qBGSXv3oO5f2M1w==,type:comment]
paperless_admin: ENC[AES256_GCM,data:IbZxJzscc2z77RTYTBt5ZdCgtEgTSq5k0A==,iv:lrmP3rOLMuV04H+E0nsKF+KhNKAGHCFyaQnT+gg0wM0=,tag:lNbMYqAdjn0K1AhJKvhB9w==,type:str] paperless-admin-pw: ENC[AES256_GCM,data:8s2WunvnlL0xE8XNN1Re6/9nBAM57AgM9g==,iv:Pol+RjNMKpNYCQWY0BZamRnob+MO/e/14jc8uArtDz4=,tag:FXRrlhR3DpZ+7lSlXb7wsw==,type:str]
kanidm-paperless-client: ENC[AES256_GCM,data:1lpf9LzAZeAe0ZJiXPE6KRDZxhi24CQmoA==,iv:eZKA/2JJzojPDJc/I8V4tw9tA7zK9Y7wrpgLww7sigg=,tag:YjlH+hHdzJHqMBdkxTZVwQ==,type:str] kanidm-paperless-client: ENC[AES256_GCM,data:1lpf9LzAZeAe0ZJiXPE6KRDZxhi24CQmoA==,iv:eZKA/2JJzojPDJc/I8V4tw9tA7zK9Y7wrpgLww7sigg=,tag:YjlH+hHdzJHqMBdkxTZVwQ==,type:str]
#ENC[AES256_GCM,data:+dReUV9p,iv:gmVwWra3sP+9I0KVxzTXGzdbZEyRiT7p2BwE34ZDttM=,tag:jse7bGtSva6llqjSOCY/KA==,type:comment] #ENC[AES256_GCM,data:RamYuA==,iv:4/LaPYi4hIvg2/ftF8Dh5eEVrsgtuOkmB75Cpm5oHJc=,tag:blCudo/EVHesDdUs1nLBhQ==,type:comment]
mpdpass: ENC[AES256_GCM,data:OXDL8eyfBpX2gXB8aODahA5wNK7laaCQUg==,iv:zSQUtu1j+Z7SnYMA3jNvIFbG9LEbiB7uJ4y9xEmnvJY=,tag:ZKgtccYWT/k4q6Qc2y5WEg==,type:str] mpd-pw: ENC[AES256_GCM,data:/j++A2IrOwNse4+lvq7OI3Wde4KsdQ5UkQ==,iv:e0mjQyeefB3FFVsYQvTtjO9mewlmtQ8pl7O/ZmEllSU=,tag:SwbWBN8PqUrXTpKILhLquw==,type:str]
#ENC[AES256_GCM,data:pn5jSPCWhDl+,iv:f7dyv+83dT3azAuY+/+6i/KzX2a4JIEi+PLeYamORmg=,tag:c5doNQBt6A7fRXl26dWsEg==,type:comment]
username: ENC[AES256_GCM,data:ONoDSJL0VTqts6n8yAEwOPFyJFbC,iv:soHSy4FV0JiXNqqj/zL+52e9tGOKOtG3iCni8FQpTBk=,tag:1iHXNP0l5fQ0S3wUZrFWbg==,type:str]
password: ENC[AES256_GCM,data:xFb/oOmzJmUN37Q=,iv:Jb/gAWJdHOm+8Nd2r3CyXeH72ex11L3AqcjbkZMs/oE=,tag:Zx3As+yV3N3R0njzGzRLhg==,type:str]
#ENC[AES256_GCM,data:hEEbuFI=,iv:wO77BmvRu5EgQPKQZTQm4nd4Hr0AG5Ws6QQzjclen4I=,tag:ZU31DwdIbsQHBlNPLhFldg==,type:comment]
swarsel: ENC[AES256_GCM,data:20UAUTx54IX7LV4=,iv:odWk+VMnMahH8Uue21S8PAv9mW6T5c1eUjftZMe4JJw=,tag:gLnjqQsHWmkytpq6x4iIEQ==,type:str]
#ENC[AES256_GCM,data:MKBsVnZ42nZ+9Xy0Cg==,iv:Myk1h9p6zGLiW6/UHkI9yLKb+HKY+wH5AcqAoQVBppM=,tag:Cu9TkUZTs6qZ6htxQpHEbA==,type:comment]
