felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-01-19 09:29:13 +01:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: felixalb:gluttony
Branches Tags
felixalb:main felixalb:gluttony felixalb:syntax_error felixalb:alps felixalb:fix-bluemap-markers felixalb:nix-topology felixalb:gitea-robots-txt felixalb:bindmount-postgres-mysql-dirs felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:errorpages felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:dagali-heimdal-openldap-sasl-stack felixalb:gitea-navbar-get-started felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim
..
compare: felixalb:nettsiden-postgresql
Branches Tags
felixalb:gluttony felixalb:main felixalb:syntax_error felixalb:alps felixalb:fix-bluemap-markers felixalb:nix-topology felixalb:gitea-robots-txt felixalb:bindmount-postgres-mysql-dirs felixalb:nettsiden-postgresql felixalb:gitea-vaskepersonalet felixalb:errorpages felixalb:create-flake-input-exporter felixalb:gitea-runners-secrets felixalb:nom felixalb:add-skrott felixalb:pvvvvv felixalb:gitea-show-license-in-list-view felixalb:dagali-heimdal-openldap-sasl-stack felixalb:gitea-navbar-get-started felixalb:backup-databases felixalb:openwebui felixalb:setup-openvpn-tunnel felixalb:gitea-gpg-signing felixalb:sleipner-authorised-keys felixalb:openstack-image-builder felixalb:elysium felixalb:smartd-notifs felixalb:systemd-journald-remote felixalb:skrot felixalb:deploy-doorbell felixalb:misc-gitea-fixes felixalb:spotifyd felixalb:remote felixalb:setup-bikkje-login felixalb:ozai-prod felixalb:add-bluemap felixalb:ozai felixalb:setup-postfix-for-service-machines felixalb:fix-gitea-ci-runner-network-issues felixalb:heimdal-openldap-sasl-testing-on-salsa-on-buskerud felixalb:gitea-metrics felixalb:misc1 felixalb:add-simple-saml-theme felixalb:misc-extra-gitea-setup felixalb:setup-kerberos felixalb:setup-home-areas felixalb:shark-kanidm felixalb:prometheusexim

2 Commits
gluttony ... nettsiden-

Author SHA1 Message Date
Øystein Tveit
f580a3ddce WIP 2025-12-16 17:49:23 +01:00
h7x4
91f02c7b75 flake.lock: bump minecraft-kartverket 2025-12-17 01:48:32 +09:00
92 changed files with 2583 additions and 3388 deletions
Expand all files Collapse all files

32
.gitea/workflows/build-topology-graph.yml
View File

@@ -1,32 +0,0 @@
name: "Build topology graph"
on:
push:
branches:
- main
jobs:
evals:
runs-on: debian-latest
steps:
- uses: actions/checkout@v6
- name: Install sudo
run: apt-get update && apt-get -y install sudo
- uses: https://github.com/cachix/install-nix-action@v31
- name: Configure Nix
run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
- name: Build topology graph
run: nix build .#topology -L
- name: Upload topology graph
uses: https://git.pvv.ntnu.no/Projects/rsync-action@v2
with:
source: result/*.svg
quote-source: false
target: ${{ gitea.ref_name }}/topology_graph/
username: gitea-web
ssh-key: ${{ secrets.WEB_SYNC_SSH_KEY }}
host: pages.pvv.ntnu.no
known-hosts: "pages.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH2QjfFB+city1SYqltkVqWACfo1j37k+oQQfj13mtgg"

57
.sops.yaml
View File

@@ -1,39 +1,38 @@
keys: keys:
# Users # Users
- &user_danio age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge - &user_danio age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
- &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
- &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
- &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
- &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
- &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
- &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
# Hosts # Hosts
- &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633 - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
- &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
- &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
- &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0 - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
- &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
- &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
- &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
- &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9 - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
- &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
- &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
- &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
creation_rules: creation_rules:
# Global secrets # Global secrets
- path_regex: secrets/[^/]+\.yaml$ - path_regex: secrets/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_jokum
- *user_danio - *user_danio
- *user_felixalb - *user_felixalb
- *user_eirikwit - *user_eirikwit
- *user_pederbs_sopp - *user_pederbs_sopp
- *user_pederbs_nord - *user_pederbs_nord
- *user_pederbs_bjarte - *user_pederbs_bjarte
- *user_vegardbm
pgp: pgp:
- *user_oysteikt - *user_oysteikt
@@ -48,7 +47,6 @@ creation_rules:
- *user_pederbs_sopp - *user_pederbs_sopp
- *user_pederbs_nord - *user_pederbs_nord
- *user_pederbs_bjarte - *user_pederbs_bjarte
- *user_vegardbm
pgp: pgp:
- *user_oysteikt - *user_oysteikt
@@ -61,7 +59,18 @@ creation_rules:
- *user_pederbs_sopp - *user_pederbs_sopp
- *user_pederbs_nord - *user_pederbs_nord
- *user_pederbs_bjarte - *user_pederbs_bjarte
- *user_vegardbm pgp:
- *user_oysteikt
- path_regex: secrets/jokum/[^/]+\.yaml$
key_groups:
- age:
- *host_jokum
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
pgp: pgp:
- *user_oysteikt - *user_oysteikt
@@ -74,7 +83,6 @@ creation_rules:
- *user_pederbs_sopp - *user_pederbs_sopp
- *user_pederbs_nord - *user_pederbs_nord
- *user_pederbs_bjarte - *user_pederbs_bjarte
- *user_vegardbm
pgp: pgp:
- *user_oysteikt - *user_oysteikt
@@ -87,7 +95,6 @@ creation_rules:
- *user_pederbs_sopp - *user_pederbs_sopp
- *user_pederbs_nord - *user_pederbs_nord
- *user_pederbs_bjarte - *user_pederbs_bjarte
- *user_vegardbm
pgp: pgp:
- *user_oysteikt - *user_oysteikt
@@ -100,7 +107,6 @@ creation_rules:
- *user_pederbs_sopp - *user_pederbs_sopp
- *user_pederbs_nord - *user_pederbs_nord
- *user_pederbs_bjarte - *user_pederbs_bjarte
- *user_vegardbm
pgp: pgp:
- *user_oysteikt - *user_oysteikt
@@ -112,31 +118,6 @@ creation_rules:
- *host_lupine-3 - *host_lupine-3
- *host_lupine-4 - *host_lupine-4
- *host_lupine-5 - *host_lupine-5
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/bakke/[^/]+\.yaml$
key_groups:
- age:
- *host_bakke
- *user_danio
- *user_felixalb
- *user_pederbs_sopp
- *user_pederbs_nord
- *user_pederbs_bjarte
- *user_vegardbm
pgp:
- *user_oysteikt
- path_regex: secrets/skrott/[^/]+\.yaml$
key_groups:
- age:
- *user_danio - *user_danio
- *user_felixalb - *user_felixalb
- *user_pederbs_sopp - *user_pederbs_sopp

61
README.MD Normal file
View File

@@ -0,0 +1,61 @@
# PVV NixOS configs
## Hvordan endre på ting
Før du endrer på ting husk å ikke putte ting som skal være hemmelig uten å først lese seksjonen for hemmeligheter!
Etter å ha klonet prosjektet ned og gjort endringer kan du evaluere configene med:
`nix flake check --keep-going`
før du bygger en maskin med:
`nix build .#<maskinnavn>`
hvis du vil være ekstra sikker på at alt bygger så kan du kjøre:
`nix build .` for å bygge alle de viktige maskinene.
NB: Dette kan ta opp til 30 minutter avhengig av hva som ligger i caches
Husk å hvertfall stage nye filer om du har laget dem!
Om alt bygger fint commit det og push til git repoet.
Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
som root på maskinen.
Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
`nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
## Seksjonen for hemmeligheter
For at hemmeligheter ikke skal deles med hele verden i git - eller å være world
readable i nix-storen, bruker vi [sops-nix](https://github.com/Mic92/sops-nix)
For å legge til secrets kan du kjøre f.eks. `sops secrets/jokum/jokum.yaml`
Dette vil dekryptere filen og gi deg en text-editor du kan bruke for endre hemmelighetene.
Et nix shell med dette verktøyet inkludert ligger i flaket og shell.nix og kan aktiveres med:
`nix-shell` eller `nix develop`. Vi anbefaler det siste.
I tilegg kan du sette opp [direnv](https://direnv.net/) slik at dette skjer automatisk
for å få tilgang til å lese/skrive hemmeligheter må du spørre noen/noe som har tilgang til hemmelighetene
om å legge til age eller pgp nøkkelen din i [`.sops.yaml`](https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/.sops.yaml)
Denne kan du generere fra ssh-nøkkelene dine eller lage en egen nøkkel.
### Legge til flere keys
Gjør det som gir mening i .sops.yml
Etter det kjør `sops updatekeys secrets/host/file.yml`
MERK at det ikke er `sops -r` som BARE roterer nøkklene for de som allerede er i secretfila

62
README.md
View File

@@ -1,62 +0,0 @@
# PVV NixOS config
This repository contains the NixOS configurations for Programvareverkstedet's server closet.
In addition to machine configurations, it also contains a bunch of shared modules, packages, and
more.
> [!WARNING]
> Please read [Development - working on the PVV machines](./docs/development.md) before making
> any changes, and [Secret management and `sops-nix`](./docs/secret-management.md) before adding
> any credentials such as passwords, API tokens, etc. to the configuration.
## Deploying to machines
> [!WARNING]
> Be careful to think about state when testing changes against the machines. Sometimes, a certain change
> can lead to irreversible changes to the data stored on the machine. An example would be a set of database
> migrations applied when testing a newer version of a service. Unless that service also comes with downwards
> migrations, you can not go back to the previous version without losing data.
To deploy the changes to a machine, you should first SSH into the machine, and clone the pvv-nixos-config
repository unless you have already done so. After that, checkout the branch you want to deploy from, and rebuild:
```bash
# Run this while in the pvv-nixos-config directory
sudo nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake .# --upgrade
```
This will rebuild the NixOS system on the current branch and switch the system configuration to reflect the new changes.
Note that unless you eventually merge the current changes into `main`, the machine will rebuild itself automatically and
revert the changes on the next nightly rebuild (tends to happen when everybody is asleep).
## Machine overview
| Name | Type | Description |
|----------------------------|----------|-----------------------------------------------------------|
| [bekkalokk][bek] | Physical | Our main web host, webmail, wiki, idp, minecraft map, ... |
| [bicep][bic] | Virtual | Database host, matrix, git mirrors, ... |
| bikkje | Virtual | Experimental login box |
| [brzeczyszczykiewicz][brz] | Physical | Shared music player |
| [georg][geo] | Physical | Shared music player |
| [ildkule][ild] | Virtual | Logging and monitoring host, prometheus, grafana, ... |
| [kommode][kom] | Virtual | Gitea + Gitea pages |
| [lupine][lup] | Physical | Gitea CI/CD runners |
| shark | Virtual | Test host for authentication, absolutely horrendous |
| [wenche][wen] | Virtual | Nix-builders, general purpose compute |
## Documentation
- [Development - working on the PVV machines](./docs/development.md)
- [Miscellaneous development notes](./docs/development-misc.md)
- [User management](./docs/users.md)
- [Secret management and `sops-nix`](./docs/secret-management.md)
[bek]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bekkalokk
[bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
[brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
[geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
[ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche

9
base/default.nix
View File

@@ -16,23 +16,17 @@
./flake-input-exporter.nix ./flake-input-exporter.nix
./services/acme.nix ./services/acme.nix
./services/uptimed.nix
./services/auto-upgrade.nix ./services/auto-upgrade.nix
./services/dbus.nix ./services/dbus.nix
./services/fwupd.nix ./services/fwupd.nix
./services/irqbalance.nix ./services/irqbalance.nix
./services/journald-upload.nix
./services/logrotate.nix ./services/logrotate.nix
./services/nginx.nix ./services/nginx.nix
./services/openssh.nix ./services/openssh.nix
./services/polkit.nix
./services/postfix.nix ./services/postfix.nix
./services/prometheus-node-exporter.nix
./services/prometheus-systemd-exporter.nix
./services/promtail.nix
./services/roowho2.nix
./services/smartd.nix ./services/smartd.nix
./services/thermald.nix ./services/thermald.nix
./services/uptimed.nix
./services/userborn.nix ./services/userborn.nix
./services/userdbd.nix ./services/userdbd.nix
]; ];
@@ -54,7 +48,6 @@
gnupg gnupg
htop htop
nano nano
net-tools
ripgrep ripgrep
rsync rsync
screen screen

4
base/flake-input-exporter.nix
View File

@@ -45,8 +45,8 @@ in
allow ${values.hosts.ildkule.ipv6}/128; allow ${values.hosts.ildkule.ipv6}/128;
allow 127.0.0.1/32; allow 127.0.0.1/32;
allow ::1/128; allow ::1/128;
allow ${values.ipv4-space}; allow 129.241.210.128/25;
allow ${values.ipv6-space}; allow 2001:700:300:1900::/64;
deny all; deny all;
''; '';
}; };

2
base/services/auto-upgrade.nix
View File

@@ -9,8 +9,6 @@ in
enable = true; enable = true;
flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git"; flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
flags = [ flags = [
"-L"
"--refresh" "--refresh"
"--no-write-lock-file" "--no-write-lock-file"
# --update-input is deprecated since nix 2.22, and removed in lix 2.90 # --update-input is deprecated since nix 2.22, and removed in lix 2.90

24
base/services/journald-upload.nix
View File

@@ -1,24 +0,0 @@
{ config, lib, values, ... }:
let
cfg = config.services.journald.upload;
in
{
services.journald.upload = {
enable = lib.mkDefault true;
settings.Upload = {
# URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
URL = "https://${values.hosts.ildkule.ipv4}:${toString config.services.journald.remote.port}";
ServerKeyFile = "-";
ServerCertificateFile = "-";
TrustedCertificateFile = "-";
};
};
systemd.services."systemd-journal-upload".serviceConfig = lib.mkIf cfg.enable {
IPAddressDeny = "any";
IPAddressAllow = [
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
}

19
base/services/nginx.nix
View File

@@ -40,25 +40,6 @@
}; };
services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable { services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
listen = [
{
addr = "0.0.0.0";
extraParameters = [
"default_server"
# Seemingly the default value of net.core.somaxconn
"backlog=4096"
"deferred"
];
}
{
addr = "[::0]";
extraParameters = [
"default_server"
"backlog=4096"
"deferred"
];
}
];
sslCertificate = "/etc/certs/nginx.crt"; sslCertificate = "/etc/certs/nginx.crt";
sslCertificateKey = "/etc/certs/nginx.key"; sslCertificateKey = "/etc/certs/nginx.key";
addSSL = true; addSSL = true;

15
base/services/polkit.nix
View File

@@ -1,15 +0,0 @@
{ config, lib, ... }:
let
cfg = config.security.polkit;
in
{
security.polkit.enable = true;
environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
polkit.addAdminRule(function(action, subject) {
if(subject.isInGroup("wheel")) {
return ["unix-user:"+subject.user];
}
});
'';
}

23
base/services/prometheus-node-exporter.nix
View File

@@ -1,23 +0,0 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.node;
in
{
services.prometheus.exporters.node = {
enable = lib.mkDefault true;
port = 9100;
enabledCollectors = [ "systemd" ];
};
systemd.services.prometheus-node-exporter.serviceConfig = lib.mkIf cfg.enable {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ cfg.port ];
}

26
base/services/prometheus-systemd-exporter.nix
View File

@@ -1,26 +0,0 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.systemd;
in
{
services.prometheus.exporters.systemd = {
enable = lib.mkDefault true;
port = 9101;
extraFlags = [
"--systemd.collector.enable-restart-count"
"--systemd.collector.enable-ip-accounting"
];
};
systemd.services.prometheus-systemd-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ cfg.port ];
}

38
base/services/promtail.nix
View File

@@ -1,38 +0,0 @@
{ config, lib, values, ... }:
let
cfg = config.services.prometheus.exporters.node;
in
{
services.promtail = {
enable = lib.mkDefault true;
configuration = {
server = {
http_listen_port = 28183;
grpc_listen_port = 0;
};
clients = [{
url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
}];
scrape_configs = [{
job_name = "systemd-journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}];
};
};
}

12
base/services/roowho2.nix
View File

@@ -1,12 +0,0 @@
{ lib, values, ... }:
{
services.roowho2.enable = lib.mkDefault true;
systemd.sockets.roowho2-rwhod.socketConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
values.ipv4-space
];
};
}

103
docs/development-misc.md
View File

@@ -1,103 +0,0 @@
# Miscellaneous development notes
This document contains a bunch of information that is not particularly specific to the pvv nixos config,
but concerns technologies we use often or gotchas to be aware of when working with NixOS. A lot of the information
here is already public information spread around the internet, but we've collected some of the items we use often
here.
## The firewall
`networking.firewall` is a NixOS module that configures `iptables` rules on the machine. It is enabled by default on
all of our machines, and it can be easy to forget about it when setting up new services, especially when we are the
ones creating the NixOS module.
When setting up a new service that listens on a TCP or UDP port, make sure to add the appropriate ports to either
`networking.firewall.allowedTCPPorts` or `networking.firewall.allowedUDPPorts`.
You can list out the current firewall rules by running `sudo iptables -L -n -v` on the machine.
## Finding stuff
Finding stuff, both underlying implementation and usage is absolutely crucial when working on nix.
Oftentimes, the documentation will be outdated, lacking or just plain out wrong. These are some of
the techniques we have found to be quite good when working with nix.
### [ripgrep](https://github.com/BurntSushi/ripgrep)
ripgrep (or `rg` for short) is a tool that lets you recursively grep for regex patters in a directory.
It is great for finding references to configuration, and where and how certain things are used. It is
especially great when working with [nixpkgs](https://github.com/NixOS/nixpkgs), which is quite large.
### GitHub Search
When trying to set up a new service or reconfigure something, it is very common that someone has done it
before you, but it has never been documented anywhere. A lot of Nix code exists on GitHub, and you can
easily query it by using the `lang:nix` filter in the search bar.
For example: https://github.com/search?q=lang%3Anix+dibbler&type=code
## rsync
`rsync` is a tool for synchronizing files between machines. It is very useful when transferring large
amounts of data from a to b. We use it for multiple things, often when data is produced or stored on
one machine, and we want to process or convert it on another. For example, we use it to transfer gitea
artifacts, to transfer gallery pictures, to transfer minecraft world data for map rendering, and more.
Along with `rsync`, we often use a lesser known tool called `rrsync`, which you can use inside an ssh
configuration (`authorized_keys` file) to restrict what paths a user can access when connecting over ssh.
This is useful both as a security measure, but also to avoid accidental overwrites of files outside the intended
path. `rrsync` will use chroot to restrict what paths the user can access, as well as refuse to run arbitrary commands.
## `nix repl`
`nix repl` is an interactive REPL for the Nix language. It is very useful for experimenting with Nix code,
and testing out small snippets of code to make sure it behaves as expected. You can also use it to explore
NixOS machine configurations, to interactively see that the configuration evaluates to what you expect.
```
# While in the pvv-nixos-config directory
nix repl .
# Upon writing out the config path and clickin [Tab], you will get autocompletion suggestions:
nix-repl> nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts._
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.bekkalokk.pvv.ntnu.no-nixos-metrics
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.idp.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.minecraft.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pvv.org
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.pw.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.roundcubeplaceholder.example.com
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.snappymail.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.webmail.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.wiki.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.www.pvv.ntnu.no
nixosConfigurations.bekkalokk.config.services.nginx.virtualHosts.www.pvv.org
```
## `nix why-depends`
If you ever wonder why a certain package is being used as a dependency of another package,
or another machine, you can use `nix why-depends` to find the dependency path from one package to another.
This is often useful after updating nixpkgs and finding an error saying that a certain package is insecure,
broken or whatnot. You can do something like the following
```bash
# Why does bekkalokk depend on openssl?
nix why-depends .#nixosConfigurations.bekkalokk.config.system.build.toplevel .#nixosConfigurations.bekkalokk.pkgs.openssl
# Why does bekkalokk's minecraft-server depend on zlib? (this is not real)
nix why-depends .#nixosConfigurations.bekkalokk.pkgs.minecraft-server .#nixosConfigurations.bekkalokk.pkgs.zlib
```
## php-fpm
php-fpm (FastCGI Process Manager) is a PHP implementation that is designed for speed and production use. We host a bunch
of different PHP applications (including our own website), and so we use php-fpm quite a bit. php-fpm typically exposes a
unix socket that nginx will connect to, and php-fpm will then render php upon web requests forwarded from nginx and return
it.
php-fpm has a tendency to be a bit hard to debug. It is not always very willing to spit out error messages and logs, and so
it can be a bit hard to figure out what's up when something goes wrong. You should see some of the commented stuff laying around
in the website code on bekkalokk for examples of how to configure php-fpm for better logging and error reporting.

169
docs/development.md
View File

@@ -1,169 +0,0 @@
# Development - working on the PVV machines
This document outlines the process of editing our NixOS configurations, and testing and deploying said changes
to the machines. Most of the information written here is specific to the PVV NixOS configuration, and the topics
will not really cover the nix code itself in detail. You can find some more resources for that by either following
the links from the *Upstream documentation* section below, or in [Miscellaneous development notes](./development-misc.md).
## Editing nix files
> [!WARNING]
> Before editing any nix files, make sure to read [Secret management and `sops-nix`](./secret-management.md)!
> We do not want to add any secrets in plaintext to the nix files, and certainly not commit and publish
> them into the common public.
The files are plaintext code, written in the [`Nix` language](https://nix.dev/manual/nix/stable/language/).
Below is a list of important files and directories, and a description of what they contain.
### `flake.nix`
The `flake.nix` file is a [nix flake](https://wiki.nixos.org/wiki/Flakes) and makes up the entrypoint of the
entire configuration. It declares what inputs are used (similar to dependencies), as well as what outputs the
flake exposes. In our case, the most important outputs are the `nixosConfigurations` (our machine configs), but
we also expose custom modules, packages, devshells, and more. You can run `nix flake show` to get an overview of
the outputs (however you will need to [enable the `nix-flakes` experimental option](https://wiki.nixos.org/wiki/Flakes#Setup)).
You will find that a lot of the flake inputs are the different PVV projects that we develop, imported to be hosted
on the NixOS machines. This makes it easy to deploy changes to these projects, as we can just update the flake input
to point to a new commit or version, and then rebuild the machines.
A NixOS configuration is usually made with the `nixpkgs.lib.nixosSystem` function, however we have a few custom wrapper
functions named `nixosConfig` and `stableNixosConfig` that abstracts away some common configuration we want on all our machines.
### `values.nix`
`values.nix` is a somewhat rare pattern in NixOS configurations around the internet. It contains a bunch of constant values
that we use throughout the configuration, such as IP addresses, DNS names, paths and more. This not only makes it easier to
change the values should we need to, but it also makes the configuration more readable. Instead of caring what exact IP any
machine has, you can write `values.machines.name.ipv4` and abstract the details away.
### `base`
The `base` directory contains a bunch of NixOS configuration that is common for all or most machines. Some of the config
you will find here sets defaults for certain services without enabling them, so that when they are enabled in a machine config,
we don't need to repeat the same defaults over again. Other parts actually enable certain services that we want on all machines,
such as `openssh` or the auto upgrade timer.
### Vendoring `modules` and `packages`
Sometimes, we either find that the packages or modules provided by `nixpkgs` is not sufficient for us,
or that they are bugged in some way that can not be easily overrided. There are also cases where the
modules or packages does not exist. In these cases, we tend to either copy and modify the modules and
packages from nixpkgs, or create our own. These modules and packages end up in the top-level `modules`
and `packages` directories. They are usually exposed in `flake.nix` as flake outputs `nixosModules.<name>`
and `packages.<platform>.<name>`, and they are usually also added to the machines that need them in the flake.
In order to override or add an extra package, the easiest way is to use an [`overlay`](https://wiki.nixos.org/wiki/Overlays).
This makes it so that the package from `pkgs.<name>` now refers to the modified variant of the package.
In order to add a module, you can just register it in the modules of the nixos machine.
In order to override a module, you also have to use `disabledModules = [ "<path-relative-to-nixpkgs/modules>" ];`.
Use `rg` to find examples of the latter.
Do note that if you believe a new module to be of high enough quality, or the change you are making to be
relevant for every nix user, you should strongly consider also creating a PR towards nixpkgs. However,
getting changes made there has a bit higher threshold and takes more time than making changes in the PVV config,
so feel free to make the changes here first. We can always remove the changes again once the upstreaming is finished.
### `users`, `secrets` and `keys`
For `users`, see [User management](./users.md)
For `secrets` and `keys`, see [Secret management and `sops-nix`](./secret-management.md)
### Collaboration
We use our gitea to collaborate on changes to the nix configuration. Every PVV maintenance member should have
access to the repository. The usual workflow is that we create a branch for the change we want to make, do a bunch
of commits and changes, and then open a merge request for review (or just rebase on master if you know what you are doing).
### Upstream documentation
Here are different sources of documentation and stuff that you might find useful while
writing, editing and debugging nix code.
- [nixpkgs repository](https://github.com/NixOS/nixpkgs)
This is particularly useful to read the source code, as well as upstreaming pieces of code that we think
everyone would want
- [NixOS search](https://search.nixos.org/)
This is useful for searching for both packages and NixOS options.
- [nixpkgs documentation](https://nixos.org/manual/nixpkgs/stable/)
- [NixOS documentation](https://nixos.org/manual/nixos/stable/)
- [nix (the tool) documentation](https://nix.dev/manual/nix/stable/)
All of the three above make up the official documentation with all technical
details about the different pieces that makes up NixOS.
- [The official NixOS wiki](https://wiki.nixos.org)
User-contributed guides, tips and tricks, and whatever else.
- [nix.dev](https://nix.dev)
Additional stuff
- [Noogle](https://noogle.dev)
This is useful when looking for nix functions and packaging helpers.
## Testing and deploying changes
After editing the nix files on a certain branch, you will want to test and deploy the changes to the machines.
Unfortunately, we don't really have a good setup for testing for runtime correctness locally, but we can at least
make sure that the code evaluates and builds correctly before deploying.
To just check that the code evaluates without errors, you can run:
```bash
nix flake check
# Or if you want to keep getting all errors before it quits:
nix flake check --keep-going
```
> [!NOTE]
> If you are making changes that involves creating new nix files, remember to `git add` those files before running
> any nix commands. Nix refuses to acknowledge files that are not either commited or at least staged. It will spit
> out an error message about not finding the file in question.
### Building machine configurations
To build any specific machine configuration and look at the output, you can run:
```bash
nix build .#nixosConfigurations.<machine-name>.config.system.build.toplevel
# or just
nix build .#<machine-name>
```
This will create a symlink name `./result` to a directory containing the built NixOS system. It is oftentimes
the case that config files for certain services only end up in the nix store without being put into `/etc`. If you wish
to read those files, you can often find them by looking at the systemd unit files in `./result/etc/systemd/system/`.
(if you are using vim, `gf` or go-to-file while the cursor is over a file path is a useful trick while doing this).
If you have edited something that affects multiple machines, you can also build all important machines at once by running:
```bash
nix build .#
```
> [!NOTE]
> Building all machines at once can take a long time, depending on what has changed and whether you have already
> built some of the machines recently. Be prepared to wait for up to an hour to build all machines from scratch
> if this is the first time.
### Forcefully reset to `main`
If you ever want to reset a machine to the `main` branch, you can do so by running:
```bash
nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git
```
This will ignore the current branch and just pull the latest `main` from the git repository directly from gitea.
You can also use this command if there are updates on the `main` branch that you want to deploy to the machine without
waiting for the nightly rebuild.

160
docs/secret-management.md
View File

@@ -1,160 +0,0 @@
# Secret management and `sops-nix`
Nix config is love, nix config is life, and publishing said config to the
internet is not only a good deed and kinda cool, but also encourages properly
secured configuration as opposed to [security through obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity).
That being said, there are some details of the config that we really shouldn't
share with the general public. In particular, there are so-called *secrets*, that is
API keys, passwords, tokens, cookie secrets, salts, peppers and jalapenos that we'd
rather keep to ourselves. However, it is not entirely trivial to do so in the NixOS config.
For one, we'd have to keep these secrets out of the public git repo somehow, and secondly
everything that is configured via nix ends up as world readable files (i.e. any user on the
system can read the file) in `/nix/store`.
In order to solve this, we use a NixOS module called [`sops-nix`](https://github.com/Mic92/sops-nix)
which uses a technology called [`sops`](https://github.com/getsops/sops) behind the scenes.
The idea is simple: we encrypt these secrets with a bunch of different keys and store the
encrypted files in the git repo. First of all, we encrypt the secrets a bunch of time with
PVV maintenance member's keys, so that we can decrypt and edit the contents. Secondly, we
encrypt the secrets with the [host keys]() of the NixOS machines, so that they can decrypt
the secrets. The secrets will be decrypted and stored in a well-known location (usually `/run/secrets`)
so that they do not end up in the nix store, and are not world readable.
This way, we can both keep the secrets in the git repository and let multiple people edit them,
but also ensure that they don't end up in the wrong hands.
## Adding a new machine
In order to add a new machine to the nix-sops setup, you should do the following:
```console
# Create host keys (if they don't already exist)
ssh-keygen -A -b 4096
# Derive an age-key from the public host key
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# Register the age key in .sops.yaml
vim .sops.yaml
```
The contents of `.sops.yaml` should look like this:
```yaml
keys:
# Users
...
# Hosts
...
- &host_<machine_name> <public_age_key>
creation_rules:
...
- path_regex: secrets/<machine_name>/[^/]+\.yaml$
key_groups:
- age:
- *host_<machine_name>
- ... user keys
- pgp:
- ... user keys
```
> [!NOTE]
> Take care that all the keys in the `age` and `pgp` sections are prefixed
> with a `-`, or else sops might try to encrypt the secrets in a way where
> you need both keys present to decrypt the content. Also, it tends to throw
> interesting errors when it fails to do so.
```console
# While cd-ed into the repository, run this to get a shell with the `sops` tool present
nix-shell
```
Now you should also be able to edit secrets for this machine by running:
```
sops secrets/<machine_name>/<machine_name>.yaml
```
## Adding a user
Adding a user is quite similar to adding a new machine.
This guide assumes you have already set up SSH keys.
```
# Derive an age-key from your key
# (edit the path to the key if it is named something else)
nix-shell -p ssh-to-age --run 'cat ~/.ssh/id_ed25519.pub | ssh-to-age'
# Register the age key in .sops.yaml
vim .sops.yaml
```
The contents of `.sops.yaml` should look like this:
```yaml
keys:
# Users
...
- &user_<user_name> <public_age_key>
# Hosts
...
creation_rules:
...
# Do this for all the machines you are planning to edit
# (or just do it for all machines)
- path_regex: secrets/<machine_name>/[^/]+\.yaml$
key_groups:
- age:
- *host_<machine_name>
- ... user keys
- *host_<user_name>
- pgp:
- ... user keys
```
Now that sops is properly configured to recognize the key, you need someone
who already has access to decrypt all the secrets and re-encrypt them with your
key. At this point, you should probably [open a PR](https://docs.gitea.com/usage/issues-prs/pull-request)
and ask someone in PVV maintenance if they can checkout the PR branch, run the following
command and push the diff back into the PR (and maybe even ask them to merge if you're feeling
particularly needy).
```console
sops updatekeys secrets/*/*.yaml
```
## Updating keys
> [!NOTE]
> At some point, we found this flag called `sops -r` that seemed to be described to do what
> `sops updatekeys` does, do not be fooled. This only rotates the "inner key" for those who
> already have the secrets encrypted with their key.
Updating keys is done with this command:
```console
sops updatekeys secrets/*/*.yaml
```
However, there is a small catch. [oysteikt](https://git.pvv.ntnu.no/oysteikt) has kinda been
getting gray hairs lately, and refuses to use modern technology - he is still stuck using GPG.
This means that to be able to re-encrypt the sops secrets, you will need to have a gpg keychain
with his latest public key available. The key has an expiry date, so if he forgets to update it,
you should send him and angry email and tag him a bunch of times in a gitea issue. If the key
is up to date, you can do the following:
```console
# Fetch gpg (unless you have it already)
nix-shell -p gpg
# Import oysteikts key to the gpg keychain
gpg --import ./keys/oysteikt.pub
```
Now you should be able to run the `sops updatekeys` command again.

