From 043099eb373c6755b7daaff4b3712ec1755bb39e Mon Sep 17 00:00:00 2001 From: Albert Date: Sun, 20 Jul 2025 04:02:39 +0200 Subject: [PATCH] hosts/lupine: init Co-authored-by: h7x4 --- .sops.yaml | 21 +++ flake.nix | 11 +- hosts/lupine/configuration.nix | 35 +++++ .../hardware-configuration/lupine-1.nix | 40 ++++++ .../hardware-configuration/lupine-2.nix | 40 ++++++ .../hardware-configuration/lupine-3.nix | 40 ++++++ .../hardware-configuration/lupine-4.nix | 34 +++++ .../hardware-configuration/lupine-5.nix | 40 ++++++ hosts/lupine/services/gitea-runner.nix | 45 +++++++ secrets/lupine/lupine.yaml | 124 ++++++++++++++++++ values.nix | 20 +++ 11 files changed, 449 insertions(+), 1 deletion(-) create mode 100644 hosts/lupine/configuration.nix create mode 100644 hosts/lupine/hardware-configuration/lupine-1.nix create mode 100644 hosts/lupine/hardware-configuration/lupine-2.nix create mode 100644 hosts/lupine/hardware-configuration/lupine-3.nix create mode 100644 hosts/lupine/hardware-configuration/lupine-4.nix create mode 100644 hosts/lupine/hardware-configuration/lupine-5.nix create mode 100644 hosts/lupine/services/gitea-runner.nix create mode 100644 secrets/lupine/lupine.yaml diff --git a/.sops.yaml b/.sops.yaml index ca04545..2601489 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -15,6 +15,11 @@ keys: - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2 - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8 - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly + - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e + - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n + - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9 + - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k + - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu creation_rules: # Global secrets 
@@ -104,3 +109,19 @@ creation_rules: - *user_pederbs_bjarte pgp: - *user_oysteikt + + - path_regex: secrets/lupine/[^/]+\.yaml$ + key_groups: + - age: + - *host_lupine-1 + - *host_lupine-2 + - *host_lupine-3 + - *host_lupine-4 + - *host_lupine-5 + - *user_danio + - *user_felixalb + - *user_pederbs_sopp + - *user_pederbs_nord + - *user_pederbs_bjarte + pgp: + - *user_oysteikt diff --git a/flake.nix b/flake.nix index 019e361..58f4860 100644 --- a/flake.nix +++ b/flake.nix @@ -170,7 +170,16 @@ inputs.gergle.overlays.default ]; }; - }; + } + // + (let + machineNames = map (i: "lupine-${toString i}") (lib.range 1 5); + stableLupineNixosConfig = name: extraArgs: + nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs; + in lib.genAttrs machineNames (name: stableLupineNixosConfig name { + modules = [{ networking.hostName = name; }]; + specialArgs.lupineName = name; + })); nixosModules = { snakeoil-certs = ./modules/snakeoil-certs.nix; diff --git a/hosts/lupine/configuration.nix b/hosts/lupine/configuration.nix new file mode 100644 index 0000000..54f2910 --- /dev/null +++ b/hosts/lupine/configuration.nix 
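Review bot: Every lupine host is a recipient for every file matched by `secrets/lupine/[^/]+\.yaml$`, so each runner host can decrypt the registration tokens of the other four runners kept in `secrets/lupine/lupine.yaml`. These hosts execute CI jobs, so it is worth limiting what one compromised host can read to its own token. A per-host rule would do that, for example `- path_regex: secrets/lupine/lupine-1\.yaml$` with only `*host_lupine-1` plus the user keys under `age`, repeated for each host. `sops.defaultSopsFile` in hosts/lupine/configuration.nix would then point at the file for `lupineName`.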
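Review bot: The number of lupine hosts is fixed only by `lib.range 1 5` in `machineNames`, and nothing here says what else must exist for each generated name. From the rest of the patch, each name needs a `hardware-configuration/<name>.nix`, a `values.hosts.<name>` entry, a `host_<name>` key in `.sops.yaml` and a `gitea/runners/<name>` secret, and a missing one only shows up at evaluation or activation time. A comment above `machineNames` would help, e.g. `# Keep in sync with hosts/lupine/hardware-configuration/, values.nix (hosts.lupine-N), .sops.yaml and secrets/lupine/lupine.yaml`. The `nixosConfig` helper is defined outside this hunk, so how it merges `modules` and `specialArgs` from `extraArgs` cannot be checked here.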
@@ -0,0 +1,35 @@
+{ fp, values, lupineName, ... }:
+{
+ imports = [
+ ./hardware-configuration/${lupineName}.nix
+
+ (fp /base)
+ (fp /misc/metrics-exporters.nix)
+
+ ./services/gitea-runner.nix
+ ];
+
+ sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.age.generateKey = true;
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
+ matchConfig.Name = "enp0s31f6";
+ address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ networkConfig.LLDP = false;
+ };
+ systemd.network.wait-online = {
+ anyInterface = true;
+ };
+
+ # There are no smart devices
+ services.smartd.enable = false;
+
+ # Do not change, even during upgrades.
+ # See https://search.nixos.org/options?show=system.stateVersion
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/lupine/hardware-configuration/lupine-1.nix b/hosts/lupine/hardware-configuration/lupine-1.nix
new file mode 100644
index 0000000..73c33c7
--- /dev/null
+++ b/hosts/lupine/hardware-configuration/lupine-1.nix
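Review bot: `sops.age.generateKey = true` together with `sops.age.keyFile` creates a fresh age identity at `/var/lib/sops-nix/key.txt` when the file is missing, and that identity is not one of the recipients this patch adds to `.sops.yaml`. If the `host_lupine-N` recipients are derived from the SSH host key listed in `sops.age.sshKeyPaths`, which is not visible here, the generated key can never decrypt `lupine.yaml` and is only an extra private key on disk. Either drop the two options or document the intent, e.g. `# recipients in .sops.yaml come from the ssh host key; key.txt is a spare identity for future re-keying`.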
@@ -0,0 +1,40 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/81D6-38D3"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/lupine/hardware-configuration/lupine-2.nix b/hosts/lupine/hardware-configuration/lupine-2.nix new file mode 100644 index 0000000..67bec68 --- /dev/null +++ b/hosts/lupine/hardware-configuration/lupine-2.nix 
@@ -0,0 +1,40 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/4A34-6AE5"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/lupine/hardware-configuration/lupine-3.nix b/hosts/lupine/hardware-configuration/lupine-3.nix new file mode 100644 index 0000000..cff7016 --- /dev/null +++ b/hosts/lupine/hardware-configuration/lupine-3.nix 
@@ -0,0 +1,40 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/63FA-297B"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/lupine/hardware-configuration/lupine-4.nix b/hosts/lupine/hardware-configuration/lupine-4.nix new file mode 100644 index 0000000..d425781 --- /dev/null +++ b/hosts/lupine/hardware-configuration/lupine-4.nix 
@@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/lupine/hardware-configuration/lupine-5.nix b/hosts/lupine/hardware-configuration/lupine-5.nix new file mode 100644 index 0000000..4e5bff5 --- /dev/null +++ b/hosts/lupine/hardware-configuration/lupine-5.nix 
@@ -0,0 +1,40 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/F372-37DF"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/lupine/services/gitea-runner.nix b/hosts/lupine/services/gitea-runner.nix new file mode 100644 index 0000000..9c46f35 --- /dev/null +++ b/hosts/lupine/services/gitea-runner.nix 
@@ -0,0 +1,45 @@
+{ config, lupineName, ... }:
+{
+ # This is unfortunately state, and has to be generated one at a time :(
+ # To do that, comment out all except one of the runners, fill in its token
+ # inside the sops file, rebuild the system, and only after this runner has
+ # successfully registered will gitea give you the next token.
+ # - oysteikt Sep 2023
+ sops = {
+ secrets."gitea/runners/token" = {
+ key = "gitea/runners/${lupineName}";
+ };
+
+ templates."gitea-runner-envfile" = {
+ restartUnits = [
+ "gitea-runner-${lupineName}.service"
+ ];
+ content = ''
+ TOKEN="${config.sops.placeholder."gitea/runners/token"}"
+ '';
+ };
+ };
+
+ services.gitea-actions-runner.instances = {
+ ${lupineName} = {
+ enable = true;
+ name = "git-runner-${lupineName}";
+ url = "https://git.pvv.ntnu.no";
+ labels = [
+ "debian-latest:docker://node:current-bookworm"
+ "ubuntu-latest:docker://node:current-bookworm"
+ ];
+ tokenFile = config.sops.templates."gitea-runner-envfile".path;
+ };
+ };
+
+ virtualisation.podman = {
+ enable = true;
+ defaultNetwork.settings.dns_enabled = true;
+ autoPrune.enable = true;
+ };
+
+ networking.dhcpcd.IPv6rs = false;
+
+ networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
+}
diff --git a/secrets/lupine/lupine.yaml b/secrets/lupine/lupine.yaml
new file mode 100644
index 0000000..dc3153d
--- /dev/null
+++ b/secrets/lupine/lupine.yaml
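Review bot: Both entries in `labels` resolve to the floating tag `node:current-bookworm`, so the image every job runs in changes whenever that tag is re-pushed upstream, and the five runners can end up on different images. Pinning to a fixed release and digest makes the job environment reproducible and reviewable, e.g. `"debian-latest:docker://node:<version>-bookworm@sha256:<digest>"`, where both are placeholders to fill in. The `restartUnits` entry `"gitea-runner-${lupineName}.service"` may also miss the real unit: if the runner module escapes the instance name for systemd, the `-` in `lupine-N` would be rewritten and a rotated token would not restart the runner, so this should be checked against the generated unit name. The header comment about commenting out all but one runner reads as carried over from a multi-runner host; here it would be clearer to say that `lupine-2` to `lupine-5` are still `null` in the sops file and get their tokens one at a time.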
@@ -0,0 +1,124 @@ +gitea: + runners: + lupine-1: ENC[AES256_GCM,data:UcZB2p/dInvcl0yNBEohzbmcVxg/QQPXlIsaVB3M3hyxFg1gtGfUGA==,iv:OigyPfPoRIjvyiId7hiiWdNrZqyZqI3OonvJC+zYEzI=,tag:SjBsvo/IJKhFQs+PiI596g==,type:str] + lupine-2: null + lupine-3: null + lupine-4: null + lupine-5: null +sops: + age: + - recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncnd2NVdqdjU1WWx4YWJr + RUVuSThBWWdyVnpFT0kzZjBrVjZiN1FiU0ZBCmNCbGVZK09YaFNGSUE2QWpidEFw + aEZEVndkODRzYmNLWDRzSGMzOWZKajAKLS0tIE00b3NiclFrOEk3R1lkeWM0VHY3 + dUFQcG04bWNwYjRjTlNWV0pXNnlTN28KEc8nM7jzMuh2B6Q9vDS9apmVZDH9fAGi + dyze2SHCvfbr6So6GtJnZQy5J7tPoHBd3zwjojYV11kR9Ci1GszrVw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVzdFdXdETEN3bjdIY0hi + TUV3YjFSUHBhNTIyUDd6MC93R2xRZmZGTkd3CkZuNWRZY25nY1FMZjV1QzJuUUZN + d0hzMUplY0w4c0hVK0dCbHVzVURvUm8KLS0tIGt2UEozYTdzMDRGUlRYeWpLY0Q3 + bmFMZGRhWGZQZlpwMFZsV3VwdEljRUkKwS1gGaLCY/+wv2blCiDWHXOTl7eRVDPH + NPk33fXDa0y4AxFmwJ9caHL+UHWhSCVvi6odl1F6OA4blNLHRZAyzQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdmZXREhrUk5kWHgyMzI0 + RnR0bVE1cm9GQkpwc0VWZ3ZmUjMxMzF2WVhFCkcrcEI4enlRN09wNzF4M0tTNXZi + TWg1TTkwUlNYUU1ReUVSU1dTdFoxeWcKLS0tIGZaMmVmZ1kxbFVVMmsxTzczYU9j + N3Y3Qm9SQ2Z0bWNhM043czdnWC9RR0kK61W5sqXybAbjTUR8D05dYMInLl683Rzj + G+0MZEzvfYONGU1gduRB5quHAwZLG5b9N6zorRSFON1meni+v/Ciww== + -----END AGE ENCRYPTED FILE----- + - recipient: age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBod1RDR1NLZlhQQWw4Nk8z + 
TTZHZitTNjFxUHVIZWY3N2VDd3pXRGt4N0JFClNzQ2REbSt5T0FXaVBhS09zcS9y + TW5PTW1mSzlyOHppSm1yMWp6by9ZUWMKLS0tIFVsYkJZbHE3K3B5TS95amJhbDYy + dFV1REdKYmIweWw1MDJ4L3p0cW9nVWMKQndDoniGQOn01SnscX7u7y6l119Eb++q + JoTZELALPIyGdI4pXd6zCfRyLFaqWd4CO0RFtl8FTcm75W+ETmqqlQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdlhET094ZGJsZU9tZnhz + d20wcnltVU1MS09Qb3lzV2RjNi9OZjhDdFRBCndRY3hwQ3VHQWF2MVRFUU1MQkhh + bGRQdEVaSzF0YTgxTGdITGN2dDlYc1kKLS0tIEw1MmFkUHJaKzZGRU93T2VTTkxK + VU0xV0gwQ1NnbVIrS3lHTnJ5bU9IcGMKDWSWfA7iBQ+8iclmXDVf5Qjv67D2WbJg + ovrYcT1F5+qE4xkuUkzVaGn9vgT+/kkzFucBz0c0iD5KCoa52z5AlQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtV2R5VzdCbkFDTGRJUG81 + bUk3Y3F6NkJGYUk1VW1XQnFOSTlwMTduL0Y0CjJ4N1Q5MXZjQXhsTk5Hbk40U1pU + aFNxeFIyaGJpd3dMZFpQL0R2M1dHbk0KLS0tIGpUVGMyRSt6aDZVOERRWnRSY1Ns + dXptcUNmeGRHcEs3WStpL3BuZUtJbjAKhqJEec4vjSC18oRl1dTNkF2Ev4YtudE4 + Lp2vbcSHXwrZhqbFlQ8stCpUJvjCBEr2cT/shrG38aP0MzgeSmMacQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURXhRWEFHU2Rtd0pyZGUw + b09VQ1JhYjhJYlpnY2FCZndEcU1Ed3k1K0UwCit1NVIyL2xuZlAzbEJwY3V0UTB3 + Unk1L3p6cHlVWjllMjcvcTdDcnlxcGcKLS0tIGdGa3MvTmJiSGF4YnBZbE1wdGEv + eFArZE5MaXlvOE9XN1I4eEtNMEpzcU0KVNUfcUJM+IVY/+b8mQiHKvuFnsih+zHx + ZdUD+FPjghqrzJB4MOl/PYAxJ4lga6gPbcRWD5UUDuyDGOUwRpOt7w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUnhIOHVLUG1meWFlZ24w + 
SVlFenR1aWZXK21HSXpHU1NSZ2llQ1EwSnpnCmJYRXR3b3IvclZvaGpGdEpOUk9D + eDg2eFFJQ0M4TEJqZDVUQUZGa2h3V3cKLS0tIEhWTzhoMVg1UEM2M1k1TVZTUDlL + RDE1RCtUV2dDR3haclBMZDFhYXcyV2sKjwEI2dY4rluumihyEggLYDDvZZAK4SZw + FWkwIUpMCZzg2fCeDMnTSAWfAZbiDcPLoCieJ2bpGXPTzyasRlOakg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxamdXMXJ4K3hMV2g1WmUy + Ry80dG5wdWlLc1paY1VoSE8vWk1ra1g5cldFClN1eXlVUGVndnovQ3dxQTdzQjRV + Wm9NNWg5VVR4NVNsRjM0VHFya1FQeWsKLS0tIG43bTdKVjNrQlBUWHJoNjIyOW85 + TGd1Tng1akExRDd0TFZmQ3JnS3FtK3cKn2t7/4yIDZT2oy8fyJibF62usPjhuBOb + 9qQjChRm5h5mNSWdAzyf48wID7czzJiZjqtfE4vjLYLsWKMzz9j3xg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQm5UalBhV1NWa2ZQNzVQ + OEZXODkrYXRGR2lRMzMwSk5KV01WK3pLZlZ3ClNwZTV6aGRvZlV2UXJaNm9IOVVR + VFZscVZhVkFaMlk5a1ZCcWJReVN5YWcKLS0tIEhHMnRKdWJvTkREbFlWb25YRXg3 + YU5mMDlRckJCMDAzcHYyMWN1clRJRVEK77PiAQP+2+WblGYEgAf6bx6RTh0JHiSZ + /jPIN/rbAKNv36wpZDbuLV8tcMuvhleNMRSSqbIloLSzww+Z5nOU4A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-30T18:29:08Z" + mac: ENC[AES256_GCM,data:47cki5ucPTVd4JuEyK0QkDCCEqj1pW6SA5I6ihC/MEja6TIuHTcEPFpje8+LvpGjpP9uobKX4g3UcyvkJ63j/k3hU0xPYQX3Z1ee00KIMKB0GHNjUR8ENtnwd3TU7kp5ohtXeCtcyzCjdFFuXp8AINGv3vpbU2MzauctUxn5B1Y=,iv:1mpk/f1QlRtHfA9dqyNLBrvfVPgtLnZ7ibj8qNrEGD8=,tag:drEK1+qeJy97rgeQJyqucA==,type:str] + pgp: + - created_at: "2025-07-30T18:27:50Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA0av/duuklWYAQ/9HdDiIXAQjcAbokD7yliGC+p7j+RxD2FDh5aXtDIS14dM + pF7wdTdY7PvcXoSCQ5ZC7bjIY86MDfD+BT63MwjOczIgBJJ9wrGDZ2o9DnzzYsI1 + XdUgQscjtbAycNlaczI6IXrYlWqjt6qpp/OADXdMXZo3W+pTR3aSdrj/FcMzJad1 + AMQt8raqrD5LxIj0yWEYvob5z7NA6slBvVJRszsbYgz3aJWqG2DhlUBph6j2Rgmq + 
/W796+fywrunmY/dmzptT5Epp5gZ55BAqg09qHj/+crTxIt7SNpsfps2ki8JBVq0 + 4ooaUktBBMnhsZBA8NIauesokZkLO0MvyvjMBPGR8jun2EXoNtFmWZqUqD1fb0B5 + xe0SVg8XIzS/AFnKVAWfj6h9lM4guLL/kxu3aPAJwOj+YtIAXx4vojs81Led8nlQ + jXvfy7Y94EQhKTLWuK12QC+bw2vy4V9L98nyDKB3ZuN2l3A2CN1ZLXArk/oez56d + 5t/0C43qEPfzQH87kygGuuQmlZvQupnHN4iCvExmoiX362/3S9h1wS5QcKdC3Lk/ + f3yr0+r1uOYuoQuofwitLZaq66aCmqYUmXhLvGujPjg8YuNXQ5k1MlOilDqoZnxk + 0V8RQbTpvUcqRLgczofC0ovgE2W13khS2BGxG3ZPmAbUGiaIP9OkfebI7hJJE7LS + XgE4cU06C5jj4wLkOj3y4nEKwaFrEGRO3YQa1kl5/sExOg0Jd7fehozVh8+opGOZ + MhmVHghd/RYZzBi3NZL28xnAvsawE1m6h6WEGk6JaVEdJh9W009AQCtVyChs9Og= + =4gbo + -----END PGP MESSAGE----- + fp: F7D37890228A907440E1FD4846B9228E814A2AAC + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/values.nix b/values.nix index 9eab664..9453a35 100644 --- a/values.nix +++ b/values.nix @@ -68,6 +68,26 @@ in rec { ipv4 = pvv-ipv4 240; ipv6 = pvv-ipv6 240; }; + lupine-1 = { + ipv4 = pvv-ipv4 224; + ipv6 = pvv-ipv6 224; + }; + lupine-2 = { + ipv4 = pvv-ipv4 225; + ipv6 = pvv-ipv6 225; + }; + lupine-3 = { + ipv4 = pvv-ipv4 226; + ipv6 = pvv-ipv6 226; + }; + lupine-4 = { + ipv4 = pvv-ipv4 227; + ipv6 = pvv-ipv6 227; + }; + lupine-5 = { + ipv4 = pvv-ipv4 228; + ipv6 = pvv-ipv6 228; + }; }; defaultNetworkConfig = {