all: cleanup secrets

all: refactor wireguard config
layne: remove protonvpn
2024-11-16 19:00:25 +05:30 · 2024-11-16 19:00:25 +05:30 · 2024-11-16 19:00:24 +05:30 · 2024-11-16 19:00:24 +05:30
16 changed files with 455 additions and 256 deletions
--- a/home/programs/default.nix
+++ b/home/programs/default.nix
@ -33,9 +33,6 @@
    gh
    hcloud
    #localsend
    nixpkgs-review
    nix-init
    nurl
    ripgrep
    signal-desktop-beta
    spotify
--- a/hosts/bifrost/network.nix
+++ b/hosts/bifrost/network.nix
@ -1,12 +1,79 @@
-{ lib, ... }: {
+{ lib, config, ... }:
-  imports = [
+let
-    ../shared/network.nix
+  wireguard-peers = import ../shared/wireguard-peers.nix;
-    ../shared/networkd.nix
+in
-  ];
+{
-  networking = {
+  sops.secrets = {
-    nameservers = lib.mkForce [
+    "wireguard/bifrost/pk" = {
-      "1.1.1.1"
+      mode = "400";
-      "1.0.0.1"
+      owner = config.users.users.root.name;
-    ];
+      group = config.users.users.root.group;
    };
  };
  systemd = {
    network = {
      enable = true;
      wait-online.enable = false;
      networks = {
        "41-ether" = {
          enable = true;
          matchConfig = {
            Type = "ether";
            Name = "e*";
          };
          networkConfig = {
            DHCP = "yes";
            IPv4Forwarding = "yes";
          };
          dhcpV4Config = {
            UseDomains = true;
          };
          linkConfig = {
            RequiredForOnline = "yes";
          };
        };
      };
    };
  };
  services.resolved = {
    enable = true;
    domains = [ "~." ];
    fallbackDns = [ ];
  };
  networking = {
    nameservers = [
      "10.10.10.11"
      "10.10.10.12"
    ];
    useDHCP = lib.mkDefault false;
    useNetworkd = true;
    firewall = {
      allowedUDPPorts = [ 51821 ];
      trustedInterfaces = [ "Homelab" ];
    };
    wg-quick = {
      interfaces = {
        Homelab = {
          listenPort = 51821;
          privateKeyFile = config.sops.secrets."wireguard/bifrost/pk".path;
          address = [
            "10.10.10.1/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
            (rico0 // { endpoint = null; })
            (rico1 // { endpoint = null; })
            (rico2 // { endpoint = null; })
            (wynne // { endpoint = null; })
            (layne // { endpoint = null; })
            skipper
            kowalski
          ];
        };
      };
    };
  };
 }
--- a/hosts/layne/network.nix
+++ b/hosts/layne/network.nix
@ -1,41 +1,77 @@
-{ config, ... }: {
+{ lib, config, ... }:
-  imports = [
+let
-    ../shared/network.nix
+  wireguard-peers = import ../shared/wireguard-peers.nix;
-    ../shared/networkd.nix
+in
-    ../shared/wireguard.nix
+{
  ];
  sops.secrets = {
    "wireguard/layne/pk" = {
      mode = "400";
      owner = config.users.users.root.name;
      group = config.users.users.root.group;
    };
-    "wireguard/layne/psk" = {
+  };
-      mode = "400";
+
-      owner = config.users.users.root.name;
+  systemd = {
-      group = config.users.users.root.group;
+    network = {
-    };
+      enable = true;
-    "proton/layne" = {
+      wait-online.enable = false;
-      mode = "400";
+      networks = {
-      owner = config.users.users.root.name;
