diff --git a/.sops.yaml b/.sops.yaml
index 4b38475..c164f0d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,9 +7,6 @@ keys:
 - &swarsel 4BE7925262289B476DBBC17B76FD3810215AE097
 - &hosts
 - &winters age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
- - &twothreetunnel age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
- - &liliputsteps age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
- - &stoicclub age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
 - &belchsfactory age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6
 - &eagleland age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
 - &hintbooth age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x
@@ -17,6 +14,7 @@ keys:
 - &toto age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl
 - &surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
 - &nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
+ - &milkywell age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h
 - &moonside age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
 creation_rules:
 - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$
@@ -25,9 +23,6 @@ creation_rules:
 - *swarsel
 age:
 - *winters
- - *twothreetunnel
- - *liliputsteps
- - *stoicclub
 - *belchsfactory
 - *eagleland
 - *hintbooth
@@ -35,6 +30,7 @@ creation_rules:
 - *toto
 - *surface
 - *nbl
+ - *milkywell
 - *moonside
 - path_regex: secrets/repo/[^/]+$
 key_groups:
@@ -42,9 +38,6 @@ creation_rules:
 - *swarsel
 age:
 - *winters
- - *twothreetunnel
- - *liliputsteps
- - *stoicclub
 - *belchsfactory
 - *eagleland
 - *hintbooth
@@ -52,6 +45,7 @@ creation_rules:
 - *toto
 - *surface
 - *nbl
+ - *milkywell
 - *moonside
 - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$
 key_groups:
@@ -59,9 +53,6 @@ creation_rules:
 - *swarsel
 age:
 - *nbl
- - *twothreetunnel
- - *liliputsteps
- - *stoicclub
 - *belchsfactory
 - *eagleland
 - *hintbooth
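Review bot: Removing `*twothreetunnel`, `*liliputsteps` and `*stoicclub` from the `age:` lists of the shared rules (`secrets/general`, `secrets/repo`, `secrets/certs`) only affects files that sops creates or re-keys from now on. Files already encrypted under these paths keep a data key wrapped for the three removed host keys until `sops updatekeys` is run on each of them, and `*milkywell` cannot decrypt them before that either. The diff shown here does not include re-keyed secret files, so that step may be missing or may live elsewhere in the commit. The removed hosts could decrypt every earlier revision that remains in git history, so the values under those paths should be rotated unless the decommissioned machines and their SSH host keys are known to be destroyed. The same applies to the per-host rules in the `@@ -158,44 +149,18 @@` hunk; a comment above `creation_rules:` such as `# after changing recipients: run sops updatekeys on every matching file, then rotate` would record the procedure.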
@@ -158,44 +149,18 @@ creation_rules: - - path_regex: secrets/stoicclub/[^/]+\.(yaml|json|env|ini)$ + - path_regex: secrets/milkywell/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: - *swarsel age: - - *stoicclub - - path_regex: hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc + - *milkywell + - path_regex: hosts/nixos/x86_64-linux/milkywell/secrets/pii.nix.enc key_groups: - pgp: - *swarsel age: - - *stoicclub - - - path_regex: secrets/liliputsteps/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *swarsel - age: - - *liliputsteps - - path_regex: hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc - key_groups: - - pgp: - - *swarsel - age: - - *liliputsteps - - - path_regex: secrets/twothreetunnel/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *swarsel - age: - - *twothreetunnel - - path_regex: hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc - key_groups: - - pgp: - - *swarsel - age: - - *twothreetunnel + - *milkywell - path_regex: hosts/nixos/x86_64-linux/summers/secrets/ key_groups: diff --git a/SwarselSystems.org b/SwarselSystems.org index 61821f7..042da43 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org 
@@ -24,6 +24,7 @@ I used to have two separate files (=Emacs.org= and =Nixos.org=) because the NixO This configuration is part of a NixOS system that is (nearly) fully declarative and can be found here: - [[https:github.com/Swarsel/.dotfiles][~SwarselSystems~ on github.com]] +- [[https:swagit.swarsel.win/Swarsel/.dotfiles][~SwarselSystems~ on swagit.swarsel.win]] This literate configuration lets me explain my choices to my future self as well as you, the reader. I go to great lengths to explain the choices for all configuration steps that I take in order for me to pay due diligence in crafting my setup, and not simply copying big chunks of other peoples code. Also, the literate configuration approach is very convenient to me as I only need to keep of (ideally) a single file to manage all of my configuration. I hope that this documentation will make it easier for beginners to get into Emacs and NixOS as I know it can be a struggle in the beginning. @@ -788,7 +789,7 @@ Concerning the =flake = _:= part: forEachLinuxSystem = f: lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: f pkgsFor.${system}); readHosts = type: lib.attrNames (builtins.readDir "${self}/hosts/${type}"); - readNix = type: lib.filter (name: name != "default.nix" && name != "optional" && name != "darwin") (lib.attrNames (builtins.readDir "${self}/${type}")); + readNix = type: lib.filter (name: name != "default.nix") (lib.attrNames (builtins.readDir "${self}/${type}")); mkImports = names: baseDir: lib.map (name: "${self}/${baseDir}/${name}") names; }; @@ -982,6 +983,7 @@ The rest of the outputs either define or help define the actual configurations: inputs.lanzaboote.nixosModules.lanzaboote inputs.microvm.nixosModules.host inputs.microvm.nixosModules.microvm + inputs.niri-flake.nixosModules.niri inputs.nix-index-database.nixosModules.nix-index inputs.nix-minecraft.nixosModules.minecraft-servers inputs.nix-topology.nixosModules.default 
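Review bot: In the `@@ -788,7 +789,7 @@` hunk, `readNix` no longer filters out `"optional"` and `"darwin"`, so whatever consumes its result now picks up those directories for every host. That is only safe if each file under `optional/` is fully gated behind its `swarselmodules.optional.<name>` switch (for example wrapped in `lib.mkIf`), otherwise modules such as the former `virtualbox.nix` or `gaming.nix` would become active on servers as well. The module files are not part of the visible diff, so this needs confirming there. A comment on the line such as `# optional/ is imported everywhere; every module in it must be gated by its own enable option` would make the contract explicit.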
@@ -1064,6 +1066,7 @@ The rest of the outputs either define or help define the actual configurations:
 };
 modules = [
 inputs.stylix.homeModules.stylix
+ inputs.niri-flake.homeModules.niri
 inputs.nix-index-database.homeModules.nix-index
 # inputs.sops-nix.homeManagerModules.sops
 inputs.spicetify-nix.homeManagerModules.default
@@ -1597,50 +1600,49 @@ Otherwise, I define the function =mkTemplates= here which builds a named attribu Defines a formatter that can be called using =nix flake format=. While a nice utility, I have stronger tools to perform this job. #+begin_src nix-ts :tangle nix/formatter.nix - { inputs, ... }: - { - imports = [ - inputs.treefmt-nix.flakeModule - ]; + { inputs, ... }: + { + imports = [ + inputs.treefmt-nix.flakeModule + ]; - perSystem = { pkgs, ... }: { - # formatter = pkgs.nixpkgs-fmt; - # formatter is set by treefmt to: - # formatter = lib.mkIf config.treefmt.flakeFormatter (lib.mkDefault config.treefmt.build.wrapper); - treefmt = { - projectRootFile = "flake.nix"; - programs = { - nixfmt = { - enable = true; - package = pkgs.nixpkgs-fmt; - }; - deadnix.enable = true; - statix.enable = true; - shfmt = { - enable = true; - indent_size = 4; - simplify = true; - # needed to replicate what my Emacs shfmt does - # there is no builtin option for space-redirects - package = pkgs.symlinkJoin { - name = "shfmt"; - buildInputs = [ pkgs.makeWrapper ]; - paths = [ pkgs.shfmt ]; - postBuild = '' - wrapProgram $out/bin/shfmt \ - --add-flags '-sr' - ''; - }; - }; - shellcheck.enable = true; + perSystem = { pkgs, ... 
}: { + # formatter = pkgs.nixpkgs-fmt; + # formatter is set by treefmt to: + # formatter = lib.mkIf config.treefmt.flakeFormatter (lib.mkDefault config.treefmt.build.wrapper); + treefmt = { + projectRootFile = "flake.nix"; + programs = { + nixfmt = { + enable = true; + package = pkgs.nixpkgs-fmt; }; - settings.formatter.shellcheck.options = [ - "--shell" - "bash" - ]; + deadnix.enable = true; + statix.enable = true; + shfmt = { + enable = true; + indent_size = 4; + simplify = true; + # needed to replicate what my Emacs shfmt does + # there is no builtin option for space-redirects + package = pkgs.symlinkJoin { + name = "shfmt"; + buildInputs = [ pkgs.makeWrapper ]; + paths = [ pkgs.shfmt ]; + postBuild = '' + wrapProgram $out/bin/shfmt --append-flags '-sr' + ''; + }; + }; + shellcheck.enable = true; }; + settings.formatter.shellcheck.options = [ + "--shell" + "bash" + ]; }; - } + }; + } #+end_src ** TODO Modules @@ -2165,17 +2167,16 @@ My work machine. Built for more security, this is the gold standard of my config ./disk-config.nix ./hardware-configuration.nix - "${self}/modules/nixos/optional/amdcpu.nix" - "${self}/modules/nixos/optional/amdgpu.nix" - "${self}/modules/nixos/optional/framework.nix" - "${self}/modules/nixos/optional/gaming.nix" - "${self}/modules/nixos/optional/hibernation.nix" - "${self}/modules/nixos/optional/nswitch-rcm.nix" - "${self}/modules/nixos/optional/virtualbox.nix" - "${self}/modules/nixos/optional/work.nix" - ]; + swarselmodules = { + optional = { + amdcpu = true; + amdgpu = true; + hibernation = true; + }; + }; + swarselsystems = { lowResolution = "1280x800"; highResolution = "2560x1600"; @@ -2223,6 +2224,10 @@ My work machine. Built for more security, this is the gold standard of my config } // lib.optionalAttrs (!minimal) { swarselprofiles = { personal = true; + optionals = true; + work = true; + uni = true; + framework = true; }; } 
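Review bot: `wrapProgram $out/bin/shfmt --append-flags '-sr'` in the formatter hunk puts `-sr` after the arguments the caller passes, whereas the removed `--add-flags '-sr'` put it in front of them. treefmt presumably passes the file paths as trailing arguments, and if shfmt stops option parsing at the first positional argument (as Go's standard flag package does), the appended `-sr` would be read as a path instead of enabling space-redirects. Unless that was tested, keeping `--add-flags '-sr'` is the safer form. The rest of this hunk is a re-indent of the same block.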
@@ -2420,10 +2425,6 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se ./disk-config.nix ./hardware-configuration.nix - "${self}/modules/nixos/optional/gaming.nix" - "${self}/modules/nixos/optional/nswitch-rcm.nix" - "${self}/modules/nixos/optional/virtualbox.nix" - ]; swarselsystems = { @@ -2445,6 +2446,7 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se isSwap = true; rootDisk = "/dev/nvme0n1"; swapSize = "4G"; + hostName = config.node.name; }; home-manager.users."${primaryUser}" = { @@ -2643,7 +2645,7 @@ This is my main server that I run at home. It handles most tasks that require bi :CUSTOM_ID: h:8ad68406-4a75-45ba-97ad-4c310b921124 :END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/winters/default.nix - { lib, minimal, ... }: + { lib, config, minimal, ... }: { imports = [ @@ -2672,6 +2674,7 @@ This is my main server that I run at home. It handles most tasks that require bi isNixos = true; proxyHost = "moonside"; server = { + inherit (config.repo.secrets.local.networking) localNetwork; restic = { bucketName = "SwarselWinters"; paths = [ @@ -2800,14 +2803,12 @@ This is my main server that I run at home. It handles most tasks that require bi :CUSTOM_ID: h:dc2233df-cd78-43cc-bb45-57568a83fb24 :END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/default.nix - { self, inputs, lib, config, minimal, nodes, globals, ... }: + { inputs, lib, config, minimal, nodes, globals, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix - - "${self}/modules/nixos/optional/microvm-host.nix" ]; boot = { @@ -2834,6 +2835,9 @@ This is my main server that I run at home. It handles most tasks that require bi }; swarselmodules = { + optional = { + microvmHost = true; + }; server = { diskEncryption = lib.mkForce false; # TODO: disable nfs = false; 
@@ -3070,11 +3074,8 @@ This is my main server that I run at home. It handles most tasks that require bi :CUSTOM_ID: h:b9af4b1c-f35a-48a5-afa7-030c2be9c808 :END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix - { self,lib, minimal, ... }: + { lib, minimal, ... }: { - imports = [ - "${self}/modules/nixos/optional/microvm-guest.nix" - ]; swarselsystems = { info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM"; @@ -3086,6 +3087,12 @@ This is my main server that I run at home. It handles most tasks that require bi server = false; }; + swarselmodules = { + optional = { + microvmGuest = false; + }; + }; + microvm = { mem = 1024 * 4; vcpu = 2; @@ -3105,7 +3112,7 @@ This is my main server that I run at home. It handles most tasks that require bi :CUSTOM_ID: h:624b3c6a-6e31-4734-a6ea-7c5b461a3429 :END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/default.nix - { lib, minimal, ... }: + { lib, config, minimal, ... }: { imports = [ @@ -3125,6 +3132,9 @@ This is my main server that I run at home. It handles most tasks that require bi rootDisk = "/dev/sda"; swapSize = "8G"; networkKernelModules = [ "igb" ]; + server = { + inherit (config.repo.secrets.local.networking) localNetwork; + }; }; } // lib.optionalAttrs (!minimal) { @@ -3601,7 +3611,9 @@ This machine mainly acts as my proxy server to stand before my local machines. isBtrfs = true; isNixos = true; isLinux = true; + proxyHost = "moonside"; server = { + inherit (config.repo.secrets.local.networking) localNetwork; restic = { bucketName = "SwarselMoonside"; paths = [ 
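Review bot: `microvmGuest = false;` in the guest1 hunk (`@@ -3086,6 +3087,12 @@`) looks inverted. The removed lines imported `modules/nixos/optional/microvm-guest.nix` unconditionally, and the summers host in this same commit replaces its import with `microvmHost = true`. With `false` the guest module is presumably switched off while the block still sets `microvm = { mem = ...; vcpu = ...; }` right below. The option definition is outside this diff, so confirm its meaning there; if the guest is meant to be disabled for now, a comment saying so would help, otherwise the line should read `microvmGuest = true;`.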
@@ -3797,13 +3809,11 @@ This machine mainly acts as my proxy server to stand before my local machines. :END: #+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/belchsfactory/default.nix - { self, lib, minimal, ... }: + { lib, config, minimal, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix - - "${self}/modules/nixos/optional/systemd-networkd-server.nix" ]; node.lockFromBootstrapping = lib.mkForce false; @@ -3825,7 +3835,9 @@ This machine mainly acts as my proxy server to stand before my local machines. isNixos = true; isLinux = true; isCloud = true; + proxyHost = "belchsfactory"; server = { + inherit (config.repo.secrets.local.networking) localNetwork; garage = { data_dir = { capacity = "150G"; @@ -3848,7 +3860,6 @@ This machine mainly acts as my proxy server to stand before my local machines. }; swarselmodules.server = { - ssh-builder = lib.mkDefault true; postgresql = lib.mkDefault true; attic = lib.mkDefault true; garage = lib.mkDefault true; 
@@ -4008,74 +4019,105 @@ This machine mainly acts as my proxy server to stand before my local machines. } #+end_src -**** Stoicclub (OCI) +**** Milkywell (OCI) +:PROPERTIES: +:CUSTOM_ID: h:d8869eca-cbde-45f0-9e54-9da8320b6a31 +:END: ***** Main Configuration +:PROPERTIES: +:CUSTOM_ID: h:314601a0-e1b7-4996-a96c-663b121f9377 +:END: -#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/stoicclub/default.nix - { self, lib, minimal, ... }: +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/milkywell/default.nix + { lib, config, minimal, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix - - "${self}/modules/nixos/optional/systemd-networkd-server.nix" ]; + node.lockFromBootstrapping = false; + sops = { + age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; + }; topology.self = { icon = "devices.cloud-server"; }; - swarselmodules.server.nginx = false; + networking = { + domain = "subnet03112148.vcn03112148.oraclevcn.com"; + firewall = { + allowedTCPPorts = [ 53 ]; + }; + }; + + system.stateVersion = "23.11"; swarselsystems = { flakePath = "/root/.dotfiles"; - info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM"; + info = "VM.Standard.E2.1.Micro"; isImpermanence = true; isSecureBoot = false; - isCrypted = true; - isSwap = false; - rootDisk = "/dev/disk/by-id/scsi-360e1a5236f034316a10a97cc703ce9e3"; + isCrypted = false; + isSwap = true; + swapSize = "8G"; + rootDisk = "/dev/sda"; isBtrfs = true; isNixos = true; isLinux = true; - isCloud = true; - isBastionTarget = true; + server = { + inherit (config.repo.secrets.local.networking) localNetwork; + }; }; } // lib.optionalAttrs (!minimal) { swarselprofiles = { server = true; }; - swarselmodules.server = { - nsd = true; - nginx = false; - }; } #+end_src ***** hardware-configuration +:PROPERTIES: +:CUSTOM_ID: h:b1f37b5b-aa18-405a-bf76-4d95642b5acc +:END: -#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix +#+begin_src nix-ts :tangle 
hosts/nixos/x86_64-linux/milkywell/hardware-configuration.nix { lib, modulesPath, ... }: + { - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; boot = { initrd = { - availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; - kernelModules = [ ]; + availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; + kernelModules = [ "dm-snapshot" ]; }; - kernelModules = [ ]; + kernelModules = [ "kvm-amd" ]; extraModulePackages = [ ]; }; - nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } + #+end_src ***** disko +:PROPERTIES: +:CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d +:END: -#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/stoicclub/disk-config.nix +#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/milkywell/disk-config.nix { lib, pkgs, config, ... }: let type = "btrfs"; 
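Review bot: `isCrypted = false` combined with `sops.age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]` leaves the key that decrypts this host's sops secrets on an unencrypted cloud volume, whereas the stoicclub config this replaces had `isCrypted = true`; if that is a limit of the `VM.Standard.E2.1.Micro` shape, a comment next to the flag should say so. `networking.firewall.allowedTCPPorts = [ 53 ]` opens TCP 53 only, and the `nsd = true` setting is removed in the same hunk, so from what is visible the port is opened without a DNS service behind it and without the matching UDP rule. Either drop the rule or let the module that runs the DNS server open both protocols. `networking.domain` also hard-codes the VCN subnet name in the committed file, although the other network details of this host are read from `config.repo.secrets.local.networking`.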
@@ -4197,388 +4239,6 @@ This machine mainly acts as my proxy server to stand before my local machines. fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; } - -#+end_src -**** Liliputsteps (OCI) - -***** Main Configuration - -#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/liliputsteps/default.nix - { self, lib, minimal, ... }: - { - imports = [ - ./hardware-configuration.nix - ./disk-config.nix - - "${self}/modules/nixos/optional/systemd-networkd-server.nix" - ]; - - topology.self = { - icon = "devices.cloud-server"; - }; - - swarselsystems = { - flakePath = "/root/.dotfiles"; - info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM"; - isImpermanence = true; - isSecureBoot = false; - isCrypted = true; - isSwap = false; - rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885"; - isBtrfs = true; - isNixos = true; - isLinux = true; - isCloud = true; - mainUser = "jump"; - }; - } // lib.optionalAttrs (!minimal) { - swarselprofiles = { - server = true; - }; - - swarselmodules.server = { - nginx = false; - bastion = true; - # ssh = false; - }; - - # users.users.swarsel.enable = lib.mkForce false; - # home-manager.users.swarsel.enable = lib.mkForce false - } - -#+end_src -***** hardware-configuration - -#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix - { lib, modulesPath, ... }: - { - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot = { - initrd = { - availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; - kernelModules = [ ]; - }; - kernelModules = [ ]; - extraModulePackages = [ ]; - }; - - nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; - } -#+end_src -***** disko - -#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix - { lib, pkgs, config, ... 
}: - let - type = "btrfs"; - extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "subvol=root" - "compress=zstd" - "noatime" - ]; - }; - "/home" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/home"; - mountOptions = [ - "subvol=home" - "compress=zstd" - "noatime" - ]; - }; - "/persist" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/persist"; - mountOptions = [ - "subvol=persist" - "compress=zstd" - "noatime" - ]; - }; - "/log" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/var/log"; - mountOptions = [ - "subvol=log" - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "subvol=nix" - "compress=zstd" - "noatime" - ]; - }; - "/swap" = lib.mkIf config.swarselsystems.isSwap { - mountpoint = "/.swapvol"; - swap.swapfile.size = config.swarselsystems.swapSize; - }; - }; - in - { - disko = { - imageBuilder.extraDependencies = [ pkgs.kmod ]; - devices = { - disk = { - disk0 = { - type = "disk"; - device = config.swarselsystems.rootDisk; - content = { - type = "gpt"; - partitions = { - ESP = { - priority = 1; - name = "ESP"; - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - root = lib.mkIf (!config.swarselsystems.isCrypted) { - size = "100%"; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - luks = lib.mkIf config.swarselsystems.isCrypted { - size = "100%"; - content = { - type = "luks"; - name = "cryptroot"; - passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh - settings = { - allowDiscards 
= true; - # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 - crypttabExtraOpts = [ - "fido2-device=auto" - "token-timeout=10" - ]; - }; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - }; - }; - }; - }; - }; - }; - }; - - fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - } - -#+end_src -**** Twothreetunnel (OCI) - -***** Main Configuration - -#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/twothreetunnel/default.nix - { self, lib, minimal, ... }: - { - imports = [ - ./hardware-configuration.nix - ./disk-config.nix - - "${self}/modules/nixos/optional/systemd-networkd-server.nix" - ]; - - topology.self = { - icon = "devices.cloud-server"; - }; - - swarselsystems = { - flakePath = "/root/.dotfiles"; - info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM"; - isImpermanence = true; - isSecureBoot = false; - isCrypted = true; - isSwap = false; - rootDisk = "/dev/disk/by-id/scsi-3608deb9b0d4244de95c6620086ff740d"; - isBtrfs = true; - isNixos = true; - isLinux = true; - isCloud = true; - }; - } // lib.optionalAttrs (!minimal) { - swarselprofiles = { - server = true; - }; - - swarselmodules.server = { - nginx = false; - }; - - } - -#+end_src -***** hardware-configuration - -#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix - { lib, modulesPath, ... 
}: - { - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot = { - initrd = { - availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; - kernelModules = [ ]; - }; - kernelModules = [ ]; - extraModulePackages = [ ]; - }; - - nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; - } -#+end_src -***** disko - -#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix - { lib, pkgs, config, ... }: - let - type = "btrfs"; - extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "subvol=root" - "compress=zstd" - "noatime" - ]; - }; - "/home" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/home"; - mountOptions = [ - "subvol=home" - "compress=zstd" - "noatime" - ]; - }; - "/persist" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/persist"; - mountOptions = [ - "subvol=persist" - "compress=zstd" - "noatime" - ]; - }; - "/log" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/var/log"; - mountOptions = [ - "subvol=log" - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "subvol=nix" - "compress=zstd" - "noatime" - ]; - }; - "/swap" = lib.mkIf config.swarselsystems.isSwap { - mountpoint = "/.swapvol"; - swap.swapfile.size = config.swarselsystems.swapSize; - }; - }; - in - { - disko = { - imageBuilder.extraDependencies = [ pkgs.kmod ]; - devices = { - disk = { - disk0 = { - type = "disk"; - device = config.swarselsystems.rootDisk; - content = { - type = "gpt"; - partitions = { - ESP = { - priority = 1; - name = "ESP"; - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - root = lib.mkIf (!config.swarselsystems.isCrypted) { - size = "100%"; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf 
config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - luks = lib.mkIf config.swarselsystems.isCrypted { - size = "100%"; - content = { - type = "luks"; - name = "cryptroot"; - passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh - settings = { - allowDiscards = true; - # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 - crypttabExtraOpts = [ - "fido2-device=auto" - "token-timeout=10" - ]; - }; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - }; - }; - }; - }; - }; - }; - }; - - fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - } - #+end_src **** Eagleland (Hetzner) :PROPERTIES: 
@@ -4591,19 +4251,63 @@ This machine mainly acts as my proxy server to stand before my local machines. :END: #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/eagleland/default.nix - { self, lib, minimal, ... }: + { lib, config, minimal, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix - - "${self}/modules/nixos/optional/systemd-networkd-server.nix" ]; topology.self = { icon = "devices.cloud-server"; }; + networking = { + useDHCP = lib.mkForce false; + useNetworkd = true; + dhcpcd.enable = false; + renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) ( + config.repo.secrets.local.networking.networks or { } + ); + }; + boot.initrd.systemd.network = { + enable = true; + networks = { + inherit (config.systemd.network.networks) "10-wan"; + }; + }; + + systemd = { + network = { + enable = true; + wait-online.enable = false; + networks = + let + netConfig = config.repo.secrets.local.networking; + in + { + "10-wan" = { + address = [ + "${netConfig.wanAddress4}/32" + "${netConfig.wanAddress6}/64" + ]; + gateway = [ "fe80::1" ]; + routes = [ + { Destination = netConfig.defaultGateway4; } + { + Gateway = netConfig.defaultGateway4; + GatewayOnLink = true; + } + ]; + matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac; + networkConfig.IPv6PrivacyExtensions = "yes"; + linkConfig.RequiredForOnline = "routable"; + }; + }; + }; + }; + + swarselmodules.server.mailserver = true; swarselsystems = { flakePath = "/root/.dotfiles"; @@ -4619,11 +4323,11 @@ This machine mainly acts as my proxy server to stand before my local machines. isNixos = true; isLinux = true; proxyHost = "eagleland"; + server = { + inherit (config.repo.secrets.local.networking) localNetwork; + }; }; } // lib.optionalAttrs (!minimal) { - - swarselmodules.server.mailserver = true; - swarselprofiles = { server = true; }; @@ -5591,11 +5295,6 @@ in "nginx" "virtualHosts" ] - [ - "swarselsystems" - "server" - "dns" - ] ]; attrsForEachOption = 
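Review bot: In the first eagleland hunk `renameInterfacesByMac` reads `config.repo.secrets.local.networking.networks or { }`, but the `"10-wan"` network below dereferences `netConfig.wanAddress4`, `netConfig.wanAddress6`, `netConfig.defaultGateway4` and `netConfig.networks.${...}.mac` with no fallback, so the `or { }` guard does not keep evaluation working when the repo secrets are unavailable. `swarselmodules.server.mailserver = true;` also moves out of the `lib.optionalAttrs (!minimal)` branch (removed in the `@@ -4619,11 +4323,11 @@` hunk), which enables the mail server in minimal builds too; if that is not intended, keep it under `!minimal`. Since `"10-wan"` is inherited into `boot.initrd.systemd.network`, the public addresses are configured in the initrd as well, and a one-line comment stating what needs the network that early would help the next reader judge the exposure.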
@@ -5716,8 +5415,7 @@ in if netSubmod.config.cidrv6 == null then null else - # if we use the /32 wan address as local address directly, do not use the network address in ipv6 - lib.net.cidr.hostCidr (if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id) netSubmod.config.cidrv6; + lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6; }; }; }) @@ -5831,10 +5529,6 @@ in main = mkOption { type = types.str; }; - externalDns = mkOption { - type = types.listOf types.str; - description = "List of external dns nameservers"; - }; }; }; }; @@ -5912,7 +5606,7 @@ in }) // (lib.optionalAttrs modules.emacs { emacs-radicale-pw = { owner = mainUser; }; github-forge-token = { owner = mainUser; }; - }) // (lib.optionalAttrs (modules ? optional-work) { + }) // (lib.optionalAttrs modules.optional.work { harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; }) // (lib.optionalAttrs modules.anki { anki-user = { owner = mainUser; }; @@ -5953,7 +5647,7 @@ in }; } #+end_src -**** General NixOS settings (nix config, stateVersion) +**** General NixOS settings (nix, stateVersion) :PROPERTIES: :CUSTOM_ID: h:24c9146f-2147-4fd5-bafc-d5853e15cf12 :END: 
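Review bot: With the `if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id` guard removed in the `@@ -5716,8 +5415,7 @@` hunk, a host whose `id` is 0 now gets `lib.net.cidr.hostCidr 0 netSubmod.config.cidrv6`, which is the network address of the prefix, the case the deleted comment warned about. Nothing visible in this hunk prevents `id = 0`, so either keep the guard or add an assertion that rejects `id == 0` whenever `cidrv6` is set, with a message naming the host. The enclosing option definition starts and ends outside the hunk, so a check may already exist there.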
@@ -5987,148 +5681,144 @@ A breakdown of the flags being set: #+begin_src nix-ts :tangle modules/nixos/common/settings.nix { self, lib, pkgs, config, outputs, inputs, minimal, globals, ... }: - let - inherit (config.swarselsystems) mainUser; - inherit (config.repo.secrets.common) atticPublicKey; - settings = if minimal then { } else { - environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" '' - assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false; - { } - ''; + let + inherit (config.swarselsystems) mainUser; + inherit (config.repo.secrets.common) atticPublicKey; + settings = if minimal then { } else { + environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" '' + assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false; + { } + ''; - nix = - let - flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs; - in - { - settings = { - connect-timeout = 5; - bash-prompt-prefix = "$SHLVL:\\w "; - bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; - fallback = true; - min-free = 128000000; - max-free = 1000000000; - flake-registry = ""; - auto-optimise-store = true; - warn-dirty = false; - max-jobs = 1; - use-cgroups = lib.mkIf config.swarselsystems.isLinux true; - }; - gc = { - automatic = true; - dates = "weekly"; - options = "--delete-older-than 10d"; - }; - optimise = { - automatic = true; - dates = "weekly"; - }; - channel.enable = false; - registry = rec { - nixpkgs.flake = inputs.nixpkgs; - # swarsel.flake = inputs.swarsel; - swarsel.flake = self; - n = nixpkgs; - s = swarsel; - }; - nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs; - }; + nix = + let + flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs; + in + { + settings = { + connect-timeout = 5; + bash-prompt-prefix = "$SHLVL:\\w "; + bash-prompt = "$(if [[ $? 
-gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; + fallback = true; + min-free = 128000000; + max-free = 1000000000; + flake-registry = ""; + auto-optimise-store = true; + warn-dirty = false; + max-jobs = 1; + use-cgroups = lib.mkIf config.swarselsystems.isLinux true; + }; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 10d"; + }; + optimise = { + automatic = true; + dates = "weekly"; + }; + channel.enable = false; + registry = rec { + nixpkgs.flake = inputs.nixpkgs; + # swarsel.flake = inputs.swarsel; + swarsel.flake = self; + n = nixpkgs; + s = swarsel; + }; + nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs; + }; - services.dbus.implementation = "broker"; + services.dbus.implementation = "broker"; - systemd.services.nix-daemon = { - environment.TMPDIR = "/var/tmp"; - }; + systemd.services.nix-daemon = { + environment.TMPDIR = "/var/tmp"; + }; - }; - in - { - options.swarselmodules.general = lib.mkEnableOption "general nix settings"; - config = lib.mkIf config.swarselmodules.general - (lib.recursiveUpdate - { - sops.secrets = lib.mkIf (!minimal) { - github-api-token = { owner = mainUser; }; - }; + }; + in + { + options.swarselmodules.general = lib.mkEnableOption "general nix settings"; + config = lib.mkIf config.swarselmodules.general + (lib.recursiveUpdate + { + sops.secrets.github-api-token = lib.mkIf (!minimal) { + owner = mainUser; + }; - nix = - let - nix-version = "2_30"; - in - { - package = pkgs.nixVersions."nix_${nix-version}"; - settings = { - experimental-features = [ - "nix-command" - "flakes" - "ca-derivations" - "cgroups" - "pipe-operators" - ]; - substituters = [ - "https://${globals.services.attic.domain}/${mainUser}" - ]; - trusted-public-keys = [ - atticPublicKey - ]; - trusted-users = [ - "@wheel" - "${config.swarselsystems.mainUser}" - (lib.mkIf config.swarselmodules.server.ssh-builder "builder") - ]; - }; - # extraOptions = '' - # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins - 
# extra-builtins-file = ${self + /nix/extra-builtins.nix} - # '' + lib.optionalString (!minimal) '' - # !include ${config.sops.secrets.github-api-token.path} - # ''; - # extraOptions = '' - # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { - # buildInputs = [config.nix.package pkgs.boost]; - # patches = o.patches or []; - # })}/lib/nix/plugins - # extra-builtins-file = ${self + /nix/extra-builtins.nix} - # ''; + nix = + let + nix-version = "2_30"; + in + { + package = pkgs.nixVersions."nix_${nix-version}"; + settings = { + experimental-features = [ + "nix-command" + "flakes" + "ca-derivations" + "cgroups" + "pipe-operators" + ]; + substituters = [ + "https://${globals.services.attic.domain}/${mainUser}" + ]; + trusted-public-keys = [ + atticPublicKey + ]; + trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ]; + }; + # extraOptions = '' + # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins + # extra-builtins-file = ${self + /nix/extra-builtins.nix} + # '' + lib.optionalString (!minimal) '' + # !include ${config.sops.secrets.github-api-token.path} + # ''; + # extraOptions = '' + # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { + # buildInputs = [config.nix.package pkgs.boost]; + # patches = o.patches or []; + # })}/lib/nix/plugins + # extra-builtins-file = ${self + /nix/extra-builtins.nix} + # ''; - extraOptions = - let - nix-plugins = pkgs.nix-plugins.override { - nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; - }; - in - '' - plugin-files = ${nix-plugins}/lib/nix/plugins - extra-builtins-file = ${self + /nix/extra-builtins.nix} - '' + lib.optionalString (!minimal) '' - !include ${config.sops.secrets.github-api-token.path} - ''; - }; + extraOptions = + let + nix-plugins = pkgs.nix-plugins.override { + nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; + }; + in + '' + plugin-files = ${nix-plugins}/lib/nix/plugins + extra-builtins-file = ${self + /nix/extra-builtins.nix} + '' + lib.optionalString 
(!minimal) '' + !include ${config.sops.secrets.github-api-token.path} + ''; + }; - system.stateVersion = lib.mkDefault "23.05"; + system.stateVersion = lib.mkDefault "23.05"; - nixpkgs = { - overlays = [ - outputs.overlays.default - (final: prev: - let - additions = final: _: import "${self}/pkgs/config" { - inherit self config lib; - pkgs = final; - homeConfig = config.home-manager.users.${config.swarselsystems.mainUser}; - }; - in - additions final prev - ) - ]; - config = { - allowUnfree = true; - }; - }; + nixpkgs = { + overlays = [ + outputs.overlays.default + (final: prev: + let + additions = final: _: import "${self}/pkgs/config" { + inherit self config lib; + pkgs = final; + homeConfig = config.home-manager.users.${config.swarselsystems.mainUser}; + }; + in + additions final prev + ) + ]; + config = { + allowUnfree = true; + }; + }; - } - settings); - } + } + settings); + } #+end_src **** Setup home-manager base 
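Review bot: `trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];` keeps every wheel member and the main user trusted by the Nix daemon, which the Nix manual describes as essentially equivalent to root access. Dropping the `builder` entry narrows the list, but nothing on the line says the remaining entries are deliberate. I would add `# trusted-users are root-equivalent for the nix daemon; keep this list minimal` above it. On servers it is worth checking whether `@wheel` is needed at all, since `trusted-substituters` covers the case where users only need to pick an extra cache. Most of the rest of this hunk is re-indentation.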
@@ -7204,96 +6894,6 @@ I use sops-nix to handle secrets that I want to have available on my machines at } #+end_src -**** Remote building - -#+begin_src nix-ts :tangle modules/nixos/client/remotebuild.nix - { lib, config, globals, ... }: - let - inherit (config.swarselsystems) homeDir mainUser isClient; - in - { - options.swarselmodules.remotebuild = lib.mkEnableOption "enable remote builds on this machine"; - config = lib.mkIf config.swarselmodules.remotebuild { - - sops.secrets = { - builder-key = lib.mkIf isClient { owner = mainUser; path = "${homeDir}/.ssh/builder"; mode = "0600"; }; - nixbuild-net-key = { owner = mainUser; path = "${homeDir}/.ssh/nixbuild-net"; mode = "0600"; }; - }; - - nix = { - settings.builders-use-substitutes = true; - distributedBuilds = true; - buildMachines = [ - (lib.mkIf isClient { - hostName = config.repo.secrets.common.builder1-ip; - system = "aarch64-linux"; - maxJobs = 20; - speedFactor = 10; - }) - (lib.mkIf isClient { - hostName = globals.hosts.belchsfactory.wanAddress4; - system = "aarch64-linux"; - maxJobs = 4; - speedFactor = 2; - protocol = "ssh-ng"; - }) - { - hostName = "eu.nixbuild.net"; - system = "x86_64-linux"; - maxJobs = 100; - speedFactor = 2; - supportedFeatures = [ "big-parallel" ]; - } - ]; - }; - programs.ssh = { - knownHosts = { - nixbuild = { - hostNames = [ "eu.nixbuild.net" ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM"; - }; - builder1 = lib.mkIf isClient { - hostNames = [ config.repo.secrets.common.builder1-ip ]; - publicKey = config.repo.secrets.common.builder1-pubHostKey; - }; - jump = lib.mkIf isClient { - hostNames = [ globals.hosts.liliputsteps.wanAddress4 ]; - publicKey = config.repo.secrets.common.jump-pubHostKey; - }; - builder2 = lib.mkIf isClient { - hostNames = [ globals.hosts.belchsfactory.wanAddress4 ]; - publicKey = config.repo.secrets.common.builder2-pubHostKey; - }; - }; - extraConfig = '' - Host eu.nixbuild.net - ConnectTimeout 1 - 
PubkeyAcceptedKeyTypes ssh-ed25519 - ServerAliveInterval 60 - IPQoS throughput - IdentityFile ${config.sops.secrets.nixbuild-net-key.path} - '' + lib.optionalString isClient '' - Host ${config.repo.secrets.common.builder1-ip} - ConnectTimeout 1 - User ${mainUser} - IdentityFile ${config.sops.secrets.builder-key.path} - - Host ${globals.hosts.belchsfactory.wanAddress4} - ConnectTimeout 5 - ProxyJump ${globals.hosts.liliputsteps.wanAddress4} - User builder - IdentityFile ${config.sops.secrets.builder-key.path} - - Host ${globals.hosts.liliputsteps.wanAddress4} - ConnectTimeout 1 - User jump - IdentityFile ${config.sops.secrets.builder-key.path} - ''; - }; - }; - } -#+end_src - **** Theme (stylix) :PROPERTIES: :CUSTOM_ID: h:e6e44705-94af-49fe-9ca0-0629d0f7d932 @@ -8190,7 +7790,7 @@ Auto login for the initial session. comment = "Sway compositor managed by UWSM"; binPath = "/run/current-system/sw/bin/sway"; }; - niri = lib.mkIf (config.swarselmodules ? niri) { + niri = { prettyName = "Niri"; comment = "Niri compositor managed by UWSM"; binPath = "/run/current-system/sw/bin/niri-session"; 
@@ -8201,6 +7801,45 @@ Auto login for the initial session. } #+end_src +**** Niri +:PROPERTIES: +:CUSTOM_ID: h:58162d08-3ded-441d-861e-2ebf30e32538 +:END: + +Auto login for the initial session. + +#+begin_src nix-ts :tangle modules/nixos/client/niri.nix + { lib, config, pkgs, ... }: + let + moduleName = "niri"; + in + { + options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings"; + config = lib.mkIf config.swarselmodules.${moduleName} { + + environment.systemPackages = with pkgs; [ + wl-clipboard + wayland-utils + libsecret + cage + gamescope + xwayland-satellite-unstable + ]; + + + programs.niri = { + enable = true; + package = pkgs.niri-unstable; # the actual niri that will be installed and used + }; + } // { + niri-flake.cache.enable = true; + programs.niri = { + package = null; + }; + }; + } +#+end_src + *** Server :PROPERTIES: :CUSTOM_ID: h:e492c24a-83a0-4bcb-a084-706f49318651 @@ -8373,7 +8012,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in #+begin_src nix-ts :tangle modules/nixos/server/nginx.nix { pkgs, lib, config, ... }: let - inherit (config.repo.secrets.common) dnsProvider dnsBase; + inherit (config.repo.secrets.common) dnsProvider; inherit (config.repo.secrets.common.mail) address3; serviceUser = "nginx"; @@ -8436,12 +8075,9 @@ Here we just define some aliases for rebuilding the system, and we allow some in ]; sops = { - secrets = { - acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; - }; + secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; templates."certs.secret".content = '' - ACME_DNS_API_BASE=${dnsBase} - ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token} + CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token} ''; }; 
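Review bot: In the new `modules/nixos/client/niri.nix`, `config = lib.mkIf config.swarselmodules.${moduleName} { … } // { … };` parses as `(lib.mkIf cond { … }) // { … }`, because function application binds tighter than `//`. The merged value still carries `_type = "if"`, so the module system should evaluate only its `content`, and the `niri-flake.cache.enable = true` and `programs.niri.package = null` keys of the second set are, as far as I can tell, silently dropped. If they are meant to apply unconditionally, write `config = lib.mkMerge [ (lib.mkIf config.swarselmodules.${moduleName} { … }) { niri-flake.cache.enable = true; } ];` and decide which `programs.niri.package` value should win, since the two sets disagree. The prose line "Auto login for the initial session." also looks copied from the previous section.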
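Review bot: The `certs.secret` template in the last hunk now writes the sops secret `acme-dns-token` into `CF_DNS_API_TOKEN`, so a secret named for acme-dns carries what appears to be a Cloudflare API token. Nothing here records which scope that token should have, and `dnsProvider` comes from repo secrets, so whether it matches the new variable cannot be checked from the hunk. I would add a comment on the secret such as `# Cloudflare API token, DNS edit on the ACME zones only` and rename the secret when the sops file is next re-keyed. The enclosing `sops` block continues outside the hunk.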
@@ -8555,10 +8191,6 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "yes"; - AllowUsers = [ - "root" - config.swarselsystems.mainUser - ]; }; hostKeys = [ { @@ -8570,12 +8202,10 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [ (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) - # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) ]; users.users.root.openssh.authorizedKeys.keyFiles = [ (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) - # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) ]; security.sudo.extraConfig = '' Defaults env_keep+=SSH_AUTH_SOCK 
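Review bot: Removing `AllowUsers` in the first hunk leaves sshd with `PermitRootLogin = "yes"` and no account allow-list, so any account that has or later gains an authorized key can log in over SSH. Password and keyboard-interactive authentication are off, so root is key-only in practice, but `PermitRootLogin = "prohibit-password";` states that intent and survives a later change to the auth settings. If the list was dropped only because the `jump` and `builder` users are gone, keeping `AllowUsers = [ "root" config.swarselsystems.mainUser ];` costs nothing. The `settings` block starts outside the hunk.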
@@ -8584,120 +8214,6 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t } #+end_src -**** Bastion - -#+begin_src nix-ts :tangle modules/nixos/server/bastion.nix - { self, lib, config, ... }: - { - options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server"; - config = lib.mkIf config.swarselmodules.server.bastion { - - users = { - groups = { - jump = { }; - }; - users = { - "jump" = { - isNormalUser = true; - useDefaultShell = true; - group = lib.mkForce "jump"; - createHome = lib.mkForce true; - openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - (self + /secrets/keys/ssh/builder.pub) - ]; - }; - }; - }; - - - services.openssh = { - enable = true; - startWhenNeeded = lib.mkForce false; - authorizedKeysInHomedir = false; - extraConfig = '' - Match User jump - PermitTTY no - X11Forwarding no - PermitTunnel no - GatewayPorts no - AllowAgentForwarding no - ''; - settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - PermitRootLogin = lib.mkDefault "no"; - AllowUsers = [ - "jump" - ]; - }; - hostKeys = lib.mkIf (!config.swarselmodules.server.ssh) [ - { - path = "/etc/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - ]; - }; - - home-manager.users.jump.config = { - home.stateVersion = lib.mkDefault "23.05"; - programs.ssh = { - enable = true; - enableDefaultConfig = false; - matchBlocks = { - "*" = { - forwardAgent = false; - }; - } // config.repo.secrets.local.ssh.hosts; - }; - }; - }; - } -#+end_src - -**** ssh builder config - -Restricts access to the system by the nix build user as per https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834. - -#+begin_src nix-ts :tangle modules/nixos/server/ssh-builder.nix - { self, pkgs, lib, config, ... 
}: - let - ssh-restrict = "restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" "; - - wrapper-dispatch-ssh-nix = pkgs.writeShellScriptBin "wrapper-dispatch-ssh-nix" '' - case $SSH_ORIGINAL_COMMAND in - "nix-daemon --stdio") - exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-daemon --stdio - ;; - "nix-store --serve --write") - exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-store --serve --write - ;; - ,*) - echo "Access only allowed for using the nix remote builder" 1>&2 - exit - esac - ''; - in - { - options.swarselmodules.server.ssh-builder = lib.mkEnableOption "enable ssh-builder config on server"; - config = lib.mkIf config.swarselmodules.server.ssh-builder { - users = { - groups.builder = { }; - users.builder = { - useDefaultShell = true; - isSystemUser = true; - group = "builder"; - openssh.authorizedKeys.keys = [ - ''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}'' - ]; - }; - }; - - }; - } -#+end_src - **** Network settings :PROPERTIES: :CUSTOM_ID: h:0ff3acc5-9ce8-4b22-a2e2-f6f1e69d47a5 
@@ -8708,41 +8224,29 @@ Generate hostId using =head -c4 /dev/urandom | od -A none -t x4= #+begin_src nix-ts :tangle modules/nixos/server/network.nix { lib, config, ... }: let - netConfig = config.repo.secrets.local.networking; - netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}"; + inherit (config.swarselsystems.server) localNetwork; in { - options = { - swarselmodules.server.network = lib.mkEnableOption "enable server network config"; - swarselsystems.server = { - localNetwork = lib.mkOption { - type = lib.types.str; - default = ""; - }; - netConfigName = lib.mkOption { - type = lib.types.str; - default = netName; - readOnly = true; - }; - }; + options.swarselmodules.server.network = lib.mkEnableOption "enable server network config"; + options.swarselsystems.server.localNetwork = lib.mkOption { + type = lib.types.str; + default = "home"; }; config = lib.mkIf config.swarselmodules.server.network { - swarselsystems.server.localNetwork = netConfig.localNetwork or ""; - - globals.networks.${netName}.hosts.${config.node.name} = { - inherit (netConfig.networks.${netConfig.localNetwork}) id; - mac = netConfig.networks.${netConfig.localNetwork}.mac or null; + globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}".hosts.${config.node.name} = { + inherit (config.repo.secrets.local.networking.networks.${localNetwork}) id; + mac = config.repo.secrets.local.networking.networks.${localNetwork}.mac or null; }; globals.hosts.${config.node.name} = { inherit (config.repo.secrets.local.networking) defaultGateway4; - wanAddress4 = netConfig.wanAddress4 or null; - wanAddress6 = netConfig.wanAddress6 or null; + wanAddress4 = config.repo.secrets.local.networking.wanAddress4 or null; + wanAddress6 = config.repo.secrets.local.networking.wanAddress6 or null; }; networking = { - inherit (netConfig) hostId; + inherit (config.repo.secrets.local.networking) hostId; 
hostName = config.node.name; nftables.enable = lib.mkDefault false; enableIPv6 = lib.mkDefault true; @@ -8787,8 +8291,8 @@ lspci -k -d 14c3:0616 #+begin_src nix-ts :tangle modules/nixos/server/disk-encrypt.nix { self, pkgs, lib, config, globals, minimal, ... }: let - localIp = globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4; - subnetMask = globals.networks.${config.swarselsystems.server.netConfigName}.subnetMask4; + localIp = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4; + subnetMask = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".subnetMask4; gatewayIp = globals.hosts.${config.node.name}.defaultGateway4; hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key"; @@ -8823,7 +8327,7 @@ lspci -k -d 14c3:0616 files = [ hostKeyPathBase ]; }; - boot = lib.mkIf (!config.swarselsystems.isClient) { + boot = lib.mkIf (!config.swarselsystems.isLaptop) { kernelParams = lib.mkIf (!config.swarselsystems.isCloud) [ "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" ]; @@ -8875,20 +8379,6 @@ lspci -k -d 14c3:0616 } #+end_src -**** BTRFS - -#+begin_src nix-ts :tangle modules/nixos/server/btrfs.nix - { lib, config, ... }: - { - options.swarselmodules.btrfs = lib.mkEnableOption "optional btrfs settings"; - config = lib.mkIf config.swarselmodules.btrfs { - boot = { - supportedFilesystems = lib.mkIf config.swarselsystems.isBtrfs [ "btrfs" ]; - }; - }; - } -#+end_src - **** Router :PROPERTIES: :CUSTOM_ID: h:b54f2bbb-0088-46b2-957d-fd8234b772c3 
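Review bot: The network key `"${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}"` is now spelled out twice in the `let` of disk-encrypt.nix and once more in network.nix (the preceding hunk), replacing the read-only `netConfigName` option. A typo in one copy would make the initrd `ip=` parameter read a different network than the one the host registers itself in. Bind it once in this `let`, `netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}";`, and use `globals.networks.${netName}` for both `localIp` and `subnetMask`. The rest of the `let` block lies outside the hunk.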
@@ -8972,7 +8462,7 @@ lspci -k -d 14c3:0616 calibre ]; - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -9045,7 +8535,7 @@ lspci -k -d 14c3:0616 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -9123,7 +8613,7 @@ lspci -k -d 14c3:0616 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -9491,7 +8981,7 @@ lspci -k -d 14c3:0616 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; 
@@ -9840,7 +9330,7 @@ lspci -k -d 14c3:0616 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -9922,7 +9412,7 @@ lspci -k -d 14c3:0616 options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -10013,7 +9503,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; 
@@ -10372,7 +9862,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = { "${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -10571,7 +10061,7 @@ This section exposes several metrics that I use to check the health of my server options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -10820,7 +10310,7 @@ This is a WIP Jenkins instance. It is used to automatically build a new system w options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; 
@@ -10920,7 +10410,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -11037,7 +10527,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; @@ -11204,7 +10694,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; 
@@ -11311,7 +10801,7 @@ To get other URLs (token, etc.), use https:///oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid/ s3:/// 0; - message = "If Garage is enabled, at least one key must be specified in swarselsystems.server.${serviceName}.keys"; + message = "If Garage is enabled, at least one key must be specified in atro.garage.keys"; } { assertion = @@ -13121,7 +12611,7 @@ or 2) use classic path addressing =aws s3 cp s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// s3:/// toolkit.legacyUserProfileCustomizations.styleshe Sets environment variables. Here I am only setting the EDITOR variable, most variables are set in the [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]] section. #+begin_src nix-ts :tangle modules/home/common/env.nix - { lib, config, confLib, globals, ... }: + { lib, config, nixosConfig ? config, ... }: let - inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; - inherit (confLib.getConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name; - inherit (confLib.getConfig.repo.secrets.common) fullName openrouterApi instaDomain sportDomain; + inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; + inherit (nixosConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name; + inherit (nixosConfig.repo.secrets.common) fullName openrouterApi; inherit (config.swarselsystems) isPublic homeDir; DISPLAY = ":0"; 
@@ -15542,12 +14882,6 @@ Sets environment variables. Here I am only setting the EDITOR variable, most var DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private"; FLAKE = "${config.home.homeDirectory}/.dotfiles"; } // lib.optionalAttrs (!isPublic) { - SWARSEL_DOMAIN = globals.domains.main; - SWARSEL_RSS_DOMAIN = globals.services.freshrss.domain; - SWARSEL_MUSIC_DOMAIN = globals.services.navidrome.domain; - SWARSEL_FILES_DOMAIN = globals.services.nextcloud.domain; - SWARSEL_INSTA_DOMAIN = instaDomain; - SWARSEL_SPORT_DOMAIN = sportDomain; SWARSEL_MAIL1 = address1; SWARSEL_MAIL2 = address2; SWARSEL_MAIL3 = address3; @@ -15560,7 +14894,7 @@ Sets environment variables. Here I am only setting the EDITOR variable, most var SWARSEL_CAL3NAME = source3-name; SWARSEL_FULLNAME = fullName; SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses; - GITHUB_NOTIFICATION_TOKEN_PATH = confLib.getConfig.sops.secrets.github-notifications-token.path; + GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path; OPENROUTER_API_KEY = openrouterApi; }; }; @@ -15830,10 +15164,10 @@ Eza provides me with a better =ls= command and some other useful aliases. Here I set up my git config, automatic signing of commits, useful aliases for my ost used commands (for when I am not using [[#h:d2c7323d-f8c6-4f23-b70a-930e3e4ecce5][Magit]]) as well as a git template defined in [[#h:5ef03803-e150-41bc-b603-e80d60d96efc][Linking dotfiles]]. #+begin_src nix-ts :tangle modules/home/common/git.nix - { lib, config, globals, minimal, confLib, ... }: + { lib, config, globals, minimal, nixosConfig ? config, ... }: let - inherit (confLib.getConfig.repo.secrets.common.mail) address1; - inherit (confLib.getConfig.repo.secrets.common) fullName; + inherit (nixosConfig.repo.secrets.common.mail) address1; + inherit (nixosConfig.repo.secrets.common) fullName; gitUser = globals.user.name; in 
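Review bot: The `nixosConfig ? config` default in the new `git.nix` argument list (and likewise in the `env.nix`, `zsh.nix`, `mail.nix` and `sway.nix` hunks) is probably never used: as far as I know the module system fills every formal argument from `specialArgs` or `_module.args` and ignores defaults in the function head. Under the NixOS home-manager module `nixosConfig` is supplied, so the secrets lookups work there. On a standalone home-manager evaluation the argument lookup would fail instead of falling back to `config`. If standalone use is intended, keep an explicit indirection like the removed `confLib.getConfig` (its definition is not visible here); otherwise write plain `nixosConfig` so the signature does not promise a fallback.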
@@ -16117,7 +15451,7 @@ lib.mkMerge [ zshConfigEarlyInit zshConfig ]; Currently I only use it as before with =initExtra= though. #+begin_src nix-ts :tangle modules/home/common/zsh.nix - { config, pkgs, lib, minimal, inputs, globals, confLib, ... }: + { config, pkgs, lib, minimal, inputs, globals, nixosConfig ? config, ... }: let inherit (config.swarselsystems) flakePath isNixos; crocDomain = globals.services.croc.domain; @@ -16246,8 +15580,8 @@ Currently I only use it as before with =initExtra= though. ''; sessionVariables = lib.mkIf (!config.swarselsystems.isPublic) { CROC_RELAY = crocDomain; - CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})"; - GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"; + CROC_PASS = "$(cat ${nixosConfig.sops.secrets.croc-password.path or ""})"; + GITHUB_TOKEN = "$(cat ${nixosConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"; QT_QPA_PLATFORM_PLUGIN_PATH = "${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins"; # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox"; }; @@ -17624,10 +16958,10 @@ Currently I only use it as before with =initExtra= though. Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here. #+begin_src nix-ts :tangle modules/home/common/mail.nix - { lib, config, inputs, globals, confLib, ... }: + { lib, config, inputs, globals, nixosConfig ? config, ... }: let - inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4; - inherit (confLib.getConfig.repo.secrets.common) fullName; + inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4; + inherit (nixosConfig.repo.secrets.common) fullName; inherit (config.swarselsystems) xdgDir; in { 
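Review bot: In the `sessionVariables` hunk, `"$(cat ${nixosConfig.sops.secrets.croc-password.path or ""})"` expands to `$(cat )` when the secret is not defined, and `cat` without an argument reads standard input, which can stall shell start-up; the `GITHUB_TOKEN` line has the same fallback. Use a path that is safe to read, `CROC_PASS = "$(cat ${nixosConfig.sops.secrets.croc-password.path or "/dev/null"})";`, and the same for `GITHUB_TOKEN`. Both values are also exported to every process started from the shell, so reading the file at the call site would keep the tokens out of the environment. The attrset continues outside the hunk.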
@@ -17766,7 +17100,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl address = address4; userName = address4; realName = fullName; - passwordCommand = "cat ${confLib.getConfig.sops.secrets.address4-token.path}"; + passwordCommand = "cat ${nixosConfig.sops.secrets.address4-token.path}"; mu.enable = true; msmtp = { enable = true; @@ -17795,7 +17129,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl address = address1; userName = address1; realName = fullName; - passwordCommand = "cat ${confLib.getConfig.sops.secrets.address1-token.path}"; + passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}"; gpg = { key = "0x76FD3810215AE097"; signByDefault = true; @@ -17809,7 +17143,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl address = address2; userName = address2; realName = address2-name; - passwordCommand = "cat ${confLib.getConfig.sops.secrets.address2-token.path}"; + passwordCommand = "cat ${nixosConfig.sops.secrets.address2-token.path}"; } defaultSettings; @@ -17819,7 +17153,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl address = address3; userName = address3; realName = address3-name; - passwordCommand = "cat ${confLib.getConfig.sops.secrets.address3-token.path}"; + passwordCommand = "cat ${nixosConfig.sops.secrets.address3-token.path}"; } defaultSettings; @@ -18968,7 +18302,7 @@ I am currently using SwayFX, which adds some nice effects to sway, like rounded Currently, I am too lazy to explain every option here, but most of it is very self-explaining in any case. #+begin_src nix-ts :tangle modules/home/common/sway.nix - { config, lib, vars, confLib, ... }: + { config, lib, vars, nixosConfig ? config, ... }: let eachOutput = _: monitor: { inherit (monitor) name; 
@@ -19351,7 +18685,7 @@ Currently, I am too lazy to explain every option here, but most of it is very se export XDG_CURRENT_DESKTOP=sway; export XDG_SESSION_DESKTOP=sway; export _JAVA_AWT_WM_NONREPARENTING=1; - export GITHUB_NOTIFICATION_TOKEN_PATH=${confLib.getConfig.sops.secrets.github-notifications-token.path}; + export GITHUB_NOTIFICATION_TOKEN_PATH=${nixosConfig.sops.secrets.github-notifications-token.path}; '' + vars.waylandExports; # extraConfigEarly = " # exec systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK 
@@ -19398,6 +18732,226 @@ Currently, I am too lazy to explain every option here, but most of it is very se } #+end_src +**** Niri +:PROPERTIES: +:CUSTOM_ID: h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb +:END: + +#+begin_src nix-ts :tangle modules/home/common/niri.nix + { config, pkgs, lib, vars, ... }: + { + options.swarselmodules.niri = lib.mkEnableOption "niri settings"; + config = lib.mkIf config.swarselmodules.niri { + + programs.niri = { + package = pkgs.niri-unstable; # which package to use for niri validation + settings = { + xwayland-satellite = { + enable = true; + path = "${lib.getExe pkgs.xwayland-satellite-unstable}"; + }; + prefer-no-csd = true; + layer-rules = [ + { matches = [{ namespace = "^notifications$"; }]; block-out-from = "screencast"; } + { matches = [{ namespace = "^wallpaper$"; }]; place-within-backdrop = true; } + ]; + window-rules = [ + { + matches = [{ app-id = ".*"; }]; + opacity = 0.95; + default-column-width = { proportion = 0.5; }; + shadow = { + enable = true; + draw-behind-window = true; + }; + geometry-corner-radius = { top-left = 2.0; top-right = 2.0; bottom-left = 2.0; bottom-right = 2.0; }; + } + { matches = [{ app-id = "at.yrlf.wl_mirror"; }]; opacity = 1.0; } + { matches = [{ app-id = "Gimp"; }]; opacity = 1.0; } + { matches = [{ app-id = "firefox"; }]; opacity = 0.99; } + { matches = [{ app-id = "^special.*"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; } + { matches = [{ app-id = "chromium-browser"; }]; opacity = 0.99; } + { matches = [{ app-id = "^qalculate-gtk$"; }]; open-floating = true; } + { matches = [{ app-id = "^blueman$"; }]; open-floating = true; } + { matches = [{ app-id = "^pavucontrol$"; }]; open-floating = true; } + { matches = [{ app-id = "^syncthingtray$"; }]; open-floating = true; } + { matches = [{ app-id = "^Element$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; } + # { matches = [{ app-id = "^Element$"; }]; 
default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; } + { matches = [{ app-id = "^vesktop$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; } + # { matches = [{ app-id = "^vesktop$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; } + { matches = [{ app-id = "^com.nextcloud.desktopclient.nextcloud$"; }]; open-floating = true; } + { matches = [{ title = ".*1Password.*"; }]; excludes = [{ app-id = "^firefox$"; } { app-id = "^emacs$"; } { app-id = "^kitty$"; }]; open-floating = true; block-out-from = "screencast"; } + { matches = [{ title = "(?:Open|Save) (?:File|Folder|As)"; }]; open-floating = true; } + { matches = [{ title = "^Add$"; }]; open-floating = true; } + { matches = [{ title = "^Picture-in-Picture$"; }]; open-floating = true; } + { matches = [{ title = "Syncthing Tray"; }]; open-floating = true; } + { matches = [{ title = "^Emacs Popup Frame$"; }]; open-floating = true; } + { matches = [{ title = "^Emacs Popup Anchor$"; }]; open-floating = true; } + { matches = [{ app-id = "^spotifytui$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; } + { matches = [{ app-id = "^kittyterm$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; } + ]; + environment = { + DISPLAY = ":0"; + } // vars.waylandSessionVariables; + screenshot-path = "~/Pictures/Screenshots/screenshot_%Y-%m-%d-%H%M%S.png"; + input = { + mod-key = "Super"; + keyboard = { + xkb = { + layout = "us"; + variant = "altgr-intl"; + }; + }; + mouse = { + natural-scroll = false; + }; + touchpad = { + enable = true; + tap = true; + tap-button-map = "left-right-middle"; + natural-scroll = true; + scroll-method = "two-finger"; + click-method = "clickfinger"; + disabled-on-external-mouse = true; + drag = true; + drag-lock = false; + dwt = true; + dwtp = true; + }; + }; + cursor = { + 
hide-after-inactive-ms = 2000; + hide-when-typing = true; + }; + layout = { + background-color = "transparent"; + border = { + enable = true; + width = 1; + }; + focus-ring = { + enable = false; + }; + gaps = 5; + }; + binds = with config.lib.niri.actions; let + sh = spawn "sh" "-c"; + in + { + + # "Mod+Super_L" = spawn "killall -SIGUSR1 .waybar-wrapped"; + "Mod+z".action = spawn "killall -SIGUSR1 .waybar-wrapped"; + "Mod+Shift+t".action = toggle-window-rule-opacity; + # "Mod+Escape".action = "mode $exit"; + "Mod+m".action = focus-workspace-previous; + "Mod+Shift+Space".action = toggle-window-floating; + "Mod+Shift+f".action = toggle-windowed-fullscreen; + "Mod+q".action = close-window; + "Mod+f".action = spawn "firefox"; + "Mod+Space".action = spawn "fuzzel"; + "Mod+Shift+c".action = spawn "qalculate-gtk"; + "Mod+Ctrl+p".action = spawn "1password" "--quick-acces"; + "Mod+Shift+Escape".action = spawn "kitty" "-o" "confirm_os_window_close=0" "btm"; + "Mod+h".action = sh ''hyprpicker | wl-copy''; + # "Mod+s".action = spawn "grim" "-g" "\"$(slurp)\"" "-t" "png" "-" "|" "wl-copy" "-t" "image/png"; + # "Mod+s".action = screenshot { show-pointer = false; }; + "Mod+s".action.screenshot = { show-pointer = false; }; + # "Mod+Shift+s".action = spawn "slurp" "|" "grim" "-g" "-" "Pictures/Screenshots/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')"; + # "Mod+Shift+s".action = screenshot-window { write-to-disk = true; }; + "Mod+Shift+s".action.screenshot-window = { write-to-disk = true; }; + # "Mod+Shift+v".action = spawn "wf-recorder" "-g" "'$(slurp -f %o -or)'" "-f" "~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv"; + + "Mod+e".action = sh "emacsclient -nquc -a emacs -e '(dashboard-open)'"; + "Mod+c".action = sh "emacsclient -ce '(org-capture)'"; + "Mod+t".action = sh "emacsclient -ce '(org-agenda)'"; + "Mod+Shift+m".action = sh "emacsclient -ce '(mu4e)'"; + "Mod+Shift+a".action = sh "emacsclient -ce '(swarsel/open-calendar)'"; + + "Mod+a".action = spawn "swarselcheck-niri" 
"-s"; + "Mod+x".action = spawn "swarselcheck-niri" "-k"; + "Mod+d".action = spawn "swarselcheck-niri" "-d"; + "Mod+w".action = spawn "swarselcheck-niri" "-e"; + + "Mod+p".action = spawn "pass-fuzzel"; + "Mod+o".action = spawn "pass-fuzzel" "--otp"; + "Mod+Shift+p".action = spawn "pass-fuzzel" "--type"; + "Mod+Shift+o".action = spawn "pass-fuzzel" "--otp" "--type"; + + "Mod+Left".action = focus-column-or-monitor-left; + "Mod+Right".action = focus-column-or-monitor-right; + "Mod+Down".action = focus-window-or-workspace-down; + "Mod+Up".action = focus-window-or-workspace-up; + "Mod+Shift+Left".action = move-column-left; + "Mod+Shift+Right".action = move-column-right; + "Mod+Shift+Down".action = move-window-down-or-to-workspace-down; + "Mod+Shift+Up".action = move-window-up-or-to-workspace-up; + # "Mod+Ctrl+Shift+c".action = "reload"; + # "Mod+Ctrl+Shift+r".action = "exec swarsel-displaypower"; + # "Mod+Shift+e".action = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' 
-b 'Yes, exit sway' 'swaymsg exit'"; + # "Mod+r".action = "mode resize"; + # "Mod+Return".action = "exec kitty"; + "Mod+Return".action = spawn "swarselzellij"; + "XF86AudioRaiseVolume".action = spawn "swayosd-client" "--output-volume" "raise"; + "XF86AudioLowerVolume".action = spawn "swayosd-client" "--output-volume" "lower"; + "XF86AudioMute".action = spawn "swayosd-client" "--output-volume" "mute-toggle"; + "XF86MonBrightnessUp".action = spawn "swayosd-client" "--brightness raise"; + "XF86MonBrightnessDown".action = spawn "swayosd-client" "--brightness lower"; + "XF86Display".action = spawn "wl-mirror" "eDP-1"; + "Mod+Escape".action = spawn "wlogout"; + "Mod+Equal".action = set-column-width "+10%"; + "Mod+Minus".action = set-column-width "-10%"; + + "Mod+1".action = focus-workspace 1; + "Mod+2".action = focus-workspace 2; + "Mod+3".action = focus-workspace 3; + "Mod+4".action = focus-workspace 4; + "Mod+5".action = focus-workspace 5; + "Mod+6".action = focus-workspace 6; + "Mod+7".action = focus-workspace 7; + "Mod+8".action = focus-workspace 8; + "Mod+9".action = focus-workspace 9; + "Mod+0".action = focus-workspace 0; + + "Mod+Shift+1".action = move-column-to-index 1; + "Mod+Shift+2".action = move-column-to-index 2; + "Mod+Shift+3".action = move-column-to-index 3; + "Mod+Shift+4".action = move-column-to-index 4; + "Mod+Shift+5".action = move-column-to-index 5; + "Mod+Shift+6".action = move-column-to-index 6; + "Mod+Shift+7".action = move-column-to-index 7; + "Mod+Shift+8".action = move-column-to-index 8; + "Mod+Shift+9".action = move-column-to-index 9; + "Mod+Shift+0".action = move-column-to-index 0; + }; + spawn-at-startup = [ + # { command = [ "vesktop" "--start-minimized" "--enable-speech-dispatcher" "--ozone-platform-hint=auto" "--enable-features=WaylandWindowDecorations" "--enable-wayland-ime" ]; } + # { command = [ "element-desktop" "--hidden" "--enable-features=UseOzonePlatform" "--ozone-platform=wayland" "--disable-gpu-driver-bug-workarounds" ]; } + # { 
command = [ "anki" ]; } + # { command = [ "obsidian" ]; } + # { command = [ "nm-applet" ]; } + { command = [ "niri" "msg" "action" "focus-workspace" "2" ]; } + ]; + workspaces = { + # "01-Main" = { + # name = "Scratchpad"; + # }; + "99-Scratchpad" = { + name = ""; + }; + }; + }; + }; + + } // { + programs.niri = lib.mkIf (!config.swarselmodules.niri) { + package = null; + config = null; + settings = null; + }; + }; + } +#+end_src + **** Kanshi :PROPERTIES: :CUSTOM_ID: h:eb94df98-2bcd-4555-9f88-e252f93b924f @@ -19589,9 +19143,9 @@ When setting up a new machine: This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways. #+begin_src nix-ts :tangle modules/home/common/gammastep.nix - { lib, config, confLib, ... }: + { lib, config, nixosConfig ? config, ... }: let - inherit (confLib.getConfig.repo.secrets.common.location) latitude longitude; + inherit (nixosConfig.repo.secrets.common.location) latitude longitude; in { options.swarselmodules.gammastep = lib.mkEnableOption "gammastep settings"; @@ -19643,10 +19197,10 @@ This service changes the screen hue at night. I am not sure if that really does :END: #+begin_src nix-ts :tangle modules/home/common/obsidian.nix - { lib, config, pkgs, confLib, ... }: + { lib, config, pkgs, nixosConfig ? config, ... }: let moduleName = "obsidian"; - inherit (confLib.getConfig.repo.secrets.common.obsidian) userIgnoreFilters; + inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters; name = "Main"; in { @@ -19805,7 +19359,7 @@ This service changes the screen hue at night. I am not sure if that really does #+begin_src nix-ts :tangle modules/home/common/anki.nix - { lib, config, pkgs, globals, inputs, confLib, ... }: + { lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }: let moduleName = "anki"; inherit (config.swarselsystems) isPublic isNixos; 
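Review bot: Several bindings in the new `binds` set hand `spawn` a whole command line as one string, and niri's `spawn` runs its first argument as the program without a shell, so the `Mod+z` `killall` binding and the two `swayosd-client` `"--brightness raise"`/`"--brightness lower"` bindings most likely never run as intended; `"--quick-acces"` on `Mod+Ctrl+p` also looks like a typo for `--quick-access`. The window rule for `.*1Password.*` uses `block-out-from = "screencast"`, which leaves ordinary screenshots uncovered; `"screen-capture"` covers both if hiding the password manager from all captures is the intent. Separately, `config = lib.mkIf … { … } // { programs.niri = … }` parses as `(lib.mkIf … { … }) // { … }`, so the trailing `programs.niri` override lands on the mkIf wrapper and is presumably ignored; the work.nix hunk further down parenthesises the same pattern. These lines are carried over unchanged from the removed optional/niri.nix, so the move is a good moment to fix them.

```nix
# … unchanged: earlier binds …
"Mod+z".action = spawn "killall" "-SIGUSR1" ".waybar-wrapped";
"Mod+Ctrl+p".action = spawn "1password" "--quick-access";
# … unchanged: binds between Mod+Ctrl+p and the brightness keys …
"XF86MonBrightnessUp".action = spawn "swayosd-client" "--brightness" "raise";
"XF86MonBrightnessDown".action = spawn "swayosd-client" "--brightness" "lower";
```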
@@ -19830,11 +19384,11 @@ This service changes the screen hue at night. I am not sure if that really does syncMedia = true; autoSyncMediaMinutes = 5; url = "https://${globals.services.ankisync.domain}"; - usernameFile = confLib.getConfig.sops.secrets.anki-user.path; + usernameFile = nixosConfig.sops.secrets.anki-user.path; # this is not the password but the syncKey # get it by logging in or out, saving preferences and then # show details on the "settings wont be saved" dialog - keyFile = confLib.getConfig.sops.secrets.anki-pw.path; + keyFile = nixosConfig.sops.secrets.anki-pw.path; }; addons = let @@ -19880,7 +19434,7 @@ This service changes the screen hue at night. I am not sure if that really does #+begin_src nix-ts :tangle modules/home/common/element.nix - { lib, config, globals, ... }: + { lib, config, ... }: let moduleName = "element-desktop"; in @@ -19892,7 +19446,7 @@ This service changes the screen hue at night. I am not sure if that really does settings = { default_server_config = { "m.homeserver" = { - base_url = "https://${globals.services.matrix.domain}/"; + base_url = "https://swatrix.swarsel.win/"; }; }; UIFeature = { @@ -19918,10 +19472,10 @@ This service changes the screen hue at night. I am not sure if that really does #+begin_src nix-ts :tangle modules/home/common/hexchat.nix - { lib, config, confLib, ... }: + { lib, config, nixosConfig ? config, ... }: let moduleName = "hexchat"; - inherit (confLib.getConfig.repo.secrets.common.irc) irc_nick1; + inherit (nixosConfig.repo.secrets.common.irc) irc_nick1; in { options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings"; @@ -20200,7 +19754,7 @@ This service changes the screen hue at night. I am not sure if that really does :END: #+begin_src nix-ts :tangle modules/home/common/opkssh.nix - { lib, config, globals, ... }: + { lib, config, ... }: let moduleName = "opkssh"; in 
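Review bot: Replacing `globals.services.matrix.domain` with the literal `https://swatrix.swarsel.win/` in the element `base_url` hunk, and `globals.services.kanidm.domain` with `https://sso.swarsel.win/oauth2/openid/opkssh` in the opkssh `issuer` hunk that follows, gives these clients a second copy of the hostname that the server-side definition no longer controls. For the OIDC issuer in particular the string has to match what the provider advertises, so a later domain change would break login or leave the client pointed at a stale host without any evaluation error. If the `globals` argument had to be dropped from these modules, define the two URLs once in a shared binding or option and mark the literals with a comment such as `# must stay equal to globals.services.kanidm.domain; the issuer is matched exactly`.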
@@ -20215,7 +19769,7 @@ This service changes the screen hue at night. I am not sure if that really does providers = [ { alias = "kanidm"; - issuer = "https://${globals.services.kanidm.domain}/oauth2/openid/opkssh"; + issuer = "https://sso.swarsel.win/oauth2/openid/opkssh"; client_id = "opkssh"; scopes = "openid email profile"; redirect_uris = [ 
@@ -20326,230 +19880,6 @@ Akin to the [[#h:f9aa9af0-9b8d-43ff-901d-9ffccdd70589][Optional]] NixOS modules. } #+end_src -**** Niri -:PROPERTIES: -:CUSTOM_ID: h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb -:END: - -#+begin_src nix-ts :tangle modules/home/optional/niri.nix - { inputs, config, pkgs, lib, vars, ... }: - { - imports = [ - inputs.niri-flake.homeModules.niri - ]; - options.swarselmodules.niri = lib.mkEnableOption "niri settings"; - config = lib.mkIf config.swarselmodules.niri - { - - programs.niri = { - package = pkgs.niri-unstable; # which package to use for niri validation - settings = { - xwayland-satellite = { - enable = true; - path = "${lib.getExe pkgs.xwayland-satellite-unstable}"; - }; - prefer-no-csd = true; - layer-rules = [ - { matches = [{ namespace = "^notifications$"; }]; block-out-from = "screencast"; } - { matches = [{ namespace = "^wallpaper$"; }]; place-within-backdrop = true; } - ]; - window-rules = [ - { - matches = [{ app-id = ".*"; }]; - opacity = 0.95; - default-column-width = { proportion = 0.5; }; - shadow = { - enable = true; - draw-behind-window = true; - }; - geometry-corner-radius = { top-left = 2.0; top-right = 2.0; bottom-left = 2.0; bottom-right = 2.0; }; - } - { matches = [{ app-id = "at.yrlf.wl_mirror"; }]; opacity = 1.0; } - { matches = [{ app-id = "Gimp"; }]; opacity = 1.0; } - { matches = [{ app-id = "firefox"; }]; opacity = 0.99; } - { matches = [{ app-id = "^special.*"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; } - { matches = [{ app-id = "chromium-browser"; }]; opacity = 0.99; } - { matches = [{ app-id = "^qalculate-gtk$"; }]; open-floating = true; } - { matches = [{ app-id = "^blueman$"; }]; open-floating = true; } - { matches = [{ app-id = "^pavucontrol$"; }]; open-floating = true; } - { matches = [{ app-id = "^syncthingtray$"; }]; open-floating = true; } - { matches = [{ app-id = "^Element$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = 
"screencast"; } - # { matches = [{ app-id = "^Element$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; } - { matches = [{ app-id = "^vesktop$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screencast"; } - # { matches = [{ app-id = "^vesktop$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; } - { matches = [{ app-id = "^com.nextcloud.desktopclient.nextcloud$"; }]; open-floating = true; } - { matches = [{ title = ".*1Password.*"; }]; excludes = [{ app-id = "^firefox$"; } { app-id = "^emacs$"; } { app-id = "^kitty$"; }]; open-floating = true; block-out-from = "screencast"; } - { matches = [{ title = "(?:Open|Save) (?:File|Folder|As)"; }]; open-floating = true; } - { matches = [{ title = "^Add$"; }]; open-floating = true; } - { matches = [{ title = "^Picture-in-Picture$"; }]; open-floating = true; } - { matches = [{ title = "Syncthing Tray"; }]; open-floating = true; } - { matches = [{ title = "^Emacs Popup Frame$"; }]; open-floating = true; } - { matches = [{ title = "^Emacs Popup Anchor$"; }]; open-floating = true; } - { matches = [{ app-id = "^spotifytui$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; } - { matches = [{ app-id = "^kittyterm$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; } - ]; - environment = { - DISPLAY = ":0"; - } // vars.waylandSessionVariables; - screenshot-path = "~/Pictures/Screenshots/screenshot_%Y-%m-%d-%H%M%S.png"; - input = { - mod-key = "Super"; - keyboard = { - xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - }; - mouse = { - natural-scroll = false; - }; - touchpad = { - enable = true; - tap = true; - tap-button-map = "left-right-middle"; - natural-scroll = true; - scroll-method = "two-finger"; - click-method = "clickfinger"; - disabled-on-external-mouse = true; - drag = true; - drag-lock = 
false; - dwt = true; - dwtp = true; - }; - }; - cursor = { - hide-after-inactive-ms = 2000; - hide-when-typing = true; - }; - layout = { - background-color = "transparent"; - border = { - enable = true; - width = 1; - }; - focus-ring = { - enable = false; - }; - gaps = 5; - }; - binds = with config.lib.niri.actions; let - sh = spawn "sh" "-c"; - in - { - - # "Mod+Super_L" = spawn "killall -SIGUSR1 .waybar-wrapped"; - "Mod+z".action = spawn "killall -SIGUSR1 .waybar-wrapped"; - "Mod+Shift+t".action = toggle-window-rule-opacity; - # "Mod+Escape".action = "mode $exit"; - "Mod+m".action = focus-workspace-previous; - "Mod+Shift+Space".action = toggle-window-floating; - "Mod+Shift+f".action = toggle-windowed-fullscreen; - "Mod+q".action = close-window; - "Mod+f".action = spawn "firefox"; - "Mod+Space".action = spawn "fuzzel"; - "Mod+Shift+c".action = spawn "qalculate-gtk"; - "Mod+Ctrl+p".action = spawn "1password" "--quick-acces"; - "Mod+Shift+Escape".action = spawn "kitty" "-o" "confirm_os_window_close=0" "btm"; - "Mod+h".action = sh ''hyprpicker | wl-copy''; - # "Mod+s".action = spawn "grim" "-g" "\"$(slurp)\"" "-t" "png" "-" "|" "wl-copy" "-t" "image/png"; - # "Mod+s".action = screenshot { show-pointer = false; }; - "Mod+s".action.screenshot = { show-pointer = false; }; - # "Mod+Shift+s".action = spawn "slurp" "|" "grim" "-g" "-" "Pictures/Screenshots/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')"; - # "Mod+Shift+s".action = screenshot-window { write-to-disk = true; }; - "Mod+Shift+s".action.screenshot-window = { write-to-disk = true; }; - # "Mod+Shift+v".action = spawn "wf-recorder" "-g" "'$(slurp -f %o -or)'" "-f" "~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv"; - - "Mod+e".action = sh "emacsclient -nquc -a emacs -e '(dashboard-open)'"; - "Mod+c".action = sh "emacsclient -ce '(org-capture)'"; - "Mod+t".action = sh "emacsclient -ce '(org-agenda)'"; - "Mod+Shift+m".action = sh "emacsclient -ce '(mu4e)'"; - "Mod+Shift+a".action = sh "emacsclient -ce 
'(swarsel/open-calendar)'"; - - "Mod+a".action = spawn "swarselcheck-niri" "-s"; - "Mod+x".action = spawn "swarselcheck-niri" "-k"; - "Mod+d".action = spawn "swarselcheck-niri" "-d"; - "Mod+w".action = spawn "swarselcheck-niri" "-e"; - - "Mod+p".action = spawn "pass-fuzzel"; - "Mod+o".action = spawn "pass-fuzzel" "--otp"; - "Mod+Shift+p".action = spawn "pass-fuzzel" "--type"; - "Mod+Shift+o".action = spawn "pass-fuzzel" "--otp" "--type"; - - "Mod+Left".action = focus-column-or-monitor-left; - "Mod+Right".action = focus-column-or-monitor-right; - "Mod+Down".action = focus-window-or-workspace-down; - "Mod+Up".action = focus-window-or-workspace-up; - "Mod+Shift+Left".action = move-column-left; - "Mod+Shift+Right".action = move-column-right; - "Mod+Shift+Down".action = move-window-down-or-to-workspace-down; - "Mod+Shift+Up".action = move-window-up-or-to-workspace-up; - # "Mod+Ctrl+Shift+c".action = "reload"; - # "Mod+Ctrl+Shift+r".action = "exec swarsel-displaypower"; - # "Mod+Shift+e".action = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' 
-b 'Yes, exit sway' 'swaymsg exit'"; - # "Mod+r".action = "mode resize"; - # "Mod+Return".action = "exec kitty"; - "Mod+Return".action = spawn "swarselzellij"; - "XF86AudioRaiseVolume".action = spawn "swayosd-client" "--output-volume" "raise"; - "XF86AudioLowerVolume".action = spawn "swayosd-client" "--output-volume" "lower"; - "XF86AudioMute".action = spawn "swayosd-client" "--output-volume" "mute-toggle"; - "XF86MonBrightnessUp".action = spawn "swayosd-client" "--brightness raise"; - "XF86MonBrightnessDown".action = spawn "swayosd-client" "--brightness lower"; - "XF86Display".action = spawn "wl-mirror" "eDP-1"; - "Mod+Escape".action = spawn "wlogout"; - "Mod+Equal".action = set-column-width "+10%"; - "Mod+Minus".action = set-column-width "-10%"; - - "Mod+1".action = focus-workspace 1; - "Mod+2".action = focus-workspace 2; - "Mod+3".action = focus-workspace 3; - "Mod+4".action = focus-workspace 4; - "Mod+5".action = focus-workspace 5; - "Mod+6".action = focus-workspace 6; - "Mod+7".action = focus-workspace 7; - "Mod+8".action = focus-workspace 8; - "Mod+9".action = focus-workspace 9; - "Mod+0".action = focus-workspace 0; - - "Mod+Shift+1".action = move-column-to-index 1; - "Mod+Shift+2".action = move-column-to-index 2; - "Mod+Shift+3".action = move-column-to-index 3; - "Mod+Shift+4".action = move-column-to-index 4; - "Mod+Shift+5".action = move-column-to-index 5; - "Mod+Shift+6".action = move-column-to-index 6; - "Mod+Shift+7".action = move-column-to-index 7; - "Mod+Shift+8".action = move-column-to-index 8; - "Mod+Shift+9".action = move-column-to-index 9; - "Mod+Shift+0".action = move-column-to-index 0; - }; - spawn-at-startup = [ - # { command = [ "vesktop" "--start-minimized" "--enable-speech-dispatcher" "--ozone-platform-hint=auto" "--enable-features=WaylandWindowDecorations" "--enable-wayland-ime" ]; } - # { command = [ "element-desktop" "--hidden" "--enable-features=UseOzonePlatform" "--ozone-platform=wayland" "--disable-gpu-driver-bug-workarounds" ]; } - # { 
command = [ "anki" ]; } - # { command = [ "obsidian" ]; } - # { command = [ "nm-applet" ]; } - { command = [ "niri" "msg" "action" "focus-workspace" "2" ]; } - ]; - workspaces = { - # "01-Main" = { - # name = "Scratchpad"; - # }; - "99-Scratchpad" = { - name = ""; - }; - }; - }; - }; - - } // { - programs.niri = lib.mkIf (!config.swarselmodules.niri) { - package = null; - config = null; - settings = null; - }; - }; - } -#+end_src - **** Gaming :PROPERTIES: :CUSTOM_ID: h:84fd7029-ecb6-4131-9333-289982f24ffa @@ -20558,12 +19888,13 @@ Akin to the [[#h:f9aa9af0-9b8d-43ff-901d-9ffccdd70589][Optional]] NixOS modules. The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming]]. #+begin_src nix-ts :tangle modules/home/optional/gaming.nix - { config, pkgs, confLib, ... }: + { lib, config, pkgs, nixosConfig ? config, ... }: let inherit (config.swarselsystems) isNixos; in { - config = { + options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings"; + config = lib.mkIf config.swarselmodules.optional.gaming { # specialisation = { # gaming.configuration = { home.packages = with pkgs; [ @@ -20603,7 +19934,7 @@ The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming gamescope umu-launcher ]; - steamPackage = if isNixos then confLib.getConfig.programs.steam.package else pkgs.steam; + steamPackage = if isNixos then nixosConfig.programs.steam.package else pkgs.steam; winePackages = with pkgs; [ wineWow64Packages.waylandFull ]; 
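Review bot: The gaming module changes from an unconditional `config = {` to `lib.mkIf config.swarselmodules.optional.gaming`, and `lib.mkEnableOption` defaults to false, so a host that only imports this file now silently loses these packages until it sets the new option; no hunk visible here enables it. The work.nix hunk that follows makes the same switch from `lib.swarselsystems.mkTrueOption` (presumably default-true) to `mkEnableOption`, which there also gates `AWS_CA_BUNDLE` and the work mail account. A short comment on the option would make the new default explicit, e.g. `# off by default: set swarselmodules.optional.gaming = true on hosts that previously relied on importing this module`. The module body continues outside this hunk.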
@@ -20634,428 +19965,398 @@ When setting up a new machine: #+end_src #+begin_src nix-ts :tangle modules/home/optional/work.nix :noweb yes - { self, inputs, config, pkgs, lib, vars, confLib, ... }: + { self, inputs, config, pkgs, lib, vars, nixosConfig ? config, ... }: let inherit (config.swarselsystems) homeDir mainUser; - inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses; - inherit (confLib.getConfig.repo.secrets.local.work) mailAddress; + inherit (nixosConfig.repo.secrets.local.mail) allMailAddresses; + inherit (nixosConfig.repo.secrets.local.work) mailAddress; certsSopsFile = self + /secrets/certs/secrets.yaml; in { - options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption; - config = { - home = { - packages = with pkgs; [ - stable.teams-for-linux - shellcheck - dig - docker - postman - # rclone - libguestfs-with-appliance - prometheus.cli - tigervnc - # openstackclient + options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings"; + config = lib.mkIf config.swarselmodules.optional.work + ({ + home = { + packages = with pkgs; [ + stable.teams-for-linux + shellcheck + dig + docker + postman + # rclone + libguestfs-with-appliance + prometheus.cli + tigervnc + # openstackclient - vscode - dev.antigravity + vscode + dev.antigravity - rustdesk-vbc - ]; - sessionVariables = { - AWS_CA_BUNDLE = confLib.getConfig.sops.secrets.harica-root-ca.path; - }; - }; - systemd.user.sessionVariables = { - DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; - } // lib.optionalAttrs (!config.swarselsystems.isPublic) { - SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses; - SWARSEL_MAIL_WORK = lib.mkForce mailAddress; - }; - - accounts.email.accounts.work = - let - inherit (confLib.getConfig.repo.secrets.local.work) mailName; - in - { - primary = false; - address = mailAddress; - userName = mailAddress; - realName = mailName; - passwordCommand = "pizauth show work"; - imap = { - host = "outlook.office365.com"; - port = 
993; - tls.enable = true; # SSL/TLS - }; - smtp = { - host = "outlook.office365.com"; - port = 587; - tls = { - enable = true; # SSL/TLS - useStartTls = true; - }; - }; - thunderbird = { - enable = true; - profiles = [ "default" ]; - settings = id: { - "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth - "mail.server.server_${id}.authMethod" = 10; # oauth - # "toolkit.telemetry.enabled" = false; - # "toolkit.telemetry.rejected" = true; - # "toolkit.telemetry.prompted" = 2; - }; - }; - msmtp = { - enable = true; - extraConfig = { - auth = "xoauth2"; - host = "outlook.office365.com"; - protocol = "smtp"; - port = "587"; - tls = "on"; - tls_starttls = "on"; - from = "${mailAddress}"; - user = "${mailAddress}"; - passwordeval = "pizauth show work"; - }; - }; - mu.enable = true; - mbsync = { - enable = true; - expunge = "both"; - patterns = [ "INBOX" ]; - extraConfig = { - account = { - AuthMechs = "XOAUTH2"; - }; - }; - }; - }; - - # wayland.windowManager.sway.config = { - # output = { - # "Applied Creative Technology Transmitter QUATTRO201811" = { - # bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; - # }; - # "Hewlett Packard HP Z24i CN44250RDT" = { - # bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; - # }; - # "HP Inc. 
HP 732pk CNC4080YL5" = { - # bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; - # }; - # }; - # }; - - wayland.windowManager.sway = - let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress; - in - { - config = { - keybindings = - let - inherit (config.wayland.windowManager.sway.config) modifier; - in - { - "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}"; - "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}"; - }; - }; - }; - - stylix = { - targets.firefox.profileNames = - let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3; - in - [ - "${user1}" - "${user2}" - "${user3}" - "work" + rustdesk-vbc ]; - }; - - programs = - let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; - in - { - openstackclient = { - enable = true; - inherit clouds; - }; - awscli = { - enable = true; - package = pkgs.stable24_05.awscli2; - # settings = { - # "default" = { }; - # "profile s3-imagebuilder-prod" = { }; - # }; - # credentials = { - # "s3-imagebuilder-prod" = { - # aws_access_key_id = "5OYXY4879EJG9I91K1B6"; - # credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key"; - # }; - # }; - }; - git.settings.user.email = lib.mkForce gitMail; - - zsh = { - shellAliases = { - dssh = "ssh -l ${user1Long}"; - cssh = "ssh -l ${user2Long}"; - wssh = "ssh -l ${user3Long}"; - }; - cdpath = [ - "~/Documents/Work" - ]; - dirHashes = { - d = "$HOME/.dotfiles"; - w = "$HOME/Documents/Work"; - s = "$HOME/.dotfiles/secrets"; - pr = "$HOME/Documents/Private"; - ac = path1; - }; - - sessionVariables = { - VSPHERE_USER = "$(cat ${confLib.getConfig.sops.secrets.vcuser.path})"; - VSPHERE_PW = "$(cat 
${confLib.getConfig.sops.secrets.vcpw.path})"; - GOVC_USERNAME = "$(cat ${confLib.getConfig.sops.secrets.govcuser.path})"; - GOVC_PASSWORD = "$(cat ${confLib.getConfig.sops.secrets.govcpw.path})"; - GOVC_URL = "$(cat ${confLib.getConfig.sops.secrets.govcurl.path})"; - GOVC_DATACENTER = "$(cat ${confLib.getConfig.sops.secrets.govcdc.path})"; - GOVC_DATASTORE = "$(cat ${confLib.getConfig.sops.secrets.govcds.path})"; - GOVC_HOST = "$(cat ${confLib.getConfig.sops.secrets.govchost.path})"; - GOVC_RESOURCE_POOL = "$(cat ${confLib.getConfig.sops.secrets.govcpool.path})"; - GOVC_NETWORK = "$(cat ${confLib.getConfig.sops.secrets.govcnetwork.path})"; - }; - }; - - ssh = { - matchBlocks = { - "${loc1}" = { - hostname = "${loc1}.${domain2}"; - user = user4; - }; - "${loc1}.stg" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.staging" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.dev" = { - hostname = "${loc1}.${lifecycle2}.${domain2}"; - user = user4; - }; - "${loc2}" = { - hostname = "${loc2}.${domain1}"; - user = user1Long; - }; - "${loc2}.stg" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "${loc2}.staging" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "*.${domain1}" = { - user = user1Long; - }; - }; - }; - - firefox = { - profiles = - let - isDefault = false; - in - { - "${user1}" = lib.recursiveUpdate - { - inherit isDefault; - id = 1; - settings = { - "browser.startup.homepage" = "${site1}|${site2}"; - }; - } - vars.firefox; - "${user2}" = lib.recursiveUpdate - { - inherit isDefault; - id = 2; - settings = { - "browser.startup.homepage" = "${site3}"; - }; - } - vars.firefox; - "${user3}" = lib.recursiveUpdate - { - inherit isDefault; - id = 3; - } - vars.firefox; - work = lib.recursiveUpdate - { - inherit isDefault; - id = 4; - settings = { - "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; - }; - } - 
vars.firefox; - }; - }; - - chromium = { - enable = true; - package = pkgs.chromium; - - extensions = [ - # 1password - "gejiddohjgogedgjnonbofjigllpkmbf" - # dark reader - "eimadpbcbfnmbkopoojfekhnkhdbieeh" - # ublock origin - "cjpalhdlnbpafiamejdnhcphjbkeiagm" - # i still dont care about cookies - "edibdbjcniadpccecjdfdjjppcpchdlm" - # browserpass - "naepdomgkenhinolocfifgehidddafch" - ]; + sessionVariables = { + AWS_CA_BUNDLE = nixosConfig.sops.secrets.harica-root-ca.path; }; }; + systemd.user.sessionVariables = { + DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; + } // lib.optionalAttrs (!config.swarselsystems.isPublic) { + SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses; + SWARSEL_MAIL_WORK = lib.mkForce mailAddress; + }; - services = { - kanshi = { - settings = [ - { - # seminary room - output = { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; + accounts.email.accounts.work = + let + inherit (nixosConfig.repo.secrets.local.work) mailName; + in + { + primary = false; + address = mailAddress; + userName = mailAddress; + realName = mailName; + passwordCommand = "pizauth show work"; + imap = { + host = "outlook.office365.com"; + port = 993; + tls.enable = true; # SSL/TLS + }; + smtp = { + host = "outlook.office365.com"; + port = 587; + tls = { + enable = true; # SSL/TLS + useStartTls = true; }; - } - { - # work main screen - output = { - criteria = "HP Inc. 
HP 732pk CNC4080YL5"; - scale = 1.0; - mode = "3840x2160"; + }; + thunderbird = { + enable = true; + profiles = [ "default" ]; + settings = id: { + "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth + "mail.server.server_${id}.authMethod" = 10; # oauth + # "toolkit.telemetry.enabled" = false; + # "toolkit.telemetry.rejected" = true; + # "toolkit.telemetry.prompted" = 2; }; - } - { - # work side screen - output = { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "270"; + }; + msmtp = { + enable = true; + extraConfig = { + auth = "xoauth2"; + host = "outlook.office365.com"; + protocol = "smtp"; + port = "587"; + tls = "on"; + tls_starttls = "on"; + from = "${mailAddress}"; + user = "${mailAddress}"; + passwordeval = "pizauth show work"; }; - } - { - profile = { - name = "lidopen"; - exec = [ - "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" - ]; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "enable"; - scale = 1.5; - position = "1462,0"; - } - { - criteria = "HP Inc. 
HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "90"; - position = "-2480,0"; - } - ]; + }; + mu.enable = true; + mbsync = { + enable = true; + expunge = "both"; + patterns = [ "INBOX" ]; + extraConfig = { + account = { + AuthMechs = "XOAUTH2"; + }; }; - } - { - profile = + }; + }; + + # wayland.windowManager.sway.config = { + # output = { + # "Applied Creative Technology Transmitter QUATTRO201811" = { + # bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; + # }; + # "Hewlett Packard HP Z24i CN44250RDT" = { + # bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; + # }; + # "HP Inc. HP 732pk CNC4080YL5" = { + # bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; + # }; + # }; + # }; + + wayland.windowManager.sway = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress; + in + { + config = { + keybindings = let - monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + inherit (config.wayland.windowManager.sway.config) modifier; in { + "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}"; + "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}"; + }; + }; + }; + + stylix = { + targets.firefox.profileNames = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; + in + [ + "${user1}" + "${user2}" + "${user3}" + "work" + ]; + }; + + programs = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; + in + { + openstackclient = { + enable = true; + inherit clouds; + }; + awscli = { + enable = true; + package = pkgs.stable24_05.awscli2; + # 
settings = { + # "default" = { }; + # "profile s3-imagebuilder-prod" = { }; + # }; + # credentials = { + # "s3-imagebuilder-prod" = { + # aws_access_key_id = "5OYXY4879EJG9I91K1B6"; + # credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key"; + # }; + # }; + }; + git.settings.user.email = lib.mkForce gitMail; + + zsh = { + shellAliases = { + dssh = "ssh -l ${user1Long}"; + cssh = "ssh -l ${user2Long}"; + wssh = "ssh -l ${user3Long}"; + }; + cdpath = [ + "~/Documents/Work" + ]; + dirHashes = { + d = "$HOME/.dotfiles"; + w = "$HOME/Documents/Work"; + s = "$HOME/.dotfiles/secrets"; + pr = "$HOME/Documents/Private"; + ac = path1; + }; + + sessionVariables = { + VSPHERE_USER = "$(cat ${nixosConfig.sops.secrets.vcuser.path})"; + VSPHERE_PW = "$(cat ${nixosConfig.sops.secrets.vcpw.path})"; + GOVC_USERNAME = "$(cat ${nixosConfig.sops.secrets.govcuser.path})"; + GOVC_PASSWORD = "$(cat ${nixosConfig.sops.secrets.govcpw.path})"; + GOVC_URL = "$(cat ${nixosConfig.sops.secrets.govcurl.path})"; + GOVC_DATACENTER = "$(cat ${nixosConfig.sops.secrets.govcdc.path})"; + GOVC_DATASTORE = "$(cat ${nixosConfig.sops.secrets.govcds.path})"; + GOVC_HOST = "$(cat ${nixosConfig.sops.secrets.govchost.path})"; + GOVC_RESOURCE_POOL = "$(cat ${nixosConfig.sops.secrets.govcpool.path})"; + GOVC_NETWORK = "$(cat ${nixosConfig.sops.secrets.govcnetwork.path})"; + }; + }; + + ssh = { + matchBlocks = { + "${loc1}" = { + hostname = "${loc1}.${domain2}"; + user = user4; + }; + "${loc1}.stg" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.staging" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.dev" = { + hostname = "${loc1}.${lifecycle2}.${domain2}"; + user = user4; + }; + "${loc2}" = { + hostname = "${loc2}.${domain1}"; + user = user1Long; + }; + "${loc2}.stg" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "${loc2}.staging" = { + hostname = 
"${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "*.${domain1}" = { + user = user1Long; + }; + }; + }; + + firefox = { + profiles = + let + isDefault = false; + in + { + "${user1}" = lib.recursiveUpdate + { + inherit isDefault; + id = 1; + settings = { + "browser.startup.homepage" = "${site1}|${site2}"; + }; + } + vars.firefox; + "${user2}" = lib.recursiveUpdate + { + inherit isDefault; + id = 2; + settings = { + "browser.startup.homepage" = "${site3}"; + }; + } + vars.firefox; + "${user3}" = lib.recursiveUpdate + { + inherit isDefault; + id = 3; + } + vars.firefox; + work = lib.recursiveUpdate + { + inherit isDefault; + id = 4; + settings = { + "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; + }; + } + vars.firefox; + }; + }; + + chromium = { + enable = true; + package = pkgs.chromium; + + extensions = [ + # 1password + "gejiddohjgogedgjnonbofjigllpkmbf" + # dark reader + "eimadpbcbfnmbkopoojfekhnkhdbieeh" + # ublock origin + "cjpalhdlnbpafiamejdnhcphjbkeiagm" + # i still dont care about cookies + "edibdbjcniadpccecjdfdjjppcpchdlm" + # browserpass + "naepdomgkenhinolocfifgehidddafch" + ]; + }; + }; + + services = { + kanshi = { + settings = [ + { + # seminary room + output = { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + }; + } + { + # work main screen + output = { + criteria = "HP Inc. 
HP 732pk CNC4080YL5"; + scale = 1.0; + mode = "3840x2160"; + }; + } + { + # work side screen + output = { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + }; + } + { + profile = { name = "lidopen"; exec = [ "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'" + "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" ]; outputs = [ { criteria = config.swarselsystems.sharescreen; status = "enable"; - scale = 1.7; - position = "2560,0"; + scale = 1.5; + position = "1462,0"; } { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; + mode = "1920x1200"; + transform = "90"; + position = "-2480,0"; } ]; }; - } - { - profile = { - name = "lidclosed"; - exec = [ - "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. 
HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" - ]; - outputs = [ + } + { + profile = + let + monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + in { - criteria = config.swarselsystems.sharescreen; - status = "disable"; - } - { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "270"; - position = "-2480,0"; - } - ]; - }; - } - { - profile = - let - monitor = "Applied Creative Technology Transmitter QUATTRO201811"; - in - { + name = "lidopen"; + exec = [ + "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'" + ]; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "enable"; + scale = 1.7; + position = "2560,0"; + } + { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + position = "10000,10000"; + } + ]; + }; + } + { + profile = { name = "lidclosed"; exec = [ - "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. 
HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" ]; outputs = [ { 
@@ -21063,241 +20364,272 @@ When setting up a new machine: status = "disable"; } { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; + mode = "1920x1200"; + transform = "270"; + position = "-2480,0"; } ]; }; - } - ]; - }; - }; - - systemd.user.services = { - pizauth.Service = { - ExecStartPost = [ - "${pkgs.toybox}/bin/sleep 1" - "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'" - ]; - }; - - teams-applet = { - Unit = { - Description = "teams applet"; - Requires = [ "tray.target" ]; - After = [ - "graphical-session.target" - "tray.target" + } + { + profile = + let + monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + in + { + name = "lidclosed"; + exec = [ + "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" + ]; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "disable"; + } + { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + position = "10000,10000"; + } + ]; + }; + } ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }; }; - onepassword-applet = { - Unit = { - Description = "1password applet"; - Requires = [ "tray.target" ]; - After = [ - "graphical-session.target" - "tray.target" + systemd.user.services = { + pizauth.Service = { + ExecStartPost = [ + "${pkgs.toybox}/bin/sleep 1" + "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'" ]; - PartOf = [ "graphical-session.target" 
]; }; - Install = { - WantedBy = [ "graphical-session.target" ]; - }; + teams-applet = { + Unit = { + Description = "teams applet"; + Requires = [ "tray.target" ]; + After = [ + "graphical-session.target" + "tray.target" + ]; + PartOf = [ "graphical-session.target" ]; + }; - Service = { - ExecStart = "${pkgs._1password-gui}/bin/1password"; - }; - }; + Install = { + WantedBy = [ "graphical-session.target" ]; + }; - }; - - services.pizauth = { - enable = true; - extraConfig = '' - auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; - error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; - token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"; - ''; - accounts = { - work = { - authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; - clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; - clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; - scopes = [ - "https://outlook.office365.com/IMAP.AccessAsUser.All" - "https://outlook.office365.com/SMTP.Send" - "offline_access" - ]; - loginHint = "${confLib.getConfig.repo.secrets.local.work.mailAddress}"; - }; - }; - - }; - - xdg = - let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3; - in - { - mimeApps = { - defaultApplications = { - "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; + Service = { + ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }; }; - desktopEntries = - let - terminal = false; - categories = [ "Application" ]; - icon = "firefox"; - in - { - firefox_work = { - name = "Firefox (work)"; - genericName = "Firefox work"; - exec = "firefox -p work"; - inherit terminal categories icon; - }; - "firefox_${user1}" = { - name = "Firefox (${user1})"; - genericName = 
"Firefox ${user1}"; - exec = "firefox -p ${user1}"; - inherit terminal categories icon; - }; - - "firefox_${user2}" = { - name = "Firefox (${user2})"; - genericName = "Firefox ${user2}"; - exec = "firefox -p ${user2}"; - inherit terminal categories icon; - }; - - "firefox_${user3}" = { - name = "Firefox (${user3})"; - genericName = "Firefox ${user3}"; - exec = "firefox -p ${user3}"; - inherit terminal categories icon; - }; - + onepassword-applet = { + Unit = { + Description = "1password applet"; + Requires = [ "tray.target" ]; + After = [ + "graphical-session.target" + "tray.target" + ]; + PartOf = [ "graphical-session.target" ]; }; + + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = "${pkgs._1password-gui}/bin/1password"; + }; + }; + }; - swarselsystems = { - startup = [ - # { command = "nextcloud --background"; } - # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; } - # { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } - # { command = "anki"; } - # { command = "obsidian"; } - # { command = "nm-applet"; } - # { command = "feishin"; } - # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; } - # { command = "1password"; } - ]; - monitors = { - work_back_middle = rec { - name = "LG Electronics LG Ultra HD 0x000305A6"; - mode = "2560x1440"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-10"; - output = name; - }; - work_front_left = rec { - name = "LG Electronics LG Ultra HD 0x0007AB45"; - mode = "3840x2160"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-7"; - output = name; - }; - work_back_right = rec { - name = "HP Inc. 
HP Z32 CN41212T55"; - mode = "3840x2160"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-3"; - output = name; - }; - work_middle_middle_main = rec { - name = "HP Inc. HP 732pk CNC4080YL5"; - mode = "3840x2160"; - scale = "1"; - position = "-1280,0"; - workspace = "11:M"; - # output = "DP-8"; - output = name; - }; - work_middle_middle_side = rec { - name = "Hewlett Packard HP Z24i CN44250RDT"; - mode = "1920x1200"; - transform = "270"; - scale = "1"; - position = "-2480,0"; - workspace = "12:S"; - # output = "DP-9"; - output = name; - }; - work_seminary = rec { - name = "Applied Creative Technology Transmitter QUATTRO201811"; - mode = "1280x720"; - scale = "1"; - position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse - workspace = "14:T"; - # output = "DP-4"; - output = name; + + services.pizauth = { + enable = true; + extraConfig = '' + auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; + error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; + token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"; + ''; + accounts = { + work = { + authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; + clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; + clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; + scopes = [ + "https://outlook.office365.com/IMAP.AccessAsUser.All" + "https://outlook.office365.com/SMTP.Send" + "offline_access" + ]; + loginHint = "${nixosConfig.repo.secrets.local.work.mailAddress}"; + }; }; + }; - inputs = { - "1133:45081:MX_Master_2S_Keyboard" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; + + xdg = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; + in + { + mimeApps = { + defaultApplications = { + "x-scheme-handler/msteams" = 
[ "teams-for-linux.desktop" ]; + }; + }; + desktopEntries = + let + terminal = false; + categories = [ "Application" ]; + icon = "firefox"; + in + { + firefox_work = { + name = "Firefox (work)"; + genericName = "Firefox work"; + exec = "firefox -p work"; + inherit terminal categories icon; + }; + "firefox_${user1}" = { + name = "Firefox (${user1})"; + genericName = "Firefox ${user1}"; + exec = "firefox -p ${user1}"; + inherit terminal categories icon; + }; + + "firefox_${user2}" = { + name = "Firefox (${user2})"; + genericName = "Firefox ${user2}"; + exec = "firefox -p ${user2}"; + inherit terminal categories icon; + }; + + "firefox_${user3}" = { + name = "Firefox (${user3})"; + genericName = "Firefox ${user3}"; + exec = "firefox -p ${user3}"; + inherit terminal categories icon; + }; + + + }; }; - # "2362:628:PIXA3854:00_093A:0274_Touchpad" = { - # dwt = "enabled"; - # tap = "enabled"; - # natural_scroll = "enabled"; - # middle_emulation = "enabled"; - # drag_lock = "disabled"; - # }; - "1133:50504:Logitech_USB_Receiver" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; + swarselsystems = { + startup = [ + # { command = "nextcloud --background"; } + # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; } + # { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } + # { command = "anki"; } + # { command = "obsidian"; } + # { command = "nm-applet"; } + # { command = "feishin"; } + # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; } + # { command = "1password"; } + ]; + monitors = { + work_back_middle = rec { + name = "LG Electronics LG Ultra HD 0x000305A6"; + mode = "2560x1440"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-10"; + output = name; + }; + work_front_left = rec { + name = "LG Electronics LG 
Ultra HD 0x0007AB45"; + mode = "3840x2160"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-7"; + output = name; + }; + work_back_right = rec { + name = "HP Inc. HP Z32 CN41212T55"; + mode = "3840x2160"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-3"; + output = name; + }; + work_middle_middle_main = rec { + name = "HP Inc. HP 732pk CNC4080YL5"; + mode = "3840x2160"; + scale = "1"; + position = "-1280,0"; + workspace = "11:M"; + # output = "DP-8"; + output = name; + }; + work_middle_middle_side = rec { + name = "Hewlett Packard HP Z24i CN44250RDT"; + mode = "1920x1200"; + transform = "270"; + scale = "1"; + position = "-2480,0"; + workspace = "12:S"; + # output = "DP-9"; + output = name; + }; + work_seminary = rec { + name = "Applied Creative Technology Transmitter QUATTRO201811"; + mode = "1280x720"; + scale = "1"; + position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse + workspace = "14:T"; + # output = "DP-4"; + output = name; + }; }; - "1133:45944:MX_KEYS_S" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; + inputs = { + "1133:45081:MX_Master_2S_Keyboard" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + # "2362:628:PIXA3854:00_093A:0274_Touchpad" = { + # dwt = "enabled"; + # tap = "enabled"; + # natural_scroll = "enabled"; + # middle_emulation = "enabled"; + # drag_lock = "disabled"; + # }; + "1133:50504:Logitech_USB_Receiver" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + "1133:45944:MX_KEYS_S" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + }; + + }; + } // lib.optionalAttrs (inputs ? sops) { + sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { + harica-root-ca = { + sopsFile = certsSopsFile; + path = "${homeDir}/.aws/certs/harica-root.pem"; + owner = mainUser; }; }; - }; - } // lib.optionalAttrs (inputs ? 
sops) { - sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { - harica-root-ca = { - sopsFile = certsSopsFile; - path = "${homeDir}/.aws/certs/harica-root.pem"; - owner = mainUser; - }; - }; - - }; + }); } @@ -21309,27 +20641,29 @@ When setting up a new machine: :END: #+begin_src nix-ts :tangle modules/home/optional/uni.nix :noweb yes - { confLib, ... }: + { config, lib, nixosConfig ? config, ... }: { - config = { - services.pizauth = { - enable = true; - accounts = { - uni = { - authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; - clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; - clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; - scopes = [ - "https://outlook.office365.com/IMAP.AccessAsUser.All" - "https://outlook.office365.com/SMTP.Send" - "offline_access" - ]; - loginHint = "${confLib.getConfig.repo.secrets.local.uni.mailAddress}"; + options.swarselmodules.optional.uni = lib.mkEnableOption "optional uni settings"; + config = lib.mkIf config.swarselmodules.optional.uni + { + services.pizauth = { + enable = true; + accounts = { + uni = { + authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; + clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; + clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; + scopes = [ + "https://outlook.office365.com/IMAP.AccessAsUser.All" + "https://outlook.office365.com/SMTP.Send" + "offline_access" + ]; + loginHint = "${nixosConfig.repo.secrets.local.uni.mailAddress}"; + }; }; }; }; - }; } #+end_src 
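Review bot: `token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"` in `services.pizauth.extraConfig` writes the account's token state to disk with whatever mode the session umask gives. With `offline_access` in the scopes, that state presumably includes a long-lived refresh token. As far as I know pizauth leaves protecting the dump to the user, so the file should at least be created owner-only, e.g. `token_event_cmd = "umask 077; pizauth dump > ${homeDir}/.pizauth.state";`. Better still would be to pipe the dump through an encryption step and have the `pizauth.Service.ExecStartPost` restore decrypt it. The enclosing module starts before this hunk, so any existing handling of that file is not visible here.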
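Review bot: `clientSecret` under `services.pizauth.accounts.uni` is a string literal, so it lands in the repository and in the world-readable Nix store. The identical `clientId`/`clientSecret` pair is also in `accounts.work` in the previous hunk. If this is a published public-client credential, which the sharing across two accounts suggests, a comment such as `# public OAuth client credential of the mail client, not confidential` would stop a reader or a secret scanner from treating it as a leak. If it belongs to a private app registration, it should be rotated and supplied through sops like the other secrets in this file.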
@@ -21342,9 +20676,10 @@ When setting up a new machine: This holds configuration that is specific to framework laptops. #+begin_src nix-ts :tangle modules/home/optional/framework.nix - _: + { lib, config, ... }: { - config = { + options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings"; + config = lib.mkIf config.swarselmodules.optional.framework { swarselsystems = { inputs = { "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = { @@ -21378,24 +20713,12 @@ TODO: check which of these can be replaced but builtin functions. options.swarselsystems = { proxyHost = lib.mkOption { type = lib.types.str; - default = config.node.name; - }; - isBastionTarget = lib.mkOption { - type = lib.types.bool; - default = false; + default = ""; }; isCloud = lib.mkOption { type = lib.types.bool; default = false; }; - isServer = lib.mkOption { - type = lib.types.bool; - default = config.swarselsystems.isCloud; - }; - isClient = lib.mkOption { - type = lib.types.bool; - default = config.swarselsystems.isLaptop; - }; withHomeManager = lib.mkOption { type = lib.types.bool; default = true; 
@@ -21723,17 +21046,17 @@ In short, the options defined here are passed to the modules systems using =_mod :CUSTOM_ID: h:a33322d5-014a-4072-a4a5-91bc71c343b8 :END: #+begin_src nix-ts :noweb yes :tangle modules/shared/config-lib.nix - { config, lib, globals, nixosConfig ? null, ... }: + { config, lib, globals, ... }: { _module.args = { confLib = rec { - addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4 else "localhost"; + addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4 else "localhost"; domainDefault = service: config.repo.secrets.common.services.domains.${service}; proxyDefault = config.swarselsystems.proxyHost; - getConfig = if nixosConfig == null then config else nixosConfig; + getConfig = config; gen = { name, user ? name, group ? name, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec { servicePort = port; 
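Review bot: In `addressDefault`, the `"localhost"` branch is still selected by `config.swarselsystems.proxyHost != config.node.name`, but the options hunk just before this one changes the `proxyHost` default from `config.node.name` to `""`. A host that leaves `proxyHost` unset therefore no longer gets `"localhost"`. It now resolves `globals.networks."…".hosts.${config.node.name}.ipv4`, which moves `gen`'s default `address` off loopback and fails evaluation where that network entry does not exist. `proxyDefault` likewise becomes the empty string. If loopback is still the intended default, the condition could read `if config.swarselsystems.proxyHost != "" && config.swarselsystems.proxyHost != config.node.name then … else "localhost";`. Otherwise a comment on `addressDefault` stating that an unset `proxyHost` means "use the network address" would make the change explicit.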
@@ -22774,8 +22097,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then green "Adding ssh host fingerprints for git{lab,hub}" - $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /home/$target_user/.ssh/known_hosts" - $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /root/.ssh/known_hosts" + $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts" + $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts" fi # -------------------------- @@ -23941,6 +23264,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a lowBattery = lib.mkDefault false; network = lib.mkDefault true; networkDevices = lib.mkDefault true; + niri = lib.mkDefault false; nix-ld = lib.mkDefault true; nvd = lib.mkDefault true; packages = lib.mkDefault true; @@ -23949,7 +23273,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a ppd = lib.mkDefault true; programs = lib.mkDefault true; pulseaudio = lib.mkDefault true; - remotebuild = lib.mkDefault true; security = lib.mkDefault true; sops = lib.mkDefault true; stylix = lib.mkDefault true; 
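Review bot: The two `ssh-keyscan` lines in the first hunk now also fetch the host key of `swagit.swarsel.win` and write the result straight into `known_hosts`. That accepts whatever key the network returns during bootstrap, with no check. For a self-hosted server the ed25519 host key is known in advance, so it can be pinned from the repository instead of scanned, e.g. `echo "swagit.swarsel.win ssh-ed25519 <PINNED_HOST_KEY>" | tee -a /home/$target_user/.ssh/known_hosts` (placeholder key), or the scanned fingerprint can be compared with a pinned one before writing. Note also that `tee` without `-a` replaces any existing `known_hosts` on the target. The surrounding script continues outside the hunk.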
@@ -24017,6 +23340,34 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a #+end_src +**** Optionals +:PROPERTIES: +:CUSTOM_ID: h:07086976-8c36-4d3e-a9fe-693348411b53 +:END: + +#+begin_src nix-ts :tangle profiles/nixos/optionals/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals"; + config = lib.mkIf config.swarselprofiles.optionals { + swarselmodules = { + optional = { + gaming = lib.mkDefault true; + virtualbox = lib.mkDefault true; + nswitch-rcm = lib.mkDefault true; + }; + }; + + home-manager.users."${config.swarselsystems.mainUser}" = { + swarselprofiles = { + optionals = lib.mkDefault true; + }; + }; + }; + + } + +#+end_src **** Hotel :PROPERTIES: :CUSTOM_ID: h:b79fbb59-9cf2-48eb-b469-2589223dda95 
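Review bot: `lib.mkEnableOption "is this a host with optionals"` produces a broken option description, because `mkEnableOption` prefixes its argument with "Whether to enable ". The generated text reads "Whether to enable is this a host with optionals." The same pattern is used for the new `swarselprofiles.work`, `uni`, `framework` and `toto` options in the later hunks, in both the NixOS and the home profiles. A noun phrase fits, e.g. `lib.mkEnableOption "the optionals profile (gaming, virtualbox, nswitch-rcm)"`, which also documents what the switch turns on. The `swarselmodules.optional.*` options added earlier in this diff ("optional uni settings") already follow that form.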
@@ -24076,6 +23427,87 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a #+end_src +**** Work +:PROPERTIES: +:CUSTOM_ID: h:cb3631a8-9c1b-42f2-ab01-502c7b4c273d +:END: + +#+begin_src nix-ts :tangle profiles/nixos/work/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselprofiles.work = lib.mkEnableOption "is this a work host"; + config = lib.mkIf config.swarselprofiles.work { + swarselmodules = { + optional = { + work = lib.mkDefault true; + }; + }; + home-manager.users."${config.swarselsystems.mainUser}" = { + swarselprofiles = { + work = lib.mkDefault true; + }; + }; + + }; + + } + +#+end_src + +**** Uni +:PROPERTIES: +:CUSTOM_ID: h:87a83b10-3c2f-407c-89aa-922ad77748a4 +:END: + +#+begin_src nix-ts :tangle profiles/nixos/uni/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host"; + config = lib.mkIf config.swarselprofiles.uni { + # swarselmodules = { + # optional = { + # uni = lib.mkDefault true; + # }; + # }; + home-manager.users."${config.swarselsystems.mainUser}" = { + swarselprofiles = { + uni = lib.mkDefault true; + }; + }; + + }; + + } + +#+end_src + +**** Framework +:PROPERTIES: +:CUSTOM_ID: h:eb272c99-842a-4095-bc65-283562749300 +:END: + +#+begin_src nix-ts :tangle profiles/nixos/framework/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host"; + config = lib.mkIf config.swarselprofiles.framework { + swarselmodules = { + optional = { + framework = lib.mkDefault true; + }; + }; + home-manager.users."${config.swarselsystems.mainUser}" = { + swarselprofiles = { + framework = lib.mkDefault true; + }; + }; + + }; + + } + +#+end_src + **** Server :PROPERTIES: :CUSTOM_ID: h:dfc076fd-ee74-4663-b164-653370c52b75 
@@ -24186,6 +23618,7 @@ This holds modules that are to be used on most hosts. These are also the most im kitty = lib.mkDefault true; mail = lib.mkDefault true; mako = lib.mkDefault true; + niri = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; @@ -24263,6 +23696,7 @@ This holds modules that are to be used on most hosts. These are also the most im kitty = lib.mkDefault true; mail = lib.mkDefault false; mako = lib.mkDefault false; + niri = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; @@ -24301,6 +23735,28 @@ This holds modules that are to be used on most hosts. These are also the most im #+end_src +**** Optionals +:PROPERTIES: +:CUSTOM_ID: h:0554a271-f8ec-4885-b46f-2a02dfd967bd +:END: + +#+begin_src nix-ts :tangle profiles/home/optionals/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals"; + config = lib.mkIf config.swarselprofiles.optionals { + swarselmodules = { + optional = { + gaming = lib.mkDefault true; + uni = lib.mkDefault true; + }; + }; + }; + + } + +#+end_src + **** Minimal :PROPERTIES: :CUSTOM_ID: h:26512487-8c29-4b92-835b-d67394c3f5ef 
@@ -24377,6 +23833,93 @@ This holds modules that are to be used on most hosts. These are also the most im #+end_src +**** toto +:PROPERTIES: +:CUSTOM_ID: h:e1d4f141-af11-448a-9796-fc822a8f77ec +:END: + +#+begin_src nix-ts :tangle profiles/home/toto/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselprofiles.toto = lib.mkEnableOption "is this a toto (setup) host"; + config = lib.mkIf config.swarselprofiles.toto { + swarselmodules = { + general = lib.mkDefault true; + sops = lib.mkDefault true; + ssh = lib.mkDefault true; + kitty = lib.mkDefault true; + git = lib.mkDefault true; + }; + }; + + } + +#+end_src + +**** Work +:PROPERTIES: +:CUSTOM_ID: h:7b091523-a5b0-48b6-8b03-4dc2405e2d81 +:END: + +#+begin_src nix-ts :tangle profiles/home/work/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselprofiles.work = lib.mkEnableOption "is this a work host"; + config = lib.mkIf config.swarselprofiles.work { + swarselmodules = { + optional = { + work = lib.mkDefault true; + }; + }; + }; + + } + +#+end_src + +**** Uni +:PROPERTIES: +:CUSTOM_ID: h:56f509b9-3271-4212-b5ea-482dbe288bda +:END: + +#+begin_src nix-ts :tangle profiles/home/uni/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host"; + config = lib.mkIf config.swarselprofiles.uni { + swarselmodules = { + optional = { + uni = lib.mkDefault true; + }; + }; + }; + + } + +#+end_src + +**** Framework +:PROPERTIES: +:CUSTOM_ID: h:712b9d7f-16c0-42b3-b02b-6d79ee15cfcc +:END: + +#+begin_src nix-ts :tangle profiles/home/framework/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host"; + config = lib.mkIf config.swarselprofiles.framework { + swarselmodules = { + optional = { + framework = lib.mkDefault true; + }; + }; + + }; + + } + +#+end_src + **** Local Server :PROPERTIES: :CUSTOM_ID: h:8027b858-369e-4f12-bbaf-f15eeee3d904 
@@ -26714,13 +26257,9 @@ This adds elfeed, a neat RSS reader for Emacs. I use this as a client for [[#h:9 (setq elfeed-protocol-enabled-protocols '(fever)) (setq elfeed-protocol-fever-update-unread-only t) (setq elfeed-protocol-fever-fetch-category-as-tag t) - - (let ((domain (getenv "SWARSEL_RSS_DOMAIN"))) - (setq elfeed-protocol-feeds - `((,(concat "fever+https://Swarsel@" domain) - :api-url ,(concat "https://" domain "/api/fever.php") - :password-file "~/.emacs.d/.fever")))) - + (setq elfeed-protocol-feeds '(("fever+https://Swarsel@signpost.swarsel.win" + :api-url "https://signpost.swarsel.win/api/fever.php" + :password-file "~/.emacs.d/.fever"))) (define-key elfeed-show-mode-map (kbd ";") 'visual-fill-column-mode) (define-key elfeed-show-mode-map (kbd "j") 'elfeed-goodies/split-show-next) @@ -27645,7 +27184,7 @@ This provides a beautiful calender to emacs. :init ;; set org-caldav-sync-initalization (setq swarsel-caldav-synced 0) - ;; (setq org-caldav-url "https://cal.example.org/swarsel/calendar") + ;; (setq org-caldav-url "https://schedule.swarsel.win/swarsel/calendar") ;; (setq org-caldav-calendars ;; '((:calendar-id "personal" ;; :inbox "~/Calendars/leon_cal.org"))) 
@@ -27719,66 +27258,59 @@ This sets up the =dashboard=, which is really quite useless. But, it looks cool :config (dashboard-setup-startup-hook) ;; (setq initial-buffer-choice (lambda () (get-buffer-create "*dashboard*"))) + (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal + dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package + dashboard-set-file-icons t + dashboard-items '((recents . 5) + (projects . 5) + (agenda . 5)) + dashboard-set-footer nil + dashboard-banner-logo-title "Welcome to SwarsEmacs!" + dashboard-image-banner-max-height 300 + dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png" + dashboard-projects-backend 'projectile + dashboard-projects-switch-function 'magit-status + dashboard-set-navigator t + dashboard-startupify-list '(dashboard-insert-banner + dashboard-insert-newline + dashboard-insert-banner-title + dashboard-insert-newline + dashboard-insert-navigator + dashboard-insert-newline + dashboard-insert-init-info + dashboard-insert-items + ) + dashboard-navigator-buttons + `(;; line1 + ((,"" + "SwarselSocial" + "Browse Swarsele" + (lambda (&rest _) (browse-url "instagram.com/Swarsele"))) - (let ((files-domain (getenv "SWARSEL_FILES_DOMAIN")) - (music-domain (getenv "SWARSEL_MUSIC_DOMAIN")) - (insta-domain (getenv "SWARSEL_INSTA_DOMAIN")) - (sport-domain (getenv "SWARSEL_SPORT_DOMAIN")) - (swarsel-domain (getenv "SWARSEL_DOMAIN")) - ) - (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal - dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package - dashboard-set-file-icons t - dashboard-items '((recents . 5) - (projects . 5) - (agenda . 5)) - dashboard-set-footer nil - dashboard-banner-logo-title "Welcome to SwarsEmacs!" 
- dashboard-image-banner-max-height 300 - dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png" - dashboard-projects-backend 'projectile - dashboard-projects-switch-function 'magit-status - dashboard-set-navigator t - dashboard-startupify-list '(dashboard-insert-banner - dashboard-insert-newline - dashboard-insert-banner-title - dashboard-insert-newline - dashboard-insert-navigator - dashboard-insert-newline - dashboard-insert-init-info - dashboard-insert-items - ) - dashboard-navigator-buttons - `(;; line1 - ((,"" - "SwarselSocial" - "Browse Swarsele" - (lambda (&rest _) (browse-url ,insta-domain))) - - (,"" - "SwarselSound" - "Browse SwarselSound" - (lambda (&rest _) (browse-url ,(concat "https://" music-domain))) ) - (,"" - "SwarselSwarsel" - "Browse Swarsel" - (lambda (&rest _) (browse-url "https://github.com/Swarsel")) ) - (,"" - "SwarselStash" - "Browse SwarselStash" - (lambda (&rest _) (browse-url ,(concat "https://" files-domain))) ) - (,"󰫑" - "SwarselSport" - "Browse SwarselSports" - (lambda (&rest _) (browse-url ,sport-domain))) - ) - ( - (,"󱄅" - ,swarsel-domain - ,(concat "Browse " main-domain) - (lambda (&rest _) (browse-url ,(concat "https://" swarsel-domain)))) - ) - )))) + (,"" + "SwarselSound" + "Browse SwarselSound" + (lambda (&rest _) (browse-url "sound.swarsel.win")) ) + (,"" + "SwarselSwarsel" + "Browse Swarsel" + (lambda (&rest _) (browse-url "github.com/Swarsel")) ) + (,"" + "SwarselStash" + "Browse SwarselStash" + (lambda (&rest _) (browse-url "stash.swarsel.win")) ) + (,"󰫑" + "SwarselSport" + "Browse SwarselSports" + (lambda (&rest _) (browse-url "social.parkour.wien/@Lenno"))) + ) + ( + (,"󱄅" + "swarsel.win" + "Browse swarsel.win" + (lambda (&rest _) (browse-url "swarsel.win"))) + ) + ))) #+end_src diff --git a/files/emacs/init.el b/files/emacs/init.el index 26d3439..f095b6a 100644 --- a/files/emacs/init.el +++ b/files/emacs/init.el 
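Review bot: The navigator buttons in `dashboard-navigator-buttons` now call `browse-url` with scheme-less strings (`"sound.swarsel.win"`, `"stash.swarsel.win"`, `"github.com/Swarsel"`, `"swarsel.win"`, `"instagram.com/Swarsele"`, `"social.parkour.wien/@Lenno"`), whereas the removed lines built explicit `https://` URLs. `browse-url` hands the string to the configured browser function as given, so the handler may treat it as a local path or fall back to plain http. Spelling the scheme out keeps the transport explicit, e.g. `(lambda (&rest _) (browse-url "https://sound.swarsel.win"))`, and likewise for the other five buttons. The same literals appear in the tangled `files/emacs/init.el` hunk further down and should come out of the same fix.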
@@ -1201,13 +1201,9 @@ create a new one." (setq elfeed-protocol-enabled-protocols '(fever)) (setq elfeed-protocol-fever-update-unread-only t) (setq elfeed-protocol-fever-fetch-category-as-tag t) - -(let ((domain (getenv "SWARSEL_RSS_DOMAIN"))) - (setq elfeed-protocol-feeds - `((,(concat "fever+https://Swarsel@" domain) - :api-url ,(concat "https://" domain "/api/fever.php") - :password-file "~/.emacs.d/.fever")))) - +(setq elfeed-protocol-feeds '(("fever+https://Swarsel@signpost.swarsel.win" + :api-url "https://signpost.swarsel.win/api/fever.php" + :password-file "~/.emacs.d/.fever"))) (define-key elfeed-show-mode-map (kbd ";") 'visual-fill-column-mode) (define-key elfeed-show-mode-map (kbd "j") 'elfeed-goodies/split-show-next) @@ -1715,7 +1711,7 @@ create a new one." :init ;; set org-caldav-sync-initalization (setq swarsel-caldav-synced 0) - ;; (setq org-caldav-url "https://cal.example.org/swarsel/calendar") + ;; (setq org-caldav-url "https://schedule.swarsel.win/swarsel/calendar") ;; (setq org-caldav-calendars ;; '((:calendar-id "personal" ;; :inbox "~/Calendars/leon_cal.org"))) 
@@ -1778,66 +1774,59 @@ create a new one." :config (dashboard-setup-startup-hook) ;; (setq initial-buffer-choice (lambda () (get-buffer-create "*dashboard*"))) + (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal + dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package + dashboard-set-file-icons t + dashboard-items '((recents . 5) + (projects . 5) + (agenda . 5)) + dashboard-set-footer nil + dashboard-banner-logo-title "Welcome to SwarsEmacs!" + dashboard-image-banner-max-height 300 + dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png" + dashboard-projects-backend 'projectile + dashboard-projects-switch-function 'magit-status + dashboard-set-navigator t + dashboard-startupify-list '(dashboard-insert-banner + dashboard-insert-newline + dashboard-insert-banner-title + dashboard-insert-newline + dashboard-insert-navigator + dashboard-insert-newline + dashboard-insert-init-info + dashboard-insert-items + ) + dashboard-navigator-buttons + `(;; line1 + ((,"" + "SwarselSocial" + "Browse Swarsele" + (lambda (&rest _) (browse-url "instagram.com/Swarsele"))) - (let ((files-domain (getenv "SWARSEL_FILES_DOMAIN")) - (music-domain (getenv "SWARSEL_MUSIC_DOMAIN")) - (insta-domain (getenv "SWARSEL_INSTA_DOMAIN")) - (sport-domain (getenv "SWARSEL_SPORT_DOMAIN")) - (swarsel-domain (getenv "SWARSEL_DOMAIN")) - ) - (setq dashboard-display-icons-p t ;; display icons on both GUI and terminal - dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package - dashboard-set-file-icons t - dashboard-items '((recents . 5) - (projects . 5) - (agenda . 5)) - dashboard-set-footer nil - dashboard-banner-logo-title "Welcome to SwarsEmacs!" 
- dashboard-image-banner-max-height 300 - dashboard-startup-banner "~/.dotfiles/files/wallpaper/swarsel.png" - dashboard-projects-backend 'projectile - dashboard-projects-switch-function 'magit-status - dashboard-set-navigator t - dashboard-startupify-list '(dashboard-insert-banner - dashboard-insert-newline - dashboard-insert-banner-title - dashboard-insert-newline - dashboard-insert-navigator - dashboard-insert-newline - dashboard-insert-init-info - dashboard-insert-items - ) - dashboard-navigator-buttons - `(;; line1 - ((,"" - "SwarselSocial" - "Browse Swarsele" - (lambda (&rest _) (browse-url ,insta-domain))) - - (,"" - "SwarselSound" - "Browse SwarselSound" - (lambda (&rest _) (browse-url ,(concat "https://" music-domain))) ) - (,"" - "SwarselSwarsel" - "Browse Swarsel" - (lambda (&rest _) (browse-url "https://github.com/Swarsel")) ) - (,"" - "SwarselStash" - "Browse SwarselStash" - (lambda (&rest _) (browse-url ,(concat "https://" files-domain))) ) - (,"󰫑" - "SwarselSport" - "Browse SwarselSports" - (lambda (&rest _) (browse-url ,sport-domain))) - ) - ( - (,"󱄅" - ,swarsel-domain - ,(concat "Browse " main-domain) - (lambda (&rest _) (browse-url ,(concat "https://" swarsel-domain)))) - ) - )))) + (,"" + "SwarselSound" + "Browse SwarselSound" + (lambda (&rest _) (browse-url "sound.swarsel.win")) ) + (,"" + "SwarselSwarsel" + "Browse Swarsel" + (lambda (&rest _) (browse-url "github.com/Swarsel")) ) + (,"" + "SwarselStash" + "Browse SwarselStash" + (lambda (&rest _) (browse-url "stash.swarsel.win")) ) + (,"󰫑" + "SwarselSport" + "Browse SwarselSports" + (lambda (&rest _) (browse-url "social.parkour.wien/@Lenno"))) + ) + ( + (,"󱄅" + "swarsel.win" + "Browse swarsel.win" + (lambda (&rest _) (browse-url "swarsel.win"))) + ) + ))) (use-package vterm :ensure t) diff --git a/files/scripts/swarsel-bootstrap.sh b/files/scripts/swarsel-bootstrap.sh index 4c4fef3..f4a557a 100644 --- a/files/scripts/swarsel-bootstrap.sh +++ b/files/scripts/swarsel-bootstrap.sh 
@@ -329,8 +329,8 @@ $ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519 if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then green "Adding ssh host fingerprints for git{lab,hub}" - $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /home/$target_user/.ssh/known_hosts" - $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /root/.ssh/known_hosts" + $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /home/$target_user/.ssh/known_hosts" + $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win | tee /root/.ssh/known_hosts" fi # -------------------------- diff --git a/hosts/nixos/aarch64-linux/belchsfactory/default.nix b/hosts/nixos/aarch64-linux/belchsfactory/default.nix index cd85107..d1a510a 100644 --- a/hosts/nixos/aarch64-linux/belchsfactory/default.nix +++ b/hosts/nixos/aarch64-linux/belchsfactory/default.nix @@ -1,10 +1,8 @@ -{ self, lib, minimal, ... }: +{ lib, config, minimal, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix - - "${self}/modules/nixos/optional/systemd-networkd-server.nix" ]; node.lockFromBootstrapping = lib.mkForce false; @@ -26,7 +24,9 @@ isNixos = true; isLinux = true; isCloud = true; + proxyHost = "belchsfactory"; server = { + inherit (config.repo.secrets.local.networking) localNetwork; garage = { data_dir = { capacity = "150G"; @@ -49,7 +49,6 @@ }; swarselmodules.server = { - ssh-builder = lib.mkDefault true; postgresql = lib.mkDefault true; attic = lib.mkDefault true; garage = lib.mkDefault true; diff --git a/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc index efc25e8..2900ace 100644 
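Review bot: Both changed lines write whatever `ssh-keyscan` returns for `swagit.swarsel.win` straight into `known_hosts`, so the key is trusted on first contact with no comparison against a known value. Whatever answers on the network path during bootstrap becomes the pinned identity for later git fetches as the target user and as root. For a host you operate, the public host key is already known, so it can be shipped in the repository and appended instead of scanned, e.g. `echo "swagit.swarsel.win ssh-ed25519 <PINNED_HOST_KEY>" | tee -a /root/.ssh/known_hosts`, or declared through `programs.ssh.knownHosts` in the NixOS config. Note also that `tee` without `-a` replaces any existing `known_hosts` content on both lines.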
--- a/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc +++ b/hosts/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:8qaX0CjyxK8qoAyVyxwfXlejWyGSY579EVmmUCi9PPyB5LyPjfDvXxlRFCOlC6eYbSJ1AWLqqZ6yYgZaimUHkOTh7dL+D4wSkmGeRnxZoQhq9n9sYZPJUfqEhMwEGxlrAvchXJuruZG+Tp9+Ev0if9f9J9qdU1y+yLGQxc2vnibMg2uxdpfYjHaDWa9bybRQZxINkD//um8uxkRs0xvWgZu63ReQZMPjx9K3vNtdJTZsW5+ZUB368QA2mnry2Zf60PWJT/+NsNKIwyzjhUNJ/eTFxjNJ4zPj/AnXFezfGvpVu6XFYsLk5uPb3XfpUlCj4mTVvmVlA40lf4rOhyoRRAW8d28puJArBf3nPzIkWQUfmFwO5EE3qPDkjMlaRa/RdRx0dvrbLDv7Ujt1XaK8bl3Vkz77oumCYFPV7J4mAeu3/LFBAoWKik6Wj8WQE+QwUWo=,iv:ZQaOO2Blpqn+Xnzt4fcPu+rNAvEdluwJEYRxPVItLcU=,tag:rKJ5g27ZK1wCpcyCVfffpA==,type:str]", + "data": "ENC[AES256_GCM,data:asdaPhz9nquyhCH8NuvAMdgEXW/RxPCEpqwFbyCYxfjMeWjvEe8yzWJDjVlTjP+73ql/CGSRajcahRNhOd1rgGoyMm71HJGxSWA2rbn7oNmll9lOquUJkDwXLHk5ApgIrTbvUX1C5rha/L/JSli5Hiy59WU/FB4WWDizhcN3XFSVdNYIKoA992JT0GjJ1dzHvzi+rw/8Mw+BJzm592t1CxhpS8qXRTpuyPSh09IWACNSJYBuEoEwA7aB9EVwG6SskUJKvU3bwyaI9nuc0iXHGbL5VLVJ95e2fcn7K3w2OEq1oigu4q5bpNUazX+mhLv7S8HN3c6/JJn69LaCkQeXhnNmrfy8J5+6i6fnXCdvXxHy00DI2p7fIeEM/MqaymhqoxoGxQs+vBcb2iY1OmvI6zrPRPKEghAo2zvzKHQF7ykRTi3ed6V6aVMSpu1rO1Z0UwwVbvEzSHtVnEU/gp4=,iv:lSRKdYmGE/XeGcalDIM0yuU+GaXMrxJrjqfVhHd7lIY=,tag:dD9LkrzuHLsoa2UcGfXHWA==,type:str]", "sops": { "age": [ { 
@@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbi9PZkRob2JkcjlEMUJu\nSG5TemplWkhWVXZNWStCVXhrUlFRSUtPeWk4CjZEQVN4b1lYVkxYQmU0SEJ0QnAv\nTE9IdHZUYmVjb0hxSno1QWxGN1ZMUFEKLS0tIEwrVU5uZmZPRGdZcjVsVk1IQ1Vv\nRXdMcW0xR2g5SCswKzF5RkIwUmtocDgKVI/EMQuvfKGeJH7wFm8VP5rKLhYKOlPt\nA+QIDAdrtFogW9Swwhzxu1tIOfMXzfyW9P+ec/b6/vU96PMqJQ6ZGg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-28T14:15:06Z", - "mac": "ENC[AES256_GCM,data:TxnVPtRHzUEr9StM3RlOgqD11036yM74HL1Q8ZkNSU89geAaUoDj8LJD1QKglDT5UNzfKeaZD4DT6bqill+H5FUuonOgLPxNoFKMyWhppQkMWM5F/bw8JUulacmE28b2Rd5zRVOYe3TkE11kMAbxRD+CvqEFBrLsZAndr9QdfUc=,iv:uzjzk1FUN52oAE0cuw7OLLmMRxE/VLQ+tUExxYQjwTQ=,tag:+BOG6wRb0h/jhyy7l8ZA/A==,type:str]", + "lastmodified": "2025-11-24T23:34:04Z", + "mac": "ENC[AES256_GCM,data:O7COFKQkK6aGkX8fp/ihHBxRVV8UM3khi549O6RWMFGDxgwMTh1qr3hNIJa3B4sTfhFuvOxpfxLjR4Yw02JH6wuwuuzANFzQ9uiVsVv5UDVDD0msYneTXVbSBo92gLFr4ZXcAoTtf9AKitkjwWjLK2sTJcZ608NjQSpOo+rSJ3o=,iv:s5wB+8B+igS7PhDTHL6XS17QBdhvobXFgCzHxHu52q4=,tag:ulySxIPinWRRRY8XbE8pWg==,type:str]", "pgp": [ { "created_at": "2025-11-25T18:32:49Z", diff --git a/hosts/nixos/aarch64-linux/liliputsteps/default.nix b/hosts/nixos/aarch64-linux/liliputsteps/default.nix deleted file mode 100644 index dc866d7..0000000 --- a/hosts/nixos/aarch64-linux/liliputsteps/default.nix +++ /dev/null 
@@ -1,41 +0,0 @@ -{ self, lib, minimal, ... }: -{ - imports = [ - ./hardware-configuration.nix - ./disk-config.nix - - "${self}/modules/nixos/optional/systemd-networkd-server.nix" - ]; - - topology.self = { - icon = "devices.cloud-server"; - }; - - swarselsystems = { - flakePath = "/root/.dotfiles"; - info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM"; - isImpermanence = true; - isSecureBoot = false; - isCrypted = true; - isSwap = false; - rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885"; - isBtrfs = true; - isNixos = true; - isLinux = true; - isCloud = true; - mainUser = "jump"; - }; -} // lib.optionalAttrs (!minimal) { - swarselprofiles = { - server = true; - }; - - swarselmodules.server = { - nginx = false; - bastion = true; - # ssh = false; - }; - - # users.users.swarsel.enable = lib.mkForce false; - # home-manager.users.swarsel.enable = lib.mkForce false -} diff --git a/hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix b/hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix deleted file mode 100644 index 2278aaf..0000000 --- a/hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ lib, modulesPath, ... }: -{ - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot = { - initrd = { - availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; - kernelModules = [ ]; - }; - kernelModules = [ ]; - extraModulePackages = [ ]; - }; - - nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; -} diff --git a/hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc deleted file mode 100644 index bd5dbdf..0000000 --- a/hosts/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:JYRzdtAYu24aWIL/hfWLbkS8xpcPw3ylZROuuUMVmIY=,tag:Ot7G/QiTLhmnlYe7Z9aOTQ==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVU5HTGhyL0ZBRXkzZ3hq\ndzBMd1JZTktZbWNFMGRzcXhFK3RHb090cFdBCmpMa0FNMWFCenBjYk9FaDIrTkFS\nSnN6S210ejN5SVVhd2FWRG1SUHB4WWcKLS0tIDV2K0h1QWxwUXkwVnZlYnR6eEtl\nUVR0UGJOR1hadUtNcjYyWE9wblAwWFUKVM+J/pqtZFADYTQHfWCdvPzlhtgR6zAy\nu0EWk77+K2J0GeBuDr1W5yblUCknht6WZCJZcO6fW7AuWSQK3e/EVA==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-12-01T16:51:40Z", - "mac": "ENC[AES256_GCM,data:SWLGPgFcdiGSvN5BTmE8Nq7+pBiNJM05H1hhqJY6wJqYZehKhQrQRj6/DSlYWPvYE/DdWo5Tiuc3RNY3NANwhki+7kl0OBxHoaHqBgOTa96rdPwe6V3s55v++jtm0xg/qLHEPCqrKqw/aiBAQLJkDOh/IykeEXBMW3S6EM+aQ0U=,iv:2wn4jQHdWWhIzOyGhZxow8WG6W0VgA2gwhb5X+k9ja0=,tag:8g4wQb0u7vbIPkVX8Ey0eA==,type:str]", - "pgp": [ - { - "created_at": "2025-12-01T15:59:42Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cl6I+s/JLwwTCX7WKdzeOIkrsK9DpY3pXBuzoZRSRSJE\nwFJO99Uc7/uH1DSsEB/25CWI6eWx7k6l7YDbcbXQgi5ZNoAt7BePeCu2LK/3coZB\nJe4SManP0sPqxrSd92Tnm6Zl9EL4cJ/5D2C2RBTWOaOtZHR8gyxx5+rzCotCoTXA\nJseGE4B8r/M0O7PAS9+oD14AwCndhuvkmFOq0Y1/wXldV6yCdgc//0oJBSTCBJUZ\nYMSQLovEYGvF9bFfpWYU8J53WqlGn7QKVccDN0/gfi8IVGVZGccUA58VaVqkzR41\ndYlRZ/sjtd+VXmOg8Fx79bOlzTn+RBCp9y+q5yKnzUKGe0/Lrnt6+j7+ieIowi76\npBd0bEaoh6wqdCJ7GSjsj5kdSXRop3Ae0ff+J0pBQNctehpcWj5/TpeA1zyslwEC\nD1B/KVN+Gh0XBCg636dUkt2E4NPNDckSRuvTLy+8IkTm7aQqTjqDu3WUOSPzZiZK\nBUGZWwXAS+xPPMH26X6gPTfZj+7Gdv6yxTVIwkphDbWfihxIP//WNbKX1QN4VSHf\nCmoPOrriIdgZ7d2olZEJxPgEVzavkRkiMSFQbQgzjx5Af3ccdav3mxlubjXldmpe\n689Joj8cgBPg1Yfk/yl7tVK9TFJgYXTqKfsXwscrSlsV+dRAN0pHuq1uo9cTE/SF\nAgwDC9FRLmchgYQBEADCJ5IVMNp+PgUDOiajCfpNq3/HsntzIWG0tIjCb5L9TFWQ\nMA2LQWhcU5CRBh7Sakf8IFi/U40SD+dILUh8JR/7g2i9mCS+1e0pkUwSIYxzAI+z\nQeycuyOrdQJFrk+nFbTdZVAerElxew/wQUiC2uoI8tA5+XyNeNfipaptPh9FpFuz\nXhFbkZDJ4kapGzsAn4FgUdmdqAgZ5n2W46WAmDmVKM0W1F0zZdkBEdkEKkv1gRpZ\nRntb/mVEiGAdXv6yAzvHrxgIBkxazzstRmCMXa252RUIakXqvkP1vw7B6ChSFQR+\nq9WNo9x0EYXivd/+ROjHT7WNhEToWems/3CQpQd1LEFXajLdpAWd875acqhBJqtY\nkpKqUG5F4JmTZ7hMuGI0g30nOofMtmFhDX/gCpJ97lEudHyNrHe0KWaQAwtRknz+\nrcPrZQmGRRcf4xcBVe/EDUNlkp9fPWEhFAwKMsVkkvCAADZbvdhLR6URJMmUj5KG\nOuwglHnSOMxCovAQUd3vCtNkkAnRPNOW/WMThr+qfjq8oKdDIaYBxjzjSz1FIsho\nKiz4W3flRzUcALjKTXadQl/jJEhpP3C6Ivh0d29SiKyrWG+Y4KlDIRctub9UjH46\nb2wqbnBzSrC8u9xJINIB4yryXsZiQyP5b39guSKIPjURebus7LBxq+0I7Z1OptJe\nAYk5htmFDe9Sgc+Do1L0kdxjblaoWOc0OiwYshQ9cMv+/IsU0U6T7w2A+8QkzPFc\nGVEmrW1Jyz2O3eMpq/Nl2IsmPDYTEPqhkRtAshBuYsoZJUz73/EovcSxyJ2moA==\n=o5Pw\n-----END PGP MESSAGE-----", - "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.11.0" - } -} diff --git a/hosts/nixos/aarch64-linux/moonside/default.nix b/hosts/nixos/aarch64-linux/moonside/default.nix index 1c3cf3f..f339b23 100644 --- a/hosts/nixos/aarch64-linux/moonside/default.nix 
+++ b/hosts/nixos/aarch64-linux/moonside/default.nix @@ -137,7 +137,9 @@ in isBtrfs = true; isNixos = true; isLinux = true; + proxyHost = "moonside"; server = { + inherit (config.repo.secrets.local.networking) localNetwork; restic = { bucketName = "SwarselMoonside"; paths = [ diff --git a/hosts/nixos/aarch64-linux/stoicclub/default.nix b/hosts/nixos/aarch64-linux/stoicclub/default.nix deleted file mode 100644 index 217d272..0000000 --- a/hosts/nixos/aarch64-linux/stoicclub/default.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ self, lib, minimal, ... }: -{ - imports = [ - ./hardware-configuration.nix - ./disk-config.nix - - "${self}/modules/nixos/optional/systemd-networkd-server.nix" - ]; - - topology.self = { - icon = "devices.cloud-server"; - }; - swarselmodules.server.nginx = false; - - - swarselsystems = { - flakePath = "/root/.dotfiles"; - info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM"; - isImpermanence = true; - isSecureBoot = false; - isCrypted = true; - isSwap = false; - rootDisk = "/dev/disk/by-id/scsi-360e1a5236f034316a10a97cc703ce9e3"; - isBtrfs = true; - isNixos = true; - isLinux = true; - isCloud = true; - isBastionTarget = true; - }; -} // lib.optionalAttrs (!minimal) { - swarselprofiles = { - server = true; - }; - - swarselmodules.server = { - nsd = true; - nginx = false; - }; -} diff --git a/hosts/nixos/aarch64-linux/stoicclub/disk-config.nix b/hosts/nixos/aarch64-linux/stoicclub/disk-config.nix deleted file mode 100644 index 9a98cce..0000000 --- a/hosts/nixos/aarch64-linux/stoicclub/disk-config.nix +++ /dev/null 
@@ -1,121 +0,0 @@ -{ lib, pkgs, config, ... }: -let - type = "btrfs"; - extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "subvol=root" - "compress=zstd" - "noatime" - ]; - }; - "/home" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/home"; - mountOptions = [ - "subvol=home" - "compress=zstd" - "noatime" - ]; - }; - "/persist" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/persist"; - mountOptions = [ - "subvol=persist" - "compress=zstd" - "noatime" - ]; - }; - "/log" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/var/log"; - mountOptions = [ - "subvol=log" - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "subvol=nix" - "compress=zstd" - "noatime" - ]; - }; - "/swap" = lib.mkIf config.swarselsystems.isSwap { - mountpoint = "/.swapvol"; - swap.swapfile.size = config.swarselsystems.swapSize; - }; - }; -in -{ - disko = { - imageBuilder.extraDependencies = [ pkgs.kmod ]; - devices = { - disk = { - disk0 = { - type = "disk"; - device = config.swarselsystems.rootDisk; - content = { - type = "gpt"; - partitions = { - ESP = { - priority = 1; - name = "ESP"; - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - root = lib.mkIf (!config.swarselsystems.isCrypted) { - size = "100%"; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - luks = lib.mkIf config.swarselsystems.isCrypted { - size = "100%"; - content = { - type = "luks"; - name = "cryptroot"; - passwordFile = "/tmp/disko-password"; # this is populated by 
bootstrap.sh - settings = { - allowDiscards = true; - # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 - crypttabExtraOpts = [ - "fido2-device=auto" - "token-timeout=10" - ]; - }; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - }; - }; - }; - }; - }; - }; - }; - - fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; -} diff --git a/hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix b/hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix deleted file mode 100644 index 2278aaf..0000000 --- a/hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ lib, modulesPath, ... }: -{ - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot = { - initrd = { - availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; - kernelModules = [ ]; - }; - kernelModules = [ ]; - extraModulePackages = [ ]; - }; - - nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; -} diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/default.nix b/hosts/nixos/aarch64-linux/twothreetunnel/default.nix deleted file mode 100644 index 8a30e09..0000000 --- a/hosts/nixos/aarch64-linux/twothreetunnel/default.nix +++ /dev/null 
@@ -1,36 +0,0 @@ -{ self, lib, minimal, ... }: -{ - imports = [ - ./hardware-configuration.nix - ./disk-config.nix - - "${self}/modules/nixos/optional/systemd-networkd-server.nix" - ]; - - topology.self = { - icon = "devices.cloud-server"; - }; - - swarselsystems = { - flakePath = "/root/.dotfiles"; - info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM"; - isImpermanence = true; - isSecureBoot = false; - isCrypted = true; - isSwap = false; - rootDisk = "/dev/disk/by-id/scsi-3608deb9b0d4244de95c6620086ff740d"; - isBtrfs = true; - isNixos = true; - isLinux = true; - isCloud = true; - }; -} // lib.optionalAttrs (!minimal) { - swarselprofiles = { - server = true; - }; - - swarselmodules.server = { - nginx = false; - }; - -} diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix b/hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix deleted file mode 100644 index 9a98cce..0000000 --- a/hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix +++ /dev/null 
@@ -1,121 +0,0 @@ -{ lib, pkgs, config, ... }: -let - type = "btrfs"; - extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "subvol=root" - "compress=zstd" - "noatime" - ]; - }; - "/home" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/home"; - mountOptions = [ - "subvol=home" - "compress=zstd" - "noatime" - ]; - }; - "/persist" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/persist"; - mountOptions = [ - "subvol=persist" - "compress=zstd" - "noatime" - ]; - }; - "/log" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/var/log"; - mountOptions = [ - "subvol=log" - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "subvol=nix" - "compress=zstd" - "noatime" - ]; - }; - "/swap" = lib.mkIf config.swarselsystems.isSwap { - mountpoint = "/.swapvol"; - swap.swapfile.size = config.swarselsystems.swapSize; - }; - }; -in -{ - disko = { - imageBuilder.extraDependencies = [ pkgs.kmod ]; - devices = { - disk = { - disk0 = { - type = "disk"; - device = config.swarselsystems.rootDisk; - content = { - type = "gpt"; - partitions = { - ESP = { - priority = 1; - name = "ESP"; - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - root = lib.mkIf (!config.swarselsystems.isCrypted) { - size = "100%"; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - luks = lib.mkIf config.swarselsystems.isCrypted { - size = "100%"; - content = { - type = "luks"; - name = "cryptroot"; - passwordFile = "/tmp/disko-password"; # this is populated by 
bootstrap.sh - settings = { - allowDiscards = true; - # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 - crypttabExtraOpts = [ - "fido2-device=auto" - "token-timeout=10" - ]; - }; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - }; - }; - }; - }; - }; - }; - }; - - fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; -} diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix b/hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix deleted file mode 100644 index 2278aaf..0000000 --- a/hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ lib, modulesPath, ... }: -{ - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot = { - initrd = { - availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ]; - kernelModules = [ ]; - }; - kernelModules = [ ]; - extraModulePackages = [ ]; - }; - - nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; -} diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc deleted file mode 100644 index e82a9a3..0000000 --- a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:G3Q+Hn7QkvBZeXzNR+0Bax+Va5sK5E0K3hNTkdsNJx4C6pIwrBEBOt3IKv/c00QhpAnPqo9gbKqWU9gv7I56nEOwVtVH3lrMlbxNl9LIiSv9SvSxVkTOow2msSJV/U+1KpjNQ/LnOo2Fxebfz1yiRtgi7hSazzqzIazZAFBldlKkjLR5SFCG8t5s/nccqZU+cLmS7hJDS5LtgW1XeunqUY7jnKuh7gT2I6fPsu15Vy+YeKLmYIt0a20bWGePBIlyiGRtpnMgtIt5gk5+OpSndO8P/GMgUzRwRZEL1b8U57jbhkPLdnwwy/iV6rEFCD9i6qB0ufVW/euc+y5mN0dx8op9FwJVzkJhUIIy9Qbbc8WOjjjWlwbKJNkWfYX7pTtx+xfBKuPF+IwaoMS9j+C3etkoYe5QCr9YGYM5Xer/HL0otYNacQU5S0VqPBzDnLu7NxzB4i22,iv:aFPDBmZasoqEFCbhrRtA2QMB27khuT3rdfCGAafjov0=,tag:GQGuHL5aYPc98tzc6Bb5mA==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEhDamZTRUhQZFNDTTl4\nVVVNNGZXa2h2THVzY0JWMjE2WjNJT0ZoblV3ClYzeEt4c0dWRzlISnN3NGthR21M\nTEtDQ011dFdhRVdPWlpweS9ma0N3dmsKLS0tIHFPQzQ5VzkyODZyY1JpcE4xR2Nl\nY2MrSERXTWkvNVZCR2xHUGh4ZXMvYTgK7pxPjnh3idl4QzBkR6LHyRskgqA3apS2\nkbg7As6wlEs34TAO8reyZknKTUd3Xif1v9RXiTcu1sEKHqkcqEoDog==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-12-01T22:45:54Z", - "mac": "ENC[AES256_GCM,data:b2sWPq+S5qqSM6lON+9A//LehgR7Wy7x8EfqeiFOFo9RT3niwaKjfp/Jnf6nKbXF43XM4dsn+dIX52fgxyd0KVLnJTqinhz97sSSs7hYFdXa2FGRhI+VwmuGVvr2ylAJODQgTn+MD7I+s/3DTfh6h0V47IZvxrUpYgg7tJrxzBc=,iv:g4XVN24+COVtRQPzTiI4iki1crjBUVc7vpnJ/vucd2A=,tag:gcnfSvPWvLqG2wTZELRMsg==,type:str]", - "pgp": [ - { - "created_at": "2025-12-01T23:06:36Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//RhpX1uVa49yA8FIfj/y/2C92Z7iBl+l1TGjaYMnuLAp5\nYybqAHwi1gzbnhKvpqO3ndm7qHNwbPBuYBDhu1ZDkQnzyzIthx3JA2G+je4Jem+N\nF8XWUglO+lEUpHD62s9JdOSS2dNRHSd/mcu/GV+k0/DzkXDn3TzzOciKBLn1u03+\n6T3mipG5cm00EEstR+iX46FSzOPX3M2+hYY+HY9rQa1RKUrUUsBBdCEYWgMsQOA9\nDGyweibxkcyxIGZIc882gxa06QxM07ON7NuZjW7vvUz3k7CI3bf5IBfaCvDywaDL\n0AKeTAVGVLnzdapZoP9lZmu6T639wu8BKMxSHiGeUenOrhs/Gl+CA2iCU5XimZCw\nbwPvKRbOGLu2eiBL/BHEMg1XpRw6bh24o3vNIchGRqDKbXICgkKr2gXhvli3qPrH\nCXokXF48e51bERfr9YWi0ryW5tgVEMwyubRi85cYnslwqfT78xzKMNRwF8wJ6PxG\ngwT6bEJ/f7QzXkw9VPY2HbaBBhe7XUBRDhLnV5sPBiZW2JDOt9rXH1LqWQLo7Ot6\nLWvOicAtmY5vnRIm9x1pPFKipmTWj7NzRCLEq5yt0borQsPO5RTC6fvhL/1Lpe1B\nzjAIjJBfQptEn4xjA0unZk6x45UDp9KpJz5zdKF43DSvGOkEF8NuTdEXNpeYHzCF\nAgwDC9FRLmchgYQBEADA36phB2C1d2DvEzi7AB7lK5gGExmaYSCzMJkSfjNQ4SO5\nwMhvRZZyIf5PT9wdJ6hCtOSqqhh0cubmZadrFnz/qjXLVSv9aTD4PFshF5lYgT0x\n2GkiIOkrVZ6vuP6/iIW/p+CqztDymVRR6DAhNNX6gx2NARdhii2K/hitW0QejoJk\nWY07qUIb2z0fPVp5TfAf3Nr87u3faYr0usW8GGABFA7IzJwCK1VA1284UZm4zj6Z\naHm+0wK/1g7Ck2sjzbhqzK3HlZVKd6lBIhmwdzcG1y0Ua5L7PIauLR6ArZkFD3WO\naHyyZ5hyNmoyOMjuTvPCIhiZ3T+aQK2f8pzyOApEWX4piCNhIvcSSy9AQ/f5hvVd\nWLG68dIMnmOWYxHX68jdNttSCcc9oJKNboOPKDdmEblZxGx5HZpYYL7X+Q0JKoMO\nqCXVc7GlIVLX0GghAvgC9Xww8XMQTWgJJJAVOa0tlTDJ4ybvCiyy850+ZPTevlHV\nfvlKSSCGHtjVIuZ5b+jMtBqg0aPDY0OqNFSvJ6x6wk0uICMesv2LNAKF7tUkMvHF\ncHljW96IOLocW96bwVR+nQG7U/ZY7/P6+2Nva8AgbrCd0erEZ/2lIvRV4IEzCk2g\nVzuzg+7pjkh1iHYUX+VX6CbyIPyx2Ic+VNaMrbqtC1YiPK6Bx+SF3eYHw9DYJ9Jc\nASJeqALtG3vg/TOKZwOfTp1GNvSExTUKqhEHpcCCty1UxIpNCPByvvsUqY0Q63DA\nyJ4TVO1QLCLwKz8nK8NWSRGrZ29jNJfAjcNDV/FrPiFqSPHVAErd4Vnbeu8=\n=Yn71\n-----END PGP MESSAGE-----", - "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.11.0" - } -} diff --git a/hosts/nixos/x86_64-linux/bakery/default.nix b/hosts/nixos/x86_64-linux/bakery/default.nix index 3927663..98252bc 100644 --- a/hosts/nixos/x86_64-linux/bakery/default.nix +++ b/hosts/nixos/x86_64-linux/bakery/default.nix 
@@ -10,10 +10,6 @@ in ./disk-config.nix ./hardware-configuration.nix - "${self}/modules/nixos/optional/gaming.nix" - "${self}/modules/nixos/optional/nswitch-rcm.nix" - "${self}/modules/nixos/optional/virtualbox.nix" - ]; swarselsystems = { @@ -35,6 +31,7 @@ in isSwap = true; rootDisk = "/dev/nvme0n1"; swapSize = "4G"; + hostName = config.node.name; }; home-manager.users."${primaryUser}" = { diff --git a/hosts/nixos/x86_64-linux/eagleland/default.nix b/hosts/nixos/x86_64-linux/eagleland/default.nix index baa5bd5..47ef03e 100644 --- a/hosts/nixos/x86_64-linux/eagleland/default.nix +++ b/hosts/nixos/x86_64-linux/eagleland/default.nix @@ -1,16 +1,60 @@ -{ self, lib, minimal, ... }: +{ lib, config, minimal, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix - - "${self}/modules/nixos/optional/systemd-networkd-server.nix" ]; topology.self = { icon = "devices.cloud-server"; }; + networking = { + useDHCP = lib.mkForce false; + useNetworkd = true; + dhcpcd.enable = false; + renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) ( + config.repo.secrets.local.networking.networks or { } + ); + }; + boot.initrd.systemd.network = { + enable = true; + networks = { + inherit (config.systemd.network.networks) "10-wan"; + }; + }; + + systemd = { + network = { + enable = true; + wait-online.enable = false; + networks = + let + netConfig = config.repo.secrets.local.networking; + in + { + "10-wan" = { + address = [ + "${netConfig.wanAddress4}/32" + "${netConfig.wanAddress6}/64" + ]; + gateway = [ "fe80::1" ]; + routes = [ + { Destination = netConfig.defaultGateway4; } + { + Gateway = netConfig.defaultGateway4; + GatewayOnLink = true; + } + ]; + matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac; + networkConfig.IPv6PrivacyExtensions = "yes"; + linkConfig.RequiredForOnline = "routable"; + }; + }; + }; + }; + + swarselmodules.server.mailserver = true; swarselsystems = { flakePath = "/root/.dotfiles"; 
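Review bot: In the eagleland `default.nix` hunk, `swarselmodules.server.mailserver = true;` is now set in the unconditional attribute set, while the following hunk removes it from the `lib.optionalAttrs (!minimal)` block, so the minimal build of this host also enables the mail server. If that was not intended, keep the line under the `!minimal` branch next to `swarselprofiles.server`; if it is intended, a comment saying why a minimal install needs the mail server would help. Separately, `renameInterfacesByMac` falls back to `{ }` when `networking.networks` is missing, but `matchConfig.MACAddress` and the `wanAddress4`/`wanAddress6` interpolations have no fallback, so evaluation presumably still fails when the local secrets are absent; either drop the `or { }` or guard the `10-wan` network the same way.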
@@ -26,11 +70,11 @@ isNixos = true; isLinux = true; proxyHost = "eagleland"; + server = { + inherit (config.repo.secrets.local.networking) localNetwork; + }; }; } // lib.optionalAttrs (!minimal) { - - swarselmodules.server.mailserver = true; - swarselprofiles = { server = true; }; diff --git a/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc index 7407819..e7516a5 100644 --- a/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc +++ b/hosts/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:v9MxvhcHg+P00UnOWujSgVlMNcOnDm/gK8kNcN54E2E=,tag:XnPMzsDeGJMt9yv6GnFzqg==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:KoTbJUnhbZp7jX/jPmX8gBobDJDoLPAvhBU9j9RYr/g=,tag:qhd6OAHNkbn0xN7wJhF1Fw==,type:str]", "sops": { "age": [ { 
@@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR1ZPZFUxRTh0QjB6UDJ4\nOFd2c2lFejhHck5UdUxVbmFFbVRYNEJaSzJZCkNxbndVVThObDkxUmx2WW9ESzhh\na2o0LzFCbWdJVlRIV00rTVUwTktoek0KLS0tIC9qalVvZmpGQXZsV3RIYWRPbmRY\nam80NkRkT2l0ak8wV3pTSW9kSC9nZ3cKCH8eEMmku6WMliEDdAiW2Lk1jAGH9SoP\nWQ5Y6e90jEnp8XbGE7KYiG+jy5fHSc6Y5/YyMmi/b9bF9AhmRT6rdw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-28T10:50:22Z", - "mac": "ENC[AES256_GCM,data:lwkkp8YSzX8NM7E65kmPpF/q9Vn+FnCTeePLswDH6AVgndo/7QOy0GtJeXmiwt2YsA4AhRqxexWl2R8tjEysP35pyfQJ4vEkVi+V2tEnoLgftriNJzpoeVuRNXLxTPhPezOZgAcTDDL4yyqJXpcFj0PE1DPHKxazT28BoilaBYE=,iv:3dcAqkw/y6rAPL8wb5iewz37S4xszYFGHxvQiQ98sLk=,tag:SEmbptei6GrTXXyb7zwrIg==,type:str]", + "lastmodified": "2025-11-25T15:44:12Z", + "mac": "ENC[AES256_GCM,data:EqEvcd75Si3I0Tgxm0ffeVRKrKNqaFNI+NqZcB02mKPYPWTR6fX4VT2oVhLIxvn+5MQY2BBR/VzSxblcX6K149REpk/22aGuHfk45giq8q1xBnZeNzEQDuhoY8XZd8dzqxk1pHmQFS+jL/zl42a2Qib/jVmlnPof0bcwa/HlZDU=,iv:5V2zSQOCG/XkRF7zgFe1oDuzrP3dx6pWZpsvdVT8hz8=,tag:DYHQIFEedflw43aCTT/ACA==,type:str]", "pgp": [ { "created_at": "2025-11-23T15:25:41Z", diff --git a/hosts/nixos/x86_64-linux/hintbooth/default.nix b/hosts/nixos/x86_64-linux/hintbooth/default.nix index dbb6c6b..4f3412c 100644 --- a/hosts/nixos/x86_64-linux/hintbooth/default.nix +++ b/hosts/nixos/x86_64-linux/hintbooth/default.nix @@ -1,4 +1,4 @@ -{ lib, minimal, ... }: +{ lib, config, minimal, ... }: { imports = [ @@ -18,6 +18,9 @@ rootDisk = "/dev/sda"; swapSize = "8G"; networkKernelModules = [ "igb" ]; + server = { + inherit (config.repo.secrets.local.networking) localNetwork; + }; }; } // lib.optionalAttrs (!minimal) { diff --git a/hosts/nixos/x86_64-linux/milkywell/default.nix b/hosts/nixos/x86_64-linux/milkywell/default.nix new file mode 100644 index 0000000..3945349 --- /dev/null +++ b/hosts/nixos/x86_64-linux/milkywell/default.nix 
@@ -0,0 +1,46 @@ +{ lib, config, minimal, ... }: +{ + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + ]; + node.lockFromBootstrapping = false; + sops = { + age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; + }; + + topology.self = { + icon = "devices.cloud-server"; + }; + + networking = { + domain = "subnet03112148.vcn03112148.oraclevcn.com"; + firewall = { + allowedTCPPorts = [ 53 ]; + }; + }; + + system.stateVersion = "23.11"; + + swarselsystems = { + flakePath = "/root/.dotfiles"; + info = "VM.Standard.E2.1.Micro"; + isImpermanence = true; + isSecureBoot = false; + isCrypted = false; + isSwap = true; + swapSize = "8G"; + rootDisk = "/dev/sda"; + isBtrfs = true; + isNixos = true; + isLinux = true; + server = { + inherit (config.repo.secrets.local.networking) localNetwork; + }; + }; +} // lib.optionalAttrs (!minimal) { + swarselprofiles = { + server = true; + }; + +} diff --git a/hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix b/hosts/nixos/x86_64-linux/milkywell/disk-config.nix similarity index 100% rename from hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix rename to hosts/nixos/x86_64-linux/milkywell/disk-config.nix diff --git a/hosts/nixos/x86_64-linux/milkywell/hardware-configuration.nix b/hosts/nixos/x86_64-linux/milkywell/hardware-configuration.nix new file mode 100644 index 0000000..61b6d63 --- /dev/null +++ b/hosts/nixos/x86_64-linux/milkywell/hardware-configuration.nix 
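Review bot: `allowedTCPPorts = [ 53 ];` in the new milkywell `default.nix` opens TCP 53 on every interface of a cloud VM, with no matching UDP rule and no comment naming the service that listens there. If this host is meant to serve DNS, `allowedUDPPorts = [ 53 ];` is most likely needed as well, and the service should answer only for its own zones or for known clients so that it cannot be used as an open resolver. If nothing binds the port yet, leave the rule out until the service is added. A one-line comment on `node.lockFromBootstrapping = false;` and `isCrypted = false;` would also record why this host deviates from the hardened defaults.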
@@ -0,0 +1,26 @@ +{ lib, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot = { + initrd = { + availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; + kernelModules = [ "dm-snapshot" ]; + }; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + }; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/milkywell/secrets/pii.nix.enc similarity index 57% rename from hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc rename to hosts/nixos/x86_64-linux/milkywell/secrets/pii.nix.enc index e292b25..d5c5740 100644 --- a/hosts/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc +++ b/hosts/nixos/x86_64-linux/milkywell/secrets/pii.nix.enc 
@@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:4C3fdXBKI/x/7B56b2n6OshGRaGgwYc4HQv4CRgXi+Y83hQj6wfbcqA55Xm9cXOfGAm2NNGIcUrVyuGHKlur7lUkvoNYe+a5A4GEkXVxiAoJKGcHa2nqfmR+GQJRAE6gNm9wgUL24CfKonEb09NgFBFfL7srXtkU8R1TMduUiYvzH7eNy45jQnWdQ3xgNYkb65iIZ3KCkcbjKrlOtN1Qu8+PuQmMl175gUVJcaLmpMgsz5IPetyHUWIkmqjgwhim4CyTZGwOaQW376Xq2mZUf9IOhdqLyR8GcKFLsY/GLDzp1eGfx9xUpAu3NMmjblHDdIyRcv0EjS+Cj/EUQwTrw3R2szXAb1m33sIVyloGT8RyVsu1J+RSIQOEKpVLaTxsCoulIfyBj5h9vajMVFdMmyqAFPJTVF8fNmy57VuBiDR1WYY5WT2QkBwe4A5ZZLpRmudeZAqEjD+R8Itcin4Ce8K4LtkpfLZeCUpnoaWk1u0CH5QuFCyd+s2+S2DBnFqfBmhTVzEtwXyd6zEeLo+LGCh2Eu2XwYi+DV5Xfdp4leTwEXQ+63MB2ZtOQkoxT6pi/w1rSlEcVknJJIc0HRhrRSx685i29qmcWGfjw765ECxCM2RKJKdwtYHwyLQGyTkGgzNlWr/EzskD7wwtanR0K0NUBS3MGbBaSmeI+bJ+B1ld2n7Efp1eg8AdMz/VHywvFQpS6HY5ItPCWNcDB9DMerUQINO1EtP1Dd57vafzQGGcduUKW+ywuwUdOU/XTXPaVP7VWdX9EFIlv/RMK4UX/l3Yy/Vf6iciT45zouIgoFECRe59Uz0185BHTn9xeE9oYGiLfKzlnxhNpXNaNmYGVRxKxKwfMNrA+hRtuoGrD0uE/Ev6F5ytMYMZGsQ5D6TJOHXPfAVWo5MzPA1Q2dgoCF9zZvYgCaOcSZTntoJY9X1MiwMkYIbtOtTQ4jJOI9DfXX+kOp/fejHrQEyAasCvh2zxCW2FjMckREdqtYxPEDsHGc8+0BDGgj+00a5wC19U60jolvdLsUwy41inmirgxBMaQhuavMXEpFXT0hEecZfJn8eJqPVPDVLC8LvlB+C593ByHeoR3VOIfFVv3bgCP+cQudAR+U/b8YO4gSpuVV4WF7JXLCwRCi0Flw7EzAuhuR9JYd8GKUEDctGmAYiPy1YiQCLFnAWmZvHQ2q6TeVDTQ5LPmjqM1b4iqoqn3AHhMu9HWswy4LFNujZblSo0hSHRZ+2P/+Xjrgfz2d3QF66ngEjW1tanw7hxGmiZJXXyPN+2bdB04B8ZnL/gBzQ2661fGYGYCBU=,iv:mU4ydooaOySi7MTe+b/DGfs1fzpDXbkASUo1cDsh4O8=,tag:Jh18+kJPLJFlGx5HymywOw==,type:str]", + "data": 
"ENC[AES256_GCM,data:pikVONWg81bulGRM+enUyBGxFw4C51177O3WrhRzvCiWpulc9RHVH12AfVh4uAkoOANrPyLZuEUGdu8hvFgcTWBzJXPSPZ2sMfAjx593RhSsW+VM58IS0Oa+N9XxwpYnKiUBHrvAxgJD3vhVgCIrL+1LSylZG/RF4Wj6fw4dkttlCqioRkyNPufBtpMEN+MTw9IFsAKaCV5LTFnetIzm6wUPepExaPOpdFhf61JYyzsHkKZslA4FKs1cWgK5ggJkfQS1aA3KCh8pU8vU6uXRgl4ixyUzn/l1HnGZRhFxjcc0x4RqrJYFW9Qyj7oehHU6AxuzD2bf0vuVxZn7nQy8MrDfsvYL5yU34MSdokwrvg3IBXvPogbmjWoBLl6+0WSlV5s6o8GbTkhFi0kWv5H9AKcywY54ltyzoxAQ/9hsZa9IIGCNMFjVfcrKPQKAfrdLbYQxdioq62lHX0LbXKWU9WPRhiG9eRsETudIPan8VRMvHx/6qS6bXSaEjYkKsVSmUOhcVYp7bp58wl9JKu4qYUOLyE2T00IdmbUWrQ+MP14lj6XKNyLN6//8qFyTyhDBLPBJ5DxOMt6qn1qe/lqD4R8Iqvvj63IFq3/psdDXHu+WNmq2/LQH3Y8GTxIoEQ+uPK/I7Tqdh2DXQgKYK162ybczcqsQwGwQWe+DWtno8fauypNrFp6Wgd7c62pxY+8nJzTU9gYSyAIHWEHmRW1LV231X+7kB+JwB2AxfDFXRChuNtJkOK9pdwo4SSS/tGDS5RLmsO4VpE2mPmhxA78IuU88c0LF/e4fC8N5hteecXjMMsSswbC1VUO/3B0JfN8nI0/BnE5Hhau8McSZ1Z06/GsxC+6ArX+zIXthcLIr95nAnLDgJUOKOU7XvLQ9Y22u4lmYWedSTg+vjdljjUG3aBNyp5ZI2xXQmOOgL21aE9aQgBN27GQGqgzECrNEbK0osBefjw14sxv/aZlWU9hHlVROLVbpyWl3edN9ZEMYSJDCpMPwFkEOshlkZ78IfQw7fWRKoBW3W9uHyRPEFeldy8KQ2Lux8A5KwokgFFrp4JI92gjUSubfFsCZp/NHrV5k5UltfMz50QdaKw==,iv:5tRqYZwfz4AeC/HSetPfDaysniUoAgklLl7mEiWBqiM=,tag:7TnVeBMtP8Q81eqeRu02gg==,type:str]", "sops": { "age": [ { 
@@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZzY0QVQ4ZUxxZkdhQ2Zn\nOHpmTnRaR0R3cXh2Z2JFM1RDVDB2QnE3M3prCm43NjQyOS93UTZKaUlUUmhVcTdG\nUWp1YU1kVmZPc0tBN2FMY2FFVkI1a0UKLS0tIFovZi9FQlhMaXpvcnRYN2FiSm16\nTzJESjNyZ1NzajJRNDR6ZTd2TitoQTgKe2hC6OpYIzgqzhmeJuHWe0yXNE+/Ek26\nGt7s1B6OKnrj+S3es84ePOjAbLHr/ez282b/h0y55ws4R7jMemUIrQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-12-01T12:12:55Z", - "mac": "ENC[AES256_GCM,data:AhvfUvZnKSnhQCTHJpqs5OBELhGYv66on1+kSLX2lONyTbNfwHYsJHII4zHY+bS5cBkZbjtzMfJQkFWtDbU7c8wvdJnHN6H11MOEzC+GfI3R7UzwzJsUjNYE03u8FJCuLvI1SO3EObiKIgH80MV8qlXC+1+f7mKnfZNH8Kekor8=,iv:pAEz8tDZzaFee1EcNBd6zrl0yN55ywVK/eGof/B5MAU=,tag:LbjMr3rOb3By87yOfUK/3A==,type:str]", + "lastmodified": "2025-11-25T15:37:26Z", + "mac": "ENC[AES256_GCM,data:nZoyO4iZKAgecFiQ0tBdTEogMIDhe+Tg28L73DLVGCDTaG4QTR4ulvh77R3+Guun6eV5CsH86hTgENgDvybEVJV9bZmJWVbVQ0a+QYsZKIVDcH+o1ZK5EiOoaUb+Tfze1CGey2aw8zBgz3hl7ZeVjb5XNsKOhQz00Oc8xQ7z2CQ=,iv:x7oSgep++DVe2JQ1PPORcqfgBpCRbjO+MNPpDVSlzeI=,tag:JlibH3nTCf64bqxpnCxJAg==,type:str]", "pgp": [ { "created_at": "2025-11-20T01:03:05Z", diff --git a/hosts/nixos/x86_64-linux/pyramid/default.nix b/hosts/nixos/x86_64-linux/pyramid/default.nix index d5e9942..1d5b350 100644 --- a/hosts/nixos/x86_64-linux/pyramid/default.nix +++ b/hosts/nixos/x86_64-linux/pyramid/default.nix 
@@ -10,17 +10,16 @@ in ./disk-config.nix ./hardware-configuration.nix - "${self}/modules/nixos/optional/amdcpu.nix" - "${self}/modules/nixos/optional/amdgpu.nix" - "${self}/modules/nixos/optional/framework.nix" - "${self}/modules/nixos/optional/gaming.nix" - "${self}/modules/nixos/optional/hibernation.nix" - "${self}/modules/nixos/optional/nswitch-rcm.nix" - "${self}/modules/nixos/optional/virtualbox.nix" - "${self}/modules/nixos/optional/work.nix" - ]; + swarselmodules = { + optional = { + amdcpu = true; + amdgpu = true; + hibernation = true; + }; + }; + swarselsystems = { lowResolution = "1280x800"; highResolution = "2560x1600"; @@ -68,5 +67,9 @@ in } // lib.optionalAttrs (!minimal) { swarselprofiles = { personal = true; + optionals = true; + work = true; + uni = true; + framework = true; }; } diff --git a/hosts/nixos/x86_64-linux/summers/default.nix b/hosts/nixos/x86_64-linux/summers/default.nix index 347a7d0..ebc92ff 100644 --- a/hosts/nixos/x86_64-linux/summers/default.nix +++ b/hosts/nixos/x86_64-linux/summers/default.nix @@ -1,11 +1,9 @@ -{ self, inputs, lib, config, minimal, nodes, globals, ... }: +{ inputs, lib, config, minimal, nodes, globals, ... }: { imports = [ ./hardware-configuration.nix ./disk-config.nix - - "${self}/modules/nixos/optional/microvm-host.nix" ]; boot = { @@ -32,6 +30,9 @@ }; swarselmodules = { + optional = { + microvmHost = true; + }; server = { diskEncryption = lib.mkForce false; # TODO: disable nfs = false; diff --git a/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix b/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix index 7363993..a08c95c 100644 --- a/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix +++ b/hosts/nixos/x86_64-linux/summers/guests/guest1/default.nix @@ -1,8 +1,5 @@ -{ self, lib, minimal, ... }: +{ lib, minimal, ... }: { - imports = [ - "${self}/modules/nixos/optional/microvm-guest.nix" - ]; swarselsystems = { info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM"; 
@@ -14,6 +11,12 @@ server = false; }; + swarselmodules = { + optional = { + microvmGuest = false; + }; + }; + microvm = { mem = 1024 * 4; vcpu = 2; diff --git a/hosts/nixos/x86_64-linux/winters/default.nix b/hosts/nixos/x86_64-linux/winters/default.nix index 2fb27c2..58c6bc2 100644 --- a/hosts/nixos/x86_64-linux/winters/default.nix +++ b/hosts/nixos/x86_64-linux/winters/default.nix @@ -1,4 +1,4 @@ -{ lib, minimal, ... }: +{ lib, config, minimal, ... }: { imports = [ @@ -27,6 +27,7 @@ isNixos = true; proxyHost = "moonside"; server = { + inherit (config.repo.secrets.local.networking) localNetwork; restic = { bucketName = "SwarselWinters"; paths = [ diff --git a/modules/home/common/anki.nix b/modules/home/common/anki.nix index 995cd3a..4c857b7 100644 --- a/modules/home/common/anki.nix +++ b/modules/home/common/anki.nix @@ -1,4 +1,4 @@ -{ lib, config, pkgs, globals, inputs, confLib, ... }: +{ lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }: let moduleName = "anki"; inherit (config.swarselsystems) isPublic isNixos; @@ -23,11 +23,11 @@ in syncMedia = true; autoSyncMediaMinutes = 5; url = "https://${globals.services.ankisync.domain}"; - usernameFile = confLib.getConfig.sops.secrets.anki-user.path; + usernameFile = nixosConfig.sops.secrets.anki-user.path; # this is not the password but the syncKey # get it by logging in or out, saving preferences and then # show details on the "settings wont be saved" dialog - keyFile = confLib.getConfig.sops.secrets.anki-pw.path; + keyFile = nixosConfig.sops.secrets.anki-pw.path; }; addons = let diff --git a/modules/home/common/element.nix b/modules/home/common/element.nix index 0398726..f9ba831 100644 --- a/modules/home/common/element.nix +++ b/modules/home/common/element.nix @@ -1,4 +1,4 @@ -{ lib, config, globals, ... }: +{ lib, config, ... }: let moduleName = "element-desktop"; in 
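Review bot: `microvmGuest = false;` in the guest1 hunk turns off the option that replaces the `microvm-guest.nix` import removed in the first hunk of this file, although the `microvm = { mem = …; vcpu = …; }` block right below it is kept. Before this commit the guest module was always imported, so the guest presumably still needs it and the line should read `microvmGuest = true;`, in line with `microvmHost = true;` on summers. If the module is now enabled from the host side instead, a short comment saying so would avoid the confusion. The option's definition is not visible in this diff, so this needs confirming against the module.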
@@ -10,7 +10,7 @@ in settings = { default_server_config = { "m.homeserver" = { - base_url = "https://${globals.services.matrix.domain}/"; + base_url = "https://swatrix.swarsel.win/"; }; }; UIFeature = { diff --git a/modules/home/common/env.nix b/modules/home/common/env.nix index 4fb6ae4..b58be8a 100644 --- a/modules/home/common/env.nix +++ b/modules/home/common/env.nix @@ -1,8 +1,8 @@ -{ lib, config, confLib, globals, ... }: +{ lib, config, nixosConfig ? config, ... }: let - inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; - inherit (confLib.getConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name; - inherit (confLib.getConfig.repo.secrets.common) fullName openrouterApi instaDomain sportDomain; + inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; + inherit (nixosConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name; + inherit (nixosConfig.repo.secrets.common) fullName openrouterApi; inherit (config.swarselsystems) isPublic homeDir; DISPLAY = ":0"; @@ -18,12 +18,6 @@ in DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private"; FLAKE = "${config.home.homeDirectory}/.dotfiles"; } // lib.optionalAttrs (!isPublic) { - SWARSEL_DOMAIN = globals.domains.main; - SWARSEL_RSS_DOMAIN = globals.services.freshrss.domain; - SWARSEL_MUSIC_DOMAIN = globals.services.navidrome.domain; - SWARSEL_FILES_DOMAIN = globals.services.nextcloud.domain; - SWARSEL_INSTA_DOMAIN = instaDomain; - SWARSEL_SPORT_DOMAIN = sportDomain; SWARSEL_MAIL1 = address1; SWARSEL_MAIL2 = address2; SWARSEL_MAIL3 = address3; 
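Review bot: `base_url = "https://swatrix.swarsel.win/";` in the `element.nix` hunk hard-codes the homeserver that was previously read from `globals.services.matrix.domain`, so the client setting and the server definition can now drift apart. The same pattern appears in the `opkssh.nix` hunk further down, where `issuer` becomes a literal URL; a stale issuer there either breaks login or keeps trusting a hostname that is no longer under your control. If `globals` is unavailable in standalone home-manager, a module option with the literal as its default keeps one source of truth; at minimum add `# keep in sync with globals.services.matrix.domain` (and the kanidm equivalent) next to the literals.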
@@ -36,7 +30,7 @@ in SWARSEL_CAL3NAME = source3-name; SWARSEL_FULLNAME = fullName; SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses; - GITHUB_NOTIFICATION_TOKEN_PATH = confLib.getConfig.sops.secrets.github-notifications-token.path; + GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path; OPENROUTER_API_KEY = openrouterApi; }; }; diff --git a/modules/home/common/gammastep.nix b/modules/home/common/gammastep.nix index 07d6644..c8862c8 100644 --- a/modules/home/common/gammastep.nix +++ b/modules/home/common/gammastep.nix @@ -1,6 +1,6 @@ -{ lib, config, confLib, ... }: +{ lib, config, nixosConfig ? config, ... }: let - inherit (confLib.getConfig.repo.secrets.common.location) latitude longitude; + inherit (nixosConfig.repo.secrets.common.location) latitude longitude; in { options.swarselmodules.gammastep = lib.mkEnableOption "gammastep settings"; diff --git a/modules/home/common/git.nix b/modules/home/common/git.nix index cda162b..1fb7ad8 100644 --- a/modules/home/common/git.nix +++ b/modules/home/common/git.nix @@ -1,7 +1,7 @@ -{ lib, config, globals, minimal, confLib, ... }: +{ lib, config, globals, minimal, nixosConfig ? config, ... }: let - inherit (confLib.getConfig.repo.secrets.common.mail) address1; - inherit (confLib.getConfig.repo.secrets.common) fullName; + inherit (nixosConfig.repo.secrets.common.mail) address1; + inherit (nixosConfig.repo.secrets.common) fullName; gitUser = globals.user.name; in diff --git a/modules/home/common/hexchat.nix b/modules/home/common/hexchat.nix index 97f70c0..f0d813a 100644 --- a/modules/home/common/hexchat.nix +++ b/modules/home/common/hexchat.nix @@ -1,7 +1,7 @@ -{ lib, config, confLib, ... }: +{ lib, config, nixosConfig ? config, ... }: let moduleName = "hexchat"; - inherit (confLib.getConfig.repo.secrets.common.irc) irc_nick1; + inherit (nixosConfig.repo.secrets.common.irc) irc_nick1; in { options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings"; 
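Review bot: In the last `env.nix` hunk, `OPENROUTER_API_KEY = openrouterApi;` (a context line) passes the key by value from `nixosConfig.repo.secrets.common`, while the line changed just above it passes the GitHub token as a sops file path. A value interpolated at evaluation time presumably ends up in the generated session-variable file in the Nix store and in the environment of every user process. Consider declaring the key as a sops secret and exporting only its path, or reading it on demand in the tool that needs it, as is already done for `GITHUB_NOTIFICATION_TOKEN_PATH`. The enclosing attribute set starts outside this hunk.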
diff --git a/modules/home/common/mail.nix b/modules/home/common/mail.nix index 6c46e4a..5d067d4 100644 --- a/modules/home/common/mail.nix +++ b/modules/home/common/mail.nix @@ -1,7 +1,7 @@ -{ lib, config, inputs, globals, confLib, ... }: +{ lib, config, inputs, globals, nixosConfig ? config, ... }: let - inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4; - inherit (confLib.getConfig.repo.secrets.common) fullName; + inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4; + inherit (nixosConfig.repo.secrets.common) fullName; inherit (config.swarselsystems) xdgDir; in { @@ -140,7 +140,7 @@ in address = address4; userName = address4; realName = fullName; - passwordCommand = "cat ${confLib.getConfig.sops.secrets.address4-token.path}"; + passwordCommand = "cat ${nixosConfig.sops.secrets.address4-token.path}"; mu.enable = true; msmtp = { enable = true; @@ -169,7 +169,7 @@ in address = address1; userName = address1; realName = fullName; - passwordCommand = "cat ${confLib.getConfig.sops.secrets.address1-token.path}"; + passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}"; gpg = { key = "0x76FD3810215AE097"; signByDefault = true; @@ -183,7 +183,7 @@ in address = address2; userName = address2; realName = address2-name; - passwordCommand = "cat ${confLib.getConfig.sops.secrets.address2-token.path}"; + passwordCommand = "cat ${nixosConfig.sops.secrets.address2-token.path}"; } defaultSettings; @@ -193,7 +193,7 @@ in address = address3; userName = address3; realName = address3-name; - passwordCommand = "cat ${confLib.getConfig.sops.secrets.address3-token.path}"; + passwordCommand = "cat ${nixosConfig.sops.secrets.address3-token.path}"; } defaultSettings; 
diff --git a/modules/home/optional/niri.nix b/modules/home/common/niri.nix similarity index 99% rename from modules/home/optional/niri.nix rename to modules/home/common/niri.nix index 5873b62..699881f 100644 --- a/modules/home/optional/niri.nix +++ b/modules/home/common/niri.nix @@ -1,8 +1,5 @@ -{ inputs, config, pkgs, lib, vars, ... }: +{ config, pkgs, lib, vars, ... }: { - imports = [ - inputs.niri-flake.homeModules.niri - ]; options.swarselmodules.niri = lib.mkEnableOption "niri settings"; config = lib.mkIf config.swarselmodules.niri { diff --git a/modules/home/common/obsidian.nix b/modules/home/common/obsidian.nix index 03219bc..5020502 100644 --- a/modules/home/common/obsidian.nix +++ b/modules/home/common/obsidian.nix @@ -1,7 +1,7 @@ -{ lib, config, pkgs, confLib, ... }: +{ lib, config, pkgs, nixosConfig ? config, ... }: let moduleName = "obsidian"; - inherit (confLib.getConfig.repo.secrets.common.obsidian) userIgnoreFilters; + inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters; name = "Main"; in { diff --git a/modules/home/common/opkssh.nix b/modules/home/common/opkssh.nix index 1481701..9d5b86d 100644 --- a/modules/home/common/opkssh.nix +++ b/modules/home/common/opkssh.nix @@ -1,4 +1,4 @@ -{ lib, config, globals, ... }: +{ lib, config, ... }: let moduleName = "opkssh"; in @@ -13,7 +13,7 @@ in providers = [ { alias = "kanidm"; - issuer = "https://${globals.services.kanidm.domain}/oauth2/openid/opkssh"; + issuer = "https://sso.swarsel.win/oauth2/openid/opkssh"; client_id = "opkssh"; scopes = "openid email profile"; redirect_uris = [ diff --git a/modules/home/common/settings.nix b/modules/home/common/settings.nix index c624b34..3e5e47a 100644 --- a/modules/home/common/settings.nix +++ b/modules/home/common/settings.nix 
@@ -40,11 +40,7 @@ in trusted-public-keys = [ atticPublicKey ]; - trusted-users = [ - "@wheel" - "${mainUser}" - (lib.mkIf config.swarselmodules.server.ssh-builder "builder") - ]; + trusted-users = [ "@wheel" "${mainUser}" ]; connect-timeout = 5; bash-prompt-prefix = "$SHLVL:\\w "; bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ "; diff --git a/modules/home/common/ssh.nix b/modules/home/common/ssh.nix index e575925..562f68a 100644 --- a/modules/home/common/ssh.nix +++ b/modules/home/common/ssh.nix @@ -1,7 +1,7 @@ -{ inputs, lib, config, confLib, ... }: +{ lib, config, nixosConfig ? config, ... }: { options.swarselmodules.ssh = lib.mkEnableOption "ssh settings"; - config = lib.mkIf config.swarselmodules.ssh ({ + config = lib.mkIf config.swarselmodules.ssh { programs.ssh = { enable = true; enableDefaultConfig = false; @@ -18,15 +18,11 @@ serverAliveCountMax = 3; hashKnownHosts = false; userKnownHostsFile = "~/.ssh/known_hosts"; - controlMaster = "auto"; + controlMaster = "no"; controlPath = "~/.ssh/master-%r@%n:%p"; - controlPersist = "5m"; + controlPersist = "no"; }; - } // confLib.getConfig.repo.secrets.common.ssh.hosts; + } // nixosConfig.repo.secrets.common.ssh.hosts; }; - } // lib.optionalAttrs (inputs ? sops) { - sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { - builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; }; - }; - }); + }; } diff --git a/modules/home/common/sway.nix b/modules/home/common/sway.nix index 83f894a..12ebb83 100644 --- a/modules/home/common/sway.nix +++ b/modules/home/common/sway.nix @@ -1,4 +1,4 @@ -{ config, lib, vars, confLib, ... }: +{ config, lib, vars, nixosConfig ? config, ... }: let eachOutput = _: monitor: { inherit (monitor) name; 
@@ -381,7 +381,7 @@ in export XDG_CURRENT_DESKTOP=sway; export XDG_SESSION_DESKTOP=sway; export _JAVA_AWT_WM_NONREPARENTING=1; - export GITHUB_NOTIFICATION_TOKEN_PATH=${confLib.getConfig.sops.secrets.github-notifications-token.path}; + export GITHUB_NOTIFICATION_TOKEN_PATH=${nixosConfig.sops.secrets.github-notifications-token.path}; '' + vars.waylandExports; # extraConfigEarly = " # exec systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK diff --git a/modules/home/common/yubikey.nix b/modules/home/common/yubikey.nix index 095e90c..3a5507b 100644 --- a/modules/home/common/yubikey.nix +++ b/modules/home/common/yubikey.nix @@ -1,4 +1,4 @@ -{ lib, config, inputs, confLib, ... }: +{ lib, config, inputs, nixosConfig ? config, ... }: let inherit (config.swarselsystems) homeDir; in @@ -9,8 +9,8 @@ in pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) { ids = [ - confLib.getConfig.repo.secrets.common.yubikeys.dev1 - confLib.getConfig.secrets.common.yubikeys.dev2 + nixosConfig.repo.secrets.common.yubikeys.dev1 + nixosConfig.repo.secrets.common.yubikeys.dev2 ]; }; } // lib.optionalAttrs (inputs ? sops) { diff --git a/modules/home/common/zsh.nix b/modules/home/common/zsh.nix index 7f7b6e3..50ce19a 100644 --- a/modules/home/common/zsh.nix +++ b/modules/home/common/zsh.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, minimal, inputs, globals, confLib, ... }: +{ config, pkgs, lib, minimal, inputs, globals, nixosConfig ? config, ... }: let inherit (config.swarselsystems) flakePath isNixos; crocDomain = globals.services.croc.domain; 
@@ -127,8 +127,8 @@ in ''; sessionVariables = lib.mkIf (!config.swarselsystems.isPublic) { CROC_RELAY = crocDomain; - CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})"; - GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"; + CROC_PASS = "$(cat ${nixosConfig.sops.secrets.croc-password.path or ""})"; + GITHUB_TOKEN = "$(cat ${nixosConfig.sops.secrets.github-nixpkgs-review-token.path or ""})"; QT_QPA_PLATFORM_PLUGIN_PATH = "${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins"; # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox"; }; diff --git a/modules/home/optional/framework.nix b/modules/home/optional/framework.nix index 3d4baab..9e8a9d8 100644 --- a/modules/home/optional/framework.nix +++ b/modules/home/optional/framework.nix @@ -1,6 +1,7 @@ -_: +{ lib, config, ... }: { - config = { + options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings"; + config = lib.mkIf config.swarselmodules.optional.framework { swarselsystems = { inputs = { "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = { diff --git a/modules/home/optional/gaming.nix b/modules/home/optional/gaming.nix index 04b2817..d9657db 100644 --- a/modules/home/optional/gaming.nix +++ b/modules/home/optional/gaming.nix @@ -1,9 +1,10 @@ -{ config, pkgs, confLib, ... }: +{ lib, config, pkgs, nixosConfig ? config, ... }: let inherit (config.swarselsystems) isNixos; in { - config = { + options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings"; + config = lib.mkIf config.swarselmodules.optional.gaming { # specialisation = { # gaming.configuration = { home.packages = with pkgs; [ 
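Review bot: In the `zsh.nix` hunk, the `or ""` fallback on both `.path` lookups yields `$(cat )` when the secret is not declared, and `cat` without an operand reads standard input, so shell start-up would presumably block until EOF instead of leaving the variable empty. Emit the variable only when the secret exists, for example `// lib.optionalAttrs (nixosConfig.sops.secrets ? croc-password) { CROC_PASS = "$(cat ${nixosConfig.sops.secrets.croc-password.path})"; }`, and likewise for `GITHUB_TOKEN`. Both values are also exported to every child process of every shell; reading them in a wrapper for the one command that needs them would narrow that exposure. The `sessionVariables` set starts in this hunk but its enclosing block starts outside it.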
@@ -43,7 +44,7 @@ in gamescope umu-launcher ]; - steamPackage = if isNixos then confLib.getConfig.programs.steam.package else pkgs.steam; + steamPackage = if isNixos then nixosConfig.programs.steam.package else pkgs.steam; winePackages = with pkgs; [ wineWow64Packages.waylandFull ]; diff --git a/modules/home/optional/uni.nix b/modules/home/optional/uni.nix index a841620..ef2d2c4 100644 --- a/modules/home/optional/uni.nix +++ b/modules/home/optional/uni.nix @@ -1,22 +1,24 @@ -{ confLib, ... }: +{ config, lib, nixosConfig ? config, ... }: { - config = { - services.pizauth = { - enable = true; - accounts = { - uni = { - authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; - clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; - clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; - scopes = [ - "https://outlook.office365.com/IMAP.AccessAsUser.All" - "https://outlook.office365.com/SMTP.Send" - "offline_access" - ]; - loginHint = "${confLib.getConfig.repo.secrets.local.uni.mailAddress}"; + options.swarselmodules.optional.uni = lib.mkEnableOption "optional uni settings"; + config = lib.mkIf config.swarselmodules.optional.uni + { + services.pizauth = { + enable = true; + accounts = { + uni = { + authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; + clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; + clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; + scopes = [ + "https://outlook.office365.com/IMAP.AccessAsUser.All" + "https://outlook.office365.com/SMTP.Send" + "offline_access" + ]; + loginHint = "${nixosConfig.repo.secrets.local.uni.mailAddress}"; + }; }; }; }; - }; } diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix index 26b377a..c7611a5 100644 --- a/modules/home/optional/work.nix +++ b/modules/home/optional/work.nix 
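Review bot: The `clientSecret` literal in the `uni.nix` hunk is committed in clear text in a repository that otherwise routes credentials through sops; the line is only re-indented here, but it is worth settling while the block is being touched. The `clientId`/`clientSecret` pair looks like the publicly documented Thunderbird OAuth client, in which case it is not confidential and a comment such as `# public Thunderbird OAuth client credentials, not a private secret` would stop readers and secret scanners from treating it as a leak. If it is instead a privately registered application, the secret should be rotated and supplied through a sops secret path.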
@@ -1,425 +1,395 @@ -{ self, inputs, config, pkgs, lib, vars, confLib, ... }: +{ self, inputs, config, pkgs, lib, vars, nixosConfig ? config, ... }: let inherit (config.swarselsystems) homeDir mainUser; - inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses; - inherit (confLib.getConfig.repo.secrets.local.work) mailAddress; + inherit (nixosConfig.repo.secrets.local.mail) allMailAddresses; + inherit (nixosConfig.repo.secrets.local.work) mailAddress; certsSopsFile = self + /secrets/certs/secrets.yaml; in { - options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption; - config = { - home = { - packages = with pkgs; [ - stable.teams-for-linux - shellcheck - dig - docker - postman - # rclone - libguestfs-with-appliance - prometheus.cli - tigervnc - # openstackclient + options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings"; + config = lib.mkIf config.swarselmodules.optional.work + ({ + home = { + packages = with pkgs; [ + stable.teams-for-linux + shellcheck + dig + docker + postman + # rclone + libguestfs-with-appliance + prometheus.cli + tigervnc + # openstackclient - vscode - dev.antigravity + vscode + dev.antigravity - rustdesk-vbc - ]; - sessionVariables = { - AWS_CA_BUNDLE = confLib.getConfig.sops.secrets.harica-root-ca.path; - }; - }; - systemd.user.sessionVariables = { - DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; - } // lib.optionalAttrs (!config.swarselsystems.isPublic) { - SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses; - SWARSEL_MAIL_WORK = lib.mkForce mailAddress; - }; - - accounts.email.accounts.work = - let - inherit (confLib.getConfig.repo.secrets.local.work) mailName; - in - { - primary = false; - address = mailAddress; - userName = mailAddress; - realName = mailName; - passwordCommand = "pizauth show work"; - imap = { - host = "outlook.office365.com"; - port = 993; - tls.enable = true; # SSL/TLS - }; - smtp = { - host = "outlook.office365.com"; - port = 587; - tls = { - enable = 
true; # SSL/TLS - useStartTls = true; - }; - }; - thunderbird = { - enable = true; - profiles = [ "default" ]; - settings = id: { - "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth - "mail.server.server_${id}.authMethod" = 10; # oauth - # "toolkit.telemetry.enabled" = false; - # "toolkit.telemetry.rejected" = true; - # "toolkit.telemetry.prompted" = 2; - }; - }; - msmtp = { - enable = true; - extraConfig = { - auth = "xoauth2"; - host = "outlook.office365.com"; - protocol = "smtp"; - port = "587"; - tls = "on"; - tls_starttls = "on"; - from = "${mailAddress}"; - user = "${mailAddress}"; - passwordeval = "pizauth show work"; - }; - }; - mu.enable = true; - mbsync = { - enable = true; - expunge = "both"; - patterns = [ "INBOX" ]; - extraConfig = { - account = { - AuthMechs = "XOAUTH2"; - }; - }; - }; - }; - - # wayland.windowManager.sway.config = { - # output = { - # "Applied Creative Technology Transmitter QUATTRO201811" = { - # bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; - # }; - # "Hewlett Packard HP Z24i CN44250RDT" = { - # bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; - # }; - # "HP Inc. 
HP 732pk CNC4080YL5" = { - # bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; - # }; - # }; - # }; - - wayland.windowManager.sway = - let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress; - in - { - config = { - keybindings = - let - inherit (config.wayland.windowManager.sway.config) modifier; - in - { - "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}"; - "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}"; - }; - }; - }; - - stylix = { - targets.firefox.profileNames = - let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3; - in - [ - "${user1}" - "${user2}" - "${user3}" - "work" + rustdesk-vbc ]; - }; - - programs = - let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; - in - { - openstackclient = { - enable = true; - inherit clouds; - }; - awscli = { - enable = true; - package = pkgs.stable24_05.awscli2; - # settings = { - # "default" = { }; - # "profile s3-imagebuilder-prod" = { }; - # }; - # credentials = { - # "s3-imagebuilder-prod" = { - # aws_access_key_id = "5OYXY4879EJG9I91K1B6"; - # credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key"; - # }; - # }; - }; - git.settings.user.email = lib.mkForce gitMail; - - zsh = { - shellAliases = { - dssh = "ssh -l ${user1Long}"; - cssh = "ssh -l ${user2Long}"; - wssh = "ssh -l ${user3Long}"; - }; - cdpath = [ - "~/Documents/Work" - ]; - dirHashes = { - d = "$HOME/.dotfiles"; - w = "$HOME/Documents/Work"; - s = "$HOME/.dotfiles/secrets"; - pr = "$HOME/Documents/Private"; - ac = path1; - }; - - sessionVariables = { - VSPHERE_USER = "$(cat ${confLib.getConfig.sops.secrets.vcuser.path})"; - VSPHERE_PW = "$(cat 
${confLib.getConfig.sops.secrets.vcpw.path})"; - GOVC_USERNAME = "$(cat ${confLib.getConfig.sops.secrets.govcuser.path})"; - GOVC_PASSWORD = "$(cat ${confLib.getConfig.sops.secrets.govcpw.path})"; - GOVC_URL = "$(cat ${confLib.getConfig.sops.secrets.govcurl.path})"; - GOVC_DATACENTER = "$(cat ${confLib.getConfig.sops.secrets.govcdc.path})"; - GOVC_DATASTORE = "$(cat ${confLib.getConfig.sops.secrets.govcds.path})"; - GOVC_HOST = "$(cat ${confLib.getConfig.sops.secrets.govchost.path})"; - GOVC_RESOURCE_POOL = "$(cat ${confLib.getConfig.sops.secrets.govcpool.path})"; - GOVC_NETWORK = "$(cat ${confLib.getConfig.sops.secrets.govcnetwork.path})"; - }; - }; - - ssh = { - matchBlocks = { - "${loc1}" = { - hostname = "${loc1}.${domain2}"; - user = user4; - }; - "${loc1}.stg" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.staging" = { - hostname = "${loc1}.${lifecycle1}.${domain2}"; - user = user4; - }; - "${loc1}.dev" = { - hostname = "${loc1}.${lifecycle2}.${domain2}"; - user = user4; - }; - "${loc2}" = { - hostname = "${loc2}.${domain1}"; - user = user1Long; - }; - "${loc2}.stg" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "${loc2}.staging" = { - hostname = "${loc2}.${lifecycle1}.${domain2}"; - user = user1Long; - }; - "*.${domain1}" = { - user = user1Long; - }; - }; - }; - - firefox = { - profiles = - let - isDefault = false; - in - { - "${user1}" = lib.recursiveUpdate - { - inherit isDefault; - id = 1; - settings = { - "browser.startup.homepage" = "${site1}|${site2}"; - }; - } - vars.firefox; - "${user2}" = lib.recursiveUpdate - { - inherit isDefault; - id = 2; - settings = { - "browser.startup.homepage" = "${site3}"; - }; - } - vars.firefox; - "${user3}" = lib.recursiveUpdate - { - inherit isDefault; - id = 3; - } - vars.firefox; - work = lib.recursiveUpdate - { - inherit isDefault; - id = 4; - settings = { - "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; - }; - } - 
vars.firefox; - }; - }; - - chromium = { - enable = true; - package = pkgs.chromium; - - extensions = [ - # 1password - "gejiddohjgogedgjnonbofjigllpkmbf" - # dark reader - "eimadpbcbfnmbkopoojfekhnkhdbieeh" - # ublock origin - "cjpalhdlnbpafiamejdnhcphjbkeiagm" - # i still dont care about cookies - "edibdbjcniadpccecjdfdjjppcpchdlm" - # browserpass - "naepdomgkenhinolocfifgehidddafch" - ]; + sessionVariables = { + AWS_CA_BUNDLE = nixosConfig.sops.secrets.harica-root-ca.path; }; }; + systemd.user.sessionVariables = { + DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; + } // lib.optionalAttrs (!config.swarselsystems.isPublic) { + SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses; + SWARSEL_MAIL_WORK = lib.mkForce mailAddress; + }; - services = { - kanshi = { - settings = [ - { - # seminary room - output = { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; + accounts.email.accounts.work = + let + inherit (nixosConfig.repo.secrets.local.work) mailName; + in + { + primary = false; + address = mailAddress; + userName = mailAddress; + realName = mailName; + passwordCommand = "pizauth show work"; + imap = { + host = "outlook.office365.com"; + port = 993; + tls.enable = true; # SSL/TLS + }; + smtp = { + host = "outlook.office365.com"; + port = 587; + tls = { + enable = true; # SSL/TLS + useStartTls = true; }; - } - { - # work main screen - output = { - criteria = "HP Inc. 
HP 732pk CNC4080YL5"; - scale = 1.0; - mode = "3840x2160"; + }; + thunderbird = { + enable = true; + profiles = [ "default" ]; + settings = id: { + "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth + "mail.server.server_${id}.authMethod" = 10; # oauth + # "toolkit.telemetry.enabled" = false; + # "toolkit.telemetry.rejected" = true; + # "toolkit.telemetry.prompted" = 2; }; - } - { - # work side screen - output = { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "270"; + }; + msmtp = { + enable = true; + extraConfig = { + auth = "xoauth2"; + host = "outlook.office365.com"; + protocol = "smtp"; + port = "587"; + tls = "on"; + tls_starttls = "on"; + from = "${mailAddress}"; + user = "${mailAddress}"; + passwordeval = "pizauth show work"; }; - } - { - profile = { - name = "lidopen"; - exec = [ - "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" - ]; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "enable"; - scale = 1.5; - position = "1462,0"; - } - { - criteria = "HP Inc. 
HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "90"; - position = "-2480,0"; - } - ]; + }; + mu.enable = true; + mbsync = { + enable = true; + expunge = "both"; + patterns = [ "INBOX" ]; + extraConfig = { + account = { + AuthMechs = "XOAUTH2"; + }; }; - } - { - profile = + }; + }; + + # wayland.windowManager.sway.config = { + # output = { + # "Applied Creative Technology Transmitter QUATTRO201811" = { + # bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; + # }; + # "Hewlett Packard HP Z24i CN44250RDT" = { + # bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; + # }; + # "HP Inc. HP 732pk CNC4080YL5" = { + # bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; + # }; + # }; + # }; + + wayland.windowManager.sway = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress; + in + { + config = { + keybindings = let - monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + inherit (config.wayland.windowManager.sway.config) modifier; in { + "${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}"; + "${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}"; + }; + }; + }; + + stylix = { + targets.firefox.profileNames = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; + in + [ + "${user1}" + "${user2}" + "${user3}" + "work" + ]; + }; + + programs = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; + in + { + openstackclient = { + enable = true; + inherit clouds; + }; + awscli = { + enable = true; + package = pkgs.stable24_05.awscli2; + # 
settings = { + # "default" = { }; + # "profile s3-imagebuilder-prod" = { }; + # }; + # credentials = { + # "s3-imagebuilder-prod" = { + # aws_access_key_id = "5OYXY4879EJG9I91K1B6"; + # credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key"; + # }; + # }; + }; + git.settings.user.email = lib.mkForce gitMail; + + zsh = { + shellAliases = { + dssh = "ssh -l ${user1Long}"; + cssh = "ssh -l ${user2Long}"; + wssh = "ssh -l ${user3Long}"; + }; + cdpath = [ + "~/Documents/Work" + ]; + dirHashes = { + d = "$HOME/.dotfiles"; + w = "$HOME/Documents/Work"; + s = "$HOME/.dotfiles/secrets"; + pr = "$HOME/Documents/Private"; + ac = path1; + }; + + sessionVariables = { + VSPHERE_USER = "$(cat ${nixosConfig.sops.secrets.vcuser.path})"; + VSPHERE_PW = "$(cat ${nixosConfig.sops.secrets.vcpw.path})"; + GOVC_USERNAME = "$(cat ${nixosConfig.sops.secrets.govcuser.path})"; + GOVC_PASSWORD = "$(cat ${nixosConfig.sops.secrets.govcpw.path})"; + GOVC_URL = "$(cat ${nixosConfig.sops.secrets.govcurl.path})"; + GOVC_DATACENTER = "$(cat ${nixosConfig.sops.secrets.govcdc.path})"; + GOVC_DATASTORE = "$(cat ${nixosConfig.sops.secrets.govcds.path})"; + GOVC_HOST = "$(cat ${nixosConfig.sops.secrets.govchost.path})"; + GOVC_RESOURCE_POOL = "$(cat ${nixosConfig.sops.secrets.govcpool.path})"; + GOVC_NETWORK = "$(cat ${nixosConfig.sops.secrets.govcnetwork.path})"; + }; + }; + + ssh = { + matchBlocks = { + "${loc1}" = { + hostname = "${loc1}.${domain2}"; + user = user4; + }; + "${loc1}.stg" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.staging" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.dev" = { + hostname = "${loc1}.${lifecycle2}.${domain2}"; + user = user4; + }; + "${loc2}" = { + hostname = "${loc2}.${domain1}"; + user = user1Long; + }; + "${loc2}.stg" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "${loc2}.staging" = { + hostname = 
"${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "*.${domain1}" = { + user = user1Long; + }; + }; + }; + + firefox = { + profiles = + let + isDefault = false; + in + { + "${user1}" = lib.recursiveUpdate + { + inherit isDefault; + id = 1; + settings = { + "browser.startup.homepage" = "${site1}|${site2}"; + }; + } + vars.firefox; + "${user2}" = lib.recursiveUpdate + { + inherit isDefault; + id = 2; + settings = { + "browser.startup.homepage" = "${site3}"; + }; + } + vars.firefox; + "${user3}" = lib.recursiveUpdate + { + inherit isDefault; + id = 3; + } + vars.firefox; + work = lib.recursiveUpdate + { + inherit isDefault; + id = 4; + settings = { + "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; + }; + } + vars.firefox; + }; + }; + + chromium = { + enable = true; + package = pkgs.chromium; + + extensions = [ + # 1password + "gejiddohjgogedgjnonbofjigllpkmbf" + # dark reader + "eimadpbcbfnmbkopoojfekhnkhdbieeh" + # ublock origin + "cjpalhdlnbpafiamejdnhcphjbkeiagm" + # i still dont care about cookies + "edibdbjcniadpccecjdfdjjppcpchdlm" + # browserpass + "naepdomgkenhinolocfifgehidddafch" + ]; + }; + }; + + services = { + kanshi = { + settings = [ + { + # seminary room + output = { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + }; + } + { + # work main screen + output = { + criteria = "HP Inc. 
HP 732pk CNC4080YL5"; + scale = 1.0; + mode = "3840x2160"; + }; + } + { + # work side screen + output = { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + }; + } + { + profile = { name = "lidopen"; exec = [ "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'" + "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" ]; outputs = [ { criteria = config.swarselsystems.sharescreen; status = "enable"; - scale = 1.7; - position = "2560,0"; + scale = 1.5; + position = "1462,0"; } { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; + mode = "1920x1200"; + transform = "90"; + position = "-2480,0"; } ]; }; - } - { - profile = { - name = "lidclosed"; - exec = [ - "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. 
HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" - "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" - ]; - outputs = [ + } + { + profile = + let + monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + in { - criteria = config.swarselsystems.sharescreen; - status = "disable"; - } - { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "270"; - position = "-2480,0"; - } - ]; - }; - } - { - profile = - let - monitor = "Applied Creative Technology Transmitter QUATTRO201811"; - in - { + name = "lidopen"; + exec = [ + "${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'" + ]; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "enable"; + scale = 1.7; + position = "2560,0"; + } + { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + position = "10000,10000"; + } + ]; + }; + } + { + profile = { name = "lidclosed"; exec = [ - "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'HP Inc. 
HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/botanicswp.png --mode ${config.stylix.imageScalingMode}" + "${pkgs.swaybg}/bin/swaybg --output 'Hewlett Packard HP Z24i CN44250RDT' --image ${self}/files/wallpaper/op6wp.png --mode ${config.stylix.imageScalingMode}" ]; outputs = [ { 
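Review bot: The zsh `sessionVariables` block exports `VSPHERE_PW` and `GOVC_PASSWORD` through `$(cat …)`, so the decrypted values sit in the environment of every process started from the shell and can be read by anything able to inspect those processes. The hunk re-indents these lines and swaps the config source without changing that. Reading the secret only when the tool runs keeps it out of the session, for example a `shellAliases` entry such as `govc = "GOVC_PASSWORD=$(cat ${nixosConfig.sops.secrets.govcpw.path}) command govc";`. `CROC_PASS` and `GITHUB_TOKEN` in the earlier session-variable hunk follow the same pattern. The commented-out `aws_access_key_id` literal under `awscli` is also better deleted than carried through a re-indent.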
@@ -427,240 +397,271 @@ in status = "disable"; } { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; + mode = "1920x1200"; + transform = "270"; + position = "-2480,0"; } ]; }; - } - ]; - }; - }; - - systemd.user.services = { - pizauth.Service = { - ExecStartPost = [ - "${pkgs.toybox}/bin/sleep 1" - "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'" - ]; - }; - - teams-applet = { - Unit = { - Description = "teams applet"; - Requires = [ "tray.target" ]; - After = [ - "graphical-session.target" - "tray.target" + } + { + profile = + let + monitor = "Applied Creative Technology Transmitter QUATTRO201811"; + in + { + name = "lidclosed"; + exec = [ + "${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/navidrome.png --mode ${config.stylix.imageScalingMode}" + ]; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "disable"; + } + { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + position = "10000,10000"; + } + ]; + }; + } ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }; }; - onepassword-applet = { - Unit = { - Description = "1password applet"; - Requires = [ "tray.target" ]; - After = [ - "graphical-session.target" - "tray.target" + systemd.user.services = { + pizauth.Service = { + ExecStartPost = [ + "${pkgs.toybox}/bin/sleep 1" + "//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'" ]; - PartOf = [ "graphical-session.target" ]; }; - Install = { - WantedBy 
= [ "graphical-session.target" ]; - }; + teams-applet = { + Unit = { + Description = "teams applet"; + Requires = [ "tray.target" ]; + After = [ + "graphical-session.target" + "tray.target" + ]; + PartOf = [ "graphical-session.target" ]; + }; - Service = { - ExecStart = "${pkgs._1password-gui}/bin/1password"; - }; - }; + Install = { + WantedBy = [ "graphical-session.target" ]; + }; - }; - - services.pizauth = { - enable = true; - extraConfig = '' - auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; - error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; - token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"; - ''; - accounts = { - work = { - authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; - clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; - clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; - scopes = [ - "https://outlook.office365.com/IMAP.AccessAsUser.All" - "https://outlook.office365.com/SMTP.Send" - "offline_access" - ]; - loginHint = "${confLib.getConfig.repo.secrets.local.work.mailAddress}"; - }; - }; - - }; - - xdg = - let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3; - in - { - mimeApps = { - defaultApplications = { - "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; + Service = { + ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }; }; - desktopEntries = - let - terminal = false; - categories = [ "Application" ]; - icon = "firefox"; - in - { - firefox_work = { - name = "Firefox (work)"; - genericName = "Firefox work"; - exec = "firefox -p work"; - inherit terminal categories icon; - }; - "firefox_${user1}" = { - name = "Firefox (${user1})"; - genericName = "Firefox ${user1}"; - exec = 
"firefox -p ${user1}"; - inherit terminal categories icon; - }; - - "firefox_${user2}" = { - name = "Firefox (${user2})"; - genericName = "Firefox ${user2}"; - exec = "firefox -p ${user2}"; - inherit terminal categories icon; - }; - - "firefox_${user3}" = { - name = "Firefox (${user3})"; - genericName = "Firefox ${user3}"; - exec = "firefox -p ${user3}"; - inherit terminal categories icon; - }; - + onepassword-applet = { + Unit = { + Description = "1password applet"; + Requires = [ "tray.target" ]; + After = [ + "graphical-session.target" + "tray.target" + ]; + PartOf = [ "graphical-session.target" ]; }; + + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = "${pkgs._1password-gui}/bin/1password"; + }; + }; + }; - swarselsystems = { - startup = [ - # { command = "nextcloud --background"; } - # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; } - # { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } - # { command = "anki"; } - # { command = "obsidian"; } - # { command = "nm-applet"; } - # { command = "feishin"; } - # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; } - # { command = "1password"; } - ]; - monitors = { - work_back_middle = rec { - name = "LG Electronics LG Ultra HD 0x000305A6"; - mode = "2560x1440"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-10"; - output = name; - }; - work_front_left = rec { - name = "LG Electronics LG Ultra HD 0x0007AB45"; - mode = "3840x2160"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-7"; - output = name; - }; - work_back_right = rec { - name = "HP Inc. 
HP Z32 CN41212T55"; - mode = "3840x2160"; - scale = "1"; - position = "5120,0"; - workspace = "1:一"; - # output = "DP-3"; - output = name; - }; - work_middle_middle_main = rec { - name = "HP Inc. HP 732pk CNC4080YL5"; - mode = "3840x2160"; - scale = "1"; - position = "-1280,0"; - workspace = "11:M"; - # output = "DP-8"; - output = name; - }; - work_middle_middle_side = rec { - name = "Hewlett Packard HP Z24i CN44250RDT"; - mode = "1920x1200"; - transform = "270"; - scale = "1"; - position = "-2480,0"; - workspace = "12:S"; - # output = "DP-9"; - output = name; - }; - work_seminary = rec { - name = "Applied Creative Technology Transmitter QUATTRO201811"; - mode = "1280x720"; - scale = "1"; - position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse - workspace = "14:T"; - # output = "DP-4"; - output = name; + + services.pizauth = { + enable = true; + extraConfig = '' + auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; + error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; + token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"; + ''; + accounts = { + work = { + authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; + clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584"; + clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"; + scopes = [ + "https://outlook.office365.com/IMAP.AccessAsUser.All" + "https://outlook.office365.com/SMTP.Send" + "offline_access" + ]; + loginHint = "${nixosConfig.repo.secrets.local.work.mailAddress}"; + }; }; + }; - inputs = { - "1133:45081:MX_Master_2S_Keyboard" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; + + xdg = + let + inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3; + in + { + mimeApps = { + defaultApplications = { + "x-scheme-handler/msteams" = 
[ "teams-for-linux.desktop" ]; + }; + }; + desktopEntries = + let + terminal = false; + categories = [ "Application" ]; + icon = "firefox"; + in + { + firefox_work = { + name = "Firefox (work)"; + genericName = "Firefox work"; + exec = "firefox -p work"; + inherit terminal categories icon; + }; + "firefox_${user1}" = { + name = "Firefox (${user1})"; + genericName = "Firefox ${user1}"; + exec = "firefox -p ${user1}"; + inherit terminal categories icon; + }; + + "firefox_${user2}" = { + name = "Firefox (${user2})"; + genericName = "Firefox ${user2}"; + exec = "firefox -p ${user2}"; + inherit terminal categories icon; + }; + + "firefox_${user3}" = { + name = "Firefox (${user3})"; + genericName = "Firefox ${user3}"; + exec = "firefox -p ${user3}"; + inherit terminal categories icon; + }; + + + }; }; - # "2362:628:PIXA3854:00_093A:0274_Touchpad" = { - # dwt = "enabled"; - # tap = "enabled"; - # natural_scroll = "enabled"; - # middle_emulation = "enabled"; - # drag_lock = "disabled"; - # }; - "1133:50504:Logitech_USB_Receiver" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; + swarselsystems = { + startup = [ + # { command = "nextcloud --background"; } + # { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; } + # { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; } + # { command = "anki"; } + # { command = "obsidian"; } + # { command = "nm-applet"; } + # { command = "feishin"; } + # { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; } + # { command = "1password"; } + ]; + monitors = { + work_back_middle = rec { + name = "LG Electronics LG Ultra HD 0x000305A6"; + mode = "2560x1440"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-10"; + output = name; + }; + work_front_left = rec { + name = "LG Electronics LG 
Ultra HD 0x0007AB45"; + mode = "3840x2160"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-7"; + output = name; + }; + work_back_right = rec { + name = "HP Inc. HP Z32 CN41212T55"; + mode = "3840x2160"; + scale = "1"; + position = "5120,0"; + workspace = "1:一"; + # output = "DP-3"; + output = name; + }; + work_middle_middle_main = rec { + name = "HP Inc. HP 732pk CNC4080YL5"; + mode = "3840x2160"; + scale = "1"; + position = "-1280,0"; + workspace = "11:M"; + # output = "DP-8"; + output = name; + }; + work_middle_middle_side = rec { + name = "Hewlett Packard HP Z24i CN44250RDT"; + mode = "1920x1200"; + transform = "270"; + scale = "1"; + position = "-2480,0"; + workspace = "12:S"; + # output = "DP-9"; + output = name; + }; + work_seminary = rec { + name = "Applied Creative Technology Transmitter QUATTRO201811"; + mode = "1280x720"; + scale = "1"; + position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse + workspace = "14:T"; + # output = "DP-4"; + output = name; + }; }; - "1133:45944:MX_KEYS_S" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; + inputs = { + "1133:45081:MX_Master_2S_Keyboard" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + # "2362:628:PIXA3854:00_093A:0274_Touchpad" = { + # dwt = "enabled"; + # tap = "enabled"; + # natural_scroll = "enabled"; + # middle_emulation = "enabled"; + # drag_lock = "disabled"; + # }; + "1133:50504:Logitech_USB_Receiver" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + "1133:45944:MX_KEYS_S" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + }; + + }; + } // lib.optionalAttrs (inputs ? sops) { + sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { + harica-root-ca = { + sopsFile = certsSopsFile; + path = "${homeDir}/.aws/certs/harica-root.pem"; + owner = mainUser; }; }; - }; - } // lib.optionalAttrs (inputs ? 
sops) { - sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { - harica-root-ca = { - sopsFile = certsSopsFile; - path = "${homeDir}/.aws/certs/harica-root.pem"; - owner = mainUser; - }; - }; - - }; + }); } diff --git a/modules/nixos/optional/niri.nix b/modules/nixos/client/niri.nix similarity index 86% rename from modules/nixos/optional/niri.nix rename to modules/nixos/client/niri.nix index 80b5c5a..4724319 100644 --- a/modules/nixos/optional/niri.nix +++ b/modules/nixos/client/niri.nix @@ -1,11 +1,8 @@ -{ inputs, lib, config, pkgs, ... }: +{ lib, config, pkgs, ... }: let moduleName = "niri"; in { - imports = [ - inputs.niri-flake.nixosModules.niri - ]; options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings"; config = lib.mkIf config.swarselmodules.${moduleName} { diff --git a/modules/nixos/client/remotebuild.nix b/modules/nixos/client/remotebuild.nix deleted file mode 100644 index 0ce54c3..0000000 --- a/modules/nixos/client/remotebuild.nix +++ /dev/null 
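Review bot: `token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state"` in the pizauth `extraConfig` writes the daemon's token state to a file created with the session's default umask. As far as I know pizauth does not encrypt the dump, so the refresh token for the work mailbox may be readable by other local users. Creating the file owner-only is a one-line change, `token_event_cmd = "umask 077; pizauth dump > ${homeDir}/.pizauth.state";`, plus a one-off `chmod 600` for a file that already exists. The `ExecStartPost` restore in `systemd.user.services.pizauth` reads the same path, so the two must stay in step if the file is moved.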
@@ -1,85 +0,0 @@ -{ lib, config, globals, ... }: -let - inherit (config.swarselsystems) homeDir mainUser isClient; -in -{ - options.swarselmodules.remotebuild = lib.mkEnableOption "enable remote builds on this machine"; - config = lib.mkIf config.swarselmodules.remotebuild { - - sops.secrets = { - builder-key = lib.mkIf isClient { owner = mainUser; path = "${homeDir}/.ssh/builder"; mode = "0600"; }; - nixbuild-net-key = { owner = mainUser; path = "${homeDir}/.ssh/nixbuild-net"; mode = "0600"; }; - }; - - nix = { - settings.builders-use-substitutes = true; - distributedBuilds = true; - buildMachines = [ - (lib.mkIf isClient { - hostName = config.repo.secrets.common.builder1-ip; - system = "aarch64-linux"; - maxJobs = 20; - speedFactor = 10; - }) - (lib.mkIf isClient { - hostName = globals.hosts.belchsfactory.wanAddress4; - system = "aarch64-linux"; - maxJobs = 4; - speedFactor = 2; - protocol = "ssh-ng"; - }) - { - hostName = "eu.nixbuild.net"; - system = "x86_64-linux"; - maxJobs = 100; - speedFactor = 2; - supportedFeatures = [ "big-parallel" ]; - } - ]; - }; - programs.ssh = { - knownHosts = { - nixbuild = { - hostNames = [ "eu.nixbuild.net" ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM"; - }; - builder1 = lib.mkIf isClient { - hostNames = [ config.repo.secrets.common.builder1-ip ]; - publicKey = config.repo.secrets.common.builder1-pubHostKey; - }; - jump = lib.mkIf isClient { - hostNames = [ globals.hosts.liliputsteps.wanAddress4 ]; - publicKey = config.repo.secrets.common.jump-pubHostKey; - }; - builder2 = lib.mkIf isClient { - hostNames = [ globals.hosts.belchsfactory.wanAddress4 ]; - publicKey = config.repo.secrets.common.builder2-pubHostKey; - }; - }; - extraConfig = '' - Host eu.nixbuild.net - ConnectTimeout 1 - PubkeyAcceptedKeyTypes ssh-ed25519 - ServerAliveInterval 60 - IPQoS throughput - IdentityFile ${config.sops.secrets.nixbuild-net-key.path} - '' + lib.optionalString isClient '' - Host 
${config.repo.secrets.common.builder1-ip} - ConnectTimeout 1 - User ${mainUser} - IdentityFile ${config.sops.secrets.builder-key.path} - - Host ${globals.hosts.belchsfactory.wanAddress4} - ConnectTimeout 5 - ProxyJump ${globals.hosts.liliputsteps.wanAddress4} - User builder - IdentityFile ${config.sops.secrets.builder-key.path} - - Host ${globals.hosts.liliputsteps.wanAddress4} - ConnectTimeout 1 - User jump - IdentityFile ${config.sops.secrets.builder-key.path} - ''; - }; - }; -} diff --git a/modules/nixos/client/uwsm.nix b/modules/nixos/client/uwsm.nix index 5c9d66e..28888f0 100644 --- a/modules/nixos/client/uwsm.nix +++ b/modules/nixos/client/uwsm.nix @@ -13,7 +13,7 @@ in comment = "Sway compositor managed by UWSM"; binPath = "/run/current-system/sw/bin/sway"; }; - niri = lib.mkIf (config.swarselmodules ? niri) { + niri = { prettyName = "Niri"; comment = "Niri compositor managed by UWSM"; binPath = "/run/current-system/sw/bin/niri-session"; diff --git a/modules/nixos/common/globals.nix b/modules/nixos/common/globals.nix index 9cae3d7..b152069 100644 --- a/modules/nixos/common/globals.nix +++ b/modules/nixos/common/globals.nix @@ -82,8 +82,7 @@ let if netSubmod.config.cidrv6 == null then null else - # if we use the /32 wan address as local address directly, do not use the network address in ipv6 - lib.net.cidr.hostCidr (if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id) netSubmod.config.cidrv6; + lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6; }; }; }) @@ -197,10 +196,6 @@ in main = mkOption { type = types.str; }; - externalDns = mkOption { - type = types.listOf types.str; - description = "List of external dns nameservers"; - }; }; }; }; diff --git a/modules/nixos/common/home-manager-secrets.nix b/modules/nixos/common/home-manager-secrets.nix index f853132..d55fac5 100644 --- a/modules/nixos/common/home-manager-secrets.nix +++ b/modules/nixos/common/home-manager-secrets.nix 
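Review bot: The `niri` entry in uwsm.nix is now registered unconditionally, so a host that does not enable niri still gets a UWSM session whose `binPath` (`/run/current-system/sw/bin/niri-session`) may not exist. The removed guard `config.swarselmodules ? niri` only tested whether the option was declared, not its value. Gating on the value instead, `niri = lib.mkIf config.swarselmodules.niri {`, would keep the session entry in step with the module, assuming the `swarselmodules.niri` option from niri.nix is imported wherever uwsm.nix is. The surrounding attribute set starts outside the hunk.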
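Review bot: In the first globals.nix hunk, a host whose `id` is 0 is now passed straight to `lib.net.cidr.hostCidr`, which according to the removed comment yields the network address of `cidrv6` rather than a usable host address. Whether any host still uses id 0 is not visible here. If none does, record that next to the call, e.g. `# host ids start at 1; id 0 would map to the network address of cidrv6`, or back it with an assertion on `hostSubmod.config.id` so a later id-0 host fails at evaluation instead of getting a wrong address.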
@@ -25,7 +25,7 @@ in }) // (lib.optionalAttrs modules.emacs { emacs-radicale-pw = { owner = mainUser; }; github-forge-token = { owner = mainUser; }; - }) // (lib.optionalAttrs (modules ? optional-work) { + }) // (lib.optionalAttrs modules.optional.work { harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; }) // (lib.optionalAttrs modules.anki { anki-user = { owner = mainUser; }; diff --git a/modules/nixos/common/nodes.nix b/modules/nixos/common/nodes.nix index fe667aa..a2d1ad7 100644 --- a/modules/nixos/common/nodes.nix +++ b/modules/nixos/common/nodes.nix @@ -34,11 +34,6 @@ let "nginx" "virtualHosts" ] - [ - "swarselsystems" - "server" - "dns" - ] ]; attrsForEachOption = diff --git a/modules/nixos/common/settings.nix b/modules/nixos/common/settings.nix index 2ab4bbe..52fe175 100644 --- a/modules/nixos/common/settings.nix +++ b/modules/nixos/common/settings.nix @@ -59,8 +59,8 @@ in config = lib.mkIf config.swarselmodules.general (lib.recursiveUpdate { - sops.secrets = lib.mkIf (!minimal) { - github-api-token = { owner = mainUser; }; + sops.secrets.github-api-token = lib.mkIf (!minimal) { + owner = mainUser; }; nix = @@ -83,11 +83,7 @@ in trusted-public-keys = [ atticPublicKey ]; - trusted-users = [ - "@wheel" - "${config.swarselsystems.mainUser}" - (lib.mkIf config.swarselmodules.server.ssh-builder "builder") - ]; + trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ]; }; # extraOptions = '' # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins diff --git a/modules/nixos/optional/amdcpu.nix b/modules/nixos/optional/amdcpu.nix index 64ea60d..9051b9d 100644 --- a/modules/nixos/optional/amdcpu.nix +++ b/modules/nixos/optional/amdcpu.nix @@ -1,6 +1,7 @@ -_: +{ lib, config, ... }: { - config = { + options.swarselmodules.optional.amdcpu = lib.mkEnableOption "optional amd cpu settings"; + config = lib.mkIf config.swarselmodules.optional.amdcpu { hardware = { cpu.amd.updateMicrocode = true; }; 
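Review bot: `modules.optional.work` is read without a fallback, so evaluation aborts with a missing-attribute error on any configuration where `modules.optional` or its `work` attribute is absent, whereas the old `modules ? optional-work` test could not fail. How `modules` is populated is not visible in this hunk. If the attribute is not guaranteed on every host, `(lib.optionalAttrs (modules.optional.work or false) {` keeps the `harica-root-ca` secret conditional without breaking the others.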
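Review bot: The rewritten `trusted-users` line in settings.nix deserves a comment, because every name on it can direct the Nix daemon in ways that amount to root on the machine. Dropping `builder` narrows the list, but `@wheel` and the main user remain. A line such as `# trusted-users are root-equivalent for the nix daemon; keep this list minimal` above it records why the list should not grow. The interpolation is presumably redundant as well: `config.swarselsystems.mainUser` without the quotes and `${}` gives the same string.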
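Review bot: `hardware.cpu.amd.updateMicrocode = true` in amdcpu.nix now takes effect only where `swarselmodules.optional.amdcpu` is set, and `lib.mkEnableOption` defaults to false, so a host that previously got microcode updates just by importing this file loses them silently unless its configuration sets the new option. The host configurations are not part of this hunk, so this may already be handled. The same applies to the other modules gated this way in this commit (amdgpu, framework, gaming, hibernation, nswitch-rcm, virtualbox, vmware, work). A header comment like `# enable per host with swarselmodules.optional.amdcpu = true;` in each file would make the new requirement visible where the settings live.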
diff --git a/modules/nixos/optional/amdgpu.nix b/modules/nixos/optional/amdgpu.nix index f81461c..7af14c6 100644 --- a/modules/nixos/optional/amdgpu.nix +++ b/modules/nixos/optional/amdgpu.nix @@ -1,6 +1,7 @@ -_: +{ lib, config, ... }: { - config = { + options.swarselmodules.optional.amdgpu = lib.mkEnableOption "optional amd gpu settings"; + config = lib.mkIf config.swarselmodules.optional.amdgpu { hardware = { amdgpu = { opencl.enable = true; diff --git a/modules/nixos/server/btrfs.nix b/modules/nixos/optional/btrfs.nix similarity index 100% rename from modules/nixos/server/btrfs.nix rename to modules/nixos/optional/btrfs.nix diff --git a/modules/nixos/optional/framework.nix b/modules/nixos/optional/framework.nix index cade27e..5f0d00d 100644 --- a/modules/nixos/optional/framework.nix +++ b/modules/nixos/optional/framework.nix @@ -1,13 +1,7 @@ -{ self, config, ... }: +{ lib, config, ... }: { - config = { - - home-manager.users."${config.swarselsystems.mainUser}" = { - imports = [ - "${self}/modules/home/optional/framework.nix" - ]; - }; - + options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings"; + config = lib.mkIf config.swarselmodules.optional.framework { services = { fwupd = { enable = true; diff --git a/modules/nixos/optional/gaming.nix b/modules/nixos/optional/gaming.nix index 09dcec1..5f28872 100644 --- a/modules/nixos/optional/gaming.nix +++ b/modules/nixos/optional/gaming.nix @@ -1,13 +1,7 @@ -{ self, pkgs, config, ... }: +{ pkgs, lib, config, ... }: { - config = { - - home-manager.users."${config.swarselsystems.mainUser}" = { - imports = [ - "${self}/modules/home/optional/gaming.nix" - ]; - }; - + options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings"; + config = lib.mkIf config.swarselmodules.optional.gaming { programs.steam = { enable = true; package = pkgs.steam; 
diff --git a/modules/nixos/optional/hibernation.nix b/modules/nixos/optional/hibernation.nix index 29c9675..d6f0758 100644 --- a/modules/nixos/optional/hibernation.nix +++ b/modules/nixos/optional/hibernation.nix @@ -1,5 +1,6 @@ { lib, config, ... }: { + options.swarselmodules.optional.hibernation = lib.mkEnableOption "optional amd gpu settings"; options.swarselsystems = { hibernation = { offset = lib.mkOption { @@ -12,7 +13,7 @@ }; }; }; - config = { + config = lib.mkIf config.swarselmodules.optional.hibernation { boot = { kernelParams = [ "resume_offset=${builtins.toString config.swarselsystems.hibernation.offset}" diff --git a/modules/nixos/optional/microvm-guest.nix b/modules/nixos/optional/microvm-guest.nix index a90a2cf..8650fbc 100644 --- a/modules/nixos/optional/microvm-guest.nix +++ b/modules/nixos/optional/microvm-guest.nix @@ -1,9 +1,11 @@ -_: +{ lib, config, ... }: { + options.swarselmodules.optional.microvmGuest = lib.mkEnableOption "optional microvmGuest settings"; # imports = [ # inputs.microvm.nixosModules.microvm + # "${self}/profiles/nixos" + # "${self}/modules/nixos" # ]; - - config = + config = lib.mkIf config.swarselmodules.optional.microvmGuest { }; } diff --git a/modules/nixos/optional/microvm-host.nix b/modules/nixos/optional/microvm-host.nix index 2948824..97a9059 100644 --- a/modules/nixos/optional/microvm-host.nix +++ b/modules/nixos/optional/microvm-host.nix @@ -1,7 +1,10 @@ -{ config, lib, ... }: +{ lib, config, ... }: { + options = { + swarselmodules.optional.microvmHost = lib.mkEnableOption "optional microvmHost settings"; + }; # imports = [ - # inputs.microvm.nixosModules.host + # inputs.microvm.nixosModules.host # ]; config = lib.mkIf (config.guests != { }) { diff --git a/modules/nixos/optional/nswitch-rcm.nix b/modules/nixos/optional/nswitch-rcm.nix index 00fb2c1..3af88db 100644 --- a/modules/nixos/optional/nswitch-rcm.nix +++ b/modules/nixos/optional/nswitch-rcm.nix 
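Review bot: The description of the new hibernation option was copied from amdgpu.nix: `lib.mkEnableOption "optional amd gpu settings"` will show up in generated option docs and error messages as the text for `swarselmodules.optional.hibernation`. It should read `options.swarselmodules.optional.hibernation = lib.mkEnableOption "optional hibernation settings";`. The second hunk of this file gates `config` on that option and is otherwise fine.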
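Review bot: In microvm-host.nix the new `swarselmodules.optional.microvmHost` option is declared, but the `config` line visible at the end of the hunk is still `lib.mkIf (config.guests != { })`, so setting the option to false does not appear to disable anything. If the option is meant to gate the host settings like the other optional modules, the condition would be `config = lib.mkIf (config.swarselmodules.optional.microvmHost && config.guests != { }) {`. The body of `config` continues outside the hunk, so the option may be consulted further down.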
@@ -1,6 +1,7 @@ -{ pkgs, ... }: +{ lib, config, pkgs, ... }: { - config = { + options.swarselmodules.optional.nswitch-rcm = lib.mkEnableOption "optional nswitch-rcm settings"; + config = lib.mkIf config.swarselmodules.optional.nswitch-rcm { services.nswitch-rcm = { enable = true; package = pkgs.fetchurl { diff --git a/modules/nixos/optional/systemd-networkd-server.nix b/modules/nixos/optional/systemd-networkd-server.nix deleted file mode 100644 index 059072b..0000000 --- a/modules/nixos/optional/systemd-networkd-server.nix +++ /dev/null @@ -1,50 +0,0 @@ -{ lib, config, globals, ... }: -{ - networking = { - useDHCP = lib.mkForce false; - useNetworkd = true; - dhcpcd.enable = false; - renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) ( - config.repo.secrets.local.networking.networks or { } - ); - }; - boot.initrd.systemd.network = { - enable = true; - networks."10-${config.swarselsystems.server.localNetwork}" = config.systemd.network.networks."10-${config.swarselsystems.server.localNetwork}"; - }; - - systemd = { - network = { - enable = true; - wait-online.enable = false; - networks = - let - netConfig = config.repo.secrets.local.networking; - in - { - "10-${config.swarselsystems.server.localNetwork}" = { - address = [ - "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv4}" - "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv6}" - ]; - routes = [ - { - Gateway = netConfig.defaultGateway6; - GatewayOnLink = true; - } - { - Gateway = netConfig.defaultGateway4; - GatewayOnLink = true; - } - ]; - networkConfig = { - IPv6PrivacyExtensions = true; - IPv6AcceptRA = false; - }; - matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac; - linkConfig.RequiredForOnline = "routable"; - }; - }; - }; - }; -} diff --git a/modules/nixos/optional/uni.nix b/modules/nixos/optional/uni.nix deleted file mode 100644 index 1edf3b4..0000000 
--- a/modules/nixos/optional/uni.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ self, config, ... }: -{ - config = { - - home-manager.users."${config.swarselsystems.mainUser}" = { - imports = [ - "${self}/modules/home/optional/work.nix" - ]; - }; - }; -} diff --git a/modules/nixos/optional/virtualbox.nix b/modules/nixos/optional/virtualbox.nix index 2d70471..dc5aa61 100644 --- a/modules/nixos/optional/virtualbox.nix +++ b/modules/nixos/optional/virtualbox.nix @@ -1,6 +1,7 @@ { lib, config, pkgs, ... }: { - config = { + options.swarselmodules.optional.virtualbox = lib.mkEnableOption "optional VBox settings"; + config = lib.mkIf config.swarselmodules.optional.virtualbox { # specialisation = { # VBox.configuration = { virtualisation.virtualbox = { diff --git a/modules/nixos/optional/vmware.nix b/modules/nixos/optional/vmware.nix index d79ff04..4236080 100644 --- a/modules/nixos/optional/vmware.nix +++ b/modules/nixos/optional/vmware.nix @@ -1,7 +1,8 @@ -_: +{ lib, config, ... }: { - config = { + options.swarselmodules.optional.vmware = lib.mkEnableOption "optional vmware settings"; + config = lib.mkIf config.swarselmodules.optional.vmware { virtualisation.vmware.host.enable = true; virtualisation.vmware.guest.enable = true; }; diff --git a/modules/nixos/optional/work.nix b/modules/nixos/optional/work.nix index ccfbe7a..edec1bb 100644 --- a/modules/nixos/optional/work.nix +++ b/modules/nixos/optional/work.nix @@ -1,4 +1,4 @@ -{ self, lib, pkgs, config, ... }: +{ self, lib, pkgs, config, configName, ... }: let inherit (config.swarselsystems) mainUser homeDir; iwd = config.networking.networkmanager.wifi.backend == "iwd"; 
@@ -6,24 +6,18 @@ let sopsFile = self + /secrets/work/secrets.yaml; in { + options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings"; options.swarselsystems = { hostName = lib.mkOption { type = lib.types.str; - default = config.node.name; + default = configName; }; fqdn = lib.mkOption { type = lib.types.str; default = ""; }; }; - config = { - - home-manager.users."${config.swarselsystems.mainUser}" = { - imports = [ - "${self}/modules/home/optional/work.nix" - ]; - }; - + config = lib.mkIf config.swarselmodules.optional.work { sops = let secretNames = [ diff --git a/modules/nixos/server/ankisync.nix b/modules/nixos/server/ankisync.nix index 6c283b3..f9ca2cd 100644 --- a/modules/nixos/server/ankisync.nix +++ b/modules/nixos/server/ankisync.nix @@ -9,7 +9,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/attic.nix b/modules/nixos/server/attic.nix index 3cd0a69..0a2f005 100644 --- a/modules/nixos/server/attic.nix +++ b/modules/nixos/server/attic.nix @@ -10,7 +10,7 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/atuin.nix b/modules/nixos/server/atuin.nix index ab782c8..9cb6747 100644 --- a/modules/nixos/server/atuin.nix 
+++ b/modules/nixos/server/atuin.nix @@ -6,7 +6,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/bastion.nix b/modules/nixos/server/bastion.nix deleted file mode 100644 index 3d797d7..0000000 --- a/modules/nixos/server/bastion.nix +++ /dev/null 
@@ -1,67 +0,0 @@ -{ self, lib, config, ... }: -{ - options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server"; - config = lib.mkIf config.swarselmodules.server.bastion { - - users = { - groups = { - jump = { }; - }; - users = { - "jump" = { - isNormalUser = true; - useDefaultShell = true; - group = lib.mkForce "jump"; - createHome = lib.mkForce true; - openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - (self + /secrets/keys/ssh/builder.pub) - ]; - }; - }; - }; - - - services.openssh = { - enable = true; - startWhenNeeded = lib.mkForce false; - authorizedKeysInHomedir = false; - extraConfig = '' - Match User jump - PermitTTY no - X11Forwarding no - PermitTunnel no - GatewayPorts no - AllowAgentForwarding no - ''; - settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - PermitRootLogin = lib.mkDefault "no"; - AllowUsers = [ - "jump" - ]; - }; - hostKeys = lib.mkIf (!config.swarselmodules.server.ssh) [ - { - path = "/etc/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - ]; - }; - - home-manager.users.jump.config = { - home.stateVersion = lib.mkDefault "23.05"; - programs.ssh = { - enable = true; - enableDefaultConfig = false; - matchBlocks = { - "*" = { - forwardAgent = false; - }; - } // config.repo.secrets.local.ssh.hosts; - }; - }; - }; -} diff --git a/modules/nixos/server/croc.nix b/modules/nixos/server/croc.nix index bc15734..67e2508 100644 --- a/modules/nixos/server/croc.nix +++ b/modules/nixos/server/croc.nix 
@@ -17,7 +17,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/disk-encrypt.nix b/modules/nixos/server/disk-encrypt.nix index 54e678a..61fb055 100644 --- a/modules/nixos/server/disk-encrypt.nix +++ b/modules/nixos/server/disk-encrypt.nix @@ -1,7 +1,7 @@ { self, pkgs, lib, config, globals, minimal, ... }: let - localIp = globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4; - subnetMask = globals.networks.${config.swarselsystems.server.netConfigName}.subnetMask4; + localIp = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4; + subnetMask = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".subnetMask4; gatewayIp = globals.hosts.${config.node.name}.defaultGateway4; hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key"; @@ -36,7 +36,7 @@ in files = [ hostKeyPathBase ]; }; - boot = lib.mkIf (!config.swarselsystems.isClient) { + boot = lib.mkIf (!config.swarselsystems.isLaptop) { kernelParams = lib.mkIf (!config.swarselsystems.isCloud) [ "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" ]; diff --git a/modules/nixos/server/firefly-iii.nix b/modules/nixos/server/firefly-iii.nix index b97ba94..dc5eece 100644 --- a/modules/nixos/server/firefly-iii.nix +++ b/modules/nixos/server/firefly-iii.nix 
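Review bot: The network key is now written out in full for both `localIp` and `subnetMask` in disk-encrypt.nix, and the same expression is repeated in garage.nix (`rpc_public_addr`) and network.nix, replacing the single `netConfigName` option this commit removes. Four copies of an `if isCloud` string make it easy for one of them to drift. A local binding in this `let`, `netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}";`, followed by `localIp = globals.networks.${netName}.hosts.${config.node.name}.ipv4;`, keeps each file to one copy.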
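Review bot: Changing the guard on `boot` from `!isClient` to `!isLaptop` in the second disk-encrypt.nix hunk applies the block to every non-laptop client as well as to servers. The block sets a static `ip=` kernel parameter, and the file defines an initrd SSH host key path (`hostKeyPathBase`), so if the part of the block outside this hunk starts an initrd SSH service for remote unlock, stationary clients now expose it during boot too. If that is intended, a comment on the condition such as `# initrd network unlock: servers and stationary clients, never laptops` would make the scope explicit.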
@@ -11,7 +11,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/forgejo.nix b/modules/nixos/server/forgejo.nix index d9d4123..f1f029d 100644 --- a/modules/nixos/server/forgejo.nix +++ b/modules/nixos/server/forgejo.nix @@ -9,7 +9,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/freshrss.nix b/modules/nixos/server/freshrss.nix index d136f6c..75787b4 100644 --- a/modules/nixos/server/freshrss.nix +++ b/modules/nixos/server/freshrss.nix @@ -8,7 +8,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/garage.nix b/modules/nixos/server/garage.nix index b84fb50..1f3f410 100644 
--- a/modules/nixos/server/garage.nix +++ b/modules/nixos/server/garage.nix @@ -54,11 +54,11 @@ in assertions = [ { assertion = config.swarselsystems.server.${serviceName}.buckets != [ ]; - message = "If Garage is enabled, at least one bucket must be specified in swarselsystems.server.${serviceName}.buckets"; + message = "If Garage is enabled, at least one bucket must be specified in atro.garage.buckets"; } { assertion = builtins.length (lib.attrsToList config.swarselsystems.server.${serviceName}.keys) > 0; - message = "If Garage is enabled, at least one key must be specified in swarselsystems.server.${serviceName}.keys"; + message = "If Garage is enabled, at least one key must be specified in atro.garage.keys"; } { assertion = @@ -71,7 +71,7 @@ in } ]; - nodes.stoicclub.swarselsystems.server.dns.${baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${baseDomain}.subdomainRecords = { "${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; "${subDomain}admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6; "${subDomain}web" = dns.lib.combinators.host proxyAddress4 proxyAddress6; @@ -121,7 +121,7 @@ in rpc_bind_addr = "[::]:${builtins.toString garageRpcPort}"; # we are not joining our nodes, just use the private ipv4 - rpc_public_addr = "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}"; + rpc_public_addr = "${globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}"; rpc_secret_file = config.sops.secrets.garage-rpc-secret.path; diff --git a/modules/nixos/server/homebox.nix b/modules/nixos/server/homebox.nix index 1d1c9ea..065454d 100644 --- a/modules/nixos/server/homebox.nix +++ b/modules/nixos/server/homebox.nix 
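Review bot: The two assertion messages in the first garage.nix hunk now point at `atro.garage.buckets` and `atro.garage.keys`, but the assertions themselves check `config.swarselsystems.server.${serviceName}.buckets` and `.keys`, so a failing evaluation will send the reader to an option path that this module does not define. The messages should name the checked options again, e.g. `message = "If Garage is enabled, at least one bucket must be specified in swarselsystems.server.${serviceName}.buckets";` and the same for `keys`.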
@@ -6,7 +6,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/immich.nix b/modules/nixos/server/immich.nix index 674ce80..455a9e5 100644 --- a/modules/nixos/server/immich.nix +++ b/modules/nixos/server/immich.nix @@ -6,7 +6,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/jellyfin.nix b/modules/nixos/server/jellyfin.nix index b5c078f..5a2899b 100644 --- a/modules/nixos/server/jellyfin.nix +++ b/modules/nixos/server/jellyfin.nix @@ -6,7 +6,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/jenkins.nix b/modules/nixos/server/jenkins.nix index f6bc9b1..20c7e25 100644 
--- a/modules/nixos/server/jenkins.nix +++ b/modules/nixos/server/jenkins.nix @@ -6,7 +6,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix index 5bb4472..ba4e8f8 100644 --- a/modules/nixos/server/kanidm.nix +++ b/modules/nixos/server/kanidm.nix @@ -31,7 +31,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/kavita.nix b/modules/nixos/server/kavita.nix index bc5decd..8da5e2e 100644 --- a/modules/nixos/server/kavita.nix +++ b/modules/nixos/server/kavita.nix @@ -11,7 +11,7 @@ in calibre ]; - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/koillection.nix b/modules/nixos/server/koillection.nix index 1c89adf..d6c6f89 100644 --- a/modules/nixos/server/koillection.nix +++ b/modules/nixos/server/koillection.nix 
@@ -14,7 +14,7 @@ in config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; sops.secrets = { diff --git a/modules/nixos/server/mailserver.nix b/modules/nixos/server/mailserver.nix index 06270b2..a19777b 100644 --- a/modules/nixos/server/mailserver.nix +++ b/modules/nixos/server/mailserver.nix @@ -11,7 +11,7 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/matrix.nix b/modules/nixos/server/matrix.nix index 24b4865..02f0d60 100644 --- a/modules/nixos/server/matrix.nix +++ b/modules/nixos/server/matrix.nix @@ -20,7 +20,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/microbin.nix b/modules/nixos/server/microbin.nix index 06b830f..8e5517f 100644 --- a/modules/nixos/server/microbin.nix +++ b/modules/nixos/server/microbin.nix 
@@ -10,7 +10,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/minecraft/default.nix b/modules/nixos/server/minecraft/default.nix index dbb7d27..bc90c47 100644 --- a/modules/nixos/server/minecraft/default.nix +++ b/modules/nixos/server/minecraft/default.nix @@ -8,7 +8,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix index 4a115a5..ac7f5af 100644 --- a/modules/nixos/server/monitoring.nix +++ b/modules/nixos/server/monitoring.nix @@ -16,7 +16,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; 
diff --git a/modules/nixos/server/navidrome.nix b/modules/nixos/server/navidrome.nix index e64dfd1..2abd922 100644 --- a/modules/nixos/server/navidrome.nix +++ b/modules/nixos/server/navidrome.nix @@ -6,7 +6,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/network.nix b/modules/nixos/server/network.nix index 91e9608..4ef8d14 100644 --- a/modules/nixos/server/network.nix +++ b/modules/nixos/server/network.nix 
@@ -1,40 +1,28 @@ { lib, config, ... }: let - netConfig = config.repo.secrets.local.networking; - netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}"; + inherit (config.swarselsystems.server) localNetwork; in { - options = { - swarselmodules.server.network = lib.mkEnableOption "enable server network config"; - swarselsystems.server = { - localNetwork = lib.mkOption { - type = lib.types.str; - default = ""; - }; - netConfigName = lib.mkOption { - type = lib.types.str; - default = netName; - readOnly = true; - }; - }; + options.swarselmodules.server.network = lib.mkEnableOption "enable server network config"; + options.swarselsystems.server.localNetwork = lib.mkOption { + type = lib.types.str; + default = "home"; }; config = lib.mkIf config.swarselmodules.server.network { - swarselsystems.server.localNetwork = netConfig.localNetwork or ""; - - globals.networks.${netName}.hosts.${config.node.name} = { - inherit (netConfig.networks.${netConfig.localNetwork}) id; - mac = netConfig.networks.${netConfig.localNetwork}.mac or null; + globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}".hosts.${config.node.name} = { + inherit (config.repo.secrets.local.networking.networks.${localNetwork}) id; + mac = config.repo.secrets.local.networking.networks.${localNetwork}.mac or null; }; globals.hosts.${config.node.name} = { inherit (config.repo.secrets.local.networking) defaultGateway4; - wanAddress4 = netConfig.wanAddress4 or null; - wanAddress6 = netConfig.wanAddress6 or null; + wanAddress4 = config.repo.secrets.local.networking.wanAddress4 or null; + wanAddress6 = config.repo.secrets.local.networking.wanAddress6 or null; }; networking = { - inherit (netConfig) hostId; + inherit (config.repo.secrets.local.networking) hostId; hostName = config.node.name; nftables.enable = lib.mkDefault false; enableIPv6 = lib.mkDefault true; 
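Review bot: The network key `"${if config.swarselsystems.isCloud then config.node.name else "home"}-${localNetwork}"` is now written out inline here and again in `addressDefault` in `modules/shared/config-lib.nix`, replacing the single read-only `netConfigName` option. If the two copies drift, a host registers under one network name and is looked up under another. Keeping the read-only option, or one shared helper, removes that risk. `localNetwork` also now defaults to `"home"` instead of being read from the host's secrets, so `inherit (…networks.${localNetwork}) id` fails evaluation for any host whose secrets lack a `home` network. A `description` on the option stating that requirement would help.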
diff --git a/modules/nixos/server/nextcloud.nix b/modules/nixos/server/nextcloud.nix index aac65d8..f313593 100644 --- a/modules/nixos/server/nextcloud.nix +++ b/modules/nixos/server/nextcloud.nix @@ -10,7 +10,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix index a869b23..a321c21 100644 --- a/modules/nixos/server/nginx.nix +++ b/modules/nixos/server/nginx.nix @@ -1,6 +1,6 @@ { pkgs, lib, config, ... }: let - inherit (config.repo.secrets.common) dnsProvider dnsBase; + inherit (config.repo.secrets.common) dnsProvider; inherit (config.repo.secrets.common.mail) address3; serviceUser = "nginx"; @@ -63,12 +63,9 @@ in ]; sops = { - secrets = { - acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; - }; + secrets.acme-dns-token = { inherit (config.swarselsystems) sopsFile; }; templates."certs.secret".content = '' - ACME_DNS_API_BASE=${dnsBase} - ACME_DNS_STORAGE_PATH=${config.sops.placeholder.acme-dns-token} + CF_DNS_API_TOKEN=${config.sops.placeholder.acme-dns-token} ''; }; diff --git a/modules/nixos/server/nsd/default.nix b/modules/nixos/server/nsd/default.nix index 6e79fad..d10179b 100644 --- a/modules/nixos/server/nsd/default.nix +++ b/modules/nixos/server/nsd/default.nix 
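Review bot: In the `certs.secret` template the secret still called `acme-dns-token` now feeds `CF_DNS_API_TOKEN`, which changes what a leak of that file costs. The acme-dns credential it replaces could only update a challenge record, whereas a Cloudflare API token can edit every record in each zone it is scoped to. I would rename the secret to match its content and add a comment next to the template line, for example `# Cloudflare token: restrict to DNS edit on the single zone used for ACME`. The hunk also assumes `dnsProvider` in the repo secrets selects the Cloudflare provider; that value is not visible here, so please confirm it. The `sops` block sits inside a `config` body that starts outside the hunk.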
@@ -1,7 +1,10 @@ -{ lib, config, globals, dns, confLib, ... }: +{ inputs, lib, config, globals, dns, confLib, ... }: let - inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName servicePort proxyAddress4 proxyAddress6; - inherit (config.swarselsystems) sopsFile; + inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName; + # servicePort = 53; + # serviceDomain = config.repo.secrets.common.services.domains."${serviceName}"; + # serviceAddress = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4; + in { options = { @@ -11,7 +14,7 @@ in lib.types.submodule { options = { subdomainRecords = lib.mkOption { - type = lib.types.attrsOf dns.lib.types.subzone; + type = lib.types.attrsOf inputs.dns.subzone; default = { }; }; }; 
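Review bot: `lib.types.attrsOf inputs.dns.subzone` in the `subdomainRecords` option looks wrong. The removed line took the type from the library, `dns.lib.types.subzone`, and every other module in this diff reaches the library through `dns.lib` (`dns.lib.combinators.host`, `dns.lib.toString`). A top-level `subzone` attribute on the flake input is not shown anywhere on this page and is unlikely to exist. If it does not, the option fails at evaluation. Unless the input really exports it, keep `type = lib.types.attrsOf dns.lib.types.subzone;` and drop the new `inputs` argument, which nothing else in the visible lines uses.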
@@ -20,69 +23,14 @@ in }; }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - - sops.secrets = { - tsig-key = { inherit sopsFile; }; - }; - - # services.resolved.enable = false; - networking = { - # nameservers = [ "1.1.1.1" "8.8.8.8" ]; - firewall = { - allowedUDPPorts = [ servicePort ]; - allowedTCPPorts = [ servicePort ]; - }; - }; - services.nsd = { enable = true; - keys = { - "${globals.domains.main}.${proxyAddress4}" = { - algorithm = "hmac-sha256"; - keyFile = config.sops.secrets.tsig-key.path; - }; - "${globals.domains.main}.${proxyAddress6}" = { - algorithm = "hmac-sha256"; - keyFile = config.sops.secrets.tsig-key.path; - }; - "${globals.domains.main}" = { - algorithm = "hmac-sha256"; - keyFile = config.sops.secrets.tsig-key.path; - }; - }; - interfaces = [ - "10.1.2.157" - "2603:c020:801f:a0cc::9d" - ]; zones = { - "${globals.domains.main}" = - let - keyName4 = "${globals.domains.main}.${proxyAddress4}"; - keyName6 = "${globals.domains.main}.${proxyAddress6}"; - keyName = "${globals.domains.main}"; - transferList = [ - "213.239.242.238 ${keyName4}" - "2a01:4f8:0:a101::a:1 ${keyName6}" - "213.133.100.103 ${keyName4}" - "2a01:4f8:0:1::5ddc:2 ${keyName6}" - "193.47.99.3 ${keyName4}" - "2001:67c:192c::add:a3 ${keyName6}" - ]; - - in - { - outgoingInterface = "2603:c020:801f:a0cc::9d"; - notify = transferList ++ [ - "216.218.130.2 ${keyName}" - ]; - provideXFR = transferList ++ [ - "216.218.133.2 ${keyName}" - "2001:470:600::2 ${keyName}" - ]; - - # dnssec = true; - data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns proxyAddress4 proxyAddress6; }); - }; + "${globals.domains.main}" = { + # provideXFR = [ ... ]; + # notify = [ ... ]; + data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns; }); + }; }; }; diff --git a/modules/nixos/server/nsd/site1.nix b/modules/nixos/server/nsd/site1.nix index 8cf0deb..925bbf8 100644 
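Review bot: After this hunk `services.nsd` has no `interfaces`, no firewall rule for port 53 and no transfer configuration, while `site1.nix` still advertises external secondaries in `NS`. Those secondaries can no longer fetch the zone, and the server binds to whatever the module defaults are. The two placeholders `# provideXFR = [ ... ];` and `# notify = [ ... ];` also lose the information that each entry was bound to a TSIG key from `sops.secrets.tsig-key`. I would spell that out so a later re-enable does not fall back to address-only ACLs: `# provideXFR/notify: "<secondary-ip> <tsig-key-name>" entries only, never NOKEY`. If this host is meant to be a hidden or local-only primary, a one-line comment saying so would explain the missing firewall ports.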
--- a/modules/nixos/server/nsd/site1.nix +++ b/modules/nixos/server/nsd/site1.nix @@ -1,35 +1,40 @@ -{ config, globals, dns, proxyAddress4, proxyAddress6, ... }: +{ config, globals, dns, ... }: with dns.lib.combinators; { SOA = { nameServer = "soa"; - adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin") - serial = 2025120201; # update this on changes for secondary dns + adminEmail = "admin@${globals.domains.main}"; + serial = 2025112101; }; useOrigin = false; NS = [ - "soa" - "srv" - ] ++ globals.domains.externalDns; + "soa.${globals.domains.name}." + "ns1.he.net" + "ns2.he.net" + "ns3.he.net" + "ns4.he.net" + "ns5.he.net" + "oxygen.ns.hetzner.com" + "pola.ns.cloudflare.com" + ]; - - A = [ config.repo.secrets.local.dns.homepage-ip ]; + A = [ "75.2.60.5" ]; SRV = [ { service = "_matrix"; proto = "_tcp"; port = 443; - target = "${globals.services.matrix.subDomain}"; + target = "${globals.services.matrix.baseDomain}.${globals.domains.main}"; priority = 10; - weight = 5; + wweight = 5; } { service = "_submissions"; proto = "_tcp"; port = 465; - target = "${globals.services.mailserver.subDomain}"; + target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}"; priority = 5; weight = 0; ttl = 3600; @@ -38,7 +43,7 @@ with dns.lib.combinators; { service = "_submission"; proto = "_tcp"; port = 587; - target = "${globals.services.mailserver.subDomain}"; + target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}"; priority = 5; weight = 0; ttl = 3600; @@ -47,7 +52,7 @@ with dns.lib.combinators; { service = "_imap"; proto = "_tcp"; port = 143; - target = "${globals.services.mailserver.subDomain}"; + target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}"; priority = 5; weight = 0; ttl = 3600; 
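Review bot: `wweight = 5;` in the `_matrix` SRV entry is a misspelling of `weight`, so the record either fails option checking or is published without the intended weight; it should read `weight = 5;`. The SOA `serial` moves backwards from 2025120201 to 2025112101. Secondaries that already hold the higher serial will treat this zone as older and will not pick it up, so the serial should stay at or above the last published value. The first `NS` entry uses `globals.domains.name` where the rest of the file uses `globals.domains.main`; that is presumably a typo. The SRV targets now interpolate `baseDomain` where they used `subDomain`, and the other modules use `baseDomain` as the zone key, so the resulting names are worth checking. The hard-coded `A = [ "75.2.60.5" ];` replaces a value that was read from the repo secrets, which is worth a comment explaining the address.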
@@ -56,7 +61,7 @@ with dns.lib.combinators; { service = "_imaps"; proto = "_tcp"; port = 993; - target = "${globals.services.mailserver.subDomain}"; + target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}"; priority = 5; weight = 0; ttl = 3600; @@ -66,7 +71,13 @@ with dns.lib.combinators; { MX = [ { preference = 10; - exchange = "${globals.services.mailserver.subDomain}"; + exchange = "${globals.services.mailserver.baseDomain}.${globals.domains.main}"; + } + ]; + + CNAME = [ + { + cname = "www.${glovals.domains.main}"; } ]; @@ -79,11 +90,6 @@ with dns.lib.combinators; { } ]; - TXT = [ - (with spf; strict [ "a:${globals.services.mailserver.subDomain}.${globals.domains.main}" ]) - "google-site-verification=${config.repo.secrets.local.dns.google-site-verification}" - ]; - DMARC = [ { p = "none"; @@ -91,10 +97,21 @@ with dns.lib.combinators; { } ]; - subdomains = config.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords // { - "www".CNAME = [ "${globals.domains.main}." ]; - "_acme-challenge".CNAME = [ "${config.repo.secrets.local.dns.acme-challenge-domain}." ]; - "soa" = host proxyAddress4 proxyAddress6; - "srv" = host proxyAddress4 proxyAddress6; + TXT = [ + (with spf; strict [ "a:${globals.services.mailserver.baseDomain}.${globals.domains.main}" ]) + "google-site-verification=${config.repo.secrets.local.dns.google-site-verification}" + ]; + + DMARC = [ + { + selector = "mail"; + k = "rsa"; + p = "none"; + ttl = 10800; + } + ]; + + subdomains = config.swarselsystems.server.dns.${globals.domain.main}.subdomainRecords // { + "minecraft" = host "130.61.119.12" null; }; } diff --git a/modules/nixos/server/oauth2-proxy.nix b/modules/nixos/server/oauth2-proxy.nix index 1c838b7..e4cdf49 100644 --- a/modules/nixos/server/oauth2-proxy.nix +++ b/modules/nixos/server/oauth2-proxy.nix 
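Review bot: The new top-level `CNAME` entry refers to `glovals.domains.main`, an undefined variable (`globals` is the function argument), so the zone fails to evaluate. Separately, a CNAME at the zone apex cannot coexist with the SOA, NS, MX and TXT records this file also defines at the apex. The lines removed in the last hunk expressed the intent correctly as a subdomain record, `"www".CNAME = [ "${globals.domains.main}." ];`, and I would restore that form under `subdomains` instead.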
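Review bot: The added `DMARC = [ { selector = "mail"; k = "rsa"; … } ];` defines `DMARC` a second time in the same attribute set, which Nix rejects as a duplicate attribute. The `selector` and `k` fields look like a DKIM record, so this was presumably meant to be `DKIM = [ … ];`. The `subdomains` line reads `globals.domain.main` (singular), while every other reference is `globals.domains.main`. The strict SPF entry now authorises `a:${baseDomain}.${globals.domains.main}`; if that name does not resolve to the mail host, legitimate mail fails SPF, so please confirm what `baseDomain` holds for the mailserver. The hard-coded `"minecraft" = host "130.61.119.12" null;` would be clearer with a comment saying which machine it is.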
@@ -119,7 +119,7 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix index 7a249a4..3b2e201 100644 --- a/modules/nixos/server/paperless.nix +++ b/modules/nixos/server/paperless.nix @@ -11,7 +11,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/radicale.nix b/modules/nixos/server/radicale.nix index b71ea61..db5a9a5 100644 --- a/modules/nixos/server/radicale.nix +++ b/modules/nixos/server/radicale.nix @@ -9,7 +9,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/shlink.nix b/modules/nixos/server/shlink.nix index 1ed909c..99ed6fd 100644 --- a/modules/nixos/server/shlink.nix +++ b/modules/nixos/server/shlink.nix 
@@ -12,7 +12,7 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/slink.nix b/modules/nixos/server/slink.nix index fe61faa..4edfa0b 100644 --- a/modules/nixos/server/slink.nix +++ b/modules/nixos/server/slink.nix @@ -10,7 +10,7 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/snipe-it.nix b/modules/nixos/server/snipe-it.nix index aad544f..03b9666 100644 --- a/modules/nixos/server/snipe-it.nix +++ b/modules/nixos/server/snipe-it.nix @@ -11,7 +11,7 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/nixos/server/ssh-builder.nix b/modules/nixos/server/ssh-builder.nix deleted file mode 100644 index 3791bf7..0000000 --- a/modules/nixos/server/ssh-builder.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -{ self, pkgs, lib, config, ... }: -let - ssh-restrict = "restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" "; - - wrapper-dispatch-ssh-nix = pkgs.writeShellScriptBin "wrapper-dispatch-ssh-nix" '' - case $SSH_ORIGINAL_COMMAND in - "nix-daemon --stdio") - exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-daemon --stdio - ;; - "nix-store --serve --write") - exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-store --serve --write - ;; - *) - echo "Access only allowed for using the nix remote builder" 1>&2 - exit - esac - ''; -in -{ - options.swarselmodules.server.ssh-builder = lib.mkEnableOption "enable ssh-builder config on server"; - config = lib.mkIf config.swarselmodules.server.ssh-builder { - users = { - groups.builder = { }; - users.builder = { - useDefaultShell = true; - isSystemUser = true; - group = "builder"; - openssh.authorizedKeys.keys = [ - ''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}'' - ]; - }; - }; - - }; -} diff --git a/modules/nixos/server/ssh.nix b/modules/nixos/server/ssh.nix index 41b1e23..a588edf 100644 --- a/modules/nixos/server/ssh.nix +++ b/modules/nixos/server/ssh.nix @@ -9,10 +9,6 @@ PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "yes"; - AllowUsers = [ - "root" - config.swarselsystems.mainUser - ]; }; hostKeys = [ { 
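Review bot: Removing `AllowUsers` from the sshd `settings` in `ssh.nix` means any account on the host with an authorized key can now log in, while `PermitRootLogin = "yes"` stays in place as context. With `PasswordAuthentication = false` root is key-only in practice, but `PermitRootLogin = "prohibit-password";` states that intent and survives a later change to the password settings. I would keep the allowlist, `AllowUsers = [ "root" config.swarselsystems.mainUser ];`, or leave a comment explaining why it is not wanted on these hosts. The `settings` block starts outside the hunk.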
@@ -24,12 +20,10 @@ users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [ (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) - # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) ]; users.users.root.openssh.authorizedKeys.keyFiles = [ (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) - # (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub)) ]; security.sudo.extraConfig = '' Defaults env_keep+=SSH_AUTH_SOCK diff --git a/modules/nixos/server/syncthing.nix b/modules/nixos/server/syncthing.nix index 3babd67..09986d3 100644 --- a/modules/nixos/server/syncthing.nix +++ b/modules/nixos/server/syncthing.nix @@ -42,7 +42,7 @@ in }; config = lib.mkIf config.swarselmodules.server.${serviceName} { - nodes.stoicclub.swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = { + swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = { "${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; diff --git a/modules/shared/config-lib.nix b/modules/shared/config-lib.nix index ba5e8bf..4ecc055 100644 --- a/modules/shared/config-lib.nix +++ b/modules/shared/config-lib.nix 
@@ -1,14 +1,14 @@ -{ config, lib, globals, nixosConfig ? null, ... }: +{ config, lib, globals, ... }: { _module.args = { confLib = rec { - addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4 else "localhost"; + addressDefault = if config.swarselsystems.proxyHost != config.node.name then globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4 else "localhost"; domainDefault = service: config.repo.secrets.common.services.domains.${service}; proxyDefault = config.swarselsystems.proxyHost; - getConfig = if nixosConfig == null then config else nixosConfig; + getConfig = config; gen = { name, user ? name, group ? name, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec { servicePort = port; diff --git a/modules/shared/options.nix b/modules/shared/options.nix index 911cf5b..0367bd9 100644 --- a/modules/shared/options.nix +++ b/modules/shared/options.nix @@ -3,24 +3,12 @@ options.swarselsystems = { proxyHost = lib.mkOption { type = lib.types.str; - default = config.node.name; - }; - isBastionTarget = lib.mkOption { - type = lib.types.bool; - default = false; + default = ""; }; isCloud = lib.mkOption { type = lib.types.bool; default = false; }; - isServer = lib.mkOption { - type = lib.types.bool; - default = config.swarselsystems.isCloud; - }; - isClient = lib.mkOption { - type = lib.types.bool; - default = config.swarselsystems.isLaptop; - }; withHomeManager = lib.mkOption { type = lib.types.bool; default = true; diff --git a/nix/formatter.nix b/nix/formatter.nix index 88bb5a6..a716372 100644 --- a/nix/formatter.nix +++ b/nix/formatter.nix 
@@ -28,8 +28,7 @@ buildInputs = [ pkgs.makeWrapper ]; paths = [ pkgs.shfmt ]; postBuild = '' - wrapProgram $out/bin/shfmt \ - --add-flags '-sr' + wrapProgram $out/bin/shfmt --append-flags '-sr' ''; }; }; diff --git a/nix/hosts.nix b/nix/hosts.nix index 858322a..c27c011 100644 --- a/nix/hosts.nix +++ b/nix/hosts.nix @@ -20,6 +20,7 @@ inputs.lanzaboote.nixosModules.lanzaboote inputs.microvm.nixosModules.host inputs.microvm.nixosModules.microvm + inputs.niri-flake.nixosModules.niri inputs.nix-index-database.nixosModules.nix-index inputs.nix-minecraft.nixosModules.minecraft-servers inputs.nix-topology.nixosModules.default @@ -102,6 +103,7 @@ }; modules = [ inputs.stylix.homeModules.stylix + inputs.niri-flake.homeModules.niri inputs.nix-index-database.homeModules.nix-index # inputs.sops-nix.homeManagerModules.sops inputs.spicetify-nix.homeManagerModules.default diff --git a/nix/lib.nix b/nix/lib.nix index c3f0338..6ca74b6 100644 --- a/nix/lib.nix +++ b/nix/lib.nix @@ -78,7 +78,7 @@ let forEachLinuxSystem = f: lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: f pkgsFor.${system}); readHosts = type: lib.attrNames (builtins.readDir "${self}/hosts/${type}"); - readNix = type: lib.filter (name: name != "default.nix" && name != "optional" && name != "darwin") (lib.attrNames (builtins.readDir "${self}/${type}")); + readNix = type: lib.filter (name: name != "default.nix") (lib.attrNames (builtins.readDir "${self}/${type}")); mkImports = names: baseDir: lib.map (name: "${self}/${baseDir}/${name}") names; }; diff --git a/profiles/home/chaostheatre/default.nix b/profiles/home/chaostheatre/default.nix new file mode 100644 index 0000000..1bcb3fb --- /dev/null +++ b/profiles/home/chaostheatre/default.nix 
@@ -0,0 +1,44 @@ +{ lib, config, ... }: +{ + options.swarselprofiles.chaostheatre = lib.mkEnableOption "is this a chaostheatre host"; + config = lib.mkIf config.swarselprofiles.chaostheatre { + swarselmodules = { + packages = lib.mkForce true; + ownpackages = lib.mkForce true; + general = lib.mkForce true; + nixgl = lib.mkForce true; + sops = lib.mkForce true; + yubikey = lib.mkForce false; + ssh = lib.mkForce true; + stylix = lib.mkForce true; + desktop = lib.mkForce true; + symlink = lib.mkForce true; + env = lib.mkForce false; + programs = lib.mkForce true; + nix-index = lib.mkForce true; + direnv = lib.mkForce true; + eza = lib.mkForce true; + git = lib.mkForce false; + fuzzel = lib.mkForce true; + starship = lib.mkForce true; + kitty = lib.mkForce true; + zsh = lib.mkForce true; + zellij = lib.mkForce true; + tmux = lib.mkForce true; + mail = lib.mkForce false; + emacs = lib.mkForce true; + waybar = lib.mkForce true; + firefox = lib.mkForce true; + gnome-keyring = lib.mkForce true; + kdeconnect = lib.mkForce true; + mako = lib.mkForce true; + swayosd = lib.mkForce true; + yubikeytouch = lib.mkForce true; + sway = lib.mkForce true; + kanshi = lib.mkForce true; + gpgagent = lib.mkForce true; + gammastep = lib.mkForce false; + }; + }; + +} diff --git a/profiles/home/dgxspark/default.nix b/profiles/home/dgxspark/default.nix index 81c41e0..9a9a4c2 100644 --- a/profiles/home/dgxspark/default.nix +++ b/profiles/home/dgxspark/default.nix @@ -30,6 +30,7 @@ kitty = lib.mkDefault true; mail = lib.mkDefault false; mako = lib.mkDefault false; + niri = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; diff --git a/profiles/home/framework/default.nix b/profiles/home/framework/default.nix new file mode 100644 index 0000000..b4c28e2 --- /dev/null +++ b/profiles/home/framework/default.nix 
@@ -0,0 +1,13 @@ +{ lib, config, ... }: +{ + options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host"; + config = lib.mkIf config.swarselprofiles.framework { + swarselmodules = { + optional = { + framework = lib.mkDefault true; + }; + }; + + }; + +} diff --git a/profiles/home/optionals/default.nix b/profiles/home/optionals/default.nix new file mode 100644 index 0000000..697de20 --- /dev/null +++ b/profiles/home/optionals/default.nix @@ -0,0 +1,13 @@ +{ lib, config, ... }: +{ + options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals"; + config = lib.mkIf config.swarselprofiles.optionals { + swarselmodules = { + optional = { + gaming = lib.mkDefault true; + uni = lib.mkDefault true; + }; + }; + }; + +} diff --git a/profiles/home/personal/default.nix b/profiles/home/personal/default.nix index c9ce74f..e04e2af 100644 --- a/profiles/home/personal/default.nix +++ b/profiles/home/personal/default.nix @@ -29,6 +29,7 @@ kitty = lib.mkDefault true; mail = lib.mkDefault true; mako = lib.mkDefault true; + niri = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; diff --git a/profiles/home/toto/default.nix b/profiles/home/toto/default.nix new file mode 100644 index 0000000..2f1473a --- /dev/null +++ b/profiles/home/toto/default.nix @@ -0,0 +1,14 @@ +{ lib, config, ... }: +{ + options.swarselprofiles.toto = lib.mkEnableOption "is this a toto (setup) host"; + config = lib.mkIf config.swarselprofiles.toto { + swarselmodules = { + general = lib.mkDefault true; + sops = lib.mkDefault true; + ssh = lib.mkDefault true; + kitty = lib.mkDefault true; + git = lib.mkDefault true; + }; + }; + +} diff --git a/profiles/home/uni/default.nix b/profiles/home/uni/default.nix new file mode 100644 index 0000000..e816f45 --- /dev/null +++ b/profiles/home/uni/default.nix 
@@ -0,0 +1,12 @@ +{ lib, config, ... }: +{ + options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host"; + config = lib.mkIf config.swarselprofiles.uni { + swarselmodules = { + optional = { + uni = lib.mkDefault true; + }; + }; + }; + +} diff --git a/profiles/home/work/default.nix b/profiles/home/work/default.nix new file mode 100644 index 0000000..a89b300 --- /dev/null +++ b/profiles/home/work/default.nix @@ -0,0 +1,12 @@ +{ lib, config, ... }: +{ + options.swarselprofiles.work = lib.mkEnableOption "is this a work host"; + config = lib.mkIf config.swarselprofiles.work { + swarselmodules = { + optional = { + work = lib.mkDefault true; + }; + }; + }; + +} diff --git a/profiles/nixos/chaostheatre/default.nix b/profiles/nixos/chaostheatre/default.nix new file mode 100644 index 0000000..31ce621 --- /dev/null +++ b/profiles/nixos/chaostheatre/default.nix 
@@ -0,0 +1,50 @@ +{ lib, config, ... }: +{ + options.swarselprofiles.chaostheatre = lib.mkEnableOption "is this a chaostheatre host"; + config = lib.mkIf config.swarselprofiles.chaostheatre { + swarselmodules = { + packages = lib.mkForce true; + general = lib.mkForce true; + home-manager = lib.mkForce true; + xserver = lib.mkForce true; + users = lib.mkForce true; + sops = lib.mkForce true; + env = lib.mkForce true; + security = lib.mkForce true; + systemdTimeout = lib.mkForce true; + hardware = lib.mkForce true; + pulseaudio = lib.mkForce true; + pipewire = lib.mkForce true; + network = lib.mkForce true; + time = lib.mkForce true; + stylix = lib.mkForce true; + programs = lib.mkForce true; + zsh = lib.mkForce true; + syncthing = lib.mkForce true; + blueman = lib.mkForce true; + networkDevices = lib.mkForce true; + gvfs = lib.mkForce true; + interceptionTools = lib.mkForce true; + swayosd = lib.mkForce true; + ppd = lib.mkForce true; + yubikey = lib.mkForce false; + ledger = lib.mkForce true; + keyboards = lib.mkForce true; + login = lib.mkForce true; + nix-ld = lib.mkForce true; + impermanence = lib.mkForce true; + nvd = lib.mkForce true; + gnome-keyring = lib.mkForce true; + sway = lib.mkForce true; + xdg-portal = lib.mkForce true; + distrobox = lib.mkForce true; + appimage = lib.mkForce true; + lid = lib.mkForce true; + lowBattery = lib.mkForce true; + lanzaboote = lib.mkForce true; + autologin = lib.mkForce true; + }; + + }; + +} diff --git a/profiles/nixos/framework/default.nix b/profiles/nixos/framework/default.nix new file mode 100644 index 0000000..060c3ec --- /dev/null +++ b/profiles/nixos/framework/default.nix 
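Review bot: `autologin = lib.mkForce true;` and `yubikey = lib.mkForce false;` make the chaostheatre profile switch on unattended login and switch off the hardware-token module, at a priority a host cannot override with a plain assignment. The other profiles added in this diff (framework, optionals, uni, work, toto) use `lib.mkDefault`, which lets a host opt out. `profiles/home/chaostheatre/default.nix` uses the same `mkForce` pattern. Unless the force is deliberate, I would use `autologin = lib.mkDefault true;` for at least the login-related switches, and add a header comment such as `# demo/VM profile: autologin on, yubikey off` so the weaker posture is not enabled on a real machine by accident.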
@@ -0,0 +1,18 @@ +{ lib, config, ... }: +{ + options.swarselprofiles.framework = lib.mkEnableOption "is this a framework brand host"; + config = lib.mkIf config.swarselprofiles.framework { + swarselmodules = { + optional = { + framework = lib.mkDefault true; + }; + }; + home-manager.users."${config.swarselsystems.mainUser}" = { + swarselprofiles = { + framework = lib.mkDefault true; + }; + }; + + }; + +} diff --git a/profiles/nixos/optionals/default.nix b/profiles/nixos/optionals/default.nix new file mode 100644 index 0000000..ddb7846 --- /dev/null +++ b/profiles/nixos/optionals/default.nix @@ -0,0 +1,20 @@ +{ lib, config, ... }: +{ + options.swarselprofiles.optionals = lib.mkEnableOption "is this a host with optionals"; + config = lib.mkIf config.swarselprofiles.optionals { + swarselmodules = { + optional = { + gaming = lib.mkDefault true; + virtualbox = lib.mkDefault true; + nswitch-rcm = lib.mkDefault true; + }; + }; + + home-manager.users."${config.swarselsystems.mainUser}" = { + swarselprofiles = { + optionals = lib.mkDefault true; + }; + }; + }; + +} diff --git a/profiles/nixos/personal/default.nix b/profiles/nixos/personal/default.nix index dc9583c..1d8f99a 100644 --- a/profiles/nixos/personal/default.nix +++ b/profiles/nixos/personal/default.nix @@ -26,6 +26,7 @@ lowBattery = lib.mkDefault false; network = lib.mkDefault true; networkDevices = lib.mkDefault true; + niri = lib.mkDefault false; nix-ld = lib.mkDefault true; nvd = lib.mkDefault true; packages = lib.mkDefault true; @@ -34,7 +35,6 @@ ppd = lib.mkDefault true; programs = lib.mkDefault true; pulseaudio = lib.mkDefault true; - remotebuild = lib.mkDefault true; security = lib.mkDefault true; sops = lib.mkDefault true; stylix = lib.mkDefault true; diff --git a/profiles/nixos/uni/default.nix b/profiles/nixos/uni/default.nix new file mode 100644 index 0000000..24fa649 --- /dev/null +++ b/profiles/nixos/uni/default.nix 
@@ -0,0 +1,18 @@ +{ lib, config, ... }: +{ + options.swarselprofiles.uni = lib.mkEnableOption "is this a uni host"; + config = lib.mkIf config.swarselprofiles.uni { + # swarselmodules = { + # optional = { + # uni = lib.mkDefault true; + # }; + # }; + home-manager.users."${config.swarselsystems.mainUser}" = { + swarselprofiles = { + uni = lib.mkDefault true; + }; + }; + + }; + +} diff --git a/profiles/nixos/work/default.nix b/profiles/nixos/work/default.nix new file mode 100644 index 0000000..0740cc4 --- /dev/null +++ b/profiles/nixos/work/default.nix @@ -0,0 +1,18 @@ +{ lib, config, ... }: +{ + options.swarselprofiles.work = lib.mkEnableOption "is this a work host"; + config = lib.mkIf config.swarselprofiles.work { + swarselmodules = { + optional = { + work = lib.mkDefault true; + }; + }; + home-manager.users."${config.swarselsystems.mainUser}" = { + swarselprofiles = { + work = lib.mkDefault true; + }; + }; + + }; + +} diff --git a/secrets/belchsfactory/secrets.yaml b/secrets/belchsfactory/secrets.yaml index a199923..5c8aae5 100644 --- a/secrets/belchsfactory/secrets.yaml +++ b/secrets/belchsfactory/secrets.yaml 
@@ -1,6 +1,5 @@ #ENC[AES256_GCM,data:WqtrDDqt,iv:Ksv7cH9opsgWoXj+YnTct3VtAT6qbaAr78uaZxkN+zc=,tag:9KPeAi/JZvxjKh1w4scsdQ==,type:comment] -#ENC[AES256_GCM,data:kwewartySAHzmyssuWFPv0XODI/njYrSXxqEE2JBJvuCsJKwZrq4+EzKOtwOlyssEpAvaxxejmb7,iv:p3KO21NvM7zfp4U0s9TVW5jfnOzvQkn06mcFgHp9xVA=,tag:sn/zQwI8EdhWb2w9F+V4rw==,type:comment] -acme-dns-token: ENC[AES256_GCM,data:Fj1V4MMKYJdXTur3xc7EDnYGXg8GBVPx8X/I6A7bRIdm7cX63yRrtw==,iv:Gaz6xYtEkQilaQG6+5Bz2gHWN3sIRQmCqLryZZYjefM=,tag:lGu+e1u6JOdxq8l8J+6+cw==,type:str] +acme-dns-token: ENC[AES256_GCM,data:KT8UnkuGVmCLm5TNPU5NUGhwBXF6/MN873BfLYxw9i9bdGsdXXZLFw==,iv:I1X/9UUABVEpHOhah0uwMPnIyFsZ8lXqipQ8JGNjXdo=,tag:SD4y7koXjsjRYqkrhO3Mzg==,type:str] #ENC[AES256_GCM,data:IaG0khKtH/NwwvpDAWwZ9kVhtxI=,iv:IFP93sRIw3Lkze3ut20VBYWxBC1/6euA+uJoggFP5SU=,tag:dq2cU1tB2MPA99BJtp0gZA==,type:comment] garage-rpc-secret: ENC[AES256_GCM,data:QzyqeNuJPjtG7MTyO+6f+KfquWhHbDGBJ6hrEGDh+3kg6wkCGx/0pUjeOMAaren1jMIwk1iKaAnSbq7NW1GcLA==,iv:WmCRD/kNtmBljkA78Vb5guUVrsQxdoZfRE2tNlt0iWQ=,tag:6wKCXlwbLzxvLpACJbACEg==,type:str] #ENC[AES256_GCM,data:guiRBJqw3HqM3e0Zw27bhc/h8sPcni0=,iv:J1Bc5LPzYdhlTUeenn8QqpBzrsoKGr+b499h8T+ilNo=,tag:kjXtd7tH5PzQLWt7EWbMaQ==,type:comment] 
@@ -20,8 +19,8 @@ sops: NHZwMEl2ZWVONkNuVWprUFhsek91NzQK84WqkK9mtR4q1G2wS6gKqflEUv0VefUJ jcQij+3T2O81paZytTzZNPX3JuebyyitC5KeEoz3Z99uSrCDaLuZAQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-28T17:45:56Z" - mac: ENC[AES256_GCM,data:t+L6NWHaZCrSbHJhFja28E0vSNGHf5hyH183J0KPL/SrJDcK/XuxwSbbCTfwMQtRiuhjprjPjH4ioqZV/eCiLEd3C3LikEwlXb7CutYknpjceNuhi3aJ5+oRVb8vwcrMAtbPKKB1ZJc7PNcRWIFk6oEF7M8NjkC92/3C4fSH9Q4=,iv:t/YjiqCEPJkyHz/W/p6T19An2Lyr8khmwsv8it/nnZM=,tag:lccvtgBMM4NgMfKwgWoeQw==,type:str] + lastmodified: "2025-11-27T01:18:20Z" + mac: ENC[AES256_GCM,data:WUZzmexNAz5PabpUDL7yHCrkZolDWWXhJ01PBWd+Q58xeJZrQLeoLrjx+Z9XflWCskxYwxb7OsxLLi1fN1CkE+M9n/ELeF/EuhAL3+IamUi64tb50HbMbCJ8XvuPH2rPhYlNo9Tt3nZHChsb7w+DQA1P602zy1UYbYOOgdpjbzQ=,iv:t4Xma1r/nJJjc95WcZaRTr6xi56FauZYzdIlAtUKlqk=,tag:00LKuFIKgv+QLu7vddf8qw==,type:str] pgp: - created_at: "2025-11-26T12:40:31Z" enc: |- diff --git a/secrets/certs/secrets.yaml b/secrets/certs/secrets.yaml index 7bc7436..f45c150 100644 --- a/secrets/certs/secrets.yaml +++ b/secrets/certs/secrets.yaml 
@@ -8,143 +8,116 @@ sops: - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ0p3QlY2c1dGcGIvektO - c1BRWWFJTndub0dxUXhlMTlreDUyUlZ5U0NjCldCamVrN24yZ1QycksxTDV4Sk9V - aklIT1dGVHJKL0ZWNFN6WnhJN1Z4SzQKLS0tIC9lZUI0cE5aYzBHcWlWc3FkS041 - bTdlMU5qbHRBZ1V0ZXhjL3FKYmR0Z0EKpA48GyFC1W2+O3WL7Dgjb5dRRfkyJNFi - Yl3i2st6zBGH6OFJGdLlBAJ/lqw9LgHKxYbId7XcuAfMkDTNz4Fjjg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WDBMV3RUYUovS0ZmV0JJ - bWdqSWE1TTA4MjNvbzFtM1NoY1FsL0FIWm5nCkV5cSt5VWVzYmM1MytuTUJsVHBB - a2hoMTNwcXZaYzl4d3lmZUZIVDBQekUKLS0tIHlTcEFqR2pIQTBFU21EZ0h0Z3hL - UHN3QmtreUpUMmxTNy8vbXRnV25jRFEKTaCbReUitrOJGVncdR/VQBXmM+mTzTKj - HzRnYSUmuuRdkHC/ljjeYR4rkSjN4RJABX0fraKdARBfkoi+x5ulCQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM0k4SW96SXVJejBGcHJR - UVZneUVBT0VzZXNlazJKcU1DYWNPZGNiTFc0CmRtTEdCSkF6dTZZamhPWTF2dWlw - QmdNTmJ2Q2JiNXhJd3kxdTdZNXkzU1UKLS0tIHoyMEU0UUJEN3lkZDlGNjJKWjFI - Z3A1b1BJNVg3SDNXZ2JPUDZwOXpHTkEKv+NRRLHfnc8j4rVmBDrLdTTtNyb9sUUm - EhEmbKkXZfHUQtx3bYUJQeod2wd7CYGzvfrbU96xpFkTAqvUJtWAJw== - -----END AGE ENCRYPTED FILE----- - - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdXJzVkxzZDlZaStpQm0y - d3lyQnFZcUNaZDdrdm1sSW1HS1Y1VkN2cmdJClVuM2Z3ckF0RWsrQ3RkN1Q4SGFF - M0d6THFpRDlXTXZseWJjQzU2OCtCWUEKLS0tIGJ6ajNRSmJqNVMveFBSUWF3TmRh - VnlXdTd0VS9RSnUwWit5M2RqYk5FVzgKLD8+uG/KUxBUTu4WFcgl187eKapyPrVq - 0+nL/jITbzy0HA3cTdVR1b2pueKODohBdVIqD+JpPs86z8FaLro80Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Vzk2RWVCUk51cWtVRk1K + 
dXA4dmJSNGVMQ2VlUXJsbGZjbjRaMUFZdVJFCm1RMk1PbDQyOWpjaXVVdWoxVUJq + dGQxMmlVcEovZGZ4bzdnbS9kRE9NZHMKLS0tIFdEeHJVS0NjcElNQ2hDNkJNaURZ + VWR2RXZHd2ZON2VQZW9KL1NlME5hNDgKvEn7GMfQgA3FBDmimP32i8QQ8NuUAt4p + uM2Z7UJP8i75x6GWku6eEKWO3M+rNsTPFL1VJfYORjiG8JKGWb4IOw== -----END AGE ENCRYPTED FILE----- - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcUYwUHZYNmNLYjV0WGhV - N09HUVo5SUpvUS92UThaV3hvVlN1Tnc4RGhBCk9HL0pXalBiMnJtSWlaOEFKNVlX - S3g3eTVtYXJwRy8vSGtmUDBpOGlYMGsKLS0tIDBnMkJaTnBnUGx5d0hXLzJPNWVZ - aHc3KzhBT2I0YkNCNkpBdWZPTDB2cm8KSwgUwcFRqWFxEqGrnTd6a7sle5SBXI3J - KyfOOrS1agk+nTaUJNpxLOG3aUWPSG8DBlEvP4Z1Kx5kG4e7/kRapQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMHlrMUlkYnJWTkZPSEhq + VnpVd2c0VUxwZnJsaElxcXVCQldMblhoc1hVClJGOEZReVgyaDBTUndFUUhJaU9r + QkxySldYMFVpSjh2VVQ2aXBleUFFM0UKLS0tIEtZZW9KNS9sMzd6STdJTXQ4Vkxo + UU0rRTZDUnJsRkVrdFljRXlEanF6RTgKuXPEvoGgBtQX21yBJGBJSRnDw5uK7iUa + NIB6YUZjGpzzjgdStSrqBe74Q5Jz0z1uy41l5r1YW4SMs8xP9N2EzA== -----END AGE ENCRYPTED FILE----- - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRWdKL0VjSkJZRERNWWVD - eWNobG15RUtQUXpWMlZTYXNBbFowc3pQOEM0CndTK2cwc3ZRWGxiSjQvb2l6YXEy - SGdHNVQrZy9tc3k4emRBeVByZExmd1UKLS0tIEdBZFRMejVtalE0WGh0WTExM1Ay - R29XRC9wNE4wMUdyTTFpYkh6VnJ5NHcKEDsie612hQqxjH/IdM61a449jiSaqNvW - fG6x6U3GQxnjH6yM+Fn1S87c7ZihTIAPzbAmbIiTmVbv7cp8XVz/LA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjK2tQYVUzOGxlWGE3Ulc2 + TmFpMnVaanQrdFoyUW1iKzdjQkFra0JSUEZJCmxObElTWExJanBxNVVPV3dLZzZw + WThURHFkQUlpOXBEZGZFTUkxZ3lMbVkKLS0tIGI2QTg3UUhPRjlZVDFWQjZiT0px + MGdUdjR3S1k0V0FzTzFTQ3ZXSkxaMlUKxH8TdDacUtyTmG/rpDg7tmpN7XGUXzgj + Fqg5QSpDSB06945MGt+zgHGEArcg9v+PtfX0MbF/Lj6uW871J6Ihiw== -----END AGE ENCRYPTED FILE----- - recipient: age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x enc: | -----BEGIN AGE 
ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTkNHVmtwK2JOdHM1ZUJ6 - aWhTeUxpc0pFd0tXcThYb1NkS3V4V3pwU21NClA1Y29QN29nc2dsY0Z0SmdFZUtE - Rk9PdUVhU3ZvSmsxcVhGU3gyMktwcnMKLS0tIGF3dEs3dnBoa1VIWUorZjJwRkJl - SStnREZnTGFpMmFGZ1B2MVF2RWRqN2cK5HHfMKlmLG1UQpDYr1Gg8GU3Gg+oGebE - y2efhe+oiIwr2uo9+zielNVAykKg2hvwUmyAXBsXsl95sIXFfN2WQw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLa1hlZ2JuS0JOc01IZTBv + ZkUrQ25SeGU3VC9YcXFrbzlpeEtLZ09DLzJRClRZc1NuNG9OTlY1enphbjdrc1BZ + L0w1ZVR1SGNSekdSb0FSdXRYMDAvc28KLS0tIEJHSFo5YzZIVVNaNUdOa1pHamlq + bFNWM0g4MG9ZQnIwTG40VFVXL3ByS1kKPOt/Y66db5aZ/PRihBX1JMMjtZGV4RJd + s6REyW9R2VvwCtDQMewEFTSXZgeGQeyH6i3hEuYRDxb0VNZibXFHIQ== -----END AGE ENCRYPTED FILE----- - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRXRVSk1SRzdIZkpobFV4 - Qjg3K3NrTDRGY2VZWWNOTXhDLzlodVhTeG1FCjJvanhyN2pITnVBOXRINUtCbE10 - TlBEK1hoRHIzRGtoSDRCQmRnZVg4RUUKLS0tIGF3Q1RKL2h1WGdSRWc4MzF1cTBE - K3Z2TEZycktQRC9NN3R6bVVUSE9FTE0KOtBDjkAezsWR6wfrfnrdUcpdQgnCXm+s - WS/RX6Q5Jw5nOSgkR5SyhHqOpalYlCnYQdE0zmW7n3C/BqnX+53T1A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQXdwNWhEK3dodjNaK2Zm + cWVWQ3BsTWQybVRUOUx6TWNDcjhRam01ODFFCi9BcUFFSHN0UVZoOUdrQ3piejFY + R0grN3M1U0NLYXlFUEpjdEpVOEJmckUKLS0tIEtKc0N2OXF0aXg0bGhWMUZBNlJ6 + NTdWcmtVNHA4WUczb0xpZVc0TGczV0kKmnoGm9V6amumqlClGjlFcGIX05KeV2qW + f11xsg8pjGpPldzT/Wqb6vWYJDJL7c7J/AJkm9d8k/7GtJQ1qKngCg== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdXQxOWNveEtZUGkwclVp - aER3dERtUHZxRjBweDBYdERROVA3OTNYQTFjCjBZSEVYRGpEWFFUNnM1SU5aWjhs - MWNUdUt3UTQ5SUF3MVVHMW5Wam9KazAKLS0tIEtUekJPVlpyYjFzcmJ2Z200OXNs - N25JN3BJenVhNnhmYXdFVnZEM25mdXMKpzEJ0eqnUoiyboiy9FBeeZFBNHRrO52Y - RICf2lc1bx6i7fLjOhbV+ewjNk7p6ApdJPHaE6Pxa+jJ0O5vVVJjiw== + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUHJVd1BQeXYyQ1BzSlFv + bkpBYTA2Z0J0WGtWZ3NxOE5wYmZRSU92aFc4Clg4Ly9qREV6eGV6ZWk1WTY4SjBB + QzZTVmlRSTgwSlUxTVJTOWIrZnNKWnMKLS0tIGtiSTJ0Y3F4S09FSnR6WGdJaC9D + a2FvbEgwejlob0U3Q25lK1M2TDczT1kKTzSG1q51CEr/dBgYJ37HceXZYS5cnBtJ + 1zxmURZaXpsOtzB9KJn6iUt7FwpqIJss/+p1AELvHUZgjJI9DiFfkg== -----END AGE ENCRYPTED FILE----- - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NEpqQjN3WkFYSlNrOUZj - aXNDd1JSWnlXNEJCREN0VE04QktNK1gyOHhVCnhCcWdEV2NVYk9vK0xNY1RTRVdU - YS9kRWMrSnE1T04yUER1eGMrM1RsS1EKLS0tIFM4dWxCRTBJNExsakxCOTBQSUxQ - ZjRQRTQwK0k1bzdzQVBYalBlcE5OV3cK1vkdKETqGDbsj/WMjwLmjwUz38yPXh/H - vjJxq20D05HNI3PdBMzZZcaaBzVqf3hx+afk3jQPxggrDiysiRNWLg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVTzc5NjI0TnRYREVIZFIr + VDFkK1Q4WmJGNnBBLzN3SVJBQ3dZMTVrWkE0ClpselBZaEdNeEdjTGQ3SjJuUkhH + alpEbGF6TDRSRVZLelROcVJxcG5id0EKLS0tIFRPMG82VG45Qm9uNlBzQWVFdC9C + UzFWUGhINDRQUS9TZHRLblRybzBIU0kKV3nNWCLMZliDnW4PCZ/6HAMJSTy6arjE + Eh89+SCKBpVecZM+DrwPDQOYY3BSihTYD4bawfhbTxFI8RQXA/ljkw== -----END AGE ENCRYPTED FILE----- - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSnZNQlZVWlIrVm9HcDVa - Q0lCN1pKaVd1amkwdTFibU83bWlzcmdzM2xrCjU2bExsQ2JhN0laK2hocDVBUnNS - Y2MyTGp6WGUyUmkyc0VLa1JBSDIySHcKLS0tIHBVYXVQKzFUdEJjdGlBL2VHMldG - UzZhUDBCWC94b2lyWEdWeWpJK0tqcWsKH8QLyHTIIEwzUAZCTeUBbOAd78fNHlqk - uImJM5y/vjVw8490Uo7rkypQ5Faab+ekcWqPSj6sE/nFEBWTCKdSrA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByQjlhcGtKRDdCdkFMZ1l5 + Mm4zUXJCTmdkMVh5TUpwc2dndFNOUHBLaTI0CmZGaDQxRHAwcWdyT1BtUDRQT2xq + NEZsYnNVOEpzckZYUEM5WTg4eU9yUjQKLS0tIDRzeFRkZHZUQkpiNGFjeSt5SThK + NXVYOUdMQk9NRjlKTFlHTU1leFZISkUK/hudtpolmk19shnGFstPflmotm3uvfF/ + 5ZiXoVKcptQne33YczlhY13+0QPpV7hXuXBw+YTHRRXvjGN3wrtgNA== -----END AGE ENCRYPTED FILE----- - recipient: 
age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNlNabmNqK29OQzZJWjFX - Sk5OM0FTcGxUVCs4OXV0VUE2dXNMVG5oZUJjCmtRR3l2SHlEd2xBQVFPcjlMMzFR - TCtDTmEwVS9ZMFV0Y1VOWEJGWGtSUlEKLS0tIExZUWVMWTVkUisvMEFmUy9QZ1VG - RnBDMFZ3TmJObElRYVg2SGFBaWxkZFEKq7un72Bpl2st9AUvAXE9rBir1mORSkAA - GnHQyN1tVPurKINQeAmuA8gIn7UlaIi5MxpIkaJFqmO1/6H5e7tkGg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1dHJTL2I4NEFxakJmTk5F + RURmSUVwcGEvR0NLRE8yNlkwbW9WRWV0c2hZCm5KUXROZ3k3ZzBpV1dQcnN0TWNI + R2lTbUNjaWlpQ3dXd0dVS3IrbmYzVjgKLS0tIHlHTk1ITDE0d0tnNW02T3Q1OFVM + UitSdTNFM1JTTVYycDNoeEdhSmpOajAK3G02xLW42AEcJxHKmqoSsmss33xXkH5j + 9ewQOxAAdR0teBoHRC8hE5wNrnL4u4xGTOAq3zXxhidEq0fMc0C9tg== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-11-19T14:09:27Z" mac: ENC[AES256_GCM,data:tZ6QzVPivueZiC9Qfb3KNZAv02QatgHRNnlM+Y0iV4BZkYoBjxeDojutizvAMwUarnubUdk5I6m2OZK1mvVDZKXyI6zALX4JMeT2xYQWRHYzHpOygLhhGwTFVhV+0C4jN+eJFF2cNf9lu7NuZI9ylZSOY8I3YKUl+l0l3CkXUl4=,iv:JSGOUq+j9T/NXspn70dfu0J4ISV6vVFZUe/Z1CirrJk=,tag:Hm9N55f9qMc056nSTR1piw==,type:str] pgp: - - created_at: "2025-12-01T23:06:33Z" + - created_at: "2025-11-25T18:32:47Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTAQ/9HmPTBEVh2e92ES0g0sOUx7S9I1zoRFm3ONWNoaT6hld4 - UJiKqbHMQTyjr8m2IvkzT7MhXr6fPsspAFguxdXLAD6LSeWJUkBn6IBT43ISvbkZ - 1KrJnZHzwMjxMGe1MrBk4C17YPlAwB+CDNNehkKHWkSPfVqNurY4gtNoTrZn7HIz - 5Npvi9d5W984CeuFoCmY+w7DbKINk0J0YkgT9zBMdfGw1cVAV5aUS5lIBqvo0YAO - yIQf5tbG9aCa5CL3OH0JD72GBUkODLfWFzcTpzfjYtjx1rsbu6gqkLcH1eGFqTsa - cQ7+A0wbB+9iDN0OXmmPNVix+uMY1yQpxMve3r34v18R9KTCvsSK9gOpk0ilg/T1 - lBG5wFNEutJmwuXai1Zme5+MJLK0ggUQYywhYY9auGmwC74ZRtRQ48o3SsQ0HJTc - tLG0thDciyF/Xy2IPjqnp9vCfITnVw42ZsSIbXfHHYoEBYu4mYhqAP0pmHFzY3jE - rc8LzraecOslqfLVgdCPo/7moBpegIfJfCkX+gYxZKRJsuOHNiTVyFHceP2mztKu - F6MIVxsJsQjRnkavaHXEwNFr+X+YlzoOAid3UNzO78rKAGUw6mJ8PvLBekqw3wfI - zXOWNOgNR/aCUTAbSPn1VBLSM1kioGAKrs6+bAeRypmQGaYiLsDkvOU+qfNxtaKF - 
AgwDC9FRLmchgYQBD/9iq1JX0DpTayA4qSDo7i9qeET6MKK5VmrawaV2LqQpxOk/ - dEEIT8+ZBhAGjKRIPRZdF0bgcBP92IeOOduPvcdJcRstB1va3nyeKDXkYwaBN0XY - FPKMrTk2hifnmlGdBzN3RWGOXURDZdhqjsR0g4M1/85//0ZA1ogFnUsqtPI07TVd - oKoZqdt068pgBDgAxiwA4Y6WbSSdEo2xQIQ0JTRMGnIycHGnU8UYWElEjnusGKSc - jpC2jzc9TUABawOjCnauExHkBp6PhPRlAbzLA7Kq7v7lLkMKQdnJ0T7kIJUd5LlS - 7TVXSq97WvGBhtQ45cSIZTskjnXEx3TQip9gNrV+MkZ14ASOwc9Lmw1O4z6cVUte - IHzUELZsupE8KQPifgMOyx2Q4OQPQ/vv0CSYJwozbpK+g3XRAtsm70mSlagCtye2 - MsNNQFfZe3vSV4o+vQfbWQ/LMxP/8YcRmh1/2q02yXS6sjW4MWiAjcW6nTRCxJbI - SjMKmIbGNn60MOqn+9MNHA/S12SS1yI2cTPenebbhXAbMnCOHW31D5ufr/UR7Pkm - xiBXOT2jROYtvFozH35OpkIPr7tV0O4riUVvPw7swlqTVrJKR67Fi7ORsGJKbztv - YgUuZC3679TzXyWRMGauTmOPQO1+jZ0WD1QYtKkXPpTZNLx02a0XaGcc4if3gNJc - ATICbOTfcwy5HkC+KcLy0KADtfrO004fSIXV4TNrdfyXNnUshnutAmZBRAilvvdG - OQRfyr8P0jKoZw2UUoAFEGFU2GaNg8NvCoZTOesN2BNhSVIdA6QKjnZOzBI= - =HuIS + hQIMAwDh3VI7VctTARAAzpWulcVroUoACaD2ruC3zk49IbaTntS5BnduZgckvHWU + YREVjz48tuE2KLDm/AHkEdJAOlTS5jkhz5L2k74wg9MehqwVEzMfaLaJyDm7J9oW + CdsI16TPpr3j68m7yMn45GUwNMmMj0NBYfpd+ydFbqcswC4Is5vFn9hIPAlQgQLt + G3uKh8IWOxWT/6rHSL2ajQNGTg6h08yvgoIas8JBq3J7RPa5vPL/XJXh3yCUIjgF + wFNprivM9CiYf7rwJUEa9TUdjPoj0Vo4mfZIBh85YJ7LCI3hyxFLMgxqNNFtq+Op + NKrznWjpzyxDSrXGz4os2khg8bVWXEbV5H0pvvwtLf9ADRp9KhB7Jdd5VX61KHta + 0j32SuX86m3KAFzXV+s8xM/abVcfb3g2ECZIJ0qjX7kJ3q5F/Zzv99JoutjJ1Qko + Zv1XrsfdFPR9Z6XJyU2No4aegiYtFxKp3Uo8u5yAetXO8uG/aPXXVI1VphYAheuU + TKaWirIRC6jA9I2fI0WEk9pKi0vcjbK/RdkYUyfeTmxzE8F50rCuclXRkR4yVWCm + 09xrcyZK04BkYdgSx5ldhq3LpW0DqtP79KFZ9M2Vr8+9wOcJFkA2g5jQh+/b/0U0 + 0lOUVg+PRkBQ4SEi4UauFmhgnt/nrMfXwty5XyW6MvTUSZo3N1SW4CaSmBEGxUKF + AgwDC9FRLmchgYQBD/9iknczA7d6KW/t1Ek/R2MIcvHN4lndzcLzzctR5CpJVbne + dHuz6DEFb/x/134iSPZhkJHLLUgCBaasgEzL8vniaoWq6uccdxYL6nK/P11z2fVA + NFUwR4t1NWodi8xZ2lKiv6MFpDekjphS/9qL9NTmjdXxpyd6gnz+tRn3Kdnm4cSx + /ESJQ9DOVGxa04EEup6TN5HttGIoP/kxJfgGCTG93AAIYbCRJEQJaLqpoiuUZmL6 + EccOivMlqwEaV3fAFx93tPJzMOZwJeVO03qnAPjqrIsJpuFBSqerLZdxZcgipoia + 
skIW/FMI1ei5qTFgq29mJZvEixK0zu86jRi53pNmyPHKqNEaH9rRi5X7zJXk4Wij + 1KdeNl9XdbtXjNmqOQHD8D5cIV43Hko69ZAxCXVJ1dYq3tjM6OuDTUWAxhfXOcE4 + qfb9hdQ5l7NpPaK44NEVCjVZHyNYq9Tu2V/5od3uz18Y7L7RPX1EnnSq6swsE1Yk + qBg10Uh1a9vh3tu2gcoHA5qUrpukzX+ndWmtJ7P0k51VqdQGSkamo2YfPj1BYxQa + TJ0VMIo9936rcBPFy8WxemERhkOPtzWfIaeiK4sUREK/z6bQl1aY1y85pKS1vyPn + CFx+7lt4ITRgiuaTCGRgTQ3xYBhqUufA1+dtbLDf9WOT3kBtktXU3KNjC+QEWNJc + AQSLv5CljoYo/FV16RZKwmCWADMZ6qB5cuJTGpI/TDyiap7jDiVXYX0A97FbwS09 + a+XS7M5vCVpPLY+lXsM34m3Enn7uLnfsj8Y6GDFs+7vn43ajcsWJtuN1sbk= + =ySlA -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/eagleland/secrets.yaml b/secrets/eagleland/secrets.yaml index ec63b57..96c7a89 100644 --- a/secrets/eagleland/secrets.yaml +++ b/secrets/eagleland/secrets.yaml 
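Review bot: Removing the three `recipient:` stanzas (age1g7at…, age1ly2e…, age15klj…) does not take access away from those hosts. The `lastmodified` and `mac` lines at the end of this hunk are unchanged context, which indicates the data key and every secret value are the same as before and only the key wrapping was redone. Any of the three keys can still unwrap that data key from an earlier revision in git history. If those hosts are retired or no longer trusted, rotate the data key with `sops rotate -i secrets/certs/secrets.yaml` and reissue the certificate material itself. The same applies to the recipient removal in secrets/general/secrets.yaml.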
@@ -1,6 +1,5 @@ #ENC[AES256_GCM,data:TeJxdPs=,iv:M76JVBlBfgjjm1SuT/0tG/98FXpkIPpGng4u4F5p07I=,tag:RXAqa2R0HmEOjW0dD1treA==,type:comment] -#ENC[AES256_GCM,data:YczkPHAlYVsdVPPGyuByxK9wvRVbAuR6rR9rSFjMvMGxg0QUdIa/yo8o0ppe8I2ywwlLSROp3WLJ,iv:ltLRGMLZsOte9jQEi/VW4Diu/Od8kHPbzsmvPqVgLCE=,tag:YbtxLcYhvPZrC+QFfxtMrA==,type:comment] -acme-dns-token: ENC[AES256_GCM,data:5U/74jeGpQH39kyjuVwLU3WBYk5MrCMZSFouRFRVbB5FhOkiJtqYBA==,iv:f1TgdiVVbAB+580AtQAe8mCXU0WuS9JX7AWukKbDYj4=,tag:Ut0tbtiNcV/NxfStyZA9XA==,type:str] +acme-dns-token: ENC[AES256_GCM,data:39nbceTlpOCKThRLBVvA0b39+ZMo7IQwXjRED3niNzVk8aCsOq077g==,iv:px8OoxEN+OsCN9ve87eXw0Zc8lhXVC9tOk3VVhoKlt0=,tag:hcUVsH2XkgclmfEsC+NeaA==,type:str] #ENC[AES256_GCM,data:dZiEtGPKsbsd9g==,iv:lNgXQHx/w7pm3EUTBwyFnqv2j0T7zQ59nFLom8F0hQ8=,tag:1cF89QMfjipYZgfl08qSOA==,type:comment] user1-hashed-pw: ENC[AES256_GCM,data:uPyDpGOVIqE6cCyvhXIM6v8sTqEx9dV96oqMYS7fRMLiR0kYlCmgNBEeDFmTNRskqwW/WGXrOBn555ZH,iv:KbHW2mOGzOw4t9aOrKLOIobkUNLWj69dk7fFuy1x3aQ=,tag:51+qAavIiM6K256MkhBaZw==,type:str] user2-hashed-pw: ENC[AES256_GCM,data:+BES2HwH+Jj6wl7MVzsdmPGxp6AuiPLx+XuOpJClksm9SlbAyqATAHeNokAHmj7yLS79rJF5C3YBBtT4,iv:bSX0PLcriKal3eir24DTyePfropgVhh83U0JdR6/2Cs=,tag:TiSKjApnJg3di+77vV9l6Q==,type:str] 
@@ -16,8 +15,8 @@ sops: SmZrb2xuVW5VVjM0b244U0lkVmlkVGcKin/6A8ONfW72fbQmvJWiNCzAZfGUtxCI WV0DaPvO7sO5y7q37QxVUOxgJgF0WpKiNel4Y9E06xbl3TK6jXk2MA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-28T17:45:38Z" - mac: ENC[AES256_GCM,data:dQYfZvGJukraN3/rPbu4JxItMxrsEIY2mkLf3ZWmC+wNZ1qLaI+EuqmLRDicNJqQ9cGljystJvrZouUhJXQNwsg4WNck5+WAfFZ4MRevxbZre+LqFfsFi4of6b65iwRTGIahtiLApNoSI6SfcjCt28i1CIofjuQIEk8LBrBlEys=,iv:fKeo9Ot8sG6qYOBE3gt06VqoYKM1/aXMs/jj9dNNFhs=,tag:sOuhoIO4SBUITo8WfCmwaw==,type:str] + lastmodified: "2025-11-24T13:05:23Z" + mac: ENC[AES256_GCM,data:/wmUX+WUP9Jbai9hv+a7/yqzJuL/y2BnjOjaONoce1RGD1ULZb3/qjXJr2NdqQNLbDDq6z3UafX1c+ki8CDs8Q3psO4P5jXrntcc9mgNuioy69TWJtCz8nWYaoZQLyOwe6sAClmJb3prGbSXmt1VO+5RBd3GN482eoA9+NWuhjg=,iv:tLfkcFYWMs+DErWocrT4c3YfBJtGtSGX+E3i8b+qKFM=,tag:QH6IMxpZPVvvKgFPTnis0Q==,type:str] pgp: - created_at: "2025-11-24T12:05:01Z" enc: |- diff --git a/secrets/general/secrets.yaml b/secrets/general/secrets.yaml index bc0079d..12d8016 100644 --- a/secrets/general/secrets.yaml +++ b/secrets/general/secrets.yaml 
@@ -31,151 +31,130 @@ github-nixpkgs-review-token: ENC[AES256_GCM,data:/4ssZAEwEc9fZeR69GCvLMm4eRv4uab #ENC[AES256_GCM,data:PI5MX6PgK1y0lqyoYA0=,iv:25UAvFaANHFD04GRafGlCzOc5h+15YPtSES2z2tmpXw=,tag:+XLwQ01+AtGWjtsSQhQ1AQ==,type:comment] anki-user: ENC[AES256_GCM,data:WoGaNDAHFw==,iv:ZSjHfKMIjlgOuvGl7hVxJc1fE80nfxxXYLgsKangBCs=,tag:UP8ZI7gzOrJJjNDHovIkyg==,type:str] anki-pw: ENC[AES256_GCM,data:z2SCsSvZIqN2/2VK1EdmcAnl42x5A15PAiK932k3n50Vj1jczGRoSw==,iv:keQCutY4vizVzu5YzPBJLgDLveYDb2VGeEnYmO7CeQw=,tag:KGplFfC5xktNAOTbIlt+Tg==,type:str] -#ENC[AES256_GCM,data:KCqwghIJ8tlGFxMt94svo6285cA1YRbYoeivx6A=,iv:qlZCGrCn5fU1xPQF9wfOMarU6Z7oa3mLtd1LzVzMbuI=,tag:Qq5lBtUsd3lQMx6ffk+kzQ==,type:comment] -builder-key: ENC[AES256_GCM,data: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,iv:2RpiHF4b7+520UJcHVobfJs165EjgxaTATSyOx7HJik=,tag:tGddPi0YeO3E0kHl+E7uGA==,type:str] -nixbuild-net-key: ENC[AES256_GCM,data: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,iv:2HN9X9CA1liWuY+LYqTCX6Zy3xARMS/TOL61r2UKsE8=,tag:XcPBwYrQjqhexI7u+0zXQw==,type:str] sops: age: - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeU14bE1QWGlneTBhYXJy - eFU5WTZwVlFXTlFOMVdmZGpYNkdMNFk4M1VzClhTeW8zdkRzcUhLRkpKdWxCZnVj - R0JaN3RvYk4wTjMrR2JzTU1taFE2blUKLS0tIElUaEVCVDNGbGtCZUZTZ2hwNEdZ - ZlhHZDBROW9HQUx0RE5KSlRFNkJVM00KVKIC6Il9Vq4lwNS4Va/Zy+EciImnjEE7 - uK9asNYPNFLWOGH8WRUYmcsDGupKBCtSJszd9+DoQ28nWo5f2DjHAg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSXA5YnZyQkJrUUI1UGp1 - TFdPZVhTS1RwNVJ6SVhNeWV6TzhMTnZJUnpRClZuRWxPNXdWUk9GS0ZIUUVsUVdJ - RFNtMjVQVURWVW9iQXhWblFRQTYxVUEKLS0tIExFMFZ1eUorbmxCeGFqV0lEa0ow - c1VSTjFXVCt6alprYlZaZkVCUHB5R2sKGrXDZrwhZ/IZhX5EheYrM0nBMrAvzKRC - o9lLy+KZg/0JTZFE9iz+lPLzzPBVnrSXMSC79Tj28YKTR7xOOPTBnw== - 
-----END AGE ENCRYPTED FILE----- - - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYzAyZG85d3hRaUJrajZT - R0crcFJNT1Z2YjZEU3BuZEJwYnhleEZBMGd3CkxnNGppRVhqRjRjbWlpaTJRdWI1 - NVpiNVBJSW1OTWNMNGlRdFVIRW50bjQKLS0tIEQrVmlwdUkxajNtK2ZhV1l0ZXBt - Vnp4eDd3Y0RrUlhMbUxNcFpsTkZ3UGsKv1HuzJH4rm1onXAlV7KO0MLNIxndRVNX - hFFSSV4QelNtjdEmqYwGpqAuILRpZ7g2/wMLVMMQ7l978KrfL5BFZw== - -----END AGE ENCRYPTED FILE----- - - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRlNiY2ZRYy93SFZqWlZh - Q1NaUFlmQVhUMVE4bVp1Smw2cGNzSDJjQzJrClFEZ3BKdEUzVTZCT2tpb2NHNGVH - RzR3SzhvbFNzNzB2eU1oTUZEUmlsUVUKLS0tIEVzTlRodkZWOFpoc0pFendwS3dL - YUV0OHJiVDY5enhUYnIyYUZ3RG0weFkKIW1K8NVG4M/YvrGYwbGL6IyaV6dX7qtV - tFd57d/A8A3vugzQcMCYvRuiEl1uqqId9Npof+GdS//8AhGeH/LOQQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cmdUWlNuSDdOcWo3eHRD + c0tGY3FmWjdhclN0dFdJSlEveDJPbGxPSnlnCnlTM1dKNTY4SC82MWJqMVFLQ1pi + ZXNwaVAvNnJnRDlyQm5DRFM3MktRcmcKLS0tIGF2bTcxRFRGamZ0N3U4YnFoeXdT + ZENWbnBjM0VlSitYdXhCVVlUQ1ZKUjgKetWVsf1xLsqfAKkO0yQSJWDmxETYWBCQ + CSJn0mbabacvgLFZh9CIbm1GBm1CRR+pPVdygwy2ISQSpB27tbHApg== -----END AGE ENCRYPTED FILE----- - recipient: age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TUVkT0xrblI4V1NXVkl3 - am1FK2VsTTMyS0ZqT2lzTG1NYTdkS3pvNFV3CmdzakU5ZnpJdEdncEVFcXBaYVMv - dE5aMXlzRUVtZTJQSXJSWlArSzBtZzgKLS0tIFhxYVFWa1R1VFhDOGNyZmdPc1Rh - N2VRNE02ZTNxUDNVWnNMb0ttc0JEZzAKCSgy9q357fSjSjnivOEgaNmhocNpzaPK - TIzJqTsUoLvGBdpXa5bNSe+guuIZgZfm7PCohyKrcm1AUhFJOWZ5yQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAydTFkbFVtUGFQUFpBbjhx + cnZwVEVaWElKbVN4bWM0RnR5T1g3NndvejJrCngrY1NJVXpxNC9TN3dmK3VzZTFx + bG1FZEpubU8rSWYyU1NObW42TG1uancKLS0tIGg1dEowTVM0R2hKUWIyVVlRY3N6 + 
YitZNW5TamlJbWtNUFhiWmNoV3dXN00KDaQWoCLomSLPzt969bwa/pxOdlAUqPKg + 5jbzSJX22N671dhwzJY1IiGTRKNnh54hCZbb1Jvl0l2mUifkxZazIg== -----END AGE ENCRYPTED FILE----- - recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOEVyV0ZwSWREWDFab1RB - VFczcWxkckk4SkVZU2Nlc1c3UDREaEpHb2dNClIzN3hsMFgwT0VuZVM5aGFKcmx2 - azNBeXVrMGJyVmM2S0p6eWd6VHNPV2sKLS0tIE1JZVRWWTFnUjYwR3dTZUl1aCtu - RFpEREJhRVBacGEzRWhCY010NllET28KqGfrDBjMUogZLG8oGWxUi/J0MNql1Wb8 - vPbOdd5PI36qAjxWEoax/WMG1LBDWxgJJva5VgI2uNoQtpo6rWHTeg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArMUlHOGE3cjVuVnkzSS9L + aFRWZExPbUJDZUhXL29oaVlyZ2JUSmtpV3pvCkhGREdZYWVPZ29KSkErSkgrUVBt + YjNPVXVaeXlyNXIrdzRBVFVEMDR0VEkKLS0tIHFNdHFlQUtwcWx4TDMrRDFac3hW + M2ozakkvSGxSTi80Q3YzV0lJbUx4eTQKC7bf1qkqKM2YkHYuk67Ub7XAO3engfBi + nk/kDjf47A5LWUzGFDYb7UizmaI7lkPjw2mOhWPLGfX6uFK7sZAt2Q== -----END AGE ENCRYPTED FILE----- - recipient: age1hsumymvh5mkqlaynrp9lv2w696yk3wtjzlyfmrpeuvh9u2tlwceqh3563x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlc1hldmx0cVJaQ3lkY2hR - TDcyQVJ0ampnWFdva05YTzdNZHB2VHdkR2trCmtMaDJUSEhPeUZFS2dXZjRSUEY2 - dER0T2N5cFpNSVNtVDBtU3Avb1JwZmsKLS0tIHhJY0ErOEhUMkNjTXVCbWFSeW0x - WmhYaFpXVXlFTWlhNzY3eVk5bFkvK0UKVf0W1kcQr8uHyY89KW5LfZxkb5tKhsEj - H8SwJ2pvLuY5aRudkmnbXQwpF1i7oL17DWKcQI8qIZovxtdJqovmtg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZOE1xRTJaWUR3cDBhS0ZX + eDJ3aW1vU1o1eW1yRW5UUWN4QWN6TFY2QUVnCnRGUkgvNmRFMkdFRHhPMlZrczB5 + VjRvb05NTHRxTkQ2Rmx3clJwUVovVTAKLS0tIGRzdm5vL2NTdTRpNmY1dUtXcGN2 + OEVSOEIydnRJaTdocVBNK3pQSk9lOVEKgD2xXVdgrk4Ur6UdbdEMsjCqu+w1VxTc + HIvvvx6JhXU5ZD7kjFru2eg2g9ZalikZuL7wt4OGfIkyZZrg0QwLZw== -----END AGE ENCRYPTED FILE----- - recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweWlhVGhyMUR5QTFlcytP - 
T1ZMSEkrbVNjdGNjZUU1VzB0Um52S3ZNd1FNCnBjRzUxMyt0VzFnQkJTWVM4YWw5 - NFhxR1dZeENndVhkU2lkdmQ5RWpoYlkKLS0tIDYzK1pzL29jTXI4SStKYmRWQjBW - MWt4NmhOdWlOckIzejJTYStnV01nN28K96etySWmQwVux8Xdo8pXFmCgT9qRq4ZJ - X1Bl/iIKZDkeFSZjt+wunABbgG2e086xUFsiUvAXclVKBEnuUf6RDQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQTU9jZXBtanR3RFZxRk91 + OGNDcnJFSU5UTEZDMHFRTmh0bGg3VkxNdTJBCitDNzVQZ3NOSWtGR0RhS3NvdC9E + NTFyejl6TFAyZk9ZK0hBMXVLUHplNU0KLS0tIGwyWnl4aVZxZ1BoR09kZDE1Z1hP + UWhnZVdhaGNtekdqVWV4UENJTGhiWUUK2Mo/VAq6pTUC919opBOVoqe8rDhx+7YG + WEEbFrsuncwU5E7lTRveIhI3E9cEA2+Fy88dN/p8ntCR2doaZjlu8w== -----END AGE ENCRYPTED FILE----- - recipient: age16vzhcvz8tyxj8e0f47fy0z4p3dsg0ak4vl52ut3l07a0tz465cxslmhevl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0RjhEVkNhc3VUcm9zZXFY - djJ1QXc1UTJTUlltNHJpblU4TU5PQUZXM1d3CkUzWVVucWp5VGd6TmFQQ2oyaTEy - c21leUY1Qy9hMm9KajAyOWRCNERwVkkKLS0tIFlMeEFKRUZTZ1U5OVBvOGNpaUhQ - WWZPbWtyYTU1dFRoSWw5NTFRTG5IbzQKyDv4/mBPR8Ev3cGrHzHw/+nGnw39GkB3 - YGjqlKMpfX1Y8BGlPRxCVRH0c+iQqEBxdqVwOQDC/njKGcMXMT90tA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5V1ZTYW9KUmFKWFdWanpH + Q0dTcDZVd0pDSTVUWlVYVGptRndkVU1sRjNFCnVmQ0ZFRnBVWGk0ZExHeW5oTFNN + eFRYVzV2SDA1RmNZRXlrRmV4SGMvZzgKLS0tIHpkZS9ZbnViYmtqa1A3WmZjU2x5 + M3FaM0RaeURQT1lCb1oyNVcvbU1iRUUKDk3bCkZf+xGf40JoiC/lLmI9xVVrkHaK + AwSeHtRHhvunWdFRyNlO5gLeeAqQuIBAUlwuMTgMdLYKzueOjdzJiQ== -----END AGE ENCRYPTED FILE----- - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcElsLy9WV2NmNVRwTi9G - YWM3MHZEYUdLMmI0NENTV0JXWXlneU9iOFdJCkxUWE14ZkJtUUF1VFNFcTRRU2hj - YmRoUkxJcStEcFQ2eUtPSnEya25xaU0KLS0tIHlweHZlTkovRVEzNkl5ZmppeEI2 - TTVQUGlaZzB6WjhEeFp3eUdzMGJIVWMK5dQgr7YfvilutGW5nieHcsyTQu3pxzVF - gYoCAmKUESrmIubSPOD0RifFBQTFObHJDU5xiDC4a+vampqH/5uOTw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTMVB4N1NvWlN3d2IrYm84 + 
d09jWU00RUtUVTY4WTZ1d0w3N2tPZmcwVFFRCk9qNjM4UFB1b3NTTFowV3dmWGl5 + bEJNeE5LSlNGdGdGcjAzZ3A3RENqeE0KLS0tIDR2a0RXSVFQRHNSZzRjVThkVm5B + U1NhUjNYcmpVV1JBdGVEYWZha3dEbzQKeci1Kak+wj+tCEsQiKg52IvWbjrmx/aZ + ZEpwZOeuputFvxDVUAvkTtE/qthfstDjFnHYtKgTz2vtBUDachnhhw== -----END AGE ENCRYPTED FILE----- - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTzhUM3ZOaEdoT3ZqQ2p2 - VjBvS3RrVG11ZjVnKzVmM0grTlg0b0RKNVNzCjZhb254b3QyUHg5UFppc1o1bGZZ - M29yZDNvRnVKL0JqQWoxUGNKNHJXRncKLS0tIEdYWGQ0SmQwT256dGsxZEhqRGY0 - VThvSXAvMVA3cW9qMW53Q01TdHFtZm8KoiRiL8tDLUJeLocbRIfnGWuUG/0Up5pp - exdFlTaLNUej8UT7UCUPZvvYN89Zq1ea110xr9Nim5zzFBErJfRPKA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpYmpJMFgwWmsySWlzZk8v + OGtTTG9xZXNQL0pHMnlSdWxNSDlWY0NKdmdzCkd5VG5vcTZKSTBOVnFYQkdGNzRB + M0lPOGdNamJHcWxHRUFXUEp0ejF6eFEKLS0tIFM1VVpFK2UrcDk0YWoxOXo1Z2JO + OWpGV09wOVBEWnZ0M0xBdmc4TFlnYTgKlPTvteJrwkEfNAPGOKK84WNXz0ZWEkFQ + irEIJV+SQD75KCfsFQRNL9s0Phd6t1wknqAbB5L4GLPdLAZKY2hf1A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4OE5nYkFrbTZUWmdnVWN0 + YUhDNFRmblU2MFk4UFlXNmtoOVYvZkY2cWlRCmJ2VGwxUENxS0VKbnRXUVNRSWNW + ZlFTcTNVVnZKVXhqczc4ekF4M1FUTFEKLS0tIFhiR2QrYTFNcTZtZjduTWg3OFAz + aThXZ0c4MmNVU21NK2UyZGJjUkNQencKiyEdqY1J9MGYfbEQ6U/7xOulYFTemU9i + 2gg0P+3MhxBu1zcVTq+0+YbOxjw7O3/TKTO9Qj7MqdM3Gh1DXlix+A== -----END AGE ENCRYPTED FILE----- - recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNVZ1WGR6NnJtMC80STNH - dFZuRC9jT0lDdGlSWlFIZmJCUEFDanNib25RCm00YVZyakl0RkRBbUM2THNaWEpC - K0JtaUVtM2N5NEdyeEtpTDUyTElaQTQKLS0tIHcyN1Brd2hYYTdIZDNoeDBVMjZH - NS9yV0dlc3lVOXNIS3dVR2pmYnNwVjAKlbBNLNA7Pl7tUg0S9X3BTICkbehkmTP/ - 
mqVVce7F1Ml0dXi0t8AsxK6HyrR14ZF3QsFr2q9PgQ7qnLv9o4xzUw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEQnZpbi80Qmx3WTYzc3p5 + TElMWkJYVlNLdlVZS0Q5cFNTei9ITVVkd0dZCldrdGQyZmxPUFFMLzFnL1c0VWpk + Z09XdktuNHQzTzh6ZnJueXoySHYwa28KLS0tIEc0ZXBHZ3ZvOVVlelVhNTZpS0hL + ZmhYMGhpcndEMlNFMWVPWmFUQitmRkEKQoi4hri+lEDo7FWiiYlbw11MK+PRnIbD + YYGmu44YDEMFZWAfszAaT6dYF0tJpyEuH0bOgcDEg7GlQf+BIIogtg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-01T19:57:43Z" - mac: ENC[AES256_GCM,data:2CLFlduO1fsxtvF1fbH18kadQuawMwIYEjsJBvZ65tecIdjT5efPD07+czmysKWBh6FQuVPL8a3uVlqT2WUW57AjQZtxloCMAFS9m2S//I6I8GsLVccGnmudiHUdXFnt+gI1gtb6ukZMEps4m/LSqUHGSptVwqrIN2gBM6Yy9Mo=,iv:S/crBYhr2HTzMYn83bK2YYO7kwfDspF0gvkoiuI9J7o=,tag:+sO+jFMFGZSsCb7PGnlUmw==,type:str] + lastmodified: "2025-11-25T21:30:24Z" + mac: ENC[AES256_GCM,data:kdyRIJYzWvHJp6Zu/1+JySrcfhjZpD5JQPIAuyHM5mxuUKBdH3dQGhrcJ3I7MOJBUrF+Bby4zakA57L7NBzwshNXsCFv9kCFolvE6m/Vhpv0SW2mzE8SguwxiU1xFC0kx2849YN539plhOEXK2be4TBxgTaFlimVtD4TtoWqt8c=,iv:DHKISvoLH4PFwqrd/iYULl+dFG7DYC57WuPHB5OyrAQ=,tag:TzTu8PWUBBAIBUmg6/fK+A==,type:str] pgp: - - created_at: "2025-12-01T23:06:34Z" + - created_at: "2025-11-25T18:32:48Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTARAAq+50+eWOM8TOM93JkwnSjUFLjwO17fT5jfBwWxqLRULp - SgO5pCfJSCr2xFgzcuS40+c/ewP8NHwI+S8Mu8lcJ6Olyx279QyZJxdKvVba46Ti - 7Dgb31UzMQKjjOW8/nhf0JFIq6KH5HUQP+LmmQK59VEdoEnz4XYdxq7mGeJQsn26 - E0AG5UvIKjjSrZQXbx8zojIEwE3l1t7Ipw2oTzHCalWf5at41cXyWmfIzomWHElC - XPwO8mjcBY5LQXDeTu2Xv0mBvFzXNBIFaEhrdphFxJIvpfl1FLefK6LKCDLhQtal - HNDBziTORUAnvP9JiIviSr+OUhTHTkDqSMYE6SD3SFsvQ/nArQHRin/FvPPNMVhU - TD0yec1VgXTJDJGe0jq+PiWNTwwnxwSRmKdXutp2DPEuv0amRGVOkeAJNSQPADOk - ZUGBKqjr+trvcKWReCC+gi6jMTP5N7rpjemufQ/p0pOTKmPeapTcWitqtRvAvGQ9 - +Q59sDqTgG5w3oSAnvboDwITFil7Pr39Oiwn01btDDlGXj0+ieer1mHOT3vI+NPE - LSrFqUa/kMMW4+zZHGlwMoNHZbwLWHGX0O0KZFKauht3ypSsjrJbOeBIGgAq57S/ - 1U+oerlPbnCCrUTuP5Mns0Q86mEbOmQQyGMgfigJ0zFkMOlO3306T01keUv35giF - AgwDC9FRLmchgYQBD/4vNejy7yGJSxzL9ouoEDqEaIGx1+pzzAyU+P0GYXV4rwat - 
P6YL8a0CikYLdkjgUsVDfFV7/Ou2Q1aPBn8AGRG6eaMlaICYK1UX0xiP9196dENl - qxkm3zQWCfxAkgWyUFernSzzWeE1z9FgEfrTOqKaETprFVxxv5tUKVABcXHSPNqD - hYqllb8tL1tS2QrqvxIOcrL7KHAnRPhHimIFeByNN5lN81Z3hLFRQ1Bl3LwDPeF3 - /kEhVjmGqzw2jEkH60Am9I6xZ2nlSimF7Bi4pcu6QCWhN7PMwWEyGxj+Qu8Osr6F - 3ab4M2vkyTZyewUGsn9qO3CcPAHPxyvf+pyV/q87ejuE2e4wR8LYcJnk8BOKsNRJ - m3sJffhhmB+f58HLzy9TwvaQqMno+/KnbV118lJrdzf8iCJrlUNY62MEjBFo3QhQ - 2rc4vJXk9VINiZlHW3y9ZXV+dTus/gHKjN137dxq/RPU9tf/1Y3Ow407fDu39DT3 - YrAAXj3jfEK1aoTtHpLZAp563Q99NYyBQLt3C32X9YZb4VuYCXvGsi3kqjdQl/zg - ZxUVlB3Wzm1jhL2KPOu1SuPAT9HLwu1QdDw+kw050DNBWgeLJx9i8/U8LC05vF6z - VWyozdZIdIfAKnMrFOU/8pJ/lNYb6pXbIYwbpSIDslV3Cj60KWx7X6JgVUf6d9Je - AQZ83SkdK0sBXS3sfjwCewyY+ta7i8zWYcG8KDbW2s7hxRb05u2nYKhJZZJ5xLcK - eRhg3W/bMUWk1bYZ+Whz77uSIC3n/mgzIlsaRjMokiX9i0a1jXVyH4LEluPO5Q== - =MgE6 + hQIMAwDh3VI7VctTARAA2KVbwbh02Bofe+Fp5xuwOZ8vezg5dQp9ZRq57NlnvTcN + LgygtWBkBYhle9PtkU+GoaIxD12cTErEXjwt70HpFlUtSQso8xzi8/wo0cvSynDp + pN7j6SLF4jNjQzF8d0CP2Pw0nz/kK2yt20G3WOEAsRdvaHsbd+IefPWX91hhM0cr + svTkPU1sVT/svhyhgSw6MllAxxHQ8s35RJD456MIzoQMr/R28cJz539R+R3NGQ8s + ecLK+8qaqBrKWkXvucs2E4zOMyN41ND7vWDbxQGHy2RY5xpXzXSvpw3eDljK8mcY + 6MOiuWgGzLl20ww5TD/c7EwD/V3mecu+DO/qReWFe+UzAZOP7DdH4gcrbmDyvrIk + vM5Es3rkLwp+N31bBEZoBOX7ebD5CjToz4WUgWDgiaIpiSsAsCW5wO4e85Lc6L0+ + MgqqicIcLQrUHLK6t/X68lFTHCmjKttKCYFnvA3pVi0BCpcTjGJiF7ywHhbVeBEE + Zp4zjbrz6hP6Sg4yE6DUFBf7cK5BrTbdw9DNO6h6wre2SFCGan3AlWyr2l+U6gq4 + fCgtLHJcjchf41bIdCNod+FImRBrkJYGdIff+ZqFQ8a3C10blmqoaHXii72ig+RJ + vwR/ND0BQWsV56tNkviEapBr3n196xR4ueXFTuXe69PX0BI95jP4ybyQlUmx6rCF + AgwDC9FRLmchgYQBD/95o/4k1QFCtDhpD0H2RXtlP9HH3Mlul9vsd1Heqf9I4oZ/ + XcwrXcaep/3Sf3VWIzzYtiid3gkO4yO/jBdxaQUY06h+32v9EsEbbE8TcpRCjUXz + fh5TBtPIPCDaZjj8Zg8CbJPeQL/9ePg85OLk8OL3kwbS8j77cAYnJwk2ghoyHMAD + Ty4Vy/qzyxmSMXXK/V8WDBuUb8D41iD8lTk0swTUKkwPQmn9IZvpD4uHB3M2L4ll + GneOcFET5RqpltUmm72DOoy/wcOCAb19IzRz1j9Emtob4BElhYyMHShyXof/8JUr + PiwMm5PWj30YRD7GvsfWpEHhpmN+uTauoRlQ5WNSDIMuDIVjIMq5whEQ3cnO1Wp0 + 
LPqL2KqE8U7nl2lsxEp9siZpt8yawOBZlHRqXrqsdQ94UrgBa/AkfqNC/WgSHi/5 + mgFKulRqT82Y7Gr0HZYmfAF3M1z4NZ1xOk3/LsmhkEc5NvMV1sWqIEOahKrUMwL6 + EfhxIdfYZ4RBf19A+L1ZFV9cxeI7NhBTK8IZNgJypTpih7Ue3igECuYNHxOrtTON + tIAqRU3Ow8V/JvO5SGXYtDk3SmFyaEEPQXb/ZDTuh0c3nRhbeIaHjF26nD22krht + B4MxaK+/UOsD61W3OICanep5fBREUN+Ku6BuYyT8hvZUJ+Kjjnp0G+EvL3dKX9Je + AZkb6xguhuMcgbS0K+mEItPcrozbNZ6t6KN9Gk/dn+6D9kONypkSlRveETyQHPkx + +jPJtJnro7ADZyFHzQTF2/2o6pEnyG2xwn3m32n9UAU0vZ30gV04AQYE9zMa0g== + =Z5aJ -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted diff --git a/secrets/keys/ssh/builder.pub b/secrets/keys/ssh/builder.pub deleted file mode 100644 index a13b0ed..0000000 --- a/secrets/keys/ssh/builder.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0y5NPuZhHPvXUJANrg8JQTSq2x4dP5YNIsN75PCS/h dgx diff --git a/secrets/keys/ssh/jump.pub b/secrets/keys/ssh/jump.pub deleted file mode 100644 index 45355ef..0000000 --- a/secrets/keys/ssh/jump.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICFHUnLmDa9lK5fTTPERGp+xsGAgSNrRE7/l+F/C4vyz jump diff --git a/secrets/liliputsteps/secrets.yaml b/secrets/liliputsteps/secrets.yaml deleted file mode 100644 index fb6586c..0000000 --- a/secrets/liliputsteps/secrets.yaml +++ /dev/null 
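Review bot: Deleting the `builder-key` and `nixbuild-net-key` entries removes the ciphertext from the working tree but does not retire the keys. Both remain in earlier revisions, and the unchanged `anki-pw` context line suggests the data key was not rotated, so every past recipient can still recover them. Please confirm the matching public keys are removed from `authorized_keys` on the build hosts and from the nixbuild.net account; the deletion of secrets/keys/ssh/builder.pub just below only covers the repository copy. The added recipient age1glge… also gains read access to every value in this file, so it is worth checking that milkywell needs the whole general set rather than only its host-scoped file.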
@@ -1,48 +0,0 @@ -jump-key: ENC[AES256_GCM,data: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,iv:fPbPAptt3Gsgi7v1xCCHRClSJOXokBsvyCuLz/BoGP4=,tag:NhzeHRxwhQNI9HUFwLYMYg==,type:str] -sops: - age: - - recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM2J4a0pNZFRXQ0VjOFFQ - YVJIL3hFVlg0SlNFaXRvbkxMV3RhZm00Umg4CkszSnZLTXBXWUJHQTlmRllQRjhi - OENYMWRaVitPOFAvYXpJMFFYRnVYZ3MKLS0tIHk1UXhOL3FuZjZWNUxzNFdBT2E1 - R3MrQ2IvVWxGOCtkSDBPZWF1dWdHSk0Kz+zJhpJNmHHj6npV6tQ+n4F01A93haSm - nyT+MAs+VxRlRNNbAih8En2uxRlzSHjFekrLLaGbVYTrRtMfLiKyvg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-01T16:49:44Z" - mac: ENC[AES256_GCM,data:RIz594CVnEbUw3Zugj+WO82o6yqOD4JwSFzkqFOfd0M+LOFM68tT/14D7vxPitXEPqLvJC6MHG5vQ61PgU4fG9JoIEqxjvq4AAYmSdCwmB64MCeUIr+V4/fcYrRxuRyiXC79z+rJneO7SkGCX95pfVhGjaLftzSjfiNPPsC5pps=,iv:D345cMUSPCGzrL9uWuDwAkAqz2mTvVTL3QVqHesldGk=,tag:HkBF29S1c9g68aKKSYSWhA==,type:str] - pgp: - - created_at: "2025-12-01T15:59:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTAQ/6AsofKCzZ3PjJRHeHSt4XfdIVCCvWScjT1JuvOnq2fXIO - ZcgXPtVoDvd5vSv/fZed+1WJNRpiuNBdmD8cj7N+XqJotgCsQt3HwROCD1UC70Ww - cyHxh3MyukexrO/uIMbQ6ugtIHPVaeC7XyAOugJfHFWZG49aW9LYDkPRGluc0/zh - 7X/p+hZFLpljfL/qdZAakBDw2V0+yt1+5JW5V57jIXRX62BRSFoHqLrasHjvDgyX - h3ktgaIeDL+WssV7jra0oetGsXOL8+GPpo5PVgWONrOl4FBBS1qmNRAbLkJ77KVN - bBDV6Oy1DLqYvv/3UcqWy5XW9VxepEVsAaR+gtLzemMQo9e+qBmhE6tNR6Gvi0y4 - WmVqUZL/gF38sCHoYDT7oWq1cMJ7/zT9Xz5AXgXXSbtBKaxZAFs6QwZfw1rW7dj6 - Is1lXDNCtprsvc3Kxf/R4hHWT5nVFJN4xpKT+epLnumMA1YvkhWx0uziiky4ZH+6 - u+RkK9YZYpGdIYPg7ZK+xLmGLU0YwdIbgiyyH5Jo9JJcqgS405ftAe0iyQjHpiU4 - 0b9JvGMWPzJxWvi8rzwYcI/cfd2n7ZPchTT7KTgva9xeFbn4g1ZOlEKOWg/ZoBr4 - WhpI1SPS9kW0huGXS1k7Dsu0GzRBmv37AEm2mVtYPYwsK0PYLKfd4XGFQnrL0euF - AgwDC9FRLmchgYQBD/4jbW4xGw3JC4OLE7o+GqOoAFz5c034IHiEdgStYNx1RrFm - m4lstvzqUNL0DFyYdMi74iBtqnnFc+KymCTxiAlKiJThosMbV2sffc7e6CI/z9/Q - 
dsssJwPhv5h8XTbDSeGDk6gEr2kyKV1+9UZky9UYASHii4uzonofnV0RO+PdgTPk - mp36YufsnW2yVuKpsbCdMddEXqyaSYuhsU/bMAG2orlWFqqp7kyaARNrdI9hBnYQ - ITZTM4pPKQ334qhqUd/JYIR4luBbmBxJgTWSe5VqWqshK7u1aHr2mfXUip43+5hA - mxNEp0bmR0SnczKcxiZjZK2ZN+fBTqBnPQAxzCgsBjWrCd4a3CzIDOR/Uf3rEx2W - ccDJWRFI+cSpjLps1BphJvgkFjd31XcplLR41R78h28Mec1bE6xHMi21XUbGrITy - IuOmWAv4EDwRQtnfq+9qJ2DbmA3Ldo5pNPhldH7njET0TZVvB0ugq7EIvKxiNmX1 - kHcq0nV1udSRPr/ta/eHInBD0VbVwNhk/z13xzPGKQVkhpcgy1dJj9FeJnUXqzWt - 7xvHCqeGXVo46YeXYXglxUvEzBtdTGdEC2NTntEGhX6dEC1gl/g1VYcPfJJlk+S4 - RENvBpCa1Ji51ix8L6u18jT2epfbxcZcSFS/0Nv8a0IUktvOeLe6y6jdYJHYPtJc - AQk4Y0lgOBoqiaNtybNCd8c/rO/yQ8m+xIxmiyyghjmPGWzEX8fHrR9fE9TVY0s3 - 8iBJVVDZEwtiLiELlbce0zkdCIH4UiyyEovhP/EEwxF8BrnAXo0NnVzcDGI= - =2NIK - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.11.0 diff --git a/secrets/milkywell/secrets.yaml b/secrets/milkywell/secrets.yaml new file mode 100644 index 0000000..1177071 --- /dev/null +++ b/secrets/milkywell/secrets.yaml 
@@ -0,0 +1,51 @@ +#ENC[AES256_GCM,data:VljHjyZqPvnVxhuoEMhGrWA=,iv:nCHj+sdhAOJx37fGFkRzfrK+PsEP+tRELBhnP3bfoIU=,tag:fH5QNt5TeM3K4nXkeIC4wA==,type:comment] +anki-pw: ENC[AES256_GCM,data:TR3roG7I1213Lj8=,iv:bK3WIC8Q4Cm6cccXPFx4K25GRRUq7Le6bEAVdEZdNPA=,tag:LLC/agUxZT0MIKxk+TSevw==,type:str] +#ENC[AES256_GCM,data:EUHyFduvRqc=,iv:RHW3wsx8P1V4hkwnrl456qMgi9uz/1qoSOg5AvqwmhM=,tag:p26hGYMn5fbuNJ7Qr98E0Q==,type:comment] +kanidm-forgejo-client: ENC[AES256_GCM,data:LuOFq+bj9TIbaN6Arz/etcjEO0WnjswJNw==,iv:eqACcjjr7usTl7Dv8HTqH53cHDa0+HV5IYN8Rh5aChg=,tag:upBfWOUOEoZRPgUtlMZE4Q==,type:str] +sops: + age: + - recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNN3FrdkRTeUVOR2JsRWNT + QTV4bUw1TXN0SVRnNUREQ3VxNzdHN0duS0hRCm1FTGh0a1UxSDlLYnNxRndWNHpP + Um51WDlEZm9SMklXWDhjRFBRRHRkaE0KLS0tIDlkK0xhWXAvcTZjcmt2TUJyVGJ6 + cUUxYkVGN0hVZ3UrNHdmSXBQbVpkNTQK7yfeX133PekxsK/2BXxsx0pxmWBcZkZY + UO4ZHCcZQQKMg22BY/3pPz/Ui+uUfZ7AIdLjQb6WQvUbmgz5Lb0M9w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-09T13:41:17Z" + mac: ENC[AES256_GCM,data:9SntfZTrKnCMwrQAncIcGO9qPXM4PT+ZWnmk0F6S0Lb2xx5O35/i39P9vYN/QMPMzKc5KmmLCzhictWvBE8mr4+17pfJBH0KgiAqaOm9Vgy8Zg79/xH4fCia8bwYDfKe5uNwvRwknM3u5/eXLNcr6MnkDspDYTusXhw/qTQav54=,iv:P+fHF35oMNP24vadFA/rAYDm6n0ieAMB43ovP+7vJCo=,tag:4gJqIhqRg+3P84aUgRIPbA==,type:str] + pgp: + - created_at: "2024-12-17T11:38:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTAQ/6AvUzw5v7J7zEN+rBs6A0CkOD4U9TG2akgch7eKkdKSB8 + FfVOheGz/R4IvrCx328yonhx1c6oNdaKE/zlQ4TZhzAiuKcPmAjYogi03OeIsPoH + X58lN44KrIIp47UGD0gPSfLDVjCy0M6UoNhXiYaDcvCngoQQT7o8KKPkqNCMK3Qd + yomU6Te4uO9A635z6N/dUeO6vmHK2Xt3ek/AaVdGbhjPzcLRq2t6vfsTT+fP1gLZ + V182+fPQ7aftyH0zuNCXOxrd2VbvCY8cmq/Sqztr7V/k2Wr1V2G2RTwlYo/VIEgL + 35Vpz0YXa/aUk27Ifvy40zscK31YH/N3UssgsCBzUHGl4JsbVntDtUrZmU/3Gi5r + yvz4icX4fXi/k3UyKxRcakfz+L5Lh0x/lI7+rCG/1AuxGawKxGBuBZzA4gsRNV8o + 
va1JzdxMvMDUkCx/kKCcH7Cn4vuDzmvhoLiATqWyMjjNSiBwaDL0Elc3Zydt9Y7B + 4ZKfeYW3wPxXqsqoxfKt9X2g6UYZZXSWoXmgcXhV66uUr66aPp2qqL9p47Mlm1tp + TpxuGYbtPnTCp5XT+AUHzUv4oFzTt0f6cpr82og0mOjOsy6huKZzpEC4O+QV5tX9 + aKbmSplCrcuUrELxqy1xec45N1lIHS0r5+BkIMirIrUwMDEgmkP8lBkVjyTr6ViF + AgwDC9FRLmchgYQBD/9ISXYyr89r9L1LchFKKSbffMn752vbUULJXa5/wY9yl3ad + jh9yLY//4Z317zMs1JjmVubjiwufYZvDEnHmZYdsREXzrpDTjGzdq7bg0pUp85rV + VXzX/1ZpQmYeCu6/DRSSHjGxbxWa5he77WtyKKhDK/uasHe6GFoSJTdi/I+/ps3K + mC0Famrj3QlC1G1RbyTMNUzUJO3+ggVdaDJhUIQUhQ4mYk/7p9VvmYbXUc49zyBY + tmkl5ULEfvwuYaDZumlfCtJwDuFBPVmZvB9c6pT1x+HD/t/+2hwpozQS88Kzvuwx + 6MblAjZiYiA0n4tteKjELjrQbmCrz0K+/euJi5DeIspAkjzJKac8/R6poVcDPuUk + OlpSe2mSJDyXjpK+zS46412eIyG7FtmtXscCFaru5PKU+7PCFWkXY0gErEZEyi9Q + LyrKhgsKAagaNhh87Ar9Sm/NKjhkRvgqk5lHkDp13hl7y7PX9qc5/tJukK0DIJEG + 08KGLjM6+vudjRJA0JljBNeCnlDljwcOLKNbxqVzeNQFLH7PVjOzC2O4QLJTxlE3 + 1QmPnVBewqfz4V5oQs6su52n81QTU+ywFJfhMjCr91+pqpZrh8j2fo7oMhHmR9QN + VYCVE61prZzV5B6rylXvk1aqyy9a1WMahBImqtsJS4xP6avNqXN41fog0B7FA9Jc + AexORDzza/Hp0SeiV4UQZlBpJ34HrONUiSUry9m2UZ4vbFAxBSXZdt6CVpBGHvCR + Dl4GxekAxaiaj2hvNNXJaVMupsMYpOCzyuUBayv0BFouCuaIFkoqOK9tAy0= + =pG8D + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/secrets/moonside/secrets.yaml b/secrets/moonside/secrets.yaml index 08480fc..d365eb7 100644 --- a/secrets/moonside/secrets.yaml +++ b/secrets/moonside/secrets.yaml 
@@ -1,6 +1,5 @@ #ENC[AES256_GCM,data:HCHFN2Q=,iv:Z3tD7Hn5eudPR9DuX6etamkpNnYB/NRYGppWdyuUDuM=,tag:tbuWEFDmh4HAyksOZOihLw==,type:comment] -#ENC[AES256_GCM,data:cEw0zCAIF5242UDWZeHCxNHVWQ18mnmaRyjd62orx2P+uq9fiaoDP39ez1Y+wGh1d+FyyYUlh2l4,iv:TfK44vaoHmvShckrn7ztRvWnEUftaMVNNf8O+c70sS0=,tag:/fDK7VrkBLrcWfbBe/A4wA==,type:comment] -acme-dns-token: ENC[AES256_GCM,data:qajr+/1OpVno7yyt1z7cXuSFqjZ4aUW41RP6ww1ZxJ0FhZQxhF8OTA==,iv:8QxdzLc7T803XB0E7ZeVmSLnkUQICZP0Jk1zpoWjdqA=,tag:xERubWmq/vxwFk5V59o69w==,type:str] +acme-dns-token: ENC[AES256_GCM,data:lW/XJCHwApvIofSZHL5h7AUPISjARfmDnpSnprDBHQYzj0u5ZlZS5A==,iv:/y3gjgC9AEU3r+l8Uq6P7DAU2C8i+qTQ9DP4t0g8ZhE=,tag:v24WRudw8NB84b3XBFupHQ==,type:str] #ENC[AES256_GCM,data:XdLlonkGBN0b,iv:wimLW/7+a4MJCVg4zazY0ogakxXjdyPNZmZt0CzpXao=,tag:rg7FEi1qaYMkCXX+dwjFLA==,type:comment] wireguard-private-key: ENC[AES256_GCM,data:aBQSwDyASfVPhU+5/yT9P99DCEfgt4SvhVq/aLe+AUcXwSqMiI2DkM5THO4=,iv:iAW/OUihMXHoQpX8pX+f/mz2nclj+n/ygwYxx7PVxnQ=,tag:zhlxjoIkfa237RoFNblszw==,type:str] wireguard-home-preshared-key: ENC[AES256_GCM,data:yr4vO9Bn+3PJheJHbeNRHu0ozCkgxCGuKBJnb/3zzHVQAsI7GonXXQxFjBM=,iv:1r9QgfdLkXCtrRS+/2+f251FjHiAm9nf/Zfzu+CYuws=,tag:kWiXCTfj4Rrzhx+SpSp/dg==,type:str] 
@@ -30,8 +29,8 @@ sops: bURRem1aY203VW0ya0tZWUY3WTJLQ3MKonflaevgNP91G1cVgzoE6/K800kyG6BK Goe81HCYFfm86pzv5wV3/38j7fTZNeZnKwPFkMgEUueF1kA8J9V5CA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-28T17:44:47Z" - mac: ENC[AES256_GCM,data:h3skmRhVfBa/W6GB35O3sHdDLmo/4VQ3rgFbltdweDP+9qbQv+6tduRGknGiQjnyuaGGVyPlEOqfLKzYjP8Jsx+XnprblNfD75yiGckBFQaBKhd8l+hfcYVRNTrKCWkFUrYXIfCWgbrXNmq47SHn0+TBedXRw+9LoSyqsRdIJOk=,iv:Js2C7XfOD4d5fF+Otn7xJxBw0Nfh1cB7oLjyCrUA9es=,tag:4flxdWSlXyslNErlEFM2VA==,type:str] + lastmodified: "2025-11-27T14:38:31Z" + mac: ENC[AES256_GCM,data:PgNvIZeLRnGo6XYuzYsWhc/5pyKUpNQyXBwlgHk0F734lDlsX0ZPinekq35uDEn8NceWnh7Qi8ATZI/oFMsZn8EcB3SnMj8vzRH20Gm5bpESP2nu5Wxki/m0Eq+6afHFTc0k7dPnbvyQcL0MbUiA+nrembqHWRWo8lmrATWZrSc=,iv:Suf3RdzzeXTVebR4cSvhFCO2kWJV+ZECHy+REMa3KAs=,tag:2LSxZDge/aRMzzMcqWULOg==,type:str] pgp: - created_at: "2025-06-13T21:18:31Z" enc: |- diff --git a/secrets/repo/globals.nix.enc b/secrets/repo/globals.nix.enc index b9e9770..a1d18bb 100644 --- a/secrets/repo/globals.nix.enc +++ b/secrets/repo/globals.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:Xbgn+Nv6py85+Sl72aYxyDgfPEGsWK4+YqiYTQ/5pw8=,tag:CInhg7J3Au9HcgIWkisiOg==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:N3Bs1Arc+0g9tCd66OMsrPyeB2be+76EFYBPPSchIpE=,tag:h5zh01CkvZj3ikWWwbJXEQ==,type:str]", "sops": { "age": [ { 
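Review bot: `lastmodified` moves backwards in this hunk, from `2025-11-28T17:44:47Z` to `2025-11-27T14:38:31Z`, and the first hunk of this file replaces the `acme-dns-token` ciphertext, which suggests an older encrypted revision is being restored rather than edited. If so, any value rotated after the restored timestamp is rolled back. Confirm that the restored `acme-dns-token` is the one the issuing service currently accepts and that a retired value is not being put back into use. The same backwards timestamp appears in `secrets/repo/globals.nix.enc`, `secrets/repo/pii.nix.enc` and `secrets/winters/secrets.yaml`, where `version` also drops from `3.11.0` to `3.10.2`. The `sops:` block begins outside this hunk, so the recipient list of this file cannot be checked from here.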
@@ -39,8 +39,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHblFPenlYNDA2WnlVdFBm\nait3bEpqR2ZUUjlOM0tMT1Q4UEpFSXpNUGxFCmtvQjVyc3RUT2pMKzdBbHNwaFUz\nelFFRVZFVzdSekY3c2M3RmJvcDR1N28KLS0tIFZBazRsTW41N0tHdXJWZnpwUUJB\nNk1iMkxZOFFDY2JtVnM4WU5KUVVEVmsKHb8PCo8cTyipymup/F8Oue5DiP+uPznd\nXbD74jiB732WPPNOrXh+wU74Uj7EpYoazvTcs4tHu30cCpbCz6cqCw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-12-01T12:37:59Z", - "mac": "ENC[AES256_GCM,data:F9Ma+RYXq2sAYc+uPn2u/A6hxbhybc0wDDVVspFJNIYBu1aUi34xKjxPaPQ+H5hWJEa4V3FtUugCJnMSv63gbA9sKPdxHI/AXIUAK3f7b4aPXEs4RTAQaxuvlAz98wi8cU59BDmdzRpYxfN0+FsIeIxjT7lcDS1JIcFo3M2o6+U=,iv:qWMGQYH+DERoSiMTJ5i/eviFD0diTujCjHGK+c+U0y4=,tag:hvrPpfhzdD/g/JXLwKRrtg==,type:str]", + "lastmodified": "2025-11-24T23:32:32Z", + "mac": "ENC[AES256_GCM,data:OAAUaCDJF3BOex3Mwl3CViPvrvkyYosgiC+hj1yvVDstRxM1hdpztl4GXA68jEykH3cw7tvSAom5ldeIr0FvZfwQ0WZXoYad6zPcQVvrdmuqev3B1TVnclvYTDKnt4UaJJleM9rYXmWYUgZSkKOr8Fgntx/YITl07kvJ8fCeIqc=,iv:a9utBRpGmwlhneyZEKWDytM8sD1z31fHQ942MTXzZ+8=,tag:n4sp39nXsmYlOXl4y37b9Q==,type:str]", "pgp": [ { "created_at": "2025-11-23T20:29:01Z", diff --git a/secrets/repo/pii.nix.enc b/secrets/repo/pii.nix.enc index 6e6edd2..2b632c9 100644 --- a/secrets/repo/pii.nix.enc +++ b/secrets/repo/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:cyjC5VQUr4RK2YwZMysK70viAI41VheecfIkCOAFHm0=,tag:N6GPAKgBXYdLddHPv5mtrQ==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:kscgLxpTxzGmXqsLpjVzCQC/G7BAHVGskJwIW5bBbPI=,tag:CG29z/rzs9vhcWfzy6ZHkQ==,type:str]", "sops": { "age": [ { 
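Review bot: Only `data`, `lastmodified` and `mac` change in this file, while the age recipient stanzas between the two hunks and the `pgp` entry with `created_at` `2025-11-23T20:29:01Z` are untouched, so the file keeps its previous recipient set and data key. The same commit changes which hosts the `secrets/repo/` creation rule lists, so the file should be re-keyed with `sops updatekeys secrets/repo/globals.nix.enc`. If any decommissioned host was a recipient, follow that with `sops rotate -i` on the file, so that a host key that is no longer listed cannot decrypt later revisions. `secrets/repo/pii.nix.enc` shows the same pattern, and the `age` array itself lies outside both hunks, so its contents cannot be confirmed here. The deleted `secrets/liliputsteps`, `secrets/stoicclub` and `secrets/twothreetunnel` files stay readable in history to their old recipients, so the credentials they held should be revoked at the issuing service rather than treated as gone.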
@@ -39,8 +39,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEdC8yODJqc2dBZzFodlJw\ndEJUejNMbVZXZm1uQ0FHeFhKd0craG14N2o4CnlvVkp6eFVLcDlnYStHaVRoajlm\nb05yZXA2aGpNaXROY2paYmpqM0dCencKLS0tIEVhMDR3d0Fla1RKY3l5cXZsNEFP\nZk9vdGl4eGxhcnBxVE91Z3ZoZ3Zzd1UKavS6iLiXL5acrtOc34OT2V/Ol6lWLtCo\nZglO7H8Agh58FRhyQUvDu+bHXTGnxWIhOnyAjJYwP3XUk0p/3E4PPA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-12-01T23:39:07Z", - "mac": "ENC[AES256_GCM,data:WEVxtO3Y7YI/COpOvvadujDYV66MtcKKujiE9P5mrDqqdjG8p2fLwhSNJHVJUwPyV8xAIIxCTqIA3bKmVKJ7vRCn2GQo5tRsWljNVU6g44LcXcX5wSeIgExyvUNjBppLbWsjstvfuJatAZwqDBN7eP/Ntu0R7p3wlr4IddDe/t0=,iv:es5N9A7ypxtNB9wPYT9uumwpLZg7wT/gesO5Q6njtxA=,tag:kgxsF5ZiYvM0wHDq6C19PA==,type:str]", + "lastmodified": "2025-11-27T02:14:40Z", + "mac": "ENC[AES256_GCM,data:8APHtkscFHpzAzbvcjtsa6LpYPtTzH0nKDA59DDEZLxLT+IEDUSm+DD+HSF4GX4l7uawPCUGMMMZ9K++uvogi6ctfETFFwTN15a2P68r1DPU19tnrq3Oq4//08rSh0t6KXQXuwTeVda85WTQjd28eqNIcsMj7rtPIa7NzgS67Fs=,iv:JrKP9cU/hjWeN0f8EkNHQOq88GHRgmlmyxAQWc0IhP0=,tag:7MNCxxxCjpgOOhNkjK/qAw==,type:str]", "pgp": [ { "created_at": "2025-11-23T20:29:17Z", diff --git a/secrets/stoicclub/secrets.yaml b/secrets/stoicclub/secrets.yaml deleted file mode 100644 index 0f27848..0000000 --- a/secrets/stoicclub/secrets.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -tsig-key: ENC[AES256_GCM,data:E6fpwErUUmyLbtSyCItzLxvrUfq2UPV//5u1VxnMMn5+TWj/PMuwjvmClEQ=,iv:KJrXIgWMMcs7riIPotAK+Qtj94o/sGKrgi7sOxVs1rU=,tag:YAyz9tEf4vC2LnJV56DMpw==,type:str] -sops: - age: - - recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMREU0eVFEbnRaVEJlRG5L - QjhVQ2F2WHZFaXJOM2hsOTBPMTQ2ditVMXpVClA5bndRc1YzV29NUEorSFNDNUxE - eEFwMnJoMHhMbDJtY0J2UnNIME1DRVEKLS0tIHN1dVNLWGRvbTRsWE1rT3c5aS96 - VXBRUEc0eDlQOXg5YlNJSmhDL0ZiUW8KvzVC0PMvMRjBaAS9WhpYvsWc34coUupY - aoF/zkgPmPWj6SY1vURpgUHC5FHolHL3DYQS/SQxdOXSrXIDxlIJyQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-28T15:48:32Z" - mac: ENC[AES256_GCM,data:Rd9MTRKzK4AaqzPBsxztoY10pECecWjHZlQAtbQdzzdLVe2TL8hIjH8TlJ8Pju9nmS5gvb/gB2CoaQZcxJsOvYsEYVg27+B2/ITGHslkbK7ngVd8ARNYITbx/eGp9D6VIYIzPBqcz1TkNvtPIuBLZzjCnxrvhA4gX93ZEEAUknM=,iv:Lrhi7Zj2IqC1ApsRT0IwmhJHaHf3dopvi7/4etVOBuQ=,tag:fSTaLrVhJd9A87PsPV+z1A==,type:str] - pgp: - - created_at: "2025-11-28T00:26:23Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTARAAhPx3hRyNLnIXwbGsjD6lAwhdqhe1yfJikB3+kWa+vaKC - /WOu22h0HB8cQwzeU6+LKeieuy70fEMcE2EHh8HjTuAIoi6kCDFjXA37pEtyIKaJ - 9uAc7EBNPOcv2TzFEnHjJXlMIRX1M4RegiZpOiZbkVkJeC7lJSe1mQhvHEqw3wmT - 7ye3ohDvHB7y2W040AD5wymntNOO3BSxQJEVPaKo7sLmbkUSPXRCBj7H715dHyFe - jf6nWbAElfUVM9oSK/TiYZwVcZv4/LbexAivRrlkFmnPpQMTrTeafS8r0sUtOoDn - 8YKuBu0JQMVFJpLA0hUrH/MIkEalbgv3DWsC5DoEEni5oQY3vC/bd0nM7P0hETop - wGFoBHM/kvGK8AnhcRmWy1fj15/TNrzF4uXn1Xr2tOLFrlLTor3JKCqIYTBWUIAl - Ve98SrZcvEdZKRqQiRyAXueJ1S4R60pCtTp6AtKxc7RyJuw6YM3VD3jcKBeIWf2l - UZr8yKfu24Rhy1WAe8+HT/LBzkB6/RKacBtJZVd0Ffnp8Cjaid3BJN3OQTLSSRCc - /t037ctWN/nSC8M/P6F/ZbSN4xEHRxT75c/qGpSBaMJgtwlD0wNIBCS9McuYD8p6 - e74KFlmm4901fytpHJvrdeQl6IAJCPV80540z3N78cdSxfTOF4Qj4/Dr4Flcp4CF - AgwDC9FRLmchgYQBD/4vX3zwM6MDpwW7+zeKrAgXYsHjIj2TYz8EIJ+bIH5/sUPn - F+o8kZyVjAc/c4AnKcCyWz1aYR47p9iHnk7Tf3mh8+MzZ4LCkuZjKmYjlfExd3RI - 
J0upRtTak4M/k2nxfVnosYwwFJhUnJpBlIt9DIU1AcDshAHnAOOeysIsfV7ahNQB - iYMvk196d+2HGdIPFPIG5tgJOFqamY3TtHrPmFx5SSj1ep4V2IMPqDudZDoyMscn - /8dYZCgnSFBDTFY/X8ngftxaXsdyRE/0QJFjG+c2M6G5gkccfpxkNU0toAwz3m9p - hS3s2YYkrMem/VdkqEvGW3cHnmM3ZHAttrfO49z91nmRaWDMm2ocl4CNoAsiEmc9 - /pQN9spgQGonDLM/yMpiuHEZNT8Pv+1YDS7kN2FlHuodsTazAi2ZoMDOrvHQhXkG - 9mS8fgVIJncthfxwbswjz77OZo/zyF41WgYzet9Lr8g7RDegmA+nPeFIJ+EVDKXH - o+KMJVbRrCiGnSvcVtBXQtvhcuJLe/LWvXbnsAo18+HPqA1PyaJtuMgc3dihuddV - KXGtDIpiy7UFw5o2w7Plqs2T+N0wQI2MTEkKS/TdWVO5zTMoI1uPE+b5H7z56Cnj - Xa65aUphUxxLMN9rbVXBSfhTyZCFM+nj7fY9pFmoUgfhKSZ83j3w5XlVL6bz9tJR - AUc8r4d6z59EE5vsIuImiM7/jsSudYewau2wnMuli3FmYISiR6kU+bRBmm0nF6Q/ - Kqt5nLxrcGKz2ivRxU6Hxc9D4gRaekoTkeP5J0Cr0IYt - =D/qK - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.11.0 diff --git a/secrets/twothreetunnel/secrets.yaml b/secrets/twothreetunnel/secrets.yaml deleted file mode 100644 index c232a83..0000000 --- a/secrets/twothreetunnel/secrets.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -#ENC[AES256_GCM,data:Zj552Ho=,iv:uOiDvsLPsT3D6A1SLgDl8jbAyz5bK8s1h7mIc6WT10k=,tag:rTD510uyO65F/qcD/UTUpw==,type:comment] -#ENC[AES256_GCM,data:a8v9FPS8GcZOyREs74GhUpnAZlYF9Q9lRU3ZdsYERajtDiGncywKPLE61PlnH8o/h+QkkWjpsjy+,iv:Ck+7CaYym5fT4uy44b8yLw+b1FDvvjxrxql3ed+B2as=,tag:sb7vA0tVe1G+TDcJLhQ66g==,type:comment] -acme-dns-token: ENC[AES256_GCM,data:9AvuFB/nYm2H6JK+pKY0wD658dHGZyV9w8B/+PeTKb5PkFJGlqdz0A==,iv:DeH3sRv9hCzhy38jnXVeGlAbUeXWOwf2avdINWuhJb8=,tag:jXjmtG+uoTonlXSSKLkY3g==,type:str] -#ENC[AES256_GCM,data:/+idD/eetpnX,iv:NNXMyIt6uUfT3JVU9g39xjUL71cw5UVmESKVIf54tqc=,tag:pz+D3tUk0gWTfAirJGhlkw==,type:comment] -wireguard-private-key: ENC[AES256_GCM,data:7cSHZL3c1P2oPPOX+HLFCDSg9gcWmdHY8LLb8kBVaRMsvRCk7gx/b2H6+Xg=,iv:YNKe76UGywvChY46X52nunFFHj3c4qJJVQRcU7bkRY0=,tag:uR4UZbtXSm6ywlVOZ4wQIg==,type:str] -wireguard-home-preshared-key: ENC[AES256_GCM,data:YeTvFuNDs7Yb9pvzcb/tHyYeQrVJGpvKzr0l1F+4ch6F1rTpk5ad37bi9kc=,iv:bI+KSgSwbanPjKi0zV38zhXamCo6Lnu9z0PhvA1n82U=,tag:4m7rJ5K0RSkU/dGm1bRInA==,type:str] -#ENC[AES256_GCM,data:IpoTYZX4KGjPA+hZ,iv:Hd1V9//M1f/10HQ7ZEEA9ZtuO8EBtY1kn3n28krYxpg=,tag:We6WirbRgSH1qOjC4g7spg==,type:comment] -oauth2-cookie-secret: ENC[AES256_GCM,data:ZN44Kdai0hUgx0GduynlyMHDnZpdnp1SPAGEaNaNFHGMhM9Q5HPzotiNXQM=,iv:vsYhWriY5G4KLiJ12MLm26B7aBzCL5GAr+S15klH4Bc=,tag:t+MsS0Wgo5papvoeK1nk+g==,type:str] -kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:a90dn//LD6tvDYGSNT2neorQRfo0puo7GA==,iv:a/R6xlwGdrwJNc7qBoo0Zmlh7GkZ1+uU+RzOxRE+okc=,tag:3WpAVThFLXZFsCIl5xM0IQ==,type:str] -sops: - age: - - recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcDZzcEJTNE94amhZSEZk - Wlhkc0dXY0d5Y2Myd21YYURORlRnMDRlYTBzCkZ1UEhzSzdTZjJENzAvOHJBVFRH - MDBMb3VmTGhnUXhRRnpYS3p5NE5HYnMKLS0tIHpROEhpeDZQYUNJMkExTDBsNUh3 - NmVFamgzKzRlV2oxS0x0UCsrc240eEEKByZ5WYf+QO8T43VLfO2ym4x7TQltS1nS - ckgZLorWZBWQg2vAwQktxQ0WTcjhM6tktZ7zgCIzKBLbQXtSt7VG9Q== - -----END 
AGE ENCRYPTED FILE----- - lastmodified: "2025-12-01T22:42:29Z" - mac: ENC[AES256_GCM,data:CTOMF/JUbJjKrO/WCaNqCgNVv/XuBGu5nD7ssRplhg7Fmfpqyg6+qQylZcVO4XXQPvpXsA7VfnACe0irflx2Rh/5eULLfaL6eSVnr15CmwTxxnJatMtvnn1V6tGDX7Fs2s3xdEM0G7Zu022A7WWgibiiVzv/tH09znKuxpNIdio=,iv:iYgbJLaOM3JZK1BGV8fVsq5wrh+7hpQwUdXBbsTQEj8=,tag:cPQdmBkZ+DAlQ3xAQts6BA==,type:str] - pgp: - - created_at: "2025-12-01T23:06:35Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAwDh3VI7VctTAQ/+O2d2BMDS3DVPfUHLD69K6VsdewczQkPoskMrS5JeQn0R - gDhR318J311UMClomIIrgDlbleoKS9tdC1rM3DoCaGFq4MyydK4MLy0+6wme1n3a - ZyOsQ1jSpdgkWUfbalbxL9/cWtQBwfahXve39L+ocqb34KT8jeLcRNZWORWAst7X - a6fHFp4gZrTnOjn26TJc7dJxYGWQIWk3WBYpzC8kpqkMaIemIy0FHaObNYy3DvM0 - Z++AYqmwEYiz+tG1bVRUZ1ck/z8kR+Zv1Wg0uVM5Jmg6rArrz75xSS297euPZhO3 - bQwEdJ2rcrdaz5LHC6zgsDrVz5LsfoTxilOwIgsqSGqOBIGAN6XttZXjjul6MVyE - XBlHqqrCVlLl+OCumWC0U6vr/bcGV6CaMJPE80Rh//wThtvyKVFRQey8EmJH7IGx - vHtfOaOScJc0sCCyXOx4HBeeGAYq0ogSRTlgK6Z+kXx/MkYRHiw6Vdrw0anmFF08 - 7lYB4SPafnEB4m2IPz1390ZSDXWGT5QmrhpnajuILIIcWwe0mNPfDbLQWF6CZALB - UJs0XvM/gfXhnqVnkayTXc9IrIHkLoKwyMh1g+st+d0fAYaUD2Wd9BI+zi22m4iR - J7Mw0bMBciO4MRIZEEFsCvuv4UzFjQ4mO9ib6LXI7y51sIJuYPkq3lllkntFdCuF - AgwDC9FRLmchgYQBD/9F+tb1K7aKNq73pk2YTmzH+WR2Dr3+MxNgnQlnIJMxdoTi - QE3C9U9UaO5ngdHbnG3ruBQKjGhLI8meFMTJatPwuOFcHPN+I3lEO+PkHGH0VkGQ - A1xkeFizc5l0tfTD9JpatOwaKKr1b4cERZP5hSTZ3MJsRJsykySKmLLpfmC1pZ7L - OWLdJ740YEPXXw76seRgZ66tKou1lADRBXAfHxmlj7yrt/MB2xg0FfPw6/i1HTlV - kwyobNlNO6whpgHjX16Qfcuj5YMRSDmyb+Ol5dheiA+DvoowhkijCGv04Mye10RI - bvjcmhVA+2lNP3tzF2duyIQi4nPDhQLcBs8djH8flKWDZOuz9Jt1QDTb4h6iJzfK - RkfU9j7/GjDiiksOdC0/yYgn90dGdPBI/iR890Uyuav/nwzF9Kz9aHQGPhCbwfRZ - gN7f3zyt9XPw7Qdyf5+zvaarg5xf8i3q6vhYZSGpOGC/ZrRdJcNfo5Sw4gVzrTOD - M9IGoeoyWkCHrjKPjYf8fVW8dDgMsddaT/ub8jh9OcM5YA6mrbeAGyf135mOurLd - PCsu/tNAA1GLImgc/MYplkPsOfC0+7fJ9gCSirXyRgT6Eir1VJLL7wE0zrPYfqdX - NOXYKdHQxfhtk33XlnxNJ73cJVGtBXy3B2kkM2DBHxY2Zj8ysO48zSri280RVdJc - ARILzsczZMXmJVYuR/r103j+doR/kMVEeH+gwhTSyj3yOgP06Ychawx4m8QrjF93 - 
FfpVVia8JmpXAymJ93fO1HCzpQgZwX+BuhjfGcUoa3kr+lJjzU4571CCI84= - =lNG0 - -----END PGP MESSAGE----- - fp: 4BE7925262289B476DBBC17B76FD3810215AE097 - unencrypted_suffix: _unencrypted - version: 3.11.0 diff --git a/secrets/winters/secrets.yaml b/secrets/winters/secrets.yaml index a418558..9c3883a 100644 --- a/secrets/winters/secrets.yaml +++ b/secrets/winters/secrets.yaml @@ -7,7 +7,7 @@ mautrix-telegram-hs-token: ENC[AES256_GCM,data:bsuGGKASj65MkSri1MbZDEppRlr5qXzdR mautrix-telegram-api-id: ENC[AES256_GCM,data:GLaYJupsuA==,iv:EZ7i3jregI2puUAQbbkUK7OWA9Dnk0GdXRQuF/crD0Y=,tag:FL86Xji+YEkBPIm7m6sStw==,type:str] mautrix-telegram-api-hash: ENC[AES256_GCM,data:vikwgZLPV7YBdKlzf8+LEUnNIMx950CfBMGXKOga2cs=,iv:16+qS4L1LEKyWQKC2+a9l4OugWLJou2I2t9oRfKjS24=,tag:zhjD2dyGkqfMQlAt/LTCzw==,type:str] #ENC[AES256_GCM,data:3ZJfIpB7,iv:bS0q1SvUfAX8s6/R1z9IWoJ1vIitIDc2lGZUjS6P+Ao=,tag:Hc1HVrtkT6gNceN87PF/YA==,type:comment] -acme-dns-token: ENC[AES256_GCM,data:uSgEI33Pz8IsJMqtgNO5Q/HW1dRLMeGmXtJJNrbQ+PNVnAiTTRyS6Q==,iv:5ubDxwyDgEHxK/h50p2HK6S1+2TdfTUFH3yGv7/zcH4=,tag:P3b2b/h86TlgksjXB8Uccg==,type:str] +acme-dns-token: ENC[AES256_GCM,data:QyOHnPFiNiOXBK41pr6XfG9KCWRysTxzW4cjuUesbGdFOOFi8W4lCQ==,iv:Iuc77X4t5V1xFPu2F1njo93l4oaciou7UfOLBm18gaM=,tag:+40ELYAGxaQfwiTKPPwI4w==,type:str] #ENC[AES256_GCM,data:ZbWnE+gcmtR47A==,iv:a/WxLMGb2Y+lenUfUk8c73o/QUB6ImBVRUkHQjfWoq8=,tag:7FHXVb7qBGSXv3oO5f2M1w==,type:comment] paperless-admin-pw: ENC[AES256_GCM,data:8s2WunvnlL0xE8XNN1Re6/9nBAM57AgM9g==,iv:Pol+RjNMKpNYCQWY0BZamRnob+MO/e/14jc8uArtDz4=,tag:FXRrlhR3DpZ+7lSlXb7wsw==,type:str] kanidm-paperless-client: ENC[AES256_GCM,data:1lpf9LzAZeAe0ZJiXPE6KRDZxhi24CQmoA==,iv:eZKA/2JJzojPDJc/I8V4tw9tA7zK9Y7wrpgLww7sigg=,tag:YjlH+hHdzJHqMBdkxTZVwQ==,type:str] 
@@ -58,8 +58,8 @@ sops: MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-28T17:45:19Z" - mac: ENC[AES256_GCM,data:lIdIP+Js+FzjJCoClGxqP1epl5fVkPzfJmOVauFNlXKRxx90/E3478oQHi/KbP7eFgPoy+0hAbMwnBmo/1tOKb2ky80/6IMEkbftiO7YZqy8opbSbCtj6ypOOwwPf5rgtXHn0LV+EtDQZzIBY6GhcERO6IQpFRAXeIkSGcpM3TE=,iv:sphhFBg1xgupLGQzRovea0wvsTolzfW/z+gjj9CyklM=,tag:bdo9FlPPYKdl87lsBsiEsQ==,type:str] + lastmodified: "2025-07-09T20:28:09Z" + mac: ENC[AES256_GCM,data:tLAljNEDR4Ab27OXVJhvDuGmfuxE/L9KSFsJGDo25Vs3P56/HnjrI77y+ytLuf2sK/OHup7jXnlwBWUDAfNWIQzUdjIBtr/OiggkPHgWhr4rH55ayLM1IfZU1ex6MPvliz2yi0nU6jqHXoSlBCqu+hdfyTQri1EmZ9Bh811YDqs=,iv:4VmwBcmQIjQ16mwxYjgud3OUjQE0rH0wN72sAXXs3to=,tag:OQNYvxLZg+0hapvUYsexuA==,type:str] pgp: - created_at: "2024-12-17T16:24:32Z" enc: |- @@ -93,4 +93,4 @@ sops: -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted - version: 3.11.0 + version: 3.10.2