luks migration, home migration fixes

add argiletum
2026-05-03 17:33:56 -04:00 · 2026-05-03 14:09:35 -04:00 · 2026-05-03 13:59:56 -04:00 · 2026-05-03 13:29:39 -04:00 · 2026-05-03 12:40:53 -04:00 · 2026-05-03 12:34:42 -04:00
35 changed files with 656 additions and 382 deletions
@@ -1,9 +1,11 @@
 # run `grep -Pv "^#" .gitconfig >> .git/config` to append the merge config to your repo file :)
 # run `git mergetool --tool=sops-mergetool <path to secret>/secrets.yaml` to use this once configured
-# the command below intentionally avoids nested shell quoting because git config parsing is strict
+# if for whatever reason the below doesn't work, try modifying the mergetool command as below
 #   find: $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh
 #   replace: ./utils/sops-mergetool.sh
 [mergetool "sops-mergetool"]
-	cmd = $(git rev-parse --show-toplevel)/utils/sops-mergetool.sh $BASE $LOCAL $REMOTE $MERGED
+	cmd = bash -c "$(git rev-parse --show-toplevel)/utils/sops-mergetool.sh \"\$BASE\" \"\$LOCAL\" \"\$REMOTE\" \"\$MERGED\""
 [merge]
 	tool = nvimdiff
 [mergetool "nvimdiff"]
-	layout = (LOCAL,BASE,REMOTE)/MERGED
+	layout = MERGED
@@ -0,0 +1,32 @@
 ---
 description: "Use when working with SOPS secrets files (secrets.yaml). Never modify secrets.yaml files directly — always prompt the user to make changes using sops edit."
 applyTo: "**"
 ---
 # SOPS Secrets Files — Read-Only
 Never modify any `secrets.yaml` file in this repository. These files are SOPS-encrypted and editing them directly (without `sops edit`) will corrupt the encryption and make the secrets unrecoverable.
 ## Rules
 - **Do NOT edit `secrets.yaml` files** using file editing tools, even for renaming keys, restructuring blocks, or adding new entries.
 - **Do NOT suggest patches or diffs** that target `secrets.yaml` files.
 - **Always prompt the user** to make the change themselves using:
  ```bash
  sops edit <path-to-secrets.yaml>
  ```
 - When a new secret key is needed (e.g., for a new SOPS reference in Nix code), tell the user the exact key name and value to add, and ask them to add it via `sops edit`.
 - You may **read** `secrets.yaml` files (e.g., with grep to check key names) — reading is safe. Only writing is forbidden.
 ## Example
 Instead of editing `systems/palatine-hill/secrets.yaml` directly, say:
 > Please run `sops edit systems/palatine-hill/secrets.yaml` and add the following under the `kanidm:` block:
 >
 > ```yaml
 > kanidm:
 >   gitea_oidc_client_secret: "<your-generated-secret>"
 > ```
@@ -9,6 +9,10 @@ keys:
    - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
    - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
    - &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
    # argiletum: replace placeholder after first boot with:
    #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
    # then run: sops updatekeys systems/argiletum/secrets.yaml
    - &argiletum age1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    # cspell:enable
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
@@ -55,3 +59,9 @@ creation_rules:
            - *admin_alice
          age:
            - *palatine-hill
    - path_regex: systems/argiletum/secrets.*\.yaml$
      key_groups:
        - pgp:
            - *admin_alice
          age:
            - *argiletum
@@ -1 +1,13 @@
-{}
+{
  "servers": {
    "honeycomb": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp.honeycomb.io/mcp"
      ],
      "type": "stdio"
    }
  },
  "inputs": []
 }
@@ -3,7 +3,7 @@
 This repository contains the flake required to build critical and personal
 infrastructure running NixOS. The setup can be explored as follows.
-This repo supports `x86_64-linux` and (theoretically) `aarch64-linux`.
+This repo supports `x86_64-linux` and (theorically) `aarch64-linux`.
 ## Setting Up
@@ -0,0 +1,206 @@
 > Note: This document was AI-generated and reviewed by a maintainer.
 # ADR 0001 — ZFS Native Encryption: Non-Interactive initrd Key Loading
 | | |
 |---|---|
 | **Status** | Accepted |
 | **Date** | 2026-05-03 |
 | **Deciders** | Alice Huston |
 | **Affects** | `systems/palatine-hill/hardware-changes.nix`, `systems/palatine-hill/zfs.nix` |
 ---
 ## Context
 `palatine-hill` uses ZFS native encryption for the `/nix` dataset (`ZFS-primary/nix`). The ZFS encryption key was stored on a separate LVM volume (`/crypto/keys/zfs-nix-store-key`) inside the same LUKS container as root.
 This created a forced ordering dependency: the `/nix` dataset could not be unlocked until root (`/`) and `/crypto` were both mounted, even though logically they are independent. Two custom initrd units worked around this:
 - `zfs-import-zfs-primary` — polling import loop (duplicates NixOS-native logic)
 - `zfs-load-nix-key` — reads key from `/sysroot/crypto/keys/zfs-nix-store-key` after `sysroot.mount`
 Additionally, `boot.zfs.requestEncryptionCredentials` was forced off entirely, and a `postBootCommands` fallback ran
 `zfs load-key -a` after stage 2 as a belt-and-suspenders measure. LUKS unlock was also interactive, requiring manual
 passphrase entry at boot.
 ### Current initrd dependency graph (before this ADR)
 ```mermaid
 flowchart TD
    A([initrd start]) --> B[systemd-udev-settle]
    A --> C["LUKS unlock nixos-pv\n⚠ interactive"]
    C --> D[LVM activate]
    D --> E["sysroot.mount\n/ on ext4"]
    D --> F["sysroot-crypto.mount\n/crypto on LVM volume"]
    B --> G["zfs-import-zfs-primary\n(custom polling loop, 60s timeout)"]
    E --> H["zfs-load-nix-key\n(reads /sysroot/crypto/keys/zfs-nix-store-key)"]
    F --> H
    G --> H
    H --> I["sysroot-nix.mount\nZFS-primary/nix"]
    I --> J([initrd-fs.target])
    E --> J
    J --> K([stage 2])
    K --> L["postBootCommands:\nzfs load-key -a"]
 ```
 ### Problems with the old approach
 1. **Cross-filesystem key dependency**: `/nix` unlock depends on root mount, coupling two logically independent operations.
 2. **Duplicated pool import logic**: the custom unit reimplements a polling loop that NixOS already generates natively; upstream fixes don't apply automatically.
 3. **Native credential handling fully disabled**: `requestEncryptionCredentials = false` makes the configuration opaque to NixOS module evaluation.
 4. **Double key load**: `postBootCommands` is a workaround indicating the initrd path is not reliable.
 5. **Interactive LUKS unlock**: manual passphrase entry required at every boot — defeats unattended operation.
 ---
 ## Options Considered
 ### Option A — Key embedded in initrd (`boot.initrd.secrets`)
 Store the ZFS key directly inside the initrd cpio archive. The key is available from the very start of stage 1 without mounting anything.
 **Pro**: Eliminates the cross-mount dependency; re-enables native NixOS ZFS handling; zero new infrastructure.
 **Con**: Key lives in the initrd on `/boot`, which is an unencrypted vfat partition. Anyone with physical or boot-partition read access has the key. Does not solve interactive LUKS unlock.
 ### Option B — Tang network key fetch (Clevis) ✅ Chosen
 Encrypt both secrets (LUKS passphrase and ZFS key) as Clevis JWE blobs. At boot, the initrd reaches a Tang server
 on the LAN to decrypt them. NixOS's `boot.initrd.clevis` module natively supports `luks`, `zfs`, and `bcachefs` —
 **no custom unit is needed for ZFS**.
 **Pro**: Key never present on disk in plaintext; unified unlock surface for both LUKS and ZFS; no cross-mount dependency; JWE blobs on disk are useless without the Tang server.
 **Con**: Adds Tang server as a boot dependency; server won't boot if Tang is unreachable.
 ---
 ## Decision
 **Option B (Tang/Clevis) is adopted** for both the LUKS root device and the ZFS `/nix` dataset.
 `boot.initrd.clevis.devices` handles both unlock targets natively. The custom `zfs-load-nix-key` unit is deleted
 entirely. The `zfs-import-zfs-primary` unit is retained — the pool must still be imported before Clevis can load the
 dataset key.
 Static networking is configured in the initrd using systemd-networkd with a static IP (`192.168.76.2/24`). DNS
 resolution (`192.168.76.1`, the OPNsense router running Unbound) allows the Tang URL to be `http://tang.lan`.
 ### New initrd dependency graph
 ```mermaid
 flowchart TD
    A([initrd start]) --> N["initrd-networkd\neno1: 192.168.76.2/24\nDNS: 192.168.76.1"]
    A --> B[systemd-udev-settle]
    N --> T["Tang server\ntang.lan"]
    T -->|"boot.initrd.clevis\n.devices.nixos-pv"| C["LUKS unlock nixos-pv\n(Clevis/Tang — unattended)"]
    T -->|"boot.initrd.clevis\n.devices.ZFS-primary/nix"| Z["ZFS-primary/nix key load\n(Clevis/Tang — unattended)"]
    C --> D[LVM activate]
    D --> E["sysroot.mount\n/ on ext4"]
    B --> G["zfs-import-zfs-primary\n(custom polling loop — retained)"]
    G --> Z
    Z --> I["sysroot-nix.mount\nZFS-primary/nix"]
    E --> J([initrd-fs.target])
    I --> J
    J --> L([stage 2 — fully unattended])
 ```
 ### Files changed
 | File | Change |
 |---|---|
 | `systems/palatine-hill/hardware-changes.nix` | Removed `requestEncryptionCredentials = mkForce false`, removed `postBootCommands`, added `boot.initrd.clevis` block for both devices, added `boot.initrd.systemd.network` with static IP + DNS, removed `/crypto` from `/nix` depends |
 | `systems/palatine-hill/zfs.nix` | Removed `zfs-load-nix-key` unit, added `boot.zfs.requestEncryptionCredentials = false` |
 ### Comparison
 | | Before | After |
 |---|---|---|
 | Custom initrd units | 2 (import + key load) | 1 (import only; key load is native Clevis) |
 | Key source | `/crypto` LVM volume (disk) | Tang server (network) |
 | Disk-based key exposure | Key on LVM volume inside LUKS | `.jwe` blob only; useless without Tang |
 | Cross-mount dependency | Yes | No |
 | LUKS interactive unlock | Yes | No (Clevis/Tang) |
 | Unattended boot | No | Yes (when Tang reachable) |
 ---
 ## Consequences
 - Boot requires Tang server to be reachable on `tang.lan`. If Tang is down, boot stalls at the Clevis timeout. Maintain Tang server uptime accordingly.
 - The `.jwe` files are safe to commit to the repository — they are encrypted blobs that are useless without the Tang server's private key.
 - Rolling back to a generation without Clevis (pre-ADR) requires manual LUKS passphrase entry at the console; ensure prior generations remain in the bootloader during initial cutover.
