min
/
infra
1
0
Fork 0
Code Issues 15 Pull Requests Packages Projects Releases Wiki Activity

Update for 2026 

Signed-off-by: min <minish@riseup.net>
This commit is contained in:
minish 2026-01-23 20:18:51 -05:00
parent 9e7855ceb4
commit d832f0670c
Signed by: min
SSH Key Fingerprint: SHA256:mf+pUTmK92Y57BuCjlkBdd82LqztTfDCQIUp0fCKABc
30 changed files with 347 additions and 127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.sops.yaml
View File

@ -4,6 +4,11 @@ keys:
- &eidola age1uqxzduupzes3tgfrrlret0n6thyldmlef60nqfzk689lmg6yayvsqpwxj6 - &eidola age1uqxzduupzes3tgfrrlret0n6thyldmlef60nqfzk689lmg6yayvsqpwxj6
- &silver age19yhycdgqczrvttszq97ccljh684x3r7f5dj4p0wdwqsrusqlcayse0vsh3 - &silver age19yhycdgqczrvttszq97ccljh684x3r7f5dj4p0wdwqsrusqlcayse0vsh3
creation_rules: creation_rules:
- path_regex: secrets/ca\.key$
key_groups:
- age:
- *min
- *min-two
- path_regex: secrets/eidola/[^/]+$ - path_regex: secrets/eidola/[^/]+$
key_groups: key_groups:
- age: - age:

20
.vscode/settings.json vendored
View File

@ -1,12 +1,10 @@
{ {
"nix.enableLanguageServer": true, "nix.enableLanguageServer": true,
"nix.serverSettings": { "nix.serverSettings": {
"nil": { "nil": {
"formatting": { "formatting": {
"command": [ "command": ["alejandra"]
"alejandra" }
] }
} }
} }
},
}

22
.zed/settings.json Normal file
View File

@ -0,0 +1,22 @@
{
"languages": {
"Nix": {
"language_servers": ["nil", "!nixd"],
"formatter": {
"external": {
"command": "alejandra",
"arguments": ["--quiet", "--"]
}
}
},
"JSONC": {
"tab_size": 2
},
"YAML": {
"tab_size": 2
},
"Shell Script": {
"tab_size": 2
}
}
}

59
flake.lock
View File

@ -9,11 +9,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1748064728, "lastModified": 1764916461,
"narHash": "sha256-X2XBfe+BUBWsnaLm0E8vkc6aFD4RMT1CbXII0uWsz6Q=", "narHash": "sha256-DPCh+/tXkNF4bIDL117APMjPuNSFdxayXL5fWbqNIPs=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "471649fdec9104cad4a86efa365ab616620bf859", "rev": "cd1b845695ef39f7c4e3bfeb221dd28d99f74d24",
"revCount": 72, "revCount": 77,
"type": "git", "type": "git",
"url": "https://git.min.rip/min/breeze.git" "url": "https://git.min.rip/min/breeze.git"
}, },
@ -61,11 +61,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1727447169, "lastModified": 1766051518,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", "narHash": "sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", "rev": "d5eff7f948535b9c723d60cd8239f8f11ddc90fa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -81,11 +81,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747742835, "lastModified": 1768923567,
"narHash": "sha256-kYL4GCwwznsypvsnA20oyvW8zB/Dvn6K5G/tgMjVMT4=", "narHash": "sha256-GVJ0jKsyXLuBzRMXCDY6D5J8wVdwP1DuQmmvYL/Vw/Q=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "df522e787fdffc4f32ed3e1fca9ed0968a384d62", "rev": "00395d188e3594a1507f214a2f15d4ce5c07cb28",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -97,11 +97,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1733328505,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -115,11 +115,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1743550720, "lastModified": 1768135262,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5", "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -176,32 +176,33 @@
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"repo": "impermanence", "repo": "impermanence",
"rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1748162331, "lastModified": 1769089682,
"narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=", "narHash": "sha256-9yA/LIuAVQq0lXelrZPjLuLVuZdm03p8tfmHhnDIkms=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334", "rev": "078d69f03934859a181e81ba987c2bb033eebfc5",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-25.05", "ref": "nixos-25.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1743296961, "lastModified": 1765674936,
"narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -251,11 +252,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747603214, "lastModified": 1768863606,
"narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=", "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd", "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -314,11 +315,11 @@
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1701680307, "lastModified": 1731533236,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github" "type": "github"
}, },
"original": { "original": {

13
flake.nix
View File

@ -2,7 +2,7 @@
description = "computer systems infrastructure"; description = "computer systems infrastructure";
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
@ -15,7 +15,7 @@
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence/4b3e914cdf97a5b536a889e939fb2fd2b043a170";
breeze.url = "git+https://git.min.rip/min/breeze.git"; breeze.url = "git+https://git.min.rip/min/breeze.git";
breeze.inputs.nixpkgs.follows = "nixpkgs"; breeze.inputs.nixpkgs.follows = "nixpkgs";
@ -24,7 +24,7 @@
sim-breeze.inputs.nixpkgs.follows = "nixpkgs"; sim-breeze.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = inputs @ {self, ...}: outputs = inputs:
inputs.flake-parts.lib.mkFlake {inherit inputs;} { inputs.flake-parts.lib.mkFlake {inherit inputs;} {
flake = let flake = let
hosts = import ./nixos/hosts {inherit inputs;}; hosts = import ./nixos/hosts {inherit inputs;};
@ -34,12 +34,7 @@
systems = ["x86_64-linux"]; systems = ["x86_64-linux"];
perSystem = { perSystem = {pkgs, ...}: {
system,
pkgs,
inputs',
...
}: {
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
packages = with pkgs; [ packages = with pkgs; [
sops sops

18
nixos/hosts/eidola/configuration.nix
View File

@ -24,9 +24,11 @@
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
# Basic networking # Basic networking
networking.firewall.enable = true; networking.firewall = {
networking.firewall.allowedTCPPorts = [5201]; enable = true;
networking.firewall.allowedUDPPorts = [5201]; allowedTCPPorts = [5201];
allowedUDPPorts = [5201];
};
# Locales # Locales
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
@ -68,6 +70,16 @@
port = 22; port = 22;
} }
]; ];
hostKeys = [
{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa";
}
];
}; };
# My modules # My modules

5
nixos/hosts/eidola/mounts.nix
View File

@ -9,6 +9,7 @@ _: {
"/var/log" "/var/log"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/containers"
"/var/db/sudo" "/var/db/sudo"
"/etc/zfs" "/etc/zfs"
@ -32,6 +33,10 @@ _: {
depends = ["/persist"]; depends = ["/persist"];
neededForBoot = true; neededForBoot = true;
}; };
"/var/lib/containers" = {
depends = ["/persist"];
neededForBoot = true;
};
"/persist".neededForBoot = true; # no further config is needed, disko handles the rest "/persist".neededForBoot = true; # no further config is needed, disko handles the rest
}; };
} }