vpnuser: ENC[AES256_GCM,data:NipHQzuXa2o=,iv:3SnaJGVpcazJYQmbqgKv33ZfZBBQ+N+A8OzXNN9ayNU=,tag:IWrIoWJiMYEyI1Xhrcb2uQ==,type:str]
rpcuser: ENC[AES256_GCM,data:o1BipxnQTg==,iv:edlFbnE20p6ub/N1Ko/wplMwNQRsB6yNaJ6h8cI/1QE=,tag:1XwbOzO/QF0KJpwkSy0B0A==,type:str]
vpnpass: ENC[AES256_GCM,data:fnnvxcRXM5AsnA==,iv:OP4A1qyyUc73zUB4+5wJ4yk+xff4WEFDDWrBldFn9QE=,tag:/L4GXKpIL4Mhb29wZTj5Wg==,type:str]
rpcpass: ENC[AES256_GCM,data:2kHNLnsSsndOZ6xaKFY0QQFD3i43NOt2,iv:8IQEIgPdRT6gqkPZsrs5c5D0iamUaZGrWNag4fDoUkU=,tag:R5d1uMGwvxFt0i2Y1DPmbA==,type:str]
vpnprot: ENC[AES256_GCM,data:/NV2,iv:wVvlcdisq2PdLeNpaxE7cwBsKEJgoi/MAmWoTgHFMbQ=,tag:9wZXcI1AsSH/mHUFwiwRGw==,type:str]
vpnloc: ENC[AES256_GCM,data:U8ModKho4vSHnMo9BOE978V6ZlMeQEoLaFW/,iv:Sw06YsWSZ4tGt/TRhRGkU4KdLBcmZTCY4mGqQbpEh7Q=,tag:kDoTkpzXZKEUIa1CSh3Pwg==,type:str]
#ENC[AES256_GCM,data:yp7ApA4YLSk=,iv:O/SQxKe9EWqExHbeKsTXvbst0pjCxy3yiOjmeCVjmdY=,tag:RMkAOLOLCodnPSDEuImwRw==,type:comment]
swarseluser: ENC[AES256_GCM,data:XvmOHYFNhb/bAYAZ/kmUWbbmRy/WrxSYri/Y5k+SH4N7ZIjuZDHOkWk93ERFuTb77HvhbPX/NRQraUoJoFsxGGg5co/gJnyfRg==,iv:J50PeDcC4PM3+yQ/YQNb8TW4kubwi2kjjSFU0RVFM30=,tag:ydLYkz1YKyguGZZZD/JcLA==,type:str]
#ENC[AES256_GCM,data:7UtHAqAZLmzT,iv:xBbdv1aHFrSc5/H6o3VujZdtAN7JwHbpckDcoZ5z78M=,tag:0ZEFJcPa6RIwv+kIgNHj4A==,type:comment] #ENC[AES256_GCM,data:7UtHAqAZLmzT,iv:xBbdv1aHFrSc5/H6o3VujZdtAN7JwHbpckDcoZ5z78M=,tag:0ZEFJcPa6RIwv+kIgNHj4A==,type:comment]
nextcloudadminpass: ENC[AES256_GCM,data:ZOCsu4/ijfheBfY9ZR5DBXSB,iv:bNlTLKQblnt2eYJqVgXwCaGAyAw2yhlb9Whsz0LBhm4=,tag:VQAWP/b8IghzXDFLJxXZ4Q==,type:str] nextcloud-admin-pw: ENC[AES256_GCM,data:PN1K4gyosG9YQUbXrLt7okDe,iv:HpAQOmTXnixm3cd/gNOzICrR4xoSKxsYWavJReKnhvM=,tag:KhCQ+8HpTaFfzn7dFSwE+Q==,type:str]
kanidm-nextcloud-client: ENC[AES256_GCM,data:RJ5XSYvnJS6r2zzs2SOBZYx+GV7EVjB7XQ==,iv:KfinHenUiYgWrZtMBSGTuVUd5aZlfxvM7Rf8ocFv64k=,tag:WiknAlc29ohsLwnBCXzHpQ==,type:str] kanidm-nextcloud-client: ENC[AES256_GCM,data:RJ5XSYvnJS6r2zzs2SOBZYx+GV7EVjB7XQ==,iv:KfinHenUiYgWrZtMBSGTuVUd5aZlfxvM7Rf8ocFv64k=,tag:WiknAlc29ohsLwnBCXzHpQ==,type:str]
