peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: peperunas:586529e23df4fde651c24aa3363a968800ba7920
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit
...
compare: peperunas:d971ab334ea9a2de48d3ce3a53cb728e538ca767
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit

14 Commits
586529e23d ... d971ab334e

Author SHA1 Message Date
Giulio De Pasquale
d971ab334e fix(backup.nix): remove /secrets from backup paths 2024-12-06 22:59:34 +00:00
Giulio De Pasquale
0b4b32c290 feat(restic): switch to age-protected secrets 2024-12-06 22:58:46 +00:00
Giulio De Pasquale
b4f4c69c42 feat(nextcloud): switch to age-protected secrets 2024-12-06 21:17:00 +00:00
Giulio De Pasquale
273b694e4f feat(secrets): added host key for architect and rekeyed secrets 2024-12-06 21:11:16 +00:00
Giulio De Pasquale
0348df9a1e fix(secrets): rekeyed secrets with new pubkeys 2024-12-06 21:08:06 +00:00
Giulio De Pasquale
0622417fec refactor(architect/default.nix): centralize public keys in pubkeys.nix 2024-12-06 21:06:17 +00:00
Giulio De Pasquale
b0df5717b5 Deleted deluge and keycloak 2024-12-06 20:57:03 +00:00
Giulio De Pasquale
3f3b3d0604 refactor(teslamate.nix): update secrets file path and add age secret configuration 2024-12-06 20:55:44 +00:00
Giulio De Pasquale
847677fc2f refactor(matrix.nix): centralize matrix-synapse secrets and remove hardcoded database name 
- Added `age.secrets.matrix` to manage secrets in a centralized `.age` file
- Removed hardcoded `db_name` and used `extraConfigFiles` to include the database configuration from the `.age` file
- Updated comments to reflect changes
 2024-12-06 20:50:09 +00:00
Giulio De Pasquale
9b1cef61f2 feat(secrets): add initial secrets.nix configuration 2024-12-06 20:49:18 +00:00
Giulio De Pasquale
8fbd2cc84a Revert "hello" 
This reverts commit 6c6a9aa447.
 2024-12-06 17:40:57 +00:00
Giulio De Pasquale
6c6a9aa447 hello 2024-12-06 17:40:31 +00:00
Giulio De Pasquale
82c3dd24b3 Revert "hello" 
This reverts commit 19a029156c.
 2024-12-06 17:40:02 +00:00
Giulio De Pasquale
19a029156c hello 2024-12-06 17:39:54 +00:00
17 changed files with 301 additions and 172 deletions
Show Stats Expand all files Collapse all files