+        "41-ether" = {
-      group = config.users.users.root.group;
+          enable = true;
          matchConfig = {
            Type = "ether";
            Name = "e*";
          };
          networkConfig = {
            DHCP = "yes";
            IPv4Forwarding = "yes";
          };
          dhcpV4Config = {
            UseDomains = true;
          };
          linkConfig = {
            RequiredForOnline = "yes";
          };
        };
      };
    };
  };
-  nodeconfig.wireguard = {
+  services.resolved = {
    enable = true;
-    listen-port = 51834;
+    domains = [ "~." ];
-    pk-file = config.sops.secrets."wireguard/layne/pk".path;
+    fallbackDns = [ ];
    psk-file = config.sops.secrets."wireguard/layne/psk".path;
    node-ips = [
      "10.10.10.14/24"
    ];
  };
-  networking.wg-quick = {
+  networking = {
-    interfaces = {
+    useDHCP = lib.mkDefault false;
-      ProtonVPN.configFile = config.sops.secrets."proton/layne".path;
+    nameservers = [
      "10.10.10.11"
      "10.10.10.12"
    ];
    useNetworkd = true;
    firewall = {
      allowedUDPPorts = [ 51834 ];
      trustedInterfaces = [ "Homelab" ];
    };
    wg-quick = {
      interfaces = {
        Homelab = {
          listenPort = 51834;
          privateKeyFile = config.sops.secrets."wireguard/layne/pk".path;
          address = [
            "10.10.10.14/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
            (bifrost // { persistentKeepalive = 20; })
            rico0
            rico1
            rico2
            wynne
          ];
        };
      };
    };
  };
 }
--- a/hosts/layne/services/apps/transmission.nix
+++ b/hosts/layne/services/apps/transmission.nix
@ -28,7 +28,7 @@ in
        "--lpd"
      ];
      settings = {
-        peer-port = 36840;
+        peer-port = 42069;
        rpc-bind-address = "127.0.0.1";
        rpc-port = 9091;
        rpc-host-whitelist = "transmission.labs.adtya.xyz";
@ -60,23 +60,4 @@ in
    };
  };
  systemd.services.transmission.unitConfig.RequiresMountsFor = [ "/mnt/data" ];
  systemd.timers.transmission-port-mapping = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "*:*:00/30";
      Unit = "transmission-port-mapping.service";
    };
  };
  systemd.services.transmission-port-mapping = {
    script = ''
      set -eu
      ${pkgs.libnatpmp}/bin/natpmpc -g 10.2.0.1 -a 1 0 tcp 60
      ${pkgs.libnatpmp}/bin/natpmpc -g 10.2.0.1 -a 1 0 udp 60
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "root";
    };
  };
 }
--- a/hosts/rico0/network.nix
+++ b/hosts/rico0/network.nix
@ -1,30 +1,77 @@
-{ config, ... }: {
+{ lib, config, ... }:
-  imports = [
+let
-    ../shared/network.nix
+  wireguard-peers = import ../shared/wireguard-peers.nix;
-    ../shared/networkd.nix
+in
-    ../shared/wireguard.nix
+{
  ];
  sops.secrets = {
    "wireguard/rico0/pk" = {
      mode = "400";
      owner = config.users.users.root.name;
      group = config.users.users.root.group;
    };
-    "wireguard/rico0/psk" = {
+  };
-      mode = "400";
+
-      owner = config.users.users.root.name;
+  systemd = {
-      group = config.users.users.root.group;
+    network = {
      enable = true;
      wait-online.enable = false;
      networks = {