#ENC[AES256_GCM,data:dyEwvFDSvI0=,iv:4LPFthS73mIYQt6MRLBTeNxCwKnJGc7sNFJfZCpMU3Y=,tag:X2mBwG1++2gcFIOi/xIgFA==,type:comment] #ENC[AES256_GCM,data:dyEwvFDSvI0=,iv:4LPFthS73mIYQt6MRLBTeNxCwKnJGc7sNFJfZCpMU3Y=,tag:X2mBwG1++2gcFIOi/xIgFA==,type:comment]
grafanaadminpass: ENC[AES256_GCM,data:TBu0WOdvE+9CAH8EVm8=,iv:/usKOYscSXpo8tiSV/Las9eucBeYnpwG5DM9gJg8bfU=,tag:/LZqwuPWQyjSZURnsqq3hA==,type:str] grafana-admin-pw: ENC[AES256_GCM,data:FBF/YEPTL7HAfLybMqg=,iv:SctfD7uRKeclHr7R831Ns87/ASCfhFE0yfDQrNxWOMU=,tag:UuaSMMs/y4h4ASueseywYA==,type:str]
prometheus-admin-pw: ENC[AES256_GCM,data:onPtYsfFbE1LFRpeDC5ipGJ7xnLRLbAPqQ==,iv:CDxzBfIzgF9naCQ0UDyTYWQGZ/J0Noia56YASsHLz3I=,tag:xs+PiGk5dfvUpGXVsDnAFQ==,type:str]
kanidm-grafana-client: ENC[AES256_GCM,data:tV25k0XoFZ9wLF0UWvAabgigayowr3wo0g==,iv:p0y/UyIrFBTvWZKHbfdOSEpbMun7dZ8FyB5W7VS0oSY=,tag:+jKD+d9cRGKJkapGYxUEnw==,type:str] kanidm-grafana-client: ENC[AES256_GCM,data:tV25k0XoFZ9wLF0UWvAabgigayowr3wo0g==,iv:p0y/UyIrFBTvWZKHbfdOSEpbMun7dZ8FyB5W7VS0oSY=,tag:+jKD+d9cRGKJkapGYxUEnw==,type:str]
prometheusadminpass: ENC[AES256_GCM,data:NYUbSnAl0f3FUtvCjvJHFr2wMRsVsbVIeg==,iv:TP4NMwJsft8aEixxJBJCX/0I6BJVBnltFYJDKuXq1hM=,tag:yMY+KZsRjbn8ItgKgjzqSA==,type:str]
#ENC[AES256_GCM,data:QnIF/xhWguX5tw==,iv:yTUBtPaZk6BXi+SC1P/OOtnc2x9UZ/jXirD5oaxhyQY=,tag:c33L5r5BaPZN6zkwduBCwQ==,type:comment] #ENC[AES256_GCM,data:QnIF/xhWguX5tw==,iv:yTUBtPaZk6BXi+SC1P/OOtnc2x9UZ/jXirD5oaxhyQY=,tag:c33L5r5BaPZN6zkwduBCwQ==,type:comment]
fresh: ENC[AES256_GCM,data:aPF8D96BvgDXhcc=,iv:Ubq3/sUmBipRanLgkAXXeAfXAz51AuR+NojMifsy8S0=,tag:mHf0YYYxulLXAIByqmnOsA==,type:str] freshrss-pw: ENC[AES256_GCM,data:GU5rHmJCAb27pWo=,iv:f1YcUsf2jznGAk0zSX3L01lbB9kXiFKAKSgB/RMaq0U=,tag:xsB1QxhDQPX/B2VJV3Wi9g==,type:str]
freshrss-oidc-crypto-key: ENC[AES256_GCM,data:FvkaTTfOIo2wn5SnOCiMqy/g/4vcjSX7BjX6GIJrPsQUkqWHvL4LmQ==,iv:930d5Cgb6jly8NAdr21XO0lkWWCXujCho6fW+RYNlRI=,tag:fidIhKA25mwsxpORJOVeTA==,type:str]
kanidm-freshrss-client: ENC[AES256_GCM,data:jBplXWOX/mRTQf6cKmP3C5PZJoBAmb3mhg==,iv:5hcLNGuEQ0T9FiczznGKMul38Ftv8PmG3q0Vaao10oI=,tag:tpx+EDvA31HCnG1/XJOBWg==,type:str] kanidm-freshrss-client: ENC[AES256_GCM,data:jBplXWOX/mRTQf6cKmP3C5PZJoBAmb3mhg==,iv:5hcLNGuEQ0T9FiczznGKMul38Ftv8PmG3q0Vaao10oI=,tag:tpx+EDvA31HCnG1/XJOBWg==,type:str]
