+12 -5

hosts/marvin/default.nix

reviewed

··· 42 42 ]; 43 43 nix.settings = { 44 44 max-jobs = 12; 45 45 - secret-key-files = config.age.secrets.cache-key.path; 46 45 }; 47 46 fileSystems = { 48 47 "/" = { 49 48 fsType = "btrfs"; 50 49 device = "/dev/disk/by-uuid/f15e4072-80dc-414e-a1fc-158ea441aebd"; 51 51 - # options = [ "subvol=@" ]; 52 50 }; 53 51 "/boot/efi" = { 54 52 fsType = "vfat"; ··· 87 85 ''; 88 86 programs.nix-ld.enable = true; 89 87 90 90 - age.secrets.cache-key = { 91 91 - file = ./services/secrets/cache-key.age; 92 92 - group = "nixbld"; 88 88 + age = { 89 89 + identityPaths = [ 90 90 + "/etc/ssh/ssh_host_ed25519_key" 91 91 + "/run/agenix/marvin-pq-privkey" 92 92 + # Note: When provisioning, this must be manually copied from zaphod in order to decrypt the below key originally. 93 93 + # That way, all secrets stay fully PQ-Encrypted end-to-end. Else, secrets would be encrypted without PQ encryption, 94 94 + # as age does not support using SSH keys for PQ-capable encryption. 95 95 + "/tmp-zaphod-privkey" 96 96 + ]; 97 97 + secrets.marvin-pq-privkey = { 98 98 + file = ./services/secrets/marvin-pq-privkey.age; 99 99 + }; 93 100 }; 94 101 }

+18 -6

hosts/marvin/services/jellyfin.nix

reviewed

··· 6 6 }: 7 7 let 8 8 cfg = config.services.jellyfin; 9 9 + 10 10 + exporterFlags = builtins.concatStringsSep " " [ 11 11 + "--jellyfin.address=http://localhost:8096" 12 12 + "--collector.disable-defaults" 13 13 + "--collector.media" 14 14 + "--collector.system" 15 15 + "--collector.activity" 16 16 + "--collector.storage" 17 17 + "--collector.transcoding" 18 18 + "--web.listen-address=:30103" 19 19 + ]; 9 20 in 10 21 { 11 22 services.jellyfin = { ··· 39 50 ]; 40 51 description = "Jellyfin Metrics Exporter for Prometheus"; 41 52 serviceConfig = { 42 42 - ExecStart = "${lib.getExe self'.packages.jellyfin-exporter} @${config.age.secrets.jellyfin-exporter-config.path}"; 43 43 - ReadOnlyPaths = [ config.age.secrets.jellyfin-exporter-config.path ]; 53 53 + ExecStart = "${lib.getExe self'.packages.jellyfin-exporter} ${exporterFlags}"; 44 54 Restart = "always"; 45 55 DynamicUser = true; 46 56 User = "jellyfin-exporter"; 47 57 Group = "jellyfin-exporter"; 48 58 StateDirectory = "jellyfin-exporter"; 49 49 - CacheDirectory = "stalwart-mail"; 59 59 + CacheDirectory = "jellyfin-exporter"; 60 60 + EnvironmentFile = [ config.age.secrets.jellyfin-exporter-secrets.path ]; 50 61 51 62 # Hardening 52 63 MemoryDenyWriteExecute = true; ··· 64 75 RestrictSUIDSGID = true; 65 76 }; 66 77 }; 67 67 - age.secrets.jellyfin-exporter-config = lib.mkIf cfg.enable { 68 68 - file = ./secrets/jellyfin-exporter-config.age; 69 69 - mode = "444"; 78 78 + age.secrets.jellyfin-exporter-secrets = lib.mkIf cfg.enable { 79 79 + file = ./secrets/jellyfin-exporter-secrets.age; 80 80 + owner = "jellyfin-exporter"; 81 81 + group = "jellyfin-exporter"; 70 82 }; 71 83 }

