luks migration, home migration fixes

Reviewed-on: #225

.github/instructions/sops-secrets-readonly.instructions.md

@@ -0,0 +1,32 @@
+---
+description: "Use when working with SOPS secrets files (secrets.yaml). Never modify secrets.yaml files directly — always prompt the user to make changes using sops edit."
+applyTo: "**"
+---
+
+# SOPS Secrets Files — Read-Only
+
+Never modify any `secrets.yaml` file in this repository. These files are SOPS-encrypted and editing them directly (without `sops edit`) will corrupt the encryption and make the secrets unrecoverable.
+
+## Rules
+
+- **Do NOT edit `secrets.yaml` files** using file editing tools, even for renaming keys, restructuring blocks, or adding new entries.
+- **Do NOT suggest patches or diffs** that target `secrets.yaml` files.
+- **Always prompt the user** to make the change themselves using:
+
+  ```bash
+  sops edit <path-to-secrets.yaml>
+  ```
+
+- When a new secret key is needed (e.g., for a new SOPS reference in Nix code), tell the user the exact key name and value to add, and ask them to add it via `sops edit`.
+- You may **read** `secrets.yaml` files (e.g., with grep to check key names) — reading is safe. Only writing is forbidden.
+
+## Example
+
+Instead of editing `systems/palatine-hill/secrets.yaml` directly, say:
+
+> Please run `sops edit systems/palatine-hill/secrets.yaml` and add the following under the `kanidm:` block:
+>
+> ```yaml
+> kanidm:
+>   gitea_oidc_client_secret: "<your-generated-secret>"
+> ```

.sops.yaml

@@ -9,6 +9,10 @@ keys:
     - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
     - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
     - &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
+    # argiletum: replace placeholder after first boot with:
+    #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+    # then run: sops updatekeys systems/argiletum/secrets.yaml
+    - &argiletum age1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
     # cspell:enable
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
@@ -55,3 +59,9 @@ creation_rules:
             - *admin_alice
           age:
             - *palatine-hill
+    - path_regex: systems/argiletum/secrets.*\.yaml$
+      key_groups:
+        - pgp:
+            - *admin_alice
+          age:
+            - *argiletum

.vscode/mcp.json

@@ -1 +1,13 @@
-{}
+{
+  "servers": {
+    "honeycomb": {
+      "command": "npx",
+      "args": [
+        "mcp-remote",
+        "https://mcp.honeycomb.io/mcp"
+      ],
+      "type": "stdio"
+    }
+  },
+  "inputs": []
+}

