ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions 1 Packages Projects Releases Wiki Activity

Compare commits

base: ahuston-0:feature/kanidm
Branches Tags
ahuston-0:main ahuston-0:feature/kanidm ahuston-0:feature/avahi ahuston-0:feature/mvpf ahuston-0:feature/stoneblock ahuston-0:feature/add-jessica ahuston-0:feature/hetzner-bridge ahuston-0:feature/setting-up-greylog ahuston-0:feature/add-unpackerr ahuston-0:feature/onboarding-kubernetes
..
compare: ahuston-0:3b03217f4949b89a9b6f6d966ea1fccd6a5503e1
Branches Tags
ahuston-0:feature/kanidm ahuston-0:main ahuston-0:feature/avahi ahuston-0:feature/mvpf ahuston-0:feature/stoneblock ahuston-0:feature/add-jessica ahuston-0:feature/hetzner-bridge ahuston-0:feature/setting-up-greylog ahuston-0:feature/add-unpackerr ahuston-0:feature/onboarding-kubernetes

1 Commits
feature/ka ... 3b03217f49

Author SHA1 Message Date
github-actions[bot]
3b03217f49 automated: Update flake.lock
Some checks failed
Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 7s
Details
Check Nix flake / Perform Nix flake checks (pull_request) Failing after 5m29s
Details 
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].

[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
 2026-04-27 12:17:48 +00:00
28 changed files with 79 additions and 787 deletions
Expand all files Collapse all files

8
.gitconfig
View File

@@ -1,9 +1,11 @@
# run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :) # run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :)
# run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured # run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured
# the command below intentionally avoids nested shell quoting because git config parsing is strict # if for whatever reason the below doesn't work, try modifying the mergetool command as below
# find: $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh
# replace: ./utils/sops-mergetool.sh
[mergetool "sops-mergetool"] [mergetool "sops-mergetool"]
cmd = $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh $BASE $LOCAL $REMOTE $MERGED cmd = bash -c "$(git rev-parse --show-toplevel)/utils/sops-mergetool.sh \"\$BASE\" \"\$LOCAL\" \"\$REMOTE\" \"\$MERGED\""
[merge] [merge]
tool = nvimdiff tool = nvimdiff
[mergetool "nvimdiff"] [mergetool "nvimdiff"]
layout = (LOCAL,BASE,REMOTE)/MERGED layout = MERGED

169
.github/workflows/update-claurst.yml vendored
View File

@@ -1,169 +0,0 @@
name: "Update claurst"
on:
repository_dispatch:
workflow_dispatch:
schedule:
- cron: "00 14 * * 1" # Every Monday at 14:00 UTC
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
update_claurst:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Get current claurst version
id: current
run: |
VERSION=$(grep 'version = ' pkgs/claurst/default.nix | head -1 | sed 's/.*version = "\(.*\)".*/\1/')
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "Current version: $VERSION"
- name: Get latest claurst release
id: latest
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const release = await github.rest.repos.getLatestRelease({
owner: 'Kuberwastaken',
repo: 'claurst',
});
const tag = release.data.tag_name.replace(/^v/, '');
core.setOutput('version', tag);
core.info(`Latest release: ${tag}`);
- name: Check if update needed
id: check_update
run: |
CURRENT="${{ steps.current.outputs.version }}"
LATEST="${{ steps.latest.outputs.version }}"
if [ "$CURRENT" = "$LATEST" ]; then
echo "No update needed (current: $CURRENT, latest: $LATEST)"
echo "update_needed=false" >> $GITHUB_OUTPUT
else
echo "Update needed (current: $CURRENT, latest: $LATEST)"
echo "update_needed=true" >> $GITHUB_OUTPUT
fi
- name: Update claurst if new version available
if: steps.check_update.outputs.update_needed == 'true'
id: update
run: |
NEW_VERSION="${{ steps.latest.outputs.version }}"
# Backup original file
cp pkgs/claurst/default.nix pkgs/claurst/default.nix.bak
# Update version placeholder with empty hash to compute it
sed -i "s/version = \"[^\"]*\"/version = \"$NEW_VERSION\"/" pkgs/claurst/default.nix
# Try to fetch the new src hash
echo "Computing src hash for v$NEW_VERSION..."
SRC_HASH=$(nix-prefetch-url --unpack "https://github.com/Kuberwastaken/claurst/archive/refs/tags/v$NEW_VERSION.tar.gz" 2>/dev/null | tail -1 || echo "")
if [ -z "$SRC_HASH" ]; then
echo "Failed to compute src hash, reverting"
mv pkgs/claurst/default.nix.bak pkgs/claurst/default.nix
exit 1
fi
SRC_HASH="sha256-$SRC_HASH"
echo "New src hash: $SRC_HASH"
# Update src hash
sed -i "s|hash = \"sha256-[^\"]*\"|hash = \"$SRC_HASH\"|" pkgs/claurst/default.nix
# Compute cargoHash - this requires building
echo "Computing cargo hash..."
CARGO_HASH=$(nix build \
--no-eval-cache \
--expr "(import ./pkgs/default.nix { nixpkgs = import <nixpkgs> { }; }).mkPkgs \"x86_64-linux\" | .claurst" \
2>&1 | grep -oP 'got:\s*\K[^"]+' | head -1 || echo "")
if [ -z "$CARGO_HASH" ]; then
echo "Failed to compute cargo hash, trying with attribute substitution..."
CARGO_HASH=$(nix eval \
--impure \
--expr "
let
pkgs = import <nixpkgs> { config.allowUnsupportedSystem = true; };
claurst = import pkgs/claurst { inherit pkgs; };
in claurst.cargoHash
" 2>&1 | tail -1)
fi
if [ ! -z "$CARGO_HASH" ]; then
echo "New cargo hash: $CARGO_HASH"
sed -i "s|cargoHash = \"[^\"]*\"|cargoHash = \"$CARGO_HASH\"|" pkgs/claurst/default.nix
fi
rm -f pkgs/claurst/default.nix.bak
echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
- name: Validate nix flake
if: steps.check_update.outputs.update_needed == 'true'
run: |
echo "Running nix flake check..."
nix flake check --show-trace || true
- name: Build claurst to verify changes
if: steps.check_update.outputs.update_needed == 'true'
run: |
echo "Building updated claurst package..."
nix build ".#artemision.config.environment.systemPackages" --no-eval-cache 2>&1 | tail -20 || true
- name: Generate PR body
if: steps.check_update.outputs.update_needed == 'true'
id: pr_body
run: |
cat > pr_body.md << 'EOF'
# Claurst Update
Automated claurst package update.
**Changes:**
- Version: `${{ steps.current.outputs.version }}` → `${{ steps.update.outputs.version }}`
- Source hash updated
- Cargo hash updated
Auto-generated by [update-claurst.yml][1].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml
EOF
cat pr_body.md
- name: Create Pull Request
if: steps.check_update.outputs.update_needed == 'true'
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
add-paths: pkgs/claurst/default.nix
body-path: pr_body.md
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: "automated: Update claurst to ${{ steps.update.outputs.version }}"
commit-message: |
automated: Update claurst to ${{ steps.update.outputs.version }}
- Bumped version from ${{ steps.current.outputs.version }} to ${{ steps.update.outputs.version }}
- Updated src and cargo hashes
Auto-generated by [update-claurst.yml][1].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml
branch: update-claurst
delete-branch: true
pr-labels: |
dependencies
automated
- name: Print PR result
if: steps.check_update.outputs.update_needed == 'true'
run: |
echo "Pull request created successfully"
echo "Version updated: ${{ steps.current.outputs.version }} → ${{ steps.update.outputs.version }}"
permissions:
pull-requests: write
contents: write

105
AGENTS.md
View File

@@ -1,105 +0,0 @@
> Note: This document was AI-generated and reviewed by a maintainer.
# AGENTS Guide for nix-dotfiles
This file is the quick-start map for coding agents working in this repository.
Use this first, then follow the linked source files for full detail.
## Purpose and Scope
- Repository type: flake-based NixOS + Home Manager dotfiles/infrastructure.
- Primary goals: safe system/user config edits, reproducible builds, and clean secrets handling.
- Default assumption: preserve existing module patterns and avoid broad refactors unless requested.
## Source of Truth
Read these files before substantial changes:
- `.github/copilot-instructions.md`: Full repository guide for structure, workflows, dynamic system generation, module patterns, and SOPS handling.
- `.github/instructions/ai-doc-attribution.instructions.md`: Markdown rule for top-of-document attribution when docs are fully AI-generated.
- `flake.nix`: Flake inputs/outputs entrypoint; system generation begins here.
- `lib/systems.nix`: Core dynamic config assembly (`genSystems`, `constructSystem`, and wrapper generators).
- `systems/<hostname>/default.nix`: Per-host parameters (users, home, sops, server role, extra modules).
- `systems/<hostname>/configuration.nix`: Main host config.
- `modules/*.nix`: Global modules automatically imported into all systems.
- `users/<username>/home.nix` and `users/<username>/default.nix`: Home Manager and user account configuration.
- `hydra/jobs.nix` and `hydra/jobsets.nix`: CI/build orchestration details.
## Repo Mental Model
- `systems/` contains host-specific configs.
- `modules/` contains global modules applied across hosts.
- `users/` contains user and home-manager configs.
- `lib/systems.nix` auto-discovers hosts and composes final configs.
- SOPS secrets are colocated with hosts/users via `secrets.yaml` files.
## Dynamic Configuration Rules
- Hosts are auto-discovered from subdirectories in `systems/`.
- Each host's `default.nix` feeds `constructSystem` parameters.
- Effective module merge order matters. High-level order is: 1) base external
modules, 2) host essentials (`hardware.nix`, `configuration.nix`), 3)
host-specific modules from `systems/<host>/default.nix`, 4) global
`modules/*.nix`, 5) optional SOPS and Home Manager/user layers.
- Global modules load after host config, so explicit overrides may require `lib.mkForce` depending on target option.
## Editing Conventions
- Keep changes minimal and scoped to the requested behavior.
- Preserve existing Nix style and option naming patterns.
- Prefer module options + `lib.mkIf` toggles over hard-coded behavior.
- Use `lib.mkDefault` for soft defaults and `lib.mkForce` only when necessary.
- Do not commit plaintext secrets.
- Update docs when behavior/workflow changes.
## Validation and Workflow
Typical local sequence:
1. Make targeted edits.
2. Evaluate and build with `nix flake check` and `nix build .#<hostname>`.
3. Optionally deploy/apply with `nh os switch` or `nh home switch`.
4. For secrets-related changes, edit with `sops .../secrets.yaml` and validate expected `config.sops.secrets` evaluation paths.
## Secrets and Safety
- Secrets live in `systems/<hostname>/secrets.yaml` and `users/<username>/secrets.yaml`.
- Use SOPS for create/edit/rekey operations.
- During merge conflicts in encrypted files, prefer repository SOPS merge tooling (`utils/sops-mergetool.sh`, `utils/sops-mergetool-new.sh`).
## Agent and Tool Routing
When a specialized agent is available, route work by intent:
- `Explore`: Fast read-only repository exploration and Q&A.
- `dependency-auditor`: Flake/module dependency security and CVE-oriented audits.
- `security-researcher`: Read-only server security configuration audits.
- `server-architect`: Server integration/review planning for `palatine-hill` style infra changes.
Use Nix lookup tooling for package/options discovery; prefer `unstable` channel when channel selection is available.
## Where To Look Next (By Task)
- Add a new host: see `.github/copilot-instructions.md` sections on "Adding a New NixOS System", plus `systems/<new-host>/default.nix`, `hardware.nix`, and `configuration.nix`.
- Add/modify a global capability: see `modules/*.nix` and the `.github/copilot-instructions.md` section "Adding a Global Module to modules/".
- Change user/home-manager behavior: see `users/<username>/home.nix` and `users/<username>/default.nix`.
- Modify build/release automation: see `hydra/jobs.nix` and `hydra/jobsets.nix`.
- Work with secrets: see `.sops.yaml`, `systems/*/secrets.yaml`, `users/*/secrets.yaml`, and the `.github/copilot-instructions.md` section "Secrets Management".
- Validate module composition/debug evaluation: see `lib/systems.nix` and `nix eval .#nixosConfigurations.<host>...`.
## Documentation Attribution Rule
For Markdown docs (`**/*.md`):
- If a document is fully AI-generated, include explicit attribution near the top.
- Accepted label includes "AI-generated documentation" wording.
- Do not imply fully human authorship for fully AI-authored content.
## Quick Command Reference
- `nh os build`
- `nh os switch`
- `nh home switch`
- `nix build .#<hostname>`
- `nix flake check`
- `nix eval .#nixosConfigurations.<hostname>.config.<path>`

