flake.lock

@@ -27,6 +27,22 @@
         "type": "github"
       }
     },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
     "deploy-rs": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -128,6 +144,22 @@
         "type": "github"
       }
     },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
@@ -328,6 +360,21 @@
         "type": "github"
       }
     },
+    "nixpkgs-23_05": {
+      "locked": {
+        "lastModified": 1704290814,
+        "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-23.05",
+        "type": "indirect"
+      }
+    },
     "nixpkgs-lib": {
       "locked": {
         "lastModified": 1714640452,
@@ -340,6 +387,21 @@
         "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1705856552,
+        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
@@ -354,10 +416,37 @@
         "nixos-flake": "nixos-flake",
         "nixpkgs": "nixpkgs",
         "nixpkgs-2205": "nixpkgs-2205",
+        "simple-nixos-mailserver": "simple-nixos-mailserver",
         "triton-vmtools": "triton-vmtools",
         "unstable": "unstable"
       }
     },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat_2",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-23_05": "nixpkgs-23_05",
+        "nixpkgs-23_11": [
+          "nixpkgs"
+        ],
+        "utils": "utils_2"
+      },
+      "locked": {
+        "lastModified": 1706219574,
+        "narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "ref": "nixos-23.11",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -475,6 +564,21 @@
         "repo": "flake-utils",
         "type": "github"
       }
+    },
+    "utils_2": {
+      "locked": {
+        "lastModified": 1605370193,
+        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -38,6 +38,9 @@
     element-stickers.url = "git+https://git.pub.solar/pub-solar/maunium-stickerpicker-nix?ref=main";
     element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker";
     element-stickers.inputs.nixpkgs.follows = "nixpkgs";
+
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
+    simple-nixos-mailserver.inputs.nixpkgs-23_11.follows = "nixpkgs";
   };
 
   outputs =
@@ -123,6 +126,10 @@
               hostname = "10.7.6.2";
               sshUser = username;
             };
+            metronom = {
+              hostname = "49.13.236.167";
+              sshUser = username;
+            };
             tankstelle = {
               hostname = "80.244.242.5";
               sshUser = username;

hosts/default.nix

@@ -59,6 +59,19 @@
         ];
       };
 
+      metronom = self.nixos-flake.lib.mkLinuxSystem {
+        imports = [
+          self.inputs.agenix.nixosModules.default
+          self.nixosModules.home-manager
+          ./metronom
+          self.nixosModules.overlays
+          self.nixosModules.unlock-zfs-on-boot
+          self.nixosModules.core
+
+          self.inputs.simple-nixos-mailserver.nixosModule
+        ];
+      };
+
       tankstelle = self.nixos-flake.lib.mkLinuxSystem {
         imports = [
           self.inputs.agenix.nixosModules.default

hosts/metronom/backups.nix

@@ -0,0 +1,13 @@
+{ flake, ... }:
+{
+  age.secrets."restic-repo-droppie" = {
+    file = "${flake.self}/secrets/restic-repo-droppie.age";
+    mode = "400";
+    owner = "root";
+  };
+  age.secrets."restic-repo-storagebox" = {
+    file = "${flake.self}/secrets/restic-repo-storagebox.age";
+    mode = "400";
+    owner = "root";
+  };
+}

hosts/metronom/configuration.nix

@@ -0,0 +1,34 @@
+{
+  flake,
+  config,
+  pkgs,
+  ...
+}:
+{
+  boot.loader.systemd-boot.enable = true;
+  boot.supportedFilesystems = [ "zfs" ];
+
+  boot.kernelParams = [
+    "boot.shell_on_fail=1"
+    "ip=dhcp"
+  ];
+
+  boot.initrd.availableKernelModules = [ "igb" ];
+
+  # https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets
+  systemd.services.zfs-mount.enable = false;
+
+  # Declarative SSH private key
+  #age.secrets."metronom-root-ssh-key" = {
+  #  file = "${flake.self}/secrets/metronom-root-ssh-key.age";
+  #  path = "/root/.ssh/id_ed25519";
+  #  mode = "400";
+  #  owner = "root";
+  #};
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/metronom/default.nix