        "41-ether" = {
          enable = true;
          matchConfig = {
            Type = "ether";
            Name = "e*";
          };
          networkConfig = {
            DHCP = "yes";
            IPv4Forwarding = "yes";
          };
          dhcpV4Config = {
            UseDomains = true;
          };
          linkConfig = {
            RequiredForOnline = "yes";
          };
        };
      };
    };
  };
-  nodeconfig.wireguard = {
+  services.resolved = {
    enable = true;
-    listen-port = 51830;
+    domains = [ "~." ];
-    pk-file = config.sops.secrets."wireguard/rico0/pk".path;
+    fallbackDns = [ ];
-    psk-file = config.sops.secrets."wireguard/rico0/psk".path;
+  };
-    node-ips = [
+
-      "10.10.10.10/24"
+  networking = {
    useDHCP = lib.mkDefault false;
    nameservers = [
      "10.10.10.11"
      "10.10.10.12"
    ];
    useNetworkd = true;
    firewall = {
      allowedUDPPorts = [ 51830 ];
      trustedInterfaces = [ "Homelab" ];
    };
    wg-quick = {
      interfaces = {
        Homelab = {
          listenPort = 51830;
          privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path;
          address = [
            "10.10.10.10/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
            (bifrost // { persistentKeepalive = 20; })
            rico1
            rico2
            wynne
            layne
          ];
        };
      };
    };
  };
 }
--- a/hosts/rico1/network.nix
+++ b/hosts/rico1/network.nix
@ -1,30 +1,77 @@
-{ config, ... }: {
+{ lib, config, ... }:
-  imports = [
+let
-    ../shared/network.nix
+  wireguard-peers = import ../shared/wireguard-peers.nix;
-    ../shared/networkd.nix
+in
-    ../shared/wireguard.nix
+{
  ];
  sops.secrets = {
    "wireguard/rico1/pk" = {
      mode = "400";
      owner = config.users.users.root.name;
      group = config.users.users.root.group;
    };
-    "wireguard/rico1/psk" = {
+  };
-      mode = "400";
+
-      owner = config.users.users.root.name;
+  systemd = {
-      group = config.users.users.root.group;
+    network = {
      enable = true;
      wait-online.enable = false;
      networks = {
        "41-ether" = {
          enable = true;
          matchConfig = {
            Type = "ether";
            Name = "e*";
          };
          networkConfig = {
            DHCP = "yes";
            IPv4Forwarding = "yes";
          };
          dhcpV4Config = {
            UseDomains = true;
          };
          linkConfig = {
            RequiredForOnline = "yes";
          };
        };
      };
    };
  };
-  nodeconfig.wireguard = {
+  services.resolved = {
    enable = true;
-    listen-port = 51831;
+    domains = [ "~." ];
-    pk-file = config.sops.secrets."wireguard/rico1/pk".path;
+    fallbackDns = [ ];
-    psk-file = config.sops.secrets."wireguard/rico1/psk".path;
+  };
-    node-ips = [
+
-      "10.10.10.11/24"
+  networking = {
    useDHCP = lib.mkDefault false;
    nameservers = [
      "10.10.10.11"
      "10.10.10.12"
    ];
    useNetworkd = true;
    firewall = {
      allowedUDPPorts = [ 51831 ];
      trustedInterfaces = [ "Homelab" ];
    };
    wg-quick = {
      interfaces = {
        Homelab = {
          listenPort = 51831;
          privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path;
          address = [
            "10.10.10.11/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
            (bifrost // { persistentKeepalive = 20; })
            rico0
            rico2
            wynne
            layne
          ];
        };
      };
    };
  };
 }
--- a/hosts/rico2/network.nix
+++ b/hosts/rico2/network.nix
@ -1,30 +1,77 @@
-{ config, ... }: {
+{ lib, config, ... }:
-  imports = [
+let
-    ../shared/network.nix
+  wireguard-peers = import ../shared/wireguard-peers.nix;
-    ../shared/networkd.nix
+in
-    ../shared/wireguard.nix
+{
  ];
  sops.secrets = {
    "wireguard/rico2/pk" = {
      mode = "400";
      owner = config.users.users.root.name;
      group = config.users.users.root.group;
    };
-    "wireguard/rico2/psk" = {
+  };
-      mode = "400";
+
-      owner = config.users.users.root.name;
+  systemd = {
-      group = config.users.users.root.group;
+    network = {
      enable = true;
      wait-online.enable = false;
      networks = {
        "41-ether" = {
          enable = true;
          matchConfig = {
            Type = "ether";
            Name = "e*";
          };
          networkConfig = {
            DHCP = "yes";
            IPv4Forwarding = "yes";
          };
          dhcpV4Config = {
            UseDomains = true;
          };
          linkConfig = {
            RequiredForOnline = "yes";
          };
        };
      };
    };
  };
-  nodeconfig.wireguard = {
+  services.resolved = {
    enable = true;
-    listen-port = 51832;
+    domains = [ "~." ];
-    pk-file = config.sops.secrets."wireguard/rico2/pk".path;
+    fallbackDns = [ ];
-    psk-file = config.sops.secrets."wireguard/rico2/psk".path;
+  };
-    node-ips = [
+
-      "10.10.10.12/24"
+  networking = {
    useDHCP = lib.mkDefault false;
    nameservers = [
      "10.10.10.11"
      "10.10.10.12"
    ];
    useNetworkd = true;
    firewall = {
      allowedUDPPorts = [ 51832 ];
      trustedInterfaces = [ "Homelab" ];
    };
    wg-quick = {
      interfaces = {
        Homelab = {
          listenPort = 51832;
          privateKeyFile = config.sops.secrets."wireguard/rico2/pk".path;
          address = [
            "10.10.10.12/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
            (bifrost // { persistentKeepalive = 20; })
            rico0
            rico1
            wynne
            layne
          ];
        };
      };
    };
  };
 }
--- a/hosts/shared/network.nix
+++ b/hosts/shared/network.nix
@ -1,15 +0,0 @@
 { lib, ... }: {
  networking = {
    nameservers = [
      "10.10.10.11"
      "10.10.10.12"
    ];
    useDHCP = lib.mkDefault false;
  };
  services.resolved = {
    enable = true;
    domains = [ "~." ];
    fallbackDns = [ ];
  };
 }
--- a/hosts/shared/networkd.nix
+++ b/hosts/shared/networkd.nix
@ -1,40 +0,0 @@
 { lib, config, ... }: {
  networking = {
    useNetworkd = true;
  };
  systemd = {
    network = {
      enable = true;
      wait-online.enable = false;
      networks = {
        "41-ether" = {
          enable = true;
          matchConfig = {
            Type = "ether";
            Name = "e*";
          };
          networkConfig = {
