agenix: rekey secrets

Signed-off-by: Myned <dev@bjork.tech>
borgmatic: force archive name format
2024-10-08 21:31:51 -05:00 · 2024-10-08 21:31:33 -05:00 · 2024-10-08 21:31:09 -05:00 · 2024-10-08 21:30:49 -05:00 · 2024-10-08 21:28:14 -05:00 · 2024-10-08 18:23:50 -05:00
53 changed files with 440 additions and 436 deletions
--- a/README.md
+++ b/README.md
@ -8,9 +8,9 @@

 1. Clone this repository

-   ```sh
-   git clone https://github.com/Myned/nixos
-   ```
+```sh
+git clone https://github.com/myned/nixos
+```

 2. Enable [Flakes](https://wiki.nixos.org/wiki/Flakes)

@ -18,59 +18,75 @@

 4. Create machine-specific modules in `machines/MACHINE/`

-   b. Machine configuration and hostname in `default.nix`
+a. Machine configuration and hostname in `default.nix`

-   ```nix
-   { custom.hostname = "MACHINE"; }
-   ```
+```nix
+{ custom.hostname = "MACHINE"; }
+```

-   c. [Disko](https://github.com/nix-community/disko) layout in `disko.nix`
+b. [Disko](https://github.com/nix-community/disko) layout in `disko.nix`

-   ```sh
-   # Verify /dev identifier on machine
-   lsblk
+```sh
+# Verify /dev identifier on machine
+lsblk

-   # Verify EFI/BIOS firmware on machine
-   [ -d /sys/firmware/efi/efivars ] && echo "UEFI" || echo "BIOS"
-   ```
+# Verify EFI/BIOS firmware on machine
+[ -d /sys/firmware/efi/efivars ] && echo "UEFI" || echo "BIOS"
+```

-   d. Generated hardware configuration in `hardware-configuration.nix`
+c. Generated hardware configuration in `hardware-configuration.nix`

-   ```sh
-   nixos-generate-config --show-hardware-config --no-filesystems --root /mnt
-   ```
+```sh
+nixos-generate-config --show-hardware-config --no-filesystems --root /mnt
+```

 5. Choose profile and add machine-specific modules to `flake.in.nix`

-   ```nix
-   MACHINE = BRANCH [ ./profiles/PROFILE ./machines/MACHINE ];
-   ```
+```nix
+MACHINE = BRANCH "ARCHITECTURE" [ ./profiles/PROFILE ./machines/MACHINE ];
+```

-6. Generate `flake.nix` with [flakegen](https://github.com/jorsn/flakegen)
+6. Generate and lock `flake.nix` with [flakegen](https://github.com/jorsn/flakegen)

-   ```sh
-   git add .
-   nix run .#genflake flake.nix
-   nix flake lock
-   ```
+```sh
+cd nixos
+git add .
+nix run .#genflake flake.nix
+nix flake lock
+```

-7. Copy host public SSH key to root on machine
+7. Generate machine SSH key and rekey agenix secrets with added public key

-   ```sh
-   # On machine
-   sudo passwd root
-   ```
+```sh
+mkdir -p tmp/etc/ssh/
+ssh-keygen -f tmp/etc/ssh/id_ed25519 -N '' -C root@MACHINE
+cd secrets
+agenix -r
+```

-   ```sh
-   # On host
-   ssh-copy-id root@MACHINE
-   ```
+8. Add user SSH key to root authorized_keys on machine

-8. Test and execute [NixOS Anywhere](https://github.com/nix-community/nixos-anywhere)
+```sh
+# On host
+cat ~/.ssh/id_ed25519.pub | wl-copy
+```

-   ```sh
-   nixos-anywhere --vm-test -f .#MACHINE root@IP
-   nixos-anywhere -f .#MACHINE root@IP
-   ```
+```sh
+# On machine
+sudo mkdir /root/.ssh/
+sudo nano /root/.ssh/authorized_keys
+```

-9. Shutdown, detach ISO, and reboot
+9. Execute [NixOS Anywhere](https://github.com/nix-community/nixos-anywhere)
+
+```sh
+nixos-anywhere --extra-files tmp --flake .#MACHINE root@IP
+```
+
+10. Shutdown, detach ISO, and reboot
+
+11. Remove temporary files
+
+```sh
+rm -r tmp
+```
--- a/machines/myarm/default.nix
+++ b/machines/myarm/default.nix
@ -7,9 +7,13 @@
  custom = {
    hostname = "myarm";

-    settings.networking = {
+    settings = {
+      boot.systemd-boot = true;
+
+      networking = {
        static = true;
        ipv6 = "2a01:4f8:c17:321c::1/64";
      };
    };
+  };
 }
--- a/machines/myne/default.nix
+++ b/machines/myne/default.nix
@ -4,5 +4,16 @@
    ./hardware-configuration.nix
  ];

-  custom.hostname = "myne";
+  custom = {
+    hostname = "myne";
+
+    settings = {
+      boot.grub = true;
+
+      networking = {
+        static = true;
+        ipv6 = "2a01:4ff:f0:e193::1/64";
+      };
+    };
+  };
 }
--- a/machines/myne/disko.nix
+++ b/machines/myne/disko.nix
@ -3,7 +3,7 @@
    disk = {
      master = {
        type = "disk";
-        device = "/dev/sda";
+        device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_53186364";
        content = {
          type = "gpt";
          partitions = {
@ -54,7 +54,33 @@