136
flake.lock generated
View File

@ -1,5 +1,26 @@
{
"nodes": {
"agenix-flake": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"cachix": {
"inputs": {
"devenv": [
@ -14,7 +35,7 @@
"teslamate-flake",
"devenv"
],
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1728672398,
@ -31,13 +52,35 @@
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix-flake",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"devenv": {
"inputs": {
"cachix": "cachix",
"flake-compat": "flake-compat",
"git-hooks": "git-hooks",
"nix": "nix",
"nixpkgs": "nixpkgs_4"
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1732298876,
@ -182,15 +225,36 @@
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix-flake",
"nixpkgs"
]
},
"locked": {
"lastModified": 1732319136,
"narHash": "sha256-wpmPl6FkAF9Jj5C/rzANgpUjfzQrUYOn267LnzKU2uI=",
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f8831cc700030e11fc91da9ef6270593e6440edc",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1733482664,
"narHash": "sha256-ZD+h1fwvZs+Xvg46lzTWveAqyDe18h9m7wZnTIJfFZ4=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e38d3dd1d355a003cc63e8fe6ff66ef2257509ed",
"type": "github"
},
"original": {
@ -236,7 +300,7 @@
],
"flake-parts": "flake-parts",
"libgit2": "libgit2",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_4",
"nixpkgs-23-11": [
"teslamate-flake",
"devenv"
@ -267,11 +331,11 @@
},
"nixos-unstable": {
"locked": {
"lastModified": 1732377093,
"narHash": "sha256-vJ7axNT6AOtzH2B+nDvObibKuzPImIgYjumk2uG9PyE=",
"lastModified": 1733505731,
"narHash": "sha256-B3jYxAIMhBdH5ayiSVoXsi4zvInRbZB5eEUac5mboUQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9c4b9f2f99ea64aeb0dd466e2974bf8aa240a117",
"rev": "f145dbde156efee66276502a2ecbfd60ed81c18d",
"type": "github"
},
"original": {
@ -283,11 +347,27 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1732377064,
"narHash": "sha256-d7iJuzyWeeFYP1HTsS/jMmyD4X2dfi02uKWcju6AaJU=",
"lastModified": 1703013332,
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e10d3ce766fc170730ceaeb5a913ebb3bd70f840",
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1733506536,
"narHash": "sha256-hmTCczt4tDKyKNtm0UOp78oHSDnJU3qZHX80KEEu1lI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "260a02d2ee673c2e4a4cfe8bc6c78ce8ea39c08c",
"type": "github"
},
"original": {
@ -297,7 +377,7 @@
"type": "github"
}
},
"nixpkgs_2": {
"nixpkgs_3": {
"locked": {
"lastModified": 1730531603,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
@ -313,7 +393,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1717432640,
"narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=",
@ -329,7 +409,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1716977621,
"narHash": "sha256-Q1UQzYcMJH4RscmpTkjlgqQDX5yi1tZL0O345Ri6vXQ=",
@ -345,7 +425,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_6": {
"locked": {
"lastModified": 1732014248,
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
@ -384,10 +464,11 @@
},
"root": {
"inputs": {
"home-manager": "home-manager",
"agenix-flake": "agenix-flake",
"home-manager": "home-manager_2",
"local-unstable": "local-unstable",
"nixos-unstable": "nixos-unstable",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"nvidia-patch": "nvidia-patch",
"teslamate-flake": "teslamate-flake"
}
@ -407,12 +488,27 @@
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"teslamate-flake": {
"inputs": {
"devenv": "devenv",
"devenv-root": "devenv-root",
"flake-parts": "flake-parts_2",
"nixpkgs": "nixpkgs_5",
"nixpkgs": "nixpkgs_6",
"treefmt-nix": "treefmt-nix"
},
"locked": {
@ -453,7 +549,7 @@
},
"utils": {
"inputs": {
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,

10
flake.nix
View File

@ -4,6 +4,7 @@
nixos-unstable.url = "github:NixOS/nixpkgs/master";
local-unstable.url = "path:///home/giulio/dev/nixpkgs";
teslamate-flake.url = "github:teslamate-org/teslamate/v1.32.0";
agenix-flake.url = "github:ryantm/agenix";
home-manager = {
url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs";
@ -14,7 +15,7 @@
};
};
outputs = { self, nixpkgs, nixos-unstable, local-unstable, home-manager, teslamate-flake, nvidia-patch }:
outputs = { self, nixpkgs, nixos-unstable, local-unstable, home-manager, teslamate-flake, nvidia-patch, agenix-flake }:
let
sysLinuxX64 = "x86_64-linux";
sysDarwin = "aarch64-darwin";
@ -50,10 +51,16 @@
overlays = extOverlays;
};
agenixPkgs = import agenix-flake {
inherit system config;
overlays = extOverlays;
};
overlays = [
(final: prev: { inherit unstablePkgs; })
(final: prev: { inherit localPkgs; })
(final: prev: { inherit teslamatePkgs; })
(final: prev: { inherit agenixPkgs; })
] ++ extOverlays;
};
@ -91,6 +98,7 @@
}];
imports = [
teslamate-flake.nixosModules.default
agenix-flake.nixosModules.default
];
};
};

17
hosts/architect/backup.nix
View File

@ -1,13 +1,22 @@
{ config, lib, ... }:
{ config, ... }:
{
age.secrets = {
restic-passwords = {
file = ../../secrets/restic-passwords.age;
};
restic-environment = {
file = ../../secrets/restic-environment.age;
};
};
services.restic.backups = {
backblaze = {
initialize = true;
passwordFile = "/secrets/restic/data.key";
environmentFile = "/secrets/restic/credentials.txt";
passwordFile = config.age.secrets.restic-passwords.path;
environmentFile = config.age.secrets.restic-environment.path;
repository = "b2:architect:/";
paths = [ "/var/lib" "/secrets" "/services" ];
paths = [ "/var/lib" "/services" ];
pruneOpts = [
"--keep-daily 45"
"--keep-weekly 12"

