rebase

No more ../../../../../../

base/default.nix

@@ -1,9 +1,9 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, fp, ... }:
 
 {
   imports = [
-    ../users
-    ../modules/snakeoil-certs.nix
+    (fp /users)
+    (fp /modules/snakeoil-certs.nix)
 
     ./networking.nix
     ./nix.nix

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729281548,
-        "narHash": "sha256-MuojlSnwAJAwfhgmW8ZtZrwm2Sko4fqubCvReqbUzYw=",
+        "lastModified": 1731746438,
+        "narHash": "sha256-f3SSp1axoOk0NAI7oFdRzbxG2XPBSIXC+/DaAXnvS1A=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "a6a3179ddf396dfc28a078e2f169354d0c137125",
+        "rev": "cb64993826fa7a477490be6ccb38ba1fa1e18fa8",
         "type": "github"
       },
       "original": {
@@ -28,11 +28,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1729619392,
-        "narHash": "sha256-olNCSjGLN6W2aIjdMeFrV5gIDrAx8PbUhhiF7LcL+ms=",
+        "lastModified": 1730249639,
+        "narHash": "sha256-G3URSlqCcb+GIvGyki+HHrDM5ZanX/dP9BtppD/SdfI=",
         "ref": "refs/heads/main",
-        "rev": "355d2ad13d355225fbedf8bb08dc49e9b5f4b9f2",
-        "revCount": 31,
+        "rev": "80e0447bcb79adad4f459ada5610f3eae987b4e3",
+        "revCount": 34,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/greg-ng.git"
       },
@@ -119,11 +119,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1729307008,
-        "narHash": "sha256-QUvb6epgKi9pCu9CttRQW4y5NqJ+snKr1FZpG/x3Wtc=",
+        "lastModified": 1731663789,
+        "narHash": "sha256-x07g4NcqGP6mQn6AISXJaks9sQYDjZmTMBlKIvajvyc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a9b86fc2290b69375c5542b622088eb6eca2a7c3",
+        "rev": "035d434d48f4375ac5d3a620954cf5fda7dd7c36",
         "type": "github"
       },
       "original": {
@@ -135,11 +135,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1728156290,
-        "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=",
+        "lastModified": 1730602179,
+        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "17ae88b569bb15590549ff478bab6494dde4a907",
+        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
         "type": "github"
       },
       "original": {
@@ -151,11 +151,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1729308112,
-        "narHash": "sha256-Ap+cPeiluam2KFZO+OWuFTl/IkIJfyGYGMgkT2pVCRY=",
+        "lastModified": 1731745710,
+        "narHash": "sha256-SVeiClbgqL071JpAspOu0gCkPSAL51kSIRwo4C/pghA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "61253596816c4cd65e2a0f474cbc0ac0c6e0f7cf",
+        "rev": "dfaa4cb76c2d450d8f396bb6b9f43cede3ade129",
         "type": "github"
       },
       "original": {
@@ -249,11 +249,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1728345710,
-        "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
+        "lastModified": 1731748189,
+        "narHash": "sha256-Zd/Uukvpcu26M6YGhpbsgqm6LUSLz+Q8mDZ5LOEGdiE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
+        "rev": "d2bd7f433b28db6bc7ae03d5eca43564da0af054",
         "type": "github"
       },
       "original": {

flake.nix

@@ -59,6 +59,7 @@
           specialArgs = {
             inherit unstablePkgs inputs;
             values = import ./values.nix;
+            fp = path: ./${path};
           };
 
           modules = [

hosts/bekkalokk/configuration.nix

@@ -1,10 +1,10 @@
-{ pkgs, values, ... }:
+{ fp, pkgs, values, ... }:
 {
   imports = [
     ./hardware-configuration.nix
 
-    ../../base
-    ../../misc/metrics-exporters.nix
+    (fp /base)
+    (fp /misc/metrics-exporters.nix)
 
     ./services/bluemap/default.nix
     ./services/gitea/default.nix
@@ -19,7 +19,7 @@
     ./services/well-known
   ];
 