50
docs/users.md
View File

@@ -1,50 +0,0 @@
# User management
Due to some complications with how NixOS creates users compared to how we used to
create users with the salt-based setup, the NixOS machine users are created and
managed separately. We tend to create users on-demand, whenever someone in PVV
maintenance want to work on the NixOS machines.
## Setting up a new user
You can find the files for the existing users, and thereby examples of user files
in the [`users`](../users) directory. When creating a new file here, you should name it
`your-username.nix`, and add *at least* the following contents:
```nix
{ pkgs, ... }:
{
users.users."<username>" = {
isNormalUser = true;
extraGroups = [
"wheel" # In case you wanna use sudo (you probably do)
"nix-builder-users" # Arbitrary access to write to the nix store
];
# Any packages you frequently use to manage servers go here.
# Please don't pull gigantonormous packages here unless you
# absolutely need them, and remember that any package can be
# pulled via nix-shell if you only use it once in a blue moon.
packages = with pkgs; [
bottom
eza
];
# Not strictly needed, but we recommend adding your public SSH
# key here. If it is not present, you will have to log into the
# machine as 'root' before setting your password for every NixOS
# machine you have not logged into yet.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjiQ0wg4lpC7YBMAAHoGmgwqHOBi+EUz5mmCymGlIyT my-key"
];
};
}
```
The file will be picked up automatically, so creating the file and adding the
contents should be enough to get you registered. You should
[open a PR](https://docs.gitea.com/usage/issues-prs/pull-request) with the new
code so the machines will be rebuilt with your user present.
See also [Secret Management](./secret-management.md) for how to add your keys to the
system that lets us add secrets (API keys, password, etc.) to the NixOS config.

309
flake.lock generated
View File

@@ -1,27 +1,5 @@
{ {
"nodes": { "nodes": {
"dibbler": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1768138611,
"narHash": "sha256-KfZX6wpuwE2IRKLjh0DrEviE4f6kqLJWwKIE5QJSqa4=",
"ref": "main",
"rev": "cb385097dcda5fb9772f903688d078b30a66ccd4",
"revCount": 221,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
}
},
"disko": { "disko": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -29,55 +7,19 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736864502, "lastModified": 1764627417,
"narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=", "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "0141aabed359f063de7413f80d906e1d98c0c123", "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "v1.11.0",
"repo": "disko", "repo": "disko",
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1765835352,
"narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "a34fae9c08a15ad73f295041fec82323541400a9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"gergle": { "gergle": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -85,16 +27,15 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1767906545, "lastModified": 1764868579,
"narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=", "narHash": "sha256-rfTUOIc0wnC4+19gLVfPbHfXx/ilfuUix6bWY+yaM2U=",
"ref": "main", "ref": "refs/heads/main",
"rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd", "rev": "9c923d1d50daa6a3b28c3214ad2300bfaf6c8fcd",
"revCount": 23, "revCount": 22,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git" "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
}, },
"original": { "original": {
"ref": "main",
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git" "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
} }
@@ -107,16 +48,15 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1767906494, "lastModified": 1764868843,
"narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=", "narHash": "sha256-ZXYLXKO+VjAJr2f5zz+7SuKFICfI2eZnmTgS/626YE0=",
"ref": "main", "ref": "refs/heads/main",
"rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e", "rev": "c095533c50e80dd18ac48046f1479cf4d83c631c",
"revCount": 61, "revCount": 52,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git" "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
}, },
"original": { "original": {
"ref": "main",
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git" "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
} }
@@ -130,14 +70,13 @@
"locked": { "locked": {
"lastModified": 1764867811, "lastModified": 1764867811,
"narHash": "sha256-UWHiwr8tIcGcVxMLvAdNxDbQ8QuHf3REHboyxvFkYEI=", "narHash": "sha256-UWHiwr8tIcGcVxMLvAdNxDbQ8QuHf3REHboyxvFkYEI=",
"ref": "master", "ref": "refs/heads/master",
"rev": "c9983e947efe047ea9d6f97157a1f90e49d0eab3", "rev": "c9983e947efe047ea9d6f97157a1f90e49d0eab3",
"revCount": 81, "revCount": 81,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git" "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
}, },
"original": { "original": {
"ref": "master",
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git" "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
} }
@@ -167,20 +106,18 @@
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ]
"rust-overlay": "rust-overlay_2"
}, },
"locked": { "locked": {
"lastModified": 1767906976, "lastModified": 1756124334,
"narHash": "sha256-igCg8I83eO+noF00raXVJqDxzLS2SrZN8fK5bnvO+xI=", "narHash": "sha256-DXFmSpgI8FrqcdqY7wg5l/lpssWjslHq5ufvyp/5k4o=",
"ref": "main", "ref": "refs/heads/main",
"rev": "626bc9b6bae6a997b347cdbe84080240884f2955", "rev": "83760b1ebcd9722ddf58a4117d29555da65538ad",
"revCount": 17, "revCount": 13,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git" "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
}, },
"original": { "original": {
"ref": "main",
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git" "url": "https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git"
} }
@@ -192,16 +129,15 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1768749374, "lastModified": 1765903589,
"narHash": "sha256-dhXYLc64d7TKCnRPW4TlHGl6nLRNdabJB2DpJ8ffUw0=", "narHash": "sha256-JRLmckeM4G2hkH2V3VdfjHrrsWgJ8j7rZDYYjHTkRqA=",
"ref": "main", "ref": "refs/heads/main",
"rev": "040294f2e1df46e33d995add6944b25859654097", "rev": "7c86d342e68506fcd83cb74af3336f99ff522a0a",
"revCount": 37, "revCount": 24,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git" "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
}, },
"original": { "original": {
"ref": "main",
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git" "url": "https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git"
} }
@@ -213,77 +149,39 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1767906352, "lastModified": 1743881366,
"narHash": "sha256-wYsH9MMAPFG3XTL+3DwI39XMG0F2fTmn/5lt265a3Es=", "narHash": "sha256-ScGA2IHPk9ugf9bqEZnp+YB/OJgrkZblnG/XLEKvJAo=",
"ref": "main", "ref": "refs/heads/main",
"rev": "d054c5d064b8ed6d53a0adb0cf6c0a72febe212e", "rev": "db2e4becf1b11e5dfd33de12a90a7d089fcf68ec",
"revCount": 13, "revCount": 11,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git" "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
}, },
"original": { "original": {
"ref": "main",
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git" "url": "https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git"
} }
}, },
"nix-topology": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1768068512,
"narHash": "sha256-pH5wkcNOiXy4MBjDTe6A1gml+7m+ULC3lYMBPMqdS1w=",
"owner": "oddlama",
"repo": "nix-topology",
"rev": "4367a2093c5ff74fc478466aebf41d47ce0cacb4",
"type": "github"
},
"original": {
"owner": "oddlama",
"ref": "main",
"repo": "nix-topology",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1768555036, "lastModified": 1764806471,
"narHash": "sha256-qJTh3xrFsqrXDzUmjPGV0VC70vpsq/YP25Jo6Fh7PTs=", "narHash": "sha256-Qk0SArnS83KqyS9wNt1YoTkkYKDraNrjRWKUtB9DKoM=",
"rev": "1d2851ebcd64734ef057e8c80e05dd5600323792", "rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4104.1d2851ebcd64/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.896.6707b1809330/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz" "url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
} }
}, },
"nixpkgs-lib": {
"locked": {
"lastModified": 1765674936,
"narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1768553552, "lastModified": 1764854611,
"narHash": "sha256-YeNMZDAxdQUMLcqZmoc+/WzYrJxTEg6Y7uNALUcF1dE=", "narHash": "sha256-MVzFp4ZKwdh6U1wy4fJe/GY3Hb4cvvyJbAZOhaeBQoo=",
"rev": "a6b8b0f0ceb6d4f5da70808e26c68044099460fd", "rev": "3a4b875aef660bbd148e86b92cffea2a360c3275",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre928681.a6b8b0f0ceb6/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre906534.3a4b875aef66/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -299,14 +197,13 @@
"locked": { "locked": {
"lastModified": 1764869785, "lastModified": 1764869785,
"narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=", "narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
"ref": "main", "ref": "refs/heads/main",
"rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2", "rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
"revCount": 23, "revCount": 23,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git" "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
}, },
"original": { "original": {
"ref": "main",
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git" "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
} }
@@ -318,44 +215,21 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1768636400, "lastModified": 1757332682,
"narHash": "sha256-AiSKT4/25LS1rUlPduBMogf4EbdMQYDY1rS7AvHFcxk=", "narHash": "sha256-4p4aVQWs7jHu3xb6TJlGik20lqbUU/Fc0/EHpzoRlO0=",
"ref": "main", "ref": "refs/heads/main",
"rev": "3a8f82b12a44e6c4ceacd6955a290a52d1ee2856", "rev": "da1113341ad9881d8d333d1e29790317bd7701e7",
"revCount": 573, "revCount": 518,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
}, },
"original": { "original": {
"ref": "main",
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/nettsiden.git" "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
} }
}, },
"qotd": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1768684204,
"narHash": "sha256-TErBiXxTRPUtZ/Mw8a5p+KCeGCFXa0o8fzwGoo75//Y=",
"ref": "main",
"rev": "a86f361bb8cfac3845b96d49fcbb2faea669844f",
"revCount": 11,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/qotd.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/qotd.git"
}
},
"root": { "root": {
"inputs": { "inputs": {
"dibbler": "dibbler",
"disko": "disko", "disko": "disko",
"gergle": "gergle", "gergle": "gergle",
"greg-ng": "greg-ng", "greg-ng": "greg-ng",
@@ -364,38 +238,13 @@
"minecraft-heatmap": "minecraft-heatmap", "minecraft-heatmap": "minecraft-heatmap",
"minecraft-kartverket": "minecraft-kartverket", "minecraft-kartverket": "minecraft-kartverket",
"nix-gitea-themes": "nix-gitea-themes", "nix-gitea-themes": "nix-gitea-themes",
"nix-topology": "nix-topology",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"pvv-calendar-bot": "pvv-calendar-bot", "pvv-calendar-bot": "pvv-calendar-bot",
"pvv-nettsiden": "pvv-nettsiden", "pvv-nettsiden": "pvv-nettsiden",
"qotd": "qotd",
"roowho2": "roowho2",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },
"roowho2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1768140181,
"narHash": "sha256-HfZzup5/jlu8X5vMUglTovVTSwhHGHwwV1YOFIL/ksA=",
"ref": "main",
"rev": "834463ed64773939798589ee6fd4adfe3a97dddd",
"revCount": 43,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
}
},
"rust-overlay": { "rust-overlay": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -404,53 +253,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1767840362, "lastModified": 1764816035,
"narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=", "narHash": "sha256-F0IQSmSj4t2ThkbWZooAhkCTO+YpZSd2Pqiv2uoYEHo=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "d159ea1fc321c60f88a616ac28bab660092a227d", "rev": "74d9abb7c5c030469f90d97a67d127cc5d76c238",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"minecraft-heatmap",
"nixpkgs"
]
},
"locked": {
"lastModified": 1766371695,
"narHash": "sha256-W7CX9vy7H2Jj3E8NI4djHyF8iHSxKpb2c/7uNQ/vGFU=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "d81285ba8199b00dc31847258cae3c655b605e8c",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_3": {
"inputs": {
"nixpkgs": [
"roowho2",
"nixpkgs"
]
},
"locked": {
"lastModified": 1767322002,
"narHash": "sha256-yHKXXw2OWfIFsyTjduB4EyFwR0SYYF0hK8xI9z4NIn0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "03c6e38661c02a27ca006a284813afdc461e9f7e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -466,34 +273,18 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1768481291, "lastModified": 1764483358,
"narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=", "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "e085e303dfcce21adcb5fec535d65aacb066f101", "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "Mic92", "owner": "Mic92",
"ref": "master",
"repo": "sops-nix", "repo": "sops-nix",
"type": "github" "type": "github"
} }
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

153
flake.nix
View File

@@ -5,48 +5,36 @@
nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"; nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz";
nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"; nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
sops-nix.url = "github:Mic92/sops-nix/master"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko/v1.11.0"; disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs"; disko.inputs.nixpkgs.follows = "nixpkgs";
nix-topology.url = "github:oddlama/nix-topology/main"; pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
nix-topology.inputs.nixpkgs.follows = "nixpkgs";
pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git?ref=main";
pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs"; pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git?ref=main"; pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs"; pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git?ref=main";
dibbler.inputs.nixpkgs.follows = "nixpkgs";
matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0"; matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
matrix-next.inputs.nixpkgs.follows = "nixpkgs"; matrix-next.inputs.nixpkgs.follows = "nixpkgs";
nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git?ref=main"; nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/Drift/nix-gitea-themes.git";
nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs"; nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main"; minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git";
minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs"; minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main"; greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git";
roowho2.inputs.nixpkgs.follows = "nixpkgs";
greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
greg-ng.inputs.nixpkgs.follows = "nixpkgs"; greg-ng.inputs.nixpkgs.follows = "nixpkgs";
gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main"; gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git";
gergle.inputs.nixpkgs.follows = "nixpkgs"; gergle.inputs.nixpkgs.follows = "nixpkgs";
grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master"; grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git";
grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs"; grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git?ref=main"; minecraft-kartverket.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git";
minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs"; minecraft-kartverket.inputs.nixpkgs.follows = "nixpkgs";
qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
qotd.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs: outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -69,16 +57,6 @@
in { in {
inputs = lib.mapAttrs (_: src: src.outPath) inputs; inputs = lib.mapAttrs (_: src: src.outPath) inputs;
pkgs = forAllSystems (system:
import nixpkgs {
inherit system;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
[
"nvidia-x11"
"nvidia-settings"
];
});
nixosConfigurations = let nixosConfigurations = let
unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux; unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
@@ -86,30 +64,23 @@
nixpkgs: nixpkgs:
name: name:
configurationPath: configurationPath:
extraArgs@{ extraArgs:
system ? "x86_64-linux",
specialArgs ? { },
modules ? [ ],
overlays ? [ ],
enableDefaults ? true,
...
}:
lib.nixosSystem (lib.recursiveUpdate lib.nixosSystem (lib.recursiveUpdate
{ (let
system = "x86_64-linux";
in {
inherit system; inherit system;
specialArgs = { specialArgs = {
inherit unstablePkgs inputs; inherit unstablePkgs inputs;
values = import ./values.nix; values = import ./values.nix;
fp = path: ./${path}; fp = path: ./${path};
} // specialArgs; } // extraArgs.specialArgs or { };
modules = [ modules = [
configurationPath configurationPath
] ++ (lib.optionals enableDefaults [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
inputs.roowho2.nixosModules.default ] ++ extraArgs.modules or [];
]) ++ modules;
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;
@@ -118,29 +89,21 @@
"nvidia-x11" "nvidia-x11"
"nvidia-settings" "nvidia-settings"
]; ];
overlays = (lib.optionals enableDefaults [ overlays = [
# Global overlays go here # Global overlays go here
inputs.roowho2.overlays.default ] ++ extraArgs.overlays or [ ];
]) ++ overlays;
}; };
} })
(builtins.removeAttrs extraArgs [ (builtins.removeAttrs extraArgs [
"system"
"modules" "modules"
"overlays" "overlays"
"specialArgs" "specialArgs"
"enableDefaults"
]) ])
); );
stableNixosConfig = name: extraArgs: stableNixosConfig = name: extraArgs:
nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs; nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
in { in {
bakke = stableNixosConfig "bakke" {
modules = [
disko.nixosModules.disko
];
};
bicep = stableNixosConfig "bicep" { bicep = stableNixosConfig "bicep" {
modules = [ modules = [
inputs.matrix-next.nixosModules.default inputs.matrix-next.nixosModules.default
@@ -153,7 +116,7 @@
inputs.pvv-calendar-bot.overlays.default inputs.pvv-calendar-bot.overlays.default
inputs.minecraft-heatmap.overlays.default inputs.minecraft-heatmap.overlays.default
(final: prev: { (final: prev: {
inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element; inherit (self.packages.${prev.system}) out-of-your-element;
}) })
]; ];
}; };
@@ -166,19 +129,15 @@
bluemap = final.callPackage ./packages/bluemap.nix { }; bluemap = final.callPackage ./packages/bluemap.nix { };
}) })
inputs.pvv-nettsiden.overlays.default inputs.pvv-nettsiden.overlays.default
inputs.qotd.overlays.default
]; ];
modules = [ modules = [
inputs.pvv-nettsiden.nixosModules.default inputs.pvv-nettsiden.nixosModules.default
self.nixosModules.bluemap
inputs.qotd.nixosModules.default
]; ];
}; };
ildkule = stableNixosConfig "ildkule" { }; ildkule = stableNixosConfig "ildkule" { };
#ildkule-unstable = unstableNixosConfig "ildkule" { }; #ildkule-unstable = unstableNixosConfig "ildkule" { };
shark = stableNixosConfig "shark" { }; shark = stableNixosConfig "shark" { };
wenche = stableNixosConfig "wenche" { }; wenche = stableNixosConfig "wenche" { };
temmie = stableNixosConfig "temmie" { };
kommode = stableNixosConfig "kommode" { kommode = stableNixosConfig "kommode" {
overlays = [ overlays = [
@@ -217,16 +176,6 @@
inputs.gergle.overlays.default inputs.gergle.overlays.default
]; ];
}; };
skrott = stableNixosConfig "skrott" {
system = "aarch64-linux";
modules = [
(nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
inputs.dibbler.nixosModules.default
];
overlays = [
inputs.dibbler.overlays.default
];
};
} }
// //
(let (let
@@ -239,7 +188,6 @@
})); }));
nixosModules = { nixosModules = {
bluemap = ./modules/bluemap.nix;
snakeoil-certs = ./modules/snakeoil-certs.nix; snakeoil-certs = ./modules/snakeoil-certs.nix;
snappymail = ./modules/snappymail.nix; snappymail = ./modules/snappymail.nix;
robots-txt = ./modules/robots-txt.nix; robots-txt = ./modules/robots-txt.nix;
@@ -272,70 +220,15 @@
simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { }; simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
bluemap = pkgs.callPackage ./packages/bluemap.nix { };
out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { }; out-of-your-element = pkgs.callPackage ./packages/out-of-your-element.nix { };
} } //
//
# Mediawiki extensions
(lib.pipe null [ (lib.pipe null [
(_: pkgs.callPackage ./packages/mediawiki-extensions { }) (_: pkgs.callPackage ./packages/mediawiki-extensions { })
(lib.flip builtins.removeAttrs ["override" "overrideDerivation"]) (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
(lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}")) (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
]) ])
// // lib.genAttrs allMachines
# Machines (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
lib.genAttrs allMachines
(machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
//
# Skrott is exception
{
skrott = self.nixosConfigurations.skrott.config.system.build.sdImage;
}
//
# Nix-topology
(let
topology' = import inputs.nix-topology {
pkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [
inputs.nix-topology.overlays.default
(final: prev: {
inherit (nixpkgs-unstable.legacyPackages.x86_64-linux) super-tiny-icons;
})
];
};
specialArgs = {
values = import ./values.nix;
};
modules = [
./topology
{
nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
modules = [
inputs.nix-topology.nixosModules.default
./topology/service-extractors/greg-ng.nix
./topology/service-extractors/postgresql.nix
./topology/service-extractors/mysql.nix
./topology/service-extractors/gitea-runners.nix
];
}) self.nixosConfigurations;
}
];
};
in {
topology = topology'.config.output;
topology-png = pkgs.runCommand "pvv-config-topology-png" {
nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
} ''
mkdir -p "$out"
for file in '${topology'.config.output}'/*.svg; do
${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
done
'';
});
}; };
}; };
} }

25
hosts/bakke/configuration.nix
View File

@@ -1,25 +0,0 @@
{ config, pkgs, values, ... }:
{
imports = [
./hardware-configuration.nix
../../base
./filesystems.nix
];
sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "bakke";
networking.hostId = "99609ffc";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
system.stateVersion = "24.05";
}

83
hosts/bakke/disks.nix
View File

@@ -1,83 +0,0 @@
{
# https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
# Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
disko.devices = {
disk = {
one = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
two = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
content = {
type = "gpt";
partitions = {
ESP = {
size = "500M";
type = "EF00";
content = {
type = "mdraid";
name = "boot";
};
};
mdadm = {
size = "100%";
content = {
type = "mdraid";
name = "raid1";
};
};
};
};
};
};
mdadm = {
boot = {
type = "mdadm";
level = 1;
metadata = "1.0";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
raid1 = {
type = "mdadm";
level = 1;
content = {
type = "gpt";
partitions.primary = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
}

26
hosts/bakke/filesystems.nix
View File

@@ -1,26 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Boot drives:
boot.swraid.enable = true;
# ZFS Data pool:
environment.systemPackages = with pkgs; [ zfs ];
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
# NFS Exports:
#TODO
# NFS Import mounts:
#TODO
}

52
hosts/bakke/hardware-configuration.nix
View File

@@ -1,52 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
fsType = "btrfs";
options = [ "subvol=nix" "noatime" ];
};
fileSystems."/boot" =
{ device = "/dev/sdc2";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

7
hosts/bekkalokk/configuration.nix
View File

@@ -4,11 +4,11 @@
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
(fp /misc/metrics-exporters.nix)
./services/alps.nix ./services/bluemap/default.nix
./services/bluemap.nix
./services/idp-simplesamlphp ./services/idp-simplesamlphp
./services/kerberos.nix ./services/kerberos
./services/mediawiki ./services/mediawiki
./services/nginx.nix ./services/nginx.nix
./services/phpfpm.nix ./services/phpfpm.nix
@@ -16,7 +16,6 @@
./services/webmail ./services/webmail
./services/website ./services/website
./services/well-known ./services/well-known
./services/qotd
]; ];
sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml; sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;

22
hosts/bekkalokk/services/alps.nix
View File

@@ -1,22 +0,0 @@
{ config, lib, ... }:
let
cfg = config.services.alps;
in
{
services.alps = {
enable = true;
theme = "sourcehut";
smtps.host = "smtp.pvv.ntnu.no";
imaps.host = "imap.pvv.ntnu.no";
bindIP = "127.0.0.1";
};
services.nginx.virtualHosts."alps.pvv.ntnu.no" = lib.mkIf cfg.enable {
enableACME = true;
forceSSL = true;
kTLS = true;
locations."/" = {
proxyPass = "http://${cfg.bindIP}:${toString cfg.port}";
};
};
}

98
hosts/bekkalokk/services/bluemap.nix → hosts/bekkalokk/services/bluemap/default.nix
View File

@@ -3,7 +3,10 @@ let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world"; vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
format = pkgs.formats.hocon { }; format = pkgs.formats.hocon { };
in { in {
# NOTE: our versino of the module gets added in flake.nix imports = [
./module.nix # From danio, pending upstreaming
];
disabledModules = [ "services/web-apps/bluemap.nix" ]; disabledModules = [ "services/web-apps/bluemap.nix" ];
sops.secrets."bluemap/ssh-key" = { }; sops.secrets."bluemap/ssh-key" = { };
@@ -11,6 +14,7 @@ in {
services.bluemap = { services.bluemap = {
enable = true; enable = true;
package = pkgs.callPackage ./package.nix { };
eula = true; eula = true;
onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
@@ -21,101 +25,71 @@ in {
inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export; inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
in { in {
"verden" = { "verden" = {
extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
settings = { settings = {
world = vanillaSurvival; world = vanillaSurvival;
dimension = "minecraft:overworld";
name = "Verden";
sorting = 0; sorting = 0;
start-pos = {
x = 0;
z = 0;
};
ambient-light = 0.1; ambient-light = 0.1;
cave-detection-ocean-floor = -5; cave-detection-ocean-floor = -5;
marker-sets = {
_includes = [ (format.lib.mkInclude "${bluemap-export}/overworld.hocon") ];
};
}; };
}; };
"underverden" = { "underverden" = {
extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
settings = { settings = {
world = vanillaSurvival; world = "${vanillaSurvival}/DIM-1";
dimension = "minecraft:the_nether";
name = "Underverden";
sorting = 100; sorting = 100;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#290000"; sky-color = "#290000";
void-color = "#150000"; void-color = "#150000";
sky-light = 1;
ambient-light = 0.6; ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000; remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5; cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true; cave-detection-uses-block-light = true;
render-mask = [{ max-y = 90;
max-y = 90; marker-sets = {
}]; _includes = [ (format.lib.mkInclude "${bluemap-export}/nether.hocon") ];
};
}; };
}; };
"enden" = { "enden" = {
extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
settings = { settings = {
world = vanillaSurvival; world = "${vanillaSurvival}/DIM1";
dimension = "minecraft:the_end";
name = "Enden";
sorting = 200; sorting = 200;
start-pos = {
x = 0;
z = 0;
};
sky-color = "#080010"; sky-color = "#080010";
void-color = "#080010"; void-color = "#080010";
sky-light = 1;
ambient-light = 0.6; ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000; remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5; cave-detection-ocean-floor = -5;
marker-sets = {
_includes = [ (format.lib.mkInclude "${bluemap-export}/the-end.hocon") ];
};
}; };
}; };
}; };
}; };
systemd.services."render-bluemap-maps" = {
serviceConfig = {
StateDirectory = [ "bluemap/world" ];
ExecStartPre = let
rsyncArgs = lib.cli.toCommandLineShellGNU { } {
archive = true;
compress = true;
verbose = true;
no-owner = true;
no-group = true;
rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
};
in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = { services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
kTLS = true;
http3 = true;
quic = true;
http3_hq = true;
extraConfig = ''
# Enabling QUIC 0-RTT
ssl_early_data on;
quic_gso on;
quic_retry on;
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
'';
}; };
networking.firewall.allowedUDPPorts = [ 443 ]; # TODO: render somewhere else lmao
systemd.services."render-bluemap-maps" = {
preStart = ''
mkdir -p /var/lib/bluemap/world
${pkgs.rsync}/bin/rsync \
-e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
-avz --no-owner --no-group \
root@innovation.pvv.ntnu.no:/ \
${vanillaSurvival}
'';
serviceConfig = {
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
];
};
};
} }

165
modules/bluemap.nix → hosts/bekkalokk/services/bluemap/module.nix
View File

@@ -13,32 +13,11 @@ let
(format.generate "${name}.conf" value)) (format.generate "${name}.conf" value))
cfg.storage); cfg.storage);
generateMapConfigWithMarkerData = name: { extraHoconMarkersFile, settings, ... }: mapsFolder = pkgs.linkFarm "maps"
assert (extraHoconMarkersFile == null) != ((settings.marker-sets or { }) == { }); (lib.attrsets.mapAttrs' (name: value:
lib.pipe settings ( lib.nameValuePair "${name}.conf"
(lib.optionals (extraHoconMarkersFile != null) [ (format.generate "${name}.conf" value.settings))
(settings: lib.recursiveUpdate settings { cfg.maps);
marker-placeholder = "###ASDF###";
})
]) ++ [
(format.generate "${name}.conf")
] ++ (lib.optionals (extraHoconMarkersFile != null) [
(hoconFile: pkgs.runCommand "${name}-patched.conf" { } ''
mkdir -p "$(dirname "$out")"
cp '${hoconFile}' "$out"
substituteInPlace "$out" \
--replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')"
'')
])
);
mapsFolder = lib.pipe cfg.maps [
(lib.attrsets.mapAttrs' (name: value: {
name = "${name}.conf";
value = generateMapConfigWithMarkerData name value;
}))
(pkgs.linkFarm "maps")
];
webappConfigFolder = pkgs.linkFarm "bluemap-config" { webappConfigFolder = pkgs.linkFarm "bluemap-config" {
"maps" = mapsFolder; "maps" = mapsFolder;
@@ -46,18 +25,18 @@ let
"core.conf" = coreConfig; "core.conf" = coreConfig;
"webapp.conf" = webappConfig; "webapp.conf" = webappConfig;
"webserver.conf" = webserverConfig; "webserver.conf" = webserverConfig;
"packs" = cfg.packs; "packs" = cfg.resourcepacks;
}; };
renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" { renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
"maps" = pkgs.linkFarm "maps" { "maps" = pkgs.linkFarm "maps" {
"${name}.conf" = generateMapConfigWithMarkerData name value; "${name}.conf" = (format.generate "${name}.conf" value.settings);
}; };
"storages" = storageFolder; "storages" = storageFolder;
"core.conf" = coreConfig; "core.conf" = coreConfig;
"webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; }); "webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
"webserver.conf" = webserverConfig; "webserver.conf" = webserverConfig;
"packs" = value.packs; "packs" = value.resourcepacks;
}; };
inherit (lib) mkOption; inherit (lib) mkOption;
@@ -131,7 +110,7 @@ in {
metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use"; metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
}; };
}; };
description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/core.conf)."; description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
}; };
webappSettings = mkOption { webappSettings = mkOption {
@@ -148,7 +127,7 @@ in {
webroot = config.services.bluemap.webRoot; webroot = config.services.bluemap.webRoot;
} }
''; '';
description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/webapp.conf)."; description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
}; };
webserverSettings = mkOption { webserverSettings = mkOption {
@@ -168,31 +147,19 @@ in {
default = { }; default = { };
description = '' description = ''
Settings for the webserver.conf file, usually not required. Settings for the webserver.conf file, usually not required.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/webserver.conf). [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
''; '';
}; };
maps = mkOption { maps = mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: { type = lib.types.attrsOf (lib.types.submodule {
options = { options = {
packs = mkOption { resourcepacks = mkOption {
type = lib.types.path; type = lib.types.path;
default = cfg.packs; default = cfg.resourcepacks;
defaultText = lib.literalExpression "config.services.bluemap.packs"; defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order."; description = "A set of resourcepacks/mods/bluemap-addons to extract models from loaded in alphabetical order";
}; };
extraHoconMarkersFile = mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
Path to a hocon file containing marker data.
The content of this file will be injected into the map config file in a separate derivation.
DO NOT SEND THIS TO NIXPKGS, IT'S AN UGLY HACK.
'';
};
settings = mkOption { settings = mkOption {
type = (lib.types.submodule { type = (lib.types.submodule {
freeformType = format.type; freeformType = format.type;
@@ -201,74 +168,43 @@ in {
type = lib.types.path; type = lib.types.path;
description = "Path to world folder containing the dimension to render"; description = "Path to world folder containing the dimension to render";
}; };
name = mkOption {
type = lib.types.str;
description = "The display name of this map (how this map will be named on the webapp)";
default = name;
defaultText = lib.literalExpression "<name>";
};
render-mask = mkOption {
type = with lib.types; listOf (attrsOf format.type);
description = "Limits for the map render";
default = [ ];
example = [
{
min-x = -4000;
max-x = 4000;
min-z = -4000;
max-z = 4000;
min-y = 50;
max-y = 100;
}
{
subtract = true;
min-y = 90;
max-y = 127;
}
];
};
}; };
}); });
description = '' description = ''
Settings for files in `maps/`. Settings for files in `maps/`.
See the default for an example with good options for the different world types. See the default for an example with good options for the different world types.
For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf). For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
''; '';
}; };
}; };
})); });
default = { default = {
"overworld".settings = { "overworld".settings = {
world = cfg.defaultWorld; world = "${cfg.defaultWorld}";
dimension = "minecraft:overworld";
name = "Overworld";
ambient-light = 0.1; ambient-light = 0.1;
cave-detection-ocean-floor = -5; cave-detection-ocean-floor = -5;
}; };
"nether".settings = { "nether".settings = {
world = cfg.defaultWorld; world = "${cfg.defaultWorld}/DIM-1";
dimension = "minecraft:the_nether";
name = "Nether";
sorting = 100; sorting = 100;
sky-color = "#290000"; sky-color = "#290000";
void-color = "#150000"; void-color = "#150000";
sky-light = 1;
ambient-light = 0.6; ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000; remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5; cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true; cave-detection-uses-block-light = true;
max-y = 90;
}; };
"end".settings = { "end".settings = {
world = cfg.defaultWorld; world = "${cfg.defaultWorld}/DIM1";
dimension = "minecraft:the_end";
name = "The End";
sorting = 200; sorting = 200;
sky-color = "#080010"; sky-color = "#080010";
void-color = "#080010"; void-color = "#080010";
sky-light = 1;
ambient-light = 0.6; ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000; remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5; cave-detection-ocean-floor = -5;
}; };
@@ -276,36 +212,31 @@ in {
defaultText = lib.literalExpression '' defaultText = lib.literalExpression ''
{ {
"overworld".settings = { "overworld".settings = {
world = cfg.defaultWorld; world = "''${cfg.defaultWorld}";
name = "Overworld";
dimension = "minecraft:overworld";
ambient-light = 0.1; ambient-light = 0.1;
cave-detection-ocean-floor = -5; cave-detection-ocean-floor = -5;
}; };
"nether".settings = { "nether".settings = {
world = cfg.defaultWorld; world = "''${cfg.defaultWorld}/DIM-1";
dimension = "minecraft:the_nether";
name = "Nether";
sorting = 100; sorting = 100;
sky-color = "#290000"; sky-color = "#290000";
void-color = "#150000"; void-color = "#150000";
sky-light = 1;
ambient-light = 0.6; ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000; remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5; cave-detection-ocean-floor = -5;
cave-detection-uses-block-light = true; cave-detection-uses-block-light = true;
max-y = 90;
}; };
"end".settings = { "end".settings = {
world = cfg.defaultWorld; world = "''${cfg.defaultWorld}/DIM1";
name = "The End";
dimension = "minecraft:the_end";
sorting = 200; sorting = 200;
sky-color = "#080010"; sky-color = "#080010";
void-color = "#080010"; void-color = "#080010";
sky-light = 1;
ambient-light = 0.6; ambient-light = 0.6;
world-sky-light = 0;
remove-caves-below-y = -10000; remove-caves-below-y = -10000;
cave-detection-ocean-floor = -5; cave-detection-ocean-floor = -5;
}; };
@@ -333,7 +264,7 @@ in {
description = '' description = ''
Where the rendered map will be stored. Where the rendered map will be stored.
Unless you are doing something advanced you should probably leave this alone and configure webRoot instead. Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
[See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/common/src/main/resources/de/bluecolored/bluemap/config/storages) [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
''; '';
default = { default = {
"file" = { "file" = {
@@ -349,12 +280,12 @@ in {
''; '';
}; };
packs = mkOption { resourcepacks = mkOption {
type = lib.types.path; type = lib.types.path;
default = pkgs.linkFarm "packs" { }; default = pkgs.linkFarm "resourcepacks" { };
description = '' description = ''
A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order. A set of resourcepacks/mods to extract models from loaded in alphabetical order.
Can be overriden on a per-map basis with `services.bluemap.maps.<name>.packs`. Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
''; '';
}; };
}; };
@@ -375,23 +306,21 @@ in {
systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender { systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
CPUSchedulingPolicy = "batch";
Group = "nginx"; Group = "nginx";
UMask = "026"; UMask = "026";
ExecStart = [
# If web folder doesnt exist generate it
''|test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs''
]
++
# Render each minecraft map
lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
cfg.maps
++ [
# Generate updated webapp
"${lib.getExe cfg.package} -c ${webappConfigFolder} -gs"
];
}; };
script = ''
# If web folder doesnt exist generate it
test -f "${cfg.webRoot}" || ${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
# Render each minecraft map
${lib.strings.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
cfg.maps)}
# Generate updated webapp
${lib.getExe cfg.package} -c ${webappConfigFolder} -gs
'';
}; };
systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender { systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {

30
hosts/bekkalokk/services/bluemap/package.nix Normal file
View File

@@ -0,0 +1,30 @@
{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
version = "5.7";
src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-8udZYJgrr4bi2mjRYrASd8JwUoUVZW1tZpOLRgafAIw=";
};
dontUnpack = true;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
runHook postInstall
'';
meta = {
description = "3D minecraft map renderer";
homepage = "https://bluemap.bluecolored.de/";
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ dandellion h7x4 ];
mainProgram = "bluemap";
};
}

0
hosts/bekkalokk/services/kerberos.nix → hosts/bekkalokk/services/kerberos/default.nix
View File

88
hosts/bekkalokk/services/kerberos/krb5-conf-format.nix Normal file
View File

@@ -0,0 +1,88 @@
{ pkgs, lib, ... }:
# Based on
# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
let
inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
str submodule;
in
{ }: {
type = let
section = attrsOf relation;
relation = either (attrsOf value) value;
value = either (listOf atom) atom;
atom = oneOf [int str bool];
in submodule {
freeformType = attrsOf section;
options = {
include = mkOption {
default = [ ];
description = mdDoc ''
Files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
includedir = mkOption {
default = [ ];
description = mdDoc ''
Directories containing files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
module = mkOption {
default = [ ];
description = mdDoc ''
Modules to obtain Kerberos configuration from.
'';
type = coercedTo path singleton (listOf path);
};
};
};
generate = let
indent = str: concatMapStringsSep "\n" (line: " " + line) (splitString "\n" str);
formatToplevel = args @ {
include ? [ ],
includedir ? [ ],
module ? [ ],
...
}: let
sections = removeAttrs args [ "include" "includedir" "module" ];
in concatStringsSep "\n" (filter (x: x != "") [
(concatStringsSep "\n" (mapAttrsToList formatSection sections))
(concatMapStringsSep "\n" (m: "module ${m}") module)
(concatMapStringsSep "\n" (i: "include ${i}") include)
(concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
]);
formatSection = name: section: ''
[${name}]
${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
'';
formatRelation = name: relation:
if isAttrs relation
then ''
${name} = {
${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
}''
else formatValue name relation;
formatValue = name: value:
if isList value
then concatMapStringsSep "\n" (formatAtom name) value
else formatAtom name value;
formatAtom = name: atom: let
v = if isBool atom then boolToString atom else toString atom;
in "${name} = ${v}";
in
name: value: pkgs.writeText name ''
${formatToplevel value}
'';
}

90
hosts/bekkalokk/services/kerberos/krb5.nix Normal file
View File

@@ -0,0 +1,90 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
inherit (lib.types) bool;
mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
The option `krb5.${name}' has been removed. Use
`security.krb5.settings.${name}' for structured configuration.
'';
cfg = config.security.krb5;
format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
in {
imports = [
(mkRemovedOptionModuleCfg "libdefaults")
(mkRemovedOptionModuleCfg "realms")
(mkRemovedOptionModuleCfg "domain_realm")
(mkRemovedOptionModuleCfg "capaths")
(mkRemovedOptionModuleCfg "appdefaults")
(mkRemovedOptionModuleCfg "plugins")
(mkRemovedOptionModuleCfg "config")
(mkRemovedOptionModuleCfg "extraConfig")
(mkRemovedOptionModule' "kerberos" ''
The option `krb5.kerberos' has been moved to `security.krb5.package'.
'')
];
options = {
security.krb5 = {
enable = mkOption {
default = false;
description = mdDoc "Enable and configure Kerberos utilities";
type = bool;
};
package = mkPackageOption pkgs "krb5" {
example = "heimdal";
};
settings = mkOption {
default = { };
type = format.type;
description = mdDoc ''
Structured contents of the {file}`krb5.conf` file. See
{manpage}`krb5.conf(5)` for details about configuration.
'';
example = {
include = [ "/run/secrets/secret-krb5.conf" ];
includedir = [ "/run/secrets/secret-krb5.conf.d" ];
libdefaults = {
default_realm = "ATHENA.MIT.EDU";
};
realms = {
"ATHENA.MIT.EDU" = {
admin_server = "athena.mit.edu";
kdc = [
"athena01.mit.edu"
"athena02.mit.edu"
];
};
};
domain_realm = {
"mit.edu" = "ATHENA.MIT.EDU";
};
logging = {
kdc = "SYSLOG:NOTICE";
admin_server = "SYSLOG:NOTICE";
default = "SYSLOG:NOTICE";
};
};
};
};
};
config = mkIf cfg.enable {
environment = {
systemPackages = [ cfg.package ];
etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
};
};
meta.maintainers = builtins.attrValues {
inherit (lib.maintainers) dblsaiko h7x4;
};
}

1543
hosts/bekkalokk/services/kerberos/pam.nix Normal file
View File

File diff suppressed because it is too large Load Diff

6
hosts/bekkalokk/services/mediawiki/default.nix
View File

@@ -130,12 +130,6 @@ in {
$wgVectorDefaultSidebarVisibleForAnonymousUser = true; $wgVectorDefaultSidebarVisibleForAnonymousUser = true;
$wgVectorResponsive = true; $wgVectorResponsive = true;
# Experimental dark mode support for Vector 2022
$wgVectorNightMode['beta'] = true;
$wgVectorNightMode['logged_out'] = true;
$wgVectorNightMode['logged_in'] = true;
$wgDefaultUserOptions['vector-theme'] = 'os';
# Misc # Misc
$wgEmergencyContact = "${cfg.passwordSender}"; $wgEmergencyContact = "${cfg.passwordSender}";
$wgUseTeX = false; $wgUseTeX = false;

6
hosts/bekkalokk/services/qotd/default.nix
View File

@@ -1,6 +0,0 @@
{
services.qotd = {
enable = true;
quotes = builtins.fromJSON (builtins.readFile ./quotes.json);
};
}

1
hosts/bekkalokk/services/qotd/quotes.json
View File

@@ -1 +0,0 @@
["quote 1", "quote 2"]

50
hosts/bekkalokk/services/website/default.nix
View File

@@ -18,16 +18,11 @@ in {
restartUnits = [ "phpfpm-pvv-nettsiden.service" ]; restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
}); });
security.acme.certs."www.pvv.ntnu.no" = {
extraDomainNames = [
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
];
};
services.idp.sp-remote-metadata = [ services.idp.sp-remote-metadata = [
"https://www.pvv.ntnu.no/simplesaml/" "https://www.pvv.ntnu.no/simplesaml/"
"https://pvv.ntnu.no/simplesaml/"
"https://www.pvv.org/simplesaml/"
"https://pvv.org/simplesaml/"
]; ];
services.pvv-nettsiden = { services.pvv-nettsiden = {
@@ -60,8 +55,10 @@ in {
DOOR_SECRET = includeFromSops "door_secret"; DOOR_SECRET = includeFromSops "door_secret";
DB = { DB = {
DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no"; # DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
USER = "www-data_nettsi"; # USER = "www-data_nettsi";
DSN = "pgsql:dbname=pvv_nettsiden;host=postgres.pvv.ntnu.no";
USER = "pvv_nettsiden";
PASS = includeFromSops "mysql_password"; PASS = includeFromSops "mysql_password";
}; };
@@ -74,39 +71,28 @@ in {
ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password"; ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
TRUSTED_DOMAINS = [ TRUSTED_DOMAINS = [
"www.pvv.ntnu.no" "www.pvv.ntnu.no"
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
]; ];
}; };
}; };
}; };
services.phpfpm.pools."pvv-nettsiden".settings = { services.phpfpm.pools."pvv-nettsiden".settings = {
# "php_admin_value[error_log]" = "stderr"; "php_flag[display_errors]" = true;
"php_admin_value[error_log]" = "syslog";
"php_admin_flag[log_errors]" = true; "php_admin_flag[log_errors]" = true;
"catch_workers_output" = true; "catch_workers_output" = true;
}; };
services.nginx.virtualHosts."pvv.ntnu.no" = {
globalRedirect = cfg.domainName;
redirectCode = 307;
forceSSL = true;
useACMEHost = "www.pvv.ntnu.no";
};
services.nginx.virtualHosts."www.pvv.org" = {
globalRedirect = cfg.domainName;
redirectCode = 307;
forceSSL = true;
useACMEHost = "www.pvv.ntnu.no";
};
services.nginx.virtualHosts."pvv.org" = {
globalRedirect = cfg.domainName;
redirectCode = 307;
forceSSL = true;
useACMEHost = "www.pvv.ntnu.no";
};
services.nginx.virtualHosts.${cfg.domainName} = { services.nginx.virtualHosts.${cfg.domainName} = {
serverAliases = [
"pvv.ntnu.no"
"www.pvv.org"
"pvv.org"
];
locations = { locations = {
# Proxy home directories # Proxy home directories
"^~ /~" = { "^~ /~" = {

3
hosts/bicep/configuration.nix
View File

@@ -4,11 +4,12 @@
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
(fp /misc/metrics-exporters.nix)
./services/nginx ./services/nginx
./services/calendar-bot.nix ./services/calendar-bot.nix
#./services/git-mirrors #./services/git-mirrors
./services/minecraft-heatmap.nix #./services/minecraft-heatmap.nix
./services/mysql.nix ./services/mysql.nix
./services/postgres.nix ./services/postgres.nix

1
hosts/bicep/services/git-mirrors/default.nix
View File

@@ -66,7 +66,6 @@ in
package = pkgs.callPackage (fp /packages/cgit.nix) { }; package = pkgs.callPackage (fp /packages/cgit.nix) { };
group = "gickup"; group = "gickup";
scanPath = "${cfg.dataDir}/linktree"; scanPath = "${cfg.dataDir}/linktree";
gitHttpBackend.checkExportOkFiles = false;
settings = { settings = {
enable-commit-graph = true; enable-commit-graph = true;
enable-follow-links = true; enable-follow-links = true;

4
hosts/bicep/services/matrix/coturn.nix
View File

@@ -6,14 +6,12 @@
key = "synapse/turnconfig"; key = "synapse/turnconfig";
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group; group = config.users.users.matrix-synapse.group;
restartUnits = [ "coturn.service" ];
}; };
sops.secrets."matrix/coturn/static-auth-secret" = { sops.secrets."matrix/coturn/static-auth-secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "coturn/static-auth-secret"; key = "coturn/static-auth-secret";
owner = config.users.users.turnserver.name; owner = config.users.users.turnserver.name;
group = config.users.users.turnserver.group; group = config.users.users.turnserver.group;
restartUnits = [ "coturn.service" ];
}; };
services.matrix-synapse-next = { services.matrix-synapse-next = {
@@ -44,7 +42,7 @@
security.acme.certs.${config.services.coturn.realm} = { security.acme.certs.${config.services.coturn.realm} = {
email = "drift@pvv.ntnu.no"; email = "drift@pvv.ntnu.no";
listenHTTP = "${values.services.turn.ipv4}:80"; listenHTTP = "129.241.210.213:80";
reloadServices = [ "coturn.service" ]; reloadServices = [ "coturn.service" ];
}; };

1
hosts/bicep/services/matrix/hookshot/default.nix
View File

@@ -18,7 +18,6 @@ in
sops.templates."hookshot-registration.yaml" = { sops.templates."hookshot-registration.yaml" = {
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
group = config.users.groups.keys-matrix-registrations.name; group = config.users.groups.keys-matrix-registrations.name;
restartUnits = [ "matrix-hookshot.service" ];
content = '' content = ''
id: matrix-hookshot id: matrix-hookshot
as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}" as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"

1
hosts/bicep/services/matrix/mjolnir.nix
View File

@@ -6,7 +6,6 @@
key = "mjolnir/access_token"; key = "mjolnir/access_token";
owner = config.users.users.mjolnir.name; owner = config.users.users.mjolnir.name;
group = config.users.users.mjolnir.group; group = config.users.users.mjolnir.group;
restartUnits = [ "mjolnir.service" ];
}; };
services.mjolnir = { services.mjolnir = {

4
hosts/bicep/services/matrix/out-of-your-element.nix
View File

@@ -9,22 +9,18 @@ in
"matrix/ooye/as_token" = { "matrix/ooye/as_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/as_token"; key = "ooye/as_token";
restartUnits = [ "matrix-ooye.service" ];
}; };
"matrix/ooye/hs_token" = { "matrix/ooye/hs_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/hs_token"; key = "ooye/hs_token";
restartUnits = [ "matrix-ooye.service" ];
}; };
"matrix/ooye/discord_token" = { "matrix/ooye/discord_token" = {
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/discord_token"; key = "ooye/discord_token";
restartUnits = [ "matrix-ooye.service" ];
}; };
"matrix/ooye/discord_client_secret" = { "matrix/ooye/discord_client_secret" = {
sopsFile = fp /secrets/bicep/matrix.yaml; sopsFile = fp /secrets/bicep/matrix.yaml;
key = "ooye/discord_client_secret"; key = "ooye/discord_client_secret";
restartUnits = [ "matrix-ooye.service" ];
}; };
}; };

4
hosts/bicep/services/matrix/synapse.nix
View File

@@ -124,8 +124,8 @@ in {
"fec0::/10" "fec0::/10"
# NTNU # NTNU
values.ntnu.ipv4-space "129.241.0.0/16"
values.ntnu.ipv6-space "2001:700:300::/44"
]; ];
}; };
}; };

2
hosts/bicep/services/mysql.nix
View File

@@ -48,8 +48,6 @@
IPAddressAllow = [ IPAddressAllow = [
values.ipv4-space values.ipv4-space
values.ipv6-space values.ipv6-space
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
]; ];
}; };
} }

47
hosts/bicep/services/postgres.nix
View File

@@ -1,15 +1,15 @@
{ config, pkgs, values, ... }: { config, pkgs, ... }:
{ {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_15; package = pkgs.postgresql_15;
enableTCPIP = true; enableTCPIP = true;
dataDir = "/data/postgresql";
authentication = '' authentication = ''
host all all ${values.ipv4-space} md5 host all all 129.241.210.128/25 md5
host all all ${values.ipv6-space} md5 host all all 2001:700:300:1900::/64 md5
host all all ${values.hosts.ildkule.ipv4}/32 md5
host all all ${values.hosts.ildkule.ipv6}/32 md5
''; '';
# Hilsen https://pgconfigurator.cybertec-postgresql.com/ # Hilsen https://pgconfigurator.cybertec-postgresql.com/
@@ -74,40 +74,11 @@
}; };
}; };
systemd.tmpfiles.settings."10-postgresql"."/data/postgresql".d = { systemd.services.postgresql.serviceConfig = {
user = config.systemd.services.postgresql.serviceConfig.User; LoadCredential = [
group = config.systemd.services.postgresql.serviceConfig.Group; "cert:/etc/certs/postgres.crt"
mode = "0700"; "key:/etc/certs/postgres.key"
};
systemd.services.postgresql-setup = {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
]; ];
serviceConfig = {
LoadCredential = [
"cert:/etc/certs/postgres.crt"
"key:/etc/certs/postgres.key"
];
BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
};
};
systemd.services.postgresql = {
after = [
"systemd-tmpfiles-setup.service"
"systemd-tmpfiles-resetup.service"
];
serviceConfig = {
LoadCredential = [
"cert:/etc/certs/postgres.crt"
"key:/etc/certs/postgres.key"
];
BindPaths = [ "/data/postgresql:/var/lib/postgresql" ];
};
}; };
environment.snakeoil-certs."/etc/certs/postgres" = { environment.snakeoil-certs."/etc/certs/postgres" = {

1
hosts/brzeczyszczykiewicz/configuration.nix
View File

@@ -4,6 +4,7 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
(fp /misc/metrics-exporters.nix)
./services/grzegorz.nix ./services/grzegorz.nix
]; ];

1
hosts/georg/configuration.nix
View File

@@ -4,6 +4,7 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
(fp /misc/metrics-exporters.nix)
(fp /modules/grzegorz.nix) (fp /modules/grzegorz.nix)
]; ];

53
hosts/gluttony/configuration.nix
View File

@@ -1,53 +0,0 @@
{
config,
fp,
pkgs,
lib,
values,
...
}:
{
imports = [
./hardware-configuration.nix
(fp /base)
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
systemd.network.enable = lib.mkForce false;
networking =
let
hostConf = values.hosts.gluttony;
in
{
hostName = "gluttony";
tempAddresses = "disabled";
useDHCP = lib.mkForce true;
search = values.defaultNetworkConfig.domains;
nameservers = values.defaultNetworkConfig.dns;
defaultGateway.address = hostConf.ipv4_internal_gw;
interfaces."ens3" = {
ipv4.addresses = [
{
address = hostConf.ipv4;
prefixLength = 32;
}
{
address = hostConf.ipv4_internal;
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = hostConf.ipv6;
prefixLength = 64;
}
];
};
};
system.stateVersion = "25.11"; # Don't change unless you know what you are doing.
}

45
hosts/gluttony/hardware-configuration.nix
View File

@@ -1,45 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/mapper/pool-root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/D00A-B488";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

2
hosts/ildkule/configuration.nix
View File

@@ -4,10 +4,10 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
(fp /misc/metrics-exporters.nix)
./services/monitoring ./services/monitoring
./services/nginx ./services/nginx
./services/journald-remote.nix
]; ];
sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml; sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;

58
hosts/ildkule/services/journald-remote.nix
View File

@@ -1,58 +0,0 @@
{ config, lib, values, ... }:
let
cfg = config.services.journald.remote;
domainName = "journald.pvv.ntnu.no";
in
{
security.acme.certs.${domainName} = {
webroot = "/var/lib/acme/acme-challenge/";
group = config.services.nginx.group;
};
services.nginx = {
enable = true;
virtualHosts.${domainName} = {
forceSSL = true;
useACMEHost = "${domainName}";
locations."/.well-known/".root = "/var/lib/acme/acme-challenge/";
};
};
services.journald.upload.enable = lib.mkForce false;
services.journald.remote = {
enable = true;
settings.Remote = let
inherit (config.security.acme.certs.${domainName}) directory;
in {
ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
TrustedCertificateFile = "-";
};
};
systemd.sockets."systemd-journal-remote" = {
socketConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.ipv4-space
values.ipv6-space
];
};
};
networking.firewall.allowedTCPPorts = [ cfg.port ];
systemd.services."systemd-journal-remote" = {
socketConfig = {
LoadCredential = let
inherit (config.security.acme.certs.${domainName}) directory;
in [
"key.pem:${directory}/key.pem"
"cert.pem:${directory}/cert.pem"
];
};
};
}

2
hosts/ildkule/services/monitoring/prometheus/mysqld.nix
View File

@@ -10,7 +10,7 @@ in {
inherit (config.sops) placeholder; inherit (config.sops) placeholder;
in '' in ''
[client] [client]
host = mysql.pvv.ntnu.no host = bicep.pvv.ntnu.no
port = 3306 port = 3306
user = prometheus_mysqld_exporter user = prometheus_mysqld_exporter
password = ${placeholder."config/mysqld_exporter_password"} password = ${placeholder."config/mysqld_exporter_password"}

2
hosts/kommode/configuration.nix
View File

@@ -4,6 +4,7 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea ./services/gitea
./services/nginx.nix ./services/nginx.nix
@@ -30,3 +31,4 @@
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }

8
hosts/kommode/services/gitea/customization/default.nix
View File

@@ -24,15 +24,10 @@ in
script = let script = let
logo-svg = fp /assets/logo_blue_regular.svg; logo-svg = fp /assets/logo_blue_regular.svg;
logo-png = fp /assets/logo_blue_regular.png; logo-png = fp /assets/logo_blue_regular.png;
extraLinks = pkgs.writeText "gitea-extra-links.tmpl" '' extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
<a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
'';
extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
<a class="item" href="https://www.pvv.ntnu.no/">PVV</a> <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
<a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a> <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
<a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a> <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
''; '';
project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" { project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
@@ -54,7 +49,6 @@ in
install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
"${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/ "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/

6
hosts/kommode/services/gitea/customization/labels/projects.json
View File

@@ -35,12 +35,6 @@
"color": "#ed1111", "color": "#ed1111",
"description": "Report an oopsie" "description": "Report an oopsie"
}, },
{
"name": "developer experience",
"exclusive": false,
"color": "#eb6420",
"description": "Think about the developers"
},
{ {
"name": "disputed", "name": "disputed",
"exclusive": false, "exclusive": false,

1
hosts/kommode/services/gitea/default.nix
View File

@@ -15,7 +15,6 @@ in {
defaultConfig = { defaultConfig = {
owner = "gitea"; owner = "gitea";
group = "gitea"; group = "gitea";
restartUnits = [ "gitea.service" ];
}; };
in { in {
"gitea/database" = defaultConfig; "gitea/database" = defaultConfig;

25
hosts/kommode/services/gitea/gpg.nix
View File

@@ -4,23 +4,9 @@ let
GNUPGHOME = "${config.users.users.gitea.home}/gnupg"; GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
in in
{ {
sops.secrets = { sops.secrets."gitea/gpg-signing-key" = {
"gitea/gpg-signing-key-public" = { owner = cfg.user;
owner = cfg.user; inherit (cfg) group;
inherit (cfg) group;
restartUnits = [
"gitea.service"
"gitea-ensure-gnupg-homedir.service"
];
};
"gitea/gpg-signing-key-private" = {
owner = cfg.user;
inherit (cfg) group;
restartUnits = [
"gitea.service"
"gitea-ensure-gnupg-homedir.service"
];
};
}; };
systemd.services.gitea.environment = { inherit GNUPGHOME; }; systemd.services.gitea.environment = { inherit GNUPGHOME; };
@@ -32,7 +18,6 @@ in
systemd.services.gitea-ensure-gnupg-homedir = { systemd.services.gitea-ensure-gnupg-homedir = {
description = "Import gpg key for gitea"; description = "Import gpg key for gitea";
before = [ "gitea.service" ];
environment = { inherit GNUPGHOME; }; environment = { inherit GNUPGHOME; };
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@@ -40,8 +25,7 @@ in
PrivateNetwork = true; PrivateNetwork = true;
}; };
script = '' script = ''
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-public".path} ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key".path}
${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-private".path}
''; '';
}; };
@@ -50,6 +34,5 @@ in
SIGNING_NAME = "PVV Git"; SIGNING_NAME = "PVV Git";
SIGNING_EMAIL = "gitea@git.pvv.ntnu.no"; SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
INITIAL_COMMIT = "always"; INITIAL_COMMIT = "always";
WIKI = "always";
}; };
} }

1
hosts/lupine/configuration.nix
View File

@@ -4,6 +4,7 @@
./hardware-configuration/${lupineName}.nix ./hardware-configuration/${lupineName}.nix
(fp /base) (fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea-runner.nix ./services/gitea-runner.nix
]; ];

1
hosts/shark/configuration.nix
View File

@@ -4,6 +4,7 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
(fp /misc/metrics-exporters.nix)
]; ];
sops.defaultSopsFile = fp /secrets/shark/shark.yaml; sops.defaultSopsFile = fp /secrets/shark/shark.yaml;

73
hosts/skrott/configuration.nix
View File

@@ -1,73 +0,0 @@
{ config, pkgs, lib, fp, ... }: {
imports = [
# ./hardware-configuration.nix
(fp /base)
];
boot = {
consoleLogLevel = 0;
enableContainers = false;
loader.grub.enable = false;
kernelPackages = pkgs.linuxPackages;
};
# Now turn off a bunch of stuff lol
system.autoUpgrade.enable = lib.mkForce false;
services.irqbalance.enable = lib.mkForce false;
services.logrotate.enable = lib.mkForce false;
services.nginx.enable = lib.mkForce false;
services.postfix.enable = lib.mkForce false;
# TODO: can we reduce further?
system.stateVersion = "25.05";
sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
sops.secrets = {
"dibbler/postgresql/url" = {
owner = "dibbler";
group = "dibbler";
};
};
# zramSwap.enable = true;
networking = {
hostName = "skrot";
interfaces.eth0 = {
useDHCP = false;
ipv4.addresses = [{
address = "129.241.210.235";
prefixLength = 25;
}];
};
};
services.dibbler = {
enable = true;
kioskMode = true;
limitScreenWidth = 80;
limitScreenHeight = 42;
settings = {
general.quit_allowed = false;
database.url = config.sops.secrets."dibbler/postgresql/url".path;
};
};
# https://github.com/NixOS/nixpkgs/issues/84105
boot.kernelParams = [
"console=ttyUSB0,9600"
# "console=tty1" # Already part of the module
];
systemd.services."serial-getty@ttyUSB0" = {
enable = true;
wantedBy = [ "getty.target" ]; # to start at boot
serviceConfig.Restart = "always"; # restart when session is closed
};
}

39
hosts/temmie/configuration.nix
View File

@@ -1,39 +0,0 @@
{ config, fp, pkgs, values, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
(fp /base)
./services/nfs-mounts.nix
];
# sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
# sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# sops.age.keyFile = "/var/lib/sops-nix/key.txt";
# sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "temmie"; # Define your hostname.
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "25.11"; # Did you read the comment?
}

30
hosts/temmie/hardware-configuration.nix
View File

@@ -1,30 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/c3aed415-0054-4ac5-8d29-75a99cc26451";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A367-83FD";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

21
hosts/temmie/services/nfs-mounts.nix
View File

@@ -1,21 +0,0 @@
{ pkgs, lib, ... }:
{
fileSystems = let
# See microbel:/etc/exports
shorthandAreas = lib.listToAttrs (map
(l: lib.nameValuePair "/run/pvv-home-mounts/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
[ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ]);
in { }
//
(lib.mapAttrs (_: device: {
inherit device;
fsType = "nfs";
options = [
"nfsvers=3"
"noauto"
"proto=tcp"
"x-systemd.automount"
"x-systemd.idle-timeout=300"
];
}) shorthandAreas);
}

1
hosts/ustetind/configuration.nix
View File

@@ -3,6 +3,7 @@
{ {
imports = [ imports = [
(fp /base) (fp /base)
(fp /misc/metrics-exporters.nix)
./services/gitea-runners.nix ./services/gitea-runners.nix
]; ];

11
hosts/wenche/configuration.nix
View File

@@ -4,16 +4,11 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
(fp /base) (fp /base)
(fp /misc/metrics-exporters.nix)
(fp /misc/builder.nix)
]; ];
nix.settings.trusted-users = [ "@nix-builder-users" ];
nix.daemonCPUSchedPolicy = "batch";
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"armv7l-linux"
];
sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml; sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";

11
misc/builder.nix Normal file
View File

@@ -0,0 +1,11 @@
{ ... }:
{
nix.settings.trusted-users = [ "@nix-builder-users" ];
nix.daemonCPUSchedPolicy = "batch";
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"armv7l-linux"
];
}

80
misc/metrics-exporters.nix Normal file
View File

@@ -0,0 +1,80 @@
{ config, pkgs, values, ... }:
{
services.prometheus.exporters.node = {
enable = true;
port = 9100;
enabledCollectors = [ "systemd" ];
};
systemd.services.prometheus-node-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
services.prometheus.exporters.systemd = {
enable = true;
port = 9101;
extraFlags = [
"--systemd.collector.enable-restart-count"
"--systemd.collector.enable-ip-accounting"
];
};
systemd.services.prometheus-systemd-exporter.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
"127.0.0.1"
"::1"
values.hosts.ildkule.ipv4
values.hosts.ildkule.ipv6
];
};
networking.firewall.allowedTCPPorts = [ 9100 9101 ];
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 28183;
grpc_listen_port = 0;
};
clients = [
{
url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "systemd-journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}
];
};
};
}

86
misc/rust-motd.nix Normal file
View File

@@ -0,0 +1,86 @@
{ pkgs, lib, config, ... }:
{
environment = {
systemPackages = with pkgs; [
rust-motd
toilet
];
loginShellInit = let
motd = "${pkgs.rust-motd}/bin/rust-motd /etc/${config.environment.etc.rustMotdConfig.target}";
in ''
# Assure stdout is a terminal, so headless programs won't be broken
if [ "x''${SSH_TTY}" != "x" ]; then
${motd}
fi
'';
etc.rustMotdConfig = {
target = "rust-motd-config.toml";
source = let
cfg = {
global = {
progress_full_character = "=";
progress_empty_character = "=";
progress_prefix = "[";
progress_suffix = "]";
time_format = "%Y-%m-%d %H:%M:%S";
};
banner = {
color = "red";
command = "hostname | ${pkgs.toilet}/bin/toilet -f mono9";
};
service_status = {
Accounts = "accounts-daemon";
Cron = "cron";
Docker = "docker";
Matrix = "matrix-synapse";
sshd = "sshd";
};
uptime = {
prefix = "Uptime: ";
};
# Not relevant for server
# user_service_status = {
# Gpg-agent = "gpg-agent";
# };
filesystems = let
inherit (lib.attrsets) attrNames listToAttrs nameValuePair;
inherit (lib.lists) imap1;
inherit (config) fileSystems;
imap1Attrs' = f: set:
listToAttrs (imap1 (i: attr: f i attr set.${attr}) (attrNames set));
getName = i: v: if (v.label != null) then v.label else "<? ${toString i}>";
in
imap1Attrs' (i: n: v: nameValuePair (getName i v) n) fileSystems;
memory = {
swap_pos = "beside"; # or "below" or "none"
};
last_login = let
inherit (lib.lists) imap1;
inherit (lib.attrsets) filterAttrs nameValuePair attrValues listToAttrs;
inherit (config.users) users;
normalUsers = filterAttrs (n: v: v.isNormalUser || n == "root") users;
userNPVs = imap1 (index: user: nameValuePair user.name index) (attrValues normalUsers);
in listToAttrs userNPVs;
last_run = {};
};
toml = pkgs.formats.toml {};
in toml.generate "rust-motd.toml" cfg;
};
};
}

