
1 Commits

Author SHA1 Message Date
1113693fc7 leonard: init host 2025-10-17 20:59:34 +02:00
57 changed files with 598 additions and 466 deletions


@@ -1,5 +1,4 @@
keys: keys:
- &bw_recovery age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
- &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct - &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
- &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773 - &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773
- &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
@@ -12,7 +11,6 @@ creation_rules:
- path_regex: secrets/[^/]+\.yaml$ - path_regex: secrets/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bw_recovery
- *user_felixalb_sisko - *user_felixalb_sisko
- *user_felixalb_worf - *user_felixalb_worf
@@ -21,7 +19,6 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *host_burnham - *host_burnham
- *bw_recovery
- *user_felixalb_sisko - *user_felixalb_sisko
- *user_felixalb_worf - *user_felixalb_worf
@@ -29,7 +26,6 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *host_challenger - *host_challenger
- *bw_recovery
- *user_felixalb_sisko - *user_felixalb_sisko
- *user_felixalb_worf - *user_felixalb_worf
@@ -37,7 +33,6 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *host_defiant - *host_defiant
- *bw_recovery
- *user_felixalb_sisko - *user_felixalb_sisko
- *user_felixalb_worf - *user_felixalb_worf
@@ -45,6 +40,5 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *host_morn - *host_morn
- *bw_recovery
- *user_felixalb_sisko - *user_felixalb_sisko
- *user_felixalb_worf - *user_felixalb_worf
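Review bot: Dropping `*bw_recovery` from every `key_groups` list only changes how files are encrypted from now on. Files already encrypted under `secrets/` keep the old recipient until they are re-keyed, so run `sops updatekeys` on each affected file. If the key is being retired because it may be exposed, also rotate the secret values themselves, since earlier revisions in history stay decryptable with it. With the recovery recipient gone, decryption depends on the host key and the two `user_felixalb_*` keys, so confirm that an offline copy of at least one of those exists.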


@@ -37,9 +37,8 @@ Other installed packages and tools are described in the config files (like ./hos
## Networking ## Networking
- I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)). - I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)).
- A long time ago, I switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix). - I recently switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix) and [here](./hosts/burnham/services/wireguard.nix).
- PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking. - PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking.
- A simple custom DynDNS thing is defined [here](./common/domeneshop-dyndns.nix) and used [here](./hosts/defiant/services/dyndns.nix).
## Monitoring ## Monitoring


@@ -7,7 +7,7 @@
flags = [ flags = [
# Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs. # Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs.
"--refresh" "--refresh"
"--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.11" "--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.05"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable" "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable"
"--no-write-lock-file" "--no-write-lock-file"
]; ];


@@ -1,4 +1,10 @@
[ [
{ # Sulu
publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
allowedIPs = [
"10.100.0.3/32"
];
}
{ # Worf { # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So="; publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [ allowedIPs = [

132
flake.lock generated

@@ -18,11 +18,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1747046372, "lastModified": 1673956053,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -36,11 +36,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1681202837,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -56,36 +56,35 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1764776959, "lastModified": 1758463745,
"narHash": "sha256-d+5CGloq7Lo1u2SkzhF8oiOdUc6Z5emh22nTXUB9CFA=", "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e1680d594a9281651cbf7d126941a8c8e2396183", "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-25.11", "ref": "release-25.05",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"matrix-synapse-next": { "matrix-synapse-next": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": "nixpkgs"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1765214213, "lastModified": 1753216555,
"narHash": "sha256-WSk8CTdIDFFP5VMJj9beve19nPMMdTsWnkCHVXqO/3E=", "narHash": "sha256-qfgVfgXjVPV7vEER4PVFiGUOUW08GHH71CVXgYW8EVc=",
"owner": "dali99", "owner": "dali99",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"rev": "82959f612ffd523a49c92f84358a9980a851747b", "rev": "099db715d1eba526a464f271b05cead5166fd9a9",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "dali99", "owner": "dali99",
"ref": "v0.7.1",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"type": "github" "type": "github"
} }
@@ -93,20 +92,20 @@
"nix-darwin": { "nix-darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs-darwin" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1764161084, "lastModified": 1749744770,
"narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=", "narHash": "sha256-MEM9XXHgBF/Cyv1RES1t6gqAX7/tvayBC1r/KPyK1ls=",
"owner": "nix-darwin", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "e95de00a471d07435e0527ff4db092c84998698e", "rev": "536f951efb1ccda9b968e3c9dee39fbeb6d3fdeb",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-darwin", "owner": "lnl7",
"ref": "nix-darwin-25.11", "ref": "nix-darwin-25.05",
"repo": "nix-darwin", "repo": "nix-darwin",
"type": "github" "type": "github"
} }
@@ -115,16 +114,14 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": "nixpkgs_2"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1764813963, "lastModified": 1734314370,
"narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=", "narHash": "sha256-9PhjDAAuXP4tuJg+kM1AozKwBFyHHJ8ZqhQD+peqGtg=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "491200d6848402bbab1421cccbc15a46f08c7f78", "rev": "616634de04e87b621bc3d495af114c4e9c6ccd36",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -135,22 +132,22 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1764677808, "lastModified": 1706098335,
"narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=", "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1aab89277eb2d87823d5b69bae631a2496cff57a", "rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "id": "nixpkgs",
"ref": "nixos-25.11", "ref": "nixos-23.11",
"repo": "nixpkgs", "type": "indirect"
"type": "github"
} }
}, },
"nixpkgs-2211": { "nixpkgs-2211": {
"locked": { "locked": {
"lastModified": 1658083977,
"narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=", "narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
@@ -160,29 +157,13 @@
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
} }
}, },
"nixpkgs-darwin": {
"locked": {
"lastModified": 1764806471,
"narHash": "sha256-NsPsz003eWD8wp8vj5BnQzPoDyeQKRUfS2dvan2Y30M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-25.11-darwin",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1764667669, "lastModified": 1760038930,
"narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=", "narHash": "sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "418468ac9527e799809c900eda37cbff999199b6", "rev": "0b4defa2584313f3b781240b29d61f6f9f7e0df3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -192,6 +173,38 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": {
"locked": {
"lastModified": 1715266358,
"narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "f1010e0469db743d14519a1efd37e23f8513d714",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1759994382,
"narHash": "sha256-wSK+3UkalDZRVHGCRikZ//CyZUJWDJkBDTQX1+G77Ow=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5da4a26309e796daa7ffca72df93dbe53b8164c7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"extra-config": "extra-config", "extra-config": "extra-config",
@@ -199,9 +212,8 @@
"matrix-synapse-next": "matrix-synapse-next", "matrix-synapse-next": "matrix-synapse-next",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-minecraft": "nix-minecraft", "nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_3",
"nixpkgs-2211": "nixpkgs-2211", "nixpkgs-2211": "nixpkgs-2211",
"nixpkgs-darwin": "nixpkgs-darwin",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
@@ -213,11 +225,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1764483358, "lastModified": 1752544651,
"narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "5aca6ff67264321d47856a2ed183729271107c9c", "rev": "2c8def626f54708a9c38a5861866660395bb3461",
"type": "github" "type": "github"
}, },
"original": { "original": {


@@ -2,22 +2,18 @@
description = "Felixalb System flake"; description = "Felixalb System flake";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; # Remember to update ./common/auto-upgrade.nix nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; # Remember to update ./common/auto-upgrade.nix
nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-25.11-darwin";
nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11"; nix-darwin.url = "github:lnl7/nix-darwin/nix-darwin-25.05";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs-darwin"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager/release-25.11"; home-manager.url = "github:nix-community/home-manager/release-25.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: Lock to release matrix-synapse-next.url = "github:dali99/nixos-matrix-modules/v0.7.1";
matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";
nix-minecraft.url = "github:Infinidoge/nix-minecraft"; nix-minecraft.url = "github:Infinidoge/nix-minecraft";
nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
extra-config.url = "git+file:///home/felixalb/nix-extra-config"; extra-config.url = "git+file:///home/felixalb/nix-extra-config";
@@ -33,7 +29,6 @@
, nix-darwin , nix-darwin
, nixpkgs , nixpkgs
, nixpkgs-2211 , nixpkgs-2211
, nixpkgs-darwin
, nixpkgs-unstable , nixpkgs-unstable
, sops-nix , sops-nix
, extra-config , extra-config
@@ -57,7 +52,7 @@
{ {
nixosConfigurations = let nixosConfigurations = let
normalSys = name: hostConfig: nixpkgs.lib.nixosSystem { normalSys = name: hostConfig: nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; # TODO - Handle system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
@@ -80,6 +75,13 @@
}; };
in { in {
# Networking / VPN Gateway
burnham = normalSys "burnham" {
modules = [
./common/domeneshop-dyndns.nix
];
};
# Media / storage server # Media / storage server
challenger = normalSys "challenger" { challenger = normalSys "challenger" {
modules = [ modules = [
@@ -99,7 +101,7 @@
fa-t14-2025 = normalSys "fa-t14-2025" { }; fa-t14-2025 = normalSys "fa-t14-2025" { };
# Web host # Web host
leonard = normalSys "leonard" { }; malcolm = normalSys "malcolm" { };
# General application server # General application server
morn = normalSys "morn" { }; morn = normalSys "morn" { };
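Review bot: On the new side `matrix-synapse-next` and `nix-minecraft` no longer set `inputs.nixpkgs.follows = "nixpkgs"`, so each resolves its own nixpkgs. The lock file on this page pins those to a `nixos-23.11` revision and a `nixos-unstable` revision whose `lastModified` values are far older than the root `nixos-25.05` input. The auto-upgrade flags shown on this page override only `nixpkgs` and `nixpkgs-unstable`, so these transitive pins would not move with upgrades. If either module builds packages from its own input (not visible here), those packages would miss security updates; keeping `matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";` and the `nix-minecraft` equivalent avoids that. The `outputs` body continues outside these hunks.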


@@ -32,7 +32,7 @@
programs.git = { programs.git = {
enable = true; enable = true;
settings = { extraConfig = {
pull.rebase = true; pull.rebase = true;
push.autoSetupRemote = true; push.autoSetupRemote = true;
color.ui = "auto"; color.ui = "auto";


@@ -0,0 +1,40 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
# Infrastructure
./services/wireguard.nix
# Other
./services/dyndns.nix
./services/nginx.nix
./services/thelounge.nix
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "burnham";
defaultGateway = "192.168.11.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.11.109"; prefixLength = 24; }
];
};
hostId = "8e24f235";
};
sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "23.11";
}


@@ -0,0 +1,30 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/31ff6d37-52d6-43c3-a214-5d38a6c38b0e";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/cce59ee7-7c83-4165-a9b0-f950cd2e3273"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
#networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

12
hosts/burnham/home.nix Normal file

@@ -0,0 +1,12 @@
{ pkgs, lib, ... }:
{
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "23.05";
}


@@ -0,0 +1,11 @@
{ config, pkgs, lib, ... }:
{
sops.secrets."domeneshop/netrc" = { };
services.domeneshop-dyndns = {
enable = true;
domain = "site2.feal.no";
netrcFile = config.sops.secrets."domeneshop/netrc".path;
};
}


@@ -0,0 +1,38 @@
{ config, pkgs, lib, ... }:
let
cfg = config.networking.wireguard.interfaces."wg0";
in {
networking = {
nat = {
enable = true;
externalInterface = "ens18";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ cfg.listenPort ];
wireguard.interfaces."wg0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/etc/wireguard/burnham.private";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
peers = [
{ # Defiant
publicKey = "8/711GhmN9+NcduHF4JPkfoZPE0qsDLuwhABcPyjNxI=";
persistentKeepalive = 120;
allowedIPs = [
"10.100.0.1/32"
"192.168.10.0/24"
];
endpoint = "site3.feal.no:51902";
}
] ++ (import ../../../common/wireguard-peers.nix);
};
};
}
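Review bot: The `postSetup`/`postShutdown` MASQUERADE rules match `-o eth0`, but this file's NAT block names `ens18` as `externalInterface` and the host configuration on this page addresses `interfaces.ens18`. The hand-written rule therefore likely never matches, and it looks redundant with `networking.nat`; either drop it or use `-o ens18` so the intended translation is the one in effect. Separately, `privateKeyFile = "/etc/wireguard/burnham.private"` sits outside the sops setup this host uses for its other secrets. Consider `privateKeyFile = config.sops.secrets."wireguard/private".path;` (the secret name is a placeholder) so the key is provisioned with controlled ownership and mode.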


@@ -33,22 +33,13 @@
"/var/lib/calibre-server" "/var/lib/calibre-server"
]; ];
# Other system backups (NB: Large!)
hostBackups = localJob "hostBackups" [
"/tank/backup"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
media = localJob "media" [ media = localJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music" "/tank/media/music"
"/tank/media/books"
]; ];
media-remote = cloudJob "media" [ media-remote = cloudJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music" "/tank/media/music"
"/tank/media/books"
] // { ] // {
pruneOpts = [ "--keep-monthly 12" ]; pruneOpts = [ "--keep-monthly 12" ];
}; };
@@ -57,7 +48,6 @@
nextcloud = localJob "nextcloud" [ "/tank/nextcloud" ]; nextcloud = localJob "nextcloud" [ "/tank/nextcloud" ];
nextcloud-remote = cloudJob "nextcloud" [ "/tank/nextcloud" ]; nextcloud-remote = cloudJob "nextcloud" [ "/tank/nextcloud" ];
# Postgresql databases
postgres = (localJob "postgres" [ "/var/backup/postgres" ]) // { postgres = (localJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
}; };
@@ -68,11 +58,10 @@
# Transmission metadata/config # Transmission metadata/config
transmission = localJob "transmission" [ "/var/lib/transmission" ]; transmission = localJob "transmission" [ "/var/lib/transmission" ];
# TODO: timemachine # TODO: timemachine, komga
}; };
sops.secrets."restic/calibre" = { }; sops.secrets."restic/calibre" = { };
sops.secrets."restic/hostBackups" = { };
sops.secrets."restic/media" = { }; sops.secrets."restic/media" = { };
sops.secrets."restic/nextcloud" = { }; sops.secrets."restic/nextcloud" = { };
sops.secrets."restic/postgres" = { }; sops.secrets."restic/postgres" = { };


@@ -13,8 +13,8 @@
./filesystems.nix ./filesystems.nix
# ./services/archivebox.nix # ./services/archivebox.nix
./services/audiobookshelf.nix
./services/calibre.nix ./services/calibre.nix
# ./services/ersatztv.nix
./services/jellyfin.nix ./services/jellyfin.nix
./services/komga.nix ./services/komga.nix
./services/nextcloud.nix ./services/nextcloud.nix


@@ -1,57 +0,0 @@
{ config, lib, pkgs, ... }:
let
domain = "audiobooks.home.feal.no";
host = "127.0.1.2";
port = 5016;
in {
fileSystems = {
"/var/lib/audiobookshelf" = {
device = "/tank/media/audiobookshelf/config";
options = [ "bind" ];
};
};
services.audiobookshelf = {
enable = true;
dataDir = "audiobookshelf";
inherit host port;
};
systemd.services.audiobookshelf = {
requires = [ "var-lib-audiobookshelf.mount" ];
serviceConfig = {
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [
"/var/lib/audiobookshelf"
"/tank/media/audiobookshelf"
];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
};
};
services.nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
proxyWebsockets = true;
};
};
}


@@ -0,0 +1,27 @@
{ config, lib, pkgs, ... }:
let
domain = "etv.home.feal.no";
bind = "127.0.0.1:8409";
in {
virtualisation.oci-containers.containers.ersatztv = {
autoStart = true;
image = "jasongdove/ersatztv:latest-nvidia";
volumes = [
"/var/lib/ersatztv:/root/.local/share/ersatztv"
"/tank/media/other/ersatztv:/media" # Filler, watermarks, etc.
];
ports = [
"${bind}:8409"
];
environment = {
TZ = "Europe/Oslo";
};
extraOptions = [
"--device=/dev/dri"
];
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://${bind}";
};
}
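Review bot: `image = "jasongdove/ersatztv:latest-nvidia"` is a mutable tag, so each pull can run different code, here with `/dev/dri` passed through and two host paths mounted. Pin a release tag plus digest, e.g. `image = "jasongdove/ersatztv:<release-tag>@sha256:<digest>";` (placeholders). The same applies to `image = "pawelmalak/flame"` and `image = "koillection/koillection"` in the other new container files on this page, which carry no tag at all. The vhost also proxies with no access-control setting in this file; whether `etv.home.feal.no` is reachable only internally is not visible here and is worth confirming.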


@@ -5,7 +5,7 @@ let
in { in {
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud32; package = pkgs.nextcloud31;
inherit hostName; inherit hostName;
home = "/tank/nextcloud"; home = "/tank/nextcloud";
https = true; https = true;


@@ -12,34 +12,14 @@
"--keep-monthly 3" "--keep-monthly 3"
]; ];
}; };
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/defiant/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in { in {
postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // { postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
}; };
postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
gitea = (localJob "gitea" [ "/tank/services/gitea" ]); gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
gitea-remote = (cloudJob "gitea" [ "/tank/services/gitea" ]);
matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]); matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
matrix-synapse-remote = (cloudJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]); vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
vaultwarden-remote = (cloudJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
}; };
# TODO: home-assistant, pihole # TODO: home-assistant, pihole


@@ -18,16 +18,18 @@
./services/wireguard.nix ./services/wireguard.nix
# Services # Services
# ./services/flame.nix
./services/gitea.nix ./services/gitea.nix
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/home-assistant.nix ./services/home-assistant.nix
./services/keycloak.nix ./services/keycloak.nix
# ./services/koillection.nix
./services/matrix ./services/matrix
./services/microbin.nix ./services/microbin.nix
# ./services/minecraft/home.nix # ./services/minecraft/home.nix
./services/monitoring ./services/monitoring
# ./services/rtl-tcp.nix # ./services/rtl-tcp.nix
# ./services/searx.nix ./services/searx.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
]; ];


@@ -5,7 +5,7 @@
services.domeneshop-dyndns = { services.domeneshop-dyndns = {
enable = true; enable = true;
domain = "site2.feal.no"; domain = "site3.feal.no";
netrcFile = config.sops.secrets."domeneshop/netrc".path; netrcFile = config.sops.secrets."domeneshop/netrc".path;
}; };
} }


@@ -0,0 +1,22 @@
{ config, pkgs, lib, ... }:
let
domain = "flame.home.feal.no";
host = "127.0.1.2";
port = "5005";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
flame = {
image = "pawelmalak/flame";
ports = [ "${host}:${port}:5005" ];
volumes = [
"/var/lib/flame/data:/app/data/"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${host}:${port}";
};
}


@@ -0,0 +1,59 @@
{ config, pkgs, lib, ... }:
let
domain = "koillection.home.feal.no";
port = 5023;
in {
virtualisation.oci-containers.containers = {
koillection = {
image = "koillection/koillection";
ports = [
"127.0.1.2:${toString port}:80"
];
environment = {
APP_DEBUG = "0";
APP_ENV = "prod";
HTTPS_ENABLED = "0";
UPLOAD_MAX_FILESIZE = "512M";
PHP_MEMORY_LIMIT = "512M";
PHP_TZ = "Europe/Oslo";
CORS_ALLOW_ORIGIN = "https?://(localhost|koillection\\.home\\.feal\\.no)(:[0-9]+)?$";
JWT_SECRET_KEY = "%kernel.project_dir%/config/jwt/private.pem";
JWT_PUBLIC_KEY = "%kernel.project_dir%/config/jwt/public.pem";
DB_DRIVER = "pdo_pgsql";
DB_NAME = "koillection";
DB_HOST = "host.docker.internal";
DB_USER = "koillection";
# DB_PASSWORD = "koillection"; # Set in sops envfile
DB_PORT = "5432";
DB_VERSION = "16";
};
environmentFiles = [
config.sops.secrets."koillection/envfile".path
];
extraOptions = [
"--add-host=host.docker.internal:host-gateway"
];
};
};
sops.secrets."koillection/envfile" = { };
services.postgresql = {
ensureDatabases = [ "koillection" ];
ensureUsers = [ {
name = "koillection";
ensureDBOwnership = true;
} ];
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://127.0.1.2:${toString port}";
};
}
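Review bot: The `CORS_ALLOW_ORIGIN` pattern ends with `$` but has no leading `^`. If the application applies it as a search rather than a full match (not visible here), the allow-list is looser than it reads. Anchor both ends: `CORS_ALLOW_ORIGIN = "^https?://(localhost|koillection\\.home\\.feal\\.no)(:[0-9]+)?$";`. With `APP_ENV = "prod"`, also consider dropping `localhost` from the alternation unless something actually needs it.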


@@ -84,14 +84,10 @@
issuer = "https://iam.feal.no/realms/feal.no"; issuer = "https://iam.feal.no/realms/feal.no";
client_id = "matrix-synapse"; client_id = "matrix-synapse";
client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path; client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path;
user_mapping_provider.config = { user_mapping_provicer.config = {
localpart_template = "{{ user.preferred_username }}"; localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}"; display_name_template = "{{ user.name }}";
}; };
attribute_requirements = [{
attribute = "matrix-roles";
value = "matrix-user";
}];
backchannel_logout_enabled = true; backchannel_logout_enabled = true;
enable_registration = false; enable_registration = false;
} }
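Review bot: `user_mapping_provicer.config` is misspelled on the new side; the key should be `user_mapping_provider.config`. As written, `localpart_template` and `display_name_template` sit under a name Synapse presumably does not read, so the provider would fall back to its defaults or the config would be rejected. The same hunk drops the `attribute_requirements` entry (`matrix-roles` = `matrix-user`). Without it, any account the `feal.no` realm authenticates can sign in through this provider, so keep the requirement unless opening access is intended. The OIDC provider block begins outside the hunk.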


@@ -17,12 +17,14 @@ in {
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"burnham.home.feal.no:9100"
"challenger.home.feal.no:9100" "challenger.home.feal.no:9100"
"constellation.home.feal.no:9100"
"defiant.home.feal.no:9100" "defiant.home.feal.no:9100"
"leonard.home.feal.no:9100" "edison.home.feal.no:9100"
"morn.home.feal.no:9100" "malcolm.home.feal.no:9100"
"sisko.home.feal.no:9100" "mccoy.home.feal.no:9100"
"scotty.home.feal.no:9100"
"sulu.home.feal.no:9100"
]; ];
} }
]; ];


@@ -54,7 +54,6 @@ in {
''; '';
} // overrides; } // overrides;
in { in {
"amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"cloud.feal.no" = publicProxy "" { "cloud.feal.no" = publicProxy "" {
locations."/" = { locations."/" = {
proxyPass = "http://challenger.home.feal.no"; proxyPass = "http://challenger.home.feal.no";
@@ -63,11 +62,17 @@ in {
''; '';
}; };
}; };
"feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; }; "feal.no" = publicProxy "http://mccoy.home.feal.no:8090/" {
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; }; serverAliases = [ "www.feal.no" ];
};
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" {
default = true;
};
"iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { }; "iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { }; "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { };
"kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; }; "kinealbrigtsen.no" = publicProxy "http://192.168.11.106:80/" {
"wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { }; serverAliases = [ "www.kinealbrigtsen.no" ];
};
"wiki.wackattack.eu" = publicProxy "http://192.168.11.108:80/" { };
}; };
} }


@@ -22,7 +22,17 @@ in {
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
''; '';
peers = (import ../../../common/wireguard-peers.nix); peers = [
{ # Burnham
publicKey = "JcfyrMoZmnbibVLaIKuGSARAX2alFv4kwLbJaLBNbzo=";
persistentKeepalive = 60;
allowedIPs = [
"10.100.0.2/32"
"192.168.11.0/24"
];
#endpoint = "site2.feal.no:51902";
}
] ++ (import ../../../common/wireguard-peers.nix);
}; };
}; };
} }


@@ -29,7 +29,7 @@
fontDir.enable = true; fontDir.enable = true;
packages = with pkgs; [ packages = with pkgs; [
noto-fonts noto-fonts
noto-fonts-color-emoji noto-fonts-emoji
noto-fonts-cjk-sans noto-fonts-cjk-sans
font-awesome font-awesome
fira-code fira-code


@@ -44,6 +44,7 @@ in {
hyprlock hyprlock
hyprpaper hyprpaper
hyprshot hyprshot
hyprswitch
nautilus nautilus
rofi-rbw-wayland rofi-rbw-wayland
swaynotificationcenter swaynotificationcenter


@@ -7,22 +7,8 @@
../../common/metrics-exporters.nix ../../common/metrics-exporters.nix
../../common/auto-upgrade.nix ../../common/auto-upgrade.nix
./hardware-configuration.nix ./hardware-configuration.nix
./services/mysql.nix
./services/nginx.nix
./services/postgresql.nix
./services/wiki-wackattack-eu.nix
./services/www-feal-no
./services/www-kinealbrigtsen-no.nix
./services/www-amalie-mansaker-no
]; ];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = { networking = {
hostName = "leonard"; hostName = "leonard";
defaultGateway = "192.168.10.1"; defaultGateway = "192.168.10.1";
@@ -32,16 +18,6 @@
]; ];
}; };
hostId = "b99c12d1"; hostId = "b99c12d1";
# Prepend the following output rules to disallow talking to other devices on LAN
firewall.extraCommands = lib.strings.concatLines ([
"iptables -F OUTPUT"
] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
"iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
"iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
"iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
]);
}; };
sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml; sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;


@@ -1,20 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.postgresql = {
enable = true;
enableTCPIP = false;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
services.postgresqlBackup = {
enable = true;
location = "/backup/postgresql/";
startAt = "*-*-* 03:15:00";
backupAll = true;
};
environment.systemPackages = [ config.services.postgresql.package ];
}


@@ -1,38 +0,0 @@
{ config, ... }:
let
bindIP = "127.0.1.2";
port = 5051;
cfg = config.services.wiki-js;
in {
# sops.secrets."wikijs/envfile" = {
# restartUnits = [ "wiki-js.service" ];
# };
services.wiki-js = {
enable = true;
# environmentFile = config.sops.secrets."wikijs/envfile".path;
settings = {
inherit bindIP port;
db = {
type = "postgres";
host = "/run/postgresql";
db = "wiki-js";
user = "wiki-js";
};
};
};
services.postgresql = {
ensureDatabases = [ "wiki-js" ];
ensureUsers = [{
name = "wiki-js";
ensureDBOwnership = true;
}];
};
services.nginx.virtualHosts."wiki.wackattack.eu" = {
locations."/" = {
proxyPass = "http://${bindIP}:${toString port}";
};
};
}


@@ -1,11 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."amalie.mansaker.no" = let
siteContent = pkgs.callPackage ./site.nix { };
in {
locations = {
"/".root = siteContent;
};
};
}


@@ -1,26 +0,0 @@
{ stdenv, fetchgit, hugo }:
stdenv.mkDerivation {
name = "www-amalie-mansaker-no";
src = fetchgit {
url = "https://git.feal.no/amalieem/amalie.mansaker.no.git";
fetchSubmodules = true;
rev = "15142c93da33414a0be49384a03b704ad95e31be";
hash = "sha256-oq5NC11UDYjYKToPsEXovCiIBD5adamVwi3scOFzpHM=";
};
nativeBuildInputs = [ hugo ];
buildPhase = ''
cp -r $src/* .
${hugo}/bin/hugo
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -r public/* $out/
runHook postInstall
'';
}


@@ -1,26 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."feal.no" = {
default = true;
serverAliases = [
"www.feal.no"
];
locations = {
# TODO: Reinstate actual website
"/".return = "302 https://git.feal.no/";
"^~ /.well-known/" = {
alias = (toString ./well-known) + "/";
};
"/cc/" = {
alias = "${pkgs.cyberchef}/share/cyberchef/";
index = "index.html";
};
"= /cc".return = "302 /cc/";
};
};
}


@@ -1,5 +0,0 @@
{
"m.homeserver": {
"base_url": "https://matrix.feal.no:443"
}
}


@@ -1 +0,0 @@
{"m.server": "matrix.feal.no:443"}


@@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../common/auto-upgrade.nix
../../common/metrics-exporters.nix
./services/mysql.nix
./services/nginx.nix
./services/www-ctf-feal-no.nix
./services/www-kinealbrigtsen-no.nix
];
networking = {
hostName = "malcolm";
bridges.br0.interfaces = [ "ens18" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.11.106"; prefixLength = 24; }
];
hostId = "620c42d0";
defaultGateway = "192.168.11.1";
# Prepend the following output rules to disallow talking to other devices on LAN
firewall.extraCommands = lib.strings.concatLines ([
"iptables -F OUTPUT"
] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
"iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
"iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
"iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
]);
};
# virtualisation.oci-containers.backend = "docker";
# systemd.services.docker.postStart = lib.concatMapStringsSep "\n" (rule: "${pkgs.iptables}/bin/iptables ${rule}") ([
# "-F DOCKER-USER"
# ] ++ (map (addr: "-A DOCKER-USER -p udp --dport 53 -d ${addr} -j RETURN") config.networking.nameservers) ++ [
# "-A DOCKER-USER -d 192.168.10.0/24 -j REJECT"
# "-A DOCKER-USER -d 192.168.11.0/24 -j REJECT"
# "-A DOCKER-USER -j RETURN"
# ]);
system.stateVersion = "24.05";
}
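Review bot: The DNS exception in `firewall.extraCommands` is UDP-only, so a lookup that falls back to TCP port 53 would hit the `nixos-fw-refuse` rules whenever `config.networking.nameservers` points into 192.168.10.0/24 or 192.168.11.0/24 (the nameserver list is not visible here). A second mapped entry, `(map (addr: "iptables -A OUTPUT -p tcp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers)`, keeps the exception symmetrical. The rules also call `iptables` only, so the LAN isolation described in the comment covers IPv4 alone. If `br0` ever carries IPv6, an equivalent `ip6tables` set, or a comment stating that IPv6 is unused on this host, would make the intent explicit.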


@@ -0,0 +1,30 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7240554f-d9d9-457a-91d5-c70c09d96595";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/88C2-BAC8";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

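--- a/hosts/malcolm/home.nix
+++ b/hosts/malcolm/home.nix
@@ -0,0 +1,12 @@
+{ pkgs, lib, ... }:
+{
+imports = [
+./../../home/base.nix
+];
+programs = {
+zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+};
+home.stateVersion = "24.05";
+}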


@@ -0,0 +1,17 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
clientMaxBodySize = "100m";
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."kinealbrigtsen.no".default = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
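Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens 443 although no virtual host added for this host in the visible sections enables TLS, and the public proxy entry earlier on the page forwards to `http://192.168.11.106:80/`. If TLS terminates on that proxy, `networking.firewall.allowedTCPPorts = [ 80 ];` is enough. A one-line comment such as `# reached only through the public reverse proxy` would record the intent. The `values` module argument is not used in this file and can be dropped from the argument set.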


@@ -0,0 +1,14 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."ctf.feal.no" = {
locations = {
"/".return = "302 https://www.feal.no/";
"/cc/" = {
alias = "${pkgs.cyberchef}/share/cyberchef/";
index = "index.html";
};
"= /cc".return = "302 /cc/";
};
};
}


@@ -8,11 +8,9 @@
../../common/auto-upgrade.nix ../../common/auto-upgrade.nix
./hardware-configuration.nix ./hardware-configuration.nix
./services/nginx.nix
./services/glance ./services/glance
./services/miniflux.nix ./services/miniflux.nix
./services/thelounge.nix ./services/nginx.nix
]; ];
networking = { networking = {


@@ -9,7 +9,7 @@ in {
enable = true; enable = true;
adminCredentialsFile = config.sops.secrets."miniflux/env".path; adminCredentialsFile = config.sops.secrets."miniflux/env".path;
config = { config = {
CREATE_ADMIN = true; CREATE_ADMIN = "1";
LISTEN_ADDR = listen_addr; LISTEN_ADDR = listen_addr;
BASE_URL = "http://${domain}"; BASE_URL = "http://${domain}";


@@ -39,6 +39,7 @@
programs = { programs = {
alvr = { alvr = {
enable = true; enable = true;
package = pkgs.unstable.alvr;
openFirewall = true; openFirewall = true;
}; };


@@ -34,7 +34,7 @@
nerd-fonts.hack nerd-fonts.hack
noto-fonts noto-fonts
noto-fonts-cjk-sans noto-fonts-cjk-sans
noto-fonts-color-emoji noto-fonts-emoji
]; ];
}; };


@@ -16,6 +16,7 @@
emacs-gtk emacs-gtk
feishin feishin
gqrx gqrx
jellyfin-media-player
kitty kitty
libreoffice libreoffice
lutris lutris
@@ -33,7 +34,7 @@
swayimg swayimg
thunderbird thunderbird
tor-browser tor-browser
bolt-launcher unstable.bolt-launcher
exiftool exiftool
ghidra ghidra
@@ -48,6 +49,7 @@
hyprlock hyprlock
hyprpaper hyprpaper
hyprshot hyprshot
hyprswitch
nautilus nautilus
networkmanager networkmanager
rofi-rbw-wayland rofi-rbw-wayland
@@ -103,6 +105,7 @@
rofi = { rofi = {
enable = true; enable = true;
theme = "iggy"; theme = "iggy";
package = pkgs.rofi-wayland;
}; };
zsh = { zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";


@@ -111,6 +111,13 @@
}; };
# firewall settings
alf = {
# 0 = disabled 1 = enabled 2 = blocks all connections except for essential services
globalstate = 1;
loggingenabled = 0;
};
# dock settings # dock settings
dock = { dock = {
autohide = true; autohide = true;
@@ -126,16 +133,12 @@
}; };
}; };
# firewall settings
networking.applicationFirewall = {
enable = true;
blockAllIncoming = true;
};
system.keyboard = { system.keyboard = {
enableKeyMapping = true; enableKeyMapping = true;
remapCapsLockToControl = true; remapCapsLockToControl = true;
}; };
# nix.package = pkgs.nix;
system.stateVersion = 5; system.stateVersion = 5;
} }
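Review bot: The `alf` block added in the first hunk sets `globalstate = 1`, which by the comment directly above it only enables the firewall, while the `networking.applicationFirewall` block removed in the second hunk had `blockAllIncoming = true`. The new side therefore accepts inbound connections that the old configuration refused. If that relaxation is not intended, use `globalstate = 2;`, and consider `loggingenabled = 1;` so that blocked connections leave a record. Both enclosing attribute sets start outside the hunks.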


@@ -26,7 +26,7 @@
prismlauncher prismlauncher
restic restic
snicat snicat
# spotify # TODO - broken in 25.11 spotify
tldr tldr
w3m w3m
zellij zellij
@@ -61,7 +61,7 @@
apps = pkgs.buildEnv { apps = pkgs.buildEnv {
name = "home-manager-applications"; name = "home-manager-applications";
paths = config.home.packages; paths = config.home.packages;
pathsToLink = [ "/Applications" ] ; pathsToLink = "/Applications";
}; };
in in
lib.hm.dag.entryAfter [ "writeBoundary" ] '' lib.hm.dag.entryAfter [ "writeBoundary" ] ''
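Review bot: `pathsToLink = "/Applications";` in the second hunk passes a bare string where `buildEnv` takes a list of path prefixes (its default is `[ "/" ]`). Whether a string is still accepted depends on the nixpkgs revision in use, so the list form `pathsToLink = [ "/Applications" ];` is the safer spelling. The activation script that consumes `apps` continues outside the hunk.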


@@ -5,6 +5,7 @@ let
in { in {
services.yabai = { services.yabai = {
enable = true; enable = true;
package = pkgs.unstable.yabai;
enableScriptingAddition = true; enableScriptingAddition = true;
config = { config = {


@@ -1,44 +1,40 @@
domeneshop: domeneshop:
netrc: ENC[AES256_GCM,data:iN9TEMRQpEUbq5kQRXKNG1pFr2rtQtCBXuK1w/7Wn6FAiWkGmCu8GIjPSDnMkZ4+l3kxJhNSix3AzIQwp6oayV1hIoFTWgz/OHKrq2TtQIFy5gs0u0Ump2tmQZFP3GgxSEagfp+c6MbQkjCh0t/PKiPE5MRJJnOJ4/0D,iv:Ta7T5lnQQpMwO+zYgFE9izs78+gtleolk6l7DDnrMoo=,tag:UXeoR+tW5t4DMazb26FsHw==,type:str] netrc: ENC[AES256_GCM,data:iN9TEMRQpEUbq5kQRXKNG1pFr2rtQtCBXuK1w/7Wn6FAiWkGmCu8GIjPSDnMkZ4+l3kxJhNSix3AzIQwp6oayV1hIoFTWgz/OHKrq2TtQIFy5gs0u0Ump2tmQZFP3GgxSEagfp+c6MbQkjCh0t/PKiPE5MRJJnOJ4/0D,iv:Ta7T5lnQQpMwO+zYgFE9izs78+gtleolk6l7DDnrMoo=,tag:UXeoR+tW5t4DMazb26FsHw==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct - recipient: age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArTkptaHV0QVRIR3l2MmhG YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSGdKelVWY29UbXQvZzdv
OE4rTitWMDQxaFVmVW9YNDdNSDNFZFRUYVhjClhQNVNSN1daMGJTcGxhN3NDM2lm RmM3cnhUUzNDVXowcHEzWjYxalFRcUdqckhrCldQRDJEOFNBOUtYSG44QUwxQkdv
RmFQL0t1MWwycWRjNGZ2RjAxWTQrWkEKLS0tIG1VREFJWE9SZjdFamN5bzB3R2hK N1Iwa0J3Zys1Mi9BS0Jwc3VxcEpEQjQKLS0tIEhLZE9JNyswT0dhdmlJWEkyblpZ
bEZpNXh4SENwMHcxYWZRajFCc3BGMDQKXzZCHsdK5cDWf6NszonfMcZBTI1z0fvn RCs1ejl0NXJNcEpXRDlCa3VYZkpSWU0KHO1KGqLZ6FRUNCi7sK+YpbeSTCYfnCOc
wod71wiDaJV9pO8Za+9aKrE7V3SnKnO1F7Vjz8SjEYtNPd5wNV6vaQ== ruNPNxW7/WPRzsL3xnqGLtiFUm9x36j4apTHcTxns5xtsLPlBx1QBA==
-----END AGE ENCRYPTED FILE-----
- recipient: age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Qm8weVQxQXd5RTlGVk1w
NHoraisrUElKMUMvVFZkckF3U2llQVNScUdZCmRwWjlXT2MzUmFrb3l4UDQxOEta
QmtXM2NCbmRVN3hlVkkvZHgyb0xvWVEKLS0tIFdla25GcndNTGN0U0djSmZHaFZr
YXI2aGJzZkZvZ1FHY3d2WnZHSVZrc1kK1qJN+uLLwMQteaHILB68PXIqhh4fPCZn
V+NrCUKyCkxAWdr10oXnswdaqwEpwlsm/ZzingrWN6cVIFC2DiYArQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl - recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWmEvb2dZRFJEczl4YlVP YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZkMzOFlZaDN5a3pIclYw
YnNFdWYvZitzLzNaR1NHK0lhYktoR3QwNWlvCnZ6QjZDNWU3aDJpZm5DYVBvSEpB dlphY1NYb2JBaVBvL1dlYW1GNlNRTlIxL2lRCmlVUXlSeXBYeTAzY1J0V1JONVNF
akVTTCtoZTlMVGNnN2o5ODZFY3pXa0EKLS0tIFpLRENwb2hXR2RCYk96UTF3cnFQ UlQ0WVpYVXd2MkM0aXY2YkJIRkJWdDQKLS0tIDJ3cnNYdG1XYk4zR0RWMmZqd1BN
UXczQWdMcnZuaUxyUFMxYTd0UHVrTGcKW4b7Bdr1gFZDSQtW3WAy1c1LRJhZijSM bGd2NXBEM25OUkZ3SzYrUEROTEYzQ3cK7zPaaoJwQ8SBMM8MKFhMMq2WB3R7E7lh
wcLl4SHtiaLKwtulOaH5jx6T2pbbMRztDK9LJ/7qc/hVT80kFNgrGA== VxksH4/6+5FAg0skiZi2dzUhJ0qqL5C5AR+vPW4qJIWWo34Gv45CQg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRb0lNdW5ITXN4a2RSRjdp YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2OVlIUUpsTDVWOXFXSGts
ZHl2dzI4bjZGQUhEYzZiUkV6QTloU0xOQUZVCk5YMmVObW1vL0lQKzhCaktoMk0y SExkSEFRa1E0YzhiYnkxclZzQTk1bXA1M0RrCm54V1pzblhDbnV5RncwSVJXQ1VC
OUtrTTBRTzlqaEhKOEdxZy80QnRoUDQKLS0tIGR6NHlkQzRDMXpQdDc5eEpkSEpL UGhORXl2a0w0OER2YUdnYUFJN2RKcTQKLS0tIDB4MWVGbmhvakVSMEl5NndrWHpi
OXFLenpUNUhyek5ZRm0wUWFnaGNxeDgKw3TZWAA7rc2gRv74NVXrdDbQrBBah4ZH TFprZS8zckJJOEhqQVhUc0RXNGdhRFUKHxGMfEUJA2sN7Lw1YrV2s0hx3iwKrpKq
4bS5+2kXdE+UINw9OZtuDYeXWr1NWP707R+JFuyKRSrFOUk0913y0Q== oV6X4CYZ92w2tPqgRrZ59DNXNEdVR7U/dEy2Ta+5jIA+cnnKu48BFw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-08T00:11:46Z" lastmodified: "2024-09-08T00:11:46Z"
mac: ENC[AES256_GCM,data:/LgohCkIf5CSHdKVsBWzVbTwul7+HtFeG5a+qA9gjhTzdBaV985IeVPB0Vithmwu+h7BgsL3AGy2EADxGy7UtyhB7+UbcdDoPxHOFtiqv0Rjp4mNMirwjHcMSk42DWMw6+Wgfdy0FZlRkz4pOutZ2bRgehpQP2IYqlm8pjs9TiE=,iv:21wgEwUVRZvqW7uNjeANK8MJLbzy6LOb+iBXcHsp/H4=,tag:lV2qPE6gMNQsS1zom54sgg==,type:str] mac: ENC[AES256_GCM,data:/LgohCkIf5CSHdKVsBWzVbTwul7+HtFeG5a+qA9gjhTzdBaV985IeVPB0Vithmwu+h7BgsL3AGy2EADxGy7UtyhB7+UbcdDoPxHOFtiqv0Rjp4mNMirwjHcMSk42DWMw6+Wgfdy0FZlRkz4pOutZ2bRgehpQP2IYqlm8pjs9TiE=,iv:21wgEwUVRZvqW7uNjeANK8MJLbzy6LOb+iBXcHsp/H4=,tag:lV2qPE6gMNQsS1zom54sgg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1
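Review bot: Dropping the recipient `age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur` from this file does not revoke that key's access to the stored secret. The `netrc` ciphertext, `mac` and `lastmodified` are identical on both sides, so only the recipient stanzas were rewritten and the data key appears unchanged. Anyone holding that private key and an earlier revision of the repository can still decrypt the value. If the removal is meant as revocation, rotate the data key (`sops --rotate`) and replace the credential itself. If it was a recovery key, confirm the remaining recipients are backed up. The same recipient is removed from the secrets files that follow, where the unchanged value ciphertexts suggest the same situation.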


@@ -4,51 +4,41 @@ nextcloud:
adminpass: ENC[AES256_GCM,data:DL5SnyPPUxiVjfIHZ/ZYJi2pNu6x,iv:/bThFVYgHsN3Yr2EJf0+YWhAVIei9ENaHfAH1ADC5Ws=,tag:bNp+2trtwFNYOqruvqPRGw==,type:str] adminpass: ENC[AES256_GCM,data:DL5SnyPPUxiVjfIHZ/ZYJi2pNu6x,iv:/bThFVYgHsN3Yr2EJf0+YWhAVIei9ENaHfAH1ADC5Ws=,tag:bNp+2trtwFNYOqruvqPRGw==,type:str]
secretsjson: ENC[AES256_GCM,data:xmdwWBe8LWsSEI64KhSeXbA1B0ahfoGwNmgl33JWteF4AakdI73zfbdIhUBqqlqfbL0uCGlqCiOyRA02h8197mk=,iv:ncKz9ObwoFoVjT0qMzBJ0BqVBNx0ScdMRl82ZNQp4FI=,tag:6S8fqHhvE/gaknxsb+q3Jg==,type:str] secretsjson: ENC[AES256_GCM,data:xmdwWBe8LWsSEI64KhSeXbA1B0ahfoGwNmgl33JWteF4AakdI73zfbdIhUBqqlqfbL0uCGlqCiOyRA02h8197mk=,iv:ncKz9ObwoFoVjT0qMzBJ0BqVBNx0ScdMRl82ZNQp4FI=,tag:6S8fqHhvE/gaknxsb+q3Jg==,type:str]
restic: restic:
calibre: ENC[AES256_GCM,data:wAvhB303cUm0rJKwQ31pd8lYHJSlOzBW8BiCygF3JC8=,iv:kUFEiP8sTcaiAIW4QZ7ZfA4aqjJsIIA5mq+gVzgryaU=,tag:STHLWF+T4XeQIDSt4F63Lw==,type:str]
hostBackups: ENC[AES256_GCM,data:lUK1oi+efynRbweO7sg6ayr3LI3G4aXyx5s4n+rtw3A=,iv:oPZLmCXh2G0xnFrmOokx8yixbRSwlmz5NY1s9pJGDgs=,tag:imKUkCfPGeOjRh6reODG7g==,type:str]
media: ENC[AES256_GCM,data:JwIX2r/ebE+LMS49s1xqbRjA8yfMRDEAnln5eN57L4o=,iv:zqxeEv7ogujMqBPZnRF7STDjVlKqMa1rGLjMY5iusgU=,tag:O9PofkyovSYH7qlX6r97DQ==,type:str]
nextcloud: ENC[AES256_GCM,data:O7qT07ns9FodnZu63cPwBqHGslfMIafFvyPPrTrYEdk=,iv:fJ7A5gLThuVumnteL1P82Gq1EtiSAPGXoCZgzJKqVQs=,tag:Hp/kI3TeZQCaM+gP1W1i7w==,type:str]
postgres: ENC[AES256_GCM,data:AZv28LIbGC2oAKjbU1H4gaCZF28utJJFXlKNO/BkL0U=,iv:xOJCIoFGtnEqV80rmiBBMa3dMZnPjaDIce+MAZkGZdo=,tag:dLTwE004KGfP3z9EoMVCCw==,type:str]
transmission: ENC[AES256_GCM,data:UUf8/WV7Q7vbs05lEeqflcSj0uH9abilFF1daATyrwU=,iv:WQZ7hGRQ3/3t34aO7K5Az1AOZtR6qG4p1CqZTdsEqZA=,tag:2ELh2bYVi1sgW66FbSnVHg==,type:str] transmission: ENC[AES256_GCM,data:UUf8/WV7Q7vbs05lEeqflcSj0uH9abilFF1daATyrwU=,iv:WQZ7hGRQ3/3t34aO7K5Az1AOZtR6qG4p1CqZTdsEqZA=,tag:2ELh2bYVi1sgW66FbSnVHg==,type:str]
postgres: ENC[AES256_GCM,data:AZv28LIbGC2oAKjbU1H4gaCZF28utJJFXlKNO/BkL0U=,iv:xOJCIoFGtnEqV80rmiBBMa3dMZnPjaDIce+MAZkGZdo=,tag:dLTwE004KGfP3z9EoMVCCw==,type:str]
nextcloud: ENC[AES256_GCM,data:O7qT07ns9FodnZu63cPwBqHGslfMIafFvyPPrTrYEdk=,iv:fJ7A5gLThuVumnteL1P82Gq1EtiSAPGXoCZgzJKqVQs=,tag:Hp/kI3TeZQCaM+gP1W1i7w==,type:str]
calibre: ENC[AES256_GCM,data:wAvhB303cUm0rJKwQ31pd8lYHJSlOzBW8BiCygF3JC8=,iv:kUFEiP8sTcaiAIW4QZ7ZfA4aqjJsIIA5mq+gVzgryaU=,tag:STHLWF+T4XeQIDSt4F63Lw==,type:str]
media: ENC[AES256_GCM,data:JwIX2r/ebE+LMS49s1xqbRjA8yfMRDEAnln5eN57L4o=,iv:zqxeEv7ogujMqBPZnRF7STDjVlKqMa1rGLjMY5iusgU=,tag:O9PofkyovSYH7qlX6r97DQ==,type:str]
sops: sops:
age: age:
- recipient: age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773 - recipient: age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIOFI2QUZFNHVIcVM0QzRP YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxK2JPa1lKejhtTWl6QWdC
V2o3cmJGcUVPakYzdmNrMzBvRFJtTWdZczJRClpETzVMdUlaQ2NmdndYMFkvbCtw VE1hRWpZRW84Sm56TEZVejVEVE9oamFRejM4Ci9tTTFhTVRUUEVybmYvVzNldDZ2
eThKOG1nZ1pyQVhZRHVaTllId2lqZ00KLS0tIDdDYmkzOUZacE5KRjIvT1pqRjBy eCtDSURVQVpkblJ3T0VSR3NZSzZZV3cKLS0tIHVncTVEMlhGSHU0RFNkWGJNUWwx
bVh2Sm9jbnUzMnRiamJUTHdDd1d3SlUK3CZ4aIkXcz3HG/Wyo901H7pMtG9g/3PX TmhsZ2VMSkNCdFU4MDZtb1hQU1dhYjgKjZRvO8LCey5cBwNYUra1ZHq/gwcvT9yl
+Ug+1oZaUovfb9isYcKX7KeTY8sF0G2VeFCunHwjR6K0FyW8CY0eWg== 2VsJa5ayEycFjyC9lcS6D+A5VrlKLHwc3r++QWx0Ab2GNfj6VOvoXA==
-----END AGE ENCRYPTED FILE-----
- recipient: age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQzVuYWhoSEIrR2twR0tE
Ri9acHErS3dlZUYxWGRWeE5VeitvRk1mZHdBCjh2SEtQZ3pMNzFzamQ2MjJZaWpF
ZVNvOHNnYkZ1aFFtb2ovdWJQK1A3dVEKLS0tIFdoVzZURDlFTk5wUGlzK24wZ255
VTlybXUyeHlqakdaRW9vcFpIRGNvVzQKmp8mEAdoaNPYyqVMj0VLnibEXTaYOWRC
see+8vrIjQRVePvHbb4jMzH4/pqQ2BEnbh4p5MVDsYd2Od/tfjaLhA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl - recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVUtLS2hpVUtwM3FiTDZl YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRTV4SzJ5VHdjckRmM0pT
cmY3cWV3MXJ0ODJzRkFnVExESmkwY3lRWHc0CnhKVWR5YThaRnljbitsWWh2am43 eXZiQmxWZFZJZllWVkJ3VytmM2ZQZURoTXdzCkFTTFhoTkhPeUlyenV1R01yTld3
S3NpakVld3VqNlNxUi9lcDZvWDlDTkkKLS0tIEhpL0xOK2I3SEhHeGtDL0ErcVlz RCthTjlpR3Z2R00wNGlzSHBUVFhCaEkKLS0tIERYa0g4TEJKTG9pNEgzbzgwbXFj
WlpUZWV2MmJORWpNQ3hoSzlRWnNOVmMKbFX/mlFp2uMoRcdptQvV36D2yoDK9u5m TlpiT0N3VTFscHh0dVA4Q0NTb3p1Q0kKdRNi6JfIXqw/CmQtFBXtwphR9SiL/0Hd
6fcg6rcXa3BLVSQa81dhSFUrWZtWeW1pLV27k3iF3/zJ6FtL826Qvw== RMDMVDeGRoJHhlK6ml1/NLk8ygar1fwWzg5Ff/2xL40ZL9AsoLsFGA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZGdsbUttSG80RFpyRmkv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnSGJPS2VPOGxQR0tWSWgr
T1lFc2hJTXlGdlFBdHFxZEZ1eUhjT3RmazMwCmo5em56eG9rRmhkSkIyeGRsbEhz bm84dTNITFlzdWdRNDJzQTRqRTk2aTI2a2k4CnBLdTJLTStvaFBKaWk1NkZBdzBK
OW5rVjlERWlNYndySVlHWFVtUk0xb1kKLS0tIDl5NnY2QnA3TEtvK2VsWG0zRk1X T0o4UDBJVHRQVStOQXpsRldhQU9jREEKLS0tIFRPc3hPaEkwN0JBcG4ySUkxZHUr
aXkxd2s2WUV0WnV6TGFodXhyNmN1eE0KfOnhI4/4rS5cD+UXuGV4AyZm32LoUw5O QUFVam5VSkxLVmhsdU02eWtoWmdoeG8KXnixIU8SaD1DCe9Z1doBdwGs1sqv5k8W
PVdfXxuksQl5jQ7BJv4cyBe7F/cb+Knd8F37T/5OqxEbtm3bBUfmyw== WLNGcfKXW4sMU712nYSz05SVl99sCJSzUMJFEQWjdVAaR9TRO6Qz8w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-18T21:43:12Z" lastmodified: "2025-07-30T21:51:23Z"
mac: ENC[AES256_GCM,data:Bt5CrMY2Etl3iSZRVl58PN1ogYpLn3eXhuVCB0j4MKMphyLVJP1qxiQimpa5wriycJKqwBwvCDzJ7pLTxpHDOZaG6R3YfNYPEZlLAIiyOjZvF1ZBTbnF7cFp0thDuzPoFlEHeTFmY6Pe5GwXmSeUFo4ijghvbsFQ5IYXfWNoYz0=,iv:NCwLoI9g7poYbCME0/fUOZegMNOhc3ZvGpAhYoVeLMc=,tag:fiops2KveC/u3Nrmrftk/Q==,type:str] mac: ENC[AES256_GCM,data:oVHx7fjXjqBVVPSP6Ei7BnOuRieaIpJNjTKbeP2tU7PDB7quhngEgb7K07dJvpAz7MB7dIkLx5e5oL408zy4xMHBHdTst4Qbzpieh0FmJ9LfueQs37IO2OaVL7HcWf4cTF1sV4o2CldGQoL/724s9kOB1wDGVz9/KDGCR/X2gSI=,iv:UP1k9GJ3oRqzNZxwEosaeIrncpE0Om4tI1YqLvLvweI=,tag:Ys/nMJ28Y3IbySiKj/qqHw==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.10.2


@@ -18,47 +18,45 @@ restic:
vaultwarden: ENC[AES256_GCM,data:tZKf1jeQPBASruDP67NrVfwFoAZ20whQIHf1SWIQz0s=,iv:kyfqvEf/DiAGHAU99HVGri15kluewijkSPOCGKjxIaQ=,tag:tmDQPH2IjjUV5wLegXXybg==,type:str] vaultwarden: ENC[AES256_GCM,data:tZKf1jeQPBASruDP67NrVfwFoAZ20whQIHf1SWIQz0s=,iv:kyfqvEf/DiAGHAU99HVGri15kluewijkSPOCGKjxIaQ=,tag:tmDQPH2IjjUV5wLegXXybg==,type:str]
keycloak: keycloak:
postgres: ENC[AES256_GCM,data:OYvpSyBAQfAJg4/syz1r,iv:Ge6m63YPl+gJPepIRmBz747bXqUo65MHQaRn1S/8m2I=,tag:18bFwYtmcslXlgflfYqM8w==,type:str] postgres: ENC[AES256_GCM,data:OYvpSyBAQfAJg4/syz1r,iv:Ge6m63YPl+gJPepIRmBz747bXqUo65MHQaRn1S/8m2I=,tag:18bFwYtmcslXlgflfYqM8w==,type:str]
koillection:
envfile: ENC[AES256_GCM,data:3wq6xiULzELDxtDsBfPbKrnEsAEoG9oQREyaEoe0AVpJziVMrhEQruLCl1F/,iv:IscSmKD8nwQ2HmNnC+54rZrWMimdYPLCArmt/ToTdNM=,tag:J3QYTUtJhpn+R8hpqkA9zg==,type:str]
searx: searx:
envfile: ENC[AES256_GCM,data:BlLVb7C2z/kFxULQnNsGucFZg/R57i0GGMZ6PUhkG1fmYGdY0q31948Z1NoMMaEcwQEdOX6Z8+m96o/RjRTt7K3V+n5+cI1OX9pfoTBwDcJ7/w==,iv:MM+t38IZFdzCXM4jG7jH0uZZP8Zs8kyH8Xe3bPiVmUM=,tag:0ezofl1dDXm1o974f2wRrw==,type:str] envfile: ENC[AES256_GCM,data:BlLVb7C2z/kFxULQnNsGucFZg/R57i0GGMZ6PUhkG1fmYGdY0q31948Z1NoMMaEcwQEdOX6Z8+m96o/RjRTt7K3V+n5+cI1OX9pfoTBwDcJ7/w==,iv:MM+t38IZFdzCXM4jG7jH0uZZP8Zs8kyH8Xe3bPiVmUM=,tag:0ezofl1dDXm1o974f2wRrw==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 - recipient: age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSS82bDZyaTJ4WldUd29U YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3YUtSSkNIRlV3ek44bzFq
akY5Z2ZaeDJldHFQUXlRbUdSeTFRR3VCYjJJCkZ1UXZreG51Yi8xMGh5N0I1ZVhE OEtjM3FiWEVjeDV4YWFHcVpHTXhzejdISUNjCnU3RFl4bWdLd0JHYWZOS2drck14
WVpHbjdCRmMvNHZGN1VQdXdQdllxOFkKLS0tIFowdzk4d0RkYXJrdUFGTjF3bGJE WG1HM3JjcCt4V3hJRE5vYkxINjI3NzAKLS0tIFlTRjRQU245YlpPbk9OVVBoTTNy
NFdGMkwxbVMrb0NjZXUwVUpRWXl6REEKWLriQM+2Fp64v3r1HJQu5gKR+SY+qa40 MWNsNVphclByb2lYWWJ6aFRnVFd1czQKMNHrQtWQy6cqXyb0wJBYYoULfZjAV+vn
0lI7gsQj01WMpTb8sja2K5QN7cQOauMQUU6ceVQtzY4LMDLTxDz92g== 9Qz2t6qF+klTxY25TkDFBF+Jcmojn1rfTeT4/c39bE3spf/XgBYw7Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxR0liazVRR0JaUW03TG5T
MVR4UzM3V3ZTbVRkYzdFTFNWdmhIVFBKK2t3CmRmNmF6WjZoZUt6WkpwMUVla2FF
OHBYdkFaWHI0bzRyUVhmN2dzdlJuYXMKLS0tIFNOUEUydXNRR252QzJKOUJhMU1D
RXdlMG1Lc00yaDY4b1N3SU1NdkIzN0kKaRGpGQUcq45DHuyb+6WQ+tMuDikt+Bra
pEwiB3gXODDyRw+vB3NPoOvno6QGzt4tqPFgx3qEUT37tESrOZXOhQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl - recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQnFVc3VwTDNDbW0rQkJX YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBESExuSFl2SUJYTzIvbEp4
UVFZaXVGR2d3SklqWUQyWHVCZlFOckQ1czBFCmNSQ2ZkVENmZ2RpY2MydmorWDFD a00rNGo4VnpvVkl5cit4NnBqQTA2TW1sL2k4ClMrUFNMS1QzY2NQVlR6Vk1oZE5L
WGs1K3NIZUxDZVROVUx3Vm85QlRLRzQKLS0tIDNXd1E5WkpUMVpXYml1Z0svQk0z SGdaWThMZ2FKYVZyRWl6YzZrMXRoRUUKLS0tIDRBNUZMRW9Jb0h1bXZ2WTBmU3NU
RVpCUDVSclNTdEVWOU5UbGdhclo1K1kKbSECXCnCxsAJUcbz1/64FBtkVGRA6oWO dDNUWVVaSHBRTHg3MGJNSlpBeVBPS1EKPwtufnjNTMVqDJlthcFEmdmdLpwiLLrT
qL0g67gyIV5ycd0s9f8sz+r54zxwdQXiJ1BFyewGPZD4CzepeM6SBA== o+68EGQDTZtzzZunfMHEecl8lOylgIdoVDU4J8Q2TOPaI7mUBd1B3A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsU0VRUDhqZjJhSkl5dk41 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlR0ZOakd0bkxCSG4zbkFJ
U292RXNOUlUvcjhwM09zZlpOejhiWFg1WjJVCmFlSzJWb0dhQk45U3dBY0dOS0F6 ejZ1ZEkxODRBckpLV3p0eVNFa3JHYkhHcVZZCk11RjlmL2pqLzNNL1Q0bHhmK0Jy
OFBrNlFNNG9rZDJLajVaaVA3c0lkNGMKLS0tIGc0blBuMzRMbmdxU2VTc1pNenlY YkpIdlN2KzdGaFlTdlNCNVRJZmZ4ZHMKLS0tIHR4UzFsNUcyVytxY0FPYVhSZmpn
ZVp5RHU2U1ppakJCMFozWUNGSXhvNkkKDVPJGjPDaX+n3v27PBdMyk9kuzXnRIop VVpkM0dwMnRwMlZhbGRWaE1tRVZLbWMKhDnvP1GLD6LqXJ4PnQFF8TsVzVAeAvQ7
h5XGRkJHTC4emo8zgKpBfByEb2fkBSL3k2ffZbVYtxrpupVBmT1Uqw== W2QzaoZGysaO06NMqJg1039RVJ7Tm7ZdEfqZLavYxk/tS4Wt3EGr4A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-14T22:36:00Z" lastmodified: "2024-12-31T11:50:02Z"
mac: ENC[AES256_GCM,data:H//LCiMw1wE7IDFvKf/QEhOlAjx83R4bxGCE9g4lG0dg2V9LD2bWOq2FVGUrMxw350Rj8CFIWaS5ZolGOvUetbDiQTlqayXi7OArGKBkJphoAdr2rskGYVULmB90a4wp1Fq9oIW2ZjbeURQkwybGJzBTCXFRNWp1VcY1STxzlR8=,iv:DWNLKAcscWIUZ9n46I3dssCM7416oGdsY/mPy1YzrJA=,tag:Q03jAMKSDJw5HmFb9i3Hxg==,type:str] mac: ENC[AES256_GCM,data:skTdbNg8f9c0YiSzv8v9j5duCqcd2sR/tmomeZz8iWM9FQHHs9EO/SMjGQBWIlYjIJS5Pv9g6/yI5WT8L3D/vK+Ajih32397X6noqSjTFv7yfJCaQh8NxNOC6Q8RRyPT5mNjB76HQb6IxHnQYg74zi5CUjMLXwsCAIOBJvcFyiE=,iv:wZtw3DN+g/2zjDpLGkwHLFnsZQ4zQY3oifOFWhsPTE4=,tag:aDeTeCxl7I132jhRrtpVMg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.9.2


@@ -5,38 +5,29 @@ sops:
- recipient: age14ar8q5454khxxf5ur2nxwk533nzycz2lh3635qwz35wh8yq0jpqskj2ksx - recipient: age14ar8q5454khxxf5ur2nxwk533nzycz2lh3635qwz35wh8yq0jpqskj2ksx
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVnNjRlZCdkZFZnN3dkcv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMzBkNUlHM1NENVA1aDcz
UmF4Zi9SZzM2bi9IRWJIMHlHOGVTMmx2dm5VCkdGc015dXlDVUV5d0NnQlRCNXlQ MnVvbWZWNnB2SVVUeElJNGdFYjNycmRGd2lvCldvL1pwcjZqQklSZ2pINC9Hd1RJ
N2lsYkR5N2E5RUprdlBHNitNQmpSK0kKLS0tIEJYSzZ3M1lBY3QremY0Y0dLd05Z RnJHcHUrRVpBeHhER1hhQUsyZTRmaHcKLS0tIHB1ZzlvdE9CMFI5ZGl1cVA3Q3d2
V0xJQWRJbkpOQ00wa3ZHOXZxdFN2UDAKrFMAg+Di9aF4TEqDlPgsAi1635CfRIIg dm9WS1hkV1VidFFUdUxKMkpFZ050d2sKySDZkjDii9zc2Im3uT0kaTILvB6Ya6/B
ryyL44l38QPz5CBhh7JPbl7g54l8/jksPOOF0DCmglRnsL+2obur5Q== DC7NMt1E0UFz8HYNdJ+Go2icNWSyJeilBisTPaLQkMxfgHfNVwdAZw==
-----END AGE ENCRYPTED FILE-----
- recipient: age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbDUxL2xaaVNaK2FadHVK
ODZNY2tlOVVuZFlkQUVsZzlqaER2ZXFIK0c0CkR5eVdGM3laS0JkeDdYQzh5VW84
Q1NVclJyeEhabUhId3NWdnB0aDVZQzQKLS0tIGlsTVdFOHV5eUgyeVNrUXRCNXRO
TWw2aC91ZmJieHhma1NndGJDTktSUFEKZBn9zXNmtx768QUENvAero8KJqK9CA4F
DESvmF2ewLSes0bHVsDNTMdchr+TH29jSzHvDbvP50r0v393JhXu7A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl - recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOMXVUV3NOUXZXaWtNdmFx YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLZjdVcmFIUDdLTjhqVnV4
MzRDZE9PSU5GTlNyTnNYdWdKa1R3UjJvSDBFCjFLd2QwdVJPakt5aGF6OHViQm1l UHRUUTg0Ni9JTUx6bnh5emltTHhDSlozdFRZCllhZTVjZWRjVzhLanRuYzVpWWw5
S2pabnRPVUxFNmtsQWJETU1TVHV1SHcKLS0tIDZrUmlQbGtxWjV5bTE5bzk1ditP SEtiNlBhRmVRK1FYaHg2SW9MNWNpczQKLS0tIEVGeTM5TGI2SGttdEhPOXgxRXNU
VTZONVdCR29YYUxNUmlJNmJhZS9yQ1EKXD9V8ExQ3Pi1FafzQpq+P88V5/ZG0Tkc dWxKOXN4d2VUNG9YZGNPZW9jc1l2T1UKxeEn1BTTkxNK5gmyg/AkN0XUIA5+7bsh
uZSngEfhkd4r4wqUozwYvKR2cMKo6v7tvYTU8D4KevIx11QtSylGcQ== G4mbFMw8Ypaiyq+Gc5qP+GgMbTX7lu/UXyFSeW6DToIVjaxk94uyAA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAveWM1VGVNYjdaTWFPUFBO YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneDQ0SGcrbDUwK211WVBs
Q0J4bFlaSE5SallBdFRTZUF1VU9uQVI0TGpZCnE1L08rMm9WNVhyREtDaHc5N1o2 QXZneEVkK0drQkNMOHAxR1k4cVIzUHhaZmt3Cm5CaHdubFFSbjNNRnhBYmQ3b01s
ZmxwSHdiK2tla3B0d3djRzBzMjZZNTAKLS0tIHRnOG1hRFc2SFFDZUs3SjhVM1Bm ODRoNHdBQ1dmTzBaWFJZS0pxNnRCTzAKLS0tIDE4c2xtQk1PRGg0NkFKT3Z5ZHJ2
bEt2SktTaU1xY2NNSnR3N0VldlFiV2MKmmAeQab5dehY8FpXcusXf9KVFqS4M67Y Sy94cTA1d280YUZpUy8xd2F4RG56elkK90ZHB/0UlmwnzJTv9R01xx+MRTsJMIqJ
ITX0N8pASmDxevvNOBl0cTJ5WCg/22/22Yq8hXuUvnqBZqA0P05Wpw== 1wc8f8sng/g8kKbmUv0z9hXkOyrShfI4ZRiwoi2JXvwdDTArgz00Hg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-06T21:55:46Z" lastmodified: "2025-07-06T21:55:46Z"
mac: ENC[AES256_GCM,data:GQ6c/T5eEXmN/exfzi7YJx8GIpN9hAPL1obJ/RSs2UEOhPKhzp5wrsUYAVMmowMDMswjJ995GhonWcMoBfw2tXymBeZ4lcutqtu3i8awTRAV3VrdXmk2Hvi2Kv6bNYh+rZtKKU5a9rAmZAENBomjOM8C/u7ykWG2Iqk46bc/UuM=,iv:hoaYUguhuECsDjYQQ9tHugoIiBvjP8PlQV4+IjgnfSQ=,tag:u+W7P8MzYOx8/OD7K/Lh7w==,type:str] mac: ENC[AES256_GCM,data:GQ6c/T5eEXmN/exfzi7YJx8GIpN9hAPL1obJ/RSs2UEOhPKhzp5wrsUYAVMmowMDMswjJ995GhonWcMoBfw2tXymBeZ4lcutqtu3i8awTRAV3VrdXmk2Hvi2Kv6bNYh+rZtKKU5a9rAmZAENBomjOM8C/u7ykWG2Iqk46bc/UuM=,iv:hoaYUguhuECsDjYQQ9tHugoIiBvjP8PlQV4+IjgnfSQ=,tag:u+W7P8MzYOx8/OD7K/Lh7w==,type:str]