2
README.md
View File

@@ -3,7 +3,7 @@
This repository contains the flake required to build critical and personal This repository contains the flake required to build critical and personal
infrastructure running NixOS. The setup can be explored as follows. infrastructure running NixOS. The setup can be explored as follows.
This repo supports `x86_64-linux` and (theoretically) `aarch64-linux`. This repo supports `x86_64-linux` and (theorically) `aarch64-linux`.
## Setting Up ## Setting Up

24
flake.lock generated
View File

@@ -76,11 +76,11 @@
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1777348977, "lastModified": 1777262571,
"narHash": "sha256-9aKuCI5TKHKnP073B1VzBdLRLAQJE7R9rbJWaSFXr3M=", "narHash": "sha256-ni1Cz9BChOXO6C0H4cRAq6bJRQIUV40Yet306ZOEEHs=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "a314975f42bfa9665bf77d1586ee0e123790ed27", "rev": "0827fcbe30e591e79b0554ecc5be9c79ba71a86b",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@@ -240,11 +240,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1777349711, "lastModified": 1777258755,
"narHash": "sha256-PGKgo2dO6fK603QGI+DWXdKmS09pbJjjTxwRHdhkGZA=", "narHash": "sha256-EC07KwADRE2LdIk7vEDyAaD3I0ZUq24T9jQF9L0iEPk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "c1140540536d483e2730320100f6835d62c94fdf", "rev": "7f8bbc93d63401e41368d6ddc46a4f631610fa90",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -594,11 +594,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1777346187, "lastModified": 1777259803,
"narHash": "sha256-oVxyGjpiIsrXhWTJVUOs38fZQkLjd0nZGOY9K7Kfot8=", "narHash": "sha256-fIb/EoVu/1U0qVrE6qZCJ2WCfprRpywNIAVzKEACIQc=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "146e7bf7569b8288f24d41d806b9f584f7cfd5b5", "rev": "a6cb2224d975e16b5e67de688c6ad306f7203425",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -614,11 +614,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1777338324, "lastModified": 1776771786,
"narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=", "narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5", "rev": "bef289e2248991f7afeb95965c82fbcd8ff72598",
"type": "github" "type": "github"
}, },
"original": { "original": {

10
flake.nix
View File

@@ -164,23 +164,19 @@
lib = self; lib = self;
} }
); );
packageSetup = import ./pkgs/default.nix { inherit nixpkgs; };
inherit (packageSetup) localPackagesOverlay;
inherit (lib.adev.systems) genSystems getImages; inherit (lib.adev.systems) genSystems getImages;
inherit (self) outputs; # for hydra inherit (self) outputs; # for hydra
in in
rec { rec {
inherit lib; # for allowing use of custom functions in nix repl inherit lib; # for allowing use of custom functions in nix repl
overlays.default = localPackagesOverlay;
hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; }; hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt); formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt);
nixosConfigurations = genSystems inputs outputs src (src + "/systems"); nixosConfigurations = genSystems inputs outputs src (src + "/systems");
homeConfigurations = { homeConfigurations = {
"alice" = inputs.home-manager.lib.homeManagerConfiguration { "alice" = inputs.home-manager.lib.homeManagerConfiguration {
pkgs = packageSetup.mkPkgs "x86_64-linux"; pkgs = import nixpkgs { system = "x86_64-linux"; };
modules = [ modules = [
inputs.stylix.homeModules.stylix inputs.stylix.homeModules.stylix
inputs.sops-nix.homeManagerModules.sops inputs.sops-nix.homeManagerModules.sops
@@ -207,7 +203,9 @@
qcow = getImages nixosConfigurations "qcow"; qcow = getImages nixosConfigurations "qcow";
}; };
packages = forEachSystem packageSetup.mkPackages; packages.x86_64-linux.lego-latest =
nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix
{ };
checks = import ./checks.nix { inherit inputs forEachSystem formatter; }; checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
devShells = import ./shell.nix { inherit inputs forEachSystem checks; }; devShells = import ./shell.nix { inherit inputs forEachSystem checks; };

1
lib/systems.nix
View File

@@ -172,7 +172,6 @@ rec {
modules = [ modules = [
inputs.nixos-modules.nixosModule inputs.nixos-modules.nixosModule
inputs.nix-index-database.nixosModules.nix-index inputs.nix-index-database.nixosModules.nix-index
{ nixpkgs.overlays = [ outputs.overlays.default ]; }
(genHostName hostname) (genHostName hostname)
(configPath + "/hardware.nix") (configPath + "/hardware.nix")
(configPath + "/configuration.nix") (configPath + "/configuration.nix")

2
pkgs/bitwarden-rofi/default.nix
View File

@@ -19,7 +19,6 @@
libnotify, libnotify,
}: }:
let let
maintainers = import ../maintainers.nix;
bins = [ bins = [
jq jq
bitwarden-cli bitwarden-cli
@@ -65,7 +64,6 @@ stdenv.mkDerivation {
description = "Wrapper for Bitwarden and Rofi"; description = "Wrapper for Bitwarden and Rofi";
homepage = "https://github.com/mattydebie/bitwarden-rofi"; homepage = "https://github.com/mattydebie/bitwarden-rofi";
license = licenses.gpl3; license = licenses.gpl3;
maintainers = [ maintainers.alice ];
platforms = platforms.linux; platforms = platforms.linux;
}; };

52
pkgs/claurst/default.nix
View File

@@ -1,52 +0,0 @@
{
lib,
fetchFromGitHub,
rustPlatform,
pkg-config,
openssl,
alsa-lib,
dbus,
libxkbcommon,
libxcb,
}:
let
maintainers = import ../maintainers.nix;
in
rustPlatform.buildRustPackage rec {
pname = "claurst";
version = "0.0.9";
src = fetchFromGitHub {
owner = "Kuberwastaken";
repo = "claurst";
rev = "v${version}";
hash = "sha256-bTQHtZGZxhEAki0JxSC8smAC3w+otm8ubHvZ9MvwDaE=";
};
cargoRoot = "src-rust";
cargoHash = "sha256-6+B43spqmUZ983YMl5UBH5647DcUOS2ngw5ChMIPFFo=";
buildAndTestSubdir = "src-rust";
doCheck = false;
nativeBuildInputs = [
pkg-config
];
buildInputs = [
openssl
alsa-lib
dbus
libxkbcommon
libxcb
];
meta = with lib; {
description = "Terminal coding agent written in Rust";
homepage = "https://github.com/Kuberwastaken/claurst";
license = licenses.gpl3Only;
mainProgram = "claurst";
maintainers = [ maintainers.alice ];
platforms = platforms.linux;
};
}

35
pkgs/default.nix
View File

@@ -1,35 +0,0 @@
{ nixpkgs }:
let
localPackagesOverlay = final: _prev: {
lego-latest = final.callPackage ./lego-latest/default.nix { };
claurst = final.callPackage ./claurst/default.nix { };
bitwarden-rofi = final.callPackage ./bitwarden-rofi/default.nix { };
};
mkPkgs =
system:
import nixpkgs {
inherit system;
overlays = [ localPackagesOverlay ];
};
mkPackages =
system:
let
pkgs = mkPkgs system;
in
{
inherit (pkgs)
lego-latest
claurst
bitwarden-rofi
;
};
in
{
inherit
localPackagesOverlay
mkPkgs
mkPackages
;
}

8
pkgs/maintainers.nix
View File

@@ -1,8 +0,0 @@
{
alice = {
name = "Alice Huston";
email = "aliceghuston@gmail.com";
github = "ahuston-0";
githubId = 43225907;
};
}

1
shell.nix
View File

@@ -42,7 +42,6 @@ forEachSystem (
packages = with pkgs; [ packages = with pkgs; [
deadnix deadnix
pre-commit pre-commit
openssl
treefmt treefmt
statix statix
nixfmt nixfmt

1
systems/artemision/programs.nix
View File

@@ -7,7 +7,6 @@
amdgpu_top amdgpu_top
android-tools android-tools
bitwarden-cli bitwarden-cli
bitwarden-rofi
bfg-repo-cleaner bfg-repo-cleaner
brightnessctl brightnessctl
btop btop

