agenix: rekey secrets

Signed-off-by: Myned <dev@bjork.tech>

README.md

@@ -8,9 +8,9 @@
 
 1. Clone this repository
 
-   ```sh
+```sh
-   git clone https://github.com/Myned/nixos
+git clone https://github.com/myned/nixos
-   ```
+```
 
 2. Enable [Flakes](https://wiki.nixos.org/wiki/Flakes)
 
@@ -18,59 +18,75 @@
 
 4. Create machine-specific modules in `machines/MACHINE/`
 
-   b. Machine configuration and hostname in `default.nix`
+a. Machine configuration and hostname in `default.nix`
 
-   ```nix
+```nix
-   { custom.hostname = "MACHINE"; }
+{ custom.hostname = "MACHINE"; }
-   ```
+```
 
-   c. [Disko](https://github.com/nix-community/disko) layout in `disko.nix`
+b. [Disko](https://github.com/nix-community/disko) layout in `disko.nix`
 
-   ```sh
+```sh
-   # Verify /dev identifier on machine
+# Verify /dev identifier on machine
-   lsblk
+lsblk
 
-   # Verify EFI/BIOS firmware on machine
+# Verify EFI/BIOS firmware on machine
-   [ -d /sys/firmware/efi/efivars ] && echo "UEFI" || echo "BIOS"
+[ -d /sys/firmware/efi/efivars ] && echo "UEFI" || echo "BIOS"
-   ```
+```
 
-   d. Generated hardware configuration in `hardware-configuration.nix`
+c. Generated hardware configuration in `hardware-configuration.nix`
 
-   ```sh
+```sh
-   nixos-generate-config --show-hardware-config --no-filesystems --root /mnt
+nixos-generate-config --show-hardware-config --no-filesystems --root /mnt
-   ```
+```
 
 5. Choose profile and add machine-specific modules to `flake.in.nix`
 
-   ```nix
+```nix
-   MACHINE = BRANCH [ ./profiles/PROFILE ./machines/MACHINE ];
+MACHINE = BRANCH "ARCHITECTURE" [ ./profiles/PROFILE ./machines/MACHINE ];
-   ```
+```
 
-6. Generate `flake.nix` with [flakegen](https://github.com/jorsn/flakegen)
+6. Generate and lock `flake.nix` with [flakegen](https://github.com/jorsn/flakegen)
 
-   ```sh
+```sh
-   git add .
+cd nixos
-   nix run .#genflake flake.nix
+git add .
-   nix flake lock
+nix run .#genflake flake.nix
-   ```
+nix flake lock
+```
 
-7. Copy host public SSH key to root on machine
+7. Generate machine SSH key and rekey agenix secrets with added public key
 
-   ```sh
+```sh
-   # On machine
+mkdir -p tmp/etc/ssh/
-   sudo passwd root
+ssh-keygen -f tmp/etc/ssh/id_ed25519 -N '' -C root@MACHINE
-   ```
+cd secrets
+agenix -r
+```
 
-   ```sh
+8. Add user SSH key to root authorized_keys on machine
-   # On host
-   ssh-copy-id root@MACHINE
-   ```
 
-8. Test and execute [NixOS Anywhere](https://github.com/nix-community/nixos-anywhere)
+```sh
+# On host
+cat ~/.ssh/id_ed25519.pub | wl-copy
+```
 
-   ```sh
+```sh
-   nixos-anywhere --vm-test -f .#MACHINE root@IP
+# On machine
-   nixos-anywhere -f .#MACHINE root@IP
+sudo mkdir /root/.ssh/
-   ```
+sudo nano /root/.ssh/authorized_keys
+```
 
-9. Shutdown, detach ISO, and reboot
+9. Execute [NixOS Anywhere](https://github.com/nix-community/nixos-anywhere)
+
+```sh
+nixos-anywhere --extra-files tmp --flake .#MACHINE root@IP
+```
+
+10. Shutdown, detach ISO, and reboot
+
+11. Remove temporary files
+
+```sh
+rm -r tmp
+```

machines/myarm/default.nix

@@ -7,9 +7,13 @@
   custom = {
     hostname = "myarm";
 
-    settings.networking = {
+    settings = {
-      static = true;
+      boot.systemd-boot = true;
-      ipv6 = "2a01:4f8:c17:321c::1/64";
+
+      networking = {
+        static = true;
+        ipv6 = "2a01:4f8:c17:321c::1/64";
+      };
     };
   };
 }

machines/myne/default.nix

@@ -4,5 +4,16 @@
     ./hardware-configuration.nix
   ];
 
-  custom.hostname = "myne";
+  custom = {
+    hostname = "myne";
+
+    settings = {
+      boot.grub = true;
+
+      networking = {
+        static = true;
+        ipv6 = "2a01:4ff:f0:e193::1/64";
+      };
+    };
+  };
 }

machines/myne/disko.nix

@@ -3,7 +3,7 @@
     disk = {
       master = {
         type = "disk";
-        device = "/dev/sda";
+        device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_53186364";
         content = {
           type = "gpt";
           partitions = {
@@ -54,7 +54,33 @@
 
                   "/swap" = {
                     mountpoint = "/swap";
-                    swap.swapfile.size = "8G";
+                    swap.swapfile.size = "4G";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+
+      myvol = {
+        type = "disk";
+        device = "/dev/disk/by-id/scsi-0HC_Volume_101412796";
+        content = {
+          type = "gpt";
+          partitions = {
+            local = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"];
+                subvolumes = {
+                  "/local" = {
+                    mountpoint = "/mnt/local";
+                    mountOptions = [
+                      "compress=zstd"
+                      "noatime"
+                    ];
                   };
                 };
               };

machines/myne/hardware-configuration.nix

@@ -8,16 +8,11 @@
   modulesPath,
   ...
 }: {
-  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+  imports = [
-
+    (modulesPath + "/profiles/qemu-guest.nix")
-  boot.initrd.availableKernelModules = [
-    "ahci"
-    "xhci_pci"
-    "virtio_pci"
-    "virtio_scsi"
-    "sd_mod"
-    "sr_mod"
   ];
+
+  boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
   boot.initrd.kernelModules = [];
   boot.kernelModules = [];
   boot.extraModulePackages = [];

options/custom/containers/actualbudget.nix

@@ -12,18 +12,14 @@ in {
     #?? arion-actualbudget pull
     environment.shellAliases.arion-actualbudget = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.actualbudget.settings.out.dockerComposeYaml}";
 
-    virtualisation.arion.projects.actualbudget = {
+    virtualisation.arion.projects.actualbudget.settings.services = {
-      serviceName = "actualbudget";
+      actualbudget.service = {
-
+        container_name = "actualbudget";
-      settings.services = {
+        image = "actualbudget/actual-server:24.9.0";
-        actualbudget.service = {
+        ports = ["5006:5006"];
-          container_name = "actualbudget";
+        restart = "unless-stopped";
-          image = "actualbudget/actual-server:24.9.0";
+        volumes = ["${config.custom.containers.directory}/actualbudget/data:/data"];
-          ports = ["5006:5006"];
+        # TODO: Set up trusted proxies
-          restart = "unless-stopped";
-          volumes = ["${config.custom.containers.directory}/actualbudget/data:/data"];
-          # TODO: Set up trusted proxies
-        };
       };
     };
   };

options/custom/containers/coturn.nix

@@ -21,21 +21,17 @@ in {
     #?? arion-coturn pull
     environment.shellAliases.arion-coturn = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.coturn.settings.out.dockerComposeYaml}";
 