-19

hosts/marvin/services/secrets/jellyfin-exporter-config.age

reviewed

··· 1 1 - age-encryption.org/v1 2 2 - -> ssh-ed25519 iqBxIA TYkyDIP1q7bJrSI0YsLBg1F78NF0AnWGTDBL5EdkexI 3 3 - wPDeCC6nUE2Y0xzepEc3p5DM4W5VmXgoUQ7Lxe7pEf4 4 4 - -> ssh-rsa fFaiTA 5 5 - OAT8CyT8DHsr5gkiqhaP5eg//9BAiIGFbiYtr3Wyj3gRv91qsjtRh+MKggqysSPk 6 6 - EN0z7NeoVujFe1mF3/dIFrQD5rcyVSomOnGytmL6R1aSDP677S0JoXUi1RaYfyYq 7 7 - NE59VXK27kCTwsnsD3F2Aish+xmYvBTmUSHDXU/DtKGRB7vgqRSBlMUC9nHCKYvn 8 8 - 9dBC7gzikMRBNJ7ciOLfB1m7cR3A31gw+4OpUYqlLXCvfdCuh5QPhToy4VDPFZOq 9 9 - 5C4upvtK1qcyy8ZBLL1mwfLpP79t9NIHZnbg0q5fNwSqUkmGfV+mAJHKH5bZMbxB 10 10 - 5soPF9yV3mXqXbhl4xEhOMVd50LJwE8t/CyWqkLmZ8CmQ1UovsI4qIDEXP3tLSmC 11 11 - PAT/RYqw84Pzb7Yd8RYELWnbWR/4BbzjkR5rbj7sklSo55be+A0N5YoWuU1ApBR8 12 12 - 8LKCKJMzaWnfHS6WNeMNHHP+j7SlBlKnqJWjbjfURJG1HyRx8TIJZ40jZUzfeFG1 13 13 - W4U0RFQZ83d6vz4MBLa9Fk0ms6NyJoO+Rgh0Wl45tritHtkkwYWyxxPL2yPivQ/w 14 14 - NDtBn08eliJzxhAGz0pAHETU8aHgNkLAXbMGku9U/hDaQ4XjGH3np6WOjwnCxJ0W 15 15 - W7ChuMLXcD7CopjGkJSwTUQB3W1McVLQ34yfD7ZroJM 16 16 - -> ssh-ed25519 wpmdHA JpxYf1dtrdlZEx4E8Su0scbGteAREMlKJ3OHfqDWyRc 17 17 - /ZVDz4HSKPT6OyeryIEkfplDLN2XIWm0b4ncg/xezfs 18 18 - --- oY4WmthKy5Ytp1j3hd81DRGFW1A2818Wr9pYmc14hRU 19 19 - �;�2����}�O3h�u5����缻�N��s}oVU���@��嬝��L�at��8�x��P�R��d�Rx{3�b��?o����x8`��V ܬ�"*����e�� #NV��?���aP��N��Iɥ�j��S��y3�i����hgп\�D�b��1;��\A<d��f9����A�g�J4؞��R����'תs�COCs� ���ŒN�v�"��vk>8,�DR���

+7

hosts/marvin/services/secrets/jellyfin-exporter-secrets.age

reviewed

··· 1 1 + age-encryption.org/v1 2 2 + -> mlkem768x25519 j94OOwqci7yaNckcJfJ9olSadlOlhzoif82EunimwNwgOT/ZkEVDDAxArp/WqhQ8gsDs9DZU2H8W0t2SI5gU89nnxYnNXEiVEPV3fTBmTAwsm/6951VywqSz9cILJaiD9LTjrrewndc8BQGKpFKcZJyiIP+k1u0P8MvsvwIgse46CzSjCRJD7xUynhxDC2XijKvguQWWOEcVhz7A4RhdLDn5Ay6WBm+yefQ7kiZqX/SGOZcE6Xdgoriw60JmmqK44wo/PhY1ZzZhWmJrzDhmb8ju0hLUUKkdfrJkv4saHlW1Ocv41ouHaIyJzeebRwmvwv5ITxdq7nMpNJirGAxMxleFs9cCJsgVKXbAIGPpXyTiY1EtBmOJ7woBtsypZVeHtaVSwyya+y5BWWuDueKMI1XHGKouMeET7C+wI3s5dl/loNUgxWk5nuthslVt9CGh6FICsBXhX5EVc59PzzUQlFIKsh7TQ21T4SaUbDmsF8nnxYqbhT75j8BmrxWdAHqvnVzkWbY0Y9KCVeQ2hkXLsfh8ycYAitU4X1R4W5ofGmoAgfZIEzD+Xd0qnOT0jm1yRvW6Nn2uek0ZVNAJysF39FDSOwoyT1ZsMOLm69Ay4UcOT/PLA/yOvTwY1A3FALei+br8Jb9EmuDXzL9gqUYgOw1W0Dv7UbXGiRP/n7pBzaxm1i65Zs/OBBQ4eAQESR2EjdJlIV+n5mtXH1U8x4rvRk4GAG9NXGlWNmFIot5W1i55k0xpyJN7/jWv9KZ36QNpjTWlIwhHVTIt1kK5NkAQHgXhDlaGWfHkjMmEeISXXtfgtXXpHrlIJOFY7xYSDW0O4NL3OemsuvUvivvWHwOP6UhJhmf4evQTGqFGlvSt/6M2c9ZHZHh1WUWgj4nMQJlwCKk7BrrAEz4UmbEv8jiQu+6lcnM2JIlnQvT9Xp/aeu/IMzfpMTdlpYKdHehgGEzvHJMsD9l+3aTFpGLiyBC1tBIycl3Tg4CxHPDyQp+SmD9yWt22OtxxVSYJInEgxTuh3eeYBvoJT05IZ1cwLYuhtjhmQr21KKE2sGgMviUo/F1OJjPr1orjYJ3+gHUSxi6XaFwtQwVjA6ggyZl+qi+ThrLbpgMooBHy3EUGivbIci48oKIbkdKxfqMDqYDWyLVpT2lDFv5lOSX4Kh9QBozgAOtCnLCPXA78+MMMHSJZ/epl2qM5bElixX/WNxLXB+mrz4BGDxPWkAxEa7croL2jl9UNGq1F7ds/9AXn0ObZZP/p90LYI+MHJOeGkY3gJ5EM3t7v/UTw3guOIfoGQ9gLiZCiP1A2LZLcnfYm5G/AaT0ayGW97gzGS6YcGIOO7v4LQhxca1wYonjUcwfzWPui9GGontSGMzNy0MBnNgqIzhTU3iC2/orE363BY8nFs963wDtSBCHnwImPFP88NySGMxWz9fMah67bWmtou0NJKlsupegPzaw2ncyvHmnsvksqpup4H46VD17DwrtaoYiJAg 3 3 + w19XLiKNk/7j31i2WJldC8uyeR9BMRGRoTip/U5vi30 4 4 + -> mlkem768x25519 +DZxHu4/QaYBe+CZ5w1ZftnwFmNYMfdcqVrNSme9XKIPqsdCjey853LR9m8am61D5FSmQGrMvzSRK0QTQXVPaCNa1eX4+zYsdQaNt2vYuC3gfR0YMbO7n4ro8UE7lCQFnz47Gtc9e0oUEzOsgnJAL/t6AOh4GdUax7bnL3OnEI1tVxF83tLYifwhW1olYakFULjT7H6uPuB4Wo32GkFEufhi6a9xoHAlfFyNaEgL0jmmB6jeqDJM2gix0SIjTZphdxHTwTFvZEa+53hvt673VtU7o4VgEwHlklScHj4uoQG/2aKtHJU6mXql89sv2EjaIfsR0otOAuXGaHdZj4hpevnZBuMc+889IYs/xNDVl73IEcqc+HE80YRh9bsKSJtr4BeyyKa5bJofI1jdoftetltrpeImDUDEdL8cVLN5mRs61n97KVpPbmRiNnprqpmekeeWyrgBLQcQm5nPTSQJKvLTh9hZx0LzsSQE1ZRFW22XFguJ0RXTIyacvBznJmWhIcgPmElwN6U62cdFNIEvpR7R1nBYNONFvwJ6ptMO7b2SKse95yB3UmZvu8+5f3G2Arjy4FiBc07yXn0nojkFWFLSl5qP4WdALW1EmFvtuRXcT7gwHutngY4W70vTllPCmA+OTfkOMXfwvlm1Z9MM0NxnVVXZgsaBjD1dAac4PcZSZP6wjTKjoatetXrz/3JhaEWkdQXkFhyxSxxL34Yroy4qxsMUfN2cnlKv5wSgD3gSXrQmmHgjle26KSxpWizzf/QlaKHjH6dkDot/kg1QiGaqRSEv8/4CQ/bJyvFvBp0bFsndBYsVYDI8ySBDkW31OW1kc5Ljk2w5okTTisLCsue1/nciO7uQ+XMYSxiY+0s/EEjMuxKfrMmfo9amx2pgpbfczOWuPtU0+J4LSRnAgkGLnJ1dZIo+d1DJoP7toatUWXmEiMly1I1jNu7nojPI5eOlfAioFe/Gko2P9N3iFotUhSXSCP0Vi6cm33A16JW1xpjExeDz0SsiS0FE3oLX/N9C6dQ1ZpgQgk0Dm0TcjezPeQrMI6YCFyPmOV3dH7lKC5WPg5fPKHoB8cRIAFkx7yJ3ZBHQTEQDCv9LRL+pHeA5USXmRLfpRt6S2kUUdUuKUdMDMZZjaYGM1KSpo46YYGK7fS/41HGJ2mYeUD2iHVI5P51A4oe343Z7XScnM8cyLYdrJq7ghPn4R38p+cnCL4dENh9Pm30Weg2TtfgrnkjPoK9UZ+k6cqMbV46xiqrRwJqhEv7q7e55SaZ7CRiWKVPnT0jFHlqCzCIYdgx9KQi1uL6PuyAoc9T4nVixaanjkLTrdvCXAevanbaUSyRghanNKiYDU1pmMjYOSI2o0k/FMlZIYZIXgOrE1Ac0CMBmVbGu1lQ1PhRQm73+1PkNid9JeBSw0z8K7qjhkN/3oJEE5+S+c3nPBzBu5AN3jsS6y8M2uX6G4Oqv3kSAqjKI2TYwwLbmFH8dMsMt6pr/Zw 5 5 + Fy7tgZSD1w6TWfoJ92PJ/vTBMC0BpsaD0+XeR1DTyIw 6 6 + --- PoMqDYxHM9zBJeCU3FEWXs2x4ItzH+FMbs4VX6lnrI4 7 7 + � �`_s���1��5��6����v,Wڮ����)�L��A���Z���o�\������_�\�mk
���)$DŽ��&,