            DHCP = "yes";
            IPv4Forwarding = "yes";
          };
          dhcpV4Config = {
            UseDomains = true;
          };
          ipv6AcceptRAConfig = {
            UseDomains = true;
          };
          linkConfig = {
            RequiredForOnline = "yes";
          };
          routes = lib.mkIf ((lib.strings.toLower config.networking.hostName) != "bifrost") [
            {
              Destination = "165.232.180.97";
              Gateway = "_dhcp4";
              GatewayOnLink = "yes";
            }
          ];
        };
      };
    };
  };
 }
--- a/hosts/shared/wireguard-peers.nix
+++ b/hosts/shared/wireguard-peers.nix
@ -0,0 +1,15 @@
 let
  mkPeer = endpoint: publicKey: allowedIPs: {
    inherit endpoint publicKey allowedIPs;
  };
 in
 {
  bifrost = mkPeer "165.232.180.97:51821" "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=" [ "10.10.10.1" "10.10.10.2" "10.10.10.3" ];
  skipper = mkPeer null "ob8Ri5fYBCkksRnpbkq0kBlU0Ll3xjIPpMk8e9TKpl4=" [ "10.10.10.2" ];
  kowalski = mkPeer null "ZgtftftDNAnNsOKo34cgaP3lQim2HMmoCXayALIVsFU=" [ "10.10.10.3" ];
  rico0 = mkPeer "192.168.1.10:51830" "9mfgKUM6hXllEUunvI8szlni9OFpKSbaLVZRAhAh51Q=" [ "10.10.10.10" ];
  rico1 = mkPeer "192.168.1.11:51831" "lFtIm7CX3gcHMAu673ptRzNDQh5QEa7FbzlHSQerRg0=" [ "10.10.10.11" ];
  rico2 = mkPeer "192.168.1.12:51832" "FyFlOHfAprr474cJCXKRvgsU6o22xaQ8gzs1563AQnI=" [ "10.10.10.12" ];
  wynne = mkPeer "192.168.1.13:51833" "re9z2AAKGaJrEn5Q+xp7XnZn4x4+GoJPLZScaXrnMC0=" [ "10.10.10.13" ];
  layne = mkPeer "192.168.1.14:51834" "qhthtzB7vTGRfS1RGyP7RJ+BZLKd/BNxhaTJvAlYuyo=" [ "10.10.10.14" ];
 }
--- a/hosts/shared/wireguard.nix
+++ b/hosts/shared/wireguard.nix
@ -1,33 +0,0 @@
 { config, lib, ... }:
 let
  hostName = lib.strings.toLower config.networking.hostName;
  mkPeer = endpoint: publicKey: ip: {
    inherit endpoint publicKey;
    allowedIPs = [ ip ];
  };
  peer-rico0 = mkPeer "192.168.1.10:51830" "9mfgKUM6hXllEUunvI8szlni9OFpKSbaLVZRAhAh51Q=" "10.10.10.10";
  peer-rico1 = mkPeer "192.168.1.11:51831" "lFtIm7CX3gcHMAu673ptRzNDQh5QEa7FbzlHSQerRg0=" "10.10.10.11";
  peer-rico2 = mkPeer "192.168.1.12:51832" "FyFlOHfAprr474cJCXKRvgsU6o22xaQ8gzs1563AQnI=" "10.10.10.12";
  peer-wynne = mkPeer "192.168.1.13:51833" "re9z2AAKGaJrEn5Q+xp7XnZn4x4+GoJPLZScaXrnMC0=" "10.10.10.13";
  peer-layne = mkPeer "192.168.1.14:51834" "qhthtzB7vTGRfS1RGyP7RJ+BZLKd/BNxhaTJvAlYuyo=" "10.10.10.14";
  selectPeer = host: peer: if hostName == host then [ ] else [ peer ];
  interface-name = "Homelab";
 in
 {
  nodeconfig.wireguard = {
    inherit interface-name;
    dns = [ "10.10.10.11" "10.10.10.12" ];
    endpoint = "165.232.180.97:51821";
    endpoint-publickey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
    allowed-ips = if hostName == "skipper" then [ "10.10.10.0/24" ] else [ "10.10.10.1" "10.10.10.2" "10.10.10.3" ];
  };
  networking = {
    firewall.allowedUDPPorts = [ config.nodeconfig.wireguard.listen-port ];
    wg-quick.interfaces.${interface-name}.peers = if hostName == "skipper" then [ ] else
    ((selectPeer "rico0" peer-rico0)
      ++ (selectPeer "rico1" peer-rico1)
      ++ (selectPeer "rico2" peer-rico2)
      ++ (selectPeer "wynne" peer-wynne)
      ++ (selectPeer "layne" peer-layne));