2
nixos/hosts/eidola/nebula.nix
View File

@ -14,7 +14,7 @@ in {
enable = true; enable = true;
enableLighthouse = false; enableLighthouse = false;
cert = ../../keys/n-srv-eidola.crt; cert = ../../keys/eidola.crt;
key = config.sops.secrets."nebula-key".path; key = config.sops.secrets."nebula-key".path;
extraInbound = [ extraInbound = [

18
nixos/hosts/silver/configuration.nix
View File

@ -29,7 +29,11 @@ in {
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
# Basic networking # Basic networking
networking.firewall.enable = true; networking.firewall = {
enable = true;
allowedTCPPorts = [5201];
allowedUDPPorts = [5201];
};
# Networking - IP configuration # Networking - IP configuration
networking = { networking = {
@ -81,8 +85,6 @@ in {
speedtest-cli speedtest-cli
]; ];
environment.variables.EDITOR = "vim"; environment.variables.EDITOR = "vim";
networking.firewall.allowedTCPPorts = [5201];
networking.firewall.allowedUDPPorts = [5201];
# Enable ssh server # Enable ssh server
services.openssh = { services.openssh = {
@ -95,6 +97,16 @@ in {
port = 22; port = 22;
} }
]; ];
hostKeys = [
{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa";
}
];
}; };
# My modules # My modules

16
nixos/hosts/silver/mounts.nix
View File

@ -1,8 +1,10 @@
_: { _: {
environment.persistence."/persist" = { environment.persistence."/persist" = {
hideMounts = true; # it doesn't make a difference if mounts
# are hidden from GNOME because we aren't
# using that
hideMounts = false;
directories = [ directories = [
# "/etc/secureboot"
"/etc/ssh" "/etc/ssh"
"/etc/secrets" "/etc/secrets"
@ -27,10 +29,20 @@ _: {
fileSystems = { fileSystems = {
"/".neededForBoot = true; "/".neededForBoot = true;
# this only works on older versions
# of impermanence (which i'm pinned to)
# it's better to use `RequiresMountsFor`, maybe
"/etc/ssh" = { "/etc/ssh" = {
depends = ["/persist"]; depends = ["/persist"];
neededForBoot = true; neededForBoot = true;
}; };
# this fixed "var-lib-containers.mount" reload failure
# when i was upgrading 25.05->25.11. i am not sure
# if it is a good idea or necessary or not
"/var/lib/containers" = {
depends = ["/persist"];
neededForBoot = true;
};
"/persist".neededForBoot = true; # no further config is needed, disko handles the rest "/persist".neededForBoot = true; # no further config is needed, disko handles the rest
}; };
} }

17
nixos/hosts/silver/services/bustaguard.nix Normal file
View File

@ -0,0 +1,17 @@
{config, ...}: {
sops.secrets."svc-bustaguard-ghcr-token" = {};
sops.secrets."svc-bustaguard-config" = {};
virtualisation.oci-containers.containers.bustaguard = {
image = "ghcr.io/harborseals/bustaguard:latest";
extraOptions = ["--rm"];
login = {
registry = "ghcr.io";
username = "minishd";
passwordFile = config.sops.secrets."svc-bustaguard-ghcr-token".path;
};
volumes = [
"${config.sops.secrets."svc-bustaguard-config".path}:/app/config.yaml"
];
};
}

5
nixos/hosts/silver/services/default.nix
View File

@ -1,4 +1,4 @@
{pkgs, ...}: { _: {
imports = [ imports = [
./vcnotifier.nix ./vcnotifier.nix
./breeze.nix ./breeze.nix
@ -14,6 +14,7 @@
./wireguard.nix ./wireguard.nix
./shim-navidrome.nix ./shim-navidrome.nix
./shim-maloja.nix ./shim-maloja.nix
./bustaguard.nix
]; ];
security.acme = { security.acme = {
@ -23,9 +24,7 @@
services.nginx = { services.nginx = {
enable = true; enable = true;
package = pkgs.nginxQuic;
recommendedZstdSettings = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedBrotliSettings = true; recommendedBrotliSettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;

2
nixos/hosts/silver/services/nebula.nix
View File

@ -13,7 +13,7 @@ in {
enable = true; enable = true;
enableLighthouse = true; enableLighthouse = true;
cert = ../../../keys/lh-silver.crt; cert = ../../../keys/silver.crt;
key = config.sops.secrets."svc-nebula-key".path; key = config.sops.secrets."svc-nebula-key".path;
extraInbound = []; extraInbound = [];

20
nixos/hosts/silver/services/wireguard.nix
View File

@ -6,14 +6,16 @@
interface = "wg0"; interface = "wg0";
wgPort = 49090; wgPort = 49090;
in { in {
sops.secrets."svc-wireguard-key" = {}; sops.secrets = {
sops.secrets."svc-wireguard-psk-0-2" = {}; "svc-wireguard-key" = {};
sops.secrets."svc-wireguard-psk-1-1" = {}; "svc-wireguard-psk-0-2" = {};
sops.secrets."svc-wireguard-psk-1-2" = {}; "svc-wireguard-psk-1-1" = {};
sops.secrets."svc-wireguard-psk-1-3" = {}; "svc-wireguard-psk-1-2" = {};
sops.secrets."svc-wireguard-psk-2-1" = {}; "svc-wireguard-psk-1-3" = {};
sops.secrets."svc-wireguard-psk-3-1" = {}; "svc-wireguard-psk-2-1" = {};
sops.secrets."svc-wireguard-psk-4-1" = {}; "svc-wireguard-psk-3-1" = {};
"svc-wireguard-psk-4-1" = {};
};
boot.kernel.sysctl."net.ipv4.ip_forward" = true; boot.kernel.sysctl."net.ipv4.ip_forward" = true;
@ -40,7 +42,7 @@ in {
''; '';
preShutdown = '' preShutdown = ''
${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p tcp -m multiport --dports 139,445 -j ACCEPT ${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p tcp -m multiport --dports 139,445 -j ACCEPT
${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p tcp -m multiport --dports 139,445 -j ACCEPT ${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p udp -m multiport --dports 139,445 -j ACCEPT
${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.4.1 -p tcp -m multiport --dports 49022 -j ACCEPT ${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.4.1 -p tcp -m multiport --dports 49022 -j ACCEPT
${iptables} -D FORWARD -i ${interface} -o ${interface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ${iptables} -D FORWARD -i ${interface} -o ${interface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${iptables} -D FORWARD -i ${interface} -o ${interface} -j DROP ${iptables} -D FORWARD -i ${interface} -o ${interface} -j DROP

