adtya/configuration.nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: adtya:f11852abdc8cd34609add2a790c880c6a34066e4
Branches Tags
adtya:main
..
compare: adtya:558ac503379abb7127c8ee0a64f1cd80cd314740
Branches Tags
adtya:main

7 commits
f11852abdc ... 558ac50337

Author SHA1 Message Date
Adithya Nair
558ac50337
bifrost: setup NAT for git-over-ssh to forgejo 2024-11-17 11:42:28 +05:30
Adithya Nair
beb635d6db
some cleanups 2024-11-17 10:28:43 +05:30
Adithya Nair
d053b70338
remove custom wireguard module 2024-11-16 23:08:35 +05:30
Adithya Nair
ef3d9510ce
bifrost: move public facing reverse proxies to bifrost 2024-11-16 23:08:16 +05:30
Adithya Nair
940e3a811f
all: move stuff around 2024-11-16 22:10:11 +05:30
Adithya Nair
b694f284f6
rico2: update homepage 2024-11-16 21:25:07 +05:30
Adithya Nair
48c3f9d98e
all: switch to new bifrost 2024-11-16 21:24:51 +05:30
48 changed files with 640 additions and 650 deletions
Show stats Expand all files Collapse all files

2
.sops.yaml
View file

@ -6,7 +6,7 @@ keys:
- &host_rico2 age19uy6xerll6st3s3ftfpy7075m9eetm2288l2w07k7ek6z2l3ef6qfw34cf - &host_rico2 age19uy6xerll6st3s3ftfpy7075m9eetm2288l2w07k7ek6z2l3ef6qfw34cf
- &host_wynne age1jyaf9rn5d5pqjh60shs2q5hs98fwugak8z6cs6qs7yuc3wntugmsumxmv0 - &host_wynne age1jyaf9rn5d5pqjh60shs2q5hs98fwugak8z6cs6qs7yuc3wntugmsumxmv0
- &host_layne age1k2wpm88wms6hx3ldvu0n2je7pag9fexs9eq0e8hlkfcs2dx9eg9qlkf95d - &host_layne age1k2wpm88wms6hx3ldvu0n2je7pag9fexs9eq0e8hlkfcs2dx9eg9qlkf95d
- &host_bifrost age1jt8uleg4auf0h8ftl4ykq73epvgqml29q8ty0lz6kasta5h6td3shgxvrr - &host_bifrost age1d2anhmqdewykt3mgz6azsyz0yh7wc9ap6ga46myzwg84c9rpspws9ze3l4
creation_rules: creation_rules:
- path_regex: secrets.yaml - path_regex: secrets.yaml
key_groups: key_groups:

2
flake.nix
View file

@ -267,7 +267,7 @@
}; };
}; };
Bifrost = { Bifrost = {
hostname = "Biforst"; hostname = "Bifrost";
sshUser = "adtya"; sshUser = "adtya";
profiles.system = { profiles.system = {
user = "root"; user = "root";

7
hosts/bifrost/default.nix
View file

@ -1,7 +1,7 @@
{ modulesPath, ... }: { { modulesPath, ... }: {
imports = [ imports = [
(modulesPath + "/virtualisation/digital-ocean-config.nix") (modulesPath + "/virtualisation/digital-ocean-config.nix")
./network.nix ./network
./programs ./programs
./services ./services
./security.nix ./security.nix
@ -10,6 +10,11 @@
nodeconfig = { nodeconfig = {
minimize = true; minimize = true;
nix.auto-gc = true; nix.auto-gc = true;
facts = {
external-ip = "128.199.30.141";
local-ip = "10.122.0.3";
wireguard-ip = "10.10.10.1";
};
}; };
i18n = { i18n = {

49
hosts/bifrost/network/default.nix Normal file
View file

@ -0,0 +1,49 @@
{ lib, ... }: {
imports = [ ./firewall.nix ./wireguard.nix ];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks = {
"41-ether" = {
enable = true;
matchConfig = {
Type = "ether";
Name = "e*";
};
networkConfig = {
DHCP = "yes";
IPv4Forwarding = "yes";
};
dhcpV4Config = {
UseDomains = true;
};
linkConfig = {
RequiredForOnline = "yes";
};
};
};
};
};
services.resolved = {
enable = true;
domains = [ "~." ];
fallbackDns = [ ];
};
networking = {
nameservers = [
"1.1.1.1"
"10.10.10.11"
"1.0.0.1"
"10.10.10.12"
];
useDHCP = lib.mkDefault false;
useNetworkd = true;
};
}

27
hosts/bifrost/network/firewall.nix Normal file
View file

@ -0,0 +1,27 @@
_: {
networking = {
firewall.allowedTCPPorts = [ 42069 ];
nftables = {
enable = true;
ruleset = ''
table ip filter {
chain FORWARD {
iifname "ens3" oifname "Homelab" tcp dport 42069 tcp flags syn / fin,syn,rst,ack ct state new accept
iifname "ens3" oifname "Homelab" ct state related,established accept
iifname "Homelab" oifname "ens3" ct state related,established accept
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority -100 ;
iifname ens3 tcp dport 42069 dnat to 10.10.10.13
}
chain POSTROUTING {
type nat hook postrouting priority 100 ;
ip daddr 10.10.10.13 masquerade
};
}
'';
};
};
}

48
hosts/bifrost/network.nix → hosts/bifrost/network/wireguard.nix
View file

@ -1,8 +1,5 @@
{ lib, config, ... }: { config, ... }:
let let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
wireguard-peers = import ../shared/wireguard-peers.nix;
in
{
sops.secrets = { sops.secrets = {
"wireguard/bifrost/pk" = { "wireguard/bifrost/pk" = {
mode = "400"; mode = "400";
@ -10,45 +7,7 @@ in
group = config.users.users.root.group; group = config.users.users.root.group;
}; };
}; };
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks = {
"41-ether" = {
enable = true;
matchConfig = {
Type = "ether";
Name = "e*";
};
networkConfig = {
DHCP = "yes";
IPv4Forwarding = "yes";
};
dhcpV4Config = {
UseDomains = true;
};
linkConfig = {
RequiredForOnline = "yes";
};
};
};
};
};
services.resolved = {
enable = true;
domains = [ "~." ];
fallbackDns = [ ];
};
networking = { networking = {
nameservers = [
"10.10.10.11"
"10.10.10.12"
];
useDHCP = lib.mkDefault false;
useNetworkd = true;
firewall = { firewall = {
allowedUDPPorts = [ 51821 ]; allowedUDPPorts = [ 51821 ];
trustedInterfaces = [ "Homelab" ]; trustedInterfaces = [ "Homelab" ];
@ -59,7 +18,7 @@ in
listenPort = 51821; listenPort = 51821;
privateKeyFile = config.sops.secrets."wireguard/bifrost/pk".path; privateKeyFile = config.sops.secrets."wireguard/bifrost/pk".path;
address = [ address = [
"10.10.10.1/24" "${config.nodeconfig.facts.wireguard-ip}/24"
]; ];
dns = [ "10.10.10.11" "10.10.10.12" ]; dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [ peers = with wireguard-peers; [
@ -75,5 +34,4 @@ in
}; };
}; };
}; };
} }