docs/ADRs/0001-zfs-initrd-key-design.md

@@ -0,0 +1,206 @@
+> Note: This document was AI-generated and reviewed by a maintainer.
+
+# ADR 0001 — ZFS Native Encryption: Non-Interactive initrd Key Loading
+
+| | |
+|---|---|
+| **Status** | Accepted |
+| **Date** | 2026-05-03 |
+| **Deciders** | Alice Huston |
+| **Affects** | `systems/palatine-hill/hardware-changes.nix`, `systems/palatine-hill/zfs.nix` |
+
+---
+
+## Context
+
+`palatine-hill` uses ZFS native encryption for the `/nix` dataset (`ZFS-primary/nix`). The ZFS encryption key was stored on a separate LVM volume (`/crypto/keys/zfs-nix-store-key`) inside the same LUKS container as root.
+
+This created a forced ordering dependency: the `/nix` dataset could not be unlocked until root (`/`) and `/crypto` were both mounted, even though logically they are independent. Two custom initrd units worked around this:
+
+- `zfs-import-zfs-primary` — polling import loop (duplicates NixOS-native logic)
+- `zfs-load-nix-key` — reads key from `/sysroot/crypto/keys/zfs-nix-store-key` after `sysroot.mount`
+
+Additionally, `boot.zfs.requestEncryptionCredentials` was forced off entirely, and a `postBootCommands` fallback ran
+`zfs load-key -a` after stage 2 as a belt-and-suspenders measure. LUKS unlock was also interactive, requiring manual
+passphrase entry at boot.
+
+### Current initrd dependency graph (before this ADR)
+
+```mermaid
+flowchart TD
+    A([initrd start]) --> B[systemd-udev-settle]
+    A --> C["LUKS unlock nixos-pv\n⚠ interactive"]
+
+    C --> D[LVM activate]
+    D --> E["sysroot.mount\n/ on ext4"]
+    D --> F["sysroot-crypto.mount\n/crypto on LVM volume"]
+
+    B --> G["zfs-import-zfs-primary\n(custom polling loop, 60s timeout)"]
+
+    E --> H["zfs-load-nix-key\n(reads /sysroot/crypto/keys/zfs-nix-store-key)"]
+    F --> H
+    G --> H
+
+    H --> I["sysroot-nix.mount\nZFS-primary/nix"]
+    I --> J([initrd-fs.target])
+    E --> J
+    J --> K([stage 2])
+    K --> L["postBootCommands:\nzfs load-key -a"]
+```
+
+### Problems with the old approach
+
+1. **Cross-filesystem key dependency**: `/nix` unlock depends on root mount, coupling two logically independent operations.
+2. **Duplicated pool import logic**: the custom unit reimplements a polling loop that NixOS already generates natively; upstream fixes don't apply automatically.
+3. **Native credential handling fully disabled**: `requestEncryptionCredentials = false` makes the configuration opaque to NixOS module evaluation.
+4. **Double key load**: `postBootCommands` is a workaround indicating the initrd path is not reliable.
+5. **Interactive LUKS unlock**: manual passphrase entry required at every boot — defeats unattended operation.
+
+---
+
+## Options Considered
+
+### Option A — Key embedded in initrd (`boot.initrd.secrets`)
+
+Store the ZFS key directly inside the initrd cpio archive. The key is available from the very start of stage 1 without mounting anything.
+
+**Pro**: Eliminates the cross-mount dependency; re-enables native NixOS ZFS handling; zero new infrastructure.
+
+**Con**: Key lives in the initrd on `/boot`, which is an unencrypted vfat partition. Anyone with physical or boot-partition read access has the key. Does not solve interactive LUKS unlock.
+
+### Option B — Tang network key fetch (Clevis) ✅ Chosen
+
+Encrypt both secrets (LUKS passphrase and ZFS key) as Clevis JWE blobs. At boot, the initrd reaches a Tang server
+on the LAN to decrypt them. NixOS's `boot.initrd.clevis` module natively supports `luks`, `zfs`, and `bcachefs` —
+**no custom unit is needed for ZFS**.
+
+**Pro**: Key never present on disk in plaintext; unified unlock surface for both LUKS and ZFS; no cross-mount dependency; JWE blobs on disk are useless without the Tang server.
+
+**Con**: Adds Tang server as a boot dependency; server won't boot if Tang is unreachable.
+
+---
+
+## Decision
+
+**Option B (Tang/Clevis) is adopted** for both the LUKS root device and the ZFS `/nix` dataset.
+
+`boot.initrd.clevis.devices` handles both unlock targets natively. The custom `zfs-load-nix-key` unit is deleted
+entirely. The `zfs-import-zfs-primary` unit is retained — the pool must still be imported before Clevis can load the