                  "/swap" = {
                    mountpoint = "/swap";
-                    swap.swapfile.size = "8G";
+                    swap.swapfile.size = "4G";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+
+      myvol = {
+        type = "disk";
+        device = "/dev/disk/by-id/scsi-0HC_Volume_101412796";
+        content = {
+          type = "gpt";
+          partitions = {
+            local = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = ["-f"];
+                subvolumes = {
+                  "/local" = {
+                    mountpoint = "/mnt/local";
+                    mountOptions = [
+                      "compress=zstd"
+                      "noatime"
+                    ];
                  };
                };
              };
--- a/machines/myne/hardware-configuration.nix
+++ b/machines/myne/hardware-configuration.nix
@ -8,16 +8,11 @@
  modulesPath,
  ...
 }: {
-  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
-
-  boot.initrd.availableKernelModules = [
-    "ahci"
-    "xhci_pci"
-    "virtio_pci"
-    "virtio_scsi"
-    "sd_mod"
-    "sr_mod"
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
  ];
+
+  boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = [];
  boot.extraModulePackages = [];
--- a/options/custom/containers/actualbudget.nix
+++ b/options/custom/containers/actualbudget.nix
@ -12,10 +12,7 @@ in {
    #?? arion-actualbudget pull
    environment.shellAliases.arion-actualbudget = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.actualbudget.settings.out.dockerComposeYaml}";

-    virtualisation.arion.projects.actualbudget = {
-      serviceName = "actualbudget";
-
-      settings.services = {
+    virtualisation.arion.projects.actualbudget.settings.services = {
      actualbudget.service = {
        container_name = "actualbudget";
        image = "actualbudget/actual-server:24.9.0";
@ -26,5 +23,4 @@ in {
      };
    };
  };
-  };
 }
--- a/options/custom/containers/coturn.nix
+++ b/options/custom/containers/coturn.nix
@ -21,10 +21,7 @@ in {
    #?? arion-coturn pull
    environment.shellAliases.arion-coturn = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.coturn.settings.out.dockerComposeYaml}";

-    virtualisation.arion.projects.coturn = {
-      serviceName = "coturn";
-
-      settings.services = {
+    virtualisation.arion.projects.coturn.settings.services = {
      # https://conduwuit.puppyirl.gay/turn.html
      coturn.service = {
        container_name = "coturn";
@ -37,7 +34,6 @@ in {
        ];
      };
    };
-    };

    # TODO: Use nobody:nogroup instead when docker allows changing mount ownership
    # HACK: Copy with global read-only permissions in container directory which is assumed to be locked down
--- a/options/custom/containers/forgejo.nix
+++ b/options/custom/containers/forgejo.nix
@ -24,10 +24,7 @@ in {

    networking.firewall.allowedTCPPorts = [22]; # SSH

-    virtualisation.arion.projects.forgejo = {
-      serviceName = "forgejo";
-
-      settings.services = {
+    virtualisation.arion.projects.forgejo.settings.services = {
      # https://codeberg.org/forgejo/forgejo
      # https://forgejo.org/docs/latest/admin/
      #?? docker exec -it forgejo bash
@ -55,5 +52,4 @@ in {
      };
    };
  };
-  };
 }
--- a/options/custom/containers/foundryvtt.nix
+++ b/options/custom/containers/foundryvtt.nix
@ -21,10 +21,7 @@ in {
    #?? arion-foundryvtt pull
    environment.shellAliases.arion-foundryvtt = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.foundryvtt.settings.out.dockerComposeYaml}";

-    virtualisation.arion.projects.foundryvtt = {
-      serviceName = "foundryvtt";
-
-      settings.services = {
+    virtualisation.arion.projects.foundryvtt.settings.services = {
      foundryvtt.service = {
        container_name = "foundryvtt";
        env_file = [config.age.secrets."${config.custom.profile}/foundryvtt/.env".path];
@ -35,5 +32,4 @@ in {
      };
    };
  };
-  };
 }
--- a/options/custom/containers/headscale.nix
+++ b/options/custom/containers/headscale.nix
@ -22,10 +22,7 @@ in {
    #?? arion-headscale pull
    environment.shellAliases.arion-headscale = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.headscale.settings.out.dockerComposeYaml}";

-    virtualisation.arion.projects.headscale = {
-      serviceName = "headscale";
-
-      settings.services = {
+    virtualisation.arion.projects.headscale.settings.services = {
      # https://headscale.net/
      # https://github.com/juanfont/headscale
      # BUG: Does not support generic DoH/DoT
@ -57,5 +54,4 @@ in {
      };
    };
  };
-  };
 }
--- a/options/custom/containers/homeassistant.nix
+++ b/options/custom/containers/homeassistant.nix
@ -12,10 +12,7 @@ in {
    #?? arion-homeassistant pull
    environment.shellAliases.arion-homeassistant = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.homeassistant.settings.out.dockerComposeYaml}";

-    virtualisation.arion.projects.homeassistant = {
-      serviceName = "homeassistant";
-
-      settings.services = {
+    virtualisation.arion.projects.homeassistant.settings.services = {
      homeassistant.service = {
        container_name = "homeassistant";
        image = "homeassistant/home-assistant:2024.9.1";
@ -25,5 +22,4 @@ in {
      };
    };
  };
-  };
 }
--- a/options/custom/containers/mastodon.nix
+++ b/options/custom/containers/mastodon.nix
@ -22,10 +22,7 @@ in {
    #?? arion-mastodon pull
    environment.shellAliases.arion-mastodon = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.mastodon.settings.out.dockerComposeYaml}";

-    virtualisation.arion.projects.mastodon = {
-      serviceName = "mastodon";
-
-      settings.services = {
+    virtualisation.arion.projects.mastodon.settings.services = {
      # https://github.com/linuxserver/docker-mastodon
      # https://github.com/mastodon/mastodon/blob/main/docker-compose.yml
      mastodon.service = {
@ -58,5 +55,4 @@ in {
      };
    };
  };
-  };
 }
--- a/options/custom/containers/netbox/default.nix
+++ b/options/custom/containers/netbox/default.nix
@ -24,11 +24,8 @@ in {
    environment.shellAliases.arion-netbox = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.netbox.settings.out.dockerComposeYaml}";