2
hosts/rico0/services/apps/acomputer.lol.nix → hosts/bifrost/services/apps/acomputer.lol.nix
View file

@ -1,12 +1,10 @@
_: _:
let let
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
domainName = "acomputer.lol"; domainName = "acomputer.lol";
in in
{ {
services = { services = {
caddy.virtualHosts."${domainName}" = { caddy.virtualHosts."${domainName}" = {
inherit logFormat;
extraConfig = '' extraConfig = ''
handle /.well-known/matrix/server { handle /.well-known/matrix/server {
header Content-Type application/json header Content-Type application/json

2
hosts/rico0/services/apps/adtya.xyz.nix → hosts/bifrost/services/apps/adtya.xyz.nix
View file

@ -1,13 +1,11 @@
{ inputs, pkgs, ... }: { inputs, pkgs, ... }:
let let
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
domainName = "adtya.xyz"; domainName = "adtya.xyz";
in in
{ {
services = { services = {
caddy.virtualHosts."${domainName}" = { caddy.virtualHosts."${domainName}" = {
serverAliases = [ "www.${domainName}" ]; serverAliases = [ "www.${domainName}" ];
inherit logFormat;
extraConfig = '' extraConfig = ''
handle { handle {
root * ${inputs.adtyaxyz.packages.${pkgs.system}.default}/share/web root * ${inputs.adtyaxyz.packages.${pkgs.system}.default}/share/web

11
hosts/bifrost/services/apps/default.nix Normal file
View file

@ -0,0 +1,11 @@
_: {
imports = [
./adtya.xyz.nix
./acomputer.lol.nix
./dendrite.nix
./forgejo.nix
./ntfy.nix
./proofs.nix
./wiki.nix
];
}

2
hosts/rico0/services/apps/dendrite.nix → hosts/bifrost/services/apps/dendrite.nix
View file

@ -1,12 +1,10 @@
_: _:
let let
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
domainName = "matrix.acomputer.lol"; domainName = "matrix.acomputer.lol";
in in
{ {
services = { services = {
caddy.virtualHosts."${domainName}" = { caddy.virtualHosts."${domainName}" = {
inherit logFormat;
extraConfig = '' extraConfig = ''
reverse_proxy 10.10.10.13:8008 reverse_proxy 10.10.10.13:8008
''; '';

7
hosts/rico0/services/apps/forgejo.nix → hosts/bifrost/services/apps/forgejo.nix
View file

@ -1,12 +1,7 @@
_: _:
let let domainName = "forge.acomputer.lol"; in {
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
domainName = "forge.acomputer.lol";
in
{
services = { services = {
caddy.virtualHosts."${domainName}" = { caddy.virtualHosts."${domainName}" = {
inherit logFormat;
extraConfig = '' extraConfig = ''
reverse_proxy 10.10.10.13:3000 reverse_proxy 10.10.10.13:3000
''; '';

13
hosts/bifrost/services/apps/ntfy.nix Normal file
View file

@ -0,0 +1,13 @@
_:
let
domainName = "ntfy.acomputer.lol";
in
{
services = {
caddy.virtualHosts."${domainName}" = {
extraConfig = ''
reverse_proxy 10.10.10.13:8080
'';
};
};
}

13
hosts/bifrost/services/apps/proofs.nix Normal file
View file

@ -0,0 +1,13 @@
_:
let
domainName = "proofs.adtya.xyz";
in
{
services = {
caddy.virtualHosts."${domainName}" = {
extraConfig = ''
redir https://keyoxide.org/hkp/51E4F5AB1B82BE45B4229CC243A5E25AA5A27849
'';
};
};
}

2
hosts/rico0/services/apps/wiki.nix → hosts/bifrost/services/apps/wiki.nix
View file

@ -1,12 +1,10 @@
{ inputs, pkgs, ... }: { inputs, pkgs, ... }:
let let
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
domainName = "wiki.adtya.xyz"; domainName = "wiki.adtya.xyz";
in in
{ {
services = { services = {
caddy.virtualHosts."${domainName}" = { caddy.virtualHosts."${domainName}" = {
inherit logFormat;
extraConfig = '' extraConfig = ''
handle { handle {
root * ${inputs.wiki.packages.${pkgs.system}.default}/share/web root * ${inputs.wiki.packages.${pkgs.system}.default}/share/web

4
hosts/bifrost/services/default.nix
View file

@ -1,5 +1,9 @@
_: { _: {
imports = [ imports = [
./ssh.nix ./ssh.nix
../../shared/caddy.nix
./apps
]; ];
} }

9
hosts/bifrost/services/ssh.nix
View file

@ -1,6 +1,13 @@
_: { { config, ... }:
let facts = config.nodeconfig.facts; in {
networking.firewall.interfaces.ens3.allowedTCPPorts = [ 22 ];
services.openssh = { services.openssh = {
enable = true; enable = true;
openFirewall = false;
listenAddresses = [
{ addr = facts.wireguard-ip; port = 22; }
{ addr = facts.local-ip; port = 22; }
];
settings = { settings = {
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;
PasswordAuthentication = false; PasswordAuthentication = false;

7
hosts/layne/default.nix
View file

@ -3,7 +3,7 @@ _: {
./hardware ./hardware
./programs ./programs
./services ./services
./network.nix ./network
./security.nix ./security.nix
./users.nix ./users.nix
]; ];
@ -12,6 +12,11 @@ _: {
minimize = true; minimize = true;
nix.auto-gc = true; nix.auto-gc = true;
is-server = true; is-server = true;
facts = {
external-ip = null;
local-ip = "192.168.1.14";
wireguard-ip = "10.10.10.14";
};
}; };
environment.sessionVariables = { environment.sessionVariables = {

77
hosts/layne/network.nix
View file

@ -1,77 +0,0 @@
{ lib, config, ... }:
let
wireguard-peers = import ../shared/wireguard-peers.nix;
in
{
sops.secrets = {
"wireguard/layne/pk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks = {
"41-ether" = {
enable = true;
matchConfig = {
Type = "ether";
Name = "e*";
};
networkConfig = {
DHCP = "yes";
IPv4Forwarding = "yes";
};
dhcpV4Config = {
UseDomains = true;
};
linkConfig = {
RequiredForOnline = "yes";
};
};
};
};
};
services.resolved = {
enable = true;
domains = [ "~." ];
fallbackDns = [ ];
};
networking = {
useDHCP = lib.mkDefault false;
nameservers = [
"10.10.10.11"
"10.10.10.12"
];
useNetworkd = true;
firewall = {
allowedUDPPorts = [ 51834 ];
trustedInterfaces = [ "Homelab" ];
};
wg-quick = {
interfaces = {
Homelab = {
listenPort = 51834;
privateKeyFile = config.sops.secrets."wireguard/layne/pk".path;
address = [
"10.10.10.14/24"
];
dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [
(bifrost // { persistentKeepalive = 20; })
rico0
rico1
rico2
wynne
];
};
};
};
};
}