3
nixos/hosts/silver/services/xray.nix
View File

@ -32,14 +32,11 @@ in {
}; };
# assign user/group to xray # assign user/group to xray
users.users.${user} = { users.users.${user} = {
isSystemUser = true; isSystemUser = true;
inherit group; inherit group;
}; };
users.groups.${group} = {}; users.groups.${group} = {};
systemd.services.xray.serviceConfig = { systemd.services.xray.serviceConfig = {
User = user; User = user;
Group = group; Group = group;

10
nixos/keys/ca.crt
View File

@ -1,5 +1,5 @@
-----BEGIN NEBULA CERTIFICATE----- -----BEGIN NEBULA CERTIFICATE V2-----
CjgKBm1pbmZyYSj8vdjBBjD88ubuBjogzzw7qn0fU8HJtJpdr49EKLgMhTLFCbgA MIGGoCCABm1pbmZyYaEHBAUKDQAAEIQB/4UEaXQMj4YEcPjaj4Igt49Xxopbdu1x
HK1WJ8LZDN9AARJAYFxxJPsQfUI+bNDOb3HMwegSpSoWpyZp0FpDI14BcnuTbasO M2lOkkKqlKSeK/aHv8DRSwwYrCOs6PuDQN9kGNLshq2P7NkNfjUlXvjIgTHB+SK2
DalRbIntnfs0485zdHVEEETeBBRr3rCmziY/DA== onsMVPWahwj7i3V60S/NlkGNfQU32Y6HaEtwwgOcDV39YHTmOTPMoAE=
-----END NEBULA CERTIFICATE----- -----END NEBULA CERTIFICATE V2-----

6
nixos/keys/eidola.crt Normal file
View File

@ -0,0 +1,6 @@
-----BEGIN NEBULA CERTIFICATE V2-----
MIGxoEuABmVpZG9sYaEHBAUKDQEBEKMKDAhpbnRlcm5hbIUEaXQTj4YEbTZ6j4cg
9J44UzZAMiD+WYDfBX8y9RzUppN5cB12we3ReFPboE2CIKNJsgonkA5Qti7MjnMs
C6dK082bmc72WnRIKbIo7iNdg0D26pZpZQAv9yjUf0ajUE+sBT9MmpY1K1+Iilak
edChqrbLLAwUOpoJTlObAmKAEnEl3j9bmijfLiPj7SMtS7AL
-----END NEBULA CERTIFICATE V2-----

6
nixos/keys/lh-silver.crt
View File

@ -1,6 +0,0 @@
-----BEGIN NEBULA CERTIFICATE-----
CnAKCWxoLXNpbHZlchIJgYC0UICA/P8PIghpbnRlcm5hbCjvvtjBBjD78ubuBjog
5jO2THNsXEv59VasXZnNpZh6s2b3mo1WlvHC3jrCHW5KICkUiAsYMUJqlkZMvhPb
Zcs48ZEdpMaH8ZQR+/YrCR94EkB6OOguIBOxqcmfuGbNDPZap6euF+oiYT5QhfPh
6HyEIZ1eRZkW0Q9v4QUKFdDbxKQfK0moxor6KlkLGLp9E2cL
-----END NEBULA CERTIFICATE-----

6
nixos/keys/n-srv-eidola.crt
View File

@ -1,6 +0,0 @@
-----BEGIN NEBULA CERTIFICATE-----
CnMKDG4tc3J2LWVpZG9sYRIJgYK0UICA/P8PIghpbnRlcm5hbCidv9jBBjD78ubu
Bjoga6Kii9Vqn9bB4mQnBUPHfQwvvJlUrKCTzbMZNsvDDTBKICkUiAsYMUJqlkZM
vhPbZcs48ZEdpMaH8ZQR+/YrCR94EkDQbthaT5aNgviM2RQH7/J3rMtRCcW8bWVW
anDTFdvSW8BLRTet38jrRT9TBiyB2AokYuHxCLcmePMmwGbh6yoO
-----END NEBULA CERTIFICATE-----

6
nixos/keys/silver.crt Normal file
View File

@ -0,0 +1,6 @@
-----BEGIN NEBULA CERTIFICATE V2-----
MIGxoEuABnNpbHZlcqEHBAUKDQABEKMKDAhpbnRlcm5hbIUEaXQNQ4YEbTZ0Q4cg
9J44UzZAMiD+WYDfBX8y9RzUppN5cB12we3ReFPboE2CIBsnWV1JH2xAuS3pIr4r
gLi10CzWDIYqupE/Va760nMQg0B35mxnvbj3Z3b8FlObhlLaB2jd0OvKP/1U8KHT
DPrCCFhRx4WlrdbJmyKTd87tIix/dNh/3fBDuVE8m6nhZj4B
-----END NEBULA CERTIFICATE V2-----

3
nixos/modules/default.nix
View File

@ -25,8 +25,9 @@
nixos.enable = false; nixos.enable = false;
}; };
# Immutable users # User management
users.mutableUsers = false; users.mutableUsers = false;
services.userborn.enable = true;
### Nix settings ### ### Nix settings ###
nix = { nix = {

2
nixos/modules/nebula/default.nix
View File

@ -48,7 +48,7 @@ with lib; let
}; };
}; };
baseClient = let baseClient = let
lhs = {"10.13.0.1" = ["66.23.198.122:4242"];}; lhs = {"10.13.0.1" = ["66.23.198.122:4242"];}; # TODO: hardcoding
lhsInternal = attrNames lhs; lhsInternal = attrNames lhs;
in { in {
lighthouses = lhsInternal; lighthouses = lhsInternal;

