luks migration, home migration fixes

add argiletum
2026-05-03 17:33:56 -04:00 · 2026-05-03 14:09:35 -04:00 · 2026-05-03 13:59:56 -04:00 · 2026-05-03 13:29:39 -04:00 · 2026-05-03 12:40:53 -04:00 · 2026-05-03 12:34:42 -04:00
21 changed files with 599 additions and 48 deletions
@@ -0,0 +1,32 @@
 ---
 description: "Use when working with SOPS secrets files (secrets.yaml). Never modify secrets.yaml files directly — always prompt the user to make changes using sops edit."
 applyTo: "**"
 ---
 # SOPS Secrets Files — Read-Only
 Never modify any `secrets.yaml` file in this repository. These files are SOPS-encrypted and editing them directly (without `sops edit`) will corrupt the encryption and make the secrets unrecoverable.
 ## Rules
 - **Do NOT edit `secrets.yaml` files** using file editing tools, even for renaming keys, restructuring blocks, or adding new entries.
 - **Do NOT suggest patches or diffs** that target `secrets.yaml` files.
 - **Always prompt the user** to make the change themselves using:
  ```bash
  sops edit <path-to-secrets.yaml>
  ```
 - When a new secret key is needed (e.g., for a new SOPS reference in Nix code), tell the user the exact key name and value to add, and ask them to add it via `sops edit`.
 - You may **read** `secrets.yaml` files (e.g., with grep to check key names) — reading is safe. Only writing is forbidden.
 ## Example
 Instead of editing `systems/palatine-hill/secrets.yaml` directly, say:
 > Please run `sops edit systems/palatine-hill/secrets.yaml` and add the following under the `kanidm:` block:
 >
 > ```yaml
 > kanidm:
 >   gitea_oidc_client_secret: "<your-generated-secret>"
 > ```
@@ -9,6 +9,10 @@ keys:
    - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
    - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
    - &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
    # argiletum: replace placeholder after first boot with:
    #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
    # then run: sops updatekeys systems/argiletum/secrets.yaml
    - &argiletum age1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    # cspell:enable
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
@@ -55,3 +59,9 @@ creation_rules:
            - *admin_alice
          age:
            - *palatine-hill
    - path_regex: systems/argiletum/secrets.*\.yaml$
      key_groups:
        - pgp:
            - *admin_alice
          age:
            - *argiletum
@@ -1 +1,13 @@
-{}
+{
  "servers": {
    "honeycomb": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp.honeycomb.io/mcp"
      ],
      "type": "stdio"
    }
  },
  "inputs": []
 }
@@ -0,0 +1,206 @@
 > Note: This document was AI-generated and reviewed by a maintainer.
 # ADR 0001 — ZFS Native Encryption: Non-Interactive initrd Key Loading
 | | |
 |---|---|
 | **Status** | Accepted |
 | **Date** | 2026-05-03 |
 | **Deciders** | Alice Huston |
 | **Affects** | `systems/palatine-hill/hardware-changes.nix`, `systems/palatine-hill/zfs.nix` |
 ---
 ## Context
 `palatine-hill` uses ZFS native encryption for the `/nix` dataset (`ZFS-primary/nix`). The ZFS encryption key was stored on a separate LVM volume (`/crypto/keys/zfs-nix-store-key`) inside the same LUKS container as root.
 This created a forced ordering dependency: the `/nix` dataset could not be unlocked until root (`/`) and `/crypto` were both mounted, even though logically they are independent. Two custom initrd units worked around this:
 - `zfs-import-zfs-primary` — polling import loop (duplicates NixOS-native logic)
 - `zfs-load-nix-key` — reads key from `/sysroot/crypto/keys/zfs-nix-store-key` after `sysroot.mount`
 Additionally, `boot.zfs.requestEncryptionCredentials` was forced off entirely, and a `postBootCommands` fallback ran
 `zfs load-key -a` after stage 2 as a belt-and-suspenders measure. LUKS unlock was also interactive, requiring manual
 passphrase entry at boot.