  };
 }
--- a/hosts/skipper/network/default.nix
+++ b/hosts/skipper/network/default.nix
@ -1,12 +1,20 @@
-_: {
+{ lib, ... }: {
-  imports = [
+  imports = [ ./wireguard.nix ];
-    ../../shared/network.nix
+
-    ./wireguard.nix
+  services.resolved = {
-  ];
+    enable = true;
    domains = [ "~." ];
    fallbackDns = [ ];
  };
  networking = {
    nameservers = [
      "10.10.10.11"
      "10.10.10.12"
    ];
    useDHCP = lib.mkDefault false;
    extraHosts = ''
-      10.10.10.1 Proxy
+      10.10.10.1 Bifrost
      10.10.10.2 Skipper
      10.10.10.10 Rico0
      10.10.10.11 Rico1
--- a/hosts/skipper/network/wireguard.nix
+++ b/hosts/skipper/network/wireguard.nix
@ -1,26 +1,33 @@
-{ config, ... }: {
+{ config, ... }:
-  imports = [ ../../shared/wireguard.nix ];
+let
-
+  wireguard-peers = import ../../shared/wireguard-peers.nix;
 in
 {
  sops.secrets = {
    "wireguard/skipper/pk" = {
      mode = "400";
      owner = config.users.users.root.name;
      group = config.users.users.root.group;
    };
-    "wireguard/skipper/psk" = {
+  };
-      mode = "400";
+  networking = {
-      owner = config.users.users.root.name;
+    firewall = {
-      group = config.users.users.root.group;
+      trustedInterfaces = [ "Homelab" ];
    };
    wg-quick = {
      interfaces = {
        Homelab = {
          listenPort = 51822;
          privateKeyFile = config.sops.secrets."wireguard/skipper/pk".path;
          address = [
            "10.10.10.2/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
            (bifrost // { allowedIPs = [ "10.10.10.0/24" ]; })
          ];
        };
      };
    };
  };
  nodeconfig.wireguard = {
    enable = true;
    listen-port = 51822;
    pk-file = config.sops.secrets."wireguard/skipper/pk".path;
    psk-file = config.sops.secrets."wireguard/skipper/psk".path;
    node-ips = [
      "10.10.10.2/24"
    ];
  };
 }
--- a/hosts/wynne/network.nix
+++ b/hosts/wynne/network.nix
@ -1,10 +1,8 @@
-{ config, ... }: {
+{ lib, config, ... }:
-  imports = [
+let
-    ../shared/network.nix
+  wireguard-peers = import ../shared/wireguard-peers.nix;
-    ../shared/networkd.nix
+in
-    ../shared/wireguard.nix
+{
  ];
  sops.secrets = {
    "wireguard/wynne/pk" = {
      mode = "400";
@ -18,13 +16,67 @@
    };
  };
-  nodeconfig.wireguard = {
+  systemd = {
    network = {
      enable = true;
      wait-online.enable = false;
      networks = {
        "41-ether" = {
          enable = true;
          matchConfig = {
            Type = "ether";
            Name = "e*";
          };
          networkConfig = {
            DHCP = "yes";
            IPv4Forwarding = "yes";
          };
          dhcpV4Config = {
            UseDomains = true;
          };
          linkConfig = {
            RequiredForOnline = "yes";
          };
        };
      };
    };
  };
  services.resolved = {
    enable = true;
-    listen-port = 51833;
+    domains = [ "~." ];
-    pk-file = config.sops.secrets."wireguard/wynne/pk".path;
+    fallbackDns = [ ];
-    psk-file = config.sops.secrets."wireguard/wynne/psk".path;
+  };
-    node-ips = [
+
-      "10.10.10.13/24"
+  networking = {
    useDHCP = lib.mkDefault false;
    nameservers = [
      "10.10.10.11"
