Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: Cloonar:351d36b217103df4d56553c0e6f2e1a13a77ebce
Branches Tags
Cloonar:master
..
compare: Cloonar:master
Branches Tags
Cloonar:master

51 Commits
351d36b217 ... master

Author SHA1 Message Date
Dominik Polakovics
10fb8e88ce fix: change click and load package name 2025-12-10 13:36:33 +01:00
Dominik Polakovics
5f300d9e7b feat: nb initial click and load 2025-12-10 12:49:30 +01:00
Dominik Polakovics
99ac2ea3b0 feat: nas move archive extraction to filebot script 2025-12-10 11:40:19 +01:00
Dominik Polakovics
2caa36c0ab fix: nas filebot and add extraction passwords 2025-12-10 11:29:05 +01:00
Dominik Polakovics
55c15c790d fix: fw lightning 2025-12-10 11:28:08 +01:00
Dominik Polakovics
450d9d6457 fix: claude.md update 2025-12-07 12:59:43 +01:00
Dominik Polakovics
e08bf42eaa fix: nas leds and disks 2025-12-07 12:59:27 +01:00
Dominik Polakovics
8e0e5c0d16 feat: add disks to monitoring 2025-12-05 21:57:58 +01:00
Dominik Polakovics
ada9db7942 feat: add disks to nas 2025-12-04 15:01:47 +01:00
Dominik Polakovics
5995612407 fix: amzebs add mysql port 2025-12-04 12:46:28 +01:00
Dominik Polakovics
5762916970 feat: add mcp server 2025-12-04 11:39:17 +01:00
Dominik Polakovics
dd456eab69 feat: update pyload 2025-12-04 11:39:08 +01:00
Dominik Polakovics
18a8fde66e feat: add uv for mcp 2025-12-04 11:38:22 +01:00
Dominik Polakovics
f97c9185c1 docs: update claude 2025-12-02 11:28:05 +01:00
Dominik Polakovics
8bf4b185a1 feat(nas): update to 25.11, add software, add storage plan 2025-12-02 11:27:52 +01:00
Dominik Polakovics
8424d771f6 feat(fw): update to 25.11 2025-12-02 08:34:57 +01:00
Dominik Polakovics
840f99a7e9 feat(amzebs-01): update to 25.11 2025-12-01 23:02:35 +01:00
Dominik Polakovics
1b27bafd41 feat(web-arm): update to 25.11 
- Migrate logind.extraConfig to logind.settings.Login
- Update dovecot alert for service rename (dovecot2 → dovecot)
- Fix sa-core buildGoModule env attribute for CGO_ENABLED
 2025-12-01 22:48:02 +01:00
Dominik Polakovics
4770d671c0 docs: add commit footer convention to CLAUDE.md 2025-12-01 22:25:08 +01:00
Dominik Polakovics
28a7bed3b9 feat(mail): update to 25.11 with TLS hardening 
- Upgrade NixOS channel from 25.05 to 25.11
- Fix dovecot systemd service rename (dovecot2 -> dovecot)
- Convert postfix numeric settings to integers (25.11 requirement)
- Remove insecure 512-bit DH params, fix 2048-bit DH params
- Update postfix ciphers to modern ECDHE/DHE+AESGCM/CHACHA20
- Require TLS 1.2 minimum for OpenLDAP
- Remove weak ciphers (3DES, RC4, aNULL) from OpenLDAP
 2025-12-01 22:24:57 +01:00
Dominik Polakovics
170becceb0 fix: nvim 2025-12-01 22:05:24 +01:00
Dominik Polakovics
6e8f530537 feat: amz add cron job 2025-12-01 16:17:45 +01:00
Dominik Polakovics
209bafd70f feat: test-configuration script get real errors 2025-12-01 16:17:28 +01:00
Dominik Polakovics
1d182437db feat: nb update to 25.11 2025-12-01 16:17:10 +01:00
Dominik Polakovics
6c046a549e feat: change pushover emergency on alerts 2025-12-01 13:29:37 +01:00
Dominik Polakovics
0a30a2ac23 fix: ai-mailer restart on secret change 2025-12-01 13:29:26 +01:00
Dominik Polakovics
82c15e8d26 feat: pyload config change, cyberghost change 2025-11-30 19:53:13 +01:00
Dominik Polakovics
f277d089bd feat: add cyberghost module 2025-11-30 19:29:33 +01:00
Dominik Polakovics
7ed345b8e8 feat: add pyload extraction passwords 2025-11-30 19:29:24 +01:00
Dominik Polakovics
bd6b15b617 changes 2025-11-29 22:42:09 +01:00
Dominik Polakovics
3282b7d634 fix: monitoring 2025-11-29 22:42:00 +01:00
Dominik Polakovics
21ed381d18 fix: pyload 2025-11-29 22:41:48 +01:00
Dominik Polakovics
4500f41983 feat: add ugreen nas leds 2025-11-29 13:12:18 +01:00
Dominik Polakovics
1d30eeb939 feat: update victoriametrics secret 2025-11-28 23:51:33 +01:00
Dominik Polakovics
537f144885 feat: add smart alerting and noatime to disks 2025-11-28 23:50:24 +01:00
Dominik Polakovics
dbada3c509 feat: change harddisk nas 2025-11-28 21:17:07 +01:00
Dominik Polakovics
c8be707420 fix: nas handling 2025-11-28 20:54:12 +01:00
Dominik Polakovics
fdba2c75c7 feat: add nas host 2025-11-28 20:53:47 +01:00
Dominik Polakovics
55d600c0c0 feat: add nas to fleet 2025-11-28 18:49:56 +01:00
Dominik Polakovics
71c5bd5e6c change claude 2025-11-28 01:57:30 +01:00
Dominik Polakovics
998f04713f fix(nb): additional sops.lua bug fixes 
- Use nvim_buf_get_name(args.buf) instead of vim.fn.expand("%:p") in BufReadPost
- Add timeout to encrypt operation to prevent infinite hangs
- Add microsecond precision to temp file names to prevent collisions
- Strip trailing newline before vim.split to avoid extra empty lines
- Add trailing newline when writing temp file for POSIX compliance

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-11-28 01:54:20 +01:00
Dominik Polakovics
6935fbea8b fix: sops implementation 2025-11-28 01:32:23 +01:00
Dominik Polakovics
301e090251 feat: add Claude.md 2025-11-28 01:00:55 +01:00
Dominik Polakovics
58d8ef050c feat: install own claude-code 2025-11-27 22:10:05 +01:00
Dominik Polakovics
41cb2ec791 fix: update script for claude-code 2025-11-27 22:09:48 +01:00
Dominik Polakovics
1faec5b2d1 feat: add updated claude code 2025-11-27 21:49:24 +01:00
Dominik Polakovics
111b8cec97 feat: change rustdesk for epicenter 2025-11-27 21:49:11 +01:00
Dominik Polakovics
3aaebdb1c4 fix: filebot 2025-11-27 12:50:00 +01:00
Dominik Polakovics
3e7b8c93e3 feat: split pyload 2025-11-26 22:39:07 +01:00
Dominik Polakovics
3e2f46377e fix: pyload and filebot 2025-11-26 21:08:58 +01:00
Dominik Polakovics
38bead3dc8 fix: pyload 2025-11-26 12:48:24 +01:00
84 changed files with 4169 additions and 896 deletions
Expand all files Collapse all files

8
.mcp.json Normal file
View File

@@ -0,0 +1,8 @@
{
"mcpServers": {
"nixos": {
"command": "uvx",
"args": ["mcp-nixos"]
}
}
}

11
.sops.yaml
View File

@@ -16,6 +16,7 @@ keys:
- &gpd-win4 age1ceg548u5ma6rgu3xgvd254y5xefqrdqfqhcjsjp3255q976fgd2qaua53d
- &nb age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
- &amzebs-01 age1xcgc6u7fmc2trgxtdtf5nhrd7axzweuxlg0ya9jre3sdrg6c6easecue9w
- &nas age1x3elhtccp4u8ha5ry32juj9fkpg0qg7qqx4gduuehgwwnnhcxp8s892hek
creation_rules:
- path_regex: ^[^/]+\.yaml$
@@ -80,6 +81,14 @@ creation_rules:
- *dominik2
- *nb
- *amzebs-01
- path_regex: hosts/nas/[^/]+\.yaml$
key_groups:
- age:
- *bitwarden
- *dominik
- *dominik2
- *nb
- *nas
- path_regex: hosts/mail/[^/]+\.yaml$
key_groups:
- age:
@@ -129,6 +138,7 @@ creation_rules:
- *netboot
- *fw
- *fw-new
- *nas
- *amzebs-01
- path_regex: utils/modules/victoriametrics/[^/]+\.yaml$
key_groups:
@@ -142,4 +152,5 @@ creation_rules:
- *netboot
- *fw
- *fw-new
- *nas
- *amzebs-01

100
CLAUDE.md Normal file
View File

@@ -0,0 +1,100 @@
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Repository Overview
This is a NixOS infrastructure repository managing multiple hosts (servers and personal machines) using a modular Nix configuration approach with SOPS for secrets management and Bento for deployment.
## Build and Test Commands
```bash
# Enter development shell (sets up MCP configs)
nix-shell
# Test configuration before deployment (required before PRs)
./scripts/test-configuration <hostname>
./scripts/test-configuration -v <hostname> # with --show-trace
# Edit encrypted secrets
nix-shell -p sops --run 'sops hosts/<hostname>/secrets.yaml'
# Update secrets keys after adding new age keys
./scripts/update-secrets-keys
# Format Nix files
nix run nixpkgs#nixpkgs-fmt .
# Compute hash for new packages
nix hash to-sri --type sha256 $(nix-prefetch-url https://example.com/file.tar.gz)
```
## Architecture
### Host Structure
Each host in `hosts/<hostname>/` contains:
- `configuration.nix` - Main entry point importing modules
- `hardware-configuration.nix` - Machine-specific hardware config
- `secrets.yaml` - SOPS-encrypted secrets
- `modules/` - Host-specific service configurations
- `fleet.nix` → symlink to root `fleet.nix` (SFTP user provisioning)
- `utils/` → symlink to root `utils/` (shared modules)
Current hosts: `fw` (firewall/router), `nb` (notebook), `web-arm`, `mail`, `amzebs-01`, `nas`
### Shared Components (`utils/`)
- `modules/` - Reusable NixOS modules (nginx, sops, borgbackup, lego, promtail, etc.)
- `overlays/` - Nixpkgs overlays
- `pkgs/` - Custom package derivations
- `bento.nix` - Deployment helper module
### Secrets Management
- SOPS with age encryption; keys defined in `.sops.yaml`
- Each host has its own age key derived from SSH host key
- Host secrets in `hosts/<hostname>/secrets.yaml`
- Shared module secrets in `utils/modules/<module>/secrets.yaml`
**IMPORTANT: Never modify secrets files directly.** Instead, tell the user which secrets need to be added and where, so they can edit the encrypted files themselves using:
```bash
nix-shell -p sops --run 'sops hosts/<hostname>/secrets.yaml'
```
### Deployment
The Git runner handles deployment automatically when changes merge to main. A successful `./scripts/test-configuration <host>` dry-build is the gate before pushing.
## Custom Packages
When creating a new package in `utils/pkgs/`, always include an `update.sh` script to automate version updates. See `utils/pkgs/claude-code/update.sh` for the pattern:
1. Fetch latest version from upstream (npm, GitHub, etc.)
2. Update version string in `default.nix`
3. Update source hash using `nix-prefetch-url`
4. Update dependency hashes (e.g., `npmDepsHash`) by triggering a build with a fake hash
5. Verify the final build succeeds
Example structure:
```
utils/pkgs/<package-name>/
├── default.nix
├── update.sh # Always include this
└── (other files like patches, lock files)
```
**IMPORTANT: When modifying a custom package** (patches, version updates, etc.), always test by building the package directly, not just running `test-configuration`. The configuration test only checks that the Nix expression evaluates, but doesn't verify the package actually builds:
```bash
# Build a custom package directly to verify it works
nix-build -E 'with import <nixpkgs> { overlays = [ (import ./utils/overlays/packages.nix) ]; config.allowUnfree = true; }; <package-name>'
```
## Workflow
**IMPORTANT: Always run `./scripts/test-configuration <hostname>` after making any changes** to verify the NixOS configuration builds successfully. This is required before committing.
## Conventions
- Nix files: two-space indentation, lower kebab-case naming
- Commits: Conventional Commits format (`fix:`, `feat:`, `chore:`), scope by host when relevant (`fix(mail):`). Do not add "Generated with Claude Code" or "Co-Authored-By: Claude" footers.
- Modules import via explicit paths, not wildcards
- Comments explain non-obvious decisions (open ports, unusual service options)
- **Never update `system.stateVersion`** - it should remain at the original installation version. To upgrade NixOS, update the `channel` file instead.

2
README.md
View File

@@ -39,7 +39,7 @@ cat ~/.ssh/id_rsa.pub | ssh -p23 u149513-subx@u149513-subx.your-backup.de instal
# 4. Add new Host
```console
sftp host.cloonar.com@git.cloonar.com:/config/bootstrap.sh ./
sftp host@git.cloonar.com:/config/bootstrap.sh ./
```
# 5. Yubikey

5
fleet.nix
View File

@@ -47,6 +47,11 @@
username = "gpd-win4";
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILjfS2DtS8PQgkf86dU+EVu5t+r/QlCWmY7+RPYprQrO";
}
{
username = "nas";
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICS6b97LPUpr7/kWvOcI40s5e+gfbfz0I2/hAPL6zTmU";
}
{
username = "amzebs-01";
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMkFZ60SPl8pzEtGrFq1+n6ZkDuNe3xJaccJMjr3y/q";

1
hosts/amzebs-01/channel Normal file
View File

@@ -0,0 +1 @@
https://channels.nixos.org/nixos-25.11

6
hosts/amzebs-01/configuration.nix
View File

@@ -3,10 +3,12 @@
./utils/bento.nix
./utils/modules/sops.nix
./utils/modules/nginx.nix
./utils/modules/set-nix-channel.nix
./modules/mysql.nix
./modules/web/stack.nix
./modules/laravel-storage.nix
./modules/laravel-scheduler.nix
./modules/blackbox-exporter.nix
./modules/postfix.nix
./modules/rspamd.nix
@@ -67,7 +69,7 @@
networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
allowedTCPPorts = [ 22 80 443 3306 ];
# Allow MariaDB access only from specific IP
extraCommands = ''
@@ -75,5 +77,5 @@
'';
};
system.stateVersion = "23.11";
system.stateVersion = "25.11";
}

51
hosts/amzebs-01/modules/laravel-scheduler.nix Normal file
View File

@@ -0,0 +1,51 @@
{ config, lib, pkgs, ... }:
# Daily scheduled Laravel artisan jobs
# Runs artisan finish:reports at 01:00 for production and staging APIs
let
php = pkgs.php82;
sites = [
{
domain = "api.ebs.amz.at";
user = "api_ebs_amz_at";
}
{
domain = "api.stage.ebs.amz.at";
user = "api_stage_ebs_amz_at";
}
];
mkArtisanService = site: {
name = "artisan-finish-reports-${site.domain}";
value = {
description = "Laravel artisan finish:reports for ${site.domain}";
after = [ "network.target" "mysql.service" "phpfpm-${site.domain}.service" ];
serviceConfig = {
Type = "oneshot";
User = site.user;
Group = "nginx";
WorkingDirectory = "/var/www/${site.domain}";
ExecStart = "${php}/bin/php artisan finish:reports";
};
};
};
mkArtisanTimer = site: {
name = "artisan-finish-reports-${site.domain}";
value = {
description = "Daily timer for artisan finish:reports on ${site.domain}";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-*-* 01:00:00";
Persistent = true;
};
};
};
in
{
systemd.services = builtins.listToAttrs (map mkArtisanService sites);
systemd.timers = builtins.listToAttrs (map mkArtisanTimer sites);
}

21
hosts/amzebs-01/modules/postfix.nix
View File

@@ -3,15 +3,16 @@
, config
, ...
}:
{
# Header checks file for validating email headers
environment.etc."postfix/header_checks".text = ''
let
headerChecksFile = pkgs.writeText "header_checks" ''
# Warn about missing critical headers (but don't reject from localhost)
# These help identify misconfigured applications
/^$/ WARN Missing headers detected
'';
in
{
services.postfix = {
mapFiles."header_checks" = headerChecksFile;
enable = true;
hostname = "amzebs-01.amz.at";
domain = "amz.at";
@@ -34,20 +35,20 @@
compatibility_level = "2";
# Only accept mail from localhost
mynetworks = "127.0.0.0/8 [::1]/128";
mynetworks = [ "127.0.0.0/8" "[::1]/128" ];
# Larger message size limits for attachments
mailbox_size_limit = "202400000"; # ~200MB
message_size_limit = "51200000"; # ~50MB
mailbox_size_limit = 202400000; # ~200MB
message_size_limit = 51200000; # ~50MB
# Ensure proper header handling
# Reject mail that's missing critical headers
header_checks = "regexp:/etc/postfix/header_checks";
header_checks = "regexp:/var/lib/postfix/conf/header_checks";
# Rate limiting to prevent spam-like behavior
# Allow reasonable sending rates for applications
smtpd_client_message_rate_limit = "100";
smtpd_client_recipient_rate_limit = "200";
smtpd_client_message_rate_limit = 100;
smtpd_client_recipient_rate_limit = 200;
# Milter configuration is handled automatically by rspamd.postfix.enable
};

2
hosts/fw/channel
View File

@@ -1 +1 @@
https://channels.nixos.org/nixos-25.05
https://channels.nixos.org/nixos-25.11

7
hosts/fw/configuration.nix
View File

@@ -7,8 +7,10 @@
./utils/modules/nginx.nix
./utils/modules/autoupgrade.nix
./utils/modules/victoriametrics
./utils/modules/promtail
./utils/modules/borgbackup.nix
./utils/modules/set-nix-channel.nix
# fw
./modules/network-prefix.nix
@@ -25,7 +27,6 @@
./modules/podman.nix
./modules/omada.nix
./modules/ddclient.nix
./utils/modules/victoriametrics
# ./modules/wol.nix
@@ -49,7 +50,7 @@
./modules/firefox-sync.nix
./modules/fivefilters.nix
./modules/pyload.nix
# ./modules/pyload
# home assistant
./modules/home-assistant
@@ -103,7 +104,7 @@
time.timeZone = "Europe/Vienna";
services.logind.extraConfig = "RuntimeDirectorySize=2G";
services.logind.settings.Login.RuntimeDirectorySize = "2G";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.defaultSopsFile = ./secrets.yaml;

2
hosts/fw/modules/ai-mailer.nix
View File

@@ -104,6 +104,8 @@
restartTriggers = [
"/etc/ai-mailer/config.yaml"
config.sops.secrets.ai-mailer-imap-password.path
config.sops.secrets.ai-mailer-openrouter-key.path
];
};
}

1
hosts/fw/modules/dnsmasq.nix
View File

@@ -73,6 +73,7 @@
"02:00:00:00:00:04,${config.networkPrefix}.97.6,matrix"
"ea:db:d4:c1:18:ba,${config.networkPrefix}.97.50,git"
"c2:4f:64:dd:13:0c,${config.networkPrefix}.97.20,home-assistant"
"6c:1f:f7:8e:a9:86,${config.networkPrefix}.97.11,nas"
"1a:c4:04:6e:29:02,${config.networkPrefix}.101.25,deconz"
"c4:a7:2b:c7:ea:30,${config.networkPrefix}.99.10,metz"

9
hosts/fw/modules/home-assistant/light.nix
View File

@@ -396,7 +396,13 @@
all = true;
entities = [
"light.livingroom_switch"
"light.living_room"
"light.living_bulb_1"
"light.living_bulb_2"
"light.living_bulb_3"
"light.living_bulb_4"
"light.living_bulb_5"
"light.living_bulb_6"
# "light.living_room"
];
}
{
@@ -410,6 +416,7 @@
all = true;
entities = [
"light.kitchen_switch"
"light.kitchen_bulb_1"
"light.kitchen"
];
}

300
hosts/fw/modules/pyload.nix
View File

@@ -1,300 +0,0 @@
{ config, pkgs, ... }:
let
cids = import ./staticids.nix;
networkPrefix = config.networkPrefix;
# FileBot post-processing script
filebotScript = pkgs.writeShellScript "filebot-process.sh" ''
#!/usr/bin/env bash
set -euo pipefail
# FileBot AMC script for automated media organization
# Arguments: $1 = download directory (passed by pyload)
DOWNLOAD_DIR="''${1:-/downloads}"
OUTPUT_DIR="/multimedia"
LOG_FILE="/var/lib/filebot/amc.log"
EXCLUDE_LIST="/var/lib/filebot/amc-exclude-list.txt"
# Ensure log directory exists
mkdir -p "$(dirname "$LOG_FILE")"
touch "$EXCLUDE_LIST"
echo "$(date): Starting FileBot processing for: $DOWNLOAD_DIR" >> "$LOG_FILE"
# Run FileBot AMC script
${pkgs.filebot}/bin/filebot \
-script fn:amc \
--output "$OUTPUT_DIR" \
--action move \
--conflict auto \
-non-strict \
--log-file "$LOG_FILE" \
--def \
excludeList="$EXCLUDE_LIST" \
movieFormat="$OUTPUT_DIR/movies/{n} ({y})/{n} ({y}) - {vf}" \
seriesFormat="$OUTPUT_DIR/tv-shows/{n}/Season {s.pad(2)}/{n} - {s00e00} - {t}" \
ut_dir="$DOWNLOAD_DIR" \
ut_kind=multi \
clean=y \
skipExtract=y
# Clean up empty directories
find "$DOWNLOAD_DIR" -type d -empty -delete 2>/dev/null || true
echo "$(date): FileBot processing completed" >> "$LOG_FILE"
'';
pyloadUser = {
isSystemUser = true;
uid = cids.uids.pyload;
group = "pyload";
home = "/var/lib/pyload";
createHome = true;
};
pyloadGroup = {
gid = cids.gids.pyload;
};
jellyfinUser = {
isSystemUser = true;
uid = cids.uids.jellyfin;
group = "jellyfin";
home = "/var/lib/jellyfin";
createHome = true;
extraGroups = [ "render" "video" ];
};
jellyfinGroup = {
gid = cids.gids.jellyfin;
};
filebotUser = {
isSystemUser = true;
uid = cids.uids.filebot;
group = "filebot";
home = "/var/lib/filebot";
createHome = true;
extraGroups = [ "pyload" "jellyfin" ]; # Access to both download and media directories
};
filebotGroup = {
gid = cids.gids.filebot;
};
in
{
users.users.pyload = pyloadUser;
users.groups.pyload = pyloadGroup;
users.users.jellyfin = jellyfinUser;
users.groups.jellyfin = jellyfinGroup;
users.users.filebot = filebotUser;
users.groups.filebot = filebotGroup;
# Create the directory structure on the host
systemd.tmpfiles.rules = [
"d /var/lib/downloads 0755 pyload pyload - -"
"d /var/lib/multimedia 0775 root jellyfin - -"
"d /var/lib/multimedia/movies 0775 jellyfin jellyfin - -"
"d /var/lib/multimedia/tv-shows 0775 jellyfin jellyfin - -"
"d /var/lib/multimedia/music 0755 jellyfin jellyfin - -"
"d /var/lib/jellyfin 0755 jellyfin jellyfin - -"
"d /var/lib/filebot 0755 filebot filebot - -"
];
# FileBot license secret
sops.secrets.filebot-license = {
mode = "0440";
owner = config.users.users.root.name;
group = config.users.groups.root.name;
};
containers.pyload = {
autoStart = true;
ephemeral = false;
privateNetwork = true;
hostBridge = "server";
hostAddress = "${networkPrefix}.97.1";
localAddress = "${networkPrefix}.97.11/24";
# GPU device passthrough for hardware transcoding
allowedDevices = [
{
modifier = "rwm";
node = "/dev/dri/card0";
}
{
modifier = "rwm";
node = "/dev/dri/renderD128";
}
];
bindMounts = {
"/dev/dri" = {
hostPath = "/dev/dri";
isReadOnly = false;
};
"/run/opengl-driver" = {
hostPath = "/run/opengl-driver";
isReadOnly = true;
};
"/nix/store" = {
hostPath = "/nix/store";
isReadOnly = true;
};
"/var/lib/pyload" = {
hostPath = "/var/lib/pyload";
isReadOnly = false;
};
"/var/lib/jellyfin" = {
hostPath = "/var/lib/jellyfin";
isReadOnly = false;
};
"/downloads" = {
hostPath = "/var/lib/downloads";
isReadOnly = false;
};
"/multimedia" = {
hostPath = "/var/lib/multimedia";
isReadOnly = false;
};
"/var/lib/filebot" = {
hostPath = "/var/lib/filebot";
isReadOnly = false;
};
"/var/lib/filebot/license.psm" = {
hostPath = config.sops.secrets.filebot-license.path;
isReadOnly = true;
};
};
config = { lib, config, pkgs, ... }: {
nixpkgs.overlays = [
(import ../utils/overlays/packages.nix)
];
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"unrar"
"filebot"
];
environment.systemPackages = with pkgs; [
unrar # Required for RAR archive extraction
filebot # Automated media file organization
];
# Intel graphics support for hardware transcoding
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
vpl-gpu-rt
intel-compute-runtime
];
};
# Set VA-API driver to iHD (modern Intel driver for N100)
environment.sessionVariables = {
LIBVA_DRIVER_NAME = "iHD";
};
networking = {
hostName = "pyload";
useHostResolvConf = false;
defaultGateway = {
address = "${networkPrefix}.97.1";
interface = "eth0";
};
nameservers = [ "${networkPrefix}.97.1" ];
firewall.enable = false;
};
services.pyload = {
enable = true;
downloadDirectory = "/downloads";
listenAddress = "0.0.0.0";
port = 8000;
};
services.jellyfin = {
enable = true;
openFirewall = true;
};
# Override systemd hardening for GPU access
systemd.services.jellyfin = {
serviceConfig = {
PrivateUsers = lib.mkForce false; # Disable user namespacing - breaks GPU device access
DeviceAllow = [
"/dev/dri/card0 rw"
"/dev/dri/renderD128 rw"
];
SupplementaryGroups = [ "render" "video" ]; # Critical: Explicit group membership for GPU access
};
environment = {
LIBVA_DRIVER_NAME = "iHD"; # Ensure service sees this variable
};
};
# Disable SSL certificate verification
systemd.services.pyload = {
environment = {
PYLOAD__GENERAL__SSL_VERIFY = "0";
# Enable ExtractArchive plugin
PYLOAD__EXTRACTARCHIVE__ENABLED = "1";
PYLOAD__EXTRACTARCHIVE__DELETE = "1";
PYLOAD__EXTRACTARCHIVE__DELTOTRASH = "0";
PYLOAD__EXTRACTARCHIVE__REPAIR = "1";
PYLOAD__EXTRACTARCHIVE__RECURSIVE = "1";
PYLOAD__EXTRACTARCHIVE__FULLPATH = "1";
};
# Bind-mount DNS configuration files and system tools into the chroot
serviceConfig = {
BindReadOnlyPaths = [
"/etc/resolv.conf"
"/etc/nsswitch.conf"
"/etc/hosts"
"/etc/ssl"
"/etc/static/ssl"
# Make all system packages (including unrar and filebot) accessible
"/run/current-system/sw/bin"
];
};
};
# FileBot processing service
systemd.services.filebot-process = {
description = "FileBot media file processing";
serviceConfig = {
Type = "oneshot";
User = "filebot";
Group = "filebot";
ExecStart = "${filebotScript}";
};
};
# Watch for completed downloads and trigger FileBot
systemd.paths.filebot-watch = {
description = "Watch for completed downloads";
wantedBy = [ "multi-user.target" ];
pathConfig = {
PathModified = "/downloads";
Unit = "filebot-process.service";
};
};
# Ensure render/video groups exist with consistent GIDs for GPU access
users.groups.render = { gid = 303; };
users.groups.video = { gid = 26; };
users.users.pyload = pyloadUser;
users.groups.pyload = pyloadGroup;
users.users.jellyfin = jellyfinUser;
users.groups.jellyfin = jellyfinGroup;
users.users.filebot = filebotUser;
users.groups.filebot = filebotGroup;
system.stateVersion = "24.05";
};
};
}

153
hosts/fw/modules/pyload/default.nix Normal file
View File

@@ -0,0 +1,153 @@
{ config, pkgs, ... }:
let
cids = import ../staticids.nix;
networkPrefix = config.networkPrefix;
filebotScript = pkgs.callPackage ./filebot-process.nix {};
pyloadUser = {
isSystemUser = true;
uid = cids.uids.pyload;
group = "pyload";
home = "/var/lib/pyload";
createHome = true;
extraGroups = [ "jellyfin" ]; # Access to multimedia directories
};
pyloadGroup = {
gid = cids.gids.pyload;
};
jellyfinUser = {
isSystemUser = true;
uid = cids.uids.jellyfin;
group = "jellyfin";
home = "/var/lib/jellyfin";
createHome = true;
extraGroups = [ "render" "video" ];
};
jellyfinGroup = {
gid = cids.gids.jellyfin;
};
in
{
users.users.pyload = pyloadUser;
users.groups.pyload = pyloadGroup;
users.users.jellyfin = jellyfinUser;
users.groups.jellyfin = jellyfinGroup;
# Create the directory structure on the host
systemd.tmpfiles.rules = [
"d /var/lib/downloads 0755 pyload pyload - -"
"d /var/lib/multimedia 0775 root jellyfin - -"
"d /var/lib/multimedia/movies 0775 jellyfin jellyfin - -"
"d /var/lib/multimedia/tv-shows 0775 jellyfin jellyfin - -"
"d /var/lib/multimedia/music 0755 jellyfin jellyfin - -"
"d /var/lib/jellyfin 0755 jellyfin jellyfin - -"
# PyLoad hook scripts directory
"d /var/lib/pyload/config 0755 pyload pyload - -"
"d /var/lib/pyload/config/scripts 0755 pyload pyload - -"
"d /var/lib/pyload/config/scripts/package_extracted 0755 pyload pyload - -"
"L+ /var/lib/pyload/config/scripts/package_extracted/filebot-process.sh - - - - ${filebotScript}/bin/filebot-process"
];
# FileBot license secret
sops.secrets.filebot-license = {
mode = "0440";
owner = "pyload";
group = "pyload";
};
containers.pyload = {
autoStart = true;
ephemeral = false;
privateNetwork = true;
hostBridge = "server";
hostAddress = "${networkPrefix}.97.1";
localAddress = "${networkPrefix}.97.11/24";
# GPU device passthrough for hardware transcoding
allowedDevices = [
{
modifier = "rwm";
node = "/dev/dri/card0";
}
{
modifier = "rwm";
node = "/dev/dri/renderD128";
}
];
bindMounts = {
"/dev/dri" = {
hostPath = "/dev/dri";
isReadOnly = false;
};
"/run/opengl-driver" = {
hostPath = "/run/opengl-driver";
isReadOnly = true;
};
"/nix/store" = {
hostPath = "/nix/store";
isReadOnly = true;
};
"/var/lib/pyload" = {
hostPath = "/var/lib/pyload";
isReadOnly = false;
};
"/var/lib/jellyfin" = {
hostPath = "/var/lib/jellyfin";
isReadOnly = false;
};
"/downloads" = {
hostPath = "/var/lib/downloads";
isReadOnly = false;
};
"/multimedia" = {
hostPath = "/var/lib/multimedia";
isReadOnly = false;
};
"/var/lib/pyload/filebot-license.psm" = {
hostPath = config.sops.secrets.filebot-license.path;
isReadOnly = true;
};
};
config = { lib, config, pkgs, ... }: {
nixpkgs.overlays = [
(import ../../utils/overlays/packages.nix)
];
imports = [
./pyload.nix
./jellyfin.nix
];
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"unrar"
"filebot"
];
networking = {
hostName = "pyload";
useHostResolvConf = false;
defaultGateway = {
address = "${networkPrefix}.97.1";
interface = "eth0";
};
nameservers = [ "${networkPrefix}.97.1" ];
firewall.enable = false;
};
# Ensure render/video groups exist with consistent GIDs for GPU access
users.groups.render = { gid = 303; };
users.groups.video = { gid = 26; };
users.users.pyload = pyloadUser;
users.groups.pyload = pyloadGroup;
users.users.jellyfin = jellyfinUser;
users.groups.jellyfin = jellyfinGroup;
system.stateVersion = "24.05";
};
};
}

89
hosts/fw/modules/pyload/filebot-process.nix Normal file
View File

@@ -0,0 +1,89 @@
{ pkgs }:
pkgs.writeShellScriptBin "filebot-process" ''
#!/usr/bin/env bash
set -euo pipefail
# FileBot AMC script for automated media organization
# Called by PyLoad's package_extracted hook with parameters:
# $1 = package_id
# $2 = package_name
# $3 = download_folder (actual path to extracted files)
# $4 = password (optional)
PACKAGE_ID="''${1:-}"
PACKAGE_NAME="''${2:-unknown}"
DOWNLOAD_DIR="''${3:-/downloads}"
PASSWORD="''${4:-}"
OUTPUT_DIR="/multimedia"
LOG_FILE="/var/lib/pyload/filebot-amc.log"
EXCLUDE_LIST="/var/lib/pyload/filebot-exclude-list.txt"
# Ensure FileBot data directory exists
mkdir -p /var/lib/pyload/.local/share/filebot/data
mkdir -p "$(dirname "$LOG_FILE")"
touch "$EXCLUDE_LIST"
# Install FileBot license if not already installed
if [ ! -f /var/lib/pyload/.local/share/filebot/data/.license ]; then
echo "$(date): Installing FileBot license..." >> "$LOG_FILE"
${pkgs.filebot}/bin/filebot --license /var/lib/pyload/filebot-license.psm || true
fi
echo "===========================================" >> "$LOG_FILE"
echo "$(date): PyLoad package extracted hook triggered" >> "$LOG_FILE"
echo "Package ID: $PACKAGE_ID" >> "$LOG_FILE"
echo "Package Name: $PACKAGE_NAME" >> "$LOG_FILE"
echo "Download Directory: $DOWNLOAD_DIR" >> "$LOG_FILE"
echo "===========================================" >> "$LOG_FILE"
# Check if download directory exists and has media files
if [ ! -d "$DOWNLOAD_DIR" ]; then
echo "$(date): Download directory does not exist: $DOWNLOAD_DIR" >> "$LOG_FILE"
exit 0
fi
# Check if there are any video/media files to process
if ! find "$DOWNLOAD_DIR" -type f \( -iname "*.mkv" -o -iname "*.mp4" -o -iname "*.avi" -o -iname "*.m4v" -o -iname "*.mov" \) -print -quit | grep -q .; then
echo "$(date): No media files found in: $DOWNLOAD_DIR" >> "$LOG_FILE"
echo "$(date): Skipping FileBot processing" >> "$LOG_FILE"
exit 0
fi
echo "$(date): Starting FileBot processing" >> "$LOG_FILE"
# Run FileBot AMC script
set +e # Temporarily disable exit on error to capture exit code
${pkgs.filebot}/bin/filebot \
-script fn:amc \
--output "$OUTPUT_DIR" \
--action move \
--conflict auto \
-non-strict \
--log-file "$LOG_FILE" \
--def \
excludeList="$EXCLUDE_LIST" \
movieFormat="$OUTPUT_DIR/movies/{n} ({y})/{n} ({y}) - {vf}" \
seriesFormat="$OUTPUT_DIR/tv-shows/{n}/Season {s.pad(2)}/{n} - {s00e00} - {t}" \
ut_dir="$DOWNLOAD_DIR" \
ut_kind=multi \
clean=y \
skipExtract=y
FILEBOT_EXIT_CODE=$?
set -e # Re-enable exit on error
if [ $FILEBOT_EXIT_CODE -ne 0 ]; then
echo "$(date): FileBot processing failed with exit code $FILEBOT_EXIT_CODE" >> "$LOG_FILE"
exit 0 # Don't fail the hook even if FileBot fails
fi
echo "$(date): FileBot processing completed successfully" >> "$LOG_FILE"
# Clean up any remaining empty directories
find "$DOWNLOAD_DIR" -type d -empty -delete 2>/dev/null || true
echo "$(date): All processing completed" >> "$LOG_FILE"
exit 0
''

36
hosts/fw/modules/pyload/jellyfin.nix Normal file
View File

@@ -0,0 +1,36 @@
{ lib, pkgs, ... }: {
# Intel graphics support for hardware transcoding
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
vpl-gpu-rt
intel-compute-runtime
];
};
# Set VA-API driver to iHD (modern Intel driver for N100)
environment.sessionVariables = {
LIBVA_DRIVER_NAME = "iHD";
};
services.jellyfin = {
enable = true;
openFirewall = true;
};
# Override systemd hardening for GPU access
systemd.services.jellyfin = {
serviceConfig = {
PrivateUsers = lib.mkForce false; # Disable user namespacing - breaks GPU device access
DeviceAllow = [
"/dev/dri/card0 rw"
"/dev/dri/renderD128 rw"
];
SupplementaryGroups = [ "render" "video" ]; # Critical: Explicit group membership for GPU access
};
environment = {
LIBVA_DRIVER_NAME = "iHD"; # Ensure service sees this variable
};
};
}

69
hosts/fw/modules/pyload/pyload.nix Normal file
View File

@@ -0,0 +1,69 @@
{ pkgs, lib, ... }:
{
environment.systemPackages = with pkgs; [
unrar # Required for RAR archive extraction
p7zip # Required for 7z and other archive formats
];
services.pyload = {
enable = true;
downloadDirectory = "/downloads";
listenAddress = "0.0.0.0";
port = 8000;
};
# Configure pyload service
systemd.services.pyload = {
# Add extraction tools to service PATH
path = with pkgs; [
unrar # For RAR extraction
p7zip # For 7z extraction
];
environment = {
# Disable SSL certificate verification
PYLOAD__GENERAL__SSL_VERIFY = "0";
# Download speed limiting (150 Mbit/s = 19200 KiB/s)
PYLOAD__DOWNLOAD__LIMIT_SPEED = "1";
PYLOAD__DOWNLOAD__MAX_SPEED = "19200";
# Enable ExtractArchive plugin
PYLOAD__EXTRACTARCHIVE__ENABLED = "1";
PYLOAD__EXTRACTARCHIVE__DELETE = "1";
PYLOAD__EXTRACTARCHIVE__DELTOTRASH = "0";
PYLOAD__EXTRACTARCHIVE__REPAIR = "1";
PYLOAD__EXTRACTARCHIVE__RECURSIVE = "1";
PYLOAD__EXTRACTARCHIVE__FULLPATH = "1";
# Enable ExternalScripts plugin for hooks
PYLOAD__EXTERNALSCRIPTS__ENABLED = "1";
PYLOAD__EXTERNALSCRIPTS__UNLOCK = "1"; # Run hooks asynchronously
};
# Bind-mount DNS configuration files into the chroot
serviceConfig = {
BindReadOnlyPaths = [
"/etc/resolv.conf"
"/etc/nsswitch.conf"
"/etc/hosts"
"/etc/ssl"
"/etc/static/ssl"
];
# Bind mount multimedia directory as writable for FileBot hook scripts
BindPaths = [ "/multimedia" ];
# Override SystemCallFilter to allow @resources syscalls
# FileBot (Java) needs resource management syscalls like setpriority
# during cleanup operations. Still block privileged syscalls for security.
# Use mkForce to completely replace the NixOS module's default filter.
SystemCallFilter = lib.mkForce [
"@system-service"
"@resources" # Explicitly allow resource management syscalls
"~@privileged" # Still block privileged operations
"fchown" # Re-allow fchown for FileBot file operations
"fchown32" # 32-bit compatibility
];
};
};
}

22
hosts/fw/modules/web/n8n.nix
View File

@@ -19,21 +19,19 @@
};
# n8n service configuration
services.n8n = {
enable = true;
settings = {
database.type = "postgresdb";
database.postgresdb.host = "/run/postgresql";
database.postgresdb.database = "n8n";
database.postgresdb.user = "n8n";
executions.pruneData = true;
executions.pruneDataMaxAge = 168; # 7 days
};
};
services.n8n.enable = true;
# Configure git integration via environment variables
# Configure n8n via environment variables
systemd.services.n8n = {
environment = lib.mkForce {
# Database configuration (migrated from services.n8n.settings)
DB_TYPE = "postgresdb";
DB_POSTGRESDB_HOST = "/run/postgresql";
DB_POSTGRESDB_DATABASE = "n8n";
DB_POSTGRESDB_USER = "n8n";
EXECUTIONS_DATA_PRUNE = "true";
EXECUTIONS_DATA_MAX_AGE = "168"; # 7 days
# Other settings
N8N_ENCRYPTION_KEY = ""; # Will be set via environmentFile
N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
N8N_DIAGNOSTICS_ENABLED = "false";

2
hosts/fw/modules/web/proxies.nix
View File

@@ -41,6 +41,7 @@
# Restrict to internal LAN only
extraConfig = ''
allow ${config.networkPrefix}.96.0/24;
allow ${config.networkPrefix}.97.0/24;
allow ${config.networkPrefix}.98.0/24;
deny all;
'';
@@ -59,6 +60,7 @@
# Restrict to internal LAN only
extraConfig = ''
allow ${config.networkPrefix}.96.0/24;
allow ${config.networkPrefix}.97.0/24;
allow ${config.networkPrefix}.98.0/24;
allow ${config.networkPrefix}.99.0/24;
deny all;