@@ -0,0 +1,13 @@
+{ flake, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./configuration.nix
+
+    ./networking.nix
+    ./mail.nix
+    ./wireguard.nix
+    #./backups.nix
+  ];
+}

hosts/metronom/hardware-configuration.nix

@@ -0,0 +1,48 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "usbhid"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "root_pool/root";
+    fsType = "zfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/2083-C68E";
+    fsType = "vfat";
+  };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/metronom/mail.nix

@@ -0,0 +1,26 @@
+{ config, flake, ... }:
+
+{
+  age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age";
+
+  mailserver = {
+    enable = true;
+    fqdn = "metronom.pub.solar";
+    domains = [ "pub.solar" ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt'
+    loginAccounts = {
+      "hensoko@pub.solar" = {
+        hashedPasswordFile = config.age.secrets.mail-hensoko.path;
+        aliases = [ "postmaster@pub.solar" ];
+      };
+    };
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    certificateScheme = "acme-nginx";
+  };
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "security@pub.solar";
+}

hosts/metronom/networking.nix

@@ -0,0 +1,19 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+{
+
+  networking.hostName = "metronom";
+  networking.domain = "pub.solar";
+  networking.hostId = "00000002";
+
+  networking.enableIPv6 = true;
+  networking.useDHCP = false;
+  networking.interfaces."enp1s0".useDHCP = true;
+
+  # TODO: ssh via wireguard only
+  services.openssh.openFirewall = true;
+}

hosts/metronom/wireguard.nix

@@ -0,0 +1,54 @@
+{
+  config,
+  pkgs,
+  flake,
+  ...
+}:
+{
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  age.secrets.wg-private-key.file = "${flake.self}/secrets/metronom-wg-private-key.age";
+
+  networking.wireguard.interfaces = {
+    wg-ssh = {
+      listenPort = 51820;
+      mtu = 1300;
+      ips = [
+        "10.7.6.3/32"
+        "fd00:fae:fae:fae:fae:3::/96"
+      ];
+      privateKeyFile = config.age.secrets.wg-private-key.path;
+      peers = flake.self.logins.admins.wireguardDevices ++ [
+        {
+          # flora-6.pub.solar
+          endpoint = "80.71.153.210:51820";
+          publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+          allowedIPs = [
+            "10.7.6.2/32"
+            "fd00:fae:fae:fae:fae:2::/96"
+          ];
+        }
+        {
+          # nachtigall.pub.solar
+          endpoint = "138.201.80.102:51820";
+          publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
+          allowedIPs = [
+            "10.7.6.1/32"
+            "fd00:fae:fae:fae:fae:1::/96"
+          ];
+        }
+      ];
+    };
+  };
+
+  #services.openssh.listenAddresses = [
+  #  {
+  #    addr = "10.7.6.3";
+  #    port = 22;
+  #  }
+  #  {
+  #    addr = "[fd00:fae:fae:fae:fae:3::]";
+  #    port = 22;
+  #  }
+  #];
+}

lib/deploy.nix

@@ -8,7 +8,7 @@
 { lib, inputs }:
 let
   # https://github.com/serokell/deploy-rs#overall-usage
-  system = "x86_64-linux";
+  system = "aarch64-linux";
   pkgs = import inputs.nixpkgs { inherit system; };
   deployPkgs = import inputs.nixpkgs {
     inherit system;

