Cloonar/nixos
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: Cloonar:d7287222747b89e0c246f0adf05f058219432c5c
Branches Tags
Cloonar:master
..
compare: Cloonar:master
Branches Tags
Cloonar:master

44 commits
d728722274 ... master

Author SHA1 Message Date
Dominik Polakovics
470f84a4b9 feat: update repos to new forgejo 2026-02-01 16:05:54 +01:00
Dominik Polakovics
d140a20ed9 feat: remove tmux from dev and add claude resume shortcut 2026-02-01 15:47:41 +01:00
Dominik Polakovics
0af3423147 feat: add dev host to fleet 2026-02-01 15:36:29 +01:00
Dominik Polakovics
646bbde71c feat: forgejo alerts 2026-02-01 15:23:25 +01:00
Dominik Polakovics
f5a0bc582d feat: fw final switch to forgejo 2026-02-01 15:23:10 +01:00
Dominik Polakovics
25580ded3b feat: nb change networking and add projects 2026-02-01 14:23:27 +01:00
Dominik Polakovics
cb67ba33ac feat: fw changes for dev server 2026-02-01 14:06:46 +01:00
Dominik Polakovics
91fabfe857 feat: dev fix mkcert and ddev reachability 2026-02-01 14:03:32 +01:00
Dominik Polakovics
6d7db643bc feat: add dev host 2026-02-01 10:52:59 +01:00
Dominik Polakovics
cabf453a5d fix: forgejo use github for actions url 2026-01-31 19:55:11 +01:00
Dominik Polakovics
766943bbb1 fix: secrets for forgejo runner 2026-01-31 15:04:47 +01:00
Dominik Polakovics
bb8e720ddf feat: fw add forgejo runner 2026-01-31 15:04:35 +01:00
Dominik Polakovics
b11d9b2fb9 feat: ha add morning active automation 2026-01-31 15:04:23 +01:00
Dominik Polakovics
d83f4ec903 fix: ha coming home prompt 2026-01-30 23:36:54 +01:00
Dominik Polakovics
1ca4a59fe5 feat: fw add moltbot 2026-01-30 08:59:52 +01:00
Dominik Polakovics
190c2ee5c5 feat: changes to home assistant getting home 2026-01-30 08:59:36 +01:00
Dominik Polakovics
eba36f9d56 fix: forgejo ip 2026-01-27 00:52:16 +01:00
Dominik Polakovics
9d7b8082c0 feat: add initial forgejo 2026-01-26 23:35:07 +01:00
Dominik Polakovics
11e7b74140 fix: git runner memory increase 2026-01-26 23:34:52 +01:00
Dominik Polakovics
8324aed9e0 feat: upgrade to nextcloud32 2026-01-25 15:42:13 +01:00
Dominik Polakovics
307e8f2307 feat: add redis for authelia session storage 2026-01-25 15:24:13 +01:00
Dominik Polakovics
c589a47353 fix: firefox and thunderbird scaling 2026-01-25 15:23:53 +01:00
Dominik Polakovics
b2b263013a feat: add codex to nvim 2026-01-25 14:41:13 +01:00
Dominik Polakovics
68273a7259 fix: grafana alerts 2026-01-25 14:41:04 +01:00
Dominik Polakovics
b0cbb5a3b4 fix: pyload user bash 2026-01-25 14:40:41 +01:00
Dominik Polakovics
f6a9a9e0ff feat: update claude-code 2026-01-20 13:35:09 +01:00
Dominik Polakovics
64e3b4c557 fix: ddclient 2026-01-20 11:42:45 +01:00
Dominik Polakovics
89b70fe6f7 feat: nas add audiobookshelf 2026-01-18 20:41:17 +01:00
Dominik Polakovics
edbf5dcbbc feat: fw some changes 2026-01-18 20:41:00 +01:00
Dominik Polakovics
694c11bcd5 feat: fw wg and ha add fairphone 2026-01-17 20:13:53 +01:00
Dominik Polakovics
c478c2ea66 feat: web add php82, php83 and php84 2026-01-08 13:05:52 +01:00
Dominik Polakovics
025adf4142 feat: add project 2026-01-05 10:45:45 +01:00
Dominik Polakovics
21c5c6dbd5 fix: alerting 2026-01-05 10:45:38 +01:00
Dominik Polakovics
ed451e3b95 feat: fw add export for ai-mailer service alert 2026-01-04 19:02:28 +01:00
Dominik Polakovics
e83aa3c893 feat: webarm: normalize service alerts 2026-01-04 19:02:11 +01:00
Dominik Polakovics
336ddb13f8 fix: fueltide hosting 2026-01-03 17:55:06 +01:00
Dominik Polakovics
8ae96c9b38 fix: nas pyload filebot service 2025-12-31 15:07:47 +01:00
Dominik Polakovics
5dba628040 feat: nb, nvim config, install apps 2025-12-31 15:07:32 +01:00
Dominik Polakovics
4bc85210f9 fix: dominik thunderbird calendar invitation mail 2025-12-29 00:24:25 +01:00
Dominik Polakovics
f75f9d1a51 feat: web-arm add fueltide vhost 2025-12-28 22:35:20 +01:00
Dominik Polakovics
4709d34b3e feat: changes to battery warning 2025-12-28 12:33:51 +01:00
Dominik Polakovics
6e28a799cc fix: change cyberghost for speed 2025-12-27 11:49:09 +01:00
Dominik Polakovics
bbc0cc1d4a fix: add autoupgrade to nas 2025-12-27 11:49:03 +01:00
Dominik Polakovics
4d343623c7 feat: update claude code 2025-12-27 11:48:44 +01:00
68 changed files with 1919 additions and 1184 deletions
Download patch file Download diff file Expand all files Collapse all files

4
fleet.nix
View file

@ -51,6 +51,10 @@
username = "nas";
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICS6b97LPUpr7/kWvOcI40s5e+gfbfz0I2/hAPL6zTmU";
}
{
username = "dev";
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICS6b97LPUpr7/kWvOcI40s5e+gfbfz0I2/hAPL6zTmU";
}
{
username = "amzebs-01";

3
hosts/amzebs-01/configuration.nix
View file

@ -60,6 +60,9 @@
};
};
# Systemd services to monitor
services.victoriametrics.monitoredServices = [ "mysql" "nginx" "phpfpm-.*" ];
# backups - adjust repo for this host
borgbackup.repo = "u149513-sub10@u149513-sub10.your-backup.de:borg";

1
hosts/dev/channel Normal file
View file

@ -0,0 +1 @@
https://channels.nixos.org/nixos-25.11

112
hosts/dev/configuration.nix Normal file
View file

@ -0,0 +1,112 @@
{ config, lib, pkgs, ... }:
let
projectsDir = "projects"; # Relative to /home/dominik
repositories = [
{ url = "gitea@git.cloonar.com:Cloonar/wohnservice-wien-typo3.git"; path = "cloonar/wohnservice-wien"; }
# Add repos here: { url = "git@..."; path = "relative/path"; }
];
cloneScript = pkgs.writeShellScript "clone-repos" ''
set -eu
export PATH="${pkgs.openssh}/bin:$PATH"
export GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh"
HOME_DIR="/home/dominik"
PROJECTS_DIR="$HOME_DIR/${projectsDir}"
mkdir -p "$PROJECTS_DIR"
chown dominik:users "$PROJECTS_DIR"
${lib.concatMapStrings (repo: ''
if [ ! -d "$PROJECTS_DIR/${repo.path}" ]; then
${pkgs.sudo}/bin/sudo -u dominik -E ${pkgs.git}/bin/git clone ${repo.url} "$PROJECTS_DIR/${repo.path}" || true
fi
'') repositories}
'';
in
{
imports = [
./modules/dev-tools.nix
];
networking.hostName = "dev";
networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
};
system.stateVersion = "22.05";
time.timeZone = "Europe/Vienna";
# User configuration
users.users.dominik = {
isNormalUser = true;
uid = 1000;
home = "/home/dominik";
extraGroups = [ "wheel" "docker" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
};
users.groups.users = {};
services.openssh.enable = true;
programs.zsh.enable = true;
users.defaultUserShell = pkgs.zsh;
# Welcome message with Claude Code reminder
users.motd = ''
Welcome to dev
Claude Code: claude or cr (resume last session)
'';
# Short alias for resuming Claude sessions
programs.zsh.shellAliases = {
cr = "claude --resume";
};
# Passwordless sudo for dominik
security.sudo.extraRules = [{
users = [ "dominik" ];
commands = [{
command = "ALL";
options = [ "NOPASSWD" ];
}];
}];
# Clone repos as dominik user on boot
systemd.services.clone-repos = {
description = "Clone configured git repositories";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = cloneScript;
RemainAfterExit = true;
};
};
# Create ddev global config to bind on all interfaces (allows access from other devices)
systemd.services.ddev-config = {
description = "Create ddev global config";
after = [ "local-fs.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = "dominik";
Group = "users";
};
script = ''
mkdir -p /home/dominik/.ddev
if [ ! -f /home/dominik/.ddev/global_config.yaml ]; then
cat > /home/dominik/.ddev/global_config.yaml << 'EOF'
router_bind_all_interfaces: true
EOF
fi
'';
};
}

53
hosts/dev/modules/dev-tools.nix Normal file
View file

@ -0,0 +1,53 @@
{ pkgs, ... }:
{
nixpkgs.overlays = [
(import ../utils/overlays/packages.nix)
];
environment.systemPackages = with pkgs; [
# Development tools
ddev
docker-compose
git
git-lfs
mkcert
screen
# PHP
php
# Node.js
nodejs_22
# AI coding
claude-code
# Utilities
jq
unzip
vim
wget
curl
htop
];
# Persistent SSH sessions with tmux
programs.tmux = {
enable = true;
clock24 = true;
historyLimit = 50000;
terminal = "screen-256color";
extraConfig = ''
# Enable mouse support
set -g mouse on
# Start windows and panes at 1, not 0
set -g base-index 1
setw -g pane-base-index 1
'';
};
# Docker for ddev
virtualisation.docker.enable = true;
users.users.dominik.extraGroups = [ "docker" ];
}

1
hosts/dev/utils Symbolic link
View file

@ -0,0 +1 @@
../../utils

10
hosts/fw/configuration.nix
View file

@ -32,17 +32,19 @@
# microvm
./modules/microvm.nix
./modules/gitea-vm.nix
./modules/forgejo-runner.nix
./modules/dev-microvm.nix
# ./modules/vscode-server.nix # Add VS Code Server microvm
./modules/ai-mailer.nix
# ./modules/wazuh.nix
./modules/moltbot.nix
# web
./modules/web
# git
./modules/gitea.nix
./modules/forgejo.nix
# ./modules/fwmetrics.nix
# ha customers
@ -76,6 +78,9 @@
networkPrefix = "10.42";
# Systemd services to monitor
services.victoriametrics.monitoredServices = [ "ai-mailer" "container@forgejo" "microvm@fj-runner-" ];
nixpkgs.overlays = [
(import ./utils/overlays/packages.nix)
];
@ -88,6 +93,7 @@
"mongodb"
"ai-mailer"
"filebot"
"claude-code"
];
# Intel N100 Graphics Support for hardware transcoding

1
hosts/fw/dev Symbolic link
View file

@ -0,0 +1 @@
../dev

20
hosts/fw/modules/ddclient.nix
View file

@ -2,20 +2,26 @@
{
services.ddclient = {
enable = true;
usev4 = "if, if=wan";
usev4 = "ifv4, ifv4=wan";
usev6 = "disabled";
protocol = "hetzner";
# server = "https://dns.hetzner.com/api/v1/";
username = "dominik.polakovics@cloonar.com";
passwordFile = config.sops.secrets.ddclient.path;
zone = "cloonar.com";
domains = [
"fw.cloonar.com"
"vpn.cloonar.com"
"git.cloonar.com"
"palworld.cloonar.com"
"matrix.cloonar.com"
"audiobooks.cloonar.com"
"element.cloonar.com"
"tinder.cloonar.com"
"foundry-vtt.cloonar.com"
"foundry-ha.cloonar.com"
"fw.cloonar.com"
"git.cloonar.com"
"jellyfin.cloonar.com"
"matrix.cloonar.com"
"palworld.cloonar.com"
"support.cloonar.com"
"sync.cloonar.com"
"vpn.cloonar.com"
];
};

73
hosts/fw/modules/dev-microvm.nix Normal file
View file

@ -0,0 +1,73 @@
{ lib, pkgs, config, ... }:
let
hostname = "dev";
in
{
# Create persist directories on the host
# UID 1000 = dominik user inside the microvm
systemd.tmpfiles.rules = [
"d /var/lib/microvm-persist 0755 root root -"
"d /var/lib/microvm-persist/dev 0755 root root -"
"d /var/lib/microvm-persist/dev/home 0755 root root -"
"d /var/lib/microvm-persist/dev/home/dominik 0700 1000 100 -"
];
microvm.vms.dev = {
# Use host's pkgs which already has overlays applied
inherit pkgs;
config = {
imports = [
../dev/configuration.nix
./network-prefix.nix
];
networkPrefix = config.networkPrefix;
microvm = {
mem = 4096;
vcpu = 2;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/var/lib/microvm-persist/dev";
mountPoint = "/persist";
tag = "persist";
proto = "virtiofs";
}
{
source = "/var/lib/microvm-persist/dev/home";
mountPoint = "/home";
tag = "home";
proto = "virtiofs";
}
];
volumes = [{
image = "rootfs.img";
mountPoint = "/";
size = 51200;
}];
interfaces = [{
type = "tap";
id = "vm-${hostname}";
mac = "02:00:00:00:02:01";
}];
};
systemd.network.networks."10-lan" = {
matchConfig.PermanentMACAddress = "02:00:00:00:02:01";
address = [ "${config.networkPrefix}.97.15/24" ];
gateway = [ "${config.networkPrefix}.97.1" ];
dns = [ "${config.networkPrefix}.97.1" ];
};
};
};
}

6
hosts/fw/modules/dnsmasq.nix
View file

@ -97,11 +97,13 @@
"/invidious.cloonar.com/${config.networkPrefix}.97.5"
"/fivefilters.cloonar.com/${config.networkPrefix}.97.5"
"/n8n.cloonar.com/${config.networkPrefix}.97.5"
"/dev.cloonar.com/${config.networkPrefix}.97.15"
"/.ddev.site/${config.networkPrefix}.97.15" # Wildcard for ddev projects
"/home-assistant.cloonar.com/${config.networkPrefix}.97.20"
"/mopidy.cloonar.com/${config.networkPrefix}.97.21"
"/snapcast.cloonar.com/${config.networkPrefix}.97.21"
"/lms.cloonar.com/${config.networkPrefix}.97.21"
"/git.cloonar.com/${config.networkPrefix}.97.50"
"/git.cloonar.com/${config.networkPrefix}.97.55"
"/feeds.cloonar.com/188.34.191.144"
"/nukibridge1a753f72.cloonar.smart/${config.networkPrefix}.100.112"
"/allywatch.cloonar.com/${config.networkPrefix}.97.5"
@ -137,6 +139,8 @@
# multimedia
"/dl.cloonar.com/${config.networkPrefix}.97.5"
"/jellyfin.cloonar.com/${config.networkPrefix}.97.5"
"/audiobooks.cloonar.com/${config.networkPrefix}.97.5"
"/moltbot.cloonar.com/${config.networkPrefix}.97.5"
"/deconz.cloonar.multimedia/${config.networkPrefix}.97.22"

4
hosts/fw/modules/firewall.nix
View file

@ -118,7 +118,7 @@
iifname "smart" oifname "server" ip daddr ${config.networkPrefix}.97.20/32 tcp dport { 1883 } counter accept
# Forward to git server
oifname "server" ip daddr ${config.networkPrefix}.97.50 tcp dport { 22 } counter accept
oifname "server" ip daddr ${config.networkPrefix}.97.55 tcp dport { 22 } counter accept
oifname "server" ip daddr ${config.networkPrefix}.97.5 tcp dport { 80, 443 } counter accept
# lan and vpn to any
@ -167,7 +167,7 @@
chain prerouting {
type nat hook prerouting priority filter; policy accept;
iifname "server" ip daddr ${config.networkPrefix}.96.255 udp dport { 9 } dnat to ${config.networkPrefix}.96.255
iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.50
iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.55
iifname "wan" tcp dport { 80, 443 } dnat to ${config.networkPrefix}.97.5
iifname "wan" tcp dport { 5000 } dnat to ${config.networkPrefix}.97.51
iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to ${config.networkPrefix}.97.201

87
hosts/fw/modules/forgejo-runner.nix Normal file
View file

@ -0,0 +1,87 @@
{ config, lib, pkgs, ... }: let
# Short names to fit Linux interface name limit (15 chars for vm-fj-runner-1)
runners = ["fj-runner-1" "fj-runner-2"];
# Offset by 5 to avoid conflicts with Gitea runners (01-02)
runnerOffset = 5;
in {
microvm.vms = lib.mapAttrs (runner: idx: {
config = {
microvm = {
mem = 8096;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/run/secrets";
mountPoint = "/run/secrets";
tag = "ro-token";
proto = "virtiofs";
}
];
volumes = [
{
image = "rootfs.img";
mountPoint = "/";
size = 51200;
}
];
interfaces = [
{
type = "tap";
id = "vm-${runner}";
mac = "02:00:00:00:00:0${toString (idx + runnerOffset)}";
}
];
};
systemd.network.networks."10-lan" = {
matchConfig.PermanentMACAddress = "02:00:00:00:00:0${toString (idx + runnerOffset)}";
address = [ "${config.networkPrefix}.97.5${toString (idx + runnerOffset)}/24" ];
gateway = [ "${config.networkPrefix}.97.1" ];
dns = [ "${config.networkPrefix}.97.1" ];
};
networking.hostName = runner;
virtualisation.podman.enable = true;
services.gitea-actions-runner.instances.${runner} = {
enable = true;
url = "https://git.cloonar.com";
name = runner;
tokenFile = "/run/secrets/forgejo-runner-token";
labels = [
"ubuntu-latest:docker://git.cloonar.com/infrastructure/gitea-runner:1.0.0"
];
settings = {
container = {
network = "podman";
};
cache = {
enabled = true;
host = "${config.networkPrefix}.97.5${toString (idx + runnerOffset)}";
port = 8088;
};
};
};
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
];
networking.firewall = {
enable = true;
allowedTCPPorts = [ 8088 ];
};
system.stateVersion = "22.05";
};
}) (lib.listToAttrs (lib.lists.imap1 (i: v: { name=v; value=i; }) runners));
sops.secrets.forgejo-runner-token = {};
}

149
hosts/fw/modules/forgejo.nix Normal file
View file

@ -0,0 +1,149 @@
{ config, pkgs, ... }:
let
cids = import ../modules/staticids.nix;
domain = "git.cloonar.com";
networkPrefix = config.networkPrefix;
user = {
isSystemUser = true;
uid = cids.uids.forgejo;
group = "forgejo";
home = "/var/lib/forgejo";
createHome = true;
};
group = {
gid = cids.gids.forgejo;
};
in
{
users.users.forgejo = user;
users.groups.forgejo = group;
security.acme.certs."git.cloonar.com" = {
group = "nginx";
};
containers.forgejo = {
autoStart = true;
ephemeral = false; # because of ssh key
privateNetwork = true;
hostBridge = "server";
hostAddress = "${networkPrefix}.97.1";
localAddress = "${networkPrefix}.97.55/24"; # Different from gitea's .50
bindMounts = {
"/var/lib/forgejo" = {
hostPath = "/var/lib/forgejo/";
isReadOnly = false;
};
"/var/lib/acme/forgejo/" = {
hostPath = config.security.acme.certs.${domain}.directory;
isReadOnly = true;
};
"/run/secrets/forgejo-mailer-password" = {
hostPath = config.sops.secrets.forgejo-mailer-password.path;
};
};
config = { lib, config, pkgs, ... }: {
imports = [
../fleet.nix
../modules/cloonar-assistant-config-server.nix
];
environment.systemPackages = with pkgs; [
vim # my preferred editor
];
networking = {
hostName = "forgejo";
useHostResolvConf = false;
defaultGateway = {
address = "${networkPrefix}.96.1";
interface = "eth0";
};
firewall.enable = false;
nameservers = [ "${networkPrefix}.97.1" ];
};
services.nginx.enable = true;
services.nginx.virtualHosts."${domain}" = {
sslCertificate = "/var/lib/acme/forgejo/fullchain.pem";
sslCertificateKey = "/var/lib/acme/forgejo/key.pem";
sslTrustedCertificate = "/var/lib/acme/forgejo/chain.pem";
forceSSL = true;
extraConfig = ''
client_max_body_size 2048M;
'';
locations."/" = {
proxyPass = "http://localhost:3001/";
};
};
services.forgejo = {
enable = true;
stateDir = "/var/lib/forgejo";
settings = {
DEFAULT = {
APP_NAME = "Cloonar Forgejo server";
};
server = {
ROOT_URL = "https://${domain}/";
HTTP_PORT = 3001;
DOMAIN = domain;
};
repository = {
DEFAULT_BRANCH = "main";
};
openid = {
ENABLE_OPENID_SIGNIN = false;
ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "auth.cloonar.com";
};
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
ENABLE_NOTIFY_MAIL = true;
REQUIRE_SIGNIN_VIEW = false;
};
mailer = {
ENABLED = true;
FROM = "Forgejo Cloonar <gitea@cloonar.com>";
PROTOCOL = "smtp+starttls";
SMTP_ADDR = "mail.cloonar.com";
SMTP_PORT = 587;
USER = "gitea@cloonar.com";
};
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github"; # Pull actions from GitHub
};
attachment = {
MAX_SIZE = 2048; # 2GB in MB for general attachments
};
packages = {
ENABLED = true;
};
};
};
# Configure mailer password
systemd.services.forgejo.serviceConfig.EnvironmentFile = "/run/secrets/forgejo-mailer-password";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
users.users.forgejo = user;
users.groups.forgejo = group;
system.stateVersion = "23.05";
};
};
sops.secrets.forgejo-mailer-password = {
owner = "forgejo";
restartUnits = [ "container@forgejo.service" ];
};
}

2
hosts/fw/modules/gitea-vm.nix
View file

@ -7,7 +7,7 @@ in {
microvm.vms = lib.mapAttrs (runner: idx: {
config = {
microvm = {
mem = 4048;
mem = 8096;
shares = [
{
source = "/nix/store";

27
hosts/fw/modules/home-assistant/coming-home.nix Normal file
View file

@ -0,0 +1,27 @@
{
services.home-assistant.config = {
rest_command = {
moltbot_home_arrival = {
url = "https://moltbot.cloonar.com/hooks/agent";
method = "POST";
headers = {
Authorization = "!secret moltbot_home_arrival";
Content-Type = "application/json";
};
payload = ''{"message":"Home arrival. Read memory/arrival-reminders.json silently. For each item: if it's a task (fetch weather, check calendar, look something up, etc.), execute it. If it's a simple reminder, include it. Combine everything into ONE message with just the results - no preamble, no explanations, no mentioning files or process. Then clear the file. If empty: reply NO_REPLY","name":"HomeArrival","deliver":true,"channel":"whatsapp","to":"+436607055308"}'';
};
};
"automation home_arrival" = {
alias = "home_arrival";
trigger = {
platform = "zone";
entity_id = "person.dominik";
zone = "zone.home";
event = "enter";
};
action = {
service = "rest_command.moltbot_home_arrival";
};
};
};
}

3
hosts/fw/modules/home-assistant/default.nix
View file

@ -101,6 +101,9 @@ in
./shelly.nix
./sleep.nix
./snapcast.nix
./coming-home.nix
./morning-active.nix
];
networking = {

19
hosts/fw/modules/home-assistant/locks.nix
View file

@ -1,7 +1,6 @@
let
devices = [
"device_tracker.dominiks_iphone"
"device_tracker.dominiks_mp01"
persons = [
"person.dominiks"
];
in {
services.home-assistant.extraComponents = [
@ -13,18 +12,12 @@ in {
alias = "house_door";
mode = "restart";
trigger = {
platform = "state";
entity_id = devices;
from = "not_home";
to = "home";
platform = "zone";
entity_id = "person.dominik";
zone = "zone.home";
event = "enter";
};
action = [
{
service = "script.turn_on";
target = {
entity_id = "script.turn_on_circuits";
};
}
{
service = "lock.unlock";
target = {

76
hosts/fw/modules/home-assistant/morning-active.nix Normal file
View file

@ -0,0 +1,76 @@
{
services.home-assistant.config = {
# Track if morning hook already triggered today
input_boolean = {
morning_active_triggered = {
name = "Morning Active Triggered";
icon = "mdi:weather-sunny";
};
};
# REST command to call Moltbot
rest_command = {
moltbot_morning_active = {
url = "https://moltbot.cloonar.com/hooks/agent";
method = "POST";
headers = {
Authorization = "!secret moltbot_home_arrival"; # reuse same token
Content-Type = "application/json";
};
payload = ''{"message":"Morning briefing. Give a brief, friendly summary: 1) Today's weather for Vienna 2) Calendar events for today (check CalDAV) 3) Any pending reminders. Keep it concise, no fluff. Just the info.","name":"MorningBriefing","deliver":true,"channel":"whatsapp","to":"+436607055308"}'';
};
};
# Main automation: detect morning activity
"automation morning_active" = {
alias = "morning_active";
trigger = [
{
platform = "state";
entity_id = "light.toilet_lights";
to = "on";
}
# Future: add kitchen motion sensor here
# {
# platform = "state";
# entity_id = "binary_sensor.kitchen_motion";
# to = "on";
# }
];
condition = [
{
condition = "time";
after = "05:00:00";
before = "12:00:00";
}
{
condition = "state";
entity_id = "input_boolean.morning_active_triggered";
state = "off";
}
];
action = [
{
service = "input_boolean.turn_on";
target.entity_id = "input_boolean.morning_active_triggered";
}
{
service = "rest_command.moltbot_morning_active";
}
];
};
# Reset automation: reset triggered state at 3:00 AM
"automation morning_active_reset" = {
alias = "morning_active_reset";
trigger = {
platform = "time";
at = "03:00:00";
};
action = {
service = "input_boolean.turn_off";
target.entity_id = "input_boolean.morning_active_triggered";
};
};
};
}

10
hosts/fw/modules/home-assistant/power-saving.nix
View file

@ -23,12 +23,10 @@
"automation arrive home power" = {
alias = "arrive home power";
trigger = {
platform = "state";
entity_id = [
"device_tracker.dominiks_iphone"
];
from = "not_home";
to = "home";
platform = "zone";
entity_id = "person.dominik";
zone = "zone.home";
event = "enter";
};
action = [
{

58
hosts/fw/modules/moltbot.nix Normal file
View file

@ -0,0 +1,58 @@
{ config, pkgs, lib, ... }:
with lib;
{
# Moltbot - AI assistant with WebChat
# Container with browser support for web automation
virtualisation.oci-containers.backend = "podman";
# Secret for gateway authentication token
sops.secrets.moltbot-gateway-token = {
key = "moltbot-gateway-token";
};
# Persistent directories on host for backup
# UID 1000 is the 'node' user inside the container
systemd.tmpfiles.rules = [
"d /var/lib/moltbot 0755 1000 1000 - -"
"d /var/lib/moltbot/home 0755 1000 1000 - -"
"d /var/lib/moltbot/extensions 0755 1000 1000 - -"
"d /run/moltbot 0700 root root - -"
];
virtualisation.oci-containers.containers.moltbot = {
image = "ghcr.io/moltbot/moltbot:main";
# Run gateway mode, bind to all interfaces in container
cmd = [ "dist/index.js" "gateway" "--bind" "lan" "--port" "18789" "--allow-unconfigured" ];
ports = [
"${config.networkPrefix}.97.1:18789:18789" # Gateway/WebChat
"${config.networkPrefix}.97.1:18790:18790" # Bridge
];
volumes = [
"/var/lib/moltbot/home:/home/node:rw"
"/var/lib/moltbot/extensions:/app/extensions:rw"
];
environment = {
HOME = "/home/node";
TERM = "xterm-256color";
MOLTBOT_STATE_DIR = "/home/node/.moltbot";
CLAWDBOT_STATE_DIR = "/home/node/.moltbot";
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD = "false";
};
extraOptions = [
"--pull=newer"
"--network=server"
"--ip=${config.networkPrefix}.97.60"
"--init"
# Chrome sandbox capabilities
"--cap-add=SYS_ADMIN"
"--security-opt=seccomp=unconfined"
];
};
}

2
hosts/fw/modules/staticids.nix
View file

@ -8,6 +8,7 @@
pyload = 10006;
jellyfin = 10007;
filebot = 10008;
forgejo = 10009;
};
gids = {
unbound = 10001;
@ -18,5 +19,6 @@
pyload = 10006;
jellyfin = 10007;
filebot = 10008;
forgejo = 10009;
};
}