+1

hosts/marvin/services/secrets/keys/marvin-pq.pub

reviewed

··· 1 1 + age1pq1t5c2dpjscn4ez0lgxkjah9zw0qr2jkcvnkrmy0hvspx2p3a26xyrlmqhqm70xyl4jrzn4z7t4d2xc0zue557wlffa9vuywjz25a9yfzjpjzccrk8c4eduj55f3g6sn44dv67yj59jc28t4kvxq6pdhuf9vmkqta60vv2n59eezt6zmpyhypkkuhjtzga8f2zgcexlc4ugr53vwf423vsnwkgltqqgynfhq2rvck09q5kmau2pgr3kvz9h4mk3qk2jze4869ayd9jknt9wgz8gxu0mpgztvvmrkct5mfmy4npsr37vparxus50sfc4aty0zjn0vtuxzfqrg25qw6vysyyh0wgvxa08zuj72k0lt28vmsszmhrkzkqpydpuxnygmyp6y55qr5l8wu9fy2m4j7yn3r8wz9tqac3tyhkw7wqwdmfvccem0wknu70cgpjtgl35trqduwxndz9cynx0s3gwez93kqxzvmy3ulcwtjfhff9cjayt69w6a9tvnu9dphcjth9n3z54drdp292a3rx9fuucfqhldajlkacpxxqvwgcsmhc2dpm58qxzcpeak9ujsmxpcz5nd6m799mvveru9ve2ygpp03sr2xcyqa2vwz2jxfzgzpfvqlsesq7je8nmy3dakc2utcgf7umspuahygqskpcpnstq7jnc34l5cfzcxzuc9s6vh5jzd9fhw5gtsw4upqes2el75npneatk9q323ufufxvkz5ltud85zkcfamahy7gh2xjea6r8zu4m6yhguj79gm59dp7z66l2yr456qrcda9xdj9pjgqcd3wpasg2zh6jzxas6r2hycg3zz0fa9trdjtwdeeep42knrmdtpzu82yfhtqvncur9euyyqxwdcf7k6hggrv82rc5ljk0yh6epz67v6hane6eg7nq2acwksrjakx72fej3xjvm93nsy0gukexwtv0quelq6jsuvnf997xwkx7qg4mlf65m46yedav5v2nqc3e3yg244cf3smq82qfstrew4y763jnzzzf82mvyq2q46wvjdxpenkl9avv7n5nrpwx4pjk94n8e6zvvj56u73c5lfn8yt2q0x5g5z72vzwmq8wx8ywcmu78rcp7az8a2hftvhhz88sefrrry72yyw5tkrqx3xqyhdc88mxdqf7ysrqnmgllvyzfajnr8r9xymvfjwsf5zrpfzx9tdwavwup44mgremgfzld8394phgkmzjp9hujfwdlapxq94dfgx2edax2vd0zre5ljqvx48nycrqahu75lumdcqgd5zgxpydz26tgehwy2zx4a5wtwvp92ye432zxvlexrskwa9duaqkfmjv25sggpdrzwztpvjl6uy3t4ufdlj9pspjsmrm9kwthmxz2ehw47th9prqrq570zpplek69fq870eew2ffdgfuh94q74nm9gudpne4rh3ppyfq3m9jugvcxf8yer4545tvaxawezecwn675ju3nqqcfx0pxt5ww3t949sd5n54l6eyd5vv3mr0vnlynp60vczrwm82xwvqxhcjamekgjs9ftgeer50wy8qahm7qr9y8uf6xlud6txq4ahzk8ta2quwwt6hxe3quxhynjkrdxa02tpxxfq4jfk0n6xn02jlw7022jty0n6tu2ued2hqwz4wpetdcrstvqjrhhjzzpgqt2cap9dn7ndvnwguh7q5ag6x9kpk47xlwmav6wxt034sxn4gn68c4vr92yxyrvv6pdpy0pffwhhu6nct2gtrnmf7zj2npn95l6pgjuwmgpduhwtcsxeqcscs8xu32njyv58uwt46flp02475vcm6w6tdx3dwzf8t22cnyj43gkesqd6v4g5q5zkrpqqqvw8hq0959rk2584wmu94ce7pd3zqp5m5cs299rk9aqej5qfhvv8wvd3ae5xseek85x520h2