+dataset key.
+
+Static networking is configured in the initrd using systemd-networkd with a static IP (`192.168.76.2/24`). DNS
+resolution (`192.168.76.1`, the OPNsense router running Unbound) allows the Tang URL to be `http://tang.lan`.
+
+### New initrd dependency graph
+
+```mermaid
+flowchart TD
+    A([initrd start]) --> N["initrd-networkd\neno1: 192.168.76.2/24\nDNS: 192.168.76.1"]
+    A --> B[systemd-udev-settle]
+
+    N --> T["Tang server\ntang.lan"]
+
+    T -->|"boot.initrd.clevis\n.devices.nixos-pv"| C["LUKS unlock nixos-pv\n(Clevis/Tang — unattended)"]
+    T -->|"boot.initrd.clevis\n.devices.ZFS-primary/nix"| Z["ZFS-primary/nix key load\n(Clevis/Tang — unattended)"]
+
+    C --> D[LVM activate]
+    D --> E["sysroot.mount\n/ on ext4"]
+
+    B --> G["zfs-import-zfs-primary\n(custom polling loop — retained)"]
+    G --> Z
+
+    Z --> I["sysroot-nix.mount\nZFS-primary/nix"]
+
+    E --> J([initrd-fs.target])
+    I --> J
+    J --> L([stage 2 — fully unattended])
+```
+
+### Files changed
+
+| File | Change |
+|---|---|
+| `systems/palatine-hill/hardware-changes.nix` | Removed `requestEncryptionCredentials = mkForce false`, removed `postBootCommands`, added `boot.initrd.clevis` block for both devices, added `boot.initrd.systemd.network` with static IP + DNS, removed `/crypto` from `/nix` depends |
+| `systems/palatine-hill/zfs.nix` | Removed `zfs-load-nix-key` unit, added `boot.zfs.requestEncryptionCredentials = false` |
+
+### Comparison
+
+| | Before | After |
+|---|---|---|
+| Custom initrd units | 2 (import + key load) | 1 (import only; key load is native Clevis) |
+| Key source | `/crypto` LVM volume (disk) | Tang server (network) |
+| Disk-based key exposure | Key on LVM volume inside LUKS | `.jwe` blob only; useless without Tang |
+| Cross-mount dependency | Yes | No |
+| LUKS interactive unlock | Yes | No (Clevis/Tang) |
+| Unattended boot | No | Yes (when Tang reachable) |
+
+---
+
+## Consequences
+
+- Boot requires Tang server to be reachable on `tang.lan`. If Tang is down, boot stalls at the Clevis timeout. Maintain Tang server uptime accordingly.
+- The `.jwe` files are safe to commit to the repository — they are encrypted blobs that are useless without the Tang server's private key.
+- Rolling back to a generation without Clevis (pre-ADR) requires manual LUKS passphrase entry at the console; ensure prior generations remain in the bootloader during initial cutover.
+
+---
+
+## Implementation Notes
+
+### Prerequisites
+
+1. Deploy a Tang server on the LAN and create a DNS host override in OPNsense:
+   - Services → Unbound DNS → Host Overrides → `tang` / `lan` / `<tang IP>`
+2. Verify DNS from palatine-hill before rebooting:
+
+   ```bash
+   resolvectl query tang.lan
+   ```
+
+### Create the JWE files
+
+Run from the repository root on a machine that has the LUKS passphrase and access to the running `/crypto` volume:
+
+```bash
+# LUKS passphrase JWE — substitute your actual passphrase
+echo -n "your-luks-passphrase" | \
+  clevis encrypt tang '{"url":"http://tang.lan"}' \
+  > systems/palatine-hill/nixos-pv.jwe
+
+# ZFS dataset key JWE — key file from the running system
+clevis encrypt tang '{"url":"http://tang.lan"}' \
+  < /crypto/keys/zfs-nix-store-key \
+  > systems/palatine-hill/nix-store.jwe
+```
+
+### Commit and build
+
+```bash
+git add systems/palatine-hill/nixos-pv.jwe systems/palatine-hill/nix-store.jwe
+git commit -m "feat(palatine-hill): add Clevis JWE files for Tang-based boot unlock"
+
+nix build .#palatine-hill   # verify build succeeds
+```
+
+### Deploy
+
+```bash
+nh os switch   # keep previous generation in bootloader for rollback
+```
+
+### Verify after reboot
+
+```bash
+# Confirm ZFS dataset was unlocked automatically
+zfs get keystatus ZFS-primary/nix
+# Expected: keystatus = available
+
+# Check Clevis log output
+journalctl -b | grep -i clevis
+
+# Confirm Tang was reached during initrd
+journalctl -b | grep -i tang
+```
+
+### Rollback procedure (if needed)
+
+Select the previous generation from the systemd-boot menu at boot. You will be prompted interactively for the LUKS passphrase — this is expected for the old generation.