    # https://github.com/netbox-community/netbox-docker
-    virtualisation.arion.projects.netbox = {
-      serviceName = "netbox";
-
    # https://github.com/netbox-community/netbox-docker/blob/release/docker-compose.yml
-      settings.services = let
+    virtualisation.arion.projects.netbox.settings.services = let
      netbox = {
        container_name = "netbox";
        depends_on = ["cache" "db"];
@ -82,7 +79,6 @@ in {
        volumes = ["${config.custom.containers.directory}/netbox/db:/var/lib/postgresql/data"];
      };
    };
-    };

    #!! Required for correct volume permissions
    systemd.tmpfiles.rules = ["z ${config.custom.containers.directory}/netbox/media 0770 999 root"]; # unit:root
--- a/options/custom/containers/nextcloud.nix
+++ b/options/custom/containers/nextcloud.nix
@ -22,10 +22,7 @@ in {
    #?? arion-nextcloud pull
    environment.shellAliases.arion-nextcloud = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.nextcloud.settings.out.dockerComposeYaml}";

-    virtualisation.arion.projects.nextcloud = {
-      serviceName = "nextcloud";
-
-      settings.services = {
+    virtualisation.arion.projects.nextcloud.settings.services = {
      # https://github.com/nextcloud/docker
      nextcloud.service = {
        container_name = "nextcloud";
@ -78,5 +75,4 @@ in {
      };
    };
  };
-  };
 }
--- a/options/custom/containers/redlib.nix
+++ b/options/custom/containers/redlib.nix
@ -12,10 +12,7 @@ in {
    #?? arion-redlib pull
    environment.shellAliases.arion-redlib = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.redlib.settings.out.dockerComposeYaml}";

-    virtualisation.arion.projects.redlib = {
-      serviceName = "redlib";
-
-      settings.services = {
+    virtualisation.arion.projects.redlib.settings.services = {
      redlib.service = {
        container_name = "redlib";
        image = "quay.io/redlib/redlib:latest";
@ -32,5 +29,4 @@ in {
      };
    };
  };
-  };
 }
--- a/options/custom/containers/searxng/default.nix
+++ b/options/custom/containers/searxng/default.nix
@ -21,10 +21,7 @@ in {
    #?? arion-searxng pull
    environment.shellAliases.arion-searxng = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.searxng.settings.out.dockerComposeYaml}";

-    virtualisation.arion.projects.searxng = {
-      serviceName = "searxng";
-
-      settings.services = {
+    virtualisation.arion.projects.searxng.settings.services = {
      # https://github.com/searxng/searxng
      # https://github.com/searxng/searxng-docker
      searxng.service = {
@ -50,5 +47,4 @@ in {
      };
    };
  };
-  };
 }
--- a/options/custom/desktops/hyprland/settings.nix
+++ b/options/custom/desktops/hyprland/settings.nix
@ -139,7 +139,7 @@ in {
        "col.border_inactive" = "rgba(6c71c440)";
        "col.border_locked_active" = "rgb(d33682)";
        "col.border_locked_inactive" = "rgba(d3368240)";
-        auto_group = false;
+        #// auto_group = false;
        insert_after_current = false;

        # https://wiki.hyprland.org/Configuring/Variables/#groupbar
--- a/options/custom/programs/fish.nix
+++ b/options/custom/programs/fish.nix
@ -47,19 +47,25 @@ in {
          poweroff = "systemctl poweroff";
          shutdown = "systemctl poweroff";

-          backup = "borgmatic -v 1 create --progress --stats";
-          extract = "borgmatic -v 1 extract --progress";
-          init = "borgmatic init -e repokey-blake2";
-          key = "borgmatic key export";
-          list = "borgmatic -v 1 list";
-          restore = "borgmatic -v 1 restore";
-
          rsync = "rsync --info progress2";

          a = "adb";
          as = "adb shell";
          asa = "adb shell sh /sdcard/Android/data/com.llamalab.automate/cache/start.sh"; # Automate

+          b = "sudo borgmatic";
+          bb = "sudo borgmatic borg";
+          bc = "sudo borgmatic create --progress --stats";
+          be = "sudo borgmatic extract --progress";
+          bi = "sudo borgmatic init -e repokey-blake2";
+          bk = "sudo borgmatic key export";
+          bl = "sudo borgmatic list";
+          bm = "sudo borgmatic mount";
+          brl = "sudo borgmatic rlist";
+          br = "sudo borgmatic restore";
+          bt = "sudo borgmatic export-tar";
+          bu = "sudo borgmatic unmount";
+
          c = "clear";
          e = "exit";
          m = "mosh";
--- a/options/custom/services/borgmatic.nix
+++ b/options/custom/services/borgmatic.nix
@ -28,6 +28,7 @@ in {

      # https://torsion.org/borgmatic/docs/reference/configuration/
      settings = {
+        archive_name_format = "{now:%Y-%m-%d %H:%M:%S}"; # Remove hostname
        keep_daily = 7;
        keep_weekly = 4;
        keep_monthly = 1;
@ -36,9 +37,7 @@ in {
        retry_wait = 60; # Additive seconds per retry
        compression = "auto,zstd"; # Use heuristics to decide whether to compress with zstd
        ssh_command = "ssh -i /etc/ssh/id_ed25519"; # !! Imperative key generation
-        encryption_passcommand = "${cat} ${
-          config.age.secrets."${config.custom.profile}/borgmatic/borgbase.${config.custom.hostname}".path
-        }";
+        encryption_passcommand = "${cat} ${config.age.secrets."${config.custom.profile}/borgmatic/borgbase".path}";
        repositories = cfg.repositories;
        source_directories = cfg.sources;