-    virtualisation.arion.projects.coturn = {
+    virtualisation.arion.projects.coturn.settings.services = {
-      serviceName = "coturn";
+      # https://conduwuit.puppyirl.gay/turn.html
+      coturn.service = {
+        container_name = "coturn";
+        image = "coturn/coturn:4.6";
+        network_mode = "host";
+        restart = "unless-stopped";
 
-      settings.services = {
+        volumes = [
-        # https://conduwuit.puppyirl.gay/turn.html
+          "${config.custom.containers.directory}/coturn/coturn.conf:/etc/coturn/turnserver.conf"
-        coturn.service = {
+        ];
-          container_name = "coturn";
-          image = "coturn/coturn:4.6";
-          network_mode = "host";
-          restart = "unless-stopped";
-
-          volumes = [
-            "${config.custom.containers.directory}/coturn/coturn.conf:/etc/coturn/turnserver.conf"
-          ];
-        };
       };
     };
 

options/custom/containers/forgejo.nix

@@ -24,35 +24,31 @@ in {
 
     networking.firewall.allowedTCPPorts = [22]; # SSH
 
-    virtualisation.arion.projects.forgejo = {
+    virtualisation.arion.projects.forgejo.settings.services = {
-      serviceName = "forgejo";
+      # https://codeberg.org/forgejo/forgejo
+      # https://forgejo.org/docs/latest/admin/
+      #?? docker exec -it forgejo bash
+      #?? sudo -u git forgejo admin user create --username USERNAME --random-password --email EMAIL --admin
+      forgejo.service = {
+        container_name = "forgejo";
+        depends_on = ["db"];
+        env_file = [config.age.secrets."${config.custom.profile}/forgejo/.env".path];
+        image = "codeberg.org/forgejo/forgejo:8";
+        restart = "unless-stopped";
+        volumes = ["${config.custom.containers.directory}/forgejo/data:/data"];
 
-      settings.services = {
+        ports = [
-        # https://codeberg.org/forgejo/forgejo
+          "127.0.0.1:3333:3000"
-        # https://forgejo.org/docs/latest/admin/
+          "22:2222"
-        #?? docker exec -it forgejo bash
+        ];
-        #?? sudo -u git forgejo admin user create --username USERNAME --random-password --email EMAIL --admin
+      };
-        forgejo.service = {
-          container_name = "forgejo";
-          depends_on = ["db"];
-          env_file = [config.age.secrets."${config.custom.profile}/forgejo/.env".path];
-          image = "codeberg.org/forgejo/forgejo:8";
-          restart = "unless-stopped";
-          volumes = ["${config.custom.containers.directory}/forgejo/data:/data"];
 
-          ports = [
+      db.service = {
-            "127.0.0.1:3333:3000"
+        container_name = "forgejo-db";
-            "22:2222"
+        env_file = [config.age.secrets."${config.custom.profile}/forgejo/db.env".path];
-          ];
+        image = "postgres:15";
-        };
+        restart = "unless-stopped";
-
+        volumes = ["${config.custom.containers.directory}/forgejo/db:/var/lib/postgresql/data"];
-        db.service = {
-          container_name = "forgejo-db";
-          env_file = [config.age.secrets."${config.custom.profile}/forgejo/db.env".path];
-          image = "postgres:15";
-          restart = "unless-stopped";
-          volumes = ["${config.custom.containers.directory}/forgejo/db:/var/lib/postgresql/data"];
-        };
       };
     };
   };

options/custom/containers/foundryvtt.nix

@@ -21,18 +21,14 @@ in {
     #?? arion-foundryvtt pull
     environment.shellAliases.arion-foundryvtt = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.foundryvtt.settings.out.dockerComposeYaml}";
 
-    virtualisation.arion.projects.foundryvtt = {
+    virtualisation.arion.projects.foundryvtt.settings.services = {
-      serviceName = "foundryvtt";
+      foundryvtt.service = {
-
+        container_name = "foundryvtt";
-      settings.services = {
+        env_file = [config.age.secrets."${config.custom.profile}/foundryvtt/.env".path];
-        foundryvtt.service = {
+        image = "felddy/foundryvtt:12";
-          container_name = "foundryvtt";
+        ports = ["127.0.0.1:30000:30000"];
-          env_file = [config.age.secrets."${config.custom.profile}/foundryvtt/.env".path];
+        restart = "unless-stopped";
-          image = "felddy/foundryvtt:12";
+        volumes = ["${config.custom.containers.directory}/foundryvtt/data:/data"];
-          ports = ["127.0.0.1:30000:30000"];
-          restart = "unless-stopped";
-          volumes = ["${config.custom.containers.directory}/foundryvtt/data:/data"];
-        };
       };
     };
   };

options/custom/containers/headscale.nix

@@ -22,39 +22,35 @@ in {
     #?? arion-headscale pull
     environment.shellAliases.arion-headscale = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.headscale.settings.out.dockerComposeYaml}";
 
-    virtualisation.arion.projects.headscale = {
+    virtualisation.arion.projects.headscale.settings.services = {
-      serviceName = "headscale";
+      # https://headscale.net/
+      # https://github.com/juanfont/headscale
+      # BUG: Does not support generic DoH/DoT
+      # https://github.com/juanfont/headscale/issues/1312
+      headscale.service = {
+        command = "serve";
+        container_name = "headscale";
+        env_file = [config.age.secrets."${config.custom.profile}/headscale/.env".path];
+        image = "headscale/headscale:v0.23.0-beta.4";
+        restart = "unless-stopped";
 
-      settings.services = {
+        ports = [
-        # https://headscale.net/
+          "9999:9999"
-        # https://github.com/juanfont/headscale
+          "9090:9090"
-        # BUG: Does not support generic DoH/DoT
+        ];
-        # https://github.com/juanfont/headscale/issues/1312
-        headscale.service = {
-          command = "serve";
-          container_name = "headscale";
-          env_file = [config.age.secrets."${config.custom.profile}/headscale/.env".path];
-          image = "headscale/headscale:v0.23.0-beta.4";
-          restart = "unless-stopped";
 
-          ports = [
+        volumes = [
-            "9999:9999"
+          "${config.custom.containers.directory}/headscale/config:/etc/headscale"
-            "9090:9090"
+          "${config.custom.containers.directory}/headscale/data:/var/lib/headscale"
-          ];
 