36
scripts/install.sh
View File

@ -1,7 +1,7 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# fail on errors # fail on errors
set -e set -eo pipefail
die() { die() {
echo >&2 "$@" echo >&2 "$@"
@ -9,32 +9,34 @@ die() {
} }
# parse args # parse args
POSITIONAL_ARGS=() I_ARGS=()
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case $1 in case $1 in
-c|--nixos-config) -c|--nixos-config)
NAME="$2" I_CONFIG="$2"
shift # past argument shift # past argument
shift # past value shift # past value
;; ;;
-k|--key-dir) -k|--key-dir)
KEYDIR="$2" I_KEYDIR="$2"
shift # past argument shift # past argument
shift # past value shift # past value
;; ;;
*) *)
POSITIONAL_ARGS+=("$1") # save positional arg I_ARGS+=("$1") # save positional arg
shift # past argument shift # past argument
;; ;;
esac esac
done done
# check args # check args
[ ! -f "$KEYDIR/host.pub" ] && die "host pubkey missing!" [ -z "$I_CONFIG" -o -z "$I_KEYDIR" -o ${#I_ARGS[@]} -eq 0 ] \
[ ! -f "$KEYDIR/host" ] && die "host privkey missing!" && die "usage: $0 -c|--nixos-config <config> -k|--keydir <keydir> <nixos-anywhere args>"
[ ! -f "$KEYDIR/host_initrd.pub" ] && die "host pubkey (initrd) missing!" [ ! -f "$I_KEYDIR/host.pub" ] && die "host pubkey missing!"
[ ! -f "$KEYDIR/host_initrd" ] && die "host privkey (initrd) missing!" [ ! -f "$I_KEYDIR/host" ] && die "host privkey missing!"
[ ! -f "$KEYDIR/luks-pw" ] && die "luks pw missing!" [ ! -f "$I_KEYDIR/host_initrd.pub" ] && die "host pubkey (initrd) missing!"
[ ! -f "$I_KEYDIR/host_initrd" ] && die "host privkey (initrd) missing!"
[ ! -f "$I_KEYDIR/luks-pw" ] && die "luks pw missing!"
# temp work dir # temp work dir
temp=$(mktemp -d) temp=$(mktemp -d)
@ -47,25 +49,25 @@ trap cleanup EXIT
echo "Preparing host keys.." echo "Preparing host keys.."
dir="$temp/persist/etc/ssh" dir="$temp/persist/etc/ssh"
install -d -m755 "$dir" install -d -m755 "$dir"
cp "$KEYDIR/host" "$dir/ssh_host_ed25519_key" cp "$I_KEYDIR/host" "$dir/ssh_host_ed25519_key"
cp "$KEYDIR/host.pub" "$dir/ssh_host_ed25519_key.pub" cp "$I_KEYDIR/host.pub" "$dir/ssh_host_ed25519_key.pub"
chmod 600 "$dir/ssh_host_ed25519_key" chmod 600 "$dir/ssh_host_ed25519_key"
# prepare host keys (initrd) # prepare host keys (initrd)
echo "Preparing host keys.. (initrd)" echo "Preparing host keys.. (initrd)"
dir="$temp/persist/etc/secrets/initrd" dir="$temp/persist/etc/secrets/initrd"
install -d -m755 "$dir" install -d -m755 "$dir"
cp "$KEYDIR/host" "$dir/ssh_host_ed25519_key" cp "$I_KEYDIR/host" "$dir/ssh_host_ed25519_key"
cp "$KEYDIR/host.pub" "$dir/ssh_host_ed25519_key.pub" cp "$I_KEYDIR/host.pub" "$dir/ssh_host_ed25519_key.pub"
chmod 600 "$dir/ssh_host_ed25519_key" chmod 600 "$dir/ssh_host_ed25519_key"
# nixos-anywhere # nixos-anywhere
echo "Starting install.." echo "Starting install.."
nixos-anywhere \ nixos-anywhere \
--disk-encryption-keys "/tmp/luks-pw" "$KEYDIR/luks-pw" \ --disk-encryption-keys "/tmp/luks-pw" "$I_KEYDIR/luks-pw" \
--extra-files "$temp" \ --extra-files "$temp" \
--flake .#$NAME \ --flake .#$I_CONFIG \
"${POSITIONAL_ARGS[@]}" "${I_ARGS[@]}"
echo -e "Finished install.\n" \ echo -e "Finished install.\n" \
"Make sure to delete the SSH host keys from here if you are done with them." "Make sure to delete the SSH host keys from here if you are done with them."

14
scripts/make_base_keys.sh
View File

@ -1,7 +1,7 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# fail on errors # fail on errors
set -e set -eo pipefail
die() { die() {
echo >&2 "$@" echo >&2 "$@"
@ -9,11 +9,11 @@ die() {
} }
# set up target folder # set up target folder
P="$1" TARGET="$1"
[[ -z "$P" || -d "$P" ]] && die "specify a non-existent path as a first argument" [[ -z "$TARGET" || -d "$TARGET" ]] && die "specify a non-existent path as a first argument"
mkdir "$P" mkdir "$TARGET"
pushd "$P" >/dev/null pushd "$TARGET" >/dev/null
# host keys # host keys
echo "Generating SSH host keys.." echo "Generating SSH host keys.."
@ -32,5 +32,5 @@ echo -n "$(openssl rand -base64 24)" > ./luks-pw
# we are done # we are done
popd >/dev/null popd >/dev/null
echo "Finished generating keys." \ echo -e "Finished generating keys." \
"Delete them or put them somewhere else once you're done with them." "Delete them or put them somewhere else once you're done with them."

38
scripts/make_vpn_ca.sh Executable file
View File

@ -0,0 +1,38 @@
#!/usr/bin/env bash
# fail on errors
set -euo pipefail
# operate from root of repository
SCRIPT_DIR="$(dirname "$0")"
ROOT_DIR="$(realpath "$SCRIPT_DIR/..")"
pushd "$ROOT_DIR" > /dev/null
# constants
KEY_PATH="./secrets/ca.key"
CRT_PATH="./nixos/keys/ca.crt"
# move old files
[ ! -f "$KEY_PATH" ] || mv "${KEY_PATH}" "${KEY_PATH}.old"
[ ! -f "$CRT_PATH" ] || mv "${CRT_PATH}" "${CRT_PATH}.old"
# generate ca
nebula-cert ca \
-duration 35040h0m0s \
-name minfra \
-networks 10.13.0.0/16 \
-out-crt "$CRT_PATH" \
-out-key "$KEY_PATH"
# encrypt ca key
encrypt_fail() {
echo "failed to encrypt ca key with sops!"
rm "$KEY_PATH"
rm "$CRT_PATH"
}
sops -i -e "$KEY_PATH" || encrypt_fail
# done
popd >/dev/null
echo -e "Generated new VPN CA.\n" \
"(Don't forget to regenerate node keys)"

