From 21b6bc56fb7cc4a3ecc240bab8deeaa049f2502f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Sat, 29 Jul 2023 23:40:41 +0200 Subject: [PATCH 1/3] feat: add nougat-2 to pub.solar/infra branch --- flake.nix | 6 + hosts/nougat-2/acme.nix | 79 ++++++++++ hosts/nougat-2/caddy.nix | 181 ++++++++++++++++++++++ hosts/nougat-2/concourse.nix | 137 ++++++++++++++++ hosts/nougat-2/configuration.nix | 136 ++++++++++++++++ hosts/nougat-2/default.nix | 7 + hosts/nougat-2/ex-domain.nix | 1 + hosts/nougat-2/gitea.nix | 124 +++++++++++++++ hosts/nougat-2/hardware-configuration.nix | 64 ++++++++ hosts/nougat-2/keycloak.nix | 64 ++++++++ hosts/nougat-2/nougat-2.nix | 23 +++ hosts/nougat-2/pubsolar-domain.nix | 1 + 12 files changed, 823 insertions(+) create mode 100644 hosts/nougat-2/acme.nix create mode 100644 hosts/nougat-2/caddy.nix create mode 100644 hosts/nougat-2/concourse.nix create mode 100644 hosts/nougat-2/configuration.nix create mode 100644 hosts/nougat-2/default.nix create mode 100644 hosts/nougat-2/ex-domain.nix create mode 100644 hosts/nougat-2/gitea.nix create mode 100644 hosts/nougat-2/hardware-configuration.nix create mode 100644 hosts/nougat-2/keycloak.nix create mode 100644 hosts/nougat-2/nougat-2.nix create mode 100644 hosts/nougat-2/pubsolar-domain.nix diff --git a/flake.nix b/flake.nix index 616432b4..0fbba471 100644 --- a/flake.nix +++ b/flake.nix @@ -188,6 +188,12 @@ path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.barkeeper; }; }; + nougat-2 = { + sshUser = "yule"; + hostname = "nougat-2.b12f.io"; + fastConnect = true; + profilesOrder = ["system" "direnv"]; + }; #example = { # hostname = "example.com:22"; # sshUser = "bartender"; diff --git a/hosts/nougat-2/acme.nix b/hosts/nougat-2/acme.nix new file mode 100644 index 00000000..e75a7bf9 --- /dev/null +++ b/hosts/nougat-2/acme.nix 
@@ -0,0 +1,79 @@ +{ + config, + lib, + pkgs, + self, + ... +}: let + exDomain = (import ./ex-domain.nix) lib; + pubsolarDomain = import ./pubsolar-domain.nix; + + hostingdeProviderConf = { + dnsProvider = "hostingde"; + credentialsFile = "${pkgs.writeText "hostingde-creds" '' + HOSTINGDE_API_KEY_FILE=${config.age.secrets."hosting.de-api.key".path} + ''}"; + }; +in { + age.secrets."hosting.de-api.key" = { + file = "${self}/secrets/hosting.de-api.key"; + mode = "440"; + group = "acme"; + }; + + systemd.tmpfiles.rules = [ + "d '/data/acme' 0750 root acme - -" + ]; + + users.groups.acme = {}; + ids.uids.acme = 997; + ids.gids.acme = 997; + + containers.acme = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.101.0"; + localAddress = "192.168.106.0"; + hostAddress6 = "fc00::1"; + localAddress6 = "fc00::6"; + + bindMounts = { + "/var/lib/acme" = { + hostPath = "/data/acme"; + isReadOnly = false; + }; + + "${config.age.secrets."hosting.de-api.key".path}" = { + hostPath = "${config.age.secrets."hosting.de-api.key".path}"; + isReadOnly = true; + }; + }; + + config = { + networking.nameservers = ["1.1.1.1"]; + users.groups.acme = config.users.groups.acme; + + security.acme = { + acceptTerms = true; + defaults.email = "acme@benjaminbaedorf.eu"; + defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + defaults.group = "acme"; + + certs."b12f.io" = hostingdeProviderConf; + certs."mail.b12f.io" = hostingdeProviderConf; + certs."transmission.b12f.io" = hostingdeProviderConf; + + certs."${exDomain}" = hostingdeProviderConf; + certs."mail.${exDomain}" = hostingdeProviderConf; + + certs."${pubsolarDomain}" = hostingdeProviderConf; + certs."www.${pubsolarDomain}" = hostingdeProviderConf; + certs."auth.${pubsolarDomain}" = hostingdeProviderConf; + certs."git.${pubsolarDomain}" = hostingdeProviderConf; + certs."ci.${pubsolarDomain}" = hostingdeProviderConf; + certs."list.${pubsolarDomain}" = hostingdeProviderConf; + 
certs."obs-portal.${pubsolarDomain}" = hostingdeProviderConf; + }; + }; + }; +} diff --git a/hosts/nougat-2/caddy.nix b/hosts/nougat-2/caddy.nix new file mode 100644 index 00000000..6b36eeb5 --- /dev/null +++ b/hosts/nougat-2/caddy.nix 
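Review bot: `defaults.server` points every certificate at the Let's Encrypt staging directory, so nothing this container issues is trusted by browsers, yet caddy.nix mounts the same `/data/acme` at Caddy's production storage path (`acme-v02.api.letsencrypt.org-directory`). If staging is deliberate for bring-up, say so — `# TODO: switch to production once DNS-01 is confirmed working` — and keep the two sides in sync; otherwise drop the line, since the module defaults to the production directory. The API key handling itself looks right: mode 440 with group acme, bind-mounted read-only, and only the secret's path (not the key) ends up in the Nix store through `writeText`.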
@@ -0,0 +1,181 @@ +{ + config, + lib, + pkgs, + self, + ... +}: let + pubsolarDomain = import ./pubsolar-domain.nix; + # Machine user for CI pipelines +in { + networking.firewall.allowedTCPPorts = [80 443]; + networking.networkmanager.unmanaged = ["interface-name:ve-caddy"]; + networking.nat = { + enable = true; + + internalInterfaces = ["ve-caddy"]; + externalInterface = "enp0s31f6"; + + # Lazy IPv6 connectivity for the container + enableIPv6 = true; + }; + + systemd.tmpfiles.rules = [ + "d '/data/www' 0750 root www - -" + "d '/data/caddy' 0750 root caddy - -" + ]; + + users.groups.caddy = {}; + users.groups.www = {}; + users.users.hakkonaut.extraGroups = ["www"]; + ids.uids.www = 996; + ids.gids.www = 996; + + fileSystems."/var/lib/caddy" = { + device = "/data/caddy"; + options = ["bind"]; + }; + + fileSystems."/srv/www" = { + device = "/data/www"; + options = ["bind"]; + }; + + containers.caddy = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.101.0"; + localAddress = "192.168.103.0"; + hostAddress6 = "fc00::1"; + localAddress6 = "fc00::3"; + + forwardPorts = [ + { + containerPort = 443; + hostPort = 443; + protocol = "tcp"; + } + { + containerPort = 80; + hostPort = 80; + protocol = "tcp"; + } + ]; + + bindMounts = { + "/srv/www/" = { + hostPath = "/data/www"; + isReadOnly = false; + }; + + "/var/lib/caddy/" = { + hostPath = "/data/caddy"; + isReadOnly = false; + }; + + "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory" = { + hostPath = "/data/acme"; + isReadOnly = false; + }; + }; + + config = { + users.groups.caddy = {}; + users.groups.www = {}; + users.groups.acme = {}; + users.users.caddy.extraGroups = ["www" "acme"]; + + networking.firewall.allowedTCPPorts = [80 443]; + environment.etc."resolv.conf".text = "nameserver 1.1.1.0"; + + services.caddy = { + enable = lib.mkForce true; + + globalConfig = lib.mkForce '' + auto_https disable_certs + ''; + + virtualHosts = { + "dashboard.nougat-2.b12f.io" 
= { + extraConfig = '' + reverse_proxy :2019 + ''; + }; + "www.b12f.io" = { + extraConfig = '' + redir https://pub.solar{uri} + ''; + }; + "mail.b12f.io" = { + extraConfig = '' + redir / /realms/pub.solar/account temporary + reverse_proxy :8080 + ''; + }; + + "${pubsolarDomain}" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + # PubSolarOS images + handle /os/download/* { + root * /srv/www + file_server /os/download/* browse + } + # serve base domain pub.solar for mastodon.pub.solar + # https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/ + handle /.well-known/host-meta { + redir https://mastodon.${pubsolarDomain}{uri} + } + # pub.solar website + handle { + root * /srv/www/pub.solar + try_files {path}.html {path} + file_server + } + # minimal error handling, respond with status code and text + handle_errors { + respond "{http.error.status_code} {http.error.status_text}" + } + ''; + }; + "www.${pubsolarDomain}" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + redir https://${pubsolarDomain}{uri} + ''; + }; + "auth.${pubsolarDomain}" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + redir / /realms/${pubsolarDomain}/account temporary + reverse_proxy 192.168.104.0:8080 + ''; + }; + "git.${pubsolarDomain}" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + redir /user/login /user/oauth2/keycloak temporary + reverse_proxy 192.168.105.0:3000 + ''; + }; + "ci.${pubsolarDomain}" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + reverse_proxy 192.168.101.0:8080 + ''; + }; + }; + }; + }; + }; +} diff --git a/hosts/nougat-2/concourse.nix b/hosts/nougat-2/concourse.nix new file mode 100644 index 00000000..c14c55b4 --- /dev/null +++ b/hosts/nougat-2/concourse.nix 
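Review bot: The `dashboard.nougat-2.b12f.io` vhost does `reverse_proxy :2019`; 2019 is Caddy's default admin API port, and if that is what listens there, this publishes an unauthenticated endpoint that can replace the running config and read certificate storage to anyone on the internet. Either remove the vhost or gate it, e.g. `@ops remote_ip 192.168.101.0` plus `basicauth` in front of the proxy, and keep the admin socket bound to localhost inside the container. Separately, `nameserver 1.1.1.0` is not a Cloudflare resolver (every other container uses `1.1.1.1`), so DNS inside the Caddy container will presumably fail — this looks like a typo. Also, the NixOS ACME module writes `<name>/fullchain.pem` and `key.pem`, which is not the `<domain>.crt/.key/.json` layout Caddy keeps in its storage directory, so with `auto_https disable_certs` these certificates probably won't be picked up without explicit `tls` directives; worth confirming before relying on it.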
@@ -0,0 +1,137 @@ +{ + config, + lib, + pkgs, + self, + ... +}: let + pubsolarDomain = import ./pubsolar-domain.nix; + + getSecret = name: + lib.attrsets.setAttrByPath [name] { + file = "${self}/secrets/${name}.age"; + mode = "600"; + owner = "concourse"; + }; + + keys = [ + "concourse-session-signing-key" + "concourse-worker-key" + "concourse-tsa-host-key" + ]; + + secrets = + [ + "concourse-secrets" + "concourse-db-secrets" + ] + ++ keys; +in { + age.secrets = lib.lists.foldl (a: b: a // getSecret b) {} secrets; + + users.users.concourse = { + description = "Concourse Service"; + home = "/var/lib/concourse"; + useDefaultShell = true; + group = "concourse"; + isSystemUser = true; + }; + + users.groups.concourse = {}; + users.groups.postgres = {}; + ids.uids.concourse = 995; + ids.gids.concourse = 995; + + systemd.tmpfiles.rules = [ + "d '/data/concourse/db' 0770 root postgres - -" + ]; + + system.activationScripts.mkConcourseNet = let + docker = config.virtualisation.oci-containers.backend; + dockerBin = "${pkgs.${docker}}/bin/${docker}"; + in '' + ${dockerBin} network inspect concourse-net >/dev/null 2>&1 || ${dockerBin} network create concourse-net --subnet 172.20.0.0/24 + ''; + + containers.concourse = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.101.0"; + localAddress = "192.168.107.0"; + hostAddress6 = "fc00::1"; + localAddress6 = "fc00::7"; + + bindMounts = { + "/var/lib/postgresql/14" = { + hostPath = "/data/concourse/db"; + isReadOnly = false; + }; + + "${config.age.secrets.keycloak-database-password.path}" = { + hostPath = "${config.age.secrets.keycloak-database-password.path}"; + isReadOnly = true; + }; + }; + + config = { + networking.nameservers = ["1.1.1.1"]; + + virtualisation.oci-containers = { + containers."concourse-db" = { + image = "postgres:14"; + autoStart = true; + user = builtins.toString config.ids.uids.postgres; + volumes = [ + "/data/concourse/db:/var/lib/postgresql/data" + ]; + extraOptions = [ + 
"--network=concourse-net" + ]; + environmentFiles = [ + config.age.secrets.concourse-db-secrets.path + ]; + }; + + containers."concourse" = { + image = "concourse/concourse:7.9.1"; + autoStart = true; + user = builtins.toString config.ids.uids.concourse; + ports = [ + "8080:8080" + ]; + dependsOn = ["concourse-db"]; + extraOptions = [ + "--network=concourse-net" + ]; + volumes = [ + "${config.age.secrets.concourse-session-signing-key.path}:/keys/session_signing_key" + "${config.age.secrets.concourse-worker-key.path}:/keys/worker_key" + "${config.age.secrets.concourse-tsa-host-key.path}:/keys/tsa_host_key" + ]; + + environment = { + CONCOURSE_EXTERNAL_URL = "https://ci.${pubsolarDomain}"; + + CONCOURSE_ADD_LOCAL_USER = "crew:changeme"; + CONCOURSE_MAIN_TEAM_LOCAL_USER = "crew"; + + # instead of relying on the default "detect" + CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER = "overlay"; + CONCOURSE_X_FRAME_OPTIONS = "allow"; + CONCOURSE_CONTENT_SECURITY_POLICY = "*"; + CONCOURSE_CLUSTER_NAME = "pub.solar"; + CONCOURSE_WORKER_CONTAINERD_DNS_SERVER = "8.8.8.8"; + + CONCOURSE_SESSION_SIGNING_KEY = "/keys/session_signing_key"; + CONCOURSE_TSA_HOST_KEY = "/keys/tsa_host_key"; + CONCOURSE_TSA_AUTHORIZED_KEYS = "/keys/worker_key"; + + # For ARM-based machine, change the Concourse runtime to "houdini" + CONCOURSE_WORKER_RUNTIME = "containerd"; + }; + environmentFiles = [ + config.age.secrets.concourse-secrets.path + ]; + }; + }; +} diff --git a/hosts/nougat-2/configuration.nix b/hosts/nougat-2/configuration.nix new file mode 100644 index 00000000..22050617 --- /dev/null +++ b/hosts/nougat-2/configuration.nix 
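Review bot: `CONCOURSE_ADD_LOCAL_USER = "crew:changeme"` commits a literal admin password for the main team to the repo and to the world-readable Nix store (and `docker inspect` output); move it into the `concourse-secrets` environment file as `CONCOURSE_ADD_LOCAL_USER=crew:<generated>`, or drop local auth once the Keycloak login works. The `bindMounts` list passes only `keycloak-database-password` into the container — a secret this service has no reason to read — while the `concourse-*` secret paths the OCI containers reference are not mounted in at all, so they will not exist inside the container. `CONCOURSE_X_FRAME_OPTIONS = "allow"` and `CONCOURSE_CONTENT_SECURITY_POLICY = "*"` also switch off the clickjacking and CSP defaults; if an embed needs that, a comment naming it would help. The file is commented out in nougat-2.nix, so none of this is live yet, but it will be enabled as is.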
@@ -0,0 +1,136 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). +{ + config, + pkgs, + lib, + ... +}: let + psCfg = config.pub-solar; +in { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.kernelParams = [ + "boot.shell_on_fail=1" + "ip=135.181.179.123::135.181.179.65:255.255.255.192:nougat-2.b12f.io::off" + ]; + networking.hostName = "nougat-2"; + + # The mdadm RAID1s were created with 'mdadm --create ... --homehost=hetzner', + # but the hostname for each machine may be different, and mdadm's HOMEHOST + # setting defaults to '' (using the system hostname). + # This results mdadm considering such disks as "foreign" as opposed to + # "local", and showing them as e.g. '/dev/md/hetzner:root0' + # instead of '/dev/md/root0'. + # This is mdadm's protection against accidentally putting a RAID disk + # into the wrong machine and corrupting data by accidental sync, see + # https://bugzilla.redhat.com/show_bug.cgi?id=606481#c14 and onward. + # We do not worry about plugging disks into the wrong machine because + # we will never exchange disks between machines, so we tell mdadm to + # ignore the homehost entirely. + environment.etc."mdadm.conf".text = '' + HOMEHOST + ARRAY /dev/md/SSD metadata=1.2 name=nixos:SSD UUID=f8189c09:cb247cc7:22b79b5f:df888705 + ARRAY /dev/md/HDD metadata=1.2 name=nixos:HDD UUID=85ed8a8e:9ddc5f09:c6ef6110:c00728fa + ''; + # The RAIDs are assembled in stage1, so we need to make the config + # available there. 
+ boot.initrd.services.swraid.enable = true; + boot.initrd.services.swraid.mdadmConf = config.environment.etc."mdadm.conf".text; + + boot.initrd.network.enable = true; + boot.initrd.network.ssh = { + enable = true; + port = 22; + authorizedKeys = + if psCfg.user.publicKeys != null + then psCfg.user.publicKeys + else []; + hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"]; + }; + + # Network (Hetzner uses static IP assignments, and we don't use DHCP here) + networking.useDHCP = false; + networking.interfaces."enp0s31f6".ipv4.addresses = [ + { + address = "135.181.179.123"; + prefixLength = 26; + } + ]; + networking.defaultGateway = "135.181.179.65"; + + networking.interfaces."enp0s31f6".ipv6.addresses = [ + { + address = "2a01:4f9:3a:2170::1"; + prefixLength = 64; + } + ]; + networking.defaultGateway6 = { + address = "fe80::1"; + interface = "enp0s31f6"; + }; + + networking.nameservers = ["1.1.1.1"]; + + # Initial empty root password for easy login: + users.users.root.initialHashedPassword = ""; + users.users.root.openssh.authorizedKeys.keys = + if psCfg.user.publicKeys != null + then psCfg.user.publicKeys + else []; + + users.users.hakkonaut = { + home = "/home/hakkonaut"; + description = "CI and automation user"; + useDefaultShell = true; + group = "hakkonaut"; + isSystemUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6" + ]; + }; + + users.groups.hakkonaut = {}; + ids.uids.hakkonaut = 998; + ids.gids.hakkonaut = 998; + + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "prohibit-password"; + + pub-solar.core.disk-encryption-active = false; + pub-solar.core.lite = true; + + virtualisation = { + docker = { + enable = true; + }; + + oci-containers = { + backend = "docker"; + }; + }; + + security.sudo.extraRules = [ + { + users = ["${psCfg.user.name}"]; + commands = [ + { + command = "ALL"; + options = ["NOPASSWD"]; + } + ]; + } + ]; + 
+ # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "23.05"; # Did you read the comment? +} diff --git a/hosts/nougat-2/default.nix b/hosts/nougat-2/default.nix new file mode 100644 index 00000000..2a45f0ed --- /dev/null +++ b/hosts/nougat-2/default.nix @@ -0,0 +1,7 @@ +{suites, ...}: { + imports = + [ + ./nougat-2.nix + ] + ++ suites.nougat-2; +} diff --git a/hosts/nougat-2/ex-domain.nix b/hosts/nougat-2/ex-domain.nix new file mode 100644 index 00000000..9ceabd2b --- /dev/null +++ b/hosts/nougat-2/ex-domain.nix @@ -0,0 +1 @@ +lib: lib.concatStrings (lib.lists.reverseList ["et" ".n" "zz" "wd" "h"]) diff --git a/hosts/nougat-2/gitea.nix b/hosts/nougat-2/gitea.nix new file mode 100644 index 00000000..6ee23f32 --- /dev/null +++ b/hosts/nougat-2/gitea.nix 
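Review bot: `users.users.root.initialHashedPassword = ""` gives root an empty password; `PermitRootLogin = "prohibit-password"` closes the SSH path, but any local console (Hetzner's KVM, the rescue system, and — depending on PAM's nullok — `su` from a compromised service account) gets root without a password. The "easy login" comment reads like installer boilerplate; on a production host set a real hash or lock it with `users.users.root.initialHashedPassword = "!";` (the authorized keys still work). `security.sudo.extraRules` also grants `ALL` with `NOPASSWD` to `psCfg.user.name`; that is a defensible trade-off for a single-admin box, but deserves a one-line comment saying so. `pub-solar.core.disk-encryption-active = false` while hardware-configuration.nix declares two LUKS devices looks inconsistent — I can't see what the option controls, so please verify the intent.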
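Review bot: Reversing a list of string chunks does not keep this domain private: the evaluated name lands in plain text in the ACME units in the Nix store, and the certificates requested for it and `mail.` under it are published in Certificate Transparency logs as soon as they are issued. If the goal is to keep the name out of the public repo, put it in an agenix secret or a private flake input; if not, write it literally, since this is obfuscation that only makes the config harder to grep and review.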
@@ -0,0 +1,124 @@ +{ + config, + lib, + pkgs, + self, + ... +}: let + pubsolarDomain = import ./pubsolar-domain.nix; +in { + age.secrets.gitea-database-password = { + file = "${self}/secrets/gitea-database-password.age"; + mode = "600"; + group = "gitea"; + }; + + # age.secrets.gitea-mailer-password = { + # file = "${self}/secrets/gitea-mailer-password.age"; + # mode = "600"; + # owner = "gitea"; + # }; + + systemd.tmpfiles.rules = [ + "d '/data/gitea/db' 0770 root postgres - -" + "d '/data/gitea/gitea' 0770 root gitea - -" + ]; + + users.groups.postgres = {}; + users.groups.gitea = {}; + ids.uids.gitea = 994; + ids.gids.gitea = 994; + + containers.gitea = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.101.0"; + localAddress = "192.168.105.0"; + hostAddress6 = "fc00::1"; + localAddress6 = "fc00::5"; + + bindMounts = { + "/var/lib/postgresql/14" = { + hostPath = "/data/gitea/db"; + isReadOnly = false; + }; + + "/var/lib/gitea" = { + hostPath = "/data/gitea/gitea"; + isReadOnly = false; + }; + + "${config.age.secrets.gitea-database-password.path}" = { + hostPath = "${config.age.secrets.gitea-database-password.path}"; + isReadOnly = true; + }; + }; + + config = { + networking.nameservers = ["1.1.1.1"]; + + services.gitea = { + enable = true; + package = pkgs.forgejo; + appName = "pub.solar git server"; + database = { + type = "postgres"; + passwordFile = config.age.secrets.gitea-database-password.path; + }; + lfs.enable = true; + # mailerPasswordFile = config.age.secrets.gitea-mailer-password.path; + settings = { + server = { + DOMAIN = "git.${pubsolarDomain}"; + HTTP_ADDR = "127.0.0.1"; + HTTP_PORT = 3000; + ROOT_URL = "https://git.${pubsolarDomain}"; + }; + mailer = { + ENABLED = false; + PROTOCOL = "smtps"; + SMTP_ADDR = "mx2.greenbaum.cloud"; + SMTP_PORT = 465; + FROM = ''"pub.solar git server" ''; + USER = "admins@pub.solar"; + }; + "repository.signing" = { + SIGNING_KEY = "default"; + MERGES = "always"; + }; + openid = { + 
ENABLE_OPENID_SIGNIN = true; + ENABLE_OPENID_SIGNUP = true; + }; + # uncomment after initial deployment, first user is admin user + # required to setup SSO (oauth openid-connect, keycloak auth provider) + service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + service.ENABLE_NOTIFY_MAIL = true; + session.COOKIE_SECURE = lib.mkForce true; + }; + }; + + # See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea + # Required for gitea server side gpg signatures + # configured/setup manually in: + # /var/lib/gitea/data/home/.gitconfig + # /var/lib/gitea/data/home/.gnupg/ + # sudo su gitea + # export GNUPGHOME=/var/lib/gitea/data/home/.gnupg + # gpg --quick-gen-key 'pub.solar gitea ' ed25519 + # TODO: implement declarative GPG key generation and + # gitea gitconfig + programs.gnupg.agent = { + enable = true; + pinentryFlavor = "curses"; + }; + # Required to make gpg work without a graphical environment? + # otherwise generating a new gpg key fails with this error: + # gpg: agent_genkey failed: No pinentry + # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675 + environment.variables = { + GPG_TTY = "$(tty)"; + }; + }; + }; +} diff --git a/hosts/nougat-2/hardware-configuration.nix b/hosts/nougat-2/hardware-configuration.nix new file mode 100644 index 00000000..32aae64b --- /dev/null +++ b/hosts/nougat-2/hardware-configuration.nix 
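Review bot: `HTTP_ADDR = "127.0.0.1"` binds Forgejo to loopback inside its own network namespace, but caddy.nix proxies `git.${pubsolarDomain}` to `192.168.105.0:3000`, the container's veth address, so the proxy cannot reach it; keycloak.nix uses `http-host = "0.0.0.0"` for exactly this reason, so use `HTTP_ADDR = "192.168.105.0";` (or `0.0.0.0`, the container only has the one veth). The DB password secret is declared `mode = "600"; group = "gitea";` with no owner, so it is root-only and the group has no effect — the service user cannot read `passwordFile`; `mode = "440"` with `group = "gitea"`, as acme.nix does, is what is wanted. Lastly, the comment above `service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;` says to enable it only after the first (admin) user exists, but the line is already active, so the initial admin cannot be created through local registration; comment it out for the first deploy or document that the admin is created via the CLI.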
@@ -0,0 +1,64 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ + "dm-snapshot" + "xhci_pci" + "ahci" + "nvme" + "usbhid" + "usb_storage" + "sd_mod" + "dm-raid" + "e1000e" + ]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + boot.initrd.luks.devices."ssd" = { + device = "/dev/disk/by-id/md-uuid-f8189c09:cb247cc7:22b79b5f:df888705"; + }; + + boot.initrd.luks.devices."hdd" = { + device = "/dev/disk/by-id/md-uuid-85ed8a8e:9ddc5f09:c6ef6110:c00728fa"; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/cb88e8b9-be51-43eb-a51a-cd021c90771c"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/3F6D-065E"; + fsType = "vfat"; + }; + + fileSystems."/data" = { + device = "/dev/disk/by-uuid/824341f0-fd56-4db7-bb7e-4f161d94144b"; + fsType = "ext4"; + }; + + swapDevices = [ + {device = "/dev/disk/by-uuid/f37e9f96-0174-4cac-a0bb-b63b2a67a4ad";} + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/nougat-2/keycloak.nix b/hosts/nougat-2/keycloak.nix new file mode 100644 index 00000000..df24ac1f --- /dev/null +++ b/hosts/nougat-2/keycloak.nix 
@@ -0,0 +1,64 @@ +{ + config, + lib, + inputs, + pkgs, + self, + ... +}: let + pubsolarDomain = import ./pubsolar-domain.nix; +in { + age.secrets.keycloak-database-password = { + file = "${self}/secrets/keycloak-database-password.age"; + mode = "770"; + group = "keycloak"; + }; + + systemd.tmpfiles.rules = [ + "d '/data/keycloak/db' 0770 root postgres - -" + ]; + + users.groups.postgres = {}; + users.groups.keycloak = {}; + ids.uids.keycloak = 993; + ids.gids.keycloak = 993; + + containers.keycloak = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.101.0"; + localAddress = "192.168.104.0"; + hostAddress6 = "fc00::1"; + localAddress6 = "fc00::4"; + + bindMounts = { + "/var/lib/postgresql/14" = { + hostPath = "/data/keycloak/db"; + isReadOnly = false; + }; + + "${config.age.secrets.keycloak-database-password.path}" = { + hostPath = "${config.age.secrets.keycloak-database-password.path}"; + isReadOnly = true; + }; + }; + + config = { + networking.nameservers = ["1.1.1.1"]; + + services.keycloak = { + enable = true; + database.passwordFile = config.age.secrets.keycloak-database-password.path; + settings = { + hostname = "auth.${pubsolarDomain}"; + http-host = "0.0.0.0"; + http-port = 8080; + proxy = "edge"; + }; + themes = { + "pub.solar" = inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar; + }; + }; + }; + }; +} diff --git a/hosts/nougat-2/nougat-2.nix b/hosts/nougat-2/nougat-2.nix new file mode 100644 index 00000000..f23982e6 --- /dev/null +++ b/hosts/nougat-2/nougat-2.nix @@ -0,0 +1,23 @@ +{ + config, + pkgs, + lib, + self, + fix-atomic-container-restartsModulesPath, + ... +}: +with lib; let + psCfg = config.pub-solar; + xdg = config.home-manager.users."${psCfg.user.name}".xdg; +in { + imports = [ + ./configuration.nix + + ./acme.nix + ./caddy.nix + ./keycloak.nix + ./gitea.nix + # ./concourse.nix + # "${fix-atomic-container-restartsModulesPath}/virtualisation/nixos-containers.nix" + ]; +} 
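Review bot: `mode = "770"` on `keycloak-database-password` makes a secret file group-writable and executable; nothing here needs more than read, and the bind mount into the container is already `isReadOnly = true`, so `mode = "440";` (matching acme.nix) is sufficient and keeps the service secrets consistent — gitea.nix uses `600`, which has the opposite problem. `http-host = "0.0.0.0"` is acceptable given the container's private veth, but a comment noting that Caddy on `192.168.103.0` is the only intended client would save the next reader a trip to the firewall rules.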
diff --git a/hosts/nougat-2/pubsolar-domain.nix b/hosts/nougat-2/pubsolar-domain.nix new file mode 100644 index 00000000..86b39dee --- /dev/null +++ b/hosts/nougat-2/pubsolar-domain.nix @@ -0,0 +1 @@ +"pub.solar.b12f.io" -- 2.44.2 From fd07ef9a84041d6577471e26518988af656a7a28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Sun, 30 Jul 2023 02:14:14 +0200 Subject: [PATCH 2/3] fix: add secrets to nougat-2 --- flake.nix | 5 ++++ hosts/nougat-2/acme.nix | 8 +++--- hosts/nougat-2/default.nix | 10 +++---- hosts/nougat-2/nougat-2.nix | 6 +++++ secrets/hosting.de-api-key.age | 21 +++++++++++++++ secrets/hosting.de-api.key | 20 ++++++++++++++ secrets/keycloak-database-password.age | 37 +++++++++++++------------- secrets/secrets.nix | 1 + 8 files changed, 79 insertions(+), 29 deletions(-) create mode 100644 secrets/hosting.de-api-key.age create mode 100644 secrets/hosting.de-api.key diff --git a/flake.nix b/flake.nix index 0fbba471..d239164f 100644 --- a/flake.nix +++ b/flake.nix @@ -188,11 +188,16 @@ path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.barkeeper; }; }; + nougat-2 = { sshUser = "yule"; hostname = "nougat-2.b12f.io"; fastConnect = true; profilesOrder = ["system" "direnv"]; + profiles.direnv = { + user = "barkeeper"; + path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.barkeeper; + }; }; #example = { # hostname = "example.com:22"; diff --git a/hosts/nougat-2/acme.nix b/hosts/nougat-2/acme.nix index e75a7bf9..cf224d3e 100644 --- a/hosts/nougat-2/acme.nix +++ b/hosts/nougat-2/acme.nix @@ -15,8 +15,8 @@ ''}"; }; in { - age.secrets."hosting.de-api.key" = { - file = "${self}/secrets/hosting.de-api.key"; + age.secrets."hosting.de-api-key.age" = { + file = "${self}/secrets/hosting.de-api-key.age"; mode = "440"; group = "acme"; }; 
@@ -43,8 +43,8 @@ in { isReadOnly = false; }; - "${config.age.secrets."hosting.de-api.key".path}" = { - hostPath = "${config.age.secrets."hosting.de-api.key".path}"; + "${config.age.secrets."hosting.de-api-key.age".path}" = { + hostPath = "${config.age.secrets."hosting.de-api-key.age".path}"; isReadOnly = true; }; }; diff --git a/hosts/nougat-2/default.nix b/hosts/nougat-2/default.nix index 2a45f0ed..26e74f8a 100644 --- a/hosts/nougat-2/default.nix +++ b/hosts/nougat-2/default.nix @@ -1,7 +1,5 @@ -{suites, ...}: { - imports = - [ - ./nougat-2.nix - ] - ++ suites.nougat-2; +{...}: { + imports = [ + ./nougat-2.nix + ]; } diff --git a/hosts/nougat-2/nougat-2.nix b/hosts/nougat-2/nougat-2.nix index f23982e6..0ed911d0 100644 --- a/hosts/nougat-2/nougat-2.nix +++ b/hosts/nougat-2/nougat-2.nix @@ -3,6 +3,7 @@ pkgs, lib, self, + profiles, fix-atomic-container-restartsModulesPath, ... }: @@ -13,6 +14,11 @@ in { imports = [ ./configuration.nix + profiles.base-user + profiles.users.root # make sure to configure ssh keys + profiles.users.barkeeper + + ./acme.nix ./caddy.nix ./keycloak.nix diff --git a/secrets/hosting.de-api-key.age b/secrets/hosting.de-api-key.age new file mode 100644 index 00000000..648b725c --- /dev/null +++ b/secrets/hosting.de-api-key.age 
@@ -0,0 +1,21 @@ +age-encryption.org/v1 +-> ssh-ed25519 Y0ZZaw mpeEJ0Pmd9BR/HQ6tcY4H38pCNrel+8L6WgnPj77ByQ +UdF11WoYedaNjDwLhGplUlHYtAW9wSTLrf6BMSQGXa8 +-> ssh-ed25519 BVsyTA V8CrvHHBOPuJE6xqdQlC+dLoc5CU625aysWOk8oS6Sw +jJtQYWFVhCwwBGpQph8WNKPNLWrXiJVJj05EY0PZFzw +-> ssh-rsa kFDS0A +QXSYUXN04FSQofXobqNcPEApTKsDcUJV6eXYpS+9HffRE1PDt5JKRXWMk+3RMw0Z +fBlWPBMmS4M/letqH3PHG1gFv6MFrGaddfJbZo4FYUzMNeT+Fh5ZWM2bQO6iczd9 +WUYYKonOzgRd8Nwg3DAHxJ8zXzocHp6F+cAqnw4y1ou50erVDMEIQ+wc16R8yT3t +OEKfz2Vr8FadAsCw2JBqouwyvdM6bd/+AjnJZbFrIq/gKlgIe0KuSZK1lr08v2aL +Nbk0bykb83N22kIG7kecYuY9Tz/Jh0geotkti7MIcsLez6OQW0+IC9bDZ/Swl/Cb +oXJdrjRCZipD1PKGdxzyb+bXZHmk778kc9WHB8NRas8ICFcOS0Pu0JMjhEfU2rER +QQoYAmk1mmJGDW1DVv90VUb2RokpF6QuzgIjfJUi7R7JLPcahBvfJRa8gytC33OP +Nr733zR5NP06b3LMdjjUyiYyf0cyZG9Qxra8aN2kAlT/mHZe+v9m4piHrJ1b+j73 +pyZPNa9w5AXl942fV5DbERRpXtP1kc3bO776All8X7ARy5GaHpHmvmEE1ooDhicS +iSvEm5c/BvgTBijXqsXk/SkIoFiLrGQ4wkTjNpeTsX25ghZc1W5gHrcDY7QtdDLz +RotNg5klu2XZR5mB7hFPUoXwGhwYc5l1mf05/2tEkVs +-> E>o)tKn-grease T9%P;\g +y6At0SwlBQ5jKI7Rj9ceRCqW3gH+b+7K0rLp0w +--- ABiFxl1ZHUSZJPkagpG0QNgvWeWrJsBtCvDImCQHULQ +a$ t/\hPD߸Ay]pF#HM%g3p)^c~]PK4:,cF5Ɖ \ No newline at end of file diff --git a/secrets/hosting.de-api.key b/secrets/hosting.de-api.key new file mode 100644 index 00000000..32c936ba --- /dev/null +++ b/secrets/hosting.de-api.key 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-rsa kFDS0A +MLbUT2OZ5uLq2uC4GdBNhQqrN8BjF3FibWT5NpfcL+ryr5wI1HfHnTINQR1SfcP6 +e7YF2+lJXiI+Clp+V3/eG5mDMXo358lr1usQPo3AJp0L/F+ZXuYgXIYgp/H6CpX7 +ztVM3BavlwvKibiFzpJVESIQW/aMp+fotTG5BBCzQ9P5ejpRCyBnw023VXG4bul6 +kSBbjaclmXAB/kErB/CBrQX8khYzy/sPWMeyKfNpQNRebwHfwifSKtwvl9CrII0S +6UAK6oKhi+5heqCtn0t2ToY+Jo9ccMjf1tKuQkUkT9gxJqalYakK9Z/Cn1YjteS1 +/QBE+pVNJYtqeND2kWoh7GDgHMN3RpSOZTTfLYWMatfwdZn78y5Qnri6GxKMMpcH +HJjFR3/u08sa5Z6QJN5ajMCze5QEVCfkbP7OUvdD77JagoR2TGphJXHWuHBBjNT0 +67GnaVjtjBSkPc2wHaB9jXCLcpkYtx2JwvcYIBmyzu+uw3dVXekT54dXMckW04B9 +2A+zH35yNX7cG1BdAaqXsj0q8XHLi+ZyyZBB/OSXFaz07JI8Uo7V17MU6N+yFCbn +UeIh82gingQU1+OBRSi1Qbee76RqRGOB9oJywxWYoj0tfCb5j+CW0UH18rKRCy1p +nbyIY2mp1pVMVnkv+UH5HDJZYTVt6H8HllKZcqy8tUQ +-> ssh-ed25519 cakP9w r7YM3I761Ly8mdPE5Aue4piOtU2WuBCX/ZkuODcC11E ++FGBvDNQiChuuYWGzo9lKiFGWtkGpd+h+zbi0fjR610 +-> f(eo)$--grease = zT ssh-ed25519 Y0ZZaw 6Ab765r1KhdPSNomPyArPOa9EpOK1gJH1O/2ImGovDE -AbIsUHJvTypKJbOE3LuLFXYkIzfTXxRmiLFy91HzaUE --> ssh-ed25519 BVsyTA tCs+TlkHQMbqgeN28U2aLo3luZNHRemLKbsqX8gOSWU -PU1JXT1JjKeSZ5cybTuq+WOipWWmqhHGLtEVHi1/8pg -> ssh-rsa kFDS0A -TQbtZUL6l+DJxir6AVNUWMNPXrzJ6Ns3xb2C9s+lXsvlTlm834H8nt/JxJBCeRoH -ymH0PcXKHCk54iPypW5KqFRIwoDYBTi3t3fSqjyLQk4eFNBjByGy+IVAaF6dcS5y -+pYwpZxgshv8u6iSEiRgLvqp0bIs/g/tPHowZ6ezlpyKOzh3+KRYK7e82dJFznwb -Q9V+PdWZJLqobbo4bmz7nT3qNlS75tpcVk2FAwsNB1pk3Q4ucbQb33eslSny93s9 -DjGCQFOMCkSZwKk98jV8aV01Liu4+tgMty5Sb6+Ei/tt+4TvjlX3t6hl9kvCVQNn -gXjc1y2FxfuwN7hTnFYM6QAwB4ETUPwsyqoOAzfFWzpQNpit+ZOtRMw42gcSkhA7 -RcyHeYGtQCeK+MKU9YaWZrDZjFjwpA7oxVkBGk6Xd6drVfw0tMurXpruuIzswo2Q -iwdSGNsyAmMAKIoAWrjyxuXodgAwii8JgLr93IfkEuOQ/izQQ5sJCFP4Q4pB/Svk -8yG62fflaJ6epTn2uEBD9EDqlNCGpDwNwdBnASdpcSCeooCqcqDIHpk0VJly+HiQ -VyxpD+3ZfaguUkiVC44oxAkQocitj8ypNmuGqphG+1ReN4ew8xi74f0WWq4lxkY4 -DieriNG+NG4JS7SgUTz5ZStYbOuIJJ/n82TcejWkJGM --> dqJ?-grease .CNJ%TkE -D6Hq2UnwetlWfmLWLcijubdNB2uJNjRRIw ---- +wyqgdU3ahUepcqy53z01275bJE6CadK4+yXH0bSvuI -򡈜ÿV-j^/uy{j7@h$pQ'kz#:,4v}1rjeV \ No newline 
at end of file +DWQcu9+8Tt6PbnhhtjaEh4JwKckPzGp8T886OitKmT36ONeX1xm4rxUV1BlZJESH +bBUorgCjlVeNadhrvMH6f79iq84Itz3wFsRn3wtXTHPjyOjXKq3mBFCZchkNQXrQ +kAlHVSU4KxArWdDgxZlSDDjqVKUO2otOax0jQIrATyoyXxydv3IrY+I/QJNXyMVV +TWWur2MjLfRtXf8pKhKHhZMGthOtnYRYJplR638hw4TQ0j4/7J34qcZZgNoo4pUY +FHO1xLqxdRzMiE5Kn7drhJ667QeEANZUr1sPjejXahMx/oYatpZ7YxDk2l8P4bcO +qAiQ5Z3h1wfhfhHJWLCXac9jBifZeMXXsi43lB7/A+8OCPPZbJam6ng9Nqi6q52S +nCwY54c50mDp1iS8b8coBnVqr4JPA+mipy31KGmbysxjKRV7SovYuPq6xzGzL9gO +nAxpvwGuPShuKQMQ373u0NL5Fx3gnSwBpDax9Q8ZIvkn/iGIjntQj8IaDDXUtOUg +6r3wQD8m8C54q8hdOeb8dvDTb8YkXJGumikOwx04KhhX/MJbIMpwSmhZGHdCY44v +qhTQcnudnPUskTZsenY4pw9LOdzuVeLqGL2359qvw8w8KTNtZfeif0xCpWBKMOw8 +F3wdYRaowGp0Hqi1wb+mKtiz4Tyx93crkflrpxs5hT8 +-> ssh-ed25519 cakP9w m4+f1g38ZLRWqO1eKOSnu/0wJ+ou4j/4VgR8IJhh9Bc +1MkqVLAk5hZyyvjVSU7ScIitGkIiQlCl7oxJCBw7xmE +-> Bp=k^MJA-grease +iP4iWQsV1F2QEiShf0j9AhCUq+SXOxQ +--- d1wE82sM45YxhJkxchil/8TFhZMjyDVSySvgS6BQCck +dVQrJ8rg( +if6O#Wj,d q Date: Sun, 30 Jul 2023 03:04:01 +0200 Subject: [PATCH 3/3] fix: rekey all secrets --- flake.nix | 2 +- hosts/nougat-2/acme.nix | 2 +- secrets/drone-db-secrets.age | 41 +++++++++++++------------ secrets/drone-secrets.age | Bin 1480 -> 1565 bytes secrets/gitea-database-password.age | Bin 1119 -> 1346 bytes secrets/gitea-mailer-password.age | Bin 1110 -> 1183 bytes secrets/hosting.de-api-key.age | 41 +++++++++++++------------ secrets/hosting.de-api.key | 20 ------------ secrets/keycloak-database-password.age | Bin 1008 -> 1259 bytes secrets/mailman-core-secrets.age | Bin 1453 -> 1457 bytes secrets/mailman-db-secrets.age | Bin 1184 -> 1323 bytes secrets/mailman-web-secrets.age | Bin 1370 -> 1509 bytes secrets/secrets.nix | 4 +++ 13 files changed, 50 insertions(+), 60 deletions(-) delete mode 100644 secrets/hosting.de-api.key diff --git a/flake.nix b/flake.nix index d239164f..e06b2970 100644 --- a/flake.nix +++ b/flake.nix 
@@ -190,7 +190,7 @@
 };
 
 nougat-2 = {
- sshUser = "yule";
+ sshUser = "barkeeper";
 hostname = "nougat-2.b12f.io";
 fastConnect = true;
 profilesOrder = ["system" "direnv"];
diff --git a/hosts/nougat-2/acme.nix b/hosts/nougat-2/acme.nix
index cf224d3e..1af6c539 100644
--- a/hosts/nougat-2/acme.nix
+++ b/hosts/nougat-2/acme.nix
@@ -11,7 +11,7 @@
 hostingdeProviderConf = {
 dnsProvider = "hostingde";
 credentialsFile = "${pkgs.writeText "hostingde-creds" ''
- HOSTINGDE_API_KEY_FILE=${config.age.secrets."hosting.de-api.key".path}
+ HOSTINGDE_API_KEY_FILE=${config.age.secrets."hosting.de-api-key.age".path}
 ''}";
 };
 in {
diff --git a/secrets/drone-db-secrets.age b/secrets/drone-db-secrets.age
index 769002b0..95e8e9d7 100644
--- a/secrets/drone-db-secrets.age
+++ b/secrets/drone-db-secrets.age
@@ -1,21 +1,24 @@ age-encryption.org/v1 --> ssh-ed25519 Y0ZZaw aeKyGeq9/rWQneJZIkrovdlgAdRTqYuUeqPIhT5dEwk -pkwICt3TV2RSMo93GMqVNZ6kYorTE48yyVuSdbLlLDc --> ssh-ed25519 BVsyTA nNb8z1VNBdzeojDeQ0aRO9W12LVN/Zc5mQmN+jOxInc -VeoBXWSz2ZbXcFTNc+XtWFtWUomC+PaG8pUrRoF1CCU +-> ssh-ed25519 Y0ZZaw 4IYDRUd6wQzWDLzyFLPzy/t8L1V1UT/KwgfMLvDn5GQ +4lKiqrafTVNtmcbbWdDsEkPSaN0/1Ud1k+rW1p0Wi0I +-> ssh-ed25519 BVsyTA 5kVXS829ZZONa7iqxXQXpcQ4eoKEH14Aah6Oo6plWjE +Rv06OqEOnVjrlwBy8JtfV+v+arbqrO2Cv6paIx0Bzf0 -> ssh-rsa kFDS0A -h7Wk2206zM8zX9RE1DSSmaEiMI/v3A3p7h+uQB5uLz9nK+l7z92H9nHMExErdA9u -CjS2/uG8pjHtktNk5/nOyx64myrr3Y/HvJlHKhshiQF26CKiANO1LZa+Vy+P/LyM -8uI1T+bvqSJLPVr0CJ4gJ32YL9CPp0BJCpR27RHtXhdni9n08biBaib8c6loaD8K -fZr7TPH40F1mrn9+3paR9vKedJuPwEj2dKiHKcqC2zHr4GW28HwL03xNfCtdWw7x -Zxjyxk1cagVfPHeG9ObliJOohWZSQB/B4byVaRs6EyhYI0noqg/hl60VcizMmu/+ -PvXxOq2llAnOF0A5gA5b5LtFQD1xRPNLwe6F+rt076Fgt2qn3q3BQGKOahRv0vy6 -d3fEGiZvSgiMFlB6JRHIz2PDbpYHHIAUDEPP3M7a5mdwgKyYyFjsboc5MbRSK609 -oM1QmZg+14fdddisGjuzz96p2SYwcbQu7i4Haf/4i142FYUHYYLtreMTGsW3oCYq -Qa/SQ2Ip07BFBhGve73W8XXzNyYUW+GLsZOcX/NrxSjAYoVFKMzMVv8DGrt6SXap -yu6aR6065HJgKEWdssWce/g4xkVpYv7frXnYLdDseMFz7ZfMOc7ieAKYpS5Sb9r3 -LMifMXPRAXkam5JMbVr6aF2k3FkTzeDKrhlH6aKgh5Q --> ;cm1-grease -TvutGCeP ---- +a2HtxLwZbsg0VlFHB2tIo/ULFcjS6VZ+4EhyvnDVq8 -uDzlTN?{pAjKSzUn.CpQYou.?k9';|ڀ>Qlhd )Sˀ75?ț+p".(rDɝP@0+;Wh ' \ No newline at end of file +dvnz72ZtLpuBJfJEoXBb9TyQuEtNK1VZBXtSq9X7RL4fg4rbvGWRiGwl+IH1u8Tp +6TPephD603lGkxhglh9KlmVp7vqZ4ILRN9836b4Ic0kPttK7iCWoRQsLzHMpwQyD +Lb8ViRCIj+a2ZWfThaxjSXjXgDR5ZJGrnSwHhxsK9R3A4YUhT8jLvVRCfrUYhtPu +9AhhT3P9FceflBJzIrD0lozYyaFi5eV4dySAgGyuuBzPXmdWZiOoEbArV9M/N1ss +LJ/Nf23Ki39qe8w6YelcbhZTi6D2zfOA34Rd+QO8xzZFKKk0iZVSJ0ODk0I42itY +rxiOQFX3Mpv2/FoqOzJY9WeFHHw61pfZid5UkjFLaongel60a0QSrJvhNoz8J5Jp +k1GitKbBJl9V69XDY8RqQyDspImOkf7M7497C3OjdUtQkzC2cHzIfbDIi36Oifyp +254KLVyCtArCqKZClnwcXAl9KtP4d9FM1TL7vSsJM67wfSpWakm5gptSM3WyYsZy +Y2NkVU/Mk1AQLyrYKz+jtEwTmcrGo8zUFwKQZrXkytNV+vlWxwUAjZupNef5Ih7F 
+6okWpmRTjozIZzdJgAHSJ96nnbu5QZt0GmmJ+LtCfIZ+1W3M156hODwCaN9Qg6Ki +30MR/njAjWE7o5TB+gI6iV2OYxd0/Yqyy9lIdEEllFk +-> ssh-ed25519 cakP9w usfEkp11W/3dAIKp0EcTL0NJe8cMHLJamShjSEbc+EA +cVK/YSYLIvcXeZWpqEUHkwufHxOIR4uYOvZGi2eMNz4 +-> ym-grease +INN4gag+EYKDUsKFd8N2CrLBWtRGC/BKP4IEfaAt4a5L1FFUAeEaRRAfuQ5ZWvnG +vV0T8ASMwsMJ07X2X2faghc +--- 7BrGKq+40E31/Jz0C6jg7Jequ0k4W+71wjLGLdR+9vg +" чdRY$Zw2 AKM./U!j'$ 8n`5D0J<ہ߈*Y>Rf͕|/lSJ`2[ \ No newline at end of file 
diff --git a/secrets/drone-secrets.age b/secrets/drone-secrets.age index 80a14ef4ea7ec3125b6dfbabe1b9cb7a2354ba68..0b2206dcfb990239e9b94bb31b42872b58053f49 100644 GIT binary patch literal 1565 zcmZA0{qNia0mpGPPDwWy6U8NSdXNB`=DS{>?yizBd%fQE?)q@OUfXNYk-O`|_1a#q z*N1D51PG#{?nx%bk?+P=MT6iNdjL!ZO9+o4h(xy`5fh^Xl+DDUBxG4Y{9(WN7rc^B z-k*VOu9(x&JfFo*Fx?i+Z779-m75DuG+r?c1jk{bpcQp}uqf!wqDJ-Vqud%oWUpTx zvJ0PpLw`OD{g~2C$4MJyiRO991*Qx?p4V7M7GZk?83|Ht$RIn98r_*CsuW9g8N0(1 zX6`QjU#lun-XjZUr7O=Q*lq9w*Uw#=sPy3ostaGa1_w+?gMwL2 z%x7fU4l>bD$0epS8KA=+G{w?d#6pcwMf;XcU()8$py1YPQjr8~$DYxIWiPczYI_V> z4s4i5A;R(?DMl+=g0{23AG=*~B3pS76p3YV7U)_fgHdkWF9VrWcRXp-iLD$@MavGg zx*zeanS^yCW0Kc6(3fkm3gU5Kdu6Dy(3eOl#jcZ(Jzj}Ax`?8 zgbxOcq|Oc4F)0ueYZT(56-w3Ph25Llv+)Gslzzj&at5G81Fnoc8h1Q1(>q0R!g$kS zD$HnKg)yg=P)O5N5txrdAW&$EfSUTQ%PUM=7Ii9|W)*U|l(j}6 zh0p@dhko0bCTuHA8MuzBG)i+8AB-wCn1HRCRsu<&JMQxl=Y2e6iLNfQg;9;j5X#t; z)LLC36syKi>kY%qaT3-gyAaoDJE1~U4KmE=VA2ODx->wNslyFYuqWuMj+@OF3fd zO1C`5fEmkmr(M}fRVggOX)*v8Ma9j!SPwH=M(nXFw~*K+G}O5NX}3?kuXDtTJvRrD z37||bo6IGxX{xl%i@IkCi8pL}6T>l7w$!GkYD+UT10>Sku+Nv>RvY3)U}a^cFsV8+ zB6kAMgyVJwx4;USR;qp;)L6re6)aFbPPKwAQ%eK1d$(`pp1ksbSKs{Rh6^w3eBzBK zAA9_(|M=PG8z*<~=)Kde?%s0rv*6h)?mM+}qj2IU?;c%u@cP%+h==xQon615AG&qZ z-@pCE2REnG;#uH9#?KD_q+;^?;KiG0h4$Ks3sA;f!sg!<;cl}2;3^gQxb{m9!- zPp+~qYo9v)om+mrse0znb2q)b`im7m+;RBjznuHRnf=$T|LL2L;Q7A&+Yemv_8kW{ z9N)h2m)ZfPaPF4t#b3R5@#66>KO3Iido!||>aVW<`LSJlpE?G=yZKxs@prcNT+W_9 z^zcV_iwDmP4l$VW?0d)ee5LWo*G})c0lDqUgQe&9udV;!kM);MzH-$kPw#x?Z$EgZ z@Z)d%_0}CH*6sb?Z_nOzkU4VuceiZ#+~wx#m)?K$cwW;lIvo%b-77S8w}1`d=8AKXd>9 literal 1480 zcmZ9LTd3Ov0EYEUr)CHabwj74OhslrYtpnys#Djr=`HCcX_}^Gu;rdMNz){4ZlWM~ znGTt#AP$BOFB8-`&;vTD+LTHjC_}17^zhctZT&hI3xT z<`ZJs_V8lA3$sPFK5FF01IE?ZJg`%uCLQ3Cr4LeF+ls*)ouzTf zQO8hb+_Lk2AwNdSFc(cbtVL$Pl-8+XHZ5Q>QU$84P^yCj+a~H#)M8_cvgt<0^&~f~ z1Sr;RIT6MuRg|p;VP8+Ri=a~AY|AYZMgw&QT|hq)h^ka z^l)w{n>vP=1fNS22CrJ4JjO=`Ce&Rd$4wO)pin66#p+NP2zai}v*j|#3`ELA{X#P8 zc}}uGjB{#fltQOnhB7A2p*8KwM2jEO%(T%Q13HXSwMs}uKFm$&ZX7~>yPpIZKchl% 
zpOV1xSR3MTKU*iugFKB+IjB|Onvo#&+C~hP09Vqcm3kSD2SbbYN~Xmja7c)#7y6+{ zVI|KHn$5g|6(KUT%VrLXs+~xXt137eA_&g|{WL7s^oti6*J2E}YfPOD0BI&cWtn|KngHybesq73#vex#&j1p=MTN1t=Ln{uEh79z4;H|;16;B#&CYy ziR;!$o9-2NUwOpcUU}3$diHSU`0kB6)x+Y>T{o$zcNZP1RnMKi_1XQ~f4#7G%?rct z4&6V$U|;L8PnPU>;+2O95vo%rNEYj4?gRS2}n zw;^Klnrr7)p1I=HGyCtjZ-qNQb7YUTZq3WgnV(>I zIdoDxxqj#Tm4Cgxana(+<&s=-$>m9r=AFy?ak)!U=un4> zgKG!D2X=4~#X%6!O$E`V+OdO9LVeRgoUB6^|ANm4zMroh`e%Ob)_r-{7x@cC9ZrrQ zaQ5=3X`(aVgAfEHM&{JA?9(VqVFRI&lST+buP0eBut!iB!$?oB3L0YS=pbY;Dv9$1 z-~(dtP)!_;q*@TJE#R|clX>te#)^8s8{>0>U$-Pd;q?D$q}KGi`6wwn!_b1PICiwj zk!#1Y5OhHbhXfM?vC$TkC!kifRUj3RRIC$;N>4>yw;kWo;fb4Kgbv2F(}ViTjPaBw zSIdcgdPJ)mdz35}%5)Ae0ePsvDuC+UDj4HlFA~d25erUpxtQwHj;W`)&w6?y8_^tR z&FvDNcUs~U3R7tm4n*KgUrB*k3TEh2&Q1ZR0wZ!*YJw6u9OE_S=<6NDo>qcMYxT~h z+_q|~(B!!|VM7@}68`As>7$4t~i1a-B#F6(tTE{uk%kmcMv`Vxw3(0UYG`aWTq-;qw$;g@SgdfS9Aehaf|+9- zBM_QO6CgrS-f77-C2LrQE9AmG($)gQD|xnKWOK!p5L7Pgq|MoN-53+0nha^s*O@>R zCD=uP4Hn8~qY7n&_Mw{()Nx&lR+tPecw7p{sm>pywku^S-!`NpNgc6Sw>zg@^<%9B zZRalF zZ0u>XM_|9}DAj`EsSA3irHZtv5g#1b#`LK<6Bufp+ICyoB|+4S4LqL~lc=GYVF8Sh zoX)qdfNWPh=ZQL-%9ZUnb>ur?Y1aO5aPdeaU47p?>iE$|T|1G8(7#U;$$qqG1(^)S?)0i_K#Q3zkTb?r@q_&_1g0vzjMjF z_QjWqY8yk1;l;(-#dWo0s5i(8cc$AoOoc7KMEZt4EK+V@ZNtLWfoT6{ zt7>UXl~QsX%?EiNr-wXBn55n*hDiht3;E?p^j1GO3O`X;?v`% zhXD`?7%GQ+lf5ZXMR4hs9^(|qMQD}1cRuzA3nd1cn9)!xXgVb{B$q3K3|xt$4k!(D zSyah#C!;9ij?u~XKnM{fgxzE?=AShy?;%K;Mog;DPbrshaS88IDE5YqA}j{u=&hpiIZ{}i!;~vJ8##MKv@Hvq`GE;8 z>U7PevUYBr)uAd%PFHP0wYC`AgSdH^d+U<66^k;89!4lFY2;>qbY;avEMPTU_7o9Y zMGvmm@|@S)lfR`SxUUk^jXJVeXI@Cr<$xHi9JWW9G$IN%WJjtFy~Ha(W5J7{WfAhE zC%i5Y1p(2yB02Ol81`H;pykcnV8?{&vA|SHpb%V1)#|+F5x7J16M#EJ<+)bsT?l+E zN(pDjl>|mZail73e~IYUAaYU_N>l##$FFU!;Q1`9e7E)iSHEGi*#yo&?6kFeXrqkP zV%-Totge_NFAAh4n49jb0?rKhuPNJ@w8L@BjSE_m95){Q3j*`t@(_-F^1M2k(A1T>p6Y f_b>3<*bl~=FTZly+qZ5#_TA*(qX$1#e|-86t15w| 
diff --git a/secrets/gitea-mailer-password.age b/secrets/gitea-mailer-password.age index 8677fa145006268ff3c4a70f3e23825d60dfa2f7..46d28f8a3ade5fffdb192237f835e80785602225 100644 GIT binary patch literal 1183 zcmZA0I}7V%0LJk}L;?=NfwR`R)ZA~NN0R1kuFa)s(lj8F`#ourHfaJ*egsE1LG(K~ zIx7fH4h|0Dq=Jj1I-JE%@EiWm6J*IQX`^Ae-HWb$uNyLWLZRKO%{b<}B*sV*Wj9yE z_k($(K90Es zH0Am#LS#s`COX7UNr4RU4LK@cwENj=N~gKhdgMsuI*p)$gLdd%Yr`09s)Jx79CS)A zDvsN#6v!By%{YwaG!^Gc4JD`Y)S|zbVkTGs))_p9A(gxBbcOg zb7GaH+^WL!(5A-K>2U0#O!p^P1wYE>0`m=}&Ig~lF@YR)qMJo}VakjP*;uZVSg#yvhNBLazUBlfm#4Djh0JpFg}uA>B{%&rtSU{QCm$mU2|5B=8Wke2CV_9`z5}zfz(Gc(}w4p zpsllKW;rF9su$3KKBSX+8jciCwH&cun0(k;(UaeUD?hq%1I24sf?R1}JBs)mgsXX4 z>Hv+MF;0)n-C7qS&tM|trp6BOfBX0zt~ohi^xQmZL2Qux%-i)bNRzX_n2&k^ zV-eBX!yQ0DNv+kaiH8#yPm3))4jOe`$5c$*EmWc+%E`{OwWN3@LJ#kHG3#en49qY( z?Q36Xd06bX0S>mS;sUWf1X;)10>I$%wnre<RO@p8RR=so)4Mf=n3>*=$f-+cGa@4qpAc;~mTKKl0KjphIf-HL1x!o_7ei{fmpW*m@bLjHrQE@ZmbP5V^`lUD5|gvI90zqd zlkp^uE*cYeAHf`-K^9e}}wC--Jfy9=dFAz$XmxN+jabsJlpech{JK8IaKke8v%T(BHvVE4L4(23Zx2@#n z#ZDzAIXqrd2$XK%yfl-yELExI(ZM-}cC3!2!-g_9CQk=@EDtRJE_J+S2PNzdt3CfH zz0t5EM|V}VEflFJD)oT3hpQ#>Dl{_P7(J4$YN_;z(8Sz|3^u+6PMv3n*C=KHRL)No zL}+?)FIW8uY;jo}sstv$uJt72ha$Tc6ed`z9w>#a#Wn@NO+93qHB(RL7>gB0;MyGk z9)~)5a))3}CbC|gj{jYp@BQ-atG8c#_s)>NTKw?##aBQ6?Em%|_2Tv4fq89F diff --git a/secrets/hosting.de-api-key.age b/secrets/hosting.de-api-key.age index 648b725c..f62deb65 100644 --- a/secrets/hosting.de-api-key.age +++ b/secrets/hosting.de-api-key.age 
@@ -1,21 +1,24 @@ age-encryption.org/v1 --> ssh-ed25519 Y0ZZaw mpeEJ0Pmd9BR/HQ6tcY4H38pCNrel+8L6WgnPj77ByQ -UdF11WoYedaNjDwLhGplUlHYtAW9wSTLrf6BMSQGXa8 --> ssh-ed25519 BVsyTA V8CrvHHBOPuJE6xqdQlC+dLoc5CU625aysWOk8oS6Sw -jJtQYWFVhCwwBGpQph8WNKPNLWrXiJVJj05EY0PZFzw +-> ssh-ed25519 Y0ZZaw 20k6EMk3iFO98VaGMQVxAxLuCIKp8M8DN3SucCtNNlM +Za5+geQFA/CVkj/IADKmrj3EIsKcj4l9jETuvQbApCE +-> ssh-ed25519 BVsyTA vqpU3pzGierKMAKK0Gn/xvEkdebGgfahP5CmRE8tZTY +ZsmYvYgFzOL2PL1mLJ8vwoWiT1bngJq1Y4P3MBYcbbI -> ssh-rsa kFDS0A -QXSYUXN04FSQofXobqNcPEApTKsDcUJV6eXYpS+9HffRE1PDt5JKRXWMk+3RMw0Z -fBlWPBMmS4M/letqH3PHG1gFv6MFrGaddfJbZo4FYUzMNeT+Fh5ZWM2bQO6iczd9 -WUYYKonOzgRd8Nwg3DAHxJ8zXzocHp6F+cAqnw4y1ou50erVDMEIQ+wc16R8yT3t -OEKfz2Vr8FadAsCw2JBqouwyvdM6bd/+AjnJZbFrIq/gKlgIe0KuSZK1lr08v2aL -Nbk0bykb83N22kIG7kecYuY9Tz/Jh0geotkti7MIcsLez6OQW0+IC9bDZ/Swl/Cb -oXJdrjRCZipD1PKGdxzyb+bXZHmk778kc9WHB8NRas8ICFcOS0Pu0JMjhEfU2rER -QQoYAmk1mmJGDW1DVv90VUb2RokpF6QuzgIjfJUi7R7JLPcahBvfJRa8gytC33OP -Nr733zR5NP06b3LMdjjUyiYyf0cyZG9Qxra8aN2kAlT/mHZe+v9m4piHrJ1b+j73 -pyZPNa9w5AXl942fV5DbERRpXtP1kc3bO776All8X7ARy5GaHpHmvmEE1ooDhicS -iSvEm5c/BvgTBijXqsXk/SkIoFiLrGQ4wkTjNpeTsX25ghZc1W5gHrcDY7QtdDLz -RotNg5klu2XZR5mB7hFPUoXwGhwYc5l1mf05/2tEkVs --> E>o)tKn-grease T9%P;\g -y6At0SwlBQ5jKI7Rj9ceRCqW3gH+b+7K0rLp0w ---- ABiFxl1ZHUSZJPkagpG0QNgvWeWrJsBtCvDImCQHULQ -a$ t/\hPD߸Ay]pF#HM%g3p)^c~]PK4:,cF5Ɖ \ No newline at end of file +chQyiXGW3eND86nYKKZVX3Tr3MKVYJXoQccbYn5yGEmXw17U67z2YgbgXcKJGszE +FiOKe6fWCbrnCi/GkktM+bbnbJtfCOFK/J2VlVQrHScibel0z4+yd0aeH02EVHla +34vcv2Tdi09BVn5Me2Gh94/CKgzAiIIHmvDfYFsBZNQOalAbn0PvpHFJcVnf2DsR +bVgOKL8l4mHz/gihI5cCr5snz3ClhHv/aFbTR2QpHPKAfz5aRi0pe9phpqv9TDb9 +3taeIDZ2dIVpASyqIBxzxzep6liJrupldmQQGpzleKpRfqPWrM5BAmMHr6/LiP24 +caHaP7SOVTr1s1wo4Qh8x97LrXYe2AEmJogteoLJddYYgqYhJuoCS62dDbyry32D +3BHJTcxl2OsgFDP9Q9uABhwNExdu9z7ohbvyOwZ3ZkgEbpFOKPAOExKK0FV6C5R3 +nKox0yPZGIsTP0wjjyWlZAwUkNIj1m5gXL6l3h4930EnPZFe7vg+lfC/4v2V21pE +l5U1a+LqBzOk7qCgVgtbAZZEIvK8s0kZYLmPmtMyjIm/mnl6yxY80Kwf6oTlb6KN 
+bFopzuBfmCZk3hVzkrVDmpxpWTcFclSG7H/R+1SSibHOL0RcLuULhrVHd4qOPYrQ +I4jDt3nmUKU1si1IhOQe20NKG3DokMGDQk3balKIMfU +-> ssh-ed25519 cakP9w zXYz3ME+JJqwpWGFlnHzTxNTvpGMXAZB00rrh0MN1wc +tgNVf1JJWPkU7TxYcakGE+omp1fNqwXVzyQBpPAdVCU +-> Sq|yWUT-grease N>}A9 +TvMfldFuvLXmFvEmgZTd8zXY2iH9Sw +--- jyypo7T4RplBaZ94/suJgMliWbt4tQNMhrDUv/YMaYE + S=8ƸkCU܎2eX}$G-o؞Cl=Q_r)dyHiǐ[*a R +X \ No newline at end of file diff --git a/secrets/hosting.de-api.key b/secrets/hosting.de-api.key deleted file mode 100644 index 32c936ba..00000000 --- a/secrets/hosting.de-api.key +++ /dev/null 
@@ -1,20 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa kFDS0A -MLbUT2OZ5uLq2uC4GdBNhQqrN8BjF3FibWT5NpfcL+ryr5wI1HfHnTINQR1SfcP6 -e7YF2+lJXiI+Clp+V3/eG5mDMXo358lr1usQPo3AJp0L/F+ZXuYgXIYgp/H6CpX7 -ztVM3BavlwvKibiFzpJVESIQW/aMp+fotTG5BBCzQ9P5ejpRCyBnw023VXG4bul6 -kSBbjaclmXAB/kErB/CBrQX8khYzy/sPWMeyKfNpQNRebwHfwifSKtwvl9CrII0S -6UAK6oKhi+5heqCtn0t2ToY+Jo9ccMjf1tKuQkUkT9gxJqalYakK9Z/Cn1YjteS1 -/QBE+pVNJYtqeND2kWoh7GDgHMN3RpSOZTTfLYWMatfwdZn78y5Qnri6GxKMMpcH -HJjFR3/u08sa5Z6QJN5ajMCze5QEVCfkbP7OUvdD77JagoR2TGphJXHWuHBBjNT0 -67GnaVjtjBSkPc2wHaB9jXCLcpkYtx2JwvcYIBmyzu+uw3dVXekT54dXMckW04B9 -2A+zH35yNX7cG1BdAaqXsj0q8XHLi+ZyyZBB/OSXFaz07JI8Uo7V17MU6N+yFCbn -UeIh82gingQU1+OBRSi1Qbee76RqRGOB9oJywxWYoj0tfCb5j+CW0UH18rKRCy1p -nbyIY2mp1pVMVnkv+UH5HDJZYTVt6H8HllKZcqy8tUQ --> ssh-ed25519 cakP9w r7YM3I761Ly8mdPE5Aue4piOtU2WuBCX/ZkuODcC11E -+FGBvDNQiChuuYWGzo9lKiFGWtkGpd+h+zbi0fjR610 --> f(eo)$--grease = zTsTno1+dU zXVl~@CdNzdXM@PkPFi`SsX8+M&8#-?{ZC>`oxdXA1zzWuB1? zLvV{2Pm*+6jCrN%?m^$|XABgb*-W{2Sh)~}!3mn#d8W>J4l+rTRD?4v06Mk*GLW3O4Qmg`cWy(_wAmi<@i{wD7-I_E+ zLO9En`V{UtaiEOM-6sM%)^nVRovk~Lt77Cu^6q%NE(ug2bEGMxDo*b@Z7{nHi%9x< zVkd~=v0<}QRYZmcRa+v`pcl+den9i&nwi_&CiGZ+tOrA258gZ~;pHTnmWUxl=h3iF z09Ri7tq|5{r=DlrGu%fxn-kvV!h~iL&-&R$EQ7IiX=B{M9T`fYMV|wR%$RoUYI|l4 zLysn#2#Axiy*iYpGUu~)2{S@iJ<$DD)`Oxpmh-BjWUrDW5wEMP8Eh8pe7H%>6%J_S02@R%I6z}Ndz)&~eaROgx=O$X?YLC=KHu@AfvF4^Bg-MQj zAPbRf^9smdR+1K)KU{+;S&mv)lA5tImTNtAaEJ~i+`2@1#lh$~id9a%8D2s;;4*5B zU#Xke5B+uSNL9yN`H=UTLMRTYSEP3j(iJP9sjdhZGU;S@KJQA^4)wF<;? 
zB2uWFWvuKK3ZH$&3I&@uT*-FiY7+y2q7TlYNsyxiAr#{0lj3acspg<8ks^PFh`1%jCeWF-9I)E|-hW zLFXu(z}-VP5q6wi7{z4JTN;YpQyLZ;hKGE(bChU})W1?c{9%4#|MjZMzhHm*r629j ze|zt(pI<~DonHi>z47jM$?xpT_rLkD{`$w=?Mw9g;?>(9|NRy6&&y|A{O70NzWFcM C)TFck literal 1008 zcmXxiJ@2bj0D$qq#o%Dv9PaQ>Tuf?hDF=E;)P$Fo0;NEq6c}!#yd9vt({gCy>|$IT zoQ#XByW9N&CdS!8qnj}?G10h~cpdx#&$Il3G@i#**iFrl)z!OomoDxkG5_GH@6o*L zgQsFET1$=)&t`aIXV4xP<5D3sH4d)5GxAB#UA3i3ek=GPDh{UG znMA=|caC)eD(1R#B&OKETB4Y@j(XBp^`HlMnVWLQ*;75ac#7_n+<7y3VJZiA(j14d z&*xjW((-+B9NYvpDpGgI*Q5dIL**SkrMVs%3ZfC%<}wG1wL*b5^!@Zu*PuCh#CE5X zc;Dja_|UQqtyb%(Lkh#J&3MBd{8LBvMjq#GfHb_QyN>I2}-6)*+ZK#ExodcN*FyFg!Hl$ z8#1%t1%@?WIc*0NgPWCEGf|`}m6xfuHS&!ZVAh1bd@rg+CdqjV73o%Hg+AgXP!Vz$nsSk~X0%G=OS?$$0Jsw^vdyr%MU`>t3)}DG$^*^F z?)B(#bK-p~?N=1dw)YW^P_++(pTt?R#6olCRZSluv8BeyI|lVAHOpO_k>h1nszdew z_Jmm~?26>tHMpmd4gYr>M=P2p*{3il40e1f!7L$D3i|uwxz)*7)vfBbSdPl9zJYuJ zob(7~1tFFX2~sOsXU`Qh@~7#ZzXZ6pLOC0xLe9*qa9!6}5%_V9%gui`zInfRt|{C+ z?c$)1iOc}m+3X#1yD~SKg_32?a!5F}Gt1SnNzCW-r-&RkaMf#o_ApWk9HQ*HfcEyK z&3qCaYqIXC#qg#O7DVK{`1(8Zvrd68{`sr>JAM1BpWpoLW8&E>zh*yun!Nryqkr?( kkH5U}=Q)4p+aIFW+Rxv^U%vW>{{1JQj0Kjd#Q-40aZxt-k%9HHIbUxP`FueOHK&6S<7y}Mnsd>xQVpd%>i=3*2vQ!; zDaIm+qCvSPQ&~sWSx8}tpz9VIJq-qD4BVx$p;jWiY109ah0`QsLRKsFDVLfx52`4> zV<8RMDtbw~gD7S(EqnMV!_RAepyZr7(T8w=kvVOW1hlObioRqDgGqf})eB*V^wR;a zclk0}nX*B#MNjcDXklHCTTmj(fV0f3&xIC%6Ixp>@)fZy=jG za|PLExO`rNs9L*M5}8gURUx_*%&IY5^f`bc(X=xY^076X4lG#0!Ukiop_MS6fI{_< zmP(PiLmbABi_vIUYqx5V2^(;4X6n^(8i;u^ z3v><&%$Ct-8%;0>f@+0hJ!ybgexyObv>kgvpXH5KjmRfiTO}-7C0i5<7X!giX{_ZU zSU)a74pdOYa#Jz+5!+bw=*pbdbzK6ac0PkD*uOQKs&0eh$d8&REfDx<%w`cOx6K+O zTCOG`0@F((PvphgXwaBN)3AlQEf7eWiS1^HPBQfZ6ZQKp8O7ne?Fa%rAe zA<$J=8JEFskQY_NkixWG^r^Us=^zr7Mucj>AgLQ9@aE*)bNAajYnR{n#DR;R`QpXD zcb@+39ck;XmFF&YKVNstl6sap3STn&=-}TsKTN$%>^t7usKt-2c{+V;(?cI@(D2iz zjxXqSm%ebp>crLWSpVVbbng|P9r^a-pS|njO^3)mSMR&?!FSKTS$N}zt*tK)U6{P^ zz+cxLxM`*2KYs1H3zp9%%Wqd#az{3=5_gvV-2c(GGb=wrH-*c?^iwq2|2nt#6MgTI zTkl%~isQ9i#@Q(RT$_h0V4lR95oqS-|y(RsTdm5!1zutVyhTF#{!YlW$ 
z`r_Ls9XQh8+x^aZ`^=^8r<3(}A3pKT4XcddhIw>2+jZx!f1r0Az5Lksg1zJ5SEs@4 zPv2I^_8mKAui2P>{_;Ke{IV^p)*jq_U=v%|{`>MvCto{#)fKVt|nL`4u3oI@r%$ixYXsEmOVr-Dpn>fCfFsPl4A!3zwhPJHmiU+}$r>eyH@yiu6V zV$1ig^TTm50fCj9mZNC0V(4WE0@3ARNm0~v8LzeF38~R;#;aNEmd1M0E~{u#V3n#L z=>$QSo3p&om(nrNAN6?}FH2A*26ctN+yUFyAUI(nywLUrb8PCv&K&eXcKUw}7o)6? zEl&(Lme80T4^h4ky-_g^{{ECF?>71H=U)v@uXOQ?72n-M|`^swTq96S&m& zV}yvCI5%=CDr8xah!ZZQ8Vv3>M+Mme$oN|90O54oZfft8}nseHmHW|0l?85~j) z)$*gF;Bb0tE=CX)R#0nNDGbfjjSp^`lc-`jTtno;s3J7lPJy&^5w9~CG>cih zCKA1wX7l9+p_;7_jhf87-+^RB(gbfr5joH_ML|t{GZxP>*`Y8}F~D#f?4fDZMU zoi|yR8TCUEnUCi35bO{n7-=!?ccppJMuDu?X0gtM@40h6vn9>*t)f$&)Y7uwFmt!W z^ysEgWXlvXjyi;;Aw*Y*N0~B5a4zpnRG{JwL*A#|6i0?EE;~393TW4v2f?sl2t7lQ z#X(o@I+@rqRajCStH+6R42q=U@r^v=nkc~z4H7Tq<&H%5f>M%AzyfGj z-5z0UMva-##bHu`$Z$eY!2qgK6%y#Rq_pahF09W}FLn$b8$q&QiXLeBLdN+zEL7t# zcWAWU9w;`?u~;kjFMSQoZlYWg&r)-N-IWwVy zg@^q67$&w(w*+CfG7b$jG61>3F)$fAxyGX=?U!drK@}Lal-RLT=`6|`s)JG3wPM54 z7D)#(?ID#G8K~DwHKvbOf$DS;n*kQuXbEkB9E#C#0Oze)!RQ&It^+qbL*=EW#g2iM zm6c@;?x+h%GoWP3p;pr9m7!@vHmEKPhgPd!b1BF3ae9C%V_?In7iXuv|NV)Rm$K`= zKKS>E*N>jJ=cC=qV|Q*kvgzzkUfpzRYx(#iJC7X;*LLr@k}Lu37u@Xmm)_jueg5+f zeQC+tyY9yCk6ixgN3Y%e`>mS~pRup9?RNOK-@S*<&yW9b=;)*1ORt}^?rh+PE!!`y zuZG`d_f^k*ci+oTeJnOa?)aZqJpR+t!+Cb^=LdFPFx-`%q;IaT?|=B+q4uF$jzmvx z=I)`XNk29C!W6d(JMb3CL8yDar&tj*WUo2amz2? z2zP9FZd+l?#y!gywgCUlACIqY-L^s2K7)_l|4#VCAJ(VWBL{w6evsaO(b8q~B^%!h zj-0&a%x4F`eYt+ecKx2+YkxiX@v8WTxAm0=_OW|sf9>COUORhZ|Mm|azHIHlTL+b^ fq0Q?q9UQ!N^(yX=EYFr!4?liZ3p)JmT`&9tpHmwE 
diff --git a/secrets/mailman-db-secrets.age b/secrets/mailman-db-secrets.age index 9a8581be6771e7706973ebc9d7339f5dbe05b22e..43583dfc34590ccb3253c75c0371fcfb2a2ed73f 100644 GIT binary patch literal 1323 zcmZ9L&CA;a0Ea<6MTE^4L3gp})M2R2cUoZ^Nz*h*(|k8gs@q7DG)bGL`D)TuVHXGP zB;qbRC__+TIMKnx;b91SK@^69hzP>a%MKo7BDfu#^RSEj{(y%cJdYFjO+Rt-ZCXaF z^A9%~du*z`RF$Kg)Hh9(oIZd9&3jlyzg2`Ct9S;QJ2 zwFcBi2DJqc=B~ocMJO9OtVC#Yh{|LV6`@|r5gbg-yM)WtDk;22Qom($ zMi0ZMT1e>3)R^=_^#Ls}oW_D>bch1dIS8YkNN{AJEW*|lttRrW)P|(#>AiU2)0jRl zW|I(!C#zvP57&{p9y#lc5Q8a2SrY&y{i?^i)RIZ^7y(P#%37U8o^LT`n%bI34tJPg z&+Vn2Ace*-9+tI?3Z7b?Sg$ATK2TH{oQ*?fK@}pAZ+59{g1w@L^tO{t+22627o=o= zxTJ&(HuGg$8nG=<3Q@Bymdvu;0Z_XP{ON448Z#Q3Fw?O_GHcL~I>so)hH*MnM%i3Y z7;{;e_ct)K%3XlNc4RoS4yRN=U+5T;QZrI#Qi&imXFagOFld-rg+DLy4Zl%1wKXV$ zM0TTSjJKIQK`LoWizsW_n?BG5h25agVw6%-g~(P`h4XM)M^IFCwGL%ZDx&*}7PlZ+TV?VI3WI-7DKq{2NUSeckE z_qS2i$Ffdj-T$&6C_snp7;i0V3Ty>C7c#v-UAlS4WBvBLizT>TIIKqPauD%Be$FAi zFiM2Dr?K^h5eP5?D8?73T`FZLWI2%NXo9$K3L`8SiKMxJ$c<=1tD37MxqjgBgGOCv zp>*novxQP|NTDN-Z;@8XcKX4r+zy;d@Y@|J^U|GdDi~jz8_IQv)OEbYq*e?8$;xnh>m1dfgGMR)oPMtfrfJ%|+dK|)V+g`P zCmuXZoDWbOZXkG6*~x=2r;}ZG@Gy^pD1!~udGO*t@cDe;`?Y)*ODZQDgXaZBL)C4XmTIxLv%=6Zetu|EVxEO zMKKrzc7Rg<*|OYjg+oRKDL_o>qK?)CvNT6lCe12#G0WXVqvwIRNJnr|qjAsTRkEJ3 zfgjgqf4>uUxipaZ*>G7IfN#*-M8ySkmdTl93G8&j@0kHNiq;c4E(e)vvFo`b6dWuSOqAr}uFx}Q@+iWPjn+pR14 z_E6RtO)D=&)sg{Hi5+7iE=y3g)=JyOh5{W`5IYcMydtrXjX{@_m}#LU&}Prl3~iL7 zAuFQ<4s8=21Oj^uRXexcrV$CznI60b=OQZUEZ6XMY$J3;B{&7)s;kx_&ZJ4sn{=^N zM*9hD(hdwHj00M0%~rR2uXL2u8*_AqG|Qd1q>JT_&{;%~1GgQ*rHCr7wOkU&RG5iz zf$U4kEdeGBV_u&Vi$LHxf7$2vImp|Xi3Kh)(Z&YLYSVHL~htMzyV`DpR>x&(^ zMtifF0oa;qk@>a(6$nlPa=Of#hVKe^vYN1=->AK*wb_M8PnyOIFY%SU6N9ua{Uw0~ zOuCQ&FLsqe+sUM!;8;?(6VSL{Z#5)^w@utw^+ia8v6&Xw<-b3kA?uExd3Nr#4puE8 z0Qdp~I-O1nx<8wmv};b*D_ROL&~_IfWo=cmf!xY3wwalXbJ|mpF%Y(Iod5WV_YZaZ zh5Ni@|9$PJ@~gMP4=zs*|0beu-#Pok>7(aPo`39Wc>UftN1i!!Apdgn^siUXy!-5d z^OAY|@h?6*{^K>{=&4JOEdF}o!h5IQ_~X{$!^m~RyZhzkcfP(m(l5V!<8|ftYp?xz 
z@Z6IpPMlG@pMG2430{5k;=?s?^VaRB9;!Zi`s~Szf%U+ZM~@x3usZk2=igm=@cUyQ K-eYh7%>M)a%a=_6 
diff --git a/secrets/mailman-web-secrets.age b/secrets/mailman-web-secrets.age index a3157552d32b437bcc7a85d818933c74da63334b..1306822b4ca5626cf0ee038ff47c6b3aa5871dba 100644 GIT binary patch literal 1509 zcmZA0+3Vzl0S9nzB$V|)v|E)9_@Frac5+S~H8v2iwXc?C{+2s|F$^MWW6(6MycVv-@t|@@$=6hbE~V5jmWeB9 zi&klih&g9Qj-t^+PJvZm=tBCm=^&ovU?@9+RkJ1Iok?JmkQi@Lv7VzrI-lu%A^X18 z(z0?y)mmz>0jYGFXzsYKI1z8fs4<;O_Hu692CaK$!dT71@u>`;Fs&oE(kg6?IL@rE z7DHc^q+X9w>#5VWi#T$dl|^7oI6I-GnN^!HZ3U!&kguar`fWn8?UzMo%`<{vAXvA( z5~nZ?GJ%+oSwlwqNzWe#ais(difg^TJ#Klq<%2*T@er*@L7f%zqFHPNf`ui@S#Cgr z-&pfR@fX3;RoThNcv;u!uH1!3s}_efasZC!a%1AJHg(8R_-K@_{SHo7p33DV zwaH5`n9w1fC`%1t9U%w=x*lLW9T!+j2pG`;#*L^mY3po=_Lp-S6$wXinbn96x@xNu z>>*S*y_j@7!FTkHI>^wzY(**6n~g%RvSJ9Bs|1yoO?l1G8q2A}WikkhHKh-7!Wc$v zk(()!M!WrG!pS0T&>X1{vLRuGVZ%X+BLJ)!brrYf@+4eGZFGWx6`7Mwo-#xu73HWu zhsH~?V7bMB2J8MBrY8%=B!UPNW?@$>fQ4)DRfM~QVq&cT84O^oa1}$Q2pnqgsKxl5 zMk7TOCyr;T-}Hh6&SSc6t{afvb;mK#rq#@L79>8qR?;Sy8t4oDtuH`(PT4gwM$k5*ie5*rC~ z+Z=yl$0t7OSTl*tYpQ4JgWgQg(+GqbGezd1K_g$qTn}F7xt5`>s>YeM(AXJ3=@G9> zP%!OsE?+5P3emVNm~DMs8UZLmOxEgyP}7=_$#>e$mY2F#=GG$JyS!Bbn?^S?G!rVP zMja|wNbY2^t$VaQ%qAexR0w$GR9XN&EFjz`vnR27L!FHUc)u?q{tw23VzUE9myR22m;%saqG=j{LC zb+xX$;OjTMpX}XtZ?D*U!}-I>nfL$qszc}eR6F*cON{-0JlA^vRP4PMsCTy?-TM*t z*o}7{{PgItcXyuq@W%%(qq1){QpJUu(v Kd+Sa8pZ^C|d>d~7 literal 1370 zcmZA0+pp6E0D$oX0b_$0A2cyRodh&84sF-VR)a^jw!5@z*R9)n@e;fBvP;))?Ygct zf*OhNM8L!tB!FC^5{# zy=XY@y3RV+v%m=q%*-ZyzcXX#DGY;&gaWCm7AD*fQ5nY23Y0czTSOOy$K63J^?5Yn zYGAt1rX@2b+pQkb04Qgw^|MHj0Yy~BjkHzN9jI6lroA)~MmAj&VV@);GhQdEfD*-|e+Cdte;54k$eH1W^Y@gwSJnHsR7y(Tj z327SOfG!||I*+`H*D!UX5SIGJ;N&#@sIXOn!bm$ZhJ zY+r9lZNZ-+j9aWm0!i7b!`nQAc1wY*(6~r*5HJZsX<8MsL}g-0xeVC{CAZe<7=tkr z$9)rq^@0eMi$1EC>XDo2`jA4a^&Vc5EeqwS3c!y`zSU=41QN7zqdMuypxN;nqDQLa zH1G@<%jIhwq~5aFR&EeGBGYH(m=;D6fhh&32*?d6PfZ=h=E}UOFmjaZxlAQ4gRNA( zk->@@udrfECI%_Fo|*^_Hr5!b*!A3GH{ToOe4xQe+Js5xTVtISlU=rd1S4Y)+2Lkw%7Z@6Y<@{t@($kz1b5amb$wEj4 zj61NrbQfi6iW!>CZrVyUBf2ibb-h)Q1sh{T0RTsQ27^4aQvvI(T&iZb5mjv@Z7N@8 
z29gtXFee(t6TIaYYFxI%DfWaxu%VtFcE?3r8UrJu(Lj?uIn!ov3-sDyRvCjGXi)LO zVN`+jVLLT$z*7`3DX83zOS2UK^~V;Z7h^S zBA%EjEgMm!K8!R1G326Ou4x&LNL8xfKM&5#BuJOZvYuaza~#$1LnXvhPBv(ZQbQR; zIaI{`d+MCemO0%aYmKo$IG(-+Jdy>TLhV#}B@K;+~_&F1$Qm zzkto{J8V~_8T;~$Bl4YF&Le|McP!m-<_vO9<$inR%jc(yp51O^mv+4U?ytL!SLt2i z%@=J9m^;7orUGw$^e<@dnF;mkW3Mf~cADLTA6dPFUG~Z4OE=E#I&gpM)Gs_Ry}oX`Rta1 MEB5ChDY-TAHy20r761SM diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 303427b6..37607b93 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -3,16 +3,20 @@ let b12f-bbcom = "ssh-rsa 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"; teutat3s-dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms"; flora-6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@pub-solar-infra-vm-1"; + nougat-2-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINELr5Bvr15GqCHevg9QP8oYFgmaRUUHcPFf4MZho9gI root@nougat-2"; allKeys = [ flora-6 teutat3s-dumpyourvms b12f-bbcom + nougat-2-host ]; + deployKeys = [ flora-6 teutat3s-dumpyourvms b12f-bbcom + nougat-2-host ]; in { "gitea-database-password.age".publicKeys = deployKeys; -- 2.44.2
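Review bot: `nougat-2-host` is appended to `deployKeys` as well as `allKeys`, which as far as this hunk shows leaves the two lists with identical members and grants the nougat-2 host key decryption rights over every secret keyed with `deployKeys` (for example `gitea-database-password.age`), not only the ones nougat-2 actually consumes; the rekeyed `.age` files in this commit correspondingly each gain a fourth `-> ssh-ed25519` recipient stanza. agenix resolves recipients per secret, so a tighter shape is a per-host list such as `nougat-2-keys = [ b12f-bbcom nougat-2-host ];` assigned only to the secrets nougat-2 needs, leaving the others on the previous recipient set. If both lists are meant to stay identical, a one-line comment stating why `allKeys` and `deployKeys` still exist separately would help at the next rekey. The attribute set opened by `in {` continues outside the hunk.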