349
hosts/fw/modules/unbound.nix
View file

@ -1,349 +0,0 @@
{ config, pkgs, ... }:
let
cids = import ../modules/staticids.nix;
domain = "ns.cloonar.com";
adblockLocalZones = pkgs.stdenv.mkDerivation {
name = "unbound-zones-adblock";
src = (pkgs.fetchFromGitHub {
owner = "StevenBlack";
repo = "hosts";
rev = "3.0.0";
sha256 = "01g6pc9s1ah2w1cbf6bvi424762hkbpbgja9585a0w99cq0n6bxv";
} + "/hosts");
phases = [ "installPhase" ];
installPhase = ''
${pkgs.gawk}/bin/awk '{sub(/\r$/,"")} {sub(/^127\.0\.0\.1/,"0.0.0.0")} BEGIN { OFS = "" } NF == 2 && $1 == "0.0.0.0" { print "local-zone: \"", $2, "\" static"}' $src | tr '[:upper:]' '[:lower:]' | sort -u > $out
'';
};
cfg = {
remote-control.control-enable = true;
server = {
# include = [
# "\"${adblockLocalZones}\""
# ];
interface = [ "0.0.0.0" "::0" ];
interface-automatic = "yes";
access-control = [
"127.0.0.0/8 allow"
"${config.networkPrefix}.96.0/24 allow"
"${config.networkPrefix}.97.0/24 allow"
"${config.networkPrefix}.98.0/24 allow"
"${config.networkPrefix}.99.0/24 allow"
"${config.networkPrefix}.101.0/24 allow"
"0.0.0.0/0 allow"
];
tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
local-zone = "\"cloonar.com\" transparent";
local-data = [
"\"localhost A 127.0.0.1\""
"\"localhost.cloonar.com A 127.0.0.1\""
"\"localhost AAAA ::1\""
"\"localhost.cloonar.com AAAA ::1\""
"\"fw.cloonar.com A ${config.networkPrefix}.97.1\""
"\"fw A ${config.networkPrefix}.97.1\""
"\"www.7-zip.org A 49.12.202.237\""
"\"pc.cloonar.com IN A ${config.networkPrefix}.96.5\""
"\"omada.cloonar.com IN A ${config.networkPrefix}.97.2\""
"\"switch.cloonar.com IN A ${config.networkPrefix}.97.10\""
"\"mopidy.cloonar.com IN A ${config.networkPrefix}.97.21\""
"\"deconz.cloonar.com IN A ${config.networkPrefix}.97.22\""
"\"wazuh-manager.cloonar.com IN A ${config.networkPrefix}.97.31\""
"\"wazuh-indexer.cloonar.com IN A ${config.networkPrefix}.97.32\""
"\"wazuh.cloonar.com IN A ${config.networkPrefix}.97.33\""
"\"brn30055c566237.cloonar.com IN A ${config.networkPrefix}.96.100\""
"\"snapcast.cloonar.com IN A ${config.networkPrefix}.97.21\""
"\"home-assistant.cloonar.com IN A ${config.networkPrefix}.97.20\""
"\"web-02.cloonar.com IN A ${config.networkPrefix}.97.5\""
"\"matrix.cloonar.com IN A ${config.networkPrefix}.97.5\""
"\"element.cloonar.com IN A ${config.networkPrefix}.97.5\""
"\"support.cloonar.com IN A ${config.networkPrefix}.97.5\""
"\"tinder.cloonar.com IN A ${config.networkPrefix}.97.5\""
"\"git.cloonar.com IN A ${config.networkPrefix}.97.50\""
"\"sync.cloonar.com IN A ${config.networkPrefix}.97.51\""
"\"feeds.cloonar.com IN A 188.34.191.144\""
# "\"paraclub.cloonar.dev IN A 49.12.244.139\""
# "\"api.paraclub.cloonar.dev IN A 49.12.244.139\""
# "\"module.paraclub.cloonar.dev IN A 49.12.244.139\""
# "\"tandem.paraclub.cloonar.dev IN A 49.12.244.139\""
"\"stage.wsw.at IN A 10.254.235.22\""
"\"prod.wsw.at IN A 10.254.217.23\""
"\"piwik.wohnservice-wien.at IN A 10.254.240.109\""
"\"wohnservice-wien.at IN A 10.254.240.109\""
"\"mieterhilfe.at IN A 10.254.240.109\""
"\"wohnpartner-wien.at IN A 10.254.240.109\""
"\"new.wohnberatung-wien.at IN A 10.254.240.109\""
"\"new.wohnpartner-wien.at IN A 10.254.240.109\""
"\"wohnberatung-wien.at IN A 10.254.240.109\""
"\"wienbautvor.at IN A 10.254.240.109\""
"\"wienwohntbesser.at IN A 10.254.240.109\""
"\"b.wohnservice-wien.at IN A 10.254.240.109\""
"\"b.mieterhilfe.at IN A 10.254.240.109\""
"\"b.wohnpartner-wien.at IN A 10.254.240.109\""
"\"b.wohnberatung-wien.at IN A 10.254.240.109\""
"\"b.wienbautvor.at IN A 10.254.240.109\""
"\"b.wienwohntbesser.at IN A 10.254.240.109\""
"\"a.wohnservice-wien.at IN A 10.254.240.109\""
"\"a.wohnpartner-wien.at IN A 10.254.240.109\""
"\"a.stage.wohnservice-wien.at IN A 10.254.240.110\""
"\"a.stage.mieterhilfe.at IN A 10.254.240.110\""
"\"a.stage.wohnpartner-wien.at IN A 10.254.240.110\""
"\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\""
"\"a.stage.wienbautvor.at IN A 10.254.240.110\""
"\"a.stage.wienwohntbesser.at IN A 10.254.240.110\""
"\"b.stage.wohnservice-wien.at IN A 10.254.240.110\""
"\"b.stage.mieterhilfe.at IN A 10.254.240.110\""
"\"b.stage.wohnpartner-wien.at IN A 10.254.240.110\""
"\"b.stage.new.wohnberatung-wien.at IN A 10.254.240.110\""
"\"b.stage.new.wohnpartner-wien.at IN A 10.254.240.110\""
"\"b.stage.wohnberatung-wien.at IN A 10.254.240.110\""
"\"b.stage.wienbautvor.at IN A 10.254.240.110\""
"\"b.stage.wienwohntbesser.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnservice-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\""
"\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\""
"\"conf.wrwks.at IN A 10.254.240.105\""
"\"web.hilgenberg-gmbh.de IN A 91.107.197.169\""
"\"web.lenaschilling.at IN A 159.69.3.18\""
# gaming
"\"foundry-vtt.cloonar.com IN A ${config.networkPrefix}.97.5\""
"\"deconz.cloonar.multimedia IN A ${config.networkPrefix}.97.22\""
"\"metz.cloonar.multimedia IN A ${config.networkPrefix}.99.10\""
# "\"ps5.cloonar.multimedia IN A ${config.networkPrefix}.99.12\""
"\"xbox.cloonar.multimedia IN A ${config.networkPrefix}.99.13\""
# "\"switch.cloonar.multimedia IN A ${config.networkPrefix}.99.14\""
#living room
"\"shellyuni-livingroom-1.cloonar.smart IN A ${config.networkPrefix}.100.8\""
"\"shellyswitch25-livingroom-1.cloonar.smart IN A ${config.networkPrefix}.100.9\""
"\"shellyplug-s-living-1.cloonar.smart IN A ${config.networkPrefix}.100.10\""
"\"shellyplug-s-living-2.cloonar.smart IN A ${config.networkPrefix}.100.11\""
# kitchen
"\"shellyplug-s-kitchen-1.cloonar.smart IN A ${config.networkPrefix}.100.17\""
"\"shellyrgbw2-kitchen-1.cloonar.smart IN A ${config.networkPrefix}.100.18\""
#bedroom
"\"shelly1-bedroom-1.cloonar.smart IN A ${config.networkPrefix}.100.33\""
"\"shellybutton1-bedroom-1.cloonar.smart IN A ${config.networkPrefix}.100.34\""
"\"shellybutton1-bedroom-2.cloonar.smart IN A ${config.networkPrefix}.100.35\"" # todo
"\"shellyrgbw2-bedroom-1.cloonar.smart IN A ${config.networkPrefix}.100.36\""
"\"shellyrgbw2-bedroom-2.cloonar.smart IN A ${config.networkPrefix}.100.37\""
"\"shellyrgbw2-bedroom-3.cloonar.smart IN A ${config.networkPrefix}.100.38\""
# bath
"\"shellyswitch25-bath-1.cloonar.smart IN A ${config.networkPrefix}.100.49\""
"\"shelly1pm-bath-1.cloonar.smart IN A ${config.networkPrefix}.100.52\""
"\"shellyht-bath-1.cloonar.smart IN A ${config.networkPrefix}.100.53\"" # todo
# hallway
"\"shelly1-hallway-1.cloonar.smart IN A ${config.networkPrefix}.100.65\""
"\"shellyem3.cloonar.smart IN A ${config.networkPrefix}.100.70\""
"\"shellypro-1.cloonar.smart IN A ${config.networkPrefix}.100.71\""
"\"shellypro-2.cloonar.smart IN A ${config.networkPrefix}.100.72\""
# toilet
"\"shelly1-toilet-1.cloonar.smart IN A ${config.networkPrefix}.100.81\""
"\"shellybulbduo-toilet-1.cloonar.smart IN A ${config.networkPrefix}.100.82\""
# storage
"\"shelly1-storage-1.cloonar.smart IN A ${config.networkPrefix}.100.97\""
"\"shellyplug-storage-1.cloonar.smart IN A ${config.networkPrefix}.100.98\""
"\"brn30055c566237.cloonar.multimedia IN A ${config.networkPrefix}.99.100\""
"\"ddl-warez.to IN A 172.67.184.30\""
"\"cdnjs.cloudflare.com IN A 104.17.24.14\""
];
local-data-ptr = [
"\"127.0.0.1 localhost\""
"\"::1 localhost\""
"\"${config.networkPrefix}.97.1 fw.cloonar.com\""
"\"${config.networkPrefix}.97.20 home-assistant.cloonar.com\""
"\"${config.networkPrefix}.97.21 snapcast.cloonar.com\""
"\"${config.networkPrefix}.97.22 deconz.cloonar.com\""
"\"${config.networkPrefix}.97.50 git.cloonar.com\""
"\"10.254.235.22 stage.wsw.at\""
"\"10.254.217.23 prod.wsw.at\""
"\"10.254.240.109 wohnservice-wien.at\""
"\"10.254.240.110 a.stage.wohnservice-wien.at\""
"\"172.67.184.30 ddl-warez.to\""
"\"104.17.24.14 cdnjs.cloudflare.com\""
];
# ssl-upstream = "yes";
};
forward-zone = [
{
name = "local.ghetto.at.";
forward-tls-upstream = "no";
forward-addr = [
"10.43.97.1"
];
}
{
name = "ghetto.at.local.";
forward-tls-upstream = "no";
forward-addr = [
"10.43.97.1"
];
}
{
name = "epicenter.works.";
forward-tls-upstream = "no";
forward-addr = [
"10.50.60.1"
];
}
{
name = "akvorrat.at.";
forward-tls-upstream = "no";
forward-addr = [
"10.50.60.1"
];
}
{
name = "epicenter.intra.";
forward-tls-upstream = "no";
forward-addr = [
"10.14.1.1"
];
}
{
name = "intra.epicenter.works.";
forward-tls-upstream = "no";
forward-addr = [
"10.14.1.1"
];
}
{
name = ".";
forward-tls-upstream = "yes";
forward-first = "no";
forward-addr = [
"9.9.9.9@853#dns9.quad9.net"
"149.112.112.11@853#dns11.quad9.net"
];
}
];
};
in {
users.users.unbound = {
group = "unbound";
isSystemUser = true;
uid = cids.uids.unbound;
};
users.groups.unbound = {
gid = cids.gids.unbound;
};
security.acme.certs."${domain}" = {
group = "unbound";
};
security.acme.certs."fw.cloonar.com" = {
group = "unbound";
};
services.resolved.enable = false;
services.unbound = {
enable = true;
settings = cfg;
};
systemd.services.unbound-sync = {
enable = true;
path = with pkgs; [ unbound inotify-tools ];
script = ''
#!/usr/bin/env bash
set -euo pipefail
# readFile and readFileUnique as before…
function readFile() {
if [[ "''\$2" == "A" ]] ; then
cat "''\$1" | tail -n +2 | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context
do
echo "''\${address},''\${hostname}"
done
else
cat "''\$1" | tail -n +2 | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source
do
echo "''\${address},''\${hostname}"
done
fi
}
function readFileUnique() {
readFile "''\$1" ''\$2 | uniq | while IFS=, read -r address hostname
do
if echo "''\${1}" | grep -Eq '.*\.(cloonar.com|cloonar.multimedia|cloonar.smart)'; then
echo ''\${hostname} ''\$2 ''\${address}
unbound-control local_data ''\${hostname} ''\$2 ''\${address} > /dev/null 2>&1
if [[ "''\$2" == "A" ]] ; then
echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3
do
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname} > /dev/null 2>&1
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname} > /dev/null 2>&1
done
fi
else
if [[ "''\$2" == "A" ]] ; then
echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3
do
if [[ "''\${hostname}" != "" ]]; then
domain=cloonar.com
if [[ "''\${ip2}" == 99 ]]; then
domain=cloonar.multimedia
fi
if [[ "''\${ip2}" == 100 ]]; then
domain=cloonar.smart
fi
if [[ "''\${hostname}" != *. ]]; then
unbound-control local_data ''\${hostname}.''\${domain} ''\$2 ''\${address} > /dev/null 2>&1
else
unbound-control local_data ''\${hostname}''\${domain} ''\$2 ''\${address} > /dev/null 2>&1
fi
fi
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname} > /dev/null 2>&1
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname} > /dev/null 2>&1
done
fi
fi
done
}
function syncLeases() {
# 1) nuke all of our old lease records from unbound
unbound-control list_local_data \
| grep -E 'cloonar\.(com|multimedia|smart)|ip4\.arpa|in-addr\.arpa' \
| while read -r name type data; do
unbound-control local_data_remove "$name" "$type" "$data" \
> /dev/null 2>&1
done
# 2) re-push every current lease
readFileUnique "/var/lib/kea/dhcp4.leases" A
# if you need IPv6:
# readFileUnique "/var/lib/kea/dhcp6.leases" AAAA
}
while true; do
syncLeases
sleep 10
done
'';
wants = [ "network-online.target" "unbound.service" ];
after = [ "network-online.target" "unbound.service" ];
partOf = [ "unbound.service" ];
wantedBy = [ "multi-user.target" ];
};
networking.firewall.allowedUDPPorts = [ 53 5353 ];
}

60
hosts/fw/modules/web/proxies.nix
View file

@ -4,7 +4,8 @@
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "https://git.cloonar.com/";
proxyPass = "http://${config.networkPrefix}.97.55:3001/";
proxyWebsockets = true;
};
};
services.nginx.virtualHosts."foundry-vtt.cloonar.com" = {
@ -57,15 +58,6 @@
enableACME = true;
acmeRoot = null;
# Restrict to internal LAN only
extraConfig = ''
allow ${config.networkPrefix}.96.0/24;
allow ${config.networkPrefix}.97.0/24;
allow ${config.networkPrefix}.98.0/24;
allow ${config.networkPrefix}.99.0/24;
deny all;
'';
locations."/" = {
proxyPass = "http://${config.networkPrefix}.97.11:8096";
proxyWebsockets = true;
@ -82,4 +74,52 @@
'';
};
};
services.nginx.virtualHosts."audiobooks.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://${config.networkPrefix}.97.11:13378";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering for better streaming performance
proxy_buffering off;
'';
};
};
services.nginx.virtualHosts."moltbot.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
# Restrict to internal networks only (LAN + VPN)
extraConfig = ''
allow ${config.networkPrefix}.96.0/24;
allow ${config.networkPrefix}.97.0/24;
allow ${config.networkPrefix}.98.0/24;
deny all;
'';
locations."/" = {
proxyPass = "http://${config.networkPrefix}.97.60:18789";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
}

4
hosts/fw/modules/wireguard.nix
View file

@ -29,6 +29,10 @@
publicKey = "yv0AWQl4LFebVa7SvwdxpEmB3PPglwjoKy6A3og93WI=";
allowedIPs = [ "${config.networkPrefix}.98.204/32" ];
}
{ # FairPhone
publicKey = "tLsvuXo6Cp8tzjJau1yJZ9apeQvYa+cGrnAXBBifO3Y=";
allowedIPs = [ "${config.networkPrefix}.98.205/32" ];
}
];
};
wg_epicenter = {

