diff --git a/.gitignore b/.gitignore index 0b9a70e..bd24e28 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ .null*.nix -.commit diff --git a/.sops.yaml b/.sops.yaml index 04c9755..3f5a435 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -16,27 +16,30 @@ creation_rules: - path_regex: ^[^/]+\.yaml$ key_groups: - age: + - *tuxedo - *dominik - - path_regex: hosts/git.cloonar.com/[^/]+\.yaml$ + - path_regex: computers/git.cloonar.com/[^/]+\.yaml$ key_groups: - age: + - *dominik - *git-server - - path_regex: hosts/web-01.cloonar.com/[^/]+\.yaml$ + - path_regex: computers/web-01.cloonar.com/[^/]+\.yaml$ key_groups: - age: + - *dominik - *web-01-server - - path_regex: hosts/home-assistant.cloonar.com/[^/]+\.yaml$ + - path_regex: computers/home-assistant.cloonar.com/[^/]+\.yaml$ key_groups: - age: - *dominik - *home-assistant-server - - path_regex: hosts/ldap.cloonar.com/[^/]+\.yaml$ + - path_regex: computers/ldap.cloonar.com/[^/]+\.yaml$ key_groups: - age: - *dominik - *ldap-server-arm - *ldap-server-test - - path_regex: utils/modules/lego/[^/]+\.yaml$ + - path_regex: modules/lego/[^/]+\.yaml$ key_groups: - age: - *dominik 
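Review bot: The host rules are rewritten from `hosts/<name>/` to `computers/<name>/`, yet every host file this commit touches still lives under `hosts/` (for example the new `hosts/nb-epicenter/secrets.yaml`), and no rule for `nb-epicenter` is visible in either `.sops.yaml` hunk. Unless a `computers/` tree exists outside this diff, those files match no creation rule, so `sops updatekeys` cannot derive their recipients from this file and the recipient list ends up maintained by hand. The `modules/...` patterns are unanchored and so still match `utils/modules/...`, which looks accidental; anchoring them would make the intended paths explicit. Consider adding `- path_regex: hosts/nb-epicenter/[^/]+\.yaml$` with the intended age recipients. The same rename is repeated in the second `.sops.yaml` hunk.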
@@ -47,33 +50,33 @@ creation_rules: - *ldap-server-test - *testmodules - *netboot - - path_regex: utils/modules/bitwarden/[^/]+\.yaml$ + - path_regex: modules/bitwarden/[^/]+\.yaml$ key_groups: - age: - *dominik - *web-01-server - - path_regex: utils/modules/drone/[^/]+\.yaml$ + - path_regex: modules/drone/[^/]+\.yaml$ key_groups: - age: - *dominik - *git-server - - path_regex: utils/modules/zammad/[^/]+\.yaml$ + - path_regex: modules/zammad/[^/]+\.yaml$ key_groups: - age: - *dominik - *web-01-server - - path_regex: utils/modules/plausible/[^/]+\.yaml$ + - path_regex: modules/plausible/[^/]+\.yaml$ key_groups: - age: - *dominik - *web-01-server - - path_regex: utils/modules/openldap/[^/]+\.yaml$ + - path_regex: modules/openldap/[^/]+\.yaml$ key_groups: - age: - *dominik - *ldap-server-arm - *ldap-server-test - - path_regex: utils/modules/home-assistant/[^/]+\.yaml$ + - path_regex: modules/home-assistant/[^/]+\.yaml$ key_groups: - age: - *dominik diff --git a/README.md b/README.md index 4e3102a..7f106e2 100644 --- a/README.md +++ b/README.md @@ -2,22 +2,22 @@ - install ubuntu 20.04 - get age key from SSH ```console -nix-shell -p ssh-to-age --run 'ssh-keyscan example.com | ssh-to-age' +$ nix-shell -p ssh-to-age --run 'ssh-keyscan example.com | ssh-to-age' ``` - fix secrets files ```console -nix-shell -p sops --run "sops updatekeys -y secrets.yaml" +$ sops': nix-shell -p sops --run "sops updatekeys -y secrets.yaml" ``` - run install command ```console -./install.sh example.com +$ ./install.sh example.com ``` # 2. Web Server specific - change the permissions for /var/www ```console -chown nginx:nginx /var/www -chmod 755 /var/www +$ chown nginx:nginx /var/www +$ chmod 755 /var/www ``` # 3. Net data diff --git a/fleet.nix b/fleet.nix index 377eafa..23ea3ad 100644 --- a/fleet.nix +++ b/fleet.nix 
@@ -17,8 +17,8 @@ users = [ { - username = "git.cloonar.com"; - key = "ssh-rsa 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 root@git"; + username = "nb-epicenter"; + key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"; } ]; in { diff --git a/hosts/git.cloonar.com/configuration.nix b/hosts/git.cloonar.com/configuration.nix deleted file mode 100644 index a7733fd..0000000 --- a/hosts/git.cloonar.com/configuration.nix +++ /dev/null 
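Review bot: The `key` of the new `nb-epicenter` entry is the same RSA public key that `hosts/nb-epicenter/configuration.nix` in this commit authorises for root SSH login, and it no longer carries a comment field naming its owner (the replaced entry ended in `root@git`). If this entry is meant to identify the machine itself, a key dedicated to that host would keep one compromised credential from covering both roles; confirm which is intended. A trailing comment such as `# client key for nb-epicenter, owner: <name>` on the `key` line would make later rotation auditable. The binding that holds `users` begins outside the hunk.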
@@ -1,49 +0,0 @@ -{ config, pkgs, ... }: -{ - imports = [ - ./utils/modules/sops.nix - ./utils/modules/lego/lego.nix - # ./modules/gogs.nix - ./utils/modules/gitea.nix - ./utils/modules/drone/server.nix - ./utils/modules/drone/runner.nix - ./utils/modules/borgbackup.nix - ./utils/modules/netdata.nix - ./utils/modules/tang.nix - - ./fleet.nix - - ./utils/modules/autoupgrade.nix - - ./hardware-configuration.nix - ]; - - nixpkgs.overlays = [ (import ./utils/overlays/packages.nix) ]; - - sops.defaultSopsFile = ./secrets.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - - boot.loader.grub.device = "/dev/sda"; - - networking.hostName = "git"; - - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" - ]; - - environment.systemPackages = with pkgs; [ - bento - vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - ]; - - # backups - borgbackup.repo = "u149513-sub3@u149513-sub3.your-backup.de:borg"; - - networking.firewall = { - enable = true; - allowedTCPPorts = [ 22 80 443 8000 ]; - }; - - system.stateVersion = "23.05"; -} diff --git a/hosts/git.cloonar.com/fleet.nix b/hosts/git.cloonar.com/fleet.nix deleted file mode 120000 index 5b16de1..0000000 --- a/hosts/git.cloonar.com/fleet.nix +++ /dev/null @@ -1 +0,0 @@ -../../fleet.nix \ No newline at end of file diff --git a/hosts/git.cloonar.com/hardware-configuration.nix b/hosts/git.cloonar.com/hardware-configuration.nix deleted file mode 100644 index 0ee9d79..0000000 --- a/hosts/git.cloonar.com/hardware-configuration.nix +++ /dev/null 
@@ -1,30 +0,0 @@ -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/4973f85d-da13-4094-8c71-936c275e24d0"; - fsType = "ext4"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/049162b7-81f0-4f2d-a440-5956a0958337"; } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens18.useDHCP = lib.mkDefault true; - - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/hosts/git.cloonar.com/secrets.yaml b/hosts/git.cloonar.com/secrets.yaml deleted file mode 100644 index 6e8a8b0..0000000 --- a/hosts/git.cloonar.com/secrets.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -borg-passphrase: ENC[AES256_GCM,data:Rlb6pyuZjcR7qYt/O4o5AVjfZixKRWbdiHhR4wiwjLIKpPhgjO2ea2WaMP+XVcy5tDFA3Z30BxBloVIwK9rD6w==,iv:Jm9TIfxI7Tae3KN60VPrnIXvYpOCuquKB0Jf6wmp1oE=,tag:Ca/0FerPFn4+7WWhht1irw==,type:str] -borg-ssh-key: ENC[AES256_GCM,data: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,iv:D+umppfFfO+t0h4Eq4gP+gVd4n1yKxegnELWqsvQVuQ=,tag:018/WLt77v80jG1wZ5RL7g==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WTlsdFVJcjFBL0x5ZHI1 - alMwWVA4YkpTMDE5NmdLVjYvaFkzRnhJVEU0CmJ5U3pSZzZSR3B1ZE1TelZncXJx - KzBNUGszNlVld2ZJNmx0YnpZVnMzbGsKLS0tIEhKbEtFYTRST3BWTEF0d3NnTFVZ - WHlMYjlEUGZQR1pYUTFEWnNVcCtLYzAKc3Mp4M3DMys3XYomui+RVrdbTgs6lTQz - +e4NJH9/9fL73HfaoiMMiZZSrXObboh8Wl+iwpfZ6b6rWatBTLAn3A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-12T17:45:33Z" - mac: ENC[AES256_GCM,data:grOUX0hyU+F717M6Y86jnHKEInjRlwDB96G6IxB0E45hNy9kT2nYfDwnevu+swhgYb0GYTqJvLbmvhNPFXtL9x3Uc8aecW96a043YhQPUvUSa0dluCYGTInL6tsiuzAqpS2UgLRdF15lx8otvnCs2Gi+77SS8U7MoaIeKaFKN5s=,iv:MYpxbmM23soEd3t5uieLuMt6hpjiRmAn1sRPeHt50/0=,tag:9GFBtyAt3DxMMJunQlLHvg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/hosts/git.cloonar.com/utils b/hosts/git.cloonar.com/utils deleted file mode 120000 index 6b18391..0000000 --- a/hosts/git.cloonar.com/utils +++ /dev/null @@ -1 +0,0 @@ -../../utils \ No newline at end of file diff --git a/hosts/nb-epicenter/configuration.nix b/hosts/nb-epicenter/configuration.nix new file mode 100644 index 0000000..4a8e0e3 --- /dev/null +++ b/hosts/nb-epicenter/configuration.nix 
@@ -0,0 +1,207 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: +{ + nixpkgs.config.allowUnfree = true; + + imports = + [ # Include the results of the hardware scan. + # ./utils/modules/clevis.nix + + ./utils/modules/sops.nix + ./utils/modules/nur.nix + ./utils/modules/sway/sway.nix + # ./modules/gnome.nix + ./utils/modules/nvim/default.nix + ./utils/modules/autoupgrade.nix + + # ./pkgs/howdy/howdy-module.nix + # ./pkgs/howdy/ir-toggle-module.nix + + # ./modules/howdy + + ./hardware-configuration.nix + ./utils/bento.nix + ]; + + nixpkgs.overlays = [ (import ./utils/overlays/packages.nix) ]; + + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" + ]; + + # security.sudo.wheelNeedsPassword = false; + # services.clevis.uuid = "7435d48f-f942-485b-9817-328ad3fc0b93"; + + # nixos cross building qemu + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + boot.supportedFilesystems = [ "ntfs" ]; + # boot.plymouth.enable = true; + # boot.plymouth.theme = "breeze"; + # boot.kernelParams = ["quiet"]; + # boot.loader.systemd-boot.netbootxyz.enable = true; + # boot.plymouth.themePackages = [ pkgs.nixos-bgrt-plymouth ]; + # boot.plymouth.theme = "nixos-bgrt"; + # allow hibernation + security.protectKernelImage = false; + + nixpkgs.config.permittedInsecurePackages = [ + "openssl-1.1.1u" + "electron-13.6.9" + "nodejs-14.21.3" + ]; + + sops.defaultSopsFile = ./secrets.yaml; + 
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + sops.age.generateKey = true; + + sops.secrets.epicenter_vpn_ca = {}; + sops.secrets.epicenter_vpn_cert = {}; + sops.secrets.epicenter_vpn_key = {}; + sops.secrets.wg_private_key = {}; + sops.secrets.wg_preshared_key = {}; + sops.secrets.wg-cloonar-key = {}; + + virtualisation.docker.enable = true; + virtualisation.virtualbox.host = { + enable = true; + enableExtensionPack = true; + }; + + networking.hostName = "ew-nb-01"; # Define your hostname. + networking.resolvconf.enable = true; + networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking.extraHosts = '' + 10.25.0.25 archive.zeichnemit.at epicenter.works en.epicenter.works + 10.25.0.100 download.intra.epicenter.works + 127.0.0.1 wohnservice.local mieterhilfe.local wohnpartner.local wohnberatung.local wienbautvor.local wienwohntbesser.local + 127.0.0.1 wohnservice-wien.local mieterhilfe.local wohnpartner-wien.local wohnberatung-wien.local wienbautvor.local wienwohntbesser.local + 127.0.0.1 diabetes.local + ''; + + # Set your time zone. + time.timeZone = "Europe/Vienna"; + console.keyMap = "de"; + + users.users.dominik = { + isNormalUser = true; + extraGroups = [ "wheel" "disk" "video" "audio" "mysql" "docker" "vboxusers" "networkmanager" "onepassword" "onepassword-cli" "dialout" ]; # Enable ‘sudo’ for the user. + }; + + environment.systemPackages = with pkgs; [ + bento + vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. 
+ wget + docker-compose + drone-cli + wireguard-tools + libftdi1 + ]; + + environment.variables = { + TERMINAL_COMMAND = "foot"; + }; + + services.blueman.enable = true; + + services.printing.enable = true; + services.printing.drivers = [ pkgs.brlaser ]; + + services.mysql = { + enable = true; + package = pkgs.mariadb; + ensureUsers = [ + { + name = "dominik"; + ensurePermissions = { + "*.*" = "ALL PRIVILEGES"; + }; + } + ]; + }; + + system.stateVersion = "22.11"; # Did you read the comment? + + security.polkit.enable = true; + systemd = { + user.services.polkit-gnome-authentication-agent-1 = { + description = "polkit-gnome-authentication-agent-1"; + wantedBy = [ "graphical-session.target" ]; + wants = [ "graphical-session.target" ]; + after = [ "graphical-session.target" ]; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1"; + Restart = "on-failure"; + RestartSec = 1; + TimeoutStopSec = 10; + }; + }; + }; + + + # networking.firewall = { + # allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport + # # if packets are still dropped, they will show up in dmesg + # logReversePathDrops = true; + # # wireguard trips rpfilter up + # extraCommands = '' + # ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN + # ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN + # ''; + # extraStopCommands = '' + # ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true + # ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true + # ''; + # }; + # networking.wireguard.interfaces = { + # wg0 = { + # # Determines the IP address and subnet of the client's end of the tunnel interface. + # ips = [ "10.42.98.201/32" ]; + # listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) + # + # # Path to the private key file. 
+ # # + # # Note: The private key can also be included inline via the privateKey option, + # # but this makes the private key world-readable; thus, using privateKeyFile is + # # recommended. + # privateKeyFile = config.sops.secrets.wg-cloonar-key.path; + # + # peers = [ + # { + # publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q="; + # allowedIPs = [ "0.0.0.0/0" ]; + # endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 + # persistentKeepalive = 25; + # } + # ]; + # }; + # }; + + # Facial recognition "Windows hello" + # services.ir-toggle.enable = true; + # services.howdy = { + # enable = true; + # device = "/dev/video2"; + # }; + nix = { + settings.auto-optimise-store = true; + # autoOptimiseStore = true; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; + # Free up to 1GiB whenever there is less than 100MiB left. + extraOptions = '' + min-free = ${toString (100 * 1024 * 1024)} + max-free = ${toString (1024 * 1024 * 1024)} + ''; + }; + + +} + diff --git a/hosts/nb-epicenter/hardware-configuration.nix b/hosts/nb-epicenter/hardware-configuration.nix new file mode 100644 index 0000000..e5cd502 --- /dev/null +++ b/hosts/nb-epicenter/hardware-configuration.nix 
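Review bot: `services.openssh.enable = true;` is set on a laptop that roams between networks (NetworkManager is enabled) without turning off password logins, so unless one of the imported modules does it, `dominik`, a `wheel` member, is exposed to password guessing wherever sshd is reachable. A root key is already listed, so add `services.openssh.settings.PasswordAuthentication = false;` (on releases before 23.05 the option is `services.openssh.passwordAuthentication`). Membership in `docker` and `disk` is root-equivalent in practice, which raises the value of that account; a short comment beside `extraGroups` saying why each group is needed would help. `nixpkgs.config.permittedInsecurePackages` likewise deserves a comment naming which application needs each end-of-life package, so the entries can be removed later.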
@@ -0,0 +1,63 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" "amdgpu" ]; + boot.kernelParams = [ "psmouse.synaptics_intertouch=0" ]; + boot.extraModulePackages = [ ]; +# Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + # Setup keyfile + boot.initrd.secrets = { + "/crypto_keyfile.bin" = null; + }; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/7c6a872a-457c-40db-9426-d9137aea48a1"; + fsType = "ext4"; + }; + + boot.initrd.luks.devices."luks-4a2ed977-1753-469b-b0d4-6d75996f21fc".device = "/dev/disk/by-uuid/4a2ed977-1753-469b-b0d4-6d75996f21fc"; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/F4F2-7864"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + hardware.opengl.driSupport = true; + # For 32 bit applications + hardware.opengl.driSupport32Bit = true; + + hardware.opengl.extraPackages = with pkgs; [ + amdvlk + ]; + # For 32 bit applications + # Only available on unstable + hardware.opengl.extraPackages32 = with pkgs; [ + driversi686Linux.amdvlk + ]; +} diff --git a/hosts/nb-epicenter/secrets.yaml b/hosts/nb-epicenter/secrets.yaml new file mode 100644 index 0000000..c7fb4ee --- /dev/null +++ b/hosts/nb-epicenter/secrets.yaml 
@@ -0,0 +1,35 @@ +epicenter_vpn_ca: ENC[AES256_GCM,data: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,iv:0GfL3sG36nsg/4BPw32kKMB78TmbN+mLq/mqEFp0yas=,tag:x+kxJsS+Fn7VO3MlOmqgwQ==,type:str] +epicenter_vpn_cert: ENC[AES256_GCM,data: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,iv:MVId1jgmyhY/iUxnjca5IpYwlzUAsa6Nwchg52AKgRc=,tag:1RASj3dFAYVNphJ4zjXxtA==,type:str] +epicenter_vpn_key: ENC[AES256_GCM,data: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,iv:pB/cNgmHi14ugi6kd+J6poWXX79LMHiiakNa03ibZ0Q=,tag:nLfjOesXDm5/QtwHznJROw==,type:str] +wg_private_key: ENC[AES256_GCM,data:A80vGf9aMxowC2xME4FIVTmKpSRLNB2tWiUQeP1v8vCRk6Gt8BKYOuXYt04=,iv:vr7qvfr78syrI5pIytjLouPwZcw4xvBTvEUzzv7ibnQ=,tag:qjALlFkd8JocLJqMKFERaw==,type:str] +wg_preshared_key: ENC[AES256_GCM,data:bhXoD95ahDRawoHd5Z35FY0G6Xv0PHwWJf300fHQ5jNsGN1TQKHsIswx8YI=,iv:fBsIWkVZUt8pahuO9daaRBIEEIWsSnFW5Velj9uP2ZY=,tag:RvbCYhnRv0OrjTxjsNFW6g==,type:str] +wg-cloonar-key: ENC[AES256_GCM,data:ZMEeIZApOD0ij3nPMZeQRwJ4MwVx0sHu08F+m/u6IMHBGid5YwMgxZ7qbLk=,iv:OfIZ9TqBLjToIQi7zRUBATrynBtu0bzXeGVI/EAUPhQ=,tag:mJICT/ak5U76JE/IxJsCKw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17c4swm58zt07axl5u6kkxrwtr5haqkvu4ye4t98qdph98qdclgtq2cyzkq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5YU9aUnQ0UGFpQXd1K2Iv + L2N6SGxHdUFyYWJ1VXJaYVhSWXc4cWxCR2swCjAveDVHOTlZUFFTTmpsWVZBL2pK + WC9RQXBzSnhCRER6YUxOYUhsYlVkdXMKLS0tIDBQbEd5cEZaL0hPYnRuTko0K0xj + eG5OS3VxejJ5TlRzZ3J5bEpOYUdYVkEKa2vD9530ZmtJF4WpR5RG7pE28ItBbGl5 + p1+5ywz1j2VPLNLEPMJ5b2T+XlqsG5k7gagGVQkkCcwEUEF+PH7MwQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRFVuLyt2YnFMWktPRzd2 + V1prSDlhVGtJQlVPdjNZWitib3RGLy93UndjCjZzSnlHd2V0MUZJU2laaDM0QWNw + S25sQ0pGSzhic1V3ZHVnaVZGUzZ1Q2sKLS0tIHVtNjFLSGtIbGdmKzlDVTlhYXRO + 
QTVtNWg4NnV2d0l5ZXpnblFlQXpVRXMKL6ra16PdbJiw0vqo4wA/AwN48rGSDcWD + B9xb/vORVGhGbbQvZmqMHcegkYSydprGPI/Xc2JcKyOUy4oimvrgQw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-11-30T08:33:24Z" + mac: ENC[AES256_GCM,data:/vJdDVpv+iM66wANeLLl+CPtg2j1OCyKlGHhsQQT/RphUj4IlIsjKj+j59lmM6bRBfebTTRt1scFgz8CCPoyfSH0KrAyPLPs1SPxZT6Le87PkmO2rfH0MpNCrBDUdtpMgKs+kbxSzbqnh6X3+juXnOL3oUB3K0cdF6hAr4cP5xU=,iv:3IxaC/8y8FwKxO3mPP7f/byjYih3O6zZU6HJK2cAPvw=,tag:g8crhgnYs670wLPcC3HIhw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/hosts/nb-epicenter/utils b/hosts/nb-epicenter/utils new file mode 120000 index 0000000..7d6b64a --- /dev/null +++ b/hosts/nb-epicenter/utils @@ -0,0 +1 @@ +../../utils/ \ No newline at end of file diff --git a/utils/modules/drone-runner.nix b/utils/modules/drone-runner.nix new file mode 100644 index 0000000..04ba91a --- /dev/null +++ b/utils/modules/drone-runner.nix @@ -0,0 +1,34 @@ +{ pkgs, ... }: + +{ + virtualisation.docker.enable = true; + + systemd.services.drone-runner = { + description = "Drone Server (CI CD Service)"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.docker ]; + + serviceConfig = { + # Type = "simple"; + Name = "drone-runner"; + User = "drone-server"; + Group = "drone-server"; + Restart = "always"; + ExecStartPre= '' + -${pkgs.docker}/bin/docker stop %n \ + -${pkgs.docker}/bin/docker rm %n \ + ${pkgs.docker}/bin/docker pull drone/drone:1 + ''; + ExecStart= '' + ${pkgs.docker}/bin/docker run --rm --name %n \ + --volume=/var/run/docker.sock:/var/run/docker.sock \ + --env=DRONE_RPC_PROTO=https \ + --env=DRONE_RPC_HOST=drone.cloonar.com \ + --env=DRONE_RPC_SECRET=super-duper-secret \ + --env=DRONE_RUNNER_CAPACITY=2 \ + drone/drone-runner-docker:1 + ''; + }; + }; +} diff --git a/utils/modules/drone-server.nix b/utils/modules/drone-server.nix new file mode 100644 index 0000000..9be2448 --- /dev/null +++ b/utils/modules/drone-server.nix 
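Review bot: `--env=DRONE_RPC_SECRET=super-duper-secret` in `utils/modules/drone-runner.nix` puts the runner's shared secret in the repository and in the world-readable Nix store, and exposes it on the `docker run` command line; `utils/modules/drone-server.nix` in this commit hard-codes the same value. The repository already uses sops-nix, so load it from an encrypted secret: `EnvironmentFile = config.sops.secrets.<drone-rpc-secret>.path;` in `serviceConfig` and a bare `--env=DRONE_RPC_SECRET` in `ExecStart` (the module would need `config` in its argument set; `<drone-rpc-secret>` is a placeholder name). If the committed value was ever used on a live server, it should be rotated. Separately, the trailing backslashes in `ExecStartPre` appear to join the three docker commands into a single command line, and the image pulled there (`drone/drone:1`) is not the one `ExecStart` runs (`drone/drone-runner-docker:1`).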
@@ -0,0 +1,57 @@ +{ config, pkgs, ... }: + +{ + virtualisation.docker.enable = true; + + users.users.drone-server = { + isSystemUser = true; + group = "drone-server"; + home = "/var/lib/drone-server"; + createHome = true; + }; + users.groups.drone-server = { }; + users.groups.docker.members = [ "drone-server" ]; + + systemd.services.drone-server = { + description = "Drone Server (CI CD Service)"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.docker ]; + + serviceConfig = { + # Type = "simple"; + Name = "drone-server"; + User = "drone-server"; + Group = "drone-server"; + Restart = "always"; + ExecStartPre= '' + -${pkgs.docker}/bin/docker stop %n \ + -${pkgs.docker}/bin/docker rm %n \ + ${pkgs.docker}/bin/docker pull drone/drone:1 + ''; + ExecStart= '' + ${pkgs.docker}/bin/docker run --rm --name %n \ + --env=DRONE_AGENTS_ENABLED=true \ + --env=DRONE_GOGS_SERVER=https://git.cloonar.com \ + --env=DRONE_GIT_ALWAYS_AUTH=true \ + --env=DRONE_RPC_SECRET=super-duper-secret \ + --env=DRONE_SERVER_HOST=drone.cloonar.com \ + --env=DRONE_SERVER_PROTO=https \ + --env=DRONE_USER_CREATE=username:dominik.polakovics,admin:true \ + -v /var/lib/drone-server:/data \ + --publish=8080:80 \ + drone/drone:2 + ''; + }; + }; + + services.nginx.enable = true; + services.nginx.virtualHosts."drone.cloonar.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + locations."/" = { + proxyPass = "http://localhost:8080"; + }; + }; +} diff --git a/utils/modules/lego/secrets.yaml b/utils/modules/lego/secrets.yaml index 4b4078b..2f9fa60 100644 --- a/utils/modules/lego/secrets.yaml +++ b/utils/modules/lego/secrets.yaml 
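Review bot: `--publish=8080:80` publishes the Drone container on every interface, so the plain-HTTP port is reachable alongside the TLS virtual host that nginx provides; Docker's own NAT rules usually take effect ahead of the host firewall. Bind it to loopback, which is all that `proxyPass = "http://localhost:8080"` needs: `--publish=127.0.0.1:8080:80 \`. `ExecStartPre` pulls `drone/drone:1` while `ExecStart` runs `drone/drone:2`, so the pre-step never refreshes the image that is actually started. `DRONE_USER_CREATE` grants admin to a fixed username; a comment stating that this account must already exist on the Git server before first start would document the assumption.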
@@ -8,74 +8,74 @@ sops: - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMa25OMldLMUc0ZytiTFBF - MUhORDRON3NreEJoczdMUzMyNnNBYnc2YjA0CmZDWUJ4YzR5NzNhL1pQcUFIWW45 - LzU1cHM2RGQ4YXVKb2tyYVRrSWRQdm8KLS0tIGJ3Z0ZLUkp5d014NTNGS0lIaVdC - WVZjSHNmZGFXVkdmODdvVS9sU2Jpa1EKxSatL9wJrjYCYNKUS8MFTWjJJSTcw8YV - ngJQYegskmVzGxt+CnUcgTmyQpJq6Y89pnxZQWJV8zZws1BQR5IlCg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocUx0b1VtSlF4SVpvMXpr + NjZSSHdkaDVoeDRCTC9LRFI1bkJRQTMyUFdJCjJvN2NyY1JLMkVtUTF2eGN3Lzh5 + R3M4NUk2WUpFMTM4MHQxM2k0dkdxUWcKLS0tIFkrMUVSaHVCaEYydERacFBtQVVt + dXFENTFldVFWN3RQWTBKZHVtc0tza1kKeKGChclZahfDACUJxPsTn+4XomqifXP4 + VH+BxqmwkhgryRDoRrVy+vQnyK95WaDo3S/UIR2zgUR+cezt1DzR2A== -----END AGE ENCRYPTED FILE----- - recipient: age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdFprbFhLem11VjRaV21G - V0JjUmltcWFVWVdZSG9rWTFxVlJMUkUyaFNvCkNhZHcrT0ZVaWFRMGgrQmRnak55 - RjVNM1l3NVp1TTQ0STBXKzZ5YWJ6K2cKLS0tIFlmaS9qTmxWeUxnbnMyUjNrcktS - NnBYRzFkZThIc28zaWpyTFNaQVFPRE0KfhwBlHvsWBQ2FOqvQ7p8ZGdVfd/qWQvy - 1GAR1bdzqwdXLECWd1XJdYarjvaSNr6iBJHEfGCgi+NR15MfR5JwPw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnckpCQVZaOE9NT084d0Zk + TUtXN3EvcFZoOCs1aFloK2RSTVFyT2RWUzBVCjdCQzNGaWpqejhNdUtnZTl6RHpY + b2dvMjZIV2ZGYkwyNVpxaHRPUmt3bmsKLS0tIHJReVpvTzBqYS9PVThmRzZzZUtI + WjZmMXIxOWFScGlNSFdwbXdQcXB3d1UKHAkThsJ2unza8Yz/l0umryT8li74LKre + dQuP41RQOQBHisUUZhWeYkM+wJzayXr426IK19zAHPuNeutqcewYcA== -----END AGE ENCRYPTED FILE----- - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QjZXUExlYmlCTHdLSmVC - d3M5NzJ4TktWb1BMc2h5WnJkaHhYSHhQY2tNCnJXUXp3WEdqL0VhSmQvZTUyOFZk - N0dyOE5NYWpYZEUvOHRJY1hlNTYrYWsKLS0tIEt1WkxzNFVsdDMwUzVRNWhqbjRz - 
SDZsTWJzMnRGVnQ0V0dhOGxaSWVqM2sK7LCVJp1pIp5j8ZoSRVw9dXI8rSHQdxMh - lN5uRziTv3Bqs5ECPTzCvN0mbfQ0xfgaBQbAZ+KT4ZZkfhsZTzWQ/g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaSGhiSkFKbHpGcjljZ3Uw + ZWZ5MS82Wk9YRnZlQVk2V2laMzRkK3dBdWg4CjJ5Wkd0bnNXbVpMYVUxSVR1Nnpn + dkFnbTV4eTYwWmdzWU9PZlozNytBWk0KLS0tIGVTL1RFbzBBM25nbFVtOEVQMmVm + bmQvemhIeU8wTGswTEN2ZjA2RjdaTW8KlorFf+agQuSwbN3Fkr5bUC2Ca6Sz8hHy + Faq+uNlMWHCrvE1DBP34D41LxCLDaDMYIJyUG7A4MZE2WUrJZ9c0vQ== -----END AGE ENCRYPTED FILE----- - recipient: age1ezq2j34qngky22enhnslx6hzh4ekwk8dtmn6c9us0uqxqpn7hgpsspjz58 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MWVGaDBtazAzZzQwTDhn - TStpYjlROUVOd2RKRlZlQ2ZpcTYvNFNtRHlrCkt1eHpaR2tMMVhZSjYwQlFlRmZC - a2xYdEUrOE5wazg5Qm1hbFM4bWE3Y2cKLS0tIDVoOVd0ajFwTS90U1NGdVZDS2xV - anUrNHVKZnVIbE1DYXVDeTUvU2J0b00KOr649SlYRBTSToUA3bSU3X0QyGQB7T9r - inmOmTW7JtOifvWqVPwV/v8hMJf1HACsEkqd1wKIySYm0yZ2rJCViw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnT2VQd2VKeTFsQ3BPbXNq + cWRTREx0UE54RmNDSlBwK082azRZalQ0aUhVCk1HV0Y3RnFYbS83NXcvY3IwSGVG + ZElxcm1ETlFvVkhjR3RVNnNJQmR2dzAKLS0tIGpoYytWL25nQkFSMm5hQ29yYUd3 + UEp1cndyMG9Ba0RnT3NRdHAzRzBjdDAKIHXX0rnPkEz6Smw3sH8RgDdS92yOoFxz + 6uFUrqbxAW1+6EpgSPCi4GioAZyFayHdeuXQ5J9vApCDhHdsd6jMzw== -----END AGE ENCRYPTED FILE----- - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTHl5cHdIUTJGUFNOZFFK - RHVnR1RMeVZBSlFhNXhXb09obDVaaWM2TVVjCjQwUDc1dXkrNy9iaHBIVUJKNmp3 - c0ZZWC9wcUpSa3hrbVE4Qy9tMDRPUVUKLS0tIExmU1padnQ1cjdoNXVrQUlqK2VR - eDlxVXFkVzFNckxJL3VibUl4STNOeFkK6hkVHf3Tmxqy1VR+HaL9xOaBR9csWRHT - 0/K1HyqIekOh7igqCf8DTZToEIywxosavpr+vHMXBtXcOt08BHwSTg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRVEyK3M2aXdwV3RTMGJy + NlBUaWFKemJDRHB3ck5xVG1BWW1CUjc1OEdZCnUzSktiUkRmcTNwOWZXTFhnUCtD + bHFCZ1ZhKytGc1hoOVQ0SFFyUkpmOHMKLS0tIGNWV3Vrd2J2TTYrUUhaSW0yak5W + 
UTRGd0FaZUk1RVFqS3NXWHZ6SFQ4MTAKsIWMYxczPfDg7G/H5Rcm7sD/2zPXWJfl + c2PiNSeZAfuCqAU/a9/2rz0kk3LdAW7d+foBOPeMkWnKs2pFJxNMXw== -----END AGE ENCRYPTED FILE----- - recipient: age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdG5LZHdsUG5OR0NVV0lY - MGc3NVZ5R3JWbEZKWi9XclA2RnpJVUl2cFdZCi9xSmR0SUdkV1doYjZSdVA3d1Zx - NHA3ZjJxNnQ5eCtITzEvcFkyaVNVbmsKLS0tIHRNTzh2YVQwMDc4MWJXbm5WTnRz - SkxOUHZTNEVJaGpXMXloL2R4Y3QwQW8K3QNXkFv5z3SnoDVAIkaA7Tw6xyKQH1CW - IAjHKsPytmnuiedyjpu9JFCJuH4ug7+qWpxtfqDI95jNN+3tatOKMA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUTZKRGdzSHgybnB6ZExx + UVRCNTROS3QyOFBYSFc5blFEQythTndRSHhrCjJxcTNqejUxQWxRZzhhZVhNcjlR + MFY4LzdicGUwMm13R1k2ZUdDc0VrY2MKLS0tIFVyNGlJU3NyQnkzZEg4SEM1T1NZ + RHNUd053UUJyMnprbi9DR0JnSEQ5YjQKeXRdvnQRtkLs6yqVKlul4wp4PXQTpktZ + cUUWEaajUmXoEeHjFkfNqtsJkVG6ixnzs9tu/GeOCbTCZ9eFokUg2g== -----END AGE ENCRYPTED FILE----- - recipient: age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UC9Pakh2NmFPb3FzTTRO - V2lPNjNPYzFEZ1Q0d3F4RHd4RER3L3RSS2lnClNiQ3g2NUJxM0hITUlnVHhQdTJ3 - NGp5b20xUUlNcTNjTHVHbTRwSHhrUFkKLS0tIGVqVnkxR0dBdVk5aDJubUVISG1O - d0RHdm9nN3NPSkFhYWJiNEhWOXc4bFUK1VI77uEymXLZ64wdlG6GsaPcMwcvVBCE - iuWfqCAIHEH7Xw4O2GDRiS5tBVVFbcSaExqodyXE9iNSKlEaKb8Jug== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNHJFa0ltM0JiQ1hOa0pQ + K3FndzhxaTBwZWgzNWg4RXBQdDV0WlZNZ1g4CkVhUlA2d0JjanorSlpyYVBUaEli + Mnl2VmJTNG9DcnZsSXZpUFZXTDZQRVUKLS0tIEtDZ2J3L0RtV1BybEJDZ0k2bGZV + YWY5QjlZZ1J2OEw2U0luZHNWQVFmRjQKZ9A54c5AXSm2aNasBinaWPDIo/xDXFqZ + 7+ZTJ82QiWBXpaLIpmPim3e9JHVzZ8NKdN0Y7imsYdR2gXRsxyv1SQ== -----END AGE ENCRYPTED FILE----- - recipient: age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eGFjalNOUDhUYjQwSStW - 
MFljZmhDS2hzV3J3Nk9RSWVPN1NocHdDdTMwCmRtdEVtQTc5K1kveUxLOFEwQkw1 - VXFVbXpwaXgwTnRBclloNmZmMStCMzQKLS0tIGlDYkhNVUVITzJHWjlocC9OM2I3 - UkVOTnljenJZOVI1dGVJREwzN0g0SWcKwgUkz38fbZ/BOKtttEIKVhQtqcccegM5 - 99tarUUdVj9nw4PFD7YHbT68fiUbxSzFi3KVyKDuVBw+2GPVVhrtVA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1K1RSTVZOYmFxalFxc1g1 + OHpaUXNLOHF2WnQ1VUxLUENwclJoQXl2b20wCnJnOUs0cXlMTDRXdktJZ2x6bjNJ + UWJjYkZwR2ZKNnpsaVN0bzBWODZNL3MKLS0tIEUraytIc1d6dVVqa0VaSWJpcWRn + UWswVG5PaTdDZHlybGxpZ2tKb1liOWsKOuMm2+kofwGqC95KhfEecjwzjNCHPRRk + /61zp39+U6PeqP0gTbcy959aSDhfucrZKhBKP2VsTgP0BLDfZR2K4Q== -----END AGE ENCRYPTED FILE----- lastmodified: "2022-11-09T07:12:13Z" mac: ENC[AES256_GCM,data:gqsD5gTtE5ZqWzWKAAIscecvIsGSC9j4Cnbik6Yk7Jf7Z5/NIxbkInzDsLmlU3ObbLZAhGAlOAKIrUVy37rCcEZ+I04ICXK1dmUdsVud6E4SvTdDjh9qlXTbEkcDCY2YqXlTuQl6IZyveaPuF6fRe1FMh8JEpDv/foZTl8+AuQQ=,iv:+nV6YW9m1B0qo7xbB1lw9dgiQ877GQ6OxMqjk7lei10=,tag:NmeSwBWRKpqlwZxYYC7trg==,type:str] diff --git a/utils/modules/openldap/secrets.yaml b/utils/modules/openldap/secrets.yaml index cb93cf3..c6432b7 100644 --- a/utils/modules/openldap/secrets.yaml +++ b/utils/modules/openldap/secrets.yaml 
@@ -9,29 +9,29 @@ sops: - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpVTJycytvY2tkKytBaHgw - TXp2bzFqcFM0UXhzRXJjQyt4aml5RnlZdzBZCm1tU29VMlBrUEdYZ2g1ay85NWJp - dkVMbVYxcXlDd0hjNGZ0Uk4xY254SW8KLS0tIDM4Vzd2VkF5dmc3ZFZwT3pLMTVj - YmtnR2p3NXFwR0J1S09jY01HZnF6N1kKEpkBQeQ9ksOa4XBo17MS1/EOcW8svd1r - Uhx0/SItWM2IR2BLAra4g+2YZ222xX/Gqi9m10ZNS7lO6pPhB3EVSA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpcnBXWk1JaE9McXlzMUk3 + bXZHRXRQbDdsK25MNTY1MHA0UWhCcWJRdlVVCmlzcDE0L1ZOQzB6MVBPYUdncUZr + M0FGSkdxaFpiY2NUTlRBSUZZdUJmRzgKLS0tIGs3UlNwUDJYVTFHTXcvZkJCS0w5 + cGJic1JZTHE2NnkxN2JuYXY0TmZUWjAKN6orRU5LnJbl84HtKy0MBNA/PiuEmuhO + JL/tpFX+LiOScFHrvb40Ka6YvnyER+rufZXi1xknBzW1uyDt+lSyQw== -----END AGE ENCRYPTED FILE----- - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVmhqT016WFBlZDltNmJx - ckZOR25MSWZkQmlMMGpxc3c5YWdJWTExdlUwCkowVG1xeXNiQmRoeTdudm03NXlw - bTQrVHBzZ2JxSWFpQ29TZTFzSWZwelkKLS0tIFV4d20wT2dKRjhLYy81YlBMSWgy - RnRYTnpIeFRXQ0ZVUkRhVTZmc2VQUVUKbphgbiHXjV/t80UWIOOK+aDP2cM3i5al - oqyDwh9bhhUIJ/aZsv/ICwcWCun56eQ4zPNp9P+toqAbf9n8FJoylw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1RWNUenVwS2xISmRQK3RN + ZEc5TGF2MGNocnZWNkhHQ1lGOU1adlFCZlJ3CmdOWC8vQVd4aEdLVTJtNTZCM1R5 + VndOM3RJRy9laW1pa1k0TUt5UTEyVmsKLS0tIFB5aDNZQXlTRlYvUkJaOXI3NVky + VHFINVFjVVVsTXViTDV0QmFBWTRsbVkKJCjMI1GImwSKpgTDVwF5xAdnbUqBkxUO + vYFySQg5p12lZ7RtMbxdql24a52J9Jm/2dMMKKph339vw/rcW7YRXQ== -----END AGE ENCRYPTED FILE----- - recipient: age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2UWJZVmFEckJ6RHZXRnBU - N3lvZDBUaHN4VTVsK0kvZ2tKdHRsVndXVW44CnVUM3Blc05EVE0wSWQwU0luUEtG - a2k3OG8zR0dTQmVpYVk1a3l5cXB1YXMKLS0tIDJDYzhRY3R2RWpSZHBTMzgwSVZN - 
OTZ6ZnRDSG5JcXc5dWVwOGlqWlV6VnMKlzFF4MYIki9p9h1Um55ugMwsFJIleQ7w - hXohGDgWuDKA6CtR6lEUQ8y0AjPcWIp3VW0H2tCSpBSTEKaQK/FzhQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdXJGOFgzZFhFWXEvZkNB + OWI3MDQxVGZ5dGpXM245ZUlHZHJhRnR0UWl3CnNKeGhLNVdYVWdoWWFBaC90ZUhj + Mjc4MDQxa0ZaMnVaSndWRDFrTjVpZmMKLS0tIG9rZGJJb0J6SE1lSjdWSHc0V2FH + dGJqSzB5NE5ESzE1L0ZxTDBORnpvRUUKtKejHfzBGnrOJzPStRUcjD/cRq3BqsdP + PtSh9ujx/aazn1O86wMYuIgb1WfWL3ZyTtoPCukGKth9KT1JweU1eA== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-01-22T20:44:32Z" mac: ENC[AES256_GCM,data:nKR47o4Evt4TPyndEwZlnP/ctGaaz6wwn0k+JnDCL3FW1TO64spNL7xDcoxWwPuRLrgjgtazsm4Tevplzc3J/N4dhnPAdiPtZOQd3tKibIJKDkxG+6upGvzMMrXXInzoGVqwFMrZmdIqlpLAgqX/1VwY4Tnrf0IfiwJ8wWmSZe8=,iv:FUL/gcDZBZrclYupzstSFG86NOnEOvvgr8ou7wVQ3AY=,tag:KPXm0HHwc8v64dnqGqlFUQ==,type:str]