98
hosts/fw/secrets.yaml
View File

@@ -1,69 +1,69 @@
ai-mailer-imap-password: ENC[AES256_GCM,data:mZrq13pJLpscWxNRAm5B/nU60w==,iv:Y6DV+5upNLg5csxqCWKPV8dHXhl+eGJNBI5tar7OV3o=,tag:enTXX8Y2ZM30UmGA6h+8rA==,type:str]
ai-mailer-openrouter-key: ENC[AES256_GCM,data:6zeI8NlawmLppsaGY9V1tY8ExfAXNMRHDcthKpSSyaKcaGGh6Mrb2ZxB4IWNnyzziI1VPLE7MAW/rrszIi2y6bFayENZXMlJoA==,iv:bVNQGwN7c7KxuH3D70ScB9SR+82iFxAZyUPD6qCDjkE=,tag:gO0Vbb7Ac79DiGdjeNPFQw==,type:str]
borg-passphrase: ENC[AES256_GCM,data:M3dTj9TYbpB89gJSAGy0Q2mfb6OijFGN/lQsSsws4Ggy1AzLlMyP/l1YTADOS/j7enBYyoatQ2x/Bxm7inM5OK7LCO8=,iv:CMKjg7Oa9GlpeqSg1WsYfB26Fy2C2n8FOzpx3ryfn+A=,tag:OdENe09TTLOdMXbw0tzU+Q==,type:str]
borg-ssh-key: ENC[AES256_GCM,data:TtaSmHzEaTPV+U4EwMupHh9pjUWDoNPoxSjmLLP0KvUEHMrkLLlF1WRi3M5+uM8eLZAtjiezuNOa0yndevG5WisuBZd3dgOkojEoyoIrjbmW+ZYe4/z0TLmdmG8NofnV8Tl9Ygu2bTwLdGGQYhXxz0dmeaiilzM6l6uA6gjdQ43aqQGY87BMIDRgMoHLraebF6NL9k+LcFv2S9UPah3ovK2zx6aoaFxul5nvZjZ1Kj8bTrGuTWsK35McTjJAiXHYtTG5rTMSISOc/AZSmleDcfVZ28bT15I11pnB5ZUEo9ugNqGiRcwFhnqsoAqck4ke0H72ieecnZUVSot5Jk1ebA1fAgRvkCdruFzfw0TSgPJ4bjj3FILNKDazYIjTbIo5ApKbo04ZjrUCILeUFDEFtLlt2cLLYrk/aAqHdh1wmu5YBcRGvALWClymG0GDPxYiqSd+rNCwBJgbgS2O+fbmH1NpbhiGzVnLTSmw/RhHizoK7LXwPHaJ/EGaFHv+AoHLbB9XyOPWqxJKLCo/7Zc7VzahvKNIJZIXjuz3pSVHAcCJngTqeZ5Giwxm84wqgf3ewLthG2PH1WRM/L+u1fuM+e1xo+QSndBjXc+54Hvd+e8Bh9g93PgCK9gGChaFQRgnwySx3WA0IyjoRvUsAfSZ2Ev0CwX6BPQHsf3HZxzCyGUD/z0ndpl5YGz36c3huMQ0tvz9okOg7ZBAeN/VL4kypWr8auaXH2vDlJoSmid3EbwLXBJ6i3//gF8b13zJSEzCdqOfdHdYgyhSAVl4UF4yptcZmX0Q8BhFuw6RXb/HU/ZPN9cxrYBhUFszzjazA1ZLP/uhSni2AkOBpeki2uBbmdJecTStEBFK6RmtIShhF1hVWcE2pbXMkQM4xj9yG0wvlPK8Qy60W89gK5gXhyMPY+WrOFiBx5O0YboO1SLMrxRAOIrGulNQKGhF8cAmR1O7Qhr8lA6o9K+KpN8QGxYayOVnxML+DZuqxa/eqp92Gequi4KOH8WHtGthEom9fmozS6DvIEf1m/sL2f41WhzClDTDrb7SvAxmuk1Cr2afzWpODCrx1GRtF2OdsPee4B2Kt2L6gInMzUrsGHW/ve+1SOJ1gJ8PN7MTk64wu/6Jw4BpUtICAwQuchKYFkP8Dg+vqa3C7c7QNB0HdEuaQI18wY2oxe83wfckVPf8ZH2yBdxHVlksW8pOnwGTqZIRWZzejmCQoZaQsjnXm0MxN4eXfcgQ1rxPP8D5Dsdn/xQbj0ydCK6dBJY4sj2eTTSWoW06kHYZVwNoPrk3mLEc0jQJ1WsEzD8GHMcaxYVkFZ4WHC88Kt3WurYGhNCBNSP8B+trcUi0HrSf+m/9mgjwfbv5NLByON49uNNyJZfc8sxOlvXzqTpn6gLh5gvkX/ABBBjdNElh9MwmiOiyi7V3+aypYfg/VPTUWipSY6VVYNuFVVklHirS8ZSUQc2U0IpyIUTrYeCKX9+kjTpT+jFm+KW63AhioFah9ndNGrGmyng8qJB69rwTxxbS5XCFmx5jbu+wD8AB6hZmaUv4rxOWM8ztUK6ZMnQhe61dojd8YFZif3G2+dtJ3wdr3YuHCRObuGCwrcnLImgdCnkIKDdMpwpKSi4qIiyk/w2kKzJyZvCYdVyLl3XLfYuvdNtCkM7L+EXklWPpdYIda7+wp2QUB6txdU6/6PNrwZNr4jQZ6oGpLd/rz1wdFJQIyf9QLXxzNwmDMrCTkeYV/nVw8PQUo0gH6qthYufdPFckzomUcCLXyHexPlRWzU2/sEUqDfE3lhghC6kzUrBfnRVglOkDi4xct0FdDx3i1VXJ9YmvhWgt45aLRr7aeOWXF98XMKuFDuP3ooIhOybAVK9JJxKo0oWStc8Llxy7hK5lb3c9l+UT7cC2sv5rJZ94fNPcCQ5ylCyT9qPvWgOgagA4oxqsZLlLNm2xk+8Zn1gS7yCEXB5nfGbFGZ8O8rm17C1JUgpNEFmtlZqNasbfh+DrSGIK494M/GJnenL7Ufhor4eBYd7oi+Zg4jvvOsxSB/P3jRPkISrtsdRr5ccLxQOaLTQRcROaJF8zTqiBA0axo/cnKgziuuJ3FmzbAG4pao0ftEWw+awim290F3KfNOPEWbtcCXDoU0GSdcsGdM1MNcmDfFyPrtrLBIsszTLt9PVDlOxIVFLhyj93tq6ZMull4U9+fjYvMmSqwdyk3u/DFQSYWUoEILJU4bFkS+QvNYwh0WuPRmvubAaEH/+DaEeFPi68yBr8VgmkmMH14CHGVrB2K1C6Fqy5PzA109BVakn4egT6gTWsnySTTqjF6vlHgk3CDikQeiA6A0sbk8Bq8SIj/RskAEiVXy3SRU9Q2CDoK+uYEIKOt2+NsBFyCwoMRNcwV1HojIK85xwq6Nf5Up0qKhLbTD+cw4Dd2Zto4M2W3lnmQiM2wF/JCHx4hDvVMVh1CCfbUG28d1Mn8LTtXaLxYi7rl57itttPxnVwnGSGNtL3WFoI12pfzkbAl6Qjjs+m4dP1j9cQFStzzGPJ2gWivH6CLftKROGph3dmH+bgXwgMM16XOMPzj5/+DQrcdPh9yApdasCoYCeg2GALWExgWjFFQYDK7RL3SKMWvDg7jrUpVKkzrdz8DEPcBS8qHgWaZFieJkbNJFv6URxiOBMka658LYLyXrneHgQiC1R55xV6j0SnvGZ4iRnvTUcr8sxQApeL9XOn45ce5ccWu6bokgxdPIe/NjkzhGNC+4C051uw+DCNPnIE4OqTr0gjVWWhim+rcDneP5L9Xc4DtyYMh84oplacwRiTTM4hduhQu5nZBZeHrYFU141R7CW4nHGJSkJMCKfiXSPkid4sxfGY4VS3Jc6mMT5PBb5dazbDrPwVQl6S0Yg+e3mQZ/N1KKWEPNSzgBnbb6S0u4pyJVM9F3ZwQsUNb4+dP/I399nPVKjqz06FpdkewcNG8wnrgH82GktJRi6A657vMcq1xP2lWPFE1IB4KyAzSmXfDircX29ItoIyvTFm3T9wUqHsc59/YKk8ztOiieQkul+83boe31R/Henb20q3SQ7x0cZ7kS1wZpaxE3+LedlGj16o96nd77gda98/rRUpFoc825aV9ttt2kW7MxGeVwJ1fuNrA0mdWVgSGSI2HL2r4chU3H8dTFOagzetnYlf7ho8W8ytThvumIYqiP4LEFHiGeZbxhPl+LnAlTw+w+ANKzlYEV1Q4ZkGoboY9AnKsudR2ePIKSeApRv/lo8X2PZpBDasLCHz4UOo1iq8eRhZTBnXH/GeL2S94Zxm1iagjnTnNdoMFG6MR1dwHh4cZgky5BUjVnZqgjkpZfXEQijf4T4i/O7UILa3EmeWdioRKES+gevof5hvOkWNg9YMINcZv9sRL6VL46KfhvFrqOVDfL2f7gE1c2ILuJOgAWSQxvCKdJ7z/G8vFxYbFVjerFprQsTD19rLN+q1c+tTwsXCJ94How==,iv:j9VYSEdwLNYw2vWFOvCldUQPxyoDP4LmTd6hh1gvOKs=,tag:ITNYqqAqVRIjd/tK3PBquw==,type:str]
ddclient: ENC[AES256_GCM,data:FlO5vdUYS4AZPxnoebpjd5SqfDA35DPPc7+idiFFhTQ=,iv:WqoNjfQ6OPJ4GVYI3/o0LoYjZIW5kqbf2rVGQyBtxxQ=,tag:yvKAakq2+a4Wl6H1ZT/qhA==,type:str]
filebot-license: ENC[AES256_GCM,data:sV2yaCnSja67UqHVFQJlUHXDvxqv2FeJzXvslinr8ucFvUsoxI07gtFjlk+R0cw2BMtlKaqNK5XKuCtCF/MdGIPHymhpZGgxF3OUfv0f9OXPhIOxuI5o5WBSbgY+WngrLz3E3gMcJ4CKhwkg4CpAgdSRcQqTbYEWCA8/MDbsA5fbOuZJvzZnWNgaq0qNLUntOUzRB3Ae2C/nMaxL0PEMw5NriuauHohvqeKcZ/XMZXgEewHhKlSFSXWRVXnqCcd/kOrYVKfD85N6XL67SAkijlyIoFDRUnb1bBiUlAnVEAVO/hoeKg2IANdcnRtuyP1BY4/fCsdOVMCQcO8SaqbkJke/fiEXu9vr52dqzeJYwrHDIs7G7aRkKmoq7wF4dhg8NPoWEh/UULbGhhArXpgJOON+9xSQm0aMbtj/7pAPoT6Na1gFK1zO0yg6mG32mkogy//hCqtdCZL47JrbvIhWzlDz6z3hW1mHDJ74uf12buvv9bAdhjwFFjSNr5QCI6fhpA//mwD8JIfdQfylwcMmH0t0fCWOyG1vGvhFCscC/MFMzuH6EyZx8nJfzPGutdbuaMmzGBD57u9G25VDpu/G91AWGsXTXFUG/CdZg+k1JsCDKpoE7CeQoGTsJidcg+WmLRfmQz+v5oG5fslOTHMWYj9sSAE9m4d4dYxscLvpUGwsyL+p9MQWqc5p18iMW7TtJFJZa3dPYswmBkumYgAxFQaCBEAjsr5llFMnt+2NBcz+u7lidh2AergETf5jSrZ4DDI+UhVrgBEF/kmsiVV3i2Yiz+DZ/CqqrKUPKSSmfVJ1lAteUPUhSZJuqJdRPA06Z9aTx7J4JFEPGg+tgB0NQCUoz6iHemeTYsHEw22g7ObGsg/kiFGzxopJtw9eoJM=,iv:tTaw+Hy0HPuOSf7Gl2S+fR/YrQtUrQo8hAhc9S1bOL8=,tag:jG8skiISKFNenuut8aCFkw==,type:str]
gitea-mailer-password: ENC[AES256_GCM,data:We58w80t0CfxdGXe2eGjLop/Eg/46u5jNAtBvnJznTJ9CB4U9+0A+KvsimNowqrhKzCEaLsXzy9wMtEmfj79tZTR,iv:f1QE2i6NrCWs1qcmbO2j5WjuH4p8324DsPR206nK8cE=,tag:ccX/W5bsfsi0CHa4lPUuxQ==,type:str]
gitea-runner: ENC[AES256_GCM,data:9v3IWNyf8JxX4GbXPSCKHInhnaBqjbs0CpIHtu97+TtKTCZQ/1tU6SmX3KzNLtc8LtQnOiHo5Zq8M9yI32b32/yrL9460CwRmUVfhSiFb+JoLFWpSIlsDfHjSY6ciPWyBvuf41Iy3BuvJpV/r/8YdrqkcO5ceevk3qfRhgbWI05ODS4+786OlGFXZnDJ7i2u4eilmb4S5uye5fgHMGS2yTZgNWWThz8K2W9XSwWggdvQ2g/pgKPqEndLrPMmKtmCa6wXqECArKhkvM2MTH/AHz8=,iv:TMEL9bD/Uir8B2k+ASyWPaDwlCi1CvN3hCkvTzh+eNE=,tag:6pjHIYTUEVffAVR9yBXufQ==,type:str]
gitea-runner-token: ENC[AES256_GCM,data:tC9YVqv2lBvPdem2j++HvNtqYYaFLWgy+nNgrjNvrubbenRjcB77EXT2g2k6CvI=,iv:8bhDPdsF72QAiacS3MuZBTv75mMWtxTAxTiENFxHo9M=,tag:meY+r5AMpdotR06l9IMIBA==,type:str]
home-assistant-ldap: ENC[AES256_GCM,data:X5rz/mJG9A9wfaHkZy7cDoNRD9eR3mRX5+ROCdWJrA8ka81+gdofn9oSha2IjwdPoxikAAhYR73n5hZIEdZKbQ==,iv:Ol31hI+XKRjbZVS4GPiMyzdKvJVe9aQDjnWYQl7uJrw=,tag:IMt5ZCZnDdBz9kcG8Khi7A==,type:str]
home-assistant-secrets.yaml: ENC[AES256_GCM,data:AQ8gs3glsTWw/UyiBu2eNzP7dFy/SHPP7T0e1gyevx5JQTYbKwbOMjTqv55hM50Qoiy1RKoYyyvTkc9B9BcRpX82S+joEZx8K3eV7yrXpVAk4/JbFk++mDT8Ty38sb+/dszi+D9Tv0p7m6HfrtZCup7ojCOaF6TwMIdYjG9MJ7IyT+4m0lTZv2/1Sr24gaIYRyZ+vrlJ8mSpe1ZWWtKeGZys1aE6OwzR0TrCqg0wEf0m9VUNeVr9uZYZseWQtE/RiDOpN112vv5c1A==,iv:sJjWPZUFvFxAgTmKsOclW1x3tvef9SfTUrDvqgYh/hE=,tag:1prKFB8iNgoBhr4C7gFAwA==,type:str]
piped-db-password: ENC[AES256_GCM,data:rF9jfxZtfyEPG1W2k6SgcS58Z7Z/wEhZtPnjpmB/ngbYVynUXuYmL5bOVMc=,iv:mF6tCzyMEj4ZOIuODi9v+Z8aUICfWxZYRzdD5lVbx04=,tag:FDlMlXvhvfmXa3t6jMqX2A==,type:str]
pushover-api-token: ENC[AES256_GCM,data:nni7mP/oQ3qvyBfbQF141/FkOZispnon/iaw9LU2,iv:FXpPAPv0hms0dfusil2Plk2BJYslqv0OwmJltkUUDY0=,tag:GYMw2k6Mz93cBoWGkZOVHw==,type:str]
pushover-user-key: ENC[AES256_GCM,data:q/Cr+Y104tZADBgoTSnocaiRaNPox2Z4zMgQwpYE,iv:MmoX3zCs60Uwc2Sijv/weny6bBVVUFTpphXzWtMo4ww=,tag:bG2BdC+CQXa9slLEcFQ6hw==,type:str]
wrwks_vpn_key: ENC[AES256_GCM,data:oiRzOI1qXesCVG9X4c+sNVpCdfa9rTahJVQaLsi7+bsfc2Kc50tioBJ4YJrggGYI2KSjBe7Q4Sy1zhUKvuTmbA==,iv:KVa3tJJ0NeR4MM+LcL0IwysH/NvH8HvlbVoLOUdkp3w=,tag:lMHRTA9wsMbpfAJdJaBc+g==,type:str]
wg_cloonar_key: ENC[AES256_GCM,data:tg+dVsUfK/XodSs0rcUGjg+J/uNmhdWcTFImFKsPDprkCy6JldVF4opsYb0=,iv:kWXpVp3xn80S2JaRnbW/qp75tTI47Mvrn5fHYkjuNEE=,tag:8748Qu8hG4/dmdFC1pvlYA==,type:str]
wg_epicenter_works_key: ENC[AES256_GCM,data:izKZBqbLUrziALVK88LOkDDU2oVfClpCc7t8kJmQHaq+gKmUJzep1Eqic4M=,iv:KBQcHarvWLONLgyEm7O/4uiShNYAKWFx0Z41G1zMyXk=,tag:Mg4QgntbapqdDOYagoXjTw==,type:str]
wg_epicenter_works_psk: ENC[AES256_GCM,data:kVXJk/lPHV8RM72BSmursA2HDLc2DsSzutDBy/LIY9AXwa8hqFUdY1/h6aE=,iv:9fwIGtOefdAUFpvARLhhmycbwd5wf0SeynLZtFhNm+A=,tag:vuHXT7HPnZqNI0FQxDAf3A==,type:str]
wg_ghetto_at_key: ENC[AES256_GCM,data:KKYAWcW0xcBLvZedJdQlifE0lSkachW2H5dwEQmpsDF9ViBayYOkkgL36jc=,iv:6NgbeaHoptvsLTA81IyF9THPvu0BwFrTOzhhRI4/PRo=,tag:BvjfBVgxdfG1f13jgghC3w==,type:str]
matrix-shared-secret: ENC[AES256_GCM,data:FK0PAhskPL7fjwTrjHTjnr/lpIS4bxETRMrtM0SeVEcw6CRtLCAiSgXvZqdn58CoFZvpd9iRvpFAe4FZdA==,iv:I793hCj1FkluSy/EYISde5h+b3Tsm7FJL9SIXjBxLkM=,tag:2J1vAEjuUIIG74gh/916ng==,type:str]
phpldapadmin: ENC[AES256_GCM,data:IpZCNla1mejWKF5o1bomeh92Pji6HBc7OJSoVS7vZFn/GVreJmLzFceML1cMGHCT3veFdI+epJ/R4dtY/R4Efyb3zkpNnEeLnwOBnOq3KC9oYB7btyTQAs+zIwZXo9Kot2rVe84OtwkccdwaeA51/LZqvM4MnCTP76SeBhqk7Z4bHahbqTznJ7hkcBg3608RJmI7n3TcXJhrwDO7AiaQrm18LKMLhmpycyljyD2lvlF6FnB9kdXI2DRt/uYHHO02/XlgFt9e3fDT7mj8N9Cu5YO1Y3rjq0+oc0W2VLsYS5eNS786p2JM1JgNLae9WmulVRpT5enwg39JzL/S9bWqVvkuzLyliMNA,iv:vjtMwMRu9xODXJmiVnq7/Zj0kD8m7p6wJxjfpLTWRFc=,tag:RED3fQqc2jRMqYDIU9fJ8w==,type:str]
palworld: ENC[AES256_GCM,data:J+HADBl7JmGxWiDf5HjYHt+mFrimm8yNxFG1AGol+R7FFimwqJYfq4ObxUUPDdaJacqwjalQVDylz/NDuxQrFtkeeQOZ0gExpKkkgPVFQjnKPFIBc8yafC1F4SNCegDpMQOdDSaQLWWS2Q0UNMl0W8+Zj1ofuKAsZrpIbojeSWKAfFrdu1vGV+uJm7ftf23BK/moKBl+AUQhDEGVJiynXUAlA2i1YxqBoxeweKu1f6hMJc6nu4iXEDPpHF9cHPPPPkfIJypwbWR3aIqSJAvfhKy3QyJBeHdtuMKrAxZxC/N6T0H/SijEIvkUSt5JzAU6V5gTPRWMjs4BdaMI+EcdYMQzTc++pNjYwvDG0hOl5Fbny8klHDXTTMuWzMoCgI4Rg8QbvlhATd3ueCc4e8JtIC+4ANL93UHh7uBhc/Ya0QbRVCGL17Vt/mZCuuelwSAh3dkm58aafIvQrRJz4sA4FVNeoC5JGPUzL3e82AbIrZFELvWRQqmcnk9ehqHcLCICXsIukAYU5dlO9oogobsLXR/Dft2uVJeq9NLpu2H5ZGUNg0EegxwchS4xhNjCWQga5DBDmhpvrJYSeaH/py+5+er+s+tPzZcm6qA8AgpduqJVDJcbNDE5maFanncU0p2ELphVTaIkcp9ED9qeLL4Agi9K+oMndtPZzqzAlPluZFr/5Ni+t2rcryvNiXpXnmDT+ChxXAO9Qv0dnF35VQ==,iv:cYXRFxXGjXKLbmokEn8MhkoyT52wI/mpW/FgpLjyu34=,tag:O53Q8pnAtv/2EC2ubuXgfw==,type:str]
ark: ENC[AES256_GCM,data:MIoUBI3iImXLozkgcVszqfjlofNAWp7BRnLmQvM+gXAyJ/OUaQiQETeMH48FVL9Y2AzPcILQ1ocIeXUClXU1XxYo5ItqRMQY8XWTApF4MKedyen+eVPtB7L14zlCZR3HwhA8Mb8AWhg+vhpDyD3ANTP4bETVjcxFlxqQ5n3YaCL6jGWSWAkwiuzQU2uQsFQzrJia8ybx/wrKGUhX4+SKDbupSzvkRzLkOsa7PT6chL8/REO7WYlFbwj0Wex6BdtoVAYb7NMTCQR8VqrU,iv:h/qId8ZHbpT0Bkql871Sv9yZfw5DKbsp94vAh0HMxQ0=,tag:sZYfTi9kiFATGT7trNreDQ==,type:str]
firefox-sync: ENC[AES256_GCM,data:8zD3QcZmex4F2EBSyUc7Lw0teWpz0o/R6mK8utuvgVjWKW6JkdsbtI5+IvH5TQtJHmwwq1Mh2Q2VZk5HsVA38dST4XM/XVlA15tIveQCprTaQrOxw8jHqJ/DLxw2xGz+2OlFagof46eu9lcsrYg4uLdfmLVcuhjhTHM5z72GxFiE/QIcoZLllhdTb7/1dqs=,iv:KBHX4iSlMASmEKjJNdH7gX6QBTvMmHUtubNErK2PsVY=,tag:G1CJkdLe3a9mnSG4PFByGA==,type:str]
knot-tsig-key: ENC[AES256_GCM,data:MXA1qLfUJ9O3Fvd0WGi2wInuVjgYkfH2cVRLogLQ+B0TRG1YbnVqVEp7P+s=,iv:zxBCr/hSHH1zqxBGzQ53nArcUfBcq/LIpqgWllTi6ks=,tag:6G5eL4i9Cjrw0CF5JJotCg==,type:str]
mopidy-spotify: ENC[AES256_GCM,data:ow7WgSwgbGqxRFWkDXsgKBvxMx2uF7lH2DHUDXhGVz1kLORGqp7wQl04SiYxnYpWJoFl+Suxia7hZ0riQF0bgMDi3SqQQrDimQZI6U2m04QAGJyBoaxratnwyFNe246GWiYgXxvtjPi10N6skPQBym6sJquBF/gE,iv:70hs89+g2dr/dmI3YPyIL+3B49ol7ltByk3kKCz3ASg=,tag:jy9Sn9dAYfs6wk3KoX3ylg==,type:str]
lms-spotify: ENC[AES256_GCM,data:RcoVtWO6kt1Lx6sK15tLsr8GOL1j304UmLE4CCzNMTLFyN29dKvpC/Sn5CsxWf9TCclYlNJsuz9kZ/ZiL2qVCGYWyoH9vIs+o1iINkYJzhZT8wwsNpN7Y41OuB2tm+mCjm3hKuDnciI+bX9W8TC/szJ+W9pbgYdK1ggIPOyl99NiLKeDNz4ELpc8eCqtBjung1hPbM7OkJcDMwC9txEBIXL+dDjuoi5MMZoQp8NnbM6BaKgalMzrxUpkUBf/1+G05C1NWzIBXA==,iv:sIgS6I0Vto1v564wbJU6HFoSo4/aoRxmJjfJ7w/ZZQ8=,tag:BFGn+eGm6Gc9cEua+auUjw==,type:str]
ai-mailer-imap-password: ENC[AES256_GCM,data:q9eJ9Tom+X6KxQJhWQTUB61k5A==,iv:FH+IUWi2yZBBgMiL/kNW470GEVHEG3fImf0bel9og/c=,tag:RSlcpXwmNyLB8Oc/K2Epvw==,type:str]
ai-mailer-openrouter-key: ENC[AES256_GCM,data:EvI0BuCBA1uYOderjAVcB8RSk7un7tiKmgsSe70KQcmfu3CxmQerP/2kQsRTJ0/6pWf4QqNpaes691O3nf+UG1qgG2CUcIaYRQ==,iv:OYEy0xMs+vkGa0qMtY4UP/iol5JPQ0eFVyPpPXLAmUE=,tag:5PeXZcI8TRSUOyuKs0STWg==,type:str]
borg-passphrase: ENC[AES256_GCM,data:GGmf09zX5wQ8Fih1EyP1p3up9ckFjVKsktU6ZFwvuZnG/O2OyOod66qXc/IXx8GQordubZ3TgisOeMLNnSowp2qylh8=,iv:fFgw/x8Ww9cInkNlPIoE3stUfISbfk46PBj7aimuXNA=,tag:hnNYrkLgt1qJc+gN5s9L2Q==,type:str]
borg-ssh-key: ENC[AES256_GCM,data:I7hErgUwWDIxKLdw2FPKuTx9aOcqF/EhOIyU3pfd5QA9sQZkZT/c+IU3b0rNdi6OL6KYDQ8+pMhFuDB7Tcna17etB5HQYnWR6L/QDv5rZTHAHbhTNUEk8w+4zIsvffKJlfObM6qnKZhZbCZT4CvbbvFqmg1KxkFqhpMZSOfR4hpvsNVqEmagygYxuPUSamWgb0y8+CFBxgR8FVEz36tJW8bH7110ZupfkF3P/DNgw9Mci5tYHdrzu6CU5YhbpW+hx88U62rvenWc4T0r7gVcEZYjkVExPJRKs994UVCZO22e8Kx8cy9OZo0S4FBgFfT8Kx8HkYX5viBnwxZrWRsw1ober2LIa48Yc9Sh1cuf1HqD3HSwEc90LuXP0EFKwJLm8MJ3Y26fLLz+NMQhVtug6lAt2cUZj1qapgMiSznw1RJv7nEJNKRx4rKGDdzf4gJ1Nn1DcuS1gPe+WMd2K1WoGB+QiBRIvCvv8f6YrnanNS5YDt5W11vrh2YK6u4JVjehbScoG32ikv2YAYD6HxkNmIyPAwKXM1hIdk91d55bk/feXDLSGsnlBcSdQ7AgBDKEy4UDLEvUPKwNgxur2t9PgEa+AHXZSjhQOpYVEHQI7qzALgSR5v9lEpPLvz4Oa26VwglMwyKcCxB6vYhz5CXnRXXuypBi0TAEtnWsQaUQrcYNduEkNTi5BwtGYJSwD0nVxOFQhqxwbCvQSbW4iT1QBHbvfEGhKtsDIetZrx2DL96aQ0maj9B08O5ODsiQsZzyc68vyS80Ctn6dd/7BIeJka1ciCbXrZiWXHa4Ibrfp4pdjTfLVXhvqocNolLQupwqxXdCMI7pmZYrcQEY6VmyYmuePWOQr76/ed4QG3mhmAJN16SZw3SlDo02LxF7qiQV1oCojpeqxdWnr0jh+tG8z2hzK4cODvwnNx1XCq8O1P8A2vcuk7mzCnB3tTMtLdIGh6kF0V8I6l4zidJkDPRhqB/LonbK6Gj1OixqgL9aJ3Od0ahF3rOq/SnMQWg+MJkJUv0CV9KJCJZ5FoHv9JfChzTG76PsrXtAFGoXwHMsrjJi/1E1UxSFV7TuD48FB1fRleWrt1Zhbefaq6aDfYPCiRLbpNbQlepnX8mRzMfXleq/ESZqXHKaG2dza9R7hiaJFOd5OTXrqoaf3spIRCdhSAhvd6ChpD+NtFssqUWaAXmZuVQhg/udVOGGW+mOgd6pRKoFjOXkD5bnVf27KY+w1EHTOUNoKWtZlLWmmsbJBF8MGc3E5XIGM+Mlq0E5mNSWB/XwnionuUTGg1+gUUCcCbcmOm7P6J3k4l3ZLhuu4ilw+wV31pjednAnw/IIw9r4lMGL0RN+zJL7leE6FT+fFqdjRx3ZCdCFGxjrmJgugtfZECjgR6nHQWk2zLv81fi6OD38wBFeeMe7Bm7fV0A7+oHYrTXyvxuo5aXfv3pOacAGnUulbhWUIcsN/GTFzcGio5iBlIOI7yI6EeW6VcLbXm+ISw2YHv/zhMFCDrOeXn5jYCI5zwi31+T+XTIuku0DOr+k7WnS8WKWQhdlhuLUp8XpNdUVwegfrZoU3xWo46WbUWrtOcpBoQguvjGvVYelb/FHWx6k8mQy/9Ke7juaPXgrhKclAA1pyKuOvFjO8UuUI/KBMZGTWtnAxrS+cOTdf8CBhw5smJ782wyvYkxQJfddfcUU42TWGLSpLUJUYc0kAjbbAEfKkWQw73tCPH68VPSq4/3nWH6lS95bMayn5yj9B8pnl5Ml1Fv7q1SAj/F5FrC5uLB7QBUP8alKQoLvpCCkXwRQn6FHPzTPoKMmkmRCuqrVmG0blyyY1PtZq+hzfYw2oM7kPwElXKUMo+Pd7bJKerRcTRir0odIMyKXNXCu+OC2/WhcLLfwuiW9PH5clbCt3gjjM4XSMsz/vxxwasuN+WnzFHuTlL2DN21rSFNKjPR7b9FfifQObQQCfEE+GBAeid8OsLU+7Uk+0PvjWq072HOMU+fkbgdISLp1wmafOjjt68hsnxx/dtsqTxaE+mBCTnLlBdSJOHi9JvcAC8QZD/fHUVGd0EpItUQJCePaWSVjkg3Sd5wYR5zko7WHAW0iuGXqZUQkNJpMm93w8cygkAiNJMffM4FkCM3yXpSwBqpjN6+OHNtcHzDIjwwUCMigyqHKvCkalcsgSLus0451Z7m6FsUnOvlkIZxWovQEQVqVDwa42g7EqPyaVghaUmIsUo23Dlz/eNPM/HmgqtdQN6+vJTgK4kdkX2HBqEpPvNn7Faa1hW/gfLIVl2cknNUNDNnkmqkvJLPSUS8Fi9lNhM5HDt0hCr4JmmGJrvgo2TlxnMpBGUPi4UkfxEuFIgxmzvpNhSpyDJNF+nFp0UD0ztcCdtAta1lpoGQ0zZEiTr6Mwwc0fozxerGtxFLPm2pTSgjXKI65JyRGJjNHAHG2XeOC/7dWnwo4GthFCZBKPB8/W5EsaOeuSsWfDAP8n3GW0AIVwIh8Pmf3tdml7dKU1J7ciVnLqoHE9NcXfmnRW6liJ05Ca1UUgcrtQasQKETbSEIBBM/hvZAMd8aaazyIBRJwNc67TIEkKBpvC6dRxpUYEJ5ZwVvWGrJIkh4WekDEV+fFZDyH6V8sngTmnT6Z3GCyRContJLg8Gx+CE6fLnZ69OUXVZ0FU6C0K7GUqueB8l60ccJa5AniiEqhRk/5WQAJBrcpYAYrYU/WTEKkyt7EtBnxeWPCyb7CpnF/11i2JOk33WAcYeXUK0IIfVaPmW5cBQFDVZ9JX5W/kfEMwufizXqjWSMXIKnON3ICD74iOJRmnMevaT9/ruVtMlXx/7M4iQVMeIl8+0He5S5+U/1kUZVvx4OmvQBdfgIQrjso6fTDeGMziM5jeQeCUUWJg/cBV9VGrMsGlELiZiCWvVI3Ysa/H2LkutKa1dIRHtvhZNBan4y1GYq7hcDpkmBJ6e0WHV2gQxhgbwgWpOrf0nww+KUivUJySz2uTdRunrujkwCMDIt7zDXHrItuI0xAfrENYWXvp+KyOMeWUbjUrOUc0IdeAD4DIBywKVgZD/2j5xtew53d0wv8LmcBe89dKSyMHWm09ZPjbwm5FL+qafFLFZZYSlfr/7f+MFg0kK1Fd51rh1pmO9vpgha15MrzgK1KQ7FBsShG5UZ/7l57CPGV7+TS8B6ujDbFvX3vvmwJ9LMhPsOkeh2f8yQGjZppaOjx7WorqCnjP7K4HP5gfbz+GC90jZ8xEabm5p95t3tnOw0NBG8peE0bObUosd5phJN3PuahcCYGNF9WBtCAsDR9WzC4vJgwpSRl1qVZydm/F5c5N29cszRViM2yG1vIqzbUo3uGkN4+Dvr82YB5rRhn25pdV7Z79xroJMnx9mDGAM5ShQPDloEZeG32i/rGB3PKruyfCYNaWUT48qrvt8S9FTrt0etZVJrxFp1v9M7Ct4ojw+OQPW+bh+bTIWd1UqY4TGhAeg==,iv:f7rBK8aNqX8dGyzjoeRX6yl20XsnLU8b4gitaw9+O+0=,tag:WvfUw1JgFBAtS3vsVIvM6Q==,type:str]
ddclient: ENC[AES256_GCM,data:dS6TVVNb6R7EE1JVMDfSnRYCZyHHqEPvwaYpkTSj+VA=,iv:9uMo+9X7dFdVW4wuSgrqIAaQelXuA4cek2oif0GRHow=,tag:ncQq4UeUzWtjPNxEUOlqNA==,type:str]
filebot-license: ENC[AES256_GCM,data:jY7E29fFJ/h9NIgIjuX++WBhnLk6Mm4iRfMh4P0pUDdqH231gXDsTZ6pJ1rpFXdEHSuNN4LfznDTKgZ2azKid4WprDUzGkN0uJD6CfSR8gTIx5Rq0M8vkRah51LC36bop4hTMzECYQd1YA47hOBV/gfyg3RIw95coWamV9FebnQjIBgWYxE+wTvO5iRvWpiCHd6VZQfkiiR0KF1DrkYkuxlX0piGEKmIgyYCiKMFZ4nrrIe58x5lEQA9uPVjE7vmq3c3ge6tJzjVVaaNocbJhxhA18GLMqTSHfnBsOLRlA8qSQ3xX/VRzKQmaYQHIM77Ylb9ZQsvFt6EDlzQMl5NqT7OJZUW/0jwNaEXHURjeTOC3Hr1HugiDGm+uLXEraaJ6Na2AbFDn28o+3J22p9xNg6vWL0FElzKuaz5TFDzdZLZsD9HOPQm95/ZM8JymDjN4qxkkd2o9rEKY6to1MVDarj+lDxIHhf4pL23YhZsn3esNlEbFswzHQiH7nMsu9Jg6a0rPu7IYylDnH/soBjxSKmf2dhH1LLsDm8It9K/7NnXwmvncFXaqNBqm/e7JzCDBCCyVUf/BXbBc3xwLwZf5MiirZ/iYiYnRtUssveh7BV7ICigRj5Ewtr+n97+IGI+FyonkvOgM0bn8nHf79ZzJCKMuntcw3FlGd1nIkmcehkC79PlKIS95oV/wypl1OmU0CVel+D8hsMuONmF9NPHgFk/ztp4GF+XXRO4ExNotX1XrUlvLOccoHDsl1TedUOISzgAK71edxfI8y110shIe9OfsCEUAbmWMmjGVWH2fKu/IrYYQTry6pYFOjG2bIEUXMaiIP0lALbq/QNgleqMNPY8wGzFbP+/jaYzTbw9KXH4bwYQCl1hSI8THfV7lLE=,iv:4ik/aQqi/hIqH8ix3ejgUiXGY7ycw0ymdVrV+CEQe1o=,tag:7ymc4QZEezJVPlYTlU4H/g==,type:str]
gitea-mailer-password: ENC[AES256_GCM,data:lEv5euTCHG6pyNqrVtKK7oE8wLvk+q8ABXOzFSizQ2TVFi35lyGPzOTel/dCCC0Je5GAHE1KQQ4Y4/iHghZgb5Ft,iv:gt/mCzLbDrHFNqW+Lkd2dy9nRIBKO+rqsVuXM45zJ8k=,tag:gCxTSzY7GZ+jQP9SCsdUtw==,type:str]
gitea-runner: ENC[AES256_GCM,data:HLjSETmu2C2ROf6kqUuIzQl/t4Fe5EOVkMqdTeLNnb6AJ95l6M/WUk//dnPMrWVvEq7rV07awUiyvyJcYQzMgPNddCrfcn2Xr0dYK4XFenz/sdhknVex9uS/RhK8fOqdYJ6djpynikMKddZMQr9AOVfpF5mea//87+Az9rOrlzLdgNtf5HyBEAFKaOFbkZboAsP+jlxyyYurGHPr8LxxikewDVxnpB+XzMc6RAnesrZPOTDQlkMiPZ2t2o0klhD/4VomgiHEklULxCCmIAHaqDo=,iv:1FwTespqVTnKFbyf9Unbbod08D36MKsVbDhIBNGBkHg=,tag:rgVvyxUCwzYB2CqWm2fwgg==,type:str]
gitea-runner-token: ENC[AES256_GCM,data:pzJp7j1Ktz+27oU+qtESk7D32w7+BSEUkPSX4xuFml0i10z12Gzu0QHXL9s3734=,iv:U77b5515H1URfz5BCdzuY03zVkhSRsL9d+HdHUJFx9U=,tag:QvooaT4TS/X5R5KGdaVpVQ==,type:str]
home-assistant-ldap: ENC[AES256_GCM,data:4kofJzPbiLXILxjuAZWiTb9hu2Gver/IHBCXDnrmrKuCSII6SJ9FrSi67nl7SHdoA6xe22GSMfmPrKzy5sGiow==,iv:F8mIHhWHpaI6kzRV9du6uW/Fj07PbEIU1goSDmeSD5E=,tag:6NIC6sN8OclinribZhrLLw==,type:str]
home-assistant-secrets.yaml: ENC[AES256_GCM,data:rns9heAmVMxB6WWlGMXvF/ianFUnja3FObiLTEKJmodePNsJ8ah3OhuCAX5jON+/7NZ+3JN/hIJjXsORC5WYhr01DvO9meykf0aMpbmAnYI+cmPEPvcunF4NNInl96rpcI519nMiHDSh5J7pD74CxHZcXSV4c9ZR5UBymchrwmHyZMF6dVrD9Jbr9yph1r7iq6S5wlI2ZImWRjaoGDZ1x+ZU8XnsUmYcP4pa1Yt8JBxSnyUw5gxgBkVCh4eSZBsUCt0cd9P0i7qWVg==,iv:YXQsawXZsQb9ZUt1/lkpfTa4tfKIQrLkkyShFtBRaIQ=,tag:/vSnipGiMntdMqHLePSEQw==,type:str]
piped-db-password: ENC[AES256_GCM,data:5atQccdHYDEf638bpiON9VO14jqNDtzZ8nnXVW0/cqtWkZJc8RYn9N7QhAw=,iv:Gwyf1R+mpmX+TFuoYLPHjXwSDwzJhSEpnj5ZsJgmrtk=,tag:zm4zNkzbqbCyTN6o3lQQfg==,type:str]
pushover-api-token: ENC[AES256_GCM,data:cMBDdySEBQ7vS7FUC2DsCcSvEMpapWvMFmnuCsY6,iv:SVDrrDm2pcAfwUVAC5j47YwF4s/FWNARlZdIZ1Wgwgw=,tag:w7ZeNMPXWc9j+zVaSxq1cQ==,type:str]
pushover-user-key: ENC[AES256_GCM,data:fjoA2YQxmeWEbSKWWE5iyi+CUh1vtW9usVCm5EGk,iv:p4YwYIhpgn/bY9t61//CDrDmZrsj9B/naZit62lCpwo=,tag:pqEw3pDlX7i87tE0Nsy0/Q==,type:str]
wrwks_vpn_key: ENC[AES256_GCM,data:VEHqnr/bDtmyLzs0wnmZ0jCWS0BGJWu6Wjq0ZHJuEz8PH3j/E54S9NUe6WRIo+BJCsh1PlRqw/PD9xSqlW5uPg==,iv:OMP0s8Lc2CmFgwRuwB3UWJVuQFqvpy+BiyhnIKbVIb8=,tag:x1LvSf6i8khd8jKgv/284g==,type:str]
wg_cloonar_key: ENC[AES256_GCM,data:1OfHD8yX+pgCXqqxn7cddnnCA9HBjGra4eht7uLxdcbdG9vDvxUoE1x6aWg=,iv:/NBEbmA3wP/zwrqCeBKDzaoSMqz3f4ZeMlWbu81R5Pg=,tag:Apt8x/j0qiJAKR4UEVSkrA==,type:str]
wg_epicenter_works_key: ENC[AES256_GCM,data:CTZkVGEVRlCdt6W0BGPmX0SZbuBBH5IIlUsi44SGXi7gdmrZNwv2zDv6zjA=,iv:4ZDDKqR6pBq8cjX763tBxOvWFaS2IiGaBxJu6L2JYig=,tag:H8p63BvXSx1SKPFw5gnptw==,type:str]
wg_epicenter_works_psk: ENC[AES256_GCM,data:K0SDlDWfUk9vIGP5U1j8p6TJ9GsydJTuKPb4kMgde1CILOia0S9/+4AkMWY=,iv:ITwLoWZXR6NxRFF3eBvOogiWHLmXnf7S1e2FW0ofr/M=,tag:2OVi3OBFYT0nlCx8gf2AdA==,type:str]
wg_ghetto_at_key: ENC[AES256_GCM,data:+bonpVjV1hxwaqtR7ywshmoDxCnFPD11q0OiNLzxUJIaYrDeS1srpyo6rlE=,iv:Djn16kuXTWqJZy/AT77GpH8RcNtUMZ6zcIdKIMHv+PM=,tag:LP2JCaPKpzeOKvBc2bMr4w==,type:str]
matrix-shared-secret: ENC[AES256_GCM,data:nVSHwPa8xYUaDCxL+5neFtzc11DDNzJtoDCSHYXZ+bZXVAAbp6/Pjx6UkTdAA8B2GOM09nFAsBuLnQfJ3w==,iv:WU3hnRlWVwx7Qin3ejw7V4VhAmYLf6oXzVk6xQgZPgA=,tag:O2hJ2q8XDxYF+rHPNgATgA==,type:str]
phpldapadmin: ENC[AES256_GCM,data:94jCcgGJ89Er5ENLqhFZ1qY44Qp709SuUhBUuED6v/a7mPPjrJGDmi0Gm3r1Hb4CDPGkWf+x4NStY7LSQ2bHEzjyMPMS23wvSLTmC5b2TVca1UI8vZRTD1R7OvdWo8d1oNweSpYEnAXGv3USYF0NZo8DrPLM5G8lG5Tk/rKS/mxU5ZRhPyA60rbmIiy3Mk4yNcs1tvTEckxU/zMVl7zUPAsOOlmYGuwJrHmmh9p7YIWHGIgZNiLs3U0BvSKzN7WktmlwqjfWpeLn4dusqgov4SSQ2otAkxLHIH8mGhyotd1wgXJDZc6tilMe+WPHQDz9db7FT0VdeKggQ94FD+8rP0OsIjR4AdjZ,iv:C8X10wtA9jPgS41pxasaZJTO/XFcRymOyTDZCWJlhmg=,tag:xkMJsGubny+Di+GucAqypQ==,type:str]
palworld: ENC[AES256_GCM,data:iR9nceVotLKrFHnPIVskCYVLev9OzGLLlmfCGQq5hqB1HveXjhjkfm/NMmqnSi9o776+Ezy7l3kkS0R+0cFJ2B9kaWGsdJtdYDwQevmf6Nq5eaBYmvu8kTnaatqZ5e/1BQzcF3to6MA061XL54YGqsAV5FpnDVLhyyzIvaR3gMvMqJ748NL7K+hbBqMFuWcSH3hKXwxtDK7SLtcgx93W5ZgXkZMMumtlH9hSSlZL4yxuQDAQUwHrEBL+rdphA0m27dyS87DA3Av5ZL1MZ+Vlm4uAHM68T+rtVYXTakNImDTc0WrhIP8FZD/UKTAhVYAbA9oz6cbeC574vchuEY1z19SY9+2HshZZBOiPDMqdvrqyszMQCo5I9dUzAJCemQQTlYG8ekREQ0wxARnBYi3iy5PbmgDQWdM3+ff4yhMmGiHtiMQLHzrquKy8nvS9lDp9uT7njkaI0QAt3eNWa2DAQRqXQAtmuRVob5+GS2Nt6XMTWRkbeEb1phwbTqZD5mH4p2TiyMKCn6KOXsgQTxqGr35Izbe+bfptCmUeyscTKq01IZg77w/dvg3AX4iHAcMNgJ9LIHDLibGHQzu9fGN6alpeyy788GDwRY4glYyKxPhCasKkBSj/uhcDAtdg+c63vDTBhqRjNr6+v1NeRW6lVBzrgq+f9QvO5RVKrvdsVHnTA3CMGQzUPAaluNZMpzV5KqxqIrpAAPXnN0ktig==,iv:kkcm/alLHwC84IKK//OJpa36ec9ddOARTIM+KJlOHHs=,tag:jV1DjfNzRgNaCGgJTKIy5g==,type:str]
ark: ENC[AES256_GCM,data:TRTwxqkeUGbtgrWuj1YEFr73+nxCXmt/fR5vVnYR+k4FpNBB2FoY/gXl0kqeFKPDcajwn8nYBs8YE9vmYtAX/Qs4g5OyU9qC/pkmSV7/gbGfqLLqcbIlbWrZzeM8gRW0fp6h1TMPsGO8/iYdF4bmInfuZW+fKr0i7ZRgrtOpPiRCOI/ztPGkFaduuwGIy+yVoS64b9r7ZLRnOZT7ghVv80GKorJuuOQIipNAJMzEqtSA2IqaxWeb13v8wdQoKuMNcD6dCYVJnvgwf4R+,iv:+F9+yJUZBzPSSIt4uLHxjjXAjzRojLxKAyrd8grMXkk=,tag:VrIr4FFbIGTq9RBJMz8/Ig==,type:str]
firefox-sync: ENC[AES256_GCM,data:guNgEVi9n8uJuLkkX2Z3tMY/NVqzQ2tdIutZAqleah9qBri0/3dzVHF2xvztLeAgm/59tN7TtAlAH2SMK6gcfAZDasAWOJ/rGEASxLi6VRjqCe25glDMp2YrA0/mcqZVYMCg+QZ5OPA56b55WDqPHPoBJkPDuTm9axwm6AOxdNi5BkDzMw12fVBxlJL/Rm8=,iv:yD+MkZK5vvZ85vYGd9X2Dv6KkSvMUsMGLrwlJ1pRqlk=,tag:YA379QupHh7aJZKcQxB7bA==,type:str]
knot-tsig-key: ENC[AES256_GCM,data:CBFaRKPr+HRVM01fA9/OLWeD1O33axQKEKJuqDRfcGmuDeP3oXf+ccEJhQE=,iv:2O5y24YenpiMc9txPx8kz8x0aO37LpLjIcwlNywPEak=,tag:J4bVZ7RNSR9fiOBQ2HKpnQ==,type:str]
mopidy-spotify: ENC[AES256_GCM,data:irBeIh2FieNkdf6Hls/Oj+qYxj1U7R7/Ffq6dx+JCS0PdOiFWIHXtccY+PXPKP7RhhaQOgZtIcgPyqTiML52P0c8AwN6UHMl7kgUcKnk60AI0IUZNWorCBZluHhEpf2e2OISlFzDGjSHk+zAzh2eDS1lJ9lCRYEC,iv:r6aZmlVHdRsA9DxkelcIVVpwwm32jaOgP429h61NL/U=,tag:FvPIr0HX/V7+G9kal4nO8w==,type:str]
lms-spotify: ENC[AES256_GCM,data:E53aUSNxE30SSrG6Y6SWKVzmsv0lu8aZvjk1RBgSj3q4m65dPLwGM9HcagN3BPoVTc0tKJaccrjoL2k5FOMnwcTXIz3qgiZGbnB6hVCoOhMrrkoFRN2JzSIA5WxKOT8VuMoC4/a6WaWbY8SWAdhgRQb9uq1hUxdkMCoNRLNJnPqR/0w07lCDVHvkj8XuBV4rGl93VVT3rCzjVTL+Vigv38WZ2il2aANkCz3joNeN8Uod3K/HA5uXLw3cLFmD7eI7LBDSTHpMEg==,iv:iRKrij3TRaufB5BXy7Xhiu3asClZ6hpkbMV14aod7jk=,tag:hpUwP/OHygqfgI6j6q2sKQ==,type:str]
sops:
age:
- recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkT0thSi85UWJlREkyNVVC
NWtzSU9DWXRqbWhYSW82aUtyb29LZGswV1ZVCjFPZXIvcDBIVXFzOSt2UUxiM2kv
MXFoY2NWSE9lVnRzYlNsYndLYVZnOFkKLS0tIFlLMExqYkt5ZlpUK1lJOCtQZW9t
MVZSV0JwUW9GWVIzekV3a1RibGF1bEkKBoNNseldjYfL8QPSFnOa3f5IlQ+0Tntm
kOTf0oH380WM5856TQchND26wX0rHAMllx40yWBzjlkJMX5wvXBYWg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTDFvM2l3Tm5lU0paWXpF
cjVBSFhENW5mNG9DSFM1NXh3UHdaKzlKMGlZCnRmNFBFVWY4N0FqLzF1bUMyUDdL
U091VENiVFhYeEJ5K0xodXlHVkhHKzgKLS0tIGxta3A2TjJiMUtiR2RzcU02Rys5
U1c0SjRKK2UwbTVIQUMrT1pOOVFmOVkKY3UyGNIPZJLE8GG124y0pLgqGub9SMCq
plK5H+kASOB1X6pK+3PBFuDYT1AbsRxXvWgAEMvVI7eBcxQlSrrB4Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYW9NeGo1a09oVjVBTGFr
V3JWc3NHRDcvYXVDMFVMNUl1Q0h5ZXJ5dzFnClZGbGhyME1Id0RETEdtMkN3RWZt
VVFVOEphZEpJQ29YRjd2WGltWkdmYUkKLS0tIFBOOVdhM2RMSTdWM1lKT2hGTHYz
c1FGaE1KZkhxbmRmVEFCRGUzR3gyZXcKMvtkOvb35ocdQHfq/cN0wuu59d8e6GM2
9AqDummh/D0NQ69X2Hoojgmt9tl5TKnhYwvfWU6gwAd5RKYIAcRghQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaXBqMGl1UytNL3BkZEhQ
S3RFL3lZRVZKTGVRTGFMNlFlWFRCNDNvRTM4CnpWZWovSDZaclQvN2Vwa0dWZGgz
Q1ZLM0sveXBxOVpvNHkycWJWWXdmVE0KLS0tIHl2bFk3RE03N01IdDJPWk5HT1Np
Qm82Sit3Q0haaDdnbzFjendMUm04Wk0KYp09dxXjzvC4IlH6Ilip8YjTz0mFeu/0
5IDMYjT1BuW5YiKgIJVd+UgOd6ysZLFFwk+Us2AcV7z110xk/askqQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRTJvZkNoYjVMaCtkZEN2
OEpMRUZ3TE9SSHplZjRMaFhESXJNZjk4MUM4CmVBVWNrakxvdEtGVFZmMiszVjBz
aTNJK1pHNXVpcnZNbjg2QWYwcXFZQlUKLS0tIDdIK01VVDRSZlB4ZFB4WHpaZG1N
Z1ZGVUROeXZGMm0xclF4N1A0S3BIeTgKVYwnDmneB4dljyvmxgXxTu/ftk0b1Z9I
ENyOiKIgN0YPOq1a1GOr9OCUOoNM5onTB0fkrUFzkChSB/3xDpUHlA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Wkd0YnBQRnExeVdUTGFu
N3o3MnF2aTY2NlBmdDJYT01zRytWZ2w1dFg0ClAzcnJ0NFYrVWlBM2JQU1B0SEJi
MGE5aVh6KzNmaEoxaHFOTW90K0VmMGsKLS0tIDNkOGZyVmMzME80TlBWMzI5UVR2
djB3Y2FIRDFKWlEwTnRBUnRIT3M2OXcK+SIt/7DRdQi6H1AZooJN2Pt2g1EwVTZe
Q14cEt0sLyVYzLJugfz2JWRHDZX6wPueYcTSEs7w3wAPVwvJWju8bg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKRVlHQ1h3eDlKd3FuN2Q4
Q2RuUVpKeHJqYldWRlNlWDFPQ2U2TzQ4MG5ZClFLVlBwYy9xU1lzbGMvNE9kdVI3
VHpxeEtwOHgvS3NhZWdKaVp3RHh6aUUKLS0tIHUrOWRibGhJckFycVJwalJsSFA3
UXEzSHMxVVc4b0FOU0NycElaV3VMOWMKpq9KFfdu0kEWhlT7Of5aOrAhM8FmOuzo
1RRxsDAtpfjw3dYbvS8ISrFP+nEr84qi4Hdrr1Y35ye5fR30gvQycw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQXhNSFBnNUtMdkpwR0th
M1NmOVorcUdlZTFDM3dVRHZlYWpJcDZiakVnCit6eTFOeW92SzhPYzJxR0VTem9r
MSs4cWxRbzVBQmlWaHIwMjB5RUlJMXcKLS0tIHNSVTloOEVVVndDWkVrWmQrYXlD
NTd1WGFJWHVLTnFNT3hYbDdtSnMzTTAKBmJOayZLbjmBejwVzVtUSYPki+qPkYwG
xdO3L7n0Z8Cv/kVYZpkuG5GqOUL+nCJuYDjF0g4PaLb6WWd0W8ZGFA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-25T19:16:56Z"
mac: ENC[AES256_GCM,data:kaeDCxG+z6NqzcaZTBsEkPhlXts47iEhQp7MGsRrYMP9X4vYsLBkzKgeHugcN2VnaZI+Uw27Tn1Fgt4Eaqty7j07iZKa33B/SOnFu3fKacP3Ae3vGAgzda/5HyOPsPxEgiHUEbJqTnhahh9sYckwdaMPg/PdSEAJyJN1b2WYy+0=,iv:E65Baxjw2mV6Tm59Ka4l1Q640PoS7IDLggNLmO9ij0k=,tag:+5Rx9nUEWsLIsLfEg/TcfA==,type:str]
lastmodified: "2025-12-01T11:01:54Z"
mac: ENC[AES256_GCM,data:taGX5HHZCL7Zo4taS2Jz/5WxhvpBNNKZ13ZCtS3x/P17tC1Nrk2UDcxbOZ1pPVbVvvaAHJtDb3owFvBOM4nr2Eve0M9zT4HbXh3hke7AviQ6U7CT1ru6LjY7W8lBjbQ6uCt+Ldxd1PRPPGiyKdK5GAUPKg6avFjpJbhEikh8Gww=,iv:NNs5usVJ5izYvHKnNm1IgjSt4dg0QFQ7cClJ6zh+3wM=,tag:sYYbEWIUgOWthEItdy5PFg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

2
hosts/mail/channel
View File

@@ -1 +1 @@
https://channels.nixos.org/nixos-25.05
https://channels.nixos.org/nixos-25.11