-  sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
+  sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;

hosts/bekkalokk/services/gitea/default.nix

@@ -1,4 +1,4 @@
-{ config, values, pkgs, lib, ... }:
+{ config, values, fp, pkgs, lib, ... }:
 let
   cfg = config.services.gitea;
   domain = "git.pvv.ntnu.no";
@@ -6,6 +6,7 @@ let
 in {
   imports = [
     ./ci.nix
+    ./gpg.nix
     ./import-users
     ./web-secret-provider
   ];
@@ -173,8 +174,8 @@ in {
     };
 
     script = let
-      logo-svg = ../../../../assets/logo_blue_regular.svg;
-      logo-png = ../../../../assets/logo_blue_regular.png;
+      logo-svg = fp /assets/logo_blue_regular.svg;
+      logo-png = fp /assets/logo_blue_regular.png;
       extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
         <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
         <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>

hosts/bekkalokk/services/gitea/gpg.nix

@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.gitea;
+  GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
+in
+{
+  sops.secrets."gitea/gpg-signing-key" = {
+    owner = cfg.user;
+    inherit (cfg) group;
+  };
+
+  systemd.services.gitea.environment = { inherit GNUPGHOME; };
+
+  systemd.tmpfiles.settings."20-gitea-gnugpg".${GNUPGHOME}.d = {
+    inherit (cfg) user group;
+    mode = "700";
+  };
+
+  systemd.services.gitea-ensure-gnupg-homedir = {
+    description = "Import gpg key for gitea";
+    environment = { inherit GNUPGHOME; };
+    serviceConfig = {
+      Type = "oneshot";
+      User = cfg.user;
+      PrivateNetwork = true;
+    };
+    script = ''
+      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
+    '';
+  };
+
+  services.gitea.settings."repository.signing" = {
+    SIGNING_KEY = "0549C43374D2253C";
+    SIGNING_NAME = "PVV Git";
+    SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
+    INITIAL_COMMIT = "always";
+  };
+}

hosts/bekkalokk/services/mediawiki/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, config, values, pkgs-unstable, ... }: let
+{ pkgs, lib, fp, config, values, pkgs-unstable, ... }: let
   cfg = config.services.mediawiki;
 
   # "mediawiki"
@@ -210,8 +210,8 @@ in {
         '';
       };
 
-      "= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
-      "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
+      "= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
+      "= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
       "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
         buildInputs = with pkgs; [ imagemagick ];
       } ''
@@ -219,7 +219,7 @@ in {
           -resize x64 \
           -gravity center \
           -crop 64x64+0+0 \
-          ${../../../../assets/logo_blue_regular.png} \
+          ${fp /assets/logo_blue_regular.png} \
           -flatten \
           -colors 256 \
           -background transparent \

hosts/bekkalokk/services/webmail/snappymail.nix

@@ -1,8 +1,8 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, fp, pkgs, ... }:
 let
   cfg = config.services.snappymail;
 in {
-  imports = [ ../../../../modules/snappymail.nix ];
+  imports = [ (fp /modules/snappymail.nix) ];
 
   services.snappymail = {
     enable = true;

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -62,6 +62,33 @@ in {
       WorkingDirectory = galleryDir;
       User = config.services.pvv-nettsiden.user;
       Group = config.services.pvv-nettsiden.group;
+
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true; # disable for third party rotate scripts
+      PrivateDevices = true;
+      PrivateNetwork = true; # disable for mail delivery
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true; # disable for userdir logs
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "full";
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true; # disable for creating setgid directories
+      SocketBindDeny = [ "any" ];
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+      ];
     };
   };
 }

hosts/bicep/configuration.nix

@@ -1,10 +1,10 @@
-{ pkgs, values, ... }:
+{ fp, pkgs, values, ... }:
 {
   imports = [
     ./hardware-configuration.nix
 
-    ../../base
-    ../../misc/metrics-exporters.nix
+    (fp /base)
+    (fp /misc/metrics-exporters.nix)
     ./services/nginx
 
     ./services/mysql.nix
@@ -15,7 +15,7 @@
     ./services/matrix
   ];
 
-  sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
+  sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;

hosts/bicep/services/calendar-bot.nix

@@ -1,16 +1,16 @@
-{ config, lib, pkgs, ... }:
+{ config, fp, lib, pkgs, ... }:
 let
   cfg = config.services.pvv-calendar-bot;
 in {
   sops.secrets = {
     "calendar-bot/matrix_token" = {
-      sopsFile = ../../../secrets/bicep/bicep.yaml;
+      sopsFile = fp /secrets/bicep/bicep.yaml;
       key = "calendar-bot/matrix_token";
       owner = cfg.user;
       group = cfg.group;
     };
     "calendar-bot/mysql_password" = {
-      sopsFile = ../../../secrets/bicep/bicep.yaml;
+      sopsFile = fp /secrets/bicep/bicep.yaml;
       key = "calendar-bot/mysql_password";
       owner = cfg.user;
       group = cfg.group;

hosts/bicep/services/matrix/coturn.nix

@@ -1,14 +1,14 @@
-{ config, lib, pkgs, secrets, values, ... }:
+{ config, lib, fp, pkgs, secrets, values, ... }:
 