      "10.10.10.12"
    ];
    useNetworkd = true;
    firewall = {
      allowedUDPPorts = [ 51833 ];
      trustedInterfaces = [ "Homelab" ];
    };
    wg-quick = {
      interfaces = {
        Homelab = {
          listenPort = 51833;
          privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path;
          address = [
            "10.10.10.13/24"
          ];
          dns = [ "10.10.10.11" "10.10.10.12" ];
          peers = with wireguard-peers; [
            (bifrost // { persistentKeepalive = 20; })
            rico0
            rico1
            rico2
            layne
          ];
        };
      };
    };
  };
 }
--- a/hosts/wynne/services/apps/dendrite/default.nix
+++ b/hosts/wynne/services/apps/dendrite/default.nix
@ -1,14 +1,5 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
  sops = {
    secrets = {
      "matrix/syncv3_secret" = {
        mode = "444";
        owner = config.users.users.root.name;
        inherit (config.users.users.root) group;
      };
    };
  };
  systemd.services.dendrite =
    let
      dendrite_package = pkgs.dendrite;
--- a/secrets.yaml
+++ b/secrets.yaml
@ -2,32 +2,24 @@ passwd:
    root: ENC[AES256_GCM,data:sT8S6EgqlUTOj8wx/FWde1ht/LCfhnnJW8aLNR3IawGcjbWh+JCKnlQ/1FpuGuVF7Qm8qScRcl7FPUZPFpBtj9OJ3984S9DtFJachwSNEJ2TRU+9YdYB1WsXx9ZunMQcTLK9MIyWfIVzqw==,iv:1qfkkj3NMvS50Q84BtqYTiNIMVjdxPh1k52MudEK/5A=,tag:HUwaVYDwjKmnHhEIejnfxg==,type:str]
    adtya: ENC[AES256_GCM,data:xBr14ZVeblPbgO2YT+6DPrENsJElj+UkTJebv3/x0U/u+srx82G2Lloda5zZwVBIEc5f6ZPSS4Oko3dM2PW9KUNO7IjDa+Wsm5MQogSjGT+aNtjlub2PkVts5gp+TtCOd6bUQjnf95VXNQ==,iv:ytKVRBsQWJWwXn6DpCOTDYJOVI3N/KnWtyp/GkSs7UQ=,tag:zbPtMMH6MFE6LpBga5X1GQ==,type:str]
 wireguard:
    biforst:
        pk: ENC[AES256_GCM,data:tEdYwVK18IiuctAagNnamqtQqRcUzB5CIvdaH8Of7KGJlmAd9dRZJXcgfw0=,iv:56BpKlIKz8227Fun7lmulnznJJ1CBeX047VBaRkSpWg=,tag:CHoW4IKWTZXy2EEGrsyc0Q==,type:str]
    skipper:
        pk: ENC[AES256_GCM,data:by1Cqt1IYK1+MTGrj8Y6JQcKGuUun3b4XNDi6+eyR2bviRhfEQdxHEEA+ZI=,iv:V8dZy4iWe7t54aDgn22pGYaqf+tN1drt3nFo0ctoUlE=,tag:x4GfT9kY8+fGrM1ELOMbRA==,type:str]
        psk: ENC[AES256_GCM,data:D6S3XPit4SkwsFzOFL7NXXzaxZg5R0oBvTsHVkUDHQxBzfBUA9u1iDRl2Jw=,iv:eqI5twDHGcJDDqPmBelU2XxIi84jV9k+bORgKEpz7EA=,tag:Ljj/7oA7RBEMSd6dXC7FKw==,type:str]
    rico0:
        pk: ENC[AES256_GCM,data:VGhOm7s/wU15h2nhDzrJdImTDv7SvmUNNQhsCJIzFmZh0mKS81au8uDJhVA=,iv:+8sTtCEXyw2fnNXS7kayOb5ldwUPnPzGaJ39UOpXKrQ=,tag:gyejp28gbMbRKaBMYYAoKA==,type:str]
        psk: ENC[AES256_GCM,data:XlnEVm3nIGIB/e5dVnwtoAXyjYAc5iElP5mPXlqX8zttXUsEjD3ifL9/rwc=,iv:K/8EyZaNCAxSscfVrO84P86pEkdvnP9ibBDs2SWoXx8=,tag:HS8CxiSaHxyukdfk5zWIvg==,type:str]
    rico1:
        pk: ENC[AES256_GCM,data:pXAPjrmKYZ2HZtwEhASOIv24BAu1hmA+Gaave4IegqpJyQlpcoPnmUKWnZ8=,iv:FiFq8Uoo0pA7rJCiM5pHss2ElEzIBZ7K73wWfn9oLl8=,tag:PKzhRmqmKwMXQYeKo7nBVw==,type:str]
        psk: ENC[AES256_GCM,data:yaSQc/NT1Res1LjU19GNFK9poeaY2M7BSSicmV237bQKxBo1hM4corPATM4=,iv:d4mOelgktH6wX6vmXhdjC6PQZ04bmCWkqHBP4IGyKog=,tag:B3xSy4avb8hNNzjq3K3uMg==,type:str]
    rico2:
        pk: ENC[AES256_GCM,data:XyiOlPelFLAhW7Dbko+zGnrxvDAcwxLhBPXye+tBEZ4rs/gcoczjqPhfUJo=,iv:DoMIXLUClnosQPg4VhXBdWV41MJ2sN3C3xgZ9jw2qkY=,tag:m0ZfLdWX8u1h1RgIMfVE9w==,type:str]