6
hosts/mail/modules/dovecot.nix
View File

@@ -240,11 +240,11 @@ in
sops.secrets.dovecot-ldap-password = { };
systemd.services.dovecot2.preStart = ''
systemd.services.dovecot.preStart = ''
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${ldapConfig} > /run/dovecot2/ldap.conf
'';
systemd.services.dovecot2 = {
systemd.services.dovecot = {
wants = [ "acme-imap.${domain}.service" ];
after = [ "acme-imap.${domain}.service" ];
};
@@ -257,7 +257,7 @@ in
"imap-test.${domain}"
"imap-02.${domain}"
];
postRun = "systemctl --no-block restart dovecot2.service";
postRun = "systemctl --no-block restart dovecot.service";
};
networking.firewall.allowedTCPPorts = [

4
hosts/mail/modules/openldap.nix
View File

@@ -17,10 +17,10 @@ in {
olcTLSCACertificateFile = "/var/lib/acme/ldap.${domain}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/ldap.${domain}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/ldap.${domain}/key.pem";
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCipherSuite = "HIGH:!aNULL:!MD5:!3DES:!RC4";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
olcTLSProtocolMin = "3.3";
olcSecurity = "tls=1";
};

14
hosts/mail/modules/postfix.nix
View File

@@ -128,16 +128,16 @@ in
compatibility_level = "2";
# bigger attachement size
mailbox_size_limit = "202400000";
message_size_limit = "51200000";
mailbox_size_limit = 202400000;
message_size_limit = 51200000;
smtpd_helo_required = "yes";
smtpd_delay_reject = "yes";
strict_rfc821_envelopes = "yes";
# send Limit
smtpd_error_sleep_time = "1s";
smtpd_soft_error_limit = "10";
smtpd_hard_error_limit = "20";
smtpd_soft_error_limit = 10;
smtpd_hard_error_limit = 20;
smtpd_use_tls = "yes";
smtp_tls_note_starttls_offer = "yes";
@@ -151,14 +151,13 @@ in
smtpd_tls_key_file = "/var/lib/acme/mail.cloonar.com/key.pem";
smtpd_tls_CAfile = "/var/lib/acme/mail.cloonar.com/fullchain.pem";
smtpd_tls_dh512_param_file = config.security.dhparams.params.postfix512.path;
smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix2048.path;
smtpd_tls_session_cache_database = ''btree:''${data_directory}/smtpd_scache'';
smtpd_tls_mandatory_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
smtpd_tls_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
smtpd_tls_mandatory_ciphers = "medium";
tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
tls_medium_cipherlist = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20";
# authentication
smtpd_sasl_auth_enable = "yes";
@@ -225,8 +224,7 @@ in
security.dhparams = {
enable = true;
params.postfix512.bits = 512;
params.postfix2048.bits = 1024;
params.postfix2048.bits = 2048;
};
security.acme.certs."mail.${domain}" = {

2
hosts/mail/modules/rspamd.nix
View File

@@ -119,7 +119,7 @@ in
# systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "redis-rspamd" ];
systemd.services.dovecot2.preStart = ''
systemd.services.dovecot.preStart = ''
mkdir -p /var/lib/dovecot/sieve/
for i in ${sieve-spam-filter}/share/sieve-rspamd-filter/*.sieve; do
dest="/var/lib/dovecot/sieve/$(basename $i)"

60
hosts/nas/STORAGE.md Normal file
View File

@@ -0,0 +1,60 @@
# NAS Storage Notes
## Current Issue: XFS Metadata Overhead
The XFS filesystem on `/var/lib/multimedia` uses ~100GB more than the actual file data due to metadata overhead.
### Root Cause
The filesystem was created with advanced features enabled:
```
rmapbt=1 # Reverse mapping btree - tracks block ownership
reflink=1 # Copy-on-write support
```
These features add metadata that scales with **filesystem size**, not file count. On a 5TB filesystem with 700GB of data, this results in ~100GB (~2%) overhead.
### Diagnostic Commands
```bash
# Compare file data vs filesystem usage
du -sh /var/lib/multimedia # Actual file data
df -h /var/lib/multimedia # Filesystem reports
# Check XFS features
xfs_info /var/lib/multimedia
# Verify block allocation
xfs_db -r -c "freesp -s" /dev/mapper/vg--data-lv--multimedia
```
## Recommendation: LVM + ext4
For media storage (write-once, read-many), ext4 with minimal reserved space offers the lowest overhead:
```bash
# Create filesystem with 0% reserved blocks
mkfs.ext4 -m 0 /dev/vg/lv
# Or adjust existing ext4
tune2fs -m 0 /dev/vg/lv
```
### Why ext4 over XFS for this use case
| Consideration | ext4 | XFS (current) |
|---------------|------|---------------|
| Reserved space | 0% with `-m 0` | N/A |
| Metadata overhead | ~0.5% | ~2% (with rmapbt) |
| Shrink support | Yes | No |
| Performance for 4K stream | Identical | Identical |
A single 4K remux stream requires ~12 MB/s. Any filesystem handles this trivially.
## Migration Path
1. Backup data from XFS volumes
2. Recreate LVs with ext4 (`mkfs.ext4 -m 0`)
3. Restore data
4. Update `/etc/fstab` or NixOS `fileSystems` config

1
hosts/nas/channel Normal file
View File

@@ -0,0 +1 @@
https://channels.nixos.org/nixos-25.11

100
hosts/nas/configuration.nix Normal file
View File

@@ -0,0 +1,100 @@
# NAS host configuration
{ config, lib, pkgs, ... }:
let
impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
in {
nixpkgs.config.allowUnfree = true;
imports = [
"${impermanence}/nixos.nix"
./utils/bento.nix
./utils/modules/sops.nix
./utils/modules/set-nix-channel.nix
./utils/modules/victoriametrics
./utils/modules/promtail
# ./modules/cyberghost.nix
./modules/pyload.nix
./modules/jellyfin.nix
./modules/power-management.nix
./modules/disk-monitoring.nix
./modules/ugreen-leds.nix
./hardware-configuration.nix
];
nixpkgs.overlays = [
(import ./utils/overlays/packages.nix)
];
# Hostname
networking.hostName = "nas";
# Timezone
time.timeZone = "Europe/Vienna";
console.keyMap = "de";
# SSH server
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
# Firewall
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 22 ];
# SOPS configuration
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.defaultSopsFile = ./secrets.yaml;
# Btrfs maintenance
services.btrfs.autoScrub = {
enable = true;
interval = "monthly";
fileSystems = [ "/nix" ];
};
# Impermanence - persist important directories
# Note: /var/lib/downloads and /var/lib/multimedia are mounted from LVM on RAID
environment.persistence."/nix/persist/system" = {
hideMounts = true;
directories = [
"/var/lib/pyload"
"/var/lib/jellyfin"
"/var/log"
"/var/lib/nixos"
"/var/bento"
"/root/.ssh"
];
files = [
"/etc/machine-id"
{ file = "/etc/ssh/ssh_host_ed25519_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
{ file = "/etc/ssh/ssh_host_ed25519_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
{ file = "/etc/ssh/ssh_host_rsa_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
{ file = "/etc/ssh/ssh_host_rsa_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
];
};
# System packages
environment.systemPackages = with pkgs; [
vim
screen
];
# Nix settings
nix = {
settings = {
auto-optimise-store = true;
experimental-features = [ "nix-command" "flakes" ];
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 14d";
};
};
system.stateVersion = "24.05";
}

1
hosts/nas/fleet.nix Symbolic link
View File

@@ -0,0 +1 @@
../../fleet.nix

103
hosts/nas/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,103 @@
# Hardware configuration for NAS
# TODO: Update disk labels/UUIDs after installation
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.loader.systemd-boot = {
enable = true;
configurationLimit = 5;
};
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# Power management kernel parameters
boot.kernelParams = [
"intel_pstate=passive" # Better with powersave governor
"i915.enable_rc6=1" # GPU deep sleep states
"i915.enable_dc=2" # Display C-states (deepest)
"i915.enable_fbc=1" # Frame buffer compression
];
# RAID 1 arrays for data storage
boot.swraid = {
enable = true;
mdadmConf = ''
DEVICE /dev/disk/by-id/nvme-KIOXIA-EXCERIA_PLUS_G3_SSD_7FJKS1MAZ0E7-part1
DEVICE /dev/disk/by-id/nvme-KIOXIA-EXCERIA_PLUS_G3_SSD_7FJKS1M9Z0E7-part1
DEVICE /dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_8582A01SF4MJ-part1
DEVICE /dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_75V2A0H3F4MJ-part1
'';
};
# Tmpfs root filesystem (ephemeral - resets on reboot)
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "size=8G" "mode=755" ];
};
# Boot partition - EFI
fileSystems."/boot" = {
device = "/dev/disk/by-partlabel/BOOT";
fsType = "vfat";
};
fileSystems."/nix" = {
device = "/dev/disk/by-partlabel/NIXOS";
fsType = "btrfs";
neededForBoot = true;
options = [
"subvol=@"
"compress=zstd:1"
"noatime"
"commit=120"
];
};
fileSystems."/nix/store" = {
device = "/dev/disk/by-partlabel/NIXOS";
fsType = "btrfs";
neededForBoot = true;
options = [
"subvol=@nix-store"
"compress=zstd:1"
"noatime"
"commit=120"
];
};
fileSystems."/nix/persist" = {
device = "/dev/disk/by-partlabel/NIXOS";
fsType = "btrfs";
neededForBoot = true;
options = [
"subvol=@nix-persist"
"compress=zstd:1"
"noatime"
"commit=120"
];
};
# LVM volumes on RAID array
fileSystems."/var/lib/downloads" = {
device = "/dev/vg-data-fast/downloads";
fsType = "ext4";
};
fileSystems."/var/lib/multimedia" = {
device = "/dev/vg-data-slow/multimedia";
fsType = "ext4";
options = [ "noatime" ];
};
# DHCP networking
networking.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

103
hosts/nas/modules/cyberghost.nix Normal file
View File

@@ -0,0 +1,103 @@
{ config, pkgs, ... }:
let
localNetwork = "10.42.96.0/20";
in
{
# SOPS secrets for CyberGhost credentials
sops.secrets.cyberghost-auth = {
mode = "0400";
owner = "root";
};
sops.secrets.cyberghost-ca = {
mode = "0400";
owner = "root";
};
sops.secrets.cyberghost-cert = {
mode = "0400";
owner = "root";
};
sops.secrets.cyberghost-key = {
mode = "0400";
owner = "root";
};
environment.systemPackages = [ pkgs.openvpn ];
# OpenVPN client service
services.openvpn.servers.cyberghost = {
autoStart = true;
updateResolvConf = true;
config = ''
client
dev tun
proto udp
remote 87-1-hu.cg-dialup.net 443
resolv-retry infinite
nobind
persist-key
persist-tun
# Authentication
auth-user-pass ${config.sops.secrets.cyberghost-auth.path}
ca ${config.sops.secrets.cyberghost-ca.path}
cert ${config.sops.secrets.cyberghost-cert.path}
key ${config.sops.secrets.cyberghost-key.path}
# Security
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
remote-cert-tls server
script-security 2
# Connection
ping 5
explicit-exit-notify 2
route-delay 5
# Split tunnel: Don't pull routes from server, we'll set our own
route-nopull
# Route all traffic through VPN except local network
route 0.0.0.0 128.0.0.0 vpn_gateway
route 128.0.0.0 128.0.0.0 vpn_gateway
# Keep local network route direct
route ${localNetwork} net_gateway
verb 4
'';
};
# Kill switch: Block outgoing traffic if VPN is down
networking.firewall = {
extraCommands = ''
# Allow traffic to local network
iptables -A OUTPUT -d ${localNetwork} -j ACCEPT
# Allow traffic through VPN tunnel
iptables -A OUTPUT -o tun+ -j ACCEPT
# Allow loopback
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established connections (for responses)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow OpenVPN to establish connection (UDP 443)
iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
# Drop all other outgoing internet traffic (kill switch)
iptables -A OUTPUT ! -d ${localNetwork} -j DROP
'';
extraStopCommands = ''
iptables -D OUTPUT -d ${localNetwork} -j ACCEPT 2>/dev/null || true
iptables -D OUTPUT -o tun+ -j ACCEPT 2>/dev/null || true
iptables -D OUTPUT -o lo -j ACCEPT 2>/dev/null || true
iptables -D OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
iptables -D OUTPUT -p udp --dport 443 -j ACCEPT 2>/dev/null || true
iptables -D OUTPUT ! -d ${localNetwork} -j DROP 2>/dev/null || true
'';
};
}

199
hosts/nas/modules/disk-monitoring.nix Normal file
View File

@@ -0,0 +1,199 @@
# Disk monitoring for NAS
# - S.M.A.R.T. metrics collection (respects disk spindown)
# - mdadm RAID array status
# - Exports metrics via node_exporter textfile collector
{ config, lib, pkgs, ... }:
let
# Disk identifiers from hardware-configuration.nix
disks = [
"/dev/disk/by-id/ata-ST18000NM000J-2TV103_ZR52TBSB"
"/dev/disk/by-id/ata-ST18000NM000J-2TV103_ZR52V9QX"
"/dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_8582A01SF4MJ"
"/dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_75V2A0H3F4MJ"
"/dev/disk/by-id/nvme-KIOXIA-EXCERIA_PLUS_G3_SSD_7FJKS1MAZ0E7"
"/dev/disk/by-id/nvme-KIOXIA-EXCERIA_PLUS_G3_SSD_7FJKS1M9Z0E7"
];
textfileDir = "/var/lib/prometheus-node-exporter";
# Script to collect S.M.A.R.T. and mdadm metrics
collectMetricsScript = pkgs.writeShellScript "collect-disk-metrics" ''
set -euo pipefail
TEXTFILE_DIR="${textfileDir}"
METRICS_FILE="$TEXTFILE_DIR/disk_health.prom"
TEMP_FILE="$TEXTFILE_DIR/disk_health.prom.tmp"
mkdir -p "$TEXTFILE_DIR"
: > "$TEMP_FILE"
# Timestamp of collection
echo "# HELP disk_metrics_last_update Unix timestamp of last metrics collection" >> "$TEMP_FILE"
echo "# TYPE disk_metrics_last_update gauge" >> "$TEMP_FILE"
echo "disk_metrics_last_update $(date +%s)" >> "$TEMP_FILE"
echo "" >> "$TEMP_FILE"
echo "# HELP smart_device_active Whether the disk was active (1) or sleeping (0) when checked" >> "$TEMP_FILE"
echo "# TYPE smart_device_active gauge" >> "$TEMP_FILE"
# S.M.A.R.T. metrics for each disk
for disk in ${lib.concatStringsSep " " disks}; do
if [[ ! -e "$disk" ]]; then
echo "Warning: Disk $disk not found, skipping" >&2
continue
fi
# Resolve symlink to get actual device (needed for hdparm/smartctl)
device=$(readlink -f "$disk")
# Extract model+serial from disk-by-id path for stable labeling
# ata-ST18000NM000J-2TV103_ZR52TBSB ST18000NM000J-2TV103-ZR52TBSB
# nvme-KIOXIA-EXCERIA_PLUS_G3_SSD_7FJKS1MAZ0E7 KIOXIA-EXCERIA_PLUS_G3_SSD-7FJKS1MAZ0E7
disk_id=$(basename "$disk")
serial=$(echo "$disk_id" | sed 's/.*_//')
model=$(echo "$disk_id" | sed 's/^[^-]*-//; s/_[^_]*$//')
short_name="$model-$serial"
# Check power state without waking disk
power_state=$(${pkgs.hdparm}/bin/hdparm -C "$device" 2>/dev/null | grep -oP '(standby|active/idle|active|idle)' | head -1 || echo "unknown")
if [[ "$power_state" == "standby" ]]; then
# Disk is sleeping - don't wake it, report inactive
echo "smart_device_active{device=\"$short_name\",serial=\"$serial\"} 0" >> "$TEMP_FILE"
echo "Disk $short_name is in standby, skipping S.M.A.R.T. collection" >&2
continue
fi
# Disk is active - collect S.M.A.R.T. data
echo "smart_device_active{device=\"$short_name\",serial=\"$serial\"} 1" >> "$TEMP_FILE"
# Get S.M.A.R.T. health status
if ${pkgs.smartmontools}/bin/smartctl -H "$device" 2>/dev/null | grep -q "PASSED"; then
health=1
else
health=0
fi
# Get S.M.A.R.T. attributes
smartctl_output=$(${pkgs.smartmontools}/bin/smartctl -A "$device" 2>/dev/null || true)
# Parse key attributes
# Format: ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
get_raw_value() {
local attr_id="$1"
echo "$smartctl_output" | awk -v id="$attr_id" '$1 == id { print $10 }' | head -1
}
reallocated=$(get_raw_value "5")
power_on_hours=$(get_raw_value "9")
temperature=$(get_raw_value "194")
reallocated_event=$(get_raw_value "196")
pending_sector=$(get_raw_value "197")
offline_uncorrectable=$(get_raw_value "198")
udma_crc_error=$(get_raw_value "199")
# Output metrics
cat >> "$TEMP_FILE" << EOF
# S.M.A.R.T. metrics for $short_name
smart_health_passed{device="$short_name",serial="$serial"} $health
EOF
[[ -n "$reallocated" ]] && echo "smart_reallocated_sector_ct{device=\"$short_name\",serial=\"$serial\"} $reallocated" >> "$TEMP_FILE"
[[ -n "$power_on_hours" ]] && echo "smart_power_on_hours{device=\"$short_name\",serial=\"$serial\"} $power_on_hours" >> "$TEMP_FILE"
[[ -n "$temperature" ]] && echo "smart_temperature_celsius{device=\"$short_name\",serial=\"$serial\"} $temperature" >> "$TEMP_FILE"
[[ -n "$reallocated_event" ]] && echo "smart_reallocated_event_count{device=\"$short_name\",serial=\"$serial\"} $reallocated_event" >> "$TEMP_FILE"
[[ -n "$pending_sector" ]] && echo "smart_current_pending_sector{device=\"$short_name\",serial=\"$serial\"} $pending_sector" >> "$TEMP_FILE"
[[ -n "$offline_uncorrectable" ]] && echo "smart_offline_uncorrectable{device=\"$short_name\",serial=\"$serial\"} $offline_uncorrectable" >> "$TEMP_FILE"
[[ -n "$udma_crc_error" ]] && echo "smart_udma_crc_error_count{device=\"$short_name\",serial=\"$serial\"} $udma_crc_error" >> "$TEMP_FILE"
done
# mdadm RAID array status (doesn't access disks)
echo "" >> "$TEMP_FILE"
echo "# HELP mdadm_array_state RAID array state (1=clean/active/resyncing, 0=degraded/other)" >> "$TEMP_FILE"
echo "# TYPE mdadm_array_state gauge" >> "$TEMP_FILE"
echo "# HELP mdadm_array_devices_total Total devices in RAID array" >> "$TEMP_FILE"
echo "# TYPE mdadm_array_devices_total gauge" >> "$TEMP_FILE"
echo "# HELP mdadm_array_devices_active Active devices in RAID array" >> "$TEMP_FILE"
echo "# TYPE mdadm_array_devices_active gauge" >> "$TEMP_FILE"
# Find RAID arrays
for md_device in /dev/md/*; do
[[ -e "$md_device" ]] || continue
array_name=$(basename "$md_device")
# Get array details
mdadm_output=$(${pkgs.mdadm}/bin/mdadm --detail "$md_device" 2>/dev/null || continue)
# Parse state
state=$(echo "$mdadm_output" | grep "State :" | sed 's/.*State : //' | tr -d ' ')
if [[ "$state" == *clean* ]] || [[ "$state" == *active* ]]; then
state_value=1
else
state_value=0
fi
# Parse device counts
total_devices=$(echo "$mdadm_output" | grep "Raid Devices" | awk '{print $4}')
active_devices=$(echo "$mdadm_output" | grep "Active Devices" | awk '{print $4}')
echo "mdadm_array_state{array=\"$array_name\",state=\"$state\"} $state_value" >> "$TEMP_FILE"
[[ -n "$total_devices" ]] && echo "mdadm_array_devices_total{array=\"$array_name\"} $total_devices" >> "$TEMP_FILE"
[[ -n "$active_devices" ]] && echo "mdadm_array_devices_active{array=\"$array_name\"} $active_devices" >> "$TEMP_FILE"
done
# Atomically replace the metrics file
mv "$TEMP_FILE" "$METRICS_FILE"
echo "Disk metrics collection complete"
'';
in
{
# Required packages
environment.systemPackages = with pkgs; [
smartmontools
hdparm
mdadm
];
# Node exporter with textfile collector
services.prometheus.exporters.node = {
enable = true;
enabledCollectors = [
"textfile"
];
extraFlags = [
"--collector.textfile.directory=${textfileDir}"
];
};
# Systemd service to collect metrics
systemd.services.disk-metrics = {
description = "Collect S.M.A.R.T. and RAID metrics";
path = with pkgs; [ coreutils gawk gnugrep gnused ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${collectMetricsScript}";
# Run as root to access disk devices
User = "root";
};
};
# Timer to run every 20 minutes (5min buffer for 15min spindown)
systemd.timers.disk-metrics = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/20"; # Every 20 minutes
RandomizedDelaySec = "1min";
Persistent = true;
};
};
# Ensure textfile directory exists and is persisted
systemd.tmpfiles.rules = [
"d ${textfileDir} 0755 root root -"
];
}

186
hosts/nas/modules/filebot-process.nix Normal file
View File

@@ -0,0 +1,186 @@
{ pkgs }:
pkgs.writeShellScriptBin "filebot-process" ''
#!/usr/bin/env bash
set -euo pipefail
# FileBot AMC script for automated media organization
# Called by PyLoad's package_extracted hook with parameters:
# $1 = package_id
# $2 = package_name
# $3 = download_folder (actual path to extracted files)
# $4 = password (optional)
PACKAGE_ID="''${1:-}"
PACKAGE_NAME="''${2:-unknown}"
DOWNLOAD_DIR="''${3:-/var/lib/downloads}"
PASSWORD="''${4:-}"
OUTPUT_DIR="/var/lib/multimedia"
LOG_FILE="/var/lib/pyload/filebot-amc.log"
EXCLUDE_LIST="/var/lib/pyload/filebot-exclude-list.txt"
PASSWORD_FILE="/var/lib/pyload/extraction-passwords.txt"
# Ensure FileBot data directory exists
mkdir -p /var/lib/pyload/.local/share/filebot/data
mkdir -p "$(dirname "$LOG_FILE")"
touch "$EXCLUDE_LIST"
# Install FileBot license if not already installed
if [ ! -f /var/lib/pyload/.local/share/filebot/data/.license ]; then
echo "$(date): Installing FileBot license..." >> "$LOG_FILE"
${pkgs.filebot}/bin/filebot --license /var/lib/pyload/filebot-license.psm || true
fi
echo "===========================================" >> "$LOG_FILE"
echo "$(date): PyLoad package hook triggered" >> "$LOG_FILE"
echo "Package ID: $PACKAGE_ID" >> "$LOG_FILE"
echo "Package Name: $PACKAGE_NAME" >> "$LOG_FILE"
echo "Download Directory: $DOWNLOAD_DIR" >> "$LOG_FILE"
echo "===========================================" >> "$LOG_FILE"
# Check if download directory exists
if [ ! -d "$DOWNLOAD_DIR" ]; then
echo "$(date): Download directory does not exist: $DOWNLOAD_DIR" >> "$LOG_FILE"
exit 0
fi
# --- Archive Extraction ---
# Try extraction with passwords, then without
try_extract() {
local archive="$1"
local outdir
outdir="$(dirname "$archive")"
# Try each password from file
if [ -f "$PASSWORD_FILE" ]; then
while IFS= read -r pass || [ -n "$pass" ]; do
[ -z "$pass" ] && continue
case "$archive" in
*.rar) ${pkgs.unrar}/bin/unrar x -p"$pass" -o+ "$archive" "$outdir/" >/dev/null 2>&1 && return 0 ;;
*.7z) ${pkgs.p7zip}/bin/7z x -p"$pass" -aoa -o"$outdir" "$archive" >/dev/null 2>&1 && return 0 ;;
*.zip) ${pkgs.p7zip}/bin/7z x -p"$pass" -aoa -o"$outdir" "$archive" >/dev/null 2>&1 && return 0 ;;
esac
done < "$PASSWORD_FILE"
fi
# Try without password
case "$archive" in
*.rar) ${pkgs.unrar}/bin/unrar x -o+ "$archive" "$outdir/" >/dev/null 2>&1 && return 0 ;;
*.7z) ${pkgs.p7zip}/bin/7z x -aoa -o"$outdir" "$archive" >/dev/null 2>&1 && return 0 ;;
*.zip) ${pkgs.p7zip}/bin/7z x -aoa -o"$outdir" "$archive" >/dev/null 2>&1 && return 0 ;;
esac
return 1
}
# Delete all parts of a split RAR archive
delete_rar_parts() {
local first_part="$1"
local base dir
dir="$(dirname "$first_part")"
# Extract base name: "foo.part1.rar" -> "foo", "foo.part01.rar" -> "foo"
base="$(basename "$first_part" | ${pkgs.gnused}/bin/sed -E 's/\.part[0-9]+\.rar$//')"
# Delete all parts matching the pattern
find "$dir" -maxdepth 1 -type f -iname "''${base}.part*.rar" -delete
echo "$(date): Deleted all parts: ''${base}.part*.rar" >> "$LOG_FILE"
}
# Extract archives in directory
extract_archives() {
local dir="$1"
local extracted=0
# 1. Handle split RAR archives (*.part1.rar or *.part01.rar - first part only)
while IFS= read -r -d "" archive; do
echo "$(date): Extracting split RAR: $archive" >> "$LOG_FILE"
if try_extract "$archive"; then
echo "$(date): Extraction successful" >> "$LOG_FILE"
delete_rar_parts "$archive"
extracted=1
else
echo "$(date): Extraction FAILED: $archive" >> "$LOG_FILE"
fi
done < <(find "$dir" -type f \( -iname "*.part1.rar" -o -iname "*.part01.rar" \) -print0 2>/dev/null)
# 2. Handle single RAR files (not part of split archive)
while IFS= read -r -d "" archive; do
echo "$(date): Extracting RAR: $archive" >> "$LOG_FILE"
if try_extract "$archive"; then
echo "$(date): Extraction successful, deleting: $archive" >> "$LOG_FILE"
rm -f "$archive"
extracted=1
else
echo "$(date): Extraction FAILED: $archive" >> "$LOG_FILE"
fi
done < <(find "$dir" -type f -iname "*.rar" ! -iname "*.part*.rar" -print0 2>/dev/null)
# 3. Handle 7z and zip archives
while IFS= read -r -d "" archive; do
echo "$(date): Extracting: $archive" >> "$LOG_FILE"
if try_extract "$archive"; then
echo "$(date): Extraction successful, deleting: $archive" >> "$LOG_FILE"
rm -f "$archive"
extracted=1
else
echo "$(date): Extraction FAILED: $archive" >> "$LOG_FILE"
fi
done < <(find "$dir" -type f \( -iname "*.7z" -o -iname "*.zip" \) -print0 2>/dev/null)
[ "$extracted" -eq 1 ] && return 0 || return 1
}
# Run extraction (loop to handle nested archives)
echo "$(date): Starting archive extraction..." >> "$LOG_FILE"
for i in 1 2 3; do
extract_archives "$DOWNLOAD_DIR" || break
done
echo "$(date): Archive extraction complete" >> "$LOG_FILE"
# --- Media Processing ---
# Check if there are any video/media files to process
if ! find "$DOWNLOAD_DIR" -type f \( -iname "*.mkv" -o -iname "*.mp4" -o -iname "*.avi" -o -iname "*.m4v" -o -iname "*.mov" \) -print -quit | grep -q .; then
echo "$(date): No media files found in: $DOWNLOAD_DIR" >> "$LOG_FILE"
echo "$(date): Skipping FileBot processing" >> "$LOG_FILE"
exit 0
fi
echo "$(date): Starting FileBot processing" >> "$LOG_FILE"
# Run FileBot AMC script
set +e # Temporarily disable exit on error to capture exit code
${pkgs.filebot}/bin/filebot \
-script fn:amc \
--output "$OUTPUT_DIR" \
--action move \
--conflict auto \
-non-strict \
--log-file "$LOG_FILE" \
--def \
excludeList="$EXCLUDE_LIST" \
movieFormat="$OUTPUT_DIR/movies/{n} ({y})/{n} ({y}) - {vf}" \
seriesFormat="$OUTPUT_DIR/tv-shows/{n}/Season {s.pad(2)}/{n} - {s00e00} - {t}" \
ut_dir="$DOWNLOAD_DIR" \
ut_kind=multi \
clean=y \
skipExtract=y
FILEBOT_EXIT_CODE=$?
set -e # Re-enable exit on error
if [ $FILEBOT_EXIT_CODE -ne 0 ]; then
echo "$(date): FileBot processing failed with exit code $FILEBOT_EXIT_CODE" >> "$LOG_FILE"
exit 0 # Don't fail the hook even if FileBot fails
fi
echo "$(date): FileBot processing completed successfully" >> "$LOG_FILE"
# Clean up any remaining empty directories
find "$DOWNLOAD_DIR" -type d -empty -delete 2>/dev/null || true
echo "$(date): All processing completed" >> "$LOG_FILE"
exit 0
''

51
hosts/nas/modules/jellyfin.nix Normal file
View File

@@ -0,0 +1,51 @@
{ lib, pkgs, ... }: {
# Intel graphics support for hardware transcoding
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
vpl-gpu-rt
intel-compute-runtime
];
};
# Set VA-API driver to iHD (modern Intel driver)
environment.sessionVariables = {
LIBVA_DRIVER_NAME = "iHD";
};
# Jellyfin user with render/video groups for GPU access
users.users.jellyfin = {
isSystemUser = true;
group = "jellyfin";
home = "/var/lib/jellyfin";
createHome = true;
extraGroups = [ "render" "video" ];
};
users.groups.jellyfin = {};
# Create jellyfin directory
systemd.tmpfiles.rules = [
"d /var/lib/jellyfin 0755 jellyfin jellyfin - -"
];
services.jellyfin = {
enable = true;
openFirewall = true;
};
# Override systemd hardening for GPU access
systemd.services.jellyfin = {
serviceConfig = {
PrivateUsers = lib.mkForce false; # Disable user namespacing - breaks GPU device access
DeviceAllow = [
"/dev/dri/card0 rw"
"/dev/dri/renderD128 rw"
];
SupplementaryGroups = [ "render" "video" ]; # Critical: Explicit group membership for GPU access
};
environment = {
LIBVA_DRIVER_NAME = "iHD"; # Ensure service sees this variable
};
};
}

24
hosts/nas/modules/power-management.nix Normal file
View File

@@ -0,0 +1,24 @@
# Power management for NAS
# - CPU powersave governor (scales up on demand for transcoding)
# - Disk spindown after 15 minutes idle
{ config, lib, pkgs, ... }:
{
# CPU Power Management - powersave scales up on demand for transcoding
powerManagement.cpuFreqGovernor = "powersave";
# Disk spindown - hdparm for Seagate 18TB drives
environment.systemPackages = [ pkgs.hdparm ];
services.udev.extraRules = ''
# Seagate 18TB NAS drives - APM 127 allows spindown, -S 180 = 15 min
ACTION=="add", KERNEL=="sd[a-z]", SUBSYSTEM=="block", \
ATTRS{model}=="ST18000NM000J*", \
RUN+="${pkgs.hdparm}/bin/hdparm -B 127 -S 180 /dev/%k"
# Toshiba 20TB NAS drives - same settings
ACTION=="add", KERNEL=="sd[a-z]", SUBSYSTEM=="block", \
ATTRS{model}=="TOSHIBA MG10ACA2*", \
RUN+="${pkgs.hdparm}/bin/hdparm -B 127 -S 180 /dev/%k"
'';
}

120
hosts/nas/modules/pyload.nix Normal file
View File

@@ -0,0 +1,120 @@
{ config, pkgs, lib, ... }:
let
filebotScript = pkgs.callPackage ./filebot-process.nix {};
in
{
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"unrar"
"filebot"
];
environment.systemPackages = with pkgs; [
unrar # Required for RAR archive extraction
p7zip # Required for 7z and other archive formats
];
# Create directory structure
systemd.tmpfiles.rules = [
"d /var/lib/downloads 0755 pyload pyload - -"
"d /var/lib/multimedia 0775 root jellyfin - -"
"d /var/lib/multimedia/movies 0775 jellyfin jellyfin - -"
"d /var/lib/multimedia/tv-shows 0775 jellyfin jellyfin - -"
"d /var/lib/multimedia/music 0755 jellyfin jellyfin - -"
"d /var/lib/multimedia/audiobooks 0775 jellyfin jellyfin - -"
# PyLoad hook scripts directory (package_finished triggers after download completes)
"d /var/lib/pyload/config 0755 pyload pyload - -"
"d /var/lib/pyload/config/scripts 0755 pyload pyload - -"
"d /var/lib/pyload/config/scripts/package_finished 0755 pyload pyload - -"
"L+ /var/lib/pyload/config/scripts/package_finished/filebot-process.sh - - - - ${filebotScript}/bin/filebot-process"
];
# FileBot license secret (only if secrets.yaml exists)
sops.secrets.filebot-license = {
mode = "0440";
owner = "pyload";
group = "pyload";
path = "/var/lib/pyload/filebot-license.psm";
};
# Extraction passwords for filebot-process script (one password per line)
sops.secrets.pyload-extraction-passwords = {
mode = "0440";
owner = "pyload";
group = "pyload";
path = "/var/lib/pyload/extraction-passwords.txt";
};
# PyLoad user with jellyfin group membership for multimedia access
users.users.pyload = {
isSystemUser = true;
group = "pyload";
home = "/var/lib/pyload";
createHome = true;
extraGroups = [ "jellyfin" ];
};
users.groups.pyload = {};
services.pyload = {
enable = true;
downloadDirectory = "/var/lib/downloads";
listenAddress = "0.0.0.0";
port = 8000;
};
# Configure pyload service
systemd.services.pyload = {
# Add extraction tools to service PATH
path = with pkgs; [
unrar # For RAR extraction
p7zip # For 7z extraction
];
environment = {
# Disable SSL certificate verification
PYLOAD__GENERAL__SSL_VERIFY = "0";
# Download speed limiting (150 Mbit/s = 19200 KiB/s)
PYLOAD__DOWNLOAD__LIMIT_SPEED = "1";
PYLOAD__DOWNLOAD__MAX_SPEED = "19200";
# Disable ExtractArchive plugin (extraction handled by filebot-process script)
PYLOAD__EXTRACTARCHIVE__ENABLED = "0";
# Enable ExternalScripts plugin for hooks
PYLOAD__EXTERNALSCRIPTS__ENABLED = "1";
PYLOAD__EXTERNALSCRIPTS__UNLOCK = "1"; # Run hooks asynchronously
# DdownloadCom plugin: don't fall back to free if premium fails
PYLOAD__DDOWNLOADCOM__FALLBACK = "0";
};
serviceConfig = {
# Bind-mount DNS configuration files into the sandboxed service
BindReadOnlyPaths = [
"/etc/resolv.conf"
"/etc/nsswitch.conf"
"/etc/hosts"
"/etc/ssl"
"/etc/static/ssl"
"/run/secrets" # SOPS secrets access for FileBot license
];
# Bind mount multimedia directory as writable for FileBot hook scripts
BindPaths = [ "/var/lib/multimedia" ];
# Override SystemCallFilter to allow @resources syscalls
# FileBot (Java) needs resource management syscalls like setpriority
# during cleanup operations. Still block privileged syscalls for security.
SystemCallFilter = lib.mkForce [
"@system-service"
"@resources" # Explicitly allow resource management syscalls
"~@privileged" # Still block privileged operations
"fchown" # Re-allow fchown for FileBot file operations
"fchown32" # 32-bit compatibility
];
};
};
# Open firewall for PyLoad web interface
networking.firewall.allowedTCPPorts = [ 8000 ];
}

285
hosts/nas/modules/ugreen-leds.nix Normal file
View File

@@ -0,0 +1,285 @@
# UGREEN DXP4800 LED control
# Based on https://github.com/miskcoo/ugreen_leds_controller
{ config, lib, pkgs, ... }:
let
# Disk mapping: ata port -> LED name
# DXP4800 has bays 1-4, all populated
diskMapping = {
"1" = "disk1";
"2" = "disk2";
"3" = "disk3";
"4" = "disk4";
};
# LED colors (R G B)
colors = {
healthy = "0 255 0"; # Green
activity = "0 255 0"; # Green blink
standby = "0 0 255"; # Dim blue when sleeping
fail = "255 0 0"; # Red
network = "0 255 0"; # Green
power = "255 255 255"; # White
};
brightness = 255;
standbyBrightness = 30; # Dim when in standby
refreshInterval = "0.1"; # Seconds between activity checks
powerCheckInterval = 30; # Seconds between power state checks
# Script to initialize LEDs on boot
initLedsScript = pkgs.writeShellScript "ugreen-leds-init" ''
set -euo pipefail
PATH="${lib.makeBinPath [ pkgs.ugreen-leds-cli ]}:$PATH"
# Wait for i2c device to be available
for i in $(seq 1 30); do
if [ -e /dev/i2c-0 ]; then
break
fi
sleep 1
done
# Initialize power LED - solid white
ugreen_leds_cli power -on -color ${colors.power} -brightness ${toString brightness} || true
# Initialize network LED - will be controlled by netdevmon
ugreen_leds_cli netdev -off || true
# Initialize disk LEDs based on mapping
${lib.concatStringsSep "\n" (lib.mapAttrsToList (ata: led: ''
ugreen_leds_cli ${led} -off || true
'') diskMapping)}
echo "UGREEN LEDs initialized"
'';
# Disk activity monitoring script
diskMonitorScript = pkgs.writeShellScript "ugreen-diskiomon" ''
set -euo pipefail
PATH="${lib.makeBinPath [ pkgs.ugreen-leds-cli pkgs.coreutils pkgs.gnugrep pkgs.gawk pkgs.smartmontools pkgs.hdparm ]}:$PATH"
# Build device -> LED mapping by checking ata ports
declare -A devices
declare -A diskio_data
declare -A disk_healthy
declare -A disk_standby
# Discover disks based on ata port mapping
for path in /dev/disk/by-path/pci-*-ata-*; do
[ -e "$path" ] || continue
# Skip partitions
[[ "$path" == *-part* ]] && continue
# Extract ata port number (e.g., ata-2 -> 2)
ata_port=$(echo "$path" | grep -oP 'ata-\K[0-9]+' | head -1)
case "$ata_port" in
${lib.concatStringsSep "\n " (lib.mapAttrsToList (ata: led: ''
${ata})
device=$(readlink -f "$path")
short_name=$(basename "$device")
devices["${led}"]="$short_name"
echo "Mapped $short_name (ata-${ata}) -> ${led}"
;;'') diskMapping)}
esac
done
if [ ''${#devices[@]} -eq 0 ]; then
echo "No disks found matching ATA ports, exiting"
exit 1
fi
# Set initial LED state for discovered disks
for led in "''${!devices[@]}"; do
device="''${devices[$led]}"
# Check SMART health (this will wake the disk at boot, which is acceptable)
if smartctl -H "/dev/$device" 2>/dev/null | grep -q "PASSED"; then
disk_healthy["$led"]=1
ugreen_leds_cli "$led" -on -color ${colors.healthy} -brightness ${toString brightness} || true
else
disk_healthy["$led"]=0
ugreen_leds_cli "$led" -on -color ${colors.fail} -brightness ${toString brightness} || true
fi
# Initialize tracking
diskio_data["$led"]=""
disk_standby["$led"]=0
done
echo "Starting disk activity monitoring for ''${#devices[@]} disk(s)"
# Function to update LED based on current state
update_led() {
local led="$1"
local device="''${devices[$led]}"
# Check power state without waking disk
local power_state
power_state=$(hdparm -C "/dev/$device" 2>/dev/null | grep -oP '(standby|active/idle|active|idle)' | head -1 || echo "unknown")
if [[ "$power_state" == "standby" ]]; then
if [[ "''${disk_standby[$led]}" != "1" ]]; then
# Disk just went to standby - dim the LED
disk_standby["$led"]=1
ugreen_leds_cli "$led" -on -color ${colors.standby} -brightness ${toString standbyBrightness} || true
echo "Disk $device entered standby, dimming LED"
fi
else
if [[ "''${disk_standby[$led]}" == "1" ]]; then
# Disk woke up - restore health-based color
disk_standby["$led"]=0
if [[ "''${disk_healthy[$led]}" == "1" ]]; then
ugreen_leds_cli "$led" -on -color ${colors.healthy} -brightness ${toString brightness} || true
else
ugreen_leds_cli "$led" -on -color ${colors.fail} -brightness ${toString brightness} || true
fi
echo "Disk $device woke up, restoring LED"
fi
fi
}
# Background power state checker
check_power_states() {
while true; do
sleep ${toString powerCheckInterval}
for led in "''${!devices[@]}"; do
update_led "$led"
done
done
}
# Start power state checker in background
check_power_states &
POWER_CHECK_PID=$!
trap "kill $POWER_CHECK_PID 2>/dev/null || true" EXIT
# Main activity monitoring loop
while true; do
for led in "''${!devices[@]}"; do
device="''${devices[$led]}"
stat_file="/sys/block/$device/stat"
if [ -f "$stat_file" ]; then
new_stat=$(cat "$stat_file" 2>/dev/null || echo "")
if [ -n "$new_stat" ] && [ "''${diskio_data[$led]}" != "$new_stat" ]; then
# Activity detected - disk must be awake now
if [[ "''${disk_standby[$led]}" == "1" ]]; then
disk_standby["$led"]=0
if [[ "''${disk_healthy[$led]}" == "1" ]]; then
ugreen_leds_cli "$led" -on -color ${colors.healthy} -brightness ${toString brightness} || true
else
ugreen_leds_cli "$led" -on -color ${colors.fail} -brightness ${toString brightness} || true
fi
fi
# Trigger LED blink for activity
if [ -e "/sys/class/leds/$led/shot" ]; then
echo 1 > "/sys/class/leds/$led/shot" 2>/dev/null || true
else
ugreen_leds_cli "$led" -blink 100 100 2>/dev/null || true
sleep 0.05
ugreen_leds_cli "$led" -on 2>/dev/null || true
fi
fi
diskio_data["$led"]="$new_stat"
fi
done
sleep ${refreshInterval}
done
'';
# Network activity monitoring script
netMonitorScript = pkgs.writeShellScript "ugreen-netdevmon" ''
set -euo pipefail
PATH="${lib.makeBinPath [ pkgs.ugreen-leds-cli pkgs.coreutils pkgs.iproute2 ]}:$PATH"
INTERFACE="$1"
CHECK_INTERVAL=60
echo "Starting network monitoring on $INTERFACE"
# Configure LED to trigger on network activity
led_path="/sys/class/leds/netdev"
while true; do
# Check if interface is up
if ip link show "$INTERFACE" 2>/dev/null | grep -q "state UP"; then
# Link is up - set green
ugreen_leds_cli netdev -on -color ${colors.network} -brightness ${toString brightness} || true
# Try to enable hardware trigger for activity indication
if [ -e "$led_path/device_name" ]; then
echo "$INTERFACE" > "$led_path/device_name" 2>/dev/null || true
fi
if [ -e "$led_path/rx" ]; then
echo 1 > "$led_path/rx" 2>/dev/null || true
fi
if [ -e "$led_path/tx" ]; then
echo 1 > "$led_path/tx" 2>/dev/null || true
fi
else
# Link is down - turn off
ugreen_leds_cli netdev -off || true
fi
sleep $CHECK_INTERVAL
done
'';
in
{
# Load i2c-dev kernel module for LED controller communication
boot.kernelModules = [ "i2c-dev" ];
# Install CLI tool
environment.systemPackages = [ pkgs.ugreen-leds-cli ];
# LED initialization service - runs once at boot
systemd.services.ugreen-leds-init = {
description = "Initialize UGREEN NAS LEDs";
wantedBy = [ "multi-user.target" ];
after = [ "local-fs.target" "systemd-modules-load.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${initLedsScript}";
};
};
# Disk activity monitoring service
systemd.services.ugreen-diskiomon = {
description = "UGREEN disk activity LED monitor";
wantedBy = [ "multi-user.target" ];
after = [ "ugreen-leds-init.service" "local-fs.target" ];
requires = [ "ugreen-leds-init.service" ];
serviceConfig = {
Type = "simple";
ExecStart = "${diskMonitorScript}";
Restart = "always";
RestartSec = "5s";
};
};
# Network activity monitoring service (template for interface)
systemd.services."ugreen-netdevmon@" = {
description = "UGREEN network LED monitor for %i";
after = [ "ugreen-leds-init.service" "network-online.target" ];
requires = [ "ugreen-leds-init.service" ];
serviceConfig = {
Type = "simple";
ExecStart = "${netMonitorScript} %i";
Restart = "always";
RestartSec = "10s";
};
};
# Enable network monitoring for primary interface
systemd.services."ugreen-netdevmon@enp2s0" = {
wantedBy = [ "multi-user.target" ];
};
}