77
scripts/make_vpn_keys.sh Executable file
View File

@ -0,0 +1,77 @@
#!/usr/bin/env bash
# fail on errors
set -eo pipefail
die() {
echo -e >&2 "$@"
exit 1
}
# read arguments
while [[ $# -gt 0 ]]; do
case $1 in
-n|--name)
I_NAME="$2"
shift # past argument
shift # past value
;;
-h|--network)
I_NETWORK="$2"
shift # past argument
shift # past value
;;
-i|--internal)
I_GROUPS="internal"
shift # past argument
;;
*)
shift # past argument
;;
esac
done
# check arguments
[ -z "$I_NAME" -o -z "$I_NETWORK" ] \
&& die "usage: $0 -n|--name <name> -h|--network <network> [-i|--internal]\n" \
"+ note: network cidr should match lighthouse.\n" \
"+ ex: for an ip of 10.13.1.1, use 10.13.1.1/16"
# operate from root of repository
SCRIPT_DIR="$(dirname "$0")"
ROOT_DIR="$(realpath "$SCRIPT_DIR/..")"
pushd "$ROOT_DIR" > /dev/null
# constants
CA_KEY_PATH="./secrets/ca.key"
CA_CRT_PATH="./nixos/keys/ca.crt"
CA_KEY_DECR_PATH="./secrets/.decrypted~ca.key"
# output
OUT_CRT_PATH="${I_NAME}.crt"
OUT_KEY_PATH="${I_NAME}.key"
# decrypt ca
echo "Decrypting CA.."
sops -d --output "$CA_KEY_DECR_PATH" "$CA_KEY_PATH"
# generate key
echo "Generating keys.."
nebula-cert sign \
-duration 17520h0m0s \
-name "$I_NAME" \
-networks "$I_NETWORK" \
-groups "$I_GROUPS" \
-ca-crt "$CA_CRT_PATH" \
-ca-key "$CA_KEY_DECR_PATH" \
-out-crt "$OUT_CRT_PATH" \
-out-key "$OUT_KEY_PATH"
# delete decrypted key
echo "Removing decrypted CA.."
rm "$CA_KEY_DECR_PATH"
# we are done
popd >/dev/null
echo -e "Generated VPN keys.\n" \
"(Delete *.key file once it's added as a secret)"

9
scripts/rekey.sh
View File

@ -1,12 +1,17 @@
#!/usr/bin/env bash #!/usr/bin/env bash
shopt -s globstar # fail on errors
set -euo pipefail
# operate from root of repository
SCRIPT_DIR="$(dirname "$0")" SCRIPT_DIR="$(dirname "$0")"
ROOT_DIR="$(realpath "$SCRIPT_DIR/..")" ROOT_DIR="$(realpath "$SCRIPT_DIR/..")"
pushd "$ROOT_DIR" > /dev/null pushd "$ROOT_DIR" > /dev/null
# allow globstar
shopt -s globstar
# rekeying
rekey_dir() { rekey_dir() {
find $1 -type f | xargs -i sops updatekeys -y {} find $1 -type f | xargs -i sops updatekeys -y {}
} }

18
secrets/ca.key Normal file
View File

@ -0,0 +1,18 @@
{
"data": "ENC[AES256_GCM,data:LbJEEB8K0cfp2W3OBBwiEYEVWApVzqDEr4E2pTVMUJmZWhZogMM3d32HqQtvudDiV0RDAv+LbsbNnCUwm7b4EIWhJI+9oqCguyblS8X9dEWdC00cz3OpugFKtQyUyVLMYPqKcaOmngffkJnVJpT0Qiwap9lD0tBE/eqc30r67n5WwLPM6FTAvOkcqcfT17uLwSVwxbJie3EqwZmMn1gBauk6dH8ZOlPtD9IJ86NR,iv:7Npy1qZuVVbt3a4I1spDSRQSR/VR0lF7NAdBvvAYsAM=,tag:74qB+CJacdfdPABpSS4NJg==,type:str]",
"sops": {
"age": [
{
"recipient": "age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IGpBdE54USBBcE10U3dM\nelNXR3AzaTF4RURlSUwzL3pLSUlxeUZ2SHBkK2d1bVk5aEJpMgpVUHF4bVI0L3dC\ncm80blpKQTg0TlJDN1pmZ1BhT0J4Q1M0cktWQXhjQ2g4Ci0tLSAxRHdOQXNES0g4\nU3h0SFliNTlzRVN5UFJjS1BwZUxSU2lPcEg2SjNoU0w0CqXKsEktdPWkZOmjyb9f\nWC0gNpnH2bi8u2WSoXXBZHUiSBY5TkDVfD2A//RlMEdkF2kDxib9BvMPGg5Ar0mP\n6HY=\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1yjqjfdpajzg8a2cj4e5ax6wcg5rq3337rm9jwsfzug2tr7yj8yfq27vteh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZ0RTQlc5c2NMcTFOb3Vw\nRTJaaFE3d0ZpcytxWHRRS1B0ZE45eXl0NDM4Ck9ScFdDMm9PWjIwcXhIUzVUL0tR\nQm0rRFAvMnM1bFZPbFVZeTRrWmhXQW8KLS0tIG9ZV0Y5d2FHdzdqMXUxN1I1RmZ2\nT1JwL0lWK2xMTFpQS2NVbnZ4NUh2Q0EK14BXrinNYVKC4f2+ZUIAdUtMgeCBWlwJ\nfMJd1qEfSWoijo8tYfw4EFxzu5B3SutIFkvod8Z+jlbbVN5AYqAyAw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-01-24T00:04:31Z",
"mac": "ENC[AES256_GCM,data:ZXO5WI4eb43SYSS8gl5252QV6CobOTkll85/h19SRfkZnwfiSVd7vINh7t1CCh+Y5gTQgRYyEOwBW2f9vqlNjNZTbKC+x+ZUvy4dF92I5DonRlRTzVvr0Mu1nk7kk7DB+EvR5c+sW57i9DF7yz9g52W7Bi767qErbbS76mawBwY=,iv:yimQlZwL1S7PQjtkTXPLWjO+6iH7sbZqtnVYryNnD7Y=,tag:QVSggpmecUckWuqYqQzpvA==,type:str]",
"version": "3.11.0"
}
}