 {
   sops.secrets."matrix/synapse/turnconfig" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "synapse/turnconfig";
     owner = config.users.users.matrix-synapse.name;
     group = config.users.users.matrix-synapse.group;
   };
   sops.secrets."matrix/coturn/static-auth-secret" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "coturn/static-auth-secret";
     owner = config.users.users.turnserver.name;
     group = config.users.users.turnserver.group;

hosts/bicep/services/matrix/discord.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, fp, ... }:
 
 let
   cfg = config.services.mx-puppet-discord;
@@ -7,11 +7,11 @@ in
   users.groups.keys-matrix-registrations = { };
 
   sops.secrets."matrix/discord/as_token" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "discord/as_token";
   };
   sops.secrets."matrix/discord/hs_token" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "discord/hs_token";
   };
 

hosts/bicep/services/matrix/hookshot/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, unstablePkgs, inputs, ... }:
+{ config, lib, fp, unstablePkgs, inputs, ... }:
 
 let
   cfg = config.services.matrix-hookshot;
@@ -11,11 +11,11 @@ in
   ];
 
   sops.secrets."matrix/hookshot/as_token" = {
-    sopsFile = ../../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "hookshot/as_token";
   };
   sops.secrets."matrix/hookshot/hs_token" = {
-    sopsFile = ../../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "hookshot/hs_token";
   };
 

hosts/bicep/services/matrix/mjolnir.nix

@@ -1,8 +1,8 @@
-{ config, lib, ... }:
+{ config, lib, fp, ... }:
 
 {
   sops.secrets."matrix/mjolnir/access_token" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "mjolnir/access_token";
     owner = config.users.users.mjolnir.name;
     group = config.users.users.mjolnir.group;

hosts/bicep/services/matrix/synapse.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, values, inputs, ... }:
+{ config, lib, fp, pkgs, values, inputs, ... }:
 
 let
   cfg = config.services.matrix-synapse-next;
@@ -10,13 +10,13 @@ let
 in {
   sops.secrets."matrix/synapse/signing_key" = {
     key = "synapse/signing_key";
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
     owner = config.users.users.matrix-synapse.name;
     group = config.users.users.matrix-synapse.group;
   };
 
   sops.secrets."matrix/synapse/user_registration" = {
-    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "synapse/signing_key";
     owner = config.users.users.matrix-synapse.name;
     group = config.users.users.matrix-synapse.group;

hosts/bob/configuration.nix

@@ -1,16 +1,16 @@
-{ config, pkgs, values, ... }:
+{ config, fp, pkgs, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base
-      ../../misc/metrics-exporters.nix
+      (fp /base)
+      (fp /misc/metrics-exporters.nix)
       ./disks.nix
 
-      ../../misc/builder.nix
+      (fp /misc/builder.nix)
     ];
 
-  sops.defaultSopsFile = ../../secrets/bob/bob.yaml;
+  sops.defaultSopsFile = fp /secrets/bob/bob.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;

hosts/brzeczyszczykiewicz/configuration.nix

@@ -1,10 +1,10 @@
-{ config, pkgs, values, ... }:
+{ config, fp, pkgs, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base
-      ../../misc/metrics-exporters.nix
+      (fp /base)
+      (fp /misc/metrics-exporters.nix)
 
       ./services/grzegorz.nix
     ];

hosts/brzeczyszczykiewicz/services/grzegorz.nix

@@ -1,6 +1,6 @@
-{ config, ... }:
+{ config, fp, ... }:
 {
-  imports = [ ../../../modules/grzegorz.nix ];
+  imports = [ (fp /modules/grzegorz.nix) ];
 
   services.nginx.virtualHosts."${config.networking.fqdn}" = {
     serverAliases = [

hosts/georg/configuration.nix

@@ -1,12 +1,12 @@
-{ config, pkgs, values, ... }:
+{ config, fp, pkgs, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base
-      ../../misc/metrics-exporters.nix
+      (fp /base)
+      (fp /misc/metrics-exporters.nix)
 
-      ../../modules/grzegorz.nix
+      (fp /modules/grzegorz.nix)
     ];
 
   boot.loader.systemd-boot.enable = true;

hosts/ildkule/configuration.nix

@@ -1,16 +1,16 @@
-{ config, pkgs, lib, values, ... }:
+{ config, fp, pkgs, lib, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base
-      ../../misc/metrics-exporters.nix
+      (fp /base)
+      (fp /misc/metrics-exporters.nix)
 