7
hosts/architect/default.nix
View File

@ -1,9 +1,8 @@
{ config, pkgs, lib, ... }:
let
pubkeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
];
macbookPubkey = (import ../pubkeys.nix).macbook;
pubkeys = [ macbookPubkey ];
domain = "devs.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
@ -42,6 +41,8 @@ in
./postgres.nix
];
age.identityPaths = [ "/root/.ssh/id_ed25519" ];
architect = {
networks.lan = {
interface = "enp6s0";

56
hosts/architect/deluge.nix
View File

@ -1,56 +0,0 @@
{ lib, config, pkgs, ... }:
let
domain = "htdel.giugl.io";
listenPorts = [ 51413 51414 ];
in
{
architect.firewall = {
openTCP = listenPorts;
openUDP = listenPorts;
};
services = {
deluge = {
enable = true;
group = "media";
declarative = true;
config = {
download_location = "/media/deluge";
max_upload_speed = 20;
# full-stream
enc_level = 1;
# forced
enc_in_policy = 0;
# forced
enc_out_policy = 0;
max_active_seeding = 100;
max_connections_global = 1000;
max_active_limit = 100;
max_active_downloading = 100;
listen_ports = listenPorts;
random_port = false;
enabled_plugins = [ "Label" "Extractor" ];
};
web.enable = true;
authFile = "/secrets/deluge/auth";
extraPackages = [ pkgs.unrar ];
};
};
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "lan" "tailscale" ];
locations = {
"/" = {
allowLan = true;
port = 8112;
allow = [
tailscale.net
];
};
};
};
users.groups.media.members = [ "deluge" ];
}

81
hosts/architect/keycloak.nix
View File

@ -1,81 +0,0 @@
{ pkgs, lib, config, ... }:
let
domain = "auth.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
services = {
keycloak = {
enable = true;
initialAdminPassword = "giulio";
database.passwordFile = "/secrets/keycloak/database.key";
settings = {
hostname = domain;
proxy = "edge";
http-port = 6654;
https-port = 6655;
hostname-strict-backchannel = true;
};
};
postgresql = {
ensureDatabases =
[ "${toString config.services.keycloak.database.name}" ];
ensureUsers = [{
name = "${toString config.services.keycloak.database.username}";
ensurePermissions = {
"DATABASE ${toString config.services.keycloak.database.name}" =
"ALL PRIVILEGES";
};
}];
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations = {
"/" = { return = "301 https://${domain}/realms/master/account"; };
"/admin" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/js" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/realms" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/resources" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/robots.txt" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
};
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
}

10
hosts/architect/matrix.nix
View File

@ -2,18 +2,22 @@
let
domain = "runas.rocks";
db_name = "matrix-synapse-runas.rocks";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
age.secrets.matrix = {
file = ../../secrets/matrix-synapse.age;
owner = "matrix-synapse";
};
services = {
matrix-synapse = {
enable = true;
# Database config is in the .age file
extraConfigFiles = [ config.age.secrets.matrix.path ];
settings = {
server_name = "${domain}";
database.args.database = db_name;
public_baseurl = "https://${domain}";
registration_shared_secret = "runas!";
url_preview_enabled = true;

15
hosts/architect/nextcloud.nix
View File

@ -8,6 +8,17 @@ let
inherit (utilities) architectInterfaceAddress;
in
{
age.secrets = {
nextcloud-admin = {
file = ../../secrets/nextcloud-admin.age;
owner = "nextcloud";
};
nextcloud-database = {
file = ../../secrets/nextcloud-database.age;
owner = "nextcloud";
};
};
environment.systemPackages = with pkgs; [
nodejs-18_x
libtensorflow
@ -68,8 +79,8 @@ in
dbuser = "nextcloud";
dbhost = "localhost";
dbname = "nextcloud";
dbpassFile = "/secrets/nextcloud/dbpass.txt";
adminpassFile = "/secrets/nextcloud/dbpass.txt";
dbpassFile = config.age.secrets.nextcloud-database.path;
adminpassFile = config.age.secrets.nextcloud-admin.path;
};
};
};

7
hosts/architect/teslamate.nix
View File

@ -8,6 +8,11 @@ let
allowWAN = false;
in
{
age.secrets.teslamate = {
file = ../../secrets/teslamate.age;
owner = "teslamate";
};
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "lan" "tailscale" ];
locations = {
@ -43,7 +48,7 @@ in
port = teslamatePort;
listenAddress = "127.0.0.1";
secretsFile = "/secrets/teslamate/teslamate.env";
secretsFile = config.age.secrets.teslamate.path;
virtualHost = domain;
postgres.enable_server = true;
grafana = { enable = true; port = grafanaPort; listenAddress = "127.0.0.1"; urlPath = "/grafana"; };