101
hosts/fw/secrets.yaml
View file

@ -1,69 +1,72 @@
ai-mailer-imap-password: ENC[AES256_GCM,data:q9eJ9Tom+X6KxQJhWQTUB61k5A==,iv:FH+IUWi2yZBBgMiL/kNW470GEVHEG3fImf0bel9og/c=,tag:RSlcpXwmNyLB8Oc/K2Epvw==,type:str]
ai-mailer-openrouter-key: ENC[AES256_GCM,data:EvI0BuCBA1uYOderjAVcB8RSk7un7tiKmgsSe70KQcmfu3CxmQerP/2kQsRTJ0/6pWf4QqNpaes691O3nf+UG1qgG2CUcIaYRQ==,iv:OYEy0xMs+vkGa0qMtY4UP/iol5JPQ0eFVyPpPXLAmUE=,tag:5PeXZcI8TRSUOyuKs0STWg==,type:str]
borg-passphrase: ENC[AES256_GCM,data:GGmf09zX5wQ8Fih1EyP1p3up9ckFjVKsktU6ZFwvuZnG/O2OyOod66qXc/IXx8GQordubZ3TgisOeMLNnSowp2qylh8=,iv:fFgw/x8Ww9cInkNlPIoE3stUfISbfk46PBj7aimuXNA=,tag:hnNYrkLgt1qJc+gN5s9L2Q==,type:str]
borg-ssh-key: ENC[AES256_GCM,data:I7hErgUwWDIxKLdw2FPKuTx9aOcqF/EhOIyU3pfd5QA9sQZkZT/c+IU3b0rNdi6OL6KYDQ8+pMhFuDB7Tcna17etB5HQYnWR6L/QDv5rZTHAHbhTNUEk8w+4zIsvffKJlfObM6qnKZhZbCZT4CvbbvFqmg1KxkFqhpMZSOfR4hpvsNVqEmagygYxuPUSamWgb0y8+CFBxgR8FVEz36tJW8bH7110ZupfkF3P/DNgw9Mci5tYHdrzu6CU5YhbpW+hx88U62rvenWc4T0r7gVcEZYjkVExPJRKs994UVCZO22e8Kx8cy9OZo0S4FBgFfT8Kx8HkYX5viBnwxZrWRsw1ober2LIa48Yc9Sh1cuf1HqD3HSwEc90LuXP0EFKwJLm8MJ3Y26fLLz+NMQhVtug6lAt2cUZj1qapgMiSznw1RJv7nEJNKRx4rKGDdzf4gJ1Nn1DcuS1gPe+WMd2K1WoGB+QiBRIvCvv8f6YrnanNS5YDt5W11vrh2YK6u4JVjehbScoG32ikv2YAYD6HxkNmIyPAwKXM1hIdk91d55bk/feXDLSGsnlBcSdQ7AgBDKEy4UDLEvUPKwNgxur2t9PgEa+AHXZSjhQOpYVEHQI7qzALgSR5v9lEpPLvz4Oa26VwglMwyKcCxB6vYhz5CXnRXXuypBi0TAEtnWsQaUQrcYNduEkNTi5BwtGYJSwD0nVxOFQhqxwbCvQSbW4iT1QBHbvfEGhKtsDIetZrx2DL96aQ0maj9B08O5ODsiQsZzyc68vyS80Ctn6dd/7BIeJka1ciCbXrZiWXHa4Ibrfp4pdjTfLVXhvqocNolLQupwqxXdCMI7pmZYrcQEY6VmyYmuePWOQr76/ed4QG3mhmAJN16SZw3SlDo02LxF7qiQV1oCojpeqxdWnr0jh+tG8z2hzK4cODvwnNx1XCq8O1P8A2vcuk7mzCnB3tTMtLdIGh6kF0V8I6l4zidJkDPRhqB/LonbK6Gj1OixqgL9aJ3Od0ahF3rOq/SnMQWg+MJkJUv0CV9KJCJZ5FoHv9JfChzTG76PsrXtAFGoXwHMsrjJi/1E1UxSFV7TuD48FB1fRleWrt1Zhbefaq6aDfYPCiRLbpNbQlepnX8mRzMfXleq/ESZqXHKaG2dza9R7hiaJFOd5OTXrqoaf3spIRCdhSAhvd6ChpD+NtFssqUWaAXmZuVQhg/udVOGGW+mOgd6pRKoFjOXkD5bnVf27KY+w1EHTOUNoKWtZlLWmmsbJBF8MGc3E5XIGM+Mlq0E5mNSWB/XwnionuUTGg1+gUUCcCbcmOm7P6J3k4l3ZLhuu4ilw+wV31pjednAnw/IIw9r4lMGL0RN+zJL7leE6FT+fFqdjRx3ZCdCFGxjrmJgugtfZECjgR6nHQWk2zLv81fi6OD38wBFeeMe7Bm7fV0A7+oHYrTXyvxuo5aXfv3pOacAGnUulbhWUIcsN/GTFzcGio5iBlIOI7yI6EeW6VcLbXm+ISw2YHv/zhMFCDrOeXn5jYCI5zwi31+T+XTIuku0DOr+k7WnS8WKWQhdlhuLUp8XpNdUVwegfrZoU3xWo46WbUWrtOcpBoQguvjGvVYelb/FHWx6k8mQy/9Ke7juaPXgrhKclAA1pyKuOvFjO8UuUI/KBMZGTWtnAxrS+cOTdf8CBhw5smJ782wyvYkxQJfddfcUU42TWGLSpLUJUYc0kAjbbAEfKkWQw73tCPH68VPSq4/3nWH6lS95bMayn5yj9B8pnl5Ml1Fv7q1SAj/F5FrC5uLB7QBUP8alKQoLvpCCkXwRQn6FHPzTPoKMmkmRCuqrVmG0blyyY1PtZq+hzfYw2oM7kPwElXKUMo+Pd7bJKerRcTRir0odIMyKXNXCu+OC2/WhcLLfwuiW9PH5clbCt3gjjM4XSMsz/vxxwasuN+WnzFHuTlL2DN21rSFNKjPR7b9FfifQObQQCfEE+GBAeid8OsLU+7Uk+0PvjWq072HOMU+fkbgdISLp1wmafOjjt68hsnxx/dtsqTxaE+mBCTnLlBdSJOHi9JvcAC8QZD/fHUVGd0EpItUQJCePaWSVjkg3Sd5wYR5zko7WHAW0iuGXqZUQkNJpMm93w8cygkAiNJMffM4FkCM3yXpSwBqpjN6+OHNtcHzDIjwwUCMigyqHKvCkalcsgSLus0451Z7m6FsUnOvlkIZxWovQEQVqVDwa42g7EqPyaVghaUmIsUo23Dlz/eNPM/HmgqtdQN6+vJTgK4kdkX2HBqEpPvNn7Faa1hW/gfLIVl2cknNUNDNnkmqkvJLPSUS8Fi9lNhM5HDt0hCr4JmmGJrvgo2TlxnMpBGUPi4UkfxEuFIgxmzvpNhSpyDJNF+nFp0UD0ztcCdtAta1lpoGQ0zZEiTr6Mwwc0fozxerGtxFLPm2pTSgjXKI65JyRGJjNHAHG2XeOC/7dWnwo4GthFCZBKPB8/W5EsaOeuSsWfDAP8n3GW0AIVwIh8Pmf3tdml7dKU1J7ciVnLqoHE9NcXfmnRW6liJ05Ca1UUgcrtQasQKETbSEIBBM/hvZAMd8aaazyIBRJwNc67TIEkKBpvC6dRxpUYEJ5ZwVvWGrJIkh4WekDEV+fFZDyH6V8sngTmnT6Z3GCyRContJLg8Gx+CE6fLnZ69OUXVZ0FU6C0K7GUqueB8l60ccJa5AniiEqhRk/5WQAJBrcpYAYrYU/WTEKkyt7EtBnxeWPCyb7CpnF/11i2JOk33WAcYeXUK0IIfVaPmW5cBQFDVZ9JX5W/kfEMwufizXqjWSMXIKnON3ICD74iOJRmnMevaT9/ruVtMlXx/7M4iQVMeIl8+0He5S5+U/1kUZVvx4OmvQBdfgIQrjso6fTDeGMziM5jeQeCUUWJg/cBV9VGrMsGlELiZiCWvVI3Ysa/H2LkutKa1dIRHtvhZNBan4y1GYq7hcDpkmBJ6e0WHV2gQxhgbwgWpOrf0nww+KUivUJySz2uTdRunrujkwCMDIt7zDXHrItuI0xAfrENYWXvp+KyOMeWUbjUrOUc0IdeAD4DIBywKVgZD/2j5xtew53d0wv8LmcBe89dKSyMHWm09ZPjbwm5FL+qafFLFZZYSlfr/7f+MFg0kK1Fd51rh1pmO9vpgha15MrzgK1KQ7FBsShG5UZ/7l57CPGV7+TS8B6ujDbFvX3vvmwJ9LMhPsOkeh2f8yQGjZppaOjx7WorqCnjP7K4HP5gfbz+GC90jZ8xEabm5p95t3tnOw0NBG8peE0bObUosd5phJN3PuahcCYGNF9WBtCAsDR9WzC4vJgwpSRl1qVZydm/F5c5N29cszRViM2yG1vIqzbUo3uGkN4+Dvr82YB5rRhn25pdV7Z79xroJMnx9mDGAM5ShQPDloEZeG32i/rGB3PKruyfCYNaWUT48qrvt8S9FTrt0etZVJrxFp1v9M7Ct4ojw+OQPW+bh+bTIWd1UqY4TGhAeg==,iv:f7rBK8aNqX8dGyzjoeRX6yl20XsnLU8b4gitaw9+O+0=,tag:WvfUw1JgFBAtS3vsVIvM6Q==,type:str]
ddclient: ENC[AES256_GCM,data:dS6TVVNb6R7EE1JVMDfSnRYCZyHHqEPvwaYpkTSj+VA=,iv:9uMo+9X7dFdVW4wuSgrqIAaQelXuA4cek2oif0GRHow=,tag:ncQq4UeUzWtjPNxEUOlqNA==,type:str]
filebot-license: ENC[AES256_GCM,data:jY7E29fFJ/h9NIgIjuX++WBhnLk6Mm4iRfMh4P0pUDdqH231gXDsTZ6pJ1rpFXdEHSuNN4LfznDTKgZ2azKid4WprDUzGkN0uJD6CfSR8gTIx5Rq0M8vkRah51LC36bop4hTMzECYQd1YA47hOBV/gfyg3RIw95coWamV9FebnQjIBgWYxE+wTvO5iRvWpiCHd6VZQfkiiR0KF1DrkYkuxlX0piGEKmIgyYCiKMFZ4nrrIe58x5lEQA9uPVjE7vmq3c3ge6tJzjVVaaNocbJhxhA18GLMqTSHfnBsOLRlA8qSQ3xX/VRzKQmaYQHIM77Ylb9ZQsvFt6EDlzQMl5NqT7OJZUW/0jwNaEXHURjeTOC3Hr1HugiDGm+uLXEraaJ6Na2AbFDn28o+3J22p9xNg6vWL0FElzKuaz5TFDzdZLZsD9HOPQm95/ZM8JymDjN4qxkkd2o9rEKY6to1MVDarj+lDxIHhf4pL23YhZsn3esNlEbFswzHQiH7nMsu9Jg6a0rPu7IYylDnH/soBjxSKmf2dhH1LLsDm8It9K/7NnXwmvncFXaqNBqm/e7JzCDBCCyVUf/BXbBc3xwLwZf5MiirZ/iYiYnRtUssveh7BV7ICigRj5Ewtr+n97+IGI+FyonkvOgM0bn8nHf79ZzJCKMuntcw3FlGd1nIkmcehkC79PlKIS95oV/wypl1OmU0CVel+D8hsMuONmF9NPHgFk/ztp4GF+XXRO4ExNotX1XrUlvLOccoHDsl1TedUOISzgAK71edxfI8y110shIe9OfsCEUAbmWMmjGVWH2fKu/IrYYQTry6pYFOjG2bIEUXMaiIP0lALbq/QNgleqMNPY8wGzFbP+/jaYzTbw9KXH4bwYQCl1hSI8THfV7lLE=,iv:4ik/aQqi/hIqH8ix3ejgUiXGY7ycw0ymdVrV+CEQe1o=,tag:7ymc4QZEezJVPlYTlU4H/g==,type:str]
gitea-mailer-password: ENC[AES256_GCM,data:lEv5euTCHG6pyNqrVtKK7oE8wLvk+q8ABXOzFSizQ2TVFi35lyGPzOTel/dCCC0Je5GAHE1KQQ4Y4/iHghZgb5Ft,iv:gt/mCzLbDrHFNqW+Lkd2dy9nRIBKO+rqsVuXM45zJ8k=,tag:gCxTSzY7GZ+jQP9SCsdUtw==,type:str]
gitea-runner: ENC[AES256_GCM,data:HLjSETmu2C2ROf6kqUuIzQl/t4Fe5EOVkMqdTeLNnb6AJ95l6M/WUk//dnPMrWVvEq7rV07awUiyvyJcYQzMgPNddCrfcn2Xr0dYK4XFenz/sdhknVex9uS/RhK8fOqdYJ6djpynikMKddZMQr9AOVfpF5mea//87+Az9rOrlzLdgNtf5HyBEAFKaOFbkZboAsP+jlxyyYurGHPr8LxxikewDVxnpB+XzMc6RAnesrZPOTDQlkMiPZ2t2o0klhD/4VomgiHEklULxCCmIAHaqDo=,iv:1FwTespqVTnKFbyf9Unbbod08D36MKsVbDhIBNGBkHg=,tag:rgVvyxUCwzYB2CqWm2fwgg==,type:str]
gitea-runner-token: ENC[AES256_GCM,data:pzJp7j1Ktz+27oU+qtESk7D32w7+BSEUkPSX4xuFml0i10z12Gzu0QHXL9s3734=,iv:U77b5515H1URfz5BCdzuY03zVkhSRsL9d+HdHUJFx9U=,tag:QvooaT4TS/X5R5KGdaVpVQ==,type:str]
home-assistant-ldap: ENC[AES256_GCM,data:4kofJzPbiLXILxjuAZWiTb9hu2Gver/IHBCXDnrmrKuCSII6SJ9FrSi67nl7SHdoA6xe22GSMfmPrKzy5sGiow==,iv:F8mIHhWHpaI6kzRV9du6uW/Fj07PbEIU1goSDmeSD5E=,tag:6NIC6sN8OclinribZhrLLw==,type:str]
home-assistant-secrets.yaml: ENC[AES256_GCM,data:rns9heAmVMxB6WWlGMXvF/ianFUnja3FObiLTEKJmodePNsJ8ah3OhuCAX5jON+/7NZ+3JN/hIJjXsORC5WYhr01DvO9meykf0aMpbmAnYI+cmPEPvcunF4NNInl96rpcI519nMiHDSh5J7pD74CxHZcXSV4c9ZR5UBymchrwmHyZMF6dVrD9Jbr9yph1r7iq6S5wlI2ZImWRjaoGDZ1x+ZU8XnsUmYcP4pa1Yt8JBxSnyUw5gxgBkVCh4eSZBsUCt0cd9P0i7qWVg==,iv:YXQsawXZsQb9ZUt1/lkpfTa4tfKIQrLkkyShFtBRaIQ=,tag:/vSnipGiMntdMqHLePSEQw==,type:str]
piped-db-password: ENC[AES256_GCM,data:5atQccdHYDEf638bpiON9VO14jqNDtzZ8nnXVW0/cqtWkZJc8RYn9N7QhAw=,iv:Gwyf1R+mpmX+TFuoYLPHjXwSDwzJhSEpnj5ZsJgmrtk=,tag:zm4zNkzbqbCyTN6o3lQQfg==,type:str]
pushover-api-token: ENC[AES256_GCM,data:cMBDdySEBQ7vS7FUC2DsCcSvEMpapWvMFmnuCsY6,iv:SVDrrDm2pcAfwUVAC5j47YwF4s/FWNARlZdIZ1Wgwgw=,tag:w7ZeNMPXWc9j+zVaSxq1cQ==,type:str]
pushover-user-key: ENC[AES256_GCM,data:fjoA2YQxmeWEbSKWWE5iyi+CUh1vtW9usVCm5EGk,iv:p4YwYIhpgn/bY9t61//CDrDmZrsj9B/naZit62lCpwo=,tag:pqEw3pDlX7i87tE0Nsy0/Q==,type:str]
wrwks_vpn_key: ENC[AES256_GCM,data:VEHqnr/bDtmyLzs0wnmZ0jCWS0BGJWu6Wjq0ZHJuEz8PH3j/E54S9NUe6WRIo+BJCsh1PlRqw/PD9xSqlW5uPg==,iv:OMP0s8Lc2CmFgwRuwB3UWJVuQFqvpy+BiyhnIKbVIb8=,tag:x1LvSf6i8khd8jKgv/284g==,type:str]
wg_cloonar_key: ENC[AES256_GCM,data:1OfHD8yX+pgCXqqxn7cddnnCA9HBjGra4eht7uLxdcbdG9vDvxUoE1x6aWg=,iv:/NBEbmA3wP/zwrqCeBKDzaoSMqz3f4ZeMlWbu81R5Pg=,tag:Apt8x/j0qiJAKR4UEVSkrA==,type:str]
wg_epicenter_works_key: ENC[AES256_GCM,data:CTZkVGEVRlCdt6W0BGPmX0SZbuBBH5IIlUsi44SGXi7gdmrZNwv2zDv6zjA=,iv:4ZDDKqR6pBq8cjX763tBxOvWFaS2IiGaBxJu6L2JYig=,tag:H8p63BvXSx1SKPFw5gnptw==,type:str]
wg_epicenter_works_psk: ENC[AES256_GCM,data:K0SDlDWfUk9vIGP5U1j8p6TJ9GsydJTuKPb4kMgde1CILOia0S9/+4AkMWY=,iv:ITwLoWZXR6NxRFF3eBvOogiWHLmXnf7S1e2FW0ofr/M=,tag:2OVi3OBFYT0nlCx8gf2AdA==,type:str]
wg_ghetto_at_key: ENC[AES256_GCM,data:+bonpVjV1hxwaqtR7ywshmoDxCnFPD11q0OiNLzxUJIaYrDeS1srpyo6rlE=,iv:Djn16kuXTWqJZy/AT77GpH8RcNtUMZ6zcIdKIMHv+PM=,tag:LP2JCaPKpzeOKvBc2bMr4w==,type:str]
matrix-shared-secret: ENC[AES256_GCM,data:nVSHwPa8xYUaDCxL+5neFtzc11DDNzJtoDCSHYXZ+bZXVAAbp6/Pjx6UkTdAA8B2GOM09nFAsBuLnQfJ3w==,iv:WU3hnRlWVwx7Qin3ejw7V4VhAmYLf6oXzVk6xQgZPgA=,tag:O2hJ2q8XDxYF+rHPNgATgA==,type:str]
phpldapadmin: ENC[AES256_GCM,data:94jCcgGJ89Er5ENLqhFZ1qY44Qp709SuUhBUuED6v/a7mPPjrJGDmi0Gm3r1Hb4CDPGkWf+x4NStY7LSQ2bHEzjyMPMS23wvSLTmC5b2TVca1UI8vZRTD1R7OvdWo8d1oNweSpYEnAXGv3USYF0NZo8DrPLM5G8lG5Tk/rKS/mxU5ZRhPyA60rbmIiy3Mk4yNcs1tvTEckxU/zMVl7zUPAsOOlmYGuwJrHmmh9p7YIWHGIgZNiLs3U0BvSKzN7WktmlwqjfWpeLn4dusqgov4SSQ2otAkxLHIH8mGhyotd1wgXJDZc6tilMe+WPHQDz9db7FT0VdeKggQ94FD+8rP0OsIjR4AdjZ,iv:C8X10wtA9jPgS41pxasaZJTO/XFcRymOyTDZCWJlhmg=,tag:xkMJsGubny+Di+GucAqypQ==,type:str]
palworld: ENC[AES256_GCM,data:iR9nceVotLKrFHnPIVskCYVLev9OzGLLlmfCGQq5hqB1HveXjhjkfm/NMmqnSi9o776+Ezy7l3kkS0R+0cFJ2B9kaWGsdJtdYDwQevmf6Nq5eaBYmvu8kTnaatqZ5e/1BQzcF3to6MA061XL54YGqsAV5FpnDVLhyyzIvaR3gMvMqJ748NL7K+hbBqMFuWcSH3hKXwxtDK7SLtcgx93W5ZgXkZMMumtlH9hSSlZL4yxuQDAQUwHrEBL+rdphA0m27dyS87DA3Av5ZL1MZ+Vlm4uAHM68T+rtVYXTakNImDTc0WrhIP8FZD/UKTAhVYAbA9oz6cbeC574vchuEY1z19SY9+2HshZZBOiPDMqdvrqyszMQCo5I9dUzAJCemQQTlYG8ekREQ0wxARnBYi3iy5PbmgDQWdM3+ff4yhMmGiHtiMQLHzrquKy8nvS9lDp9uT7njkaI0QAt3eNWa2DAQRqXQAtmuRVob5+GS2Nt6XMTWRkbeEb1phwbTqZD5mH4p2TiyMKCn6KOXsgQTxqGr35Izbe+bfptCmUeyscTKq01IZg77w/dvg3AX4iHAcMNgJ9LIHDLibGHQzu9fGN6alpeyy788GDwRY4glYyKxPhCasKkBSj/uhcDAtdg+c63vDTBhqRjNr6+v1NeRW6lVBzrgq+f9QvO5RVKrvdsVHnTA3CMGQzUPAaluNZMpzV5KqxqIrpAAPXnN0ktig==,iv:kkcm/alLHwC84IKK//OJpa36ec9ddOARTIM+KJlOHHs=,tag:jV1DjfNzRgNaCGgJTKIy5g==,type:str]
ark: ENC[AES256_GCM,data:TRTwxqkeUGbtgrWuj1YEFr73+nxCXmt/fR5vVnYR+k4FpNBB2FoY/gXl0kqeFKPDcajwn8nYBs8YE9vmYtAX/Qs4g5OyU9qC/pkmSV7/gbGfqLLqcbIlbWrZzeM8gRW0fp6h1TMPsGO8/iYdF4bmInfuZW+fKr0i7ZRgrtOpPiRCOI/ztPGkFaduuwGIy+yVoS64b9r7ZLRnOZT7ghVv80GKorJuuOQIipNAJMzEqtSA2IqaxWeb13v8wdQoKuMNcD6dCYVJnvgwf4R+,iv:+F9+yJUZBzPSSIt4uLHxjjXAjzRojLxKAyrd8grMXkk=,tag:VrIr4FFbIGTq9RBJMz8/Ig==,type:str]
firefox-sync: ENC[AES256_GCM,data:guNgEVi9n8uJuLkkX2Z3tMY/NVqzQ2tdIutZAqleah9qBri0/3dzVHF2xvztLeAgm/59tN7TtAlAH2SMK6gcfAZDasAWOJ/rGEASxLi6VRjqCe25glDMp2YrA0/mcqZVYMCg+QZ5OPA56b55WDqPHPoBJkPDuTm9axwm6AOxdNi5BkDzMw12fVBxlJL/Rm8=,iv:yD+MkZK5vvZ85vYGd9X2Dv6KkSvMUsMGLrwlJ1pRqlk=,tag:YA379QupHh7aJZKcQxB7bA==,type:str]
knot-tsig-key: ENC[AES256_GCM,data:CBFaRKPr+HRVM01fA9/OLWeD1O33axQKEKJuqDRfcGmuDeP3oXf+ccEJhQE=,iv:2O5y24YenpiMc9txPx8kz8x0aO37LpLjIcwlNywPEak=,tag:J4bVZ7RNSR9fiOBQ2HKpnQ==,type:str]
mopidy-spotify: ENC[AES256_GCM,data:irBeIh2FieNkdf6Hls/Oj+qYxj1U7R7/Ffq6dx+JCS0PdOiFWIHXtccY+PXPKP7RhhaQOgZtIcgPyqTiML52P0c8AwN6UHMl7kgUcKnk60AI0IUZNWorCBZluHhEpf2e2OISlFzDGjSHk+zAzh2eDS1lJ9lCRYEC,iv:r6aZmlVHdRsA9DxkelcIVVpwwm32jaOgP429h61NL/U=,tag:FvPIr0HX/V7+G9kal4nO8w==,type:str]
lms-spotify: ENC[AES256_GCM,data:E53aUSNxE30SSrG6Y6SWKVzmsv0lu8aZvjk1RBgSj3q4m65dPLwGM9HcagN3BPoVTc0tKJaccrjoL2k5FOMnwcTXIz3qgiZGbnB6hVCoOhMrrkoFRN2JzSIA5WxKOT8VuMoC4/a6WaWbY8SWAdhgRQb9uq1hUxdkMCoNRLNJnPqR/0w07lCDVHvkj8XuBV4rGl93VVT3rCzjVTL+Vigv38WZ2il2aANkCz3joNeN8Uod3K/HA5uXLw3cLFmD7eI7LBDSTHpMEg==,iv:iRKrij3TRaufB5BXy7Xhiu3asClZ6hpkbMV14aod7jk=,tag:hpUwP/OHygqfgI6j6q2sKQ==,type:str]
ai-mailer-imap-password: ENC[AES256_GCM,data:gLSr5s/9YGd8DOD23k/MGZU58Q==,iv:ELdtCuD7Geofd9ElapMVX4UZ0gZgTtVvJpaDmY2NUq0=,tag:g4/ENc7/0PyUvY4VSg+mqQ==,type:str]
ai-mailer-openrouter-key: ENC[AES256_GCM,data:2y9JyDBYzo9Tcx+t8rrr/TleS9Lq2D6jOVSCnm99DBMauJ1QlfLIJ4zXpX0gebxGb8BPA0jBYnJdNQxHfjvYJVmnG7+qIw7zCA==,iv:ytkagoqtrT9kGqUFo6xrXNJp4LKSO6UNGjWZemCg2A4=,tag:0OoSoYchvMUYNUi1MclWOQ==,type:str]
borg-passphrase: ENC[AES256_GCM,data:ajkDfsz1sLcxcM5VEsU8z8opB4qLXZr6BdOc5IxX4OKb/8cckd341+mXk431IWuN6bLpd1XmINimLRLin9bnb6y29L0=,iv:w8VsAJrbkBLIjR8o5L3L1l6xgsLEa1cdyEAVqfCE8y0=,tag:PvhBSrp4n9oyqskekEDBQA==,type:str]
borg-ssh-key: ENC[AES256_GCM,data:V+jg1s8E55AVRYcz+tMACmr5KszQRjvKXFBmnJPzzhRcSaes/WvtkY6gm+wvoDwMSVb97eMFwQ1GWiK5+kZ3eEN9kVYZweZde757+Pdd4wBy/sfGQ8OUpHG9mBM45g9tftLb8l7lHSkEk49GGQiot5seorAz5z+sa8pwkOaltdtBxcqqhkuvrDZRQO0tv+5zGZ+PWx2dMZThDnR1s+Tuum6bMI+5Aoat/MsQT53LprpFbwS5NYNg5fzQACoRam504dtCWqS8+mwITDJaR7LFqjZGMAmfARC2L8pIDWrt1XrsPx47/MHzBA1+h62CilczsTcpXex5vKB1TyPUKAWfIiF6/NtRBWIMSSDMlZlq0WABcs1CxNe6e/mISoQpKkH5YX8jQUC4t2nwE7WECYmllubsp8fxFCMs9yFWQ8915I54OutOkFQd8/eq0Hu2o/+jTTfelnjbxDXdPdHdMKGhJKvb2Nqs3B1oiga6SIeXJ5nDm9/K/0NQ6yjnysqBUZM10hK0Ii8oH7guMKScUrNcGgtLNMgMR4REA/zhv1hmed/86N2GZsUIpfri3aly62RmlN33ZQdKGk30KcMDikm1zDWGbH3dyhOgDfzVYTXIp+Xq+3qD00LH5F/dptad9/kCdh+shDTt5yTQdyi5zOfl4k5LGcxhP7BStsIhitVA49LL9uVkgnm2DBeUO1C29oIrSBIDIgACU6Jq/oDbqeltJqsoWmYZ1roEJXq4dFJ7P9e2UcDL06y7+HBBhHHnGC7gNZhV3uO8w/GH+tuasyeHbGSEyg9YG23Z9dkJ9azLtVUCROv4/8/4cSerlCWtIQkZ+GURW1zfWTFX3t8f1LebSeMLvyWmoglFhAk5TpNPW6ShSUqRX2yr3yUyP77pTU2EYHp4g7pztb5LpJh8VlB1PR7XQS4zcMsKJdu0yfYAh4/sJoLS7f9gJvdC3Urr2YkF2LAtFRivNY+Tlyb3rSZvh/vEl8aGWtSfjeByAR9e07riMwdpoWxLGRAha/omKW/UuFKBiUAj5A/JFNRgb5UkcOlA7O4ft5P67217mtx33QsADZSNcyuLyN9Gu/JCIV74isgWm4pZdBKi/7H2EviO9hL57MXcHdZcObqZnl0EprZYvS3lqdeXHthUQgFu/qU0QprKDgYOpF+FGZ4y9AK02WQePMiaK+JuVe1Wp4kl9U/HGTdN9o6s/JBKMaFP4f6kvw/OTV5BGG8bypntYc4eUMnTumBiDF/vUdSsAHimpqe9S1s+vnX2GQgj0eshm/LKmbqMJMRAcxKLjoSmYEhWoeQv6+G6tKND6TjZc9HF6yjfvWnk5iV+G1/4qce3Rbnu0TxPTC4kZPiSi3Yp7OU97oH1MVYw9iMIlrA9BaB6sYDtoLWd34GgPlOVVZAwb1hqQE7OZ0vQn8umjFZPbCA4A1rzgjaRmcUOTY+wpIAcaRr2FaLMRjZPzBizav4Lf/uKXRUniFsBZr3kReiaWGYDcR3HrvNQVJTxJJyWC/jSAPz/9JKvLbZQYkX2vDGfSOYLcFaYxNpgyEN0epeJRIDRUpmugYw/Or3j2BjIW+YqAN3uwW7UuxZHcpN0bJuuqHf2mjr5kBvrTzwHwaRDj2mATKQjisqHUY6jbf0L+AmaTOk7e2Dr/dUREr1LMBYX7bxXGRCN5a1bFxM9D89fWFuZNqgJ8DmY/lDF3yLgaCXGEuFgQw+HrY2uSBRJ0FfxvKvChPTCBSUHwAtABtD/v3Kx5N9DPN8ocZnJtO8bQeokWJBtaxhre9b+TawmVJsVURG/3ImZCOtY07hU0jRF+sxjNfG4xJLHnfoeF0CiK1JuoDKg7Ej2EBZgRB4XB2VJN2or12ozvxj1EuCDjoAtUmVKog/6JUxje5atCKaDmj6pkAq7N6XRUUUbZvPHj87osBYLkch3YzUBM/IgDKLDV/eowfbCueajI8dk0pGRio5zBIjrW5dHCCk2byswFehC+f+SGJJ+bdi0eB4jCjswAE6x+TiGVohq9XLxWW+EHJQh0ZezO4Q6BI7qAxmuXcFwPa8B27xIEqKMmJScKBH6Hv66zQkLgyDTkoWpv/xxyaLoKAU7uW4hJa1pfRZH9OUpZbfI+7u42mRMPv6erMuZngKTtTtRCV8RpXKaKiFVAdd6hVc0Rgdje9D8WW1rkn7C3JfSR9WhNOPajIMg5gwRKZBUCvGCHYp/RsZiwOzdjKNlzPjSi1oDEmf4LtkyaZdFrqIHdgvGoaIcFi4AlXWaCpBHmbty8aTyl1CWFlLYnMslXHoaXVnVimBL28LVxV8rQfzig7TJI5GVD70rgMZnlLWgBKOMjJNR7w60JkVcsBlplYPibj7FxD8p+F2Ywou1UgrhLrberdJfgOk8TQwLPKhyZHzcHS82o97A2bp9jpvpV0XsOfhSvLkdEFWvn5FePSWhxDvO81M0V/J84OBVJowQ6NVGiECKlUkx0wiXrbMPscxaww1DDiVwvGjl7mzGvmhCeoKtcNihLst5h5ng7LIKriUpdImj9QSHC39IYgxqBSAuoHrdQs25Mxd5jKbLJF3OIotxDe6Vtw0DtwHxJySD2I4neAeUVfP/UkQ+pWYY5afGgWymBcOhK6tOStV7MN61bSFJ7t9c+oITfcsvQSJ3IGBSCf50nO5am+aLtJgx81PKv54PqWywZsALElC+IhebVtc/LNDCgAXdfZPY+TFDA+q+c0XHbEZKRihwTn5hGVqPQv8N7sPI+Gzc/garIxGUB207n3rjsGdtufy0w1LCn/hGJCzKglNg9SymDstymKHNH0Jp67dPWIJ4oWdQ3cKpNJklAzFN2J12TkVRFljut8Lr4O7uWYHNtbDLZxvl7vgMoETsQeRigzI7YvsVb75ismfIjRZ4wU1XPDSKonAOYmBzeQ8CfXrweaQGSH1bHP4B43oNh9bGZEySHlcHxjl4yabsqsIMhYN7JiemUetAnXjluhlSUD2Uf9QD0jjzYBpcBJ2pMqH010VM+BxmV+86HjOcMFCOkdQ3CjD9BBXbHbdH9MiPdx5+CZ5hX0ybont55L2ElI4Ue/sIT9jU3Z3rG+P7wCSzAATpqNzyOJdYIlK/fb6ivdwh++CtI7snAqbo5HTOXoMQ9mFMkAnJuZFCMAJEL08s+rGq3HOEH8B9fu4frAI0lExlRAv0bTdyb0CvyCIN8HAhKT26G83rUHhhlaxutgPW93/qeS9TC/QWgGOFJ/5dyDzHBupTh3Vex5Nu22lP5pSAbUoDBjCXjlZSdq7qIXVAsMon9NiXbPrNWoboLoc9XlzQM9gRDqWSn5QUFRUdqg07jFgSUf/heOV934Bez7RTL6L2rXh7rbHXZWTe4p70Q68zo7mUQDuQBO1y/Jx2l8rfUND9Gt1wnGUAZO9tgL6oqn4to9bp0o4dO1jWefdNHh/KbZckRuTtbEddPasBs0xc9MCu/C20ceAtREnDRNu41YtgSw==,iv:XOQg3GqMhWAWJdLgcw6wLi/Jw0KZp4YpuoY5MhzizoU=,tag:2AHG2lyRClCa96qBZM9MLA==,type:str]
ddclient: ENC[AES256_GCM,data:bB0gOu82+124M8d+AcTrhnaexZn3IRx18OM7JkdXpdo=,iv:o7pI+mMlD11TVK7dpf1pIKLWZjFoJE0BUW+FWB1CNkk=,tag:2eiyrhFAfCRwh8kx+ox6VA==,type:str]
filebot-license: ENC[AES256_GCM,data:twfY90M2Qq4T0B2yXwFw1hW94JIjCsgXDtXw+sjJxxCwn3t3A7cil64jJ4cjSFHf7gnT6/ijgGVBh70+DzurSI5F5XhIg9vpl+NtNvbvNRwVfO+tvBgFsDpmhZ4iAY+9b4uJFSF3BRHF6cNfK7imRkQCrNLBxxrRKdL3TWqWrSyz8k8OCs9oVHXUTLv1qkdcOn8R0a3c9CM+u1/FA3d7wFVAhdgj8T7mubbBAtv4CJFrU9Qm0KZSx1PpRFrwjHTIzLL1on40SExhQLrKMzQs/Abv2+p6QeSAMWRFc7RKuWOyQUF+Cti+a7q63DZn/IlOUeDvdnjzqtv6xTdh2jcBb7zujXgkkBOvo9PosF4hYL5LMpl5IKKz67lVplo9CHiDOWDdjgfel331ItVJrPnwQFpv0EanzjyWC98/WVjOrLqAK+zXsayDrVpYOGGAiCmBe5ucJSy7xQV/z1qMQxVDqw+zt6e2HLz4zfMBWLTzxtOjX/eLSk/omcrpPx+wDWjXBjFJtcLHvTtdq3nU8i/a7XFCKsywu9UkyShqaYj0zS3+pg4GkolcpohH9c/fQTX1HFOdRXFgMoRd5pgvhHE3aAGXr83d+Euvdo/NuKnQWbU6XYWeOwJLRevayoACd8luIAB/gm+1lTJux0Vjxj6VEbDxJEXIqL7C9tDF2ikfYcrMytCrA/ZcBRJujIBLoOpCTiFhbHjT6F03T6Np49qOxYRIHSA/GaZzGHhBpb7srZVsSi5qhTfOl+EiiShsgmZjhse0lXoyNWBllo5Dy3E9vB26d2QL0lEI30kqrO4XdgaLtZuCC4lWP/RxHXbYSah1xm5K3T8z454mGBRHJqMHrCMEhuk1NHdX07xLbVeGM8qnfX9y519hzQEPSf6Cmz0=,iv:wWL5EcM25VSjsAB79FO5lv+8/q5JBYd34dhIyyjJiuY=,tag:MyaQAWslwW3caXE/XiRdNw==,type:str]
forgejo-mailer-password: ENC[AES256_GCM,data:anUrMCIKbWCqNSN5HJKjMaqhlXVT+QsKfi1YdW4sDKACzL9LpMbdT4cThr779QDSvGFhbRuTysEs0jEQjDUdam00,iv:pBlGfyuPbKzp+QXHlR3eZpvy6Uhcj5rM3T1rx47P+us=,tag:lCcNRj7xo90kx0dknRU4Vw==,type:str]
forgejo-runner-token: ENC[AES256_GCM,data:HPn7kdxG570G0R74oT8IhGb+ZgIOgiqzio+GAPBXuO1Enq5ygm9xsFPeY+m7kBM=,iv:Sc9oRZctOAe9JEAy+JotKFFErMA3J0lc+0S6N1W+MGo=,tag:PY8G6SasJgpZUP25CP1r1g==,type:str]
gitea-mailer-password: ENC[AES256_GCM,data:ahsBBVjmUse9VrZOGQ++3C4WVOkFHJdTPYg3b3PGowdHheZkoSe2uEeKmnflDPHGD+lMtFoLAES18pIv8G2/tDAr,iv:QADR4/YZ4ikJskcHwfqiGvnCKB7WG4VTDtJkVuNaho0=,tag:E8WSmvw6IwLa6CxaVu9GhA==,type:str]
gitea-runner: ENC[AES256_GCM,data:eoGF7AlQqGWUQT1mtbgGFhloDd8WJp9qcc6XNohWz4oLS3Y3hdx2hcBL6VnF/vgtXZOHLZ9Bib3JFEzViYDf1p1gouvcfsK/4hKNfsoe5rswKvPRb3m4jDJnuOUf8JCFoh5XYBjCH6X9EG7WHtWTzYprRJ9EzMLwIHUyGULT2BmfLNHkEBDkfPffp5Rh2Kc/d2VpGM/qBDkDb6eDskiXC0UeOHfPyIyDsORD9bWx+1YYiUu1S7fpLD5nlN0JW3eaw683yvczNsgSoR1DWl5/6/I=,iv:UtRDVC1TATS2I0wWXHfOrfgFTJpML9TS9AN2sXGqtPA=,tag:XhDdZl66RRvxGNWYK8iQTg==,type:str]
gitea-runner-token: ENC[AES256_GCM,data:7z3aE/HNuZ0H8wsc/cy5ZiX0cBjtEUYPU7vabkh9AXgOBd0Gfv+bCyrCzvN8MyI=,iv:VYfJw/g2R5Unok+e9/wJjHS4gYNmbF+yxoRzyHsm8iU=,tag:mLwUu1GSWcq7vzc9PEJKWQ==,type:str]
home-assistant-ldap: ENC[AES256_GCM,data:P+yqFcbfqQvgzNj3wu488HgTUFd7bE35cQCpe2nWUQ1SqsXVT4+Q8i+WlnpWaxLAP0QlWQqKBzqUJiU3/k9PWA==,iv:VjlAXLAs134gopU4oaKaPoHfTKoEK5SUlD+IuMw+3hQ=,tag:G0RFhr4AOXbhCSJPJA35Kg==,type:str]
home-assistant-secrets.yaml: ENC[AES256_GCM,data:naM/fFaLtlRWEkVaCkfUa1RvdYK/pJl3mREGSI3QA+3vqOGRj46yTDdTvBhcdi6hKRatJr9HJMj229gyJSneUUFIb1cz+rPyrXnIxBMl9fsjQfBF8s7YoZy1UJxO8TIrdBkgKPKg+olk8aoR2jkafEwix96g8JR8C3nqJF86JT+LgJ4jeoPDBLUG3Ae01fRNkhKWbo1JK3RCp61m/cR6Mp9H+EbgO1bQ9puRCAXESabEwF/TgcQQuv56h9v1glU9kqfe602zOzyUxuUOo1VB9+lRCiAV462vtZ99kKxIvRbNWd4PQ0xoPI5j7mTkXIpxZSUkrIsXdrbZuAYvHERD,iv:KycHSWt6nXdf9MoRf7cNWJgQ3e3JYK6gbJhSnHu3/2Q=,tag:QmiYIF1FYjDa3I86KB9oMA==,type:str]
moltbot-gateway-token: ENC[AES256_GCM,data:TIw7yqHbyNLdka0PHCrX1UNgK+PYj13sjJY9QoyMVIuMvFhFh1Fg9I8vTqD5/AWCypkcmmQullx3t/rOU/NI3Q==,iv:fkZn4u81Q+ZdEBM8l4YVhDVpAqdLEMFXRQMuZ3mdeC0=,tag:/ZFOiNCvI1holTkOtvgF9Q==,type:str]
piped-db-password: ENC[AES256_GCM,data:JM1ZyHOhYDo+fgiVRrYB+iF6ITL+hSpVY+h/xVH+aP85HEoaF+Ryo3iFxpk=,iv:iM67fueJ1ebGF79Mj/6YH8mEDc6uz0uTUGsKF43xhAI=,tag:oPBws8hO0fmS+o859RdsMQ==,type:str]
pushover-api-token: ENC[AES256_GCM,data:EBdqKj3ac/H9vYWdMWBKuRo18ucuAZHXEiS2LNLW,iv:vIx2/15QgfT14GcYFVdUcsNEk3On5nZ8jbqeP5fFwG8=,tag:sR+j0iqjbMPaFePWVRID4g==,type:str]
pushover-user-key: ENC[AES256_GCM,data:/dKxdB/eM0MtNSVcr4NYGv7tw1Cvkge8p/HcWv/+,iv:RzLuLyg+2KSGH9UW2495KeKEyiTo5OzMWtlZhgg48uw=,tag:2q7rAvy8bWyLPLNONmagig==,type:str]
wrwks_vpn_key: ENC[AES256_GCM,data:8LmRG8yVFfMTwgRnT5dQg5H0b5Yaz/fM15l4TsaVaEQ0PZsSHY2PvVacv+6iZdDZOeyVZfslg+12dCD5OicN3g==,iv:QGRs/d8HK77PwJRpGFu+7ciX7sqs8ZV+3KEh2BlHZ/M=,tag:EwebFPtI4TfAR7b9ps7vJw==,type:str]
wg_cloonar_key: ENC[AES256_GCM,data:9FgI8sAGXgn680jhzUvWY1IsmcuGfk2lPalE5xWN7iFi2KnSbj6inawwJmQ=,iv:qahuBL2U2ncS4SPUPYNJ4Eqaq4hc2zkgVAiyF7+0jVM=,tag:Ony3Fd1F08Dxy3fTGmp2sA==,type:str]
wg_epicenter_works_key: ENC[AES256_GCM,data:2gtqs64Zzz3Uy7RPWHszideTtzooA3YMaw4+WfmTxBbQNKREaeySV2+Vdls=,iv:sE0CRkgz7FCiH3cWg3ozzgjEMjQ1PxSm06wFKqqi/DY=,tag:DkgJISsUh0v2yIGZFVcQzA==,type:str]
wg_epicenter_works_psk: ENC[AES256_GCM,data:gl/6kg+QT+y3InIcx6OcVlEckhyKYzDvCFbc62CjFTLq7pCDuNbAMSpLJFA=,iv:0QuR2twfIMuyhT11tblvZ7A6BHqBJzZcx4IprTVlqw0=,tag:oJlLXnsy8w1Dcbs81MGsjA==,type:str]
wg_ghetto_at_key: ENC[AES256_GCM,data:mpKsGzoWz8U/v/aZdN+z/U4z9kzlSo6IRK81yEkGjrOqhc4IHEuYe6U6I1s=,iv:qityQlwmZMo+Dst48hGhegN04cpMwyB0soeWRiZiVZI=,tag:uBtl/jdXF7BihNfIYlqJ5w==,type:str]
matrix-shared-secret: ENC[AES256_GCM,data:IyeA3VvLhgGzEpTrQC85MlK5ngrPMvw/GmQhk9mWQ58NJsC942t8LcQO4AGMQBtrq17eLv6Ke2rOuoxlRA==,iv:zLKhiv01ViSH8dN9j3XJA520KdgBFQWO1bo/cuJVDuM=,tag:fiQ4NWhr+TtNN+AbGAtjxg==,type:str]
phpldapadmin: ENC[AES256_GCM,data:Xv7G0iCfuPG7rXWfddgLV2Ztftwh1/lCY1KU+hGJDSGxbXKMkjThS9HL8+2BkOwHr46YVp0JHtxEcK4dxOQ/QTCF0xU6eo92dneXJ8ZyPe4UVWX+3x26vp1iOEpaDqL5n55FqKX0vJHffJBUS0mBu403fkJS463Mgyd8i9GPYBGZrGiiiApj49DUqA4bKdnxZMfOvY1SLk5wLfoY10uUuWlG/hwKrp3y5EkyQdUuD43kyDUMG0Zcka5ovz9TFGCQqGERWWnasOlduYTlR057h3w6TKi/I4wupbp2IHu+hyvrRtkM2/EcVPXpvWgEE/i+EFto3ku/Go+L5yjahJoJEhog0oIsZOg3,iv:26JI37tNe85LM88gg/AOoTqmSPjXD4hXbePwSJQrqWw=,tag:pFwr+73n5s/cGFwNnBlLsg==,type:str]
palworld: ENC[AES256_GCM,data:ihtdcEXcqiSr2RqsYreg9HlYB9SVkPdNTDThZTU390Lxu8SfNkbruYmYAALo8H8N2nMX83FAyuLGQ0OHlN0qSPzroK8QVUF2oI+JAcyjMnKB/gqhLMMgr9UN+72X2/3K2OwH+rY873uiBVAVbTBtfOJzDGDCgINERSjVtyw00n1Wxzlz7JWti80b8Hdilpg6LZj7VshAZf19s0VWljxz/drGBHCetWLn9dCop5Q00Hqd7dC4rn+efVelL0M7OT8KiGfYyoUL5cQhGb4ihYXa5+QuvIazm6C5hoQn0Ou7PFQGitB13gziwTu/OXkZeNLm4+xuayr52G3Min3HwzEtiGVP0DtYJmx+ONUOal/scZXuhkC1fjtkIdSQZi3L78CKvvkxQz6VGXi2gWxeZ63fvxGEitiEhE4JG1XwERDQQup1OneKIeelNqiQKSaYmQe3nJjn8lrFW+TKoj2hgFHw9u2xH4Qad2HcsJPiz8w2MdwBVj5H88vBSBWGUWyi6D2cxC7uaJ+qEINzjkWodgdUfD+OyPrRqQcuB6geRgadYpmpr+fqH4sIbYg31GfUgXtEfCxm9muAywMzhhmEq4173F2JNTYHGJG+R+2CoMpw9nJSidQJNaSJnZRPpNlShmBbgPt2rvqrFVXeKpaIpk4OjT57U+vlV6OzP0x8CnYe77cspCntm5VcP5lzqTJ+Xn4AZWY8gPolQM87VZ+oOQ==,iv:7M4FSofk3eYlLKuVIdxL49g4bwTF4ju8omO0PLMnZVw=,tag:5E9q+as6oLdF++dapuG6TA==,type:str]
ark: ENC[AES256_GCM,data:M3ztO6/LUCD6Zik+g1SuKf+2ne4ZSDaaD0R/kWX+qwHJZ8Scfzku63a8qAfytfICQ/XhTEF+f6s5pxTkiN1mgPMfdIda73d+Rv2yeVTkdgsamY9kTrTx9v3wZHiNyUvQM+IjNUje2CsF4iivMzyJhIF0112qYH7bMuvbKydHO5EQw4WPBonIXfLC1vd5wqAXWgyuQmvHTwHLgTQXSLiKbP/MhoBrpuzQtNM479VjMNVy5FpCf8+hl9ffj9MEcsORCB/hbG7HT7tdkP4w,iv:EU0ofqpq6qDCgwc9wrI32o1f20bhIASVcymYSuUMy2I=,tag:tvtVedgFpyosA/kMsxIGGw==,type:str]
firefox-sync: ENC[AES256_GCM,data:ctJxQDELOxkXJAJusvwGT70jShSr2o+xtAFvX9EuWe5DxfXrXeUVdHo1tELp8kofPMnYq1dMGDvj0iBNzK6MPQ75jeehZSO+RVyeRQopEmIJUOOFKR/goCeP0gcTOkuKmyr1p01OBjUTIp1UWvcsY6QC0ZHjF602WsmEZ+KeWw3uBnR18+7dA5tAkvoy1O4=,iv:/eVCI11oCbRxuhQpX3BEgwJCaoPHPTBE0s1XgVT1rHE=,tag:USu3y/CGQlliVJzeloCtQQ==,type:str]
knot-tsig-key: ENC[AES256_GCM,data:JXz7YJGgxoEJV9KiaaaiDgE50cVcZhOyXmknOxpV4zdgximUrM+TsNXmd9k=,iv:hhOThVcAMWTwp0bqC+7JMDS6O1iZzpE50AxvDB0sy2c=,tag:IAdZlLxgNjACBZxKXCrh/A==,type:str]
mopidy-spotify: ENC[AES256_GCM,data:/InQ6bFDZMyP2Np6f8zOh/Ssdgr27tcrwaOZhodR7Gagau2RQCJ8QHYK42x8P/3TEDXLbR2umySv48cOa/XtI8CTQaPAttfw++11QLIaXGfiiKgw4NyjNAAnhB+qlvXBDaLrGyk2PuDcPBkXm1x87hh3Rtou0Wa/,iv:35drh5LsdQLhd3v5VfK1IeVOeTRM29PdZSY/dH9b7ZI=,tag:lqkiE1rUlUq3Ym5sl5Nsog==,type:str]
lms-spotify: ENC[AES256_GCM,data:7yiuiZc6/65ppPjzK5ngt6DOvFtnD0HRgKca+TfsZ8rI0CaNywVZceW1lA0v6l9a4FJaOcMegNIs+2cNa7BkVpia53uFRL0ikHTDyI0nB9XLIhmbnzlbGSJ26MMeczJNS3J6rEX758BcEXme9pAvEmSWUga/GTlRcjfuFkvbToEpbVe6oEhthtnf0kucH2Yr/7ETUOMJLaUfb8NhvUUt6+BOb4zy52cXRBmB+IWo1qM4djx4L15ESP7MAo7iah83lktyyJgn5g==,iv:Y0mWmoW5xxlKDEjX7NIFG36AhTfO8Yuz9nqwwvK/s9E=,tag:pQl6V3q/DojdqmJuMZBJHA==,type:str]
sops:
age:
- recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTDFvM2l3Tm5lU0paWXpF
cjVBSFhENW5mNG9DSFM1NXh3UHdaKzlKMGlZCnRmNFBFVWY4N0FqLzF1bUMyUDdL
U091VENiVFhYeEJ5K0xodXlHVkhHKzgKLS0tIGxta3A2TjJiMUtiR2RzcU02Rys5
U1c0SjRKK2UwbTVIQUMrT1pOOVFmOVkKY3UyGNIPZJLE8GG124y0pLgqGub9SMCq
plK5H+kASOB1X6pK+3PBFuDYT1AbsRxXvWgAEMvVI7eBcxQlSrrB4Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRjRJU3ZXYk1wbndIRTRV
WmNTY1BxdTdtMThwbnNNYmVwdlBVV21UeEhZCjFpY0VMWjZSdlFWNjFkVjNrcXVY
NGIyR1QwOWYvbzA0bjBGdVljYURJUVUKLS0tIG0valMrZm5GLzVHL1ZFWFR6WEE4
SFZidDhhTGRWZ3N1OVRIck0zdU44enMKcvt5966NSlt6heJmmOk0BRHOZnimLzi+
EPD1lnQH/Pq56Bcb+aFY4qymUwWov3TbshVBhh7CTiNtF8OSkgoEsw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaXBqMGl1UytNL3BkZEhQ
S3RFL3lZRVZKTGVRTGFMNlFlWFRCNDNvRTM4CnpWZWovSDZaclQvN2Vwa0dWZGgz
Q1ZLM0sveXBxOVpvNHkycWJWWXdmVE0KLS0tIHl2bFk3RE03N01IdDJPWk5HT1Np
Qm82Sit3Q0haaDdnbzFjendMUm04Wk0KYp09dxXjzvC4IlH6Ilip8YjTz0mFeu/0
5IDMYjT1BuW5YiKgIJVd+UgOd6ysZLFFwk+Us2AcV7z110xk/askqQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBNSthOTgzZUhCVjBVb0tn
RnM4TWRPZmFvdzNMVUJuanlXdDZIMnpkMng0ClRrdHRNblNQQTRSdkZ0dzFWQW83
azA2UkdqOFFxTDdTOGJEdXhXWkZQSWMKLS0tIGdyRndDOXd3MnI4cDAyRmQvZElW
Y25yZXdwQXJ4a1NGbzFlVi9oMWJOYVkKjMFhePSmIyDjjzn9y5wJN2yEx+88KGhM
W2W3iUGBjLOhnsUdNzDtrc5mDM+OH6jckvAz3UQpAUBtEaf+TUv3VA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Wkd0YnBQRnExeVdUTGFu
N3o3MnF2aTY2NlBmdDJYT01zRytWZ2w1dFg0ClAzcnJ0NFYrVWlBM2JQU1B0SEJi
MGE5aVh6KzNmaEoxaHFOTW90K0VmMGsKLS0tIDNkOGZyVmMzME80TlBWMzI5UVR2
djB3Y2FIRDFKWlEwTnRBUnRIT3M2OXcK+SIt/7DRdQi6H1AZooJN2Pt2g1EwVTZe
Q14cEt0sLyVYzLJugfz2JWRHDZX6wPueYcTSEs7w3wAPVwvJWju8bg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBib3l5NVZMMWlVbEc1Y29N
THBXTmt6YVpnMG4xVjVNb3BJampuUVJoY3dnCnRMNk5wQnJzcWVLS0IyUk9ta2cv
U3dVWVJ1Tm1US2pROHphOGlidmxUK1kKLS0tIGtFdUpWdm9KMTVLS0tUdjBMZDlY
Vzl6QVE3azNtQm5IblVnMnBadkVCcFEKSbU+++fmAfh5oXPnjHbXK9XYDoLbtn9Z
qREcR1NZjTliJd5jJ8sgMMxDKo6+ml6nOsRLqyCqITllJpgFzSLe5A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQXhNSFBnNUtMdkpwR0th
M1NmOVorcUdlZTFDM3dVRHZlYWpJcDZiakVnCit6eTFOeW92SzhPYzJxR0VTem9r
MSs4cWxRbzVBQmlWaHIwMjB5RUlJMXcKLS0tIHNSVTloOEVVVndDWkVrWmQrYXlD
NTd1WGFJWHVLTnFNT3hYbDdtSnMzTTAKBmJOayZLbjmBejwVzVtUSYPki+qPkYwG
xdO3L7n0Z8Cv/kVYZpkuG5GqOUL+nCJuYDjF0g4PaLb6WWd0W8ZGFA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YzIxSkEvUHdlL0FYcDhm
OTlTR0ExNVRPZzVTdlhFUWZ3YS9ncm1ObWw0CkQwWGZyRG5iN2FHNk9lVnpvUlFt
eTJKbzJYbXBuSjZwTitrRWtERnJyWHcKLS0tIDRZZU8rTUxCQnI3QkVhZ0h6WC9y
U1BDd1V3M1VnK0dqamVndGdVUysvbDAKPipxKNbjkE5VugEvKxt5If1iFules5ul
WLH7rH8M7R4uTOufBomXAqx3vMxxaCqUQlfbqhUkN7AT8vDPt5gqFg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-01T11:01:54Z"
mac: ENC[AES256_GCM,data:taGX5HHZCL7Zo4taS2Jz/5WxhvpBNNKZ13ZCtS3x/P17tC1Nrk2UDcxbOZ1pPVbVvvaAHJtDb3owFvBOM4nr2Eve0M9zT4HbXh3hke7AviQ6U7CT1ru6LjY7W8lBjbQ6uCt+Ldxd1PRPPGiyKdK5GAUPKg6avFjpJbhEikh8Gww=,iv:NNs5usVJ5izYvHKnNm1IgjSt4dg0QFQ7cClJ6zh+3wM=,tag:sYYbEWIUgOWthEItdy5PFg==,type:str]
lastmodified: "2026-01-31T13:59:03Z"
mac: ENC[AES256_GCM,data:Nr7KPjlCuzWE4aAZj1MqD8Nm5TsC5FZWBpc9qQJMUOGjQMHYqwZU0fttRcY5Ik6MIH7+f+lPxHyRqqoy9ufYOqtAs5+fTDIgTGpYsBqN/MYqFLtwqAqOKoM3M+q0V8zmIotA13MQR8UxCF4WXCg37vwWKFKbNXlilpGOMOr1lHA=,iv:cjtfFHhqelIeNM7Xh6HIOJuQB2QzFp/vw8LcZujo6c0=,tag:Kb78AF9dswbO/MqjHDoQRg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