2
modules/gickup/update-linktree.nix
View File

@@ -16,8 +16,6 @@ in
# TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service) # TODO: update symlink for one repo at a time (e.g. gickup-linktree@<instance>.service)
systemd.services."gickup-linktree" = { systemd.services."gickup-linktree" = {
after = map ({ slug, ... }: "gickup@${slug}.service") (lib.attrValues cfg.instances);
wantedBy = [ "gickup.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStart = let ExecStart = let

26
modules/grzegorz.nix
View File

@@ -1,4 +1,4 @@
{config, lib, pkgs, unstablePkgs, values, ...}: { config, lib, pkgs, unstablePkgs, ... }:
let let
grg = config.services.greg-ng; grg = config.services.greg-ng;
grgw = config.services.grzegorz-webui; grgw = config.services.grzegorz-webui;
@@ -44,12 +44,8 @@ in {
"${machine}.pvv.org" "${machine}.pvv.org"
]; ];
extraConfig = '' extraConfig = ''
# pvv allow 129.241.210.128/25;
allow ${values.ipv4-space}; allow 2001:700:300:1900::/64;
allow ${values.ipv6-space};
# ntnu
allow ${values.ntnu.ipv4-space};
allow ${values.ntnu.ipv6-space};
deny all; deny all;
''; '';
@@ -71,12 +67,8 @@ in {
"${machine}-backend.pvv.org" "${machine}-backend.pvv.org"
]; ];
extraConfig = '' extraConfig = ''
# pvv allow 129.241.210.128/25;
allow ${values.ipv4-space}; allow 2001:700:300:1900::/64;
allow ${values.ipv6-space};
# ntnu
allow ${values.ntnu.ipv4-space};
allow ${values.ntnu.ipv6-space};
deny all; deny all;
''; '';
@@ -94,12 +86,8 @@ in {
"${machine}-old.pvv.org" "${machine}-old.pvv.org"
]; ];
extraConfig = '' extraConfig = ''
# pvv allow 129.241.210.128/25;
allow ${values.ipv4-space}; allow 2001:700:300:1900::/64;
allow ${values.ipv6-space};
# ntnu
allow ${values.ntnu.ipv4-space};
allow ${values.ntnu.ipv6-space};
deny all; deny all;
''; '';

4
packages/bluemap.nix
View File

@@ -2,11 +2,11 @@
stdenvNoCC.mkDerivation rec { stdenvNoCC.mkDerivation rec {
pname = "bluemap"; pname = "bluemap";
version = "5.15"; version = "5.2";
src = fetchurl { src = fetchurl {
url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar"; url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
hash = "sha256-g50V/4LtHaHNRMTt+PK/ZTf4Tber2D6ZHJvuAXQLaFI="; hash = "sha256-4vld+NBwzBxdwbMtsKuqvO6immkbh4HB//6wdjXaxoU=";
}; };
dontUnpack = true; dontUnpack = true;

28
packages/mediawiki-extensions/default.nix
View File

@@ -33,13 +33,13 @@ in
lib.mergeAttrsList [ lib.mergeAttrsList [
(mw-ext { (mw-ext {
name = "CodeEditor"; name = "CodeEditor";
commit = "6e5b06e8cf2d040c0abb53ac3735f9f3c96a7a4f"; commit = "9f19fe510beb671d6ea3076e2e7cbd1025451924";
hash = "sha256-Jee+Ws9REUohywhbuemixXKaTRc54+cIlyUNDCyYcEM="; hash = "sha256-Bl0evDM4TpsoU5gvZ02UaH5ehFatJcn8YJPbUWRcK9s=";
}) })
(mw-ext { (mw-ext {
name = "CodeMirror"; name = "CodeMirror";
commit = "da9c5d4f03e6425f6f2cf68b75d21311e0f7e77e"; commit = "050d8257c942dfd95b98525c0a61290a89fe8ef4";
hash = "sha256-aL+v9xeqKHGmQVUWVczh54BkReu+fP49PT1NP7eTC6k="; hash = "sha256-3DnY9wlaG9BrnSgt8GMM6fzp3nAAPno49vr2QAz50Ho=";
}) })
(mw-ext { (mw-ext {
name = "DeleteBatch"; name = "DeleteBatch";
@@ -53,13 +53,13 @@ lib.mergeAttrsList [
}) })
(mw-ext { (mw-ext {
name = "Popups"; name = "Popups";
commit = "7ed940a09f83f869cbc0bc20f3ca92f85b534951"; commit = "4c22b8604b0dca04f001d9e2bc13b1ea4f934835";
hash = "sha256-pcDPcu4kSvMHfSOuShrod694TKI9Oo3AEpMP9DXp9oY="; hash = "sha256-mul9m5zPFSBCfBHZJihJrxP55kFMo/YJ18+JLt5X6zA=";
}) })
(mw-ext { (mw-ext {
name = "Scribunto"; name = "Scribunto";
commit = "e755852a8e28a030a21ded2d5dd7270eb933b683"; commit = "4a917ed13212f60c33dbc82d3d18c7f5b8461fdc";
hash = "sha256-zyI5nSE+KuodJOWyV0CQM7G0GfkKEgfoF/czi2/qk98="; hash = "sha256-3qQgXyPb00V9McN8fxgZlU+MeBzQm5ikH/vkXazibY8=";
}) })
(mw-ext { (mw-ext {
name = "SimpleSAMLphp"; name = "SimpleSAMLphp";
@@ -69,8 +69,8 @@ lib.mergeAttrsList [
}) })
(mw-ext { (mw-ext {
name = "TemplateData"; name = "TemplateData";
commit = "fd7cf4d95a70ef564130266f2a6b18f33a2a2ff9"; commit = "1b02875f3e668fa9033849a663c5f5e450581071";
hash = "sha256-5OhDPFhIi55Eh5+ovMP1QTjNBb9Sm/3vyArNCApAgSw="; hash = "sha256-vQ/o7X7puTN1OQzX3bwKsW3IyVbK1IzvQKV9KtV2kRA=";
}) })
(mw-ext { (mw-ext {
name = "TemplateStyles"; name = "TemplateStyles";
@@ -84,12 +84,12 @@ lib.mergeAttrsList [
}) })
(mw-ext { (mw-ext {
name = "VisualEditor"; name = "VisualEditor";
commit = "032364cfdff33818e6ae0dfa251fe3973b0ae4f3"; commit = "3cca60141dec1150d3019bd14bd9865cf120362d";
hash = "sha256-AQDdq9r6rSo8h4u1ERonH14/1i1BgLGdzANEiQ065PU="; hash = "sha256-HwbmRVaQObYoJdABeHn19WBoq8aw+Q6QU8xr9YvDcJU=";
}) })
(mw-ext { (mw-ext {
name = "WikiEditor"; name = "WikiEditor";
commit = "cb9f7e06a9c59b6d3b31c653e5886b7f53583d01"; commit = "d5e6856eeba114fcd1653f3e7ae629989f5ced56";
hash = "sha256-UWi3Ac+LCOLliLkXnS8YL0rD/HguuPH5MseqOm0z7s4="; hash = "sha256-U5ism/ni9uAxiD4wOVE0/8FFUc4zQCPqYmQ1AL5+E7Q=";
}) })
] ]

99
secrets/bakke/bakke.yaml
View File

@@ -1,99 +0,0 @@
hello: ENC[AES256_GCM,data:+GWORSIf9TxmJLw1ytZwPbve2yz5H9ewVE5sOpQzkrRpct6Wes+vTE19Ij8W1g==,iv:C/WhXNBBM/bidC9xynZzk34nYXF3mUjAd4nPXpUlYHs=,tag:OJXSwuI8aNDnHFFTkwyGBQ==,type:str]
example_key: ENC[AES256_GCM,data:ojSsrFYo5YD0YtiqcA==,iv:nvNtG6c0OqnQovzWQLMjcn9vbQ4PPYSv2B43Y8z0h5s=,tag:+h7YUNRA2MTvwGJq1VZW8g==,type:str]
#ENC[AES256_GCM,data:6EvhlBtrl5wqyf6UAGwY8Q==,iv:fzLUjBzyuT17FcP8jlmLrsKW46pu6/lAvAVLHBxje6k=,tag:n+qR1NUqa91uFRIpALKlmw==,type:comment]
example_array:
- ENC[AES256_GCM,data:A38KXABxJzMoKitKpHo=,iv:OlRap3R//9tvKdPLz7uP+lvBa/fD0W8xFzdxIKKFi4E=,tag:QKizPN1fYOv5zZlMVgTIOQ==,type:str]
- ENC[AES256_GCM,data:8X2iVkHQtQMReopWdgM=,iv:2Wq3QOadwd3G3ROXNe7JQD4AL/5H/WV19TBEbxijG/8=,tag:tikKT9Wvzm4Vz5aoy6w9WQ==,type:str]
example_number: ENC[AES256_GCM,data:0K05hiSPh2Ok1A==,iv:IVRo61xkKugv4OiPm0vt9ODm5DC1DzJFdlgQJb1TfTg=,tag:o3xXygVEUD4jaGSJr0Nxtw==,type:float]
example_booleans:
- ENC[AES256_GCM,data:zoykmQ==,iv:1JGy1Cg5GdAiod9qPSzW+wsG6rUgUJyYMEE4k576Tlk=,tag:RUCbytPpo78bqlAVEUsbLg==,type:bool]
sops:
age:
- recipient: age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOE50MkkxV1p0UlVUT0dE
WCtLMEk0ZSttY25UMjNHSHB1QzJ4N2l5WnpFCkNpdmlCY1VxWVo0ZStVclZ0amo4
dGhSRWY1SElRZXZzdWo5UDNjUHMzUjAKLS0tIDI3elNXSXJHQU5qb3hCSHYwWnoy
N3BhNmJQZjIrbWlVRytxZ3dFMjBtL1kKn7/DTPfJtdBomSplnBomYhsxJbX7kJQa
1Qsr+bmugWxHFIPhoDwPIBpChQkLvAo8exQpduos18FsXgvMmB0guQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXdnNSSEJoaUQwdTNTMDY4
QUxuLzRIWVNkM25QNTZ5VTBwQlYvT2p3SURzCnJmd2g1YUY0cmdLL3FkQTQ4NURL
YncyY3VROTFUeDc5ZlB1aWdXVGNNdjgKLS0tIEtXeDdRLzl4RXhpS2o5ZUE4YkpI
RjBObVhlWncrRnVidEtGN2N0ZitzNlUK/ooEeWCY5nDgny43q45wvl/e6qq/X4B/
7Q/DPj13BcrWRgoCYeHlq6VlIerz5ERNgxyR/qKuVSGAVroSVY6spA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRy9CaHY1WEEzOXdUSjd2
aFlGU3NGcW5MeHg3U2d0UEk0SXJIcmg4RVFzCkpwODhBWld6T1VNS2haSkpxL0hn
b0VRWVNFcTE5c0t3VkFZQ1R1d2dnbmMKLS0tIDdNMHBrU0RRSmlBZUJobXQxZUt2
MzZSYlM5bjYzUlRYNXkzNzZlWmx3L0UKkH6WOXHFRRbCprSjxcONSVUN/9NEQvtS
Jg+dJSMviq6GvUfUNmNvPJHfyy+CYT6a2Zd+4NdYCetRLsRJPc6p3A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUckpiMzYrU1NnNFJ4MGps
OEt0c0o3Ty9QejhEM29wZFMrNTNyMHlHWlRBCnBHUUdvcmxoL0FqVEtBSHlma25P
c2tITUtZTGVzOGdidC84OUYvRlpxSjAKLS0tIFNMVmdiWmJNZUdLS1g3T3ZINUh6
Mjg5RHdKYnV3Z2V0L3E3ZlA2WDB0WlkKJr4Vg6rnKqGpL6N143QYfLqS4lQIED/J
SYQds8mCiyCNGvV6ON4k096jXcuMAZ1w+0bA16AHlTXnqgIgfaHpKA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL1QvSUlWUTN4OTBKOURa
VkVVb29McWgxa3gwb2lkVTdSZmUrVVZpSERjCm9oTTFRckg3SUM1a0tJRVlaU3RL
dUtsU0FpY1JyNkx6K1U1MWcrSjNYbUUKLS0tICtvTjJVdG1PSXF4TVltZ204SnVu
VE9aT3l2dGgxMWNHUXQ0bDN2RjVOek0KwOa/vczHZa+SRr8j6KvkfZZ0kajxXOq0
5AoDz2Mtcs+qBctTuogdLCZoL2ZpRVV7v1dGI+Fm1cVLoutV19IvTQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVFp0ZlRhU29DNUhMSmRy
Y3VVV2pmajJmaU9qN0tHR1E3ekFMS3o0K2pRClIwek5GYzNNZEliK2ZTT1NVZklQ
YWpqY3poN0E1ZTVOTVRhL3FQSVZmZW8KLS0tIHpuWktoa1EwcXc1bEJJYk5VbEw3
blE2VXBuTDdlbHJTVjRzOWdyem1UWTQKg5uZRhcLpmiVcadqdJoscqsBD2u6UGx+
qT0IoSVOzsBlJw2t9rH1zR7WfRSlCXT1NYzu9aTWGqQaB8qvEtyk4g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdjhMM1ZpM2xFVXlvOXZK
MlRZT2U5YzhMUVR1L0FqVVdiSTFTYUpyN25rCjB6ajMwTnNTaWk5d21vM0Zza243
dHhSOHM0c3cwS1c5dGxhbzBNVm9DeFEKLS0tIEpOY1lWVE04UkNYNDdCcUdnTUhI
NC9xOENWZUNyay9SeXRjSUdkMlE4UXcKiygSIWelRUZQPbiK2ASQya7poe1KCXmo
XIlgOaUe1+lvY8s2bjdud0+7QlPOKeyciCSFNNqIxzHMYSEKwNCbpg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-15T21:42:17Z"
mac: ENC[AES256_GCM,data:2gH/ZaxSA6ShRu53dxj7V3jk7FsVdYS+PSHQyFT8qMvKM1hsQ/nWrKt00PUl9I7Gb4uomP9Ga3SyphYOXRBzKoV+x52oEWOJE3Q4iPrwdCkyHlxEezhTd/ZRQVatG6dvHpLuDNS9Dyph4f7Mw5USI+m4WeVdgCvHTydw+4KIfP4=,iv:yimfq96WVsagvKr8HTg1RdZBSrVGcCWPvv8XOXkOfcg=,tag:zHzdrE0PX5+AeD2lpqeJVQ==,type:str]
pgp:
- created_at: "2026-01-16T06:34:38Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/+O1tft/OfS52K8cmcQE7I7aFb85P2L+7u1TdmTjHwNFkC
3jhvzPkNDQDkMIc5EPZKX5WLUS8F1UaqCw4b8zZtqoTqKDpu0S92KL500iXwBxft
D3cRMFFb6GBoSlPJVBt6LMRJjGLWCkBihlYL1AknoVV7VERj8m1cvcstdp3qbEd7
c+X6t5B+7N0/QPdh2KyrHWXyCzFc/6emVjNGy2EoXRt7idFF2yTbafobCs/hZ8LZ
RJyhpGyR9QPtAwFP9Und62tCd4ZwG5FazZBLevRrmD7AOW1WnQhyYvxBvqQp/Oz+
lFmhcirLw5CaC1AbF2k3uNoAHXVWyexaQeu2gsNYXq+lpsdCWT8WtrAtNCyC2StI
PtdrdQ9oikJptmoWQ0zEBXKXdV8AhukLSX0wtis74KbmcS+2YyNKvQksGF2ZfHBh
U9ycfJr1kwm7TAg5Lg6XOmKrdOJkPoIcUCk2QW7MfS3nwwMLt3BjhhpRVUfeUmjB
Jjjs+jUXEusnmwmvGGgEU2pT944FLuFClSI8JTnIZ61YkjF7zAtrURvsNKlqu/UG
JLrWR+dnnh1YK0qQEcqt6giNSX2IWrw5SpJ8Jekt0TWfB1HDHybQUyFC/n/je/XK
0ouAeDL9oqh0eRU3ng4KKhOXNn+WO3/HrnG//KFwokc//BNNvP8qM0CTtPQbQ1HS
XgFjhTfzV0T4LyUryuict4rLVI+DDbzWGRp0umdobvQE1CGLhKCanrd2/Ng6fAny
9G09vYF5zK95uzqFBCTh1zFr6+rhfbMI501TwBu1KxOaJdYs3vzLiTGWoyI48JM=
=5fyo
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.8.1

99
secrets/bekkalokk/bekkalokk.yaml
View File

@@ -39,87 +39,78 @@ sops:
- recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd - recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMVM0T0Y4Wjg1OGNsR0Iv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvQjZvVEplU2pMQmgrQXE2
VmxoNmRMcjlWRHFhc3l2Sy9aZnF4b0ZsTnhnCkd6UnEvWi9kRU9qSmVLZkdiWGJh Qy9FY1NRZEhpSTVCdy9rVEFHekM4NHJEVlRvCkNnVUlCQzdGenlKOW56ZGY4bzJm
SW1SS3FDWnZTZnBhTmFvTW5FMCtUK0UKLS0tIFJDdHFoT3pPaEJLZmR3R2Jsd2pt K1c1N25ZbDFNMDY0YzlGMTlMN2htSEEKLS0tIEYvWEVoMUVtVDRkeEt5eWFZckJs
R0RmcXJwRlkvSVhRbGwxZytLNmlqeFkKw/0nGPzgzH39udFyJVkjNTMTmffiQh6/ aFRsYmhNMkQwdFlDa1ROWXdhWGFKUUEKqixofKZBMXpV8q801HtVoHzZWJhsifSB
HT1O7imvPymx5kXrnfciAP9bnCV4o/HiVkuDxBP7gG5nBUgY6PIC7Q== DLPHbOAWpXjKygNJ1ogi66FWBFfRL0KGffQEuaIozTA1r1NafSCLKA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCV2ptWkhqNjcrM0hXOWEv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1YmhFNHNuaXlFZXMxNmtR
Y21GNkVJUXY3dHV1OUdUdlJZNHhka3g3QVdNCk9vak0wSDBhS3pZSWk2anVsMnVY S3ZIM25xVnYxNE5kL0RJR0lpNWo1c2ZTczFRCkRKakRNek8xdVcxcFN5Wkc1VDJ5
UmVuamF3ZGw1MGZ5M3ppSThWK3FPR2sKLS0tIDlQRENlQjh6THZRZlpEWnE0djNo QjJuQjcwZ25RVkpoMXFpQXltU21MOTQKLS0tIFVrNVJ1alAwM1RtTy9zUUIzMkpi
cXl3S2tRdExvSjRNUHpwbFNzVXdQVmcK65zb8MPh67TyHkjLA2vLgv2eOQOSUDih bnFVWG5xWW1hSDZob0NzZVZNOHdqRTAKci5uPZI7K/ljVRZ1j2qQFABpf+Anuj2a
JeHkryWGQXzlYL5tZZ24ae1mqYiYQ6DsbWXopA0q0OmndYByXct6FA== yqz92A7DbMUSUqmUNCHWg2vKmMwuRL3CXLPzZoXgIN07dpYQlk6qgg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSnU5dml1bjY5ejZHUGRQ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZExMODZvbUo5VWt4UWs4
V1pNQnBXWUx0c1R5WkY5d3NFOFlKTkFrMUN3CkNqMjc5NDRMb05tSW9wV3lkUUVU ZXRXWkdDczQxcGRJbUFyU3V5bDllampVWTF3CndVSzZESmlwUFcxMjZKODhPY1pz
Mml0VWc5N2NBZDQzVXMrWGpqVzY4NUEKLS0tIHBoNTZlOVBMdFJXOC9QRjJ4bHh2 WHo5aC9JOUg0VndhdGIxeU1PU2t2QWMKLS0tIExQelVMSWUrMkUrY3htMVIxTHFo
SzM4Rml4dFNjMWxxYXlVdTdxTTB1ZzQKvoBpb4PPNM5yl85wTcTTqZmkXmwZGyvS blNkNG02ZTFHR1ZjL1dBbjlDNXk5VmMK+EbzW0Rdq5cxIm8EnQ2P87BTxfMKywyM
PMPFNqEkzcZFtC1BfYGIlKAuisGhQ6rFAkyTZXTLP0HjPEcH00+WMw== Q3LGAw4RDR/Gstj9hzpTPnNjb4D5tMcQmeQlAvBriZPFXCrmq5WCXA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbGdTVUU3UVUwZytQancy YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSGFIdjJwTkpRdzdIQ2Iz
ZXY1Ullmck9qZ0dsSmZqUHF0NGpSZlJWRjBJCndmbGh6Y3lUWmdEWUdHNkZwd0dM WW1jamZFY1JrTTBZRjM5enZmNkNEMTRaQ24wCjdJY2l4OVJyU2pVR3dQZFg0cHRl
OWpaTk4xdzlLak1iMFhhU3BnT1NYTE0KLS0tIElxOFVmUnVDUXhUeVBEVjJhR0Rv dU1xS0gwbWM0MktPL2d6dG1wN1ZsWEkKLS0tIHJscElDRVFrakJCZmtMbk0xaVp4
NmloODFNNXU1TG9FeWxKYTBGOG5qR1kKXGAQyRVO6Sh0LNlFD5nx0F3m2KYP8hYl MDBoekhiMWZaeU9IWkcybFNWczVtUUUK4BOBttXkGhmUYTjR68ZvaT0BpbIw67rr
/g3mwi4NI4UIR2dYXsgNJuF7axxP1IbaZ/j2NLNYbVe2+iZvscvBTw== Ls5XV6Azkid7GAttNayqb/OjshUco1xIbAyGRz77b5uzMzM1cM6+dA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWkVyLzJWM01ybHB3cmpq YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSmVyNkNiWkxob05lakJI
cTJTM3VWaEk3djcxb0RnbVZXUGRyMWQxcWlFCmhQUmtGZm0wczdsLzZUNHFqRnZW N1dWVWl4bnd0cWV0bzlzQTdhMTZ6aWZJMFU4CkYwc29NTW5PODVVTU5DNFdCV0RO
R0JaUDhmUXB6OTBwNEFja2xhbm1JNXMKLS0tIHNVUFltMjZjalJya2x2UzVHcUoy RTJHaDVmbWZ1WFdSRVE4Tk9SbHhsdUkKLS0tIFhiN3M1aGJtY2ZqTkIwYjB6S095
RGs3aStCRUJmMG9JRFZyRFJWeTZKWGsK8oTccCGCXPsQEGnn57ml5IwYCHgYoBpC WkpCQWlab2s5anVIa2Vlak1vNzI5U0kKRhPzmr9IW0fVDRKzfR1du7KgevNUchxJ
2U7uT/Z10crtrqgPGi3/jYr5IEacLBvbuGLBwSlCo7NGz/6XnVIyaQ== GDz5B/EekvwZwhcAGvkE6uwHIAIMaau49S9iwqK4NjIcBIGagoqiDQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTlJPQk9DTFNKMjA2bTRj YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSXJKL3RzUEMzZXN5Qmsw
OE5uaWxEQkhUdmRvT2h4TDJvREo4TlQ4MFZrCjNjd2ErOXcxQkJrNzlOdGNFSDNW aFRrMXE2b2dNU05NeWNuaEZOdkcyMWpvUlM0ClVkMVJoS3Y5SnJxQ3RtaUtncDcw
S1gyaG1SSGpyNmtXZXpqZzVnN3o2MkUKLS0tIGdkbEROYUNjNk54RmFuR2VkK0Zq cWRKYjdFbEJ3aWE1ei9wYnpVRGhBd00KLS0tIFFycFgyWGVvMFc3azN3T2Z4aHln
RlRMc0R3dDllUGRHcmNDTDBSS09mUUUKhdxXMEuwLviNY134uA4SELXiHo4rCC9h UzR0dUp5MHFWdDFya0hlRXM4M1d5YVUKhaXAFsId/SGv5wmKvjTLSAAlDNuSH80H
pT2iqOV+VDquwE99h9OIo2Kfmblzje/TGpok1i4cxytg8fly3LZD+Q== SahjRm7nj5Z6ZHJfBZu9cGoZ5ZdvPsr1DtLgErSndnOnh7TWA8SgGQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcHVjN3MvVUEwazNraXFQ
anVTbU1EY1JUQ0FyeSt3bWJ6TVcwY1UwZ1cwClRtOTE1QWNXaUdzejh5a3BUdTFv
M25HcGZBY1IrVkdXV21vWnVMTHY2VXcKLS0tIGVKMFFCRjhJaGJPWjhlNEFna1hB
SU5zanlva1p2QjVndVJwUnlkdkFuTDAKbQRrSfG9MGsGvF2ywoGhDSuriDsbQ+k2
29mxere0efSSGGq8y9YrPC8UX5hZRfqg/dfbL+PFc4NHfbxB/oSzQw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-09T21:18:23Z" lastmodified: "2024-12-09T21:18:23Z"
mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str] mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
pgp: pgp:
- created_at: "2026-01-16T06:34:44Z" - created_at: "2025-12-01T10:58:17Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/7BX4o2qvoL2bJN4zkyjqUBgFi0rS3UXsP2D81nxDmlEYP hQIMA0av/duuklWYAQ/+IxSo/UF0bv0ktR4aYDhZF/7y8Xv56jaZbW+bI8os57SY
iAm7uQ56/QLbxQ4nW+aBy+ijy4+a9w6yOEfy4DBwXQLebWJUFn2BJ88+6rOlAz51 mk7MbCqMmujf31gDlWwvytn3sEBTs69tre2rJH0JhDnfxrfL4uHJqD2Idtfhejgv
hxHlAOAkN7aFm5a2Y8SQVGnsM/HFx3xJJU5seD5QhJgoPcaDlD/f3zrmmKzvgwX9 6ezh37/aFy0GgkUKUMpVG3sksZjQrKrSvJiHgfIAaiEiNU6grc6EDLPqDrgO0s1V
CHPI4lmQjzwjyG8BJRDlCdXtjXqYT2prs0raLUESwt9p3Hu+zZ5DZfZcnx0s5F2y RBUiv2VMyg6a2MBf6TSrdoHw/HtK/PvOgrQ/C3q3jjUzVLUnScIsewwTq0zdmVf6
nj7cFncmFci204EUzCoYrJNkjYKZSDhlNGyzZzF+7ve6LYW2snet86gDFWNsJqfj WPG5/sTjKoIYRdjrEZOIZglU61Q2/d0GTGkI7nkr5xl+iJicRO8O4cYmZ2NivMLt
/1Xp+pDSZVFs3Sp2iSTKqG0wQaRgmyP/r9IagNwTJxjgCjJall2qmdrj4xi4EJef pjsYGQ+Kyuxzmgqjh2aRv5uu7p4g1fYIBZdcqmm14Jc/IznNUAdfpgoRGUxEbnGW
40ZGn9BGmk5EBAVhErqwFwZTlEDuGRWSzStRMpyi8YMA8DMd/mNxdXetrg7zw+ro R6C2eTzvhZGFj0+jssLwcWtGxa2xxPAHL8TbAvroffzx7W9IdyWkmOEaMuyHFAWT
iaj+izF+FDjPAm2dCaO9r1zZiFKZk84Q2tYNVAs+2t3a/GJYGAs0qzqWcyJzYk8q FpsdlSkYmQs1H5YCdRnapFkNbaIPsQy/c4dQhzYakrheMdpXo6efSPmk9RdjKZrd
CHpXUDHVGFXFjgm067nowjtETLyBtegM1bIfoFJEqJUgWT+NU9kON638Dp0HuV/X HvJaepwJA7Uf9+eY+LgPVTKY4ObJziJEEIM8QwmBW4h7ZujbntUHXhL1dt2Bc8nZ
DkBbwYCRCRSnumslEHlUxw/I1pZijCiJf6m0hbjWEKxUM8N0fKLLxdoYLSY36/8L 5foSRmLA0lsd59QSPA3lg30TpJARC8aq4dlYsTFqQgHVTHA2W1m5gYvIgNKlhR/F
kyA9T59+qwNIfpKmpF9jvyIX7/Chers8ebgwwpJrP1UwueKQoxhO2mL99by9+P3S NGNaAWW0+3V6NeQF5UVp/ug4RbJK+qbrQw/+jeyRaPj3TWaFobOfs+Ad5zcL5QfS
XgE5D3lqS+OQqJfRd5VMjy6Skq5N1kRhtP+dujwBnX/MxClrh1HbgVaNKqwiBKBj XgG1ix1Re4pnbeGbTE0QsFQ/Ir0mwPGuNzr1CFuVQWvPUYqA4iv8nlxIj2E43gcL
CV9oTxtI8LDC06KOws841HmUuGe9/4H0MNu/dz+VMh62RD0MVher7JYs5fuFHVo= 4ihGEE6dKrrwLJuALNq4p7mqnCMJ7/kjLNTRUSmWY8fHaVmX/QL0uGZwYH1Y5P4=
=7yLr =2j4b
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