flake.lock

@@ -68,6 +68,26 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1777713215,
+        "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "firefox-addons": {
       "inputs": {
         "nixpkgs": [
@@ -565,6 +585,7 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "firefox-addons": "firefox-addons",
         "flake-compat": "flake-compat",
         "flake-parts": "flake-parts",

flake.nix

@@ -38,6 +38,11 @@
     systems.url = "github:nix-systems/default";
 
     # flake inputs with dependencies (in alphabetic order)
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     firefox-addons = {
       url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
       inputs = {

lib/systems.nix

@@ -167,6 +167,7 @@ rec {
           outputs
           server
           system
+          home
           ;
       };
       modules = [

modules/base.nix

@@ -3,6 +3,7 @@
   inputs,
   outputs,
   server,
+  home,
   system,
   ...
 }:
@@ -22,6 +23,9 @@
     mutableUsers = lib.mkDefault false;
   };
 
+  networking.firewall.enable = lib.mkDefault true;
+}
+// lib.optionalAttrs home {
   home-manager = {
     useGlobalPkgs = true;
     useUserPackages = true;
@@ -34,5 +38,4 @@
     };
   };
 
-  networking.firewall.enable = lib.mkDefault true;
 }

systems/argiletum/configuration.nix

@@ -0,0 +1,37 @@
+{ lib, ... }:
+{
+  imports = [ ./disk.nix ];
+
+  time.timeZone = "America/New_York";
+
+  networking = {
+    hostId = "c3798ccc";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 ];
+    };
+    useNetworkd = true;
+  };
+
+  # Raspberry Pi 4 uses U-Boot / extlinux — disable both GRUB and systemd-boot
+  # TPM 2.0 HAT: systemd initrd required for tpm2-device auto-unlock
+  # After first install, enroll with:
+  #   systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --recovery-key /dev/mmcblk0p3
+  boot = {
+    useSystemdBoot = lib.mkForce false;
+    loader.grub.enable = lib.mkOverride 0 false;
+    initrd = {
+      systemd.enable = true;
+      luks.devices."cryptroot".crypttabExtraOpts = [ "tpm2-device=auto" ];
+    };
+  };
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  };
+
+  services.tang.enable = true;
+
+  system.stateVersion = "26.11";
+}

systems/argiletum/default.nix

@@ -0,0 +1,12 @@
+{ inputs, ... }:
+{
+  system = "aarch64-linux";
+  server = true;
+  home = false;
+  sops = true;
+  users = [ "alice" ];
+  modules = [
+    inputs.nixos-hardware.nixosModules.raspberry-pi-4
+    inputs.disko.nixosModules.disko
+  ];
+}

systems/argiletum/disk.nix

@@ -0,0 +1,56 @@
+{
+  disko.devices = {
+    disk = {
+      # SD card — change device to /dev/sda if booting from USB instead
+      main = {
+        type = "disk";
+        device = "/dev/mmcblk0";
+        content = {
+          type = "gpt";
+          partitions = {
+            # Raspberry Pi firmware partition — must be vfat and first
+            firmware = {
+              size = "256MiB";
+              type = "EF00";
+              priority = 1;
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot/firmware";
+                mountOptions = [
+                  "fmask=0077"
+                  "dmask=0077"
+                ];
+              };
+            };
+            # NixOS boot partition — holds kernels/initrds for each generation
+            boot = {
+              size = "1GiB";
+              priority = 2;
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/boot";
+              };
+            };
+            # Root filesystem — LUKS-encrypted, unlocked via TPM 2.0 HAT
+            root = {
+              size = "100%";
+              priority = 3;
+              content = {
+                type = "luks";
+                name = "cryptroot";
+                settings.allowDiscards = true;
+                content = {
+                  type = "filesystem";
+                  format = "ext4";
+                  mountpoint = "/";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