 ### Current initrd dependency graph (before this ADR)
 ```mermaid
 flowchart TD
    A([initrd start]) --> B[systemd-udev-settle]
    A --> C["LUKS unlock nixos-pv\n⚠ interactive"]
    C --> D[LVM activate]
    D --> E["sysroot.mount\n/ on ext4"]
    D --> F["sysroot-crypto.mount\n/crypto on LVM volume"]
    B --> G["zfs-import-zfs-primary\n(custom polling loop, 60s timeout)"]
    E --> H["zfs-load-nix-key\n(reads /sysroot/crypto/keys/zfs-nix-store-key)"]
    F --> H
    G --> H
    H --> I["sysroot-nix.mount\nZFS-primary/nix"]
    I --> J([initrd-fs.target])
    E --> J
    J --> K([stage 2])
    K --> L["postBootCommands:\nzfs load-key -a"]
 ```
 ### Problems with the old approach
 1. **Cross-filesystem key dependency**: `/nix` unlock depends on root mount, coupling two logically independent operations.
 2. **Duplicated pool import logic**: the custom unit reimplements a polling loop that NixOS already generates natively; upstream fixes don't apply automatically.
 3. **Native credential handling fully disabled**: `requestEncryptionCredentials = false` makes the configuration opaque to NixOS module evaluation.
 4. **Double key load**: `postBootCommands` is a workaround indicating the initrd path is not reliable.
 5. **Interactive LUKS unlock**: manual passphrase entry required at every boot — defeats unattended operation.
 ---
 ## Options Considered
 ### Option A — Key embedded in initrd (`boot.initrd.secrets`)
 Store the ZFS key directly inside the initrd cpio archive. The key is available from the very start of stage 1 without mounting anything.
 **Pro**: Eliminates the cross-mount dependency; re-enables native NixOS ZFS handling; zero new infrastructure.
 **Con**: Key lives in the initrd on `/boot`, which is an unencrypted vfat partition. Anyone with physical or boot-partition read access has the key. Does not solve interactive LUKS unlock.
 ### Option B — Tang network key fetch (Clevis) ✅ Chosen
 Encrypt both secrets (LUKS passphrase and ZFS key) as Clevis JWE blobs. At boot, the initrd reaches a Tang server
 on the LAN to decrypt them. NixOS's `boot.initrd.clevis` module natively supports `luks`, `zfs`, and `bcachefs` —
 **no custom unit is needed for ZFS**.
 **Pro**: Key never present on disk in plaintext; unified unlock surface for both LUKS and ZFS; no cross-mount dependency; JWE blobs on disk are useless without the Tang server.
 **Con**: Adds Tang server as a boot dependency; server won't boot if Tang is unreachable.
 ---
 ## Decision
 **Option B (Tang/Clevis) is adopted** for both the LUKS root device and the ZFS `/nix` dataset.
 `boot.initrd.clevis.devices` handles both unlock targets natively. The custom `zfs-load-nix-key` unit is deleted
 entirely. The `zfs-import-zfs-primary` unit is retained — the pool must still be imported before Clevis can load the
 dataset key.
 Static networking is configured in the initrd using systemd-networkd with a static IP (`192.168.76.2/24`). DNS
 resolution (`192.168.76.1`, the OPNsense router running Unbound) allows the Tang URL to be `http://tang.lan`.