@ -67,7 +66,7 @@ in {
    age.secrets = let
      secret = filename: {file = "${inputs.self}/secrets/${filename}";};
    in {
-      "${config.custom.profile}/borgmatic/borgbase.${config.custom.hostname}" = secret "${config.custom.profile}/borgmatic/borgbase.${config.custom.hostname}";
+      "${config.custom.profile}/borgmatic/borgbase" = secret "${config.custom.profile}/borgmatic/borgbase";
    };
  };
 }
--- a/secrets/common/geoclue2/geolocation
+++ b/secrets/common/geoclue2/geolocation
--- a/secrets/common/nix/access-tokens.conf
+++ b/secrets/common/nix/access-tokens.conf
--- a/secrets/common/tailscale/tailnet
+++ b/secrets/common/tailscale/tailnet
@ -1,17 +1,17 @@
 age-encryption.org/v1
-> ssh-ed25519 8E6j8Q WGq0X/29cBDG5XKrof9ZThTBP54wgYtNtWliauTZeBI
-Fq2goKdemSN0wp73esjvOEPpEMksPPw5JcytAxLaxZ8
-> ssh-ed25519 sfxzoQ mxciiI6swnkbLCdkdIUpF7g9xlEUhB0Ve/1CdBkXLFc
-cdl7iV8alMwxmZf843YO/ZDLlTFD+Ek0ZYdLoj2QqlY
-> ssh-ed25519 BIBw2w esktLODxdL2EEoQdnt0QKkTCI7bORLXBITALvLnLeyA
-gMKxLYZdZjmTxvxaRX+TJtnzDTK4olx7UJDWYSLmVbA
-> ssh-ed25519 g5GcDQ wO5BFahsUBF840ht5wGY3hgMqiMLeYvEX9LBFKeUKQI
-+Z5xCTbzh6BjWWiCO+VrKNAHau7an2sSKyg3WRN8yJ8
-> ssh-ed25519 T/dATA 2Bu6U1h0dS2yBj2V4Rl5Jjt0Rj0pjPjMWZpZBx7RESg
-QRs/+Te7pJNw6HSHkVwVBF2wlzAqwKoR5iyOyiS/PvI
-> ssh-ed25519 kMNckw 7kk/Tp/8iigFhtmcfXBXgm91opyROVLmKwUUHnMWHHE
-mjj+LnMPBruu54RBTRikQVQz1WcIH4k4AhsIqWmtTX0
-> ssh-ed25519 fEyKPw VnvJSr8LxV1HVq7a2U48GWQhxap0+x009Ys0k1+h1nU
-y6n3JJ8ZR741sktuAlwB1x1D1SooyHGdHHt1d8IntxU
--- y++IobSFLj4gcElykU/W7r2sZ0hQHYThL8P5Cr8l/PY
-ä~ŠšSÓEøœˆ7yO–GKÖ¸OZ:¿YjaMOÔÉ+ÃÏƒC—ìçìr\<5C>½89ÈÃ
+-> ssh-ed25519 8E6j8Q jf86WwxzbtdGcWk7aZvGwKsAzQEwR1kQHTpvnwEEh3w
+JVYBOissoLVPXxttNS6Wd0n3XWTkdg9KR/rh6Bmy9lw
+-> ssh-ed25519 sfxzoQ aAEc8GQ5IM6PAwuhbPCOCBGVdKBNgXgMpZ+bNipTowQ
+CkCMmXWvAE+kfEQBSMjjznIXP/OPq+E9kxW/5Tx6YG0
+-> ssh-ed25519 BIBw2w YhiwU8G6gOx0bLz18zgxXQVra5WnQzlJgZ03bN5UHVc
+yr/M74vXLniDTWpkOy48vm7mINAx2IKmdOUBxe9oQWU
+-> ssh-ed25519 g5GcDQ 2EuPbnU9TKMjuoh+FAOTz7x2GfpiEm0tYN7KFsjTVUs
+TTmx3iI71xufizHxG0Xep0WUtq3TAqZzjstLtJ2umbM
+-> ssh-ed25519 T/dATA X6nel+VewJUwY1YpmQvCywHtWUItMkG+XFOFoLKay04
+wdqsygZlAky9hyZEP5UikpU9zpEMLYuuCXL0a8IAoxk
+-> ssh-ed25519 kMNckw BuhVZ80+Eq4DgnlZfdeIAL0BXzIjNwrLkxkbrNYDpFI
+Cndu2tG4fVFfWdtjPu+aQ1xD3r72lwOY+pfYu6MZjXY
+-> ssh-ed25519 iw6hqg 5Bq9VBMvp+n/qub83UbfflqCPPtqIELBb88wcicjxlY
+ApYy2SV4GDj+MYiYknNlsan59kLkrXO+pHnEva15yTg
+--- C0yOWLx18EbGVTRY/RVYltyN3MXJUM5kfMoznhX0ivo
+Ü™gfS"Dúè;%rÒû;`8jMðŒì¸<C3AC>°×óˆ$±ÿBÛµÕÎN6F<46>K`GÒ"Œ
--- a/secrets/console/users/myned.pass