3
hosts/mail/modules/metrics/default.nix
View file

@ -5,4 +5,7 @@
./postfix-exporter.nix
./dovecot-exporter.nix
];
# Systemd services to monitor
services.victoriametrics.monitoredServices = [ "postfix" "dovecot" "openldap" "wireguard-wg_cloonar" ];
}

3
hosts/nas/configuration.nix
View file

@ -12,10 +12,12 @@ in {
./utils/modules/set-nix-channel.nix
./utils/modules/victoriametrics
./utils/modules/promtail
./utils/modules/autoupgrade.nix
./modules/cyberghost.nix
./modules/pyload.nix
./modules/jellyfin.nix
./modules/audiobookshelf.nix
./modules/power-management.nix
./modules/disk-monitoring.nix
./modules/ugreen-leds.nix
@ -63,6 +65,7 @@ in {
directories = [
"/var/lib/pyload"
"/var/lib/jellyfin"
"/var/lib/audiobookshelf"
"/var/log"
"/var/lib/nixos"
"/var/bento"

16
hosts/nas/modules/audiobookshelf.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }: {
# Audiobookshelf user with jellyfin and pyload groups for multimedia access
users.users.audiobookshelf = {
isSystemUser = true;
group = "audiobookshelf";
extraGroups = [ "jellyfin" "pyload" ];
};
users.groups.audiobookshelf = {};
services.audiobookshelf = {
enable = true;
openFirewall = true; # Opens default port 13378
host = "0.0.0.0"; # Listen on all interfaces
port = 13378;
};
}

7
hosts/nas/modules/cyberghost.nix
View file

@ -1,7 +1,8 @@
{ config, pkgs, ... }:
let
localNetwork = "10.42.96.0/20";
vpnServer = "87-1-hu.cg-dialup.net";
# vpnServer = "87-1-hu.cg-dialup.net";
vpnServer = "87-1-AT.cg-dialup.net";
in
{
# SOPS secrets for CyberGhost credentials
@ -37,8 +38,8 @@ in
config = ''
client
dev tun
proto udp
remote 87-1-hu.cg-dialup.net 443
proto tcp
remote ${vpnServer} 443
resolv-retry infinite
nobind
persist-key

2
hosts/nas/modules/disk-monitoring.nix
View file

@ -7,8 +7,6 @@
let
# Disk identifiers from hardware-configuration.nix
disks = [
"/dev/disk/by-id/ata-ST18000NM000J-2TV103_ZR52TBSB"
"/dev/disk/by-id/ata-ST18000NM000J-2TV103_ZR52V9QX"
"/dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_8582A01SF4MJ"
"/dev/disk/by-id/ata-TOSHIBA_MG10ACA20TE_75V2A0H3F4MJ"
"/dev/disk/by-id/nvme-KIOXIA-EXCERIA_PLUS_G3_SSD_7FJKS1MAZ0E7"

4
hosts/nas/modules/pyload.nix
View file

@ -52,6 +52,7 @@ in
home = "/var/lib/pyload";
createHome = true;
extraGroups = [ "jellyfin" ];
shell = pkgs.bashInteractive; # Required for filebot-process script
};
users.groups.pyload = {};
@ -90,6 +91,9 @@ in
};
serviceConfig = {
# Disable PrivateTmp so unrar can use system /tmp for extraction
PrivateTmp = lib.mkForce false;
# Bind-mount DNS configuration files into the sandboxed service
BindReadOnlyPaths = [
"/etc/resolv.conf"

