diff --git a/docs/deploying.md b/docs/deploying.md index 010192ac..43e748ff 100644 --- a/docs/deploying.md +++ b/docs/deploying.md @@ -2,10 +2,19 @@ We use [deploy-rs](https://github.com/serokell/deploy-rs) to deploy changes. Currently this process is not automated, so configuration changes will have to be manually deployed. -To deploy, make sure you have a [working development shell](./development-shell.md). Then, run deploy-rs with the hostname of the server you want to deploy: +To deploy, make sure you have a [working development shell](./development-shell.md). Then, run `deploy-rs` with the hostname of the server you want to deploy: +For nachtigall.pub.solar: ``` deploy '.#nachtigall' ``` -You'll need to have SSH Access to the box to be able to do this. +For flora-6.pub.solar: +``` +deploy '.#flora-6' +``` + +You'll need to have SSH Access to the boxes to be able to do this. + +### SSH access +Ensure your SSH public key is in place [here](./public-keys/admins.nix) and was deployed by someone with access. diff --git a/docs/mailman.md b/docs/mailman.md new file mode 100644 index 00000000..8ac07d59 --- /dev/null +++ b/docs/mailman.md @@ -0,0 +1,21 @@ +# Mailman on NixOS docs + +- add reverse DNS record for IP + +Manual setup done for mailman, adapted from https://nixos.wiki/wiki/Mailman: + +``` +# Add DNS records in infra repo using terraform: + +# https://git.pub.solar/pub-solar/infra-vintage/commit/db234cdb5b55758a3d74387ada0760e06e166b9d + +# Generate initial postfix_domains.db and postfix_lmtp.db databases for Postfix + +sudo -u mailman mailman aliases + +# Create a django superuser account + +sudo -u mailman-web mailman-web createsuperuser + +# Followed outlined steps in web UI +``` diff --git a/flake.lock b/flake.lock index 1eb34c26..21619ae4 100644 --- a/flake.lock +++ b/flake.lock 
@@ -122,6 +122,21 @@ "type": "github" } }, + "flake-utils_2": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -280,6 +295,7 @@ "nixos-flake": "nixos-flake", "nixpkgs": "nixpkgs", "nixpkgs-2205": "nixpkgs-2205", + "triton-vmtools": "triton-vmtools", "unstable": "unstable" } }, @@ -313,6 +329,30 @@ "type": "github" } }, + "triton-vmtools": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "dir": "vmtools", + "lastModified": 1698443513, + "narHash": "sha256-wX2JIJ3JmJn6MAurdyjwZU+FZjLCwBArMrVSeeCb/ZU=", + "ref": "main", + "rev": "0d039dcf06afb8cbddd7ac54bae4d0d185f3e88e", + "revCount": 85, + "type": "git", + "url": "https://git.pub.solar/pub-solar/infra-vintage?dir=vmtools" + }, + "original": { + "dir": "vmtools", + "ref": "main", + "type": "git", + "url": "https://git.pub.solar/pub-solar/infra-vintage?dir=vmtools" + } + }, "unstable": { "locked": { "lastModified": 1698318101, diff --git a/flake.nix b/flake.nix index 7006190e..5627cb82 100644 --- a/flake.nix +++ b/flake.nix @@ -26,6 +26,9 @@ keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main"; keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixpkgs"; + + triton-vmtools.url = "git+https://git.pub.solar/pub-solar/infra-vintage?ref=main&dir=vmtools"; + triton-vmtools.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = inputs@{ self, ... }: 
@@ -82,8 +85,15 @@ deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations { nachtigall = { + # hostname is set in hosts/nachtigall/networking.nix sshUser = username; }; + flora-6 = { + hostname = "flora-6.pub.solar"; + sshUser = username; + # Example + #sshOpts = [ "-p" "19999" ]; + }; }; }; }; diff --git a/hosts/default.nix b/hosts/default.nix index 8a2913b1..22a4f32a 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -13,6 +13,16 @@ self.nixosModules.docker ]; }; + + flora-6 = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.nixosModules.home-manager + ./flora-6 + self.nixosModules.overlays + self.nixosModules.core + ]; + }; }; }; } diff --git a/hosts/flora-6/apps/caddy.nix b/hosts/flora-6/apps/caddy.nix new file mode 100644 index 00000000..a241de2f --- /dev/null +++ b/hosts/flora-6/apps/caddy.nix @@ -0,0 +1,41 @@ +{ + config, + lib, + pkgs, + flake, + ... +}: +{ + systemd.tmpfiles.rules = [ + "d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -" + ]; + + services.caddy = { + enable = lib.mkForce true; + group = "hakkonaut"; + email = "admins@pub.solar"; + enableReload = true; + globalConfig = lib.mkForce '' + grace_period 60s + ''; + virtualHosts = { + "ci.pub.solar" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + reverse_proxy :4000 + ''; + }; + "obs-portal.pub.solar" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + reverse_proxy obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone:3000 + ''; + }; + }; + }; + networking.firewall.allowedTCPPorts = [80 443]; +} diff --git a/hosts/flora-6/apps/drone.nix b/hosts/flora-6/apps/drone.nix new file mode 100644 index 00000000..e8408e79 --- /dev/null +++ b/hosts/flora-6/apps/drone.nix 
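Review bot: In hosts/flora-6/apps/caddy.nix both virtual hosts set `logFormat` to `output discard`, so the proxy keeps no access log for ci.pub.solar, which is the Drone login and webhook endpoint. If that is a deliberate privacy choice, a comment above each `logFormat`, such as `# access logs discarded on purpose, no visitor IPs are kept`, would record it. Otherwise, keeping logs for the CI host would give incident response a request trail. The tmpfiles rule creates `/data/srv/www/os/download/` for hakkonaut, but no virtual host in this file serves that path, so a one-line comment naming what uses it would help.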
@@ -0,0 +1,116 @@ +{ + config, + lib, + pkgs, + flake, + ... +}: { + age.secrets.drone-secrets = { + file = "${flake.self}/secrets/drone-secrets.age"; + mode = "600"; + owner = "drone"; + }; + age.secrets.drone-db-secrets = { + file = "${flake.self}/secrets/drone-db-secrets.age"; + mode = "600"; + owner = "drone"; + }; + + users.users.drone = { + description = "Drone Service"; + home = "/var/lib/drone"; + useDefaultShell = true; + uid = 994; + group = "drone"; + isSystemUser = true; + }; + + users.groups.drone = {}; + + systemd.tmpfiles.rules = [ + "d '/var/lib/drone-db' 0750 drone drone - -" + ]; + + systemd.services."docker-network-drone" = let + docker = config.virtualisation.oci-containers.backend; + dockerBin = "${pkgs.${docker}}/bin/${docker}"; + in { + serviceConfig.Type = "oneshot"; + before = ["docker-drone-server.service"]; + script = '' + ${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24 + ''; + }; + + virtualisation = { + docker = { + enable = true; # sadly podman is not supported rightnow + extraOptions = '' + --data-root /data/docker + ''; + }; + + oci-containers = { + backend = "docker"; + containers."drone-db" = { + image = "postgres:14"; + autoStart = true; + user = "994"; + volumes = [ + "/var/lib/drone-db:/var/lib/postgresql/data" + ]; + extraOptions = [ + "--network=drone-net" + ]; + environmentFiles = [ + config.age.secrets.drone-db-secrets.path + ]; + }; + containers."drone-server" = { + image = "drone/drone:2"; + autoStart = true; + user = "994"; + ports = [ + "4000:80" + ]; + dependsOn = ["drone-db"]; + extraOptions = [ + "--network=drone-net" + "--pull=always" + ]; + environment = { + DRONE_GITEA_SERVER = "https://git.pub.solar"; + DRONE_SERVER_HOST = "ci.pub.solar"; + DRONE_SERVER_PROTO = "https"; + DRONE_DATABASE_DRIVER = "postgres"; + }; + environmentFiles = [ + config.age.secrets.drone-secrets.path + ]; + }; + containers."drone-docker-runner" = { + image = 
"drone/drone-runner-docker:1"; + autoStart = true; + # needs to run as root + #user = "994"; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + ]; + dependsOn = ["drone-db"]; + extraOptions = [ + "--network=drone-net" + "--pull=always" + ]; + environment = { + DRONE_RPC_HOST = "ci.pub.solar"; + DRONE_RPC_PROTO = "https"; + DRONE_RUNNER_CAPACITY = "2"; + DRONE_RUNNER_NAME = "flora-6-docker-runner"; + }; + environmentFiles = [ + config.age.secrets.drone-secrets.path + ]; + }; + }; + }; +} diff --git a/hosts/flora-6/apps/forgejo-actions-runner.nix b/hosts/flora-6/apps/forgejo-actions-runner.nix new file mode 100644 index 00000000..2f7cba4c --- /dev/null +++ b/hosts/flora-6/apps/forgejo-actions-runner.nix @@ -0,0 +1,35 @@ +{ + config, + lib, + pkgs, + flake, + ... +}: { + age.secrets.forgejo-actions-runner-token = { + file = "${flake.self}/secrets/forgejo-actions-runner-token.age"; + mode = "644"; + }; + + # forgejo actions runner + # https://forgejo.org/docs/latest/admin/actions/ + # https://docs.gitea.com/usage/actions/quickstart + services.gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances."flora-6" = { + enable = true; + name = config.networking.hostName; + url = "https://git.pub.solar"; + tokenFile = config.age.secrets.forgejo-actions-runner-token.path; + labels = [ + # provide a debian 12 bookworm base with Node.js for actions + "debian-latest:docker://node:20-bookworm" + # fake the ubuntu name, commonly used in actions examples + "ubuntu-latest:docker://node:20-bookworm" + # alpine with Node.js + "alpine-latest:docker://node:20-alpine" + # nix flakes enabled image with Node.js + "nix-flakes:docker://git.pub.solar/pub-solar/nix-flakes-node:latest" + ]; + }; + }; +} diff --git a/hosts/flora-6/configuration.nix b/hosts/flora-6/configuration.nix new file mode 100644 index 00000000..dc208455 --- /dev/null +++ b/hosts/flora-6/configuration.nix 
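Review bot: In hosts/flora-6/apps/drone.nix the `drone-server` container publishes `"4000:80"`, which binds on all interfaces. Docker installs its own iptables rules for published ports, so the port is usually reachable from outside even though caddy.nix only opens 80 and 443 in `networking.firewall.allowedTCPPorts`. Since Caddy proxies to `:4000` locally, `"127.0.0.1:4000:80"` would keep Drone reachable only through the TLS front end. The `drone-docker-runner` container runs as root with `/var/run/docker.sock` mounted, which gives every pipeline it executes root-equivalent control of the host's Docker daemon; a comment saying so, and a restriction on which repositories may use the runner, seem warranted. `docker-network-drone` declares only `before =` and no `wantedBy`/`requiredBy` in this hunk, so nothing visible here guarantees it runs before the containers need `drone-net`.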
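Review bot: In hosts/flora-6/apps/forgejo-actions-runner.nix the secret `forgejo-actions-runner-token` is decrypted with `mode = "644"`, so the runner registration token is readable by every local user on a host that also executes CI jobs. The Drone secrets in this commit use `600` with an explicit owner. `mode = "400";` should be enough if the runner module reads `tokenFile` as root (presumably via an environment file, worth confirming); otherwise set `owner` to the runner's user. The `nix-flakes-node:latest` label is a mutable tag, so the image jobs run in can change without a commit here; pinning a digest would make that change reviewable.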
@@ -0,0 +1,71 @@ +{ + config, + lib, + pkgs, + flake, + ... +}: let + psCfg = config.pub-solar; +in { + imports = [ + "${flake.inputs.unstable}/nixos/modules/services/continuous-integration/gitea-actions-runner.nix" + "${flake.inputs.unstable}/nixos/modules/services/web-servers/caddy/default.nix" + ]; + disabledModules = [ + "services/continuous-integration/gitea-actions-runner.nix" + "services/web-servers/caddy/default.nix" + ]; + + config = { + # Override nix.conf for more agressive garbage collection + nix.extraOptions = lib.mkForce '' + experimental-features = flakes nix-command + min-free = 536870912 + keep-outputs = false + keep-derivations = false + fallback = true + ''; + + # # # + # # # Triton host specific options + # # # DO NOT ALTER below this line, changes might render system unbootable + # # # + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + # Force getting the hostname from cloud-init + networking.hostName = lib.mkDefault ""; + + # List services that you want to enable: + services.cloud-init.enable = true; + services.cloud-init.ext4.enable = true; + services.cloud-init.network.enable = true; + # use the default NixOS cloud-init config, but add some SmartOS customization to it + environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = '' + datasource_list: [ SmartOS ] + + # Do not create the centos/ubuntu/debian user + users: [ ] + + # mount second disk with label ephemeral0, gets formated by cloud-init + # this will fail to get added to /etc/fstab as it's read-only, but should + # mount at boot anyway + mounts: + - [ vdb, /data, auto, "defaults,nofail" ] + ''; + + # We manage the firewall with nix, too + # altough triton can also manage firewall rules via the triton fwrule subcommand + networking.firewall.enable = true; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + 
# on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.05"; # Did you read the comment? + }; +} diff --git a/hosts/flora-6/default.nix b/hosts/flora-6/default.nix new file mode 100644 index 00000000..6511a005 --- /dev/null +++ b/hosts/flora-6/default.nix @@ -0,0 +1,15 @@ +{ ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ./configuration.nix + ./triton-vmtools.nix + + ./apps/caddy.nix + + ./apps/drone.nix + ./apps/forgejo-actions-runner.nix + ]; +} diff --git a/hosts/flora-6/hardware-configuration.nix b/hosts/flora-6/hardware-configuration.nix new file mode 100644 index 00000000..6b107689 --- /dev/null +++ b/hosts/flora-6/hardware-configuration.nix 
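Review bot: In hosts/flora-6/configuration.nix, `networking.hostName = lib.mkDefault "";` leaves the hostname empty at evaluation time, yet apps/forgejo-actions-runner.nix in this commit sets `name = config.networking.hostName;`. Unless another module not shown here sets the hostname, the runner would register with an empty name, because cloud-init only supplies the real value at boot. A literal `name = "flora-6";` in the runner instance avoids that dependency. Separately, the "DO NOT ALTER below this line" banner also covers `networking.firewall.enable` and `system.stateVersion`, which are not Triton boot settings; a closing marker after the cloud-init block would make the protected region clear.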
@@ -0,0 +1,45 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = []; + + boot.initrd.availableKernelModules = ["ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + autoResize = true; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "vfat"; + }; + + fileSystems."/data" = { + device = "/dev/disk/by-label/ephemeral0"; + fsType = "ext4"; + options = [ + "defaults" + "nofail" + ]; + }; + + swapDevices = []; + + networking.useDHCP = lib.mkDefault false; + networking.networkmanager.enable = lib.mkForce false; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/flora-6/triton-vmtools.nix b/hosts/flora-6/triton-vmtools.nix new file mode 100644 index 00000000..77c8048e --- /dev/null +++ b/hosts/flora-6/triton-vmtools.nix @@ -0,0 +1,9 @@ +{ + pkgs, + flake, + ... +}: { + environment.systemPackages = with pkgs; [ + flake.inputs.triton-vmtools.packages.${pkgs.system}.default + ]; +} diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index 8d61f8d1..114dcf6a 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix 
@@ -35,17 +35,17 @@ boot.initrd.availableKernelModules = [ "igb" ]; - # Set your time zone. - time.timeZone = "Etc/UTC"; - - environment = { - # just a couple of packages to make our lives easier - systemPackages = with pkgs; [ vim ]; - }; - # https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets systemd.services.zfs-mount.enable = false; + # Declarative SSH private key + age.secrets."nachtigall-root-ssh-key" = { + file = "${flake.self}/secrets/nachtigall-root-ssh-key.age"; + path = "/root/.ssh/id_ed25519"; + mode = "400"; + owner = "root"; + }; + # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you diff --git a/modules/default.nix b/modules/default.nix index 16ac03f7..b8a037db 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -9,7 +9,7 @@ terminal-tooling = import ./terminal-tooling.nix; users = import ./users.nix; - core = { + core = { pkgs, ... }: { imports = [ nix networking @@ -17,6 +17,19 @@ users ]; + environment = { + # Just a couple of global packages to make our lives easier + systemPackages = with pkgs; [ git vim wget ]; + }; + + # Select internationalization properties + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + time.timeZone = "Etc/UTC"; + home-manager.users.${self.username} = { home.stateVersion = "23.05"; }; diff --git a/modules/networking.nix b/modules/networking.nix index bd27877c..44cf17cd 100644 --- a/modules/networking.nix +++ b/modules/networking.nix 
@@ -1,15 +1,40 @@ { pkgs, ... }: { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "prohibit-password"; - services.openssh.settings.PasswordAuthentication = false; + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "prohibit-password"; + PasswordAuthentication = false; + # Add back openssh MACs that got removed from defaults + # for backwards compatibility + # + # NixOS default openssh MACs have changed to use "encrypt-then-mac" only. + # This breaks compatibilty with clients that do not offer these MACs. For + # compatibility reasons, we add back the old defaults. + # See: https://github.com/NixOS/nixpkgs/pull/231165 + # + # https://blog.stribik.technology/2015/01/04/secure-secure-shell.html + # https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 + Macs = [ + "hmac-sha2-512-etm@openssh.com" + "hmac-sha2-256-etm@openssh.com" + "umac-128-etm@openssh.com" + "hmac-sha2-512" + "hmac-sha2-256" + "umac-128@openssh.com" + ]; + }; + }; services.resolved = { enable = true; + # DNSSEC=false because of random SERVFAIL responses with Greenbaum DNS + # when using allow-downgrade, see https://github.com/systemd/systemd/issues/10579 extraConfig = '' DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net Domains=~. DNSOverTLS=yes + DNSSEC=false ''; }; } diff --git a/modules/users.nix b/modules/users.nix index 0b9a08c8..5f8b43cb 100644 --- a/modules/users.nix +++ b/modules/users.nix 
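Review bot: The new `Macs` list in modules/networking.nix re-enables the non-EtM MACs (`hmac-sha2-512`, `hmac-sha2-256`, `umac-128@openssh.com`) on every host that imports the core module. Listing the `-etm` variants first does not enforce them, because SSH negotiates the first MAC in the client's preference list that the server also accepts. The comment should name the client that still needs the old MACs and say when the fallback can be dropped, for example `# TODO: remove non-etm MACs once <client> supports etm`. `DNSSEC=false` likewise turns off local validation on all hosts, so resolution integrity then rests on DNS-over-TLS to the listed resolvers. The comment gives the reason, but applying the setting only on the host that sees the SERVFAILs would be narrower.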
@@ -25,12 +25,6 @@ users.groups.hakkonaut = {}; users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32"; - age.secrets."nachtigall-root-ssh-key" = { - file = "${flake.self}/secrets/nachtigall-root-ssh-key.age"; - path = "/root/.ssh/id_ed25519"; - mode = "400"; - owner = "root"; - }; security.sudo.wheelNeedsPassword = false; } diff --git a/overlays/default.nix b/overlays/default.nix index 7bfa77b7..97c9bc70 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -9,6 +9,7 @@ nixpkgs.overlays = [ (final: prev: { mastodon = inputs.mastodon-fork.legacyPackages.${prev.system}.mastodon; + forgejo-actions-runner = inputs.unstable.legacyPackages.${prev.system}.forgejo-actions-runner; }) ]; }); diff --git a/secrets/drone-db-secrets.age b/secrets/drone-db-secrets.age new file mode 100644 index 00000000..9496198c --- /dev/null +++ b/secrets/drone-db-secrets.age 
@@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 Y0ZZaw FLHjNYq0CIlbPUKpJgrw4Dka33LIBW9p2E93v8RGdl8 +aw0LoWNfjAx1nXK9+SwFMLRxpd/KZL5Y0XJQqIZG0+E +-> ssh-ed25519 uYcDNw dbVXX0Nj5fq5nr/7yaC3ZQnPIk5MQAQpT5RJmz2IMCM +t9ci+WVCroHprSfoud7LKuaTjk5NeiS/Mp2LqhcOrdI +-> ssh-rsa kFDS0A +RZaFU9rClM9C7SUyYx4e1dZmntzPxoB60gJU2XUXFwkAp54dXL8fxs2cHcRxUQMo +HpzCCMiPo2QowUe9O4VQFlOPraub+aTc/nkMmy/spKM50DeVHlK11aoGkJ2j8uj9 +FPAzdI47DFpLWN6ncndtKHvYeV2ip2qv9oOgbl84aQ5DqeACb5BHtGS0edWa8YwM +8B6GX9ZpDGB6oW17Ko4IIjeBRnwmY+66mzl6cqhYsGWK2vOYBDLmx4JmGH2LqHL7 ++8kQBaq+hNkRlpgLZC7RIrnaW41yMmRZbyr6hPIXaLnlYp6+7+A8krnZKTJXPgBf +Cpv4SSd+igSSjUGUSrnOM2LqOAOcqBAmnIDAyIsVMPnjOkCFxyEj1ynfiSwM1qb0 +QqTi0TZRHZsfpiGcvHVoBCWBFQ8d391MFQAiija0iW6QR/eRiGC4mcSA/6vP6X9G +p7BNJoP+mt0pYpVXCA85Rv5K+0JKR2VqlluHl4V2rnwqCGGelG9oYz2D1pQz7Obs +vVgjJaWxzzLGrCCDwk6LjuXv5UMobwlTw7YEGad7AnKPjtrhLuWm1Xs8STZ5oMJp +BhYLDuTUtLFvYciITEEWK/46IBI4m8iJmKpHOMXjWhSuBGKj9q9ifwxeLOmkZgt/ +AojO4dtmmfzVNLGIIoUdFYjbp/Kr92p78y8jBIIkcMs +-> ssh-ed25519 YFSOsg TvpVdCtlBkpCBOPgiy8wKZo/0JxzQFDFRh16SXsdm1Q +SSHyUUNu2S1Sq7c89DZAlx43zoab32mUenqgitqEfXw +-> ssh-ed25519 iHV63A YjDcxJ0Jt1Ifc22kDk5qiPNv333ZVdHizPdc3e0QgGQ +nqXiCnVH9x7xAlEhIlqD2ThvglFLaHyd5yMzun7m7Xk +-> ssh-ed25519 BVsyTA eZZW8nsBoPJEDgH0tJNKMHyQgyOD5gpuf/gAGfaycj8 +Ss82nrDGaf/ZB4hq9bVYwmTdh7Z1zl10w8bpr5cN3Dg +-> %o-grease g0_~ |]P[H&% }+ +XEDXb/UfDFfY/NGfgrttIHoE0Q/0S2xvBwpy0p1SJb4h1/xOb/E/3uIWT7OlQQgO +8Q +--- 0DdGRYR7j5NAQX63wD6e4LxW3xHTTiBekFtxYFCcK10 +U2J3fKxsx;1.S ^d3+r{Y1&' اۮ)_4/u\TeF tRss%\s| \ No newline at end of file diff --git a/secrets/drone-secrets.age b/secrets/drone-secrets.age new file mode 100644 index 00000000..be23c359 Binary files /dev/null and b/secrets/drone-secrets.age differ diff --git a/secrets/forgejo-actions-runner-token.age b/secrets/forgejo-actions-runner-token.age new file mode 100644 index 00000000..a3c00ef1 --- /dev/null +++ b/secrets/forgejo-actions-runner-token.age 
@@ -0,0 +1,29 @@ +age-encryption.org/v1 +-> ssh-ed25519 Y0ZZaw DpFuuPR7C+Kge5mFO+yDjHgY/3dTiolNAGcxNGnsGwc +S2NQAjZPFfCNGzniArPAJVLKCmSz7Ii2xO7REsNOnr4 +-> ssh-ed25519 uYcDNw 6NlxLCxVu+/tX5FFMLTEoKLx7Ug78TvKufBw/fpLeF4 +3GK+lFy+zxF08TW8ZWZ/cDBq5AFTTOLikvy0HNjgNWA +-> ssh-rsa kFDS0A +RLH5jnzacTt4265aOntkuTGMGVpjJhGZhbdPjmiyBMBLOwUZnzY7vSwjyU29XTyS +/7goXuNAMvY00fDMG5FXyeAD7QaVHNa/tAw3Bmtu9rfFUZX4ftJeXQg2QTq4Ulrw +n3IKd62Ew3iMeI1h9H2JdXlse5tlkCkWdZQD+s7rCMeJDEe0m8r7bFPMdXjJMO3f +T3UzjeNFJYsIEPKDCpC6zaA4aRlaVSdoPLIIooB4A//A4aG4ywzvN27JODK2nTB4 +ttjbHK5HGzNLmeJP9wS79bOX/Fg2QUl0bGoOdCiWqFtYkdPzxjstuRd+7OT9E5BM +5h4gqZjxs/k4NZawlIfLeUe5biWkThEqaruzkmgfjY7kch0chqNnpDghOBkUL1VF +KnECE98nmy9huoeDtCUL0yag3yi/Kx7MMaZaNCTJFYpjA3sadvg6nco//e6nA6Pm +vcPcUz8xiZI2Wzx0fPVwVMOozKjf4yEqjERRjo7haGF6vYtxV/zSf5tzxiQsEOGv +/G67BnT6Az46eh3K2EYVRRBTb5sni3ObsO5V/K9ms/MM9eI4qEBRqKag8jRoXVmF +BZKjLwGOU8tOZbupj1Z3JKULqP3FiDLXh+NxM4KE5TjE71eAt8teEytvWYdlwKtO +YjWNheyxxqklTYgzkNQfj8Ks6LujyMdpFtm8toFMVgk +-> ssh-ed25519 YFSOsg GE4K+tP7cjKpq+bxf01vCttDnZAzqtIfwzJ+Zw4D4UI +KG5CNA+FsmC+PhjpifvqRiOWUFHaKQe9QLXydlTFjCw +-> ssh-ed25519 iHV63A +WzV34WwVL+tamwELQY9fuHlBLvzOeTiFjK+LK9d1Rw +KAP3JhagG72qUSWzodRhr/jzFiDaN4GkIuLf+9VuJrE +-> ssh-ed25519 BVsyTA BnkoBmSm2zSm8QtCcN0iFzP5iliTDct36iruHE6FbF0 +9J13BMVSlLRjfZw9i4nSj0ccsY4P+xEvYl/MYUgYZPw +-> S!:G3-grease 0 *v3U# : mPvcuGUl +L3/27eEyArXmM1arietTmN3cao01kBkBXBZXsN1HtnTC8sMXVhq+WVD3QozgDd2k +ws04Y08VFgbfM2ErCsRfKz8T +--- ekItTZTtoj93NT1Xe7zky72aG+rzhAcD/cqNxGAnPHg +ɽlX5),Zٕ+z + xm\c59e\"xm\@K<|,B17FJXlk \ No newline at end of file diff --git a/secrets/forgejo-database-password.age b/secrets/forgejo-database-password.age index 54f6e4f1..8624eb01 100644 --- a/secrets/forgejo-database-password.age +++ b/secrets/forgejo-database-password.age 
@@ -1,27 +1,27 @@ age-encryption.org/v1 --> ssh-ed25519 iDKjwg RIy4MC1iLzjOVc1ENd8Hic3b6yVsey1jGKKfpH5QznI -jCdBc7BcfAa0/BxN40P9neRJcRyz/mbXCHkQZ98MjqI --> ssh-ed25519 uYcDNw bmxhArWdUbbC2zCb1FQmtz5UXBKM9nYdGnmRQNVjsiY -IUsRWcBZf2HJpibhqaqBUGTaOTL865Y2ZR2ZM8Ocmr0 +-> ssh-ed25519 iDKjwg IFEv1dHKgnrQp6jjxwv6cmEeFRDLEGrnVaJkQ58ZaiU +OzmsmKDfl0h5O0gtPeV0B/O6rySog0PVok5H6544mJA +-> ssh-ed25519 uYcDNw M6IIbbZ07S6k8Gn1ZdMoQjjRZ2veA5aavAofofH4mWA +Zg3luviCp3PRNajja/DDxWmJm3bUEtNzm2MG6WFMwas -> ssh-rsa kFDS0A -XuCHi1ekeI+EG3JpNpze/XZWImIFHd4itCzjxApHINBdUqRA7yqVq1k557GcXU3S -dSW4Li2yQaGTDfWYbks5gyOxHjJ75mQ+McnzROdMuMTNYYpTs5CDmGUKDs7Fp86l -/YLfoo/hYd7/sKObJLSC/STEk/ObAxDNIe2eEK+esbAlBC0Lym9mi/vtuY8WzWAY -dsPvGk6497ap5lcZiLiJRChqumYSoTryKAMAvfiTtytcNCFh7hWnw5DFKcA/vlkx -cGDrM99itWtEO01oWA6SAVL6JfpWyjpQZqEKt3f3U0xsJbLUXEEiH+kUWpros6Nk -PJKVR2mcW3DiBKpR2QJDIkXJ5tUWzDn9Dgw54NniF2D91xs3MzQuvScrfb+/XR6H -Xc9BiytdOP/WW3PnvAu2jfMzXJlmlUJTQTWYRZs5tp8daKFN7MP3cIMwx/r+qc+o -JbqFxOewnNO0hEwfwYPCFnMEam8rmRmU8GI1RiBAGpQbBv02ihX4U5eWuLXrpmHK -0VOgkesWsAOHpV+tRJ3cxA8t/pjIWmN0nccRz+qz/1Ec6O5circBneVBgJow/MKh -M0f0b+HPr+ld0z4FA7rDESGhgQHEsyU9UUWU8U++Mdh64c/mRMCnYokoemve0w1G -9cJjR0rcknDgo+KQutinh3pTqbvYrtfP4iuzWBd8LV8 --> ssh-ed25519 YFSOsg m6r2ew7bjrpbA0QMs7O5MhSm0UpKCWHEJTlwm384MxI -a/mnaNz14aFuZCtcq46ANVydKRJw0e61N5e+kGGkuYQ --> ssh-ed25519 iHV63A MQu2VYkY/Cs5bhYe95wpdlpLfe/lHwhk60WA9EgN3wc -gbZyVF9l0W8+BO59ddsZ7c+VgzdPkNbq9U9oG0Kjebo --> ssh-ed25519 BVsyTA XWMWR2qUI1KFhcZxGgxuWOq+DLrTwHvEpI7xee/GD3I -jVckHGgjXWlz0kvad6EDZ1vDrXGjBM2dxT5qJswX2Kc --> W},tK-grease -4P6Gr7nsS9raE/XVkCkDawtWkS7a3o7r7tXe9w ---- de3b3x+RtRpsIBf3Sh72AydLgEHUcGeRvoDE0rPFZ2o -Z8pMAʨ$[󥟏<tIOrqoce,;MK_3-Ӎߘ\RQ&GᒷR} \ No newline at end of file +Qt9Q+RTtl07p6O9RjpGeM/AcK9MregnLFxd2VCOJfE4RtLD/euEA3+u0Ad/SNHtF +UdtELgQeWQn1RRSTycmfo2FOu80do408uNjk9HueA+bxuVB/W3hLmCADsfNt4AcA +h9ioCA7zrCfei5UhbThUgpU79n++IWv+fPZQ1XUndTpRDrLFBCmZIYvupYezPYYL +/QxpCQVZWmPe5LK7Cs/hsVp8SII0wk6pT+Gh3ZR2lqTanhcVA1pBkhcMjZLCW+m0 
+gE6P0LOP72DoTH/Wq5krpjUkmTkAaQnedxMbRqUmqQ4E9XWprplzqe11ijItWD9c +k3Eqc9Rw3uBhDe6u7Uk0zfD+q5MX2tjCSZVrU8yf3YDIM0ZXgcLYZycwlVF165ob +Si7nk+0q3Y7cfizKTIr04KAxiM0S+z6vv0zAVulQwU8tzt4whovh+A5w0X0NqsfM +VKySv2EZ7T0HnDHtCN9aB6BRs+8BIipfMcb76obHWa1z5xDYmawebtztvwt4hw0o +V7VdC9SoVDwq3nFMLQD3+5jhbqfGtRFhSGLzbh9SbNg8Uyrtdq7vucmcLfXZVIJd +qJgtlxSYyhRgc3W4C5VU0imEw6OI9pU+wtKdxy0dkEwwDTtwbLm705ecGEZZncgK +FJoN9Ekmeys+XVvRQDg5mB6dLURYfAmpA1m4Z5n6o/U +-> ssh-ed25519 YFSOsg 3GMmeCYAYaauIAfmYa03QvngaHWoCplNNTQiriiacGo +PFnOJAATB5pW9uiMnZUG/aEpVowHOzfq8RYmOUkFHGI +-> ssh-ed25519 iHV63A 1lR+ZHsXw2sJqCHcbdYPR77w0k+LU9PEFT+bR4J+wzc +7p0YQW0xNUme7oOLsKPomx86i5mVexoFnsol75hI7Ro +-> ssh-ed25519 BVsyTA Y9X469NMDgT/KRWQKxg7+TUXW08jQ1ACXYpvWCPYBlM +hUojIB1Wk2yki2cgWMO+CUF4hAEmIwdgNeiXPjsYdmM +-> _w:{-grease Gg:\L| ~7 op[S^L: +qL+WeYvxxEUUSX2b1xSa +--- HDOAUEyo2WtEf2roCfMkEKNx48ZX08b0Tj1BMUbOJDM +mͧ{pYW{HGp[oL ~15 |#%NWD5'ws=Dlndoa۽ZC}ׂ_ő|:Q \ No newline at end of file diff --git a/secrets/forgejo-mailer-password.age b/secrets/forgejo-mailer-password.age index fd4a5c16..f93ee026 100644 --- a/secrets/forgejo-mailer-password.age +++ b/secrets/forgejo-mailer-password.age 
@@ -1,27 +1,28 @@ age-encryption.org/v1 --> ssh-ed25519 iDKjwg qOInns0pyNkaFNGoodX1QrRCSRDL5ncmJWSyDxCo7Rc -8mJO69rBO8IaVRYG94hidY6MU7UEn+ENejdHOkzn7h8 --> ssh-ed25519 uYcDNw FdZ8Z50hcHrRVuBC7HPnVPNdnJgyudepe/smnTkcmzg -ELojSvwv3K6YVLXEAmjoQxt5szvs68oRZ9fZ+QcaVEU +-> ssh-ed25519 iDKjwg YnMyPihQVexMn+Fo3GFLVdDdovAEGSlhcHtJKYsk2T8 +nGU7ENvUew6N4gzZAfSEqM5el6M4abC4fR535KZsjyY +-> ssh-ed25519 uYcDNw lPE7/R9GhYEinW9LNJ1c8N9oiTmIFesCML6fbom4NQc +cxwc9AdLwqOtBmb7853LQ8uxWovT9FvpqvOYKS1zbVc -> ssh-rsa kFDS0A -cbDwTYbZf9SZJ4SmjdBD7hSWMZWi87KUbAHTS2snWi1wjf0m5KngbdlWVcTOgwE5 -Gnn1m9cZKx6z7s/AUsPRRQizoYsUY91osPmc7lNVZ8mjJ6ztLhX1JhAy3PobmxDi -BI3WsZtMpL+JihSE1DfJ05dkY/tWYZu/yXDmaig/E54YsuyXeATikm/IzxbSXDDT -crSOE2YVS0+GjhEfJft6ckw9YdbzqjoXwdutrzQWdivvXU17xH11cM3xC579OUNF -c+EobYRjCfzsk27vFGxieV+0mAmJSM5V5mBQ9VBaqDiZ43gI5enCIVJIkK36f4P3 -lt9PQ9UmWJ8RPQis+Aaq5Ld5y8aVho16BQjCqDzsRoFTalVNYa5ElrB2nuJPYQIw -DV9Hj3R2wG4IZSIEq5WnLtk7Gda2x4VlfdlMhGXixPJ0xjYKWg8Sj0qlmCAVqqEc -QyWpVFEu1ogk8Gw2jQK6TvrxUT94UAyEBwqBbumqaB3JfsnDaxbFlLG1wWr10nXh -axplDvM7tuU5RvjPGSwUezkryfn8SjEod+04rQRLhe9JMD5C33JBI1p5JNi2ZAB/ -SyujIVCh+DRzq9IjMYCgCYmYp5P7pJlk+GZCeeMSbvf2d45mX1P2D6PrCm8uSL8m -Fw7mOliDyBGPizpQ2lOJaL1q4A5KGjAaRVuRJSaNlBg --> ssh-ed25519 YFSOsg c3VN03glwExVKBi83ftg6jNZ2Yzx4PGmRiQOpgQl9AI -sKrGt7U5XwNkyydwmXBxPvHwKloY6V/mn+5ipq2GYZo --> ssh-ed25519 iHV63A mH5q5q6ZPlddNsil1NjVLcT2gIxh+PlhA6JT9HBD/VE -O9OxtyCtIhNMFMUPCyPL4ycT75t/g1nvli6XXVifXGo --> ssh-ed25519 BVsyTA iPdUjSRVamrCzUJVhpzMyUhyxHisRofkKswvCb/qUCo -Z5UOndKbp5GPIzxB4xsNlGqC30dnMx557n07NkS3aOk --> fqFqA!-grease >^roC?oN -kKQNtgmcdmj4h1fFB4Fse21BfLrq73SdIZ/cyD1qxBR8VUtIPReLpiYJSm30Eg ---- mUQvto08o1xaSIbSE+zi9IPCIuZZF5G9xlwKUApylMY -6MU܈GWR"*#BwK`Ȍtsoga3r_T9 \ No newline at end of file +cX8p4DJIRP378pFp9Tk4di4VBTdIQ281PhD8lBF+mOrsdxEphlFJ0dpDdlRNYN2U +C/ku2yYVDdQjpwV2i16J99swGNR7Ui3g7BewySk2VeA2Zp1iVHYrxUcLHTU4FkTy +rO654ndMR9nMOF/eMw8q40fdvDR0Dgtz26uqKHqabpHQrmvtRZ+O///4PSLyTpUq 
+C0Rej1q9hsq38t1SwjYyyR4jZKi2eqUzNI8ZPriDJFwbOf+bKmFx2yxjN/DwjtTZ +P2iajSqXj7bTxarWUOlTEbq8CMEpCTk5GU4G6YVJdFRSyw+KOmCbQccH45gsAsn9 +DDhhDC1nc2WRFEBbSCQdzmdEYLQa/vsmdL9Uk2CENAmqJ4s7YeaOltYxIQuIIlhW +hDRW3MJnjaA3Z5FUyGGEF9G9/puWk+flFqaxdmPImR2MlclMokGFWQrb0LfBTKBN +OHyLa78pCrskgK7xvRN92jepoO3iiBx1cHDgBzNIkEKt+xSissSexRlTwmc0QOom +x9wEqBoMLy/CczRQisHRfRvVvbiu9S9ptn7jKfUExMmF5kZ3zMGnhwIKFARKyeRU +xrJ5xJXOc2jWtK8HyhOObj4JgZYwCgC5yZg0f/0tTwhmD2Rg7l/Z14Qc8z4uSr7a +ZI44yVR6NrnwvxCZc2VMRpS4BKYWZdor29A2I3Mf6es +-> ssh-ed25519 YFSOsg y7SH3xV54A8jRPDALbUgkI/kfG+7Dim9bQ3RoE9dElQ +upTzhcltID98iwyIvAV43TNkn1JiPPTZKYQDXs5nVrU +-> ssh-ed25519 iHV63A OvowvvUTzN/ZZMYciY8PL4jNTsFxvdqo0HZGhrKvpQE +6+vZnlXisJLgHsT973Mv5TW0CNaH7+95u2OLHcNRMTs +-> ssh-ed25519 BVsyTA AXiFtvrUa0SZJIDO128oZ/1EzuQCf/MTXSS8+JXRbBE +L1aePz98wwpswYTwyIi+qlMG5PKaC8YTQ+yBNURV0o0 +-> C-grease Xr"nY_F? L*?+,=6 >>* +btUoGPkIUxNHjEV0cngeRklh2GEiS3m1v9wMkX8CH2gDeFF2M6TTroCpsqRG191/ +oUAA7nf95TEVqPIENOEh2w+U+Q0AMxUvGdps+w +--- q922LPdFDFgQBvP6ZX4Zr8+bc2Rb2z3Ru45K/bPN6yw +ErG5 ssh-ed25519 iDKjwg MIpZgS2K0KZ6NXSvHKaUs5IOwMK8C+THuH+OXGKgpk4 -rwBSIPZ6pHczmeEuNsPgTJIdzE7yHBglYHGbOSd772I --> ssh-ed25519 uYcDNw EY2Zk/jYWxYBPY/g6IH7aSIFvMuOwSplkmaeRC1aNSU -YCSThBBXbmozEZmUDgjA8xuFG9D2lGENZcWvCnRQk+c +-> ssh-ed25519 iDKjwg AEmgV4RMWvoL7IS0h33S86bBpCy1jxuo4Ey8SUakEzs +N3eK1K1BE2hLGF5qwQH4XVZN7y0s4pikYoxeltP1w4s +-> ssh-ed25519 uYcDNw eZrJo1AE7zcNjOn3YceDtRkumV0rwPOR5bk5s5SF+m0 +n9+J1xLDD6carZMRg05BDmaQG/78O8P8QVscKRHy6+I -> ssh-rsa kFDS0A -Z8Xs3hFGUElQdNlxlcnJIA8814TZJYqga/SUXjxG/uvdzv9uExEiNp8FJ5emnT0u -zAaFv5aYiBa1b7aYEVdk30wjmWPT7leOPTFF5qAUdiPHxII+jHtx+eCnum72po42 -SR03IjznH9fKaKiT0VNXDIVZnkP2SaAKhIj57XSUeE/weiU5apBmTMPzMQAkz7KR -sm7uFYYv8zY7LFC0ByPnFkYi6O+mc9LzunlGQVMAQe/fmoEfzI2dmrGhcG2iUbM5 -6Oegjh5B4iKc/fktouHhh3Wc/K63DM9C0A9mkqtqrQJPfV+FseQoQbFwvInXY4u6 -HMT4oymagXt5ifcc1WzyTde+Dz6OIOowpIXXJ0PjQ+KOn0PTG7+OfU/h1Hh/ozg4 -G+finffzeffxdXSjITi+lmoWUFaZAwiico2IjH8cqDWnl8XGNfukZbsNsI6CukY2 
-aqffAZiu7MR1+kcMUjjG4OF1S4bRNYkqQej7GUdDmHn+dkJEuiN3ggXt+TW/mYPb -xPvPGOqDxwdOiyViZFBvZ+0ZAij8rnMdToNsY7x68B7C+Ew+cVomiIIkT1ghzmTu -T/ymvlqFlXIS3PFdUPQYd/+Ttw22n72yVxHH+61Ze/aQlt0nKdViEn4D03k3uNVg -K8VYuDwXIFdFIga5Hsw/ozp6tKZdxSzJsQJvAm0JFVk --> ssh-ed25519 YFSOsg M0H0AhDNYpa8nD2nrDyFJOsm/SpfJ7YJXYyKZMIyxl4 -YiocldCbP7HwuRi3AWfnFkqpWhuIuAwjjTzV2utwmn8 --> ssh-ed25519 iHV63A xhkCLcpQhqQxWacnI1M1652hNc/MaeCXL3e5fPGhXHo -0G5lFUE/gGHIz5giRjQPVWAIrHQ8LvxPpfVSBM3GEBM --> ssh-ed25519 BVsyTA aAdMnpKatd4CTcFhtqSj+fiA0ofy+zhbnuN5nk5/umA -LuidYMCiM7IvA/M7k7pMqo5HJmNNmHrzl6kcud+ZS74 --> 0d%YFa-grease |F -fhLc8y67dmyhWtiOEKrZThfm4sTsNP8 ---- /qZszkP7mR5whTTbCQ6JKKh2Ce+aySjeDX3HdDZag1g -~an@ܩ>x$sk)[JHFEhd^3A5_QpLNR*[]GXY\atU+\9bN6B\Wĉ.?N'Hf jcTAWAOM X݅"v \ No newline at end of file +b3klbHjUczTIudayv7wKpiK0IVPUjphuV451U5pEyRXKElJxcAKLae3h4eY30v0N +sCEu32zw7aBdlQRsJrubOdn2RY7ogDsUirM31xEHx/UcDsFFgm806usYAoZ2dpT9 +XELWPs/ZbPuoHf7aJnDXLTtL0KziichCJx5RwpqmKWTDliIcoGLyNVauOU4jq8rK +QuwKadE09U+HvxcTuyVog6lFRGqx+Ak2qRLyPnxDSAkiazj3gqop+G2IWD5Q9nQX +0GFAsoWVdBG/ghEl4A5ruSC/dVgXM7wGkgD8Fim7LgNm0HowmEyLPLYI8PAVp5Vq +z1/uScM/a/2zeZaY7C9JmRHCDb5weiOliSBHLQSKPiF55bgBQKRBsN2WsxYMArr6 +1YhpfIhs3eDiiTRALtyLOQrUS4xm5634ijEJ2gTzpr6XzmGJM9PPOdgbgyj2QtqG +3AaSjknieubNWcfa2/nA0dRnvjjvvG8xfMJOOkX545jkyK7BVAC3/EE88XXuRMZL +u2AkObphlClkW8zzF/2dTFofcjh7Ydvv3ggQBEnsuZO6LWsciuvWR3GA6uUvEAaQ +EbTFsLdIVxzUo4BtQ3Yk6789MPF6CZ+k3UAvFWHq+842lzPp/SzBWctkXTzixsVW +RNqqSHo9a/PEJ5FsdeUoCpov2DzQXRNtK+ia88+IDqc +-> ssh-ed25519 YFSOsg +eCKRumOVPPd3GEt1IoGq2We7jMXxfKgD2KM4iyMMj0 +5QOorpolodGux3vMT1XoCqK/0S22kpBUztPmtOF0fzo +-> ssh-ed25519 iHV63A /iWGqn9ON5KWrOiiWw1r693J90gFmkW1mdgq2aF2HUI +iFzt9DBS5KsmtIjDdiIcS30ysUM2X12NdHuTbD5zvok +-> ssh-ed25519 BVsyTA xcKWN2iiYPQ2pCRML9DYYyyeXgoJ90cupU8gVyRtGxw +gfLMdWnj42h3iv+zGP7uFRxZFqRmO4npNNMk6WGaQc0 +-> #6ut)P5-grease qB$ $ t5c +JEVAGQ7XDVC6hig+ +--- 0yiMTzXw2ijpPVSdSyqxIpu3wM85mYT8cVxDBhn1egw +>S効DF"UݗC!-4XOǫ $UK !wy| Jk-tYzF ssh-ed25519 iDKjwg 
hUHxNz0ZfR/cgTXIfrOobhUPxcFo8zyxD3idF/bpP3E -H6aIW7YO27ONIIcnmViIWaXiByJMmPFo6E8jsH1Xq2Q --> ssh-ed25519 uYcDNw +D81Yz9zAmCEeIUIxLirpd/OVnWmHQnALp3GWyxUshc -reldI2bJQ2Jq3JxHZ7wWnm6I1pTISQ9G+jjupCrhQ0Q +-> ssh-ed25519 iDKjwg ycwObMB/N2ylOd0U58mHULNc7FBfI6D6+DjafoQG9BQ +DXYakb6Bevbr+ZO2uNWFOJYcXe4QohqyrNhW6oS7GLI +-> ssh-ed25519 uYcDNw PH5y1lhGq6Wh0+bKIyJhWLDKfQQEtQX56k10CzZW5UY +sOvcq5Va4kOBLHTNJ8mQxaxgQWxSWM7VZ8PLTLD+2jA -> ssh-rsa kFDS0A -BYla6U3WqibQOXQFIQrs0d37pmGNvVulP0p18jjTXfA61vth/icCTu3V5VAHz5ST -A8o2gHhQfGXpFm9GMPMVe+OKHnD4Ws4cWowW8/GLMg2XgqPBdvownVwl6hspjmwr -Mxrw1PQL63fiYmCiB49UFaQV0OIxyo3mo7kmF9KKRfdTQ1kF/vjiZuw3Tiz8ubDk -DoaK0g062iI1/GPeGH3blaZj6cFstT9UjoPbdOU9WLkDMUc0d73ih1u6a3VmIY/B -tToYCJuwcjAUvX9Y3Xolx9vKpg8dVD48T1GlPADZCyajY2fEPbJdS29jP7NwQsZ2 -8sgmFkNzUq3Okjbz4lem/g4nlXQN++wdRIYgTLUfJWKOx5+bxSneRvvP6p4HyKZJ -O0OzJTg2ZUTqcpHvxj6DBTbg0e2KW44AkjMLIBwGxdfz3ogrfM2au0bA4SizXCsA -XL03eRmVbzgrBKNUUi6UbQ7iKp+OjWbM6jyZuNEwfepbedLqwDeTXHfm2gZBxUyM -JTk7iTERU5908VhlbNZY5rjXShkPzB9L5jgV23I9CwFlzYSC3mvPS7HMtWcgo8e4 -EBBH5QptHOvaZtDtDqYia8tzKG1KUg75fP4PzKB7+DjGv1phvTyzJDd51qAVrdJH -PheURbBliQOQaqNnTdYfpBC4tdHAMYEp85Y8uMMihYc --> ssh-ed25519 YFSOsg SJDEy0M+3X5SmXsr9C3CDbpWfyhnmu8IUIzNOshE830 -g7jSKtpI+jUO5OC7vd6TJWOTWsIk/x9yL4RKL1lAv5g --> ssh-ed25519 iHV63A tSREgTvnNiKMGWldq/Pp2EVWBmcs18j3zFDwtoBrQiM -kT4SzAuXqbdQSgmxbAy3BogMbh5tOPI3fuGWWQMK7fk --> ssh-ed25519 BVsyTA k4rwyukpUYOGvtG9bm2dpw51P2udNnFSSldm8eCJP0E -C4Cm0eFg0KeXNf/BGX+vXIeAbsdYmN/97gj5snvRSzs --> `rk-grease -Y6ohmk9v8XByEpy/oqM1aXpmeFS2ynIRyGiHfMMez4ONC54ZGOCmr1xUwEGxv7BG -SOltfLTf/rk/0ibNlvMoTqbUUhT1A/CBzSUH1tBy1w ---- DB1jba9WqtcKIEXV24rL0XmFmv1U23dEYaOYd1w9B4E -{.hP;v' ֍mFftʒn -4Z !E+B Lr"ȿCT''wɶj>bf;˕T˩ru;j&b14;&ң81_"o8]_  kbVAGy8Y|g \ No newline at end of file +fI5w3V5O4EHlG7bZGuiNyUPZ4nbl3ZqZjPttUkOMYGjw84Rcxu2Rqg2i53OEG9wC +mrxUdu744kMSxbP5iwLbnPGIhMbtY/HmggdaFI5JzPUrEE37GkUAFtaXCBjYoBFv +7UyhgYgwfvsZXL0TiEOA6k0FikfkfPKLheXZcvIRRRXz7QDufzit5M+XieLwYbxS 
+uiJYgc7ibuHQolTO6EFJf4+irdlXIWjWXg5M8mnEzDAY11PLYe+2CxguetrJyEmV +5MQNYNEfGkAa8/IfYe0LtnOiUNr8WcHDHQGoRqrKiN7yxjJZaMR6KCMC4khkhGL9 +e8Q9WphxHxA7Rg4TidyzQNd6dOkIWhcDUYd05rm7CldUr+E81dhB3ojYUUfuQN6O +26+wraYVb8SWS4l45gJhtNhIDRJ+gBufdQafPFtxZTjlq36y9qqhJ4LKA2/mD/Yj +tVrjAKJHbwQiulAmBiQPloDU3jGsbFlh70zWvUeFRmKEHQUU46GK1RdvuT29QkaD +WleEEp5BK8nuc+Zauf7xEqLRK4uoZncYGiw4tZxzhneYEBPbkK99b31c680NVB9R +gNYlIutc1ApzOlt9eIUnF/K5CudoDsfk90gIcZjpAZ9rCZ6O2z083PJ1YzpFejdc +hH/u3v21m5zCqGygFUkWs8w8DmhZbmOCjKbIzM8hZ8s +-> ssh-ed25519 YFSOsg LWTJhISwOh1w8Ll3MzCTiQcP+sUbcrwyCIbvTYPoIGE +gcxCieyITgqnCvRAomzKq+um5lTusjxEt8CPNxkXcDI +-> ssh-ed25519 iHV63A yHjOEwLCaPQu/abuyy8mH9W5wmuNrtoSps4yddnljHc +Xazda+HQS2mIk3BTP9ZhgpaQQe9BhcLX7VQpCMATjwo +-> ssh-ed25519 BVsyTA lOR29G60mxkWt2tvKaRBUTohXr0byt7WOnEHQajBwy4 +bq0RS0rjmOp/3jm/vJ7/pln+XU5RrpD7wPIRg0pJtME +-> 29Tg,l-grease d{) e6z s +CqQnPxWIn/038/5/a0duF854yEgjZwNDuKrJwW/V7AkJJ5boEAUZJvwRkQ8giKHT +db/YoP41cx8Vpqib/pv6Aa4fb+ovwoamkAhFp/NnD1KNJwtl8wTR9WRTFI0A +--- US3xOlecmIleG6Ye/LjcV8CSvsVK4oh8+SXoeK1qUZk +KAWj_i㝖ے(?J@e{cžo-Sܥqy0D3 G)>6 92n/9ryĤYK2uoNg-:gKy !x]fUiM!}RzE$MvѠ x( \ No newline at end of file diff --git a/secrets/mastodon-smtp-password.age b/secrets/mastodon-smtp-password.age index 90ca4a0b..a1671554 100644 Binary files a/secrets/mastodon-smtp-password.age and b/secrets/mastodon-smtp-password.age differ diff --git a/secrets/mastodon-vapid-private-key.age b/secrets/mastodon-vapid-private-key.age index 64d25411..921e4163 100644 Binary files a/secrets/mastodon-vapid-private-key.age and b/secrets/mastodon-vapid-private-key.age differ diff --git a/secrets/mastodon-vapid-public-key.age b/secrets/mastodon-vapid-public-key.age index d2321eb9..50f1b9e1 100644 Binary files a/secrets/mastodon-vapid-public-key.age and b/secrets/mastodon-vapid-public-key.age differ 
diff --git a/secrets/matrix-mautrix-telegram-env-file.age b/secrets/matrix-mautrix-telegram-env-file.age index 2497dfdf..f52fc7c6 100644 Binary files a/secrets/matrix-mautrix-telegram-env-file.age and b/secrets/matrix-mautrix-telegram-env-file.age differ diff --git a/secrets/matrix-synapse-secret-config.yaml.age b/secrets/matrix-synapse-secret-config.yaml.age index eb1dc12a..276c7b57 100644 Binary files a/secrets/matrix-synapse-secret-config.yaml.age and b/secrets/matrix-synapse-secret-config.yaml.age differ diff --git a/secrets/matrix-synapse-signing-key.age b/secrets/matrix-synapse-signing-key.age index 51eab61c..f64be4aa 100644 Binary files a/secrets/matrix-synapse-signing-key.age and b/secrets/matrix-synapse-signing-key.age differ diff --git a/secrets/nachtigall-root-ssh-key.age b/secrets/nachtigall-root-ssh-key.age index 359a86f7..d1514e6f 100644 Binary files a/secrets/nachtigall-root-ssh-key.age and b/secrets/nachtigall-root-ssh-key.age differ diff --git a/secrets/nextcloud-admin-pass.age b/secrets/nextcloud-admin-pass.age index 30d16298..66deda80 100644 --- a/secrets/nextcloud-admin-pass.age +++ b/secrets/nextcloud-admin-pass.age 
@@ -1,27 +1,27 @@ age-encryption.org/v1 --> ssh-ed25519 iDKjwg 1a8hvqTn2un3yxJkdltenSSfEhKMHxXAKlfSnD9vCWo -xOzDWr87QMnE9UgnNimz/C+5aKhspG38RQDhhRqg/EE --> ssh-ed25519 uYcDNw Grc5lFL8+r+Evi3bDl5sCidZMZzLU1K8qiZ+Mhqc8gc -mu0L16Ar7H6ZGsSMGw9W9AwS+JusygM8fM6LMtMsCo4 +-> ssh-ed25519 iDKjwg bydjKoMlcmku7EeLcXflr3Jtjttr3DHhxGz3EwFS810 +RULNHIfG1ueMpePeFe88QKElCRI4Co0ZuoqvViFxecs +-> ssh-ed25519 uYcDNw vOSLnWbhNa9jo/95PrtI+XrS0Pj7CdhIZ3TWJSbQEGk +AmIGuPhrQVDJcAx9T6mg/RwRu/DIeeGjmzlnnXAa1mk -> ssh-rsa kFDS0A -nJnBVo6ArUYVRYUDRAPfBdxPPjCaOqM8fi+7LNLtThnyDzRm31Fgq/07Xy7ual2O -0k10QbXZv3nnhjW+qimfOK9qDpnub0bULBAMKxAGrapb8KdTqpMgMhK7tuySHH+P -L8VTLt5woBz+hkla6P0o1s7pcPCmmQ6vITpGDUEGwFS/orYZdGbAe7+sPanagBx7 -3xh8JRh1VszNa7pRhkRLM9wwLtDCGETT1+5iwdxR18IijvJRbVKkONX6UYkCzy0t -8UmVlfO7m7FN7sdvX+59+70nxhxeECuwZh52TZHaio2NyNvIioFquFZ3SfiLzdd8 -hpUGH1/fPTHvlCTtvI95lXbB370Ta6vpR4uOvAiHz1Oc6aAhbl6QPcZuUr6pFHK0 -5zxlOgc0+3nN9Iv41KbNfoyJYrEVVuMCizdbeyFGTJe+kKjdKbBblJSla0hUGINB -ZsKhzLG5jmCXDo/WC3vVImBN2R+0AWvqoL2jME+jrOmbAcqYToJrv886cEkxdaxs -O3DeXLO2hIGpVMVsrsMyHrF7cBPQ0lahM1tlIzdlzbMeDjM6HO/WYa2fz8XGwXu8 -puBTtRyg0DL/06s9Hr9WqzE1WiEPVl2jhze8jsIzshcN1yCoV/dKnmOVBPj6rBxd -dl5XfpO1d6AOtHx1RquWa2BQWp3nkWvYMgTRaPbpK44 --> ssh-ed25519 YFSOsg eqXDfDhoOgy4g7nb1X1mfT20kfPkixWs9QqpaaDwCyg -+4aFNWh+b1BeKUqPGU79R9EkbFDp/YMSBYMMunV2YrI --> ssh-ed25519 iHV63A F0kH/Uq+wX9F+RDZwTQW4MF8hSo+nwOSTH4vOQF53nA -d20TVZfePKn9y5PWZ0XWV2Xr7N2Ma6V3eSroOiZcgXM --> ssh-ed25519 BVsyTA VvabFmOpUc+TCAFKQYFmlPokmFyqYiD0W9hELvOXv24 -QJ3LX0bqOgujAB/2T//oCctA/fv1Jc8WugVu6iM9gxE --> x\:P|P,}-grease @YO [b'lw5 *.WKU -hfTYY2Pu ---- vCfB3aNBGwwBSvtdjzAUKCzCt/z7YvufcAf/VhaZfcg -a9r_GMSs#(;a(y&|!wiG!e4xc \ No newline at end of file +fDuHqn9LdtgpO3AYo07P2i9rewpURoco22wY1SnDhEHls7MkFBqPUTO2EAXMc+OY +tZSSs1rREZyECH9DG8ngZ3E06t/Z0Uk9azr4RDaFmhzh9rb1KFCJkpLscuDDO7kJ +OiHT7MwNuRPWZxwT1srxX2T3jc8jKFlNUXsOpQrtzRqKWmeKbOJzpNHjmUlrvw3V +fBnVN0ai7vlvo1L9mbTgQpu+3/08CKvE7N7rFteNe+jYQRLC13iI3j3rHeOj+UVE 
+09rTqwijRtJbkTBxt9hrFDUSA592akYHuKAt+bklbQQlFHZ9bZScE+P+mAC1+ySB +Q/XQhTr2FOO3G+2ieEOb0RGekozOGwJB3XK0sm+rVMsfMhtU/+nfbQGydFIkTgbq +BKnAk+l94h6F3W3WmpOQTBbYVlfou3hmv2aodOYfFYpUHi8kQR0y6dFkARU//zz/ +cS8gs7w23JwGinBVSfsISkCMaM1/lnR5ZRnYtHIaU8aG5RAZhx39+vjBYHsJPKDp +DoaATj1bskIcSTzqPIu7s4B8gI9MuEid8eUAjgBeuxAJCa59k5OxbtVAVx17DGn2 +QkLd/kn0xrJOPyY81fjqS7fapq9+gvxLqdyyznPQA6WKkUJ4DumAxL5lLq70a9I/ +dzk/AC5Jtf6SxqRzX1eUJR5SGI5aSJxo3Hih3m6nuLs +-> ssh-ed25519 YFSOsg +N6SyzhtCailgt6y4C4/0mlGjuxWS0bWHakRX/Bbliw +bkQi60J0nfB/ujoYu8SiIxXp0Ff48MuNzoW0/CDd7AM +-> ssh-ed25519 iHV63A nrHBLzAxmvsxKvEKH6oqS0XIQ1K2kFmPZdOVmzKT00A +R8t/WCmvSO9SBR4gDxfNArdo55NuolHCKYRNtF5oPTs +-> ssh-ed25519 BVsyTA H0lSXGJX+7TplHCmePj3AKeHLf+6GnE4pPKc81fANG8 +ESTz1sB2HWity5dnao69KuFBa5JGeTEgkqYg8lFQICE +-> ^D4?-grease R ,*WNbA@u l$*s}U| +9LAkmaox13NiExiel18LqRT8hUryLKA +--- VuPVAYEmjv4FCkPmiFUCqdtznMOSAGslqarqFZnibuM +N>_m؝($j6PDBNa iՅraф$|t;CLx \ No newline at end of file diff --git a/secrets/nextcloud-secrets.age b/secrets/nextcloud-secrets.age index 937ccecc..6f3d10c0 100644 --- a/secrets/nextcloud-secrets.age +++ b/secrets/nextcloud-secrets.age 
@@ -1,28 +1,28 @@ age-encryption.org/v1 --> ssh-ed25519 iDKjwg GHVh1GUADEN6UVTUYntCaYfEqH+LX+gvaICkBHJ5OUY -rfoD++gVdnZ5HSlXbCOy8Pn7if6QM2WRaShpk0dCJ48 --> ssh-ed25519 uYcDNw kKeYQIaKjVDKMDBkluuxarRfv2wR9W5TKHzbu1DR2hQ -bfFYcbcQ7De5hwkCng/CIZXWLHgr/cum0+OfRs5ESvI +-> ssh-ed25519 iDKjwg Qpq2SP58ytg9NXD8eYvlgvVhaJMOQVnTxhDrydMNHjA +V6ES5O5wFL52G4Oc4dGFWkqdFMkb3DniEex3a/fljj8 +-> ssh-ed25519 uYcDNw Ll11H3DdUax5iCn6QNz4zZO7+R6ied79GEu4HEfXujs +G4TE/qDl1deBy4g50lNcKKVNvFxxj+9HpgYKVHt2km4 -> ssh-rsa kFDS0A -pAZ0JEVyYZk3U1vFH/STAuHucNECpbhDdnJR7asfMt2bgTs1dvI9ZA5XBpJs3U4a -PntBwgYebJyHhgeZ0L7q5NYE6eLVThkxnWvm5OP2NjPyTgGUxjp+NA7WNw+Fc/gA -mz//NLMmKVHuknKBVEaZn+2lBWaIXyTkD3KetqxChDcXSnKswesLa6LdHLfE97jP -gHX5Y+JVNeGOlHPn0Ds40I/aFGJJ56p3cD3nTsgoQyGpoQGVIVHO6ghRmVjhSkW4 -7ZfPluq9G0u3NbSD3YjnLrAmUzdJsLPmYme2vvu0YKJr40TG6i5m196DSDuvAtM4 -XhiClq7a2KJfmEF+epVdoXo/7GrPs/F9Bb+NV1S7bVJX7Q87gQ3bbFq2LISu8QvD -HUlx2hJh0fZXpBv6yHIqXutEL1g6XCtpkli15wrHBfEQHOxP6mB/pNeM3gCYwOLX -ZdVqpR46OzOErNDwXTniwQecuKrRB9ecTjmmRZycEZErgEcASEZgAlfu2Q8EIW30 -65byX4EWskm6qlhLxp6SfRXlVcA9XcwIg6q2E2UIoEukZQ5zJNKcFAYec7/xTXs0 -DrLyGkOO+8C0lmCDY8Escd4cge2hIbIcsnQdkfh3NQT1ZqXEXkef/XB6yMEzvysg -3Z13W4dcxwc0ylRFwm2VKcBQD9jDwCyeV4iKohFIyJk --> ssh-ed25519 YFSOsg X4DtlP1y5JXKyaYXJ/l18S7cOGIDlwk3vhrO0Vk6t3U -OXzEp3tRncra6pBvDoeiLkF4SlaHZ6E6j+UV0q1WB80 --> ssh-ed25519 iHV63A AYUNvys+v75VarEdcZ1g9r9bnW76Tfq91gWnyED7kB0 -zloI/t4Dfa4re850ldwdFEjbF1OR/5G8VBAl9n7umEs --> ssh-ed25519 BVsyTA glhHHYg1w7qntg8J3y+6zKJHBaC6PZWFQJnmiQR6axw -WiIDKiuzouGyiyANmEp25T1Dv2IRyRx+lovSpdFP/Dc --> wcj`iUv7-grease }SsQ!/4Y)V\Q\y_g+HڄHoN@wd @ <: NO X!/̬Y7_ ˂ʠѦA}^q -؃ ɐ`:/"iqjGc[>YtT:h$Oh#, R[ץF3a]{Jѷב"Ƣު \ No newline at end of file +gtXlJkXWTs2pvW6sm+FzDo+WaEh2S2ttIflw7x4Jswqaa7b/2VbnHn89NyYNG7J8 ++n/Un8IbG4wh7hVsbhKEOZA8S1BC0c8gXwLoexgF21GYmbWGUR5xdbhVIPnJmJpY +IPgp7Ai72BEv782CjAVlAORVNzr0umtfq3PUlq6NXiYiyb7MT5g6SNd5Avy5r73s +bUZWCUW6m63kDRoVNgfGhrSLHFi1AgLroIqhuuOiRWj16lTUVxh2VkLwRPERy6V8 
+jUpb9nb1uAYzMMeMSAvRM5actTJxQA+5chSXUMhp6MR8XiB+EFFRpIDkcfs8O2Hi +0QytXBo3W/NBNLG2RUgLMfq2mnI3bXXvxJZXKfmNxE6e6RVR6tSg23LlzkFtmE3c +DGuYYBz3h4yxjkkjvKJ0VJ1IhQ5wvghdKs7kM+n1wHNOPBSKom/84uyHDvPrTr/0 +7S4Wx12l7DKZtTzv3UItPmBVRSEjbBOMZpQo/13rLQ1bx9WBeVVNSqjpy68W0Dlz +tI3oWX9WIPDUB7xyCXHebkxGJ0lBrza85jnFt5zASbHXeq3pbo7rjPWt6c5oWuiJ +X/OtIXKp0sxeXEgiOoAnNn+yVPBm/9b3ote+T0MwsVVLXQ3HCsYA5mXZCfRK5OA7 +w3nqorCBnBCyE//MCo7j+A1W9HKtDKAJltwfhemhtiQ +-> ssh-ed25519 YFSOsg kTmy8aPCd4THlnO6SWyW+Ifc21Ggau4fxdiQkjyvNwA +Ck6dc8IpHhnuD6FeHJ09vsdcgaoDfYGfqI5bvYV6CKA +-> ssh-ed25519 iHV63A lHVBVGdvw1yp3huhqfGstff4UKRHp4wmbGpZPJxHjwo +eWqfE+s06UgBSK0m9/GWWvhFf6ZcsN7vsygnxeXBF7k +-> ssh-ed25519 BVsyTA vUCYL+NZu8VT8G+bkd/LknxH/7cB3HwOalTZ4Escghw +p+RZhqg6voORDwSwWZ962NOpIn6kX3cryuhbqVD7rzc +-> LzOpAF&-grease mZ4f4.74 8%Wkxw +i6KRW+yK4flm+3fDrVbHAIMNzcbqErlGKHoAZJOwYrhl0tAaZBLk7IIPQ9bas3WQ +ZbJ6fgj/YYbgRhX0jUcmNwv/5tI +--- 3bobJwE4FKDA2SnlzdzzTfMO8NU5+PvG+5of6jN0eCQ +tF]+>`]H}T7VԾ`!&]Z^#ى҉]i`Tk|bRx&^n].|Ѧ$ږh4KL0x^q_P^`Z!pcB1}МxbYv"QAN`4UXYlЍWXe.dr[S폶Ħ,Q~CWb3f )$_MkP(PdxUo99h Ka7 ;M \ No newline at end of file diff --git a/secrets/searx-environment.age b/secrets/searx-environment.age index 76db5001..ff9993a9 100644 Binary files a/secrets/searx-environment.age and b/secrets/searx-environment.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 10e2a204..fa761b0a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -7,6 +7,7 @@ let teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms"; nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall"; + flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6"; baseKeys = [ axeman-1 
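Review bot: The new `flora-6-host` recipient in the `secrets/secrets.nix` hunk carries no record of where the key was read from, yet every secret listed for flora-6 will be encrypted to whatever key is on this line. A mistyped or substituted key here either leaves flora-6 unable to decrypt its secrets or makes them readable by a different key holder, and nothing in the file lets a reviewer tell. I would add a comment above it along the lines of `# flora-6 SSH host key; fingerprint checked against the host out of band`, adjusted to how the key was actually obtained. The same gap exists on the unchanged `nachtigall-host` line, and the `let` block starts outside this hunk.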
@@ -19,6 +20,10 @@ let
 nachtigallKeys = [
 nachtigall-host
 ];
+
+ flora6Keys = [
+ flora-6-host
+ ];
 in {
 # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall
 "nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ baseKeys;
@@ -32,6 +37,7 @@ in {
 "keycloak-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
+ "forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ baseKeys;
 "forgejo-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
 "forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ baseKeys;
@@ -45,4 +51,7 @@ in {
 "searx-environment.age".publicKeys = nachtigallKeys ++ baseKeys;
 "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ baseKeys;
+
+ "drone-db-secrets.age".publicKeys = flora6Keys ++ baseKeys;
+ "drone-secrets.age".publicKeys = flora6Keys ++ baseKeys;
 }
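Review bot: `"forgejo-actions-runner-token.age"` in the `@@ -32,6 +37,7 @@` hunk is the only `flora6Keys` entry inside a run of `nachtigallKeys` entries, so its recipient set is easy to misread or to copy onto the wrong host the next time a Forgejo secret is added here. I would either move it next to the `drone-*` entries in the last hunk or mark it in place, e.g. `# flora-6 only: Forgejo Actions runner`. Scoping the three new secrets to `flora6Keys ++ baseKeys` instead of reusing `nachtigallKeys` keeps each host limited to its own secrets; the matching `.age` files are not visible in this part of the diff, so it is worth confirming they were encrypted against this recipient list. The attribute set opens before these hunks.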