8
secrets/eidola/default.yaml
View File

@ -1,6 +1,6 @@
root-pw: ENC[AES256_GCM,data:g/dIT5d5w+FCAbxgGRJoMISgVTySEqXoBCV/jopu9Cgm4db9zAFWzZ7kUqOr8IQpEpCXyguYClIGExt0SztbRze8YPu9NilcUmYH7QmI+8oaEanYkvwpT5jyBU/M2eG0U9pMzcGI6hl2Ew==,iv:2HmGvFkRrnwYi5gjB4Na/ZayGoCFEsM4TDoqKlzhZUg=,tag:NLuval5PJ6AnDLvPGVvm7w==,type:str] root-pw: ENC[AES256_GCM,data:g/dIT5d5w+FCAbxgGRJoMISgVTySEqXoBCV/jopu9Cgm4db9zAFWzZ7kUqOr8IQpEpCXyguYClIGExt0SztbRze8YPu9NilcUmYH7QmI+8oaEanYkvwpT5jyBU/M2eG0U9pMzcGI6hl2Ew==,iv:2HmGvFkRrnwYi5gjB4Na/ZayGoCFEsM4TDoqKlzhZUg=,tag:NLuval5PJ6AnDLvPGVvm7w==,type:str]
user-pw: ENC[AES256_GCM,data:gr+Dis3c5NWLWnfJG4eJUxwt574R3n40djeK68hukMNPx0qwGRAT5a7UQ5doxtDBgafcH1uCgqrsWwEmy9H5dS6WfLMivE5Uy213EcEk3YNUwI9d5vbdcbCcXWvPsyCu6sxS3x731EVVYA==,iv:4AHzVLoJD95d2UwwEAwxWP0G2gekHahBt4hDDA9ZSx0=,tag:03L3Ql070mt3oDV5YdrETg==,type:str] user-pw: ENC[AES256_GCM,data:gr+Dis3c5NWLWnfJG4eJUxwt574R3n40djeK68hukMNPx0qwGRAT5a7UQ5doxtDBgafcH1uCgqrsWwEmy9H5dS6WfLMivE5Uy213EcEk3YNUwI9d5vbdcbCcXWvPsyCu6sxS3x731EVVYA==,iv:4AHzVLoJD95d2UwwEAwxWP0G2gekHahBt4hDDA9ZSx0=,tag:03L3Ql070mt3oDV5YdrETg==,type:str]
nebula-key: ENC[AES256_GCM,data:kJeN4hkXIAqxszpsCznGn1ZCz/crVQL6oNVu0hKQ/Nrp6c6vSUE8zmjdhKGp26sNtSOwhz4nCXCSkUkGClfrnz+WtnI1S+nKxaXgCg1tcyGX90/NqiSsgjVUNMIFBOg/2eurJYoTLCv2bLGH2ED+BtqPky1rqYGkhllwq9Mu,iv:jgcdrQ815vyVdRRBYMa4vpRq5HQ9kK54Oi1AGXohYz0=,tag:fBysvfkA77pN4zcnYgeGLA==,type:str] nebula-key: ENC[AES256_GCM,data:ult/inutRoz/MBJxlUlPqdiDn41OUvByDaedSPiPIM0ZIq5NbuBdBmf2dHArj0qDWQAMZLgr/ZBNwPs1eVScuqUVHtqlnhZGqji8G1c0psX/zS19rpLR8SZzorcyLPgiCuEQ8K7rhQlgkt7oSKM8LGD1QxO0a5Z9BnN9avVg,iv:LuLH1PWLYps5CIGjBjcuKT//b0SXrOrQPOr5RiWUXf4=,tag:3179IgcCs29jvu/b0tza+w==,type:str]
terra-key: ENC[AES256_GCM,data:pQRlvltiRr83ndfSjX/I8n1WekS9jY2K1QyLTTcYn14TRupRVgvX47rsus1QA9QAbpT/9f0ZYld3aCrR5J0rxg==,iv:mkiu/+uLKOHG9gDjv72T7JGz6/3oaimDawAOqGs3Koo=,tag:c9Ubj3i5rDj5vaLBRpAUkQ==,type:str] terra-key: ENC[AES256_GCM,data:pQRlvltiRr83ndfSjX/I8n1WekS9jY2K1QyLTTcYn14TRupRVgvX47rsus1QA9QAbpT/9f0ZYld3aCrR5J0rxg==,iv:mkiu/+uLKOHG9gDjv72T7JGz6/3oaimDawAOqGs3Koo=,tag:c9Ubj3i5rDj5vaLBRpAUkQ==,type:str]
wireguard-key: ENC[AES256_GCM,data:aM76YT/0gbfw87x3ThrwFMuf9DxC0IJ5aCeEFDtL+JWPGsZk3XtrN+kxW6w=,iv:ssh+sGPxMU55ubNZlWcWh+3fXvhjhJ6cNJhPZJVXEyw=,tag:2PdoFb2CyeTkV0EKfcpZiQ==,type:str] wireguard-key: ENC[AES256_GCM,data:aM76YT/0gbfw87x3ThrwFMuf9DxC0IJ5aCeEFDtL+JWPGsZk3XtrN+kxW6w=,iv:ssh+sGPxMU55ubNZlWcWh+3fXvhjhJ6cNJhPZJVXEyw=,tag:2PdoFb2CyeTkV0EKfcpZiQ==,type:str]
wireguard-psk: ENC[AES256_GCM,data:fEDfzuZVvEC8/HHbV4k0fSZHucRk3PLc/jaf/wl5Np+4OB1SiK6VnSyoW2o=,iv:2QnunJjHxt8V/DBG2KAuzwGQsJnmrspj6x01ufiJteY=,tag:teEVG+TuRg+QsY4jMg2DzQ==,type:str] wireguard-psk: ENC[AES256_GCM,data:fEDfzuZVvEC8/HHbV4k0fSZHucRk3PLc/jaf/wl5Np+4OB1SiK6VnSyoW2o=,iv:2QnunJjHxt8V/DBG2KAuzwGQsJnmrspj6x01ufiJteY=,tag:teEVG+TuRg+QsY4jMg2DzQ==,type:str]
@ -35,7 +35,7 @@ sops:
eWRoSXlMamNjTHVaenpMR3dEOXNuWDAKSmbC+fGeKYcKy0eQdWPVVMpyBVYtogur eWRoSXlMamNjTHVaenpMR3dEOXNuWDAKSmbC+fGeKYcKy0eQdWPVVMpyBVYtogur
A0fYIBLXi+HMN+/7LXFb80vSnXN3v42KGQ/tzsWJo0ed3Q16wJ4eUA== A0fYIBLXi+HMN+/7LXFb80vSnXN3v42KGQ/tzsWJo0ed3Q16wJ4eUA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-27T20:27:35Z" lastmodified: "2026-01-24T00:34:58Z"
mac: ENC[AES256_GCM,data:cM953KDX815uNvRr7LnoVhXdfLi3UY1F6yoaibCqRg7c8Ai0rBcrXyKqa7ny6u+ltH3wzlaFfIhYtrVRhFwpfL1X4jz/WKKejaxT+PRX/ow1ht8CwMGPLcEF68gVje0Cs6BqTF/WPmXRdCwladjbetF/LyFal9LCgrfrhIgIdAM=,iv:VC5cdEVb/WONMzpoTdTZB2qLnnl7leVL38v9gcckM0Q=,tag:PMYghtOP7RTV/d/Qh+f0kg==,type:str] mac: ENC[AES256_GCM,data:g/t+H+GpBRNN8NeWwRdoxVXkprkk9JWdPOE887XKfaaupenxE1jyFXs3j4g69Vyg0+FvNZoodDveks9VQJdEOhfTRe+ln4bC4rA8HeRc93pNcs1pdduowzyHIKzvMZf8x9Vc3s6U6VnOjJH7aGWkKXJKcwX3CAsG0h2o158XwX8=,iv:CV/sgtRtfbVUF1N3mEsKeIDFRVbJbT70HHi2wPdvrCo=,tag:mRy83EbR0A5SOr/LxDwedg==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.11.0