systems/argiletum/hardware.nix

@@ -0,0 +1,7 @@
+# TODO: after first boot, regenerate with:
+#   sudo nixos-generate-config --no-filesystems
+# (disko owns fileSystems; do not add them here)
+{ ... }:
+{
+  swapDevices = [ ];
+}

systems/artemision/desktop.nix

@@ -40,6 +40,9 @@
     dbus = {
       enable = true;
       implementation = "broker";
+      packages = with pkgs; [
+        gcr
+      ];
     };
   };
 

systems/palatine-hill/configuration.nix

@@ -19,6 +19,7 @@
     ./minio.nix
     ./networking.nix
     ./nextcloud.nix
+    ./otel.nix
     #./plex
     ./postgresql.nix
     ./samba.nix

systems/palatine-hill/hardware-changes.nix

@@ -1,11 +1,7 @@
-{ lib, pkgs, ... }:
+{ lib, ... }:
 {
 
   boot = {
-    zfs.requestEncryptionCredentials = lib.mkForce false;
-    postBootCommands = ''
-      ${pkgs.zfs}/bin/zfs load-key -a
-    '';
     initrd = {
       services.lvm.enable = true;
       luks.devices = {
@@ -16,6 +12,28 @@
         };
       };
 
+      clevis = {
+        enable = true;
+        useTang = true;
+        devices = {
+          # Unlock LUKS root device via Tang
+          "nixos-pv".secretFile = ./nixos-pv.jwe;
+          # Unlock ZFS native-encrypted dataset via Tang
+          "ZFS-primary/nix".secretFile = ./nix-store.jwe;
+        };
+      };
+
+      # Static networking needed in initrd so Tang is reachable before any disk mounts
+      systemd.network = {
+        enable = true;
+        networks."10-initrd-eno1" = {
+          matchConfig.Name = "eno1";
+          address = [ "192.168.76.2/24" ];
+          routes = [ { Gateway = "192.168.76.1"; } ];
+          dns = [ "192.168.76.1" ];
+          linkConfig.RequiredForOnline = "routable";
+        };
+      };
     };
   };
 
@@ -37,10 +55,7 @@
       "dmask=0077"
     ];
 
-    "/nix".depends = [
-      "/"
-      "/crypto"
-    ];
+    "/nix".depends = [ "/" ];
 
   };
 }

systems/palatine-hill/hydra.nix

@@ -6,6 +6,8 @@
 let
   hydra_notify_prometheus_port = "9199";
   hydra_queue_runner_prometheus_port = "9200";
+  postgres_exporter_port = 9187;
+  zfs_exporter_port = 9134;
 in
 {
   systemd.services.hydra-notify.serviceConfig.EnvironmentFile =
@@ -96,10 +98,23 @@ in
       enable = true;
       webExternalUrl = "https://prom.alicehuston.xyz";
       port = 9001;
-      exporters.node = {
-        enable = true;
-        enabledCollectors = [ "systemd" ];
-        port = 9002;
+      exporters = {
+        node = {
+          enable = true;
+          enabledCollectors = [ "systemd" ];
+          port = 9002;
+        };
+        postgres = {
+          enable = true;
+          listenAddress = "127.0.0.1";
+          port = postgres_exporter_port;
+          runAsLocalSuperUser = true;
+        };
+        zfs = {
+          enable = true;
+          listenAddress = "127.0.0.1";
+          port = zfs_exporter_port;
+        };
       };
       scrapeConfigs = [
         {
@@ -119,6 +134,18 @@ in
             }
           ];
         }
+        {
+          job_name = "postgres-local";
+          static_configs = [
+            { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; }
+          ];
+        }
+        {
+          job_name = "zfs-local";
+          static_configs = [
+            { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.zfs.port}" ]; }
+          ];
+        }
         {
           job_name = "hydra-external";
           scheme = "https";