secrets/mail/hensoko.age

@@ -0,0 +1,44 @@
+age-encryption.org/v1
+-> ssh-ed25519 UE5Ceg F7J2BMCNuOUcZhcbEyXBbFHkOI4sVA0qXbRmCWYNBAE
+Na/iuNS8cxz0qEiosflBEB9TAF87sQgwBbUl0/fhmZo
+-> ssh-ed25519 uYcDNw Xd8D3eCNMcXrxlYef4kj1N4CD16b5Xs3pfA/J8RJQDk
+UoBSRBj4wS1cxnDV37JjW5kBP2XWWo7seJJsU0y0cEA
+-> ssh-rsa f5THog
+OxPFa8NRWqy2ShVfYtxqZWfJAmgkYd2xg2E8vNCPoWafo/6hBob7C+4hDiKRZPZa
+EVLw0wgTe/nlMzBLOO3FlgZ0Ceb/uA2n4nu7st6mjwYQpsmVXwZoap88B2b+GYCs
+GG4sgybkZ/BrfFgm94TIcC1lr2lMjA6C4xhC9Mphf2iEQf1wjL4N1msOC4gTAW8Q
+zaH+K+qNEbTXne5Pox9wp6FjApSx33ldqRxOSzcf7RUuL2ew/63fTywW8ZdHcUgm
+usKqBZX9vyhLdsHzZWSXwetybMfKWs1ry5kU3ekf9EmAAkSiukFxFdr7PON3l+VV
++hNFxi7RBKGC2u+ZE2Oh/MdXkKHMIVuJE1yhUJyiirH9/Mj2S6gOpSL7pjXIQdbC
+RoGoE4fHWtp14Yn5X2YQCeGYPS+y87md9qKlVTzf29u95UjVkN4V8xwquOssWp/P
+qlBJscmU3cp+U3W4Gzh1k1IwdBQ7B26rUOFEwa2/DI8VsBd/x4WmLQGiIe0VnOIB
+YCekxeLrl4AAf/XTEc/qNTaXcn3OguMMq6KzyeWMTdKsrcw7/P7j+06SbK+Co57D
+7zt/h2dDeAEz1eo7yGLu/zd2s2iyEBNxnzvSqvRpYAkcNNI7DvNfdotDYWj0kbuW
+rKfPKnXOUvf9tKsjbd1BRI563TpcoL3ebnokhBfu+v4
+-> ssh-rsa kFDS0A
+k8vywS465lFJyN/RvPMx3OUSl3UG2phrlZ0QY9BL2Gqf79tiSqMrWFCKqeZ8Djg6
+yDNC8F62IwWSQB030iWQMhQfI3FM9BFepmMpVE3zviyg1WRTNgLl9vdpjLP4FuNi
+Il5S3T49RmUgAzsPGMs0UWLhEudm9tJOU3tI3XD32tG7mYVrMcimtog8/1zasFf1
+GE3H3MyBiuawfSu0uMnQ267rxYiGF75bI8Er1nI7zIF55Lw7twHLjN+KOlSed3Vk
+VU7tNeRKfbircTrfxXo0I6SVPuX21SfBP5RWq4KrO/h4chW36OLxza2eiRvy74lY
+/MekrH3PgO0q7y+uqeSbiGAcvL1UXeZFFdItv5pKxMC95vpdsEhoywO8Rj6dd+9q
+iQjmy5RS/HC6uDzbqAl0HQSq1fZXO3UO0fQg5Rv3whpKMBHVMTU/PVimP93oAu4J
+rXnUUpqpKJqecVDYQT4XSuMDK5Iw+S+7RLxBk6hIYsg0jtywqgwD+zF1S8RHi9kK
+BEX5mR3NC/B+LdHAzphYQkHuY6UOk5AcgMO5jYCLtVK4vqlvTJPVbTSgdO86rmdy
+nZXZmi0Uqgz8QEdOgIp0ego8WdqGkZF0aQwMUw11Bi+78Asx5+hy+fUncw0qZndZ
+04ayMacztVL0cEaQ1AeOf85z0MPOugcVYFvih/XkgjE
+-> piv-p256 vRzPNw AyKY9szzF5MMfOBUISqtfu4EVk3GWOQ2WSqwgn8tCE9B
+uoSrnNdzVP1WO3uZflc+Va6cT8y5AfUpm8P3njiSQzo
+-> piv-p256 zqq/iw Atu7Vk8b6dyNLZcLFtnOkAlYxOMN033PV/bv8O77LORR
+jbYx5/YXY6LwoFvOfXHHPhTiMOMLwgbENvFzFmGf6ak
+-> ssh-ed25519 YFSOsg BCuhqDI2VVkG3gk927TjEOLLOQNeURfxVbGodW/Xh2c
+lUEeZrF5FSC/e6XRxWNQq5B7oC70mKit56AIrWMTKCY
+-> ssh-ed25519 iHV63A Job9bw0T6OJpmgeizCOyNGqA9YHrcbml8sj+9kadKVw
+4+pfaDyrgXuj8DKQzMj04nk2KRfobvQ6Z+E7RDOUm24
+-> ssh-ed25519 BVsyTA 2cN+HWBYc7mSbSEziFpyuDfHs7cbVd5Vdfj7NYNJ6Uk
+8+APjCiQmu9hoqffuqdJKk09wtk0Ywa3NqeURnP+n+M
+-> ssh-ed25519 +3V2lQ h+MbnwkJqmQbk2gtkyWvU/8gqJHYIG90lUH3AMENonk
+wXsXHxzIsP9kSsi3mxmr5oujWL0Grj7y5inECZNSuIk
+--- hkrqXuu9Lldhr675cyYUX5peiFT2s5ZMjIrOi7oRIyw
+ê®è( <¾i0þøÃk$bL
+ø+ë©€¯ï¬]–†úß…ÑÇEÄ¢¦wêíÆÈ	»µ¬YÞ†é!0$šiôKÜà0DXæJdBÍÕ¦O.V×S¿‚ºd€Ä8çSƒ©¢