10
secrets/silver/default.yaml
View File

@ -7,7 +7,7 @@ svc-breeze-deletion_secret: ENC[AES256_GCM,data:foilGTV7493fl7f/ZnN1bO7f4YLGapXl
svc-sim-breeze-upload_key: ENC[AES256_GCM,data:qm93iBzGhqp7IuZ01uZ6PyL5bL45+W0oOeDyQRGEzZw=,iv:5F7BV5Sg6GUxIGQychaEZSeG7xDFF+JdRL83PJULWJA=,tag:W/Q8vGaPoLNnj1Wyvc9Cnw==,type:str] svc-sim-breeze-upload_key: ENC[AES256_GCM,data:qm93iBzGhqp7IuZ01uZ6PyL5bL45+W0oOeDyQRGEzZw=,iv:5F7BV5Sg6GUxIGQychaEZSeG7xDFF+JdRL83PJULWJA=,tag:W/Q8vGaPoLNnj1Wyvc9Cnw==,type:str]
svc-synapse-synapse-config: ENC[AES256_GCM,data:r8ZYi67CfftGheassCFiLOVcFUho+sNNe0XCkyQETHT6Q/w2jqO9eAVA2EDJyK4Vk3S4MP6ppcGxwocMmTYzkAjmtwf6a7GzUyh14+Lj5VTybvIKOze0wuLlsEUUYgU=,iv:HTnPaS5/ZvdJIMKiTfPffZmemp5IGTo/mIWrpafk/Fk=,tag:2HusbhzmxqsTMz5/78WCRA==,type:str] svc-synapse-synapse-config: ENC[AES256_GCM,data:r8ZYi67CfftGheassCFiLOVcFUho+sNNe0XCkyQETHT6Q/w2jqO9eAVA2EDJyK4Vk3S4MP6ppcGxwocMmTYzkAjmtwf6a7GzUyh14+Lj5VTybvIKOze0wuLlsEUUYgU=,iv:HTnPaS5/ZvdJIMKiTfPffZmemp5IGTo/mIWrpafk/Fk=,tag:2HusbhzmxqsTMz5/78WCRA==,type:str]
svc-gitea-runner-env: ENC[AES256_GCM,data:M2hV8YM03dcBcgpJqbpiW6RGlhDvkfF/ExF+J1GF+39GnOsBWwPKteM5EAUB2Wrl/zRFifgfNLLdYgSEWhJsT1cBLhI3vwE5,iv:9/nvC3sS6XcLxgeKrEg/AaFhptXCm3uvGgSUMAz4p5Y=,tag:A1MnoJP6aekXuWHhlONnkw==,type:str] svc-gitea-runner-env: ENC[AES256_GCM,data:M2hV8YM03dcBcgpJqbpiW6RGlhDvkfF/ExF+J1GF+39GnOsBWwPKteM5EAUB2Wrl/zRFifgfNLLdYgSEWhJsT1cBLhI3vwE5,iv:9/nvC3sS6XcLxgeKrEg/AaFhptXCm3uvGgSUMAz4p5Y=,tag:A1MnoJP6aekXuWHhlONnkw==,type:str]
svc-nebula-key: ENC[AES256_GCM,data:utJO5t4mq4tmAkAv9A2tcClM3nxLxMSWiz/bUoq8PkbnDxbNjzvdoqD7ehQfpZtK7lQlySXePEcUkQJw2JREfYx8cexOvTyxlwiuxmx2QikTOVO/MALuTG54j9hUSvPeLYnhFNF88vIlFrrjwl0ox/DVjmlrXJbxZWRq/six,iv:C/ZQ2U/brbfrzHXt4nrxfjKIorlUcuBXp0kk5ObuyYE=,tag:/BSjrGcGNuTVVBi89mUwkw==,type:str] svc-nebula-key: ENC[AES256_GCM,data:cxNlWEzpzUG78XnuzXXo/LX0FixPe82IzBjat9+tEhf81qnVJVpafdGDbyqL1PLx3cncjqzeV/ntiTLOaBra8WCPrgC0YJ161JNPGjdrOt1pFT4C2E2Wjv0G3qONhxSUQ8BSht4QxOu+Sy0OMu8gKiRsAwvtJMDYsMy0J5CM,iv:+5OnTzeAYBcUQIf8zU9BHizgGy07KAUujMPALr52YZw=,tag:MrDn7z6MnW/c0MM+zIgAUg==,type:str]
svc-wireguard-key: ENC[AES256_GCM,data:dmxJ07UnQAtet4RtlVXEMFLVKxOU44XQcUW7h7UPbLG9chiQeXGkZkkTihs=,iv:bEA9+DYDBLo1dgrCSrIpa1ig9JJEtXeJF5ZmtdsAO3s=,tag:tyLB5Dd9uolalSzddC608A==,type:str] svc-wireguard-key: ENC[AES256_GCM,data:dmxJ07UnQAtet4RtlVXEMFLVKxOU44XQcUW7h7UPbLG9chiQeXGkZkkTihs=,iv:bEA9+DYDBLo1dgrCSrIpa1ig9JJEtXeJF5ZmtdsAO3s=,tag:tyLB5Dd9uolalSzddC608A==,type:str]
svc-wireguard-psk-0-2: ENC[AES256_GCM,data:0sTGYa3HUe70hYJZnPy9w0iG37aRDTplmdvGdc5C8KN8Dg5XbVc2CmVS1r4=,iv:9Dnr3BYhzKKOZ7S565HY4CkhgPv1JEd3Zk7662/cd9s=,tag:Dd0BLrIjfX0F2lBan59jUg==,type:str] svc-wireguard-psk-0-2: ENC[AES256_GCM,data:0sTGYa3HUe70hYJZnPy9w0iG37aRDTplmdvGdc5C8KN8Dg5XbVc2CmVS1r4=,iv:9Dnr3BYhzKKOZ7S565HY4CkhgPv1JEd3Zk7662/cd9s=,tag:Dd0BLrIjfX0F2lBan59jUg==,type:str]
svc-wireguard-psk-1-1: ENC[AES256_GCM,data:YbxjRleUWTr1+rZyzZ+5vB9Po/V0T1mYhH+H8igjascGV/Oo4lPn1xoYqLg=,iv:+fcWdpRqR7GU5UXug+6GCX9Be5DoE944T5PIm0csgEU=,tag:3mGEL3KYjfSJ9uM+i6Wirg==,type:str] svc-wireguard-psk-1-1: ENC[AES256_GCM,data:YbxjRleUWTr1+rZyzZ+5vB9Po/V0T1mYhH+H8igjascGV/Oo4lPn1xoYqLg=,iv:+fcWdpRqR7GU5UXug+6GCX9Be5DoE944T5PIm0csgEU=,tag:3mGEL3KYjfSJ9uM+i6Wirg==,type:str]