48
hosts/nas/secrets.yaml Normal file
View File

@@ -0,0 +1,48 @@
pyload-extraction-passwords: ENC[AES256_GCM,data:zOvPYcnvcg2OwJaCZovYQz87ZN9DdpKX1Re1/v24daw0WGBG3sGeJn1q+LDfjPIMy487CdY=,iv:loWfUcIw30kVXchmXwAts10FNUGxSsTY2UVRKs0RTJ8=,tag:WlTYugSv2ApR496Uc1KPEg==,type:str]
cyberghost-auth: ENC[AES256_GCM,data:v8PlO2qi06p2FZR1iFbHAVPr0k+X/A==,iv:oEzIIZ7KiVJ5EpMT2YMgvMZSJZwtIsnTWwkMXxl/R4w=,tag:+NOMggSKloW0SOYxopHrYA==,type:str]
cyberghost-ca: ENC[AES256_GCM,data:BAYpZ2xQgD05MNn4ZNmIGPByF0ERMLaIIC+iY6MDFC1rbfy50zqDKvzx8fdSYJp0hmUd7M+QnJUDDtq9dJkNcY90A1jiXhWK43gxBSeklcEhj5+l8tzmXuYGe7XtALu7D+Kee2NIUBEY7NHZOYP0Tj9BVFVzmyAKhgu6vs7UEwNt518LeIlH33eDO/809/vXVW2VhX3HoMytit9kkhczDRh/oCnMzmC7SKsKwouCQAcOSLLaNyAHy3jOFi78CPqBPuuv3i6wsAgKByvdQ3QpMGO7xx9MbEZsRZJiDJRRhP5BOy4DX/H6PwsR89E4QqqL0fU9P82p+3FlmVyHED8MJO905T0SC4PPVKAUlbtCbOvoAZOSXTouKhLNLY7WMiwXEEVhrBlu/Ml40yCwUJ7QCiU7DQBEBvOvo8l8pBU1nx1JzbzGopDsOVE9csF6H5g6Dxf24YqAsDeB6cmeDXNuDXJcr+6AeDtMyw8d+SiTLKmPa58eTqM6JEYY2yn/1DNkRyyyc5bFykdRUacWOUuqXKnzT/oSxfrEZHMN2YMRJU4Vo/K5WQ0ymiSv5miFSnZnm60Ha7G+S54swjFaUUmcMh15Rva3LUw4N0uM9QuXiLko1VqJlPtzv+eveCBCM7UiET9d45PAOjbk4FCjmzONSCNdjQhI0B6OwuZ6G0aP9rrGV+vOCijfBBqy6Y/wLKV166OZ4GYXkdBuQJ8VnSjoxA0vbtLOXA/L8PdvVMbRbZ7kYTFbtLQJsO+gCpEJOKB3VxnEVXcnLqyCpwEOtYVf8e9haTOVr09WvYJ1xLx0kjDKlp5g3X3s1CLAJiBnm97bLH8T/j6FCqijSLZwVjZtF6HEM+gn9G6nT78QastOOIfGE9YTWTPEl4t4dQRwK/Sv0OoaLokYN18gXEtAHxGLhHjzjeCeTZz8o1dE2ILA0t/xk56nzPWb8KzJFvjyWfUpyZuWNvEftxWhtV9c4i+Na3uyt8JAAySljpEcefWDYn10lr9RrixDgpU094Z34PMZCoLvViIn8Winxe1WIjQlchUlgTyBKse0A/q0Xr52jyOuMms2GUS2ssDnBIocER3RT6EetJzLvTjFh5EeQbRr6EgdXsvWzrN46n10WfqyN85DzBZneKLPT/XWlYSZPE4aJj2KGPT9Gic8Yoouf5y22exXnQkfRZsCM32THg5ug075Qzkf77aQLPx7gFzGEWrJo/hjRb178yJW/Hhc8IYPPK9HdA6iRZm0LKfrEWi3gUFzkQO76fj9/wbYe57bHuYJW8B1516fyjvWPaz0fqdA//xLIfEgV6QS/iE122TYAqPk4OCraR7RbQ4stVutrI6o+ZJDSkCc4FI8McECtReVe7TN+pEzeVGlOa5s49L0QxEhP4ne5Y0gfJy5vBsD5HKSrLpZxww0P73UTUZdDCjKAnAhCFfYBmk8+VOFybazZS6Rv4zF2fvNPQ11Hacx1V2NGHA1uxrRpr+nUdeCIMPR6dtX67WTv4juIbr0oQBuJMsutzX265JQ+Rt2aC12FFpfN9TCBprFgkgRdgBUJWRcFfRwjD6jjzyQZGQ+nGuibogi7TIn3QPpVMNuwbe8a2Ks9BC5XjVhmym0mhS01DUmITLD1DPyVh3wGodB+4OQ5miJOwJeA11HBq1B44sTjC7vTSom4Dk/AOH91WnJrW1bG7Yw+j/DH/bc5efXlho3cHOQoQSWC7EQdLMzV5TXqY06idTwOQ+wo9l61qPCh9gqJLPlnNUrUqyEfc0zkwWvIt7gu26qykjET2Mt4cyXoFyHORqNywff37e3WSroo+meAVtO+xDPIJ5fI0AOsfwXRKiT+B/nmtE3VGL7duZt7yIbav7WnKn3zU+dEGdeQSt6cYNVGUtaVvsTO7RKermIIkA/8g/q+OVihf7MvCG5WTYBspu51swP9tN0NRcmmoRyI0bs6DEv8qHplpiC5eUUmyZU3wbhrXXLcyCDpNfwjq4vrotM1BG8maR2BLtVuTzpfKO0NMHA99pT0tateSLNC8YARCIjY/9njmHlVti/XHnjWm977syI3SGf06FUcTK52Vrxaoyp3x96VzGhdPLye8dDQ4MD9B8+B5qdzHF+m6rOeDZpbJmDMea6L4W+LiJLNSq6QolmM+aya3sQvQyCcSve2d+i7QLtIPKPmJkPPnwrbjCn6PHzE8KCAa7jmmd4pfUOAayp2NEWn5AS5qSGMZ4etUMde7BdHWWR3i632XCzrllMzOdOsLu9WF8SlcC4Nt6WQxDLXqhkl8pIeBe6rmy+AXc5wgkj/q60qYK96M12EHaB3dDfwYx/Ijx3Q1qqmMRFR8LGrmsryUsQm2sxQZUeE6I3EJqHD1vbQSZdt7TjLUaITOiRka/BNxQ4frThhiyUvm9zWaZKcoF/mdNdinxYxDE243535Yv/cquQFgKwoZ2/mU83CWyd3D9/8gYOJqrw6acNn1zlFXc4JSWnDaSqn1mSGZyw5PMPPKL1Pv2M9acV0t3d1asB5agohfVVpHgGp6/fQ7xbF/q5/07MaN/XRgbJHwo39q25Q1uec7PP/0qT0XlS0fPYEnDr9m9odfisw7Ku1MSJgic+eaNHXtkIRy3K5tLM9AM793Usn5PJeyS3+imOkit59gSAUlZzv2+IyJeZJIpgptPxVvvLzMpZ3+2PLvFNkmwlsJi+Nn7Fk7+BdzggNkIQMyBApWrZARbMhHxrtVLj3k1XoRciiEwNz11xFDwlyeXnxkikkt8pMQQIW/OMZJoenjbHlMdm4FM+gQ27cHbOu2OVFqeGAlgxIQJK66MglG52M4tHhSgvbdEReHY79AWXjGyy3nXpJx2CSB+Rvlvhsfgb21MjyGxChygxh1wTuKtHVz3F/ya60NLWRAHKQskZB5S6VgsZlgslan4v0mJzBemlh8AUp6g/P8skhLzeNh4JV4vshwIq9+mzTjUli1gzhKA8JP4WbNq+45DMwmURiB1sMalmT91uq9REage2Jx+pQ1PjC5DweFe8y6Bd4G4=,iv:mWBG6fP3do+VzwyBlCVXsWiywRNiyMiWNaxlYFTkms0=,tag:94YPWZtVy1viq0KbclF6LA==,type:str]
cyberghost-cert: ENC[AES256_GCM,data:U2QtxwqqPpuTvawmbUmaFjM4muDJptsdAp1GJrxiFsEtQJJYWJWf2zSNL857asH8/yzTkkaHNAHn8fHpN5GgDqXsHn7A9L1gWQ40OVDYoY8C3KevgyPlqQQgmgpk+F/ogWC6ZSBZIk2ayTe8E1qtOI/KpVjzPoteiXB6akD6OBBsysXAEr56MvdU1c9OnqxauHsFZr1BskYM9fqFXm6b7KzMpzA2BPfxtpuGrnTDzMwciRuQXqJM95h2tDs4KoHMGwhgQjyIrti2eZrXb5GK1N54Hi+fmTCRvEDYrYiOE058uROdYV0oCmXJmZ9LFu+ti7zTZzoIq3jqshLh6QAEBxxi1eWqQ8Qq/zkjZDdOOQIacURBK6UGYRzZTqEQB34m/5+NCuyTq+bhFORNXuEDPf+JYWlvnqDGQ6FAnM+Wg4LmSFALnDL7UHPIHWas+VU/EZ2QwVQQ46AZ8tnyWwsp/0VSZepZuPXOyle/tp7jHOT1aTVFAD5AdUIgB5g5CjTo0Aw4tBVAGfnQEcjClZU/ccpTHeS3agDNte+fvpodIC548hm1tHDHJL98ZsxcE6C4zzc5Kq7nIl4Pqc6bDurHtmk+/O9stDqZGTpb4NERTsFBLaQYgWd1bbQEXXx4YFnoSKQZZVNxVqG0mVHwYuYSLZiGIwj/msKsIqZW7RRZfnfNfc9Er5/KC4SJbQLKcwbJY00gGKHCr+WQZ4wtxFoEefyefabyJkFjQonvVcAN1yjJGq9fN9ZaVrQ92vxFQy3rNHuTyvWvTDhZLedu0ukK3jC/Fc1yuzEcvv308gvoJROS5O8Jk/nfVtfPDZeSkIY52sYKpTQP4gAyn4+56RO2HROBnFvmvIFq/4jb4AZR/GUWV6v2u1zvHw/gX84uI7WyqG6TvC5tPuQKQ5se+xg+bbt3xL+8h+ieBB/a26asFk8M5CnweHB1rg4NkcqrSa4vU9wf7Kd20HH8Odrb4Q9xc876s4HhSqPAE22ZAvTDhGUO4R+pAU86YZzKt2TuPXlR1S7l3v1gzyMgMq95G/VzxOVkV2zY63KjGc72U/u6ia4oIida8QMASckchB7+V+Uas8YUJj22VVvxYq38Nm2e/wUDSLFUoPk/k05D1hGvkoejcfbwmnVoBWDC+sifjuImOLwZ0V2EV1S3Qgxf5OnAbjPKe+gfqnmrVvF+67jJUyRpNmxhq1TBnn28X3QMVu3/cW6kxpaYPXT1OgPdTZ0OeKonnXGAh314XSWH9kTrTgIB2f6xBOD95Xquu1UDMTaMZopljjplX6y63xoRIugeOIXS5wxL+jQz7fTH6l6DCHN9yPp+YM+lKqyLx4KerpjDwB43QOaiqFdk3wEj6u0N+UvHWDaKjhHi5K5FQP+VekuHbBgbj/kG1u6HPZNyeiJ11h4LDvV3ZCdZetUOzTcn4g2S+ai5SryOKKXh9+lVb467swTCtCrE+3+7dplE82HYbTaF7A4k0jwOXvWYLS3EW93pIZsYwsanxNRWInQk85GO+9hSkJSD3InTDUaFWs4m6Y8wbZCr6kQ9XMsjCJlGcJ89k5ump8m+IWhDjEWlKv8+8Fves/ktF2TS2Nij+eL/GUaUSLm8EkRj7vKTsKOfFk8uyn9z6dxjDQ04jhJDPLZ/h4UtiQhQntGAjCuTX9psRiNTHr+b3uge3UszH43+F0SUuqMS6+ytGNeQvC5jSE6CAi1I4DP9bQXUIKm0UC6gPuStgUnWnszy/wf785Ryt6X6Wbj+v65iPfb365AifDozhD99NKabiIvzRfqAP7sVLUh1e9dMa2NjagnC092oNrgkoIJuLlpjaxu9KszRRP38b4KwMbz8A99Y/Rom/BUIU6n0jzzvbAEAw6/mdng7E1GTUXMUQF1lrm4ZBuhanX72akG6fx4mFzaTZuN2a+psuwJYtbl9ewBkWYu8pif3K9mBe/eJ2eoxA6jR1wmjfmDXYTINd/HDjZK2n90j0ZgdxySa1bgqoBWf2VftxWhm+jkVQDXJixZTj4FKfGBmvl2lvkQBMyo1l/tifqAkpzQa6BJFfPBy167B1OuhhEFpQlXgW+e7Hs70htjp3izTRg8/0msDfMTcB/f3kBODpRxnUbZdfNu3adYjzo2DMdBLfJ+DSR08aMVueSXij9sNShXqEWEkX+XKL0lQYKeErqQlwpoy13CjjxpDzmI2M0OaQ9Ow9aIs4H60CTPM2vg9KsyJR+RrgpP2kFFaDnd6+pY4rdE8/yUcTs94tQ6QEouF3/Pvvz0t66+unQT23i1zMEUENiJXUaznhtLRpfj+NJyCh/2CAHRTu95oBg89wqxDfG3B23SuiWwzXqAFnj/GMgXo0O27H2GplYW8rgXnzYwMeEDlbK4V+BtzOUN2sEOZOq1Gu4GY5Dw60V5vL2P0RUsUOyDEeSnAFoEioLU2quswjZMl1/3NCXF5dYV1jUTn3WDEZhE1VF7LRNT/dCG+8+QUf9KiFrkTG+DfY6X3qOSIWXtGWtDMk1Cmj321+NyWdtV78eEg0E3BYDz8B0DndRm/oxBA6UOU+wAcdVRS+zKKOQykdS89NhofqFyAAA8nQY2TwdwrETQOYIjjJAEnIB9C77IkwDvMwK0RO0X5r4RlNlFPaFgFF5yu8NdYTUKmr/kcR0aM5x9rPllRFaYWGCN2EHYTrqin3dflgBooFkNbTEo8J3Mo8agTFfonR3o4YBaCxbxTS0AMo7QoKj6Jm8t4fFl48YKFgtAJX/x2QRm5sTQ6KKsz/rz6beLia7iP8ookdoNkkTkDAmNZJTZMOTeLmGGh4AvGbZz0H8GjGBnhRajl37eed81m5lEVRJUowv9lK2cp/e5rWKheUOpFSULIvj5xnmhTcS+77jLXoUcdMZLwJlceeDaF+HanqaKKgvrKFa6g6xpe4WyuK1+0gE7x9HAmdn+aoUqCDChzCBXgBo9jkuBYviYJTGfLgDx7ZCptdl5xEX4wLbGChjaVCeXsOEqRdewnV3TnQRBAnd/IMlSSgrtWljSQCp667wuSvl40SHQ5zgb0hjcsep5av5u+Cx+L4J8VeKQjSmk383c/2drqC9V+SZaR3rK4p8Hb0qFnDreS4KOT3VQqtshJOrwUfa1EYPqeLXqZ6Ar9YcUpZTFAgcWf3oDLXQ==,iv:kavsBNAUcK7vHOJnj9nyX4D9dHzgP3aBwCLQb9umBJo=,tag:aeTpc2vpO72R45cjBR+cFw==,type:str]
cyberghost-key: ENC[AES256_GCM,data:135n9JkLyNluYlINp4j8/R1gMn8dGX9YPpdpvq8y/KYT7x1Yr/MzD9ogfXFDWTcrfkcRIu+sSeSLFLSifgRQ0oje33VNLUGIBXAN68sLvA1UybBrZzKdOywVHiCl0DDjQ20Mjk0fA9rTAV6+zm3KfutNtjjpBojNmrujosZC8YBbb3O189aiy7Ppq4DF8Q3gF5iaOiDDtgdjH9ASW7yAz5ufcTy9vX9qtbEItShE6spvjbQJ47wUyhDQ2M9eSK85EGSX7VjoMSGgxtKs+XVORXHSoSErtlhXSt8wNJoY7Nl6uB5iz7BdlfVKqsx4ab4aVnenZ1v1boTsUNQ3+ABXNFlgG2FEpGiu3Vnx0yqfc224ogxIOa3hf+IaMdysI1xCkdCOv1Ix7kf6osJ2kspU/DsZNobDZvRsGJQjjHDD45WIVxnI7efnJORVOcWlU67/XmpH16KhN1RKCG6vgXSPwvcjq4SDFhgUNktqD7DaZlRdkEvat/7nMjRT/ReysyBLzsu0HXesewjYw1WskOtdza+nctv47GtBwWwk+PrbmylDe31Iv8k1w0FcyxkhpOTANneeLW1u1EGOo7+sTK2Oei83xmIFHK1ODsP6WflRaELoLE09PrXERk/ohfDzTb515oKAJKd4Wso6vXFYK87CZCnIou+/bAUlk6tl0fXPNTPDUH82KuoEnUEgkyjvthBOq+st7vUbJG4eVoELG95vh9iCjJg5U4ldCd37s3YSH3osJRtNziW5/ZityMRCuePZs35fWGGviRZnhqOM4obz1hz3a5no9UXBWfgOO08nYbpQsVEAPg2qKo7ljRnBhtiQJcxP6/+Kcr0ZXEfVjfmENxhRWUO9IscUJ+ZCk09J4JnvAcgALy6qmIAjgBAvVAIEeJ89KM/972XuFPj7ebTfBmCInYq41hahs8AaPanQAywQTx5Av4ir0G5KpaDt5k8eda5BKANuTPAjZRDxGq+dCXczLjVIk0TTfwHnHlFt7twyxKnQlUCOI+v3dnVVbzjNWdVhp5Gdw7Jij/woEep/zLLHLONmD9qznEczr6sIl/wECJXNcLAMrsNqo70rZ529e0S0+ym3x2TI30jwMhhk/7br+1voku8CBdAEZign+3+GxPGCxQHQOWnHkPslQgm0Uyxu736e8/OKJWNDlC3U/UygPtv6fEnrbb/1BjV9NG1+SErR84Aau44YbCMnBofI7LhJsDXle/XD6FCHlURWPtJi2Tl5tm00sVQhap0LnYb6JunDECbJDwOprOfjqc+fmd2Ja9nj7s5c7ywrHeV4SXbml+FQMCXwh5PAQ/QGM21OShUh9wDkrt37K23d2zginG7ua2c5tPhu2ZOQS7XBBzGDPLUQUb0acPQhd6mFl5DLCt3P6p/o7uiQB48b4OfQRlgSlxoaTCrD3M58zNQYoJ+aa+dY9OxQBL49/bIhf8i9j2uA4mtwzLHE3cBN9A0s+t4VoXeeNz/telVebNlCNpWVM8oFpMAsK8qRtRxGMpsgH1usp9yzL3tzpSkFChXMjL/uKDK8N6VJauBPpnKNcWVPATMI77/apAYV9bttMj+LmR2tzjsetYELqES5MVcxOKENvRtSdX7Xdm71uQH1pIoG0bPVMF/BpysTGoOSBNjG0Sm47B5XzUSsEFavgHFo26a4vi2tRV5RcjEQOC4NxC3uMNc7IkFg0s94EIy5uDEn9r6AXpONG+/kGV0LCPgh4W5a3PTHeHd9Zczq6ZwoAANSVsCH9VHlUUH4Gaz1/HVotsJJWarM/8zVbVTUpSesW3L2DRh8948LP51scIgi05jBLOJq4pmXK3bQNjjFtVU2sVYMUicSGi19hpCsimqm467RKh0ynfATknyruudD9/98Ug8EnXy9scPWNaVeNHPkKidD0vFmoh2I9JpfTrH4Q4z/UCAPyBLG8IWLZnWHysu3w1TW+ro/pkYqCC9HkVXxDbPsfHhKwZsonV6cuZ7JEfjzKWwOZqs5CbtEamOegVtFOUgW4FMwyUYgIQdkKdtidnIINQk0JhfGtnK1MR/oxAB6jsuA4i3XL+cdnCqdncH9HqfEkSA3NhczmEQbY0Nm814gaItORFlXXUgp2TzccOETJETBegCVIwNp1mQ70FKgLu2xAxNrOQwloizJh5aiLLJJ2E8/OFjDUpLLxGDwJfrhzV/kY8b+e6U2BFY4qM8DIXjy4Ris7NBkwgwrgN9Xp3FtP2IGxP4jWvRP6JdW0vP9OnN+nxoE928eQj0Pmh2ZTPwC2ZOJPcKVr8YWXn0BW7SeAcS/vCl3J8KjDLXofFchg94K41J3l17STVlvPTXzLVcED9zzcNIZalDj5KYI7vDC3L9C3gdqtOzT4vO1BEf5GaCSz3xDVYAmS4LoRmXprsNZ4VqEYSQQsuLwFBRwyP1JyNVKa4XGSJDqhhEUYkNB1hQ5llDdLANXz1vsD1DYP57snJxJjgFRIw8paTZdSqA1kOeY8iMtetA62+jKvazyoFmYm6r+TCcVY67qujHODr5eNf9yjqvcV0FX6CcxIcnKsU08k2CWl3E3AqqK8C9Pkw3amVXsHXCgo00ubrZXcNpVxYruuDbrHSr6irLBcXMik9QZuiYj8afaD2sxGjRFsWwMGS0X2f/DJLR8qXLaqh0wrZvf4P75UtBp2mBZJoZGu3Y5AThJyLW2lsdGU5Ij0YLsbEQN17W0oGMgR17+5blOiiWLG7WvRW858odxCPmUcamsQxWdIAIVxfbqpyaxnIX5/Cqnm2ZvU54ULq2SgIPh30yJ/xm1TfDGmHrcawx+wMULcx4GL63OQ5SIp6/UEY4WNtCAHyHB1Ft9qgmuH+S83PkqFR+7cZ7eAxBNhdMwYPPfB4N8F7zB21/f6oMbb8H13fpxtpCRfItf9NLqvEULy1stacaI93ClrpAzS2T7er8Vgr1WS8O3kWRdQH1Bhxxil/xfTTXqXuXYm3BdGr2qOK6AkX+16aaQcTmaGt+LSAFHsezKUKrfBK6xAElR6+7qIeyfJQeZyi08G6kuTj54HpEHJXgOV7Rm2i2Z2cXaBPPLwFrASeCKqGTYXOzP2uI0LC+rl0zyzD7rbwtoqssc9HldMaUDHNrs8ijZ8QrTgwYj4b/QOQU3s549pP16PeGy1GR7catxWJiAACv7VyEq99mMzVMvf2r6QJCIO01DwCRdZswqhRZO1h6Q8S2W3HGdy0rzAWnPoCAQzPKHtKqX9TvgF3NcSL3hfUfDX/vLeLQE35G+xI6IrMT00KYUt5tyK6NKIJ/F29zgF9hZRxWirIf4tsIVxDWRLFAsrB5Kk1Rf4cWCygQ7vJHZBTP7tcWZim1AqXXIJsgdyJcBZ+5FKclIokG45e9La3kbviuevsIuDXsGXvUSuUN5QO9liSe2ZAHcQdEgg9XqMiiJ9xnIi9I+RyE5r7sFSSBGGdsv+OhXDuG7XbOGALfsaGxs3CGAC3JTgDBXxW1xCcSkcFT0pGa1a/FDSH/BVklOt70g4hbp4m36oPa2JCq1dcLqcFqLP1A5aXow7nlRCag64ssG7qAtnTA7/Q7WUj3XXmYFMtNWdIfO0PkcDWcx0BOrmaCbSgp0O6wX8PT9II4tZ/E0KokVqvFEwRCG+IfQzzPW8Il8+52RNFePjPFXnFss+mu/nzDhb+tRi6nviArXMmmSK9fj81JqbnIAS+3qZvow18fbU1uNc2smmmT2tAHyLqefokafqehwIaTXuAI+aeJs/gwG5JlIqcAcrU5lFhYfy2pyUld1nRd3N5ejDInNgdqbpdMTIehgU2MDQBsa87ian8ZDUsoiBu5zKzHn3opoG+tHQYyzifZEF0nSTXfchAJwiTMusy4JeEgIsquQOB6MJJgaPueHiwwuOCfOAuSL8tC+EJI7GyhfXesSO+sfpVfBPnZDeWty14rQarT/3gxB75IaXnkubJuOOXZ2oeq81iqNXl9G8nLenhXFg9GQjl695YsF6DgqMsYwsB9I0Z5wM2RLP28d245tJ8Fw4pMxPf4jfUgFcpuqGKXJZyS5/X1eUiVhz3JU5aUahZvolmPPASGMZL2HJdyyb7/4KdBZVESSE2dM9rXcJITgB7UbNccF8EamFUr053hBCYiwN/W80H+4pKhIRUjwTPgXs0S0spakIngHGcCnvr5tpV7gru51ghyJnnD68JzUxvjZoihJUIzqkyYqRC/YVpV6Q9WMIbWefIcDIadqU+deOX05p5pVNkJEHeRQMIywrkW8mjdpHP0yDQdN2rPNQrmCQZwPKFt0ye1HaRVte9BGfCjsIdKWS+KoF++dXYVzGDjJr0/hjQWQYSZmPloX9Q5M+fUPKFzW0LWcKVfeUdsXXOcCqfRRX24=,iv:DmcNUOhsi9doTYta+s65BFpuIgiK7QAjAorfVq/VGLA=,tag:c/mZS7ZnasX5XX4HIx80AA==,type:str]
filebot-license: ENC[AES256_GCM,data:Ib+NXsb0dJfBqm5GYvXxGMOQk3zL28oeS3VXsk4pFIGV5XsakqZRZb307X1oJnafMVXva/eQppraI8CqjwBDzy3AZSnwpFgj96/zvPWZi12IWemnqhFUDFZGaMG4Scg6Ugcq8hwJqU39Mf5JehSbJ/PoULg/Ovekj8R0nG7WlmQsqxpZWXWeAdfYZHw1/4MQTX/IGZG82SdsdFc4J9jTedks0yvW5MLkS3azZSFDqY2WXAMVa5J9jXEcie58k6p0QqAUpWGltoXz1tdN/mTnVV7PA35wReS/Ejm11KS5AsjkTIZRLeJ14BL0vALUh3z6JSdr8kPG1S31MMYxarzGBqjI78LfFmFynGonAlqj/jPoxA7AXOew5xRfoEqnxf8lSUf2F2n7PF+B1SgY/hwFvwUeoaA4ep8uFugT7pCvg3N+FmfsV4TAP6tfU75WjwZ07UKQ0t63C/aDI1lZZjfKDzXDFqliD6omhFPUVxhGIo9gBkvOZj6ujdn7ErWohxAc7JSVsDJ8nBKqVGXMMgecWHyqU5LB9+3CKkE32vMy6fbGVlHhgRI4EofVCiuCn2Opg8txCz7Rh8eU297xotIjfCzhPjaY0CmD0dm/8SVLT9Tt3qQMDzlzolcWg+9o3e4bbjSOzliR+4c4fCGBPxZvBPd4kZ87eo22m6WqtS18tMTD1tq+8nVjpHFyrsyyMZtfv9/QXug0SFhJpUz6izCcl+iiNiQIb+DBi4Oifhr88Ji+Y4iQrj7mPUGzNr/T1x/uSBabv83HPsZUa5+OBrlbvp/Ya2ktIagiyv+JrHmcFMkVGYvFK4idLsREcvteduP7XeWaOXuJZJ5GOPZPDM+8DSxv3eOULH1B25J1/838vaVKZM3ukQkiybYTJWVV2co=,iv:G6bhfqx0go6vbJ2zwXkSbHLt5WdDRwu2o4BsCXw5Rlw=,tag:msCGdlefM3M8lbQWJPcOgA==,type:str]
sops:
age:
- recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvemExcjFLT2tjTlhtMlFl
UFlCQWhtUDc5YmFHU21SdDBoMXNCV2dlbXl3CnJzVmpMcXUwbWx1a1VLUVRhSnFu
MmtmYjVESVJpdFh1UmtwSWl5WE5WZFkKLS0tIE5wZzQ0MENna2EwMzVDUU9QcDlk
bitkdVVwM0l4ajJVYldWM2JqV05tUzgKsJem/g4ckwrmiTJgwtHc98zALWlwmVgH
+O0nH3kcU54SjDQYVRKUWdaCNbsXHEN9wqICS9q0Ill7pD2K0ElZLg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEb1dtSlJMKzFreWtmclBE
YUgvYXBQb1FtaFhZRjlqTWk1aUZkcjhCbjBFCi9rSUMzdWFkL3I3c3E0bUxERkVN
TDFaUCtHWE5xNEN4NzNXTlBWWnpYR2sKLS0tIDQ5dTM3S0JQdGJvaE0rTkZYWXNN
aTJQNUZuMW5kZVNJQ0lObkZRdzVyZ3MKwfD8PgUM1kHCa1aaDAp0Iv3zaSGsOWS8
f3W8gUMV2Qv1FC4hBccbYH2bHuq5ENVhkleIyE51GT+Ckwt5oR14vw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0dE5zaEpBSEYvVE5QTjVF
dldFY2t3YThTalowbkMrckhUWjhGdXFVNG1BCldqV2lOS280Z0xjQXo4THlPenQ2
WVRiWDAxSFgzQUkvSjVZUEpBNzZkR0kKLS0tIC9rOHAvSUZadCs5OXhheFpERzlx
QmRCYldBUW9zeTF3cmtUOXVuV2pOMEEKDJC7lyekw9TQmuwfPRb9UsUgqdbAVaxy
tZYmhSYhUFBOUyJ7xwiIfMgOu5A4D2p/q+T2MPCmeOSLUDyycE8Zuw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1x3elhtccp4u8ha5ry32juj9fkpg0qg7qqx4gduuehgwwnnhcxp8s892hek
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdkUramxKVFVZQVJVMU9E
a1pYck8yOEhpZWZGcktxYkR0U290dll6VmdnCnZWZU9uWXFWZ2ZrVnp0cDBteGdr
azVGVHg5Y0VuZi82UUtkWUtLeDA3UWcKLS0tIDNJZGJQNmpHdFpQUVdiMHh3djhP
WURRbGNNWWJvKzZabGxyd3NXN3lKZ2cKryVInc722ZsjoiYel0YYAQZUsgXDx0by
Ds65yQDcI0ttbmMyFN8oYqD7pnOaD1aZYg6cxqzUVPen9iqCkclMwg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-08T12:02:01Z"
mac: ENC[AES256_GCM,data:K1kelYSO6R1kU3hLQVmlPI3vn9p4uEHDQnb7eVgn5PH/HFlqJrRj9HfagD/yKT0hBIehC3R8rxv73SeXacBcCaBx+A1Ty1fj/K18oQdEpFlOWxYhIvRX23NHaaqudFdVRiVg23spOoTgP48+mSzJdE4dk3jQcm94yxiUQy9kBSw=,iv:iSL9knAzk0SLXDJ1m6xy+Vkv6RqtUP2lzcluQTdKG5g=,tag:Z8I+UY/taf/uq4sQ7qIUEg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

1
hosts/nas/utils Symbolic link
View File

@@ -0,0 +1 @@
../../utils

2
hosts/nb/channel
View File

@@ -1 +1 @@
https://channels.nixos.org/nixos-25.05
https://channels.nixos.org/nixos-25.11

4
hosts/nb/configuration.nix
View File

@@ -35,6 +35,8 @@ in {
./cachix.nix
./users
./modules/epicenter.nix
# ./modules/steam.nix
./modules/fingerprint.nix
./modules/set-nix-channel.nix
@@ -305,7 +307,7 @@ in {
'';
};
services.xserver.desktopManager.gnome.extraGSettingsOverrides = ''
services.desktopManager.gnome.extraGSettingsOverrides = ''
[org.gnome.desktop.interface]
cursor-size=24
'';

2
hosts/nb/hardware-configuration.nix
View File

@@ -115,7 +115,7 @@
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
vaapiVdpau
libva-vdpau-driver
libvdpau-va-gl
libva
libva-utils

5
hosts/nb/modules/desktop/bitwarden.nix
View File

@@ -26,14 +26,13 @@ in
description = "Bitwarden Desktop";
after = [ "graphical-session.target" "network-online.target" ];
wantedBy = [ "graphical-session.target" ];
serviceConfig.ExecStart = "${pkgs.bitwarden}/bin/bitwarden";
serviceConfig.ExecStart = "${pkgs.bitwarden-desktop}/bin/bitwarden-desktop";
serviceConfig.Restart = "on-abort";
};
#### Handy tools #############################################################
environment.systemPackages = with pkgs; [
goldwarden
bitwarden
bitwarden-desktop
bitwarden-cli
fprintd
lxqt.lxqt-policykit

7
hosts/nb/modules/desktop/default.nix
View File

@@ -9,7 +9,6 @@ in {
./thunderbird.nix
./bitwarden.nix
./rustdesk.nix
./rustdesk-epicenter.nix
./flatpak-packages.nix
];
@@ -58,10 +57,10 @@ in {
netflix
networkmanagerapplet
nextcloud-client
onlyoffice-bin
onlyoffice-desktopeditors
obs-studio
pavucontrol
pinentry
pinentry-gnome3
rbw
rofi-rbw
swayimg
@@ -104,7 +103,7 @@ in {
fonts.packages = with pkgs; [
noto-fonts
noto-fonts-cjk-sans
noto-fonts-emoji
noto-fonts-color-emoji
nerd-fonts._0xproto
nerd-fonts.droid-sans-mono
open-sans

38
hosts/nb/modules/desktop/rustdesk-epicenter.nix
View File

@@ -1,38 +0,0 @@
{ config, pkgs, lib, ... }:
let
wrapperScript = pkgs.writeShellScriptBin "rustdesk-wrapper" ''
CONFIG_FILE="$HOME/.config/rustdesk/RustDesk2.toml"
CONFIG_DIR="$(dirname "$CONFIG_FILE")"
if [ ! -f "$CONFIG_FILE" ]; then
${pkgs.rustdesk-flutter}/bin/rustdesk &
RUSTDESK_PID=$!
sleep 3
kill $RUSTDESK_PID 2>/dev/null || true
sleep 1
fi
if [ -f "$CONFIG_FILE" ]; then
sed -i "s|^rendezvous_server = .*|rendezvous_server = 'tools.epicenter.works:21116'|" "$CONFIG_FILE"
sed -i "s|^custom-rendezvous-server = .*|custom-rendezvous-server = 'tools.epicenter.works'|" "$CONFIG_FILE"
sed -i "/^key\s*=.*/d" "$CONFIG_FILE"
fi
# Launch RustDesk
exec ${pkgs.rustdesk-flutter}/bin/rustdesk "$@"
'';
rustdeskEpicenterDesktopItem = pkgs.makeDesktopItem {
name = "rustdesk-epicenter";
desktopName = "RustDesk Epicenter";
exec = "${wrapperScript}/bin/rustdesk-wrapper";
icon = "rustdesk"; # Using the standard rustdesk icon
categories = [ "Network" "RemoteAccess" ];
comment = "Remote desktop software configured for Epicenter";
};
in {
environment.systemPackages = [
rustdeskEpicenterDesktopItem
];
}

26
hosts/nb/modules/development/claude-code.nix
View File

@@ -20,14 +20,24 @@ in {
fi
'';
home.activation.addChromeDevtoolsMCP = lib.hm.dag.entryAfter [ "installClaudeCli" ] ''
# Add via STDIO transport: Claude spawns `npx -y chrome-devtools-mcp ...`
# Browser must be running with remote debugging on 127.0.0.1:9222.
if ${config.home.homeDirectory}/.nix-profile/bin/claude mcp add --help >/dev/null 2>&1; then
${config.home.homeDirectory}/.nix-profile/bin/claude mcp add --scope user chrome-devtools \
-- npx -y chrome-devtools-mcp --executablePath=${pkgs.ungoogled-chromium}/bin/chromium --isolated=true --headless=true --chromeArg=--ozone-platform=wayland --chromeArg=--enable-features=UseOzonePlatform --chromeArg=--force-device-scale-factor=1 || true
fi
'';
# Disabled: chrome-devtools MCP spawns headless Chromium for every Claude session.
# For frontend projects, enable per-project with:
# claude mcp add --scope project chrome-devtools \
# -- npx -y chrome-devtools-mcp \
# --executablePath=${pkgs.ungoogled-chromium}/bin/chromium \
# --isolated=true --headless=true \
# --chromeArg=--ozone-platform=wayland \
# --chromeArg=--enable-features=UseOzonePlatform \
# --chromeArg=--force-device-scale-factor=1
#
# home.activation.addChromeDevtoolsMCP = lib.hm.dag.entryAfter [ "installClaudeCli" ] ''
# # Add via STDIO transport: Claude spawns `npx -y chrome-devtools-mcp ...`
# # Browser must be running with remote debugging on 127.0.0.1:9222.
# if ${config.home.homeDirectory}/.nix-profile/bin/claude mcp add --help >/dev/null 2>&1; then
# ${config.home.homeDirectory}/.nix-profile/bin/claude mcp add --scope user chrome-devtools \
# -- npx -y chrome-devtools-mcp --executablePath=${pkgs.ungoogled-chromium}/bin/chromium --isolated=true --headless=true --chromeArg=--ozone-platform=wayland --chromeArg=--enable-features=UseOzonePlatform --chromeArg=--force-device-scale-factor=1 || true
# fi
# '';
};
}

4
hosts/nb/modules/development/coding.nix
View File

@@ -5,7 +5,7 @@ let
};
in {
environment.systemPackages = with pkgs; [
unstable.claude-code
claude-code # Using custom overlay with version 2.0.55
unstable.code-cursor
unstable.vscode
# android-studio-full
@@ -20,7 +20,7 @@ in {
nixpkgs.config.android_sdk.accept_license = true;
programs.adb.enable = true; # sets up udev + adb group
services.udev.packages = [ pkgs.android-udev-rules ];
# android-udev-rules removed in 25.11 - superseded by built-in systemd uaccess rules
users.users.dominik.extraGroups = [ "adbusers" ];
}

8
hosts/nb/modules/development/default.nix
View File

@@ -38,6 +38,7 @@ in {
rbw
sops
unzip
uv
vim
wget
wireguard-tools
@@ -52,11 +53,6 @@ in {
# Socket activation - only start when needed to save battery
onBoot = "ignore";
onShutdown = "shutdown";
qemu = {
ovmf = {
enable = true; # Enable OVMF firmware support
};
# swtpm.enable = true; # enable if you need TPM emulation, etc.
};
# qemu.swtpm.enable = true; # enable if you need TPM emulation, etc.
};
}

3
hosts/nb/modules/development/nvim/config/init.lua
View File

@@ -1,3 +1,6 @@
-- Set leader key before any other mappings
vim.g.mapleader = " "
-- vim.opt.expandtab = true
-- vim.opt.hidden = true
-- vim.opt.incsearch = true

49
hosts/nb/modules/development/nvim/config/lspconfig.lua
View File

@@ -1,54 +1,31 @@
local status, lspc = pcall(require, 'lspconfig')
if (not status) then return end
lspc.clangd.setup{}
local buf_map = function(bufnr, mode, lhs, rhs, opts)
vim.api.nvim_buf_set_keymap(bufnr, mode, lhs, rhs, opts or {
silent = true,
})
end
local protocol = require('vim.lsp.protocol')
local on_attach = function(client, buffnr)
if client.server.capabilities.documentFormattingProvider then
vim.api.nvim_create_autocmd("BufWritePre", {
group = vim.api.nvim_create_augroup("format", { clear = true }),
buffer = buffnr,
callback = function() vim.lsp.buf.formatting_seq_sync() end
})
end
end
-- LSP Capabilities (for nvim-cmp integration)
local capabilities = vim.lsp.protocol.make_client_capabilities()
capabilities.textDocument.completion.completionItem.snippetSupport = true
capabilities = require('cmp_nvim_lsp').default_capabilities(capabilities)
local servers = { 'ts_ls', 'lua_ls', 'cssls', 'yamlls', 'intelephense', 'gopls' }
for _, lsp in pairs(servers) do
require('lspconfig')[lsp].setup {
-- on_attach = on_attach,
-- Global LSP configuration
vim.lsp.config('*', {
capabilities = capabilities,
}
end
})
lspc.yamlls.setup({
-- Server-specific configurations
vim.lsp.config('clangd', {})
vim.lsp.config('yamlls', {
settings = {
yaml = {
keyOrdering = false,
},
},
});
})
-- autoformat json files with jq
-- Enable all LSP servers
vim.lsp.enable({ 'clangd', 'ts_ls', 'lua_ls', 'cssls', 'yamlls', 'intelephense', 'gopls' })
-- JSON file formatting with jq
vim.api.nvim_create_autocmd("FileType", {
pattern = "json",
callback = function(ev)
vim.bo[ev.buf].formatprg = "jq"
print("It's a json file")
end,
})
-- lspc.intelephense.setup()

46
hosts/nb/modules/development/nvim/config/project.lua
View File

@@ -1,41 +1,13 @@
config = {
---@usage set to false to disable project.nvim.
--- This is on by default since it's currently the expected behavior.
active = true,
on_config_done = nil,
---@usage set to true to disable setting the current-woriking directory
--- Manual mode doesn't automatically change your root directory, so you have
--- the option to manually do so using `:ProjectRoot` command.
manual_mode = false,
---@usage Methods of detecting the root directory
--- Allowed values: **"lsp"** uses the native neovim lsp
--- **"pattern"** uses vim-rooter like glob pattern matching. Here
--- order matters: if one is not detected, the other is used as fallback. You
--- can also delete or rearangne the detection methods.
-- detection_methods = { "lsp", "pattern" }, -- NOTE: lsp detection will get annoying with multiple langs in one project
detection_methods = { "pattern" },
---@usage patterns used to detect root dir, when **"pattern"** is in detection_methods
patterns = { ".git", "_darcs", ".hg", ".bzr", ".svn", "Makefile", "package.json", "pom.xml" },
---@ Show hidden files in telescope when searching for files in a project
show_hidden = false,
---@usage When set to false, you will get a message when project.nvim changes your directory.
-- When set to false, you will get a message when project.nvim changes your directory.
silent_chdir = true,
---@usage list of lsp client names to ignore when using **lsp** detection. eg: { "efm", ... }
ignore_lsp = {},
}
local status_ok, project = pcall(require, "project_nvim")
local status_ok, project = pcall(require, "project")
if not status_ok then
return
end
project.setup(config)
project.setup({
use_lsp = false, -- Use pattern matching only (equivalent to old detection_methods = { "pattern" })
manual_mode = false,
patterns = { ".git", "_darcs", ".hg", ".bzr", ".svn", "Makefile", "package.json", "pom.xml" },
show_hidden = false,
silent_chdir = true,
ignore_lsp = {},
})

91
hosts/nb/modules/development/nvim/config/sops.lua
View File

@@ -44,7 +44,7 @@ vim.api.nvim_create_autocmd("BufReadPre", {
pattern = secrets_patterns,
callback = function(args)
-- Set filetype to yaml before the file is read so syntax highlighting works
vim.bo.filetype = "yaml"
vim.bo[args.buf].filetype = "yaml"
end,
})
@@ -53,7 +53,7 @@ vim.api.nvim_create_autocmd("BufReadPost", {
group = sops_group,
pattern = secrets_patterns,
callback = function(args)
local filepath = vim.fn.expand("%:p")
local filepath = vim.api.nvim_buf_get_name(args.buf)
-- Only decrypt if file exists and has content
if vim.fn.filereadable(filepath) == 1 and vim.fn.getfsize(filepath) > 0 then
@@ -98,26 +98,27 @@ vim.api.nvim_create_autocmd("BufReadPost", {
return
end
-- Detach LSP clients BEFORE replacing buffer to prevent sync errors
detach_lsp_clients(args.buf)
-- Replace buffer content with decrypted content
vim.api.nvim_buf_set_lines(0, 0, -1, false, vim.split(result, "\n"))
-- Strip trailing newline to avoid adding extra empty line
vim.api.nvim_buf_set_lines(args.buf, 0, -1, false, vim.split(result:gsub("\n$", ""), "\n"))
-- Mark buffer as not modified (since we just loaded it)
vim.bo.modified = false
vim.bo[args.buf].modified = false
-- Restore cursor position
pcall(vim.api.nvim_win_set_cursor, 0, cursor_pos)
-- Disable swap, backup, and undo files for security
vim.bo.swapfile = false
vim.bo.backup = false
vim.bo.writebackup = false
vim.bo.undofile = false
vim.bo[args.buf].swapfile = false
vim.bo[args.buf].backup = false
vim.bo[args.buf].writebackup = false
vim.bo[args.buf].undofile = false
-- Ensure filetype is set to yaml for syntax highlighting
vim.bo.filetype = "yaml"
-- Detach LSP clients to prevent sync errors when buffer content is replaced
detach_lsp_clients(0)
vim.bo[args.buf].filetype = "yaml"
vim.notify("SOPS: File decrypted successfully", vim.log.levels.INFO)
else
@@ -132,17 +133,22 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
group = sops_group,
pattern = secrets_patterns,
callback = function(args)
local filepath = vim.fn.expand("%:p")
local filepath = vim.api.nvim_buf_get_name(args.buf)
if not is_secrets_file(filepath) then
return
end
if is_secrets_file(filepath) then
-- Guard against double-execution
if currently_saving[filepath] then
return
end
currently_saving[filepath] = true
-- Use pcall to ensure guard is always cleared, even on unexpected errors
local ok, err = pcall(function()
-- Get current buffer content
local lines = vim.api.nvim_buf_get_lines(0, 0, -1, false)
local lines = vim.api.nvim_buf_get_lines(args.buf, 0, -1, false)
local content = table.concat(lines, "\n")
-- Check buffer content size before encrypting
@@ -153,8 +159,6 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
string.format("SOPS: Buffer content too large (%sMB > %sMB limit). Cannot encrypt.", size_mb, limit_mb),
vim.log.levels.ERROR
)
-- Don't write anything, leave buffer marked as modified
currently_saving[filepath] = nil
return
end
@@ -162,22 +166,21 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
-- This avoids /dev/stdin issues while keeping secrets secure (not in /tmp)
local dir = vim.fn.fnamemodify(filepath, ":h")
local filename = vim.fn.fnamemodify(filepath, ":t")
local temp_file = string.format("%s/.%s.sops_tmp_%d", dir, filename, os.time())
local temp_file = string.format("%s/.%s.sops_tmp_%d_%d", dir, filename, os.time(), vim.loop.hrtime() % 1000000)
-- Write plaintext content to temp file
local temp_f, temp_err = io.open(temp_file, "w")
if not temp_f then
vim.notify("SOPS: Failed to create temp file: " .. (temp_err or "unknown error"), vim.log.levels.ERROR)
-- Don't write anything, leave buffer marked as modified
currently_saving[filepath] = nil
return
end
temp_f:write(content)
temp_f:write(content .. "\n")
temp_f:close()
-- Encrypt temp file with filename override so SOPS matches .sops.yaml rules
-- Uses real filepath for rule matching, temp file for content
local cmd = string.format("sops --encrypt --filename-override %s %s",
local cmd = string.format("timeout %d sops --encrypt --filename-override %s %s",
SOPS_TIMEOUT,
vim.fn.shellescape(filepath),
vim.fn.shellescape(temp_file))
local encrypted = vim.fn.system(cmd)
@@ -186,16 +189,25 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
-- Always clean up temp file, even on error
os.remove(temp_file)
-- Check for timeout (exit code 124 from timeout command)
if sops_exit_code == 124 then
vim.notify(
string.format("SOPS: Encryption timed out after %d seconds.", SOPS_TIMEOUT),
vim.log.levels.ERROR
)
return
end
if sops_exit_code == 0 then
-- Write encrypted content directly to file
local file, err = io.open(filepath, "w")
local file, file_err = io.open(filepath, "w")
if file then
local success, write_err = file:write(encrypted)
file:close()
if success then
-- Mark buffer as saved
vim.bo.modified = false
vim.bo[args.buf].modified = false
vim.notify("SOPS: File encrypted and saved successfully", vim.log.levels.INFO)
-- Re-decrypt to show plaintext in buffer
@@ -207,37 +219,38 @@ vim.api.nvim_create_autocmd("BufWriteCmd", {
-- Save cursor position
local cursor_pos = vim.api.nvim_win_get_cursor(0)
-- Detach LSP clients BEFORE replacing buffer to prevent sync errors
detach_lsp_clients(args.buf)
-- Replace buffer with decrypted content
vim.api.nvim_buf_set_lines(0, 0, -1, false, vim.split(decrypted, "\n"))
-- Strip trailing newline to avoid adding extra empty line
vim.api.nvim_buf_set_lines(args.buf, 0, -1, false, vim.split(decrypted:gsub("\n$", ""), "\n"))
-- Mark as not modified since we just saved
vim.bo.modified = false
vim.bo[args.buf].modified = false
-- Restore cursor position
pcall(vim.api.nvim_win_set_cursor, 0, cursor_pos)
-- Detach LSP clients to prevent sync errors when buffer content is replaced
detach_lsp_clients(0)
else
vim.notify("SOPS: Could not re-decrypt after save. Buffer may show encrypted content.", vim.log.levels.WARN)
end
-- Clear guard after successful save
currently_saving[filepath] = nil
else
vim.notify("SOPS: Failed to write encrypted content: " .. (write_err or "unknown error"), vim.log.levels.ERROR)
-- Don't mark as saved, keep buffer marked as modified
currently_saving[filepath] = nil
end
else
vim.notify("SOPS: Failed to open file for writing: " .. (err or "unknown error"), vim.log.levels.ERROR)
-- Don't mark as saved, keep buffer marked as modified
currently_saving[filepath] = nil
vim.notify("SOPS: Failed to open file for writing: " .. (file_err or "unknown error"), vim.log.levels.ERROR)
end
else
vim.notify("SOPS: Failed to encrypt file - NOT SAVED! Error: " .. encrypted, vim.log.levels.ERROR)
-- Don't write anything, leave buffer marked as modified
currently_saving[filepath] = nil
end
end)
-- Always clear guard, even if pcall caught an error
currently_saving[filepath] = nil
-- Re-throw unexpected errors so they're visible
if not ok then
vim.notify("SOPS: Unexpected error during save: " .. tostring(err), vim.log.levels.ERROR)
end
end,
})
@@ -247,7 +260,7 @@ vim.api.nvim_create_autocmd("BufLeave", {
group = sops_group,
pattern = secrets_patterns,
callback = function(args)
if vim.bo.modified then
if vim.bo[args.buf].modified then
vim.notify("Warning: Unsaved changes in secrets file!", vim.log.levels.WARN)
end
end,

6
hosts/nb/modules/development/nvim/config/utils.lua
View File

@@ -1,7 +1,7 @@
-- none-ls
local status_ok_nls, none_ls_module = pcall(require, "none-ls")
-- none-ls (module is still named "null-ls" for backward compatibility)
local status_ok_nls, none_ls_module = pcall(require, "null-ls")
if not status_ok_nls then
vim.notify("none-ls plugin not found or failed to load. Check Nix config and plugin paths.", vim.log.levels.WARN)
vim.notify("null-ls plugin not found or failed to load. Check Nix config and plugin paths.", vim.log.levels.WARN)
else
local nb = none_ls_module.builtins
none_ls_module.setup({