-          volumes = [
+          # Minimum config.yaml
-            "${config.custom.containers.directory}/headscale/config:/etc/headscale"
+          # https://github.com/juanfont/headscale/blob/main/config-example.yaml
-            "${config.custom.containers.directory}/headscale/data:/var/lib/headscale"
+          # https://github.com/juanfont/headscale/blob/main/integration/hsic/config.go
-
+          "${pkgs.writeText "config.yaml" ''
-            # Minimum config.yaml
+            noise:
-            # https://github.com/juanfont/headscale/blob/main/config-example.yaml
+              private_key_path: /var/lib/headscale/noise_private.key
-            # https://github.com/juanfont/headscale/blob/main/integration/hsic/config.go
+          ''}:/etc/headscale/config.yaml"
-            "${pkgs.writeText "config.yaml" ''
+        ];
-              noise:
-                private_key_path: /var/lib/headscale/noise_private.key
-            ''}:/etc/headscale/config.yaml"
-          ];
-        };
       };
     };
   };

options/custom/containers/homeassistant.nix

@@ -12,17 +12,13 @@ in {
     #?? arion-homeassistant pull
     environment.shellAliases.arion-homeassistant = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.homeassistant.settings.out.dockerComposeYaml}";
 
-    virtualisation.arion.projects.homeassistant = {
+    virtualisation.arion.projects.homeassistant.settings.services = {
-      serviceName = "homeassistant";
+      homeassistant.service = {
-
+        container_name = "homeassistant";
-      settings.services = {
+        image = "homeassistant/home-assistant:2024.9.1";
-        homeassistant.service = {
+        ports = ["8123:8123"];
-          container_name = "homeassistant";
+        restart = "unless-stopped";
-          image = "homeassistant/home-assistant:2024.9.1";
+        volumes = ["${config.custom.containers.directory}/homeassistant/config:/config"];
-          ports = ["8123:8123"];
-          restart = "unless-stopped";
-          volumes = ["${config.custom.containers.directory}/homeassistant/config:/config"];
-        };
       };
     };
   };

options/custom/containers/mastodon.nix

@@ -22,40 +22,36 @@ in {
     #?? arion-mastodon pull
     environment.shellAliases.arion-mastodon = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.mastodon.settings.out.dockerComposeYaml}";
 
-    virtualisation.arion.projects.mastodon = {
+    virtualisation.arion.projects.mastodon.settings.services = {
-      serviceName = "mastodon";
+      # https://github.com/linuxserver/docker-mastodon
+      # https://github.com/mastodon/mastodon/blob/main/docker-compose.yml
+      mastodon.service = {
+        container_name = "mastodon";
+        env_file = [config.age.secrets."${config.custom.profile}/mastodon/.env".path];
+        image = "lscr.io/linuxserver/mastodon:4.2.12";
+        ports = ["3000:443"];
+        restart = "unless-stopped";
+        volumes = ["${config.custom.containers.directory}/mastodon/config:/config"];
 
-      settings.services = {
+        depends_on = [
-        # https://github.com/linuxserver/docker-mastodon
+          "cache"
-        # https://github.com/mastodon/mastodon/blob/main/docker-compose.yml
+          "db"
-        mastodon.service = {
+        ];
-          container_name = "mastodon";
+      };
-          env_file = [config.age.secrets."${config.custom.profile}/mastodon/.env".path];
-          image = "lscr.io/linuxserver/mastodon:4.2.12";
-          ports = ["3000:443"];
-          restart = "unless-stopped";
-          volumes = ["${config.custom.containers.directory}/mastodon/config:/config"];
 
-          depends_on = [
+      cache.service = {
-            "cache"
+        container_name = "mastodon-cache";
-            "db"
+        image = "redis:latest";
-          ];
+        restart = "unless-stopped";
-        };
+        volumes = ["${config.custom.containers.directory}/mastodon/cache:/data"];
+      };
 
-        cache.service = {
+      db.service = {
-          container_name = "mastodon-cache";
+        container_name = "mastodon-db";
-          image = "redis:latest";
+        env_file = [config.age.secrets."${config.custom.profile}/mastodon/db.env".path];
-          restart = "unless-stopped";
+        image = "postgres:15";
-          volumes = ["${config.custom.containers.directory}/mastodon/cache:/data"];
+        restart = "unless-stopped";
-        };
+        volumes = ["${config.custom.containers.directory}/mastodon/db:/var/lib/postgresql/data"];
-
-        db.service = {
-          container_name = "mastodon-db";
-          env_file = [config.age.secrets."${config.custom.profile}/mastodon/db.env".path];
-          image = "postgres:15";
-          restart = "unless-stopped";
-          volumes = ["${config.custom.containers.directory}/mastodon/db:/var/lib/postgresql/data"];
-        };
       };
     };
   };

options/custom/containers/netbox/default.nix

@@ -24,63 +24,59 @@ in {
     environment.shellAliases.arion-netbox = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.netbox.settings.out.dockerComposeYaml}";
 
     # https://github.com/netbox-community/netbox-docker
-    virtualisation.arion.projects.netbox = {
+    # https://github.com/netbox-community/netbox-docker/blob/release/docker-compose.yml
-      serviceName = "netbox";
+    virtualisation.arion.projects.netbox.settings.services = let
+      netbox = {
+        container_name = "netbox";
+        depends_on = ["cache" "db"];
+        env_file = [config.age.secrets."${config.custom.profile}/netbox/.env".path];
+        image = "localhost/netbox"; # Built image
+        restart = "unless-stopped";
+        user = "unit:root";
+        volumes = ["${config.custom.containers.directory}/netbox/media:/opt/netbox/netbox/media"];
+      };
+    in {
+      netbox.service =
+        netbox
+        // {
+          ports = ["8585:8080"];
 
-      # https://github.com/netbox-community/netbox-docker/blob/release/docker-compose.yml
+          # https://github.com/netbox-community/netbox-docker/wiki/Using-Netbox-Plugins
-      settings.services = let
+          #!! Context modifications require a rebuild
-        netbox = {
+          #?? arion-netbox build --no-cache
-          container_name = "netbox";
+          build.context = "${./.}";
-          depends_on = ["cache" "db"];
-          env_file = [config.age.secrets."${config.custom.profile}/netbox/.env".path];
-          image = "localhost/netbox"; # Built image
-          restart = "unless-stopped";
-          user = "unit:root";
-          volumes = ["${config.custom.containers.directory}/netbox/media:/opt/netbox/netbox/media"];
-        };
-      in {
-        netbox.service =
-          netbox
-          // {
-            ports = ["8585:8080"];
-
-            # https://github.com/netbox-community/netbox-docker/wiki/Using-Netbox-Plugins
-            #!! Context modifications require a rebuild
-            #?? arion-netbox build --no-cache
-            build.context = "${./.}";
-          };
-
-        housekeeping.service =
-          netbox
-          // {
-            container_name = "netbox-housekeeping";
-            command = ["/opt/netbox/housekeeping.sh"];
-            depends_on = ["netbox"];
-          };
-
-        worker.service =
-          netbox
-          // {
-            container_name = "netbox-worker";
-            command = ["/opt/netbox/venv/bin/python" "/opt/netbox/netbox/manage.py" "rqworker"];
-            depends_on = ["netbox"];
-          };
-
-        cache.service = {
-          container_name = "netbox-cache";
-          command = ["sh" "-c" "valkey-server --requirepass $$REDIS_PASSWORD"];
-          env_file = [config.age.secrets."${config.custom.profile}/netbox/cache.env".path];
-          image = "docker.io/valkey/valkey:8.0";
-          restart = "unless-stopped";
         };
 
