🏡 my personal home lab

it works

+445 -125
+15
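--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,15 @@
+keys:
+  - &personal age1ukx4wxssue9d5y72tt7wk0nqg86wjhcnsy80ky0kkwf5m8p72a7su87kf3
+  - &cm4-node-1 age1hnzrlvwx7ej6yyg8uvuwmx0vln37n554ksp6ryarne2qhqm2ggxqta3sra
+  - &cm4-node-2 age1yk9d90hd37thd3w56urke49jdat6yehfj6dsh3m77y3edpy0pppsp5s7wj
+  - &rk1-node-1 age1h2due5w4mfp9es3p34znk8yujn73n856jrypnwkaszaf66tpma4qv7wajq
+  - &rk1-node-2 age1m8hxem565mprflphn5e3yrwxdsz3q06x4nzc6xpju0y6knudfuwsz2g8w2
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *personal
+          - *cm4-node-1
+          - *cm4-node-2
+          - *rk1-node-1
+          - *rk1-node-2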
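Review bot: The single creation rule encrypts every file under `secrets/` to all four node keys as well as `*personal`, so the host key of any one node can decrypt every secret in the repository, including ones it never uses (the rk1 nodes and `secrets/mumble.env`, for example). I would split `creation_rules` by file, e.g. a rule with `path_regex: secrets/mumble\.env$` that lists only `*personal` and `*cm4-node-2`, and keep the broad rule last as the fallback. Because `path_regex` is a search rather than a full match, starting it with `^` also keeps it from matching nested paths such as `other/secrets/x.yaml`.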
+5
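--- a/README.md
+++ b/README.md
@@ -14,3 +14,8 @@
 nix run . -- .#cm4-node-1
 ```
 
+## Secrets
+
+```sh
+nix run .#sops -- secrets/file
+```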
+25 -18
flake.lock
··· 3 3 "deploy-rs": { 4 4 "inputs": { 5 5 "flake-compat": "flake-compat", 6 - "nixpkgs": "nixpkgs", 6 + "nixpkgs": [ 7 + "nixpkgs" 8 + ], 7 9 "utils": "utils" 8 10 }, 9 11 "locked": { ··· 54 56 }, 55 57 "nixpkgs": { 56 58 "locked": { 57 - "lastModified": 1743014863, 58 - "narHash": "sha256-jAIUqsiN2r3hCuHji80U7NNEafpIMBXiwKlSrjWMlpg=", 59 - "owner": "NixOS", 60 - "repo": "nixpkgs", 61 - "rev": "bd3bac8bfb542dbde7ffffb6987a1a1f9d41699f", 62 - "type": "github" 63 - }, 64 - "original": { 65 - "owner": "NixOS", 66 - "ref": "nixpkgs-unstable", 67 - "repo": "nixpkgs", 68 - "type": "github" 69 - } 70 - }, 71 - "nixpkgs_2": { 72 - "locked": { 73 59 "lastModified": 1770617025, 74 60 "narHash": "sha256-1jZvgZoAagZZB6NwGRv2T2ezPy+X6EFDsJm+YSlsvEs=", 75 61 "owner": "nixos", ··· 88 74 "inputs": { 89 75 "deploy-rs": "deploy-rs", 90 76 "nixos-hardware": "nixos-hardware", 91 - "nixpkgs": "nixpkgs_2", 77 + "nixpkgs": "nixpkgs", 78 + "sops-nix": "sops-nix", 92 79 "turing-rk1": "turing-rk1" 80 + } 81 + }, 82 + "sops-nix": { 83 + "inputs": { 84 + "nixpkgs": [ 85 + "nixpkgs" 86 + ] 87 + }, 88 + "locked": { 89 + "lastModified": 1770683991, 90 + "narHash": "sha256-xVfPvXDf9QN3Eh9dV+Lw6IkWG42KSuQ1u2260HKvpnc=", 91 + "owner": "Mic92", 92 + "repo": "sops-nix", 93 + "rev": "8b89f44c2cc4581e402111d928869fe7ba9f7033", 94 + "type": "github" 95 + }, 96 + "original": { 97 + "owner": "Mic92", 98 + "repo": "sops-nix", 99 + "type": "github" 93 100 } 94 101 }, 95 102 "systems": {
+49 -58
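--- a/flake.nix
+++ b/flake.nix
@@ -4,7 +4,14 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
     nixos-hardware.url = "github:nixos/nixos-hardware/master";
-    deploy-rs.url = "github:serokell/deploy-rs";
+    deploy-rs = {
+      url = "github:serokell/deploy-rs";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     turing-rk1 = {
       url = "github:GiyoMoon/nixos-turing-rk1";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -18,78 +25,62 @@
       deploy-rs,
       nixos-hardware,
       turing-rk1,
+      sops-nix,
       ...
     }:
-    {
-      nixosConfigurations = {
-        cm4-node-1 = nixpkgs.lib.nixosSystem {
-          system = "aarch64-linux";
-          modules = [
-            nixos-hardware.nixosModules.raspberry-pi-4
-            ./hosts/cm4-node-1.nix
-          ];
-        };
-        cm4-node-2 = nixpkgs.lib.nixosSystem {
-          system = "aarch64-linux";
-          modules = [
-            nixos-hardware.nixosModules.raspberry-pi-4
-            ./hosts/cm4-node-2.nix
-          ];
-        };
-        rk1-node-1 = nixpkgs.lib.nixosSystem {
-          system = "aarch64-linux";
-          modules = [
-            turing-rk1.nixosModules.turing-rk1
-            ./hosts/rk1-node-1.nix
-          ];
-        };
-        rk1-node-2 = nixpkgs.lib.nixosSystem {
-          system = "aarch64-linux";
-          modules = [
-            turing-rk1.nixosModules.turing-rk1
-            ./hosts/rk1-node-2.nix
-          ];
-        };
-      };
+    let
+      inherit (nixpkgs) lib;
 
-      deploy.nodes = {
+      hosts = {
         cm4-node-1 = {
-          hostname = "10.0.0.11";
-          profiles.system = {
-            sshUser = "root";
-            user = "root";
-            path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.cm4-node-1;
-          };
+          ip = "10.0.0.11";
+          hardware = nixos-hardware.nixosModules.raspberry-pi-4;
         };
         cm4-node-2 = {
-          hostname = "10.0.0.12";
-          profiles.system = {
-            sshUser = "root";
-            user = "root";
-            path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.cm4-node-2;
-          };
+          ip = "10.0.0.12";
+          hardware = nixos-hardware.nixosModules.raspberry-pi-4;
         };
         rk1-node-1 = {
-          hostname = "10.0.0.13";
-          profiles.system = {
-            sshUser = "root";
-            user = "root";
-            path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.rk1-node-1;
-          };
+          ip = "10.0.0.13";
+          hardware = turing-rk1.nixosModules.turing-rk1;
         };
         rk1-node-2 = {
-          hostname = "10.0.0.14";
-          profiles.system = {
-            sshUser = "root";
-            user = "root";
-            path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.rk1-node-2;
+          ip = "10.0.0.14";
+          hardware = turing-rk1.nixosModules.turing-rk1;
+        };
+      };
+
+      mkSystem =
+        name: host:
+        lib.nixosSystem {
+          system = "aarch64-linux";
+          specialArgs = {
+            inherit host hosts name;
           };
+          modules = [
+            host.hardware
+            sops-nix.nixosModules.sops
+            ./hosts/${name}.nix
+          ];
+        };
+
+      mkDeploy = name: host: {
+        hostname = host.ip;
+        profiles.system = {
+          sshUser = "root";
+          user = "root";
+          path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.${name};
         };
       };
+    in
+    {
+      nixosConfigurations = lib.mapAttrs mkSystem hosts;
+
+      deploy.nodes = lib.mapAttrs mkDeploy hosts;
 
       packages.x86_64-linux = {
-        deploy-rs = deploy-rs.packages.x86_64-linux.deploy-rs;
-        default = self.packages.x86_64-linux.deploy-rs;
+        default = deploy-rs.packages.x86_64-linux.deploy-rs;
+        sops = nixpkgs.legacyPackages.x86_64-linux.sops;
       };
 
       checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;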
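Review bot: Nothing in the file records what a new `hosts` entry requires, although the attribute name now drives the host name, the deploy address and the module path, and `mkSystem` adds `sops-nix.nixosModules.sops` to every host. A comment above `hosts` such as `# attr name = networking.hostName and ./hosts/<name>.nix; the host's SSH-derived age key must also be listed in .sops.yaml` would capture that. As far as this page shows, common.nix declares `desec-acme-token` on all hosts, so a host missing from `.sops.yaml` presumably cannot decrypt it at activation. The `outputs` function starts outside the hunk.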
+1 -1
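--- a/hardware/cm4/default.nix
+++ b/hardware/cm4/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ ... }:
 {
   imports = [ ./hardware-configuration.nix ];
 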
+1 -7
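--- a/hardware/cm4/hardware-configuration.nix
+++ b/hardware/cm4/hardware-configuration.nix
@@ -1,10 +1,4 @@
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}:
+{ lib, ... }:
 
 {
   boot = {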
+4 -9
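--- a/hosts/cm4-node-1.nix
+++ b/hosts/cm4-node-1.nix
@@ -1,17 +1,12 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
+{ ... }:
 {
   imports = [
     ../hardware/cm4
     ../modules/common.nix
+    ../modules/tailscale.nix
+    ../modules/caddy.nix
+    ../modules/ddclient.nix
   ];
-
-  networking.hostName = "cm4-node-1";
 
   system.stateVersion = "23.11";
 }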
+4 -10
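--- a/hosts/cm4-node-2.nix
+++ b/hosts/cm4-node-2.nix
@@ -1,17 +1,11 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
+{ ... }:
 {
   imports = [
-    ../hardware/cm4/hardware-configuration.nix
+    ../hardware/cm4
     ../modules/common.nix
+    ../modules/matrix.nix
+    ../modules/mumble.nix
   ];
-
-  networking.hostName = "cm4-node-2";
 
   system.stateVersion = "23.11";
 }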
+1 -9
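--- a/hosts/rk1-node-1.nix
+++ b/hosts/rk1-node-1.nix
@@ -1,16 +1,8 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
+{ ... }:
 {
   imports = [
     ../modules/common.nix
   ];
-
-  networking.hostName = "rk1-node-1";
 
   system.stateVersion = "25.11";
 }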
+1 -9
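--- a/hosts/rk1-node-2.nix
+++ b/hosts/rk1-node-2.nix
@@ -1,16 +1,8 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
+{ ... }:
 {
   imports = [
     ../modules/common.nix
   ];
-
-  networking.hostName = "rk1-node-1";
 
   system.stateVersion = "25.11";
 }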
+68
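--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -0,0 +1,68 @@
+{
+  config,
+  hosts,
+  ...
+}:
+{
+  services.caddy = {
+    enable = true;
+    enableReload = true;
+    globalConfig = ''
+      grace_period 1m
+    '';
+    virtualHosts = {
+      "(acme_tls)".extraConfig = ''
+        tls ${config.security.acme.certs."goo.garden".directory}/fullchain.pem ${
+          config.security.acme.certs."goo.garden".directory
+        }/key.pem
+      '';
+      "goo.garden".extraConfig = ''
+        import acme_tls
+
+        handle /.well-known/matrix/server {
+          header Content-Type application/json
+          respond `{"m.server": "matrix.goo.garden:443"}`
+        }
+        handle /.well-known/matrix/client {
+          header Content-Type application/json
+          header Access-Control-Allow-Origin "*"
+          respond `{"m.homeserver": {"base_url": "https://matrix.goo.garden"}}`
+        }
+
+        handle {
+          respond "hi :3"
+        }
+      '';
+      "*.goo.garden".extraConfig = ''
+        import acme_tls
+        abort
+      '';
+      "matrix.goo.garden".extraConfig = ''
+        reverse_proxy ${hosts.cm4-node-2.ip}:6167
+      '';
+      "mumble.goo.garden:64738".extraConfig = ''
+        reverse_proxy ${hosts.cm4-node-2.ip}:64738
+      '';
+    };
+  };
+
+  security.acme.certs."goo.garden" = {
+    extraDomainNames = [ "*.goo.garden" ];
+    group = config.services.caddy.group;
+    reloadServices = [ "caddy" ];
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      80
+      443
+
+      # mumble
+      64738
+    ];
+    allowedUDPPorts = [
+      # mumble
+      64738
+    ];
+  };
+}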
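Review bot: The `"mumble.goo.garden:64738"` site uses `reverse_proxy`, which proxies HTTP, while murmur (mumble.nix) speaks the Mumble protocol over TLS/TCP and UDP on that port, so as far as I can tell this site cannot carry Mumble traffic. The firewall block also opens TCP and UDP 64738 on this host although nothing visible here listens on UDP, and cm4-node-2 already runs murmur with `openFirewall = true`. I would drop the virtual host and both `64738` entries from `allowedTCPPorts` and `allowedUDPPorts`, so this node exposes only 80 and 443. Separately, `"matrix.goo.garden"` does not `import acme_tls` like the other sites; if that is intentional, a short comment saying which certificate it is expected to use would help.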
+43 -4
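--- a/modules/common.nix
+++ b/modules/common.nix
@@ -1,9 +1,20 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  name,
+  pkgs,
+  ...
+}:
 
 {
+  # set name from flake host list
+  networking.hostName = name;
+
   nixpkgs.config.allowUnfree = true;
 
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
 
   # Set your time zone.
   time.timeZone = "Europe/Zurich";
@@ -14,7 +25,10 @@
     ];
   };
 
-  environment.systemPackages = with pkgs; [ vim btop ];
+  environment.systemPackages = with pkgs; [
+    vim
+    btop
+  ];
 
   networking.networkmanager.enable = true;
 
@@ -25,8 +39,33 @@
     settings.PermitRootLogin = "prohibit-password";
   };
 
+  networking.nftables.enable = true;
   networking.firewall = {
     enable = true;
-    allowedTCPPorts = [ 22 80 443 ];
+    allowedTCPPorts = [ 22 ];
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      server = "https://acme-v02.api.letsencrypt.org/directory";
+      email = "dev@stehlik.me";
+      dnsProvider = "desec";
+      extraLegoFlags = [ "--dns.propagation-wait=300s" ];
+      credentialFiles = {
+        # dont forget to add needed subdomains to token policy
+        DESEC_TOKEN_FILE = config.sops.secrets.desec-acme-token.path;
+      };
+    };
+  };
+
+  sops = {
+    defaultSopsFile = ../secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  };
+
+  sops.secrets = {
+    desec-acme-token = { };
   };
 }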
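Review bot: `security.acme.defaults` and `sops.secrets.desec-acme-token` sit in the module that every host imports, so the deSEC token that can write DNS records is decrypted onto all four nodes, while only caddy.nix and mumble.nix on this page request certificates. Moving the `security.acme` block and the `desec-acme-token` declaration into a separate module (say a new `modules/acme.nix`) imported only by the hosts that define `security.acme.certs` keeps the token off the rk1 nodes. The `sops` block with `age.sshKeyPaths` can stay in common.nix.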
+25
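--- a/modules/ddclient.nix
+++ b/modules/ddclient.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  ...
+}:
+let
+  tld = "goo.garden";
+in
+{
+  services.ddclient = {
+    enable = true;
+    ssl = true;
+    interval = "10min";
+    protocol = "dyndns2";
+    server = "update.dedyn.io";
+
+    usev4 = "webv4, webv4=https://checkipv4.dedyn.io/";
+    usev6 = "webv6, webv6=https://checkipv6.dedyn.io/";
+
+    username = tld;
+    passwordFile = config.sops.secrets.desec-dyndns-token.path;
+    domains = [ tld ];
+  };
+
+  sops.secrets.desec-dyndns-token = { };
+}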
+26
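--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, ... }:
+{
+  services.matrix-continuwuity = {
+    enable = true;
+    settings = {
+      global = {
+        server_name = "goo.garden";
+        address = [
+          "0.0.0.0"
+          "::"
+        ];
+        port = [ 6167 ];
+        allow_registration = false;
+        allow_encryption = true;
+        allow_federation = true;
+        trusted_servers = [
+          "matrix.org"
+          "events.ccc.de"
+          "kabelsalat.ch"
+        ];
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 6167 ];
+}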
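Review bot: `networking.firewall.allowedTCPPorts = [ 6167 ]` together with `address = [ "0.0.0.0" "::" ]` exposes the homeserver's plain-HTTP port to every network the host is attached to, although the only intended client on this page is Caddy on cm4-node-1 (`reverse_proxy ${hosts.cm4-node-2.ip}:6167`). Since common.nix enables nftables, the opening can be limited to the proxy by replacing the `allowedTCPPorts` line with `networking.firewall.extraInputRules = "ip saddr ${hosts.cm4-node-1.ip} tcp dport 6167 accept";` and adding `hosts` to the module arguments. `config` and `pkgs` are unused in the argument set and could be dropped.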
+28
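--- a/modules/mumble.nix
+++ b/modules/mumble.nix
@@ -0,0 +1,28 @@
+{ config, ... }:
+{
+  services.murmur = {
+    enable = true;
+    openFirewall = true;
+    port = 64738;
+    environmentFile = config.sops.secrets.mumble-env.path;
+
+    hostName = "mumble.goo.garden";
+    registerName = "📞 mumble.goo.garden";
+    welcometext = "more like John Goo";
+
+    password = "$MUMBLE_PASSWORD";
+    users = 50;
+
+    sslCert = "${config.security.acme.certs."mumble.goo.garden".directory}/fullchain.pem";
+    sslKey = "${config.security.acme.certs."mumble.goo.garden".directory}/key.pem";
+  };
+
+  security.acme.certs."mumble.goo.garden" = {
+    group = config.services.murmur.group;
+  };
+
+  sops.secrets.mumble-env = {
+    sopsFile = ../secrets/mumble.env;
+    format = "dotenv";
+  };
+}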
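Review bot: `security.acme.certs."mumble.goo.garden"` sets only `group`, whereas the certificate in caddy.nix also sets `reloadServices = [ "caddy" ]`. Without an equivalent here murmur will presumably keep serving the old `fullchain.pem` after a renewal until it is restarted. Adding `reloadServices = [ "murmur" ];` would close that gap; it is worth checking that the unit has a reload action, and using a restart hook instead if it does not.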
modules/pds.nix

This is a binary file and will not be displayed.

+38
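--- a/modules/restic.nix
+++ b/modules/restic.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = [ pkgs.restic ];
+
+  services.restic.backups = {
+    homeserver = {
+      initialize = true;
+
+      repository = "sftp:user@synology-ip:/volume1/backups/homeserver";
+
+      passwordFile = "/etc/restic/password";
+
+      paths = [
+        "/home"
+        "/var/lib"
+      ];
+
+      exclude = [
+        "/var/lib/docker"
+        "*.tmp"
+        ".cache"
+      ];
+
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+        RandomizedDelaySec = "1h";
+      };
+
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 4"
+        "--keep-monthly 6"
+      ];
+    };
+  };
+}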
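Review bot: `passwordFile = "/etc/restic/password"` points at a file that has to be placed on the host by hand, while the rest of this commit moves secrets to sops-nix. The repository password should follow the same pattern: `passwordFile = config.sops.secrets.restic-password.path;` plus `sops.secrets.restic-password = { };` (the secret name is a suggestion). This matters because `paths` includes `/var/lib`, which holds service state and keys. `repository = "sftp:user@synology-ip:/volume1/backups/homeserver"` still looks like a placeholder and no host on this page imports the module, so a comment marking it as not yet wired up would keep it from being enabled as is.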
+28
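--- a/modules/tailscale.nix
+++ b/modules/tailscale.nix
@@ -0,0 +1,28 @@
+{ config, ... }:
+{
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "server";
+    extraSetFlags = [
+      "--advertise-exit-node"
+      "--advertise-routes=10.0.0.0/24"
+    ];
+  };
+
+  networking.firewall = {
+    enable = true;
+    trustedInterfaces = [ "tailscale0" ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+    checkReversePath = "loose";
+  };
+
+  systemd.services.tailscaled.serviceConfig.Environment = [
+    "TS_DEBUG_FIREWALL_MODE=nftables"
+  ];
+  systemd.network.wait-online.enable = false;
+  boot.initrd.systemd.network.wait-online.enable = false;
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    "net.ipv6.conf.all.forwarding" = 1;
+  };
+}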
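Review bot: `trustedInterfaces = [ "tailscale0" ]` accepts every port from any tailnet peer, so on this host, which also advertises an exit node and the `10.0.0.0/24` route, the tailnet ACLs become the only filter. If only a few services are meant to be reachable over Tailscale, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];` in place of `trustedInterfaces` keeps the host firewall in force. The `boot.kernel.sysctl` forwarding entries look redundant with `useRoutingFeatures = "server"`, which I believe already enables forwarding; a comment saying why they are set explicitly would help.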
+15
secrets/caddy.env
··· 1 + DESEC_ACME_TOKEN=ENC[AES256_GCM,data:2T3zS1LIM/ML1lD8UULhgVG0U0zyd+HYyEA12A==,iv:jCQHSzWRrAyV2OOONiPsY/y/TPt6/0XR3XVl5dQuq2w=,tag:u9tmmN6wJt+NSknt4WqqOQ==,type:str] 2 + sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWNjREcm5NcmRnd1c3V2dW\ndjkxK2FZdndyUzFrblJsVm83Snc3NUhiTWdVClpCK0dKTXJMUU9VQUtJUTBUc3Fw\ncEZJSXVTbitOaS9NQ0pVb1pNdG9TSFEKLS0tIEZGeEpSek53LzQweml0bExwVkI3\nWGM3OEJvcXlvcGNrbEpyOUN1YThrdEEKI6dcjKVr/fKNKF+vwFevY71cSl3bJz0Y\npxdoZwf1SMv05m26ounrE159WIAPaNWaWYamdmxarMbsaAZtHP7wMA==\n-----END AGE ENCRYPTED FILE-----\n 3 + sops_age__list_0__map_recipient=age1ukx4wxssue9d5y72tt7wk0nqg86wjhcnsy80ky0kkwf5m8p72a7su87kf3 4 + sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaEhUL2Y4TTZaZVU5ZDRL\nNFMxSnhDelZ2Mk1vYU1PL1hpUkl6Wnp4aUVRCm0wUS90T1o2cWg0bnI5TjVaNlNu\nMHRnb20rbTVtaW5QVXU5NjlLMXE1dncKLS0tIHVzYnJ3ajhuNXI2ZCtoRGxaYXFv\nOWVXWnNPK1ZKcXp3ai8zUmwvaENGMlkKU1Yolq9r/ZbmmKqupdsK0iqMmco0LKRK\npcSUeN01bUQx6CdH3MpvLtlRwgvI+CjHMg5VvAZhRm1mep9Bu7STdg==\n-----END AGE ENCRYPTED FILE-----\n 5 + sops_age__list_1__map_recipient=age1hnzrlvwx7ej6yyg8uvuwmx0vln37n554ksp6ryarne2qhqm2ggxqta3sra 6 + sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNDdvemgzeUJpN3BWMXVu\nSFZvb0hhNzlINEZNOEhNTklTNDA1TVZxbUJZCnUva1hhVjdBbndZTWxmcUJoeUN6\neEl1MnJ2TGFhWUdOOFRjeXczOHFJemsKLS0tIDc5czlDQjZQenhPczNZMHdqaSs2\nREF3aTNvTTB5NHgrQi9PeTlNcGo5VGcKNfK3sivq9AtXUYkSsuiDMWsjaDXsYJ9B\n7emGcphgU0654xllbUyDYmNPXlCUmiuYGdeq+4IwDfiA2AjIOrAPpg==\n-----END AGE ENCRYPTED FILE-----\n 7 + sops_age__list_2__map_recipient=age1yk9d90hd37thd3w56urke49jdat6yehfj6dsh3m77y3edpy0pppsp5s7wj 8 + sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4c2xIM1dsUkh3ZndKaFMr\nYzJORzhadzNydGNjT0JDTytMUDc1KzdHc1ZrCkg3NWF0bExUVEh5RDRnVUVXSHpq\nY1gwS3poeGpLVEd4elZNdkFJN3pKcVUKLS0tIFhMKzlQQUFOckx3WjI4eUk3L0V3\nbjJJREhPa1hLL1RhYzB2NWxRc1BsaEkKZKH1Wvkmrz8gNMBz8sqHoWrBGi4zjFCt\nTUVIEjy1eJ30sHN9yrM/UlUc0wUKnZqgWpWYSGC3RSmDpyjwf8oGqw==\n-----END AGE ENCRYPTED FILE-----\n 9 + sops_age__list_3__map_recipient=age1h2due5w4mfp9es3p34znk8yujn73n856jrypnwkaszaf66tpma4qv7wajq 10 + sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2aTVTT3dsMHJJY1ZWOGs0\nMld1dWNFdVJrY0dCWVlNNE82WHlYODgvRWpRClJxa0pJVmZ0YVVsMFQ3YVByODRz\nbmJTMVAzcGlCRzhYakNzOWpNY1NRUkkKLS0tIE5MaDNsM2RmTEpLOHlJbXY1U21v\nSzhuMUVzNHNJTEFsTkplTXk2YWJITm8KzeNpqbStY6blpjPq3L17e8vJ9/W7Qe4i\nv5n/NnRx8fqJPSNMpjg2QxMnKcYgSe5UZ3MM+bGlcF2oZFPUCvLHww==\n-----END AGE ENCRYPTED FILE-----\n 11 + sops_age__list_4__map_recipient=age1m8hxem565mprflphn5e3yrwxdsz3q06x4nzc6xpju0y6knudfuwsz2g8w2 12 + sops_lastmodified=2026-02-11T16:13:37Z 13 + sops_mac=ENC[AES256_GCM,data:hLZ0Z6psu0HG2DRxLG0UnCIF16UQsqyeef9H03cUjuD37sraE5RRptXn+DgDNorSk54hGZudaIYIly270FJxgKjFQ1GpqvHgdgXouvq2zzHK1B9QEDilDhNu4NrNkeANbb5FW9QDfYlBAMx0q2A4aa7QldKkP0zzZyG1t5+8QSE=,iv:VJmFr6dURPbbONhxBQdmTFFhn/lt+/s4Ebmre+94F6A=,tag:cKa9fEIFJKkJzgrfMJnLeA==,type:str] 14 + sops_unencrypted_suffix=_unencrypted 15 + sops_version=3.11.0
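Review bot: No module on this page references `secrets/caddy.env`: common.nix reads `desec-acme-token` from `secrets/secrets.yaml`, and caddy.nix loads the finished certificate from the ACME directory. If the file is a leftover, it should be removed so that a second encrypted copy of a DNS token is not kept for all five recipients. If it holds a different token than `secrets.yaml`, that token should be revoked once it is confirmed unused.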
+15
secrets/mumble.env
··· 1 + MUMBLE_PASSWORD=ENC[AES256_GCM,data:uqUYN1jNGw==,iv:cE40sGxWl+PenP5LDICKcSAfIBCtWs5aYbM47QDFLiU=,tag:JR+RfJOQxcr+MlNvdmIfmg==,type:str] 2 + sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrcEZWRHdlSXVaczBMQUJS\ncjdNTUc3Q25LWkRoblNHUFUxR1VKQll3YW5FClltTkVGYzU2ZSsySjBURTcwYytu\nS2VjSm5Ed2V1T0NHcWsyc3YxdElSamMKLS0tIFBzTGJML3BBU3REbWFub1ZId3RR\nU3BBb1Jna09CbzlVV0VOZ2xISDlGUEEKTqlwcYH13mqu/M6JFPwlyMBchMB+VB8a\njNfu49y3l+Bl7pfQBMxNg5hp1duBe6pTjZfKxNfVGzVmzSM8ZtHoUQ==\n-----END AGE ENCRYPTED FILE-----\n 3 + sops_age__list_0__map_recipient=age1ukx4wxssue9d5y72tt7wk0nqg86wjhcnsy80ky0kkwf5m8p72a7su87kf3 4 + sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQmpQYmlSS0lLdjQxOSt4\nY2Zhbmo4dzVVbWpUYy9aZGxnUzlOeTRkNTBrCmtGajI2aDFuK29LRngwbTk2Z2ov\nckZEZ3VkdkRBNUYySktYdEFiWnd5eG8KLS0tIEJCaHZRcURGcStnOEZWckttRFZW\nSjAxSU9sV2w0MkdFQkQvUEQ3ZEl2czQKXtsJZDEb7F/x3VCk7P5y65PmhtEju4kC\ntDX0llNau8FUhU/E2Lo8fq3dBAAZkDWIMpn7cpsWAjhK2EvxhLhK6A==\n-----END AGE ENCRYPTED FILE-----\n 5 + sops_age__list_1__map_recipient=age1hnzrlvwx7ej6yyg8uvuwmx0vln37n554ksp6ryarne2qhqm2ggxqta3sra 6 + sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUDFUYlFCcng4eG1SMndu\nbFBwdFVHWGVxM0w0Mm5Lb08wNDFqOHhhT3lnCjMwU1Z4M0xKcTk4bHRqTUk3dzQx\nMGl6VVZyQURkdkhkUWM2SjAwdGFPcWsKLS0tIE1sU0FwU2lFdk45NG5aU2dxNkx1\nbFVKeXV5L0o1blZWeUxJbVl5eDhuYjQKbq5NTBdmaCwbxPBJBpPzwsTqdWKn+9MX\ndya0jogDbNX/3cbVjOq5f6jx4gex/uz5ZppXJhAJPzTAl9R2ps7PEw==\n-----END AGE ENCRYPTED FILE-----\n 7 + sops_age__list_2__map_recipient=age1yk9d90hd37thd3w56urke49jdat6yehfj6dsh3m77y3edpy0pppsp5s7wj 8 + sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZWxiSXA1K3NSaHYra1A0\nektGZ2ovcWJsckJqNlE0Yy9HdytSOEdWUUIwCnhoWFZkc2NHSzhNRkVEQ2ZtUlJ1\nTjBmUVlnL2pkTzVkZkl5Qkg0VmU3eWMKLS0tIDZqWkFRVkhtNnc1RDg5cVJZeW41\neVE0OTdVR1oxdGtnR29sbzFKZDlBZmcKqwbYMWNx4uQufQKOv2xiAN0L1Ln8DQkN\nvkqteqnhP1S4j21jkT160BBj0ki3YhJF9OXjJVT/IGX9ET8VIrOm+w==\n-----END AGE ENCRYPTED FILE-----\n 9 + sops_age__list_3__map_recipient=age1h2due5w4mfp9es3p34znk8yujn73n856jrypnwkaszaf66tpma4qv7wajq 10 + sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU3hvWDloWkRPaUxxTDBl\nQ3dnOHlBK3didDhhME4yNHVVOHAvV2wraEhvClVJMHdKVXc5REpIbW9NeCtRRDh6\nZHhhYmVHWjlWNmZneW5oQloyU0N4NkkKLS0tIHp4bUovNmhWWkVZcHo1V2JhM29p\naEplQzRYRzBWeGJ6OTZHMWhKR0JyN1EK0AcptWFtOIoywbIbepGT1wcozGLKU3/i\neC7SKFlyE7W+R9zdq0HRxVzOibvGLR2LOjKyMcHU1x8iOEugOp6Q4g==\n-----END AGE ENCRYPTED FILE-----\n 11 + sops_age__list_4__map_recipient=age1m8hxem565mprflphn5e3yrwxdsz3q06x4nzc6xpju0y6knudfuwsz2g8w2 12 + sops_lastmodified=2026-02-11T15:57:26Z 13 + sops_mac=ENC[AES256_GCM,data:wtwCA9S9XfquG4hQwxDbkknSg2YiHUwV/uBruDFLl041oAeIpqrZQfUZCEuR4C8Ht8j0d4QJoda3VbyVMpSSXXry42GMROthnljWki6VEB8Po8Jn8CtWKae79t4rR1X3w7mIETeEO6DM+E7pkm3cEEOwp7YNpjiWOEBK5DUcUJM=,iv:BeXgqqhn18rvb6LxrGAGrjspPNSq9dYs3wtJzDzQdOM=,tag:KUNsD8Y+yrENLXrCBbA0iw==,type:str] 14 + sops_unencrypted_suffix=_unencrypted 15 + sops_version=3.11.0
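Review bot: SOPS encrypts each value without padding, so the length of the `data:` field matches the length of the plaintext, and the `MUMBLE_PASSWORD` value here is only a few bytes long. Since the ciphertext is published with the repository, the server password should be replaced with a long random value, which also makes its visible length uninformative.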
+53
secrets/secrets.yaml
··· 1 + desec-dyndns-token: ENC[AES256_GCM,data:8LFSK6fGrIaznn+s9ldxNdYXE/34NwyeMhZ9vw==,iv:Ro5BWqXPKBCSNt/oUMJbSaEoOsDMt0e4JSADU0S8w4A=,tag:GQXZA+Yj4zT4NqGezgZh5g==,type:str] 2 + desec-acme-token: ENC[AES256_GCM,data:ou543u/k1uWC5Xg54K/7Q/mZnVdN7GIEea0/iA==,iv:TEPB708bn7uijs+r2Ekn3lQPw7rEdnMiJ53p3CFTwhw=,tag:10qQXFS3aVOKcx6Erxde3A==,type:str] 3 + sops: 4 + age: 5 + - recipient: age1ukx4wxssue9d5y72tt7wk0nqg86wjhcnsy80ky0kkwf5m8p72a7su87kf3 6 + enc: | 7 + -----BEGIN AGE ENCRYPTED FILE----- 8 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY01PNkRmRUJLaFIwWjRD 9 + RHZ2dGxsaUsxRW51VERHdno4a2RxQmFCZ0JZCkEyUk5qMjlUdXhkSW1aTXBiSWNH 10 + amlXRHphblVPZTkyb2VadGVtRmNxMncKLS0tIDJLRWx6V0o1c3crUDUvVHlhM3Ey 11 + aDJNaGZ5ZGJEMUdGL2VMV0psY0NGN2cKOhD1w8vUD/CFz7vzaBQFmw0H82hmfGQ8 12 + camHqoFi1Z41xOrwLefh1haN00EZiqMaVkDxXjuX9E7qJeynmbOslQ== 13 + -----END AGE ENCRYPTED FILE----- 14 + - recipient: age1hnzrlvwx7ej6yyg8uvuwmx0vln37n554ksp6ryarne2qhqm2ggxqta3sra 15 + enc: | 16 + -----BEGIN AGE ENCRYPTED FILE----- 17 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLdFMrUlh2UHRDbWNCSzcr 18 + NnRrY29QaUFYN1YwZVBEd2pZaHMxdzFJZTBJClFVSTdIOWc2dXVYOXkrYTdmZ1Nz 19 + L2VRSUhaaU1hUlF6TnZRZU05Ly9BVm8KLS0tIHBkeFlFM2lZM2F2T3BqSFlRQlVN 20 + cFVlV3BIQisxUFBIWU5JeEJKMkI3aEUKuzVi8MtnJ2nH3ZtQGR6IoQ4NeqY3/CAm 21 + 7LXjwDHDro552z/Cdk8AgDR7mQGMazusgOYSx0jlcZyJbOD9cgfOeg== 22 + -----END AGE ENCRYPTED FILE----- 23 + - recipient: age1yk9d90hd37thd3w56urke49jdat6yehfj6dsh3m77y3edpy0pppsp5s7wj 24 + enc: | 25 + -----BEGIN AGE ENCRYPTED FILE----- 26 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGV2NTMWUvRTkxSlBxb2d0 27 + T013Uit6ZTlrNUFOZndiNFBLcm00cE5mRm1vCnpWREd1d3lONHBYYytQa2w0L0lE 28 + ZWRtWlozNjNDVEZ1elBReVRKcHBvbXMKLS0tIC9jTzlmV2JRbUY1eEh1cGFyWFRD 29 + UjBMNHVONlFkNGdjd01nbEJXR2g1OTAKMJe+Dgndz4uJq8OSzBl2koN/Od+Am1L1 30 + tZ6TNnUG6lPSyzFB7uvo90fMrPwmbOtFfUgu4pJQBN5rwFfIVsABNA== 31 + -----END AGE ENCRYPTED FILE----- 32 + - recipient: age1h2due5w4mfp9es3p34znk8yujn73n856jrypnwkaszaf66tpma4qv7wajq 33 + enc: | 34 + 
-----BEGIN AGE ENCRYPTED FILE----- 35 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzelZsQU1vWS9SRjJ3QmFL 36 + SkFXUmo1VGdCcDYvem95cHBhMXBhTHZsSG1nCkhTZ2MxcnErNGcrZ2JkN2JRcjJo 37 + dkNzWFNwNWw5ME9vM3g1UURlVzg3WUEKLS0tIE0yV01STU9ER3laeFRDV09ZcDNw 38 + VWFzNVJlTE12THJxNHptQlRHV3ROY1UK4RwaohgC8nTpC5mgsH0Jwyi5YSrYePVU 39 + YZgz77KZkXsJwEewbDlTcrVLoIAu3RPsGqAUS/44IYC4GDGgU2leCQ== 40 + -----END AGE ENCRYPTED FILE----- 41 + - recipient: age1m8hxem565mprflphn5e3yrwxdsz3q06x4nzc6xpju0y6knudfuwsz2g8w2 42 + enc: | 43 + -----BEGIN AGE ENCRYPTED FILE----- 44 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTGpaRE5GeldJbStMalJB 45 + SG4wSkNJTWRmTDNhUWhsRUdFS1pVWmtHRzJZCkFNa280YzdTRTZ1RzNjaU5ZSkt5 46 + WkQ5T3RFTU5NWW5PMkZvTEp0cVhFbDgKLS0tIGQ0KzNrVXI5d1BBTHZrdjczK0JU 47 + cXdka1dhbXUzbDRsTlhUbGRsVXlzNjgK1iD6hVbUpwRonRzgo/eeLECI9SB4mduW 48 + 1RejiCfpGsA55eeiohD9s7fK/5bAb67xDQZRGZqa/H4brNz/v7+yRA== 49 + -----END AGE ENCRYPTED FILE----- 50 + lastmodified: "2026-02-11T16:13:56Z" 51 + mac: ENC[AES256_GCM,data:mxvAZ6VnZD51RRPyGEHPD5i9CiZEUuCQ7mgWljtKUZdO6rCvexJeJX4S+6rJsMn4f0Vaw0ah7+iAA3+BMo77UYVeIOZ3sqziy/m0KxQIRdrr9b/MOgnyvhg/EP4KeXcEr2zAXVSzmwKj/aORtWq4KEU4ffVXppy5N70yA2UVU2M=,iv:L4vNOMbswjHNalSDaly61j1x0RllSnq2+q6LnHQ5yfg=,tag:Q6J0+dUYUaElsDWtRJ+N3A==,type:str] 52 + unencrypted_suffix: _unencrypted 53 + version: 3.11.0