45
hosts/layne/network/default.nix Normal file
View file

@ -0,0 +1,45 @@
{ lib, ... }:
{
imports = [ ./wireguard.nix ];
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks = {
"41-ether" = {
enable = true;
matchConfig = {
Type = "ether";
Name = "e*";
};
networkConfig = {
DHCP = "yes";
IPv4Forwarding = "yes";
};
dhcpV4Config = {
UseDomains = true;
};
linkConfig = {
RequiredForOnline = "yes";
};
};
};
};
};
services.resolved = {
enable = true;
domains = [ "~." ];
fallbackDns = [ ];
};
networking = {
useDHCP = lib.mkDefault false;
nameservers = [
"10.10.10.11"
"10.10.10.12"
];
useNetworkd = true;
nftables.enable = true;
};
}

36
hosts/layne/network/wireguard.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, ... }:
let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
sops.secrets = {
"wireguard/layne/pk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
networking = {
firewall = {
allowedUDPPorts = [ 51834 ];
trustedInterfaces = [ "Homelab" ];
};
wg-quick = {
interfaces = {
Homelab = {
listenPort = 51834;
privateKeyFile = config.sops.secrets."wireguard/layne/pk".path;
address = [
"${config.nodeconfig.facts.wireguard-ip}/24"
];
dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [
(bifrost // { persistentKeepalive = 20; })
rico0
rico1
rico2
wynne
];
};
};
};
};
}

7
hosts/rico0/default.nix
View file

@ -4,7 +4,7 @@ _: {
./programs ./programs
./services ./services
./containers ./containers
./network.nix ./network
./security.nix ./security.nix
]; ];
@ -13,6 +13,11 @@ _: {
nix.auto-gc = true; nix.auto-gc = true;
is-pi = true; is-pi = true;
is-server = true; is-server = true;
facts = {
external-ip = null;
local-ip = "192.168.1.10";
wireguard-ip = "10.10.10.10";
};
}; };
i18n = { i18n = {

77
hosts/rico0/network.nix
View file

@ -1,77 +0,0 @@
{ lib, config, ... }:
let
wireguard-peers = import ../shared/wireguard-peers.nix;
in
{
sops.secrets = {
"wireguard/rico0/pk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks = {
"41-ether" = {
enable = true;
matchConfig = {
Type = "ether";
Name = "e*";
};
networkConfig = {
DHCP = "yes";
IPv4Forwarding = "yes";
};
dhcpV4Config = {
UseDomains = true;
};
linkConfig = {
RequiredForOnline = "yes";
};
};
};
};
};
services.resolved = {
enable = true;
domains = [ "~." ];
fallbackDns = [ ];
};
networking = {
useDHCP = lib.mkDefault false;
nameservers = [
"10.10.10.11"
"10.10.10.12"
];
useNetworkd = true;
firewall = {
allowedUDPPorts = [ 51830 ];
trustedInterfaces = [ "Homelab" ];
};
wg-quick = {
interfaces = {
Homelab = {
listenPort = 51830;
privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path;
address = [
"10.10.10.10/24"
];
dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [
(bifrost // { persistentKeepalive = 20; })
rico1
rico2
wynne
layne
];
};
};
};
};
}

44
hosts/rico0/network/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ lib, ... }: {
imports = [ ./wireguard.nix ];
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks = {
"41-ether" = {
enable = true;
matchConfig = {
Type = "ether";
Name = "e*";
};
networkConfig = {
DHCP = "yes";
IPv4Forwarding = "yes";
};
dhcpV4Config = {
UseDomains = true;
};
linkConfig = {
RequiredForOnline = "yes";
};
};
};
};
};
services.resolved = {
enable = true;
domains = [ "~." ];
fallbackDns = [ ];
};
networking = {
useDHCP = lib.mkDefault false;
nameservers = [
"10.10.10.11"
"10.10.10.12"
];
useNetworkd = true;
};
}

35
hosts/rico0/network/wireguard.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, ... }:
let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
sops.secrets = {
"wireguard/rico0/pk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
networking = {
firewall = {
allowedUDPPorts = [ 51830 ];
trustedInterfaces = [ "Homelab" ];
};
wg-quick = {
interfaces = {
Homelab = {
listenPort = 51830;
privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path;
address = [
"${config.nodeconfig.facts.wireguard-ip}/24"
];
dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [
(bifrost // { persistentKeepalive = 20; })
rico1
rico2
wynne
layne
];
};
};
};
};
}

8
hosts/rico0/services/apps/default.nix
View file

@ -1,13 +1,5 @@
_: { _: {
imports = [ imports = [
./acomputer.lol.nix
./adtya.xyz.nix
./dendrite.nix
./forgejo.nix
./ntfy.nix
./proofs.nix
./wiki.nix
./dendrite.nix
../../../shared/prometheus-exporters.nix ../../../shared/prometheus-exporters.nix
../../../shared/promtail.nix ../../../shared/promtail.nix
]; ];

18
hosts/rico0/services/apps/ntfy.nix
View file

@ -1,18 +0,0 @@
_:
let
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
domainName = "ntfy.acomputer.lol";
in
{
services = {
caddy.virtualHosts = {
"${domainName}" = {
inherit logFormat;
extraConfig = ''
reverse_proxy 10.10.10.13:8080
'';
};
};
};
}

17
hosts/rico0/services/apps/proofs.nix
View file

@ -1,17 +0,0 @@
_:
let
inherit (import ../../../shared/caddy-helpers.nix) logFormat;
domainName = "proofs.adtya.xyz";
in
{
services = {
caddy.virtualHosts = {
"${domainName}" = {
inherit logFormat;
extraConfig = ''
redir https://keyoxide.org/hkp/51E4F5AB1B82BE45B4229CC243A5E25AA5A27849
'';
};
};
};
}

7
hosts/rico1/default.nix
View file

@ -4,7 +4,7 @@ _: {
./programs ./programs
./services ./services
./containers ./containers
./network.nix ./network
./security.nix ./security.nix
]; ];
@ -13,6 +13,11 @@ _: {
nix.auto-gc = true; nix.auto-gc = true;
is-pi = true; is-pi = true;
is-server = true; is-server = true;
facts = {
external-ip = null;
local-ip = "192.168.1.11";
wireguard-ip = "10.10.10.11";
};
}; };
i18n = { i18n = {