46
systems/palatine-hill/backup.nix
View File

@@ -1,46 +0,0 @@
{ config, pkgs, ... }:
{
# Restic backups to the local REST server (docker/restic.nix, port 8010, private repos).
# Each service gets its own repo: rest:http://localhost:8010/<username>/
# REST credentials are injected via sops templates as an EnvironmentFile.
# Add new jobs below following the same pattern.
sops = {
secrets."restic/kanidm_password" = { };
secrets."restic/kanidm_rest_password" = { };
# Compose a KEY=VALUE env file for the restic systemd service.
templates."restic-kanidm-env" = {
content = ''
RESTIC_REST_USERNAME=kanidm
RESTIC_REST_PASSWORD=${config.sops.placeholder."restic/kanidm_rest_password"}
'';
};
};
services.restic.backups = {
kanidm = {
repository = "rest:http://localhost:8010/kanidm/";
passwordFile = config.sops.secrets."restic/kanidm_password".path;
environmentFile = config.sops.templates."restic-kanidm-env".path;
# Checkpoint the SQLite WAL before backup so the snapshot is consistent.
backupPrepareCommand = ''
${pkgs.sqlite}/bin/sqlite3 /var/lib/kanidm/kanidm.db "PRAGMA wal_checkpoint(FULL);"
'';
paths = [ "/var/lib/kanidm" ];
timerConfig = {
OnCalendar = "04:00";
Persistent = true;
};
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
};
}

3
systems/palatine-hill/configuration.nix
View File

@@ -9,7 +9,6 @@
./acme.nix ./acme.nix
./attic ./attic
./docker ./docker
./garage.nix
./gitea.nix ./gitea.nix
./firewall.nix ./firewall.nix
./haproxy ./haproxy
@@ -21,8 +20,6 @@
./nextcloud.nix ./nextcloud.nix
#./plex #./plex
./postgresql.nix ./postgresql.nix
./backup.nix
./kanidm.nix
./samba.nix ./samba.nix
./zfs.nix ./zfs.nix
]; ];

4
systems/palatine-hill/docker/default.nix
View File

@@ -10,11 +10,11 @@
#./firefly.nix #./firefly.nix
#./foundry.nix #./foundry.nix
./glances.nix ./glances.nix
./haproxy.nix # ./haproxy.nix
./minecraft.nix ./minecraft.nix
./nextcloud.nix ./nextcloud.nix
# ./postgres.nix # ./postgres.nix
./restic.nix # ./restic.nix
./torr.nix ./torr.nix
# ./unifi.nix # ./unifi.nix
]; ];

17
systems/palatine-hill/docker/haproxy.cfg
View File

@@ -50,7 +50,6 @@ frontend ContentSwitching
acl host_minio hdr(host) -i minio.alicehuston.xyz acl host_minio hdr(host) -i minio.alicehuston.xyz
acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz
acl host_attic hdr(host) -i attic.nayeonie.com acl host_attic hdr(host) -i attic.nayeonie.com
acl host_s3 hdr(host) -i s3.nayeonie.com
acl host_minio hdr(host) -i minio.nayeonie.com acl host_minio hdr(host) -i minio.nayeonie.com
acl host_minio_console hdr(host) -i minio-console.nayeonie.com acl host_minio_console hdr(host) -i minio-console.nayeonie.com
#acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz #acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz
@@ -58,7 +57,6 @@ frontend ContentSwitching
acl host_prometheus hdr(host) -i prom.alicehuston.xyz acl host_prometheus hdr(host) -i prom.alicehuston.xyz
acl host_gitea hdr(host) -i git.alicehuston.xyz acl host_gitea hdr(host) -i git.alicehuston.xyz
acl host_gitea hdr(host) -i nayeonie.com acl host_gitea hdr(host) -i nayeonie.com
acl host_kanidm hdr(host) -i auth.nayeonie.com
# Backend-forwarding # Backend-forwarding
use_backend www_nodes if host_www use_backend www_nodes if host_www
# use_backend ldapui_nodes if host_ldapui # use_backend ldapui_nodes if host_ldapui
@@ -69,14 +67,12 @@ frontend ContentSwitching
use_backend nextcloud_nodes if host_nextcloud use_backend nextcloud_nodes if host_nextcloud
use_backend hydra_nodes if host_hydra use_backend hydra_nodes if host_hydra
use_backend attic_nodes if host_attic use_backend attic_nodes if host_attic
use_backend garage_nodes if host_s3
#use_backend nextcloud_vol_nodes if host_nextcloud_vol #use_backend nextcloud_vol_nodes if host_nextcloud_vol
# use_backend collabora_nodes if host_collabora # use_backend collabora_nodes if host_collabora
use_backend prometheus_nodes if host_prometheus use_backend prometheus_nodes if host_prometheus
use_backend minio_nodes if host_minio use_backend minio_nodes if host_minio
use_backend minio_console_nodes if host_minio_console use_backend minio_console_nodes if host_minio_console
use_backend gitea_nodes if host_gitea use_backend gitea_nodes if host_gitea
use_backend kanidm_nodes if host_kanidm
#frontend ldap #frontend ldap
# bind *:389 # bind *:389
@@ -146,10 +142,6 @@ backend minio_console_nodes
mode http mode http
server server 192.168.76.2:8501 server server 192.168.76.2:8501
backend garage_nodes
mode http
server server 192.168.76.2:8502
# backend foundry_nodes # backend foundry_nodes
# timeout tunnel 50s # timeout tunnel 50s
# mode http # mode http
@@ -185,15 +177,6 @@ backend gitea_nodes
mode http mode http
server server 192.168.76.2:6443 server server 192.168.76.2:6443
backend kanidm_nodes
mode http
option forwardfor
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Host %[req.hdr(host)]
acl internal src 192.168.76.0/24 192.168.191.0/24
http-request deny unless internal
server server 192.168.76.2:8443 ssl verify none
#backend netdata_nodes #backend netdata_nodes
# mode http # mode http
# server server 192.168.76.2:19999 # server server 192.168.76.2:19999

2
systems/palatine-hill/docker/haproxy.nix
View File

@@ -23,6 +23,8 @@
}; };
dependsOn = [ dependsOn = [
"nextcloud" "nextcloud"
"grafana"
"foundryvtt"
"glances" "glances"
"mc-router" "mc-router"
]; ];

48
systems/palatine-hill/garage.nix
View File

@@ -1,48 +0,0 @@
{
config,
pkgs,
...
}:
let
vars = import ./vars.nix;
basePath = "${vars.primary_minio}/garage";
in
{
services.garage = {
enable = true;
package = pkgs.garage;
logLevel = "info";
settings = {
metadata_dir = "${basePath}/meta";
data_dir = "${basePath}/data";
db_engine = "sqlite";
replication_factor = 1;
rpc_bind_addr = "127.0.0.1:8504";
rpc_public_addr = "127.0.0.1:8504";
rpc_secret_file = config.sops.secrets."garage/rpc-secret".path;
s3_api = {
api_bind_addr = "127.0.0.1:8502";
s3_region = "us-east-1";
root_domain = ".s3.nayeonie.com";
};
admin = {
api_bind_addr = "127.0.0.1:8503";
admin_token_file = config.sops.secrets."garage/admin-token".path;
};
};
};
systemd.tmpfiles.rules = [
"d ${basePath}/meta 0750 garage garage -"
"d ${basePath}/data 0750 garage garage -"
];
sops.secrets = {
"garage/rpc-secret" = { };
"garage/admin-token" = { };
};
}

46
systems/palatine-hill/gitea.nix
View File

@@ -37,10 +37,6 @@ in
service = { service = {
DISABLE_REGISTRATION = true; DISABLE_REGISTRATION = true;
}; };
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = false;
};
log = { log = {
LEVEL = "Trace"; LEVEL = "Trace";
ENABLE_SSH_LOG = true; ENABLE_SSH_LOG = true;
@@ -75,48 +71,6 @@ in
after = [ "docker.service" ]; after = [ "docker.service" ];
}; };
systemd.services.gitea-kanidm-oidc-bootstrap = {
description = "Bootstrap Gitea Kanidm OIDC auth source";
wantedBy = [ "multi-user.target" ];
requires = [ "gitea.service" ];
after = [ "gitea.service" ];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
path = [
config.services.gitea.package
pkgs.coreutils
pkgs.gnugrep
];
script = ''
set -eu
APP_INI="${config.services.gitea.customDir}/conf/app.ini"
if gitea admin auth list --config "$APP_INI" | grep -Fq "Kanidm OIDC"; then
exit 0
fi
gitea admin auth add-oauth \
--config "$APP_INI" \
--name "Kanidm OIDC" \
--provider openidConnect \
--key "gitea" \
--secret "$(<${config.sops.secrets."kanidm/gitea_oidc_client_secret".path})" \
--auto-discover-url "https://auth.nayeonie.com/oauth2/openid/gitea/.well-known/openid-configuration" \
--scopes openid \
--scopes profile \
--scopes email \
--full-name-claim-name name \
--group-claim-name groups \
--required-claim-name groups \
--required-claim-value gitea-users \
--admin-group gitea-users
'';
};
networking.firewall.allowedTCPPorts = [ 6443 ]; networking.firewall.allowedTCPPorts = [ 6443 ];
sops.secrets = { sops.secrets = {

38
systems/palatine-hill/haproxy/auth.nix
View File

@@ -1,38 +0,0 @@
# HAProxy routing stubs for Kanidm.
# These are ADDITIVE fragments — merge into your main haproxy config.
# Assumes:
# - HAProxy terminates TLS using the acme-nayeonie.com certificate
# - Kanidm HTTPS listens on [::1]:8443
# - Kanidm LDAP compat listens on [::1]:3890
# - ACL-based routing by SNI / Host header
#
# In your main frontend (or add a dedicated one):
#
# acl host_kanidm hdr(host) -i auth.nayeonie.com # internal/admin only
#
# use_backend kanidm if host_kanidm
#
# --- Kanidm backend ---
#
# backend kanidm
# mode http
# option forwardfor
# http-request set-header X-Forwarded-Proto https
# http-request set-header X-Forwarded-Host %[req.hdr(host)]
# acl internal src 192.168.76.0/24 192.168.191.0/24
# http-request deny unless internal
# server kanidm [::1]:8443 ssl verify none check
#
# --- Forward-auth pattern for protecting other backends with Kanidm ---
#
# To protect an existing backend with Kanidm OIDC, add oauth2-proxy.
# The simplest
# path for HAProxy is:
#
# 1. Deploy oauth2-proxy (services.oauth2-proxy) configured against
# Kanidm as OIDC provider (issuer https://auth.nayeonie.com).
# 2. In HAProxy frontend, redirect unauthenticated requests to
# oauth2-proxy before forwarding to the real backend.
#
# This is left as a follow-up — get Kanidm running first.
{ ... }: { }