-        db.service = {
+      housekeeping.service =
-          container_name = "netbox-db";
+        netbox
-          env_file = [config.age.secrets."${config.custom.profile}/netbox/db.env".path];
+        // {
-          image = "docker.io/postgres:16";
+          container_name = "netbox-housekeeping";
-          restart = "unless-stopped";
+          command = ["/opt/netbox/housekeeping.sh"];
-          volumes = ["${config.custom.containers.directory}/netbox/db:/var/lib/postgresql/data"];
+          depends_on = ["netbox"];
         };
+
+      worker.service =
+        netbox
+        // {
+          container_name = "netbox-worker";
+          command = ["/opt/netbox/venv/bin/python" "/opt/netbox/netbox/manage.py" "rqworker"];
+          depends_on = ["netbox"];
+        };
+
+      cache.service = {
+        container_name = "netbox-cache";
+        command = ["sh" "-c" "valkey-server --requirepass $$REDIS_PASSWORD"];
+        env_file = [config.age.secrets."${config.custom.profile}/netbox/cache.env".path];
+        image = "docker.io/valkey/valkey:8.0";
+        restart = "unless-stopped";
+      };
+
+      db.service = {
+        container_name = "netbox-db";
+        env_file = [config.age.secrets."${config.custom.profile}/netbox/db.env".path];
+        image = "docker.io/postgres:16";
+        restart = "unless-stopped";
+        volumes = ["${config.custom.containers.directory}/netbox/db:/var/lib/postgresql/data"];
       };
     };
 

options/custom/containers/nextcloud.nix

@@ -22,60 +22,56 @@ in {
     #?? arion-nextcloud pull
     environment.shellAliases.arion-nextcloud = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.nextcloud.settings.out.dockerComposeYaml}";
 
-    virtualisation.arion.projects.nextcloud = {
+    virtualisation.arion.projects.nextcloud.settings.services = {
-      serviceName = "nextcloud";
+      # https://github.com/nextcloud/docker
+      nextcloud.service = {
+        container_name = "nextcloud";
+        env_file = [config.age.secrets."${config.custom.profile}/nextcloud/.env".path];
+        image = "nextcloud:29-apache";
+        ports = ["127.0.0.1:8181:80"];
+        restart = "unless-stopped";
 
-      settings.services = {
+        volumes = [
-        # https://github.com/nextcloud/docker
+          "${config.custom.containers.directory}/nextcloud/app:/var/www/html"
-        nextcloud.service = {
+          "${config.custom.containers.directory}/nextcloud/data:/var/www/html/data"
-          container_name = "nextcloud";
+        ];
-          env_file = [config.age.secrets."${config.custom.profile}/nextcloud/.env".path];
-          image = "nextcloud:29-apache";
-          ports = ["127.0.0.1:8181:80"];
-          restart = "unless-stopped";
 
-          volumes = [
+        depends_on = [
-            "${config.custom.containers.directory}/nextcloud/app:/var/www/html"
+          "db"
-            "${config.custom.containers.directory}/nextcloud/data:/var/www/html/data"
+          "cache"
-          ];
+        ];
+      };
 
-          depends_on = [
+      cron.service = {
-            "db"
+        container_name = "nextcloud-cron";
-            "cache"
+        entrypoint = "/cron.sh";
-          ];
+        image = "nextcloud:29-apache";
-        };
+        restart = "unless-stopped";
+        volumes =
+          config.virtualisation.arion.projects.nextcloud.settings.services.nextcloud.service.volumes; # volumes_from
 
-        cron.service = {
+        depends_on = [
-          container_name = "nextcloud-cron";
+          "db"
-          entrypoint = "/cron.sh";
+          "cache"
-          image = "nextcloud:29-apache";
+        ];
-          restart = "unless-stopped";
+      };
-          volumes =
-            config.virtualisation.arion.projects.nextcloud.settings.services.nextcloud.service.volumes; # volumes_from
 
-          depends_on = [
+      cache.service = {
-            "db"
+        container_name = "nextcloud-cache";
-            "cache"
+        image = "redis:latest";
-          ];
+        restart = "unless-stopped";
-        };
+        volumes = ["${config.custom.containers.directory}/nextcloud/cache:/data"];
+      };
 
-        cache.service = {
+      db.service = {
-          container_name = "nextcloud-cache";
+        container_name = "nextcloud-db";
-          image = "redis:latest";
+        env_file = [config.age.secrets."${config.custom.profile}/nextcloud/db.env".path];
-          restart = "unless-stopped";
+        image = "postgres:15";
-          volumes = ["${config.custom.containers.directory}/nextcloud/cache:/data"];
+        restart = "unless-stopped";
-        };
 
-        db.service = {
+        volumes = [
-          container_name = "nextcloud-db";
+          "${config.custom.containers.directory}/nextcloud/db:/var/lib/postgresql/data"
-          env_file = [config.age.secrets."${config.custom.profile}/nextcloud/db.env".path];
+        ];
-          image = "postgres:15";
-          restart = "unless-stopped";
-
-          volumes = [
-            "${config.custom.containers.directory}/nextcloud/db:/var/lib/postgresql/data"
-          ];
-        };
       };
     };
   };

options/custom/containers/redlib.nix

@@ -12,23 +12,19 @@ in {
     #?? arion-redlib pull
     environment.shellAliases.arion-redlib = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.redlib.settings.out.dockerComposeYaml}";
 
-    virtualisation.arion.projects.redlib = {
+    virtualisation.arion.projects.redlib.settings.services = {
-      serviceName = "redlib";
+      redlib.service = {
+        container_name = "redlib";
+        image = "quay.io/redlib/redlib:latest";
+        ports = ["127.0.0.1:8888:8080"];
+        restart = "unless-stopped";
 
-      settings.services = {
+        environment = {
-        redlib.service = {
+          REDLIB_DEFAULT_HIDE_HLS_NOTIFICATION = "on";
-          container_name = "redlib";
+          REDLIB_DEFAULT_SHOW_NSFW = "on";
-          image = "quay.io/redlib/redlib:latest";
+          REDLIB_DEFAULT_THEME = "dracula";
-          ports = ["127.0.0.1:8888:8080"];
+          REDLIB_DEFAULT_USE_HLS = "on";
-          restart = "unless-stopped";
+          REDLIB_DEFAULT_WIDE = "off";
-
-          environment = {
-            REDLIB_DEFAULT_HIDE_HLS_NOTIFICATION = "on";
-            REDLIB_DEFAULT_SHOW_NSFW = "on";
-            REDLIB_DEFAULT_THEME = "dracula";
-            REDLIB_DEFAULT_USE_HLS = "on";
-            REDLIB_DEFAULT_WIDE = "off";
-          };
         };
       };
     };

options/custom/containers/searxng/default.nix

@@ -21,33 +21,29 @@ in {
     #?? arion-searxng pull
     environment.shellAliases.arion-searxng = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.searxng.settings.out.dockerComposeYaml}";
 