+++ b/secrets/console/users/myned.pass
@ -1,9 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 8E6j8Q Zc51Xq32k0zcLmBhf5U5uVE0ueFlVuoJlX+F8svMcWg
-CwqIxWhp8Zktv0Psco5MwIUSHWb9gQvZoOFXAEGooVM
-> ssh-ed25519 sfxzoQ 95lEiu7+r9CLCitBQXmv5WTHiTvao61M8Sby1ygcASU
-LYxDnOJP82Wtl90UTVHBu7Lw9ix4UXwXvRH2OGI0hes
-> ssh-ed25519 BIBw2w Y9dXk85Sc24I7wawvdMi+bcmok/4QdWU7NUmlUsUAyc
-7E6aP4mArfaAUhwaxTtzMkrMs6BnmZFCvSRniyVoXdw
--- 6mnfJ4QZOBDTsVB82dCn8eNEYiwLEX09AjV/a9XAP9o
-B娵亂鵺s<0C>ﾏ昇ﾏﾆﾉ<EFBE86><EFBE89><EFBFBD>ｵﾎqkU呱ｱM:<3A><>頂ﾑﾇﾅｵ鮻Zﾓﾚ8ｸﾒ1(ﾑ炅G<E78285>ﾜ與x<E88887><78>`Eﾌﾜ､ﾍu[3|qﾆb夘嫋$5､ﾉ<EFBDA4>瓢 蹼ﾇgV{
+-> ssh-ed25519 8E6j8Q uk25wbJOQFIE9f4AywO4sqDuclyW0Oc33hZvwspHMCg
+DHxrfnGl/FTaJtBckp7f5PA790JT8uNAUzEtDSVufos
+-> ssh-ed25519 sfxzoQ uH3I+U44vTOqT3hCtgoZrLf1dRYxqc4ZdwfGie86fl4
+0FunAhyMgQ8WFq2yBFao6/OlvE6Bi5yz8m+9mG5n83A
+-> ssh-ed25519 BIBw2w 7rWsYtFJXcWQetR9OoCbyt0G5N6mLkrQqFBBbPEYQGc
+/BYRlIRlp8l3CpWcexuiNvdIXxN0yyvwOio2YlNLcR0
+--- 3y/ivVt0wshO9v8K3NF8Acluzm3vnHkqU9LTxGW5GGk
+ÛGè&<26><>¿hÇ#CêHAÙµ^PÓ$%=
<w÷"pó{ÑÙr,ÖmùzøR–¡ÈòWˆÍ(ÂN°ç†oÎ®Bò$N7<4E>¦pnN€³#úã—$çë<C3A7>Ák-æBp´±eòuP£³Æ
--- a/secrets/console/users/root.pass
+++ b/secrets/console/users/root.pass
--- a/secrets/desktop/bitwarden/client_id
+++ b/secrets/desktop/bitwarden/client_id
--- a/secrets/desktop/bitwarden/client_secret
+++ b/secrets/desktop/bitwarden/client_secret
@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 8E6j8Q jBMO/99RuISehUyoCcwpTDhHCuJU0ZVZF9lCzBUtg2Q
-QAciLwMDMmwd3SWHB0jJ3SK7Li1Bj0pGE/12QkCAN0Q
-> ssh-ed25519 sfxzoQ ogDXW6qb8L9QWI5Tmi68lU27jfVDE7qr8yF6DIvPmBs
-nUDmMhpdd1or4HA2gRUV5iCoEg15Cem5ehDMZOIGbyA
-> ssh-ed25519 g5GcDQ YQJinIC0YUUiNWXRhO81zCOXLUVow29xZI8HDBPaaW4
-b9KLU7v7IzPXsxUdQw/1737HUFa8YFMgFfibjqKh1Y0
-> ssh-ed25519 T/dATA txfGP3naVimrtPzyOQDf3cA/4Z1bImJoLQlqTJPlzV4
-tGnr0/p/KH1rXZfz/9MSY6RN0XTeslnf7eg6ShsF0Hc
--- fMp/+rsSmJ9dh7eMagN6v7snjiWZq/jInVeyWz++kaw
-hø ÙºŠõúÓ	‘Ö±vÁâH%x“úóâxÝöô–F“PåXúÔƒ$o#R`‘¢¯ŒL)ÉGWyÏv|bs
+-> ssh-ed25519 8E6j8Q 9/XAEOswfZGdcOq/37Q8fl2my6A1Z3pEIBImd5q5AiI
+8E1c0DX7Fo6PP26bK0aSTlgfyz5r6Q6eK/7wAHnUn7U
+-> ssh-ed25519 sfxzoQ HLEkfZXE4QzO0Sx6rYNMQUoRnWFlIQADT/rVC1/uUyI
+NpxDrNjyxgiH1swH5eN6CVzZcQ62JcOaA3EvSVMbrVM
+-> ssh-ed25519 g5GcDQ 7DdGJYaIWWg/mdBAC3kI2aAqQS9quh3mNKXnZp+6ZwE
+aExbAbXII0LlglI2ZD02TVCX/bwNpz2E5HvcWFWxhy8
+-> ssh-ed25519 T/dATA rNE4kD0otSqx3Ep5ldk7k/kkZKFvFYDQ7lEunN98SmI
+4vhzKswHh7cIa5SAiHR1aRxjZKroboeFey/9TDmKFhM
+--- naSlgfkmreMLriRJTiAlzdG9og5s43LQ8MV3bCPGh5E
+|<7C>Bb4Ûjˆ<04>Ð®‡ÒáDÕCœq‚¯HþïKâÀµ¡<C2B5>$<24>VŽ”Ü¶@ƒ<àúëq|5Â.Å^)4@ÚÕ