 ---
 ## Implementation Notes
 ### Prerequisites
 1. Deploy a Tang server on the LAN and create a DNS host override in OPNsense:
   - Services → Unbound DNS → Host Overrides → `tang` / `lan` / `<tang IP>`
 2. Verify DNS from palatine-hill before rebooting:
   ```bash
   resolvectl query tang.lan
   ```
 ### Create the JWE files
 Run from the repository root on a machine that has the LUKS passphrase and access to the running `/crypto` volume:
 ```bash
 # LUKS passphrase JWE — substitute your actual passphrase
 echo -n "your-luks-passphrase" | \
  clevis encrypt tang '{"url":"http://tang.lan"}' \
  > systems/palatine-hill/nixos-pv.jwe
 # ZFS dataset key JWE — key file from the running system
 clevis encrypt tang '{"url":"http://tang.lan"}' \
  < /crypto/keys/zfs-nix-store-key \
  > systems/palatine-hill/nix-store.jwe
 ```
 ### Commit and build
 ```bash
 git add systems/palatine-hill/nixos-pv.jwe systems/palatine-hill/nix-store.jwe
 git commit -m "feat(palatine-hill): add Clevis JWE files for Tang-based boot unlock"
 nix build .#palatine-hill   # verify build succeeds
 ```
 ### Deploy
 ```bash
 nh os switch   # keep previous generation in bootloader for rollback
 ```
 ### Verify after reboot
 ```bash
 # Confirm ZFS dataset was unlocked automatically
 zfs get keystatus ZFS-primary/nix
 # Expected: keystatus = available
 # Check Clevis log output
 journalctl -b | grep -i clevis
 # Confirm Tang was reached during initrd
 journalctl -b | grep -i tang
 ```
 ### Rollback procedure (if needed)
 Select the previous generation from the systemd-boot menu at boot. You will be prompted interactively for the LUKS passphrase — this is expected for the old generation.
@@ -68,6 +68,26 @@
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1777713215,
        "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "disko",
        "type": "github"
      }
    },
    "firefox-addons": {
      "inputs": {
        "nixpkgs": [
@@ -565,6 +585,7 @@
    },
    "root": {
      "inputs": {
        "disko": "disko",
        "firefox-addons": "firefox-addons",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
@@ -38,6 +38,11 @@
    systems.url = "github:nix-systems/default";
    # flake inputs with dependencies (in alphabetic order)
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    firefox-addons = {
      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
      inputs = {
@@ -167,6 +167,7 @@ rec {
          outputs
          server
          system
          home
          ;
      };
      modules = [
@@ -3,6 +3,7 @@
  inputs,
  outputs,
  server,
  home,
  system,
  ...
 }:
@@ -22,6 +23,9 @@
    mutableUsers = lib.mkDefault false;
  };
  networking.firewall.enable = lib.mkDefault true;
 }
 // lib.optionalAttrs home {
  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
@@ -34,5 +38,4 @@
    };
  };
  networking.firewall.enable = lib.mkDefault true;
 }
@@ -3,7 +3,6 @@ let
  localPackagesOverlay = final: _prev: {
    lego-latest = final.callPackage ./lego-latest/default.nix { };
    claurst = final.callPackage ./claurst/default.nix { };
    bitwarden-rofi = final.callPackage ./bitwarden-rofi/default.nix { };
  };
  mkPkgs =
@@ -22,7 +21,6 @@ let
      inherit (pkgs)
        lego-latest
        claurst
        bitwarden-rofi
        ;
    };
 in
@@ -42,7 +42,6 @@ forEachSystem (
      packages = with pkgs; [
        deadnix
        pre-commit
        openssl
        treefmt
        statix
        nixfmt
@@ -0,0 +1,37 @@
 { lib, ... }:
 {
  imports = [ ./disk.nix ];
  time.timeZone = "America/New_York";
  networking = {
    hostId = "c3798ccc";
    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 ];
    };
    useNetworkd = true;
  };
  # Raspberry Pi 4 uses U-Boot / extlinux — disable both GRUB and systemd-boot
  # TPM 2.0 HAT: systemd initrd required for tpm2-device auto-unlock
  # After first install, enroll with:
  #   systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --recovery-key /dev/mmcblk0p3
  boot = {
    useSystemdBoot = lib.mkForce false;
    loader.grub.enable = lib.mkOverride 0 false;
    initrd = {
      systemd.enable = true;
      luks.devices."cryptroot".crypttabExtraOpts = [ "tpm2-device=auto" ];
    };
  };
  sops = {
    defaultSopsFile = ./secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };
  services.tang.enable = true;
  system.stateVersion = "26.11";
 }
@@ -0,0 +1,12 @@
 { inputs, ... }:
 {
  system = "aarch64-linux";
  server = true;
  home = false;
  sops = true;
  users = [ "alice" ];
  modules = [
    inputs.nixos-hardware.nixosModules.raspberry-pi-4
    inputs.disko.nixosModules.disko
  ];
 }
@@ -0,0 +1,56 @@
 {
  disko.devices = {
    disk = {
      # SD card — change device to /dev/sda if booting from USB instead
      main = {
        type = "disk";
        device = "/dev/mmcblk0";
        content = {
          type = "gpt";
          partitions = {
            # Raspberry Pi firmware partition — must be vfat and first
            firmware = {
              size = "256MiB";
              type = "EF00";
              priority = 1;
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot/firmware";
                mountOptions = [
                  "fmask=0077"
                  "dmask=0077"
                ];
              };
            };
            # NixOS boot partition — holds kernels/initrds for each generation
            boot = {
              size = "1GiB";
              priority = 2;
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/boot";
              };
            };
            # Root filesystem — LUKS-encrypted, unlocked via TPM 2.0 HAT
            root = {
              size = "100%";
              priority = 3;
              content = {
                type = "luks";
                name = "cryptroot";
                settings.allowDiscards = true;
                content = {
                  type = "filesystem";
                  format = "ext4";
                  mountpoint = "/";
                };
              };
            };
          };
        };
      };
    };
  };
 }
@@ -0,0 +1,7 @@
 # TODO: after first boot, regenerate with:
 #   sudo nixos-generate-config --no-filesystems
 # (disko owns fileSystems; do not add them here)
 { ... }:
 {
  swapDevices = [ ];
 }
@@ -40,6 +40,9 @@
    dbus = {
      enable = true;
      implementation = "broker";
      packages = with pkgs; [
        gcr
      ];
    };
  };
@@ -7,7 +7,6 @@
    amdgpu_top
    android-tools
    bitwarden-cli
    bitwarden-rofi
    bfg-repo-cleaner
    brightnessctl
    btop
@@ -1,46 +0,0 @@
 { config, pkgs, ... }:
 {
  # Restic backups to the local REST server (docker/restic.nix, port 8010, private repos).
  # Each service gets its own repo: rest:http://localhost:8010/<username>/
  # REST credentials are injected via sops templates as an EnvironmentFile.
  # Add new jobs below following the same pattern.
  sops = {
    secrets."restic/kanidm_password" = { };
    secrets."restic/kanidm_rest_password" = { };
    # Compose a KEY=VALUE env file for the restic systemd service.
    templates."restic-kanidm-env" = {
      content = ''
        RESTIC_REST_USERNAME=kanidm
        RESTIC_REST_PASSWORD=${config.sops.placeholder."restic/kanidm_rest_password"}
      '';
    };
  };
  services.restic.backups = {
    kanidm = {
      repository = "rest:http://localhost:8010/kanidm/";
      passwordFile = config.sops.secrets."restic/kanidm_password".path;
      environmentFile = config.sops.templates."restic-kanidm-env".path;
      # Checkpoint the SQLite WAL before backup so the snapshot is consistent.
      backupPrepareCommand = ''
        ${pkgs.sqlite}/bin/sqlite3 /var/lib/kanidm/kanidm.db "PRAGMA wal_checkpoint(FULL);"
      '';
      paths = [ "/var/lib/kanidm" ];
      timerConfig = {
        OnCalendar = "04:00";
        Persistent = true;
      };
      pruneOpts = [
        "--keep-daily 7"
        "--keep-weekly 4"
        "--keep-monthly 3"
      ];
    };
  };
 }
@@ -19,10 +19,9 @@
    ./minio.nix
    ./networking.nix
    ./nextcloud.nix
    ./otel.nix
    #./plex
    ./postgresql.nix
    ./backup.nix
    ./kanidm.nix
    ./samba.nix
    ./zfs.nix
  ];
@@ -10,11 +10,11 @@
    #./firefly.nix
    #./foundry.nix
    ./glances.nix
-    ./haproxy.nix
+    # ./haproxy.nix
    ./minecraft.nix
    ./nextcloud.nix
    # ./postgres.nix
-    ./restic.nix
+    # ./restic.nix
    ./torr.nix
    # ./unifi.nix
  ];
@@ -58,7 +58,6 @@ frontend ContentSwitching
  acl host_prometheus hdr(host) -i prom.alicehuston.xyz
  acl host_gitea hdr(host) -i git.alicehuston.xyz
  acl host_gitea hdr(host) -i nayeonie.com
  acl host_kanidm hdr(host) -i auth.nayeonie.com
  # Backend-forwarding
  use_backend www_nodes if host_www
 #  use_backend ldapui_nodes if host_ldapui
@@ -76,7 +75,6 @@ frontend ContentSwitching
  use_backend minio_nodes if host_minio
  use_backend minio_console_nodes if host_minio_console
  use_backend gitea_nodes if host_gitea
  use_backend kanidm_nodes if host_kanidm
 #frontend ldap
 #  bind *:389
@@ -185,15 +183,6 @@ backend gitea_nodes
  mode http
  server server 192.168.76.2:6443
 backend kanidm_nodes
  mode http
  option forwardfor
  http-request set-header X-Forwarded-Proto https
  http-request set-header X-Forwarded-Host %[req.hdr(host)]
  acl internal src 192.168.76.0/24 192.168.191.0/24
  http-request deny unless internal
  server server 192.168.76.2:8443 ssl verify none
 #backend netdata_nodes
 #  mode http
 #  server server 192.168.76.2:19999
@@ -23,6 +23,8 @@
      };
      dependsOn = [
        "nextcloud"
        "grafana"
        "foundryvtt"
        "glances"
        "mc-router"
      ];
@@ -37,10 +37,6 @@ in
      service = {
        DISABLE_REGISTRATION = true;
      };
      openid = {
        ENABLE_OPENID_SIGNIN = true;
        ENABLE_OPENID_SIGNUP = false;
      };
      log = {
        LEVEL = "Trace";
        ENABLE_SSH_LOG = true;
@@ -75,48 +71,6 @@ in
    after = [ "docker.service" ];
  };
  systemd.services.gitea-kanidm-oidc-bootstrap = {
    description = "Bootstrap Gitea Kanidm OIDC auth source";
    wantedBy = [ "multi-user.target" ];
    requires = [ "gitea.service" ];
    after = [ "gitea.service" ];
    serviceConfig = {
      Type = "oneshot";
      User = "root";
      Group = "root";
    };
    path = [
      config.services.gitea.package
      pkgs.coreutils
      pkgs.gnugrep
    ];
    script = ''
      set -eu
      APP_INI="${config.services.gitea.customDir}/conf/app.ini"
      if gitea admin auth list --config "$APP_INI" | grep -Fq "Kanidm OIDC"; then
        exit 0
      fi
      gitea admin auth add-oauth \
        --config "$APP_INI" \
        --name "Kanidm OIDC" \
        --provider openidConnect \
        --key "gitea" \
        --secret "$(<${config.sops.secrets."kanidm/gitea_oidc_client_secret".path})" \
        --auto-discover-url "https://auth.nayeonie.com/oauth2/openid/gitea/.well-known/openid-configuration" \
        --scopes openid \
        --scopes profile \
        --scopes email \
        --full-name-claim-name name \
        --group-claim-name groups \
        --required-claim-name groups \
        --required-claim-value gitea-users \
        --admin-group gitea-users
    '';
  };
  networking.firewall.allowedTCPPorts = [ 6443 ];