77
hosts/rico1/network.nix
View file

@ -1,77 +0,0 @@
{ lib, config, ... }:
let
wireguard-peers = import ../shared/wireguard-peers.nix;
in
{
sops.secrets = {
"wireguard/rico1/pk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks = {
"41-ether" = {
enable = true;
matchConfig = {
Type = "ether";
Name = "e*";
};
networkConfig = {
DHCP = "yes";
IPv4Forwarding = "yes";
};
dhcpV4Config = {
UseDomains = true;
};
linkConfig = {
RequiredForOnline = "yes";
};
};
};
};
};
services.resolved = {
enable = true;
domains = [ "~." ];
fallbackDns = [ ];
};
networking = {
useDHCP = lib.mkDefault false;
nameservers = [
"10.10.10.11"
"10.10.10.12"
];
useNetworkd = true;
firewall = {
allowedUDPPorts = [ 51831 ];
trustedInterfaces = [ "Homelab" ];
};
wg-quick = {
interfaces = {
Homelab = {
listenPort = 51831;
privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path;
address = [
"10.10.10.11/24"
];
dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [
(bifrost // { persistentKeepalive = 20; })
rico0
rico2
wynne
layne
];
};
};
};
};
}

44
hosts/rico1/network/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ lib, ... }: {
imports = [ ./wireguard.nix ];
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks = {
"41-ether" = {
enable = true;
matchConfig = {
Type = "ether";
Name = "e*";
};
networkConfig = {
DHCP = "yes";
IPv4Forwarding = "yes";
};
dhcpV4Config = {
UseDomains = true;
};
linkConfig = {
RequiredForOnline = "yes";
};
};
};
};
};
services.resolved = {
enable = true;
domains = [ "~." ];
fallbackDns = [ ];
};
networking = {
useDHCP = lib.mkDefault false;
nameservers = [
"10.10.10.11"
"10.10.10.12"
];
useNetworkd = true;
};
}

35
hosts/rico1/network/wireguard.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, ... }:
let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
sops.secrets = {
"wireguard/rico1/pk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
networking = {
firewall = {
allowedUDPPorts = [ 51831 ];
trustedInterfaces = [ "Homelab" ];
};
wg-quick = {
interfaces = {
Homelab = {
listenPort = 51831;
privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path;
address = [
"${config.nodeconfig.facts.wireguard-ip}/24"
];
dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [
(bifrost // { persistentKeepalive = 20; })
rico0
rico2
wynne
layne
];
};
};
};
};
}

7
hosts/rico2/default.nix
View file

@ -4,7 +4,7 @@ _: {
./programs ./programs
./services ./services
./containers ./containers
./network.nix ./network
./security.nix ./security.nix
]; ];
@ -13,6 +13,11 @@ _: {
nix.auto-gc = true; nix.auto-gc = true;
is-pi = true; is-pi = true;
is-server = true; is-server = true;
facts = {
external-ip = null;
local-ip = "192.168.1.12";
wireguard-ip = "10.10.10.12";
};
}; };
i18n = { i18n = {

77
hosts/rico2/network.nix
View file

@ -1,77 +0,0 @@
{ lib, config, ... }:
let
wireguard-peers = import ../shared/wireguard-peers.nix;
in
{
sops.secrets = {
"wireguard/rico2/pk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks = {
"41-ether" = {
enable = true;
matchConfig = {
Type = "ether";
Name = "e*";
};
networkConfig = {
DHCP = "yes";
IPv4Forwarding = "yes";
};
dhcpV4Config = {
UseDomains = true;
};
linkConfig = {
RequiredForOnline = "yes";
};
};
};
};
};
services.resolved = {
enable = true;
domains = [ "~." ];
fallbackDns = [ ];
};
networking = {
useDHCP = lib.mkDefault false;
nameservers = [
"10.10.10.11"
"10.10.10.12"
];
useNetworkd = true;
firewall = {
allowedUDPPorts = [ 51832 ];
trustedInterfaces = [ "Homelab" ];
};
wg-quick = {
interfaces = {
Homelab = {
listenPort = 51832;
privateKeyFile = config.sops.secrets."wireguard/rico2/pk".path;
address = [
"10.10.10.12/24"
];
dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [
(bifrost // { persistentKeepalive = 20; })
rico0
rico1
wynne
layne
];
};
};
};
};
}

44
hosts/rico2/network/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ lib, ... }: {
imports = [ ./wireguard.nix ];
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks = {
"41-ether" = {
enable = true;
matchConfig = {
Type = "ether";
Name = "e*";
};
networkConfig = {
DHCP = "yes";
IPv4Forwarding = "yes";
};
dhcpV4Config = {
UseDomains = true;
};
linkConfig = {
RequiredForOnline = "yes";
};
};
};
};
};
services.resolved = {
enable = true;
domains = [ "~." ];
fallbackDns = [ ];
};
networking = {
useDHCP = lib.mkDefault false;
nameservers = [
"10.10.10.11"
"10.10.10.12"
];
useNetworkd = true;
};
}

35
hosts/rico2/network/wireguard.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, ... }:
let wireguard-peers = import ../shared/wireguard-peers.nix; in {
sops.secrets = {
"wireguard/rico2/pk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
networking = {
firewall = {
allowedUDPPorts = [ 51832 ];
trustedInterfaces = [ "Homelab" ];
};
wg-quick = {
interfaces = {
Homelab = {
listenPort = 51832;
privateKeyFile = config.sops.secrets."wireguard/rico2/pk".path;
address = [
"${config.nodeconfig.facts.wireguard-ip}/24"
];
dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [
(bifrost // { persistentKeepalive = 20; })
rico0
rico1
wynne
layne
];
};
};
};
};
}

2
hosts/rico2/services/apps/homepage.nix
View file

@ -83,6 +83,8 @@ in
{ title = "Email"; url = "https://app.fastmail.com/mail/Inbox/"; } { title = "Email"; url = "https://app.fastmail.com/mail/Inbox/"; }
{ title = "GitHub Notifications"; url = "https://github.com/notifications"; } { title = "GitHub Notifications"; url = "https://github.com/notifications"; }
{ title = "Nixpkgs PR Tracker"; url = "https://nixpk.gs/pr-tracker.html"; } { title = "Nixpkgs PR Tracker"; url = "https://nixpk.gs/pr-tracker.html"; }
{ title = "DigitalOcean"; url = "https://cloud.digitalocean.com"; }
{ title = "Hetzner DNS Console"; url = "https://www.hetzner.com/dns-console/"; }
]; ];
} }
]; ];