7
hosts/pubkeys.nix Normal file
View File

@ -0,0 +1,7 @@
rec {
architect = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICu7rSsZ+d3BkppimNHJj8xL5jfl5RxMU0+Q5cue0LUu root@architect";
architectHostKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGLLAtRzLtCExHLhpsC+vH1nXcla3wibbMOFRCwXfXjtn2A9DjewHBwcbQbYQa6yuaEa3vmvUyrUtW6RUAiGSNhDMUPz7swr5tujgO/6ToPf0vKDDeOCwK5wqmNoUlDf7qzkxwCiI0dPYuCr7uGt00/ebSGfp+F1zmgC9MxuefYMdX5Q5I7HoHOYbBC9q9ue5mc0g+F8GnmD+Pd2pDDiHpCflT+iOzLJH0gCcW/0e5q7XYKGs09Cm/L1zroHIb14Borndu0Mby7x2FlnSeap5KXr9rkKVyr3amX0mksb4N0T36MMJwLYcrvE0S8utFdHEusoYEkP3fjSgsKKHKEgiZbqaeA0oZHddG49JNBsCLmmrN8T142t1fftP4NdFyKpcI9gYsbXhZf6bheV1wQ/cpv3KkLGG7JlZeORRAc4xgT33BHvVXTcWCE2EYcNmdscrMOEw3mcDESu7S14iXZgGIUgYISZ3GTZ5+mNB6OoEwxqK+eYzYMyDpNBxv6/LlEvc= root@architect";
macbook = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230";
groups.architect = [ architect architectHostKey ];
}

BIN
secrets/matrix-synapse.age Normal file
View File

Binary file not shown.

BIN
secrets/nextcloud-admin.age Normal file
View File

Binary file not shown.

27
secrets/nextcloud-database.age Normal file
View File

@ -0,0 +1,27 @@
age-encryption.org/v1
-> ssh-rsa QXZdow
JFZ512g1V5fHSCDuxPcpFGSSAzI6326lbmmQaepxfPyTzZpK5Qo7WaUeF0dCmwi1
mwS038cbo57hPnuGapJtrqggiVm8B53rli7xlwFQCydVkxnKPSvcERI8KphEn1K5
1YGeU6XdqqNyv1NSV9V8A4Y74LMk1H+igWR5sWZnO6sQi7LLAwfL+BsskdwY0ZuW
9TOzkeZtgU5qy9IbN6liouEMliO660q1sb+OxQFP8pVIS3xt9mD2IE4W3hP9aZyF
JHUZPizwF+HvspR8oMV4R7JI4gexBwnMVeu4HVu+ayY2udQvr2DNxQNHM66zClPo
7G67rblH6IfCOrOieqIVvYrbJQuSZip4npnQyXVXzg/wQ6CGu0k4E8wF1xHFYKAO
LGWK8uUxffC1ITEfNMaSs/3AKMuqBsJcDXYYe4yq4lJYxSfwXbu+G6aqOgHYAe7p
LBQgl5Dn19r/7zKRLJTK4eJ0ah8bnWWTU9FcHAJbqKFYK6DW+syqFYinXfwt9AQI
g0w5apgPm/B3PX0wKiabci8c4AZ6n2JVWvI9sJkhcL5t93JS9uBsgxzc3Hv4nu3E
zD1Skp648In+oQ+6xuDmIuEuu8xIhGwU3jhJeIiTZwX54wj35v/gNLU2sH1hK/90
vyJcZClmpGDsOu/vHeKPSfP29MEzlahA5dZS0DDkt58
-> ssh-ed25519 7eGqHw AJlmB4Up3Zs4gNdfRRt8zZ5r1M8DcXSdj7B09VUlYCk
Vteh5QnSqhIrXm10zdOjP+Lhm3qwABqGgQFHfrnrjH4
-> ssh-rsa tO3rGg
VPAsazrTmffI7Y0LOsLwAoeOtz9lnDm3vYTDcFi8DoJcHsXDh2cYib1hET4noWLf
gFQiP30rNKTvkBDeThdH5opyZbO9BfDX1IgJo5Fm7yO3LdSWB44fL3Mn8HoMKGkn
d6TKM0ZxDZAkApTMcKHjHlcnWgy5sGxW0pHDnBvCCqsQHqRywcGDZTVhmxshLxQw
giQo3ZI8fzD436bY+rWYJtqWKcOnBLGEiFoWJr9qfLcG2FwB0xLppfX7S6htLQpn
btqafMtA8HgGVkVGC+uADqghPGzO/rN/z571xvZ6F4GyeB1/2RbVX62N4jN8FlPc
+6UWe3kgxM9cOedpwYPqte3gIETWBxlfpspOfVaRv6qMx6ZM1mPsP1qTpQNUabm2
2Ale/EkLnfYzwXmaiql0/oEuqq7Dp806XP5AcKxZHNUJeZHRdqOUHGCNJzfAO3H4
uazZGDtZR+pSq0QwEZqp1GoodtzCbBnbko5ZwVYXIXc1gSbwvP6ZW/5HiPEM0jaM
--- TXLi+4AqW9L3grKPVMBDb75OHyjatQzBxUlI4Xe1eMw
ÛÞÁ }ccn‡ó…¹'ÏF¥At«5ËT Ƶ E]Òx7írÑ|kô§ÿ<C2A7><C3BF>µI°¼ú×%}´¿‰<C2BF>¬#=<3D>J.