151
hosts/nas/secrets.yaml
View file

@ -1,48 +1,143 @@
pyload-extraction-passwords: ENC[AES256_GCM,data:zOvPYcnvcg2OwJaCZovYQz87ZN9DdpKX1Re1/v24daw0WGBG3sGeJn1q+LDfjPIMy487CdY=,iv:loWfUcIw30kVXchmXwAts10FNUGxSsTY2UVRKs0RTJ8=,tag:WlTYugSv2ApR496Uc1KPEg==,type:str]
cyberghost-auth: ENC[AES256_GCM,data:v8PlO2qi06p2FZR1iFbHAVPr0k+X/A==,iv:oEzIIZ7KiVJ5EpMT2YMgvMZSJZwtIsnTWwkMXxl/R4w=,tag:+NOMggSKloW0SOYxopHrYA==,type:str]
cyberghost-ca: ENC[AES256_GCM,data:BAYpZ2xQgD05MNn4ZNmIGPByF0ERMLaIIC+iY6MDFC1rbfy50zqDKvzx8fdSYJp0hmUd7M+QnJUDDtq9dJkNcY90A1jiXhWK43gxBSeklcEhj5+l8tzmXuYGe7XtALu7D+Kee2NIUBEY7NHZOYP0Tj9BVFVzmyAKhgu6vs7UEwNt518LeIlH33eDO/809/vXVW2VhX3HoMytit9kkhczDRh/oCnMzmC7SKsKwouCQAcOSLLaNyAHy3jOFi78CPqBPuuv3i6wsAgKByvdQ3QpMGO7xx9MbEZsRZJiDJRRhP5BOy4DX/H6PwsR89E4QqqL0fU9P82p+3FlmVyHED8MJO905T0SC4PPVKAUlbtCbOvoAZOSXTouKhLNLY7WMiwXEEVhrBlu/Ml40yCwUJ7QCiU7DQBEBvOvo8l8pBU1nx1JzbzGopDsOVE9csF6H5g6Dxf24YqAsDeB6cmeDXNuDXJcr+6AeDtMyw8d+SiTLKmPa58eTqM6JEYY2yn/1DNkRyyyc5bFykdRUacWOUuqXKnzT/oSxfrEZHMN2YMRJU4Vo/K5WQ0ymiSv5miFSnZnm60Ha7G+S54swjFaUUmcMh15Rva3LUw4N0uM9QuXiLko1VqJlPtzv+eveCBCM7UiET9d45PAOjbk4FCjmzONSCNdjQhI0B6OwuZ6G0aP9rrGV+vOCijfBBqy6Y/wLKV166OZ4GYXkdBuQJ8VnSjoxA0vbtLOXA/L8PdvVMbRbZ7kYTFbtLQJsO+gCpEJOKB3VxnEVXcnLqyCpwEOtYVf8e9haTOVr09WvYJ1xLx0kjDKlp5g3X3s1CLAJiBnm97bLH8T/j6FCqijSLZwVjZtF6HEM+gn9G6nT78QastOOIfGE9YTWTPEl4t4dQRwK/Sv0OoaLokYN18gXEtAHxGLhHjzjeCeTZz8o1dE2ILA0t/xk56nzPWb8KzJFvjyWfUpyZuWNvEftxWhtV9c4i+Na3uyt8JAAySljpEcefWDYn10lr9RrixDgpU094Z34PMZCoLvViIn8Winxe1WIjQlchUlgTyBKse0A/q0Xr52jyOuMms2GUS2ssDnBIocER3RT6EetJzLvTjFh5EeQbRr6EgdXsvWzrN46n10WfqyN85DzBZneKLPT/XWlYSZPE4aJj2KGPT9Gic8Yoouf5y22exXnQkfRZsCM32THg5ug075Qzkf77aQLPx7gFzGEWrJo/hjRb178yJW/Hhc8IYPPK9HdA6iRZm0LKfrEWi3gUFzkQO76fj9/wbYe57bHuYJW8B1516fyjvWPaz0fqdA//xLIfEgV6QS/iE122TYAqPk4OCraR7RbQ4stVutrI6o+ZJDSkCc4FI8McECtReVe7TN+pEzeVGlOa5s49L0QxEhP4ne5Y0gfJy5vBsD5HKSrLpZxww0P73UTUZdDCjKAnAhCFfYBmk8+VOFybazZS6Rv4zF2fvNPQ11Hacx1V2NGHA1uxrRpr+nUdeCIMPR6dtX67WTv4juIbr0oQBuJMsutzX265JQ+Rt2aC12FFpfN9TCBprFgkgRdgBUJWRcFfRwjD6jjzyQZGQ+nGuibogi7TIn3QPpVMNuwbe8a2Ks9BC5XjVhmym0mhS01DUmITLD1DPyVh3wGodB+4OQ5miJOwJeA11HBq1B44sTjC7vTSom4Dk/AOH91WnJrW1bG7Yw+j/DH/bc5efXlho3cHOQoQSWC7EQdLMzV5TXqY06idTwOQ+wo9l61qPCh9gqJLPlnNUrUqyEfc0zkwWvIt7gu26qykjET2Mt4cyXoFyHORqNywff37e3WSroo+meAVtO+xDPIJ5fI0AOsfwXRKiT+B/nmtE3VGL7duZt7yIbav7WnKn3zU+dEGdeQSt6cYNVGUtaVvsTO7RKermIIkA/8g/q+OVihf7MvCG5WTYBspu51swP9tN0NRcmmoRyI0bs6DEv8qHplpiC5eUUmyZU3wbhrXXLcyCDpNfwjq4vrotM1BG8maR2BLtVuTzpfKO0NMHA99pT0tateSLNC8YARCIjY/9njmHlVti/XHnjWm977syI3SGf06FUcTK52Vrxaoyp3x96VzGhdPLye8dDQ4MD9B8+B5qdzHF+m6rOeDZpbJmDMea6L4W+LiJLNSq6QolmM+aya3sQvQyCcSve2d+i7QLtIPKPmJkPPnwrbjCn6PHzE8KCAa7jmmd4pfUOAayp2NEWn5AS5qSGMZ4etUMde7BdHWWR3i632XCzrllMzOdOsLu9WF8SlcC4Nt6WQxDLXqhkl8pIeBe6rmy+AXc5wgkj/q60qYK96M12EHaB3dDfwYx/Ijx3Q1qqmMRFR8LGrmsryUsQm2sxQZUeE6I3EJqHD1vbQSZdt7TjLUaITOiRka/BNxQ4frThhiyUvm9zWaZKcoF/mdNdinxYxDE243535Yv/cquQFgKwoZ2/mU83CWyd3D9/8gYOJqrw6acNn1zlFXc4JSWnDaSqn1mSGZyw5PMPPKL1Pv2M9acV0t3d1asB5agohfVVpHgGp6/fQ7xbF/q5/07MaN/XRgbJHwo39q25Q1uec7PP/0qT0XlS0fPYEnDr9m9odfisw7Ku1MSJgic+eaNHXtkIRy3K5tLM9AM793Usn5PJeyS3+imOkit59gSAUlZzv2+IyJeZJIpgptPxVvvLzMpZ3+2PLvFNkmwlsJi+Nn7Fk7+BdzggNkIQMyBApWrZARbMhHxrtVLj3k1XoRciiEwNz11xFDwlyeXnxkikkt8pMQQIW/OMZJoenjbHlMdm4FM+gQ27cHbOu2OVFqeGAlgxIQJK66MglG52M4tHhSgvbdEReHY79AWXjGyy3nXpJx2CSB+Rvlvhsfgb21MjyGxChygxh1wTuKtHVz3F/ya60NLWRAHKQskZB5S6VgsZlgslan4v0mJzBemlh8AUp6g/P8skhLzeNh4JV4vshwIq9+mzTjUli1gzhKA8JP4WbNq+45DMwmURiB1sMalmT91uq9REage2Jx+pQ1PjC5DweFe8y6Bd4G4=,iv:mWBG6fP3do+VzwyBlCVXsWiywRNiyMiWNaxlYFTkms0=,tag:94YPWZtVy1viq0KbclF6LA==,type:str]
cyberghost-cert: ENC[AES256_GCM,data:U2QtxwqqPpuTvawmbUmaFjM4muDJptsdAp1GJrxiFsEtQJJYWJWf2zSNL857asH8/yzTkkaHNAHn8fHpN5GgDqXsHn7A9L1gWQ40OVDYoY8C3KevgyPlqQQgmgpk+F/ogWC6ZSBZIk2ayTe8E1qtOI/KpVjzPoteiXB6akD6OBBsysXAEr56MvdU1c9OnqxauHsFZr1BskYM9fqFXm6b7KzMpzA2BPfxtpuGrnTDzMwciRuQXqJM95h2tDs4KoHMGwhgQjyIrti2eZrXb5GK1N54Hi+fmTCRvEDYrYiOE058uROdYV0oCmXJmZ9LFu+ti7zTZzoIq3jqshLh6QAEBxxi1eWqQ8Qq/zkjZDdOOQIacURBK6UGYRzZTqEQB34m/5+NCuyTq+bhFORNXuEDPf+JYWlvnqDGQ6FAnM+Wg4LmSFALnDL7UHPIHWas+VU/EZ2QwVQQ46AZ8tnyWwsp/0VSZepZuPXOyle/tp7jHOT1aTVFAD5AdUIgB5g5CjTo0Aw4tBVAGfnQEcjClZU/ccpTHeS3agDNte+fvpodIC548hm1tHDHJL98ZsxcE6C4zzc5Kq7nIl4Pqc6bDurHtmk+/O9stDqZGTpb4NERTsFBLaQYgWd1bbQEXXx4YFnoSKQZZVNxVqG0mVHwYuYSLZiGIwj/msKsIqZW7RRZfnfNfc9Er5/KC4SJbQLKcwbJY00gGKHCr+WQZ4wtxFoEefyefabyJkFjQonvVcAN1yjJGq9fN9ZaVrQ92vxFQy3rNHuTyvWvTDhZLedu0ukK3jC/Fc1yuzEcvv308gvoJROS5O8Jk/nfVtfPDZeSkIY52sYKpTQP4gAyn4+56RO2HROBnFvmvIFq/4jb4AZR/GUWV6v2u1zvHw/gX84uI7WyqG6TvC5tPuQKQ5se+xg+bbt3xL+8h+ieBB/a26asFk8M5CnweHB1rg4NkcqrSa4vU9wf7Kd20HH8Odrb4Q9xc876s4HhSqPAE22ZAvTDhGUO4R+pAU86YZzKt2TuPXlR1S7l3v1gzyMgMq95G/VzxOVkV2zY63KjGc72U/u6ia4oIida8QMASckchB7+V+Uas8YUJj22VVvxYq38Nm2e/wUDSLFUoPk/k05D1hGvkoejcfbwmnVoBWDC+sifjuImOLwZ0V2EV1S3Qgxf5OnAbjPKe+gfqnmrVvF+67jJUyRpNmxhq1TBnn28X3QMVu3/cW6kxpaYPXT1OgPdTZ0OeKonnXGAh314XSWH9kTrTgIB2f6xBOD95Xquu1UDMTaMZopljjplX6y63xoRIugeOIXS5wxL+jQz7fTH6l6DCHN9yPp+YM+lKqyLx4KerpjDwB43QOaiqFdk3wEj6u0N+UvHWDaKjhHi5K5FQP+VekuHbBgbj/kG1u6HPZNyeiJ11h4LDvV3ZCdZetUOzTcn4g2S+ai5SryOKKXh9+lVb467swTCtCrE+3+7dplE82HYbTaF7A4k0jwOXvWYLS3EW93pIZsYwsanxNRWInQk85GO+9hSkJSD3InTDUaFWs4m6Y8wbZCr6kQ9XMsjCJlGcJ89k5ump8m+IWhDjEWlKv8+8Fves/ktF2TS2Nij+eL/GUaUSLm8EkRj7vKTsKOfFk8uyn9z6dxjDQ04jhJDPLZ/h4UtiQhQntGAjCuTX9psRiNTHr+b3uge3UszH43+F0SUuqMS6+ytGNeQvC5jSE6CAi1I4DP9bQXUIKm0UC6gPuStgUnWnszy/wf785Ryt6X6Wbj+v65iPfb365AifDozhD99NKabiIvzRfqAP7sVLUh1e9dMa2NjagnC092oNrgkoIJuLlpjaxu9KszRRP38b4KwMbz8A99Y/Rom/BUIU6n0jzzvbAEAw6/mdng7E1GTUXMUQF1lrm4ZBuhanX72akG6fx4mFzaTZuN2a+psuwJYtbl9ewBkWYu8pif3K9mBe/eJ2eoxA6jR1wmjfmDXYTINd/HDjZK2n90j0ZgdxySa1bgqoBWf2VftxWhm+jkVQDXJixZTj4FKfGBmvl2lvkQBMyo1l/tifqAkpzQa6BJFfPBy167B1OuhhEFpQlXgW+e7Hs70htjp3izTRg8/0msDfMTcB/f3kBODpRxnUbZdfNu3adYjzo2DMdBLfJ+DSR08aMVueSXij9sNShXqEWEkX+XKL0lQYKeErqQlwpoy13CjjxpDzmI2M0OaQ9Ow9aIs4H60CTPM2vg9KsyJR+RrgpP2kFFaDnd6+pY4rdE8/yUcTs94tQ6QEouF3/Pvvz0t66+unQT23i1zMEUENiJXUaznhtLRpfj+NJyCh/2CAHRTu95oBg89wqxDfG3B23SuiWwzXqAFnj/GMgXo0O27H2GplYW8rgXnzYwMeEDlbK4V+BtzOUN2sEOZOq1Gu4GY5Dw60V5vL2P0RUsUOyDEeSnAFoEioLU2quswjZMl1/3NCXF5dYV1jUTn3WDEZhE1VF7LRNT/dCG+8+QUf9KiFrkTG+DfY6X3qOSIWXtGWtDMk1Cmj321+NyWdtV78eEg0E3BYDz8B0DndRm/oxBA6UOU+wAcdVRS+zKKOQykdS89NhofqFyAAA8nQY2TwdwrETQOYIjjJAEnIB9C77IkwDvMwK0RO0X5r4RlNlFPaFgFF5yu8NdYTUKmr/kcR0aM5x9rPllRFaYWGCN2EHYTrqin3dflgBooFkNbTEo8J3Mo8agTFfonR3o4YBaCxbxTS0AMo7QoKj6Jm8t4fFl48YKFgtAJX/x2QRm5sTQ6KKsz/rz6beLia7iP8ookdoNkkTkDAmNZJTZMOTeLmGGh4AvGbZz0H8GjGBnhRajl37eed81m5lEVRJUowv9lK2cp/e5rWKheUOpFSULIvj5xnmhTcS+77jLXoUcdMZLwJlceeDaF+HanqaKKgvrKFa6g6xpe4WyuK1+0gE7x9HAmdn+aoUqCDChzCBXgBo9jkuBYviYJTGfLgDx7ZCptdl5xEX4wLbGChjaVCeXsOEqRdewnV3TnQRBAnd/IMlSSgrtWljSQCp667wuSvl40SHQ5zgb0hjcsep5av5u+Cx+L4J8VeKQjSmk383c/2drqC9V+SZaR3rK4p8Hb0qFnDreS4KOT3VQqtshJOrwUfa1EYPqeLXqZ6Ar9YcUpZTFAgcWf3oDLXQ==,iv:kavsBNAUcK7vHOJnj9nyX4D9dHzgP3aBwCLQb9umBJo=,tag:aeTpc2vpO72R45cjBR+cFw==,type:str]
cyberghost-key: ENC[AES256_GCM,data:135n9JkLyNluYlINp4j8/R1gMn8dGX9YPpdpvq8y/KYT7x1Yr/MzD9ogfXFDWTcrfkcRIu+sSeSLFLSifgRQ0oje33VNLUGIBXAN68sLvA1UybBrZzKdOywVHiCl0DDjQ20Mjk0fA9rTAV6+zm3KfutNtjjpBojNmrujosZC8YBbb3O189aiy7Ppq4DF8Q3gF5iaOiDDtgdjH9ASW7yAz5ufcTy9vX9qtbEItShE6spvjbQJ47wUyhDQ2M9eSK85EGSX7VjoMSGgxtKs+XVORXHSoSErtlhXSt8wNJoY7Nl6uB5iz7BdlfVKqsx4ab4aVnenZ1v1boTsUNQ3+ABXNFlgG2FEpGiu3Vnx0yqfc224ogxIOa3hf+IaMdysI1xCkdCOv1Ix7kf6osJ2kspU/DsZNobDZvRsGJQjjHDD45WIVxnI7efnJORVOcWlU67/XmpH16KhN1RKCG6vgXSPwvcjq4SDFhgUNktqD7DaZlRdkEvat/7nMjRT/ReysyBLzsu0HXesewjYw1WskOtdza+nctv47GtBwWwk+PrbmylDe31Iv8k1w0FcyxkhpOTANneeLW1u1EGOo7+sTK2Oei83xmIFHK1ODsP6WflRaELoLE09PrXERk/ohfDzTb515oKAJKd4Wso6vXFYK87CZCnIou+/bAUlk6tl0fXPNTPDUH82KuoEnUEgkyjvthBOq+st7vUbJG4eVoELG95vh9iCjJg5U4ldCd37s3YSH3osJRtNziW5/ZityMRCuePZs35fWGGviRZnhqOM4obz1hz3a5no9UXBWfgOO08nYbpQsVEAPg2qKo7ljRnBhtiQJcxP6/+Kcr0ZXEfVjfmENxhRWUO9IscUJ+ZCk09J4JnvAcgALy6qmIAjgBAvVAIEeJ89KM/972XuFPj7ebTfBmCInYq41hahs8AaPanQAywQTx5Av4ir0G5KpaDt5k8eda5BKANuTPAjZRDxGq+dCXczLjVIk0TTfwHnHlFt7twyxKnQlUCOI+v3dnVVbzjNWdVhp5Gdw7Jij/woEep/zLLHLONmD9qznEczr6sIl/wECJXNcLAMrsNqo70rZ529e0S0+ym3x2TI30jwMhhk/7br+1voku8CBdAEZign+3+GxPGCxQHQOWnHkPslQgm0Uyxu736e8/OKJWNDlC3U/UygPtv6fEnrbb/1BjV9NG1+SErR84Aau44YbCMnBofI7LhJsDXle/XD6FCHlURWPtJi2Tl5tm00sVQhap0LnYb6JunDECbJDwOprOfjqc+fmd2Ja9nj7s5c7ywrHeV4SXbml+FQMCXwh5PAQ/QGM21OShUh9wDkrt37K23d2zginG7ua2c5tPhu2ZOQS7XBBzGDPLUQUb0acPQhd6mFl5DLCt3P6p/o7uiQB48b4OfQRlgSlxoaTCrD3M58zNQYoJ+aa+dY9OxQBL49/bIhf8i9j2uA4mtwzLHE3cBN9A0s+t4VoXeeNz/telVebNlCNpWVM8oFpMAsK8qRtRxGMpsgH1usp9yzL3tzpSkFChXMjL/uKDK8N6VJauBPpnKNcWVPATMI77/apAYV9bttMj+LmR2tzjsetYELqES5MVcxOKENvRtSdX7Xdm71uQH1pIoG0bPVMF/BpysTGoOSBNjG0Sm47B5XzUSsEFavgHFo26a4vi2tRV5RcjEQOC4NxC3uMNc7IkFg0s94EIy5uDEn9r6AXpONG+/kGV0LCPgh4W5a3PTHeHd9Zczq6ZwoAANSVsCH9VHlUUH4Gaz1/HVotsJJWarM/8zVbVTUpSesW3L2DRh8948LP51scIgi05jBLOJq4pmXK3bQNjjFtVU2sVYMUicSGi19hpCsimqm467RKh0ynfATknyruudD9/98Ug8EnXy9scPWNaVeNHPkKidD0vFmoh2I9JpfTrH4Q4z/UCAPyBLG8IWLZnWHysu3w1TW+ro/pkYqCC9HkVXxDbPsfHhKwZsonV6cuZ7JEfjzKWwOZqs5CbtEamOegVtFOUgW4FMwyUYgIQdkKdtidnIINQk0JhfGtnK1MR/oxAB6jsuA4i3XL+cdnCqdncH9HqfEkSA3NhczmEQbY0Nm814gaItORFlXXUgp2TzccOETJETBegCVIwNp1mQ70FKgLu2xAxNrOQwloizJh5aiLLJJ2E8/OFjDUpLLxGDwJfrhzV/kY8b+e6U2BFY4qM8DIXjy4Ris7NBkwgwrgN9Xp3FtP2IGxP4jWvRP6JdW0vP9OnN+nxoE928eQj0Pmh2ZTPwC2ZOJPcKVr8YWXn0BW7SeAcS/vCl3J8KjDLXofFchg94K41J3l17STVlvPTXzLVcED9zzcNIZalDj5KYI7vDC3L9C3gdqtOzT4vO1BEf5GaCSz3xDVYAmS4LoRmXprsNZ4VqEYSQQsuLwFBRwyP1JyNVKa4XGSJDqhhEUYkNB1hQ5llDdLANXz1vsD1DYP57snJxJjgFRIw8paTZdSqA1kOeY8iMtetA62+jKvazyoFmYm6r+TCcVY67qujHODr5eNf9yjqvcV0FX6CcxIcnKsU08k2CWl3E3AqqK8C9Pkw3amVXsHXCgo00ubrZXcNpVxYruuDbrHSr6irLBcXMik9QZuiYj8afaD2sxGjRFsWwMGS0X2f/DJLR8qXLaqh0wrZvf4P75UtBp2mBZJoZGu3Y5AThJyLW2lsdGU5Ij0YLsbEQN17W0oGMgR17+5blOiiWLG7WvRW858odxCPmUcamsQxWdIAIVxfbqpyaxnIX5/Cqnm2ZvU54ULq2SgIPh30yJ/xm1TfDGmHrcawx+wMULcx4GL63OQ5SIp6/UEY4WNtCAHyHB1Ft9qgmuH+S83PkqFR+7cZ7eAxBNhdMwYPPfB4N8F7zB21/f6oMbb8H13fpxtpCRfItf9NLqvEULy1stacaI93ClrpAzS2T7er8Vgr1WS8O3kWRdQH1Bhxxil/xfTTXqXuXYm3BdGr2qOK6AkX+16aaQcTmaGt+LSAFHsezKUKrfBK6xAElR6+7qIeyfJQeZyi08G6kuTj54HpEHJXgOV7Rm2i2Z2cXaBPPLwFrASeCKqGTYXOzP2uI0LC+rl0zyzD7rbwtoqssc9HldMaUDHNrs8ijZ8QrTgwYj4b/QOQU3s549pP16PeGy1GR7catxWJiAACv7VyEq99mMzVMvf2r6QJCIO01DwCRdZswqhRZO1h6Q8S2W3HGdy0rzAWnPoCAQzPKHtKqX9TvgF3NcSL3hfUfDX/vLeLQE35G+xI6IrMT00KYUt5tyK6NKIJ/F29zgF9hZRxWirIf4tsIVxDWRLFAsrB5Kk1Rf4cWCygQ7vJHZBTP7tcWZim1AqXXIJsgdyJcBZ+5FKclIokG45e9La3kbviuevsIuDXsGXvUSuUN5QO9liSe2ZAHcQdEgg9XqMiiJ9xnIi9I+RyE5r7sFSSBGGdsv+OhXDuG7XbOGALfsaGxs3CGAC3JTgDBXxW1xCcSkcFT0pGa1a/FDSH/BVklOt70g4hbp4m36oPa2JCq1dcLqcFqLP1A5aXow7nlRCag64ssG7qAtnTA7/Q7WUj3XXmYFMtNWdIfO0PkcDWcx0BOrmaCbSgp0O6wX8PT9II4tZ/E0KokVqvFEwRCG+IfQzzPW8Il8+52RNFePjPFXnFss+mu/nzDhb+tRi6nviArXMmmSK9fj81JqbnIAS+3qZvow18fbU1uNc2smmmT2tAHyLqefokafqehwIaTXuAI+aeJs/gwG5JlIqcAcrU5lFhYfy2pyUld1nRd3N5ejDInNgdqbpdMTIehgU2MDQBsa87ian8ZDUsoiBu5zKzHn3opoG+tHQYyzifZEF0nSTXfchAJwiTMusy4JeEgIsquQOB6MJJgaPueHiwwuOCfOAuSL8tC+EJI7GyhfXesSO+sfpVfBPnZDeWty14rQarT/3gxB75IaXnkubJuOOXZ2oeq81iqNXl9G8nLenhXFg9GQjl695YsF6DgqMsYwsB9I0Z5wM2RLP28d245tJ8Fw4pMxPf4jfUgFcpuqGKXJZyS5/X1eUiVhz3JU5aUahZvolmPPASGMZL2HJdyyb7/4KdBZVESSE2dM9rXcJITgB7UbNccF8EamFUr053hBCYiwN/W80H+4pKhIRUjwTPgXs0S0spakIngHGcCnvr5tpV7gru51ghyJnnD68JzUxvjZoihJUIzqkyYqRC/YVpV6Q9WMIbWefIcDIadqU+deOX05p5pVNkJEHeRQMIywrkW8mjdpHP0yDQdN2rPNQrmCQZwPKFt0ye1HaRVte9BGfCjsIdKWS+KoF++dXYVzGDjJr0/hjQWQYSZmPloX9Q5M+fUPKFzW0LWcKVfeUdsXXOcCqfRRX24=,iv:DmcNUOhsi9doTYta+s65BFpuIgiK7QAjAorfVq/VGLA=,tag:c/mZS7ZnasX5XX4HIx80AA==,type:str]
filebot-license: ENC[AES256_GCM,data:Ib+NXsb0dJfBqm5GYvXxGMOQk3zL28oeS3VXsk4pFIGV5XsakqZRZb307X1oJnafMVXva/eQppraI8CqjwBDzy3AZSnwpFgj96/zvPWZi12IWemnqhFUDFZGaMG4Scg6Ugcq8hwJqU39Mf5JehSbJ/PoULg/Ovekj8R0nG7WlmQsqxpZWXWeAdfYZHw1/4MQTX/IGZG82SdsdFc4J9jTedks0yvW5MLkS3azZSFDqY2WXAMVa5J9jXEcie58k6p0QqAUpWGltoXz1tdN/mTnVV7PA35wReS/Ejm11KS5AsjkTIZRLeJ14BL0vALUh3z6JSdr8kPG1S31MMYxarzGBqjI78LfFmFynGonAlqj/jPoxA7AXOew5xRfoEqnxf8lSUf2F2n7PF+B1SgY/hwFvwUeoaA4ep8uFugT7pCvg3N+FmfsV4TAP6tfU75WjwZ07UKQ0t63C/aDI1lZZjfKDzXDFqliD6omhFPUVxhGIo9gBkvOZj6ujdn7ErWohxAc7JSVsDJ8nBKqVGXMMgecWHyqU5LB9+3CKkE32vMy6fbGVlHhgRI4EofVCiuCn2Opg8txCz7Rh8eU297xotIjfCzhPjaY0CmD0dm/8SVLT9Tt3qQMDzlzolcWg+9o3e4bbjSOzliR+4c4fCGBPxZvBPd4kZ87eo22m6WqtS18tMTD1tq+8nVjpHFyrsyyMZtfv9/QXug0SFhJpUz6izCcl+iiNiQIb+DBi4Oifhr88Ji+Y4iQrj7mPUGzNr/T1x/uSBabv83HPsZUa5+OBrlbvp/Ya2ktIagiyv+JrHmcFMkVGYvFK4idLsREcvteduP7XeWaOXuJZJ5GOPZPDM+8DSxv3eOULH1B25J1/838vaVKZM3ukQkiybYTJWVV2co=,iv:G6bhfqx0go6vbJ2zwXkSbHLt5WdDRwu2o4BsCXw5Rlw=,tag:msCGdlefM3M8lbQWJPcOgA==,type:str]
pyload-extraction-passwords: ENC[AES256_GCM,data:YAIw1GI1vQ8netbOiYx9h/2rrXXgj4Cqq+5/JdINbXx4boo8OyXKPQ0BmtNwwHBR1K+nngxY5aUPh/Ao0P61YSrt,iv:LtfoocZebY6ZtVCjw2jclG2vlwH0pAI9WwiTQJdrqqk=,tag:4ZfjJNUp4jywtEtu52s9dw==,type:str]
#ENC[AES256_GCM,data:AiUvhDGbKiNVf10clEehkHg1iQ==,iv:cHDIZAkbjX5z5dUlyMa+yZfXQrFSROM1MqCeTXkXXTU=,tag:Gzxrmp10mPNLCOvTBCREKA==,type:comment]
#ENC[AES256_GCM,data:A8jpbbNQ3gkulMC1LJu/,iv:Mx7udL0LnsL3X1+u5qiFU04S9FhlcS53L9bnBj7Qxtc=,tag:CRFfUGHZTC0R42GU7RDN1w==,type:comment]
#ENC[AES256_GCM,data:g/i0RZzvmXDSs3kKSXSe,iv:77lW0RzLQXTXFcAr5wYLp7VmZQ8HQ7YQpYMMr3Wgxq4=,tag:3FQwFZW+oxjdP3e3oqR3cg==,type:comment]
cyberghost-auth: ENC[AES256_GCM,data:XfzciqTCL62vyaSYPv/iGohjhjWZ1Q==,iv:/uurkgFWmaGyceXBW9Qa9vPN4uHQ8jVqk1xVBMkOWmA=,tag:rfh55YNFni3ppNzKX5g4Zw==,type:str]
cyberghost-ca: ENC[AES256_GCM,data:hWsS8ceIBPG7yLbJdkbVMTcfTUghPWEJgJPzWyyloU8vdoJTTS1WDl+/f+G3KBWGztc7qX1j5bXfP+kw5w55sjjzJ/QnZayHf7HTAxD10PCCMGr35oQ7mIabk6jimaYUt/DJb9HfIPwG/AYQ4rF0pSgK+aMr43XL0urqPrwq0X9XB5dzLtPzx621DZvs55/41i0ETq/kaxvm5x9+gY+bJ5zsIkpwmaxMJaRReyAP9nNPacJ0ZaV2qw+W1rVkkCCv/A229fDXmlr4W8RkdNiXWpLvb/w02cTdC9105Xaydoh2Al7hz7ZKxPoWNiBp08HGhBHIvJcekZb8QhpNBIsi5hl7TaJKF+4j9Pg2IBwNdxAAMjm4LYzrwRzYUGr/Q787d8LHrwDifuFdXIg6rWOHK80KEMqIAXbBwTFe37i+bIY276uBfvnkvXu7548sg1EIvBCn5CwtQ3IWk+H6o5c5xXIBGW7tvWO67UqVnJVhPdqourMwDlieocuWxrkbTjFddhXVbAHDnwscjySzoY0VoewIdJjQ3h1s2UW8LBNaIjL+oDh/X+ZyfYzQiKZAuepuWvSuJQdh6WDjBHR4Yx5fH65DcV8Zm7C+WzlRsJDrBNu+bDrPt2wwvqFpwjMAFMdHv1Cr7ImkoTOFL1hJh3anm+iPlcLKDAzJ/CofnhIXkm6H4MNiOEbeWpHklUyD+aH8J4ek8g6L3dZUaHa5UpC0q5Tacxi+SxY157+5R+7julvoO0KxG2orxn58EvWUgBOU9p5oR8eGnVzh2/UiYA9mW9Lqa7/xsEyNtqLltKOB+jC9N2Z6S3KgfGRjTXOsajJHgtGC2XVEf9V/zJiUw5T8Yh4jFWXQufYvhiUduH3UEk3iPeRkxOZmMH80v0ey6hBAy8V7cXLeFEcRB+oQSszyTRW6Dme8npYiOqZJwrRmNq5KTHsT8C2QSFLd10x8Lj475Apt930gbcTNL2oMdoXca5WEMTSUZFpszzFhEW8cJs8QaujrDSlJF7bcZ9VGCtSe0/u5AeGscGG00/xBGyJ0IobbBnLtxvp4pWfx8KotQ6VabWPCYwG6T04VkNA9Au9KeW7TJPJC8R9s3uOYP1cCuwjqBOmsRq7JsR3W9iz8IkoDjN+4/PDAuPfYG+0cVAvJRd/aFZ48UX1TZEdbT3q+co8GH1vEdmzjlUODsn4K8HyZpmeSuCFi5Mp88YPzrZ3eKaXizWRNcPOztmUPhVSbazi8JHUoDz0kuMvyb137Tt1U95de2Sv9jI7f92k9D3f6ynXPG5r9/DoeLYM48nK1aTq22tZG1XgMNARhKqH+oDN371yNWOVziMAz5A5eyFbL3SOn50WUPF3d0s5e6fokhzMT541LjbHQ+ZSoBFJy2bMGdwKZEvz6sWGEDcW/lFUibUqPtiwnlQPWBCyRFrtDUfxx8AGrVlsjNofkUaL09eMtZOF7f+tbMQ9vXF3Amis1TEb3+CpWXRUVrEwMfAIx8lZPVTXQvjPd//XCO1LBUvXrTBcwqS5hX2okgIo9hv/otrcNce2JrYwv4JVOoGWAdvbCebaH8JEosS+Q0S4iYk1EFl5je3mOXWc6s+T51Trui0Bt4RKRb0eSdNScRIAvNy47CY9Z+H99jHEj6QtIGZtfAxGQKNS5xvCGqehMDa/Ld0jYYRxsSk+R50Eq2jOnNhs6NZ5W9AVRDTWsmq74e4GdJIIrRWmIdO4RW2VGFdkKMbsghiYL+2Gben+3RdkkGGMTxVQHc3FdKcYM4VgFpXfMyafUCyeL0mgXP66gMwuP6jwFVNVtrCEX4l0RuaqFSplLikEykkX8aACbiGxzcxEIg9L+7s+6mbNdb+nMbDorLB1WJfJmWSI9zc9oIuHuit+a6N6Gw2QQzgMXKmMxNlzjZ2ZGvzOebo0ixOhe1/sdQpvyMMnkKZWoEZ9WUA4WdTSx//wswbBxKdjbP9uoqQFlVqXPq13qb33pC7PzmYOiDF17+kjHwV4dl5lvLOvYI+uYv6eEKhur8WLTeFFEjfwJHKTVvlhBCx6GDmlnWvGQh/tlNN+CChDZHUcAXk/EkLQQbfAk1RzrMNWEi/2D531Xw9O03TWIDqI2WTuDftiC/mm7xPihnh5Yc6GngQeNyqKavL8JPKVHkenhgAA89ykPtlIAW5A4hqAfZTItvSCK6ij+l2sj3fpp+FIvSa6leXw+GdGptfz3+ktN8UxM+r2F+/JKVSIuLlad8Oh6z38tW9AaWalv5GSJmr2GoVHntyIjCgxOIwCROISkvcS7yW/sjV23Xfl35GieysqoXfjvqDqNT9IlY+aNCeJeb7fEn6PVOvqtX7XMectDeqn+p9dwA+YW0iMWipD706C2iFoBEiW9xfzyQ5uxV81/ouBfWKw0i9FQUVrzoGGUbIMzqh+dU7xiQoeaZ9J02Fwgf9rFjCfU3vhrArv/Y/uBU54rN0hiGAwPnB6QqgtiVMH6R17A7z6q92tMVs4OMGNgy+Vr1/UsnQB+RqBmBz3i1AN6RJWAChViR1usqQVmKo1d2F8O6y5rkrydJvcJZ8lxapedrRdPfFcevCcJpGXGd9vceuWG6fovNSKgIqijTeVfSQAJY8CoqJOKjOCEfSVfR/qGk+Xf++c4GpSFiJO0HqiUN0HtzDde42B0JAUzudUwFhvgWWwgN+Naxdc8T8+YIbe3e8gMgwUN3y84Iamc6AXAPzCiJohFtcWdNse3lB2j7obauMvo7CFUrlHdGRzuI484Jwr/8NI4IqV5ElX/760ybLHn+w7iKXFQtv11KKz3OAvp0kloy5DdIj10Z2ZRBL1kqTCxyXyUqUpHrhLd8J9kE+6z8JOa45pTcpreldb4sGbr1nHyQfmi2SjffC3ZMh21Jf9zOWf7S1/w5JWYQkXHBqVsSBKLiewtRAymU5wqFbYEkAuKu5BqVMQbxxgd8iBjIqBCOFnCFSZyGYvskNffQ/kSlPEiJzXv2nYuVg0hYhBzAs+S+hWOFBpXKxzzCB/tTFgppP5/ZvI=,iv:LetwDzkXB6huYJLZtekvwCXBoPOr2BmZZ15Nt5yqKRw=,tag:Qtos9VfWsdc38qZSQr/1/w==,type:str]
cyberghost-cert: ENC[AES256_GCM,data:lgLBEwD4adeGYpzrZF2oGmovMAwBNNYnLl26+YLl6EbtpIblfnTTKtY8cbzty4XmC/x9CHSMqcStNxxKmJN881aTxUhZVwLndeZBRZFy6d8CZK6o/juEomDrbsIYK6DQvZqrCpQK2gYnVRDiSYULVXAwOuccCx3lXmgqqcSVfHRjoW8A5OLUAf2lycdr4E3MksVogk0w8jN9WLCZyiZrBprw8dtiXfJu+GBPAulxL9sxFtNTJCf8sMLkB7MeIQNZpya2RfkJmtFtCy6vGUiGAo97cK41lm+aieUeX7aItj1emNc9206XMhXYa1ERXIU/XLTt1tMIZAeX9b80aJvcXxJV7LyxfNi5j06BwWu+MfIsk8V8zYl0hudX1TZ1thuR72ts6ZnHjlYHudFV/K6my+I5LNqP8swaUd5NXhb5rnL7dOecwKElXxJ7I6X9kZom2xqTU4p3caxpAyqmKrGTfeEUjR7823XWfuC/EP0aH5APU0u+TJgEKIgGN35Fsx6cpdqqWC1NIPRvAxRDrdFBHFP+C1cxQkgfF4rWqSnib5b2uA8DFSU4Sz+bfNKCpP4mi6c3K1u8yNelVHHmisYDemRB+iyUcKW1Ax6hwyi0m0BlfKl2fydaBcgnswX2kivIlm0XVGt59RqyG1vnyy0XRvAPR4p/40L4ZoBWc6DBhh08Yb54snS+shQH5/7NDpZ6YRna6d0yOGDO5rACxkg0teecKOo+5ZUflTAj3vxDwBYxNCwhTf2sS0zEFiT1VinusHDDb34sXcWO3ed9tCM6PAxbqW6Rl10A54g0dD3XXrARV1++NjrFa2WoodVujbHwGtkZYitAAqCIWdS5C7i2VFO+RborZTwfy0UCU7aIU7SLiggeEERSOfP5XKzMD1KUSt3srPsVKbQAtb0tO0PIWFl/1pGYmlkE5hwdVM4CsFsaC1zrgBMAQkV3XvV36RmPl0tp/qGuqB4Xvl96lBKJcnJBeMPnvV2/UWoG2BsJVLVvAD5K3jGE2Qk6FRKpy3yXCCuy/Uqj6JIMK85fjusm6K8qWFul/2CBCIViR0nk4N9UiYUeiJ0U6o4NwE6MzTqsaL1MrjiYjTE3FdOIPxN1lAMjf8mD92PuK4/n613KBe+gAmK5n+H2Oc6MCQ12o1EFXH/9I29zd9tKzq7/IZkcjTPIU3Tu/aJ0Alof+JJCpEmfco8DKYvqhPi9fxO8W9rJosQ7NT2opiilNqI9MtlU+XiYNRzs8PeYz5JN0cAdof5BB+Syx7vKHrdMsNumw8hj5qOgMoYkwsbv5Z9lPlB/Ehm6IVSzhqTjsInWFLd3OFb6zI8sqhSjOxTgI/LO8NwvxfMzSVa+nSKcr8AncX3H4qppfYHrp94OkRkZZY/sgmmAVkRyZgTizek8uCAeEnQIOwV6W52FArZOBNytHBwHcL3l4Q6czSKzz/LJ8KHkirTECO4ambKwMqOg3lkW+/DGjKyI3s1xWzCg3wIyNx7Tk6/Tf+PR2eajdIFt8pazdrxBamKmQ0iyQ1LrSkI3OB31C/ly+oeHZW96+8+5GETxaIDcONFbKgvX1SPp+Fmns5WtdKGO3JoSRiqPqL2CGnwrwA8kHTM6v49mMgBGraw8pzIZYekfYmV2eLh43TJrieIw6UKXiE1Lm/eCEjAq/wvbTE9j5sL+aNMkta8QDvNdgvpKV6bCOFhXf03En1CWgFn9Sg6ZpkbbKvRGrDPbnV61oOWB0DFVzoe+cJ6xS6y/UrPjqHHgsqHOTBFJ9vRfpMpUfyDC8NkvGuiA4RNrCj5qPutv6GqEH2Lykh8uFMY4zWDjzh80TB4Pq19YRljviS6ONLGk4YmDGcK8C4Z+gM0oFGFigHS+Yx2GXi5o3VqwgorNxG+DxF9viVjm3mO2dqoTFYwawKWmMJw8RMxznJtneMQouFYl9bY97cI5qfZTQKI7qEGm8+9oQnC4QqboV3Y1h0zKeXZMj5b1cPfImhtSACvl2UukBtp3RLK7nYVpLZDkMxniWFsH7cTVmbkfMXnGlfjQzNCb6MYW0KoXVRmNrqG4VRmAC3KOxYmR09FNhyodsMP0XFA4hqs3FpOEf3F01VvTvFFV20HcbM0CaVTm0uweSTwHcTvWU+4OL+1qcffrUd2QIDD/VyUGaDRFZzN5bT/ZF9U35eXZD7e65/cNJblQJm0Pv2eN0ZxJ5yujMfValEuSFu+rX5S3PiVOqW73pxsekSIBFlc3y6TOsepik+7/dIaTZzyuOHz/ljDAO6pXpCBSPvH5ErH8DeG2sx0uVRUzryU4o4oKeXscVRv+W8+ztTOFWjlLb6GvG9ZKWo0DtFjtEPOJHGBLiILy1FT+/1dr8vBRlgwi0vAjiyj/wyWAdh2oBM49s73utPWhkty6/WyBQCzF4Uj/JxMjgzGroWgnG9oi0IcJDzumuNc/uN6H1llMdttVSbnOmdWnpdQuoX32QfPEfUNnCMuwoCbA6bUVrBRyAa7XgFT9TKx+1q8Ll9leMefOCUfEu3q04k66XnstCnDbwvCe0S+bYC2ZL+FgDP2STZ1BGHSBlAXYv+8oaTOP3E1J+SW63kjo6AkZ23tozv+5doS10BFqwhEiMB85cWPnC0eJximekIQ/Dfz6SeLfhdD/FtfdQAe6nv7M1HAxc05HK+G0Z0xD+eyEME9WGbrtMuVGu6WYoPrta6n8XA5e0o0KV/sbxO44y9qyXNSh1SWd4nlVyEyKw0g6rZmxhOjH9p1saW4IKnFWVyR98c+nqTB2MRsrd6xs1uAGp+mTUoQKnDjXl7BWfKeoaFExPqoVlNCrk9SU3Lo/Q+E7EX6dH4+L1ovsUQlkubR6KtLmgK38zjv8E1KOYFKY3Un3fdup3cEilgkQpLX8N5u/LAw4wGfW/Q5qMtEQT/DZi8V7N0FS4wdLe8YPp4H6y0zDh+NUtbTPqrSPc/9YskJ8LXmorZwoiMwCa4lks6gXDCR5fzmCRm37pVmxZ9GlXWyDb8U7ZnLbdz0ZVQJKbfYwSLOqB6NdzdV+BiEHnAuZP+2zrCvYBcpU7M0ST/TY2PEEWPfBnrhxue7Ag/NqYk6d3w+6Q+mlDHeDEtUKkHs/ki69HXB/ODTPbAe9RbypyQ9YlewoY8zXjZdOhp0oTTAvF/HsQjwUTQ==,iv:kXQn6HaQbglJXi70xo88BUlS7qRFwiHshmywWGRMw3U=,tag:bleGSWRsu6rwcETv7Au5MA==,type:str]
#ENC[AES256_GCM,data:sHIXwB3Ebuv2B1UqYc/zkpcSyg==,iv:htsZYVCx1nLI+sk2lRGI/W03eWSjg7EqB3LgiTbe7t8=,tag:dqX4wUvsMK7etZumV+m3QQ==,type:comment]
#ENC[AES256_GCM,data:MMecGi8zooPpOkSj28OmAUU2wUqQGM1Jhe2UPxmplrs=,iv:z4GtQGGWALWRrtuCwgsemHumP7uts4kmiTaylLKzGxU=,tag:xwjeqYkP2mTHvbxFzXLb6g==,type:comment]
#ENC[AES256_GCM,data:Y0ve3H6gMxAcnABMhDLcg1FXq9RXvAAwNcy7v0BKAFtz+PWb60pb7bxS9H0i3Xo9J2y0feNlQ4eZ67a/IDNKSbzTEcfA,iv:P1eyOxSBeudZcSAnQpEAYgpE4aKb/viDsgbOFOIbDUk=,tag:1lE/qG+88xPHcg3v4SEVAw==,type:comment]
#ENC[AES256_GCM,data:/D2CEMzfVy4gWxv9opHdI7O1oAXJSpXXUSYq2/38E3W+a3/OeLglEpfX4w78JVxhV1WlEDBGDZuvQQUFPr1l5h9xqrOo,iv:A0Yd2ShQOgZ/78vDjObmxueA9PPTw8+Nwm8K2+jf6ik=,tag:+GqUedPwGlNVniwVNdkzKA==,type:comment]
#ENC[AES256_GCM,data:GzVCQ0TvVhQ7EEHxES2y58zvcuY3gVypGCpBgeZNl8+ibj8403xlm06Th8798VYzSOCDxaNnm4RHBnpAivPdGcbgR0dI,iv:foZ/MByWatS69b3klSomBo70PXQR3LabBGIzoybcLO4=,tag:SCC8f7We47/ZO177VvEmLA==,type:comment]
#ENC[AES256_GCM,data:FUhLossgDjizyKAnGEaIgtSbcfAqbdl43hkIUdt/qzYksfxu9dPoHrX7YyzzQ7imAsvbd7iVLYcsiLB9FKS02c481G1/,iv:koXSyIsAJXiehCCKADuiSFV3MQ76+qXVNMcW+YqX4gs=,tag:wetQdcBt1zroLY4Yxw/LNg==,type:comment]
#ENC[AES256_GCM,data:BJTQxWXfg/odNFnA5K/0zRKLrrJ8t58d4Wk2PHNb3MTl3ORSr8DhcRu68ZrPLxOg65+k6p/IeIEfd1eD24j3Bzv06wCY,iv:GqUYSh+W2QnrpzMuXUkmrR2HQHZ3ToiklaKNLrB4Rdc=,tag:OzN7usqKtja2xwwWxRWjlg==,type:comment]
#ENC[AES256_GCM,data:Ir+nUbAtii7IR707Fehz/QGqb6qpYygEjVlzN/VM1p0r8RIHeH5FZHKu8AOPH/j14aKEg9jAcW7zYzOjdnJ7TPO98aUG,iv:EmQcRqgHgLdNqP/XB+myOI4l96YjoDHsVce31AKhRDI=,tag:E9Ms7vSO7XvTiONqyeDakg==,type:comment]
#ENC[AES256_GCM,data:73yACFLMtDaPGxwCr1CcMBtKypzZ8bRX259ELP4ruzkorUbMQlxYhTg2OLQc0fgohwpM8KGk/E5seImfUPheP90Kvhpb,iv:PXi0+lOxbh5ReUc228VPTzwHm4Kwuwl5E7UVyXgqqHc=,tag:R8ZOg1QN0XnryOUFkBccKA==,type:comment]
#ENC[AES256_GCM,data:O855e5J9a+4Lahv8fpdrlawF8j6rCVXpV6I2gNgC42sjrM5SWdfbXWs8DkNygh8M4+JIEZH9Ib0nQzs2lxYamjjU4X+6,iv:8CIdyE2r74hoUXB3D1CJr8mSSaLW1cpkNrpSyXhyRWQ=,tag:xm0JU5dLC38/9YX20Q873w==,type:comment]
#ENC[AES256_GCM,data:cytsTKtODcVaexEsKJS1X6K2kGAin8l+pxdzEks6FmRj8nMgj/X7k53DlHvH8sKluQXP1HuPfB94N2G2vecDUa0Tftx9,iv:pB9KRIyV6g/lQ+auO14VWsOvHkGz/WX+DZbrE2QqLo8=,tag:JCj5zkr248l45Rue+KKtUw==,type:comment]
#ENC[AES256_GCM,data:BYPOzqAolBtxXdNqqA+kCUiAaqk7u1ZAOm0Vjlv8hfmsMvpcM8biErRV5QUflMcrV09DHrJ+3Mf0RnESr9/+X04nmr/v,iv:ANcSi0sBdaUDXfM7MJat9SLV8H4f83ZIFPHNhc3ACJ0=,tag:T7Gyk0oxeg1eSobbqF7QyQ==,type:comment]
#ENC[AES256_GCM,data:DqA4OIlyGSJteozi5jPvuGjFtnbaUw2LuG8TXNvKkl1qLP3iKP8925DtvW4InKjX1x2957SLRWSaTbUlGohR+hra54lt,iv:NaafFKn0pfknzeJPI2yMmYwtGglKaw8boGu6yRG+eZk=,tag:NrBIOGA2d9Mr23DTBpeYDA==,type:comment]
#ENC[AES256_GCM,data:nxNSMp1w7LZ6mdOmO38xzyqPKKqI8Ib+BgMIVrJ/lKmvY+kuMhkrKi98M6EwzbpnrGV8Up/N5gC6gD3nVpVq814x94R9,iv:Zy08/hF/xGECIjGLta0nOeMvhP6KPivowHphRAlkDNI=,tag:eAl77isC5I9Arr05rg7HPA==,type:comment]
#ENC[AES256_GCM,data:ZTDCukzebTSY76xi40vNrvv+XxFZSj4QfdkPKL5uMeTVCA394s6FjOG2QflscmEsUaLIXqbNaBB4jv2L2qw+7S0EcZpr,iv:0OktweURWm0PGNX6LApOhu7PGf0Tw9499H7RorEjthg=,tag:f6U5Vxk+bnYTksKSqAGdlg==,type:comment]
#ENC[AES256_GCM,data:R/HWi6LbUpWD2WEWB/9G3n8VLpKe+l473pP7Z5kNYjREIbDRUwvsl1sjFUdxN36CqhEgcrTYCNAAjvh6O++i/y/IgNIu,iv:/e/gKFDgDzcIrw/SmSKVrLkhLgDIaR20CT21WsCX+M0=,tag:QZVVyyRBrv6oZncrmQQhmA==,type:comment]
#ENC[AES256_GCM,data:8ykXJbXKMV7VRMig9NYaoC3/Jk3x2dQTjPb5ASF+hflB3hqn+4U4JI9AIwEHem+L9WRlsVi6x2/5S/hfZd7Mjk6kWYUN,iv:g2idJPzft+Pdbv3E73FH9cbCAREJgrLcksjJ9CqauSE=,tag:5MvAm0QQ4lV2rQIy1hakTg==,type:comment]
#ENC[AES256_GCM,data:A6HpTXvMzIW6teDPrAfKj2NtJB2fdp+OX6B5u1rDa+iBBXJF8zb+04yJj9eQc0wqiDe10KbxqQ5IJPAkAPCVQRrdfaWj,iv:k23+0W0QcaAP2O4YZzA6naUfnjNY5MU8WKkH9xK+HZg=,tag:q+kslC0BYhe9WBQxMiuPxA==,type:comment]
#ENC[AES256_GCM,data:5sMRYp9U0YKRQgxM6kFHKP6mXj4UYUncC+XM4TWOCunX9WK0JU+d8y2nz6KZeKg5BcBnGuMrNCF6qJU5b6VtvIvryDxt,iv:ZLJXLhNuKfLVnDgJTy/+wvZEIUlhUL7nNOGuDMBLQuw=,tag:sLy/6r6VeJkWDG1P/OSGWA==,type:comment]
#ENC[AES256_GCM,data:7QUHlFBuFgghNwyaAswAG6oBx37WPmZWTzA8MX2OvdTJYiDJPgqGVQdGLBrTgpLNghTNjwP9GZKtpp92hvCSULpTNBER,iv:NNB2er6VHxWkDU57jf9sXGT50202STT8v1JDLVqpzHs=,tag:vbCb2Ecd6KhAwPYQ+2Y7UQ==,type:comment]