oidc-crypto-key: ENC[AES256_GCM,data:O48Va8j2L/GDdTZRQEtVsoy1jsZSCLx0IxFYnCBGhoGRwDW+t0LKPw==,iv:DLCeGhRqRp/JfFaY3vva86OzMwGlcXxiBbQ4Tayjyq4=,tag:We5W8cIntW3D/5vdC/t8IA==,type:str]
#ENC[AES256_GCM,data:+lbLElpVOYo=,iv:DaVuudlnW+vy2PZOs9eiwZhOyILnqEX9KUehFlX2gWE=,tag:lvM6r0JM0DZir4y7iVTeKg==,type:comment]
kanidm-forgejo-client: ENC[AES256_GCM,data:pitJ6re5xm2w1MSs5Ul7Tl1/H1KSR7Ps7w==,iv:4k8/cxpLqWxCgJuk/y9K3OAMCkzu8gb8CDxY+gUuOvg=,tag:OocTFS54teDUfHaHAHZiHw==,type:str]
#ENC[AES256_GCM,data:Ur0/rfBv5g==,iv:eH+KbbkmtBWbobqAIUFF0jIrGhbHnk9g8hLZoxE3swI=,tag:3dnoA+O5GXW5Dvxcx4jiTw==,type:comment] #ENC[AES256_GCM,data:Ur0/rfBv5g==,iv:eH+KbbkmtBWbobqAIUFF0jIrGhbHnk9g8hLZoxE3swI=,tag:3dnoA+O5GXW5Dvxcx4jiTw==,type:comment]
resticpw: ENC[AES256_GCM,data:0oHhUFH+2W7FONA=,iv:jT6o3H4pIkGTANriDVCBvnOsc/XITEGCayb6A86NlGg=,tag:qU3tAvIWFSFIf1krWAJ0+Q==,type:str] resticpw: ENC[AES256_GCM,data:0oHhUFH+2W7FONA=,iv:jT6o3H4pIkGTANriDVCBvnOsc/XITEGCayb6A86NlGg=,tag:qU3tAvIWFSFIf1krWAJ0+Q==,type:str]
resticaccesskey: ENC[AES256_GCM,data:3EshJOZpoHqGrKdERYBtUcQZ6taZEe8PBA==,iv:3np3ASFhJrYT1ig3uSpb48lSdZOFl9kFyLJSkYHBnqo=,tag:TqjgnO1XRPZUGjLI20FqUg==,type:str] resticaccesskey: ENC[AES256_GCM,data:3EshJOZpoHqGrKdERYBtUcQZ6taZEe8PBA==,iv:3np3ASFhJrYT1ig3uSpb48lSdZOFl9kFyLJSkYHBnqo=,tag:TqjgnO1XRPZUGjLI20FqUg==,type:str]
@ -60,14 +38,15 @@ kanidm-grafana: ENC[AES256_GCM,data:61PEA1fBcaRy8+x0dn9WrH9P0D+NOkbeZw==,iv:kbR3
kanidm-nextcloud: ENC[AES256_GCM,data:9FjsOzBos18ouHBeuzrzHIpCDowFt0Aktw==,iv:iqUQUsWsO5N+KZqHyqNxMxSija/yPrrrAqvz4b1NG1M=,tag:/WC3wg/eYXV3hLJPRVWLog==,type:str] kanidm-nextcloud: ENC[AES256_GCM,data:9FjsOzBos18ouHBeuzrzHIpCDowFt0Aktw==,iv:iqUQUsWsO5N+KZqHyqNxMxSija/yPrrrAqvz4b1NG1M=,tag:/WC3wg/eYXV3hLJPRVWLog==,type:str]
kanidm-oauth2-proxy: ENC[AES256_GCM,data:DQ5tj7N+P1b8vFnF+MGhaUBvbVQoE4sVhQ==,iv:Xy4bdi8fSFuFHsQKgZ3PswFFYsqtiAeqeSRam1k/H0E=,tag:9W4LRPPYtDOrSpxRDK/7sg==,type:str] kanidm-oauth2-proxy: ENC[AES256_GCM,data:DQ5tj7N+P1b8vFnF+MGhaUBvbVQoE4sVhQ==,iv:Xy4bdi8fSFuFHsQKgZ3PswFFYsqtiAeqeSRam1k/H0E=,tag:9W4LRPPYtDOrSpxRDK/7sg==,type:str]