99
secrets/bicep/bicep.yaml
View File

@@ -15,87 +15,78 @@ sops:
- recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx - recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeFE5T1FHeVczVU1aVmhC YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWXVrN3MwSkh4RUJHcmRu
UE9aKzRHVWdDOG4xMXBtV1Y5dW5sVmZzcWtVCjd1ck1CRmZxZHduZmMzRnRodi9n V0YrMkhIVGZtLzFsbEZ4dmNSV1FmT1Y2M3prCnhWOSs5VElEOUhuQU1xa2FmRlIw
ZVRNckIyQzErVmJUaDdDb1A1bkRUNkEKLS0tIEJWL3EzTkFYQ2tNRnliRWJISHVr YXQvZFpGYXh1eTMwVkZEempxdHA5eGsKLS0tIHlGQXlHc1ZJaWlPNitrSlQ3R25h
aCtGUFhRYkdPdG1uTVdGN3lITzJJc2MKt9TDBg1CV3a6FhlROVZ3ruKVdehQcuSN a28xWWRwbTlaZjIrbUpxUDJzMnp1alkK3awAxPMvmrh42Pwhv4mBUvWH5ev+OK+i
hv0vUdbR1uOX89+P1oqNMRMQJI0V4oWi138m+uqA+jozvz+Vn5z/3w== nKWXHOMyYPudYg062Ex7iAHS5WTw71bsMkUEwmU0Mt5XbopkXCyyZA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDYUNsemZ4TDR3S3EzcnNI YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZ3k1VjN4SlVPcHhkNXpw
eTduanpyc09XYnBSTk04dEZSME8rYjdvalZFCnd5dDluWStCR0lvRFlkYnpKUVlz MTFncDF6cDdKVmVSQUdDQUQwNW5scjZ6TUdFCnY0UkJjdE5DaUFNZm00VEVmZG92
dzR6cHU4T01TUGdFamRqZlBGb2NBYUEKLS0tIGRCTTdjVnU4ZjY1czZjZnhJdzdw U0VINHJqbDd4RGFnOWdxaVhoMjRYN0EKLS0tICtESEFUbHBDamFJelphbTlMNmNQ
M0swSS9wQVpIQ29XeGRJelk3aHVNcTQKv2Nuia6fkUIu+P2RcP/iHonc6B3y5GJL amJIdU5iaWNLQ28wYXJxZ0ptVUxRQVEKZtVEIcBrGHpmg/wGCzDshYZ83pJUf5CY
eiGHywJ5QnQAVOkaNiMZSNfo6OWL/49GnULWJwvbaS/Hong/ax9GBQ== I4hmsoPRnq7Zh45eCuE7j+RNhGiQWGi8q/+sUnSJQMGjzIHf0QfVkA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlOHJGNWN4ajA0Q2xrWHlX YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0TXZuS2pvOTd0RmdtU1ZE
UkZYVGRtcXkrTkl0YWRVd2JOa3o3b215cWlBCkRjWlJCWXlmWTdia1pUOTIvdlNI MmIzUUxFV2NKcXJtempJdVpUQVZwWVBlZm5ZCkJZeVZiUjNPdW1XZlJ0YWxDa092
aHowK29KT3d3a2xuTWlwd01JK3VPZ0kKLS0tIGkxUElSUVVXODZtZHFuTGpqZTd1 aGs5R3VUYkdBbVQ0V2dzcGV5alZxQ00KLS0tIHJqdGExb05DVFhka3duRTY1dFhz
TzIwUHBIRG0vSHRpM05vQUJYQ01HYVEKFrDzolWZAsiOLhls4hdIkjRXAsYYVq9k MGFxVlJDcEZjc0Jxc3loV1ZjNkl0TjQKu+gUS5uyfWBNn67WFt1NwjzkwYWG4r04
aKbS+DAKVP6AnhMC+Xz8zp7N1bvcXI6tKTmrlg+mo7bsc+vOl12AGg== hFh9hxB8efiMxYiDp2fc9EKvn1FlTBQJE1KWyiD88twzhKDKaDqQJg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZmg1a3d0ZU9idCtMelYw YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQTF3bXhXa1AxazZqZWZv
YnZlaFZSc0pCWG4yYVMrZXNkN3RVOXhJTFFVClBXa0NqZjB6TDFCWGRRaG9JWHZx dWFpWGwyUDZkZnczc2NpbnBWeTJGQUVBSFFzCkwyRFVVa0l3dS9GaGN3Mm5TY3dh
SVZ0SXExU3hBb08xNVQvU3FRRkRXSFkKLS0tIFlmUXJSc25jZVVhaFFNejY5d1Ux Z0VkRU1uZGVscnlLNXArZVMyVFhxTWMKLS0tIHV2ZExtVnFONTlQRVNMTFRzQnFu
TWVyQVRjWFBpOGc2Z0xCRlBBclVmQlEKwdADPZ/JtBznYW5ngAehdFD7dJKjy826 ZmtGTVJqKzlGWDBaUWs1Qk1PSnc2WE0KrIJy3b1TdI7ur02ZzOfWJGWl6WuSUFV4
G9JaApg1xGj3OQzB88rlyQwE+WSV9yCdJ1BzIK8HVSaBOsitRoJDKQ== h9Bb3uSpVZLWb0MRKTK5RIeedQZ0NuVOqAP3hCglzzNkZ10/r7ly2Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ05hM2N0QUNHWmpHMHdq YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5L0hVVnE0bVp4d3MwQXo3
cHJLTWdaMkIxSlRsZ205VjJYU0IwNmtEb0h3CmhBN3hmQ0pscFVQMmNwemY2UnhT bnl5aWMxajZRNHFHQzhXVDZtK2k3TjJGRlFZCnRORzNTVEJOeTZ6OGZFNDNlQzZG
OFlRL1VPa01NaDh4Q2xxdUYzU1E1QzgKLS0tIDB4ZjEwRmtSb1hXWFpSdHA1ZzZL MmFHRFpQMW0vSVl1c29yTFoySFEyNEkKLS0tIHVPUlhIdHlxWHV3a1Nra0lEN21Z
YStGSVJYUGE2cDhiYkJhY3dMQ1F0dEEKLexDk8xrQ/7SGGUjGIjt+PiL98LeIm6z cWxLUTBIeEZ0Sy9Ta2Jsajh5eVd4bTQKvmpiIPGbgPjqssx4sc/bqaCLeGIPcRfF
Bs+2xr/egd8X8ISwPTjgTutDqTM4Oc6HaDJ/mG8H3ewic4ey7TmuPQ== BVWm8tEpDmpjvFPgRKhgIKFAQZXumd/9ykWAJE02OWeOOD/LjfSSMA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNkxBQjBDSEt2MllQbzJL YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUczg1MEI0VFhFNUxYcCtj
VzJrUFhHRzduTDZLUGlTZlBFVUozc1VlY1g4CjM5VzIrbTdZMlJzcTh3MWlGNWNK UXZZaUhPNEZ3cDkvc2lZMm9ZYnZGTit4U3lnCmR0cC94dDVQcjJYWTh0Zkhkclps
amVnbnJwbzFxalNSYUJQRjZ0dFllL28KLS0tIFV2SmV3TkNxSEhDTTAweStMUVIy WkVrZmdCSE0wdzYwNXMra0hLYWEzU1UKLS0tIHY5MG1LZkFpeisxeDNXQkFrdm9J
UHVhenNpRGxweWpIQXl6N1B2NEtuYXcKgE62N2ThlFFp+b0T2Rix+H+rmBwrfQDx dndlQmsyTFBOQlIrcnJlOVdWS214aTAK4RSsxV89Ccb5K8JP20J+R621LWdtuQJ6
5jXxPFWOdeEowXMM6kUi4xzeUH7/CGXlg+5uNF9jWMpJ09eAKPoO/g== vwWhWkbtBU1Ck3NeEa4UanRqFJxl0bkpdFzHWoQnCm9TmzRf+Oikfw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIa3dxbkQwWktRcFI2ZW80
S0N5MXZWaWxBTmkwV1o2bzVvZlQ2MldiY0d3CmFyRWk1clJCeEptNkcwVkdwUURR
MGVzcldGbUpxWDN6K2RGT3ErajBZRU0KLS0tIFZadXVXbDNsT2Q5eGtJaEtOaTlX
U3IrZTB3YUJiREZDQkgzUFMvb3VxU1kKJhYYVcCT8hNJkEK1nD3GBekVGDOI3Nin
iBat3LwB4Ijzx1jA+jKJ1Ilf4MgdoL2ox6l/uWft27vvsRaQ501VvA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-25T12:27:53Z" lastmodified: "2025-08-25T12:27:53Z"
mac: ENC[AES256_GCM,data:GoJ2en7e+D4wjyPJqq7i1s8JPdgFO3wcxrtXOgSKTxi6HTibuIcP4KQcKrCMRAZmXOEL1vpnWFA2uk7S00Av7/QOnzP0Zrk3aPBM6lbB+p9XSabN0sOe1UpZDtAM3bzvS9JZzyztT5nHKvO/eV2rP71y/tYbsT6yvj7Y9zxpvKg=,iv:tQiCr7zpo7g5jZpt2VD9jtFKo32XUWs94Jay+T4XWys=,tag:npBqmlbUUfN+ztttajva3w==,type:str] mac: ENC[AES256_GCM,data:GoJ2en7e+D4wjyPJqq7i1s8JPdgFO3wcxrtXOgSKTxi6HTibuIcP4KQcKrCMRAZmXOEL1vpnWFA2uk7S00Av7/QOnzP0Zrk3aPBM6lbB+p9XSabN0sOe1UpZDtAM3bzvS9JZzyztT5nHKvO/eV2rP71y/tYbsT6yvj7Y9zxpvKg=,iv:tQiCr7zpo7g5jZpt2VD9jtFKo32XUWs94Jay+T4XWys=,tag:npBqmlbUUfN+ztttajva3w==,type:str]
pgp: pgp:
- created_at: "2026-01-16T06:34:45Z" - created_at: "2025-12-02T00:51:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ//Wr/FkredBdFTg1pft56pSfVNVScGeETZXT/EVr0esNb1 hQIMA0av/duuklWYAQ//eMoBqyI6G8T7c+LwLWl0KxVl4bPv8B1w6l2h+DbwYbki
8bO2SUxWSSKAFaHy5YJ/C7B9Ok267dmecvDiCpBN/UwAVKnbXIwMwQVEpdwFI7Zp s/u0EToWGFKNTcoio1Xwwhb8pVnUprLONKe1LHgDSsWhvZXBaq3OHxWJuGQ+T0lS
g41BaxZ87ogphyXmmPmTtekbV6hJZE1FJ2D1rDlEuIHECGhn+lViuF2T+WmCE5iN 1nEOZt1aRp9ff4RA4BLS2LIB5+2lkVvQ2jWhgzzrEgC4FXI+d5XMhgXtPlO8Dgv7
UvcU194RjL5cWy4Rgap7bo9UaowDXRHYTuvc0lEBkoCaNbb252KhC+C/4OXIjV3z Dwp+zTkYyCRny3FzL/AhHCYkqxHuuH19u4j9taN5VidKp9a1EKvjYZW4+xPM0gek
BoOxF3jF7xLgeK/7swMfwVpQjwD/aM1IKkCLFdf7GbUfUjdKdEiPCpRCMSmSUtXk 9AR89EIzVeLGMSVUFToAfmZ2jFOfMj42pmbQg29Dr3iUVvOZ1sP+w6Jt/1j4FoNe
JDAJz7lzej6r/fCHSsmntSf2RoaHDk3kKMNSvqR9UkCiF/LHBhIeDz2rJiOx+suR iylriaZtSMLb6kjqN6xf0TnA6exa7hHuAlK3WbPv6JAYrGxs7+l9lGLJkgdXqkzt
gPQLehedeF66+A6m7WwQarklPqMhPRw/IiVxXgsDR8Ws7Dr5wPmNkuQ+LvO4rPEG oxyJTilv1+YJuXy4O2oW6hV8yymOfAKGHt/dkEnPX6UtddH+RDCo+HdWmXWy1Feo
iC8pOTs2+Eb0ulxtjY9o3DNkCbXGzorSLZ6MBkhQhNUmCuubVQ0gpw6RR7uflgGL skEfvwsbzKPCHInPGbo9Yq5NIgJgaisJlHVf5XHxuVVWdEgmpPZ1XxRvmk5B/9lu
AYvv8GYpoY+uWWAbsnVdeK8XuGccjP5toK25PiOKzIdRXczngGMLdhNpQmS2cfh/ gvr+kG4nN2ZxjBC8sZmHQrvuF93x3mXmHIyu/W2LV5era7Q7tUjaikBMba3a3Rpo
A69QRFprjTt1/sAqzbe9V68PZ1Opa3EH/fvWgXbUTJbxhAMJoZy03KGnQC8kNw0O OQw0auB1OBSmZOFWMa4ppWU3H5V1hOBoD6tygpJvRvuKxJIVGMg1XWBuLJuAhLF8
RFMSmX2fnK4ppmahnO5rn+5InF1TGSd34O9yPacSB9glb3hvClmNOsC9b/Ow/FnS Sdz9AtHR7zeHtNG+4/da/5iYFLi8e0j0H16TlKlW+BuN9kXfmuw1UC1cl+gRLPrS
XgGY8d7IGU6zlCwJyIEKsekexJ+UiooT1AoyORHvzHw1J9jlrybSZTK+IzSGlpzf XAEXT6KxURapNNTZTbM66rJNdP60J4u8LhvBD4RLQNGXYQe8Q6RrOdrVRCYO1cjx
bfiUk6yOyYNU82LhJBc+gdl6QVeO7VoQrN8iJq752A9yrk5eZsBWOeZybezJQos= 71Sydx+N+XLbNHfgi1AnaVXmWmZ5PRsAxt4xXPWZb0lV8heh8T1FBKeQM35p
=WTmp =Ur6q
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

99
secrets/bicep/matrix.yaml
View File

@@ -22,87 +22,78 @@ sops:
- recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx - recipient: age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVGNjVTQyWHloRkxWWjJy YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPL2Z6RVEyWnBPSXZXZFNn
ODJ1cEg0aCt3YjkwY2pKa2d4a2N1VUwzcXhVCkpKbkFsZ3lNY2tkdXhuRXRLeTdU dTlKd2xPREVLVjIrcnB4MTRHNU9LQklodGo4CjNuZmwrV2hCSlBXbWMzQk56WStE
b3U1OThkT1BubUVnbHBOaDY3ZDB5enMKLS0tIGZYUU9QeHFRT1BwRVpDdDZRUXVn MW9uVk1ZOWtZb0dFQjZFS1VUZ2ZOd2cKLS0tIFkvU0s4L0h4TS9zemVLc1JyTVhB
M2lmWTRiMG5oaUs4NFZCb1NXUVdUZ0kKq28skWDPKQ8U4H+vRu7N3I8vURHj5eMX WEU3d1ZsMVdyYXNFNVpyallMSk1QaG8KYtDGiTY2Cf5YmmAKgr2s0FNeZDRpUCUD
XKYf6wQ8kyrpT2+nZhWeVP26kpDvHcsMSqQR1ldHOGQAq7fAz8Qwyg== vJEm+1XFJI4fkOytpOZt0ZywTDZZd6JkXD1V713Kvr+sDCvuT6HW2A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZSt0QnRMb0lvYlBYTnVq YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeTFLdGNER2lRZWlWT3RS
RHNha08xWS9KNURKTTRpQkZUYVJTeXMwc2xNCkplb0JDU2hyakFCN1JjdWd3elZ5 RXQ5UmMyNm4wRklwRTUyK2RsVlRxMUU3RGdJCmtLa0VTNmFoSWRsc3Nhc0ZhQklJ
QUtzSksrVjhZajJ2Rm5HbkF4aGo3TnMKLS0tIFR3ZFpGZVRNY0MxTEIwbm4wL2oy MVV6M3pvQzdtVTR5Lyt4VmpjMkFhcGcKLS0tIDZzcnpDclZLM21MYjFlbkRKUi9P
VFdEczZXV2ZlbElQSjR2MER1YzhMV0EKHT3aX1BnddpVNuzzCKf7f4lqe4hTYPYt L1NFL3RQSlh5c0hjVXJ4RWZObUExaWsKyU9dDDimP60N7aF8wda4g+Uqw1Hcx13R
+udTQ6pc0XqXEiJmEJN/XrhkS1BOtMBbP4rIse4x663KHREEG1K1OQ== 9kuemMqS1cj9HPRuEhCOINAHIqtnYGmHaow6UlEc/nuKrsV6Ibbvmw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZEluNjRwRjNHaEZzNHR5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFphcGt3V2I1UGdVcFJW
ZW5RVll2K0NwUWtOTERwL05HZXJuMUxhUDNZCld6Yjh3Y1N6NHRzSG50Wmh1cUxv RUt2cXNIaUlJbjE3bVRLcFlRalhZODM4ajNrCjdjSC92a0cweG0yWFVBR3BBOUsz
MW1OWXB6aWR6cHdHUU0rNGZML3pocVkKLS0tIHA5a0JmdFQ3cUdQYXBKTWxpdUty OVloN1craG1PdGVnTFdXSllOVkpRb2sKLS0tIDI0UE1QMFpwUG9Xemp2TjJRWTRS
dFJhWnBsSzVyVkdMSHhEcWNvUmp1WG8KRB4/5AeDmkJ9I/ZMvqs9Rnrtl0FmOpYP UUFYczFnSExjZEJkQzhYc0M3ZFJOOVEKxqyXt/2CmKiuIBKdA24atjD8Ns84mV3C
hwV87Zznh0jA7vxqB21wH4spqu47VrFo9A7OhTp8e/ogtSJjyJkQHA== 6i2H1P7+XCDTjT+MyaRV7TlOyGPv/AqcXnAgKxk0CNX5O3qoAXmjqg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocEU3amQvazVLRjFzOE1X YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXVTVyMy9mOGtnK01hRG02
dHpkQXlIWFptTFNTZmJtak84ODVZZThKSDNzClJrYzBrU01TK3ZNM2prQk5mU01H TG56MSt6Mzk5Qm9jNE1uTVQ4bUh6M1ZJS3hJCkxlZ004TXJwZUxIYTQrRy9KaGdQ
T1Zyd2N3YVcwQkpsMWJIK3hKaUVQWm8KLS0tIFU2QnZVaHRaZjR3RVlveEVmTjdu U0VHdHptVmIzazBMMmVjMmt1WXhlOFUKLS0tIGJpNHZxbEhFWENhdDNBS3JZbVBO
SVlaajJ0SThZdUpQUTZBZks4RDcxNnMK33zYR5DuSOe1gJQmaW61Z/CNRvSV5LzC WFdFdjNPNXRRdUFBZERjRVhLbWhYa1kKDULOz7tab3nP/o3W+2lYQVZy+5R1r5dg
+UeqdUsYxOPUzFHRLwUd1YD/uPO+wfQph/WVDh8ELqsG4i0o/l3ycQ== V82DVkqygJwhjMD+UHV9KnkHSnaSfwQxF1pVKq1ZZN1l+mgNcISbjA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYTRCeXJpVi81WE4xWGli YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaFl6VUtDN0JFeDB5ODUx
TDQ5M0g0MDRYb2ovbzFjbkloeG5LWmdBTUI0CmZSV1FleDhtb3Q3WGhwcEN2OEhN Q3dEeUFlWWtCV3p3TWUyWHFMc0pTamo2Q1RNCllyR211ZmdTaTdRNzBDVXhqc2xi
YW1rVEJNVGtWeTNmWnpsQ0J4b1k2b0EKLS0tIHBkVU15a09DdHBQa0x5L3p2THd1 Rk1Tc2thTGZLNW1hejJzdUpOOTBDUDAKLS0tIEFhb3BPQTcrMXhlenZpeExCNHNH
VFBQUFZXZ1pKVVoycHVuNnVxem9Gd3cKW6ZqzSjbVZDZcv/cWN31AF+5HlyvbThj OU9sN3hoTHIxWXUxRGFQekJDaVB2S1UK20kKBwClp4zSlgMShCC5l9EmhbTZ4jwT
W/qDquapYsf6dybP9F3GJ3pyDdSJbkVvInBL1aZWz/mzvny4SPSJLA== m82tXz1tCuYqJeyklyHW5vol4jE5To2AL3im7WyepD9C5pgA1xNiZA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhN2V0ajNZTWhlb2RlTllF YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQjFGZVdKTGRXdHBtMjY4
KzdCd29lenR3dEJTclhvTnJDTkFNbVA5QUNFCjd3VFFtOUZxeFR2TmNLTGlZQ3k0 Yi83alRTNnpZTnl1c1R2ajJYRXYrRnZUYUY0CkE5THJVSXYwT0lHTGZvMGFCcnY2
SStaKzJHRHdYVEVqTDNnQyttVWFPZm8KLS0tIHNQMHk5QXJQQUZyUmZyUzE1czZk YTJhS3ZyY1ZqNTZmL0ZnZHRUNmhmWmcKLS0tIC9nc0xIMmIzSGl3aG9kaEM1Kzlo
ZmNETDhaT01VL0pQTDhXQnRxUUpWdVUKLxDyNyTKs5hl9CkPGQLOe4JVz1EZN6sR aENqOUhnSjZpNi93SDBaRy96MWhjblUKqvy6v1CdL1pqOt3N1gEPCT01ypwd/SG5
drKTDoEOPdMT+ki0DwfLUcmEOJGg2ZOtmlee6s5jalBIrPZ8MXEndg== dVaVKV2nEWoAS0/+mho0KmdHQNJi1Qejhk5RSkoaZRd/jSC8sR8hdA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqSUNaM0gzTzJ2d2VQUWd3
RlVCdkNUblBKcnV3VEx3dmFXeTI0VEJHMUY4CmpoWHVsdHJzZlJXcjRNWCtVa29E
dkNLcnExUUJLQ1NiYWVhSkhMMXFnczAKLS0tIFlhd3c4clBYNDNDKzNuZkhRNmhW
Qnh1djQ0ZDFhRmxsU2g0eHJZeFlkcU0Kj5H/dHrOwSgiZIzpv3nOc7AWeNMofJg7
OzSVdRry72qPqYU8YLWjAcoP3ddITZnWr53/yYBVmssW/KeyVyPy9A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-21T21:23:24Z" lastmodified: "2025-06-21T21:23:24Z"
mac: ENC[AES256_GCM,data:bEJoCzxph/MOnTOJKdrRiQmbVWmAgsKy8vbD5YBeWagWUCJPDAZNDFLzEzmPvt0jDBol04JosrSIKZS1JzJIIm0zRkcOWSqERQCgjgtGdAYmfp0V6ddseDUVfKlZYJDkt6Bdkqg+9LzrP8dDVm2tMDXpo8vzs02o9dTYFm7imVQ=,iv:buP/297JMfvEm9+IdMWRGV7AgZwF0+G6Z2YIeYw/z1o=,tag:+zG612MJA4Ui8CZBgxM+AQ==,type:str] mac: ENC[AES256_GCM,data:bEJoCzxph/MOnTOJKdrRiQmbVWmAgsKy8vbD5YBeWagWUCJPDAZNDFLzEzmPvt0jDBol04JosrSIKZS1JzJIIm0zRkcOWSqERQCgjgtGdAYmfp0V6ddseDUVfKlZYJDkt6Bdkqg+9LzrP8dDVm2tMDXpo8vzs02o9dTYFm7imVQ=,iv:buP/297JMfvEm9+IdMWRGV7AgZwF0+G6Z2YIeYw/z1o=,tag:+zG612MJA4Ui8CZBgxM+AQ==,type:str]
pgp: pgp:
- created_at: "2026-01-16T06:34:46Z" - created_at: "2025-12-02T00:51:22Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/+L4rjUWtF3NuYc9UlnyPpwSQvsLbw7gsPuLHYd4cq2VGd hQIMA0av/duuklWYAQ//ScZ/w12TKrcPdjlPMgE25vVMG3oH5ozWfVdnzSpDJF/O
p8s0Vreq6smVJlFV64PySIJjFuFhc1IuDDYtgym2Lf4PTOSv3brbO3ypMb+J2yKC ELT0FRqoDOQfW+XCi6os3ovWQUqDSxuflLdLUkWJFC801LV9gn63loCZlwvMga5C
pH7xwOQBn+YzKfLu4sX26S2IGSKeytXdHv6hlkt9Ca1i5RKS0ymYfn94vf6e56ZX TWcw1ZwGw+El4I8GklzHc5t+vcWvfICjBj9c0s6b+NlmPhRDt9k9cCtvX2QTHbTm
SLVjq2GprTTt4oNymxkZ5JvDNXyG8XjW3MjowfQcNHUqAhmYN8ngv7HMdiIb7GGN 9tO9371o3CuEwzPCBou1WvAvhQHH61j6KmWo+gfaGv2MjF+spB2CDhKGlQZAfaPy
JL9u999H4MCi932Nyc1+/OP4nPdUkiqFxDfo4Zgmj/F+LketzV6QCiV7Es9Vmz1I Q5SspigrBwv6JhqqqrBMT364OI/mNUfm+y8yX+EdQ/4ZIDmA9JCLmDmA1GMaXBqS
OX/NXzYKYnEl2FLvPZLEtge2qTFs6/Ur+VBPz5tOP9J0Xejmz62+HgtwaJI7Q4mP XjANHb0rGStNuQKhluUmqYEguzicDWpHDaoFXiJ4C3x9NF2u56cb8IauJ5rBqdC1
O+5FCOh/Jxf0QWq+OPQf+Rxj/dxuMHUfXF9IELmBwpGDslKcyxTOCR0kw3aZO+1F xyeCc1Ja8dUIHQkTwEvIOXfyxtDrVT2B8gM1AYHHTxNjRgJTXIVBUo826ccN4Uyb
Zs3QOoUpz46fTXs94h+7dLoboppug0P4jAwKLbdqmyEDTqiWOfR/ZIbp7RCLFq0F GdprWu7Dy0RjC8v2IyVvQiDGzekE4l5ddSgz1N9HIAfbo+j/6vCMTycdsp2FRJ9O
wNPWnB03RTgSKRIXyBhNqP62ZOohHhFSA0oo+IDPzqFWOLTnD8FBJ3SPDFjpHwNJ 1CHzgcQfBRnIgOkgSfxh+b7eKKkL11x4SbT36f9zWL+wSSCtO6p66BxK5kJgQO0X
3bjzqZRPU15dk286S3hMkp47H2iIBW3hlhl9g03UTdlt+MRiUHIXyt053TK2cbuo ACWE1gqKdJJlgw3QcBZwCxFT/cIGjfqRE9Rwyi26NvHyd4EnH/BU6xcKtZ3cZkIl
Jy7YiQr+dq09NoBBVxEo5hszJ154NNF9JxvN1TNHwouw3DxokQWokRtF4g9MSPbS D599+UTygoyWz7l2s6h0O2t5KFNP0DarcRHlv6BPJ4KuNwq0+nGa1E54kDHeqfzS
XgFrAw/VlobYHBXNczlKyIaTdHQbosz9EZ7wO8Q1jLlzGF8a2e8F5ca+2I3begns XgEg7wqYz9QXtiHHofPEgVOo2MD6FTYNTBQ3Fj91CW65ME0hBfzsliqoLq9B2mvZ
CM4iU9uUpReZC4672sqHX622dZAGf7m0Dt3vVaNjGj90rezeGuajNMnYOEd+PAU= 3t7SL3uR1vngmtFaXxCyERcsAnAQz1ClSK9Ee5vzAWLazC58xvctwam1eXKkuew=
=Lgup =G9kW
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

99
secrets/ildkule/ildkule.yaml
View File

@@ -12,87 +12,78 @@ sops:
- recipient: age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0 - recipient: age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRm5XY3kydDJSRUYrcmRk YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVFo0QzdTbnE3QUN3NGwz
K21WUEZSSEpYOHFrVkFyOVJYYnRUSU1aYkV3CkVEUllvUm0wZjlmOFU0VSt3OStL VlYwYkVMd1ZWMlVZcm10cGtDVTdFZGxBdGd3ClArQWRxZ0V5RWY1dXF5MUorTS9P
Tmdkc3JHRWplS3lnQWlkT3ROVkxkVUEKLS0tIFRJRkFEeE15Q3A1Z24wQzNlbUx1 RjhMaXFKaThud3ROcTYrTmt1aUZkSjgKLS0tIGZZczNJVFMrNlBRKzN0dE9rZUsv
a2tmd21zSWUzbmw5NDdSRUVDcmVwbHcKn+DJ1PnlQApX8fwJoN9DtMqeKzoih6Hr bkx4ZVg4OXFUWUhPcTRmRERSQmZDUlUK4jdVIeagp0RJ0511jqT8GL9Y2gezzWD6
sSh2z6rsTj1UmXocbBm1SduattqZFjvO5XGpp25mM9ZBlpcnVjB/hg== hIYAXFePO/CkN/RA7DF0Y72fawmRWdPjipaFOMMZcKn7FClsZzqVtw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaEdlWnJCdHVpM0ZHTlJj YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWcnBRdEJodU8wbGZlV01t
WmNrQnIxYmxmWlJ4Z29WKytHd1plUURPSDBFCnBHU1MyMS9FNnRCMmJ6Ymd4UWcr VDBPOXRJY2NtK1l0UTZhSHFDQk1JWHVtcWlBCnBEeWRkZnUvbnZMV0hNbjkrNkZD
RGV6QmhrbDFObDM1MW1NdTdDU3ZIVU0KLS0tIEtBR01OOVdITExFcUN1dHEyaklD MjFwaUFyVjlkN3o4SHMxMlFpcnpEZlEKLS0tIFFxN0doOExOak5kUFhyZWVtWWRk
TVFnZXRva3FUZjcxYlRuQnpFTDhpZzQKxZM0ZB6dVwFr5QkT6YmEA+3RhhsX0pl4 QlEyZUlveXVvZ2d3M1dqSkVlV0s2djgK4QAE3eKNYKN12CBteu897jQ8+4sbxBAM
SolLZXFal1BluDERtZ2Clb5VzrcV3PUfFo8Yx6ncFjcisyFXUHVnYg== wC/mzVvdlf2WXIF6m+R1ugDyQdWZeWZiGcZMX+BwwqE7Qu2egUdxqg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYmNZSTBrUzg5d3NPSHhM YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZHNYRldRR3N2eVR0TFhO
Z2s4KzlVZldKVitmL3RFNHFiQnJlcmlCS3k0CkZ4YlBvbW1DTzEzRTZMUVBOWDNT bi83WnNRT2lRUUVUSDhhQXg5U2RmQTN6RW0wCkswRlgycCs2RWxVQUVTcWcreTVp
SHQwcTBQL0NQbXA3WHVZcFhjZW5ZeE0KLS0tIHU2TVErZ0I0dGRuTGIzZkVoeDJC R1JScWViT1FXUGhVYW1KNTZ6eFdaeEEKLS0tIFpyeCtmRDZtOWY0OEZRZk4vVUhh
MHJkcXlGdFN2Y1p4Q08rT0phODlLOVEKhSEO8hUZ0d3SA1tFvXN2HuZR35SRzhUq VnlnZFFDOHNKejBQNEUvUG5xTkphOW8KXskAnKTfKQmQOhgcmGsIA3XXfWfubBeA
+J3eN/qUBu0LcuiBq+qbGYIAHggXy9ZSGCGfrNw35czzGpzfbK/fwQ== QQQ3YSlLKPd9czV13SpSo9IDr/jWCUHF5SblpOD4t/ZFZR4ajV/VQQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdDBxd3J5MWZ0R1IwVWRw YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEQTdHaXRLTFROWVE3dVR5
cklOOENFM2R4Q01JdFd2cDZCQ2pSTGNucmhrClgra0tCSGdqZExLbWNoaDZkSzJD YlV4VGNsd0hCNjc1U3ZOZFVHRVB1cFF3QXdnCkExQTlqalJXVkp1Umt4SDZJME5q
aDc3YXdOZi9jMDdwc1duTWdKbEdUVDgKLS0tIGxKbTYzRnAyRVlwbUxGS3JySFJS R2tmbmNaKzRISkRQN2MrQXY3OGdINU0KLS0tIEtjcDI5WlVPQmFVU1NzNWxZSHQw
VXNrSldhMDV4V2preEJ3ZDk5UlZ1YzgK8K2R4LETFFKpUZVdofJoE6eXw/tlz3+9 dE9kZW9OK3FPRHc3YUVobjlwZVpUNDgKeIL32Sbecv/d0FFX+FKYxQqyyiipZbW4
k0iXQX6zMj1uSDmenjztU04FIfRxzIur5xifd8hCJnWmxlOCFDqLag== GxOVsjUaZsifGsCdT9V2xNlXsuYmoc98azFqRHq9W1VbXP+sUuk9mg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPc2dCdGNSeWo4RkovV1Vn YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Q3lUUS9wMGI5V1NiOWZZ
ckRYYW1xZldjVDRuSjM4elQyRVFROWduL1QwCmNSVzk3aG90MHNWZWlzVDg5RE55 dXppS0ZsL0VXODdsZTlnZW9OS1VjWGticHlzClZPNFBmWjA1dXFvMXlPekZoOEpr
L3JKODZlMDJudTZYNGVNQldaNEhPcjQKLS0tIE41dDYxWE84Wk9XbG9iMUhpMHBu NHJtSEIxNU1nb1VDcFdqd3BCWVFEYkUKLS0tIEEwczZSSS80U1MyaW5yTnFZWDFO
VlJZM1VMYkRkQXNlSVVoT3RYZXRaRU0KqqIjxe05oO67IUt/LMIYsUAaZw1qQFNv eVRpUDB1VjZkZTNVSFRRSFlqVUpBVUkK6X6Y0du2C6eslGR9O7r5Wg0P6GO/KBP7
mmVu5GvHdpSrp3PttxlZC7OiP84Jzj7zM/idj0wBIeVCWedWO59aKQ== HQibU10/HhLOjdzj0LKQldHWDnDUzisUHQH2srRSzCg+RQ/FL+BmUg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHL3RId3Q4SGJkYjM5STJu YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUFZ1N01mQzZUOGdQemhM
ZU9BbkgxaXdva3g5ek1hZUF5YWcvZHI5c0VRClhLazhueTRLU2N0T2c2REllT0R1 VUYvSW53U3VpSnZIN2pHMlBlVzN2UFBiSzJZCkFUeGd2QTRud0tSWHZSSXVNT2dp
LzFrdDdiVVhLQ3BPdkwvVTg1RjdscG8KLS0tIHRYTmg4NFF2c2FpVHphUFdqWmhH Z2UrTFFZeTV0dTNUSW0wbkFHV2tqZ1EKLS0tIHJJWGZYeEdSS2hSemtnMmh2c0xt
TFNhSDNUMEo0Z05mbmlwRUs5VHhUWHMKJUCyLDJx2voDttv4UrpFKYyNz+HhtyFj MkZJS1JJUGZBSkU2bWRONHVNK1ZjNTQKbwBOAnmCTTlILx4MVZjt4qg4yIENrrgv
X3OrNbmJQYuNpq4hzQs7jN5UD/4YCtFi9mb5pmFr8MTHLb6UsZN++A== x3IogdZAHt5TNBM6TzFT7eEpvmS1WWMveeetT9jFb/rlTVroturzqQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKNzZ4Y2U2NXpXWHA3Y3Zw
S1BKbTNXaGxRaE55QkZNSFV6b3VURFBXWlEwCmpJUjM3VVJRc0dwdjFLOGdQQTlz
a0hVUC9tSXNDQ3NyTnlnVlNNalFOZmcKLS0tIFNXYThsRHd2eUQyOGtVT1RLaTdR
RmlST2JZS2gwbDBpZ2xMblpWNzB5ZWcKTkKF9aonrBMolxqcj9a5d9JLoCj229KU
It2KjhlzBcgcJUIiIPWMoV9VbEpKkTsCLkWxFSLle++ryOUYh3kgaA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-16T20:08:18Z" lastmodified: "2025-03-16T20:08:18Z"
mac: ENC[AES256_GCM,data:C2tpWppc13jKJq5d4nmAKQOaNWHm27TKwxAxm1fi2lejN1lqUaoz5bHfTBA7MfaWvuP5uZnfbtG32eeu48mnlWpo58XRUFFecAhb9JUpW9s5IR3/nbzLNkGU7H5C0oWPrxI4thd+bAVduIgBjjFyGj1pe6J9db3c0yUWRwNlwGU=,iv:YpoQ4psiFYOWLGipxv1QvRvr034XFsyn2Bhyy39HmOo=,tag:ByiCWygFC/VokVTbdLoLgg==,type:str] mac: ENC[AES256_GCM,data:C2tpWppc13jKJq5d4nmAKQOaNWHm27TKwxAxm1fi2lejN1lqUaoz5bHfTBA7MfaWvuP5uZnfbtG32eeu48mnlWpo58XRUFFecAhb9JUpW9s5IR3/nbzLNkGU7H5C0oWPrxI4thd+bAVduIgBjjFyGj1pe6J9db3c0yUWRwNlwGU=,iv:YpoQ4psiFYOWLGipxv1QvRvr034XFsyn2Bhyy39HmOo=,tag:ByiCWygFC/VokVTbdLoLgg==,type:str]
pgp: pgp:
- created_at: "2026-01-16T06:34:50Z" - created_at: "2025-12-01T10:58:21Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYARAAgrn0irD12kqDfIEvpLpa0Ys/hMG9GwCMeU186iFfJ193 hQIMA0av/duuklWYAQ//fm0H3oXbEcd0f5QwmAggrRzyy49KMXXpZVFm3xa9K2AX
72UVEzx2GwIfSt0qQlpBFZtueL9Bb7ka81IrqhAepq8J5//WxEGvv6H9aIm8V7ov W9+GJb9YDiCQ2shiKYas1QNcwxF8EQKWqDGGP5vHpUNb3el89sfE54qnz+MGcAiS
ZkS4eZpFksu0ZRFP5HWQvEQwRKj8WxYQY/TS/5QGNSPeHOZYnpQcBhAVLjn9Uj/O eVqggFbtHlDFG6iYt4Rgng4CmVnPv+CKdFuRs0WWO4ouNbG8NKIuqXuDrGw7yxBE
6ojnIVoKxDdo235fuDQdiLwCpPXsKi2OQuSFOwq7Acg/fm1pvc76h9dqr5DqrspZ i4AvIynHHkrQ8Bu4KAgjhZOCTAd53TH6EFPa4qy1x9fe8Ki1QTJsBcNk4KXIT5ws
c3stdbYwVOedgYjRrdSYpkplGSqNeVtYYJ3apdauMSRNaKmgMwbkxkzXO9YrWASa LUzbcCFths5JzpEdCLEViaFP7joSSlXBKQ7AtAXdznmmrX5JhoiBIEHusYY7Hjoe
beYilvhNgr0rnQB617IhgBZrgik9CvqrqGZqim0fWI+s4bcbgfvK8UORt4+QgJjO urzppufh38LF6KFCRAl7EltJPlenA6NhMlTg4jEEi2v6IjqcEGrj9kyAgBnS3uz8
FPqAtVE6sNGzElKQ6ZZPWZoXeK7vfIfxwxU+oLcijAnUmLy88zqIUjUZKzmyhDZa MtFovJ2IzENgsIWZxUxr9vbQQY5PYy9ZcJpEPBRVRDfP+tlNs+kA58AD5ZqLkZwM
YAAwxBL1nh+UzIbn4GGeVbYHLbKJ6XnznF7zfTWph6GbeFfdWuaSwxmnGjE6n1y2 NOZmQZyjRP0L+8HfCiWRBt3dSJGabO4jNIBydKU40/2bTOIY8MnnYR9pss3qIRzf
ye3GQaW2aeq7RKoqyLJO3oIHyGHZXFe4pB4adz60uKNPJz47/gtA5OofNs0qbxqQ TpePQd7PoGwcU446FV3py3yKecBUMEfb8uA0TYfp+7WMbJqetuQ+fGxCCNDDJKar
Dp5fmrvZZtDa/TYIV9o1bSp7cYk49TGKHPbX7tLjEIIfRxd4y6rYgwNpPdukjZsk gMSEhFhduTSvQQPGjZemI89qZhO/0HCxyMMYpIPNYwiohqIGXFfFzCjz+CCt9xOj
bbdxypWrJkMx+9xk84DGo3e+RY738JgLjc0ylDO+pIzThUruBOcDjUKeGNmVQYnS 5eTg+MSV6R8njgbiOpYyrNJE1K9LpKtCZop6QWNtSusaoKOT1jCVQLhvFSNfOeTS
XAGofG3JSI97wFdYOB+4yoYPqs5rovgPbkGGuT5SBIxH5zVv3X+SE4wCGu3CLFC4 XAFdZOYFB/qtaxBF5Uu++jz2MkFZKbSkD+1niVgmusJV/dGwNUU+pvX6Ua1tH3mi
A4cdwXmuERPxszVZW+V8CSGq9XnH/OzrpiWVhzqXCRH03F2BmnAx9Fp/zMTH WAN4e6EtqtlL2BTIOAv6xPqMFYe7wQw5fdky8J8diGbBd1v77YXpibZoNWfd
=DooK =Z56A
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

