+5 -1

README.md

reviewed

··· 13 13 | Host | Domain | Type | Description | 14 14 |------|--------|------|-------------| 15 15 | **alastor** | `alastor.hogwarts.channel` | NixOS (x86_64) | VPS hub - tunnels, status, reverse proxy (Mad-Eye Moody) | 16 16 - | **remus** | `remus.hogwarts.channel` | Darwin (aarch64) | MacBook Pro M4 - proxied via alastor over Tailscale | 16 16 + | **remus** | `remus.hogwarts.channel` | Darwin (aarch64) | MacBook Pro M4 - My daily driver | 17 17 + | **dippet** | `dippet.hogwarts.channel` | Darwin (aarch64) | Mac Mini - assorted services | 17 18 18 19 ### Domain Structure 19 20 ··· 21 22 - `*.tun.hogwarts.channel` — dynamic tunnel subdomains 22 23 - `alastor.hogwarts.channel` — alastor services (status API, etc.) 23 24 - `remus.hogwarts.channel` — reverse proxy to remus via Tailscale 25 25 + - `dippet.hogwarts.channel` — reverse proxy to dippet via Tailscale 24 26 - `knot.jaspermayone.com` — Tangled Knot git server 27 27 + - `atuin.hogwarts.dev` - Atuin server 28 28 + 25 29 26 30 ## Secrets Management (agenix) 27 31

+1

flake.nix

reviewed

··· 142 142 # Available through 'darwin-rebuild switch --flake .#hostname' 143 143 darwinConfigurations = { 144 144 remus = mkDarwin "remus" "aarch64-darwin"; 145 145 + dippet = mkDarwin "dippet" "aarch64-darwin"; 145 146 }; 146 147 147 148 # Formatters

+41

hosts/dippet/default.nix

reviewed

··· 1 1 + # Dippet - Mac Mini 2 2 + { config, pkgs, lib, inputs, hostname, ... }: 3 3 + 4 4 + { 5 5 + # Host-specific overrides go here 6 6 + # Most configuration is inherited from darwin/default.nix and home/default.nix 7 7 + 8 8 + # Agenix identity path (use user SSH key on macOS) 9 9 + age.identityPaths = [ "/Users/jsp/.ssh/id_ed25519" ]; 10 10 + 11 11 + # Agenix secrets for bore client 12 12 + age.secrets.bore-token = { 13 13 + file = ../../secrets/bore-token.age; 14 14 + path = "/Users/jsp/.config/bore/token"; 15 15 + owner = "jsp"; 16 16 + mode = "400"; 17 17 + }; 18 18 + 19 19 + # Atuin encryption key for auto-login 20 20 + age.secrets.atuin-key = { 21 21 + file = ../../secrets/atuin-key.age; 22 22 + path = "/Users/jsp/.local/share/atuin/key"; 23 23 + owner = "jsp"; 24 24 + mode = "400"; 25 25 + }; 26 26 + 27 27 + # Dippet-specific homebrew casks 28 28 + homebrew.casks = [ 29 29 + # Add Mac apps specific to this machine 30 30 + # "raycast" 31 31 + # "arc" 32 32 + # "1password" 33 33 + ]; 34 34 + 35 35 + # Any dippet-specific system defaults 36 36 + # system.defaults = { }; 37 37 + 38 38 + # Set the hostname 39 39 + networking.hostName = "dippet"; 40 40 + networking.computerName = "Dippet"; 41 41 + }

secrets/atuin-key.age

reviewed

This is a binary file and will not be displayed.