29
secrets/restic-environment.age Normal file
View File

@ -0,0 +1,29 @@
age-encryption.org/v1
-> ssh-rsa QXZdow
muUhcAzcKFoopF3H69fYU/CzBezvnBhgBKUqmFqjWVpLpzU/h75DPUMZcpT59dP1
rjJw8KEevEn6wnEG6KM5X1qKlQGKNYv1Ei8bFZ2KkIHQol77KA4UwfJOkZ75miNI
ZqYN2YT1acBtZVQn4Z1nsg3BKMKBFQVEvBmNh2tV38Zgnw3bPU06BKX07/gbaYvd
JGFWDik92eVkgHO5LPiIgQEhP/blCv28ELZ9CkRJXmz6Z+r7AINfSUwhRTLSG3E9
D5mYFcFF7mdmH7BFEvuk1kJiIxlrQoMgDa/8csmAYr/ma8jAb0fUK1vih4vdYPGL
Q2lHQPXJ7eJoYtn9mP3Bo8mRVuwYHyaSyKMxt3UEgCPJ4QI6N23Z7+7j9hJw9rNK
z9yheUaw8srCDz+ZLeSFvZ/gNLT7moTBYnjYPnsx3kYqKLNHyzTBKtbtQhI0PIkO
9ezOmH6GBqocEjA8XZ49VgB9+NWr/UVXI9qx+TNUTTzFyAZstcqOn32xCaRzPSBw
cpgPyIgWJ7wVOAWsevBSNqSntew0PCrStWKODiHGen3Z3lOCKeQloD9ANuF90iT8
7Ub0aGHMSlb3V6vX6lexc6mLF//ybtpvZ2FSyZfnj2iJRu8FAGdYpN5Ci9pfaTgF
v5CcQ+PqyyvPTgWBY4R244Vg4WKfvua65GAL8oxTERs
-> ssh-ed25519 7eGqHw I5j3zjd1QQzfFQXjZx8bC+wH3HkGOx2tJHlYax8pfTI
0+fXs8fEBjTXvLaTZH2QDWUIOT6+ZakpVyWGhOIm5Z0
-> ssh-rsa tO3rGg
OjfxuSAoX27FdTmDHfx7lYwYLP526SHbwNMuLwg2jdQlBbHZ3jsIDrTwTBpm2Q8R
K4T5wOUlicWvHz2RLQmjlrU9F0ksElhE6ZaqjgvBa1fIFFPNDm3Pl01Zs/NHnNGn
tetIDCkgWHqS/LtQv/RNzHlqb1H360fQLwPNamxR+kECpR7jy2aujsQxcilzPW+h
+s29T1CRTFd3kksW0cmiEXAH+nz8Orhz4GdJfFiIYmzUD/U/XsfF7V81ABrYBtxG
DxVqk5zwjYlCckyegMhjkKkpcJuZgkF0OpC9znxgy1s49irgJ1LNHuL9XvuSn81Z
U8/7qIXwumpx8hl2Fp52/qfu+z/Sgb4sNGdDwDabryVMM0iA44sW3A8968aEnU4+
ij4+MHuoiif9Gjd1OzxIpugg565hmbrpJHmLz/bwxSVuj/Q7EqfN4Q6WoXA4LPm+
D4U74W1rCqUY2lidiLG9xHjh48WVCyPaMMDTm/fryfUmbDU6tfgl+HedMQShFuut
--- AOqar+uICSyq8I8qWgkRiMW2dY73yezKi0RHaTmsbC4
 Qcv"àð·i;ïÕ`6Ï?]ÎÐ…èǹ# {œÛ¡<C39B>ËÎ^Q†Y<E280A0>;<¯ª:¬³~Þr~bœ¨Á_ÈÊÅ#š>é­3¨`RtYk™“”†»è~Cú<43>S÷tô5Êt<C38A>Úå1}ÊBQññ
Ç †l
²Ý„›!87ùP