  sops.secrets = {
@@ -1,38 +0,0 @@
 # HAProxy routing stubs for Kanidm.
 # These are ADDITIVE fragments — merge into your main haproxy config.
 # Assumes:
 #   - HAProxy terminates TLS using the acme-nayeonie.com certificate
 #   - Kanidm HTTPS listens on [::1]:8443
 #   - Kanidm LDAP compat listens on [::1]:3890
 #   - ACL-based routing by SNI / Host header
 #
 # In your main frontend (or add a dedicated one):
 #
 #   acl host_kanidm hdr(host) -i auth.nayeonie.com   # internal/admin only
 #
 #   use_backend kanidm if host_kanidm
 #
 # --- Kanidm backend ---
 #
 # backend kanidm
 #   mode http
 #   option forwardfor
 #   http-request set-header X-Forwarded-Proto https
 #   http-request set-header X-Forwarded-Host %[req.hdr(host)]
 #   acl internal src 192.168.76.0/24 192.168.191.0/24
 #   http-request deny unless internal
 #   server kanidm [::1]:8443 ssl verify none check
 #
 # --- Forward-auth pattern for protecting other backends with Kanidm ---
 #
 # To protect an existing backend with Kanidm OIDC, add oauth2-proxy.
 # The simplest
 # path for HAProxy is:
 #
 #   1. Deploy oauth2-proxy (services.oauth2-proxy) configured against
 #      Kanidm as OIDC provider (issuer https://auth.nayeonie.com).
 #   2. In HAProxy frontend, redirect unauthenticated requests to
 #      oauth2-proxy before forwarding to the real backend.
 #
 # This is left as a follow-up — get Kanidm running first.
 { ... }: { }
@@ -1,11 +1,7 @@
-{ lib, pkgs, ... }:
+{ lib, ... }:
 {
  boot = {
    zfs.requestEncryptionCredentials = lib.mkForce false;
    postBootCommands = ''
      ${pkgs.zfs}/bin/zfs load-key -a
    '';
    initrd = {
      services.lvm.enable = true;
      luks.devices = {
@@ -16,6 +12,28 @@
        };
      };
      clevis = {
        enable = true;
        useTang = true;
        devices = {
          # Unlock LUKS root device via Tang
          "nixos-pv".secretFile = ./nixos-pv.jwe;
          # Unlock ZFS native-encrypted dataset via Tang
          "ZFS-primary/nix".secretFile = ./nix-store.jwe;
        };
      };
      # Static networking needed in initrd so Tang is reachable before any disk mounts
      systemd.network = {
        enable = true;
        networks."10-initrd-eno1" = {
          matchConfig.Name = "eno1";
          address = [ "192.168.76.2/24" ];
          routes = [ { Gateway = "192.168.76.1"; } ];
          dns = [ "192.168.76.1" ];
          linkConfig.RequiredForOnline = "routable";
        };
      };
    };
  };
@@ -37,10 +55,7 @@
      "dmask=0077"
    ];
-    "/nix".depends = [
+    "/nix".depends = [ "/" ];
      "/"
      "/crypto"
    ];
  };
 }
@@ -6,6 +6,8 @@
 let
  hydra_notify_prometheus_port = "9199";
  hydra_queue_runner_prometheus_port = "9200";
  postgres_exporter_port = 9187;
  zfs_exporter_port = 9134;
 in
 {
  systemd.services.hydra-notify.serviceConfig.EnvironmentFile =
@@ -96,11 +98,24 @@ in
      enable = true;
      webExternalUrl = "https://prom.alicehuston.xyz";
      port = 9001;
-      exporters.node = {
+      exporters = {
        node = {
          enable = true;
          enabledCollectors = [ "systemd" ];
          port = 9002;
        };
        postgres = {
          enable = true;
          listenAddress = "127.0.0.1";
          port = postgres_exporter_port;
          runAsLocalSuperUser = true;
        };
        zfs = {
          enable = true;
          listenAddress = "127.0.0.1";
          port = zfs_exporter_port;
        };
      };
      scrapeConfigs = [
        {
          job_name = "palatine-hill";
@@ -119,6 +134,18 @@ in
            }
          ];
        }
        {
          job_name = "postgres-local";
          static_configs = [
            { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; }
          ];
        }
        {
          job_name = "zfs-local";
          static_configs = [
            { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.zfs.port}" ]; }
          ];
        }
        {
          job_name = "hydra-external";
          scheme = "https";
@@ -1,127 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  domain = "nayeonie.com";
  authDomain = "auth.${domain}";
  aliceSshKeys = config.users.users.alice.openssh.authorizedKeys.keys;
 in
 {
  services = {
    kanidm = {
      package = pkgs.kanidm_1_9.withSecretProvisioning;
      server = {
        enable = true;
        settings = {
          origin = "https://${authDomain}";
          inherit domain;
          bindaddress = "0.0.0.0:8443";
          ldapbindaddress = "0.0.0.0:3890";
          tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
          tls_key = "/var/lib/acme/${domain}/key.pem";
          db_fs_type = "zfs";
        };
      };
      # Reuse the existing secret during migration; rotate/rename in a follow-up.
      provision = {
        enable = true;
        instanceUrl = "https://${authDomain}";
        adminPasswordFile = config.sops.secrets."kanidm/admin_password".path;
        idmAdminPasswordFile = config.sops.secrets."kanidm/admin_password".path;
        acceptInvalidCerts = false;
        groups = {
          gitea-users = {
            present = true;
          };
        };
        persons = {
          alice = {
            displayName = "Alice";
            mailAddresses = [ "aliceghuston@gmail.com" ];
            present = true;
            groups = [ "gitea-users" ];
          };
        };
        systems.oauth2.gitea = {
          present = true;
          displayName = "Gitea";
          public = false;
          basicSecretFile = config.sops.secrets."kanidm/gitea_oidc_client_secret".path;
          originUrl = "https://nayeonie.com/user/oauth2/kanidm/callback";
          originLanding = "https://nayeonie.com/";
          preferShortUsername = true;
          scopeMaps = {
            gitea-users = [
              "openid"
              "email"
              "profile"
            ];
          };
          claimMaps.groups.valuesByGroup = {
            gitea-users = [ "gitea-users" ];
          };
        };
      };
    };
  };
  sops.secrets = {
    "kanidm/admin_password".owner = "kanidm";
    "kanidm/gitea_oidc_client_secret".owner = "kanidm";
  };
  # Certs are currently group-readable by haproxy for docker HAProxy.
  users.users.kanidm.extraGroups = [ "haproxy" ];
  systemd.services.kanidm-person-ssh-keys-bootstrap = {
    description = "Bootstrap Kanidm SSH public keys for alice";
    wantedBy = [ "multi-user.target" ];
    requires = [ "kanidm.service" ];
    after = [ "kanidm.service" ];
    serviceConfig = {
      Type = "oneshot";
      User = "root";
      Group = "root";
    };
    path = [
      config.services.kanidm.package
      pkgs.coreutils
      pkgs.gawk
      pkgs.gnugrep
    ];
    script = ''
            set -eu
            url="https://${authDomain}"
            password="$(<${config.sops.secrets."kanidm/admin_password".path})"
            state_dir="/var/lib/kanidm/ssh-bootstrap"
            mkdir -p "$state_dir"
            chmod 700 "$state_dir"
            export HOME="$state_dir"
            # Authenticate idm_admin for CLI operations.
            printf '%s\n' "$password" | kanidm login -H "$url" -D idm_admin >/dev/null
            existing_keys="$(kanidm -H "$url" -D idm_admin person ssh list-publickeys alice || true)"
            i=0
      ${lib.concatMapStringsSep "\n" (
        key:
        "      i=$((i + 1))\n      if ! printf '%s\\n' \"$existing_keys\" | grep -Fq ${lib.escapeShellArg key}; then\n        kanidm -H \"$url\" -D idm_admin person ssh add-publickey alice \"home-key-$i\" ${lib.escapeShellArg key} >/dev/null\n      fi"
      ) aliceSshKeys}
    '';
  };
  networking.firewall.allowedTCPPorts = [
    3890
    8443
  ];
 }
@@ -0,0 +1,117 @@
 {
  config,
  ...
 }:
 {
  # node_exporter (port 9002) and Prometheus (port 9001) are already configured
  # in hydra.nix — we just scrape the existing exporter here.
  services.opentelemetry-collector = {
    enable = true;
    settings = {
      receivers = {
        # Host-level system metrics
        hostmetrics = {
          collection_interval = "60s";
          scrapers = {
            cpu = { };
            memory = { };
            disk = { };
            filesystem = { };
            network = { };
            load = { };
            processes = { };
          };
        };
        # Scrape node_exporter for per-systemd-unit service state
        prometheus = {
          config = {
            scrape_configs = [
              {
                job_name = "node-exporter";
                scrape_interval = "60s";
                static_configs = [
                  {
                    targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
                    labels = {
                      host = "palatine-hill";
                    };
                  }
                ];
              }
              {
                job_name = "postgres-exporter";
                scrape_interval = "60s";
                static_configs = [
                  {
                    targets = [ "localhost:${toString config.services.prometheus.exporters.postgres.port}" ];
                    labels = {
                      host = "palatine-hill";
                    };
                  }
                ];
              }
              {
                job_name = "zfs-exporter";
                scrape_interval = "60s";
                static_configs = [
                  {
                    targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
                    labels = {
                      host = "palatine-hill";
                    };
                  }
                ];
              }
            ];
          };
        };
      };
      processors = {
        batch = { };
        # Attach hostname and other system resource attributes
        "resourcedetection/system" = {
          detectors = [ "system" ];
          system.hostname_sources = [ "os" ];
        };
      };
      exporters = {
        "otlp/honeycomb" = {
          endpoint = "api.honeycomb.io:443";
          headers = {
            # Expanded at runtime from the environment file
            "x-honeycomb-team" = "\${HONEYCOMB_API_KEY}";
          };
        };
      };
      service = {
        pipelines = {
          metrics = {
            receivers = [
              "hostmetrics"
              "prometheus"
            ];
            processors = [
              "resourcedetection/system"
              "batch"
            ];
            exporters = [ "otlp/honeycomb" ];
          };
        };
      };
    };
  };
  # Inject the Honeycomb API key at runtime — never stored in the Nix store
  systemd.services.opentelemetry-collector.serviceConfig.EnvironmentFile =
    config.sops.secrets."honeycomb/api-key".path;
  sops.secrets = {
    "honeycomb/api-key".owner = "root";
  };
 }
@@ -34,7 +34,6 @@ in
        local  /.*arr-main  /.*arr  scram-sha-256
        local  /.*arr-log  /.*arr  scram-sha-256
        local  jellyseerr  jellyseerr  scram-sha-256
        host   all  all  192.168.76.0/24  ldap ldapserver=127.0.0.1 ldapport=3890 ldapbasedn="dc=nayeonie,dc=com" ldapsearchattribute="uid"
      '';
      # initialScript = config.sops.secrets."postgres/init".path;
@@ -1,79 +1,76 @@
 hydra:
-    environment: ENC[AES256_GCM,data:6Qje83f1eXNwBDrGEeq4itNWrDSSGlD3Qmz0Ni3AeMBfJ1Q/9bSeG0icCOynb0UkQfTccKYMECMG2Fn6NlP8sD/9nVyu3CSM7OO7+pJY7F/7vDl8p03e+aatIV+g34pzQygO1UYrfMrk1MDhmu+e05kugyHHFtmBAGeSc7o4cgH1tWQCY470CTtPv4HiLDFHyz1RYrXE6nZD+NynnNJGKGNYqBK85+pb9xJXgtwqB0J9kl0ZsCOyt8zs1WcFaXo+dK73Bpogv/clru6ckTo+bfY=,iv:imdrJ+CZxK7AQwbEsKyL/YfvgsXkUSfA/3AOz9FQeyc=,tag:8i4hFyrxZXBcOPT5MqjijA==,type:str]
+    environment: ENC[AES256_GCM,data:G/6DOeRdjjp5PGpsHCHneW2X/OQzSH6gozKmgOlK6/bSdQltv4U00AYNOrUYYlH9Yab7JSYBfQinsqRKyDVEp7LLPdlxBaztJiSZGGAdio+JHWwR7UAhAEXSgOh4qFq0SjdZzQduEOdfSYfksut3dJiAvpj6oo6hxuo8mkW4+UacpBmvpnrzHjJHeYYbb3krIhKG6bBqHLT403rLf5oYjnY16XUuYO7deAH99JkfCJKlKnDf3GLfnX78XoXSdOMUyf57PPq5EKA8mFdtZsbAmis=,iv:s903rYHyocGtVJ594+HtCyULGtuom6aUVDcbXPbH93I=,tag:YFkFAIU7cNHSuYnN+lShgA==,type:str]
 nix-serve:
-    secret-key: ENC[AES256_GCM,data:fdZRXT0jnZMUtMTi32gPXfTJiV/xqhf0C6XnAf0hyQIVRof80P1zo5BTVt388NfBXIj0DHmsaH3Fx7m2Psoigo+B1YyUmobCQwe7NAjE281Aad2+r0xNa+YDNo1A5sKofTBORUUuAVBmQKHxByw=,iv:BrFOGZFzFNVuXUez/0bpklXAWOBy6dWYtmumVKXCOFo=,tag:pzy9q0uGxQioxxbxbrTTLw==,type:str]
+    secret-key: ENC[AES256_GCM,data:M8MJHHO8Hd/Gm6Nxy7/IPr0s6jHEDBB9LpZq8lIWQirvZPpgNrMrnP2xFJWEuJF/ND9hU09ZHA3efIBej2siRPOWSEu4gE65W/GMtpCcwEXF0hR/ISvBsH0fci/6KGbUCVg1x9AJpjJsqevPN7I=,iv:Weuziu2me+kdB9zk68nvLnyxv0ICwB1qA4z0Q39tT6k=,tag:nhcFfRQOxEandrf6CivahA==,type:str]
 attic:
-    secret-key: ENC[AES256_GCM,data:nSKTRRZ9SeGv+kFPzu9EGPHlr6oy6cFDMqZ6t43MxQduVGliHlpnYTSwrDg3ybqov9ihP7JTEwlir/+goA5cPm6TZusYT8bczlMMWNgp10kbOGhAY+Ybv/FjiWjor6PSdGz6gXo3QSIKcUEs4CTxuSbNeoVno6x4EJltHWg/QNWDT4iAZB381SAxDGweMz+Hu0aXUKY0EMhXStcgr+b0h0JIv8KKjnatXDEQ/4r+jeRm8Qx47nUed8ZvEe/lHkK7D6ZV5O/yN7+QWw++SXEisuv3O0jGoiZ5oqdx99HfeLz2fw+3IrxZhg==,iv:PvQlzbYCCRuCbiV7SrVwulO4QX3OEYNkccIWFniQLfg=,tag:5sV3f+2WJmuJy0Wa62pZTQ==,type:str]
+    secret-key: ENC[AES256_GCM,data:/wYnCD7qggeHdsNqkp1rZK839o/1olhJUlT1lrZpv1hTOZDduP2OGhz8kh2PrQR6Mq2Y/ALgHG3cFpJs7G64xDK0qRVGIDlC/9sTQIcF2JL49Free8vADe5ads64EN3vWgfmFoBMPmL0mc4qnDBGnBkDueFN5gy+1szK9tWK23tMl1wEWVsiqBwhuWqQBNRxeaHR2tQXI2Yg3fefq5+laOUjnSe1a8Kx4dJ7rXZuXe+H4uyU7roYFxlLpI8qZig0eUO9WUMX9WP0tKOr5OjsbJzBbdVlVT7lZ9ROYUceoxmcWecLlcyv3Q==,iv:DjH78Getnt3zzK9QLj+HS0cF1wtaBeadxSTrRb1uic0=,tag:KMPtWCq1KT1SSthh3fdsew==,type:str]
-    database-url: ENC[AES256_GCM,data:w1jHgn/PETG3SRRTZQvdPHnoUY1y4tHl2BpCwu03XncEPDjNP5J873mm78A2fFH/uQjuBhqRxtlK,iv:abwCrA9tgLHefCm+BVgwh4+g5CU9/Kskhvyka8/nbg8=,tag:3wJXL3u5cl/9WIVXdulHbA==,type:str]
+    database-url: ENC[AES256_GCM,data:WHdAxNbkRxvNvfUWdPSbgeQXOS7f46OuDKTRuxf3cEyhbU5NAsGlCgfarUBXsHrCH79t7zDGlcRE,iv:trOxDY/ifsibKoX5YPOfKvX/q2ny6SgykiIBusgHxag=,tag:Cx9hhiJIhDLiojJmDdSDtg==,type:str]
-    adm: ENC[AES256_GCM,data:oPsk2Ks7zqIEGznU5iH5pplxFa85B8dj24lDx0tqy7Mt6ED1GHj7YLt37GGYaGQOM/YdFv3wmGG4Y4rSCLwE4kiM5iOFEcKnlePre1eoER1bf+tvFZOPyGq/SsFiYTSYqHTShfk0scHHkomwVf+gRwD3k4DjXbkjTof2ulg6Pce36E3oOEJaRzKBOrVprwpgPn8GKm1zcM5Ssr5z1ljXGx+JbtK2VtLKd2Q0kc+ikMe/cYo6YT3SlJNEKAmGRVtR/dtkkBwseBYhU7yfHbLqLGFO3EFZjYIkNfTRvDKEu6BB5wlcoKtxi4yjrz8iB2XNX5GCL7gXUWO2ZIsk4ZZMJFthqi9jYDrl,iv:f0YPT4avkVZPuo13wdNyglxW1Ea5cjKXcGa4eaPuMus=,tag:mGBnfXWCfJSHoYXH3gAsHA==,type:str]
