diff --git a/.prettierignore b/.prettierignore new file mode 100644 index 0000000..40cca66 --- /dev/null +++ b/.prettierignore @@ -0,0 +1 @@ +secrets/sops/** diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..b787859 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,35 @@ +--- +keys: + - &christoph_trek age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + - &christoph_zero age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + # generate with: `ssh 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' | nix run nixpkgs#ssh-to-age` + - &machine_tank age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh + - &machine_fort age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2 + - &machine_zero age1xdd0mzt7mhr30rzvt34ygxurlvdvs53svg7lxd6843lx83vy0guqew578d + +creation_rules: + - path_regex: secrets/sops/(acme|restic)\.yaml + key_groups: + - age: + - *christoph_trek + - *christoph_zero + - *machine_tank + - *machine_fort + - path_regex: secrets/sops/(grafana|home-assistant|navidrome|sourcehut|tank|vaultwarden)\.yaml + key_groups: + - age: + - *christoph_trek + - *christoph_zero + - *machine_tank + - path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|wireguard)\.yaml + key_groups: + - age: + - *christoph_trek + - *christoph_zero + - *machine_fort + - path_regex: secrets/sops/zero\.yaml + key_groups: + - age: + - *christoph_trek + - *christoph_zero + - *machine_zero diff --git a/README.md b/README.md index 2f963f6..2cbb8a7 100644 --- a/README.md +++ b/README.md @@ -30,14 +30,6 @@ - `system/home-manager`: home-manager configuration. -### Notable files - -- `default.nix`: Morph deployment definitions - -- `flake.nix`: Nix development shell definition - -- `sources.nix`: Contains all Nix package/module source definitions - ## Hacking `nix develop` will provide an ephemeral shell with all tools needed. 
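Review bot: The `path_regex` patterns under `creation_rules` in `.sops.yaml` have no end anchor, and because sops applies the first rule that matches, the pattern alone decides which recipients a new file is encrypted to. As written, `secrets/sops/(acme|restic)\.yaml` would also match a constructed name such as `secrets/sops/acme.yaml.bak`. Anchoring each one, as in `path_regex: secrets/sops/(acme|restic)\.yaml$`, keeps the recipient sets tied to exactly the listed files. The `# generate with:` comment also omits the host argument to `ssh`; writing it as `ssh <host> 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' | nix run nixpkgs#ssh-to-age` would make it usable as written.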
@@ -48,4 +40,4 @@ The code is released into the public domain. Other conditions apply to the following files: -- `extra/sway/background.png`: [Photo](https://unsplash.com/photos/wQLAGv4_OYs) by [Lucas Kapla](https://unsplash.com/@aznbokchoy), [Unsplash License](https://unsplash.com/license) +- `pkgs/sway-background-image/background.jpg`: [Photo](https://unsplash.com/photos/wQLAGv4_OYs) by [Lucas Kapla](https://unsplash.com/@aznbokchoy), [Unsplash License](https://unsplash.com/license) diff --git a/default.nix b/default.nix deleted file mode 100644 index a3c7950..0000000 --- a/default.nix +++ /dev/null @@ -1,42 +0,0 @@ -let - inherit (import ./sources.nix) defaultPkgs overlays; - - pkgs = import defaultPkgs { inherit overlays; }; - inherit (pkgs) lib; - - mkMachine = name: - { tags, pkgs ? null }: - { config, ... }: { - _module.args = { - machineName = "${name}.c8h4.io"; - my = import ./secrets/my.nix; - inherit (config.deployment) secrets; - }; - imports = [ (./machines + "/${name}.nix") ./modules ]; - nixpkgs.pkgs = lib.mkIf (pkgs != null) pkgs; - deployment = { - substituteOnDestination = true; - inherit tags; - }; - }; - - machines = { - back = { tags = [ "external" "server" "baremetal" ]; }; - fort = { tags = [ "external" "server" "vm" ]; }; - tank = { - tags = [ "homelab" "server" "baremetal" ]; - pkgs = import defaultPkgs { - inherit overlays; - # https://nixos.wiki/wiki/Home-assistant#OpenSSL_1.1_is_marked_as_insecure.2C_refusing_to_evaluate - config.permittedInsecurePackages = [ "openssl-1.1.1w" ]; - }; - }; - trek = { tags = [ "desktop" ]; }; - zero = { tags = [ "desktop" ]; }; - }; -in { - network = { - inherit pkgs; - description = "c8h4.io infrastructure"; - }; -} // (builtins.mapAttrs mkMachine machines) diff --git a/flake.lock b/flake.lock index 681dce5..d59e8d8 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,5 +1,37 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -65,6 +97,43 @@ "type": "github" } }, + "nixinate": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1708891350, + "narHash": "sha256-VOQrKK7Df/IVuNki+NshVuGkTa/Tw0GigPjWcZff6kk=", + "owner": "MatthewCroughan", + "repo": "nixinate", + "rev": "452f33c60df5b72ad0858f5f2cf224bdf1f17746", + "type": "github" + }, + "original": { + "owner": "MatthewCroughan", + "repo": "nixinate", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1714465198, + "narHash": "sha256-ySkEJvS0gPz2UhXm0H3P181T8fUxvDVcoUyGn0Kc5AI=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "refs/heads/master", + "repo": "nixos-hardware", + "rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1714514312, 
@@ -82,15 +151,119 @@ "type": "github" } }, + "nixpkgs-22_11": { + "locked": { + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1684782344, + "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, + "nixpkgs-sourcehut": { + "locked": { + "lastModified": 1712771850, + "narHash": "sha256-Wb/xWLVSi5rZCRna2IUs43NVdquTlaQ/YNyx2IU79SQ=", + "owner": "christoph-heiss", + "repo": "nixpkgs", + "rev": "6729c6c653f17a5f9f1dcf5439d3e98652406042", + "type": "github" + }, + "original": { + "owner": "christoph-heiss", + "ref": "refs/heads/sourcehut-fix", + "repo": "nixpkgs", + "rev": "6729c6c653f17a5f9f1dcf5439d3e98652406042", + "type": "github" + } + }, "root": { "inputs": { "flake-utils": "flake-utils", "home-manager": "home-manager", "nixgl": "nixgl", + "nixinate": "nixinate", + "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", + "nixpkgs-sourcehut": "nixpkgs-sourcehut", + "simple-nixos-mailserver": "simple-nixos-mailserver", + "sops-nix": "sops-nix", "treefmt-nix": "treefmt-nix" } }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-22_11": "nixpkgs-22_11", + "nixpkgs-23_05": "nixpkgs-23_05", + "utils": "utils" + }, + "locked": { + "lastModified": 1689976554, + "narHash": "sha256-uWJq3sIhkqfzPmfB2RWd5XFVooGFfSuJH9ER/r302xQ=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e", + "type": 
"gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "refs/heads/master", + "repo": "nixos-mailserver", + "rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e", + "type": "gitlab" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1713668495, + "narHash": "sha256-4BvlfPfyUmB1U0r/oOF6jGEW/pG59c5yv6PJwgucTNM=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "09f1bc8ba3277c0f052f7887ec92721501541938", + "type": "github" + }, + "original": { + "owner": "Mic92", + "ref": "refs/heads/master", + "repo": "sops-nix", + "rev": "09f1bc8ba3277c0f052f7887ec92721501541938", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -125,6 +298,21 @@ "repo": "treefmt-nix", "type": "github" } + }, + "utils": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 8688dbb..f9514e8 100644 --- a/flake.nix +++ b/flake.nix 
@@ -17,6 +17,28 @@ rev = "2b87a11125f988a9f67ee63eeaa3682bc841d9b5"; # 06-05-2024 inputs.nixpkgs.follows = "nixpkgs"; }; + nixos-hardware = { + type = "github"; + owner = "NixOS"; + repo = "nixos-hardware"; + ref = "refs/heads/master"; + rev = "68d680c1b7c0e67a9b2144d6776583ee83664ef4"; # 30-04-2024 + }; + nixpkgs-sourcehut = { + type = "github"; + owner = "christoph-heiss"; + repo = "nixpkgs"; + ref = "refs/heads/sourcehut-fix"; + rev = "6729c6c653f17a5f9f1dcf5439d3e98652406042"; + }; + simple-nixos-mailserver = { + type = "gitlab"; + owner = "simple-nixos-mailserver"; + repo = "nixos-mailserver"; + ref = "refs/heads/master"; + rev = "c63f6e7b053c18325194ff0e274dba44e8d2271e"; # 21-07-2023 + inputs.nixpkgs.follows = "nixpkgs"; + }; nixgl = { type = "github"; owner = "guibou"; @@ -31,10 +53,24 @@ url = "github:numtide/treefmt-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + nixinate = { + url = "github:MatthewCroughan/nixinate"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + sops-nix = { + type = "github"; + owner = "Mic92"; + repo = "sops-nix"; + ref = "refs/heads/master"; + rev = "09f1bc8ba3277c0f052f7887ec92721501541938"; # 21-04-2024 + inputs.nixpkgs.follows = "nixpkgs"; + inputs.nixpkgs-stable.follows = "nixpkgs"; + }; }; - outputs = - { self, nixpkgs, home-manager, nixgl, flake-utils, treefmt-nix, ... }: + outputs = { self, nixpkgs, home-manager, nixos-hardware, nixpkgs-sourcehut + , simple-nixos-mailserver, nixgl, flake-utils, treefmt-nix, nixinate + , sops-nix }: flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system: let pkgs = import nixpkgs { inherit system; }; 
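Review bot: `nixinate` is the only new input declared by a bare `url` with no `rev`, while `nixos-hardware`, `nixpkgs-sourcehut`, `simple-nixos-mailserver` and `sops-nix` all pin a commit in `flake.nix` itself. `flake.lock` still fixes it to a revision, but a later `nix flake update` will move it forward without any reviewable change to this file. Since this is the tool that pushes configurations to every host, I would pin it like the others, using the revision already recorded in the lock file: `rev = "452f33c60df5b72ad0858f5f2cf224bdf1f17746";`.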
@@ -43,69 +79,23 @@ treefmt = treefmt-nix.lib.evalModule pkgs { projectRootFile = "flake.nix"; programs = { - nixfmt.enable = true; - stylua.enable = true; - statix.enable = true; deadnix.enable = true; + nixfmt.enable = true; + prettier.enable = true; shellcheck.enable = true; + statix.enable = true; + stylua.enable = true; }; }; - mkMorphDeploy = selector: name: - pkgs.writeShellScript "deploy-${selector}-${name}" '' - set -x - ${pkgs.morph}/bin/morph deploy --show-trace --passwd --${selector} "${name}" ./default.nix switch - ''; - - mkMorphBuild = selector: name: - pkgs.writeShellScript "build-${selector}-${name}" '' - set -x - ${pkgs.morph}/bin/morph build --show-trace --${selector} "${name}" ./default.nix - ''; - - mkMorphUploadSecrets = selector: name: - pkgs.writeShellScript "deploy-${selector}-${name}" '' - set -x - ${pkgs.morph}/bin/morph upload-secrets --show-trace --passwd --${selector} "${name}" ./default.nix - ''; - mkHomeManagerFlake = name: pkgs.writeShellScript "hm-flake-${name}" '' set -x ${pkgs.home-manager}/bin/home-manager switch --flake .#${name} -b bak ''; - machines = [ "back" "fort" "tank" "trek" "zero" ]; - tags = [ "baremetal" "desktop" "external" "homelab" "server" "vm" ]; in { - apps = (builtins.listToAttrs (map (name: { - inherit name; - value = { - type = "app"; - program = "${mkMorphDeploy "on" name}"; - }; - }) machines)) // { - tags = builtins.listToAttrs (map (name: { - inherit name; - value = { - type = "app"; - program = "${mkMorphDeploy "tagged" name}"; - }; - }) tags); - build = builtins.listToAttrs (map (name: { - inherit name; - value = { - type = "app"; - program = "${mkMorphBuild "on" name}"; - }; - }) machines); - upload-secrets = builtins.listToAttrs (map (name: { - inherit name; - value = { - type = "app"; - program = "${mkMorphUploadSecrets "on" name}"; - }; - }) machines); + apps = (nixinate.nixinate.${system} self).nixinate // { maui = { type = "app"; program = "${mkHomeManagerFlake "maui"}"; 
@@ -119,9 +109,70 @@ formatter = treefmt.config.build.wrapper; - devShells.default = - pkgs.mkShell { inputsFrom = [ treefmt.config.build.devShell ]; }; - }) // (let inherit (import ./sources.nix) overlays; + devShells.default = pkgs.mkShell { + inputsFrom = [ treefmt.config.build.devShell ]; + nativeBuildInputs = with pkgs; [ age sops ]; + }; + }) // (let + overlays = [ + (import ./pkgs) + (self: super: { + vimPlugins = super.vimPlugins + // (import ./pkgs/vim-plugins.nix self super); + }) + (_: super: { + inherit (import nixpkgs-sourcehut { inherit (super) system; }) + sourcehut; + }) + ]; + machines = { + back = { }; + fort = { }; + tank.extraModules = [{ + disabledModules = [ "services/misc/sourcehut" ]; + imports = + [ "${nixpkgs-sourcehut}/nixos/modules/services/misc/sourcehut" ]; + }]; + trek.extraModules = + [ nixos-hardware.nixosModules.framework-12th-gen-intel ]; + zero = { }; + }; + mkSystem = name: + { extraModules ? [ ], system ? "x86_64-linux" }: + nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + sops-nix.nixosModules.sops + simple-nixos-mailserver.nixosModules.mailserver + { nixpkgs = { inherit overlays; }; } + home-manager.nixosModules.home-manager + { + home-manager.useUserPackages = true; + home-manager.useGlobalPkgs = true; + } + # who doesn't love a bit of composability + ({ config, ... }: { + _module.args = { + inherit (config.sops) secrets; + my = import ./secrets/my.nix; + nixinate = { + host = name; + sshUser = "christoph"; + buildOn = "local"; + substituteOnTarget = true; + }; + }; + + imports = [ (./machines + "/${name}.nix") ]; + networking.hostName = name; + sops.age = { + sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + keyFile = "/var/lib/sops-nix/key.txt"; + generateKey = true; + }; + }) + ] ++ (builtins.attrValues self.nixosModules) ++ extraModules; + }; in { homeConfigurations.maui = home-manager.lib.homeManagerConfiguration { pkgs = import nixpkgs { 
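Review bot: In the `sops.age` block of `mkSystem`, `keyFile` together with `generateKey = true` makes every host create a fresh age identity at `/var/lib/sops-nix/key.txt`. The `.sops.yaml` added in this commit appears to list only machine recipients derived from the SSH host keys (per its `ssh-to-age` comment), so the generated key presumably cannot decrypt any of the files. If decryption is meant to rely on the host key alone, reducing the block to `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` avoids an unused private key on each machine. Otherwise the generated public key has to be added as a recipient. The surrounding `let … in` block continues beyond this hunk.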
@@ -131,5 +182,8 @@ modules = [ ./machines/maui.nix ]; }; + + nixosConfigurations = builtins.mapAttrs mkSystem machines; + nixosModules = import ./modules; }); } diff --git a/machines/fort.nix b/machines/fort.nix index 3c9f2d1..46fe4a8 100644 --- a/machines/fort.nix +++ b/machines/fort.nix @@ -19,16 +19,13 @@ let in { imports = [ ../secrets/machines/fort.nix - ../secrets/morph/acme.nix - ../secrets/morph/matrix.nix - ../secrets/morph/restic.nix - ../secrets/morph/wireguard ../services/alertmanager.nix ../services/conduit.nix ../services/fail2ban.nix ../services/matrix-hookshot.nix ../services/nginx.nix ../services/node-exporter.nix + ../services/restic-client.nix ../services/web/c8h4-io.nix ../system/virtual-machine.nix ]; @@ -73,26 +70,12 @@ in { environment.systemPackages = with pkgs; [ wireguard-tools ]; networking.hosts = my.homelab.hosts; - - networking.firewall.allowedUDPPorts = with my.wireguard.netdevs; [ - c8h4.wireguardConfig.ListenPort - airlab.wireguardConfig.ListenPort - ]; - networking.useDHCP = false; systemd.network = { enable = true; - networks = { - "10-wan" = hetznerWanNetwork // { - address = [ "128.140.95.112/32" "2a01:4f8:c17:6f57::1/64" ]; - }; - "40-wg-c8h4" = my.wireguard.networks.c8h4; - "41-wg-airlab" = my.wireguard.networks.airlab; - }; - netdevs = { - "40-wg-c8h4" = my.wireguard.netdevs.c8h4; - "41-wg-airlab" = my.wireguard.netdevs.airlab; + networks."10-wan" = hetznerWanNetwork // { + address = [ "128.140.95.112/32" "2a01:4f8:c17:6f57::1/64" ]; }; }; } diff --git a/machines/tank.nix b/machines/tank.nix index fcd8795..33139a1 100644 --- a/machines/tank.nix +++ b/machines/tank.nix @@ -3,10 +3,6 @@ { imports = [ ../secrets/machines/tank.nix - ../secrets/morph/acme.nix - ../secrets/morph/home-assistant.nix - ../secrets/morph/restic.nix - ../secrets/morph/sourcehut ../services/grafana.nix ../services/home-assistant.nix ../services/navidrome.nix 
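Review bot: The second `machines/fort.nix` hunk removes the WireGuard `netdevs`/`networks` entries and the `networking.firewall.allowedUDPPorts` list, and the new import list shows no module that visibly takes them over. `wireguard-tools` stays installed and `.sops.yaml` defines a `wireguard` secret for fort, so the tunnels are presumably still wanted. If the definitions now live in `../secrets/machines/fort.nix` (binary in this diff), the opened firewall ports can no longer be reviewed from the plain-text tree. A comment such as `# WireGuard netdevs and firewall ports are defined in ../secrets/machines/fort.nix` would record that. If they were not moved, fort loses its tunnels on the next switch.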
@@ -15,9 +11,10 @@ ../services/paperless.nix ../services/postgresql.nix ../services/prometheus.nix + ../services/restic-client.nix ../services/sourcehut.nix - ../services/vaultwarden.nix ../services/tt-rss.nix + ../services/vaultwarden.nix ../system/baremetal-server.nix ../system/ucode-amd.nix ../system/zfs.nix @@ -85,6 +82,8 @@ powerManagement.cpuFreqGovernor = "powersave"; + networking.nat.externalInterface = "enp4s0"; + services.dashboard-icons = { enable = true; virtualHost = { diff --git a/machines/trek.nix b/machines/trek.nix index 012fa58..e61f7e8 100644 --- a/machines/trek.nix +++ b/machines/trek.nix @@ -1,12 +1,7 @@ { pkgs, ... }: -let - nixosHardwareCommit = "a6aa8174fa61e55bd7e62d35464d3092aefe0421"; - nixosHardware = fetchTarball - "https://github.com/NixOS/nixos-hardware/archive/${nixosHardwareCommit}.zip"; -in { +{ imports = [ - "${nixosHardware}/framework/12th-gen-intel" ../system/bluetooth.nix ../system/desktop.nix ../system/laptop.nix diff --git a/machines/zero.nix b/machines/zero.nix index f7d6bdc..c40c5dc 100644 --- a/machines/zero.nix +++ b/machines/zero.nix @@ -2,6 +2,7 @@ { imports = [ + ../secrets/machines/zero.nix ../system/automation-target.nix ../system/desktop.nix ../system/ucode-amd.nix diff --git a/modules/default.nix b/modules/default.nix index 11c7dfe..39c58e8 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,9 +1,7 @@ { - imports = [ - ./services/dashboard-icons.nix - ./services/filebrowser.nix - ./services/homer.nix - ./services/matrix-hookshot.nix - ./services/nextcloud.nix - ]; + dashboard-icons = import ./services/dashboard-icons.nix; + filebrowser = import ./services/filebrowser.nix; + homer = import ./services/homer.nix; + matrix-hookshot = import ./services/matrix-hookshot.nix; + nextcloud = import ./services/nextcloud.nix; } diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix index 9fa07d6..3b3ff5b 100644 --- a/modules/services/nextcloud.nix +++ b/modules/services/nextcloud.nix 
@@ -5,8 +5,8 @@ let cfg = config.my.services.nextcloud; - defineContainer = { name, package, hostName, port, hostAddress, localAddress - , adminUser, dataPath, dbName, settings, ... }: { + defineContainer = { package, hostName, port, hostAddress, localAddress + , adminUser, dataPath, dbName, adminpassFile, secretFile, settings, ... }: { autoStart = true; privateNetwork = true; @@ -23,16 +23,20 @@ let hostPath = dataPath; isReadOnly = false; }; - "/secrets".hostPath = "/var/secrets/nextcloud/${name}"; }; + extraFlags = [ + "--load-credential=adminpass:${adminpassFile}" + "--load-credential=secretfile:${secretFile}" + ]; + config = { lib, ... }: { services.nextcloud = { enable = true; inherit hostName package; autoUpdateApps.enable = true; maxUploadSize = "4G"; - secretFile = "/secrets/secrets.json"; + secretFile = "/run/secrets/secretfile"; datadir = "/data"; caching.redis = true; configureRedis = true; @@ -48,7 +52,7 @@ let }; config = { adminuser = adminUser; - adminpassFile = "/secrets/adminpass"; + adminpassFile = "/run/secrets/adminpass"; dbtype = "pgsql"; dbuser = dbName; dbname = dbName; @@ -61,13 +65,18 @@ let }; }; + systemd.tmpfiles.settings."50-nextcloud-secrets"."/run/secrets".d = { + user = "nextcloud"; + group = "nextcloud"; + mode = "0750"; + }; + systemd.services.nextcloud-setup = { - wantedBy = mkForce [ ]; + serviceConfig.LoadCredential = + [ "adminpass:adminpass" "secretfile:secretfile" ]; preStart = '' - # wait for postgresql to be reachable - while ! ${pkgs.postgresql}/bin/psql -h ${hostAddress} -U ${dbName} -c 'select 1;'; do - sleep 1 - done + cp -vf $CREDENTIALS_DIRECTORY/adminpass /run/secrets/ + cp -vf $CREDENTIALS_DIRECTORY/secretfile /run/secrets/ ''; }; 
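Review bot: The `preStart` of `nextcloud-setup` copies both credentials out of `$CREDENTIALS_DIRECTORY` into `/run/secrets` with a bare `cp`. The resulting file mode then depends on the source mode and the umask, the variable is unquoted, and the secrets outlive the unit they were granted to. I would make the permissions explicit with `install -m 0400 "$CREDENTIALS_DIRECTORY/adminpass" /run/secrets/adminpass`, and the same for `secretfile`. The same hunk also drops the loop that waited for PostgreSQL and the `wantedBy = mkForce [ ]` override, so setup presumably now starts with the container whether or not the database is reachable; worth confirming that the ordering is handled elsewhere. `defineContainer` starts and ends outside these hunks.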
@@ -161,6 +170,24 @@ in { ''; }; + adminpassFile = mkOption { + type = types.str; + description = '' + The full path to a file that contains the admin's password. Must be + readable by user `nextcloud`. The password is set only in the initial + setup of Nextcloud by the systemd service `nextcloud-setup.service`. + ''; + }; + + secretFile = mkOption { + type = types.str; + description = '' + Secret options which will be appended to Nextcloud's config.php file (written as JSON, in the same + form as the [](#opt-services.nextcloud.extraOptions) option), for example + `{"redis":{"password":"secret"}}`. + ''; + }; + settings = mkOption { type = types.submodule { freeformType = (pkgs.formats.json { }).type; }; @@ -178,7 +205,9 @@ in { description = "Instances of Nextcloud to run as native NixOS containers"; }; - config = lib.mkMerge [{ + config = { + boot.kernelModules = [ "veth" ]; + containers = lib.mapAttrs' (name: value: let srvName = "nc-${name}"; @@ -203,5 +232,5 @@ in { (builtins.attrNames cfg.instances); enableIPv6 = true; }; - }]; + }; } diff --git a/pkgs/default.nix b/pkgs/default.nix index 603ef64..48f2bce 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -7,4 +7,5 @@ _: super: git-multi-shortlog = super.callPackage ./git-multi-shortlog.nix { }; homer = super.callPackage ./homer { }; neomutt-export-patches = super.callPackage ./neomutt-export-patches.nix { }; + sway-background-image = super.callPackage ./sway-background-image { }; } diff --git a/extra/sway/background.jpg b/pkgs/sway-background-image/background.jpg similarity index 100% rename from extra/sway/background.jpg rename to pkgs/sway-background-image/background.jpg diff --git a/pkgs/sway-background-image/default.nix b/pkgs/sway-background-image/default.nix new file mode 100644 index 0000000..5651835 --- /dev/null +++ b/pkgs/sway-background-image/default.nix 
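Review bot: The `adminpassFile` description says the file "Must be readable by user `nextcloud`", but this module hands the path to the container through `--load-credential` in `extraFlags`. It is therefore read on the host when the container starts, not by the `nextcloud` user. I would reword it along the lines of `Path on the host to a file containing the admin password; it is passed into the container as a credential and should live outside the Nix store.` and add a matching host-side sentence to `secretFile`. The `secretFile` text also carries a link to an upstream option anchor (`#opt-services.nextcloud.extraOptions`) that may not resolve in this module's documentation. Neither option has an `example`.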
@@ -0,0 +1,14 @@ +{ stdenv }: + +stdenv.mkDerivation rec { + pname = "sway-background-image"; + version = "0.1"; + dontUnpack = true; + + installPhase = '' + runHook preInstall + mkdir -p $out/share + cp -v ${./background.jpg} $out/share/background.jpg + runHook postInstall + ''; +} diff --git a/secrets/.gitattributes b/secrets/.gitattributes index 5ccf582..d8b7a09 100644 --- a/secrets/.gitattributes +++ b/secrets/.gitattributes @@ -1,2 +1,3 @@ * filter=git-crypt diff=git-crypt .gitattributes !filter !diff +sops/** !filter !diff diff --git a/secrets/machines/fort.nix b/secrets/machines/fort.nix index 81a9e08..fef8f5d 100644 Binary files a/secrets/machines/fort.nix and b/secrets/machines/fort.nix differ diff --git a/secrets/machines/tank.nix b/secrets/machines/tank.nix index f1d8cba..719a48d 100644 Binary files a/secrets/machines/tank.nix and b/secrets/machines/tank.nix differ diff --git a/secrets/machines/zero.nix b/secrets/machines/zero.nix new file mode 100644 index 0000000..78df784 Binary files /dev/null and b/secrets/machines/zero.nix differ diff --git a/secrets/morph/082c30fc-8120-4e3d-9b2a-85026e73657f b/secrets/morph/082c30fc-8120-4e3d-9b2a-85026e73657f deleted file mode 100644 index 325202d..0000000 Binary files a/secrets/morph/082c30fc-8120-4e3d-9b2a-85026e73657f and /dev/null differ diff --git a/secrets/morph/0de59e58-ee8d-4288-b55d-d4d0c3ca5dbd b/secrets/morph/0de59e58-ee8d-4288-b55d-d4d0c3ca5dbd deleted file mode 100644 index 02ab573..0000000 Binary files a/secrets/morph/0de59e58-ee8d-4288-b55d-d4d0c3ca5dbd and /dev/null differ diff --git a/secrets/morph/1036e80d-b11e-4020-95b7-f037c01dc826 b/secrets/morph/1036e80d-b11e-4020-95b7-f037c01dc826 deleted file mode 100644 index aef93e6..0000000 Binary files a/secrets/morph/1036e80d-b11e-4020-95b7-f037c01dc826 and /dev/null differ 
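Review bot: The added `sops/** !filter !diff` line in `secrets/.gitattributes` turns git-crypt off for everything under `secrets/sops/`, so a file committed there before it has been run through sops lands in the repository in plaintext. Nothing in this diff guards against that. A pre-commit or CI check that every file under `secrets/sops/` contains a top-level `sops:` metadata block would close the gap. A comment above the line would also help: `# sops files are already encrypted; never commit plaintext here`.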
diff --git a/secrets/morph/1e330e41-2d10-47cb-adb7-c94f487d9c4a b/secrets/morph/1e330e41-2d10-47cb-adb7-c94f487d9c4a
deleted file mode 100644
index d770cfc..0000000
Binary files a/secrets/morph/1e330e41-2d10-47cb-adb7-c94f487d9c4a and /dev/null differ
diff --git a/secrets/morph/25dd1d32-7843-454d-9bbd-26b2a07954b9 b/secrets/morph/25dd1d32-7843-454d-9bbd-26b2a07954b9
deleted file mode 100644
index 1df511a..0000000
Binary files a/secrets/morph/25dd1d32-7843-454d-9bbd-26b2a07954b9 and /dev/null differ
diff --git a/secrets/morph/3cfdc72a-4a82-4b61-a44e-47112456bc98 b/secrets/morph/3cfdc72a-4a82-4b61-a44e-47112456bc98
deleted file mode 100644
index 69bde3b..0000000
Binary files a/secrets/morph/3cfdc72a-4a82-4b61-a44e-47112456bc98 and /dev/null differ
diff --git a/secrets/morph/6ed0075c-e3f8-443e-8ad1-335831ab677f b/secrets/morph/6ed0075c-e3f8-443e-8ad1-335831ab677f
deleted file mode 100644
index f31df44..0000000
Binary files a/secrets/morph/6ed0075c-e3f8-443e-8ad1-335831ab677f and /dev/null differ
diff --git a/secrets/morph/75738a3b-bd54-44a4-8641-b327c58bd49e b/secrets/morph/75738a3b-bd54-44a4-8641-b327c58bd49e
deleted file mode 100644
index 7629412..0000000
Binary files a/secrets/morph/75738a3b-bd54-44a4-8641-b327c58bd49e and /dev/null differ
diff --git a/secrets/morph/8b8ff290-8ea6-4828-b03d-79ef1f612e34 b/secrets/morph/8b8ff290-8ea6-4828-b03d-79ef1f612e34
deleted file mode 100644
index 3993d9e..0000000
Binary files a/secrets/morph/8b8ff290-8ea6-4828-b03d-79ef1f612e34 and /dev/null differ
diff --git a/secrets/morph/95ac8ad7-ef00-493e-9b14-c26763047b31 b/secrets/morph/95ac8ad7-ef00-493e-9b14-c26763047b31
deleted file mode 100644
index 60be66a..0000000
Binary files a/secrets/morph/95ac8ad7-ef00-493e-9b14-c26763047b31 and /dev/null differ
diff --git a/secrets/morph/a589e4ea-b3c2-4a89-b91c-d3258dabb818 b/secrets/morph/a589e4ea-b3c2-4a89-b91c-d3258dabb818
deleted file mode 100644
index fc0d996..0000000
Binary files a/secrets/morph/a589e4ea-b3c2-4a89-b91c-d3258dabb818 and /dev/null differ
diff --git a/secrets/morph/acme.nix b/secrets/morph/acme.nix
deleted file mode 100644
index e992640..0000000
Binary files a/secrets/morph/acme.nix and /dev/null differ
diff --git a/secrets/morph/c9ebe668-dfe5-4e59-8e8c-cd56aa34ad5d b/secrets/morph/c9ebe668-dfe5-4e59-8e8c-cd56aa34ad5d
deleted file mode 100644
index 300e581..0000000
Binary files a/secrets/morph/c9ebe668-dfe5-4e59-8e8c-cd56aa34ad5d and /dev/null differ
diff --git a/secrets/morph/cf88e3e5-dc4e-4a7a-a5de-6c3453c8192d b/secrets/morph/cf88e3e5-dc4e-4a7a-a5de-6c3453c8192d
deleted file mode 100644
index a1f647a..0000000
Binary files a/secrets/morph/cf88e3e5-dc4e-4a7a-a5de-6c3453c8192d and /dev/null differ
diff --git a/secrets/morph/d4951bb3-4986-4ade-b399-96412c986284 b/secrets/morph/d4951bb3-4986-4ade-b399-96412c986284
deleted file mode 100644
index 09b9699..0000000
Binary files a/secrets/morph/d4951bb3-4986-4ade-b399-96412c986284 and /dev/null differ
diff --git a/secrets/morph/e4ebe370-c85d-4687-a93f-40b7453377e1 b/secrets/morph/e4ebe370-c85d-4687-a93f-40b7453377e1
deleted file mode 100644
index ae5b08c..0000000
Binary files a/secrets/morph/e4ebe370-c85d-4687-a93f-40b7453377e1 and /dev/null differ
diff --git a/secrets/morph/hetzner-acme b/secrets/morph/hetzner-acme
deleted file mode 100644
index 27f6c99..0000000
Binary files a/secrets/morph/hetzner-acme and /dev/null differ
diff --git a/secrets/morph/home-assistant.nix b/secrets/morph/home-assistant.nix
deleted file mode 100644
index 8afebe7..0000000
Binary files a/secrets/morph/home-assistant.nix and /dev/null differ
diff --git a/secrets/morph/matrix.nix b/secrets/morph/matrix.nix
deleted file mode 100644
index b227c4f..0000000
Binary files a/secrets/morph/matrix.nix and /dev/null differ
diff --git a/secrets/morph/restic.nix b/secrets/morph/restic.nix
deleted file mode 100644
index 49c4a2d..0000000
Binary files a/secrets/morph/restic.nix and /dev/null differ
diff --git a/secrets/morph/sourcehut/default.nix b/secrets/morph/sourcehut/default.nix
deleted file mode 100644
index ce087e4..0000000
Binary files a/secrets/morph/sourcehut/default.nix and /dev/null differ
diff --git a/secrets/morph/sourcehut/network-key b/secrets/morph/sourcehut/network-key
deleted file mode 100644
index bd7ca5d..0000000
Binary files a/secrets/morph/sourcehut/network-key and /dev/null differ
diff --git a/secrets/morph/sourcehut/oauth-client-secret b/secrets/morph/sourcehut/oauth-client-secret
deleted file mode 100644
index 31fc270..0000000
Binary files a/secrets/morph/sourcehut/oauth-client-secret and /dev/null differ
diff --git a/secrets/morph/sourcehut/pgp-privkey b/secrets/morph/sourcehut/pgp-privkey
deleted file mode 100644
index 23c8e12..0000000
Binary files a/secrets/morph/sourcehut/pgp-privkey and /dev/null differ
diff --git a/secrets/morph/sourcehut/pgp-pubkey b/secrets/morph/sourcehut/pgp-pubkey
deleted file mode 100644
index 1ed0af0..0000000
Binary files a/secrets/morph/sourcehut/pgp-pubkey and /dev/null differ
diff --git a/secrets/morph/sourcehut/service-key b/secrets/morph/sourcehut/service-key
deleted file mode 100644
index f9871fe..0000000
Binary files a/secrets/morph/sourcehut/service-key and /dev/null differ
diff --git a/secrets/morph/sourcehut/webhooks-private-key b/secrets/morph/sourcehut/webhooks-private-key
deleted file mode 100644
index 8d878c1..0000000
Binary files a/secrets/morph/sourcehut/webhooks-private-key and /dev/null differ
diff --git a/secrets/morph/wireguard/default.nix b/secrets/morph/wireguard/default.nix
deleted file mode 100644
index 40b2695..0000000
Binary files a/secrets/morph/wireguard/default.nix and /dev/null differ
diff --git a/secrets/morph/wireguard/fort-airlab.priv b/secrets/morph/wireguard/fort-airlab.priv
deleted file mode 100644
index 02d3503..0000000
Binary files a/secrets/morph/wireguard/fort-airlab.priv and /dev/null differ
diff --git a/secrets/morph/wireguard/fort-airlab.psk b/secrets/morph/wireguard/fort-airlab.psk
deleted file mode 100644
index 0bbca5c..0000000
Binary files a/secrets/morph/wireguard/fort-airlab.psk and /dev/null differ
diff --git a/secrets/morph/wireguard/fort-c8h4.priv b/secrets/morph/wireguard/fort-c8h4.priv
deleted file mode 100644
index d7884a5..0000000
Binary files a/secrets/morph/wireguard/fort-c8h4.priv and /dev/null differ
diff --git a/secrets/morph/wireguard/fort-maui.psk b/secrets/morph/wireguard/fort-maui.psk
deleted file mode 100644
index c0ea188..0000000
Binary files a/secrets/morph/wireguard/fort-maui.psk and /dev/null differ
diff --git a/secrets/morph/wireguard/fort-quix.psk b/secrets/morph/wireguard/fort-quix.psk
deleted file mode 100644
index 7173425..0000000
Binary files a/secrets/morph/wireguard/fort-quix.psk and /dev/null differ
diff --git a/secrets/morph/wireguard/fort-trek.psk b/secrets/morph/wireguard/fort-trek.psk
deleted file mode 100644
index 20ae4bc..0000000
Binary files a/secrets/morph/wireguard/fort-trek.psk and /dev/null differ
diff --git a/secrets/morph/wireguard/fort-wort.psk b/secrets/morph/wireguard/fort-wort.psk
deleted file mode 100644
index bbb355f..0000000
Binary files a/secrets/morph/wireguard/fort-wort.psk and /dev/null differ
diff --git a/secrets/my.nix b/secrets/my.nix
index 09cebf6..d4cdae6 100644
Binary files a/secrets/my.nix and b/secrets/my.nix differ
diff --git a/secrets/sops/acme.yaml b/secrets/sops/acme.yaml
new file mode 100644
index 0000000..b4da9a0
--- /dev/null
+++ b/secrets/sops/acme.yaml
@@ -0,0 +1,49 @@ +acme: + token: ENC[AES256_GCM,data:AjN5ii6lsk8wWnpZn9EalVv7ixS3NuTKitXoKbaVo20GnnQkpm9xoj/VqZ+MOxEK,iv:qBNo6Dt7Amr4HG3xzzy7MW10OxywoNMJb9kg0TVsUv4=,tag:MhphDVk5vbZVjes+SiM2gQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcEJkTDZEV0o3NXV5cVFm + OHd6a1NXNkNGcnZsQXlUTTZwUTZwOWtpL1dBCm5hd0RvVURsc3Z2M2VQa0lUY3lK + S3lGU3NRMFp1QVE3OUJpR1J6TkQ2YUEKLS0tIGRlMm5FeGVuaXVIT2JCS1BqQkxO + S2tMaGF6cEFyZ0l0T0NBMmp3WTg2eEUKgCLtBCkzTdwvKLPDshIpdetTDuQQ8Zpl + kyA+/XaMns9ktzSMzkpRgGfjV1Ku9EhDFZCKppJZftiffNItyCOQew== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdTQvSDcxRXZJMXFSTVUx + akRxRFREME0rTHhoSFcwYkl3SFdiMXZjSW5VCkVWWklRckwrNExWSjJYNXRPWm9G + RjFoQ0F2QTNDQXpOckN5bVRMWjFCcVEKLS0tIG1EelhsRlVvWDJqaTNFamNaOEQy + T0pPdVE1SEU2TVd6Wi9IbzRBUXA4WXMKe5jdQPe13zhceh2xO9h9ergfaXzpuuSo + iIw8luW2olJ9lxnYpws46zTQczVFx2TG3wcExS+vKsDrf4o7R/133w== + -----END AGE ENCRYPTED FILE----- + - recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQ1pVYTl3bkR6eGZDZGJm + ODJFQnAvS1Zyd2JWMEVHVGtBaDh0cTRnLzBrCmpJY2FhNFBSNElGZGxWZ1FFY0FX + SjJ3TmQ0dFNUMThWa3pOTmR3Z2FiVWcKLS0tIGZNckcxRUdObWNVRDF6cFFHSnhv + WWNLMjhjNjVPbXV3V2k4NUJBUFRiazAKXPjQFiFKXkiDSgFE0UiUW/ULZQSW4uyZ + X7qK4l7mWrvqStsK8Zv/wIUd9jkJpOh73X/jsBRDQUZF0V18lnDn3Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcDNWa0tZenFDZ1pVMGxO + Qm9IV0ZnL1BGVFlDOTl4SzBtN0RaUHJ5S3lNCkN6OU1jSU9Wd2czNWRXOHUzYVNt + 
NXJ3S3pCbWZEN05zcWhXbjZpVnprWmsKLS0tIHdWdnE5ZlRoRjhNakZUdElSTkZp + dFVvTjJqV0JFbUNWQ3NOOTZhMTlJcjQKIi6lDhbpM/ndyB7RsAN3q5PkdHL7RnF0 + u+bGTffWfiplvO+rASMaGoahez+VsEDb5MM00SoGzTMcYkrR2kruYw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-30T21:41:49Z" + mac: ENC[AES256_GCM,data:ffmmRSAXvvsCK8WhmhclUz7eIVFM1Aw8eidvmSDofe+6H8PJvqJB4CQUphqQTDgfFKK9LHQzvU1vRZWtg6CqXy/SqLLUUcN3PfxZ7l895YDDi/9p7HJPUloxw/G8ovIJAAeHgJh2nQHHAbKcVAAILmB6UssCmTLeU9MzWcMTJmY=,iv:+jtQIqL+Mf88Akjkj09xvpk9cZ4GFl6w/Vx8gR3Gk8Y=,tag:qBc0i/vrLSc7EbErTLCz7Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops/alertmanager.yaml b/secrets/sops/alertmanager.yaml new file mode 100644 index 0000000..d257916 --- /dev/null +++ b/secrets/sops/alertmanager.yaml 
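Review bot: `acme.token` in secrets/sops/acme.yaml is encrypted to four age recipients, two of which appear only singly in the other files of this commit (presumably the two server host keys), so either host on its own can decrypt the same ACME credential. secrets/sops/restic.yaml does the same for `rest-env` and `backup-bot-env`, whereas `restic.repo-password` is kept per machine in fort.yaml and tank.yaml. If the provider behind the token supports it, issuing one token per host and moving each into that host's own file would limit a single host compromise to that host's credential. If the sharing is intentional, a short comment next to the matching creation rule, e.g. `# shared by both servers: rotate if either host key is exposed`, would record the trade-off.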
@@ -0,0 +1,40 @@ +alertmanager: + env: ENC[AES256_GCM,data:Fr/L5I8t83pHPHdP3eXGnvFfl7C/N2Iw64Zpamr3Z3gLevsoD8pSSbWDqb1CuhATrYY5mR3M6vpyNh+UJPHqGbgMHiW6LZWClPvesJEU3xs4clo+YM+pYwG5oSpHiuN/raXQUpaQuOmeHK3OKLELJpSkY90FIiBvd9si43xCP4FYAdhCprxWJQtINSRGCrGmzvlNScCkXyhH/QOQsDOIWFAXn2+yGH85zOiBQEzmluclI2oWpZOUbHgk4MdMBu1tHRA7g/UF6AoXrTOyqgzo/w==,iv:yvHlQAOSCMtBBXHmqfEJu4//gTZp+9du9EWodheITqQ=,tag:T1vLhmTmCINGBvh1bBA5ig==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QTZNUW00U0xpM3dmR0RS + QXY2TGQ5MUFORHNwVWxsNjB0UjBZQmZkUlZZCnZIQzBFYXBESjNMYys0TXRMNUUz + VUVHZXFyNFhTdG1ZaWduRkp6ekVqbE0KLS0tIGVKTlBHYTVEWXFkWlR3MFdMajNj + bEs5V0F4Z2JpYTFTallaeGJGcGg5K2sKl7hxy3Tr6rkoe1MJm7VMBur9NeOwPHXo + hxGURTZdf9M7wjueXw5oYRm0fuvj1Iu40JfJ3XqhnqATohTnsHwbmA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlTzJHWmMxNVlLR0d5UnB1 + ZUdjN1lWQk1kOTN5TjczMVdjZDgwNVlUZjFnCnlwNTQ5YjYrOU5HRXlmbWdWeVox + MGZJa2RNTDBVQkFJTmFsUXhnZDBhYmcKLS0tIE9Ld2VmMkxFK2dabVQycDAzOXVJ + S3lsczU5eWtMSEJDdVMrOHFOd3N6UFEKskBDsioCfKT4qjQ1jOHYniE9I5YxzTRF + Hb/KoReUEW6DHsiOZKRcJt9KdE0iTguWiFjjQqIlDWgTfeDsyf8ySg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWlpmOUVkWU5WL0drMXZm + NEEwVkxDOHl1L0wyQkljSUcvRnRac1NCbXlnCnp1bzR3RllEYnprMkU5WmFBRlpK + QnhHZThheXVnSjk0Nlg4VU9zREpxQU0KLS0tIEcxVTZ5NjFzVE14YUJRQThzeU5w + cjdQVWM0bDEwb09XR2ZiTzRiN21wQkkKxDEhpgyYLs2HOnmNdumNpFVTuLuXnHey + c32B0ENhJgL7XNV3V/lHa7leQqA42e/R5u6v68OEelvTPqtxNPFktQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-06T22:12:26Z" + mac: 
ENC[AES256_GCM,data:ntbiXYuquh5vQxiv3A9wspLdXY+Wp3yCSkDtdIj4SMKlh84uyQ+oAfWo2Y0TqW9GVemzzWJs3JeEs7oMZXXP8PGRGiHShfBQ+DbIF3lsKVG6rZbaKkEnSPnDqdm2PdbuzNvr3f3sOOYVutmFxO3HHFNgu4NdFw6EQqubmS7qZxs=,iv:a42Tm/pVZ8ffJHRC6iMMkZEmKn/6Vkr8sp8sQQgyx24=,tag:jVHHgsBb9OHBee9nhoLRtw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops/fort.yaml b/secrets/sops/fort.yaml new file mode 100644 index 0000000..69fb708 --- /dev/null +++ b/secrets/sops/fort.yaml 
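Review bot: `alertmanager.env` stores a whole environment file as one encrypted value, so rotating one credential rewrites the entire ciphertext and a later diff cannot show which variable changed. The `env` entries in matrix-hookshot.yaml, navidrome.yaml and vaultwarden.yaml, and `rest-env`/`backup-bot-env` in restic.yaml, follow the same pattern. If the consuming module can assemble the environment file at activation time (not visible in this diff), one child key per credential under `alertmanager:` instead of a single `env:` would make rotations auditable from the key names alone.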
@@ -0,0 +1,40 @@ +restic: + repo-password: ENC[AES256_GCM,data:Gdz45xcUbtoKsDBi+2U4ogi32zFMvq2CNuvSotOYIFg6wYFOQjt9MDdY4w2Mo7L0Cbhem8YgBE3qpJS9yaWozjfFzWT8ya3SqMDksgju6KwSoiS5WvWdsAXsgSu/jIqvLhWTfbt7SXmDQ8Dd4d/qPNKmtphnA1Jc0ttp3+ieE8U=,iv:7MHy52gC0xXoUBAj7ZB/yoOUS8EmPW1SPjTTtkcnWvQ=,tag:LZH/IElQ0ovP/ettxhP5Gw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzc0orOGppOFpKZ3hJbnRS + UFJ2ZzBjNnNZVXp4SENGd0F5elJONkNrbmhJCnk3dDN5Ritjc2NiZis2SGNkbGVC + aHJPT3R2ZytDQ2JlOUtJcUlEVjkvN0kKLS0tIFNuanJYc2JLVlBmNU9rT3l1TWhN + RVRVYnRVS1lCeWRsdy9nYUtoUmk0RFEK+tSoWfpyeYW4exEz1/t2mgd/kcIrxZYH + kygnj220NqLJcEHwnrUMjCvvPSlmDkTGCKZv0uBTmwg4zJpnORTRfg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwM1JNSkY4YkdtZUkzNTFG + L2FUQXk0RGNiVlBocGN1Qzl1bHB1allVWmdVCnMvdUpsekFTa09yWkNVVWlRazZI + YU0vV0FUVWpReVhBVUdvOFJ6OWgrUGMKLS0tIGIzTFJHV3lwaE9EVXFqdzZaR2VL + U2s1emNXZC8vSmpjaTJoNU92MEtsYWsKWAfGDwHnT7ly5kr4N1ZzK4l1UvYExcbT + YgDn0GH0nMHARjYnIB0ZeqleZCC9Q1S00t4ly5SeLeCcrawgy/6OAg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZDJocG9PaDlCcjNHaVJT + MmF6RFNZUFVYeG5RRm8zQVdQZWsyRHVyZVQwCk9ydEJEdEtYSWhHNTI3MDhDWjJK + dTFEa0E1Mjd2QUYzK01WMDBnVWpnSFEKLS0tICtuTG9ZYmp3Mk91eXN1VEgvQVFZ + Z3pDUlZwcDNDdXN0MURnUEdLY3VZTkEKa/D6UQfoBJqEb/xQHT4f14kkahjAKBXP + O9CtZPQ0TzfIFKPA2doXTD+dhxYAzgipsYfe7zwDn/kYEoz1uJ9hIA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-03T12:52:36Z" + mac: 
ENC[AES256_GCM,data:woldat8qOV5j48rCLMp6cc1d9BIcQgsh+QCN5SkBSsI+gu5MSVhwix3zQhCDrqNURwyc0e6cEMQAJQcTjIOU/ZAYZhEp+CwuDN3X8cwP0Rs8i2cH1dfWMi/r1obpodihm2nLUExX+6saY2afJw6sQLlt4DkqdUwq0f/9h4pBzbQ=,iv:dbsHPc5ZNyxXDuqVf6sBiPvEqOn/k0DvyFHiZYzcHR0=,tag:s/7b3GU/nZnhhSQjSaJLGg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops/grafana.yaml b/secrets/sops/grafana.yaml new file mode 100644 index 0000000..74152e9 --- /dev/null +++ b/secrets/sops/grafana.yaml 
@@ -0,0 +1,40 @@ +grafana: + secret-key: ENC[AES256_GCM,data:Hvc/Svt+22kjVQ5WeHj0ubFQBSivZBk75QWZa4jdYDK5vcH/CZsmZXLbaEIhY6aB+z8Mp0g3e9/WI1k9AIpIE5bZ89sPCpfxnfSdX8lF8uqRCOWRQ0Z6AUk/FXjzmZhWEotcHKqHE3dY3HZ0/VCLEsXNhNub9YCdm7FgLjEI+/I=,iv:E0yPJpPWSr6C7dVU2ZgY2gxna0Zt1BzX1CsHB86KULg=,tag:HZvimLJqijpk0cr6+zWNAg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YUxTanZxTTNYQ3FQZUZ3 + bFB3S01xWGZrQVVlQncwelNNbjV6ZWtOWmdjClJiSWR2TXVTYkNzMzJPdDUxanpG + MlZYY25ZTE54M1JYUTU1eHBYSEZkNzgKLS0tIEpUbjhHblBYS1cwWEpoTVo5SFN2 + UTRLamVqZmhOd3hVZFlnLzZpOTdVYVEKaOkEAvGyBdsskjYwROeFzZb9y9csJTYg + I0foVxkx6z9pgsBCXLpK1Ij5W1w9JSWo7KZhEQP+aX3980TryWdsnQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpYXpUaW5iSDRaNVdXV3hM + N1JaWmlvMmpQQ1diLzE2NXc2TTdiU0ZDalR3ClFMWnM1dVJHTmVReE1uc3dXeHVs + VndhN1FEcVZQKzExM1pqQjY0a1ZaanMKLS0tIDUrZUZmTktkU1NqUmVKOTA4bU9B + SDdBNlF0R1UrVlk2SElmU3RFbjBLanMKyzxYnV/MzZDV8b9pNwQ7p2F08pLkYB0Q + NXykeRTWpjTVnU/ZPI17aVaRT5S2FZqJ6BQhs/H7DPcsq/rncRmeuw== + -----END AGE ENCRYPTED FILE----- + - recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWNkRyMDNYdmZTM1JqT2FD + RkNFc0N5WnhreFRQSDA2VTQyMmpFMEZhSFQ4CmUvLzE4dlBoVTZRWE1NajFpcll4 + YUZRaXNmMHp5RUdNMkJPbFIvV1N4TVkKLS0tIFZjVUt2V0RkVlNzRGIvRTU3VXVR + dU5pN3VINExuamttNVQ3OUhMN1dleFEKA4/43ktlCmreJqBqbiFc/uzUppZoaUSm + 1Ywifo2FCsH+7kF1DxFlv36o3kNVkbkAse+Upiep+gqayJFZRgN32A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-03T13:18:57Z" + mac: 
ENC[AES256_GCM,data:4MR71js5gK84Ta/UQhElkBZOuIKl8dQkbUqgE8+Ygi+W74vYnHEcNt1yk9usQJmn5qKa+nptWjTV2nHt6yn0HPCdFPAKGuL4d80VZozFbY181oGVYbuK45ZmTLAiP3ZVfztWp4IYHnoTBBh6EjOxrbKnCXN6Shratt8/Gq7PxBc=,iv:OmmyA5x0zEeKJpfi3IxAorPpw2jatT1JECU/kSOcEUI=,tag:xYQG+5DLtnbq3MWNNgpkuw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops/home-assistant.yaml b/secrets/sops/home-assistant.yaml new file mode 100644 index 0000000..196daf4 --- /dev/null +++ b/secrets/sops/home-assistant.yaml 
@@ -0,0 +1,43 @@ +home-assistant: + automation-sshkey: ENC[AES256_GCM,data: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,iv:h2MUNcqxZaV4t1q3TzMt8NHUgp85YllsRRtiQt9n3gA=,tag:T/aPmhG8kHvc4It4KkVF/w==,type:str] +mosquitto: + home-assistant-password: ENC[AES256_GCM,data:En92egO+/kPWb9V8M0cwsFvwcl2mKunNM+g7qsUx9MzXLbQyiAqHaZDGNv/3vZ96tBQfWXt/xPx3LECQ0OYuAUS5nf47wpmiQ3vtJRpJ6dqZ4E3FjLmGg6iPx7M8xlzNtoO6uOT+pkWVOm7qmWTxkg==,iv:38y0Y0Znt4zAF8AuYBn3aHvE74ezB0fZKLbN7zBk8mk=,tag:33L7DWP5Ec1U9nFAVehYbg==,type:str] + tasmota-password: ENC[AES256_GCM,data:oUUgz09Pn+ts+RsKO+axdNlvtZ6r5pDErsZq8GCtyXzuoeQQRFiOqgbv/mC4S1mKQfUOM3ZEjv+VdkqueUDAT/LpbmStiTsXtttU7JrLx+oU++ZbwLK4Nsl5GkvsUnz33c1rpqGtoB3AALXqg8qSqw==,iv:tHPM9u5ckDiFIk1HxeNxvfl/GqTJRYxoQaVc4svIGFk=,tag:Ez8dBL3RL1ygLPHb45VfUA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycEc3YnpvK3ZhanJmUk9y + SitEUklMT1ZKRHh4aE5JWFh3bTl5TE5tWGlvCi9EWS95ZjF4RzM4eWNHU1NiUUlx + dFRzVkFuNjh2Q3NpOFQvR3pQSzBXSU0KLS0tIEw0RDlxZ2JlWGZ1UzlGODBmS3NJ + bWh5SU1iM1JGeXVMT1QrTDhvcHpLeDgKzJbbv7e4b/Em/be7469UIPw0pmm0KskS + LTsXUitjzoaa6lQRZCjf2/mP4JOl3BGNxeqWiMfym/hjow2Oam42HA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bktyQ05OOUVLM25RVTlW + UnRJS29PaytTaTRHZUluMzNraHdleFlSMFhjClVId0VIcXVJZVYyWi9ONjIybC9k + eG1uMGw4SzQvZUhEQ0pQRnh3LytHWFUKLS0tIEtxYmw2TGpuM1UzMHB3QnYzV3da + Zlc3b1Rxa0ZaYnNMWTdRQlZ4WWZjUkkKp2D67jhQgVbCRYLEQzoz8jA8n69CspOr + 8jjvPNJE1eXLJQG179E70ZDccF/yG5mHYSoOshLwtGM4xrURxf0jBw== + -----END AGE ENCRYPTED FILE----- + - recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwN3A5Uy9rYkxiRlhsdkFL + RXBta0Rja3NGSEkzVTBCcTlINmdlejlmN2pZCnBuS1RZb3dRQTlLOHVpc2RNOG1T + ZHpGd0Uvd1lZZU5lUEMvVHVFb0JvNTgKLS0tIDlhNjAvSHNyZ1dWc2U5VlpqTmNW + ZVBwcHZWK3BRY2VlSVB2YVVBaFZxNFkKkn2H/I6sKCpcgmoiqG+0qtrA2PTyEuRW + N4Oxr+fcVq4+leme6d38yB/Eryjbd+trrnMxLR8AEi3rIiDx+gJWcg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-08T15:50:28Z" + mac: ENC[AES256_GCM,data:8fpPTyxewb0awHMeUh/qjFxzWRyhDRwULWJK4RphVfqFKIzPSiCwKE6qhgYFi69J+BLXFnIteChP2KxBASzZGrtOD0jDGHsO/c4UTtl3BWAwWVRGZ8ZFBbhYCICGDULyHygtT4vcgS/Umft6wv0eOWTCS6W4HSJsC2TfhgnVkzU=,iv:PKVTbjvmkZ/nY0Duy7mW8BSgHNExml0sKcL2JPoRnEI=,tag:kkTSB12eGIVPwJrYgUDvVw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops/matrix-hookshot.yaml b/secrets/sops/matrix-hookshot.yaml new file mode 100644 index 0000000..d51b9dc --- /dev/null +++ b/secrets/sops/matrix-hookshot.yaml 
@@ -0,0 +1,41 @@ +matrix-hookshot: + env: ENC[AES256_GCM,data:vqm+Flo+y7XROiB51SordqeXh9wpWrTZ/80MBOCOGmdGbTVMvH0K06n0sr4AscXn9Gw+6L91B35kl1rIJiDUKriP9mA3lYUS2j4tKsWGESngeKeP0pngzPf3V27a+U4v93ReDfq/kUfdBNMLiNiWSXtKapVdz1IB4WNxTTsnYtfRi/dGndch28I0G2o2VLf2ghKungvW33U=,iv:9bBl7kyz7U3GtIeqUk22SDkxe9MhEc6XM5dCSUvUwjE=,tag:aHx5W79v/YzHmIBOQeHWNg==,type:str] + passfile: ENC[AES256_GCM,data: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,iv:hWTkuVCPiSO6aclZM1cU2PotQBjaO8Uq3O0XNnGDm6o=,tag:k0oCxolcwNA+GtJfaBZVBw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0US9hL0RMK0hSZmxHMCtn + V01TcnJTOTZJODYycm84ODZIM1ZIQU9EWVZJCkh1aFFNN0ZKclJid1AyK1QxR21a + ZmZRRGxzZk9UVitCeU1wN29yeTZHSUEKLS0tIGNkL1dFN2oyaHBKcmJvWjBkbGZ6 + Z0FyUjBPZGNjdWx6STBQa2lnUGtzNlUKYRiugiqHyqS4/5Leji9044a6FXy0R7ZM + n+uscxe/OnFcoasx4TFAOUCwa1s6fvtq/SOJTxL2New+8BgLV9nxCA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5RUttWTlJN0pwMWFSNWVX + TnZiSHFmUnh3WXZNUGRlOHhzelFneTQrY1MwClJyalhaci9hU0J4V05YMnB3VGY2 + WFdqK3VIQzh1aVZWQ1djRVJGMC9mRWsKLS0tIEpYVFREMVEwTzFFOFBPNit6ck0w + cGh6eGtPZGpCN1ZMZ3F4KzZmNFluQm8KYfyCDrTJy5T8fNpLg4cyPJlE0AOV0OUu + l0ACXuq7WzQnM9svHjijYkKWeYvdAPF8CBRA57s00aCd2r9kOi1Szg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZ1l2MnVETUN0WGwyMkN1 + SWhreFhMSnIyUnJReWhxQkYvSlNqVFdSd0NrCmp5U1Q3ckZVM05pbm8wcHBqY0xZ + Y3ZxaE5uZXhHWHRmNWlKdG5tcmM0S00KLS0tIEVCN0x0SkV5VS9ZWWt1VE5iNXBN + VHh4K1JhOGROOG1oM3ZnR3VoTkoxNmMKHAJQuIImN5NLRpzgL82ZH+wF02XJQmXH + 
dPUp0aYr0vSd/PGxAyDpsMPt64NXPDqKQ9n1zrPV8Jd3+FsIDhwnXQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-30T21:40:56Z" + mac: ENC[AES256_GCM,data:6weRfuKB5HJo06VSfFEDh8/YPwZejJlcK5BnGCYFOr2V7JmnpcjnWiEps1axkzzdiUq3gkdwu51PO1/jiJs/mCLFNrUq/KjqpYupoCYosF3p9ZDZc8LPteO1vj77tqMO6dcrNd51wYK896v2E2xT8ePRUDtQ7bO13fAdaN8f9pg=,iv:vlNvvlckY+i9+VlyTv2ZqO4tAujr9qsC7paWA7BGT4A=,tag:VIuvWvnnPmi4df/QliTn+Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops/navidrome.yaml b/secrets/sops/navidrome.yaml new file mode 100644 index 0000000..9bdf44b --- /dev/null +++ b/secrets/sops/navidrome.yaml 
@@ -0,0 +1,40 @@ +navidrome: + env: ENC[AES256_GCM,data:+4uLJIdX/JPTjset854P1+lrbgLi0WydExsFwLs3B13DICDcgRie/PF8z0BxXXLh0aSWfq9pAMpvXEpJBTmRu6iK8eqsUbZO21bOy0x9zSYBQweN2FMsBvV4GmJwS8ko/fhKGJ+EevGZDJE6muSX0094vGR/l0X51cUYa5fusxcbk+HIepOXOkF1ucUFNGDEgO3ruwOZiCmU9Kr4ihAlUe6/qQmfJLiAVjFtpZNLslkq6epe8A+qOtqHji2qZwL71plaV3lvdp1TEGLgvoHjkr/yP1tVpEp+lIE=,iv:z69DLHfWAinJEJ8sUusmqGxEaUeZx3iSngYcA0j+Snk=,tag:bDR5tT1Q0iwfYRKO8+DI6A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYU5XR2U1THZWMWZ1Lys2 + N25mUkxDSnlQd1Q3clFhdGtPaW9iTW9yWGdBCmN4S1VVS3llL1ZlSDFqUGNXWlBo + bkxCaGxCZGQ3VWV2eU1LcTFNSTA1S28KLS0tIDdZSEhFbTZ5cnpwaGdJRFd4Y2c3 + eUlmaHRlMGJCZk8wR0lyenl0NENBU2sKah3v9tYW5ZK0AaM5qP0tH50MjsgaEV4G + D9b0Kn7mTT3QiO8RxlS/S0KgGQDZsraK+pY5x+568NLBIAF2aUZ6GA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3d1FOK3FSckFITVZwaUpj + ZWVjdkF1TUhsQ0U1MjNiTEFqdFVLUzQxU2xjCnZHZzUzU3dEalJxUlVFelNuK0tM + UWZhMHEwZ21oc3Z6T1BZcVlpNTRTZEUKLS0tIGdDajRlVGptcFcyY0lWVXpKMXJk + SUNOWHNlNDNqZ3RwYTJaWWYzTnBRY0UKVpvec0GUgSXRfPzZBRySsRxoVe3DEHEN + 99bUlaTtHYWzWpU0hXkvjCe5Z7eQwqwor9/CJaeZIdt8PJ9nAAeRmQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBub2dTc1RReUFTYU9NMFJn + bVgvUVBta21BMVNQRnN1SU8xbXMwZEcvV2kwCnYzL2xWcUc5TmZGN3k4NTVramZV + bU1hU0pjNm1ndFBQbm5LcTE1N2NDR1EKLS0tIGdRb3o5dVEvNXB4dXdiVllIRU5G + cWlRUkVkSFpRY2NyOTI3YlpnTEVSc3MKkUZKvhBErMZOhukmNarYCTqIoBgYP8i+ + bGaVfqOR6zCiWncN5j327BvM3Z+0wPWDbT6PUOwsRddzigRwB6E0Tg== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2024-05-03T13:22:57Z" + mac: ENC[AES256_GCM,data:L2lWeSVK7wsvrLirgEvEl7A3a2+N95N4GzjTl0joE0AWQ/4V/QgPLmo+teg/oucgpitWTIhCPkfa6P2+2vVMwIdk1mhKTorhT1D2n8TjkBN4rpJ8SaxgUG4/awS89YGoQcy2HCWssV+16GOoo7veJg8TLfMGIRGKuRYjG+Y/d/o=,iv:icoLwQgjLSGtZ0M7eyXMqwQl1YBpFuW+KUwEImI8qYI=,tag:ecfpXcAqA9/JH0ECNsIJLQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops/restic.yaml b/secrets/sops/restic.yaml new file mode 100644 index 0000000..cdc68a9 --- /dev/null +++ b/secrets/sops/restic.yaml 
@@ -0,0 +1,50 @@ +restic: + rest-env: ENC[AES256_GCM,data:HPVJE/y4Jxh4ibfJwdqXqWXpyDIu0FJTf+PzFcANmu9q8m/KFhThu8IWkBYysZb67a+utYT0F/m22q0sm/xJ/4RKE1qHrDcepHf9Cv8d1WYwmh84mzgwaWmyj7iRZuUHdS3anQbIxXaWnLhugs1FrPypw31/LDbety6O2TdTfxN8gdpSTIfa7TWCXu+AQtHiViyZVLeRIpKsYYvdGfUmbL1KnpEzIN0CgyFqies9DJ0lzdE=,iv:HdzmjH1B5zVS2l1EHJBnVTBotjWZldzV7ErVuDuyQKo=,tag:++0dfGGVTugAPm4NpoykeQ==,type:str] + backup-bot-env: ENC[AES256_GCM,data:OG1VqtFVISGeZgZ9mKSBMLJgQpILriXDlWCuMVoiiX3/YObidOD781VZF5haWbAuVP68dIr0Fux8UExcJWyZsrw=,iv:74+UBOYeUHqw5WHBSLel9op+Jj3PzXiU5v5v15aNpMU=,tag:Ui30VnSTiLOi8siB9csCsw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6UXlPSEk0RmNMNmlpVUxo + YXNZSVlDRDFpY1MxNi9MRThSVm9YbXEzK0JJCjdINXhhV00vS3ZBaWQxQ3NMdE4w + N1JtbVpHRW1SbGE4UkhtUWVsanZ3TUEKLS0tIHJySXVCbXYxME41NFVET0pxMENs + STNWcitXM0NQL3ZFdENDVGxzMEY2NFkKQp/XDzlkZP+pCEpcBfO9rMKZV/1qIv8T + mpSV3924dwZ8XmyGhRUM7egMMJ8/2ifBhxNVoeccG1O7x3K/1R5bJg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WmVINVpudk5ON2UyUkFD + bG1ianZoYVAydWJ5ZWdwUHNMZENneUpldmxNCk1qNVcvK2doeklkQzdFaTFDNDQy + WU9TRERGT0g2RG55MnlLM04vaU81K0EKLS0tIERGQ205bHVzVCtoVVJUcnAwNU4z + OGtvV3ZyVG1ManU5a2MyVXp2cTR4M0EKvyQ2AIju+tF+R4PRWyB6fnX0CJhQ+6Ug + hP5d42y2XMhUaSGs1/K7Ad9XnMKt1com3fY5mCfpLYQyoklS+bGeKA== + -----END AGE ENCRYPTED FILE----- + - recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTVVSTHN2OWViVlRlQlNy + cXZQVmZmbzI3anJWYXIrcGUrVFdkRURHRlZ3CmtJOHZNQWMxVEw0ZzhFb3BiTXVF + bXUyZ3BhV0x0MWNzcVZ0Z3M5MFA5d28KLS0tIDdCQmxSbjIyQ0JUU1JFNnQ4b0Rj + 
S25zUDAvbFhoa1F3UEFUOWRSQzJ3VEUKn9Fy2TxYKGliELukaUURj8HsEY6ty49f + N1H4wqCKJSLJ5hM6YhtMosYrhaCjAoIHnp24iRihRL9ZoVwd0Azh3A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5bU1MSWRKMDFsU2tPNHdh + ZFdOUndTYUN3bkMwVHBXSlo2anp4ZHJEWDJnClhVbTBjdWR1b3RZTnRaTEZITzZL + V1BCMWIyS3lkL1N2dm1RUlVwN2ZOd0EKLS0tIHRuUzZidlBXb3R6RXlOV1pDUG9n + eVJpeDEvenVMYW5FUzdyNmg0NUVmT2sKTVGZsXZw6ZsWkfS9b22JerQD3QyPX872 + tn+RuOH3/OjuXtEgAf6l0blEbAVZtWoaJeHIx2D9w5zB6EYWSkuUoQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-30T22:18:59Z" + mac: ENC[AES256_GCM,data:0HBs76F4J4RALM1LHraqQFk11T/O+QcV3eJoDt4M/k1LnQSMmuQMwwGXqk9YW3uRwQ4fFR/3jCIFNge9qWmQPRId6dv1sFUHbUFFQXJpaOAa8BPDkTFHl3jZlqEnQTMNT73oP/SKOYTKB0h076zqY+bU7c/ymuLIYpfyGFV37xY=,iv:zk+67VYRFRauSK3AT8WQmc5F6Sf316Ba7Ev3iNm2ma0=,tag:9EESzZJBWW8yuZ2svcMuSQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops/sourcehut.yaml b/secrets/sops/sourcehut.yaml new file mode 100644 index 0000000..c41482e --- /dev/null +++ b/secrets/sops/sourcehut.yaml 
@@ -0,0 +1,45 @@ +sourcehut: + network-key: ENC[AES256_GCM,data:pOldp+kOVzZIVzZlt+7ki7dk8XoJENIr2KR6PmrLY91nOIouVwa6UGmTjQU=,iv:LKJOP4/1w3FQA0O3n4gTXE+WoB0TBg9Ny2Ck3h+qtqk=,tag:DujbySk6edtEMb5RMloftw==,type:str] + service-key: ENC[AES256_GCM,data:0uTVZ8Gpvtfxtqptkw+vjX6qEeTC5gWW0eogfE+cRjmc7iedAWMcpkZ7xD4=,iv:9xmaBYiW5/3183VRVJiQWPcWtOrfWIo8nZovZuVwaMU=,tag:KeL1vx1YKStZN2OlIM5J6Q==,type:str] + oauth-client-secret: ENC[AES256_GCM,data:h2gcfUnkDjWu6gmDP5W5bXDN4wNqFv5aNQKAmrXIsqgdSOJpDbzOpO+9wQs=,iv:MJyxYdHS+OJLPlylsGT1rkTzS/2XPH+jB4SEAKSNi0M=,tag:gm/jjNW02nF1qTSso7uCqA==,type:str] + webhooks-privkey: ENC[AES256_GCM,data:/6hBT+yvNlrS8yIta6TJMpn9IwlPEZ/0cDmNKtQWEFjdIYM8q+LjxslvTRo=,iv:Fj8xnHwF15rJv5uPXHQVvJGb9GVmL4WxxZU4sivRBMo=,tag:rv84e7SVM2F9DR1wvoScOA==,type:str] + pgp-pubkey: ENC[AES256_GCM,data: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,iv:TEBv1NrLZsR7RPKD8VSCqVdAgYcvphU0KxQRvmrEH1k=,tag:x0LkFq+e2mOIAaTQZiAHfw==,type:str] + pgp-privkey: ENC[AES256_GCM,data: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,iv:D5LebN86MH9RVW0zMrh5oxMDRQS93yDVShFe1NtOmKs=,tag:X/LS13/qp2ztc8Y1FuUHFg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneGMxamROZ2NHN0NEV3Ri + NEN2MzlIdjZBTktwaVQxRDhYL2VSeUpCdXl3CnlwMWY4MWc5SGJPQ1BsQU9WSWph + UlJxMEZVOTFIaGVnK0k1OTAyczNmM28KLS0tIFlGamFOWnhyMi9Nb29Rby9pNkhG + QXNnR1V5a01KWmcwYzRTaVFpK2NtczQKUO+IM85x9VeTik2kcVSB3AJTvuFz8Swt + WFIea2a/rpUgw+QZ1RELUUNEfSMG/hk4owm/MnhzH5goa0ysr8Q3jw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2TXRGdkZZa21JSFR3K1Zt + azBUN3FnaVJYU0lLS0s5bUhYOXRHVG9ySlhFClh4dVl1cjlnVmlPREZvMEhuc01C + 
Nkh1TzZTR3cwaUc0NkxYcVI4THZqYUUKLS0tIFA4a242MG14dEtNU21WYnRwTGI4 + VzZuSG1rVjVZMm5pdUFJb2FRTUE5azAKwtgEqaEPru1hvwuHB8V/9QyncgtfIv0C + WSFUzEzaZK0RcoVFZ6Ju89ETl5UNTobBb0GcIGsP+Qqd7b86AxAPMg== + -----END AGE ENCRYPTED FILE----- + - recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2a0JNTkdvNXpnL3MzWExo + azJ5MVhBenp2bThLWEFjUTBVT285REhiVkZRClZBTExUSkgwRkVpNnB4ZXI4NXVD + cHlQUG5BWVIrMldscnNEekdYYWtOTEkKLS0tIFk5MlZaeHdZWEVVQ1kxQkx3S3Mz + NUtTcSszZVBmNENUTG93RTNKQ0hTM0EK0S/7zGnCfTBCVAlE3YRWQCQNIjAX79UF + U1k4n/Kdg8tVN79FFmBCzUe6guO/fN+c4nXxPDs/9LoUZD4+AMziyw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-30T21:42:09Z" + mac: ENC[AES256_GCM,data:hgIj9PJoq+43GOrSOJ69lNLFHxNSQem43F4xI3mLH+gPNcGIs240CV74ivgbK4Lxeb4t/wyFOUf2JOxMBDyXJQE1tpC9EhUmkolIDBcWOwlOFrBWQvFsRSt9d8AKPCuop9FCy+o1QF+U/8v4sBj9OwacAQ5mkwY5wogkbLbldIE=,iv:CMd9XCL524XNlnAii5OvdIYa09hIWm0zY1ZtXyFfR6o=,tag:jV56YXSqqTPhE/7J74qi9g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops/tank.yaml b/secrets/sops/tank.yaml new file mode 100644 index 0000000..ed50704 --- /dev/null +++ b/secrets/sops/tank.yaml 
@@ -0,0 +1,47 @@ +home-assistant: + prometheus-token: ENC[AES256_GCM,data:RcAjtXbaFwf3uJFO1/M15UXxK+Dae3kjwznYL9MBRDXbi9QLGPfmFKrV0su8G0GDpoAMZ8Eg/jdU5KuiGD7DL8bNzicpE4+CI/GWdDShLmw+Yj3H3bfUY+2E9ZOG0ZUUoeo5I+i1SH2LbKpAxVwt0z6LawArUVtK8LFSgYpHE3ACHCNcDOToJYbYHBcJjBIl+TWbFvRTzUPaKhreOn37bvmKhIRKI8GqC7jCa8qRhyMZYI/cv8W0,iv:rXpIaPkQVj7I69bdZ9d75VMhriGIm42Fwmmn1uUAgs8=,tag:ACoFQ4O7fUYffisvz9FvQQ==,type:str] +restic: + repo-password: ENC[AES256_GCM,data:Lpm3ewlYz5ZNHEqkT1Z8IuKo8t/AVgGeFpTwPahdCIY437lAhKuuXso6F9Yi9M9g4xv6zirX2UJ2hdqtnUH3oaSZZJGJo4xpTqx3EYQumQM3aF7zcCH31eQbynwWV3BuYlsRqRDI7NzP/EkuHqfTTm0xU8znBSLIkcMF6rTdavQ=,iv:zcGD0yroyyet80Z/9YQmB4i+72/OsY0AnN6qgP4ZihU=,tag:h2DduuJc+QQXXYwse7/Ryw==,type:str] +nextcloud: + #ENC[AES256_GCM,data:0vQ6wCqKtkDt8AiFObVEe0MQLxoWOYcrYn8sp2rDn50DyehAXQ==,iv://ePZvGMpgVTByRjTKXpc5SNPSQGAbFnmECPqZ7hxps=,tag:DASalULgBJtcFy8Zn99Pjw==,type:comment] + 842fd10d-4277-4f73-b37a-f2082987d0b3: + secretfile: ENC[AES256_GCM,data:8iYXj6xZBJS2tAvJ9l7pQWdVsvwDtkHG8PopbeMlbfborJQEEXRTxgwMRaDSa9KvUzF+/IgnEnTLTxFjS+SuPm9E8boH4igIDK8eEJxbV178IleI4RqYFyulbtMquCFPQzIsNuR5219JSFwfFThcdL4H6WJbgG8YWECu6BqkNZMohEQfFXAV9zR+fb3K2ZdeVP09wYKu0a0VBcO8Xyvu/wmto71eFZ//x0L/c3sOnUEzmPnlVE9FRY4E7zFhVt+w6MoOOTRF1jwypavgs7pd/odW6GSF/9b+xRvmkt2OCHxTomXUa2i9d6Svchg/O7hLOAB3LgIarg==,iv:Hb27e9oBjJLZmlZ5xKiiZ9VwB6B2S3mXVx4egcvgCGM=,tag:uoa/nj5sAEcEZ5oXCuZIaA==,type:str] + adminpass: ENC[AES256_GCM,data:SntQz/z73eiQxt5yskKZNJNkYifj4yqJ8+IDG+uOc9JseFhFdb++r55GTOWIKwXS8T/jYMM+l6KyZtOUM+hZjzHGKujvkuZ8CNOVLLedJUwhI6ysVSH2l3wZSVxNdVtx3b3iyVMwcOpvWZSz6tRJaUSrapFzASBvF7euiODZP8A=,iv:prW1yBa6mBTjIiZCSfVAu6/8Ea7542f30ibDnsX37nE=,tag:fLKjfeUoKwAmR+nK1u54Qg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldU9tSlk4Rm9qYk5xMkU5 + 
aFllMVlXMFVOZlA4WnV2eU1xWVBIalJTczBNCnNMMjl6d3B2WnhtMGdBV0J0WWk3 + eVdvNXhTT1pFWUFKWDAzd0xHVzNwbnMKLS0tIHNEQ29DN25nODRmYmhBVWJ2aXRW + Sk43ajhwZll3L3NCWmZUbktxUFNUZXcKXNdUkkuor/0pCWzsWDpb7329D03qJOca + W3nLFEApBkKFd/UE2duprkZMIfrTFiUowS0L3XUuaMoLXVZU2ftOqg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyS1d4Vk5oZWN4WGdxSmM1 + ZWFuSnFKZzBXWWxpdXZRSG44dmdLMnhpMUFrCmFzcFJqTEU3QUJ4Q20vTTRkR1ha + cFRlamhQYzFML21mU1ZDYkFvVVlJMlkKLS0tIEl0TGp6YndCbjRWakNDTlA5R3F6 + aDRHM2hDelNHUjFCMk9xZlA1RGE4RXcKRMxp94CWD85NTFZZe6d/rlummb1SHHWu + QaTuGfYv+sB/lzUmChujUc8UBjN9Rg9XHVgXhpIJE1dR/NSzK42Gbw== + -----END AGE ENCRYPTED FILE----- + - recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzS2VqOVdKNkcyRndML2Qv + QVgyMWp0V281TUVJRU5BM05XRGFYMkJpeWpVCkVWZEptSUk3dVZHOVhZcWFXQ3B3 + M0ZCQXNuNFdpY2lLaFZET3ZnSHhsZEUKLS0tICtiM0krNEg1MjhqcXkvYUtxTnJo + UklDUGdkWWxxVHhQTGdNL2hNRm94Sk0KdtYGJQdTzDO/CBB/4B1vEjgnCDuiTrJ3 + tshBxNWTCRUarMKYiCkxMAIXr/ws42rV5zSZeZLpuUZ1ny6fUG1z2A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-07T10:10:00Z" + mac: ENC[AES256_GCM,data:+KTX7YUOpOzaQiON5m+eeS24MrPV+USvIyUbbXUlj1HT8ryfqP4pSof58po4S7rKD8xGVduYVGT5yFKZBXMe/pQXey0Y2vuxnG9zNX4Lc0wisvh2lxsQxLYzdcnnjR/YjGCRJDxX8+eQuGonR4EEe0aaf7x4zHL1xOY5aXLyE34=,iv:bp1W9AUeLHC0yro0ayCht9PV/rH6XhyXz/kZGRmOGxE=,tag:xHMw+g2L//PDjEW1cfPwZg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops/vaultwarden.yaml b/secrets/sops/vaultwarden.yaml new file mode 100644 index 0000000..416201c --- /dev/null +++ b/secrets/sops/vaultwarden.yaml 
@@ -0,0 +1,40 @@ +vaultwarden: + env: ENC[AES256_GCM,data:0Ayxqf30Gto5ek5l4ECbTrgwg7XVfA9L+viFX2FfHJsEfmAg4PY7aO/43JvQEfYOMz0Hnpus1bEDgUUSiuiRFB830GkQ9f/70GcMP8V4GjZyM0JDpOt7Mr585cWow0Z7zC4oGCXamFeFL0tsMZbtpWp0rftP/RBiK8zlLYT/ggJkC+6R6wtN7nqXpvwO+0ttyhsiB9oDLWnLawnxa2R6+zcd+r/Agk8eVG+yDrY=,iv:mH9MC80np5TVzN+u3IddBei05lye2oqH4CKFeBI2/hY=,tag:p5kBU3AQWsz7tlsznp6ZMg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETVJvWEtjUnNzMlZUMkYr + QTk5bVhPYjBFWU5mRzJLR2RQUlFIK0ZaQnlNCnI3NnVIS2xRQUFkUVR0K0xWVExP + WjB5S0Z6WlliOW9ORjk1ZnMxT1pvNzQKLS0tIHVxVFZSTDJlc2dSUUx2Z1V3QXI1 + N2FLTU1udTU5RU9ZNzhaNXAzcHcvMUUKyqiyDv/k7rQ+MLDlWdYAsHValDTK3jS8 + 1V870Xhu3HYc1yMYrPw1PvNdQ5BHT+a18h4MRwhG/f2SyJUsvdo7bQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aE9qK2R3bVozTDRGNUtw + KzBETkplaVB2aTJ6a052YUpGVWxTV2xaTm5BClhySjUrd1pqME5jS0ZMYW1FcVdw + U1NwSHZHZ2VpQUlxT1VMU3lJdXFCM1UKLS0tIHVhcTBsbjVzVElSam16Y3RsWDdX + S0FrN3dTdjFETzEweVdJTEJvNzlHYTQKUmggWKUhl1dXR2+gRyCpKG0sNf++zmnf + 2GGdj2UTNs2reAUaz/Q/Ytb37mZ1gNYNUCLiuGVAwmiAOYVKsoxD+w== + -----END AGE ENCRYPTED FILE----- + - recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSlFHdmY3VVlTWXA4VmpT + aDlvYm1LajdrWjZvZGFXMDAxTGRnRXRCRkFjCkd2TDNpQVBhTWdCWXdmaEtHbExX + TWJLL0R6R0l4ODVMRUVIemJmKzc5eUkKLS0tIHlaZE0wTExuaDdoQktDNzlhS25z + b0VQbTV4QXJwbGxuSUY3UTltOE54cmsKPvF1SVinNyg55qWPJdKHrBjymVnG5Ovj + /UaIg2/ZZTuycf2Vbpl22ICLWNjEQUJ/0p9Yqe/orXLUFd/27vsB6g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-03T13:14:32Z" + mac: 
ENC[AES256_GCM,data:xRCSk5E/sl0A2//xh1Qi91whUrAeN/ZMHuxAVdSeT0YxKQWQ9RKMaQQzZAm/fiiQzeEhm45LLg24X5iPNeu3nQbEwO0CZlAuWLgDCYsIaw2mNtZKQSNl7W5hEwXamqlDqQVSjyctuQ70AZEacIixrnn+o2XABW8EZeExhvzDTGg=,iv:1p97jbZB0zHn6invGdjuy0q34P1ToMx+ZHyITfMGKJk=,tag:BD5ZjIRFJ0zYKg8YewLRWQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops/wireguard.yaml b/secrets/sops/wireguard.yaml new file mode 100644 index 0000000..4b5a0fe --- /dev/null +++ b/secrets/sops/wireguard.yaml 
@@ -0,0 +1,53 @@ +wireguard: + #ENC[AES256_GCM,data:OLWr/KieDmV+/dSiUBp2xs6gLSIo8g==,iv:Qzzsu4iYSd0AhNO+VWpiV4FZekQb/aaGK5QQbLguh5E=,tag:HqhA5VW1jiIizKrpQcNr8Q==,type:comment] + 5b2b3c29-2dcc-48cd-957c-c7e9d3d02d1d: ENC[AES256_GCM,data:OoexGaislazlqlabTSXKrj9eZOqd2V+IQw6jGOsbI7A99zWmZYLFmHH0Bng=,iv:1Uqcd16bnrt7tcAPZSntGXAUyQfZlWzNIDtBOeckVL0=,tag:ZOP8EqC1Vz6pV3OiybkypQ==,type:str] + #ENC[AES256_GCM,data:o6ONW1W1c7gPnUZIb/+GcUYd8sH0VVS6,iv:JGFmr71CzrusnGF6qBI2ZPq9MjuhpM+KFU7e62A291o=,tag:kf4GKCI2fPmMd2ULsNCGYg==,type:comment] + 7f249c50-7b40-4657-972c-e0a5adc1e1fc: ENC[AES256_GCM,data:kTIXnvmHkzhm2vgiEH8Bcac1VqZzLDp8FJArd9vrIaSLg+BZkaz7U21buYs=,iv:5r7Aba02tBjWe6pevo9TRi5zYc6BNQ4DQdAp2IpcvZc=,tag:uxhlSFeQ7jG1Bnc8j2ZTTg==,type:str] + #ENC[AES256_GCM,data:0EIWbVmp3xI3VMN8mnKzQbc6VUNCIgy4,iv:dungCF6Ovt3rxt8xf5T1e8j+FZGi7VISc70938dcLSI=,tag:7P/SFaLIbWNKMpYHhZiCGQ==,type:comment] + da994091-27db-4547-a05c-c2bf4e6e87e9: ENC[AES256_GCM,data:k1Cqp9KE3PHOXe9H2Uy4AkcxzLQCkrQNSc+aLj45LI1ftJg/+4sdLKXk+/Y=,iv:hZO16KCfc/YmyOoLzE+n5qEeX/Qtgsg7ZHvbfd8JnhI=,tag:BLKJfQmHy8U6jzOIpNClxA==,type:str] + #ENC[AES256_GCM,data:UuYULtcN+UHUIEVdLKYVis2B0O4ZaZ3c,iv:9sLo6QKMwDX3UWyBGEeRrhIN9Jm/aSvlPptxAO2hoyc=,tag:ZqwO3FG3zta/WSYwkIwqUA==,type:comment] + b2b7693d-35ac-4c49-bc35-4b99b075d891: ENC[AES256_GCM,data:mo9axAdQ7hVepzT2bDDfc+L0Ju0R5hOUFJeoEi03ARTyNJux69tCgLUf6bI=,iv:KxMnQ1IttECX85HUvIQHmF4cEANnpzHVuCRpVC7dDkE=,tag:ZzjAKJAXR9porTVtVoTgLQ==,type:str] + #ENC[AES256_GCM,data:/n/QFVcAVIonCSPWjFyBD6YZn+Rbr6dL,iv:i+dLc6SBshnght0ULDsRNYy2VP5CiKiMVN91q7TpcPM=,tag:EOwRpwUq56oj3LGX9QnD9w==,type:comment] + fe1f7024-198e-43f0-8bd8-461a5565f424: ENC[AES256_GCM,data:2F2qo9NxfLtgnhimmF4niOcykgM3ZDYiy3kyjIzCXlD4+moHrLd7ae01wDg=,iv:Q6z779xQtcleJqWR5B831w1lFKIYuuGNK65HBaHFm9Q=,tag:wnL47S2S7o1xB1OWTjstyQ==,type:str] + #ENC[AES256_GCM,data:6OUepIquZtsTJWl8L7+JXDIqNb/RimG3,iv:2sdUGTPG3ERfvzxldZI5J6vSSPmLk9eI7CwsrTTOyrU=,tag:r389p8njBW70LhkZSAr7Fw==,type:comment] + 7a57b7be-18d0-45e1-8432-a711d803358f: 
ENC[AES256_GCM,data:hR1VBdrHxVEWjfvtoZlFQTOSSW3E3oH1+hN40S1OhAOSScQOsn0pbQD4A60=,iv:26Woek+VoATD3ak9MP22fZr6kcfS8eWDlczulizGrkc=,tag:7Jkwwim/mXV7B9BX3DZp4A==,type:str] + #ENC[AES256_GCM,data:ziJN0QffpjSBfGeAwvLM9hNrIwEB3v3sJf8=,iv:s2B14RLbiM8GxALb4GWiZvJFmnfRoJI6jAwv0BBRQ6s=,tag:qIBgaSDebDY0jp4Lje/xgA==,type:comment] + a2ffe63a-d381-49ef-8cf2-deb469245582: ENC[AES256_GCM,data:3zospTsIAvR6+k6pTyPNabtaEvEISai9ZvaJk5l9S2owX4QmooQzQlm8CVk=,iv:iq96xIVybMD09dhE2n9ppI7wAwEqdOkSFOIu1gNdcfI=,tag:HHGbFSCCUKo2AINmY+CNOw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMlV2TFpxZVFkRjJ0R01S + NGJMbWt0Y1lGUFoyRFUwS3UyMnY3Z3B5S0NJCkh1cHU3WU9Qc1VEblNqUFJqNEtS + RVdBZ0YxM3Vnbi9IUDhyVHRCd3JWZXMKLS0tIE53aVBMNXRMcC9kMDQ4RHdKWEYv + MnNEOXNjYVk2Z2JueXZ5Z1pDY0M5WE0KflcFLEX+7N4ptKNshQvrk5ogvM3hA0gc + AadoiuqKaWbWnEv5jIa1UAYep4lwzguNXqBhMuGI5ywVRBrMSridHQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhV1N0enZJUUUyQzFVRnpy + ZEtsKzRralgzR2JnRmxIV0ZhSFRpRGZtclFRCjJ6Y3JVZ0p5Rm95MVFXR1pUMjd3 + eUxPWFVWcFFFd3RlRVdRcm9lVGRCS3cKLS0tIFBPa1lmR0xnZlNWYWc4eTIwR1gy + SnNScEdQR1FJTk4wSVhYMjVFeThXTUEKAeUIAIQFNVvDGRpG5DbuXOOIyowAdBuB + gT78lwqP5nIhVyqIrO6qsz6WTYqbpueu85cDXwocMn1bP16/NsB9XA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvcUVPc3lzYkRSZ2duZHJs + VmxDSHNURTlKMUtnWGRUcFgyVDUzaENKVW1JCjlJSjRMcjJMbnh2VlBEOVl0MzNh + S3VwOGhSKzI0K3pER0hTTVE5MGdjclEKLS0tIEVDenArRGZHdnc3R3NnTmlrZjlu + Y2F4OTROcjdzdlJTdnRZYXFxYlV2aVUK8sRR07aL3Ig3t39zqXxm+5igWG9xLXlo + 
DXf8yCXNhpI22NWmGMmG79b9mw7rmkfc9rRsgZnj/BZsCHmRkvFUlQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-30T22:14:44Z" + mac: ENC[AES256_GCM,data:eI1XcAhJVOvsaNFZN1SfsL/kTLDPHUbTR7Vdi6ipLT7vXfCmmbdj6LWy6lxEtsNlW4lGEX7i1vI7uh5/C0u2ijiWJjIkw/Ds5nbKGJXw7Bqll3fURrlG+2l1hOAXKghbXFh5BeZhVsGx7IGLVhUm64mZ1Z9AvWShW6wGpIWj6+c=,iv:MwuBIVpU+Zs4iRrP6/3haoEMX6FiFiPDK+NtiCJOoto=,tag:69iks/MDaKT93xfb7cBB9A==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sops/zero.yaml b/secrets/sops/zero.yaml new file mode 100644 index 0000000..54ff086 --- /dev/null +++ b/secrets/sops/zero.yaml 
@@ -0,0 +1,40 @@ +openvpn: + f0ba6a23-4d01-4309-bb8a-7c0549f2b999: ENC[AES256_GCM,data:eR/AF0hQlpTjcaJWBUn/6QYg6meXPDQdnn3e9z88j6wdzC2lViGeaigx3MHhsoQRK7FQl0NABWwGqEG8Ebj42Aqjk6gzKmkIZNbOMOnf6rtbsE8eI9zRiDNvyDljx0eq0WNbklA1th4fNJPlVWhPe7wca+aLtNgborhM2yg1fOTxHgBbpcK4FCAU79+B92lBJVSUDk0nGI9RjcfPLXvdj5d9khWXZ4INYDffOeulm4h9rZFQrUQoVDymsAxFVxW0lkjEstcVectJoacx2roPNGiB8uWsAUd9aAS5gGe/V5KPJXuDoCsifwz/QODfHfHrjsPRUIAyIDU53f72MGyNNH+NfZ4jUgzwdj4GMJ6jBVPdJgG4ugUtIPb5/F+2GnAO5uqS0D3cnE2NQA+oJYTFr5+V6BwvyAW75VEgg/XZ6X9CggQ41R0lIT9ljT/tCKStClXMx4lOGJz7hmkECbkrD2yKSxCwPHK+HZ6JPE1jF8PWhkoaF0S9IkZCfmEzVlziD88bA4kakyJV783fFqITPUqygQUtJvzTeK88RKFw6oj13F62foMACHQze83at5qFDuARMzJTP+F/esA8I9vGz3FBLj+LCg+zGGnQmMHkwRI9imBjpWI2ANx1gULRXd8Pf+WByn0C6/IgE9/ZGqWYpKmJgaJa5+50MYeI1Afs1HwkXbJ8Rm1lZHaIWiT9szBo57JF0OxWIEO9/28XkRFdE5rsAGPMAK6LAIe7+D+k9G++fbbj1IpFF0pb2DB9yb+qJEyYTGq3USXDsOQBk/cGSnRpxfjrvD7DgFG/D8L1fW9zoasMBWeZlxLHV/c0VlHzFOabpeEvORUrdUwCQP93VpvMa/p5g+Pqrzm4aXsgEE5HIjPzHpiOBuNV2sPlV8iUHaa01kN1uex/M3BAstz1JkQZnPgXzqs+X7Wt2BCT3vYi+sGVTEne3/S4GoSWZu+IfyVAoxM84z7qA6ZSF1p81ZKk/oPErx9ALvcHnUJPMBmmAkXnXPBcvV0PlY/A2Q9DSP7dCNvdnMrd21Fj4cTTcOEqlvWEPL5baC8YtBcFUkt+5qzU7W4ICUMMZLa+o2KjMK1wo/qsT6xikJlACZBnuFcYRDifWnAVhq8hhbFZOj6vXx7q6mBTroB1BD/DxofvDhD/f5Sd/6ysP0kfrZJOMT45WxboAbWU+tc96guZJozZctdn+66MfTFFbSiXCYtOfC5myiu2BCKSt0m2VkwGyPUOvV9qdGL4rOAqn9tnbX/raNjGv5gWXNtKOjmQTiDNlvy3b6egTnce0FaA3rvrxpnS/e9pSwvhweYuK9mCG4AgF90mqRGDLREh44MegtdEGZKJhFF0YoitfbeMteX6IhDpRCW4S15hP1FusKaMeuniyM/rBNx54Nt+Q2Ar5pz0cbRutI+RjeWwZQvJ/y4vNKy52hy1HJ+Zr9VPJTrTPjMDPNEcpnxat/LUJr2E4s3Uc3iQS3SX00n8AbOWO6lZOOW7oh6yat9GqAO1GPlT8521J9AH56CYrqA4ASt01bfFxyW5qAYzkYFZDO9TE09mE9cSfKB+YiYDcx413Vq0YJQHapuQ4zKmYVG5SzkNb4upU4jaOy4wNxbB14JBcEiMR7CLFd1o6+83pQoBmHVZfK/omI4fDZUGHfZyXRrebUtprQxVRwdORKKhm0s+VHVI/42c5af9hXTw7JHZFwiq7KHzBMIX6VLQVrMz1tNP5tjZ7xQRZ4dvLQcNTHSYh2tKB2jcf4+kkOOMHsJeOKVlRwNhcyGtNEii1BZIaYKLhw3TPPq9yU5prxWfc1nSO4qB1AwMP9cqtamxxluGwp8NvWShHEV/LfatPcysAhhu2IAWhorjtPdw2BvVejHLDZ8aV87H3H1dcksPy74zZY0HjUZTsAoVk7x25yc21
TXRZMsfkDuHvo8iYZHKRSrCGStNLRDjMFs3yIHz18LhKrArGhfp7KaODVw7hOqNif/jKf0aF7zQYq91NCXN5gcMQAvJTCxkYHe19r5orbDBZug2SPURxrMPeNpu42NUSh7VPg4wcdqAn0nBhSGnIZgi0y+1c/2uPcZZHJNilDrbIRG85mFsdnE6SoDMPfPpCK+BuH+ndOU3jqLP/Cw/qb6GHeGxSAQJxd7kSRHVt9RTTssOs3IJtvVXXMoyweDwmJWIovasQ6OwG2EAspu3ztQt53IOQG793Mpmrm97/7MDvYl47ktlz7HbMCujsr0dUvcsV88tiLx0nVXEkNLa/r6w5Z03FOXoV4UyMJAnRk2Jtv+ROD8m/sZ3TR+nTCreW6v7sgrDMXNfCAt18DmkoC44ksy2uCPJXUm/V40t0xcMvaJfmDCJAR8yJ/iokL2YnqwuSfmQKnwHvtUKHemZ1yVXsNv6QzATRD4/QCXNWG56uHmMFwsYSMJTc4d/izsM4lhrkQVxFgsBSQ/vi0PB9/tWzTNOl3qtqVcEqjDYlJHFkao8J+e+PZFG6kE8B4vnfy5u0bFDzGhfrvE3lDCWs0SW4vVIuLwVMW+JBwFzZVTDHSVIWv4QskX1+68NQckMTjLLqYIEpb5IyxI38swsvLJuqg/+Kttigj4e1XQ6u+rPM6WR9+k5V9J+bc6AmlA7oyZFKpe7XvSc6G4qCs0Ob2U7xdebe7ye4Vvl9ejiSnauzvk5VeGMsyWKUka7ubZOaYf80Vvi9sgvb2XNzUsO0WwE4lu/qemez89cIADZWWepA8ltQSq1dZFuQ6lvbmP4MO9rT1Y5VFQjwWhem8KXApi+ChAlOQIET4BnXyOeWTR84gG13fdQeug8HTq3L8hLeZB+lgwD6Gsv+a4lLKGA1Lv4AnskUN49J9qTx2Txid1Z7yg9YRtSXpFRvY/E+rl+dzdlu5iVGBIH8YSDDoe/8bdZB7IJOEzzfqw5khz+Ozh9oNisIuWTWWdShqbvKUOUINHFC0zjfs0GuKXw0vnJ6JCkwvcM/+W/Ebu2ezrBFlezp9yUE8/36eQuFup23GY7Ijh3Vbc21LdsmNYko2Klh+mXotfcM8ELawcJyyI6w/xp8cDuztJXxQe8elMjk02zyRdecYu3+MWFhZQ2XmJ2k1JGI/IOUDKDxev3Q43t9JUMBAP5UIx4/jlnMLJufYsLjmDj6YE9/bDqvzqNwfGALymLWw7CJ/QlwTYTc0snBmmEUfagWO7x4TBXiFlWriLjPgJiQ/yItI9s/dxWjD7NvV0Y3YoCsr8fZwlqvrRKRRq92QdjM4/PBRs7r2WHgmYokkbSfz1yknvKEAUdQIn27w4zJu/dlEOZPA3TGeaOe8uW/TcLU2mMDzKvLo0xRO/Cg0IbkYJ23cColZcjKshPxCifI98lfptqR6VceoqzO/j5BVlq34Fh5S2OKYo5hLfhcLCJieQk/rNOktQIwRcwYML82ZP9FNPXIWJY7yACS3uQFUMPmm3G+/ESJL1EpHbfr59FcsmuogoMMb1Uo9OcrmzfTs0RRzZ89edTgVgVej4C1WLTev/ptEoPMNEmu3JDuDHbXCgPXKhtHQR6I8iCHxUULMFOJD+jEABbi/cwBJj1Dof0s5skjFJEyLjumEiiRBQp6JWCCMbpFbeLv/nl89ysj7ZYfRRXHY/7jztv1gkCo4hNHxZuNZn72zFqx3n0vTUTK0lnOtZhkIZdI5bOEb1TraCx1ORvJv0uiOluns5nVLnU9k+KXDEpPu3s1bKeTCzIwxI9yHFYZz/5v9e8foHZA/3dKPrPQ58uf4gdK+mGbT5lYfSYGnuYS5+NgwV4KUVE0u8I4grZlMwUImms4AyA+t32bcbjwiJLnGyAzgNuAchRa2ax7cv21pBfUzLinbQPsGwAGQWODiV2o/vdffdnc2tJ6k9GHkisVMQ00F0WvLWJiEi76PmoUyDY90QtVKlod2I/35kXroRMx
rmn3jToZ1o4RvExOgxzt6wWCDjkEMRj5r5oWdPUKT2q0pwOFP9DRtQRzIB5aBSJnpjJ+FUOx0ueINQFKD/oDDpvtGACiyJGFTF8YhbVGS0B0KEstC9z2Ycp01/wHJRvLZrnQ30mJXxtA6AkZgjq8GHbLKLOpbcRevo0T0Pce1srILbITNKkzQAqymGrZwU50+kzeA7meLJw9rSN2ytagakTZlQtsBSg+9TRp6j/91XkHlxMbWt4U6Zt4E0gbWHfb+AD8uzV8v08NMp3p94E68EtSilpXyY/SEWJIgrfE0ExBlT0ZBuUkF0VpSnZn5pvuX99h/LUU7wbwJcupSczVkIzRNVNrBrUKSKs6TOwXnPtoB8lA+lHdu7H+rNL9V2Bz9P4k/BK1J8iAgbcVDZ5qo71jsuGslE8SYFOvi/ilrFHO73RreLMeuVMiCUAAIUlxocTXvt9BZsC5sMF1xSEwUqXM+oEmog4j0+buMWBdciIlFSLJn8J7yjGboMXo44g9mEmxEqdbMmYy2FN0t8EXQPpAiyBqqdBhp8xb6IiB+FW7gmpvGfEhsLOJlM/UHDhE7qgktsVSmUmHPrkb2grO3gb9QMSdKYk2ZToB4g//1yS6+rEZGftCI/o6KFMySwnHppUVvzvim77gLuTZEVkznv2WCbJYTZvQdAENWs9MSpLuViBYIK+lvKSkaXce8IEk2i6gxlB8pLA3dxGwJ+KGDk09XKU+L+DlnyPPJyAJiRXJ00I7zhawJPRXRkFS4f39CsiGEwTasgyK8HgaAWC0jbLpi0JfP4/ZrFy9qR69P9aUG1Hku3lMpNVeXLKl/ipYP0OS7dQ9n9Q3+6dx27QkD5gVqk8bE7Xae82JmdF8IcPsc6WgL43nwkJF53KMJoI+XIXnqwt12sGZ1VUEb1SLhHoJwgYKD9GsXdcSI/AJpMvueRsctkvFAXs2XG1aYvNuHRcANmS0ggTfz5loOvDf/CPPGuKtPqxvtwJ9s6HOO6u+4aZ23IgZS5bj5jFA5/4u+qPmP1GdjqfjadSiHa2IoTFBPFuBli3u1+NO5CqI98TmQvS22qiCFsFAWE8jnC3YsZisjPcr0pj5kj++Fg6IZMPwoqshOj7Txdf1Jxu3erChRjtw+mu+v0/55GPqhXPq7++vrwYPrvsbN1Apu4F7m8iE1Xk4iRRVpEU1SWPXtmiRWqjvNkDXOp3sVBPjKFdTEp3WTh43x/APBowEOnmG5NrvW+404yH98JFzedxox/nvcy5bVccp7sg3qvjsXQlTZ3QSMfIt57bBzNSS/P0IkS8q3vqS301rNEjVMcAjFy8sHx62FmaIpdenp320tkdsrTAMNppJXaekyJxmS9omrk/c7SDjFPDp086W6+618N+6BjtKL5RwQvlrc3CpSswYkEuu9BizTngU1Ksqe2oAQ67bnm5X/uoBCuPHOMsKTuD0yIVmODwHRF/V4m1kQbTm9LhgPO8A3n+kctGyFPHl0EoAvGrSdI3qR1bO2Ei9E/8gkCdSTL+RtfopULs2wa+rnKO/0uX0ci6ZoHHH1f3VYwCx2qAase5RCGJluZg+9DbLjtDadNFIEIxTYJEbzuPAj0701tuJNKO3y1Pj3peFhxzNShDlnLKS3tR2djDgWDSQI8bV5ks9VzWzoVq/kU7waKVnrM2P55/0NiWozJA2RBUny/swHcg0ILKH4V3lV3xtGwvkuXPIB4+icQSrFRA0HGZ3JgGqcxHjbxuoid80VqKTqZV//6EsvNEolO1NjhDR+V7Sm+CHyFjqyIYYOfBcMIH0T6+aSNTLkhoB9DtF1CGzAAzvGlE0igeRIyKhvXlri+yiZdJJSDmKlcC8K3kzi5h0pv1b1luvpLDB3XbRLDZjXYKf/9sn17bqQB/eSX3r+3lOQoU2SDOCIhMvrhl2uzDJMnuJqR1hyWKlc8t+Nvp50dhbL45+rXRLu1rgbyFoYZaSMHg2pMu3Md0s9q29WaEwmOj43gBKGXD/
/CgHgVUduNCsx5zo/YeaIiSNLL2uy/pV9JV/yqrmQZT/TIMLBAzzm6HJbGYnnOhl/DPbOn2HoLqNVmhHDdHdVdVF5R+v63jNGrI25KbfQjWzjP3YwbafkdM5Vl0jg0jK9jO/uPw7BtINyiqJnX7A634L7GRWUkHJ+WIAQGyDSJ9eCbT0ToQA++NZdVH5W3y+USbROEELnb7T2Q5iY566apBj8F3qr5mnRWhqkexrIPs9auyfNMfOQFkw+AaVTnP8kVkR4m1hoDd1//JwbZiB4Qa/kjXXSb/JRrAGuhgLdacrLZ1dqby5c800UH5KM3MqFQ/v7O4Ln6ZLWPzeZjuZ9KMSB1q8+hX+cgCCeXHw3KdfvDbp5JL5cElnAORJQLroZ/tbCMTOZE0+o3u9MTerhBGBXrodO8ejTOxrvSU8vWvXBI/LxnY4SY0mZqSv2hrWPckNoQncXyH0aeqdQUYNEaEccrGl2e3fhUFmvUEpaplS+tPD5KXDOYlMlyMqcAo6Drvp0Dfu6qJu6Z6ldZ2Kk7SnI1DV+01rRBPDqChp7Tk1Fyli88tc50nwU1JvGLcUNYgCLBzrjrwRXgA8/u+cmi8uJmBS8oiSqyyTfQGWPLJvk7pxjUQuGQ41hMoy0H6k1aRyBhaeaItUuEC3as4f2a2nULUrxeaEMZtyLJVnkbUbDDSXED2FWGhqZ/Pqugo9IhHFSJzRqmiRz83KvuFPgoRqNW38aHsSmv8ajIQQQaIH+26qOutPFDVq+Vn7hvVIJFCIyTmRFSZHat5ugSRRTDRjQKIVjobdjFIYVK6UVuYvb5jfN2qcpaM1u3KTq4x1sw2eHbzfKn03p7V8GZPj5jzJPBId1tR0P6znoR3EcSCm2qnu6lvzitnP85K6ly+cjPj9cC9l+S0Np1KgmdDIJoU1dOhXQAeCwMCJzXSinWi3emWw1cDJX0Y2ohvdISjOJaPEbcO3/rqxdiqD0Z9hpXJmdqU8uNjJK6QaqN360rg/F8xA6Q6GQfiObkMRIfGLexVy8Vvxbe1QHNOP+rLSK6ceZ5DnNQkuDuvBZPwN4eVJcZOmtIEr2gZtFxzz2zGNPzCaaRqifoCs7gkYBaZPsz5CKZczZTj55FCtCBj4E/ZgMc7IEIFKyCmFPlPMBzWhQcq+ZlTZPWLtedHEBQGv0qxCJVxBdFdzVHPNVPzVhSMtGKs4ac4xHQR5t5X7owXiChrT9inTSc/IfVdvV2HQahiu69HG4lHbvRLp/mcTW3NpavP4GdT+zM4uLVCkTVt73pspETW6gZUmBty08bPQfcdBq7C1KW1zhlmg0aecLmoFIDyggnE1HaMibHwvLPluzrJyb4B6luJ/0vhLhT/aJV2eSJURW3iKq7jAVaGUdXMLu5w92tABITObMDaezkjPN4T2I7ZPCao8tQx9f/eXVdcXQII5g8mW6PlOZeGaKchpIEqhqDkf0umWjEjJ1fB/3Y5j9kN2ZWlsT8MfdrkZOvchxSkZGTCODEeyGdaef6tfHxEBi9nJqs/60mLG6p05FsElPYp8nV1tai9VixhAiHjShNteOhDfNOhCJtuv1rhyU47sJdjb895C+R5ridy2UeDJ6lx247RSFwpExJInD3alAOJ74hsFhXuL0dnEbyOSFXgfr5z8zQxJKcf4ewauf3tOPrfUxOZFt3QimD8Doz2ujF92KnwCXmwIw2Xoy20KL3btkywI8QkBxU3H5fO3zbApNvQPmxI+8uwmcKdhU352ltBIT1OPLtySAjE5dd26XxC+R5+6m/5O53k9/vZSANvR16FMkeJBlcXFU3ae6ccuPKlDozAfvWcZj2MsSbcFGQGcPUEePx1r6mj0UCoY4eq1M7qp/J9JuZ1+XKedF1kI2WRssuEZCnn7UNiPD+kD61xKW4uY53ImS6lkg+OUePIEzdqp+uz49hiYfFMyN0ZBozRsb//CK1wjAodRDK1HoKiatNA8Y8OswkFgqlUvYvpSTAxosXAD9eHD
UEutsKwjTpu7gzGjTT0mgQZUQNQBWYGeeS+3VGyXdJ1ZJ15arnlX6u+EwyKaap7xJKaEpIEV4Og4aKwXhqt7GKPCZyV9l3dkkUkOiy2zU7qzaC5gKDD214anduSd59PuR50h+rSga4i4kuFtpLWP3V+IAxgdN3bU1a7nQGRnQfRUcvS8mcuvIKSfFbNyXYXVl/wbMcSumJHAAwuYGp8WPdFblLBlS3v8FRPGwCMezeR8RDiK4Aqzr+FcjH0yCnxx9WoKClLNPe7MDi7qdBINcjwTaYY3i+k7O81w1b9Oc1GcBZIawB4YF3NWy0ZTeFYANUbvKKgRybrl8o6yr2Z3Rfzejc8TQlYp795tgNShLmGsd1IhII7i9NbYnsKmtP101crnDjOkxHA8iplKbnqGXSoDzKUjOeD05dN3mTAQKkcvlJqfnE8TbSh+tUGLqBnNl9FLQF0J8Chec8Szsxwc2tLtTuZu+LlvV7qIH2T0T6ktmsaPSiFM6QZBwsdWRK+ZsMjurAHcAFBQlFsD6yF/fxdwvchCYj9lWens7jcRhyrAcArAO19qVrmCESV4oAJk25F3wgmUFlzg367ddkK9xP1HW4qbLhk3dyajtd+/ewlofycXXlrEhD7JGfVNkizxfxgzLrXaVvRsNssowjmFGLYgctp5SFriGMmZBQMmw/lcNsNIZWnI3crLc4dhpC8yEw7pMJRtUWqbAiD/LlwVWv8cEB7ait4sZ9SUS0+l0HogB76XJm9w+7rGIcWAbUe4rgGEw+mDI0Pluk9pn6XEmL+Yuvnq5zgnCz+FvTJxSWHRSPXz1Z9WFbL1p6VR09r3N7YWkZCyvtH3quDwmSmnBbtROPZ24wYT3WHHC3VsmQMtHFRtsNEruBcAkMH/4/S6BN/BL0JBAAsFnflcnj0AVV1vXQreEp7jBYom5QUME4pua8JJ3+i839Mx/iDvA7U6JNXRQMRtbsNOSQDPp8RakmtfPS8/EKX9ClAg3URNJ9nfSvWm8foCivP0siw7nZ+mdYlswkoDMr1cxqThs/kthzMXwrCC+MiV5HVmhM2rQIKG+yFsrsHrT3g2wmRUcsXpw1oCy2S/LkMUDy+9OcK6h2C64/A6uaPz9f85ZD9a0KAiQewcwMD79fJH57Bs1kpumzv5dCo2lZHdKzWT6sCzvkCdi+lP61e81UZCwnYdBWtCAL6YmF3bokvEYnYIJqL+RZso+lvDhyZRp7cxkvjJf35hd8jHqrt+TwzZt6jZR3Ei9/Ldj1DUyhp1uef3m3Pg160PNC2Ak/NukkkSnUWmbG9WAHluWjbLe7EYikVz1wAuHKr+iiwOBppNFFnkhJi9QiiBc0QIW/rsbvdENNSRVPy7tfblCRBTUJU5/spUMgpkm8CiYkj3velwZv6t5hrw8f+4Wauf5MIV/+FlWaDEVU65BWnaxnSWgqDsBGwdAkb8SjDF3xIqcdS/ylCuHH2i1svsA9bDprbRlj/qZ9zcZGjlmx1+QbHNNr0A73DzAVS/E1BEjI1PZ89bkEhC8rueKjrBHA7feJXN2Sgxsw/67eVpmmtok480gZVfzYcTskdpfK0Kj42+Cqql3A0t3J6L4NDr4U8QUVAyPB1ADpNXHe8uLupzzFOn7uveA+J4/z90X0+dAcLjpGcIkZMMHb5qenKQD0oQXflBGIuxB/Q5FkMkqt8hhlUnukCBiGUSR/YU4exp0RJ789srYydtOHj2GiiRJxOH2gRfbE+aqE8XlwtCYWiWkQLbiZiyNyhdoIuZcgJtvCmLcX0ErmhEFQyOoEw/8eyKSrWN8UsLB9cXxQpei9nFDahLhUmm4gTtzKKdo/W8+k+qxBnLapMOi7s0Mndjf63dgwrImGGzM0d5R9YF1wJHRxko22kBFjZzuix4t5Mvp3McqCjPC83WaAZfjRtYb3aDrd6JtaV9mmqwzxEhUlzJARAhE6NT1yw9UsdKiPRNMkYnjw0ByVRPPFmdoU6t/Kbnu8ftDtDK
fTxR70J8+YzwLf8QAQc9iCO4PfPjpQ4TvPFr6HdKGKfKMP1NxLrazjI4nhBNwHDbbyfH/ZIQ7M7mnYsEp9lEhloYGxHXI4fc2W7hakgiaJT2O8yXcY0/ZNpLHMlFSgx3cixqqAihh+2OTusVLUC64MZADMx8tIlCWUvkLdGNSNUZmbx3jYIAAoeA+7ydYjLd8MBGX0BqWlX4s8bUY5JOYSKyTqbIxww+hwt2am7poYDlREJmeDdwStYnnVe0VmNXbU3Zl3cTPV+SI5NjmNeFUNNYHJeGUcsBk2FcNxExwe9jQfFp0HEeOsx0BpVBNbf76xnTsDHB6TkQ6k8f0E4sOIWTTaJRF94Vr3dYx7Q9dJWVkoshz7ghYjD4PBWr4aXCN4i9XVHCSp3+RZ9S8UrV5rD8ZZVYM9v+esdwyddeoq1y6OKOD7YVpjH72pi09jzghbbOutLQ2pwHm7OG9dqqStx5YILfQ6dGkklaj/8bneB/cxIIi1rvvUW4ymnV/+QA19lwqg/eUaKqRA3Zm0I5hI0e01wquvnpnbzCUSnXvEPbJCAmNmbVDHVKG98b6G9/jNMOWtYi40D55bt5goiFsxVxmuPMrm1WQimtsoEBNIVVQzT5K0xFXtL6IZgCPaRPZzIxXabaaqn11c6WX506NicWoGCVZRL9rPLA7BxUQTLK+7ZawrCV7G5Ft4GclW4GXuZdCPKYpot3vaS9hLGf6vU8CeTHPebs8kttgey1gWhqWf9UrjeCHk1BzMInt6apT30jdFhd8GcQ9lGGzL5L5pu5emurCHrJ1MKnOpcj0vZru7IWfcAn0RNzIw2pdmIQwIVxuQOGg7uIaE9e7j2CZnFQ4Jho3aad4erG720+JHz6k8F4KzaVD2ilhs4LBLBazZrOUJrtBjKP+newjrqieV3JCau7ZTBE2Pcuz9bUwfXGSoo8zBYjjtAPzaRIe6GxuhHSPZXBynmPW5VD4BuZAqZy3NALgJgJ+YsEl8ZBvXCpxKA+8PgY51++foP74PZ81+zqfKn1bhQTo3aR5Wq/WWWNBtfirBkHAba4dBR4LJL6axIjpFAGFXmXXsRoGdI8VOeDB+3odFTCUf5KA9a3GCi92R1c7msGMn3VaI5OR2O5r05rnE3TZKaZP1jFNJ7QXrYg5Hy8U0RSuPDMquYdGvZRJvs33j1xaCRLUVvWBgMXWrAyEo08LMc69XlyYMrRpIloF2W0guTRNnIV43SjhFRvYYSB98m4QOKEdcxZXEHw4yi7Y4dGtRKBY29OTwtikGQwU5PvJDRNoLjOmj1xI2GefWWOn4tLbpn9dfqRVpvru4eRYSxbSem31lqbyCB0RVd+I40ti6C67RWUjij4unPSTSVRy0xcb1ZSBBVnpHrUPjP58Jg2UVKjWXpG15ZOSFq3cjiv+webH8ikupzEtkaQm2RMqDkS2QJKqapUdPzg/YaemAXAV50kRmxZIwLGJoLj9Rvt8usN2LJHL0VnffggkrmwKuGdDSnY5nGDhIcPhegxUEXiM+FbCr55CXt0ivi44Txs3+eKmcTCWGHQj2h4AoWKxZEBDs58TrtUFF/Gj52fhLd/RkZsC2hFaCZkTKMyE4WLIUckJd/C031mefBT9ZG+h3E55z5RAIob4b9RgilKr4OgUkax6hhe/ZyEIxAu0kDMeE+JQWldLwjpR4CDBZkz5A46ZCpnSyxMa2HcjFdVKAYU5P/KPEgZd8SGKZ4zf+ZS3oQBAQ/D+5/xRr8XJf2WGAbMm5oTtC0zPh840WDRYk7KBL8ketm5WcFERpKuiaDzBTvo/oknaJ4gEVA7OdHbQQ15Tem88ONSoQKPLYeCRFVW+JqyWoSkq9S72ZJO4BxyuAZdVL8oHcrf8lKgemgFtxu+glODJqD4NIW+5WVNxTKuh79MCROyw99c4k1L9gHKO9cVBismZJsaHJ0XIG8axCVpu5sdpGWAAYZ6onqKmTHCg3MPm3hDc+vGO+Jkk8Lu4FSOpjZG
F4iewm2i14eBi1r52EYbMf25Xp/pw+ULuG2zNeik/2ptyYu7j4g56P0kLqtZVPdiJdAqbpmEhgO5uo6Gvr/6YEjn6/zgw5NxoIzKKGoIegD3addO0v1zFjf2jAV42e4OuYO5YJRY2zUiI88bZYb3TH4gKPzi9YmIkzKqMoQVwMKeeOFSWciaqJn6Ecr7yxzUY1Yb8DQKJ+L3oXHfCIpRZk1htF6Fbbw1HJRvQ1+NrkrnluUl5epGLCEoalWA4+qIFr875hR8vBO0BpzR0HXRwhvF9H/tfTnfIunKVorUcqMuf6NLsvNAHdhe1wirzb/0LvFIxhCfLYAr//VISp5UpXp/Aa4IRumT5+k7dQ0OVP1oaBN1OLBOfW1eHSeYpAW048ZUZ6e6xT75+LTQ+h7I1I9wweFzCs50YgTA6duVKqTO4/1OUIXm8Wr0nrTkFmHZI8A5ErOBvrDP1GQ3AzuPHRL4IWiQSRkuIKiM0q+ay/LpK+Rd3eOReu60zs0USwuBnPlnKb5vn9/Inx5Ppq5OLlL8IDnecYRjBCtz/ksuAJhwrgiPUsHRN34baWbc0LYRJ7KNewIfk44no5khVI/5UFFTszd2NzEWZY7lb+Oxh6YA08enyccYztqxZy5FqsPy7G92oMFl+jPwlHZkneSmZUlwFxTj/JRAckYdb7HJhONk7LCXD/ElHN/X8Irk96/IK5Iy1/wohugulK9D4ntYs0pakR7vGIqDa1FGvhac8c7VU9nKz0/mfS1FQq31ru5mI/W9EVXCIcW0e8fs6RdAt9z2aMcP7Pq7AxS+gcJI7XGTU42M+2GIBRTdB1xt7ABEoySoIWQ/5SRbEbXOUrV77rL0GqY7Px1JVvg+vhFrBtIyaHLc/u8IDYQ5GF6nq7ywQMOdPhJNsx9qnZZzkfBEZJNkXM3jIwyx17Hr04n1VzSEpTZz1NqS48gg4aunA0DEw1b8HL5/hYZJMbi9lyBQ41EyfllGwYVIhDXbqUxTiJV/P/amEEEOW6nomGwEEM7/jv7Uhiqzv49JpfK6h8xDDwdWsQr+Vv7y2j1C1ZLZRpWs7cDUdO4I07PKcjD+dURt3g5WETwoFz4x6dAVGhvCsdfESVmocLbO6VHozAUGX/1yG3mdKJKbeWlrI10z4m7b+cPWpH14+PKx0j3eQreXBcHFZ1MDiUWNMGraNydSxPJd1dNRnLUopo57vqc2oz3t9vG3vuOSkh2PLbUHGjlx82S+9INm7X19/2HYSitLgGmALp4Hz/tGm6NbMReP70KzOJolRVFORruWcQEFNGzyZF9ObMKu2TONOTksRd6lr+TJep3XFoFWWTZFhUpDXrHO0O84E7PMm7ZTyZkKjoLLzDJdU2GHIOIccfjNFp1n0YSu9ZQxOZdFDJcyKVx192qxwTDKcdcslKRqjwggu7Mz2l+QDFOo3KJRPfsYgmK6xI1WOq5gGxApJSXHxW08sg55HaZRYdJ1UU7ngtZyfYX39lbEKohUsTO11CnsqxcpcM11yzbK4cn0mc2gTlOqNFESeb/qB2FE05U9aVj5hM2dw5th3UBbiqWuksWqhj+XOYrvh+RvOMUvEJz9FHnsyaJXAGvoD3W0Pn8F6ej9xU6oXX6FMEBn8n++qFxJZv1GJkIcPxs0FFKKCnbupUERjd/J3SJIq+raDSVaaD6qWSWhOBSPIpgL137/JFmfkq85418WRhiCCEceMQJwZAoB/8I6xgQmj/Kf+fV1iPseeqcpelbKNvvdFQpAjxw+RdOg2OFwGVW4agt1OwVYJl2GKgALoRm1TGafdSanPGIGgkLLVHOi79sWQrhqpx3ssu9isxxT744A+jWWOIGHQhtNpum9/Lni6uGJVAl4/6O39vW2WvbEXqrdEzbUERgvCDzTa6a5EyDy0DZ4Pp19p/3wr3hkVq6MtFKaInpDi3Tigm//+utbAZz5egUc00tkmruTkITbcj1QdIjA0s9B2zeplJgxN4SKdt3QPH7I4DCl
MnnLOWBkm1czJ9XsGUbzz2/Q9Pk//DhJlKWh0QDTfZhJ+iO4QrDBQwWtNsr0u/Q9bSWpyr4Kq6D3gyCZXBEb7bHh6s8B1qd+c8BWV2UOERO62ZrryZTmsOXf5cRSV4mrPp6Q5ZuWCMryVtErhkkCmfO8sHNOW/aJ9U9lVIS4gIjEat0Lb6qoeyzTdcoKnC4NOvZfCgwg4OZSutBVqYWVjy0LbeVFgqFJ5X/khgZkgSK2OpF7AWlFrs3YB7Aosg+zbGA1856uW2ooG6nC+fm8Wk6ymXKNkolCCtZI54+hOaIT9JUlle3r7K17d6IKOSv85E5TpxG8PYUJ0cfToSU+U5iMciBw4TSX3bSgmTNfTBuF4NvSXL7wsvBP+JFoZDVforBbcLM15NK8JI+3xqHyW+vRhedlLZTW3+wBcua2mYpP160mFmOwOSpFjqzW4V+FL4gGjHKuh4gwujcN3cvlRsTdo2ZwWO7vl3dAKw=,iv:6uOo+Nc/Yqq1HE2+QWUHkdXsbm3s0KxNoLwvMR/JyAE=,tag:qDkZfbxQg67NDCcV8U9UtQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOQXVIQkI1WWw1SkZVSXVR + a292LzNsa2d1SmFodDVnSzBnb1FsL2NIeG1RCitxOHBaY09SclBTaEpGODAxak4y + aHJma3VoR3ExU3RHMmI4blRGdVBKRlkKLS0tIGh3K0ZNOVcyOXpQZ1kxT2RTcjJE + OGpTRjM0OVFoZkg5MGEwcXdDdzNxMUkK5pWT7Tvu5cdFzh1jPlo0di1CnwS9WJNw + xeaSLUyXmkmU52vTBFg8+Ww+Ql2C/7tNMXeNvQ+x4BurJ/JvmL41Kg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5c0c1Q0pLQnBlUXdvWXlM + NklDU2R0WUpuTGhnM3BYRHdPd3ZwZVdvNXlJCkZwdnk1R3QvT3hEWWxqVnB3a3E1 + aktqM3VyTU9TV0ZHOUhBZHQzemYweWsKLS0tIE83cEZBL1gvRHl3VHp3VWhkUUpW + OHBFVE82TzEzUVJibCt2RzFWLytEREEK3te5Di1Be+tued2x2L3l3E3bopcgoumM + 3lW5R4WdeMKdppDqIVgIpFKfQxp6C0wsG6qoBOtLoMeMMVdTps0Pbw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xdd0mzt7mhr30rzvt34ygxurlvdvs53svg7lxd6843lx83vy0guqew578d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFN1BpT3dRb0gzeEpWUnph + RXFMdGZ2aXZ1NVNlQW5sNlhldWYwL3FWZWw0CkJyenpyQU14TkFaRXlvVWJMM0NH + eDNiR1BxTVBZdS9Wd21NSmxuS1pNOTgKLS0tIHpzS2hHUjVMNmRCcDd2MHNseHBs + 
cWY5Ui8zUWlwY0RHaUZXWmtpT2lqQmcKfN4Hkfdn28agLdfLfmIa916sV6k3b7s3 + Jo7OMYmRzZOAkl2umSWjlK2DRrwVC9cwqBYIQl6pg3fOJwIT3tFAag== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-02T20:44:21Z" + mac: ENC[AES256_GCM,data:Tn4o4NYvKvZLzA+LpwwchTuPjLsMNozHeZ1lfDGRIrzub+tHxUj+yAclSHAgTk7tf4zZMPLOYEaHi80eCQ1ktzf8woHRL6pLyUmC0gMvMsf9N1yjAu1uvPngknDCuhNZjPSdMHdebuUbDihmGp0gbI3ZC4f63mEEGaoRq73B6M4=,iv:tbM+tYcN8SvjBR0DltSYoQQDAU780hzsjabjLWiKT6U=,tag:QMUZBYztfSeEha7QNoeGng==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/services/alertmanager.nix b/services/alertmanager.nix index d22ba30..dc001a1 100644 --- a/services/alertmanager.nix +++ b/services/alertmanager.nix @@ -4,6 +4,11 @@ let toConfigFile = name: cfg: pkgs.writeText name (lib.generators.toYAML { } cfg); blackboxExporterCfg = config.services.prometheus.exporters.blackbox; in { + sops.secrets."alertmanager/env" = { + sopsFile = ../secrets/sops/alertmanager.yaml; + restartUnits = [ "alertmanager.service" ]; + }; + services.prometheus = { enable = true; checkConfig = "syntax-only"; @@ -123,7 +128,7 @@ in { listenAddress = "[::1]"; logLevel = "info"; webExternalUrl = "https://alertmanager.${my.domain}"; - environmentFile = secrets.alertmanager-env.destination; + environmentFile = secrets."alertmanager/env".path; checkConfig = false; configuration = { route = { diff --git a/services/conduit.nix b/services/conduit.nix index 072e0d0..4ffa31f 100644 --- a/services/conduit.nix +++ b/services/conduit.nix @@ -1,4 +1,4 @@ -{ config, pkgs, my, ... }: +{ config, pkgs, my, secrets, ... }: let conduitSettings = config.services.matrix-conduit.settings; 
@@ -109,32 +109,30 @@ in { }; }; - services.restic.backups.matrix-conduit = - let resticCfg = my.homelab.services.restic; - in { - inherit (resticCfg) environmentFile; - initialize = true; - repository = "${resticCfg.repositoryBase}/${config.networking.hostName}"; - passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}"; - paths = [ - "/var/backup/matrix-conduit/conduit.db.zst" - "/var/lib/matrix-conduit/media" - ]; - timerConfig.OnCalendar = "*-*-* 4:05:00"; # daily at 04:05 - backupPrepareCommand = '' - set -euo pipefail - umask 0077 - f=$(mktemp) + services.restic.backups.matrix-conduit = { + environmentFile = secrets."restic/rest-env".path; + initialize = true; + repository = + "${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}"; + passwordFile = secrets."restic/repo-password".path; + paths = [ + "/var/backup/matrix-conduit/conduit.db.zst" + "/var/lib/matrix-conduit/media" + ]; + timerConfig.OnCalendar = "*-*-* 4:05:00"; # daily at 04:05 + backupPrepareCommand = '' + set -euo pipefail + umask 0077 + f=$(mktemp) - # consistency is provided by the internal locking of sqlite - ${pkgs.sqlite}/bin/sqlite3 /var/lib/matrix-conduit/conduit.db ".backup $f" - ${pkgs.zstd}/bin/zstd --compress -9 --rm --force \ - -o /var/backup/matrix-conduit/conduit.db.zst $f - ''; - backupCleanupCommand = my.mkResticBackupNotificationCmd { - name = "matrix-conduit"; - inherit pkgs; - inherit (my.notifications.backup-bot) environmentFile; - }; + # consistency is provided by the internal locking of sqlite + ${pkgs.sqlite}/bin/sqlite3 /var/lib/matrix-conduit/conduit.db ".backup $f" + ${pkgs.zstd}/bin/zstd --compress -9 --rm --force \ + -o /var/backup/matrix-conduit/conduit.db.zst $f + ''; + backupCleanupCommand = my.mkResticBackupNotificationCmd { + name = "matrix-conduit"; + inherit pkgs secrets; }; + }; } diff --git a/services/grafana.nix b/services/grafana.nix index a271423..0785ad0 100644 --- a/services/grafana.nix +++ b/services/grafana.nix 
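Review bot: `passwordFile = secrets."restic/repo-password".path` in this backup definition refers to a secret that `services/restic-client.nix`, added in this same commit, does not declare; its list is only `[ "rest-env" "backup-bot-env" ]`. If the declaration lives in a per-machine module that is not shown here, it needs `group = "restic-backup";` and `mode = "0440";` like the other two, because the paperless-media and postgresql-15 jobs run as unprivileged users that reach these files only through that group, and sops-nix otherwise defaults to root-only `0400`. The same reference appears in the navidrome, paperless and postgresql hunks. A comment next to the list in restic-client.nix, e.g. `# restic/repo-password is per-host and declared in the machine module`, would make the split obvious. The enclosing module body starts outside this hunk.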
@@ -1,6 +1,12 @@ { config, my, pkgs, secrets, ... }: { + sops.secrets."grafana/secret-key" = { + sopsFile = ../secrets/sops/grafana.yaml; + owner = "grafana"; + restartUnits = [ "grafana.service" ]; + }; + services.grafana = { enable = true; declarativePlugins = with pkgs.grafanaPlugins; [ ]; @@ -19,7 +25,7 @@ enforce_domain = true; }; security = { - secret_key = "$__file{${secrets.grafana-secret-key.destination}}"; + secret_key = "$__file{${secrets."grafana/secret-key".path}}"; disable_gravatar = true; cookie_secure = true; content_security_policy = true; diff --git a/services/home-assistant.nix b/services/home-assistant.nix index e78afad..f93dba3 100644 --- a/services/home-assistant.nix +++ b/services/home-assistant.nix @@ -1,7 +1,22 @@ { my, pkgs, secrets, ... }: -let trimNewlines = builtins.replaceStrings [ "\n" ] [ "" ]; +let + trimNewlines = builtins.replaceStrings [ "\n" ] [ "" ]; + mosquittoSecret = { + sopsFile = ../secrets/sops/home-assistant.yaml; + owner = "mosquitto"; + restartUnits = [ "mosquitto.service" ]; + }; in { + # https://nixos.wiki/wiki/Home-assistant#OpenSSL_1.1_is_marked_as_insecure.2C_refusing_to_evaluate + nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ]; + + sops.secrets."home-assistant/automation-sshkey" = { + sopsFile = ../secrets/sops/home-assistant.yaml; + owner = "hass"; + restartUnits = [ "home-assistant.service" ]; + }; + services.home-assistant = { enable = true; config = { @@ -41,7 +56,7 @@ in { schedule = { }; shell_command.poweroff_zero = trimNewlines '' ${pkgs.openssh}/bin/ssh - -i ${secrets.automation-sshkey.destination} + -i ${secrets."home-assistant/automation-sshkey".path} -o StrictHostKeyChecking=no automation@zero poweroff ''; @@ -78,6 +93,9 @@ in { systemd.services.home-assistant.after = [ "postgresql.service" ]; + sops.secrets."mosquitto/home-assistant-password" = mosquittoSecret; + sops.secrets."mosquitto/tasmota-password" = mosquittoSecret; + services.mosquitto = { enable = true; listeners = [ 
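Review bot: `shell_command.poweroff_zero` in the second home-assistant.nix hunk still passes `-o StrictHostKeyChecking=no`, so the automation key now delivered through sops is offered to whichever host answers as `zero`, without verifying its host key. The host's ed25519 public key is already being read to derive the age recipient in `.sops.yaml`, so pinning it (for example via `programs.ssh.knownHosts`) and switching the option to `-o StrictHostKeyChecking=yes` would close that gap at little cost. The `services.home-assistant` attribute set begins and ends outside this hunk.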
@@ -85,8 +103,7 @@ in { address = "::1"; users.homeassistant = { acl = [ "readwrite #" ]; - hashedPasswordFile = - secrets.mosquitto-home-assistant-password.destination; + hashedPasswordFile = secrets."mosquitto/home-assistant-password".path; }; } { @@ -98,7 +115,7 @@ in { ]; users.tasmota = { acl = [ "write tasmota/discovery/#" ]; - hashedPasswordFile = secrets.mosquitto-tasmota-password.destination; + hashedPasswordFile = secrets."mosquitto/tasmota-password".path; }; } ]; diff --git a/services/matrix-hookshot.nix b/services/matrix-hookshot.nix index 718729a..c0355f2 100644 --- a/services/matrix-hookshot.nix +++ b/services/matrix-hookshot.nix @@ -1,4 +1,4 @@ -{ config, my, ... }: +{ config, secrets, ... }: let conduitCfg = config.services.matrix-conduit.settings.global; @@ -11,11 +11,20 @@ let resources = [ "webhooks" ]; }; in { + sops.secrets = builtins.listToAttrs (map (n: { + name = "matrix-hookshot/${n}"; + value = { + sopsFile = ../secrets/sops/matrix-hookshot.yaml; + owner = config.services.matrix-hookshot.user; + restartUnits = [ "matrix-hookshot.service" ]; + }; + }) [ "env" "passfile" ]); + services.matrix-hookshot = { enable = true; - inherit (my.services.matrix-hookshot) environmentFile; + environmentFile = secrets."matrix-hookshot/env".path; settings = { - inherit (my.services.matrix-hookshot) passFile; + passFile = secrets."matrix-hookshot/passfile".path; bridge = { domain = conduitCfg.server_name; url = "http://[${conduitCfg.address}]:${toString conduitCfg.port}"; diff --git a/services/navidrome.nix b/services/navidrome.nix index 55e3511..1edbc5a 100644 --- a/services/navidrome.nix +++ b/services/navidrome.nix 
@@ -1,10 +1,16 @@ { config, my, pkgs, secrets, ... }: { + sops.secrets."navidrome/env" = { + sopsFile = ../secrets/sops/navidrome.yaml; + restartUnits = [ "navidrome.service" ]; + }; + services.navidrome = { enable = true; settings = { Address = "[::1]"; + BaseUrl = "https://music.${my.domain}"; FFmpegPath = "${pkgs.ffmpeg}/bin/ffmpeg"; ImageCacheSize = "500MB"; ScanSchedule = "@every 10m"; 
@@ -13,29 +19,27 @@ }; systemd.services.navidrome.serviceConfig.EnvironmentFile = - [ secrets.navidrome-env.destination ]; + [ secrets."navidrome/env".path ]; - services.restic.backups.navidrome = - let resticCfg = my.homelab.services.restic; - in { - inherit (resticCfg) environmentFile; - initialize = true; - repository = "${resticCfg.repositoryBase}/${config.networking.hostName}"; - passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}"; - paths = [ "/var/backup/navidrome.sql.zst" ]; - timerConfig.OnCalendar = "*-*-* 4:10:00"; # daily at 04:10 - backupPrepareCommand = '' - set -euo pipefail - umask 0077 - # consistency is provided by the internal locking of sqlite - ${pkgs.sqlite}/bin/sqlite3 /var/lib/navidrome/navidrome.db .dump \ - | ${pkgs.zstd}/bin/zstd --compress -9 \ - >/var/backup/navidrome.sql.zst - ''; - backupCleanupCommand = my.mkResticBackupNotificationCmd { - name = "navidrome"; - inherit pkgs; - inherit (my.notifications.backup-bot) environmentFile; - }; + services.restic.backups.navidrome = { + environmentFile = secrets."restic/rest-env".path; + initialize = true; + repository = + "${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}"; + passwordFile = secrets."restic/repo-password".path; + paths = [ "/var/backup/navidrome.sql.zst" ]; + timerConfig.OnCalendar = "*-*-* 4:10:00"; # daily at 04:10 + backupPrepareCommand = '' + set -euo pipefail + umask 0077 + # consistency is provided by the internal locking of sqlite + ${pkgs.sqlite}/bin/sqlite3 /var/lib/navidrome/navidrome.db .dump \ + | ${pkgs.zstd}/bin/zstd --compress -9 \ + >/var/backup/navidrome.sql.zst + ''; + backupCleanupCommand = my.mkResticBackupNotificationCmd { + name = "navidrome"; + inherit pkgs secrets; }; + }; } diff --git a/services/nginx.nix b/services/nginx.nix index 7950b5a..e2c3ac4 100644 --- a/services/nginx.nix +++ b/services/nginx.nix 
@@ -1,6 +1,13 @@ { config, pkgs, secrets, ... }: { + sops.secrets."acme/token" = { + sopsFile = ../secrets/sops/acme.yaml; + owner = "acme"; + inherit (config.security.acme.defaults) group; + mode = "0440"; + }; + services.nginx = { enable = true; enableReload = true; @@ -17,12 +24,19 @@ networking.firewall.allowedTCPPorts = [ 80 443 ]; - security.acme.acceptTerms = true; - security.acme.defaults = { - dnsProvider = "hetzner"; - dnsResolver = "hydrogen.ns.hetzner.com:53"; - reloadServices = [ "nginx" ]; - environmentFile = secrets.hetzner-acme.destination; + security.acme = { + acceptTerms = true; + defaults = { + email = "contact@christoph-heiss.at"; + dnsProvider = "hetzner"; + dnsResolver = "hydrogen.ns.hetzner.com:53"; + reloadServices = [ "nginx" ]; + environmentFile = secrets."acme/token".path; + }; + certs."c8h4.io" = { + domain = "*.c8h4.io"; + extraDomainNames = [ "c8h4.io" ]; + }; }; systemd.services.nginx = { diff --git a/services/paperless.nix b/services/paperless.nix index 38349e6..a3ab78d 100644 --- a/services/paperless.nix +++ b/services/paperless.nix @@ -1,4 +1,4 @@ -{ config, lib, my, pkgs, ... }: +{ config, lib, my, pkgs, secrets, ... }: let paperlessEnv = config.services.paperless.settings; 
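Review bot: The new `certs."c8h4.io"` block in the second nginx.nix hunk requests a wildcard for `*.c8h4.io` on every host that imports this module, and `.sops.yaml` encrypts `acme.yaml` to both tank and fort, so each of them ends up holding the DNS API token and a private key valid for every subdomain. That may well be intended, but it deserves a comment at the block, e.g. `# wildcard: any host importing this module holds a key valid for all of *.c8h4.io`. The domain and contact address are also hard-coded here while other modules interpolate `my.domain` (presumably the same value); taking `my` in the argument list and writing `certs.${my.domain}` would keep them in one place.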
@@ -67,23 +67,21 @@ in { users.users.paperless.extraGroups = [ "restic-backup" ]; - services.restic.backups.paperless-media = - let resticCfg = my.homelab.services.restic; - in { - inherit (resticCfg) environmentFile; - initialize = true; - repository = "${resticCfg.repositoryBase}/${config.networking.hostName}"; - passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}"; - user = "paperless"; - paths = [ - "/var/lib/paperless/media/documents" - "/var/lib/paperless/classification_model.pickle" - ]; - timerConfig.OnCalendar = "*-*-* 4:00:00"; # daily at 04:00 - backupCleanupCommand = my.mkResticBackupNotificationCmd { - name = "paperless-media"; - inherit pkgs; - inherit (my.notifications.backup-bot) environmentFile; - }; + services.restic.backups.paperless-media = { + environmentFile = secrets."restic/rest-env".path; + initialize = true; + repository = + "${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}"; + passwordFile = secrets."restic/repo-password".path; + user = "paperless"; + paths = [ + "/var/lib/paperless/media/documents" + "/var/lib/paperless/classification_model.pickle" + ]; + timerConfig.OnCalendar = "*-*-* 4:00:00"; # daily at 04:00 + backupCleanupCommand = my.mkResticBackupNotificationCmd { + name = "paperless-media"; + inherit pkgs secrets; }; + }; } diff --git a/services/postgresql.nix b/services/postgresql.nix index f441b4e..8e2151e 100644 --- a/services/postgresql.nix +++ b/services/postgresql.nix @@ -1,4 +1,4 @@ -{ config, lib, my, pkgs, ... }: +{ config, lib, my, pkgs, secrets, ... }: { services.postgresql = { 
@@ -17,20 +17,18 @@ users.users.postgres.extraGroups = [ "restic-backup" ]; - services.restic.backups.postgresql-15 = - let resticCfg = my.homelab.services.restic; - in { - inherit (resticCfg) environmentFile; - initialize = true; - repository = "${resticCfg.repositoryBase}/${config.networking.hostName}"; - passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}"; - user = "postgres"; - paths = [ "/var/backup/postgresql/all.sql.zstd" ]; - timerConfig.OnCalendar = "*-*-* 4:30:00"; # daily at 04:30 - backupCleanupCommand = my.mkResticBackupNotificationCmd { - name = "postgresql-15"; - inherit pkgs; - inherit (my.notifications.backup-bot) environmentFile; - }; + services.restic.backups.postgresql-15 = { + environmentFile = secrets."restic/rest-env".path; + initialize = true; + repository = + "${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}"; + passwordFile = secrets."restic/repo-password".path; + user = "postgres"; + paths = [ "/var/backup/postgresql/all.sql.zstd" ]; + timerConfig.OnCalendar = "*-*-* 4:30:00"; # daily at 04:30 + backupCleanupCommand = my.mkResticBackupNotificationCmd { + name = "postgresql-15"; + inherit pkgs secrets; }; + }; } diff --git a/services/prometheus.nix b/services/prometheus.nix index bc849fd..8a8c2df 100644 --- a/services/prometheus.nix +++ b/services/prometheus.nix @@ -43,7 +43,7 @@ scrape_interval = "60s"; metrics_path = "/api/prometheus"; authorization.credentials_file = - secrets.homeassistant-prometheus-token.destination; + secrets."home-assistant/prometheus-token".path; static_configs = [{ targets = [ "tank:${toString my.services.home-assistant.port}" ]; }]; diff --git a/services/restic-client.nix b/services/restic-client.nix new file mode 100644 index 0000000..1649d5d --- /dev/null +++ b/services/restic-client.nix 
@@ -0,0 +1,12 @@ +{ + sops.secrets = builtins.listToAttrs (map (n: { + name = "restic/${n}"; + value = { + sopsFile = ../secrets/sops/restic.yaml; + group = "restic-backup"; + mode = "0440"; + }; + }) [ "rest-env" "backup-bot-env" ]); + + users.groups.restic-backup = { }; +} diff --git a/services/sourcehut.nix b/services/sourcehut.nix index bdfe1b6..1a76d71 100644 --- a/services/sourcehut.nix +++ b/services/sourcehut.nix @@ -1,13 +1,37 @@ -{ config, my, pkgs, ... }: +{ config, my, pkgs, secrets, ... }: let - secretsPath = "/var/secrets/sourcehut"; inherit (my) domain; fqdn = "srht.${domain}"; - inherit (import ../sources.nix) sourcehutPkgs; + srhtServices = [ + "metasrht" + "metasrht-api" + "metasrht-daily" + "metasrht-webhooks" + "gitsrht" + "gitsrht-api" + "gitsrht-periodic" + "gitsrht-webhooks" + ]; + secretNames = [ + "network-key" + "service-key" + "oauth-client-secret" + "webhooks-privkey" + "pgp-pubkey" + "pgp-privkey" + ]; in { - disabledModules = [ "services/misc/sourcehut" ]; - imports = [ (sourcehutPkgs + /nixos/modules/services/misc/sourcehut) ]; + sops.secrets = builtins.listToAttrs (map (n: { + name = "sourcehut/${n}"; + value = { + sopsFile = ../secrets/sops/sourcehut.yaml; + owner = "root"; + group = "sourcehut"; + mode = "0440"; + restartUnits = map (srv: "${srv}.service") srhtServices; + }; + }) secretNames); services.sourcehut = { enable = true; @@ -34,8 +58,8 @@ in { global-domain = fqdn; owner-name = "Christoph Heiss"; owner-email = "christoph@c8h4.io"; - network-key = "${secretsPath}/network-key"; - service-key = "${secretsPath}/service-key"; + network-key = secrets."sourcehut/network-key".path; + service-key = secrets."sourcehut/service-key".path; }; "meta.sr.ht".origin = "https://meta.${fqdn}"; 
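Review bot: The new `services/restic-client.nix` has no comment explaining why both secrets are group-readable, and here `group = "restic-backup"` with `mode = "0440"` is the whole access-control decision. Every service user later added to that group can read the REST server credentials and the notification bot credentials. Suggest a comment above `sops.secrets`, for example `# Group-readable on purpose: backup jobs run as service users (paperless, postgres, git), not root.` It would also help to note that `restic.yaml` is encrypted to more than one machine key in `.sops.yaml`, so these credentials are shared across hosts.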
@@ -47,7 +71,7 @@ in { "git.sr.ht" = { oauth-client-id = fqdn; - oauth-client-secret = "${secretsPath}/oauth-client-secret"; + oauth-client-secret = secrets."sourcehut/oauth-client-secret".path; outgoing-domain = "https://git.${fqdn}"; origin = "https://git.${fqdn}"; }; 
@@ -55,56 +79,48 @@ in { mail = { smtp-from = "srht@c8h4.io"; pgp-key-id = "6C28803321A0F6C53B78A2AF3D84AB70408524DD"; - pgp-pubkey = "${secretsPath}/pgp-pubkey"; - pgp-privkey = "${secretsPath}/pgp-privkey"; + pgp-pubkey = secrets."sourcehut/pgp-pubkey".path; + pgp-privkey = secrets."sourcehut/pgp-privkey".path; }; - webhooks.private-key = "${secretsPath}/webhooks-private-key"; + webhooks.private-key = secrets."sourcehut/webhooks-privkey".path; }; }; security.acme.certs."c8h4.io".extraDomainNames = [ "*.${fqdn}" ]; # Binds the sourcehut secrets path read-only into services that require them - systemd.services = let - services = [ - "metasrht" - "metasrht-api" - "metasrht-daily" - "metasrht-webhooks" - "gitsrht" - "gitsrht-api" - "gitsrht-periodic" - "gitsrht-webhooks" - ]; - in builtins.listToAttrs (map (name: { + systemd.services = builtins.listToAttrs (map (name: { inherit name; - value.serviceConfig.BindReadOnlyPaths = [ secretsPath ]; - }) services); + value.serviceConfig.BindReadOnlyPaths = + map (n: secrets."sourcehut/${n}".path) secretNames; + }) srhtServices); services.openssh.settings.AllowUsers = [ "git" ]; + users.groups.sourcehut = { }; + users.users = { git = { # Disable login for `git` user password = "*"; - extraGroups = [ "restic-backup" ]; + extraGroups = [ "restic-backup" "sourcehut" ]; }; + metasrht.extraGroups = [ "sourcehut" ]; }; - services.restic.backups.gitsrht = let resticCfg = my.homelab.services.restic; - in { - inherit (resticCfg) environmentFile; + services.restic.backups.gitsrht = { + environmentFile = secrets."restic/rest-env".path; initialize = true; - repository = "${resticCfg.repositoryBase}/${config.networking.hostName}"; - passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}"; + repository = + "${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}"; + passwordFile = secrets."restic/repo-password".path; user = "git"; paths = [ "/var/lib/sourcehut/gitsrht" ]; timerConfig.OnCalendar = "*-*-* 
4:15:00"; # daily at 04:15 backupCleanupCommand = my.mkResticBackupNotificationCmd { name = "gitsrht"; - inherit pkgs; - inherit (my.notifications.backup-bot) environmentFile; + inherit pkgs secrets; }; }; } diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix index 9cfce15..fa8ff5d 100644 --- a/services/vaultwarden.nix +++ b/services/vaultwarden.nix @@ -1,12 +1,18 @@ { lib, my, secrets, ... }: { + sops.secrets."vaultwarden/env" = { + sopsFile = ../secrets/sops/vaultwarden.yaml; + owner = "vaultwarden"; + restartUnits = [ "vaultwarden.service" ]; + }; + services.vaultwarden = { enable = true; - environmentFile = secrets.vaultwarden-env.destination; + environmentFile = secrets."vaultwarden/env".path; dbBackend = "postgresql"; config = { - DOMAIN = "https://vaultwarden.${my.domain}"; + DOMAIN = "https://vault.${my.domain}"; DATA_FOLDER = "/var/lib/vaultwarden"; DATABASE_URL = "postgresql:///vaultwarden"; SIGNUPS_ALLOWED = false; diff --git a/sources.nix b/sources.nix deleted file mode 100644 index 6ecb347..0000000 --- a/sources.nix +++ /dev/null @@ -1,33 +0,0 @@ -let - sourcehutPkgs = fetchGit { - name = "nixpkgs-sourcehut-updated"; - url = "https://github.com/christoph-heiss/nixpkgs"; - ref = "refs/heads/sourcehut-fix"; - rev = "6729c6c653f17a5f9f1dcf5439d3e98652406042"; - }; -in { - defaultPkgs = fetchGit { - name = "nixos-unstable"; - url = "https://github.com/NixOS/nixpkgs"; - ref = "refs/heads/nixos-unstable"; - rev = "bdeca2c42d6c16adc216ffb87bbe27ebebbd5705"; # 31-03-2024 - }; - - homeManager = fetchGit { - name = "nixos-home-manager-unstable"; - url = "https://github.com/nix-community/home-manager"; - ref = "refs/heads/master"; - rev = "820be197ccf3adaad9a8856ef255c13b6cc561a6"; # 31-03-2024 - }; - - inherit sourcehutPkgs; - - overlays = [ - (import ./pkgs) - (self: super: { - vimPlugins = super.vimPlugins - // (import ./pkgs/vim-plugins.nix self super); - }) - (_: _: { inherit (import sourcehutPkgs { }) sourcehut; }) - ]; -} 
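Review bot: The context comment `# Binds the sourcehut secrets path read-only into services that require them` no longer matches the code in the `@@ -55,56 +79,48 @@` hunk. `BindReadOnlyPaths` is now built from one path per entry in `secretNames` instead of a single directory. Suggest rewording it to `# Bind each sourcehut secret file read-only into the units that read it`. Bind mounts are resolved when a unit starts, so a rotated secret is presumably only picked up after a restart; it is worth saying in the same comment that this depends on `restartUnits` in the `sops.secrets` block using the same `srhtServices` list.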
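Review bot: In the `services/vaultwarden.nix` hunk, `DOMAIN` changes from `https://vaultwarden.${my.domain}` to `https://vault.${my.domain}`, which is a behaviour change bundled with the secrets migration and not documented. Vaultwarden uses this value as the origin for WebAuthn, so security keys already enrolled are likely to stop validating under the new hostname. The reverse-proxy vhost and certificate names also have to match it, and neither is visible here. Suggest a comment above the line such as `# WebAuthn credentials are bound to this origin; changing it requires re-enrolling keys`.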
diff --git a/system/home-manager/default.nix b/system/home-manager/default.nix index 5e4bf12..f903b63 100644 --- a/system/home-manager/default.nix +++ b/system/home-manager/default.nix @@ -1,9 +1 @@ -let inherit (import ../../sources.nix) homeManager; -in { - imports = [ (import "${homeManager}/nixos") ]; - - home-manager.useUserPackages = true; - home-manager.useGlobalPkgs = true; - - home-manager.users.christoph.imports = [ ./common.nix ]; -} +{ home-manager.users.christoph.imports = [ ./common.nix ]; } diff --git a/system/home-manager/sway.nix b/system/home-manager/sway.nix index b75cdad..52ac204 100644 --- a/system/home-manager/sway.nix +++ b/system/home-manager/sway.nix @@ -1,8 +1,6 @@ { config, lib, pkgs, ... }: let - backgroundImgPath = "~/.local/share/sway/background.jpg"; - setSinkVolume = pkgs.writeShellApplication { name = "set-sink-volume"; runtimeInputs = with pkgs; [ bc jq pulseaudio ]; @@ -174,7 +172,8 @@ in { repeat_delay = "150"; repeat_rate = "50"; }; - output."*".background = "${backgroundImgPath} fill #5fb2d0"; + output."*".background = + "${pkgs.sway-background-image}/share/background.jpg fill #5fb2d0"; seat."*" = { hide_cursor = "when-typing enable"; }; left = "d"; down = "h"; @@ -192,8 +191,6 @@ in { ''; }; - xdg.dataFile."sway/background.jpg".source = ../../extra/sway/background.jpg; - services.swayidle = { enable = true; events = [{ @@ -218,7 +215,7 @@ in { settings = { daemonize = true; ignore-empty-password = true; - image = backgroundImgPath; + image = "${pkgs.sway-background-image}/share/background.jpg"; scaling = "fill"; show-keyboard-layout = true; };
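Review bot: In `system/home-manager/sway.nix` the store path `"${pkgs.sway-background-image}/share/background.jpg"` is now written out twice, once for `output."*".background` and once for the swaylock `image` setting. The removed `backgroundImgPath` binding kept the two in sync. Keeping a single `let` binding, for example `backgroundImg = "${pkgs.sway-background-image}/share/background.jpg";`, and referencing it in both places would avoid the wallpaper and lock screen drifting apart if the package layout changes. The `let` block and both attribute sets extend beyond the visible hunks.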