       ./services/monitoring
       ./services/nginx
     ];
 
-  sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
+  sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;

hosts/ildkule/hardware-configuration.nix

@@ -3,7 +3,14 @@
   imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
   boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
   boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
+    fsType = "ext4";
+  };
+  fileSystems."/data" = {
+    device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
+    fsType = "ext4";
+  };
 
   networking.useDHCP = lib.mkDefault true;
 }

hosts/ildkule/services/monitoring/loki.nix

@@ -2,6 +2,7 @@
 
 let
   cfg = config.services.loki;
+  stateDir = "/data/monitoring/loki";
 in {
   services.loki = {
     enable = true;
@@ -16,7 +17,7 @@ in {
       ingester = {
         wal = {
           enabled = true;
-          dir = "/var/lib/loki/wal";
+          dir = "${stateDir}/wal";
         };
         lifecycler = {
           address = "127.0.0.1";
@@ -48,12 +49,12 @@ in {
 
       storage_config = {
         boltdb_shipper = {
-          active_index_directory = "/var/lib/loki/boltdb-shipper-index";
-          cache_location = "/var/lib/loki/boltdb-shipper-cache";
+          active_index_directory = "${stateDir}/boltdb-shipper-index";
+          cache_location = "${stateDir}/boltdb-shipper-cache";
           cache_ttl = "24h";
         };
         filesystem = {
-          directory = "/var/lib/loki/chunks";
+          directory = "${stateDir}/chunks";
         };
       };
 
@@ -64,14 +65,14 @@ in {
       };
 
       compactor = {
-        working_directory = "/var/lib/loki/compactor";
+        working_directory = "${stateDir}/compactor";
       };
 
       # ruler = {
       #   storage = {
       #     type = "local";
       #     local = {
-      #       directory = "/var/lib/loki/rules";
+      #       directory = "${stateDir}/rules";
       #     };
       #   };
       #   rule_path = "/etc/loki/rules";

hosts/ildkule/services/monitoring/prometheus/default.nix

@@ -1,4 +1,6 @@
-{ config, ... }: {
+{ config, ... }: let
+  stateDir = "/data/monitoring/prometheus";
+in {
   imports = [
     ./gitea.nix
     ./matrix-synapse.nix
@@ -10,9 +12,15 @@
 
   services.prometheus = {
     enable = true;
+
     listenAddress = "127.0.0.1";
     port = 9001;
 
     ruleFiles = [ rules/synapse-v2.rules ];
   };
+
+  fileSystems."/var/lib/prometheus2" = {
+    device = stateDir;
+    options = [ "bind" ];
+  };
 }

hosts/ildkule/services/monitoring/uptime-kuma.nix

@@ -2,6 +2,7 @@
 let
   cfg = config.services.uptime-kuma;
   domain = "status.pvv.ntnu.no";
+  stateDir = "/data/monitoring/uptime-kuma";
 in {
   services.uptime-kuma = {
     enable = true;
@@ -17,4 +18,9 @@ in {
     kTLS = true;
     locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
   };
+
+  fileSystems."/var/lib/uptime-kuma" = {
+    device = stateDir;
+    options = [ "bind" ];
+  };
 }

hosts/shark/configuration.nix

@@ -1,13 +1,13 @@
-{ config, pkgs, values, ... }:
+{ config, fp, pkgs, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base
-      ../../misc/metrics-exporters.nix
+      (fp /base)
+      (fp /misc/metrics-exporters.nix)
     ];
 
-  sops.defaultSopsFile = ../../secrets/shark/shark.yaml;
+  sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;