108
secrets/kommode/kommode.yaml
View File

@@ -5,8 +5,7 @@ gitea:
database: ENC[AES256_GCM,data:nDZqnSBKijyhslBjhSu9weqLVJzUiBD8Ltu/nmllicadraeISylyEk3pOA==,iv:XFzM1pGv98jehdgvlZN217LrsK8TcAMFK5eDrPi2bm0=,tag:+YpXqMmvMTrnt7cDK/Sa7A==,type:str] database: ENC[AES256_GCM,data:nDZqnSBKijyhslBjhSu9weqLVJzUiBD8Ltu/nmllicadraeISylyEk3pOA==,iv:XFzM1pGv98jehdgvlZN217LrsK8TcAMFK5eDrPi2bm0=,tag:+YpXqMmvMTrnt7cDK/Sa7A==,type:str]
email-password: ENC[AES256_GCM,data:tasMZ2Zu449o/mH6uSSPM7cFOlBg4vC+,iv:lDNMvXh5P3HNy9pW6nBsSLCyij/3HiSRunVuLeKAmbI=,tag:ApqGWYE9MSE8m6iYLK6Yww==,type:str] email-password: ENC[AES256_GCM,data:tasMZ2Zu449o/mH6uSSPM7cFOlBg4vC+,iv:lDNMvXh5P3HNy9pW6nBsSLCyij/3HiSRunVuLeKAmbI=,tag:ApqGWYE9MSE8m6iYLK6Yww==,type:str]
passwd-ssh-key: ENC[AES256_GCM,data:VOp8vqVoX9IFJhzpKy0J+AzyX3TvxEIBvv3dXpD1f8szmUyPwd4gDOlaFpqTSDu8ebmK3m/D0FMTkfBkPVhUG6XTPo7YIV37gLhfsBF6CuwCMXxTQAd23nfpwJKcDIn3R5h8Mu4MMme2Ev/4PNDztktmIYv3KoEbPglzBMS4LrZqJsDilvIYKEIDUExhSAkESKQZiIzK1TdtWDQSUzvUZ3OsbxONZgaTw5e+xz3qk/q+IR5eRNp9fpeZQ8EkpC7aa/JDIwxzNIuMFi8W9PWh6ANmAOm6GK7JSKiHYQL8GofVifhUGUanAnjgDTYkIWpDiSsuHjfDPGupFCeONNd+Wd4NpJZsej3p9ldLOVxa01Le2tIVYY80jUWT0dpV9IJ5syp4gVaky5Vk6i2QhvjunDoEUnArSRGyMTxWfxAxZLvbLYMNAJDoWzy25vf3jteNB43lVHckEW1F8w/RtzoKzbjKYiANHg+eNLVq0HK67gX2twpblNN4OBt9d03ZbV2lZjTMXGzJXHGFT5ZPDwTkxcDooNvoRuCMe8t8dpuksHFaIp4=,iv:3sgiIgGD9pmCMLVRk0Q8+7GZajYIWsokDUx9JuNrO2c=,tag:WDXyNYtqjdAMePEsnA0hbw==,type:str] passwd-ssh-key: ENC[AES256_GCM,data:VOp8vqVoX9IFJhzpKy0J+AzyX3TvxEIBvv3dXpD1f8szmUyPwd4gDOlaFpqTSDu8ebmK3m/D0FMTkfBkPVhUG6XTPo7YIV37gLhfsBF6CuwCMXxTQAd23nfpwJKcDIn3R5h8Mu4MMme2Ev/4PNDztktmIYv3KoEbPglzBMS4LrZqJsDilvIYKEIDUExhSAkESKQZiIzK1TdtWDQSUzvUZ3OsbxONZgaTw5e+xz3qk/q+IR5eRNp9fpeZQ8EkpC7aa/JDIwxzNIuMFi8W9PWh6ANmAOm6GK7JSKiHYQL8GofVifhUGUanAnjgDTYkIWpDiSsuHjfDPGupFCeONNd+Wd4NpJZsej3p9ldLOVxa01Le2tIVYY80jUWT0dpV9IJ5syp4gVaky5Vk6i2QhvjunDoEUnArSRGyMTxWfxAxZLvbLYMNAJDoWzy25vf3jteNB43lVHckEW1F8w/RtzoKzbjKYiANHg+eNLVq0HK67gX2twpblNN4OBt9d03ZbV2lZjTMXGzJXHGFT5ZPDwTkxcDooNvoRuCMe8t8dpuksHFaIp4=,iv:3sgiIgGD9pmCMLVRk0Q8+7GZajYIWsokDUx9JuNrO2c=,tag:WDXyNYtqjdAMePEsnA0hbw==,type:str]
gpg-signing-key-public: ENC[AES256_GCM,data:WgEr+ehNJa9ivlPYnsTD2772MUmsu3uvGtuwn2htqHtNxJwNG6rlnAWr1zG5D69A3G01u61mWCxLYETzjg6GsLW3rKadzUSP934kl5VQMISW2iW3XDaPLpO8dPfk2IaT4oXpui0zk0z+Viy87yl/p6JVLJ2HHFTwh7QTl+gZj8JXF5zpst8Y1op+JuBlePCUgBIE4YCF/m1kKuCDEUnZ5b4QKrogOtlN8AXwIKgrEADGgufXee5B+mg/KYBfX3/JB6evfz3rAn3gLyT8nO9T8V7RJjVeastHw0tPEx7Ep12rQxZ7uOQ66n1D0WIYB5FgiqDoY9AJxMJi02roiW1d2bqvkKfikWnYkk8zkKPWzbLWkL/gaXR5wrvK4x5kLg3GUdNzGKLUrNOy/3QjCUOe4RDXBDPgvB+LNmoME9hGGhtPRBzAsM5n7HKCTRksDRHWnArP2JsNhxeUoJWp09lBIbQ6qoF5x9C/mcxdbfuzP8+PrWiTNbxb7ZWwfhc/NYzS2YYYBUdc30xJwqgPVtJdo2FHLwQFlLNnQzvSTL/ed11EGLaNDQ4ybLVymJE1NGdsqTxzhkh0bejIkl5AcYmuw7qdzjc4bKEokT7EixVNqzw9wohyLrOfaN1fSWt8hWgULkeYNbxUMAicLIyrrBxz0D88wrug6LzNhxAC28RRs4ALhFhXpYQKnr8ldLWgoDUq8uefnWiRCiXPBB6u8BhzwTUR68lbjXjZDTUOLEubdBavRtHsWF2sy7nex8oVcMuD5+YGb+coEB4Js/QhcBSf/ewWFMmg/UIGfCkIpzpsbRTJZtHIgI7eQ8RQ0zRFlNPDeQ0Us05Qza8YcGEtIwyZgc7rJXZ2+6VtQrGuCkOAHiZzlkauDD0RZkB+oAI9RW3HoW0HdfXNwLAlHldNEMNkl2lf5fYNfZIXv6GbHXVnhGo13K8arLMqo6o5DUO3f57PWUk821kNaw5vr6dMb92rx0k0yNp1kxAug8JWYWmUcBypJHNEHTvNiMDO45HwS1C7e670NB8c2MWE2akimbSZTWF1U3RiSAD3MRUjMnT4yvpumhJlKlC9tRsKmE5WapCvwNxwIkGhFV2c0rml+8wBae0Y9CxVGWVwDnJc,iv:LpQufJB8jurx+2b1zvMd87z+byT3kKCITN0PQlW6yE4=,tag:K9tdQyFwbmk8J/6yHz27lQ==,type:str] gpg-signing-key: ENC[AES256_GCM,data:AyafTF3H8p1qDk9xsNvT68BksoKGLwE2uE3hjz0TrT2XPxCRDOIlfAVYEPSu2Ih6l5a2uruEJhHPtU2fPCB2hln3Bv3gZfFGLb3GFWkSvdePIYFxG56uqGK5dE1KaMccc2cTi+raDImKqSTbp7Qpdo/c6C0WYVglYrD+2l8Y4QOiFuazyLY9zwcX0qG7pIjJ+akCUjfE4rJDAW6H/v+OqvHpcED3q4iXOYuw9sj/UeIgZfJ5Xc/uVrRmPewP4yALnA8o9gsaaLdjWRFIILe7VRwPr0YqwQ6XGgc+pEartkV8AzxjCq6DOtifOOzmu8EI1U1yoaOViYCAMbSHfP6SIKr7pJbrdU+YDBq9mvRx8KPXWUU2uNGrMObATEzlqMYAYA/HJeOdV4w3Axvq8RG2FLkJxJJniwNP5VZRF3bbbI3w+hprRP2yAwgeQw19KBU8yF8upKga/GdMNScpKJvRyVLjZtI0rsfvSC81lHawouuje6aPXT3dH1S5ROJBHMTeV0sP0vK6liBevz9RZpvNs6JVyNCgiRRtRSSYqsgwPJonDKuPeI/Zpgih7HboA8HqhIibqpO96h5/4yO69oJAbLUYV3zlKQcMDTaqadL4Ox5Z+8ygSAL3l1ufZIFGSj73SNHGQqQlIS/a3dAccRi5fPqv0gOmGFAAUJPKfeauFn3TclwojKzu5vwmQxZ5g50txEpTSTaYOy++qq6UZa/dXEyDC7fle75dXhqXyqMCf9kDwZZl5E9eBsabNdTF+auQCp82iLQivdBy7uJX2hkJFSg84fF9MLgH4mOcMQc2E/z961uNzEgoyvVhbDY6+SIJ+6SGmnardbFW7mYrj/QqnSUiMc4tHukAB4NGQYHgjOYRZMpHfVO/6dLbjmTOljnPsnfQUCepvb9rGim8NazvnARaVzezx4t3tfbNR8uLQudSeLZzn/Fu1mKSQvpP+IjdglmyAgp6QhB4OCDPbiaMRDUtOQIzlVILdz1/geUVzhZkJ4xzkm5klGukhtv+3TqjiTcEnoVJC+A1jRvxBQUfEE92GFuupJUfrw8bIDqsWQLkHPCNUMgdoKa/q2OkrWeQz2zm2yUqMAJn1/puoLHdSH5aCELUggx1gQZoc480pSBUvSCML+Qc4B4Cd6hX2PPp+/KQeKtfqHIsKz2I+DMT6KDirReX6WHxqk+s2DtLw7Wx/j65PWCIWLCz,iv:c9BDRxQImWTmwq11+T2CW0S00Dixd8d0od5xn5zZmY8=,tag:brnMedsdTwlkbaHaLa2w2g==,type:str]
gpg-signing-key-private: ENC[AES256_GCM,data:WoFK9E4vCkQ68WTgSrmTwf3qaDfpjd/MVi1wSEiwJLqtWvm6BhWzTD+LQlgqrqZkSbX7bEcRwY2XT2DDLqK32xA8NgmOFinf3Xj3XsVTxTUWB7QoEksl1FVtrzTiJV+5Ztk/irhRnyCBnWSl6dHallY9RxbPVRMdgFzYP09FKhgJ90nmTtbfRzTO+jVsUp886kRwrJhitjie+nJlNrZwdh7YtqazJrmggPs6Z8cF/GkQrpSZpVHPGh6uNWRyxf50R8dcjLTHOHgVMuPo8UHX2w4lSGmEfNVa6VKKiZg86laTr998H1oUzC00erII5RENDb+PulVe3Gy8aSxd+swybM+3QTSGg/2q6hk2rS/uDQ8nDN80xKqho9T5IDqSbVamS9X5n/adY2wDoJMwlF7oha6mrmaUiGaWVoRkhw0YpwH4xY9US5O5BfUgJ+NAAo4U+YQGAJvQkO1txkFifv/lLptRRexvfRQJ5nNP0Dn0Yvolz/Xwx78IykWIHzv1mx3odKc8wDDKfzPEA9Y3KgiSHb8B3CL4XQqcW0ADAO1gfeLRBWTy0wtrgoYKdLW+eNTjy/WW5qWf81CrrjDb0hDwRQRaO0elCjS3tg1FYQYfyc2dg0XPANhCACbBajP9l6MShzpj9+0WWBTrc1e+bKy42FiteYk42f3oI5k9EGsYqlpyTCUyk0Iezwskl5ui/3Jce9G8BhpWH5YQpIg8iXiKkLwaAMDgfrZe5I8ad44L798LVZM+0kXjBW1pbt6ok2PkhQh75sDKubiNKFGVyR70QguQyAfr1FKGC2W351OzX/2CMJ2426/M2IXBfaXxZLDjlMN1KMhwGAGQOPRv8EqZABvPUUP8fIDhUhtAn0AhLs7cga1Xoz0DmY2x+0aVvfYjZIPzrrJA1LIJtTFvJzUltpf6e3UWX+r6MoDfpp4vNLi2x3mDWM8sC75Ouv4jKL2o3VA3C0EuIUK8L/aDh+V53L0Yvc0AZxv+eV3cZjveEgcwSBhv6hXpZYYOHrAOSrHQFns5jUqxZcGMWGDOtl/tmKW9cRuxeSHKB9bNHoJWtMDX2ojcU0l4APCFeM2RRXFSohJRS/0lDgWz0JwI9xXkqDfdB8r7WS0cLKxcHmAxF+d9+qoJRwMc5AVIRFfH8NyDhS5ngFJgeVE1ae0ng6nIauxwjpmtjdWl7a2XOKAtbh+jwHe0OqlG20/i,iv:D7QmF6bx/r9JX2S1Tb8IpDqX/yD3deNPqqNHXJHrhqs=,tag:NSEP9RCcaZBgbaRnmR/p7g==,type:str]
ssh-known-hosts: ENC[AES256_GCM,data:P6hKaCpcZdXIy4rE/1b1+66Md/3Kmviileb0OIT3Vz4IVsDLecBh3IiadHq66V4KocXC4LBUNFjcrxlVVGIonHJ3qd6VpQUwG0n83yhj6LD5hgxmZ5phAyR77Ri8BiH1lWUcg51L2k0U+WJFPP6JkumT9MEz1t1+JYr5Imij6GKRWRKFwTbU6QJwFH4tCA/iGw0ElrzIjSHiNiwIKfbm8yas9vlOhr4y7vCeV10hVyvV,iv:dZ8hQxhn7pokWbQG/8rQ2vFDpPYut7WCG3xy9g6kzNs=,tag:xMyPtJJoh8kjJcOT4t9aRA==,type:str] ssh-known-hosts: ENC[AES256_GCM,data:P6hKaCpcZdXIy4rE/1b1+66Md/3Kmviileb0OIT3Vz4IVsDLecBh3IiadHq66V4KocXC4LBUNFjcrxlVVGIonHJ3qd6VpQUwG0n83yhj6LD5hgxmZ5phAyR77Ri8BiH1lWUcg51L2k0U+WJFPP6JkumT9MEz1t1+JYr5Imij6GKRWRKFwTbU6QJwFH4tCA/iGw0ElrzIjSHiNiwIKfbm8yas9vlOhr4y7vCeV10hVyvV,iv:dZ8hQxhn7pokWbQG/8rQ2vFDpPYut7WCG3xy9g6kzNs=,tag:xMyPtJJoh8kjJcOT4t9aRA==,type:str]
import-user-env: ENC[AES256_GCM,data:9SE2k3/IJqbdexj0QFSQBQ1+u1AduWNjt+0XIHryJlxIEdvv9a+6hP4EXPo+31GnaE4=,iv:qZlWOBV5owr3ESTyFaV/R8VwlGl04kaui80I2zYk4zY=,tag:PhjRfEC1xoHaYyl648yCVw==,type:str] import-user-env: ENC[AES256_GCM,data:9SE2k3/IJqbdexj0QFSQBQ1+u1AduWNjt+0XIHryJlxIEdvv9a+6hP4EXPo+31GnaE4=,iv:qZlWOBV5owr3ESTyFaV/R8VwlGl04kaui80I2zYk4zY=,tag:PhjRfEC1xoHaYyl648yCVw==,type:str]
secret-key: ENC[AES256_GCM,data:YqwSJazPqz1OOsUVIPKsGvIHbX7SyJqryan1KWSRGRJkt9yZlaiRtQG/mQugAM6IvLFD3pj+gPTcXyqenaAQKA==,iv:nyPnL7wuhpb0kl0tm1JhOHmF7KI9vVcTN1SRGTgD2o8=,tag:Rt/IPC/YtBcmTx5osGlbBg==,type:str] secret-key: ENC[AES256_GCM,data:YqwSJazPqz1OOsUVIPKsGvIHbX7SyJqryan1KWSRGRJkt9yZlaiRtQG/mQugAM6IvLFD3pj+gPTcXyqenaAQKA==,iv:nyPnL7wuhpb0kl0tm1JhOHmF7KI9vVcTN1SRGTgD2o8=,tag:Rt/IPC/YtBcmTx5osGlbBg==,type:str]
@@ -17,88 +16,79 @@ sops:
- recipient: age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly - recipient: age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVmVrZyt6cDE5SUp4OFVm YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQXdwU1FtbkZ0MUw3UXg4
c1hhb3BjNVByaFJEMEZ0Wk41OTIzNmJvd2xjCmtlV2tRNzFUUmdoejJHWXNXRzMy WmJWdUFKT0NaTkpjUWFlWTN2cFk0dmJNTG53ClVzUE9jS3RQcjN5WHBacERlZ09N
M0QxSWd4WkV6V0JrVzJ3V2QwbDdRekEKLS0tIFpHbXlGMEdvY1J0MjYyVHR3OFlw eHRRcnVMaitpeVBGVjNmMzBkNVVBOFUKLS0tIFFxcjBUTjNmVDVLNGw0VENpL1pK
U2FlRW9SS2RSbm9DeE5WWlJuSWUvcFEKrdtH3UVnpfayfViq459RC93otXzaZBYH NDJCVVNUNG5samc5WTlyYVZvYUNZVGMKvd5QBRv+HRc/DDILlmyhQVqhEDk/ZbBg
O4P1Jb35qjcN5p5+LSMmODPLTawsvil9/Pl4wiK65PbvnY41pJkUMA== nsqPf4wmzhqg7l1Fu8FQcjcSwTv/0nCKyWpLC+TvYjnQ5ZSn/eukFA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMzRKU0s3L2s3UFJyTVJz YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRHo0UHhmZmUxdS9KUS9P
VFdlOE83c1JiWk40MU9xeFpObVFZQnl1dG1nCnovRTA1NUFORzVKblJLRDBNWU1E TDk3Uk1NL2pxSjJYTDlLaTFCRmhzbXZueFI0ClNWTEttaFNmbTNZQWRROEl5OUdr
ckpOVE9oNWxHMHRMZmtYWVF0VXRkd2sKLS0tIHpIb1RmVUlYdWpBa1ptOG1GcXZa c1RTRW9IaEtXakZSMTYrTERPK0dCRWsKLS0tIHZzSVI3WW5EaE1rRDNmamZnRkhG
b1c4djEzRWc4UEdURVFBY0dDNGtFbFEKwV9RWuW9gdfiVoIW+eD1XL1Lox1eqXmj QTVMaEJxMzB6dFRlY3BXbEl3Mm9CM0EKZ2pXa04/YjjrEPo5SRzFHeT5twZkTqRP
d1U3T61W/qTElUGEo55TPcphCBRdqwGUm22xfc4GZltrBOUmxYWAGg== mcIO5tm9dmZOXPoauFh8iu1ElbNicfQjELnhAwYLlkjzHcw6HKHnEA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QnM5NFVJZ3ZYdlBzZTFJ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdVkyOTRQWEhrSmYzaDNi
dWVSU2s2NTBqUXEzTlEvR1UwRG4yMm9xdVhJCm1vRStmZUN6RTRlcWx1WllXTDNw K2RJMEJHK0JNYkFETXRZN1ZQbHVQeDZmY1VFCjdNdXBWL0ZTZ1RFbFp3TzdkNENu
cjlmWUd1cUhEYlMralArbUdKQ3lUT0EKLS0tIEtXZmp1WWN3VXZPeFFjM3YrWlBE STV3SktsVDBuTVMveFVTZUU3dTROem8KLS0tIHRFU3B4K2lETnRPZDJpd2R3ZVh4
ZDhPKzh1NkxyZWd5UkhkWjJhakJEbVUKWQcJR4w84ZVodBBEkQ4AS4jrJz8l2MqJ eHJEUU1WS2R2TTY0Y0xWY3lzT3FTVncKb6dOw1CM7Z1XzdOfjJug7StgdM2HSYDd
xX1mjv0TnAlMF273/NiYB5OiivqFMjFR/slnZ1k1j2FWGhVKyyN1vw== wHCqZEF5Fbz/wLLnNdUExyOysw5jjemBStCsy3TNZ1bJOEGE6ST2cQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Nktja0Z6N09IdkQvTHE3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0N0paRTJhSk8zak9pYVdk
VllabDY5aTd2NE9aQnlDRFlRbTV6WlNnZ2xrCitNM2VOT0NndTk3THRma2ROWXJ0 YXFITC9qb2NuM01udUhBL2ZKbGZMUFU2aG1zCkRHVmlVb2lvdVM3c3NMMnNWb2ZX
WUlLZ3dqYndOVDNLaThaNmNobTZkTTQKLS0tIFdaWU95LzhQa0txTTh0Q2k5WklI b1VhZjFzTjFxak5vbEJmWW5tSHJoTlUKLS0tIDBmSStwTmtWdVhUc1NtV3E0MTFH
OTdZOHdUSEVQU1N5RkE1QzVXT3R5V0UKtvPQD1HHUBA/C2Fzxixtwc+nJvTwXfGt bVBqRk94byt5M1Y3LzdhajBhZTZuTlEKCDchRx9INlVgBz80g5FYP8hrMuDlWBHT
cg4nYSgFcMTud3VLhcMQuRf++gO3J3xuLepBlhUeD/3Li4MDDZF5vw== hN7jLWcbvzJBsVWTOGMaraEKmebSpOuCSakbu9iYE0lKIZa/YbedlA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSWVMTnlVNWxYRXVuWmVZ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnU0Z4eklkNUpJVnh5ZkRD
K1ZIMnpWRUZ2SDFML25wZVpxMXpLcnFHckNrClVmaWlIRlFDSEg2OERBbDJaUlYx YVUrYjlidTRFRy9BRTBnRUFKMXBwcnBxeW5JCkFiK25UTlY0b0FaZ21jUitsSXdB
dEZ5OVpDYUxFZk81R2piWEVKRkcwOTAKLS0tIHhHSlRKU3VWZm5sRFk0RHhXR2Vz SmM3Sm5FOWFNK1hVbC9VWTk1WHFQQTAKLS0tIDN2a2EraldQRWxzSThGa1AvTVk1
SCtwa25aL3BhUUtGOU5UZk5sWU91RzQKJh7ldnkCBgztyWIwdUjtu5EpEWhRemVG eFhPcnlBQW5tVCtBSmtjUU9rS2kwQ3MKwuktSYQpOPyj43kks2XL4Vs++Kdw+FJ6
QzjezfDmeSnOd0n0OVwSan62OaUJzJjDpIDb9CT2fvE/qRg8j8rEmA== xoZjfxmyUi5dOl+GPB7+AKyAXWUU4eQPcGHDPp7x+FZfa49jvE4aRA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDOXVkenREdWQwUEJka2tE YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0T1ZnRFliTE96alg1eDFt
d1ZiNXF6QUxMdldUZzc1UXMzWEV3WHd4WkVVCkxTR2JqQzVaVGo5QnZpY0U0eFQ1 dCsvelJHTUxyQUFPemZjbjZOeTRmWTd6ampNCkVTdTdoeGdjcHpzelJDbU1tNWll
MmtqVVpmZWNQZE52NGthei9ZTEdQc1kKLS0tIGdTb0hxZzY3R3ZtQ1pxMnI4bDFO b1hHTGZSbTVzNWU3YWJ1YmVHU2RKT0EKLS0tIEs1Qm92N1NCZFI1TjR4Z2pxMzZT
QUtySXBaNmlESHdXZUt4TkNKeC80SW8KRuCXbe2TA4pLOk0Z6E2UI7hwuWo942Oc ZWRCSXpESTNpbnQzU3A3VG1xSE1BeXcKDr35W9phmGfEQtNb7V/f+g4GIcbk/klU
qpb0DEdv3rX5+yH1WEos0gvOKnx4q/gra7wYj2toUMW+C2VfKdl6Nw== +1EJsJ+jK1qCSDgO7omQge5Jx1XqSAg8H+21fnHA4JLhfIeZbntBTQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune lastmodified: "2025-08-03T01:35:52Z"
enc: | mac: ENC[AES256_GCM,data:wQPIW9zRhB6IjK1OQy69Ln+dj6OMNLnNKIzFIhv/vbQ4GllMJ3N/gZjuzMJIumcVND+jEY/qiYnsCFSptStlDYtB3/zHWo1e6It2pM4igtoTP29uiQME0vPJSz0guakZlDMa20mOTN0vVZODEbeBiQNXWtnTbl93R2JVJlZrWcI=,iv:L9Dk5S+hbBO0LTM0irfLuqjLYHzVtY5Tq+Q7m65u6p8=,tag:0GT9IyPeGY5YM6PP/LNs/Q==,type:str]
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRVhkS2RkczdQZ1pKc2Uw
bTkrSjg1QzhSOGx1cjNicGgxb2ltMDcybEZjClltMVk5bHZGNHpQNnAxZXVON0RC
Rmp2eFZ1dmlZSmgxa0xWOFhRNVI1TGsKLS0tIHlXWHBxb2tSSUlkSWczWndhSXRR
cUNweDFqOFpYd05EVGxlRythRDczQ2cK7VR9UmJHrgRRuKkqQfptDSLwKUOYjSQ9
U7Yb1Zk3cEymdTQlnvX0/h1uavWDnJ1fIaqOIJMuTO/sAk1fcJtGDA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-22T06:35:29Z"
mac: ENC[AES256_GCM,data:Tvj7CzTOFGTMJyNMTjx4XTmrBGBTkOKb2kIHNEtvhCfc5fSbAjzl/keONaq6LGMhyc83jp0XZpM22vN8d+TqTsUiFGwlXIEJ9aa2N/IFlixd/FGRIZUihQj65Uctbk1x5y0LHUDl53aUa/FFEeuF7aPlUB70Q2SiLME1ATtG9+0=,iv:b0Fp4fQUzhgmSKH7caegMXbstWkj2by/8ABQXUJjdIQ=,tag:uzkkvggilx6KWaeMhYRBEQ==,type:str]
pgp: pgp:
- created_at: "2026-01-16T06:34:50Z" - created_at: "2025-12-01T10:58:24Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYARAA2prIKKdT6eIJQM06tm+VZ6wqD3+ch4pz6vKVrf2+XINy hQIMA0av/duuklWYAQ//TluENVomEd/KwhRiN54IeFeknRyVGWqkTMm2bCV3BGs5
g+nMlOyJfRu2tntJt6OrG9VTeBLtnvivUMAz54QNqPplDHdHelZQerkmKgBzOllq 1ehbfO+9djAXfDeOfq+66XUWOjKs1arhrv2MeQdxhuJ7Ywa73UGMGSMi+sEobTXv
/XQxbH8KJE3G6izBrpWuRHR7rLMRTXLHhI1If+fH8f0SaB9dhS9jHzxJdYJYcDXY w6iYRxJpzCkcpqhmX3L/FbXDWOVBzJv9Y5itc6sn8/0JXk9CHfZU8CfDB1U9A2H9
Kz1maOxXzlfaiYC+sARwhQnxEHbE5Z4t66JNSiVhaK4jG85Wl16RDY6Q5bvWmwaG oRlCT4bTRsAfLirZLZss389zjtV+84cJ+zCnekEZD0pS+wcoo8MICPW3DkFBM76a
7S79Qwf0T2USWHJmQ/KI+NggB2dtXLL3vEo3FV4OVJE6rltxuFTGIcxdD5rp81Fc EJLe8Asx3xlaxht5uxEpWrBseaBfKLEXTgtDW8MZYM7A50aDEvSJ8zolWBH1GTX/
DNpj/tNeepnjwCUJtitIDn05v2e4nxbHZEbtsLeHxX/tqH02arOPrRqJIntV0Uay 6kCvKyTRqbm+mEQ08fktNJW5hd1799+XH9U9gOPP7fme79H98cMrFMNk4cTV8p9I
ESxv7NTgrdgEDzFMx6qaNvZx7cscFuaR61BgdrL1qHu96bMVt2llypA2BVP0SM6+ 5W3RXROwgnlRdVQIHj6lfkOP+kx7YYrL7UqtKPj3vIVpNeAXEvx0RpnIjJGqOpTP
EGrkRCDX3w+lAl6ZKSJi4myrRv5EMH606zLwj1V3+//0Ndh0cZmK8TlhvQd9j40H QZWHBUM+UT6QyRTAFsWuNPjo3MwItOfP1WyD0480FKKWFVmwdj8SSk9dsjPhNNv/
UG5ywugyLEom7V/rCdh2uHxWY+t2CD9RVfgz3uGP+tAHB5eTLi0imPRyqGay+U+E SiYzJ2elr3/i1R7jf4PqaxSDRjyC1JMmRtKxhhklNi1tIvb1xf2H6EGJLYZpNAxA
y8x0l0QnKwll5Uq8M/25L3efJakUrLvf6Sf3UIyCdmHpRXNjOorqkgKDscVo8IsC 14q8A9i0GUSaxD2xMaQeF7eVmgMyhcHxNHBydCG8mzP9xuPmOlpkYRBNuB2EBDyd
XbYSgjopPh5lUsdjicmp1iD9nb/LvukmgHPiPFGN/xw5bvxtqyBPs3qjbd8uHi3S 77gGy6xad7KEu4sGaheB/XbHzFSAw6Yet/bvafP3+jKimPP1OsmKhkat/NuueGLS
XAGnd1uAMEcGhAhAL3XmPA7Wb9U6Oa918crBl8vOAJzTuvtu9i6lME1LOc1myv+P XAGt64/PXo8iDY6iPOifElmFEbepxMaE20Xp1GbF2P5acvBp7v3uDeB4cwUU27QV
WsLtp/Kh20xwbOM+LmYMYSEg6lON82TJ+uaXAw8poVFnCQ4uI1Js7ToONSM3 lTX8wlmKIH3m3nCwk20CBuEnGD1j+/eviUu91Pkz7VAgZrRxOJnPQ3qhH7v5
=ZTqn =fg2d
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.10.2