 ### New initrd dependency graph
 ```mermaid
 flowchart TD
    A([initrd start]) --> N["initrd-networkd\neno1: 192.168.76.2/24\nDNS: 192.168.76.1"]
    A --> B[systemd-udev-settle]
    N --> T["Tang server\ntang.lan"]
    T -->|"boot.initrd.clevis\n.devices.nixos-pv"| C["LUKS unlock nixos-pv\n(Clevis/Tang — unattended)"]
    T -->|"boot.initrd.clevis\n.devices.ZFS-primary/nix"| Z["ZFS-primary/nix key load\n(Clevis/Tang — unattended)"]
    C --> D[LVM activate]
    D --> E["sysroot.mount\n/ on ext4"]
    B --> G["zfs-import-zfs-primary\n(custom polling loop — retained)"]
    G --> Z
    Z --> I["sysroot-nix.mount\nZFS-primary/nix"]
    E --> J([initrd-fs.target])
    I --> J
    J --> L([stage 2 — fully unattended])
 ```
 ### Files changed
 | File | Change |
 |---|---|
 | `systems/palatine-hill/hardware-changes.nix` | Removed `requestEncryptionCredentials = mkForce false`, removed `postBootCommands`, added `boot.initrd.clevis` block for both devices, added `boot.initrd.systemd.network` with static IP + DNS, removed `/crypto` from `/nix` depends |
 | `systems/palatine-hill/zfs.nix` | Removed `zfs-load-nix-key` unit, added `boot.zfs.requestEncryptionCredentials = false` |
 ### Comparison
 | | Before | After |
 |---|---|---|
 | Custom initrd units | 2 (import + key load) | 1 (import only; key load is native Clevis) |
 | Key source | `/crypto` LVM volume (disk) | Tang server (network) |
 | Disk-based key exposure | Key on LVM volume inside LUKS | `.jwe` blob only; useless without Tang |
 | Cross-mount dependency | Yes | No |
 | LUKS interactive unlock | Yes | No (Clevis/Tang) |
 | Unattended boot | No | Yes (when Tang reachable) |
 ---
 ## Consequences
 - Boot requires Tang server to be reachable on `tang.lan`. If Tang is down, boot stalls at the Clevis timeout. Maintain Tang server uptime accordingly.
 - The `.jwe` files are safe to commit to the repository — they are encrypted blobs that are useless without the Tang server's private key.
 - Rolling back to a generation without Clevis (pre-ADR) requires manual LUKS passphrase entry at the console; ensure prior generations remain in the bootloader during initial cutover.
 ---
 ## Implementation Notes
 ### Prerequisites
 1. Deploy a Tang server on the LAN and create a DNS host override in OPNsense:
   - Services → Unbound DNS → Host Overrides → `tang` / `lan` / `<tang IP>`
 2. Verify DNS from palatine-hill before rebooting:
   ```bash
   resolvectl query tang.lan
   ```
 ### Create the JWE files
 Run from the repository root on a machine that has the LUKS passphrase and access to the running `/crypto` volume:
 ```bash
 # LUKS passphrase JWE — substitute your actual passphrase
 echo -n "your-luks-passphrase" | \
  clevis encrypt tang '{"url":"http://tang.lan"}' \
  > systems/palatine-hill/nixos-pv.jwe
 # ZFS dataset key JWE — key file from the running system
 clevis encrypt tang '{"url":"http://tang.lan"}' \
  < /crypto/keys/zfs-nix-store-key \
  > systems/palatine-hill/nix-store.jwe
 ```
 ### Commit and build
 ```bash
 git add systems/palatine-hill/nixos-pv.jwe systems/palatine-hill/nix-store.jwe
 git commit -m "feat(palatine-hill): add Clevis JWE files for Tang-based boot unlock"
 nix build .#palatine-hill   # verify build succeeds
 ```
 ### Deploy
 ```bash
 nh os switch   # keep previous generation in bootloader for rollback
 ```
 ### Verify after reboot
 ```bash
 # Confirm ZFS dataset was unlocked automatically
 zfs get keystatus ZFS-primary/nix
 # Expected: keystatus = available
 # Check Clevis log output
 journalctl -b | grep -i clevis
 # Confirm Tang was reached during initrd
 journalctl -b | grep -i tang
 ```
 ### Rollback procedure (if needed)
 Select the previous generation from the systemd-boot menu at boot. You will be prompted interactively for the LUKS passphrase — this is expected for the old generation.