#ENC[AES256_GCM,data:kQPmVuaIG9GKYCkPAr3r6we7vOMymTNH8HnmN02Q7JrEANiKsH9NQQdgPrXsInFyma3970J5/RgiaMRSpIt2j205U7P9,iv:BLKf3GGn4zscC6dWdCbvAEHG645LI77nIlV8q63ePgk=,tag:1CnCkP3330eg0bF+esJsTQ==,type:comment]
#ENC[AES256_GCM,data:yo+kP+PD3OA0YGOhNU0RfKyzr/VbjGH5i5xVyFxJrCtQmaVhaTACfggPVu7OCqOYKBZLXJruBbP+I1u9ivKLFBNV0Cvt,iv:MksSrxf4ja3HsADUbc6Vbdq1m+ZNqM620H/XABnFPwc=,tag:FdBy95bNp4GSccD/1TE7sQ==,type:comment]
#ENC[AES256_GCM,data:GdGtmSqLFD9ph8vCx+cNVGXQQDl/+PtdiFG21Co4BS/mHTl46u63UT8LMNTqCBQJH3AXIPSZiPZIPdreBhXTMAvcsLeV,iv:DR1HdQSmQ4bAAiDiqfou//0eplcH2xLY1oBwVd0IR2M=,tag:WY9t4974U+wETwKvONoZyw==,type:comment]
#ENC[AES256_GCM,data:8T/If88L8TKJnOUncF9j7uLB4lqDIXvuQczogvVkM+K4Ye6U5E64kok1I5X14fN6I8IgPsd3ezTd/WvY6OIeBdpi2aVv,iv:1eKt3j1kP+C2TQe8Y3gqK3N3T+og0Pibf94Tv7+RxT0=,tag:PVSuPIxSys+s9N/KyacyXA==,type:comment]
#ENC[AES256_GCM,data:iUiQkdm0yKxJGnCEAovcF0Afv+eP/NeomRh4KZ7q9v/LOOoVSbcGfu4D+qBSOUujEuM7h5DmYOdVRBge7Q3/xQdBc3Gr,iv:X++jpJpmfnjr4YZfiJdWg4yMlYrLh/OXRhCLAzncFM4=,tag:XgZCvk9QV/PpAy+apqSV9Q==,type:comment]
#ENC[AES256_GCM,data:vKIpSUjoqnJRmXpOYLv/vdQq8eZn44gJj/pIIY009RYFP5FmBEqTrJaJqCme/xIa60cKXwSHpOtAR+SfX5TGfWobL+9d,iv:QFhA1NuzVjE45QdiUvjxq6rmxT+zSN5jhiUxy1lVMwI=,tag:SLUlN7O+rrpmCNfzW7JkIw==,type:comment]
#ENC[AES256_GCM,data:WXYXebZR9+nHRYBHVeOtY3qoeMYDg5laHGn5gLxQHb+AMLYiWRhVRQMQ7hcdhpPBWQgv1Ma1XEyiWzp9bpI0SwhyTlHB,iv:wa51Mk/UllMooZnG+h5xcyOrbCvfRX1md6pMM00KvMg=,tag:WsmW2fO1d+Kphz8+22Tkag==,type:comment]
#ENC[AES256_GCM,data:kBCFML5g24zc9pSd6Ax5tr7PMhqcRndi92jL2+043ayNhiqQ5FGsVoyNiz4zaxsss5tgCwcDiEe7wc9vvYOikcjxoJjY,iv:SokzH35erfVYrr3unLU80rkOwt04ckPN1qOjbxg7n7w=,tag:7akUpbwcNIzyIpa7VGJpEA==,type:comment]
#ENC[AES256_GCM,data:LCzq2TaNLiT0r7w6C5cDPYHND+5jMdXp/u4ymCarj3LEvh/Sye2+Gs5170FzZNQ1at1U9uou73KrDQLERN3gR2n5Iav7,iv:yAzB+3XfI7SdRnlHLB5dFyiAXqyVbtQ2zSh98PkjiTE=,tag:4c3P+CMMJHwTSXp8m5OBQA==,type:comment]
#ENC[AES256_GCM,data:biD9i+suor4XV9dSb/Wgq6YMcHM1p1V2n9Bb6UMUPFXZzT6bn83C4HvskOABycdys2h+9F+lnUn0wVybQMU+oh6xpScH,iv:w6gRANQXH//z9gUuFz8HUuib4xJ5DUyijY+xGU/EV8Q=,tag:cRYHR61Qa5zDFuIxYzW8Ag==,type:comment]
#ENC[AES256_GCM,data:G1mBf1cxIDV5xO2n/fzwbTgy/7+T8EfMO8DhBNBayOJRVRyLVLRtET0Q5T4gsAIFzFubjPuqNCDzFAjAoCZ0iODY/+cb,iv:HcT5ATkDFDMaTT2nY4fVQjg/ywF45mh8GeEM5CHX4jQ=,tag:PR4uJsjrAVhaQCPzCFMSmw==,type:comment]
#ENC[AES256_GCM,data:tFByW7XbFKUb77lrhGpYSpYSoVcpWzLIzkMcgIcRT0vbPDJe0VTUZ7SpArP9p7NaE7+vj8Rn5Gb5zqMDCxMPsAsU3KIR,iv:CL3nF8MyUa0DJ+zHbCqBk5wWJZMQPaV3fVZGPmE5wr8=,tag:pkVXP6yMaXzRjzxsYNKh+Q==,type:comment]
#ENC[AES256_GCM,data:okfYGm0lhVNOq0Ma9Yul4E4jTLhPhcicmeeIl/FtonyEPoFjwiHBpCmWXUg2jpfA3ciluJUlBOrA+RPCOkQh8rcLyRmf,iv:JiTsAOR8GFO/gBt5cJenG7VBJHIavAcWZWfPsmfTGwM=,tag:BCBSRZD0wbBGYLYIDA7j8w==,type:comment]
#ENC[AES256_GCM,data:xLVY1TK4EN9B6JCYV1QdObuggOPSXkh+ZgU7oMtzo+pG96jLxqLOeWey//693hSTILNSdziNRzkeLL9mDM1huVknDSAI,iv:gEK9acp5+jHTwoLsv6ZVuZCZ2h4Mg7c9g3z1CCyvsFk=,tag:NbCI3u8kDtUFkT6tOGZxRA==,type:comment]
#ENC[AES256_GCM,data:uUFbL/FfBpNtZd+u+LbNSRbV/Pjldin4Fr/+igIXj7SuJsz/tUh0qmmw1vE9dZ/Uc/bUYtV21McE9uV/KUA0jj4+Sx8t,iv:YCQhIeNltodLtLkcmwdRJZ+treQfA8UhD46v7VSrAlI=,tag:AnLEzJjOg/xqqE81kUXPYg==,type:comment]
#ENC[AES256_GCM,data:C1VoFYugfCoOv/OesA78VtVNOGSL8/sSu/SxyWCZL1oq7OBJlj9OZazlts8CusO0vrf8TMQAg+IYfGGEgwhgPOQ698VC,iv:MjBnT5Y/6zoLMBxo2pZMi5XwLpxGZDcjNtp7FVrLq7E=,tag:WhT9z9U+YaRNcC4sSDrKEg==,type:comment]
#ENC[AES256_GCM,data:25QquCUZwdPa9KlED8cjp8TqdLCQ4sY+9vaeBc4IaeF5Go79BTNECQ7S4A6ijdQUzKCktqbpliNvgik4GWXlQDq6yAwt,iv:Pp32KfaXWwapjPZRltEX3IQO7PJMOXkn6zQ3VLuA/oQ=,tag:sg6aMGkI6InEdLQ5Ie/bjg==,type:comment]
#ENC[AES256_GCM,data:JgEsketsuFAIgLSOKfX51A+s7YM5S5cilZLll2c8umfubBor6g==,iv:i96glV73Pu0E4govH72dC7kInvAr/22wZ99bPQZCyOY=,tag:dhJFczdKDOGXRX2AcidbVA==,type:comment]
#ENC[AES256_GCM,data:Cuz2T/ZHmG6czj01mYSkseNjHHVzkc7nCRziFl3J,iv:s4z2J7quVzo+34nymk2hUxwQ36VONnfOxOTmUFnjnKw=,tag:O2DvKSEPABZQuEWFUXI80A==,type:comment]
cyberghost-key: ENC[AES256_GCM,data:hY2NnD+SubQ5/+IgwSFnrk7pgLPW/M5pm1euSfdaT7jT8BnYo/KzXc3AgRGXCAhPHDBeM+CE6ClT6T5aeslNaiezyJBXBbIPCcN2g0MQHB2dv26LKUnNfIX14/+BPTdwkNMiIKnw80P82dZjic3WHmtHW5MRMrAxtJW/q7JiAJid14G+J2nnJeqNUzD9ZxPLSFgIFcD8ysZ6zaLc1jdL8gWCxQipbULmPKqf82mrvdutWweJBhQzL/JazbUD24+Aq5NQGip/aB8huBZA00e6c96JduIxV+N7SYRbJrQu9ay1dMfi9mNTetJc/RBZFTWGnoPy1FhqnH/wMMvirGekzSoAIZPnFYCnQ1yrQE+hPtpkTqq1tdli5aet1xitj6RsgIOxRG6rkejpeLqBNUtWY8ClElf1qQut+T7eyPHEnTba7/rYW8X9jFwZeI1+YipmBqmdZZeqaOLcu4qNrXHDYZr+2nNXQ7MKNgsfhAf+r9jfmHzSJJDEkxCuKiYRpUfJqJLSsUeVDqMkZ+1grcM5uxnev8RU5I2aTTUSUFgNdLKfHTCpFiPtcKDLSwPcaEKPkP2pOTe+B/Xf4z+JpuiW+Yw4cWBRTgxUYdlnEKeO5M14YHS9asTfJ18wJ7uxrDwMkQEWk+TmLqjNhfng6QW3fehuaYWDbHmMjHyXMn0cC78SKMLIE7Yusy2eKeqRUbn1I3ud2c6S+7U1HK7PoWIwDXFvcrDj12DPqRvGlndE6t1gD770g1qkDf5RYNoodrXODxQOdBiycu4sTXGc/Ncz2G9P9b9pK0PNF9TRg0wvDFY4mHKj+lyiNgsjgEyXJSIY8yRYV3RlTD9S/lFK3d/3ujLMZBupI4o63T3exN6Pz/F0/bEoCjHFmHn4MN1na6CIUsibKlTXfQl6Oxk9xGop4rcg4Nfygan33VSBwO2O/MEnQ5sePtsivx0SE1bR9edYhI8HyF5XrAUBEffL4qOTTpiqui+112IzSwN/uHK2RGZYB1rgLpGQKPgdkghcDz/rbQ8AqPxkqvQSgjZ0B7ZsRMVjOXHSc0WCdmEl2AkZblULrd6soujVhPTlTIRvo9NRcpmQliQRrd6Q2Oj4nrItJzSgIvMeABUH9Vz74KE6gwBwhuFOuQaSLEgT1kUobuswGWQuUkV8oGFbdCnlzIHmvlYIpQG950y+82a4fA5AJvefyCtT0XdHqvaQK/xHSv0n/MdHTUlRbxcsL5Z3aIZQ3FnHKAeouLbPZpaXIKLcc4fahMxeIZqPV/cX6KnETKbj2m8rb02izrduuZWbdZqQ7qqwMzrUFS8WROcum7LpGnKIo9570JNUxRrBDyVb97RKsmShjtdd0H8U+FSxlZnM4OASR+Cx3BncI8KIqMDkvqdwgICuMEjENMG1fe6E/S3Tz3zi0BlJZrQfQJ0oxKlKXDBb9NCsoyBmWaWvp/WhRUV8vSFOiaCK+J0esonULXQQnA/tsKAhP7DmmdgSvc66+IQl70ArIAFS9b+rIZCAK5ObH7P6PjxNt6bLu4MQajvcAI/LUuflcka3YUPRwpCWH4zoIckwSgLAGUVx1Pv7f+shmZDveShG+bOx1mj8g9hwrCkTJHoT3szSsCtNkwQ4cn+PUPbqlLS2kjZaiLFUhP+sSH4dvt1Co6VEfdWkNCCVWxADzSP35mSnY0J91oV7QatGSl2/kWEaZ85Fo1EgVpyUWD0d2FdsWqrDI4L+INFGgWSMzcomu5BVbn/XExCBZA4XG6/CW/dBIGucdYtHLTAGkhuJ1FrzlNGj8dCu7bGsls/tMv4K6WGgefXlRIJiW1/7ad5yRPjKdY8EA3S7/JGNhEqQJXyUETcM0sDmQ6eVJTMm6JoxFfUzpqTskEuF1OrQU7al/QL5swXykqIyypJeEmaLbRborE/jfR3X7x52CYjDLofcRyVfwec76tFvg0uOEE6c7L1eq/6MYQNv8RZ7QTjFphjHVzs3zMEsd/SNivzOq5fTKzUu1Ji0+9rpbcs3Mz0psXDjmRbrK2gO5orG9VQur1+9ZvUNFVFZiNVkmynRyFqMdoQsZ5nXXsfzGifoW//F1tnXZIDx+pLWsCwg9639aRpIAMNANsmMJgzEJUAbBtVDDJp4Kl70bTJsSEOhZB0NSHcayfOSpMEKU/DTri3b5JtxRD8pQSMoxJRbFbTXBIYrp3XbJhDiOiYcW8aFyIGrlED8hMjVF1IL0lQwfpBY658/SHdf2mguL9+aclv5YcOdLmyc8vNC1ur0VSI58Y1+eNjER4iYsx4J7ez9znQuQ1pZVyni5TN4uEgkcbD922aC85TnCxdDS+vltXe3I+z/RZyJMWO/4EfQZ3Bw+CrHQJ/y80ZYan9x0nARDIwFfBTl5UyalGMhU8lGjxznn9blfmx2Mn6LgE0y296A8GNL6Re4QiMf5RkCXY+5OzUDiVbpvyiGCr930EaP0zTi85PE3aN06lvuwPoD9/LzQtl/AjaMGnER9whicj0i3NGlmHOQ7vECqGe/YkFexNi5m+9mJg6reWzU4RtOhfztr08JZMIXwSxMu5jYPOJUxLn9Ui7BIQr3CsdVV0zYkY6XiRXNQ5HYDtbHPh8MY2QTKkmkVQmr0MSIrjCnmiIEyl5U/BvaUtBNTPrE8vKMBOm99EGFPZgt7Nr1k7d4khpyeNEFvMk1Y6rzRr6J2HdE/iD65URYQrxZMU/FxXyS0sjcXfifpc6pGYkb3naW9Q4zKJt8Ipw8tDLBIsHFux+dJn0IKdpJ8b9f+ftGqUOLicC1Gp35cn9fbGhpQ/Z+bdJkQlCOTVivAEVWiL5Tm7FX6eYe9Ad84dezy7sRKG0FAZpdbiCrpJGtsZ6q8zJBUspT0y4kXbIwtkk4N7kOkIOwR6ZotRiLQKx/LMO4gQGCMWxY1NzrbX7ny4N0KbGDJXPnnGwllSKv+4j/tjjWLKAI8AXlq/Yriq4NOiBt1Yw1nDDd/meI5v77hNJL5rRQYN3qRSolnwu7E5qbfjb+kPME5b1ZvTCmVIBO9zdHDvLlrJkKF+i7U7+0+dVJztMmuAWNaT3iXN0Hgi3HfIlm4Tb5bj8FOhTx6hiQoAOj1HrdUG8HATC9DPV30JDBqAs+U0s10x1bJZtlDCzl5zGkw1zxtYLg6K9cVO4QEp8PSaxp3t1x57LrtUMimYL5o508RMgSMp+jRtv6yX7tP61qP/IDuH2dvNtYaUOKKLAqYIbfWsqe5nrZn1YYuxWPxHfV5D9joSMHFAyYwkOjc6GNefMRyg4Dv/vYeieaYfILrMauoNfEp6YXsHjxvl14qwOt+dhML3iRY46QLO/1xNWeRUUfmD01dRyJBGfDq4hBiSXJCZh1a323uoZVUqgMrwwX3qiNNVc3KjSJgosf2BIQA+Q0WdKI45ejIyhl7dayVILyCy3eI+5RcByjwiMH1BRb3Y+Y94bQcxE5avyv/kCaW+1gA5kbqCz3+SueTh0T1x4q9IdHVhMK9ipmlkaf70eH3zUK0DipNjoT0PA/xR2mvKITW+ZrVPV3ZVua1ZShvgmOkwOAsLEe3H4BKiPKipRANuws3mEzLnnDeL/DiZFnCM9eeunBEHxELs/+qLQmesDxcsLSxI7+9i9Bz5gL8jnGxSXCoB7uhQFZtFq+W891GWZFrW9FL9dqRFlyaxrjePEqyAL75+6RHTEnkPSZmA+Xb/TMK3FSl13/WFFnibPj9feG0Yrfe3cCud0u6WWyyaGJZFE8YxzRAHn5v6pjWO+D1r27A0klIorvUE8vEkJZS/RbnkQubPvAvKuPN20WpQYlYMNJeQztQ18+HuW3gaDiVFTHFJu0QCy6+k+Ht4Z3ADJBxmRGAeMmgAkOEyFcU4OP2I3X77qk7M0YIFD16+KQjXtmH4pT7/msurjSO68TttUdh8Z9HIQra9QbiJz383obCDEQPjMG51hnVaPlKN/DOV/gxVmJdaulAHCMMpYAMU6jUZN2krGh5zAJLdSR750teawXluCulYtzjtrLUauUN9c4dV/70HVHJZKZZSOdFHyh8bjJFrm7eLcscnv7QFjjDad5+VzgIh6PqYnWYFXUJxwqJ6uj8lg4MeJdwoJCFQEjvEQS82E8WFXwzlR/M1ts3d7M6z7B/cWQ/DeXTLuZmdd6DB43pHYSZ+z7ANzjssTdIuYA8q234w/AIt5+iG1Gb6ttVN8rc3dMhfpG92x2/3JEUyj/m/HBhpHjlOYAn8M74L5NNl25EpCCDSaaMCxP8X9M0MJANGD3ZUheWjrxcB/b9MeoZL+NNKr8hlyRNUQd/Y28wvubF0+HLC+nXhghqIk5DC23XzRmdiBbmrsAM1u7KRsGCOM4EdYRZXSxcIdAcW2DVCRHiMdP,iv:izyclzkGY+/IFS9WyTO0O+1/puRnHdpJ0zQ22Y/R8hM=,tag:Dc8IKjbf294dKCN5TGERQg==,type:str]
#ENC[AES256_GCM,data:u0XjrBhByODbAIY3rw8sxevg,iv:vH1W0C/u58itloVKJ1XZ7WqShTeUzoSR0s8zMkkSRDw=,tag:I79fNiLpYV8A70ax5ekddg==,type:comment]
#ENC[AES256_GCM,data:YLneC0aKJCSIHgYNB1/SgSnLgC4hEjkNIlrNdwYB1Q0=,iv:SN9TkvmNsX5ntncd6M25TvybPCwKPi3+6snUE/eeO1U=,tag:bUVrZ+xXxfC8vwkbt2HTQQ==,type:comment]
#ENC[AES256_GCM,data:NNKAoCsyk4MLx6Wk1pBJqgmih0SWjOa5wmBMVLBcK4t9IpsP5rq+03eUT7bLCLoHQHKlDEAdrfbFkNvkFYjtz7eK69Sv,iv:60yZR8iVpq3iB85YFpy8Lp70O2o3hQNlUQH7CKqF63o=,tag:dTBxRSyFYS6q+iM5Zo2KbQ==,type:comment]
#ENC[AES256_GCM,data:Di/aKcBppy1l2om1LE02QZJcZlc7B9QD3LUJpnXfIVVcLbc1UdhzgX7DoxhgNMuJ1O2xoglTkCTuClCtmup6aMkoF/ZY,iv:c6XcEsKj847k6O0fTQu87vPHgMwHn7ZUzZEnhdLJunI=,tag:WcnM3WvcauwCQXvSOnoS9A==,type:comment]
#ENC[AES256_GCM,data:3EgUhcXCon9P+0kCbflSWoLA+U8ku9765GJS9TQDTkOlsK2GjlPCfix8/D/z7y2uNdtNdAOonQz2veKqsImG9Cmy1V5+,iv:q35S/ksqCnFJEKdQJMoFFqCuPy/YE1WlXVtYOPy92ws=,tag:RaW9PjNQk6s2+rW4O++/bw==,type:comment]
#ENC[AES256_GCM,data:zoWAthL0gnzRVzWqpgtBlpzcF2q4/UIIuXRIsuEYwt3FYwlvSmasuRa/tNDEJ60gYqN0pho5Tey03S7Iq99+HZ+x61f9,iv:UvmuuTsA5AP/3xmWK165uFHxbFpSOR6C/Azg1/2jS6I=,tag:DBaK/lB8Kw+WslTyfnmuIw==,type:comment]
#ENC[AES256_GCM,data:qjh0lLOirgkI6cMeCPW95G9H0fSHN92ImXA41S1dmEAgs/dxVKslIDP9PsDUMjLmPRmCfvI/26NKidV9U4AB9bYG1gya,iv:zgZEpFRXDihvfxtmz4qywZhsvVvehk8HBZQNcNNbpPY=,tag:+QfUTQTMggVRBIek6f2sAg==,type:comment]
#ENC[AES256_GCM,data:yrKGYOat9F3vqIvMwd+DwgDcNtgwG0ufB3wc/+Vfq9TgkiCu+k5niEN+ZJlpRru9ie2yAFpSS9WewrWKRgL34GlOoomO,iv:XWGKWApPptltsTeg5Ycfxwv3qmCZukatUkpn9eGS2/0=,tag:HDRo8/HaCEgU8CYYvZ64WQ==,type:comment]
#ENC[AES256_GCM,data:G632NRFgypp9mATV4jTolGVjEUkDE1K7x3F1hJJWLSpYWgkk5gp4JjWOs8ev/N0HZ3bPhJlbKyGPPVcxhnLwVxWGkSKe,iv:FyyvYK52YL/lbojDc/Jr1OB9pRKfoHnAUPoMRgLeAIU=,tag:8rGQeXqfDcF7+FYps0EDjA==,type:comment]
#ENC[AES256_GCM,data:CGCk3s/QNlA6dbOT6CMsbIQP3yF0SAvnb4tQ+HKmo1XnkENx77jG8zRwO61uP6IVOKB0vMeN+1C5e+xRdf4k3lpQGDxz,iv:6pUd7vb4Mb8KIFTBJcwRNhYO1KiFXIODfvzynNIa6TM=,tag:BME0UKST5xH4MTawyfXpHg==,type:comment]
#ENC[AES256_GCM,data:Kq/lvJYUM27F900bgRZ2RYRKkTZA8VgJTCI1+Vl8yI7E10CQhk6lH5NTNPDYqxWWIl+jpihAlR6To1R2Z3U43q3lRaE4,iv:6zaJJnnbQg0deodTq9rx3eEz7PH0GdZScIKlT+0nimM=,tag:2KhMAolLYAcqhdC/tRFqXQ==,type:comment]
#ENC[AES256_GCM,data:hMoad5zwcWe4dq/86HIbq55exoVNbll7BjkuVTQdNJFbGxGG7KbxrndRE0HUTLEIYVNYwEQGb33mljamy9WZF29KhviD,iv:pDt+YIpGc36a9G24yJOT6MzJ5ggvuooVDJyoZw73ElI=,tag:g67gRvlPRDVaTrwU+BaqBQ==,type:comment]
#ENC[AES256_GCM,data:zkL3UAYHY+0CQlQKn2qxSWlpEk1Y4rJRA/hseFhXO+oHHGJqtP6Z9dkaee129aiEu4ZKKXYlDNtpzsNBZNavNcYvMBpD,iv:FlFEgJiMAdo9s4/KdLjLaifXa8t2nJ+ugdly+IZJpyM=,tag:RIZCVZSzB8msjZ3CiZnRoA==,type:comment]
#ENC[AES256_GCM,data:aSeuVQyxpo6JsczVW78z3Fj3UKwR3RnSOGH/6xu9ZzA96NUknm/d65oa3Z5TpVqiVOf6OVYvkVh0LmJV4mrfPm9dlxMV,iv:dclSy2ZegvPUIcVVUK4BTg3628hMz3elh39oAYPbSXY=,tag:W2bZGtAKTJihqL+2YtOoyQ==,type:comment]
#ENC[AES256_GCM,data:U3QlhauSgyTeo8Ab+l8D5O30lvlAk3kzqhEx/dCpvjReT4z60/wPVzPp5da8D2VLMEk3/H59zkqhlFwxTBqjJ/XR5Dm9,iv:eg/qixxp5i7S3gw7Ub+WSqXe6tCpWccsKd5zmoXrK6g=,tag:CPr0o3vBdSXqX8yD+JA08A==,type:comment]
#ENC[AES256_GCM,data:IsFocr818QLO5ut7IUrvLvtvB9rzSFk+AiBlJlhSbecpvVL5s/hu8jrvcGnH42ja4diqZspoNiBUJdo7L/H1s4PSc8g5,iv:X52W07jiX9EllpXXHDMq7f29gBddJFhSS/dCIx5e35I=,tag:KcarpmPBpzNgeIKooBdRjQ==,type:comment]
#ENC[AES256_GCM,data:KZGze8BTXPtvSx7ILLdTAvuyqsR+X5S3LEybznpGj4eUufVPZEcIVYB6VRL4AQVeHD/LSozcecOajQYtUASPKeuDM7ar,iv:fTvESlbXvHHkI7blRULmlxQJTOe5uGCXvR6a8WsMCf4=,tag:m12Oj7OWKEmzwn+c/2lDgw==,type:comment]
#ENC[AES256_GCM,data:47tQXJXNbsN/nHJnRhktiH8opVBneNDnhnHP1KaPbSH1GnBamNU9DNuDjWVfUVZUaFkkOuKbu/UKnMMSehTWntl9unvs,iv:gDw2ozica309CIDC9/AifkwL/YDwpImHFebk9QLGqUk=,tag:GzhqjpAPLAc2YSrAo1310w==,type:comment]
#ENC[AES256_GCM,data:1V/vciDyiw8+MleW+ULAxXfRk+S84ZSSgSohxqMgZfApuI70S4opJbo7VEGX/WxaDe7jj7Hwjt9O4p6xyBu7ijfgWBy7,iv:s6Ozm7ek9L+SH4Nc68ubYXUwe1EqeursZGQyxSJHi44=,tag:mIu9vK19sh8M/kl72IcOUw==,type:comment]
#ENC[AES256_GCM,data:jqyJ79BdcRNj8XUcZlNq394bwRLglCc379RVQzspNQO2dvtzb/pF/hhMALxGYVmElFX59sdUKKy7+socscnMMWrnXf5A,iv:nPZmTR9VJYqej2Oua3R6Ta48WlQfHDJunh9zqSEwqco=,tag:RqmgdKzIVSH1KpspXg04Kg==,type:comment]
#ENC[AES256_GCM,data:zyFx0m4ZufrzDRhA9NMa6cLU5r8mju1JE4I2/NRDw5PGPz327TJ3rrSUOjunU+CxA9Sy/Xb3nMlQjcjvGHZJsSEG7DHk,iv:x/inJ//qRL8noOFMMG3R0U0N7MF0EzyIHNNf1NYevyY=,tag:BaMom2wr09zrRJMeaTVMfg==,type:comment]
#ENC[AES256_GCM,data:JMKZktB4ryZ2Y1fLpQCowkAgD81DM3b9qoDJqpociIsRXvsaIOb0+Jtzm5s+FGwsoz6x1j+om1bJ4H4jxRVrnu0Ag1UI,iv:h8zH+zpqmIlmQef8y3QY6ID1oxY+7qtTLgk8yWf1Mfc=,tag:Nh/jYF7rypESthdG+itASQ==,type:comment]
#ENC[AES256_GCM,data:nc/f7QUaJeBW74P6SiYAtPz56tdcPDzs4x2b1P9c7tCdN7AqKPfh4ZcCSPfIDl+Esuh81eMKZXppgC69ugM0Eq7hlkAK,iv:9PEZkgkQi0Z1OTM2GR6YaTXillOCb/l5qZS8btuamSM=,tag:LxaiPjq15NMiEPdEM3kwuw==,type:comment]
#ENC[AES256_GCM,data:Cb+vpJV+PFsIut0NBvn5UjFpDE0wFfKFSCOg5OtpnUhzME3eFKHTWQY4OYHYjhKwhlZpOpARhbvoNYfEJvoUtPSnvwPe,iv:Mr8c+TP4YABP4hiDoS4y0lHq1xUm+b6MzS782bbCAYM=,tag:Q6/mYYpcokafX02kwL+o8Q==,type:comment]
#ENC[AES256_GCM,data:FBKMZPaleAPrxX1ncpdTP4/fYS0J/Ac3J03iKtYZvsFxZJiNUhaYStUVu6stzsEL1eCuCBuoe/aZ0YKx1d97IKfUnc+T,iv:eDWe5W1LN96YlfcrInFjg+zlAw8RDfXfIzM+4pdNlfE=,tag:LTrc29LOcb7/Oqcok4siEw==,type:comment]
#ENC[AES256_GCM,data:BoTcxe4+NC5A6K9ozueJ3YS9n7BAn+kzwjuOnsAUght+nAM7lLfn8xDkujfIdLqwYGKB5d4XriVusMQeN3uZfqjikCtW,iv:hye5bTzhSdd016DX4hOMFGvt0bRteQRutNaO6GzzrsI=,tag:SN9tuYEADZzdpy28+FVPYQ==,type:comment]
#ENC[AES256_GCM,data:QioUKc3QYeBrcwjshyAEFtqeclXygWKp9gPiUAKKoVTe4fu84WtPYhSt/HLGSda6oWyMXCQ5NqUBMWi9HK4QKvJ61tSA,iv:zv719W+PB6PsDgyHhfuaPjliIWqd62cWglUJLkGDcKQ=,tag:GNwzSqvufaNuEUUUu4t7bQ==,type:comment]
#ENC[AES256_GCM,data:LvU8yxoFojdTTgpXH8KkLcRMMOC1b9l5EstrjRvnjqLTAJo6vI1G+SCQ0O4PQyuH9XDfjD3SfQcLtK69PYiDPDDppqmn,iv:hRfvkWxw+bAIZMxXhYteFk0B873Sam86+/hMNrCqS5c=,tag:5WFIXiUkRCbfdIl5gs+VIA==,type:comment]
#ENC[AES256_GCM,data:uiCDpAX4I7tXVryvhnMOUlkJIeLCYSkORAkPDDRQ4ZKXgu1nxHhVoGFGYHFA2wsBGkULdst33ttTSYeApZJMDYgLX+rj,iv:sTr0YXbJx5jBDFwQ4hRnT/AQPzWq3ukxRWjg3aHYjFg=,tag:e6jsm2Le7R3EdLVzZW58RQ==,type:comment]
#ENC[AES256_GCM,data:YZrREVMOKkrVafgV1e4l2zf6c3b24uJ4B4uvP+Ho6AFxs3xdxjmzGmTktPDfEzETEFvOA1G1cOu8KR7BJVV7Rns/l740,iv:IzSo8Y5jI6u1ApKPGwRj+Y35qyChQ4Rm2UCUOmMT5r0=,tag:raCeJx4FkUC0lw2h7JlPiA==,type:comment]
#ENC[AES256_GCM,data:ojDgdzToEgTRhPajQKiVmXL0OCVviv70gBaTcJQi7KeB2k3h976yIzt8Y1eTliU7r5yVcUXiCuWUQBOZmmqvEbe8rQ5u,iv:u3GctKl/40idqour5hd7JJarypZC57/EJaKG+xgW6Rc=,tag:JfY1wZdrm6aNpcGOikTimA==,type:comment]
#ENC[AES256_GCM,data:rUbCaEZYE/MlF+ZvVoX0NfDWh5CgwWVt/kchfC0aAbn4jgEcYB7aOYXr10roqCcL1IIzE9fqboeR4uIoSc+kQ5NPGKIL,iv:p44nuigZwKF6WJ915hSeMvEeV6hOBvGs3GYJMWZcums=,tag:jbNQ+QhXPMdY7EkA7v8iBw==,type:comment]
#ENC[AES256_GCM,data:XUqPWj3OiBZMj8uCPbCX9mzpbiBFrHqspYzdW4pKzW7mYS/ZYDRla1i3ZW2Zi44KMRNwptgvkMXwE1C5e281fcn6Xyqc,iv:SneTuyiok1WPnTUfCVZa3lZfmf0ty+vjyt5gFnJGoTU=,tag:sSXbjIVdx5Pn63K3BLdinQ==,type:comment]
#ENC[AES256_GCM,data:ESizsRC4W2jae5CxXSNt5yiusq6+NEID/D5vOxiPtQxCXpk8jh1ka1TI8/SoQTBJkuXAIGQ1N0Ej4EUBTDy7A1h0TjKA,iv:pHz5ShHtJqylzOeUG4fmLzPP9Heb/mbLoFB1QrF9qsc=,tag:DKObC3vienXDccxaR79TLQ==,type:comment]
#ENC[AES256_GCM,data:AFQKW4cH1xL4udZlyQayPbv8Xb8pn/aMzwlL/+R6fiLMPM2dI+/9747mMAsK3bPStxSNcWuVsGTuV6yzFdWAS8Bl1SWq,iv:chk28nzEUk+pYFUJ/n5A5M4EaIjnQySkV54Gx1lnTfo=,tag:V7BtvEdz+1vZ/3VOzjRE/Q==,type:comment]
#ENC[AES256_GCM,data:5fp8AZxaS5BEhhQruSnvGUA52jDHi2NJd273ygHosJX5sK8OwdCx545CZ8DTvVC3w9gXaYMdPCQse6er1YOoSytx125E,iv:z4QwgjWjylEuMrSZbVsONOmX8pjboI3DqJ6MuxZBZwE=,tag:ZUXdUcJkavc8ucLoCuQkfw==,type:comment]
#ENC[AES256_GCM,data:Q8iG/NBsnYSHCPpsY+1EzvBBS4p+IBEi2XrO30HFH7nyGajNLVAUQ+8RLluBDkusEmNL7Lpo/ryduUDD3eIJ+FJ4LD8u,iv:sqkdLHQDK8OqNSTiTeyAvJH1KUoBlbu91+ddp13Bsbs=,tag:TNhNTnOm6vnD+wEz+ihZ4Q==,type:comment]
#ENC[AES256_GCM,data:u2BhbD8zppsei1S3m4NVhgGTmoIV58LuQDIjUhocIixeEuXB7FzQrS5bNOhTgtMiQQR+Qizt12wsPdD703aQvFoWTHWL,iv:mBkK8OjFFqL8vD/FeNr9vTVVs4AvyA8lt4xKRMwDVeY=,tag:hWJtGcx0dFco9tyu2VSrbw==,type:comment]
#ENC[AES256_GCM,data:KPDDIhmcZ9WJGSKh14a7/ev9fzg/+CoPjs1454xRDyoEIpFcH0WCXaam4IFyi1uFajkQkZcMuQeRqGO9uGATHLedVFJ6,iv:5HhUNzs9RTrMyv5fHSFM/vC+ejYWwdl7qMgmgFtyhYs=,tag:210fYB+i77sfz+X2/+9/cA==,type:comment]
#ENC[AES256_GCM,data:6j2Rwrex6R7oFgUnCGE1aGQW34RYiHyAmZmUIgmgUFv7c7d5XGnV+f7jouX33gzasMTt6EElZLeWKJ79HcoFtPTkWxRE,iv:3wTU8N2Luyw8m9sXRXpYj6c8rfY9VxgbD7h6ISzJMo8=,tag:AQ1mxk/zV3y7k0+bVdGbcA==,type:comment]
#ENC[AES256_GCM,data:LKaWXyxJEmFrbQ/ITxAuQBMvmbow3bPD1i1O4beg6sKo8A1XHvLIJd/5sUgB1KGWdUbwHFxT+WECnvfizHl9Rxi3Xapu,iv:kvj1965+madvaAA52d15170ef4sNnS3MyQkY3WpCQFo=,tag:C7NL952CqPnfpGhbBsFxww==,type:comment]
#ENC[AES256_GCM,data:j6r7Yto6EknUEKR/Fh2dZBBWH9APlXyBuue60JeMQ1PtXm8ha7mzRj25T6kKP9RVG0VMgFD3v8qfb7z52mdaLND28cjp,iv:gN910mK/iZBlf9Vev9Ld8y36XWrhU4tlLKNnyoDJiTs=,tag:auAdVxU1sK5NUMAnzeUUcw==,type:comment]
#ENC[AES256_GCM,data:McfSlBLpe0kvmRu8Pg4N+8jy0m2gMw6s4bsXKzvG9GvtDHiQkUxh2hv05gq0AjJyHYzl5OVY3a4A+N2JIdaqBV3cVE75,iv:CIEHXB6UaiL9QWbX1aZcFlJq1VrXbT7ebsn0Md8D/Mw=,tag:yYRkB9NmvpVPLlv5avCTYA==,type:comment]
#ENC[AES256_GCM,data:TNEd3ACXMnT+9KCoaMECEIrGppL1UTu72DxbnnxnG7EwQsIxtQ58diLIZGpSKguWjRBQQhoUoJvE53isKFHy0SodoEPf,iv:DoxyAmnhn31Mzg6l5ZMLcAwzQQm2dUnOp1zaEmjcOb0=,tag:rEODR5e+0HQq/DyDo59T1g==,type:comment]
#ENC[AES256_GCM,data:iJjY12EireQuj7jBOLgsjw9sLrw8iA2QF3KcKjjVDiv/4kIyPWfL7iWNpkqZ/7lOvp3svYmkLixoBeynU3QYEP9ZO0oc,iv:rz6lJzmErOg2acisHOei7NKVwTy2WEY+V0xSfb7KNyg=,tag:VJz+X+i04+cU8s8zgog/Tg==,type:comment]
#ENC[AES256_GCM,data:wzJggZAB8CGxWfrVSUjrD+rQdo7GYTh2/Qy1EzMXwJB2PNzmmnMMRg1eHawsnUXZDyYq+SFhNcs92drYoTJDpYTLbrmF,iv:3xnt3iISR0Dqqqde6BttnHtFzo07gIBQK1va0l7gyLI=,tag:L2fY8hY23cdYRu5fbjkz+Q==,type:comment]
#ENC[AES256_GCM,data:Ra3+7MNyv5eIyNUoyvyk1diD9F2ezD7+38hcMUkwFfEG0LrNZyAYMYdRZbJsRcnWBRU8+TXtbYNyf8XTbQYbP+vBfGiV,iv:Vk/ashcQdIwglcrwCFki47NoDI+PBKhuumZTzEubbv4=,tag:hWkMU+MHfRb0hvsuA8gp2Q==,type:comment]
#ENC[AES256_GCM,data:hBo3XPiw2wTnFf6iiInD995LCth4MoCrDE5Bz+SsagYFG5muh2V+4OSTTDXUCwudIYp508lX4Q4vJ9D+zTtxD12jBUpX,iv:I3z4AcG2ZrSFB9+2+LScLpkGCkQqO2ry7LubiDnRGWc=,tag:XhUrRAlHnwAEfzHvGWZ/dg==,type:comment]
#ENC[AES256_GCM,data:F5jxqXP/rcu6FlZuUV2iuXx2RLXeb6vmwwQ9xGAELts+Bphair6MLLDhGuF9nSz2L4oAXYYs+WVJ4e1ITqhMS62u6MFz,iv:+UTbP1qm4FqsArUNC3+mJkzMfFZt1UrfQMSAzjDBYS8=,tag:izynW2aZn7thVPJCVl3kcg==,type:comment]
#ENC[AES256_GCM,data:h7lHLsEpm0AE77oa/59vC4+F8RIkSMRuTxJxj5wMvElcK2qFkPQsmo6laenKgObOOQU/a7vE8symMw3LI+ZyIsjejDPv,iv:LTt+33tebAQmWX1Mt0WSoj4qZXvclx+Uz11e0jpNP+0=,tag:4kPgwgzDJlSS6n7eCxUWjg==,type:comment]
#ENC[AES256_GCM,data:ONtwydPbpb8YmmN+xESRaKH1suOUpGUISZU6A2Yf2S3yg1pbo2eD+Gd0td0HX9WAdbfkVa5JhDxQidssbo/2cXLZnxyg,iv:7rwWnXj/8Ei26DjxGJPxy3BgEiQinzm2IpxnjGrjAjM=,tag:EOaD+hiihZKoIbfcPlGA4g==,type:comment]
#ENC[AES256_GCM,data:DIx61nolHcn26hmeWg3IsJJoQca0VgamSknvPCwfnmnfMl/T9Q==,iv:wJPXMTER0SRmKB5EF1beX3GID7K8tcZIO/e02HpCKCc=,tag:oGeoYoQT4IIstoXq7FSWkQ==,type:comment]
#ENC[AES256_GCM,data:fIdL8pOxs07JSRVJxqmLZ5G502pTk9yx6Zu4KRvm,iv:KDgg9EjXBOHf6YMttZsL7IM11AaFkqBdsFFrliIRY7I=,tag:25m6m5dNqbLuX8ze6ieZFg==,type:comment]
filebot-license: ENC[AES256_GCM,data:iBcze+YKbRqgSc07PJ9iSV7+H/eeyX0JWbIk7ftGzvIuaDeZkNjhBGYWtcg7MEagN9fG9V9QBGOYbbxxWoG30pMwMvc35KCQntFSrxWNN09BlZ8eijdQDeWlIIEA/+sTrDNo/Cw4yS4cMDy3QDbOdMNh3If29ewT0hyrvbu+HWasNR9Y8KAytdHvCCcgxTRFHV25sqOyeLXrKRzMDndsF8gZ+kGyeKu9Ft4NMwZFaS/ZYPWHNFhWuZ+c0OeAoD40v/+Ay3DdEGRUIiNo+u4GIHfEbg3xGSrkARl2Bn81rxUawcaKD4YRS0kpVz25PShK3aPuwZAQ7nUcLV84xZLijaF6yz3a7I2bFnDrKQu+ZihBuXuHEAz4HAou1qLIcnXp8Z1R5cMWIjEfP2PsqorgqtuDXZLEaEWBFObug9Ve3kJH8N05DLZlkB8UR9YDIymXsoMxMANCDA57FbL3GgOy7gJmX9xsOn5kmLsTbXPfkGYo+Sf8YRkkTTs9OA+f4JummXvKe2xjJitm4De+Lqe3jzgNkDYEN2E7IdDBqpsw8D+HTYny9plEHlGEkZKCgF/77IWKLak0ACnz13ZEaHdo2rKIkzXcTWQG+D1ZELd2H7zemU4fChdERAl15L8D+TWP0K3zInDRROFeAyudQeXFDL55lBGTfKDxY+DKcCJRX1gb38wMIMlPd2t55cmvBN07DCWvV3JRWTtUfjlH/vL+WWMY0j+cb5aMtg3YXcjmzYlhqhQ4mTNA/cJIatbs9soutAGt2x6lC6PAU4o8tSwFMXYf2zoQznxDygiQ/iQ933CVndbhnQNLdmpQ7Rovl+AJHoNOoUXZUnmKZhPfn8Q9WmKDAe+d3Amhc82Jm+d1W7U16eJ7ULSAkcqSK1cDRbk=,iv:xbvkcdhZRAPwmJqyYf8nFudi13GUEMSE5X306xhMXNA=,tag:jHWjDRIAlV8rEyr/UwFoQA==,type:str]
sops:
age:
- recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvemExcjFLT2tjTlhtMlFl
UFlCQWhtUDc5YmFHU21SdDBoMXNCV2dlbXl3CnJzVmpMcXUwbWx1a1VLUVRhSnFu
MmtmYjVESVJpdFh1UmtwSWl5WE5WZFkKLS0tIE5wZzQ0MENna2EwMzVDUU9QcDlk
bitkdVVwM0l4ajJVYldWM2JqV05tUzgKsJem/g4ckwrmiTJgwtHc98zALWlwmVgH
+O0nH3kcU54SjDQYVRKUWdaCNbsXHEN9wqICS9q0Ill7pD2K0ElZLg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOEJEOEpRWTZRS0VVOTcz
T0pFQlFtQkd3WjZEa1BVR3oyY29qckJZZVE4ClNLZkRDclNPRTlNQ0I1YXlzQUtH
UTNmdWx3bGkrRW5DRDdaMEd6VEExd00KLS0tIFVhSGhneFJ6NFFLZ2M0cEdSc2xI
a1JNZWo3WjRYdjRmS1RaQUZKYjVmOE0KwD5B1U3YPp8qn8q/OvbEIBVM4E6uV3Ml
GwOi/vNGlvevDR++AHOVJ+tzlhCjLo5S4FmFJfNCTkDCz0AifB4Bjg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1exny8unxynaw03yu8ppahu5z28uermghr8ag34e7kdqnaduq9stsyettzz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEb1dtSlJMKzFreWtmclBE
YUgvYXBQb1FtaFhZRjlqTWk1aUZkcjhCbjBFCi9rSUMzdWFkL3I3c3E0bUxERkVN
TDFaUCtHWE5xNEN4NzNXTlBWWnpYR2sKLS0tIDQ5dTM3S0JQdGJvaE0rTkZYWXNN
aTJQNUZuMW5kZVNJQ0lObkZRdzVyZ3MKwfD8PgUM1kHCa1aaDAp0Iv3zaSGsOWS8
f3W8gUMV2Qv1FC4hBccbYH2bHuq5ENVhkleIyE51GT+Ckwt5oR14vw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbHJBUnhjRzlMNHd3NFdt
eXhDWEF1OFF3RWhCUEE1QnhSY0ZUSWFnL240CmRnbGhmMXZXdHVuaUl0V1lTTnFv
dVVYcnZ5b083RTA2dnYxbEY2SlZnU1EKLS0tIGFWRzRtZWhEYkRwVWY5dEJ4ekdL
TWJpMFNHT1lRNXYxSVJuRGtsK3ZvQzAKM6QKBmkddZAjdNdS4Cb1kEuOWm2NLnG3
fLmTx6e5Q0zGQ4KQdPsiKPbGXEXWKRG9qLaf90c7RbRGPEesTUPhTA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0dE5zaEpBSEYvVE5QTjVF
dldFY2t3YThTalowbkMrckhUWjhGdXFVNG1BCldqV2lOS280Z0xjQXo4THlPenQ2
WVRiWDAxSFgzQUkvSjVZUEpBNzZkR0kKLS0tIC9rOHAvSUZadCs5OXhheFpERzlx
QmRCYldBUW9zeTF3cmtUOXVuV2pOMEEKDJC7lyekw9TQmuwfPRb9UsUgqdbAVaxy
tZYmhSYhUFBOUyJ7xwiIfMgOu5A4D2p/q+T2MPCmeOSLUDyycE8Zuw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVeXY1bkl2d3FOaVk0YWdS
R1lYLzNFcXhHN1QvN3dMZjN3MC8yWGU0WGlVCk1ydEJIMlFQWUkrNkxGcDdNVnpM
U0pvWmJPdVIvTGRoU3ZadFBONGMzTFUKLS0tIFIxMVdkTFBuSHFpMmZYaFlsMTBS
eVBaOW9URjJJZHM4UHRvSWRtalc3R3MKp1EjLf9Hh3I9dF3Z+LlI84A26erCLmh/
VK4+X+itppbZ2y5FOnM4I21WlabC+0O6yizjarqC7fByHNeMHc2x1g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1x3elhtccp4u8ha5ry32juj9fkpg0qg7qqx4gduuehgwwnnhcxp8s892hek
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdkUramxKVFVZQVJVMU9E
a1pYck8yOEhpZWZGcktxYkR0U290dll6VmdnCnZWZU9uWXFWZ2ZrVnp0cDBteGdr
azVGVHg5Y0VuZi82UUtkWUtLeDA3UWcKLS0tIDNJZGJQNmpHdFpQUVdiMHh3djhP
WURRbGNNWWJvKzZabGxyd3NXN3lKZ2cKryVInc722ZsjoiYel0YYAQZUsgXDx0by
Ds65yQDcI0ttbmMyFN8oYqD7pnOaD1aZYg6cxqzUVPen9iqCkclMwg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWnFhNi95VUJNUnlHcGo0
eEI0RVczNUliQTJFVEhzOEsxQXlWQ3Qzd0JrCmtJOUg0dFJ1MVNIbjI5MEl2eDJD
eUdyV0t4WWRMKzF5WEVlQUpDY0ZhY1kKLS0tIGltVU83YThiU1lPY3VrRjVFOXRr
YjEvWGZvVlIvcHY2MXVCbjRsTmkrZUkKwnSybPXDYmVjK0wxh3j/TjKK5yudMOGv
yqsn6nOVuJ2EJmVyN1sYZnlIx5qbwYV2DoUusrEDjFKYqVGjXmPXbw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-08T12:02:01Z"
mac: ENC[AES256_GCM,data:K1kelYSO6R1kU3hLQVmlPI3vn9p4uEHDQnb7eVgn5PH/HFlqJrRj9HfagD/yKT0hBIehC3R8rxv73SeXacBcCaBx+A1Ty1fj/K18oQdEpFlOWxYhIvRX23NHaaqudFdVRiVg23spOoTgP48+mSzJdE4dk3jQcm94yxiUQy9kBSw=,iv:iSL9knAzk0SLXDJ1m6xy+Vkv6RqtUP2lzcluQTdKG5g=,tag:Z8I+UY/taf/uq4sQ7qIUEg==,type:str]
lastmodified: "2025-12-25T19:24:57Z"
mac: ENC[AES256_GCM,data:WKwg2pSXlqk4ESacn/e73WVZy2JTdAvEMYvm6OLlEZCOA2Q6iSANE6c5Eq+/QblhD5dGU5YY8jH+zL9xX9UotgE0IpAP8uMDvTVGI92hA6z38wSOS454duSftz5aW++EswmkcJY2Y/oIr+kx8qKxVyNoNyY3s+u4tMeHIKx3KJg=,iv:m35hc/0Mt2+sFA4ua0E4DngK4OBn/Z4xVxDp57+HHaQ=,tag:cigcOoVu8fsSMMb2XdWyZw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