7
hosts/shared/caddy-helpers.nix
View file

@ -1,7 +0,0 @@
{
logFormat = ''
output stderr
format json
level ERROR
'';
}

10
hosts/shared/caddy.nix
View file

@ -1,8 +1,4 @@
{ config, inputs, pkgs, ... }: { config, inputs, pkgs, ... }: {
let
inherit (import ./caddy-helpers.nix) logFormat;
in
{
sops = { sops = {
secrets = { secrets = {
"caddy/env_file" = { "caddy/env_file" = {
@ -17,14 +13,12 @@ in
package = inputs.caddy.packages.${pkgs.system}.caddy; package = inputs.caddy.packages.${pkgs.system}.caddy;
email = "admin@acomputer.lol"; email = "admin@acomputer.lol";
globalConfig = '' globalConfig = ''
admin ${config.nodeconfig.facts.wireguard-ip}:2019
acme_dns hetzner {env.HETZNER_ACCESS_TOKEN} acme_dns hetzner {env.HETZNER_ACCESS_TOKEN}
servers { servers {
trusted_proxies static private_ranges 10.10.10.0/24
client_ip_headers X-Forwarded-For X-Real-IP
metrics metrics
} }
''; '';
inherit logFormat;
}; };
systemd.services.caddy.serviceConfig.EnvironmentFile = config.sops.secrets."caddy/env_file".path; systemd.services.caddy.serviceConfig.EnvironmentFile = config.sops.secrets."caddy/env_file".path;
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];

8
hosts/shared/prometheus-exporters.nix
View file

@ -1,8 +1,4 @@
{ lib, config, ... }: { lib, config, ... }: {
let
inherit (import ./caddy-helpers.nix) logFormat;
in
{
services = { services = {
caddy = caddy =
let let
@ -10,9 +6,7 @@ in
in in
{ {
virtualHosts."${vHost}" = { virtualHosts."${vHost}" = {
inherit logFormat;
extraConfig = '' extraConfig = ''
metrics /caddy-metrics
handle /metrics { handle /metrics {
reverse_proxy ${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port} reverse_proxy ${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port}
} }

2
hosts/shared/wireguard-peers.nix
View file

@ -4,7 +4,7 @@ let
}; };
in in
{ {
bifrost = mkPeer "165.232.180.97:51821" "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=" [ "10.10.10.1" "10.10.10.2" "10.10.10.3" ]; bifrost = mkPeer "128.199.30.141:51821" "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=" [ "10.10.10.1" "10.10.10.2" "10.10.10.3" ];
skipper = mkPeer null "ob8Ri5fYBCkksRnpbkq0kBlU0Ll3xjIPpMk8e9TKpl4=" [ "10.10.10.2" ]; skipper = mkPeer null "ob8Ri5fYBCkksRnpbkq0kBlU0Ll3xjIPpMk8e9TKpl4=" [ "10.10.10.2" ];
kowalski = mkPeer null "ZgtftftDNAnNsOKo34cgaP3lQim2HMmoCXayALIVsFU=" [ "10.10.10.3" ]; kowalski = mkPeer null "ZgtftftDNAnNsOKo34cgaP3lQim2HMmoCXayALIVsFU=" [ "10.10.10.3" ];
rico0 = mkPeer "192.168.1.10:51830" "9mfgKUM6hXllEUunvI8szlni9OFpKSbaLVZRAhAh51Q=" [ "10.10.10.10" ]; rico0 = mkPeer "192.168.1.10:51830" "9mfgKUM6hXllEUunvI8szlni9OFpKSbaLVZRAhAh51Q=" [ "10.10.10.10" ];

7
hosts/wynne/default.nix
View file

@ -3,7 +3,7 @@ _: {
./hardware ./hardware
./programs ./programs
./services ./services
./network.nix ./network
./security.nix ./security.nix
]; ];
@ -11,6 +11,11 @@ _: {
minimize = true; minimize = true;
nix.auto-gc = true; nix.auto-gc = true;
is-server = true; is-server = true;
facts = {
external-ip = null;
local-ip = "192.168.1.13";
wireguard-ip = "10.10.10.13";
};
}; };
environment.sessionVariables = { environment.sessionVariables = {

82
hosts/wynne/network.nix
View file

@ -1,82 +0,0 @@
{ lib, config, ... }:
let
wireguard-peers = import ../shared/wireguard-peers.nix;
in
{
sops.secrets = {
"wireguard/wynne/pk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
"wireguard/wynne/psk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks = {
"41-ether" = {
enable = true;
matchConfig = {
Type = "ether";
Name = "e*";
};
networkConfig = {
DHCP = "yes";
IPv4Forwarding = "yes";
};
dhcpV4Config = {
UseDomains = true;
};
linkConfig = {
RequiredForOnline = "yes";
};
};
};
};
};
services.resolved = {
enable = true;
domains = [ "~." ];
fallbackDns = [ ];
};
networking = {
useDHCP = lib.mkDefault false;
nameservers = [
"10.10.10.11"
"10.10.10.12"
];
useNetworkd = true;
firewall = {
allowedUDPPorts = [ 51833 ];
trustedInterfaces = [ "Homelab" ];
};
wg-quick = {
interfaces = {
Homelab = {
listenPort = 51833;
privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path;
address = [
"10.10.10.13/24"
];
dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [
(bifrost // { persistentKeepalive = 20; })
rico0
rico1
rico2
layne
];
};
};
};
};
}

44
hosts/wynne/network/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ lib, ... }: {
imports = [ ./wireguard.nix ];
systemd = {
network = {
enable = true;
wait-online.enable = false;
networks = {
"41-ether" = {
enable = true;
matchConfig = {
Type = "ether";
Name = "e*";
};
networkConfig = {
DHCP = "yes";
IPv4Forwarding = "yes";
};
dhcpV4Config = {
UseDomains = true;
};
linkConfig = {
RequiredForOnline = "yes";
};
};
};
};
};
services.resolved = {
enable = true;
domains = [ "~." ];
fallbackDns = [ ];
};
networking = {
useDHCP = lib.mkDefault false;
nameservers = [
"10.10.10.11"
"10.10.10.12"
];
useNetworkd = true;
};
}

35
hosts/wynne/network/wireguard.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, ... }:
let wireguard-peers = import ../../shared/wireguard-peers.nix; in {
sops.secrets = {
"wireguard/wynne/pk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
networking = {
firewall = {
allowedUDPPorts = [ 51833 ];
trustedInterfaces = [ "Homelab" ];
};
wg-quick = {
interfaces = {
Homelab = {
listenPort = 51833;
privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path;
address = [
"${config.nodeconfig.facts.wireguard-ip}/24"
];
dns = [ "10.10.10.11" "10.10.10.12" ];
peers = with wireguard-peers; [
(bifrost // { persistentKeepalive = 20; })
rico0
rico1
rico2
layne
];
};
};
};
};
}