+9 -6

secrets/bore-token.age

reviewed

··· 1 1 age-encryption.org/v1 2 2 - -> ssh-ed25519 1uIO/w kgtJCVfjvOBrUkiw1xsqQEBXbnc0y92rz2N0jxgMVnk 3 3 - BJvjlS+aU54yl2B8QTnZb5XDhj9tR1tIgFtAX/jnDuY 4 4 - -> ssh-ed25519 U0D80g 88LdiR3+48uJDzEWmhpvnZs3fdC6YSjapqxFJBTYkww 5 5 - MtBF/Dsyv0Er8hs/J+WHZR8/ZMTrHoiU2jlQnkOpdQk 6 6 - --- PZaQT1UqSej74ow859pJUqFbniWBgHHD8Z9T9X8IJ+0 7 7 - \���I�6�Ӽ3k���J�S^%ߖ�3 sp�]YD��;B]��d��_�j]��s_��p�k����$�|73�^�W������1��g<���d]z>�� 2 2 + -> ssh-ed25519 1uIO/w robefc1N1+VHZvvyR36eiihBIq1GPOiqYWforSIMxnM 3 3 + 9wczFTt/k8yv6RdCY51NUs0zX7HGJ5cWynXOqfPFHmQ 4 4 + -> ssh-ed25519 U0D80g Cn/CX4UkzG1OmSHmW+/XKTWXBCwFP2lbnOJbMHblmG4 5 5 + V/1GvkA6Yeqhnve8coBw0omvt+BqbcxEhSJ8l9tJpOY 6 6 + -> ssh-ed25519 JCO7mw 3g6EGMUfARiDbK0ppveQQef75qlb8YM8+SwhzfVz+yM 7 7 + xZn+Xi3J+laSvBDw6MzwDkV9vbHb7/E4GNbRWwyCCS4 8 8 + --- p30hkUogl4tIXXnazItlWhIf53CH9PkdgmIzZILXYLI 9 9 + ��Ԉ����� ����>���$��t��lp`~<� 10 10 + �
��o8G�g��M���[BB{��M�5�Z���� >��� � B�����ȝƤ�J=���

secrets/cloudflare-credentials.age

reviewed

This is a binary file and will not be displayed.

secrets/espanso-secrets.age

reviewed

This is a binary file and will not be displayed.

secrets/frps-token.age

reviewed

This is a binary file and will not be displayed.

secrets/github-token.age

reviewed

This is a binary file and will not be displayed.

secrets/knot-secret.age

reviewed

This is a binary file and will not be displayed.

secrets/npmrc.age

reviewed

This is a binary file and will not be displayed.

+7 -6

secrets/pds-mailer.age

reviewed

··· 1 1 age-encryption.org/v1 2 2 - -> ssh-ed25519 1uIO/w W6WA04cNzsL4xnE1dtNW/WgH8M2LiVqQVCV/qOAV9lQ 3 3 - FnvaOrLr5tkMyNTDozrCg3TlABl8Zenmf3+hs+Y/WTc 4 4 - -> ssh-ed25519 U0D80g 7R/smpectFFeze5znBxZ+lbIKny5uOhFX3a6onONLi8 5 5 - zY5bqAAnveLXnQY+K38BBy3qj+757v8KF/OkKFr++uQ 6 6 - --- gHM7VeNcBE0xHBvM85WuxPhN/PxYnM1LK3lIF9zX4CQ 7 7 - GD�����f���F������x�7�/{ID[Q���������S�fhw��6
Va��yf6J��+�eH�5R�7�I������D�������.3��{�ED�� �VIO��-����;�G�����հ�����\j�d(KM��YP3�e�����8���V���������O=���9�� 2 2 + -> ssh-ed25519 1uIO/w leQR9XuPdmyd3lyi3tCNQa1htHgZm5LESgi1rERdCQ4 3 3 + EPG8GEUcviIiV33XnXOkabpynTEfzMWrbGrn9UX3fSw 4 4 + -> ssh-ed25519 U0D80g 9X4qr7KI2XCBMObbP+KhI4Z2SQGymRNGM0wXSzsqHFY 5 5 + l4i7lPedKIpy5YgK6Vj3wfVXD9wW8ppByGLa3t7FHpQ 6 6 + --- mYIJVe7I1tSJhSsCnJfFuAmzc4dQsQT/zbyaB55d+C4 7 7 + �Հn�v�[Ck��Ab�A�;��
���X7F[Y������­O��&���o]%�c��˶��ыc����;�ޜ���G�JI��9�<I�*r89�[l_�Jʐ@}6�@w1��{���O�Lw�v\Ҡ 8 8 + ����{�Cge��'wѱ-yj9��(�?1�5(�?@��

secrets/pds.age

reviewed

This is a binary file and will not be displayed.