@@ -68,6 +68,26 @@
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1777713215,
        "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "disko",
        "type": "github"
      }
    },
    "firefox-addons": {
      "inputs": {
        "nixpkgs": [
@@ -565,6 +585,7 @@
    },
    "root": {
      "inputs": {
        "disko": "disko",
        "firefox-addons": "firefox-addons",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
@@ -38,6 +38,11 @@
    systems.url = "github:nix-systems/default";
    # flake inputs with dependencies (in alphabetic order)
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    firefox-addons = {
      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
      inputs = {
@@ -167,6 +167,7 @@ rec {
          outputs
          server
          system
          home
          ;
      };
      modules = [
@@ -3,6 +3,7 @@
  inputs,
  outputs,
  server,
  home,
  system,
  ...
 }:
@@ -22,6 +23,9 @@
    mutableUsers = lib.mkDefault false;
  };
  networking.firewall.enable = lib.mkDefault true;
 }
 // lib.optionalAttrs home {
  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
@@ -34,5 +38,4 @@
    };
  };
  networking.firewall.enable = lib.mkDefault true;
 }
@@ -0,0 +1,37 @@
 { lib, ... }:
 {
  imports = [ ./disk.nix ];
  time.timeZone = "America/New_York";
  networking = {
    hostId = "c3798ccc";
    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 ];
    };
    useNetworkd = true;
  };
  # Raspberry Pi 4 uses U-Boot / extlinux — disable both GRUB and systemd-boot
  # TPM 2.0 HAT: systemd initrd required for tpm2-device auto-unlock
  # After first install, enroll with:
  #   systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --recovery-key /dev/mmcblk0p3
  boot = {
    useSystemdBoot = lib.mkForce false;
    loader.grub.enable = lib.mkOverride 0 false;
    initrd = {
      systemd.enable = true;
      luks.devices."cryptroot".crypttabExtraOpts = [ "tpm2-device=auto" ];
    };
  };
  sops = {
    defaultSopsFile = ./secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };
  services.tang.enable = true;
  system.stateVersion = "26.11";
 }
@@ -0,0 +1,12 @@
 { inputs, ... }:
 {
  system = "aarch64-linux";
  server = true;
  home = false;
  sops = true;
  users = [ "alice" ];
  modules = [
    inputs.nixos-hardware.nixosModules.raspberry-pi-4
    inputs.disko.nixosModules.disko
  ];
 }
@@ -0,0 +1,56 @@
 {
  disko.devices = {
    disk = {
      # SD card — change device to /dev/sda if booting from USB instead
      main = {
        type = "disk";
        device = "/dev/mmcblk0";
        content = {
          type = "gpt";
          partitions = {
            # Raspberry Pi firmware partition — must be vfat and first
            firmware = {
              size = "256MiB";
              type = "EF00";
              priority = 1;
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot/firmware";
                mountOptions = [
                  "fmask=0077"
                  "dmask=0077"
                ];
              };
            };
            # NixOS boot partition — holds kernels/initrds for each generation
            boot = {
              size = "1GiB";
              priority = 2;
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/boot";
              };
            };
            # Root filesystem — LUKS-encrypted, unlocked via TPM 2.0 HAT
            root = {
              size = "100%";
              priority = 3;
              content = {
                type = "luks";