189
hosts/nb/modules/development/nvim/config/which-key.lua
View File

@@ -1,5 +1,3 @@
vim.g.mapleader = " "
local function smart_quit()
local bufnr = vim.api.nvim_get_current_buf()
local modified = vim.api.nvim_buf_get_option(bufnr, "modified")
@@ -27,122 +25,77 @@ end
local wk = require("which-key")
wk.setup({})
wk.register({
["<leader>"] = {
[";"] = { "<cmd>Alpha<CR>", "Dashboard" },
["w"] = { "<cmd>w!<CR>", "Save" },
["q"] = { "<cmd>smart_quit()<CR>", "Quit" },
["/"] = { "<Plug>(comment_toggle_linewise_current)", "Comment toggle current line" },
["c"] = { "<cmd>BufferKill<CR>", "Close Buffer" },
["f"] = { find_project_files, "Find File" },
["h"] = { "<cmd>nohlsearch<CR>", "No Highlight" },
["t"] = { "<cmd>TodoTelescope keywords=TODO,FIX<CR>", "Find TODO,FIX" },
b = {
name = "Buffers",
j = { "<cmd>BufferLinePick<cr>", "Jump" },
f = { "<cmd>Telescope buffers<cr>", "Find" },
b = { "<cmd>BufferLineCyclePrev<cr>", "Previous" },
n = { "<cmd>BufferLineCycleNext<cr>", "Next" },
-- w = { "<cmd>BufferWipeout<cr>", "Wipeout" }, -- TODO: implement this for bufferline
e = {
"<cmd>BufferLinePickClose<cr>",
"Pick which buffer to close",
wk.setup({
preset = "classic",
delay = 0,
triggers = {
{ "<auto>", mode = "nxso" },
{ " ", mode = "n" }, -- literal space character
},
h = { "<cmd>BufferLineCloseLeft<cr>", "Close all to the left" },
l = {
"<cmd>BufferLineCloseRight<cr>",
"Close all to the right",
},
D = {
"<cmd>BufferLineSortByDirectory<cr>",
"Sort by directory",
},
L = {
"<cmd>BufferLineSortByExtension<cr>",
"Sort by language",
},
},
-- " Available Debug Adapters:
-- " https://microsoft.github.io/debug-adapter-protocol/implementors/adapters/
-- " Adapter configuration and installation instructions:
-- " https://github.com/mfussenegger/nvim-dap/wiki/Debug-Adapter-installation
-- " Debug Adapter protocol:
-- " https://microsoft.github.io/debug-adapter-protocol/
-- " Debugging
g = {
name = "Git",
g = { Lazygit_toggle, "Lazygit" },
j = { "<cmd>lua require 'gitsigns'.next_hunk({navigation_message = false})<cr>", "Next Hunk" },
k = { "<cmd>lua require 'gitsigns'.prev_hunk({navigation_message = false})<cr>", "Prev Hunk" },
l = { "<cmd>lua require 'gitsigns'.blame_line()<cr>", "Blame" },
p = { "<cmd>lua require 'gitsigns'.preview_hunk()<cr>", "Preview Hunk" },
r = { "<cmd>lua require 'gitsigns'.reset_hunk()<cr>", "Reset Hunk" },
R = { "<cmd>lua require 'gitsigns'.reset_buffer()<cr>", "Reset Buffer" },
s = { "<cmd>lua require 'gitsigns'.stage_hunk()<cr>", "Stage Hunk" },
u = {
"<cmd>lua require 'gitsigns'.undo_stage_hunk()<cr>",
"Undo Stage Hunk",
},
o = { "<cmd>Telescope git_status<cr>", "Open changed file" },
b = { "<cmd>Telescope git_branches<cr>", "Checkout branch" },
c = { "<cmd>Telescope git_commits<cr>", "Checkout commit" },
C = {
"<cmd>Telescope git_bcommits<cr>",
"Checkout commit(for current file)",
},
d = {
"<cmd>Gitsigns diffthis HEAD<cr>",
"Git Diff",
},
},
l = {
name = "LSP",
a = { "<cmd>lua vim.lsp.buf.code_action()<cr>", "Code Action" },
d = { "<cmd>Telescope diagnostics bufnr=0 theme=get_ivy<cr>", "Buffer Diagnostics" },
w = { "<cmd>Telescope diagnostics<cr>", "Diagnostics" },
-- f = { require("lvim.lsp.utils").format, "Format" },
i = { "<cmd>LspInfo<cr>", "Info" },
I = { "<cmd>Mason<cr>", "Mason Info" },
j = {
vim.diagnostic.goto_next,
"Next Diagnostic",
},
k = {
vim.diagnostic.goto_prev,
"Prev Diagnostic",
},
l = { vim.lsp.codelens.run, "CodeLens Action" },
q = { vim.diagnostic.setloclist, "Quickfix" },
r = { vim.lsp.buf.rename, "Rename" },
s = { "<cmd>Telescope lsp_document_symbols<cr>", "Document Symbols" },
S = {
"<cmd>Telescope lsp_dynamic_workspace_symbols<cr>",
"Workspace Symbols",
},
e = { "<cmd>Telescope quickfix<cr>", "Telescope Quickfix" },
},
a = { "<cmd>lua require('telescope.builtin').lsp_code_actions()<cr>", "Code Actions" },
d = { "<cmd>lua require('telescope.builtin').lsp_document_diagnostics()<cr>", "LSP Diagnostics" },
k = { "<cmd>lua vim.lsp.buf.signature_help()<cr>", "Signature Help" },
P = { "<cmd>lua require'telescope'.extensions.projects.projects{}<cr>", "Signature Help" },
}
})
wk.register(
{
["/"] = { "<Plug>(comment_toggle_linewise_visual)", "Comment toggle linewise (visual)" },
},
{
mode = "v", -- VISUAL mode
prefix = "<leader>",
buffer = nil, -- Global mappings. Specify a buffer number for buffer local mappings
silent = true, -- use `silent` when creating keymaps
noremap = true, -- use `noremap` when creating keymaps
nowait = true, -- use `nowait` when creating keymaps
}
)
wk.add({
-- Single key mappings
{ "<leader>;", "<cmd>Alpha<CR>", desc = "Dashboard" },
{ "<leader>w", "<cmd>w!<CR>", desc = "Save" },
{ "<leader>q", smart_quit, desc = "Quit" },
{ "<leader>/", "<Plug>(comment_toggle_linewise_current)", desc = "Comment toggle current line" },
{ "<leader>c", "<cmd>BufferKill<CR>", desc = "Close Buffer" },
{ "<leader>f", find_project_files, desc = "Find File" },
{ "<leader>h", "<cmd>nohlsearch<CR>", desc = "No Highlight" },
{ "<leader>t", "<cmd>TodoTelescope keywords=TODO,FIX<CR>", desc = "Find TODO,FIX" },
-- Buffers group
{ "<leader>b", group = "Buffers" },
{ "<leader>bj", "<cmd>BufferLinePick<cr>", desc = "Jump" },
{ "<leader>bf", "<cmd>Telescope buffers<cr>", desc = "Find" },
{ "<leader>bb", "<cmd>BufferLineCyclePrev<cr>", desc = "Previous" },
{ "<leader>bn", "<cmd>BufferLineCycleNext<cr>", desc = "Next" },
{ "<leader>be", "<cmd>BufferLinePickClose<cr>", desc = "Pick which buffer to close" },
{ "<leader>bh", "<cmd>BufferLineCloseLeft<cr>", desc = "Close all to the left" },
{ "<leader>bl", "<cmd>BufferLineCloseRight<cr>", desc = "Close all to the right" },
{ "<leader>bD", "<cmd>BufferLineSortByDirectory<cr>", desc = "Sort by directory" },
{ "<leader>bL", "<cmd>BufferLineSortByExtension<cr>", desc = "Sort by language" },
-- Git group
{ "<leader>g", group = "Git" },
{ "<leader>gg", Lazygit_toggle, desc = "Lazygit" },
{ "<leader>gj", "<cmd>lua require 'gitsigns'.next_hunk({navigation_message = false})<cr>", desc = "Next Hunk" },
{ "<leader>gk", "<cmd>lua require 'gitsigns'.prev_hunk({navigation_message = false})<cr>", desc = "Prev Hunk" },
{ "<leader>gl", "<cmd>lua require 'gitsigns'.blame_line()<cr>", desc = "Blame" },
{ "<leader>gp", "<cmd>lua require 'gitsigns'.preview_hunk()<cr>", desc = "Preview Hunk" },
{ "<leader>gr", "<cmd>lua require 'gitsigns'.reset_hunk()<cr>", desc = "Reset Hunk" },
{ "<leader>gR", "<cmd>lua require 'gitsigns'.reset_buffer()<cr>", desc = "Reset Buffer" },
{ "<leader>gs", "<cmd>lua require 'gitsigns'.stage_hunk()<cr>", desc = "Stage Hunk" },
{ "<leader>gu", "<cmd>lua require 'gitsigns'.undo_stage_hunk()<cr>", desc = "Undo Stage Hunk" },
{ "<leader>go", "<cmd>Telescope git_status<cr>", desc = "Open changed file" },
{ "<leader>gb", "<cmd>Telescope git_branches<cr>", desc = "Checkout branch" },
{ "<leader>gc", "<cmd>Telescope git_commits<cr>", desc = "Checkout commit" },
{ "<leader>gC", "<cmd>Telescope git_bcommits<cr>", desc = "Checkout commit(for current file)" },
{ "<leader>gd", "<cmd>Gitsigns diffthis HEAD<cr>", desc = "Git Diff" },
-- LSP group
{ "<leader>l", group = "LSP" },
{ "<leader>la", "<cmd>lua vim.lsp.buf.code_action()<cr>", desc = "Code Action" },
{ "<leader>ld", "<cmd>Telescope diagnostics bufnr=0 theme=get_ivy<cr>", desc = "Buffer Diagnostics" },
{ "<leader>lw", "<cmd>Telescope diagnostics<cr>", desc = "Diagnostics" },
{ "<leader>li", "<cmd>LspInfo<cr>", desc = "Info" },
{ "<leader>lI", "<cmd>Mason<cr>", desc = "Mason Info" },
{ "<leader>lj", vim.diagnostic.goto_next, desc = "Next Diagnostic" },
{ "<leader>lk", vim.diagnostic.goto_prev, desc = "Prev Diagnostic" },
{ "<leader>ll", vim.lsp.codelens.run, desc = "CodeLens Action" },
{ "<leader>lq", vim.diagnostic.setloclist, desc = "Quickfix" },
{ "<leader>lr", vim.lsp.buf.rename, desc = "Rename" },
{ "<leader>ls", "<cmd>Telescope lsp_document_symbols<cr>", desc = "Document Symbols" },
{ "<leader>lS", "<cmd>Telescope lsp_dynamic_workspace_symbols<cr>", desc = "Workspace Symbols" },
{ "<leader>le", "<cmd>Telescope quickfix<cr>", desc = "Telescope Quickfix" },
-- Direct LSP shortcuts
{ "<leader>a", "<cmd>lua require('telescope.builtin').lsp_code_actions()<cr>", desc = "Code Actions" },
{ "<leader>d", "<cmd>lua require('telescope.builtin').lsp_document_diagnostics()<cr>", desc = "LSP Diagnostics" },
{ "<leader>k", "<cmd>lua vim.lsp.buf.signature_help()<cr>", desc = "Signature Help" },
{ "<leader>P", "<cmd>lua require'telescope'.extensions.projects.projects{}<cr>", desc = "Projects" },
-- Visual mode mappings
{ "<leader>/", "<Plug>(comment_toggle_linewise_visual)", desc = "Comment toggle linewise (visual)", mode = "v" },
})

2
hosts/nb/modules/development/nvim/default.nix
View File

@@ -13,7 +13,7 @@ in
environment.systemPackages = with pkgs; [
nodePackages.typescript-language-server
sumneko-lua-language-server
lua-language-server
nest
nodePackages.intelephense
nodePackages.vscode-langservers-extracted

78
hosts/nb/modules/epicenter.nix Normal file
View File

@@ -0,0 +1,78 @@
{ lib, pkgs, ... }:
let
wrapperScript = pkgs.writeShellScriptBin "rustdesk-epicenter-wrapper" ''
# Grant epicenter user access to the Wayland socket
${pkgs.acl}/bin/setfacl -m u:epicenter:x "$XDG_RUNTIME_DIR"
${pkgs.acl}/bin/setfacl -m u:epicenter:rwx "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
# Run rustdesk as epicenter user with absolute path to Wayland socket
exec /run/wrappers/bin/sudo -u epicenter \
WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" \
XDG_RUNTIME_DIR=/run/user/1001 \
${pkgs.rustdesk-flutter}/bin/rustdesk "$@"
'';
rustdeskEpicenterDesktopItem = pkgs.makeDesktopItem {
name = "rustdesk-epicenter";
desktopName = "RustDesk Epicenter";
exec = "${wrapperScript}/bin/rustdesk-epicenter-wrapper";
icon = "rustdesk";
categories = [ "Network" "RemoteAccess" ];
comment = "Remote desktop software for office user (Epicenter)";
};
in {
environment.systemPackages = [
rustdeskEpicenterDesktopItem
];
users.users.epicenter = {
isNormalUser = true;
extraGroups = [ ]; # Minimal groups
};
users.groups.epicenter = {};
# Allow dominik to run rustdesk as epicenter user without password
security.sudo.extraRules = [
{
users = [ "dominik" ];
runAs = "epicenter";
commands = [
{
command = "${pkgs.rustdesk-flutter}/bin/rustdesk";
options = [ "NOPASSWD" "SETENV" ];
}
];
}
];
home-manager.users.epicenter = {
home.stateVersion = "24.05";
home.username = "epicenter";
home.homeDirectory = "/home/epicenter";
# Add rustdesk to the epicenter user's packages
home.packages = with pkgs; [
rustdesk-flutter
];
# Declaratively configure RustDesk for Epicenter server
home.file.".config/rustdesk/RustDesk2.toml" = {
force = true;
text = ''
rendezvous_server = 'rustdesk.helsinki.tools:21116'
nat_type = 1
serial = 0
unlock_pin = '''
trusted_devices = '''
[options]
av1-test = 'N'
key = '8jkD3HoWK+flkWcAMIqRnyn0jr4r9VPb+JYIbBtb+7k='
api-server = 'https://rustdesk.helsinki.tools'
custom-rendezvous-server = 'rustdesk.helsinki.tools'
'';
};
};
}