+1

hosts/marvin/services/secrets/keys/zaphod-pq.pub

reviewed

··· 1 1 + age1pq1jkpxwtaxq7l6xuyfhdslnyju9pnn8fc30c9svpwv0ff90dwtq9pfdezr5v6cxtglv2ckhs9pwrmpjn5gv5fnf2ssg2dfrjf2fwd9q3ytznc74fq5x93j5ydrkj39t25xgm9k25ztxz47yun2zrnjtkd6pzwn9ytx7zmsuzyw0j7rfxnt2ehggqpgjm8lspn2fjdpqgapnjlaqd8gfwth7ysv0aetumkudvcus03p99tds4emjsjt29pqy9yvw77jz7ydmkf3dqchr5ak84hwd0rww3v8ja6029j5naxcguaajkzgrfzw3lyksgut2gdkf37cxfse55g8urqjtpk2eazpkk8fe8njfjel6kfcct7ttmcnfsvecsh9txqvjd687l6vz7cpwqsyw7tw7j0hfxwft3dy0vwrxzxdsmffj0xmyg6lhw3uj25t5wkfsh2xzff2fvwvxwazqvguv9u8gt433yxc8mqm50dctjhv9vkagwg0tge5cq7swy9qdh9hgxelzt5yl2syp533hkmsaqshhau0gkwjlpjx3uyxqzu9yq2fh0a08qywgap0s2xy8qg939rkkqm6jjzsaszsvv2ank4pezr5r6eufznpnsvy00r4wk6klea85vmn5jvelw5tr74gakyvjjshz2lccgdg677056p3ys5ncgghndkvqg4ll25utadljav4u4nrdywfrw0nv9lykqzpgj56zhx2gdmrzqupuws6r5k2sjghxgn9clc3zz9adwypvdzjxzxv6fwuk44jqxt06sfxwky93rx9wpp44vvg30fka3qtu750lnf9w9txkzc5dq7aq63cy5ztpxrnjt6gpr72sjgr4zfx69quacyxpyxxys03yg3uxjwyk7qn9q54eljx8ks44frplztc946nvgq42p6sq5kahrfmqsmavfjfkmr6mpv4yqkx2ftmm37vkeencjg9ar249yvpgpd6y4yn5nz9q849vag6xpu3h0hgkg4uvggw9ppqqevyvpqt3nk9gdksapqhrcstulttdvgm0yjuy4fgtd9lyhfcnmkt9dsuzqv5w6zxwa49esd8kryjqlad8yh3z0yjzxuy9l5z94t5w0my8pt3wkkzyj4vq3ptdmvkqmya2ykfve2eh9u5y04rtstj809w5yrch30f04jchtrfspjmj677nqx9570m33eaf5mutq84veypj7tq730h94cdlvc57xlsrqkagmnauspnza4f06thx8puyrjl4y3l2p57cs5dvnkxz8l2frcnkue66ugdzf4g2w4el9syrp32vuynyv6tdrz34lmc5569yy30ftulz8pk2958eeaejpf3jfsdjftmm9u55vuluuntwcngkfdx3r4hk36mwjepu2dhn2qr2msa2rtqdd2r5620ypmmpl7ukt30ch6xdtqhwezsql9yzwsyfl4rvkw8chrmhkfmt2zma6csc5h6eq22mwekddst6nr44c0gfuvyk5m2ypv8ad5z6tqgwlw3hzjqe29zp9jzq2qtuukf45chrvp7w85649wx4s3j27dn9py68va68stjqa6dq5tj8pm9kddxq534g0tmvmqdpx69mvnc4juckpt0kkhxzypglzqsavn2tuke3uxuvnf4xcyn2d2us5vexwmtxkcg263y42ss5vskunggcxsjx65r3x0evvdzcd9l33zerdrhxr425d3rxpc948pu762fr5a89x7pg08rysms4cp5r0g9nzeu4r9chsjf93e9q962v7tguquzj3ku3qe60g5te69k97r9tauryj2tvegvy6ny0ddh6zrtahgvqp6tsfl6sz25d5wrs53zsn4nne73wv7dpjkereexls7pkevrhrzrmyt0lycg4x47s4srp5ecwrn0jny069jp7w5cj3j78eq00s76fztp4acfsj0hfuszvld6