2
modules/default.nix
View file

@ -1,9 +1,9 @@
_: { _: {
imports = [ imports = [
./facts.nix
./general.nix ./general.nix
./nix.nix ./nix.nix
./pi.nix ./pi.nix
./server.nix ./server.nix
./wireguard.nix
]; ];
} }

24
modules/facts.nix Normal file
View file

@ -0,0 +1,24 @@
{ lib, ... }: {
options.nodeconfig = {
facts = {
wireguard-ip = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "10.0.0.1";
description = "Wireguard IP of the node";
};
local-ip = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "192.168.1.1";
description = "Local IP of the node";
};
external-ip = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "11.1.1.2";
description = "Public facing IP of the node";
};
};
};
}

80
modules/wireguard.nix
View file

@ -1,80 +0,0 @@
{ lib, config, ... }:
let cfg = config.nodeconfig; in {
options.nodeconfig = {
wireguard = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Use WireGuard on the node";
};
listen-port = lib.mkOption {
type = lib.types.int;
default = 51820;
description = "Listen port used by WireGuard on the the default interface";
};
pk-file = lib.mkOption {
type = lib.types.str;
default = "/etc/wireguard/private.key";
description = "Path to the file containing the WireGuard private key";
};
endpoint = lib.mkOption {
type = lib.types.str;
example = "123.122.121.120:51820";
description = "IP and port of the default peer";
};
endpoint-publickey = lib.mkOption {
type = lib.types.str;
description = "Public key of the default peer";
};
psk-file = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "";
example = "/etc/wireguard/preshared.key";
description = "Path to the file containing the pre-shared key";
};
interface-name = lib.mkOption {
type = lib.types.str;
default = "wg0";
description = "Name of the WireGuard interface created";
};
dns = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "list of DNS servers";
};
allowed-ips = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "10.0.0.0/24" "fd7c::/64" ];
description = "IP ranges used with WireGuard";
};
node-ips = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "10.0.0.1/24" "fd7c::1/64" ];
description = "WireGuard IPs of this node";
};
};
};
config = lib.mkIf cfg.wireguard.enable {
networking.firewall.trustedInterfaces = [ cfg.wireguard.interface-name ];
networking.wg-quick = {
interfaces = {
"${cfg.wireguard.interface-name}" = {
address = cfg.wireguard.node-ips;
dns = cfg.wireguard.dns;
listenPort = cfg.wireguard.listen-port;
privateKeyFile = cfg.wireguard.pk-file;
peers = [
{
endpoint = cfg.wireguard.endpoint;
publicKey = cfg.wireguard.endpoint-publickey;
presharedKeyFile = cfg.wireguard.psk-file;
persistentKeepalive = 20;
allowedIPs = cfg.wireguard.allowed-ips;
}
];
};
};
};
};
}