127
systems/palatine-hill/kanidm.nix
View File

@@ -1,127 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
domain = "nayeonie.com";
authDomain = "auth.${domain}";
aliceSshKeys = config.users.users.alice.openssh.authorizedKeys.keys;
in
{
services = {
kanidm = {
package = pkgs.kanidm_1_9.withSecretProvisioning;
server = {
enable = true;
settings = {
origin = "https://${authDomain}";
inherit domain;
bindaddress = "0.0.0.0:8443";
ldapbindaddress = "0.0.0.0:3890";
tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
tls_key = "/var/lib/acme/${domain}/key.pem";
db_fs_type = "zfs";
};
};
# Reuse the existing secret during migration; rotate/rename in a follow-up.
provision = {
enable = true;
instanceUrl = "https://${authDomain}";
adminPasswordFile = config.sops.secrets."kanidm/admin_password".path;
idmAdminPasswordFile = config.sops.secrets."kanidm/admin_password".path;
acceptInvalidCerts = false;
groups = {
gitea-users = {
present = true;
};
};
persons = {
alice = {
displayName = "Alice";
mailAddresses = [ "aliceghuston@gmail.com" ];
present = true;
groups = [ "gitea-users" ];
};
};
systems.oauth2.gitea = {
present = true;
displayName = "Gitea";
public = false;
basicSecretFile = config.sops.secrets."kanidm/gitea_oidc_client_secret".path;
originUrl = "https://nayeonie.com/user/oauth2/kanidm/callback";
originLanding = "https://nayeonie.com/";
preferShortUsername = true;
scopeMaps = {
gitea-users = [
"openid"
"email"
"profile"
];
};
claimMaps.groups.valuesByGroup = {
gitea-users = [ "gitea-users" ];
};
};
};
};
};
sops.secrets = {
"kanidm/admin_password".owner = "kanidm";
"kanidm/gitea_oidc_client_secret".owner = "kanidm";
};
# Certs are currently group-readable by haproxy for docker HAProxy.
users.users.kanidm.extraGroups = [ "haproxy" ];
systemd.services.kanidm-person-ssh-keys-bootstrap = {
description = "Bootstrap Kanidm SSH public keys for alice";
wantedBy = [ "multi-user.target" ];
requires = [ "kanidm.service" ];
after = [ "kanidm.service" ];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
path = [
config.services.kanidm.package
pkgs.coreutils
pkgs.gawk
pkgs.gnugrep
];
script = ''
set -eu
url="https://${authDomain}"
password="$(<${config.sops.secrets."kanidm/admin_password".path})"
state_dir="/var/lib/kanidm/ssh-bootstrap"
mkdir -p "$state_dir"
chmod 700 "$state_dir"
export HOME="$state_dir"
# Authenticate idm_admin for CLI operations.
printf '%s\n' "$password" | kanidm login -H "$url" -D idm_admin >/dev/null
existing_keys="$(kanidm -H "$url" -D idm_admin person ssh list-publickeys alice || true)"
i=0
${lib.concatMapStringsSep "\n" (
key:
" i=$((i + 1))\n if ! printf '%s\\n' \"$existing_keys\" | grep -Fq ${lib.escapeShellArg key}; then\n kanidm -H \"$url\" -D idm_admin person ssh add-publickey alice \"home-key-$i\" ${lib.escapeShellArg key} >/dev/null\n fi"
) aliceSshKeys}
'';
};
networking.firewall.allowedTCPPorts = [
3890
8443
];
}

1
systems/palatine-hill/postgresql.nix
View File

@@ -34,7 +34,6 @@ in
local /.*arr-main /.*arr scram-sha-256 local /.*arr-main /.*arr scram-sha-256
local /.*arr-log /.*arr scram-sha-256 local /.*arr-log /.*arr scram-sha-256
local jellyseerr jellyseerr scram-sha-256 local jellyseerr jellyseerr scram-sha-256
host all all 192.168.76.0/24 ldap ldapserver=127.0.0.1 ldapport=3890 ldapbasedn="dc=nayeonie,dc=com" ldapsearchattribute="uid"
''; '';
# initialScript = config.sops.secrets."postgres/init".path; # initialScript = config.sops.secrets."postgres/init".path;