                name = "cryptroot";
                settings.allowDiscards = true;
                content = {
                  type = "filesystem";
                  format = "ext4";
                  mountpoint = "/";
                };
              };
            };
          };
        };
      };
    };
  };
 }
@@ -0,0 +1,7 @@
 # TODO: after first boot, regenerate with:
 #   sudo nixos-generate-config --no-filesystems
 # (disko owns fileSystems; do not add them here)
 { ... }:
 {
  swapDevices = [ ];
 }
@@ -40,6 +40,9 @@
    dbus = {
      enable = true;
      implementation = "broker";
      packages = with pkgs; [
        gcr
      ];
    };
  };
@@ -19,6 +19,7 @@
    ./minio.nix
    ./networking.nix
    ./nextcloud.nix
    ./otel.nix
    #./plex
    ./postgresql.nix
    ./samba.nix
@@ -1,11 +1,7 @@
-{ lib, pkgs, ... }:
+{ lib, ... }:
 {
  boot = {
    zfs.requestEncryptionCredentials = lib.mkForce false;
    postBootCommands = ''
      ${pkgs.zfs}/bin/zfs load-key -a
    '';
    initrd = {
      services.lvm.enable = true;
      luks.devices = {
@@ -16,6 +12,28 @@
        };
      };
      clevis = {
        enable = true;
        useTang = true;
        devices = {
          # Unlock LUKS root device via Tang
          "nixos-pv".secretFile = ./nixos-pv.jwe;
          # Unlock ZFS native-encrypted dataset via Tang
          "ZFS-primary/nix".secretFile = ./nix-store.jwe;
        };
      };
      # Static networking needed in initrd so Tang is reachable before any disk mounts
      systemd.network = {
        enable = true;
        networks."10-initrd-eno1" = {
          matchConfig.Name = "eno1";
          address = [ "192.168.76.2/24" ];
          routes = [ { Gateway = "192.168.76.1"; } ];
          dns = [ "192.168.76.1" ];
          linkConfig.RequiredForOnline = "routable";
        };
      };
    };
  };
@@ -37,10 +55,7 @@
      "dmask=0077"
    ];
-    "/nix".depends = [
+    "/nix".depends = [ "/" ];
      "/"
      "/crypto"
    ];
  };
 }
@@ -6,6 +6,8 @@
 let
  hydra_notify_prometheus_port = "9199";
  hydra_queue_runner_prometheus_port = "9200";
  postgres_exporter_port = 9187;
  zfs_exporter_port = 9134;
 in
 {
  systemd.services.hydra-notify.serviceConfig.EnvironmentFile =
@@ -96,10 +98,23 @@ in
      enable = true;
      webExternalUrl = "https://prom.alicehuston.xyz";
      port = 9001;
-      exporters.node = {
+      exporters = {
-        enable = true;
+        node = {
-        enabledCollectors = [ "systemd" ];
+          enable = true;
-        port = 9002;
+          enabledCollectors = [ "systemd" ];
          port = 9002;
        };
        postgres = {
          enable = true;
          listenAddress = "127.0.0.1";
          port = postgres_exporter_port;
          runAsLocalSuperUser = true;
        };
        zfs = {
          enable = true;
          listenAddress = "127.0.0.1";
          port = zfs_exporter_port;
        };
      };
      scrapeConfigs = [
        {
@@ -119,6 +134,18 @@ in
            }
          ];
        }
        {
          job_name = "postgres-local";
          static_configs = [
            { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; }
          ];
        }
        {
          job_name = "zfs-local";
          static_configs = [
            { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.zfs.port}" ]; }
          ];
        }
        {
          job_name = "hydra-external";
          scheme = "https";
@@ -0,0 +1,117 @@
 {
  config,
  ...
 }:
 {
  # node_exporter (port 9002) and Prometheus (port 9001) are already configured
  # in hydra.nix — we just scrape the existing exporter here.
  services.opentelemetry-collector = {
    enable = true;
    settings = {
      receivers = {
        # Host-level system metrics
        hostmetrics = {
          collection_interval = "60s";
          scrapers = {
            cpu = { };
            memory = { };
            disk = { };
            filesystem = { };
            network = { };
            load = { };
            processes = { };
          };
        };
        # Scrape node_exporter for per-systemd-unit service state
        prometheus = {
          config = {
            scrape_configs = [
              {
                job_name = "node-exporter";
                scrape_interval = "60s";
                static_configs = [
                  {
                    targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
                    labels = {
                      host = "palatine-hill";
                    };
                  }
                ];
              }
              {
                job_name = "postgres-exporter";
                scrape_interval = "60s";
                static_configs = [
                  {
                    targets = [ "localhost:${toString config.services.prometheus.exporters.postgres.port}" ];
                    labels = {
                      host = "palatine-hill";
                    };
                  }
                ];
              }
              {
                job_name = "zfs-exporter";
                scrape_interval = "60s";
                static_configs = [
                  {
                    targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
                    labels = {
                      host = "palatine-hill";
                    };
                  }
                ];
              }
            ];
          };
        };
      };
      processors = {
        batch = { };
        # Attach hostname and other system resource attributes
        "resourcedetection/system" = {
          detectors = [ "system" ];
          system.hostname_sources = [ "os" ];
        };
      };
      exporters = {
        "otlp/honeycomb" = {
          endpoint = "api.honeycomb.io:443";
          headers = {
            # Expanded at runtime from the environment file
            "x-honeycomb-team" = "\${HONEYCOMB_API_KEY}";
          };
        };
      };
      service = {
        pipelines = {
          metrics = {
            receivers = [
              "hostmetrics"
              "prometheus"
            ];
            processors = [
              "resourcedetection/system"
              "batch"
            ];
            exporters = [ "otlp/honeycomb" ];
          };
        };
      };
    };
  };
  # Inject the Honeycomb API key at runtime — never stored in the Nix store
  systemd.services.opentelemetry-collector.serviceConfig.EnvironmentFile =
    config.sops.secrets."honeycomb/api-key".path;
  sops.secrets = {
    "honeycomb/api-key".owner = "root";
  };
 }
@@ -45,6 +45,8 @@ typhon:
 garage:
    rpc-secret: ENC[AES256_GCM,data:Q2ZaAXcntD3yK6DynEpxab2TITByMZ7ECVrq1pb0ZU7hXOZnhaBmjdty/Os6len8l+GBl6+WaC0An6cFkhQTlQ==,iv:E8C4bnxMLXK9fky+KC7q8sHpmrEU5un0TEAwxVUBiLk=,tag:PiSiU+9NpyilH2aMs2Qc/Q==,type:str]
    admin-token: ENC[AES256_GCM,data:Xjm8Xq99aDseR0jN50Uj3gLpeDaq2IGXzJCS0o1H0RgKX9LGdP8w508nWWE=,iv:+L9T3TEUSbIz+jo08ykjGHVhuz5ecmzrlhzD2iv48HE=,tag:7P2rY4F8cWFdG4Lm9n/etQ==,type:str]
 honeycomb:
    api-key: ENC[AES256_GCM,data:k+Z3tmF8pYwD6RokdZauQ/fMlhD5GbW1ekxzRnj0gEpQFlfGB8gQ6BPwbd7qk12ZhsCA4XdqmvsysAWJldYWrPo=,iv:dNAK/vbQYL7ir4UXhZMTWraZF1E6ps9EOF3skYe5wOk=,tag:5UJfCji/RmB5DIuR4179uw==,type:str]
 sops:
    age:
        - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
@@ -56,8 +58,8 @@ sops:
            cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
            LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-02T16:02:29Z"
+    lastmodified: "2026-05-03T16:28:04Z"
-    mac: ENC[AES256_GCM,data:dDv33vEGVeEEeTSXZPcIG3BO0GjFOswBGUsOY+/6IJqAC8omHaSQ6hdcVaXKScC56kEn5w/494hfOOEEficJt1nGQBrnfE8u95tdBqcODtSmTWbonXgpfckX68jV7Y9iTSxisih6ciAwFToxovhiI36kLrWoeVlzs5DdfwJp1YU=,iv:jkThy/omE/9SyqfAr6ARrDYLGVhhACmSxm4EgM+Is1s=,tag:Key2xC4btvI8HqQglIcXkg==,type:str]
+    mac: ENC[AES256_GCM,data:dJ00o+Ny6btbOn7Pt5dc4iLx6FHJiTTx7onZDhjxya7Ywg2qAwHTiNP2q2aP6348w5uenlEGrgnV0Dc8xyHfApNCkJwj4G6UnI17jxEGn3lc0ZFNzJJ7jO2CJcwHir0E2G4XdPjmbZUdB3aKmM34dI9EEUWWhNFXdps4X0dNQcM=,iv:vOU3kHq0axRBrkNfVicQ/8H77nF0DGIJlpoDuJmwRGQ=,tag:uvoFkmaaTM8zpr1g2FpCMA==,type:str]
    pgp:
        - created_at: "2024-11-28T18:56:39Z"
          enc: |-
@@ -7,6 +7,7 @@
 {
  boot = {
    zfs.extraPools = [ "ZFS-primary" ];
    zfs.requestEncryptionCredentials = false;
    filesystem = "zfs";
    extraModprobeConfig = ''
      options zfs zfs_arc_min=82463372083
@@ -85,33 +86,6 @@
          fi
        '';
      };
      zfs-load-nix-key = {
        description = "Load ZFS key for ZFS-primary/nix in initrd";
        wantedBy = [ "initrd-fs.target" ];
        requires = [
          "sysroot.mount"
          "zfs-import-zfs-primary.service"
        ];
        after = [
          "sysroot.mount"
          "zfs-import-zfs-primary.service"
        ];
        before = [
          "initrd-fs.target"
          "sysroot-nix.mount"
        ];
        unitConfig.DefaultDependencies = "no";
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
        };
        path = with pkgs; [ zfs ];
        script = ''
          key_file="/sysroot/crypto/keys/zfs-nix-store-key"
          zfs load-key -L "file://$key_file" "ZFS-primary/nix"
        '';
      };
    };
  };
@@ -207,6 +207,14 @@ in
        };
      };
    };
    rbw = {
      enable = true;
      settings = {
        lockTimeout = 300;
        pinentry = pkgs.pinentry-gnome3;
        email = "snowinginwonderland@gmail.com";
      };
    };
  };
  services.gnome-keyring.enable = true;
@@ -268,7 +276,7 @@ in
    nextcloud-client
    bitwarden-cli
-    bitwarden-menu
+    rofi-rbw-wayland
    wtype
    obsidian
    libreoffice-qt-fresh
@@ -10,6 +10,8 @@ alice:
    attic-nix-cache-admin: ENC[AES256_GCM,data:xHJGeU4EUn1HRy2nIValiJ6iLZnYmmT6Njv/cGMh15Q0hJXKNBSsi8f0mAfLI7EX+GaC299VKh2uTlU25jptrAvogLxNJIc+LZBLsSkyGE/ojqqevHMKmZ/6eciLZRQL5ey9TM3V9HHyDOhGaFgdfawtwg/vyvbV13lZBKpqneAX9T3gPRuKRjV4/Uc/5cUckiOF8bQ50xVFN8Cql9HgGDJEGWgg4XUTPu5eYspof2EN63pYvU7wg6HD2begeLDvqc2/i2DIcsc0wqc5DgkY/dH2YtcssBtU8AR9vKpl+HmH/wvt6dfaEyZ7hF7ITGwWnOO6H2ko3SjYRfHkFK3XDmm1YRRjfkptnw==,iv:BdVgNyZ1azl5tKfH+RTeXuNV/rYY6hPvrareKlIXSeQ=,tag:/ar87eAjMod4TmQXoerNBQ==,type:str]
    gitea-actions-token: ENC[AES256_GCM,data:QTEPMAh1RWWJ/O3yhkQkEBTdVL8XhIRGCDbiM0lLjfILKF4SpSJ2sA==,iv:mBaaB1JHb2KVc9n2pdeX4pSMvb7q5z3joMT7rR5Whgs=,tag:ef+58SI4AUeqUsk3RVDsRQ==,type:str]
    gitea-pr-token: ENC[AES256_GCM,data:ybTya4X2wd65pNFSGbQkg73lu66GNtSba4yf8J6tT8XkuOtfvtBS4g==,iv:39mJiAlw4kud4l06jOpxOCRumChE/5q8IBNsPHG1rMc=,tag:MEvHD2b9E3fVHLlz7haNyw==,type:str]
    honeycomb-id: ENC[AES256_GCM,data:PndCclCbSMrgmlYdQ5a8//IB+hg9uB0ZwidIZFiKN6w=,iv:mxFcGPnY0eCliugvQT5HR9aGzJIvXZI6FTo8rphVQMM=,tag:3huIaIy7da0gx2G/BVJJLQ==,type:str]
    honeycomb-secret: ENC[AES256_GCM,data:x2MZPgAJz3I1m+rjSVpINZdQVbu50XiwEtPGEX/kbJw=,iv:bPNNtXIES0pCLc4Nu/886nwoOVXaZgyTxndSpyWWU0E=,tag:igdd/NPCDpcvzSd9LO4hyw==,type:str]
 sops:
    age:
        - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
@@ -39,8 +41,8 @@ sops:
            ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
            7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-07T23:43:57Z"
+    lastmodified: "2026-05-03T16:20:31Z"
-    mac: ENC[AES256_GCM,data:ygQzxSpGJqXwkOq7jGDeflA2FTSSxnre/PXm0LxmxzQQW5s7LeIVSI75fMqWir0WU3Pi/xroYGEWjpCG6JvxV5RiJycTONk8VE7c3jtw3AbrHSS0b1K5tJ+Sf+q3rHJFWWk/COrPk8IsRFNb+taqH4jnaH3AAVNo5u0C1CHKMes=,iv:FO2GVDXE8SjjA81/9cDwc+dX8kJ2oHt5kqkhNBuMb54=,tag:hgzRAmsh32SCvJEvKyV+vg==,type:str]
+    mac: ENC[AES256_GCM,data:/Ui0H0wgENYnzVB7V2aAbj4dIbE+sjRpPoso75xyKepmeeMp8nv8CJLKmLmtbp+rtX287teVw4hKxb/z8M6ZHIWmgt9Zgui8/+hw5hwuMmyjPeGqJQjFH8s4zcXkOKLDoFPA65gva5gaPsreqPwOSqgqYwmds5gOcxBI3Tqdh6E=,iv:ugtug8Vb7DRUp1eC2M6ooCoPFjbqZo8htHOV4AXIcSI=,tag:4sMJsh/r57Z4VFoOBmUmXw==,type:str]
    pgp:
        - created_at: "2024-09-05T06:10:22Z"
          enc: |-
@@ -55,4 +57,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
-    version: 3.10.1
+    version: 3.12.2
Author	SHA1	Message	Date
ahuston-0	b4233b8f1c	luks migration, home migration fixes Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 9s Details Check Nix flake / Perform Nix flake checks (pull_request) Successful in 3m49s Details	2026-05-03 17:33:56 -04:00
ahuston-0	43c026c451	add argiletum Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 9s Details Check Nix flake / Perform Nix flake checks (pull_request) Failing after 2m17s Details	2026-05-03 14:09:35 -04:00
ahuston-0	9222be4052	add argiletum	2026-05-03 13:59:56 -04:00
ahuston-0	24d451f825	add tang and clevis to palatine-hill	2026-05-03 13:29:39 -04:00
ahuston-0	f5d0f97400	Merge pull request 'add otel and honeycomb' (#225 ) from feature/otel-host into main Check flake.lock / Check health of `flake.lock` (push) Successful in 43s Details Check Nix flake / Perform Nix flake checks (push) Successful in 2m30s Details Reviewed-on: #225	2026-05-03 12:40:53 -04:00
ahuston-0	5dad72daa4	add otel and honeycomb Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 2m41s Details Check Nix flake / Perform Nix flake checks (pull_request) Successful in 5m6s Details	2026-05-03 12:34:42 -04:00