kanidm-freshrss: ENC[AES256_GCM,data:4y0X3sSOfs5pKNCmZGJhxlAKH7GD1UACdw==,iv:LuQQCfOpsTqglwQvohHMFpNGaOjoZ8PKDgG50qBP02k=,tag:Z5mVYP/9nToerQ1qui1eWQ==,type:str] kanidm-freshrss: ENC[AES256_GCM,data:4y0X3sSOfs5pKNCmZGJhxlAKH7GD1UACdw==,iv:LuQQCfOpsTqglwQvohHMFpNGaOjoZ8PKDgG50qBP02k=,tag:Z5mVYP/9nToerQ1qui1eWQ==,type:str]
#ENC[AES256_GCM,data:5wFeVBBdeDlAHZwUdA==,iv:mAmgS9gbPklWPFu425MPngjGm3SNGnUSNyR5oG4EK+E=,tag:nNUTTbs+aWAU1qNgtTsBgA==,type:comment]
oauth2-cookie-secret: ENC[AES256_GCM,data:l8BPYA7t9NG9MPFs/LDlFHqwbnwsvie7FM5v613358E+jLf2wD+tipyUb6c=,iv:1kZ6G6Z0cSQS53kc/hygh/1Ke491agWDlYHR9Yq0jT0=,tag:mi7Un2JBnrq1dnP3jZX4ng==,type:str]
kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:+mcA/sz3AZuw+I44iIdOEfDmtjEVdxi2fg==,iv:m4NpieUicS7xsR+F5AgPqkcUFRF+CGOA8IK6GeS9tgM=,tag:1wypxpiHPdQBD8Td/PSdMw==,type:str]
#ENC[AES256_GCM,data:M9U+Mr1cAhlt7NpW,iv:LY19BZEwDdQD1Nhbmgdt9/9VNJjcTkOGP7SwEDE3Xwk=,tag:TlYrhu5dBj1D+Qd72r7Ofg==,type:comment] #ENC[AES256_GCM,data:M9U+Mr1cAhlt7NpW,iv:LY19BZEwDdQD1Nhbmgdt9/9VNJjcTkOGP7SwEDE3Xwk=,tag:TlYrhu5dBj1D+Qd72r7Ofg==,type:comment]
firefly-iii-app-key: ENC[AES256_GCM,data:hzgl8eRL0irNRP5TO7G1rNtNM7fXCkmbcaX4QoTsM0xA1rgyKwiy6a4lYDjoXZyOMy5p,iv:q5eepIELwIecyQ56A6THUOu+rebK3irKVYb7/gNHlU8=,tag:+M/KTX1JzPzXeK4TRzW42w==,type:str] firefly-iii-app-key: ENC[AES256_GCM,data:hzgl8eRL0irNRP5TO7G1rNtNM7fXCkmbcaX4QoTsM0xA1rgyKwiy6a4lYDjoXZyOMy5p,iv:q5eepIELwIecyQ56A6THUOu+rebK3irKVYb7/gNHlU8=,tag:+M/KTX1JzPzXeK4TRzW42w==,type:str]
#ENC[AES256_GCM,data:mBlfyJvQyrhTnpkJ,iv:hHnTCsHfzCgKuBO82JjNbjYYjWV8e7+0VRkbTGw+WRE=,tag:7Dp77Q2VjWJM5LydvpbJnQ==,type:comment] #ENC[AES256_GCM,data:mBlfyJvQyrhTnpkJ,iv:hHnTCsHfzCgKuBO82JjNbjYYjWV8e7+0VRkbTGw+WRE=,tag:7Dp77Q2VjWJM5LydvpbJnQ==,type:comment]