31
hosts/nb/configuration.nix
View file

@ -40,6 +40,7 @@ in {
# ./modules/steam.nix
./modules/fingerprint.nix
./modules/set-nix-channel.nix
./modules/networking.nix
./hardware-configuration.nix
];
@ -249,36 +250,6 @@ in {
};
};
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.42.98.201/32" ];
# publicKey: YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=
privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
peers = [
{
publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
allowedIPs = [
"10.42.96.0/20"
# wohnservice-wien
"10.254.240.0/24"
"10.254.235.0/24"
# epicenter.works
"10.14.0.0/16"
"10.25.0.0/16"
"188.34.191.144/32" # web-arm
"91.107.201.241" # mail
];
endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
persistentKeepalive = 25;
}
];
postSetup = ''
printf "nameserver 10.42.97.1\nsearch cloonar.com" | ${pkgs.openresolv}/bin/resolvconf -a wg0 -m 0 -x
'';
};
};
# pgp
services.pcscd.enable = true;
programs.gnupg.agent = {

1
hosts/nb/modules/desktop/default.nix
View file

@ -19,6 +19,7 @@ in {
fontforge
freecad
firefox
handbrake
openscad
orca-slicer

5
hosts/nb/modules/development/default.nix
View file

@ -25,6 +25,10 @@ in {
glib
gnumake
# mobile
flutter
supabase-cli
air
go
@ -35,6 +39,7 @@ in {
nix-prefetch-git
nodejs_22
php
postgresql
rbw
sops
unzip

4
hosts/nb/modules/development/nvim/config/terminal.lua
View file

@ -3,7 +3,7 @@ local config = {
on_config_done = nil,
-- size can be a number or function which is passed the current terminal
size = 60,
open_mapping = [[<M-t>]],
open_mapping = nil,
hide_numbers = true, -- hide the number column in toggleterm buffers
shade_filetypes = {},
shade_terminals = true,
@ -42,7 +42,7 @@ local config = {
{ vim.o.shell, "<M-1>", "Float Terminal 1", "float", nil },
{ vim.o.shell, "<M-2>", "Float Terminal 2", "float", nil },
{ "claude", "<M-3>", "Claude Terminal", "float", nil },
{ vim.o.shell, "<M-4>", "Float Terminal 4", "float", nil },
{ "codex", "<M-4>", "Codex Terminal", "float", nil },
{ vim.o.shell, "<M-5>", "Float Terminal 5", "float", nil },
},
}

63
hosts/nb/modules/networking.nix Normal file
View file

@ -0,0 +1,63 @@
{ config, lib, pkgs, ... }:
{
# Enable systemd-resolved with split DNS for ddev.site
services.resolved = {
enable = true;
dnssec = "false";
extraConfig = ''
DNS=127.0.0.1:5353
Domains=~ddev.site
'';
};
# Integrate NetworkManager with systemd-resolved
networking.networkmanager.dns = "systemd-resolved";
# Local dnsmasq for .ddev.site resolution only (port 5353)
services.dnsmasq = {
enable = true;
settings = {
port = 5353;
listen-address = "127.0.0.1";
bind-interfaces = true;
no-resolv = true;
address = "/.ddev.site/127.0.0.1";
};
};
# WireGuard VPN configuration
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.42.98.201/32" ];
# publicKey: YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=
privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
peers = [
{
publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
allowedIPs = [
"10.42.96.0/20"
# wohnservice-wien
"10.254.240.0/24"
"10.254.235.0/24"
# epicenter.works
"10.14.0.0/16"
"10.25.0.0/16"
"188.34.191.144/32" # web-arm
"91.107.201.241" # mail
];
endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
persistentKeepalive = 25;
}
];
# Use resolvectl for systemd-resolved integration
# Note: No postDown needed - systemd-resolved automatically handles interface removal
postSetup = ''
${pkgs.systemd}/bin/resolvectl dns wg0 10.42.97.1
${pkgs.systemd}/bin/resolvectl domain wg0 cloonar.com
'';
};
};
}

21
hosts/nb/modules/sway/sway.nix
View file

@ -37,8 +37,10 @@ let
capacity=$(cat "$cap_file")
status=$(cat "$status_file" 2>/dev/null || echo "Unknown")
if [[ "$capacity" -lt 20 && "$status" != "Charging" && "$status" != "Full" ]]; then
stamp="/run/user/$(id -u)/.battery_swaynag_stamp"
pidfile="/run/user/$(id -u)/.battery_swaynag_pid"
if [[ "$capacity" -lt 20 && "$status" != "Charging" && "$status" != "Full" ]]; then
now=$(date +%s)
last=0
if [[ -f "$stamp" ]]; then
@ -46,10 +48,27 @@ let
fi
# Avoid spamming: at most once every 5 minutes
if (( now - last >= 300 )); then
# Kill previous battery swaynag if still running
if [[ -f "$pidfile" ]]; then
old_pid=$(cat "$pidfile" 2>/dev/null || echo "")
if [[ -n "$old_pid" ]] && kill -0 "$old_pid" 2>/dev/null; then
kill "$old_pid" 2>/dev/null || true
fi
fi
echo "$now" > "$stamp"
swaynag -t warning -m "Battery low: ''${capacity}% - plug in the charger." -b "Dismiss" "true" &
echo $! > "$pidfile"
disown || true
fi
else
# Charging or battery OK - close any existing warning bar
if [[ -f "$pidfile" ]]; then
old_pid=$(cat "$pidfile" 2>/dev/null || echo "")
if [[ -n "$old_pid" ]] && kill -0 "$old_pid" 2>/dev/null; then
kill "$old_pid" 2>/dev/null || true
fi
rm -f "$pidfile" "$stamp"
fi
fi
'';

4
hosts/nb/users/configs/project_history
View file

@ -1,3 +1,6 @@
/home/dominik/projects/infrastructure/actions
/home/dominik/projects/infrastructure/forgejo-mcp
/home/dominik/projects/cloonar/chatgpt.vim
/home/dominik/projects/cloonar/ai.nvim
/home/dominik/projects/cloonar/gitea.nvim
@ -13,6 +16,7 @@
/home/dominik/projects/scana11y/sa-core
/home/dominik/projects/cloonar/cloonar-fit
/home/dominik/projects/cloonar/ai-image-alt
/home/dominik/projects/cloonar/bookmap
/home/dominik/projects/home-automation/lego-hetzner-bridge
/home/dominik/projects/home-automation/ghetto-nixos

117
hosts/nb/users/dominik.nix
View file

@ -20,16 +20,16 @@ let
"calendar.ui.version" = 3;
"calendar.timezone.local" = "Europe/Vienna";
"calendar.week.start" = 1;
"layout.css.devPixelsPerPx" = "1.25";
"layout.css.devPixelsPerPx" = "-1.0";
};
thunderbirdCalendarPersonal = {
# Base calendar settings (without identity)
thunderbirdCalendarPersonalBase = {
"calendar.registry.cloonar-personal.cache.enabled" = true;
"calendar.registry.cloonar-personal.calendar-main-in-composite" = true;
"calendar.registry.cloonar-personal.color" = "#232323";
"calendar.registry.cloonar-personal.disabled" = false;
"calendar.registry.cloonar-personal.forceEmailScheduling" = true;
"calendar.registry.cloonar-personal.imip.identity.key" = "id6";
"calendar.registry.cloonar-personal.name" = "Personal";
"calendar.registry.cloonar-personal.readOnly" = false;
"calendar.registry.cloonar-personal.refreshInterval" = 30;
@ -38,6 +38,19 @@ let
"calendar.registry.cloonar-personal.uri" = "https://nextcloud.cloonar.com/remote.php/dav/calendars/dominik.polakovics@cloonar.com/personal/";
"calendar.registry.cloonar-personal.username" = "dominik.polakovics@cloonar.com";
};
# Generate identity key the same way Home Manager does
mkIdentityKey = email: "id_${builtins.hashString "sha256" email}";
# Calendar for cloonar/work profiles (sends notifications via dominik.polakovics@cloonar.com)
thunderbirdCalendarPersonalCloonar = thunderbirdCalendarPersonalBase // {
"calendar.registry.cloonar-personal.imip.identity.key" = mkIdentityKey "dominik.polakovics@cloonar.com";
};
# Calendar for private profile (sends notifications via dominik@superbros.tv)
thunderbirdCalendarPersonalPrivate = thunderbirdCalendarPersonalBase // {
"calendar.registry.cloonar-personal.imip.identity.key" = mkIdentityKey "dominik@superbros.tv";
};
thunderbirdCalendarEpicenterEmployees = {
"calendar.registry.epicenter-employees.cache.enabled" = true;
"calendar.registry.epicenter-employees.calendar-main-in-composite" = true;
@ -76,7 +89,7 @@ let
"signon.rememberSignons" = false;
"identity.sync.tokenserver.uri" = "https://sync.cloonar.com/1.0/sync/1.5";
# "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
"layout.css.devPixelsPerPx" = "1.25";
"layout.css.devPixelsPerPx" = "-1.0"; # auto-detect from Wayland compositor
"media.ffmpeg.vaapi.enabled" = true;
"media.ffmpeg.vaapi-drm-display.enabled" = true;
"gfx.webrender.all" = true;
@ -300,6 +313,10 @@ in
# Chathub
id = "iaakpnchhognanibcahlpcplchdfmgma";
}
{
# Claude in Chrome
id = "fcoeoabgfenejglbffodgkkbkcdhcgfn";
}
];
};
@ -319,7 +336,7 @@ in
# Remember and auto-resolve merge conflicts
# https://git-scm.com/book/en/v2/Git-Tools-Rerere
rerere.enabled = true;
"url \"gitea@git.cloonar.com:\"" = {
"url \"forgejo@git.cloonar.com:\"" = {
insteadOf = "https://git.cloonar.com/";
};
};
@ -332,21 +349,21 @@ in
isDefault = true;
settings = lib.mkMerge [
thunderbirdSettings
thunderbirdCalendarPersonal
thunderbirdCalendarPersonalPrivate
thunderbirdContactsPersonal
];
};
cloonar = {
settings = lib.mkMerge [
thunderbirdSettings
thunderbirdCalendarPersonal
thunderbirdCalendarPersonalCloonar
thunderbirdContactsPersonal
];
};
work = {
settings = lib.mkMerge [
thunderbirdSettings
thunderbirdCalendarPersonal
thunderbirdCalendarPersonalCloonar
thunderbirdCalendarEpicenterEmployees
thunderbirdContactsPersonal
];
@ -586,55 +603,59 @@ in
ssh-keygen -R git.cloonar.com
ssh-keyscan git.cloonar.com >> ~/.ssh/known_hosts
git clone git@github.com:dpolakovics/soundscape-sync.git ${persistHome}/projects/cloonar/soundscape-sync 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/yaapi.git ${persistHome}/projects/cloonar/yaapi 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/chatgpt.vim.git ${persistHome}/cloonar/chatgpt.vim 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/gitea.nvim.git ${persistHome}/cloonar/gitea.nvim 2>/dev/null
git clone gitea@git.cloonar.com:myhidden.life/web.git ${persistHome}/projects/myhidden.life/myhidden.life-web 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/yaapi.git ${persistHome}/projects/cloonar/yaapi 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/chatgpt.vim.git ${persistHome}/cloonar/chatgpt.vim 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/gitea.nvim.git ${persistHome}/cloonar/gitea.nvim 2>/dev/null
git clone forgejo@git.cloonar.com:myhidden.life/web.git ${persistHome}/projects/myhidden.life/myhidden.life-web 2>/dev/null
git clone git@github.com:dpolakovics/glazewm.git ${persistHome}/cloonar/glazewm 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/phishguard.git ${persistHome}/projects/cloonar/phishguard 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/phishguard-frontend.git ${persistHome}/projects/cloonar/phishguard-frontend 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/gitapi.git ${persistHome}/projects/cloonar/gitapi 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/ai.nvim.git ${persistHome}/cloonar/ai.nvim 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/cloonar-assistant.git ${persistHome}/projects/cloonar/cloonar-assistant 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/cloonar-assistant-customers.git ${persistHome}/projects/cloonar/cloonar-assistant-customers 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/updns.git ${persistHome}/projects/cloonar/updns 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/phishguard.git ${persistHome}/projects/cloonar/phishguard 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/phishguard-frontend.git ${persistHome}/projects/cloonar/phishguard-frontend 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/gitapi.git ${persistHome}/projects/cloonar/gitapi 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/ai.nvim.git ${persistHome}/cloonar/ai.nvim 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/cloonar-assistant.git ${persistHome}/projects/cloonar/cloonar-assistant 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/cloonar-assistant-customers.git ${persistHome}/projects/cloonar/cloonar-assistant-customers 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/updns.git ${persistHome}/projects/cloonar/updns 2>/dev/null
git clone git@github.com:dpolakovics/mcp-servers-nix.git ${persistHome}/cloonar/mcp-servers-nix 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/ldap2vcard.git ${persistHome}/projects/cloonar/ldap2vcard 2>/dev/null
git clone gitea@git.cloonar.com:ScanA11y/sa-core.git ${persistHome}/projects/scana11y/sa-core 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/ai-image-alt.git ${persistHome}/projects/cloonar/ai-image-alt 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/ldap2vcard.git ${persistHome}/projects/cloonar/ldap2vcard 2>/dev/null
git clone forgejo@git.cloonar.com:ScanA11y/sa-core.git ${persistHome}/projects/scana11y/sa-core 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/ai-image-alt.git ${persistHome}/projects/cloonar/ai-image-alt 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/bookmap.git ${persistHome}/projects/cloonar/bookmap 2>/dev/null
git clone forgejo@git.cloonar.com:infrastructure/actions.git ${persistHome}/projects/infrastructure/actions 2>/dev/null
git clone ssh://git@codeberg.org/razormind/forgejo-mcp.git ${persistHome}/projects/infrastructure/forgejo-mcp 2>/dev/null
git clone gitea@git.cloonar.com:dominik.polakovics/typo3-basic.git ${persistHome}/cloonar/typo3-basic 2>/dev/null
git clone gitea@git.cloonar.com:renovate/renovate-config.git ${persistHome}/cloonar/renovate-config 2>/dev/null
git clone forgejo@git.cloonar.com:dominik.polakovics/typo3-basic.git ${persistHome}/cloonar/typo3-basic 2>/dev/null
git clone forgejo@git.cloonar.com:renovate/renovate-config.git ${persistHome}/cloonar/renovate-config 2>/dev/null
git clone git@github.com:dpolakovics/bento.git ${persistHome}/cloonar/bento 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/freescout.git ${persistHome}/projects/cloonar/freescout 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/support-invoiced.git ${persistHome}/projects/cloonar/support-invoiced 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/nixos.git ${persistHome}/projects/cloonar/cloonar-nixos 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/website.git ${persistHome}/projects/cloonar/cloonar-website 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/wohnservice-wien-typo3.git ${persistHome}/projects/cloonar/wohnservice-wien 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/wohnservice-gdpr.git ${persistHome}/projects/cloonar/wohnservice-gdpr 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/gbv-aktuell.git ${persistHome}/projects/cloonar/gbv-aktuell 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/fit.git ${persistHome}/projects/cloonar/cloonar-fit 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/freescout.git ${persistHome}/projects/cloonar/freescout 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/support-invoiced.git ${persistHome}/projects/cloonar/support-invoiced 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/nixos.git ${persistHome}/projects/cloonar/cloonar-nixos 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/website.git ${persistHome}/projects/cloonar/cloonar-website 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/wohnservice-wien-typo3.git ${persistHome}/projects/cloonar/wohnservice-wien 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/wohnservice-gdpr.git ${persistHome}/projects/cloonar/wohnservice-gdpr 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/gbv-aktuell.git ${persistHome}/projects/cloonar/gbv-aktuell 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/fit.git ${persistHome}/projects/cloonar/cloonar-fit 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/cloonar-technologies-website.git ${persistHome}/projects/cloonar/cloonar-technologies-website 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/cloonar-technologies-website.git ${persistHome}/projects/cloonar/cloonar-technologies-website 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/api.git ${persistHome}/projects/cloonar/paraclub/paraclub-api 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/frontend.git ${persistHome}/projects/cloonar/paraclub/paraclub-frontend 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/website.git ${persistHome}/projects/cloonar/paraclub/paraclub-website 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/module.git ${persistHome}/projects/cloonar/paraclub/paraclub-module 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/ai-mailer.git ${persistHome}/projects/cloonar/paraclub/paraclub-ai-mailer 2>/dev/null
git clone forgejo@git.cloonar.com:Paraclub/api.git ${persistHome}/projects/cloonar/paraclub/paraclub-api 2>/dev/null
git clone forgejo@git.cloonar.com:Paraclub/frontend.git ${persistHome}/projects/cloonar/paraclub/paraclub-frontend 2>/dev/null
git clone forgejo@git.cloonar.com:Paraclub/website.git ${persistHome}/projects/cloonar/paraclub/paraclub-website 2>/dev/null
git clone forgejo@git.cloonar.com:Paraclub/module.git ${persistHome}/projects/cloonar/paraclub/paraclub-module 2>/dev/null
git clone forgejo@git.cloonar.com:Paraclub/ai-mailer.git ${persistHome}/projects/cloonar/paraclub/paraclub-ai-mailer 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/amz-api.git ${persistHome}/projects/cloonar/amz/amz-api 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/amz-frontend.git ${persistHome}/projects/cloonar/amz/amz-frontend 2>/dev/null
git clone gitea@git.cloonar.com:hilgenberg/website.git ${persistHome}/projects/cloonar/hilgenberg-website 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/korean-skin.care.git ${persistHome}/projects/cloonar/korean-skin.care 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/lena-schilling-website.git ${persistHome}/projects/cloonar/lena-schilling-website 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/dialog-relations-website.git ${persistHome}/projects/cloonar/dialog-relations-website 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/imperfect-perfect.com.git ${persistHome}/projects/cloonar/imperfect-perfect.com 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/amz-api.git ${persistHome}/projects/cloonar/amz/amz-api 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/amz-frontend.git ${persistHome}/projects/cloonar/amz/amz-frontend 2>/dev/null
git clone forgejo@git.cloonar.com:hilgenberg/website.git ${persistHome}/projects/cloonar/hilgenberg-website 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/korean-skin.care.git ${persistHome}/projects/cloonar/korean-skin.care 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/lena-schilling-website.git ${persistHome}/projects/cloonar/lena-schilling-website 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/dialog-relations-website.git ${persistHome}/projects/cloonar/dialog-relations-website 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/imperfect-perfect.com.git ${persistHome}/projects/cloonar/imperfect-perfect.com 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/lego-hetzner-bridge.git ${persistHome}/projects/home-automation/lego-hetzner-bridge 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/ghetto-nixos.git ${persistHome}/projects/home-automation/ghetto-nixos 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/lego-hetzner-bridge.git ${persistHome}/projects/home-automation/lego-hetzner-bridge 2>/dev/null
git clone forgejo@git.cloonar.com:Cloonar/ghetto-nixos.git ${persistHome}/projects/home-automation/ghetto-nixos 2>/dev/null
git clone gitea@git.cloonar.com:ownstash/api.git ${persistHome}/projects/ownstash/ownstash-api 2>/dev/null
git clone forgejo@git.cloonar.com:ownstash/api.git ${persistHome}/projects/ownstash/ownstash-api 2>/dev/null
ssh-keygen -R gitlab.epicenter.works
ssh-keyscan gitlab.epicenter.works >> ~/.ssh/known_hosts

4
hosts/web-arm/configuration.nix
View file

@ -58,7 +58,9 @@
screen
ucommon
php
php83
(writeShellScriptBin "php82" ''exec ${php82}/bin/php "$@"'')
(writeShellScriptBin "php83" ''exec ${php83}/bin/php "$@"'')
(writeShellScriptBin "php84" ''exec ${php84}/bin/php "$@"'')
];
time.timeZone = "Europe/Vienna";

18
hosts/web-arm/modules/authelia.nix
View file

@ -5,6 +5,21 @@ let
system = pkgs.system;
};
in {
# Redis for Authelia session persistence
services.redis.servers.authelia = {
enable = true;
user = "authelia-main";
unixSocket = "/run/redis-authelia/redis.sock";
unixSocketPerm = 660;
settings = {
appendonly = "yes"; # Enable AOF persistence
appendfsync = "everysec"; # Sync every second
};
};
# Add authelia user to redis group for socket access
users.users.authelia-main.extraGroups = [ "redis-authelia" ];
sops.secrets.authelia-jwt-secret = {
owner = "authelia-main";
};
@ -106,6 +121,9 @@ in {
inactivity = "45m";
remember_me_duration = "1M";
domain = "cloonar.com";
redis = {
host = "/run/redis-authelia/redis.sock";
};
# todo: enable with 4.38
# cookies = [
# {

58
hosts/web-arm/modules/grafana/alerting/service/amzebs_mysql_down.nix
View file

@ -1,58 +0,0 @@
{ lib, pkgs, config, ... }:
{
grafanaAlertRuleDefinitions = [
{
uid = "amzebs-mysql-service-down-alert-uid";
title = "MySQL Service Down on amzebs-01";
condition = "C";
data = [
{
refId = "A";
relativeTimeRange = {
from = 300;
to = 0;
};
datasourceUid = "vm-datasource-uid";
model = {
editorMode = "code";
expr = "node_systemd_unit_state{state=\"active\", name=\"mysql.service\", instance=\"amzebs-01:9100\"} OR on() vector(0)";
hide = false;
intervalMs = 1000;
legendFormat = "__auto";
maxDataPoints = 43200;
range = true;
refId = "A";
};
}
{
refId = "B";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$B < 1";
};
}
];
noDataState = "Alerting";
execErrState = "Alerting";
for = "5m";
annotations = {
description = "MySQL service is down on amzebs-01";
summary = "MySQL Service Down on amzebs-01";
};
labels = {
severity = "critical";
host = "amzebs-01";
};
}
];
}

58
hosts/web-arm/modules/grafana/alerting/service/amzebs_nginx_down.nix
View file

@ -1,58 +0,0 @@
{ lib, pkgs, config, ... }:
{
grafanaAlertRuleDefinitions = [
{
uid = "amzebs-nginx-service-down-alert-uid";
title = "Nginx Service Down on amzebs-01";
condition = "C";
data = [
{
refId = "A";
relativeTimeRange = {
from = 300;
to = 0;
};
datasourceUid = "vm-datasource-uid";
model = {
editorMode = "code";
expr = "node_systemd_unit_state{state=\"active\", name=\"nginx.service\", instance=\"amzebs-01:9100\"} OR on() vector(0)";
hide = false;
intervalMs = 1000;
legendFormat = "__auto";
maxDataPoints = 43200;
range = true;
refId = "A";
};
}
{
refId = "B";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$B < 1";
};
}
];
noDataState = "Alerting";
execErrState = "Alerting";
for = "5m";
annotations = {
description = "Nginx service is down on amzebs-01";
summary = "Nginx Service Down on amzebs-01";
};
labels = {
severity = "critical";
host = "amzebs-01";
};
}
];
}

58
hosts/web-arm/modules/grafana/alerting/service/amzebs_phpfpm_down.nix
View file

@ -1,58 +0,0 @@
{ lib, pkgs, config, ... }:
{
grafanaAlertRuleDefinitions = [
{
uid = "amzebs-phpfpm-service-down-alert-uid";
title = "PHP-FPM Service Down on amzebs-01";
condition = "C";
data = [
{
refId = "A";
relativeTimeRange = {
from = 300;
to = 0;
};
datasourceUid = "vm-datasource-uid";
model = {
editorMode = "code";
expr = "node_systemd_unit_state{state=\"active\", name=~\"phpfpm-.*\\\\.service\", instance=\"amzebs-01:9100\"} OR on() vector(0)";
hide = false;
intervalMs = 1000;
legendFormat = "__auto";
maxDataPoints = 43200;
range = true;
refId = "A";
};
}
{
refId = "B";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "min";
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$B < 1";
};
}
];
noDataState = "Alerting";
execErrState = "Alerting";
for = "5m";
annotations = {
description = "One or more PHP-FPM services are down on amzebs-01";
summary = "PHP-FPM Service Down on amzebs-01";
};
labels = {
severity = "critical";
host = "amzebs-01";
};
}
];
}

24
hosts/web-arm/modules/grafana/alerting/service/default.nix
View file

@ -1,26 +1,6 @@
{ lib, pkgs, config, ... }:
let
giteaDownAlertRules = (import ./gitea_down.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
giteaRunnerDownAlertRules = (import ./gitea_runner_down.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
postfixDownAlertRules = (import ./postfix_down.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
dovecotDownAlertRules = (import ./dovecot_down.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
openldapDownAlertRules = (import ./openldap_down.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
wireguardDownAlertRules = (import ./wireguard_down.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
# amzebs-01 service alerts
ambebsMysqlDownAlertRules = (import ./amzebs_mysql_down.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
ambebsNginxDownAlertRules = (import ./amzebs_nginx_down.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
ambebsPhpfpmDownAlertRules = (import ./amzebs_phpfpm_down.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
allServiceRules = giteaDownAlertRules
++ giteaRunnerDownAlertRules
++ postfixDownAlertRules
++ dovecotDownAlertRules
++ openldapDownAlertRules
++ wireguardDownAlertRules
++ ambebsMysqlDownAlertRules
++ ambebsNginxDownAlertRules
++ ambebsPhpfpmDownAlertRules;
servicesDownAlertRules = (import ./services_down.nix { inherit lib pkgs config; }).grafanaAlertRuleDefinitions;
in
{
services.grafana.provision.alerting.rules.settings.groups = [
@ -28,7 +8,7 @@ in
name = "Service Alerts";
folder = "Service Monitoring";
interval = "1m";
rules = allServiceRules;
rules = servicesDownAlertRules;
}
];
}

57
hosts/web-arm/modules/grafana/alerting/service/dovecot_down.nix
View file

@ -1,57 +0,0 @@
{ lib, pkgs, config, ... }:
{
grafanaAlertRuleDefinitions = [
{
uid = "dovecot-service-down-alert-uid";
title = "Dovecot Service Down";
condition = "C";
data = [
{
refId = "A";
relativeTimeRange = {
from = 300;
to = 0;
};
datasourceUid = "vm-datasource-uid";
model = {
editorMode = "code";
expr = "node_systemd_unit_state{state=\"active\", name=\"dovecot.service\"} OR on() vector(0)";
hide = false;
intervalMs = 1000;
legendFormat = "__auto";
maxDataPoints = 43200;
range = true;
refId = "A";
};
}
{
refId = "B";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$B < 1";
};
}
];
noDataState = "Alerting";
execErrState = "Alerting";
for = "5m";
annotations = {
description = "Dovecot service is down on {{ $labels.instance }}";
summary = "Dovecot Service Down";
};
labels = {
severity = "critical";
};
}
];
}

57
hosts/web-arm/modules/grafana/alerting/service/gitea_down.nix
View file

@ -1,57 +0,0 @@
{ lib, pkgs, config, ... }:
{
grafanaAlertRuleDefinitions = [
{
uid = "gitea-service-down-alert-uid";
title = "Gitea Service Down";
condition = "C";
data = [
{
refId = "A";
relativeTimeRange = {
from = 300;
to = 0;
};
datasourceUid = "vm-datasource-uid";
model = {
editorMode = "code";
expr = "node_systemd_unit_state{state=\"active\", name=\"container@git.service\"} OR on() vector(0)";
hide = false;
intervalMs = 1000;
legendFormat = "__auto";
maxDataPoints = 43200;
range = true;
refId = "A";
};
}
{
refId = "B";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$B < 1";
};
}
];
noDataState = "Alerting";
execErrState = "Alerting";
for = "5m";
annotations = {
description = "Gitea service is down on {{ $labels.instance }}";
summary = "Gitea Service Down";
};
labels = {
severity = "critical";
};
}
];
}

57
hosts/web-arm/modules/grafana/alerting/service/gitea_runner_down.nix
View file

@ -1,57 +0,0 @@
{ lib, pkgs, config, ... }:
{
grafanaAlertRuleDefinitions = [
{
uid = "gitea-runner-service-down-alert-uid";
title = "Gitea Runner Service Down";
condition = "C";
data = [
{
refId = "A";
relativeTimeRange = {
from = 300;
to = 0;
};
datasourceUid = "vm-datasource-uid";
model = {
editorMode = "code";
expr = "node_systemd_unit_state{state=\"active\", name=\"microvm@git-runner-1.service\"} OR on() vector(0)";
hide = false;
intervalMs = 1000;
legendFormat = "__auto";
maxDataPoints = 43200;
range = true;
refId = "A";
};
}
{
refId = "B";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$B < 1";
};
}
];
noDataState = "Alerting";
execErrState = "Alerting";
for = "5m";
annotations = {
description = "Gitea Runner service is down on {{ $labels.instance }}";
summary = "Gitea Runner Service Down";
};
labels = {
severity = "critical";
};
}
];
}

57
hosts/web-arm/modules/grafana/alerting/service/openldap_down.nix
View file

@ -1,57 +0,0 @@
{ lib, pkgs, config, ... }:
{
grafanaAlertRuleDefinitions = [
{
uid = "openldap-service-down-alert-uid";
title = "OpenLDAP Service Down";
condition = "C";
data = [
{
refId = "A";
relativeTimeRange = {
from = 300;
to = 0;
};
datasourceUid = "vm-datasource-uid";
model = {
editorMode = "code";
expr = "node_systemd_unit_state{state=\"active\", name=\"openldap.service\"} OR on() vector(0)";
hide = false;
intervalMs = 1000;
legendFormat = "__auto";
maxDataPoints = 43200;
range = true;
refId = "A";
};
}
{
refId = "B";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$B < 1";
};
}
];
noDataState = "Alerting";
execErrState = "Alerting";
for = "5m";
annotations = {
description = "OpenLDAP service is down on {{ $labels.instance }}";
summary = "OpenLDAP Service Down";
};
labels = {
severity = "critical";
};
}
];
}

57
hosts/web-arm/modules/grafana/alerting/service/postfix_down.nix
View file

@ -1,57 +0,0 @@
{ lib, pkgs, config, ... }:
{
grafanaAlertRuleDefinitions = [
{
uid = "postfix-service-down-alert-uid";
title = "Postfix Service Down";
condition = "C";
data = [
{
refId = "A";
relativeTimeRange = {
from = 300;
to = 0;
};
datasourceUid = "vm-datasource-uid";
model = {
editorMode = "code";
expr = "node_systemd_unit_state{state=\"active\", name=\"postfix.service\"} OR on() vector(0)";
hide = false;
intervalMs = 1000;
legendFormat = "__auto";
maxDataPoints = 43200;
range = true;
refId = "A";
};
}
{
refId = "B";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$B < 1";
};
}
];
noDataState = "Alerting";
execErrState = "Alerting";
for = "5m";
annotations = {
description = "Postfix service is down on {{ $labels.instance }}";
summary = "Postfix Service Down";
};
labels = {
severity = "critical";
};
}
];
}

96
hosts/web-arm/modules/grafana/alerting/service/services_down.nix Normal file
View file