+    adm: ENC[AES256_GCM,data:mP4xFGK3+YwyiUMwFaG6tY3tWLGY2YTGa4DRuHzW5Za3McmwEFUzlQQ4hGS2bPKOKwM2Pe5HYBwJnFkd6KRwx5civqsBMwFt4dfZ31xDEi9RxpEm9jCnCcvB1CY8cxNARIhceC12X/ZR8ianUpoINYSjOj4BRy4TEEigi5+V4DkAXeG8+x8SWjj/mRMQMcZud4i69Ul7tpzbjUHm0s/Aasvmib13u4ZbGX/AyoOX8pQwkRHoyfMK2OvRbaeQf9fPcQxOSBALYOIXk9mEGxN1FTFHrTvrY5s0w+hC1mAjX4qm4ZM77RneAI0fJaq1hHSZETIpJOCiQfR3bLuyzWKVestOE29V8Pwq,iv:bjK1QkWUc2vs+oUoC5Z0AKR1/tmrhSLvP8BP8gzghOg=,tag:dmSDM+gbsJMDkqgIPWBfGQ==,type:str]
 postgres:
-    init: ENC[AES256_GCM,data:6a+xTs7S36ka64S7wGd9Wpfre2CW1CoQmnqfXqPolBcYOv9m0DmCmmyfMQsrRV+LQK3Yf+sYcy0=,iv:b5wD8XgPI8kjP8n5j144mMisJl3dhrx8nWF1P+gr0qo=,tag:wG+Hlu55WwJT1aairSFVlg==,type:str]
+    init: ENC[AES256_GCM,data:trwA30EswHEPa6V2GuHsGgU4NK/j/UQveldwHng0Ilwyqh9aZCgF3axP48MmcciBssux8DZ4O5U=,iv:VC+tpG5yuiBE7pjZ85lYCwHG/bTePxeXQDz2zyLyLYA=,tag:5+jwWTv5T5YWwQpR58QfOA==,type:str]
 gitea:
-    dbpass: ENC[AES256_GCM,data:CN6uBXrpSYFiKxt9UfSwgw==,iv:71tgEcT+/246dPujwLwg2Z5SPICnGJUfeSA+uDgOmdU=,tag:melKWxmiE+XnukVtSt/iNg==,type:str]
+    dbpass: ENC[AES256_GCM,data:8jECcEJ8JnK7fztTckzLrQ==,iv:yQMp5VrierOKXwiop0NUA7Qbn2eH5iUCVlKppZwKLIQ=,tag:rI9WT7zLIaFxVcTu3ufW4g==,type:str]
-    minio: ENC[AES256_GCM,data:D6kLP4FEc7U4H4eg5IaXYZn9Z2eSMbsKUafJnTwhHrxVYUq6L7F61iBzONgkCMrwSma6H4RVq32TeRea1gZPVoRD2yryNRrxStkJUuf7t0cjwcS/6E+x0yI/v2osmf0LQYTmGRtH,iv:dFTBhjbpfzs82KCq1m40eu0j7GPpZmzt50qLvRzy6xo=,tag:cuRmYkXz7X4iaW0x4ASkJw==,type:str]
+    minio: ENC[AES256_GCM,data:LxY6AD+CZ9VQEl5FrG6o0XiOiizLcwiLiyH1WJD8mMCPWhDjGzt+k+YPOm1BpWzTZF8+2EoxR9oKFJu9mzTibl2Ieits0/RNwh1VdQALXw3FwfRym7CFS+Z5S8H9kGMoXWRrr+I5,iv:g/wq0r2HKfX2AwirT4hm/H1Ms/mtbf4ZuFLISikRyoI=,tag:he99s/WpKoN+lHR8r4K30w==,type:str]
 upsmon:
-    password: ENC[AES256_GCM,data:gA10207c1NzBSK45ezth4C6N,iv:kjiY2M3Vy61iDH2ueQooVI4JA2CwfKN0rQsI0Ch4D7s=,tag:caRjEDvLpsx0sZFUfft6QQ==,type:str]
+    password: ENC[AES256_GCM,data:52Rxsh7KUq+aYjQORBC+Yq5B,iv:F05g/a5bv7DQ+eLlMqsNeRHLxzl7AyXU1zAlmFevQ6o=,tag:xkGDD3hDF+u5fUbP33OrlA==,type:str]
 minio:
-    credentials: ENC[AES256_GCM,data:C4qbzvteveYpC84v013GDlKWYg6JHHaZuXirpaZ54u/mS6FZusC2qTBvdHz0pmFc95NbMb/wjcvZvYenMuSnU2V5BsK33XQ1UlSKzamt9v2IRAlllTT1vRCJ4EhCs/QEL0/pfGGJkxtUVW0NYFkJI67F6c3sFJUDfHYD,iv:FMRn/52gUfysGrsGhu5qF0OBDmGex6Ye/zfQyY215Xs=,tag:9tdvOcPgR28n+L+0zhMMbg==,type:str]
+    credentials: ENC[AES256_GCM,data:5Z/cTmxSuMq8BfRgYLGZZJ7o6AtmrQM3yNjR17YHr29S7ZWvGsjfM7DsLKectem01nvv3HoT4uyWSdhkOmZahzDb5OF1NEgjJhLqkKlCETMu0mmpwe1cx6iOd7kjB3E6Az/MWpXqZ/TrryL9FrQD2nnx9bHyWWIHRQv8,iv:jiYZXfU+OssC0rh/3yFZLEzD1+5mVDDl6gQ3oyk76E4=,tag:bevDszFv1zSa+/2qQIgC0w==,type:str]
-    loki: ENC[AES256_GCM,data:4wza/33eESjF4C1mcl4NIqGnvYg3Mg==,iv:Bt1ORiuuIUnnGk4XlemhCdmjBNRLZo9ikH1rqrTbS/g=,tag:AYUO/JllKIQszTNpEuEDBw==,type:str]
+    loki: ENC[AES256_GCM,data:ShC6hfsKifVaxLWRo1fqaOpsrYh4+w==,iv:KVSlPd0mBvPZikg/Agnl6q0UhxTmsNOeYdercYOhqMg=,tag:cj6ex9m7vDjInTJDGUlqFQ==,type:str]
 docker:
-    minecraft: ENC[AES256_GCM,data:sAEACU9U51uafNJ2RlPBwN4/+EyEI3X9jXffMvrBYI+BgzmzQumhRMvUqYk4R4oFDtvz0RwTL2vGWMorFt1YaVQN+anfHDM=,iv:UXCicw5gC4hQUNqxbeuqtidMwJY0kvH55nMkEop5Ytc=,tag:X5b06FBnybFr4qSxU6NtmQ==,type:str]
+    minecraft: ENC[AES256_GCM,data:krSM870t/IATwpUWNuKX8D5HHEvk+HeimKgodXssIYcBmdF1SZAwjUsSlx9fL3JiRtxfu0jSbhyD/2jLHMWqcix1WQGOVgs=,iv:ZTMxmzeSLQRCBF2t6r3dCDlcZ5BsBwZen6jOZN/HvGU=,tag:SES3lhRrRI8zBH1jnaV82w==,type:str]
-    foundry: ENC[AES256_GCM,data:CmMkfKPTq+oszR66vs+AshEdPDy81DA4OiPI/sgU2UwwXcgNTyuvmJRX7QNxsmiRQPb6EX+H6pcTESQtaqjYbCeo7n47b3BqyrTe/QrwkCAAtsdleWNNpTmmvIJi0RmxsagKheg=,iv:WxfWLsFqkTZajJT49CSi1ThQVrgYZl0vlsQo+MhrYsE=,tag:3XPErBxipOMkvze4pCerCg==,type:str]
+    foundry: ENC[AES256_GCM,data:5Z0FvVhJBzTwDPRN6c//caZokiTnkdqiLGFFuyen+tYsdjbQ3AXH5y7HfxKbxsJvU5uShOuIg0jVMvow2NYmzyYDDKBKPOz0bgXOmFq06wzCJubjyZmR/mDcWBBDzAFzaazpyW8=,iv:6wLS00zhX0tjJUe5uADAjzEshJP8QOkF2i4Aw+Y9RSk=,tag:sNr/exY1u3evYGcImyCUlA==,type:str]
-    nextcloud: ENC[AES256_GCM,data:zAntt5+pFGhLMmC4T10F8ocj1+kYSnH0k+6H1Wk4WxiPTJvHQ/t+hZ+QzjmlKkiTvcaAoYWyrMJIB4U2MaIrrKAPN8vHtq1ihodBWlFifO+P6zfxCgQl3dbAMqXwini4ziKBZCw28x8dvFEozztIk7/a/TGNGj05fvGR9XUBHtVkt23ubXJqqZ4no6aGU8wgGizJ4OhQd/xTnM6m5ZvGPcv4vmtYXP0ts9eccx7nxDLmNgCHwIQSHEgR3JLUGKBcHZsc5jLQWdUPrhWXVmsAN1DKONrh5XC6rmN0/h1s5/qYCwx92XBzM6EssNBWKCtbmQ9ytSLAS90ygIs/Cr7Pu0qV9c0By+gimw054izWv4Ey2q/d/sJ9rblcmYFndgD1IOySFN8OUOO3Jd15DK6lojqrWtReVNcK/PbBPAvW+nNG3408YhQNC0eo5XMoK2RWiH8Npr39kykR/g/iDgR2cwrycbr/tnZp/OrPEGJx2axg1+om69joIfPBRL1Xe3KFKDmzTH8Cg0Wk78/6e71I3t8CheFfK8Ge6NfCti6nfUGd95Vp8ZS2LxQevloYDboV4mliOxK+JM4rRYHOCWZYAe8lZEqfdwjhYiYHfkKy2DJg,iv:YLyg9+YdggHV43oLs6Mq0unUVkjXJnPA0jwvFbjUMfs=,tag:jxIEVqENGHFrAANH4ZUFPg==,type:str]
+    nextcloud: ENC[AES256_GCM,data:dm2Cha+CvFORgdcBvJAzzdOGcJ95vLJYTZcUJnjNp6HOQIIoJrDone1NOAYJh9rdWG/17/ntOmd+TysAj4AsD0dw/PatZmy3I+dcVghkt2XNTc7jD64QjctIHzR+om1joAbKemG1R3St7qDU68TWYxoxIfYZcJvg3ds/lJcYgFRh079UZ/IRlGVR6sWPEXyY+UUrwtk0Fr+y8UtwwWZiLp0akUbIV06huRGiAp/PeWETuPPuacl2++ayIgJFZkJjUl/a52RI1Q0nLG5iyK6QYpY1JSRJTOkiQQ4PB5GRdLCdoM5/ZXTQ6gGcoM5jXFllsTn+yRicNRucuBp7Z2achbk6eITCdjjdXVI7zM4YXpzVLu5fJckLAu07aEIGYCBT7ZXd7TRgfB68POwtwaJGBozg+nuhq8xEH04yi8jFODH6aFplIgJ+bbaP72zw+92lzZa33FEtOwKdtx+YUv0eLLDJs+8Z6Sn6RyN8prwIz1/9LuIMx39g4R7id9W2bV2MXqTU4nN8f0TXWqe+hnb5pDLBaZOBMkwbRka6Vptsi4dbL5Lnexa2DoIHZ2unyxZ+4SkRt9LH39j8fXf2w5JPFCSLstf7+Zu7xzRS0TTCug7k,iv:oOWcFdQJb/+KZKJmQChhJ5jOCcM3o+ojZSMyiRnO9n8=,tag:PWGQkwPe0juLgAdlKiWKpg==,type:str]
-    redis: ENC[AES256_GCM,data:b2pCrTVQqfIQEUv39imLrDFGu6KU1Dx/KD6Njcvt+x8=,iv:EHYRESYo8oTIiguay/SNbbuSVaok7szug5uiNNW0XEE=,tag:H+eQ+YvQDUOLHQJfX6qM2A==,type:str]
+    redis: ENC[AES256_GCM,data:c+55cN6IpUNeKd+wC2zv3eunYjBsmZtXTczokqaxB2Q=,iv:M3pwNUlT9kUMv4JDE6bp/gub9CdBGxdApIvpOt3JpgE=,tag:3rPlV3U0AP9zAeF7xDouKw==,type:str]
-    act-runner: ENC[AES256_GCM,data:4y61oMlpGQf6GSJACyRwLQVOKJTg9jSkOW4sqYOWI1+D0ObIllFNyYiFQvuIf3Vdo/ymhReWH50vKS0mMAdH+3BgBlbf0tjMsUBNlnjNbnXQXS+M0gia9RVcFxSuA+QGKIED37s5OrBJWbWk2HZIX04=,iv:x6SUtA0n56AazXDdsdhym0R8e4vY4q/5zzZ5fddZXPg=,tag:PlAjXV/ndmhX3iQ3AM3Eiw==,type:str]
+    act-runner: ENC[AES256_GCM,data:gdrqXBBzdMW26MgNfP6P1c/m7pLANCXjcZLvVsxlWcgpAZd8IaO2FUqomL3xFI3UDPveQh0UvC3044ueoWhYJOq7ZmKJGvdf0ZrpP1MkXZKvjFjbTsuf/6/SYKhPqnP28HqznUWIVJYcRmP+A2oVeJY=,iv:/yOqJYDpxbqCm1whqcypp7Ba1Xlaebrv+h6lHr57Qa8=,tag:PzVqxP+QwQq69jqhmagj3w==,type:str]
-    collabora: ENC[AES256_GCM,data:3dcTIqpZtUEtEg/FG2zIyKfouLx/Yq0djOeNlS+78PltZipLYVT3jKhdVeb7,iv:wNKZF/DeKdJtZJRIXLj2AjT2cab5DQ1sr+wCYqgnNqg=,tag:AS0XIntMaGDv27TB7bRs5g==,type:str]