--- a/secrets/desktop/users/myned.pass
+++ b/secrets/desktop/users/myned.pass
--- a/secrets/desktop/users/root.pass
+++ b/secrets/desktop/users/root.pass
--- a/secrets/sbc/borgmatic/borgbase.mypi3
+++ b/secrets/sbc/borgmatic/borgbase.mypi3
--- a/secrets/sbc/create_ap/passphrase
+++ b/secrets/sbc/create_ap/passphrase
--- a/secrets/sbc/create_ap/ssid
+++ b/secrets/sbc/create_ap/ssid
@ -1,9 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 8E6j8Q eBSAWepYbY3v6gvrkkPFAkWItSsNI0KMU7XUp6omTmw
-jhFiBIQUCTxMP6A349SjOe7shr1g8uDgfLnwS0KoTQ8
-> ssh-ed25519 sfxzoQ NniUfTChtIN6hYjn9nyU5hDoO0er8OgJI8qbtgXJdR0
-/ZIcwDpoRVE7HckWyUBNttE4fxsDUuHCoL0IAri2IY4
-> ssh-ed25519 kMNckw Wgkk6woUFGbIsQ+4GmO4IYouyROKWCgYJpZyQNMFihA
-BOfBxs5xrPyIum+YxvXGq0CK+9HMzgxdbECzZ75F6qo
--- ByHALf89ealwBGs6w9Rv4ku+UHPLbY5wJLuCIZpCRbU
-”K@°Ñü(Ò‘£N ".¿cÔA†§"é 
 †S=†kAËèºÁÃ
+-> ssh-ed25519 8E6j8Q qdM2Rf/PoHS7Zs0LpQAEr5pEc4G9jHGZUDzEBc/e9yY
+oDn74ckYbNIt6iv+dqoSppYQlOI/X4RrfPbjvBtXYMw
+-> ssh-ed25519 sfxzoQ KDtcQO1AR/Kr18LlCM3sge2oF6FkAV2lEwTjvscXOT8
+nc+fjbMsCttZNLZlWmu+sAGWPMl1Swbn8BBGDrz9NqE
+-> ssh-ed25519 kMNckw KfIViI1UpHmQ3Eniak+9TavQ5xRbhJj8qaiQE0UYXlY
+tCejs74W4GTdCt3miKQgs9zRblfxm212tS0068z95n8
+--- VZHPcNr19f9Mk+VJUlGmF/BFAEzPBWBQa0Iff5CqEhU
+â<ü8V»Hln!Roîˆ»%WÌG_£°D†M=*¾‘%O/
--- a/secrets/sbc/users/myned.pass
+++ b/secrets/sbc/users/myned.pass
@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 8E6j8Q w8WUcoqRugI5GwFzcwDCiTZJBeBk5naaw/inEKQwHTk
-p7ZuZMrDqBzFGtrFzgg8F1n3/a3VrFrmOUoyK+4StIA
-> ssh-ed25519 sfxzoQ xuzuP3FcwA5nWKt2CDk/DVTzEazS3zp+XNZA19eqWGE
-7OeF2pZVrPgXgqEGsndwDyAuLHtI+EX2VnUVT5NnF4c
-> ssh-ed25519 kMNckw RYoe/cBKTCYil/4dsES4r0nOrJxaO9XbMbYiazoOeSI
-T5t9/SGZmKZbo6B0pprh/aNpFM20ZryysibshkJbnxE
--- veqh4r1ODD6xTPjHE3BZSJJqmEcYVs8VhqTlRcH12lg
-ÒÐ?}Ÿ"ÉÐÿeØýo<C3BD><<ý¢9‡UŠGE’JŒÃ®¦º8ÂÕ<05>#];>«fŒõz®R
-1ã’ªÀü.Ï»õ¹|§óÜ=û¦aèÉ<03>g
-1öyÛlº£±çO·³ñP
+-> ssh-ed25519 8E6j8Q bA32ozwutXBQ/2H3m7at9O/Gfsmu3dmJZbhkxPrOCDA
+eoWFyVDzxxFrk2xhz0fIyb1u8ZGE1o8+Wb8kisIJVic
+-> ssh-ed25519 sfxzoQ So4pMhmq1rBbLbZ5TdVj5ABgPNLWFFMsOLaPhhasdEY
+82HhkzHtE6yHEIlEtXQClThNEKiDVAby0tdCVWJe5tQ
+-> ssh-ed25519 kMNckw mOIazN7a5pJ7/z+vnoHMX1M1rk3sFc1Oh2QXRsvjIz8
+MrtznSiAbVLf5ZwhNMurfVBbTS4l5rMheluGQx6srSQ
+--- HUHnLJ99Igkz9CzZM3vX1LrbgcZYioEr+Spdq3Mstsw
+1ˆÎy}-ÜLáÉt
+û‚[/(r"›Ç„]°ïú7‹"ÿ03<07>)UÐ1uà(¬+Uï\»õ¾`J
+gÓ’ð‰~A»<41>_…‡WÛþŽ%5Š˜ŽxlBýÆWÚ}“ž”í%Zú¥Å+
--- a/secrets/sbc/users/root.pass
+++ b/secrets/sbc/users/root.pass
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -29,7 +29,7 @@ let
  ];