104
systems/palatine-hill/secrets.yaml
View File

@@ -1,80 +1,72 @@
hydra: hydra:
environment: ENC[AES256_GCM,data:6Qje83f1eXNwBDrGEeq4itNWrDSSGlD3Qmz0Ni3AeMBfJ1Q/9bSeG0icCOynb0UkQfTccKYMECMG2Fn6NlP8sD/9nVyu3CSM7OO7+pJY7F/7vDl8p03e+aatIV+g34pzQygO1UYrfMrk1MDhmu+e05kugyHHFtmBAGeSc7o4cgH1tWQCY470CTtPv4HiLDFHyz1RYrXE6nZD+NynnNJGKGNYqBK85+pb9xJXgtwqB0J9kl0ZsCOyt8zs1WcFaXo+dK73Bpogv/clru6ckTo+bfY=,iv:imdrJ+CZxK7AQwbEsKyL/YfvgsXkUSfA/3AOz9FQeyc=,tag:8i4hFyrxZXBcOPT5MqjijA==,type:str] environment: ENC[AES256_GCM,data:G/6DOeRdjjp5PGpsHCHneW2X/OQzSH6gozKmgOlK6/bSdQltv4U00AYNOrUYYlH9Yab7JSYBfQinsqRKyDVEp7LLPdlxBaztJiSZGGAdio+JHWwR7UAhAEXSgOh4qFq0SjdZzQduEOdfSYfksut3dJiAvpj6oo6hxuo8mkW4+UacpBmvpnrzHjJHeYYbb3krIhKG6bBqHLT403rLf5oYjnY16XUuYO7deAH99JkfCJKlKnDf3GLfnX78XoXSdOMUyf57PPq5EKA8mFdtZsbAmis=,iv:s903rYHyocGtVJ594+HtCyULGtuom6aUVDcbXPbH93I=,tag:YFkFAIU7cNHSuYnN+lShgA==,type:str]
nix-serve: nix-serve:
secret-key: ENC[AES256_GCM,data:fdZRXT0jnZMUtMTi32gPXfTJiV/xqhf0C6XnAf0hyQIVRof80P1zo5BTVt388NfBXIj0DHmsaH3Fx7m2Psoigo+B1YyUmobCQwe7NAjE281Aad2+r0xNa+YDNo1A5sKofTBORUUuAVBmQKHxByw=,iv:BrFOGZFzFNVuXUez/0bpklXAWOBy6dWYtmumVKXCOFo=,tag:pzy9q0uGxQioxxbxbrTTLw==,type:str] secret-key: ENC[AES256_GCM,data:M8MJHHO8Hd/Gm6Nxy7/IPr0s6jHEDBB9LpZq8lIWQirvZPpgNrMrnP2xFJWEuJF/ND9hU09ZHA3efIBej2siRPOWSEu4gE65W/GMtpCcwEXF0hR/ISvBsH0fci/6KGbUCVg1x9AJpjJsqevPN7I=,iv:Weuziu2me+kdB9zk68nvLnyxv0ICwB1qA4z0Q39tT6k=,tag:nhcFfRQOxEandrf6CivahA==,type:str]
attic: attic:
secret-key: ENC[AES256_GCM,data:nSKTRRZ9SeGv+kFPzu9EGPHlr6oy6cFDMqZ6t43MxQduVGliHlpnYTSwrDg3ybqov9ihP7JTEwlir/+goA5cPm6TZusYT8bczlMMWNgp10kbOGhAY+Ybv/FjiWjor6PSdGz6gXo3QSIKcUEs4CTxuSbNeoVno6x4EJltHWg/QNWDT4iAZB381SAxDGweMz+Hu0aXUKY0EMhXStcgr+b0h0JIv8KKjnatXDEQ/4r+jeRm8Qx47nUed8ZvEe/lHkK7D6ZV5O/yN7+QWw++SXEisuv3O0jGoiZ5oqdx99HfeLz2fw+3IrxZhg==,iv:PvQlzbYCCRuCbiV7SrVwulO4QX3OEYNkccIWFniQLfg=,tag:5sV3f+2WJmuJy0Wa62pZTQ==,type:str] secret-key: ENC[AES256_GCM,data:/wYnCD7qggeHdsNqkp1rZK839o/1olhJUlT1lrZpv1hTOZDduP2OGhz8kh2PrQR6Mq2Y/ALgHG3cFpJs7G64xDK0qRVGIDlC/9sTQIcF2JL49Free8vADe5ads64EN3vWgfmFoBMPmL0mc4qnDBGnBkDueFN5gy+1szK9tWK23tMl1wEWVsiqBwhuWqQBNRxeaHR2tQXI2Yg3fefq5+laOUjnSe1a8Kx4dJ7rXZuXe+H4uyU7roYFxlLpI8qZig0eUO9WUMX9WP0tKOr5OjsbJzBbdVlVT7lZ9ROYUceoxmcWecLlcyv3Q==,iv:DjH78Getnt3zzK9QLj+HS0cF1wtaBeadxSTrRb1uic0=,tag:KMPtWCq1KT1SSthh3fdsew==,type:str]
database-url: ENC[AES256_GCM,data:w1jHgn/PETG3SRRTZQvdPHnoUY1y4tHl2BpCwu03XncEPDjNP5J873mm78A2fFH/uQjuBhqRxtlK,iv:abwCrA9tgLHefCm+BVgwh4+g5CU9/Kskhvyka8/nbg8=,tag:3wJXL3u5cl/9WIVXdulHbA==,type:str] database-url: ENC[AES256_GCM,data:WHdAxNbkRxvNvfUWdPSbgeQXOS7f46OuDKTRuxf3cEyhbU5NAsGlCgfarUBXsHrCH79t7zDGlcRE,iv:trOxDY/ifsibKoX5YPOfKvX/q2ny6SgykiIBusgHxag=,tag:Cx9hhiJIhDLiojJmDdSDtg==,type:str]
adm: ENC[AES256_GCM,data:oPsk2Ks7zqIEGznU5iH5pplxFa85B8dj24lDx0tqy7Mt6ED1GHj7YLt37GGYaGQOM/YdFv3wmGG4Y4rSCLwE4kiM5iOFEcKnlePre1eoER1bf+tvFZOPyGq/SsFiYTSYqHTShfk0scHHkomwVf+gRwD3k4DjXbkjTof2ulg6Pce36E3oOEJaRzKBOrVprwpgPn8GKm1zcM5Ssr5z1ljXGx+JbtK2VtLKd2Q0kc+ikMe/cYo6YT3SlJNEKAmGRVtR/dtkkBwseBYhU7yfHbLqLGFO3EFZjYIkNfTRvDKEu6BB5wlcoKtxi4yjrz8iB2XNX5GCL7gXUWO2ZIsk4ZZMJFthqi9jYDrl,iv:f0YPT4avkVZPuo13wdNyglxW1Ea5cjKXcGa4eaPuMus=,tag:mGBnfXWCfJSHoYXH3gAsHA==,type:str] adm: ENC[AES256_GCM,data:mP4xFGK3+YwyiUMwFaG6tY3tWLGY2YTGa4DRuHzW5Za3McmwEFUzlQQ4hGS2bPKOKwM2Pe5HYBwJnFkd6KRwx5civqsBMwFt4dfZ31xDEi9RxpEm9jCnCcvB1CY8cxNARIhceC12X/ZR8ianUpoINYSjOj4BRy4TEEigi5+V4DkAXeG8+x8SWjj/mRMQMcZud4i69Ul7tpzbjUHm0s/Aasvmib13u4ZbGX/AyoOX8pQwkRHoyfMK2OvRbaeQf9fPcQxOSBALYOIXk9mEGxN1FTFHrTvrY5s0w+hC1mAjX4qm4ZM77RneAI0fJaq1hHSZETIpJOCiQfR3bLuyzWKVestOE29V8Pwq,iv:bjK1QkWUc2vs+oUoC5Z0AKR1/tmrhSLvP8BP8gzghOg=,tag:dmSDM+gbsJMDkqgIPWBfGQ==,type:str]
postgres: postgres:
init: ENC[AES256_GCM,data:6a+xTs7S36ka64S7wGd9Wpfre2CW1CoQmnqfXqPolBcYOv9m0DmCmmyfMQsrRV+LQK3Yf+sYcy0=,iv:b5wD8XgPI8kjP8n5j144mMisJl3dhrx8nWF1P+gr0qo=,tag:wG+Hlu55WwJT1aairSFVlg==,type:str] init: ENC[AES256_GCM,data:trwA30EswHEPa6V2GuHsGgU4NK/j/UQveldwHng0Ilwyqh9aZCgF3axP48MmcciBssux8DZ4O5U=,iv:VC+tpG5yuiBE7pjZ85lYCwHG/bTePxeXQDz2zyLyLYA=,tag:5+jwWTv5T5YWwQpR58QfOA==,type:str]
gitea: gitea:
dbpass: ENC[AES256_GCM,data:CN6uBXrpSYFiKxt9UfSwgw==,iv:71tgEcT+/246dPujwLwg2Z5SPICnGJUfeSA+uDgOmdU=,tag:melKWxmiE+XnukVtSt/iNg==,type:str] dbpass: ENC[AES256_GCM,data:8jECcEJ8JnK7fztTckzLrQ==,iv:yQMp5VrierOKXwiop0NUA7Qbn2eH5iUCVlKppZwKLIQ=,tag:rI9WT7zLIaFxVcTu3ufW4g==,type:str]
minio: ENC[AES256_GCM,data:D6kLP4FEc7U4H4eg5IaXYZn9Z2eSMbsKUafJnTwhHrxVYUq6L7F61iBzONgkCMrwSma6H4RVq32TeRea1gZPVoRD2yryNRrxStkJUuf7t0cjwcS/6E+x0yI/v2osmf0LQYTmGRtH,iv:dFTBhjbpfzs82KCq1m40eu0j7GPpZmzt50qLvRzy6xo=,tag:cuRmYkXz7X4iaW0x4ASkJw==,type:str] minio: ENC[AES256_GCM,data:LxY6AD+CZ9VQEl5FrG6o0XiOiizLcwiLiyH1WJD8mMCPWhDjGzt+k+YPOm1BpWzTZF8+2EoxR9oKFJu9mzTibl2Ieits0/RNwh1VdQALXw3FwfRym7CFS+Z5S8H9kGMoXWRrr+I5,iv:g/wq0r2HKfX2AwirT4hm/H1Ms/mtbf4ZuFLISikRyoI=,tag:he99s/WpKoN+lHR8r4K30w==,type:str]
upsmon: upsmon:
password: ENC[AES256_GCM,data:gA10207c1NzBSK45ezth4C6N,iv:kjiY2M3Vy61iDH2ueQooVI4JA2CwfKN0rQsI0Ch4D7s=,tag:caRjEDvLpsx0sZFUfft6QQ==,type:str] password: ENC[AES256_GCM,data:52Rxsh7KUq+aYjQORBC+Yq5B,iv:F05g/a5bv7DQ+eLlMqsNeRHLxzl7AyXU1zAlmFevQ6o=,tag:xkGDD3hDF+u5fUbP33OrlA==,type:str]
minio: minio:
credentials: ENC[AES256_GCM,data:C4qbzvteveYpC84v013GDlKWYg6JHHaZuXirpaZ54u/mS6FZusC2qTBvdHz0pmFc95NbMb/wjcvZvYenMuSnU2V5BsK33XQ1UlSKzamt9v2IRAlllTT1vRCJ4EhCs/QEL0/pfGGJkxtUVW0NYFkJI67F6c3sFJUDfHYD,iv:FMRn/52gUfysGrsGhu5qF0OBDmGex6Ye/zfQyY215Xs=,tag:9tdvOcPgR28n+L+0zhMMbg==,type:str] credentials: ENC[AES256_GCM,data:5Z/cTmxSuMq8BfRgYLGZZJ7o6AtmrQM3yNjR17YHr29S7ZWvGsjfM7DsLKectem01nvv3HoT4uyWSdhkOmZahzDb5OF1NEgjJhLqkKlCETMu0mmpwe1cx6iOd7kjB3E6Az/MWpXqZ/TrryL9FrQD2nnx9bHyWWIHRQv8,iv:jiYZXfU+OssC0rh/3yFZLEzD1+5mVDDl6gQ3oyk76E4=,tag:bevDszFv1zSa+/2qQIgC0w==,type:str]