@ -16,6 +16,8 @@ svc-wireguard-psk-1-3: ENC[AES256_GCM,data:66Yw2km4aWUAiy5Gk4diyeUV5AcLh4iJX+nJJ
svc-wireguard-psk-2-1: ENC[AES256_GCM,data:+80iLdsHE0rtM1rVb4xUfzOwpMSOqgxtuKWg4d7Kj7kDuvrCrHPX83NruNo=,iv:HDfGq2o41qTyUU3PwfUvJJcb88JIcbW3yrfqRY8lBxY=,tag:+jWwRf5vqSriCOKdOu3Qag==,type:str] svc-wireguard-psk-2-1: ENC[AES256_GCM,data:+80iLdsHE0rtM1rVb4xUfzOwpMSOqgxtuKWg4d7Kj7kDuvrCrHPX83NruNo=,iv:HDfGq2o41qTyUU3PwfUvJJcb88JIcbW3yrfqRY8lBxY=,tag:+jWwRf5vqSriCOKdOu3Qag==,type:str]
svc-wireguard-psk-3-1: ENC[AES256_GCM,data:USX+fQeT+f+ZU8R7pgIXYPBd4f+8BGrFpuJwxCLprkhhxEY2U8kz85zg8Tw=,iv:QxzQyJEIqoT7szXBgE6M2qd0MeO8Y2e4wLRY9PH0x9M=,tag:kWLwR18SVfj52xkN4tJM7g==,type:str] svc-wireguard-psk-3-1: ENC[AES256_GCM,data:USX+fQeT+f+ZU8R7pgIXYPBd4f+8BGrFpuJwxCLprkhhxEY2U8kz85zg8Tw=,iv:QxzQyJEIqoT7szXBgE6M2qd0MeO8Y2e4wLRY9PH0x9M=,tag:kWLwR18SVfj52xkN4tJM7g==,type:str]
svc-wireguard-psk-4-1: ENC[AES256_GCM,data:gQmzz0CP3b6aLLe1ucGTHmSpTP9RHDAhpnqkQci8RLdm2gQNIxfU5ASmSW8=,iv:Klq6y+81EqjQXZNDpnmPKhq8+gCtWklq09bzlKwm9Ys=,tag:H0GoCLLcVMC8FtzFx9HyPA==,type:str] svc-wireguard-psk-4-1: ENC[AES256_GCM,data:gQmzz0CP3b6aLLe1ucGTHmSpTP9RHDAhpnqkQci8RLdm2gQNIxfU5ASmSW8=,iv:Klq6y+81EqjQXZNDpnmPKhq8+gCtWklq09bzlKwm9Ys=,tag:H0GoCLLcVMC8FtzFx9HyPA==,type:str]
svc-bustaguard-ghcr-token: ENC[AES256_GCM,data:43WidupowJWU3y9QorjXM1YDXzoSD8U+HawmI6vaw8jp4la2TJebnA==,iv:4k6usM+AI8pWAfa5Mq2mku+ccXVo6F3mvupYzZrUMrg=,tag:wqX8xtUCCO9/Z0eGykT9uw==,type:str]
svc-bustaguard-config: ENC[AES256_GCM,data:8xfbUvJFXNSmB0S9EiHGnqZcSzWEO618hjd/VeUNPd6zT3Zapg01ZfVgKJd3vrH+RcLmCeLVdo6Wmat49BhuheHswa20Tn3Aq89hS0+5t3JTpentjY5T,iv:tJPOJBa0O310BixH9cOMBRlQwSyHcwnMjDktPvAQCHs=,tag:B2O6j8HG48HSk3zzUc7SLQ==,type:str]
sops: sops:
age: age:
- recipient: age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj - recipient: age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj
@ -46,7 +48,7 @@ sops:
NVREcHJGWWIvY0Z1OGt4cGN6am1RaXMKAnlb8FOJ1wO5qtcmej57s7rhWjv5wqIn NVREcHJGWWIvY0Z1OGt4cGN6am1RaXMKAnlb8FOJ1wO5qtcmej57s7rhWjv5wqIn
nCUJX0R7s0/KH3aj98bX/4hQg2ZAw1l+xViOOIfwfRnzLWeyaAnk5A== nCUJX0R7s0/KH3aj98bX/4hQg2ZAw1l+xViOOIfwfRnzLWeyaAnk5A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-31T03:40:23Z" lastmodified: "2026-01-24T00:50:27Z"
mac: ENC[AES256_GCM,data:KXxw3HwdVnQcsVhYfTvn4zxlTjmEqHHdDkKqNkY2keZ99mhQVXhHLU7P63+I5VhZy6sid4ueQ/H2+fM38+twMyDo0xLYkhkJd0pXVGgi5GiN+5JcTVf4NvR1+hEt43XEEfTLzRfeEd3resexNu1C/C9LCEZX5LK3GsOlt/xL1s0=,iv:8T0XfBS+ZSOK7gzoQpBnTu+dMis739AI8s5f48DDy1c=,tag:5lr/C1rCsPChqPsfEu7JTQ==,type:str] mac: ENC[AES256_GCM,data:NH6rNg1HYF8R9tNwSWTRy382QWnrENrJYFaSZs+UvH1XX7swljmJFqtPpMCo1TqyquzInzEPqsidwwY14HUCNuEugr9D/mN1r8Yv1pbNTE2kjoXRQJ0tlfi6DrT+xoLKnO0lgMCYVd1pdSZwQ35/4LefcvL+nVmv81AyoDYOCvw=,iv:MI1pZ2dZhrCWkJJFe8ubkt0mlqlWA7O+s2OTE+u2dDg=,tag:CSmJP9nfd1AsbZUPWGM34Q==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.11.0