+7

hosts/marvin/services/secrets/marvin-pq-privkey.age

reviewed

··· 1 1 + age-encryption.org/v1 2 2 + -> mlkem768x25519 qFe/Qm0hD6Jr6qJH6Aum6IXPPy90L0evEGHfg0uLcKioldyrKWIdbgq8STFV3pz9IHmXPkEYWVgzbHxBdvicV2BTxlO3nubEtjrx8ytXORy6mo3kHiecOLJTCptCIFIHUhlSLTnLqIEEMlSz3xLmEAdkuHEcE3SDOF6TlCd3nal99dAb++iyN4vaiMlRr03gyWioUFkurdnp4bquRm7xGb1LUREG5TDYrcTBUmIlrqcTNffS0BJ3QinAEjfIqhhf0Rtuc1OBbEoLeNNXACTnNAsb5yoepf42nElZXmFooaesA90vFv1lS9Wm0oEU0tUj4Ur/9+yoz86XCFrFHAqHjGOuY9yIQbp/ofD4M87Tp1X7tUxxgUkIXM9mGBGW2/VLXINujgxMpWMmTWY0PvMVgRAUxwn9M2aboSuepePJ28yFQ+jDL/M9R/kMw/3EoPpcg3hvXu2cApMYbEDJk5I2qb1GR1Y/wer10SvsqkOx6l2gPIiahKMAj7foIFzKBDZzNYi5P3fMbA2d5IX8ofbf+Gp+UsZiAs5Faqlip57V+LQe+/7N0eAMFzADENAJHxYamgPJEPYk49C+y8+PRQSCKQi/IMsLeqAB+817DbQOQKVNHJdEonxXGPe50XfAc7p4jT140w+Od5kSShOJ0ge5NpMztEC/ycQ0Q+1oFuXJSh637GQ8ro5RvqL70rKJNovwbUnd7oUTKcKi72ctJTC2GWzhS7JpMeN8aaN/8mrCM8M/IXkhkiLqrjDV1VI7NTz09E0ToGyls5P1MSNoF0eUAJyrptQukJ63ZSXYiHy02Qa7znBuFyFeeRxcSt81FLkDkNouRHmqlzr0dujInpXvKqmblzph5eCI54QDUrzJOHrN5BYY095V7F4jzlOUeGy0EcJrb1LIXv360BZwB89IktVQHFbzFs/GRgD7RcZUXd57wawBexvzwttT/Qm6MPNl61cPu71a8kFbP5i8tfC9QbTJW4303NkN2460X7fz2Vjrw4e2trYTlJOQay3Cqh/MHEfb/iFAjaVcYRY7dwtL1xjv72DlSAhvoWlmEkuzU5zBmtpsJm+AV3xYx8MU9NdXjUKkLzk/G4e9t1kb7jV/5hUbh46dGk9XVDtCHkFIX9uV/1fJXXCvy77ZqaNUn0f5RRstHerJax2bF5sj8w7YTotBXOuXgC3uTR+Tg5UTw2glKIjeCDpPV+VuTPCCo/b/ySF93Hd0mAExUyhEPTuvEve1OT2jpE+YX7ok1mW7n49wgNyshAHpsCQHpPmbPyQdEGpjS4BdKhBCN10G0MumWkCQmW49IYh8WzADjJ52F23aSK9GdVu4GlCM9soNKKCHKOvjMIhEIb3BYdgTP6iUzQAinFeLApkNEGyvwoAFmiVQJNBPUbPESxDs63JyCCw9ff9MjdvQ5tlIXlx5oFuHgLNcJ1UGOfv77vnWMy10MzhPXpVUkAuDYjd1kTNeSBBKktcGscvyLG2z6fDVjKLMdQ 3 3 + umcG7wZtfp2rot49havZSJwsx1fDXk3UEbHj4xe+aKY 4 4 + -> mlkem768x25519 