28
secrets/restic-passwords.age Normal file
View File

@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-rsa QXZdow
tEqh6kH9Ctbirf94dBBvdYkYABBvkQYqoZEo7a3/EnFlwvkDxZoo9O8WiQ+fLhOI
jrAmdezC11UcvZK0D4KN34S1VgnQWwChTuOMWy5oTl9195GJm/1PQq8iyHFmCK63
DdZXE+MPbawlA/T+rsQghBX3TwNMYhfPw8+qfMC4A+5KhWzDPLYVidUvM2QwnoDZ
Zthek8bAOhwF/wZH7SI7QTQwe3x3kUyP3SbVipwguctRP7mNtRj/roVrfUoig7/L
SywHYmeBG6Z3kuWABoQIjF6TKS4No5NH5VKdJCtGlsSRUqJHa1GojSZUzgu0ARRK
v/Z/E6b64CnDZ1E+nZLr54PmrgjRbStqyvMxoQwYzu01TE6NU0h7aAgvk+S0AncK
AYgEkmsXxkYMSM0qUFvcGILNU5ZtyvhwS61Q13bZNM3+0CGcSv8lhQmJFrZbePmV
A1Jh+8JCxVJnNyEXLGPoofM8ds5Gtc35Iu5it5z2ZzJ3V1pRwTPzVlSuY1AygSvh
OTKg9kH4V3J311M0HJfG8CkOp8W1AvAfWagB9Y+E2KsL9riKpd9W+Rz6qB+u+q6r
bjKNy8oBEJ2xp9RAihQASeaBjK7v5bsgKy7L5GVVs9505pcKFOyWTVnbNdKsYYKs
sHW/dTVAGxf/SYz1cEpsp3ZPUe15h5+CuLf7OhI1RzI
-> ssh-ed25519 7eGqHw ws0TYpN8wBvtmJE2EsFF0Oz0v0kp/SN8nrc9eibd6m4
JKrIKa7Qescecpw5jkFcW4SgTaTtW3CocEg57rdS3A8
-> ssh-rsa tO3rGg
rn6k067Nol861dqxTId9zzWeupTMHik0597AR1vfyHJ+kBJhwNgj9bBPQYePoXcq
Ll91m0dX8TDN2RAcbl+ddxqkoedrCqa9RX7GxNG4nkAkVLAzIR3+B7cCjX06m+Mm
iI817kBXgIfy46HUtdft4D9R9y8G3RlnoPkV2msvlAAlps+tAkAsvIcMaWyWZF4U
fxOChL+RcRHUJ6mWzPU3EOES9pwmK+B+fI/25NRoWMlZDUWEJ8BEstDuQ6IORxbC
+DRGiQQCSVLyHkPI7KkXUxPeYjmitNdfAw5Cl0kn8rdXUn1AhceTfUsausqZMUOh
pSL6L8swiByy/vxO3HaNeSSVPyPVM8L9Cr9kqDTOoLJY2l1wSpNjbZrLoVunouIG
w8MyFxPxxpbPS7jPBI90kyrRfSyoDO6Va2EIW/YsVfOhYXIlA7qYe3Bo0xoT3B9R
awPedZO/qBzXVd3p+BwNwSxIRaBi5qchXn5B0kvv84tOtAlawrnKGly4mU0H42gN
--- cnd5/PWhWOHduSN+0fU4D3V2iLQE70ZSwBN8dW+YCw8
üÂTˆç"ÌHI+Ø ã‡ó^qmÆtê³Ý Y6_é½& %`ɱÝúâ­/ý¹æÅbd‡œ‡ãy4kˆ
YՌ