90
secrets.yaml
View file

@ -2,8 +2,8 @@ passwd:
root: ENC[AES256_GCM,data:sT8S6EgqlUTOj8wx/FWde1ht/LCfhnnJW8aLNR3IawGcjbWh+JCKnlQ/1FpuGuVF7Qm8qScRcl7FPUZPFpBtj9OJ3984S9DtFJachwSNEJ2TRU+9YdYB1WsXx9ZunMQcTLK9MIyWfIVzqw==,iv:1qfkkj3NMvS50Q84BtqYTiNIMVjdxPh1k52MudEK/5A=,tag:HUwaVYDwjKmnHhEIejnfxg==,type:str] root: ENC[AES256_GCM,data:sT8S6EgqlUTOj8wx/FWde1ht/LCfhnnJW8aLNR3IawGcjbWh+JCKnlQ/1FpuGuVF7Qm8qScRcl7FPUZPFpBtj9OJ3984S9DtFJachwSNEJ2TRU+9YdYB1WsXx9ZunMQcTLK9MIyWfIVzqw==,iv:1qfkkj3NMvS50Q84BtqYTiNIMVjdxPh1k52MudEK/5A=,tag:HUwaVYDwjKmnHhEIejnfxg==,type:str]
adtya: ENC[AES256_GCM,data:xBr14ZVeblPbgO2YT+6DPrENsJElj+UkTJebv3/x0U/u+srx82G2Lloda5zZwVBIEc5f6ZPSS4Oko3dM2PW9KUNO7IjDa+Wsm5MQogSjGT+aNtjlub2PkVts5gp+TtCOd6bUQjnf95VXNQ==,iv:ytKVRBsQWJWwXn6DpCOTDYJOVI3N/KnWtyp/GkSs7UQ=,tag:zbPtMMH6MFE6LpBga5X1GQ==,type:str] adtya: ENC[AES256_GCM,data:xBr14ZVeblPbgO2YT+6DPrENsJElj+UkTJebv3/x0U/u+srx82G2Lloda5zZwVBIEc5f6ZPSS4Oko3dM2PW9KUNO7IjDa+Wsm5MQogSjGT+aNtjlub2PkVts5gp+TtCOd6bUQjnf95VXNQ==,iv:ytKVRBsQWJWwXn6DpCOTDYJOVI3N/KnWtyp/GkSs7UQ=,tag:zbPtMMH6MFE6LpBga5X1GQ==,type:str]
wireguard: wireguard:
biforst: bifrost:
pk: ENC[AES256_GCM,data:tEdYwVK18IiuctAagNnamqtQqRcUzB5CIvdaH8Of7KGJlmAd9dRZJXcgfw0=,iv:56BpKlIKz8227Fun7lmulnznJJ1CBeX047VBaRkSpWg=,tag:CHoW4IKWTZXy2EEGrsyc0Q==,type:str] pk: ENC[AES256_GCM,data:X5FbbtekQAns5nWAACBZDvxArxRjulr3gpHOOLMJI/a8G1YHUurJnihc0WY=,iv:y/RH/H7yUClxauIzYjCZoyusu1rn4bar9Rx1mvsfmS0=,tag:e+heeN8D397oSaOyS9uHzA==,type:str]
skipper: skipper:
pk: ENC[AES256_GCM,data:by1Cqt1IYK1+MTGrj8Y6JQcKGuUun3b4XNDi6+eyR2bviRhfEQdxHEEA+ZI=,iv:V8dZy4iWe7t54aDgn22pGYaqf+tN1drt3nFo0ctoUlE=,tag:x4GfT9kY8+fGrM1ELOMbRA==,type:str] pk: ENC[AES256_GCM,data:by1Cqt1IYK1+MTGrj8Y6JQcKGuUun3b4XNDi6+eyR2bviRhfEQdxHEEA+ZI=,iv:V8dZy4iWe7t54aDgn22pGYaqf+tN1drt3nFo0ctoUlE=,tag:x4GfT9kY8+fGrM1ELOMbRA==,type:str]
rico0: rico0:
@ -29,77 +29,77 @@ sops:
- recipient: age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt - recipient: age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ2NPRVZxUlFZbVArSlNz YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMHVtdzBwTFZ1Wk0vZnJ6
aGxBMCszb0JRbWJFNFhkcVJoa00xV3BJQ1JZCmcvZUpRODBkLzVWTDVqUWtCR3V3 aDVTcTFTaElaWW1BcVlwa0FBUlBtVERjbnhBClJ0c3F1S0NwM2lqSlRyd3JWcnpt
ektBTkprdzFENTIxaEZZQ0RpZGRrUm8KLS0tIFc0aVhuZVh6dW4wbnZ1ajNDazdk dWlOV3VaWEFiN0I3U0dmcmtCTkdQOTQKLS0tICtoczZvN1NFaDBqTS9vQzNuVk44
aXRQZUI4RVlEeGdUMXoya2RCRnMxRDQKWxogRGGH5dP8w80xBBchjxs0Hhw0o+BX aHlwWlZYSElMeVZCbXdoWkxjMGZ3MFUKYSqnaxaJzeDXsWPmo8hocgIyKvFLR0+O
uxNQZoSYENIPESR7ydO7642r8xjLdQdfMEjKz/rnooCgB1Zy7X7kGw== A1Axsokssk7qkx3k/5sHOl/HGJ9gQ8yamBiuIJxAJPYuhzIO7hMhhg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a - recipient: age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxeDZYeTNtczE4eWVYcTcy YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPYmZCMENwNVFHeFNkUlBs
ZDZmeU8xZlppMHlQUlkyb3h2cWRGbXpBeUFNCjUzNGs1endaZ2tzTzE2SE1CYWg2 bG53UmRsMzBvN1cvNE0xNVpHUU94K0thKzJnCjIrN3g5eENXcnNsYUZjUUFxclp2
aHU0dnlpeU9aRTYyc2hCMU1YYlBFQ1UKLS0tIERsS2VUSVllcVhUNzExOEJqSlF4 VS9zT05HSFBrR3Bmb2lGbmJRemVGQU0KLS0tIFVLSlVsS1lSQVpTcEZNbllDeE9Q
SVNNaHl0ckt4bmtSazloUnREM3VWZ28K2/DfdwYi7iMiNrHn/9FMEJX5aaL/PLoR dGN2cUpHWFErb0FNWjlRZGZmaW1QYXcKeAe2bsynzdtlKzXDplmbY1WYSZjIJtQ6
GYtO9JpFHFWngDSVsJm013NlsvAtCY1ep382EWK8Z/I+QahkoyBW2w== Vz1iUUFdAol3qs8VbUdrc6vASxZT5MAWGbe+cSl/D3XWizspVyGblw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age106k9u5ns9h7smh3gqc40k9fft5emknvq669qdv8a29ak3ah4j38s5ng2gt - recipient: age106k9u5ns9h7smh3gqc40k9fft5emknvq669qdv8a29ak3ah4j38s5ng2gt
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZOVBSdllDeWlaSWIvbWNq YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGT3VRcUpRWmxSZDYvMnBQ
ZVU3SDAvUlhOK0NXZWpDK1g2YlhBbnJoNEZZCnVMb2lRVjlIZDdQaDZONVRlSUJa cCtheTNiempOT0ZOdzZmcE5vcEk2Z0dVMFRzCktmODRFamRGbWgrLzNCTFlRNHdn
VElXOGl1T1ZseUFBY3ppUUZocGwyR3cKLS0tIG0xZE9BSlcxazRHQXZnNHl2RXRm cjNuOThPV0xuYUIzbVMyUHhwUitOblEKLS0tIDV6d2lhcHR1UmRrZGYrdGxrREhY
bjVsNkk5MGxHVW15RHF0ZGE1czgrQlUK43DGYjIydqND7bSG/9fE8HMm3jzJ7KzI TktweVg3KzlITmJYS1drZG94TDNycVUKliVvdGzIWfQFglMF7OgfvE77PT8cXnWq
tS94Djek5QSY2xQxXVdLQ3g9Rnbm7HF8bTjDlOhBM7drryuraLEBlg== +lOBhJZV57EFxNUaQ7B4HEzTSrs7cXxpoTfww4xELgVGsXidRdP9zA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1829x4l8vdhcn97af0zq898tupll0smrqywxka4pswkt6mtn8qp7qqnnnl4 - recipient: age1829x4l8vdhcn97af0zq898tupll0smrqywxka4pswkt6mtn8qp7qqnnnl4
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVW03RVlVUlZYOW5VdWdT YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTXc5VDJyTVlvYzRpTjFm