secrets/bekkalokk/bekkalokk.yaml

@@ -5,6 +5,7 @@ gitea:
     database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str]
     email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str]
     passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
+    gpg-signing-key: ENC[AES256_GCM,data:y/g1rpsEgiGEJ9BGii6te166ABpg1jgsyYMT1Ji5njLbT8/juBBMc7BFEM5BcIxKpQGijymsB+Htl8CZAN4Bl3FHSRyrnXGuMCnveJfw1qTVjMa6soriHv7EdTDFPCp3TYMbs1OgY/bhGJIvp8e4hCVd4F3x8eAlFmiwHhkxr62qQNHjH7SRNIyUNibf/TTttOeEcercxOy7FeUE99D+CWG4pnJNEYyRHDdddalgpSJyZIJvPpXoKmeCDk3futnxiZ15Vr7bDS5u4dqnE+no7DKoZ5fvk38f/77JH3w/Qom7NCYSG6L+unJ3r3RKuuGMRDjdz09TPZ4APpmrlyOElfGMmm134g6mdhgXmwNCo65Z7VOd1OKFA/uyZm2b7XsT3tCgRalE8gBa0R3MBMi3JK+5KUdS6ZUvYXDt8D8C68ldM3K9E7lyeeHn775rV6L4JIXcj/NL1O23sXtjeVuUPQmsUesgYlllRaiTSTfY7K+yOIG3wqqCuCDSAeILQICkvod4iw4xdVMQzd8eQtbD6bCjOzHwvBcu+rOSN6ti+xOQ7bJ9+6xhCgJJsiADkp2q09cUu8mDbUh+YJxfu+oZhPomOJVDMSqfS4qNXcVM9mbak/L9KPR4b83GqTpmXHnDMlGe4BHGXrkIUKPsBQ5TmdckXbpRDBQFrnjVvFT+Gfx3xwHxWc9fbxcFID2wp69EzQrGC77bDPCFxBT5vAVwffGYUezPQEo25bKRpCWxTFTpiIQfACrwzZc/O9cmwDgrYN7bTZyrrp8cbyBtllZGYmXxLDkDOzIqzpLG3b0yJC2jSnw0f1DkU6M2mD/j9FRTVW1MVymyLPiZQ7T9QyZ3MekHEEY1QqmyiJMIOekSzC5+3Us6Nl32MeBrIry6NuV8ewIQF5bcZEHtSmZ0k/wBtK0fpFHUuc/vETFuRUiQw/InhN5W8iH78vFvflxBfg61Qp7PzEx0k0axwEc6VAKbEg/uFNL+fhUKKt7sYiEBmwg2Vsj3pyZgdmjPZEsOQ86+psaxv+2feH94wog47jDHFRrc4iRC5w7kZ6UJXHfZt9lkBbwl4qNwiOLlPnUUcR+CpTBpPoKD9ulidQGfcYY49+iE+PM5dAI2CtisKpLQiwmrvjOzB1a/rC9QnH679frgH5Ebb57WRL4uSAVNRdIvIGzAF5MNwQOu+cxKoiW6ZmuNJSb547XUB1UO,iv:aKzrgAV30sLfPEpgdQ26ZzdM3+gYtoSpZ9mNyqCqf/M=,tag:vjywN4qxh2zsCE3RPG6Yrw==,type:str]
     ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
     import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
     runners:
@@ -97,8 +98,8 @@ sops:
             UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
             4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-12T21:56:27Z"
-    mac: ENC[AES256_GCM,data:bZ1BbVC6D+B6SFze2ReeCUcQamK/O14zH3YxCjWBwMC++w3niIiEx4Bq7Ulci5yuMld0luVsfUzHoqFN/+zvZbV2rGVk8lVRiTrpFoSZ78aUUgeHG9ROLXsR7T7rVhLWbl86y1G5LcKws7G55V0wAh6f58WjYYzwR8fnBmfW1Ko=,iv:7xtMdtXQB9uZirE/CkUSmeu0qnG++R7DUR7zn/Bo0lM=,tag:DH/BJPpAp//quDqKNXyHcg==,type:str]
+    lastmodified: "2024-11-24T02:02:00Z"
+    mac: ENC[AES256_GCM,data:hTye1yv7J/jEjLXtIyFPJZFuY3wol2tX1kZi7JtwTa6zs/JTg7piPL76/CkgWjVxGdv6DpSdlCt+AjIMQarbBpyKc/ux83zHrgI2BUZfYTtjwKLfoafsRjsjoz17ZRE55ozbjb6UHCCHLIJXUmHop35AeGwNcexx3UH267lpPZs=,iv:GhU0u7D9Dg/PqM4gEm7j9pPlCPGTxgWDMv0dNxr9HMk=,tag:fZHfgJdpKtT2mNaeOU7agg==,type:str]
     pgp:
         - created_at: "2024-08-04T00:03:28Z"
           enc: |-

users/alfhj.nix

@@ -0,0 +1,13 @@
+{pkgs, ...}:
+
+{
+  users.users.alfhj = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    shell = pkgs.zsh;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCAYE0U3sFizm/NSbKCs0jEhZ1mpAWPcijFevejiFL1 alfhj"
+    ];
+  };
+}
+