139
secrets/lupine/lupine.yaml
View File

@@ -10,123 +10,114 @@ sops:
- recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e - recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOTAzdEFVNmRWUFNzY211 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvVlBuRVBBRFVndWV4L3ZJ
NUpoMnpoVmpCeFIzU3JacDIxcjNYUTBCZTFrCnpFMUtydndyUDY3emdVVEp4dUpy eE1qWEZWdUpRd1pOQ3VjVExEQjFWcCtmdkM4CmZyQVJWTEw3NnFGeHcxZjRta3ox
ZWhTRGEvdG9pQ2JvQ3pGL2s0M3Z1WHcKLS0tIExjaWh3MHk5WEZVQS9lYnkyemxE eTVaNmZ4WC9wTVpYeGpLNHpXbStteUUKLS0tIFZTL3BNZFR5YVNDZE1zKzJLZWNM
UjhRL0swUnBJNmNzaGtUMjE2WlZ2VDAKYV8T2iXVEr77e0vuV8e8xpbhStxUoM9l UkJyek9tcWdwejVqR3hzSDFiaW1zdDgKNqzd1dNco9Ynys03GNOpuKmL9Kyea2Ko
Jpn3XiYuoWHk/bmQyjQIQzjB4oqx4TqEnHccSmN3XtUIPGr296zwMg== xzsDBG08XQc9wpAcjTzXbqujhVvLQJi3IOSUQW4LOAx3BxTsZBHaQw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n - recipient: age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVVdmdEdZcTYxajVHQmtF YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTnFTSUlSWE9vNmc3Ui9p
L1pad0ZxVUdlWXVjNHl3eEIxZlNtdlY2WGlBCi9NUUVEakZLV044dldDSkZzaFhS MFJsNnU5MzdaRGdoMUNlSW5qVi95Z3pFTG5jClBRRXNabUZWKy8xTmVpYllXT0d1
U3FJanBaL0JGV3AyS2daTFNrM0J1M1EKLS0tIGs5ZjRZcVREenN0L2RPaWp5c0s1 a25zY1BmQW5VdTRrT2l0Q3VqSmFYL2cKLS0tIGVvK1luSWNsVnBBd3N3L2Z1VlY1
U3AxOEpvdmozU3RRMGYzZGZOZGVhSWsKHEz+eL/fHgLUuixFIeA2dUAjZekzRIHy WThsUEhIUE0wV01XR1dMS08vQW1oNDQKRu2REcJeR2vTbbiU8Mt7aVjCgpT33lUg
NgYmzaWhY7IlPg4mZRIW7hW+ckfr9brdgOR3Gn5Fp3tPbAL9GO7bnQ== N+UW2oYPh8G+DmLLy203+WeyktuAZR1+b+1pyeaF0O3SWNvgxnyMLw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9 - recipient: age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5THp4MkRiUGd0VDVERjU2 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVT0JmS2FPbE4xMU5MbHdt
bmR5OWlkTFFmQUM2QmRNWU5DSUI3eFV4djBVCnF3dTV1aGlMUTd2UWlyUWtXcnlG cktSSitNU21XblBXWldPR3hsam5rYXF0Q0Y4CnkyWnk4K0VndG1WRndMUm00azls
TFFRdUp4dnpXZ2FLSGZoRUsvRlR6ekUKLS0tIDVBMC9oUnBuQXpkcEZHSUd0NzNp aURrbFh0MWlwUGQ4ajZoNXRubFQ1R2MKLS0tIGtlcGwrQzNEc3Y5cTNuSHplZFRV
U2czY3YxRG10aW9hVGJsbkJwWTEwV0kKaNQRm6qmIIbztzrmw6nZSA131lxw7PA9 SnhzRFIycVdSaTh2OWRmVDJDWmltemsKc1M2gWp+RQ1LYPI3u3Z+qqPLhB/2vQtZ
MBPmPQmskIbGJ/bQCfZ7Sp/Pe51sL3moA8tWMqGZEVa+xuxa/KEKSQ== HieQVRYITLdZ73RKn7jhgvu8cGNdvhkWRNFBcsZ7JsqW1FQ3qs9wLw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k - recipient: age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmYUJkQkhJbjU4a3ZNbzJM YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNHlSbmRyejljUzc0VFdZ
NGFXS2ZDSjM0Nk9BVVVCNUx0Um9mbmVXT21BCmRjL0pNcUs1NWdxYkQyc25nMG53 VW9SV1E1ZGREZWZ6bUMvYWExR3FIUTB2NUNRCnFmdUtjUjJiUHRQbG1vZDB5S0xq
c1lkaHVyRnloRGZmWk82K3RZVzNnTjAKLS0tIERndWk2TFJWSFUraldwczFOVm13 bDVkai9EdW5IUjE1alBiL2JST2dTblUKLS0tIE56SFhxU2IvNmFxS0YzYUNnQTFv
NWRDWGdMNXFraE5ueTM0ZG9hMHpKTjgK4xTJKPcrk3EHwMoXlTHzqeDgx9ZJl962 M09tSCtCVTlndkNZSWtQc1lrV3FxeTgKfgJuAE34QcFnnL1/MajJU9Kv2ygDhHlA
8lyQMOSeICyXLzRgKQWuXssDMuev0CZfvnXeWp8megmXuU5Eq1GW5A== LVlfRAfrNsJf4JGus8VuADbsSPpvGJMJMq6UAY10FbMO7KfNaIVA6w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu - recipient: age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUY1p6QjViNmdHcjY2and5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvVVQzRG5ySzNLb2xvMTAw
aEYvOXpxWEtqUnRTNEgxeE44NzZ3VW00OEZFCjJVN0Q4c0FJNEZEaDVXZlNkMTlr K2RORGxzVU1YWnFteVZadTdTU3BVZW04VWg4CjNBMHFwUmpSaEs2S3ZneFhBNVBO
cGQ1WWhMY0JCTEVLUDNGMHZFZDAvOU0KLS0tIDE4ZklUMWtKL3JlbzlrUXdvekJt ZHVaTXQrQVBQaHZhT3RiNVJ5QVV3VGsKLS0tIDFTSGNuVFpsK0txeENkQjI0cXpZ
cjhrRmQrQ3g0UG8wKzZHMllidmRaQ0EKVG9D8Fh7xMzNPXecdX6zTfank2/ZNnjl NFF0VHl2V2NSNzN5L3FhcUZwR2RjanMKKLZVnAGuv1tcAUzFabvgf0i5N4Jtyujm
mwxCXnM2e5udtviQURJstLvlCElNtvdY5WdMkUoCXwHoMspPwGByFw== /oYMZHJy0nETeSpDb/tCEwFThQoEY/qdEmvbg4FOOVZH6tfV0nLnuA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NGpoWUVmK2ttVno2cG44 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NDJ3WUEyZmJIdGxhcmkv
aGRVSStsc280cGFZL0xERUdrNjJVV01HemdBCmZBSEg0V3FHNVEzWDBId1RYck4w M0VSK3NCZ2FVRTB6RnlSZlVXRUNzR0xpZHpJCkJZVXlXbUhEZHI0MlhMK0FtUlhU
dEd3WnVhUk0wdHRxOE9WUnpaUThLa2MKLS0tIHhWbXJmZ1Y4RWZ3Y1g3dTI0MzMw ZmZBZXdpTURWQTZEWGgrQ0c2RG1JQVUKLS0tIFhkaGxGVVV4NzBKOU5PVURnWmwz
eGdwemRYSCtoM0FseXhLd0Fzc1dzUG8KdPDyA/XJSgjHFycEwSg7KWX4fMA30CDq MFBiNUtvakhISUR4SjJ3OWhSeUVsT0UKJbo5zlvD17GYTlRzkNCC7zCCCWSyKRUg
GIWYDVDicgzbxjNKcQdGzFvL02B1igogHtuIJn1qE/bNrK6L9PQ3pA== IChEvMpUKNgYA1xKHOwfPuXuZ4RtcJq/ra4GeVD4OmIGrnXpPWah8A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTG81cS96bWtOWHJTK0RC YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGemlWOHMwR0RFRGk3alN5
WlAzWWdiZkhncWRBVXZtVXdQeTR4WEl5MVJ3CkY5NEpnMmdpVnh1eXBCajhPT1Rr ek9idytadU1NeEtzUmpyNnNFM2hZek80S1dBCkxYeEtDdlRac1hvcjZZVEdqY3BR
ZWpkUm40WHpFcVdQcStWWVZWZU41VjgKLS0tIGRyUnBsb3FnRE9IL3RkTktjN3dO Ynp5MlBycW9MSGlnMWx3QldTZzZ6cDgKLS0tIGNweEh0cDhOZHZvY2RUYXVJMTcy
ZEY3d0I3WVVhQUNPcmhKYW1sVlBGSmsKTsZwHdholYxIhOn49WTdb3pnjT8oTkH5 S1J5Ujd6Y1gxTExuVzhaZ1UwazhHd0EKAgDI4cNTj2txorTKKwwQIAvgUPRaMlzU
mfayWji2cOBRRRB9X40OaVg8SCIhVAQNdvbn64XaJWqWbXFtXamgLw== 4j/JTrNjlFLQrxdigAY0toJfX8ByWWOGMLWm5G7knAi9zR/KH95wNg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhejJHU2N3cVF0TnNqZytD YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQys4dFZDZ2pnQ1ZlWUc5
UERpTmNnT0FJMysvbVYvNGM5ejNVcE5wemhjCjhyYVpsaDJlNHI2aVg1eXZtV21a YmtJNk1VZGExNDk3VTJ3V0ZDcjdOTFZkQ1dNCjVESFFjb09PWG94eU9BQWFDMEg0
eHVFL1ljWXRkYlFrTkgvWHhKS2NZOHcKLS0tIEVLRFhKR0tyeUJ3Z3ZoREY2c2VI SHZXU1Fla252eGtNbFk1OFE0T2R6ZlEKLS0tIEIybTFFWGp2T2NiWHFMdlVkVWkw
c29MWkcvUFlzU0VCTnFTV01rWkxDVGsKcyKsGo6Ep7f2dBwaUYoMsqSqQrn3Obzm bjFkSTR2OWNCV2NadGZJSmxxUG9FVW8KTeF00gXMc9ws3QbvHXvRIIDa3KCYh5/H
sDovKBx+Y7+Yn6fnxy3ISQ9FUjupMtKffiO2AAK7AAI3MFjDOUb9zg== 5mdUFmOBO1JYrab6M5HRVF9DovyMMM7IrBBL8KOtxUk3UeOpijZioA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVGVOcE9TdVFDYURFeEE5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdGZQZDBPUmFMK2JhNE9G
M0t1Zm95SUZpNzdFR0N3UVYwdG1yOWErUTNBCjB4WWtRdXNJV1FVd0xNODUzTDZD d0gweTV0b3lRNkQyRTlHYWtrZ3lwSzlMM3kwCmRPTUN4WTEydy91ZDQxNkkyelhH
ZXRteEpwendneS95alVhckJyMXZucXMKLS0tIDZLNFdGUTNMTm5KUkF2TWxPNk1O UEFsd1ZRQUc3emg5Qk50Z2xSZzZjNlUKLS0tIFVsNWs4Und6bjgxZWt0ZllwRTlk
V0FISGRYNmZ0N3dXc3RHdGNpQldOVE0Kkc7MRhVvpKlIVGKRvvPGyW/DzatxM7+Z SzJ0YlIrK0Jlazkzc3F5U3dXT3dIcG8KkaqYMrJqDGlLN+JwvnJfcGJt1ot+X7ep
VP4kAf0Vu6DyKZINDXH5XQh6qxeAccYXhv/QhxdSuCW4bjplMMBSnw== 8st2H2uwLo8groSw1bEnwJhoqaBgu5dBFUCKhSbHMYVIfT7M0JHPGw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVDZVbDBOR0d2VDJHY0Q5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZUtqMHgrakhhQ3k3dCtN
VkdETUV2dFVWcUM0N3pwU0dlekJqYzZPZEhZCkZWd0dVS25jYm5Eb1hES3Z5SmFk T3cranZIVFdLRWJlOWMzaDF0NTZCM3poWFFjCkY4TFdmOXdwK1pLcWQzWENTNHR4
WnVEYmFtRURTa2FUYXhpQkNLUnhjbFUKLS0tIForS3RPcFkvenJNaW9wMFAyOEpP TkpWNEt4VTdWUG5XdzEwOXY1ZzVsbFEKLS0tIC9RR1MvdmJoYlFiMWM4TUEzNHNv
c2g3UlRHc1ljVGZaWVRlTUVORzNoczQKFvxD6ty10YobBU2BuyVpDsqGI1nie4Oh RjQxS2g4QStNeXpKcmFqK21MNGdvM3MKOCnDVWJa5F1Vss2D7l7GMq1xCNurjfRz
eQbvBEqfTN3zR38ujT6/tLfyNrtj71oGzI9M+vUUGbrmob+/y2VABg== vvK8S091itHZVy6wamTz2/jAj7YYXDjSu0V1sKPOLdThKNZZcBe1hw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOblRZRERwT1k0cUVkeXlF
bXZ6VnU1TmE2dFlaU1IwMXV0V09FZjR1bUFFCnFUa0hzeXhvTjlaSk9lZFZHT1d2
RU5NQXJBb1FISTVnSFJheEZLTFNWa28KLS0tIFEzUWFvOXE4WGRkWmxtd1hvUGZu
QlBkaCsxdlEyT1hhbVA0c3J4bkhHU0EKbdPpiKgu416P0Ciacs3wkH0OAeHKyzQE
ekyNhHHKT7IqJSvEl47PpTIsgk99SrLgImNKY8sDieOqDVuM0bhgTA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-04T05:53:51Z" lastmodified: "2025-12-04T05:53:51Z"
mac: ENC[AES256_GCM,data:o55keAaJEXVOAGvoMp8FWvtlxMgfF/qR50FGnNM1whYz+5+naRJ1dAOW9NKYHWbtOa/ZXEMTkjoFrTJidAaIXza1Ot8llbTGYh56fsnu0FKZfVM+rvecRDhXKWxiAqyiLUvtUfA2fSg9LGveh2U+0dulcU25sb3Wf0RcFrtM3xI=,iv:3/UllekmGIaluv8y8I6Azd/52dJzk+C5ah6XLJj7Zik=,tag:T5ILXiC5hK++0jGOnHCMYA==,type:str] mac: ENC[AES256_GCM,data:o55keAaJEXVOAGvoMp8FWvtlxMgfF/qR50FGnNM1whYz+5+naRJ1dAOW9NKYHWbtOa/ZXEMTkjoFrTJidAaIXza1Ot8llbTGYh56fsnu0FKZfVM+rvecRDhXKWxiAqyiLUvtUfA2fSg9LGveh2U+0dulcU25sb3Wf0RcFrtM3xI=,iv:3/UllekmGIaluv8y8I6Azd/52dJzk+C5ah6XLJj7Zik=,tag:T5ILXiC5hK++0jGOnHCMYA==,type:str]
pgp: pgp:
- created_at: "2026-01-16T06:34:51Z" - created_at: "2025-12-01T10:58:24Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ//S5CPlAJka09zfxhQCKY9SnHOlkNL3mQxSN9EcxiKFgQD hQIMA0av/duuklWYARAAmW8iNyzlWC9aeHxLSs3OuZza2Sxmmm+RbtA/n1X2M/iI
G2/qlFze7CiswTr608TXNQ/lPb+SJHgLrJvcBwISh0MCKKOZtyNjfSIIdR1A/JTE FeQsvO4m+HB0Y6H7cy8hjyJHa/kGwL4kenDCF+unqJCfF6XQQm+S740+uWndFVFi
OaA/JCJ76j2W7YWYrL18dY57n7DOMmhf/BZj0hI4PtDqh+dB2vX/U2i3kWdODb/K u02svjncMnGTTrkxazj90ULASXxT0Z5Z+2heCkuQe/spfX+qVJVa5RvzTPBj/Bjm
fowmPrqustOLGAXOhuKegtQ8K5KLsP3NHjrp5TiOYmI7fDVkwvBnqXj52n94pw3n k2NafAW0cfM5MyyeVkF1Rei1LJ860b442vUMpNmU1Av+fbgIyG4f/LEswv/upJWX
o+HpvmyWFSm7QExGsjbbMbtDEmJJ/u8arx+Tb+ELumrz7QgwXt9ZGoPpJnmz9SsC UdNFvU5yW98FXvUDP6ThJRg6OJqN1ZIYix2UJ6OakUuJN51sywVO4LBZmdsJ21SY
4MoTF8Ul4HRwMoMyGEQAzb1J32THFKWSUtWaLjNDOW91l/eiLpY0Kk5f1BTVcD4W cdEjyi+vvAoOsBD2jX+64KzvzoSHkV2MWcez19ZMPguaCwNU9wmrdGD/vVKq8WOl
GsA63BsSqnIDB4Tisz4ZRhaRGY6sxyXHDSnHzVQmKrv3kwTJm8ODA18gu+HZ021h Zs/0BOnOCJ0nEbprzCUCE+RtRZxkKUYmDKYxbu70FSsHWCnRyybKsj7CVak59EZE
ShG+m81PYrGkeqYwJHnEMfSo4XY4/lHdsZ0yldF8eSjZ2raPbsw+lmadot8mc1eE Ok7IuK6mQ0HT00FQfOCy4ZytgTQSB2fXEGyZsVv65RDdorfapAkwMM1TYVc4j2mD
leiEJOP6+ZOs60dJ+dOwaeCb5CDjFaCrq6c0+6ESWpN354tN9L9DZGLlYIt2AlcM ImoY85xMo/E/KwfAhzL2E2lJLXpAamvBj86RcNW/FEytEEI+l5CIZr6l6UDSDO+W
/N/5DO5F81jxlBbxI4IFwRvBDBwO81eQlVtjQB5V1+dbeIaZYS6GN72xHUSjICNJ ETYbNcqK8utLTmH539czbXGZ9Cid8i0+QyLtZ8ApHn7s1FsFOAzMpxMyKPYKRSnA
0Wv8iDwxKRjQI2uol7KmPN0Vr9siMIMAP4yCppnmdxF5VcGbLWNu9lZfxlj5o4fS VospnGQ3TbdPbbOfVHQvD32iaGw8idP1xb3XNXelD0RZ9OuVxHGELO7re7n/G2jS
XgHq8TJTMWKGF2Yq25/5rKmIb/8cCOU8XLNZ3xT4X2dErqV+nWtmXgmNySCphn+C XgEOiTCRtyQONpfIiii1s7613OfbliWWe5ufhnm0Qsr6Om7jSsm3JfLkSmd/alxf
xK/cKHseztzXzffdqCrJCaeo2KmTou+gMyDEmJrVLhrcIMayptt9dc0dgJ12N3s= cEk3MFResmtancl1D/2sGhM1ROR6huUChxtgGmz6ZdE2sb8JIXtQOFHzfRw9xo4=
=pLWS =3liy
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

75
secrets/skrott/skrott.yaml
View File

@@ -1,75 +0,0 @@
dibbler:
postgresql:
url: ENC[AES256_GCM,data:rHmeviBKp5b33gZ+nRweJ9YSobG4OSOxypMcyGb3/Za5DyVjydEgWBkcugrLuy1fUYIu1UV93JizCRLqOOsNkg7ON2AGhw==,iv:mWgLeAmnVaRNuKI4jIKRtW5ZPjnt2tGqjfDbZkuAIXk=,tag:iHSkFcMmTWEFlIH7lVmN1Q==,type:str]
sops:
age:
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0aGQwRlJxN2w0Kzh6OFhC
RXFFN1g2RXlmbVpCYTF1Ulg3bHlkSmlZTERBCndWbmNibUZUSjh5MkdwNGQyeDdz
dDRVZTliQy80aGxUYWFaQnFqMEEzbkkKLS0tIGVURnFUd0dtVlMvN1lDVUIvaGJy
QmZDdk9JOTdDeXg1NUJIcllIdXk5ZHMKFROfzKzo9y1e6siuWsU5q4WiIUhkQTDi
05fhUbrS8/OZQfG+KncuF1n3bWQis/USqwW1vEsTDkn6RlU9nGP9hQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QmVRSVMwdkQzT2dJTUlu
NDIvUHJvaWNwKzBZaE0wVEVnQml5NHU1Y0Z3CkdhbVpFSG1Oc3lERlVpMDArRnhP
SFp0dGtSbVBUcnZpQkd5cGVUWXhXQlEKLS0tIDVBckwvUGtBVGc5RVJjN1F4cDJ2
a1NiREtXMG9kcXFMeFNnMk0rQ2c5Z2MKKWK3+P9QshvgP2TCa2H5SFE+ZesaUZ9M
qBhPT6t44/dr7foowgVGyEVvnuaUu4GHnSKyYiwZ+bjp6E3Wm2fMRA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTkdCQ1dtQWJtWEJsU2ZU
bzdpTzZnUUlrbmU3eDNvRlJ4bEk3RmF4cTJRCkNZTEdTWHVHUUU3eEpJNEJFRXM1
Si9RZjNVQUpNaVU1Y1owTU1zakpvRzQKLS0tIENSUTFDNktpeWR3VCtpY1pFdXQy
aWE0UkRBL29wMTh0RGZUUjdNdDloQlUK9+3fPifkgB3jsqaZrWvp5GoogwOiGuMQ
VA8JNJ9Nlph7pom0oxu6wc50WLbUdyOerz37TowXwys9+Lu/XJVGRw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTb2xWOWY4V3Mxd1Z5bklT
RXI1bjNtZ3hORkpOOUpFSXUrQ0lpODhsWHlFCmhteWJWam5mU2Nhc2tlTURRbC9i
OE1SUE5iczkvdWRTdDRKd2NVNGhHS1kKLS0tIFZWYXA4TnF0dHc4K1FlYW9Cemta
a0lzbUNKMzVrcmgwQWIyUWo2VExMYWcKAOwJ8tA9L/jQ1lCPaUMNNJaYz14tLbMH
4c+lYZJX3PKjfkc5UnteWNsaXTF/vXoALDnaPBRwBFWFfCVsX5XYnQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZGpMbC9yVTdObFEyZ1pH
a0ZOMXhDVGdFNUNOMmJldjZKTElzdHI2bmljCnJtcEUyY1hDUnczZkFSNGErbEtE
Y1lyZnFOVTVIL1FKczJ4dUIwdjg2T0kKLS0tIEpSZmN3YUJDUjB1ZnNtT2hCb3c2
ZE5tMXJOYlFMOVNJU3FEZFB4TlZ1U00KHnunzKMy91oc92ptcaKCE1sfkhFGvf0S
vRX/nyQnBGqD3X3yfvkt+aQnoLxcjoanpJVM9VeigyPu1mRg0OOxXg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-11T17:28:43Z"
mac: ENC[AES256_GCM,data:l43vquKg33LndSXOm0hsPcalQRXjqbb30QvptXuBsmQrcEVVh20Aqp92l+rwgv60P03ZtK4SKxm/udVVoqViFTwCLYtCC5GEn4OqbD94LQKzl+XLe7yLWwv2WF8ueu170YpZ97uFxUrhOoaOaKUgnAV+4CocixG5hfadpqA3yYE=,iv:a6RRILzz4gDUuiSZPVoqjlIMu4NZG+D5Q+brusfh9PU=,tag:Y8nKbnctjka44eH15x8oCA==,type:str]
pgp:
- created_at: "2026-01-11T17:12:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/9EOJGjNnLgEPo+/pP/4TVt8ECLRRbxsjwpnxuRf2QcmtF
p+ZnX+X5mBVdriuTUTFyUvPXBPwG2byrc7w/+zZBvYGWdSZgi+ACBRiAzvXMUYUq
ZCY6z4v4dkvbbVW2QE1JmzfZFVC4Vdwup6q+OXtXvQe6n2/GgIHRfyMnG3dynldt
1cmEY8ujuZzv+St5tInaGod5pZ4i2/RDvQSk7JHtb9LqsyyIKdxYa1Sc8U7WN9qx
Ucwo56HZ9tlAvA4nEqYIaZFGM4XDXO3BV6ltsa57dMXJSzYjG8qYB7Z4CCTmn6HL
h7A4NK8yj7El5q9EScbSzJQ8LNMYAPhLMhvOGYio/k2Jnn3woioozCdUEvg4aoAT
Y+UVyl/O5MrM6ZcgWVQ7gbhYvAHSyiyr5hlEfzjtxwiETkIXFPiWtOpyq1GIYa7w
k93OvrFbbTevzY2ea4gQh4pmzGDfXEqtBm9DjQwUmiTM877bR/sY4b0HV/CA3Txh
Xz22dLp8pfvAtBtHuEARJeQ8DeFslICuZZSiDscNe63dqxg9tWmwFqWecOGb5DXG
xEbLTyO0YBESsk3jt7JCtx8Dfnb9fVOqCiQN2Ywd1TkSMnM1H627MpaZJNKEXQPT
+gWa7QqthW84Vc42wuAYmLAw+1Ob/BgPojogV8XUIr2johzp1tY2jdsDJko84PPS
XgEprHVVj49JHRR5ixjJwoO4WbYsN4Tqej7I2Ns00tCzHAKPFQvFlHNLt1CrM88X
0HRLTEn7z1F5r54inNP0DIvDJlTSqJdJDA5k0HChQA7by2le+ERpvI4CmTkNyvk=
=c+Rd
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.11.0