loki: ENC[AES256_GCM,data:4wza/33eESjF4C1mcl4NIqGnvYg3Mg==,iv:Bt1ORiuuIUnnGk4XlemhCdmjBNRLZo9ikH1rqrTbS/g=,tag:AYUO/JllKIQszTNpEuEDBw==,type:str] loki: ENC[AES256_GCM,data:ShC6hfsKifVaxLWRo1fqaOpsrYh4+w==,iv:KVSlPd0mBvPZikg/Agnl6q0UhxTmsNOeYdercYOhqMg=,tag:cj6ex9m7vDjInTJDGUlqFQ==,type:str]
docker: docker:
minecraft: ENC[AES256_GCM,data:sAEACU9U51uafNJ2RlPBwN4/+EyEI3X9jXffMvrBYI+BgzmzQumhRMvUqYk4R4oFDtvz0RwTL2vGWMorFt1YaVQN+anfHDM=,iv:UXCicw5gC4hQUNqxbeuqtidMwJY0kvH55nMkEop5Ytc=,tag:X5b06FBnybFr4qSxU6NtmQ==,type:str] minecraft: ENC[AES256_GCM,data:krSM870t/IATwpUWNuKX8D5HHEvk+HeimKgodXssIYcBmdF1SZAwjUsSlx9fL3JiRtxfu0jSbhyD/2jLHMWqcix1WQGOVgs=,iv:ZTMxmzeSLQRCBF2t6r3dCDlcZ5BsBwZen6jOZN/HvGU=,tag:SES3lhRrRI8zBH1jnaV82w==,type:str]
foundry: ENC[AES256_GCM,data:CmMkfKPTq+oszR66vs+AshEdPDy81DA4OiPI/sgU2UwwXcgNTyuvmJRX7QNxsmiRQPb6EX+H6pcTESQtaqjYbCeo7n47b3BqyrTe/QrwkCAAtsdleWNNpTmmvIJi0RmxsagKheg=,iv:WxfWLsFqkTZajJT49CSi1ThQVrgYZl0vlsQo+MhrYsE=,tag:3XPErBxipOMkvze4pCerCg==,type:str] foundry: ENC[AES256_GCM,data:5Z0FvVhJBzTwDPRN6c//caZokiTnkdqiLGFFuyen+tYsdjbQ3AXH5y7HfxKbxsJvU5uShOuIg0jVMvow2NYmzyYDDKBKPOz0bgXOmFq06wzCJubjyZmR/mDcWBBDzAFzaazpyW8=,iv:6wLS00zhX0tjJUe5uADAjzEshJP8QOkF2i4Aw+Y9RSk=,tag:sNr/exY1u3evYGcImyCUlA==,type:str]
nextcloud: ENC[AES256_GCM,data:zAntt5+pFGhLMmC4T10F8ocj1+kYSnH0k+6H1Wk4WxiPTJvHQ/t+hZ+QzjmlKkiTvcaAoYWyrMJIB4U2MaIrrKAPN8vHtq1ihodBWlFifO+P6zfxCgQl3dbAMqXwini4ziKBZCw28x8dvFEozztIk7/a/TGNGj05fvGR9XUBHtVkt23ubXJqqZ4no6aGU8wgGizJ4OhQd/xTnM6m5ZvGPcv4vmtYXP0ts9eccx7nxDLmNgCHwIQSHEgR3JLUGKBcHZsc5jLQWdUPrhWXVmsAN1DKONrh5XC6rmN0/h1s5/qYCwx92XBzM6EssNBWKCtbmQ9ytSLAS90ygIs/Cr7Pu0qV9c0By+gimw054izWv4Ey2q/d/sJ9rblcmYFndgD1IOySFN8OUOO3Jd15DK6lojqrWtReVNcK/PbBPAvW+nNG3408YhQNC0eo5XMoK2RWiH8Npr39kykR/g/iDgR2cwrycbr/tnZp/OrPEGJx2axg1+om69joIfPBRL1Xe3KFKDmzTH8Cg0Wk78/6e71I3t8CheFfK8Ge6NfCti6nfUGd95Vp8ZS2LxQevloYDboV4mliOxK+JM4rRYHOCWZYAe8lZEqfdwjhYiYHfkKy2DJg,iv:YLyg9+YdggHV43oLs6Mq0unUVkjXJnPA0jwvFbjUMfs=,tag:jxIEVqENGHFrAANH4ZUFPg==,type:str] nextcloud: ENC[AES256_GCM,data:dm2Cha+CvFORgdcBvJAzzdOGcJ95vLJYTZcUJnjNp6HOQIIoJrDone1NOAYJh9rdWG/17/ntOmd+TysAj4AsD0dw/PatZmy3I+dcVghkt2XNTc7jD64QjctIHzR+om1joAbKemG1R3St7qDU68TWYxoxIfYZcJvg3ds/lJcYgFRh079UZ/IRlGVR6sWPEXyY+UUrwtk0Fr+y8UtwwWZiLp0akUbIV06huRGiAp/PeWETuPPuacl2++ayIgJFZkJjUl/a52RI1Q0nLG5iyK6QYpY1JSRJTOkiQQ4PB5GRdLCdoM5/ZXTQ6gGcoM5jXFllsTn+yRicNRucuBp7Z2achbk6eITCdjjdXVI7zM4YXpzVLu5fJckLAu07aEIGYCBT7ZXd7TRgfB68POwtwaJGBozg+nuhq8xEH04yi8jFODH6aFplIgJ+bbaP72zw+92lzZa33FEtOwKdtx+YUv0eLLDJs+8Z6Sn6RyN8prwIz1/9LuIMx39g4R7id9W2bV2MXqTU4nN8f0TXWqe+hnb5pDLBaZOBMkwbRka6Vptsi4dbL5Lnexa2DoIHZ2unyxZ+4SkRt9LH39j8fXf2w5JPFCSLstf7+Zu7xzRS0TTCug7k,iv:oOWcFdQJb/+KZKJmQChhJ5jOCcM3o+ojZSMyiRnO9n8=,tag:PWGQkwPe0juLgAdlKiWKpg==,type:str]
redis: ENC[AES256_GCM,data:b2pCrTVQqfIQEUv39imLrDFGu6KU1Dx/KD6Njcvt+x8=,iv:EHYRESYo8oTIiguay/SNbbuSVaok7szug5uiNNW0XEE=,tag:H+eQ+YvQDUOLHQJfX6qM2A==,type:str] redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
act-runner: ENC[AES256_GCM,data:4y61oMlpGQf6GSJACyRwLQVOKJTg9jSkOW4sqYOWI1+D0ObIllFNyYiFQvuIf3Vdo/ymhReWH50vKS0mMAdH+3BgBlbf0tjMsUBNlnjNbnXQXS+M0gia9RVcFxSuA+QGKIED37s5OrBJWbWk2HZIX04=,iv:x6SUtA0n56AazXDdsdhym0R8e4vY4q/5zzZ5fddZXPg=,tag:PlAjXV/ndmhX3iQ3AM3Eiw==,type:str] act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
collabora: ENC[AES256_GCM,data:3dcTIqpZtUEtEg/FG2zIyKfouLx/Yq0djOeNlS+78PltZipLYVT3jKhdVeb7,iv:wNKZF/DeKdJtZJRIXLj2AjT2cab5DQ1sr+wCYqgnNqg=,tag:AS0XIntMaGDv27TB7bRs5g==,type:str] collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
delugevpn: ENC[AES256_GCM,data:Dn+2Bk2fS0ptFYLQ0CFc+bTdJbXbE0j/Dy8N/5Up7MBP2Bk8MF1MdaY3ZFMU7RgDT+zvrgOjmiwGu8JCu2svDkq0SlqmiTZ8,iv:kPDQhEatzK/6Q1qjQGTru+bpOKQWD5R/VKndZrNlLbU=,tag:c4hzv9Ipjv9bIkAyqrgiQw==,type:str] delugevpn: ENC[AES256_GCM,data:YGkgaQUuA9oteKD77tnFzxZSHctyOQjMNlfvJr3mPWAl2P8wfcshiUoa6SNp69pagxbzRV6mfuzwzinbkQCoZN3lw7uF76y0,iv:Bro0H4tFR+3wi9DGGq9a6ge4o4uPlVXBUF7h17zyqg8=,tag:N1kVNFasqGMx8R9qTq2dJA==,type:str]
protonvpn-start-script: ENC[AES256_GCM,data:Hx/bYQg5qsx6z4G9yni+EzLCMKLAVxCHi+PYVl10PGOImfYlnG/puiSBRzu3zw68rcRg4fIz0yZgEjcYk3lu7kInx3GPrYCKSC0ej84W+j9vtEuYXC4WgXvqwTi/6P5428UhFP2FWiN5wV87pFp/LnEkVxi48uTI5r47ogkA06Gl37sQ7TZHvwGoQ106La7G3xYLDfvvdMVeASnDkIepDD6KduTI29C53l/XEoUcXQjOEtz5fmhRyVb7m0xs+DM2wRybEIUVALcIxjdWeiBoxxdVXxGD0+P277Gdy0uJPBt3iDg8dd3AAzwvTceyW+qe/8+RENySQ73cWblGyLzcqLRILCL/1YN82w==,iv:MgIyq8fltzPW9vww2gKvKQs84KkSMn4MFEvTMywTXvc=,tag:vjaH+8Pzpjx8y+7QJMP47Q==,type:str] protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str]
notifiarr: ENC[AES256_GCM,data:FMAr9EAiSeoibw8Dh9O+JGDtSg026hO3JSZseATzNAaHs8m+0SUTIksek5wwvheF,iv:3WMVFwIonJyEEsBSqIusALWw5C31oVNvxIGntd102Ng=,tag:ty246WK5TasOj04/sA+Qaw==,type:str] notifiarr: ENC[AES256_GCM,data:XxVEhp4Rei6mRcdSSooRnofuVNZDalVhDYiVUmvQUr8QihrVRMKRE9Kpl5PGWUBw,iv:urMLaUf3XUjMks2vk0E7iRUU3mLHBiMAiwtQgmWQq20=,tag:dHdTOyC/ukd71UlYEI5fWw==,type:str]
bazarr: ENC[AES256_GCM,data:pCEIR+B33UPpjVNONzhNYVIHmMCCrdLED32c+jp+P7BLW60MK84TjPPTXi+touoRENaVgenYIv8qlsntL8Q=,iv:+ymGcWvrxedlrwT5ZF3dFrPOJ9DmiS5g05K0P097Lc0=,tag:qSr3i736oxpofnReUqfV2g==,type:str] bazarr: ENC[AES256_GCM,data:x+JdRCl3x3OM3lWmgcWikJSEnh5c5He5HmuLzCGAQ8zUXMi2Z3Kf6LzL+aoqtCBu3rabYZmQSLBoDm9CPkk=,iv:7e+3w46RUD2/OSlwrEe7BRxUqPPdt5+obIjQA8pr3xY=,tag:rHSijp/tcf/SGp5y4kJ0cw==,type:str]
prowlarr: ENC[AES256_GCM,data:CzAf8AHWVV5fQNCTtycv4NuT5wwiyj9+qWbJEv9Gd5zCBazHe/x0lB7LW6FbBgQQnEqC/xjHBLGA1/0WWrraxmN8hfVBrKRqaqiRilO12isrhlFf,iv:moyDOW2l44AT1tFzTbx0PgPWGRBfZG6GI5tMeScEa8g=,tag:5CVhEW4fU9kkKO4YBuGb4g==,type:str] prowlarr: ENC[AES256_GCM,data:hr3hYwRw0+/UD8anqZQjGy7rPkV2pad4Xi5FdXSf3Ftd1/jwlYfMqhqgEngFX30LLMWvJvjeu1TkTNzSEwI6ZCPdefNVYYwWavtm+XcBVxffGvFZ,iv:EXW48288IcCeGs/vP4tkAI4dxQAOh92Na43q/9cyuSc=,tag:pnYR26MDd82DjeUPdwCoUw==,type:str]
