My dotfiles for my nixos machines and infra

man ive been not commiting for quite some time jolly goshy

MrSnowy 78ae23f9 2e1ce9f0

+1560 -377
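--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use nix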
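--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
+.direnv/
+
 result/
 result
 iso
@@ -5,3 +7,4 @@
 # For nixos-vms
 *.qcow2
 *.fd
+modules/private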
+22 -5
default.nix
··· 1 1 let 2 - pins = import ./npins; 2 + pins = import ./modules/npins; 3 3 4 - nlib = import ./lib { 4 + nlib = import ./modules/lib { 5 5 inherit pins; 6 6 lib = import "${pins.nixpkgs-stable}/lib"; 7 7 }; ··· 17 17 config.allowUnfree = true; 18 18 }; 19 19 }; 20 + 21 + temp_pkgs = import pins.nixpkgs-stable { }; 20 22 in 21 23 22 24 { 23 25 hosts = { 24 26 25 27 desktop = nlib.nixosHost rec { 26 - nixpkgs = pins.nixpkgs-unstable; 28 + 29 + nixpkgs = temp_pkgs.applyPatches { 30 + name = "nixpkgs_pathced"; 31 + src = pins.nixpkgs-unstable; 32 + patches = [ 33 + (temp_pkgs.fetchpatch2 { 34 + url = "https://github.com/NixOS/nixpkgs/pull/497870.patch"; 35 + sha256 = "sha256-JF1mojt455HJU2TlNAOAK48jVJgsxybySixn1cI1Xg0="; 36 + }) 37 + ]; 38 + }; 39 + 27 40 system = "x86_64-linux"; 28 41 29 42 specialArgs = { 30 43 inherit repos; 31 44 args = { 32 - # inherit pins; 45 + inherit pins; 33 46 inherit nixpkgs; 34 47 flakes = nlib.gen_flakes [ 35 48 "hjem" 36 49 "hjem-rum" 37 50 "zen-browser" 51 + "helium" 38 52 "nix-gaming-edge" 53 + "sops-nix" 39 54 ]; 40 55 }; 41 56 }; ··· 54 69 args = { 55 70 # inherit pins; 56 71 inherit nixpkgs; 57 - # flakes = nlib.gen_flakes []; 72 + flakes = nlib.gen_flakes [ 73 + "sops-nix" 74 + ]; 58 75 }; 59 76 }; 60 77
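Review bot: The patch applied to the desktop's nixpkgs is fetched from a pull-request URL (`https://github.com/NixOS/nixpkgs/pull/497870.patch`), and the content behind such a URL changes whenever the PR branch is updated or rebased. The `sha256` keeps a changed patch from being applied silently, but the build then fails on the hash, and every refresh means re-reading what the PR now contains before it goes into the system closure. Pointing `url` at the patch of one specific commit (placeholder: `https://github.com/NixOS/nixpkgs/commit/<COMMIT_SHA>.patch`) makes the input immutable. The derivation name `"nixpkgs_pathced"` also looks like a typo for `nixpkgs_patched`.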
+21 -10
hosts/desktop/default.nix
··· 12 12 ./system/networking.nix # Network config 13 13 ./system/services.nix 14 14 ./hjem-rum/snowy.nix # :3 15 - ../private/desktop.nix 15 + ../../modules/private/desktop.nix 16 16 17 17 # /mnt/SnowData/snowy/Documents/repos/nixpkgs/nixos/modules/services/networking/tetrd.nix 18 18 19 19 args.flakes.hjem.nixosModules.default 20 20 args.flakes.nix-gaming-edge.nixosModules.default 21 + # (import "${args.pins.lix-nixos-module}/module.nix" ({ 22 + # lix = args.pins.lix; 23 + # # versionSuffix = "pre${builtins.substring 0 8 args.pins.lix.lastModifiedDate}-${ 24 + # # args.pins.lix.shortRev or args.pins.lix.dirtyShortRev 25 + # # }"; 26 + # })) 27 + 28 + # (import "${args.pins.lix-nixos-module}/module.nix" { lix = args.pins.lix; }) 29 + # 30 + ../../modules/sops/snowflake.nix 31 + ../../modules/snownet 21 32 ]; 22 33 23 34 nixpkgs = { ··· 41 52 pkgs.proton-cachyos 42 53 ]; 43 54 44 - drivers.mesa-git = { 45 - enable = false; 46 - enableCache = false; 47 - cacheCleanup = { 48 - # protonPackage is null by default - thus Proton caches are not cleaned by default. Must define a protonPackage to clear Proton / engine caches 49 - enable = true; 50 - protonPackage = pkgs.proton-cachyos; # or variation 51 - }; 52 - }; 55 + # drivers.mesa-git = { 56 + # enable = true; 57 + # enableCache = false; 58 + # cacheCleanup = { 59 + # # protonPackage is null by default - thus Proton caches are not cleaned by default. Must define a protonPackage to clear Proton / engine caches 60 + # enable = true; 61 + # protonPackage = pkgs.proton-cachyos; # or variation 62 + # }; 63 + # }; 53 64 54 65 hjem = { 55 66 clobberByDefault = true;
+14 -4
hosts/desktop/hjem-rum/snowy.nix
··· 8 8 9 9 { 10 10 users.users.snowy.packages = with pkgs; [ 11 + fluxer-desktop 12 + 11 13 # factorio 12 14 # factorio-space-age 13 15 args.flakes.zen-browser.packages."${stdenv.hostPlatform.system}".twilight 16 + args.flakes.helium.packages.x86_64-linux.default 14 17 zed-editor 15 18 vscode 16 19 helix 20 + gh 21 + nix-output-monitor 22 + glow 23 + delta 24 + nixpkgs-review 17 25 18 26 ctop 19 27 waypipe ··· 41 49 # d-spyd 42 50 # bustle 43 51 52 + vesktop 53 + 44 54 rustup 45 55 gcc 46 56 just ··· 54 64 papers 55 65 loupe 56 66 gnome-clocks 57 - helvum 58 - krita 67 + # helvum # deprecated 68 + crosspipe 69 + # krita 59 70 # orca-slicer 60 71 protonplus 61 72 protontricks ··· 66 77 heroic 67 78 # hydralauncher 68 79 69 - wineWowPackages.staging 80 + wineWow64Packages.stagingFull 70 81 easyeffects 71 82 72 83 monocraft ··· 147 158 }; 148 159 }; 149 160 }; 150 - 151 161 }; 152 162 }; 153 163 }
+7 -7
hosts/desktop/system/configuration.nix
··· 27 27 nixPath = [ "nixpkgs=${args.nixpkgs}" ]; 28 28 registry.nixpkgs.to = { 29 29 type = "path"; 30 - path = args.nixpkgs; 30 + path = args.pins.nixpkgs-unstable.outPath; 31 + # narHash = args.pins.nixpkgs-unstable.narHash; 31 32 }; 32 33 33 - package = pkgs.lix; 34 + package = repos.unstable.lixPackageSets.git.lix; 34 35 channel.enable = false; 35 36 settings = { 36 37 experimental-features = [ ··· 54 55 55 56 gc = { 56 57 automatic = true; 57 - dates = "daily"; 58 + dates = "weekly"; 58 59 persistent = true; 59 60 options = "--delete-older-than 3d"; 60 61 }; ··· 74 75 supportedFilesystems = [ "ntfs" ]; 75 76 # kernelPackages = pkgs.linuxPackages_cachyos-rc; 76 77 # kernelPackages = pkgs.linuxPackages_cachyos; 77 - kernelPackages = pkgs.linuxPackages_lqx; 78 + # kernelPackages = pkgs.linuxPackages_lqx; 79 + kernelPackages = pkgs.linuxPackages_zen; 78 80 79 81 kernelParams = [ 80 82 "amdgpu.noretry=0" ··· 275 277 NetworkManager-wait-online.enable = false; 276 278 # firewall.enable = false; 277 279 }; 278 - 279 - 280 280 281 281 xdg = { 282 282 portal = { ··· 511 511 prismlauncher 512 512 signal-desktop 513 513 qbittorrent 514 - wireshark-qt 514 + wireshark 515 515 scrcpy 516 516 glogg 517 517
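--- a/hosts/desktop/system/networking.nix
+++ b/hosts/desktop/system/networking.nix
@@ -20,12 +20,13 @@
 # };
 
 networking = {
-hostName = "Snowflake";
+hostName = "snowflake";
 # wireless.enable = true;
 networkmanager.enable = false;
+useNetworkd = true;
 # networkmanager.wifi.backend = "iwd";
 # wireless.iwd.enable = true;
-useDHCP = true;
+# useDHCP = true;
 
 # dhcpcd = {
 # enable = true;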
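--- a/hosts/desktop/system/services.nix
+++ b/hosts/desktop/system/services.nix
@@ -1,6 +1,8 @@
 { pkgs, ... }:
 {
 services = {
+timesyncd.enable = true;
+
 pipewire = {
 enable = true;
 alsa.enable = true;
@@ -81,7 +83,7 @@
 desktopManager.gnome.enable = true;
 
 # Enable the COSMIC desktop environment
-desktopManager.cosmic.enable = true;
+desktopManager.cosmic.enable = false;
 
 sunshine = {
 enable = true;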
+23
hosts/homelab/default.nix
··· 11 11 "${args.nixpkgs}/nixos/modules/profiles/minimal.nix" # Disables some options by default for a minimal installation: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/minimal.nix 12 12 ./system/configuration.nix 13 13 ./ports.nix 14 + ../../modules/sops/homelab.nix 15 + ../../modules/snownet 16 + ./services 14 17 ]; 15 18 16 19 nixpkgs = { ··· 25 28 (final: prev: { 26 29 }) 27 30 ]; 31 + }; 32 + 33 + virtualisation.vmVariant.virtualisation = { 34 + memorySize = 4096; 35 + cores = 4; 36 + forwardPorts = [ 37 + { 38 + from = "host"; 39 + proto = "tcp"; 40 + host = { 41 + port = 2222; 42 + }; 43 + guest = { 44 + port = 22; 45 + }; 46 + } 47 + ]; 48 + qemu.guestAgent.enable = true; 49 + useEFIBoot = false; 50 + diskSize = 15360; 28 51 }; 29 52 }
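--- a/hosts/homelab/ports.nix
+++ b/hosts/homelab/ports.nix
@@ -6,6 +6,13 @@
 type = lib.types.attrsOf lib.types.anything;
 default = {
 home_assistant = 3000;
+
+garage = {
+s3_api = 3014;
+web_api = 3015;
+admin = 3016;
+rpc = 3901;
+};
 };
 };
 }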
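--- a/hosts/homelab/services/default.nix
+++ b/hosts/homelab/services/default.nix
@@ -0,0 +1,6 @@
+{
+imports = [
+./garage.nix
+./samba.nix
+];
+}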
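--- a/hosts/homelab/services/garage.nix
+++ b/hosts/homelab/services/garage.nix
@@ -0,0 +1,58 @@
+{
+config,
+pkgs,
+...
+}:
+{
+# todo! garage-webui :3
+services.garage = {
+enable = true;
+package = pkgs.garage_2;
+settings = {
+db_engine = "sqlite";
+compression_level = 18;
+replication_factor = 2;
+consistency_mode = "degraded";
+metadata_fsync = false;
+data_fsync = false;
+allow_world_readable_secrets = true;
+
+metadata_dir = "/mnt/silo/garage/meta";
+data_dir = "/mnt/silo/garage/data";
+
+rpc_bind_addr = "[::]:${toString config.ports.garage.rpc}";
+rpc_public_addr = "${config.snownet.currentHost.ipv6}:${toString config.ports.garage.rpc}";
+rpc_secret_file = config.sops.secrets."garage/rpc_secret".path;
+# rpc_public_addr_subnet = "fdd8:e380:437e::/112";
+
+bootstrap_peers = [ ];
+
+s3_api = {
+api_bind_addr = "[::]:${toString config.ports.garage.s3_api}";
+s3_region = "Europe-1";
+root_domain = "s3.mrsnowy.dev";
+};
+
+s3_web = {
+bind_addr = "[::]:${toString config.ports.garage.web_api}";
+index = "index.html";
+root_domain = "garage.mrsnowy.dev";
+};
+
+admin = {
+api_bind_addr = "[::]:${toString config.ports.garage.admin}";
+admin_token_file = config.sops.secrets."garage/admin_token".path;
+metrics_token_file = config.sops.secrets."garage/metrics_token".path;
+metrics_require_token = true;
+};
+
+# k2v_api = {
+# api_bind_addr = "[::]:3904";
+# };
+};
+};
+
+# systemd.services.garage.serviceConfig = {
+# # Dynamicuser = false;
+# };
+}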
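Review bot: `allow_world_readable_secrets = true` turns off Garage's permission check on the files behind `rpc_secret_file`, `admin_token_file` and `metrics_token_file`, while the RPC, S3 and admin listeners are all bound to `[::]`. Unless the firewall (not visible in this file) restricts `config.ports.garage.admin`, the admin API is reachable on every interface; binding it to the snownet address, `api_bind_addr = "[${config.snownet.currentHost.ipv6}]:${toString config.ports.garage.admin}";`, narrows that. Separately, `rpc_public_addr` joins the bare IPv6 address and the port without brackets, so with `ipv6 = "${ipv6_sub}::${value.id}"` from modules/snownet it yields something like `fdd8:e380:437e::2:3901`; it should read `"[${config.snownet.currentHost.ipv6}]:${toString config.ports.garage.rpc}"`, and the same line is added in hosts/server/services/garage.nix. `metadata_fsync = false` and `data_fsync = false` trade durability for speed and deserve a comment saying that is intended.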
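--- a/hosts/homelab/services/samba.nix
+++ b/hosts/homelab/services/samba.nix
@@ -0,0 +1,56 @@
+{
+config,
+# pkgs,
+...
+}:
+{
+# for Web Services Dynamic Discovery host daemon.
+services.samba-wsdd = {
+enable = true;
+openFirewall = true;
+};
+
+# samba
+services.samba = {
+enable = true;
+openFirewall = true;
+settings = {
+global = {
+security = "user";
+};
+# public = { };
+private = {
+"path" = "/mnt/silo/samba/private";
+"browsable" = "yes";
+"comment" = "Private share";
+"read only" = "no";
+"guest ok" = "no";
+"valid users" = "samba_user";
+};
+};
+};
+
+users = {
+groups.samba_user = { };
+users.samba_user = {
+description = "samba user for the private samba share";
+group = "samba_user";
+isSystemUser = true;
+};
+};
+
+system.activationScripts = {
+# The "init_smbpasswd" script name is arbitrary, but a useful label for tracking
+# failed scripts in the build output. An absolute path to smbpasswd is necessary
+# as it is not in $PATH in the activation script's environment. The password
+# is repeated twice with newline characters as smbpasswd requires a password
+# confirmation even in non-interactive mode where input is piped in through stdin.
+init_samba_user_smbpasswd.text = ''
+/run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${
+config.sops.secrets."samba/samba_user".path
+})\n$(/run/current-system/sw/bin/cat ${
+config.sops.secrets."samba/samba_user".path
+})\n" | /run/current-system/sw/bin/smbpasswd -sa samba_user
+'';
+};
+}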
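Review bot: The activation script hands the Samba password to an external `printf` binary as its format string, so the secret shows up in that process's argument list and any `%` or backslash in it is interpreted instead of printed. Bash's builtin needs no $PATH and keeps the value out of argv: `pw=$(< ${config.sops.secrets."samba/samba_user".path}); printf '%s\n%s\n' "$pw" "$pw" | /run/current-system/sw/bin/smbpasswd -sa samba_user`. The script also declares no ordering against the step that decrypts the sops secrets, so on a first activation the file may not exist yet (to be confirmed against the sops-nix module; a `deps` entry on its activation script would make the order explicit). Both `services.samba` and `services.samba-wsdd` set `openFirewall = true`, which opens the share on every interface rather than only the LAN or snownet.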
+32 -30
hosts/homelab/system/configuration.nix
··· 18 18 ./services.nix 19 19 ]; 20 20 21 - virtualisation.vmVariant.virtualisation = { 22 - memorySize = 4096; 23 - cores = 4; 24 - forwardPorts = [ 25 - { 26 - from = "host"; 27 - proto = "tcp"; 28 - host = { 29 - port = 2222; 30 - }; 31 - guest = { 32 - port = 22; 33 - }; 34 - } 35 - ]; 36 - qemu.guestAgent.enable = true; 37 - useEFIBoot = false; 38 - diskSize = 15360; 39 - }; 40 - 41 21 # Enable zram (compressed ram) 42 22 zramSwap = { 43 23 enable = true; ··· 80 60 81 61 boot = { 82 62 enableContainers = true; 83 - kernelModules = [ ]; 63 + kernelModules = [ 64 + "wireguard" 65 + 66 + # docker 67 + "xt_tcp" 68 + "overlay2" 69 + ]; 84 70 85 71 supportedFilesystems = [ 86 72 "zfs" ··· 105 91 }; 106 92 }; 107 93 108 - # zfs = { 109 - # enabled = true; 110 - # }; 94 + zfs = { 95 + extraPools = [ "silo" ]; 96 + }; 111 97 112 98 blacklistedKernelModules = [ 113 99 # Obscure network protocols ··· 143 129 time.timeZone = "Europe/Berlin"; # Set your time zone. 144 130 i18n.defaultLocale = "en_US.UTF-8"; # Select internationalisation properties. 
145 131 132 + # man pages good 133 + documentation = { 134 + enable = true; 135 + man.enable = true; 136 + }; 137 + 146 138 environment = { 147 139 defaultPackages = [ ]; # Disable any default installed packages 148 140 149 141 systemPackages = with pkgs; [ 142 + waypipe 143 + 150 144 fastfetch 151 - wget 152 145 btop 153 146 dysk 147 + gdu 154 148 git 155 149 helix 150 + tree 151 + eza 152 + erdtree 153 + zellij 154 + 155 + smartmontools 156 156 ]; 157 157 }; 158 158 159 159 fonts = { 160 160 fontconfig.enable = false; 161 161 162 - packages = with pkgs; [ 163 - monocraft 164 - ]; 162 + # packages = with pkgs; [ 163 + # monocraft 164 + # ]; 165 165 }; 166 166 167 167 system = { ··· 185 185 }; 186 186 187 187 security = { 188 - lockKernelModules = true; 189 - protectKernelImage = true; 188 + lockKernelModules = false; 189 + protectKernelImage = false; 190 190 191 191 # use sudo-rs instead of sudo 192 192 sudo.enable = false; ··· 209 209 shell = pkgs.fish; 210 210 openssh.authorizedKeys.keys = [ 211 211 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL2za6psnuIMZ6FrdUehhyQlqYvy05+wv8dKER+Lctna snowy@Snowflake" 212 + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPNLNK5h3nZ2UQO8ElWTA7E0j1iC8FlJFDudo6QgfWC u0_a231@localhost" 212 213 ]; 213 214 }; 214 215 ··· 216 217 shell = pkgs.fish; 217 218 openssh.authorizedKeys.keys = [ 218 219 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL2za6psnuIMZ6FrdUehhyQlqYvy05+wv8dKER+Lctna snowy@Snowflake" 220 + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPNLNK5h3nZ2UQO8ElWTA7E0j1iC8FlJFDudo6QgfWC u0_a231@localhost" 219 221 ]; 220 222 }; 221 223 };
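Review bot: `security.lockKernelModules` and `security.protectKernelImage` are both switched to `false` in this file, which removes two hardening controls from the homelab host; hosts/server/system/configuration.nix in the same commit also drops `lockKernelModules` but keeps `protectKernelImage = true`. If the reason was modules failing to load after boot, listing them in `boot.kernelModules` (as this change starts to do) lets `lockKernelModules = true` stay. Note that `"overlay2"` is Docker's storage-driver name rather than a kernel module; the module is `overlay`. The change also adds a second authorized key (`u0_a231@localhost`) to two users whose names are outside the visible lines; a comment naming the device would make the key auditable and easy to revoke later.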
+11 -1
hosts/homelab/system/network.nix
··· 3 3 networking = { 4 4 hostName = "snowlab"; 5 5 hostId = "2c77257e"; 6 + useNetworkd = true; 6 7 7 8 # Some good default dns servers 8 9 nameservers = [ ··· 37 38 443 38 39 ]; 39 40 }; 41 + }; 42 + 43 + # networking.nftables.ruleset = '' 44 + # table inet filter { 45 + # chain input { 46 + # type filter hook input priority -100; policy accept; 40 47 41 - }; 48 + # tcp dport ${toString config.ports.garage.rpc} log prefix "GARAGE_RPC_DENIED: " reject 49 + # } 50 + # } 51 + # ''; 42 52 }
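--- a/hosts/server/default.nix
+++ b/hosts/server/default.nix
@@ -30,8 +30,10 @@
 ./containers
 ./services
 
-../../sops
 args.flakes.home-manager.nixosModules.home-manager
+
+../../modules/sops/vps.nix
+../../modules/snownet
 ];
 
 }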
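--- a/hosts/server/services/broadcastbox.nix
+++ b/hosts/server/services/broadcastbox.nix
@@ -0,0 +1,19 @@
+{
+config,
+...
+}:
+{
+services.broadcast-box = {
+enable = true;
+openFirewall = true;
+web.port = config.ports.broadcast_box;
+
+settings = {
+UDP_MUX_PORT = 9070;
+INCLUDE_PUBLIC_IP_IN_NAT_1_TO_1_IP = true;
+STUN_SERVERS = "stun.l.google.com";
+NETWORK_TEST_ON_START = false;
+DISABLE_STATUS = false;
+};
+};
+}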
+57 -17
hosts/server/services/caddy.nix
··· 1 1 { 2 2 config, 3 + lib, 3 4 ... 4 5 }: 5 - let 6 - hestia_ip = "10.0.100.65"; 7 - in 6 + # let 7 + # hestia_ip = "10.0.100.65"; 8 + # in 8 9 { 9 10 services.caddy = { 10 11 enable = true; 12 + logFormat = lib.mkForce "level DEBUG"; 11 13 globalConfig = '' 12 14 13 15 ''; 14 16 15 17 extraConfig = '' 16 18 mail.mrsnowy.dev, fpps4.net, www.paradijs-in-hongarije.nl, paradijs-in-hongarije.nl, smarty.nl, www.zendojaku.nl, zendojaku.nl { 17 - reverse_proxy https://${hestia_ip} { 18 - transport http { 19 + reverse_proxy https://hestia.local { 20 + header_up Host {host} 21 + 22 + transport http { 19 23 tls_insecure_skip_verify 20 24 } 21 25 } ··· 56 60 } 57 61 58 62 hestia.mrsnowy.dev { 59 - reverse_proxy https://${hestia_ip}:8083 { 63 + reverse_proxy https://hestia.local:8083 { 64 + header_up Host {host} 60 65 transport http { 61 66 tls_insecure_skip_verify 62 67 } ··· 66 71 api.fpps4.net { 67 72 encode zstd gzip 68 73 69 - reverse_proxy https://${hestia_ip} { 74 + reverse_proxy https://hestia.local { 75 + header_up Host {host} 70 76 transport http { 71 77 tls_insecure_skip_verify 72 78 } ··· 132 138 reverse_proxy :${toString config.ports.ente.embed} 133 139 } 134 140 135 - minio.ente.mrsnowy.dev { 136 - reverse_proxy :${toString config.ports.ente.minio.api} 137 - } 141 + # minio.ente.mrsnowy.dev { 142 + # reverse_proxy :${toString config.ports.ente.minio.api} 143 + # } 138 144 139 - minio-web.ente.mrsnowy.dev { 140 - reverse_proxy :${toString config.ports.ente.minio.web} 141 - } 145 + # minio-web.ente.mrsnowy.dev { 146 + # reverse_proxy :${toString config.ports.ente.minio.web} 147 + # } 142 148 143 149 headscale.mrsnowy.dev { 144 150 reverse_proxy :${toString config.ports.headscale} ··· 153 159 } 154 160 155 161 *.s3.mrsnowy.dev, s3.mrsnowy.dev { 156 - reverse_proxy :${toString config.ports.garage.s3_api} 157 - # header { 158 - # Access-Control-Allow-Origin * 159 - # } 162 + tls { 163 + ciphers TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 164 + } 165 + 166 + @h2 
protocol h1 167 + reverse_proxy :${toString config.ports.garage.s3_api} { 168 + flush_interval -1 # low-latency mode 169 + # request_body { 170 + # max_size 5GB # raise for large object uploads 171 + # } 172 + # 173 + 174 + transport http { 175 + keepalive_idle_conns_per_host 0 176 + read_buffer 1MiB 177 + write_buffer 1MiB 178 + compression off 179 + # versions 1.1 180 + } 181 + } 182 + } 183 + 184 + http://s4.mrsnowy.dev { 185 + 186 + reverse_proxy :${toString config.ports.garage.s3_api} { 187 + flush_interval -1 # low-latency mode 188 + # request_body { 189 + # max_size 5GB # raise for large object uploads 190 + # } 191 + # 192 + 193 + transport http { 194 + keepalive_idle_conns_per_host 0 195 + read_buffer 1MiB 196 + write_buffer 1MiB 197 + compression off 198 + } 199 + } 160 200 } 161 201 ''; 162 202 };
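Review bot: The new `http://s4.mrsnowy.dev` site proxies to the Garage S3 API over plain HTTP, so the signed `Authorization` header, any presigned URLs and the object contents cross the network unencrypted. If the site exists to work around a TLS or HTTP/2 problem on `s3.mrsnowy.dev`, drop the `http://` prefix so Caddy serves it with TLS, or restrict it to the internal network. In the `*.s3.mrsnowy.dev` block the matcher `@h2 protocol h1` is defined but never referenced, and `logFormat = lib.mkForce "level DEBUG"` leaves debug logging on for every site. The `tls_insecure_skip_verify` transports towards `hestia.local` are unchanged context, but now that the upstream is addressed by name they are worth replacing with verification against a pinned CA.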
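--- a/hosts/server/services/default.nix
+++ b/hosts/server/services/default.nix
@@ -5,5 +5,6 @@
 ./caddy.nix
 ./garage.nix
 ./postgres.nix
+./broadcastbox.nix
 ];
 }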
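--- a/hosts/server/services/garage.nix
+++ b/hosts/server/services/garage.nix
@@ -10,11 +10,11 @@
 package = pkgs.garage_2;
 settings = {
 db_engine = "sqlite";
-compression_level = 18;
-replication_factor = 1;
-consistency_mode = "consistent";
-metadata_fsync = true;
-data_fsync = true;
+compression_level = 0;
+replication_factor = 2;
+consistency_mode = "degraded";
+metadata_fsync = false;
+data_fsync = false;
 allow_world_readable_secrets = true;
 
 data_dir = [
@@ -24,8 +24,8 @@
 }
 ];
 
-rpc_bind_addr = "[::]:3901";
-# rpc_public_addr = "127.0.0.1:3901";
+rpc_bind_addr = "[::]:${toString config.ports.garage.rpc}";
+rpc_public_addr = "${config.snownet.currentHost.ipv6}:${toString config.ports.garage.rpc}";
 rpc_secret_file = config.sops.secrets."garage/rpc_secret".path;
 
 bootstrap_peers = [ ];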
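--- a/hosts/server/services/postgres.nix
+++ b/hosts/server/services/postgres.nix
@@ -1,11 +1,13 @@
 {
 config,
 pkgs,
+lib,
 ...
 }:
 
 {
 services = {
+
 postgresql = {
 enable = true;
 package = pkgs.postgresql_18;
@@ -32,8 +34,6 @@
 #type database user address auth-method [auth-options]
 host ente_db ente localhost scram-sha-256
 '';
-
-initialScript = config.sops.secrets.postgres_sql.path;
 };
 
 postgresqlBackup = {
@@ -47,4 +47,8 @@
 };
 };
 
+# Hijack the systemd service to add our custom script in :P
+systemd.services.postgresql-setup.script = lib.mkAfter ''
+psql -f "${config.sops.secrets.postgres_sql.path}" -d postgres
+'';
 }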
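Review bot: Appending `psql -f ...` to `postgresql-setup` changes when the secret SQL runs: `initialScript` applied it when the cluster was first initialised, whereas this line presumably runs on every start of that unit, so the SQL has to be idempotent. psql also exits 0 when statements inside the file fail, so a broken script would go unnoticed; `psql -v ON_ERROR_STOP=1 -f "${config.sops.secrets.postgres_sql.path}" -d postgres` makes the unit fail instead. It is worth confirming which user the setup unit runs as and that this user can read the sops secret.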
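--- a/hosts/server/services/random.nix
+++ b/hosts/server/services/random.nix
@@ -15,7 +15,7 @@
 authorizedKeysInHomedir = false;
 settings = {
 PasswordAuthentication = false;
-AllowTcpForwarding = false;
+AllowTcpForwarding = true;
 TCPKeepAlive = false;
 PermitRootLogin = "no";
 MaxAuthTries = 3;
@@ -76,6 +76,15 @@
 # };
 # };
 
-tailscale.enable = true;
+tailscale = {
+enable = true;
+extraSetFlags = [
+"--advertise-exit-node"
+];
+};
 };
+
+systemd.services.tailscaled.serviceConfig.Environment = [
+"TS_DEBUG_FIREWALL_MODE=nftables"
+];
 }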
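Review bot: `AllowTcpForwarding = true` re-enables port forwarding for every account that can log in over SSH, so a single leaked or low-privilege key gains a network path into `hestia-bridge` and the tailnet. If only one workflow needs forwarding, `AllowTcpForwarding = "local"` or a `Match User` block scoped to that account keeps the previous setting for everyone else. `--advertise-exit-node` additionally offers this host as an egress point for the tailnet; a comment stating that this is intended, and where the route gets approved, would help the next reader.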
+12 -1
hosts/server/system/configuration.nix
··· 56 56 57 57 # Use grub so it works on both EFI and BOOT 58 58 boot = { 59 + # prevent system waiting on networking 60 + initrd.systemd.network.wait-online.enable = false; 61 + 59 62 enableContainers = true; 60 63 # kernelPackages = pkgs.linuxKernel.packages.linux_hardened; 61 64 kernelModules = [ 65 + "wireguard" 62 66 # "overlay2" 63 67 ]; 64 68 ··· 154 158 # wget 155 159 btop 156 160 dysk 161 + zellij 162 + gdu 157 163 ]; 158 164 }; 159 165 ··· 182 188 }; 183 189 184 190 security = { 185 - lockKernelModules = true; 191 + lockKernelModules = false; 186 192 protectKernelImage = true; 187 193 188 194 # auditd = { ··· 223 229 224 230 virtualisation = { 225 231 docker = { 232 + storageDriver = "overlay2"; 233 + autoPrune.enable = true; 226 234 rootless = { 227 235 enable = true; 228 236 setSocketVariable = true; ··· 280 288 }; 281 289 282 290 systemd = { 291 + # Dont make the system wait on networking... 292 + network.wait-online.enable = false; 293 + 283 294 # Make docker only run for the "snow" user. 284 295 user.services.docker.unitConfig.ConditionUser = lib.mkForce "snow"; 285 296 };
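--- a/hosts/server/system/hardware-configuration.nix
+++ b/hosts/server/system/hardware-configuration.nix
@@ -4,7 +4,6 @@
 {
 config,
 lib,
-pkgs,
 modulesPath,
 ...
 }: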
+103 -11
hosts/server/system/network.nix
··· 1 - { ... }: 1 + { config, ... }: 2 2 { 3 3 networking = { 4 4 hostName = "snow-den"; 5 5 domain = "mrsnowy.dev"; 6 + useNetworkd = true; 7 + 8 + hosts = { 9 + "10.0.100.65" = [ "hestia.local" ]; 10 + }; 6 11 7 12 nameservers = [ 8 13 # Mullvad ··· 34 39 }; 35 40 }; 36 41 42 + # wireguard = { 43 + # enable = true; 44 + # interfaces = { 45 + # # network interface name. 46 + # # You can name the interface arbitrarily. 47 + # snownet0 = { 48 + # # meow 49 + # # fdd8:e380:437e::/48 50 + # ips = [ 51 + # "fdd8:e380:437e::1/128" 52 + # "100.0.10.1/32" 53 + # ]; 54 + 55 + # listenPort = 51820; 56 + 57 + # privateKeyFile = config.sops.secrets."wireguard/key".path; 58 + 59 + # peers = [ 60 + # { 61 + # name = "snowlab"; 62 + # # publicKey = "ejmbag/fcc9OLp8K62zfV0NCbp056DnA0qpNixLXwCo="; 63 + # publicKey = "otQG6qBjzt/yjqdLtiCM0M5P8eljpywmGe95bEajNjY"; 64 + # presharedKeyFile = config.sops.secrets."wireguard/snowlab_pre".path; 65 + # allowedIPs = [ 66 + # "fdd8:e380:437e::2/128" 67 + # "100.0.10.2/32" 68 + # ]; 69 + # # endpoint = "192.168.1.56:51820"; 70 + # # ToDo: route to endpoint not automatically configured 71 + # # https://wiki.archlinux.org/index.php/WireGuard#Loop_routing 72 + # # https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 73 + # # Send keepalives every 25 seconds. Important to keep NAT tables alive. 74 + # persistentKeepalive = 25; 75 + # } 76 + # ]; 77 + # }; 78 + # }; 79 + # }; 80 + # it’s not imperative but it does not know how to do it : 81 + # sudo ip route add 11.111.11.111 via 192.168.1.11 dev wlo1 82 + # the ip adresse 11: external and 192: local. 
83 + 37 84 # interfaces = { 38 85 # ens18 = { 39 86 # ipv4 = { ··· 49 96 50 97 firewall = { 51 98 enable = true; 99 + checkReversePath = "loose"; 52 100 trustedInterfaces = [ 53 101 "hestia-bridge" 102 + "tailscale0" 54 103 ]; 55 104 56 105 # extraCommands = '' ··· 66 115 22 67 116 335 68 117 665 118 + 119 + config.ports.garage.s3_api 69 120 70 121 # LXD 71 122 8443 ··· 95 146 7777 96 147 8888 97 148 149 + # meow 150 + 9999 151 + 98 152 # VALHEIM 99 153 2456 100 154 2457 ··· 113 167 80 114 168 443 115 169 170 + # wireguard 171 + 51820 172 + 51826 173 + 174 + # tailscale 175 + config.services.tailscale.port 176 + 116 177 # mumble 117 178 64738 118 179 ··· 130 191 27015 131 192 27016 132 193 194 + 25565 195 + 25564 196 + 133 197 # mc 134 198 41448 135 199 8100 136 200 ]; 137 201 }; 138 202 203 + nftables = { 204 + ruleset = '' 205 + table ip nat { 206 + chain PREROUTING { 207 + type nat hook prerouting priority dstnat; policy accept; 208 + iifname "ens3" udp dport 9999 dnat to 100.126.229.18:7777 209 + # iifname "ens3" tcp dport 27765 dnat to 10.0.20.2:25565 210 + } 211 + 212 + chain OUTPUT { 213 + type nat hook output priority dstnat; policy accept; 214 + udp dport 9999 dnat to 100.126.229.18:7777 215 + # tcp dport 27765 dnat to 10.0.20.2:25565 216 + } 217 + 218 + chain POSTROUTING { 219 + type nat hook postrouting priority srcnat; policy accept; 220 + oifname "tailscale0" masquerade 221 + # oifname "rawrsnet0" masquerade 222 + } 223 + } 224 + ''; 225 + }; 226 + 139 227 nat = { 140 228 enable = true; 141 229 # internalInterfaces = [ "hestia-bridge" ]; 142 230 externalInterface = "ens3"; 231 + internalInterfaces = [ 232 + "tailscale0" 233 + "hestia-bridge" 234 + ]; 143 235 # externalInterface = "wg0"; 144 236 forwardPorts = [ 145 237 # SSH ··· 150 242 } 151 243 152 244 # meow ;3 153 - { 154 - sourcePort = 7777; 155 - proto = "tcp"; 156 - destination = "100.126.229.18:7777"; 157 - } 158 - { 159 - sourcePort = 7777; 160 - proto = "udp"; 161 - destination = 
"100.126.229.18:7777"; 162 - } 245 + # { 246 + # sourcePort = 9999; 247 + # proto = "tcp"; 248 + # destination = "100.126.229.18:7777"; 249 + # } 250 + # { 251 + # sourcePort = 9999; 252 + # proto = "udp"; 253 + # destination = "100.126.229.18:7777"; 254 + # } 163 255 164 256 # IMAP 165 257 {
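Review bot: The firewall port list gains `config.ports.garage.s3_api`, which exposes Garage's S3 listener directly and without TLS although Caddy already fronts it on `s3.mrsnowy.dev`; unless peers must reach it directly, leave it closed or allow it only on the snownet interface. The option name of that list is outside the visible lines, so this assumes it is the TCP allow-list. `checkReversePath = "loose"` together with `tailscale0` in `trustedInterfaces` means every tailnet peer bypasses the port filter, which deserves a comment now that the host advertises itself as an exit node. The new `table ip nat` ruleset sets DNAT rules by hand next to `networking.nat`; whether `networking.nftables.enable` is set is not visible here, and without it the ruleset is presumably not loaded.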
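--- a/hosts/server/system/ports.nix
+++ b/hosts/server/system/ports.nix
@@ -30,6 +30,7 @@
 s3_api = 3014;
 web_api = 3015;
 admin = 3016;
+rpc = 3901;
 };
 
 syncthing = 3020;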
+30 -2
justfile
··· 1 + # deploy target: 2 + # nh os switch --file ./default.nix hosts.{{ target }} --target-host {{ target }} --build-host {{ target }} 3 + 4 + set shell := ["bash", "-c"] 5 + 1 6 deploy target: 2 - nh os switch --file ./default.nix hosts.{{ target }} --target-host {{ target }} --build-host {{ target }} 7 + nixos-rebuild switch --file ./default.nix -A hosts.{{ target }} --target-host {{ target }} --build-host {{ target }} --sudo |& nom 8 + # preview {{ target }} 9 + 10 + # nixos-rebuild switch --store-path xxx --target-host {{ target }} --build-host {{ target }} --sudo &| nom 11 + 12 + preview target: 13 + #!/usr/bin/env bash 14 + nixos-rebuild build --file ./default.nix -A hosts.{{ target }} --target-host {{ target }} --build-host {{ target }} --no-flake | tee /tmp/build |& nom 15 + export build=$(cat /tmp/build) 16 + ssh {{ target }} "nix run nixpkgs#dix -- --color always /run/current-system $build" 17 + 18 + read -p "Continue deploying? (y/n)\n" ans 19 + if [[ "$ans" = "y" ]]; then 20 + # ssh {{ target }} "nixos-rebuild switch --store-path $build --sudo" 21 + nixos-rebuild switch --target-host {{ target }} --build-host {{ target }} --sudo 22 + fi 3 23 4 24 deploy-homelab: 5 - nh os switch --file ./default.nix hosts.home-server --target-host root@snowlab.local --build-host root@snowlab.local 25 + nixos-rebuild switch --file ./default.nix -A hosts.home-server --target-host root@snowlab.local --build-host root@snowlab.local |& nom 6 26 7 27 deploy-server: 8 28 nh os switch --file ./default.nix hosts.server --target-host server --build-host server 29 + 30 + wireguard_gen: 31 + #!/usr/bin/env nix-shell 32 + #!nix-shell -i bash -p wireguard-tools 33 + key=$(wg genkey) 34 + pub=$(echo $key | wg pubkey) 35 + psk=$(wg genpsk) 36 + echo -e "key: $key\npub: $pub\npsk: $psk"
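Review bot: The `preview` recipe writes the build result to the fixed path `/tmp/build` and later interpolates its content unquoted into a remote `ssh` command line, so on a multi-user machine another account can pre-create or replace that file and influence what runs on the target. A private temp file, `out=$(mktemp)` with `trap 'rm -f "$out"' EXIT`, plus quoting of the value closes that. The confirmation branch then runs `nixos-rebuild switch` without `--file ./default.nix -A hosts.{{ target }}`, so what gets deployed is not necessarily the closure that was just diffed. `wireguard_gen` prints the private key and the preshared key to the terminal; writing them straight into the encrypted secrets file would keep them out of scrollback and logs.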
lib/default.nix modules/lib/default.nix
+149
modules/npins/sources.json
··· 1 + { 2 + "pins": { 3 + "flake-compat": { 4 + "type": "Git", 5 + "repository": { 6 + "type": "Forgejo", 7 + "server": "https://git.lix.systems/", 8 + "owner": "lix-project", 9 + "repo": "flake-compat" 10 + }, 11 + "branch": "main", 12 + "submodules": false, 13 + "revision": "549f2762aebeff29a2e5ece7a7dc0f955281a1d1", 14 + "url": "https://git.lix.systems/lix-project/flake-compat/archive/549f2762aebeff29a2e5ece7a7dc0f955281a1d1.tar.gz", 15 + "hash": "sha256-NKw96t+BgHIYzHUjkTK95FqYRVKB8DHpVhefWSz/kTw=" 16 + }, 17 + "helium": { 18 + "type": "Git", 19 + "repository": { 20 + "type": "GitHub", 21 + "owner": "amaanq", 22 + "repo": "helium-flake" 23 + }, 24 + "branch": "master", 25 + "submodules": false, 26 + "revision": "9d3ef138f70b3540397320d25ead6aa96101371d", 27 + "url": "https://github.com/amaanq/helium-flake/archive/9d3ef138f70b3540397320d25ead6aa96101371d.tar.gz", 28 + "hash": "sha256-OxeMEMxRJ6dF3UGXVJoNRwxU/F1nOVbdcyX9n8S3Mxk=" 29 + }, 30 + "hjem": { 31 + "type": "Git", 32 + "repository": { 33 + "type": "GitHub", 34 + "owner": "feel-co", 35 + "repo": "hjem" 36 + }, 37 + "branch": "main", 38 + "submodules": false, 39 + "revision": "4d0d0e4dc99245ffaa0d51acf69e288fb59fb0f1", 40 + "url": "https://github.com/feel-co/hjem/archive/4d0d0e4dc99245ffaa0d51acf69e288fb59fb0f1.tar.gz", 41 + "hash": "sha256-bPTW00Tkp8c7HJbhNC7wLO3fcngFXBpuX7LZByE/F8c=" 42 + }, 43 + "hjem-rum": { 44 + "type": "Git", 45 + "repository": { 46 + "type": "GitHub", 47 + "owner": "snugnug", 48 + "repo": "hjem-rum" 49 + }, 50 + "branch": "main", 51 + "submodules": false, 52 + "revision": "3506a77b5cbb35640f7dac595f98b10bdbe07b15", 53 + "url": "https://github.com/snugnug/hjem-rum/archive/3506a77b5cbb35640f7dac595f98b10bdbe07b15.tar.gz", 54 + "hash": "sha256-xM7gYCLOUH2fnPgdst7HcPpEn6GlEOf7nelJVxJZ040=" 55 + }, 56 + "home-manager": { 57 + "type": "Git", 58 + "repository": { 59 + "type": "GitHub", 60 + "owner": "nix-community", 61 + "repo": "home-manager" 62 + }, 63 + "branch": "release-25.11", 64 + 
"submodules": false, 65 + "revision": "5c0f63f8d55040a7eed69df7e3fcdd15dfb5a04c", 66 + "url": "https://github.com/nix-community/home-manager/archive/5c0f63f8d55040a7eed69df7e3fcdd15dfb5a04c.tar.gz", 67 + "hash": "sha256-rK0507bDuWBrZo+0zts9bCs/+RRUEHuvFE5DHWPxX/Q=" 68 + }, 69 + "nix-gaming-edge": { 70 + "type": "Git", 71 + "repository": { 72 + "type": "GitHub", 73 + "owner": "powerofthe69", 74 + "repo": "nix-gaming-edge" 75 + }, 76 + "branch": "nightly", 77 + "submodules": false, 78 + "revision": "a6644fdb35fb66e3f15ed1ce5dd5e56ea64ddf06", 79 + "url": "https://github.com/powerofthe69/nix-gaming-edge/archive/a6644fdb35fb66e3f15ed1ce5dd5e56ea64ddf06.tar.gz", 80 + "hash": "sha256-aKwGEGa3UffChR91GNkk/TnVNXWQth8mmZATAgrG0Yc=" 81 + }, 82 + "nixpkgs-stable": { 83 + "type": "Git", 84 + "repository": { 85 + "type": "GitHub", 86 + "owner": "NixOS", 87 + "repo": "nixpkgs" 88 + }, 89 + "branch": "nixos-25.11", 90 + "submodules": false, 91 + "revision": "3e20095fe3c6cbb1ddcef89b26969a69a1570776", 92 + "url": "https://github.com/NixOS/nixpkgs/archive/3e20095fe3c6cbb1ddcef89b26969a69a1570776.tar.gz", 93 + "hash": "sha256-SEzUWw2Rf5Ki3bcM26nSKgbeoqi2uYy8IHVBqOKjX3w=" 94 + }, 95 + "nixpkgs-unstable": { 96 + "type": "Git", 97 + "repository": { 98 + "type": "GitHub", 99 + "owner": "NixOS", 100 + "repo": "nixpkgs" 101 + }, 102 + "branch": "nixos-unstable", 103 + "submodules": false, 104 + "revision": "c06b4ae3d6599a672a6210b7021d699c351eebda", 105 + "url": "https://github.com/NixOS/nixpkgs/archive/c06b4ae3d6599a672a6210b7021d699c351eebda.tar.gz", 106 + "hash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=" 107 + }, 108 + "sops-nix": { 109 + "type": "Git", 110 + "repository": { 111 + "type": "GitHub", 112 + "owner": "Mic92", 113 + "repo": "sops-nix" 114 + }, 115 + "branch": "master", 116 + "submodules": false, 117 + "revision": "d1ff3b1034d5bab5d7d8086a7803c5a5968cd784", 118 + "url": "https://github.com/Mic92/sops-nix/archive/d1ff3b1034d5bab5d7d8086a7803c5a5968cd784.tar.gz", 
119 + "hash": "sha256-M3zEnq9OElB7zqc+mjgPlByPm1O5t2fbUrH3t/Hm5Ag=" 120 + }, 121 + "wire": { 122 + "type": "Git", 123 + "repository": { 124 + "type": "GitHub", 125 + "owner": "mrshmllow", 126 + "repo": "wire" 127 + }, 128 + "branch": "stable", 129 + "submodules": false, 130 + "revision": "53dad75b2503b8d9bb09ea3fbd9d87a0ab14bcf2", 131 + "url": "https://github.com/mrshmllow/wire/archive/53dad75b2503b8d9bb09ea3fbd9d87a0ab14bcf2.tar.gz", 132 + "hash": "sha256-eIi3o3TiYFlgk831lkWilNw9vTrO26PNaNwbG2UAF60=" 133 + }, 134 + "zen-browser": { 135 + "type": "Git", 136 + "repository": { 137 + "type": "GitHub", 138 + "owner": "0xc000022070", 139 + "repo": "zen-browser-flake" 140 + }, 141 + "branch": "main", 142 + "submodules": false, 143 + "revision": "9346698c4562819f61b4e5097151ec0b17729fab", 144 + "url": "https://github.com/0xc000022070/zen-browser-flake/archive/9346698c4562819f61b4e5097151ec0b17729fab.tar.gz", 145 + "hash": "sha256-L1yMYmFffHfZNP+hKJGRBmrFKkn/VDhu7jEbVftBQuM=" 146 + } 147 + }, 148 + "version": 7 149 + }
+177
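--- a/modules/snownet/default.nix
+++ b/modules/snownet/default.nix
@@ -0,0 +1,177 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+let
+  ipv6_sub = "fdd8:e380:437e";
+  ipv4_sub = "10.0.10";
+  interface = "snownet0";
+
+  hosts =
+    lib.mapAttrs
+      (
+        name: value:
+        value
+        // {
+          ipv6 = "${ipv6_sub}::${value.id}";
+          ipv4 = "${ipv4_sub}.${value.id}";
+          endpoint = if value ? endpoint then value.endpoint else null; # set a default val for endpoint
+        }
+      )
+      {
+        "snow-den" = {
+          id = "1";
+          endpoint = "[2a0a:4cc0:0:1eb::c0ff:ee]:51820";
+          PublicKey = "lAmtCO55kZjkiH4NKBdlSQYtIvvAp6qKDH0mjw7R2iM=";
+          PrivateKeyFile = config.sops.secrets.wireguard_key.path;
+        };
+        "snowlab" = {
+          id = "2";
+          PublicKey = "otQG6qBjzt/yjqdLtiCM0M5P8eljpywmGe95bEajNjY=";
+          PrivateKeyFile = config.sops.secrets.wireguard_key.path;
+        };
+        "snowflake" = {
+          id = "3";
+          PublicKey = "V+hXqlL1Rybl02PfkGObyW0A1l/UhETSeRvTQ0SG2nk=";
+          PrivateKeyFile = config.sops.secrets.wireguard_key.path;
+        };
+      };
+
+  preshared_keys = {
+    "snow-den_snowlab" = config.sops.secrets.snow-den_snowlab.path;
+    "snow-den_snowflake" = config.sops.secrets.snow-den_snowflake.path;
+    "snowlab_snowflake" = config.sops.secrets.snowlab_snowflake.path;
+  };
+
+  peers = lib.removeAttrs hosts [ config.networking.hostName ];
+  currentHost = hosts."${config.networking.hostName}";
+
+  cfg = config.snownet;
+
+in
+{
+  options.snownet = {
+    enable = lib.mkOption {
+      default = true;
+      example = false;
+      description = "Whether to enable the snownet.";
+      type = lib.types.bool;
+    };
+
+    currentHost = lib.mkOption {
+      type = lib.types.attrs;
+      readOnly = true;
+      default = currentHost;
+    };
+
+    ipv4_subnet = lib.mkOption {
+      type = lib.types.str;
+      readOnly = true;
+      default = ipv4_sub;
+    };
+
+    ipv6_subnet = lib.mkOption {
+      type = lib.types.str;
+      readOnly = true;
+      default = ipv6_sub;
+    };
+
+    interface = lib.mkOption {
+      type = lib.types.str;
+      readOnly = true;
+      default = interface;
+    };
+  };
+
+  ###### implementation
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [
+      pkgs.wireguard-tools
+    ];
+
+    # Add some common rules for inside of the snownet
+    networking.firewall.extraInputRules = ''
+      iifname ${toString cfg.interface} tcp dport ${toString config.ports.garage.rpc} accept comment "Trusted ${toString cfg.interface} connection"
+    '';
+
+    # nftables is pretty blackmagic
+    networking.nftables.ruleset = ''
+      table inet filter {
+        chain prerouting {
+          type filter hook prerouting priority raw ; policy accept ;
+
+          iifname != { "${cfg.interface}", "lo" } ip saddr ${cfg.ipv4_subnet}.0/24 log prefix "SPOOF-V4-DROP: " drop
+          iifname != { "${cfg.interface}", "lo" } ip6 saddr ${cfg.ipv6_subnet}::/112 log prefix "SPOOF-V6-DROP: " drop
+        }
+      }
+    '';
+
+    networking.hosts = lib.concatMapAttrs (name: value: {
+      "${value.ipv6}" = [ "${name}.mrsnowy.dev" ];
+      "${value.ipv4}" = [ "${name}.mrsnowy.dev" ];
+    }) peers;
+
+    systemd.network = {
+      # add "snownet" wireguard interface
+      networks."50-${cfg.interface}" = {
+        matchConfig.Name = cfg.interface;
+
+        address = [
+          "${currentHost.ipv6}/112"
+          "${currentHost.ipv4}/24"
+        ];
+      };
+
+      # add "snownet wireguard netdev
+      netdevs."50${cfg.interface}" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = cfg.interface;
+        };
+
+        wireguardConfig = {
+          ListenPort = 51820;
+
+          # ensure file is readable by `systemd-network` user
+          PrivateKeyFile = currentHost.PrivateKeyFile;
+
+          # To automatically create routes for everything in AllowedIPs,
+          RouteTable = "main";
+
+          # FirewallMark marks all packets send and received by wg0
+          # with the number 42, which can be used to define policy rules on these packets.
+          # FirewallMark = 42;
+        };
+
+        # Add the wireguard peers in the snownet
+        wireguardPeers = (
+          lib.mapAttrsToList (
+            name: value:
+            {
+              PublicKey = value.PublicKey;
+
+              PresharedKeyFile =
+                preshared_keys."${config.networking.hostName}_${name}"
+                  or preshared_keys."${name}_${config.networking.hostName}";
+
+              AllowedIPs = [
+                "${value.ipv6}/128"
+                "${value.ipv4}/32"
+              ];
+
+              PersistentKeepalive = 25;
+            }
+            // lib.optionalAttrs (value ? endpoint && value.endpoint != null) {
+              Endpoint = value.endpoint;
+            }
+          ) peers
+        );
+      };
+    };
+  };
+
+}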
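Review bot: The two anti-spoofing rules in `networking.nftables.ruleset` log every dropped packet with no rate limit, so traffic arriving on any non-snownet interface with a source address inside the snownet ranges can fill the kernel log. Split each rule so that only the logging is limited and the drop stays unconditional, for example `iifname != { "${cfg.interface}", "lo" } ip saddr ${cfg.ipv4_subnet}.0/24 limit rate 5/minute log prefix "SPOOF-V4-DROP: "` followed by the same match ending in `drop`. Separately, this ruleset and `networking.firewall.extraInputRules` only take effect with the nftables firewall backend, and the module neither sets `networking.nftables.enable` nor asserts it. If that option is not enabled elsewhere in the configuration, the spoofing filter is silently absent.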
+84
modules/sops/.sops.yaml
··· 1 + # This example uses YAML anchors which allows reuse of multiple keys 2 + # without having to repeat yourself. 3 + # Also see https://github.com/Mic92/dotfiles/blob/d6114726d859df36ccaa32891c4963ae5717ef7f/nixos/.sops.yaml 4 + # for a more complex example. 5 + keys: 6 + - &admin_snowyboo D40CE1579C09BFD7EF4AB7E631250420834310B5 7 + - &root_vps age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg 8 + - &root_homelab age1yjv3ngyz26qqggvef3ekwdw60dfvcmfd0l6n88vs3axux6vusdhsyzlts0 9 + - &root_snowflake age1qqex87tl6kq68hszp66z49n95zurcxcvveumpxjvh5w2yhx8g47q5s24ya 10 + 11 + creation_rules: 12 + - path_regex: \.pub$ 13 + key_groups: 14 + - pgp: 15 + - *admin_snowyboo 16 + age: 17 + - *root_vps 18 + - *root_homelab 19 + - *root_snowflake 20 + 21 + - path_regex: \.pub$ 22 + key_groups: 23 + - pgp: 24 + - *admin_snowyboo 25 + age: 26 + - *root_vps 27 + - *root_homelab 28 + - *root_snowflake 29 + 30 + - path_regex: garage/.*\.(yaml)$ 31 + key_groups: 32 + - pgp: 33 + - *admin_snowyboo 34 + age: 35 + - *root_vps 36 + - *root_homelab 37 + 38 + - path_regex: psk/snow-den_snowflake\.key 39 + key_groups: 40 + - pgp: 41 + - *admin_snowyboo 42 + age: 43 + - *root_vps 44 + - *root_snowflake 45 + 46 + - path_regex: psk/snowlab_snowflake\.key 47 + key_groups: 48 + - pgp: 49 + - *admin_snowyboo 50 + age: 51 + - *root_homelab 52 + - *root_snowflake 53 + 54 + - path_regex: ^all/.*$ 55 + key_groups: 56 + - pgp: 57 + - *admin_snowyboo 58 + age: 59 + - *root_vps 60 + - *root_homelab 61 + - *root_snowflake 62 + - path_regex: ^vps/.*$ 63 + key_groups: 64 + - pgp: 65 + - *admin_snowyboo 66 + age: 67 + - *root_vps 68 + - path_regex: ^homelab/.*$ 69 + key_groups: 70 + - pgp: 71 + - *admin_snowyboo 72 + age: 73 + - *root_homelab 74 + 75 + - path_regex: ^snowflake/.*$ 76 + key_groups: 77 + - pgp: 78 + - *admin_snowyboo 79 + age: 80 + - *root_snowflake 81 + 82 + # - key_groups: 83 + # - pgp: 84 + # - *admin_snowyboo
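Review bot: `creation_rules` has no entry for `psk/snow-den_snowlab.key`, although this commit adds that file and `homelab.nix` reads it. With the catch-all rule at the bottom commented out, re-creating that file (and probably `sops updatekeys` on it) will find no matching rule, and its intended recipients are not recorded in this file. Add a rule mirroring the other two PSK rules, with `*root_vps` and `*root_homelab`, which matches the recipients in the committed file. The `\.pub$` rule is also listed twice with identical recipients, so the second copy never matches. The two `psk/` patterns lack the trailing `$` that the other rules use.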
+44
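--- a/modules/sops/all/default.nix
+++ b/modules/sops/all/default.nix
@@ -0,0 +1,44 @@
+{
+  # config,
+  # lib,
+  # pkgs,
+  args,
+  ...
+}:
+
+# Nix secrets hehe :3
+{
+  imports = [
+    args.flakes.sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    age.generateKey = false;
+
+    secrets = {
+      wireguard_snowlab_pub = {
+        format = "binary";
+        sopsFile = ../homelab/wireguard.pub;
+
+        mode = "0400";
+        owner = "systemd-network";
+      };
+
+      wireguard_snow-den_pub = {
+        format = "binary";
+        sopsFile = ../vps/wireguard.pub;
+
+        mode = "0400";
+        owner = "systemd-network";
+      };
+
+      wireguard_snowflake_pub = {
+        format = "binary";
+        sopsFile = ../snowflake/wireguard.pub;
+
+        mode = "0400";
+        owner = "systemd-network";
+      };
+    };
+  };
+}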
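Review bot: The three `wireguard_*_pub` secrets encrypt WireGuard public keys, yet `modules/snownet/default.nix` in the same commit sets each peer's `PublicKey` as a plaintext string and does not reference these secrets in the lines shown. Public keys need no confidentiality, and keeping two sources for the same value invites drift when a key is rotated. Either drop these entries or add a comment naming what consumes them, e.g. `# not read by snownet, which sets PublicKey inline`.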
+50
modules/sops/all/default.yaml
··· 1 + #ENC[AES256_GCM,data:6mNsfa7CFk85yw==,iv:1+mG8GGysHrgJlXhfbrYugcFhz+gBg4KaPNCevrWdkI=,tag:WfWop9TbknHElJ2yQVooOA==,type:comment] 2 + wireguard: 3 + snowden_pub: ENC[AES256_GCM,data:mSmk6wX8YUUm3ELLEJkqB364gIcg4ahRN/TUq+l152+PEsuhIuIZrWiGw/M=,iv:9hj1xYu+W0yl2xqAnFAWEllRZyipU356pzjGGxiWAsU=,tag:uVHOMeuAtSxXsXdKSYywYg==,type:str] 4 + snowlab_pub: ENC[AES256_GCM,data:rOy9hZOdmmCpBnYfjtyiIc1ZDB8lqrb0/6UPE8ZVj1vRt9oBzFyV9gtuChY=,iv:pa+3b5WpRilvaKh124gNK0qv0swKt3qK5fv2HkwEMQw=,tag:doaee3t7uajbUs4wT+0V1A==,type:str] 5 + snowden_snowlab_psk: ENC[AES256_GCM,data:LadonlAz3C58rq4pT60W6Q34n+5dBEGEahkaN/hpkhlwhjogMX/crbH7au4=,iv:f2thDX7xU8b1m/XrCqq95zwS3mBtSMwWMJy5LSoMS1U=,tag:ArgrzoWhox46yJPkLlK5vg==,type:str] 6 + sops: 7 + age: 8 + - recipient: age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg 9 + enc: | 10 + -----BEGIN AGE ENCRYPTED FILE----- 11 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQalNYV01GUEkvUEMyb1RH 12 + eXpGS2lRenZsZ3JpN2paamcvb0ZhbWY2TGtnCkE4N1A4YVltZC9xNTV6SGNkdUhw 13 + S0dBR1Y5ZHdpV3JrNnpPcldqK21pb0UKLS0tIFNTN0RqaG1NMEppWlRRcHFCUlkv 14 + bkRXeDErNmEzYlBhM0pSU3VDd0MzYncK8hqlDq3LeXyNFCcyqiW8gpI9uCxxhtMq 15 + 8Qp26G+Okx4TFeVt1MNeP1wBKYykmCewrDMf8jRqaunfX5xX2lma0g== 16 + -----END AGE ENCRYPTED FILE----- 17 + - recipient: age1yjv3ngyz26qqggvef3ekwdw60dfvcmfd0l6n88vs3axux6vusdhsyzlts0 18 + enc: | 19 + -----BEGIN AGE ENCRYPTED FILE----- 20 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2aElXeDB3TkZQMGJPbXRv 21 + bGdyQjBjcGg0TE9zOXVMTHBoak5KTzBkUFNRCnZaRkFtR25MQzNCb2VMdkRKQ0k3 22 + Q1dTUG1uT3o1VjJ2S0hObWRsMUxyNE0KLS0tIEZUMU92WUlCNnltMHlCWDM2UjFZ 23 + NnpjNkFCdHhPMmRLaGExWTJia29pTDgKq8XpdFHMUrvZvSelywiBsXe1c3hBgaC7 24 + CgCzS/ib0APkcrvZU49WpMEBj8vvA2bACbHdICKPaFYjvRfcRQdDcw== 25 + -----END AGE ENCRYPTED FILE----- 26 + lastmodified: "2026-02-08T01:29:18Z" 27 + mac: 
ENC[AES256_GCM,data:lH19MAC3bxAL7XVo+xfd7SYKHKZ6//P/VpXNmTRzhgGv1NlO3UpSy5/J+0ACixOphYMQTy1vnqhroi590QBePEQo8m6l8DwMhH1AFXzd98e6waBp/H5e2PnSFdROmhg6To6j4MybdGiANcG5wkgLbrfgIkV57A4JzvZ44bfGbPo=,iv:qnwp7ofkvmO79a1yFU0zApq45VO6fEFnVbJ7IcUBBxo=,tag:/Dd2NkgAJMsRDhonhQeIeg==,type:str] 28 + pgp: 29 + - created_at: "2026-02-06T18:24:46Z" 30 + enc: |- 31 + -----BEGIN PGP MESSAGE----- 32 + 33 + hQILA09oKgMfawMUAQ/3RgFIkv6I4Y1DgCHHciYYRdEV5j9dyzm+qFYglLhht6C6 34 + V8WaK2t1P+S8FvArJOUp/dtQDQ470saWlcJTu08a51DSCKSTKnfnJJ4uMtwqvkCj 35 + TCqZtzmPc1g0QsfwnEEXVjeBEd9dZwn8ieZWkP6Vny/lG1RFfXuCLWQSAt8Zzvw4 36 + bs8wBge9/TSivceuM29EA2g6X13Xy9wks/NMT7kJokGVGrjOGC5R1KQvGOBRxXGz 37 + 4CL/WhnJCitvYPioEqf9Ocv6C8fWdxOQL9jQxLiedx9t6Sv99SbXUTe4zJUMF571 38 + skbEOt/Jh+8rciorGFIZ4EEVPak0WcLmeGoqUTBLjTYUm9SF7E3K8TWeL/MSoAuL 39 + FFVLOsNMUjt8TraH5GeCosodyb8vR7qv6NGDXoi5Ibt1CsjRyxlDd0JoVW396PoI 40 + 2uRkeDL6qayMlHAgH2qj94IyVQXNPyut1PUK+JpQYf5wEFndHu7OMfsp5TL/7OYt 41 + ytyPFChuCVISd/8fLzrygPkuq24shHazDts5BdXhojNTD5vvWf5/YT7rykwCm+Ex 42 + obu91lWhxCA9TSjylskxy9VZAw6Sn/TSy9/9COWwlVEVVAgXTfEowMOdX5BfdEZc 43 + +GocsYbMjc7L5a2BYmc2YO0nKNhsn9fmyE3v9cnpIVUo4OmOogu78yhqWKxPitJe 44 + Ad6CSHR6ClEM1NffPth0+FH6SiUE7I7q/3YiaRb42cxfS3mrnJZ/K+TCw+06oEQQ 45 + FYQrPMXzzfcB1leUbVZpdEEyGrpGALzQHmTvO2cCG+0UFmLZCV8QFKNLr2G6xw== 46 + =ozhG 47 + -----END PGP MESSAGE----- 48 + fp: D40CE1579C09BFD7EF4AB7E631250420834310B5 49 + unencrypted_suffix: _unencrypted 50 + version: 3.11.0
+31
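--- a/modules/sops/garage/default.nix
+++ b/modules/sops/garage/default.nix
@@ -0,0 +1,31 @@
+{
+  sops.secrets = {
+    "garage/rpc_secret" = {
+      mode = "0440";
+      group = "sops_garage";
+      sopsFile = ./default.yaml;
+    };
+
+    "garage/admin_token" = {
+      mode = "0440";
+      group = "sops_garage";
+      sopsFile = ./default.yaml;
+    };
+
+    "garage/metrics_token" = {
+      mode = "0440";
+      group = "sops_garage";
+      sopsFile = ./default.yaml;
+    };
+  };
+
+  users.groups = {
+    sops_garage = { };
+  };
+
+  systemd.services = {
+    garage.serviceConfig.SupplementaryGroups = [
+      "sops_garage"
+    ];
+  };
+}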
+53
modules/sops/garage/default.yaml
··· 1 + #ENC[AES256_GCM,data:hRxhcI4d9bZ7xQ==,iv:2Hm4Dfzfnc7ARqEaZ1cNmLMcH7BK//GyZXoCZgvt3vs=,tag:kRJiR0a/t2Q4F2SWwbc1Sw==,type:comment] 2 + garage: 3 + #ENC[AES256_GCM,data:AaGRk88oXeNsEBMwCprWaMgbiVAoLl2l0tXmU4RJyIuFLw==,iv:MMLb9lnZAs36AyELtMdoW63fxhJmpfcjHsHk4bdPhX8=,tag:iQLGgoKk4LwhedSKQSSnbQ==,type:comment] 4 + rpc_secret: ENC[AES256_GCM,data:7owLQIvgJseja2tzV0YV579Q/a00eZWGAQIfPdTDDtVi1ytf9jiRrFW5juVkh2zq9j1c62XhslmfNDmoPUYxVg==,iv:jmXqlWsuuNMVRV+nHtBwAbDnBXW0fUd4afb8VTuZgYo=,tag:GlgeUMNH+Og7UtYBdGc6KA==,type:str] 5 + #ENC[AES256_GCM,data:GwIxZOH+JtAt0lPy9y7pqv6V9VIDSnItW7xeZabQcPiVNz5oSlAHKPSWPxw=,iv:jMhdJ/vAz1jCiRj1w1W2YAujq0jsElSI/4s4hnetV0c=,tag:x11mVA53tb443gjNnlGyog==,type:comment] 6 + admin_token: ENC[AES256_GCM,data:PbIEfM2Y32uvQKWTfnzsOQW3KIu+njj91SpDfFvjMvd07fahYF/rDBqIbKfraj/unNQjEBCu97SNhuWtziS/xQ==,iv:kbOnicCUtTA+EjoCF/fbn8O0Rj7W4pOke/NZXBtZqzE=,tag:dUACXTjjekqQjWv29H8uaQ==,type:str] 7 + #ENC[AES256_GCM,data:q/J1guMs0WwvA7/1GLdMNpRF8GYPP8X0auOXz6gl5xB2A+dBhzQNmn8Uzm0=,iv:inQvjJPg+bAQg+X+bXRn3T5S5yeD0J/4bGOulb5FSts=,tag:wts6UOpFvizeQ0KLCieypg==,type:comment] 8 + metrics_token: ENC[AES256_GCM,data:8xGgPEXo/laDMCBVAfI8WjfWMoTk/PwhJGOuqzi/BwaYXmFSgSpWyW8BpWylU3P7JeaT42VzdNgjmYMjsb48sg==,iv:JF8E9ZGy4zhNLw3KfsU0xb8dj8M8rjZIJaEAuiHuxe0=,tag:tiDGOjlZ3F0TryPslK2QXw==,type:str] 9 + sops: 10 + age: 11 + - recipient: age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg 12 + enc: | 13 + -----BEGIN AGE ENCRYPTED FILE----- 14 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1ODNRNUZpbkk5RitwS1pR 15 + RXQ2bW44Vmw5TEhJYVVxVEZwSkZ0allTN1FvCnNvbGowdUViZzFnNHpzM0dvU3By 16 + SkZqM3dSZ0ZjRW84aHdIYWJxUUNKclkKLS0tIDhZMDNjWDQrUjN5aTFaTFNRdG96 17 + bFBFbG9odkYyditnc0tMenR0bWsvd1kKxL/545sb9g76aztnWYNLIwZjdlVPY3YO 18 + pOLW/YCx4EjbsWl6lXgOpnYPiEFt3uja9d43FIHBh8+b7cN+O+/X6A== 19 + -----END AGE ENCRYPTED FILE----- 20 + - recipient: age1yjv3ngyz26qqggvef3ekwdw60dfvcmfd0l6n88vs3axux6vusdhsyzlts0 21 + enc: | 22 + -----BEGIN AGE ENCRYPTED FILE----- 23 + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeThwNXNKZlliajRKMlE4 24 + QmpXU0Z3VmQvUXdzYm9SUTl2TGkrekRsaW13CkpSQ1ZmUlZydXdZUDBjRE5tYXl6 25 + OGY5VHZKc2ZyWlRERUpLVFhtSCtwZjQKLS0tIGVNMmdZbHUxS0hqRjJQSXJkd2V3 26 + M1QyMEhEOFZFdlhFbmNmQ1gyWFFQbWsKHPkTQg+K4km9ZmT34uXSTKhhEpiTktvB 27 + Xm551+BlT2nmBo2kPys44nAn8nuS0XrZjV/wSUjGeXUpFINimkZ7+w== 28 + -----END AGE ENCRYPTED FILE----- 29 + lastmodified: "2026-02-12T14:48:58Z" 30 + mac: ENC[AES256_GCM,data:V957fpONHWjWdCR4I7OQNo/nHl2PWHbfO5bS3a/nu0Av1UktowyAn3rHnRH8pdf6Vzf7+iycGxLDmrDLvVcnSsJhg7XVeh2nhzEv3/YfVnfl/uoxGd7CAnVrF4lP3utn7xkoxMubJmQ52BK1P+F26E8UTWkBOO8BMGYcwKbXU3Q=,iv:au8JqR2qi0PMiv7N+N+OYbzvrGuWQK0J1MrVpEl2JJ0=,tag:SJbRnxC59ZN+dPktYhb5eA==,type:str] 31 + pgp: 32 + - created_at: "2026-02-12T14:48:50Z" 33 + enc: |- 34 + -----BEGIN PGP MESSAGE----- 35 + 36 + hQIMA09oKgMfawMUAQ//aXFrxN5r0yI24FvPRNYV8hfMc2o+pEGdUwuwFEv3z9lb 37 + n8estmEJXyzAxd7F/lh4riRqypwyNoOmHHF7JnL/SHjwCCtUpTnbeXDFAYWwnhCr 38 + mgONbD6b9HRhjDik9ivVMo3G1Jm+Orxb76J/YLRJakSmFtjXNaGIyiBHJ30+AgL3 39 + 9LitFif2+w8ZvhmnrdxaWHD8HA9Wzroei1eA95spFaZ33I6E4dPzd/I6W2yfxLvn 40 + uQ8cMRHWDTld21wXJ6uG+p6cvlKTQKiV4HW7IM4QdE7Wo0YeuluE66dCT3hwaNZe 41 + yz85H7sPzj7+04w6WVDhJHVX0QsRa8/5OwsfQU5sLSBi+Boqsh75AcaTyszNeoKY 42 + S3vXyoNzOlHLcN2Q8kvks9J/HPLqAJquNIM2VkfEsjzN6GYEZD/MygNe0eLp9jUY 43 + 1d6G99jPxoqSjCMJu8Jwttk14PA4xG6fsmqT0q8cEmFd0zdwbwEp2522i3Kl1h23 44 + fs+sQiiox6Wf+IkzSxIdee2wcvp/4Xk6Q4jRzt+zhLNwSsBZv7xYolAtPVFp8GMm 45 + p9/tM7MUkCyHsM5DsI6OVqfh0xJyDY0QctDzmanDWQkcqFru/VxLhDwjRTQFW7BU 46 + blTDrknsuAN/pw9TqxxeKty3TgYpUMD+cUb5jn8rBpXCQFJxwKEBp64JsV71m7rS 47 + XgHfybmWWHbhO764Ba+jJ78sAF1D0WVC9yJj8cCgqhdPjdkYRHXB7B2gxjjUDj+G 48 + AXpHTxq0SWXcTvzM6smDct16MDJFRafhHnitnNXEaUJTlXPiVQCzJpPD+m7FqPo= 49 + =ZbXI 50 + -----END PGP MESSAGE----- 51 + fp: D40CE1579C09BFD7EF4AB7E631250420834310B5 52 + unencrypted_suffix: _unencrypted 53 + version: 3.11.0
+44
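--- a/modules/sops/homelab.nix
+++ b/modules/sops/homelab.nix
@@ -0,0 +1,44 @@
+{
+  imports = [
+    ./all
+    ./garage
+  ];
+
+  sops = {
+    age.keyFile = "/root/.config/sops/age/keys.txt";
+
+    defaultSopsFile = ./homelab/default.yaml;
+
+    secrets = {
+      wireguard_key = {
+        format = "binary";
+        sopsFile = ./homelab/wireguard.key;
+
+        mode = "0400";
+        owner = "systemd-network";
+      };
+
+      snow-den_snowlab = {
+        format = "binary";
+        sopsFile = ./psk/snow-den_snowlab.key;
+
+        mode = "0400";
+        owner = "systemd-network";
+      };
+
+      snowlab_snowflake = {
+        format = "binary";
+        sopsFile = ./psk/snowlab_snowflake.key;
+
+        mode = "0400";
+        owner = "systemd-network";
+      };
+
+      "samba/samba_user" = {
+        mode = "0400";
+        owner = "root";
+        # group = "root";
+      };
+    };
+  };
+}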
+41
modules/sops/homelab/default.yaml
··· 1 + #ENC[AES256_GCM,data:jjIjrPrLhyO1tRzG8g==,iv:+4hIgcYnm/51n30FpC8Tbl1j4pqIevceEQf9tA45rl4=,tag:LlW131iOk+UZrtPtZSL8wg==,type:comment] 2 + wireguard: 3 + key: ENC[AES256_GCM,data:TZG68pWFZW5T+UxoCXhmLgp2SYhvN/kKeLLgjRf48M79pzZVWnwQT2769Cc=,iv:WmfvM9H0zwYUTnM4DszQRA3W+si0eULNpW4ZJqAjtyk=,tag:UBultWSGxv1spMeBtknmUg==,type:str] 4 + samba: 5 + samba_user: ENC[AES256_GCM,data:iaWzLYgvJPMKjrqBPt3YjiWhS073oQ/kpg88pUuMUj0kfuXSZ9sjTmwr2HUam0Gpod8Zujj76HpxxH9N5Cqiqg==,iv:uLeZ4v3PhCZ7hZ7NTDpsGx76WBlIQinfvU4iN2YMjVQ=,tag:DYdFVPTunMzDg60sSB3Lpg==,type:str] 6 + sops: 7 + age: 8 + - recipient: age1yjv3ngyz26qqggvef3ekwdw60dfvcmfd0l6n88vs3axux6vusdhsyzlts0 9 + enc: | 10 + -----BEGIN AGE ENCRYPTED FILE----- 11 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUU1kNkpKdGVpQ2FDREY0 12 + Ymc1ZWFQVzlXTmt0MlJYdXJYNDIyaTZZV1NvCk1qV2o1b3NTNzNzcEkwaGQvZzFz 13 + OW9hU1lMRFBwZ1d5QXRyWVpIN2loTE0KLS0tIEJuazdYTHJxYjgvSmVSSUdFVnUr 14 + UXhYeElvSTNaV21CY2s2c29tOFplakkKdSQ+SSMQje7l3AmNndI/PAmMVzmJe7sm 15 + snnqYTs6E1sKfBklznsYbcZrXeuDzgPt6XhtC1XIgHP0bxTFVYSPRA== 16 + -----END AGE ENCRYPTED FILE----- 17 + lastmodified: "2026-03-19T13:26:55Z" 18 + mac: ENC[AES256_GCM,data:bI/dov0roY6UVz/DwJa7GpYD2oLy7KKx6QiAiePKIy+gsp2qgVFVar2R+98mU6JkRTO4qVCF3mjpIqXmb0ezJOJZKKJTzMrIA3TpTJJcfhiw2WLA7LpxLKi7o80NdvbXBQxFKsZCaEBJoJxwxqMbch/0lltZAgClu7MW/FW7WG4=,iv:taiX25EYw0spPzBg6thtJJWEKy0j9gt5w8orC/uhd+4=,tag:ECN3I7vgFUwXOrFsSffL/g==,type:str] 19 + pgp: 20 + - created_at: "2026-02-06T18:21:16Z" 21 + enc: |- 22 + -----BEGIN PGP MESSAGE----- 23 + 24 + hQIMA09oKgMfawMUAQ/9ERw3FmlBF7prJrAhzqKDG7EvignzZalzU0xwGQjtaGM+ 25 + lculJ/5W61tr+L6Nsnw4Wqa+lrQGodmhLmamhepl4pFHEjmhg4ammjRJfQ46efGi 26 + QnT/UktFTrRmvyx8wWii0KmujrIKeGtq4WClmmp4KUjrtlAyONBRssbIUOoyTadA 27 + RjbJr56cAzeFPYdpll8V6cgnRzfmI2uTNHMS6YnusfTZ2xUt1nKmRzjq6X9w3xlG 28 + 15eYalRfXayEynma4xYUJDIJ1ArtZaitvuaRtkDNi75SmYhk5ajvS8F/NVRBN+IJ 29 + q4pYzIzZxhm6b1vWFMmIszHsubZ7PoF/Y9ydm/sDXEk0YbYIXW15O/ufpuX9Vbkl 30 + 
dV8BVICoVkCP1fiX5ip9v0Ajs2Rjq92JmbEwwgDyz2RqN+yTnobSYvacglpj+hWT 31 + jQIK/ytdvb1XOzgXavJheZjiA62/+xh35UOMqn0UY+0YS2EeTeEhChNwvWp2MtXC 32 + BgeZ+6XpdDxpubD/0OnyDHb23fp1fPcvMRh8NLxnYFZoC++5ju8sKf5E8w6uztGb 33 + 2cs++QY/Tb69M/pO1F9ByynK/MGE3mJwjxEd2rgARVdjPPg5kYh/ND6MJFRQHdaX 34 + EMKxjo421+pCn9YzK/2kdWm+x+VnRCVjTb/WsVh+gmxqHYNEwF6FCqieJX6HPCTS 35 + XgHKoJsBW5uycRdQLzVkkmKcuoEzcgEjhq3U5a2r5UiCNw4KMWE8Ws4VnngmqQeq 36 + Xy8PsrpSGrGQ+RMTMtMCmoUxZyGcZkaLO7L3MTpoZ4fbioRKYezyk0y2L1T/TV4= 37 + =OsGE 38 + -----END PGP MESSAGE----- 39 + fp: D40CE1579C09BFD7EF4AB7E631250420834310B5 40 + unencrypted_suffix: _unencrypted 41 + version: 3.12.1
+21
modules/sops/homelab/wireguard.key
··· 1 + { 2 + "data": "ENC[AES256_GCM,data:9IlJBWB51p5jeRnF+mlci9Y/v5H1dqApIOxcBZTOvM8q2AkfkQqjPIkYqhgJ,iv:MyHhZM8EdnnJko1xKe6vcc/yoDo2PfuEmfr4NvxnwSo=,tag:McRopBG5bsKw/uj4IpKvYg==,type:str]", 3 + "sops": { 4 + "age": [ 5 + { 6 + "recipient": "age1yjv3ngyz26qqggvef3ekwdw60dfvcmfd0l6n88vs3axux6vusdhsyzlts0", 7 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArTzlvZ3BqVWtrQU1qNmxm\nYlJhUVduYUdrdmJUQ0tLeTlkaWp2SUVEM2g4Cm10WEdybldVb3VoTTBxbjZhSEpw\nRncxSG1GRzg3NGdpVmpQSXhlZWMzSWsKLS0tIDB6OSt6L3hibmVxQkUyT1NVdjVQ\ncFloVUVEbU50alcrbHo5ZjIxbjRHQmsKYtuWpN4tVTSwCni+dAh9X2kL64Dh15kG\nW3GhnNaqXhPOIUPN6U/emEs4/HeMpcD5pAh9Jlpx0ydsY1IKqzVNQA==\n-----END AGE ENCRYPTED FILE-----\n" 8 + } 9 + ], 10 + "lastmodified": "2026-02-08T01:40:57Z", 11 + "mac": "ENC[AES256_GCM,data:+J5tkO+Tr/74o52p///V5JuX1buPk8s9jXdmPeCCBmjq6cHBji2QZPqmxLUX2hYforgumjh0bkemPPlnzaAAABBABzx5BWDe6qyaBPw/WIgyS+4hLSo6pl0oL5AgMqO0x6ABViqURWVNZ8RjhKvJruNuVvwti7kYHm6WkFMre0g=,iv:z/8qUQ76acybWMtmAlKFNt9X+eQl98uaaLp616hGC98=,tag:6x2s12SStB18zoSa/GM8MA==,type:str]", 12 + "pgp": [ 13 + { 14 + "created_at": "2026-02-08T01:40:49Z", 15 + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA09oKgMfawMUAQ//Rat/wV5un/mwwpKiEs5ct8od/K/M7vI3rqYWYVeuWLjI\n97zp1pPP+7e4oc2P89KoUIogknxHbBmOBr46cMbJBzVp+d+W7+ll51yIZMDlUXfo\nPl4hJaUuUfu0fJD9nrhVuPLWiExDblapCt0qUmZH8JCdnKvodpEIWO1zUT7+nCZG\n7/oUNSPUVBz+VpVz58x/NH3WQ9LdUoJN9lHX+IfrV2GiwuQZpdRUfJA0jB4Uef8V\nC5hkMOMGmJmDQN0PLf26iApN+4AB7xrkz9zFCyfyUjUyfDwCMmlc8+5f5Uta2toL\nje0YcOVxxpzSc2UkpJ7xZfrriOYNGJkE9myKwQtrU62vP4LLsGJ5+JLAsVYqHhja\njgDaohivVhYF3q6sL/KjZA53tMa5eI788prRI/pkdQEsvzrGX41rrsT6ZramavJq\nQnX0EiGPVHmWZNDGqPo/Yk1kPIv5crW0IwSt9v2NtCyG7VA8sADZxTcsAFnAylK6\njRfWQ5DfHvwZwmks69CT+04kKadQkkaRFmLmVT5XKocgwjtrgN6zeVNff8qMlK0Y\neJN4QMMj84drrbbHE9vimWu9tL+0yHNe/rqQaWnLp4hQJQxGUCn2SDD54pCnu/qG\nxmR4eASRle5azcTTbJP4cO7s4woX1/5QVcrI4S8qrRl1t71uM3wWsEdbGk6wdO7S\nXAHZs024tUSeWWhXyoPXF0oVbWbFdUFNf+sHHkjpwTAR5qVVGOohQfRTUB4tI9Gw\n1YGG6rqxWOM/wTE+xdOFSNZCXHhzR9y/x/VhRLlEwiS2y8xHxvadzRh8qI2X\n=7qza\n-----END PGP MESSAGE-----", 16 + "fp": "D40CE1579C09BFD7EF4AB7E631250420834310B5" 17 + } 18 + ], 19 + "version": "3.11.0" 20 + } 21 + }
+30
modules/sops/homelab/wireguard.pub
··· 1 + { 2 + "data": "ENC[AES256_GCM,data:jCdPCYrl+PwEW/bxMP2WWQxoDNVK+GASNeZH6vg2POV4daPkFrGJszFYuZLX,iv:ShWZdKmh+Bj+j9VSjCOdGczGuZkGdLdqUCm0CMZzRyw=,tag:YC1OksX5L84FmGIGs50O9w==,type:str]", 3 + "sops": { 4 + "age": [ 5 + { 6 + "recipient": "age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg", 7 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISXJYVVdPZzU2MDdRSnM2\nTVJnVEpqTi9oRnh0aXJqWUxrU2M0U2N4a0drCkZQY2c2dmJ4cjlnWTlWaTEwY3Fj\nVmRTeWIwMTlpNHFocEQ2RGFRTVQ1NEUKLS0tIG9rWnRkWkVvM1ltdVVKcXhGUFNM\nT3M4ZGhGeS9XNk1JZFgxMVdDcnNPbUkK6Gne3KeWLL/3ErwI4LH0KQ97KkJYnhps\nOO+V04sbQzdDO0aIDV/4JKO+F/0quRp7ouRCDg0pKnxwhfTZsald4w==\n-----END AGE ENCRYPTED FILE-----\n" 8 + }, 9 + { 10 + "recipient": "age1yjv3ngyz26qqggvef3ekwdw60dfvcmfd0l6n88vs3axux6vusdhsyzlts0", 11 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyaWRpNHFTekhOK1l0bWZJ\nMDA0TWM3NnJCbUpKcUh4czVJK252R2x0RlNNClJ6WDh4SnZxcmR6a0duYXU3KzRH\nSUZycDNXS1duUnhnYTlOL2wvME54VDAKLS0tIG1IVmRKNlg1a0tPQ0E1QUQwSGFj\nUmdIaTZQL0pyRnRIZU54LzN4Vk1IbXcKhj43PwkvdKAf+vdpjSQ9Eg4pEDxvja8e\nKkfNl6bfMBOcN7xaG+qiPDMQPyFBAoNgACJ36RLCHB32bpJULLjKtA==\n-----END AGE ENCRYPTED FILE-----\n" 12 + }, 13 + { 14 + "recipient": "age1qqex87tl6kq68hszp66z49n95zurcxcvveumpxjvh5w2yhx8g47q5s24ya", 15 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrN0V3SGpsUGNNTFFJM0Q0\nSFppUEZCUGdDV0oyT3ErMGpUN0lLZVR6OUJBCkdCZFdTYi9IL2o4Q0x6QXNWd3pO\ndFNmb0tEK2dNNnBuNStOZS9YVEUwaEEKLS0tIEthWng2aG10dmhFL0NDOVVtQkNt\nM2E1b2hwSFg1UTI4a1Ezb1E4TkEwTk0KL5DRcCfktSML0UR/DClDpwV2VyHT6slR\njbi/Oel2TSHvrM5gdZBf4P29em2JSnQsi9UPrOB++MXAj+Obo7xgEg==\n-----END AGE ENCRYPTED FILE-----\n" 16 + } 17 + ], 18 + "lastmodified": "2026-02-08T01:58:50Z", 19 + "mac": 
"ENC[AES256_GCM,data:eWbUlQ3oFmqRCl8HYNfqL/JUXWfzF6RaTBjJ3QdNZhrqIFEkZ1aa7WjaVKZceXrcr5ZueBvhm78iJAUgA/z/ovmgmU13vhRjDXJqeJ3sqY2LAheTvzFRe/LPehzOwW4D4/sYosRrZZJ6wx5xnMBCTzFmaSPaCC+6MTXSiOb99C8=,iv:l4Ke6xyBoMQyw83Xf3xEegs0zXgHzxppsjqv0ZWeOkE=,tag:3BpnxUBR0jGfoat2A9V9kQ==,type:str]", 20 + "pgp": [ 21 + { 22 + "created_at": "2026-02-08T02:54:22Z", 23 + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA09oKgMfawMUAQ//cVrx478PUOMF4QOVAt5EngXzk4DSiAy2T/egJAeAOSxc\n8fPcZkDEm2DNjd5Juo1TCd5J0X9aa/JK7F7g1Vlq2liR1GxJnTKccgorAggcCXYA\nrYAgPAcq8fKeosmLJpgjNMJztmp2qG1ovp9JeaHDboTU5FhEwyg4IH3cAjLVLrxF\nEW/BzoMMYWveNywOH8n0cdbHj1Qr5Laymyl286inl05XSNYyHiF4u7owgGQs+vku\n7OkEoRvU5AyMjl4k5W55JuOGWk1UQeV66ND7sJCVG9fccs0i3yTBJouPPIIvIkmr\nj8MvWBuqWAiJaI/HOvEO1RxmGOhbvSodfwCVC9A795KSItdS4C7X7Nn0TVhMCdcd\nse1KC11FrK8ao5jzAzPQTodDZtoRConRLV/gtFpqpLavkK5+qDgtzlVsMf+/GFv6\nAGBJHiDgS18tbXvHmQOPnKQD5A5ratrPCNFBaYn1Yi4GgZLOh9w/mANJFfweZCxS\n5w1eWwkNRBxW63Hak7VoUvEySrJJzNuB5lj8Ge1c8IN2XlUDBZPwLiZSYOz9bQb4\nW0VCQibtUI9dxTW3HhrW68JwRrIT9zH0DHppR+kJ6FWCkWoLAV8gry6+zJvb1Swc\nX1/vakMtmqOY636aHMrm3N/DF3a8KjHYaIMYTA0/peA5wwlim3nLfUy3muUHHCrS\nXgF3Ton57GVLoviXQR8kL1nG5XEjd2LJo1g8phusBGg+4sGrIdhvVW8gEDj8CSyx\n1rRrllz2Eg/vKrERpClIQD7r4a/SruglwgUwSJLLfsRxZLNlqtkLq/LXeeseV1A=\n=VyHo\n-----END PGP MESSAGE-----", 24 + "fp": "D40CE1579C09BFD7EF4AB7E631250420834310B5" 25 + } 26 + ], 27 + "unencrypted_suffix": "_unencrypted", 28 + "version": "3.11.0" 29 + } 30 + }
+26
modules/sops/psk/snow-den_snowflake.key
··· 1 + { 2 + "data": "ENC[AES256_GCM,data:J0pHqduu1EgZx9xYtrSml8un2sRzVE1xwNTqZLeVulwKJG4Af8e/t2ip9BQV,iv:xILmyGfnpQQvVfiuDcaS7Z6tHqVaX6Lqweqn+OHvSjw=,tag:yFHAtmGmBvoz8xzdC69wqA==,type:str]", 3 + "sops": { 4 + "age": [ 5 + { 6 + "recipient": "age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg", 7 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0eUFYc0ZLNDkrZWJUaDlD\nRVZyL0JNSmJhbjZUV2wrWStteW1WWFhMRjBVCmxtRkh5c21iekZ6aUF5cGo2S3NV\nVmZlUWJWVEVoV09qZEdhMkVka1VJZU0KLS0tIDl2TzNPN2Y1a1BkM3JDS1Y1U2Yr\nQ3gvYXdnUDFNVFgxTVVXRkNZK1hVME0KZEvNxEnrPdU1gYEnILYIvBML5J/jY6FQ\nTLhhTAF0jiJeuHVec5pGdzYk+Qi7TyrEZM9XEAjagSmD3ME5PWHOuA==\n-----END AGE ENCRYPTED FILE-----\n" 8 + }, 9 + { 10 + "recipient": "age1qqex87tl6kq68hszp66z49n95zurcxcvveumpxjvh5w2yhx8g47q5s24ya", 11 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTmFySW1JQm1uRWg2UkpO\neDBlbFM2eVZEb2hWay9DaU5GR3IvRkJrMWkwClhnYWd6eHg3T2RBQmRDTFRtbXQv\nSjVLYkhZZWU0U041cGw5TzRTVVZIQVEKLS0tIGJEVFYzalBUVXNIRWgvdWdIVFZF\nK05mZ2hVZ240eG1mZGZRNHBKQVdzU3cK8gOIktkGpaU01U9u3JX8vS7ki7i9zCnp\n+bc6Ok6y2FLlLCvhZGsXHdjNRMQO/G+qwSzu9ErosVAN3J919dUXEA==\n-----END AGE ENCRYPTED FILE-----\n" 12 + } 13 + ], 14 + "lastmodified": "2026-02-08T02:04:00Z", 15 + "mac": "ENC[AES256_GCM,data:LwhoPV3B7QiSdgdh+epC0cee36iQka+hBo7/9F8MN/lkLlutCwVizerFEhjZpeWLYnfNmYu0kBkGEepJ2QXozNJM2mCwoaXvhHnlRRJAO9bUQ2vZK5DCY2t27owD1ytWVBv0Gb44UTokuch+qbgT/1BCz7kE2NXG9/H98Gryw30=,iv:WoxJcInLYq2ImwF2yP5aNxOCbG1ydQ936/dUDXdcnL4=,tag:+ghwOQGeWCXTlu9AdC02Bw==,type:str]", 16 + "pgp": [ 17 + { 18 + "created_at": "2026-02-08T02:46:47Z", 19 + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA09oKgMfawMUAQ/+OnXuCujp9/y4/moU7WahItgTxH7/YknRvrFNmcpjCQpa\nq9IzsobQGyD9vf9sUIXvviIo8XU/iEJR6euPlP7Xo74+9Vv++Upn9nXGgTaGMVvH\nao3A4klCjkRBJZOpEIVJJwVW7BOEOH9YE2o41k6oGZ5GhTvELWY9Dwxs7Eh4F38c\nQZspjfZm1NVKCRgoqTQysb2c7e8G4bFLCq5bavu5aCM9LN7+UIaQFK1JvgxFhInq\ngTq4o6sdIvHjvdhjMn4YlcBYW7NiUpvy2mZWTXmOK9de8IIBle8t4vfbD+KnLUiY\nLQtYiqGNa+binI4VsjCF8tifhQSqtC5KHldWq1I2mNAQccwMlnQRrwbeQGsD4eiM\n8G6SNclVtpxBf5H967GBv+S/CclI1+l/6s2xu7hoGjZaeYCY5KNrlcnlkxQwmP6B\ngGnqxRINyZVR37+7SapbfMG+7HftQ6xeXkdxVxj/+AK/BzTY34kqktvn1P1qKhMM\nYK5tg8aJRyQsgkwfQUq06xw9xe0HNq84FEiBEB/ZAmsnO1UbfOft/7/nWle8FeIy\n3iaOrCTL1z2p/9it4MdSbABR3U4rCa7uebrNvmxDyfTxQja9J/76FMsUWCqjMcGv\nbRuWk1UK0VOuoiFGl/MWgZlNq1tRW6eh+9mhZhOUQ9gQ4T2gu3h58VwH2pRJoI7S\nXgEa6U9VlyH7xB+vUoL92nRzAMbGwQoqdBH6gjNo0+X5M/fRM55ULdPqQ0ynAZvW\nLTnBQjEtFwtp88tCpQL/M5BrYOzrb5iEcEZEPX3zpf0lc/lq6/kITsHYhKU5ilk=\n=G68Z\n-----END PGP MESSAGE-----", 20 + "fp": "D40CE1579C09BFD7EF4AB7E631250420834310B5" 21 + } 22 + ], 23 + "unencrypted_suffix": "_unencrypted", 24 + "version": "3.11.0" 25 + } 26 + }
+25
modules/sops/psk/snow-den_snowlab.key
··· 1 + { 2 + "data": "ENC[AES256_GCM,data:yaIFiaaJLxt9ycdzEjnwoSKfDsREq30XAx5P2moAARGZxrNtzzahl3Pq2+5u,iv:3pxuuQBXxSaypf8BV5cmERcUJquxvF/wR7Xat+Zc50Y=,tag:PFo2WTO65uKRFdN5ZwP36g==,type:str]", 3 + "sops": { 4 + "age": [ 5 + { 6 + "recipient": "age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg", 7 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0dHdUR1doU28wdXg0YkVu\nTTdLYytMdXZLSUdOV21SaUFhb3p3TitoeTFvCjBCdzNhSkNKYnFBaVdmNTh0MmJN\nUHNsTUJHbUlmT1M4cFp1MXlDUUN4UEkKLS0tIE1UN2g1WTRRTDljSysydHFRbW42\nUG9QZXFaZUw0dkhjQXE4N290YUx3YWcKDt0RbDT7XaRtAOfMFyZtLTfXqpEC/nbv\nYeiNMfGHww4hGzHHaCXeepIUWPKQQqOtnU8Qz6W3VBzXP+AgkKdsTw==\n-----END AGE ENCRYPTED FILE-----\n" 8 + }, 9 + { 10 + "recipient": "age1yjv3ngyz26qqggvef3ekwdw60dfvcmfd0l6n88vs3axux6vusdhsyzlts0", 11 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHQi9mSHdTRmNXeENrL2Mw\nZkFCNHBCSGlLdS8xOXRBMVNMYmd6VnlxQldnCmZzQ0R1SUxEcTFtWDhoMFFOZlo0\nTjl0Z1Zkdkw3a2FNajFScEo2eTNLekEKLS0tIHc4NHVrL3BXbFp3QjEwUDBhdVpk\ndzJPWmxJQWwwNElxb2gwb3NaU3plSWcKLMmhfQPs8DY/kQz+eHgtVS6kqw/nzaOS\ng2qLyrQq9p2wq4XsguCNCPP6e7Q+rqNmBSOnkWGa1hXWoetytIliQg==\n-----END AGE ENCRYPTED FILE-----\n" 12 + } 13 + ], 14 + "lastmodified": "2026-02-08T02:02:40Z", 15 + "mac": "ENC[AES256_GCM,data:5SeqBOk9g/qjLyt4jhgOQvFB/H+6AVEvvqVheTH9MXJboz0q2jufcAwDdVjd8mMAoW+/pDRYoq4zkz7prwINMYTnPEXsP0QZA8nCMu8FWZT31tCor9WJhLnig7pJZCF55GoJct7fKDyLzRjZZEg+GZySUQZDx2oeiHM8Wj/Hdlg=,iv:XkXBxyq115QZxiYkYrqx7BTqmS1tpH+Ist/yuwuWtJM=,tag:QZRKjd/4peq/FICQ6ZsMpQ==,type:str]", 16 + "pgp": [ 17 + { 18 + "created_at": "2026-02-08T02:02:10Z", 19 + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA09oKgMfawMUAQ//VsHEsmjd+xq8CCuNuXmlB1I9VwqroU7YghttwMI8iw7J\nNE1pjJwVC1hWjHVGt0n1xlIvhG9UTTligFveEBKjhAir3nJJbcQRlmLqBKuQuwBv\nZXU9HdJZLQcNHKI9NRu5w84aWQ+k81xP20Z1o6cowE9isHrIY+tGon/qH9KtuCFI\nt1HyihU6VnG1yqE0JLayZZkWnNSgIrgQPe3aW6GzmYP7Gc7PuPmUjtM6LJVz77bq\njgspfJUsqhSGLFKpWvy0+zLMFDnBZO/oqsB2WBX8ihT7q/Rbl/sQH6Y+WkFz2ZGP\nPXLvM0mHZt1bqXmnOFtx+DmSojoLdX6QKAyeO7sKXgaPbnmmZ3KBR+JUiXyHz0W+\n+FWbWvuEtrx3Vamir+GARH0mPmtiPw+xctLMeRj9OEy8oMTqNVXNWihQ4E3t5Ong\nyokyyPUgEZgDl8igaYW0pWYXC6m7pQlAGptSEvot/+es0xxYfy6XSS+jchOpYGl7\nYv78oQ2ck4qpU45Spm+4H5XvrQQwietNcy80UKWe+TB215UU6OMgNE7QmXBbhrng\ne4xuJS1RrZbf7cuxJgKP7biMKsJp98ZlambDek9/18vgO0MGrpLGv6wc8E1cxS0+\nCWwerICyYme2sR1yz2bo45pxDT/48LcVLyOkBEWx6l7gV7OEWhrh+dvzVU6JVKDS\nXgF/plfxXJL7SCPLbdkuPT9kQZ53pR8AIFYlSnTVmtqwjp91O3vttRO9noMRhd1I\nuh2B+Wg3cbNxjpdd7CkVpCMOAPiDrm+vSAlGrz4EeNxCeWdLsuBvdrs2IrjoATQ=\n=+z1l\n-----END PGP MESSAGE-----", 20 + "fp": "D40CE1579C09BFD7EF4AB7E631250420834310B5" 21 + } 22 + ], 23 + "version": "3.11.0" 24 + } 25 + }
+26
modules/sops/psk/snowlab_snowflake.key
··· 1 + { 2 + "data": "ENC[AES256_GCM,data:xBs1CZRSQn/Ro5lob8IpPO7Xr66HhPgX4cE2vqH3TJQCoj1sOcVgAR36z9le,iv:D6F4MEI2qi9vBSjWYFJx0j4siAzgEo+nnwl0n2bm2K4=,tag:2mHTx/W8bH2hc1zGV6a7Ew==,type:str]", 3 + "sops": { 4 + "age": [ 5 + { 6 + "recipient": "age1yjv3ngyz26qqggvef3ekwdw60dfvcmfd0l6n88vs3axux6vusdhsyzlts0", 7 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTeU02RjVDUXBmT3Z0d1hi\nU0J2TXppOVZsNHBGbFhubGxPeVVBd1hPU0h3CjRTRzdYZVByKzRVOUgwSzhNbzIw\nSDB4Q1ZKZTVCUFFxajUrckoyZi9PdUkKLS0tIDh1QVlnTVkrV1dobUFHZ2p3S2xY\nRGZRZ0ZzbjZuaTRjd0JxK0J2NjJBRmMKhH7TqgI6wI2Qt0fYC2P6KAIB6w1j+gES\nFiawU4VXRLrJ5KUCjb1hxXNiauwJEqvYR9HDKGbuvXzr8YlXkwlVIg==\n-----END AGE ENCRYPTED FILE-----\n" 8 + }, 9 + { 10 + "recipient": "age1qqex87tl6kq68hszp66z49n95zurcxcvveumpxjvh5w2yhx8g47q5s24ya", 11 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLU08zZE9pcWNEa2lRaWNl\nTzJBb0liZGs5NC9zWjRRRGZHYWZjLzRPWGtFClZud0lKZDAxUVVhdE0ySXlsaGlQ\nNDR2VFpSQ3FKcTQ1aXJOR0tGZEFONUEKLS0tIEZMSDJSem5tRGdBM3BLb3FnT3l5\nN08zRkJEcDNMOXJhYjJiT1RldmJ4dEEKC5HWHTewhY5n7B+726sOud//mem57NhA\nZEun5JxxBEokNSwBwIrBq9j99MWXeTvNYmTZqqozM7fWIIFBB3OfIA==\n-----END AGE ENCRYPTED FILE-----\n" 12 + } 13 + ], 14 + "lastmodified": "2026-02-13T13:07:21Z", 15 + "mac": "ENC[AES256_GCM,data:R8WLJukVG1aZg1D5qCXDtHeuRtq1sRr2ngIncWiMkR3jVXQTk1HhXiMyBM38DsxQOkb/xeIxDcva4nHLHzJeT7DObmwiUkse7dVju0SJFSWm7bPj8Ud/SBpla5V8oS7Y8ZrMYK8afO3H7ho+2XDY1hHCT/JvhKQu+t9vGgCArwI=,iv:mJDcoBkSl6zZhLqfgjQ7CUfHCm9qeH47En3tfEiqTHc=,tag:83UHK78ycExU2/5Hxw5qHw==,type:str]", 16 + "pgp": [ 17 + { 18 + "created_at": "2026-02-08T02:47:25Z", 19 + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA09oKgMfawMUAQ/9HmsvMsLaf1jg/CSSyO19+/YxPJbuu7Q72FCmmRQ1EIUt\nWwkMz6+U8JrCQM58mk4xV+STfBRXPtgmvZ12dA5wuOVi2LnPf7xX7fZAvn/5mQdR\nDQFnVk818AhHrpnVaHVcc+wi0rjmjy5LcL5lq4PC9aINyu27mo/dcQYtKrq8KLRG\n5Lw/OQoHWwvO2eL+XzR6VUjRrgGJqbsKjgKYqBKoEIMXJhzixR7Q+bLqjDpXZZqR\n4QyktIig4njND+Wn5tGLSu8ZyqI9q56Wk7ln01Nu30mX8iKIiy8htvgb7EgrJxl8\nycgbx1Kcgd32lk+B9T+f3UFJEEYmNGLJr+9ZJ9Kg38tyMCk+CrvWHBpRGzfocPjy\n8+x5+SpLLnZMmCLmEpZFKjvLKa0rnjsWFNJN5jDBiJ/uffP9RCDIHuzWkEJMbCo7\nd3XZqUE3WW45PjbFr+Me9dNT5EaENm0g8675vVYAzea55kCEH5HeQhp7NLgx1v7i\niDbimQzRJu+3fz7NE37izUNSVM/M1SBdYmTrNDCrvvcqhbJvcRG94OWYoOG0G7t0\nKr7aeEoe+rozj1mDjmxIuZDWlSS11tRVBZ7+usTjLu2W1T4T8wjgy9vyL6HHQhM8\nGmWcaPgThVij+0UpwefX5RFDdkjZtLibSO4Cgu8BXkiY7sovikxrqKopyrMcy1XS\nXAH6fLueBBX/QqUMiR7W43Dltbh2NGGEmTk7bpxqsKvY5WxcruHbERKdIAVaGwV9\nZkjYLhTmuSQo5IX+ViNlpVvhLEFsCV6MN8V25ekHpIKL8WjE73lqS6OcbloM\n=/xk3\n-----END PGP MESSAGE-----", 20 + "fp": "D40CE1579C09BFD7EF4AB7E631250420834310B5" 21 + } 22 + ], 23 + "unencrypted_suffix": "_unencrypted", 24 + "version": "3.11.0" 25 + } 26 + }
+37
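--- a/modules/sops/snowflake.nix
+++ b/modules/sops/snowflake.nix
@@ -0,0 +1,37 @@
+{
+imports = [
+./all
+];
+
+sops = {
+age.keyFile = "/root/.config/sops/age/keys.txt";
+
+defaultSopsFile = ./homelab/default.yaml;
+
+secrets = {
+wireguard_key = {
+format = "binary";
+sopsFile = ./snowflake/wireguard.key;
+
+mode = "0400";
+owner = "systemd-network";
+};
+
+snow-den_snowflake = {
+format = "binary";
+sopsFile = ./psk/snow-den_snowflake.key;
+
+mode = "0400";
+owner = "systemd-network";
+};
+
+snowlab_snowflake = {
+format = "binary";
+sopsFile = ./psk/snowlab_snowflake.key;
+
+mode = "0400";
+owner = "systemd-network";
+};
+};
+};
+}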
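Review bot: `defaultSopsFile = ./homelab/default.yaml;` makes the homelab file this host's fallback, although every secret declared in this module reads from `./snowflake/` or `./psk/`. Any secret that omits `sopsFile` (for instance one pulled in through `./all`, which is not shown here) would resolve against the homelab file, so that file would have to be encrypted to this machine's age recipient and more hosts could decrypt homelab secrets than need to. I would point the default at a host-local file, or state the intent with a comment such as `# shared with homelab on purpose: <reason>`. modules/sops/vps.nix makes a similar choice with `./vps/example.yaml`, which appears to hold only a placeholder key.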
+23
modules/sops/snowflake/wireguard.key
··· 1 + { 2 + "data": "ENC[AES256_GCM,data:85yFVsktex3Y5H+tRzNSSyWkL1XxGvT25oOhjDLVMoJ4VBUuAPlF8bmL+KnD,iv:4WRrTHc9i9b4BHmBQIvSje4eML+Ave4m5DywQvvMLJ4=,tag:wC5ccSnvmq7iAA/KaGAw6w==,type:str]", 3 + "sops": { 4 + "shamir_threshold": 1, 5 + "age": [ 6 + { 7 + "recipient": "age1qqex87tl6kq68hszp66z49n95zurcxcvveumpxjvh5w2yhx8g47q5s24ya", 8 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3djl0UUhNT21rU3p4eDl6\nSU5OOGx0cGZHT1lUMkJBTzB2bTZnZnQwdGxrCldxNTZlc1RQamZPRFJIY0FMUTRS\nMExwM0wrNmkram1JdFFwN1p4ZXgwWEEKLS0tIGh0dWhMS1Y1MmJHNm0yNVdWTUdG\nbUZmZ3BtZjlPUEF1K0lMd2htRVlPUmMKn4Va0+leR4mDIYYoGc9GPh2jCovwLwNS\ntxdpFMsiz3wKNsmTyhkxUqE66uCyywKvi5XwJDzJbA6bRdwGT6uYtw==\n-----END AGE ENCRYPTED FILE-----\n" 9 + } 10 + ], 11 + "lastmodified": "2026-02-08T02:19:15Z", 12 + "mac": "ENC[AES256_GCM,data:dBtZ9uBySQ0eJsDDyDCPSHFV5JgHBcaU4Jl9QpSFhjsmQ8Q8O3Wo/7AXkTB+eXewdzWoR3Oyvxq2GWRiPnhAQlxVVJ6sb6eCv0LU4my1aK4Zw49UB9PEOpCpM2ZZOHSJYvul45aVlGoBZeJqOCFoT/Mr7AjIiEmo8tcOKdFE1VE=,iv:RZEM5KahLMEjUA14NaCrcktzTJFHmBlGbdm2bJbFroI=,tag:eZFB4H2900wHtA4IodHDog==,type:str]", 13 + "pgp": [ 14 + { 15 + "created_at": "2026-02-08T02:44:49Z", 16 + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA09oKgMfawMUAQ//R9mSlPb6fA1xzUBVxCI5kqFKcuqWCPuTWn7ENMfkf/hU\n4i7IOb9wLhwwa8TPubQBQ5aI3R+c5+0zv0cnEKwEk6mbiLJL7OK4aeglp6TpBi5N\nFA7qpykxSmX/3BhU/nmLwVPJDH/ISS1MdIqeIGcRQA7eZJ8a+A3bDoXX8Xw4C/rY\naIaVwEgoEiCAjutmmX3oxqEF2s2p8u5qtP3E2LncvB5T7UG1eRdp3Xlnwr3LV1Z/\niqHuJ0jamCumm4NKUjjRHdW898UlNN7wkheew6W/78zlj67Bf4O0x8uZ/Y18aoDy\nNA5Y8Gi8uClRs9kdlHJHDdI32aEXHlfSBfBe3xjSHk2lFkf6vgzR8dlx79rrXepK\nk2z4A0MJGJ5h16UIKQ2NbsT/PoFLMW0Y5MD8J+1mSTPfPOUHGWUfuMwWsDWUJQbz\n3zk+J6sBrvlgPSYFC9nj3faYLNT1Csvm3Hr3x1HJsnX7eiPSINFSBEJuoGeOYmTc\n46M80djveSRjXRFfenbPx9vx0nKevccbh7GDYuNjvrsidKqe59Hyx0ztYyFxDIbd\nJuWcWPbZfwqRir5XqbIE1/TBXB8R7D06JKPDzA5yq3yE3YwHpIt41tEAVE/Hu1eE\nE3XC2WtSHDdcM6kgElTx80g+XG3Pyf56Biy0hF+nl8uYmUMuzdlLH/pmhrS0RG7S\nXgHKJ9d9SMXfnw4w41rh0RWklhiWMT01JXtC+UMZfkWae3La0J7cEMqxwlGtpdjj\na8W281zj/RJMQDf6nuYaznStclJyCjtOGD06OXLfnMaiTmfMTJ065gsNSXOcU3I=\n=rRPm\n-----END PGP MESSAGE-----", 17 + "fp": "D40CE1579C09BFD7EF4AB7E631250420834310B5" 18 + } 19 + ], 20 + "unencrypted_suffix": "_unencrypted", 21 + "version": "3.11.0" 22 + } 23 + }
+30
modules/sops/snowflake/wireguard.pub
··· 1 + { 2 + "data": "ENC[AES256_GCM,data:U3sZs+RdHFScp6oWpMZLhPJldAmftzzDQ9wxTUkXW109bluXNphU2HRO3N7T,iv:ZFPdtU4yNCMbuKctEU4t39a3wGrPWtupgZjYLjEleRE=,tag:Yi/AtWyhksQqLuyLf2TEfw==,type:str]", 3 + "sops": { 4 + "age": [ 5 + { 6 + "recipient": "age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg", 7 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQWo3UGg0RnhJT05MbEZW\nei9mVlcvR1pCdXVkeTZXVFc0ZVhpdXJkNFhzClZQQnJLankwNU9obEZFYUYyaUln\nTFg1Tkpab3lnelVzWVdRS0lTbmYzNFUKLS0tIGRoUlErbGx0SzE2OHUvMzJENFpX\nMFduNnNTdlh3MkQxQUpSZTdXL3JMdlUKp9kpRBma40MQ66rtzUV7tpGZr0I/+UxW\nRKhg1huyhPjqQmuTsroM3/nzwJNzFHUhNPZ1Hj7wnia4oA26jRZ7kQ==\n-----END AGE ENCRYPTED FILE-----\n" 8 + }, 9 + { 10 + "recipient": "age1yjv3ngyz26qqggvef3ekwdw60dfvcmfd0l6n88vs3axux6vusdhsyzlts0", 11 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ODhwK3IxZS93c3dla29o\nYnZ6SVdEb2xKQ3hidnk1QW55QjBHREhvNFhrCkZ2OEJvbHZxQjZqQit6YmpLeCtn\ndVo5ODJ1UzRwOFVvejBLZXVtZCtuelkKLS0tIGhNdTVrWDRVSkRBRFFGYUdOQXly\nTml3amNmS2pXSFNnKzZsVmFnbVY4TG8KMePUBF8OdojcQnc6YfcrmJNTWwJbz0vH\nQOQ+/ILS1VqDsKa1H87rvmVkR2wvgGPN6jNyppZdHgSvYk4rE4P3cg==\n-----END AGE ENCRYPTED FILE-----\n" 12 + }, 13 + { 14 + "recipient": "age1qqex87tl6kq68hszp66z49n95zurcxcvveumpxjvh5w2yhx8g47q5s24ya", 15 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa3JMS2NxZk1QditZMk0x\najNkaDJSZWg4NHVORWpuV3VNaGdLL1BycTMwClZkTkhrR0RhazRCdDk2VTU2YlZk\nNnMxbDdPTW85cG9weUcramRDZUNmQjgKLS0tIHlObTBSUG13VG8wUS83bzBXRS9m\nWjZQc0pGQzlBTHJ3TDFzNk1FK0pId0kK6++CNGRDKYGpRwc6ghLszFsLfzLe+kWq\nCiPWLMUXJq9DDLTnT/VQJp5LgrF9uNPDuEb8A7DbmlzxG8N1eMIf/A==\n-----END AGE ENCRYPTED FILE-----\n" 16 + } 17 + ], 18 + "lastmodified": "2026-02-08T02:19:24Z", 19 + "mac": 
"ENC[AES256_GCM,data:iayJu4tu0mewoeyxC4m2HjJY9210yDtOIu2TUW5J40z/udz4K4un6LLfYwHaKwtucp1NozbXBx9/Dx2sUxK9l7RZptbihyc9Dcqc+EFrQyX4b9LjelI7P+aEcxTA/7PCkHhKnLDwNasz6SG8lUP2NffD2F5RJApROcKsY8agS74=,iv:eau4tvefeB7AB40lm7lANPypXqGPYRDpe55J4jTzoFU=,tag:v5h4sx2szEu94tMzjkmkxg==,type:str]", 20 + "pgp": [ 21 + { 22 + "created_at": "2026-02-08T02:41:19Z", 23 + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA09oKgMfawMUAQ/8D63lggrqGhwGwNKaNx2yVrcV3hg7MloKq4xELUqOv0pO\nQNzexI/BORR4tJB6+FgG0/5EBPE4rpS4THmrFf7HAdZ8r7WyBf+AJSGbMVyPmBL5\nQPohT+ul830ZyAFjjmsDQ0JEc8tq+FOli6rmX4WZJoHdVLTG0pZE1fmXi7+cSu5I\nFxHF/Ln9Yt252zRqSz3caclsCdXKZ4SP+WEqdycGyL5A2IUkDY9wPdW9cJXA/lpY\nf3Cu+69gj1couaUFc/8BeXG8lrlzKn/iMZze5inznyP8xbrXQryb2pisPwSoZtX6\nxQIFB7UPbsmtrvHD8FVzh5kc4ku7997rlNgK8B7cdY/jH4P0oj0Dds1HziyVtIM2\nFE/cEWtYaf/xZd6xsVToOYg42MJbu7Iyal6gUX3w+/ELe4/CL51xjfrfScbI7QjO\nxoWL9pTQotJ6a9qtEjyRHrqYgymeLNR3hJIlJsMbbaLQarzGWqaSl9ksMq905NFD\nMi2TNfTdRVWrkFGMB+QKqPf2DtTkonGntJ3z49M5xH7K1bEOfv7EATz1HapXn9A0\n3cM54zpvJD73Hmg335ylL0BxFMnL6PMscOz6F509CGKTtMOMueImK+1liwSZ/s2H\nrdpHjJyLwlhIsDBcodj+27KyhNjQTbrESXnB93ytqImzJa0HCS+o9g3CrOp9Xe3S\nXgFXI2VBbOXHaE5Pa3YJv1l9zK90NoUwtDvw6bvxYvR+/3X7YWHPUbMjQ8c74xa+\nyK7NPE5hR5nplFWnXELHcCEKFCR3vymDs1V4aNrG83wmi6AW9klRPyHDNpQEw8s=\n=uPKQ\n-----END PGP MESSAGE-----", 24 + "fp": "D40CE1579C09BFD7EF4AB7E631250420834310B5" 25 + } 26 + ], 27 + "unencrypted_suffix": "_unencrypted", 28 + "version": "3.11.0" 29 + } 30 + }
+46
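--- a/modules/sops/vps.nix
+++ b/modules/sops/vps.nix
@@ -0,0 +1,46 @@
+{
+imports = [
+./all
+./garage
+];
+
+sops = {
+age.keyFile = "/root/.config/sops/age/keys.txt";
+
+defaultSopsFile = ./vps/example.yaml;
+
+secrets = {
+wireguard_key = {
+format = "binary";
+sopsFile = ./vps/wireguard.key;
+
+mode = "0400";
+owner = "systemd-network";
+};
+
+snow-den_snowlab = {
+format = "binary";
+sopsFile = ./psk/snow-den_snowlab.key;
+
+mode = "0400";
+owner = "systemd-network";
+};
+
+snow-den_snowflake = {
+format = "binary";
+sopsFile = ./psk/snow-den_snowflake.key;
+
+mode = "0400";
+owner = "systemd-network";
+};
+
+postgres_sql = {
+format = "binary";
+sopsFile = ./vps/postgres.sql;
+
+mode = "0400";
+owner = "postgres";
+};
+};
+};
+}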
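Review bot: The three WireGuard entries under `secrets` repeat the same `format`/`mode`/`owner` triple, and modules/sops/snowflake.nix repeats it three more times, so a later permission change has to be made in six places and one missed entry would leave a key with different access. A small helper bound in a `let` keeps the owner-only policy in one spot and makes each entry a one-liner. The helper below is a sketch for this file; `postgres_sql` keeps its own owner and is left as written.

```nix
let
  # Binary sops file, readable only by the systemd-network user.
  networkdSecret = sopsFile: {
    format = "binary";
    inherit sopsFile;
    mode = "0400";
    owner = "systemd-network";
  };
in
{
  # … unchanged: imports …
  sops = {
    # … unchanged: age.keyFile, defaultSopsFile …
    secrets = {
      wireguard_key = networkdSecret ./vps/wireguard.key;
      snow-den_snowlab = networkdSecret ./psk/snow-den_snowlab.key;
      snow-den_snowflake = networkdSecret ./psk/snow-den_snowflake.key;
      # … unchanged: postgres_sql …
    };
  };
}
```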
+39
modules/sops/vps/example.yaml
··· 1 + #ENC[AES256_GCM,data:VCoJrRdEXtuZG4hsS2oTFv16IC7wX1gHKnfh,iv:EAFpXE1fm3A0a1gPk+GOs7eblCOAN58cJ9aDZfg4qvI=,tag:1oMrvTDE7GeGS7eFiZkBuA==,type:comment] 2 + #ENC[AES256_GCM,data:dzZsbdI=,iv:CR6RVtXEO7c81r5cOsanbem9jFAoj1jpOdYFB3n16Ik=,tag:bP2/jVzcDP39ioKrdVQf2g==,type:comment] 3 + meow: ENC[AES256_GCM,data:7HTnsw==,iv:EZ87XxIfKrsz8m1pj69MoPeLh+S0CyW6Wmr4127ctoU=,tag:b5n3dJAgXAP6UE7D6k1Fuw==,type:bool] 4 + sops: 5 + age: 6 + - recipient: age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg 7 + enc: | 8 + -----BEGIN AGE ENCRYPTED FILE----- 9 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTDYwLy9Sanh4aWttNnVk 10 + WGJHQ1lmcDcwLzlEY3hhKzBmQkgyb0lwdGlrCjZXVm1hT1hKOU11ZndIVVhuRHFO 11 + SDN4ZDJYSGRQMldZa2dPNmQyelR5cjQKLS0tIHVPNVBqT3pmWVdySlZPK001c3p5 12 + dUp2cU1wMU1Kd2J2cmlBMmlnbjVJV2sKkKx5nO2auold0qB6066aY1KXAjC2slna 13 + G+Cy8EcjgRh29w5RFRyx541jOGvtf+wuz11R1dUY1o/NHdn2wFhJTg== 14 + -----END AGE ENCRYPTED FILE----- 15 + lastmodified: "2026-02-12T14:48:29Z" 16 + mac: ENC[AES256_GCM,data:hKiqjg4at8pkPxG7qBYnHtHNBbEcb1DjWaQCc7MULoJAylTV4nEh5GvPRgaMg56zBE3rNCV7QHZbwD6jt1mC4N2Vybs98j0PBOkCDBSJQR6oSrikcS68CXpIJOA2LS6wuciQSJI4M5OILVGc7vlvXCrs/C8HynDh919JQVFfpAY=,iv:VINinyGPXLyYBnlPLLeTNUHAwpV5Rg9Jn73FxCJxZaE=,tag:TVh43nQQquii698YBCdlmg==,type:str] 17 + pgp: 18 + - created_at: "2025-12-19T16:08:52Z" 19 + enc: |- 20 + -----BEGIN PGP MESSAGE----- 21 + 22 + hQIMA09oKgMfawMUAQ//WkbrA+iFyXsH1YRr1hT2gxG406yD+c4jfTBY/CAzARgj 23 + vyyjJ5rVcltzXQBKNzgnBFsn6GW95vWVKh98Q7KksC3Qm72NOZtPc5iai3y151Z2 24 + qxiwNFKD/VBIpuxX86MypkbwEuZn3N0teiGTaTx9dKxc9/y4WqjusD5Xp6O2T4oO 25 + 617JWKTTp+66Ca8t8SuUZQ+bl1nNmJOETn7a8Ws+HZe6n0Pcx9VCfHnAGPziVYTc 26 + x5n6z5FnGWf+kmBpExmRiE+37Waa3+YMm7SOY7HlsompVWNww1WyiMnPGs9cAUOj 27 + XsfMnMnoxiGoPeTvFbsLobeY0S8TcpIfJ43LmPqurK4a3/Cd8Z5rKS8BqrpchFy1 28 + uqPzQ/4oKmduzWcTdzmqxBDe1AsUXZZs7Tq2ypJ9oFdQy226baur85PJb9skLe2k 29 + UcJaJ/UTxlnUv4LTCBOXbBglpoFLcwIQeT54MyoozhMBY2Cndj9ffto8UaZwMq2l 30 + 
ppnfAGbUVVk1OFd/DNTzflXDb0W1ZN7e2+4voYlggplFfqqDVEi5b1WyJc6EE0ep 31 + uhJjeokdtKbAwSbrN78+WWnrGFIb6x3w6jh9VTqLw3zFlHL0YIcz5pyJMrA++Wh8 32 + qJwDGpPNVkrq5a1vJovYqtQM34Ih9MGLQvf7cCbHDoO+1OqGULGlm3jXtev+/0/S 33 + XgE2h3SCo2eCXBGaGYttIq+s0QDFNueT7luAvr81wTHBiKnMdg7cnjkJPebE4AM3 34 + OJKxYUb7ie7MsDTZBiR6Wgpp0Ygqo1J+YTcyQPeKy/HbmLiv9jlAmRKqxxIVHjg= 35 + =JhLZ 36 + -----END PGP MESSAGE----- 37 + fp: D40CE1579C09BFD7EF4AB7E631250420834310B5 38 + unencrypted_suffix: _unencrypted 39 + version: 3.11.0
+21
modules/sops/vps/wireguard.key
··· 1 + { 2 + "data": "ENC[AES256_GCM,data:RyUklSzCpA+PYuACvc0c0EdB9gAjjP2fdtMAFgzTD3sUK99DPZzqrGwGK2Ha,iv:BYJaC6VK3D/P7RZtrzoneOUvJMJ68aHYrTMGk63PGMA=,tag:CeVP/aFn3ZxO5LLrvE8iuQ==,type:str]", 3 + "sops": { 4 + "age": [ 5 + { 6 + "recipient": "age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg", 7 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWnp2NWw3SzRnZFVDNW9W\ncTkyRDVIcEZ3MEtIWW0xdnZLNmFSaDFQRUFvCkxIMldGRWtsOGlKRnhMNXpwSHpT\nbFgydnFHNHNGZW5vZGJQZG50QkgxaE0KLS0tIG1ZS0Q2R01wQ29sdnZmYUI2NWkz\nMFc0aWdabXB4WXduWFVzUjA4aGpkZGMKbJ4Q9k9jSNqGmdiaF9wZNdNO6ajOcnZs\n5nYFfq+6XcOyl073VQq/GTuHbVszEFLbKJxFedww5fm1wDurZ9T2EQ==\n-----END AGE ENCRYPTED FILE-----\n" 8 + } 9 + ], 10 + "lastmodified": "2026-02-08T01:42:44Z", 11 + "mac": "ENC[AES256_GCM,data:W3+ZQFVUR/NCtLqWYUMmxbv1lnOiR8JclUdpitjgJRD6KmXUGvcEjv25SkZh9QfHuES3/giu88FpavYcITNGGQ8avOQAD2pfejNSJRAS9FBD1nCE0S1e3V03rXdlqbpmr9DTZar4ydWGUhNUrdzzv+ajVlYw/VoO7YQyFoEPSCc=,iv:XWsExRyNp1c/DcCkE2lv0Mj7hgY3OUvTBktA4gw4ViE=,tag:f+gNIFPutevzji67QYYrhQ==,type:str]", 12 + "pgp": [ 13 + { 14 + "created_at": "2026-02-08T01:42:39Z", 15 + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA09oKgMfawMUAQ//RTwldlRKuKXTE8Uxq4yMp/uTJAwOzzRoYefJOjb+sRHZ\n2CJgD6cnIytozeP4By5HUINxyu8X6qHLAjWIrcA+BHpBrk4MA3MromMCFRbczKqD\nO5IHv5qHhg5ti0+jD1IOHLIsMc6YFZUVcaQeR3B1srBP/MgdNxnPZNgqsFF2qoTJ\nixpyvB24pjQbVFxJhLuzph/zfuHFk6kTnrgk7ChFAjX0vAyvgJDT5pBvpIHtjPfk\n8QuwJGVtVCnrnT1UDuRkWtOp7IUpXQzwknbaA/ApIXx/XABLUNRNnCrf0EHHLnGo\nkr0l6MpFngCFIceoygbjzY5f+Qg4fxAcNBf6zQ5Rvz3u4AnF5Yw2EgzxGUWyjl5H\niCksZJpmMvd30mDrj5Uq4wAq4055SP2MCyY2N8mjBFqlihJWYr7f4x+MXge/TXas\nngPPtETTvmji780FvLEiggy6ldCblHS8HYa1tTtfqXGC7AG3JJmLvSKEE7FWVtZ+\nV8ZDUKNz0qg6rEuNt03JA3e5MY671DoQW0ZR534OSsD24t+ZLF83epbtsEGq0ILc\nhVoJsCX2WjTfelWQ0geGMcZON9Z8RNjIDQ9gmkeuKR79iXcgql64kiJjUeXGx8+v\nwMBJcgalOpwmgydn+5OoHb6gUbe/0bYsSd1/HT31T5gaiwT3G9VnVxjkRd2vESHS\nXgEJb5tG4LLcDGbZMTbRJdJ95l+qvUmr7yNfosLQzke594ixXXMekonzKwY4B2uQ\nONZ67UHa9CY2pSv0hB8jcUm31XnyKwfFqmc0PtNF26Z/n5qLiPaK63wvtpMiD2Y=\n=8F5t\n-----END PGP MESSAGE-----", 16 + "fp": "D40CE1579C09BFD7EF4AB7E631250420834310B5" 17 + } 18 + ], 19 + "version": "3.11.0" 20 + } 21 + }
+30
modules/sops/vps/wireguard.pub
··· 1 + { 2 + "data": "ENC[AES256_GCM,data:B9eWxHa/tEtEU0zaKPjkQ3DMiFlJFcC7dloSaoUJteFFExQSK8mQjUSL70N+,iv:q0PwSQAlEkoZ5kXVradG0rChJcUuRjqQdDQDSVQWvRg=,tag:srGF8fH6qLW/cJ9nCwbsVQ==,type:str]", 3 + "sops": { 4 + "age": [ 5 + { 6 + "recipient": "age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg", 7 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtT1cvMUZQRlBLcmh3UzFS\nTDhySmd3N3p5MkNZN3ZORnBoT3pJd1ZoQzE4CjRsVjRIaXp2Qnl6VTFZN2F1UmxC\nWmpHTHpDcER6VS9nWGo0K1BkWTIwODAKLS0tIDNTZysvUjF2NC83a2VqK2x1cUFi\nMHZDbllsL0VKUjNFZjF5VG1LWWZqUGMKeeTgjarg1/cxs9CzuEzoDez6pEbdVXHk\n3nwYvh/2hMLe8XlNE0Xn1EhNdH1kjwI8wFkp7KGyCVdLIHu/aF1qfA==\n-----END AGE ENCRYPTED FILE-----\n" 8 + }, 9 + { 10 + "recipient": "age1yjv3ngyz26qqggvef3ekwdw60dfvcmfd0l6n88vs3axux6vusdhsyzlts0", 11 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxM1pXMy9EM1NaWXlzK3B0\nV0JmU0xrTFRPZTkyZ0xxUzBILzJlSzZzZXpvCm5FQTFsZXBtajluY2lGMDgrMnJt\nR01sdHJaQnRlZU1FT0l6Z0FWWjhzK28KLS0tIHppYU1GLzBEbXMzbG9oWTFWeEVn\nS2VjRDR0OTRMcE4wbXo4RjQ4UkJJWjgKREn0YQtKboqI3uVZC/NwpIVsD3xBXKm0\ng+iKHbA5w0g35v9o6onlhe64b/Qx38OPLXux1wzzBb436qLcWjk1lg==\n-----END AGE ENCRYPTED FILE-----\n" 12 + }, 13 + { 14 + "recipient": "age1qqex87tl6kq68hszp66z49n95zurcxcvveumpxjvh5w2yhx8g47q5s24ya", 15 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFV0h5V3JlQkx6Zm1RbEU4\nSVlkYXZuNG5mS2dzMlF1UFNLcjBpWmIzdHd3CjNCQXo0WGVGcUxTcEt2VCthU0RC\nUGtnRHVpSGwrT3h5VFlMUlhtL3JUQjAKLS0tIDF0UlFJdnUwaUh1b1F4RHFTaDkv\neFExQTNOZGZUSSt4c0pHZ0wxREF0ckEK+HlPhQliQwbCbbmg1Kkk1CxClJMx5em6\nibryd1pJES4KBllt+Ng2OB120UZz6bB4EjgEU86KODsKIwjJaRC1aw==\n-----END AGE ENCRYPTED FILE-----\n" 16 + } 17 + ], 18 + "lastmodified": "2026-02-08T01:58:36Z", 19 + "mac": 
"ENC[AES256_GCM,data:gvm626g2HSA2ABdwsHbupJ9lqcIkOem+ban+GkkpTSCY9FxeuEKnr74Z8RIb3oQyG9bbAupobadMpW+Cs91xg72dnzhag5Lz6p3p7xKa8HMs2zwVTNrWzNPOLW9ffxhsYxWslk1guOHGwpZoabFqs8O9b/v3x+usXdVibygE6K0=,iv:guw/5tN6KGbZTCOWW4TnUHUgrODmlAVOHIfGb/5kB+A=,tag:VaVN6b2fyEwajtrrfTX2WA==,type:str]", 20 + "pgp": [ 21 + { 22 + "created_at": "2026-02-08T02:54:14Z", 23 + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA09oKgMfawMUAQ//aE/V4HZGdbTTtU+eF5R07O/I91VJuOC2DoaX8mz9ktj7\nGjX6AdpXZ68DZ73CYqjROy8ol63tfXN/vEe2F5RY9jnxwGa6rcdkyMJoyzAjdnYs\nQnzd2BqcuFhK6p2Wde39QBoVHKzmPxsPtpK1ljui2uMDC0CXYBmh72nBkQGcSPcD\nZdm7Q6oWpNGi6pPM+1aoFCeWqoac5yo17nb7ZEu4/MCwyeNH38fR+qk1HKGhukPT\ntwtYgzQbbTvgGm+iM406JU3+3VKlP4OTVf9oe7K6b9XhGEVlnDFqbEmWFpnzGUM/\nvPwyx7WtAQFXnoYKNS8jzu1PXG8yg/oetx8sNqMZqAldyqQ33fFT2Gl7mdYK1ZH7\nk1E9B5CaS7ShW/B0thi+KYNlTOKYUVHdaFDSWSEYpijsdne7RXjusDrqGFfiNxDs\nvWRyl3LYQidjX8VCWaPaIJ/YGvBuJcfxIFb67+CGe07TurqYpUgbQFYLmEyop95b\nrerW80pp+rhQMD4Ro2mZVfVuXL/rvIe1IDEkqjvl0Rw+NmXsHajFP8AplL+J1RJB\nGxG7+Kn5sycsK2ouDXXYCnXSClUjEA0qy0LJ3kUwYcb4qX/MK7KzpKN6sdAb60/f\nq6VbG9/lqd0a8vkCQE7+S+OUJQBhdHHIlNAgCtC6uAVI2M5tCG4zvh5tdNAyAszS\nXgEJFf0HX8NjvK1A3irELFf51HiJ9UOwIhJWUvxhechbRiopX0mnNO4stNF1/FNi\nJtL/osH5BvUj5KKDLosI8nITaeD6M2CoUGlp3xpHPZgA4nQ3Eyoka76aDbepYXY=\n=f6Jv\n-----END PGP MESSAGE-----", 24 + "fp": "D40CE1579C09BFD7EF4AB7E631250420834310B5" 25 + } 26 + ], 27 + "unencrypted_suffix": "_unencrypted", 28 + "version": "3.11.0" 29 + } 30 + }
npins/default.nix modules/npins/default.nix
-149
npins/sources.json
··· 1 - { 2 - "pins": { 3 - "flake-compat": { 4 - "type": "Git", 5 - "repository": { 6 - "type": "Forgejo", 7 - "server": "https://git.lix.systems/", 8 - "owner": "lix-project", 9 - "repo": "flake-compat" 10 - }, 11 - "branch": "main", 12 - "submodules": false, 13 - "revision": "549f2762aebeff29a2e5ece7a7dc0f955281a1d1", 14 - "url": "https://git.lix.systems/lix-project/flake-compat/archive/549f2762aebeff29a2e5ece7a7dc0f955281a1d1.tar.gz", 15 - "hash": "sha256-NKw96t+BgHIYzHUjkTK95FqYRVKB8DHpVhefWSz/kTw=" 16 - }, 17 - "hjem": { 18 - "type": "Git", 19 - "repository": { 20 - "type": "GitHub", 21 - "owner": "feel-co", 22 - "repo": "hjem" 23 - }, 24 - "branch": "main", 25 - "submodules": false, 26 - "revision": "9d0c8d4b44f661910595b07e6480557644c1431c", 27 - "url": "https://github.com/feel-co/hjem/archive/9d0c8d4b44f661910595b07e6480557644c1431c.tar.gz", 28 - "hash": "sha256-cKETEBrseo7Iz+bOzflwy1xTpDuUj3QaLA+P49yJw8k=" 29 - }, 30 - "hjem-rum": { 31 - "type": "Git", 32 - "repository": { 33 - "type": "GitHub", 34 - "owner": "snugnug", 35 - "repo": "hjem-rum" 36 - }, 37 - "branch": "main", 38 - "submodules": false, 39 - "revision": "edac54b7d57ad72cc4b124da2f44e7b2e584f3c6", 40 - "url": "https://github.com/snugnug/hjem-rum/archive/edac54b7d57ad72cc4b124da2f44e7b2e584f3c6.tar.gz", 41 - "hash": "sha256-P+59TbVusYqdx2Jt2liwvQ+hslUzU6M1ezRDy6c66Tc=" 42 - }, 43 - "home-manager": { 44 - "type": "Git", 45 - "repository": { 46 - "type": "GitHub", 47 - "owner": "nix-community", 48 - "repo": "home-manager" 49 - }, 50 - "branch": "release-25.11", 51 - "submodules": false, 52 - "revision": "366d78c2856de6ab3411c15c1cb4fb4c2bf5c826", 53 - "url": "https://github.com/nix-community/home-manager/archive/366d78c2856de6ab3411c15c1cb4fb4c2bf5c826.tar.gz", 54 - "hash": "sha256-tNqCP/+2+peAXXQ2V8RwsBkenlfWMERb+Uy6xmevyhM=" 55 - }, 56 - "nix-gaming-edge": { 57 - "type": "Git", 58 - "repository": { 59 - "type": "GitHub", 60 - "owner": "MrSn0wy", 61 - "repo": "nix-gaming-edge" 62 - }, 63 - 
"branch": "nightly", 64 - "submodules": false, 65 - "revision": "cbf0780954e15ef909140773eeb92370237655eb", 66 - "url": "https://github.com/MrSn0wy/nix-gaming-edge/archive/cbf0780954e15ef909140773eeb92370237655eb.tar.gz", 67 - "hash": "sha256-o6VHnCp6E8aFkEF7jTAnw/cBJ3T3z1eNNTUhDF6l7AY=" 68 - }, 69 - "nix-index-database": { 70 - "type": "Git", 71 - "repository": { 72 - "type": "GitHub", 73 - "owner": "nix-community", 74 - "repo": "nix-index-database" 75 - }, 76 - "branch": "main", 77 - "submodules": false, 78 - "revision": "82befcf7dc77c909b0f2a09f5da910ec95c5b78f", 79 - "url": "https://github.com/nix-community/nix-index-database/archive/82befcf7dc77c909b0f2a09f5da910ec95c5b78f.tar.gz", 80 - "hash": "sha256-d3NBA9zEtBu2JFMnTBqWj7Tmi7R5OikoU2ycrdhQEws=" 81 - }, 82 - "nixpkgs-stable": { 83 - "type": "Git", 84 - "repository": { 85 - "type": "GitHub", 86 - "owner": "NixOS", 87 - "repo": "nixpkgs" 88 - }, 89 - "branch": "nixos-25.11", 90 - "submodules": false, 91 - "revision": "fa83fd837f3098e3e678e6cf017b2b36102c7211", 92 - "url": "https://github.com/NixOS/nixpkgs/archive/fa83fd837f3098e3e678e6cf017b2b36102c7211.tar.gz", 93 - "hash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=" 94 - }, 95 - "nixpkgs-unstable": { 96 - "type": "Git", 97 - "repository": { 98 - "type": "GitHub", 99 - "owner": "NixOS", 100 - "repo": "nixpkgs" 101 - }, 102 - "branch": "nixos-unstable", 103 - "submodules": false, 104 - "revision": "bfc1b8a4574108ceef22f02bafcf6611380c100d", 105 - "url": "https://github.com/NixOS/nixpkgs/archive/bfc1b8a4574108ceef22f02bafcf6611380c100d.tar.gz", 106 - "hash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=" 107 - }, 108 - "sops-nix": { 109 - "type": "Git", 110 - "repository": { 111 - "type": "GitHub", 112 - "owner": "Mic92", 113 - "repo": "sops-nix" 114 - }, 115 - "branch": "master", 116 - "submodules": false, 117 - "revision": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff", 118 - "url": 
"https://github.com/Mic92/sops-nix/archive/c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff.tar.gz", 119 - "hash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=" 120 - }, 121 - "wire": { 122 - "type": "Git", 123 - "repository": { 124 - "type": "GitHub", 125 - "owner": "mrshmllow", 126 - "repo": "wire" 127 - }, 128 - "branch": "stable", 129 - "submodules": false, 130 - "revision": "53dad75b2503b8d9bb09ea3fbd9d87a0ab14bcf2", 131 - "url": "https://github.com/mrshmllow/wire/archive/53dad75b2503b8d9bb09ea3fbd9d87a0ab14bcf2.tar.gz", 132 - "hash": "sha256-eIi3o3TiYFlgk831lkWilNw9vTrO26PNaNwbG2UAF60=" 133 - }, 134 - "zen-browser": { 135 - "type": "Git", 136 - "repository": { 137 - "type": "GitHub", 138 - "owner": "0xc000022070", 139 - "repo": "zen-browser-flake" 140 - }, 141 - "branch": "main", 142 - "submodules": false, 143 - "revision": "e97c8e719c7e2567ccf86d279f73ade1dbf72373", 144 - "url": "https://github.com/0xc000022070/zen-browser-flake/archive/e97c8e719c7e2567ccf86d279f73ade1dbf72373.tar.gz", 145 - "hash": "sha256-wD3QwqGZ1cqZDkDQanwy3HgoVL4Dooqlgta3jOu3Mng=" 146 - } 147 - }, 148 - "version": 7 149 - }
+13 -4
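--- a/shell.nix
+++ b/shell.nix
@@ -1,11 +1,20 @@
 let
-sources = import ./npins;
+sources = import ./modules/npins;
 pkgs = import sources.nixpkgs-stable { };
-wire = import sources.wire;
+unstable_pkgs = import sources.nixpkgs-unstable { };
+# wire = import sources.wire;
 in
 pkgs.mkShell {
+strictDeps = true;
 packages = [
-wire.packages.${builtins.currentSystem}.wire
-pkgs.npins
+# wire.packages.${builtins.currentSystem}.wire
+unstable_pkgs.npins
+pkgs.just
 ];
+
+shellHook = ''
+export NPINS_DIRECTORY="modules/npins"
+
+# export PS1="(dotfiles) $PS1"
+'';
 }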
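Review bot: `NPINS_DIRECTORY` in the new `shellHook` is the relative path `modules/npins`, so it only resolves when commands run from the repository root. With the `.envrc` added in this commit the environment presumably stays loaded in subdirectories, where `npins` would then look under the current directory instead. Anchoring the value, e.g. `export NPINS_DIRECTORY="${toString ./modules/npins}"`, keeps it valid anywhere in the tree. A one-line comment above it noting that the pins moved out of `./npins` would explain why the override exists.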
-14
sops/.sops.yaml
··· 1 - # This example uses YAML anchors which allows reuse of multiple keys 2 - # without having to repeat yourself. 3 - # Also see https://github.com/Mic92/dotfiles/blob/d6114726d859df36ccaa32891c4963ae5717ef7f/nixos/.sops.yaml 4 - # for a more complex example. 5 - keys: 6 - - &admin_snowyboo D40CE1579C09BFD7EF4AB7E631250420834310B5 7 - - &root_server age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg 8 - creation_rules: 9 - - path_regex: secrets/* 10 - key_groups: 11 - - pgp: 12 - - *admin_snowyboo 13 - age: 14 - - *root_server
-58
sops/default.nix
··· 1 - { 2 - # config, 3 - # lib, 4 - # pkgs, 5 - args, 6 - ... 7 - }: 8 - 9 - { 10 - imports = [ 11 - # Nix secrets hehe :3 12 - args.flakes.sops-nix.nixosModules.sops 13 - ]; 14 - 15 - sops = { 16 - defaultSopsFile = ./secrets/example.yaml; 17 - 18 - age = { 19 - keyFile = "/root/.config/sops/age/keys.txt"; 20 - generateKey = false; 21 - }; 22 - 23 - secrets = { 24 - "garage/rpc_secret" = { 25 - mode = "0440"; 26 - group = "sops_garage"; 27 - }; 28 - 29 - "garage/admin_token" = { 30 - mode = "0440"; 31 - group = "sops_garage"; 32 - }; 33 - 34 - "garage/metrics_token" = { 35 - mode = "0440"; 36 - group = "sops_garage"; 37 - }; 38 - 39 - postgres_sql = { 40 - format = "binary"; 41 - sopsFile = ./secrets/postgres.sql; 42 - 43 - mode = "0400"; 44 - owner = "postgres"; 45 - }; 46 - }; 47 - }; 48 - 49 - users.groups = { 50 - sops_garage = { }; 51 - }; 52 - 53 - systemd.services = { 54 - garage.serviceConfig.SupplementaryGroups = [ 55 - "sops_garage" 56 - ]; 57 - }; 58 - }
-45
sops/secrets/example.yaml
··· 1 - #ENC[AES256_GCM,data:VCoJrRdEXtuZG4hsS2oTFv16IC7wX1gHKnfh,iv:EAFpXE1fm3A0a1gPk+GOs7eblCOAN58cJ9aDZfg4qvI=,tag:1oMrvTDE7GeGS7eFiZkBuA==,type:comment] 2 - #ENC[AES256_GCM,data:+b7sZjD7+b6SgA==,iv:x6SjxKlIOSH6CgT7Yb9e31p4bHlPZuRJ9FBMKpir+3k=,tag:j8gk26rDYzMIr/zUM+tKDQ==,type:comment] 3 - garage: 4 - #ENC[AES256_GCM,data:Yx8PEnI/5OpHx6iVtE1oASzXSMJpEdgdX5V+5zUGDP6R1g==,iv:ggeiDdg3uzZKwRyw/yFFWg1ohxGbrHiSrhXbydhG10g=,tag:RrwmHXYdERfyh0JE1xEq0g==,type:comment] 5 - rpc_secret: ENC[AES256_GCM,data:4pv/pkXGajsUxxcQ/qrn4S5rB1sVATgTlDK58aZmtR7vu777DhnMnC+kIYijKt/Sr/fKbbfcNnYHVx1XV0LnhA==,iv:WY+V7viT7LSoKLbEgjncyzih82zQvFjWlvDDpDEuwb0=,tag:Fd98GTbXnqYWw5Onh1BR6A==,type:str] 6 - #ENC[AES256_GCM,data:Df0g74tf3/UB0jOq1tIwxzyipJ66ZVdt4Qe17kS4ou635wM0jTyxuqw0hIM=,iv:M91CxwA7PsUJse7sIwWEdF54a0o+ZuOyT5IS5UGaWdk=,tag:CrCbgoPh1dHCmC/BxaVBtw==,type:comment] 7 - admin_token: ENC[AES256_GCM,data:RAftH7+QvGbGiY3V+COPFwsSiiqfcg3w0JTOgabLNujcK+6eXz25mveeSQd6kBe8wbZm3+nC21fq1Q3SRXo10w==,iv:1Hy9p6c+0N/pu8m+AevCcWQj2AwWtKcL9/W43R1XDn0=,tag:Aaj1vFWsBqhiyz0fdohokA==,type:str] 8 - #ENC[AES256_GCM,data:Df0g74tf3/UB0jOq1tIwxzyipJ66ZVdt4Qe17kS4ou635wM0jTyxuqw0hIM=,iv:M91CxwA7PsUJse7sIwWEdF54a0o+ZuOyT5IS5UGaWdk=,tag:CrCbgoPh1dHCmC/BxaVBtw==,type:comment] 9 - metrics_token: ENC[AES256_GCM,data:aMEA+JL+Dnd+S4v6ypA/eMocI1nOOHLvGrOtaKN0Vkx2U6c9EYnOZ09DfpPb4n+r9p0X/cOt09zW+ZSQEJqS7A==,iv:a5UUHkybp87dO0Gk6vbta9L5C4EbYZ3oRQS8ItlQILE=,tag:4HCPGq5+jmVsgpODBxefPg==,type:str] 10 - sops: 11 - age: 12 - - recipient: age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg 13 - enc: | 14 - -----BEGIN AGE ENCRYPTED FILE----- 15 - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTDYwLy9Sanh4aWttNnVk 16 - WGJHQ1lmcDcwLzlEY3hhKzBmQkgyb0lwdGlrCjZXVm1hT1hKOU11ZndIVVhuRHFO 17 - SDN4ZDJYSGRQMldZa2dPNmQyelR5cjQKLS0tIHVPNVBqT3pmWVdySlZPK001c3p5 18 - dUp2cU1wMU1Kd2J2cmlBMmlnbjVJV2sKkKx5nO2auold0qB6066aY1KXAjC2slna 19 - G+Cy8EcjgRh29w5RFRyx541jOGvtf+wuz11R1dUY1o/NHdn2wFhJTg== 20 - -----END AGE ENCRYPTED FILE----- 21 - 
lastmodified: "2026-01-29T17:40:50Z" 22 - mac: ENC[AES256_GCM,data:c3vUBN3tku/Z3t7blgYqOHdMwfFOPpEz+VaXb9up2+RrdtMTdUJ20ixKPSOvmle4jIb3q8u6aIsRC1NNb6ZCheIRy5orDHEOvLKnNmTHAIx+UXC2sN0oqJl3bs/NQefVAr9fwPqwuMLEXZ64fKg1yowLpmNZgkb49Xj1tKlm9tk=,iv:ITV4UPdRo7jwCSFw3QUHAvLx6E74EeD5FAE+pqf6JYA=,tag:Kc33MOhklLYdqhjtHefKRQ==,type:str] 23 - pgp: 24 - - created_at: "2025-12-19T16:08:52Z" 25 - enc: |- 26 - -----BEGIN PGP MESSAGE----- 27 - 28 - hQIMA09oKgMfawMUAQ//WkbrA+iFyXsH1YRr1hT2gxG406yD+c4jfTBY/CAzARgj 29 - vyyjJ5rVcltzXQBKNzgnBFsn6GW95vWVKh98Q7KksC3Qm72NOZtPc5iai3y151Z2 30 - qxiwNFKD/VBIpuxX86MypkbwEuZn3N0teiGTaTx9dKxc9/y4WqjusD5Xp6O2T4oO 31 - 617JWKTTp+66Ca8t8SuUZQ+bl1nNmJOETn7a8Ws+HZe6n0Pcx9VCfHnAGPziVYTc 32 - x5n6z5FnGWf+kmBpExmRiE+37Waa3+YMm7SOY7HlsompVWNww1WyiMnPGs9cAUOj 33 - XsfMnMnoxiGoPeTvFbsLobeY0S8TcpIfJ43LmPqurK4a3/Cd8Z5rKS8BqrpchFy1 34 - uqPzQ/4oKmduzWcTdzmqxBDe1AsUXZZs7Tq2ypJ9oFdQy226baur85PJb9skLe2k 35 - UcJaJ/UTxlnUv4LTCBOXbBglpoFLcwIQeT54MyoozhMBY2Cndj9ffto8UaZwMq2l 36 - ppnfAGbUVVk1OFd/DNTzflXDb0W1ZN7e2+4voYlggplFfqqDVEi5b1WyJc6EE0ep 37 - uhJjeokdtKbAwSbrN78+WWnrGFIb6x3w6jh9VTqLw3zFlHL0YIcz5pyJMrA++Wh8 38 - qJwDGpPNVkrq5a1vJovYqtQM34Ih9MGLQvf7cCbHDoO+1OqGULGlm3jXtev+/0/S 39 - XgE2h3SCo2eCXBGaGYttIq+s0QDFNueT7luAvr81wTHBiKnMdg7cnjkJPebE4AM3 40 - OJKxYUb7ie7MsDTZBiR6Wgpp0Ygqo1J+YTcyQPeKy/HbmLiv9jlAmRKqxxIVHjg= 41 - =JhLZ 42 - -----END PGP MESSAGE----- 43 - fp: D40CE1579C09BFD7EF4AB7E631250420834310B5 44 - unencrypted_suffix: _unencrypted 45 - version: 3.11.0
+3 -3
sops/secrets/postgres.sql modules/sops/vps/postgres.sql
··· 1 1 { 2 - "data": "ENC[AES256_GCM,data:51QF5BtvJgkRYqTwTHVHZqLbNhcyBER8biszh1KGmzvzcJ56bFxxMmFXxb+kNDUeBqN4e3N29q9mCS6L6Powms4FqaI1bd0cUVhGsAhmmdYAqBQFHT+5I5Qh6vPxoZ8xlekFv6xSSaS9+k5xCldajm0Tsf2X0K14qjvvDS3QKf6o6bBQS0zEa6cNZFLqokJGxEPDbiw=,iv:8mZzroAJYRAbRxX3WOGTEcoIMmmASp9GVm+4E2/5NI0=,tag:qGOZauuZEKdSndi6Qys9lA==,type:str]", 2 + "data": "ENC[AES256_GCM,data:Fdzo5TicNuQkpAM43ok+2GhGr4PEwwzYvzWKi3I92FBn7/Cs5t4BVHe3seAkqVLbpBthZlemrpjzmsa3ZiFCXOqNyTyYui/tdkhSRNwncFd6UUaDcaR+PkK3XIjZvKnqOaeFT6KZYqw8SSP5ajU7JHw4gPR485Bh2hCvvECnVig4obZm8XLeGAYI70btQurjz1F26QiiAXCBpTTOP7/N272pIH56lp26ZcEVJPbzwjZ7dfpAEbxxqbpovw==,iv:YJZvRAL3TW+7LihY7wgN0KLIMNAVub6m3qzKlEV3Fhg=,tag:vLv1V2AY49iJBf5QvEsoFQ==,type:str]", 3 3 "sops": { 4 4 "age": [ 5 5 { ··· 7 7 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdVpaenUrYVpMeEpRZlBl\nTndhYmkvUEcxQWZ5UjZFUHFUcGpqMXdoZ2xFCkFLUmY4YlhRRTdIUmpQTzNPYSsz\nZ2JaZ0JTM3NHNWNwMHdiR2J2M1RRb1kKLS0tIERXbGtkRUlRSnFybExqYlVoQjVz\ndFdNQ0kxU3FMT0Y1ZnRhZkxWZWcrbEEK8hSNNXzhRXLrqEUHsXnPM6p+2ZynT/is\nLT+kR1IhJjuAB0uFjlGDtL19OsQdwb85TV79i2shQZIxwftqVwYoeg==\n-----END AGE ENCRYPTED FILE-----\n" 8 8 } 9 9 ], 10 - "lastmodified": "2026-01-29T18:35:32Z", 11 - "mac": "ENC[AES256_GCM,data:y/VHDvRfwUaGyHCAIvOFNisyRwJYxoMk3ThurJmzf9804rkwVHaQFSXfVKzE13YhidG8kpI+6ELkidNzaew65M+VhWlw5atwqhWouIEp+Fib6OIWvhpd1dOKlEJe10ByibcsOKk3tCP/+xnE2LHnYnd7Bliio4wRt9v5Tb2KLDY=,iv:xF9UWM4Jr9yFGFDOzAdgE0D8JIAgrykLXrF+vp3N/Ls=,tag:C9mdtos0DoSztvpnRU1mfw==,type:str]", 10 + "lastmodified": "2026-02-03T13:26:20Z", 11 + "mac": "ENC[AES256_GCM,data:NtWhYA2B4hfBHZMEZShWzaeWCGmFCmINV2jhe+fQ03OtPmRG4yVsN/MPOhreRbg69Fu6G81xRnWDa3+o+kFq/qb/oQzzxkfifEJXpD6i24zkF44ezOI6vu5sGVMCSSRo59NZ6lzI7H+IOv8ctlH4bF92O1m8ojmFqJ4dtpVBduQ=,iv:I+s5ukAPu6lpASLypmXO+RBqMIQBvaistcbV2Mi8VL8=,tag:zZ8BXwuMlLv/u+AbNivuuA==,type:str]", 12 12 "pgp": [ 13 13 { 14 14 "created_at": "2026-01-29T17:28:29Z",