+    collabora: ENC[AES256_GCM,data:LPRkzPEv5qfzeWSDbf+L+0asfmiK5Mhj8jCdfVyvVQAaD75Cbo4qLD0Nc80z,iv:/l2vAyYYJChhv6T+JkHT4I74ZpdhvbVqxlDWIM4Y4bw=,tag:/+uzn1vtd1RnO9/lGiQAKA==,type:str]
-    delugevpn: ENC[AES256_GCM,data:Dn+2Bk2fS0ptFYLQ0CFc+bTdJbXbE0j/Dy8N/5Up7MBP2Bk8MF1MdaY3ZFMU7RgDT+zvrgOjmiwGu8JCu2svDkq0SlqmiTZ8,iv:kPDQhEatzK/6Q1qjQGTru+bpOKQWD5R/VKndZrNlLbU=,tag:c4hzv9Ipjv9bIkAyqrgiQw==,type:str]
+    delugevpn: ENC[AES256_GCM,data:YGkgaQUuA9oteKD77tnFzxZSHctyOQjMNlfvJr3mPWAl2P8wfcshiUoa6SNp69pagxbzRV6mfuzwzinbkQCoZN3lw7uF76y0,iv:Bro0H4tFR+3wi9DGGq9a6ge4o4uPlVXBUF7h17zyqg8=,tag:N1kVNFasqGMx8R9qTq2dJA==,type:str]
-    protonvpn-start-script: ENC[AES256_GCM,data:Hx/bYQg5qsx6z4G9yni+EzLCMKLAVxCHi+PYVl10PGOImfYlnG/puiSBRzu3zw68rcRg4fIz0yZgEjcYk3lu7kInx3GPrYCKSC0ej84W+j9vtEuYXC4WgXvqwTi/6P5428UhFP2FWiN5wV87pFp/LnEkVxi48uTI5r47ogkA06Gl37sQ7TZHvwGoQ106La7G3xYLDfvvdMVeASnDkIepDD6KduTI29C53l/XEoUcXQjOEtz5fmhRyVb7m0xs+DM2wRybEIUVALcIxjdWeiBoxxdVXxGD0+P277Gdy0uJPBt3iDg8dd3AAzwvTceyW+qe/8+RENySQ73cWblGyLzcqLRILCL/1YN82w==,iv:MgIyq8fltzPW9vww2gKvKQs84KkSMn4MFEvTMywTXvc=,tag:vjaH+8Pzpjx8y+7QJMP47Q==,type:str]
+    protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str]
-    notifiarr: ENC[AES256_GCM,data:FMAr9EAiSeoibw8Dh9O+JGDtSg026hO3JSZseATzNAaHs8m+0SUTIksek5wwvheF,iv:3WMVFwIonJyEEsBSqIusALWw5C31oVNvxIGntd102Ng=,tag:ty246WK5TasOj04/sA+Qaw==,type:str]
+    notifiarr: ENC[AES256_GCM,data:XxVEhp4Rei6mRcdSSooRnofuVNZDalVhDYiVUmvQUr8QihrVRMKRE9Kpl5PGWUBw,iv:urMLaUf3XUjMks2vk0E7iRUU3mLHBiMAiwtQgmWQq20=,tag:dHdTOyC/ukd71UlYEI5fWw==,type:str]
-    bazarr: ENC[AES256_GCM,data:pCEIR+B33UPpjVNONzhNYVIHmMCCrdLED32c+jp+P7BLW60MK84TjPPTXi+touoRENaVgenYIv8qlsntL8Q=,iv:+ymGcWvrxedlrwT5ZF3dFrPOJ9DmiS5g05K0P097Lc0=,tag:qSr3i736oxpofnReUqfV2g==,type:str]
+    bazarr: ENC[AES256_GCM,data:x+JdRCl3x3OM3lWmgcWikJSEnh5c5He5HmuLzCGAQ8zUXMi2Z3Kf6LzL+aoqtCBu3rabYZmQSLBoDm9CPkk=,iv:7e+3w46RUD2/OSlwrEe7BRxUqPPdt5+obIjQA8pr3xY=,tag:rHSijp/tcf/SGp5y4kJ0cw==,type:str]
-    prowlarr: ENC[AES256_GCM,data:CzAf8AHWVV5fQNCTtycv4NuT5wwiyj9+qWbJEv9Gd5zCBazHe/x0lB7LW6FbBgQQnEqC/xjHBLGA1/0WWrraxmN8hfVBrKRqaqiRilO12isrhlFf,iv:moyDOW2l44AT1tFzTbx0PgPWGRBfZG6GI5tMeScEa8g=,tag:5CVhEW4fU9kkKO4YBuGb4g==,type:str]
+    prowlarr: ENC[AES256_GCM,data:hr3hYwRw0+/UD8anqZQjGy7rPkV2pad4Xi5FdXSf3Ftd1/jwlYfMqhqgEngFX30LLMWvJvjeu1TkTNzSEwI6ZCPdefNVYYwWavtm+XcBVxffGvFZ,iv:EXW48288IcCeGs/vP4tkAI4dxQAOh92Na43q/9cyuSc=,tag:pnYR26MDd82DjeUPdwCoUw==,type:str]
-    radarr: ENC[AES256_GCM,data:a+Bt+rzWl6+Wheq6YpBQAxBpNmVJno4Eh11y3B6S5b9PEiXrmuVn+Druid1/y5P02yqhLA5vTvmPOHWmHERvN+L7WBiHL5ekZ36r+7wn,iv:102LIy/3hxdi6mk0BSIf+xl8k33yrpUGgI26WnJvCTQ=,tag:EmNE/JF3s7vgIZhHxru3Qw==,type:str]
+    radarr: ENC[AES256_GCM,data:qCfoeEHb0ng5GhaY3QZiFvLVb25ZHNmgT0bRqEjBcelyP2819zCL7LxUPr08FxivEYZiAMFVleRozL8NMg6O5fh+2BatcYOfyh99zxIC,iv:HV3gTTnrjtab7x4Be+7hSe+nrD6BnPAmZBsHzi9Fujg=,tag:O6x0FDlasuJSRrGL/9SwpQ==,type:str]
-    sonarr: ENC[AES256_GCM,data:+VU8F7/aFTgMiGs+dejnqa5LJn6BH/V218oc0i5dQL1RcDXOfPdh414Px7coQg9vNoCfc2ZxFaCyHS100ee5dPiyfRHrdHKA72p2zrVF,iv:BIG/u+Eo1RonarTZ2jEEg7xzfkNd3A2agdP4ljEK2eY=,tag:05FzDAp0G09DVXoeOQqJSA==,type:str]
+    sonarr: ENC[AES256_GCM,data:X/hM31ZyHybvy2eQzVnmq8CH1AqBgz1pxq7tKC4lZB3ryAbnEIJksffem8+35tWt/0r5cEH4aaIKD1kS7Q+Ma+8JrRLcWkt6CZq/wspz,iv:44FfdVpQCposXshzNe5DXAxExeQzjVKhkZaVbgKo8KU=,tag:WIWWUt1XBngUTwwqhCrcNw==,type:str]
-    lidarr: ENC[AES256_GCM,data:90+0hbCF65gmYlvEkZnmtwUUnmFPv7AlzkBKr68UmF7i2yXz4L/OsEU2gFp/en7KOTNKioXXsdP887x9RzyAShO4TRzXkcb1um3DuKAo,iv:PvEsHuUlx8jxqNysoJIL5qb3kEaIbVHLFzRKS7TfL3g=,tag:s8IoyumcA0sB1c7drG5UNQ==,type:str]
+    lidarr: ENC[AES256_GCM,data:xERBECneutNUMZRrHukp8CaNrpI7SXUB16zUkauNP2+wto3eIc/K+2nMCkbwSC9AKlSjnUGSiORmAWn/jofTAuEzQljkCR1XCSkJRMmL,iv:iKf4fZtCfdjT/KuMFK5VFoLAV+Lll8uJowe9Q4cHyYw=,tag:xzmATTkrYRYm9Mw23zEO5g==,type:str]
-    jellyseerr: ENC[AES256_GCM,data:G+l6VjgOCUk4c95o5rGo2QUJizw7Ph66cJMqwY4YxYXDjNzZ3+be4GmDQyOzTV/+,iv:gbowrAmLLwAe2poU+H4l8mmpVLfrgQRICWNmLNBUADY=,tag:HI6r+9dBdNLkJnE7eC8BAQ==,type:str]
+    jellyseerr: ENC[AES256_GCM,data:7dDfHFp8+WbJqrf7Ms/gmfroBePwegXh5CXn5FcOz8IEK7rTvr9KZfz9x/1BwdD8,iv:ZPi3OcMfH76A08piKY4P7hFbeMyouwBoeN5oL3ExzKU=,tag:oOZ37dy/y+DFqNRfAHexvQ==,type:str]
-    gluetun: ENC[AES256_GCM,data:sW3NXQ9GEGRA+j3+olbYNCVmLReHoRWC1oBhHcOCZ6zwx3jqvihEEZQgxgbEpPZ36NVVHTQgh9dX8wtYKUj1OzPBXuBh6V/AgTIMmrDurNUxul/jC2JVIZIka4RI58S1SKm/Ehz85Xx6lRR+VAKEyGg7R1I5+ciNjsZX8Sn/xHpGMAW4VCy/Iths0hdZWmkbJAG6XTsU1ZM01StI8s/ru/fphgcbLHws6mBMDEViKsATcGUcLMrjBT/xCeDXh24cyBCCba0rge4PtDekQwMT+aGS18cUjMF9LntCJJfdYp+gNDYrA6mprJrFJn6nrUjzT4RUSs0/+nQmuoyYvGE7RLM6lCGUZvkpQwaUJU2djzFBAHrpqqFF86ghbryt7vz6DZO2NaKpUsexAfDOsLFSXYacAVpZmm6aHsBm8woRzH67gGkxj51bIvzS1VWLjiEBxIJfChkWPqSbYh9I9mnKQdOxSSKCg0UlVCdWc5hB8NDDfZObJ2o5Ascw4eILR8lgjXm1XQxc08ZjEV9sqSlH8tr8IMSbWLAcVCHrATVfxsAG5bTbTOy/jyBGXjG7f7WQlN2RvHpHVrd8ppkYgPWJ0qbRsl6YJcvmEqeghLB+c0uYLXfoGMPOy8mb9SAfSLUMI/ODRy0=,iv:f46r4KA7IXFX3Xb5b6fxSPf+pkFjI126Ecie1S9Ggos=,tag:+Xzjz+FwIiC51J7dBcJBVQ==,type:str]
+    gluetun: ENC[AES256_GCM,data:ryhYVOYEZl5zDs+xMgbWI6q/Ei2AiNZJMxT/TcaHzTEocINgbczWk9GKeeZKno71vFXiF9/tPpYavLqvjWNL77doWDB+wiYrtBJ97PkQ70dqWntua9E8eCalYlIZpRbLsl5OA9ZHorIMPjjSB2CRYLCqq30PPi5I2TtRvs/g6LRUN4sZ/E2TTUjz7AEY7228ZEuHt1UkU+dY/jEbx6fwrm/ocP8xKvYUuAR1/Cx/z4N0mqmVl+FX/5dRSkmhpfAxO9ss898XKiJW4rewQIbG5ccYal+reZZr70TaEJQqg5KIfAnbp6dEjAsSXnRiEF801JXM0h+d14ECT4tQmdyvYBdCVnJ/Ibqw9D15cViHmeDbR68spqOCj67FSMKxgCVx4KFrxPOualsULX7RL/UbHq2cwyziSFkH4n2ljFlKohyj39F7EparJbiCOumNfhRWknDDwvXY+BjJhbAe19ccKP6QWrS68uBp0cTXqb0rVN/qlfz6Sj5EYj5M/u0rl6d5xctnKmOzfLjI2m5+E9WfDJaAUcP/Ihs+p2eD7aSQTIj+O7I66ju+UAz66D9ZoU1U3uVQ9gaPI5dOMmYdLKS3b19EVytwW2W13d0WXKIw5Vfb7MvFh9I0iPWq+ntL4jQzMYSwV5Y=,iv:Cy3h5I3vbqKORdqw91SHL4tRMeGHMLsXgQ0USJ2jtzk=,tag:0J/p1sUQfXR4ujjY7VzZuQ==,type:str]
-    gluetun-qbitvpn: ENC[AES256_GCM,data:Ep8mXRdxEetIjkV+a5/yqbANPKOcvp2+WQ1YeTGeqiTxiskuHHnWhP6gJN9yN/oBJfFdNKssbC6CbLPAvuL/aJRGveWzzrr9iHZ5vo/+3NzDWUReSDFVCgstbDB2eBomd2wHVJm+hbEUUtmO3iNBEarEInRqq+5+HWSt1d4/pW61WgJ8buzNhdFjmjEEBoOUYCj5mfRl2kP7UC+WUvJRvl5l2RMt8fEDv0M4Z7RQLEbJtWRVpbIhauWpTbrMDDC+VA9lcvbXpRsxntWz5Va8Ya4GWBkJfM0bJX30TyFo9Iy+XZhlQ4rzbWtfdO9Dx/TCc9i6NQt9FBUZGy+jTt/rTAulB5mgDaIq3AfNsWbfDUYZ47U6S0hXW7qAKbJ6/KjDe9dac9Jttx1ihJhXK0lt/uM6E76AxCqOtutmKryo6mScNOxkRjeYqYwwpasNWpnZ47ytctAy3ZXt5Y5xAl77dqAv+UnMczUy1pzg/oNWZrtN55tFmT2Om0FjHW5lDPQSEfxr/qKEvsBdaofw6xWpqkrU0lejSpvFSFsVPMr2M5ZOlCbGm/BGo5yQ5P+Z3u3xGoXumwvpP5KfxFpVAiJb40F6wCcEVbxX8wITprv3+5E=,iv:HlrRrq1667jpnApWFS+4G1rUBYxL1nVbiocy27cCiec=,tag:A2yIHv5yl05CVROglOqUqA==,type:str]