koillection-env-file: ENC[AES256_GCM,data:X1dndR7XIhGCwbRQzET5MbzW71PT7WmyryNbOhCKx2I=,iv:bP/90aJT+eA8EmwoFZ7uXxOWfOprpHfc9CvL/A9Os5M=,tag:ZxFDInJBtFrulvOL9PwNJQ==,type:str] koillection-env-file: ENC[AES256_GCM,data:X1dndR7XIhGCwbRQzET5MbzW71PT7WmyryNbOhCKx2I=,iv:bP/90aJT+eA8EmwoFZ7uXxOWfOprpHfc9CvL/A9Os5M=,tag:ZxFDInJBtFrulvOL9PwNJQ==,type:str]
koillection-db-password: ENC[AES256_GCM,data:5Ue4l8CMZpjRpcryEtzPyR2Zf7M=,iv:Ol/G6nFY5H/SIY7l4o5woqFVeLfnv3FJfaAZIqI4NHA=,tag:hYorZv2nyLvsJ8AT2xTkBA==,type:str] koillection-db-password: ENC[AES256_GCM,data:5Ue4l8CMZpjRpcryEtzPyR2Zf7M=,iv:Ol/G6nFY5H/SIY7l4o5woqFVeLfnv3FJfaAZIqI4NHA=,tag:hYorZv2nyLvsJ8AT2xTkBA==,type:str]
#ENC[AES256_GCM,data:oTo0OgB8QQyPVxzEoEw38eM=,iv:V8UJrZvlAEUVxajLjty56LoiHqi9mvX2NxlZeYr0P0g=,tag:gSiHry8iRcYWAFi5Lt1GiQ==,type:comment]
anki-pw: ENC[AES256_GCM,data:h4RBhKV6ZzDQk7s=,iv:r21zH3sDKwRxfi8A1DPNEVhKTbb35qWv2mTGaXJxynM=,tag:kT4pVhz6pHxyBZ0iXdGx7w==,type:str]
#ENC[AES256_GCM,data:5jJoV7vZl1A=,iv:Uc9/nyvdzgH6USVxhDhVs6aDqy/k9D53AJP2AvTj3ZQ=,tag:K4zDz5RoLuHevTeLqxw/XQ==,type:comment]
kanidm-forgejo-client: ENC[AES256_GCM,data:2iXE/dmOQtY2NEsBgDqkqwD/brF0vJs+Ag==,iv:PBQ03z/E6R+u7Y56fPzJSnsoCa5PUYSiezZFOMLz4eo=,tag:jThgOC6h2hHJUclDju/MtQ==,type:str]
sops: sops:
age: age:
- recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
@ -79,8 +58,8 @@ sops:
MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl
qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA== qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-01T23:25:43Z" lastmodified: "2025-07-09T20:28:09Z"
mac: ENC[AES256_GCM,data:TS1UWyZGQ1zgzHGVlcWhWgWgo56zaSbhcB3KryS6Ya5clgyFt4vY0R4dC+uYnjmY1QCXAFPVLQU24ufKFDz94fEm0sQCPEWF2d1n156IpMce4wtCUqc0sXJOqTI3OA8ty91EWSUXTaapXEG2Pd9MSKr6XXpAVVbhzXKU1rFd1zc=,iv:xeOThqJ0tWUu55O8JAQMi0D6YzkrrHe7AshSATgpQ2U=,tag:VvtzsK1/06BD39bfQUr7Mg==,type:str] mac: ENC[AES256_GCM,data:tLAljNEDR4Ab27OXVJhvDuGmfuxE/L9KSFsJGDo25Vs3P56/HnjrI77y+ytLuf2sK/OHup7jXnlwBWUDAfNWIQzUdjIBtr/OiggkPHgWhr4rH55ayLM1IfZU1ex6MPvliz2yi0nU6jqHXoSlBCqu+hdfyTQri1EmZ9Bh811YDqs=,iv:4VmwBcmQIjQ16mwxYjgud3OUjQE0rH0wN72sAXXs3to=,tag:OQNYvxLZg+0hapvUYsexuA==,type:str]
pgp: pgp:
- created_at: "2024-12-17T16:24:32Z" - created_at: "2024-12-17T16:24:32Z"
enc: |- enc: |-