radarr: ENC[AES256_GCM,data:a+Bt+rzWl6+Wheq6YpBQAxBpNmVJno4Eh11y3B6S5b9PEiXrmuVn+Druid1/y5P02yqhLA5vTvmPOHWmHERvN+L7WBiHL5ekZ36r+7wn,iv:102LIy/3hxdi6mk0BSIf+xl8k33yrpUGgI26WnJvCTQ=,tag:EmNE/JF3s7vgIZhHxru3Qw==,type:str] radarr: ENC[AES256_GCM,data:qCfoeEHb0ng5GhaY3QZiFvLVb25ZHNmgT0bRqEjBcelyP2819zCL7LxUPr08FxivEYZiAMFVleRozL8NMg6O5fh+2BatcYOfyh99zxIC,iv:HV3gTTnrjtab7x4Be+7hSe+nrD6BnPAmZBsHzi9Fujg=,tag:O6x0FDlasuJSRrGL/9SwpQ==,type:str]
sonarr: ENC[AES256_GCM,data:+VU8F7/aFTgMiGs+dejnqa5LJn6BH/V218oc0i5dQL1RcDXOfPdh414Px7coQg9vNoCfc2ZxFaCyHS100ee5dPiyfRHrdHKA72p2zrVF,iv:BIG/u+Eo1RonarTZ2jEEg7xzfkNd3A2agdP4ljEK2eY=,tag:05FzDAp0G09DVXoeOQqJSA==,type:str] sonarr: ENC[AES256_GCM,data:X/hM31ZyHybvy2eQzVnmq8CH1AqBgz1pxq7tKC4lZB3ryAbnEIJksffem8+35tWt/0r5cEH4aaIKD1kS7Q+Ma+8JrRLcWkt6CZq/wspz,iv:44FfdVpQCposXshzNe5DXAxExeQzjVKhkZaVbgKo8KU=,tag:WIWWUt1XBngUTwwqhCrcNw==,type:str]
lidarr: ENC[AES256_GCM,data:90+0hbCF65gmYlvEkZnmtwUUnmFPv7AlzkBKr68UmF7i2yXz4L/OsEU2gFp/en7KOTNKioXXsdP887x9RzyAShO4TRzXkcb1um3DuKAo,iv:PvEsHuUlx8jxqNysoJIL5qb3kEaIbVHLFzRKS7TfL3g=,tag:s8IoyumcA0sB1c7drG5UNQ==,type:str] lidarr: ENC[AES256_GCM,data:xERBECneutNUMZRrHukp8CaNrpI7SXUB16zUkauNP2+wto3eIc/K+2nMCkbwSC9AKlSjnUGSiORmAWn/jofTAuEzQljkCR1XCSkJRMmL,iv:iKf4fZtCfdjT/KuMFK5VFoLAV+Lll8uJowe9Q4cHyYw=,tag:xzmATTkrYRYm9Mw23zEO5g==,type:str]
jellyseerr: ENC[AES256_GCM,data:G+l6VjgOCUk4c95o5rGo2QUJizw7Ph66cJMqwY4YxYXDjNzZ3+be4GmDQyOzTV/+,iv:gbowrAmLLwAe2poU+H4l8mmpVLfrgQRICWNmLNBUADY=,tag:HI6r+9dBdNLkJnE7eC8BAQ==,type:str] jellyseerr: ENC[AES256_GCM,data:7dDfHFp8+WbJqrf7Ms/gmfroBePwegXh5CXn5FcOz8IEK7rTvr9KZfz9x/1BwdD8,iv:ZPi3OcMfH76A08piKY4P7hFbeMyouwBoeN5oL3ExzKU=,tag:oOZ37dy/y+DFqNRfAHexvQ==,type:str]
gluetun: ENC[AES256_GCM,data:sW3NXQ9GEGRA+j3+olbYNCVmLReHoRWC1oBhHcOCZ6zwx3jqvihEEZQgxgbEpPZ36NVVHTQgh9dX8wtYKUj1OzPBXuBh6V/AgTIMmrDurNUxul/jC2JVIZIka4RI58S1SKm/Ehz85Xx6lRR+VAKEyGg7R1I5+ciNjsZX8Sn/xHpGMAW4VCy/Iths0hdZWmkbJAG6XTsU1ZM01StI8s/ru/fphgcbLHws6mBMDEViKsATcGUcLMrjBT/xCeDXh24cyBCCba0rge4PtDekQwMT+aGS18cUjMF9LntCJJfdYp+gNDYrA6mprJrFJn6nrUjzT4RUSs0/+nQmuoyYvGE7RLM6lCGUZvkpQwaUJU2djzFBAHrpqqFF86ghbryt7vz6DZO2NaKpUsexAfDOsLFSXYacAVpZmm6aHsBm8woRzH67gGkxj51bIvzS1VWLjiEBxIJfChkWPqSbYh9I9mnKQdOxSSKCg0UlVCdWc5hB8NDDfZObJ2o5Ascw4eILR8lgjXm1XQxc08ZjEV9sqSlH8tr8IMSbWLAcVCHrATVfxsAG5bTbTOy/jyBGXjG7f7WQlN2RvHpHVrd8ppkYgPWJ0qbRsl6YJcvmEqeghLB+c0uYLXfoGMPOy8mb9SAfSLUMI/ODRy0=,iv:f46r4KA7IXFX3Xb5b6fxSPf+pkFjI126Ecie1S9Ggos=,tag:+Xzjz+FwIiC51J7dBcJBVQ==,type:str] gluetun: ENC[AES256_GCM,data:ryhYVOYEZl5zDs+xMgbWI6q/Ei2AiNZJMxT/TcaHzTEocINgbczWk9GKeeZKno71vFXiF9/tPpYavLqvjWNL77doWDB+wiYrtBJ97PkQ70dqWntua9E8eCalYlIZpRbLsl5OA9ZHorIMPjjSB2CRYLCqq30PPi5I2TtRvs/g6LRUN4sZ/E2TTUjz7AEY7228ZEuHt1UkU+dY/jEbx6fwrm/ocP8xKvYUuAR1/Cx/z4N0mqmVl+FX/5dRSkmhpfAxO9ss898XKiJW4rewQIbG5ccYal+reZZr70TaEJQqg5KIfAnbp6dEjAsSXnRiEF801JXM0h+d14ECT4tQmdyvYBdCVnJ/Ibqw9D15cViHmeDbR68spqOCj67FSMKxgCVx4KFrxPOualsULX7RL/UbHq2cwyziSFkH4n2ljFlKohyj39F7EparJbiCOumNfhRWknDDwvXY+BjJhbAe19ccKP6QWrS68uBp0cTXqb0rVN/qlfz6Sj5EYj5M/u0rl6d5xctnKmOzfLjI2m5+E9WfDJaAUcP/Ihs+p2eD7aSQTIj+O7I66ju+UAz66D9ZoU1U3uVQ9gaPI5dOMmYdLKS3b19EVytwW2W13d0WXKIw5Vfb7MvFh9I0iPWq+ntL4jQzMYSwV5Y=,iv:Cy3h5I3vbqKORdqw91SHL4tRMeGHMLsXgQ0USJ2jtzk=,tag:0J/p1sUQfXR4ujjY7VzZuQ==,type:str]
gluetun-qbitvpn: ENC[AES256_GCM,data:Ep8mXRdxEetIjkV+a5/yqbANPKOcvp2+WQ1YeTGeqiTxiskuHHnWhP6gJN9yN/oBJfFdNKssbC6CbLPAvuL/aJRGveWzzrr9iHZ5vo/+3NzDWUReSDFVCgstbDB2eBomd2wHVJm+hbEUUtmO3iNBEarEInRqq+5+HWSt1d4/pW61WgJ8buzNhdFjmjEEBoOUYCj5mfRl2kP7UC+WUvJRvl5l2RMt8fEDv0M4Z7RQLEbJtWRVpbIhauWpTbrMDDC+VA9lcvbXpRsxntWz5Va8Ya4GWBkJfM0bJX30TyFo9Iy+XZhlQ4rzbWtfdO9Dx/TCc9i6NQt9FBUZGy+jTt/rTAulB5mgDaIq3AfNsWbfDUYZ47U6S0hXW7qAKbJ6/KjDe9dac9Jttx1ihJhXK0lt/uM6E76AxCqOtutmKryo6mScNOxkRjeYqYwwpasNWpnZ47ytctAy3ZXt5Y5xAl77dqAv+UnMczUy1pzg/oNWZrtN55tFmT2Om0FjHW5lDPQSEfxr/qKEvsBdaofw6xWpqkrU0lejSpvFSFsVPMr2M5ZOlCbGm/BGo5yQ5P+Z3u3xGoXumwvpP5KfxFpVAiJb40F6wCcEVbxX8wITprv3+5E=,iv:HlrRrq1667jpnApWFS+4G1rUBYxL1nVbiocy27cCiec=,tag:A2yIHv5yl05CVROglOqUqA==,type:str] gluetun-qbitvpn: ENC[AES256_GCM,data:3IdmuLvWs5YRQZuG9y1GRTMKMbR7OynUUVluezviDOV22EkABvo3Ic/+xZrWi/lzAhQRwRsCGjinlUJf7lBvPLg53HaIplbzSIyd3IPLbKzEVAK32WYB/M5cGNQW+XV8TiKK72HO8+WG588A0bsuvp/wQ86ohpRHVrnlboANLS3diCNXI3VdFIHPGpvM77TqB3/vo2AFLKjxi2es4l6KRam8cEUFAz0eH03tTUYaxy+ewA5IZCQSbMURLFKKdh0EATTG5jIz3jFp372fnk8UBgFPeH8+N9VHNM6rnV6zAsC2Vlj2E1YQRTRqOwSK0NRAAV5NBbr7zumS3VS0rVUpIbZVrW/C2BSAVbzowkHuo5o1B7UFsryb3s2FJJGF2biaDoL+ijM5a0Qi4LfNeaSLNKrzaTin0wYq8rPrQKOUBZL4t6FsRbG7KHmfwM4uYdWqV5h1syjI9WWReuePVb416YvqSH9p8HhNsDTka8IGgYkHcYAXYuuxUc6sgQONBwrsdeN5Dhq1IedhuOW+3qAV+hHl8qmVgiWZ8Ss+nmo016nsikifEp08N7J8t3f86/SFZO+YMBxQ/K9PJLsJzR2jsBcf2aTlq0cuzXDvb4cMtro=,iv:N9zdyKJDsj049j5hZOSnAkS/VTWlC3crTODJKIpYYko=,tag:uYHq3CZj0P/BAv+0Ak5ZEw==,type:str]
gluetun-qbitperm: ENC[AES256_GCM,data:prNClo+0UtscI+TMwXRBdVflRWm5WLYT2kexJDoRTX37cMi9BzWYIRLwr86q/1xUIbcIraCGwHGd11CbOaY8xtfllW3oe4+YhNivAc87GJYz6mAhCiejvXJvyEySInbDq3jp0OJIPx8ROnzPCf7w5AZK9Jlfn3G3JwDYdYF/Cx8HYGv2V5JCFLLxdOG/KNnOOhSYW0IXoWVTcyT1/s62LrOMZ4KKza/yDKXn9XsWVt8+NSKXcc3HjuxhodZtCHptD0Ymqf04WOJNq100Xq++2BtiDsty86pMe45gC1vv2NiNdiBGnTQBhhkhllUM6R7t0zeZu9ROh50PGs1ozERs5WCktDsb4yfZlKtmkmPFwe5gSnHXu1t/n+8lounatfUnzKAk4nIs8KMnPxaEDPDY3DWoRXDgZU6a41/dxesOSt4wMISz0u45jKyNjZ4WFKjopLxYzekRZT9gnIu8qeLwT9G8PlqFjHrM6qxmAqMR0/Y6CHtuIHAoEWzepbZQ7MngOvUH6784r3DKTbAQetRIJHqJBsxRraOODTP9BPoPRb+hVYZm/g2264BtwmMFIs5pAtMpbjkRIMxKllUCBmf+/lL9+7TJ6EOJoIXiqOZNVQ4=,iv:pzhCttJCn2OGozuP/A0jKffdGBwkJnaH/QVnZEq7HJI=,tag:hGTxieZ6SI594FBwRjXAVQ==,type:str] gluetun-qbitperm: ENC[AES256_GCM,data:kzSrILs78UkzNeAvxoDU3QsLKdapQNyQW9nq0it+7HhhwDQ0MJB1s2Ek8zKErTatpwzG8xiUK0HwX5hFLgNZYc+OE0CH4PUrgX1t6dykuPLD2rKQL7veElNgqhX0/39xNyopyJk2UMVFNSqoV1DCC/ja9MqX9+jBYk++7DeX7v1Gl1ntjzJ+zIscg0nOTN1eQAHtiOWtFU0COC/aA8KS+HLIsMkjrIk9UD4C/DE8AOS07s+gDxPRtl6L7324FRqjEHNyxAobWOOLeG711RZcskF7dlminVJu4aVGbBwIy/zDdHFxRwO6yaLr/AqrTlRVOa2O8Qu2Ydpv8ZNj2F6fHrVNNmVwvMEKYibV6oMVo72uT+DTz/mFaYuTUeuJfkdCy7tnQYhBnpbd5J4mKfVb8uOF9Tx02kL2fTFKyvtET3nrtakQUjv8mEqHn4F8136O2JvUBN5RmC3B3vRdFjYgdfwy8hUT9b0Cmi8w0Zzs+XGMRdvWv2g6b5fmlAn0K+a0KB1fdDLhvbIXhY+sYzR3yOH01K0lW3xVdnl1eMIFjZkUGRTi32HyCYb0SUA1EcXmtA4XmyZ6HHFEXFA5y2guVqU4xLyXXldM+lGB7yGLMcM=,iv:kuueHxYafrEdyBxGUBoU2ks7kdr/rWMnXZmE3Kx/iK4=,tag:bNIfP3H5/Kh3ofuCGGx5Hg==,type:str]