PhSbmDRGp4G7XTkKLn3QFVn1U86KemsqgE5PLQvknt+IyyFacpfxXFqWVSDJSkgu+h8dTWRushp2qq6v9WuB8YjvPoAhNM/jDFdPqhmuxRFqdPMs3oB/Hv9Rv3QA8dZnuW8fgYAl17qsCQalKXasLgY7OZwdmY/+2YsgMHbBVdPPeV5bIjOd00bV8v9nc4oJ0uZDcJv+41FsKiJz8B57OYLvvffd28K/tSDWp1Rl/gayKsLlSiihtkjxC629u8gtQhhhBDfuwmtaXMWyf2d+u2yReRNf+1ARwPExfEb+pCXRvGnvZBBNwKeZ7VFARznEDzqARX8ID8Sqas5sPfBVGjgwBJrkYVF5vsUEAghoP/TFYaSqXDRFpR5Py7+Kr7HbkC/4SmMq4ktsebSRyJDoGM4EaQbQjjP76QM0RHToEXO8f8FUVKyo7G1KLz06XwegH1wgKrohhfTEKPVkhd6XGhb4Rjf/Q9w22G+mF2DLOpUOwbDdQUsKIaNV62gFbHJn6UmwRY7lph2Mgqu/jso/hZbZ1TV11qQFN9X46tZ6sIVV/boXw53pnlRTmJoh+/1uef+g1nswpko55Q4a9Zl3/QTPRtKIJ6WsstEJZUcA2czZdJIpOX4dlzzmsEfmkVX2ypLCdqVHRF6VzQVQThmmYU28YWYZlVMS0cS5VINNQPTLxHAy2Tn29FmC8jBdOGU29VEBh6dfLeNu44gTcssWKFAyskt1GLYgDottjVNCAGoOMisEW2UdfVQQYi+RdP5w8l0JZ0y48aUzFmrdtfoekrApJw1NZg13OGlUFr5VkKWgvdnnfNVBNLKOIAtI5Xl3WOQtvOsSLxmcHK4mG4Y9te+btaAtqEi9N9swW7SfZ2Sg8WL7x25VOxc9RO8JZZUcerPAkHvPa57PZBeV5mwDiK+8qmvZrh9l1bIrGofj/dfhcY3ETVUippFfua7Z2MIPIsvGzPdn1Yv0sOmDCOpO1sCtZpG/ybZ6l0GhlhgWZdGu9xFw0nwvO/hYTfeN8ti2reIXVtKNsV5gUEJZi3nGivzWDKrgIQl+/LaffVFY6Wr0ayEXbiHayEnLBy2FARTlh/5eSIXUlFlJtqXtjuST+m5nxAsAVtWoeEevRltoDk9kBVaAjspf31ohKzerZ5niiAbbDnUq0n/9omIYL22drxBwiCVq0RcTn74cE4m2n/VuTc3GgTa7dSSiS5pOF7r9AbBMgggZuT9hrpWAEG9rl6BsAvJp28Hxrepnds2mYZj2NFp3NlxHuRVG6OvMuLn8XA+fhDizszYR+nfT7dBjadNkQ0vxQr56mn5ck7J1RKUebYBt85ddIUduSEr/UItHp9jSPtrq1FBORFfbZvD6YskjkkyqZ6ZbPQKuUQ9CJiT/YwNZacJEfQeWwgHknLoufB87CRVP2Kl8vQkvPn5Nw2Ra+Nuqs1VvceBoqaoffMzIP4A+9UdCrGGxS5CqhFf5ucLiJj1Mm4EN7+AiZzxSTA 5 5 + Ykoj3OScFfhJRGJz4oK9j8Q0P00VvmbyOAdNrPVmfnM 6 6 + --- tTsDTFdMdJLcXdEl1EpOKNW+7jJvblodWw1myEgWnLA 7 7 + y�NQ�����5��x#�y*^�Hr]�۔:�n�|�Ø�E�����I �=CZ�
���޼)T|è��s�_m��B97�/u)6��Cnj W���l/�&Y�+δ͞