63
hosts/nb/secrets.yaml
View File

@@ -1,46 +1,47 @@
epicenter_vpn_ca: ENC[AES256_GCM,data:DUvpuL92zpQkK0auXGdHDw+f5gzjMARMroBknmgR+eq1LV5aISdA0XOCw7d3VFpMtHY+tPM4pDEWlnGJDoHDJBSFAUdmbLkDq2DvoDR1RBbsidmlXpvu7UnL4OyCgrN9G3I65HQmCh64/453T0Y5MZKUiFZXn9SZJgOU3h0qOnAiIKTQADXmUo6imhLuUdPxjwiLkNp8zHNystbfUuZkF15J+TXV9yndy/E8E4sFs4uysK9E+VM84v0q75zTf48cheE+cBGI9xOP5QMvSND6MloyGYUTPZOiQyz8M9AmJObvQFryysKf5Q1W1GBiTz9FVuSsr1IM7meljdBYwfxQaA5MurdsXVFYfdRgL6NyL5x7WOd367pgtBBwuVyT+cygg5ITIBc6YTuT8thp/q0BsJkq1OdVQrLa4PK12Tg2IOUg2Za/tLJxxiNWqs1gAmTWEIGAeJWmNgCZAjJIISwTGcdbpdWqhjAEgaaLf9ZD0hUXQ5MmSO+KXzP7lIGgqCXoMEc7W7rn3R2VkIrvaVgCBK3psTg6+CxoPQwnYbUKgPLG7ys54eECJyRfc8YPH1957Q67pYkVD166ZP/sDJfplOGH19QyFnaaSLRLoXCAfWuO72NwO/fSljN4+pmB6Ev1cRCe4mXicz7TTqGG740VOam/JW4OJCrnHVs67cs9/MsVSNZOsI+x44TKJjaFph4onaodDh5P7e52IkfRnHnjK6FjEvYPasUr9YDqUR3ucHxhD9UqvINDwhp3L/zyFb2HRuO1KzEQLzmG96xiJpJxBVl8GOTeNrK2owOf6cCuh6o3iPaAFjFok26gI1ujX/mPbBigOxB6S0cLOLoA7oA+E6L22nsoYdIwjU4b6Y/DQvndgsZFnycLsSA4TRYHUH1Q51fGU3S/zAlB66rYchsw3JqODD51axxEdo5uu/2a6K9c8BSDo+stHBPmGvty6IorhM+17IGwSVrnxBFbSICja/Mi9eHmkUuUQWaXe5iWiNGYOIe0Xsbu4PQANhDE0f4U1LboVdI46uVhBV36zLSRJ5hUYARdmaz+aUSfNSE20xwCQiqd4U1cb2W6ZRER5WOfNFa8LCjk1YyhDY1yKCbo5tZrYZtmo4T47EuH/2uyW9vPtDlAhpZWmJJ0LEbZMhl9hIEAgGYmhnxPIVItJWHgq4O+YavYWvu1qgbdBC/FZJ8xx0uSy48oKCbuTUbIBUHQ37/6wp+IC+FAoYc2CDgCKzYvYjGrjMr+l/bhWE6KqI2DE/8yG4sOZIyrKNOYRq/aqDRkaeu96bLSYZECoLpohEKRNLTFQ+J8btjGX+xak0HRNEX9bxx8Zs3ml8mDKfh11uy05zPMVU4jaLrc5VtvmNdCg1EffbtEIRhi88aP5K2flRLxvSsYODd8iisqJ3CEqa8/C/FoHhWqgs7vk9UeRs46CJjGQ2Nx7UeQhAK8ey8FwqqSPQ6hp6jFnAv5ha583GZm3G8CsapajioHOpNcyYRhUW/ekdQ1E7DafOLRRO0hdWws8fsP/96uuWJ1Ir1ec2pepmh8s9zCZl/CKSU6+PUjX03Y9buZDnAYao5nDFsF5hgi2nLCTRbHnCh/S5C4NL/Lss2gi/9HdQUWr3KNONgoGbdRNS4MHtK/t9MtxQT8FOS54fM76XLygYZhQEQuDHUr3vaihOPKXncPNx+M4IGd+tsOoGADfpZk7W4OLd5jl8OiCulKvmRXzGCrmyofifh6XBE/EDa97j4eXt/fZPhUh+kv7i39mLKiccPUqpq9WYA/pqlMc84PAsewRerk3Z7jygFb2oX8LwYX2vDer565q+74n/y+oqz/CQ7jypoGBC8f9a16h2e2ZuvjQZ2sUdBB0xKwmLHC5mXLRkJYZ8Myt0Bzp0iVnC8P,iv:0GfL3sG36nsg/4BPw32kKMB78TmbN+mLq/mqEFp0yas=,tag:x+kxJsS+Fn7VO3MlOmqgwQ==,type:str]
epicenter_vpn_cert: ENC[AES256_GCM,data:y94SNCZISKCGbG3dtMZKPntzHvmvAK9fr0+TASNUPp+RG0o7sWRZHrAk+zs4x6tTJpRMCN3VJUzH0bkSHrsKHsYLwVOT5Sb3l7y0CUjjT463NWj1ZipaMU94NRbtDC6Q4sMkFQPaLEefaOhjQu2a2qMx0FkQ9OA3T4f4u5GVN72/PTftHw3SybhptlF5L1e3Q69J3H0uVGRuXmmrws6HcLb2th9sAYPAi82yEimdzPa154DKIRcBY78QVkRz4X7VVyLFY3X34TMvGTmKP7MsW5lApVd/qoML0MkqvrWdEClMWG7i4jMRjSUSRIVr33DE8ds4aBx565tKQ9rVZT7KPZU7IbFqgKP6TQN8w7g5mY3aImPlRMB/xb7V8a+qBScOgBiwCgdAnz+PKGaCwcaBba80q0m/gONkxgVy+QKLLdALjb3iUpKiGvWFLwsKr/hQ1O0h7MBFDTGqWniiXZbyb39HABZNVtKAC/4qouG/G+hP6fpk/+TMtjRNSh6wWtyiYvTeFOtCWfi6YEC7IZFautr3vcu24soA+Q4vFwYr6lIEPnQYlpBCr/TLVzEvxWEjsR8G2RaBSWGm2E0tre8qVSFkJwz+niL8FQgaQTjnsYmJGHFS8sxseGuAakuSH+gzopc75H6y2pEnZrpQMOMyDq0GMkIW8xGk7x5Ewq1DZ8ji13Y8xtnbLqiJkhPc19JDoXdpls/40K4Ymrz6dOO8zxzvW8SHF47gOYvp+a5d3vqwXFZH2qDUvdScV5eATmK8ltfGod9PbZWgFzhp336dkba5aAspXlyzAlRRqrVhvpff+V8cyHTIz9qA8fhXv+v2pN0E/Es1NTJhtQo09OGnZn82lfVyR93hLtr6AgbDggwhvAOlJr/pAt0YZ5FhehhhnH0+ekUJC0YemUMj0QVbpxIWc4rt5n7nqewSHC8feo6Zfc4NHfE8sWemGGm2sUOdf6C2F9k0h+Snwfyu95XIWccMAC/Ii14ciu/nj0L67bbj8XAECjWCIlhhCJcMXlpxfU3lZX7zEy4WH+IqV1399KmtvUssuObBb9uAMwHjZl0l2GVQPo3clDea2ZP5HDO9B3kWRqpvIrjawh4IM73O43jbIDgjNXMijnH0GJu8FH8igS+7JOhRHrOBQiNc0unx6EgAfXHo3v6o8ktzbtRcUwU8k+wldU1cu9ugpVpG9j8O+zvPYkaH+0xfdAdxDKXz+4e8462O5zr3IVRp63CBBNtnTn6fcwnxgD9ouhgyyLBylzrwCmRAODHyukJovkNARWmhcYCAnYhrYf9KqaCoeRLmFq8sLMeiYGDTJ/+PTyheZMHboaoZbUbnRtrvuXQiCHqDKxSan0OACW+oXgCBgZSshj8lb58A+zjpMVy4Wis8s6K9HFpiPSP4tmHxXvOod2+qL/eZBV4LhLoahO0gg3+DUPTeJVO+4I7YZYLVXBhf0OC7z8jMGf8Q4SjO8p6Vufx2KXIEpcITto0IJFsIAv9UVfsKVyvVeuGaGGi8VQWhexdQxjDtoURRts91EFNpJ86o9HPbQCAWXBx9hlnBH2zZntqPd5eVA57s67i1dWpuudD/oBzGn3fBv3Fck9tpArMNSrOtbtl3sBc6Calo/5+HWSY4tz1Hnrlv0/IxD2EcgzH5dFu6klTn3gaMdgd288/kRPDzfdcVGqlvV8rQJjTD1XN48FK/Zp2ydCede+SKLidqrqz1ISXOwsya0ivfc4Vdk3hhnnkTnqZT3qR88Z69X+9QkYCVNaoojTiBoRCekqNDI3Ev8MKp1eX0E3rXT3AG3E7xEFGulhe2C9RdMwQg0QG/Ws7n/CtTeVwpv+JG73TlDnBzoVHN6fqKBVchbGPtcObM90N2itJ/wf3jXefhrrsQudLch+Mwp72YcvCKqOMsrO3egvNxIiLKrrVOI8buo0NJrPoQE3/+rZQFzx2r0AHkrwEUHGUvr2oHDJyXwSY2/7zCYbewN44Zjo7n5ofOhSUsaGJNySHgC6V74gyU0UCUEBnF8fZK/Y6QgdtT9gApHVtJwXRvLig2P11bIlyWZjISRaAVAUAMKdS8ir8l+P3NL8kBZstfpH2eeYFHIWeZ7VrVTs4CaHDzkyMizui0EBfvf5irWeJvIekCWnetfo047QKJvrKr+6239QxH5ni7wlzWxiZNcewaOfCK2SqOvYz6NIRp+/blZuxL2pXhTInB/XxbP2zHH64dC8AVvViU8bI2DR/HhzbbpEylzD4ttvil7hLt6AMpugFrmAgWd6JU5yM9lXoTSprmXZ7awYTLcQlCQu9cUNXF0JdtELA/oQipEEUz+2lRt3B+0abYGVWb,iv:MVId1jgmyhY/iUxnjca5IpYwlzUAsa6Nwchg52AKgRc=,tag:1RASj3dFAYVNphJ4zjXxtA==,type:str]
epicenter_vpn_key: ENC[AES256_GCM,data:Kt33OLiauTrkzSwib2px/rZoQO6tlCzsy2exxIrZb91ukUDo716+JaZ2dB6FEjx/z0jaUEiU8u3lZbq4gkhwXe/hwUnr7pIW+V1InJhuGOAENfnusDkSu6P5pVpE5FNBKYF6u77/h5pdWwI/bHo7Hfi7f1xVtPkAeSqDScprUOVIoEYeJ0AXo0L9xCQVPSIAsdrh2jZQPe1S4iCLqQTTYK5CvP4/1wjwA2C4PheXEK5Z74Xkxd3pRI0cogpt711+ujMbh01siQNs9tk5+pk8vbXV6M5duzQlJar6iF47GsaomFkLNsk4QvTVZ7kKIMWEfOzwgwniI8YGtDgjxCvd13H1agaeDjsboFxR3i5aI0ZKC4sP7aTASDQbWwTQxoFdMlHjbkMvVWAT1CxUw/phUfwA8L5xLBxzauvHgE0B/R2rW5FU+qaDZfyUts9RyIJzaF+bESz6YKV27i1ZQNp00YPH9jy05uYDjPldLo2PLzgLQHMsSwZ60KKlHU68gGtVI7qtH9fpy34h0/6IsCRAJF1mRHEHHzC8Ny4Q7dtN3GenMPVT07dwgEYczONjbtrpyKoLDHnAf5JguUydLIKvcxDwNmfXlaAcOzX9seEO0L+Wy2sjG5SCKjPA0wTwIvpWuthTpTaptde0KDBauzJZZvkx3FnABF5Ho2VHCY9MkQxnc61488rQXv15FNM2WaTKcI97b/kc+PXK0XbvKD1OKJ/fyNloaLPAJKB7Q+Nu9sSK91nyM5WOALhkp/5PiKQhSO75X1qsd2S35mWY6upES887He2rdmNjt0YPVzETVXhDk48OHwNNcqKTG0qs354/bF00lQJ7asQaHZ9vnomZTy3F+vWdadmUntu3r0lz/74ZEA1rWe+CIyINkuGcT0q48FMwlzms6XXYe4qnVjG1Yu/PknI6XfIpEAHN3aR/dVkpvwSDKzJD9mUr18IoXf7mcbRmhc0yAz7dmoT+Z5x+/z4G5u5xmMa9lvtHOnaXn0RhbMQP/Gziy9hB7GySGyztnBxOLghO6pnY17Etxcd+RDGkHb+PAZY2tJi3ObTry10dT3Zcx4aHNp69EcOjTQ1+629jFatFB2dhgIt2JdWbpgwppE2QB0g5cFY3e8s3rdriHfXsZNFt1xF7aaBYBUb/Z29EeC3EGUyV1fjhG0ZMDuZAw/7UEOObWS1Mx+z707OWWwGXy+5BYdSC/sYzUF9aMfGXjfttsqr36Cza9aSia6Qin5vMmJtpLYl1WGA3TjcgnglVhgKmg9DvEijm/pa1gy5hMX9SQgV0SuHtWfGIo+uleBr3n38CGJ8BOVJbZ4pHR4JQWrAjxE5MHIzZRF1UmbxWUoqL73IyTGZQovPrLO+z6rl+Djd7bGcQgpsBd8nJaOG5qoSH3Y40+onrlAz4WmKWPaSAclSgSPdHE4OEHIPzzrzLOaJWrI9B04LG9qMfhtpMNse/O4XT76QBfgaeDtKHO4Pv7T9PjIHYC4dPljkvrthEPQeJwo1zywDw2uu+I+WyxWuEGuR9JByJ8s7vaSLcDSP1BRkAq+i+YDDB4/a9iWmF4db/mKjVn6c+NRJjmugoCPeVbzyAfkxBm0nXVjQpOAsYGvGneAN53xHJmZ4kO91wrx+i+lXfRsnU3pgYYfHOePEhCUZoFXSVCFy0ksZKSHQSZb+v4x6CsvtpomUP6u0LIukZgZEgNsrpHXn4oQ0uzrts9LwKECAjGpgRINdJ6XCD8uxcIE+uuS5wyOWg/m1TmC5MThTwe4UfpxD0erMiqgGSSJ+xWuwmnjSS62XmLHnfe+VWEiLOk/7vWQxLy3bdHSfSXCee76isRcFpRKY+x59/Tj02I3F5onVuqAehtLkL4zUgdavmLmKI/81uKRTcMtXdFnYuCR+4xBZYauVtL3t7yhozhZwSZe/02mBahe61dwhZIIbAbAqivbrw210H5cKi9R9i+dR85ISJTrGFlXwT1EX/kD8BWdWPZrg9s5JD2jzrl56dKu+oeNPCZNuD6qlCaFBytJOixj/WkggyMGtOcy2do7MZZfuswbLLdD8ClzUx2D+nrRfae7Mze0s7KhyArmtjRyAfh8xqD+vTR7/yh8mgp2k5XOBw2bdCqH79ctq50drdBnpLuILKuruO/A1isS6YkjD0vxXQZh3yt5D3iqlAAOHdIzaWf8q0zUQsHp0aOgZG0WSlVPg44oHEG40O+laDu62fgcI4JisL6KwdJIPidw==,iv:pB/cNgmHi14ugi6kd+J6poWXX79LMHiiakNa03ibZ0Q=,tag:nLfjOesXDm5/QtwHznJROw==,type:str]
wg_private_key: ENC[AES256_GCM,data:A80vGf9aMxowC2xME4FIVTmKpSRLNB2tWiUQeP1v8vCRk6Gt8BKYOuXYt04=,iv:vr7qvfr78syrI5pIytjLouPwZcw4xvBTvEUzzv7ibnQ=,tag:qjALlFkd8JocLJqMKFERaw==,type:str]
wg_preshared_key: ENC[AES256_GCM,data:bhXoD95ahDRawoHd5Z35FY0G6Xv0PHwWJf300fHQ5jNsGN1TQKHsIswx8YI=,iv:fBsIWkVZUt8pahuO9daaRBIEEIWsSnFW5Velj9uP2ZY=,tag:RvbCYhnRv0OrjTxjsNFW6g==,type:str]
wg-cloonar-key: ENC[AES256_GCM,data:ZMEeIZApOD0ij3nPMZeQRwJ4MwVx0sHu08F+m/u6IMHBGid5YwMgxZ7qbLk=,iv:OfIZ9TqBLjToIQi7zRUBATrynBtu0bzXeGVI/EAUPhQ=,tag:mJICT/ak5U76JE/IxJsCKw==,type:str]
cyberghost_user_pass: ENC[AES256_GCM,data:Eaz8iEV9vNZh/bJePmacQ06zU8FfIA==,iv:GcnU10VLVJsoeIU6t6eVjopLsBamvk12DpMbM9BsBv0=,tag:rLYoghkD8O9JepnopJfiuw==,type:str]
cyberghost_ca: ENC[AES256_GCM,data:9PHq2qHLsCvAmJR3S4J2ccNk6ec/LDauR6KoIpvvHX2v7w87m9aoADw9nSbQtuBwJWjSGi/hqUAz4fa/pT6y1TjLiJxUDBmr7axjsc7b9IQMmQCO6zmCK4XR7TkVFWorwdQxJ0HVdXBFAkbzet1EZ4zv9QtwXuXK8MkH50dzI0HVLgX7EtHljnrANJ/EtJ6TsxBvMr7HMhNITUy7iHbiUQvFKanZ3FmwLgCO/K443szXa3+qKQmr4YxKOUqF41QnmpikjksgMw5rfJOhuxe2YTdswt3urWTOtVfRACUjkcivqjWZIz7PCULvJHTwqDDLR+mc1bxxgkyIfElx7Tv7+tjbZxCsWarekPmjg/lETRFxTkg30yyBsgXqFjYbxwBFTjZkkozpnBJbxZDq7VkgEIi3hl1ts1gUsj5Y9v4CDffKwAST18iDgq/Rb831878kujdiMH1qeMOgHVpFtrfjleK2MPjDYcTkXY0sOdOCzkFgFE92/dp2q50er3FTaIq69c8dYR3DkSt/KPVb5Og7j1hKRtGaBpgfEYVqKzB1aMm45ORfmUR9ZPzTZvGzk8jecFL5wxFK69QmP5/cMr29SASdm8repcE002hUJYKp6RALcRpo/e+Cvc5yetvwdFUwnghLgvmyW6CTzn87OsJQJPgl2X/b/iDJrlzaa56QCrH4rmulDf54RS4tQZol2tRAgnSrxhvKOlqSeuVRwczxqOeGNi2Mfel/HIHoc26GONUtHtF0dqCm1ZJvKPr5JOKRguEXcLo4ZSqcMCNg9PcfPBVV7C69K6kmA7+vqRr0I8Qv9Ls8ZDoywZ3L5CsaXYMFaOcTeDaKdmZiQnLPr+NjPuFmHn04EgjgWuk2VHCENB7w7m8nh35xDQaPaZbU0RdNahGJrVdUHKBs43dgCor+SNhnnV0UjjLLpD5off5xdgpxNNXEeNfxq3Y//XoNM4TQzk91em+KScuPW108Rylk0IYavOxIgNettmr7tTEb59UTK92ogEnQKNZOv0S1lEGwzQnD8R6tNUoESWIpyMc2FDlEd7UAuPNXGIebQnleMTNdp0FkJHSKXjhcKXf0WOD36RGw6D6KiX6A/tkO4EvBt0hn3pJ1nfqcZdhrRUivx9quyEWYbiosLduT1jj1q5jy/1nq+sA7bkNrx2af2Hp0h1+8nteWV/4kWCwpX7aEfv7oraoFQM52luF707caKX5hRr3sRK/Kw8ad589EZxDn+R9L9tx+T5ItPBNItNS+1T/dFxDeEEhiIPB5qeubVrwSTo6e+lJ7QErMOfsyIbG8vuIhj3J0nc6Iy6lvdPkCQi3J4/w0WRqLU9X2h0RiQhiwDdogE1bE1oPFUje07uk5FEwyzmfKQxx/4s1hBvFklKtV5LHcXAo+QkirwZYOpyIrNalmIK1CeQ/GGW57AcBNaCLd5W0MXzpai8h2wWtltezqzCz1izGV1SZpgXBqGhi+s7aVgIW4aNiBVhnf2JoIvIuLyZvbAo+45wk2Hh0WXgAxHaZ/mReRyT8BWbjWtIqQKCw4UTbl0kS+xsl2mblRD0nhv7K6d7xuuq+5BnBPhn07aOowwW8qcqzsvcJPMesErpzQy0umg4ODX3J7GEfjjMIoUosRP8gAE+4ReT9y9ApoB3krb5W9WTAfKt1nnMJxiycM0QU2DVaad57N+RNF4MhjyPXDvOM57xDbfzFmoRun+TqGNzmBsblnPkRXqvunRrTW7U+fn8fRBxZAVgrD5LQoUbp9hA1aY0xsM+D8l8xpFH7PRTDqItTkIP7J1IXbVSlc9hkLHVnz9MbdiE+ihjTVXjzkMCVwbMgFza+fSZw0bnnOLNsX5zXl8H5Z6jbkDmoFcaABEQdABY5kgTtE3Hizzzz8rUt9mxku3/Way3mDF5t96qi3rR+CByOz9JIRiAAEXJci2JG9tIgnFM31OA/zmshFVlBO0IYeRvSIF+QYd9ACH2ZUfeUPdQ/Js7fwLFqa9N0yyWIuj/8X8sSLO8b7kk7/2aotdK9RolMRj5pj0+lrr1Gdxk+EdcviHfL8Uig5snIR/tegZIZJLYT9HOIdrFYkTHds7/dQs92EqJNvKZmsA3H8CJoOIST1JyB5AAPn7Ad/qN9f33T6++RUKJTnMDnV/HfEkpIrkjAwQ4mLT+Mc6R1JBaLVPJ1qaH5rzkaZNyI/DX7g0DaMC2FOyAGPLYb2PieOPWXpoRSTvA18UidYu8msk77u/M/S4S4EqAT1dZgmkg9DvetgQ9GGRGQ4t/F2Evr6lGHdZQKC5aAF9GDPAHXbjv9zLllb+dlZR5TLmzrspgBcCzdKhpjKTCEpxLOyFhPzfzzDzOdHI2iQlKkFRmmPC22fKk+OqNFM58dA6qiPEMDcIcKWZ0kCyH0rV4Fpzx8WlBPLD1SoU2HADmz/1CePRK0jywWCd529wvjdEjFYaiWOmqAywxJQG7bvkx+68P4AosqUVvv6mso7L0maQVVFsSPiuR91b7al4luq/QZulZcOG/I8fLDJ3YvQIXHW11NlljHCCKiTh9Q80bJrx/pJxjKz1Ct6AffZshUq5l3TZrC0XWZNg8erO4QnKjSZ3yYivg/77BGj3WQTS6lkhHFNsQe29+seIwbV1zZQNc7l4WNkuiYBDAgXiN4xAthHZZmETWFU/Wqd2gAosTiOstxvN+GMXSjotRxnAMn+Pew5Jly4uh7EvOnGa1k1oq+CzVcTnh1bV6U1br3I55P1saN0QkyC1ua8ATlcEP8tB89IK+SeXOeXk/koSnjoAAuuTFFwsxdBjq+D2SGQ/YXoUkohG4ULvMyPq8CfCKOWWKAS7xAXiVgGrBDIZZ32I9sC+2vJkglKkCX+fr+j9eh8lokqTsfmUB07kTEsl2GmBEEpLwikeEVhM2ZFWzPcBEZS8+pfSe6dm1n6nfUqo1lOi23/FL6AlrfbbjX3iAqBE6vt77RFMqi58RnH8GmR7Zyg3CXfGSPQwqgCiBdymXZaSdi/ybLKhsQ642bb37XceVjtlu4=,iv:8uQbG4ObsDSS0DeKx24lt1vpfeSms2v7KGRQrKoWwds=,tag:2RoiW5VWLXfMgXA4cbnKBg==,type:str]
cyberghost_cert: ENC[AES256_GCM,data:hXplfGZvyQDf6m0YFWgtdHCLy0178BZNbDFxoAvj6J/R2Dv27YZQ+kn7au6Z11xFNA1A0K3pQCfzuSeuNtLm6OqHU/QAsXcYF3DQnfrotod1i8FTT+UqLvFTXGp5smUQzpKzzJQHxfMOsXXMMyHwLiytCbpWHapyVJuG2EDdai4MScHqtepqaWsHAj0TYaED3QJFfn6vC3VqHlfe3WMY/fpy7brpAyccjbTYEdYiUOzYzzgjk00Jw1zByLNld5CeuXsiYto+Ce66CK/i7aN9OlDF7F/hibosk1AAPwqAvboGGcervEO1qtNVoKkprzvyHAQyf4HRpSNbsaEFPrzog3YW4vvu6dQlXujQuYF1ZRqCejgUGYSihC/NaZW2O8F3eJKkXVnRQkcbr2GzLRpawQZ6E5i0X5PgSHaFQsGJ5UsANbWY2tJJomQdtmQEsjJDbwG1RTBW9VvMLAdTj2daasixA13inqxbUK2o23tp9HRscSbho2de0lOH+JT+j0j+Mi4VOoCQMWc0Ln1YDFvjZMfUNtlR7Qd1Q2MySAUcGRf4w8Wf3waIb6x+BhBYghdJGsAiV1jyq+Pp8bOLuoTXYhdDI1H4gemtCSemsojPuvXgKQky75uZBRvuGSwHTCFu3WA42xU/bMNaRg8mRZSxQLMqWkWHVLBBFyiHAHjCXicTfsKhU9YQMEm9sA2Ecc3osM38guXU3/jqh0AbEGt4QOy6WMhV/xDy+eLU63vtR7YSD/DY0Nij7OnTG3GbQuyMu22j0zFW1UbX26m/pxESkPv9zQ8ilz6lNj2yxfIJz71pIjWLRrC/797Bdah+bRTeyfAQXsT3AoBuogNARNamcrdPkKQHQGEMY5UjNn/4VoFClXzeZGGeABjxLIk2hvWU10n2OiDmnj30YTrPQvRIXJQGtBNrrlPKwR1FPt8QCkeoFXwxbHQTf+rBllbAgAlfic3yUoT/foqy4c+lbXByaC0aJmwmgA1mJ9j8sFkX2znNtnbkKxesNRXWqeorUUhEafIF3lJ/tg+lwaUNtmy0Ig9NAS59iNklbNASyKjXzMzflI6H7SRsKkFeO48LMWtGH6Jo4QMvZ5sWvZSVaqWOlh1QAMZMxVzpz1eXv5TAsTpfc4anv+MgrpeHsXs3vQv2ytkale2YdukuGBuqlIQcZrw8yC8u+TvAPqDFZUAiyh8uOAwETOvQvNuttRF2qbjiIA8ZVp2Utf+ggaIPf+vE1mtWit4/rrqBSCT0XuR75duWSIS109B4iZer3rhINqIk1XTAzqO0fmyCZriw1c8T/87N4y9Z2MqIXNaLLk+UbYFd4NWuvuHUGSbsQZ8EtkWzaUPPHx/wzIVWu3ajmjUv6QFgSY9PS4eY8xKqqHxt2i98ePwfivhM6G1eBedAutLWF1m1Omjw9k72z30coa/UcfzF0fo2kQVcw8z1kJBuH1WYfk13D77soxcWLFWZ2ropRzFI52XfvXwxiyyd/sVByWt7ZyNDuUyyuyDeU7Tpzbf4N0ek2qfwBlllfTLCePqWcGAJ3zn1vYajyXFYm35YzWZh3oj0CEN1p1udyxUQ3YIvtUHHk4FPSYjuHSu3Hn8vft2gR3CYa4RvkvcxHbmH4WiSBlAlt6Lcv6TYkZ98K0/Z2bX2FMhItFE8bQoy7C+hUXek55aAwB/UQ4Fjf+2xTsckrCig+eSvM0ZJDnon4K+eUbOF6hSGbRzcX1VfqPStyHhtCUxOckccVLbWFv6sYyzuDZyvo/Nmljx3M0CjDZ5u16aVBxk3ycnlSM7WcSl5h7bjbZkZv8W0sWke/bXakBuelcvfpnzkcT0NmRT0awusSxQk+WH2iiiAT8NTijbQC3F6OPB43M9tad14WXg9cyroEcPgsm4hDwl6wsrZeWlQZ4dDwtLPF8mB5Q3cWsttUJHLrTmZJ1HyXThD8Vp9JO4jF10pE+MsDbu6vqSNOFa/X2tho24NkXElZqUXG4wZYrU964wr+pgxEvFsRx0hqeZ4OUThosJJdFGEW50RBP6UPEw7mWelpi3Q/kbVL4ulZ3And2U5N1faQIFbvWk2Kx4RP3Don78I/LLzqI9q6WAQ8HES6ulieDNu81DBd0u9128j3ZVhEBmnKpRHdGqCjA704zidAl8/+wrpgt7GdOW9AD42jU1F0aDuQujsPRszpFagmdlR6psFDOOBA4e1vTqovIrmWxbFtTr1d9oi6Bv5vDmg9d/RzS6Cu6DoSped+9uCATwRBlqP+QCO5Lz2cBuzVcqf8jAkdUlHBJxcz21xPzOJJOnR/Mx70E9h+BVfwWC9S+8REi+lFNq9nvWaAcOcDL3Pnj/GpYbO+quIGtE1RuJqW2uFd4wXiwbrk4qcVbxds0gH5DDQjOtsF9zRgV/Vmno07jJ8dZmpNq/it3Ou5eErZ/Y9BHerRCUBpWQn2r1XhgLV7Uslhunde387/ohQQeT9GlNLm6wyLLa9thhqLFxlvzRWRg+7HkutPlA2N9c/xvixs45SCfWWWKC7QTCVZR2OIxQFB0prfcmRC80nCxBi3ZdX1Oselgi1iEi3+FnqP7DNCjkXJWIasFhiRNcOw91IGKs5yaiFvCIe7kprf8Ew1xun+39H1W0AWdjaBWFSQU7kelyql4qsxh+skLuT4nss5wXh5InrYALZbvJBpBGmUAPNHGPkvcCSCaMeayqpiKoUUW7Wy8EPWY9kI1we+rpN3KhueQHqtus8nLEABduXpi1w6AGfDsslm6nRysllADNB76p/v0j2q5i/lQxM/Ks7pIA/hJGp6RKKmUZg3VlZ/GI/TXz89Ha6XHI4IOGzx15UhHPq5xuCDk2THIy0ryeHIBteVuU8uj+uoZVYMCfjqUxSe4Kvzk1QBrxntAWFb4ObVt+Mdw84YR9p33EQXPiX5JfsUULdsc2VlR7ccvL57c45GFPNGFjUJfR968GJLw3DGx65jtQWHQgUElB7Oy/UJVhdTSReZTULoh0qD0Ol473SmVx6EOcXQSVjfmBGjVkaurs8TY+OFwUQaBBCBN2T/jT+V+Y+qWf18uwaE/w+Nwe+E0QqK6uMYXvBP86QM/pSvjNJKHZZNJfnUOCx0EFml4bRUQROvucJzQLolui/DR4PP2MBRKi6rjhwMTYYCGLGjgSDsQ==,iv:vYJer+NYyRo/jcpGb66askFA42T+TmSfWTm3DKOIIt4=,tag:RlvqzLfvtJN0HloJZTJb1Q==,type:str]
cyberghost_key: ENC[AES256_GCM,data:qfPwy1DSooR6eo9O7j6h43wILh4PzxE2X0pdbzh3gw1D98rR8GWEj8sukK/L0TzfGYqYWDPy15OeymaGdm6p1WtevBOlkZtQcXmo7jg3+k0TFUnUctNDm2cOjuKck7CGDFtwbMsOHtCxwhwYouCmes9sQ6KSfolVkutVcvEfI1qhjOvJabsZt4O0P5wB4dQUMQfcPwXYKLuW3xlP2MvIn+Q6XZzfLOqoHnAwQhyxfGsOeMkPV2GXzMsqcCuDhfItU7d1GHzMCOLQsWspwNr1jJd0a56YhY+oPHs+yRSEvzFeL08ZyQjPr7YX/p5w84aJrY7THDlBcAK3d35EQOPvAEghrbmas/aKSxDXPL2W3GKKhok9ztpX6QDywkgwUbetXs+oVUF3sHK+UlyiW4RLPsKoQQPtHYBvgIwtT9ym21PJvgFy4dOJF+XW3CfpZcAOONB2L2mxrhB04CV0is3i+SnQE4tVIqGfQBVrDeuGB/+7Pjy2cW0zkEOAHrwGbdlqG0kgdHFOdbDp2fJl5zTRd9hBhYeXT9mbFtlJ+50KyGOAkJZf9a3O0BwgYRR0sdaEWfOLDMsz5L1DlvzidrChGBwFbHAyuFkjE/hkhddAH+1xiCfRCb+mGqs03rDhIpJbEMZLRZFsLWu+hlXKZ4AXamkuOvkk9KvrYL8KVjkVk1GIIeQqVFE1tiSCtlGeODYblA/5HPTCH1wPrLBNCRS6xkxEwHs/qZx6J0qN6j94lWDWa/Q83g7L3OKL8JTlsyr+D9100veMUVhvo8RiJy85Z7tTqXXEckEWKgnC53dZ1ruILNzupytUYa9rYjNcQ1KXy0dwYbMDQ4kvLCpJtO47pXo1i9V9bDFrYCLipCtyg+s2RUzYOnW4GXpn+de9MDEJ5oOp0pMZ25HG3fpnZDvaIyPyytpyj7apx3VDf62Eq5Rodd49uKuDjlbWDezaaU6MjRqhmpv8dbs7c/7pogZmaztxKTbs+EZ/6l66cek24GS7GjQj0e+N32vY1ACcQUCjg9smCGvhKs0H5kL1YOJkopN9ZWVV9p32p0IsbQHsRebSOHablHT8q6tyYfP6ctHH6BNfoUlfZjHtR52VEiY0OstmnjsJxE2hYPX+l4tpUGNGv18nQ4C2ez3baMWHNXzRTXo+g4zjVkW0Ggi0ecd7I5vR5vUNNA74Hv5Mrd+oAYkf/65XGlTJu5VIM0f7IvlSintmmM0pLB1rmCgnZenlhhbY+0862xS2j1YcZIapox8JT/W2IRUYKnJ7j7B3bc/57JWDzaBM/AukhZvERqdm12fhh9jNrNDjK25HmNwdh4Bsf7IyVqXh/nSsH5MtTCASonn/DG+6pGLwOCxKiQdNmlYD8yiZ2RkSfFs14glr0frUYcgCEOFb18IeF/e6srzKSocRVJqKAoCQhnu4qNMy7YDXpmucnzhWuwcFeKC6gaTKBPj6pxM8OSXM7uqe27So4flZIbNU8yvDp0Ub0LYco/EJGUEL9lwitMydSV0F3gjc8zvEbYMs7qlYg9dD1jxJd5vaPkx59DHCpEMOHn1CjVxazZNvexJLG7j4FBkM6PhF131/C7C4cly8ASLQd5E6nZb54GZdKqDp6MVgipeKJ1Z8A/onBC/Glal1bl6ASeAO2Mkfq7PBJ54CKXaxiQ+TFpCfy7DrOArQzaBJ9s/Gy14EoGfb/o0VuXhj4vwChig16x7vu5MnEFdItPjkfRa638KkILeS4OXm0ae+KKxBUchCwXdRyGK+wn7Kz9E9xOjcKMI/kiDnAB/mTkLC+IA5wRuXgtVyFk3BuvrJaYIHsJVZofP5lYz0JLmXXtPyytI3r/IwSL3B0jupo/KHUZx6MBwjBYG/fKJgTQvvbGDePNFHfk5y/At96P7QZIVO+QlmQg1em0pRpYbO30GVhcDko9LvNG5rLPB7a6SNB/pllOgBjbEKWoNPVwFVe17ILzA2Hl/egkW+wxiJM39bG7Ll1bMN5Q32yNZlUAzWBHDSd4DhM14ock9irRGtLqrhHH0QyMr1WlVoMRXTGT7aMLUBc4IEY7kXnx4Sw/RILqOFZsML6Kz5EEroTR/gzDpr1xYxcIRrRmaBS2YMc6wgfIRstsspMT2kUUT5n3MBJlur2CpyNEpqh5o0oRpACQyqdc9P35BVc5NYdAIg6zYKHtiTpl3I/Py+XDSDT/wC1OrKRJjuw0ES/wgDoygbPxieqdUGCqDkEjuM/UZqmIILAHBBvqniMVB5QLO53NO4lhrTbhmBWDXzw9dpJ77O6In8DmQ6cmuBsOAC1JqlGhFHpp1YMKtlQlOpwsORZSdwc/sfMkai/dXjhoh9Ptpk1fUKH+3AHzd+Ulb6Y7daInVgutnO/XFj832l8WwHzyZPLBTpbRbHeeSQevIHM/x/jLDZlUGVktrN04Dj4CJJstyeETIegzILTrXUhIq/W9cEd9vEdlSRRwTn5Z/E8zfET5fxLWSrMRTTQWOh1jIh7FI+P9d3x0K0fk0CR+vclyvVm506zAgF8KCBPjljDZYgeXyPMJ/icU9QhA72++IGo/XoT81fpB34Zt513PQk4WGmUGhAgiQP1EObnQ/YNaTcdUU8fhvq7YcyUlRA+vfaKMS1S18a8RKfYs0yWxCG4CuCb9pWhRK2ALjNeqYS70dFeeiAHI7UKjV+I5CbtLdIt0/oGDFKokH5xRVl6JkLq8iVPCaCyCOc0FCfBVyPBF3Qaisvh3GyIpCPbx0mp8fDRsiXLJShyqaqC6hpD88PnTDE2mvMyB/bH8Quzh5OrLp2CTDeOvWtg1GxYowiL0CC77ogUQhfM1ut8g+tvjgsmuiXU1uEzpHCsIXnSnUvwJW6tV37S0YUePoVAi6hVJTr60M2s4+0J2IxDnb9h2GVZqmusyQU74cKXJrEOC6r5apkhH2GG2jdVQGn2ETY/b/cbFtI38EtT4IbOa/OQDLf9F0UJPuYi5Ne0mII4asEmWdfco9P5oU4Ssr39WmTfmrBLvEQ0IhPSwKmtZlA1x85FSv5+wKauBYw3GTZa/tsp7E2MHhkyRWG1eMMziceCOrTD7NgRRLQIgN+ejm43i+OdMzi9vjzf1vg+barXOOd34yjY6zqpX9hEAJuxYgT2s8fGj59ljZsqp/qSICBIiImOyjxgKou1nh+AJY0Qs4fIGVTstf7aG540IiOGNTy41sVWdtKBeeahez9FB2lxMZ+A/83IRtmlnMcqXKhIgS7c3ajaRrgjesO/fbHnE557Ocz2A6SdoOn9rqVXD6VGvM2fkbj8no0ooCnvNtQ8JEMu6hyVipSqgRxcZlnW05NGOTtWxV3xRI3RK5tNguYgqqLIQvSARDDgm/HtJoJgom8lqSkLXswGjbxpJ1GP9lWpyov+muy9viwLQZQgEma7w2M0gIB84s3FOuYMIz7pKEDntUO7jRUl5+T8gJoJ9ex32InELTLWgksB8mb4ZuSCOmoISEEaBsPYtSG9wo5bWg5uz0/ToudFf+WRA9JT/MesSzVhehqFx1eMGAKHoRd02oMOtwIzQuc0Xp0DuYBTWOk/aHyRDxfluaFSIyAR/KBkO7fc9jKTu1JJifPCXZWInRXvPogmafCyYicC3gc2ITNumezK+oD8fjbWHW0gDIvk9qQjxhQJz99N0XYiRLTl1SssGMKADMzauPWSMDwn1VQ8t9Yc+NvT9i+9TB5YL7E3XhD3aqqwLbLOlIjvlaEhWeMjoaGlaVaz7u2n6g4zAGcVG5/uocZ2QI7byppVE/8rpjBAs1zQr3A/ajvcgCQ3+3g+sy+3w6C1KmYJj3kyF14FhTDLWekAyX1VlEQCB1BUeB7lc3CuPftTDSRKLU/vOygvIdzLMJdsQu/98qjOawsKwEVSXtSrrLXTcyhHRKvkRhUOOD6z1WRl0UTmSrqnzGraEV737vDQrMzMyq06r3mlV6xnho19F4aH2pHgI0uJcFB7efPz7nxOKtlhoc1BiAb88+sDksRJd7/+4+32hSkFQ/2MfC+wwlryo9NXtgSbUnMBYZqQIW0PfoArFTY6La9mrhPpAZ5HLmj3H6xRGhSyLJGBoW+jDltI6pic6G7oBODfUOmUei+CeQ2JKYGfjMcXmndU1qmR2Wj8ytS7yK/J2SxWRGAgmUiGI0gv5nnoe+aHa20yOL54k9XZLSMin5sghcXzTxtLcNz5sfBUIF3sQzhwYUGR9UfNYx3OkeL0HOXQlcICC6cUFan/zIc+8GXHhxLd6NabTiZiTXdYRuAoJeIt1qNUeK0xvLNm08fHiT3eGXbS7NVjtPTw/nYUx6Ca8LaM9eZBfgNowfn47LvoAuliQP2vLAjuatyjlcC/hFfu9Surfcb9LUM/ZsyMFM=,iv:EgSXZvyWmcBxBkAe6asJ2B12FKaLQPy4tRAtCvkys3M=,tag:B0lyX7IRNHX1CqlvBZaSpg==,type:str]
openai_api_key: ENC[AES256_GCM,data:lH5Jf/xvtRRwuGYPM3g39J5DTQJowSKVqLtObgXRo+GOfpY/BKb46/R25rkWrOUv5pYK8PXmSm7obEkVBfoaYG0WufR6SzGH+R7hjrNgCzBA6g5pxmlE7CWPlPy6C6XqVgblL8aP2vD9qxJmIw8FYCLRgFHt5hK4d+Gd23BeBnkmPWIH23xyRFhCcb891CoiEEdXL5p1LNAOAW5ePmAyavc/Dlk=,iv:lWXy8/LlWeRVSect87/qsG2nOkmL5W7jpw/DVSnAbEs=,tag:n3pWUJ5uEMXtgt/kHG8J8w==,type:str]
mcp-brave-env: ENC[AES256_GCM,data:FND006AIjGjSkJqx12RVd8NnyDIhqdUBgZxucaAOFlnt7ZRYAHj4xQqgSJuFxg==,iv:Fn/663cGELKYQWg+Ok1uCtNCeIP7zZBJgxhhcsR/Q8M=,tag:v8K6JQ15CYwcLj7vSjyN6g==,type:str]
rustdesk-cloonar-key: ENC[AES256_GCM,data:nn1PKpOvhs3E1Lqtbx+W3oWon8+j74CrB4KuB+BqjfaHAaKdj+KMstYAv+0=,iv:UGjTZ9LauAALRMvJnqKkHYqGH6rjZMTZPQs0O7/aDd0=,tag:g6IZMCsE1dqZh3QYRuitzw==,type:str]
clicknload-proxy-config: ENC[AES256_GCM,data:lGoX0iItw21nFT6n5qZRddiz9O0KGjaktXzHamSBmpE7nZv0INhIic1etwrluOnv4n4+0pn6qGeqLcEYsN3S9zDDshdYgrxmPl1xwpVUkvCIA8MGMSg1rdLByYjMOA==,iv:F0sBov54Rk8te34n70s4pPitQXjCfrKQT1+SgQO4ZZk=,tag:x50kpNEr5hYipdIknRQ99A==,type:str]
epicenter_vpn_ca: ENC[AES256_GCM,data:qWq8Y2JRQIdEzVOKki8YmSMhpxFmFougQSJtGTaSgak2uP4MRzgrwpKGqDqhkPfqXeD1GSHRJNPe4plIv6//en0IEjV4vvupUrJuSp5cwmjhvbJLWWpUSQOhhDM/sN/ODDPLy+JucUoQRIt3bgrOoWRWro3cPuorGcFJfOedOy2tc7oTrpQBYNyx32kDfh3IHzuaasSFtCAnE2y5TVEXsLcMzkzvBIpTGzHUOG+9tn/nR5Ro7EodQKXfs11pL3mvr/iMlRX4QTSGYfl3pJE4O+Jssn1+/zDd0bNrSU1kKunDsuKDlv9Nkp0hIjpCzc55v74Jrda+UATB3f0muLLgULbsFA3JfaqqufLP/rgYjkFZ14qidjby55Z2+IkoH6U6et2jL1O6BcUaxYo7dbsE8kbNPdk4XPoV+5WYSOKOQrx0xXiW33fQnWq0R1x3k6YJ1oVO1CoxMLadbaAkjhoZeAP+VFviKHoX/GqMGlkox5KgdO4dUz4UcJon6F69wG/LzXf+gb1VBacqx1MltrdN+nUFNTowFor0AofUofWMM6xpn4Xy+gLy3AFQi2+3hkBmPbtgcWEWnTuekhixuPUrO8h7CwXMRgpiBBqeJTQVVoQ1puY/1Rw+K1KXY4QdRwd5laynkU4owvJtgHk1jogUIBpfAOtIq18gOznS1HhgH8s0Af0eU7lSAAPDfRoe5awydb9Wejpjed2LypMwtYE0qEC+tR0cq+NTYnINg9bcAwDz5iRSpKtGPmy8Xj320LAlH5eDyhcxQjF4ZHCtJ9/3QcpbBJoIwWlS2+R0fk4qOLq1/q4RqnP2aDc0CLd0MKx+tJs9yBZyMU8dLJtqTnd7z28odhrZ9E7PmJ/Ky2t7WsLNZF9lOWWbJ2og2Mxsu85HCmntQxjX8Jk17Eyl6jOl5NFnFEWMTPfSsaf3J5HcwffGV3RjdM/XAleHCoNP+ydM/hPra+HsFqoyMYqT/HuZPv6ZMLY1KogBy/17OdgO6Pava7kB717v6t9/eO2FH0LGKYrPUJBha8Yq7vUJFhpABO29vTJSdG6gfrRpPafgKjZig5z8BXNU+R03DiGrL9LdraFUFnu+HSF4YVXd0EGrVfQF7mw7KrH/TsAOc1KOtlHaXFkP/SgZ+etwyC48xCy1sgQi/7t2kozPtM+RcAQJMhF0DHGFQUWwj1HesHsKaOl/HdM+eU7DcMwN01is2lD1HUp63HC5OBItET374DcdqfVUBBjiOt3srd1OWuE+FkrqKpCaxLihu2dHP8SR3DYMlSIrGwy8U09Q3iIe1hD863HVOCcn3uQZHj+g1GOXpUytouUhE9EEC0THEaPNwygNQvSu9AmG+YnFaXn6ZWVokbvf4xfttSc9KUD50qK54gd7Aa32fvzsPH9O6gMtQ18wPmeCzTzVEMBFUO33BI38UKpmKB4/r5k6F53L5YOOvVsD6R5H/0ABoIjXPF8gFW2f8RkGuAH+8dOS3VdOWFvk7ZUQxa8QjMrg09n+khjZ4kPPz42W9uaRVQeXAWLhcNOBeT7U/pT23Z0M3Qfs+NK6JRXhIOj1Os77uSkLYVKuf8yfhbI+1J1/Y7WVe7/W3BkHi7SN7Unyt30QntY+FrAfbFb59aqNptkSlmDX0TbVTWxAeD7NGi/nBnZSJyE40iJ86YzqDjv2E/oS3BWRV023tfp8iljRKKD3lLinheKwaFoZE5s+h2MY1tGkO/LeZlRhxsBznouCinQoqxdxinNxCiSpP8tTxcZ1VW5W9/JxWwoRhTR/WyDVa38vVHaVMVmhCruMDCHlckHMU5qo1+5xNkDNM2kirADqIJ5CygRI+qc5CLVWqmmve/ICG5cGff3JvMTENnptNhkWIzHDemMukJpaPCF5pmH9mP6b,iv:HiTBKc+JD2NETPL4JYOfYCHjNmagZXscpWV0o1QXyfE=,tag:SM+tAq6NfBG5xDnrfqN96A==,type:str]
epicenter_vpn_cert: ENC[AES256_GCM,data:rjeAhg3/0eVfxryVw5ToSAo7IAlV2CPprM4uPPZxyy96fH2YyXLdcz4Pajn6XHRS69bfFJY3Vq0zJwI7t+RJR3lpCdg46fis5lcjlWx20WVPzbkmwhvGIf4JqZsoTKkAT8PKwMsjS2BGjIo5uq3Fw9u17szBkBdijDwgFXJ3lcQhXstF8lvbPLD6lgJPULwX82MoqTMh+WwVBYEihPpP0HOJJpDyZ0Tk/YasrNM0Dvdc7sQBaTTir4OefJeLMpM1U/dEyvKpiP0PjEa1tos7rPWuxfDb80oMTBQGrZE9Nh+Mg7moXurAktqImcbQNFLjsIjTd12zzXdFq1x7oKrNMNCMIi4J8rt47TxGth2vY/Cn1rclI68rcd97s1MCAYGUJ43zsjDpUQLsbcDTAGevsvvXyehT2hRhX+rvWKDsXgz15n8EWbv49yDyCPGAl/KRu/gfZpF4Xbfmg4rTCYFgMO20XLqGjZybdmpexsrni4s+1DsCzp5xi/j3PNWHQEmL873tWd7iapbHcJtjE8UzazdT4Q9/Zog/10iS7NFhCCEWodO0/qZtKWLDDipDstRAoGh6CAPV7hv4ECCI8X9BuMA3H3OOGRKCNTo9a0ipJEY6h8UhqXV+ZtJiqp3UjYU9QH6Ve52oOLQhuBDfTrhsgDGkchZ+AZpsjxQl8bxa8RmOXt/0sFSnR/u4aYNzJupeVk7abvHGnVRdWUrpqdPXVmLjk/yk1qgwxavW6mDWUh36h8xd70cGXqTxUXGb4gQeK/GGxr94XscB5yy/F2wtxc/9T14xQ/mOTG17S+oDCxtTAJNEoDwbmhlzwUKrCUm4Mi7fd/WFJeodBU9mvwomRCvI2mq1sp/1dkV5X1+5c+f00o5Bn+Yrx+QmZosby/wiV5i0c/4OqrueO571c8+FsenD/xVSoEY4q395A6yfwEbblRRA0y1KSF9DmFxLqW2Rokt47XLfKjV5Q3lrmiUJrkzBNrdd5cppLwH1YEoE0rPUCWEJHM3G6+62hcT/XRdN5Ky1BVSH5QplbxrGb0ojUf1MwsO8KepvQNwfXNdJx5k72eUOhLa24LD/Mh3IWHuwJB0fM/BulLxZWjaKFNWrhunH2wBHycTHrp9YuBuX7A3KLhuWS6aZuEHWxwcTO//MmGx0bfVwkd12Xoi9HCFWfVsBqJ4hhdS1i4IXBOqg4HhvAOr984/S7eOfkpqN8Qh2z/5ZyxZPkIWZT2/R7Zb+WdHCpS73P/GJwMXPO0ptBj6dJgHhlkM+GGePvY56zkj6u6e1FtUHZjVgwZmCNSoY9QExgCLnhS5A6duKFWDO3jUR0NVEyexQZ+WKpG8wHaKCqzaP5+IJ5ptLvH0eQ41uUHKovVsK5GkhRFiu6aYfvgpMb9VaB2npv+0UgDgFQYg8ryinfFMr8ZpzOQi4YlS0H6wXf2ty1ysuEwV73amhpX9sqdNtVvagixqmLGm6KicDQLcW65x0UB0Ea926SMG1FTH/6Hh1AbPyHRQCVqebK8gM7LmbzK+oR+Xc+TF/HrMEu4a6CJm9cc+Sq3GiWXUpxp+NkaXg6MmI6ES3xC8jonibg6BtPAgBq23Wb1v1peLtbmgXB5a1YCHqvpapbp/tLcGqp1NNt7DMj9kqMMnO+1asQLryK5Hux1F0rniRz1ZqfERj4FP2gPtMZnvEknePvdpMqHnkWDFtdYNoJnxvyehN7kbFKugQuI4MXyzjymM+U5kVfGanX1is5WUmTtablF/cPxI3u4xHGq/hs+UHHwwlYK3MkEWI1WESkMOgvBxMqypDDQtmOHvffuQqAfjr30CdUDz40IHhvosvg84W/ciV/CNheMY31XDlcvrM3u7+i/5jNSup5vFL8c2tWwh7MVgAwrtoSr3YmKiTOrD74RVTwyHUaz/GPAHXCKGlGsyyhj0sxLV/yaZabJE7CPdIT/iCqX8K5/q51XAhlZ2zC4BhDM9KwBlasI8RRez6Sb2e/B4LxuwK12b2c49fqz/O/dAKWG4GVEDr2xGIUNC/MQI7Yw8UwIXweAMDbpZ8o8mLaxoGsBkaZlC5NDnwctUHehARasST+r99zRNNMIi+F5XykpazmK6VFxkB38zBWdwCqFJqlJ7/Q0dKig5o0kNom7p1SI/ewKmyIX+ojGt0pLW3VkEpGg+C2bZvyGI6gLSCZ6BjLAVIEaHFbBgQyu4uMDPeboa08+JPTUPKj5r3GHLeMSI3N60puG2t1Fl60L6AihwJM+XyAmKlbAht7GFlNlvbcI+Rpy+3zVAk8qLziuftSMVBq1Fm34wyPd/0cTni4CFuKXydZwajjFMf2gl48j+bUc9Z,iv:jUlERMQxELOGGZBu9ZZ5Z3pIaNdpiV38BnSCfvkS5wg=,tag:k7I+eceH9Kuk45yHjV9EHA==,type:str]
epicenter_vpn_key: ENC[AES256_GCM,data:7soGqQhQgGN53fCb9CmF3+NlXoI6fcihnNPFNBYlNPpdg8Ww8mCZmAmKMR50HZ0/dxeveyi0YMuUPYqFYBBJxZHIEHvYe1Jzwq6/IZs5Glh1TcWHU/Uz7I5mY21GG6eH1ob1sxSF+QHDmTa5/+FiLqf2EsOW6fOkTiVO6fCWlCp81j+Xc7VWuBy0eSYaIohab0IeUDOJyY9Vj4xgwSULgVh/hywbSUcucGUFPDAoNFJ/B00eQgfjpPv7QLrv2F6CPBjj6rJSo/WVii0qhQJC2B0NZ9ZNbcvZbsMAkRIf3F2uXi2L9w7lAtIFsA+oKe+hr+Uft8kpB2qO+YY1n2enh75lCM62lZJKb2FRV5Pl1VuSfPP+Tjymv0kLJmFTCM6TCyArNQVSSFf3fAqo70dzAHVvIrHhP2DdW0E5tzHgTlD+M7R77T78reHjui1wiwL3brOx42tMzLYqIlwLNnh7JJIvyC7b2BuLOi0mjG1bvBg6f5sUiRl9jV+wdepdmHTwwgQxRp1swatzRP5/5qd+fJ0ldg4a6lG8R95LERvnyc90GyJzAcubNEI261n+g2J3DnnWI9ryfOuBSO7aoPU1yHK6fWpC4l9bZc1zYl6xdoWjJGw9awCipujK03V9iNLGwCk1u6O0ZBmDuPQGTVhVVK7rfSdi0fDpml+2pLTfzLg6FG7Ribx7F/B3UQ1X+h3JNpuqwvla1a0D8eEbi8f0p6LPVN3RfTmAngGQIGtqX5FrC6zceN30yy2qHOPLNzbB9nSvE78zCiyNLLFlywM+hTq9m1GpIqqtofDdZ/iOSQJYhI3D/sCFX+BUDOujAJfe7rTKZLo3ZfGc8OjnNLOqBzMZOCpONMgcWZnYxQIlIx7C26XrZxdYf9dprfquF2A4aaQNTqBP/K+p124piimxLaFx+aERxnjVOFC5DnL1tduvKEDagky4og3wls0Q27P/KY0qo7ILyOYKzaUGIjYH2lwHH+7CGHXNJO8PA44RKw1t9VEnHNBfFijEcOct6hHCQo3F83MLA4qFq2HWb3sEtWTyq8uJf5iNuMUy/kEHtm+IQ4NjMkXLZJ3Us2VvPYosZrK04BpXHftHknHoQhSVm80llRdxOb6KbFqFRZYxbxp+ODXam5/GLFS+W3MTC4cTgAP6Njz6N5WClPZqEoTiun1tVWEiwHNC6hPZfqYVtIkqCv0SQ9QO0iBR0Ss1DQTSJJrA6sT/+Mh5PPwaZeh871aQWg7uzczmZXjfL3HPVgcerEPrKEfES0lJ6NVXSW5rNjUOkyF7lZqbOQ7uVutZ7pOUYzj3VflZApCUj1rIUejORJ09FO+A6XhENztL548PKerHk0Y+t30rOHtrQkRo2BXDL6wm9AegPJge8b7sVeMdfoLP8DNn5eM+1ID2WeQKxwfGp4izxwFehe28xjGKR4p49ruzkG4kwmaKT9ZeO3qszLMVSNbduO7OEnU/EuFfaoaQL6L9LOV3p57cqOx80VKAlMwJd9hztXJAHWDlDLfBRFJsW4nNkOxETBLMucCanX+y4ByoEKanXaq2pdLssUW1nc4HMrHCXTi+Oo2d3HxKRedx/pbjeKJJVY0NP+BoWWrLDZa75efPuspc2fKWMzmiBjMALCq5EqsN8JzWrwZF1Kf6AxTRSSlXhp7TL20nnN5uZLtexOpjJH1p3F97qVF94bPaU0gZcxbIEKXcg9MULn89NknVVIINV1gvpj27sLCX6BLKugItgP68TGLJvUyKnuynx6ucDjLgC3RnQ73LFniHFktBSQipDQm8x97td+xc6++qiNDhidzfWweTl9Sz/O9cERmvbhfyTMXMk+jwB0pp3pmbpnGCg/Echll2/gQEiE4ugq1BnbGCq08C7jYnZVNzWEkaiBNRW6vTcBcNRkcJ047Xcj+zDNioph/zrNq7wshgh/aKmEsxN84LKSluyLzYkqYTXUy3FQUDvVhF28wzB9Hz2hd/FyVOC/COnbbFQdqA0/ynGJ4L60PlFekAN2LCVXc2BCR4HTpjIIPDDfJ/O/jKs+EV+oe7GOFPJ5WgmXoOCfBTfoXJzMWOxE1GNnYPsdLAuyH/5iSQnAFUtC86WLktny2KXXwW/CrLkpYDb5ZKDEHHhLCiwoqpe23ebi1AzADFr6U285MLSzbgfKdRmDr19b5w7AwncAbgXH/D7ySO08d0zLu1jtkFMXwADJxunvc4SSBtnpouvbsDmVmZuRKP7mj+DQ==,iv:IAxV9RV1hqq1Fn6e78a1Iv353mVZ1Qb/yFpzkeFtvjQ=,tag:deb0M9hJPqzsL0shaDJ1Pg==,type:str]
wg_private_key: ENC[AES256_GCM,data:XJ2dZINMd+gKlqdQtI9XZw7nQ5UIx0IWbYdj+HWIa4x/zERGPZy35EWcK4c=,iv:6YWnWwuHHw69S1gq4xrS3p0DXpF6lJt1lmZZ7NJ4uGU=,tag:gpgMkD/e2p7XOy7uacv1WA==,type:str]
wg_preshared_key: ENC[AES256_GCM,data:k7NdIMYTes35HKKCpDcPCCoGo3SdO5KlwB8C2EvSAJmRM7VFOfum6TYNae8=,iv:gbYR7OTOsIaFQtchYxblHcoj7dc9D5qz+N8F4+Ru9os=,tag:FfxMVal5j1593s/HHprlYg==,type:str]
wg-cloonar-key: ENC[AES256_GCM,data:lHJdTGPA+XexVKA3JCckUkGXQm+ev2p5VhPnHpsYfRiao+rr5+N3byoBw3I=,iv:q2djx79niGelafKNl03OBPfMAcIAyPhEqsiN0UUum3k=,tag:96CU7iCd+Dd1iAKmHWcEkw==,type:str]
cyberghost_user_pass: ENC[AES256_GCM,data:ogaoPZDUosjpoCVmiIrvSnVEcCYSUg==,iv:QS8HQbcv4t/Utv3RwVi2xS2mSvnr44z0YwaqKGHGXPk=,tag:bwh91qZDkE4N0So2dbd8iQ==,type:str]
cyberghost_ca: ENC[AES256_GCM,data:hLsCa+H7RYQio6J5O+6TqWE/Ug1URHBXrgl+WNqrBYJJDNFr1ibDE57+LAdPfSWDVISjkuadfvleIzkDIe1RSlfMVN5oFoIoSDhzm3t/CZlMUjoAOU6QsutrzM6/Obfh/B70SideuBbG3IPm//6bgQ0eiiKvYmR1vyYGGyK8tFm26t3WVLdMKUde2SGRUA/Iexmcejmy1lXm+320vA9YD1BfMeOqtRJMAnrvyNPMKkWNV2hK6E+BXxiWCQK12k1RBw1Y7Y2uLfdImAWHzM4S9XZpy/Jqdi3EcSjKIA7IRXjtQQ/aaeU7JkMlbfHCOs+NElcJWlwtvsgfloMCvvljFtzALPSPbqRkpD6VqiknDvS1bWBW/8Tzz16Z+DP0UPnlSJOiiqEbuhmC8a0v5DilH/MZroKHqIzySwtG80JvHDiAFsN+OborWITefaHCl/oaOjDwM6jT6O61GbqJbwUgiCVKRcCv0gKuDrl1n05XEejCAyTE8z6y5Oo6ULd3unBvr3tn7GO6nVzFWzGSb7WY5Hw8pY1/1uJP9xufkkhY/YdYvoi1xdE2P2x1CEF6c7jgEFB0K/T2I4BfxPGLve9Rn6O7jZQEALHxj0B+JR8EBf7frK4WweyBOLz2pXLctA0OM9kpdutzfzS5tODgsC66/FZsHVyuY8VWnv368V6vXPhJOFZDMeLawXrv2BjMRHiHxI9Q4fWPutoF/4l6LVLBV/Ci8QU+gJvVZuzAcBSYSJXL40GcKQnRG7U2WWgF5ChAUSdSDUMd/NXQU0YhqHoxOmXTwM//tHVv2fo8xy+x++zKW+91H3VxVWa8nBVdI1c7d/uifHhjf0fTUyTXdbVmEo+EM7P13Pt6vnr9RmnWA1ZPo7KBe3m0+OUslwL+TK2wrCP3TaxhRy6xcpZdNZUnLeByIn+ck6PJOVfl3bObOIcmrzx+KbX0D6IYAlMF4P90B+miYe2cw2XFDmtaLDzc2U9JyxtmsfW+TzQqSFgrQyGiIEUZ78l0DrIcCIhaZv374ItMpW4vExpYsZbjk6+Ard0ZhkKuV4bOWwh0kpa3cZ+1sKi/6fd1ChkrbjNryLCRDU+ByrxRq3RaKhffG/tiJ8d6XESkMHODy6CwFTEDsxCbVfguwKiu91cWm/2P8fc5d1PjrKcljboSGgs9CX8c7MzWsGiNzCMJSFUMqB+kdH8W3Wz8lZzmvxSQ9n/5SIbvEz8gmEBxcwCW7imLegigwySVyEKO/NVi6HwETKXSAG5rZQgLtzRkiLLJWAL6PluoDXOlH2y/TLrmYINncYe2+36z1mFxnNqNVMLLIvkPihP+fA2P2CU7BFMzZ+GP36B4QuoDvW/o9YKLHQvQqOeVWbEBXSmp3ve5iisWS2CxiCICIXTrRgeg8jjMpVppuHIdIFgar6S3/T/0Lz2BlVacA78n/NG9dy4IDtlfKFYw3MOH5J0p5xd9bOx0TcZlzrPEcIwnw3lDms3DWiFLdeX6eOrXTM7F3UTYqIDUVjKTfI/YCZPupTOXkmPcuMcPiyrsAg58IsREN6KEsbhXuUD49J5oJWhrr2UPkxLwb87jiELIvWr2XIWBvsdwTfs/J5jh1hYJ8Pis52inxcJdmyxsoBH8W16xMj6EfG24HUpGc42H4puAkCVkKsrF/k4RAZXsSwWT+zkOnoNyIgnwAURICZl6LlR9Bfw5veXqSztQLzc/GsJnQEQYap3cxNxO39oGUunYWYZYqUI9tIotNr7VLr8Y02cu77xRGk9e8EzSX6IS3KF/9p4PRao2Jr/ZPHPl/pCtb1yy6g72kV8ymLTtWlHV4pvZSl6W4AMPo/c6V3s1Rh83+04H5qjFX8mSV6ePTdrojfq/QUjaUAbrhYzKWVW9a8TfA/BakoywEnNaUzItfs+X0RWrTIqoGeHaDO7kst1DDi/0fTZSCwIEPOMGSaPI668/0mgCZ1Dp4joAM9TZPDJVeFLySaD606PXTR2NHO0FoAwN6+dNo7L8ZSuyPVfbQi4DfHNQt5rFlHsTP9Iotw40632XmrHnz2xmTH5gqFm+FeV2s0ZDVvDigz7b7OXGtJ1m85qBP1vfTaEoF2jrpA6OJbBWxa/oEET5uC7al2gSFkTHqcUlP1UMzC0WlqddH1Bm8Jsk6rIlVyrx6SQgZ86lOoS65U65oZJbaLB3LtJFsIlHEBCokqwUugvvNYcw22II85cql6A4n1U7nfdmNwy0+iAreKg7ZuPJcSLhLT5uc1VRm2pyLN2WF0RPSeg3T0kPKyGuVE6/9+EKFOLzCJ/ECI828saUJslcOInOUSBUG7PFvqpEkChcajPTtllIgtUVode7dezTXkuyhv2SdfImwV7SXI2Q5j35ApXYg6dmS1ny4u1Z667qoeWuecTH0cTSun74zCa/GrT27JB4MhPHXk6CCmZpiupTcHLyylfwtP09f8MRwpE7k67+6pBQpKCRwDFJAtgSQlP4nklqNUGSQxMqwSQUg3EzwiVqk246vGimlYELBn+riO2pzFj/I/49thuHtmAe/1mXq3rjUYEg/NFKZrcJWIlwd9rP/XYr0FbAX5V7GeYoYk3pOKQWusUiWWmtkRaE0YKYemwOyMCu0L2Omi6mFNF9bQoTrfQ3WID8PDHMyzPlWYViUnq/iB1scox9fMRZLmnu8O3318YOMR9O4/ipDYkgrClX1T0qu4m8u2ETQ7OSh2G2OeYOpUby47MG0VTHSXNYV0ey3rJVa42Crs0ixRWHdBJxHk3JxJ8mlR4voOECPl6Ydge9cXfaP9S5m9CXslSPdRt5azXihhAJGHnCYaHNVutecbVVe7EoI4+zi+blr1KxTrAHX84a9Jz9jpDL6OJJorwEgSYqzJP+EG/Vx9EU0787JSr/axF5NQVcaR+rMZqlh+S+cwt6waaYf9k5trdSrsHh0N5uTOzUjHOIDloDTGqgzwbHIx2XYw0tmHsNq+qUTRCnHmxaLhURyrTbFd7ygj7VWiFNpbDhKJOP1PJ8zxrBSdKfzE2AElc=,iv:n1d++hy58nH4kZHEyXrELMCdQ3botkc3tHUA/Czm6iw=,tag:Fcd9qGgOwqQ5uZGbbObhLg==,type:str]
cyberghost_cert: ENC[AES256_GCM,data:s9vDBZHY4Qq/i+er92w5q426t1xqoV/hXUNV/6JSEuT1yE7Welv2BIAmvRNriWESCgYO/IzHGARekwL8sflEumLBylkIsMV8ijk5VGkN+ppzOMPH33NYTxQa1r2H2cXLpePZTEpkIZ4cbaJe3LlIcpndFEgU3BF2pgAa8gF2whLwNNOYTy4BhK+ztMJKF8G7JCNOSiSQXPyvX7ybrjaf68u+q0mZYq6CHDhTjAmhpUvOkRw4ldZLhmG6Dut79MXkx5T/SoDtPVEwA0FC1wd6DuM3GiIvi9mtLJP09zY5sBvv9YW+YMcQLzCb7lg+EH7CddaLBjYrQPlkL+0T00lpYzXyrnJQuXxYRA5iPpmxpWQ+4SF+95Bfm9NUQ/i+UUkkjWxrJ8L4QlgJcwv7EQM+aR0kCyexjrbiv2JSI1OBtQP59ugCrOCPSb5BkbVTZu9mEg6PT1jCqp+3hPO709dNkugUni/xybdGY3syH51EjfIRanrBublCBEQnYJVBnF0U8lzTehNfcEvkiYV+x+RivE+OE3v3dEIPQ4LjuzWGUA+8KmK+MqQaP9buFth5eP/XtvbWIFxvvT4y6jhz1TlI2LGjLNUANr0Y5vVa9LdbEq3ao79iiNowPgPx02VNy68gUhcLcyjnCxFnDxtFp/03aHrsUYUP8rmqNRbtvfTSqP/CWLl1C9W7vpZPTUk7YrfUVH6DBtFjw2EyGnB+qAflbBDkLS4zWZNk1RYSssF/P1TUxys6lSlRU5CXw/2RxJN8c4mRTv1QP+rkoEGibFwlLr2aGCZqdU7aDBHBbMO8HZpMkeo9rne/VkbqNbiMjuUnizsdPxSSv/btJ7DLobD0ujehr/B+5MH6x5j4u8t3PICp6Wnu+DS6yDa0K5o5MGfymoc2KqZiWAeV5kvO3JeUqqBuQnO2ufuY2bpmpXjDa8HT6TZLxWAHbFMvV0F/g3lk/jdiY8xj/G5/x0O+LZYnGQm/JJnIV1/lAhK14leKs0kphOrZuTK8afSE/ybE+1B7B+YxLKA6ACnYf3WrJOOQT7Ghr+iinl1flcD3AaY0OkoVXaKwSRbup4pxJ6IvZweYPvLHE/oTh9kp56G4X6rc3OCqBPQB068exc+M3awrtAI3CBZy94c1u2Wu8Qv1ebUmMRtDO1o2N3g6Pa/6Yr5Aa/pbrOKZAA+WRr8Tad9Pr+PUszhPO9u9D1QVRJkY0LmDN/UG8gH8idaHBP+/SH16YDMYHYR1lYjGMAUY3437sAyJdRWtLiyyE7TAEwiEsjUH76hXgAAbovLHrwNqVfTu5ZmoaJbnWz1sn4U1gu0nfouNNypgXV+CbeQmpD59PHLGdBGcDbusVsM/sbfFiMJM1mK835t2mV/wHsKi9itXKiBaYNXk3qhFTovl0cr3PwygNy07w8N+RadwsneHJwxHWOpkV6bfE6fFPuzadkc925mu+kbr67ozEguSTcNfvttn3aVCbheYUHVPGjBhn295vV38EPmCkV2F4nDzWzabsxXIB/P+quDtkAIVBBj43GD7GtnhqKAEAXw8oJvvQhqd4yYFmHC0yQnhCv/cYoshO9StTdE+bo9TfAQ8c2HBJkloXNs98B5kb62d7eKjw8tJtD4dnsq3HPuQEOImhGlsL6arT8U9LtBBAqjkYy1YE7H2ySQihchqqdNLe57On4S1x0HuGfx3LybUkhY8oYcBU0sWmF/d0k6/wSnQfE72j87Oe+CG5kCI8jPKIczo1tx3uWhBlCw48tJ+CI7fCEpMwECOPxl1AjhE5wEQocdr3xVU2f2Ufh3O4QS+Vve1axHSuVwG7sPDrRydqaiwXNYO2RpYwsW0AYhuySDi/ezBFHrrl6tvGfixSWscn4uk7xECDb6IBW/9BZs27M9w/VdDD0HqS5jm8rlr80Gtlq1yziFezWElDJ8ZaMPmzSzuJ5uUK4/6uao/3bBJ71JLrTaJZsicZdTDDJxQc9mA1RQZBgYo/lYvFN7UrnS+RQHtOvCuwMGWv6IwkYJBfllbJIEZ54eZmruzjtt5xyhOtQbrp8lnhHm4ft6p7TjUigfPuuKerAQMDwsZnkl/KNdyqdZmN7FjsTiNwBf5wr7NEWHobaW8+pUD97j8unqifHC5HHee0ZdX7R3IP3qP3j1TmHeCoyHX2B38on7s4T0Yg/ZTT159UyC/bXJh4nAeNq4TgfDURZ+lxR1wv6BIszLkt7gpQa965rjlZguFxguMbDqjCDRX1DgoY8kgMoS7OcCjwrfwdrbpyARS6IBuCD8WJTXqhCHNcgSmvrK6fB60WE3BHdP69uIdrhAVXXW6uJwC4MwOXsGllq/Pzl9zPuGDLSDEjn/aqDWs+RPK5eCuczMBS0SMuz7X18cuJ7+c4XDXDiNaZkjFLiajfd/Y5ODXxkIKlMWohnl4eGeHhxbrJZJWp0SOmQ9pl59HwFqIK4sgwZPx1md/iGE8T5eqr0H+gdTYwBMuqvu8R38O/t10KotLYgF9MgD8aXhWuGNYHEiIfKSIIZaoOOmcS4SWmKrI+fk31o2YBPt97W9oCalEeikMFt+iCOeNm/tmvg3bORNo5GNPCCk+uPhXvVems8fe2xekUkrH5Z8+auxMQE4QyzR5KoiJgHRMK3Xa4XGo6X1NyJp2rNL0cQotJHQHmKThpAZ0q62evO0nhRJW658NefW91Pc/oBi/p/HOjVOrJWdCvid9pQeTc6GJqyuR3M/twccfZK8YawJ7i25KByX8jeQxdXl3qoYhySJI2SIi3y79qmnLeJ1u+PKIHRc8CkUSgWumFtrOFsTjznsIqPUs5kTRImTP964go5HBP87bRbfnBJ07MD4pqtV7SZc/5Sr6MmdMTwkGyTbG5/kg6Zook9pCrSww9YQodrWhTOtk5xZnFtxB0zucF1SpWOk5UjaqB/C3JjobEUrFCmeQRIQoeNwnDD47N/HTEhufngp9bspwswjuBH3fm9rK/o9PBLvz9PDKNGO6MbV/8pGL/SXOZhndRsMMeGdxkblhgWjClhm7BBqZOXvJHVxsRa67v2GdGXztAHm6ngDk/YlioDgh5+VQdIwm57Sn2GALKUspAeAaidQJWEPpSzSO0BXPgrxHbp3zIMRJ9NhM0Ynx7DIkv36L6Mgmky8Enh5H1mUUAA==,iv:YokQRmSP1F43BhS51wOry5iiQa3f78Rvs50STxeyphY=,tag:k+ZxxVSmurIr2PiJJIoFjQ==,type:str]
cyberghost_key: ENC[AES256_GCM,data:756vFyRjKUgh2mZYadTUaxGA5KwAe7NriRYGS59e5a0uWxPLe5VNeYV01V4z6nHgWVolsEmTDglsLwRZnMwkHhfBbRM4D3JU5py6t0ANznwclOdTy/5vpFML5uujSv3MsloqUXmpR0Bmt0QZRSfa0GNKzXI+q3HZoiQrlDW11oInBVH5wg3Pi5eemAb5f/+wJ7m1i6Je7AaHAwOwPDIumUQc8OzgxJB/R1CFEXg4UgQ7Kkd0fqiVyzxNm/G40+07LV8hqenA/qE6KgdGjR4hE3Jj5BCeSnYJsQ4dIjpDE0s5etxWAg/apZMQUvnvp626ZXhGhzbzOyOYVUaLML3hrCnIYYz6ipdpQCXEtK+Elx/fXz4R+fkmqTuASqRVenEwDwQBl8zGBeyURYP29DqFJtIhDrmLRJLlU6hI3v4PpZaInQbVy10LQmvMX2M1zeW7hL84z9UBW4Gr8i4SzDc6B2xypLCGdUdmThW9jDeQEEkNIbAF3W0LNDZFghxsDeTnIh7fiyrUPWvCJtY92kr+L2v/4bkuJbyC6Ag4dEVnpfdg58qJTW/z7EgqaG/gaB1tWPG8bwXNJeD7IJWLSrTDPG0XJkbQbFH5Ihar8kw+bIUa+0SH/IYVOGzcYkVsvmXEHp5x4akH0bekd3bA+MsRvQc858KAaUcaStQQLYYeWH8azQrGtWdfqlYhT8uqYQk35G2Uti38hTXeiUmm/KkEGUTmoDrdvYRF0C3E6pkxBwcZa0CTvF1oeXptUz8Uk+xrLC+svp8C9fLNb3eWJQ0fgwKiM5t37mJwDw4uH6qhA9ujshrZhATdkSHGT3ZfDYrgBnM1yEAtf591OzKzMsMXTKZmEx4HaVhpTFBk1gi7WF5lFm5NYYFcTN5btDt7CUZDvYZKGYyxWJukg797sR5SLdcjNTNFNdKFJHWfRgTfojOE5KIXZ5GN5TekAL1fE8890zGRsb2lVJF6Nr8aCuluMhZvghPu5Qn554mxaeAx8TVLjSikjgFDAMjca1bhv+5d2CemHx1K4zBrEPBtdttCl4wnJjwLBePIHj5qxzQXsXdSvCxeP7y3KwV3pweGcuNzXZrHgynIAx7NVw9abrtyftIEaUzQvBl9UFQYJDHEsYO5VHISlLtpbN+1TJpOGP3fJwtMfCHAtfvFxzg4O6B8esIl2VSYeA/bNbaYBL2RsA3XPmCwPf3VBfyI/At2DXbHUFIzcgmsKTs7q5fkZUQgCGHvf+eobiaWGRuFDrUulpeQfAE/KpCkkO/dBgUDfWaeoJE46KK9Yo901eIWycPwpTCNtuA+7esjnZpjmV/hyOaF2bi9XTbHKeM+mQRZ96LepyCr1cUhAblDP+F6tI+TdUyRv7iV7sPcikV7p9EOHS9nw6miPTDGNBUKCVXHnWH/SHkMnUMikDbu/FvzTJwnULucaEbHHpFt31xOqWM3T4KdyZiKIQnHUvNQEQCTQwr1u1uj6GPqW/xTKKjIKsd4Gxzws4GsEvr6hE23fy6eHwqab/RvGLBMZkUpvIAqwN1otkL1H3WbkiaYTeaIucuB/QxQu1xigmSrmfW0sv5qFmhRy1Ry+mIvjXs6IG3TYWb31kcLy5xmJRssdhgHSPCnPqHLzetNxMyZ7pd+X/4otlypzyLjuY8BZWp3wst2HXHzq9eqmeclecsCXlVvKOEmIW8Vdd31bJbGeczBgU433ZPmlAmcGO0okFzHsMnBBopHr5cU/18xitGwKGcC6rM0fpnGGQ8+4QUYjlUOl1kms0B7hqlrTOkv7gKEMazChuuB9Mpgw6xmD2cFS7ZW68QbtxUvsXGAOkRMIOpzKviV1aERabCIIccuFyNAdNwgsHopblkdvg5EIE2MH3tRTS2uaJsixrZ1xTDjLql7J2n0FqM1D1iTRK8moi8NFrFWt/ahiCZgj9sQ7HNFU1EdmA11G1F4AFkFHiOQHzHu2k5SiOmN2uY4TO5dlooJefud9aiuGGqk/uX2YiexrYi2XukLAFg9cToG48WOS8HJMKziyxBG5c+bn3uWrgFOC0bqJ7+be7rZGINdxMQXz9xJj3cPayRZFkhS6EP4kBLnJ6OhTR3xBeDNUC3F4QZIqnkEEAT0wHQ6TbgkZpkKgGP2Scs37zb1Q8/ubqniwdg9RdQbCvNOQiyDsX14yTXSAUpJUhF1GGPlTXVuO0gXO0tLxu/SBj0SdZciNyKRP8tDTZYB7/mU35t0v1ZgU47j6HKKrNXR10Ioewmf+ggrKTXzyKbgsBgZpYX8VZVb63rMsOFBQWIsaypiEGmNd9o5wF36/R5IBb8yfHmSdsTbQ9PbY9Bf6BHa2oc8oUW9QzQoUdpCLmnfmX0NIzykhyxFSnL+t1vR6cezPdqEqu3FfIqGJlCkhROKnNTXhQEz0j7BjHoDJjNIBk5kUohR5EsTB1CPUVriHdVtXbpfrLDDgbl/NNOCyEcu4cUHDt1BX2gtZSWd//EzrrYzNgD7jHUlM7VpfhiX1TWnexEGe6VMdGzxVNYyNOHaK7mpL0E5y0tBcJPym1MuYHM3nx7D2RmF6wd4P11qaVHp7qhQvYzcAikjQmk1QeHdxV2Bzva8ZM59N+DTuMQG+G76LH1XkYwHTl7S6ipZeKWaSzCKwkzCUvwHFUBGQqe8xT66ILoqhBO6ECooxbSg2DHP8lPO+yCmuFaVT2yS3j6BVGKiKKKhhKXJqmBAq3SJpKNCag+jBEyB0xjpNNi0NKTN6n1TNhYnsyGIMwK141/8T+D95lKt82smF6KgizrYB/HjQmc8gDJolf1+robTOFV0oqg0vNuLA8iVw1I5b1wkbGwkh5P9//Mxdpi4dVT5zXJwmAzgHNylsNU9IGD7AbQdc50PptILxbdQIRxcVK5+B14iysYMOsnOIOEysp+f24eGx806HTWUBtHjNZFo5iOKMmNgbwy0u3HGL2019bdmwc4gOtRMXLNMKSWHuNeHPbjd82xGoBkgFwnYQPdd12JKOrZTF4sgFfcSRkabd1L0cK+Qac+L0m9pGSCQiIP/uqZPOZtYS49zXiRdIj/TL29dMSm05tsPi+q8qAj9eqg6Tpodnpp4v9lY6RscY7Oj+qYvzxo9ZX0a0YhljE2G2hduip+Fmy5WWqYI8c4l08eecQgBgl7qr/BfCQdkWuM+XQEn+cUuOqGMiCPUnGGO3t/Cs5BjH2jvsIA7p7U+wI/1WkIEH0c3pEfNp32kvL9gIrK7uriERh29Qt+pYFX8m8lsMn8F5VOl4KKhvG3JSzsa/HvyE9PzCQ9Hui5vVqPIQnc66Fw+ra66KQ7GhiRYHfl2cqSR7PSacG1SDdUToFsBpY7LxFBkmJtV5Y6BzTKMKKGMwJ88QKv+2OQe+1vgMhKejUztbLCYUG5lhDmGVPadpQTfwjwImSh/3HAV8zWxI+nqlTCo23ojjGJcqrvK6+7IxMHL/xNYkYwmODg5+q4Fq00/qKomq4U0xUJyoThN3E+pgKoEyWJE0WeJod3EVHw6gl6/XaA/JaDCtzJ+DTG9RityVuEk8DP2u0I4zEg5KpFEOz1h485Gk5xcqAARR3oWs3KpG6mQ3j2zZEckFqpkXvZNFlzjV9tCVyOd8VDx6kypJnm70U1bSEjjBnHw8FREtusT4R1FCRKmuNMyYFHwz08tY8E9kQl3loUuXXxnLS7N8cpeibcRLAPGMIO6MBzYZb6ra3Ttkgqzk1bSY5Er/1rrKq+0HRSBYUkiCsbRKyYPOJ2mBTunu1ah8T5Pc34+x9IKhKPfl2wuaUDHEyY05JXkIs+9eacr+iCZIp2VObkM62KRPA7UZq+57mhJ8KzNu0mXTIMGD8qS1ozBk9JC4nP+AGFoYAVJ10cOfWXbt9lIiAB9oTVQ9IKiw3rehedOirLitmBYKaMIYfG01LDu+4mL6IdTa4SsVkxfSxuHFUylfHixbAQT/m3qZtb/qqX+GvIH+awhGvWG5Y63U9lZvvCl4405vRuxmnQ++fMpv0DHgGj8sQnzIJJ6u0qscxG7MkvKND4F0Pdk+aeiJQaE8Ak7BPdUStTXoqhE3znFbTw+CR1d79rzkAk0OPMbnN3KDd0ZuercIemCkpstE7apIaayUYPkgDgPp2nKEqlnKCp1tz8NRDvf6oU1V43LLE1atMkXmHsG7lzH6oLVdKvlGtl2Hf4kJaxVuJtqdFHiAhZF0roKW+S/W2yXjRgr3zQmEiowNT4VCljwm30OC8GpwsvsCX0RoSrTFKeVq8eOIs6mIMul66zLb4CRJtR9/XHaKMTqf6aMhnsVqhuIkriHdsOC0Bn6+pYVTwy9ck1DidN46VwZ+avybsxXjxZrxCpkwiirso1yjicLoMjiLe0J5gjElOw=,iv:LPskqYo7V7SMKD8HdEXDNwxyiLFLaLr5AdrU5x53R4Q=,tag:zhEYACY4xhl0ba+dBUBT1A==,type:str]
openai_api_key: ENC[AES256_GCM,data:Z5AiYIRQoFSmjErwgJ7mxkxmp5BVOgVy72xwag+PJeRiQAddgNMeeqOh1ka0nP/HLPnbbWgSBgzdXxD+Kx4m6dX3W2AtzO0QE68XDyuM+PKts2pUSDYDmFSWZ7FFlQSQrpuHgnit1xjorpQqRjgVkHXgNObYGvs1wUZwhfUg4zPd9UdTU7daXcUdJ1c9t5G6FuJLMNF3gmqr6j7hMYXPcCGrx18=,iv:SMy/19Jw1CX9OYEQ3VABisZ61fYyVVbGzgeIwlqdtRs=,tag:oakwiviNCiu5jWIwuAQP6Q==,type:str]
mcp-brave-env: ENC[AES256_GCM,data:JAMYqb9rOYDLM8y8HABGQIvEGZUUKWt/iRJXwLZ/UftHd5iMPLDAHDcRva1MpQ==,iv:wFWJr74H6nX2nOaCUWHdeQkjBDYTEltxE84BTQfqy7I=,tag:cAj9Cjjo9WBVot2rklRWZQ==,type:str]
rustdesk-cloonar-key: ENC[AES256_GCM,data:genBO0paccI1pcH8//X8q+88yBeBFfgEd8jKmglEHbvnf2f9DDxfWVrHlX8=,iv:FEHkJ2wPBAKZFhoRRBbLzjkv28DRDJ4npBkTGVEK6l4=,tag:hx9FPzlyDf96BuMhrEXLEQ==,type:str]
sops:
age:
- recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYWRBbk1wckFYbkZxQllS
T09LUEljM0VKbUw2cW5hLys1OUZZdFBBSXlnClRvc3YyRFpaQW9GOTVjR1dpdU1Q
TWVsYmwyZ3Nxb29HZVdTSXhmV3F2MWMKLS0tIGNZM0cyWmRiMUNFUkhVUkJhUjRR
SHpCTVR6VW9pdzFTMDBtWkxxY2VIWmMKrReAwG9+6W/R1AoUr8JFw2QQ9WZ+e+Pn
wuTlcKayDrNHuM1ldW6BEYQAV+8Z4Nhbj1ygo+2tqOsXm2YL6uzlBA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeDBlZ00wSDkxaVc1K3Qr
aGt2YXlHdXJ5UXNhM3R4dnRQT2ZiNGdvcmtNCmxmdDZYQWt6NktVdGNwQjlUOEZG
My9mUHFBT3lWOFc0N0JNcWh2dm00a0kKLS0tIFhud215VVA1SWVFdVZDZHZjY3ZK
ektUZVQ0aTVKRUFnQWUyUUtzYUs5QkUKkLJ2e2+a3VYcVepB2QIrD4Dsv/Vw0WiV
ZXqudx8UqY4xbsYaWehEVrIBIaQ/cLqVP+0YKaS6CFvIWHhP+lu/2Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCYk9zVTZUUUl3YWJobFNu
bndaSGJyTWdoOWxUZHZYVDNMTjdkQVdyaFY4ClFEUjZuaTJRdVdlcEU5UFIzbmlC
OE44MFhLOGh4ZkJmeFl1QlNCM05kYVkKLS0tIFNCWnJhMFJ3MG1hKzZVRXlpODl5
R1dpWnZKNHR4RERSdm5OclI1SncvYkUKBDZKeh6xlTn3tRnZOCD6oe2uFP1NeQe9
b7JuigPRPnhah0rWZ6jPjnk38Jp6z/I1Oqh5UJ94H4KNi/h3HKqMSw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4R1I0RjBxUWdrelAwY1Nt
Qjk2UXRqVS91MHhDY0xFaVR4THFLVXM2MGhJCmNaeHhwQ0I4bGNsMi9ySi9YMkg1
NWVrb0pKN0FaZ3QxUkJSSDd0VWQ4M2MKLS0tIHIwYnEvYVhONDhGazZ2ekJ3TnVx
WE44dU43QmxPTncycHVGNHNlTG83MU0KQPJWz3YF8RXwxp8SUFRuo39NN/2tSzw2
bMuv5JWSI8i3TNiWmOELF/Lt34Z4p5yZZ7OA8mfx1bbTsZOJ35I0LA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTkdSM3hoTWdlcE9McDFt
engvOU5hZUtKaVZjUEFnT0huNWpMWnBjUFZnClZxZ1JrMThrT2kyejFkUnlUVUhU
bVhTNUovM0ZRZVRRemRsNml2RXcrNk0KLS0tIDZWYWJUTHlXWUFMcE82YlZBby9E
clM4RXI2V1pIRVZNeWdaM24xZlFJSjQKY1+Nw3X0FynI6BhhLE5caUpDENqa6S6d
HMRhiL7SIZQrmkdIeCSikjRCkvqBFIgn7sff3S+7neYxgGkFp1nzGg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcUFXVi8yOTBWWVhLbjZ4
VU9YazRzWW8zTmNzalArcVNtQXpLdVJ0U2kwCnY0ci9nSE5qZTZpSk93MlNpR2pp
WGVENTdWbHUrdTN0K1ZHaTZEUkdpemcKLS0tIFhseFdlL3BpZHFQbE0rNlo3c1dO
SmtzUnk3V0pCakpXcmhvZWVTWURKK3MKuB/3RDvEZh1o7WHmJHFh5njBdjICO34G
o8KdfkLcAwTnSbOy0mEVLhQjLayhRq/ifMWwJfN4/MUZo1cSBwO+iQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-05T16:28:03Z"
mac: ENC[AES256_GCM,data:NNYwveO78Q4cWOPPt3Pyqh6AtbfRj/ax6D4t2KlVXWSLzKTUZKKaULXGY5PBp/jI2pyhPp5yEMhEyjRPWC8Xhvxjv+NLb6KltgaMfzIBS/jfSNk3dcYx6i8Y2oSG1efLJrRMc2Q/uACeztyivtjV9A7JCrEtb84Wb9HzkI4nZVs=,iv:Q8cTw+/RMJ3WHrkB9lyaAyI2K3O1ZhDnAMUYMJ4JMRk=,tag:JvrLiaKKYXiOmud4oZZZ1w==,type:str]
lastmodified: "2025-12-07T23:35:10Z"
mac: ENC[AES256_GCM,data:5tRkzTUeiKf3WQBFJZBBCa3vnPGVLspbCF/bf+rQEGuQ0ehA5uZXLlc3nBlC3fBqQh3JQUyVw1xcqYJc8Ziu1a5pcG28Mdls6IWr8JOzh+h2fAgqWbn9UGqEU9fNJE0aSzHSptpKA5fqgJYqmb3voz8tFn3jMNrPsGenHFn20C0=,iv:s6lOchFabWnyW2gkoYaXBhOkJyhhXyh2ZbnFTwj83bs=,tag:HosULSsgllcEzoBifQLYSA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.11.0