-    virtualisation.arion.projects.searxng = {
+    virtualisation.arion.projects.searxng.settings.services = {
-      serviceName = "searxng";
+      # https://github.com/searxng/searxng
+      # https://github.com/searxng/searxng-docker
+      searxng.service = {
+        container_name = "searxng";
+        depends_on = ["cache"];
+        env_file = [config.age.secrets."${config.custom.profile}/searxng/.env".path];
+        image = "searxng/searxng:latest";
+        ports = ["127.0.0.1:8000:8080"];
+        restart = "unless-stopped";
 
-      settings.services = {
+        volumes = [
-        # https://github.com/searxng/searxng
+          "${./limiter.toml}:/etc/searxng/limiter.toml"
-        # https://github.com/searxng/searxng-docker
+          "${./settings.yml}:/etc/searxng/settings.yml"
-        searxng.service = {
+        ];
-          container_name = "searxng";
+      };
-          depends_on = ["cache"];
-          env_file = [config.age.secrets."${config.custom.profile}/searxng/.env".path];
-          image = "searxng/searxng:latest";
-          ports = ["127.0.0.1:8000:8080"];
-          restart = "unless-stopped";
 
-          volumes = [
+      # https://github.com/valkey-io/valkey
-            "${./limiter.toml}:/etc/searxng/limiter.toml"
+      cache.service = {
-            "${./settings.yml}:/etc/searxng/settings.yml"
+        command = "valkey-server --save 60 1 --loglevel warning";
-          ];
+        container_name = "searxng-cache";
-        };
+        image = "valkey/valkey:7-alpine";
-
+        restart = "unless-stopped";
-        # https://github.com/valkey-io/valkey
-        cache.service = {
-          command = "valkey-server --save 60 1 --loglevel warning";
-          container_name = "searxng-cache";
-          image = "valkey/valkey:7-alpine";
-          restart = "unless-stopped";
-        };
       };
     };
   };

options/custom/desktops/hyprland/settings.nix

@@ -139,7 +139,7 @@ in {
         "col.border_inactive" = "rgba(6c71c440)";
         "col.border_locked_active" = "rgb(d33682)";
         "col.border_locked_inactive" = "rgba(d3368240)";
-        auto_group = false;
+        #// auto_group = false;
         insert_after_current = false;
 
         # https://wiki.hyprland.org/Configuring/Variables/#groupbar

options/custom/programs/fish.nix

@@ -47,19 +47,25 @@ in {
           poweroff = "systemctl poweroff";
           shutdown = "systemctl poweroff";
 
-          backup = "borgmatic -v 1 create --progress --stats";
-          extract = "borgmatic -v 1 extract --progress";
-          init = "borgmatic init -e repokey-blake2";
-          key = "borgmatic key export";
-          list = "borgmatic -v 1 list";
-          restore = "borgmatic -v 1 restore";
-
           rsync = "rsync --info progress2";
 
           a = "adb";
           as = "adb shell";
           asa = "adb shell sh /sdcard/Android/data/com.llamalab.automate/cache/start.sh"; # Automate
 
+          b = "sudo borgmatic";
+          bb = "sudo borgmatic borg";
+          bc = "sudo borgmatic create --progress --stats";
+          be = "sudo borgmatic extract --progress";
+          bi = "sudo borgmatic init -e repokey-blake2";
+          bk = "sudo borgmatic key export";
+          bl = "sudo borgmatic list";
+          bm = "sudo borgmatic mount";
+          brl = "sudo borgmatic rlist";
+          br = "sudo borgmatic restore";
+          bt = "sudo borgmatic export-tar";
+          bu = "sudo borgmatic unmount";
+
           c = "clear";
           e = "exit";
           m = "mosh";

options/custom/services/borgmatic.nix

@@ -28,6 +28,7 @@ in {
 
       # https://torsion.org/borgmatic/docs/reference/configuration/
       settings = {
+        archive_name_format = "{now:%Y-%m-%d %H:%M:%S}"; # Remove hostname
         keep_daily = 7;
         keep_weekly = 4;
         keep_monthly = 1;
@@ -36,9 +37,7 @@ in {
         retry_wait = 60; # Additive seconds per retry
         compression = "auto,zstd"; # Use heuristics to decide whether to compress with zstd
         ssh_command = "ssh -i /etc/ssh/id_ed25519"; # !! Imperative key generation
-        encryption_passcommand = "${cat} ${
+        encryption_passcommand = "${cat} ${config.age.secrets."${config.custom.profile}/borgmatic/borgbase".path}";
-          config.age.secrets."${config.custom.profile}/borgmatic/borgbase.${config.custom.hostname}".path
-        }";
         repositories = cfg.repositories;
         source_directories = cfg.sources;
 
@@ -67,7 +66,7 @@ in {
     age.secrets = let
       secret = filename: {file = "${inputs.self}/secrets/${filename}";};
     in {
-      "${config.custom.profile}/borgmatic/borgbase.${config.custom.hostname}" = secret "${config.custom.profile}/borgmatic/borgbase.${config.custom.hostname}";
+      "${config.custom.profile}/borgmatic/borgbase" = secret "${config.custom.profile}/borgmatic/borgbase";
     };
   };
 }