hosts/marvin/services/secrets/miniflux-admin.age

reviewed

This is a binary file and will not be displayed.

hosts/marvin/services/secrets/pinchflat-secrets.age

reviewed

This is a binary file and will not be displayed.

hosts/marvin/services/secrets/planka-env.age

reviewed

This is a binary file and will not be displayed.

+21 -5

hosts/marvin/services/secrets/secrets.nix

reviewed

··· 7 7 yubi-back 8 8 ssh-new 9 9 ]; 10 10 + 11 11 + # These are the private keys for the post-quantum encrypted secrets. 12 12 + # All secrets will slowly be converted to use these, but that will take time. 13 13 + # As I do so, git-filter-repo may be used to remove the old secrets from history, 14 14 + # as well as rotating the secrets as the original protection. 15 15 + zaphod-pq = builtins.readFile ./keys/zaphod-pq.pub; 16 16 + marvin-pq = builtins.readFile ./keys/marvin-pq.pub; 17 17 + 18 18 + pqKeys = [ 19 19 + zaphod-pq 20 20 + marvin-pq 21 21 + ]; 10 22 in 11 23 { 24 24 + "marvin-pq-privkey.age".publicKeys = pqKeys; 25 25 + 12 26 "anubis-key.age".publicKeys = marvinDefault; 13 27 "golink-authkey.age".publicKeys = marvinDefault; 14 14 - "jellyfin-exporter-config.age".publicKeys = marvinDefault; 28 28 + "jellyfin-exporter-secrets.age".publicKeys = pqKeys; 15 29 "mail-archiver-secrets.age".publicKeys = marvinDefault; 16 16 - "miniflux-admin.age".publicKeys = marvinDefault; 30 30 + "miniflux-admin.age".publicKeys = pqKeys; 17 31 "../nextcloud/nextcloud-admin-pw.age".publicKeys = marvinDefault; 18 18 - "pinchflat-secrets.age".publicKeys = marvinDefault; 32 32 + "pinchflat-secrets.age".publicKeys = pqKeys; 19 33 "planka-env.age".publicKeys = marvinDefault; 20 34 "pocket-id-secrets.age".publicKeys = marvinDefault; 21 21 - "shelfmark-secrets.age".publicKeys = marvinDefault; 22 22 - "vaultwarden-vars.age".publicKeys = marvinDefault; 35 35 + "vaultwarden-vars.age".publicKeys = pqKeys; 23 36 24 37 "buildbot/gitea-token.age".publicKeys = marvinDefault; 25 38 "buildbot/oauth-secret.age".publicKeys = marvinDefault; ··· 46 59 47 60 "paperless/admin-password.age".publicKeys = marvinDefault; 48 61 "paperless/secrets.age".publicKeys = marvinDefault; 62 62 + 63 63 + "shelfmark/secrets.age".publicKeys = pqKeys; 64 64 + "shelfmark/oidc-secret.age".publicKeys = pqKeys; 49 65 }

hosts/marvin/services/secrets/shelfmark-secrets.age

reviewed

This is a binary file and will not be displayed.

hosts/marvin/services/secrets/shelfmark/oidc-secret.age

reviewed

This is a binary file and will not be displayed.

hosts/marvin/services/secrets/shelfmark/secrets.age

reviewed

This is a binary file and will not be displayed.

hosts/marvin/services/secrets/vaultwarden-vars.age

reviewed

This is a binary file and will not be displayed.

+1 -1

hosts/marvin/services/shelfmark.nix

reviewed

··· 53 53 }; 54 54 55 55 age.secrets.shelfmark-secrets = { 56 56 - file = ./secrets/shelfmark-secrets.age; 56 56 + file = ./secrets/shelfmark/secrets.age; 57 57 owner = "booklore"; 58 58 group = "booklore"; 59 59 };