@ -0,0 +1,96 @@
{ lib, pkgs, config, ... }:
let
# Add services here - each entry generates an alert rule
# instance = which node exporter to query (hostname:9100)
monitoredServices = [
{ name = "AI-Mailer"; service = "ai-mailer.service"; instance = "fw:9100"; }
{ name = "Postfix"; service = "postfix.service"; instance = "mail:9100"; }
{ name = "Dovecot"; service = "dovecot.service"; instance = "mail:9100"; }
{ name = "OpenLDAP"; service = "openldap.service"; instance = "mail:9100"; }
{ name = "Forgejo"; service = "container@forgejo.service"; instance = "fw:9100"; }
{ name = "Forgejo Runner 1"; service = "microvm@fj-runner-1.service"; instance = "fw:9100"; }
{ name = "Forgejo Runner 2"; service = "microvm@fj-runner-2.service"; instance = "fw:9100"; }
{ name = "WireGuard"; service = "wireguard-wg_cloonar.service"; instance = "fw:9100"; }
{ name = "MySQL"; service = "mysql.service"; instance = "amzebs-01:9100"; }
{ name = "Nginx"; service = "nginx.service"; instance = "amzebs-01:9100"; }
{ name = "PHP-FPM"; service = "phpfpm-.*[.]service"; instance = "amzebs-01:9100"; }
];
# Extract host from instance (e.g., "fw:9100" -> "fw")
getHost = instance: lib.head (lib.splitString ":" instance);
# Generate a unique UID from service name
mkUid = name: "${lib.toLower (lib.replaceStrings [" " "@" "."] ["-" "-" "-"] name)}-down-uid";
# Check if service pattern uses regex (contains special chars)
isRegex = svc: lib.hasInfix ".*" svc || lib.hasInfix "\\" svc;
# Build the PromQL expression
# For regex patterns: use min() to alert if ANY matching service is down
# For single services: use OR vector(0) to handle missing metrics
mkExpr = svc:
let
nameMatch = if isRegex svc.service
then "name=~\"${svc.service}\""
else "name=\"${svc.service}\"";
baseQuery = "node_systemd_unit_state{state=\"active\", ${nameMatch}, instance=\"${svc.instance}\"}";
in if isRegex svc.service
then "min(${baseQuery})"
else "${baseQuery} OR on() vector(0)";
mkServiceAlert = svc: {
uid = mkUid svc.name;
title = "${svc.name} Service Down on ${getHost svc.instance}";
condition = "C";
data = [
{
refId = "A";
relativeTimeRange = {
from = 300;
to = 0;
};
datasourceUid = "vm-datasource-uid";
model = {
editorMode = "code";
expr = mkExpr svc;
hide = false;
intervalMs = 1000;
legendFormat = "__auto";
maxDataPoints = 43200;
range = true;
refId = "A";
};
}
{
refId = "B";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$B < 1";
};
}
];
noDataState = "Alerting";
execErrState = "Alerting";
for = "5m";
annotations = {
description = "${svc.name} service is down on ${getHost svc.instance}";
summary = "${svc.name} Service Down";
};
labels = {
severity = "critical";
host = getHost svc.instance;
};
};
in {
grafanaAlertRuleDefinitions = map mkServiceAlert monitoredServices;
}

57
hosts/web-arm/modules/grafana/alerting/service/wireguard_down.nix
View file

@ -1,57 +0,0 @@
{ lib, pkgs, config, ... }:
{
grafanaAlertRuleDefinitions = [
{
uid = "wireguard-service-down-alert-uid";
title = "WireGuard Service Down";
condition = "C";
data = [
{
refId = "A";
relativeTimeRange = {
from = 300;
to = 0;
};
datasourceUid = "vm-datasource-uid";
model = {
editorMode = "code";
expr = "node_systemd_unit_state{state=\"active\", name=\"wireguard-wg_cloonar.service\"} OR on() vector(0)";
hide = false;
intervalMs = 1000;
legendFormat = "__auto";
maxDataPoints = 43200;
range = true;
refId = "A";
};
}
{
refId = "B";
datasourceUid = "__expr__";
model = {
type = "reduce";
expression = "A";
reducer = "last";
};
}
{
refId = "C";
datasourceUid = "__expr__";
model = {
type = "math";
expression = "$B < 1";
};
}
];
noDataState = "Alerting";
execErrState = "Alerting";
for = "5m";
annotations = {
description = "WireGuard service is down on {{ $labels.instance }}";
summary = "WireGuard Service Down";
};
labels = {
severity = "critical";
};
}
];
}

6
hosts/web-arm/modules/grafana/alerting/storage/raid_alerts.nix
View file

@ -12,7 +12,7 @@
datasourceUid = "vm-datasource-uid";
relativeTimeRange = { from = 300; to = 0; };
model = {
expr = ''mdadm_array_state == 0'';
expr = ''mdadm_array_state < 1'';
instant = false;
};
}
@ -35,7 +35,7 @@
}
];
for = "0s";
noDataState = "NoData";
noDataState = "OK";
execErrState = "Error";
annotations = {
summary = "RAID array {{ $labels.array }} is degraded";
@ -84,7 +84,7 @@
}
];
for = "0s";
noDataState = "NoData";
noDataState = "OK";
execErrState = "Error";
annotations = {
summary = "RAID array {{ $labels.array }} has missing devices";

14
hosts/web-arm/modules/grafana/alerting/storage/smart_alerts.nix
View file

@ -12,7 +12,7 @@
datasourceUid = "vm-datasource-uid";
relativeTimeRange = { from = 300; to = 0; };
model = {
expr = ''smart_health_passed == 0'';
expr = ''smart_health_passed < 1'';
instant = false;
};
}
@ -35,7 +35,7 @@
}
];
for = "0s";
noDataState = "NoData";
noDataState = "OK";
execErrState = "Error";
annotations = {
summary = "S.M.A.R.T. health check FAILED on {{ $labels.device }}";
@ -84,7 +84,7 @@
}
];
for = "0s";
noDataState = "NoData";
noDataState = "OK";
execErrState = "Error";
annotations = {
summary = "Reallocated sectors detected on {{ $labels.device }}";
@ -133,7 +133,7 @@
}
];
for = "0s";
noDataState = "NoData";
noDataState = "OK";
execErrState = "Error";
annotations = {
summary = "Pending sectors detected on {{ $labels.device }}";
@ -182,7 +182,7 @@
}
];
for = "0s";
noDataState = "NoData";
noDataState = "OK";
execErrState = "Error";
annotations = {
summary = "Offline uncorrectable errors on {{ $labels.device }}";
@ -231,7 +231,7 @@
}
];
for = "10m";
noDataState = "NoData";
noDataState = "OK";
execErrState = "Error";
annotations = {
summary = "High temperature on {{ $labels.device }}";
@ -280,7 +280,7 @@
}
];
for = "0s";
noDataState = "NoData";
noDataState = "OK";
execErrState = "Error";
annotations = {
summary = "UDMA CRC errors on {{ $labels.device }}";

2
hosts/web-arm/modules/grafana/default.nix
View file

@ -115,7 +115,6 @@ in
settings = {
apiToken = "\${PUSHOVER_API_TOKEN}";
userKey = "\${PUSHOVER_USER_KEY}";
device = "iphone";
priority = 2;
retry = "30s";
expire = "2m";
@ -134,7 +133,6 @@ in
settings = {
apiToken = "\${PUSHOVER_API_TOKEN}";
userKey = "\${PUSHOVER_USER_KEY}";
device = "iphone";
priority = 1;
sound = "siren";
okSound = "magic";

12
hosts/web-arm/modules/nextcloud/default.nix
View file

@ -1,11 +1,5 @@
{ pkgs, config, ... }:
let
nextcloud30 = pkgs.nextcloud30.overrideAttrs (oldAttrs: {
src = pkgs.fetchurl {
url = "https://download.nextcloud.com/server/releases/nextcloud-30.0.2.tar.bz2";
sha256 = "sha256-kpu4BF6WIW/iKmXc1mJ55b17oauynZm/QB1CO2RqRF8=";
};
});
in
{
sops.secrets.nextcloud-adminpass.owner = "nextcloud";
@ -16,14 +10,14 @@ in
enable = true;
hostName = "nextcloud.cloonar.com";
https = true;
package = pkgs.nextcloud31;
package = pkgs.nextcloud32;
# Instead of using pkgs.nextcloud27Packages.apps,
# we'll reference the package version specified above
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) calendar contacts deck groupfolders mail richdocuments tasks;
oidc_login = pkgs.fetchNextcloudApp rec {
url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.1.1/oidc_login.tar.gz";
sha256 = "sha256-b/tKk+y+ZypCHGNDtunDua2msYD6/TzA0haoC0k85F4=";
url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.2.5/oidc_login.tar.gz";
sha256 = "sha256-Qtqcw1OspTHg0QRIgDMxNru6ZGL8y5XhJ5gdgqn6/Wc=";
license = "gpl3";
};
};

8
hosts/web-arm/modules/prometheus.nix
View file

@ -118,10 +118,10 @@
description="homeassistant notification {{$labels.entity}} ({{$labels.friendly_name}}): {{$value}}"
}
ALERT gitea
IF rate(promhttp_metric_handler_requests_total{job="gitea", code="500"}[5m]) > 3
ALERT forgejo
IF rate(promhttp_metric_handler_requests_total{job="forgejo", code="500"}[5m]) > 3
ANNOTATIONS {
description="{{$labels.instance}}: gitea instances error rate went up: {{$value}} errors in 5 minutes"
description="{{$labels.instance}}: forgejo instances error rate went up: {{$value}} errors in 5 minutes"
}
''
];
@ -198,7 +198,7 @@
];
}
{
job_name = "gitea";
job_name = "forgejo";
scrape_interval = "60s";
metrics_path = "/metrics";

111
hosts/web-arm/secrets.yaml
View file

File diff suppressed because one or more lines are too long

2
hosts/web-arm/sites/default.nix
View file

@ -13,6 +13,8 @@
./support.cloonar.dev.nix
./stage.cloonar-technologies.at.nix
./fueltide.io.nix
./stage.scana11y.com.nix
./scana11y.com.nix

75
hosts/web-arm/sites/fueltide.io.nix Normal file
View file

@ -0,0 +1,75 @@
{ pkgs, lib, config, ... }:
{
# SOPS secret for fueltide.io DNS credentials (separate Hetzner API token)
sops.secrets.fueltide-lego-credentials = { };
# Override ACME credentials for fueltide.io domains
# These use a separate Hetzner DNS API token from the global default
security.acme.certs."app.fueltide.io" = {
credentialsFile = config.sops.secrets.fueltide-lego-credentials.path;
};
security.acme.certs."app.stage.fueltide.io" = {
credentialsFile = config.sops.secrets.fueltide-lego-credentials.path;
};
services.webstack.instances."fueltide.cloonar.dev" = {
enablePhp = false;
enableDefaultLocations = false;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
];
locations."/".extraConfig = ''
index index.html;
try_files $uri $uri/ /index.html;
'';
locations."~* \.(js|jpg|gif|png|webp|avif|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
};
services.webstack.instances."app.fueltide.io" = {
enablePhp = false;
enableDefaultLocations = false;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
];
locations."/".extraConfig = ''
index index.html;
try_files $uri $uri/ /index.html;
'';
locations."~* \.(js|jpg|gif|png|webp|avif|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
};
services.webstack.instances."app.stage.fueltide.io" = {
enablePhp = false;
enableDefaultLocations = false;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
];
locations."/".extraConfig = ''
index index.html;
try_files $uri $uri/ /index.html;
'';
locations."~* \.(js|jpg|gif|png|webp|avif|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
};
}

19
scripts/migrate-gitea-to-forgejo.env.example Normal file
View file

@ -0,0 +1,19 @@
# Gitea to Forgejo Migration - Environment Configuration
#
# Copy this file to migrate-gitea-to-forgejo.env and adjust values.
# Then run: ./scripts/migrate-gitea-to-forgejo.sh
#
# IMPORTANT: Ensure Gitea is stopped before running migration.
# Source (Gitea) - READ ONLY, never modified
# This is the original Gitea data directory
SOURCE_DATA=/var/lib/gitea
# Target (Forgejo) - where data will be copied
# Must be on a filesystem with enough space (1.2x source size)
TARGET_DATA=/var/lib/forgejo
# User/group for target files
# These should match your Forgejo service user
TARGET_USER=forgejo
TARGET_GROUP=forgejo

497
scripts/migrate-gitea-to-forgejo.sh Executable file
View file

@ -0,0 +1,497 @@
#!/usr/bin/env bash
#
# Gitea 1.25.4 to Forgejo Migration Script
#
# This script copies data from Gitea to Forgejo and rolls back the database
# schema from version 322/323 to 304, allowing Forgejo to run its own migrations.
#
# IMPORTANT: This script NEVER modifies source data. All operations work on copies,
# so the original Gitea instance can be restarted as a rollback.
#
# Usage:
# 1. Copy migrate-gitea-to-forgejo.env.example to migrate-gitea-to-forgejo.env
# 2. Edit the .env file with your paths
# 3. Stop Gitea
# 4. Run: ./scripts/migrate-gitea-to-forgejo.sh
# 5. Update NixOS config and deploy
#
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ENV_FILE="${SCRIPT_DIR}/migrate-gitea-to-forgejo.env"
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
log_info() { echo -e "${BLUE}[INFO]${NC} $*"; }
log_success() { echo -e "${GREEN}[OK]${NC} $*"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
log_error() { echo -e "${RED}[ERROR]${NC} $*" >&2; }
# Load environment file
if [[ ! -f "$ENV_FILE" ]]; then
log_error "Environment file not found: $ENV_FILE"
log_info "Copy migrate-gitea-to-forgejo.env.example to migrate-gitea-to-forgejo.env and configure it."
exit 1
fi
# shellcheck source=/dev/null
source "$ENV_FILE"
# Verify required variables
: "${SOURCE_DATA:?SOURCE_DATA must be set in $ENV_FILE}"
: "${TARGET_DATA:?TARGET_DATA must be set in $ENV_FILE}"
: "${TARGET_USER:?TARGET_USER must be set in $ENV_FILE}"
: "${TARGET_GROUP:?TARGET_GROUP must be set in $ENV_FILE}"
echo "========================================"
echo "Gitea to Forgejo Migration Script"
echo "========================================"
echo ""
echo "Source: $SOURCE_DATA (read-only)"
echo "Target: $TARGET_DATA"
echo "User: $TARGET_USER:$TARGET_GROUP"
echo ""
# ============================================
# PHASE 1: Pre-flight Checks
# ============================================
log_info "Phase 1: Pre-flight checks..."
# Check if running as root (needed for chown)
if [[ $EUID -ne 0 ]]; then
log_error "This script must be run as root (for chown operations)"
exit 1
fi
# Verify SQLite version >= 3.35 (required for DROP COLUMN)
if ! command -v sqlite3 &> /dev/null; then
log_error "sqlite3 command not found. Please install SQLite."
exit 1
fi
sqlite_version=$(sqlite3 --version | cut -d' ' -f1)
sqlite_major=$(echo "$sqlite_version" | cut -d'.' -f1)
sqlite_minor=$(echo "$sqlite_version" | cut -d'.' -f2)
if [[ "$sqlite_major" -lt 3 ]] || { [[ "$sqlite_major" -eq 3 ]] && [[ "$sqlite_minor" -lt 35 ]]; }; then
log_error "SQLite $sqlite_version is too old. Need 3.35+ for DROP COLUMN support."
exit 1
fi
log_success "SQLite version: $sqlite_version"
# Verify rsync is available (needed for incremental copying)
if ! command -v rsync &> /dev/null; then
log_error "rsync command not found. Please install rsync."
exit 1
fi
log_success "rsync available"
# Verify source exists
if [[ ! -d "$SOURCE_DATA" ]]; then
log_error "Source directory not found: $SOURCE_DATA"
exit 1
fi
log_success "Source directory exists"
# Find source database (could be gitea.db or forgejo.db depending on setup)
SOURCE_DB=""
if [[ -f "$SOURCE_DATA/data/gitea.db" ]]; then
SOURCE_DB="$SOURCE_DATA/data/gitea.db"
elif [[ -f "$SOURCE_DATA/gitea.db" ]]; then
SOURCE_DB="$SOURCE_DATA/gitea.db"
else
log_error "Source database not found in $SOURCE_DATA/data/ or $SOURCE_DATA/"
exit 1
fi
log_success "Source database found: $SOURCE_DB"
# Verify source app.ini exists
SOURCE_INI=""
if [[ -f "$SOURCE_DATA/custom/conf/app.ini" ]]; then
SOURCE_INI="$SOURCE_DATA/custom/conf/app.ini"
elif [[ -f "$SOURCE_DATA/conf/app.ini" ]]; then
SOURCE_INI="$SOURCE_DATA/conf/app.ini"
else
log_error "Source app.ini not found in $SOURCE_DATA/custom/conf/ or $SOURCE_DATA/conf/"
exit 1
fi
log_success "Source app.ini found: $SOURCE_INI"
# Check disk space (need 1.2x source size)
source_size=$(du -sb "$SOURCE_DATA" | cut -f1)
required=$((source_size * 12 / 10))
target_parent=$(dirname "$TARGET_DATA")
mkdir -p "$target_parent"
available=$(df --output=avail -B1 "$target_parent" | tail -1)
if [[ "$available" -lt "$required" ]]; then
log_error "Not enough disk space. Need $(numfmt --to=iec $required), have $(numfmt --to=iec $available)"
exit 1
fi
log_success "Disk space OK: need $(numfmt --to=iec $required), have $(numfmt --to=iec $available)"
# Warn if target exists (rsync will sync incrementally)
if [[ -d "$TARGET_DATA" ]]; then
log_warn "Target directory exists: $TARGET_DATA"
log_info "rsync will perform incremental sync (only copying changed files)"
read -p "Continue with incremental sync? (y/N) " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
log_error "Aborted by user"
exit 1
fi
fi
# ============================================
# PHASE 2: Copy All Data
# ============================================
log_info "Phase 2: Copying data..."
mkdir -p "$TARGET_DATA/data"
mkdir -p "$TARGET_DATA/custom/conf"
# Copy database
log_info "Copying database..."
rsync -a --info=progress2 "$SOURCE_DB" "$TARGET_DATA/data/forgejo.db"
log_success "Database copied"
# Copy all data directories (preserve attributes, sync incrementally)
for dir in repositories avatars attachments packages lfs custom queues indexers; do
if [[ -d "$SOURCE_DATA/$dir" ]]; then
log_info "Syncing $dir..."
mkdir -p "$TARGET_DATA/$dir"
rsync -a --delete --info=progress2 "$SOURCE_DATA/$dir/" "$TARGET_DATA/$dir/"
log_success "Synced $dir"
fi
done
# Also check data/ subdirectory structure
for dir in repositories avatars attachments packages lfs; do
if [[ -d "$SOURCE_DATA/data/$dir" ]]; then
log_info "Syncing data/$dir..."
mkdir -p "$TARGET_DATA/data/$dir"
rsync -a --delete --info=progress2 "$SOURCE_DATA/data/$dir/" "$TARGET_DATA/data/$dir/"
log_success "Synced data/$dir"
fi
done
# ============================================
# PHASE 3: Database Schema Rollback
# ============================================
log_info "Phase 3: Rolling back database schema..."
TARGET_DB="$TARGET_DATA/data/forgejo.db"
# Show current schema version
current_version=$(sqlite3 "$TARGET_DB" "SELECT version FROM version WHERE id=1;")
log_info "Current Gitea schema version: $current_version"
log_info "Target version: 304"
# Create rollback SQL script
ROLLBACK_SQL=$(mktemp)
cat > "$ROLLBACK_SQL" << 'ROLLBACK_EOF'
-- ================================================================
-- Gitea 1.25.4 to Forgejo Rollback Script
-- Rolls back migrations 305-322 to allow Forgejo to migrate cleanly
-- ================================================================
-- Enable foreign keys check after we're done
PRAGMA foreign_keys = OFF;
-- ============================================
-- MIGRATION 305: Drop repo_license table
-- ============================================
DROP TABLE IF EXISTS repo_license;
-- ============================================
-- MIGRATION 308 & 317: Drop action table indices
-- (These are the main conflict source)
-- ============================================
DROP INDEX IF EXISTS IDX_action_r_u_d;
DROP INDEX IF EXISTS IDX_action_au_r_c_u_d;
DROP INDEX IF EXISTS IDX_action_c_u_d;
DROP INDEX IF EXISTS IDX_action_c_u;
DROP INDEX IF EXISTS IDX_action_au_c_u;
-- Alternative naming conventions
DROP INDEX IF EXISTS UQE_action_r_u_d;
DROP INDEX IF EXISTS UQE_action_au_r_c_u_d;
DROP INDEX IF EXISTS UQE_action_c_u_d;
DROP INDEX IF EXISTS UQE_action_c_u;
DROP INDEX IF EXISTS UQE_action_au_c_u;
-- ============================================
-- MIGRATION 309: Drop notification table indices
-- ============================================
DROP INDEX IF EXISTS IDX_notification_u_s_uu;
DROP INDEX IF EXISTS IDX_notification_user_id;
DROP INDEX IF EXISTS IDX_notification_repo_id;
DROP INDEX IF EXISTS IDX_notification_status;
DROP INDEX IF EXISTS IDX_notification_source;
DROP INDEX IF EXISTS IDX_notification_issue_id;
DROP INDEX IF EXISTS IDX_notification_commit_id;
DROP INDEX IF EXISTS IDX_notification_updated_by;
DROP INDEX IF EXISTS UQE_notification_u_s_uu;
-- ============================================
-- MIGRATION 313: Drop issue_pin table
-- (pin_order restoration handled separately)
-- ============================================
DROP TABLE IF EXISTS issue_pin;
-- ============================================
-- MIGRATION 306: Drop protected_branch column
-- ============================================
ALTER TABLE protected_branch DROP COLUMN IF EXISTS block_admin_merge_override;
-- ============================================
-- MIGRATION 310: Drop protected_branch column
-- ============================================
ALTER TABLE protected_branch DROP COLUMN IF EXISTS priority;
-- ============================================
-- MIGRATION 311: Drop issue column
-- ============================================
ALTER TABLE issue DROP COLUMN IF EXISTS time_estimate;
-- ============================================
-- MIGRATION 312: Drop pull_auto_merge column
-- ============================================
ALTER TABLE pull_auto_merge DROP COLUMN IF EXISTS delete_branch_after_merge;
-- ============================================
-- MIGRATION 315: Drop action_runner column
-- ============================================
ALTER TABLE action_runner DROP COLUMN IF EXISTS ephemeral;
-- ============================================
-- MIGRATION 316: Drop description columns
-- ============================================
ALTER TABLE secret DROP COLUMN IF EXISTS description;
ALTER TABLE action_variable DROP COLUMN IF EXISTS description;
-- ============================================
-- MIGRATION 318: Drop repo_unit column
-- ============================================
ALTER TABLE repo_unit DROP COLUMN IF EXISTS anonymous_access_mode;
-- ============================================
-- MIGRATION 319: Drop label column
-- ============================================
ALTER TABLE label DROP COLUMN IF EXISTS exclusive_order;
-- ============================================
-- MIGRATION 320: Drop login_source column
-- ============================================
ALTER TABLE login_source DROP COLUMN IF EXISTS two_factor_policy;
-- ============================================
-- SET VERSION TO 304
-- ============================================
UPDATE version SET version = 304 WHERE id = 1;
PRAGMA foreign_keys = ON;
ROLLBACK_EOF
log_info "Executing schema rollback..."
# SQLite doesn't support DROP COLUMN IF EXISTS, so we need to handle errors gracefully
# Execute each ALTER TABLE separately to handle missing columns
sqlite3 "$TARGET_DB" << 'SQL_PART1'
PRAGMA foreign_keys = OFF;
-- Drop tables
DROP TABLE IF EXISTS repo_license;
DROP TABLE IF EXISTS issue_pin;
-- Drop indices (these always work, even if index doesn't exist)
DROP INDEX IF EXISTS IDX_action_r_u_d;
DROP INDEX IF EXISTS IDX_action_au_r_c_u_d;
DROP INDEX IF EXISTS IDX_action_c_u_d;
DROP INDEX IF EXISTS IDX_action_c_u;
DROP INDEX IF EXISTS IDX_action_au_c_u;
DROP INDEX IF EXISTS UQE_action_r_u_d;
DROP INDEX IF EXISTS UQE_action_au_r_c_u_d;
DROP INDEX IF EXISTS UQE_action_c_u_d;
DROP INDEX IF EXISTS UQE_action_c_u;
DROP INDEX IF EXISTS UQE_action_au_c_u;
DROP INDEX IF EXISTS IDX_notification_u_s_uu;
DROP INDEX IF EXISTS IDX_notification_user_id;
DROP INDEX IF EXISTS IDX_notification_repo_id;
DROP INDEX IF EXISTS IDX_notification_status;
DROP INDEX IF EXISTS IDX_notification_source;
DROP INDEX IF EXISTS IDX_notification_issue_id;
DROP INDEX IF EXISTS IDX_notification_commit_id;
DROP INDEX IF EXISTS IDX_notification_updated_by;
DROP INDEX IF EXISTS UQE_notification_u_s_uu;
SQL_PART1
# Function to drop column if it exists
drop_column_if_exists() {
local table="$1"
local column="$2"
local exists
exists=$(sqlite3 "$TARGET_DB" "SELECT COUNT(*) FROM pragma_table_info('$table') WHERE name='$column';")
if [[ "$exists" -gt 0 ]]; then
log_info "Dropping column $table.$column..."
sqlite3 "$TARGET_DB" "ALTER TABLE $table DROP COLUMN $column;"
log_success "Dropped $table.$column"
else
log_info "Column $table.$column does not exist, skipping"
fi
}
# Drop columns added in migrations 306-320
drop_column_if_exists "protected_branch" "block_admin_merge_override"
drop_column_if_exists "protected_branch" "priority"
drop_column_if_exists "issue" "time_estimate"
drop_column_if_exists "pull_auto_merge" "delete_branch_after_merge"
drop_column_if_exists "action_runner" "ephemeral"
drop_column_if_exists "secret" "description"
drop_column_if_exists "action_variable" "description"
drop_column_if_exists "repo_unit" "anonymous_access_mode"
drop_column_if_exists "label" "exclusive_order"
drop_column_if_exists "login_source" "two_factor_policy"
# Check if pin_order column needs to be added back to issue table (migration 313 removed it)
log_info "Checking if pin_order column needs to be restored to issue table..."
has_pin_order=$(sqlite3 "$TARGET_DB" "SELECT COUNT(*) FROM pragma_table_info('issue') WHERE name='pin_order';")
if [[ "$has_pin_order" -eq 0 ]]; then
log_info "Adding pin_order column back to issue table..."
sqlite3 "$TARGET_DB" "ALTER TABLE issue ADD COLUMN pin_order INTEGER DEFAULT 0;"
log_success "Added pin_order column to issue table"
else
log_info "pin_order column already exists in issue table"
fi
# Set version to 304 (allows Forgejo to run migration 305 which converts two_factor.secret from TEXT to BLOB)
sqlite3 "$TARGET_DB" "UPDATE version SET version = 304 WHERE id = 1;"
log_success "Database version set to 304"
rm -f "$ROLLBACK_SQL"
# ============================================
# PHASE 4: Clear Regeneratable Data
# ============================================
log_info "Phase 4: Clearing regeneratable data..."
# Remove indexers (will be rebuilt on first start)
if [[ -d "$TARGET_DATA/indexers" ]]; then
rm -rf "$TARGET_DATA/indexers"
log_success "Removed indexers (will be rebuilt)"
fi
# Remove queues (will be recreated)
if [[ -d "$TARGET_DATA/queues" ]]; then
rm -rf "$TARGET_DATA/queues"
log_success "Removed queues (will be recreated)"
fi
# ============================================
# PHASE 5: Update Configuration
# ============================================
log_info "Phase 5: Updating configuration..."
# Copy app.ini
rsync -a --info=progress2 "$SOURCE_INI" "$TARGET_DATA/custom/conf/app.ini"
log_success "Copied app.ini"
# Update paths from gitea to forgejo
sed -i 's|/var/lib/gitea|/var/lib/forgejo|g' "$TARGET_DATA/custom/conf/app.ini"
log_success "Updated paths in app.ini"
# Check if WAL mode is already configured
if ! grep -q "SQLITE_JOURNAL_MODE" "$TARGET_DATA/custom/conf/app.ini"; then
# Add WAL mode after [database] section
sed -i '/^\[database\]/a SQLITE_JOURNAL_MODE = WAL' "$TARGET_DATA/custom/conf/app.ini"
log_success "Enabled SQLite WAL mode"
else
log_info "SQLite journal mode already configured"
fi
# ============================================
# PHASE 6: Set Permissions
# ============================================
log_info "Phase 6: Setting permissions..."
chown -R "$TARGET_USER:$TARGET_GROUP" "$TARGET_DATA"
chmod 750 "$TARGET_DATA"
chmod 640 "$TARGET_DATA/data/forgejo.db"
log_success "Permissions set for $TARGET_USER:$TARGET_GROUP"
# ============================================
# PHASE 7: Verify Database Integrity
# ============================================
log_info "Phase 7: Verifying database integrity..."
sqlite3 "$TARGET_DB" << 'VERIFY_SQL'
.headers off
.mode list
-- Verify version was set correctly
SELECT 'Version: ' || CASE WHEN version = 304 THEN 'PASS (304)' ELSE 'FAIL (version=' || version || ')' END
FROM version WHERE id = 1;
-- Check critical tables exist
SELECT 'Users: ' || CASE WHEN COUNT(*) > 0 THEN 'PASS (' || COUNT(*) || ' users)' ELSE 'WARN (empty)' END FROM user;
SELECT 'Repositories: ' || CASE WHEN COUNT(*) > 0 THEN 'PASS (' || COUNT(*) || ' repos)' ELSE 'WARN (empty)' END FROM repository;
SELECT 'Secrets: PASS (' || COUNT(*) || ' secrets)' FROM secret;
SELECT 'Runners: PASS (' || COUNT(*) || ' runners)' FROM action_runner;
SELECT 'Variables: PASS (' || COUNT(*) || ' variables)' FROM action_variable;
VERIFY_SQL
# Verify dropped tables are gone
repo_license_exists=$(sqlite3 "$TARGET_DB" "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='repo_license';")
issue_pin_exists=$(sqlite3 "$TARGET_DB" "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='issue_pin';")
if [[ "$repo_license_exists" -eq 0 ]]; then
log_success "repo_license table: DROPPED"
else
log_warn "repo_license table: STILL EXISTS"
fi
if [[ "$issue_pin_exists" -eq 0 ]]; then
log_success "issue_pin table: DROPPED"
else
log_warn "issue_pin table: STILL EXISTS"
fi
# ============================================
# PHASE 8: Print Next Steps
# ============================================
echo ""
echo "========================================"
echo -e "${GREEN}Migration complete!${NC}"
echo "========================================"
echo ""
echo "Data copied to: $TARGET_DATA"
echo "Database schema rolled back to version 304"
echo ""
echo "Next steps:"
echo ""
echo "1. Update NixOS configuration:"
echo " - Create hosts/fw/modules/forgejo.nix based on gitea.nix"
echo " - Change services.gitea to services.forgejo"
echo " - Update bind mount paths in container config"
echo " - Update runner configuration for Forgejo"
echo ""
echo "2. Deploy:"
echo " nixos-rebuild switch"
echo ""
echo "3. Monitor first startup:"
echo " journalctl -u container@git -f"
echo ""
echo "4. Verify functionality:"
echo " [ ] Forgejo starts without errors"
echo " [ ] Login via OpenID (auth.cloonar.com)"
echo " [ ] All repositories visible"
echo " [ ] Can push/pull to repositories"
echo " [ ] CI/CD runners connect"
echo " [ ] Workflow with secrets runs"
echo " [ ] Packages registry accessible"
echo ""
echo -e "${YELLOW}ROLLBACK:${NC} If anything fails, original Gitea data is untouched."
echo "Just revert NixOS config and restart Gitea container."
echo "========================================"

14
utils/modules/victoriametrics/default.nix
View file

@ -1,6 +1,9 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.victoriametrics;
serviceRegex = concatStringsSep "|" cfg.monitoredServices;
configure_prom = builtins.toFile "prometheus.yml" ''
scrape_configs:
# System metrics
@ -27,13 +30,20 @@ let
regex: 'node_systemd_unit_state'
action: keep
- source_labels: [name]
regex: '(container@git|microvm@git-runner-|postfix|dovecot|openldap|wireguard-wg_cloonar).*\.service'
regex: '(${serviceRegex}).*\.service'
action: keep
${concatStringsSep "\n" config.services.victoriametrics.extraScrapeConfigs}
${concatStringsSep "\n" cfg.extraScrapeConfigs}
'';
in {
options.services.victoriametrics = {
monitoredServices = mkOption {
type = types.listOf types.str;
default = [];
description = "List of systemd service name patterns to monitor (without .service suffix)";
example = [ "mysql" "nginx" "phpfpm-.*" ];
};
extraScrapeConfigs = mkOption {
type = types.listOf types.str;
default = [];

6
utils/pkgs/claude-code/default.nix
View file

@ -1,11 +1,11 @@
{ lib, pkgs, runCommand, claude-code }:
let
version = "2.0.55";
version = "2.1.12";
src = pkgs.fetchzip {
url = "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-${version}.tgz";
hash = "sha256-wsjOkNxuBLMYprjaZQyUZHiqWl8UG7cZ1njkyKZpRYg=";
hash = "sha256-JX72YEM2fXY7qKVkuk+UFeef0OhBffljpFBjIECHMXw=";
};
# Create a modified source with our package-lock.json
@ -22,7 +22,7 @@ in
npmDeps = pkgs.fetchNpmDeps {
src = srcWithLock;
hash = "sha256-cFvPoCmh3XpJe/5LPZizfBz6F6xAPYnBNimrK4+VbPw=";
hash = "sha256-iJwtwAYb/+1Une6Tjxek5ccf4ui3tYWy4kNlHES9He4=";
};
# Remove the old postPatch since srcWithLock already includes package-lock.json

8
utils/pkgs/claude-code/package-lock.json generated
View file

@ -5,13 +5,13 @@
"packages": {
"": {
"dependencies": {
"@anthropic-ai/claude-code": "^2.0.55"
"@anthropic-ai/claude-code": "^2.1.12"
}
},
"node_modules/@anthropic-ai/claude-code": {
"version": "2.0.55",
"resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-2.0.55.tgz",
"integrity": "sha512-IVY6J2KgTP5BiCbLmuP3kAl8jbXfd6yGoXtvc0L0eiZwxJUMa+cubUU0U8qHRnVkNmDAis+O4P00KmeuGzSLWg==",
"version": "2.1.12",
"resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-2.1.12.tgz",
"integrity": "sha512-oJlbUJc6iyuTA6X1z+Wsli4cYWqSHT9Ttc/jBXArrrBQcILPLb5lBOKfbVJJgcH3bNLxsXwnAkZjtmmM5SqtsQ==",
"license": "SEE LICENSE IN README.md",
"bin": {
"claude": "cli.js"