systems/palatine-hill/otel.nix

@@ -0,0 +1,117 @@
+{
+  config,
+  ...
+}:
+{
+  # node_exporter (port 9002) and Prometheus (port 9001) are already configured
+  # in hydra.nix — we just scrape the existing exporter here.
+
+  services.opentelemetry-collector = {
+    enable = true;
+    settings = {
+      receivers = {
+        # Host-level system metrics
+        hostmetrics = {
+          collection_interval = "60s";
+          scrapers = {
+            cpu = { };
+            memory = { };
+            disk = { };
+            filesystem = { };
+            network = { };
+            load = { };
+            processes = { };
+          };
+        };
+
+        # Scrape node_exporter for per-systemd-unit service state
+        prometheus = {
+          config = {
+            scrape_configs = [
+              {
+                job_name = "node-exporter";
+                scrape_interval = "60s";
+                static_configs = [
+                  {
+                    targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
+                    labels = {
+                      host = "palatine-hill";
+                    };
+                  }
+                ];
+              }
+              {
+                job_name = "postgres-exporter";
+                scrape_interval = "60s";
+                static_configs = [
+                  {
+                    targets = [ "localhost:${toString config.services.prometheus.exporters.postgres.port}" ];
+                    labels = {
+                      host = "palatine-hill";
+                    };
+                  }
+                ];
+              }
+              {
+                job_name = "zfs-exporter";
+                scrape_interval = "60s";
+                static_configs = [
+                  {
+                    targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
+                    labels = {
+                      host = "palatine-hill";
+                    };
+                  }
+                ];
+              }
+            ];
+          };
+        };
+      };
+
+      processors = {
+        batch = { };
+
+        # Attach hostname and other system resource attributes
+        "resourcedetection/system" = {
+          detectors = [ "system" ];
+          system.hostname_sources = [ "os" ];
+        };
+      };
+
+      exporters = {
+        "otlp/honeycomb" = {
+          endpoint = "api.honeycomb.io:443";
+          headers = {
+            # Expanded at runtime from the environment file
+            "x-honeycomb-team" = "\${HONEYCOMB_API_KEY}";
+          };
+        };
+      };
+
+      service = {
+        pipelines = {
+          metrics = {
+            receivers = [
+              "hostmetrics"
+              "prometheus"
+            ];
+            processors = [
+              "resourcedetection/system"
+              "batch"
+            ];
+            exporters = [ "otlp/honeycomb" ];
+          };
+        };
+      };
+    };
+  };
+
+  # Inject the Honeycomb API key at runtime — never stored in the Nix store
+  systemd.services.opentelemetry-collector.serviceConfig.EnvironmentFile =
+    config.sops.secrets."honeycomb/api-key".path;
+
+  sops.secrets = {
+    "honeycomb/api-key".owner = "root";
+  };
+}

