From 0e9b76da4831dcc7ad23f2c93b39a91727ea74f0 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Sun, 13 Jul 2025 20:36:26 +0200 Subject: [PATCH 01/26] fix: some deprecations --- home/modules/zsh.nix | 2 +- nixos/configurations.nix | 37 +++- nixos/modules/profiles/base.nix | 4 +- nixos/modules/profiles/laptop.nix | 2 +- nixos/stolas/default.nix | 297 ++++++++++++++++++++++++++++++ 5 files changed, 335 insertions(+), 7 deletions(-) create mode 100644 nixos/stolas/default.nix diff --git a/home/modules/zsh.nix b/home/modules/zsh.nix index 96364ff..7a0cd6c 100644 --- a/home/modules/zsh.nix +++ b/home/modules/zsh.nix @@ -34,7 +34,7 @@ in }; plugins = [ ]; - initExtra = '' + initContent = '' source ${pkgs.zsh-git-prompt}/share/zsh-git-prompt/zshrc.sh source ${pkgs.fzf}/share/fzf/key-bindings.zsh source ${pkgs.fzf}/share/fzf/completion.zsh diff --git a/nixos/configurations.nix b/nixos/configurations.nix index adacb51..14780f1 100644 --- a/nixos/configurations.nix +++ b/nixos/configurations.nix @@ -31,6 +31,39 @@ let }; in { + stolas = + let + system = "x86_64-linux"; + in + nixosSystem { + inherit nixpkgs system; + + extraModules = [ + # TODO lanzaboote.nixosModules.lanzaboote + { + nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; + dadada.pkgs = self.packages.${system}; + dadada.inputs = inputs // { + dadada = self; + }; + } + nixos-hardware.nixosModules.framework-amd-ai-300-series + home-manager.nixosModules.home-manager + ( + { pkgs, ... }: + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.sharedModules = (nixpkgs.lib.attrValues self.hmModules) ++ [ + { dadada.home.helix.package = pkgs.helix; } + ]; + home-manager.users.dadada = import ../home; + } + ) + ./stolas + ]; + }; + gorgon = let system = "x86_64-linux"; 
@@ -46,12 +79,10 @@ in dadada = self; }; } - nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1 - home-manager.nixosModules.home-manager ( - { pkgs, lib, ... }: + { pkgs, ... }: { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix index b681d72..0976788 100644 --- a/nixos/modules/profiles/base.nix +++ b/nixos/modules/profiles/base.nix @@ -13,8 +13,8 @@ in ./upgrade-pg-cluster.nix ]; - boot.tmp.useTmpfs = true; - boot.tmp.tmpfsSize = "50%"; + boot.tmp.useTmpfs = lib.mkDefault true; + boot.tmp.tmpfsSize = lib.mkDefault "50%"; i18n.defaultLocale = mkDefault "en_US.UTF-8"; console = mkDefault { diff --git a/nixos/modules/profiles/laptop.nix b/nixos/modules/profiles/laptop.nix index d9f0bde..8e0b52f 100644 --- a/nixos/modules/profiles/laptop.nix +++ b/nixos/modules/profiles/laptop.nix @@ -48,7 +48,7 @@ with lib; alsa.support32Bit = true; pulse.enable = true; }; - hardware.pulseaudio.enable = false; + services.pulseaudio.enable = false; dadada.backupClient.gs = { enable = true; diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix new file mode 100644 index 0000000..e526eff --- /dev/null +++ b/nixos/stolas/default.nix 
@@ -0,0 +1,297 @@ +{ config, lib, pkgs, ... }: +{ + + imports = [ + ../modules/profiles/laptop.nix + ]; + + ### TODO double check with generated hw-config + + boot = { + # TODO lanzaboote = { + # enable = true; + # pkiBundle = "/var/lib/sbctl"; + #}; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ]; + initrd = { + availableKernelModules = [ + "nvme" + "ehci_pci" + "xhci_pci" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + ]; + # TODO disable for lanzaboote + systemd.enable = true; + # Lanzaboote currently replaces the systemd-boot module. + # This setting is usually set to true in configuration.nix + # generated at installation time. So we force it to false + # for now. + #boot.loader.systemd-boot.enable = lib.mkForce false; + luks.devices = { + root = { + # TODO + device = "/dev/disk/by-uuid/todo"; + allowDiscards = true; + # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL + #crypttabExtraOpts = [ "fido2-device=auto" ]; + }; + }; + }; + }; + + environment.systemPackages = [ + # For debugging and troubleshooting Secure Boot. 
+ pkgs.sbctl + ]; + + # TODO compare with nixos-generate-config --show-hardware-config + fileSystems = { + "/boot" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "vfat"; + }; + + "/" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "btrfs"; + options = [ + "subvol=root" + "compress=zstd" + ]; + }; + + "/home" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + options = [ + "compress=zstd" + "subvol=home" + ]; + }; + + "/home/dadada" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + options = [ + "compress=zstd" + "subvol=home/dadada" + ]; + }; + + "/nix" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "btrfs"; + options = [ + "noatime" + "compress=zstd" + "subvol=nix" + ]; + }; + + "/nix/var/nix/builds" = { + device = "none"; + fsType = "tmpfs"; + options = [ + # Max 80% of available RAM + "size=80%" + # Only owner (nix daemon may write) + "mode=755" + ]; + }; + + "/root" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "btrfs"; + options = [ + "compress=zstd" + "subvol=root" + ]; + }; + + "/var" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "btrfs"; + options = [ + "compress=zstd" + "subvol=var" + ]; + }; + + "/var/lib/paperless" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "btrfs"; + options = [ + "compress=zstd" + "subvol=var/lib/paperless" + ]; + }; + + "/var/swap" = { + # TODO + device = "/dev/disk/by-uuid/todo"; + fsType = "btrfs"; + options = [ + "noatime" + "subvol=swap" + ]; + }; + + # NOTE: /tmp is tmpfs because of config in base.nix + }; + + # TODO btrfs filesystem mkswapfile --uuid clear /var/swap/swapfile + # swapDevices = [{ + # device = "/var/swap/swapfile"; + # size = 80*1024; # Creates an 80GB swap file + # }]; + + hardware = { + # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features + bluetooth.enable = true; + framework.laptop13.audioEnhancement.enable = true; + graphics = { + enable = true; + extraPackages = with 
pkgs; [ + vaapiVdpau + libvdpau-va-gl + ]; + }; + }; + + powerManagement = { + enable = true; + cpuFreqGovernor = "schedutil"; + # TODO: Limit charge of battery, does this work without kernel patches from hardware.frameworkenableKmod? + powerUpCommands = '' + echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold + ''; + }; + + networking = { + hostName = "stolas"; + firewall = { + enable = true; + allowedTCPPorts = [ + 22000 # Syncthing + ]; + allowedUDPPorts = [ + 21027 # Syncthing + ]; + }; + }; + + nix = { + settings.max-jobs = lib.mkDefault 16; + }; + + # TODO dadada.backupClient.backup1.enable = true; + # dadada.backupClient.backup2 = { + # enable = true; + # passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path; + # sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path; + # repo = "u355513-subX@u355513-subX.your-storagebox.de:/home/backup"; + # }; + + programs = { + adb.enable = true; + firefox = { + enable = true; + package = pkgs.firefox-wayland; + }; + gnupg.agent.enable = true; + ssh.startAgent = true; + wireshark.enable = true; + }; + + services = { + avahi.enable = true; + desktopManager.plasma6.enable = true; + displayManager = { + sddm.enable = true; + sddm.wayland.enable = true; + }; + gnome.gnome-keyring.enable = lib.mkForce false; + smartd.enable = true; + printing = { + enable = true; + browsing = true; + }; + paperless = { + # TODO migrate DB + enable = true; + passwordFile = config.age.secrets.paperless.path; + }; + tlp.enable = false; + }; + + system = { + stateVersion = "25.05"; + }; + + systemd.tmpfiles.rules = + let + cfg = config.services.paperless; + in + [ + ( + if cfg.consumptionDirIsPublic then + "d '${cfg.consumptionDir}' 777 - - - -" + else + "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -" + ) + ]; + + systemd.services = { + modem-manager.enable = lib.mkForce false; + 
"dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false; + }; + + systemd.sleep.extraConfig = '' + HibernateDelaySec=1h + ''; + + virtualisation.libvirtd.enable = true; + + users = { + users = { + dadada = { + isNormalUser = true; + extraGroups = [ + "wheel" + "networkmanager" + "libvirtd" + "adbusers" + "kvm" + "video" + "scanner" + "lp" + "docker" + "dialout" + "wireshark" + "paperless" + ]; + shell = "/run/current-system/sw/bin/zsh"; + }; + }; + }; + + age.secrets = { + paperless = { + file = "${config.dadada.secrets.path}/paperless.age"; + mode = "700"; + owner = "paperless"; + }; + }; + + # Create compressing swap space in RAM + zramSwap.enable = true; +} From 0b08beee355add707010e684267bdf77bc2dc834 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Sun, 13 Jul 2025 20:41:06 +0200 Subject: [PATCH 02/26] feat(stolas): set initial hashed password --- nixos/stolas/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index e526eff..56b3bcb 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix @@ -264,6 +264,7 @@ users = { users = { dadada = { + initialHashedPassword = "$y$j9T$43qGBeY6hg6AXQmcVkS131$6AeRDOe6XAnmgA/AkJGaSIYTj5dbQLd9vrQ7zSyi5TA"; isNormalUser = true; extraGroups = [ "wheel" From e58a47af3f383f6358309f80aae39b9a8ad86e77 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Sun, 13 Jul 2025 21:53:21 +0200 Subject: [PATCH 03/26] feat(stolas): disko for disk setup --- flake.lock | 21 ++++++++ flake.nix | 4 ++ nixos/configurations.nix | 2 + nixos/stolas/default.nix | 110 +-------------------------------------- nixos/stolas/disks.nix | 99 +++++++++++++++++++++++++++++++++++ 5 files changed, 127 insertions(+), 109 deletions(-) create mode 100644 nixos/stolas/disks.nix diff --git a/flake.lock b/flake.lock index a2f410e..4bab678 100644 --- a/flake.lock +++ b/flake.lock 
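Review bot: The agenix secret `age.secrets.paperless` is declared with `mode = "700"`, which sets the execute bit on a password file and grants more than its single reader needs; `mode = "0400";` alongside the existing `owner = "paperless";` is enough for a file only the service reads. In the same file the tmpfiles rule creates the consumption directory as `777` when `consumptionDirIsPublic` is set, so any local account can place documents that paperless will ingest; if that is intended it deserves a comment saying so. `dadada` is also added to the `docker` group although nothing in this file enables Docker, and membership there is root-equivalent once a daemon exists, so I would leave it out until it is needed.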
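Review bot: The yescrypt hash added as `initialHashedPassword` is now permanent in the repository history and is copied into the world-readable Nix store, so anyone who can read either can test password guesses against it offline. agenix is already used in this configuration, so the hash can live in an encrypted secret instead: `hashedPasswordFile = config.age.secrets."<password-secret>".path;` (placeholder name). If the value is meant only as a throwaway first-boot password, add a comment such as `# bootstrap only, changed with passwd after first login` so nobody mistakes it for the real credential. The `users.users.dadada` block continues outside the hunk.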
@@ -67,6 +67,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1752113600, + "narHash": "sha256-7LYDxKxZgBQ8LZUuolAQ8UkIB+jb4A2UmiR+kzY9CLI=", + "owner": "nix-community", + "repo": "disko", + "rev": "79264292b7e3482e5702932949de9cbb69fedf6d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-registry": { "flake": false, "locked": { @@ -225,6 +245,7 @@ "inputs": { "agenix": "agenix", "devshell": "devshell", + "disko": "disko", "flake-registry": "flake-registry", "flake-utils": "flake-utils", "home-manager": "home-manager", diff --git a/flake.nix b/flake.nix index 6ccece0..622f9f0 100644 --- a/flake.nix +++ b/flake.nix @@ -4,6 +4,10 @@ inputs = { nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; flake-utils = { url = "github:numtide/flake-utils"; inputs.systems.follows = "systems"; diff --git a/nixos/configurations.nix b/nixos/configurations.nix index 14780f1..38c38da 100644 --- a/nixos/configurations.nix +++ b/nixos/configurations.nix @@ -1,6 +1,7 @@ { self, agenix, + disko, home-manager, homepage, nixos-hardware, @@ -40,6 +41,7 @@ in extraModules = [ # TODO lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko { nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; dadada.pkgs = self.packages.${system}; diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index 56b3bcb..04fd504 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix @@ -3,10 +3,9 @@ imports = [ ../modules/profiles/laptop.nix + ./disks.nix ]; - ### TODO double check with generated hw-config - boot = { # TODO lanzaboote = { # enable = true; 
@@ -47,113 +46,6 @@ pkgs.sbctl ]; - # TODO compare with nixos-generate-config --show-hardware-config - fileSystems = { - "/boot" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "vfat"; - }; - - "/" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "btrfs"; - options = [ - "subvol=root" - "compress=zstd" - ]; - }; - - "/home" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - options = [ - "compress=zstd" - "subvol=home" - ]; - }; - - "/home/dadada" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - options = [ - "compress=zstd" - "subvol=home/dadada" - ]; - }; - - "/nix" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "btrfs"; - options = [ - "noatime" - "compress=zstd" - "subvol=nix" - ]; - }; - - "/nix/var/nix/builds" = { - device = "none"; - fsType = "tmpfs"; - options = [ - # Max 80% of available RAM - "size=80%" - # Only owner (nix daemon may write) - "mode=755" - ]; - }; - - "/root" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "btrfs"; - options = [ - "compress=zstd" - "subvol=root" - ]; - }; - - "/var" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "btrfs"; - options = [ - "compress=zstd" - "subvol=var" - ]; - }; - - "/var/lib/paperless" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "btrfs"; - options = [ - "compress=zstd" - "subvol=var/lib/paperless" - ]; - }; - - "/var/swap" = { - # TODO - device = "/dev/disk/by-uuid/todo"; - fsType = "btrfs"; - options = [ - "noatime" - "subvol=swap" - ]; - }; - - # NOTE: /tmp is tmpfs because of config in base.nix - }; - - # TODO btrfs filesystem mkswapfile --uuid clear /var/swap/swapfile - # swapDevices = [{ - # device = "/var/swap/swapfile"; - # size = 80*1024; # Creates an 80GB swap file - # }]; - hardware = { # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features bluetooth.enable = true; 
diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix new file mode 100644 index 0000000..6b07f9b --- /dev/null +++ b/nixos/stolas/disks.nix @@ -0,0 +1,99 @@ +{ + disko.devices = { + nodev."/nix/var/nix/builds" = { + fsType = "tmpfs"; + mountOptions = [ + "size=80%" + "defaults" + "mode=755" + ]; + }; + disk = { + main = { + type = "disk"; + device = "/dev/disk/by-uuid/TODO"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "1G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + # TODO tmpfs for nix/var/nix/builds + luks = { + size = "100%"; + content = { + type = "luks"; + name = "crypted"; + #passwordFile = "/tmp/secret.key"; # Interactive + settings = { + allowDiscards = true; + #keyFile = "/tmp/secret.key"; + }; + #additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "compress=zstd" + "relatime" + ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/dadada" = { + mountpoint = "/home/dadada"; + mountOptions = [ + "compress=zstd" + "relatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/var" = { + mountpoint = "/var"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/paperless" = { + mountpoint = "/var/lib/paperless"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "64G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} From f602f150ba45a81e336b8773d6d30f57e118e2b4 Mon Sep 17 00:00:00 2001 
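Review bot: `allowDiscards = true` in the LUKS `settings` of `disks.nix` passes TRIM through dm-crypt, which lets anyone who can read the raw device see which blocks are unused and infer the rough filesystem layout. That is a common and often acceptable trade-off on an SSD, but it should be recorded as a decision rather than carried over silently from the old `luks.devices.root` entry. I would add a comment directly above it, for example `# TRIM passthrough: exposes free-block layout of the encrypted volume; accepted for SSD performance`.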
From: Tim Schubert Date: Thu, 17 Jul 2025 21:38:11 +0200 Subject: [PATCH 04/26] feat(stolas): add backup config --- nixos/modules/borg-server.nix | 8 ++++++++ nixos/stolas/default.nix | 12 +++++------- secrets/secrets.nix | 2 ++ secrets/stolas-backup-passphrase.age | 7 +++++++ secrets/stolas-backup-ssh-key.age | 8 ++++++++ 5 files changed, 30 insertions(+), 7 deletions(-) create mode 100644 secrets/stolas-backup-passphrase.age create mode 100644 secrets/stolas-backup-ssh-key.age diff --git a/nixos/modules/borg-server.nix b/nixos/modules/borg-server.nix index 594f356..e498cd1 100644 --- a/nixos/modules/borg-server.nix +++ b/nixos/modules/borg-server.nix @@ -39,6 +39,14 @@ in path = "${cfg.path}/gorgon"; quota = "1T"; }; + "stolas" = { + allowSubRepos = false; + authorizedKeysAppendOnly = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC/mVYd3o7oA0dsA58CgkqR40CSfeuU+rikleSrSXFz dadada@gorgon" + ]; + path = "${cfg.path}/stolas"; + quota = "1T"; + }; "surgat" = { allowSubRepos = false; authorizedKeysAppendOnly = [ diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index 04fd504..3a370c3 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix @@ -85,13 +85,11 @@ settings.max-jobs = lib.mkDefault 16; }; - # TODO dadada.backupClient.backup1.enable = true; - # dadada.backupClient.backup2 = { - # enable = true; - # passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path; - # sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path; - # repo = "u355513-subX@u355513-subX.your-storagebox.de:/home/backup"; - # }; + dadada.backupClient.backup1.enable = true; + dadada.backupClient.backup2 = { + enable = true; + repo = "u355513-sub5@u355513-sub5.your-storagebox.de:/home/backup"; + }; programs = { adb.enable = true; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 1da186e..a3255e1 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
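Review bot: The key authorised for the new `stolas` repository in `borg-server.nix` carries the comment `dadada@gorgon`, which suggests gorgon's backup key was copied instead of the public half of the `stolas-backup-ssh-key.age` identity added in this same commit. If so, stolas cannot authenticate with its own key, and gorgon's key can append to `${cfg.path}/stolas`, so a compromise of one laptop reaches both repositories. Each repo entry should list only the public key of the host that writes to it. The gorgon entry's own key is outside the hunk, so this needs checking against it.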
@@ -7,6 +7,7 @@ let ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos"; pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqZHu5ygTODgrNzcU9C2O+b8yCfVsnztV83qxXV4aA8 root@pruflas"; surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat"; + stolas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV1LSH8jeMnXJ/eqhJCebbwxenJmxNoeB6UGrBmRjZk root@stolas"; }; backupSecrets = hostName: { "${hostName}-backup-passphrase.age".publicKeys = [ @@ -88,3 +89,4 @@ in // backupSecrets "pruflas" // backupSecrets "surgat" // backupSecrets "agares" +// backupSecrets "stolas" diff --git a/secrets/stolas-backup-passphrase.age b/secrets/stolas-backup-passphrase.age new file mode 100644 index 0000000..ff9d514 --- /dev/null +++ b/secrets/stolas-backup-passphrase.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 OgKXZA A8XAP2YQw/CnN//rHPM9m9p1A/l4IiWV1Qhc9+RHdxQ +mcpcULPCQUMtoCiTwiAU2AXD5UVrQkF5LxZqCJ3VEMA +-> ssh-ed25519 Otklkw UzdSM3CCvzQ4owHWWmrBfiC6NuBAu0onns6s4nlR9Vs +UQ4TBW/4O5rVi0xpS2lAS6M7zgUcWtGlXeL+i748KYE +--- tqrtKyZVDght0KJQZDSDVdnEL38KZjPA2xZ3LjeKlI0 +2lC@(N3-igaH?~Fnqc ɝ<ۼ#F7aB%&t}vr_< \ No newline at end of file diff --git a/secrets/stolas-backup-ssh-key.age b/secrets/stolas-backup-ssh-key.age new file mode 100644 index 0000000..cb98c8d --- /dev/null +++ b/secrets/stolas-backup-ssh-key.age 
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 OgKXZA gTx4Ozd2BU13T8GpiBxSCZdjAwJ/zb10xqW62QMTwms +M9y1f/ndVYnujqIDo0rocQEX/8Isg0vn97mQm8K83iE +-> ssh-ed25519 Otklkw 2hyKMpf/Z8wgBowMgxwb77cj9B5b0/a7q4hq3CxWp0M +jFLwfV72isKUdtr5m2n5303KZiJDKTJny9koUOHLLLg +--- GQfIExiJTJEQTnesTVqF3X7AcorV+SH8TQ9uo5xLwso +u`6^|&Q[KPFAƇшU*n55Ozv傺-C0r;6JC={'@Ժ9O'b#Rw-(؊RjF[=uD3vڝ5bWxiz͢={S; r.O2|jtOrpK297Y/?8&pP:g Date: Thu, 17 Jul 2025 21:38:35 +0200 Subject: [PATCH 05/26] fix: move paperless config to module --- nixos/stolas/default.nix | 21 ++------------------- nixos/stolas/disks.nix | 1 - nixos/stolas/paperless.nix | 20 ++++++++++++++++++++ 3 files changed, 22 insertions(+), 20 deletions(-) create mode 100644 nixos/stolas/paperless.nix diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index 3a370c3..b72f6be 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix @@ -4,6 +4,7 @@ imports = [ ../modules/profiles/laptop.nix ./disks.nix + # TODO ./paperless.nix ]; boot = { @@ -32,7 +33,7 @@ luks.devices = { root = { # TODO - device = "/dev/disk/by-uuid/todo"; + device = "/dev/disk/by-uuid/TODO"; allowDiscards = true; # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL #crypttabExtraOpts = [ "fido2-device=auto" ]; @@ -115,11 +116,6 @@ enable = true; browsing = true; }; - paperless = { - # TODO migrate DB - enable = true; - passwordFile = config.age.secrets.paperless.path; - }; tlp.enable = false; }; @@ -127,19 +123,6 @@ stateVersion = "25.05"; }; - systemd.tmpfiles.rules = - let - cfg = config.services.paperless; - in - [ - ( - if cfg.consumptionDirIsPublic then - "d '${cfg.consumptionDir}' 777 - - - -" - else - "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -" - ) - ]; - systemd.services = { modem-manager.enable = lib.mkForce false; "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false; 
diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix index 6b07f9b..3ecb67d 100644 --- a/nixos/stolas/disks.nix +++ b/nixos/stolas/disks.nix @@ -25,7 +25,6 @@ mountOptions = [ "umask=0077" ]; }; }; - # TODO tmpfs for nix/var/nix/builds luks = { size = "100%"; content = { diff --git a/nixos/stolas/paperless.nix b/nixos/stolas/paperless.nix new file mode 100644 index 0000000..7591f0a --- /dev/null +++ b/nixos/stolas/paperless.nix @@ -0,0 +1,20 @@ +{ config }: +{ + services.paperless = { + # TODO migrate DB + enable = true; + passwordFile = config.age.secrets.paperless.path; + }; + systemd.tmpfiles.rules = + let + cfg = config.services.paperless; + in + [ + ( + if cfg.consumptionDirIsPublic then + "d '${cfg.consumptionDir}' 777 - - - -" + else + "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -" + ) + ]; +} From d618890198fedd909887b0cf7dde6a79e54938e9 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Mon, 21 Jul 2025 17:22:31 +0200 Subject: [PATCH 06/26] feat(stolas): add name of NVME device --- nixos/stolas/disks.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix index 3ecb67d..5d48d17 100644 --- a/nixos/stolas/disks.nix +++ b/nixos/stolas/disks.nix @@ -11,7 +11,7 @@ disk = { main = { type = "disk"; - device = "/dev/disk/by-uuid/TODO"; + device = "/dev/nvme0n1"; content = { type = "gpt"; partitions = { From d81761e519a255025b5adeecf95307b3521943b0 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Mon, 21 Jul 2025 17:39:21 +0200 Subject: [PATCH 07/26] fix(stolas): update hardware config --- nixos/stolas/default.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index b72f6be..6733652 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix 
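Review bot: The header of the new `paperless.nix` is `{ config }:` with no ellipsis, so once the `# TODO ./paperless.nix` import in `default.nix` is enabled, evaluation will fail because the module system also passes `lib`, `pkgs`, `options` and other arguments; it should read `{ config, ... }:`. The `age.secrets.paperless` declaration with `owner = "paperless"` is not touched by this commit and so appears to stay in `default.nix`, where the owning user presumably no longer exists while the service is not imported. Moving that secret into this module would keep the service and its credential together. The `777` mode for a public consumption directory moves here unchanged and still lets any local account feed documents to paperless.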
@@ -7,6 +7,10 @@ # TODO ./paperless.nix ]; + nixpkgs = { + hostPlatform = "x86_64-linux"; + }; + boot = { # TODO lanzaboote = { # enable = true; @@ -17,11 +21,10 @@ initrd = { availableKernelModules = [ "nvme" - "ehci_pci" "xhci_pci" + "thunderbolt" "usb_storage" "sd_mod" - "rtsx_pci_sdmmc" ]; # TODO disable for lanzaboote systemd.enable = true; @@ -50,6 +53,7 @@ hardware = { # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features bluetooth.enable = true; + cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; framework.laptop13.audioEnhancement.enable = true; graphics = { enable = true; From 502d9aa4dc2a1a3371cee33f35abdf7eca432a45 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Mon, 21 Jul 2025 18:14:56 +0200 Subject: [PATCH 08/26] fix(stolas): add UUID for root luks device to kernel commandline --- nixos/stolas/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index 6733652..10302eb 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix @@ -36,7 +36,7 @@ luks.devices = { root = { # TODO - device = "/dev/disk/by-uuid/TODO"; + device = "/dev/disk/by-uuid/81dfbfa5-d578-479c-b11c-3ee5abd6848a"; allowDiscards = true; # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL #crypttabExtraOpts = [ "fido2-device=auto" ]; From b8be17a9a9df21886b89c1a625f639d20933a741 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Mon, 21 Jul 2025 20:05:29 +0200 Subject: [PATCH 09/26] fix(stolas): enable lanzaboote and additional firmware --- flake.lock | 165 +++++++++++++++++++++++++++++++++++++++ flake.nix | 4 + nixos/configurations.nix | 3 +- nixos/stolas/default.nix | 22 +++--- 4 files changed, 181 insertions(+), 13 deletions(-) diff --git a/flake.lock b/flake.lock index 4bab678..572619e 100644 --- a/flake.lock +++ b/flake.lock 
@@ -25,6 +25,21 @@ "type": "github" } }, + "crane": { + "locked": { + "lastModified": 1731098351, + "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -87,6 +102,43 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-registry": { "flake": false, "locked": { @@ -123,6 +175,28 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -157,6 +231,32 @@ "url": "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1737639419, + "narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "a65905a09e2c43ff63be8c0e86a93712361f871e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.2", + "repo": "lanzaboote", + "type": "github" + } + }, "nixlib": { "locked": { "lastModified": 1736643958, @@ -241,6 +341,49 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1731363552, + "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -250,6 +393,7 @@ "flake-utils": "flake-utils", "home-manager": "home-manager", "homepage": "homepage", + "lanzaboote": "lanzaboote", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", 
@@ -258,6 +402,27 @@ "treefmt-nix": "treefmt-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731897198, + "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 622f9f0..73686ce 100644 --- a/flake.nix +++ b/flake.nix @@ -16,6 +16,10 @@ url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.4.2"; + inputs.nixpkgs.follows = "nixpkgs"; + }; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; homepage = { url = "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz"; diff --git a/nixos/configurations.nix b/nixos/configurations.nix index 38c38da..7a4185a 100644 --- a/nixos/configurations.nix +++ b/nixos/configurations.nix @@ -4,6 +4,7 @@ disko, home-manager, homepage, + lanzaboote, nixos-hardware, nixos-generators, nixpkgs, @@ -40,7 +41,7 @@ in inherit nixpkgs system; extraModules = [ - # TODO lanzaboote.nixosModules.lanzaboote + lanzaboote.nixosModules.lanzaboote disko.nixosModules.disko { nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index 10302eb..5ee2a4a 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix 
@@ -12,12 +12,17 @@ }; boot = { - # TODO lanzaboote = { - # enable = true; - # pkiBundle = "/var/lib/sbctl"; - #}; + lanzaboote = { + enable = true; + pkiBundle = "/var/lib/sbctl"; + }; kernelModules = [ "kvm-amd" ]; extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ]; + # Lanzaboote currently replaces the systemd-boot module. + # This setting is usually set to true in configuration.nix + # generated at installation time. So we force it to false + # for now. + loader.systemd-boot.enable = lib.mkForce false; initrd = { availableKernelModules = [ "nvme" @@ -26,16 +31,8 @@ "usb_storage" "sd_mod" ]; - # TODO disable for lanzaboote - systemd.enable = true; - # Lanzaboote currently replaces the systemd-boot module. - # This setting is usually set to true in configuration.nix - # generated at installation time. So we force it to false - # for now. - #boot.loader.systemd-boot.enable = lib.mkForce false; luks.devices = { root = { - # TODO device = "/dev/disk/by-uuid/81dfbfa5-d578-479c-b11c-3ee5abd6848a"; allowDiscards = true; # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL @@ -54,6 +51,7 @@ # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features bluetooth.enable = true; cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + enableAllFirmware = true; framework.laptop13.audioEnhancement.enable = true; graphics = { enable = true; From fc2f547919332fa8b56ecde0c663b888a9723b8e Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Mon, 21 Jul 2025 20:07:54 +0200 Subject: [PATCH 10/26] fix(stolas): allow unfree firmware --- nixos/stolas/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index 5ee2a4a..db1f640 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix 
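Review bot: Removing `boot.initrd.systemd.enable = true` in the `initrd` hunk works against the TODO that remains beside `crypttabExtraOpts`, because TPM2 or FIDO2 unlock through crypttab options is handled by the systemd stage 1, not the scripted initrd. As far as I know lanzaboote does not require the scripted initrd, so the old "disable for lanzaboote" TODO looks like a misreading; I would keep `systemd.enable = true;` under `initrd`. It would also help to add a comment next to `pkiBundle` such as `# keys must exist under /var/lib/sbctl and be enrolled in firmware before Secure Boot is enforced`, since enabling the module alone does not turn enforcement on.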
@@ -9,6 +9,7 @@ nixpkgs = { hostPlatform = "x86_64-linux"; + config.allowUnfree = true; }; boot = { From 427b62fe07963a6d2dd753d0fc02ccf678466e09 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Mon, 21 Jul 2025 21:02:08 +0200 Subject: [PATCH 11/26] fix(stolas): name of dm-crypt container --- nixos/stolas/default.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index db1f640..197795e 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix @@ -32,14 +32,6 @@ "usb_storage" "sd_mod" ]; - luks.devices = { - root = { - device = "/dev/disk/by-uuid/81dfbfa5-d578-479c-b11c-3ee5abd6848a"; - allowDiscards = true; - # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL - #crypttabExtraOpts = [ "fido2-device=auto" ]; - }; - }; }; }; From ae419eb19a2c1884e57697d2ef437b8770f74e3b Mon Sep 17 00:00:00 2001 
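Review bot: `config.allowUnfree = true;` under `nixpkgs` permits every unfree package on this host, while the commit message only asks for unfree firmware (presumably for `enableAllFirmware = true` from the previous patch). A predicate keeps the exception scoped: `config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ /* firmware package names */ ];`, with the list filled from the names the evaluation error reports. A later unfree addition to the system closure then fails evaluation instead of being accepted silently.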
From: Tim Schubert Date: Mon, 21 Jul 2025 21:15:35 +0200 Subject: [PATCH 12/26] chore: rekey --- secrets/agares-backup-passphrase.age | 16 +++++++--------- secrets/agares-backup-ssh-key.age | Bin 898 -> 741 bytes secrets/agares-wg0-key.age | 15 ++++++--------- secrets/ddns-credentials.age | Bin 521 -> 466 bytes secrets/etc-ppp-chap-secrets.age | 16 ++++++---------- secrets/etc-ppp-telekom-secret.age | Bin 407 -> 370 bytes secrets/gorgon-backup-passphrase-gs.age | Bin 403 -> 343 bytes secrets/gorgon-backup-passphrase.age | 16 +++++++--------- secrets/gorgon-backup-ssh-key.age | Bin 791 -> 721 bytes secrets/hydra-github-authorization.age | 15 ++++++--------- secrets/ifrit-backup-passphrase.age | 15 ++++++--------- secrets/ifrit-backup-ssh-key.age | Bin 775 -> 733 bytes secrets/initrd-surgat-ssh_host_ed25519_key.age | Bin 820 -> 721 bytes secrets/miniflux-admin-credentials.age | 16 +++++++--------- secrets/ninurta-backup-passphrase.age | 15 ++++++--------- secrets/ninurta-backup-ssh-key.age | Bin 759 -> 741 bytes secrets/ninurta-initrd-ssh-key.age | Bin 890 -> 721 bytes secrets/paperless.age | Bin 396 -> 355 bytes secrets/pruflas-backup-passphrase.age | Bin 419 -> 355 bytes secrets/pruflas-backup-ssh-key.age | Bin 844 -> 721 bytes secrets/pruflas-wg-hydra-key.age | Bin 446 -> 367 bytes secrets/pruflas-wg0-key.age | 16 +++++++--------- secrets/pruflas-wg0-preshared-key.age | 17 +++++++---------- secrets/secrets.nix | 2 +- secrets/stolas-backup-passphrase.age | Bin 371 -> 371 bytes secrets/stolas-backup-ssh-key.age | Bin 721 -> 721 bytes secrets/surgat-backup-passphrase.age | 15 +++++++-------- secrets/surgat-backup-ssh-key.age | Bin 790 -> 721 bytes secrets/surgat-ssh_host_ed25519_key.age | Bin 806 -> 720 bytes secrets/wg-privkey-vpn-dadada-li.age | Bin 403 -> 367 bytes 30 files changed, 73 insertions(+), 101 deletions(-) diff --git a/secrets/agares-backup-passphrase.age b/secrets/agares-backup-passphrase.age index d538c5a..3139105 100644 
--- a/secrets/agares-backup-passphrase.age +++ b/secrets/agares-backup-passphrase.age @@ -1,10 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 L7f05w RayKtknLNvFu88aFp4QL7ZMLAh5VmHmlr1DWVsWBziE -rckeFrazZJ3TxY/yD2wlzRVLh9L4x1bV2Nk7Q0S/RWM --> ssh-ed25519 Otklkw oub7OICQalIkCqAZh4/FfXB9PPBe7j2IpBP7WF/UXGk -gAwxU97b0Js6UPv59/1389/qdPGQb4koa49R14c3UjA --> mU.rG&?F-grease V? d a}mj5 ^&dc?\ -B0k6BjXmH0cm74+rjQrzJwKa1dcFwTdmlgltZ70oHctwA3+E4/CQ1ChH9UHzkHGG -Fb62klB5XYePywsvxLo2nIGVIvhBgsfIvUpq ---- ONLpuXfKtuCB+VD5IQ5KeSPyqgEb4a2y26+n5E8Ph3E -uD{r ژR9P j?hD -u#F2N +Ys\ \ No newline at end of file +-> ssh-ed25519 L7f05w ZwPKXDj4QV+9GrvwgEI9vwhwwoHgZlnveG5GwpyeAQ0 +f4iPzhbR2HCeAQ8cUDUqcYmVPoQ9vKMvkFQyVo1T/Qo +-> ssh-ed25519 Otklkw 3y/RbwOR4wv6Iwq9+jMSZ1ntAD6G5jgeMx0PoBq3UwI +CyHATiRIbyj+yzVyhh8ccnL6j4I8BHhiBi8l3RV+mKs +--- 69+YwES2m/Lz68QMJTANOjgIPWmmjgFTrBGoEdHuaPY + +LwJT;&)IjYjzGRmv4A}2dL-6%ZDfJ@g-p}06h zH#Nn`)YQ;Y!M`LsC%arBFV(ozF}2hw*Ey{qGs8mPqCVWiAX(ep&)GZI&&(`6%Qz{; z#lR)q&&wc?%Ook)w@}}$u+qRa$;G?G!==C}(=))$x1hwyAl$;l!pYL#Ft4aQ*`zX( zOIKG{!Q3e|J2=B4E8I6NH$B|I(Ie3#GC#>9tkP89JzU$Z(zn!4KeDPMBrvO(%ZBrc z{vHFZfA!VOm+wArJ<&U7k8jqmsZKLvmOa?hY}z#Sis!XCp}MECm;H+he-N`FJMYWs z&ZAE~?2<0-FF2_m{~_;JXAZQEZZ`%Jge9{BR9myJwMIU(K|88+ae{)tjr)E zWL=t*bx@G2ZhBE_VsWZMxTBqZY@SUdSCW}imaDe8Z&*cMp^L9+NRgjodSG~FV0Khu zWTA6?MN(O0kfpI%u0>Fko1sahc5Z2slet?`uw`MsL7AVEu@9HGzf(q*cT~Qqeqy9$ zaAu{Sb8dLLkDqx#XrxPuk#m@5T2*3HXkngbexb3pS5;P$Sw@L=rjK@INWPnPRk$w~ zm#(g^LV=@Kg}daYtEmNW@^%L;xwbA4yWWTOdFCRD%NCuq-i{f(CSWuqNM$_sx^YY3Lv z65D_ALj8mCg4arMS6(ZIJ-R097e3<=>*w&(6Vm3(G8}IIHI3nY0%zH;?S=_6{~n$C zTTAPB+pi}q_x^heTy}j~DtLTP;@e+25ifu2So1qA;`rWA@!NGaT;ZJkHU8EGqidh5 z49eNJC{;c8NN}j0HBar?C;6tIX_=BHf3o$u+V>^w`&6E?tG+=g{PvfO$&us&P}F@by9H+_UOQZNXzht(J&D_=iywTylJ(Q#c)m@6eKYFQ z5r^bM$*zHmpRV` z2^7Zix4!V`Us&+E{44Y1U8-#r$`iS=o!@z@_L}_?I(c!PbFI=k+1moFM|bmHHa#X> NucEW!@0;3|1^~5_Y;*ts diff --git a/secrets/agares-wg0-key.age b/secrets/agares-wg0-key.age index 9938b85..c673a58 100644 --- a/secrets/agares-wg0-key.age 
+++ b/secrets/agares-wg0-key.age @@ -1,10 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 L7f05w ENcdsQ43v/xIe1Ej4BYjb/nTjIk76N2DR/zj754Puz0 -vIDFk+A/m8rOnBNXcvfBX4SJNxT6LP64s674v5pJtcQ --> ssh-ed25519 Otklkw lLwVf/2E67Bue+VBu+EMupLjuv6wfR656CD1st71GRM -AsXHvpANM0mOiSW3LTqzbEneVQSKNb0TvsMY2WCPfbk --> DJZq-grease 9))O09 z2- -ZFxd5v9Bma6VVIvpw8VK0DSR55lHUNOTh6cNxFJAezXn1apmjvuZPdMSXZ7OrE23 -qlqnskWvo+SX3JF7NH0yQf53dZJU ---- pSa5IqZmIDAHJkcPgqrS0WUwnD1ipE2pGr87qhTmrjk -(E/P(|Jؑҋz`JO2Ԗd3qO!8HN3\i \ No newline at end of file +-> ssh-ed25519 L7f05w KLdcD878do/oYEztzNfCgKtfh4QCFmCMSZiapueB5Hg +wnSioiBtYXjASmU+6WUGn26ga6Q3REbFC7DxA29PQno +-> ssh-ed25519 Otklkw WstJ3pNxaazVPxNjTx3NsXQFnW8sy51CYoB5WVxwHWo +YOmD3exRcPoNer1y7Me2t3nOtUY9Hc2Oywl5sXMlTWw +--- tCVr+COM2orioyWJZvvwbK4oTlRErsQLywIoCVGrO1Q +/a>0L|3`.@awG֗i}=KƮ$3?rtle ߩb}CqרUbc!P \ No newline at end of file diff --git a/secrets/ddns-credentials.age b/secrets/ddns-credentials.age index 9ae8b774111398e0cee5d98039d21bb154a69c3e..b306c21d933f5e38ebf3b7953e23b8ddca3f81f3 100644 GIT binary patch delta 412 zcmeBVxx_p{r#`XBEkN7VQ9m=IqSUA|EvU*YJep--7~7#(kZDRET|;K$0^bz)F?CEl}p!7p}06h zH#Nn`)YQ;Y!OJYjzpPv#vn;|nJD@l>&?qRUFf7S6(#_ATC@I@8EGon(%+u9Xztlf6 zC$YFB)uN)DtJFC$$uTX$($gs-E!WG-G)UVhqSCS?DmPF&&pEvy%gHZ7+tNQ(->brP z;z#lN9Q~}|VB@?@*F^8Id?SCi5<|CeH#fJ6uxyJABg?e(Z0(}#wpV~dFLpyF~aU0q!TXA>WzbPr3z z$`YSMZ{K{6;F6Nu;>t*0uhdE}Gxx$U_v9k)B;zP^r-*O^E+*y3d~Q|IPfG$&9| GVF>_~iHp(z delta 468 zcmcb_+{rRQr(WN~FI_*#ysF&2(96*+JIFL7HOZyiFT1!bIUprHzce5#E4!>bBs4EC zpUb--F(fP5)7>>cCAZkrFf!erGBL>CIWM==FDKn2#I4N4KP5QJEyu*WDm}!+I5;~g z%fqwEE6XjPtH3lc!{0Z^-w;H0rr3ObwDV4IB-U{fbRJ%ei!Qbrp&YeF_5g zO+8XdEX+$YLJbYvvdc4_jVjAMOmoVj3J*02| diff --git a/secrets/etc-ppp-chap-secrets.age b/secrets/etc-ppp-chap-secrets.age index 6a4d954..eb705d9 100644 --- a/secrets/etc-ppp-chap-secrets.age +++ b/secrets/etc-ppp-chap-secrets.age 
@@ -1,11 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 L7f05w 6Ct4ARdph2N0g7ZFljPbEAg4R2gP5z2qMupI288AF3c -NaQUNkEt7XsV0A4nNR5uguwK6C2KN26FJjeNB0mtz8U --> ssh-ed25519 Otklkw uyRTZRjgzleuEFqGJDiO84c5yXFV0XtQci7PdroNzAE -vl80LseOwmKyR+d+VXWseuszqao56GjnbyN6XzETKt0 --> {D^ar+U-grease bvk{ `4v Tc? Fv -m/JnzLsIbh8nYWSIvbBl7GwnZQPvAyuHSbmNWiN5pzS7O+wFs9xWwl26Vn6Y/lEf -JL9+Ra5MHsiR7C9XRf7or1rd62SPuIKyaWlq+Z4Vqr4Of4jWyJqQtNo ---- 5cNGpnlhGc0NNriUIZ5KYGR7Erh/fPqV8/8qnpqEn+8 -sqD&L=7miأ%Sf(#re)ڧ^vc$gyyAk6̦F8J=J -W \ No newline at end of file +-> ssh-ed25519 L7f05w +3ivAltBBSpHDV8MI0WvxF+sQ4a7YAdPQy0YrpVtNEM +JnMWRY55x5/ZGtgZY2Wex+/bfa+/q2cIV/z9OMTIPiA +-> ssh-ed25519 Otklkw hLGKbMeImUkJEXZGW9KeqNNncBCltrVwIipE+wndQlE +zOHgtuhd2EHFfBKry8RORwe/w6naEUK976OuUqywvVU +--- fKBvXBk0gulWSTgRkQBBdSrV7loB+P6YKsdcVWAiofc + ~hWb+$^,5_m,!Pi$cwMY L ̏]?P4 6LMVL \ No newline at end of file diff --git a/secrets/etc-ppp-telekom-secret.age b/secrets/etc-ppp-telekom-secret.age index a97dc40a488de8c7f143cbcc249894bf34c88c55..e3ea72bcf1757feb3e73b5893be562449a0ba3f9 100644 GIT binary patch delta 335 zcmbQv{E2CTPJNb%cZExoerA=0muYE=dx&RlhMS3}MS7}JSZTOvXh~I6phDwwY^gIhU@TLUD11 zZfc5=si~o*f`3VNPIkFMMS6y7x^roMsaIZ_Ur~}*R=u%PVN_PJwwqg(U%7dDet3$7 zON3vdZ@yzXS9xA(gr}o_WpZU!c%Z9!PV5p^UWL0n| zm#(g^f~QAdVO2m#uvbY)mW72^SWr=fPld5(q<*q@m}^mKNkK`be|d0FT3NCQmxPVE zscm)MYmcqxT8>>;NxXJK%W!q(dc%3j%PxJq5n!QyPvWL!g3pXi=D*(Cvwp2LTW`80 iOfEP!<>~J1N$KHlJTwB*{`L#LtJeB<^tDb>BL@H*_Ij28 delta 372 zcmeywG@W^ZPJL01W14<|Q&FBzWO{a{QDTmPpJ7s>U#ex6MWAtHWqM^cX{u+qaiwK>MNx)FctlZ!Yi?wwueU{5rjKiKdS#iZV`xUEzllYdE0?aFLUD11 zZfc5=si~o*f`3VNPIkG1v3XFbX+WS`m}8!iWqGBaYkjDbr)jxGm4}gqe~Q0PUUs6s zZ*s0%Zdil?S7b?&Nw}lGc}S4Cp=EeMv16%GnWt+-s$WWxr$=yTl74uUM@~qliDwYl zx|rN>%PQUUqSVCVRD~K9CACO}+G* Q!NcckrG7_lU3EPH09*8gEdT%j 
diff --git a/secrets/gorgon-backup-passphrase-gs.age b/secrets/gorgon-backup-passphrase-gs.age index 24beb4001c319a7a7f2465532add0d647fa78741..1ee5a873d11148b47401d58a3c9e52d3d6807191 100644 GIT binary patch delta 308 zcmbQte4S~6PJO0-Zf06(fPaLAV_;O0K~}n1d1QErWoThoVNsQ(fxe@8c2z`rZbVp4 zGM87FQFw^9xtYE}mXoEIM^>(jdyrX_dx(i?Sbng%iEDv(N};!*iEo-?D3`9CLUD11 zZfc5=si~o*f`3VNPIkG1r=eedriq7VX{t$ipr=J)X?&lbH$~8ot3E(4FWDZ{`@-N5;@u3 Go(BNplWNES delta 368 zcmcc4G?{sVPJL2xd0?rrQ%GuINJOM@MsiuAYlUfLYF1%No@sHBSF&$tkWp4ZrbR(u zAXm1diLYtCetw!!xL1mKwsEDGS7MSuPKsxFluxNgSwvZmUwTn#W|B*(Czr0BLUD11 zZfc5=si~o*f`3VNPIkFMa-wmhL1IBvP=QNmNLENvdVOM2fnjBmr$@f0Q<%S_MNvk6 zdWlzPSz=W_SD1fVaD|7zNtUZYva^waSCoEkqhe>2m>46lOHe4mK$2un+!uqf?-$kOskA8n`bDDAv5 zUw!RNqw;hvU0q!TkAPr*w ssh-ed25519 0aOabg rRJrTkyZU+Fmx05c4FvTCW2xrGKVzqqkECywb99OLwg -AELU54TN2oUxQ9r2Zx2CltVvyKh+7kCJnccnENtAZyE --> ssh-ed25519 Otklkw i9UGmqESZAaz3x1B5OjJq/ILEQnDRWsGbgHtnICrBl4 -plEjZljaiRmeOhqFxblzfFcy/VqViE18hSwPrxgHm6Q --> Ukp-grease CP.W -MZp3tfA9p0SwGxc1gaphv1XUPi3jj4dfeiBmiVl/FB7DYubrLzbJZ2Zviz3S2h5l -upLMFRZsTyhskVQ0lCfXFXb86xLXTc6pXM0klBwGajJrJFbF5Q ---- JZS2Vh+BBv5memqLMM+onaaldFUFm6keKFQooGSmL04 -.oT 2b‹k,Ex|g1h;\}8=e)л'Jp( \ No newline at end of file +-> ssh-ed25519 0aOabg Bnv1ysgdcDayoKij0c1pB3s2I+p6Ps9s06SB/NBtQWQ +g7r0THpvT3Gl/yhfuejugvvuEzbl9wupseQuc+Fj6xE +-> ssh-ed25519 Otklkw Uto76sjDKrpHnCfH9wLauXX7hj6eWkiu2ps33lJtbA4 +27yu6fZEFYg2qvFtPvERDUpLVNAO7nVYMP2+5cBL/W8 +--- fmqPTiddDg9/oU6PYfuuB1Me2gDQQBzk5T/2a5GdgBE +HEA"U PZMi~׊P)߸C +ߖ kb,c{ҷ=8&bc0bz\5-p>`O4 ;/9; \ No newline at end of file 
diff --git a/secrets/gorgon-backup-ssh-key.age b/secrets/gorgon-backup-ssh-key.age index 64ae67527617004f823eec7b5ba94e69efcb3782..6fdd034e5db07d8ca215e0205c1842eb9a07f13e 100644 GIT binary patch delta 689 zcmbQvc9C_0PJK>6uy$~;V}-wqg;9P;X=+G7QlW=uo|loCmzQH0lY5F^c6wx>yK|+l zucxJNWo~FOSEfObqeZg0cAXuiXe}0|o(b5%97u`J`*t%FpLRoS9 zWAC4}iZ^C!Z)>Q{*UAa}JA3+?3ufGFTqXJ~Sq)Fid@LzYs=w!&aHVjqbo|q&FXTBo z|0;-XZ*!Nspj&LaZWHU$9R06{-pq9K0-=)2F#VeTV2(@o!@*c zX7<|Cn?vp!Sw_fQKAz_`C+NJF*V5%lcl7>02$gaFC?0CJWx{6PnVt=qYqc~xo32F& zN~ksZ&SjfYH(@8^nk7@~FWr)9xye3RV~T#t(^Sz{p$y+ltFEtnRw}3YblcsNKkpjy z|6qL=eBCAE;^}3gJ^MQT%n=newCLNO7^W8?+R^+W?3TC5qJQ@f@XopB`{3gV^U_eR z8NrbX r-`#`@Rd;Xf*`~qqZ1XSe**B~kr_B4bO0f0n{c`ovmW++t%;HJ`DH9ng>gYf zD3`vrPnlm}QLb~KkC8z}QhI56Ubd;RS)g%Qka4banwwLavtM$OdrGoTAeXM4LUD11 zZfc5=si~o*f`3VNPIkFMp^r;Isb5}!LAr5rp;uW(P`#P6f4*UOxPC-vhDo?~dP-ql zu3=7Ul2b$=m%e3oRfTg=U|x}hZ+LK3RG5WddQg;WfSFfOl)p)ohkK^6VNq&osi|c? z$U2?GDDO%e-Snc=#Nt$iBEy^#9j>&*jIcb@3ZD>5M*|lVkKD*AM<0LxJSS%ZLzBwl zitN1l#GEh>qcmr4CnrO%axPt6T?Ic!edn_B)DTB6=a51tU!Te}1JB$@6YubJ!%EK( z=fEm$eG`x3$YS#XSFY}}2X{?6^PtbxBHi(i6g(_q=2B(zY1T~ z9xu9@^yb*oJAXe%%#Ajj-Ek(prZ+_3vU>ln`-MLB8#YQ#yLjUC>b+WJy)W)`9$I=d zi)GKF4@=lSeF^{S(D!-Oy*)R)Y-R;>p7oyUyxR2j(#ub_7VJJ#I7{XI6g_2wW8p2n zLZ;_lPH$T+Cv?h5Dkg5T-xh8Tg_vL8E4LNhlCYc4`F#Hg(a1x858JIy)Ry>{I3Ze9 znX_&Av&OHNj%7O5f2mS=%@biDO2)8g~eTN~b=mRc!Yke(ssA!*iK zXd|ONikfX z!KC}#jhF1bJ-rXVdiu`% KWwrX)r+)x(9ZFUJ diff --git a/secrets/hydra-github-authorization.age b/secrets/hydra-github-authorization.age index a78cf11..d610670 100644 --- a/secrets/hydra-github-authorization.age +++ b/secrets/hydra-github-authorization.age 
@@ -1,10 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 J6ROvw UYOoBfgeJfHWWDn9c6YZx5/eKpcESIZ1x5D7YhAzagQ -OLx4uxTWxL3iQqf7PuM4TzEjglyoWc42vcdCQ9wp2CY --> ssh-ed25519 Otklkw UwQM85450Qyg7FzrEYV75tYuD8xylkixRPfkpy36QQ0 -Tr8JHaK5OvsNrFcKujYjFbCnj4mK6C2FHpqWWwmUdY4 --> \rgn:U-grease >9e'r xm jK|e1 X"X -YvR9JDrsZLbAW2LpDP7j6IbGQCfe/FHk9eDvBsiN25yaKOODExRKr3KBTsc+GxK4 -j7Ulhp+uVGLJWxhI7sREmjfM0jthwwEKphPSNj/f3Qyelj/kxboIqfRZp1A ---- elz+4e81h73AF11NOXuhxNwtA0Qnc40N6/oeMPdIwpU - +,Gp4"AIE;_:Tۋިء% mm(曺g~xf"}&L-A҈܁+v* NJįg/7o@oh=9ݑΌ?P \ No newline at end of file +-> ssh-ed25519 J6ROvw KPY6Uy86G3ixSpmC5jZQccfG931lfJj4ti4rJI4cxDU +mpuAukp6Wbrp+y5/FDeqI8rf30L29VYc3lGHeKOes0g +-> ssh-ed25519 Otklkw gez68dma7MQQ2WAKht9Gakj3XL2seZGusRscwrjcdFw +kLzSfbi3HVws7CBpH71abUe/IItakGZ2W7zGh7UfycA +--- 1eLDLEU93FE2kvXoz+FsgObQpyclU9XVnP/ElbBc0wU +Fw%DW~ɱy@&{gkt8NMq/sB:)*a|Ϣ0'<<9Bg ztY Ppvz* ۓ~6Ǡ}ہ${-697 zs<36t2fzQ :Aͼ)p \ No newline at end of file diff --git a/secrets/ifrit-backup-passphrase.age b/secrets/ifrit-backup-passphrase.age index 640ac05..d908a11 100644 --- a/secrets/ifrit-backup-passphrase.age +++ b/secrets/ifrit-backup-passphrase.age @@ -1,10 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 yMjj5g FtHlFiQa2xr57K9GiS2VX+NYI/2kP73wWXVBsr61cD8 -Gokj4dzQP6AB9YWRBvmXL8/Sts7NO6g6wP1hIYkKdp4 --> ssh-ed25519 Otklkw UB1L2gKr0wnsGktaVlnbr+nSUZQ34g7JO4uuHYhuuyM -X4AT5taAJBtFia62IUTDa1cdbZtwaxYRQFCDez8aK8k --> r;DMOG-grease h"Tb e?z^VJ icNa -/0ZIHqI0whHoBw2Qs15bxY7o1sudscitKuUB3ysyFwUVsIG4nzTOS2GFuXTQ1WuD -5pH2CQfp33hvqrqV ---- vji5ZWP7+BLgpmyX2Sxgdv7Ht37NvQ8DuY1/t3cvvuI -]eޛ,% qnAM{DJWLG@/gGo.V4 \ No newline at end of file +-> ssh-ed25519 yMjj5g JOFZJRGtrC1G4btVZ/D/XiKqwqSrpQpOiI6UdfFE+no +1GBByaq2ojp2Xm+FNsIXm3iNcd8BCIo6uBThZEne8/E +-> ssh-ed25519 Otklkw Otqt6BlhQSzreJy5NlCTo/9at9stWnlVN73zNi0xVW8 +5aUfPsoYZEgc8PJXd41wtpeETCTe0LtGPxqAm15Pg90 +--- h2S6vdReOwpqA/C3kr3rnuSeaWKr+3Nvc0vQ53WVNHA +*O%C\[+Vz/GB e3]< *kO?1\i%j \ No newline at end of file 
diff --git a/secrets/ifrit-backup-ssh-key.age b/secrets/ifrit-backup-ssh-key.age index 6611b7aa089abeb577c81e8011b04df0c812d410..d7059202b2de26c9d7b6c2c4eb86f181046ab2d3 100644 GIT binary patch delta 701 zcmZo?yURL3r#`AEH!(3N%q-tH*V8C6-Pk+8(BC`PrO47eD!Du?H^SAeJTJ1)(jYwD zlgr7&-zT{&DkICK!oxe;v7p!_px87#%HPq@+{G+aztG4m(l6ZA&p$Y#oJ-eEp}06h zH#Nn`)YQ;Y!M`LsC%arB&@iwl*vQc!!mudNJIlw&vc4kKJTRps+ug4!+0jYcFC!<} z*Eu&i%sDilE8L?f%{$0K+tSfDJHt0COW)C@+&MD6AUh!4G1pK(uh1yO%q6YLurl9~ zOIKG{Aw1V3s30h$Ai%RUH$B~_+%>4wIKtbw$gQHpIVan&(!$%tyjZ(1r$FD4OU-sq zh*qDBNWHm!#ia#T=JQ|YX80J{qsl7#ZRPwuZfxP_gfr*wJblfDm-VUbPL^Wtor=ZN zdyC30{hrm_E8u|sO+ z*Rm`2yuW$n_}iDf;IsGVvSwd^JbML=7g}oM2?n{@LclsQY*0>{e zS76p5F;~UtIt7=b^+$AeN*b(LaOo%4-hY9Dn~wO;yShp|?Na4`+xcD=yCz@PGMuTD zdiRvSNrTAI6}JwHZ(kebds)bM>F$iSiRzv@H$Uz){m;B8L-g(JR&R-YSAKO(V|pS} z_FJC6^rvmLq;tZ)HOy}xvZguc#2m>D+-@x8{QCT>#XH&OcD(lHTCHAe7L;e4{W4RU z>++sgZTs5~aRk4vzIlqpO6ty&lj8H%X0{(o{r2hF(O$jlx3+d)KEI;8RHE?qK0^TQ CN+JdT delta 743 zcmcc1+RipXr`|QM)U+@%D>=xwG}FZ>J2pLa5d>0s`|!_sBRlld4fTt6moGA5HP z+hgMG6BpceHF6m(-J~0%ob^dR<++{nsTrQv6dE3}KP|lPZ_6dCd3}~=e^=t z%=mh(z_;$6vN!h^Y}@hI#9TTvCtm$jiVJIf)EV7>oBngACuQ-@bK32v~QhtfTFP4rCw(RnwO 
diff --git a/secrets/initrd-surgat-ssh_host_ed25519_key.age b/secrets/initrd-surgat-ssh_host_ed25519_key.age index 32dbcbf2ce1b0961f179ad26bb2a5577f8e340cc..ded499016d73087d35b30f46e0eeaf6d2caacc57 100644 GIT binary patch delta 689 zcmdnOc9C_0PJN_7P(!aYU3sNTi>cw@F!%d1Zk`X0dN@x|egH z1y@#7s;_66pHsPIYKgmfL9wr?i?OzQZjnK%Pei1vMR`taiwWMm3y!S zm#(g^LPcq^i-}{UX>ov2QdU*AMPinpNpgC)lYT~INt#KbQL(deh>?+3MU{mCmsrKz zC1+}i?$wt}?T(tUc;>c@>vofvZ``|_xJI;Z&5;*xC)R6K>VC|!EIqW={?nvt9urAL zqdUnzb?)7r$b8H6Xn0-8uX`HaZPV>ylb`2G-(ySN{9{U@Re{Zl9jokP9w*$9S!={A zd0lu%xRg2Hxzy5dQQ~Q&%WG61zEv$EwJ#&2tgO&FThWd-^5B7RR&Q`l~z+#C{ zW8h5ZjrLY^EV(>I#C18FcWrwi!_Sepey>@b4v%VE2G7pPc1hjaOZ2Yi=`B8W`n%3) ztKvH!eU9IVNb|Bu=B_+uW_8<&|N77Vqav?AGqX#l%({B@AJa_!d1s!a zaN0Az=!;*TsDv?JusSAJ-@4?ZkIYJ`N1K$Q?@8y#$KUa=DB2)Z%lF=R!-DBf+_zWV zo>J$r^OQjS%Nda$PAr|Yj_cI&O(&NsOz#tWJa^UprHA>d^ViC3t~1pPIrih$nqR*b z99n!VqF}~sO|cU`dlv;;W?Fr(iJx)!+v7Q<%1g?2?s#r9t=o;sFKpq=D-E_HTJKIe t?N=zClb+M|xU_x4CI~Rz;M4K~`~LfU|a#wnapcNmf>#pM|q?IhU@TLUD11 zZfc5=si~o*f`3VNPIkG1Yg(?4b74TRc5+T+u~&AHaebt*Tc&qNsz-7_W~EnPv1vd^ zWr~lPiJyBiSA}^RFu0qEskNFQvJ|WkE$rQGRtyPNBu~@tddOMunePoCqu5vtkeQGZKndC%rG+_b5AZ^U0sDx zL&uV&((;fr=g6$ev@HFAN`2$R>_8t=LzgPQ5|8jK180Naq5{L>ib$>pdUg*USIRf^ zu6-N7(qwqq+U5YP2ZeFR$F{l<9p$gGdI~R+rbwu zvU%=1qYF|$zu*0IUEHaw{YS$gxbCIL4R>SSVg~GDLz0T() lO_{kJ_&tx`VPGp>SX3Rk)t^s6CE8@FSp-wL)e4)+BLJ5`MV$Zu diff --git a/secrets/miniflux-admin-credentials.age b/secrets/miniflux-admin-credentials.age index 06ff0e0..76b2fab 100644 --- a/secrets/miniflux-admin-credentials.age +++ b/secrets/miniflux-admin-credentials.age 
@@ -1,10 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 jUOjpw Tuaz2+fgz5f2ZacAYc3TdREIurh+XG5RjjKpaEFgtGo -gB1iaKV+xAv0PGdjZwmBCxMbxgCqZrM2JBDiEWCl//8 --> ssh-ed25519 Otklkw ocyFHtGzclF+7S9I7uSqsfn5weqxj5Wq32y4c6VDiSA -hDX5Viym/WdFZE5rXzToFhqtGvj+Ft3Hh7oiuzCuG/Q --> b&-grease 2u ~R j4C 3|h`M}/ -fdhnmlw+wqO8nb86f8jdDNW2P2SxzdwuljpRrlG/ZxXcC4QxtnO6RwK9NAS9UBQr -OAxJ6v3P+cMYJcsPNLAr90rEzXfTV2VONZgoNwOKN2l5n/JX8aGCt5i/vVI ---- sYjj24oaGUMZPD4TV8JKfjSPHeYOKh+OpueLZT/TxCQ -TO&DdC2ƔW^˻Z &b ssh-ed25519 jUOjpw sM3nHEEUDrSNaDx2kl18pqwabNSVj4Jbl8DXRKpmhjc +pQDiAqXXAxheyYa14lEGmOFs0hrMgJgvU/ChpmZTNVY +-> ssh-ed25519 Otklkw 4hsEjZuZu32qujYfjP6XXbeEqbQqkN0AgO2lM/hMomE +e4tcDQ1NSd78ob9QNKdOOcoov/xbW0DzvOKCkMGM3HM +--- 8H+daxTtO86AApWyBd18ju2Mwquc07I5vOH8Q8FVsmM +$0\eg؃#> l՞QQ [bu,Z5 + 8߃_Q+Y083ؠL*LK0 \ No newline at end of file diff --git a/secrets/ninurta-backup-passphrase.age b/secrets/ninurta-backup-passphrase.age index be260fe..716f621 100644 --- a/secrets/ninurta-backup-passphrase.age +++ b/secrets/ninurta-backup-passphrase.age @@ -1,10 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 J6ROvw KcokdqclkdrsGZ9qXKbUw+Ewygu/btIG1wp8Zdto7BY -AUIReE3WEkpAFAiiB4nBLpuWIrdgnY1yMxwkrt5cNyc --> ssh-ed25519 Otklkw MO/KVWqohrCV4wcwsaFauzFypDRSwHnU6tz6RZ+1RWU -yJ7leSr7FN2cavJpU19YujUevF+YUxbktoKSnPZxspY --> N8)-grease ! ) -BWnkSuqZDraoIZC2crwtr2uAE0r4AN3ykXJEKy2Ma52VfNgyJXPIpoXngh/eBPOp -1ScTs8U471TjgpwfDw ---- 54cVfZ6HDGsHRxe5tTZqc17rtKD7THHAKaF++J5kFLc -&gF(xRO:J/`3͹ 쎓j҅o 57K \ No newline at end of file +-> ssh-ed25519 J6ROvw bBg0Jetav225RYL3Ck7MD07JIipkn4wZUHuelLT3tAM +wU2v+LX2QHxcMJ9IMrwNS9yzgCbtEdotKZAavawLBn8 +-> ssh-ed25519 Otklkw zAXdEcOs8sBXtjXAIGl8g6HV+UGo/9OmFt/L5dCVbU8 +pKqm8UlBICMkPr40q9p7mzGZD+qIN+bHA4ZKJAfp9vk +--- VdMIW9DbF7ca2D/a0fABz3EhUzuAZ0vKIFWA1FTiBGc +%&1v CUp Ѡ%L#Q8Aw?V1Aw6 pI& \ No newline at end of file 
diff --git a/secrets/ninurta-backup-ssh-key.age b/secrets/ninurta-backup-ssh-key.age index 30a2b2e203856d5cd722e549c17249f84b350695..df1657f6e37807706c2630caa705cb8f02eeb0f6 100644 GIT binary patch delta 709 zcmey)`jmBoPJOAjpP7GET8>e&iAzw9pQ%@2cBn~6PNjEckbZemYJNs!xvRN_Q*o4Y zI#;lMq;p`JSE;MNxr@HGpG97|Yni`6riFn|uBTT>qEVVuR(HTR(N2EXI^q~aB-Dyp-*`} zm#(g^Lb{28QL>SbdxUAOc0^fOzO$F9k%6OsfO)=lPH4VkU|4dLTUn}SqGh%LSClO` z$E0eGkb3d-uwU1>cV(SnUU&Y1O!)eRv)-;YJE0+vd*kC`yLZPvww|t=_C0Yz&xiDa z>$a;8Wi_mSd%yFoRfcNEls#Ej_TF8)OlyAGjhxKw;py8J`s8hKn#}V?%)z;Ep z8ohjvSM2vY`=UO&yVUHHa#4%cFY{7fKlz5}_SChwCA~X; zGTBP%^ofs)PN#i8q28|BS+Qc-WGmiFHX#kaoG#=)nX>20e8%GsAI`B@=e6wQpZ_P0 z#ynHLH|Ijp%G28>tPo{VwObU}7pKWNq-GtnmM`v delta 727 zcmaFL`ki%xPJMAyn0|;wMuA(oYgMvOXh2bDXh}t6sCHtqnX_B2QKW~Pc2R(dPiDT6 zBUgrhXt{}Hd00TOYnV%hcUV?-sh?Yhenvn_MQKDvN?uNYrAKa9QCP7>K9{bYLUD11 zZfc5=si~o*f`3VNPIkG1S%sN-YKmb-rlDm>RDO1dXT5f5WS*<5vxljRaeir1c0@q7 zpSe+bNlugqN9FURJm( z$U1#Pd)@S+)WqUcuCU@jE?r$+g{0IROGCrJ5bvOn+=+Mi4St}f3VGd)cBEmUYOnP`$|VG z164%Q_*X9VD=OmheE(PP=Y-Ad5=w`bTvWX2+IQ z@hj~*8Xrq0-%&M@eO}JI^1Ai`8q6 zplyeOapL=@E>g!XoOrUW=jBU_d1VvUA6q9Eo}hg0mF#lK{`C&OoGSkPojB{2n9`lJ zJ-ZZ-gzWz1eO>p?j{1vJ{Fvf?U-I?Nujq{&aC&oqI5=iCQ dof;jVkit~-e`f8$WL^=5U}J&hw{d zCs$Z-PNadiL12nOm~*hZXOW>xsds3qVOC&}nU{x2im^v{g?o5jwrNFqD3`9CLUD11 zZfc5=si~o*f`3VNPIkG1k&#b$aH?0bMWvBpeo#ezPJOmdd4{8jetuL{kbY5yOL{?B zZlQjKX-;K6SCK_&N`SvhvQc40fM0fGx}$GSv2kI#S8|qqYGJm4iEnV8c3Eh?TV#>} zm#(g^LS}kyM52*}zGZrjS+Q|IPDWHfVybVlcX3!+PI_*7a0 zuaj@T@LpHU+-@^t=7gZWl_F0z)oiFykoX~A@ncfzeKN#$Opp7g0 z!MDGsx+q%)#e)E$Nooq`*~fjNft@?ewDFmO8N2`R?Cn5H@^O> zuV`)`|CMDoyfxoEQcddGQU7$){o9u&=r&!<4lVn5{;RO_J%c|lc3fuoq-b@%>-ioR z|LuQ`(~g&&lN0h=5TR_i^Yp8|X4`r-|JjQdM=`eczkQmKKD+s zch0KnfDqq9F_KzM`|p35pHv-T@apCD^amd|>3$B=p6jV_^ui+5Wg4|_C*~dZ)9PHl uxQVG0)GkUsTW;5q;ya5#Ga delta 859 zcmcb}`ipIXPQ9r|iK}r%u18i$aCuQgNm-SlS5Z<`R!&qzc|}2~L1>|Vwv%^gM1WbS z373gWae898Nv?->nMaC?iFcBJkY_}mW2Je1S#X{~g@voXMPXsEeo&F4BbTn7LUD11 
zZfc5=si~o*f`3VNPIkFMl1WZLh+l=TVL)bfZdp~HSAAuLnNMF`bc~-80g_&!(Z+3=}duoPunR|tqQ9)#-vvYY_Xiz|MroK-g z$T}CTF#oIq12x_BqSVCVR0ZoaU)vOgD#e6QEA?mvk$WPa_xK(4gEXXRj3BbmOvMcQ@1UvPhRKGw+f@gG472 zH?9aLPah+bVt4IO-yn;k5SNU?P~*aqe0Mjq6bo;oV#}&b?K~5U&^+(t@W{%PC}-2` zQp2jOOrxYCzj9wkE?r$+g@A(eL^J=wur!nUh$xdVCqwgWZDU{KP=mloA4>~;ay)qI?O&eb^GV94AZ-VDW#SyCZ(< zwimCi^#0G?@ GS_S}}onyQJ diff --git a/secrets/paperless.age b/secrets/paperless.age index d2c2d86e184c4de8be4ef80c6125d9533dc2c02b..9de2ffe698260b627b099c0e0b0217880ff6afaa 100644 GIT binary patch delta 320 zcmeBSe#|sMr#{M~IIqeeqP)n_xXipXDcdtB)3hY3GStmI%G|Hgy(q%X#WN~N+dnYW zgv-?+)S@Ij(7?akHOnQ*EI1%C%fv4!KheL+DaFqtvnt0gxT4e~u{6LjkW1H2p}06h zH#Nn`)YQ;Y!M`LsC%arB*}}}%EG^PE%FVDMEW+13t-d71R6E-&yuvHUx57Li)x@~K zxhTjqA~3_1%hNqCB{$66(ahVe!o@4s(%jI|BPh@y!d1WAJvgr*%3M3iDY&B4FW4lM zOIKG{A=4l%CppqHKR?Ys%SAsgvnVnoBi%2>qR1<#Dm^4wyTBmJ#YwxW(zG;`t0C}& zLd`jCIm_awX4St|l=p=!d*1NefQ|jSk+$}VTgof<6fgR_>(ucHb_}IqN`JH19_{A4 TH}P!rA+Ggavap delta 361 zcmaFN)WbYMr`{|u#3C`JqA0M!-MPZD+{`N~AUnyq*x6S>oJJ0&r)D4;UkI4{-0*VD(DLo{z$fqhhG2AJ;!lEG4AV}NYJJBpN&)coa&Be4NKer$!$GAKn zWSwSuxUYe~ZhBE_VsWZMrmB)ci4#|HX^xYVkE5wmiGF~8qGdUkuCA^^SV={Sg-5Yl zUY1i*j#+Ait4V02Uw)9GbE3YNqh)B0w|=;*wwqseZa_&kS5g>H+4PS6RvWt{6EoBv znEXle^IEddDE7q7YDHDUzYlhLCdSl8r0%aUtdod;wn=GL5z}p*lUY{&_MaZs@7njx F6aYcoeLw&J 
diff --git a/secrets/pruflas-backup-passphrase.age b/secrets/pruflas-backup-passphrase.age index 7750b1cf6c94258bf30d125c19be3d922b5c97e5..e6297c3b8dcfc4a4e8559577ec9b7beb8261cda9 100644 GIT binary patch delta 320 zcmZ3?{FrHiPJLO4tEE@6ce;6AfJKIl1hDSwIMTWUy zGM9;SSYl9Mig%)SVpU2}ZlZQ%p;?YchFh3dP)3D$uBCTml#_p|QI?xmB$uw8LUD11 zZfc5=si~o*f`3VNPIkG1tFv25q<>LRMwUlrqF;tvc70ZfOKO&@b6Rd@NN8oEe_lzB zxpufyW^uSLmtlo(POf)Bl8;xozFVnDSfHPCmcBtmN_M4tenD|YP=-ZTnWIlcWJG2$ zm#(g^f>CyMfth7meppqcYe__^XL_Kkk*Rl}Q&?r9Q-ObefvJCauB($vlwXl6SL1Od z!-wls0xbJBbp-}-F?n`pBxkplnf>^(o=tbcDUKsYqE5-mSAAeR-C3Nh&F}X26!YtQ SU-lefxYkuEyX1$8nLhwF3k1V~K@xpqpnLnq>ov?x3^KEt9xQ-L0OKIW2%`+AeXM4LUD11 zZfc5=si~o*f`3VNPIkFMRJy6Tkx`mYU`}XBN{MGuKz)IBa%8GYsCjvsSFT@pk$+T@ zWoDqGL27m~S7e2=ziX7McTj$AS+aq#sk387PGNypWHUg7RPw%QS&mp{EW1GlZ(p{ zr-)+njL2fHiAv%;hfKpg)=aRBx~s@w`kh@kPJVB1fWPXrt@FLyCcbpM8Oop$B>Lms d?h@G|U#nTSUmh=6cfCpD_@xWZ{~6}Q0|21chCToQ 
diff --git a/secrets/pruflas-backup-ssh-key.age b/secrets/pruflas-backup-ssh-key.age index dd41e2881141ac9ee1cdfe6f225fc3c52888654f..0fcacff217b502d9ca98d0254223018dbd665815 100644 GIT binary patch delta 689 zcmX@Zc9C_0PQ6i?ud!#AcTq%vS3zQ+iFUGuzf*ZhaG9^ClRu0L~>D-MM-X1a!PJqma}VyE0?aFLUD11 zZfc5=si~o*f`3VNPIkG1wvk_QNqSOMVW_J|S!!rdaD8f2c(#W}aBzyRp{09CnNw1z zdzxEnMWkCcSBY0}qNho2R77xIu)l|qzLR#IWu$LNn3J)wrB9WUhl_q{dWvDHTVhc; zm#(g^LWG;MxoeVPuBBm~XH;cGNr-DsWLR=yKuB_8ig{vjW^!6;p?+X+nO}(sm#*IT zBiYKLef10${jC4iSbr6~@_+vFTUVdNpLqN9kLO+JTA z6Bg%3JnB`-dh(;#fXia#s}-U4B8OQ^*V%W4o>>3jbn(1jVf9`CW;_PFo-NoBAmKeh zOCYwn_pwfhBgrrzf}EXn>v&1UugNrO)k$jf4+a~X&Ep6U0YN;uWfN;xG%_aO=gZRqn0ys zn9&3K0e z|1{T1h)0yAF1-7z%k^zT&2Q_CUS>7x4=xXBeej^W;Z?JFS+(eNg@z>pQ@r@rZfTx< zKd>WMuJKx2ROLs>gAJea4o}^tm(f05^{UV^qpwq$*BPB$_ON$vMXgD%Kl^(vpO@1< t%kJE@bGo%-?4=VD2mF;J%QQ?X4I&T7&iK?lj$=ROZM21OSBZE%X2Y delta 813 zcmcb}dWLO+PQ8A(SCFA!RY0b`b4XEflxeX?Rat3JR8fdaq;_z2M5ULxadwu4QHWbr zF;{`1Wp;>xNw!OXzqgZHdSbSJqGf?;cBGkUiBGP(Z((vtL3nANexA0eE0?aFLUD11 zZfc5=si~o*f`3VNPIkG1k)eA?hI6T*Z*X~eXmDkKQ@yWWUSfD+ig&PIhI43I9Ka-LS;~-;wW0Ncc*AOmUU0nr}fT~dK%JKqJQ}cYE@WPzXe6!3DugIXZP!nGx zmka|}3vb7qG{3A0UlXnb1Ch3;nUW%Ljo10=_r)1)wY6`woXYp!=GfL{p+@r`G5=5& zNv^x}=k^?hPlo3!EFaaWCtKN8uM4<2^=vNB#h9ARr3dXl^`APo!~aQQ>?n6(O7H&Hs5_<90;(gl|U3jy?=k2VvQf?Xldy#Q1Hf!eC{%yVZ zDd0joOGHBV0`-H5D_BLJyp8v9a7nRZB42AlF0 zySW%}`}!X>qf;^C>YuaD1> KVVUzfsS*H&)K)V9 
diff --git a/secrets/pruflas-wg-hydra-key.age b/secrets/pruflas-wg-hydra-key.age index be57748a9fe32e160c462ee89c2cdeef18ef72eb..5695f548fb6eb9d2d96d60bd71708e678f8d280e 100644 GIT binary patch delta 332 zcmdnT{GMroPJMAoML~&IYNokGM5cMZQ$%5gsfTHjS6QNgzk#87Zg!Y^m9dF&SZGC- zBbT3Bm4%m2o_~ZzVUSsAU_g?oVL(+yqoQm{v%M_8_9endrJ zaH6A2T3A&+mt#q$VOB(iK}tYio_SVYp_zYU?uQe|P=xTD)%4*W>rr*Zt#>W;>h`#@6e)&v%_iUT)~EARmsHlMaWZ4_KHqsNOlt gZGHIdmZ0bl2mf_y-~G5K{jb6Gb-|I(BwAJj00C!vPXGV_ delta 412 zcmaFQw2yg$PJMoQaI#xYu2W@Vuu*}3R$7{&w~4lgU$TE#zKOPPfO)=wSy4u1T2M}K zF;|FlNT!cdP`+FQ2H4K)>MpjI^|3Cl3z` zm!Q!4va$>(k1)&99K-a&@Ph2fEDJ;Z%s?((U0sF5;DXFVXSb^2+)y{|5|bj=lx!zg zBj-q8CxhJ3^6;YUP>-?{ZGRI-_i`@95}!$4JLf38?VZ>fuw{CH)doM)ZzumKWlh<4 zHeKr*Ls8>Jq21Q88|^Y*PyA%FCeqJ;yU9fbr&Xd_{W@24jh^bq9O)C*c;vigOThkR F(*Q~mk&*xa diff --git a/secrets/pruflas-wg0-key.age b/secrets/pruflas-wg0-key.age index 122adcd..56c3796 100644 --- a/secrets/pruflas-wg0-key.age +++ b/secrets/pruflas-wg0-key.age @@ -1,10 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 J6ROvw R+xnmMAoVmaJi9UMYBSX5CKk21LhI9iIionc6Nh8ZWg -eR+OpFfB6BIOzOUeeY5IzmXerCCiqOYS9ZAGIb0UAS0 --> ssh-ed25519 Otklkw HYpIGulRkcfpKhSdb1mF/hbBHiXCUzYR6/b0KspgHTU -1HAtdynQZ10AVgGqh4cw3qDqSh6Suum3zYo6/G7qKw4 --> +YMQ-grease -wyHx9k+fMnxTm1LMDhmmMye/ ---- g1F7i8Y0foxjDp6qbBtjhY3A/vyxM2R/zIQJZTG2F5o -.]n"wjkYd<2{N N0`XUsPxV)nfOg \ No newline at end of file +-> ssh-ed25519 J6ROvw JrDRK2NkcPjUf7Owco978Saj3FlPGLL9RcOW3aSB7Hs +o/WPV/rBvvc89c5qln+XLVslVed65EGZOkQoYeGgvpQ +-> ssh-ed25519 Otklkw fvLeR4YnqmXYGu8krDmCGDLa0Xh+X+HpCTcqodxOtEA +L304iO2/Xq5TJ3Ui8F3EIR0mXVRmAMAleGexBxWoJN8 +--- B71HeCVbIOOnvWXWwMSk0A19qnsE31Lo36lKOkXLQhI +%>TsS(pfAT+ $ R_(NN1xL7F^V +opSj \ No newline at end of file diff --git a/secrets/pruflas-wg0-preshared-key.age b/secrets/pruflas-wg0-preshared-key.age index 7528977..c9fc294 100644 --- a/secrets/pruflas-wg0-preshared-key.age +++ b/secrets/pruflas-wg0-preshared-key.age 
@@ -1,11 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 J6ROvw wkW16tPBMBW6C6OPU6Dbq9mfk8w1hdTNB1lEP7r3ym4 -oeGp1/oGD5R208ZutBsJUsA+A94hOASnm0JavDjsHvU --> ssh-ed25519 Otklkw AQCgfaxhvd59oOf/nH75WhHtYt6RXuO/U/c+pKemGDQ -Jx5pffK1rX2Yyal+ZvTTGiMm2PsMZQVIRguHpDU2iig --> ^-grease ' -xxEd1+U8pgjgcmgxRJqbLIHNoga8kUdwaSVsypHL1UB+kPAPFIdZF4KMOj7hshzC -vmaUOinUhDiWXQ ---- A5Ig3NOr1MW/FXwh7xDkITEd3o/LU8TxBdrIq5xLsZc -Ce\BN^ġ&.+k,x)TTS:h򎪳SN mgׂٔ _a W -/ \ No newline at end of file +-> ssh-ed25519 J6ROvw Csza+rGQxYUDFvGEYm1fWXWb5LjLgnm40FX6ji8iSwk +6WBO1waHHHtS4JXAIWyeAglajZWC9RBGiL4s8jD27k4 +-> ssh-ed25519 Otklkw XUwET0Fnwhv6ZT/LfRJqgJAbMo/+0/klLXZPO52/gBk +he627Zlp56L+u55f4OiaOvFbYBIfabbpOIcymrgfhBI +--- 1KjO/MX2lKusD1cGiyJCoo7XNwNGrXkoxa36k2ROPB8 +c"tr ,%&|j +$>UZ9&ᏅpeAa^o[Zn9z \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a3255e1..88f46bd 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -7,7 +7,7 @@ let ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos"; pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqZHu5ygTODgrNzcU9C2O+b8yCfVsnztV83qxXV4aA8 root@pruflas"; surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat"; - stolas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV1LSH8jeMnXJ/eqhJCebbwxenJmxNoeB6UGrBmRjZk root@stolas"; + stolas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObI38cB8gTDXmDb5GcK4pLm5xM+nnvGeSfEpB4lVEwE root@stolas"; }; backupSecrets = hostName: { "${hostName}-backup-passphrase.age".publicKeys = [ 
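Review bot: Replacing the `stolas` recipient key in `secrets.nix` and re-encrypting only changes who can decrypt the new `.age` files. The previous ciphertexts stay in the repository history and remain readable with the old `stolas` host key. That is fine if the old key simply went away with a reinstall. If it may have been exposed, the secrets it was a recipient of need to be rotated, not just rekeyed; that would be the `stolas-backup-passphrase.age` and `stolas-backup-ssh-key.age` contents, assuming `backupSecrets` lists the host key. A short comment next to the key, e.g. `# host key regenerated on reinstall`, would record why it changed; the `let` block starts outside the hunk.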
diff --git a/secrets/stolas-backup-passphrase.age b/secrets/stolas-backup-passphrase.age index ff9d5146f9f253078b6c2230ffce80ac842abec0..ab532e3730c4fd6e5087d85a64162bed8169f69f 100644 GIT binary patch delta 343 zcmey&^qFabYJIquv#*PzLTHt#zfnk`M{rSQmRprsW@TD>ZkmsoQK7f9w^u}HWua?8 zc5!h;N>zv_mqlq&uuHl}V7^;wioa!^o4Jv5pl`O9cY#}OsIgI!Z<1enc9l_BvSW5J zm#&>cadC!jYKoDmsiCEUe@S*ucDX`|uYrY;OH{B+RDDu;n3H9gfrUY(zE_T8PEMtx zmvNPQnp;?;Yeq$8u3;osT9i>zX{BF8W|F0gccs5qT6Uy`mtUwyiLYyNXoYrCXjD#V zkdte0eyIVMuCA^^h+#>Pr9q}=rln_+L6kv;TaurPPjOCOvXQ%IzENh0QJ7~yglm{_ zqP_vw%z&9Y8Qd#w-8=D#@4Ri{hu5E0F5Qv4eG`M?F+RSVrFT=dKa@&M_@FuC--=Jg r7ZmeS3zmMq9~vYj=<)K1+@!QQp_Z&y?F=7ytd&o-`|{}9m+1@uXa9eE delta 343 zcmey&^qFabYQ2BDcSMw zvZZ#AM@mH?S8j4aa;Q&$b6}`%NxpMtNO`7XsF7oYi)mcadC!jYKoDmsiCEUe@S*ucDX`mRZ6h0v9ohoRehjIez`|@cy5tXTBfs^U#XL0 zsX=~TUa?uRNnTEnWmqv+XrM`mQ@Fl~ziClera?tPuu+aQ= zrn!lQccd$quCA^^NnufmcV$$VOL|6$fwxy+luNKnSW2F&kFkY!R91kaQAL!oPgbgT zj;8_Fj{u{toW;%#6aRf#pfUGxpQPVwETq4dEW+m9#n rd^|aK&hvLRzi;nh{iy6V%UtS8qLb>nX%c;ECEIHkl@-O?yb}cgoPmA` 
diff --git a/secrets/stolas-backup-ssh-key.age b/secrets/stolas-backup-ssh-key.age index cb98c8df76663f8f4e8d5e50fb5a9ca3f691ecfd..022ef30981a92c26365c6d6a63f8951bb842764d 100644 GIT binary patch delta 696 zcmcb}dXaU4YJIquv#*Pzf?ttunMFWol}S{fdq|>*sYzjuQ$SdbzGGRSubF;!c44`p zp_7xhsd0`gm$_SNQDvf$MY^SNlD}tSNo0Jsk2A6e^O;;xW7@FL4~7ZR7P?# zm#&>cadC!jYKoDmsiCEUe@S*ucDX`@S(sy(X?Q?rP<>8bv1vw{c2#y-q_25)PE>Gs zL7_#sXGNK7dP!!fd3G{ac3D)0qiKpqYMDi4q<@%iMN+xGVO6$YP=ukkahO*`m9vM5 zzGGOad9W*&uCA^^kcYlYVwFXyd%8uKYo2+2XoX*@flH}=k&APMXNbRPmbPb(Z4?}H{XFs7Yu?3#OCJIC~&S#;p6 z?8CmtKPw($ez)|h-&xc4hU&)Pw;cyel3x9hnWePK{Mh<>jyi6ocbCq;F`D=%L*T5N zl8w1yvvIELOW98f<=nRCe`s7{wtus#z+&G|0iLcknND;5MShhqK6U+rt&OPk{(xC? z!sA@E`rgmgdY^d7WT)=TPfs?q7vU#(Ze`q1|> z$IMWXch(m-yga7zqP|;Ia&^EamS5*hf_r}^OoCA`^`UYNUQ%! z&ELdZ8T#(CVAAayr=tAlmPvYS>}`Je{=~s8>!0s?6wp^~z!y`#jju#)v6cu=8e?MQ zg!;W6I~Hx!k~#j||I55)$A7QW&mQ*DUHQVQhs)zDPj937#m7Bg^{$y3Rv+Ifc4xIy wepQm8K}BJ> znNgr`NO^8Cm#<}|VVZtkN?2rGX;z`9OTIx-esZ8|guaDmak@cSo~3ziV6KI?g>j}U zm#&>cadC!jYKoDmsiCEUe@S*ucDaI4My0oJL7IM)MSXd?Q+~N`dPRAXxp{JyrITrr zfqtTSp-D!ev2#Uufq^eqmYYv`T9~;}X0dl@N=cDvu2G(;v4OF7RHm1UcZgSBrDb-0 zsK1Agk54+6uCA_vdtjQUYelA4h?i?%NM34jNLZnpafG>Ja(+>mcCd#%{Mh|+vY#*M%C=H z)~8Lobe$&~OgdF$ZFbaaN7E+hInK7#{c`Hx_c&bHW%w>~^l?{b!B_Tq|GbSJSenmxHs^Ar zKKsY{tS4UZzhtw2WFfa_bCcTk9|ec62F$feZ$JKD%I5O9jD`2av@*SaN(J3ovFGIK z+vkIOl^ox8Xn*I`R#UD2AaUI?t|c(2>+Jtnff+5_kBYyjPy669)n($;E~jPlmTx~A z$GT+p!jqTZGFdbAiq*-UIQNXhKbni__^l50=&vjK*3J1 ssh-ed25519 jUOjpw zb9yidyhlOj2LnVSCjNwq0MBj8Ik7zdT+6vs5k2vdTY -lxFHzj+mUpW8ogGkfpZZWZRPfMp38Sb2GYojBUrxGB0 --> ssh-ed25519 Otklkw G3tj2S2BM+jmGg5ajD2hTIKAWJMAhuHAT4jpFpu2YmQ -XDLRUWirSzXQ55HnWdICzICPQDL8pyJC9SnS9ODwhdM --> v#M-grease -rEp5i85i+0HA+Rx31HR27NU ---- 2Q+j2Vh/Tbv6NYYg614YL1+yP8hff++2zAuWV7dHDe8 -HY\ \;m~qoz85Z̯e9Ia䔝Y \ No newline at end of file +-> ssh-ed25519 jUOjpw hXl01CaHYYlY/orHilx2gv0Fyh1eMXgN1NBzV1vSw1g +B35trnqYoFwg0xhw/QPw56N4VjxMyQAlNGyRFKdHfKE +-> ssh-ed25519 Otklkw SRtMspvRR63U17LRd2aqU0m6f5bnpY7kaUl9uP94hhk 
+e3XD/s3fY78uxzA7YVs4F4LBFYJOIHZ28Odnnj8Zeac +--- eVNBDHFoU3kBN+SE1osblaJ0yWTv1ZOjJEXKtsI8054 + u'~ʕv'V}nfuE.JͥhxI ^X7Y +E74 \ No newline at end of file diff --git a/secrets/surgat-backup-ssh-key.age b/secrets/surgat-backup-ssh-key.age index 7523e7a3e6e10f57997494739baa6e0039f40107..37cb2a54f553d7c132c2a7b6ed743af2d384fff9 100644 GIT binary patch delta 689 zcmbQnc9C_0PQ5`$l8K{vc(ReHg=ukyTY5mcXOLl@XP&!3ctv_hrmJaaX-<|=m8-L1 zBv)o)cu2WlsIg;UplMZ=QBGKXO1N2yk6B1~XkMmgdaz$XiIHKXx1oPZK9{bYLUD11 zZfc5=si~o*f`3VNPIkFMUZO=-fmx(mSdw?HVNhwYWqnmzcA}$KMrK4omak`ea;BwM zfoWlBKv+aFS42>1RdS@EepyaRL0W;UXOyQ)MRHhfW>$emR&Y*IM7VcQQn^KdS)p?= zm#(g^LSbHBnTKygcu0|#slTD6aYcZ$v!hFaf0m=8QFv0elShD~lV47GNLH>1*Quf& zjl;_h*4LNpSezmE+tMlj{!U5$_{J=)`7%=yofX2;`mI%pS1LS{yr|~TVBz>VwRqBu zHQe9#8co;Rbf!^*$LqxD?$vualJe5|oH={ZyyQW*NO?uiV zvVLtew^gr$uXNUwjT-M}`sr9It%$0WGM=*W(l^Vqhi)#r_)V$!w|I=>>#seRjTrh? zp6A%mwSSVtwm;9BpUZuzzw+Ur*&n-k8S|5BgO{|vlU({fC-KV8dxr`f_#2O$cw4sb z=HeAMoo?N2$#eW};rA~kew*5!cb1oL-Zh&2qMubd&+){@=khz;e=uK9xp3l>M;-IK zM*Yj``RwOjoZ4A^J!;GM6qeb{tD>zcG{1#@dAK`n{*j)WP5;?l3-adab$@Tydb(J` tzV&Cg>MWzztDnUN|Jc%`|J;gqWsv>#9OccbLSEMYg4MP@`n1TR2LO?0GU5OL delta 758 zcmcb}I*o0DPJKy9j6PD?e#b#Sb&a<|?{^#(c2#uH9 z&KL@GT?~2YbzUd4-`1J;Vf%`eRRUax*H+AmXJU>M6i?X|BNG}d@G_#J-$|nM9haki zbk_E@rw`uy{$OSE_gNPvuFUwWljrg0Wx&LutPdPFPqv;o!NTIPIQ^*lTrZ}+RYv*G zY)_UPd4E_ZbVdEeTQQehOjfU5^ZEX2jey79(uS4mA&`*Ka7d&KA ztx@s(uzitApJwk`8)>KfMfVK$UrbT$QLboz)pNJR$Sh~|O3s%NZ}VKOH;P=)FKMl^ z+tIZ4*GqvZndfxoKmIQ9W6IsR0@f{dr9QGHFYZ`xeVvM~jX&J-jBgWzS9j89E;~JYRmN zF=WHF7t6MOI=laE?UIEK<}rtVSVq@5Twk9baJs?LQ>1g^a)st2)dHFw%YFu~Ud9uq I%AoQD04mT%2mk;8 
diff --git a/secrets/surgat-ssh_host_ed25519_key.age b/secrets/surgat-ssh_host_ed25519_key.age index c664303a55a0feff21e5efbc94439ac2b7441f74..1e58cc84eaa73f0283d0c1d349e6e0071802ed40 100644 GIT binary patch delta 688 zcmZ3+c7b(*PQ8C|Rk5j?XOx9kc5%A9pL3XVenF;jMN&qIhhdO^qD#J|c4nYOse6V| zGM7biVwPV-YO+sIx_LxVn4epIsFAj7nn9IIl#^Ffig|`>vVVl7r@3iVB$uw8LUD11 zZfc5=si~o*f`3VNPIkG1Z?1DiihEUAMw*{tafwHTXT58cqiK{$K$wM7nQKmVWlo7x zzF%2{r&mZmmybnYV31{4Vp?dKiLbUtp?O3~gl~nmc9w;Ov$0WFk&$mohNWkAKw60b zm#(g^LS})Pxl?&nV4!byNMJy&zE4s`WO7PSSXfk+Ye8y+u}M}$KzX)%c)4*XmzrIy zDBJe;o9d@0iKH{Cf8tB35T9vTBl~Ut?}VkxB)Pb+lONn;xH5`(v5@n5Q>c)1hQ)@)048 o^So0Hx;D9fU(2$p`O+~aY2A~@@-3EfEx0i8{RTBvi6uq505y*tm;e9( delta 774 zcmcb>x{PgtPJM`(X})8!r)ha{xwBVE{ zC$o~`6r*hI!T{3@KVL5w?Ii8U>we6FJj7m8T_e76=|wm9%%rQp{Ex@(-8 zlFjBEyexKn`necare`lVWH&lF`{y0eJnmq8a$-G?gOBUEo*mh_mtSt~mHhL&>}`G0 z^Oenu-Yr~lY^k%}*1$s=mM>;A9@>6YJnlk?0(XgfzzgHrTd8|LP4~{!d&Uxec4Dxh z#44{gy^o zIC0-p&BZ@n2cB3Nd*j3|m-a7eKZ{Nrh-PGDt6UP)=fLqoN^)n5VsFI7)gB(R{o)*DXqJs{WL=Zs6JNYys^2lut2vZI<%(_c znH`STBh!04JR`5SWw!il-Yi%0U-4bLHd`}qUjOM-roV#U%?-coGtHXn%{^7RUU5yO zFL$~6%Jmk)-F}Ja56~nO7Jdq)5G>pmf7tq;rcYGCBH6) XMd;e(Eq_B@;xARGFz;MR zIah{nN_v^4XK0{Xg=KbBs+)zIdrDb^NvNlxhli6%nxji%V3A=^R#C^qicGKt5aSG5@ql$pEBm(s>5zJZ_fJZf#;Oq}!$0B0I`9{>OV delta 368 zcmaFQG?{sVPQ8mqah{W#g{iS`ZgFLL1K<8 z$T~~i^rF()UB)L^e#PS)n&S~@lv2wS7-RoBjx|6CGXM8iodfe)Z(tRr$Ip4 NEQRur`}dRzT>)h)hoJxf From 49722f705ab5bed23a7c304e9a50048e0d65dcd7 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Mon, 21 Jul 2025 21:20:12 +0200 Subject: [PATCH 13/26] fix(stolas): disable GS location backup --- nixos/gorgon/configuration.nix | 4 ++++ nixos/modules/profiles/laptop.nix | 5 ----- nixos/stolas/default.nix | 1 + 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/nixos/gorgon/configuration.nix b/nixos/gorgon/configuration.nix index d34d0e7..82bb694 100644 --- a/nixos/gorgon/configuration.nix +++ b/nixos/gorgon/configuration.nix 
@@ -43,6 +43,10 @@ in
 sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
 repo = "u355513-sub1@u355513-sub1.your-storagebox.de:/home/backup";
 };
+ dadada.backupClient.gs = {
+ enable = true;
+ passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase-gs".path;
+ };
 nixpkgs.config.android_sdk.accept_license = true;
diff --git a/nixos/modules/profiles/laptop.nix b/nixos/modules/profiles/laptop.nix
index 8e0b52f..2c5accb 100644
--- a/nixos/modules/profiles/laptop.nix
+++ b/nixos/modules/profiles/laptop.nix
@@ -50,11 +50,6 @@ with lib;
 };
 services.pulseaudio.enable = false;
- dadada.backupClient.gs = {
- enable = true;
- passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase-gs".path;
- };
-
 age.secrets."${config.networking.hostName}-backup-passphrase-gs".file =
 "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age";
 }
diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix
index 197795e..8f23e9f 100644
--- a/nixos/stolas/default.nix
+++ b/nixos/stolas/default.nix
@@ -81,6 +81,7 @@
 settings.max-jobs = lib.mkDefault 16;
 };
+ dadada.backupClient.gs.enable = false;
 dadada.backupClient.backup1.enable = true;
 dadada.backupClient.backup2 = {
 enable = true;
From a45a48cf17ec3f45c0a5013bfe991f329c5921a1 Mon Sep 17 00:00:00 2001
From: Tim Schubert
Date: Mon, 21 Jul 2025 21:21:53 +0200
Subject: [PATCH 14/26] fix(stolas): comment out paperless secrets config
---
 nixos/stolas/default.nix | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix
index 8f23e9f..e1f115b 100644
--- a/nixos/stolas/default.nix
+++ b/nixos/stolas/default.nix
@@ -154,13 +154,14 @@
 };
 };
- age.secrets = {
- paperless = {
- file = "${config.dadada.secrets.path}/paperless.age";
- mode = "700";
- owner = "paperless";
- };
- };
+ # TODO
+ # age.secrets = {
+ # paperless = {
+ # file = "${config.dadada.secrets.path}/paperless.age";
+ # mode = "700";
+ # owner = "paperless";
+ # };
+ # };
 # Create compressing swap space in RAM
 zramSwap.enable = true;
From 215f4313bd67fdd6b0312606ab7b5667eab7f2d5 Mon Sep 17 00:00:00 2001
From: Tim Schubert
Date: Mon, 21 Jul 2025 21:25:30 +0200
Subject: [PATCH 15/26] fixup: backup secrets
---
 nixos/gorgon/configuration.nix | 4 ++++
 nixos/modules/profiles/laptop.nix | 4 ----
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/nixos/gorgon/configuration.nix b/nixos/gorgon/configuration.nix
index 82bb694..16f8130 100644
--- a/nixos/gorgon/configuration.nix
+++ b/nixos/gorgon/configuration.nix
@@ -5,6 +5,7 @@
 ...
 }:
 let
+ secretsPath = config.dadada.secrets.path;
 xilinxJtag = pkgs.writeTextFile {
 name = "xilinx-jtag";
 text = ''
@@ -48,6 +49,9 @@ in
 passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase-gs".path;
 };
+ age.secrets."${config.networking.hostName}-backup-passphrase-gs".file =
+ "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age";
+
 nixpkgs.config.android_sdk.accept_license = true;
 programs.ssh.startAgent = true;
diff --git a/nixos/modules/profiles/laptop.nix b/nixos/modules/profiles/laptop.nix
index 2c5accb..9cdc314 100644
--- a/nixos/modules/profiles/laptop.nix
+++ b/nixos/modules/profiles/laptop.nix
@@ -5,7 +5,6 @@
 }:
 let
 inputs = config.dadada.inputs;
- secretsPath = config.dadada.secrets.path;
 in
 with lib;
 {
@@ -49,7 +48,4 @@ with lib;
 pulse.enable = true;
 };
 services.pulseaudio.enable = false;
-
- age.secrets."${config.networking.hostName}-backup-passphrase-gs".file =
- "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age";
 }
From 77cdf773c0af1726693964fd16e033eec9499044 Mon Sep 17 00:00:00 2001
From: Tim Schubert
Date: Sat, 26 Jul 2025 13:43:39 +0200
Subject: [PATCH 16/26] feat(stolas): enable TPM2 LUKS keyslot
---
 nixos/stolas/default.nix | 2 ++
 nixos/stolas/disks.nix | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix
index e1f115b..3c72921 100644
--- a/nixos/stolas/default.nix
+++ b/nixos/stolas/default.nix
@@ -32,6 +32,8 @@
 "usb_storage"
 "sd_mod"
 ];
+ # Ensure that TPM module is loaded
+ kernelModules = [ "tpm" ];
 };
 };
diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix
index 5d48d17..01cf635 100644
--- a/nixos/stolas/disks.nix
+++ b/nixos/stolas/disks.nix
@@ -30,10 +30,12 @@
 content = {
 type = "luks";
 name = "crypted";
- #passwordFile = "/tmp/secret.key"; # Interactive
 settings = {
 allowDiscards = true;
- #keyFile = "/tmp/secret.key";
+ crypttabExtraOpts = [
+ "tpm2-device=auto"
+ "tpm2-pin=true"
+ ];
 };
 #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
 content = {
From 5f9eac570088bee40057219ad0bd1989e905cddf Mon Sep 17 00:00:00 2001
From: Tim Schubert
Date: Sat, 26 Jul 2025 15:45:37 +0200
Subject: [PATCH 17/26] chore(flake): update lockfile
---
 flake.lock | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/flake.lock b/flake.lock
index 572619e..8c964f5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -89,11 +89,11 @@ ] }, "locked": { - "lastModified": 1752113600, - "narHash": "sha256-7LYDxKxZgBQ8LZUuolAQ8UkIB+jb4A2UmiR+kzY9CLI=", + "lastModified": 1753140376, + "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", "owner": "nix-community", "repo": "disko", - "rev": "79264292b7e3482e5702932949de9cbb69fedf6d", + "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", "type": "github" }, "original": {
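Review bot: The `crypttabExtraOpts` list added under `settings` in the nixos/stolas/disks.nix hunk is, per the NixOS option documentation, only honoured by the systemd-based stage 1, and nothing in this patch shows `boot.initrd.systemd.enable` being set for stolas, so that should be confirmed or added alongside. The enrolment itself (systemd-cryptenroll, and which PCRs the slot is sealed to) happens outside the configuration; unless Secure Boot is enforced on this host the PCR policy presumably gives little assurance, which makes `tpm2-pin=true` the control that actually protects against offline unlocking. I would record that above the list, e.g. `# TPM2 slot enrolled out of band with systemd-cryptenroll (PCRs: <PCR_LIST>); keep the passphrase slot for recovery`. The `kernelModules = [ "tpm" ]` line in the default.nix hunk of the same patch may additionally need the interface driver for this board; both hunks sit inside attribute sets that begin outside the hunk.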
@@ -204,11 +204,11 @@ ] }, "locked": { - "lastModified": 1752286566, - "narHash": "sha256-A4nftqiNz2bNihz0bKY94Hq/6ydR6UQOcGioeL7iymY=", + "lastModified": 1753470191, + "narHash": "sha256-hOUWU5L62G9sm8NxdiLWlLIJZz9H52VuFiDllHdwmVA=", "owner": "nix-community", "repo": "home-manager", - "rev": "392ddb642abec771d63688c49fa7bcbb9d2a5717", + "rev": "a1817d1c0e5eabe7dfdfe4caa46c94d9d8f3fdb6", "type": "github" }, "original": { @@ -295,11 +295,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1752048960, - "narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=", + "lastModified": 1753122741, + "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806", + "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22", "type": "github" }, "original": { @@ -311,11 +311,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1751984180, - "narHash": "sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X+xgOL0=", + "lastModified": 1753429684, + "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0", + "rev": "7fd36ee82c0275fb545775cc5e4d30542899511d", "type": "github" }, "original": { @@ -327,11 +327,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1752298176, - "narHash": "sha256-wY7/8k5mJbljXxBUX1bDHFVUcMrWdrDT8FNDrcPwLbA=", + "lastModified": 1753505055, + "narHash": "sha256-jQKnNATDGDeuIeUf7r0yHnmirfYkYPHeF0N2Lv8rjPE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d3807bc34e7d086b4754e1c842505570e23f9d01", + "rev": "7be0239edbf0783ff959f94f9728db414be73002", "type": "github" }, "original": { 
@@ -460,11 +460,11 @@ ] }, "locked": { - "lastModified": 1752055615, - "narHash": "sha256-19m7P4O/Aw/6+CzncWMAJu89JaKeMh3aMle1CNQSIwM=", + "lastModified": 1753439394, + "narHash": "sha256-Bv9h1AJegLI8uAhiJ1sZ4XAndYxhgf38tMgCQwiEpmc=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "c9d477b5d5bd7f26adddd3f96cfd6a904768d4f9", + "rev": "2673921c03d6e75fdf4aa93e025772608d1482cf", "type": "github" }, "original": {
From 2e8aa80b706e1798b3744af0a6e80dcf5386d128 Mon Sep 17 00:00:00 2001
From: Tim Schubert
Date: Sat, 26 Jul 2025 16:04:21 +0200
Subject: [PATCH 18/26] feat(stolas): enable admin module
---
 nixos/modules/admin.nix | 4 ++--
 nixos/modules/profiles/laptop.nix | 2 +-
 nixos/stolas/default.nix | 13 ++++++++-----
 3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/nixos/modules/admin.nix b/nixos/modules/admin.nix
index 07323da..eb37116 100644
--- a/nixos/modules/admin.nix
+++ b/nixos/modules/admin.nix
@@ -97,8 +97,8 @@ in
 services.openssh.openFirewall = true;
 users.users = mapAttrs (user: keys: {
- shell = shells."${keys.shell}";
- extraGroups = extraGroups;
+ shell = lib.mkDefault shells."${keys.shell}";
+ extraGroups = lib.mkDefault extraGroups;
 isNormalUser = true;
 openssh.authorizedKeys.keys = keys.keys;
 }) cfg.users;
diff --git a/nixos/modules/profiles/laptop.nix b/nixos/modules/profiles/laptop.nix
index 9cdc314..4d02bb0 100644
--- a/nixos/modules/profiles/laptop.nix
+++ b/nixos/modules/profiles/laptop.nix
@@ -25,7 +25,7 @@ with lib;
 age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- users.mutableUsers = mkDefault true;
+ users.mutableUsers = true;
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = mkDefault true;
diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix
index 3c72921..46ae536 100644
--- a/nixos/stolas/default.nix
+++ b/nixos/stolas/default.nix
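Review bot: In the nixos/modules/admin.nix hunk, `extraGroups = lib.mkDefault extraGroups;` changes merge behaviour rather than just making the value overridable: list definitions are concatenated only among definitions of the same priority, so any host or module that sets `users.users.<name>.extraGroups` at normal priority now silently discards the whole admin group list (presumably including `wheel`; the list is defined outside the hunk) instead of extending it. If the goal is only to let a host pick a different shell, I would keep `extraGroups = extraGroups;` and leave `lib.mkDefault` on `shell` alone. The `mapAttrs` call sits in a block that begins outside the hunk.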
@@ -83,11 +83,14 @@
 settings.max-jobs = lib.mkDefault 16;
 };
- dadada.backupClient.gs.enable = false;
- dadada.backupClient.backup1.enable = true;
- dadada.backupClient.backup2 = {
- enable = true;
- repo = "u355513-sub5@u355513-sub5.your-storagebox.de:/home/backup";
+ dadada = {
+ admin.enable = true;
+ backupClient.gs.enable = false;
+ backupClient.backup1.enable = true;
+ backupClient.backup2 = {
+ enable = true;
+ repo = "u355513-sub5@u355513-sub5.your-storagebox.de:/home/backup";
+ };
 };
 programs = {
From cfb4b8d160e5632d803344db61637f77526fa055 Mon Sep 17 00:00:00 2001
From: Tim Schubert
Date: Sat, 26 Jul 2025 18:16:17 +0200
Subject: [PATCH 19/26] fix(stolas): wheel needs password to sudo
---
 nixos/modules/admin.nix | 2 +-
 nixos/modules/profiles/laptop.nix | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/admin.nix b/nixos/modules/admin.nix
index eb37116..05acc43 100644
--- a/nixos/modules/admin.nix
+++ b/nixos/modules/admin.nix
@@ -93,7 +93,7 @@ in
 services.sshd.enable = true;
 services.openssh.settings.PasswordAuthentication = false;
- security.sudo.wheelNeedsPassword = false;
+ security.sudo.wheelNeedsPassword = lib.mkDefault false;
 services.openssh.openFirewall = true;
 users.users = mapAttrs (user: keys: {
diff --git a/nixos/modules/profiles/laptop.nix b/nixos/modules/profiles/laptop.nix
index 4d02bb0..7089f4e 100644
--- a/nixos/modules/profiles/laptop.nix
+++ b/nixos/modules/profiles/laptop.nix
@@ -48,4 +48,5 @@ with lib;
 pulse.enable = true;
 };
 services.pulseaudio.enable = false;
+ security.sudo.wheelNeedsPassword = true;
 }
From 8908833eb36982d9c5e7125b730d74f79e0a4ff2 Mon Sep 17 00:00:00 2001
From: Tim Schubert
Date: Sat, 26 Jul 2025 18:22:00 +0200
Subject: [PATCH 20/26] feat(stolas): migrate paperless
---
 nixos/stolas/default.nix | 2 +-
 nixos/stolas/paperless.nix | 10 +++++++++-
 secrets/secrets.nix | 3 ++-
 3 files changed, 12 insertions(+), 3 deletions(-)
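Review bot: Setting `admin.enable = true` in the nixos/stolas/default.nix hunk pulls the admin module's `services.sshd.enable = true` and `services.openssh.openFirewall = true` onto a laptop (both are visible as context in the admin.nix hunk of the following patch; this assumes they sit under the module's enable guard), so sshd would be reachable from every network stolas joins. Password authentication is off, which limits this to key-based logins, but for a roaming machine I would close the global port and open it only where needed, e.g. `services.openssh.openFirewall = lib.mkForce false;` together with `networking.firewall.interfaces.<IFACE>.allowedTCPPorts = [ 22 ];`. `lib.mkForce` is needed because admin.nix assigns the option at normal priority.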
diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix
index 46ae536..5f7dfaf 100644
--- a/nixos/stolas/default.nix
+++ b/nixos/stolas/default.nix
@@ -4,7 +4,7 @@
 imports = [
 ../modules/profiles/laptop.nix
 ./disks.nix
- # TODO ./paperless.nix
+ ./paperless.nix
 ];
 nixpkgs = {
diff --git a/nixos/stolas/paperless.nix b/nixos/stolas/paperless.nix
index 7591f0a..a5fa69f 100644
--- a/nixos/stolas/paperless.nix
+++ b/nixos/stolas/paperless.nix
@@ -1,4 +1,4 @@
-{ config }:
+{ config, ... }:
 {
 services.paperless = {
 # TODO migrate DB
@@ -17,4 +17,12 @@
 "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
 )
 ];
+
+ age.secrets = {
+ paperless = {
+ file = "${config.dadada.secrets.path}/paperless.age";
+ mode = "700";
+ owner = "paperless";
+ };
+ };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 88f46bd..f449646 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -46,7 +46,8 @@ in
 dadada
 ];
 "paperless.age".publicKeys = [
- #systems.gorgon
+ #systems.gorgon
+ systems.stolas
 dadada
 ];
 "initrd-surgat-ssh_host_ed25519_key.age".publicKeys = [
From 651ecbc9c4a9455196294cdef9b860c669fc606c Mon Sep 17 00:00:00 2001
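Review bot: `mode = "700"` on the `paperless` secret in the second nixos/stolas/paperless.nix hunk sets the execute bits on a file that only has to be read by its owner; `mode = "0400";` (the agenix default) is sufficient. The literal `owner = "paperless";` also assumes the service user keeps its default name, whereas the tmpfiles rule in the same hunk already goes through `cfg.user` (presumably the paperless service config, defined outside the hunk), so `owner = cfg.user;` would keep the two in step.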
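Review bot: The `"paperless.age".publicKeys` list in the secrets/secrets.nix hunk keeps `#systems.gorgon` as a commented-out recipient (the hunk only re-indents that line) while adding `systems.stolas`. If gorgon is meant to lose access, dropping it from the recipients and rekeying only affects the new ciphertext: revisions of paperless.age already in the repository history stay decryptable with gorgon's host key, so the secret value itself should be rotated and the commented line deleted rather than kept. If the removal is only temporary, a comment saying so would help, e.g. `# gorgon dropped during the migration to stolas; secret rotated on <DATE>`.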
From: Tim Schubert Date: Sat, 26 Jul 2025 18:28:19 +0200 Subject: [PATCH 21/26] chore(secrets): rekey --- secrets/agares-backup-passphrase.age | 13 ++++++------- secrets/agares-backup-ssh-key.age | Bin 741 -> 741 bytes secrets/agares-wg0-key.age | 12 ++++++------ secrets/ddns-credentials.age | Bin 466 -> 466 bytes secrets/etc-ppp-chap-secrets.age | Bin 374 -> 374 bytes secrets/etc-ppp-telekom-secret.age | Bin 370 -> 370 bytes secrets/gorgon-backup-passphrase-gs.age | Bin 343 -> 343 bytes secrets/gorgon-backup-passphrase.age | Bin 372 -> 372 bytes secrets/gorgon-backup-ssh-key.age | Bin 721 -> 721 bytes secrets/hydra-github-authorization.age | Bin 426 -> 426 bytes secrets/ifrit-backup-passphrase.age | 12 ++++++------ secrets/ifrit-backup-ssh-key.age | Bin 733 -> 733 bytes secrets/initrd-surgat-ssh_host_ed25519_key.age | Bin 721 -> 721 bytes secrets/miniflux-admin-credentials.age | 13 ++++++------- secrets/ninurta-backup-passphrase.age | Bin 355 -> 355 bytes secrets/ninurta-backup-ssh-key.age | Bin 741 -> 741 bytes secrets/ninurta-initrd-ssh-key.age | Bin 721 -> 721 bytes secrets/paperless.age | Bin 355 -> 355 bytes secrets/pruflas-backup-passphrase.age | Bin 355 -> 355 bytes secrets/pruflas-backup-ssh-key.age | Bin 721 -> 721 bytes secrets/pruflas-wg-hydra-key.age | 13 +++++++------ secrets/pruflas-wg0-key.age | 13 ++++++------- secrets/pruflas-wg0-preshared-key.age | Bin 367 -> 367 bytes secrets/stolas-backup-passphrase.age | Bin 371 -> 371 bytes secrets/stolas-backup-ssh-key.age | Bin 721 -> 721 bytes secrets/surgat-backup-passphrase.age | 13 ++++++------- secrets/surgat-backup-ssh-key.age | Bin 721 -> 721 bytes secrets/surgat-ssh_host_ed25519_key.age | Bin 720 -> 720 bytes secrets/wg-privkey-vpn-dadada-li.age | Bin 367 -> 367 bytes 29 files changed, 43 insertions(+), 46 deletions(-) diff --git a/secrets/agares-backup-passphrase.age b/secrets/agares-backup-passphrase.age index 3139105..d710a45 100644 --- a/secrets/agares-backup-passphrase.age 
+++ b/secrets/agares-backup-passphrase.age @@ -1,8 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 L7f05w ZwPKXDj4QV+9GrvwgEI9vwhwwoHgZlnveG5GwpyeAQ0 -f4iPzhbR2HCeAQ8cUDUqcYmVPoQ9vKMvkFQyVo1T/Qo --> ssh-ed25519 Otklkw 3y/RbwOR4wv6Iwq9+jMSZ1ntAD6G5jgeMx0PoBq3UwI -CyHATiRIbyj+yzVyhh8ccnL6j4I8BHhiBi8l3RV+mKs ---- 69+YwES2m/Lz68QMJTANOjgIPWmmjgFTrBGoEdHuaPY - -Lw ssh-ed25519 L7f05w Sof4o2JYLqx59paPpBJWFek1IwCHb4VhuOcPpBkut20 +QNsXS0H2z5NCnKcDuxDVvY+AnTV27/Ijeo/kd12nkoQ +-> ssh-ed25519 Otklkw WZt99A5jBrb7MNqzpCuGiJ8wJ/NxZrJE5Q02hvcVEVo +yYlAifPMGC01CGpke5ABasi/sJ8O4r3+5SyoVpbpmM4 +--- vIe/LRs2QxPpZJUrdOFuTBNanHcMyzh7iAFRalWd2dU ++]GHuUʈQ&3'Eg܃Z‘\~e) 1׻ya \ No newline at end of file 
diff --git a/secrets/agares-backup-ssh-key.age b/secrets/agares-backup-ssh-key.age index 67d570eccb08988e2411b3cc47f33ad972613d05..32c7885d624db13191978fe5165a23397a923261 100644 GIT binary patch delta 709 zcmaFL`jmBoPJNZJLAX(+mv>%xh>uIMxodb~Qk9dDad~D=WO`|Cc}7M+c5z;4iLr}Q zIag%3S5{nzw#MRb^JbPpU~+ew0Chae9P7p=WYhP^v*iRj`+%Yn8bp*O~aU zb)hfvdh3H1IXtQ;-ccShU&!+0f~(&;f22ls1(}OUq=lsSP5#NefTfb{f!7IN9+j^x zYO)i)Sou2cpZ}2I_Wb9M3JNN=#PZIW;hnp6!w(a~J@elx-RNDgLu!%o-qdd|Pq*($ zU-RJ9%pl$!Z}puEqVF*6Ve8l?a`MtN&MAxcUpc~d*tm*ayPj2d_b&BYW)iPH?OWb9 z|Mrw5TiJUjzMhmRjZZgZ?|71FcAo7nm)n)^Z3oY@J!vAG6l`| zU$h-v6Z3!9rjM*AVpdEL;E-_CN$P*TvgeXs^4;c8zlJH#8-Kptro#O?orBzcLxbneAqVoj7IbFOK&dhUhw=*%?sr~) z&uxHI>{iEOK_L%(VuBkI?G00s1ZjyMY`gMobr$xFCWXXL#Usd;azWlirGbgjW zKh!_})kTX72X1K!NFKZKF8!_-Yb9S^&rQjF&ji;Mzd92tbIvkoXZNbEs$Wk#?XFBI ziIv%q`uE}Gr1y!@K{GU&%qNR%I_ve-rRDzS7oTfh>)uK3K9IY^G-pc7{B?r;f2V(n PPQ0kBs@#|4Z@n1+MV3OK delta 709 zcmaFL`jmBoPQ9C#MOZ*esdj0hp>b4Rwz*lVi?OMDh`T|)Phw?Nptf_Wzjl70tATH3 zGFO>@V2MRxKyFy6QChL9wrhGuc%qq$d1^pqa#W?aWt3N8MNW2hx>0zP0hg|wLUD11 zZfc5=si~o*f`3VNPIkFMUaE1aV``~Wu5(&JW`>2nMSZx3L9({HpR;$apP5;DmT^*w zi-AkJpO--(mq}8pZ=t?hVWojciNMKemmks9? 
z{XGU+|LUumFW-IMdZKsE9^b5AQ=MkUEPJr0*|cfu70+vPLUm7NFZ&l2{vc*UcHWoM zokyQ~*d<-uUvN@C{zKjyS-Gy;KYC88v-90*>fW+Qn<1lc>-|4E&$T0-PW|)JFLqI8 z_si9b&$d?QUj5p_eCXDioEN(G(YG}7J=2$qXXHgMcsbiQwf=3S$5O*J1zDPb_VFg~ zYy>C2wtrvrG}L7Bh6{3&-M*Z#oIpFyfjU&^mOTPgERqWFT?&J`Md-n_q-yxl!J`p&b67semt zRT4W@|10+9eLQn@o9nSD^;1`CE6C0jk-xgL_j^pBNrWkT!-VTv z2SjaW9TK&Zcb~x(Y981veym&c{WTV$7~Xx>uIpm5A|k&F*{h{BJKmX-HNj4Os*;LF zdw$5W178lc{CxOq!xvlgm9k ssh-ed25519 L7f05w KLdcD878do/oYEztzNfCgKtfh4QCFmCMSZiapueB5Hg -wnSioiBtYXjASmU+6WUGn26ga6Q3REbFC7DxA29PQno --> ssh-ed25519 Otklkw WstJ3pNxaazVPxNjTx3NsXQFnW8sy51CYoB5WVxwHWo -YOmD3exRcPoNer1y7Me2t3nOtUY9Hc2Oywl5sXMlTWw ---- tCVr+COM2orioyWJZvvwbK4oTlRErsQLywIoCVGrO1Q -/a>0L|3`.@awG֗i}=KƮ$3?rtle ߩb}CqרUbc!P \ No newline at end of file +-> ssh-ed25519 L7f05w Nj0zjzK+5vf4YfUxLPNcBBY4ZC57tH9+rEVCv/ycNWo +5Sk99vaYclDFwTnVKB6IOcTVYJ3SGTuLVJxyjb1W4tM +-> ssh-ed25519 Otklkw ogKGpgcz0Gekw7p4LnmIKU2CEdhlkjypRGVZmFda8TI +nkOU/yc7F5BCBRakevYDXyD8akGqYwD67C+9VDxUgyE +--- zuz8UjdxI+CbMr33Z4P5ga1UoRe+oDXzVWgFUhUH1qE +b#sPDF%|Ul e9f_UZ5oeeK}M`aM!5R@j}~3ZҾ͒\ \ No newline at end of file 
diff --git a/secrets/ddns-credentials.age b/secrets/ddns-credentials.age index b306c21d933f5e38ebf3b7953e23b8ddca3f81f3..e749a1b3c4d67f7309b01e4da0d18d906eefa50f 100644 GIT binary patch delta 412 zcmcb_e2IC2PQ6=MWNMB{nU_zFv!lL~Pm)EINuXJYV^U#hYJpF_rFK@4en`HNSGlLN z373gaj)`Ykh_hd1Wny`xWv+j6s(+Y=er1?Zk#k5+vT1siWm!;Ac|~fGCzr0BLUD11 zZfc5=si~o*f|ps4e_6SLab#AcueoP=rdyzUkc(@EnVXYqzL9@!s&}A8rlV7YkwtNO zcA`l{er{MgS5R(BV2Zz4hEs;CYgL6`Mv05FOJSZ_s!2#iUS?FFf3{&(dXZB^h;u>y z#E;_jshOE(5hmFg&VH4imJzO%M*3CWWte<{-MVH5r!G1hQ4VQW`&03+T|tgK|Ueg#^DB$23eMYT+6I?Es5&Sy0A^-K3Cnl z*76-!cd>nXasSi3avsmm%OY3ZeQ@uOa@O=xy|$Dop7R60-iu|G`@hxa@Z*WvPdK=y I1*R(l0JM&j;s5{u delta 412 zcmcb_e2IC2PJLpLTY$E!qkd*aMX6C`T2Pf)dX{flvPrgOR#AqTwsxssQIKa!VP=wX zAeUi)v7v>fYne%^M^2eXxqDhcPF00vx@T0erBhNtSWrodk5i;cs8MFRE0?aFLUD11 zZfc5=si~o*f|ps4e_6RgW?6)Dc0h4%pixjxVOWxDq??~vQBt;HSX78nn5V0&eyM+C zPGWIMszpUPSE+Mil4DwgrKeLwTCSIuX^^&2M5Sd(RBoVlo^yIZmXlwEwxxfnzE_3o z#E;_jIr>?_!Nz%+u8H1Z`9}V3C5CR{Zfg?DOlj)#|5M81okOR}MH zIah92Vw!fSlar5GVxWgjNkLMTQ>CdzQGHs3OJrqYdPY^Gsc}_CNJ)6M zr%6^)rn8YNSCna*n?ZzGxnWj;d03QtUSd^5XpwWekyn7RWpF@JNu+a_k8ze~Xs&ZM zm#(g^Lbj`^kxxiKR%n)IXjyT&Nl|f5QC3EBM3}R7L0WQ@QMRdten3z~R!C+b*PC0B zCY+nM@A4^fJ2<=ftXBG|vy7~>|EGA)K5z)ap|G;-oF3bl2FtC1E 
diff --git a/secrets/etc-ppp-telekom-secret.age b/secrets/etc-ppp-telekom-secret.age index e3ea72bcf1757feb3e73b5893be562449a0ba3f9..ece12f8c5e37605e00319fd5a82aad16c3ab9131 100644 GIT binary patch delta 335 zcmeyw^oePLPJMD!MnQg9d5N~RX_S+Hc&=MeQl+WCadBj5q(OM3No821Sz)nDv5$7R z1y{PKzQ3V!RkD+NVqRc?zq@vxw{~8zc4b9~d4)-SMu~f_Q@N2*m1$X2D3`9CLUD11 zZfc5=si~o*f`3VNPIkG1Ym~EFYMPUqVSsl;MwnrMYrSVya#ntJxJN~nS-zu*S(&zR zSW={OhC!eSSDtsVd0>9Be@c#LQhsD&Nu*mzo`rUSyLXsZQgV_{Np4Y!lc7tpL5Za+ zm#(g^LPe=xhKXU3Uy8nmp`VGidqt^1iBn~imw!Z>er0lsd3btYRz+rcnx{uO*W1Z^ zmhRYa%gw`)>*?p((+QG)D{7B!o4<^e;SZm7%cgHOYg&2E{SErJ&!f)K^RU}|s{o0- jUAY{mKA-XGcb~WWbo1YD1|bI)bxeQyRj%Yp&a&?S%yEBV delta 335 zcmeyw^oePLPJNb%cZExoerA=0muYE=dx&RlhMS3}MS7}JSZTOvXh~I6phDwwY^gIhU@TLUD11 zZfc5=si~o*f`3VNPIkFMMS6y7x^roMsaIZ_Ur~}*R=u%PVN_PJwwqg(U%7dDet3$7 zON3vdZ@yzXS9xA(gr}o_WpZU!c%Z9!PV5p^UWL0n| zm#(g^f~QAdVO2m#uvbY)mW72^SWr=fPld5(q<*q@m}^mKNkK`be|d0FT3NCQmxPVE zscm)MYmcqxT8>>;NxXJK%W!q(dc%3j%PxJq5n!QyPvWL!g3pXi=D*(Cvwp2LTW`80 iOfEP!<>~J1N$KHlJTwB*{`L#LtJeB<^tDb>BL@JHy?XEf diff --git a/secrets/gorgon-backup-passphrase-gs.age b/secrets/gorgon-backup-passphrase-gs.age index 1ee5a873d11148b47401d58a3c9e52d3d6807191..416b011d4f1dc17d3442427c915332a46414e481 100644 GIT binary patch delta 308 zcmcc4be(B}PJOvgs-JnTfv3BRf3{;uiE(P6VWEq8vA(aLS+<{VmcEmISiV7&x4%n> z0atmbr%$}hUlvkRwS*E9ZXjFhnR=R$v zZ<=d%s%1nmSEx&gr&(^2eql&zT47~TMMRKec2;NqBa8NN8bhMP;Nb*P7Xz zGkC&Z&eQegDORj9J__mVpt5AMIY`#>&Ey6^?ZCk?3=Hl0`G9$odADxcEua^Lqo G@+ttG3vY7( delta 308 zcmcc4be(B}PJO0-Zf06(fPaLAV_;O0K~}n1d1QErWoThoVNsQ(fxe@8c2z`rZbVp4 zGM87FQFw^9xtYE}mXoEIM^>(jdyrX_dx(i?Sbng%iEDv(N};!*iEo-?D3`9CLUD11 zZfc5=si~o*f`3VNPIkG1r=eedriq7VX{t$ipr=J)X?&lbH$~8ot3E(4FWDZ{`@-N5;@u3 Go(BLkKWhsB 
diff --git a/secrets/gorgon-backup-passphrase.age b/secrets/gorgon-backup-passphrase.age index ec7c98de8197f0e8e9264bbccba84a026c167fae..68cc452398bcf4e902958dac2ed5dac0e77bad15 100644 GIT binary patch delta 337 zcmeyu^o41HPJOUpU{S-q2UR*{EyWum@$T2N+)cR;CE zo|mhsx36n4SGbo+Vqv~-szp$VnMHC)WmdAGYl($len4V=u1i>Cwr_DjYI=E*Z1 zm#(g^LV$^BNnufiQ@XcVu5(CmW}dG{Sz%(OX_B!?Mp=n}lz(wrfL}_nlVwsmSKo`U z50a-GIJ|r~B_4Pc&KF#ne&pGa<1ec(cvk4dpKFkj;**!0dX=?v%GV?V`DdIA`eh&g k+5WUUTu`?y%d72_(BTa#Q@%3HoS7EJryk{9cdX$X03}v?B>(^b delta 337 zcmeyu^o41HPQ6oJnPFvddP=fOVr9N}W|l#+VS$rzv5}{CfmuMYWwC)-u#>)@Q%PWW zAXmD1kwJ(@L0O2gdyal(Mp|iVR%v=!S*dGPQjTSLX+d#nU}>_pTb5acE0?aFLUD11 zZfc5=si~o*f`3VNPIkFMXi2`gS#g$&cTs^yo^zUqWqr9%VrfK#c}A95YIt^LsZl|( zv2l)9Ns^-pmyvm8saaZ-t6OBcQDK=|NkExvkV|NRPne&hzjOq8ws~=YV^~qJiC1P;q=9pxNma00HkYoQLUD11 zZfc5=si~o*f`3VNPIkFMNL5~uxxR;UQASBnd3c&jaeZW|rE6iRN3pR{ahAEZX`YF( zc6y|bqh+`+SC+QBQ+P#0esR8+W1xAVOQnUIf22=Hib=AGL1w6FT3VI6b5)6Fij!qB zm#(g^Lb`!|qLX)pOHfF9zHf54NnWC9x=Bh!l0~^^WSXyUa)6t6szsu6v5&JS*W=hr z-xjgvm)6(5=g{I?nio}FZg}R?oeaLPx@Eop*QGMYlbFPWc`Xy|S3+(ev`TE!>lW z*flM>5~ebDZrt`u=lE*2t*md0-4=2``R2SYLHgUDg_bfu>UWf%o7AznvRqHfrJ;2} zNz$Fz;Od2vbCV@}_GfJSi}qaDy+LW}!&7UV9&GGhc6@1K+3(2) zJ~w=>J6!uZ-|7vA^X}Q@?!ogdwycOw}QJ zF0=1foO~S0Z{BI4rM|!_WzF9!yMAsi6*)F_uE5U~8MD)~Ub-J>4Smrfqc73=->r<8o_q!YUcUv-89d+EV!+9@9LpZMr0K?QN)c^nh delta 689 zcmcb}dXaU4PJK>6uy$~;V}-wqg;9P;X=+G7QlW=uo|loCmzQH0lY5F^c6wx>yK|+l zucxJNWo~FOSEfObqeZg0cAXuiXe}0|o(b5%97u`J`*t%FpLRoS9 zWAC4}iZ^C!Z)>Q{*UAa}JA3+?3ufGFTqXJ~Sq)Fid@LzYs=w!&aHVjqbo|q&FXTBo z|0;-XZ*!Nspj&LaZWHU$9R06{-pq9K0-=)2F#VeTV2(@o!@*c zX7<|Cn?vp!Sw_fQKAz_`C+NJF*V5%lcl7>02$gaFC?0CJWx{6PnVt=qYqc~xo32F& zN~ksZ&SjfYH(@8^nk7@~FWr)9xye3RV~T#t(^Sz{p$y+ltFEtnRw}3YblcsNKkpjy z|6qL=eBCAE;^}3gJ^MQT%n=newCLNO7^W8?+R^+W?3TC5qJQ@f@XopB`{3gV^U_eR z8NrbX r-`#`@Rd;Xf*`~qqZ1XSe**B~kr_B4bO0f0n{c`ovmW++t%;HJ`!h|XS 
diff --git a/secrets/hydra-github-authorization.age b/secrets/hydra-github-authorization.age index d61067028612eced2b1a26fe4c80f7ffb9c32234..ef32814975a317ef885fdd1114fe2d8f4e8a41c1 100644 GIT binary patch delta 392 zcmZ3*yoz~(PQ816YMMc~cR^95e@ddEc3{3^zOj>2nZKL1n|D#Tzh#z-f2L2MhoyO5 zF_%YpzGp;-YOZ?>sRp^K-FNu^(2h(%^jNmXLGYo&>s1(&X!LUD11 zZfc5=si~o*f`3VNPIkG1Pi2O4c6Mm4nUhPpv$wBzQoWhKv2#d7MWl0fo}*`&evqqq zxq*dQrLVCCSFoR_Nv3guqfb_vw|7XCm%e_8tFfDxbGo}%etN30VW_J|zDs_wvu~aW zm#(g^LWH@gVXC>aOQl(Xk#m4=q<3JNw~4oQfq8zIkCS_ahjUJZyHA8yuyc?J*Sh}s z*KP9kF4wP0&8c}KT*}b$_r(cCW|OX`OZ;bDD4bUlq_D*9!2Yy=Z@v=9EUz93L= zGqmO4i|^qZ!W`22^%pR=TVLI_vPCW;@z}5Ox65;~7SztaI5$G6h~L9a-Sg@-?&#$& qOgU!0-x0p5e?hUOxP5R~Ovm+wr<44mmbeJHGQE`k(9|EpC;KoI+w1ULUD11 zZfc5=si~o*f`3VNPIkFMdTN!KMM`d>xo=>gQMjXbMtzB;dt!E$afFXiacY!%X>m|- za(Pi!a*A6ySGG@8a9UEPu}4^WvAMHTfrq(aVp3?TzNcqNVzzsfQMh@Pdxm*vT4k~$ zm#(g^f?=wUi;rulrLmiSYCj>Yfh3=vO#$$*B7_) z<*LFia`oX)>P~K~yw2gER(;~^hxBd7vr9Hvuw3yw?OUi{>|~|6R4cKq=KP|sEC%W} zHkM8z=@WK;m*TA|iTw1AXHtON#)7|PPgYiG@$A1nc|TK~+3^L>4%gmpRC(Mjdb3*B ptXb63ocl>tvCX3daW diff --git a/secrets/ifrit-backup-passphrase.age b/secrets/ifrit-backup-passphrase.age index d908a11..b4e55eb 100644 --- a/secrets/ifrit-backup-passphrase.age +++ b/secrets/ifrit-backup-passphrase.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 yMjj5g JOFZJRGtrC1G4btVZ/D/XiKqwqSrpQpOiI6UdfFE+no -1GBByaq2ojp2Xm+FNsIXm3iNcd8BCIo6uBThZEne8/E --> ssh-ed25519 Otklkw Otqt6BlhQSzreJy5NlCTo/9at9stWnlVN73zNi0xVW8 -5aUfPsoYZEgc8PJXd41wtpeETCTe0LtGPxqAm15Pg90 ---- h2S6vdReOwpqA/C3kr3rnuSeaWKr+3Nvc0vQ53WVNHA -*O%C\[+Vz/GB e3]< *kO?1\i%j \ No newline at end of file +-> ssh-ed25519 yMjj5g pE3otZ4+5k1GxhoU7FocCMvcHZ9PFzTRqRYiVXXq/H4 +aKCBiwVwbfetSTRaTJ31iTRsvNnbm2JYFQnqTOgCyOA +-> ssh-ed25519 Otklkw jn4ZUyWFIeAt+XpxmlqckovK4/jit6SR+Xaouv7gfTU +8yJLyWHk1m9KInOWozqRWXi3kiirgQ7c/ONOwgHk/Z8 +--- 8TS+ZFZfHvgcgOYBE3nzSxbCCmCOtqPWyldlegSu6QU +:{ 4~NtXRl =>$8DQ @G1FAOtΫ \ No newline at end of file 
diff --git a/secrets/ifrit-backup-ssh-key.age b/secrets/ifrit-backup-ssh-key.age index d7059202b2de26c9d7b6c2c4eb86f181046ab2d3..9d2879cb605da0ab76611423aea197bf7358c368 100644 GIT binary patch delta 701 zcmcc1dY5&APQ67?xIsmpXJCbKN`Q~ElY6CGQet9Zl~Jm5M3F&hm|IeKiJwKfL1jp$ zFIQ!iNqA;*iMyMrNwTGDXjV>Mfv;C)T1iAkkz0;$N})+upkqj2Vw$gaD3`9CLUD11 zZfc5=si~o*f`3VNPIkFMnMHn)bCq{_R8p~5vPY^@S-roXak;ms<@X8|!C>eyiK5&Z8bC#?#Icxc{$ZgI`i?{pw%mIVZe4{9%REZMEGlMt;t`8WTj> z{(UsuT5#a1Oi}Jt{Y)=qpWtmZsSJ+mCrZ!CGv8SAW#2USvc*jY1E**@$gIDsx3%O@ zdhH0$v>qFs{IK>j@AY+J`&th!kTd-495~r)nd~T}`<;y0C%zCzz$o06t?F6-?LpOUua zd2<|Jy3Vab)ZuIs-vXZEh+H99ZtT5jEW`DbzC{;X9C z#eCMzV?VmKDEQIeMHl4S`t)*km{;4cD?jC@a4J?dZK1Q(xfRQHy)zUkdYOLuiB7B8 z+3#BnuDUFq|L}$I;^5?)tY?FF-ATMK-KYCi#N^a}=WF-8t0{SDAK|;3KirHzf7!`D zuO((KayzpwqE*`?_H4z1-tG<6jE-BkMc3`$XTEIZ`RGY;XaC+|d>(#*cS(Qk@3h)e E03m8H#Q*>R delta 701 zcmcc1dY5&APJL8SZen6km|4DYuBTCCy0LeFp}%*oOOd5{RC0M(ZiK5_d0u3pr9pVQ zCzq3lzfW>mR7RFdg@<>xV?nV=K(T3fl)s~)xrUq(){ zuXAp4m~&`8SGY$}ns<;xoc3VafG*Vky}NHb56ElrG>YPd9ik3PJzB7mzwRK z5UoBLk$Q9eic1Tw%;&$(&G0d@N0n9f+sgTS+}Og;31`mVdHR|QFY8m=oh-%PI~9wk z_ZF31`aP?;SH!WbE%LBzzU)=s>32d!o0My`>>XRSr?{sX#~7cKpT|41--p|&Vu#es zuVq*4d4KcD@wYE|!DsK!WzYO)E3-kJY6xH5Om_{jIoes7qgd+~p}+Gh2YGxHmkcuin=G$&`n zuFsD?R#|+UbM5aw5rtVog&8TQFDoAMSQS4{*Zq)d=H7pE3VSW4+?Osf@ANq)t#L={ zuE4BAVy=qObqX#=>yPN{lr&hg;L=a7z5fCQHy!bxcXgF`+NH|>w)4F#c1^ynWjIqQ z_3kNulLnEaD{dVY-@Z1=_p*@j(%l(t6V*L+ZhqWp`k#4GhUnYbt=i8+!RxZPOF`Stl%i+8fm?Rf3YwOYN{EGW-7`(>sy z*X2F0+V-~};s}0See)EHmDHUlC&lNj&1^rG`t8%TqrH09Z*A?qe11iFsYK!JeTD$m C8zNf( 
diff --git a/secrets/initrd-surgat-ssh_host_ed25519_key.age b/secrets/initrd-surgat-ssh_host_ed25519_key.age index ded499016d73087d35b30f46e0eeaf6d2caacc57..36c4b0c9e5804a35d70aed58a226074e53afc21c 100644 GIT binary patch delta 689 zcmcb}dXaU4PQ7bDp=*kdxxZhiv$t=QNq9!CIiA#8)iLriwo2iAjt3i}o zHkYw}L5hWktC?wbs*i6-n2EW+fpJkmrjK(~lt)r&hP$U>rJu8Fq-%&pGMBEMLUD11 zZfc5=si~o*f`3VNPIkG1QITdtpBNT5%$ zkDp!SH4L>dAN~xYF=h>q)S<0l5@UEQBYx(uVaQ`riWvgyFo^Ja%zxwN=kkx zm#(g^LU^T1VX?D|vtN*lMNXP|c~D|`M5(u*YekZgv!SuCiAQ0Ed!JmO;`N8z=t)2Dd{XhGbPn@pmI7yDh zbJBf|y!fpSSrabbt$OL|y(D~nY3dc;B!O|)xHT==tMUPpj^Ri#c`ug|1JQ0Srmpb+x+%5Xr z_sc)dowqi)<>{Y!x9vsrc{T3F(r|gc@Z!Tw8>h$w_02HM5Ie?x&twDcsVhqL5&bMEhdwf*#M#pj=nz2sVWl=HkpITn_s7LGT3*Pk$(!aYU3sNTi>cw@F!%d1Zk`X0dN@x|egH z1y@#7s;_66pHsPIYKgmfL9wr?i?OzQZjnK%Pei1vMR`taiwWMm3y!S zm#(g^LPcq^i-}{UX>ov2QdU*AMPinpNpgC)lYT~INt#KbQL(deh>?+3MU{mCmsrKz zC1+}i?$wt}?T(tUc;>c@>vofvZ``|_xJI;Z&5;*xC)R6K>VC|!EIqW={?nvt9urAL zqdUnzb?)7r$b8H6Xn0-8uX`HaZPV>ylb`2G-(ySN{9{U@Re{Zl9jokP9w*$9S!={A zd0lu%xRg2Hxzy5dQQ~Q&%WG61zEv$EwJ#&2tgO&FThWd-^5B7RR&Q`l~z+#C{ zW8h5ZjrLY^EV(>I#C18FcWrwi!_Sepey>@b4v%VE2G7pPc1hjaOZ2Yi=`B8W`n%3) ztKvH!eU9IVNb|Bu=B_+uW_8<&|N77Vqav?AGqX#l%({B@AJa_!d1s!a zaN0Az=!;*TsDv?JusSAJ-@4?ZkIYJ`N1K$Q?@8y#$KUa=DB2)Z%lF=R!-DBf+_zWV zo>J$r^OQjS%Nda$PAr|Yj_cI&O(&NsOz#tWJa^UprHA>d^ViC3t~1pPIrih$nqR*b z99n!VqF}~sO|cU`dlv;;W?Fr(iJx)!+v7Q<%1g?2?s#r9t=o;sFKpq=D-E_HTJKIe t?N=zCl ssh-ed25519 jUOjpw sM3nHEEUDrSNaDx2kl18pqwabNSVj4Jbl8DXRKpmhjc -pQDiAqXXAxheyYa14lEGmOFs0hrMgJgvU/ChpmZTNVY --> ssh-ed25519 Otklkw 4hsEjZuZu32qujYfjP6XXbeEqbQqkN0AgO2lM/hMomE -e4tcDQ1NSd78ob9QNKdOOcoov/xbW0DzvOKCkMGM3HM ---- 8H+daxTtO86AApWyBd18ju2Mwquc07I5vOH8Q8FVsmM -$0\eg؃#> l՞QQ [bu,Z5 - 8߃_Q+Y083ؠL*LK0 \ No newline at end of file +-> ssh-ed25519 jUOjpw 6ThewcuTvg2mn/jC1eqR0KFDXdN8G3JIUBLLiBabkFI +lstfGPvJgaUOp0jriP2nsi4IvgwRjs8dnRye7+ihD/Q +-> ssh-ed25519 Otklkw N0ozjfxbOBq7EIvxP4TRa2XyMQ8fINCiHjK0MFq2X0w +tEeua88G2aN6REaUN6xTlkRLy0GFgNfj7v0VXhqddc4 +--- 
N9V7UfSDvrOAeOr3MRXiCwIu8JJt3NSL3FrGyPapLrM +E"K?>VÄbXdg!ѹ) B f\=[2LxwXH*l9w \ No newline at end of file diff --git a/secrets/ninurta-backup-passphrase.age b/secrets/ninurta-backup-passphrase.age index 716f621b44bba11e2ab533e5f094e847f7b581f2..6b89f138fb608501c4fdcf85daeceed46688e0bb 100644 GIT binary patch delta 320 zcmaFN^q6UaPQ6Qxb5**ZdzqzUT1j4DZeek8UX)u@WR!1VR#=Lsc0rPJR<>)nk6DJ1 zD_4+{t8ZASsiRLyn07^4ezsYOrL(hBepZ@iMp95gV5WYRwz;KYfJbIxI+w1ULUD11 zZfc5=si~o*f`3VNPIkG1d2nE$zpHDmn_GFhNuZy73SAln7u0?2$lc%$9c0iGdL7`=Vd2W?^l#6zur=NC`hoec9x0hpDfn`}X zm#(g^LRgBgXSk(HlAC#QqLGV!qCuLYQ=mHk-aF$Hq|+_fak}>1*$&Efd|+B5wdVB?|eGWW|n?ccz~%_nyF8cSGH$qMuAb8PkB&Qxu1c#N1>Nbp|-w@1(&X!LUD11 zZfc5=si~o*f`3VNPIkG1d0|+Hp;1vBOK4^? zm#(g^LWZ+vo_1U9LsfLE>K6qwUY~L8t;JUcuHH?p z{IBl*?D(xMA0j{d=Zt6b!uIqX{9JVK|D#^v8|!8*VVYL&+g05fW^lN3iGD z3kt@yi|)AEx7j#DAYb-p_}^cwzXSOD7Ccr-ylTGv%!ic|3`}{BTv@biqo7P8w-SS~ z)wB0q85R0vSrV4g5v+Cf_G{ycnAa(bbZ1_FH%H}ElIV;OrpvD4ruQ@UCTdQ$6tEAm z{j}9-!_nw#-!9B#P@eF%ZRO;{j|{h0q+6^?(b72M!tlj#qxrONib-48`)XYtX6%Yz z(V@9qOqloM6qj@bH^ewxfZZTP2o9ulIKkZM{>|=7eldSUr(Iq Na_3mR;%PU>M*yPyHAVmc delta 709 zcmaFL`jmBoPJOAjpP7GET8>e&iAzw9pQ%@2cBn~6PNjEckbZemYJNs!xvRN_Q*o4Y zI#;lMq;p`JSE;MNxr@HGpG97|Yni`6riFn|uBTT>qEVVuR(HTR(N2EXI^q~aB-Dyp-*`} zm#(g^Lb{28QL>SbdxUAOc0^fOzO$F9k%6OsfO)=lPH4VkU|4dLTUn}SqGh%LSClO` z$E0eGkb3d-uwU1>cV(SnUU&Y1O!)eRv)-;YJE0+vd*kC`yLZPvww|t=_C0Yz&xiDa z>$a;8Wi_mSd%yFoRfcNEls#Ej_TF8)OlyAGjhxKw;py8J`s8hKn#}V?%)z;Ep z8ohjvSM2vY`=UO&yVUHHa#4%cFY{7fKlz5}_SChwCA~X; zGTBP%^ofs)PN#i8q28|BS+Qc-WGmiFHX#kaoG#=)nX>20e8%GsAI`B@=e6wQpZ_P0 z#ynHLH|Ijp%G28>tPo{VwObU}7pKWNq-G5z&WS@ 
diff --git a/secrets/ninurta-initrd-ssh-key.age b/secrets/ninurta-initrd-ssh-key.age index 9558a151ac2ff36e9f70a61c466dd8ae766fab61..bdb981ffd84a56374217dabc719fb9317f016f69 100644 GIT binary patch delta 689 zcmcb}dXaU4PQ6KaPHKu-MWTD9OOCUJQ&?$wTCzn%MU-=4S(ZtFe{eyGXJ~Mlms?^; zIhSWhfO&GFw~N1TlwWX4sGmWiW1^E=qIZs~nMIyYrCC)*c(7+mah|bXHkYoQLUD11 zZfc5=si~o*f`3VNPIkG1aaxH_RY_K$U#VMFPI_{2a(zTaQblF5L0MRtk4u$%nuTMs ze|mnIZ$+Rlm#KeLNQ8eyP?^7JahQRpSwT@^VquD3j<$tqm8WZEn2C>{TWDs!g;7R2 zm#(g^LT+TKNmN#`r-?^yxqeltQ?W}~N=3Pset3F8NRoSUs(-LcVp@KBR7FuJ*S0HD zQe*#zeym^87_Jd}qNn_`g!8wmk_^X3F}AyerWMSnzOkp8qhF!g`gEW5PBWPWi{|~C zxXC8yam`Tg$#EJSO;^73DSS$HtIH9CFwbP3N=>aF7q!2t zF|*G4A{l8mZ+fs1mqG(&` z7sa2U3>Eli;;WDWu_x{b;0Fbf4(16GY@z@TcoM|^2_zbOx1VXZq1hc zQkc_or}mC~?ds){e}k0&oyoV{3u?(qnI@SkjuqWxmmd zCs$Z-PNadiL12nOm~*hZXOW>xsds3qVOC&}nU{x2im^v{g?o5jwrNFqD3`9CLUD11 zZfc5=si~o*f`3VNPIkG1k&#b$aH?0bMWvBpeo#ezPJOmdd4{8jetuL{kbY5yOL{?B zZlQjKX-;K6SCK_&N`SvhvQc40fM0fGx}$GSv2kI#S8|qqYGJm4iEnV8c3Eh?TV#>} zm#(g^LS}kyM52*}zGZrjS+Q|IPDWHfVybVlcX3!+PI_*7a0 zuaj@T@LpHU+-@^t=7gZWl_F0z)oiFykoX~A@ncfzeKN#$Opp7g0 z!MDGsx+q%)#e)E$Nooq`*~fjNft@?ewDFmO8N2`R?Cn5H@^O> zuV`)`|CMDoyfxoEQcddGQU7$){o9u&=r&!<4lVn5{;RO_J%c|lc3fuoq-b@%>-ioR z|LuQ`(~g&&lN0h=5TR_i^Yp8|X4`r-|JjQdM=`eczkQmKKD+s zch0KnfDqq9F_KzM`|p35pHv-T@apCD^amd|>3$B=p6jV_^ui+5Wg4|_C*~dZ)9PHl uxQVG0)GkUsTW;5q=XSU6Dt 
diff --git a/secrets/paperless.age b/secrets/paperless.age index 9de2ffe698260b627b099c0e0b0217880ff6afaa..318a9f94cd6d1ffcfb7acf155c6c3b114041f4c3 100644 GIT binary patch delta 327 zcmaFN^q6UaYJIquv#*Pzf}e|%c9da8LAi%cadC!jYKoDmsiCEUe@S*ucDX{Ok8f~VW=UF7M7_U7VNhYBSGjjZg_%W=fuom4 zaY#|BK}3$9QATNLN_ZrfS7d&=dr7E)k553dSAm~pet529psRs*WwudehF@+)QCND0 zftRmaL53@ruCA^^fqR94MOKDIq?fZxs%u%Md1h3iSwTcmPIUwVkIWpnT;8Rz&dOXSALi~KpBPi!_xN!w+wAx{ ZtCfH4zO8V7(jaxn@B3SaTi(*lH2{c4b^rhX delta 327 zcmaFN^q6UaYP~_Ce_~R)LX<~wUX?*ad6A=WnR#hawr5bLX-QUPsGEC~xnHGwQG}a| zXH=55e_*Hym#aajMM-#|fq%JcmP?XZa6n|1iCcadC!jYKoDmsiCEUe@S*ucDX{bg_*BeTBL83TfJdLScI>6T1kqjcD7k~g;$Vo zg?T`#iE)8*QIKgwV1_G~r+Z#XZkV~FnYUYoi&w6txuK&+P@qACtA4qAa9%-_xptCM za7C$Kut_MFuCA^^ra@Rva-?T|ewu%li+)~aQDjI)x?hS#kylVvdPuT%fkBpwlXg|5 zX=x}|gG1m6g_?8Pa>Y;0s(-C0?+aP>yy3Y48~b%5ZS57elvnO4Ui5d@spAvu7)ryG a{${Z~+Rb-w;@Rj!YHJ(~(vSab{t5uAGX5pve`ToX>0C{PB?~?fd`Kdn1olSn+h5MVE?{t{=;>6S8AvU$@qMOGVnz T&l#dWzUDrO@N!R$S6~4EpCNPe delta 320 zcmaFN^q6UaPJLO4tEE@6ce;6AfJKIl1hDSwIMTWUy zGM9;SSYl9Mig%)SVpU2}ZlZQ%p;?YchFh3dP)3D$uBCTml#_p|QI?xmB$uw8LUD11 zZfc5=si~o*f`3VNPIkG1tFv25q<>LRMwUlrqF;tvc70ZfOKO&@b6Rd@NN8oEe_lzB zxpufyW^uSLmtlo(POf)Bl8;xozFVnDSfHPCmcBtmN_M4tenD|YP=-ZTnWIlcWJG2$ zm#(g^f>CyMfth7meppqcYe__^XL_Kkk*Rl}Q&?r9Q-ObefvJCauB($vlwXl6SL1Od z!-wls0xbJBbp-}-F?n`pBxkplnf>^(o=tbcDUKsYqE5-mSAAeR-C3Nh&F}X26!YtQ SU-lefxYkuEyX1$8nLhx9rE=T= 
diff --git a/secrets/pruflas-backup-ssh-key.age b/secrets/pruflas-backup-ssh-key.age index 0fcacff217b502d9ca98d0254223018dbd665815..57e57c899c5451bced9ccbc208933dbc1053b44f 100644 GIT binary patch delta 689 zcmcb}dXaU4PJNWNYejINvwmTwepyaJ`XdRi=+&a*#)cNuhRWTAHVc zZ-rrCc44^*SE)r-Q9x;OYI>!=V|J8&dZ~|#Uw&#xv9FPSaiB$Bp|(e)L9wxUx@TB9 zm#(g^LVmHKbAGl(a8X5el}SOMb83#Ud8(_4pJ$MhcAAr`o0+zcMVgVhr(=>Q*R#Hb z=g%|quC4#9#@%atL$Q4E>U|c^=0)FozD2s`#Ak`EKR(;BJ(iyE|GSXRA1BMJq6c3| zh@Lq7=|$+~3daN4wFkPwrhb&ueyDQxT)XkJW8rx@C--sgWdBtC;h^+8T^?n&wVu&Q z29uuc)Y*PDx*+D!(?<=}KO3~ZF-Ly;f4QUZcGZsmg3?n?Zmjyl#=efJwJIB?hK4VRtN zt4)t?=cJ0}uZ(T+eX_~>LH&{LwEQzmmfun8tqZLTJ{tQk_phn}r>BRVf@t}>h@YWd zSNdlhI`Ca(Vfx$mw^Cg;OxP05xA|w=XPsp?C$xPmZw}Vpb>n$Vh2VyNCL#}Q@8+~` zI_Rn;^+tK=fH1m0`bp;n0QiA5DgXcg delta 689 zcmcb}dXaU4PQ6i?ud!#AcTq%vS3zQ+iFUGuzf*ZhaG9^ClRu0L~>D-MM-X1a!PJqma}VyE0?aFLUD11 zZfc5=si~o*f`3VNPIkG1wvk_QNqSOMVW_J|S!!rdaD8f2c(#W}aBzyRp{09CnNw1z zdzxEnMWkCcSBY0}qNho2R77xIu)l|qzLR#IWu$LNn3J)wrB9WUhl_q{dWvDHTVhc; zm#(g^LWG;MxoeVPuBBm~XH;cGNr-DsWLR=yKuB_8ig{vjW^!6;p?+X+nO}(sm#*IT zBiYKLef10${jC4iSbr6~@_+vFTUVdNpLqN9kLO+JTA z6Bg%3JnB`-dh(;#fXia#s}-U4B8OQ^*V%W4o>>3jbn(1jVf9`CW;_PFo-NoBAmKeh zOCYwn_pwfhBgrrzf}EXn>v&1UugNrO)k$jf4+a~X&Ep6U0YN;uWfN;xG%_aO=gZRqn0ys zn9&3K0e z|1{T1h)0yAF1-7z%k^zT&2Q_CUS>7x4=xXBeej^W;Z?JFS+(eNg@z>pQ@r@rZfTx< zKd>WMuJKx2ROLs>gAJea4o}^tm(f05^{UV^qpwq$*BPB$_ON$vMXgD%Kl^(vpO@1< t%kJE@bGo%-?4=VD2mF;J%QQ?X4I&T7&iK?lj$=ROZM21OSh;E%*Qc diff --git a/secrets/pruflas-wg-hydra-key.age b/secrets/pruflas-wg-hydra-key.age index 5695f54..7c1333d 100644 --- a/secrets/pruflas-wg-hydra-key.age +++ b/secrets/pruflas-wg-hydra-key.age 
@@ -1,7 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 J6ROvw sdxptJei78Xi7oBXqh5H5bJva0O017mkVGz343VUxjA -NFz8JLnOX8qR6uQPb51PzxYGfg3AW+0nJvO4Ex2/N9M --> ssh-ed25519 Otklkw nyXNF0WhpAk6mezLPiQpdFQbSHqHVm9oXxQSaADfVzo -Ati1jXx0dPQn7jnq6Ol73yKpy90iBlgtoWlXimbbq0s ---- RI/9aP5kvkJVacr5IAx5QCBGR+rLg8f8FybfZ2uGtd8 -ƛ'~ޯ~ dVEMHnmURL\@84% ;R[+g0׮SY \ No newline at end of file +-> ssh-ed25519 J6ROvw xzey0OqH2HSPLdz9sUHX2d9Xb3j/xnvuz0ekjE5MGh8 +cvfzziAX7cVSJAwRr0Avxeaa5ogXhMxz4c6EcpyIrMM +-> ssh-ed25519 Otklkw qlfHwO86ojlvmdfLHtuZwvpIDCxAFgnOQ4tvsz7VTiI +3eVexGX09ALqANLrZm/3WvzZTIhEs/hWLpvYR5oQFYE +--- /+Xv0iaeal+E0g5+Fphqw260kmzHE/BEWA9UWZqkxpM +Q$ +'HQ6E%&҉>0e[Gbg5@oy~ V`yFu~< \ No newline at end of file diff --git a/secrets/pruflas-wg0-key.age b/secrets/pruflas-wg0-key.age index 56c3796..1312de7 100644 --- a/secrets/pruflas-wg0-key.age +++ b/secrets/pruflas-wg0-key.age @@ -1,8 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 J6ROvw JrDRK2NkcPjUf7Owco978Saj3FlPGLL9RcOW3aSB7Hs -o/WPV/rBvvc89c5qln+XLVslVed65EGZOkQoYeGgvpQ --> ssh-ed25519 Otklkw fvLeR4YnqmXYGu8krDmCGDLa0Xh+X+HpCTcqodxOtEA -L304iO2/Xq5TJ3Ui8F3EIR0mXVRmAMAleGexBxWoJN8 ---- B71HeCVbIOOnvWXWwMSk0A19qnsE31Lo36lKOkXLQhI -%>TsS(pfAT+ $ R_(NN1xL7F^V -opSj \ No newline at end of file +-> ssh-ed25519 J6ROvw jC7rwmoizfZqenUwlrMlLRyN9yQnog2X3KIJ2GgRZB8 +yGoiZTNfrPm6+fb1BcZGH6Lzm8Pj4aeyjWtLNYbGSFg +-> ssh-ed25519 Otklkw a2/N7JOiOY/orGyCogBIj48EjTltThv7AAHuMHK7Xzo +PTP9vaEpFf7PXoRobHJgAkNVBh+u3+7rUMKiMj+fadQ +--- KR51LRGHd6jWP4rUWvQqXskwEGfxb0tSCNKtnFT255A +Gw)HkG F&e[{RGh"L{\{H~{.uWMaZ \ No newline at end of file 
diff --git a/secrets/pruflas-wg0-preshared-key.age b/secrets/pruflas-wg0-preshared-key.age index c9fc294bd7ebb3f8c6d5409272dd820703c4ca27..94f9a881e2cfc98cacc143846c7cc7682de7fb34 100644 GIT binary patch delta 332 zcmaFQ^qy&gPQANuWl=zAc5Y>`OO#`lQB{FsYEe#Qfon=}X=#*yN>ODf*VmgT z?4EUXO1rkV$RAzvN0YucxI-%Pz%Q5mgq^Z(fy-{NdEw62*= fD!b2{E%~JBUrnWC!w%1<&5z{kTQojim>&WF>K}S% delta 332 zcmaFQ^qy&gPQ7z+Ribv0dtgOmsEb>fyK7{wVOn@Zc#^44mQQ+Ku8DzLgjrUmMP_h$ zHkVnrlfPkkqKAh^NwA4mgrjG8WvXL(PGVM6xU*%DlY6F*NwGzii;;P@374*&LUD11 zZfc5=si~o*f`3VNPIkFML}&KGKpVz-r|qT{~sOoO)yW;lC=r|xuA9T 
diff --git a/secrets/stolas-backup-passphrase.age b/secrets/stolas-backup-passphrase.age index ab532e3730c4fd6e5087d85a64162bed8169f69f..4b4a687efc68ccff5d2228c8e42b3e7b9ebcdecf 100644 GIT binary patch delta 336 zcmey&^qFabPQ6Efd6}grQlsnQwY%kej2qt6NrJq+xPI zIhU(pQmT=;g`;n2Sz1ViQ%Z`LfmcRkQe=^Lae7&5L{wNnS+J+OlV5?Q0hg|wLUD11 zZfc5=si~o*f`3VNPIkG1qpw9$l5duNsAaO7g`akqOMPN#P-u3UscV>Pd1bhJUXp=N zT7H#FabZs!6Jag}$M0RaCZns((d6n6GzIfWApN zm#(g^g0`D}fN#2SP^nL1ly;JTQHWc1Nw8;8XktlfR7y&KXJUk@OHhPciletHm;6sCm6Hud!F;4n@3AmmKz4C)L`qeN zCznNOQLsz8M_|5NYKp&Qo}0OmbD(dwmv@0%Zm6+Ql5dh8My|VwWs{Y1UuqQzpd|QyoMfEV{#@CiHHdQ=~%XlP&XqMowgr6E^$UA(wx2 z$&H7+vp-4i2yYO+{eSPriB_Gv?b;R?-JSe!%C3aFMv>Fjgx$F%nDOQ7vbc%Mf3h-d zoqM6ZwVksfX5(Rlt&WpS7VbE}Zu@Hcx~FRET$Zsr^RExx=3Rg7S8keROUXXl+>bl@ z3@)AutbOJ--*jnVz~36)h4&TDJQ6iI75KN4#m00&xq$MHM>Ud@YdJF`Wdy@&zoj=a zANUcXc$aC}ymcH8Ps8ZpdDl|XnVy?@c zf}4*89;9X*yq%!_zueg6@2a;s43Wajl?%e-O>~0)#B7^%p>~?by~~dU)@yZVg#U51 rmdoYat?};3|1Xs-5409{xMxL~ zYkEm$sd;uXS9V!chNEeUM{1cxWu$+YZ$(nMzF}3iUr>ahw{e(PM3u9LiN0f4sd=y~ zm#(g^LXd~POJbEpse8Ibm}{PSerSbXs)0+XevylFg=dJrX_mHUlv{>DfTf=+S9lHU zA+76r(e;(fo*H>}^W0SX(LHHt`Ldeer2^B3gz6k=YMEiVzz&?s=#93PXV5;HJMIx{zZP3Fg|ttgRPCI^!|WZbHd|Xwff%A z^ffzpy!vs6A2UO82dA-F_qUUNCtUu8>+~M9Rn|-DajMbj(qFAt!}`$oGRMqNk$2V? zH@rNi@}gT+a&^Eamik}kO@e!Sl&kr8a^gcD=axx&Z0v1*`ToSgE$g4}dlb-DZNL{(zKyR$ZLyXJPa0!l ssh-ed25519 jUOjpw hXl01CaHYYlY/orHilx2gv0Fyh1eMXgN1NBzV1vSw1g -B35trnqYoFwg0xhw/QPw56N4VjxMyQAlNGyRFKdHfKE --> ssh-ed25519 Otklkw SRtMspvRR63U17LRd2aqU0m6f5bnpY7kaUl9uP94hhk -e3XD/s3fY78uxzA7YVs4F4LBFYJOIHZ28Odnnj8Zeac ---- eVNBDHFoU3kBN+SE1osblaJ0yWTv1ZOjJEXKtsI8054 - u'~ʕv'V}nfuE.JͥhxI ^X7Y -E74 \ No newline at end of file +-> ssh-ed25519 jUOjpw FXHC9VzSKIkbJ9JVge5vsGHiGtxBnxB7Nvqqi4OsRHA +1zhd0kCd37fXmWtq9kRx1vQvjTT4i5HsQ9DibyGmNUI +-> ssh-ed25519 Otklkw ZKy9Vbf1W1UpejNy8nh+eGss19XLqJuHL6qJuG1KP20 +t5C0Jw//1vK5iiG3+tJK6bu/SBR7StHRDog9ivlfVAI +--- 08Q8bBFnJF2TFV62trgPig/VL3RwKN0dyw4PBgg5LDU +F` 4tۭ ٧o9~}ق)7#a/W\;l2Рl \ No newline at end of file 
diff --git a/secrets/surgat-backup-ssh-key.age b/secrets/surgat-backup-ssh-key.age index 37cb2a54f553d7c132c2a7b6ed743af2d384fff9..2abfeacb6afea853c955f0b51900d3245325554a 100644 GIT binary patch delta 689 zcmcb}dXaU4PJN}RMU-iZsgpr!n1NT2bB?E1W|>=dsAEoPUV*n^X_;}9ep*<0x_+KV zHdk_mQ<8apVv4zUig{phqFaz_WtM+hl5>z#j)}LnWnf{FMNvwLN4d6sGMBEMLUD11 zZfc5=si~o*f`3VNPIkG1qoajuws)zQkz=BNR!XpOQN3S&v1OQ1nM-1S42cmYOrTWxwcbqp;Nkfnwe2}WRgW_RC=USie+j+o{_$Xr+I}_fNOCi zm#(g^fw1qvt#&hy<{k*Lo zKCI*WE^<$~%l>o730>DGp8{hhzV*$#sN`&ZWw!l|D`h*4;)P;gHMS}GtWp>F`F=;Z z!OigI!nRLmykA>xh`hZuTI*unB86AG9~Q`OPWn{cm80abtv+n?7WG9r3?h7TjeirY z)syDSzC7EJoAUfxKy{VAy4-b>N6VFJlNi3Zs2Vx^yYi!E)$S|ZEH>%pd0$=Sx6aKh zx*Q>`CVM|xX3F`!qMQQZ{H?T&rNHi;{})Se*Ul+;|u zcJBdm7uVmnec4J4B{!^NCY+h%X|W(S)wuhTy_wAwi?ut_tfm!x|7Lt8z2u5rX70WQ z!JO$kv^Ra+`AuGJUbie?g|_>n?GKXcl58uPPu5K&011-SI)iA r@hz4s%20_fZRw6@%?nqgukK0IoNV&u_BHX=_urpPP~DbmdT{{&@RuxD delta 689 zcmcb}dXaU4PQ5`$l8K{vc(ReHg=ukyTY5mcXOLl@XP&!3ctv_hrmJaaX-<|=m8-L1 zBv)o)cu2WlsIg;UplMZ=QBGKXO1N2yk6B1~XkMmgdaz$XiIHKXx1oPZK9{bYLUD11 zZfc5=si~o*f`3VNPIkFMUZO=-fmx(mSdw?HVNhwYWqnmzcA}$KMrK4omak`ea;BwM zfoWlBKv+aFS42>1RdS@EepyaRL0W;UXOyQ)MRHhfW>$emR&Y*IM7VcQQn^KdS)p?= zm#(g^LSbHBnTKygcu0|#slTD6aYcZ$v!hFaf0m=8QFv0elShD~lV47GNLH>1*Quf& zjl;_h*4LNpSezmE+tMlj{!U5$_{J=)`7%=yofX2;`mI%pS1LS{yr|~TVBz>VwRqBu zHQe9#8co;Rbf!^*$LqxD?$vualJe5|oH={ZyyQW*NO?uiV zvVLtew^gr$uXNUwjT-M}`sr9It%$0WGM=*W(l^Vqhi)#r_)V$!w|I=>>#seRjTrh? zp6A%mwSSVtwm;9BpUZuzzw+Ur*&n-k8S|5BgO{|vlU({fC-KV8dxr`f_#2O$cw4sb z=HeAMoo?N2$#eW};rA~kew*5!cb1oL-Zh&2qMubd&+){@=khz;e=uK9xp3l>M;-IK zM*Yj``RwOjoZ4A^J!;GM6qeb{tD>zcG{1#@dAK`n{*j)WP5;?l3-adab$@Tydb(J` tzV&Cg>MWzztDnUN|Jc%`|J;gqWsv>#9OccbLSEMYg4MP@`n1TR2LLURGaLW_ 
diff --git a/secrets/surgat-ssh_host_ed25519_key.age b/secrets/surgat-ssh_host_ed25519_key.age index 1e58cc84eaa73f0283d0c1d349e6e0071802ed40..7400a57f293740d6889f74b8bb858d55bf1aac5c 100644 GIT binary patch delta 688 zcmcb>dVzICmqnDhS7b@9bCG$9uVZjwrGZa~tC_y3NkK?vZe+GuX;P87M|f1FacV&* zm#(g^LVmERrDsq?idVV0M_{N$PO^)oTWM-yS+ag*Vp(uuRDfepXpWg%kdcKiS7B@v zn?vx^)%AC-Ek5$=lB?#&-}w*k%Sl>#F`xN-iYmK*E%!>aq9Y-@o zw-kKMPM)B-+B}cfBEsOm%_HlUgWq;dWtL`re0_SM`R&Vs%<_Bk+$t7Z_{Gj!ci=6maZ&E(y8{=56K3prlvmQOF~ zeR7d;dD0h7;S&|0+a~bRqK}HA?a%+^%NlE%$I3W` qiNDHwXQx?p{uLYd61FXz`@#bYG-FTv5fedVzIvVVl7r@3iVB$uw8LUD11 zZfc5=si~o*f`3VNPIkG1Z?1DiihEUAMw*{tafwHTXT58cqiK{$K$wM7nQKmVWlo7x zzF%2{r&mZmmybnYV31{4Vp?dKiLbUtp?O3~gl~nmc9w;Ov$0WFk&$mohNWkAKw60b zm#(g^LS})Pxl?&nV4!byNMJy&zE4s`WO7PSSXfk+Ye8y+u}M}$KzX)%c)4*XmzrIy zDBJe;o9d@0iKH{Cf8tB35T9vTBl~Ut?}VkxB)Pb+lONn;xH5`(v5@n5Q>c)1hQ)@)048 o^So0Hx;D9fU(2$p`O+~aY2A~@@-3EfEx0i8{RTBvi6uq50HeSi!2kdN diff --git a/secrets/wg-privkey-vpn-dadada-li.age b/secrets/wg-privkey-vpn-dadada-li.age index 479dd4f988e140a5a019bfac8e7e3b9cfb3bc570..4bd9044298b6e50ec3dd263568956efdd00c6235 100644 GIT binary patch delta 332 zcmaFQ^qy&gPJLvie!gd!hlzQSp?PFbWLjuig>k7@Qc7r~PpXe&v2&(LfOC1iMRsT4`W@h)R zIah{nN_v^4XK0{Xg=KbBs+)zIdrDb^NvNlxhli6%nxji%V3A=^R#C^qicGKt5aSG5@ql$pEBm(s>5zJZ_fJZf#;Oq}!$0No#XdH?_b From 66fceb6b15442843cb62c0b54d2448ae802845dc Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Sat, 26 Jul 2025 20:12:12 +0200 Subject: [PATCH 22/26] feat(stolas): add snapper snapshots --- nixos/stolas/default.nix | 46 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index 5f7dfaf..4383cd0 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix 
@@ -118,6 +118,46 @@ browsing = true; }; tlp.enable = false; + snapper = { + cleanupInterval = "1d"; + snapshotInterval = "hourly"; + configs = { + home = { + SUBVOLUME = "/home/dadada"; + ALLOW_USERS= ["dadada"]; + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + TIMELINE_MIN_AGE = "1800"; + TIMELINE_LIMIT_HOURLY = "5"; + TIMELINE_LIMIT_DAILY = "7"; + TIMELINE_LIMIT_WEEKLY = "0"; + TIMELINE_LIMIT_MONTHLY = "0"; + TIMELINE_LIMIT_YEARLY = "0"; + }; + var = { + SUBVOLUME = "/var"; + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + TIMELINE_MIN_AGE = "1800"; + TIMELINE_LIMIT_HOURLY = "5"; + TIMELINE_LIMIT_DAILY = "7"; + TIMELINE_LIMIT_WEEKLY = "0"; + TIMELINE_LIMIT_MONTHLY = "0"; + TIMELINE_LIMIT_YEARLY = "0"; + }; + paperless = { + SUBVOLUME = "/var/lib/paperless"; + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + TIMELINE_MIN_AGE = "3600"; + TIMELINE_LIMIT_HOURLY = "10"; + TIMELINE_LIMIT_DAILY = "10"; + TIMELINE_LIMIT_WEEKLY = "10"; + TIMELINE_LIMIT_MONTHLY = "10"; + TIMELINE_LIMIT_YEARLY = "10"; + }; + }; + }; }; system = { @@ -133,6 +173,12 @@ HibernateDelaySec=1h ''; + systemd.tmpfiles.rules = [ + "v /var/.snapshots 0755 root root - -" + "v /var/paperless/.snapshots 0755 root root - -" + "v /home/dadada/.snapshots 0755 root root - -" + ]; + virtualisation.libvirtd.enable = true; users = { From a26418c9c32d3793bffd43b8aba4fed3a5187b19 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Sat, 26 Jul 2025 20:18:03 +0200 Subject: [PATCH 23/26] fix(ninurta): only run snapshots daily to limit noise --- nixos/ninurta/configuration.nix | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/nixos/ninurta/configuration.nix b/nixos/ninurta/configuration.nix index d4eed97..46562a8 100644 --- a/nixos/ninurta/configuration.nix +++ b/nixos/ninurta/configuration.nix 
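Review bot: In the `systemd.tmpfiles.rules` hunk the paperless entry creates `/var/paperless/.snapshots`, but the `paperless` snapper config added in the hunk before it sets `SUBVOLUME = "/var/lib/paperless"`. Snapper would therefore look for `/var/lib/paperless/.snapshots`, so the rule should probably read `"v /var/lib/paperless/.snapshots 0755 root root - -"`. All three snapshot directories are also created with mode `0755`, which lets every local user traverse them. Snapshots keep old copies of files, including ones later deleted or whose permissions were tightened, so `0750` is the safer mode. If `0755` is only there so `dadada` can browse the home snapshots, `SYNC_ACL = true;` on the `home` config next to `ALLOW_USERS` looks like the narrower way to grant that (to be confirmed against the snapper module in use).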
@@ -237,33 +237,38 @@ in services.snapper = { cleanupInterval = "1d"; - snapshotInterval = "hourly"; + snapshotInterval = "daily"; configs.home = { SUBVOLUME = "/home"; TIMELINE_CREATE = true; TIMELINE_CLEANUP = true; - TIMELINE_LIMIT_HOURLY = "24"; - TIMELINE_LIMIT_DAILY = "13"; - TIMELINE_LIMIT_WEEKLY = "6"; - TIMELINE_LIMIT_MONTHLY = "3"; + TIMELINE_MIN_AGE = "1800"; + TIMELINE_LIMIT_HOURLY = "5"; + TIMELINE_LIMIT_DAILY = "7"; + TIMELINE_LIMIT_WEEKLY = "0"; + TIMELINE_LIMIT_MONTHLY = "0"; + TIMELINE_LIMIT_YEARLY = "0"; }; configs.var = { SUBVOLUME = "/var"; TIMELINE_CREATE = true; TIMELINE_CLEANUP = true; - TIMELINE_LIMIT_HOURLY = "24"; - TIMELINE_LIMIT_DAILY = "13"; - TIMELINE_LIMIT_WEEKLY = "6"; - TIMELINE_LIMIT_MONTHLY = "3"; + TIMELINE_MIN_AGE = "1800"; + TIMELINE_LIMIT_HOURLY = "5"; + TIMELINE_LIMIT_DAILY = "7"; + TIMELINE_LIMIT_WEEKLY = "0"; + TIMELINE_LIMIT_MONTHLY = "0"; + TIMELINE_LIMIT_YEARLY = "0"; }; configs.storage = { SUBVOLUME = "/mnt/storage"; TIMELINE_CREATE = true; TIMELINE_CLEANUP = true; - TIMELINE_LIMIT_HOURLY = "24"; - TIMELINE_LIMIT_DAILY = "13"; - TIMELINE_LIMIT_WEEKLY = "6"; - TIMELINE_LIMIT_MONTHLY = "3"; + TIMELINE_LIMIT_HOURLY = "10"; + TIMELINE_LIMIT_DAILY = "10"; + TIMELINE_LIMIT_WEEKLY = "10"; + TIMELINE_LIMIT_MONTHLY = "10"; + TIMELINE_LIMIT_YEARLY = "10"; }; }; From 5d55e620daf163818cff3ac356ee465d39b50409 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Sat, 26 Jul 2025 20:56:40 +0200 Subject: [PATCH 24/26] chore: fix formatting and add treefmt --- .envrc | 2 ++ .github/dependabot.yml | 2 +- .github/workflows/nix-flake-check.yml | 30 ++++++++++++-------------- .github/workflows/nix-flake-update.yml | 3 +-- devshell.nix | 2 +- nixos/configurations.nix | 17 +++++++-------- nixos/stolas/default.nix | 11 +++++++--- outputs.nix | 5 +++-- pkgs/default.nix | 5 +++-- treefmt.nix | 8 +++++++ 10 files changed, 49 insertions(+), 36 deletions(-) create mode 100644 treefmt.nix diff --git a/.envrc b/.envrc index 3140b68..6a37c4f 100644 
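Review bot: With `snapshotInterval = "daily"`, `configs.home` and `configs.var` now keep `TIMELINE_LIMIT_DAILY = "7"` and zero weekly, monthly and yearly snapshots. The local restore window therefore shrinks from the removed `TIMELINE_LIMIT_MONTHLY = "3"` to about a week, which matters when a deletion or tampering is noticed late. If that is intended, a comment such as `# one week of local snapshots; older history must come from the off-host backup` above `configs.home` would record it. `TIMELINE_LIMIT_HOURLY = "5"` looks left over from an hourly schedule, and `configs.storage` is the only config without `TIMELINE_MIN_AGE`; making the three consistent would help.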
--- a/.envrc +++ b/.envrc @@ -1,3 +1,5 @@ +#!/bin/sh + watch_file devshell.nix use flake diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 49f19df..512e01e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,4 +4,4 @@ updates: directory: "/" schedule: interval: "weekly" - assignees: [ "dadada" ] + assignees: ["dadada"] diff --git a/.github/workflows/nix-flake-check.yml b/.github/workflows/nix-flake-check.yml index b0c0fa3..28b1d3c 100644 --- a/.github/workflows/nix-flake-check.yml +++ b/.github/workflows/nix-flake-check.yml @@ -1,26 +1,24 @@ name: Continuous Integration - on: pull_request: push: branches: [main] - jobs: checks: name: "Checks" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v26 - with: - nix_path: nixpkgs=channel:nixos-stable - extra_nix_config: | - experimental-features = nix-command flakes - access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - system-features = nixos-test benchmark big-parallel kvm - - uses: cachix/cachix-action@v14 - with: - name: dadada - signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - - run: nix flake check + - uses: actions/checkout@v4 + - uses: cachix/install-nix-action@v26 + with: + nix_path: nixpkgs=channel:nixos-stable + extra_nix_config: | + experimental-features = nix-command flakes + access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} + system-features = nixos-test benchmark big-parallel kvm + - uses: cachix/cachix-action@v14 + with: + name: dadada + signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - run: nix flake check diff --git a/.github/workflows/nix-flake-update.yml b/.github/workflows/nix-flake-update.yml index 9045f91..33843d1 100644 --- a/.github/workflows/nix-flake-update.yml +++ b/.github/workflows/nix-flake-update.yml 
@@ -3,7 +3,6 @@ on: workflow_dispatch: # allows manual triggering schedule: - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00 - jobs: lockfile: runs-on: ubuntu-latest @@ -16,6 +15,6 @@ jobs: uses: DeterminateSystems/update-flake-lock@v21 with: pr-title: "Update flake.lock" # Title of PR to be created - pr-labels: | # Labels to be set on the PR + pr-labels: | # Labels to be set on the PR dependencies automated diff --git a/devshell.nix b/devshell.nix index ebdfb12..1fbad07 100644 --- a/devshell.nix +++ b/devshell.nix @@ -24,7 +24,7 @@ name = "format"; help = "Format the project"; command = '' - nixpkgs-fmt . + treefmt . ''; category = "dev"; } diff --git a/nixos/configurations.nix b/nixos/configurations.nix index 7a4185a..95b894e 100644 --- a/nixos/configurations.nix +++ b/nixos/configurations.nix @@ -21,15 +21,14 @@ let nixpkgs.lib.nixosSystem { inherit system; - modules = - [ - { - nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; - } - ] - ++ (nixpkgs.lib.attrValues self.nixosModules) - ++ [ agenix.nixosModules.age ] - ++ extraModules; + modules = [ + { + nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; + } + ] + ++ (nixpkgs.lib.attrValues self.nixosModules) + ++ [ agenix.nixosModules.age ] + ++ extraModules; }; in { diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index 4383cd0..696f55f 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: { imports = [ @@ -124,7 +129,7 @@ configs = { home = { SUBVOLUME = "/home/dadada"; - ALLOW_USERS= ["dadada"]; + ALLOW_USERS = [ "dadada" ]; TIMELINE_CREATE = true; TIMELINE_CLEANUP = true; TIMELINE_MIN_AGE = "1800"; @@ -213,7 +218,7 @@ # owner = "paperless"; # }; # }; - + # Create compressing swap space in RAM zramSwap.enable = true; } diff --git a/outputs.nix b/outputs.nix index aea7953..c860d3c 100644 --- a/outputs.nix +++ b/outputs.nix 
@@ -5,12 +5,14 @@ nixpkgs, agenix, devshell, + treefmt-nix, ... }@inputs: (flake-utils.lib.eachDefaultSystem ( system: let pkgs = import nixpkgs { inherit system; }; + treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix; in { devShells.default = @@ -26,7 +28,7 @@ in import ./devshell.nix { inherit pkgs extraModules; }; - formatter = pkgs.nixfmt-tree; + formatter = treefmtEval.config.build.wrapper; packages = import ./pkgs { inherit pkgs; } // { installer-iso = self.nixosConfigurations.installer.config.system.build.isoImage; @@ -34,7 +36,6 @@ } )) // { - hmModules = import ./home/modules.nix { lib = nixpkgs.lib; }; nixosConfigurations = import ./nixos/configurations.nix inputs; diff --git a/pkgs/default.nix b/pkgs/default.nix index 9cd9053..9f52a8a 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,3 +1,4 @@ -{ pkgs }: { - citizen-cups = pkgs.callPackage ./citizen-cups.nix {}; +{ pkgs }: +{ + citizen-cups = pkgs.callPackage ./citizen-cups.nix { }; } diff --git a/treefmt.nix b/treefmt.nix new file mode 100644 index 0000000..75acdfa --- /dev/null +++ b/treefmt.nix @@ -0,0 +1,8 @@ +{ pkgs, ... }: +{ + projectRootFile = "flake.nix"; + programs.nixfmt.enable = true; + programs.shellcheck.enable = pkgs.hostPlatform.system != "riscv64-linux"; + programs.shfmt.enable = pkgs.hostPlatform.system != "riscv64-linux"; + programs.yamlfmt.enable = true; +} From 763d8f478343d903b4f873c318d5ba869ae6a678 Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Sat, 26 Jul 2025 21:21:46 +0200 Subject: [PATCH 25/26] fix(admin): set shell always from admins.nix --- nixos/modules/admin.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/admin.nix b/nixos/modules/admin.nix index 05acc43..bd03ba7 100644 --- a/nixos/modules/admin.nix +++ b/nixos/modules/admin.nix 
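Review bot: In the second outputs.nix hunk the new `treefmtEval` is only wired to `formatter`, so nothing visible here makes `nix flake check` (the command the CI workflow runs) fail on unformatted files. If no `checks` output is defined further down in outputs.nix, adding `checks.formatting = treefmtEval.config.build.check self;` next to `formatter` would enforce the formatting this commit introduces. The `let` block and the per-system attribute set both continue outside the hunk.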
@@ -97,7 +97,7 @@ in services.openssh.openFirewall = true; users.users = mapAttrs (user: keys: { - shell = lib.mkDefault shells."${keys.shell}"; + shell = shells."${keys.shell}"; extraGroups = lib.mkDefault extraGroups; isNormalUser = true; openssh.authorizedKeys.keys = keys.keys; From 76f29fae245b723584999732fc9e3187c2f581bf Mon Sep 17 00:00:00 2001 From: Tim Schubert Date: Sat, 26 Jul 2025 21:22:08 +0200 Subject: [PATCH 26/26] fix(ninurta): remove unused postresql backup --- nixos/ninurta/configuration.nix | 7 ------- 1 file changed, 7 deletions(-) diff --git a/nixos/ninurta/configuration.nix b/nixos/ninurta/configuration.nix index 46562a8..39bdca7 100644 --- a/nixos/ninurta/configuration.nix +++ b/nixos/ninurta/configuration.nix @@ -149,13 +149,6 @@ in startAt = "daily"; }; - services.postgresqlBackup = { - enable = true; - backupAll = true; - compression = "zstd"; - location = "/var/backup/postgresql"; - }; - age.secrets."ninurta-backup-passphrase" = { file = "${secretsPath}/ninurta-backup-passphrase.age"; mode = "400";
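Review bot: Dropping `lib.mkDefault` on `shell` makes this a normal-priority definition, so a host that also sets `users.users.<name>.shell` to a different value at normal priority would likely fail evaluation with a conflicting-definition error rather than be overridden. If the intent in the commit title is that admins.nix always wins, `shell = lib.mkForce shells."${keys.shell}";` says so explicitly. Separately, `shells."${keys.shell}"` aborts evaluation with a missing-attribute error when admins.nix names a shell that is not in `shells`, so a one-line comment above it listing the accepted names would help whoever edits the admin list. The `mapAttrs` body continues outside the hunk.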