K1NjaWswK0xSUzduUHgra1ZON3dsTVBFSWxjCkt0NnRVVXA3TnYwTlBQNXZTdG1t M2svWVVmVlE0bkJGS0NtWGpKckoxTnJxWGl3CjZlZXNJSFJtb0ZBY3dobll3UDJG
YVRQTWcySVRrQitOQjNlc2JBWmNXME0KLS0tIFhUa1IzY0dSSWJRR0FIOGZ5QkQv RERlaTF4RTU3U0oreGgwNVhVMkcreTAKLS0tIGpCN2lLUFozaC9tSWZZK1lhaHBh
dXQzNXkyTlVPdzhGMXdjRS9ENnFHL0EKB4YiqGAcL0VlRRj0TPwfgSKHKTEnGBsO aU5Qc3NQcEl4NUJTQVZwTFd0a2pxc3MKmDqrWH8QcJoSmco+Wv6sFvAABxb4BEqV
cbSd3iKO9TDxWQwz46cpY6NmRTORlq4j0kzPAm4k5JLHUVwulgwb0g== 0zYwJvu8WJfyZM9fjXwbiSThX3AmheHYmvu8D4N4TDPXh1vPduK9SQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age19uy6xerll6st3s3ftfpy7075m9eetm2288l2w07k7ek6z2l3ef6qfw34cf - recipient: age19uy6xerll6st3s3ftfpy7075m9eetm2288l2w07k7ek6z2l3ef6qfw34cf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSU40amdyMzZ6Wm9TUHc2 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaDdHUmlxT0hBazduNi9Q
VXcwN3Q1azQwaEtxZDZpdW8xemMwcVZJb1E4ClVHRjY1TEFMZXdtWVExYmRVWkJk ZXlhNkMzcEE3bFFIUXhieVMwRGFRczJOY1VVCnhKV3RDTG9yRjIrNEl4UHpQSDd0
NmhHZysyUkI4VnJOZzVSQlRwbXI2QU0KLS0tIFJpbmRFRUM5MzlSNDF2RC9Fd0dY OFk4NXpuNmVWQjZjZHVINjUxMG1NYzgKLS0tIGt4RGJudENhTE5zMnVlWG9yaHd3
VlByaWhmemc1WWxCQmkyQUxVOEc1SDAK42kD7infmLQKLjZUcsu6EHAMV5zRzGRb R1JtRWR2cXh2RjZWeXFOWXI4ZVRJYjQKcxj4IYW0N67chn3nvkVD4fpaPLG4pIsA
E6hv2YYUHF7uLgEcPEq4hJZ72kjMyyqyebv0qLQB5VIylifrMJrO2g== NSHHuUJVkyWzagfr7KwlTNy732Pmo+Z0/tsPgU6tujEJ6UZHCV990w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1jyaf9rn5d5pqjh60shs2q5hs98fwugak8z6cs6qs7yuc3wntugmsumxmv0 - recipient: age1jyaf9rn5d5pqjh60shs2q5hs98fwugak8z6cs6qs7yuc3wntugmsumxmv0
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQU3ZTOGtIamlOQzNrTDg0 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIckk3VVNWcWFtRG1NSHlu
SHUzR1F6RTBtZU1zNDVFUFFFejBlUFRYUkVJCnkxZWFuVGJCV1Nzb29Sa3lxU2x2 bWR2MTRCM1hBM0ZFNk9UL1h0OWRJQVFlU0RjCmNKcmdIZWhEeVlySkF1dDZUSUpM
bm4zSFp3Q0hHUEJUTEpuem9rYmE3YnMKLS0tIHUxSEZQV1B3ek5KYUZjbG03c1Rh bHlVOW1SMUNZcXVJa2QrOFdyc053djgKLS0tIDYxSVI5MGhLQ3N6NSs5empjSFRK
Zm10bjJwWkQwcVVVVjVxWGFRVGwrOFkK/LmuPpecWWHnTa4DXY2UiCUOfsxUG04Z bitpYzl1cUxrb3pSelFDT1h6RDlWL0EKjXmQt08XgxJ6JBjjXmrtEqFqFQH9HG1j
dKZ9GAyA6QPsBJgrEHxNd/PHmLIEA/Vhw12ZsSKCksaFD2at8q513w== d1uWcoKE1lYJifBtGUL1/U26RelucSYpBf09czN1DcOqGziyhlRg0g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1k2wpm88wms6hx3ldvu0n2je7pag9fexs9eq0e8hlkfcs2dx9eg9qlkf95d - recipient: age1k2wpm88wms6hx3ldvu0n2je7pag9fexs9eq0e8hlkfcs2dx9eg9qlkf95d
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaVpYU3JJQ05iNGdYNHMv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUHgvZHcyVkIxc2NIWCtk
MjFIcEw4bk9UdWVaSnhncUJkYmlaaHlxSnpRClJMemtIcklGUzE0ZzZaVXNiS0dO OEZkMFE5VFdKQ0NuSjBzdndsTit4YWpHdzE0Cjl5a09KRDA4aUtXTGpDTkJZRnJn
SGdxWVpjRzdHSDROcVl2bTNxVzlwTmsKLS0tIFE4cHFpOWpSYlRLYnZjVmlTc1V2 RXhLSXhoTVFwa2NRU3hUTjdQYW4vN28KLS0tIE5XRSsxN3FqbGZmTkFlY0N5NkdJ
UVV6WlpRbzk0UjZVL2RMQmNnNnlvZ1UKhrTqF6vq1c2jsrvjtMv+03fwj5MZIVTn OXJsTUkzeFpCd1NkWkNnaUZRKzFkeVEKhPv18blHw8cJpF63eo1yulMB5QFLRfZB
uPY7OHqm0scOxARNIW7nVYeTIxNYFEPvfZiriydrOtXfrVZB4u82IQ== bsWMe8pVgM/9uuYb8cpDNulYL8caIcbLoAiIg1xMBqlsiSBgIlF7Zw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1jt8uleg4auf0h8ftl4ykq73epvgqml29q8ty0lz6kasta5h6td3shgxvrr - recipient: age1d2anhmqdewykt3mgz6azsyz0yh7wc9ap6ga46myzwg84c9rpspws9ze3l4
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ajFvYVJxejJkcTM0Rm5n YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUT3NKclcwaERiM3gzV2o1
a0tOWFE4Q1R6ZS9qZE1BTVZybnRSTS94Y0NFCjJIUjRwODMvcmFKN3VvYUNVOFB3 SGw5MVY0SjhNZ1Yyc0dFbm9DMFdseGU0UUVFCkVXd1IvU3ZPWm5pVnFOb21kbWVr
V1lJZW56STFra0JsRXF0RVM3eWtLaTQKLS0tIC95SmtrRTFRbW0raCtZWTN4RkFJ emFFVGg0MXFienlHd3ZmY2p2Yyt2SjQKLS0tIFpZWGNINnFRdUJZQW9YeGxrUnN4
UXJhWFFnQnFvOEF0M0JFb3E4UVB4UU0KSUq4d8eudY03p/fd8S8f1wk0OU4BlNYB WUc1Tm4wMkxUM2xybjFKK2VqWU9GSFEKVhMLzPF5CT/W0PC5jsNzpIE8wtRrUdfH
tldkOx2DhSvcVr/FcIJIR2PFbU8o50kYj9R0HR2sHJ5C5fJ0cDXY4A== QHKId9QbaEaz8c85iXppJwONJJ2eTWUElj4ZVLUacgiqyS+rBiyuFw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-16T13:28:44Z" lastmodified: "2024-11-16T14:09:27Z"
mac: ENC[AES256_GCM,data:HSpdXpDRlP7IamrmvQInn1coo+T59r5AowbH9uEr6cntWhOVjI6xJb91dd647uhnl9RQ4KN6QjNiBU3u4/9ie/hHAOzuX4vzYHjaWV0iO1pAHVOkT5jmker767je7rKVOu9BdtDgckGWQfC599bEL2PzS5megjo5Jbg/trZXHx0=,iv:EmnH2nwuBHdrtoJXSvOUdob0YKzl88jyJbXN+qFX0zQ=,tag:kUicG4NTK8DiY7OUvOgv3w==,type:str] mac: ENC[AES256_GCM,data:jadem1cX0PbeWeCUxZy8svPB0PbthNfKKomvsEILTbl99rlsQJmeiFtA5eaewu4qjC+UUfJrrLrArJDCDweYrCGMyCnfwh5+xN+q5SF4dCoWon1DeE4G+OZ3R6Kv4XPfdg7l/mDblndIp7WbhlsCEoZM4Sl2e7VheXfnFtacpK4=,iv:v/vEBnnLirIItGiUqAHs5CYzMduw7u3TK5UpiaNCjmE=,tag:t5fKPnJYg9Zm0uAOsi9N/g==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.1