systems/palatine-hill/secrets.yaml

@@ -45,6 +45,8 @@ typhon:
 garage:
     rpc-secret: ENC[AES256_GCM,data:Q2ZaAXcntD3yK6DynEpxab2TITByMZ7ECVrq1pb0ZU7hXOZnhaBmjdty/Os6len8l+GBl6+WaC0An6cFkhQTlQ==,iv:E8C4bnxMLXK9fky+KC7q8sHpmrEU5un0TEAwxVUBiLk=,tag:PiSiU+9NpyilH2aMs2Qc/Q==,type:str]
     admin-token: ENC[AES256_GCM,data:Xjm8Xq99aDseR0jN50Uj3gLpeDaq2IGXzJCS0o1H0RgKX9LGdP8w508nWWE=,iv:+L9T3TEUSbIz+jo08ykjGHVhuz5ecmzrlhzD2iv48HE=,tag:7P2rY4F8cWFdG4Lm9n/etQ==,type:str]
+honeycomb:
+    api-key: ENC[AES256_GCM,data:k+Z3tmF8pYwD6RokdZauQ/fMlhD5GbW1ekxzRnj0gEpQFlfGB8gQ6BPwbd7qk12ZhsCA4XdqmvsysAWJldYWrPo=,iv:dNAK/vbQYL7ir4UXhZMTWraZF1E6ps9EOF3skYe5wOk=,tag:5UJfCji/RmB5DIuR4179uw==,type:str]
 sops:
     age:
         - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
@@ -56,8 +58,8 @@ sops:
             cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
             LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-02T16:02:29Z"
-    mac: ENC[AES256_GCM,data:dDv33vEGVeEEeTSXZPcIG3BO0GjFOswBGUsOY+/6IJqAC8omHaSQ6hdcVaXKScC56kEn5w/494hfOOEEficJt1nGQBrnfE8u95tdBqcODtSmTWbonXgpfckX68jV7Y9iTSxisih6ciAwFToxovhiI36kLrWoeVlzs5DdfwJp1YU=,iv:jkThy/omE/9SyqfAr6ARrDYLGVhhACmSxm4EgM+Is1s=,tag:Key2xC4btvI8HqQglIcXkg==,type:str]
+    lastmodified: "2026-05-03T16:28:04Z"
+    mac: ENC[AES256_GCM,data:dJ00o+Ny6btbOn7Pt5dc4iLx6FHJiTTx7onZDhjxya7Ywg2qAwHTiNP2q2aP6348w5uenlEGrgnV0Dc8xyHfApNCkJwj4G6UnI17jxEGn3lc0ZFNzJJ7jO2CJcwHir0E2G4XdPjmbZUdB3aKmM34dI9EEUWWhNFXdps4X0dNQcM=,iv:vOU3kHq0axRBrkNfVicQ/8H77nF0DGIJlpoDuJmwRGQ=,tag:uvoFkmaaTM8zpr1g2FpCMA==,type:str]
     pgp:
         - created_at: "2024-11-28T18:56:39Z"
           enc: |-

systems/palatine-hill/zfs.nix

@@ -7,6 +7,7 @@
 {
   boot = {
     zfs.extraPools = [ "ZFS-primary" ];
+    zfs.requestEncryptionCredentials = false;
     filesystem = "zfs";
     extraModprobeConfig = ''
       options zfs zfs_arc_min=82463372083
@@ -85,33 +86,6 @@
           fi
         '';
       };
-
-      zfs-load-nix-key = {
-        description = "Load ZFS key for ZFS-primary/nix in initrd";
-        wantedBy = [ "initrd-fs.target" ];
-        requires = [
-          "sysroot.mount"
-          "zfs-import-zfs-primary.service"
-        ];
-        after = [
-          "sysroot.mount"
-          "zfs-import-zfs-primary.service"
-        ];
-        before = [
-          "initrd-fs.target"
-          "sysroot-nix.mount"
-        ];
-        unitConfig.DefaultDependencies = "no";
-        serviceConfig = {
-          Type = "oneshot";
-          RemainAfterExit = true;
-        };
-        path = with pkgs; [ zfs ];
-        script = ''
-          key_file="/sysroot/crypto/keys/zfs-nix-store-key"
-          zfs load-key -L "file://$key_file" "ZFS-primary/nix"
-        '';
-      };
     };
   };
 

users/alice/non-server.nix

@@ -207,6 +207,14 @@ in
         };
       };
     };
+    rbw = {
+      enable = true;
+      settings = {
+        lockTimeout = 300;
+        pinentry = pkgs.pinentry-gnome3;
+        email = "snowinginwonderland@gmail.com";
+      };
+    };
   };
 
   services.gnome-keyring.enable = true;
@@ -268,7 +276,7 @@ in
 
     nextcloud-client
     bitwarden-cli
-    bitwarden-menu
+    rofi-rbw-wayland
     wtype
     obsidian
     libreoffice-qt-fresh