+    gluetun-qbitvpn: ENC[AES256_GCM,data:3IdmuLvWs5YRQZuG9y1GRTMKMbR7OynUUVluezviDOV22EkABvo3Ic/+xZrWi/lzAhQRwRsCGjinlUJf7lBvPLg53HaIplbzSIyd3IPLbKzEVAK32WYB/M5cGNQW+XV8TiKK72HO8+WG588A0bsuvp/wQ86ohpRHVrnlboANLS3diCNXI3VdFIHPGpvM77TqB3/vo2AFLKjxi2es4l6KRam8cEUFAz0eH03tTUYaxy+ewA5IZCQSbMURLFKKdh0EATTG5jIz3jFp372fnk8UBgFPeH8+N9VHNM6rnV6zAsC2Vlj2E1YQRTRqOwSK0NRAAV5NBbr7zumS3VS0rVUpIbZVrW/C2BSAVbzowkHuo5o1B7UFsryb3s2FJJGF2biaDoL+ijM5a0Qi4LfNeaSLNKrzaTin0wYq8rPrQKOUBZL4t6FsRbG7KHmfwM4uYdWqV5h1syjI9WWReuePVb416YvqSH9p8HhNsDTka8IGgYkHcYAXYuuxUc6sgQONBwrsdeN5Dhq1IedhuOW+3qAV+hHl8qmVgiWZ8Ss+nmo016nsikifEp08N7J8t3f86/SFZO+YMBxQ/K9PJLsJzR2jsBcf2aTlq0cuzXDvb4cMtro=,iv:N9zdyKJDsj049j5hZOSnAkS/VTWlC3crTODJKIpYYko=,tag:uYHq3CZj0P/BAv+0Ak5ZEw==,type:str]
-    gluetun-qbitperm: ENC[AES256_GCM,data:prNClo+0UtscI+TMwXRBdVflRWm5WLYT2kexJDoRTX37cMi9BzWYIRLwr86q/1xUIbcIraCGwHGd11CbOaY8xtfllW3oe4+YhNivAc87GJYz6mAhCiejvXJvyEySInbDq3jp0OJIPx8ROnzPCf7w5AZK9Jlfn3G3JwDYdYF/Cx8HYGv2V5JCFLLxdOG/KNnOOhSYW0IXoWVTcyT1/s62LrOMZ4KKza/yDKXn9XsWVt8+NSKXcc3HjuxhodZtCHptD0Ymqf04WOJNq100Xq++2BtiDsty86pMe45gC1vv2NiNdiBGnTQBhhkhllUM6R7t0zeZu9ROh50PGs1ozERs5WCktDsb4yfZlKtmkmPFwe5gSnHXu1t/n+8lounatfUnzKAk4nIs8KMnPxaEDPDY3DWoRXDgZU6a41/dxesOSt4wMISz0u45jKyNjZ4WFKjopLxYzekRZT9gnIu8qeLwT9G8PlqFjHrM6qxmAqMR0/Y6CHtuIHAoEWzepbZQ7MngOvUH6784r3DKTbAQetRIJHqJBsxRraOODTP9BPoPRb+hVYZm/g2264BtwmMFIs5pAtMpbjkRIMxKllUCBmf+/lL9+7TJ6EOJoIXiqOZNVQ4=,iv:pzhCttJCn2OGozuP/A0jKffdGBwkJnaH/QVnZEq7HJI=,tag:hGTxieZ6SI594FBwRjXAVQ==,type:str]
+    gluetun-qbitperm: ENC[AES256_GCM,data:kzSrILs78UkzNeAvxoDU3QsLKdapQNyQW9nq0it+7HhhwDQ0MJB1s2Ek8zKErTatpwzG8xiUK0HwX5hFLgNZYc+OE0CH4PUrgX1t6dykuPLD2rKQL7veElNgqhX0/39xNyopyJk2UMVFNSqoV1DCC/ja9MqX9+jBYk++7DeX7v1Gl1ntjzJ+zIscg0nOTN1eQAHtiOWtFU0COC/aA8KS+HLIsMkjrIk9UD4C/DE8AOS07s+gDxPRtl6L7324FRqjEHNyxAobWOOLeG711RZcskF7dlminVJu4aVGbBwIy/zDdHFxRwO6yaLr/AqrTlRVOa2O8Qu2Ydpv8ZNj2F6fHrVNNmVwvMEKYibV6oMVo72uT+DTz/mFaYuTUeuJfkdCy7tnQYhBnpbd5J4mKfVb8uOF9Tx02kL2fTFKyvtET3nrtakQUjv8mEqHn4F8136O2JvUBN5RmC3B3vRdFjYgdfwy8hUT9b0Cmi8w0Zzs+XGMRdvWv2g6b5fmlAn0K+a0KB1fdDLhvbIXhY+sYzR3yOH01K0lW3xVdnl1eMIFjZkUGRTi32HyCYb0SUA1EcXmtA4XmyZ6HHFEXFA5y2guVqU4xLyXXldM+lGB7yGLMcM=,iv:kuueHxYafrEdyBxGUBoU2ks7kdr/rWMnXZmE3Kx/iK4=,tag:bNIfP3H5/Kh3ofuCGGx5Hg==,type:str]
 acme:
-    bunny: ENC[AES256_GCM,data:uepw99ne34B4l9JAvCMiAXdFlwLjOYB1jCVgKNxb8vWDpMTTQZiwRDeJCcLk0zUSQcRujUwVaWKoPg0jvFYMONoC572NXRBh2F6HYO/avvnW5BkBN1Of,iv:w+84IMQSLkNxkKVJxNCOXhLRkh+DZ23aewAsLrvWn/s=,tag:DCPF9lgeNFZLcF48TSk5pg==,type:str]
+    bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
-    dnsimple: ENC[AES256_GCM,data:5Xs337NsbdBIF4oN33q2kgJUZuVRklGtdTm4LsimRyvh/8yZeVRjmDSyl3ZX79YOvVgrVZKTLUXsG4Tuqp06J64=,iv:2Ca2wxA59nqWuy0GtbRyWnPA5nQsM1UOXUfCUoY195E=,tag:zQ3AEfmy9FNMvq3rVRQ5rA==,type:str]
+    dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
 server-validation:
-    webhook: ENC[AES256_GCM,data:3uISyfwu4wYlvc0XjtZAikrwh/zeL4akh9/7FE4gJHoxL8o/JcV9tVyyYMNzs0d2jqndLeuS5i3KgEzwZiMy8qtDTD3E1rPvyBxKvwRj4DdnH2BcGgXtpexSk9Tgkc0BoTTQ4M6cYSxUR8i7mqk9AEiDYPgb1FtP2n0Y6bm5IvusjbQGtjImHBx4r77e,iv:WyRLzE5i+HG2jgp+CI2SRc3am3WsLDOoCCvUoIb8Jpc=,tag:kMdZAevE6qL8bpeifmcqdw==,type:str]
+    webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str]
 typhon:
-    hashedPassword: ENC[AES256_GCM,data:Uy/pYazlkvQycWTrYKv1/566EgRIqek/pfjaJnifIqA1GUbTASBOENINnDx4ffJRwXoBzbIe+wSsalxwP9r7k9QERKaWpzr3Gppb+iI3Bpy1scy+R2sAjaR5fU0MKI+USppJSh2ARP1ZMA==,iv:iIGaAp9jX8dUAjiDBjrz/GDaD8x4/VDXJ9F2DN4cgmA=,tag:KrsqkjTdMJjLtsdqNiAsnw==,type:str]
+    hashedPassword: ENC[AES256_GCM,data:gMyY8gxUn3HzycQRu2cminqRFWghqWcjzZzTxAQZ5PJqn604iSwDiVdr7icHB7drJfCAfsE7L4oKRJgxaIAE32043oOkb2T7DDH8y2jxMzqmZCfbvrfMI4wdfRTHGqzxb6X/aZ5ai2rr1Q==,iv:4EsTo/lQld0o9iktDX9gobMlPUCitx1i9wn8EL16sIs=,tag:FgVDRHk2glDwpC/mprrPqQ==,type:str]
 garage:
-    rpc-secret: ENC[AES256_GCM,data:EOc5kBoZTPBFDyuvJ+iOm50htGggmgRfDmGTgFlyDgVGUYEtGVimQxlRipxDIexVnbG876u9JHtEXKAgiEK44w==,iv:eSUZ/Db7NZxiaIt9lRSbhKmX2i492o3e7lmDq4NeDXw=,tag:/QGSu3g6MIpaI3Y1uIE8pQ==,type:str]
+    rpc-secret: ENC[AES256_GCM,data:Q2ZaAXcntD3yK6DynEpxab2TITByMZ7ECVrq1pb0ZU7hXOZnhaBmjdty/Os6len8l+GBl6+WaC0An6cFkhQTlQ==,iv:E8C4bnxMLXK9fky+KC7q8sHpmrEU5un0TEAwxVUBiLk=,tag:PiSiU+9NpyilH2aMs2Qc/Q==,type:str]
-    admin-token: ENC[AES256_GCM,data:BvajakvOkU25kLTBmfAWJHkIPvfbgxJsV44D2jLE9w9+n175dnvPV79198c=,iv:oOvtberNXzMhzKXGHPPizQjIozsor7wnM3XiwVgLiBo=,tag:YlGJf1sHk/s7bjRaOZH0iA==,type:str]
+    admin-token: ENC[AES256_GCM,data:Xjm8Xq99aDseR0jN50Uj3gLpeDaq2IGXzJCS0o1H0RgKX9LGdP8w508nWWE=,iv:+L9T3TEUSbIz+jo08ykjGHVhuz5ecmzrlhzD2iv48HE=,tag:7P2rY4F8cWFdG4Lm9n/etQ==,type:str]
-kanidm:
+honeycomb:
-    admin_password: ENC[AES256_GCM,data:5xIjsjn9t0sAXLq+qi8LSyPVde99VV519fw+kZVX,iv:n6VjDeEaV6+Ai0zr52Dw1E5OD5DNzK826bFQtFhe3hg=,tag:MKD+PuczuDoH/PKN4cY+xA==,type:str]
+    api-key: ENC[AES256_GCM,data:k+Z3tmF8pYwD6RokdZauQ/fMlhD5GbW1ekxzRnj0gEpQFlfGB8gQ6BPwbd7qk12ZhsCA4XdqmvsysAWJldYWrPo=,iv:dNAK/vbQYL7ir4UXhZMTWraZF1E6ps9EOF3skYe5wOk=,tag:5UJfCji/RmB5DIuR4179uw==,type:str]
    gitea_oidc_client_secret: ENC[AES256_GCM,data:cr5HGHOwAvJ6LLBPWmfuRxltzJJ8t28vxnzB9sPKC+VwrYZ97ZJjfqtfY+7KyJNfI1knwrNKYNQu+bOqO8lhVQ==,iv:KT/1eiI4VnR8RG/pLCUhypVRctoLdM6hQunzpE8P05c=,tag:NV54JL5A3S8VVkbY7BIbhQ==,type:str]
 restic:
    kanidm_password: ENC[AES256_GCM,data:Zz+SOj9RBgVba8kNgCxhs5z7iuUPcYdE/a/FLJuJw46rquX290NvyH+4eDU=,iv:em9S1dzQ6Kgc4pZglLZlLPzSvAfey3Y6ZQhzNYIt2Ew=,tag:umN1oi4Fm1L/tFvFpt/RZA==,type:str]
    kanidm_rest_password: ENC[AES256_GCM,data:alv88Ebr2BmfXjJ+cZfRgRXBPezCrFBYR+DpxOnjAo7hjP2V0sB+B7WTJhtt8z61lKHUoZDS1brxrDa3T8i30JFUjATTDeGs7FY+D8Wn8uIlj4YPQy4gIA==,iv:kxI8npRdyCeb/IbTUKXdF3lsQoPmQBP8S+di7bDKByc=,tag:/2Qc19/hcxiw62tDAsoW9A==,type:str]
 sops:
    age:
        - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VkhzZ3cyNkFUYnppYnFa
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcWo4V1QyZS9HbHNwT3Jl
-            NWtLNTJXSU5BS1V5d2xySlBxbjhtRzloOGxnClBVVjhINnNsWkxod2pNL3BIU0VE
+            ZktNR2gwZ3BiWnYwZHpLUzR2YTlmN0ZUeEhnCkF6ekdkN0U2VGM1RFVhdTM0RW5u
-            b2F4NVpZK045NmphNzlwQkozMmU5S1UKLS0tIDlHcUEwMmVQSjZIVDFiVXNCRXZL
+            bWdreGZrU0JwNDY1TnR2S1M3OTdKaWcKLS0tIEVBekE2eU8rcEhpVkhhWmxPc3JN
-            NExqdmo4Q0ZNVzUyWkZFVUl6NFdETk0Kd8zrbv2zC610vfDMCejxYv1UCvIvsOqM
+            cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
-            bmvQ/wG/X1HqE4B8Yt6/5wNsM2/baLuXIBpGYAh7mgUaOQEkptZwMw==
+            LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-02T16:58:48Z"
+    lastmodified: "2026-05-03T16:28:04Z"