+4 -3

secrets/secrets.nix

reviewed

··· 4 4 # Run `agenix -e <secret>.age` to create/edit secrets. 5 5 6 6 let 7 7 - # User SSH public keys (from ~/.ssh/id_ed25519.pub or similar) 7 7 + # User SSH public keys 8 8 jsp = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHm7lo7umraewipgQu1Pifmoo/V8jYGDHjBTmt+7SOCe jsp@remus"; 9 9 10 10 - # Host SSH public keys (converted to age format with ssh-to-age) 10 10 + # Host SSH public keys 11 11 alastor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFwkC1CiWpLB10NNVaJwu4LSyiL0wM7ExI1VoKqIsgeG root@alastor-vnic"; 12 12 + dippet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqi0ZRAHUqBL4zolSeVTgp1oZ6HKD+Hq5AktpLolely jsp@Dippet"; 12 13 13 14 # Groups for convenience 14 15 allUsers = [ jsp ]; 15 15 - allHosts = [ alastor ]; 16 16 + allHosts = [ alastor dippet ]; 16 17 all = allUsers ++ allHosts; 17 18 in 18 19 {

+4 -4

secrets/wakatime-api-key.age

reviewed

··· 1 1 age-encryption.org/v1 2 2 - -> ssh-ed25519 1uIO/w m52++A58clBVm2dzmE7x5iKPs242NVNgfqi21mptFjY 3 3 - 9vRAQhAbIrEfuvVVx1XIrv8On7C6l+fr1e1/Rhv582g 4 4 - --- jrvlYmttUD56ylPNJRdhtmyTwBjkRK9fkqVZGQzCIwc 5 5 - �(��Nkl���x�� X&.�9F5`���r})lۑa��R_-�}RN|���V籱U��3��;;�i��� 2 2 + -> ssh-ed25519 1uIO/w iZUeedRlG09EWCCiO0PdRX2i+keEljvzDIolnjVl4kA 3 3 + Sc6gh6sVqLapo2VXuPHBIYay6XPqSC6cGoYy27qhQAE 4 4 + --- v74FfYNRtscxqXUuotHe01/5vhFxcON2cNbhRr7WeFA 5 5 + �저��6b�>�&u#�e"�>��L�{!)����.f��>z�ZJeJ#"s̔�?�C�2�a�v/�Ho��5�|

+9 -6

secrets/wifi-passwords.age

reviewed

··· 1 1 age-encryption.org/v1 2 2 - -> ssh-ed25519 1uIO/w DrzrAcy9kciPmXwb4TuGdXFhPSxJY+L4D3ubFfWN4h8 3 3 - +BhseJljsJ/2dWS5+R7HddsmYEWcn2V/6ZhuizBNVtY 4 4 - -> ssh-ed25519 U0D80g g5fqwm5oanWL0uGP3CzSFhN7UQo+vg7vQU0xJaVeMAQ 5 5 - Qfr4fjTn2tXjTgQ3+XNJBByGBPoKyLQDXxjWjamvgZM 6 6 - --- R7lujDVqbMClYfaFD3wIz5PCpOiP0tmLnact+pKt/zk 7 7 - i{�qS�ܺ�NU�:���^����ҕ�<��m�( �pK�s�D9�̦L��x
��3�K�:����^Z�y��ŵ���Z��G 2 2 + -> ssh-ed25519 1uIO/w nZ4twDTrNS0YVQh1Yw0RJJ8SvMLSFJBwS88Ep6c3ZWU 3 3 + XaefKqmy0pPGCeBzK3taRvHwaEkYdiNnRZYlMoYZTxM 4 4 + -> ssh-ed25519 U0D80g umOVAsLyF6USY1c/GV+xVhfhx49lXAcQOXeaJZbhdHc 5 5 + hMJ6fUty/7XwM6j3ZfIrCKKd+2AwikFV/+5S8MTr8Cw 6 6 + -> ssh-ed25519 JCO7mw yfxhlI4Sp0P/+Z1i57TTiD6oYPDAfDobHTWJjv3kABo 7 7 + D3BMf65LqJoAfUQb1jF+5DrxoMk9k2rZjxwe4Df0vyg 8 8 + --- Cf67Jud5fqx4JfgCwiIx8W7GJgEBCg8DRvK1hAlMxKo 9 9 + y���*�>k~�4�-�l8����: 10 10 + �_\��|���r�܄'��"�ԥ��&��]���2���l�����g�P'S;׈Γ-4��