99
secrets/ustetind/ustetind.yaml
View File

@@ -8,87 +8,78 @@ sops:
- recipient: age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8 - recipient: age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYkhoL1F0VHhTN3ZKYnha YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTG0xUXQ2OTJDVnVtb2xp
eFJtSTlOalFEejNqdlRQWkZsQlRjTUZrMm5nCkFRbEpTNkk4UGdDRjI0TDdiaG1v M2NEaENPUDJvL1Y5QWtaQ1lQaTBRRzd4bmh3CkdZd3V4bzFJZHAvWVVNVGhZdzhn
WUZ6eTQ0TzFNRFBudVMrN1QzN2MwaGMKLS0tIEFNQmVlSHJ3ZWtPZ2d0VldWTlhy WTBoSmUzbUs5azZHZzIwVWtSSGFtNTAKLS0tIDFFb2lBbkdBRW4wZ0RkYTBsMDJj
YjNac29pT1RPazc4THcvQTI5dmVrbGcKp2TJ4NfI6x/C9LHj5e7VZ3PQHNUsF4FN TWlNa25udytHRkR4RW92TmRCRkxPR00KXf2XPR/+16GpNdIfaa1biMFSFJ48UIC8
yDmgTG2ys/k8vzN1j1dFdt+FA6NBkk5KBIoZYtP0vLKxotQWsAwI6g== 5+MLAu+2I/NROLKmg3tOfsxQ2xnlF4FGRdmMuxaeKTZGD580sYiQ6Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU21sVGNlWlZnOXZDcWk3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWZVFmMFZWeDBCS0dta3pR
NXZkR0VZNXE5cXlLdDB4YzVmUVFjUE1SUmpNCkU1MVQxUEMwSkZXdW1YcnZ2Uzh6 czJYV0ZhRmpMWVIvYVFEK2tVbHc3WENhTEhVCnpYSjIxZWtFcEc3ZHFVaDZmM1BD
QmxlanEzU3MxK1NlVzc4QkU3a0x1QlEKLS0tIEw5Sm5PcXkzQ0xGRmo3RDFOa3Zm aGNIWnp0aDVjeXZPdkdLdE40UjZNV28KLS0tIDg1Y3dYU3ZDWU50NlBoaWc4VUVx
VVF0Y1dRQVI1RGxkMVNPT1g3MFR6aU0KR8ubYMWQunbwnFcMUlRJzvHM3i6YiPVU dUk3VG9ZeWVmY1VwWGViUVU2dEtnb2cKo5sHSm3HQNOYlyYirZ1oMz/InAT0QT7x
4G2DHZDG8+DJvyALNaOFav86pSSLn/+OtzxC15U+i66J6oWAcaYZUQ== 8aYL0afUQ/D++gvX7tGDbBgIkO1Zud+KiKO9CGqz1Wn9krFL20cjJA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByN3JLYnNCYUJNWS9hWHJY YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdWxWTlFJSnA3VHljM0Ix
YmpXeUFUZlpodDNnTEgrb3ZXK1BEczdlUEhJCjFCMlpwd2c5dGUyR1VXNjM1MFNR SVN5aGdaREJEYjVWNWNUOWdGT2lDUklMZXlvCjNKaHBweDVpdUhuNlluUERzVDdq
aWJXUkNWS3RYK2FaZzFxM2luWEtwV0UKLS0tIHBJNTVGUitNQnpNa0lEakU4QitJ eVc2RlFKR1dHdGFDb2dRcGl0TDNqRGsKLS0tIDQzTFpYUk5LaTlPZUxxNHVZd0o4
THJ2ZU1paGdhUUhTMitGZTg4WG1WU28KvqBTNQn36JvCDuJFIg7cA/9UagFCv7bA dzNCbzdkdC9DNDFYZjVPSjNVd3ErbWcKkJcjk/4zy458WLyOs+NTXbrQ3EkxCBVH
wFCg7K/Ldc+j6ZMz4rqBgGP9US9M8SJAsAU1ZakX3gh5K2hibTpVvg== bX3+b5yH2YGyvTS2vHnCEY7Zis7KhuxAAIrdLobzKlwLf8LB+p14XQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUy9QUHFnTEdyWXJQbmtl YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBydmhTM1Mrc1dpWkE4M09s
dzdDRkRxejM5Rm5ZWGZrQklDSEoxWmtnL0FZCnlvbE52RlJFL3VtNUhoN1pVY3lL MitqYjJuY0UwVVlITFRlTDB6UUFtdis5bFc0CjNIQURZaURwTEllQTVoZUZiS3BG
OEh6UU4xdm8xenVYQUlyVExmTDA1cEEKLS0tIE91ZUk5dzlxT1N4d2lMTFRaT2N2 blM5Y1F6VE5HZXBuNVFlNGtHaXJPem8KLS0tIGFUQ3JHb0dVVllIMlVnY2pZMFZE
OERvK25YdEZEd0FicmFQV1lLaEdlZE0KITNdS3ekChSbKyjSS55A//xBbpdfUOMD TU84Tkp3OWxoY1o0LzAvc3BrcXdyME0KyTv0mHUi9voKj0ZTXZ6CEkouTdupYl+F
QojnqFcYaBzv7CrM+tKh1bepkUKwncg+tzuc0uoCgQoRDjEVloQuIg== /wLMQn1h4D6Jl3kxh12h4yACLCE9mOAM9wuylzOf/MpbDLbakymWew==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzS1hiWVVqRzFlS0JjQzQr YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ek5lZTdFK0ROYUNUeEtp
dnprcExlQyt5SC8zZFFCMTMrcEZPT2dLTkZ3CkdZNm9aSFJlR0JpRFAwSW16OVBw bHVhWUF6VkdEUWpUL0ltWW54dFg1Q2wxckZvCi9OYllUN2xnL1dEMlE0RVkrbEMw
KzcwbklvNklLN0U2ckN6NWVwV1NmMkUKLS0tIGhXcUlOYzdkbUdzV3B0QWx4M3dj dTd1SS8wQnhrdm1peWRMbVI4YXBzbnMKLS0tIFFIcVlIcWpxT2RPSlR0dzh3UHZ3
OUIwMFR1ZDVxWURIbzJzRXpZVVEreDgKSpQ23S+criRsNhT5WP6IxyoRXKMjZNr/ LzZLaDdMZlAzV0hBTHpWb1cwNElpUEEKrgfWuu6RKq9dolGP00CiGZsZ0me20PCX
8ZK6MvGpCw9oRlNciVOJP6uEcHXZ89FSzqfRB4C+pLOKFlH88XSftA== NKHY/eQ2RGF6YLF35v3rBGuH73d2cqmCh/6d0DELX+F/nzOi+ZWb1Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1aGdBSFVjakJvSE42NkhI YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUkxPN0VIWUNydmJPRmZW
dUgzcENnMXJOTGFQdkQra1MyNU5KYkJzSlNFCkl0VFdnb21uWkdsd28rVXBsQ0Nj V0o3UmZGYkd2NktMdlc0dlpjS0htL24yVVN3ClVjbEViV25ibEwxb3c0TlNOSDB5
K09VT2FRU3JjZXM5UzZYeTJ4eTRNZXMKLS0tIE9HcFNjeDRZMlpYZlRBYnJyaExY SjlvNUpSZGpnU3R2aGVIaExBby9qYkEKLS0tIGtJNCtaOGw4OUQrc2JxZExnUHA1
QlVIRXJnSHpBb0hNUzZsRXB1eTdFUG8KsmZLEJHlA9rtxp3PpQDdmtI8L39ollvy bjBzby9HZjFKc2lEMzVLUGxJTndrSzQK7iOGVTi6XuodwBargQ7fUl2gtqIMEnL4
DKpfZjCTqj8fbNMHiIhCr0G515w0Ad++bS2DbIbPfZLufiAEuOW00Q== Ql0K8J2F2qXtk7/wMHxFAIxwDP5KS5O8uLFjcmOTdGJeAal7Cvv1hQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Ny9xTUpqZitYZXRDTjE0
am1XM1NkbXpPT1ZxM0tZd3Y5KzU2YjdwZ21nCjRySEJmMjAzcXUzSEFPMWtoQ1hn
UFdkTjNsMFBxYkVocjBUR1NURE15RlEKLS0tIGUwRG0rc3dZSWlLVHZpUzArTWZx
NmZOSGhlNlpiUzF6R29haGFaRVYyWjAKWjde4l2J5wb8zn5JBP5ETReRBni6DFwj
1uKU5ecrRrTwNkHGPPSifRB5HdC77PWe1ZLWZhHGmSXFan8fnKGc1Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-12T12:20:19Z" lastmodified: "2024-12-12T12:20:19Z"
mac: ENC[AES256_GCM,data:D9/NAd/zrF6pHFdZjTUqI+u4WiwJqt0w5Y+SYCS1o/dAXJE/ajHzse/vCSGXZIjP0yqe+S/NyTvhf+stw2B4dk6Njtabjd+PhG0hR4L0X07FtFqzB3u5pLHCb0bH9QLG5zWcyMkwNiNTCvhRUZzbcqLEGqqJ7ZjZAEUfYSR+Jls=,iv:5xPfODPxtQjgbl8delUHsmhD0TI2gHjrxpHV+qiFE00=,tag:HHLo5G8jhy/sKB3R+sKmwQ==,type:str] mac: ENC[AES256_GCM,data:D9/NAd/zrF6pHFdZjTUqI+u4WiwJqt0w5Y+SYCS1o/dAXJE/ajHzse/vCSGXZIjP0yqe+S/NyTvhf+stw2B4dk6Njtabjd+PhG0hR4L0X07FtFqzB3u5pLHCb0bH9QLG5zWcyMkwNiNTCvhRUZzbcqLEGqqJ7ZjZAEUfYSR+Jls=,iv:5xPfODPxtQjgbl8delUHsmhD0TI2gHjrxpHV+qiFE00=,tag:HHLo5G8jhy/sKB3R+sKmwQ==,type:str]
pgp: pgp:
- created_at: "2026-01-16T06:34:52Z" - created_at: "2025-12-01T10:58:25Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYARAAmHD3R6tDuGGv1VTJ6S/HjLcVlt0+kXOmcjlqMMa8xA6l hQIMA0av/duuklWYAQ/+NLY+1iw6BqMfPzgcoiR3i7e/8G6MVP91zGjoUx3D6rGQ
L3hRSlJz5RGVgNny+AJvj1X7l8pzLMKvufShiNEwkG1dIDLGQqg0msJkhXVB5rIZ EhUrdz6xdRY5KnqC2Wt7BJLO4jl/pvKo+w530Ik3wEzXiaZg1AGiUjUi4JhqueUi
a8eG8zne3rYy9rb4MHJM6pvIK76PnzxoqltDYzmk+xXhGfTfcQ2ebc4NDeZPXllA EQk41mWYifS6nd9T84x8C6luAUjxYXmZDpIY1/lRDEeh4GG9qE4v32f/66+nxFdV
mS6TyqLabR6aI9O3eXqTDdgXtOqvMuces0MZ7T/1RT6wfG8QxZNHW/PZLicMYVLC icblN90D7Rz6KTinX7RWVYRXHd3Te74NHhzOTPYkouxwnwvFiS2qN4k+7oIKl3+S
ouojMBpDgHg5XSa2rk2apukphIxm26Y7tJ/ZZVFTTuS+H9h5In815l26Dl84+aDI OyYKeaAVSc3+nfVxuphNlVvl8ih9/f2tWz8XTPu7ohtck9T//5PXawvR51cateXe
i34deyKq2QkVesZV+rhPfOMD5AsaW3NzQD0Qlsg4DLk9qXofsGxS9lP+m6L2yKws 2A9HNgefysd90XyCozQ8N7uunZsUKxgngqPhzgP2f0FRYeNWqrIOUWjrmI7nYg+A
iA3JKskLC62boFFAlvsAuot/UNKGdYusDvy1Ez3N7B7aITFawyN34md/7q7fcyOh w7Z7TRQwVzptVUAe+v9WfWkWBYFreb3NlbfEQfEC0xAAFQ5TPqL66PlXXMJqyBhN
oDtsV9eGtlQfYDM0ZM1vkE4MPF1Yt1Ozdyxf8oI+ymSywLYV8sB8V5m15ureRfnC wWhBY50ETDBvhCv2hTghiRy9tczAgyBKoPr2yZNctqyNTuJlaql4o5LT6RTHusK+
Zl+sR/m8Qa52Du/RgxzuTElkF8hYK/3Vmiq4WneZq8YXslPgEmFbdWvhD643H843 vUGGYY/qj9XwrcQBi+bRr/Q9zHHjXowwKPr1/UVbdVa6ntMMjUL1D+T26QPhTT2Q
Ml/k9zcLjx0xB2KW8nr60WTFx2dqbQlTMrWMXSj9qSfEwg2M3ZlOav1Hlm8M/g7x 7gT57JmXLJKk85MUGyAG3y4TNNdCbxH096kb1Z1O7VwHZfQDNoYXhPXGhYvnz/4q
vtOvxgg6sZmFJGgt8BwFib2OD9Rt6w+Qj++vAZnT87xthiGkkbMgDq5SPCi5h8XS YWHnYLLApuGN6apqETbE8xizKkUR4k0ReXCjHNvsky/nf30k4iUetDeGBwLJRjzS
XAHnlbcp3okHQaJHxA7i2c1wt8BjZlF75B2STsi3F5KGrM/NONGSsbRcgnZUopx0 XAGCykcK7VviDM7YOMlXIbeUBK3Rb2rGsgkBby/cPiNh3zS8HzqOti2vn7ioLMbJ
emOo0W/1Ouq14juHG5aDwHOA8Uh5pNCT5RxeqO83ACXDYaYHU9qM0eorqfRD Peic2r2TAUUp/aVmU34YqREi071fKpL0zho75IJ2ZtavDOYmDPopEiluIVuV
=N3eL =JCHR
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted

264
topology/default.nix
View File

@@ -1,264 +0,0 @@
{ config, pkgs, lib, values, ... }:
let
inherit
(config.lib.topology)
mkInternet
mkRouter
mkSwitch
mkDevice
mkConnection
mkConnectionRev;
in {
imports = [
./non-nixos-machines.nix
];
### Networks
networks.pvv = {
name = "PVV Network";
cidrv4 = values.ipv4-space;
cidrv6 = values.ipv6-space;
};
networks.site-vpn = {
name = "OpenVPN Site to Site";
style = {
primaryColor = "#9dd68d";
secondaryColor = null;
pattern = "dashed";
};
};
networks.ntnu = {
name = "NTNU";
cidrv4 = values.ntnu.ipv4-space;
cidrv6 = values.ntnu.ipv6-space;
};
nodes.internet = mkInternet {
connections = mkConnection "ntnu" "wan1";
};
nodes.ntnu = mkRouter "NTNU" {
interfaceGroups = [ ["wan1"] ["eth1" "eth2" "eth3"] ];
connections.eth1 = mkConnection "ntnu-pvv-router" "wan1";
connections.eth2 = mkConnection "ntnu-veggen" "wan1";
connections.eth3 = mkConnection "stackit" "*";
interfaces.eth1.network = "ntnu";
};
### Brus
nodes.ntnu-pvv-router = mkRouter "NTNU PVV Gateway" {
interfaceGroups = [ ["wan1"] ["eth1"] ];
connections.eth1 = mkConnection "knutsen" "em1";
interfaces.eth1.network = "pvv";
};
nodes.knutsen = mkRouter "knutsen" {
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/freebsd.svg";
interfaceGroups = [ ["em0"] ["em1"] ["vpn1"] ];
connections.em0 = mkConnection "nintendo" "eth0";
# connections.vpn1 = mkConnection "ludvigsen" "vpn1";
interfaces.vpn1.network = "site-vpn";
interfaces.vpn1.virtual = true;
interfaces.vpn1.icon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/openvpn.svg";
interfaces.em0.network = "pvv";
interfaces.em1.network = "ntnu";
};
nodes.nintendo = mkSwitch "Nintendo (brus switch)" {
interfaceGroups = [ (lib.genList (i: "eth${toString i}") 16) ];
connections = let
connections' = [
(mkConnection "bekkalokk" "enp2s0")
# (mkConnection "bicep" "enp6s0f0") # NOTE: physical machine is dead at the moment
(mkConnection "buskerud" "eth1")
# (mkConnection "knutsen" "eth1")
(mkConnection "powerpuff-cluster" "eth1")
(mkConnection "lupine-1" "enp0s31f6")
(mkConnection "lupine-2" "enp0s31f6")
(mkConnection "lupine-3" "enp0s31f6")
(mkConnection "lupine-4" "enp0s31f6")
(mkConnection "lupine-5" "enp0s31f6")
(mkConnection "innovation" "em0")
(mkConnection "microbel" "eth0")
(mkConnection "isvegg" "eth0")
(mkConnection "ameno" "eth0")
(mkConnection "sleipner" "eno0")
];
in
assert (lib.length connections' <= 15);
builtins.listToAttrs (
lib.zipListsWith
(a: b: lib.nameValuePair a b)
(lib.genList (i: "eth${toString (i + 1)}") 15)
connections'
);
};
nodes.bekkalokk.hardware.info = "Supermicro X9SCL/X9SCM";
nodes.lupine-1.hardware.info = "Dell OptiPlex 7040";
# nodes.lupine-2.hardware.info = "Dell OptiPlex 5050";
nodes.lupine-3.hardware.info = "Dell OptiPlex 5050";
nodes.lupine-4.hardware.info = "Dell OptiPlex 5050";
# nodes.lupine-5.hardware.info = "Dell OptiPlex 5050";
nodes.buskerud = mkDevice "buskerud" {
deviceIcon = ./icons/proxmox.svg;
interfaceGroups = [ [ "eth1" ] ];
interfaces.eth1.network = "pvv";
services = {
proxmox = {
name = "Proxmox web interface";
info = "https://buskerud.pvv.ntnu.no:8006/";
};
};
};
nodes.shark = {
guestType = "proxmox";
parent = config.nodes.buskerud.id;
interfaces.ens18.network = "pvv";
};
### Powerpuff
nodes.powerpuff-cluster = mkDevice "Powerpuff Cluster" {
deviceIcon = ./icons/proxmox.svg;
hardware.info = "Dell PowerEdge R730 x 3";
interfaceGroups = [ [ "eth1" ] ];
services = {
proxmox = {
name = "Proxmox web interface";
details.bubbles.text = "https://bubbles.pvv.ntnu.no:8006/";
details.blossom.text = "https://blossom.pvv.ntnu.no:8006/";
details.buttercup.text = "https://buttercup.pvv.ntnu.no:8006/";
};
};
};
nodes.kommode = {
guestType = "proxmox";
parent = config.nodes.powerpuff-cluster.id;
interfaces.ens18.network = "pvv";
};
nodes.bicep = {
guestType = "proxmox";
parent = config.nodes.powerpuff-cluster.id;
# hardware.info = "HP Proliant DL370G6";
interfaces.ens18.network = "pvv";
};
nodes.ustetind = {
guestType = "proxmox LXC";
parent = config.nodes.powerpuff-cluster.id;
# TODO: the interface name is likely wrong
# interfaceGroups = [ [ "eth0" ] ];
interfaces.eth0 = {
network = "pvv";
# mac = "";
addresses = [
"129.241.210.234"
"2001:700:300:1900::234"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
};
### PVV
nodes.ntnu-veggen = mkRouter "NTNU-Veggen" {
interfaceGroups = [ ["wan1"] ["eth1"] ];
connections.eth1 = mkConnection "ludvigsen" "re0";
};
nodes.ludvigsen = mkRouter "ludvigsen" {
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/freebsd.svg";
interfaceGroups = [ [ "re0" ] [ "em0" ] [ "vpn1" ] ];
connections.em0 = mkConnection "pvv-switch" "eth0";
interfaces.vpn1.network = "site-vpn";
interfaces.vpn1.virtual = true;
interfaces.vpn1.icon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/openvpn.svg";
interfaces.re0.network = "ntnu";
interfaces.em0.network = "pvv";
};
nodes.pvv-switch = mkSwitch "PVV Switch (Terminalrommet)" {
interfaceGroups = [ (lib.genList (i: "eth${toString i}") 16) ];
connections = let
connections' = [
(mkConnection "brzeczyszczykiewicz" "eno1")
(mkConnection "georg" "eno1")
(mkConnection "wegonke" "enp4s0")
(mkConnection "demiurgen" "eno1")
(mkConnection "sanctuary" "ethernet_0")
(mkConnection "torskas" "eth0")
(mkConnection "skrott" "eth0")
(mkConnection "homeassistant" "eth0")
(mkConnection "orchid" "eth0")
(mkConnection "principal" "em0")
];
in
assert (lib.length connections' <= 15);
builtins.listToAttrs (
lib.zipListsWith
(a: b: lib.nameValuePair a b)
(lib.genList (i: "eth${toString (i + 1)}") 15)
connections'
);
};
### Openstack
nodes.stackit = mkDevice "stackit" {
interfaceGroups = [ [ "*" ] ];
interfaces."*".network = "ntnu";
};
nodes.ildkule = {
guestType = "openstack";
parent = config.nodes.stackit.id;
interfaces.ens4.network = "ntnu";
};
nodes.wenche = {
guestType = "openstack";
parent = config.nodes.stackit.id;
interfaces.ens18.network = "pvv";
};
nodes.bakke = {
guestType = "openstack";
parent = config.nodes.stackit.id;
interfaces.enp2s0.network = "pvv";
};
}

BIN
topology/icons/bind9.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 13 KiB

BIN
topology/icons/greg-ng.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 40 KiB

5
topology/icons/proxmox.svg
View File

@@ -1,5 +0,0 @@
<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
<svg width="800px" height="800px" viewBox="0 0 1024 1024" xmlns="http://www.w3.org/2000/svg">
<circle cx="512" cy="512" r="512" style="fill:#e57000"/>
<path d="M512 497.8 342.7 311.6c6.6-6.6 14.2-11.7 22.9-15.5 8.7-3.8 18.1-5.7 28.1-5.7 10.7.1 20.4 2.2 29.3 6.3 8.9 4.1 16.6 9.8 23.1 17l65.8 71.9 65.4-71.9c6.8-7.2 14.7-12.9 23.6-17 9-4.1 18.7-6.2 29.2-6.3 10 .1 19.4 2 28.1 5.7 8.7 3.8 16.4 8.9 22.9 15.5L512 497.8m0 28.4L342.7 712.4c6.6 6.6 14.2 11.7 22.9 15.5 8.7 3.8 18.1 5.7 28.1 5.7 10.5-.1 20.2-2.2 29.2-6.3s16.9-9.8 23.6-17l65.4-71.9 65.8 71.9c6.5 7.2 14.2 12.9 23.1 17 8.9 4.1 18.6 6.2 29.3 6.3 10-.1 19.4-2 28.1-5.7 8.7-3.8 16.4-8.9 22.9-15.5L512 526.2M497.8 512 370.3 372.2c-7.4-7.9-16-14.1-25.9-18.7-9.8-4.5-20.5-6.8-31.9-6.9-11 .1-21.3 2.2-30.8 6.3-9.6 4.1-17.9 9.8-25.1 16.9L385.9 512 256.5 654.2c7.2 7.4 15.6 13.2 25.1 17.4 9.6 4.2 19.8 6.3 30.8 6.3 11.5-.1 22.2-2.4 32.1-6.9 9.9-4.5 18.5-10.8 25.7-18.7L497.8 512m28.4 0 127.5 140.3c7.2 7.9 15.8 14.1 25.7 18.7 9.9 4.5 20.6 6.8 32.1 6.9 11-.1 21.3-2.2 30.8-6.3 9.6-4.2 17.9-9.9 25.1-17.4L638.1 512l129.4-142.2c-7.2-7.2-15.6-12.8-25.1-16.9-9.6-4.1-19.8-6.2-30.8-6.3-11.4.1-22.1 2.4-31.9 6.9-9.8 4.5-18.5 10.8-25.9 18.7L526.2 512" style="fill:#fff"/>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 1.3 KiB

402
topology/non-nixos-machines.nix
View File

@@ -1,402 +0,0 @@
{ config, pkgs, lib, values, ... }:
let
inherit (config.lib.topology) mkDevice;
in {
nodes.balduzius = mkDevice "balduzius" {
guestType = "proxmox";
parent = config.nodes.powerpuff-cluster.id;
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
interfaceGroups = [ [ "ens18" ] ];
interfaces.ens18 = {
network = "pvv";
mac = "00:0c:29:de:05:0f";
addresses = [
"129.241.210.192"
"2001:700:300:1900::1:42"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
services = {
kdc = {
name = "Heimdal KDC";
info = "kdc.pvv.ntnu.no";
details.kdc.text = "0.0.0.0:88";
details.kpasswd.text = "0.0.0.0:464";
};
};
};
nodes.tom = mkDevice "tom" {
guestType = "proxmox";
parent = config.nodes.powerpuff-cluster.id;
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
interfaceGroups = [ [ "ens18" ] ];
interfaces.ens18 = {
network = "pvv";
mac = "00:0c:29:4d:f7:56";
addresses = [
"129.241.210.180"
"2001:700:300:1900::180"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
services = {
apache2 = {
name = "Apache2 - user websites";
info = "www.pvv.ntnu.no/~";
details.listen.text = "0.0.0.0:443";
};
};
};
nodes.hildring = mkDevice "hildring" {
guestType = "proxmox";
parent = config.nodes.powerpuff-cluster.id;
deviceType = "loginbox";
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
interfaceGroups = [ [ "eth0" ] ];
interfaces.eth0 = {
network = "pvv";
mac = "00:0c:29:e7:dd:79";
addresses = [
"129.241.210.176"
"2001:700:300:1900::1:9"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
};
nodes.drolsum = mkDevice "drolsum" {
guestType = "proxmox";
parent = config.nodes.powerpuff-cluster.id;
deviceType = "loginbox";
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
# TODO: the interface name is likely wrong
interfaceGroups = [ [ "eth0" ] ];
interfaces.eth0 = {
network = "pvv";
# mac = "";
addresses = [
"129.241.210.217"
"2001:700:300:1900::217"
"2001:700:300:1900::1:217"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
};
nodes.microbel = mkDevice "microbel" {
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
hardware.info = "Supermicro X8ST3";
interfaceGroups = [ [ "eth0" "eth1" ] ];
interfaces.eth0 = {
mac = "00:25:90:24:76:2c";
addresses = [
"129.241.210.179"
"2001:700:300:1900::1:2"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
services = {
dovecot = {
name = "Dovecot";
info = "imap.pvv.ntnu.no pop.pvv.ntnu.no";
icon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/dovecot.svg";
details.imap.text = "0.0.0.0:993";
details.pop3.text = "0.0.0.0:995";
};
exim4 = {
name = "Exim4";
info = "mail.pvv.ntnu.no mailhost.pvv.ntnu.no";
details.smtp.text = "0.0.0.0:25";
details.smtps.text = "0.0.0.0:465";
details.starttls.text = "0.0.0.0:587";
};
nfs = {
name = "NFS";
info = "homepvv.pvv.ntnu.no";
details.rpcbind.text = "0.0.0.0:111";
};
};
};
nodes.innovation = mkDevice "innovation" {
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/freebsd.svg";
hardware.info = "Dell Optiplex 9010";
interfaceGroups = [ [ "em0" ] ];
interfaces.em0 = {
mac = "18:03:73:20:18:d3";
addresses = [
"129.241.210.214"
"2001:700:300:1900::1:56"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
services = {
minecraft = {
name = "Minecraft";
icon = "services.minecraft";
info = "minecraft.pvv.ntnu.no";
details.listen.text = "0.0.0.0:25565";
details.directory.text = "/srv/minecraft-pvv";
};
};
};
nodes.principal = mkDevice "principal" {
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/freebsd.svg";
# TODO: the interface name is likely wrong
interfaceGroups = [ [ "em0" ] ];
interfaces.em0 = {
# mac = "";
addresses = [
"129.241.210.233"
"2001:700:300:1900::1:233"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
};
nodes.homeassistant = mkDevice "homeassistant" {
deviceIcon = "services.home-assistant";
hardware.info = "Raspberry Pi 4B";
# TODO: the interface name is likely wrong
interfaceGroups = [ [ "eth0" ] ];
interfaces.eth0 = {
# mac = "";
addresses = [
"129.241.210.229"
"2001:700:300:1900::4:229"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
};
nodes.sleipner = mkDevice "sleipner" {
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
interfaceGroups = [ [ "eno0" "enp2s0" ] ];
interfaces.enp2s0 = {
mac = "00:25:90:57:35:8e";
addresses = [
"129.241.210.193"
"2001:700:300:1900:fab:cab:dab:7ab"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
};
nodes.isvegg = mkDevice "isvegg" {
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
# TODO: the interface name is likely wrong
interfaceGroups = [ [ "eth0" ] ];
interfaces.eth0 = {
# mac = "";
addresses = [
"129.241.210.175"
"2001:700:300:1900::1:a"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
services = {
mapcrafter = {
name = "Mapcrafter Minecraft Map";
info = "http://isvegg.pvv.ntnu.no/kart/";
details.directory.text = "/scratch/mckart/kart";
};
gophernicus = {
name = "Gophernicus";
info = "gopher://gopher.pvv.ntnu.no/";
details.directory.text = "/var/gopher";
};
};
};
nodes.ameno = mkDevice "ameno" {
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/ubuntu.svg";
hardware.info = "Raspberry Pi 2B 1.1";
interfaceGroups = [ [ "eth0" ] ];
interfaces.eth0 = {
mac = "b8:27:eb:62:1d:d8";
addresses = [
"129.241.210.230"
"129.241.210.211"
"129.241.210.153"
"2001:700:300:1900:ba27:ebff:fe62:1dd8"
"2001:700:300:1900::4:230"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
services = {
bind = {
name = "Bind DNS";
icon = ./icons/bind9.png;
info = "hostmaster.pvv.ntnu.no";
details.listen.text = "0.0.0.0:53";
};
};
};
nodes.skrott = mkDevice "skrott" {
# TODO: the interface name is likely wrong
interfaceGroups = [ [ "eth0" ] ];
interfaces.eth0 = {
# mac = "";
addresses = [
"129.241.210.235"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
};
nodes.torskas = mkDevice "torskas" {
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/arch_linux.svg";
hardware.info = "Raspberry pi 4B";
# TODO: the interface name is likely wrong
interfaceGroups = [ [ "eth0" ] ];
interfaces.eth0 = {
# mac = "";
addresses = [
"129.241.210.241"
"2001:700:300:1900::241"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
};
nodes.wegonke = mkDevice "wegonke" {
deviceType = "terminal";
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
hardware.info = "ASUSTeK G11CD-K";
interfaceGroups = [ [ "enp4s0" ] ];
interfaces.enp4s0 = {
mac = "70:4d:7b:a3:32:57";
addresses = [
"129.241.210.218"
"2001:700:300:1900::1:218"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
};
nodes.demiurgen = mkDevice "demiurgen" {
deviceType = "terminal";
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
interfaceGroups = [ [ "eno1" ] ];
interfaces.eno1 = {
mac = "18:03:73:1f:f4:1f";
addresses = [
"129.241.210.201"
"2001:700:300:1900::1:4e"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
};
nodes.sanctuary = mkDevice "sanctuary" {
deviceType = "terminal";
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/windows.svg";
interfaceGroups = [ [ "ethernet_0" ] ];
interfaces.ethernet_0 = {
addresses = [
"129.241.210.170"
"2001:700:300:1900::1337"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
};
nodes.orchid = mkDevice "orchid" {
deviceType = "terminal";
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
hardware.info = "Ryzen1600 Nvidia GTX 1060";
# TODO: the interface name is likely wrong
interfaceGroups = [ [ "eth0" ] ];
interfaces.eth0 = {
addresses = [
"129.241.210.210"
"2001:700:300:1900::210"
];
gateways = [
values.hosts.gateway
values.hosts.gateway6
];
};
};
}

13
topology/service-extractors/gitea-runners.nix
View File

@@ -1,13 +0,0 @@
{ config, unstablePkgs, lib, ... }:
let
cfg = config.services.gitea-actions-runner;
in
{
config.topology.self.services = lib.mapAttrs' (name: instance: {
name = "gitea-runner-${name}";
value = {
name = "Gitea runner ${name}";
icon = "services.gitea";
};
}) (lib.filterAttrs (_: instance: instance.enable) cfg.instances);
}

11
topology/service-extractors/greg-ng.nix
View File

@@ -1,11 +0,0 @@
{ config, lib, ... }:
let
cfg = config.services.greg-ng or { enable = false; };
in
{
config.topology.self.services.greg-ng = lib.mkIf cfg.enable {
name = "Greg-ng";
icon = ../icons/greg-ng.png;
details.listen = { text = "${cfg.settings.host}:${toString cfg.settings.port}"; };
};
}

19
topology/service-extractors/mysql.nix
View File

@@ -1,19 +0,0 @@
{ config, unstablePkgs, lib, ... }:
let
cfg = config.services.mysql;
cfgBak = config.services.mysqlBackup;
in
{
config.topology.self.services.mysql = lib.mkIf cfg.enable {
name = "MySQL";
icon = "${unstablePkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/mysql.svg";
details.listen.text = "${cfg.settings.mysqld.bind-address or "127.0.0.1"}:${toString (cfg.settings.mysqld.port or 3306)}";
details.socket.text = cfg.settings.mysqld.socket or "/run/mysqld/mysqld.sock";
details.type.text = cfg.package.pname;
details.dataDir.text = cfg.dataDir;
# details.backup-time = lib.mkIf cfgBak.enable cfgBak.calendar;
# details.backup-location = lib.mkIf cfgBak.enable cfgBak.location;
};
}

19
topology/service-extractors/postgresql.nix
View File

@@ -1,19 +0,0 @@
{ config, unstablePkgs, lib, ... }:
let
cfg = config.services.postgresql;
cfgBak = config.services.postgresqlBackup;
in
{
config.topology.self.services.postgresql = lib.mkIf cfg.enable {
name = "PostgreSQL";
icon = "${unstablePkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/postgresql.svg";
details.listen.text = lib.mkIf cfg.enableTCPIP "0.0.0.0:${toString cfg.settings.port}";
details.socket.text = "/run/postgresql/.s.PGSQL.${toString cfg.settings.port}";
details.version.text = cfg.package.version;
details.dataDir.text = cfg.dataDir;
# details.backup-time = lib.mkIf cfgBak.enable cfgBak.startAt;
# details.backup-location = lib.mkIf cfgBak.enable cfgBak.location;
};
}

17
values.nix
View File

@@ -1,13 +1,8 @@
# Feel free to change the structure of this file # Feel free to change the structure of this file
let let
ntnu-ipv4 = suffix: "129.241.${toString suffix}"; pvv-ipv4 = suffix: "129.241.210.${toString suffix}";
ntnu-ipv6 = suffix: "2001:700:300:${toString suffix}"; pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
pvv-ipv4 = suffix: ntnu-ipv4 "210.${toString suffix}";
pvv-ipv6 = suffix: ntnu-ipv6 "1900::${toString suffix}";
in rec { in rec {
ntnu.ipv4-space = ntnu-ipv4 "0.0/16"; # https://ipinfo.io/ips/129.241.0.0/16
ntnu.ipv6-space = ntnu-ipv6 ":/48"; # https://ipinfo.io/2001:700:300::
ipv4-space = pvv-ipv4 "128/25"; ipv4-space = pvv-ipv4 "128/25";
ipv6-space = pvv-ipv6 "/64"; ipv6-space = pvv-ipv6 "/64";
@@ -32,10 +27,6 @@ in rec {
gateway = pvv-ipv4 129; gateway = pvv-ipv4 129;
gateway6 = pvv-ipv6 1; gateway6 = pvv-ipv6 1;
bakke = {
ipv4 = pvv-ipv4 173;
ipv6 = pvv-ipv6 173;
};
bekkalokk = { bekkalokk = {
ipv4 = pvv-ipv4 168; ipv4 = pvv-ipv4 168;
ipv6 = pvv-ipv6 168; ipv6 = pvv-ipv6 168;
@@ -73,10 +64,6 @@ in rec {
ipv4 = pvv-ipv4 234; ipv4 = pvv-ipv4 234;
ipv6 = pvv-ipv6 234; ipv6 = pvv-ipv6 234;
}; };
temmie = {
ipv4 = pvv-ipv4 167;
ipv6 = pvv-ipv6 167;
};
wenche = { wenche = {
ipv4 = pvv-ipv4 240; ipv4 = pvv-ipv4 240;
ipv6 = pvv-ipv6 240; ipv6 = pvv-ipv6 240;