-    mac: ENC[AES256_GCM,data:ca+UYNGmlLgu5mLfES/ZUf+XyuRtwk8GKeeu/UtbgNGqSoGXlsTmPdiGfKhO+qUFmpTv7ZAs/zbXD7C6rScNjudtlXB2lNAlLFWnudCjD4cDxokhOWoWYf+1ezw/IubAeqbW3lHUGUeK/hpVp5Suk/93fEVRUpnZM4r9/WizNfE=,iv:BipesRJv/P/iPEOW7bTxv42ABwo9efvwFgBvEX+TokA=,tag:uHxfZML61MYll77pYUuMrg==,type:str]
+    mac: ENC[AES256_GCM,data:dJ00o+Ny6btbOn7Pt5dc4iLx6FHJiTTx7onZDhjxya7Ywg2qAwHTiNP2q2aP6348w5uenlEGrgnV0Dc8xyHfApNCkJwj4G6UnI17jxEGn3lc0ZFNzJJ7jO2CJcwHir0E2G4XdPjmbZUdB3aKmM34dI9EEUWWhNFXdps4X0dNQcM=,iv:vOU3kHq0axRBrkNfVicQ/8H77nF0DGIJlpoDuJmwRGQ=,tag:uvoFkmaaTM8zpr1g2FpCMA==,type:str]
    pgp:
-        - created_at: "2026-05-02T16:58:48Z"
+        - created_at: "2024-11-28T18:56:39Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hF4DQWNzDMjrP2ISAQdAPCymqFWzYGcr+bPFS6IusIV2LHdy5g2ROGtXCoTmah4w
+            hF4DQWNzDMjrP2ISAQdAPOYlp/3ZJrcXZbu5+XI+BHNzMbzw7+YhTYOfNgujU1gw
-            AezxMLS7d5zT9p277Vfoqwa1KFvrhoXbb3ORKAl4ONmACZpWOO3TobSkP0FvyEqi
+            QfJDWAhiMd8cZF5PpX+RdN+Zrk5CCMgZH4hotv9gjf1oxitWuF2hv14k/RlAx8kr
-            0l4BrPiYgcK3Lz01cotP4KwfW1I/w7uW4OpxF0gUBiQe8pvxMgcO77S3pA3WdA4U
+            1GgBCQIQB+LOoKIo7AHeucdV9NsM6H4Akv+Bzy8boarA4BGcyvgRWhS2u8zOQJc5
-            MmbwWW3dxGaora+gCSZjyx+y7vy5nDieUSjSskM1lYYsZQ52qRjiPVENzorEHDLD
+            RKfRonTO51yjlKm0MEspvwrClO+aIuBaNNemuHdk4yhDUnNKVBFyLLOuqXbsFd+G
-            =3fFC
+            aSTmqvI3a/T5Cw==
            =ph+p
            -----END PGP MESSAGE-----
          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
@@ -21,5 +21,4 @@ rec {
  primary_plex_storage = "${zfs_primary}/plex_storage";
  primary_ollama = "${zfs_primary}/ollama";
  primary_mattermost = "${zfs_primary}/mattermost";
  primary_kanidm = "${zfs_primary}/kanidm";
 }
@@ -7,6 +7,7 @@
 {
  boot = {
    zfs.extraPools = [ "ZFS-primary" ];
    zfs.requestEncryptionCredentials = false;
    filesystem = "zfs";
    extraModprobeConfig = ''
      options zfs zfs_arc_min=82463372083
@@ -85,33 +86,6 @@
          fi
        '';
      };
      zfs-load-nix-key = {
        description = "Load ZFS key for ZFS-primary/nix in initrd";
        wantedBy = [ "initrd-fs.target" ];
        requires = [
          "sysroot.mount"
          "zfs-import-zfs-primary.service"
        ];
        after = [
          "sysroot.mount"
          "zfs-import-zfs-primary.service"
        ];
        before = [
          "initrd-fs.target"
          "sysroot-nix.mount"
        ];
        unitConfig.DefaultDependencies = "no";
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
        };
        path = with pkgs; [ zfs ];
        script = ''
          key_file="/sysroot/crypto/keys/zfs-nix-store-key"
          zfs load-key -L "file://$key_file" "ZFS-primary/nix"
        '';
      };
    };
  };
@@ -207,6 +207,14 @@ in
        };
      };
    };
    rbw = {
      enable = true;
      settings = {
        lockTimeout = 300;
        pinentry = pkgs.pinentry-gnome3;
        email = "snowinginwonderland@gmail.com";
      };
    };
  };
  services.gnome-keyring.enable = true;
@@ -268,7 +276,7 @@ in
    nextcloud-client
    bitwarden-cli
-    bitwarden-menu
+    rofi-rbw-wayland
    wtype
    obsidian
    libreoffice-qt-fresh
@@ -10,6 +10,8 @@ alice:
    attic-nix-cache-admin: ENC[AES256_GCM,data:xHJGeU4EUn1HRy2nIValiJ6iLZnYmmT6Njv/cGMh15Q0hJXKNBSsi8f0mAfLI7EX+GaC299VKh2uTlU25jptrAvogLxNJIc+LZBLsSkyGE/ojqqevHMKmZ/6eciLZRQL5ey9TM3V9HHyDOhGaFgdfawtwg/vyvbV13lZBKpqneAX9T3gPRuKRjV4/Uc/5cUckiOF8bQ50xVFN8Cql9HgGDJEGWgg4XUTPu5eYspof2EN63pYvU7wg6HD2begeLDvqc2/i2DIcsc0wqc5DgkY/dH2YtcssBtU8AR9vKpl+HmH/wvt6dfaEyZ7hF7ITGwWnOO6H2ko3SjYRfHkFK3XDmm1YRRjfkptnw==,iv:BdVgNyZ1azl5tKfH+RTeXuNV/rYY6hPvrareKlIXSeQ=,tag:/ar87eAjMod4TmQXoerNBQ==,type:str]
    gitea-actions-token: ENC[AES256_GCM,data:QTEPMAh1RWWJ/O3yhkQkEBTdVL8XhIRGCDbiM0lLjfILKF4SpSJ2sA==,iv:mBaaB1JHb2KVc9n2pdeX4pSMvb7q5z3joMT7rR5Whgs=,tag:ef+58SI4AUeqUsk3RVDsRQ==,type:str]
    gitea-pr-token: ENC[AES256_GCM,data:ybTya4X2wd65pNFSGbQkg73lu66GNtSba4yf8J6tT8XkuOtfvtBS4g==,iv:39mJiAlw4kud4l06jOpxOCRumChE/5q8IBNsPHG1rMc=,tag:MEvHD2b9E3fVHLlz7haNyw==,type:str]
    honeycomb-id: ENC[AES256_GCM,data:PndCclCbSMrgmlYdQ5a8//IB+hg9uB0ZwidIZFiKN6w=,iv:mxFcGPnY0eCliugvQT5HR9aGzJIvXZI6FTo8rphVQMM=,tag:3huIaIy7da0gx2G/BVJJLQ==,type:str]
    honeycomb-secret: ENC[AES256_GCM,data:x2MZPgAJz3I1m+rjSVpINZdQVbu50XiwEtPGEX/kbJw=,iv:bPNNtXIES0pCLc4Nu/886nwoOVXaZgyTxndSpyWWU0E=,tag:igdd/NPCDpcvzSd9LO4hyw==,type:str]
 sops:
    age:
        - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
@@ -39,8 +41,8 @@ sops:
            ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
            7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-07T23:43:57Z"
+    lastmodified: "2026-05-03T16:20:31Z"
-    mac: ENC[AES256_GCM,data:ygQzxSpGJqXwkOq7jGDeflA2FTSSxnre/PXm0LxmxzQQW5s7LeIVSI75fMqWir0WU3Pi/xroYGEWjpCG6JvxV5RiJycTONk8VE7c3jtw3AbrHSS0b1K5tJ+Sf+q3rHJFWWk/COrPk8IsRFNb+taqH4jnaH3AAVNo5u0C1CHKMes=,iv:FO2GVDXE8SjjA81/9cDwc+dX8kJ2oHt5kqkhNBuMb54=,tag:hgzRAmsh32SCvJEvKyV+vg==,type:str]
+    mac: ENC[AES256_GCM,data:/Ui0H0wgENYnzVB7V2aAbj4dIbE+sjRpPoso75xyKepmeeMp8nv8CJLKmLmtbp+rtX287teVw4hKxb/z8M6ZHIWmgt9Zgui8/+hw5hwuMmyjPeGqJQjFH8s4zcXkOKLDoFPA65gva5gaPsreqPwOSqgqYwmds5gOcxBI3Tqdh6E=,iv:ugtug8Vb7DRUp1eC2M6ooCoPFjbqZo8htHOV4AXIcSI=,tag:4sMJsh/r57Z4VFoOBmUmXw==,type:str]
    pgp:
        - created_at: "2024-09-05T06:10:22Z"
          enc: |-
@@ -55,4 +57,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
-    version: 3.10.1
+    version: 3.12.2
Author	SHA1	Message	Date
ahuston-0	b4233b8f1c	luks migration, home migration fixes Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 9s Details Check Nix flake / Perform Nix flake checks (pull_request) Successful in 3m49s Details	2026-05-03 17:33:56 -04:00
ahuston-0	43c026c451	add argiletum Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 9s Details Check Nix flake / Perform Nix flake checks (pull_request) Failing after 2m17s Details	2026-05-03 14:09:35 -04:00
ahuston-0	9222be4052	add argiletum	2026-05-03 13:59:56 -04:00
ahuston-0	24d451f825	add tang and clevis to palatine-hill	2026-05-03 13:29:39 -04:00
ahuston-0	f5d0f97400	Merge pull request 'add otel and honeycomb' (#225 ) from feature/otel-host into main Check flake.lock / Check health of `flake.lock` (push) Successful in 43s Details Check Nix flake / Perform Nix flake checks (push) Successful in 2m30s Details Reviewed-on: #225	2026-05-03 12:40:53 -04:00
ahuston-0	5dad72daa4	add otel and honeycomb Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 2m41s Details Check Nix flake / Perform Nix flake checks (pull_request) Successful in 5m6s Details	2026-05-03 12:34:42 -04:00