2
hosts/nb/users/default.nix
View File

@@ -1,6 +1,6 @@
{ config, pkgs, ... }:
let
home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-24.11.tar.gz";
home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz";
in

36
hosts/nb/users/dominik.nix
View File

@@ -7,6 +7,8 @@ let
config = { allowUnfree = true; };
};
clicknload-proxy = pkgs.callPackage ../utils/pkgs/clicknload-proxy {};
thunderbirdSettings = {
"extensions.activeThemeID" = "thunderbird-compact-dark@mozilla.org";
"browser.theme.content-theme" = 0;
@@ -135,11 +137,11 @@ let
{ name = "q"; value = "{searchTerms}"; }
];
}];
iconUpdateURL = "https://perplexity.ai/favicon.ico";
icon = "https://perplexity.ai/favicon.ico";
definedAliases = [ "@perplexity" ];
};
"Google".metaData.hidden = true;
"Bing".metaData.hidden = true;
"google".metaData.hidden = true;
"bing".metaData.hidden = true;
};
};
@@ -160,6 +162,9 @@ in
sops.secrets.openai_api_key = {
owner = "dominik";
};
sops.secrets.clicknload-proxy-config = {
owner = "dominik";
};
programs.fuse.userAllowOther = true;
programs.zsh = {
@@ -172,7 +177,7 @@ in
home-manager.users.dominik = { lib, pkgs, ... }: {
# imports = [ "${impermanence}/home-manager.nix" ];
/* The home.stateVersion option does not have a default and must be set */
home.stateVersion = "24.05";
home.stateVersion = "25.05";
home.enableNixpkgsReleaseCheck = false;
home.sessionVariables = {
MOZ_ENABLE_WAYLAND = "1";
@@ -228,9 +233,9 @@ in
Restart = "always";
};
};
pyload-tunnel = {
clicknload-proxy = {
Unit = {
Description = "SSH tunnel for pyLoad Click'n'Load";
Description = "Click'n'Load proxy for pyLoad";
After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
};
@@ -238,7 +243,7 @@ in
WantedBy = [ "graphical-session.target" ];
};
Service = {
ExecStart = "${pkgs.openssh}/bin/ssh -N -L 9666:10.42.97.11:9666 -o ServerAliveInterval=60 -o ServerAliveCountMax=3 root@fw.cloonar.com";
ExecStart = "${clicknload-proxy}/bin/clicknload-proxy --config ${config.sops.secrets.clicknload-proxy-config.path}";
Restart = "always";
RestartSec = "10s";
};
@@ -301,26 +306,23 @@ in
programs.git = {
enable = true;
lfs.enable = true;
package = pkgs.gitAndTools.gitFull;
userName = "Dominik Polakovics";
userEmail = "dominik.polakovics@cloonar.com";
package = pkgs.gitFull;
# signing = {
# key = "dominik.polakovics@cloonar.com";
# signByDefault = false;
# };
iniContent = {
settings = {
user.name = "Dominik Polakovics";
user.email = "dominik.polakovics@cloonar.com";
# Branch with most recent change comes first
branch.sort = "-committerdate";
# Remember and auto-resolve merge conflicts
# https://git-scm.com/book/en/v2/Git-Tools-Rerere
rerere.enabled = true;
};
extraConfig = {
"url.gitea@git.cloonar.com:" = {
"url \"gitea@git.cloonar.com:\"" = {
insteadOf = "https://git.cloonar.com/";
};
};
};
programs.thunderbird = {
@@ -525,7 +527,7 @@ in
settings = firefoxSettings;
# userChrome = firefoxUserChrome;
search = firefoxSearchSettings;
extensions = firefoxExtensions;
extensions.packages = firefoxExtensions;
};
social = {
id = 1;
@@ -560,7 +562,7 @@ in
id = 3;
};
};
extensions = firefoxExtensions;
extensions.packages = firefoxExtensions;
};
};
};

2
hosts/web-arm/channel
View File

@@ -1 +1 @@
https://channels.nixos.org/nixos-25.05
https://channels.nixos.org/nixos-25.11

2
hosts/web-arm/configuration.nix
View File

@@ -63,7 +63,7 @@
time.timeZone = "Europe/Vienna";
services.logind.extraConfig = "RuntimeDirectorySize=2G";
services.logind.settings.Login.RuntimeDirectorySize = "2G";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.defaultSopsFile = ./secrets.yaml;

2
hosts/web-arm/modules/grafana/alerting/service/dovecot_down.nix
View File

@@ -15,7 +15,7 @@
datasourceUid = "vm-datasource-uid";
model = {
editorMode = "code";
expr = "node_systemd_unit_state{state=\"active\", name=\"dovecot2.service\"} OR on() vector(0)";
expr = "node_systemd_unit_state{state=\"active\", name=\"dovecot.service\"} OR on() vector(0)";
hide = false;
intervalMs = 1000;
legendFormat = "__auto";

17
hosts/web-arm/modules/grafana/alerting/storage/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{ lib, pkgs, config, ... }:
let
smartAlertRules = (import ./smart_alerts.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
raidAlertRules = (import ./raid_alerts.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
allStorageRules = smartAlertRules ++ raidAlertRules;
in
{
services.grafana.provision.alerting.rules.settings.groups = [
{
name = "Storage Alerts";
folder = "Storage Alerts";
interval = "5m"; # Check every 5 minutes (metrics collected every 20 min)
rules = allStorageRules;
}
];
}

102
hosts/web-arm/modules/grafana/alerting/storage/raid_alerts.nix Normal file
View File

@@ -0,0 +1,102 @@
{ lib, pkgs, config, ... }:
{
grafanaAlertRuleDefinitions = [
# RAID array degraded - critical
{
uid = "raid-array-degraded-uid";
title = "RaidArrayDegraded";
condition = "D";
data = [
{
refId = "A";
datasourceUid = "vm-datasource-uid";
relativeTimeRange = { from = 300; to = 0; };
model = {
expr = ''mdadm_array_state == 0'';
instant = false;
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "D";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$C == 0";
};
}
];
for = "0s";
noDataState = "NoData";
execErrState = "Error";
annotations = {
summary = "RAID array {{ $labels.array }} is degraded";
description = ''
RAID array {{ $labels.array }} on {{ $labels.instance }} is in state "{{ $labels.state }}".
The array is not in a healthy state. Check for failed disks immediately!
'';
};
labels = {
severity = "critical";
category = "storage";
};
}
# RAID missing devices - critical
{
uid = "raid-missing-devices-uid";
title = "RaidMissingDevices";
condition = "D";
data = [
{
refId = "A";
datasourceUid = "vm-datasource-uid";
relativeTimeRange = { from = 300; to = 0; };
model = {
expr = ''mdadm_array_devices_active < mdadm_array_devices_total'';
instant = false;
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "D";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$C > 0";
};
}
];
for = "0s";
noDataState = "NoData";
execErrState = "Error";
annotations = {
summary = "RAID array {{ $labels.array }} has missing devices";
description = ''
RAID array {{ $labels.array }} on {{ $labels.instance }} has fewer active devices than expected.
A disk may have failed or been removed. Check array status immediately!
'';
};
labels = {
severity = "critical";
category = "storage";
};
}
];
}

298
hosts/web-arm/modules/grafana/alerting/storage/smart_alerts.nix Normal file
View File

@@ -0,0 +1,298 @@
{ lib, pkgs, config, ... }:
{
grafanaAlertRuleDefinitions = [
# S.M.A.R.T. overall health failed - critical
{
uid = "smart-health-failed-uid";
title = "DiskSmartHealthFailed";
condition = "D";
data = [
{
refId = "A";
datasourceUid = "vm-datasource-uid";
relativeTimeRange = { from = 300; to = 0; };
model = {
expr = ''smart_health_passed == 0'';
instant = false;
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "D";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$C == 0";
};
}
];
for = "0s";
noDataState = "NoData";
execErrState = "Error";
annotations = {
summary = "S.M.A.R.T. health check FAILED on {{ $labels.device }}";
description = ''
Disk {{ $labels.device }} ({{ $labels.serial }}) on {{ $labels.instance }} has failed its S.M.A.R.T. health check.
This indicates imminent disk failure. Replace the disk immediately!
'';
};
labels = {
severity = "critical";
category = "storage";
};
}
# Reallocated sectors - warning (any count > 0 is concerning)
{
uid = "smart-reallocated-sectors-uid";
title = "DiskReallocatedSectors";
condition = "D";
data = [
{
refId = "A";
datasourceUid = "vm-datasource-uid";
relativeTimeRange = { from = 300; to = 0; };
model = {
expr = ''smart_reallocated_sector_ct > 0'';
instant = false;
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "D";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$C > 0";
};
}
];
for = "0s";
noDataState = "NoData";
execErrState = "Error";
annotations = {
summary = "Reallocated sectors detected on {{ $labels.device }}";
description = ''
Disk {{ $labels.device }} ({{ $labels.serial }}) on {{ $labels.instance }} has reallocated sectors.
This indicates disk surface damage. Monitor closely and plan replacement.
'';
};
labels = {
severity = "warning";
category = "storage";
};
}
# Current pending sectors
{
uid = "smart-pending-sectors-uid";
title = "DiskPendingSectors";
condition = "D";
data = [
{
refId = "A";
datasourceUid = "vm-datasource-uid";
relativeTimeRange = { from = 300; to = 0; };
model = {
expr = ''smart_current_pending_sector > 0'';
instant = false;
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "D";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$C > 0";
};
}
];
for = "0s";
noDataState = "NoData";
execErrState = "Error";
annotations = {
summary = "Pending sectors detected on {{ $labels.device }}";
description = ''
Disk {{ $labels.device }} ({{ $labels.serial }}) on {{ $labels.instance }} has pending sectors.
These sectors could not be read and may be reallocated. Monitor for increase.
'';
};
labels = {
severity = "warning";
category = "storage";
};
}
# Offline uncorrectable errors
{
uid = "smart-offline-uncorrectable-uid";
title = "DiskOfflineUncorrectable";
condition = "D";
data = [
{
refId = "A";
datasourceUid = "vm-datasource-uid";
relativeTimeRange = { from = 300; to = 0; };
model = {
expr = ''smart_offline_uncorrectable > 0'';
instant = false;
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "D";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$C > 0";
};
}
];
for = "0s";
noDataState = "NoData";
execErrState = "Error";
annotations = {
summary = "Offline uncorrectable errors on {{ $labels.device }}";
description = ''
Disk {{ $labels.device }} ({{ $labels.serial }}) on {{ $labels.instance }} has offline uncorrectable errors.
This indicates data integrity issues. Consider replacement.
'';
};
labels = {
severity = "warning";
category = "storage";
};
}
# High temperature (Seagate enterprise: warning at 50C)
{
uid = "smart-high-temperature-uid";
title = "DiskHighTemperature";
condition = "D";
data = [
{
refId = "A";
datasourceUid = "vm-datasource-uid";
relativeTimeRange = { from = 600; to = 0; };
model = {
expr = ''smart_temperature_celsius > 50'';
instant = false;
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "D";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$C > 0";
};
}
];
for = "10m";
noDataState = "NoData";
execErrState = "Error";
annotations = {
summary = "High temperature on {{ $labels.device }}";
description = ''
Disk {{ $labels.device }} ({{ $labels.serial }}) on {{ $labels.instance }} temperature exceeds 50°C.
Check cooling and ventilation.
'';
};
labels = {
severity = "warning";
category = "storage";
};
}
# UDMA CRC errors (cable/connection issues)
{
uid = "smart-udma-crc-errors-uid";
title = "DiskUDMACRCErrors";
condition = "D";
data = [
{
refId = "A";
datasourceUid = "vm-datasource-uid";
relativeTimeRange = { from = 86400; to = 0; };
model = {
expr = ''increase(smart_udma_crc_error_count[24h]) > 0'';
instant = false;
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "D";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$C > 0";
};
}
];
for = "0s";
noDataState = "NoData";
execErrState = "Error";
annotations = {
summary = "UDMA CRC errors on {{ $labels.device }}";
description = ''
Disk {{ $labels.device }} ({{ $labels.serial }}) on {{ $labels.instance }} has new CRC errors.
This typically indicates SATA cable or connection issues. Check cables.
'';
};
labels = {
severity = "warning";
category = "storage";
};
}
];
}

17
hosts/web-arm/modules/grafana/dashboards/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{ lib, pkgs, ... }:
let
smartDashboard = import ./smart-dashboard.nix { inherit lib pkgs; };
dashboardDir = pkgs.linkFarm "grafana-dashboards" [
{ name = "smart.json"; path = smartDashboard; }
];
in
{
services.grafana.provision.dashboards.settings = {
apiVersion = 1;
providers = [{
name = "nix-dashboards";
type = "file";
options.path = dashboardDir;
}];
};
}

463
hosts/web-arm/modules/grafana/dashboards/smart-dashboard.nix Normal file
View File

@@ -0,0 +1,463 @@
{ lib, pkgs }:
let
datasourceUid = "vm-datasource-uid";
# Helper to create a panel with common defaults
mkPanel = { id, title, type, gridPos, targets, options ? { }, fieldConfig ? { }, ... }@args:
{
inherit id title type gridPos targets;
datasource = { uid = datasourceUid; type = "prometheus"; };
options = options;
fieldConfig = {
defaults = fieldConfig.defaults or { };
overrides = fieldConfig.overrides or [ ];
};
} // (builtins.removeAttrs args [ "id" "title" "type" "gridPos" "targets" "options" "fieldConfig" ]);
# Dashboard definition
dashboard = {
uid = "smart-disk-health";
title = "S.M.A.R.T Disk Health";
description = "S.M.A.R.T metrics and RAID array status";
tags = [ "disk" "smart" "storage" "nas" ];
timezone = "browser";
editable = false;
refresh = "5m";
schemaVersion = 39;
version = 1;
# Variables
templating.list = [
{
name = "host";
label = "Host";
type = "query";
datasource = { uid = datasourceUid; type = "prometheus"; };
query = "label_values(smart_health_passed, instance)";
regex = "";
sort = 1;
refresh = 1;
includeAll = true;
multi = false;
current = { selected = true; text = "All"; value = "$__all"; };
}
];
# Panels
panels = [
# === OVERVIEW ROW ===
{
id = 1;
type = "row";
title = "Overview";
collapsed = false;
gridPos = { x = 0; y = 0; w = 24; h = 1; };
panels = [ ];
}
# Alert Status - Shows firing disk alerts
{
id = 5;
title = "Alert Status";
type = "alertlist";
gridPos = { x = 0; y = 1; w = 6; h = 5; };
options = {
alertInstanceLabelFilter = "";
alertName = "Disk";
dashboardAlerts = false;
groupBy = [ ];
groupMode = "default";
maxItems = 20;
sortOrder = 1;
stateFilter = {
"error" = true;
firing = true;
noData = false;
normal = false;
pending = false;
};
viewMode = "list";
};
}
# Health Status - Stat panel
(mkPanel {
id = 2;
title = "Disk Health Status";
type = "stat";
gridPos = { x = 6; y = 1; w = 6; h = 5; };
targets = [{
expr = ''smart_health_passed{instance=~"$host"}'';
legendFormat = "{{device}}";
refId = "A";
}];
options = {
reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
orientation = "horizontal";
textMode = "auto";
colorMode = "background";
graphMode = "none";
};
fieldConfig = {
defaults = {
mappings = [
{ type = "value"; options."1" = { text = "PASSED"; color = "green"; index = 0; }; }
{ type = "value"; options."0" = { text = "FAILED"; color = "red"; index = 1; }; }
];
thresholds = {
mode = "absolute";
steps = [
{ color = "red"; value = null; }
{ color = "green"; value = 1; }
];
};
};
};
})
# Temperature Gauge
(mkPanel {
id = 3;
title = "Disk Temperatures";
type = "gauge";
gridPos = { x = 12; y = 1; w = 6; h = 8; };
targets = [{
expr = ''smart_temperature_celsius{instance=~"$host"}'';
legendFormat = "{{device}}";
refId = "A";
}];
options = {
reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
orientation = "auto";
showThresholdLabels = false;
showThresholdMarkers = true;
};
fieldConfig = {
defaults = {
unit = "celsius";
min = 0;
max = 70;
thresholds = {
mode = "absolute";
steps = [
{ color = "green"; value = null; }
{ color = "yellow"; value = 45; }
{ color = "red"; value = 55; }
];
};
};
};
})
# RAID Status - Stat panel
(mkPanel {
id = 4;
title = "RAID Array Status";
type = "stat";
gridPos = { x = 18; y = 1; w = 6; h = 8; };
targets = [{
expr = ''mdadm_array_state{instance=~"$host"}'';
legendFormat = "{{array}}";
refId = "A";
}];
options = {
reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
orientation = "horizontal";
textMode = "auto";
colorMode = "background";
graphMode = "none";
};
fieldConfig = {
defaults = {
mappings = [
{ type = "value"; options."1" = { text = "Healthy"; color = "green"; index = 0; }; }
{ type = "value"; options."0" = { text = "Degraded"; color = "red"; index = 1; }; }
];
thresholds = {
mode = "absolute";
steps = [
{ color = "red"; value = null; }
{ color = "green"; value = 1; }
];
};
};
};
})
# Sector Health Table - Promoted to overview for visibility
(mkPanel {
id = 13;
title = "Sector Health";
type = "table";
gridPos = { x = 0; y = 6; w = 12; h = 4; };
targets = [
{
expr = ''smart_reallocated_sector_ct{instance=~"$host"}'';
legendFormat = "{{device}}";
refId = "A";
format = "table";
instant = true;
}
{
expr = ''smart_current_pending_sector{instance=~"$host"}'';
legendFormat = "{{device}}";
refId = "B";
format = "table";
instant = true;
}
{
expr = ''smart_offline_uncorrectable{instance=~"$host"}'';
legendFormat = "{{device}}";
refId = "C";
format = "table";
instant = true;
}
];
options = {
showHeader = true;
cellHeight = "sm";
};
transformations = [
{ id = "merge"; options = { }; }
{
id = "organize";
options = {
excludeByName = { Time = true; __name__ = true; instance = true; job = true; serial = true; };
renameByName = {
device = "Device";
"Value #A" = "Reallocated Sectors";
"Value #B" = "Pending Sectors";
"Value #C" = "Offline Uncorrectable";
};
};
}
];
fieldConfig = {
defaults = {
thresholds = {
mode = "absolute";
steps = [
{ color = "green"; value = null; }
{ color = "yellow"; value = 1; }
{ color = "red"; value = 10; }
];
};
custom = { displayMode = "color-background-solid"; };
};
};
})
# === DETAILED METRICS ROW ===
{
id = 10;
type = "row";
title = "Detailed Metrics";
collapsed = false;
gridPos = { x = 0; y = 10; w = 24; h = 1; };
panels = [ ];
}
# Temperature Time Series
(mkPanel {
id = 11;
title = "Temperature Over Time";
type = "timeseries";
gridPos = { x = 0; y = 11; w = 12; h = 8; };
targets = [{
expr = ''smart_temperature_celsius{instance=~"$host"}'';
legendFormat = "{{device}}";
refId = "A";
}];
options = {
legend = { displayMode = "list"; placement = "bottom"; showLegend = true; };
tooltip = { mode = "multi"; sort = "desc"; };
};
fieldConfig = {
defaults = {
unit = "celsius";
custom = {
drawStyle = "line";
lineInterpolation = "smooth";
fillOpacity = 10;
pointSize = 5;
showPoints = "auto";
};
thresholds = {
mode = "absolute";
steps = [
{ color = "green"; value = null; }
{ color = "yellow"; value = 45; }
{ color = "red"; value = 55; }
];
};
};
};
})
# Power On Hours
(mkPanel {
id = 12;
title = "Power On Hours";
type = "stat";
gridPos = { x = 12; y = 11; w = 12; h = 8; };
targets = [{
expr = ''smart_power_on_hours{instance=~"$host"}'';
legendFormat = "{{device}}";
refId = "A";
}];
options = {
reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
orientation = "horizontal";
textMode = "value_and_name";
colorMode = "none";
graphMode = "none";
};
fieldConfig = {
defaults = {
unit = "h";
};
};
})
# === RAID DETAILS ROW ===
{
id = 20;
type = "row";
title = "RAID Details";
collapsed = false;
gridPos = { x = 0; y = 19; w = 24; h = 1; };
panels = [ ];
}
# RAID Devices
(mkPanel {
id = 21;
title = "RAID Array Devices";
type = "stat";
gridPos = { x = 0; y = 20; w = 12; h = 4; };
targets = [
{
expr = ''mdadm_array_devices_active{instance=~"$host"}'';
legendFormat = "{{array}} Active";
refId = "A";
}
{
expr = ''mdadm_array_devices_total{instance=~"$host"}'';
legendFormat = "{{array}} Total";
refId = "B";
}
];
options = {
reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
orientation = "horizontal";
textMode = "value_and_name";
colorMode = "value";
graphMode = "none";
};
fieldConfig = {
defaults = {
unit = "short";
};
};
})
# UDMA CRC Errors
(mkPanel {
id = 22;
title = "UDMA CRC Errors";
type = "timeseries";
gridPos = { x = 12; y = 20; w = 12; h = 4; };
targets = [{
expr = ''smart_udma_crc_error_count{instance=~"$host"}'';
legendFormat = "{{device}}";
refId = "A";
}];
options = {
legend = { displayMode = "list"; placement = "bottom"; showLegend = true; };
tooltip = { mode = "multi"; sort = "desc"; };
};
fieldConfig = {
defaults = {
unit = "short";
custom = {
drawStyle = "line";
lineInterpolation = "stepAfter";
fillOpacity = 0;
pointSize = 5;
showPoints = "auto";
};
};
};
})
# Last Update Timestamp
(mkPanel {
id = 30;
title = "Last Metrics Update";
type = "stat";
gridPos = { x = 0; y = 24; w = 6; h = 5; };
targets = [{
expr = ''time() - disk_metrics_last_update{instance=~"$host"}'';
legendFormat = "Age";
refId = "A";
}];
options = {
reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
orientation = "horizontal";
textMode = "value";
colorMode = "value";
graphMode = "none";
};
fieldConfig = {
defaults = {
unit = "s";
thresholds = {
mode = "absolute";
steps = [
{ color = "green"; value = null; }
{ color = "yellow"; value = 1800; }
{ color = "red"; value = 3600; }
];
};
};
};
})
# Device Activity Status
(mkPanel {
id = 31;
title = "Device Activity";
type = "stat";
gridPos = { x = 6; y = 24; w = 18; h = 5; };
targets = [{
expr = ''smart_device_active{instance=~"$host"}'';
legendFormat = "{{device}}";
refId = "A";
}];
options = {
reduceOptions = { values = false; calcs = [ "lastNotNull" ]; fields = ""; };
orientation = "horizontal";
textMode = "auto";
colorMode = "background";
graphMode = "none";
};
fieldConfig = {
defaults = {
mappings = [
{ type = "value"; options."1" = { text = "Active"; color = "green"; index = 0; }; }
{ type = "value"; options."0" = { text = "Standby"; color = "blue"; index = 1; }; }
];
thresholds = {
mode = "absolute";
steps = [
{ color = "blue"; value = null; }
{ color = "green"; value = 1; }
];
};
};
};
})
];
};
in
pkgs.writeText "smart-dashboard.json" (builtins.toJSON dashboard)

42
hosts/web-arm/modules/grafana/default.nix
View File

@@ -31,10 +31,13 @@ in
./alerting/system/default.nix
./alerting/service/default.nix
./alerting/websites/default.nix
./alerting/storage/default.nix
./datasources/victoriametrics.nix
./datasources/loki.nix
./dashboards/default.nix
./alert-cleanup.nix
];
@@ -102,11 +105,12 @@ in
contactPoints = {
settings = {
apiVersion = 1;
contactPoints = [{
contactPoints = [
{
orgId = 1;
name = "cp_dominik";
name = "cp_dominik_emergency";
receivers = [{
uid = "dominik_pushover_cp_receiver";
uid = "dominik_pushover_emergency";
type = "pushover";
settings = {
apiToken = "\${PUSHOVER_API_TOKEN}";
@@ -117,12 +121,28 @@ in
expire = "2m";
sound = "siren";
okSound = "magic";
message = ''
{{ template "default.message" . }}
'';
message = ''{{ template "default.message" . }}'';
};
}];
}
{
orgId = 1;
name = "cp_dominik_normal";
receivers = [{
uid = "dominik_pushover_normal";
type = "pushover";
settings = {
apiToken = "\${PUSHOVER_API_TOKEN}";
userKey = "\${PUSHOVER_USER_KEY}";
device = "iphone";
priority = 1;
sound = "siren";
okSound = "magic";
message = ''{{ template "default.message" . }}'';
};
}];
}
];
};
};
@@ -130,7 +150,15 @@ in
settings = {
apiVersion = 1;
policies = [{
receiver = "cp_dominik";
receiver = "cp_dominik_normal";
repeat_interval = "999d";
routes = [
{
receiver = "cp_dominik_emergency";
matchers = [ "alertname = HostDown" ];
repeat_interval = "999d";
}
];
}];
};
};

2
hosts/web-arm/pkgs/sa-core.nix
View File

@@ -17,7 +17,7 @@ buildGoModule rec {
subPackages = [ "." ];
# Optional tuning
CGO_ENABLED = 0;
env.CGO_ENABLED = "0";
ldflags = [ "-s" "-w" ];
doCheck = false;

33
scripts/test-configuration
View File

@@ -19,9 +19,9 @@ fi
HOSTNAME="$1"
# Check if 'nixos-rebuild' command is available
if ! command -v nixos-rebuild > /dev/null; then
echo "ERROR: 'nixos-rebuild' command not found. Please ensure it is installed and in your PATH." >&2
# Check if 'nix-instantiate' command is available
if ! command -v nix-instantiate > /dev/null; then
echo "ERROR: 'nix-instantiate' command not found. Please ensure Nix is installed and in your PATH." >&2
exit 1
fi
@@ -38,27 +38,42 @@ if [ ! -f "$CONFIG_PATH" ]; then
exit 1
fi
# Check for host-specific channel file
CHANNEL_PATH="$SCRIPT_DIR/../hosts/$HOSTNAME/channel"
CHANNEL_OPT=""
if [ -f "$CHANNEL_PATH" ]; then
CHANNEL_URL=$(cat "$CHANNEL_PATH")
# Append /nixexprs.tar.xz to get the actual tarball URL
TARBALL_URL="${CHANNEL_URL}/nixexprs.tar.xz"
echo "INFO: Using channel '$TARBALL_URL' from '$CHANNEL_PATH'."
CHANNEL_OPT="-I nixpkgs=$TARBALL_URL"
else
echo "WARNING: No channel file found at '$CHANNEL_PATH'. Using system default." >&2
fi
echo "INFO: Attempting dry-build for host '$HOSTNAME' using configuration '$CONFIG_PATH'..."
if [ "$VERBOSE" = true ]; then
echo "INFO: Verbose mode enabled, --show-trace will be used."
fi
# Execute nixos-rebuild dry-build
# Store the output and error streams, and the exit code
NIX_OUTPUT_ERR=$(nixos-rebuild dry-build $SHOW_TRACE_OPT -I nixos-config="$CONFIG_PATH" --show-trace 2>&1)
# Execute nix-instantiate to evaluate the configuration
# nix-instantiate fetches fresh tarballs and catches all evaluation errors
# unlike nixos-rebuild which may use cached results
NIX_OUTPUT_ERR=$(nix-instantiate $SHOW_TRACE_OPT $CHANNEL_OPT -I nixos-config="$CONFIG_PATH" '<nixpkgs/nixos>' -A system 2>&1)
NIX_EXIT_STATUS=$?
# Check the exit status
if [ "$NIX_EXIT_STATUS" -eq 0 ]; then
echo "INFO: Dry-build for host '$HOSTNAME' completed successfully."
if [ "$VERBOSE" = true ]; then
echo "Output from nixos-rebuild:"
echo "Output from nix-instantiate:"
echo "$NIX_OUTPUT_ERR"
fi
exit 0
else
echo "ERROR: Dry-build for host '$HOSTNAME' failed. 'nixos-rebuild' exited with status $NIX_EXIT_STATUS." >&2
echo "Output from nixos-rebuild:" >&2
echo "ERROR: Dry-build for host '$HOSTNAME' failed. 'nix-instantiate' exited with status $NIX_EXIT_STATUS." >&2
echo "Output from nix-instantiate:" >&2
echo "$NIX_OUTPUT_ERR" >&2
exit "$NIX_EXIT_STATUS"
fi

105
utils/modules/promtail/secrets.yaml
View File

@@ -1,88 +1,97 @@
promtail-password: ENC[AES256_GCM,data:DykxIRTXttQgJ6vv3oBOhX1h2PrPimLz+dEHZwjFvg34UEGWfQu5nODw7h6qAJrKIGR5217LgTGZzg1HedbM4Dsb2OJW9c39bXIga730eVvGCm6RcMbpv8GDHPuVCfO1NwQox9Fba8veDWDNqNisHQuYDRQrNZrg1QEiKsujZdY=,iv:kM5Ec376USXMoXCVF/4g7F1NbJNbWfTMVd7LKsTnTuE=,tag:y8aEF+Q6/Cm16W2LYF+orA==,type:str]
promtail-password: ENC[AES256_GCM,data:jooCw16EEw9JC+W19bXvoOjnCo/KP0H1Bpc0UqfGN+mCqFLK98TDU80hNu54pYQowcAtgjB5ZM64gWt+stqFKWVWihF0d4A3KuTTfpxmXGdGi6ThRcAXhMmXLH5SYR4N96d4WsvHNsFTRGItnUlp2juQMKHnZ2At9RQWgBQqK6Q=,iv:HFttRHz2fIU9qZzP5r24/AKMHTWwDhhIrgQpxw6Ol/Q=,tag:umq2lzodL2nijayGms7ciw==,type:str]
sops:
age:
- recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQTkrMDlpM3RnZ0pNZVlM
dkNya243OFlycmRRS1o3c3Z1Vm1UNWxBbkVBCmw4dDUrQkg0NExaTHJaSk1JYnpY
UDNHa09Rd081N1FVbXgyRHVWbUtna1EKLS0tICszQ2Z4aWpNV1U5RVNibllGdGlY
alFRNFZVNDlOUTJRbVQ0T3dRTTlJZUEKx+ftKJc+RMmxXoRxLd6gsvN6Jfnn5Xre
48TolLwPoBSr6uSmfWfcXIL+2uzo5cTGhMReCEQrlHOWGxhk+XDmfw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFT21QaTZ5ditZekVmaitY
b2locXR6M1NNSXhIL0pjK3Y4dzlYcjRXMlFNCnVtelpDdWovc0FiUGQwWm5TRlk1
b1pka2paQ1NBd2c3WG12U0N3N24vbHMKLS0tIHgrMHdxS3J1WWZNdGdiaVRaWjBm
cmh0VEx3UDRocFVlckFUN21YblpEb0kKKF7CPzXn6e9o1+BctLSHcLZTWYdYiXQs
dwX8ohGJc/Q5Ewrrdmm77gu3ttg7Ml/70ToG/yTBExH1lwGb1z7Qag==
-----END AGE ENCRYPTED FILE-----
- recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSjAvWC9haUh3blQ2bHJj
cnh5YkkvUWhEYXFFV3RNbURwVlROZk1yUmc0CjdMdXExWE52WWNyRGdyVFRzT1o1
Umo4OWhMYTZjTkJvbW9UaHJVaE1YNG8KLS0tIHBSOEdmQjFCZ25jNGlHMmZoalpW
c0FZUzBVYXRTMHFZSGYxVDdzS2d5a0kK1a/FQ841bIKuXHjVAjV2YPTpkmI0R7fX
ohkPSQneoOnwZPXby69PJLSYwX0IcQCckkGXa1z6KLr6iueSpyM6JA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3R2hwWmtZVjlTSFZTMUd5
cXpqbXkwTmQrYS9TT1NYaXZ4azFjRTlOZ0Y0ClBIUGk5R0JGenBrSXhNbExLaWkr
eUJLUVBYYzBFbHg3Z2l4N2JINTBSVjAKLS0tIHFTa3JKUTVPNFM2TktUbm9mSkVo
Vno4TER6SFR4bDM3L3FYSkw1UHJoeXcK0mR/ysz38ZhEAqhEZZXmuH3rykMUeFk4
tPvIV3LpRXpU+yiT3zpLJXVi3GDy9vaq/h/uG7rDhE/nPoaIIVBBhg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYUNabzVBcFpIdFhUTW85
ZlVjamVZUERSMGNMUkhlUUVVd2ozUkFLWHlzCnh0c2gweU1ud2cxS2p1eXUxNy9j
d2tCTVR0YjY5bktQa09tUmFvM0F3aEkKLS0tIFVWMVFUU1RMV1FoaklnS3Z0VzBJ
bitzcStWdzM3TXBMbGJKNGVZQTNVZ0EK0qjI7PKk9lUDG+0ZeCL/9ILI9KRIEU+z
6o4AcdGcd44QkUjYboLTwGvdf4QdKZvyfBk6xliUIzn0tbX0CrEHOA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtV2tlLzhqQWlDd2FaZ0lJ
dEt5Q2YvTWR6Q3pBUHl1elJEN3lJcE01YTBrCm1IWlVVd1poVk1Gazd3NnBCa21L
UXByN05KNGdUTW9uckhvNUE4bFVMME0KLS0tIDVSRCtJNnRSdmFzcWVNNHEzV092
NHFYYTFRdUVXNFh5Tlc0U2twYWpuWDQKTqRXFxn/OuYrjVSlGNyHWtCwmaV+4PMr
+wpjkS+3pEWYaMtRhoBKJmPXhbE9e0SSzFV/HEYILswUfIWuQNpNUQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ylrpaytkm0k5kcecsxvyv5xd9ts4md0uap48g6wsmj9pwm4lf5esffu0gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQdmhqdXpIblh0QVRuSGdl
WmpaV20za2d5MFdYbTNTRTEzR3BUVFJLU2tRCkdHT1JFNmVEZGNkRGJ1S1cwU1Ru
MEp3ck1MN0tYRXBPY2xQR3JIMURpWkEKLS0tIEF2UERsV2J6UzZYUm5sTFdPWGlo
NjVGSDdndDRsQkx4V3U3N3FjNldUTTgKY8ohcy0H+fxkmBksfWzVLZsbfqDfWUzA
5FUdmqCHdg47Mct3K8qXHSEbvegn/8Hp4vSgkVQcEA2YFcf4J5GRpw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RFl5UHpOcUIrdEVoREFn
ZmloRG5nb2d3eHpScmRWVjVLUXpveW9pZzJrClRVa3h1Y2dIL0RCZFJpM3NvTndu
VzVMT1dwbWJEOXFKZDNVdEgwV3RHZE0KLS0tIElkTUk1SHRGcFp2d3BpUDgxZWVG
RE5UQktjTEtzd2I1SmVZWE8xWm5SSDAKOfrr3seS8+UqGZXiJfraGh9wTqx7zFnH
GMBBlCj2SLAHP56efITiPJ6kFISFoc6QgBj024oUXop2HT3CQh5hJw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbFMrNzVMYmlHWE1yb1hj
eGw2SS9qNTdKTDdSQUlTNjhnS1dZaTd4NFFzCll6SEhzVnY5UnJUbUtlUzJzZS9N
cUZMYnV0bU5DRjU0MW8vSFpIN2pNT00KLS0tIFdTTlBPT3J0cmF6Y0lnaGRpQW4r
TjRsa2dlR3hrZkVQTFFWQm1xR1pLQUkK2Kio6ShvcsbJ2n1UG97gxt5AcdqKolMq
3sdoF7b87Crd3QSzDKx2Rm97EjeQskOBOgpasF2W8GoRYCol05Y0bQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoMWhoa1lKWU8yRHZnSUNm
cVhycko2MFczWE56UlNDUGlNdndXNnY0blhvCmlIeGRHUjRuODhCNk5lVlVqZmR1
ZEpMTUl6dnpoUkhGbTBsOUNzdDliM0UKLS0tIDRHWjllMEZyaDN1OTY0RXpzWUVZ
WklqZW5DT09DclBBOUZ4VmpIMVdCRU0K5c8JtZ5dfzxmtMlnL+3637/6YBWN9qdP
+/l78vhb0KVt1SOI2d6ZnfkKEXSO/PyBpOkz+AOubxdpQMNOyQsgcA==
-----END AGE ENCRYPTED FILE-----
- recipient: age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZGZobW1aaThidmkxSEk1
VXVzdEdIMENnRC9sTGpXQUNwSElPWVlLTVFNClRuQ2pYanFibEJoSllXYVhmSk90
QVlGUVBjMkN4RG9BempCRDlFZHJPancKLS0tIEc3Q29tUzhzYzViMkpzS1RNczBE
djdYNVdvZHRkOHBWMGk1N3dlb3JLUFEKiruFC9YV3gloPaP9+wY0Sir2xA9NUcPN
matBs8oPjlB5dlrCoiHi8kl1i5ROnlu4tlNpLB0PcO9fCUMP1ypAQQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3N1BEMjFsZG03K3gxUVli
b1hEUEY0NDRRc0xDUkErOXExa05uMkdDK1J3Cm1WUFNRNzZGMWdOOU5kb2kyOFNs
Y2I1aC90SEZqSER3TXU0RTlVd3VOTHMKLS0tIGFMdDM0YWpJVTFFVEFYcUl3b1Nl
dlEwNWRmVllHSmtsRWVvb2h3ZGJaZUkKrEzfrlYGgB05NWxc3h6olIzGmdRCYDWj
mr5PEAWo0KGcvPK61lxwpHdThp3NGV0pqAHUU5+7Td/PbguHvaEPhA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcFNWb2EvQWF3czQrVVg3
Wm1hVm16bEtYS2pnM0R4elhGMUlqRUZXcUdvCnlJN3dxU2VKUk9JTk10SjdubmVO
NlgwU3hqMEp2cmF6R0pmdU9EZllJVTAKLS0tIFNwMC9jdjh0MXJpYzU5cE5mc0Jr
KzJoVGlKTUNZYXhpV1NMcVVuVXI3SHcK7PIY6HznGsckYauyFGVxmU344FqkPYhm
1x74NydHuGLAkMd3H7AchnxP9tVzSX3sOD9AqYqgg3nRS7yaIet+sw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBandodFZnbU05SVN5cVlO
V1BVaWtLNWdJMmRtUWxaMGdITmNKUDdXdHlRCk5HbGdSWlFnKytTVWxOcWtPZ3VJ
bi9EZ2p3VURkeEZuN2xsbEhkcWovUUEKLS0tIGtzTnJFOXFsTittUlZ1eCtjWTVX
SXdWczV0ZnI2a24zeElIZUsvU0ZSeUEKNX9qLko/2aFcrwW5LaMjvg9IJlNszSKi
7nl1d1fTLGCeMUvgwZU1uBIyCm/p0HTikBaDob5L5fJAVlSQNZxiBQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBROTV4Y1dQMkZtM1RUQ1lD
QVdyUXY1TVRxWURBZlRsZWVYTEhnQ0lMYUU4ClFLcVdUZ01YcDc1OUYwMWpJRUpy
NHVMM1FrK1B4TEU1QUhsbjdCL3M0dmMKLS0tIFRFSndnZ0V0a2VKV2VXY0N2Qjgz
dFZQbm13d3JOWlZiSXZTcUpkSSsyVTgKI1GJ1uRRcTH/13lkAiUxNhBNmDgf4MFA
5nk6z1/nJglnvajYyGXlAlZF7XofbUtUWZeBbtWwbeWImjIa/+KaSw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdDdBTEpMZEI4NFc2aU1F
aGlwcDk3ajd6NjE0UUhXbW5WT1RCSmR0M1hzCk1zVVV5V3UvUmx5REZuRk1RT3pW
WUVocW9iOXppWFBqRkVlZE1TZzFUbmMKLS0tIDlzLzdnWEhkWWFFQm1seVJlVHBw
THlweWtPcFNyT2RCNk9UQVc3Y0lnNFEK/d2fvmsIrRTHc3kBH2sAUBg0MCp4nXNT
imm7SINgt6aH390yL7BWHMBKzdgNHO6hn3plLV8EW8upsETwJCbrfA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1x3elhtccp4u8ha5ry32juj9fkpg0qg7qqx4gduuehgwwnnhcxp8s892hek
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvc3ZteDRVQ0xsRUpxY24x
Wmt4MS9ZL1cybUY4cHdPbC9rQU16WGtESkU4ClhoMnhuY2NrT0xyNzl6Z2hJR3dt
VHhLa2hCeUhCcjFPZTkxeUVaazFWa1kKLS0tIEVndkhYaS9GbDJKSzFIb0xQUzQ0
V2EzOXNWNnYwaXc5dkg5b0RDdjBpa1EKfIC1OigtPBRWIgXUyb4SSjpbO2Koqaiw
TQT+hnR+VkThbcfyWPZ+Zpe4lZzfcdMGfr3m7tdv/xY8epwrThInjA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xcgc6u7fmc2trgxtdtf5nhrd7axzweuxlg0ya9jre3sdrg6c6easecue9w
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTUhiU0RnMTAyV0xycnNL
V2xSWEttejB0SWhJR0FoNTZKL2x6MEJkcUZzCnFjVUVWNGV2SW1NZEpkN24rUVpX
dUJ3Wkx5aUlsWDByOTlpaERpNEpIa0UKLS0tIDExTVVJeDFEUStzamw3RGU5cHdE
WlNqQm1jRnpLWXBzRVRZUjc3Z0c4dncKonlHRgH7P4da+RJkGdWHRPiN76oPbH5U
DzNuS7mPsRAuajnCAGeqodzqllsGJatZUOVKFem8Of56Wm3pw3yLhg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0WHdpbGJNcmZhK3ExRi9t
K3ZHTld5QmxMYnZXTFZmNFVIbEZtS0pFRDM4CmJPK1BURU83UmFVdVNoam1reG0x
NlpLbDVQY1FNR1RyWm1TWkQrUHcrNUUKLS0tIFpVVGVscFFPclVTMG5IblkvWXlr
ek5lNTFkMVUvSU5McTFDS2tWWmZ1UmsKyhUXdaSGxKFFZnATRlTh7GzDu7eZ/mkq
V+9pqaob2fshwQ3tNVZtXmWTHv1geyIBxmQCFVSOaHIPVLpiC4Bhow==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-14T11:28:03Z"
mac: ENC[AES256_GCM,data:PBPNSGj6UaGoxH1Jq25bD4q/d42HrnBNhe5KFo1MoQCp/bzsphN8v6+tbHIdGh/VAoU7auRZVWXYALOl/3cGnpL52zvJGDaMlPlDVdzz6wHkl24z1ousWM7FKPwBtvGuAWAknYQW7KpQTtpobbBr8QHy/O4dB/NqxXTj/MSsbxY=,iv:1QOFK1LiKPnAuXeXNBJbeL0d73nsMq+DJCpeVruDumE=,tag:hJH3S3ZurYd0hcoWyWOocw==,type:str]
lastmodified: "2025-11-29T19:44:44Z"
mac: ENC[AES256_GCM,data:pRol7WdkK+Vr3fEc7UaEhoHlLvwwm0KdGOCReS6Rz12gD0Fw2UuNYsPnaj1XTdSLSfJITpEorFTmt455BpC6wMCszICSkqRn+EBgu4WWFZrv5v1m6BjSOTsU8bj1iAggiqsx57WS9opMThCzCOSIJD/EEzQmk5/qva/aBIJni/c=,iv:jorZE1XG0xJDGsXgw8EvuX7AL7yCuSynrqaeveCF4SE=,tag:btZHuaiPdZhdRj/+JU9dSA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