secrets/common/tailscale/tailnet

@@ -1,17 +1,17 @@
 age-encryption.org/v1
--> ssh-ed25519 8E6j8Q WGq0X/29cBDG5XKrof9ZThTBP54wgYtNtWliauTZeBI
+-> ssh-ed25519 8E6j8Q jf86WwxzbtdGcWk7aZvGwKsAzQEwR1kQHTpvnwEEh3w
-Fq2goKdemSN0wp73esjvOEPpEMksPPw5JcytAxLaxZ8
+JVYBOissoLVPXxttNS6Wd0n3XWTkdg9KR/rh6Bmy9lw
--> ssh-ed25519 sfxzoQ mxciiI6swnkbLCdkdIUpF7g9xlEUhB0Ve/1CdBkXLFc
+-> ssh-ed25519 sfxzoQ aAEc8GQ5IM6PAwuhbPCOCBGVdKBNgXgMpZ+bNipTowQ
-cdl7iV8alMwxmZf843YO/ZDLlTFD+Ek0ZYdLoj2QqlY
+CkCMmXWvAE+kfEQBSMjjznIXP/OPq+E9kxW/5Tx6YG0
--> ssh-ed25519 BIBw2w esktLODxdL2EEoQdnt0QKkTCI7bORLXBITALvLnLeyA
+-> ssh-ed25519 BIBw2w YhiwU8G6gOx0bLz18zgxXQVra5WnQzlJgZ03bN5UHVc
-gMKxLYZdZjmTxvxaRX+TJtnzDTK4olx7UJDWYSLmVbA
+yr/M74vXLniDTWpkOy48vm7mINAx2IKmdOUBxe9oQWU
--> ssh-ed25519 g5GcDQ wO5BFahsUBF840ht5wGY3hgMqiMLeYvEX9LBFKeUKQI
+-> ssh-ed25519 g5GcDQ 2EuPbnU9TKMjuoh+FAOTz7x2GfpiEm0tYN7KFsjTVUs
-+Z5xCTbzh6BjWWiCO+VrKNAHau7an2sSKyg3WRN8yJ8
+TTmx3iI71xufizHxG0Xep0WUtq3TAqZzjstLtJ2umbM
--> ssh-ed25519 T/dATA 2Bu6U1h0dS2yBj2V4Rl5Jjt0Rj0pjPjMWZpZBx7RESg
+-> ssh-ed25519 T/dATA X6nel+VewJUwY1YpmQvCywHtWUItMkG+XFOFoLKay04
-QRs/+Te7pJNw6HSHkVwVBF2wlzAqwKoR5iyOyiS/PvI
+wdqsygZlAky9hyZEP5UikpU9zpEMLYuuCXL0a8IAoxk
--> ssh-ed25519 kMNckw 7kk/Tp/8iigFhtmcfXBXgm91opyROVLmKwUUHnMWHHE
+-> ssh-ed25519 kMNckw BuhVZ80+Eq4DgnlZfdeIAL0BXzIjNwrLkxkbrNYDpFI
-mjj+LnMPBruu54RBTRikQVQz1WcIH4k4AhsIqWmtTX0
+Cndu2tG4fVFfWdtjPu+aQ1xD3r72lwOY+pfYu6MZjXY
--> ssh-ed25519 fEyKPw VnvJSr8LxV1HVq7a2U48GWQhxap0+x009Ys0k1+h1nU
+-> ssh-ed25519 iw6hqg 5Bq9VBMvp+n/qub83UbfflqCPPtqIELBb88wcicjxlY
-y6n3JJ8ZR741sktuAlwB1x1D1SooyHGdHHt1d8IntxU
+ApYy2SV4GDj+MYiYknNlsan59kLkrXO+pHnEva15yTg
---- y++IobSFLj4gcElykU/W7r2sZ0hQHYThL8P5Cr8l/PY
+--- C0yOWLx18EbGVTRY/RVYltyN3MXJUM5kfMoznhX0ivo
-ä~ŠšSÓEøœˆ7yO–GKÖ¸OZ:¿YjaMOÔÉ+ÃσC—ìçìr\<5C>½89ÈÃ
+Ü™gfS"Dúè;%rÒû;`8jMðŒì¸<C3AC>°×óˆ$±ÿBÛµÕÎN6F<46>K`GÒ"Œ

secrets/console/users/myned.pass

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 8E6j8Q Zc51Xq32k0zcLmBhf5U5uVE0ueFlVuoJlX+F8svMcWg
+-> ssh-ed25519 8E6j8Q uk25wbJOQFIE9f4AywO4sqDuclyW0Oc33hZvwspHMCg
-CwqIxWhp8Zktv0Psco5MwIUSHWb9gQvZoOFXAEGooVM
+DHxrfnGl/FTaJtBckp7f5PA790JT8uNAUzEtDSVufos
--> ssh-ed25519 sfxzoQ 95lEiu7+r9CLCitBQXmv5WTHiTvao61M8Sby1ygcASU
+-> ssh-ed25519 sfxzoQ uH3I+U44vTOqT3hCtgoZrLf1dRYxqc4ZdwfGie86fl4
-LYxDnOJP82Wtl90UTVHBu7Lw9ix4UXwXvRH2OGI0hes
+0FunAhyMgQ8WFq2yBFao6/OlvE6Bi5yz8m+9mG5n83A
--> ssh-ed25519 BIBw2w Y9dXk85Sc24I7wawvdMi+bcmok/4QdWU7NUmlUsUAyc
+-> ssh-ed25519 BIBw2w 7rWsYtFJXcWQetR9OoCbyt0G5N6mLkrQqFBBbPEYQGc
-7E6aP4mArfaAUhwaxTtzMkrMs6BnmZFCvSRniyVoXdw
+/BYRlIRlp8l3CpWcexuiNvdIXxN0yyvwOio2YlNLcR0
---- 6mnfJ4QZOBDTsVB82dCn8eNEYiwLEX09AjV/a9XAP9o
+--- 3y/ivVt0wshO9v8K3NF8Acluzm3vnHkqU9LTxGW5GGk
-B娵亂鵺s<0C>ﾏ昇ﾏﾆﾉ<EFBE86><EFBE89><EFBFBD>ｵﾎqkU呱ｱM:<3A><>頂ﾑﾇﾅｵ鮻Zﾓﾚ8ｸﾒ1(ﾑ炅G<E78285>ﾜ與x<E88887><78>`Eﾌﾜ､ﾍ
u[3|qﾆb夘嫋$5､ﾉ<EFBDA4>瓢 蹼ﾇgV{
+ÛGè&<26><>¿hÇ#CêHAÙµ^PÓ$%=
<w÷"pó{ÑÙr,ÖmùzøR–¡ÈòWˆÍ(ÂN°ç†oήBò$N7<4E>¦pnN€³#úã—$çë<C3A7>Ák-æBp´±e
òuP£³Æ

secrets/desktop/bitwarden/client_secret

@@ -1,11 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 8E6j8Q jBMO/99RuISehUyoCcwpTDhHCuJU0ZVZF9lCzBUtg2Q
+-> ssh-ed25519 8E6j8Q 9/XAEOswfZGdcOq/37Q8fl2my6A1Z3pEIBImd5q5AiI
-QAciLwMDMmwd3SWHB0jJ3SK7Li1Bj0pGE/12QkCAN0Q
+8E1c0DX7Fo6PP26bK0aSTlgfyz5r6Q6eK/7wAHnUn7U
--> ssh-ed25519 sfxzoQ ogDXW6qb8L9QWI5Tmi68lU27jfVDE7qr8yF6DIvPmBs
+-> ssh-ed25519 sfxzoQ HLEkfZXE4QzO0Sx6rYNMQUoRnWFlIQADT/rVC1/uUyI
-nUDmMhpdd1or4HA2gRUV5iCoEg15Cem5ehDMZOIGbyA
+NpxDrNjyxgiH1swH5eN6CVzZcQ62JcOaA3EvSVMbrVM
--> ssh-ed25519 g5GcDQ YQJinIC0YUUiNWXRhO81zCOXLUVow29xZI8HDBPaaW4
+-> ssh-ed25519 g5GcDQ 7DdGJYaIWWg/mdBAC3kI2aAqQS9quh3mNKXnZp+6ZwE
-b9KLU7v7IzPXsxUdQw/1737HUFa8YFMgFfibjqKh1Y0
+aExbAbXII0LlglI2ZD02TVCX/bwNpz2E5HvcWFWxhy8
--> ssh-ed25519 T/dATA txfGP3naVimrtPzyOQDf3cA/4Z1bImJoLQlqTJPlzV4
+-> ssh-ed25519 T/dATA rNE4kD0otSqx3Ep5ldk7k/kkZKFvFYDQ7lEunN98SmI
-tGnr0/p/KH1rXZfz/9MSY6RN0XTeslnf7eg6ShsF0Hc
+4vhzKswHh7cIa5SAiHR1aRxjZKroboeFey/9TDmKFhM
---- fMp/+rsSmJ9dh7eMagN6v7snjiWZq/jInVeyWz++kaw
+--- naSlgfkmreMLriRJTiAlzdG9og5s43LQ8MV3bCPGh5E
-hø ÙºŠõúÓ	‘Ö±vÁâH%x“úóâxÝöô–F“PåXúÔƒ$o#R`‘¢¯ŒL)ÉGWyÏv|bs
+|<7C>Bb4Ûjˆ<04>Ю‡ÒáDÕCœq‚¯HþïKâ
Àµ¡<C2B5>$<24>VŽ”ܶ@ƒ<àúëq|5Â.Å^)4@ÚÕ

