diff --git a/SwarselSystems.org b/SwarselSystems.org index 6c28513..2fe8f77 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -51,7 +51,7 @@ This project manages my entire IT infrastructure. In particular: - My work workstation ([[#h:ced1795a-9884-4277-bcde-6f7b9b1cc2f0][Treehouse (DGX Spark)]]) - My phone ([[#h:729af373-37e7-4379-9a3d-b09792219415][Magicant (Phone)]]) - This is a system that grew organically over {{{days-since(2021,11,27)}}} days and has reached considerable complexity at this point. This documents exists to try and make it understandable to other people as well. + This is a system that grew organically over {{{days-since(2021,11,27)}}} days (as of {{{revision-date}}}) and has reached considerable complexity at this point. This documents exists to try and make it understandable to other people as well. ** How to use this document :PROPERTIES: @@ -3149,7 +3149,6 @@ This exposes all of my modular configuration as modules. Other people can use th inputs.disko.nixosModules.disko inputs.home-manager.nixosModules.home-manager inputs.impermanence.nixosModules.impermanence - inputs.lanzaboote.nixosModules.lanzaboote inputs.microvm.nixosModules.host inputs.microvm.nixosModules.microvm inputs.nix-index-database.nixosModules.nix-index @@ -3166,6 +3165,7 @@ This exposes all of my modular configuration as modules. Other people can use th inputs.noctoggle.nixosModules.default (inputs.nixos-extra-modules + "/modules/guests") (inputs.nixos-extra-modules + "/modules/interface-naming.nix") + "${self}/hosds/nixos/${arch}/${configName}" "${self}/profiles-clone/nixos" "${self}/modules-clone/nixos" { @@ -8692,6 +8692,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru }; includes = [ den.provides.define-user + den.provides.nixpkgs ]; }; }; 
@@ -8703,13 +8704,35 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru #+begin_src nix-ts :tangle aspects/shared.nix { den = { - schema.conf = { lib, ... }: { - options = { - isPublic = lib.mkEnableOption "mark this as a public config (= without secrets)"; - isMicroVM = lib.mkEnableOption "mark this config as a microvm"; - mainUser = lib.mkOption { - type = lib.types.str; - default = "swarsel"; + schema = { + host = { lib, ... }: { + + }; + conf = { config, lib, ... }: { + options = { + isPublic = lib.mkEnableOption "mark this as a public config (= without secrets)"; + isMicroVM = lib.mkEnableOption "mark this config as a microvm"; + mainUser = lib.mkOption { + type = lib.types.str; + default = "swarsel"; + }; + node = { + secretsDir = lib.mkOption { + description = "Path to the secrets directory for this node."; + type = lib.types.path; + default = ../hosts/${config.class}/${config.system}/${config.name}/secrets; + }; + configDir = lib.mkOption { + description = "Path to the base directory for this node."; + type = lib.types.path; + default = ../hosts/${config.class}/${config.system}/${config.name}; + }; + lockFromBootstrapping = lib.mkOption { + description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap."; + type = lib.types.bool; + default = true; + }; + }; }; }; }; 
@@ -10013,6 +10036,94 @@ This is the battery for PII +#+end_src +**** Boot + +#+begin_src nix-ts :tangle aspects/boot.nix + { inputs, ...}: + { + den.aspects.boot = { lib, pkgs, ... }: { + nixos = { + imports = [ + inputs.lanzaboote.nixosModules.lanzaboote + ]; + + environment.systemPackages = [ + pkgs.sbctl + ]; + + boot = { + lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + configurationLimit = 6; + }; + }; + }; + }; + } +#+end_src +**** nixpkgs + +#+begin_src nix-ts :tangle aspects/nixpkgs.nix + { self, den, lib, ... }: + let + nixpkgsModule = from: + let + config = if (from ? host) then from.host else if (from ? home) then from.home else { }; + in + { + nixpkgs = { + overlays = [ + self.outputs.overlays.default + self.outputs.overlays.stables + self.outputs.overlays.modifications + ] ++ lib.optionals ((from ? user) || (from ? home)) [ + (final: prev: + let + additions = final: _: import "${self}/pkgs/config" { + inherit self config lib; + pkgs = final; + homeConfig = if (from ? user) then from.user else if (from ? home) then from.home else { }; + }; + in + additions final prev + ) + ]; + config = lib.mkIf (!config.isMicroVM) { + allowUnfree = true; + }; + }; + }; + + hostAspect = + { host }: + { + ${host.class} = nixpkgsModule { inherit host; }; + }; + + hostUserAspect = + { host, user }: + { + ${host.class} = nixpkgsModule { inherit host user; }; + }; + + homeAspect = + { home }: + { + ${home.class} = nixpkgsModule { inherit home; }; + }; + + in + { + den.provides.nixpkgs = den.lib.parametric.exactly { + includes = [ + hostAspect + hostUserAspect + homeAspect + ]; + }; + } #+end_src *** Hosts **** Pyramid 
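Review bot: The `aspects/boot.nix` source block added here declares `den.aspects.boot = { lib, pkgs, ... }: {`, while the tangled `aspects/boot.nix` in this same commit has `{ pkgs, ... }:`, so the Org file and its tangled output already disagree. The same drift shows in the `aspects/shared.nix` block (`host = { lib, ... }: { };` in the Org hunk versus `host = _: { };` in the file) and in the Pyramid block, which keeps `nixos = { self, inputs, lib, ... }:` where the file has `{ self, lib, ... }:`. If the tangled files were cleaned up by a linter after tangling, the next tangle will presumably undo that. I would apply the same edits to the source blocks, e.g. `den.aspects.boot = { pkgs, ... }: {`, so the Org file stays the single source of truth.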
@@ -10020,31 +10131,13 @@ This is the battery for PII #+begin_src nix-ts :tangle aspects/hosts/pyramid.nix { mkNixos, lib, den, ... }: let - hostContext = { host }: + hostContext = { host, ... }: let inherit (host) mainUser; in { nixos = { self, inputs, lib, ... }: { - imports = [ - inputs.nixos-hardware.nixosModules.framework-16-7040-amd - - "${self}/hosts/nixos/x86_64-linux/pyramid/disk-config.nix" - "${self}/hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix" - - "${self}/modules/nixos/optional/amdcpu.nix" - "${self}/modules/nixos/optional/amdgpu.nix" - "${self}/modules/nixos/optional/framework.nix" - "${self}/modules/nixos/optional/gaming.nix" - "${self}/modules/nixos/optional/hibernation.nix" - "${self}/modules/nixos/optional/nswitch-rcm.nix" - "${self}/modules/nixos/optional/virtualbox.nix" - "${self}/modules/nixos/optional/work.nix" - "${self}/modules/nixos/optional/niri.nix" - "${self}/modules/nixos/optional/noctalia.nix" - ]; - topology.self = { interfaces = { eth1.network = lib.mkForce "home"; @@ -10099,7 +10192,7 @@ This is the battery for PII }; }; }; - } // lib.optionalAttrs (!minimal) { + } // { swarselprofiles = { personal = true; }; @@ -10117,6 +10210,7 @@ This is the battery for PII includes = [ hostContext den.aspects.work + den.aspects.boot ]; }; } diff --git a/aspects/boot.nix b/aspects/boot.nix new file mode 100644 index 0000000..13b124a --- /dev/null +++ b/aspects/boot.nix @@ -0,0 +1,22 @@ +{ inputs, ... }: +{ + den.aspects.boot = { pkgs, ... }: { + nixos = { + imports = [ + inputs.lanzaboote.nixosModules.lanzaboote + ]; + + environment.systemPackages = [ + pkgs.sbctl + ]; + + boot = { + lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + configurationLimit = 6; + }; + }; + }; + }; +} diff --git a/aspects/defaults.nix b/aspects/defaults.nix index 21de37d..13d9cc7 100644 --- a/aspects/defaults.nix +++ b/aspects/defaults.nix @@ -13,6 +13,7 @@ }; includes = [ den.provides.define-user + den.provides.nixpkgs ]; }; }; 
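Review bot: `aspects/boot.nix` sets `boot.lanzaboote.enable = true` without `boot.loader.systemd-boot.enable = lib.mkForce false;`, which lanzaboote's setup instructions pair with it because lanzaboote takes over from the systemd-boot module. Unless that is set somewhere outside this diff, I would add it to the aspect so that including `den.aspects.boot` is sufficient on its own. `pkiBundle = "/var/lib/sbctl"` is where the Secure Boot signing keys live, so it deserves a comment such as `# signing keys: keep root-only and persist this path on impermanence hosts`. The aspect enables Secure Boot unconditionally, so it should only be listed in `includes` for hosts that have enrolled keys.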
diff --git a/aspects/hosts/pyramid.nix b/aspects/hosts/pyramid.nix index b1dafe0..5a6b89f 100644 --- a/aspects/hosts/pyramid.nix +++ b/aspects/hosts/pyramid.nix @@ -1,29 +1,11 @@ { mkNixos, lib, den, ... }: let - hostContext = { host }: + hostContext = { host, ... }: let inherit (host) mainUser; in { - nixos = { self, inputs, lib, ... }: { - - imports = [ - inputs.nixos-hardware.nixosModules.framework-16-7040-amd - - "${self}/hosts/nixos/x86_64-linux/pyramid/disk-config.nix" - "${self}/hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix" - - "${self}/modules/nixos/optional/amdcpu.nix" - "${self}/modules/nixos/optional/amdgpu.nix" - "${self}/modules/nixos/optional/framework.nix" - "${self}/modules/nixos/optional/gaming.nix" - "${self}/modules/nixos/optional/hibernation.nix" - "${self}/modules/nixos/optional/nswitch-rcm.nix" - "${self}/modules/nixos/optional/virtualbox.nix" - "${self}/modules/nixos/optional/work.nix" - "${self}/modules/nixos/optional/niri.nix" - "${self}/modules/nixos/optional/noctalia.nix" - ]; + nixos = { self, lib, ... }: { topology.self = { interfaces = { @@ -55,7 +37,7 @@ let }; }; - home-manager = { lib, minimal, ... }: { + home-manager = _: { users."${mainUser}" = { swarselsystems = { isSecondaryGpu = true; @@ -79,7 +61,7 @@ let }; }; }; - } // lib.optionalAttrs (!minimal) { + } // { swarselprofiles = { personal = true; }; @@ -99,6 +81,7 @@ lib.recursiveUpdate includes = [ hostContext den.aspects.work + den.aspects.boot ]; }; } diff --git a/aspects/nixpkgs.nix b/aspects/nixpkgs.nix new file mode 100644 index 0000000..7333f49 --- /dev/null +++ b/aspects/nixpkgs.nix 
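Review bot: In `aspects/hosts/pyramid.nix` the guard `} // lib.optionalAttrs (!minimal) {` becomes `} // {`, which leaves a shallow merge of two literal attribute sets; `//` silently lets the right-hand side replace any top-level key both sides define. `swarselprofiles.personal = true` now also applies when `minimal` is set, while other hosts in this commit keep the `minimal` guard. If dropping the guard is intended, I would fold the right-hand attributes into the first set and remove the `//`. The first hunk also removes the imports of `disk-config.nix`, `hardware-configuration.nix`, the nixos-hardware Framework module and the optional modules (`hibernation.nix`, `virtualbox.nix`, …) with no replacement in the lines shown here. Presumably a `hosds/nixos/x86_64-linux/pyramid` module picks them up, which is worth confirming before this host is rebuilt.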
@@ -0,0 +1,58 @@
+{ self, den, lib, ... }:
+let
+ nixpkgsModule = from:
+ let
+ config = if (from ? host) then from.host else if (from ? home) then from.home else { };
+ in
+ {
+ nixpkgs = {
+ overlays = [
+ self.outputs.overlays.default
+ self.outputs.overlays.stables
+ self.outputs.overlays.modifications
+ ] ++ lib.optionals ((from ? user) || (from ? home)) [
+ (final: prev:
+ let
+ additions = final: _: import "${self}/pkgs/config" {
+ inherit self config lib;
+ pkgs = final;
+ homeConfig = if (from ? user) then from.user else if (from ? home) then from.home else { };
+ };
+ in
+ additions final prev
+ )
+ ];
+ config = lib.mkIf (!config.isMicroVM) {
+ allowUnfree = true;
+ };
+ };
+ };
+
+ hostAspect =
+ { host }:
+ {
+ ${host.class} = nixpkgsModule { inherit host; };
+ };
+
+ hostUserAspect =
+ { host, user }:
+ {
+ ${host.class} = nixpkgsModule { inherit host user; };
+ };
+
+ homeAspect =
+ { home }:
+ {
+ ${home.class} = nixpkgsModule { inherit home; };
+ };
+
+in
+{
+ den.provides.nixpkgs = den.lib.parametric.exactly {
+ includes = [
+ hostAspect
+ hostUserAspect
+ homeAspect
+ ];
+ };
+}
diff --git a/aspects/shared.nix b/aspects/shared.nix
index 831349f..40325b2 100644
--- a/aspects/shared.nix
+++ b/aspects/shared.nix
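Review bot: `nixpkgsModule` binds `config` to `{ }` when `from` has neither `host` nor `home`, but `config.isMicroVM` is then read unconditionally in `lib.mkIf (!config.isMicroVM)`, so that fallback can only end in a missing-attribute error. All three callers in this file pass `host` or `home`, so the problem is latent; either drop the `else { }` branch or read the flag defensively with `lib.mkIf (!(config.isMicroVM or false))`. The local name also shadows the conventional module argument `config` and sits right next to the `nixpkgs.config` option, so renaming it (for example to `nodeConf`) would make the block easier to audit. The inner `additions = final: _: …` wrapper is applied immediately as `additions final prev` and could be written as the overlay body directly.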
@@ -1,12 +1,32 @@
 {
 den = {
- schema.conf = { lib, ... }: {
- options = {
- isPublic = lib.mkEnableOption "mark this as a public config (= without secrets)";
- isMicroVM = lib.mkEnableOption "mark this config as a microvm";
- mainUser = lib.mkOption {
- type = lib.types.str;
- default = "swarsel";
+ schema = {
+ host = _: { };
+ conf = { config, lib, ... }: {
+ options = {
+ isPublic = lib.mkEnableOption "mark this as a public config (= without secrets)";
+ isMicroVM = lib.mkEnableOption "mark this config as a microvm";
+ mainUser = lib.mkOption {
+ type = lib.types.str;
+ default = "swarsel";
+ };
+ node = {
+ secretsDir = lib.mkOption {
+ description = "Path to the secrets directory for this node.";
+ type = lib.types.path;
+ default = ../hosts/${config.class}/${config.system}/${config.name}/secrets;
+ };
+ configDir = lib.mkOption {
+ description = "Path to the base directory for this node.";
+ type = lib.types.path;
+ default = ../hosts/${config.class}/${config.system}/${config.name};
+ };
+ lockFromBootstrapping = lib.mkOption {
+ description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
+ type = lib.types.bool;
+ default = true;
+ };
+ };
 };
 };
 };
diff --git a/flake/instantiate.nix b/flake/instantiate.nix
index d7fe674..5de2246 100644
--- a/flake/instantiate.nix
+++ b/flake/instantiate.nix
@@ -21,7 +21,6 @@
 inputs.disko.nixosModules.disko
 inputs.home-manager.nixosModules.home-manager
 inputs.impermanence.nixosModules.impermanence
- inputs.lanzaboote.nixosModules.lanzaboote
 inputs.microvm.nixosModules.host
 inputs.microvm.nixosModules.microvm
 inputs.nix-index-database.nixosModules.nix-index
@@ -38,6 +37,7 @@
 inputs.noctoggle.nixosModules.default
 (inputs.nixos-extra-modules + "/modules/guests")
 (inputs.nixos-extra-modules + "/modules/interface-naming.nix")
+ "${self}/hosds/nixos/${arch}/${configName}"
 "${self}/profiles-clone/nixos"
 "${self}/modules-clone/nixos"
 {
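Review bot: The defaults for `node.secretsDir` and `node.configDir` in `aspects/shared.nix` resolve to `../hosts/${config.class}/${config.system}/${config.name}`, whereas every host file this commit adds lives under `hosds/`, and the `flake/instantiate.nix` hunk imports `"${self}/hosds/nixos/${arch}/${configName}"`. If `hosds/` is the tree that is meant to be used, both defaults point at the old location and should read `../hosds/…`; if `hosds` is a typo for `hosts`, it needs fixing in the directory names and in that import. Both options are `lib.types.path` with a path-literal default, so whatever they point at ends up in the world-readable Nix store once the path is used in a string. The `secretsDir` description should therefore say that the directory may only hold sops-encrypted files.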
diff --git a/hosds/android/aarch64-linux/magicant/default.nix b/hosds/android/aarch64-linux/magicant/default.nix
new file mode 100644
index 0000000..4abd480
--- /dev/null
+++ b/hosds/android/aarch64-linux/magicant/default.nix
@@ -0,0 +1,44 @@
+{ pkgs, ... }: {
+ environment = {
+ packages = with pkgs; [
+ vim
+ git
+ openssh
+ # toybox
+ dig
+ man
+ gnupg
+ curl
+ deadnix
+ statix
+ nixpgks-fmt
+ nvd
+ ];
+
+ etcBackupExtension = ".bak";
+ extraOutputsToInstall = [
+ "doc"
+ "info"
+ "devdoc"
+ ];
+ motd = null;
+ };
+
+ android-integration = {
+ termux-open.enable = true;
+ xdg-open.enable = true;
+ termux-open-url.enable = true;
+ termux-reload-settings.enable = true;
+ termux-setup-storage.enable = true;
+ };
+
+ # Backup etc files instead of failing to activate generation if a file already exists in /etc
+
+ # Read the changelog before changing this value
+ system.stateVersion = "23.05";
+
+ # Set up nix for flakes
+ nix.extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+}
diff --git a/hosds/darwin/x86_64-darwin/machpizza/default.nix b/hosds/darwin/x86_64-darwin/machpizza/default.nix
new file mode 100644
index 0000000..2e77295
--- /dev/null
+++ b/hosds/darwin/x86_64-darwin/machpizza/default.nix
@@ -0,0 +1,23 @@
+{ lib, config, ... }:
+let
+ inherit (config.repo.secrets.local) workUser;
+in
+{
+
+ # Auto upgrade nix package and the daemon service.
+ services.nix-daemon.enable = true;
+ services.karabiner-elements.enable = true;
+
+ home-manager.users.workUser.home = {
+ username = lib.mkForce workUser;
+ swarselsystems = {
+ isDarwin = true;
+ isLaptop = true;
+ isNixos = false;
+ isBtrfs = false;
+ mainUser = workUser;
+ homeDir = "/home/${workUser}";
+ flakePath = "/home/${workUser}/.dotfiles";
+ };
+ };
+}
diff --git a/hosds/darwin/x86_64-darwin/machpizza/secrets/pii.nix.enc b/hosds/darwin/x86_64-darwin/machpizza/secrets/pii.nix.enc
new file mode 100644
index 0000000..8b96a26
--- /dev/null
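Review bot: `nixpgks-fmt` in `environment.packages` of `magicant/default.nix` is misspelled; inside `with pkgs; [ … ]` that is an undefined variable, so evaluation of this host fails. It should be `nixpkgs-fmt`. The comment `# Backup etc files instead of failing to activate generation if a file already exists in /etc` has also drifted away from the `etcBackupExtension = ".bak";` line it describes and would read better directly above it.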
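Review bot: `home-manager.users.workUser.home` in `machpizza/default.nix` uses the literal attribute name `workUser`, not the value bound by `inherit (config.repo.secrets.local) workUser;`, so the home-manager user is keyed as the string "workUser" and only `username` is forced to the real name. If the key is meant to follow the secret, it should be `home-manager.users."${workUser}"`. `swarselsystems` is nested under `.home` here, unlike the `users."${mainUser}" = { swarselsystems = …` layout in `aspects/hosts/pyramid.nix`. `homeDir = "/home/${workUser}"` also looks wrong for a Darwin host, where home directories normally sit under `/Users`; both are worth checking.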
+++ b/hosds/darwin/x86_64-darwin/machpizza/secrets/pii.nix.enc 
@@ -0,0 +1,16 @@ +{ + "data": "ENC[AES256_GCM,data:6u0RRfaZaNk5KwnMoWY4dUC7xn132a7yKDZnStUSRS+Ci7XHMak=,iv:VQ2cYcdOS+S31d1yQioj95CTVmuvBVkgojIs6ib9iOM=,tag:QtC54hIryboeaOnDf1u2yw==,type:str]", + "sops": { + "lastmodified": "2025-06-11T13:04:16Z", + "mac": "ENC[AES256_GCM,data:sOzsL5QIET0hGTR3UwcKx7G8RAlOoLZaDlqsn9Yqw2+0yHPmNFs1N1BST3NNaNe+P9j2XruGgBNGCCm9igq8j37W46hf6uAy69Rx1Kzvrxih2Qu3P0Bb1ozyymQxeXDtKdvC0pxOFsgEk05l9VG0JM2Calxq/pK/EoGPfRQS1Zg=,iv:l0M0BrEQSixlU4I2UrB5g0FaKL32/VrCyJcm3MXujRs=,tag:hiNfmFMpHtoghOEv5JmVKw==,type:str]", + "pgp": [ + { + "created_at": "2025-06-11T13:03:51Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cqwpzR+VevsftDMoj79xiFvayPxluot/mZKQAMPNpMIG\nKDNMYYnIKa1z5TBeDVuivslEytIqB8zEmiZ0Sa6oMJ3T1t72cQbKjARKyKxneGAz\nYqVEM/zHq6W4E0NwE74F4ZAhGA8abFu6nKxQwITwyw28TiOzkNHG0W49ZRLXAHRm\nRBih8p6B05Q1EPK3I3Gz4KUklqNptrbjtRvTzcLcVEkfbOhKz2OOck1a/kqjmKrb\n7/9ORD00wfcXnUykIzN7noe5WixEuDdaE1T2f7kgB1749OVPNW4ZhWsm6yGsRJbJ\nh3n4xUhTrwRZ+9MtWqOdoJ8Z2I8ylUmXiHJYfOj/U/BG7H4y/EMXQ8RR4sMZjlcm\nqhuzor4Ku8Og72RHhY7SnSCCSH10uHVqlfapVH7iLkwywg3pKWdqqEv7wU7A83tR\noDa7+zD4wZYS4p6TEvvv9jyUE9r5A0r5evqHSHzM6Cgkp42FDWkTb30NeBvX2RJC\nyBeQEPqiaAIM+dUdxvM+cFzYBMVdfMtgQHwr3Wkw+Bb2+Pt/JDxcSDBtJbxl+GGp\n+tWn6etfSe4Nr0Z0abgUcKq+niaM8rD4W0DhLNDLhXE2KRTbQV0YgBqlXZf+uY8A\nHagbCeGGT0k67PJs++hlDEeVhB980eMzHdLsv0w+Ie6bttgY81gOvsrr23RQN42F\nAgwDC9FRLmchgYQBD/46neLbZcA0IIPUyeOjwiS2p1O1sR/i9UaSALa+4lw/pdCu\n7iPWwGMDNkh6I+5A3++3lC3MME7A846MFGq9iFpH/+TyTZrqnwcwGY92CE60T1Q6\nouA+g7C/CIX1r04IiAVxi9tBjUmB+dFApdFCC5Mg6Yx+3zh6Z49zvMoO5yGqLLhE\nhqAgxJB0lB07nepgB0spJAaKBs7GyYEss3Cm5WpsitLitPRMEUKLcdvYUw6G09Kc\ndmJb9LbZy4Mn7YziIb+czWZ/hW6B7BUSUZMhQJwMcRFBT6+6aTpO6zWM7URbPQaO\nieN+2ShM5OotiUiO3nfRquBw5mUFDOR1ZVxF/rBtiZe2Jt0URE7pKfcuFQREKp01\nVgI+JUrEl0t8e5J3SSAoXColf+Oq4xDY+CNUJOAtuJ/LrNc0+Q0KwZwShHzGOl5M\neqUgkS+IMYrfJjuJZjTzQTJJ6PeC2VpEGO7czgCn9/5FftsrH2wSSLL4FGX4tXfU\nhrbtt4gMN0had0QkZkuhxlIwYcATjUQ7CGQfrhINC+EpEju/NlE6zuuIa+05eigR\n3kEemBa5Ely4onQeMh81nOAyhkhj6QcbE7qn+ueUMAb70
u5B115ULLQUrivLu2jI\nSK6o1WAeZKZIcf0/6iB+mMc7qbG36nelK2JYK8e0KiVSIUGehpYwV3ELwuhzEtJc\nAYobc//aa6GU3pCFzp90TA9kAZXhqgaw9wkzicueAhgCfr8s0FxG5WxWQxfJBLYF\nVSPqrqJ0EBU1EF9G2nz0ynJL1iWiN5VcN7JTXYXTK8TPJUe0ZU1boS4AhOY=\n=AG4y\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/hosds/home/aarch64-linux/treehouse/default.nix b/hosds/home/aarch64-linux/treehouse/default.nix new file mode 100644 index 0000000..0ab2386 --- /dev/null +++ b/hosds/home/aarch64-linux/treehouse/default.nix @@ -0,0 +1,35 @@ +{ self, pkgs, ... }: +{ + + imports = [ + "${self}/modules/home" + ]; + + services.xcape = { + enable = true; + mapExpression = { + Control_L = "Escape"; + }; + }; + + home.packages = with pkgs; [ + attic-client + ]; + # programs.zsh.initContent = " + # export GPG_TTY=\"$(tty)\" + # export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) + # gpgconf --launch gpg-agent + # "; + swarselmodules.pii = true; + + swarselsystems = { + isLaptop = false; + isNixos = false; + wallpaper = self + /files/wallpaper/landscape/surfacewp.png; + }; + + swarselprofiles = { + dgxspark = true; + }; + +} diff --git a/hosds/nixos/aarch64-linux/belchsfactory/default.nix b/hosds/nixos/aarch64-linux/belchsfactory/default.nix new file mode 100644 index 0000000..f024b3b --- /dev/null +++ b/hosds/nixos/aarch64-linux/belchsfactory/default.nix 
@@ -0,0 +1,67 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ "${self}/modules/nixos/optional/nix-topology-self.nix"
+ ];
+
+ node.lockFromBootstrapping = lib.mkForce false;
+
+ topology.self = {
+ icon = "devices.cloud-server";
+ };
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = true;
+ isSwap = false;
+ rootDisk = "/dev/sda";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ isCloud = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ garage = {
+ data_dir = {
+ capacity = "150G";
+ path = "/var/lib/garage/data";
+ };
+ keys = {
+ nixos = [
+ "attic"
+ ];
+ };
+ buckets = [
+ "attic"
+ ];
+ };
+ };
+ };
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ wireguard = true;
+ ssh-builder = true;
+ postgresql = true;
+ attic = true;
+ garage = true;
+ hydra = false;
+ };
+
+}
diff --git a/hosds/nixos/aarch64-linux/belchsfactory/disk-config.nix b/hosds/nixos/aarch64-linux/belchsfactory/disk-config.nix
new file mode 100644
index 0000000..9a98cce
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/belchsfactory/disk-config.nix
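Review bot: `node.lockFromBootstrapping = lib.mkForce false;` turns off the re-bootstrap lock on a host that this same file configures with garage data under `/var/lib/garage/data`, PostgreSQL and attic. The option's description in `aspects/shared.nix` says the lock marks a host as not to be bootstrapped again with swarsel-bootstrap, and this host's `disk-config.nix` formats with `-f`, so disabling the lock presumably permits a destructive re-install. I would add a comment stating why the lock is off, e.g. `# still being provisioned; remove once the host holds data`, or drop the override so the default `true` applies.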
@@ -0,0 +1,121 @@ +{ lib, pkgs, config, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by 
bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} diff --git a/hosds/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix b/hosds/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix new file mode 100644 index 0000000..2278aaf --- /dev/null +++ b/hosds/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix @@ -0,0 +1,15 @@ +{ lib, modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; +} diff --git a/hosds/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc b/hosds/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc new file mode 100644 index 0000000..efc25e8 --- /dev/null +++ b/hosds/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc 
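Review bot: In both `postCreateHook` scripts of `belchsfactory/disk-config.nix`, `trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT` runs `rm -rf` even when `umount` fails, in which case it recurses into the still-mounted top-level btrfs volume. `trap 'umount "$MNTPOINT" && rmdir "$MNTPOINT"' EXIT` avoids that and quotes the variable, which the `btrfs subvolume snapshot` line should do as well. `passwordFile = "/tmp/disko-password"` reads the LUKS passphrase from a fixed name in `/tmp`; the comment says bootstrap.sh populates it, but that script is not part of this diff, so it is worth confirming the file is created root-only (mode 0600) and removed once disko has run. `allowDiscards = true` is a trade-off on an encrypted volume, since TRIM reveals which blocks are unused, and deserves a one-line comment saying it is deliberate. `hosds/nixos/aarch64-linux/liliputsteps/disk-config.nix` is the same blob (`9a98cce`), so all of this applies there too.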
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:8qaX0CjyxK8qoAyVyxwfXlejWyGSY579EVmmUCi9PPyB5LyPjfDvXxlRFCOlC6eYbSJ1AWLqqZ6yYgZaimUHkOTh7dL+D4wSkmGeRnxZoQhq9n9sYZPJUfqEhMwEGxlrAvchXJuruZG+Tp9+Ev0if9f9J9qdU1y+yLGQxc2vnibMg2uxdpfYjHaDWa9bybRQZxINkD//um8uxkRs0xvWgZu63ReQZMPjx9K3vNtdJTZsW5+ZUB368QA2mnry2Zf60PWJT/+NsNKIwyzjhUNJ/eTFxjNJ4zPj/AnXFezfGvpVu6XFYsLk5uPb3XfpUlCj4mTVvmVlA40lf4rOhyoRRAW8d28puJArBf3nPzIkWQUfmFwO5EE3qPDkjMlaRa/RdRx0dvrbLDv7Ujt1XaK8bl3Vkz77oumCYFPV7J4mAeu3/LFBAoWKik6Wj8WQE+QwUWo=,iv:ZQaOO2Blpqn+Xnzt4fcPu+rNAvEdluwJEYRxPVItLcU=,tag:rKJ5g27ZK1wCpcyCVfffpA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbi9PZkRob2JkcjlEMUJu\nSG5TemplWkhWVXZNWStCVXhrUlFRSUtPeWk4CjZEQVN4b1lYVkxYQmU0SEJ0QnAv\nTE9IdHZUYmVjb0hxSno1QWxGN1ZMUFEKLS0tIEwrVU5uZmZPRGdZcjVsVk1IQ1Vv\nRXdMcW0xR2g5SCswKzF5RkIwUmtocDgKVI/EMQuvfKGeJH7wFm8VP5rKLhYKOlPt\nA+QIDAdrtFogW9Swwhzxu1tIOfMXzfyW9P+ec/b6/vU96PMqJQ6ZGg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-11-28T14:15:06Z", + "mac": "ENC[AES256_GCM,data:TxnVPtRHzUEr9StM3RlOgqD11036yM74HL1Q8ZkNSU89geAaUoDj8LJD1QKglDT5UNzfKeaZD4DT6bqill+H5FUuonOgLPxNoFKMyWhppQkMWM5F/bw8JUulacmE28b2Rd5zRVOYe3TkE11kMAbxRD+CvqEFBrLsZAndr9QdfUc=,iv:uzjzk1FUN52oAE0cuw7OLLmMRxE/VLQ+tUExxYQjwTQ=,tag:+BOG6wRb0h/jhyy7l8ZA/A==,type:str]", + "pgp": [ + { + "created_at": "2025-11-25T18:32:49Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+Mi33CAnGK/475xmMlZn2P4aR2iFjWFms6XU540JZnfQi\nF6/bjq1otgxGlnR6x3zhPQU3whCQIv538UeiYWMoS8oPxj5b5eF33agihYaCq2wx\nHv4p0+hOJMl2SJPCHfmTkClqYGYMOzTPe1g6oiY0N3FWVoiWXdbWNkIGVNjgkedz\n5f9JPFWn6iB/Z07qUMwG2OOzh8ZPlh/PgNCBrCVMUYrD/FrAck389uMw4yHFz8AV\n3ETnx2gHFTwL5F8H7x3uVungoBVCJk+NpXiKS6nVKwH4jliydiU2ZClSzjHpCqCW\nd365MCahC67IkuCkWhwuPwDaKIk7Qw4rZaLybcad5/TQ0zT+XCm6/2DYIYTj2gip\nqrBDZxHZhkpYcArjckWDRchO9t9E/c3qJfD1Zxi6fBz0vu2WcCuTT8Qd6Zn+DlMb\nVr0D2LPlZGRJ+kM9xuZXaY1bGNAA2POvLn698prPuTkMNxidQEhPNuNy4PlYKXAP\nFfRzJ5zFUneW19j8SgL6BxfLoYDFWkoHIutNDH5H290MJqnFDUrQ5bQn8odM+1OL\noJ1AchHN3J0J5aa2Z8X0NSVN7N0TmU3xVZ1GmfdqbH+3V+OR3NMgJ/FKMQEutT56\nAsBc7tSHtJGaRS9plJ+RryuPRRnqGmRkS3vVmBkrD+pY/TwUbXUBKjEOWhq9uwiF\nAgwDC9FRLmchgYQBEACD1XnsK/sTsgtvt69H/aBHWVIWQNTmdhwJBUHmqkusFhPf\nXxfGN+bvapWulYI+Wb4LAQQbUhMmz8drPnWpCEobS3LSeU8CDD3wBrGAJubI7YLK\nttn4oB7XK5mrg9SIQ8M8kOElv19oCMudkX8dRs4gs0TBO6jbr7/lsiyL/sN3Ylk+\nnyORFeSgE9vVcvJ8QnIF+MQXF9Re61zJFqjXiDMEklzbHHVeLzS5IlYgJoDvV3Gg\n9lTtvdO/FV5JtjFeYI16rjPb7ip/KtljU5pBM8wp6VU4Dre0VsRBgztm279g+WaL\nDJuf6lmfwNSk66tiLpsaJoEu7A+UhLURI10cv92E7fydbGRZMgSjK6ZK4Ue6WH1U\nYQJenngZPXcRcqfCeTVTjzG6ikL3aCfvbuJ3/oT8Y8oBA5Ch2PG7fWAJMMUVIFAM\nLO8KqCSdRCoJrJ69s8iyBycOhPhMiwLZU2HLlMux/kLq5OB2JMGm8P4nxoXTp9Dz\n2TPoPigZritYHsIXZ3cM2iR3OL3AiotKlaIp74ElUeuc0K+Bcp1C//OtKTPuYGnc\n0ttC/dx3c9vv6W80JJ6i7bCRoDiuGrrdx783ly2br4VLDFSaS8rNbrM5ccSTVImw\nUFxZO9rLO0n7N6z4hlgrKw3G1SWKYqbgOVXxIog7st8JvmPLQZYjEuH9Xwq6WdJc\nAU2esxsAaDKyIPHg+DAXOPBagzU1tBKFYtwaiFVDqYk5gNE/2hAnKcuU7O3sua1q\ntsgL2kY8VSHcFFv8N6FhDYPdCrDgAwOtJSZGf7uV92q7/vbMWx+vGq/7FaQ=\n=m1sm\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosds/nixos/aarch64-linux/belchsfactory/secrets/secrets.yaml b/hosds/nixos/aarch64-linux/belchsfactory/secrets/secrets.yaml new file mode 100644 index 0000000..fc1437b --- /dev/null 
+++ b/hosds/nixos/aarch64-linux/belchsfactory/secrets/secrets.yaml 
@@ -0,0 +1,61 @@ +wireguard-private-key: ENC[AES256_GCM,data:0cxqNz1r2Hqx2JIjzEFz32gvZ+92rT5+zsHyFo5/Wx/+vdtj+KG4gNuk4ys=,iv:qonukOR1cpuCTjoR/db8WqjlJoDGJZlG25W9ql7vfzQ=,tag:iFAKWfQ7Fb6VlFwlHDK+zw==,type:str] +hydra-pw: ENC[AES256_GCM,data:aIq7vQ15NfzytSMvhAT4USdRwZwnFmD+dA==,iv:+524w/u/IwSwt/mIfpM1XEPKLHky9sw2V0dbOfEBNtE=,tag:XsPC4VVvq1dAb2cO5s2kKQ==,type:str] +#ENC[AES256_GCM,data:WqtrDDqt,iv:Ksv7cH9opsgWoXj+YnTct3VtAT6qbaAr78uaZxkN+zc=,tag:9KPeAi/JZvxjKh1w4scsdQ==,type:comment] +#ENC[AES256_GCM,data:kwewartySAHzmyssuWFPv0XODI/njYrSXxqEE2JBJvuCsJKwZrq4+EzKOtwOlyssEpAvaxxejmb7,iv:p3KO21NvM7zfp4U0s9TVW5jfnOzvQkn06mcFgHp9xVA=,tag:sn/zQwI8EdhWb2w9F+V4rw==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:Fj1V4MMKYJdXTur3xc7EDnYGXg8GBVPx8X/I6A7bRIdm7cX63yRrtw==,iv:Gaz6xYtEkQilaQG6+5Bz2gHWN3sIRQmCqLryZZYjefM=,tag:lGu+e1u6JOdxq8l8J+6+cw==,type:str] +#ENC[AES256_GCM,data:IaG0khKtH/NwwvpDAWwZ9kVhtxI=,iv:IFP93sRIw3Lkze3ut20VBYWxBC1/6euA+uJoggFP5SU=,tag:dq2cU1tB2MPA99BJtp0gZA==,type:comment] +garage-rpc-secret: ENC[AES256_GCM,data:QzyqeNuJPjtG7MTyO+6f+KfquWhHbDGBJ6hrEGDh+3kg6wkCGx/0pUjeOMAaren1jMIwk1iKaAnSbq7NW1GcLA==,iv:WmCRD/kNtmBljkA78Vb5guUVrsQxdoZfRE2tNlt0iWQ=,tag:6wKCXlwbLzxvLpACJbACEg==,type:str] +#ENC[AES256_GCM,data:guiRBJqw3HqM3e0Zw27bhc/h8sPcni0=,iv:J1Bc5LPzYdhlTUeenn8QqpBzrsoKGr+b499h8T+ilNo=,tag:kjXtd7tH5PzQLWt7EWbMaQ==,type:comment] +garage-admin-token: ENC[AES256_GCM,data:oxUvX41iOaS7Jvfb281lPKCavwP2z5hvP94EWCp8V/2CuLbeDWJtCxrlqoA=,iv:Qk/0/yJFcUWrgiEJSh2e+cQNsfkCPv7+RETINBDsgzo=,tag:bfTEOjB1Ln/WFy5MbKYCVA==,type:str] +#ENC[AES256_GCM,data:RB6z24ud0XkaawMtPI14nvHhRkU7pTUGezN/9L4GoAXM0M93VpMbQEouanZASg==,iv:XzDcpdIrPU/rXsqPbMPzuDRFWXvV3hkBpwntCKc604k=,tag:eBHwgiEmxipJaNB5YivyXQ==,type:comment] +attic-garage-access-key: ENC[AES256_GCM,data:HqaStuLtg4DVVe8SFWvIfJwPFUvJL59rLjY=,iv:T7kkjyISziJ/Dv8BtF6LXfkd+wR9TRN+ZG+7jFMVK2c=,tag:Rlv71YCXV3sYgrrj1CX7Qg==,type:str] +attic-garage-secret-key: 
ENC[AES256_GCM,data:XJFQN+8L5hH1wUiTyh1bwojDyQA8bp8cs8wVNYqp/5YZ58ngiuySE9WvDBP4Jxrp2kHTYXzlofcKDsh3H6AFsA==,iv:HQJwUN4dPRY40VKc7eA+O0atRss3qQ35Kg2GxWP7hYE=,tag:UWgjX+2aYm0OMWAmKRT5dQ==,type:str] +#ENC[AES256_GCM,data:7O2LxQRU,iv:k9QEUhgrRVbCmzVeZsalAVaPt4QwAuzIbyCXClm/kjk=,tag:HL9AAzevfAApUY3g8q5zyg==,type:comment] +attic-server-token: ENC[AES256_GCM,data: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,iv:GP5ff3lAzUqfBliMj1J9EcMnTe/BDeEPlZY/Euqep7Q=,tag:7udaKfA4h6d2qzR9EvLALA==,type:str] +sops: + age: + - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTEN5NkFlN3BzWVA3elRy + eHdlRmE3amJvZWI4OVQyT0VuQjJvWk5MYVJZCkpPc05udWZtTWpnai85MmJzUVQ3 + TmtGZzhHbGxUWHNiL0lrUmNiNjVvMzgKLS0tIEROR1lzYm5kWE1mVDN5dHJXMkF5 + NHZwMEl2ZWVONkNuVWprUFhsek91NzQK84WqkK9mtR4q1G2wS6gKqflEUv0VefUJ + jcQij+3T2O81paZytTzZNPX3JuebyyitC5KeEoz3Z99uSrCDaLuZAQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-05T10:03:28Z" + mac: ENC[AES256_GCM,data:b6nkrcehnZ15kUhE0iIm/HL0CHOAhVg9Yx2m9WqALhsFcaaoTlq2bF8Q9UaAkSjIseXT1nQlXyYPU1RTFhjiqRlWuOdHikIQcM9NAsuDJ9PlQeJeJwYaIXwcadvBmo6ZTFgzNsUj7PxZEVYejae8Ylodn87ys08wlcDv86Sf4mA=,iv:yydf72Coal4QQWBXwIYr7fwiXl09AS+qTLYg/LDPzXc=,tag:zqIECJKy73S9FSbEE0GWkg==,type:str] + pgp: + - created_at: "2025-11-26T12:40:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/5Adw1O86oiP1IkusK1t5JcPR9lt6aZNNVwVTFzkenAQoA + oO23QmBYIgrsPNYdck/6EownjbfMCjaIXPiKEGoV3qy9hLk4XM0VRJNYhO+dWLSY + 2qPoOTHuhDJeaNwJdZe/Q45+rPaYJj7lEoOWsTnNuXyQ8lZ6mDiUPUhiBUrAecFf + p1nKg4g6r/kYFmU9Pa7MQ58usZADj8i2zN9qOE0s7Lp0AKTHf2xh1ApIZpjntqBU + IHbvBlPhqDRtfJMG13+qs99NTZ8kMNHluZu9suuBuioJC9P7nqyJdB2a/izEVzpr + nFW6iRNxn8I2E9BgaH1r1AzhKGtVmy8WKcRQB4RFU5I9ex0qB8JThLUBl2uPDv/Z + 0CrGH9eC2w1E1NwEyfFDowQvRoo65lNz7xgNtlFpPkJX4X9yZjJHElvVg2I0HJhH + XzUCsnsTanQPGzXRbVRhVDyFU0xeUa19l898Ft/lTKguOVaRcrCajXq4ACmykHA2 + 
nnEoHh+25ablQiF8JIoWgLREKftdL8zCBWRlyv3i49nmlABykYWy7YJVYloTF4ow + k1y9JTD8JjaMT+LFU1s5j9mVPnc1byeKkHdB/Pf0R9wGtESuWdfiyOGxco1rHePi + i6Cnn3mEro1Ty+P1aPN/ahxCzAoFs93stF4JgebWjmOZ0R8LOn28OypzRdR91R6F + AgwDC9FRLmchgYQBD/0at3f5R74CdMtw0VGIT99q9VbXNpD/ZBETRsNwosWLICDf + wLbrlT0YHro+1mDyTcNtM9ZX8OlfppqsD+HSYxCfDIbi6dQwRT4PhB4V1ZtY241X + 41XfMsMo83TD43JYRn+3XwLwp0ZjLmteGI8x/vVD2OoSxA/2n83+jsVHUj3bM2Yz + hO6aQi3dPbv0PlFjAOVzsZ04kXnCM4SiUZGNVUxOHofoPS0ISiROoBZZuB4iTSXJ + V87UgqZdyo8eaF6zj9iNo95yfaWJoplJFcTnzUBX4+OU4OxjiS5h3QEWeSG2fJtG + NCjztSkDjf/rOOrRJ0nhFC04HuOSs4ccz33RqOrWByyI11SublzcDNanLpV/lfIc + q5J626fFqrVanbr/zKJPNBqD+vqH8odbkx+MxntYPt4jPtj6Ijuhva7g8dUCT3n8 + JPOCVG4oj10djmStnpazs8mCQJm9XcrOyXReQEHnKuO0J3fbvdg98QEom5KZcjY2 + jHATK7+xCYgOEcN90PFaC+doq9467jODvCJRAj+A5kRp0AgOChlttb0C4kT+Ulc0 + 4+ydcYbRZMJy1f86f6bFCuK0+X2K8IYlJSl/lb69Et4gDdRdDHGqZY4GtbMoJ5yb + AVrM6VXFvQI2eEPNUJBir17QDdgdMVSktF6xg+rtEtYAjU0T6fmZTrlpL6jmdNJe + ATswWpOyg77HLgPrvBM3ahVwMdBPZYP4ahms3afCTWKvo9ucWSCR4LF/xMEaHZV1 + yGEpRV0NUMU13CprYem84VFHFeu4+AFKgxeP7xHmqio3Q+v0IMiE+QvWZZ+Z4A== + =x3px + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/aarch64-linux/liliputsteps/default.nix b/hosds/nixos/aarch64-linux/liliputsteps/default.nix new file mode 100644 index 0000000..28083e9 --- /dev/null +++ b/hosds/nixos/aarch64-linux/liliputsteps/default.nix 
@@ -0,0 +1,51 @@
+{ self, config, lib, minimal, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ "${self}/modules/nixos/optional/nix-topology-self.nix"
+ ];
+
+ topology.self = {
+ icon = "devices.cloud-server";
+ interfaces.ProxyJump = {
+ virtual = true;
+ physicalConnections = [
+ (config.lib.topology.mkConnection "moonside" "lan")
+ (config.lib.topology.mkConnection "twothreetunnel" "lan")
+ (config.lib.topology.mkConnection "belchsfactory" "lan")
+ (config.lib.topology.mkConnection "stoicclub" "lan")
+ (config.lib.topology.mkConnection "eagleland" "wan")
+ ];
+ };
+ };
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = true;
+ isSwap = false;
+ rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ isCloud = true;
+ mainUser = "jump";
+ };
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ bastion = true;
+ # ssh = false;
+ };
+
+ # users.users.swarsel.enable = lib.mkForce false;
+ # home-manager.users.swarsel.enable = lib.mkForce false
+}
diff --git a/hosds/nixos/aarch64-linux/liliputsteps/disk-config.nix b/hosds/nixos/aarch64-linux/liliputsteps/disk-config.nix
new file mode 100644
index 0000000..9a98cce
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/liliputsteps/disk-config.nix
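Review bot: The two trailing comments, `# users.users.swarsel.enable = lib.mkForce false;` and `# home-manager.users.swarsel.enable = lib.mkForce false`, are commented-out code; they suggest the default `swarsel` account was meant to be disabled on this bastion (`mainUser = "jump"`) but is not. On a jump host every additional login account widens what has to be defended, so I would either enable those lines or delete them and state in a comment which accounts are expected to exist. The same goes for `# ssh = false;` under `swarselmodules.server`.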
@@ -0,0 +1,121 @@
+{ lib, pkgs, config, ... }:
+let
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/home" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/home";
+ mountOptions = [
+ "subvol=home"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/persist";
+ mountOptions = [
+ "subvol=persist"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/log" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "subvol=log"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "subvol=nix"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = lib.mkIf config.swarselsystems.isSwap {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = config.swarselsystems.swapSize;
+ };
+ };
+in
+{
+ disko = {
+ imageBuilder.extraDependencies = [ pkgs.kmod ];
+ devices = {
+ disk = {
+ disk0 = {
+ type = "disk";
+ device = config.swarselsystems.rootDisk;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ root = lib.mkIf (!config.swarselsystems.isCrypted) {
+ size = "100%";
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ luks = lib.mkIf config.swarselsystems.isCrypted {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
+ settings = {
+ allowDiscards = true;
+ # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
+ crypttabExtraOpts = [
+ "fido2-device=auto"
+ "token-timeout=10"
+ ];
+ };
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+ fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+}
diff --git a/hosds/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix b/hosds/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix
new file mode 100644
index 0000000..2278aaf
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix
@@ -0,0 +1,15 @@
+{ lib, modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
+ kernelModules = [ ];
+ };
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ };
+
+ nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
+}
diff --git a/hosds/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc b/hosds/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc
new file mode 100644
index 0000000..bd5dbdf
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc
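Review bot: In both `postCreateHook` scripts of liliputsteps/disk-config.nix the cleanup `trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT` runs `rm -rf` even when `umount` fails, so a busy mount would have the recursive delete descend into the still-mounted btrfs top level. I would chain and quote it, `trap 'umount "$MNTPOINT" && rmdir "$MNTPOINT"' EXIT`, which removes only an empty directory. The same hook is added in moonside/disk-config.nix and stoicclub/disk-config.nix. Separately, `passwordFile = "/tmp/disko-password"` keeps the LUKS passphrase at a fixed path under /tmp; the comment says bootstrap.sh populates it, and that script is not part of this hunk, so it is worth confirming there that the file is created with mode 0600 and removed once formatting is done.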
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:JYRzdtAYu24aWIL/hfWLbkS8xpcPw3ylZROuuUMVmIY=,tag:Ot7G/QiTLhmnlYe7Z9aOTQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVU5HTGhyL0ZBRXkzZ3hq\ndzBMd1JZTktZbWNFMGRzcXhFK3RHb090cFdBCmpMa0FNMWFCenBjYk9FaDIrTkFS\nSnN6S210ejN5SVVhd2FWRG1SUHB4WWcKLS0tIDV2K0h1QWxwUXkwVnZlYnR6eEtl\nUVR0UGJOR1hadUtNcjYyWE9wblAwWFUKVM+J/pqtZFADYTQHfWCdvPzlhtgR6zAy\nu0EWk77+K2J0GeBuDr1W5yblUCknht6WZCJZcO6fW7AuWSQK3e/EVA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-12-01T16:51:40Z", + "mac": "ENC[AES256_GCM,data:SWLGPgFcdiGSvN5BTmE8Nq7+pBiNJM05H1hhqJY6wJqYZehKhQrQRj6/DSlYWPvYE/DdWo5Tiuc3RNY3NANwhki+7kl0OBxHoaHqBgOTa96rdPwe6V3s55v++jtm0xg/qLHEPCqrKqw/aiBAQLJkDOh/IykeEXBMW3S6EM+aQ0U=,iv:2wn4jQHdWWhIzOyGhZxow8WG6W0VgA2gwhb5X+k9ja0=,tag:8g4wQb0u7vbIPkVX8Ey0eA==,type:str]", + "pgp": [ + { + "created_at": "2025-12-01T15:59:42Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cl6I+s/JLwwTCX7WKdzeOIkrsK9DpY3pXBuzoZRSRSJE\nwFJO99Uc7/uH1DSsEB/25CWI6eWx7k6l7YDbcbXQgi5ZNoAt7BePeCu2LK/3coZB\nJe4SManP0sPqxrSd92Tnm6Zl9EL4cJ/5D2C2RBTWOaOtZHR8gyxx5+rzCotCoTXA\nJseGE4B8r/M0O7PAS9+oD14AwCndhuvkmFOq0Y1/wXldV6yCdgc//0oJBSTCBJUZ\nYMSQLovEYGvF9bFfpWYU8J53WqlGn7QKVccDN0/gfi8IVGVZGccUA58VaVqkzR41\ndYlRZ/sjtd+VXmOg8Fx79bOlzTn+RBCp9y+q5yKnzUKGe0/Lrnt6+j7+ieIowi76\npBd0bEaoh6wqdCJ7GSjsj5kdSXRop3Ae0ff+J0pBQNctehpcWj5/TpeA1zyslwEC\nD1B/KVN+Gh0XBCg636dUkt2E4NPNDckSRuvTLy+8IkTm7aQqTjqDu3WUOSPzZiZK\nBUGZWwXAS+xPPMH26X6gPTfZj+7Gdv6yxTVIwkphDbWfihxIP//WNbKX1QN4VSHf\nCmoPOrriIdgZ7d2olZEJxPgEVzavkRkiMSFQbQgzjx5Af3ccdav3mxlubjXldmpe\n689Joj8cgBPg1Yfk/yl7tVK9TFJgYXTqKfsXwscrSlsV+dRAN0pHuq1uo9cTE/SF\nAgwDC9FRLmchgYQBEADCJ5IVMNp+PgUDOiajCfpNq3/HsntzIWG0tIjCb5L9TFWQ\nMA2LQWhcU5CRBh7Sakf8IFi/U40SD+dILUh8JR/7g2i9mCS+1e0pkUwSIYxzAI+z\nQeycuyOrdQJFrk+nFbTdZVAerElxew/wQUiC2uoI8tA5+XyNeNfipaptPh9FpFuz\nXhFbkZDJ4kapGzsAn4FgUdmdqAgZ5n2W46WAmDmVKM0W1F0zZdkBEdkEKkv1gRpZ\nRntb/mVEiGAdXv6yAzvHrxgIBkxazzstRmCMXa252RUIakXqvkP1vw7B6ChSFQR+\nq9WNo9x0EYXivd/+ROjHT7WNhEToWems/3CQpQd1LEFXajLdpAWd875acqhBJqtY\nkpKqUG5F4JmTZ7hMuGI0g30nOofMtmFhDX/gCpJ97lEudHyNrHe0KWaQAwtRknz+\nrcPrZQmGRRcf4xcBVe/EDUNlkp9fPWEhFAwKMsVkkvCAADZbvdhLR6URJMmUj5KG\nOuwglHnSOMxCovAQUd3vCtNkkAnRPNOW/WMThr+qfjq8oKdDIaYBxjzjSz1FIsho\nKiz4W3flRzUcALjKTXadQl/jJEhpP3C6Ivh0d29SiKyrWG+Y4KlDIRctub9UjH46\nb2wqbnBzSrC8u9xJINIB4yryXsZiQyP5b39guSKIPjURebus7LBxq+0I7Z1OptJe\nAYk5htmFDe9Sgc+Do1L0kdxjblaoWOc0OiwYshQ9cMv+/IsU0U6T7w2A+8QkzPFc\nGVEmrW1Jyz2O3eMpq/Nl2IsmPDYTEPqhkRtAshBuYsoZJUz73/EovcSxyJ2moA==\n=o5Pw\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosds/nixos/aarch64-linux/liliputsteps/secrets/secrets.yaml b/hosds/nixos/aarch64-linux/liliputsteps/secrets/secrets.yaml new file mode 100644 index 0000000..fb6586c --- /dev/null 
+++ b/hosds/nixos/aarch64-linux/liliputsteps/secrets/secrets.yaml 
@@ -0,0 +1,48 @@ +jump-key: ENC[AES256_GCM,data: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,iv:fPbPAptt3Gsgi7v1xCCHRClSJOXokBsvyCuLz/BoGP4=,tag:NhzeHRxwhQNI9HUFwLYMYg==,type:str] +sops: + age: + - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM2J4a0pNZFRXQ0VjOFFQ + YVJIL3hFVlg0SlNFaXRvbkxMV3RhZm00Umg4CkszSnZLTXBXWUJHQTlmRllQRjhi + OENYMWRaVitPOFAvYXpJMFFYRnVYZ3MKLS0tIHk1UXhOL3FuZjZWNUxzNFdBT2E1 + R3MrQ2IvVWxGOCtkSDBPZWF1dWdHSk0Kz+zJhpJNmHHj6npV6tQ+n4F01A93haSm + nyT+MAs+VxRlRNNbAih8En2uxRlzSHjFekrLLaGbVYTrRtMfLiKyvg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-01T16:49:44Z" + mac: ENC[AES256_GCM,data:RIz594CVnEbUw3Zugj+WO82o6yqOD4JwSFzkqFOfd0M+LOFM68tT/14D7vxPitXEPqLvJC6MHG5vQ61PgU4fG9JoIEqxjvq4AAYmSdCwmB64MCeUIr+V4/fcYrRxuRyiXC79z+rJneO7SkGCX95pfVhGjaLftzSjfiNPPsC5pps=,iv:D345cMUSPCGzrL9uWuDwAkAqz2mTvVTL3QVqHesldGk=,tag:HkBF29S1c9g68aKKSYSWhA==,type:str] + pgp: + - created_at: "2025-12-01T15:59:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/6AsofKCzZ3PjJRHeHSt4XfdIVCCvWScjT1JuvOnq2fXIO + ZcgXPtVoDvd5vSv/fZed+1WJNRpiuNBdmD8cj7N+XqJotgCsQt3HwROCD1UC70Ww + cyHxh3MyukexrO/uIMbQ6ugtIHPVaeC7XyAOugJfHFWZG49aW9LYDkPRGluc0/zh + 7X/p+hZFLpljfL/qdZAakBDw2V0+yt1+5JW5V57jIXRX62BRSFoHqLrasHjvDgyX + h3ktgaIeDL+WssV7jra0oetGsXOL8+GPpo5PVgWONrOl4FBBS1qmNRAbLkJ77KVN + bBDV6Oy1DLqYvv/3UcqWy5XW9VxepEVsAaR+gtLzemMQo9e+qBmhE6tNR6Gvi0y4 + WmVqUZL/gF38sCHoYDT7oWq1cMJ7/zT9Xz5AXgXXSbtBKaxZAFs6QwZfw1rW7dj6 + Is1lXDNCtprsvc3Kxf/R4hHWT5nVFJN4xpKT+epLnumMA1YvkhWx0uziiky4ZH+6 + u+RkK9YZYpGdIYPg7ZK+xLmGLU0YwdIbgiyyH5Jo9JJcqgS405ftAe0iyQjHpiU4 + 0b9JvGMWPzJxWvi8rzwYcI/cfd2n7ZPchTT7KTgva9xeFbn4g1ZOlEKOWg/ZoBr4 + WhpI1SPS9kW0huGXS1k7Dsu0GzRBmv37AEm2mVtYPYwsK0PYLKfd4XGFQnrL0euF + AgwDC9FRLmchgYQBD/4jbW4xGw3JC4OLE7o+GqOoAFz5c034IHiEdgStYNx1RrFm + m4lstvzqUNL0DFyYdMi74iBtqnnFc+KymCTxiAlKiJThosMbV2sffc7e6CI/z9/Q + 
dsssJwPhv5h8XTbDSeGDk6gEr2kyKV1+9UZky9UYASHii4uzonofnV0RO+PdgTPk + mp36YufsnW2yVuKpsbCdMddEXqyaSYuhsU/bMAG2orlWFqqp7kyaARNrdI9hBnYQ + ITZTM4pPKQ334qhqUd/JYIR4luBbmBxJgTWSe5VqWqshK7u1aHr2mfXUip43+5hA + mxNEp0bmR0SnczKcxiZjZK2ZN+fBTqBnPQAxzCgsBjWrCd4a3CzIDOR/Uf3rEx2W + ccDJWRFI+cSpjLps1BphJvgkFjd31XcplLR41R78h28Mec1bE6xHMi21XUbGrITy + IuOmWAv4EDwRQtnfq+9qJ2DbmA3Ldo5pNPhldH7njET0TZVvB0ugq7EIvKxiNmX1 + kHcq0nV1udSRPr/ta/eHInBD0VbVwNhk/z13xzPGKQVkhpcgy1dJj9FeJnUXqzWt + 7xvHCqeGXVo46YeXYXglxUvEzBtdTGdEC2NTntEGhX6dEC1gl/g1VYcPfJJlk+S4 + RENvBpCa1Ji51ix8L6u18jT2epfbxcZcSFS/0Nv8a0IUktvOeLe6y6jdYJHYPtJc + AQk4Y0lgOBoqiaNtybNCd8c/rO/yQ8m+xIxmiyyghjmPGWzEX8fHrR9fE9TVY0s3 + 8iBJVVDZEwtiLiELlbce0zkdCIH4UiyyEovhP/EEwxF8BrnAXo0NnVzcDGI= + =2NIK + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/aarch64-linux/moonside/default.nix b/hosds/nixos/aarch64-linux/moonside/default.nix new file mode 100644 index 0000000..2a7c61b --- /dev/null +++ b/hosds/nixos/aarch64-linux/moonside/default.nix 
@@ -0,0 +1,114 @@
+{ self, lib, config, minimal, ... }:
+let
+ inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
+in
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ "${self}/modules/nixos/optional/nix-topology-self.nix"
+ ];
+
+ system.stateVersion = "23.11";
+
+ services.syncthing = {
+ dataDir = lib.mkForce "/sync";
+ settings = {
+ devices = config.swarselsystems.syncthing.devices // {
+ "${dev1}" = {
+ id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7";
+ };
+ "${dev2}" = {
+ id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH";
+ };
+ "${dev3}" = {
+ id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR";
+ };
+ };
+ folders = {
+ "Documents" = {
+ path = "/sync/Documents";
+ type = "receiveonly";
+ versioning = {
+ type = "simple";
+ params.keep = "2";
+ };
+ devices = [ "pyramid" ];
+ id = "hgr3d-pfu3w";
+ };
+ "runandbun" = {
+ path = "/sync/runandbun";
+ type = "receiveonly";
+ versioning = {
+ type = "simple";
+ params.keep = "5";
+ };
+ devices = [ "winters" "magicant" ];
+ id = "kwnql-ev64v";
+ };
+ "${loc1}" = {
+ path = "/sync/${loc1}";
+ type = "receiveonly";
+ versioning = {
+ type = "simple";
+ params.keep = "3";
+ };
+ devices = [ dev1 dev2 dev3 ];
+ id = "5gsxv-rzzst";
+ };
+ };
+ };
+ };
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = false;
+ isSwap = false;
+ rootDisk = "/dev/sda";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ isCloud = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ restic.targets = {
+ SwarselMoonside = {
+ repository = config.repo.secrets.local.resticRepo;
+ paths = [
+ "/persist/opt/minecraft"
+ ];
+ };
+ };
+ };
+ syncthing = {
+ serviceDomain = config.repo.secrets.common.services.domains.syncthing3;
+ };
+ };
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ wireguard = true;
+ croc = true;
+ microbin = true;
+ shlink = true;
+ slink = true;
+ syncthing = true;
+ minecraft = true;
+ restic = true;
+ diskEncryption = lib.mkForce false;
+ };
+}
diff --git a/hosds/nixos/aarch64-linux/moonside/disk-config.nix b/hosds/nixos/aarch64-linux/moonside/disk-config.nix
new file mode 100644
index 0000000..76fc1a4
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/moonside/disk-config.nix
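Review bot: `isCrypted = false` together with `diskEncryption = lib.mkForce false` in moonside/default.nix appears to leave this host's disks unencrypted, although it receives the `Documents` Syncthing folder under `/sync`; the other two hosts added in this commit (liliputsteps, stoicclub) set `isCrypted = true`. If that is deliberate, a comment next to the override would record why, e.g. `# no LUKS on this host: <reason>`; otherwise the `/sync` disk is the one I would encrypt first. `rootDisk = "/dev/sda"` is also a kernel-assigned name, whereas the other two hosts use `/dev/disk/by-id/...` paths that stay stable across device reordering.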
@@ -0,0 +1,123 @@
+# NOTE: ... is needed because dikso passes diskoFile
+{ lib
+, config
+, ...
+}:
+let
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/home" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/home";
+ mountOptions = [
+ "subvol=home"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/persist";
+ mountOptions = [
+ "subvol=persist"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/log" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "subvol=log"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "subvol=nix"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = lib.mkIf config.swarselsystems.isSwap {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = config.swarselsystems.swapSize;
+ };
+ };
+in
+{
+ disko.devices = {
+ disk = {
+ disk0 = {
+ type = "disk";
+ device = config.swarselsystems.rootDisk;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ };
+ };
+ };
+ disk1 = {
+ type = "disk";
+ device = "/dev/sdb";
+ content = {
+ type = "gpt";
+ partitions = {
+ sync = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-L" "sync" "-f" ]; # force overwrite
+ subvolumes = {
+ "/sync" = {
+ mountpoint = "/sync";
+ mountOptions = [
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+ fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+}
diff --git a/hosds/nixos/aarch64-linux/moonside/hardware-configuration.nix b/hosds/nixos/aarch64-linux/moonside/hardware-configuration.nix
new file mode 100644
index 0000000..2278aaf
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/moonside/hardware-configuration.nix
@@ -0,0 +1,15 @@
+{ lib, modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
+ kernelModules = [ ];
+ };
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ };
+
+ nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
+}
diff --git a/hosds/nixos/aarch64-linux/moonside/secrets/pii.nix.enc b/hosds/nixos/aarch64-linux/moonside/secrets/pii.nix.enc
new file mode 100644
index 0000000..a22bd90
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/moonside/secrets/pii.nix.enc
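Review bot: On `disk1` in moonside/disk-config.nix the subvolume is named `/sync` but its `mountOptions` carry `"subvol=root"`, which looks copied from the root disk's `/root` entry, where name and option agree; no `root` subvolume is declared on the `sync` filesystem, so this should probably read `"subvol=sync"`. `device = "/dev/sdb"` combined with `extraArgs = [ "-L" "sync" "-f" ]` also means a changed device enumeration order would force-format whichever disk happens to be `sdb`. A `/dev/disk/by-id/...` path, as liliputsteps and stoicclub use for `rootDisk`, avoids that.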
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:5u/hx1/P7QsLpx/tXceGMjI2Hh5crdguiI30+HJfd/w=,tag:8k5G2WALcjD8S8lZ30EWGw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-19T14:14:55Z", + "mac": "ENC[AES256_GCM,data:tNJ4mSS9ulh3sQ1X5ccoswadbnQVm0+3bbyai486ljw59IBkGbf3mo35Dc1PHZJB+zXoiAj7d+hhY7YGJNz7CJjunI0o4+Aj38aEMUa/VpdO0LX+7xTz+r2wX3zaDYbAI16klElXJ30Z8PyVSoGosbz5DbPAKFED7silxVfiPbc=,iv:KOWA4/+jKqbrghw+LW91UQj5+IWSYx2RSi76ew7uNZ4=,tag:znrx6hMqFu+lykXu3DCHMQ==,type:str]", + "pgp": [ + { + "created_at": "2025-06-13T20:12:55Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/9HYZO7Bu/PhfIEnzlD9RpDhgk79rSdl9rfrssXOhsXh6j\ne016mp6UswsFuNUCArHOzOQ0wF7QolP/TW4ZAXK/Rb1cTr88JVuGy9UPx5cLHlaU\nZBmhFZjkYYIuYkPgKc/ztcsqGrJ/gqz15hjerFIB2vbcFRKfxN5xwIxb/hC8dWdF\n1V5iJhyTwvITBzXSJ4PfOh2RjfGmytKd5/Gf1DouW1H2Y7JgNSZPmesci5BUYyDd\nkt+rUjwe3FefOfzPVCA7ojfBuNxhU1sLJiEbGqEwd4XkwzU421jOIEzLM7qhUbGx\n0HzPUflTO85acBpwP3vf0NtsJXZyYG4/v81GLm11MEpwt5n/nJaxokbbT8CPKVpN\n8gXSwO2VhIDFWGeRMvfG3NNmwnJRJiSS0FTpRwqt3bF7btBfEE75HTGZq0qI+p+3\nPPqWz3SLMeAQvTqmscGpuIATX5PEDm+knq/D9W903mLeACZEMy8Tk1LDyuwJCK01\nJX687nOKgWfsq0PnhItF5Z1jfSMbJb6g3fH2Fpn6aB9bx9WNARNu2s28s3StE31K\nLtAvRsWNH6UzfO3VHMkphHrd7ARDre4pCeHs8B3wy+HswZxO2FEawTD0Ps0hejNF\nZPI18eTmCu6zuumhBwM72BZlWBj50HoqampjYtnlf3JemhYVysCbwyqou+i4S1yF\nAgwDC9FRLmchgYQBEACZ3fR5HsgS6ko5QCns6nqYfZyR2o6hyKb1iaH0veJEL9DI\n+EBaBJ6+8GPNETMACVz+wGd+GadoNWfgFNcUMz4TobTFGwsjmj5WRllxMtX1RNmf\nnqvMSflKk13DIHLbmsY4bGml0BE/ssLj0SiXOAmUWUZOMT+/+griCs4Er/fxphjA\nN3J+G83Prvynn8o924Ct1Q2wDXCWm6MENbbzts03IgkDHK1bCYVsTQ/ca2v+zB5g\nzRUR6xbi7Ysgco/DwDSu9DWIyNOMnsKnS3Mng/vXPoimlof4xGKMHRzrqdP5l95M\ntx2+/l4UNg5aQms8h9MML7AzVmVfJu3pLM9IE89WjVBgNE5/sQEfg7G7WvBBdfoR\njAHhkHOfZDlEjOnQzTR5MYZ57BGIGhHSOrg+IIX1zYaTNFEcnkfpLIJ71KOSs35w\n0hxud2CzFjxnbknvZP5myrMPwfQ1TJmR4PAWE1+XRMze18wCnXcosT7r+I/yc0mG\nhD1Q2YW0qYOY+AhOgshJ+OOvybaPFc8VlDriLoAqLXY0VaQVBIZGTHDY1SFUI4kY\ngMgmKJsWK0wn05J31FSdXYCEQubqClSN1BT+e0ceDnkioVvbTqwRBcOTXkQ9JFiA\nn65f6Ul4q9/ugOgLmrFiLDjdkmkdOOXo7QcgZrOL68+8c1xIxmhEgKobK5wBUtJc\nAXHosTJgXYvXHKDiZpFpN1gI2Y02tbxAb0Vois+ZZcP8AX0t++tZKARwguft0zr+\nWGhdQoGVeiQkAGXOgot66nGOtq/MtChmMZFEG63mc2B+84OOZBcXf66vsdU=\n=nCdw\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosds/nixos/aarch64-linux/moonside/secrets/secrets.yaml b/hosds/nixos/aarch64-linux/moonside/secrets/secrets.yaml new file mode 100644 index 0000000..c78d1a6 --- /dev/null 
+++ b/hosds/nixos/aarch64-linux/moonside/secrets/secrets.yaml 
@@ -0,0 +1,68 @@ +#ENC[AES256_GCM,data:HCHFN2Q=,iv:Z3tD7Hn5eudPR9DuX6etamkpNnYB/NRYGppWdyuUDuM=,tag:tbuWEFDmh4HAyksOZOihLw==,type:comment] +#ENC[AES256_GCM,data:cEw0zCAIF5242UDWZeHCxNHVWQ18mnmaRyjd62orx2P+uq9fiaoDP39ez1Y+wGh1d+FyyYUlh2l4,iv:TfK44vaoHmvShckrn7ztRvWnEUftaMVNNf8O+c70sS0=,tag:/fDK7VrkBLrcWfbBe/A4wA==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:qajr+/1OpVno7yyt1z7cXuSFqjZ4aUW41RP6ww1ZxJ0FhZQxhF8OTA==,iv:8QxdzLc7T803XB0E7ZeVmSLnkUQICZP0Jk1zpoWjdqA=,tag:xERubWmq/vxwFk5V59o69w==,type:str] +#ENC[AES256_GCM,data:XdLlonkGBN0b,iv:wimLW/7+a4MJCVg4zazY0ogakxXjdyPNZmZt0CzpXao=,tag:rg7FEi1qaYMkCXX+dwjFLA==,type:comment] +wireguard-private-key: ENC[AES256_GCM,data:aBQSwDyASfVPhU+5/yT9P99DCEfgt4SvhVq/aLe+AUcXwSqMiI2DkM5THO4=,iv:iAW/OUihMXHoQpX8pX+f/mz2nclj+n/ygwYxx7PVxnQ=,tag:zhlxjoIkfa237RoFNblszw==,type:str] +wireguard-home-preshared-key: ENC[AES256_GCM,data:yr4vO9Bn+3PJheJHbeNRHu0ozCkgxCGuKBJnb/3zzHVQAsI7GonXXQxFjBM=,iv:1r9QgfdLkXCtrRS+/2+f251FjHiAm9nf/Zfzu+CYuws=,tag:kWiXCTfj4Rrzhx+SpSp/dg==,type:str] +#ENC[AES256_GCM,data:u/O2rHXqOoTNpOSm,iv:hqhZC9R76P3sPkpQMximrvcTC15IM99QaRZErC9AIc4=,tag:wc2w7iwtfazlwWpnQJV63w==,type:comment] +oauth2-cookie-secret: ENC[AES256_GCM,data:cbNVAkBAWJCN4fLmkYUFhy8v9iE5fB30hFI3nTpZuVIFCnmXPBtlftI58Zg=,iv:q9xjUDOH9M4pW+9YB9dEYSqEu9gpsezbxcGbpORNljU=,tag:KoGNcssD608huewmHeJOxw==,type:str] +kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:wUTfb0r9d7nRb1wmQEOjXwDTM8V56DmOGw==,iv:OMXiObgt4AbKmovT62+P99r0UzGELj37FX+lqW38F0g=,tag:lksIWm0cSLydTZvlxliXgA==,type:str] +#ENC[AES256_GCM,data:+aP4Jw==,iv:TYiFr6tWfRzWyFq9DO//0SOJ3+Hu4H+Weh5KeCUlD6g=,tag:kTgWC64QIHlwVertJpSCCw==,type:comment] +croc-password: ENC[AES256_GCM,data:c7u5xj4mG222wLPYuKPVh6X0SaoUBH4w6A==,iv:BEkTlLUawAqs6zk309WMCW3DEXjmXv9LHt8mkt8RfoU=,tag:7CM5D4ibgXuVIM83ismUaA==,type:str] +#ENC[AES256_GCM,data:v0/dQUi4gcI=,iv:JXSkXO8BDbHPzxlgnCro5OgN9sMkMQBX7qTmMvf2D2M=,tag:XBgoXC3JCPsBL3g0x9h3Lw==,type:comment] +microbin-admin-username: 
ENC[AES256_GCM,data:1YaDw08=,iv:hg+zaL5jiEfyvGpptfJ0uJgxygtMBJ6kfCcrAzUW3jM=,tag:HWVTTLwFjV37gRVirIQ4bw==,type:str] +microbin-admin-password: ENC[AES256_GCM,data:+UyWJAsQ4Jd5iJgdepJ/m9OvkEewLKQz+A==,iv:oJPZjMnFJ9Mq4tUUWQV0yf/bBvesEXuWqhxr1s5IORQ=,tag:VX2TwIzTbpsyxf11RtA5vg==,type:str] +microbin-uploader-password: ENC[AES256_GCM,data:20QOWTMLS7iTS/Q=,iv:EuUYcY1l4ykKjWvCA0bpXPU0033jlQ8qjYyqSuLAQl0=,tag:Ka5gWBajMdeZS25AajToiA==,type:str] +#ENC[AES256_GCM,data:ZnMVMv6M,iv:z53BHIVvMUfYseftc6DTU9Mlb9ywEvNHv24TvIZiMFI=,tag:QdeWjrw0pmJsXYobADzA1A==,type:comment] +shlink-api: ENC[AES256_GCM,data:XdfDJMjyhJyeqVB4RKgCdkWT2nYC/Pw21D8H/JzkGLuwGx8Q,iv:zucJGNLX8018gD34NL/BwTe0fPFucqpBtMCYXd3IGHs=,tag:/sN/ayEhUaCPmu6fS+mMHQ==,type:str] +#ENC[AES256_GCM,data:R5mm4WAJww==,iv:6Uyb7Qtl6vt7nur/NLBlrVtKoPkF3ZjXdAhT24HW/ug=,tag:6X9b1zZbpHoEZmaYb9NQSw==,type:comment] +resticpw-SwarselMoonside: ENC[AES256_GCM,data:+kPee07ZmnAv4V0=,iv:gi7sdKO+WE8qTuYb3wbjgmVzRvmF8hd1h5vV9QDx+6Q=,tag:0/azZWAqeXcXCsmx2HkFmQ==,type:str] +resticaccesskey-SwarselMoonside: ENC[AES256_GCM,data:R9yj4NFFeZ/iU8Jwp5r3BwnZDy1eSWsebQ==,iv:8C05b7pxA7fJC1Mh5oAH1A5LtNYhZaZnQfAjZMURGtc=,tag:pSGpJrOy/i9Iq22OQPtU9g==,type:str] +resticsecretaccesskey-SwarselMoonside: ENC[AES256_GCM,data:8dp2FGgoJa5TBy2HFITO2to8Z4xoowzhLrCZVDLrAA==,iv:2t3CoVp/4+8xZvSjuMnq4d4nFugnL53HPv1r/odKGvM=,tag:I5zxggxsNHVovq8bcRs0Pw==,type:str] +sops: + age: + - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPU0xlcmV5ZUN3N245eGF0 + ODRabEJLK1huSk80WWhQWUwrT0ZpRzRsdTMwCnlXaEhoY0JBTGhRN3l1ZmorYUtP + NHhHY2QrTDBFaWIxNS9hYnVkOEVMK2MKLS0tIGV3ZXFjTnoyM0c0ZW1ra2dPWmxa + bURRem1aY203VW0ya0tZWUY3WTJLQ3MKonflaevgNP91G1cVgzoE6/K800kyG6BK + Goe81HCYFfm86pzv5wV3/38j7fTZNeZnKwPFkMgEUueF1kA8J9V5CA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-19T14:13:20Z" + mac: 
ENC[AES256_GCM,data:XKsR8Gp6UHhAfoOdRozMxoGtdhfV7b6ogsqlqiAfTsuUayVVK6fRIgy5no5jcNnyyN8zveH/QZS1kGpNSY24N0l4gBA3u5ay5fsS0HjfW5b7mNpasOttqCrm6RpY2ZDdTUmsk3F25QEsdc28fajURJKOazZSs78dbdNq1LdJK1s=,iv:TgLuYGZtxx0ZPPeR1M/NgV1Wt7f5V89KEFOpKSjBxws=,tag:I/CGHZcT6n9X8R2EYRbOYw==,type:str] + pgp: + - created_at: "2025-06-13T21:18:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//ftUBIqO4dedauhSkSKOH+8elmHe30/Xv2wwAaQiidS8k + J6PTDkgplfBWer/5SpwIVZ9Rgzc/NentDYwIYs4u2ovk4w7uaqCwtSeu1Be+baVh + hHjVUUZu3mbq+9Uwp+hvIavn53tsdAz0WuW5AEqwZZCKJy8r95a2t1BWnNTy6eoN + F9Ihukul26wMRmJxIMqPp8HYKWothkeAhuE67Qsh4Bv2t10XTBV5/Qju94YLU51m + tkq9SfwHlKEqvkRvguUfnUm93xJk1PVxl1PfimhyZ8ch+RCswTFtcLUQvxbbHNKn + nBfQIjkkuZQtP4BkjlLdFr/7N4tbysjYu2aTIP7gmPCSzGs4fv23XNOALLk/N+7s + R+tnyaZg5djl8LmD34MVgx1sHV/2Q10lQjE6fmgV54hjVk5qC536fwiqjXOQyvso + QEiIs3SKnAmp93h6VDHIELJJx4Ng2fNjZ1q6w7fJR1XcbnKPLpfXLc0hf13eoAQ5 + jWRmsc+9dL8o32bYlkfbt++R0unJLQ9QMrwqdCH/jv/i6YtJzutcWUZgZPRx4Swh + HIHMlI+bAKGsqIrAFfOIbpRBK537xdjHzX+FDVQ3ld+K9geVwulA1HnVXf8XZJTI + GmW1rqnN/omMr02ekCZil5LrnKs9RaE2VEyK84QfuqwdFFPXXutc2vBuP4jkLuOF + AgwDC9FRLmchgYQBEADB3Z2nHU+08jspiq7l5d8gMD5RfBoHpdNy9JE4bz+z9Mhm + KPu9qNuojovSsiaM9+23oZvRyTKHmgrRKk1eT14BTLhFXWBFAdP10+Hxp8u1hbUK + uGZoMutJtPVBvBYaz+TmQoDaGsbYULfkc4wisOeB7pnbxLrm6N+uJ4eVHSvf6H2d + nHFvgFMTXZwgIPI4G9qg0ygcYI/XwbRssGtwmKHpqc4Xmn5Lg5sVJE+/gkXdyuTj + UEQohQfdg7O6iIWq217DAZpZfKZ06dL3RFkYYQP5R0kCLtKnJOW2wDWMiLwjzagK + zXfNp1gbymqG1gOkOE3sSV09cvSH8YdO8DbWa6it4H58XCnVtnSm4iAB1dLxgOz5 + vwcnqL+9TyIY9VmawoKtjXIXNTnkvRAVEGHVA+zWocmfrvVyxhvlfjV27L3rqlAP + Ambv8nzjHkq5r/vpmP9Rb5oR184gEVlXmrb34hCpJrh25cXGR7tVvFTVpL3/1CoB + kJ0KkKpDpgaJV4zOeqC5KAWomoR4/eeDAg0977umWnw2rqqM6QNgkcbD6G+h+jmQ + owoWb8LMXNKEEUIvEyrsD6lYFJ6y7jmeZEiHLESp4gHm7TE5v1ROR7fPqG7bmBvC + /NyiLd5xT+iOtBk4JCQdHD238tT9EO4RvKToe01TJKuGygNjLjkiOpo9ZrxQT9Jc + AWaSXNBoAXBnNCVkyJCTzK8ejPx6SM1K85q/Micz+eidGKr64ZN2GF2dMSdiwwFN + YbUMFxVF/iB9++97+Ax1GrI4WnBsuA8cz+hTSdIM7GufLJNX73XkOAnK5bs= + =8VK2 + -----END PGP 
MESSAGE-----
+ fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/hosds/nixos/aarch64-linux/stoicclub/default.nix b/hosds/nixos/aarch64-linux/stoicclub/default.nix
new file mode 100644
index 0000000..38128a9
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/stoicclub/default.nix
@@ -0,0 +1,41 @@
+{ self, config, lib, minimal, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ "${self}/modules/nixos/optional/nix-topology-self.nix"
+ ];
+
+ topology.self = {
+ icon = "devices.cloud-server";
+ };
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = true;
+ isSwap = false;
+ rootDisk = "/dev/disk/by-id/scsi-360e1a5236f034316a10a97cc703ce9e3";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ isCloud = true;
+ isBastionTarget = true;
+ };
+
+ globals.general.dnsServer = config.node.name;
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ nsd = true;
+ };
+
+ networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];
+}
diff --git a/hosds/nixos/aarch64-linux/stoicclub/disk-config.nix b/hosds/nixos/aarch64-linux/stoicclub/disk-config.nix
new file mode 100644
index 0000000..9a98cce
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/stoicclub/disk-config.nix
@@ -0,0 +1,121 @@
+{ lib, pkgs, config, ... }:
+let
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/home" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/home";
+ mountOptions = [
+ "subvol=home"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/persist";
+ mountOptions = [
+ "subvol=persist"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/log" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "subvol=log"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "subvol=nix"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = lib.mkIf config.swarselsystems.isSwap {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = config.swarselsystems.swapSize;
+ };
+ };
+in
+{
+ disko = {
+ imageBuilder.extraDependencies = [ pkgs.kmod ];
+ devices = {
+ disk = {
+ disk0 = {
+ type = "disk";
+ device = config.swarselsystems.rootDisk;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ root = lib.mkIf (!config.swarselsystems.isCrypted) {
+ size = "100%";
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ luks = lib.mkIf config.swarselsystems.isCrypted {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
+ settings = {
+ allowDiscards = true;
+ # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
+ crypttabExtraOpts = [
+ "fido2-device=auto"
+ "token-timeout=10"
+ ];
+ };
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+ fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+}
diff --git a/hosds/nixos/aarch64-linux/stoicclub/hardware-configuration.nix b/hosds/nixos/aarch64-linux/stoicclub/hardware-configuration.nix
new file mode 100644
index 0000000..2278aaf
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/stoicclub/hardware-configuration.nix
@@ -0,0 +1,15 @@
+{ lib, modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
+ kernelModules = [ ];
+ };
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ };
+
+ nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
+}
diff --git a/hosds/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc b/hosds/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc
new file mode 100644
index 0000000..e4005d1
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:mU4ydooaOySi7MTe+b/DGfs1fzpDXbkASUo1cDsh4O8=,tag:Jh18+kJPLJFlGx5HymywOw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzclI3dlQ1dUY3WGVYL29E\nSGhZV3VMcm5zYmRsTHVlM2wvNFVyMy9CRlh3CkQrZEIvMyt2TVdXQUJJT21mY0lF\nZU1oakIzOWduU3pNeWVvcFMzNDBFTTgKLS0tIDF6YTROOHBjUnBkVklPQjFRQ3pX\nQWtlYi9iOFFjNUFrSUNMZGJqT1pTVEEKFesEHZQjpenLp3oBQwxDcMv1pEAReXQs\njT8ydzfTuvIP6bXu6lcJe0J90NVZ36qBZ2fTs/RqvZbvM0oufb5/VA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-12-01T12:12:55Z", + "mac": "ENC[AES256_GCM,data:AhvfUvZnKSnhQCTHJpqs5OBELhGYv66on1+kSLX2lONyTbNfwHYsJHII4zHY+bS5cBkZbjtzMfJQkFWtDbU7c8wvdJnHN6H11MOEzC+GfI3R7UzwzJsUjNYE03u8FJCuLvI1SO3EObiKIgH80MV8qlXC+1+f7mKnfZNH8Kekor8=,iv:pAEz8tDZzaFee1EcNBd6zrl0yN55ywVK/eGof/B5MAU=,tag:LbjMr3rOb3By87yOfUK/3A==,type:str]", + "pgp": [ + { + "created_at": "2025-12-02T14:57:22Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//RNM47rdREvCOPQ83++DSlGWeoGlVeFvM4a1og2Nkzoq9\nLKsZh6bQP2SC01UOD4UDKBcT7PoQU86xePjV1ze6nejo+L0twrhQNT76jAw5OhFh\n1DkOVnUpcjZE3aBxDa6g79qVKfp31i6xfvgjipF4SMGpSlZuMLKL+nTL1357HXU+\nzQKPwSLymDq7EdxnCUwTGx8rVI59j4hyEwinxZhbQYiiHQpTQ3AHDu3oBO64daPh\n7WEmMShU4I9PIdvie7sRK3txZTcjM759m9B3Fm+KEWZXO/bQXjy9/Kab5WlEWwFK\nP7aHLin53wc6HMZjset3o61i/FPeQdm6IVoUujjuSI6076OqsWv7fQp9NApftCko\ns0yNY0RMgRpOQNho5Navr71eH6X8QujrEkCGzVqHm16issJUJkw95tlj9q4qghSn\na4RCUmgfToQYvL9ahNTfqP2S1xqI4hbP0elBXbrMUJ7iYOWOLwEPCgmuoTyw+RXD\nA5P/HDEvgnkVxB4vdzfcQjgVtR01nG5rAcclec9gXZg8Q3K0b+MoKOhdvTucRNek\n8+t3XEzTBBjPdaIhW8038qbCueuetsWNjb7B3Km/muQ0CnTzQ45GWozKdDC2qB69\nS9z1KIn9FrmGxCd5hrL9fbwJpisdtOD0foQKoD6X2B+h9KqORWbSGLXfxRo2uBOF\nAgwDC9FRLmchgYQBD/0Y8owdtA5dgxv6W5lej/sT7+PSc2fvIQVQvvYTrT2wJxc5\nrTX49HtIFxPwGdwBHH6Z3oLZjojpX7u8bm9+ewD7sOsvC3PLsKfrvx3naUnEZrww\nzKC762LWiYS3qlFR1QAbPWDjJSi7rDqFkQhGMP59MDOifYOLCbSQQpdTCMYC550I\nmljenkA5nm6sdYnHa54hkyiWzGSO+pAv531X5GMaTvHB3+Fy8QA5o3/+ZpNtVieG\n8RAbvqeH8PyTZsc2GW2D6WfudB4jrhvYBio4T8+5/3Fg6pWIq4pmi4o0F8I8BaAi\nuL90IEtSeFQSytg/EL0JtFxMBy8ImlE/SAfM4Y6UZAbiWBykmrD9TM5IPMUbMTT6\nxwfhcsQ97m9sRT2TWSrxp2Q+k/BQxVK+AbOaxEtWqqOUnWG4sskw8DQ+qAU5v0yC\nGH46gbklEYDmvYMY/kLXSK4iYJ0UmXNhB+DuM0WihQJ22PUPZy6YGWjwPgxjoYXZ\nbfoRjzb5N6etY/W3QjGbzhy7H+JLKXZbq+DLtH5A3Wya09ilpf2cy6FWD+o857op\nKdfybFtXZIBTZWjRQSeLOL+a157M5c6MFC/xr7E18qqL6xl6v3jgF05SZ72bcGVG\n2zvTWnAV1Y+oH8NhRb0i2uyZCEWvv8MRrHJFypcUqImAJylGnYu8lwicGXA9C9Je\nAZ6JqTMkc6Ji6AOzY75gP1lPQNv0HrIbE6RzZyAX41WDB+0okERps2IZF7HSb5/7\nVAXUR2QRmqagMf/qV3iNDQS/kuwGiv/2WTXAtm4446/mpdkaKf+gN7dgcJf84A==\n=eXQe\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosds/nixos/aarch64-linux/stoicclub/secrets/secrets.yaml b/hosds/nixos/aarch64-linux/stoicclub/secrets/secrets.yaml new file mode 100644 index 0000000..0f27848 --- /dev/null 
+++ b/hosds/nixos/aarch64-linux/stoicclub/secrets/secrets.yaml 
@@ -0,0 +1,48 @@ +tsig-key: ENC[AES256_GCM,data:E6fpwErUUmyLbtSyCItzLxvrUfq2UPV//5u1VxnMMn5+TWj/PMuwjvmClEQ=,iv:KJrXIgWMMcs7riIPotAK+Qtj94o/sGKrgi7sOxVs1rU=,tag:YAyz9tEf4vC2LnJV56DMpw==,type:str] +sops: + age: + - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMREU0eVFEbnRaVEJlRG5L + QjhVQ2F2WHZFaXJOM2hsOTBPMTQ2ditVMXpVClA5bndRc1YzV29NUEorSFNDNUxE + eEFwMnJoMHhMbDJtY0J2UnNIME1DRVEKLS0tIHN1dVNLWGRvbTRsWE1rT3c5aS96 + VXBRUEc0eDlQOXg5YlNJSmhDL0ZiUW8KvzVC0PMvMRjBaAS9WhpYvsWc34coUupY + aoF/zkgPmPWj6SY1vURpgUHC5FHolHL3DYQS/SQxdOXSrXIDxlIJyQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-11-28T15:48:32Z" + mac: ENC[AES256_GCM,data:Rd9MTRKzK4AaqzPBsxztoY10pECecWjHZlQAtbQdzzdLVe2TL8hIjH8TlJ8Pju9nmS5gvb/gB2CoaQZcxJsOvYsEYVg27+B2/ITGHslkbK7ngVd8ARNYITbx/eGp9D6VIYIzPBqcz1TkNvtPIuBLZzjCnxrvhA4gX93ZEEAUknM=,iv:Lrhi7Zj2IqC1ApsRT0IwmhJHaHf3dopvi7/4etVOBuQ=,tag:fSTaLrVhJd9A87PsPV+z1A==,type:str] + pgp: + - created_at: "2025-11-28T00:26:23Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAhPx3hRyNLnIXwbGsjD6lAwhdqhe1yfJikB3+kWa+vaKC + /WOu22h0HB8cQwzeU6+LKeieuy70fEMcE2EHh8HjTuAIoi6kCDFjXA37pEtyIKaJ + 9uAc7EBNPOcv2TzFEnHjJXlMIRX1M4RegiZpOiZbkVkJeC7lJSe1mQhvHEqw3wmT + 7ye3ohDvHB7y2W040AD5wymntNOO3BSxQJEVPaKo7sLmbkUSPXRCBj7H715dHyFe + jf6nWbAElfUVM9oSK/TiYZwVcZv4/LbexAivRrlkFmnPpQMTrTeafS8r0sUtOoDn + 8YKuBu0JQMVFJpLA0hUrH/MIkEalbgv3DWsC5DoEEni5oQY3vC/bd0nM7P0hETop + wGFoBHM/kvGK8AnhcRmWy1fj15/TNrzF4uXn1Xr2tOLFrlLTor3JKCqIYTBWUIAl + Ve98SrZcvEdZKRqQiRyAXueJ1S4R60pCtTp6AtKxc7RyJuw6YM3VD3jcKBeIWf2l + UZr8yKfu24Rhy1WAe8+HT/LBzkB6/RKacBtJZVd0Ffnp8Cjaid3BJN3OQTLSSRCc + /t037ctWN/nSC8M/P6F/ZbSN4xEHRxT75c/qGpSBaMJgtwlD0wNIBCS9McuYD8p6 + e74KFlmm4901fytpHJvrdeQl6IAJCPV80540z3N78cdSxfTOF4Qj4/Dr4Flcp4CF + AgwDC9FRLmchgYQBD/4vX3zwM6MDpwW7+zeKrAgXYsHjIj2TYz8EIJ+bIH5/sUPn + F+o8kZyVjAc/c4AnKcCyWz1aYR47p9iHnk7Tf3mh8+MzZ4LCkuZjKmYjlfExd3RI + 
J0upRtTak4M/k2nxfVnosYwwFJhUnJpBlIt9DIU1AcDshAHnAOOeysIsfV7ahNQB + iYMvk196d+2HGdIPFPIG5tgJOFqamY3TtHrPmFx5SSj1ep4V2IMPqDudZDoyMscn + /8dYZCgnSFBDTFY/X8ngftxaXsdyRE/0QJFjG+c2M6G5gkccfpxkNU0toAwz3m9p + hS3s2YYkrMem/VdkqEvGW3cHnmM3ZHAttrfO49z91nmRaWDMm2ocl4CNoAsiEmc9 + /pQN9spgQGonDLM/yMpiuHEZNT8Pv+1YDS7kN2FlHuodsTazAi2ZoMDOrvHQhXkG + 9mS8fgVIJncthfxwbswjz77OZo/zyF41WgYzet9Lr8g7RDegmA+nPeFIJ+EVDKXH + o+KMJVbRrCiGnSvcVtBXQtvhcuJLe/LWvXbnsAo18+HPqA1PyaJtuMgc3dihuddV + KXGtDIpiy7UFw5o2w7Plqs2T+N0wQI2MTEkKS/TdWVO5zTMoI1uPE+b5H7z56Cnj + Xa65aUphUxxLMN9rbVXBSfhTyZCFM+nj7fY9pFmoUgfhKSZ83j3w5XlVL6bz9tJR + AUc8r4d6z59EE5vsIuImiM7/jsSudYewau2wnMuli3FmYISiR6kU+bRBmm0nF6Q/ + Kqt5nLxrcGKz2ivRxU6Hxc9D4gRaekoTkeP5J0Cr0IYt + =D/qK + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/aarch64-linux/twothreetunnel/default.nix b/hosds/nixos/aarch64-linux/twothreetunnel/default.nix new file mode 100644 index 0000000..34cb243 --- /dev/null +++ b/hosds/nixos/aarch64-linux/twothreetunnel/default.nix 
@@ -0,0 +1,86 @@
+{ self, config, lib, minimal, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ "${self}/modules/nixos/optional/nix-topology-self.nix"
+ ];
+
+ topology.self = {
+ icon = "devices.cloud-server";
+ };
+
+ globals.general = {
+ webProxy = config.node.name;
+ oauthServer = config.node.name;
+ };
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = true;
+ isSwap = false;
+ rootDisk = "/dev/disk/by-id/scsi-3608deb9b0d4244de95c6620086ff740d";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ isCloud = true;
+ server = {
+ wireguard.interfaces = {
+ wgProxy = {
+ isServer = true;
+ peers = [
+ "moonside"
+ "winters"
+ "summers"
+ "summers-ankisync"
+ "summers-atuin"
+ "summers-audio"
+ "summers-firefly"
+ "summers-forgejo"
+ "summers-freshrss"
+ "summers-homebox"
+ "summers-immich"
+ "summers-jellyfin"
+ "summers-kanidm"
+ "summers-kavita"
+ "summers-koillection"
+ "summers-matrix"
+ "summers-monitoring"
+ "summers-nextcloud"
+ "summers-paperless"
+ "summers-radicale"
+ "summers-storage"
+ "belchsfactory"
+ "eagleland"
+ "hintbooth-adguardhome"
+ ];
+ };
+ };
+ };
+ };
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ nginx = true;
+ oauth2-proxy = true;
+ wireguard = true;
+ firezone = true;
+ };
+
+ networking.nftables = {
+ firewall.zones.untrusted.interfaces = [ "lan" ];
+ chains.forward.dnat = {
+ after = [ "conntrack" ];
+ rules = [ "ct status dnat accept" ];
+ };
+ };
+
+}
diff --git a/hosds/nixos/aarch64-linux/twothreetunnel/disk-config.nix b/hosds/nixos/aarch64-linux/twothreetunnel/disk-config.nix
new file mode 100644
index 0000000..9a98cce
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/twothreetunnel/disk-config.nix
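Review bot: The forward-chain rule `rules = [ "ct status dnat accept" ];` under `chains.forward.dnat` has no comment, and it accepts every forwarded connection that was DNATed, so what this host actually forwards is decided entirely by DNAT rules that are not part of this hunk. A comment above it would make that dependency visible, for example `# accept only traffic our own DNAT rules rewrote; see <module defining the DNAT rules>`. The `wgProxy` peer list is also maintained by hand; presumably each name has to match a host that sets `serverName = "twothreetunnel"`, and if so that is worth one line of comment next to `peers`.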
@@ -0,0 +1,121 @@
+{ lib, pkgs, config, ... }:
+let
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/home" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/home";
+ mountOptions = [
+ "subvol=home"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/persist";
+ mountOptions = [
+ "subvol=persist"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/log" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "subvol=log"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "subvol=nix"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = lib.mkIf config.swarselsystems.isSwap {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = config.swarselsystems.swapSize;
+ };
+ };
+in
+{
+ disko = {
+ imageBuilder.extraDependencies = [ pkgs.kmod ];
+ devices = {
+ disk = {
+ disk0 = {
+ type = "disk";
+ device = config.swarselsystems.rootDisk;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ root = lib.mkIf (!config.swarselsystems.isCrypted) {
+ size = "100%";
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ luks = lib.mkIf config.swarselsystems.isCrypted {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
+ settings = {
+ allowDiscards = true;
+ # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
+ crypttabExtraOpts = [
+ "fido2-device=auto"
+ "token-timeout=10"
+ ];
+ };
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+ fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+}
diff --git a/hosds/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix b/hosds/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix
new file mode 100644
index 0000000..2278aaf
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix
@@ -0,0 +1,15 @@
+{ lib, modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
+ kernelModules = [ ];
+ };
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ };
+
+ nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
+}
diff --git a/hosds/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc b/hosds/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
new file mode 100644
index 0000000..7a21c2d
--- /dev/null
+++ b/hosds/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc
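Review bot: In both `postCreateHook` scripts of the twothreetunnel `disk-config.nix`, the cleanup `trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT` runs `rm -rf` on the mount point even when `umount` fails, which would then recurse into the still-mounted top-level btrfs volume; `trap 'umount "$MNTPOINT" && rmdir "$MNTPOINT"' EXIT` removes only an empty directory and also quotes the path. Separately, `passwordFile = "/tmp/disko-password"` places the LUKS passphrase at a fixed path in a shared temporary directory; bootstrap.sh is not shown here, so confirm that it creates the file with mode 0600 and removes it after formatting, and record that in the comment. `allowDiscards = true` is a trade-off (TRIM reveals which blocks are in use) that deserves a one-line comment. The bakery `disk-config.nix` later in this diff has the same hook and password path, and the eagleland copy is the same blob (`9a98cce`), although its hunk is cut off in this view.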
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:djDts0mzoVU6Cvf8KJb01CkHO+OrnIJyMhTfgJ8lZEE=,tag:JiZ2t5cBfSAKG0b1wAZCZA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEhDamZTRUhQZFNDTTl4\nVVVNNGZXa2h2THVzY0JWMjE2WjNJT0ZoblV3ClYzeEt4c0dWRzlISnN3NGthR21M\nTEtDQ011dFdhRVdPWlpweS9ma0N3dmsKLS0tIHFPQzQ5VzkyODZyY1JpcE4xR2Nl\nY2MrSERXTWkvNVZCR2xHUGh4ZXMvYTgK7pxPjnh3idl4QzBkR6LHyRskgqA3apS2\nkbg7As6wlEs34TAO8reyZknKTUd3Xif1v9RXiTcu1sEKHqkcqEoDog==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-12-30T14:45:29Z", + "mac": "ENC[AES256_GCM,data:/hfp7IopUWZSMequVWcpMup9lM/e5G3Qda+8zz8ecPMdMrbUqpzi43QAbiTvMC1Wa2DKWFOsZPilClJQfG0MMEYD4GWehd2C5psK5HOxS3h9pjE/AjctaCwu8RB71paK940W6NY8sCjOi+zm+Az4KDwkOl0R3ApaUMofV4hsg6M=,iv:d5Zy4HXtoSfRN4E0FHjT2vIWMY8k3G422ygVAZ7gXrc=,tag:a6UZVjb9kTj+8FZG1FIyrg==,type:str]", + "pgp": [ + { + "created_at": "2025-12-01T23:06:36Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//RhpX1uVa49yA8FIfj/y/2C92Z7iBl+l1TGjaYMnuLAp5\nYybqAHwi1gzbnhKvpqO3ndm7qHNwbPBuYBDhu1ZDkQnzyzIthx3JA2G+je4Jem+N\nF8XWUglO+lEUpHD62s9JdOSS2dNRHSd/mcu/GV+k0/DzkXDn3TzzOciKBLn1u03+\n6T3mipG5cm00EEstR+iX46FSzOPX3M2+hYY+HY9rQa1RKUrUUsBBdCEYWgMsQOA9\nDGyweibxkcyxIGZIc882gxa06QxM07ON7NuZjW7vvUz3k7CI3bf5IBfaCvDywaDL\n0AKeTAVGVLnzdapZoP9lZmu6T639wu8BKMxSHiGeUenOrhs/Gl+CA2iCU5XimZCw\nbwPvKRbOGLu2eiBL/BHEMg1XpRw6bh24o3vNIchGRqDKbXICgkKr2gXhvli3qPrH\nCXokXF48e51bERfr9YWi0ryW5tgVEMwyubRi85cYnslwqfT78xzKMNRwF8wJ6PxG\ngwT6bEJ/f7QzXkw9VPY2HbaBBhe7XUBRDhLnV5sPBiZW2JDOt9rXH1LqWQLo7Ot6\nLWvOicAtmY5vnRIm9x1pPFKipmTWj7NzRCLEq5yt0borQsPO5RTC6fvhL/1Lpe1B\nzjAIjJBfQptEn4xjA0unZk6x45UDp9KpJz5zdKF43DSvGOkEF8NuTdEXNpeYHzCF\nAgwDC9FRLmchgYQBEADA36phB2C1d2DvEzi7AB7lK5gGExmaYSCzMJkSfjNQ4SO5\nwMhvRZZyIf5PT9wdJ6hCtOSqqhh0cubmZadrFnz/qjXLVSv9aTD4PFshF5lYgT0x\n2GkiIOkrVZ6vuP6/iIW/p+CqztDymVRR6DAhNNX6gx2NARdhii2K/hitW0QejoJk\nWY07qUIb2z0fPVp5TfAf3Nr87u3faYr0usW8GGABFA7IzJwCK1VA1284UZm4zj6Z\naHm+0wK/1g7Ck2sjzbhqzK3HlZVKd6lBIhmwdzcG1y0Ua5L7PIauLR6ArZkFD3WO\naHyyZ5hyNmoyOMjuTvPCIhiZ3T+aQK2f8pzyOApEWX4piCNhIvcSSy9AQ/f5hvVd\nWLG68dIMnmOWYxHX68jdNttSCcc9oJKNboOPKDdmEblZxGx5HZpYYL7X+Q0JKoMO\nqCXVc7GlIVLX0GghAvgC9Xww8XMQTWgJJJAVOa0tlTDJ4ybvCiyy850+ZPTevlHV\nfvlKSSCGHtjVIuZ5b+jMtBqg0aPDY0OqNFSvJ6x6wk0uICMesv2LNAKF7tUkMvHF\ncHljW96IOLocW96bwVR+nQG7U/ZY7/P6+2Nva8AgbrCd0erEZ/2lIvRV4IEzCk2g\nVzuzg+7pjkh1iHYUX+VX6CbyIPyx2Ic+VNaMrbqtC1YiPK6Bx+SF3eYHw9DYJ9Jc\nASJeqALtG3vg/TOKZwOfTp1GNvSExTUKqhEHpcCCty1UxIpNCPByvvsUqY0Q63DA\nyJ4TVO1QLCLwKz8nK8NWSRGrZ29jNJfAjcNDV/FrPiFqSPHVAErd4Vnbeu8=\n=Yn71\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosds/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml b/hosds/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml new file mode 100644 index 0000000..c5c0dc7 --- /dev/null 
+++ b/hosds/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml 
@@ -0,0 +1,66 @@ +#ENC[AES256_GCM,data:Zj552Ho=,iv:uOiDvsLPsT3D6A1SLgDl8jbAyz5bK8s1h7mIc6WT10k=,tag:rTD510uyO65F/qcD/UTUpw==,type:comment] +#ENC[AES256_GCM,data:a8v9FPS8GcZOyREs74GhUpnAZlYF9Q9lRU3ZdsYERajtDiGncywKPLE61PlnH8o/h+QkkWjpsjy+,iv:Ck+7CaYym5fT4uy44b8yLw+b1FDvvjxrxql3ed+B2as=,tag:sb7vA0tVe1G+TDcJLhQ66g==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:9AvuFB/nYm2H6JK+pKY0wD658dHGZyV9w8B/+PeTKb5PkFJGlqdz0A==,iv:DeH3sRv9hCzhy38jnXVeGlAbUeXWOwf2avdINWuhJb8=,tag:jXjmtG+uoTonlXSSKLkY3g==,type:str] +acme-creds: ENC[AES256_GCM,data:X8qOlnbaQo2RE8MyMnI/1EsyyHl5t7TemUTRYqhuHGtFP4mK5+obd/S+VzscfVJqPkCY/faGAQXtbI7x9ST3AmxiCZEbuuV85OvrM+lz5muV16YNjovPxG5BsjI/ZzYZ2V7H9CiUQLvoZ9D652mvwA10wPnKrIpZ0Z8TFeC6vFx8vyin07IOQmNnfanUVMf46/axAR9KM9ksB0uJfsEo8WFmt5q0sfXRRe+qBtdgPgvn9ebeU++Tv8JpHTPSIoagh1PslabrsgNEcM8H4kzIsOly9uYmYCZ7X732vTKLRvimJ64+MLWw3+DCy2eX5sgrSRZw8r5F19P6a+gGBTy3TsW+Ql1dI468fayltXg1hiy8bD/WEXaEalaB2w==,iv:DkX6988ls3nc5aoLP8sQOXR2alXKuogRAXCtrj8/pVs=,tag:LTwZhUWgXfbLg3YxQGlZZQ==,type:str] +#ENC[AES256_GCM,data:/+idD/eetpnX,iv:NNXMyIt6uUfT3JVU9g39xjUL71cw5UVmESKVIf54tqc=,tag:pz+D3tUk0gWTfAirJGhlkw==,type:comment] +wireguard-private-key: ENC[AES256_GCM,data:m8fL4Y5TusV4imzcVqTmJZB0rlb+ndoH/Bl7KvbP/7awfR0FyDTmt81+3aM=,iv:qKT+61HLz8q/0T0nKvnV+wap/cvjss8THXupPNlotAE=,tag:cKrRuJjhVYdEWfrFEhUKZQ==,type:str] +#ENC[AES256_GCM,data:IpoTYZX4KGjPA+hZ,iv:Hd1V9//M1f/10HQ7ZEEA9ZtuO8EBtY1kn3n28krYxpg=,tag:We6WirbRgSH1qOjC4g7spg==,type:comment] +oauth2-cookie-secret: ENC[AES256_GCM,data:ZN44Kdai0hUgx0GduynlyMHDnZpdnp1SPAGEaNaNFHGMhM9Q5HPzotiNXQM=,iv:vsYhWriY5G4KLiJ12MLm26B7aBzCL5GAr+S15klH4Bc=,tag:t+MsS0Wgo5papvoeK1nk+g==,type:str] +kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:a90dn//LD6tvDYGSNT2neorQRfo0puo7GA==,iv:a/R6xlwGdrwJNc7qBoo0Zmlh7GkZ1+uU+RzOxRE+okc=,tag:3WpAVThFLXZFsCIl5xM0IQ==,type:str] +#ENC[AES256_GCM,data:vm48D/CiRtw=,iv:7Vs8SfqqGEEU64ZqF3uvFIG7DnUfOT3kGqodiIbCwjQ=,tag:hdNZZUMTLIrAGydGSFfP5Q==,type:comment] +kanidm-firezone-client: 
ENC[AES256_GCM,data:YD1lkGkg+HxqHrGsbIz2GRq/VMIJqOD+VQ==,iv:AJa/sVAC0s4hdfvQYf+/NaYTJaxO0fdwzNmmD7S+kc8=,tag:JSU6aX8kYbr70+YYwRV56Q==,type:str] +#ENC[AES256_GCM,data:XS4Kqba//4tVSj8AzyLY19Milwl0w7UkTM48t8m/wyB/P8TgDerxJwOGJvz3uLZJX/EO0/4rKminMYSoMybRnNn4TVv9pa9uV3JEkUsGkFk2abMfBriAQjQgziwLbDZQJmnJs46YD5s+sYELN4MJtwFNg6NzEDATDMWuE4+loyxoqgF/lzG3OFGkDl1R2JkCIOU6NGRqTn8a4XpX+p8U5QrY2V4iBCXajGXrcqLfINYW508feq1TAUZazaNdA+RC2SMvq6Diy8mysP1p/5mGUpIATjmoDqN74Yc5uZAwaenI6jIsfcE4JP5lFy7dHWOfTQS/9MCsEsRN2LWuP0ivaKOgF79ykd4Tb19EACdhpkip8XV0hKHJMuyEr6zJ23dUNtBE,iv:lpA1sk5y4tSk6iXAjArtF4piJW5af3+tIwMos1BpPEU=,tag:479ZIsnwkSSFq+C2a0jHzQ==,type:comment] +#ENC[AES256_GCM,data:XeQYwDUAkfNmWcM+jdPdfHSD9AC7Kn/mWRHCMV96AIws9xJq51+XoR2cmiVmLfeE3eQWBB8KrCvML7oyJ25oBjFvFjjH7BrPhhrNiVc6D3JqjtV4Mg/5GTTCsdSk2aTQf3/UIqclYw/kH/ofMRa/O2ujkAeuFCZrM/2+DBlkLqTehx32MCTM6SDsEKrU4tBjp814M4QdDVgdDdLziNDwYgzyGSaCnpV4dy+RgWKKZYElGUIm2QltibV6CLS2iD/HiJxyY0bAeZzaS8fxVVDugg33BAJ5Ttzc7SG7mBqj1aslflK9N5rG5d5fvLN6kMJizY3KFq61zU+2CDjPmvCLSEO7JOS5UADrUOEcbW6bfghRSNHjSMZkoo4+/AZPAsnvv4aYaA==,iv:/dVcnaewPEpSIa2CzVCk4XpUcpRdj7xYkOk/lEyjWXA=,tag:w5w4xnzdkEBwdpVl/LdFdQ==,type:comment] +firezone-relay-token: ENC[AES256_GCM,data:c4PHNWORFTxY4tHp3Br0BWah7vWbFjfuSbql+hkW6nfRyQt9PAxYzdXlF9ArZaXH3073HH+uSBC4Nb7h4u8chhw/14uz4zFZfhJO/YuWxdcP+fVcT/m1zeRr19YiXhFQPcCdqQV8HP4SMZepVJ5WHsQT2DVCmYoeHG9ym09i2nW/JYC4+Gl3KBKG3XgW7gCNW0Ut/CXCg/rxoupHosS56qB6PIng3O+erixugKy/AcHfk4Ew9q2uSOxovCCI8jfWRhSgQtfSV++thwGOuVphwbxQVtetFrgp6xT/nMROWhszqXRHEE2wGKWACrfyk2f77RfDrJE2BzTDKgN8CV5MLJhl2ULNlYRZ8jg6GOM=,iv:8TP4AXIfdVK45bTQGlgmKaW8bFAmd3E7b/ZDetzcwz4=,tag:+N7zOhgMZbdfU3sWnb/Hlg==,type:str] +firezone-smtp-password: ENC[AES256_GCM,data:WLj+kcidIMQIP6gPuuIrujA+fHypUpGUFg==,iv:kg96vVaGund6HcXoJltIma9ecv6tK9AxZJf8n62+9aE=,tag:g54wHPhD4qnHlKZQd+MPZw==,type:str] 
+#ENC[AES256_GCM,data:aBNmUs9ZW+h5fDMVKdW3WQebJ8zmbHuYmNK9slZx5tZONTfnfnFRYjbzyqFTBKfC0bYjzLYL8AxXiEiPmBo2yLgbXtsOrVMoML3hD9Oi9T/7++BUBpbBQ31cC/EtnALumpes7+hO3DULm5tzWYc9qIz3yB9/gQzuKCqFOB6TCt/PwAKrVKNbcOihx/5xh04s6WyqfSUjWOOcHSY/ng2G7NeYRInLe6TgM6gGQGe2DjXCmNvgxJV2Mh78IWs3yA3aJ9VtrgF5R0PGoqHHZ8GfRZfYn7MBSW2dHztb0oLWux6bnO61Wnm8iDdR7xguQkNXPO0XXIIIO6AOL9duThXYjwQmieqYEEu1BmrvaQ4/tslLHX77axQCm1miwmZP9DoKor3yAziCBMa/pbU5JFlft4QZ2QGY7EreDfBVoDcPjCgA+gXuvq1VozPTiRH+y1hiulGlbGL0TmA=,iv:nsXYOxnWGceyB0aiv0Db7H+oD4hagzwQi96h4mGWD+o=,tag:n4p5Aoh7lYvCRDWRcc9tbQ==,type:comment] +firezone-adapter-config: ENC[AES256_GCM,data:CPY6DPFJ0OZRJqY0u05rAoc9gfCvHY8fFXkSyKvC+VdjNkC4LwjSJkaBU7aBAyIVsLrLz7cS52fcFfwdnAp/6V7BUDE2qpRdpwuN0ZuTMrnFnmLIi0jy4JXcU5niiClSfulgRfY9Dw9f8oHdYiu+uziVhDdjThx61tNyW+OVMNsKv2avWKqotM/fhBf59hJDS0NwaFi10X4X9Z0Oljd9mHQw+LDJkSTX0dk=,iv:IRn5awskI2mZCzQka6VFvCaNnYATvj6yMH9UWs4vJus=,tag:3gbxkbfwS2mNLkVK9KmTUw==,type:str] +#ENC[AES256_GCM,data:xZvu7VeZ8IVeiR94gfJR1BB34V1z8ou+YKRrIxlK+qJ8idgzEKXRiWCcdwC345UNIEuVShI8CT7+Bno9c2bllkkKwW4RhSEnMOYo3g+iouKB3p2iwRBX+OEZuWbpoZGDr1KpHLP+ypiTekNOAZgx4EmxQWFL78bBMswoPn/Tv5ahN1Gha75A9iO7nNQgjRIn62s4l+U1cMXDBBKUCIwcfg==,iv:V7G6wGFjSoKNGNuwW4i2U8+zKI8AQm+ATbSLls7688s=,tag:jQqxbMGaJ96fHvPj5Y0CTw==,type:comment] +#ENC[AES256_GCM,data:td0zw1WORHtMvBO7IK06Of1PoG1QTMiDeJ8KSa4LpLrIgOPTdIg9TkU7UYPNxFD1bVGpU708Rs8Skmyz0v4y9S9H6PM9+4fVij5GN6uaLH/pfMXzaArD8SHbppYQGgpVqsq4kJ+sk02yAjvEM4BBfTpOEPgnu1CSmwlyjw0ysrCwq5YLOYqAQa9rT9uiVCL3FYWuuUzh7SPuRaZouGX2m/MdtQ==,iv:uetwzIK53P3ja94Jw/QDnrel61ducf907mZwB1yy6cQ=,tag:89IjmIvEQs7ayBmuvw3RFQ==,type:comment] +sops: + age: + - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcDZzcEJTNE94amhZSEZk + Wlhkc0dXY0d5Y2Myd21YYURORlRnMDRlYTBzCkZ1UEhzSzdTZjJENzAvOHJBVFRH + MDBMb3VmTGhnUXhRRnpYS3p5NE5HYnMKLS0tIHpROEhpeDZQYUNJMkExTDBsNUh3 + 
NmVFamgzKzRlV2oxS0x0UCsrc240eEEKByZ5WYf+QO8T43VLfO2ym4x7TQltS1nS + ckgZLorWZBWQg2vAwQktxQ0WTcjhM6tktZ7zgCIzKBLbQXtSt7VG9Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-02-02T14:04:11Z" + mac: ENC[AES256_GCM,data:1LVGAaA5z/if1C3tVkrM3iL2Jmz+XQfFJ3df2a02wyIIZiY8/oHguVYN6rBwPFY7+CJ1NeuTL/lrz1y5NJwhFEtxmrQOVYzx5HCw9uc1psTDFJFt9q0ZFVsBJs3wQYgf2QJgY2PAnZpmk6T896KHrmeRKty6Km2ltVSp8c+ieEs=,iv:t+9xgqcjjtyxzZINT60sB3qB6QkpROC9Rs1ASz/7On8=,tag:iv7ojyELZaGx4ZZhIDv4ug==,type:str] + pgp: + - created_at: "2025-12-01T23:06:35Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/+O2d2BMDS3DVPfUHLD69K6VsdewczQkPoskMrS5JeQn0R + gDhR318J311UMClomIIrgDlbleoKS9tdC1rM3DoCaGFq4MyydK4MLy0+6wme1n3a + ZyOsQ1jSpdgkWUfbalbxL9/cWtQBwfahXve39L+ocqb34KT8jeLcRNZWORWAst7X + a6fHFp4gZrTnOjn26TJc7dJxYGWQIWk3WBYpzC8kpqkMaIemIy0FHaObNYy3DvM0 + Z++AYqmwEYiz+tG1bVRUZ1ck/z8kR+Zv1Wg0uVM5Jmg6rArrz75xSS297euPZhO3 + bQwEdJ2rcrdaz5LHC6zgsDrVz5LsfoTxilOwIgsqSGqOBIGAN6XttZXjjul6MVyE + XBlHqqrCVlLl+OCumWC0U6vr/bcGV6CaMJPE80Rh//wThtvyKVFRQey8EmJH7IGx + vHtfOaOScJc0sCCyXOx4HBeeGAYq0ogSRTlgK6Z+kXx/MkYRHiw6Vdrw0anmFF08 + 7lYB4SPafnEB4m2IPz1390ZSDXWGT5QmrhpnajuILIIcWwe0mNPfDbLQWF6CZALB + UJs0XvM/gfXhnqVnkayTXc9IrIHkLoKwyMh1g+st+d0fAYaUD2Wd9BI+zi22m4iR + J7Mw0bMBciO4MRIZEEFsCvuv4UzFjQ4mO9ib6LXI7y51sIJuYPkq3lllkntFdCuF + AgwDC9FRLmchgYQBD/9F+tb1K7aKNq73pk2YTmzH+WR2Dr3+MxNgnQlnIJMxdoTi + QE3C9U9UaO5ngdHbnG3ruBQKjGhLI8meFMTJatPwuOFcHPN+I3lEO+PkHGH0VkGQ + A1xkeFizc5l0tfTD9JpatOwaKKr1b4cERZP5hSTZ3MJsRJsykySKmLLpfmC1pZ7L + OWLdJ740YEPXXw76seRgZ66tKou1lADRBXAfHxmlj7yrt/MB2xg0FfPw6/i1HTlV + kwyobNlNO6whpgHjX16Qfcuj5YMRSDmyb+Ol5dheiA+DvoowhkijCGv04Mye10RI + bvjcmhVA+2lNP3tzF2duyIQi4nPDhQLcBs8djH8flKWDZOuz9Jt1QDTb4h6iJzfK + RkfU9j7/GjDiiksOdC0/yYgn90dGdPBI/iR890Uyuav/nwzF9Kz9aHQGPhCbwfRZ + gN7f3zyt9XPw7Qdyf5+zvaarg5xf8i3q6vhYZSGpOGC/ZrRdJcNfo5Sw4gVzrTOD + M9IGoeoyWkCHrjKPjYf8fVW8dDgMsddaT/ub8jh9OcM5YA6mrbeAGyf135mOurLd + PCsu/tNAA1GLImgc/MYplkPsOfC0+7fJ9gCSirXyRgT6Eir1VJLL7wE0zrPYfqdX + 
NOXYKdHQxfhtk33XlnxNJ73cJVGtBXy3B2kkM2DBHxY2Zj8ysO48zSri280RVdJc + ARILzsczZMXmJVYuR/r103j+doR/kMVEeH+gwhTSyj3yOgP06Ychawx4m8QrjF93 + FfpVVia8JmpXAymJ93fO1HCzpQgZwX+BuhjfGcUoa3kr+lJjzU4571CCI84= + =lNG0 + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/bakery/default.nix b/hosds/nixos/x86_64-linux/bakery/default.nix new file mode 100644 index 0000000..fc14391 --- /dev/null +++ b/hosds/nixos/x86_64-linux/bakery/default.nix @@ -0,0 +1,64 @@ +{ self, config, inputs, lib, minimal, ... }: +let + primaryUser = config.swarselsystems.mainUser; +in +{ + + imports = [ + inputs.nixos-hardware.nixosModules.common-cpu-intel + + ./disk-config.nix + ./hardware-configuration.nix + + "${self}/modules/nixos/optional/gaming.nix" + "${self}/modules/nixos/optional/nswitch-rcm.nix" + "${self}/modules/nixos/optional/virtualbox.nix" + + ]; + + topology.self.interfaces = { + eth1.network = lib.mkForce "home"; + wifi = { }; + }; + + swarselsystems = { + isLaptop = true; + isNixos = true; + isBtrfs = true; + isLinux = true; + lowResolution = "1280x800"; + highResolution = "1920x1080"; + sharescreen = "eDP-1"; + info = "Lenovo Ideapad 720S-13IKB"; + firewall = lib.mkForce true; + wallpaper = self + /files/wallpaper/landscape/lenovowp.png; + hasBluetooth = true; + hasFingerprint = true; + isImpermanence = true; + isSecureBoot = false; + isCrypted = true; + isSwap = true; + rootDisk = "/dev/nvme0n1"; + swapSize = "4G"; + }; + + home-manager.users."${primaryUser}" = { + # home.stateVersion = lib.mkForce "23.05"; + swarselsystems = { + monitors = { + main = { + name = "LG Display 0x04EF Unknown"; + mode = "1920x1080"; # TEMPLATE + scale = "1"; + position = "1920,0"; + workspace = "15:L"; + output = "eDP-1"; + }; + }; + }; + }; +} // lib.optionalAttrs (!minimal) { + swarselprofiles = { + personal = true; + }; +} 
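Review bot: In the bakery `default.nix`, `isSecureBoot = false;` sits next to `isCrypted = true;` on a laptop profile (`isLaptop = true`) without a comment; if the option does what its name suggests, the unencrypted `/boot` partition is left unverified at boot, which matters more for a portable machine than for the server hosts in this diff. A one-line comment saying whether this is temporary would help, e.g. `# secure boot not enrolled on this machine yet`, worded to match the actual reason. The `# TEMPLATE` marker on `mode = "1920x1080";` and the commented-out `# home.stateVersion = lib.mkForce "23.05";` look like leftovers and could be removed or explained.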
diff --git a/hosds/nixos/x86_64-linux/bakery/disk-config.nix b/hosds/nixos/x86_64-linux/bakery/disk-config.nix
new file mode 100644
index 0000000..3dbabf8
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/bakery/disk-config.nix
@@ -0,0 +1,122 @@ +{ lib, pkgs, config, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko.devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards = true; + # 
https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + + environment.systemPackages = [ + pkgs.yubikey-manager + ]; +} diff --git a/hosds/nixos/x86_64-linux/bakery/hardware-configuration.nix b/hosds/nixos/x86_64-linux/bakery/hardware-configuration.nix new file mode 100644 index 0000000..8322c04 --- /dev/null +++ b/hosds/nixos/x86_64-linux/bakery/hardware-configuration.nix @@ -0,0 +1,23 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosds/nixos/x86_64-linux/bakery/secrets/pii.nix.enc b/hosds/nixos/x86_64-linux/bakery/secrets/pii.nix.enc new file mode 100644 index 0000000..903f22f --- /dev/null +++ b/hosds/nixos/x86_64-linux/bakery/secrets/pii.nix.enc 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:M8uEE2uxhHHh5UdLO+J18EMVWm+9FCR2BHMJ3P0Il4h+0CqWOS27aVWPjI2lIt+jw5svt5kVbTIzwvw1GmEdcXzJrE9yZ0eKkXSm/TYQQZhlmcPcNeJyDf/bLivwExKicRy2JR2KNyAoiW5gISF7nkUv10EnM60mzH2RftPijvdgSTmdoNu/9Q0J3M46k+EVGO370NXT89eSbhFMS4r6M94vKaA=,iv:C4ELLFaF9yFfDH+g/TwQtRm1DuRtIAxcI55I0mpKd70=,tag:jLWAD2pLkqzekJipf/Rc5Q==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaGtCbDBYaDZTMUhhbTY2\nbk45NWRPZU5nWmh5M0ZDNGF2Q09rNHNzRGhzCjh1d3pLRnRtZjVnaG1oN0daOXRy\nUzVFd3QzVTBib29QbGN4cXNheVRCNWcKLS0tIFlielcwODk4MjFsS29ybXNDMm5y\nN01aaHBFN0VPdTNrMzJNaE9NRG9KRnMKNV4rqYphPTyXF5m+qNq10aIov8quVh2Y\nALelTPRpD/hMYou/s8Ro49GHNNNKeV9J+4Tvq1QEmIIdvjFLy9AS9A==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-07-10T15:25:21Z", + "mac": "ENC[AES256_GCM,data:pMWJo+JuSgs7RE+rc6vB1u/V3kfQzRjknxIMkNNJCcBp2WVoz84BZ23oruaB2Z/ZSO9zpaQMHkuAqGZU7CuvZ1JvECHWov5fRkXDPeaeIVw3dtof1XzH5plRmAUzabrmEzrGSnwJrJ6DRlAhrq2gDyyIY4qmUeySc7zgR7QVf0o=,iv:iCM7ulRAP5FYyR/z7CSDRYMsm2Gjs7qWLChtslGfzO4=,tag:QJ2Lxmwvgd+ILHeYhMvmwg==,type:str]", + "pgp": [ + { + "created_at": "2025-07-10T23:51:27Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAmKgk+exHX36+IkSQC03yiRpEKpmkqt+FcGsbDMonTyow\nmvhmwSc7UscNOgOQYDYA66vMCWE2Ij9gxFJNpPG3rXFiC11XN1/pq+Jy3Qvk3DNV\ntnXgwDvSt7Ry7FThXnPiJAkcjwYNeTniyjzKcUmXA+yEJAlswjGjH6uP/Nvkeo2n\np+OvRQc0cXHBSTbnIq4dHaqVlp1JWOQgtZVrIgwN/rv3xvDPE2E2dmCc9hUg83vk\naUT7fDo8v5hWwJJO7Q6OvECKw/D4jWTxnBP1nS3a66shkpcC7lpYQjE6AtAM3AbY\nB84rat/Tff6ZcmtxMvIa62vfwrfSh/00DmRlPkIe1KlbjrV1kafzbySjI7q1vy2l\neZL7/Zi49fy/KudQ+/OOMC/PlhGLYGtEo3sNmLY7pfBNuMmwjYQ0K/1kKQ8XXJDw\nbWQDP+8aeIKKciLy07NW5Fd5gc5S1exSFHDQyhCXjdUcPk3cTfnEvMP/T1bCNCaD\nGxy6IEifdJvYNeWyaxgbKzsLmz8kTd6wPj/v0BIdL+dy3/a/4SVLR9r7Qn3bMgkc\nb1wVY4XDyt6LPnwVY3UOFPSCVckGb8NRnciKOj1TnsaYI6xEQ0ObuuAedVJQj0wF\n5OqYrwnH+riiLFMVzsEspNQNlMTRY86zPIxuNe8qPDdVL5CotAoobzdmr9cc75uF\nAgwDC9FRLmchgYQBD/4ntfP9dGtNzb9BjR6NEmdqJDIS37lHCc6ts/f86VCiy0tk\nhdtVdZ7sYdFvzkGimfmcbsVJ5VOPK6S82L0xUlROCax1bVkjK8VjqppUbTxQMgWh\nek7pPzE66MJzXlpqGgmRHgLuV0yhTqz9TGbTetjYYlWiOGMGYHwvxMLnvTvQIbJb\nBwtpbK0SEu7ODMn1mGtWpzkVI9rDeCW/FT0bBj1KvkWBWbCVFCSVGjmxuWcFgRs/\nc3aNA/DLQMsX7TzvqiY+dXLdp9/vuyqIf+qzC8IIrI5fskzaVfjP+OzeAVTXeI/f\nYsgvF31Z+DfMAFQ7dnAQ56Ys/oSdNTaAnhfFjI4S40qw0SfZdTWzUm9IjhnZKgaU\nNV9V3b2D7nr64JxutHzYiJemlB4Oy+HhqMQR3AYeMDX3hEG1Xt7splkBLdXccIEe\nGTOoaIffV1QUAB2M9PVyidpLf98Ii9s8Mr2OUcQsYiJy7jNXTudx50mnIhmBSDPN\nk/RSFoMo0+v7jC7lWkfWhvunUJrJ37zNSEHZcJo7Wj+SflqZDI/QRQAez6xRF6ih\nzgFfAgNSDAkbymvju7I6V9TEOw8rLdlXLlBNd+GAy0S2HfNIN8lx2tVnP++zP54C\nhdEDMU+uKp98Wu1fVuMipzjfPqJ0lpNj9M2+ma3q3w1L4YbMa+nVEK4/mmP0e9Jc\nAdvTsgHHFgN5KOwmZkQdAhKJ89cwcGUwZwn/gO7pEGoOw6WaHIIE6ueOiThfkXm/\nWIe1AC/JQapdMlvmF+2Rf51RmSkWX3/vtFPNkWvgkGgCely/eDXRK/si+kk=\n=ep9e\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/hosds/nixos/x86_64-linux/bakery/secrets/secrets.yaml b/hosds/nixos/x86_64-linux/bakery/secrets/secrets.yaml new file mode 100644 index 0000000..429dee6 --- /dev/null +++ b/hosds/nixos/x86_64-linux/bakery/secrets/secrets.yaml 
@@ -0,0 +1,48 @@ +home-wireguard-client-private-key: ENC[AES256_GCM,data:ozkjvpAAo33495w2c06Iu1ZFvh+IGNXUDYuWVWACBoNRQSKaBX00c3Ynd10=,iv:wbeYJFEopuANyiKnWoCBESxa1dB/insEFJChEqxm/Pk=,tag:QfvICpbK5fiNEDhRLxQYGQ==,type:str] +sops: + age: + - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Q0Z6VUR4VjgremM4UHBZ + Tk5vSm1Ma1RzMkZNRVE5NHBtMG8vNFVXR2l3Ck1yN3NoS1UyOWMyRXZTdndwaXdW + MHRkU0d0YThST1VEdVJXQ2IyMDlwaUUKLS0tIENrV0tLK2QrK2t3d3FlZU1WMVIw + aVN2eEE2WDE0RHZxNTN0aXVZbGJoUXMKjje3viWHrfHFnxoXOS3R1/TEEr2nV2Dv + 2Tepz+F/vrNkH705fVePD+SmPXv0j+bEH5Lf3vLi/9zFqhrqgFDExw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-13T11:20:48Z" + mac: ENC[AES256_GCM,data:vqg0HHoDSLlPFh++CZZBpALrIOrnBtLL30XWzoXpYXMBKM/XCKGhjFPmna/ew5stK7ylNjIiAmvX8rZB3ynG5Si1/4zfGV8aKvVKhcrUjB1Upkphq7jFb0MI2JoJN9dv4SDVwKtiog8T9aYImNXe62/nMI/5xHlF1moY6JXDE0s=,iv:LprVDQU9KeSwuC/cmy06YQeCMYhaEygb44I+GkvnbiI=,tag:fodgL725veQmxsLuA57nDA==,type:str] + pgp: + - created_at: "2025-07-13T11:20:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAtBAhSfBmcZqHKU+JiBPcs8WftmIZ1L48ERCyWAfh5iHJ + lfGyM61PVxb7qAFbXf+sXsZX2QtMVjobqYgAlibGLnlUl6f1RaFHdfkbUIr2NGY+ + gjCZEGUmunwRzd9hozXj12B1juop8nB5kAdeGhJ/H9CIJofYalkqlU33YNLcROa/ + lGqV4Xu89QfMm+tXzz8JpsXnW+1z1j/9j0Om3KNQYN7t04BmNAYwSymFuubFEnFR + Y+tvBPqDPhpxT3YvRIkbPGhnWZBlr60owL8S1nKujVLQmSr/DjwS+om12kPl+Tpy + s0jAVB5ja6FCIE6pa5WMV3wNUinis/a/P6xJGiFxS47ZLoVjQjuF2y0pW3N8O/8v + mm7Q7J5rWjF4odZfDyfpPdh3+Gmb2cUERpK0i0BDT8xAo+6F4EkcsWrTb8BrI56X + NaTPFLenluIedqqewgN6AVjX0WaxZRdQIKupmujeWefhBgDwX++5misZdCErqLcX + uG0R8ziHGi13dm7mhn+PorFEMRcAHhQqVIA9Ck/Eg48W3GQcbGlOl6e/0S84g+YU + ndfz2J4qbJtJk/RmarpbSE2kI3edfs1DC0nM1YUIUHm91UxXZ/yhXSiR0BsW0BpG + YRtyT6TpseAfBhyMgFjeyiDk3ngLHogJT8ov706X+jG2IGz1n6MldM8EMKry8amF + AgwDC9FRLmchgYQBD/wLPUOWXyhPfuXkPuC4wOdH8q7uvIpDCJM1QfegvM0Vbfaa + 
BcqU8V0uC2+XirM3nLYjfgEuLtXpDnPnGx26jYXiAwO2rzurWW3Z9BJzyp+n5fBb + uoWCfTlihAznDOW5TvPTUpgosZShFKGs4Gh8Nvcm2lqx8wQfOjSYJnLdotmOYEJi + t38OTIFDobNATXvsuNHSocue5TjgCHwLvSFUPg+o0s1Xx3DSMytX83slXuYd+WRx + GbA0wQDxV03kH27AkhsvYefcsntxOW/FsZk5XzARtkCRdtBfiRb4bRRWsrrnzNBT + 6hCb8+MCmnCeFFJRkj0izsA00j0Q6tE8s+NlhpeNIB0p1bxOvjyeJyOEBwI+G/s+ + vE1mewutNnPYploy+E+zsmszSrWwGe97QL1rKmVgYMirLKtGo2CBHlRsgmpdhoNZ + ADrgwNCAUPD5K4eEi1Dl87p1LbdjCd4CY+c50NWpnJP//LAvTVjZFqkQr7xgnBqO + maPzDbHCQgjboSWHA/bBDlv0b164NsWJtpDrf+z9R92bhCvjTtQxQdcJ4ZXz8HWU + Z32ilAALR+uySN9gLoaVMMZyQ5vELWvFK66zMBpk3wLWPEus0e9zOA764+JYXbUG + 25T6DbKNNBDtnT9w2ZRrmrK/B2CsFbZDQ4R+pom8Q8IeSke90d+jDAZzHF1erdJe + AYZ0wZtqJgw+IJL4TI9QEgFBGa1z/+83ZFuztRmwQJIawEHisWt+3cj+mbZKSHRS + aRRmLWPtvK9w/RSeoI7op7s3rUdpl/FabzcIudRYqtRiP9/Syly52YkRD7503w== + =hhjd + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/hosds/nixos/x86_64-linux/eagleland/default.nix b/hosds/nixos/x86_64-linux/eagleland/default.nix new file mode 100644 index 0000000..dea0095 --- /dev/null +++ b/hosds/nixos/x86_64-linux/eagleland/default.nix 
@@ -0,0 +1,54 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ "${self}/modules/nixos/optional/nix-topology-self.nix"
+ ];
+
+ topology.self = {
+ icon = "devices.cloud-server";
+ };
+
+
+ swarselsystems = {
+ flakePath = "/root/.dotfiles";
+ info = "2vCPU, 4GB Ram";
+ isImpermanence = true;
+ isSecureBoot = false;
+ isCrypted = true;
+ isCloud = true;
+ isSwap = true;
+ swapSize = "4G";
+ rootDisk = "/dev/sda";
+ isBtrfs = true;
+ isNixos = true;
+ isLinux = true;
+ proxyHost = "twothreetunnel"; # mail shall not be proxied through twothreetunnel
+ server = {
+ wireguard.interfaces = {
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+} // lib.optionalAttrs (!minimal) {
+
+ swarselmodules.server = {
+ mailserver = true;
+ postgresql = true;
+ nginx = true;
+ wireguard = true;
+ };
+
+ swarselprofiles = {
+ server = true;
+ };
+
+ networking.nftables.firewall.zones.untrusted.interfaces = [ "wan" ];
+
+}
diff --git a/hosds/nixos/x86_64-linux/eagleland/disk-config.nix b/hosds/nixos/x86_64-linux/eagleland/disk-config.nix
new file mode 100644
index 0000000..9a98cce
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/eagleland/disk-config.nix
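Review bot: The comment on `proxyHost = "twothreetunnel";` says mail shall not be proxied through twothreetunnel, yet the same line selects twothreetunnel as the proxy host and the `wgProxy` client below connects to it, so a reader cannot tell which traffic is meant to bypass the tunnel. If the intent is that web services go through the proxy while mail is handled directly by this host, the comment should say so, for example `# web vhosts are proxied via twothreetunnel; mail is served directly from this host`. With `mailserver = true` and `wan` placed in the `untrusted` zone further down, which services are directly reachable is a security-relevant property and worth stating unambiguously.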
@@ -0,0 +1,121 @@ +{ lib, pkgs, config, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko = { + imageBuilder.extraDependencies = [ pkgs.kmod ]; + devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by 
bootstrap.sh + settings = { + allowDiscards = true; + # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} diff --git a/hosds/nixos/x86_64-linux/eagleland/hardware-configuration.nix b/hosds/nixos/x86_64-linux/eagleland/hardware-configuration.nix new file mode 100644 index 0000000..8dc40ba --- /dev/null +++ b/hosds/nixos/x86_64-linux/eagleland/hardware-configuration.nix @@ -0,0 +1,18 @@ +{ lib, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot = { + initrd = { + availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosds/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc b/hosds/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc new file mode 100644 index 0000000..ab88732 --- /dev/null +++ b/hosds/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc 
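Review bot: In both `postCreateHook` scripts of eagleland/disk-config.nix the EXIT trap runs `umount $MNTPOINT; rm -rf $MNTPOINT`, so when the unmount fails (for example a busy mount) the `rm -rf` recurses into the still-mounted top-level btrfs volume instead of an empty temp directory. A safer form is `trap 'umount "$MNTPOINT"; rmdir "$MNTPOINT"' EXIT`, registered before the `mount` line so the temp directory is also cleaned up when the mount itself fails; `rmdir` refuses to remove a non-empty directory. The same hook is repeated in hintbooth/disk-config.nix later in this commit. Separately, `passwordFile = "/tmp/disko-password"` is a fixed name in a shared directory and bootstrap.sh is not part of this hunk, so it is worth confirming that the script creates the file with mode 0600 and deletes it once formatting is done.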
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:js4R7cAoIFGCgURc2WyiqRwfqLLBKNWCEEAlsRYdUeA=,tag:NZD44GRRgt7B7U2oDBDjyg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR1ZPZFUxRTh0QjB6UDJ4\nOFd2c2lFejhHck5UdUxVbmFFbVRYNEJaSzJZCkNxbndVVThObDkxUmx2WW9ESzhh\na2o0LzFCbWdJVlRIV00rTVUwTktoek0KLS0tIC9qalVvZmpGQXZsV3RIYWRPbmRY\nam80NkRkT2l0ak8wV3pTSW9kSC9nZ3cKCH8eEMmku6WMliEDdAiW2Lk1jAGH9SoP\nWQ5Y6e90jEnp8XbGE7KYiG+jy5fHSc6Y5/YyMmi/b9bF9AhmRT6rdw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-12-25T00:58:02Z", + "mac": "ENC[AES256_GCM,data:AVZqvJDOcRyUKkxxN3QkxFDiPgB7R/yI5cSGrsgZS/T+rcyi9db9fYhS60c7egLpYmO1ieBk59wwykCAP5TdTQoPXm/+O24MCXquEYuY9CR4YjYno/dBnbCWtKvIB7vs/yIyVfKBW4VQYSbnH/LpBSB6RJ0ivLU9S8hrmrgTkDw=,iv:pSbmaXMW7hqxxTNS7n9vDlVlO7zE3rqHnDAP0XaC5xw=,tag:jH1qSjGWX8bwKSk/MFmDQw==,type:str]", + "pgp": [ + { + "created_at": "2025-11-23T15:25:41Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+OOUtfNq9RBpm1/AbgTjenkcsRwzvyxMQ+VfT7AN/OjEH\naYaVnoU+IYoUJIw8u0zfFuJGyhcU862pMN+isngqNNZiEqY8C9rP4+l82Ks4qLU2\nanUk8HPcUc7bQC19zoSpl5MIeppV4SNC5OAph+YKVcj95l6OFw1EieptfhRFtTps\nwUKMf3p9FC/ndxjDG6Rxro7RQsETJgZ3DE3tRFPsBzMiC3sf+fsOzFgVyABqYZ1k\nDr+pkdBzGB3LXOyeDJWK38DxY/NEEfDgdSGLC6ntQ8eS9fbcNajT6FUwH2uwHJ4y\niWT6Q8z+XFjh3Z458tZhcnBGv6AKGeQ/QG9z+0DALKkkmij+vJqRAGjJxur6XM3K\nf0anUMXLeCINcLEa+Wv7inYJaPXu2NSmqtd1yYYXoAbVcnmzmgW9D2in+JnG5urQ\nCq0MEALyp1axExIaD3BHrFIaK9IX2PO1E/PLDng8AtGEx5Fn//OQX0Wt/yB2eEk2\n3uubPz1a1eMfRz1pK5CFOpJoZ8bmyg5n4g/5MgVgoxzA5nhjfMYD/HD8EG3ta8PI\nrQZhtlg7C+5nEsNevD4RPmzO7z1JdqJGMIWPPUJKZ7WozA5192aAw6HVKdtI4FH7\nXv4KY+GcmUvsKhpaWidW7vsY4MWSfn4m6Ybg2vqHsCUjj5fHVHF9BeKQecIcTTyF\nAgwDC9FRLmchgYQBD/4mfMCt5Ez8WITcru+pwlMHCeSUOxfftsydqdtt/gZ2oJTH\nhMMN2A26x3LXIfZ8IA6to6ldxQLfj3gDF8H+akHbRyndrA1V0U+EhoNZ/DYECkNB\nx8xtrJwsY47siT7sWlounXqnQr5E4nfSfDOsfSv04aUyyUsMqdjFRVY1/b5BCkoJ\nOptFJJjdosfmGfsHCGYvqj0XNycVQj3ioYEwOdDMlZ8riSyRTRPL9UAfgFeQ5swG\n1I1qWaF2+8KUk01wQwmwYLKs1JUnVOl6Uy4XpHbcZcCEIW3VVnwxFVCYcHwhDXWT\n4YGeGFfosuthL4AjJ2EmNKLq+sUxmD7ANS2E561+0BDAakQ3Z0eA/wpJ6VWQtfV0\n05tw6zS3BWwTi5fiiN4JvXqnj+8aT1PBtgxrCeDCjQ36KGViLzDsZOCMNYcr1EZI\nEFMTmaUDFWtoHQKi7ZU+oiRGGfZdnbh0icCsnBecePo4//LaCvBn6lA+vFBmuHLo\nZ2Idh5JSYFoEvhdX3j+sO0dOqzQdDEDy6+Y3S3T4vuSB3w5k1B5c3EDseKfLHUY/\nhgAIxO7rtELyhlFODMmEOzLWwOfxq/5ar/izxkdQS5HPNyVXT6SKikTGmI2z8Uw3\njyCaXv7ny5IVG/kR5aTP+DIHhichcpxJk7j+wZfZV/g8O2PWQpYXfxr36gSo49Je\nARJUBGaEVAhqoNfaHCUbvHCSbbI2yKY+sliX3p7MmcMdy/cvKyowQUuw/FYtdbGD\nHwCe6GZZzHWJZkX3nju3zhOy3gBDBDB1fbF4W0VjsjOwYjy/7MNMVH0eXli20Q==\n=qkvc\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosds/nixos/x86_64-linux/eagleland/secrets/secrets.yaml b/hosds/nixos/x86_64-linux/eagleland/secrets/secrets.yaml new file mode 100644 index 0000000..b7496b0 --- /dev/null 
+++ b/hosds/nixos/x86_64-linux/eagleland/secrets/secrets.yaml 
@@ -0,0 +1,56 @@ +wireguard-private-key: ENC[AES256_GCM,data:grHYayd0/og7SZhnkemUE9NySA8M2Pev5C/GgXH/UMnRXJLDQiJameGMZuQ=,iv:FyJJeDpGu3OqV0YihVUnBNcgHVH4yFOR4KkVxM0qQzU=,tag:MTGgQ+RT5boa85gHNkWBwg==,type:str] +#ENC[AES256_GCM,data:TeJxdPs=,iv:M76JVBlBfgjjm1SuT/0tG/98FXpkIPpGng4u4F5p07I=,tag:RXAqa2R0HmEOjW0dD1treA==,type:comment] +#ENC[AES256_GCM,data:YczkPHAlYVsdVPPGyuByxK9wvRVbAuR6rR9rSFjMvMGxg0QUdIa/yo8o0ppe8I2ywwlLSROp3WLJ,iv:ltLRGMLZsOte9jQEi/VW4Diu/Od8kHPbzsmvPqVgLCE=,tag:YbtxLcYhvPZrC+QFfxtMrA==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:5U/74jeGpQH39kyjuVwLU3WBYk5MrCMZSFouRFRVbB5FhOkiJtqYBA==,iv:f1TgdiVVbAB+580AtQAe8mCXU0WuS9JX7AWukKbDYj4=,tag:Ut0tbtiNcV/NxfStyZA9XA==,type:str] +#ENC[AES256_GCM,data:dZiEtGPKsbsd9g==,iv:lNgXQHx/w7pm3EUTBwyFnqv2j0T7zQ59nFLom8F0hQ8=,tag:1cF89QMfjipYZgfl08qSOA==,type:comment] +user1-hashed-pw: ENC[AES256_GCM,data:uPyDpGOVIqE6cCyvhXIM6v8sTqEx9dV96oqMYS7fRMLiR0kYlCmgNBEeDFmTNRskqwW/WGXrOBn555ZH,iv:KbHW2mOGzOw4t9aOrKLOIobkUNLWj69dk7fFuy1x3aQ=,tag:51+qAavIiM6K256MkhBaZw==,type:str] +#ENC[AES256_GCM,data:brmNZZpgXixukd/wVGB+aedAR69Lw97B/vJIJndX6gSZXmv85ioXOE+INhdXFzCjUA2FDZlWOVmBLbtWSsgF9bqV/4WTBOwk8Cy4fInU,iv:x1aYveoBXS48OodS+4MtW74oUdCS9EFdaFZBgpmmfSU=,tag:FlGm89rFi5ZLoRq8Uxnpbg==,type:comment] +user2-hashed-pw: ENC[AES256_GCM,data:B2gK16sr8GqnngSyhG3vdGb9x8M3j0A/KDF6Vak+ZHO8hOsFAriKHnHEyvcJCE9p6oi+9cqPzcbL6VT7gYQf3KJrid+Ejzl4EQ==,iv:PVG04/i7xAokvcjcedXOEYuTwfdt0Jofev0Eit9kD+8=,tag:zCV4JPQHRArqW48lkhCzfw==,type:str] +user3-hashed-pw: ENC[AES256_GCM,data:sr7jv7PppT5Ub8VsvipXdZZWTZ31GFscmZ/CcHzYE4vsfIYYHpFElHGMjlbcTSLjyqfVOcXAKNvabcoO,iv:C22sZLrUUc3G80yyYr1snuwqtAa8USZd8FRtua5hllw=,tag:lu0hPo24CXNI2kE7C8g3Eg==,type:str] +sops: + age: + - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxWkxKRHJnTjFHcGlhN2Ev + aHphYWN6SXNNZWdNc2dBclViaUJFdW9HTUNVCnN2Q2MvMUZpMmFENlpNTVZmZFJj + 
bjFRTmtENzQ2WVpHWmc3S1BCMzZmeE0KLS0tIHRPZlNQRnZXcjMvSERuVVN5WDIr + SmZrb2xuVW5VVjM0b244U0lkVmlkVGcKin/6A8ONfW72fbQmvJWiNCzAZfGUtxCI + WV0DaPvO7sO5y7q37QxVUOxgJgF0WpKiNel4Y9E06xbl3TK6jXk2MA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-25T01:03:31Z" + mac: ENC[AES256_GCM,data:phjkITBZVZ9Mk0y1FL2dZNgrxyIPbLIXmoTYSlRdHslHg0+hBViLnXAvS0QN/HvsvAldzH8THyACQrXDZQSFBHljIy2wqZr5bu7ByIlRc8FhwNePXNOUs7HH7bQISvFuDWrXl2KQn8OirfJjpIpwQIi5d44pa4Fs1+tpWAg+OiI=,iv:k7brMvP64XV5eNYdm1OJqpjEJ3xEhhfOqErBIG7xMNs=,tag:EhXT3gZrZg2QkYzVCUQKlw==,type:str] + pgp: + - created_at: "2025-11-24T12:05:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//XLsWCm+hQ4388h7XmawVSSjBF5dRYHUpuW35fMG/+EWj + 8cGL9dXCBTwBMCV1tEPQikjdVdzFPfCdroeKozvdt9XEOv26sYxtUwihPsp3PDtZ + Mq42veeVqcd33NgfINim7DALCoF6wlh6FM8Xeg/HHcFk9T6gcnhHRWbka/nBXm5y + 3ESVCMws+nuenmNsAp7NP6+TbF5kToSHSd5sf/S+mdo3rMIWVtdwc3Ox7RGeA2Kc + 1AEGfkIZmrUtnCnhbE6Q89nNfmtdmQ6RFY0sPZem3Kksx5SfxLTP+QwsyUeNG402 + ndnjCKiWLlQGkO51wgl3oobJ4KqqC1A9wMvYCIiv163bCy+jA1fsGH/OAIa3kCTb + sauCsLeq3ilSmzmwbWKFIi3dst+YR63XSs7aSCaZ0HnI8CCPV4TMtNkgtiVCXIGv + UmF5XCx7aN3cfGTbTwBzMs741HzQHSxMgKekicJS+NJC/P0DfJu/st781rFqJ536 + FLYF9yK98kVNLrxpWlw+ayp8pP2wMmDScYjZU0Pi4Xz9y6iF0ZtJfEc/NaThKJ6l + K1xat17b7dTdn0H1Ncq2zhZ41nydk6+0K1zYMtjFplCwzGtTDAn7QIY2YEFf+zEF + A/FrEW8sjTOYbWORz3ZdH/lhd12FKEG/QFiM5UwQkINRjBO9NFLTmGXzD0C0kVOF + AgwDC9FRLmchgYQBD/9TYF9hq4JEshBgmUrv+6MnnuXJCYkDdPFrDWk14bAL+J/M + 9r3hHNK/PY9OUqgVf1HRO8d/bIvAwDJhs3rhWP/el6IM5UWfkwwwx/blhTzTlbgm + 1XjN9uPd8lAaNFDgZBKg341zxxuQa6Ikm3MCI/pyXqeOKMlxXfrkH0Lx+e4TyoBF + pDflamEOVJt15dQFOB9aiphTZMCmVQfV/eYfjqpRDR837/ptzQgasgk2KFvyxCkp + iWL/n1nN4n4lg2BYeg0EinFu9lR03VIPaWYrmYCU1XvDUbVKr3c5FbX1mcyt4PvW + oSCq7Gax/YCSQFy6Iv2QiPqhrnelYRuBMuXrnSz8TKfXJtsW8+R42vNc4o4iSYsj + ZIzBQO39YcUA01qogP0hxPSGzo1M0cWRpZaX3JbjWLwqZQoiDi9Uw482xDuxO0bx + TeFtekSCZTV7Mi1EdENb3J4UdgpEsviFLSsK0uSnCPkHu8MteS+FiztxusgHtH5f + YVhQhJ/bIp7jTheow5SZSnb+pRHbTq9GcN48k4G8l4YQZjbXRaYR0ojL//9yexCL + 
z2poLvkw0q59GgiBNudITIKSB0IJCcg3jDafMCJ8iqyBzwPzPHOL0oB+cYyMth5a + chufOtDAE3JEUJb8c3RXUnpIl2JScYV/IZNHDIUSpWOszCVDYZ9TUqM/+C8iV9Je + AeVg5jGHq5yGwhzhXgM0DJfFksCNvC6uyAJKpw8YRhNGNBt+pSvF38TMA+R1YPmd + yntweGKTK9Qjg4zpS0zwnDehJis/RSkNTkK66RsdVpcaMj47WOrvw3zGVqz1fg== + =A+L4 + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/hintbooth/default.nix b/hosds/nixos/x86_64-linux/hintbooth/default.nix new file mode 100644 index 0000000..6721ebf --- /dev/null +++ b/hosds/nixos/x86_64-linux/hintbooth/default.nix 
@@ -0,0 +1,94 @@ +{ self, config, lib, minimal, confLib, globals, ... }: +{ + + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + + "${self}/modules/nixos/optional/systemd-networkd-server-home.nix" + "${self}/modules/nixos/optional/microvm-host.nix" + ]; + + topology.self = { + interfaces = { + lan2.physicalConnections = [{ node = "summers"; interface = "lan"; }]; + lan3.physicalConnections = [{ node = "summers"; interface = "bmc"; }]; + lan4.physicalConnections = [{ node = "switch-bedroom"; interface = "eth1"; }]; + lan5.physicalConnections = [{ node = "switch-livingroom"; interface = "eth1"; }]; + }; + }; + + globals.general = { + homeProxy = config.node.name; + routerServer = config.node.name; + }; + + swarselsystems = { + info = "HUNSN RM02, 8GB RAM"; + flakePath = "/root/.dotfiles"; + isImpermanence = true; + isSecureBoot = true; + isCrypted = true; + isBtrfs = true; + isLinux = true; + isNixos = true; + rootDisk = "/dev/sda"; + swapSize = "8G"; + networkKernelModules = [ "igb" ]; + withMicroVMs = true; + localVLANs = map (name: "${name}") (builtins.attrNames globals.networks.home-lan.vlans); + initrdVLAN = "home"; + server = { + wireguard.interfaces = { + wgHome = { + isServer = true; + peers = [ + "hintbooth-adguardhome" + "hintbooth-nginx" + "summers" + "summers-ankisync" + "summers-atuin" + "summers-audio" + "summers-firefly" + "summers-forgejo" + "summers-freshrss" + "summers-homebox" + "summers-immich" + "summers-jellyfin" + "summers-kanidm" + "summers-kavita" + "summers-koillection" + "summers-matrix" + "summers-monitoring" + "summers-nextcloud" + "summers-paperless" + "summers-radicale" + "summers-storage" + "summers-transmission" + "winters" + ]; + }; + }; + }; + }; + +} // lib.optionalAttrs (!minimal) { + + swarselprofiles = { + server = true; + router = true; + }; + + swarselmodules = { + server = { + wireguard = true; + }; + }; + + guests = lib.mkIf (!minimal && config.swarselsystems.withMicroVMs) ( + { } + // confLib.mkMicrovm 
"adguardhome" { } + // confLib.mkMicrovm "nginx" { } + ); + +} diff --git a/hosds/nixos/x86_64-linux/hintbooth/disk-config.nix b/hosds/nixos/x86_64-linux/hintbooth/disk-config.nix new file mode 100644 index 0000000..a4b5089 --- /dev/null +++ b/hosds/nixos/x86_64-linux/hintbooth/disk-config.nix 
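Review bot: `localVLANs = map (name: "${name}") (builtins.attrNames globals.networks.home-lan.vlans);` maps every name to itself, because `builtins.attrNames` already returns a list of strings; `localVLANs = builtins.attrNames globals.networks.home-lan.vlans;` is equivalent and easier to read. In the same hunk `guests = lib.mkIf (!minimal && config.swarselsystems.withMicroVMs)` repeats `!minimal` inside an attribute set that is already guarded by `lib.optionalAttrs (!minimal)`, so the condition can be reduced to `config.swarselsystems.withMicroVMs`. The `wgHome` peer list also names `hintbooth-adguardhome` and `hintbooth-nginx` by hand while the guests are created by `confLib.mkMicrovm "adguardhome"` and `"nginx"`; presumably these must stay in sync, so a one-line comment such as `# guest peers must match the mkMicrovm names below` would help.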
@@ -0,0 +1,118 @@ +{ lib, config, ... }: +let + type = "btrfs"; + extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "subvol=root" + "compress=zstd" + "noatime" + ]; + }; + "/home" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/home"; + mountOptions = [ + "subvol=home" + "compress=zstd" + "noatime" + ]; + }; + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/persist"; + mountOptions = [ + "subvol=persist" + "compress=zstd" + "noatime" + ]; + }; + "/log" = lib.mkIf config.swarselsystems.isImpermanence { + mountpoint = "/var/log"; + mountOptions = [ + "subvol=log" + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; + }; + "/swap" = lib.mkIf config.swarselsystems.isSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = config.swarselsystems.swapSize; + }; + }; +in +{ + disko.devices = { + disk = { + disk0 = { + type = "disk"; + device = config.swarselsystems.rootDisk; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + root = lib.mkIf (!config.swarselsystems.isCrypted) { + size = "100%"; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + luks = lib.mkIf config.swarselsystems.isCrypted { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh + settings = { + allowDiscards = true; + # 
https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 + crypttabExtraOpts = [ + "fido2-device=auto" + "token-timeout=10" + ]; + }; + content = { + inherit type subvolumes extraArgs; + postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' + MNTPOINT=$(mktemp -d) + mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 + trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT + btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank + ''; + }; + }; + }; + }; + }; + }; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; + fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; +} diff --git a/hosds/nixos/x86_64-linux/hintbooth/guests/adguardhome/default.nix b/hosds/nixos/x86_64-linux/hintbooth/guests/adguardhome/default.nix new file mode 100644 index 0000000..eaf90f4 --- /dev/null +++ b/hosds/nixos/x86_64-linux/hintbooth/guests/adguardhome/default.nix @@ -0,0 +1,44 @@ +{ self, config, lib, minimal, ... }: +{ + imports = [ + "${self}/profiles/nixos/microvm" + "${self}/modules/nixos" + "${self}/modules/nixos/optional/microvm-guest-shares.nix" + ]; + + swarselsystems = { + isMicroVM = true; + isImpermanence = true; + proxyHost = "twothreetunnel"; + server = { + wireguard.interfaces = { + wgHome = { + isClient = true; + serverName = "hintbooth"; + }; + wgProxy = { + isClient = true; + serverName = "twothreetunnel"; + }; + }; + }; + }; + + globals.general.homeDnsServer = config.node.name; + +} // lib.optionalAttrs (!minimal) { + + microvm = { + mem = 1024 * 1; + vcpu = 1; + }; + + swarselprofiles = { + microvm = true; + }; + + swarselmodules.server = { + adguardhome = true; + }; + +} diff --git a/hosds/nixos/x86_64-linux/hintbooth/guests/nginx/default.nix b/hosds/nixos/x86_64-linux/hintbooth/guests/nginx/default.nix new file mode 100644 index 0000000..aef38bd --- /dev/null 
+++ b/hosds/nixos/x86_64-linux/hintbooth/guests/nginx/default.nix
@@ -0,0 +1,61 @@
+{ self, config, lib, minimal, globals, confLib, ... }:
+let
+ inherit (confLib.static) nginxAccessRules;
+in
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ "${self}/modules/nixos/optional/microvm-guest-shares.nix"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = config.node.name;
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ };
+ };
+ };
+
+ globals.general.homeWebProxy = config.node.name;
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 3072 * 1;
+ vcpu = 1;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ nginx = true;
+ };
+
+ services.nginx = {
+ upstreams.fritzbox = {
+ servers.${globals.networks.home-lan.hosts.fritzbox.ipv4} = { };
+ };
+ virtualHosts.${globals.services.fritzbox.domain} = {
+ useACMEHost = globals.domains.main;
+ forceSSL = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "http://fritzbox";
+ proxyWebsockets = true;
+ };
+ extraConfig = ''
+ proxy_ssl_verify off;
+ '' + nginxAccessRules;
+ };
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/hintbooth/hardware-configuration.nix b/hosds/nixos/x86_64-linux/hintbooth/hardware-configuration.nix
new file mode 100644
index 0000000..21725ec
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/hintbooth/hardware-configuration.nix
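Review bot: `proxy_ssl_verify off;` in the fritzbox vhost's `extraConfig` has no effect while `proxyPass = "http://fritzbox"` reaches the upstream over plain HTTP, and `off` is nginx's default in any case. Its only lasting effect is that certificate verification stays disabled if the upstream is later switched to `https://`. Either drop the directive or document the reason next to it, for example `# fritzbox only offers a self-signed certificate; upstream is reached over the home LAN`. As written, the router's admin interface is published under `globals.services.fritzbox.domain` and the hop from this guest to the router is unencrypted, so access control rests on `nginxAccessRules`. That value is defined outside this hunk, so it is worth confirming that it restricts the vhost to internal clients.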
@@ -0,0 +1,24 @@ +{ config, lib, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot = { + initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; + initrd.kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosds/nixos/x86_64-linux/hintbooth/secrets/adguardhome/pii.nix.enc b/hosds/nixos/x86_64-linux/hintbooth/secrets/adguardhome/pii.nix.enc new file mode 100644 index 0000000..97b9fc8 --- /dev/null +++ b/hosds/nixos/x86_64-linux/hintbooth/secrets/adguardhome/pii.nix.enc 
@@ -0,0 +1,25 @@ +{ + "data": "ENC[AES256_GCM,data:j4Vhhuinx3xb0YhEvtjK6CmGm4HDmhOZN9ftHJ6IgrINdlj8tWxyxsOfQkJoX+PmIjhloLob61MSBm2QfMGojMsvbgNrvakpPBoTd8w2H9u6IxMH0DpPCnXOq2rD6aC2Y5Xjg6AZJCXQNWMCfkhTgbZoTOen3e/1IUXtPtbURKe7vpOuyaB3d7IIO6NnMGlNpF3ZXRuxoOtu9Y9ZrMjgRH7I5vkE4KkMoFIt//Tx1rtlhu68UrFKlochelXNPxWc+NHNbi1ynibdgeuipak5GmheJ1vY7oKAMogvsZWvn5qs8Ar5juoonWWKsc++dIcFwhDHaxd/xHiak2MhKmnU+do=,iv:LLAaoxXaqVnoCprUfSNLNBU/69ZTxytVswgdz5s2swQ=,tag:B8wC/3YB04tKvBrS2AvmdQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YjFzelZTVE40L2hiZ0pP\nL1o2ZUJ3VmFnZE15alRaTHE0aEU2T2M5YjFZCk9tdUxEdStRemZTdnNodE5aUzk2\nSFlaeklZZU1NYVdTcW5VOHczWkNabDgKLS0tIFJtM0dlN2N4WnltaGVLMFg5ZEJG\nbVdMU085TnlzMmxEWkNvdUxnVUIxeU0KRW+NWgYTqxKUIrK9v3E2zYmZCnAEsUjw\n4WxVqwhGgUoHDeURiKkJNJ4kg3op6pNZg12NJ2JfAngAKfCK4xUNzw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQXc1MWpLNms2QzVzeHRo\nd2NJNVh6MWIvVkFsbEc2b2FVSkxkQjFYMURJCnJGOGZPMkt4L1ZXSW5UbGQzNFA1\nYm5uZlFXNlNjd0VSQVo3N3lFQ3BvUmcKLS0tIFlqQmpOL3VLVzZmcmxnN2RuOEd5\nZXRBN0wvbDB3a2hSdWRuN096ZExCcTQKMGRB1v9Jlilzx65/5yUgWQ+i7ubK8y3Z\n87o23XUIdXAx9oPW3j3HP1OpuYqiJc0FYX+THtmpHln/J9n9Qe18qw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-09T13:49:03Z", + "mac": "ENC[AES256_GCM,data:cJauc3/EUrx5uYx1SGLTmXdPrsnLY0SYm9vCakX9CUuBOoOp3aA5SGFtzGSjOlbPa22uo5Yt0t25setij3G4A9DjTGG/P/aQq9lLYvEeBxN0oxmBnww0YeLUoHT+04qxSH/5CShwZg26Ycep/43DMO1x3HH3fx4ijenfwmKhuAo=,iv:aZc6KMC2JaxEdKX3uOuSzJ6Bhfu0I77Yw+9t0z+ZI80=,tag:lQCZmxfq+Hp8G0JG/bjhVA==,type:str]", + "pgp": [ + { + "created_at": "2026-01-09T13:48:11Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAxNIPrwgDPEUjt+06WWjvh+NYFfxkEdVPH+8o7O1GG/xS\nH+K3iviN+IPdvXeV5zDjHfARVpnnaT0GfH1yb9+4X8731bDPhZk4iYH/RTloByoL\nx+yRhBzo6YfWvLVBHDXuV0Ux5xWFlQmhAoUrsHeBycDmNCEoQV58igBNgHxROpHA\nwwWxkuAk2A6LQRIJkCd3q0FonES7G8Oi2sslYOqlsMzzfTS3OrZfc+y6vjjQshqn\nldZLjFogOPH6YJZe9r/LTaXqoY31t4ZeGKlH5ShfKui+e7va6pZy0X63iNmhLAfw\nccxIJVQCEf7DOtFdohKVrhpLD88nj2PIv618QFLgBW72Cyw0O1RPGRCQkwk0WGqN\nlzm/2MoStUlO/0/GvWi3KN46E1E0LR6FkAOEphxH7gB+1wiJpgnDCSWtR8ow1gOG\n/SNKb6xFD2haKZVl4DyioK6yiOQ2/tHEeYrIDhVfW3+KZ57zd6R5euhaK+QxABVW\niCNDaERqMvwWuwfBUif7g3V4CU1iTkQ6DHI8LbaVH4Vs+YwqGt21kpe/dcIiqtm1\nSNACM5mJ1Q1P7r8fM4i544IxFbl+LHijJzFTjTxdgkEsovwXbOVpWqVl5oQ8xVVx\nkd1FZuQmcNvsS9y1enK5kD3DUZzygvtZwKcKRohLyQV3T+ujUFAh8hhVUwmrRKKF\nAgwDC9FRLmchgYQBD/9AhPK/E4/cmSFSnUYpyvoRqlUhGtXzZMwTzRKjf5hRHyio\npjqJEND+UTIrIMy8rExBFiE39+7crsICG+k03Fawtmmw9Q5zXmhPFW1pD6g2zQcH\nMtGmg2BJBdXXcL6wuaaDaDUWVVhYw8iN9QaC6ma0/i92ZiH7T55D3+0MQeqSrDFx\nISjtg4xU8Vx/vHXayEHSuLzaqU2/5vnx0DUalqYUTE4f9eeaD9e1qLyoDBGRld3T\nHuAXdKulwL1YSKNBe2X9Y3kHlHzK48I5NfMy8NuTkMPUQ442ZZYD7mYM7J3kyjgH\n9DTRC7P2sfacE7f3i3Tnum0kwTEs6a8aeIR/BS+EDrPouKXuHevWLzbqB/pa9cfm\nU0yvZmcXOrLVXsjOKdgHzS2I2jGnbacza/FTkkjS4amDKq5kmkqeBkSol0//oDUR\n15sa+vEWDBFTdDZPvYZAKwndNkPy4prjOsXxHSpLa0oX+vT5UWdLvYy8P6av5Hk8\nNBDePCf/WhwIr3612n7kSBzEdh7HQTtPWapq31GaH7+vgZAw9hVWrWiIBuHf3j60\nN1zHfid7wMeFHqnRvT74vpM7ekvfVf2ab0XLpQmFMvMkZSj7gZllJsiA4TiAqgvg\ntANiOnPtZDr25GDogl+3b6uBEhmTmSi40D0te84zsT18yvZXbJhr23swRlo7cNJe\nAdAi5A4/stmMaLSzFoyt/FZL7+/lwOGmGHo6TMcr2b1UkLfA/c7r9udVnOJGuDFW\nau9MXji34BkREW2gzEaJBqOJ5RkaKB3TBxbl3c6FX0DsFoEINzALM1yJ/B6NbQ==\n=NwLj\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "version": "3.11.0" + } +} diff --git a/hosds/nixos/x86_64-linux/hintbooth/secrets/adguardhome/secrets.yaml b/hosds/nixos/x86_64-linux/hintbooth/secrets/adguardhome/secrets.yaml new file mode 100644 index 0000000..ff54541 --- /dev/null 
+++ b/hosds/nixos/x86_64-linux/hintbooth/secrets/adguardhome/secrets.yaml 
@@ -0,0 +1,57 @@ +wireguard-private-key: ENC[AES256_GCM,data:5RdR6CvGBwaklSgiP0kmz/ShroIa1By7ZqgxKrnSGjHRyrzaeWGTuJmqKJM=,iv:D5UmcQkbRs8WVQUA8XpFCwLy8+O4+RoJLWOkHj0H7ss=,tag:feSuK9jW+wLeygqhKHycDw==,type:str] +sops: + age: + - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMEM4alliWlBCT3VsbVA5 + OGt5bmQvZW1TaUNkbWtFdzVGNDNpY0hBOVhzCm84TldYNHBrU01HMlBkbGNwZFAw + WVk0T3FycVRHUUNtM1pTYkQ4Qmw3RTgKLS0tIE9LUlNEVjJHOGVIK1RSMmRXUDF6 + QlRKY1hRVzNTVXhESUd3OElXL2pBZXcKDWYoOzi2b4qeIbCVCfTj0lTW+OfbnsXB + 8MugCHu7+b+ju0v/lUP66jDW9/2AH4PzHtCNHjsafyzr2qnW8HlOzA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRWJXR2tYdEd4cTZsSi9l + Tm1pSC9pek5BakpEMlkwVTcrMlBuVzlXWUVrCmlnV0xJc25nL0twK3VCZ3FRK2x2 + RW52Q1NxWUhTUGY0NnQ0WEhLMWxIcFUKLS0tIG83eVM0KzdLQ004aDRKNTYvdmVZ + d3ZOSStBMFpSU2ZjNWhFRkREQWlUdmcKggVvLy1mLYGf8084RQtlipS4+z4dfPsN + HZfid0srwYnezlQ5qOY8/HrDLWHEyuZ4xFZVi4n0k49qBpNwJdmvyQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-02T04:14:03Z" + mac: ENC[AES256_GCM,data:aA+oIq31QBla9hOpApaMeP7MFl/hI0kDjC1QyPkmexXuMB2pQJ6bBEmazreX2m2TPtHv1rtVUak7F6TbA+97IFb9EQFuAREi1Ca0xjz2eGVFQKu94qkS/FNemXTAkEZxC9LQ1TRqNXXNITehKUeIN65epuNbWqo+iOW0OHEXm/w=,iv:1NKL2PZBUDyHEIiB2ZpvTdCh9ZO+r8bPyJo+EO1PBmQ=,tag:5W9owm1Z+7O1CGVmH1afUw==,type:str] + pgp: + - created_at: "2026-01-02T21:12:51Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAmvkQ9V14f0BT/bNdFVZtTlY4yVon37CX32SZPUcHV7o8 + Dya0sZd9tuVATSv79TnybscuNx95fkoZJwujBfAadexn2zY8zl1oEWEHx7p+8/mE + W8JbQAjbcbX9sNQYXc8kYJylBThmgNN/HXK7CGtgDFr9xnGzDBnDm/M31P1HwYBm + IdIQgFGErEt1K3xvw28Lk3tPuZLK3Y+H2Yna7RRF6K1blGJUvEnL6yFdA10/eFW7 + 8066mO26F2l5xFuktK0nNeniLHKa5VVYp8iM+JMhX38l0wiIi8pGyxo3uAjNpa0w + 
IfpCneEBe/yyaUPcWMjXmUG5LJe3kWUup8cSzvu01Z3W159/QsflxIMkIsklqhim + B2zuPdAlYsjjS/05DIHInN2IIB/rjADkQvXji1XYLhWJj4jxDeck/UIc6Q22TED+ + autlbl8d/5sqyO5ghPpShF/s0vMTqUfpXZrDrbuyDFqCfwi0ahP03bUsv20ZEz6u + zG3K5HuXHh7ATSppwuMbcv7vcjF1tkbo6XhWZDv0rY0DFWqiYhnxWwlFlGLxf4zX + g6r7Ca/E/YXG/eOET6M9DxwHjj0D7u/ryAkCktqPL9w8oNGarZQ/xMx0+ocI3byc + Zvzlmd63BtgaGNSxH3stK29KN3ED8cDkG/JzAxCATWiUBBkqW/ga4sGZqtLlSO+F + AgwDC9FRLmchgYQBD/9JbFZie25PO2CyELlUWm5SmJcugT9SK/mIA2fe1PlA+Gnf + 5z9iXraMSQchz4R1IoiixDhubwKeKp/auqhlOPvo58Lsi6iDR/WaLWabD+hcyAb1 + ck/f/PUzTLhlLcfu18VPfXVzfnky3dX8P5aS0WMLAQblj2RaaiHxnPqf49kXSn3q + VSJ0pr0nEsPuWtoCkHUAwAJ8X5GPXN2OD4YbHsNaA9h2vrJAxNd5+HNsvg8JtI88 + X/uMM7cWcaXcmNZOz166HUIPcJ5cabJ48Sv8sDfMPOcTiJkMiESBnRYTwdUcp08m + nGipSrUeW3pVOC1bGyukZb6sF84pTtCpqS+kOSfKFlxFFdAEcpzFIPuOMeo2dbKj + GSGPDemZFC2yFq883yk9/mZbgjOUsqrj0ZP3rCD5ZHpfUM5IxGQ+mKaOucTXYmif + lrTPMYnAc7pHxKZ87BgiKBYrfRAZvorLYKv8zG8YagAUw8iCtc68YUUdvLW9haQf + rwWCU1z+sszYSac7I57gfqICQhMUbs1n9S2Cn0C0xo4q2Lu36ysip4rEVGg6TmUu + znXYu+3orodw2TwC0tGxXHYKwmlr7EGnBCbdVKpDoCbV6cYkDYoPUFg0alqIPd5r + KCkee9MaCLLX7IdBrbLf1lkHGwSAs81GfZRMLBauM7/hn+hMUeIJnMbtJnVIB9Je + AdT2nSH06+POnjvxa2t0dUasnG/6ISBRSk6FgBBZ+pdVlrvaB4javgWGpiAWCUu6 + b2CMZF3HullmLj+wwAKlsZsIOXGICN5GeQxLHYF8Kx7Doj68Owu/zGM5MS+7XQ== + =wYdb + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/hintbooth/secrets/nginx/secrets.yaml b/hosds/nixos/x86_64-linux/hintbooth/secrets/nginx/secrets.yaml new file mode 100644 index 0000000..7470995 --- /dev/null +++ b/hosds/nixos/x86_64-linux/hintbooth/secrets/nginx/secrets.yaml 
@@ -0,0 +1,57 @@ +wireguard-private-key: ENC[AES256_GCM,data:3T0ZoPAs/OIkhdZlH171d9d2Ycxtp4WfI92pTBI3vRw7BVvEgQZKu5DCvbA=,iv:gsczaGwcI3JocOazMIEsgHFruEKDPxOTUQzx+rdCaio=,tag:/Sw7QsZ4fV+BMWdfcUevBA==,type:str] +sops: + age: + - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySStkZDlPL3JYTFlYVXVD + VGx0U2xxeDNXcTdwaFZsRWZoblk5eEttZWtNCmJQa3NvUHNwYmFZUG8wMlNxWE8z + bkcvNTNhWnozV2Y4Wk1lZmhmMDdEZm8KLS0tIHBkalp0M0NuU3JQQ1FMRmJNQlJX + Zlo4akUyVW0yM3FLNG9jQnBHY1BQN2cK48vxR3pPY3LJlTIEx+dy3ZZRfwFyvQGe + EuUI7TuLa0ib8JnO287Ay4gp3GH38jtkGcux4yP5Q8eY/M9GNlEK8A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHTmFTbmNBWldmY2FGSThG + K1E5b1RTZE5NTll6WkZvbDhxaUk4d2N5bjNBCm04YkxSTE1FdFNFMGNFREtRbFVE + MHFuT1VONzUxcVdoK2kvUFRkc2xXbFkKLS0tIERlWE95MXVnVWk2Tk0xdG1EZUIy + cEdOaXNUQmt3KzUvZmRJWkpTdVpHdW8Kv64ZWzQbpmINagumpuHXscRf9stxO4Of + DSkGxFyLgq7yDg1iaiWy/mwxQZVw5i4ieR2+VDgi6Web2y6t81jayw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-03T05:23:18Z" + mac: ENC[AES256_GCM,data:u9N7GzLPDW7cHT4mkUAC9Diq1RdV5iSwcz/fqzXQKRmic09eVydAgyk2g6NbJ+4tBbAjIfeUch8Bhf5eG0sGzeDkb1qWAMEnP8EPmQ64OdRyN2SxJgxkc8KFGxkrGz9slS2ozWth6q/tKBSsOYbo8WDlCqXhmYp+zBxvYFR30Mg=,iv:HC1e2i0E7dV9/au+A0kHd+UXDhw3xf7RbTpwJI+hjpY=,tag:dPCDh9qalNtbHIhs//cBpg==,type:str] + pgp: + - created_at: "2026-01-04T23:02:15Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/+OHyevGNQqVV8RMOgLxV7CSBCdzCgRiEyDt8/A2twNG1x + 8lM5boYrVJowPbqd1EV2hfZ8gl3vvWhGMQdR96J+Mt1PWG/lok/Opf8Sdjl5hzpq + 5AjNWz8p0NQ0e2UAGDuRXy+tjeMWKox86KVhxA/L3Td4S+jV5W+3zRSkRB7g1eIH + NJiyFe+jl29mSSABKk5TclzoB/GoojAkO+8iXsjMZYd3upHyQdriipQKkJJGEaxH + 8fWBYcFB3H+3nMmwi6bz8xhUpOCpKzRbvwmqWYcendqINvDU/sQxQmxcqgMiluzQ + 
ocHNba+K//ptmtJHeL/8o69ljqk49A9mZ3ukRZZ9htWewv5n5T71majA/lJseGv7 + tsAuKYTHlSkhOVzXuBnIaGrBgF3mB0ag+9/VIlBXCZpEMdjp3C9GJBUQuxoRSwbX + 3oREyM97O/rtOo9JaqzqX63S59aHPwt83WH6dp2n2hcXF0tpYff3Esw9Vg3Uq+Fp + GCSjb4jFQTu25ZbpiiUaaFib+03Y6gGrnzU7W6460cxd4iZNEPGqE1refsQGYUPC + 6L7R/mkT0SBtC/8lyOvuIpzYHiAkCqdLbrVTmBHUG+a4fIP16IilIFBh8haVKqY0 + pgBDyLZDVwLzslp3AK+7pusU8STqCazFISe5GPQswwjwo+J3URmQKbCNHXVRyb2F + AgwDC9FRLmchgYQBD/94rHN8+Rqod5qxDxa0JR2ZYKSUBdzkkEqYnjp0efn/dY8x + m0WUQZEy+L4ZeAmFFL/mQ/Mxk7EW2Vghwy8j8tGTogJtVS7e0GYirKAHr6fgxxpa + 5BoaUSK75xybQTzWe/CETfpRlDEFmYt/hwMldfCHXwnqZxXNVHj1MN2kVNFbPfwo + Ml8RYG8ZllyOVAVgXGsV6kiJp7jKblpuKCDQPkdbE1hFBed0SKW7olUtuBE4ho7Y + J1g1gXOAqAWud+crA21bA7Uow7ZYaC0/WzTY2PrgAuS6kpVx52uUj0xqMfK+/Cco + r+KFHleJL4b8pIsImsExJv6rDKFohC7E5n5XxLLorTXB6YYie8FkpvmbWK03j+hj + Q7xwFLKWYLlPGtdhe+YpL9yiwHWaQbGUjarVH0UAZgSwJCt1cZoiL6++dp1USb3N + aV9HS0Milhbseas9YjiSoVvBXrDYEnjShJ7uWOu3Rbh4hx7jvJijLPrPcd7cym+A + tjaxFFeD0mTEj1JcjVMk3fEN0wj++oY/l+piVvYvZWvMscq83Sb6CxxDprVw8xt0 + sECqmgT0yVZrbDNpANwyWMXaHs5SZm5LaW7uDIcr0egkVA6Abn6twaR12660ptjm + mcv5K+ubzRomwxgzr/5NcwSg/k8qZ3WMfV/yuNsKIkHK2UI0y49SuBuCGGa1wtJe + AenE+Zn4xyF6cpEFXNKNXFDCy2fgHQrdiQ7XawrFAPJupn1JbGXg1gBN7yQI4YW+ + BuVCb07GtuU/faiT7cIxUQ1nhc1alSE/edfqAPAPqxA/MXhoC7xT9vFmvUPAuw== + =moK4 + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc b/hosds/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc new file mode 100644 index 0000000..f17c97b --- /dev/null +++ b/hosds/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:jaTRcoqOd3SNxwmzAcsqWyuvhYO0YipQPH2K2SM5OxhWWlUHTWQXqXmuAy0+efNnZlC8xqUWIoU//XXzUq/b7Lhi9bv9WyP7aHLOQNLFZ50Rt3b7yidFA/mxcRo2ZuGUR9mGoP8e1VtiQVVuzZQbJWqTCKtxb8s1f35aZx6NjaqeBFogfhHPwsVPL0lWdaxW2aYj/iwWb65xaxhcXa5mWpYgzfvuTXCkABFhrPxYG+NZpCyG7lt8MWpJ3yYWE0OEr/1Fe0TNfBjp7cih1wvMGIBj9uZRoJWkVwn6T+nldf52WpHCRZCdLhsjXCzM5T0g6Jj1HHatiISYZY3KLVAYKj63nSS3GkHk+BfoiAnJROcE2Aak0w7Op2csbNrNz807kU0x1A3ccbc50PKOGPFAh3JaJJUc0K+pGaIZ+FJhpIT8UyfQ7/YA7CDIvQObI9X7idsWPeuU3YN8VifgsGPznLWHyIgaUW7QmUtH1+KJdO0lo68C13FFnzEoMUroxMoUdS9Bvo1ncC9cITOr3Iuvb9nWQyg+wemyTJ5AOIx7dBh81PxMBYJ3JOTmxiO8LZapyqSbNhcbpo/3Q3s8J2DhIzgR2Ty7EI2tFxoGbzvpzBpWf/c7/rWWO67YDCfmB618w31Phes0/TTK2gxjviH917Q=,iv:M+S2woApVJAglQmvr0X1ZNvezNNl/nvxKjADWWXLiGY=,tag:CT4zP0qyJtbWCBJqqS7F5w==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXc3VHa0p2MVdIdHRrbEVi\ndUwxMXA3cFpDODA0Z0MyUC9aemF4U2RXeUhrCmZjSDBLZ0twRk5rZG16blorQVVZ\nRE5SNE51bGlhYTVqcThFUVIvTWxwOW8KLS0tIEVHZ3Z6VVZHK2FUQWZQNVlOTkpL\nYUpNUSsyQllQL0lUa0FaODZiSjBDSk0KSJHdYoiOuma7YFjLpssAgw8BfBo5tl+o\nRvNt9rsXUlXEwMlcmYpkgUlsSAJnus+uE9AdBSvTyFRb9Wo696YFRg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-12-23T09:27:50Z", + "mac": "ENC[AES256_GCM,data:fuYSElvGFbFIdkQaTwNuXqaXxMuOmpT8moN9m/Yl+6u3e0sU9AMJLK95Azl0xffjScc79PAPXitILrK7gUwUdo4PvTpQo14IoSCzIQ4lcJFlrWXgn9dPFrc97iooMtBMk4hWmTzYL1mHkT/ab7NP3aE7j81N4HJcYwZqzVkdXaI=,iv:hpkTsdwJ+N/NVHEM5LdXC1iwZXT77OwZ+fM9mu3l3Bc=,tag:dxv4T9x9q8g8m5Imcurnag==,type:str]", + "pgp": [ + { + "created_at": "2025-12-15T22:09:23Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAqmY5oZvXtdqhGl8COqgT8PIzArT5A8HbFwrG8Sz269wi\n7naQrwQnn3jugsUsaCQUHNBICe0xR0RO49e7YnuRN4WWaC7gdn4K9PDmTc5HLJQy\nzlVhvmrZhTHI94C1mLF0032idDgw+bvAb8a05pEuG6czghz1a7e+EMkskScRTlaI\nWKVhZ13vuXfo7dv4zL2SmP2crdrCk1gMJg3UYBBhcz3ql7qDVqV2B8MLgPtsTQIV\nDSktLAuuQTPwGke0wb7ajbea88CkGGTdDSB0NdXG6O/cskSULRxw6TtmCgL42Vqp\nnBbKfnK28y5ZXl9vLPZsLDM+T/E0qdR1nYloxL0kV0D/ESwX4dSyyRYglt9yZmAS\n2N4+7rpL0UwcmiWi/iQbOzZARVEREUlnTnX/5URFks4sQayL5Mk8gHMt/aCBvlPJ\nLWdp6owZVf8XM9e72TXOu+1NvXz0UxIC/sYObMReRQmkNf05r1nt8J71TOmtyEv7\noIURLjgeShNK7PbUoIIDe23xWiNuyEATXmw/MARbc/HSu3bHlUZO+Lx7LrQaQ8aI\n8yZC00WZDgsuOKIyPMNMWhvQOjP5bdLSdbLdtAqz2+d0hUw0PlIHXk4dOqOrkiai\nGjjgGG4OKrenkMDEPFKPW9zKvZbklglGI8mjZTFYwXIi7oILqI4AXcuHXHrFZSeF\nAgwDC9FRLmchgYQBD/wISMziWFXVsP3SRpgOO7WZY9extkRQZJd8veeHzhKPShfR\niIdON6j0SvGaKLb2zhyIIsxvb0HVrExysLyqLWyUvDMobS935jCNmHb5yo+FKMNz\nrZCxzt6vurRR9Cd3K9Z0RJkPrBQ/FyJQHQR2WMTlqXg/kXobR8ob3ix9pSh3/9L3\n3HVBvrOA8eXbajwGg/8FYmimO8zuckO5BYHdVTsHb4MpdcEINpxhBgO/STyUoKfC\nAg+IW1wW0YxQl1rlmuMkcYRFAOUE1zTrxSsA4UuhdyQ8UYF5LozM6qzNFXZYbH/W\nelKZUIUe96Ap+fXwsu4hgYoVUMzVyTO0C3ZqSqzrZmFHC5CR1EcnRowU1IAUNsGT\nmpUD4SKu9aqenr1kTxsDi0kd6i5XXHEXSQdKRgZd25ov/Q++MlDrkEp+/qK4S1wl\nZvXprBBx0aHhnIMtSV2hLgh1CVaMnaWQYn0rSjR7P4p0dd5pSfR8j4aJfn+ErN2q\nRlOpy9/r2n3yLs3lQ+GML3f2KMAlVaxY0UEu2muZQI5cjKvs/MjGVmcDeo8B50oo\nlF6SBdIMssR57D2J99aivmS3VDvyTg5ha9pvpQRDWA+LQYcDvkvRITVF4kOMeQ3t\noUF1C0ndRcr9k9fRJ95QicjpVHBj9soceYd3OgtgZJ+AX/0B3gkmejYyF/jAwdJc\nAWgbKZlvBzB2Hx+c0U30K91HjI+tpVH1ivEAAh+ogbLH3Ox2doUVis7syE4AMfoe\nCCC2K+2ODEYHdJxo4g5DtcTpZL3Xla0sdlSxn8OeIuJkuvMl3oxRI0Jr4rw=\n=2r0D\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosds/nixos/x86_64-linux/hintbooth/secrets/secrets.yaml b/hosds/nixos/x86_64-linux/hintbooth/secrets/secrets.yaml new file mode 100644 index 0000000..13001f3 --- /dev/null 
+++ b/hosds/nixos/x86_64-linux/hintbooth/secrets/secrets.yaml 
@@ -0,0 +1,53 @@ +wireguard-private-key: ENC[AES256_GCM,data:DBCK92h8mGxDshB5OIEbyUENc6a4jmvzKPvljUn50AM1I5vBm/bSTDRStIM=,iv:K/OiPnAlXNt3RqBiBiiZqIY8vqsIw0kmKE+aeeVhr+Q=,tag:eloCJ7yjI2tpHMxwNxZDDw==,type:str] +#ENC[AES256_GCM,data:3lP1BqtvBwyeOvq4K5HTaQ==,iv:j1xenUUIkyJDaeLlX7LGhjFdhNlfTXF6r6v2+XbJlOU=,tag:TsGKu6VfF6D8I2p4kb63/A==,type:comment] +#ENC[AES256_GCM,data:LItVBIEQVz0x8ZARRlMVRPa0vdEe1Kv0CZaEnauUWw3P+NZv6WZkXw0SjuW+k9oqlDOTPR6gQ0Aa4GoX51NRFFmtlCVU0YL/RmdfrC6nkSea2S5btXCG4pptSusmQx42Rn+RfttcLDIXBAOIDSA/kKiBYvDhsZe0XOHAzj7jTAshSeGlccEOUIs8SctS8b13OAiSs4ceuMRPz6J45f6RVKG6COgiUEav5U6RFa1ZOLv8A/EFsqOsEZ45aYqngLM0/7gZ5Wqwpft8a+7dLRmakUjTOxH+wtVn6CV7wItUJAoz6BjLR/jtDr9EUm/QesZSHhuxs3eu0iXPXzaQgUt5Qz2knxSvzsEKYUx5bPsNBSb4uWgG3b/vKzPUKKYP5CrOwvPxsqI=,iv:z1YrJmuMaiiQpAc8ajoa7A1GH5Z2D2holm3lBCiBqOU=,tag:ghl+1BN9Tyxpwr9KXre5jw==,type:comment] +#ENC[AES256_GCM,data:NmWQFYRt2QvzZSXUhOCBWtvjpCPo9bOlxEXjVJUVbV8JibPtiP+EJ7oOYEi0thi2SGVeqqbRyQTT9K/4KwmfB+TT34EPMfSxJJ/p6JbxtbVr7zcgcbD6yWdBmaxB8V0iMXK6m3SuhTKHQjUin8gkYkHeaCo60wWCv7qoUTWePP5LwS09o1to2ckSmiszm6kg0TF5TJpCcyMWzjfmE7r1Rd48A1Z6Gf/B8sbERe42K4FSF+NjKTJEMZNngvUyKuLKhwhqhh09pbt8/lSL+MjzwPvTlriDOb54ZmN14dRFDFfdmpdJKAPT48Vbl9mXRJZHzpaP5qOFOwq+Z3977pMRuOen/BaEZZOf/Yucp9lnzNSdUb3hx26Fn7rA4/AszyZpbFB8RAnw,iv:oIK0td0LJf1+6K5wlD6KkdP0HxB2bTTQ7tIfd560oOE=,tag:WuBa7peCY19021YyQparcg==,type:comment] +#ENC[AES256_GCM,data:R05LNs2Ga+spsXQbD60xSrIlCPERGPF3jjP8oNRPL+7RqJNqKAcS6/7tQrqO66Bqsj7ywuxADxie7OzkJhUYpl8grEHhO2Hsw2QA4vTHYdKtjpNxity3qG3KTUrTYsRmhGoiTeDxX+/BMOi3p2nmNZM/1TJ6o6CVO2rD2zz3dQJyKPS/6gbOyN44HTbJA0s00p/3lHvULoP/VIw53ehko+T3N4LUgpvrVQZ2LDodOtqnQUFKiJPUrZddAka5Wo0KRFNDsCz7Z5FgaWjqMeC0oZxidISbTAK207km/QyexhTGtOhu9vANvzej65fkOlhuQbUur3ZxcLdiLA6TStWJyonrH7EQnabNzzv1kSTXiNYG6TPdVb2CMj7P0SHThG9d0WvArh+n,iv:oBH5R5k2vgaBzwTVeUnjSScJC/E0yh3f9317sCAk1/U=,tag:TKwU80zceuH/Tsw8v9fq0w==,type:comment] +firezone-gateway-token: 
ENC[AES256_GCM,data:qucZ0VF/vR8Y7NNbXP15SZd95Vr3oYKx07JMtdfO9/bBWFEFTeC+0mFmTaNpedj+lWhgqJhtlIr/0S3drJ350iRsXWuRSis9Eiz8zz2OaqO88NOA8HP3h1UgSVG63pOkhmTpnXOezV/rK107ow0QfvlS+XLZYVni+xRZ6mDkle9q5tbmwDLQtuVZ5+BMHjLGpYezMtOUPZDeRw2+ywhYqbgHQ+n224Je144rGJYnn21mKxBRVD33Ei/ganmvh8IbRuwuB5kXlnc5Q21qBp9r81yReL+4Q0tdHNfmkyuS9LLuguaTTQlUTuwzrBCdIw7xM+9UDdsYXbdzhGPgIR3+dVjde+7k4nOZ71f7trw=,iv:wYD6ih5x4i+Z5Nj1zkQ1az0ie7qGyswpa+nuoiDbyPQ=,tag:AG9nOIuR8B7+eLr1XZOwQA==,type:str] +sops: + age: + - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwTzZxNUdxbWUzbkp5eDE4 + a3NGaWwrRXZxaXRvTmJjQUZHZU5wY3FpTTNrCmNxN21hU0dBd2piZUNCNndNaUNo + K252RGYyWVpXanZiVGMveXRnc0ViOFEKLS0tIFQ1T0dXUjlYdUNOcXJYZzA2YmtN + YWlkK0xrclpXYTkxUXFiNGMxU1NnMGcKCZzLfTPjeeGxyD43dOGDYsQVsw24cyHI + jz0B9VV07p33OP448eLyLgwpVFaNG0q+hXPH+0fb3V3foBT2QSeuPA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-02-02T14:09:53Z" + mac: ENC[AES256_GCM,data:YnFSQiC/gucCsfrVgcle1d9WOkDDsXZdhDem+yBWOlTxE5S0I3iFrzz+xj6aMqPH0IeEZsw+aSfL7BnCHoamJbLk5xlZ2U6UH/DdM50lBFafNF7dd25J1ndFSCB7Py4FogNLARKf2a1HiV2W7A1Ph0n3xj1fYqu7K92u2aSLTOY=,iv:yhrNVMt/HfT00bWYIsUEckvwngzglbYnbfiXasQzEOA=,tag:NwRio/QrFk/XPvF3WZDbuQ==,type:str] + pgp: + - created_at: "2025-12-22T08:56:58Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/9E8KBoKOUyeIflZzmSriaoQ2/I0EnqKd9cLLFyqFFd4Gp + ZyOfaTqQE9/NWOG3KkG3iuHyCEdHjP14QolJDPPfuqjVnIkc0hKJ/TqwWb5OXurZ + hbkFZEYtuGWXGNugL0T/BnSUqXhd5sFBJueZD0LU7xBsmaDqMFlY//iheNEgq0RA + a3HeQL9gH4d1eUPje9XfcJ+onj9yYgejQ905ZIOAyrYTLVjnSc9HKJ3kz+rpin1J + 2JHULBZEzigNiFXE2XmAatIM6PNBVJ21VL7CEPTt/qauRVHLsrz4PKcR/VMTzwJ/ + A0hdMrYbYRKOL0rHDYyjpoeuKsUDNV0Gi//WQDXN9DGMREG5P4PH7+yPBcc+vgLK + E7B6RJcUFyuRh/n/KPGzKk1KX3KOQMjIKUaUGy7Ru91K8rG+/EH1ker6csDpe2aY + bYjtPnjiIvd/dR++JLALQJfCuFC6pUhGAC71Bchr4U2Rg+s9pRZBOYco7pJMJubd + rkt61MYFNpcZkyQ9mYAVCd13JcmoTsAtwmUkdU098tfCVA8sMRgFF1f2DK8iyRrq + 
jfh6pX1/UqFtOug8hElBJHMQkl9eAKla6COQeGtZC3LkxkKhkNLTcMLf4I5Tzf8o + ftxFw1eW4174Psg9vo+/T1zcOYQTVIUfnlPuK/oiCJIAWZ2U92HnCa9pwQe8nkSF + AgwDC9FRLmchgYQBD/4lFaFk9tlyBnTWY5yWJmpcV1gPSwLyeMnax/89/Nnixu1/ + 205CvMGEReFEQ4CDTp+WXwp7DA3PKqhg/hEq/x9cmH0kAkQg1n9QoJcd2UzDadfp + 89ABsW5fBZJSLdHn3P06VIihe516GnsDA/KL88PdkYXpElgfqWXC8g2URKW6QeO5 + j/XzOXDiMdO2+K37NcbwSQsMd0pc2BAJ4mmjvjm0aZe6ddF1917WYFkOZi09clNh + iYW8Vk4hmOkGqEO3zNjQkzZ6Ra9Cm4qr1BG7k+n4sxuwoae2T14/DlCSYh/llSTw + N25tWEeXeaAtQgVwoWYLrmSdCKYtxyACPrt6uEYaGE7wbXgBgCX91HuznlHiUvnG + uagiFMxr0x4G2Q+C8OuptKBneBcR6a21q3HaGdl/99F3fM7C2bvzv2y+ZScBP6fH + LvZjF/r3qrLONCqtaQ4Kw9LPzow8wMkCkshC7K0KNRq10ww7s9kbY8io4+QVLv3p + ZHbN+U+9BheVOAF8uX8V+OQfeFdp0VTbPZa7v1mLdbjshPNi7SEhlCjrtB8yqRtd + cl2tinqfWAosYt0xdUmH9uoY7bz9+BKIZ6FVl1huP2DEa5JAjnVItyLG+n2GpIqN + 1SBaC/OCbJFawPmZgaWou+kxpLr7hu6kmPdCcdtHa4TYuanLkOTk0r0mztzhjNJe + Af5UVQLJJ7tduvLAB+vh/z91qgv0ftVDq4Kkr7Ma37OYAx4VzuHwEXNLKu2C6CwE + M7sp4ZglesyABMbOEhwxqg/kCYGS76kThwkrJfrgf82FgnMdUyYCMhhgy6iFow== + =izPI + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/hotel/default.nix b/hosds/nixos/x86_64-linux/hotel/default.nix new file mode 100644 index 0000000..02b9c48 --- /dev/null +++ b/hosds/nixos/x86_64-linux/hotel/default.nix 
@@ -0,0 +1,62 @@
+{ self, config, pkgs, lib, minimal, ... }:
+let
+ mainUser = "demo";
+in
+{
+
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+ {
+ _module.args.diskDevice = config.swarselsystems.rootDisk;
+ }
+ ];
+
+ environment.variables = {
+ WLR_RENDERER_ALLOW_SOFTWARE = 1;
+ };
+
+ topology.self.interfaces."demo host" = { };
+
+ services.qemuGuest.enable = true;
+
+ boot = {
+ loader.systemd-boot.enable = lib.mkForce true;
+ loader.efi.canTouchEfiVariables = true;
+ kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+ };
+
+ networking = {
+ hostName = "hotel";
+ firewall.enable = true;
+ };
+
+ swarselmodules = {
+ server = {
+ network = lib.mkForce false;
+ diskEncryption = lib.mkForce false;
+ };
+ };
+
+ swarselsystems = {
+ info = "~SwarselSystems~ demo host";
+ wallpaper = self + /files/wallpaper/landscape/lenovowp.png;
+ isImpermanence = true;
+ isCrypted = true;
+ isSecureBoot = false;
+ isSwap = true;
+ swapSize = "4G";
+ rootDisk = "/dev/vda";
+ isBtrfs = false;
+ inherit mainUser;
+ isLinux = true;
+ isPublic = true;
+ isNixos = true;
+ };
+
+} // lib.optionalAttrs (!minimal) {
+ swarselprofiles = {
+ hotel = true;
+ minimal = true;
+ };
+}
diff --git a/hosds/nixos/x86_64-linux/hotel/disk-config.nix b/hosds/nixos/x86_64-linux/hotel/disk-config.nix
new file mode 100644
index 0000000..5131677
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/hotel/disk-config.nix
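Review bot: In hosds/nixos/x86_64-linux/hotel/default.nix, `isBtrfs = false;` does not match the disk layout this commit adds for the same host: hotel/disk-config.nix hard-codes `type = "btrfs"` and, under `isImpermanence`, takes a `root-blank` btrfs snapshot. What `isBtrfs` gates is not visible in this diff, so this may be deliberate. If it drives the impermanence rollback or any btrfs-specific service, though, the demo host would skip it without an error. I would set `isBtrfs = true;` or add a one-line comment next to it saying why a btrfs-formatted host opts out.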
@@ -0,0 +1,128 @@
+# NOTE: ... is needed because dikso passes diskoFile
+{ lib
+, pkgs
+, config
+, diskDevice ? config.swarselsystem.rootDisk
+, ...
+}:
+let
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/home" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/home";
+ mountOptions = [
+ "subvol=home"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/persist";
+ mountOptions = [
+ "subvol=persist"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/log" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "subvol=log"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "subvol=nix"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = lib.mkIf config.swarselsystems.isSwap {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = config.swarselsystems.swapSize;
+ };
+ };
+in
+{
+ disko.devices = {
+ disk = {
+ disk0 = {
+ type = "disk";
+ device = diskDevice;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ root = lib.mkIf (!config.swarselsystems.isCrypted) {
+ size = "100%";
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ luks = lib.mkIf config.swarselsystems.isCrypted {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
+ settings = {
+ allowDiscards = true;
+ # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
+ crypttabExtraOpts = [
+ "fido2-device=auto"
+ "token-timeout=10"
+ ];
+ };
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+ fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+
+ environment.systemPackages = [
+ pkgs.yubikey-manager
+ ];
+}
diff --git a/hosds/nixos/x86_64-linux/hotel/hardware-configuration.nix b/hosds/nixos/x86_64-linux/hotel/hardware-configuration.nix
new file mode 100644
index 0000000..a6aefd7
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/hotel/hardware-configuration.nix
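Review bot: In hotel/disk-config.nix both `postCreateHook` scripts install `trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT`, so if the `umount` fails (for example because the mount is busy) the `rm -rf` recurses into the still-mounted top-level btrfs volume and deletes the subvolumes that were just created. Chain the cleanup, use `rmdir` (which only removes an empty directory) and quote the variable: `trap 'umount "$MNTPOINT" && rmdir "$MNTPOINT"' EXIT`; the `btrfs subvolume snapshot -r` line should quote its paths as well. The same two hooks appear in summers/disk-config.nix later in this commit. Separately, the default `diskDevice ? config.swarselsystem.rootDisk` is missing the `s` that every other reference (`config.swarselsystems.*`) has, so an evaluation that falls back to the default would fail on a missing attribute.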
@@ -0,0 +1,29 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ lib, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot = { + initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + initrd.kernelModules = [ ]; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosds/nixos/x86_64-linux/hotel/options-home.nix b/hosds/nixos/x86_64-linux/hotel/options-home.nix new file mode 100644 index 0000000..4fdd76d --- /dev/null +++ b/hosds/nixos/x86_64-linux/hotel/options-home.nix @@ -0,0 +1,2 @@ +_: +{ } diff --git a/hosds/nixos/x86_64-linux/hotel/options.nix b/hosds/nixos/x86_64-linux/hotel/options.nix new file mode 100644 index 0000000..4fdd76d --- /dev/null +++ b/hosds/nixos/x86_64-linux/hotel/options.nix @@ -0,0 +1,2 @@ +_: +{ } diff --git a/hosds/nixos/x86_64-linux/pyramid/default.nix b/hosds/nixos/x86_64-linux/pyramid/default.nix new file mode 100644 index 0000000..d0a9059 --- /dev/null +++ b/hosds/nixos/x86_64-linux/pyramid/default.nix 
@@ -0,0 +1,21 @@
+{ self, inputs, ... }:
+{
+
+ imports = [
+ inputs.nixos-hardware.nixosModules.framework-16-7040-amd
+
+ ./disk-config.nix
+ ./hardware-configuration.nix
+
+ # "${self}/modules-clone/nixos/optional/amdcpu.nix"
+ # "${self}/modules-clone/nixos/optional/amdgpu.nix"
+ # "${self}/modules-clone/nixos/optional/framework.nix"
+ # "${self}/modules-clone/nixos/optional/gaming.nix"
+ "${self}/modules-clone/nixos/optional/hibernation.nix"
+ # "${self}/modules-clone/nixos/optional/nswitch-rcm.nix"
+ # "${self}/modules-clone/nixos/optional/virtualbox.nix"
+ # "${self}/modules/nixos/optional/work.nix"
+ # "${self}/modules/nixos/optional/niri.nix"
+ # "${self}/modules/nixos/optional/noctalia.nix"
+ ];
+}
diff --git a/hosds/nixos/x86_64-linux/pyramid/disk-config.nix b/hosds/nixos/x86_64-linux/pyramid/disk-config.nix
new file mode 100644
index 0000000..a3e2361
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/pyramid/disk-config.nix
@@ -0,0 +1,81 @@
+{
+ disko.devices = {
+ disk = {
+ nvme0n1 = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ label = "boot";
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ luks = {
+ size = "100%";
+ label = "luks";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ extraOpenArgs = [
+ "--allow-discards"
+ "--perf-no_read_workqueue"
+ "--perf-no_write_workqueue"
+ ];
+ # https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
+ settings = { crypttabExtraOpts = [ "fido2-device=auto" "token-timeout=10" ]; };
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [ "subvol=root" "compress=zstd" "noatime" ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [ "subvol=home" "compress=zstd" "noatime" ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "subvol=nix" "compress=zstd" "noatime" ];
+ };
+ "/persist" = {
+ mountpoint = "/persist";
+ mountOptions = [ "subvol=persist" "compress=zstd" "noatime" ];
+ };
+ "/log" = {
+ mountpoint = "/var/log";
+ mountOptions = [ "subvol=log" "compress=zstd" "noatime" ];
+ };
+ "/swap" = {
+ mountpoint = "/swap";
+ swap.swapfile.size = "64G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems = {
+ "/persist".neededForBoot = true;
+ "/home".neededForBoot = true;
+ "/".neededForBoot = true; # this is ok because this is not a impermanence host
+ "/var/log".neededForBoot = true;
+ };
+}
diff --git a/hosds/nixos/x86_64-linux/pyramid/hardware-configuration.nix b/hosds/nixos/x86_64-linux/pyramid/hardware-configuration.nix
new file mode 100644
index 0000000..8d1ed05
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/pyramid/hardware-configuration.nix
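Review bot: In pyramid/disk-config.nix, `"--allow-discards"` in `extraOpenArgs` has no comment although it is the one setting in this layout with a confidentiality cost: passing TRIM through dm-crypt lets anyone who can read the raw device see which blocks of the encrypted volume are unused. That is a common trade-off on SSDs, but it should be recorded as a decision, for example `# TRIM passthrough exposes the free-block layout of the LUKS volume; accepted for SSD performance`. hotel/disk-config.nix and summers/disk-config.nix set the equivalent `allowDiscards = true;` and would take the same comment.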
@@ -0,0 +1,86 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ # Fix Wlan after suspend or Hibernate
+ # environment.etc."systemd/system-sleep/fix-wifi.sh".source =
+ # pkgs.writeShellScript "fix-wifi.sh" ''
+ # case $1/$2 in
+ # pre/*)
+ # ${pkgs.kmod}/bin/modprobe -r mt7921e mt792x_lib mt76
+ # echo 1 > /sys/bus/pci/devices/0000:04:00.0/remove
+ # ;;
+
+ # post/*)
+ # ${pkgs.kmod}/bin/modprobe mt7921e
+ # echo 1 > /sys/bus/pci/rescan
+ # ;;
+ # esac
+ # '';
+
+ boot = {
+ # kernelPackages = lib.mkDefault pkgs.kernel.linuxPackages;
+ # kernelPackages = lib.mkDefault pkgs.kernel.linuxPackages_latest;
+ kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+ # kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+ binfmt.emulatedSystems = [ "aarch64-linux" ];
+ initrd = {
+ availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "thunderbolt"
+ "usb_storage"
+ "cryptd"
+ "usbhid"
+ "sd_mod"
+ "r8152"
+ "drm"
+ "drm_kms_helper"
+ "ttm"
+ "gpu_sched"
+ ];
+ # allow to remote build on arm (needed for moonside)
+ kernelModules = [ "sg" ];
+ luks.devices."cryptroot" = {
+ # improve performance on ssds
+ bypassWorkqueues = true;
+ preLVM = true;
+ # crypttabExtraOpts = ["fido2-device=auto"];
+ };
+ };
+
+ kernelModules = [ "amdgpu" "kvm-amd" ];
+ kernelParams = [
+ # deep sleep is discontinued by amd
+ # "mem_sleep_default=deep"
+ # supposedly, this helps save power on laptops
+ # in reality (at least on this model), this just generate excessive heat on the CPUs
+ # "amd_pstate=passive"
+
+ # Fix screen flickering issue at the cost of battery life (disable PSR and PSR-SU, keep PR enabled)
+ # TODO: figure out if this is worth it
+ # test PSR/PR state with 'sudo grep '' /sys/kernel/debug/dri/0000*/eDP-2/*_capability'
+ # ref:
+ # https://old.reddit.com/r/framework/comments/1goh7hc/anyone_else_get_this_screen_flickering_issue/
+ # https://www.reddit.com/r/NixOS/comments/1hjruq1/graphics_corruption_on_kernel_6125_and_up/
+ # https://gitlab.freedesktop.org/drm/amd/-/issues/3797
+ "amdgpu.dcdebugmask=0x410"
+ ];
+
+ extraModulePackages = [ ];
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp196s0f3u1c2.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosds/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc b/hosds/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc
new file mode 100644
index 0000000..ca62d84
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc
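Review bot: In pyramid/hardware-configuration.nix the comment `# allow to remote build on arm (needed for moonside)` sits above `kernelModules = [ "sg" ];` inside `initrd`, while the setting that looks related to ARM builds is `binfmt.emulatedSystems = [ "aarch64-linux" ];` a few lines earlier. As written, a reader cannot tell why `sg` is loaded in the initrd or why aarch64 emulation is registered on this machine. I would move the comment to the `binfmt` line and give `sg` its own reason. The three commented-out `kernelPackages` variants can also go, since one of them repeats the active line.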
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:vJ9l0dJLFw81An47a152ah9daGl5p6Gyt5xZCVuyMlw=,tag:mNSjkEFSTinNTGnqykoSrg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsTXhHajBUQnY4MzJuTW5u\nME4vWHJrRCtQMWhWQ1pvU3h1UWVielFQSFFRCkl2RmpTRDh5Z3Q5UWcwS3RCVHds\nM05GNi8vNnpwS3FZcDBGWVdlZEdyVEUKLS0tIEM1SWdtZGV4QjhpaktRNkw0NDl1\neWlYN0tDMUhsWG1OSm9xWlM2VWJKcXcKa9aySsFOXPdwkmrmFc6X+WZT67vcuJf0\ndd1soIklu7xRuNpGKMuZbNKKgyRZnGrcUZUwwGIlJ2KRDag2risOXw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-03-30T16:37:27Z", + "mac": "ENC[AES256_GCM,data:f8fnXvl1kQdHBgn6GtaXf/Y/CVXFDMc/ZIlXm/l6oDCnrCphIy61cQGpsYyoLgMeD9oHj3t0+mtZNA+5fdSLxgZdgAoNQbcOkxzly/Y+c+wFt+iaUUfQyFjHhqkU7EvyG2lLdDRr9RgN7yMDA3ptNItGaUBWJHumccFQJmjf9C0=,iv:vDZRJWdxmdI8ozpg7tXPMq9BPsRjJlT4Q39jsjokp3U=,tag:9mFVVoBxwF31aP7S9kceJg==,type:str]", + "pgp": [ + { + "created_at": "2025-12-02T14:58:23Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQILAwDh3VI7VctTAQ/3W4JR3l6Aiw+cfwFMgYLr/7AwJSwC1k4w2G1VCwXMBN3g\nmC6YPp67WDR1lOTb6zpviUqVTKAEy20BMJxU7JulAQPInd/zL8woaAHc1tp+cbFE\nr2mIHPKFGgA7tc2xuGxw9+WeWHzjrdjW42vWfvmjoL1crubSzWzr20onKgT/dMwJ\nbFMGEyD7gfDY8Z3TAlMGoRTNyGVzFrsKHkvL01kW4T6K+69ECSUDXyMimA4njPt0\nj+ukDmjojtyUjxHKEvyDtjfTZh8hT6f80w8o7cG+YSJF0h4lXEdvKay3WZ0RbwZg\n6ZUI9Ng9SkFEhcIDzePg3urdne+oJQQxDuFYfioh1Lm0aX1kt0GzU9r4p5pwjNoz\nAwoHuAPaVnwU553qYm6XtghzwsHGMIa4r4JFF4+/txlC21XN9u0sslIUc/CC2fyu\n1rNRgg/4TvipAFHfp0GRWMraf3FchDhFzRqPs4Ei6Vv1ffEKQGun8iykLnN7gC3f\nclCjiorc7pmh/ZVylyKuSvR+TTih3Ysttm9jCNMB3rIkCIdz4XaNYbCPUtb8sMub\niBxcqgTIDNCc5r7CnfDyalmHLZ8s+Q31H0Ci71I3EhHf+7c6KlfCLWuLHUpN4abX\nr5xv/q6kXJJHFOAirrUH8Sik1ydE9g6gLNr3udJzdDehkSflkHAd5mka+v/+n4UC\nDAML0VEuZyGBhAEP/jGuSsy8X3dCKtdbvnN+6SCspC/reKhptMGhyxLoItcyqku+\nXCjAe5yxfHEFjPzA+zMmOF2pmsc0FlZu5+eR2+karAuK+f0fzbv2krhEE06X9mpi\n3vJDoG+Vd03Wz+C/Y69xSIbGXY97msQo9XkUuuBcVjUcsFaf7je6NNLAFmj0Mmk5\nzKmXgCL0yjwFmGSGUnFIjrXlKil1gBrYHYWH+vkeFnNHbkbh1Ul7LYPkDrT81Occ\ne7D+yMp/URxTY5IjX7yVDSANCBhK3reGSSJ5M7a7K1LolGGKUtgMLKfWs9uSVqtJ\nA619Xvo19QYladZxmvhLNS4ZbZkR5mH7pcUmX9ltB6K6/kNpSdujaYALFFLnIgmv\nwBaUjZ9jmx4zkW5B0MFshh8SNrSfbPrmEJyBF/tOLGj1YGzj3TIq9Yf0OnDtmycW\narqmFyh0CWhMVfI/ekCjSCUI+LQTi22/itmfv1IFlrVXLWtWjVNN3y+MHz/9v+Cr\n5t8mWcTy01upfwNxSEcjsAFsjyAfvjdA/TZMBJWZ5ltnEQF3tZFV5WChmh++FNY+\n1GPqtEJdinTVxfv99N9CZIwZUap4+WSYVbXEmygVMUP41BVxNLjAPo4Z6PrDfnSB\nz27BqzIDnNwVz6Si+UreJDUhogGDH7lZua09Mjb+plUyBhAJEvT50Nj2XQyV0lwB\nky4gz5OsMQivfD+bWKOx0E29KnVWWSR2HW82uPaDfWI7uPxaON7YPIvI6Xd9pOUd\n7EdEmSiVVAfbqeplRRdClabiBL8Tm6QLiAnkQiImg38jGU02IeCNbXfzbA==\n=jGFv\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.12.1" + } +} diff --git a/hosds/nixos/x86_64-linux/pyramid/secrets/secrets.yaml b/hosds/nixos/x86_64-linux/pyramid/secrets/secrets.yaml new file mode 100644 index 0000000..83843d1 --- /dev/null 
+++ b/hosds/nixos/x86_64-linux/pyramid/secrets/secrets.yaml 
@@ -0,0 +1,48 @@ +home-wireguard-client-private-key: ENC[AES256_GCM,data:YL/nP4DGGjVc0wRrbJ0x+iyJfdqhE90Ws92QBl/lr3RnJzA+stcz0ey/Rk4=,iv:Ek/RVzDpcT7fqVh7OnNc9QXD3Tk/2bm6vSQDA38j+DI=,tag:G2dSpA3KZmbKAfIN+2d45w==,type:str] +sops: + age: + - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcVdIU1MwTlQrVlRMbDkw + WXZlclBlYmp4elMrTkFPZHRpMGlGZXBDNWc4CkliYkNuTnNuZzRieGlvSHV3SCs1 + S1Nmb0VJaVd4MFQzTU5XVVBuQldIVzQKLS0tIFpGUjNaSy93MDVQVEFvbXZzQnJp + Z1AzcVZpVlQ0WU9pNDNoTXoyR1RGUEEK0dfAegOiBXCnLakgBtWCYb7+hDqWFYUK + rXlXTBtICLgSzLWTtPbSVzrrZgT0SAM6vnLO/iNfAIXZlxjeOZrP8w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-05T10:37:12Z" + mac: ENC[AES256_GCM,data:RcvRagYaFGwMwrV63tffmYcA/m1GRjXpefR8Ab65jaldcWjfERiCWLFha9aQ1QlWUgSvCWbgC9/zFJkBBca1qVIvLOK1+nkI/ZjQ5rdUOJaP7mukLC3tcm+5f0Fe+GjTCDHGIZd/dUgkF+xVhN2XnFW1ExzRRt6q4a4pKvL6Ml0=,iv:EISJGqa2hQfjpu0X5wMJNZXzv0Loejj0Eb6kosXjU64=,tag:S81dIphr1rqQSO8jAZCABQ==,type:str] + pgp: + - created_at: "2025-12-02T14:59:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAlcSjeRYoj2Hhff3PbKtUdIisAyRHtX84+m5BYeRmcx5k + gwMmitFaYQO9IL8EJHXfwIlx+7gubTCHKVDEIJPT6+jwNjWPvdvRSdmelY+xIhPE + rISqzUlbpKdkhRco0vKNX1bqfLWPqcWPREyHLg0WsnPJjAmNHNz3GKDnqFJG4tip + CDMTp16dJWAnGF9uCPDZ6CcpuP7U4CHDBH5KcGnZFJoZg0VvQhqW1uTwmqI99j5G + pB54n/nhCuNbL2vktBZQp+vrwiykb4+1rZw+CcK2awcD2Ugk0d/7KieRSxRIKEbW + COIkJRxXkc3JbLjdVIZBQGUSNTtjG3Q6pUaPuECUhb+5SyUDIpiUmpR+/3iIitjo + OY+1nDWji5Q2d0BSkoRFiH9KeZn65vduQyEQRX6B0yrElBNk7etkvPdJ3bGoJ2WX + Qwlkx0YP+a2dwEtvlKav2D6aJ+uCH2MTAVVL6wEK5a6s2QYkc39qpGhzRv83nbsU + Bp0QnJ6ZSjf/C5fAealZldXO1ZDIDpbH5xObaanrYgZ5ufnUl2Q1sKUXNljTYigB + tN5z28AiDeV/INr7e1tPV+C6RtHDYi5Rxo9lfoehvdAWkbfdl/iucV2LkwWTKFLO + istGzbaxnPtJmlx6FXq+fk6g3GQcPvuv64ZqnIv76VclWcPZDYUK/EU87LAO8NiF + AgwDC9FRLmchgYQBD/4maY4LhehaKtNMt6r331YjlsnZxcv/4L5zJRc43XLeJJjf + 
3xjU+TZ9RvjwsTaJ4bTeoVxu8OkFgugvRVhp9sQuu/tGfWbCpn3hWIxebivarQdI + 7L0SkuHg1Die2g3YqdbpDIzvnLueSvuNDJNmyUgekR8TdWJ0A/pwl/poAu8nZgtw + hiIXBdLt5xEUOihXVJwYIoHu8yjL6aZttDyZfHuDDTcCwXdqYqMHyTYmcNdGakrl + DG+x2TgsJMtipvYHT4WqcVtOYlVAH4VfgxfmcWvEIXT5u1ZpizntFqGAgsTwQwCS + vs8vbZ5WFqQTYZL2t1U0cX7ExWWdY7LZ+ap3uZ5/2R2VkT+FdplRz12DsobWMP9z + mjveWhiZx1TPa1rf5pigcvtFSQLllrLhS79Per37EoGUArS9iM6Iyhd9avHAqNTp + ywZnJ5JpQKVDeRsMZfpoKdN/C/wqSAl6O6NQX06aY3EIYvxKF8h6qK7u/4WdlVd5 + Ml4Yn18HyeTkbz616TlMLlGQMNuloDc+XVORVutVphvxI50faIwi4I4q06+7+yuX + A87uJatXS8K20mDkzygP/j+T3eSzEMB69mPLo+cbhOfcmk29x7Sg5pf/JYAOuYMS + XGlIpa/VmqHOVcbD32sm2/M3AOgZBz3D2Tr2tI2JyK4ZqW/7AIFYNhnv7siTXNJe + AXNBE4bU/FRXGOH4vOqoVFvBwYOd7Jlr8QnMpFQuBDMz/408lkIojd5njvLsu/4n + qE0HKP9Sq3XY8dP4012GbkN9U/m/ca2oqVUy7rrEhGc1gLddlISHMMjNa7GsBw== + =fGF1 + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/hosds/nixos/x86_64-linux/summers/default.nix b/hosds/nixos/x86_64-linux/summers/default.nix new file mode 100644 index 0000000..4342d2b --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/default.nix 
@@ -0,0 +1,111 @@
+{ self, config, inputs, lib, minimal, confLib, ... }:
+{
+
+ imports = [
+ ./hardware-configuration.nix
+ ./disk-config.nix
+
+ inputs.nixos-hardware.nixosModules.common-cpu-intel
+
+ "${self}/modules/nixos/optional/systemd-networkd-server-home.nix"
+ "${self}/modules/nixos/optional/microvm-host.nix"
+ ];
+
+ topology.self = {
+ interfaces = {
+ "lan" = { };
+ "bmc" = { };
+ };
+ };
+
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ };
+
+ hardware.enableRedistributableFirmware = true;
+
+ swarselsystems = {
+ info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM";
+ flakePath = "/root/.dotfiles";
+ isImpermanence = true;
+ isSecureBoot = true;
+ isCrypted = true;
+ isBtrfs = true;
+ isLinux = true;
+ isNixos = true;
+ isSwap = false;
+ proxyHost = "twothreetunnel";
+ writeGlobalNetworks = false;
+ networkKernelModules = [ "igb" ];
+ rootDisk = "/dev/disk/by-id/ata-TS120GMTS420S_J024880123";
+ withMicroVMs = true;
+ localVLANs = [ "services" "home" ]; # devices is only provided on interface for bmc
+ initrdVLAN = "home";
+ server = {
+ wireguard.interfaces = {
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ };
+ restic.targets = {
+ SwarselState = {
+ repository = config.repo.secrets.local.resticRepoState;
+ # nextcloud stores all data in state dir and has no data that needs backup
+ paths = lib.map (guest: "/Vault/guests/${guest}/state") (builtins.filter (name: name != "nextcloud") (builtins.attrNames config.guests));
+ };
+ SwarselStorage = {
+ repository = config.repo.secrets.local.resticRepoStorage;
+ paths = [
+ "/Vault/Eternor/Pictures"
+ "/Vault/Eternor/Documents/paperless"
+ ];
+ };
+ };
+ };
+ };
+
+} // lib.optionalAttrs (!minimal) {
+
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ wireguard = true;
+ restic = true;
+ podman = true;
+ opkssh = true;
+ };
+
+ guests = lib.mkIf (!minimal && config.swarselsystems.withMicroVMs) (
+ { }
+ // confLib.mkMicrovm "ankisync" { withZfs = true; }
+ // confLib.mkMicrovm "atuin" { withZfs = true; }
+ // confLib.mkMicrovm "audio" { withZfs = true; eternorPaths = [ "Music" ]; }
+ // confLib.mkMicrovm "firefly" { withZfs = true; }
+ // confLib.mkMicrovm "forgejo" { withZfs = true; }
+ // confLib.mkMicrovm "freshrss" { withZfs = true; }
+ // confLib.mkMicrovm "homebox" { withZfs = true; }
+ // confLib.mkMicrovm "immich" { withZfs = true; eternorPaths = [ "Pictures" ]; }
+ // confLib.mkMicrovm "jellyfin" { withZfs = true; eternorPaths = [ "Videos" ]; }
+ // confLib.mkMicrovm "kanidm" { withZfs = true; }
+ // confLib.mkMicrovm "kavita" { withZfs = true; eternorPaths = [ "Books" ]; }
+ // confLib.mkMicrovm "koillection" { withZfs = true; }
+ // confLib.mkMicrovm "matrix" { withZfs = true; }
+ // confLib.mkMicrovm "monitoring" { withZfs = true; }
+ // confLib.mkMicrovm "nextcloud" { withZfs = true; }
+ // confLib.mkMicrovm "paperless" { withZfs = true; eternorPaths = [ "Documents" ]; }
+ // confLib.mkMicrovm "radicale" { withZfs = true; }
+ // confLib.mkMicrovm "storage" { withZfs = true; eternorPaths = [ "Books" "Videos" "Music" "Pictures" "Software" "Documents" ]; }
+ // confLib.mkMicrovm "transmission" { withZfs = true; eternorPaths = [ "Books" "Videos" "Music" "Software" ]; }
+ );
+
+ networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" "bmc" ];
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/disk-config.nix b/hosds/nixos/x86_64-linux/summers/disk-config.nix
new file mode 100644
index 0000000..a4b5089
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/disk-config.nix
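Review bot: In summers/default.nix the `SwarselState` restic target filters the `nextcloud` guest out of `paths`, and the comment above it does not explain why that is safe. It says nextcloud keeps all its data in the state dir, which reads as a reason to back up `/Vault/guests/nextcloud/state` rather than to skip it. If that data is covered by another target the comment should say which one; if it is not, this guest is left without a backup. Suggested wording: `# nextcloud is excluded on purpose: <where its data is backed up, or why it is disposable>`. The `!minimal` test inside `guests = lib.mkIf (...)` is also redundant, since the whole attribute set is already wrapped in `lib.optionalAttrs (!minimal)`.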
@@ -0,0 +1,118 @@
+{ lib, config, ... }:
+let
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/home" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/home";
+ mountOptions = [
+ "subvol=home"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/persist";
+ mountOptions = [
+ "subvol=persist"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/log" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "subvol=log"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "subvol=nix"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = lib.mkIf config.swarselsystems.isSwap {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = config.swarselsystems.swapSize;
+ };
+ };
+in
+{
+ disko.devices = {
+ disk = {
+ disk0 = {
+ type = "disk";
+ device = config.swarselsystems.rootDisk;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ root = lib.mkIf (!config.swarselsystems.isCrypted) {
+ size = "100%";
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ luks = lib.mkIf config.swarselsystems.isCrypted {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
+ settings = {
+ allowDiscards = true;
+ # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
+ crypttabExtraOpts = [
+ "fido2-device=auto"
+ "token-timeout=10"
+ ];
+ };
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+ fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/ankisync/default.nix b/hosds/nixos/x86_64-linux/summers/guests/ankisync/default.nix
new file mode 100644
index 0000000..1359ff4
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/ankisync/default.nix
@@ -0,0 +1,42 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 1;
+ vcpu = 1;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ ankisync = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/atuin/default.nix b/hosds/nixos/x86_64-linux/summers/guests/atuin/default.nix
new file mode 100644
index 0000000..7d4eeea
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/atuin/default.nix
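Review bot: The EXIT trap in both `postCreateHook` scripts runs `umount $MNTPOINT; rm -rf $MNTPOINT`, so if the unmount fails (for example because the mount is busy) the recursive delete descends into the still-mounted top-level btrfs volume and deletes the contents of the freshly created subvolumes. Chaining the two commands and using `rmdir` avoids that: `trap 'umount "$MNTPOINT" && rmdir "$MNTPOINT"' EXIT`, with `$MNTPOINT` quoted in the `btrfs subvolume snapshot` line as well. On the LUKS branch, `passwordFile = "/tmp/disko-password"` is a fixed name in a world-writable directory; the comment says bootstrap.sh writes it, and since that script is not part of this hunk it is worth confirming that it creates the file with mode 0600 and deletes it once disko has finished.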
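Review bot: The `imports` list, the `isMicroVM`/`isImpermanence`/`proxyHost` settings and the `wgHome`/`wgProxy` client block in `guests/ankisync/default.nix` are repeated unchanged in the other guest files this commit adds (atuin, audio, firefly, forgejo and the rest), with only `microvm.mem`, `microvm.vcpu` and the `swarselmodules.server` entries differing. Setting the shared values once, for instance as `lib.mkDefault` in the `profiles/nixos/microvm` profile each guest already imports, would leave every guest file holding just its differences. It would also make an exception such as transmission, which joins only `wgHome` and sets no `proxyHost`, stand out in review instead of hiding among near-identical files.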
@@ -0,0 +1,42 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 1;
+ vcpu = 1;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ atuin = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/audio/default.nix b/hosds/nixos/x86_64-linux/summers/guests/audio/default.nix
new file mode 100644
index 0000000..5f2ddd6
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/audio/default.nix
@@ -0,0 +1,44 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 4;
+ vcpu = 2;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ navidrome = true;
+ spotifyd = true;
+ mpd = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/firefly/default.nix b/hosds/nixos/x86_64-linux/summers/guests/firefly/default.nix
new file mode 100644
index 0000000..26ba724
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/firefly/default.nix
@@ -0,0 +1,44 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 3;
+ vcpu = 1;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ firefly-iii = true;
+ nginx = true;
+ acme = false;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/forgejo/default.nix b/hosds/nixos/x86_64-linux/summers/guests/forgejo/default.nix
new file mode 100644
index 0000000..5d1822a
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/forgejo/default.nix
@@ -0,0 +1,42 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 1;
+ vcpu = 1;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ forgejo = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/freshrss/default.nix b/hosds/nixos/x86_64-linux/summers/guests/freshrss/default.nix
new file mode 100644
index 0000000..adf2eca
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/freshrss/default.nix
@@ -0,0 +1,44 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 3;
+ vcpu = 1;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ freshrss = true;
+ nginx = true;
+ acme = false;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/guest1/default.nix b/hosds/nixos/x86_64-linux/summers/guests/guest1/default.nix
new file mode 100644
index 0000000..7363993
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/guest1/default.nix
@@ -0,0 +1,22 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/modules/nixos/optional/microvm-guest.nix"
+ ];
+
+ swarselsystems = {
+ info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM";
+ };
+
+} // lib.optionalAttrs (!minimal) {
+
+ swarselprofiles = {
+ server = false;
+ };
+
+ microvm = {
+ mem = 1024 * 4;
+ vcpu = 2;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/homebox/default.nix b/hosds/nixos/x86_64-linux/summers/guests/homebox/default.nix
new file mode 100644
index 0000000..3f338f6
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/homebox/default.nix
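Review bot: `guests/guest1/default.nix` looks like a leftover template rather than a real guest: the `guests` attrset built in the host's `default.nix` has no `mkMicrovm "guest1"` entry, the file imports `modules/nixos/optional/microvm-guest.nix` instead of the microvm profile the other guests use, and its `info` repeats the host's hardware string. Whether anything outside this diff still references it is not visible here. If nothing does, dropping the file keeps an unmaintained guest definition out of the tree; otherwise a first-line comment such as `# template guest, not instantiated on summers` would make its status clear.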
@@ -0,0 +1,42 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 1;
+ vcpu = 1;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ homebox = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/immich/default.nix b/hosds/nixos/x86_64-linux/summers/guests/immich/default.nix
new file mode 100644
index 0000000..1a94a4f
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/immich/default.nix
@@ -0,0 +1,42 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 16;
+ vcpu = 14;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ immich = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/jellyfin/default.nix b/hosds/nixos/x86_64-linux/summers/guests/jellyfin/default.nix
new file mode 100644
index 0000000..85a3fb1
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/jellyfin/default.nix
@@ -0,0 +1,42 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 3;
+ vcpu = 4;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ jellyfin = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/kanidm/default.nix b/hosds/nixos/x86_64-linux/summers/guests/kanidm/default.nix
new file mode 100644
index 0000000..776e2f2
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/kanidm/default.nix
@@ -0,0 +1,42 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 4;
+ vcpu = 2;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ kanidm = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/kavita/default.nix b/hosds/nixos/x86_64-linux/summers/guests/kavita/default.nix
new file mode 100644
index 0000000..91d20a3
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/kavita/default.nix
@@ -0,0 +1,43 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 1;
+ vcpu = 2;
+
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ kavita = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/koillection/default.nix b/hosds/nixos/x86_64-linux/summers/guests/koillection/default.nix
new file mode 100644
index 0000000..b5e55c1
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/koillection/default.nix
@@ -0,0 +1,42 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 1;
+ vcpu = 1;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ koillection = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/matrix/default.nix b/hosds/nixos/x86_64-linux/summers/guests/matrix/default.nix
new file mode 100644
index 0000000..024399b
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/matrix/default.nix
@@ -0,0 +1,42 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 6;
+ vcpu = 2;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ matrix = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/monitoring/default.nix b/hosds/nixos/x86_64-linux/summers/guests/monitoring/default.nix
new file mode 100644
index 0000000..b91ed1a
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/monitoring/default.nix
@@ -0,0 +1,42 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 3;
+ vcpu = 2;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ grafana = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/nextcloud/default.nix b/hosds/nixos/x86_64-linux/summers/guests/nextcloud/default.nix
new file mode 100644
index 0000000..3fe0800
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/nextcloud/default.nix
@@ -0,0 +1,44 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 3;
+ vcpu = 2;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ nextcloud = true;
+ nginx = true;
+ acme = false;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/paperless/default.nix b/hosds/nixos/x86_64-linux/summers/guests/paperless/default.nix
new file mode 100644
index 0000000..8381a04
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/paperless/default.nix
@@ -0,0 +1,42 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 8;
+ vcpu = 4;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ paperless = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/radicale/default.nix b/hosds/nixos/x86_64-linux/summers/guests/radicale/default.nix
new file mode 100644
index 0000000..74a6930
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/radicale/default.nix
@@ -0,0 +1,42 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 1;
+ vcpu = 1;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ radicale = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/storage/default.nix b/hosds/nixos/x86_64-linux/summers/guests/storage/default.nix
new file mode 100644
index 0000000..3531298
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/storage/default.nix
@@ -0,0 +1,43 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 4;
+ vcpu = 2;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ nfs = true;
+ syncthing = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/guests/transmission/default.nix b/hosds/nixos/x86_64-linux/summers/guests/transmission/default.nix
new file mode 100644
index 0000000..38b5503
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/guests/transmission/default.nix
@@ -0,0 +1,38 @@
+{ self, lib, minimal, ... }:
+{
+ imports = [
+
+ "${self}/profiles/nixos/microvm"
+ "${self}/modules/nixos"
+ ];
+
+ swarselsystems = {
+ isMicroVM = true;
+ isImpermanence = true;
+ server = {
+ wireguard.interfaces = {
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ };
+ };
+ };
+
+
+} // lib.optionalAttrs (!minimal) {
+
+ microvm = {
+ mem = 1024 * 4;
+ vcpu = 2;
+ };
+
+ swarselprofiles = {
+ microvm = true;
+ };
+
+ swarselmodules.server = {
+ transmission = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/summers/hardware-configuration.nix b/hosds/nixos/x86_64-linux/summers/hardware-configuration.nix
new file mode 100644
index 0000000..bef7987
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/hardware-configuration.nix
@@ -0,0 +1,28 @@
+{ config, lib, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
+ initrd.kernelModules = [ ];
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+
+ supportedFilesystems = [ "zfs" ];
+ zfs.extraPools = [ "Vault" ];
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosds/nixos/x86_64-linux/summers/secrets/ankisync/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/ankisync/secrets.yaml
new file mode 100644
index 0000000..7b604e9
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/summers/secrets/ankisync/secrets.yaml 
@@ -0,0 +1,58 @@ +wireguard-private-key: ENC[AES256_GCM,data:oJkwX64LSXAaGXvEKbK5UPVtgFbFZSh9EQD3s634fUR155TT7yxI2YcHd1U=,iv:y666pwtBDTF7DMWx4vJu65VEBnuPBDCirGeVkntmVyQ=,tag:OZR6wxla3YYEZ2KtNbKnDw==,type:str] +anki-pw: ENC[AES256_GCM,data:CVZxqubgfojCeA0=,iv:Ux7k27srI1bMh3nBlGGkuimcJkKkmkjaNBph0X0o5vM=,tag:yUfVrCl1srD1V+3wXSbFug==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVmVIbWc3UzNvQmU5b0cz + Qy9wWjU2MlJQNWNFVlgrVEpJNE12SmJLL3hvCjhZN1JURjVBZVE0R2IwbXhtaGxI + c1U1MlJBMkdWRXRVM3cyUFdCQ3hrTHcKLS0tIGlFZE9Cc05qT0M2cXBRZHZ3L0lm + eWUxa0pZN0hyTjQxRWdzWlBjblh5ak0KmVuGpc7DA+6XZdxJDwHYrJeqs/2fMEUq + w9KscmTXOdWOjIQjexhvhUdKT3eodSEK8MD21K9ebdbyo6fht+xMyQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1kyue7mfvzuxprjz2g6ulz2mxlr57rgzg6lfpnrqedkelehley5ls3enwsd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdlBYTnQ5NTZSd3V0enFr + QjhCbFNDYks4OGpYVnlsd2oyQWVNZm9raUhzCndCNUpiUytOVTFkT1E3bjZkSk1J + enNpZXBwWlpIMHRKSmo3cHNJaFJLVDQKLS0tIDFyQTcxV3Z5WXpPWU9yZVRabW5u + OSt4dklrQWphdDBvZmtTaHc3MVlQeUUKJJD3xPgCRNqqFxPTENXfUU0CP7Jtc4m8 + gJFyP/XmwC0aGNpU0iQbuBYh74m/0n3dWa39kT0RDuAVxg/dfWtSMw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T08:02:47Z" + mac: ENC[AES256_GCM,data:bZ0SeyqYFrtn5P5lkuK1aVTKxoMVpN3+CHnvMFp+bIYW3eoDTEAey7otLh8psqS+0r9KnbsDTODTfVn2fX4xmRCI2bchflcJ/O6bnGhFjx0dVlmQXVzZg8LJe4+qvFxdGbwh5yXJnE503wdF5xN6xuvOBLa0Z5yOIsmd+X8c63c=,iv:8BXVbteOxr8ZA5Lo0sGN6JhFZF96gdwy2RjLMgfWPbg=,tag:pBCPHAUeleUaOCMJgGjx+w==,type:str] + pgp: + - created_at: "2026-01-12T22:05:16Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAvuxf0dkraa6xeMfzFlVXfzr0UB8Uz67oh9WrQ+HKIOJr + tFBvGqQn2jxMr1cQxfYLmiqDqcMCKkRUoTde+tlweguea2NlviHdie9cZe9BPFel + iz10v2cfGXLv608deaIxHPoXvr11YDm74EtXI3Jhh9q8WIsjjmH3sg/Aa92Y8P+1 + 
Bgc5lPI5lgtyQMUDTiJhLWTH05yfhSMZIbgemB3snxPY7gQS7IJ7a2j3smg/Yb+k + 9SFFl4l3D7Aml6K5ZHpAh1fgZmJWGev7qXMwii86g2B+tyY99cwgThlEKqHiTBHF + RaPo4oMHQ3UjHpOjwgD22wKunL3WJWJONA81ACInkyzPJza21CNtEqNLdElWymVF + IrK5oDDTEYlOfbDWFaJlAGAueTnZgHMMp6wDmLzmzkUDSfTYMoMiMoi9CzN878R2 + QA0CXa+8Jjks+lNqmzreoZjJN+Iwip3ojDo9oK7afx8cS+Gat5rU0oBY3lzUJkVU + 9Qo1Z5Td2AGUlrVVvpKDZ1BGuNpNgGVQjOLwysBfv2rFTCWE6feZXQS/He1sz+9C + n4+tHppw8DQMLcjGKOcWFQKooy23SJC6ozvEhV59nKU0S4WXsMIJBaAH9N7yGw+p + +gSZvRLELJyAy4rS73+JKDozxKd1D3m64HdkxCGky9P30kuNvz6AYHLD3Bp+OLKF + AgwDC9FRLmchgYQBD/4pMJqUXAs1grPDANrJULEH7LIRQEK6O+7FyBSrQvXgFICx + Cxagn5ErwDLxbJ6Wkx8vW8hfZ++N3eSVQz2UWMemvWxcakgR6HoAHGtjsmydSzAI + qMHuKTrap2hHRqAKW49R8/9ZVkAP8IitmhsVRw6HGNjMTAh2t9yNXM6yBFIwbKXH + y6LTrLjJ+MmFY2UvkqIx2qFZhgdn7AzNbHriGmE2vSAGC8HVNTIfymuEleNLciRV + l8uoUn81E5NC7OAokCAvBX5CjO3sG8ZP0+wqkax4F1xdiNo+piD5QEx3HbP+fQpH + hUFiw5ZBBMn8LZLTv8HlBXP2GkkaYUO00yjDxkFsws9PrJOs/h/pYi8olaFX5OF+ + o6cuM370tHyXC160aCOKGS5miED6yceT8ixWgj0E4jqyO4WP3RlBiu9OTOsz0J4X + ylFAHdT6Dzlx8q4G5GfjWtHXIjhcR4qOquCI/mk8WkVDDCaOXplme8Ja/EnGT/cj + KEqjebGOINZRW3e1Ip/QAzwXwxM34ZNo6ltBkPGe+QmYIpZVYpQ12mepItduaGXc + LmUxJMODx2p+sgEyZi9lyIFMq/Ny+VifZQ6ux68jPOTq7Act3JRs7irlg5W2BCps + iT/6YnGLvmQMMpEaGtN1QIuXNvpR0QxL0+5x3AxT/eu+3FXuzVDBmb2w3dpq+dJe + Ad1Ft708DUYEAjf05YPsNsS1RycS1rz+WBCx+4bku59v2EHLupK6N2jrXDJbA1YQ + F0RZ8HESgLy6SSZltZaTNfcT4dz5/RFJ2hmk7WRrhzs9k1bX9N8vdYPuc43fhg== + =HCKN + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/atuin/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/atuin/secrets.yaml new file mode 100644 index 0000000..d894aca --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/atuin/secrets.yaml 
@@ -0,0 +1,57 @@ +wireguard-private-key: ENC[AES256_GCM,data:CBL7h5Ip5Fp5tnY0Cg5iRC2MKlPjh6DG9BRVHbD6wuTO/EAV7O/OpSXxxG0=,iv:WnBTR+0GwmUO++JhMd/2alVuIPhXBT50Qwc7Z9umVC0=,tag:4j5ieGF0gedQUD8SWBEQ7g==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLb3VuQTBmWXNrSkVQcGZy + bWlSRDdmdUVGYVJ5d1Awc2orMHc0VDdTUDBBCi9ncWU4NWd5R0pqMStvb09NR0Nr + NTlNc3R3YnNmUm5XU01jVmd6OE8vZG8KLS0tIFNqa2xtVk5zWmJTZC9BbGFLQzN1 + aDNGUWo3Z1grUkJqbGlhV3pvNTNVREEKEito29fzKN6Gqzp2z0ZSfeTmYXnvTJGL + CZOLeeXMuaUf0jRD2hZnAJgGpglMjM4rIpEBvwCBHAUUN2/Nh1ONkA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qpgj3ell93rzkpjq0ezs6t669ds3nyxx67pj50smx597pspz6fqs4jc6pt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwb1Z2cVNjVHNINkMwZVhm + c2dVUHRicWJBV0k3dU11QnpLUVk0c05FV1VNCkUvRS9yNml6SjczMGF6c3A1VWtY + cjlTNGl0NkZmNXFKWmRVU1ZlZFdKTk0KLS0tIHo4TmxrYm5scEdjQ1V0RXVHYmFy + bjE0WUoydVRRWDRHRkJtTEtGSHZVRDAKhsuhfBoI1I7pi/DBs4pMSiNzZ3qa23IH + Px5rvj3lMqvBuUHUhKaYIKEs4haNW7lKdVTQt2KZLZ6SUwAhmKZqLA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-07T13:36:32Z" + mac: ENC[AES256_GCM,data:TQWNPos7lbjMFN3w8gMUBdik0YqMjW6Wa0qBPHwrnnJZvpOJqzKBmKK4boHD/7kvrOD3yo7RKdp/n2gAJBa0+atSdV6LLf8gFBPOHFa6YWEu2adOjtayDetQiCy8G9ygjC4x/RDt25SUC/+UbgeKuoMKsjN2lOZFe+/zwAYpF0A=,iv:6l9Ev9WQZQMrLhC26z6ydBmbBtQJpJHBM/s97X6I3hk=,tag:QTQVTjOz+R19xWgWOfWC2A==,type:str] + pgp: + - created_at: "2026-01-12T22:05:18Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAxBmEq+L+C7Oq0wjXp5pWt76/ItnTLuvY2LryA17mhIzj + 9g3/dAtwD1nUlWPVku7uEC+bBgb1N5jNMgo+D/9gpgT7xTwLBPP6lTdZDOlcLr+F + DF/IDuFJ7nMIbKQ9Q50wuGxppV+OscmYhOYZO4Q1VYydaVFiOa7zcwOQk9a9w09S + l67YN5FYU8jk6S6RDq60+kOHtMIIgo4321QBgq8bQtzpdz6ikQXZG12zfG0R6wqT + 66JiBF2e/EfAdWN92yZtDCfsDOosxmKnz1HNe8thHKOAAN2xXyV0lSKgJ5X80Wuf + 
WGb9vLKpyl3tkAqf6RLumvZjTm3CY1YAifEuNmvxLL1JKvr2dOatnfV8EurpDji9 + N4RTjDAdSZPKVzzv5bL7BzeJjlIT0zKP96IkmAGFCpMhrrQVL+qxs0Ov+xzYR6uu + bQc38cvIdE3xYclY6dMLwdBpAyb9uij0nb9p/wuNmLYkV1c1tOcErwq80Uban3v5 + YgQ6MaJ6sNYSQNDApxZpsdLi7TG25Pm9rDM4OCbUXIyD6CrHuI/S4kfoCAOv/CcI + 1SCmQIhqkc+tc4bRYSA3vnZ6pRDCzMI16xI4rc1D1gH0Kk5d8eeFtwICKFPh7IAH + p1mfDbkMg/P7yXuXh779YWUzT/p18Z8PErCvVIp5YldF0TMGjlDOTFVZw0HvHFqF + AgwDC9FRLmchgYQBD/wM5Jz6VXbgn52zZ4FN9JNRW6tapuWy7HDmlOrZSMmWPmeX + 5VVDjHZ2o53J21jI/Mm4QZsoKE9+C2JTFDFIOvDeGzrvGF+VTE2EdNGLtU9HzjwK + 0mFnSo0GzSoo6UtrhdI6E6Fa/NjoUXI7n7A8m4Zg87Iq+UrVmiT/DKC9+7dV2zWg + JqZIHmGMItvNTuoUcMZmYG1AQt7dke1eE8cmGyxROLRz+z4laB54pBTIlN30p9Cj + 0f+vqetUwYchZm/Zu8FRPAxD/+WNLmVb08CGU1uO98aE5e6dcglGGX3qlmJZXdbS + XIwTUGEtnQfwDE1FdHdzJGmvnnNUqGRP1/Ld3GMUOcQkqiJa4qgeb///oVBqd6uh + Kfr52CPVariPIfuUVs0nlfNZMnbgo0vN7ri3Thn+IVfIuV4IBp2GXnilbzKyoyOj + q+xDuz6GkUt5bNFAzh/e+xTvXC353F3MBrxuwJ1bQ67mhEUsDwjf2AO1biejLelK + nYID80VWhSFlvmLXuwJpuB87D4CiwqMJeFwzK128VYjxk6I9p4H/4vmhGhkIDqRB + t+vzjK9eTFXdUGz1TJAiIjE3DcQHJpfMfIoVbVOamfROGlPu97owiDGFonQf3XWm + Rgwowom3qmEL17zziCqAQ7i0YxYVo4322vI/IC7u42JZjs9AK3vJdm2Vo5iCkNJe + AVLhenywDkZRvIfNlz5HdV/HdNAl8VvOWoDZGADwTM5r/n9d/6CQkk2whE/uGrMT + i5NaKF8Zgv1CteuAPiXsZsIZsqW5W7neOFeYwToaQT5mOLM5UD9Ev2NZh9RzOQ== + =FbVY + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/audio/pii.nix.enc b/hosds/nixos/x86_64-linux/summers/secrets/audio/pii.nix.enc new file mode 100644 index 0000000..c6f45ec --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/audio/pii.nix.enc 
@@ -0,0 +1,25 @@ +{ + "data": "ENC[AES256_GCM,data:wIROKHVWuV052x4k858oCq+xZnub2DyGwVWEKbw5lwvIbat7q7GXawrYlX2owKXaPUBGjOmktOHdXIlal2TVvO1+9cXleYtcEXBsK7ifSfxTmLzDa3aOR9c2jqFehvxUlZ0NdFcAbvy4dAi+I8Olt/29gruDmRYZGXLUb129FeO2ugdzpNL2nAg9SAR5p+QWpo86TwwUFf2Lsil0YBBtMgdVVjcPHk2CP+BnZM3PNNqh+m1fU09BNpwTyXw0nEsL7L2eMYm3bjP/A72WqJckugdX0etN9ohqs1DdunQyuYnfOeMVMYlPQKQ=,iv:O4rR6PXzF5gflvcez4kjdPr718wDOacAhxVVMvZFKQo=,tag:n4xVVTe42NiUx7Gj/52mwQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwajBWMFFQNGkxMk1SVFI2\nakJnNVErdEEyNmliRVBwZ2tYUXNKeUVRU3cwCmhWSm5MbWlBaWRYRzNXODJ0QVhH\ndjNOVkNFdlZ2VmlMTVJmQzk2MmUzc2MKLS0tIHlCalVTaE0zODlzdUlWK1lHWU1L\nVm4xWllJeStzekwyMVlqdWxhY3J4NVkKgFf+DpK5+ChVdS9Mz7Xi5/8hk+IH0BrW\n6rMWdhK4uq4leM2b9UjJf9JJSQFj5/ZDmC+WF2naewVFwjM9B5rQZw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRTBWTi9yOU1icTFpbnR4\nKy9ES1FpbE5Gb1FTekE0aHVyYWdFTE1GUDFnClpCeDA3RnBtYzV6YlhRaEkzYjIv\nQW1GZHJ4b01ReFIvbGpmU2hMMkxXYjgKLS0tIG5tZEx5V1BnQjdIdE1sODhhOHor\nbFZmSy9Ya0FlMEtxcXRtUGNlU2VjZkkK4/ejnIqhbdC8BSDVrW2uw/Xrxh/lzX5N\nB15g52lsvdCbIrUdHzdXQwOQuqBfQ67sHpUZxCHoJvojQuc/dwB8qA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-08T08:04:51Z", + "mac": "ENC[AES256_GCM,data:xEn7TvlAZnYUuWOoI6e5gB5lNYC+xAmmRNdPis+2m/AGNhH+++c/hu5xfLTqYOMXfs1QhD50Y93xXCT9C60J38cFRjnSO86NGB8hITYLVVBVMCd5LIhYoAhUnwg1+6bZ+gTjvY+sseh7WJ1dbfLMa7liWwtpKEY2PbioekKOnjc=,iv:X7O1YAaFkB/+aKd+EP3HK9JHJeLb6jRTCkVKLoaNlW8=,tag:hydcLTO6vj6TIS29maniaQ==,type:str]", + "pgp": [ + { + "created_at": "2026-01-08T08:04:26Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/9E5jKJGSxjC4tTGfMXcn7y0WeP6ieFqFUev+wKhv2Ko8Y\noODbbdmsv+lGF2RfgAnOUdZ5TlKxueMg3npLlSRDxCPretpkOaEjxwuhTkRK69O+\nZUClaiL/LAg7iVq8LSo/gDH4w1ObXPB/wuSguMuEqaVyqJNqIbOU+kKCy+jSMwoH\nc+65puznN5jUYd4mPKgoY0mLMYxuK+RBmRWMwDwLmRvm2ZjOqx/mgv1zdb7LZOfX\n4z5XRFfNMPV1qUo0tGC/KBxAXKie13qJu5diAZTWaqlf0s+rhZWCVdqlyEWmI00m\nUeArRnw+23uSKQgHOJ7dlqNiSCRdoKtcH1XjyQNfGMTYinnWQBSvHYuA5K6mTsEL\nQ+flp3jLj3AxlIPn4cV9KX5nZtRluSlnA2V3oY4U3amsFeJ1GhJ8+veNxd4YcIyj\n2ZY8lLfCS9saVf2tAWBdKjvhbLD9k3pTUXLNrbknAZjoVzqkkujUfmkg6oOyb4JK\nO1Q5h5EFlRyIs281iWR0u3kLyhA3Xi5s1NZWSGd51E9Kaf1y8wfGMK4xC1r0zBAQ\nMwOJcrNjlNQGfKdANkWfjnOC1RmGELJ9MoKR6TBDhtamShrdNRatFWxsPo7FX2MT\nzy2xWPx/yi/bbjjj98hyiKI6n7Osan/DQuxC17B/5FghjTXjO8QxY6ueF3Bj4l+F\nAgwDC9FRLmchgYQBD/0QnAEJRsUnyknJ+csmzHaLzYOVPXNcEaftkMLDFSrtFT5V\n2TLARxyBaOWCdszX1VnMNrlLfdMLzGO7oX2GnwDrR/K2e0m2RZ/Nj7InWFhatLUS\nkCdrqkeJmOTNVqN67jycCKthfiSp12sYjR/Ib1l8Yelf8NlVr51ULUlonaRcP7ji\nXr4UNlg+012M5sosE2HRx1f92dQWv9we9t5ZQz/y9RaDnOlx5jgFkOzbTt/JSYHK\nEoYNLfvzebwwsfuZU9++Q0TEcAQGJ0vGoqx6ijb8fHZ6dlV/PLZv2G2aFpr7A2bI\nXhgBT0e1HPR/UsLy+iqInjTNELL1DX37DPYrwCgMMQqtCuFOhm0PvHxWNHKHXYLo\nMKN5dnapaNTKbjaZxBjCEv/PGWkiYo8Ho3HAPrI5XAfGfvOQQfpNQI/vdFZ2YxjX\ncw/waW2gPkDz0UlsUeAo1FzFsu1esz7P1BIX4Xm8v+dplZqTv9rZ6o7qed+0vka/\nWIdHvYgcaSgvzhz6W0NQqGcOLaOX8pqYJ72ioEjuwXZjAaY+/ZVkoYeFHAa8Ujzd\nRvv7nYA3WQknaOeUALruaOXZUMT2fpxNylRYaGZ9sEgXbyTh7TI5x1QssTJoNGmI\nxYA/d04CAVGBvqMMT0n0TL/QIdAMfyO7iKNhcjaakgQi3CMwYxMRq/NkgZJxQ9Je\nAeG/i9KsMknPTDNndFNOO/omjosqhEOA+FxeWWbT+FHdtxvPbVvKHBt9+CBIYDru\nOca/A/eslrtYbiJkBaGzrZtskPi+opIf6Nrn417B8fl4q8QtaFK4ndq5B2YYbQ==\n=XdD+\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "version": "3.11.0" + } +} diff --git a/hosds/nixos/x86_64-linux/summers/secrets/audio/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/audio/secrets.yaml new file mode 100644 index 0000000..52112ca --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/audio/secrets.yaml 
@@ -0,0 +1,58 @@ +wireguard-private-key: ENC[AES256_GCM,data:9elXuNwaA1gJ/KtVnlkFbovrDGmPUfiUAlzejwRzUlCL1nL5klXsjn5BUWY=,iv:38u4rFzoidMYBhEs4xXeeJH5RgnpRqdKKjbuVU3d1bA=,tag:HJqn/RqdSh5zDyxwBYST2A==,type:str] +mpd-pw: ENC[AES256_GCM,data:prKWr8XWo2jc3DBwqMcplwS5tUadHx4RWQ==,iv:jmUj+89dCc3cHjejikTfYIXlEI1K2/Uy3uSxzcx0wbk=,tag:/hXqt2ZH9pU0IY0gMmPl+g==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVFhPK0tVanQza3ZRZFRV + dVppUzJxeDF0T3Q1bVhwRG5LUUxjNmJuYkEwCkIwaW43WUJQeGhIZU9na3J5VGdv + MUZkT0c3TjhleEkxT1pTYXJEZlk5WUEKLS0tIHprTm9OUGVBbHVCVG5LcXdiRitO + WmNEZVAzb0Z3VmlJdUY2MmoxcS9FcGsKWX4LJd/06YtoplqG3gnXdn8Q3T/TXELM + WxGx8O0tFwCSWsW1qenMWtmHc4hA5edhdgpNY0Qng1KKc/8/IKibtQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1f63r2klnpfxmntswz5xydpa75ckgjqcs2yzkm0msqwqgz9aqgu0qwzr659 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5eUkrL1Bja2g2TDAzZkpr + Wm1IalhEdWNlTUxyd1lqL21pNWtZZmVhTUJFCll2V2ZTYjd3Z01vT3NQTTBpMk1Q + cGV5MjVuQjg0N3VvSzB5OEZnUzJDOVkKLS0tIG1hWCs0K0ptQ0N1WkFPNGNnRVJo + dC9HZnJuUGF1TElMckhTNS90VzBxVTQKt9wAUfJRc7fFLwzOiPN5ilDCY/nl1DPL + 0KGjEPHfATki2sq7pIjAeY7J2LWwdnxLT4/mdj0xCltPB4zCpvEFqw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T08:00:54Z" + mac: ENC[AES256_GCM,data:QMkeCVeiq7+b4ft6ykag3VO5FDqIQp0hsBTnSEduYiA0FIR4QYmDhGVHUipUSZH/xllflxMv/CXNQqtW852LWWy8PXn7GzEXn3nEjRBZi89sEOoh03I6SfQMDWYR5wjKBy1hL7e8dZfEGONZobViM7U9YynEFqYpkvd1fK97DB4=,iv:MbchKNzaDBMF/YbBxkEUwxA0Uc/+fju4dgl/28trVV8=,tag:VwfuskgULOyBdJmJ2LCVxg==,type:str] + pgp: + - created_at: "2026-01-12T22:05:19Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/8CK6XOO+aso5SPpmPytXSyMW0D2GPtsQGloehxIeSWcSC + oUKgC4PuiTB3RBKIrYkySo3a/5esJoCvB9U2oShIf8ONHHvdrqIU6+gl5n/4LcOo + V7vCy2qYs2qZkch/4KRQYDUsBbGomoEoOVachvrI5EQLViBcZ67JUiaX2vlrmycU + 
udDehrw9BeHWLPZ3B2cmVH4IH3ylZqFtU8xzV770IKqdCirbv5c/Rz8XynpIqKZv + dzzXIjVvWp/n0C9nLuNWj2XYFTSSDE//k3hXQ6zDXnuAM6/1tlp8Ym0/CxpRe1cf + rx2XKa41J3Tq6kJK5d+BKY2TzC9rimO2DAvvDe1dPYofQd/YGmXMII71j3xSitsm + MCyR9X4fA+MiY89kf+keAg/UggvyBPitbimvUJXiuDuSRdkMxPnpP7cNYnzPdyy+ + DK6nqujDsw0JvRGyP/vvMk50hmniJTVtJtg5g6VOrfZ8wVN/8lHqe75oTy4nr2Ai + /0vKWMw78K8xsD/Sok1T9KDquov5DpLz0r8HnbfpRShSOzHOsFAgAjJrVjTeDMuy + 9ZayxRVv9TLw5SDUmeCJsiiYjzySHKxw42qAVBb8XDRMTZXWoDczG0qtTpB6HhJj + ZNBpOTttnaKJDz8Njsdw36zEJnxtyRWGeR35g38ikrzaKJTUvRPx0f91D/o4kZCF + AgwDC9FRLmchgYQBEADLSYEbTJgmYy8eE5ut8SldIpx0FNlZ50cDsbX3SB7H0+Lh + nEhy8TFRm9nj0Hu839EpnmS7fydlV+ba+NztIFk7NvrDt6vsf2gETO1NJbOrGv2X + iDIX1fuSZPO0MGdX4Jtj3tgSbT3LR62mLZBwdDl45PaT27E1Kf/2N8FYcZVsU/Fw + CFxngjVm8vngjBMOBLRumG3LOzgL+AUMjfJNrIkPwCqrfvBfuAZR8QQbpnqbIMFn + Qko/qYQKT0Q7+Gc5VC6nqITuG1UegDTolKFKncr0CG+tV6ydvvMpp7GYhDv2iFrS + GK+Lc2QHnS1uzb7gWoEbemwirJ9jax1Vs51pTwH6JuxMux4CKx2V5xDhvjKqbutM + l7qGVJdfnfe7uooP9mPZMoyhbm1rzkQzN1yXkkEVl8v9QMNpCTSC/Z3WSJdhnXTT + WCz3XgOZNld8xfyP/DvmBOSIx1ywhVxPiWPcMRU/bQMFwKrapmDqEeOCT8cm8yMt + FIpBxzD/DO6qgcegWPgNPhs4GYrIxRIBUloinvDPDj1qPX0wAk/4LVm8UTG32Mo/ + oyBVWu6Z+OpqfOJqIjapRwpYcaZj3GPgJR7qt6JK+uSSHQZQdBdhXtBCdIivlRjs + qkn7YZqLYC1Xfo9XbC9aQDZNAaQcxxM4bMMJCkJiTN76kIl35XLG9ggUff8ncdJe + AbcUeV780SsPhEVmokT8Dl2QwJ9ndA5IVoYue7SA4/Aaj/iy0nlMMUSWi0xzoB+d + Ztu27YrQwkHeFSoVeePm7kNScQsz63mByZn8s8n1Cu9gKO+Klo7ewMLgjkhPfQ== + =WLga + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/firefly/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/firefly/secrets.yaml new file mode 100644 index 0000000..c9a2874 --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/firefly/secrets.yaml 
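Review bot: The age recipient `age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u` appears in this file's `sops.age` list and in every other `summers/secrets/*/secrets.yaml` added by this commit (firefly, forgejo, freshrss, homebox, immich, jellyfin, kanidm). Each file also has a second, per-service age recipient, so the per-guest scoping looks deliberate. The shared identity can still decrypt every guest's `wireguard-private-key` and service credentials, so compromising it exposes all of them at once. Please confirm that it is a host or operator key meant to have that reach and that it is protected as carefully as the PGP key. It would also help to state the intent in the `.sops.yaml` creation rule for this directory, which is not visible in this hunk.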
@@ -0,0 +1,58 @@ +wireguard-private-key: ENC[AES256_GCM,data:PGK3JHj/xacJgxx6Ubwz/3bQlE2hYQXM6A2LvGlI+MeRzdLErTcZ4m0jJKw=,iv:fvDsmOJGvKzfoLhJzx6kab5S2kPQ+YwB4sXG+I4baRk=,tag:i7hHSnUA2n5fj4YK0L+9jQ==,type:str] +firefly-iii-app-key: ENC[AES256_GCM,data:Wu/gr1vzVcRXm96hTvSO9bIRsvZ//2ZsTVJ9igrPU1h5dGV0fkI4rwQfb+5zhy4f56Na,iv:5+c0DYC0qVNRQMwibCpWfN/ZIiDUTtjXhKuZxMq+qs8=,tag:Jx2axAZr95/EqvH2gl+rYA==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWkVMY3FMV2poVW4yMkpP + OE9idHFvd3RxOVM5QVp6RU15R01ocVpZalh3CjRuWGRwektMa0kvZ21ucXRCTnFL + TStZSHdLOUhjS2FZYkNJU3dZalhkT2sKLS0tIEhpRTBMVjZzcHBjYkdnMFhxYUZR + YVhteGpyM0szc3hFOGdlOG4zTzVPVEEKij1r1aB2Z1aSN7kYB+ZS7GExkSOzv6NJ + AdMEkwaO3v0zdPh1CM+4d4MwTDhtwUoRwkBjN8sbCPrPozp7wZz+gQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age17328xwk0z3znalpmma5rvp0lt5ghn5p8xfvnrtdxwsw80dqysacqj9j37q + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJYkFhWjlucDByY2U5M2R0 + THZhNGZOTEdwRW4rR2hqQ0t1anBydnpzaXhnCkZZbmt2MEZSSjdwUkxKVVlaNUpr + Qkp4OUVVd05jZEc1dSsxdXpZV2lSQkEKLS0tIHlNMzNlK2xVcVJVSVBlTGxtWUND + MU9HcURLQXJVVnhUbkozRUNYZDdjU3MKXGFS875yubuu5HJE5Iu1QMzdSM3BsnkH + YytEKFSIXQ+8Seu6lYSkGvdHgE3V7AQ8iamtWbO2Q7/6tUBw8EQ78w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T08:02:26Z" + mac: ENC[AES256_GCM,data:lqey6BT0Wf/manMLp7LyApRqtnerCHrPndo3w/9i3GBkpWeas9JLx6+sXZFdodc3tLjA00FF0MLm0sjDSWSz3fDfSclVNEYWUdrspH9W0a6p95GAdclJARna9ncVG2pn+Hk1QoD5EjEhvOayz2A7e3yIO2aBh8U6coc21h9L0lo=,iv:n68z6eL9UYI28eBJzYe+1QLOfkE4Fba69VgOCnFVELg=,tag:a6jli1+cn8s0Mlg65sVy8w==,type:str] + pgp: + - created_at: "2026-01-12T22:05:21Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAmUd73XL+lkM83C7ysNjtPbfHXiTVLUu1rgd9zyfM0iiY + yZ+t0FbgQ9fiRTz7myrry/EYTVo7iCWZGS+v6qYfXvOdQfRdn+0///VHZS3iL60+ + 
V3/idjs5029dpxQg47FS1DzwKs/Vyz8VEJz7ppOHFsuwE3Mb90+W0dccfXqE/MG9 + wCfidUaP2CQVtjcLQRUSpk7kAUONZF81nWQfLcR0jJA00hlyjNKftKTasEPouiWB + QbkDkvTLYZg+2PbCx7r648BlWlR+7gDhjanDZi40i+CarmUD2zutscza9hx8H6JA + 1PzYZ2BgW/A8Dogtmy6iJ5INB4Eyd9FiIr/CG4wizWbB6a/0QY8V9+iAI4aflvoU + 6/HQ/BYSgqd/C+NjlNAXBBEjSXhrFbtEo1K1Sb0Z+Q2OKK19sJrrv8shGl0gtUi2 + xSbVUUff2KnIWrX7tpNdveAkpX2Bs1ijzHxnQOVTwJyKetUoxVZB3ir3JnWqTfkF + XQwcJawvzwN7wHRIasBUh+FdZZSDsM9ujApKJiNKRz4ZIFaoallV95+YyU5cl00Y + g2wVfDgXdwnBQQKxa0NqNC+DGdEKc9Tfv01nz90rlbEUmTBKWD+sZGm/rsq4NV7c + yBqy6hLkE516wT0F6Z0osMtW8RmTARx2ayv1glwdRVTo9Qs8RkDxjRmy/r0/2dKF + AgwDC9FRLmchgYQBEACGlxYcVJzuJZn+oSMxRtirnpFNeKOgvlbgc5Jy/HmCQBge + I/h7QEaevr0XSmPc311OekXOWIVF6JOf6HJQsN0W6oU5uo7fXecqpEG5WqVQjouJ + +sVxcPAZVGbbhTycf9VXySilGXFbCbiM8nBHYF5VrCTrRYpnmJBnJ1qJ2qfzG+4C + Iys2UQHymHfumz5qj28VDv/j+DTn0ZbYEbIE9vhhtYngzXOBYkPdOX8YsWkQvGB8 + AhCO4OMGNbisIjufc6TTrVO2edqt2JcacXrSzOHj5lNpGqpK45a9lDKjm5eQAO2V + SJu5MPC5S9lLn4SjzHGMQBAr5WFH9GcftWs0WIPrPqJxRVXQt/av/fBMrnsoI0K8 + XEfyfOL56KcG95xnXFJzcgQJ1RnXAQzGPVv3fPvA39EyHDUu2VM4hN167+Y8Jgns + Iaxb2xMl1qXB6dUD/8mpyCzXdsp5JtK4jPGfOk6A2Uj4EWALbTpGhcGuPJ59Qe23 + Aao0N5Q6NU0EGzzgHMu4S+VMWk91Tol9tIgYCf80aXB30lQ1lFoXWhnItg7jrm81 + a1f+f25UKyDPQBMFmNwbmp4xjEsFqOTvGJJ1K3lI1OCGNnCeKuonpcBZlH2FovLi + c9+P8rvmmzucTndDt41ywXNaSqDl0yB+Qu/rTG4ov/17Y0vZ9sUn2kDJlfEtbdJe + AfHjxuXT9nVKeWi93hFn1Gea7oOXMeh18KqBMS440ZiymFrR5EPadXSTtQiK/LyX + 6VdwX+N/bGLdwMN+AQ3hMe/q5XtwaXle1MGTFqFdG6OjHlQDLgxng5gAP3k+5A== + =18JY + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/forgejo/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/forgejo/secrets.yaml new file mode 100644 index 0000000..074fe3e --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/forgejo/secrets.yaml 
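Review bot: `lastmodified` is 2026-01-08 but `created_at` on the `pgp` entry is 2026-01-12, in this file and in the audio, forgejo, freshrss, immich, jellyfin and kanidm `secrets.yaml` files (homebox shows 2026-01-07 against 2026-01-12). That pattern suggests the key set was re-wrapped, for example with `sops updatekeys`, after the values were last written. If that step removed or replaced a recipient, the data key and the secrets are unchanged and the previous recipient can still read them. In that case, run `sops rotate` on these files and reissue the affected credentials. If it only added a recipient, nothing further is needed.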
@@ -0,0 +1,58 @@ +wireguard-private-key: ENC[AES256_GCM,data:2/usWvtboQJ3Yc5ixT/7ZUvk74aZqYr7ZUZVE78jvlSZzfsMrXWjWxC0Bug=,iv:4nwdd+4Cr2Kjbia/5s0f2C1O6vyaBxQR8TUSKyAqJhA=,tag:ymJLP2d6SGgVsw52S7q6uA==,type:str] +kanidm-forgejo-client: ENC[AES256_GCM,data:0S2Wt2/hP8e5qMXgI2cM3GApWoQ9pEHwiA==,iv:Utq8Q1LWk0TefpcwhSvXrulrgslCSnPanGGHSMPi/pA=,tag:ou/1y+DtFi/z4P54zzZ2Uw==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZmZSdzdjUm1wRlo2aEgz + QVU5VHp4OGJsZmZaaTJOOURlczgvd21oM0RvCndQM2ZHMXNNQ2dnc2tNU2RLcFRx + UDlUZlBTdmZSR3dRNXNxRHc2a3cwdmMKLS0tIFZLYjlQdUIyTjM3SEluUVFyMTFE + Ly9qUUFqYXpDSGVrN2VkYmEvUkQ3clUKpgrTAWRPGuwyZL1PGVBhskPLxXt/j3Ez + iCEGbfAhrVeXRZuX/KXhjzefrjfrAq8ClZqdLatWF19L9lrVU8ytDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qdzkn6v3xhrfjwe8jxz3945dhyyhevwal0narjtr8whf9y7nh3wsn524u5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaT2EwNlBDMHBXSEhNam9W + WTAzWlNxTHNoSm1ZcGZaV2liN2E0b3UvcUNnCkNOQmxXMHZveDgzVFAzL3NLRm1M + ZlBVUCtpUjJ0ZzFEL3N6Njk1VTlFUDQKLS0tIDRKRTdHcUJyRUZ4RDZHN3ZTWXZT + Nms2RkhTMmJyVlA0WWI1Y2Q2ZHpXV3MKQKvjzOvay04EATmgojC72aqbhq83c7jA + 0guRoaULHaszycMsqICteNRn+tdLBh8L6EHXZC1GlJzm0e9WMeAOsw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T08:03:05Z" + mac: ENC[AES256_GCM,data:Ko12SPrZ65B+T8JIERI8a08uN87wwVndIweIxbr+TkcEsRyLCPziB8tMsTGtDIZkTG7dJywT/SeZ9gqnMgiH9mvsk7Uqi0hrmEf65fsqCVGTOi17DBRGS2rwbXkEmT3xiSL2LSe6+9rjlZ5B9ZUfO3hdhw+jy7rSdcaLu7R8LL0=,iv:GPBDabdBLbCYuKr//XlC578Mpw9LGJ/gM1etek/PtWI=,tag:5/qXhTCHxiCRka4N2qYVzw==,type:str] + pgp: + - created_at: "2026-01-12T22:05:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//WFYndpAApuPwCK8Xotduipm1kp1m9/7oy5q3l+WDHR2N + RYQyVUPYSlqzLRfRd65xgy18MHZwUP8iavWU0cnKNveB2c82rMtMRrLU1mvHPTBQ + XmLkSDAepqhbcMcXfVpOQEDjcesIKNMqLiiZtmcOPFcT2RvoyCovx3EKxlvPd4R4 + 
0CGiAiApgxz2XSOLoalzHF85p3I0/Sfvf/V9CfZ/oB199PCYF4qlPzq9Xn4D28qT + 67EglnxyFY4esd+9/QRt3B/5RRmzVK4Cc3+JxFO47V+PbkFo+GvF6tv8eUakzCI0 + Dn04VvLsQ9HhaZsjLU8WoX0GRrLjDD/1TaLmM+JFV6c97fN3IBGBSKZTdjOt55ZR + F/oAS8W6aOuqPSr4PaHEOgpzLwpu8IHZ4FNzjeHAGYlK8QjRGpq8Jm/Lz8A9Buy5 + XLS47JspVFLIU9FaWzOBHn6IIkewG/b3fM1kA51f3OFP6RprQ1OvX5g98epW8Eea + M/wFdVMU6HXS8FLAhQZ8Sll5iO0SYyzDM/tgXpXBo5/gjU17Ry1vkzJqQyWmuYWI + UqqxzHnOq/eUJIiXS8Qgkxo/WgMAEEJxLfH+KALzO/KD5PsIRmriSXVGJysXP3lY + tiJPouhDTt4+lapMjipV1bH4kHPoPlfr9fY0t7YSf7NOC5mDNqqTjSYMZXY8UKiF + AgwDC9FRLmchgYQBD/0ccxFMrAOMz4eXqQQXwTf2/nJh7Xz7GxgdhbiPprKDVSoq + mcnnyMfHTAFahRYdCczU0sIj9uX5CVZuSSCv/PqjeSZb+L3ib24EhF+TxgqEPRer + XruneHFK9yu1Y1h++3Li/77DKKDObnqgCZGrdKSgIuakkK2Ki6b9gcaTKLZN5Wmh + tE7zpYQcnRxGW3GdQAuOShsfPZqEO2YIzIecitodPxPaO8PzqTZRhoRclmL91MDT + MtthC4ik7MDEV9nz8oV/u4pqf1j+xJZ23u96Kl4KkowIK7rSE1OYU4onw2mKXgNR + FS+3xqw/BFXgXMkXW+F9GyGPZkxCWuztZozIh9UyCiOErpzPDG/5Hy7v6BzzKaJQ + YMlukdhUw3B9ciB86lKoJSgiZpHeU2J8LZ649lGQXNlplEZnWOkyWWS0/g1Bt2VC + B5egnFOA2ueFGWg1VUzKcIFq/DsqMOXnUMh63KuQrAIovuQnYLyDavGt2Il1LVHj + tiVE5svsFd3o9JyUE8YcP0VDKTcbr/kVJHYA3o+7fLtUD6TEdiQxp3Z/ZPHdCftE + o9t80iekS8k5TYOJ79XWlGw7o+Ip9Zh4G+NpHmKLZaLGrnEFuBMnDRVUsU0CxG0S + ZgUbjLwcX4QxdBEKEgnDip2ink1IdciSlNBpYX6btRt2EPDz6bxISGsI5kTKZtJe + AV6D7C/OYyDUPCfT8WlcDfF/hGiSnf5NWeIlZQ+g1DOuEYDt2jztNFhziVvhsQoO + VEC3iYgq28WyTrQog+3F/ktu4x883js1bbtFZ/b6o9ZM8oKbfuYtUO0v/7CmCg== + =5YlB + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/freshrss/pii.nix.enc b/hosds/nixos/x86_64-linux/summers/secrets/freshrss/pii.nix.enc new file mode 100644 index 0000000..590bc94 --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/freshrss/pii.nix.enc 
@@ -0,0 +1,25 @@ +{ + "data": "ENC[AES256_GCM,data:tGnvFaZgx1Gi59DYlV/4+VswuvBY5K/XN6yomaFk9AnsslowtKAPKHyH5dM5rqe0n+Ua7kI=,iv:qwXybQUGanHXQXzDU+jJn/FI5mmi+PNUOCTsh97tmDg=,tag:jQtXaFNJL5jeTtSodMCmiA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5TXJSbjhWcnVqaWlKV2M2\nQ2lNUW0ySkh2TFdLblhmMWxuWXhJSndFc0ZvCmkrRnBxT3VRc1JoQzMzWUVHMTlr\nc0N0R3R6SzVwOHYwQXI0eFVOakdQWlkKLS0tIHcrMXBBS0lRTzN3Nk5YaUhxOFk1\nS3FpRXFQRTBNL3hRMTdlSlFXSUdSQ0kK3OhWMXUSPhfADCmiuRfsIv+GJ0SY0sar\nVchVKmqPjGg+ALF/krwjaIcE2zrlK2tsngGja2rO5vZ8YS5BFzVQ0g==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLeEV3YXJqaCtoTUtVNzho\nNk9Dbmd2bmNXTUx2VS9rNzVhTmR4WEM2Q3hBCmo4QnlMN0ZuUHRvUjhZTHdET1o2\nTmw3TUZTMEVCMGpja01TSGRCTTExY1UKLS0tIFAzTDIwRHplNHFyMkVmUjVxNjNL\nWTQ3YWRkVnJoWGRucTJHaXpHMUN3VkkKFWSY1u7Ksv7SO04f0pzRYSk0GWz0lvXv\na3Pd+lGrH0q3CX1i7beq587bNgqxTdDlWzsSQSAxWkacqwb1eB3KAA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-08T08:05:49Z", + "mac": "ENC[AES256_GCM,data:sIUIH1PfvCnm2nlmUOCHX/CihlLTcNP6PWCRH3tqpwS13uYF1DHv7Km0DiZJ48YOBbCiXNwEVzCttem+BXCvi0eDkqUasAIjBOmWBp+W9Z8bnDk5luztxLeb6OKqO5/8rrR+bXgb5Z3cRiV4VquVMA0nOkHq4f7HvQ3UyTWtJTs=,iv:hmKYcWSfdnI+mjUvH6zO1PP/wDj04H454arzROjs/tE=,tag:zY+CBOj2DNRhKNkdwnYhPw==,type:str]", + "pgp": [ + { + "created_at": "2026-01-08T08:05:35Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAmEfso+foaYdccWYWrumexWByHdZHdC2PzyiIWWUIddY2\neXifkUu4/x5lI2eRrAGqUTJqbtwlMloq4uUcZChkTRXhOv7NLLstnE6PAfhsCOOq\nG76DjeI3cVQnFdIP7krTHPyZYBrk/iq2KAh91EDYQnmBBKy8RT77/b0tzyJgpKOp\nIs1YqMQfP6RQJeDJXFGJy+KljTsyn6lxRjQ9Fa8N+UmbZjX8QW8ZNU+Za9J/r+5u\nlznZ/V02jB2tRpOOnJSORrLMy7mIMBN6j08hbb5T2dcHQUTnz9VEJx10FTHCY43I\nMFGzt6Etv1Pd/TkGQILlY6goIeyTzvlfa2Kd+M0N5YzA64MBhOHCJ00yB3rIAy0R\n5a6BWl6t9zlU+YxMTaC0bZdclBp9E/4uDJBVHWcWTRHKgiYndFbIq0uc+FUSQnXQ\ndXM7f6wSLOR0Gk8pUXSGyoi8rTYri5DKyVeRg6H0JddIkEKMLBx7UD9Z1u9kFpTE\nqlJuYip+95DSr7UbE3WSuoFmX+ZHv2XCK+rW9k8MNYu9EY2VbE+dmHCytITpdrlU\nJyAHfIvzteRm9Ub5KyYkZU8O2ARfP7V49p4IGZDVPM42IcERbpmYUORi83e3VlWt\nllYrORH/l4qYLd6LPQJVhPOguNlHk5GomWo5ozd1AQWmLXbX9E7uG+zvo3QVAgqF\nAgwDC9FRLmchgYQBD/0S7E4be6vcAb9P9WfwPWiYR2SGa5qZCGsgnXmroAYft3yc\nxFM0T/NP8Q2sFT4DU8rn06jBQnKG9sb7hIfMTOTbBzrERQEPwNOOlhRMesM7DlIi\nHG5VTvkYk1k3akYjk5L9WCE7GMU6ZUb93K3DamESt1bxwdRm/UwrcgdbEu8YHX4c\nm7rLg9T/f4OVojMh/gKZ9RrwkpZE+d769FSOql42gTLheYjGWarntE9TMFZGnOZ3\n5KTvl8AfZwN+j7/LIu/6EtMhvmHy4UHNR4wiadY1ONQ1hlPPapBbFdayy6ap1azb\nK4e1vYFOj+8FnDO0TUGidZM7JUoOSb039Tc6lcI6qc5dtusQTJyD6kBX7BJq+mgU\nCDbgMjmLdSU8d4nTHB1KWZimIDoGvste0+sF6f4cBHfYW+QzqPikYlw8TdZvRQ/1\n3Q01dEgg7LrgNBjMSUZvfaYYkcSz+Uqkhs0vq65XLmAMfGKIvqFrqPSjRuJ5vQV7\nByrRj+rL36th/3Jew25sBbR4RIjo4otfSWIga10epijVs+14D2g6c+bKPf3vk6ZF\nT04KP80pLpk7zTlYJI1OqxJFLMiONZs5LxHdfNSMFGw9euHuODQVPKZBE5c52KhQ\nn05tWLkOBzyiiAd50fzaVQxa628VBhCHFlIG75ZC+wCgV+urFasooBRoUhxAntJe\nAYhJ1fiT5W/vhYZy8AVDnidVPv6EpZ4DwF7E4wm0rx/Vy/np2jXiavraMGEL/m4/\nM62snldKaZgGFc6K8DTZdbrGBGySZ2LvAP8QYNGckQ5CW/5CiCCS+NEqEVKhZw==\n=FEUR\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "version": "3.11.0" + } +} diff --git a/hosds/nixos/x86_64-linux/summers/secrets/freshrss/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/freshrss/secrets.yaml new file mode 100644 index 0000000..a327548 --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/freshrss/secrets.yaml 
@@ -0,0 +1,60 @@ +wireguard-private-key: ENC[AES256_GCM,data:NrUaY1DMA+fOLEZ9kPJmrCIHUDZxg46XFjcxTkt2Y11WOTl1ky4BYEXElgI=,iv:VAPVXRtIsHQX2DitGwy24dK+9zq2IY0nL7BuZvl8xXw=,tag:bKC4BGI3CDl7qhM80ak0GA==,type:str] +freshrss-pw: ENC[AES256_GCM,data:nOwhGTTUN9tJkU8=,iv:6urp7o0LewW2yQep6LGEWUn7jxk92pLClOwWyT416R0=,tag:5V0xDwwjeEdIlaU0qNJ9nw==,type:str] +freshrss-oidc-crypto-key: ENC[AES256_GCM,data:nEoIHlKXpgKlJ1iFKLUdb6QVcU8fMRoZ+oghGlrnH1q39HjBrNrzmA==,iv:7LWlVkeaviBlsU6aEevF/icHgROR4uThxCD59txUmTM=,tag:P/+UQHHz+t8BckaWhjKYig==,type:str] +kanidm-freshrss-client: ENC[AES256_GCM,data:BTPaUyI7qrBpiB+0zQKJw9odT0fRLc+zFg==,iv:9u25+thsHm+0Ganm0z5QtsgFBGccpAIPQa0aYqqHkXA=,tag:cgCvMIs7jUMe7QiDPznbtA==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCclk0UDk1MDhkWXZZUGxM + Zkg4SVdpWmYwZGx1QW1uVWYzU1JZWUgzcVFvCml4RjBydWk0cUVaUkVhWENYSE1G + RC9pTHdPRzBNOEVSdUZnWWthQjFxajQKLS0tIDBtOHlxRTJTRENIMGR5SmUrTWpZ + RElERUIxWW1NZkdLa3M5ZkQrMkFuWTAKODsEiS7hjvztH4YYkiK8Fr4Do+wbroun + 5SGawFG8NmN8P0WWVURKpDDafP4plVHj5YOkoAZJXgo0NyoOLsXjmA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1etgfym5m8hn3hxs6cgg757zcv5zg5n22wq38fuq59n7qk7nef5uqyg6vvs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUW4zTWhQOTEraldVeUp2 + ZHpVeStLRmlvcCtpOHlGTDFYZWVKYXpka1JVCk5IblN5OHZDRnZid1RwenlCRlJh + MnRYSVRXcEtyRHo1M2JNdEJHTkpNazQKLS0tIHUvMkUyQ24vSk9hWnl0cjlEQnlN + MTJsZzFzVDZoZ3lnKzVLNk5MZ3N4WmcKEziK8e7aqxGqJwOG4s8jfUmjiL+gs6sY + KEI5LugBaF66fAB3Qf9RX3XaaWWSQ3C/yuiv7h60kE5tEZLPtZxssA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T08:01:49Z" + mac: 
ENC[AES256_GCM,data:+RtsIjA8DXxCGeTqsb24DQdP04/8oEvviiYp+SSfvCiUL4nu/WkAIAHdcC+Gvw379vnq1N38JPycB3mQbyabC2lUJ85oEMmfn6YDdsoIxvdDuJuN5VGhLkqXdwgkfJZU+e1XUDkGmAalWeNFTlE7i51qecVevdjPf10YW/V1QZw=,iv:TEYHADkS50xgUCQ4ftWv5YcIqSX+cYgeNbPxSbp0+fI=,tag:+PoSBjFfV99vOZIkNJaXcQ==,type:str] + pgp: + - created_at: "2026-01-12T22:05:23Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//TVYAbB7pn/T+SaE0DRIYBFVG8PAiyh3zLt3LcJyYZcwy + sVqcJgbIMMTDqJck0XC/RCzIAGhHiSai2rK/TUh1Wm+xQxPIVu5YnmP5mZlX6jVU + EZ9KRuzBK2Kc6FTbinOR9KZlxHKre8QaUNKtXReha4J7A+qQ2wqt41uKupXXGGNv + /NejcbMjeyBUQjkIzT3H5bVZLTOeiv4/tc66Y24p/pz3vcSlUO0GubJ1/sbu3B4o + K/NZ2HC/OchsBJt2Y27PvEIbZJEzY7ysW9tOs6TNEBTCgx1o86WxeHAxvyx9PRGs + 6Rx2aSBLSiZe3AJSauOVmJJDQ1nIOg0vHAH86+vLjqeXGAAvJgJOOTo+/q9M059k + xKYmXSI6LNnqu+6vGPHutzv+oO/6Gv2vSy8n7zO1bahlAndluFMkOMKzkxqooCV6 + v6a1r6slW29Z8UeUlG1iRV5634NvvlQBhp4ig9euKwq8FEY+dz6XUFqnMbY+auE2 + NRwVstJTriTKuBo8stXP2tyvwdpfMem4A5ZSpl6kowx9gvWMiU7aG+U/CLEMHtHY + hWv66eNnjC99tLAJ3lqH8Bd4UY0m0i/P5NFZWRASESay/NSa2BFubNYI6krVWTo8 + uLuvUXSnS+QmlZnr6Bj8nuKUto7naMVkRbiT7t/IMe2vLZrX572c4Ye4/oJJIXKF + AgwDC9FRLmchgYQBEACLXg3KxCtZvfv9ACfHU0jR05aq4vq6/RNwb82KHNNjHSYb + LWSiEkBVl4bb5isRv4EK3CpuuTL1Jv2XIfmd/NjHjZsQRAu2gBcmftXNpBzX4VwT + rB0mBBKGyUWdeleGPOyXvucrAjOqJ4gOVJxrGp2RUbPcUG/aqpuSbmJFx8S5qpsb + ZEdMdNLVZfKzzP4Z7fpPuu5AXyJ+O3IPpFqvChdM04VMYAECGhoZZzIt6UIHkzrO + BBNaXLniznNZ5LKArog8G9WfYcC6egmEP50SYygGok+66QwkTdM0XttUq2M17KwP + xA2Ybgh8JuSI44LJOfx6zeLQqku0hBfmVuvyw9YVoicoZisN/jJYtkk9XOmILlPk + Fw0tn/cy6h51CqNbweGY0KTDxY6pZTEXP21CyLqAWQ+B01JB+zuEq6C7MEH+bfZU + L7Z61tN+j64IRvYGf0YP03Dj4D1vsJ+zp7asQ41MFu5HpAzfU7xcrpa3EgGRYxkT + 6b9m/eAyf8+olEbzVgLC0UkzofXvJLjxuk4zmxdF2WOuKoV+yt5kFjXQGaLozqTN + ypbERn5QCZ6hLYUFOvsqw9avfVLRPVq8JF1YLKEQfVjC20wo6BuwcosbwLeHLI08 + NAHCLHC/6iv2/Fji/57sKcy+qgoIYOhAvWE8wtqCU75379UUIORNFaERaqizy9Je + AXWoZICaEAb556k67dLO73IW5/2yhNiYGzMluHWRcczaKaVmKzrdjjFKhFx3mMof + SmR3Ga9QprYqOXas+Ouok4Qe/zj6YCW8BUcDHFB05OUl5pFRL5ksTNh5V1WrlA== + =RK/j + -----END PGP 
MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/homebox/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/homebox/secrets.yaml new file mode 100644 index 0000000..d939671 --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/homebox/secrets.yaml 
@@ -0,0 +1,57 @@ +wireguard-private-key: ENC[AES256_GCM,data:uDvv70RDyd0DEA0IAowsBLKew2k1TzMPmrVmIW1ZuMtSYxpstq8x5l2MPN8=,iv:02HfUl4lUkhlBzgOfvv+hRoyMMAaGcf9PooRAZzgjK0=,tag:dL/qhDLjzMP/4ENUcF3WHQ==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaE9zbmtDVHpBd3NYcWEv + aVVFVmlESDJJb1ZhaDJoei9VeVRQQURaanlVCjErQ2FUYkhyajczSUxSbmF6R2Z3 + em9RVUlnTHdrNXMzRzIvOTJ5UE84RFEKLS0tIDg2WFNQWktUQnAraW9HeDB5OXhT + MTMzMW5zWFloeGxpeGpjcFFZQktJc0EKnuwMW7Zrtr8XZCJM2E8M3WcH+0Ecxz6n + y1bQvo329+Ssx6Igf/NYLzaQVtTgrjrAVgQb4zSu93Ofa8tFRHbcaA== + -----END AGE ENCRYPTED FILE----- + - recipient: age17mugmkdw0y768a3huuf37r45eff9apyknxvwk3agg6xzsjmqp96q57tcty + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJQ1F4NkdvTmpwQ2w2YUVX + WFV2MGkwb1dGT21Xa2c4TlJiZlUwUmgxWHpnCkVOcGZVV1pRSGhIUDhVUXRpM2E4 + dWRKM0VNRTdqN3V1b3hZSUVCRnEveXcKLS0tIGN6b3ppcmg4VFNyNzlSTHY4YzVh + REhGbStZeENKNStwVEZiZVpPRGRmYTQKCBks5jrHBOT8xMGtssxM0ojTED/j3KWP + d3vcpKALxweAgdYExZBYrfg54gL+swAqEB8rLW13+ZOB1xskrg/HkQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-07T13:36:38Z" + mac: ENC[AES256_GCM,data:4ZeARGvSyuzNT2vFJ9ou0JeZ9wyTU443BLHINsEzchHDCB/xlMjhrt9N0DIX+EfkMZiRukUw5C56HNgBfD5uEBgt1lbdBfLQOnUgVlP3EC7HXPZXYEOtS9kj2j2VTBHnGFOZKDiBVgQNJkJ6QBmJtx2rEwQcCax3DeHO/RyLleY=,iv:sCrpoKKTN6X6GoxPQvSaCaiY3b4o9QzLWCus62ltLwk=,tag:kN4UXDS68/OvEi8ZYafLFA==,type:str] + pgp: + - created_at: "2026-01-12T22:05:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/+KFmJTYxoCvXPkfwNcE0+ikAQ82yGFshGAdcF78Hw0i1y + CxWY6qhMi9AmJ59Omqkh0IVHqETUicBLoEGvKIZTb6KBf304TYP6DYZs9+Azg/9O + acdJDz0rkYDP0c3CAKGhGic66acaxxiRiDvkYuYNtpiR+vzvZPmG07SDBw71uxfZ + GKug0y8+6i2vdQKx8ddfiNwey3IGTj6o/B1jW1f1HeRno/qfRjmb29O9HF0JcAnD + syWa2jjVY8hz1CcxErPx3iA5U+I7L2wMj4mIIG2x0kJo3hKRwnkRGG5o5pi4RbAg + 
tzR5t5Sg8TsLWGA5Btx4HJkTOIVEG3oIuwBUGwlGu/f5U43KCt8Pyf9wmQ9Zy793 + aDLTMpe6kQP/23vkzVSKQVPduNPMntvqmDXuq2iu3c9reO++Cri5z/uEM74gjdTF + b0raKr45o++YaZwbU0iCDSkUY39Ne9IUoqyiQTfKCS6VqtwzzpscgpzwV9ND8O6l + J5ynTpAHBQMUF91Tx108b7F0BKLs+8I/t28ehqv2WdkxvoNSfmHGwCmIzKuf/C6W + j/sIjUAFNU6qpjlYVa4n9Ko9jvmM2aL8WVO51QSFiqDT7OOWAr8vYKdYRaMOk81V + NIyqE7lPlR+MKBaYW+LJfp2JLoyYlvi5vrVnfZuxxVw6HWzf0ejiIDiTReRbg3CF + AgwDC9FRLmchgYQBEACs+xJcoHuykH7AUANoOgya6GKTENYbH5ICGmxwxGQbtA/q + Vs/wqmK3eWkLLOqiGKKHdynvUx1/jSUSqxSUtLY/KMb3905MOH8ar84K8fgJpPQF + Du3SJFWfuZJ7xni2HNLrmaR57hl9DN5evnJ3U043Gey4b6BQV4jeanvNCSF2F8oQ + v9Vc1EKZM02Ia0NjtYkDHVoGyjTKB1su2ah4vlyD8pqyjMu+WYtay4lTcWCOLxKA + ivR5X8QWfm9jFuINTTt8YdLkx9KsM9ecc3+NDgYOVY9RbrnReOaHPgYjmEXddVd8 + J+ok/ekoIw4wa6w/fiRYjNMYYAcenxc/mVBBVE10jeDaL9YwJUnwaa+8G/wGcrFL + iWjI9BeP54YJhpI08oaK3UWSFg5673XX6Na8p/pgbxPyIT88axoqNMU80VW0mvc1 + rd5j1LQiKNqDMEPV5hLbfBlKYrTzIG2V0F9YYlh9NWMzOyUdHoMmY75AmKKJB/p1 + M/Mz2ILI57ubuq3Oj0MAkX/fOsNefVs7VmTybuAdI2lViB9FzBGtb1TlFvTmW5LZ + cu19rt4N0vxfcrAbLhsVTAsA1zKwAnyQUSRRd9aRqXPVCRr4pPTLxEOZCPHnCBDZ + tTX8/27F85sUU4iozC8Nb8O37NRy7sRWL4BfPLeq9QWG8n7XmnH6zAn55V93Y9Je + Aaxk9LcteNGywk6hxyI50cBir4PEIEwQj9oRwy0URH7UIX7BUojRF1hV+Mus38is + Va1BiIOCn0YHfd7tBeggbjV5A+OkD6exDVCZBXaC4E7Ueoxd2udaYXsfHvjABA== + =tJZv + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/immich/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/immich/secrets.yaml new file mode 100644 index 0000000..e56b4c6 --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/immich/secrets.yaml 
@@ -0,0 +1,57 @@ +wireguard-private-key: ENC[AES256_GCM,data:rTVAsx0XyI7i1coICpFjANV6CpWSjDTlvdOxu1yLggei/XZKeRuDmv1PsE8=,iv:P0S+juvE3LswavDMPpoxUYkKCzGlYaaEpIg7DBwvoc4=,tag:hIrOXG4F5qkK10VIjtiggg==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYXU2U1JseXZLZEVOanMr + RW52NlZJcTgrZTRpQkwvcG54YUFqYzJkSkZzCnhwczNqeXozSm90a2RkTDBiZnpW + RUpRUFpHd01uUWRhMVZ1UnBJQk9SZXcKLS0tIDNmQlF2YlkrWmxwWU5wb01odjdy + Mk93dFJnd0tDR1BOL3RBa00yOWd1OEEKL1DJeQo76MdgbZlq2N6yribiUtlD3wiV + 1UcZWDnGMM3uC7LjdR6xK2qDiG64SqWhlo8FSrHLL/42GTJ/1irfXw== + -----END AGE ENCRYPTED FILE----- + - recipient: age16gf76uustmyyksm3t56zcq9g6j8avy0wrngh8laknfq733s5welqedeg4x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0lrTWJielNmS1ZTMTh3 + bmx4anJ0NHdONlVGKzZPdGs2emlMck9lN2pvCmhVRHBWUFV1Y21STXYxaXRXWm9k + dDFhTU9qSTV3NW94Wk5CeFJJOXhGeWcKLS0tIFB6dFVzVm1oTmczYlgrVmphSngy + NitRanVvVS9XalBxYVJjT0dhSEVMK2MK4+NFlbWqdCEDSln+gSIsCqIsYwRXb/aN + 8GW2+Jl/4zrPiM6vG0s9IxZq/4qJkIO9UX1AIFuKemz3S63WYcpE2A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-07T13:36:39Z" + mac: ENC[AES256_GCM,data:KYqOMm6Xk04/1nwEXaX+Htkovwa+RbHtZH3Nd9S/K1bjdZZESpka7Kxib+mf9ezBnTdJTBzwacf0bgQnU+rpQWxBvWz65K8RAHcJms0JoNYEPWJkIeG9/KdV2iefPcml5SOFID8Xr/KpISfnayS4CGUWRFU8DyDtb30g9DQ2Peg=,iv:3QT6PqinySd6lUWBNxpxBxsY7VVmrnFqUxjLbsMMYR0=,tag:SLkWHWnnxNn0j+lnGnJGeQ==,type:str] + pgp: + - created_at: "2026-01-12T22:05:26Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//XiTwGjbH1zmdMP9/hLdvavEYfiVKD6TjtMiSKrGMOa9h + VIr7DRjrIzYm6E8j5sbpEFRNIjOu/vcHvr5NCoZN0tmwqXvbi56RE/QypbZcx7nt + fGtOj6hgFdm3deWU/JCx1uAXF0fFiyy7G0+YqrZEfzihaOzyPrUp6uqu+Bb4Eli2 + 2CuupTa6zBP1kAzJKToT+F8pGFPHGk4Ji55wWQTnaRe24A4xFQryGhAGTkrnMxpW + 796XN18IqRXcpvg4tOEADILzmjJ3WcNeYi2oF4WSqpRDUadEoUwWWo5Zdtt1SGFs + 
H77wIAArmoRHsPWojfjWGQNi6Xcfazy1F8HocaanEJ/dV0MwTiIfhXjeZSevo/WP + VDs1UsITkBGpG7FF1sYZv/9GhL3CE74e0LuAifx14tmPhRk46vAnNXjR3vHNSR8+ + iREIAZXluLnhWn63bC9TGBm2ROEP0hpXVyHELiBXS5Pa36DaPDnrJVxehjzwerTC + Ow/R7GkqAPDHqtOcXNpt1hJtMETKmZ8lXcauZWBWCHgHS2nDTBv03zsfk+7GwCpj + O49Gr40nxU4rSxPqoMuwJY1A4/dYeEAC0QpuDnddPq3O0tHgcvlFYgw4Tb0EAtWf + TYUN7hd6WCHc4QUjmoLq2b5Lt5DpNEfPhAqWX3sL9bEr1EBKRxuGxF1WuJ1Ki+2F + AgwDC9FRLmchgYQBD/0aedT/5S53nq2U49lJNxXhlo6X3bD9TD/NAmooQeiCqFgJ + xY9YJd/Z2eboKOQwoySXozrIM797WfIZ0W8ywUnGfYnboncojiQfASMvW483EHum + h3KdpTa2IOZ2cnqJmUQZrGVO7iG+gkiLXZJpRupGLp+XLVVaN7w4mN8bB1anQT4S + yn0i3+SFBstDgfFjHbvt7nrWE5KEavCzLbYAO5MJ0JYs0ei7ScZeyI0q0IvwaQLm + HL0cbnVXyrLtj70UpbgrIemRMZqjyGZ5IPmx62ssc7CuKgvnT76ybDmcw/REs1qv + bCibxeBaiWBAhZPz5bHEcTnFQgAFdqiycoXRXYgTUgM98tHjTv09sKTVVfZnxcMr + I+ca3bHXb7OxZjaoeYFqqV09vyBnibqVVJ9BsyLsRZtUSN5Fwih3d3Vw25oA/UOU + DCvwjL/V1gzOgLqfRWJRBxdNWbtbmzF4SbyK/P62PPX8pVE8EZbsISJZOkUajKXX + 5aT/IvDUHjo7aVdK8ulMK/ljlHyAM/DgqnhxnVCe6xfQMiEVB2iJwN1925eDm3MY + N0UAItV6SR4FaXLnzEsgO2Hkks3nWKVjdjGU++9AOawKdORLJPvrP+apxuftxb6k + szB6s+r59yjxVugKM8IHEPvUZ6n75Kr/FiQZP6vPnBMgh6vfaYcAXs3FvwBR29Je + Acfyypf9TzhI/s1a52FCX96etZj3e+CmLpBJVbbALPpWnggGKCcKpkIxEAa+CAoR + ZOZj1ZjcdHVc84U3lma8yi66pK9J1sVb2Td68oN5Axma0hQwG1GIjdfTPWklbg== + =Dv7n + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/jellyfin/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/jellyfin/secrets.yaml new file mode 100644 index 0000000..0f284c9 --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/jellyfin/secrets.yaml 
@@ -0,0 +1,57 @@ +wireguard-private-key: ENC[AES256_GCM,data:5o3vhdHriS1Iau5/wS/QM2IKlIGn1Aua+M9blroPrOgfBWLtLxzhBcAzJ/A=,iv:zv4ZvP5gIJ5Y1dC2H0AqqMRIGFE/QJ8ztp6yG/QfDZE=,tag:W6BWuHk594xqd6WwEN6n4w==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbGwveGRMZ1pGRkJXTlB6 + cVQrdng4VHR1dUo5WnFBUTRSUERsT3ZmcTJnCjQrUWpaZ3JwNVYvOEMyTUNGTzF2 + VVE0aldqcWR3ZitNamloVVRCYVJEM1EKLS0tIGVGTEF3RDNJRGtzL0NtNytKd3N2 + d1kyZnhFY3llb3BCVjZqK3Z5WXMxMjQKrRw1Bc1TLgErVOgwfbAvZPFJiBfOExGl + Sri9+si8AmsqmtjRsXOHesI32LrCgJfSAnxUZgdXzJQeaIyhnxvDog== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fnvlmhzju0yq908xtgags0sy85q3tacl2sc3w3vdd3yfp27xv5aq06v948 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGazRvZnczUVp2MGhYOW9F + UkJlV3pxMjM5VkVwaEJMZFZTNmE5bDdxUHlBCm1HY3lVUVIwNGNUUUhnM2ZseVlj + ejJJNi9OTnhBZjJTbUsrUS9rd2d6TDAKLS0tIHNIMGpwT01BS2gxODZQMUhBUGRN + NE5IWnpBQUhsK3BVUjFOQUZnOWw2SlkK5KKCFPVNSM6ceIIMtmLqBUNyasu3y7Y1 + 6FR9AFTK/hP6s71OdVEChEG6GX3Gsm8ym3AiSFF573wfUPs9GM9gXw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-07T13:36:40Z" + mac: ENC[AES256_GCM,data:Ep/6toPN64tEaCGEnO8dIUd14x5JB5TSfw9A5J3KFkhCAhCoMW29yzuqHMy7iBRwS9VqJS3R0g7SL8x6dIzsHmT9sZ3m0gihGZsM9Psc24NOi6iWfOLyNApwTsI+LhL1CEcspb/quvm4Nh+xSnYXhap+3+rPtMGpyVtgyNgN2eU=,iv:zhi6NU4lPOJ+X5KIbVpDS3mz418psH9nu8qtguKQ7po=,tag:FjePycuZddog47Wwmu94wg==,type:str] + pgp: + - created_at: "2026-01-12T22:05:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAA0bPcknehmkuWwEODvm6Y8L/a/R3QyZWOnFYQF1RCeJ2U + w6VAkCLRjog8cpi8CiWLUY8JJo2Ui/Ei+0SiUYUuaxkIdlqonhddXa1VxOANRLLd + OIguTv+YQtGuZF6vmlABtV3ntUbC590iuZdHHjOa6BUBLFWJgqBNe4Adkrj5WP4e + 76uZgFTEtBt0paaijd7HuIhdYiAbM9pOKkWRbuHNqlMSdbJJSFCVspL6oBwHWJrs + xPCUVZIRR2rVjaj9VoQPKAucbLyxBc7TQVpZQlMNSJTNGRmeCaj2Dzm23rAvRch9 + 
0t8YGsiovwDBe/JZLQPliqEYjIvst1r9+Fjd1YYuwPFJlYQLL5hj3tVL/RJ/XiOu + 8r4ftgKbwon9KMQCUALXvHzPnD/3+YzdXk2jr6/B7e/N8d93P46xIivCtu3wN+yY + zkpbJbtjLzyQ2Ixazo9zVFmammoGLt/amZdBwD1DRWNI1dE6a7l9Kelza6S8XEwg + 5OQ3bQU/n5/adjmyP3wdQW+1+lIZY0F7CQ1Lh0mBNFe84jVus3tg/sExuTD+rVpF + ACUKaoNhEK/S90TUMVTbRL86wSTE6gsdgg/NB2BS1W0rGnxpCAr49stebWRT+lCM + ic3qvni6b9EDz56bWYOWjPwsKjdxgnXTmcMHChDCRwoGNsJcDj3CxXiG1B48ltiF + AgwDC9FRLmchgYQBEACeYohAxHIrt66T7PChHNbvADgC9u+Q4fnk1w4sSZHYxcxk + r4UB4ocJb25VmUh8JhJTY3E2XmtsViMoSlu05cGyOsg8afgadl4Q35KXWhaU+UyV + n+gUWHycZxy3cyaa5o7m+Xk/jlz+dBHf25F2iUT0PVacQ/idjfSY/nlt9GhXYJfD + 5MVwLfJKgJ71xatgHwI60hg+a/im2TgP2t25lVlNotDoLfuGAXuCISLdtIN6k+xq + rX0spBd2PnF19joXqb+m/OTOM+4l+PcKAWcbkL8PWnUSO9w87soIlE4HdMN3sqlX + HJVuyI+Dra97P9ALr+z3jyzoObgQmx72xt8jGGxdMLbhDmXpYWJ9TnTMxOwF5/T9 + HUpg1cipbz2hCuFC2TtCyoE1yzZIuNvzyMRapK4yGwdeBlTzPBOEWVVokd5GS7wj + r9aqWDDbeC+oPTtufIcxRup6USlX3eEIVtF2zFPyg82XJKzzIT/4x4sY1pulm7NZ + fjHZNv6h2PUSfVqneMr92ViBPyn6nU5YA++6n60LAkntNSoDWtSbIi8hpQa1XIVs + LPGi3z1TVNO5fZtzXJFfyKID5dd9l4/Xjm/IBOXbLrVTJgb98Iop2XfssJhAxjGp + ydV7fxcUrVh9RbJe4NiDTFE5Pw9t+f0QxQnSyFcsS1jC+g786MPbM81X4Q/cWdJe + Abdk26c22iMEpRch7qJxo9tddXrao5P10Tr3FSy4WEUDScglb75NGxgTXloWNaiL + pKS56PaycTEJ7y2rb8T3e7c6dJj/Kx2N1rkxikI8UYO9DbRE1AU4czgVwRLUZA== + =hRaf + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/kanidm/pii.nix.enc b/hosds/nixos/x86_64-linux/summers/secrets/kanidm/pii.nix.enc new file mode 100644 index 0000000..a3d55ea --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/kanidm/pii.nix.enc 
@@ -0,0 +1,25 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:sgvuk9gDz4fAzPae/pTkIklwUgI2h060SfBYRwcnzsU=,tag:cOUYD7HldKqLL8rxPElChQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUUh1YXJ0VXh4UHJkWGxy\nNE1nOGtnZDhGRjVDdmhTQWZHSGhWY3QwT1VFCkU0QkhicDZpTUdDMjNGY1NqR0x0\nYytac3ZZbHArZjl4MGZRWGVIQWkzREEKLS0tIEswTnRpT2hZdU5sSUxUcTFYMGxR\ndE1DNlh5c3g0NXorZTM2RUk0YmF3NnMK3JvfEq73WuuzrAXPbR2BB4orj39P+KU5\n0ICepOK4GXYWXbmTDqTb/vn88uB8iaTl3F93Wv7VC450miouEYmcxA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5elg1N1NoMDVXdGU2TzBW\neFl4K2E1dXlWZFlQUnhSekV3a2k1ZjNKYURJCmFZZ0taWFJuNUlrTjZvTUxTM0Zo\nZEVNcDFvdjhBN1FGRkpNWEE3bHpHM28KLS0tIC8xVFR2czNqd3FoREZPRkpqcStq\ncTF1dXJQWHdEaVF4YzNYREFZRVpOQ2MK6XoP4eXUJr/eHh9OwPoPzeYvCT1yAqBC\nY3Xdw+crV4XXR9PytImJua6j+eHdCeB9qPyHFcJOB0oOhhae4XOjxA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-08T08:04:16Z", + "mac": "ENC[AES256_GCM,data:QNIiEvJR1UTFt2Rtk5GBl8ALPx2DvSWUhl4Q9O96aCMTbJt6iwQpisGN9O8o4m4a/nHdeOV8auxmNnQ16j/HhPLwv6cEwdfvHcKZcB1F7e1bslBufA9hgcAnkfng9nbMIMmn6RbCF5vFjcTwCrNYNQ4QqluuuuSHrA8TQ+gkiOE=,iv:vmOsmY90VjkCULuorn3sKxn+JQKNXKo5INax66xa0n8=,tag:nIYcopB+0C5hkzvVao6Avw==,type:str]", + "pgp": [ + { + "created_at": "2026-01-08T08:03:56Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAzdR1BVqaHG2eDsDqPPCEA/jeKqAW6claqA7Ggx/aEeE2\nJlvka3MvrBS3YT9rlDbks/bMWoWeKWBu+dVW3lsMJEhAPhmJ6rWUg+13BPQWKblj\nli7xFqT9EOtlea9i/xZDDY+wjRAtj54dNZGft3X27IZLgWxaKMjxhmoqCzHk8Erk\nW+2Lwjfrs5u3v6f3l7DafzMr2uEB5QUOsLGvvEwW3pd9SLinZqRMqGxkRHjhoppD\nB9BEDQmkWFpm8QJWvlmixpgCVKYAB9bwyjmYbXvzpMS2Of2tgDcMTu3EC4Rkl1z5\n+SyImout9P8/ns9xur1u5NG2Ib8r3ydH0k3tmjTHtOl90P7jqvB889VpHXGj6YVZ\nCpFsGV7agvdG7LpxN2JdMouDirve2OLCukTc9Ksd8Z2VlFdg3SirEd3t57FRPxxQ\nFkV/iCNb2ajbVCNcPQzbtdCVxNg9xA7NKsISkGIy2hOnixklWRDYuagMkokx8PNM\nGWUAw3/wCFb5ugF71NQeuolpaE15cWoy02XQ7OwOP99nZS9ldavmQkTZkhcR5OeV\n1ka1/UyhW3tccWf45K9rCf+jVqgyhA4tp3u5wGfA/0Xj/7JeKCqzlhgyBwLPF3Ie\nBdjrzmCusU/HMnp0PphxGkOqiPkeCg0UkWVp/duYvVLaGr4wO+GJiCttSpHif0KF\nAgwDC9FRLmchgYQBD/9BeEvF3GN8Ns6cBfWswbfl9eY2XW+AaFZO8pRFLQshzm+n\nOUb3riii2LuPdMSKc2UkkdJugLem+QuRnf6fkoer08itQdP3KNYYS3Kr4M4aQwlh\nqPx1pmMSS25RFn3SlhKLRZPvK/x0zq2aiwkcoLkVUHgnwTbzerO5MLVmkvwlfokq\nPzwv43KzLCeOQOEMoalSEW4ljqQs/kziLSPHZdoTcsNx50vTpCl4P/cFdhugMbqt\n8YZzQIw9KTMcT7YXT2y86ZzZKXkfqpX6bRkT/JiDjp8iLqj/ILxUEiHjANQrQGSW\ncYOY52XTxdU/WVjfefzP/bnTz14Ww9vC99QQyZwgU+PgV4NwLP1IdmpsGZGQFlHk\nz3iDdGvB905i6Oco+dTBBbHRFUvIYO/PC2oVsOS2eua/IkZhtHIz2qmiC6RJHETh\nvBTVInfcz8PFuMCo9rjbXghy9E56RuOy3qVqTtypFrTzGF2hG8j1+s2ygCIYokIy\nRYHDZELy2M8dtgNNQiGvYFFFK0+Ww9K3i2IeESxjQ7mkCGVIiOadM5J1tLlWP9uf\n+ehkZPvCiPWlL03rz2jXdcufqwbcT0SMdsN+iq+a6v1YEAh639gD3kmM8Bk5W/AO\niMIxmRpnszvdO6sdZsdjcxtlm1mwPGixImVoGPWiGElXsx+hgFk7VYwrMqePetJc\nAdy8BhEL0rmZ8zNkZ3s11shzcGFxnI8DU5a4anK26WUaeRVdCIQV7cq7uZr2O6ob\nz3KOPtFS7CegmNnrO6WCGh5Dvixc3EQ1mOIwCt9DoY0tLZo8lUpILbc8Uc0=\n=YxFO\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "version": "3.11.0" + } +} diff --git a/hosds/nixos/x86_64-linux/summers/secrets/kanidm/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/kanidm/secrets.yaml new file mode 100644 index 0000000..67cc06a --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/kanidm/secrets.yaml 
@@ -0,0 +1,67 @@ +wireguard-private-key: ENC[AES256_GCM,data:R8o48IzTOqAdSDGpdC+euQo+TdvxPY44iHgO7NGCwQnqnv87Tqbyqn/e6r8=,iv:sWhQJ3JiZRSFQoydNiZJ1UB0u+qdKdRoU9zapswqsbg=,tag:d5W5NOl/sB0MpZmaUiAAYA==,type:str] +kanidm-admin-pw: ENC[AES256_GCM,data:S/iBo56ONAB/m3Z7LfsD60cN4jx6rKdpMw==,iv:zX5g2yf8cL+YNv/rOKxaUFst49jTNv0/RC7dCmDxRq4=,tag:/+dXYKm1fIsWxPNf3Dte5Q==,type:str] +kanidm-idm-admin-pw: ENC[AES256_GCM,data:f+kENj9pvEzg6i0zdiNwVRgRXYgsNITlsg==,iv:+8rN4PJ6wdk8N8LZTlcuhv4lzY/ydi+mBfg4jp3kp4k=,tag:kVLFM845aNePnCWBlAhUFQ==,type:str] +kanidm-immich: ENC[AES256_GCM,data:5mLDFJ/8gyX7Ij2KjpqWbtMjB8v9ek0tuw==,iv:eUMCFjTrAh/Ws4pDYf6T2s1OgNLQnaDXMvbTDbZ7Wfg=,tag:qlp5qRtgdl+TYy8TK2kteA==,type:str] +kanidm-paperless: ENC[AES256_GCM,data:Jo/uMujrq5eHLClGoxVSyb4kJSIQW7MxSw==,iv:Ck6Z9V3IXUBpSF4RCoqKF3J8Vyo71PaS4itXOf3NNHg=,tag:/u0C34IaUlm0oOGHCgwN8A==,type:str] +kanidm-forgejo: ENC[AES256_GCM,data:DP6nGFVL/7lwANf2DyI3E+Qfh7b/SF+SrQ==,iv:zuNS5Hq1N8ntEi9z1fCz2Hpzev5F+WEGn8EOTwj+4EY=,tag:8/j1AWi+JUcp6YyBc0v1Vw==,type:str] +kanidm-grafana: ENC[AES256_GCM,data:o74mBnxhNRuQbqmKEWG/o19JE9M0bBNxKQ==,iv:J5HzDasytKMIvC3tLvWnv2Cu4HPlPHtukE48i2xwWik=,tag:63zpBuhRpnVL4oQjfA2f+g==,type:str] +kanidm-nextcloud: ENC[AES256_GCM,data:cDZFLh316tIQhsY9osPBvlc3msj+8h/cBQ==,iv:e0nEiOdjxy2an0J21wuc38Tns7kzUvZ//RxnQ0hhjfM=,tag:vKyPRlfFRyLA/PARXlWnFA==,type:str] +kanidm-oauth2-proxy: ENC[AES256_GCM,data:H6PS6WcMiH+gMsp1CYRYHqSdM9SqR4V/Aw==,iv:WnaEy32YxenO5KqQsEqhQm3jzsq0/HztYZrE99lVbb4=,tag:OPYDhTTKHJ63rHNLyjG7tQ==,type:str] +kanidm-freshrss: ENC[AES256_GCM,data:t2iIWLeyChAPFKfWeLkEnWC0zbpuSP/tmQ==,iv:fPpjO8RhgIHNRq7V5pYZN1VNeO9NkUi/1HWsHrS5iS0=,tag:v+W0yPtWNpl0CQIdyJuaBg==,type:str] +kanidm-firezone: ENC[AES256_GCM,data:/at/1dhYtPzeh6F7/juE1XyY6abq1OQIgw==,iv:Qp1QXBKHYoDJfTbZZYDRcdM+/GFu8WonhO6uSI7NdVA=,tag:lvSei5/yGk3aU7HX9KOgaw==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSc09FTHFDcWxidTFWTGJ5 + VEc5MGhEaDlvZzVXVVQxQ1ltcVJuVDNHaEg0Ck40UldXamFocS9zZVhicjQvMjcv + ajRuTDRiWUlJSEdaZHhjNEdPSUsxUncKLS0tIFJvdDJiL25tNXd1U0c0V202VGNr + YVoweFo0MWp3SGpTT3lDSzljL05MV28K3AH/JPtkI/zcJILPYmY90bDNplj8H9/h + 1Nn1ceS5frxOCYN8b2wS42NupId2yhFojfbJAGw73unHp+CJaNfnNQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1s5gcxtatd9frwctzwg54fqycsx2sa73ll36k7qrpm9wwyknkldtst90gn4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WUxEWk94ekRXWGNoQVdm + K1A5cVJLUzNZK0JXMmJacGI0Z3Z0Nmo5KzJRCk8rZ0JINlpRbnFKMmIwejhyeldW + U3FWS1M4K1FZQzY3Wks0Ui9IRXA5TlUKLS0tIG9PQWhDR3ZXaDBLZVBpandxSXRO + Mi8zVFlmbldWVFZPRzV6eWpWMUZjMncK1x41Dvs5LXsSKdg69CPQJ44/x1eNwSHz + xGNb5lgtduTF7mDtlNnp+QdDYVLnMQCiwlUcYeyckej1KAdvOM2Sog== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T08:02:14Z" + mac: ENC[AES256_GCM,data:YRVfa2nuKJ392zbrVDB8XILDa7zsdmdKak4tXAiru5SY9vGzY68sHSu1R0pBr0RxPZ4Z0NYyvJwiH1ni2PKabuJzAIyZLV0KL6ekKIFg2B+2o5nMUT2s2+7yjQ8VJ9nZSdjN+Qk4O9yF3L6GTg3CMKk+wahrySAPuyMn4rTMzcQ=,iv:JoGWfR4Ld0QsTIWnm5bZKwma2vPutEsSL0x6Siz5eGY=,tag:zzGyZs2wSwEo2yTUgKgcpQ==,type:str] + pgp: + - created_at: "2026-01-12T22:05:29Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAsHsyz+edy6SFpx2p0aDsDGl1i1ehNruViAWEvFhuI59E + LGzqXZ+U1MN+O1s7Jyyv6CkbOXvQh7G/ebJVPViXz+fSS7XL0R9vLfJpvGbSGQSb + n+vCODar0cBQrqw+fa2LgoAILfyeSAemh3Ezu6NyI1T895RnS6Ns39C0//6qUYIM + QPoAVzCUFm3bb/5b38K8DhiXMpdaltdxD3RK20k9nUCde8+LRV7KiBfHZgmjX3TF + AK6078wXbmuyh9qIqJp4oQG/HBk2AbExGPsYTlmTJTcPUsN2iHE9s89G+lUm44+p + utCxf94b87gZuYaYRumrU2NtB+FJQg3UEq65CZB+hDGUg6G/jHmrAfFjzfq3gfI2 + NJL6bboUKdsrv4DKxNhnOA06RYgmoYh1K8OGZYruWwDBiPX8Reo7o51N0WkA5zhe + //iySBRY4js5QRwkz1HZ6JkK0/ag90GHKAdFxaSQ3RGrWKfzwypgvRgUHnFRv9am + sjYEI26c9srPUu7Q2bhBI+iO5pbiWvA7JGa0t1Sn3bMjCh/1tjgn8wyIqHQySwee + Mqu1BUufsYvU7aD8tUCqbSvT5g1LgoZovod923rY3P9e/jrOAQox3Ua2aKOGb9XD + C2hZb9H9n+4Nlh7h0m2wvsWWpvYjWo6uvJEfFrXwPzHP9s1A0/EaKEt6n8CkASWF + 
AgwDC9FRLmchgYQBD/9uUz0LLwg2G5EIV701wxQ0EPu8zVhVB9xl+4GBJ9mNDTT1 + P/4d9PCneah1lsxfw3p9SD5DWFwJm3YIqOr1OsiYqGKbH+GnrqoH+mDHCng+TgLR + 7cd0hCrjnYVBgiu5LlO7a8UgTemIhMkPRNOvzToecOwcJeCgLQkhJQ4bV5Z3cvxp + yI/tHcbmnXx1hmpNhDm5Hzbp9Yztv0YfXdem4jknl4aw+U8sTIq+HV3DUCuM23tT + 8wPKaXrAqq8ksMi20SQ5i7Ee2BIKxw3gNL7uGCg6asIvWtguTurKLRjXEgkcGoFr + 33RA420JoK1d2uDy1ksyfN3qW5ZknXgaoH2A/8DzB6L4k8I9s7MZareK63jEd9pq + uu/VKUoKbDXJd7j3UcS7+4TQlKN6qCpx8MZLcWWnLT8J4UHBeRwv+xO5F/E/N17E + lTJF/I7nkkdarlFM7jNTYTz1+Gc/war+E5L3UmgB1gVDDTn5vLKjM8ub/rdgeBCD + RE+p5KjvcsI8U8wWvhZIrLiZggNY1MANGytvICRWnpGSN2XgBMoTdrNJDTy4TiL7 + SlXH+GF25bx0H0MwV82KrWC7VbbhzcuXnO5ZybJmymlCPYKMPZ7PtuoUAv7ksUXh + UQUAe2Oigm2WFmAIWl8GCRltOKAfoDKmujJnIaOx8y32XM1dyPzk3i9K0uAjT9Je + AUw0GQ0X5FspwHYpHWeGC7FX4CNvM16BZdygt6BZlMvUMw/vm1ojz73mltc9xI0I + NlC8ou//9vW4FYenpYxnu+6KHi+9dAGp0D0vrsNp0by6EEcO3EwzfRCaZVfO7w== + =oNjr + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/kavita/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/kavita/secrets.yaml new file mode 100644 index 0000000..76f3cfd --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/kavita/secrets.yaml 
@@ -0,0 +1,58 @@ +wireguard-private-key: ENC[AES256_GCM,data:rZ4bOiYyBa2Pq9TuxNRifoZ9uRSeL1cRA2JK1FDBK1Wa2ZAd0ZHQfRI0D00=,iv:3L8JLV6D80EbI1ArawwQ77ndepEoq84JfvM9XAjg+/Y=,tag:nCXsqWAXhB9xTnKn8ZbL2A==,type:str] +kavita-token: ENC[AES256_GCM,data:yKwv9L24Ek4q8KNaTJcW3Xx6d1GCnEZ3LS+GkW2i7C+eE2XgBuG1Ff0L8xcdTPGFVkPPb2bvCP+CKVgnSVd5W+FFek/XQtVcFgWQVDUjG4mBbonQ3VnTKw==,iv:b/UfgHVBviUEMtt4Q6RQSkTVujH+qMIyuiZxD4mwMTc=,tag:rIVUGYOluyXU8fEd/dgQEw==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByVGpSZzBhMElPZDVxQURn + Nkl4ZzU4SjVYRG9rYTBxQVNyQ1g1YVo5eURJCmorQzljcmtHRkwrajZOemR3MFRH + WTVnZkE4SGZ6YVlyd1RXak1TZ1huRk0KLS0tIDFacFBabHZUQlBrTW9SOHJTWG1K + Y29uUjJnYkJHNEl6M3NWMkF1U3N5N2sKKA5+GygCOBaISqK5SRL51q6YfjuXWr0z + bXpOVdppHXYWNb4jdR9yxc8KEf2T+eMHJtZF9/Ub6oRxo/1a5fmvOA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d89878cvt7wsa07ydwtexspku5gppwstrpnpph4ufx5pcd4fadyqgf6lvl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcDFETHJjQkRDYy83WGJR + ZHdvbXorM3ZBSDRkV1pMb2xQSzI0Uys3aVhRCkpJQ2xnUVcyMVRFMHI4OVVqcFEx + clVZR1hrTGFEbVpaRUNleGU1aDFOYlkKLS0tIDhEbFFlUEZjUlpjWUpTd3pQTy9D + cmtZcHpBRTZCRXFqZjFBekdKRlorWmMK5D+TK1M4FXDh7v7wMH/sEmI+nzbMrchp + CPHs/Doxnx5lSXmXcqRC0HedbLJ1GQ1kL7PxRlAAsUg/UPN/OXPW6w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T07:59:40Z" + mac: ENC[AES256_GCM,data:MpnXoqLkHYbPHvA6ZdfgJ2sPzM/BtmhbzEjymvnUp4zLIojE15pTEvYKXOedr2RKYZk1BCF+ksfyyVgJxy+HFZ28baC3dPXRMAHH7InEkf144N2Kmodv2czohz45gnbBz38d2DBU1/7pbpktc2Iuw1bQZTBbg5xAw5Nkd3pzKJw=,iv:O2vkWIDuzKzStrDLcVnVnWBa8Moy48fPE3YeSlV1scA=,tag:OreHXW+REVZC6sOa0t7idA==,type:str] + pgp: + - created_at: "2026-01-12T22:05:30Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/+KR1lX2Jc2XsR7qbHnRkvdAOtcV3ETYHj26zTuOt4YG2D + i1azOUcQA2aImfHj9jqB0SN2b2TJZ/JuVB0NqYG2oPtNhHzn/MtWLE8CCQN+dT4P + 
3WyYjAeg4/LA9KysfdrIFPNfHGleaHHRpRBmWxSCLDgbdlcf9QLD8bHj2puKwVlv + 85KSMfdqQcfnI2ORfv68AkpO9DTeQhzg6YaJlePaM9ToUD20BfhhkRhCZqIbtpQt + OGr4oO6HyfE2cB0E16U0ICYnVbIyriNGkTM1fqMNVZ5MetmF8FAcxMZmOnEcDk34 + 7nnHuwA/129hsPwAIf7YnzAByPdMvDImAj6w4b+TfrEGqetqjrytGfi6BE97rwjo + CfOd3figRvBIPtwXwj5+WE3QgANVN10leJSLTqvWCX98XyMFS7A1yBuj4k0fhTk9 + z93TP6T9h3GitieiTFjMyz1dFt8WBbHbaOGz99sTsBFDWERSs6wx5OyUttLTM++N + iccyYTn0ETFZyEKaY6ZBCD3VH/FVepXRudM+822vcksy6PP2JcFm63k941jMltJA + t+MPQcX3haZp7UnIcPZ0bX1G7oiEcZNsp7vXVYZ3UBANWojqkfmQ9yE7x6mtC+Vd + 46/c4pH2mOJOETKguj/WkZrKbk4YlRKceUWYe2+ywKxUjGq3Q6nA0u9kfSn90HuF + AgwDC9FRLmchgYQBEACryx5GKRlJLHUlbnxkPoveKdWBdGrBDaNlGDy8qjhe7qPX + SriU7jgCq7ewpjEaxNZERSzhAhb1QC1HcqLwFwcxwNat+KbgkvKZxUixloE5Uk0Y + YUnekcLDjqh03T06dW6xlSyzICTRgd1YCSvT9qa3xTPyWhKFi36+VDrl5XqdDnlA + 4GZhSVXP887xneQYYBMyj4t4pIFpDVJ/6LxakmOr6o8TjfxA+4Wesd7Jy71EdEJS + kduGlGGxFAEXyAokWEuJhuD7L8n220/vHtY4FO5dGpuQZrHR5JQd+DAWXwj2ZMVT + DhXC3lBRJjcWACJ/6YiMoHLdmwuK91D6AmDCwunBlkHSiF1Rga+StnQQY3LOpP38 + GAZqBwqjVVYan0x+Z/yYZ0bGyNX9tJtw39yDOex6+hfZ/ciXnSYIb8FRcvbyKreG + wX/rdk1pOqHYXth4ghvodprFxify0ee7CYuJ73Gt7JelB7w2X3uepq3wc+hyptsc + v4feA/ZtKEKeeqaGuSA+M6fQw5ON2SrOTp6o9LTVBqlN1OR6gOik6Vh5NO88Olwf + 7OlosAIVwaFpA+45i/hftSgPghPKBgzrlclcg0KAxy0hZjbY4iqZZJgIbnEnGo7K + 3X4ml8LfrZuUSy99hNXztXZbBFt38QzxiUaQTzzKEJSbN5EjAsva3c+EoVr54tJe + AVO66ohfsV+GyAMgCbqKzIAOQPPLdgABcEtBoCSpH/fhEBfhffYEOdynKKP3IY64 + FQaEB+IM/7OofP8pSFYvvMz5qMb6zhkLMGgQvnTBm9abO4JoAAGzA37SxGEU3Q== + =BnuJ + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/koillection/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/koillection/secrets.yaml new file mode 100644 index 0000000..6290dec --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/koillection/secrets.yaml 
@@ -0,0 +1,59 @@ +wireguard-private-key: ENC[AES256_GCM,data:VOvcwYy6YVQ+QxTqiWD5bbnH0qNDZ66ZRfq2gY/W0DpjBlJiIcSx1zgaggA=,iv:d6TMF2DAebYt1mNZ0ijzIYNhub2P7sCkD0WRuVPupMI=,tag:9R9N7/rDj/9OHWF2Y3n5eQ==,type:str] +koillection-env-file: ENC[AES256_GCM,data:rELcMMdigW1SSCgyTyD4Tugqmv8nZCMnI1Pmwaf4MKA=,iv:/g/L+GfYR11rCg3QEJwIQQKXov4GqRIKdJvPcA1mst8=,tag:y6UMG24UdzONssovtFdbBg==,type:str] +koillection-db-password: ENC[AES256_GCM,data:GxqSXFrTR1am4vmJtW162v8ekM8=,iv:b4T8Rsy7HOnQt0OnFPuKKSByrWxzYKdIsSQntfbh9Pc=,tag:xZHJPexSvNQb9EgmTyxvEA==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMzl6R0tOQm96RUludWJU + TS9tRlJLNklZMkdPTElYR29IRGxZcE9XNDFnCmMxb1FmWHY2UmMyN0lldXpqUFZj + eVZ3RGdpUUZzNitwTXhCK2VnU0k2c2cKLS0tIFZNeE5vZ1JNdWgzdkRRY05DQU9O + V1BQeHFzZnVCRDFCLytxRmxtRWVrSEEKkzXol9r2TBJITL8mYtTpnFymYIpj7UMJ + RdrIn7k41fi0pzgROxKFg/HgDvquo4eNkI5WsOb+LnX/RZ/p69Of2Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ayupuxlrkepyvjk7xwgrd0pvcj3tfcha688mcuc8ees2hg3g2ersd0q3nc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSExMRnhucFE3eno3bDNu + VjJPV1FSTytwVnBUOGo1YzFoRi9HbEx4RlI4CnBhNEpqV0FzNDFpZDVrNVZRbkRj + ZWV2KzEzMjdDbFVBa2JoQitXZkdIb2cKLS0tIDdOZzZtY0ozNS93Y1JkZmQ2SlFJ + cjZiYU1qQUJoVFhGSEN5STVkUGkrMjQKhr4pF+7qjuo1t0wP8K8acJsPu8e+28/9 + E+ejqDL8XDOD0/K5aUWXHQk8lE/+w3mPSAypClZ/2szzeF76XJCTcg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T08:02:37Z" + mac: ENC[AES256_GCM,data:rjxF+XnvVS7Yo39xXq77aeCMttnMaIOB77o7LrZdTMlcL+doTJFh9uOA0dh7vfP4Q9Aq8JWS7IHP1f4D99+uAKBf0BxCmapPgFnFxomFLqxVXYnF0iC85XGZXdWSFZY78Lo7Ilfn7ahyjcvJI4UUdshQVULbJr8cpJfR+KNM3h0=,iv:XNXXxHLQuncyHp7rPiyRXlYBoqfsv1OSv9Z+ktvFUzg=,tag:SFmFapugipfG7feXsuUYfQ==,type:str] + pgp: + - created_at: "2026-01-12T22:05:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMAwDh3VI7VctTAQ/+K8CydCXNDvfUCwILow8t6CNRmbEJ6ci+3JuAEwhYlfwq + XxUWWzl0asy6wNLs3izTv+puPFYcVWnbhK7+fgFIV4AotjrBRH9Xqh3irPJgoRsc + jA0pcfcdVGMrzsjFChoM4Lz6u8BF9jMobqsGo+yvttJf9v5CFGjVIVo4gLA1ZV9m + 34txfuZ6phOePCcs5ApmDJ2yuVSs+irAu5YkUXQI67RHstSwaRq48oZbTDnPP0bl + 2ZJM5GXdY3rXLLRHFj/skunwee6V9UPJe+hwiGY3j0oVZ4aQqHaQ8r5/6mD6Ba9N + bLLZsIHxl5gflQhnsejEUvwOzdivPc0X74Glam7QveeIyAhKxGXaBJ5UE3YV1GfY + FRlCLOwdC49DRMjZiF799BUxtvTLCwZVA77Lpg3E6egJb3hlVcdqx/GpRC8yZqG5 + WAPe+wYg8kxVAHWNtyWHhnQDYW4L/vQCzoAPDKUKQO8rh9LivcqensXy0O+Lb0nu + P1Lm8RGaZF/87FuzQrQbrO84TVgV6X1ZK26qTbZiBE2WXNtN+OTI2wSpQSn40rg2 + ifP865LtmE6yRvQAPcVwCa0/DK+GfJtVBXAOMZPYST/Di51Wdd+ze5TS0jIerZW7 + exl3cvGgxjNEKG+LZXfLB4k6pe969aZIaq7JhHVZ9vZCmgYLXVemSBUiZWx1nQmF + AgwDC9FRLmchgYQBEACHWLAdrmXaT7fcDjv5Oq7wwHLhK8L8cJOBX+EQ+nPtsYld + kZoKNJiQv0B50I00iJO5L5vuvgmlGSrrn5knTX8uswM/nMa+f0KeVGFJhRDt4+dt + U/HulFPtT58nWkaCiawWz7jXoBe6zcDN1TlmJI7fPHW+DoPi+V14IT/WIsgQ4PUD + cTbkvvMeMnYdV89RTQwponM6VTN0NFTdWofXIwQ+xyo5jsXTyYDO8HgmG477iZ7W + vKLaEuRk1iuHfYss4ThgFJYIafPa2C9GLIEryKLrQiYEWVJHPn697iqkBT7jegeO + OJ7fOfztlXpXL0ZMOvhaNWSdrQWVqtl6XdXYEGCF0SgQ+GGEF3ISQLEkq2dK4MMT + oFXNUSLl05Vb9+LIsLpZGIp2lO/pHaB4YVsT//+giwlOcqMOLsJfhhiySwA8qALY + +xliizf7u4CxY4eOZ4+nu2A9nEvsuK41j94RuLgwIxn4SXy1rOtEvXF1HpiNleV/ + U5115er5QSF76sFni4kVp7NHpGOViJnbTUlO3dferojCZ5NVEQd6Pi3mJBH8JqmV + 538hLqQCGardPtg14r1cvmJ3Fx1gEXM4+oeKlvhCioyrCT357jOo5/ceRW927zv4 + 5bQulS14zMRut8N0KtSuCEGAHrs69yv2Vvni++W9rX6S8WCUoRYIwu2348MYyNJe + AT8xotEr5YRoucZ257heJhG2V+N6pVz6zxMekW+6WKC0fRwPRq5k9MLGVINhVxTH + DODXFCVpDkT9zSXScajDOExDgKnV7Z9Rzjhom1ktVIqEXH5ylLo3D5W4YzzEpQ== + =hmtA + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/matrix/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/matrix/secrets.yaml new file mode 100644 index 0000000..b6a701f --- /dev/null 
+++ b/hosds/nixos/x86_64-linux/summers/secrets/matrix/secrets.yaml 
@@ -0,0 +1,62 @@ +wireguard-private-key: ENC[AES256_GCM,data:yWAKbF6rsLOCC/DfLH6F+XQLGb3fBRTN8asmyRgbkwSjk4c+BFYAt5+QBlk=,iv:6Cas9BbNIjoxgIB8Y+ILFjdMTRFtGz2dI6oiEiOLqsc=,tag:8+hgOBQAlMJOZ7Qhp/D+Sw==,type:str] +matrix-shared-secret: ENC[AES256_GCM,data:JW7AOGGD6faDpXflV5zOUppOFIswq2C6ydxwFYYMqmnypKrGN/6HPI9pkrsAQYnnJrkEKp6SGVIKClc/+QC+wg==,iv:UW67HFNDqgg3uOFA01xR0btzWnDrgxMRG2SSKwXBQzU=,tag:/OuKL+e6QGlEHgjC/o0xXw==,type:str] +mautrix-telegram-as-token: ENC[AES256_GCM,data:qUhoSZG6wY9XBc7FzM53Ia1jYb4pd0nnMJy4CXiQyUQKu7b3DJuQK92nSdb+Enlwrboui2Cs+zO3yzK69Evntw==,iv:jr7e+9JUSWUxOj/XiLTctc47Ticndzaj1dWBcT6KkHM=,tag:gRC+Bdn1rHb16LBxb0dVvA==,type:str] +mautrix-telegram-hs-token: ENC[AES256_GCM,data:PEeMGrKEV7+EO4g5GgFFIAeX2XUU3PbcKt/1Lm9bjTThmaDGA7eUSEObJMolVOmTMwyQc5szyjqOQ504rCZK/g==,iv:ycjxbl74QS9Y3ZNc0rvsbR+llLKaaUQtcefTfGbPbKw=,tag:o/BC/VLnzvsx0QuQulsHdw==,type:str] +mautrix-telegram-api-id: ENC[AES256_GCM,data:qAYbVdgeUw==,iv:D5AjnZdDQyDMGQe7FSVoPxWif9sfbkznXgBGDg+HkYU=,tag:5jQI9brdup/uQSaPVOWfHg==,type:str] +mautrix-telegram-api-hash: ENC[AES256_GCM,data:bwfQP/EuyS+iWGlx6IoC7VrJPYbYtsU5cmtnCn+L8z4=,iv:lardLJjfWVvQqXcPm4b4b6iS+U8De+P61GnyfqjkKDk=,tag:YbsSPAqeSqIWsUoxdjbyGQ==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaXMxY1hDa295WGNnd01t + czVWUFhKdjdWMzdTbnVBOWV2WFpDYktSVWtZCk9xYndvOWZZOExCV0dqQi9QWVB0 + ZDh1ZXpXVXMyN3llNVFuYW9XRyt2RFkKLS0tIFRDYnRiUE9kNG00Ri9oV3VMS2hr + Q0xDNzZRSHp3enJ5VFdEdkFZN0Zrd00Km6r0HfLe7PjRzFli8+J//R9IGQOb91A2 + rlvETneqiIqngJKAHEFglfMTpkg7pmaYkOxm2/GWpq34ozond74Rmw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cq7wxnugpfvjk6dgqpfmc8vemzhkg75drkgeaqjd9fuylz5qh40slazr4u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbnBWMk9FL2ZlcGZjMWR2 + Y1BkU3VpRS9jQWxsZUhOanNjZG9Gdjd3R1ZFCk9oK28xU0NVTXBCdml5SWw2ZDY2 + 
ZmlnZCtRbHdTelVEZjRJZ083M3pSVWcKLS0tIDdNYi9wYkh1OUt6MTRwOGdWOXJC + TWhPeDR0aFl3SnRQbDFsZHJyTFE1ZWMKRi8PfCZK00OKkA72WTjTXa1h73AOnziO + 2aHR7PRVsmiMpK8E5+uUqcX+k2yTIPmDwL8fH8yCdICWBM0hTPKsSg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T07:59:58Z" + mac: ENC[AES256_GCM,data:ZT6hdEn/UkUqa2SMgbN6rUj1Aq+x4kvmf8wyWdgnPiCM4+EzY6N9AP0QcaVTssPH6hO5jj37jPCY8W6FCJQFOkxU0VsF/mYUq0k36xuPMyS4ztZ8zTVSW+0oV6YHZFzE/epbhcIiXIHaoFSyIoVtlMawl/LeBZ92R8MU8kUn5MU=,iv:nDA22BM9tpFAMflconxFsf6mj07W/+tcS3nJHhzqpS8=,tag:jYEm3IpmlwIEGpQZYJ0mJQ==,type:str] + pgp: + - created_at: "2026-01-12T22:05:33Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//YzRg5yUkAGFzdYKhCL1JFnw8Zbz8CGI+FY5n3Kdk+WDN + Bu19M9fRZudImVj60GZpuS+08R6WMkayanmv70sGbVc4xYaHqwyAY6czCardkP2/ + KviTAQMQYNJlw843uwAn3R1e6JDA2490ZSTDoi/qubKBkL/6LXxl5o9psGq/nFIO + eR7i2sOzr1SF3j34U6hCqbFxKVDETQ36COaNzr5AlrF+Byyn9y5i81h9hVsDfay2 + PRGiuWWroVi99A38f6QWqgsf5vm/IcWaSjnQwarQajJAtmspKxPyohohWWmU0zuW + AYVwHKcwsLYbQIp68siRSnpEkzy8Mwp8Zj/K47mqXTdN2WiiCu0ybK5nMtU7VqV9 + CTSmpl7HFlC+tpQ+mSI/gcG9F/BvoQb3nhv9gSyRCJJ7kOy0jzXxKgfYy2X4VLWu + MVtPvJFeh84Ni7dWTzby2EErMlbEdNoP3dcFse1FJgrvaZdCxJgZ+tunoOaEPLC1 + ATDT7wrXt3h1m0mEaMo4PTmK5hkzvm3UdXW4mr3UUtVbf9rqedCmigjbBr1SEG4o + wjLoQaZtKK7FOcAADaXa9Qgk9WV8PyqQO1+AkV8GTt6YlyUDV2kab2pjqjUIB7t7 + VFbOWIwJVL/OiAhwIGu2UqQiekP5gB5TE39X9jzE1FHhbw61Deb6OK2TMhsmRuWF + AgwDC9FRLmchgYQBD/0SsgaBElWGqYpGJfr/dKSOb+5BivLlwT8V37GWcjjNY/RN + k7/5GpnlZdrQ+1cXLNdAMNghjlV+dXpqWxuu7DBav9alnyVnfgID1UtRSEyeAMFe + I4n5fNR2TQ45fDu/3Mj1HWruoypDyLCGIenpQ2jZrWIqm574qZ5VFWZQlWP2+m07 + lSnTSvIp+KjGq1EJ/ut+UuGupqwkYihgewrtisJ8BnDEIUMAHD81OLc11ZcPTaXQ + K88MrcJrqEEJpMG5kj+tMKUhpmkpCkjG2WJyOZtQh3FuTQDl68uCh1YcMUmVijig + PI/WdsA3A85Q6lwLgc6YTIr5AUi56PqJiWLgeYxPvWWSE1AnFrrnDYfHRPZdKexQ + VAWSPlQFcEt7LS6LK+hJAjKteMJNFviFnlCYam3eWTcIw/sSle03JmGf+2xhZJRp + ZwN63sCNLTd3JJlSmIhTW8LbypaNIXfDh1x80FHoIRh5xZXfdJxz59gS4yJGdS43 + NT1QRhg/AQrOX9oOKdOHF8L7tiDk740CU6DMvlwdv1hc045LcTBCXT8O+mIyl4KM + 
Mkgcnx8lpoIyEyvGAcBSAzZLE52ub3d8VNAK5ABhgLkaTTGWqiWwNKSU5GVEKB7O + OP5hWZn24cx6mAWk/5aUHvcM0cUktlpnzFkuG1m7XQbHxnYU8yi7w1YwGjKXB9Je + Acy13H85upSvPs1vyvIHf3WUVut00wdsUB0IrPaPLPYh0a+3rU+5B+JZ7hlBWRfm + ZyQY6VCrh/mP0w3YBfb+Og9jdaYFkDXEGB65kw/sw0pz/6WrGV+sX2mFXDPa+w== + =T86X + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/monitoring/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/monitoring/secrets.yaml new file mode 100644 index 0000000..6ab9580 --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/monitoring/secrets.yaml 
@@ -0,0 +1,61 @@ +wireguard-private-key: ENC[AES256_GCM,data:bHFzF918KWIY7abTp4B71liKBpowEfdyPb2RmFhnER59ito1px5kccZe8CM=,iv:A/5EQ2NVCtPuDfJFAQgusd2Na95a6p4oWbIh78x/904=,tag:IiPzjZNwT7ZyPB0R8/AIjQ==,type:str] +grafana-admin-pw: ENC[AES256_GCM,data:lTpusl8gd7R7FP9QfIU=,iv:h+xtTtDp03JHHmZ3hX9czEqSWq4l8tRrB52qaKBX3yw=,tag:0MIWfhrkfhmL0Jn8bqY7Zw==,type:str] +prometheus-admin-pw: ENC[AES256_GCM,data:bdfXLIyuW2N4w5EHd4QD+js7KFF7RBv1mg==,iv:E8AseMXVEcrkCg2fzp2IGphZsMZiCPvTj8CGD2v1t2s=,tag:H+hgftqGwHpdEba5UAjd/Q==,type:str] +kanidm-grafana-client: ENC[AES256_GCM,data:ppEqUFZC59A1Fv55l6VroWPzUiKtMO+5XQ==,iv:8SUmgijE1PEOiyMUSbZuKUfLifTD3bsdsSGFCQiPjgQ=,tag:crHqsVLK3uC7vA/wkCXZLg==,type:str] +prometheus-admin-hash: ENC[AES256_GCM,data:6qIEAwDQQdMeiJ8oQsnRxvMV/x+p/rgHfViLMgGh9Lg5FoarzAoZjxNeyE63X87UzsjXY3+7/9khJ9PD,iv:O0VsqAUyiQ3YwLHSx2Pje3trlinz4CjxZ+h4lPPPRN4=,tag:fo2U43uEtfB8LWjP3zpkDA==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMm5NVnFKdjVDc1Z5WkI1 + bVBuU0sydTNHSEc0anVoSmwrbUI1TDV6RlYwCmhDTm53clJlOEZsVG8rWEZyTnlo + em9DdHUzUklZQmNlK3N6bzNuOVhkRVUKLS0tIG83QjJIZGFIakdTZ0tJYThDQU9j + a2theDZ6UUo0L1Evcy9FcmxnelZHNzQK6w6FdZ6kGFo3TE2UsJULOFds1/xT6/Ce + KB6H5rEXcU4fLreuLJA/tjQkq2CRPq58ACs25Y2GuA+tv0dBa5ud8A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vn6ya0japzpgc256jg57fldsqe4udmq50sj5hmkywn7rxfnskevsx2q96u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5SHJxYks4M3BZWWxsbURH + OVViZ1lLZDZGTXZ1ajNvN2hTVlRqZ0JGVFRRCmtYUW9zd2NGcHhvSzY2VExCMXVs + SjVjU0dsQ3loaFRTdnpQTXJtYVZHczQKLS0tIE5lRTlvUi9CM1IrUmJqWXkxV1JL + U1R6WEpIOEdMc1JJaXlIWGE3bk52eWMKV55X1Ub6xclaNVAGotUMHodOZxeCpjnr + dH2egZc78PacamhvBiTKpxZLscfqss7zhGSqLbFRjPNDpPGkUazAmw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T08:03:30Z" + mac: 
ENC[AES256_GCM,data:k/1raTPyx+paIzNg6vIuOh2GwAwyBuejMe8QTjRcmOU3Cb6rLovI4kElP8mmC5lNPZtK/z16UKONw9Wj4PJyXpeFr06wUpN64P7qHZ104lJWnixR6kisZ7Vv4AUGAUaRCVC/IebA8If0/Sm6/Vtz+QqoJXNY6vZRg/e4POavwOc=,iv:X40QnY6vzU7E5QmJGM7pHnPreLqUoD6shuqMnE0C1bA=,tag:QqTdb0hUjtWF5bBIiS1PLA==,type:str] + pgp: + - created_at: "2026-01-12T22:05:34Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//aFEsFOzREYPu1el49vp3ZBNP8fme7XcxiR9CSs+qfZqy + loMQyyv4rPGHlXBzEWL0Bas+56fqv+uSeW94h7fyR2dLzjtnkIe4DR7tDrGsODjB + mqQ/mUgPr3eUi4a3p/q2heRsxR5fYMZqjjK606NYh3zxGDFoIHKdI82xL/PcS0OD + mmDl++GbVN+qR+mcBVlPPL+H87klO+HZsLRiEnur07RDB1qLLVkTi+0YWeSzvneX + +MghbNOZ9WzAJ8DbDBjznIU6DnzxqNpiI9+acBVyZJgu2QmPG2VcoujlCkoP21F8 + 8mMiduh5hzK/XvNkYVAb0wj1Es6CjLWUR5zxNo7jZdd7wOBR2fchm+VTsY3xxdmR + +tnT14UneAxr87jVzSElhwAD/sNTTXZfdyEbWv9qp86mrz4MpH729vNFL6mPSo7Y + rpSZUHV8ic/Oz3t5E/qWu0TVVlzI8cra9XfvqzS5MCaWDHdT/+UKviYNzvYC0HDP + yIDQ1QMGcyO2mW4nOQFbf7+rrjSqUGufDs3rBhwv4ExNa+jZvGposFv09mClr26T + hZKudJQMBW7CHE1FZg+1fEqdfxu6M/0yckgNbs5p5/sgdxvI9E+q1IeidvtYSK0U + VaiAqavbL11BCcBgrND+7qN352aaA2VXtATqJwgrF5LhDkq28Gn4zNEj2/Sdj7mF + AgwDC9FRLmchgYQBD/9VlDer7Fl+R8WsF/BbAd9lHic4KIrxBS/jnHTIwL9q/d+7 + HM6C72HRggdFKkS6+lF0y8dMjYrKzV9VUzi/tSnbc2kIACk27hH0VMdrBUESDqag + ZI90TmvuaphzdHeyD5VFs5cZ6Oa1jE6TQbXYQ2ejmL2XS6Botjz1yG3me4b6pwDN + gK7bQ1pJyLoXJ+5cOWgYB0o5apFNFkeetBjT6YlSpz9FOojDmQYYfQw5juK/K1Db + vsiYaJDPbPz8Q5HXnVqP83PPMLoB5WzYW4sTrIsdY6Rr6gWSGqejoUKQo1WnqfkW + 5gkKgf11M2tzPJZ/Bm34TGcaml5oLSlVt8lK6g/CAOneTKExWIuYDYP705WHkA/5 + kzWPsWRS2f4oQbeVF+IgpOIs3gK+8kkMZz6UUuknoEKLnwhOCjuZwQvhaYgDb7UU + 64f1xceJycwxWPgttmL7ffhMGjMZc8NyHqxTbHacmHwHa3Ja3Q17eI9JMD0Qd2j3 + Yti/1oNOQcWh98aIaMiusnXeoFPZHxiLmNkrqZSH5g9/KLTkdX8RcNQShFBjRTWb + PUriECYANObFBVXt+6wHac4ULRAFDy9DoZ/skIP27EPdcbVPa2J0bSYmcIfo6O3M + tu4MzeRtOJEsVo+7KqEX8fMXpqsmSFiIZw3KPVQWYnAypmxh9Esqxt+REsw1ttJe + AR2F562k73ZXJs5sBAsTqY7Mqdj98I38yX9toOYfEMZeOYhCBK4MYhHefl1bmhyS + 4CTs7B04XKJBnxcZqwtWqAr0YFW89i1ej91W9sVLrwdvdAt0AXHhhIl3yZbs4w== + =gJhU + -----END PGP 
MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/nextcloud/pii.nix.enc b/hosds/nixos/x86_64-linux/summers/secrets/nextcloud/pii.nix.enc new file mode 100644 index 0000000..a495fdc --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/nextcloud/pii.nix.enc 
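Review bot: `grafana-admin-pw` has a much shorter `data:` field than the other admin passwords in this commit (compare `prometheus-admin-pw`, the next entry), and sops does not pad values, so the ciphertext length shows the plaintext length to anyone who can read the repository. If that value was chosen by hand rather than generated, rotate it to a generated secret of the same length as the others before this is deployed. The entry names are stored in clear as well, which is how sops works but is worth remembering when naming keys.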
@@ -0,0 +1,25 @@ +{ + "data": "ENC[AES256_GCM,data:0clUhOOUsJ15FkS92KGVth3EkH7TgSS0yb+FTEFpsJtUYNCziXVlXZvoFn0jicnSQw0=,iv:ekWADW1QtWU/Kge0avvMeOromJFsGzXNXNWsymZkZOQ=,tag:qoax3QtqzKoxU+8egb9lNw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTDNHWkRJYmszMFZSaHA2\nY0NmMlo0RG9waTRTL3BmOWRtY0Y3dlNDZ1JJClk3TWkvVDRGZCtJVjF1TldycW1U\nV1lkQjNxOExHcTZ0YXhJd3hZOU14c0EKLS0tIHhqY04xdTMzK2tSQnFGSDVnM2pX\neGhtL1N3VVFnSXZNQkJzTmUyTkhTN2MKkWFj7pEdbD+pPqR17MnYma8EC9PeXezX\n8sRLSVGlWb2YobSavwbA9AL+WFsXsT71gSFgTkAtsPh9paDTKSAMjg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTTnFJMURBQko0ZlhkZ2VO\nT2dNenNGU3FvVjA1VzRnQVJ5WDlTQXdoWkh3CmZOaWY3SUdNT2Rib2gyN1JKU2J3\nUEpmV1lqSlJiV0FsUWZpcmJYNHI3SFkKLS0tIHZ3UlFOOGN5T3VjVmNkaFkxY0FR\nQVRpRjdpVU1GWVdNMGdHSU5LYU1rUkkKrT+HGA8QauJT2U5RfuSIAOmQ5EHTlr6R\nLmGaKGPVoH1UrQJW7JpTKA9knYgweCPy4aEt4UhTrZxx7r3FKlM51A==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-08T08:05:30Z", + "mac": "ENC[AES256_GCM,data:EilwuLJTnz6pgg8tn3bNc7MxYc+RQQodCoyHAb5RRLSNDqIp90XaWKgXwBdW2lMJxYnnkprkFTOZHGW2IoSQ04S1oeYRya/NvBCSnX45zd7wQxL8k85/oYsCFZAqEV29QXoJmagO2isiFN6DXEf6IJGtzOD+MJuYjj8PufaBzaE=,iv:l7LlbYrSY4mJaQeJ1uN8MKN0z3xu5GhzGmEf/femROc=,tag:QxyUjkSbOcKBqwzGcXV6tg==,type:str]", + "pgp": [ + { + "created_at": "2026-01-08T08:05:15Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/9HZTVACE+U8I1i4bcSX7umSFfi6qEX+Cnpe2sbBQAddz+\nFAIAoImmymvOnBw/oF852vU1a7W71IHZ9723NH8yqngil/R4taLZGRVpg+f4ogEn\nFz1a2yJEjNy/Pkm32Y9w0RvKuVvuYaSk2XRj/GARSlwAgn/lGF84r2zUofuD4jnh\nzlVzvwDbc90GoFVN7rOAzgD88IOMHEC244IpxeQ0oVPaun6xhTThZD9twRUWVrqc\n1lpwMjdcNfr+AbL2BK+35uTxE8wA+kyF81yGXCGQZY0pGncUBCmXSiitMXLuU0V4\nXmydcKpB/pKQgdsIkZtfhxOEN9hdzb62GXiESg2jqF5fHBN7Qw7Solf5xtAHnUxD\n/yacrR9/uqhInVxVlxHzwZN4iZBQxQmtIz5uoA5NSgawrUf2DULLknYCWo6L5W2m\nIlqfzWnQIRDFKvpFjtouencQsdAM3jsxRPcq/+/AwoUdSsDnJsOhzIm7SfQmlr71\nMp3bD4M5ccZYVm0dH45N/fXssfWdFwRCBJ53veLfTyWRGpWiaS1ofsAkmVXemqur\nG/w7Dm4H4D8vn8mxPGg3l5VftxbjXU7mbq1PzzJBvktZM3p52VesTIAE91p17d6Y\n6zKSjmTMLKeWAnR/vXAFIJMXPROVd8jIrNHjhgflel+frBU2IGoo2jJNPr46Kw+F\nAgwDC9FRLmchgYQBEACqaN73KchQPMGgND1AdR/vupph0JF1uG0g9qA61xmvzBYa\nCfJob6Esb7wd5mf2ohfVkgEVNs36qGJZJ6/nes2X9BWb9InIYp7d5exVFI3uXNuZ\nccvGSUefPdZuRIK8XvdXWAsxCitcZZHNkJSstDUwpdDJpWMz+u+HTbRiLYp722QB\ndKTGhnsbpk9pnsIQPR3GHJh9iPLFyayM/Ej3y6N72ywQUN/pptZo+boWla3NO4JM\nHTXZHcUKbcNiCnhPgVK+xhP1gfgKjlyAC/STq8x1pOVvhNjtT/N1YuGiNQtxSLbE\nekLBkFK4VoH+fyDaHB8TFXK8dqq6+189Eg5kiTYGkMihR2g6g+0Sp5mbdHoRQEYv\ndpjHYauaKw4/V4c/UgcuQOT9WOUGqH5Lw0QohIhF+JLRU/GvppTxxk+wQm/yYWg0\nGrHU50wvV9udxIGxYxi/HICZ2CgqanWGOJDaTLejMK/Qi5bI3eAKkN4MDIJd0G+c\npVnr+Ry8uaKlmIzI0HV0LKdV5dAS4sbYOzp45Ze0M1geZrTwoWMUOyUNgjdGVj6/\nOz0eIXPK3e5IowfPUBW25sW0ztIg+Q3lfivC7xqoYBL3HCTgKevOGXgqnf5i1kZD\nrncVehBN+e33dnFLmLICPiawd09xWIckpGYlQ8NgtIXa8JaZPj27M04erhqzBNJe\nAS3cV3cwtBkuf16ZRgdI5CiUoSN5IyVuGb+q8GwKh9Hh5VLS4mwUNL8t034U/Azy\n68rN25cuZyAOcPmzTMW9xIhNacO4+gEW+X8MKalzbtOubOeGrkleTYuHyiuekA==\n=bjKZ\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "version": "3.11.0" + } +} diff --git a/hosds/nixos/x86_64-linux/summers/secrets/nextcloud/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/nextcloud/secrets.yaml new file mode 100644 index 0000000..c6413ed --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/nextcloud/secrets.yaml 
@@ -0,0 +1,59 @@ +wireguard-private-key: ENC[AES256_GCM,data:k8HHv5NRBKJRNWRNHeQGr49ZrBrz/gwGL7qYXifmObYOeT1o3MfmG7wslOM=,iv:EYrcKjyRVxndG3puJ2HS++O1UbJSU4WN0vlD1yQQ3fs=,tag:Kc6VhUSw36ksSlfeZTwDIw==,type:str] +nextcloud-admin-pw: ENC[AES256_GCM,data:paK35a5bPIHioXMzGPZ9XU6t,iv:VkSLO1VhIbDTGs/NRGYbKcThP/uv6LzuptJcXFmY398=,tag:VC2q6p38JI2a9vBehoJeQA==,type:str] +kanidm-nextcloud-client: ENC[AES256_GCM,data:QOl4sP/+N3GIxrQMyD2TmyveZo4Wm88u7A==,iv:S409ur/y9j8HYLEbuVhUbSPO0JwD1zQST+J5035Cd2E=,tag:VgQs30NNosDdxwEL1iAvbg==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3R2F5WER0c3EvcDZQNlIx + RlFKTkdlVUoxekp2VlZMNFZnU1BFU1hBY21NCkdLQVljZ1FCaWdvNUEvVXZ4ZGo3 + aUtSSUJlbjBRbklLcVBCTFRkV0U1VVkKLS0tIEh1eDI2T3lNTHZnVFZjc0pWcHdT + Q3JPcmxnNWRLN3FTNUFxMGg5cUhnUXcKpv+VwF01Vh7wJes+cU71HV7lVh+ATd2i + +mbwlNTYORdpVa5+LX3gm4Q1O8AovMIB3k2/JUXurWdOQ1RCOr6bWQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1t7zagjfddns4yltupk7nx8xps4gh7mupyz85uuys0wd22cxj5qsq2hw0p7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMkZ6dW9sMHp2SW14Y3V1 + VXdPUUNJOTNQVlFUc01tb0hMYWlWZUtvaVdnCkVEVWtUL3lDMEdjdmtXMk5ObEh6 + SWQzRkppczdtTnFUT1d3R0lEcnE1VWsKLS0tIFNEamwzd1dQcDNVbXVxSkQ1dEZi + cnNFSk85YmVEQ2RGaFlZTER3a1l0eW8Kel7WlG6U58FDxWXA7mYxMPTCXs06sLaX + fX/sHr2SJpnRLfsIAl4vkxLY2UCdwDkPM5NNtrQdFIu2oVkj4xYkrQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T08:01:15Z" + mac: ENC[AES256_GCM,data:UdaDVFUew2OaFnmdD+sULrrXQlvhASqomUt6kUxCoyXydotNL//X8tc6U9iUOhrXLKXsLB1fWKpiIQGGTtkK02p9F/IjWtakeSN8AiSCw60vVBueIdG4dDFXpOvLf4JVkLG2FkRqcLxLqyWLGzgXSFEIaaCTK/tRLWLXlCxitZo=,iv:1VgXeCIlQx89J4dW7Mldae47yvmej3Wu1NRnKK31oPE=,tag:GKfotJ6uoq+Jhf5uh2L6OQ==,type:str] + pgp: + - created_at: "2026-01-12T22:05:35Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/8DGQDydqwLR9kOQC0Pbyq46HDI/MHIXjuicAJdPdVqW3J 
+ euLBwcF7do2tbsPpEG3FyyD3uWpk1sSMeHq0ev1SheFozf0vwiGm5ksKt6LrhyVI + XJDPjqyDWC5+prHoYvSBvrc+nuv3uy8iCqYQKdT9ODx9HXg/3gBgEDerFiI7n4wB + m4cRMMlem6VIug5tyKlRzhhpWGXls7BXqNgFTAGqGt+vjVjWGIh7MON+ftePTupV + PxE3ZkmlyAPXvjeP02zWgJpKf/zCJGHmgay8NU03WEw0YdpzfIT9eAlDQOVOE4y1 + GSGA8fgOnhwTjS0Q8x6MxFEY+TgLpz+y78klDvIoax9fI+HQgNyf9OzPUrbMNXtf + Lyh5RoXbNneqJ/cuFuxefg81oor6r4JUaC/AAPd0xIrNtzETT+Bigy+3XYJAZUhx + S/PCEOuaKNq+i+0ptfmRZ+3bL9h0JlXExMDP8EpD5ychjEoWX41aSEWlOTxSEej+ + qfvcDoPeAyvJXU+VFhTXYzWog6V90qz91J/ULSJbV/ql+Dc94PBy08rD4I8O9YVd + 7slxT9wIqXuKg0U9dRfJZ2b9+Fattd+JMnr5bDfVhFfp6EQNTdWeo7f1hr2fzdE0 + CCmb/8x8RWUP/tez6mDQGBDBMBkxU9hNiQsaQv+JXit31uFTHJqW45Ci0VJmKzWF + AgwDC9FRLmchgYQBD/9e9rnpwFeVE/wMmoYzve0SuVCPbTByitZuNxQu0zjyTCy0 + Vyr5xqwg9vjEfY4kXZ2iypVlPTzDf1UurwTZMTkusbOYZP0yBwHnamqvirhCFKjN + V2sj+LkEwuBajXO3md0QL/eWNaPY+wQFxO3NRg9sjuJJgMR+Da8ZPV7U6y0U+Gtb + oARFsyDLaFmDiibczlGa9miCKriHidq6MjWJSxXeCSsA1ZqyyQ78jxfBELiQ6yuJ + RYixb8pNb9j24gQKJqKv0xcL7X0OD97QgfhRH+FVFyGbXSqMEVBqEHXUfHecrwE1 + Dq2LRZCNTuM2XsAOKIwOf1FrJu38TpO9g60UQq+NrTJxVeR6b2DcCzOm67I5pQhQ + MjMs20WmgVWM345PEOZ9OnADATzbZp9GDeJY5OKlX4OiklcEM4/xEeo9ebujoFSC + 3ChNvL8N4Vm14oPgEjZsJ4hPUJ/g49lGq/rhOSDr5tGqtfoO6DSN8wXP9nmS1uFK + ff7cbxBCVoPeiUSUOHXmg4KAw2cdlNh/cS0x9pndE5tLz+Nmo9QvpPE+5PowUMFs + edhr9OcEIPDCW20UhmiQ68eIZ50SIEXRqBZdL6uYdyHCVA80Ope8KJdGozzuiqfU + n6e/T0a/uisAG5M4D08yfMYdwALyZQUmWo/6wm0oAAIcErYCVzBT4D6HXwWq8tJe + AfCcM9w2NbTDTKqvlweAF2+PYoDqFFS+5flwQomnXxL1TQGNN7iFwDK7+PXg27tt + Ozjyq5rEir6GWdQwo4xWKLL+b3lQNpixHSF+ApL0e4pS9e1Zg/6I5dVsCfTTYw== + =cE28 + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/paperless/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/paperless/secrets.yaml new file mode 100644 index 0000000..d8b97bb --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/paperless/secrets.yaml 
@@ -0,0 +1,59 @@ +wireguard-private-key: ENC[AES256_GCM,data:51Mpw8Wgq4SsUokL+AFRUwuKQq9UmXHc2glmiMdjKwa/kvu0JeI8R6pPVMg=,iv:VBqyAk1kNX8IAJhCjBnDNeEEGEKWmUHLkG4l10PMvMU=,tag:uGQ0u+11GuJ7f2T6AA2FHg==,type:str] +paperless-admin-pw: ENC[AES256_GCM,data:2t5nZmpPblts6nZ6Pm4JZMBpwxVMap2NGg==,iv:IbCUeNBX4D0tOIOVGVv71fLwzC9NZZaD7M153la2eIk=,tag:L1FbrYOuwHQBHcBwbhm5Qw==,type:str] +kanidm-paperless-client: ENC[AES256_GCM,data:mEJBDT1qEz6vHrjnT5b9iBjXYbRwcoG2sw==,iv:SL91pO4QgtD+458dy/7ra7+mQgW5P+n7qUdVaXxYbHM=,tag:dGD5mzVRNFLORrMgiVYJbg==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxd1NIOWR4WUFrWEdtMzNE + L1ptYlUxc1cvcEd2Si9NbVZQSUFWV1NUTkJRCmhNSzQ2SjhxeGhKTVNIRTdQMS9u + aDNIQ3FpOUloUjJ0SXJQT3N4WFdjbVUKLS0tIElZUmxlQTRFVTZuSDNrVFhlS1FD + SFNJc0xhZEFUektXOXRiQ2xZSFBWbHMKUXObVn6jjRIm197zdOWF7Y04VeyDJMDq + dXrY6aceQDtgbxlgdfDyU1TZ4pKCU4B5pFKJakvmyaDWHbJY9J0Z0w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rn0pxluh7m8dyeshek06d7scejqlrcewlk8xmyrwt5e5nev2dc2s3s78vq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRzRwVWh1SDVFUVpqbTg2 + c0xGY2dQSTZKelNpNS8vamE1Z1N1c3Q1eGprCnZDQ2dZN2x1YkN6R3RjYW5nN2hQ + Vzl4SWY0cjRYYzZpQWowS2tIaWwyZTQKLS0tIDNLTVdhWGVLai9LOTJGY2dDNE9a + L052WXVhQ21WckwvYmQyTWxhZUQvRTQKJFa0KXsbW3V8Spi6MC8i400tBAHs4d9o + oX5D4HSOUwmbxlzrc4OlNgx8lBrcur1St1RF7MBaarUiVAIpswaDnw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T08:00:28Z" + mac: ENC[AES256_GCM,data:ssSrHidYu6SUIVk07FMJ8p5W64INqRLdynQdizq+n37c69Ogj02LjcuRCH9W4vI0vIsbZv/Az0PnQRUfPwW9nHqJPtvWb5cUS9AK/kpQKRDd60QK8Le7+PPEzemvR61xeUv3CiUE5qh5Lf/AGUs0g/Mw1Ur8qSaj7FZUkKWMp7o=,iv:5KgI5vbEfquerHrKo0JpJbJaoAVJp7gblaUvQyr8TPg=,tag:BiGm5Lk53F0w79gnrBglbQ==,type:str] + pgp: + - created_at: "2026-01-12T22:05:37Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMAwDh3VI7VctTAQ/6ArJY33wV19ZxD+05B8roXhBNUHr7BXI8zBLwtiVNHFTQ + XC7o/Ku/xbVtktWvUA/nRf2xwZoKKHUS34Bf67HZisb2ErTh1VJGRl0Ul56/Acd+ + CCe/usmQFxNKExlXsAV724LNhdC2ETcr1i25Ri3tuacNUfal86jG3P6OOSBMsH6u + VGvB/NO+Wg66piG2+VbkQ4XY/tBDtCHWibqPDDFR//FBZK6akzSj+nhOTaRyVjjp + NGOTLFHhoPNhn7VDtXpRBqTdsEvK9c91tN12n7urVDagPeHFLdJogtzJxwHO+nCB + uctTrhe3Vbo9nsIHIlYol4y4IQTAPddbtXsrQq7Iep8++eQlQSkg9ugjIDRRevZI + eu34dd0m205edZqpLARMvydqQe8L3l5MNH2Tugw2+N5BdbJQtcWk1AcC8HFS9agC + hEOzSVVbqvq1Vcq+UkPeEgG/O94BR6y/mRanSHqIBuzvyuuzEmpOygPG2CCiQJD3 + Oxy/MJ7JJ5hdQ6obFHnd8VST16OflJ8+PVacPiX3IhT7AUgMrGKKPZAJpRpKncJg + FKikVD2Hx9TZPhnL/EDG6tOnRY+C9lTALHYLIAntZRagBS7mv5zcaul1W7c+egRl + 1nvd5NVdGYdFBnV0L9HITm6EsbzCvikFGx5PUjNlku7SVKDTmqDESfzrRjCoMWCF + AgwDC9FRLmchgYQBEADCL1MqvU8w8jYqIvZg35Erm97HHuTBXQIvZgGRFNrZUNcn + nkw1e0gFGsDjBbsuSzKJtlY3y/BB3zhq9WJTtPM2Zlvosvo81eKr4rfJUEVN6s8Y + WjErjdLHRgm4NvH/sMMmX3NhBgFnBzXdN6K0icikjtv7JuoZ0FVQFMUbjispLtf4 + FzrzBnxO6OckJkcRlXurwuovfyT7VbYrPzy/SACwXRx29QcrxWXOB26bMEl7PIc5 + /wYxgIu34nQLqujPXsRH9yxwdB0ke49XFEjH5QpiRWiLGOMF65GFOwYPO615h4M8 + oEg6G06uzFASwEhru0craW5Axq9BgSDrQPsQJJkU+yE9Zl5HRmjBrykl7uidd2vw + z47VWMExNBWM9sUYlna7ztwxXwLQldgwaYlpsMgsdkKvSp6W91Qfuswg/64Nnzg2 + R/8gYv/AWGHwjIIVDBgi2N6/71Xqk6BFU0FxXs3SIGkGj4U6NcaJN1KXWM3kUmmn + utrhh5KNv+7CbSZimWH1ReJdPAmg1R/pz0LouQN/g6pQLvNN+zPO6bLCs3DKMKth + X7r6jBbxyc6iTY7VbPxna0hcmrZHIX2HVyYnPMsEarJcF9swTR3wdU2kxzNIa7Mg + ctMCuivTTnna/cizzvWISDyG0N9q05h6BKoim8V1v1iVtWtjg76+7IoDoP79d9Je + AXFEpO0QZrcY8uNw95b3u4bdM7m7Urd2/zDqAYltySM2MjrNcgwwNO6CYvL5fEkS + AFlYlvCtiqBIUQIxqk8lzxDWyy5DOb2/sSOWnf669a4CBNreOTHjaVaJvoD2LQ== + =ZVbl + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/pii.nix.enc b/hosds/nixos/x86_64-linux/summers/secrets/pii.nix.enc new file mode 100644 index 0000000..91992c6 --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/pii.nix.enc 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:w/D7rqHWsvBxUJaY4D2b3+aJRfoSfDwwU5L3facXFtY=,tag:3pwiviZYNiKe0FwteR7CxA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcWF5cDZnWlZBYko2UFV2\nNGRMNlNzejVGR3hJSXNjaFQrWk1FWU9WZDM4CjZBRW9PbG9XY0V2T0dZTVhGU1Nn\nOXpXSWdaeHRNbmd5S0xuUkVuLzlidTgKLS0tIGNXckVXK0d6R2dNKzFzYTNPZWVW\nT0QzY0kvNEJvSC9CWExaRjBsQjdVYU0KavAD19+DC502a44wxbtz8fbxwIgpgE2c\nU4LlkgvkrhtTTiu6d/LiAKfqM9PrSajBdO8YrTpFxkqYgfi1tMoC8w==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-19T14:24:03Z", + "mac": "ENC[AES256_GCM,data:b87qyAxWtLycdtKTN2x+k9+CQB+JBUarfjDdrIiKBSaBwC0Gg05W5t2j1TRqi5NjA8GITYRRIHkzS0jx37zoLSmrJZqzSg4hTlbMDdjeGZiJt+zi7rDSv1HRSoOHz6CoG8XQYULNri1qcLzjBOCcdIFISh9EhXOTNbrwJ8uF/Eo=,iv:sFefD/bK514/SJ3PWJgL5a5Z4UHj6NKvJkLi0HhqpxI=,tag:v6CvJ1o8lKAAx1CApW6sdw==,type:str]", + "pgp": [ + { + "created_at": "2026-01-10T00:38:26Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAxZP0/unKQe/AK8lpaLcPSttcLwSXosaIa9PFoBpW1iJC\nZSGx+HcWufN/aniE5PMEa/ibI4VUESuhPtqolAf8DD1ofhIwMIHTcEFvZ8bLQscv\nt31mGECunSwMhmmszRkyJb6Ic5tx8I2mhcQ7Nn8BVTlTRUeq/NNk2gKVuadd1MLG\nb2C90uk2DQWgU3/Cu8k9s8xrxSVmDwUEDliyY9tKCStL+E1UKbsc7iR494eDWrc1\nUjV6e0DjbWVaMAJWCUSHBSaEEQYHEWYoaQHjLcosZoq1ihgmEQK69r/vKl5tY6/u\nkAwrjWK04szMJ6fWI8a/56lwtUTKP8+tP9afRE5r4D8/xSKbbwIFUCAFRoIMRJ7/\nRst5q/kiS5G+9UTkT5TrKp0sxTbEyfucREMzUiuaMK0hh82DJM3DoYl0BhtFiNUA\n0xjDbq9jDdxxf6qVc2+j7G4oBZsEpSGCGeBB8V2s60A04HAcPDl6KuJgdNn5UGKT\nztleh7CzQxupByprHh/a97XDvvNpvzz6VGYtsIv42IW4sINgDIImhUdYFYgmRn6j\nrtJ4f6WWC62YENjiwR5GRm3tPjK8iyPh4XtSokqKSLe8NRfLK9+Ix/ZAS9woEgtb\nyLejKc35I229Cdq79uDqzj+oDr34q2M5+4Q3mU/Hk4AO3BGb/++v68z6r7EeqziF\nAgwDC9FRLmchgYQBD/9pH6hLvPyM+pGNuRVWYVKg9xxLVu17hBKV1U+VR1flfT5s\nRhz2wvCE3/JRrTyNDKSwSnFiZDDoq9o1tGmHn+C7pgZGODTIBiIYdQoweF1h5l+o\nc0gdWb8PJROTHGJvl4PGZEeGsav0vhHlSvbh1MtmbldGgZQ+LFwdZWUMMXRtHzGZ\nwihOD+dyurdPHmyqKnylna/uvI6SYwLoW80LzZ2HDROknu21q3P61Pz27aUIX+9S\nBfM/JAlhdz21jgmWNinV/zKiSze2twFtpjniz92lb9avPNs34MRbOCp/q5b6rai0\nanEcSBigxcrZR8Og0cPTKYlVTwuHej3wjVEtH9PUTmihMwQoU5RQloySlaEyAKZR\nL9h8sdl+PVh+Yc+Em8WM0XvdFwYKwpVUqAbUeYQV1sBL/oE8qTKNG4xDXBnSUvwF\n4zSzZ2ulkTl2J3t7uNUKI3suU21T0A5+MKB2Tl1n6lK90djfKnlQnbvUsVu/l4HG\nOvOZgaR64wx7ZQymSinjqNnITuIpkOEZ6Gu0Kg+hJPOiXPBRwskpn0P5piUhsbvX\n80fyWZZvKxealQyqUCf3ZFKir/CNat6QDvPRvGgGpgYfIC9zOxznlcEMSZE77ZvG\nCHQBsRjgn7EdI9I3OQZvZuVBtuSQlPcUJXuOUqyptPG49frMtg9cOlI3Z7xRyNJe\nAXuQhlSzBIdRD/Calc9dlJE6ViFePryA6VAUYyF2KAsPdSXK0AzlG2tAQY8nbxfq\nLn/J5HToEODGX4W95mkBl/+qgjbDVQU53fZ7NDPrQLBBXiGgR2pZKMShs/jtzw==\n=Fg87\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosds/nixos/x86_64-linux/summers/secrets/radicale/pii.nix.enc b/hosds/nixos/x86_64-linux/summers/secrets/radicale/pii.nix.enc new file mode 100644 index 0000000..2455158 --- /dev/null 
+++ b/hosds/nixos/x86_64-linux/summers/secrets/radicale/pii.nix.enc 
@@ -0,0 +1,25 @@ +{ + "data": "ENC[AES256_GCM,data:+gy58+DZWMwnfjFLa9rIoV1lpk2NtEd2OnTOKRgNqzTqYPo/DHsBhDNMvSDPpa8=,iv:pax5GFmUDJURjSoYVpuWPtTJHFJ938jb9+GlzFqtl9I=,tag:5VmVjszfJhNYPpa1FsDXiw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdk56TXBTMnkwSTVpcjJa\nQXVqbFBrVXg0alNVRU8vUTE0WVVhVWo2OWpNCkF6WTMxSHNpVS9HSThzbG1qckdr\nQjZscm1SeDZJRVhTbXZ3L1drbnNyemMKLS0tIDU5NW84dUhhMm9lcUFTeE1JSWtM\nZTRIK2RBZWFFdnFwRGRpVmFZa1p2ZDAKoTVtGfVUCibVZMdmSPuSB4+V/v3JoLdN\nJhkUyG4ZLlB0CVP/o8Iscs2R1+2uMTVGFtHISUpKv7pskfUdZgWGag==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UnZna3gxQ3JFTGRDMVdU\nUGtPWFRoWXNoMmpSTW5wWXl3RmcrOXdwSGwwCjYyVyticEllVlJhZHc4SlVjdkli\nOGJ2eGFrL05OTFJ2RDFGNENCZTJmWW8KLS0tIHpmcDN1bFpRSVkyS2ZkZHBiMW5L\nSGgyNFkrYVlaZGprZ2ZnQ204dkJLTGMK0A6Un1SDu0ipQZXfOALR/3izQLhr5u0x\nhNtU3Qgbv8LrO78PGxTq4bj2SSRvlQPnA66Nk9OCft1Tje50KoKciQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-08T08:05:10Z", + "mac": "ENC[AES256_GCM,data:dqrPYwYaz2xcD6OsTrqjSkyNT1g5ntlGr+3WViuhuV+UcwmGFSQ4T0M/vJE8tGiopoxElfxZJyYGZ97BnK+WppIUiFGOQc1hcJhzFavo/gzz6xQsourq17DiXJS34VKjejneXDY+ieIUG4xXUlGWsiyNnBCGbj3STGLYcxtvKt4=,iv:mozuoTM0gS8peTfe2Pm+HANZZJozenRCdQFcq2eCHC4=,tag:MrCV9VpZi4gKMC3eWYzgnw==,type:str]", + "pgp": [ + { + "created_at": "2026-01-08T08:04:56Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//QXKt4eibQonofUjKAWjH66ZuBNN6sVY9ioqAQH9SaKob\nOPZVTSxNn/4zcMulticYpPyQuSdvGx3GTAYx3gVOSXKHnHo8nKRiNEq9ZDx4A8CN\nJkvJ3R74/XLay6sO7gCGsfNe+nXeNiObanyV2wNwsigwr2NjItERHMCH4//sFm2N\n0Y0LnuxcRL6Bty5gQg29NZaBiYNWw2viaKIyhAqeC7ner9iIYeHre9eEhU8+Fouh\n1aegkvFSgDqzPAtBSFW2rP65HIiQEh+4FB6FlJmXqnIK/FCozDpH96xn0L1CMxVk\njRExv7K8s2tCKgkJ1pdbs1QBPJGuXKMFDagNPl1vVj9cTBG8XAaJ5td+Ye1Kf61f\n7SLdBu5Rov2kp8fhW2tKBWySpcPUxiVQkS73kL0j9L8xZMcw5e/d2KOSwXalCs6p\nxMF29SmraOSG93q4dFAyO73rbVwueE6MKe5Q+h/zFMK/V7U/WWprDaL3VoYHoQjZ\n6dknrYPPUcgAdMqGYGllY0CVDeysrQQ+QFgWnTPa9kfBn8EUSbNzhxaISrUJ6xYX\ndTkRa0f8qYCiGNZ5BuigA/yH3VDMIaUmJYB9XbpPAWi9ltZuA2Tt8cQ1oPWm5SDU\nq3ct8KP6UqwEXXawC75D57Z8R2mUz8dZGyACRKHWnkjEQZE892Rymq+R+BW/cu6F\nAgwDC9FRLmchgYQBD/9+U7ducieN9QpYX7ZBs7RP5xUCtzCV/dL4Ps7m5b3ZzlE2\n867eFCSn6TMu6/KBi1WmsJJ2eSkBvYw3S0fEp8O3n8pvVyYZBIgmUM49oTx+Xnjb\n/FKRj+TxMYjlQyAXIMFCXsrk49genJV0mGSODn5ZAKj5Rhx1Kaqm1tkZ+ZJ0zzJr\n79NYypQjMsuhA3VL+MkxE3zoipOeU60KPaR7o7uei/PHBtcUtSOLmJEvaZ1XVM2s\nwtnRQXeyQwxzzNE800wWGQF6PDMvjFp63o0Pj+Ie0dyVNS2UbebjJl5uR0pn22sq\nUtIFTi/IwwwRYUFI1i6Kkw7igfyaI6ThO3thxfVcBzi1/7pMNbD7yiIOBdZlcgoT\niCqrK0+uyfPQztJiseX0Sn9xhA9bQK6ob4OnZoHRF7EKXC7CU9C5ReGY+W7EKSJy\nrJ94IeEPHojjnkH1RgK4h5gxDiVJ+d6mQhbbmPmXomBHaaViL4y8gs7cHNXL4v2/\nDH46EUoljeyUxvxIQe5UDBaGB1AwoIrCQoByCmMVGZos1w2QKG2cUXWRfLY4vUgo\nA//hfPyGCwsM88265ohNqx1kMb9qFHd0P4uXaM5wX3hqnP8NlR9JhHOmtjXEXj0U\nPXuqLvNw18ytb1lQ/6lvIfB3nTz6Cd/CiiMtgcJU2AMFY1etgztcr7ZvvfcMVtJc\nAW4txy8U+ulr59a9uMFcjWl8MnEIW4fT2NqJSk27qWMxdkcf+O2prW9wilkazctC\nFIw1IKw0y9ahLQmCdjYwHw0iTqOAvpcJ/eQxhTAWrGY1pCAn7UZhpOmXMn4=\n=xDUO\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "version": "3.11.0" + } +} diff --git a/hosds/nixos/x86_64-linux/summers/secrets/radicale/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/radicale/secrets.yaml new file mode 100644 index 0000000..d4f74ef --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/radicale/secrets.yaml 
@@ -0,0 +1,58 @@ +wireguard-private-key: ENC[AES256_GCM,data:1yvGiPIViIM7PZc8fi4MRFo6X4ZP0ospI4bx0SwduI30Lk+eWMeutvSjUso=,iv:mcefti2M/qe39zzLp21aMfMI5CrUXgl+c/BvncRHGdU=,tag:pO3TR0utUc55EEbQFiX9vA==,type:str] +radicale-user: ENC[AES256_GCM,data:BBo1TscIK622Whg=,iv:yRxEy4sVlZNzqGGML+dCeGzN2viMT7N9Eg9lWYSGljE=,tag:3cX1cfTzhxNYrtk1u3lLXw==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1YU82S1BwWXJubVNNMFFu + VTN6Tm9TaTMzdjVmdzB4amVqYlRPemlHa0VnCkNqQ0JEQnBkYnMwZFVYZzlCQ1d1 + dlBXNDRCb05QSUNhS3EyOCswVjZ0bUEKLS0tIHhiTkdOTE9LNDRGRnE5Vit4MXBW + cXdtV1FCNWNZYkxvOWQ1NU1zbHlXVzAKWVblTzYX5NJ7GDZ1ma1L7fo3XU9K93w9 + /qVeTSiP8KhoE3BLueaEUZ5J9CTPXmb5SQ+4D7P9i2DQAqcVDtlccw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1gxg2peektn8x36kk3nsgmeawl73e54kaadqd649ygwrv43kkvejq2cw64z + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrd0tiT2gvbTNUMjQzM2ZN + aUl2MllvZlFsaVhjQ2FNR29wOWVmSnkycUNJClNsdnd3alpCSUROSXBkSEx4c1lr + b2lvVXJtWWZRT3RMaVpjendaSks1UjAKLS0tIHN5eVRXYkJWSm9pYmZXVnRab0Zr + OEpYaWt2TWFmWmUyZWx6NUJpZnVWYkEKJxAulYLyTBmFPBCcYhCLmgBUIGJgYaCh + NC4k7PzIdiKl29tAolW24aZO70EH8JVCirjpWQlKo8W5hPSaJv/q/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-08T08:03:16Z" + mac: ENC[AES256_GCM,data:z+ETj7inVkrg3lniueJNw4VwMp52S0wH+6kEH3bWPvMjml4Biy9wUqatlayi4cHsYQaEL/2ok8bi9rNuMrYYWs7qieLDZfRQuHEJNdylPxIKrQn0xn91ihbQJRyGMCweEtaHNR6uZY0uKH/wvvBlBLcZmuiXtPU9CGPIh72fTdA=,iv:41h4pi70SArumCJ+RqdLKlaiPwyqW0Kzro8u/GHNvxI=,tag:1kitWfua42WtVlWRrGJ/TA==,type:str] + pgp: + - created_at: "2026-01-12T22:05:39Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAArEo4xS5vSvBRMoU9IiazfF78cObwThwoes/HQL5wSnpX + 6rOOOIaFZv8MZDcfeS7IZCoUxBsuDIpCSHY6bo/iaGOzQ5616+wS8SZTz0x4aU6f + QLfmAIeqoNU0mcXVsGbm202d76XNYsGARpHprIktjhewzRFa2B0akZGxQ4RnuErT + 
5lIkyFPKXB4FxXmakwdUnVj5lcx5VEbmyNtsrcqFpY81m+DH9hhRsI6Q3ac2Z2Wl + iC4vVmjGSgex//HXve/YDuUGndzfZQDtk0HmTgfD3+PU+YAWF8ikyE/GhtTV14mg + dFsqYhKEQLGziCxIkx91vejX2/80eh00uVSGWJ/XiYl/xaXwEz202pVfEIJNZE5t + LPe8mYw2IyYkq3CQy8iyB2DRZGqHKcMftXU5upP1jeDUXvzj3nUEaG95XTWT6hmy + 2tWS86ZjQpfTX2e/q28L/knl2yHI9/f7e/udpYG+5xIuVY/0732aIKwBNVmEDI6+ + y/08NcJJKRCE1aTdfGf3jNJteKQzUlnaQD+HThpFq06RW/e4PXitKyWvdDydAmfr + vKFVlQchdT81fA6J6SK1GohDa8/q9frbaX8iLpyV/l6c7KGJ8BgTUl/rMHCwZrhm + eJMweyc9KUgkjmhcSvZ0puyp5xhPPy6DD6EXwIGyWiAIbZ3sKLFuWC63CJwQQHqF + AgwDC9FRLmchgYQBD/9mRhx5N3zfewIc5ZKZLwo7gqv3qex0m8fLmRHMZxGREeDT + hH0hrvYoab0eddg/vywzIcvqzysErvKcT61Wdo6kv+XDAojJFCN1xAhGbgYF/M51 + LID3j3oo5TL4kMBU8NES6VQHieAtV/eUIYbx/G75X/bOIdloxL1V2MzKu59YOdEv + P8KgtkA2kfbdR/PLl724R1nHHoCrt707T7RdJP8vOAE6Vu1v4xPMC3Y2vgkrAr42 + K9/qecQg0RZQJRA73fEyX6IIsktJxjm7YaaznXSyBqw3YlqSsPSyT6sd8SDgTBju + N0n/SOcrgM+X8tnq38XTbQFVlT7dMr/e3Flh2a7igA+Ceaqn//gJi+fOzd/9kP4m + ESCG36+qBRYaqDyYK4BzLVJhhG4qr6pIHPd8t61UDB4QbjvwOmr70OQ/Dmsp4KOJ + +dADOOoIe5fHbpAr8Fc5Mj7hvkEwl3B5uOgkkaW7xfmwhbogsLBRKBu/ZhK7QAJL + LjmMzSOvbw/Vai7X1myDiBtkubnGHJ0zrWqXLIlagH7zts2jygL4VuYJftmCJ+R+ + kAQ/x/AYew6DgLdtOWJpOrs9lNX/T2uEtCQSNt5l8/7EfLAHp65LPSo4KgoBhflp + bRR4azACGhnH0VOzpQD6grn5XKLJmtRq2+LTRM80TNlNp4kCysm4HwijxgaxENJe + AfU03Aj5CVREQwC3sUllLtz1W2BPFh5jzisktuNU9QlExGZXGUPSxFuxv1Pi5m5Y + dRfutHRl+2kDAgXj+nP5b1rdFxTHLaxCVtrL1qsu2Xq/jJDpsfryqt+preZMyg== + =cyX1 + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/secrets.yaml new file mode 100644 index 0000000..18099db --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/secrets.yaml 
@@ -0,0 +1,54 @@ +resticpw-SwarselState: ENC[AES256_GCM,data:rJrpeiNxdGZ3NF0=,iv:NHf5tp9h9lHDzTNogFkzhyBXgJVSbawT45sSvlSn27c=,tag:D36aXm3Q09cFiaNuJjL9SQ==,type:str] +resticpw-SwarselStorage: ENC[AES256_GCM,data:uj8smcKXrOzm+Sc=,iv:ASXoj5ZDgW26ri4LpxtbyUbPoc1IvxIYxjMcM/waLus=,tag:sP1Q3561lMKXYzuDkPC3HQ==,type:str] +resticaccesskey-SwarselState: ENC[AES256_GCM,data:boY2ai1iHwjaEUXFrpQK3Jpi47GhhTF+5A==,iv:qcYJE2BidxvesBOBJU/KI0PqXCpb9Fa5fr9gRcE4ox8=,tag:XAArkrmA6n0hGxU4+3OSGA==,type:str] +resticaccesskey-SwarselStorage: ENC[AES256_GCM,data:b3pHjKJP8+pNwoR/0nj8kidtKZcqUHAkkQ==,iv:MKEV6AkkTgbZrc63DipIxPvm4pl5/elInY6N0ewl3ac=,tag:OZVUdGBq5HYCX/NL7RJgrA==,type:str] +resticsecretaccesskey-SwarselState: ENC[AES256_GCM,data:2tC7RKRQM55dekqc6DLsgZqIBQbmWJySIXCOyUjTMw==,iv:a0bjCwmFTUZcJlz9WMp2vorwm9dUxg/7ulKWtL14LiU=,tag:7jbl6AGx7dguM8GmTD6MHw==,type:str] +resticsecretaccesskey-SwarselStorage: ENC[AES256_GCM,data:yjhLY7AuW3m5tOqfiAt6IbVHTnGkzSGzjkoqWD3wvQ==,iv:+2/dSke3LlWQpWa8adNS65M2sbfNw7DbiFCruMHnBRU=,tag:XgV4J9/c5yg0X1eBN1myXQ==,type:str] +wireguard-private-key: ENC[AES256_GCM,data:lP5wnI1YUSb2PJUo8LvCogz0gfwwnqgYtNEly2i8P4geQVGnsxCz2c0ZKgM=,iv:55gjJ2K15EB8i9iwNNsuKwzHZsX3RvsTKNAnr+Ac4to=,tag:GPscRLTJSj+TNJ/15pM1mw==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvVEgzdnZUTjlOM2Q1M3pI + VW1OWEtGczU3cHlXaU45MTk3MzNYNnh4L1FJCkVNOFBlVUFpZFZqOGhBVVBQR3gw + SzRXbEZyZWNoZlVwQWxZWVZUSFBEd00KLS0tIGs4bnd5M05DMWtOaFJDYlVaY1RU + cUpZZzBOZHlZdzRoS0l4SkRER1JQeTQKBeYA2sVQab9moaYlT0jE7/zMJvOJoC7V + QwHXwnkjZCavAC5HIn82PzJ0DNrMKSZ136AgA+F99X0ZFyFnEIFZCQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-19T14:12:00Z" + mac: 
ENC[AES256_GCM,data:VsZDoY88nMtY6S87Odi641VrenfVOraWDgfGuKVKKrcUJtTTF4hkwI5b8dZ4Qz/9g4IxW0Siht8qodqAEnA5bvDbMlabIgIRrbO4hAJjPYEtD3Q+J2n8PVvWLU94DusgN0A4rHXbEq1Am2bUjcXKWOg2FpkUGrkJyYfj6R4l6kk=,iv:ZPMPs71eoiEddKTDwIZbYUziKDVknXGMyw062i3X3oU=,tag:IiXOOiJzuN4M1jU6dZdTJg==,type:str] + pgp: + - created_at: "2026-01-10T00:38:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAupwKI+ZxJSXN856THn/72D4Exl6hY+Xs2SlU/MO3USYV + 1/2SuZK6x/yl8tXycUiAJ/G/2iPEkE7QIpou0Ck0Q5dCzGyEyjh8d6myEGpCXTyJ + +41bMOHrnRWpZ1IPeU2qfbp4RNF6i3i0VOSzT7Hi7i7xDGQCMoD6yRwo2NH5T03P + DNkssIZ2V4SbCF+uHF5wbNgOlBZcLex2I/0vfgQXBz2wClaVY/YAkKarjroARhI6 + K8zaueup2/uJr6UBvsbBXdroYSJDKkzl9cMl+g16RnqQKPj6BMKD12c3w/U9Jmb6 + dXGWjs2xLQJ0coD9pl7hpSuYBBZk3h4/wpI1Tyxf9s5qra4ARtJbvlhztkYbTnby + vrOR6zFrbqHuTqPIil2rCTkMGXxEgyJ0sMIWDWRF1PUb8LODBBhgfYSUHOZM3rvK + 1txWY7Wz1SOO2J+MjCmgvEUakW1Pp4c5hIDtmRTBwlEx0s1/Yb6S6sTPloNepDnW + ev0YJIDX4zdHn73yZaYOrPX6NsUSSHC9SPVHIZSOWO+nO7DdX/eSKd5NbZJEyKcf + xUQoKvF0+3Lg7Xh/p9yLfmaMEQvTxBcBhBmYOxboiKOFacJBVz4MbfSkCXm4IAeb + YW6ToixrOv7Dm92ii5uqfsOtnwP0LlMa+x54wc8S7lqND1Yw+CHGgt3AGoN9hDCF + AgwDC9FRLmchgYQBD/9OfpyzNpwlBkbqWXcygmkd9n121KhPdIWd174zcDmln0h9 + 3+1CM4MPerCOpqrLKI9KpYUct7b1ObwEcG21famUR3scKFSSgaPWst2sSz1W0YmT + eRJ3TZrO7gVHkWZ5pBjBFbYa3E7P0LbDYcXJrEa74OKiW+ukICYvtQp7s1bLMoH6 + Gy23xglPpgb1tMhLk6TXbPuj3p2rErUjhR+f/TNmStliVGfFmnYSigGlG3MZmhSp + q6/SFeTCbWg6qMqgCxz1xvG7zRTVxTKdTop5YF7lcpY25Jso+z9TPGfWV9xzOejy + ZKE4Jako6mrkNmgYZPL5E8y7R3n9AZnieXzgKC19d2QFergy5wp41Qwwpk+YCcpR + vSBLcIIgHDizDI1+1878MvBM3soRcyPhkq6Y/eg5SuUATvG8k11VxznO+iEXDv9B + G8JkK6IOYwYGhaawcsmwZedyrRq97DEZYgONemriaY/UB2MT3uY369NDV0UrIZgz + FNXp9GwuaXj+M5MJaG6//G36IKnhEBJqVvmqpR/FQiSIddnGYJrW7WkGEIYsHLEy + sF1vmblhE8f/4w3IrNv1SmBnE/IwrKe+OIT4b5SUFQaTFe8m1fuj7M6i+LRcsJmi + QQ/G3OFbZVycjjz+3Wm17sOez5UDzTCTgXfIxLlqselCPjEmNgB/xF/XNKvcxtJc + ARnZYFJHNPPnyvGgT5UO0unihVvYwjANSspdUVo9kYfgO7DV4ptN/eRYppZvnSIn + bGBYIVuHzTQyfjNzgukghJANWctbyaABv6wZPTO6/jjNtkMAI60+vjfKCTI= + =OxXr + -----END PGP 
MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/storage/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/storage/secrets.yaml new file mode 100644 index 0000000..5f81b8e --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/storage/secrets.yaml 
@@ -0,0 +1,57 @@ +wireguard-private-key: ENC[AES256_GCM,data:IsQLebLnWOCmERQLSmZAASOgxyg8itWr0o3rt6062cbWIDLO+TPJTDtlWRE=,iv:bhhFTLjhHMTfEyynklpWPTU6KCpBZJZoRLlr0o+Pk7Q=,tag:j4pCfGDo2CQPpKmpn6gVyg==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByQ1BZbTJZVEJRLzN2N0F5 + c0VWbDVTZE5WaGw4WmM1RzUvMnVXOXVvOUFVClBCK1N6NnlxS1VzN1FOY2I0OWpI + S0VCc2djck53NFZ2TXdqbE1GQnBTSk0KLS0tIG1XNnNpQXRnbnlsU2UyMG9VRU5E + WCszSmVmQWZncU50RThkcHQvdVFMQkEKVB6ETsGVlWYqTgwX00wgasCTucYUlamR + HqiwLA5dpoLCpTVoZvp4C7iIe4b3oQtXeY+5cAWF9hXvzAGybSM6DQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1kn34ny229gm0rg7wlcvxmcyjtz4gka6f2vd958fde6vmuzrxcvcsufra90 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeDhOUWN1SmRuZ1VaN2ha + SlduNWd0L3hBYjVGV1JMYUhEUzFPZHpwZXo4CkpRb0ZqeUFSemVSK3ZYRnNrUmty + dmpua0ZlVkhSOTdpMFRUdkg4bG5yYkEKLS0tIDU2SjFMRE45NS9KWTZyTzY2aUpi + NG9kUHZNaEF1R1BaMm4rc2NMSXdhd28KY45+ozWXWkKWaMQWh0QmkMheQiF2sqos + oEQ/q/heFzj/nK88GmlRfZY1UqGYflhBsPQqUz3RhWKGVuLWZXIe/Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-07T13:36:51Z" + mac: ENC[AES256_GCM,data:eRO2+uoeWo+qeZR1gf7QJbydXvrLWwQQytNDM0Hxo9S8ONrSK6uA6Vac050Tmo9JM3606pr9RR3RvtRn20jcKI9X1PNVayE/hhdgug7O2CzpR7Xnekh7PM2N9hLgdH8lKdOASPXTYMQxnvKfX0oWEjLnRa28kK48GzdyrLh2iU4=,iv:UQuaMAcVjgz+fD99lJPMRvcWNduYxCccKDnwPT1ikf0=,tag:7VgsxiXcYaHnQyUoOSvmoQ==,type:str] + pgp: + - created_at: "2026-01-12T22:05:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ//fL7J9QIrlwSjvG2jM/KqEkdJZ8RKiXGF3qcWMFeMJqoP + 0DYgX0/M1c9TAcr/JzFCSzBhKzd7O7v0FLHDLaEpD5I3NsoPjfpJZB3j5tfvJD9i + O7lR3cLKiBXvA5JCkuNifKok63fR+k6RNirLJVY0UJe126xL8K3gCb7GHxSd5EOy + OUZtO6caY48gxAboVn0biNtJRZBS5wo9kaNhAahy0xsHmf/K1DCxpznFlVTGgFMQ + plnIeLSNTVgDjX9gm7/E3574FOONeU3MsUgFqxEcm9wul9cLk4+0sDZ+5OVpxP8W + 
o3RDO1uLm+NhmfmFamo+grSbYLHRx+dfk3I2JrK2e7z9xDqsQ7a+ZRiLmNErpG52 + 0MZTIkbm5MZRt/QU5bLNs4W5dtEqwf114LG9Nkux9i6auKfuKkTCMaGvixncdcIc + mXDCjzqWriQFEIPpwTwpBpEqfXE2au2gnj4oC8Ayu9khG3hH5Oi2VU3PjFtrUOcy + saCFJi+3n34idHqFgCYzBnqQwtCG927EoDT+KYqXIGQuxLyEn2yO0JiTI9Z5so8L + +cPrJmOT4e3TfdsIGpLGPRNvysPc5TLO7neplLy00QzOMPy6RidQPeI3E68NCTjw + mvztc1x8pMqPQZ4skamnbF+xVGYCPJFrO0MRxvr2iRpCfPTRK5AsTnMTOC3lnaKF + AgwDC9FRLmchgYQBEACwiOm8QhxZh5/ODnAM8KhRpZPepFMx5QhgAcQsvpo9KExQ + JPd7BqDGNe6Vj5I+eqAg7KihXLiv5PiOZ0CFp8pEflJrLUmh2mdB8khoVs7Q/MvE + JgiZ29EmN6nowpJAPTWHRooo63vQADCVaPfzNgAGcDeC6lz7xOFLyI2FMMBDMM3T + /H3D3QnwU4l8lEWx49LNHIH/028wj/pccTvgk+zBgfCM3zhpGzQJM5wtno6Mfv25 + di53YEzx4PlPBeR/hqtdPm0LwpqIcAVPEzjHEX7Hwe6vZ9+OaqjHtna6fo1HMh1l + wUlKCwf6/p5vKGS2lOKkM3pmrU7ADIs5Bdn+uncTw4hRtF6ZdOY1ReJKKkxTzxN+ + jKLed4NeBIy659jzHKdKqtCDXradVT/Axt+RQ/zQguijVQmOjmfMPindCbaoGA9W + g09cRxiGV87hDOgj3cjX/PMDxAjkperYaIEh4p6zbrH2nwHzbjpQXTCgOhZSByJ+ + z6J39hvFjB4w2vF63xoceZoiQgh4iQdClU5API4vHX00tDBLoUSCEzMFOon0+yo9 + j0wOKt9UIAY/3pJL1WxOWf/3AoiTxdyBa6f9meji6OOtTupZ3TqFLR9lKKl1jd5Q + cn83a7FIXnyVto1Azql5d8Vd1VxAX/XkwH5mUiI5/D45wXbSoNtRu9P2+DeHs9Je + AbpwcZthRNHDncWRCs+wnLTlTANoSJrvdKI9xYWgfmFxnoAMhqnZF08EKxQLg3zD + /W///uyfXYRRnVwg7YH0zihBoKp042bp8bZPRuj1JgyyS8dzidSWSs+jCDed5g== + =7i0m + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/summers/secrets/transmission/secrets.yaml b/hosds/nixos/x86_64-linux/summers/secrets/transmission/secrets.yaml new file mode 100644 index 0000000..1cf7cb9 --- /dev/null +++ b/hosds/nixos/x86_64-linux/summers/secrets/transmission/secrets.yaml 
@@ -0,0 +1,58 @@ +wireguard-private-key: ENC[AES256_GCM,data:o3wV7UI5BSV9YU0uaumgfFWBJlgMewpUqOusvcGWxOW8dSrT/aqpT9iu1K0=,iv:fNf6fOL8KcYBxmfFLi5K/qPmNfon16HE1fgQ86qNDNU=,tag:BoRbtrw7jvENAn5wiP/sWQ==,type:str] +pia: ENC[AES256_GCM,data:9bMMSavvHTC5UM24W+Gsy69VQdc=,iv:pRd18+/Yy8BWp/kybOqM1VPpIkS7vLSWXZ93PZT+mAk=,tag:DYiiv3+zl8N9UR2X4Yv58A==,type:str] +sops: + age: + - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMUppRWJtOVdFa2hvQmtW + ZCtjUEwxTlVXTlJjUWpERVlJYjhQNTI5aFJFClRpaWFWbmExRC93dDFQNDVlRDNP + N3JHVzBGU1g0RVBHUVg3RGhBaitOOW8KLS0tIC9uTW9tcDFxSFppdEt5ZWpzUzd3 + dTVFelhnWUk2YVNCczA5ZVFEdmpHakEKBkd/XczNimSP/5kny3axRbXZOfPAhMVW + H0OSWxamGLQpnsSHgrYdSk93Bcq24ziuVzHEaPEDag6XC7UNvsNERQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y69f2elvmq39lc3t3ucq9y7wt675520n7rvug88qg368qsmmk47qvwrtny + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhYTV6MHNtOHdwSTdTaVlj + Q051M1A2eEVMZHhTRXNIRXVrSjJWZzlMTHhvCkNMaXZsRFlVTXlINGlIWjhZR25q + OTE0QXpiS3NiQ1JHVlZ5QXV1VEVNelUKLS0tIGNBR0dFRGZxYys1OUpSU2NHcWV0 + aEg5NzQxeVZPaUY1bTBBa1ZidXJrS2MKUCsDOnsmpOZTQsnvdYguDK8uH4FetcXq + nKzlSJ8zvYXzb91PfCcjYbp3ttUGeeJLVPnrD42+3i8H2U8btSrR8w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-28T11:27:02Z" + mac: ENC[AES256_GCM,data:7QTzIr3m0Gip66y+RNZrmmbUTn1jm+7PrEPerH/iw1resKHU5g+I3cumNqPt+iJYIbvNJmzfi5g6qLyjvcIjMFK8gy+RAkQ86r3zd9O0sWd9Nyd8OWstl/8srxGQNK8gWNEFIF97Dz2Hs26WYHa5NTWrZkyblFjJ2a1EiL+mNzo=,iv:aTF8ew4Ucu+QqiOz10F+KyuLb1Ukz6Q674SoSdYQxOM=,tag:5UeUHsJlKiwKfC7VwoEltg==,type:str] + pgp: + - created_at: "2026-01-12T22:05:42Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/+K/beVKMITwy7ZM0X3cUvtYuMzo0FaH7qEcoN7Ie9tuT6 + ZF6/BIBHVrS+953Gw0HJajWQENAKphKqL6TT8SHSpsdUpTns7rxJZlRm8C2FP3SV + eqrtQuzm2GhRVzm/69nOkq7vzrRJjP7/6ZmO+1E3gURiBLJla/MHRHi+NRrYrq+H + 
VdWWwBAe1T7Kd1WNRL+o7zxwkH+b9OIL5Ia6WI8jtQizDAI33iTbtfxO5ppXIyoL + PEV+2ePTWJxV+dJBbCfDHioY7l7I5yWCKkuVmVBp+CNrNGLPdU1Ta49wODt2Isy7 + 4F3YihAX3N8MDZ09aB8UeCmzNIDXt0Y+1Nrd8Z7ctIgu/Gji7Jyc5bBCgpi9Q9N7 + 2uVm6m8P6uSeifZ5e+obJUqYwaRUO4va2/tSX2TTWK5l5svIEQh/hPmWowJrCCSl + 1lh0cA24M8ljphdltBgxzfiByGobde3nNeak+8CGYZUZq7xIMwyIMoWTlnSy0Fno + oJxe6nasxZqQTIqBu3Dra4oBnSTxWJ6SWbuaeegbnGWRp8Pfjs1mGWF6oNYaBwoa + gvT2qzjzah/b6VEfo9m3mGnLAubU14a2zoSnQ2zZOZp3k7JUbkCB1Q90NACD3wl6 + Z+qCEP9YHA39Dga52jwy5yfYmxuZVKPIXJgtUrSAzGQrTGyBmOorN0NhbLFoD0WF + AgwDC9FRLmchgYQBD/9Ro2xVCqlyifNx7ec+yBLufPsgqq1x12EPOEEtDthfzUdc + FV3K/+kv0QmYveqfhBQsMqGvVUGW6UW4b4YijUMd2eoJin4UcwUJNpXUS9aKohcH + bHFH0gExhDGruRs0z1rBbjuZTWYhzeYv9kl9HdJx7Hh2eFJR+0T6DrLlJ6GoVERd + HKy4nmWtO8wbkVT1akSZVavZLwB3J/5EG0zH/CD6x15Spk+1aurWqbmPlEy8S0qA + Nf002A7RV1YD3ykZg/Ie8bPXt2ghuO7UU73mz83dTskoYggf+L01BXA3K/xd1ei9 + tTeLn+INrLcQ+3FNI+zl+b9HbWo1hIO0xG1IRyWWUDTbssU2HdVO5ppnmYC/15h0 + 6loY4EJeWAiMe/LZlXpeW9y3YdTPQvzjhKi63KYh184RoZNBjdRtrgIKX/zJJnyG + 4UqX8d6yQrbAABnBslradSNzsMuf9504MJ81ZKeJPF3JwDEtkW/i6VMnkRCgvDsG + FWMIsrWttTd3BcqvgHUkxHHwnGglvvmPh3SvkdPB4ctzYFGCxyQHV0ymFC8xmkNc + gP+U5cYj/tdGSbP0P7SW09cj8nbSClZ7OZMpHViQTSOyFkPvVQYOtjJt54WwJn09 + aXTIiK3+xSORpgKLxFJYeLRY7OjtFqyVPUh0VE5GlGA7LxqpAa18w1bfS1XR8NJe + AZKgUbEp1prBgI4aeLqTr7qk4LkdmaVPxjuAUX1mg6annIHOnPLlaY54GzWtG4Cn + 5/F6ZRNQK8pxr82lctEqGPN0I+/Fp7nky7xmBBzymV26LJLWG77UrQONeLlNWQ== + =gUDk + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosds/nixos/x86_64-linux/toto/default.nix b/hosds/nixos/x86_64-linux/toto/default.nix new file mode 100644 index 0000000..90955cc --- /dev/null +++ b/hosds/nixos/x86_64-linux/toto/default.nix 
@@ -0,0 +1,44 @@
+{ self, lib, ... }:
+{
+
+ imports = [
+ ./disk-config.nix
+ ./hardware-configuration.nix
+ ];
+
+ topology.self.interfaces."bootstrapper" = { };
+
+ networking = {
+ hostName = "toto";
+ firewall.enable = false;
+ };
+
+ swarselprofiles = {
+ minimal = lib.mkForce true;
+ };
+
+ swarselmodules = {
+ server = {
+ network = lib.mkForce false;
+ diskEncryption = lib.mkForce false;
+ };
+ };
+
+ swarselsystems = {
+ info = "~SwarselSystems~ remote install helper";
+ wallpaper = self + /files/wallpaper/landscape/lenovowp.png;
+ isImpermanence = true;
+ isCrypted = true;
+ isSecureBoot = false;
+ isSwap = true;
+ swapSize = "2G";
+ # rootDisk = "/dev/nvme0n1";
+ rootDisk = "/dev/vda";
+ # rootDisk = "/dev/vda";
+ isBtrfs = true;
+ isLinux = true;
+ isLaptop = false;
+ isNixos = true;
+ };
+
+}
diff --git a/hosds/nixos/x86_64-linux/toto/disk-config.nix b/hosds/nixos/x86_64-linux/toto/disk-config.nix
new file mode 100644
index 0000000..71838fc
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/toto/disk-config.nix
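Review bot: `firewall.enable = false;` in the `networking` block leaves this host with no packet filter, and nothing in the file says why. toto is described as the remote install helper and its disk-config.nix reads a LUKS passphrase from a file under /tmp, so the machine handles key material while any listening service is reachable from whatever network it boots on. If bootstrapping only needs one inbound service, keep the firewall enabled and open just that port; otherwise record the exception next to the setting, for example `# firewall off: throwaway install VM on an isolated network`. The second commented-out `# rootDisk = "/dev/vda";` duplicates the active line and can be dropped.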
@@ -0,0 +1,127 @@
+# NOTE: ... is needed because dikso passes diskoFile
+{ lib
+, pkgs
+, config
+, ...
+}:
+let
+ type = "btrfs";
+ extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/home" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/home";
+ mountOptions = [
+ "subvol=home"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/persist";
+ mountOptions = [
+ "subvol=persist"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/log" = lib.mkIf config.swarselsystems.isImpermanence {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "subvol=log"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "subvol=nix"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = lib.mkIf config.swarselsystems.isSwap {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = config.swarselsystems.swapSize;
+ };
+ };
+in
+{
+ disko.devices = {
+ disk = {
+ disk0 = {
+ type = "disk";
+ device = config.swarselsystems.rootDisk;
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ root = lib.mkIf (!config.swarselsystems.isCrypted) {
+ size = "100%";
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ luks = lib.mkIf config.swarselsystems.isCrypted {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "cryptroot";
+ passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
+ settings = {
+ allowDiscards = true;
+ # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
+ crypttabExtraOpts = [
+ "fido2-device=auto"
+ "token-timeout=10"
+ ];
+ };
+ content = {
+ inherit type subvolumes extraArgs;
+ postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
+ MNTPOINT=$(mktemp -d)
+ mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+ fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
+
+ environment.systemPackages = [
+ pkgs.yubikey-manager
+ ];
+}
diff --git a/hosds/nixos/x86_64-linux/toto/hardware-configuration.nix b/hosds/nixos/x86_64-linux/toto/hardware-configuration.nix
new file mode 100644
index 0000000..3a8c56a
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/toto/hardware-configuration.nix
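Review bot: Both `postCreateHook` scripts install `trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT`, so if the unmount fails (a busy mount, for instance) the `rm -rf` still runs against the mounted top-level btrfs volume and can remove the subvolumes that were just created. Chain the two steps and only ever remove an empty directory: `trap 'umount "$MNTPOINT" && rmdir "$MNTPOINT"' EXIT`, and quote `"$MNTPOINT"` in the `btrfs subvolume snapshot` line too. Separately, `passwordFile = "/tmp/disko-password"` is a fixed path in a world-writable directory; bootstrap.sh is not part of this hunk, so it is worth confirming that it creates the file with mode 0600 and deletes it once disko has formatted the volume, and saying so in the comment on that line.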
@@ -0,0 +1,27 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ lib, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot = { + initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + initrd.kernelModules = [ ]; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + }; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosds/nixos/x86_64-linux/winters/default.nix b/hosds/nixos/x86_64-linux/winters/default.nix new file mode 100644 index 0000000..570ccfb --- /dev/null +++ b/hosds/nixos/x86_64-linux/winters/default.nix 
@@ -0,0 +1,59 @@
+{ self, lib, minimal, globals, ... }:
+{
+
+ imports = [
+ ./hardware-configuration.nix
+
+ "${self}/modules/nixos/optional/systemd-networkd-server.nix"
+ "${self}/modules/nixos/optional/nix-topology-self.nix"
+ ];
+
+ topology.self.interfaces."eth1" = { };
+
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ };
+
+ networking.hosts = {
+ ${globals.networks.home-lan.hosts.hintbooth.ipv4} = [ "server.hintbooth.${globals.domains.main}" ];
+ ${globals.networks.home-lan.hosts.hintbooth.ipv6} = [ "server.hintbooth.${globals.domains.main}" ];
+ };
+
+ swarselsystems = {
+ info = "ASRock J4105-ITX, 32GB RAM";
+ flakePath = "/root/.dotfiles";
+ isImpermanence = false;
+ isSecureBoot = false;
+ isCrypted = false;
+ isBtrfs = false;
+ isLinux = true;
+ isNixos = true;
+ proxyHost = "twothreetunnel";
+ server = {
+ wireguard.interfaces = {
+ wgProxy = {
+ isClient = true;
+ serverName = "twothreetunnel";
+ };
+ wgHome = {
+ isClient = true;
+ serverName = "hintbooth";
+ };
+ };
+ };
+ };
+
+} // lib.optionalAttrs (!minimal) {
+
+ swarselprofiles = {
+ server = true;
+ };
+
+ swarselmodules.server = {
+ diskEncryption = lib.mkForce false;
+ };
+
+ networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" "enp3s0" ];
+
+}
diff --git a/hosds/nixos/x86_64-linux/winters/hardware-configuration.nix b/hosds/nixos/x86_64-linux/winters/hardware-configuration.nix
new file mode 100644
index 0000000..3222d17
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/winters/hardware-configuration.nix
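Review bot: `} // lib.optionalAttrs (!minimal) {` merges the two attribute sets shallowly, so when `minimal` is false the right-hand `networking` (which holds only `nftables.firewall.zones.untrusted.interfaces`) replaces the left-hand one and the `networking.hosts` entries for `server.hintbooth.${globals.domains.main}` are silently dropped. The name then resolves through whatever DNS answers rather than the pinned home-lan addresses. Merge recursively instead: open the body with `lib.recursiveUpdate {`, change the joining line to `} (lib.optionalAttrs (!minimal) {` and close the file with `})`. A comment above the join such as `# recursive merge: both halves set networking.*` would keep a later edit from reintroducing `//`.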
@@ -0,0 +1,45 @@
+{ lib, config, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
+ initrd.kernelModules = [ ];
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+
+ supportedFilesystems = [ "zfs" ];
+ # zfs.extraPools = [ "Vault" ];
+ };
+
+ fileSystems = {
+ "/" =
+ {
+ device = "/dev/disk/by-uuid/30e2f96a-b01d-4c27-9ebb-d5d7e9f0031f";
+ fsType = "ext4";
+ };
+
+ "/boot" =
+ {
+ device = "/dev/disk/by-uuid/F0D8-8BD1";
+ fsType = "vfat";
+ };
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/a8eb6f3b-69bf-4160-90aa-9247abc108e0"; }];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosds/nixos/x86_64-linux/winters/secrets/acme.json b/hosds/nixos/x86_64-linux/winters/secrets/acme.json
new file mode 100644
index 0000000..cabdcd4
--- /dev/null
+++ b/hosds/nixos/x86_64-linux/winters/secrets/acme.json
@@ -0,0 +1,28 @@ +{ + "swarsel.win": { + "fulldomain": "ENC[AES256_GCM,data:CVasUSMRn/KWzVRlcYfTO/RL+W5Cz2JpDj0JLAKITXrDZrl+Wsg46X8zv4hX6NLj/wAyvXQ=,iv:N3DL4JPX8vWTbllFWcpNulwtDJ57xpHrAwoUxWhTzxs=,tag:CYWoK9uT121rFXQ5h69CZA==,type:str]", + "subdomain": "ENC[AES256_GCM,data:uM457vEJa10IV4SovBDUzLLlW+mPwh1SiWr8thQisFoe6zAk,iv:Tdbd5a20Gv/thkPfsvNiAbI86JjcDs70MAfk4yCZLgs=,tag:MulJiRWPs215x0bc+1jBiA==,type:str]", + "username": "ENC[AES256_GCM,data:ePE2BEKL5uaXqzGngW9ArhwP3qwDzwULtfwUfb5Q56VGGURp,iv:/GZRbyXHorcq1PIYlhfOmUVwCg0I/N4ZraEzSrc8qmA=,tag:wM5B1U0BsRsBAJg3qNOXpA==,type:str]", + "password": "ENC[AES256_GCM,data:RGzdi8IMqm+rtiuU4RtWGQ4N/7FYBbp5Pir8/k2V1QEdM8z7SIn0FQ==,iv:ThFbY9eZuEZoyzcWV5DwtSi8ugNwM49JfRof560Qx/Y=,tag:sgMaLrPB8WgpXWPzaCwOBQ==,type:str]", + "server_url": "ENC[AES256_GCM,data:zJdXoO7ED7qeskYJ9Wu0Rdprbvj/uP+Z,iv:ce+QXocqCjNKCsZRyVt6koUyc2lsTwPNMcfQyqbktN0=,tag:bQSE4/6va+V0TORWANLdUA==,type:str]" + }, + "sops": { + "age": [ + { + "recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZ2Fhcnd4RnNIbExibGlr\nMGNoLzltYStyQjNDSG5jbCs2WkpqR0VINHhnClF0eW91OUVvSzhackNPS2JaUitJ\nSW9VSnEyWjRHM29hT0xHUUIwTkFQamMKLS0tIDJqRERxQ0l2NElxeUhScUQ4R2hS\nT1dhQnRTVWM0Y3dUMUxLTGRhZ1h0NkkKJI58M5YOldaj0gy67WywMK1vTNqBLz+T\nK+/0PuEooKZkcdd92+UUoMMU9JcfvnvzKmC8Ot9xwiaLaupb2Fb7Lw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-12-04T19:04:02Z", + "mac": "ENC[AES256_GCM,data:nWV/knCo/MeWTBrfq1VlV6SPEQ2i2P+le82S2So0BIxPfz8tqan0MdaIaKLFlapsT9VRJOv8ZCCXSLWeGcbEvfmEz4MP1E4iHcU/4YaO+n895D1JrjeyP1cgGisnXqe01xMXCsDY178sqxHcnDDlXp9foCem+mGjIlKGPYGu5Oo=,iv:qbavbW3MF4fx+E3aybBYaz/T/Hb63ggWml4Oe9WFz+I=,tag:05vBbBGDGRNaXJWoZn1bVw==,type:str]", + "pgp": [ + { + "created_at": "2025-12-04T21:07:49Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+Owp3VI6TVHSb6hxNioVb4P/e80pnf2LZQxhLUOb4QAfd\nkXGJLcdC3rIDF7b0qfJJrH+hCHSZBqrE6in43wDXe3Cj2CzOWaU8kABqMWKoRhG8\nd5Lbrn5uMN9sOWQugjFwtDPQo/g38wkHjJRwtpp57K3W7t7A1Np1Hma9APLwf6NV\n4t/A5vkib6n3Ilyc8e4eNlZu2yV+9fkygcSQYd9QxCRdqAbH9yCgtQ/iYpW4wNXW\nB18ENwOi9KiyWO8zMtGdj8Modaw3yLo9qku2u5BkBnbvE/SDD2QzxVEy8dc2P2/9\nkT3GLI14WaoTc0uCHQfGG6FOKbyD8P7VMdk6K7LuBrAANEaqwb77NlsIulekCuff\nRHjWYzzLv14wumO8+3dXvSWwdG3or0/caH4oKfifTbwSOwSTVru6WAWBGx0reqwO\n4+CQ1WmqHM68aFzlQY40dcT6i0jCZpvL+kMncbOn40oZt2+7T6h6zfa/YyWN9n1Z\nc3LhbHTYjA/gyjc+hD88SKCyn1tFK076209KeOpAJnu37Vb/O0BB9T8cxe9KVkMa\nz7SBXE7BEq+vc1BKpHN51zVmCP9REbQ//2RS2JwfxuKxj5ti7xQNBfliCVn/04bj\nEYnortuIFKjXGhZBBrgWKddS7zaU4Ux+1Nj8NAou4u+Cpi+EwFfpVvp11136H5OF\nAgwDC9FRLmchgYQBD/9fuQYiGbtsS6dm4kQzS6Ptmx4+Yi1QYywY0aU/S0wz+LBc\nn3ECc3AypbLEemNU7OeoveOtPj7TyJ9Wth2AqeWSEizgA/xCttiX311+emK5LqjM\n4KtlxJe8P0Hun9vxbcGRVXIN9IKDk07MWPBVQ0nUPnPlNTzZtlu/ahW+Rsyxm8wY\nq035Wtyr97Ak+gtB72EU3sEJ7INpNbIsbfa+AAbda1drrhvtde5kgnVKsSdC3oBy\nTo6rgSjRT91MZoiY+L3oR1lwmxtu6snajhnCWHe/u4iuMMK8a3b3WAUNBxG/tbQd\ni9qOLYyjtdfuqRsNvSK6WsgpAqabfUmvBCYsvKlNUGx4LDMmKsMwLC5DfPSGk8FS\n1haVyfmMNoCkcG2RuT+mwDm4I6aX1VbeKbIFrCYBEAYuWh8Hdobw3TYNrjGvHScq\nVE47Q7bCsUeiMybmtHTcHH6WNI+LWx9EHVZCaccqT19FV1PAUDvU3Z9HO48kcrjs\nX2UM3HtmU84p+zgQQzk7I1ociHqFBnKQmVd5KVs52V3Sj0a4EhRMDrWOjoucgUqD\nqMPk9HpO8A8gL/Xoaxbs3EdaQJsy30aVKaeDUyTcTqTLvEAocUQApi1QQCKgoc5K\nT9Y2EqfC/ArWSJOtylcQk0sJfKSo317lBb50+h1XcFXC3gNcXgipxURTwUSqb9Jc\nATpFH2B+AS7/fG22KpHsop4b3Mwm4nNZKTnJ+5IY2iu1hg/96AYe+njp+7BtbrbH\nTxOiYyszqQ+E8WykRO7QwPxgGtlGkgW2fXRFmAxvCHMbnNVvf2YSQLefUPg=\n=MyHr\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosds/nixos/x86_64-linux/winters/secrets/pii.nix.enc b/hosds/nixos/x86_64-linux/winters/secrets/pii.nix.enc new file mode 100644 index 0000000..dc6fd8a --- /dev/null +++ b/hosds/nixos/x86_64-linux/winters/secrets/pii.nix.enc 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:kkH/Hy/0PNzkVdTfYTgKBAN6nYslP0OFIndsmORZVEg=,tag:j/fMiT9DCog0CHnM74MNMw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UFZTaXFNdjF2UmRFd3VL\nY2pZZ3ZaRkhZSjdVUjIraHV5ZlNaNGtwM3k0CkZ4OVRFcmR3MFBDcmdsbWFId3Iy\nVzQyUGI1eG44d3JFL2NvZEg4NnduT2cKLS0tIEdhOEZETk9nRTlVbmJ5UW9GalVx\nS00yaUpJZVFVNThFei8yRzJYejRkYk0Kf6Z8WnG8phRtFIUWIPys3PW0OImhAcF+\nUFLuL4Qr7zWaeItCRieYCs1yBn7KbUJHZNkJcvnkYW50NYvlEa8wBw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-02T22:52:45Z", + "mac": "ENC[AES256_GCM,data:p/m76sd+5HhD+tz7oSnoSzVRCnB1czTUTF90LSyLQuL6aVyTpVZp+p6/CnYc/fG+L/8wBUsLrwwajl22S2+MZAqvQFoYQwY/AiFb10wZNK2fzPEURW3P+QYzaf62nb4G3GlckjAcGxGyeGcU4TnL1qZEDgp/KcdZpsUwvVQvV/U=,iv:k7m4dOr13gczZTGlz7uHIQB/uFPEQJX19uHuLB1fupg=,tag:mzpbLMV5aun7IOvPIJv0ng==,type:str]", + "pgp": [ + { + "created_at": "2025-12-02T14:59:33Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//Qx2BW0k3Q/pAvbKZScmhoIoFpV5nb+ZB72J6+f2HQLSv\nVQP72XDoYyIfW7ERsY09gkNIJejZ5n/fgB5KkyEqsBRP4fYDXl+XfAvPTu3YuQOo\n9mA2baJ0HkBnsrikycaUQAIXMMCAUBS6Ooi1blQeYA9khqr5Kc361IwB4bv8WcIz\nGcBPSWBc3B86qK/v8l0Kle1mcUu9RFxNZkitjxKdf9GDn6gKo3yBWt+/8NJLDUTq\nHjrBH4WpqB8mVDupg/p6OUASc8y0pnNmbU0GK3is4IO/bk9QqPX/t2y4CUhlE3Bh\nnxYGYauohXGs/IbCGXtkd/wRcMwsXtgkZYT/wfu44/O2VW7V7MpBGVlTXmOWK5yI\n2dkqpAt2T5tFVDDX8bqDfZ2xbGgSLsY/XWwNzl60WSvcAnFoZSf4mu2RJFLAK5QZ\nGDz+N8shR8BgkzIWIjMwzBbUB+3snYkJVA7wm/idhernkB0E83JAOOHk+UGuHFWA\nkrrWPHRWf4Gy5ZEmkzVACfhzH9AbPP8yHbTh5y33I7Yv4E+4qjoVEwTNA1LSYy17\nlaMI410x7htrzxv8M06LlE47HrJPLu3+YHUPKQC/LzV831LB9IYymskYL3rYUHzn\n7BS+9Njfg+7cdHXjRABZk2yz2+XZlSLIyCC82Kbmybd3F+s8u/pP0N0TcBDTPrSF\nAgwDC9FRLmchgYQBEACaz79q7F+YshiA4MSiKoiwgVnq0HWruMtQ+exE9Ky/hTfT\nCnNn43KSE/s4KytcB8KPkXPpZ/BHSv+oxY/XGh1dNWnKQocyCHqEOax/QruAu7VS\n/CbxyUFYQS4sJIbfmQLkx/FEnaHenSOTjOBatlnVFQ3qn6MjXyq1LThyfGaMlH84\ntAUYnNG3MQsz/U7Pj2nkScfDZ0XGIu2rvB2ddVdkjr1H3acQVplAlw88yGD+lDOA\nqnafNS8FgUtXoXCPVe6SRdpqfWPGmn1jhvjCiCUtzZG3RPew2AV50RAlxP2AEXY0\n6cMeL+NJdqIGaP3Ttyn9oVbroW4N7p3rb/AGj4ZRy4QOXPkWI088qmhYgIpjJZM5\nI3g80gnkBfFrOaVM1RVfn1smT9KlCR/8noKTE3ajBaTZZJrzBclzATdkGi7rIaqS\nvAWH9LnEGFs30W/mj9avis8aJwiPYsO+1ah5sVMnNKMo8KND2MMy+EI6AvgwJKz1\nNQoIP7jHB3h8sw91Z9YhB0RTQ8yCG+IrpXnWGAVAcswtTtJbBQlXxc/h0jpT4Yw0\nV+J6xX5/PI/ZQbIbj/i5hgh+8lsvG3gRRh0zH8nSNf7yMTYQe6iAe9xHRH/kSHX/\nOwObvvrCzZcsX8b6gTXn9AzXYGST3j3wBa8sQH0NRkcZFsCh30FhEDApItQA8tJe\nAbaLVOZ9WKJCCVkTJCOBCus1zInXbFr1ZQjTciJ4WjnqedH6SVvPC9HmI9vDCXw4\nzonohAH+mjtmoRfwMGdiJO74IfX81p5MwOX94TwYB2gAp6ycyCHjZgUtpAFPKw==\n=wNQ4\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} diff --git a/hosds/nixos/x86_64-linux/winters/secrets/secrets.yaml b/hosds/nixos/x86_64-linux/winters/secrets/secrets.yaml new file mode 100644 index 0000000..fafcb97 --- /dev/null 
+++ b/hosds/nixos/x86_64-linux/winters/secrets/secrets.yaml 
@@ -0,0 +1,108 @@ +#ENC[AES256_GCM,data:2coSbGjKAg==,iv:QXAGBCUEBypVs93R6p9DpWsZ6i6VMmdlmeffQxPTGWI=,tag:2sfSIFT9W8anEunXHxP7oA==,type:comment] +kavita-token: ENC[AES256_GCM,data:T59wnJO0CClMP+jGd6LFtIDihYxDEZ6OATN1LizmLqYyPZ0Sxqoavgm3B3VWywLEIpSXyHfH3+qZKahnUA5/3c9okEbI1X3FFkiOYM0tVHe/E3lLQhHujw==,iv:ojm6RKZbxDjnGE377tjqZ6Zu3jkR6GHpxjZ7uZ3I5Y4=,tag:Y7KliDHxx2QIWoUdLbtH1A==,type:str] +#ENC[AES256_GCM,data:EnKPtPHaMw==,iv:6bKMTGB7CFBGzpcXv5bq1pPoN2dcfSsQn8CIAuawAEE=,tag:B7s6b5A1W8cr+rk12sfnzw==,type:comment] +matrix-shared-secret: ENC[AES256_GCM,data:ykgD+w6nxfegBhzVZmXmuxxsf1lIdV+0OOHlEt9V7YgmFFjHPw+SUxOsGnpwfTXB6Bwo70MDC9fLMSWZxtfIlQ==,iv:LoKIuJYvdKTE7QKrbJvAaKXucesrGgCZpVfmMNt1WhA=,tag:Q8EQSF28Cx/UMCBp5k+vCg==,type:str] +mautrix-telegram-as-token: ENC[AES256_GCM,data:nVragL+I4Fl0+0gG0nnSFoVt6PrDGCic8nh7AneOiJ8ktpsmq3wkuMzeg3aQkfM27HXTkkdhKBmCy/W+i9G2XA==,iv:ozhwDo8H87UCHIPEHCjWfnUtdK8L2jChz6y3NIO5j6Y=,tag:H2geLETkaUnM3xM/2Jvp7Q==,type:str] +mautrix-telegram-hs-token: ENC[AES256_GCM,data:bsuGGKASj65MkSri1MbZDEppRlr5qXzdRnpTF9gDshj4ahpvt0R1aLyr/dIaHk+OKdDvaeJ8JHkr2AVsJxMAzQ==,iv:ESnTEmOjkkOAJTJZq4CjPtPs17dBoc06fgI4T41Z1Hs=,tag:EC6CukTgFIDzlmeuOvLIWA==,type:str] +mautrix-telegram-api-id: ENC[AES256_GCM,data:GLaYJupsuA==,iv:EZ7i3jregI2puUAQbbkUK7OWA9Dnk0GdXRQuF/crD0Y=,tag:FL86Xji+YEkBPIm7m6sStw==,type:str] +mautrix-telegram-api-hash: ENC[AES256_GCM,data:vikwgZLPV7YBdKlzf8+LEUnNIMx950CfBMGXKOga2cs=,iv:16+qS4L1LEKyWQKC2+a9l4OugWLJou2I2t9oRfKjS24=,tag:zhjD2dyGkqfMQlAt/LTCzw==,type:str] +#ENC[AES256_GCM,data:3ZJfIpB7,iv:bS0q1SvUfAX8s6/R1z9IWoJ1vIitIDc2lGZUjS6P+Ao=,tag:Hc1HVrtkT6gNceN87PF/YA==,type:comment] +acme-dns-token: ENC[AES256_GCM,data:uSgEI33Pz8IsJMqtgNO5Q/HW1dRLMeGmXtJJNrbQ+PNVnAiTTRyS6Q==,iv:5ubDxwyDgEHxK/h50p2HK6S1+2TdfTUFH3yGv7/zcH4=,tag:P3b2b/h86TlgksjXB8Uccg==,type:str] +#ENC[AES256_GCM,data:ZbWnE+gcmtR47A==,iv:a/WxLMGb2Y+lenUfUk8c73o/QUB6ImBVRUkHQjfWoq8=,tag:7FHXVb7qBGSXv3oO5f2M1w==,type:comment] +paperless-admin-pw: 
ENC[AES256_GCM,data:8s2WunvnlL0xE8XNN1Re6/9nBAM57AgM9g==,iv:Pol+RjNMKpNYCQWY0BZamRnob+MO/e/14jc8uArtDz4=,tag:FXRrlhR3DpZ+7lSlXb7wsw==,type:str] +kanidm-paperless-client: ENC[AES256_GCM,data:1lpf9LzAZeAe0ZJiXPE6KRDZxhi24CQmoA==,iv:eZKA/2JJzojPDJc/I8V4tw9tA7zK9Y7wrpgLww7sigg=,tag:YjlH+hHdzJHqMBdkxTZVwQ==,type:str] +#ENC[AES256_GCM,data:RamYuA==,iv:4/LaPYi4hIvg2/ftF8Dh5eEVrsgtuOkmB75Cpm5oHJc=,tag:blCudo/EVHesDdUs1nLBhQ==,type:comment] +mpd-pw: ENC[AES256_GCM,data:/j++A2IrOwNse4+lvq7OI3Wde4KsdQ5UkQ==,iv:e0mjQyeefB3FFVsYQvTtjO9mewlmtQ8pl7O/ZmEllSU=,tag:SwbWBN8PqUrXTpKILhLquw==,type:str] +#ENC[AES256_GCM,data:7UtHAqAZLmzT,iv:xBbdv1aHFrSc5/H6o3VujZdtAN7JwHbpckDcoZ5z78M=,tag:0ZEFJcPa6RIwv+kIgNHj4A==,type:comment] +nextcloud-admin-pw: ENC[AES256_GCM,data:PN1K4gyosG9YQUbXrLt7okDe,iv:HpAQOmTXnixm3cd/gNOzICrR4xoSKxsYWavJReKnhvM=,tag:KhCQ+8HpTaFfzn7dFSwE+Q==,type:str] +kanidm-nextcloud-client: ENC[AES256_GCM,data:RJ5XSYvnJS6r2zzs2SOBZYx+GV7EVjB7XQ==,iv:KfinHenUiYgWrZtMBSGTuVUd5aZlfxvM7Rf8ocFv64k=,tag:WiknAlc29ohsLwnBCXzHpQ==,type:str] +#ENC[AES256_GCM,data:dyEwvFDSvI0=,iv:4LPFthS73mIYQt6MRLBTeNxCwKnJGc7sNFJfZCpMU3Y=,tag:X2mBwG1++2gcFIOi/xIgFA==,type:comment] +grafana-admin-pw: ENC[AES256_GCM,data:FBF/YEPTL7HAfLybMqg=,iv:SctfD7uRKeclHr7R831Ns87/ASCfhFE0yfDQrNxWOMU=,tag:UuaSMMs/y4h4ASueseywYA==,type:str] +prometheus-admin-pw: ENC[AES256_GCM,data:onPtYsfFbE1LFRpeDC5ipGJ7xnLRLbAPqQ==,iv:CDxzBfIzgF9naCQ0UDyTYWQGZ/J0Noia56YASsHLz3I=,tag:xs+PiGk5dfvUpGXVsDnAFQ==,type:str] +kanidm-grafana-client: ENC[AES256_GCM,data:tV25k0XoFZ9wLF0UWvAabgigayowr3wo0g==,iv:p0y/UyIrFBTvWZKHbfdOSEpbMun7dZ8FyB5W7VS0oSY=,tag:+jKD+d9cRGKJkapGYxUEnw==,type:str] +#ENC[AES256_GCM,data:QnIF/xhWguX5tw==,iv:yTUBtPaZk6BXi+SC1P/OOtnc2x9UZ/jXirD5oaxhyQY=,tag:c33L5r5BaPZN6zkwduBCwQ==,type:comment] +freshrss-pw: ENC[AES256_GCM,data:GU5rHmJCAb27pWo=,iv:f1YcUsf2jznGAk0zSX3L01lbB9kXiFKAKSgB/RMaq0U=,tag:xsB1QxhDQPX/B2VJV3Wi9g==,type:str] +freshrss-oidc-crypto-key: 
ENC[AES256_GCM,data:FvkaTTfOIo2wn5SnOCiMqy/g/4vcjSX7BjX6GIJrPsQUkqWHvL4LmQ==,iv:930d5Cgb6jly8NAdr21XO0lkWWCXujCho6fW+RYNlRI=,tag:fidIhKA25mwsxpORJOVeTA==,type:str] +kanidm-freshrss-client: ENC[AES256_GCM,data:jBplXWOX/mRTQf6cKmP3C5PZJoBAmb3mhg==,iv:5hcLNGuEQ0T9FiczznGKMul38Ftv8PmG3q0Vaao10oI=,tag:tpx+EDvA31HCnG1/XJOBWg==,type:str] +#ENC[AES256_GCM,data:Ur0/rfBv5g==,iv:eH+KbbkmtBWbobqAIUFF0jIrGhbHnk9g8hLZoxE3swI=,tag:3dnoA+O5GXW5Dvxcx4jiTw==,type:comment] +resticpw: ENC[AES256_GCM,data:0oHhUFH+2W7FONA=,iv:jT6o3H4pIkGTANriDVCBvnOsc/XITEGCayb6A86NlGg=,tag:qU3tAvIWFSFIf1krWAJ0+Q==,type:str] +resticaccesskey: ENC[AES256_GCM,data:3EshJOZpoHqGrKdERYBtUcQZ6taZEe8PBA==,iv:3np3ASFhJrYT1ig3uSpb48lSdZOFl9kFyLJSkYHBnqo=,tag:TqjgnO1XRPZUGjLI20FqUg==,type:str] +resticsecretaccesskey: ENC[AES256_GCM,data:j57l4p5viLZ2yL/KDrQpq1Dov69kpCRgzS4uEHgh4A==,iv:CYTxd4Vy1V+aW6EdaEOIma5vyDRL/VR6MlHqmAM1JQI=,tag:zLl0UZ50uN8YIrL+nOfurg==,type:str] +#ENC[AES256_GCM,data:rdFEksmLPA==,iv:JKhyW30sCngf1/wFv8HLPesiz61QjAGhcBuoIw3CUDk=,tag:MaMJ8V5uqV1uFokLzmTJ7g==,type:comment] +kanidm-admin-pw: ENC[AES256_GCM,data:cpSl4syzCcl8wohuNpZhwKZvY4x/YuSZUA==,iv:HmhoNL5IKMh4FMe69AcnviybQRXdZRwaNiZ10vRUbwA=,tag:VUgttt/1pcQtcCqR9Vea1A==,type:str] +kanidm-idm-admin-pw: ENC[AES256_GCM,data:nfDLBctWIBUn1iyidczfn37ncINlfXjf4g==,iv:0nVO9bTOZ/PEe9rFUhXZ74AbStsAoDDhRWsM4cPvB+s=,tag:hM4+x7TpLctDpdotVhx7RQ==,type:str] +kanidm-immich: ENC[AES256_GCM,data:is5Zx9FE9Qb/cajv6ZQU6B/0iKUgbBCp/g==,iv:vBU6wcrsO862oKgxdGfpOZXC/GJDhY9Rki2nLIy4IoM=,tag:6jNRNdQr/czoSihSQ+cHQg==,type:str] +kanidm-paperless: ENC[AES256_GCM,data:bJJC20q8aJVzmIMXAHWvOoH652lSCFXDNg==,iv:0ctoPwxzMD1cSpZ7DyjOv9qP+cYt0MJsk2cfuzft3n8=,tag:KX1MtgOvcMxt1QHhAcXWcg==,type:str] +kanidm-forgejo: ENC[AES256_GCM,data:zw0LcfNJw4q28l1E9q58D9bTKtl/CjGA3w==,iv:fYRGasFiM7PXeP5sWW6whj10CUKIqCfhIYQCNZjxQGo=,tag:sxQJa+ItPA+L3keWZ34SJA==,type:str] +kanidm-grafana: 
ENC[AES256_GCM,data:61PEA1fBcaRy8+x0dn9WrH9P0D+NOkbeZw==,iv:kbR3JWzHsmsef+VlFGciZmyforxJCdvzHijvGFvFwpk=,tag:K+6baLIKy0L37KrJEQUgPg==,type:str] +kanidm-nextcloud: ENC[AES256_GCM,data:9FjsOzBos18ouHBeuzrzHIpCDowFt0Aktw==,iv:iqUQUsWsO5N+KZqHyqNxMxSija/yPrrrAqvz4b1NG1M=,tag:/WC3wg/eYXV3hLJPRVWLog==,type:str] +kanidm-oauth2-proxy: ENC[AES256_GCM,data:DQ5tj7N+P1b8vFnF+MGhaUBvbVQoE4sVhQ==,iv:Xy4bdi8fSFuFHsQKgZ3PswFFYsqtiAeqeSRam1k/H0E=,tag:9W4LRPPYtDOrSpxRDK/7sg==,type:str] +kanidm-freshrss: ENC[AES256_GCM,data:4y0X3sSOfs5pKNCmZGJhxlAKH7GD1UACdw==,iv:LuQQCfOpsTqglwQvohHMFpNGaOjoZ8PKDgG50qBP02k=,tag:Z5mVYP/9nToerQ1qui1eWQ==,type:str] +kanidm-firezone: ENC[AES256_GCM,data:hQWySw7EZZN2AT7rM4R2go8DAGYHph32tQ==,iv:vASPrP7qM1G5c4tC1aaAbCigglXt4keThMYOJdRYhOg=,tag:f5jevrQtiHAQTbMY07iIrQ==,type:str] +#ENC[AES256_GCM,data:M9U+Mr1cAhlt7NpW,iv:LY19BZEwDdQD1Nhbmgdt9/9VNJjcTkOGP7SwEDE3Xwk=,tag:TlYrhu5dBj1D+Qd72r7Ofg==,type:comment] +firefly-iii-app-key: ENC[AES256_GCM,data:hzgl8eRL0irNRP5TO7G1rNtNM7fXCkmbcaX4QoTsM0xA1rgyKwiy6a4lYDjoXZyOMy5p,iv:q5eepIELwIecyQ56A6THUOu+rebK3irKVYb7/gNHlU8=,tag:+M/KTX1JzPzXeK4TRzW42w==,type:str] +#ENC[AES256_GCM,data:mBlfyJvQyrhTnpkJ,iv:hHnTCsHfzCgKuBO82JjNbjYYjWV8e7+0VRkbTGw+WRE=,tag:7Dp77Q2VjWJM5LydvpbJnQ==,type:comment] +koillection-env-file: ENC[AES256_GCM,data:X1dndR7XIhGCwbRQzET5MbzW71PT7WmyryNbOhCKx2I=,iv:bP/90aJT+eA8EmwoFZ7uXxOWfOprpHfc9CvL/A9Os5M=,tag:ZxFDInJBtFrulvOL9PwNJQ==,type:str] +koillection-db-password: ENC[AES256_GCM,data:5Ue4l8CMZpjRpcryEtzPyR2Zf7M=,iv:Ol/G6nFY5H/SIY7l4o5woqFVeLfnv3FJfaAZIqI4NHA=,tag:hYorZv2nyLvsJ8AT2xTkBA==,type:str] +#ENC[AES256_GCM,data:oTo0OgB8QQyPVxzEoEw38eM=,iv:V8UJrZvlAEUVxajLjty56LoiHqi9mvX2NxlZeYr0P0g=,tag:gSiHry8iRcYWAFi5Lt1GiQ==,type:comment] +anki-pw: ENC[AES256_GCM,data:h4RBhKV6ZzDQk7s=,iv:r21zH3sDKwRxfi8A1DPNEVhKTbb35qWv2mTGaXJxynM=,tag:kT4pVhz6pHxyBZ0iXdGx7w==,type:str] +#ENC[AES256_GCM,data:5jJoV7vZl1A=,iv:Uc9/nyvdzgH6USVxhDhVs6aDqy/k9D53AJP2AvTj3ZQ=,tag:K4zDz5RoLuHevTeLqxw/XQ==,type:comment] 
+kanidm-forgejo-client: ENC[AES256_GCM,data:2iXE/dmOQtY2NEsBgDqkqwD/brF0vJs+Ag==,iv:PBQ03z/E6R+u7Y56fPzJSnsoCa5PUYSiezZFOMLz4eo=,tag:jThgOC6h2hHJUclDju/MtQ==,type:str] +#ENC[AES256_GCM,data:JwCES+wj/NRGTw==,iv:sKjF9r+7FlHyzY0MTfzvrV4B49T6+50AxBuXXh8PNUc=,tag:WvSqYTR7yDuqbZKaPWfvvw==,type:comment] +wireguard-private-key: ENC[AES256_GCM,data:TdZwS+qF/sI8WV92N+pe/w8GYs3RmPgc8AABQ9FhpPPAcPTAHoUVo1Y3TkU=,iv:lgJyqYdtsuPzAKRUdnjiw5inHNAL2yMHFJwtUC8WB34=,tag:ub3PQ+xU7EmxohAL8GvuRA==,type:str] +#ENC[AES256_GCM,data:m0bvaZ5XHR4p,iv:4uMJCmguAIu1533g0g666BS0Hx4otlhzjVQT5Ny8DKU=,tag:jDuowQCXWJBJ3a2/pAxvGg==,type:comment] +radicale-user: ENC[AES256_GCM,data:UZaQbgYKjZxxBqw=,iv:ekmZvvOITSC37eNzy8WId7zeG9HPgVQ2Q/v8jezHuw0=,tag:YB41QXdZjIbEaFS4l+yuJw==,type:str] +#ENC[AES256_GCM,data:2IlXs0WZnFsribQ=,iv:KL+5KM8bEFiERA/SA6FwudqFJziax7pdbDdOex7aaFM=,tag:TAOlu5N/B2YyVFnFgJG/oQ==,type:comment] +prometheus-admin-hash: ENC[AES256_GCM,data:X9nTcdg+W08kT3aDfXQAf9luzPszZdz70ELkoTEoWoUrh5+Dv0D++OA4QKyBi4MMAGK5USdVZECKGa/0,iv:t9PmR6IsuEJuqdj0Zn0vbVCH+Ijz31t5vC7+9MkxB8A=,tag:bH9Zd1E3RpsU3QzwGouoXQ==,type:str] +snipe-it-appkey: ENC[AES256_GCM,data:3CZRYxbhXfw9VrbZPXuUbxmcy+FxUuOGNTxsdU7RNsx++GAbrqSNxppXCf8=,iv:/bI9mKan6mMlu9Pts976FFCboRD3nnjkePqTAEbvl+E=,tag:XMjs8hkXG1TYRK7UN1lFlA==,type:str] +snipe-it-db-password: ENC[AES256_GCM,data:ePhz/cE8kP3GVryiCfJwyuIljYc9cOmeg4q2Vi5cyiNWX0M=,iv:SHAG/TNaHx9/4wg5A19/LOnHYHq2Lnlc72b5WooHp1c=,tag:Kw9/PSEG2Bg726R8FCVSFA==,type:str] +#ENC[AES256_GCM,data:HluZDLxPjQ==,iv:Gjd8lM7gFu8c1EshHXD6nJvCkZJoRhh26IPIOn2fQnQ=,tag:/7wXjcLCGNa8Td8ELeH4pw==,type:comment] +garage-admin-token: ENC[AES256_GCM,data:RB1KaPCJkWNL6CSN5d2ClWedHCUgEMlTrb8DSLIN2guEJrMLyTIGRjXpwEs=,iv:2u/XszX7avx9m+0Ne7CbQjLpireP2pzKmKhuh/9RZRk=,tag:vf8XxjlTaE5/T0ccK1FTfQ==,type:str] +garage-rpc-secret: ENC[AES256_GCM,data:GiXPUfNYbmJJovSXO6qgeNQ5+jHJFSOc5392RzRmyseSXjImMxenQ1OPyLDga2b7I2dt3KgIu+f56qr52LKyuA==,iv:6RiK1eTQr1PR1M7TV84kjHSQtNXBiM94uBQffk5c8W8=,tag:KcJh/UQ6i0nSsmD+7dzJUQ==,type:str] 
+sops: + age: + - recipient: age1s0vssf9fey2l456hucppzx2x58xep279nsdcglvkqm30sr9ht37s8rvpza + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVL1FJNlFQeXBJWEoydWEy + dDZiNTYvSE9ZWE1Sb2xXZjRWMzhRYWQ1UENJCmkrSFNsZk51aGZtSnJoWlQzbURS + aGJQTVpQMVJFTldwYldzN0l0cnVTeWcKLS0tIDlSb3BwV1ViYU4ySWc1dzdPbTMx + c0lDa2EvQkUwM1ZIc1ppY1REZnlPKzQKJRXSl8SYQwzgPw+twNAFy3y+S2r7JwS0 + xESNBdFS4Ntg9gXENRBzCaGmoOJfiFtGditBlvWUwbDYwLdn/y3kIQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-24T13:09:23Z" + mac: ENC[AES256_GCM,data:BNaX6zXAxEzarm0+X5qDIIOOfLoUFIlhhLN7QATzHIYoujZaJCGFWlM/+k9cnnIcGak22b0hwydjCF+opgH2bbau8P4NFPbWGxJHVry1Nu+EyB+Qb4QnVZZDWMcDxEMChR5eZvLAFC/K2f6oLtJeL2kGtedb079jhwpJt9nr87s=,iv:90SerUCkSoBqDYH4J6SV7cRXwGeinW44NxhSnfJ0r2k=,tag:8VnRp2oAuctwp7Nk3U7OWw==,type:str] + pgp: + - created_at: "2025-12-02T14:59:44Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/+N3ZPYAsZ2e/nJZAxuSJd+kmlAk+JHJFrf0K4e/u6Cpct + T/UmlYpX4w3LMjkctSzNvBbih/aQgrSTlBfalffxh+B/NBqnWZQn3BfgcRtJYdxq + Oov3bCNXuJuvQvvc+J6FAZ3hJUnSOfZX//KAgO6osYQ0UePkE6a5mWjsflO0u7d7 + H8iPt0T9O427sN7mi6D3Nx4okjeRPLWEAyel1i4Obcr+w4xMTsDQJyTvCT9EnIfA + STTUAhIIbNYW9UU9OLhx5du+uar4TrEMzw0x709WXxyX5hZpjEsJ1XefqI62utLb + LseYg1XXkBtfnkbUzVGHjCzi2pifGaBYklZOlgYnd2gCIwxqlp8QQrBSsViPhSTw + p3Iee+FfAVeJLfk6Nn9M25j4v0WymyM5DcWVkHfG3X3Jmh0ZpvKeyN0PMl3OnwFd + Ol8gZGAvfj1d38XzP5RcG/ezDPXSKE2BMju+KpTlWCVSO2o5mJhN9DrDzgv4TaBj + QVOkA+XmeT3UXoU7qUPFm4pLGxLm2hSPLDDOSjRxSMcG9QmsRs3fK4FaxQ6+NELi + RtG3xY3ZtdIeMKGsrclaRI2TTDeXsO66IzRbfEh6Kb40IoXcEjMQB+EMGw6qVs1S + 1m81oKNquiN+MCyZST7WbGsQAGcW0h815V+1O0oBTzXvgNIvGIFBu2k2WjqsT/KF + AgwDC9FRLmchgYQBEADAP8JaZPeXM9n2rkVuiPijTBD8cutEbXQh6orb8susSzqS + ukflPweamJRFdWUkxzCFLZGbnx/Hxx+wjwyPTeYFJDGTafYj9Qbls+jlVPYycUJ7 + Mp0XaqTDBDKGJF6n2Qyl2RSrl1j2fB/94Z3eQLMmdR2ojuyAMUcVK3+/NtooV7yH + WcB89pIhLeRU+D+qvn6Yr64m0lc65FIVo4zYxGEVCf/RRYrC2nGEeAUxjfEAnAJo + OvO+yKPvmzL+Xn9Ecc/OC6axuzuxuDm/X89b0QE+TuvzqEPwm45s9RUkdco8nDJX + 
23Ds5BhuX0h++2SjfWXUOAfj4VCgTPTUE+hWor96FDGdneKvpIt3rUVdEg/ggRae + SOpn5f0dXtin0K1QQZENcj38ldr4AremCaQVc0vg3IEl/3Qz0xNSX//YjJxUbHmC + 5WvFMXTrIbpnnEoVdk+UavAsaL9mOOhRRU8feyMSawztLV2mJLBDz91hQP7UE520 + 4k3DWf+6KF3D9V0B9WCfapTPWjiJZrHWI2jBZzJ2KAZx8LLoRrNlVDUJ79lYI/y+ + Xk3s9O0jq9BrLSLm/CLar5JwUY26ZxUb8buvzXovABqggjtWI+uUPdNR8CGrcFgH + 4pcyrzkUc0YqR+SkI/xVAAXuD3LqLA2OkJGCI47duEkv2GyHvLe/ZRh0/K66n9Je + AW0Rgbbszs5H51MG5OKM8PYg/fP9wkMlAjEoSvk7I853CFibR5frNhDwYY859Xsf + YEHROhyEE+2nCui16IJ2DkyEXK+yO33cPLyXJ0Z+kRb5toRALr5o3iOgo1x5rA== + =SXse + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/modules-clone/nixos/common/home-manager-secrets.nix b/modules-clone/nixos/common/home-manager-secrets.nix index 45af43b..7b16253 100644 --- a/modules-clone/nixos/common/home-manager-secrets.nix +++ b/modules-clone/nixos/common/home-manager-secrets.nix 
@@ -1,35 +1,27 @@ -{ lib, config, globals, withHomeManager, ... }: +{ config, globals, ... }: let inherit (config.swarselsystems) mainUser homeDir; inherit (config.repo.secrets.common.emacs) radicaleUser; in { - config = { } // lib.optionalAttrs withHomeManager { + config = { } // { sops = - let - modules = config.home-manager.users.${mainUser}.swarselmodules; - in { - secrets = (lib.optionalAttrs modules.mail { + secrets = { address1-token = { owner = mainUser; }; address2-token = { owner = mainUser; }; address3-token = { owner = mainUser; }; address4-token = { owner = mainUser; }; - }) // (lib.optionalAttrs modules.waybar { github-notifications-token = { owner = mainUser; }; - }) // (lib.optionalAttrs modules.emacs { fever-pw = { path = "${homeDir}/.emacs.d/.fever"; owner = mainUser; }; - }) // (lib.optionalAttrs modules.emacs { emacs-radicale-pw = { owner = mainUser; }; github-forge-token = { owner = mainUser; }; - }) // (lib.optionalAttrs (modules ? optional-noctalia) { radicale-token = { owner = mainUser; }; - }) // (lib.optionalAttrs modules.anki { anki-user = { owner = mainUser; }; anki-pw = { owner = mainUser; }; - }); + }; templates = { - authinfo = lib.mkIf modules.emacs { + authinfo = { path = "${homeDir}/.emacs.d/.authinfo"; content = '' machine ${globals.services.radicale.domain} login ${radicaleUser} password ${config.sops.placeholder.emacs-radicale-pw} diff --git a/modules-clone/nixos/common/home-manager.nix b/modules-clone/nixos/common/home-manager.nix index 711883a..c090ee9 100644 --- a/modules-clone/nixos/common/home-manager.nix +++ b/modules-clone/nixos/common/home-manager.nix @@ -15,8 +15,8 @@ inputs.swarsel-nix.homeModules.default { imports = [ - "${self}/profiles/home" - "${self}/modules/home" + "${self}/profiles-clone/home" + "${self}/modules-clone/home" { swarselprofiles = { minimal = lib.mkIf minimal true; 
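Review bot: In the home-manager-secrets.nix hunk, dropping the `lib.optionalAttrs modules.*` guards and the `withHomeManager` guard means every host that imports this module now declares all of these sops secrets (mail tokens, GitHub tokens, Anki and radicale credentials) plus the `authinfo` template, whether or not the matching home-manager module is enabled. That widens the set of machines on which these credentials get decrypted for `mainUser`, and as far as I know sops-nix validates declared keys against the secrets file at build time, so hosts whose file never carried these keys may stop building. If the guards went away only because `config.home-manager.users.${mainUser}.swarselmodules` is no longer reachable from here, consider gating on a NixOS-side option instead so servers do not receive desktop credentials. `config = { } // {` is now a no-op merge and can be written as `config = {`. The attribute set continues past the end of the hunk.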
diff --git a/modules-clone/nixos/common/lanzaboote.nix b/modules-clone/nixos/common/lanzaboote.nix deleted file mode 100644 index 41204ff..0000000 --- a/modules-clone/nixos/common/lanzaboote.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ lib, pkgs, config, minimal, ... }: -let - inherit (config.swarselsystems) isSecureBoot isImpermanence; -in -{ - options.swarselmodules.lanzaboote = lib.mkEnableOption "lanzaboote config"; - config = lib.mkIf config.swarselmodules.lanzaboote { - - environment.systemPackages = lib.mkIf isSecureBoot [ - pkgs.sbctl - ]; - - environment.persistence."/persist" = lib.mkIf (isImpermanence && isSecureBoot) { - directories = [{ directory = "/var/lib/sbctl"; }]; - }; - - boot = { - loader = { - efi.canTouchEfiVariables = true; - systemd-boot.enable = lib.swarselsystems.mkIfElse (minimal || !isSecureBoot) (lib.mkForce true) (lib.mkForce false); - }; - lanzaboote = lib.mkIf (!minimal && isSecureBoot) { - enable = true; - pkiBundle = "/var/lib/sbctl"; - configurationLimit = 6; - }; - }; - }; -} diff --git a/profiles-clone/nixos/localserver/default.nix b/profiles-clone/nixos/localserver/default.nix index e010a70..e1bb47a 100644 --- a/profiles-clone/nixos/localserver/default.nix +++ b/profiles-clone/nixos/localserver/default.nix @@ -4,7 +4,6 @@ config = lib.mkIf config.swarselprofiles.server { swarselmodules = { general = lib.mkDefault true; - lanzaboote = lib.mkDefault true; home-manager = lib.mkDefault true; xserver = lib.mkDefault true; time = lib.mkDefault true; diff --git a/profiles-clone/nixos/minimal/default.nix b/profiles-clone/nixos/minimal/default.nix index d6355d2..5f00f2f 100644 --- a/profiles-clone/nixos/minimal/default.nix +++ b/profiles-clone/nixos/minimal/default.nix @@ -6,7 +6,6 @@ general = lib.mkDefault true; home-manager = lib.mkDefault true; xserver = lib.mkDefault true; - lanzaboote = lib.mkDefault true; time = lib.mkDefault true; impermanence = lib.mkDefault true; security = lib.mkDefault true; 
diff --git a/profiles-clone/nixos/personal/default.nix b/profiles-clone/nixos/personal/default.nix index f8ab245..c9cb198 100644 --- a/profiles-clone/nixos/personal/default.nix +++ b/profiles-clone/nixos/personal/default.nix @@ -20,7 +20,6 @@ impermanence = lib.mkDefault true; interceptionTools = lib.mkDefault true; keyboards = lib.mkDefault true; - lanzaboote = lib.mkDefault true; ledger = lib.mkDefault true; lid = lib.mkDefault true; login = lib.mkDefault true;