users/alice/secrets.yaml

@@ -10,6 +10,8 @@ alice:
     attic-nix-cache-admin: ENC[AES256_GCM,data:xHJGeU4EUn1HRy2nIValiJ6iLZnYmmT6Njv/cGMh15Q0hJXKNBSsi8f0mAfLI7EX+GaC299VKh2uTlU25jptrAvogLxNJIc+LZBLsSkyGE/ojqqevHMKmZ/6eciLZRQL5ey9TM3V9HHyDOhGaFgdfawtwg/vyvbV13lZBKpqneAX9T3gPRuKRjV4/Uc/5cUckiOF8bQ50xVFN8Cql9HgGDJEGWgg4XUTPu5eYspof2EN63pYvU7wg6HD2begeLDvqc2/i2DIcsc0wqc5DgkY/dH2YtcssBtU8AR9vKpl+HmH/wvt6dfaEyZ7hF7ITGwWnOO6H2ko3SjYRfHkFK3XDmm1YRRjfkptnw==,iv:BdVgNyZ1azl5tKfH+RTeXuNV/rYY6hPvrareKlIXSeQ=,tag:/ar87eAjMod4TmQXoerNBQ==,type:str]
     gitea-actions-token: ENC[AES256_GCM,data:QTEPMAh1RWWJ/O3yhkQkEBTdVL8XhIRGCDbiM0lLjfILKF4SpSJ2sA==,iv:mBaaB1JHb2KVc9n2pdeX4pSMvb7q5z3joMT7rR5Whgs=,tag:ef+58SI4AUeqUsk3RVDsRQ==,type:str]
     gitea-pr-token: ENC[AES256_GCM,data:ybTya4X2wd65pNFSGbQkg73lu66GNtSba4yf8J6tT8XkuOtfvtBS4g==,iv:39mJiAlw4kud4l06jOpxOCRumChE/5q8IBNsPHG1rMc=,tag:MEvHD2b9E3fVHLlz7haNyw==,type:str]
+    honeycomb-id: ENC[AES256_GCM,data:PndCclCbSMrgmlYdQ5a8//IB+hg9uB0ZwidIZFiKN6w=,iv:mxFcGPnY0eCliugvQT5HR9aGzJIvXZI6FTo8rphVQMM=,tag:3huIaIy7da0gx2G/BVJJLQ==,type:str]
+    honeycomb-secret: ENC[AES256_GCM,data:x2MZPgAJz3I1m+rjSVpINZdQVbu50XiwEtPGEX/kbJw=,iv:bPNNtXIES0pCLc4Nu/886nwoOVXaZgyTxndSpyWWU0E=,tag:igdd/NPCDpcvzSd9LO4hyw==,type:str]
 sops:
     age:
         - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
@@ -39,8 +41,8 @@ sops:
             ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
             7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-07T23:43:57Z"
-    mac: ENC[AES256_GCM,data:ygQzxSpGJqXwkOq7jGDeflA2FTSSxnre/PXm0LxmxzQQW5s7LeIVSI75fMqWir0WU3Pi/xroYGEWjpCG6JvxV5RiJycTONk8VE7c3jtw3AbrHSS0b1K5tJ+Sf+q3rHJFWWk/COrPk8IsRFNb+taqH4jnaH3AAVNo5u0C1CHKMes=,iv:FO2GVDXE8SjjA81/9cDwc+dX8kJ2oHt5kqkhNBuMb54=,tag:hgzRAmsh32SCvJEvKyV+vg==,type:str]
+    lastmodified: "2026-05-03T16:20:31Z"
+    mac: ENC[AES256_GCM,data:/Ui0H0wgENYnzVB7V2aAbj4dIbE+sjRpPoso75xyKepmeeMp8nv8CJLKmLmtbp+rtX287teVw4hKxb/z8M6ZHIWmgt9Zgui8/+hw5hwuMmyjPeGqJQjFH8s4zcXkOKLDoFPA65gva5gaPsreqPwOSqgqYwmds5gOcxBI3Tqdh6E=,iv:ugtug8Vb7DRUp1eC2M6ooCoPFjbqZo8htHOV4AXIcSI=,tag:4sMJsh/r57Z4VFoOBmUmXw==,type:str]
     pgp:
         - created_at: "2024-09-05T06:10:22Z"
           enc: |-
@@ -55,4 +57,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.10.1
+    version: 3.12.2