  servers = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDPlG7FWZ5Us4Ix5fGMHn2DJU1/ma/7kQu39cPKKQMXJ root@myarm"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAgrWvzp14Vj+aMd3b9w6e3/xbkHfNZoswsAg9QtUcDc root@myne"
  ];

  common = users ++ consoles ++ desktops ++ sbcs ++ servers;
@ -65,7 +65,7 @@ in {
  "sbc/users/root.pass".publicKeys = sbc;

  ### Server
-  "server/borgmatic/borgbase.myarm".publicKeys = server;
+  "server/borgmatic/borgbase".publicKeys = server;
  "server/caddy/Caddyfile".publicKeys = server;
  "server/coturn/coturn.conf".publicKeys = server;
  "server/forgejo/.env".publicKeys = server;
--- a/secrets/server/borgmatic/borgbase
+++ b/secrets/server/borgmatic/borgbase
--- a/secrets/server/borgmatic/borgbase.myarm
+++ b/secrets/server/borgmatic/borgbase.myarm
@ -1,11 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 8E6j8Q xrvbTgTwyUl3TMj2FqjHXU8BD/Vdv3m6neBHvUHenkA
-fkqOe06bUTi1oPkwdK+MoQpG+u0/g098EppsvgSZPNE
-> ssh-ed25519 sfxzoQ bLqMGk0GecuAPzvT6DdXQPTZvTGNwOuHeTYCI4wqiVs
-w/CfmvGZipntpLcNEh8cQ5q1QjRc/mcYZhq+5Wdmrk4
-> ssh-ed25519 fEyKPw KXgvkZSllT7L1AQY0SV15mKLks+vKyrh7fwiAg7sFF0
-iXaZ7/rzCluo2acEfk66lFvlapazhDHM8Roq+uOr6Es
--- Vj2nOYtxOlo9a9gJt75P1TVVLzmhPT5Ko7N5M31/YXA
-€F°&ÅRÚ½°•^x]Í6¡¬þ‘
-žÕVÜE—$£‹Ó½ –4¸]•Iè6Ô
-…
--- a/secrets/server/caddy/Caddyfile
+++ b/secrets/server/caddy/Caddyfile
--- a/secrets/server/coturn/coturn.conf
+++ b/secrets/server/coturn/coturn.conf
--- a/secrets/server/forgejo/.env
+++ b/secrets/server/forgejo/.env
--- a/secrets/server/forgejo/db.env
+++ b/secrets/server/forgejo/db.env
--- a/secrets/server/foundryvtt/.env
+++ b/secrets/server/foundryvtt/.env
--- a/secrets/server/headscale/.env
+++ b/secrets/server/headscale/.env
--- a/secrets/server/mastodon/.env
+++ b/secrets/server/mastodon/.env
--- a/secrets/server/mastodon/db.env
+++ b/secrets/server/mastodon/db.env
@ -1,9 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 8E6j8Q MsoA/cBAVEWTzonfCmI/66Oi8S/47AZtUEQlmAORdgo
-NVPWxOV4cXRIxQXtkpwPEMvy2aDc7DVr7ApNE6viarY
-> ssh-ed25519 sfxzoQ juVgUyBHUKT5tb1ZfzuZpij9I4AkscZQq7WsdVDZYE0
-5eDZjmkzJTOqKlvqVr6xDg16R7cd1E3W8DwwaRqnvHw
-> ssh-ed25519 fEyKPw BlNMN0xeAKYqxYxwB2XTgg9qLZNVajd32HL/kgqZq1Q
-045aAtmM83csNCpNI0NgpnjsaA94fXFBN7iAM/iGwHU
--- S5m6cti6BKq8xm9iED6Vemdw8IX97g/5wOYrVsFo6Vw
-=Ôë<11>áyÅæBXq:XÎjá:«ÿã%q
P‡
<0A>JYOyújm|Ä<0F>"~®u<<3C>‰e£«yð#m“j:5¨!ˆA×W/ÑC¾É‡`l³OÃs“59®DÝçWÍQG³ãžS¬¤ÖÓkÝ
+-> ssh-ed25519 8E6j8Q IUSkESGcFyING6GSrQlpQSYcJJ9aAjeB4Dtp1jxAzV4
+Mphi9EZNZRRDr0JRvRQw/YDVvqCujonnH6hVhD1m+HQ
+-> ssh-ed25519 sfxzoQ YCNUpEeRyODxDEOB3IRiyCJHqFSxC4DOJSRyvKChpXQ
+IG0RBLuphWgQD37wYQPRcZuw/1V4xRRL2C6WJwNosbY
+-> ssh-ed25519 iw6hqg 28e2FqcU4qmpzCpef6vOearGv/v2pLAIEl8rKxPoJDA
+4X7MKOFfS0w5Gwz5Sahvl2wevmI5TBA2JJptHDoip3o
+--- tBaFFYRxG+rxgptY0Ud3baYuQAq8EKAZ60+s5Pj/Isg
+y>-Š>ôN€Ê—;ýÆ	2îå°E_H‰Õîús@ðº´_z‡Õ¢~¦âNÀÃoËÔ_T±>“MÜb¤0×˜¨„ñ<E2809E>Ì!Ä ¼7ˆ;;ëö€w:¥ç5äÏøÿ¨ìÖ3Ò±Àš!
--- a/secrets/server/matrix-conduit/conduwuit.toml
+++ b/secrets/server/matrix-conduit/conduwuit.toml
--- a/secrets/server/netbox/.env
+++ b/secrets/server/netbox/.env
--- a/secrets/server/netbox/cache.env
+++ b/secrets/server/netbox/cache.env
--- a/secrets/server/netbox/db.env
+++ b/secrets/server/netbox/db.env
--- a/secrets/server/nextcloud/.env