105
utils/modules/victoriametrics/secrets.yaml
View File

@@ -1,88 +1,97 @@
victoria-agent-env: ENC[AES256_GCM,data:m+o9GgDSm2qYVk90199H6J+RqE0fZH92G7uFjP0Al1JlvclOFjHnNlFJ7y8YfgBcPUFutIU45HN4+I2X2k0+GFyKlrKxevH3wUKNIWG/l/6VlOmZr7SMRQAlVv88aT0EeBIEh+AOilCcWsD4egQPS/faP5yolsqrm/sXltsdbdI6i7EVXBKUUryBjogE6tv5nroN0ter0hXtyspkV4oBxcZIqTK4/t6staEq1OcY/augdpqz6z1aBFVun3c0q70vS5VBP1KIKd+nKVABWWwt,iv:7mnSPuP3jh06uIFQbWUI2VRFF5wbGFLoTS4rf7PUF7M=,tag:BtVruJm2+9pGNYOzQOV32A==,type:str]
victoria-agent-env: ENC[AES256_GCM,data:kkbtEi4nVqv7jvL0Y3XCsil0InrVsL1zasBcOSKpA32ix73q0bRIwT8JVXX5hI6G8REYvp1oGNRlMBmSPy7H5YxxUd3RsK/5SbLkPfifTAxl8qz1STKPOmq6dZn016809AIkBiDWuu4FOHvzoSVkaO5EXluzb9wVwGH1HM/5pYBDFzqtkgWbCGbeGRXComgD4bqlFjDg/HRX2CaZf0sBByFQxH+NFvXCwdBeEZ82x5gBmXsaPnsAmh8fJotK7Eyu4+Urnahcp8V/4cTadhvg,iv:eizMQCL7vuTn3F0lY23fQfsvxiE8P3CdHqImth9X4JA=,tag:BMltfLO93YMEKv3sycDF2A==,type:str]
sops:
age:
- recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaFZ6dXVqbHppZ21NeWFi
NU1kV2FOUkVDWlc4RVdUdGNZU21jODdUUXpVCnU4aDdTbXlWNlZ2OUVaOGEwcDkr
aGNrSzVuZTVyU1BMNXArZTBSWnBacG8KLS0tIFVCMUNDeWdTL0VxLzdYNjgyMHY3
QmNCNGdaeFRHOTY4S2Z4RE9LZVB4TG8KQAe6ensRM4QVJKnDgbnFk9ZYoLk4L7iQ
4V8jODObt9m2WDCqASJdt/8m/l84E7FTw4g9aimr4fBOU4zOqpGe2w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSjNMUlh2TFB4L2JBSWU3
U2xyQTVoUmlQYUV5R1Y5MWtOa3VSVkkyTURzClN6QVFpZjZDdXdrU2ZUWDUyZDN0
S2RIY1pjdk9vSjg2cUZyTUpQbE51a28KLS0tIDFxSUNiZTQ3UWMySnNCWVZ0MzNZ
NnI1RFhXN3pqdTYyQ0NFZG95UHdvWkUKD23hIRYhZ0BRamLcjfKOpcHIzeatwEFb
0dvIm8RWcZEYK4w96GY5EQPkJsvcoBNWIyMFrJkgtcRfie3+W6kdag==
-----END AGE ENCRYPTED FILE-----
- recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCYnhvamdLYjN2SG9DRVl1
aEdGSWxQTUwrSTBtQURLS3RiQjl3by8xN1hzCjVLc2hQV1dCbTd1UkRaUC9ZN25V
aDJMczFSNGhCZTZFWnpLSW9sSENoWUEKLS0tIG5wRnBvRytKTXo5TXZ3bEdlVkVX
bDF4UUR5bE1JK0tGejJWanFkVDJCMUUKuIbnEMXPsDkJ2eDriJ6gKmwC4gj4ijfU
vmuAEsdpjo2UzP2Sjvm6tFSK85LvZi9lDu5NXdVTdwcq13+OYX1TLw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5dlY4c1FPU21VbkI2bzMx
WS9BNDJSU0JyTEVvY1VFQkU4L3J4U0hrd0NZCmlkQWw1N3RxU1MyZVVuNVZpVStk
UXlyLzlUaFlWTEdDdUZBV2Q5RGpvV28KLS0tIFRHTkwxWTRuMlFJWTV1SVQwU0Ji
c3JnQmlPd1JMQU9pcnVoaG9teVlBWWcKMOIDN36cLqOemzP62uRgKe/myhRs4F4g
MiNVYUL+d3WR3HQEvhovUU5RowlCD84U6Za8z+ss2sApJ6jdUcSP5A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1aHJlbDFBZlAvbjhRNHkr
angxd01kWkpVckZHcXA3VzJCa0xRSEpuZWlRCjNrUVV5NnM5VWV0YkRmQnE4aU1y
SDc1eXBDM1hsZHh4UkFYREZmTTFLMW8KLS0tIEJZSmhWa1l2SFpqdXVQWHZuWkc2
ZFNPcDhyc3dIaWx6TlhTMlIrK1NLWmsKhMpNkZEvlaIKWauZsVoLzwYWx0k1sbmk
KO+pNAUz2RMX+N4ykCRgFfeV6SDMxbaOACFm1/6yyDXHgvaI7zrQTQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMS9CbzFrZENWam5BOW5t
K3ExNGplNWZLNTVqMndnQ2ZSOFVIL2YvdHlvClkyS1RvZ3FaQWVkNjlWWExkbDZQ
NFVPWmkyNkdoTXdjY0xvS3QrMmFLeXMKLS0tIDhHV2hmMmIzY3dKeTVsUnB5ZGhR
cXpPcklDUDRkcytIcytDY1NYYXNQcTAKvjGjCCrj//KRijPCLOEDAxiexY0CnnqY
80l7bSnQPOOs27HO/9YlJerQlhPBRZo/KJ+cY3T2fAIfad/f7XN04g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ylrpaytkm0k5kcecsxvyv5xd9ts4md0uap48g6wsmj9pwm4lf5esffu0gw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1WkQxb3h1aUVDVGJTMUd1
RWdXMUQvWUk2TDYwbzd3ZW5ZSEVGZFhUOVg0CmxEd0lOV3EvN014NUFQUEdaWjNq
ZVE5MGZ4SVpXNTRwRnplMHhrQlBHMm8KLS0tIFpUeWZQZmQvWlBrcG9oNERIVEZt
UlBxcFgxVlc2WFRxVkhjWmZCdUdjSEUKPbadYyvWy0Kfbs5EovcpL3Aukj7wiZPJ
VlDkELrTtbvFYp1aAASFZOQb+0NYUyOCtM/OI5qNYigR7TgJBAf/Ig==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaMHUrQWZMNmxtSWtxVllM
U1VsMGxVOGt4UmtJSTE5TUdQaEdXUVRIc1FBCk1vTlU2c0lHUDh4VmYwMlFwZU44
Q1p6N1l5ZWlveGY3VFZJNDNpTFpqNEEKLS0tIHJxdlJtTDkrWHFTcmZXbnVCQ0ti
K2ovOUo4UTN0Y0dubllQM013SW05QmMKQUN03J+ju/JVs6geEMWLnnnlzjPfZOqS
rn3ldZv1aC7ckAp2JiVoznkpsBHFOV8T0pxE9vnmDipAU263k/4ktg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcnZrUklWYUZBbm11S2RX
b0F6UjNGQVlXQm83NDBCTFoybHhhTWd6NWs4ClM2dXNXT3pPZkpOYnpRR1BwV1k1
NWlXNXpBeFJHalhxaExybTJ5NG5nMlkKLS0tIDdXa09CKzdVeVp6TFdpei9PempS
dVNPL051aXpYN09EVVErZkV6czI2dkEK2UZPimVhLwjgjXjj1m7Qc/w36xYDe7sQ
D/5gub0EFuycIQj3lw0y59Jds4GoxBImExC0AKIaX9XBGW1BfBFtPQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwa1hoalhrQVdsc0NrNzN6
ZU5JVTdDRjhBWFUzMXhJM2FiaU5HcmlvZzE4CnJ5NDlUYmZmbzZsdC9jYXJBc3Rx
c1RDZDFOdnVHYjZSc2VNc2tOTGF4aTgKLS0tIFhEK1JaRWk3VzhtUE1GYUxoOVJD
ODRHRUxheVRuaEVoZ01sQkNOZGkzMUEKUBpUd30EjSkRFK2cbCARdycf9hHamoVG
XjCfIf1BLGe76+c88zDKaPvp/iAWfGypQkA71tRUoe6pEtrAT8sRgQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKM29sYklYMDUxTGJRZGlw
V2tVQTFaZXhoa0xSb2VNZldpUER5a0hWQVVVCktiVDRORDBPM25xSjVucTFsOUha
dHdVMjMxWDcvbVVoTDR5czFrMnVXd00KLS0tIEc2V3RtUVJBbHpKWkhneFRzcCti
NkN5SkZNWlp2dFBmclNjcW1iWXZZY2cK6fqN6xbVFLSTRPfDhvRALVt1yxizvyzI
C32AxiKQo9XrXGBmD5Zi6dtTy+Kdm4PqZjk7M1vW0LOJCErlVI0AjQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4a1d1UVVmNDVkaWtiOWlN
enA5RS9WSGgyT0ZqNWNvZ0lVbGpkcWxESzNJClFMMlJJRDJDSnRyVVZmRUZIU0JU
RFlTUm1nSzBFWVFEOGtROFVWMit1R1UKLS0tIEtRRXZvZFBKa0kxaDRXazJEcW1P
ajdFVHVpSWtjVU1ZSmlmUmxIY2NxMmcKVMc+JpeCxXs9RGjg7RN6c1TC9ndIOvWw
uFCTBRbTZJHyDC5fYrQQdhMQprm8UT3Fr51i1RWVWjsHz8GZEBwQVg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNT1dBY3kycWVINUV1Wm93
VEMvNTRSQzV5U2N4ODhiSERHcnVVK3c3Q0hFCmxwWXE3Q1BCRFpIMUlFemRQOTRB
TERiVzdOZGZDbmxXT2ZYZHdhY0FpOEEKLS0tIHRVVkYvVW9nYnJ3WkFhNEQ4UkVY
US96T0JUUlJjVFcxc1ZSUjY1aVg4NmMKc4jD2CtrKc43wArBm566h117ko1vrsHG
ONq9zOp4z90WPvY9octFOEn9cZ2tJvcGYDhWyBGH3rVRYN5hzTRLdg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtTm8xeUlpbC8xRndpSGQw
S2RDSE93ZG8wcnlHZFBXbjNzMXlpeWRIVjBBCnlVRDMzL2paRmFWL2toZVFBOFRk
bi9LRjhWM2ZBcTBFMk9ydTFhaTdrblEKLS0tIFQzUjRpSGR5NzNYcFNVNUNVUks0
R3AreG1Cd3d1NDNIWnlkcm94L3h6NGcKurqFEsNJklMgu3G7mDNq449o2vMX/2t1
aUOLRLzi5GTJoQzmuJbveQA+HIgv/B9aNC762YH6df4N0Yk1GRt7pw==
-----END AGE ENCRYPTED FILE-----
- recipient: age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUd241b3c1MFUvUTRRc2R3
dFNLREZ0Qi9kcWlVait0bVhJZ05PZ21ScEFjCitab1NaWDlEWkEwZlpzTmFFQ3RV
YTVWUmx4VEJ2Q1J1TllZZ2VTaVF0OFUKLS0tIGZxdGNaM1Q0Z1JEbkFpQm0xaW5T
bHkyeHVtbCtzb2pKOTUvcm91MnBockkKCrwgT0auKuuRYNwajiqBVzpgG13li8KO
W52Fy9lIc9poyxEnvyIqpPz29gQdL4aqGHX735f2+n2fq/SIgiKHfw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUHZ0Yk14c2NBQm9SelNR
cjY0K0xYUWREUkhWQVNRUVFUczlvZjZ4V1VnClV2b3hhMnlhTUt2U1FLTERlVThv
K2Nqd0dPVWZLTXI2Y2VhaG9Yano1d1kKLS0tIExRY3NlZ0x2VWtDZWhJc0dyM0ow
dlp5SzFqZmNncGQzYzR0THkyeVR6WXcKUb9DJ1u3/VnYKXIgzpTdImSgE2lWdCOD
yVOJXwY5IrU6NJgBYbZlbIysIS+ihO9pLodjaYhbZduNCasdrhwu7A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1x3elhtccp4u8ha5ry32juj9fkpg0qg7qqx4gduuehgwwnnhcxp8s892hek
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cFJka2xuSDhyaXowSzVw
cXJSR1ZUWnhDdWRwbFpmenJDZURmbXhDNVhRCm1GMTZ3VHA1S0o3ekVsR2loS3Bi
SmJrOEFBUzJZVUlxazh1TVhkZ0kzVm8KLS0tIDZwajVOUWlIS1FHWHNpZy9jSXhK
RHBjNjRBRzVaUlMrL0d5ZGZTdUcvYkUK0hf09zou0OqZSV81G8HMeNRx+uz9Nade
dhyQ1CRVWT5Q5HW/4t/abB0hSxFId8+X7ufJIjjVSbywLZ7WHLKCSw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xcgc6u7fmc2trgxtdtf5nhrd7axzweuxlg0ya9jre3sdrg6c6easecue9w
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNzB5bHVMU2MySmtaOHA4
K0N3RnZINWpTbkxiTWJnVTZ4Z3d1L1N3T0hjCmxieHdhc1VFWXM1WHExdWNPdW16
ZVQwTzdGcFVWamMva1RpZGV6U2hpSUEKLS0tIER1T3ZJYUQ0RE5TVTk2dVdmYXhU
eUNKWkczb3dwMnB3SS8rVjRHU1VBQkkKOdh1+qrx9WX0NGSVrGdptFNU8C1ZZFNi
3lJmzNvJRyVMxXNjWqpXUfCDWQONvCKEGuAvt7Zra+z7/2GtcFTNZw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndjYrRnFRd2RDeTRDQ2Uz
UXk2WE1ORERTOWtOcXI3eXVHZzJJQ2RMRTMwClBPR2J6cmMzSzR1cXJWaHJJUlJa
ZVd1S3hpWEdFYXpvUXd3ZUs3SVJrZHcKLS0tIGN5MUFET0M3WWZkcHRlV1QyTEQx
eTFJUnZpM2haMUZBekh3SjBQRGFsQUUKUI4laym7zGzu1iIlMYnnKjyDHUqblcn6
K49AdBT+U8WUnVNwAOc5Irf86GfNvJ0S0qk6+v4CpPDgKFksc3flFg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-14T12:05:25Z"
mac: ENC[AES256_GCM,data:DuD/sqYIwfW2XW+QojfuwLOKI+Y3lXCYOmI5ayCqQlWU9F0W3H1WSnVyfp4YanwY9zjNJukZy9vQNB7wk7DoPGrYTgPihEFmt1GWV10kCFhOxQCMaB9Pt8a7JucF1k8+4jbT4SW282KLAoITDqIAe4qXBPEKKx1+SH34VhKZh3Y=,iv:j5U41i0LHVntwyhTjHExkS65K/gWpBdNy68Cb+bIXmg=,tag:Wu46HI+T+ZzeTb4Rf35vdg==,type:str]
lastmodified: "2025-11-28T22:51:04Z"
mac: ENC[AES256_GCM,data:pXXNkrHSC4mp+K2NfiJ7RucJ299BkVv7wQiWlV2SboLwS7le753CKf2yBGsOYEgxelhLAnIFW3biDR/v+P+7kvUinRUPIYyxeYzMT864Rz8Fb+FBjf4Bd/j/oBdSWk1QM6aOPQRcAiNAol+AcdajhSmy68prUp/lR0gvDPGuczA=,iv:t18AtziHtA58uMoVSsDXsn4PPQUSJCNCG6jg9VBvM0w=,tag:RKQRWjI3NE3Rzb+JdMrOng==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

4
utils/overlays/packages.nix
View File

@@ -5,16 +5,18 @@ self: super: {
openaudible = (super.callPackage ../pkgs/openaudible.nix { });
openmanus = (super.callPackage ../pkgs/openmanus.nix { });
ai-mailer = self.callPackage ../pkgs/ai-mailer.nix { };
claude-code = self.callPackage ../pkgs/claude-code { claude-code = super.claude-code; };
# Python packages
python3 = super.python3.override {
packageOverrides = pself: psuper: {
aia-chaser = pself.callPackage ../pkgs/aia-chaser { };
mini-racer = pself.callPackage ../pkgs/mini-racer.nix { };
};
};
python3Packages = self.python3.pkgs;
pyload-ng = self.callPackage ../pkgs/pyload-ng-updated.nix { pyload-ng = super.pyload-ng; };
pyload-ng = self.callPackage ../pkgs/pyload-ng { pyload-ng = super.pyload-ng; };
# vscode-insiders = (super.callPackage ../pkgs/vscode-insiders.nix { });
}

32
utils/pkgs/aia-chaser/default.nix Normal file
View File

@@ -0,0 +1,32 @@
{ lib
, buildPythonPackage
, fetchPypi
, cryptography
}:
buildPythonPackage rec {
pname = "aia-chaser";
version = "3.3.0";
format = "wheel";
src = fetchPypi {
pname = "aia_chaser";
inherit version format;
dist = "py3";
python = "py3";
hash = "sha256-L0aBV3kfAVI1aJH7VgiiEXzGBSP/HU2zAlahkHeT8hk=";
};
dependencies = [
cryptography
];
pythonImportsCheck = [ "aia_chaser" ];
meta = with lib; {
description = "Retrieve missing certificates to complete SSL certificate chains";
homepage = "https://github.com/dirkjanm/aia-chaser";
license = licenses.mit;
maintainers = [ ];
};
}

30
utils/pkgs/claude-code/default.nix Normal file
View File

@@ -0,0 +1,30 @@
{ lib, pkgs, runCommand, claude-code }:
let
version = "2.0.55";
src = pkgs.fetchzip {
url = "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-${version}.tgz";
hash = "sha256-wsjOkNxuBLMYprjaZQyUZHiqWl8UG7cZ1njkyKZpRYg=";
};
# Create a modified source with our package-lock.json
srcWithLock = runCommand "claude-code-src-${version}" {} ''
cp -r ${src} $out
chmod -R +w $out
cp ${./package-lock.json} $out/package-lock.json
'';
in
(claude-code.override {}).overrideAttrs (oldAttrs: {
inherit version;
src = srcWithLock;
npmDeps = pkgs.fetchNpmDeps {
src = srcWithLock;
hash = "sha256-cFvPoCmh3XpJe/5LPZizfBz6F6xAPYnBNimrK4+VbPw=";
};
# Remove the old postPatch since srcWithLock already includes package-lock.json
postPatch = "";
})

319
utils/pkgs/claude-code/package-lock.json generated Normal file
View File

@@ -0,0 +1,319 @@
{
"name": "claude-code",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"dependencies": {
"@anthropic-ai/claude-code": "^2.0.55"
}
},
"node_modules/@anthropic-ai/claude-code": {
"version": "2.0.55",
"resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-2.0.55.tgz",
"integrity": "sha512-IVY6J2KgTP5BiCbLmuP3kAl8jbXfd6yGoXtvc0L0eiZwxJUMa+cubUU0U8qHRnVkNmDAis+O4P00KmeuGzSLWg==",
"license": "SEE LICENSE IN README.md",
"bin": {
"claude": "cli.js"
},
"engines": {
"node": ">=18.0.0"
},
"optionalDependencies": {
"@img/sharp-darwin-arm64": "^0.33.5",
"@img/sharp-darwin-x64": "^0.33.5",
"@img/sharp-linux-arm": "^0.33.5",
"@img/sharp-linux-arm64": "^0.33.5",
"@img/sharp-linux-x64": "^0.33.5",
"@img/sharp-linuxmusl-arm64": "^0.33.5",
"@img/sharp-linuxmusl-x64": "^0.33.5",
"@img/sharp-win32-x64": "^0.33.5"
}
},
"node_modules/@img/sharp-darwin-arm64": {
"version": "0.33.5",
"resolved": "https://registry.npmjs.org/@img/sharp-darwin-arm64/-/sharp-darwin-arm64-0.33.5.tgz",
"integrity": "sha512-UT4p+iz/2H4twwAoLCqfA9UH5pI6DggwKEGuaPy7nCVQ8ZsiY5PIcrRvD1DzuY3qYL07NtIQcWnBSY/heikIFQ==",
"cpu": [
"arm64"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"darwin"
],
"engines": {
"node": "^18.17.0 || ^20.3.0 || >=21.0.0"
},
"funding": {
"url": "https://opencollective.com/libvips"
},
"optionalDependencies": {
"@img/sharp-libvips-darwin-arm64": "1.0.4"
}
},
"node_modules/@img/sharp-darwin-x64": {
"version": "0.33.5",
"resolved": "https://registry.npmjs.org/@img/sharp-darwin-x64/-/sharp-darwin-x64-0.33.5.tgz",
"integrity": "sha512-fyHac4jIc1ANYGRDxtiqelIbdWkIuQaI84Mv45KvGRRxSAa7o7d1ZKAOBaYbnepLC1WqxfpimdeWfvqqSGwR2Q==",
"cpu": [
"x64"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"darwin"
],
"engines": {
"node": "^18.17.0 || ^20.3.0 || >=21.0.0"
},
"funding": {
"url": "https://opencollective.com/libvips"
},
"optionalDependencies": {
"@img/sharp-libvips-darwin-x64": "1.0.4"
}
},
"node_modules/@img/sharp-libvips-darwin-arm64": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-arm64/-/sharp-libvips-darwin-arm64-1.0.4.tgz",
"integrity": "sha512-XblONe153h0O2zuFfTAbQYAX2JhYmDHeWikp1LM9Hul9gVPjFY427k6dFEcOL72O01QxQsWi761svJ/ev9xEDg==",
"cpu": [
"arm64"
],
"license": "LGPL-3.0-or-later",
"optional": true,
"os": [
"darwin"
],
"funding": {
"url": "https://opencollective.com/libvips"
}
},
"node_modules/@img/sharp-libvips-darwin-x64": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-x64/-/sharp-libvips-darwin-x64-1.0.4.tgz",
"integrity": "sha512-xnGR8YuZYfJGmWPvmlunFaWJsb9T/AO2ykoP3Fz/0X5XV2aoYBPkX6xqCQvUTKKiLddarLaxpzNe+b1hjeWHAQ==",
"cpu": [
"x64"
],
"license": "LGPL-3.0-or-later",
"optional": true,
"os": [
"darwin"
],
"funding": {
"url": "https://opencollective.com/libvips"
}
},
"node_modules/@img/sharp-libvips-linux-arm": {
"version": "1.0.5",
"resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm/-/sharp-libvips-linux-arm-1.0.5.tgz",
"integrity": "sha512-gvcC4ACAOPRNATg/ov8/MnbxFDJqf/pDePbBnuBDcjsI8PssmjoKMAz4LtLaVi+OnSb5FK/yIOamqDwGmXW32g==",
"cpu": [
"arm"
],
"license": "LGPL-3.0-or-later",
"optional": true,
"os": [
"linux"
],
"funding": {
"url": "https://opencollective.com/libvips"
}
},
"node_modules/@img/sharp-libvips-linux-arm64": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm64/-/sharp-libvips-linux-arm64-1.0.4.tgz",
"integrity": "sha512-9B+taZ8DlyyqzZQnoeIvDVR/2F4EbMepXMc/NdVbkzsJbzkUjhXv/70GQJ7tdLA4YJgNP25zukcxpX2/SueNrA==",
"cpu": [
"arm64"
],
"license": "LGPL-3.0-or-later",
"optional": true,
"os": [
"linux"
],
"funding": {
"url": "https://opencollective.com/libvips"
}
},
"node_modules/@img/sharp-libvips-linux-x64": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-x64/-/sharp-libvips-linux-x64-1.0.4.tgz",
"integrity": "sha512-MmWmQ3iPFZr0Iev+BAgVMb3ZyC4KeFc3jFxnNbEPas60e1cIfevbtuyf9nDGIzOaW9PdnDciJm+wFFaTlj5xYw==",
"cpu": [
"x64"
],
"license": "LGPL-3.0-or-later",
"optional": true,
"os": [
"linux"
],
"funding": {
"url": "https://opencollective.com/libvips"
}
},
"node_modules/@img/sharp-libvips-linuxmusl-arm64": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-arm64/-/sharp-libvips-linuxmusl-arm64-1.0.4.tgz",
"integrity": "sha512-9Ti+BbTYDcsbp4wfYib8Ctm1ilkugkA/uscUn6UXK1ldpC1JjiXbLfFZtRlBhjPZ5o1NCLiDbg8fhUPKStHoTA==",
"cpu": [
"arm64"
],
"license": "LGPL-3.0-or-later",
"optional": true,
"os": [
"linux"
],
"funding": {
"url": "https://opencollective.com/libvips"
}
},
"node_modules/@img/sharp-libvips-linuxmusl-x64": {
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-x64/-/sharp-libvips-linuxmusl-x64-1.0.4.tgz",
"integrity": "sha512-viYN1KX9m+/hGkJtvYYp+CCLgnJXwiQB39damAO7WMdKWlIhmYTfHjwSbQeUK/20vY154mwezd9HflVFM1wVSw==",
"cpu": [
"x64"
],
"license": "LGPL-3.0-or-later",
"optional": true,
"os": [
"linux"
],
"funding": {
"url": "https://opencollective.com/libvips"
}
},
"node_modules/@img/sharp-linux-arm": {
"version": "0.33.5",
"resolved": "https://registry.npmjs.org/@img/sharp-linux-arm/-/sharp-linux-arm-0.33.5.tgz",
"integrity": "sha512-JTS1eldqZbJxjvKaAkxhZmBqPRGmxgu+qFKSInv8moZ2AmT5Yib3EQ1c6gp493HvrvV8QgdOXdyaIBrhvFhBMQ==",
"cpu": [
"arm"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"linux"
],
"engines": {
"node": "^18.17.0 || ^20.3.0 || >=21.0.0"
},
"funding": {
"url": "https://opencollective.com/libvips"
},
"optionalDependencies": {
"@img/sharp-libvips-linux-arm": "1.0.5"
}
},
"node_modules/@img/sharp-linux-arm64": {
"version": "0.33.5",
"resolved": "https://registry.npmjs.org/@img/sharp-linux-arm64/-/sharp-linux-arm64-0.33.5.tgz",
"integrity": "sha512-JMVv+AMRyGOHtO1RFBiJy/MBsgz0x4AWrT6QoEVVTyh1E39TrCUpTRI7mx9VksGX4awWASxqCYLCV4wBZHAYxA==",
"cpu": [
"arm64"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"linux"
],
"engines": {
"node": "^18.17.0 || ^20.3.0 || >=21.0.0"
},
"funding": {
"url": "https://opencollective.com/libvips"
},
"optionalDependencies": {
"@img/sharp-libvips-linux-arm64": "1.0.4"
}
},
"node_modules/@img/sharp-linux-x64": {
"version": "0.33.5",
"resolved": "https://registry.npmjs.org/@img/sharp-linux-x64/-/sharp-linux-x64-0.33.5.tgz",
"integrity": "sha512-opC+Ok5pRNAzuvq1AG0ar+1owsu842/Ab+4qvU879ippJBHvyY5n2mxF1izXqkPYlGuP/M556uh53jRLJmzTWA==",
"cpu": [
"x64"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"linux"
],
"engines": {
"node": "^18.17.0 || ^20.3.0 || >=21.0.0"
},
"funding": {
"url": "https://opencollective.com/libvips"
},
"optionalDependencies": {
"@img/sharp-libvips-linux-x64": "1.0.4"
}
},
"node_modules/@img/sharp-linuxmusl-arm64": {
"version": "0.33.5",
"resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-arm64/-/sharp-linuxmusl-arm64-0.33.5.tgz",
"integrity": "sha512-XrHMZwGQGvJg2V/oRSUfSAfjfPxO+4DkiRh6p2AFjLQztWUuY/o8Mq0eMQVIY7HJ1CDQUJlxGGZRw1a5bqmd1g==",
"cpu": [
"arm64"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"linux"
],
"engines": {
"node": "^18.17.0 || ^20.3.0 || >=21.0.0"
},
"funding": {
"url": "https://opencollective.com/libvips"
},
"optionalDependencies": {
"@img/sharp-libvips-linuxmusl-arm64": "1.0.4"
}
},
"node_modules/@img/sharp-linuxmusl-x64": {
"version": "0.33.5",
"resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-x64/-/sharp-linuxmusl-x64-0.33.5.tgz",
"integrity": "sha512-WT+d/cgqKkkKySYmqoZ8y3pxx7lx9vVejxW/W4DOFMYVSkErR+w7mf2u8m/y4+xHe7yY9DAXQMWQhpnMuFfScw==",
"cpu": [
"x64"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"linux"
],
"engines": {
"node": "^18.17.0 || ^20.3.0 || >=21.0.0"
},
"funding": {
"url": "https://opencollective.com/libvips"
},
"optionalDependencies": {
"@img/sharp-libvips-linuxmusl-x64": "1.0.4"
}
},
"node_modules/@img/sharp-win32-x64": {
"version": "0.33.5",
"resolved": "https://registry.npmjs.org/@img/sharp-win32-x64/-/sharp-win32-x64-0.33.5.tgz",
"integrity": "sha512-MpY/o8/8kj+EcnxwvrP4aTJSWw/aZ7JIGR4aBeZkZw5B7/Jn+tY9/VNwtcoGmdT7GfggGIU4kygOMSbYnOrAbg==",
"cpu": [
"x64"
],
"license": "Apache-2.0 AND LGPL-3.0-or-later",
"optional": true,
"os": [
"win32"
],
"engines": {
"node": "^18.17.0 || ^20.3.0 || >=21.0.0"
},
"funding": {
"url": "https://opencollective.com/libvips"
}
}
}
}

73
utils/pkgs/claude-code/update.sh Executable file
View File

@@ -0,0 +1,73 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p nodejs nix-prefetch cacert
set -euo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
# Get latest version from npm
version=$(npm view @anthropic-ai/claude-code version)
echo "Latest version: $version"
# Update version in default.nix
sed -i "s/version = \".*\";/version = \"$version\";/" default.nix
# Fetch and update source hash
echo "Fetching source tarball..."
url="https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-${version}.tgz"
hash=$(nix-prefetch-url --unpack --type sha256 "$url" 2>/dev/null)
sri_hash=$(nix-hash --type sha256 --to-sri "$hash")
# Update only the source hash (in fetchzip block)
sed -i "/src = pkgs.fetchzip/,/};/ s|hash = \"sha256-.*\";|hash = \"$sri_hash\";|" default.nix
# Generate new package-lock.json
echo "Generating package-lock.json..."
npm i --package-lock-only @anthropic-ai/claude-code@"$version"
rm -f package.json
# Set placeholder for npmDepsHash only (in fetchNpmDeps block)
sed -i "/npmDeps = pkgs.fetchNpmDeps/,/};/ s|hash = \"sha256-.*\";|hash = \"sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\";|" default.nix
echo ""
echo "Updated to version $version"
echo "Source hash: $sri_hash"
echo ""
# Go to repo root (3 levels up from utils/pkgs/claude-code)
repo_root="$(cd ../../.. && pwd)"
cd "$repo_root"
# Build to get the correct npmDepsHash
echo "Building package to determine npmDepsHash..."
build_output=$(NIXPKGS_ALLOW_UNFREE=1 nix build --impure --no-link --expr 'with import <nixpkgs> {}; callPackage ./utils/pkgs/claude-code { inherit lib pkgs runCommand claude-code; }' 2>&1 || true)
# Extract the hash from build output
npm_deps_hash=$(echo "$build_output" | grep -oP "got:\s+sha256-[A-Za-z0-9+/=]+" | tail -1 | awk '{print $2}')
if [ -z "$npm_deps_hash" ]; then
echo "Error: Could not determine npmDepsHash from build output"
echo "Build output:"
echo "$build_output"
exit 1
fi
echo "npmDepsHash: $npm_deps_hash"
# Update npmDepsHash in default.nix
cd "$repo_root/utils/pkgs/claude-code"
sed -i "/npmDeps = pkgs.fetchNpmDeps/,/};/ s|hash = \"sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\";|hash = \"$npm_deps_hash\";|" default.nix
# Verify the build works
echo ""
echo "Verifying build..."
cd "$repo_root"
if NIXPKGS_ALLOW_UNFREE=1 nix build --impure --no-link --expr 'with import <nixpkgs> {}; callPackage ./utils/pkgs/claude-code { inherit lib pkgs runCommand claude-code; }'; then
echo ""
echo "✓ Successfully updated claude-code to version $version"
echo " Source hash: $sri_hash"
echo " npmDepsHash: $npm_deps_hash"
else
echo ""
echo "✗ Build failed after updating hashes"
exit 1
fi

297
utils/pkgs/clicknload-proxy/clicknload-proxy.py Normal file
View File

@@ -0,0 +1,297 @@
#!/usr/bin/env python3
"""
Click'n'Load proxy - receives CNL requests and forwards to pyLoad API.
Implements the Click'n'Load protocol:
1. GET /jdcheck.js -> responds with jdownloader=true
2. POST /flash/addcrypted2 -> decrypts links and sends to pyLoad
"""
import argparse
import base64
import html
import json
import re
import sys
import traceback
import urllib.request
import urllib.parse
from http.server import HTTPServer, BaseHTTPRequestHandler
from Crypto.Cipher import AES
def log(msg):
"""Log with immediate flush for systemd journal visibility."""
print(f"[CNL] {msg}", flush=True)
def fetch_package_name(url):
"""Fetch package name from source page by extracting <h2> tag (like JDownloader)."""
if not url or not url.startswith("http"):
return None
try:
log(f"Fetching package name from {url}")
req = urllib.request.Request(
url,
headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}
)
with urllib.request.urlopen(req, timeout=10) as resp:
content = resp.read().decode("utf-8", errors="ignore")
# Extract <h2> content like JDownloader does
match = re.search(r'<h2[^>]*>([^<]+)<', content)
if match:
name = html.unescape(match.group(1)).strip()
log(f"Extracted package name: {name}")
return name
log("No <h2> tag found on page")
return None
except Exception as e:
log(f"Failed to fetch package name: {e}")
return None
def extract_package_name_from_links(links):
"""Extract package name from common prefix of link filenames."""
if not links:
return None
# Extract filenames from URLs
filenames = []
for link in links:
parsed = urllib.parse.urlparse(link)
path = urllib.parse.unquote(parsed.path)
filename = path.split("/")[-1] if path else ""
# Remove extension
if "." in filename:
filename = filename.rsplit(".", 1)[0]
if filename:
filenames.append(filename)
if not filenames:
return None
if len(filenames) == 1:
# Single file - use its name
name = filenames[0]
log(f"Single file, using name: {name}")
return name
# Find common prefix among all filenames
prefix = filenames[0]
for filename in filenames[1:]:
while prefix and not filename.startswith(prefix):
# Remove last character or segment
if "." in prefix:
prefix = prefix.rsplit(".", 1)[0]
elif "-" in prefix:
prefix = prefix.rsplit("-", 1)[0]
elif "_" in prefix:
prefix = prefix.rsplit("_", 1)[0]
else:
prefix = prefix[:-1]
# Clean up trailing separators
prefix = prefix.rstrip(".-_ ")
if prefix and len(prefix) >= 3:
log(f"Common prefix from {len(filenames)} files: {prefix}")
return prefix
# Fallback: use first filename
name = filenames[0]
log(f"No common prefix, using first filename: {name}")
return name
class ClickNLoadHandler(BaseHTTPRequestHandler):
pyload_url = None
pyload_user = None
pyload_pass = None
def log_message(self, format, *args):
log(f"{self.command} {self.path}")
def send_cors_headers(self):
"""Add CORS headers to allow cross-origin requests."""
self.send_header("Access-Control-Allow-Origin", "*")
self.send_header("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
self.send_header("Access-Control-Allow-Headers", "Content-Type")
def do_OPTIONS(self):
"""Handle CORS preflight requests."""
self.send_response(200)
self.send_cors_headers()
self.end_headers()
def do_GET(self):
if self.path == "/jdcheck.js":
self.send_response(200)
self.send_header("Content-Type", "text/javascript")
self.send_cors_headers()
self.end_headers()
self.wfile.write(b"jdownloader=true;")
else:
self.send_response(404)
self.send_cors_headers()
self.end_headers()
def do_POST(self):
if self.path == "/flash/addcrypted2":
content_length = int(self.headers.get("Content-Length", 0))
post_data = self.rfile.read(content_length).decode("utf-8")
params = urllib.parse.parse_qs(post_data)
jk = params.get("jk", [""])[0]
crypted = params.get("crypted", [""])[0]
source = params.get("source", ["Click'n'Load"])[0]
# Get actual page URL from Referer header
referer = self.headers.get("Referer", "")
log(f"Received addcrypted2: source={source}, referer={referer}")
log(f" jk_len={len(jk)}, crypted_len={len(crypted)}")
try:
links = self.decrypt_links(jk, crypted)
if links:
# Try to get package name: referer page -> link filenames -> source
package_name = (
fetch_package_name(referer) or
extract_package_name_from_links(links) or
source
)
self.add_to_pyload(links, package_name)
self.send_response(200)
self.send_cors_headers()
self.end_headers()
self.wfile.write(b"success")
else:
log("Error: No links found after decryption")
self.send_response(500)
self.send_cors_headers()
self.end_headers()
self.wfile.write(b"No links found")
except Exception as e:
log(f"Error: {e}")
log(traceback.format_exc())
self.send_response(500)
self.send_cors_headers()
self.end_headers()
self.wfile.write(str(e).encode())
else:
self.send_response(404)
self.send_cors_headers()
self.end_headers()
def decrypt_links(self, jk, crypted):
"""Decrypt Click'n'Load encrypted links."""
# Extract hex key from JavaScript function
# Format: function f(){ return '...hex...'; }
match = re.search(r"return\s*['\"]([0-9a-fA-F]+)['\"]", jk)
if not match:
log(f"Could not extract key from jk: {jk[:100]}...")
raise ValueError("Could not extract key from jk")
key_hex = match.group(1)
key = bytes.fromhex(key_hex)
log(f"Extracted key: {len(key)} bytes")
# Decrypt (AES-128-CBC, key is also IV)
cipher = AES.new(key, AES.MODE_CBC, iv=key)
encrypted = base64.b64decode(crypted)
decrypted = cipher.decrypt(encrypted)
# Remove PKCS7 padding
pad_len = decrypted[-1]
decrypted = decrypted[:-pad_len]
# Split into links
links = decrypted.decode("utf-8").strip().split("\n")
links = [l.strip() for l in links if l.strip()]
log(f"Decrypted {len(links)} links")
return links
def add_to_pyload(self, links, package_name):
"""Add links to pyLoad via API using HTTP Basic Auth."""
if not self.pyload_url:
log("No pyLoad URL configured, printing links:")
for link in links:
log(f" {link}")
return
log(f"Adding package to pyLoad at {self.pyload_url}")
# Build Basic Auth header
credentials = f"{self.pyload_user}:{self.pyload_pass}"
auth_header = base64.b64encode(credentials.encode()).decode()
# Add package using new API endpoint with HTTP Basic Auth
add_url = f"{self.pyload_url}/api/add_package"
add_data = json.dumps({
"name": package_name or "Click'n'Load",
"links": links
}).encode()
req = urllib.request.Request(
add_url,
data=add_data,
headers={
"Content-Type": "application/json",
"Authorization": f"Basic {auth_header}"
}
)
try:
with urllib.request.urlopen(req, timeout=10) as resp:
result = resp.read().decode()
log(f"Added package to pyLoad: {result}")
except urllib.error.HTTPError as e:
body = e.read().decode() if e.fp else ""
log(f"Failed to add package: {e.code} {e.reason} - {body}")
raise
except urllib.error.URLError as e:
log(f"Failed to add package: {e}")
raise
def main():
parser = argparse.ArgumentParser(description="Click'n'Load proxy for pyLoad")
parser.add_argument("--port", type=int, default=9666, help="Port to listen on")
parser.add_argument("--host", default="127.0.0.1", help="Host to bind to")
parser.add_argument("--pyload-url", help="pyLoad URL (e.g., https://pyload.example.com)")
parser.add_argument("--pyload-user", help="pyLoad username")
parser.add_argument("--pyload-pass", help="pyLoad password")
parser.add_argument("--config", help="Config file with pyLoad credentials (JSON)")
args = parser.parse_args()
# Load config from file if provided
if args.config:
with open(args.config) as f:
config = json.load(f)
args.pyload_url = config.get("pyloadUrl", args.pyload_url)
args.pyload_user = config.get("pyloadUser", args.pyload_user)
args.pyload_pass = config.get("pyloadPW", args.pyload_pass)
ClickNLoadHandler.pyload_url = args.pyload_url
ClickNLoadHandler.pyload_user = args.pyload_user
ClickNLoadHandler.pyload_pass = args.pyload_pass
server = HTTPServer((args.host, args.port), ClickNLoadHandler)
log(f"Click'n'Load proxy listening on {args.host}:{args.port}")
if args.pyload_url:
log(f"Forwarding to pyLoad at {args.pyload_url}")
else:
log("No pyLoad URL configured, will print links to stdout")
try:
server.serve_forever()
except KeyboardInterrupt:
log("Shutting down")
server.shutdown()
if __name__ == "__main__":
main()

34
utils/pkgs/clicknload-proxy/default.nix Normal file
View File

@@ -0,0 +1,34 @@
{ lib
, python3
, makeWrapper
}:
let
python = python3.withPackages (ps: [ ps.pycryptodome ]);
in
python3.pkgs.buildPythonApplication {
pname = "clicknload-proxy";
version = "1.0.0";
format = "other";
src = ./.;
nativeBuildInputs = [ makeWrapper ];
propagatedBuildInputs = [ python3.pkgs.pycryptodome ];
installPhase = ''
mkdir -p $out/bin
cp clicknload-proxy.py $out/bin/clicknload-proxy
chmod +x $out/bin/clicknload-proxy
wrapProgram $out/bin/clicknload-proxy \
--prefix PYTHONPATH : "${python}/${python.sitePackages}"
'';
meta = with lib; {
description = "Click'n'Load proxy that forwards links to pyLoad";
license = licenses.mit;
mainProgram = "clicknload-proxy";
};
}

9
utils/pkgs/pyload-ng-updated.nix → utils/pkgs/pyload-ng/default.nix
View File

@@ -6,12 +6,17 @@ pyload-ng.overridePythonAttrs (oldAttrs: rec {
src = fetchFromGitHub {
owner = "pyload";
repo = "pyload";
rev = "3115740a2210fd57b5d050cd0850a0e61ec493ed"; # [DdownloadCom] fix #4537
hash = "sha256-g1eEeNnr3Axtr+0BJzMcNQomTEX4EsUG1Jxt+huPyoc=";
rev = "71f2700184ee9344dc313d9833ca7a6bb36007db"; # [DdownloadCom] fix #4537
hash = "sha256-XAa+XbC3kko+zvEMZkPXRoaHAmEFGsNBDxysX+X06Jc=";
};
patches = [
./patches/declarative-env-config.patch
];
# Add new dependencies required in newer versions
propagatedBuildInputs = (oldAttrs.propagatedBuildInputs or []) ++ (with python3Packages; [
aia-chaser
mini-racer
packaging
pydantic

38
utils/pkgs/pyload-ng/patches/declarative-env-config.patch Normal file
View File

@@ -0,0 +1,38 @@
--- a/src/pyload/core/__init__.py
+++ b/src/pyload/core/__init__.py
@@ -130,6 +130,14 @@ class Core:
else:
self._debug = max(0, int(debug))
+ # Process core config environment variables (NixOS declarative config)
+ for env, value in os.environ.items():
+ if not env.startswith("PYLOAD__"):
+ continue
+ parts = env.removeprefix("PYLOAD__").lower().split("__", 1)
+ if len(parts) == 2 and parts[0] in self.config.config:
+ self.config.set(parts[0], parts[1], value)
+
# If no argument set, read storage dir from config file,
# otherwise save setting to config dir
if storagedir is None:
@@ -226,6 +234,20 @@ class Core:
self.acm = self.account_manager = AccountManager(self)
self.thm = self.thread_manager = ThreadManager(self)
self.cpm = self.captcha_manager = CaptchaManager(self)
+
+ # Process plugin config environment variables BEFORE AddonManager (NixOS declarative config)
+ # This must happen before AddonManager reads the enabled flag to decide which addons to start
+ # Build case-insensitive lookup map for plugin names
+ plugin_name_map = {name.lower(): name for name in self.config.plugin.keys()}
+
+ for env, value in os.environ.items():
+ if not env.startswith("PYLOAD__"):
+ continue
+ parts = env.removeprefix("PYLOAD__").lower().split("__", 1)
+ if len(parts) == 2 and parts[0] in plugin_name_map:
+ actual_plugin_name = plugin_name_map[parts[0]]
+ self.config.set_plugin(actual_plugin_name, parts[1], value)
+
self.adm = self.addon_manager = AddonManager(self)
def _setup_permissions(self):

15
scripts/update-pyload-hash → utils/pkgs/pyload-ng/update.sh
View File

@@ -7,9 +7,10 @@ GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Script directory
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
# Script and repo directories
cd "$(dirname "${BASH_SOURCE[0]}")"
PKG_DIR="$(pwd)"
REPO_ROOT="$(cd ../../.. && pwd)"
# Check if commit SHA is provided
if [ $# -ne 1 ]; then
@@ -34,7 +35,7 @@ fi
echo -e "${GREEN}==> Updating pyload-ng to commit: ${COMMIT_SHA}${NC}"
# File to update
PKG_FILE="$REPO_ROOT/utils/pkgs/pyload-ng-updated.nix"
PKG_FILE="$PKG_DIR/default.nix"
if [ ! -f "$PKG_FILE" ]; then
echo -e "${RED}Error: Package file not found: $PKG_FILE${NC}"
@@ -53,7 +54,8 @@ echo " ✓ Updated hash in $PKG_FILE"
# Step 3: Build package to discover the correct hash
echo -e "${YELLOW}Step 3: Building package to discover hash...${NC}"
BUILD_OUTPUT=$(nix-build --impure -E "with import <nixpkgs> { overlays = [ (import $REPO_ROOT/utils/overlays/packages.nix) ]; }; callPackage $PKG_FILE { }" 2>&1 || true)
cd "$REPO_ROOT"
BUILD_OUTPUT=$(nix-build --impure -E "with import <nixpkgs> { overlays = [ (import ./utils/overlays/packages.nix) ]; }; callPackage ./utils/pkgs/pyload-ng { }" 2>&1 || true)
# Extract hash from error message
HASH=$(echo "$BUILD_OUTPUT" | grep -oP '\s+got:\s+\Ksha256-[A-Za-z0-9+/=]+' | head -1)
@@ -74,7 +76,7 @@ echo " ✓ Updated hash in $PKG_FILE"
# Step 5: Verify the build succeeds
echo -e "${YELLOW}Step 5: Verifying build with correct hash...${NC}"
if nix-build --impure -E "with import <nixpkgs> { overlays = [ (import $REPO_ROOT/utils/overlays/packages.nix) ]; }; callPackage $PKG_FILE { }" > /dev/null 2>&1; then
if nix-build --impure -E "with import <nixpkgs> { overlays = [ (import ./utils/overlays/packages.nix) ]; }; callPackage ./utils/pkgs/pyload-ng { }" > /dev/null 2>&1; then
echo " ✓ Build verification successful"
else
echo -e "${RED}Error: Build verification failed${NC}"
@@ -83,7 +85,6 @@ fi
# Step 6: Test configuration for fw host (which uses pyload)
echo -e "${YELLOW}Step 6: Testing fw configuration...${NC}"
cd "$REPO_ROOT"
if ./scripts/test-configuration fw > /dev/null 2>&1; then
echo " ✓ Configuration test passed"
else