        psk: ENC[AES256_GCM,data:vKHqJDkpyj05UnnSU0PTG3byrXs9gwJISRmwgG93jaOUCUKfsJuSDeQCfQw=,iv:/v7sEH03zsVfDxY6oCvnRfNQfNvqXi5Bt5ONM7zFxoI=,tag:WzDTlFU7frYwAGHkUHlxEQ==,type:str]
    wynne:
        pk: ENC[AES256_GCM,data:50L8Rru7pVWa+19qltLynzYwh37HK3IbnjfBtf6REb7KpSTWvmK48JVchxw=,iv:PQylNCEGiyBIk/NxFSAFqrzCu5st9dkshQ6jyRt7yKs=,tag:ddhaCFCBQVxrPaqaHIvg2Q==,type:str]
        psk: ENC[AES256_GCM,data:cbO8D/kwhdsiYAqXAbdud0Bhm/tpmwcpdCmKcsvsnUFjy2fO9dYrd0/KbSA=,iv:oByAtlZTY7+taMoniU/dIecZG8XoHWwKVBHGri4xUv0=,tag:8vJm4n/8/jxHtS+E+iVvLw==,type:str]
    layne:
        pk: ENC[AES256_GCM,data:tmuYhe/7n65asRwmXXk7ZeYeS8SDovkLpaysXTmNvL+40IZw71Ju1lpJIrI=,iv:B4fhKqOkLwTWBpHD557Xrtn5GgTJJpWlFYCzNU1/Ipc=,tag:HBFGG35FB/UWkuVQWqo1EA==,type:str]
        psk: ENC[AES256_GCM,data:5psT1pbRMDCBXHYg4z5zqsYTmgQgg0Df+xEtbEhf1YBzl6qEYyjLDhvpvaQ=,iv:wH9CqNBmLjlGlDPFZtTQ+tCVYBTkhLfwLc2nWNhlYCM=,tag:YWtFcx4YD6gh5qDnIYshfQ==,type:str]
 matrix:
    syncv3_secret: ENC[AES256_GCM,data:05lLSSolNO55VjJQL3nLNGo2jiZUZht2FKNvc2O2dCccSfglrwm6J5Guzns9ZlT8X9j74lvlWlbM6Q==,iv:1zARbgZ9GJV1UMJ+WjFPNYPqhRjGVj4iLYMpfsRjrko=,tag:fQ9Vg1xD1k2eYlEbtF6q8A==,type:str]
 caddy:
    env_file: ENC[AES256_GCM,data:PKtILX7o0D3rj78JXIXad9UcQz0ZiihXK1nY/kb08fh3i54hYrFyJyGt04b9mAufxTnhDV4=,iv:I/EtxopCFmRxgsGJIcFDufTiM1JyPPoIQkgKIDiCP24=,tag:5QlGMp839p9RYKB09tr61A==,type:str]
 forgejo:
    runner_registration_token_file: ENC[AES256_GCM,data:CM5hQEd1YHuCpzN6ZVGVzxRgQcUuq/KZ+o5JcB3kRAyVJVYjCyRfNPD2SA/ruw==,iv:L3tLN0C/d3lztvnBHyRzSFdkjtR8bnd5IrROGBSw/0E=,tag:R+o7E47DNvRr8S+hqR+v5w==,type:str]
 proton:
    layne: ENC[AES256_GCM,data:wAY2uoxjM1ubHzvwBfsgQzx+OLsno4Q/gP5XPiDPHwWy3IbmU14EhSH942mdjixRlHK2/T3l3NYqFSOm//8Ri9+GyfmJBcIKY/A8vgui0DbkGOb5+h7AKDoCwyUrredtCtFSWk5Hahl19BnJtoLEzmOjbF6su7P2PgAdpxlkWiiyR3ZVSC+PD/2KjdkgNSEXV8V7fxTSaiMqAYXiIqe33Kx5gKIVHPuHf8qrnKYQ92q2BUolpXpcg24FlbavjgmkTI3wCw9V/o/zo5lJnCzi8TSdVelJ5fOKDUA+8FemJcquYQ==,iv:dsbKPzNUAYnH1yaflxEAoKaTj+QtflkMdqAQqQQi418=,tag:jsSTKjmk6nTUfUAxcTsMtA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -106,8 +98,8 @@ sops:
            UXJhWFFnQnFvOEF0M0JFb3E4UVB4UU0KSUq4d8eudY03p/fd8S8f1wk0OU4BlNYB
            tldkOx2DhSvcVr/FcIJIR2PFbU8o50kYj9R0HR2sHJ5C5fJ0cDXY4A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-31T05:28:50Z"
+    lastmodified: "2024-11-16T13:28:44Z"
-    mac: ENC[AES256_GCM,data:PbyhjXr/IZw+5q0PqTjXowHaiB31NjZzYpKhVV5s43+XrdMpVhcaqr9Gs7yTsqNsSc36uZ1YRymwYr8i+bF1k81lvDgyEr38Pl3vcEoIy+jNPaVnxXBRW6CL69cKfC058GmuPRYIyevorw3G3DtpLsCT5lGiMS9XedmBMf3rsw0=,iv:lHO27bURe7apOq/2KQXttou/OJMRM4uBrpqH26hBIDE=,tag:1ulMCx3/UCWCplUv+NJqNA==,type:str]
+    mac: ENC[AES256_GCM,data:HSpdXpDRlP7IamrmvQInn1coo+T59r5AowbH9uEr6cntWhOVjI6xJb91dd647uhnl9RQ4KN6QjNiBU3u4/9ie/hHAOzuX4vzYHjaWV0iO1pAHVOkT5jmker767je7rKVOu9BdtDgckGWQfC599bEL2PzS5megjo5Jbg/trZXHx0=,iv:EmnH2nwuBHdrtoJXSvOUdob0YKzl88jyJbXN+qFX0zQ=,tag:kUicG4NTK8DiY7OUvOgv3w==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
Author	SHA1	Message	Date
Adithya Nair	f97c01a604	all: cleanup secrets	2024-11-16 19:00:25 +05:30
Adithya Nair	35011d7f89	all: refactor wireguard config	2024-11-16 19:00:25 +05:30
Adithya Nair	05457d3712	layne: remove protonvpn	2024-11-16 19:00:24 +05:30
Adithya Nair	1a695fb7bb	skipper: remove packages	2024-11-16 19:00:24 +05:30