secrets/sbc/create_ap/ssid

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 8E6j8Q eBSAWepYbY3v6gvrkkPFAkWItSsNI0KMU7XUp6omTmw
+-> ssh-ed25519 8E6j8Q qdM2Rf/PoHS7Zs0LpQAEr5pEc4G9jHGZUDzEBc/e9yY
-jhFiBIQUCTxMP6A349SjOe7shr1g8uDgfLnwS0KoTQ8
+oDn74ckYbNIt6iv+dqoSppYQlOI/X4RrfPbjvBtXYMw
--> ssh-ed25519 sfxzoQ NniUfTChtIN6hYjn9nyU5hDoO0er8OgJI8qbtgXJdR0
+-> ssh-ed25519 sfxzoQ KDtcQO1AR/Kr18LlCM3sge2oF6FkAV2lEwTjvscXOT8
-/ZIcwDpoRVE7HckWyUBNttE4fxsDUuHCoL0IAri2IY4
+nc+fjbMsCttZNLZlWmu+sAGWPMl1Swbn8BBGDrz9NqE
--> ssh-ed25519 kMNckw Wgkk6woUFGbIsQ+4GmO4IYouyROKWCgYJpZyQNMFihA
+-> ssh-ed25519 kMNckw KfIViI1UpHmQ3Eniak+9TavQ5xRbhJj8qaiQE0UYXlY
-BOfBxs5xrPyIum+YxvXGq0CK+9HMzgxdbECzZ75F6qo
+tCejs74W4GTdCt3miKQgs9zRblfxm212tS0068z95n8
---- ByHALf89ealwBGs6w9Rv4ku+UHPLbY5wJLuCIZpCRbU
+--- VZHPcNr19f9Mk+VJUlGmF/BFAEzPBWBQa0Iff5CqEhU
-”K@°Ñü(Ò‘£N ".¿cÔA†§"é 
 †S=†kA­ËèºÁÃ
+â<ü8V»Hln!
Ro%WÌG_£°D†M=*¾‘%O/

secrets/sbc/users/myned.pass

@@ -1,11 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 8E6j8Q w8WUcoqRugI5GwFzcwDCiTZJBeBk5naaw/inEKQwHTk
+-> ssh-ed25519 8E6j8Q bA32ozwutXBQ/2H3m7at9O/Gfsmu3dmJZbhkxPrOCDA
-p7ZuZMrDqBzFGtrFzgg8F1n3/a3VrFrmOUoyK+4StIA
+eoWFyVDzxxFrk2xhz0fIyb1u8ZGE1o8+Wb8kisIJVic
--> ssh-ed25519 sfxzoQ xuzuP3FcwA5nWKt2CDk/DVTzEazS3zp+XNZA19eqWGE
+-> ssh-ed25519 sfxzoQ So4pMhmq1rBbLbZ5TdVj5ABgPNLWFFMsOLaPhhasdEY
-7OeF2pZVrPgXgqEGsndwDyAuLHtI+EX2VnUVT5NnF4c
+82HhkzHtE6yHEIlEtXQClThNEKiDVAby0tdCVWJe5tQ
--> ssh-ed25519 kMNckw RYoe/cBKTCYil/4dsES4r0nOrJxaO9XbMbYiazoOeSI
+-> ssh-ed25519 kMNckw mOIazN7a5pJ7/z+vnoHMX1M1rk3sFc1Oh2QXRsvjIz8
-T5t9/SGZmKZbo6B0pprh/aNpFM20ZryysibshkJbnxE
+MrtznSiAbVLf5ZwhNMurfVBbTS4l5rMheluGQx6srSQ
---- veqh4r1ODD6xTPjHE3BZSJJqmEcYVs8VhqTlRcH12lg
+--- HUHnLJ99Igkz9CzZM3vX1LrbgcZYioEr+Spdq3Mstsw
-ÒÐ?}Ÿ"ÉÐÿeØýo<C3BD><<ý¢9‡UŠGE’JŒÃ®¦º8ÂÕ<05>#];>«fŒõz®R
+1ˆÎy}-ÜLáÉt
-1ã’ªÀü.Ï»õ¹|§óÜ=û¦aèÉ<03>g
+û‚[/(r"›Ç„]°ïú7‹"ÿ03<07>)UÐ1uà(¬+Uï\»õ¾`J
-1öyÛlº£±çO·³ñP
+gÓ’ð‰~A»<41>_…­‡WÛþŽ%5Š˜ŽxlBýÆWÚ}“ž”í%Zú¥Å+

secrets/secrets.nix

@@ -29,7 +29,7 @@ let
   ];
 
   servers = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDPlG7FWZ5Us4Ix5fGMHn2DJU1/ma/7kQu39cPKKQMXJ root@myarm"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAgrWvzp14Vj+aMd3b9w6e3/xbkHfNZoswsAg9QtUcDc root@myne"
   ];
 
   common = users ++ consoles ++ desktops ++ sbcs ++ servers;
@@ -65,7 +65,7 @@ in {
   "sbc/users/root.pass".publicKeys = sbc;
 
   ### Server
-  "server/borgmatic/borgbase.myarm".publicKeys = server;
+  "server/borgmatic/borgbase".publicKeys = server;
   "server/caddy/Caddyfile".publicKeys = server;
   "server/coturn/coturn.conf".publicKeys = server;
   "server/forgejo/.env".publicKeys = server;

secrets/server/borgmatic/borgbase.myarm

@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 8E6j8Q xrvbTgTwyUl3TMj2FqjHXU8BD/Vdv3m6neBHvUHenkA
-fkqOe06bUTi1oPkwdK+MoQpG+u0/g098EppsvgSZPNE
--> ssh-ed25519 sfxzoQ bLqMGk0GecuAPzvT6DdXQPTZvTGNwOuHeTYCI4wqiVs
-w/CfmvGZipntpLcNEh8cQ5q1QjRc/mcYZhq+5Wdmrk4
--> ssh-ed25519 fEyKPw KXgvkZSllT7L1AQY0SV15mKLks+vKyrh7fwiAg7sFF0
-iXaZ7/rzCluo2acEfk66lFvlapazhDHM8Roq+uOr6Es
---- Vj2nOYtxOlo9a9gJt75P1TVVLzmhPT5Ko7N5M31/YXA
-€F°&ÅRÚ½°•^x]Í6¡¬þ‘
-žÕVÜE—$£‹Ó½ –4¸]•Iè6Ô
-…

