1 Commits

Author SHA1 Message Date
github-actions[bot]
f7d85cb4f7 automated: Update flake.lock
All checks were successful
Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 9s
Check Nix flake / Perform Nix flake checks (pull_request) Successful in 3m38s
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].

[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
2026-04-28 12:11:33 +00:00
27 changed files with 67 additions and 775 deletions


@@ -1,9 +1,11 @@
# run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :)
# run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured
# the command below intentionally avoids nested shell quoting because git config parsing is strict
# if for whatever reason the below doesn't work, try modifying the mergetool command as below
# find: $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh
# replace: ./utils/sops-mergetool.sh
[mergetool "sops-mergetool"]
cmd = $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh $BASE $LOCAL $REMOTE $MERGED
cmd = bash -c "$(git rev-parse --show-toplevel)/utils/sops-mergetool.sh \"\$BASE\" \"\$LOCAL\" \"\$REMOTE\" \"\$MERGED\""
[merge]
tool = nvimdiff
[mergetool "nvimdiff"]
layout = (LOCAL,BASE,REMOTE)/MERGED
layout = MERGED
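Review bot: A commit titled "automated: Update flake.lock" should not be rewriting the sops mergetool command, yet the diffstat reports 27 changed files and 775 deletions, and the later sections (flake.nix, the host import lists, the HAProxy, Gitea and Kanidm configuration) are in the same position. This looks like a bot branch cut from a stale base, so rebase it or restrict the workflow's commit to `flake.lock` before merging. On the hunk itself, the rendered page lost the +/- column, but if the `bash -c` line is the one that remains, git's config parser only accepts `\"`, `\\`, `\n`, `\t` and `\b` as escapes, so `\$BASE` would be rejected as a bad config line. The plain form parses but passes `$BASE $LOCAL $REMOTE $MERGED` unquoted, which breaks on paths containing spaces. A single level of quoting avoids both problems: `cmd = \"$(git rev-parse --show-toplevel)/utils/sops-mergetool.sh\" \"$BASE\" \"$LOCAL\" \"$REMOTE\" \"$MERGED\"`.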


@@ -1,169 +0,0 @@
name: "Update claurst"
on:
repository_dispatch:
workflow_dispatch:
schedule:
- cron: "00 14 * * 1" # Every Monday at 14:00 UTC
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
update_claurst:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Get current claurst version
id: current
run: |
VERSION=$(grep 'version = ' pkgs/claurst/default.nix | head -1 | sed 's/.*version = "\(.*\)".*/\1/')
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "Current version: $VERSION"
- name: Get latest claurst release
id: latest
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const release = await github.rest.repos.getLatestRelease({
owner: 'Kuberwastaken',
repo: 'claurst',
});
const tag = release.data.tag_name.replace(/^v/, '');
core.setOutput('version', tag);
core.info(`Latest release: ${tag}`);
- name: Check if update needed
id: check_update
run: |
CURRENT="${{ steps.current.outputs.version }}"
LATEST="${{ steps.latest.outputs.version }}"
if [ "$CURRENT" = "$LATEST" ]; then
echo "No update needed (current: $CURRENT, latest: $LATEST)"
echo "update_needed=false" >> $GITHUB_OUTPUT
else
echo "Update needed (current: $CURRENT, latest: $LATEST)"
echo "update_needed=true" >> $GITHUB_OUTPUT
fi
- name: Update claurst if new version available
if: steps.check_update.outputs.update_needed == 'true'
id: update
run: |
NEW_VERSION="${{ steps.latest.outputs.version }}"
# Backup original file
cp pkgs/claurst/default.nix pkgs/claurst/default.nix.bak
# Update version placeholder with empty hash to compute it
sed -i "s/version = \"[^\"]*\"/version = \"$NEW_VERSION\"/" pkgs/claurst/default.nix
# Try to fetch the new src hash
echo "Computing src hash for v$NEW_VERSION..."
SRC_HASH=$(nix-prefetch-url --unpack "https://github.com/Kuberwastaken/claurst/archive/refs/tags/v$NEW_VERSION.tar.gz" 2>/dev/null | tail -1 || echo "")
if [ -z "$SRC_HASH" ]; then
echo "Failed to compute src hash, reverting"
mv pkgs/claurst/default.nix.bak pkgs/claurst/default.nix
exit 1
fi
SRC_HASH="sha256-$SRC_HASH"
echo "New src hash: $SRC_HASH"
# Update src hash
sed -i "s|hash = \"sha256-[^\"]*\"|hash = \"$SRC_HASH\"|" pkgs/claurst/default.nix
# Compute cargoHash - this requires building
echo "Computing cargo hash..."
CARGO_HASH=$(nix build \
--no-eval-cache \
--expr "(import ./pkgs/default.nix { nixpkgs = import <nixpkgs> { }; }).mkPkgs \"x86_64-linux\" | .claurst" \
2>&1 | grep -oP 'got:\s*\K[^"]+' | head -1 || echo "")
if [ -z "$CARGO_HASH" ]; then
echo "Failed to compute cargo hash, trying with attribute substitution..."
CARGO_HASH=$(nix eval \
--impure \
--expr "
let
pkgs = import <nixpkgs> { config.allowUnsupportedSystem = true; };
claurst = import pkgs/claurst { inherit pkgs; };
in claurst.cargoHash
" 2>&1 | tail -1)
fi
if [ ! -z "$CARGO_HASH" ]; then
echo "New cargo hash: $CARGO_HASH"
sed -i "s|cargoHash = \"[^\"]*\"|cargoHash = \"$CARGO_HASH\"|" pkgs/claurst/default.nix
fi
rm -f pkgs/claurst/default.nix.bak
echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
- name: Validate nix flake
if: steps.check_update.outputs.update_needed == 'true'
run: |
echo "Running nix flake check..."
nix flake check --show-trace || true
- name: Build claurst to verify changes
if: steps.check_update.outputs.update_needed == 'true'
run: |
echo "Building updated claurst package..."
nix build ".#artemision.config.environment.systemPackages" --no-eval-cache 2>&1 | tail -20 || true
- name: Generate PR body
if: steps.check_update.outputs.update_needed == 'true'
id: pr_body
run: |
cat > pr_body.md << 'EOF'
# Claurst Update
Automated claurst package update.
**Changes:**
- Version: `${{ steps.current.outputs.version }}` → `${{ steps.update.outputs.version }}`
- Source hash updated
- Cargo hash updated
Auto-generated by [update-claurst.yml][1].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml
EOF
cat pr_body.md
- name: Create Pull Request
if: steps.check_update.outputs.update_needed == 'true'
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
add-paths: pkgs/claurst/default.nix
body-path: pr_body.md
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: "automated: Update claurst to ${{ steps.update.outputs.version }}"
commit-message: |
automated: Update claurst to ${{ steps.update.outputs.version }}
- Bumped version from ${{ steps.current.outputs.version }} to ${{ steps.update.outputs.version }}
- Updated src and cargo hashes
Auto-generated by [update-claurst.yml][1].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/update-claurst.yml
branch: update-claurst
delete-branch: true
pr-labels: |
dependencies
automated
- name: Print PR result
if: steps.check_update.outputs.update_needed == 'true'
run: |
echo "Pull request created successfully"
echo "Version updated: ${{ steps.current.outputs.version }} → ${{ steps.update.outputs.version }}"
permissions:
pull-requests: write
contents: write

105
AGENTS.md

@@ -1,105 +0,0 @@
> Note: This document was AI-generated and reviewed by a maintainer.
# AGENTS Guide for nix-dotfiles
This file is the quick-start map for coding agents working in this repository.
Use this first, then follow the linked source files for full detail.
## Purpose and Scope
- Repository type: flake-based NixOS + Home Manager dotfiles/infrastructure.
- Primary goals: safe system/user config edits, reproducible builds, and clean secrets handling.
- Default assumption: preserve existing module patterns and avoid broad refactors unless requested.
## Source of Truth
Read these files before substantial changes:
- `.github/copilot-instructions.md`: Full repository guide for structure, workflows, dynamic system generation, module patterns, and SOPS handling.
- `.github/instructions/ai-doc-attribution.instructions.md`: Markdown rule for top-of-document attribution when docs are fully AI-generated.
- `flake.nix`: Flake inputs/outputs entrypoint; system generation begins here.
- `lib/systems.nix`: Core dynamic config assembly (`genSystems`, `constructSystem`, and wrapper generators).
- `systems/<hostname>/default.nix`: Per-host parameters (users, home, sops, server role, extra modules).
- `systems/<hostname>/configuration.nix`: Main host config.
- `modules/*.nix`: Global modules automatically imported into all systems.
- `users/<username>/home.nix` and `users/<username>/default.nix`: Home Manager and user account configuration.
- `hydra/jobs.nix` and `hydra/jobsets.nix`: CI/build orchestration details.
## Repo Mental Model
- `systems/` contains host-specific configs.
- `modules/` contains global modules applied across hosts.
- `users/` contains user and home-manager configs.
- `lib/systems.nix` auto-discovers hosts and composes final configs.
- SOPS secrets are colocated with hosts/users via `secrets.yaml` files.
## Dynamic Configuration Rules
- Hosts are auto-discovered from subdirectories in `systems/`.
- Each host's `default.nix` feeds `constructSystem` parameters.
- Effective module merge order matters. High-level order is: 1) base external
modules, 2) host essentials (`hardware.nix`, `configuration.nix`), 3)
host-specific modules from `systems/<host>/default.nix`, 4) global
`modules/*.nix`, 5) optional SOPS and Home Manager/user layers.
- Global modules load after host config, so explicit overrides may require `lib.mkForce` depending on target option.
## Editing Conventions
- Keep changes minimal and scoped to the requested behavior.
- Preserve existing Nix style and option naming patterns.
- Prefer module options + `lib.mkIf` toggles over hard-coded behavior.
- Use `lib.mkDefault` for soft defaults and `lib.mkForce` only when necessary.
- Do not commit plaintext secrets.
- Update docs when behavior/workflow changes.
## Validation and Workflow
Typical local sequence:
1. Make targeted edits.
2. Evaluate and build with `nix flake check` and `nix build .#<hostname>`.
3. Optionally deploy/apply with `nh os switch` or `nh home switch`.
4. For secrets-related changes, edit with `sops .../secrets.yaml` and validate expected `config.sops.secrets` evaluation paths.
## Secrets and Safety
- Secrets live in `systems/<hostname>/secrets.yaml` and `users/<username>/secrets.yaml`.
- Use SOPS for create/edit/rekey operations.
- During merge conflicts in encrypted files, prefer repository SOPS merge tooling (`utils/sops-mergetool.sh`, `utils/sops-mergetool-new.sh`).
## Agent and Tool Routing
When a specialized agent is available, route work by intent:
- `Explore`: Fast read-only repository exploration and Q&A.
- `dependency-auditor`: Flake/module dependency security and CVE-oriented audits.
- `security-researcher`: Read-only server security configuration audits.
- `server-architect`: Server integration/review planning for `palatine-hill` style infra changes.
Use Nix lookup tooling for package/options discovery; prefer `unstable` channel when channel selection is available.
## Where To Look Next (By Task)
- Add a new host: see `.github/copilot-instructions.md` sections on "Adding a New NixOS System", plus `systems/<new-host>/default.nix`, `hardware.nix`, and `configuration.nix`.
- Add/modify a global capability: see `modules/*.nix` and the `.github/copilot-instructions.md` section "Adding a Global Module to modules/".
- Change user/home-manager behavior: see `users/<username>/home.nix` and `users/<username>/default.nix`.
- Modify build/release automation: see `hydra/jobs.nix` and `hydra/jobsets.nix`.
- Work with secrets: see `.sops.yaml`, `systems/*/secrets.yaml`, `users/*/secrets.yaml`, and the `.github/copilot-instructions.md` section "Secrets Management".
- Validate module composition/debug evaluation: see `lib/systems.nix` and `nix eval .#nixosConfigurations.<host>...`.
## Documentation Attribution Rule
For Markdown docs (`**/*.md`):
- If a document is fully AI-generated, include explicit attribution near the top.
- Accepted label includes "AI-generated documentation" wording.
- Do not imply fully human authorship for fully AI-authored content.
## Quick Command Reference
- `nh os build`
- `nh os switch`
- `nh home switch`
- `nix build .#<hostname>`
- `nix flake check`
- `nix eval .#nixosConfigurations.<hostname>.config.<path>`


@@ -3,7 +3,7 @@
This repository contains the flake required to build critical and personal
infrastructure running NixOS. The setup can be explored as follows.
This repo supports `x86_64-linux` and (theoretically) `aarch64-linux`.
This repo supports `x86_64-linux` and (theorically) `aarch64-linux`.
## Setting Up


@@ -164,23 +164,19 @@
lib = self;
}
);
packageSetup = import ./pkgs/default.nix { inherit nixpkgs; };
inherit (packageSetup) localPackagesOverlay;
inherit (lib.adev.systems) genSystems getImages;
inherit (self) outputs; # for hydra
in
rec {
inherit lib; # for allowing use of custom functions in nix repl
overlays.default = localPackagesOverlay;
hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt);
nixosConfigurations = genSystems inputs outputs src (src + "/systems");
homeConfigurations = {
"alice" = inputs.home-manager.lib.homeManagerConfiguration {
pkgs = packageSetup.mkPkgs "x86_64-linux";
pkgs = import nixpkgs { system = "x86_64-linux"; };
modules = [
inputs.stylix.homeModules.stylix
inputs.sops-nix.homeManagerModules.sops
@@ -207,7 +203,9 @@
qcow = getImages nixosConfigurations "qcow";
};
packages = forEachSystem packageSetup.mkPackages;
packages.x86_64-linux.lego-latest =
nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/lego-latest/default.nix
{ };
checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
devShells = import ./shell.nix { inherit inputs forEachSystem checks; };
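Review bot: The new `packages.x86_64-linux.lego-latest = ...` assignment hard-codes a single system, while `formatter`, `checks` and `devShells` in the same attribute set go through `forEachSystem`. Any other system the flake enumerates therefore gets checks and shells but no `packages` output. A form that stays consistent is `packages = forEachSystem (system: { lego-latest = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/lego-latest/default.nix { }; });`. With `overlays.default` and the `pkgs/default.nix` package set gone, the bitwarden-rofi derivation that this diff still edits appears to be referenced by nothing visible here, so confirm it is either wired back in or removed. The `rec { ... }` body starts and ends outside these hunks.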


@@ -172,7 +172,6 @@ rec {
modules = [
inputs.nixos-modules.nixosModule
inputs.nix-index-database.nixosModules.nix-index
{ nixpkgs.overlays = [ outputs.overlays.default ]; }
(genHostName hostname)
(configPath + "/hardware.nix")
(configPath + "/configuration.nix")


@@ -19,7 +19,6 @@
libnotify,
}:
let
maintainers = import ../maintainers.nix;
bins = [
jq
bitwarden-cli
@@ -65,7 +64,6 @@ stdenv.mkDerivation {
description = "Wrapper for Bitwarden and Rofi";
homepage = "https://github.com/mattydebie/bitwarden-rofi";
license = licenses.gpl3;
maintainers = [ maintainers.alice ];
platforms = platforms.linux;
};


@@ -1,52 +0,0 @@
{
lib,
fetchFromGitHub,
rustPlatform,
pkg-config,
openssl,
alsa-lib,
dbus,
libxkbcommon,
libxcb,
}:
let
maintainers = import ../maintainers.nix;
in
rustPlatform.buildRustPackage rec {
pname = "claurst";
version = "0.0.9";
src = fetchFromGitHub {
owner = "Kuberwastaken";
repo = "claurst";
rev = "v${version}";
hash = "sha256-bTQHtZGZxhEAki0JxSC8smAC3w+otm8ubHvZ9MvwDaE=";
};
cargoRoot = "src-rust";
cargoHash = "sha256-6+B43spqmUZ983YMl5UBH5647DcUOS2ngw5ChMIPFFo=";
buildAndTestSubdir = "src-rust";
doCheck = false;
nativeBuildInputs = [
pkg-config
];
buildInputs = [
openssl
alsa-lib
dbus
libxkbcommon
libxcb
];
meta = with lib; {
description = "Terminal coding agent written in Rust";
homepage = "https://github.com/Kuberwastaken/claurst";
license = licenses.gpl3Only;
mainProgram = "claurst";
maintainers = [ maintainers.alice ];
platforms = platforms.linux;
};
}


@@ -1,35 +0,0 @@
{ nixpkgs }:
let
localPackagesOverlay = final: _prev: {
lego-latest = final.callPackage ./lego-latest/default.nix { };
claurst = final.callPackage ./claurst/default.nix { };
bitwarden-rofi = final.callPackage ./bitwarden-rofi/default.nix { };
};
mkPkgs =
system:
import nixpkgs {
inherit system;
overlays = [ localPackagesOverlay ];
};
mkPackages =
system:
let
pkgs = mkPkgs system;
in
{
inherit (pkgs)
lego-latest
claurst
bitwarden-rofi
;
};
in
{
inherit
localPackagesOverlay
mkPkgs
mkPackages
;
}


@@ -1,8 +0,0 @@
{
alice = {
name = "Alice Huston";
email = "aliceghuston@gmail.com";
github = "ahuston-0";
githubId = 43225907;
};
}


@@ -42,7 +42,6 @@ forEachSystem (
packages = with pkgs; [
deadnix
pre-commit
openssl
treefmt
statix
nixfmt


@@ -7,7 +7,6 @@
amdgpu_top
android-tools
bitwarden-cli
bitwarden-rofi
bfg-repo-cleaner
brightnessctl
btop


@@ -1,46 +0,0 @@
{ config, pkgs, ... }:
{
# Restic backups to the local REST server (docker/restic.nix, port 8010, private repos).
# Each service gets its own repo: rest:http://localhost:8010/<username>/
# REST credentials are injected via sops templates as an EnvironmentFile.
# Add new jobs below following the same pattern.
sops = {
secrets."restic/kanidm_password" = { };
secrets."restic/kanidm_rest_password" = { };
# Compose a KEY=VALUE env file for the restic systemd service.
templates."restic-kanidm-env" = {
content = ''
RESTIC_REST_USERNAME=kanidm
RESTIC_REST_PASSWORD=${config.sops.placeholder."restic/kanidm_rest_password"}
'';
};
};
services.restic.backups = {
kanidm = {
repository = "rest:http://localhost:8010/kanidm/";
passwordFile = config.sops.secrets."restic/kanidm_password".path;
environmentFile = config.sops.templates."restic-kanidm-env".path;
# Checkpoint the SQLite WAL before backup so the snapshot is consistent.
backupPrepareCommand = ''
${pkgs.sqlite}/bin/sqlite3 /var/lib/kanidm/kanidm.db "PRAGMA wal_checkpoint(FULL);"
'';
paths = [ "/var/lib/kanidm" ];
timerConfig = {
OnCalendar = "04:00";
Persistent = true;
};
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
};
}


@@ -9,7 +9,6 @@
./acme.nix
./attic
./docker
./garage.nix
./gitea.nix
./firewall.nix
./haproxy
@@ -21,8 +20,6 @@
./nextcloud.nix
#./plex
./postgresql.nix
./backup.nix
./kanidm.nix
./samba.nix
./zfs.nix
];


@@ -10,11 +10,11 @@
#./firefly.nix
#./foundry.nix
./glances.nix
./haproxy.nix
# ./haproxy.nix
./minecraft.nix
./nextcloud.nix
# ./postgres.nix
./restic.nix
# ./restic.nix
./torr.nix
# ./unifi.nix
];


@@ -50,7 +50,6 @@ frontend ContentSwitching
acl host_minio hdr(host) -i minio.alicehuston.xyz
acl host_minio_console hdr(host) -i minio-console.alicehuston.xyz
acl host_attic hdr(host) -i attic.nayeonie.com
acl host_s3 hdr(host) -i s3.nayeonie.com
acl host_minio hdr(host) -i minio.nayeonie.com
acl host_minio_console hdr(host) -i minio-console.nayeonie.com
#acl host_nextcloud_vol hdr(host) -i nextcloud-vol.alicehuston.xyz
@@ -58,7 +57,6 @@ frontend ContentSwitching
acl host_prometheus hdr(host) -i prom.alicehuston.xyz
acl host_gitea hdr(host) -i git.alicehuston.xyz
acl host_gitea hdr(host) -i nayeonie.com
acl host_kanidm hdr(host) -i auth.nayeonie.com
# Backend-forwarding
use_backend www_nodes if host_www
# use_backend ldapui_nodes if host_ldapui
@@ -69,14 +67,12 @@ frontend ContentSwitching
use_backend nextcloud_nodes if host_nextcloud
use_backend hydra_nodes if host_hydra
use_backend attic_nodes if host_attic
use_backend garage_nodes if host_s3
#use_backend nextcloud_vol_nodes if host_nextcloud_vol
# use_backend collabora_nodes if host_collabora
use_backend prometheus_nodes if host_prometheus
use_backend minio_nodes if host_minio
use_backend minio_console_nodes if host_minio_console
use_backend gitea_nodes if host_gitea
use_backend kanidm_nodes if host_kanidm
#frontend ldap
# bind *:389
@@ -146,10 +142,6 @@ backend minio_console_nodes
mode http
server server 192.168.76.2:8501
backend garage_nodes
mode http
server server 192.168.76.2:8502
# backend foundry_nodes
# timeout tunnel 50s
# mode http
@@ -185,15 +177,6 @@ backend gitea_nodes
mode http
server server 192.168.76.2:6443
backend kanidm_nodes
mode http
option forwardfor
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Host %[req.hdr(host)]
acl internal src 192.168.76.0/24 192.168.191.0/24
http-request deny unless internal
server server 192.168.76.2:8443 ssl verify none
#backend netdata_nodes
# mode http
# server server 192.168.76.2:19999


@@ -23,6 +23,8 @@
};
dependsOn = [
"nextcloud"
"grafana"
"foundryvtt"
"glances"
"mc-router"
];
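Review bot: The two entries added to `dependsOn`, `"grafana"` and `"foundryvtt"`, name containers that the visible import list does not appear to define: the docker imports section earlier on this page carries `#./foundry.nix` commented out and shows no grafana module. If this is an oci-containers definition, each `dependsOn` entry presumably becomes a hard unit dependency, so a name with no matching container would stop this one from starting. Either drop the two entries or add them only when the corresponding container is defined. The container attribute set itself starts outside the hunk, so the target backend and the full import list should be confirmed against the file.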


@@ -1,48 +0,0 @@
{
config,
pkgs,
...
}:
let
vars = import ./vars.nix;
basePath = "${vars.primary_minio}/garage";
in
{
services.garage = {
enable = true;
package = pkgs.garage;
logLevel = "info";
settings = {
metadata_dir = "${basePath}/meta";
data_dir = "${basePath}/data";
db_engine = "sqlite";
replication_factor = 1;
rpc_bind_addr = "127.0.0.1:8504";
rpc_public_addr = "127.0.0.1:8504";
rpc_secret_file = config.sops.secrets."garage/rpc-secret".path;
s3_api = {
api_bind_addr = "127.0.0.1:8502";
s3_region = "us-east-1";
root_domain = ".s3.nayeonie.com";
};
admin = {
api_bind_addr = "127.0.0.1:8503";
admin_token_file = config.sops.secrets."garage/admin-token".path;
};
};
};
systemd.tmpfiles.rules = [
"d ${basePath}/meta 0750 garage garage -"
"d ${basePath}/data 0750 garage garage -"
];
sops.secrets = {
"garage/rpc-secret" = { };
"garage/admin-token" = { };
};
}


@@ -37,10 +37,6 @@ in
service = {
DISABLE_REGISTRATION = true;
};
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = false;
};
log = {
LEVEL = "Trace";
ENABLE_SSH_LOG = true;
@@ -75,48 +71,6 @@ in
after = [ "docker.service" ];
};
systemd.services.gitea-kanidm-oidc-bootstrap = {
description = "Bootstrap Gitea Kanidm OIDC auth source";
wantedBy = [ "multi-user.target" ];
requires = [ "gitea.service" ];
after = [ "gitea.service" ];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
path = [
config.services.gitea.package
pkgs.coreutils
pkgs.gnugrep
];
script = ''
set -eu
APP_INI="${config.services.gitea.customDir}/conf/app.ini"
if gitea admin auth list --config "$APP_INI" | grep -Fq "Kanidm OIDC"; then
exit 0
fi
gitea admin auth add-oauth \
--config "$APP_INI" \
--name "Kanidm OIDC" \
--provider openidConnect \
--key "gitea" \
--secret "$(<${config.sops.secrets."kanidm/gitea_oidc_client_secret".path})" \
--auto-discover-url "https://auth.nayeonie.com/oauth2/openid/gitea/.well-known/openid-configuration" \
--scopes openid \
--scopes profile \
--scopes email \
--full-name-claim-name name \
--group-claim-name groups \
--required-claim-name groups \
--required-claim-value gitea-users \
--admin-group gitea-users
'';
};
networking.firewall.allowedTCPPorts = [ 6443 ];
sops.secrets = {


@@ -1,38 +0,0 @@
# HAProxy routing stubs for Kanidm.
# These are ADDITIVE fragments — merge into your main haproxy config.
# Assumes:
# - HAProxy terminates TLS using the acme-nayeonie.com certificate
# - Kanidm HTTPS listens on [::1]:8443
# - Kanidm LDAP compat listens on [::1]:3890
# - ACL-based routing by SNI / Host header
#
# In your main frontend (or add a dedicated one):
#
# acl host_kanidm hdr(host) -i auth.nayeonie.com # internal/admin only
#
# use_backend kanidm if host_kanidm
#
# --- Kanidm backend ---
#
# backend kanidm
# mode http
# option forwardfor
# http-request set-header X-Forwarded-Proto https
# http-request set-header X-Forwarded-Host %[req.hdr(host)]
# acl internal src 192.168.76.0/24 192.168.191.0/24
# http-request deny unless internal
# server kanidm [::1]:8443 ssl verify none check
#
# --- Forward-auth pattern for protecting other backends with Kanidm ---
#
# To protect an existing backend with Kanidm OIDC, add oauth2-proxy.
# The simplest
# path for HAProxy is:
#
# 1. Deploy oauth2-proxy (services.oauth2-proxy) configured against
# Kanidm as OIDC provider (issuer https://auth.nayeonie.com).
# 2. In HAProxy frontend, redirect unauthenticated requests to
# oauth2-proxy before forwarding to the real backend.
#
# This is left as a follow-up — get Kanidm running first.
{ ... }: { }


@@ -1,127 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
domain = "nayeonie.com";
authDomain = "auth.${domain}";
aliceSshKeys = config.users.users.alice.openssh.authorizedKeys.keys;
in
{
services = {
kanidm = {
package = pkgs.kanidm_1_9.withSecretProvisioning;
server = {
enable = true;
settings = {
origin = "https://${authDomain}";
inherit domain;
bindaddress = "0.0.0.0:8443";
ldapbindaddress = "0.0.0.0:3890";
tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
tls_key = "/var/lib/acme/${domain}/key.pem";
db_fs_type = "zfs";
};
};
# Reuse the existing secret during migration; rotate/rename in a follow-up.
provision = {
enable = true;
instanceUrl = "https://${authDomain}";
adminPasswordFile = config.sops.secrets."kanidm/admin_password".path;
idmAdminPasswordFile = config.sops.secrets."kanidm/admin_password".path;
acceptInvalidCerts = false;
groups = {
gitea-users = {
present = true;
};
};
persons = {
alice = {
displayName = "Alice";
mailAddresses = [ "aliceghuston@gmail.com" ];
present = true;
groups = [ "gitea-users" ];
};
};
systems.oauth2.gitea = {
present = true;
displayName = "Gitea";
public = false;
basicSecretFile = config.sops.secrets."kanidm/gitea_oidc_client_secret".path;
originUrl = "https://nayeonie.com/user/oauth2/kanidm/callback";
originLanding = "https://nayeonie.com/";
preferShortUsername = true;
scopeMaps = {
gitea-users = [
"openid"
"email"
"profile"
];
};
claimMaps.groups.valuesByGroup = {
gitea-users = [ "gitea-users" ];
};
};
};
};
};
sops.secrets = {
"kanidm/admin_password".owner = "kanidm";
"kanidm/gitea_oidc_client_secret".owner = "kanidm";
};
# Certs are currently group-readable by haproxy for docker HAProxy.
users.users.kanidm.extraGroups = [ "haproxy" ];
systemd.services.kanidm-person-ssh-keys-bootstrap = {
description = "Bootstrap Kanidm SSH public keys for alice";
wantedBy = [ "multi-user.target" ];
requires = [ "kanidm.service" ];
after = [ "kanidm.service" ];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
path = [
config.services.kanidm.package
pkgs.coreutils
pkgs.gawk
pkgs.gnugrep
];
script = ''
set -eu
url="https://${authDomain}"
password="$(<${config.sops.secrets."kanidm/admin_password".path})"
state_dir="/var/lib/kanidm/ssh-bootstrap"
mkdir -p "$state_dir"
chmod 700 "$state_dir"
export HOME="$state_dir"
# Authenticate idm_admin for CLI operations.
printf '%s\n' "$password" | kanidm login -H "$url" -D idm_admin >/dev/null
existing_keys="$(kanidm -H "$url" -D idm_admin person ssh list-publickeys alice || true)"
i=0
${lib.concatMapStringsSep "\n" (
key:
" i=$((i + 1))\n if ! printf '%s\\n' \"$existing_keys\" | grep -Fq ${lib.escapeShellArg key}; then\n kanidm -H \"$url\" -D idm_admin person ssh add-publickey alice \"home-key-$i\" ${lib.escapeShellArg key} >/dev/null\n fi"
) aliceSshKeys}
'';
};
networking.firewall.allowedTCPPorts = [
3890
8443
];
}


@@ -34,7 +34,6 @@ in
local /.*arr-main /.*arr scram-sha-256
local /.*arr-log /.*arr scram-sha-256
local jellyseerr jellyseerr scram-sha-256
host all all 192.168.76.0/24 ldap ldapserver=127.0.0.1 ldapport=3890 ldapbasedn="dc=nayeonie,dc=com" ldapsearchattribute="uid"
'';
# initialScript = config.sops.secrets."postgres/init".path;


@@ -1,80 +1,72 @@
hydra:
environment: ENC[AES256_GCM,data:6Qje83f1eXNwBDrGEeq4itNWrDSSGlD3Qmz0Ni3AeMBfJ1Q/9bSeG0icCOynb0UkQfTccKYMECMG2Fn6NlP8sD/9nVyu3CSM7OO7+pJY7F/7vDl8p03e+aatIV+g34pzQygO1UYrfMrk1MDhmu+e05kugyHHFtmBAGeSc7o4cgH1tWQCY470CTtPv4HiLDFHyz1RYrXE6nZD+NynnNJGKGNYqBK85+pb9xJXgtwqB0J9kl0ZsCOyt8zs1WcFaXo+dK73Bpogv/clru6ckTo+bfY=,iv:imdrJ+CZxK7AQwbEsKyL/YfvgsXkUSfA/3AOz9FQeyc=,tag:8i4hFyrxZXBcOPT5MqjijA==,type:str]
environment: ENC[AES256_GCM,data:G/6DOeRdjjp5PGpsHCHneW2X/OQzSH6gozKmgOlK6/bSdQltv4U00AYNOrUYYlH9Yab7JSYBfQinsqRKyDVEp7LLPdlxBaztJiSZGGAdio+JHWwR7UAhAEXSgOh4qFq0SjdZzQduEOdfSYfksut3dJiAvpj6oo6hxuo8mkW4+UacpBmvpnrzHjJHeYYbb3krIhKG6bBqHLT403rLf5oYjnY16XUuYO7deAH99JkfCJKlKnDf3GLfnX78XoXSdOMUyf57PPq5EKA8mFdtZsbAmis=,iv:s903rYHyocGtVJ594+HtCyULGtuom6aUVDcbXPbH93I=,tag:YFkFAIU7cNHSuYnN+lShgA==,type:str]
nix-serve:
secret-key: ENC[AES256_GCM,data:fdZRXT0jnZMUtMTi32gPXfTJiV/xqhf0C6XnAf0hyQIVRof80P1zo5BTVt388NfBXIj0DHmsaH3Fx7m2Psoigo+B1YyUmobCQwe7NAjE281Aad2+r0xNa+YDNo1A5sKofTBORUUuAVBmQKHxByw=,iv:BrFOGZFzFNVuXUez/0bpklXAWOBy6dWYtmumVKXCOFo=,tag:pzy9q0uGxQioxxbxbrTTLw==,type:str]
secret-key: ENC[AES256_GCM,data:M8MJHHO8Hd/Gm6Nxy7/IPr0s6jHEDBB9LpZq8lIWQirvZPpgNrMrnP2xFJWEuJF/ND9hU09ZHA3efIBej2siRPOWSEu4gE65W/GMtpCcwEXF0hR/ISvBsH0fci/6KGbUCVg1x9AJpjJsqevPN7I=,iv:Weuziu2me+kdB9zk68nvLnyxv0ICwB1qA4z0Q39tT6k=,tag:nhcFfRQOxEandrf6CivahA==,type:str]
attic:
secret-key: ENC[AES256_GCM,data:nSKTRRZ9SeGv+kFPzu9EGPHlr6oy6cFDMqZ6t43MxQduVGliHlpnYTSwrDg3ybqov9ihP7JTEwlir/+goA5cPm6TZusYT8bczlMMWNgp10kbOGhAY+Ybv/FjiWjor6PSdGz6gXo3QSIKcUEs4CTxuSbNeoVno6x4EJltHWg/QNWDT4iAZB381SAxDGweMz+Hu0aXUKY0EMhXStcgr+b0h0JIv8KKjnatXDEQ/4r+jeRm8Qx47nUed8ZvEe/lHkK7D6ZV5O/yN7+QWw++SXEisuv3O0jGoiZ5oqdx99HfeLz2fw+3IrxZhg==,iv:PvQlzbYCCRuCbiV7SrVwulO4QX3OEYNkccIWFniQLfg=,tag:5sV3f+2WJmuJy0Wa62pZTQ==,type:str]
database-url: ENC[AES256_GCM,data:w1jHgn/PETG3SRRTZQvdPHnoUY1y4tHl2BpCwu03XncEPDjNP5J873mm78A2fFH/uQjuBhqRxtlK,iv:abwCrA9tgLHefCm+BVgwh4+g5CU9/Kskhvyka8/nbg8=,tag:3wJXL3u5cl/9WIVXdulHbA==,type:str]
adm: ENC[AES256_GCM,data:oPsk2Ks7zqIEGznU5iH5pplxFa85B8dj24lDx0tqy7Mt6ED1GHj7YLt37GGYaGQOM/YdFv3wmGG4Y4rSCLwE4kiM5iOFEcKnlePre1eoER1bf+tvFZOPyGq/SsFiYTSYqHTShfk0scHHkomwVf+gRwD3k4DjXbkjTof2ulg6Pce36E3oOEJaRzKBOrVprwpgPn8GKm1zcM5Ssr5z1ljXGx+JbtK2VtLKd2Q0kc+ikMe/cYo6YT3SlJNEKAmGRVtR/dtkkBwseBYhU7yfHbLqLGFO3EFZjYIkNfTRvDKEu6BB5wlcoKtxi4yjrz8iB2XNX5GCL7gXUWO2ZIsk4ZZMJFthqi9jYDrl,iv:f0YPT4avkVZPuo13wdNyglxW1Ea5cjKXcGa4eaPuMus=,tag:mGBnfXWCfJSHoYXH3gAsHA==,type:str]
secret-key: ENC[AES256_GCM,data:/wYnCD7qggeHdsNqkp1rZK839o/1olhJUlT1lrZpv1hTOZDduP2OGhz8kh2PrQR6Mq2Y/ALgHG3cFpJs7G64xDK0qRVGIDlC/9sTQIcF2JL49Free8vADe5ads64EN3vWgfmFoBMPmL0mc4qnDBGnBkDueFN5gy+1szK9tWK23tMl1wEWVsiqBwhuWqQBNRxeaHR2tQXI2Yg3fefq5+laOUjnSe1a8Kx4dJ7rXZuXe+H4uyU7roYFxlLpI8qZig0eUO9WUMX9WP0tKOr5OjsbJzBbdVlVT7lZ9ROYUceoxmcWecLlcyv3Q==,iv:DjH78Getnt3zzK9QLj+HS0cF1wtaBeadxSTrRb1uic0=,tag:KMPtWCq1KT1SSthh3fdsew==,type:str]
database-url: ENC[AES256_GCM,data:WHdAxNbkRxvNvfUWdPSbgeQXOS7f46OuDKTRuxf3cEyhbU5NAsGlCgfarUBXsHrCH79t7zDGlcRE,iv:trOxDY/ifsibKoX5YPOfKvX/q2ny6SgykiIBusgHxag=,tag:Cx9hhiJIhDLiojJmDdSDtg==,type:str]
adm: ENC[AES256_GCM,data:mP4xFGK3+YwyiUMwFaG6tY3tWLGY2YTGa4DRuHzW5Za3McmwEFUzlQQ4hGS2bPKOKwM2Pe5HYBwJnFkd6KRwx5civqsBMwFt4dfZ31xDEi9RxpEm9jCnCcvB1CY8cxNARIhceC12X/ZR8ianUpoINYSjOj4BRy4TEEigi5+V4DkAXeG8+x8SWjj/mRMQMcZud4i69Ul7tpzbjUHm0s/Aasvmib13u4ZbGX/AyoOX8pQwkRHoyfMK2OvRbaeQf9fPcQxOSBALYOIXk9mEGxN1FTFHrTvrY5s0w+hC1mAjX4qm4ZM77RneAI0fJaq1hHSZETIpJOCiQfR3bLuyzWKVestOE29V8Pwq,iv:bjK1QkWUc2vs+oUoC5Z0AKR1/tmrhSLvP8BP8gzghOg=,tag:dmSDM+gbsJMDkqgIPWBfGQ==,type:str]
postgres:
init: ENC[AES256_GCM,data:6a+xTs7S36ka64S7wGd9Wpfre2CW1CoQmnqfXqPolBcYOv9m0DmCmmyfMQsrRV+LQK3Yf+sYcy0=,iv:b5wD8XgPI8kjP8n5j144mMisJl3dhrx8nWF1P+gr0qo=,tag:wG+Hlu55WwJT1aairSFVlg==,type:str]
init: ENC[AES256_GCM,data:trwA30EswHEPa6V2GuHsGgU4NK/j/UQveldwHng0Ilwyqh9aZCgF3axP48MmcciBssux8DZ4O5U=,iv:VC+tpG5yuiBE7pjZ85lYCwHG/bTePxeXQDz2zyLyLYA=,tag:5+jwWTv5T5YWwQpR58QfOA==,type:str]
gitea:
dbpass: ENC[AES256_GCM,data:CN6uBXrpSYFiKxt9UfSwgw==,iv:71tgEcT+/246dPujwLwg2Z5SPICnGJUfeSA+uDgOmdU=,tag:melKWxmiE+XnukVtSt/iNg==,type:str]
minio: ENC[AES256_GCM,data:D6kLP4FEc7U4H4eg5IaXYZn9Z2eSMbsKUafJnTwhHrxVYUq6L7F61iBzONgkCMrwSma6H4RVq32TeRea1gZPVoRD2yryNRrxStkJUuf7t0cjwcS/6E+x0yI/v2osmf0LQYTmGRtH,iv:dFTBhjbpfzs82KCq1m40eu0j7GPpZmzt50qLvRzy6xo=,tag:cuRmYkXz7X4iaW0x4ASkJw==,type:str]
dbpass: ENC[AES256_GCM,data:8jECcEJ8JnK7fztTckzLrQ==,iv:yQMp5VrierOKXwiop0NUA7Qbn2eH5iUCVlKppZwKLIQ=,tag:rI9WT7zLIaFxVcTu3ufW4g==,type:str]
minio: ENC[AES256_GCM,data:LxY6AD+CZ9VQEl5FrG6o0XiOiizLcwiLiyH1WJD8mMCPWhDjGzt+k+YPOm1BpWzTZF8+2EoxR9oKFJu9mzTibl2Ieits0/RNwh1VdQALXw3FwfRym7CFS+Z5S8H9kGMoXWRrr+I5,iv:g/wq0r2HKfX2AwirT4hm/H1Ms/mtbf4ZuFLISikRyoI=,tag:he99s/WpKoN+lHR8r4K30w==,type:str]
upsmon:
password: ENC[AES256_GCM,data:gA10207c1NzBSK45ezth4C6N,iv:kjiY2M3Vy61iDH2ueQooVI4JA2CwfKN0rQsI0Ch4D7s=,tag:caRjEDvLpsx0sZFUfft6QQ==,type:str]
password: ENC[AES256_GCM,data:52Rxsh7KUq+aYjQORBC+Yq5B,iv:F05g/a5bv7DQ+eLlMqsNeRHLxzl7AyXU1zAlmFevQ6o=,tag:xkGDD3hDF+u5fUbP33OrlA==,type:str]
minio:
credentials: ENC[AES256_GCM,data:C4qbzvteveYpC84v013GDlKWYg6JHHaZuXirpaZ54u/mS6FZusC2qTBvdHz0pmFc95NbMb/wjcvZvYenMuSnU2V5BsK33XQ1UlSKzamt9v2IRAlllTT1vRCJ4EhCs/QEL0/pfGGJkxtUVW0NYFkJI67F6c3sFJUDfHYD,iv:FMRn/52gUfysGrsGhu5qF0OBDmGex6Ye/zfQyY215Xs=,tag:9tdvOcPgR28n+L+0zhMMbg==,type:str]
loki: ENC[AES256_GCM,data:4wza/33eESjF4C1mcl4NIqGnvYg3Mg==,iv:Bt1ORiuuIUnnGk4XlemhCdmjBNRLZo9ikH1rqrTbS/g=,tag:AYUO/JllKIQszTNpEuEDBw==,type:str]
credentials: ENC[AES256_GCM,data:5Z/cTmxSuMq8BfRgYLGZZJ7o6AtmrQM3yNjR17YHr29S7ZWvGsjfM7DsLKectem01nvv3HoT4uyWSdhkOmZahzDb5OF1NEgjJhLqkKlCETMu0mmpwe1cx6iOd7kjB3E6Az/MWpXqZ/TrryL9FrQD2nnx9bHyWWIHRQv8,iv:jiYZXfU+OssC0rh/3yFZLEzD1+5mVDDl6gQ3oyk76E4=,tag:bevDszFv1zSa+/2qQIgC0w==,type:str]
loki: ENC[AES256_GCM,data:ShC6hfsKifVaxLWRo1fqaOpsrYh4+w==,iv:KVSlPd0mBvPZikg/Agnl6q0UhxTmsNOeYdercYOhqMg=,tag:cj6ex9m7vDjInTJDGUlqFQ==,type:str]
docker:
minecraft: ENC[AES256_GCM,data:sAEACU9U51uafNJ2RlPBwN4/+EyEI3X9jXffMvrBYI+BgzmzQumhRMvUqYk4R4oFDtvz0RwTL2vGWMorFt1YaVQN+anfHDM=,iv:UXCicw5gC4hQUNqxbeuqtidMwJY0kvH55nMkEop5Ytc=,tag:X5b06FBnybFr4qSxU6NtmQ==,type:str]
foundry: ENC[AES256_GCM,data:CmMkfKPTq+oszR66vs+AshEdPDy81DA4OiPI/sgU2UwwXcgNTyuvmJRX7QNxsmiRQPb6EX+H6pcTESQtaqjYbCeo7n47b3BqyrTe/QrwkCAAtsdleWNNpTmmvIJi0RmxsagKheg=,iv:WxfWLsFqkTZajJT49CSi1ThQVrgYZl0vlsQo+MhrYsE=,tag:3XPErBxipOMkvze4pCerCg==,type:str]
nextcloud: ENC[AES256_GCM,data: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,iv:YLyg9+YdggHV43oLs6Mq0unUVkjXJnPA0jwvFbjUMfs=,tag:jxIEVqENGHFrAANH4ZUFPg==,type:str]
redis: ENC[AES256_GCM,data:b2pCrTVQqfIQEUv39imLrDFGu6KU1Dx/KD6Njcvt+x8=,iv:EHYRESYo8oTIiguay/SNbbuSVaok7szug5uiNNW0XEE=,tag:H+eQ+YvQDUOLHQJfX6qM2A==,type:str]
act-runner: ENC[AES256_GCM,data:4y61oMlpGQf6GSJACyRwLQVOKJTg9jSkOW4sqYOWI1+D0ObIllFNyYiFQvuIf3Vdo/ymhReWH50vKS0mMAdH+3BgBlbf0tjMsUBNlnjNbnXQXS+M0gia9RVcFxSuA+QGKIED37s5OrBJWbWk2HZIX04=,iv:x6SUtA0n56AazXDdsdhym0R8e4vY4q/5zzZ5fddZXPg=,tag:PlAjXV/ndmhX3iQ3AM3Eiw==,type:str]
collabora: ENC[AES256_GCM,data:3dcTIqpZtUEtEg/FG2zIyKfouLx/Yq0djOeNlS+78PltZipLYVT3jKhdVeb7,iv:wNKZF/DeKdJtZJRIXLj2AjT2cab5DQ1sr+wCYqgnNqg=,tag:AS0XIntMaGDv27TB7bRs5g==,type:str]
delugevpn: ENC[AES256_GCM,data:Dn+2Bk2fS0ptFYLQ0CFc+bTdJbXbE0j/Dy8N/5Up7MBP2Bk8MF1MdaY3ZFMU7RgDT+zvrgOjmiwGu8JCu2svDkq0SlqmiTZ8,iv:kPDQhEatzK/6Q1qjQGTru+bpOKQWD5R/VKndZrNlLbU=,tag:c4hzv9Ipjv9bIkAyqrgiQw==,type:str]
protonvpn-start-script: ENC[AES256_GCM,data:Hx/bYQg5qsx6z4G9yni+EzLCMKLAVxCHi+PYVl10PGOImfYlnG/puiSBRzu3zw68rcRg4fIz0yZgEjcYk3lu7kInx3GPrYCKSC0ej84W+j9vtEuYXC4WgXvqwTi/6P5428UhFP2FWiN5wV87pFp/LnEkVxi48uTI5r47ogkA06Gl37sQ7TZHvwGoQ106La7G3xYLDfvvdMVeASnDkIepDD6KduTI29C53l/XEoUcXQjOEtz5fmhRyVb7m0xs+DM2wRybEIUVALcIxjdWeiBoxxdVXxGD0+P277Gdy0uJPBt3iDg8dd3AAzwvTceyW+qe/8+RENySQ73cWblGyLzcqLRILCL/1YN82w==,iv:MgIyq8fltzPW9vww2gKvKQs84KkSMn4MFEvTMywTXvc=,tag:vjaH+8Pzpjx8y+7QJMP47Q==,type:str]
notifiarr: ENC[AES256_GCM,data:FMAr9EAiSeoibw8Dh9O+JGDtSg026hO3JSZseATzNAaHs8m+0SUTIksek5wwvheF,iv:3WMVFwIonJyEEsBSqIusALWw5C31oVNvxIGntd102Ng=,tag:ty246WK5TasOj04/sA+Qaw==,type:str]
bazarr: ENC[AES256_GCM,data:pCEIR+B33UPpjVNONzhNYVIHmMCCrdLED32c+jp+P7BLW60MK84TjPPTXi+touoRENaVgenYIv8qlsntL8Q=,iv:+ymGcWvrxedlrwT5ZF3dFrPOJ9DmiS5g05K0P097Lc0=,tag:qSr3i736oxpofnReUqfV2g==,type:str]
prowlarr: ENC[AES256_GCM,data:CzAf8AHWVV5fQNCTtycv4NuT5wwiyj9+qWbJEv9Gd5zCBazHe/x0lB7LW6FbBgQQnEqC/xjHBLGA1/0WWrraxmN8hfVBrKRqaqiRilO12isrhlFf,iv:moyDOW2l44AT1tFzTbx0PgPWGRBfZG6GI5tMeScEa8g=,tag:5CVhEW4fU9kkKO4YBuGb4g==,type:str]
radarr: ENC[AES256_GCM,data:a+Bt+rzWl6+Wheq6YpBQAxBpNmVJno4Eh11y3B6S5b9PEiXrmuVn+Druid1/y5P02yqhLA5vTvmPOHWmHERvN+L7WBiHL5ekZ36r+7wn,iv:102LIy/3hxdi6mk0BSIf+xl8k33yrpUGgI26WnJvCTQ=,tag:EmNE/JF3s7vgIZhHxru3Qw==,type:str]
sonarr: ENC[AES256_GCM,data:+VU8F7/aFTgMiGs+dejnqa5LJn6BH/V218oc0i5dQL1RcDXOfPdh414Px7coQg9vNoCfc2ZxFaCyHS100ee5dPiyfRHrdHKA72p2zrVF,iv:BIG/u+Eo1RonarTZ2jEEg7xzfkNd3A2agdP4ljEK2eY=,tag:05FzDAp0G09DVXoeOQqJSA==,type:str]
lidarr: ENC[AES256_GCM,data:90+0hbCF65gmYlvEkZnmtwUUnmFPv7AlzkBKr68UmF7i2yXz4L/OsEU2gFp/en7KOTNKioXXsdP887x9RzyAShO4TRzXkcb1um3DuKAo,iv:PvEsHuUlx8jxqNysoJIL5qb3kEaIbVHLFzRKS7TfL3g=,tag:s8IoyumcA0sB1c7drG5UNQ==,type:str]
jellyseerr: ENC[AES256_GCM,data:G+l6VjgOCUk4c95o5rGo2QUJizw7Ph66cJMqwY4YxYXDjNzZ3+be4GmDQyOzTV/+,iv:gbowrAmLLwAe2poU+H4l8mmpVLfrgQRICWNmLNBUADY=,tag:HI6r+9dBdNLkJnE7eC8BAQ==,type:str]
gluetun: ENC[AES256_GCM,data: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,iv:f46r4KA7IXFX3Xb5b6fxSPf+pkFjI126Ecie1S9Ggos=,tag:+Xzjz+FwIiC51J7dBcJBVQ==,type:str]
gluetun-qbitvpn: ENC[AES256_GCM,data:Ep8mXRdxEetIjkV+a5/yqbANPKOcvp2+WQ1YeTGeqiTxiskuHHnWhP6gJN9yN/oBJfFdNKssbC6CbLPAvuL/aJRGveWzzrr9iHZ5vo/+3NzDWUReSDFVCgstbDB2eBomd2wHVJm+hbEUUtmO3iNBEarEInRqq+5+HWSt1d4/pW61WgJ8buzNhdFjmjEEBoOUYCj5mfRl2kP7UC+WUvJRvl5l2RMt8fEDv0M4Z7RQLEbJtWRVpbIhauWpTbrMDDC+VA9lcvbXpRsxntWz5Va8Ya4GWBkJfM0bJX30TyFo9Iy+XZhlQ4rzbWtfdO9Dx/TCc9i6NQt9FBUZGy+jTt/rTAulB5mgDaIq3AfNsWbfDUYZ47U6S0hXW7qAKbJ6/KjDe9dac9Jttx1ihJhXK0lt/uM6E76AxCqOtutmKryo6mScNOxkRjeYqYwwpasNWpnZ47ytctAy3ZXt5Y5xAl77dqAv+UnMczUy1pzg/oNWZrtN55tFmT2Om0FjHW5lDPQSEfxr/qKEvsBdaofw6xWpqkrU0lejSpvFSFsVPMr2M5ZOlCbGm/BGo5yQ5P+Z3u3xGoXumwvpP5KfxFpVAiJb40F6wCcEVbxX8wITprv3+5E=,iv:HlrRrq1667jpnApWFS+4G1rUBYxL1nVbiocy27cCiec=,tag:A2yIHv5yl05CVROglOqUqA==,type:str]
gluetun-qbitperm: ENC[AES256_GCM,data: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,iv:pzhCttJCn2OGozuP/A0jKffdGBwkJnaH/QVnZEq7HJI=,tag:hGTxieZ6SI594FBwRjXAVQ==,type:str]
minecraft: ENC[AES256_GCM,data:krSM870t/IATwpUWNuKX8D5HHEvk+HeimKgodXssIYcBmdF1SZAwjUsSlx9fL3JiRtxfu0jSbhyD/2jLHMWqcix1WQGOVgs=,iv:ZTMxmzeSLQRCBF2t6r3dCDlcZ5BsBwZen6jOZN/HvGU=,tag:SES3lhRrRI8zBH1jnaV82w==,type:str]
foundry: ENC[AES256_GCM,data:5Z0FvVhJBzTwDPRN6c//caZokiTnkdqiLGFFuyen+tYsdjbQ3AXH5y7HfxKbxsJvU5uShOuIg0jVMvow2NYmzyYDDKBKPOz0bgXOmFq06wzCJubjyZmR/mDcWBBDzAFzaazpyW8=,iv:6wLS00zhX0tjJUe5uADAjzEshJP8QOkF2i4Aw+Y9RSk=,tag:sNr/exY1u3evYGcImyCUlA==,type:str]
nextcloud: ENC[AES256_GCM,data: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,iv:oOWcFdQJb/+KZKJmQChhJ5jOCcM3o+ojZSMyiRnO9n8=,tag:PWGQkwPe0juLgAdlKiWKpg==,type:str]
redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
delugevpn: ENC[AES256_GCM,data:YGkgaQUuA9oteKD77tnFzxZSHctyOQjMNlfvJr3mPWAl2P8wfcshiUoa6SNp69pagxbzRV6mfuzwzinbkQCoZN3lw7uF76y0,iv:Bro0H4tFR+3wi9DGGq9a6ge4o4uPlVXBUF7h17zyqg8=,tag:N1kVNFasqGMx8R9qTq2dJA==,type:str]
protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str]
notifiarr: ENC[AES256_GCM,data:XxVEhp4Rei6mRcdSSooRnofuVNZDalVhDYiVUmvQUr8QihrVRMKRE9Kpl5PGWUBw,iv:urMLaUf3XUjMks2vk0E7iRUU3mLHBiMAiwtQgmWQq20=,tag:dHdTOyC/ukd71UlYEI5fWw==,type:str]
bazarr: ENC[AES256_GCM,data:x+JdRCl3x3OM3lWmgcWikJSEnh5c5He5HmuLzCGAQ8zUXMi2Z3Kf6LzL+aoqtCBu3rabYZmQSLBoDm9CPkk=,iv:7e+3w46RUD2/OSlwrEe7BRxUqPPdt5+obIjQA8pr3xY=,tag:rHSijp/tcf/SGp5y4kJ0cw==,type:str]
prowlarr: ENC[AES256_GCM,data:hr3hYwRw0+/UD8anqZQjGy7rPkV2pad4Xi5FdXSf3Ftd1/jwlYfMqhqgEngFX30LLMWvJvjeu1TkTNzSEwI6ZCPdefNVYYwWavtm+XcBVxffGvFZ,iv:EXW48288IcCeGs/vP4tkAI4dxQAOh92Na43q/9cyuSc=,tag:pnYR26MDd82DjeUPdwCoUw==,type:str]
radarr: ENC[AES256_GCM,data:qCfoeEHb0ng5GhaY3QZiFvLVb25ZHNmgT0bRqEjBcelyP2819zCL7LxUPr08FxivEYZiAMFVleRozL8NMg6O5fh+2BatcYOfyh99zxIC,iv:HV3gTTnrjtab7x4Be+7hSe+nrD6BnPAmZBsHzi9Fujg=,tag:O6x0FDlasuJSRrGL/9SwpQ==,type:str]
sonarr: ENC[AES256_GCM,data:X/hM31ZyHybvy2eQzVnmq8CH1AqBgz1pxq7tKC4lZB3ryAbnEIJksffem8+35tWt/0r5cEH4aaIKD1kS7Q+Ma+8JrRLcWkt6CZq/wspz,iv:44FfdVpQCposXshzNe5DXAxExeQzjVKhkZaVbgKo8KU=,tag:WIWWUt1XBngUTwwqhCrcNw==,type:str]
lidarr: ENC[AES256_GCM,data:xERBECneutNUMZRrHukp8CaNrpI7SXUB16zUkauNP2+wto3eIc/K+2nMCkbwSC9AKlSjnUGSiORmAWn/jofTAuEzQljkCR1XCSkJRMmL,iv:iKf4fZtCfdjT/KuMFK5VFoLAV+Lll8uJowe9Q4cHyYw=,tag:xzmATTkrYRYm9Mw23zEO5g==,type:str]
jellyseerr: ENC[AES256_GCM,data:7dDfHFp8+WbJqrf7Ms/gmfroBePwegXh5CXn5FcOz8IEK7rTvr9KZfz9x/1BwdD8,iv:ZPi3OcMfH76A08piKY4P7hFbeMyouwBoeN5oL3ExzKU=,tag:oOZ37dy/y+DFqNRfAHexvQ==,type:str]
gluetun: ENC[AES256_GCM,data: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,iv:Cy3h5I3vbqKORdqw91SHL4tRMeGHMLsXgQ0USJ2jtzk=,tag:0J/p1sUQfXR4ujjY7VzZuQ==,type:str]
gluetun-qbitvpn: ENC[AES256_GCM,data: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,iv:N9zdyKJDsj049j5hZOSnAkS/VTWlC3crTODJKIpYYko=,tag:uYHq3CZj0P/BAv+0Ak5ZEw==,type:str]
gluetun-qbitperm: ENC[AES256_GCM,data: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,iv:kuueHxYafrEdyBxGUBoU2ks7kdr/rWMnXZmE3Kx/iK4=,tag:bNIfP3H5/Kh3ofuCGGx5Hg==,type:str]
acme:
bunny: ENC[AES256_GCM,data:uepw99ne34B4l9JAvCMiAXdFlwLjOYB1jCVgKNxb8vWDpMTTQZiwRDeJCcLk0zUSQcRujUwVaWKoPg0jvFYMONoC572NXRBh2F6HYO/avvnW5BkBN1Of,iv:w+84IMQSLkNxkKVJxNCOXhLRkh+DZ23aewAsLrvWn/s=,tag:DCPF9lgeNFZLcF48TSk5pg==,type:str]
dnsimple: ENC[AES256_GCM,data:5Xs337NsbdBIF4oN33q2kgJUZuVRklGtdTm4LsimRyvh/8yZeVRjmDSyl3ZX79YOvVgrVZKTLUXsG4Tuqp06J64=,iv:2Ca2wxA59nqWuy0GtbRyWnPA5nQsM1UOXUfCUoY195E=,tag:zQ3AEfmy9FNMvq3rVRQ5rA==,type:str]
bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
server-validation:
webhook: ENC[AES256_GCM,data:3uISyfwu4wYlvc0XjtZAikrwh/zeL4akh9/7FE4gJHoxL8o/JcV9tVyyYMNzs0d2jqndLeuS5i3KgEzwZiMy8qtDTD3E1rPvyBxKvwRj4DdnH2BcGgXtpexSk9Tgkc0BoTTQ4M6cYSxUR8i7mqk9AEiDYPgb1FtP2n0Y6bm5IvusjbQGtjImHBx4r77e,iv:WyRLzE5i+HG2jgp+CI2SRc3am3WsLDOoCCvUoIb8Jpc=,tag:kMdZAevE6qL8bpeifmcqdw==,type:str]
webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str]
typhon:
hashedPassword: ENC[AES256_GCM,data:Uy/pYazlkvQycWTrYKv1/566EgRIqek/pfjaJnifIqA1GUbTASBOENINnDx4ffJRwXoBzbIe+wSsalxwP9r7k9QERKaWpzr3Gppb+iI3Bpy1scy+R2sAjaR5fU0MKI+USppJSh2ARP1ZMA==,iv:iIGaAp9jX8dUAjiDBjrz/GDaD8x4/VDXJ9F2DN4cgmA=,tag:KrsqkjTdMJjLtsdqNiAsnw==,type:str]
garage:
rpc-secret: ENC[AES256_GCM,data:EOc5kBoZTPBFDyuvJ+iOm50htGggmgRfDmGTgFlyDgVGUYEtGVimQxlRipxDIexVnbG876u9JHtEXKAgiEK44w==,iv:eSUZ/Db7NZxiaIt9lRSbhKmX2i492o3e7lmDq4NeDXw=,tag:/QGSu3g6MIpaI3Y1uIE8pQ==,type:str]
admin-token: ENC[AES256_GCM,data:BvajakvOkU25kLTBmfAWJHkIPvfbgxJsV44D2jLE9w9+n175dnvPV79198c=,iv:oOvtberNXzMhzKXGHPPizQjIozsor7wnM3XiwVgLiBo=,tag:YlGJf1sHk/s7bjRaOZH0iA==,type:str]
kanidm:
admin_password: ENC[AES256_GCM,data:5xIjsjn9t0sAXLq+qi8LSyPVde99VV519fw+kZVX,iv:n6VjDeEaV6+Ai0zr52Dw1E5OD5DNzK826bFQtFhe3hg=,tag:MKD+PuczuDoH/PKN4cY+xA==,type:str]
gitea_oidc_client_secret: ENC[AES256_GCM,data:cr5HGHOwAvJ6LLBPWmfuRxltzJJ8t28vxnzB9sPKC+VwrYZ97ZJjfqtfY+7KyJNfI1knwrNKYNQu+bOqO8lhVQ==,iv:KT/1eiI4VnR8RG/pLCUhypVRctoLdM6hQunzpE8P05c=,tag:NV54JL5A3S8VVkbY7BIbhQ==,type:str]
restic:
kanidm_password: ENC[AES256_GCM,data:Zz+SOj9RBgVba8kNgCxhs5z7iuUPcYdE/a/FLJuJw46rquX290NvyH+4eDU=,iv:em9S1dzQ6Kgc4pZglLZlLPzSvAfey3Y6ZQhzNYIt2Ew=,tag:umN1oi4Fm1L/tFvFpt/RZA==,type:str]
kanidm_rest_password: ENC[AES256_GCM,data:alv88Ebr2BmfXjJ+cZfRgRXBPezCrFBYR+DpxOnjAo7hjP2V0sB+B7WTJhtt8z61lKHUoZDS1brxrDa3T8i30JFUjATTDeGs7FY+D8Wn8uIlj4YPQy4gIA==,iv:kxI8npRdyCeb/IbTUKXdF3lsQoPmQBP8S+di7bDKByc=,tag:/2Qc19/hcxiw62tDAsoW9A==,type:str]
hashedPassword: ENC[AES256_GCM,data:gMyY8gxUn3HzycQRu2cminqRFWghqWcjzZzTxAQZ5PJqn604iSwDiVdr7icHB7drJfCAfsE7L4oKRJgxaIAE32043oOkb2T7DDH8y2jxMzqmZCfbvrfMI4wdfRTHGqzxb6X/aZ5ai2rr1Q==,iv:4EsTo/lQld0o9iktDX9gobMlPUCitx1i9wn8EL16sIs=,tag:FgVDRHk2glDwpC/mprrPqQ==,type:str]
sops:
age:
- recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VkhzZ3cyNkFUYnppYnFa
NWtLNTJXSU5BS1V5d2xySlBxbjhtRzloOGxnClBVVjhINnNsWkxod2pNL3BIU0VE
b2F4NVpZK045NmphNzlwQkozMmU5S1UKLS0tIDlHcUEwMmVQSjZIVDFiVXNCRXZL
NExqdmo4Q0ZNVzUyWkZFVUl6NFdETk0Kd8zrbv2zC610vfDMCejxYv1UCvIvsOqM
bmvQ/wG/X1HqE4B8Yt6/5wNsM2/baLuXIBpGYAh7mgUaOQEkptZwMw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcWo4V1QyZS9HbHNwT3Jl
ZktNR2gwZ3BiWnYwZHpLUzR2YTlmN0ZUeEhnCkF6ekdkN0U2VGM1RFVhdTM0RW5u
bWdreGZrU0JwNDY1TnR2S1M3OTdKaWcKLS0tIEVBekE2eU8rcEhpVkhhWmxPc3JN
cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-02T16:58:48Z"
mac: ENC[AES256_GCM,data:ca+UYNGmlLgu5mLfES/ZUf+XyuRtwk8GKeeu/UtbgNGqSoGXlsTmPdiGfKhO+qUFmpTv7ZAs/zbXD7C6rScNjudtlXB2lNAlLFWnudCjD4cDxokhOWoWYf+1ezw/IubAeqbW3lHUGUeK/hpVp5Suk/93fEVRUpnZM4r9/WizNfE=,iv:BipesRJv/P/iPEOW7bTxv42ABwo9efvwFgBvEX+TokA=,tag:uHxfZML61MYll77pYUuMrg==,type:str]
lastmodified: "2026-01-17T01:50:50Z"
mac: ENC[AES256_GCM,data:8TGSqwEcfmrW1PjuzTVNyDTNs6s3oWbT0tI+rg7u2w5Dcw1EEU+SjJ6VpNY06AZHTjSD6E0O7NzUxybtMpslHUGitOGWwQCk+sbqRJuUseFe7bWFboEVoJpEoYGN5pnn52opMT+NeHGkXumaxjhDjCxfwn1RBHR7TgD4ZHEH6pE=,iv:szBUnn3HL/osWhmTwYmHrUghobWdBR60Lc6uUD/eGMY=,tag:6vgdJeJjL4ZYKc8WjixClg==,type:str]
pgp:
- created_at: "2026-05-02T16:58:48Z"
- created_at: "2024-11-28T18:56:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQWNzDMjrP2ISAQdAPCymqFWzYGcr+bPFS6IusIV2LHdy5g2ROGtXCoTmah4w
AezxMLS7d5zT9p277Vfoqwa1KFvrhoXbb3ORKAl4ONmACZpWOO3TobSkP0FvyEqi
0l4BrPiYgcK3Lz01cotP4KwfW1I/w7uW4OpxF0gUBiQe8pvxMgcO77S3pA3WdA4U
MmbwWW3dxGaora+gCSZjyx+y7vy5nDieUSjSskM1lYYsZQ52qRjiPVENzorEHDLD
=3fFC
hF4DQWNzDMjrP2ISAQdAPOYlp/3ZJrcXZbu5+XI+BHNzMbzw7+YhTYOfNgujU1gw
QfJDWAhiMd8cZF5PpX+RdN+Zrk5CCMgZH4hotv9gjf1oxitWuF2hv14k/RlAx8kr
1GgBCQIQB+LOoKIo7AHeucdV9NsM6H4Akv+Bzy8boarA4BGcyvgRWhS2u8zOQJc5
RKfRonTO51yjlKm0MEspvwrClO+aIuBaNNemuHdk4yhDUnNKVBFyLLOuqXbsFd+G
aSTmqvI3a/T5Cw==
=ph+p
-----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
unencrypted_suffix: _unencrypted
version: 3.12.2
version: 3.11.0
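Review bot: This sops secrets file should not change in a commit titled as a flake.lock update, and the change reads like a rollback rather than a rotation. Every ciphertext is rewritten, and if the second line of each printed pair is the new side (the +/- markers are lost on this page, so that is inferred), `lastmodified` moves from `2026-05-02T16:58:48Z` back to `2026-01-17T01:50:50Z` and `version` from `3.12.2` to `3.11.0`. The `garage`, `kanidm` and `restic` entries are printed only once, which suggests they are dropped on the new side. A rollback could bring back credentials that were rotated in between and leave services without the secrets they expect at activation. I would restore the file unchanged from the target branch (a sops file cannot be hand-edited without invalidating its `mac`) and have the update workflow limit its commit to `flake.lock`.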


@@ -21,5 +21,4 @@ rec {
primary_plex_storage = "${zfs_primary}/plex_storage";
primary_ollama = "${zfs_primary}/ollama";
primary_mattermost = "${zfs_primary}/mattermost";
primary_kanidm = "${zfs_primary}/kanidm";
}


@@ -90,7 +90,6 @@
gocryptfs
awscli2
claurst
];
};