secrets/metronom-wg-private-key.age

@@ -0,0 +1,43 @@
+age-encryption.org/v1
+-> ssh-ed25519 UE5Ceg 1YUuuRDXFkGG2ZNYrRUro+Bx2GNGVTTCha+P9+T46DE
+gTxW/j5xNSxjSq5wze7fhNJm1SB5/YEizO65jG4Q9Tw
+-> ssh-ed25519 uYcDNw 7lGPy/ykR0Vnye8NYSBKcTRR2UzJ0lw2EXY6d/5gBjQ
+SHbqjmcN4TNzFbQb3AgHgzzm8Yhr0LHSFQHXMLyTDVM
+-> ssh-rsa f5THog
+IKJVe3MhHIFyivBHwYuf+COke576b1h0ARtu44ycuLSS71C2kteigviIwstXz97M
+GIHz9+aC0xJCa/gZ4WWZ5t5qO4XSmkIYCHPsV5UhjCEj6AAL27rP5oqXZKCTvPV6
+7bEw4dNJmVyjAGYP0h4M+HaAFwe8nlKO291lyJ3NoyZcMR+KjEFiBK22W0oEqvS6
+tvh3GgPp1iiHUvhF5uSUTxOqu30S7ogY1jtPLxQvEEJZwbXdCKZ/0BltfRGqKUWu
+DKBcKERUeEa+fSYRtxZqd0GGGOi0Xq3UKjTSmt5w58cBkrntbQeRTNYfnvvqXJJ7
+a0uRylsK2vnMjLXjlZryvL3ug+Ylpup/BuIMwzwpNEjasCqQt97v066Ho0qB0uej
+rwslyXSjwlOsvblf6UovUzQ3GIG17X9POOavsW6md7wxZFCNtioo+qb7fegKK5Tr
+W/H5GoB7g79pCbBUCMJP6MgPpMUVGH+5jDkWAQbik4lTH9ehD4Wu9V2hnyBub6fW
+CjEtrWzpwH+yHFkm7R5IjI8DWoE4CWsb8KI+GUgr2R3AjdNuXINbJy+ya+wpuMLh
+d5Q5tQbteQ2uBKJxXRrR8nNiiLqtQvRYsyF5G+BdXmAqAB0cBuH8yMmjUKju5tH9
+lSmdqUScCcVY11T6Hccath065f8Jtvwj3nJE9f2iPfo
+-> ssh-rsa kFDS0A
+RVoy79ijvAmU9XlEsbmiOOWUfenL+hITb6tXELUGjZjYIg+JPDneg7m1plUnRpBM
+sfLrTSzOLisWfct5rbXWb4QbNnD7biX0/uAPk8Jk3tmUfJsM1oLmNaRGGgo7RkFh
+J28PG0n5+eumauoS0Yf11GIgWUpC8FeVJMrNM5r4yV65EJEyyjRxFHjIGl5Jh6Rq
+bkJWpDsuFb2eb2BdZACV/M/aDYn+XGJW0oozNW91rryrQfsAHc3GzKoX2HtqNxua
+3Z348+NTS7jCKKhEwwNwibgTSz1PT2ynyaXi2N60KZ8IDc1xwtn1Ybj2/S1no64h
+P1GCjzKmwizgINoWQ8LYQ3nHxRXQjFdS4X63YUSXKcZ2TKMNydlB3IGL9N+xKflo
+w5EMqFTuHInpyOfz73WDg2LKuzlWabjn8KIlx2bYG8Etn5alSX+oQGD5zTUkDt4p
+/J3b8kLCdRSfVxwBudftXnk8CDg5gzM7LD0NOQ8/VK8lyTVE1dCCty1NUcM0o4mc
+VgdlcJn9ISZSd3UAt6BDUHEMYdxktJnlPr8Gsw1iDU44Gu2fPUY2OpmAnIz6FshR
+KkSThN08FL2EgEO99fbJ/8NiD+bml5duUNJQnjlQ8NC9w1S/4ADXpHSrJARQY0pn
+DfTvCz2CJnPqojb2vDb0knqvhPNLu1lmtrlyqMygmLg
+-> piv-p256 vRzPNw AlRMMj08FZgVJAcUdKDVtQzrrZWqOah1fq0xeLFOFYh/
+fySXnGSZYyKOX75bwaByIAqaiatXpFF4zsuE7JEH//c
+-> piv-p256 zqq/iw A7dI4n0fDq3z6OG/iuU8z4euPvx77lJJC9OlZG/RMPRc
+waoyEH8qBDeUmCugy7ZnMj6tgLx/1+slhJTAJ4uXMNQ
+-> ssh-ed25519 YFSOsg 99jNRmoZlrfV1ytKu8Pj41vBTNHED3dG99mjWnYe9Ec
+p+Q3Dik27t8LRb5Mr17EzVwxdSQIZBeO+ezJVvFqg00
+-> ssh-ed25519 iHV63A 1V4hJI/P7TkMWDbZb0NMdCSULS8XddPl6gGvc1gJ91I
+CKzsgmbASOGWYRFSyYBvY90HrmLfQNKcrTPLvf5m0es
+-> ssh-ed25519 BVsyTA tJu2Y42CtsqGMLf5VObT+nEMYHyujU2nmJQfWOTZsg8
+MGxxNMPHyRNRDVurqovUkptzqfsemX9mCLSLu0RL7b4
+-> ssh-ed25519 +3V2lQ vHPgK6xOUrH/1fqjkw2rhg10O0izPSTPX7b02v7J22A
+A/V11elKo6YNiFHYMQrWBnUTsaz21MNH9jcY78dTlmU
+--- QV+btlc1pzitb681enVVR/tT/kwE3s2sV1qB7yYJ/3Q
+Y¥DgIx,ìµ´âÙËœ!à¢ptë m•ŠÂòä"$ú•‚™€¿¦aZTÔ4'Äû`õejüÊúKøAÕ£t×
WÚS÷&){i–_íSŽ