secrets/server/mastodon/db.env

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 8E6j8Q MsoA/cBAVEWTzonfCmI/66Oi8S/47AZtUEQlmAORdgo
+-> ssh-ed25519 8E6j8Q IUSkESGcFyING6GSrQlpQSYcJJ9aAjeB4Dtp1jxAzV4
-NVPWxOV4cXRIxQXtkpwPEMvy2aDc7DVr7ApNE6viarY
+Mphi9EZNZRRDr0JRvRQw/YDVvqCujonnH6hVhD1m+HQ
--> ssh-ed25519 sfxzoQ juVgUyBHUKT5tb1ZfzuZpij9I4AkscZQq7WsdVDZYE0
+-> ssh-ed25519 sfxzoQ YCNUpEeRyODxDEOB3IRiyCJHqFSxC4DOJSRyvKChpXQ
-5eDZjmkzJTOqKlvqVr6xDg16R7cd1E3W8DwwaRqnvHw
+IG0RBLuphWgQD37wYQPRcZuw/1V4xRRL2C6WJwNosbY
--> ssh-ed25519 fEyKPw BlNMN0xeAKYqxYxwB2XTgg9qLZNVajd32HL/kgqZq1Q
+-> ssh-ed25519 iw6hqg 28e2FqcU4qmpzCpef6vOearGv/v2pLAIEl8rKxPoJDA
-045aAtmM83csNCpNI0NgpnjsaA94fXFBN7iAM/iGwHU
+4X7MKOFfS0w5Gwz5Sahvl2wevmI5TBA2JJptHDoip3o
---- S5m6cti6BKq8xm9iED6Vemdw8IX97g/5wOYrVsFo6Vw
+--- tBaFFYRxG+rxgptY0Ud3baYuQAq8EKAZ60+s5Pj/Isg
-=Ôë<11>áyÅæBXq:XÎjá:«ÿã%q
P‡
<0A>JYOyújm|Ä<0F>"~®u<<3C>‰e£«yð#m“j:5¨!ˆA×W/ÑC¾É‡`l³OÃs“59®DÝçWÍQG³ãžS¬¤ÖÓkÝ
+y>-Š>ôN€Ê—;ýÆ	2îå°E­_H‰Õîús@ðº´_z‡Õ¢~¦âNÀÃoËÔ_T±>“MÜb¤0ט¨„ñ<E2809E>Ì!Ä ¼7ˆ;;ëö€w:¥ç5äÏøÿ¨ìÖ­3Ò±Àš!

secrets/server/users/myned.pass

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 8E6j8Q gXAQbeuawSxnJ1kH55dABXygbh/xtjoAdpBCGgeNck8
+-> ssh-ed25519 8E6j8Q t+N18Bvdi6ifpBh6WVAzwmq/NZuNWQFe2sUAqa0PFhA
-EfUQ4m+C6kJ7RyajNQN5/nA56WW6fEarTUjRj1O1018
+bDPDSPENggEkfGTDqBgmP6a/7ZtOvoC3dAsbR9Iumcg
--> ssh-ed25519 sfxzoQ PqVDfFVuRkURQvPc2ycnnU591geuK1FSi4WU6nVQKFQ
+-> ssh-ed25519 sfxzoQ QpOw4kgXb6qPk/ZjRqb5rNZKn/doJUSfYuKeauiZKFs
-q9ZALua6toEt3QfRrr+WEd2DkyNg0lKRf398BBMqey0
+SiYN8xRLPcyOalJ4Aw1MTtq8UoJGBDxCdRjJ4R34afU
--> ssh-ed25519 fEyKPw 91E+SqBUNOJ75TrFEggr0nIWg2pMuZgWiSqh4//Y/jk
+-> ssh-ed25519 iw6hqg 1VUUszNoSU6VCPG7MtEPgriTLvBHL36HKhJskzSOgWI
-yWC5XfUa/UCijo+Dm/9yKnoPoA+HSieHJMc38zYEZHI
+sI8P4v2VJyqEdm1mmmcV6zak+a0vfFZnOnH2s8i2za8
---- wtARYv4Q4nvS36EX4HtQzwX4grgPw1J84Ljvg48Bv0c
+--- +9nCRrInPL79KWQeb1NPjETyQ/8JcsOV4MamsEO10uQ
-¢¯Û-.Xæ<58>|¦½ÑX~¢ºÅ!©ºn„ž8rZŸÔ³3Wë- <20>×щh<E280B0>ó0
¨K1Iæ¥\„ÞÎ.ŠŽ]¢‚º±Ô^XÑÙëm´ÞÔþUiq®jO®…w<Ï°HÑ
<óöí«Z¾2¯
+Ëu,d<>Ěť¸aÂ9b#*í
0´|m]věvßÄáúÝ—ÉáHJo‚>U⤑×H‰{.><1C>üł‹9ź¤u^7ä蝀e,§·pTg˙…·ÜV©ôłĆbeĐçŘűřůH<óĚ&F@Ô$fv

secrets/server/users/root.pass

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 8E6j8Q 3wQ9vi56qeTLVAn0CrnMNbU9fMb8m6JEK0Y3Y7LAtnc
+-> ssh-ed25519 8E6j8Q 52z13TdgikuW8OSLj5V2k82rLd/JPgmcP+TJdhcw5XA
-KMtukbBQvOuec9CnWjFlNmBFju+i1Yr+BA86wl5G+HQ
+KT07+bT6LqL//7+qe5MjGg4shxmxTlG25VyG8BOx4eo
--> ssh-ed25519 sfxzoQ j+QkWOeBHSkwvxwFefpG3mKZbpy/rE0WRP9ZCyIWfQM
+-> ssh-ed25519 sfxzoQ DSjiWUc/fJWxPRw/DDn91kzLBa98Xv9/4vXFA7LmFhE
-nMGvr3aivDlqRg/NFSwzlFBUxehuSTzLZdpbWhiOAEA
++ynfjS70e6ZM7cN7w7WZs0db8Wr3hpDaU1LXL2GAXqA
--> ssh-ed25519 fEyKPw eTGlDsXmDKuHG4/wu5UPz/MKTQ+dF1XzKSlEIrjxAU8
+-> ssh-ed25519 iw6hqg cMKqC5xWs81i3ClGZjv3w8TXOq1mhcHVb8kn4/NFFTk
-zy73tdCmomqVjGu8iG1Pa/6XA4R5U5g4TRRVV5GFnrc
+VNO7raXst/0wZCTL1T0nHX/hVdVSp2+3mB2+4fHQ4kw
---- eK8BlTPjlQIZB7j7TiuUJJFkiLHNFnQqRDRzklc/bCk
+--- EyslIKZFTtI2hgoWVk8XPWSueMHYlnzCtFV9NkmlrKg
-<EFBFBD>ÞËï"öβàãÕ%Õæ§À‚Üf4ß,_{T…»œÌDšiˆž³óËr¬¼Í\Â<>®.wDxeU¨ŒÐAX6ç5öfªÜ-:_Nã„Z3§LxéªeUpÝØÿî¨îóÀÇŠC\ïÜÏrÉÙÛ†ƒ
+Òú”!}F9’Q
+‚Æäé¤Ó¢—ul7ðX²úZ¤Õç-’ØÉ¡@žšá©ž_ý4’®¾8.™ÎþE‹tì¡[žÇ˜TþË&(ûÛ<C3BB>eÂñ;å»Ó6j
+<EFBFBD>z<EFBFBD>3¨«TW ;¶Ÿ©P¨Î»ÙDzÁ×