14
secrets/secrets.nix Normal file
View File

@ -0,0 +1,14 @@
let
pubkeyModule = import ../hosts/pubkeys.nix;
pubkeys = [
pubkeyModule.macbook
] ++ pubkeyModule.groups.architect;
in
{
"matrix-synapse.age".publicKeys = pubkeys;
"teslamate.age".publicKeys = pubkeys;
"nextcloud-admin.age".publicKeys = pubkeys;
"nextcloud-database.age".publicKeys = pubkeys;
"restic-environment.age".publicKeys = pubkeys;
"restic-passwords.age".publicKeys = pubkeys;
}

27
secrets/teslamate.age Normal file
View File

@ -0,0 +1,27 @@
age-encryption.org/v1
-> ssh-rsa QXZdow
IyHp/kqk6u/HazW25tlI9YykJ3AHySgPWFmQzIjh+BXyqo4qSKdNfQr1rIYFQGCJ
liIaMto8CWtbZUOiBXWtB/q3Z++Q0Qy8N1woYqVJ7gSlSbz1jKyDk2ZIrWCQ0CbT
zimI2gsdLEn5nkpV/NrkltH0/1aCW7HHzOo6UYp5YCQAwPO4eii636CYN9pFY8aD
wGuusZVsdEiP9+ETpxL8X0YDS6qWXAjrufEVSMmipxODGY9F9BncgrBXf6vNj4zv
/SudTaE4e1tfEQ8PjL+qE+aPMCVHITJsYWARiKIcUB4A2yLPxK4hEPuY+ikaV5nb
u2YBndS7RHA0c0xYAME1QZ2GOgFe995N+qgWM2pPmFhlFM7blzHLZPgNPQvQhaF1
dwv5mRnRhtLF27GWjtcPL0AaX2qWoVgWmjI03HY4m2RAXr+kPhs4asIb10iL5Zz2
I4GyupuX/yvds7ckTiVNc6HGPYgfN2re4ml0Lsgu+qMu6qkSSPwe4gdB8PRnlil4
JZS/rKXzLlqHW1P5PQLLaSO9DtiRIitbvNuWbTHdUK5bjEu8mjVzjT/u4JwHip7j
MpuWsSKEN6I+0hCfYfEwAWD4h6oTF+ckrRUXWg/p+K6IXBx4txCVHEZXymdBwf8I
eedRo2unHui7oT512HMXqx6DIIAPg/7Jr2/MWX+J6F8
-> ssh-ed25519 7eGqHw 9InUXz9Z8OvxNqVYckohNJYgFndSU5WH9VO9f4KnjhQ
lfE8tuSjZ5xJ19xzONy78dOzqZjqAk8RENdhBXoAXKY
-> ssh-rsa tO3rGg
t0P8ve/N9fxcBdIqmFajtIfQGTHXnwwaRRKJOoz/0PlH52Iat76P7IhdBipU9aJz
4lj2aFxYePD9Qz6+sLA4IibArW0Ej/XAehOwMiXU5NcD5ICcuc9dpBMekBzHTH6F
Z9fsz9ogKjBgfCulCDlf7XwQgXXx1+I2ar82y8Qix2esqO4fY4wXl7xQTONpKg0l
5Nethgwy6Xji2CBAsQDKm5xZ2FynUNWzk404pfDIkLvsU9NL53SHZwM8dzWiKxlq
g+uPlNYetfyFNWM1m018ev63adlrrBdzTwNBv+QTXF2fACarBxkqSPHLPrVn+DvM
mDPcXQJiORtMyOLJze2nt6ikZB/AqZWhGKFUpawI8MHx1HPlibG/cwKxLdmxexJz
Fk+EaGDeInyr7UflYjTQt2WlnaenittVwyIs08tqeJ/7mA/9uft6ThySIM/Cxsj0
sa85Pa6AnZhl5dpT7CIU3n1ZJIgk+ZLniMfZQdGxTVvZ2eqWhXqRhj9go0Obmk5G
--- fbeSdbhIc1G8BtYb99EUWMDa5Zgu2Pd1b2EL9mEs80Y
å‡; ÅÞøg üâ’gÔ1jìÔ·bý* g1<H<>/ -»óœ3¸Yøxó,oCÿ#^Nó<4E>Šý…€‰ˆ]¯ˆ$Çô«í½e· ãóPÿ\¦)X- Pþÿ¶Ê I•´Êä/íD]Bz¦ùB<C3B9>à ¾¶ôg¨rÓòž÷šT<>ý>ÁRéîæÌ…òå3½6