secrets/secrets.nix

@@ -3,6 +3,7 @@ let
 
   nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";
   flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6";
+  metronom-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLX6UvvrKALKL0xsNnytLPHryzZF5evUnxAgGokf14i root@metronom";
   tankstelle-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdF6cJKPDiloWiDja1ZtqkXDdXOCHPs10HD+JMzgeU4 root@tankstelle";
 
   adminKeys = builtins.foldl' (
@@ -14,6 +15,8 @@ let
   tankstelleKeys = [ tankstelle-host ];
 
   flora6Keys = [ flora-6-host ];
+
+  metronomKeys = [ metronom-host ];
 in
 {
   # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall
@@ -22,6 +25,7 @@ in
   "nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
   "tankstelle-wg-private-key.age".publicKeys = tankstelleKeys ++ adminKeys;
   "flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys;
+  "metronom-wg-private-key.age".publicKeys = metronomKeys ++ adminKeys;
 
   "mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys;
   "mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
@@ -72,4 +76,7 @@ in
 
   "obs-portal-env.age".publicKeys = nachtigallKeys ++ adminKeys;
   "obs-portal-database-env.age".publicKeys = nachtigallKeys ++ adminKeys;
+
+  # mail
+  "mail/hensoko.age".publicKeys = metronomKeys ++ adminKeys;
 }