+++ b/secrets/server/nextcloud/.env
--- a/secrets/server/nextcloud/db.env
+++ b/secrets/server/nextcloud/db.env
--- a/secrets/server/searxng/.env
+++ b/secrets/server/searxng/.env
--- a/secrets/server/users/myned.pass
+++ b/secrets/server/users/myned.pass
@ -1,9 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 8E6j8Q gXAQbeuawSxnJ1kH55dABXygbh/xtjoAdpBCGgeNck8
-EfUQ4m+C6kJ7RyajNQN5/nA56WW6fEarTUjRj1O1018
-> ssh-ed25519 sfxzoQ PqVDfFVuRkURQvPc2ycnnU591geuK1FSi4WU6nVQKFQ
-q9ZALua6toEt3QfRrr+WEd2DkyNg0lKRf398BBMqey0
-> ssh-ed25519 fEyKPw 91E+SqBUNOJ75TrFEggr0nIWg2pMuZgWiSqh4//Y/jk
-yWC5XfUa/UCijo+Dm/9yKnoPoA+HSieHJMc38zYEZHI
--- wtARYv4Q4nvS36EX4HtQzwX4grgPw1J84Ljvg48Bv0c
-¢¯Û-.Xæ<58>|¦½ÑX~¢ºÅ!©ºn„ž8rZŸÔ³3Wë- <20>×Ñ‰h<E280B0>ó0
¨K1Iæ¥\„ÞÎ.ŠŽ]¢‚º±Ô^XÑÙëm´ÞÔþUiq®jO®…w<Ï°HÑ<óöíÂ«Z¾2¯
+-> ssh-ed25519 8E6j8Q t+N18Bvdi6ifpBh6WVAzwmq/NZuNWQFe2sUAqa0PFhA
+bDPDSPENggEkfGTDqBgmP6a/7ZtOvoC3dAsbR9Iumcg
+-> ssh-ed25519 sfxzoQ QpOw4kgXb6qPk/ZjRqb5rNZKn/doJUSfYuKeauiZKFs
+SiYN8xRLPcyOalJ4Aw1MTtq8UoJGBDxCdRjJ4R34afU
+-> ssh-ed25519 iw6hqg 1VUUszNoSU6VCPG7MtEPgriTLvBHL36HKhJskzSOgWI
+sI8P4v2VJyqEdm1mmmcV6zak+a0vfFZnOnH2s8i2za8
+--- +9nCRrInPL79KWQeb1NPjETyQ/8JcsOV4MamsEO10uQ
+Ëu,d<>Ěť¸aÂ9b#*í0´|m]věvßÄáúÝ—ÉáHJo‚>Uâ¤‘×H‰{.><1C>üł‹9ź¤u^7äčť€e,§·pTg˙…·ÜV©ôłĆbeĐçŘűřůH<óĚ&F@Ô$fv
--- a/secrets/server/users/root.pass
+++ b/secrets/server/users/root.pass
@ -1,9 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 8E6j8Q 3wQ9vi56qeTLVAn0CrnMNbU9fMb8m6JEK0Y3Y7LAtnc
-KMtukbBQvOuec9CnWjFlNmBFju+i1Yr+BA86wl5G+HQ
-> ssh-ed25519 sfxzoQ j+QkWOeBHSkwvxwFefpG3mKZbpy/rE0WRP9ZCyIWfQM
-nMGvr3aivDlqRg/NFSwzlFBUxehuSTzLZdpbWhiOAEA
-> ssh-ed25519 fEyKPw eTGlDsXmDKuHG4/wu5UPz/MKTQ+dF1XzKSlEIrjxAU8
-zy73tdCmomqVjGu8iG1Pa/6XA4R5U5g4TRRVV5GFnrc
--- eK8BlTPjlQIZB7j7TiuUJJFkiLHNFnQqRDRzklc/bCk
-<EFBFBD>ÞËï"öÎ²àãÕ%Õæ§À‚Üf4ß,_{T…»œÌDšiˆž³óËr¬¼Í\Â<>®.wDxeU¨ŒÐAX6ç5öfªÜ-:_Nã„Z3§LxéªeUpÝØÿî¨îóÀÇŠC\ïÜÏrÉÙÛ†ƒ
+-> ssh-ed25519 8E6j8Q 52z13TdgikuW8OSLj5V2k82rLd/JPgmcP+TJdhcw5XA
+KT07+bT6LqL//7+qe5MjGg4shxmxTlG25VyG8BOx4eo
+-> ssh-ed25519 sfxzoQ DSjiWUc/fJWxPRw/DDn91kzLBa98Xv9/4vXFA7LmFhE
+ynfjS70e6ZM7cN7w7WZs0db8Wr3hpDaU1LXL2GAXqA
+-> ssh-ed25519 iw6hqg cMKqC5xWs81i3ClGZjv3w8TXOq1mhcHVb8kn4/NFFTk
+VNO7raXst/0wZCTL1T0nHX/hVdVSp2+3mB2+4fHQ4kw
+--- EyslIKZFTtI2hgoWVk8XPWSueMHYlnzCtFV9NkmlrKg
+Òú”!}F9’Q
+‚Æäé¤Ó¢—ul7ðX²úZ¤Õç-’ØÉ¡@žšá©ž_ý4’®¾8.™ÎþE‹tì¡[žÇ˜TþË&(ûÛ<C3BB>eÂñ;å»Ó6j
+<EFBFBD>z<EFBFBD>3¨«TW ;¶Ÿ©P¨Î»ÙÇ²Á×
Author	SHA1	Message	Date
Myned	39eebf7d2d	agenix: rekey secrets Signed-off-by: Myned <dev@bjork.tech>	2024-10-08 21:31:51 -05:00
Myned	a15a0d21e3	borgmatic: force archive name format Signed-off-by: Myned <dev@bjork.tech>	2024-10-08 21:31:33 -05:00
Myned	22dac6aa90	fish: modify borgmatic abbreviations Signed-off-by: Myned <dev@bjork.tech>	2024-10-08 21:31:09 -05:00
Myned	d73715998a	myne: update nixos config Signed-off-by: Myned <dev@bjork.tech>	2024-10-08 21:30:49 -05:00
Myned	74863d2a88	chore: update readme Signed-off-by: Myned <dev@bjork.tech>	2024-10-08 21:28:14 -05:00
Myned	e98e4f41f3	containers: rename sevices to arion-* Signed-off-by: Myned <dev@bjork.tech>	2024-10-08 18:23:50 -05:00
Myned	9e368e5f80	hyprland: enable auto_group Signed-off-by: Myned <dev@bjork.tech>	2024-10-08 18:23:18 -05:00