acme: acme:
bunny: ENC[AES256_GCM,data:uepw99ne34B4l9JAvCMiAXdFlwLjOYB1jCVgKNxb8vWDpMTTQZiwRDeJCcLk0zUSQcRujUwVaWKoPg0jvFYMONoC572NXRBh2F6HYO/avvnW5BkBN1Of,iv:w+84IMQSLkNxkKVJxNCOXhLRkh+DZ23aewAsLrvWn/s=,tag:DCPF9lgeNFZLcF48TSk5pg==,type:str] bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
dnsimple: ENC[AES256_GCM,data:5Xs337NsbdBIF4oN33q2kgJUZuVRklGtdTm4LsimRyvh/8yZeVRjmDSyl3ZX79YOvVgrVZKTLUXsG4Tuqp06J64=,iv:2Ca2wxA59nqWuy0GtbRyWnPA5nQsM1UOXUfCUoY195E=,tag:zQ3AEfmy9FNMvq3rVRQ5rA==,type:str] dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
server-validation: server-validation:
webhook: ENC[AES256_GCM,data:3uISyfwu4wYlvc0XjtZAikrwh/zeL4akh9/7FE4gJHoxL8o/JcV9tVyyYMNzs0d2jqndLeuS5i3KgEzwZiMy8qtDTD3E1rPvyBxKvwRj4DdnH2BcGgXtpexSk9Tgkc0BoTTQ4M6cYSxUR8i7mqk9AEiDYPgb1FtP2n0Y6bm5IvusjbQGtjImHBx4r77e,iv:WyRLzE5i+HG2jgp+CI2SRc3am3WsLDOoCCvUoIb8Jpc=,tag:kMdZAevE6qL8bpeifmcqdw==,type:str] webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str]
typhon: typhon:
hashedPassword: ENC[AES256_GCM,data:Uy/pYazlkvQycWTrYKv1/566EgRIqek/pfjaJnifIqA1GUbTASBOENINnDx4ffJRwXoBzbIe+wSsalxwP9r7k9QERKaWpzr3Gppb+iI3Bpy1scy+R2sAjaR5fU0MKI+USppJSh2ARP1ZMA==,iv:iIGaAp9jX8dUAjiDBjrz/GDaD8x4/VDXJ9F2DN4cgmA=,tag:KrsqkjTdMJjLtsdqNiAsnw==,type:str] hashedPassword: ENC[AES256_GCM,data:gMyY8gxUn3HzycQRu2cminqRFWghqWcjzZzTxAQZ5PJqn604iSwDiVdr7icHB7drJfCAfsE7L4oKRJgxaIAE32043oOkb2T7DDH8y2jxMzqmZCfbvrfMI4wdfRTHGqzxb6X/aZ5ai2rr1Q==,iv:4EsTo/lQld0o9iktDX9gobMlPUCitx1i9wn8EL16sIs=,tag:FgVDRHk2glDwpC/mprrPqQ==,type:str]
garage:
rpc-secret: ENC[AES256_GCM,data:EOc5kBoZTPBFDyuvJ+iOm50htGggmgRfDmGTgFlyDgVGUYEtGVimQxlRipxDIexVnbG876u9JHtEXKAgiEK44w==,iv:eSUZ/Db7NZxiaIt9lRSbhKmX2i492o3e7lmDq4NeDXw=,tag:/QGSu3g6MIpaI3Y1uIE8pQ==,type:str]
admin-token: ENC[AES256_GCM,data:BvajakvOkU25kLTBmfAWJHkIPvfbgxJsV44D2jLE9w9+n175dnvPV79198c=,iv:oOvtberNXzMhzKXGHPPizQjIozsor7wnM3XiwVgLiBo=,tag:YlGJf1sHk/s7bjRaOZH0iA==,type:str]
kanidm:
admin_password: ENC[AES256_GCM,data:5xIjsjn9t0sAXLq+qi8LSyPVde99VV519fw+kZVX,iv:n6VjDeEaV6+Ai0zr52Dw1E5OD5DNzK826bFQtFhe3hg=,tag:MKD+PuczuDoH/PKN4cY+xA==,type:str]
gitea_oidc_client_secret: ENC[AES256_GCM,data:cr5HGHOwAvJ6LLBPWmfuRxltzJJ8t28vxnzB9sPKC+VwrYZ97ZJjfqtfY+7KyJNfI1knwrNKYNQu+bOqO8lhVQ==,iv:KT/1eiI4VnR8RG/pLCUhypVRctoLdM6hQunzpE8P05c=,tag:NV54JL5A3S8VVkbY7BIbhQ==,type:str]
restic:
kanidm_password: ENC[AES256_GCM,data:Zz+SOj9RBgVba8kNgCxhs5z7iuUPcYdE/a/FLJuJw46rquX290NvyH+4eDU=,iv:em9S1dzQ6Kgc4pZglLZlLPzSvAfey3Y6ZQhzNYIt2Ew=,tag:umN1oi4Fm1L/tFvFpt/RZA==,type:str]
kanidm_rest_password: ENC[AES256_GCM,data:alv88Ebr2BmfXjJ+cZfRgRXBPezCrFBYR+DpxOnjAo7hjP2V0sB+B7WTJhtt8z61lKHUoZDS1brxrDa3T8i30JFUjATTDeGs7FY+D8Wn8uIlj4YPQy4gIA==,iv:kxI8npRdyCeb/IbTUKXdF3lsQoPmQBP8S+di7bDKByc=,tag:/2Qc19/hcxiw62tDAsoW9A==,type:str]
sops: sops:
age: age:
- recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VkhzZ3cyNkFUYnppYnFa YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcWo4V1QyZS9HbHNwT3Jl
NWtLNTJXSU5BS1V5d2xySlBxbjhtRzloOGxnClBVVjhINnNsWkxod2pNL3BIU0VE ZktNR2gwZ3BiWnYwZHpLUzR2YTlmN0ZUeEhnCkF6ekdkN0U2VGM1RFVhdTM0RW5u
b2F4NVpZK045NmphNzlwQkozMmU5S1UKLS0tIDlHcUEwMmVQSjZIVDFiVXNCRXZL bWdreGZrU0JwNDY1TnR2S1M3OTdKaWcKLS0tIEVBekE2eU8rcEhpVkhhWmxPc3JN
NExqdmo4Q0ZNVzUyWkZFVUl6NFdETk0Kd8zrbv2zC610vfDMCejxYv1UCvIvsOqM cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
bmvQ/wG/X1HqE4B8Yt6/5wNsM2/baLuXIBpGYAh7mgUaOQEkptZwMw== LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-02T16:58:48Z" lastmodified: "2026-01-17T01:50:50Z"
mac: ENC[AES256_GCM,data:ca+UYNGmlLgu5mLfES/ZUf+XyuRtwk8GKeeu/UtbgNGqSoGXlsTmPdiGfKhO+qUFmpTv7ZAs/zbXD7C6rScNjudtlXB2lNAlLFWnudCjD4cDxokhOWoWYf+1ezw/IubAeqbW3lHUGUeK/hpVp5Suk/93fEVRUpnZM4r9/WizNfE=,iv:BipesRJv/P/iPEOW7bTxv42ABwo9efvwFgBvEX+TokA=,tag:uHxfZML61MYll77pYUuMrg==,type:str] mac: ENC[AES256_GCM,data:8TGSqwEcfmrW1PjuzTVNyDTNs6s3oWbT0tI+rg7u2w5Dcw1EEU+SjJ6VpNY06AZHTjSD6E0O7NzUxybtMpslHUGitOGWwQCk+sbqRJuUseFe7bWFboEVoJpEoYGN5pnn52opMT+NeHGkXumaxjhDjCxfwn1RBHR7TgD4ZHEH6pE=,iv:szBUnn3HL/osWhmTwYmHrUghobWdBR60Lc6uUD/eGMY=,tag:6vgdJeJjL4ZYKc8WjixClg==,type:str]
pgp: pgp:
- created_at: "2026-05-02T16:58:48Z" - created_at: "2024-11-28T18:56:39Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DQWNzDMjrP2ISAQdAPCymqFWzYGcr+bPFS6IusIV2LHdy5g2ROGtXCoTmah4w hF4DQWNzDMjrP2ISAQdAPOYlp/3ZJrcXZbu5+XI+BHNzMbzw7+YhTYOfNgujU1gw
AezxMLS7d5zT9p277Vfoqwa1KFvrhoXbb3ORKAl4ONmACZpWOO3TobSkP0FvyEqi QfJDWAhiMd8cZF5PpX+RdN+Zrk5CCMgZH4hotv9gjf1oxitWuF2hv14k/RlAx8kr
0l4BrPiYgcK3Lz01cotP4KwfW1I/w7uW4OpxF0gUBiQe8pvxMgcO77S3pA3WdA4U 1GgBCQIQB+LOoKIo7AHeucdV9NsM6H4Akv+Bzy8boarA4BGcyvgRWhS2u8zOQJc5
MmbwWW3dxGaora+gCSZjyx+y7vy5nDieUSjSskM1lYYsZQ52qRjiPVENzorEHDLD RKfRonTO51yjlKm0MEspvwrClO+aIuBaNNemuHdk4yhDUnNKVBFyLLOuqXbsFd+G
=3fFC aSTmqvI3a/T5Cw==
=ph+p
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330 fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.2 version: 3.11.0

1
systems/palatine-hill/vars.nix
View File

@@ -21,5 +21,4 @@ rec {
primary_plex_storage = "${zfs_primary}/plex_storage"; primary_plex_storage = "${zfs_primary}/plex_storage";
primary_ollama = "${zfs_primary}/ollama"; primary_ollama = "${zfs_primary}/ollama";
primary_mattermost = "${zfs_primary}/mattermost"; primary_mattermost = "${zfs_primary}/mattermost";
primary_kanidm = "${zfs_primary}/kanidm";
} }

1
users/alice/home.nix
View File

@@ -90,7 +90,6 @@
gocryptfs gocryptfs
awscli2 awscli2
claurst
]; ];
}; };