From 39f0f6963a12e3f63e96fa56e04281e7a5c52f6a Mon Sep 17 00:00:00 2001 
From: Malte Brandy Date: Thu, 1 Oct 2020 01:30:40 +0200 Subject: [PATCH] Refactor secrets --- .git-crypt/.gitattributes | 3 -- ...3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg | Bin 796 -> 0 bytes ...3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg | Bin 789 -> 0 bytes ...3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg | Bin 793 -> 0 bytes common/default.nix | 2 - common/secret/.gitattributes | 2 - common/secret/default.nix | Bin 16262 -> 0 bytes common/secret/host-keys | Bin 679 -> 0 bytes common/secret/host-keys.gpg | Bin 5594 -> 0 bytes common/secret/jaliconfig.py | Bin 925 -> 0 bytes common/secret/wireguard-psk | Bin 67 -> 0 bytes common/wireguard.nix | 7 +++ home-manager/roles/accounting.nix | 2 +- home-manager/roles/games.nix | 2 +- home-manager/roles/mail.nix | 25 ++++++----- home-manager/roles/taskwarrior.nix | 8 ++-- home-manager/roles/weechat/default.nix | 4 +- home-manager/roles/zsh/zshrc | 1 + nixos/machines/apollo/configuration.nix | 34 +++++++------- nixos/machines/apollo/secret/.gitattributes | 2 - nixos/machines/apollo/secret/default.nix | Bin 26 -> 0 bytes nixos/machines/apollo/secret/factory.nix | Bin 55 -> 0 bytes nixos/machines/apollo/secret/pw-me | Bin 125 -> 0 bytes .../machines/apollo/secret/syncthing/cert.pem | Bin 637 -> 0 bytes .../machines/apollo/secret/syncthing/key.pem | Bin 310 -> 0 bytes .../apollo/secret/tinc/ed25519_key.priv | Bin 426 -> 0 bytes .../machines/apollo/secret/wireguard-private | Bin 67 -> 0 bytes nixos/machines/hera/boot.nix | 4 +- nixos/machines/hera/cloud.nix | 7 ++- nixos/machines/hera/configuration.nix | 42 ++---------------- nixos/machines/hera/mail.nix | 9 ++-- nixos/machines/hera/network.nix | 9 ++-- nixos/machines/hera/secret/.gitattributes | 2 - nixos/machines/hera/secret/boot_rsa | Bin 827 -> 0 bytes nixos/machines/hera/secret/default.nix | Bin 5622 -> 0 bytes nixos/machines/hera/secret/kassandra.nix | Bin 49 -> 0 bytes nixos/machines/hera/secret/maralorn.sieve | Bin 3891 -> 0 bytes nixos/machines/hera/secret/pw-choreutes | 
Bin 124 -> 0 bytes nixos/machines/hera/secret/pw-me | Bin 121 -> 0 bytes nixos/machines/hera/secret/secrets.nix | Bin 350 -> 0 bytes nixos/machines/hera/secret/ssh_boot_rsa | Bin 1697 -> 0 bytes nixos/machines/hera/secret/syncthing/cert.pem | Bin 637 -> 0 bytes nixos/machines/hera/secret/syncthing/key.pem | Bin 310 -> 0 bytes nixos/machines/hera/secret/weechat.nix | Bin 618 -> 0 bytes nixos/machines/hera/secret/wireguard-private | Bin 67 -> 0 bytes nixos/machines/hera/web.nix | 4 +- nixos/roles/default.nix | 22 +++++---- nixos/roles/git.nix | 2 +- nixos/roles/mathechor.de.nix | 8 ++-- nixos/roles/matrix-synapse.nix | 19 ++++---- nixos/roles/modules/laptop.nix | 1 + nixos/roles/monitoring/alertmanager.nix | 2 +- nixos/roles/monitoring/default.nix | 6 +-- nixos/roles/standalone/admin.nix | 16 +++---- overlays/private.nix | 16 +++++++ overlays/testing.nix | 4 -- 56 files changed, 117 insertions(+), 148 deletions(-) delete mode 100644 .git-crypt/.gitattributes delete mode 100644 .git-crypt/keys/apollo/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg delete mode 100644 .git-crypt/keys/default/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg delete mode 100644 .git-crypt/keys/hera/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg delete mode 100644 common/secret/.gitattributes delete mode 100644 common/secret/default.nix delete mode 100644 common/secret/host-keys delete mode 100644 common/secret/host-keys.gpg delete mode 100644 common/secret/jaliconfig.py delete mode 100644 common/secret/wireguard-psk create mode 100644 common/wireguard.nix delete mode 100644 nixos/machines/apollo/secret/.gitattributes delete mode 100644 nixos/machines/apollo/secret/default.nix delete mode 100644 nixos/machines/apollo/secret/factory.nix delete mode 100644 nixos/machines/apollo/secret/pw-me delete mode 100644 nixos/machines/apollo/secret/syncthing/cert.pem delete mode 100644 nixos/machines/apollo/secret/syncthing/key.pem delete mode 100644 nixos/machines/apollo/secret/tinc/ed25519_key.priv 
delete mode 100644 nixos/machines/apollo/secret/wireguard-private delete mode 100644 nixos/machines/hera/secret/.gitattributes delete mode 100644 nixos/machines/hera/secret/boot_rsa delete mode 100644 nixos/machines/hera/secret/default.nix delete mode 100644 nixos/machines/hera/secret/kassandra.nix delete mode 100644 nixos/machines/hera/secret/maralorn.sieve delete mode 100644 nixos/machines/hera/secret/pw-choreutes delete mode 100644 nixos/machines/hera/secret/pw-me delete mode 100644 nixos/machines/hera/secret/secrets.nix delete mode 100644 nixos/machines/hera/secret/ssh_boot_rsa delete mode 100644 nixos/machines/hera/secret/syncthing/cert.pem delete mode 100644 nixos/machines/hera/secret/syncthing/key.pem delete mode 100644 nixos/machines/hera/secret/weechat.nix delete mode 100644 nixos/machines/hera/secret/wireguard-private create mode 100644 overlays/private.nix diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes deleted file mode 100644 index 17ef6016..00000000 --- a/.git-crypt/.gitattributes +++ /dev/null @@ -1,3 +0,0 @@ -# Do not edit this file. To specify the files to encrypt, create your own -# .gitattributes file in the directory where your files are. -* !filter !diff 
diff --git a/.git-crypt/keys/apollo/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg b/.git-crypt/keys/apollo/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg deleted file mode 100644 index 8e6ae355131a9e23ef0db96712bd51d7fe5e9e36..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 796 zcmV+%1LORK0t^GZK~g4LoxP#~5CEWz#@->CFn90RG++=b(W>YEO$<}0oSrnw>QQ3*4*&K(T7Wsag%-%xe1_97Nr5w#INCFFWlwSwx1Z25(+`i+ z;i@5HnkkYg?T$K{hYXJ=pJ#PV(B~OKKVqSVEt2+W9`ar7TO9&bL||5WO zDFd{QY60a6=6ZK+HpF0G%aH?SBY{^>ZR^>raYTQypZlkS-EJsr4nOQ%h?Kx)#;avX zH=tz_1@H2rN9(>-P=4g2RTp3(I~<26Be=<1P+WdE5#6{@RD{wzgX=C|q381)WTTvPb$DQ+Z29urXir?;X0< zV0b8mIEccNn;)kwU!%?0EQ3VBp`$}77`XOh_nJaggHhDB-S1aG@fA`|f6*!r)GFSeuh`(ERtaz_CEMamK%iw;*G58)^Br(ZWz!#yrWiL+g0s3S-z ak0ou5k!^jBT6)2bq@hZvW4?j7%Jl?KxQdzai(sjjr_7)}(R*lgKC_DCG%4LLF8| zC60FioA>pvjlx@C%eUSandfUdq6wAEm$7qaA|aM&aNszxK(2_siw7$q4x0TUCP3WP zglXmfqFNfYd8YbNpLzU_Uy9`!{NziIUs2=?^M% z;@G@vWcbSak#>hoQVY1h0L)-yc{m&NC*YS%45hmb1QTCMOd;}y*wVfQNk0pan4h#} zoJq`(9PThq%BLarXeBk|u+>U@BZb~qY;L`&+_smsohv934kB(0#E8ceZwx(em_GZo|O#}W63kYEVXI0+V;=>|VIz=Dwq zz!_S8M8LRQvzpDX2^E~ueJ(Ngv6zSxKAh??c=# z^X46#RBMo4$x&MCDA^^^%L#B)0u!PDG?&f)yiM|?-IpVbIbizAUB?;az;t^6K5Fv`ai!3LXL5`1Xx?7 TpPd6h4mGfHHfC3-ED_8hY%hz? 
diff --git a/.git-crypt/keys/hera/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg b/.git-crypt/keys/hera/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg deleted file mode 100644 index dc46aaef1faba1a08fe13f511b598fb6455b8d2e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 793 zcmV+!1LpjN0t^GZK~g4LoxP#~5B@r_d~`dUg2741g$b7m*5wArw-olr@O*6ScZgF4 zjHIlEQndH(EYC8lyT6Joc~7PKWP*J`)JV1kzcUaXvy#_n(tg2i`BJbhZlnO~aySTA z&=2Q?p*MKS1t_&*+E<7|&+0^jQa>M`3_~sX+;^_|*POErp*WXEVm{Ka{Zz~yP`{1# z_mBV0M>FP_a^W85Uz#^kpz+X-&}n1UN4bB*4nbv-@5wyJt-3N_7N9M&m%OheFW;T_ zjup5Qd%M)!8R5WW9z##dKQGdRGy`LH1$F4r163FOd>X+Gx}OmP$d43_sgNf+EcJ)sUZY`>vodd#hTWsB#UVrYfJALX4S+UID}m_nt@ zp`w<;7y)CBub-rogNo9FCzsS%=}rRA*;yKOs+js8LG{2t*+|tCp@k|ZP$W@$D#=Ei zgZD8(s|)0$UQ<@#%)%XNHMX5Up4hq^@*{vR>|AHp5ba=;;9*2(vxWwYP+sdoZ0Po# z-?%bORpICLd5R1bOCr+1M***pfL>(;i$y9u3}PLf1Ut_YzKf1g*O_@auCf}|AQUcm zm%MOK*UU%qmA~7YS9V0>p6M+=rx0FVX0y`-7rW^;g7?b0KI>x}9;9SzT2r%MYcfEl z%eyy9u|9fUkjplLDd+}qEJnEkuwEr*3gKlQ*xFOuDw8dHwnsSiU7NMK!kjMR`Crn^ zDDmcdm|_f5;dW16$Ka4C|DTGo~SQZ&Sz%`qzRsHm7qy XOh9*=%=$Q2eq6``yqU*2eFNY=ne>94 diff --git a/common/default.nix b/common/default.nix index 4afbd3c5..1c37fd01 100644 --- a/common/default.nix +++ b/common/default.nix @@ -4,8 +4,6 @@ with lib; { - imports = [ ./secret ]; - config = { m-0.monitoring = [{ host = "apollo:9100"; diff --git a/common/secret/.gitattributes b/common/secret/.gitattributes deleted file mode 100644 index 5ccf582d..00000000 --- a/common/secret/.gitattributes +++ /dev/null @@ -1,2 +0,0 @@ -* filter=git-crypt diff=git-crypt -.gitattributes !filter !diff 
diff --git a/common/secret/default.nix b/common/secret/default.nix deleted file mode 100644 index 0e554a53a991e31aafb2386030d32b60beaa500e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16262 zcmV;1KY73aM@dveQdv+`0MnfZow#!GQ@x$HzanvW>;+pdlKu+QYeG1F4eojm*lf^R z0_sMO`FK5M$8gvsyqk66;&r zj!735dhB+}N#)8;2Lc#y)>sTJ zj03q?h(&4B8vIHbAm~MaFxp*QzUdWoCJQf;?Y3l%n$)jJl9K+rlP3eK`l)~oA+q0@ z`O9BJ^%&x+kB8WbNgo6)vBOIo3Wa~8x^Gw}Y;q69b-WtQLlWVSL};+q3!cRtM+CWj z2|zKOAxR&A6Q=9a;(WyFd_mUQcj139NNfx2o)K%LSwk}wcP%0tR+nEJME}t6re*7q z_3zn&Uv%zR?!b<(5${D2LYEw`)kIDpnGlQ2h*I7y`0!oC%6*~vGGEb4dh5}gTwQ1p7-GLY51>U|3 zT@M%QXb|w(9*wL!wQ3Z47~>dRHvPNyx14OBSdc8*v@<}p)C@HYB3sRnFD+y7RD4R2 zVH(Pk|0G0#GiEvr>Cs&r8j7{SWmB+qm7>)QRIPAp)>mlM&2&yrCA-3f?zM< zchy{wiW@H+!~{ZjagQAqJ%Wr{u1C-D_d`9Rnp~6Yn^Xq4kDJ4nQP_E4l~y1+%=$n! zx=GQTYNt}1?o7%hkd})01f*%?{i@Bp&n@|YSba8nh;55BC{1vLjR%Be@oWZnEb1cf zbxUu2(}1vfumRxm}&ZIG6vQQ$$R8>Duq@V)`z|DO^3bE4Yd zn&)Sgmfa%J3wH3JSAF?Z6qKY!M(G9^_G1$F5gPRK#$KWk#X=CigV#*s6d$!K*`rqh z0!d}h!j&S$U|++l=BeB40?<_1`VLmb-x*GwW!U4vC6i466=T4o*9pB%QSu$z_@n@g z{6)LYVaeaZ5*4Z}V_gmmhETuA=*BFaHg@FODYh)6t7;Es`2SJnlG?>0x1nvP6}8G6 z6lg(9=wMYKMgA;eli_J#wav!sWf}J52ZaxlXyhB<9mMue(plAimot_U)4r9-&*j;nTLQA(ERByVGe5a9GUy?33m=T zcG4@Bc*^Ngzo)!Dkj-%doBq>GmbmxCS_&j3w?7pD-*S*5UfG-yq6XQ-wZ~Sd&b3!; zf?Qt!1HR@GhmM-E#9z9Z(hlilA`h8j3_UW$XuL+CRv4`*<^(?$!*-7`=YK9u{BB-T z^^9)%>5d|PUDV?Wk~$0 z(KPGL?1iFe9^!n61PTW{V7o4Gsf|GT$>QxsZA81~o`>YUm*1oy@zHkJPY_}sf5v(j z)4f%5NQv~#5YICKAg#KYq?m!aJ%I&|CZJ-DN;iR&o=pNl@n!3eQI!>q+1VD8*0{dV zI*-OzF($)Z;uyj%2Jc(Af$wj;8~BqWXfd?`>si~*YUu>7Vq#!~QCYuGL~k`dFJ+DO z3d@{UIuqg_9c@JA;7{w;8R+>pAj6fe07LQBb)2lHn~_^wz{e6Wf&Lzg1E^fnds{hS zCQQrLb;c*HWd5=14xge|oVeJYo_9iJMUUi0P0JnDfJauh*-+G`gOD_VF-=SQsY*w< zld?Hf$+`vG|5EZrZ%{vU(CKq7^EUZC4A>D1n}U)bF(9OPb{H;#JRce<*Ga~~6}N3A`MuYT z>WU8PuyslzP?4rb^q470Fguc^Ly@a*^xtzH(3=@S+;=IPa?w?N5+d=C1ms=Pp`Hv@ z(bB@P->r|hqaHR6CvJ9hF;L;y$exr;ZDV$%)K3=*?@VY}BF~tsrCvLNl1i*7n7Kw> zIPsr`Nrwq`5iEu~pPY_gq{-3)BtY4fIpsJb_QnSwlBaSg5=L0K5lG4{IITt`9dwKb 
zAV8(;wjmsrA2*1Kt7f6QdicUVRi9=dP191CpW>xQvQe8I?gUP3vhY2H=)S*>_)Eh` zs{^%^o^>zedA$_yKm~tblcX%SrgKwj=<8ohGTWN5AqG<>k-+u15Rji%Pd%3tQm3Mx zAtHdx!s)0h-8be|u2F6?{qTjA#4J`>H5xzFa|;Zvl?JlpVUSMNP)q5PdMVj~=L_1% zGgcVk^*a+8i4Pg5NBe}V!awHMi%miVpU9c(J78(!dHYyp)BsZ|-R7~xqef=W7YJ`f zT1&10IZgih7aI5SvLn51C(vVDS8Q^j4g6w6_Sn+Dd=q_-vd}DO8PD1vI(Q#)JTen# zs}$^)m?^m~6MGDm*w2_G{I;?MKp%)#q&fgz4n?oCY5sj-yn)#aJt~ZVpB{@@{`r|` zgT>WZOZfKT;1$m}Lrt}%5*eTCFAS~m-Bde^o5^I6wmni5FNJx~l;83r=fv@Zt{Xtc zBF<{>#c_XmC&?I3!JD_@l4rW)7Qo3YCHj#Zgq13Oh-!}^8JO1GXr)lWw^1!`e{6?*Iu;M;#tobDJVc(Wg+Q=Y zdAp{eeUcwGW(>AimJ;}BSYGUJPEM*mCoU=v+DIa6OkbE2LXu!AEu|UpNm;{R5MHYN zd_;e)iRBPM%U(lWiO7InHcaB6+-yg{zilLZg6A!xxHb7& zHqWEXq492Oqkh{#fa@b@@XSr?argT_K2N4WDVMd0N}+V2ne6ofbkr%yvc zkqRt}rF|Ln)2aM$0iyG$;@~{A<2gH~rZ7wC#pq2cj9TXDK%{Xhjq`Y_I}4qC9{bXe zxpI}p7jsgaxb$COQK_LjJwaxa_LbB1p}PF;sRZ(gg*xPbbBYJxmA7`A2}KJ|N!gC_ z5;eR?vIV?G=e=QMv=T5j1KS^|J>snDdiN`2kSlXg^GS!ky!j9{ZtN~<4aS~sztE#F zDK?B+?aH^*;1F`6ml`hYR7j}XsmVXIFmF7c2bS1kA2BmBD8d1Vp3VzAA+fqWOLhFe z7FEcP>eg`)r9ZYs4=6lyB`k5V*w2SASq-pJ}eTlY6% z$U(x}Cim7EcE7RX?y{boaLmY`AZ|h9LI*cubEI<=Ehu6GH&IMs%cqrBV{O%*Q5;o( zGD1`EHJ9T;DY3i-;31ladI8cV;ZidTwKnoE-gwAU5a8;-KzM;6WD7 zQSm#xi;zW0sdypMh$o+AU)LRNaO=+9ZrghZr~S@Dsq^+?Zu*6su0_MfaJ%$PdIUV; z4#et5q!&-$jIwoKcaZKRBZwA69WkbP?HiQ;O#_719d;_S%l@y;Ggsl+S7fzz!nMl4 zP4oR;w>ylr6=eh@`EP#Drsx4P(t8PlZ*R*Ujb3hRxYh*y>hEY&^+mp6?MX+AI%E5> zKi(+;A}1ZN+#^-}Zm5GfPfsZgSnNmysn!+gYcrQtFBnuJL9u3Td`x_&-D$DIH_`ZC zPyHPRb)k|5K8zRBgh3G#OBUFy6H;Jrm&Bvsr$e8>Rt9G>U$mvzr{?fWq`9}P_>Z`1 z?~0-!uvZW167qAqTM;tM&~^GG!%@;B*f3C0n(}qs?FRgZ{V}WEJ5pEJrs?K{N0xE$ zYr=EVG6%{w5Yo?iGV~<_<|Ma>qCHO*tt0qCsmJ(m#i+rn-6&CJtb@4;9vtcqb*|X4 zg{NeKtb&hl5nm&ZW?r*pGi#oCq$3^;JGjJ^<(^qs+_Kd9iG$C52>-WvpKY6eZfb<@ z8!dCs428KArg>oqy`tKlhfJv+|RTm&z>W;TzwqyALMlx`H1 z0afwIW`3F$)Ee58corbRnXPya?#JbM zbg1-T%;VNiGHTeXsRkDpy0OSR0<`E6j4$Kd&Bj#$pfZSNX@ zu+pZFQ@Z^9B9kC!I913n2ZxXY$BFeqwIj8WL)P91GJW3~#4}tB;Luz}&XZ6UB7VgO z$DuY$P#d6`7%$mzZ~Oo8^|0R@{$M697Pnrq^Yfp={#4PgTy;Rdotni&!w51ci1oflL2)e08I 
zk?7(r=y$-<194sFR*stW*zaX7F510GU~h9ui?qjk*~&d8zS03@IXVWONJRcrv{Owi z(jR%3R$X2Wn>&Mu&<^%YY2fBu*2jEmI~4P_6YI1ET7FCggVsc?+9q47xKrku`}&O0 z1HB5)JFH}ntvq$n17;#JPFt9bz$sfQ)^Ce}*&{8q26Dpg?%1G2{TT|$ zL6pMaF17B~Yz88&MH^ffyUi3|A`5`iat<<@{knESEuN2d&DO^OEKQ1F8ITe&Q$7t_ zURXXuB_y@rVY7-u+5auhQ;;8P#C9Ol%9e9Mb3I^b`@&{k8O$?F@a5m#{I7t*I>zA$-6 zkByT9^Vyz;PXg~Pt`d*sP2Jo}<{E7YDU*~sS{i`1@_2(R1@$%8?RM>TC$B@vmm5!Gsb8dZBO9W@2Zj|7#BZ=x{K7|Euq&%2@!W~pc(#&XGl_b9P&eq z?a6J|qOjUX$8$(^_7^~U*$amXZ%fM)3n;*j6kgCMD>G0*oCqzc#Z8kIwM*iEX~P`$ zJU&~drKj(V)PH&4aEcA1T~Zrs6Fx#u&Eqg5*ld!biw4`KkoBmX`}lr?B}-LZ98Jem zA4wQ=w|F|z__T!kUQk$xU>DvUJw5aWIy^nNlr?t5HIyTw`9~1hc1a8;rSS`^?zf(u zA=48Bod4P}Eh~E>I3HAS0|oSItVVnJTF%@MxFCL$$tFmj^91NRrtF>=dAeQEgt{n# zn40^XX)7_p#Z(hrU0j3FQPH7&`ZSJheDULC%Z)W%T-YPl%sw8^7l1>iPYd4hl90Z> zp-^x0WO>DvS2{OTIZg6+z?`= z=_6XUaUG-zec9@2s%qJ=BpNT74L?yLy)yu{Gr~^J6@dbsi1lY`Ex>24>Bg&s!|j|@ zsAlVaZI&He)Rn)L^x_>>A&+@CLfK(6E0jOhcL z=V<*oAE7)>p{=q?^w78VA;>kEU2wl;_P?+|$*R6jBhDkY>VNOH2~^d`{aNGvcY43S zH_rp+lKlv^R2}z3OUsaLSzp;o1A&OVDN02w=t61HKjoCNwDN$?8ckMLmH5>~g{h`_ z^36|SIE%y90+?TK0LaOlD+;rLA(IzS3+tEnKt;svIGjkBxV#hBooUpB>V zlg&?}|1N?@7AU$zs$-NNiU+L$BPH{nspoWy9D72HwF}rvcC6Ys18X2Ebt$ixSuT-h z8rR3baJ&v92hII|v##7oE%CZdF&G$dkxD=a`kE`h#8qN%3ZnJFE#GxGY>v{>ytOx> z9Sa?9!2D<;v;xLBj_s9cvHGEQ!lgY;^Ain83RL{{Lh+bgJg|KBF}RBS*$Z>QZmB?` zDv$w=BIB4;VL=PKfl%n`2A1bgiTU@whAPiH>bQXU}Jb}cxlFDf>>6-th z!?9C_BdrE)b9?xixf4K(-P)wy{^+a zW?wnU_Ybgcqd01+Wcovlk{7hJ!T4pE2^vIo=*qox%DaAdXFG3X%lU<%JlXU*Gd0Iz%uflIy*B?AL=d3y zkrJVPsAV2+JK^cV$M)7|`sDDT+S%hs#lN@OtLISK%ZqDjiZF{SR4b7iBpnPy+(28c z1al4C()z!yZgz&5{6sv?3C#zlD^7MRMJ5Iuq@CZT8oD##DTl<_MF?ph%7Od>H92ga zoE-nMv%icHzz992Y5c_`97!83NqRG>|37ob97IQTO`w>fwVl*sjeC)pv#e=yrh zN`G-Qo>SHG2?E>KRBhj$=ABY@4tvuF<`6)MIbXo4=RUlt2x zuzmJAT?dHl+z=STaaxyZzu|TgH*d^wAhLir%lvjFbMHP%$-e*vTY3%}5+D=7GZiq3 z5Q5bQ{#HkSs$Y$2@B#r|<&G!69yMYQ$tVDF&(|IDqVcerQewo$D9$xJ3VK)b>w{w0 zL_Ce~R+}Uk(?4g733YLAt~yANPx97qkT;OyIB&g4Ui?e(&?#kd%TAKt)nB85mc-$)Bzc!BoYv)9Dr 
zdj3+r7;My{@mXZH3^zl~U2#Q@VGQ2B))VphLTHZGdnNKp^Y)eabTv}cy(4CCoZFfi zgy#kj>aZ3vuqRLV6tKQy6764IHkf8+fl8sve$=aGu`DmY^YP{ILz5|qM?Ih^ZrW|- zR;VUvfH5I!m#w2>k|l7r?wwg@)S^6NktcQu2kOGZr%_^)(mk=wKHYz7J@M+XJl@#- z!*<@xeuaWNgF5X>HI(G~zul}DS^h>tSNsT=hP_Qa_OAZ4qkD2dvr@-YGrVoZm4b`* z(3AAo=}l-^hB{KWpJD$@nKGCfm0!C`t8ZwS#3#og#*Yyktp051e^lfn*+qSxQU!&!RI<&m$&$hYqO zZd?=-lLc8F{yb1F9b3%gC2~>eRqI8yeJ$SVmZkSwP(Aum?)jIAan~dig%P4`vh<9& znR5NFw862mjR$JGh#7io4uW?igl$^Un$<~2r*C@M8O&^iF0ZTvvj0};a#IMO-h?wx zgUX@fuE$Uj+ubx;qk<^7ox~5BP`O@(-*;QTCzcA8p2F0cHkB_jp%S#2qlg*IuSx4L zn@}PM-~Xzec*atlU(4+1n#Y=Kam3GqxM1S{9^OQ+>*nJGmXH+jLKQyLf8qm7YyKUZ zJpynO_S;X`rBvB2R21IHR`W2zk04JmN0-+8MIKehjd4E$RcWExSKVyaC5H)lz-(ps z*i;`_54rS&DQ8|lA6S8{)`XZ8%kXoF7yNIoXqNzIGl2J;OmeT+oe@E~uEr#I{SE;_ z3bPvIC7cBa`I^Ey+9d^313IX1G{X74{^U{{NBJO?zGn#K?#xPR#YccA{*Dkbw(|YC zTK+>R9#Mc4&cwjq)N~VfsSXf2ter(T_X6Ka*y7(=lr117u)H$*ni}0!m|&;?LJji1 z@jis3tb&$C530$=z&hFy2IR>)Gum%T-sFx8k*}LTESE^{R0o;KeVz^#(8Z{qx7O5C zzP?1}ZkNnGy_>Gf3G{-VHtE}$YE32s+~%F`sU~j;1r=PPK9iodP7uWuWQ=;06i>RgjM2G$g0QjgBGYbuJ40`vpjNq{NB5x*3t21j?tkUS(E3aHqv zpZ}r|vUA>~n|;)DV1=up(~|t1r;bsov_L$q>wqbMYgLK3FRs`+-wvsuMFCp*WDfs4 zg<3MaESc{}!5me0fkre=T~LllQXVhoty+%X;Vag>{dV{TpD?e`09{bIOPQ~`ljXJk7xRFQ;h_%vONwq^Fg!3JLShtQ5W*Jo zJQ78?C-}y)ASu-j^N6B=2^Vz|axZdEG-?At&1zIjl?M>-i-k0{Q;}8``H2616DMh9-r8Bj#t4jmwBy_HWQ=lgke~ zI!&QDMQDk*HPly+2`@7@Buly88uqeqb(Al69|kJBxW|zhM7&!l_})rZ$?P?VRz;`w zryKoS-8|X=QoN;Z+lCdfJ!=a0Z@?bbr2((ydOq2t-V5`gy@_>7DYLhdmHBZrFc7W! zSBg38^47MssxY<@lpi&CK3eY1t6|?r8B^m`f$>^iSo#>84DUc zjXz4k5RF1ZCZbS8it$Ksyw12w*D)=rF_9{;JuHpX1x?lidnU?TbHlUx_%!2=_LWL? 
zKNrkHj+sERJ$wsmu_=UQGFRPpzKCMRm_G$5Nqtd*Jwa$!36?Jl`Gs?2&=s)Q03G>4 z%0x2%zaZ+FsJvEnAl<7xX+dqw{`!9;zhk6z0^b`DnEOb&-4O>q>z#2F9~Db?Z~@u6 zYtZhwPj;SHiK$(uu!!Ni(7Nx`@^YKu8=CzqY6l&M0^PD|D3c;8lX}iNShmT%;~N9p zUto-DiK=GC*36yVp(PDk$>w*R%xSz9>Uyj08Da89kAKwo60IlQcHIX!w(Au1V$Wrg z-ybZrAMt;`SB5~_FSdbr?7S&|B4p(3c93c>&DR@cl6ORQe!i6+tn``LFLZPpOLEW; z81JAgI^_P%sVt;U<$=KjaC=q$vED%111ogm5>q?xJYDK&4Hy%Ha2+m-0Dd(|mW>|` zS0B>5P+OYGmb?>Y=+c3h{7>m_iCGOopQKlg-(S91z-?LWFK&{?)y5pJw)<|@ojf;y zwfff!ZSz+{D>zj&&)*=Ul@T3wfmB$0B@&en6DW_eBN15Afu+5sUbyP^U5>b2_mH(e zPB1I`%#tf(~GRIoXDdsV}{O+2gr1U_gG-sn7|isote4O__fw~dU^-_voo6` zfA%HC?Rv1;9%cPA=J*$zNv7z&whmH~@Mei}`O#4;3xEdO5G-uxSuWoFPqgcai~DW~ zWKyXXZn(4jr9h~yv|Nvhl%ztW~jh%Gw$dOMpe9_@bz7IcO z6wb44B$hT-E!w+<8lhnX+F7OWx`ZMkRvJQgZ%aC@4 zRj)=q`Vi%Kghm;+n&+XYgfLJvkYX5t+#+Lu?Q&qii%k#HLuN?$O8lk!gh2$`it{H&aKw0-s&J9mS~HoJmyDrDv~SQ>fz5w=c+b{*DESZRsK}O5EtC)q z7MkZ<+t8KvaO0_+88INVR+7rIKHhB0s$kOd}yv3fitpNviTlv|~+f@TOmXoA4)^exBuyH5y z$Tnm(#zOZeG*hvmZ^R}9?r{mLzvP82RY^O!T7|QJHUmR^qOg=BTyeIUc^%T2n^x}8fybjTjQh4lc z9L%-fa6_GLd?Xd!E>#Q&SD?->N4uPkHw+8l_EY~km3|&b8U@iX1BD5$)uhUyKv_=J zEz~jyqfn)!;U`O=Agx)br$mfd1AF06NB z%#@H^+V#KLz&`spp2|R>6pnT%E)v&@Qx2=-r<46#*dM=uS;P$MMMf$nB-WjfI5|HT zZcjwKl@KcPU7j8`%$Sd`r7tz+L(o9XYn*1}f-L%4ncc?m5mDBj$qUq8)qOw0$O8?N zmA1O%i27`sXZ!4>{tWr@k>=8u9^ zWK*hW>U)1c@(36Wl>qSXpK5ndxM%du-ZEmi(T)qI)T$ zdFi=t_(qKBFu6+vwPek0*wOv*8!gkeoS2!Hytda1Y$ongNZ!G%`>C8)%V3qUNw$hc z<6h-8ZVx51&_nKqEf~0&XDGO38ACsS{m7|a{W7No`2-Bg*0w;U(B^`%N8+rR4RQXz zKKppU{eD$QHW0(0u-+pB)QlLS3K=IpK*xq(PlZz6T)sr!q7x3@T3@#5 zzc6WtPcBsf?x>o2CjPSin1Br2-}ciSi)ya+VX5q7{CyZT7wn&a4f-?^G8#D7-Bl;5 zoWSTomCo&BJC64`rW7AwKauHqQYP|(EJBjpJ(BLuaX{U(7fsR4SA?>-J787Yoa$@i)6k<;KoTiFZySbFn#?!wl2ymvS!lh*O&aKxHf$@ypLq8Aey->L zJbb5yAUlYW6G!v!=>&DIb-=c*zb>d>1Dao;RHzfP+{=*tUY!b$n*)*cv1Xg$sqCfH z{n)=L&fEFw>TR!uxwZmy80RR=@kf~orll&?yka(dG+BtAGO5Dd77Uh(Q!!0J4T)w-L9tqQ;NO$3)ZiitYC zysgs0kPgX9f`t?KR}Bj~zCsL>RsY7`&tn5-ka-&TMi5TLXaBlUA~d$n<(l=5OnI17 zCqW`H4sAmYQE_3%nJ*+|kV>a1?nN2F4FNk&o{0FZ=G>!u7bXCV 
z>gX34DxW8hwE=$%b`A|kYPRI4#9e1l;sl#xZni%&KEwC=he%3Q>4Dcs<&f8y>DO5{ zrWv3a#7-xxCjCdis~aD)QA;yjStQ^EhgC_?wzlYE;A>Y3|C=FOw_keX#4yk! zPB7Quq{n0$NH8^J%I-FMt#|k%?(}dTPM78=-jm0%Tw*_(V`#}RPmf=pJN?%`=SaJp zUo+T5(*qa|q9jXhucdc>jj#2M9o+G~1tIG|g*A`!m#jkhb@JbFkxklTeuN{~Z&@y| z{Z)&P!fUoh0WD{sEdUi3ub<`m<371r^Zcs>)RaZ?>-A&cJ|qcby6tJ|f_%k`DY?=K z1*lha{S~PZ5vq(=6__1~2_mPQR`Y$vYcb&cPPJZZ+4%b}dOwVh<0Y5jlG}Y!)o%M% z?r3GiBm>yxoFrU#JgX1iMos`fb>i7uU?}8b647ZE18bE({B~)D`U|C<)>1M;jYsRT z9b|N!31T%n%^_4Dk)KOV5dM9L&x0JJU=NM5B`NmrN44;nBmzbEqJ>ATj|^%|j>)Mc zkAy{2^|g((`9=U#dzp?+J^shr*Y`AT25c&=WChm}#@^i+lz0u0$vk=OH;4_D2*H0% zp^;L%Frkr$R|XbMm;6a?>j#Jsi}Ng4j*6keMRq~Uh}(UZ1spDuW`cLA2;r<;7Jnhz zD~0IBE^rCElhgFVE1ZhOP%-ila*;ECQ+w+`ch_qL9CUFi$D|2PD(15mm*C`dGIrs8#?@$$)ZCVEavlf&3yS#R6fp)x+(!EOo8bQ-+hHs=$%!oX_ex$oAoWQ+=o^EI%6F3CJ6x_g>xeb96kw(=cj#fA3n`7kfXq!wjk zzC(!Dl0Nk*LJaB^nX~={C`e;23uUMna!-`Y9_b!gIiYaF{hqmiBh)+l#VYnS?6<9h z7Uop3%Pbd8QZ>=7Ad%9v`<7diDDlcNsqa=y(l%b<98y-)OnF?G((4!YH^wK~5!!hY zJ(X8OzM=tvSlX50^H&Z7pq zYuuq4(rUN?V17H_R^YEDy2gh!OllJUf3u+4pta~RiL5EeuaGC@pqm3<2Y`s!bgLHJ z+KuYDndpDGWGjuYA~j;+792qNtP!B_n$RsZ#(83R2#>WmGrs6jkN!V(-c^QbU`9(UMW++xT`U$`R>hx?;NdjRbmQ2TAGU#NF8 zEyCN!DmEJ9ef0L`zA-ta;&3I><4c4y)AX81QsDpYHR z!$xS^07=lZj34=eVR)zBC;5?_Ap?`d>U~kb)oOujXEkCGPmub+uI*>e`%*`L&mX46 zDLC+hYqIvt-F%L!{`n!lqSip0 zV`&VsK-1!Vhqb1hS5+BY06)-V7Ku=INR#G8G<6%)5}V}Co;Wr_i_;@W-_%gmq4C~V z7oLSX1WqyoG68-Dr_U&ri4V!@xLB!|9myMf6Tt9`^+z@ z!mTWiC+i>aDKMFHdj3b)5z7LJ;+&6cky=E_=`KVd2YKkbgvH)k=Ygm z!L%i$nNRmlwTgqr;c{e@WOHZ*C()FDFkZi49$bylOqysw?47UwOup6^Qj}e!sF!QP zTb_^I=XVUNr!5NRr38&N@4XjtiYL0@Nem_DhPeFs!C+b3ZSr96^&mUn8q*)DPcPvY z@ZW)288~c5u4axZ`nb18W0+8C(P%NaN;TBQrh20y8JjEl9Sok1F-O(>UBN4hiMK?-sY7`1y~PX4?p#Bds~HU0V9`#3t% zjOM1q6{0bnW9SoXCeV0YhzyK)GDgx8TmDj`Gk2=`g!DQ#W)7DIFAB2xt1su`XO<6z z@{P`A@*G6=YjF}l5iu^*sNJi|N1eh6oz5z2%5VE1$IP_jYAY`sO~?B2)MDp4hqoitg090-1`D$R{Fx7V3x z?~XHk*umxg%i#(+MdPXNu{jq>TVsE0_dd1OVj^92 z!v(`&lwCfPf0L4idEnRxYlx|=y6c5ZmJgZUpzdK}Wa@))Waa>03yix?97hHjhB*l% zsYaq;4Dw?f4TZMMVN4I`6A;#@#X>TG`R4c8Hd%4 
zmjE<%_*&x36l9`b&<|`YaFo z`Bndd>sV>5w?xr&`|a();_u*gphFDoA_xoXEBQqA5o--?$F!5u!=@(SBrQ2O{gYd? zP3Q{v&6c<-)d;myk8{}~NepGxwG)0*-b=Z6FnHKupoFukNT7qyEX(UFK#qskf~Mes zGv5ANc#OoftTpymv3n1FG{5IV4A2^>Ro@xR!2qy-Xi7C zz_6^uPJyEeO)NS#EviAGB%D}^{SxIo^2CVU{rtN%kl@F`)^_)M`xJps60XNUnWwD( zl(`51MWPgcQ3SJPbiXK)heW;IqFs}Qjl?9()~nkzcgv>Pxs$wpA(F8H1BrQ81}gag zsZHuZBMTf?%Iz)!D}ErO$D{~2BsOO(lMx^~l6Hki>KI(YKl23~O7xAMqa9jjvsc54 zWMgkQ-6U>!SPsyXCdk3tx^?^Tw4oj$<0GU)D#rKbs2lg zm;Q*QvK_mgZVUR4lS{|3)4PJY3@cO;i^t5B(@7Q}2Gs1{+~IbCS`HZh5QKa>Ns?PM$OEeP zuu;KDF*Oa7glQ6pg9nQg?e_YC^VL!fwczn!$>WxA$utCx@da2cQ~sJk`QxP3cw@Jy zz*6vVYjQBO*E7eMhx@>ntDV}q1`JN;OW;u$BB{5GilTu~vt>zft8N~0Gu5R=QSz$} z)F0ml4u1SK3dpHeDQnQn!3MboXnQM}z!+EKvj6*ZHlwm{tQKwXip9t}Yp1|ZDhQ>m zq1C;CZ@v!#55v7S3E15bXAk`ekA@W3gi%&j6<7}fq|=|O0GP^T4@3)*itj*;!=uml z=Nr80a^qoF$YZXZ(Aq^{iAb$0iV#8MYlSf~5yqPB*xi3UN2Ik>n28k7M4+fWVP(#$9RxbpF~%Q9VUD7pjpI8@n;2npfC)BZ=|o{G#%}VG08Y3`t(y?Y!UbEix>v{{{e&8|-*EcP<45I>lt(=y7h zs!wDHeN{K%_awKO!Xsx>-0h$1@)`!MhK+>q6jJYhS>bvgm~i(9iWRDsU;Kp_1A&23|(mRhQhr(I{}1qP73DGiL@uIoiAO-*c)b~b-#aJ2o3iw@S7Gz^a}DCCZ<L=0ya5uj~dv0k~|AP=`3i})z8r8Znxbu zJD!hTA}2l*l??%~3W-~xa$BfFzn2rZQPO&2b1QLy7_RW^a6kg%Exz2I+eC{Ffa^4T_fAkB^O_h7+$AXFU%ai)EL*PTUq zI|XpMQdht*9|j^nl<-k)lwuhE;{tlvu$tvjG)PHS5N&o)1VUqT#KRY3#+xc05KzAq zdD!c1=+GCs0I&2{^%f%HFLO^3uFY~eWfO!WQ`@z(4Z-r0;~nuy1R@*u_tk@j{WWbR zm2CYar5=N%uhE2j=D=_oW;z|fO0Pa|#~<~JFh@l>y6zavF<+d|P!9~CNjZzflN z^S<;gdO1WHv}w`qUw`H$*Sm=x%^z9=j%~~S!xkS{6;lVuT(k(DIp8Uol*N-T3N#G)fqV(CGfmO>Zc}Wbiv59DH1gy2pa3vP{#CvM6Ab*1S6B3{%|O`HDMCV z5^hy*0;geMGwEjkT*dvQ`taHsrVKX>a@je72&t}lTYLNh*D_cM5jKj1lJKZ?k?vMG zP^~x6kY%`onai;6cz~|oX+&_OwX0k2=@z*mC^5zafHdG-^Am;*qX~Q~YcA{)sGGuL zoxb}u4+M5@w1y{AWG}0z)!1#J5g^4#OxS1m0ty0Pue`b(PYQh$oLav&fdp5M3BR=~ zuygXzraNyDSj2G?=SPscVhc=MV+3uKcFB|uB+!Y}z1Oj~1b&JGiVoC5nke(1f3b-S z2D>c7+R5H^BXkR5sKW1RCY`0O(X2Mp!WaZr$&@(*NRBz2{NKI(EZ@ef4Y2uupNa|D z&zOi#E6`2wiRJenaO+~xx3_8C>SHML0ss;QCwbOOmh2LN>A7dggY*!!WB>pF 
diff --git a/common/secret/host-keys b/common/secret/host-keys deleted file mode 100644 index be249cacfcd1d98ac710e9d237cc150b5a27d6ca..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 679 zcmV;Y0$BY3M@dveQdv+`0M@E?F}0;J+=u;Ojdh71rnnb@Z{`82=<3Nx7_<{2A}pH0 z!$*hjlw;}kjaGG}$iy#liS%U3Kb_QG<`wnT__m^%wqV%_ALKx8nPsP9ta}4b z=u+P_q5-F{iBc0P2*)X-s9>>J^%=zjQ+CzuCjExy5@?GIC9(T5tEb@iw=bQWz6Tg2 z+uZ^()xewcvjwknAYIK?r0E29wIb|beTmxTI-OojJ4<{v&4Si>Fo>Nzk zB7c4mlSI-pwts9T$P{5~&2d_%9O+;SZ1(ftg%1~neUjt&$k3F&Je{B-gXf1fH%^z3 zdds(w;S~fvp%ngWMT`cTs1BsMLu^U$j5+ZhO>})sHEfmCdci?_Cl#Pto9hg@BHQQA z+;2WBy?r@r@7Ar7QhA~lQ0m{!iBZ)i=fir2Hd&xivQh-rMZ@HG3FwsplvG`&5dJw%#5xnr7 N-o{z99pO13G!cxz^^M{U~ zj)e#EDo&}C^1QFf*~;SAYVjc7z-bqhR*%Pkx>P&CZXIdowsL)sD|wb91$<+8x9Z^Z1J;&iv@aaE{b|kpI>#wI@MLB z(@Ajg&D19qMwLcL!sc5CU{f<+C<0pPtyd2%TAu6#%2$2gLiu+1){OZuc#LYPz{lJ zIh-83Gh5Rdc#ZaoXL}MYedF`w+OUE6u+S%3roX$Rwx@zIv%$<6?xK0OrJ}69rlLf~ zC53rZP{s;NR{*J%|D0e6kvG|MDi3#ZJS>j8amfXzvnRs(7`E@P2n+=<3;GcfNlH9J zxau5^xqQ{aRI0Hm5EHY_9ZQQbVgM3q0m7nq;?yxB!mu{S(P1@d(JfdpMu)zPJa_~u zHPNgHqgG%4gY0l4v!B9m?!m3Xy4@m=wIncByf%sy!BM<7UCIy*v}M*6dn-N%v-~@- zv3hdt`&#BCaYVd|#tx>|F1vtj{}$?+Wz7vW2V4uiQzB(aX3d4tx{H#v;yOm+(4y7J z1~kH0Mr?T*MPx}~J^H}>5g0Wd8fTr%ovP+|F5p+x{m@_?2chomAVmaxnXeb@vSxT{ zowR@0kw5~}P9!$TGB)+3c!_n0F)OF1K6V?DoBkGt`w2`~JSlXNA}ESMp;ig)*azRx zBpY6EKBH#=R)CwKAqSEBIBHUw607NZC+6S$#yFl_f(>8sSN_pdbubEOjYINoLEhPX zqP&qo&Jxb^4SnOl0KTD1v=Wf3ki-Nn-75?>I6D4g>Mh@+tUBf2D5S-dvj(RL30Pzc zdPJH-R@-cCXE+_gt{Ca?Dy+MK#ucrvp z#5?Uk>8c=c%$d^P{!)H#Z6l)GU|gH`ZvJD*x1z}|h|;yCMY~FH2&wcPQRkptQsri! 
zfmqo-OwtsDrvkten-2wWQr}RXq_D?a)Ez&g8}5jVViC!By+vKNWO>~A$J!2=fE+DG ze`#wl_bp_0Cz_lg-M>inn*FkpNDNiLnnI8$zkRB&aY&cFibKgB21-2=48u&uSO1T^ zP{UhBj!%jLafMUFLmq!qyw;d;XhHG=?MPS(3I(@={WwhE;C*ZEqT=e>63Kl_czwbQ zDXV6k%$*GggWX8*3dsef{u}KrAOaQ;6?xEtg~~Gc-eOK!azM$xm>lbCY4dh7$_;Sp?Vqi!QKUSL4DrrBvyUZbyW@bQo(XgYL8>jaFp}a zoIxVe`b_eA6EIcz_yheI?jOp_!Er=;gm*->!|-nmCh5k1*LYmJDT`a+2pkKnX$^|8 zFktIh;ajdes{5Ce;0%aF{0qZQYu2F{SZ)F3fa#kOSmM2{ql}W2!WqV2y(@e$gnVAK z0cPh)m1gIJ1MnIc%p+=tL(m2i77qZJvV9~TghKdB|M%%DV-KkFh>SpZ=6>YiP9BeweXcyy4GPr-mu8VZ*AU{UL}jsH6U2( z$9PPKxo?q#A^BILC z^PuJ?&HfIWy`tN#aM|=z*3H9FJUE&%A53{;Qf-j~yGzi8iQuknAs3Wpm;Lb7BqB7N zeJj>xF3*a-6w?F+*&*e#?CFRtg5UHYdh)st=iw-B3&L$|*1ENF@HgxX@C)!vIgLje zMBj9iOa=~}u$YPefv3@&5vJPcivv+YG-T-f9ZFf2Q&_jpBcF~!3y@ghxvA?1QERNLde|)_}M}+DTxwYz|lRk2n zc&@3*W{VT4g_f3`LkfszN5c79eJYeT`-}=Lsl_{wS{Niq3Ftf{@QL)KlRo@RV^k(1 zg&8|6x8}kh8nG3)h>jA%G1*a)YLfY(eN0euZg-$V<#HI+g6XP5j%1C|!cWrm9py6y ztX^PkgHwbjh)8PV2ZGQ;1svkE4otKXNq+6ZiwrJ7o%G%sD5uVP@4?|8-6DqevldOZ~@Be*&P`6esd( zJY8Ny9tZ8WvM1LS_=w6^RlLz4-mb#vJFJLKLCAkB+ zk<~hR;=F=83 z$oY&-r_aXMw7z_5S*xe;TxcGeB%!kGsSU)WxnpdmKDO=!r$fzhneuHVzW&k{L zSfz+3VetA{eVa!hUnO6ZReT7MQe!U8V_b)0${Y?Q?2@FVLF-!wb=V1JAWvT3lH4i* zwu`UM^;ju~K(FUfX)ZHcd4|Se4{Q|u)Ytn9p`B4$_}nrL`3%I#nkHKk_6k#N+i#%^ zmRR`NIPxS?`o6M3l>RrblOU5^B#`rPU61Vd!k>v&9Ot)WK&xhtmer>~fptxkZ6qY& zIKv}!UIfRs2_Sv#^7M8cZ+BDo^VY zJjlDLxf`y#hE%vB+hx0Vih1BBi1`V)YaD$#OMDN^sB_H80V)l%P@Pd{LbeHF0`DhopdXYF1;Gwr-olaC>E`C%zkb8hv|kJ?CmW=H$Z z^w1{M&V(aEBFqTQ3L6WaxLzM2mCrbD-qV0uKB*Ck0d$lgnsJuJ1i-j`$?mkRa2xO3 zf6#8V4LPXLC9fX1xl9rU_?I@%bNtIa!Q_Nk2F@ID{N7!kGGoWD?3r8wq@oExI5G5e zUDo_`t;eTu={r~rENHk;!GSh`3hJ{5hGO5po2axEU8~&_NZ+S0J>(L;>M+&woQCb z9{&D#Of|%z=Ak;KukoJh71!(68-^aH8V%RZljIyGZ8!xxxMHU%tk!8B)Jc{OnTIn| z@(O_4`D$1nbcZwg2jfDX9Cu;kZG=Z2cuy7+aUm&c8FddD`5ebSq(c2+k^(D-y}$7k zn`{b=av{z@WgLwKGq9MR;vTr?qOLdw+ld*G~Y{BvQHSUT-5@Y^cb_J`?P@ z5=YIed7?f4s{4!VU7vnA@*0HW@qRli?dhvW6+83nzsJbd)1$4v^>BHrdB*Wj%5gS1 z+8klFLNE#%NaGJTnY_fVtY-pak(54xv)eJ!4oJRZ!=RYwc3=N8nVwOU;wyV`dyBhG 
zyTR{n{GDw`H@cew8Pq4{T=>u);p(y8ydAK3Lj6Pkf~u#LIg{PmL(OhUlW zCuS|e1bZiNx7i*9xw1$h@4hQQ15^7gQN(}kW);J_^IOHjC;{F(rel|m1pcA8JeKy| zYB>tbx~SK0#h_*5V&Gwq_rndsDk&z!sjoC|`>Yah0rDYT!kaq|t-?w@J3Bs1fcgPW zW%VVRm$~e!3tIJnmUYe0k=JM^fd{(q988EWu#{l6A9T=z z;s4q?pg`#fl`Spb?WfHINms4(AfmGbR#c5K5XnQe4iZsAlWaFNc!_{Z^-8K=!JiIr z@}od)Am53Z6t#o19=qM;V#@^36UXsxZc!p@$LU0#^Gk2!n2%PDtF7Tw|=zCyK@}Tg*lX$4!llZM>?MSwg3| z-iHNAbT3oXJgYg#`ju3Du*i5e3)E;7*O6qaG7+obnizGR8*P4djQYUp$e6CYJV8nD zXFkXBAbNJ|`5Lewrds{2X{@PB&X->*2Xzn%{Fp4uZ5Ab&j)nBd641hEC|wZN4KRRC z(i3N5Z?|(Q&Ace-Nt??O zW)ie14@|s`nWVP}+r?;<1G&1IYB64NZ2Axl^@$JL(@&1aAHAlb(Z-t={sRG2g^EkU z5VTH}I}0g`iLFfjU8+fEG$|N!;>Ai=$C%5}zeooHAC~(pcm@t6)KQ}-o?eBF;it+9 z1^{-bpQ#sE6{8JUtE8bi3e4}ps`sg6e^%j58?NICBNn&c;oEOZO1%!gV?t}j{c~0p z(M+6x1zn2vyg$H4@D$}h`t8p@;zkO4BXLN52$*V~dJ14wb%xuUD@})u69PYCU1_O7 zyHQ3~kL-h004`+`qrYEcXZloZ4+P--XZNR~<*eFM`2oAOgN{gYKk3cuu5#^1;@dqc zFAa3`vvs77m1EJQ6Lox+U1ovb-R=xM^pCMCYe;^IGSdavGnG|bX2w?~Uz}lfxYaN) z)+}}H)i|KasV1Z1^bnjXO9cug+GsefYFhH9!A?&KOR>9daB-d&OM+3{Cj8~n&N$3O z3&fKt-K(dWwnheFTCb;mg!l8uvEvGOgJ_}?MWSgiF6ATgk<$FrFsT3;5N(v;SB~R4 zt{a4d9>>}zF(dj?>X1f{`h|N6?;gnqa3vP+t~d-6;u!fO@G4Gc%1uWPQfkum4`A1z z(Ma4LMfb5yfNl8cdRhg!BU9ms!VJ;Xo|;^IUMn$zoSAfyKpv)o1itBp2@$9bClYGMvlWuWZyJO4w!4 z?hwy~3kSnND_^oY6o^YUA2b5=7$)>uUs65lu+09EsvfH>sr5^^e@SdDEHuZh=PMjL znKlN^x>~{2c1UK(ot&t`&Ac~LPCSYgB0ZAls)>U+ z>>m~Zx9}i0z+P$0InmvKLN>=f)Iw#WF^p~r`o0Z)o#(Hu5t|h3J3r`TK>$^$gpp_$ zH?*TX8CKC=ly5&;>?a9w14}B7&%^`;M5MXFeNmjOy?gxAju_tMx8U?{Xss?1D6nB6 zoll+xGtiLe*k*>?#x%onkK37~lf#5mh!|1L_`DLtD+sZD)U{3k(s{tOIXlxFDPNXb zy^fhBIe`~v!L=r-w`Oq!!PT)H8LsmPaT($#$#XN9eAIzbwq^|jqF)7rQj@MJNf3`u zj66~j!pM{aTzBG46!zhc-mTYi?`!H6lq?r|T6twQAA{B)}sl zuq4-K^m0xHxQ(o2UP6+Bye8NF6YK&k0alFpkr~{2NHPniW8!9eq_VoQO;0#TogT#HHM{68I1uEX oXNf**o|=+inA3>*qKaoUgRz>5j@9o=Q;j;=?`%ydm`P7LEH*sDga7~l 
diff --git a/common/secret/jaliconfig.py b/common/secret/jaliconfig.py deleted file mode 100644 index 97246b5096d9fe9ab7f7c8d4cfd505001d7df2ed..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 925 zcmV;O17iFDM@dveQdv+`0MVN7-<_lYkscNKz|2waD1kC!vHe!Y3e_fK!WM-r*>O?# zIw#aN2N(`xwSF)*0efcqvc%G5jHlGWEJlEbo}mq0?$T>O*$;42ZMRQT;AwGZqN4FX zFg4){=h5|G4SVGL0}o$}31cO7rHk(z5gD`S&KLcI5@54K(|;6F<)-^IvKL~y(H**) zGg>~N&pdI*NtcUxKM@*|KzuMq4U(ms63Uj=smGZ+VYal#V*4fdy*R_u7AZrIf(!r= zSA=vDIM1SrdkBt$b|V+U`JI}7H|`tfO|+fEVW?+Qr83(cdMr|fqP$)HRG=_mPl6$!(uSsx!x8z6xJizYMVsVIB!bi<0pqF}_IBOl0;Oi`Km%ug{l^6GKReX(VYtbeYwTJwDvuPA`ku&4m{-r;3t@Nqp15C3 zdn=m;8osVy!te8%3PRfQKgiR4;`OU794H7unCz@4F_?q9BjQEM{cr$UWk2PF7A!f} zS7o9KRI*m8_xlVo30u9(oOFHvDZwV$hQkCZ1Kms>oenq^*uqQ~lX&*yH8b~_ z7t6lxty_2_9e*av04NnC_S& z149&KXSkJnV$|yeaUg={9HQmPE3c<35WWZBuI;3aLUIy}z>`ZMAUY=LG6`aBu;q9; z80=3;>I3mo6FCU8<&xYW0$uPn@L|=9j;B*fy^IOK8Yp^K%8v~NrH*?IWzNd$`LE5H z=URK@-FKmg{$ezK4Odw4M)3*BFWTC|jt)oIu{R71TpKfkhbddgjP-;C# z-|7t^>IXHxZH`y_`3ad{#*Q>NtNis%SIS`KtGi_(+!53^%Aa4gVa-s`d6}SzJbKIV diff --git a/common/secret/wireguard-psk b/common/secret/wireguard-psk deleted file mode 100644 index 121949771b5d71db5947e435bacff2cf06a4c4fc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 67 zcmV-J0KESIM@dveQdv+`02v|s24{0<+T5>EvTrS1uu8r6$$(NLWRAJH+GYUzTe4gJ ZM+434U|vM~nC{O(FrONP9i&u_f-K%C9~b}t diff --git a/common/wireguard.nix b/common/wireguard.nix new file mode 100644 index 00000000..130c2a22 --- /dev/null +++ b/common/wireguard.nix @@ -0,0 +1,7 @@ +{ + port = 51318; + pub = { + hera = "npDW4BUiXcxPXQ/MObP6PlK8/PcMlz/Bwo5FlCCUx3E="; + apollo = "hYziEwk74g7v7GpIafLvC95dje2BI4saoEtJXXu2txs="; + }; +} diff --git a/home-manager/roles/accounting.nix b/home-manager/roles/accounting.nix index c24f913b..a1fd617b 100644 --- a/home-manager/roles/accounting.nix +++ b/home-manager/roles/accounting.nix 
@@ -1,4 +1,4 @@ { pkgs, ... }: { - home.file.".config/jali/config.py".source = ../../common/secret/jaliconfig.py; + home.file.".config/jali/config.py".source = pkgs.privateFile "jaliconfig.py"; home.packages = builtins.attrValues pkgs.accounting-pkgs; } diff --git a/home-manager/roles/games.nix b/home-manager/roles/games.nix index 495328fc..ffca6091 100644 --- a/home-manager/roles/games.nix +++ b/home-manager/roles/games.nix @@ -48,7 +48,7 @@ in home.packages = builtins.attrValues { factorio = pkgs.factorio.override { username = "maralorn"; - token = import ../../nixos/machines/apollo/secret/factory.nix; + token = pkgs.privateValue "" "factorio"; experimental = true; }; inherit (pkgs) steam minetest; diff --git a/home-manager/roles/mail.nix b/home-manager/roles/mail.nix index bf55056e..265a39df 100644 --- a/home-manager/roles/mail.nix +++ b/home-manager/roles/mail.nix @@ -1,7 +1,10 @@ { lib, config, pkgs, ... }: let - inherit (config.m-0.private) sendmail me; - inherit (config.m-0.private.mail_filters) sortLists stupidLists notifications; + gpg = "6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9"; + name = "Malte Brandy"; + mail = "malte.brandy@maralorn.de"; + alternates = pkgs.privateValue [] "mail/alternates"; + lists = pkgs.privateValue { sortList = []; stupidLists = []; notifications = []; } "mail/filters"; maildir = config.accounts.email.maildirBasePath; # mhdr -h List-ID -d Maildir/hera/Archiv/unsortiert | sort | sed 's/^.*<\(.*\)>$/\1/' | uniq | xargs -I '{}' sh -c "notmuch count List:{} | sed 's/$/: {}/'" | sort # To find candidates @@ -114,7 +117,7 @@ in { }; systemd.user.timers.mbsync.Timer.RandomizedDelaySec = "10m"; - accounts.email.accounts = config.m-0.private.mail_accounts; + accounts.email.accounts = pkgs.privateValue {} "mail/accounts"; systemd.user.services = let mkService = name: account: let 
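Review bot: `pkgs.privateFile` in the home-manager/roles/accounting.nix hunk is the only use of that name in the visible patch; every other call site uses `pkgs.privatePath` or `pkgs.privateValue`. The overlay that defines these helpers (overlays/private.nix) is not visible in this part of the patch, so confirm that `privateFile` really exists there. If it does not, the line should read `home.file.".config/jali/config.py".source = pkgs.privatePath "jaliconfig.py";`.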
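Review bot: The `""` in `token = pkgs.privateValue "" "factorio";` (home-manager/roles/games.nix) looks like a fallback, so an evaluation without the private data would presumably still succeed and build factorio with an empty token instead of failing where the secret is missing. The helper's definition is not visible here, so the argument order is inferred. If it is a fallback, say so at the call site, e.g. `# "" only lets the config evaluate without the private data; the download needs a real token`, or skip the package when the token is empty. `credentials = pkgs.privateValue "" "taskwarrior/credentials";` in home-manager/roles/taskwarrior.nix has the same silent default.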
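Review bot: The default set in `lists = pkgs.privateValue { sortList = []; stupidLists = []; notifications = []; } "mail/filters";` spells its first key `sortList`, while the removed line inherited `sortLists`; the fallback should probably read `sortLists = [];`, otherwise evaluating without the private data fails on a missing attribute. The first mail.nix hunk also drops the `inherit` of `sendmail`, `sortLists`, `stupidLists` and `notifications`, and none of the other mail.nix hunks in this patch touches a use of those names. Any bare reference that remains further down the file (outside the visible hunks) is therefore unbound and would need to become `lists.sortLists` and so on. The `let` block continues outside the hunk.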
@@ -180,7 +183,7 @@ in { packages = [ sortMail ]; file = let mutt_alternates = "@maralorn.de " - + (builtins.concatStringsSep " " me.alternates); + + (builtins.concatStringsSep " " alternates); show-sidebar = pkgs.writeText "show-sidebar" '' set sidebar_visible=yes bind index sidebar-prev @@ -229,9 +232,9 @@ in { set pgp_replyencrypt = yes set crypt_replysignencrypted = yes set crypt_verify_sig = yes - set pgp_sign_as="${me.gpg}" + set pgp_sign_as="${gpg}" set pgp_use_gpg_agent = yes - set pgp_default_key="${me.gpg}" + set pgp_default_key="${gpg}" set timeout = 5 set abort_noattach = ask-yes @@ -244,7 +247,7 @@ in { set sendmail="${pkgs.msmtp}/bin/msmtp --read-envelope-from" set sort=threads set sort_aux=date-sent - set realname="${me.name}" + set realname="${name}" set from=fill-later set use_from=yes set fast_reply=yes @@ -277,11 +280,11 @@ in { color sidebar_highlight white blue set sidebar_format = "%B%* %?N?%N/?%S" - alias f__0 ${me.name} <${me.mail}> + alias f__0 ${name} <${mail}> ${builtins.concatStringsSep "\n" - (lib.imap1 (n: x: "alias f__${toString n} ${me.name} <${x}>") - me.alternates)} - send2-hook '~f fill-later' "push f__${me.mail}" + (lib.imap1 (n: x: "alias f__${toString n} ${name} <${x}>") + alternates)} + send2-hook '~f fill-later' "push f__${mail}" ''; }; }; diff --git a/home-manager/roles/taskwarrior.nix b/home-manager/roles/taskwarrior.nix index 24992f00..1e9f75e7 100644 --- a/home-manager/roles/taskwarrior.nix +++ b/home-manager/roles/taskwarrior.nix 
@@ -118,10 +118,10 @@ dataLocation = "${config.home.homeDirectory}/.task"; config = { taskd = { - certificate = builtins.toFile "public.cert" cfg.publicCert; - credentials = cfg.credentials; - ca = builtins.toFile "ca.cert" cfg.caCert; - key = builtins.toFile "private.key" cfg.privateKey; + certificate = pkgs.privatePath "taskwarrior/public.cert"; + credentials = pkgs.privateValue "" "taskwarrior/credentials"; + ca = pkgs.privatePath "taskwarrior/ca.cert"; + key = pkgs.privatePath "taskwarrior/private.key"; server = "hera.m-0.eu:53589"; }; }; diff --git a/home-manager/roles/weechat/default.nix b/home-manager/roles/weechat/default.nix index 48fec9c9..027ec4f7 100644 --- a/home-manager/roles/weechat/default.nix +++ b/home-manager/roles/weechat/default.nix @@ -87,7 +87,7 @@ in { ${server}.autoconnect = on ${server}.username = "${serverConfig.user}" ${server}.password = "${serverConfig.password}" - '') weechatConfig.matrix)} + '') pkgs.privateValue { } "weechat/matrix")} ''; }; irc = { @@ -107,7 +107,7 @@ in { ${server}.autoconnect = on ${server}.username = "${serverConfig.user}" ${server}.autojoin = "${serverConfig.channels}" - '') weechatConfig.irc)} + '') pkgs.privateValue { } "weechat/irc")} ''; }; }; diff --git a/home-manager/roles/zsh/zshrc b/home-manager/roles/zsh/zshrc index 0af0a36a..0b7734a4 100644 --- a/home-manager/roles/zsh/zshrc +++ b/home-manager/roles/zsh/zshrc @@ -3,6 +3,7 @@ mkdir -p /var/run/user/$UID/tmp/downloads setopt prompt_subst autoload -U colors && colors # Enable colors in prompt +alias nix-build-remote="nix-build --builders '@/etc/nix/machines' --max-jobs 0" alias cat=bat alias accounting='hledger -f ~/git/buchhaltung/buchhaltung.ledger ui -- --watch --theme=terminal -T -E' alias o=xdg-open diff --git a/nixos/machines/apollo/configuration.nix b/nixos/machines/apollo/configuration.nix index 0b63b1f2..41b6f7dd 100644 --- a/nixos/machines/apollo/configuration.nix +++ b/nixos/machines/apollo/configuration.nix 
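Review bot: In home-manager/roles/weechat/default.nix the replacement `'') pkgs.privateValue { } "weechat/matrix")}` is missing parentheses. Function application binds left to right, so the preceding call receives the function `pkgs.privateValue` itself as its final argument, not the attrset it returns. The call starts outside the hunk; assuming it is the usual `lib.mapAttrsToList`, evaluation fails on a non-set argument. The line should read `'') (pkgs.privateValue { } "weechat/matrix"))}`, and the second hunk needs the same fix for `"weechat/irc"`. Note also that `${serverConfig.password}` is still interpolated into generated config text, so the password is likely to land in the Nix store regardless of where the value is imported from.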
@@ -3,8 +3,8 @@ # You need pw-files for every configured user in ./secret/pw-useralias for login to work. let - inherit (config.m-0) hosts prefix private; - inherit (private) me wireguard; + wireguard = import ../../../common/wireguard.nix; + inherit (config.m-0) hosts prefix; nixos-hardware = (import ../../../nix/sources.nix).nixos-hardware; inherit (import ../../../common/common.nix { inherit pkgs; }) syncthing; in { @@ -12,7 +12,6 @@ in { imports = [ "${nixos-hardware}/lenovo/thinkpad" "${nixos-hardware}/common/pc/ssd" - "${(builtins.fetchGit "ssh://git@git.darmstadt.ccc.de/cdark.net/nixdark")}" ./hardware-configuration.nix ../../roles ../../roles/fonts.nix @@ -28,15 +27,15 @@ in { m0wire = { allowedIPsAsRoutes = false; ips = [ "${hosts.apollo-wg}/112" ]; - privateKeyFile = - "/etc/nixos/nixos/machines/apollo/secret/wireguard-private"; + privateKeyFile = pkgs.privatePath "wireguard/apollo-private"; peers = [{ publicKey = wireguard.pub.hera; allowedIPs = [ "::/0" ]; - endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}"; + endpoint = + "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}"; # If v6 is not available: # endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}"; - presharedKeyFile = "/etc/nixos/common/secret/wireguard-psk"; + presharedKeyFile = pkgs.privatePath "wireguard/psk"; persistentKeepalive = 25; }]; postSetup = @@ -80,9 +79,8 @@ in { openDefaultPorts = true; declarative = syncthing.declarativeWith [ "hera" ] "/home/maralorn/media" // { - cert = "/etc/nixos/nixos/machines/apollo/secret/syncthing/cert.pem"; - key = "/etc/nixos/nixos/machines/apollo/secret/syncthing/key.pem"; - }; + cert = pkgs.privatePath "syncthing/apollo/cert.pem"; + key = pkgs.privatePath "syncthing/apollo/key.pem"; }; gnome3.chrome-gnome-shell.enable = true; xserver = { 
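Review bot: The syncthing hunk (`-80,9 +79,8`) removes three lines (`cert`, `key` and a closing `};`) but adds back only the two `pkgs.privatePath` lines, so the new side appears to be one `};` short. As far as the collapsed hunk shows, either the `// { … }` override or the enclosing `syncthing` block is left unclosed, which would pull `gnome3.chrome-gnome-shell.enable` into the wrong scope or break parsing. The matching hunk in nixos/machines/hera/configuration.nix keeps both closers. I would restore `};` directly after the `key = pkgs.privatePath "syncthing/apollo/key.pem";` line; the enclosing block starts outside the hunk.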
@@ -94,14 +92,14 @@ in { boot.kernel.sysctl = { "fs.inotify.max_user_watches" = 204800; }; #cdark_net = { - #enable = true; - #hostName = "${me.user}_${config.networking.hostName}"; - #ed25519PrivateKeyFile = /etc/nixos/nixos/machines - #+ "/${config.networking.hostName}" + /secret/tinc/ed25519_key.priv; - #hostsDirectory = - #pkgs.fetchgit { url = "ssh://git@git.darmstadt.ccc.de/cdark.net/hosts"; }; - #ip6address = "fd23:42:cda:4342::2"; - #ip4address = "172.20.71.2"; + #enable = true; + #hostName = "${me.user}_${config.networking.hostName}"; + #ed25519PrivateKeyFile = /etc/nixos/nixos/machines + #+ "/${config.networking.hostName}" + /secret/tinc/ed25519_key.priv; + #hostsDirectory = + #pkgs.fetchgit { url = "ssh://git@git.darmstadt.ccc.de/cdark.net/hosts"; }; + #ip6address = "fd23:42:cda:4342::2"; + #ip4address = "172.20.71.2"; #}; system.stateVersion = "19.09"; } diff --git a/nixos/machines/apollo/secret/.gitattributes b/nixos/machines/apollo/secret/.gitattributes deleted file mode 100644 index 7de5522c..00000000 --- a/nixos/machines/apollo/secret/.gitattributes +++ /dev/null @@ -1,2 +0,0 @@ -* filter=git-crypt-apollo diff=git-crypt-apollo -.gitattributes !filter !diff diff --git a/nixos/machines/apollo/secret/default.nix b/nixos/machines/apollo/secret/default.nix deleted file mode 100644 index 7a41c90275f490af79b4bf273fcbb47d30851cf2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 26 hcmZQ@_Y83kiVO&0I62K)%C+mT&Pj`s-oVQiM*wpv3JU-L diff --git a/nixos/machines/apollo/secret/factory.nix b/nixos/machines/apollo/secret/factory.nix deleted file mode 100644 index 98003302371f1ecebb51511b022d59877b0251fd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 55 zcmV-70LcFUM@dveQdv+`0N+x&Z3kfG<*)XH8w#Kad}BP~g3v?Rh5c~ NzVqd$WNK)N5%!i(8U_FW 
diff --git a/nixos/machines/apollo/secret/pw-me b/nixos/machines/apollo/secret/pw-me deleted file mode 100644 index 622b367c7ff7393da4de54afcceacf27b08d6479..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 125 zcmV-@0D}JjM@dveQdv+`0Ql76$|rgT;ZnD7v%4YkUtiJ&OC`5QMZR74hV-sIgA)+u z1NhF(w*0;k)34)~O##no#tnjjj);s;Pcr!P;xSzhXF79^8j?Ffe_qUrBwG?zAGN{B fA57s$TDwzvy6zUtJVG9F!xHg8BV({08f}wxmy|j| diff --git a/nixos/machines/apollo/secret/syncthing/cert.pem b/nixos/machines/apollo/secret/syncthing/cert.pem deleted file mode 100644 index 4d2efe18ffa473ac192a1e6a12ac9a97861fd71e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 637 zcmV-@0)qVjM@dveQdv+`0Iu+0Duz-QujtZ=U?KVjwWq{}9P<`QjHu+jQM;LB7=FK& zlG4Z*irMhR@y*fKDS~i%X(ppIR&l8K9u=yTBEUE>$6lk_tW?}X-dj7qQ}GYUnP+MH z<#K@Qt)cnREbl2AC)^;mu#y*1l5Nli&)jIdGLV7js^bbJM^yXSsRZ>rIzl@Wa58Wv zu8dbv%#FEm*ao*~_OXl?*e>Ue`}X8gXVe7@*H`Zq+G-cF7qfO0ROJ<0WY#&d`Xc*C z;sO)EFPK^L(V)}`W(JL!xX}*@4MAK2lX}AJsNwI{Ux1`&BbK$dg`+%`(>J*<8$I+$ zv=;9UF2#&>vL`)J89uB!r3(e-q2bLS7+Vtc9#OFTp>@h{Av z12t7T46NhMI|)8@l)RM0sZ$bO1K{?eLEMxFf;4WK2?H(cHQcW&p92G4F@!qURO7t3 z=t6TKcMFv5SoAd}ZJXe#bju44fL{Os?v|lGs_BD_-eBv+&0;A2t=mXQ1g2csZ5Gy` zGrjXF(YhT|zffXRwU_o7m)TVao(aS{`Ioac_kpW&W>7ff(}8FjbAS*!e%@IiVI%J5 zn|n#cvb6-w@!#Oa(qItPROReF8)oNS!$!E<&$$qT@C9`hJf@mA3mI;Ia6`0_9J~M5 ztyUi)$h)WD=dJGgl|y^uhApe`)6c9H#3P|O!}aNi^l+KNy1cczFKTD*3$5HNesZm8arQER X41h7!tt>G>L`_J2djE-ff`R&8x(h!2 diff --git a/nixos/machines/apollo/secret/syncthing/key.pem b/nixos/machines/apollo/secret/syncthing/key.pem deleted file mode 100644 index ff314e54cd8518abeda9d5aaa9cf8580a9b18d65..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 310 zcmV-60m=RVM@dveQdv+`0E8P6A1f9$qLE{Yt*yL3>(^mf2WUd zfZ^J8$e&GBqCA#Y#)v%MDh%5Lh)3~TZ9<1$b3O$S|M7=2665%$SS2j)P_RPLl zht5mgq(0tQf8~aW0cZhM4`*R3IK`E|=Y3M1vo)ICp>rbgZJI0Y>l`D-vTjCufJ!Jnr1bpdHy-o%3a*mE IwE;%4kbM}P)c^nh 
diff --git a/nixos/machines/apollo/secret/tinc/ed25519_key.priv b/nixos/machines/apollo/secret/tinc/ed25519_key.priv deleted file mode 100644 index da6adc14a33a214271dece4808da1743d9e03308..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 426 zcmV;b0agA0M@dveQdv+`0N4Nwdh9);-Je#e%GzhNVd~T_I1{`{bIzaY-^sH9V!zFH z`zW$e&mFAD`|oItd1;D~w|aR}cc~lYja<2k9&QmZa8MaeN}BIkGY|HQmNK>)W@dvw zq>1q{KEMQsN29oHw?i>_NbzTKbW z_P0{mRh3Kdtu3e2)Qq@xb7}DfN&B?}uz(JBknlvTa8lEsoLHnFuvMS7&ycyP1ju0G UWg`xkTw~X4(e^|xvt(&{h$;!xCIA2c diff --git a/nixos/machines/apollo/secret/wireguard-private b/nixos/machines/apollo/secret/wireguard-private deleted file mode 100644 index bf2655ab621d09e5128414a5852fbeb8fe9ed64c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 67 zcmV-J0KESIM@dveQdv+`0B*q#SrrEV#OoWND^O)h9;YVLl}CCQ_096R!noi6p3K;J Z|Bap|z6o-uUXO_|Djx}jVC9;a3MSU99=!kn diff --git a/nixos/machines/hera/boot.nix b/nixos/machines/hera/boot.nix index a118c93b..043b6c79 100644 --- a/nixos/machines/hera/boot.nix +++ b/nixos/machines/hera/boot.nix @@ -1,6 +1,6 @@ -{ ... }: { +{ pkgs, ... }: { - m-0.server.initSSHKey = "/etc/nixos/nixos/machines/hera/secret/ssh_boot_rsa"; + m-0.server.initSSHKey = pkgs.privatePath "hera-boot-ssh-key"; boot = { loader.grub = { diff --git a/nixos/machines/hera/cloud.nix b/nixos/machines/hera/cloud.nix index c3931949..20a38a15 100644 --- a/nixos/machines/hera/cloud.nix +++ b/nixos/machines/hera/cloud.nix @@ -66,8 +66,11 @@ let dbname = "nextcloud"; dbuser = "nextcloud"; dbhost = "localhost"; - inherit (cloud) adminpass dbpass adminuser; - }; + } // pkgs.privateValue { + adminpass = ""; + dbpass = ""; + adminuser = ""; + } "nextcloud-admin"; autoUpdateApps = { enable = true; startAt = "20:30"; diff --git a/nixos/machines/hera/configuration.nix b/nixos/machines/hera/configuration.nix index f6c85d60..5bca8842 100644 --- a/nixos/machines/hera/configuration.nix +++ b/nixos/machines/hera/configuration.nix 
@@ -55,41 +55,7 @@ in { startAt = "23:00"; }; services = { - borgbackup.jobs = let - passphrases = (import secret/secrets.nix).borgbackup; - defaultBackup = { - doInit = false; - compression = "zstd,5"; - exclude = [ "/var/lib/containers/*/var/lib/nextcloud/data/appdata_*" ]; - paths = [ - "/media" - "/var/lib/containers/mail/var/vmail" - "/var/lib/containers/chor-cloud/var/lib/nextcloud/data" - "/var/lib/containers/cloud/var/lib/nextcloud/data" - "/var/lib/matrix-synapse" - "/var/lib/db-backup-dumps/cur" - "/var/lib/gitolite" - "/var/lib/taskserver" - ]; - }; - in { - fb04217 = defaultBackup // { - encryption = { - mode = "keyfile-blake2"; - passphrase = passphrases.fb04217; - }; - extraArgs = "--remote-path=bin/borg"; - repo = - "brandy@fb04217.mathematik.tu-darmstadt.de:/media/maralorn-backup/hera-borg-repo"; - }; - cysec = defaultBackup // { - encryption = { - mode = "keyfile-blake2"; - passphrase = passphrases.cysec; - }; - repo = "maralorn@borg.cysec.de:/srv/cube/maralorn/hera-borg-repo"; - }; - }; + borgbackup.jobs = pkgs.privateValue {} "borgbackup"; taskserver = { enable = true; fqdn = "hera.m-0.eu"; @@ -102,8 +68,8 @@ in { user = "maralorn"; openDefaultPorts = true; declarative = syncthing.declarativeWith [ "apollo" ] "/media" // { - cert = "/etc/nixos/nixos/machines/hera/secret/syncthing/cert.pem"; - key = "/etc/nixos/nixos/machines/hera/secret/syncthing/key.pem"; + cert = pkgs.privatePath "syncthing/hera/cert.pem"; + key = pkgs.privatePath "syncthing/hera/key.pem"; }; }; }; @@ -116,7 +82,7 @@ in { isNormalUser = true; uid = 1001; extraGroups = [ "wheel" "systemd-journal" ]; - passwordFile = "/etc/nixos/nixos/machines/hera/secret/pw-choreutes"; + passwordFile = pkgs.privatePath "pam-login-password-choreutes"; }; # This value determines the NixOS release with which your system is to be diff --git a/nixos/machines/hera/mail.nix b/nixos/machines/hera/mail.nix index 2677bdfd..15e47e61 100644 --- a/nixos/machines/hera/mail.nix 
+++ b/nixos/machines/hera/mail.nix @@ -80,11 +80,8 @@ in { postfix = { networks = [ "[${config.m-0.prefix}::]/64" "10.0.0.0/24" ]; transport = "email2matrix.maralorn.de smtp:[::1]:2525"; - virtual = attrsToAliasList (config.m-0.private.lists // { - "weather-channel@maralorn.de" = "weather@email2matrix.maralorn.de"; - "subjects-channel@maralorn.de" = - "subjects@email2matrix.maralorn.de"; - "notify-channel@maralorn.de" = "notify@email2matrix.maralorn.de"; + virtual = attrsToAliasList (pkgs.privateValue {} "mailing-lists" + // { }); }; opendkim.keyPath = "/var/dkim"; @@ -94,7 +91,7 @@ in { enableImapSsl = true; fqdn = "hera.m-0.eu"; domains = [ "m-0.eu" "maralorn.de" "choreutes.de" "mathechor.de" ]; - loginAccounts = config.m-0.private.mailUsers; + loginAccounts = pkgs.privateValue {} "mail-users"; hierarchySeparator = "/"; certificateScheme = 1; certificateFile = "${certPath}/fullchain.pem"; diff --git a/nixos/machines/hera/network.nix b/nixos/machines/hera/network.nix index 7798ce38..a6a152bf 100644 --- a/nixos/machines/hera/network.nix +++ b/nixos/machines/hera/network.nix @@ -1,7 +1,7 @@ { pkgs, config, ... }: let + wireguard = import ../../../common/wireguard.nix; inherit (config.m-0) hosts; - inherit (config.m-0.private) wireguard; in { networking = { hostName = "hera"; @@ -54,15 +54,16 @@ in { nameservers = [ "213.136.95.10" "2a02:c207::1:53" "2a02:c207::2:53" ]; firewall.allowedTCPPorts = [ 8666 ]; firewall.allowedUDPPorts = [ wireguard.port ]; - wireguard.interfaces = { + wireguard.interfaces = let + { m0wire = { ips = [ "${hosts.hera-wg}/112" ]; - privateKeyFile = "/etc/nixos/nixos/machines/hera/secret/wireguard-private"; + privateKeyFile = pkgs.privatePath "wireguard/hera-private"; listenPort = wireguard.port; peers = [{ publicKey = wireguard.pub.apollo; allowedIPs = [ "${hosts.apollo-wg}/128" ]; - presharedKeyFile = "/etc/nixos/common/secret/wireguard-psk"; + presharedKeyFile = pkgs.privatePath "wireguard-psk"; }]; }; }; 
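Review bot: In nixos/machines/hera/network.nix the preshared key is read from `pkgs.privatePath "wireguard-psk"`, but the apollo peer in nixos/machines/apollo/configuration.nix reads `pkgs.privatePath "wireguard/psk"`. Both ends must use the same key, and two file names invite drift. Because `privatePath` asserts that the path exists, one of the two machines would also fail evaluation unless both files are present. I would use `presharedKeyFile = pkgs.privatePath "wireguard/psk";` here. Separately, the new `wireguard.interfaces = let` followed by a bare `{` reads as the legacy `let { … }` form, which expects a `body` attribute; restoring `wireguard.interfaces = {` looks like what was intended.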
diff --git a/nixos/machines/hera/secret/.gitattributes b/nixos/machines/hera/secret/.gitattributes deleted file mode 100644 index 3996a7c6..00000000 --- a/nixos/machines/hera/secret/.gitattributes +++ /dev/null @@ -1,2 +0,0 @@ -* filter=git-crypt-hera diff=git-crypt-hera -.gitattributes !filter !diff diff --git a/nixos/machines/hera/secret/boot_rsa b/nixos/machines/hera/secret/boot_rsa deleted file mode 100644 index 040cd798322a34ab41ffff3f0400453aa25dfac1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 827 zcmV-B1H}9QM@dveQdv+`0P=te& z4yxkrAs4jNkWo_&%0WY!y$t+4@J)%ajbn!p!k?|>q0R(1j|ACVLJ7~*tA_Z(ckf!H z-2MW~J*FT6w&JYTQt_>4<`5Dsxf-zI=hUKrRa5@rWzK|MFEZTevT$ysk}i^6Sg_FHYk(F|4psf&JePrPt% zy#|Awbm=#dJ)@gXa+sG{bS+C!l&)vTs6rm4O-#m|xKgd>iE&Q6+0NhGHclE7J3+HJ zoFu0qz04qf8R8tvS9{2N0?UAO&g8kG6Et3Pp#mzMs#R%${i z$+Zzi^YoFb{fk9%>zii)H0Edusjy~5RF}h_#`AjVp|Wzz87Z9K(dH;K-%%dfh4uQ2m0`onX zJ=+m{S;0m*@ni8ZXQFIf!Gl%-O}Cmgv~GS9uozD+4v03|{SE-{<*<`$eE(Uf3_s2h zcy!5#0p-5!iPt@RRi7YON_0$4KxzO$C z!lN*-lCASh+G0c$_*W@1`ELku6pl+SOox?}%B8ntO@G)Q7Ael!og)^4)+4L&KJ7!` zEi~JmEVm6PTtdI)VG*riWzgA?#cJdcbBOnAnze+yQt)1n7b#cCEJ?5hSxz%e{{#^< zHdNbsop<-WIC%82F8N~vh@tzdMwYe8s!!t}FujnG5slwrpW6XVCdo|zN9120Fm@7) zdT+b{bCaT79Rur;xbP@Epo{1kp`2IYDouba(wCgiBDN+S?DV@{oI8{9FmQ9oGB3nB zkJ;6cPbT`~K@VC$X4lxb)D$x2ECR2aCLhPC>bv6IgUzMogzPm02y*?R8pGI;&qtZY F7gL5~pvwRN 
diff --git a/nixos/machines/hera/secret/default.nix b/nixos/machines/hera/secret/default.nix deleted file mode 100644 index 2277246d60e886b069445f95832b884acf4ddd6c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5622 zcmVoxvu}vpdh&U6LyzPT1S>1!QM@oSfi2g*?U>!Dr7GwXc4|ib-ds(aaQAa=RL@-yh# zxUHit^#4nm#Z-iQSNRsgGZpI}AN+5F*R*5OX8UX348^1NFaVNf{YofFXGui=AR(Nb zVs@)G_Qq!lF%#@#Xz;OYr4tC6K`tFEVAB61p|qnEhjTsnHXCHywx*v>9dOG0#bVdV zFBui;6km7At&_~Kby3Uv!=1R|TU4im*ya$mArl68tadHMOR|ChGw*_}$@;scMdW!T z-E|r9ab*=+Me~}Dvf5A7fxZm=B352IiX(9h0MH~VAe#%7=0C3hwZmLu4V2s(Tx0~P ziaoAh5-i%>_6%4258EcZY6q*^yUe3xODT)#nVP2BL=6FEUxPdq(&Fm^%8$DS znb)A}Qw#imlB?C@e!cePU-2Xf$Qk(@K{ydZ5>A{r@Y!*biqnHvC;Oh_!T+-h_FNFC zicdt+`5@?(n5G9$qKRba>$dfr(U$7Q)@)!a)djN@cSg&^AxoSjAE^)iXw^JvVzzB| zinS1Dx;T_X1~LEOt(A=XhfwLwFv#0EdZwTxO%Yv?o3RDYe!0j{pWhXSTi z5H{f2ga}M)#;qLDc@|wBd=hW?Y%N>gDHID& z2ma9@D$G;}6pFtY=$nnxXmX$+)`IA#BDyY{|FK|+E zu%VI(@RYr_)n3#9X5{U_)RkE89dH&+%nG2n#G4+nZgw>r<~t#`#miO4#1TApn6K?e z+yZ%7U@&ZCTaEPL)atpiL_94XYLC1y=8d7MsrVLvp+9fEwj-}1 zBrnOJy=*++C!6EfM*^mL7-1SqHQ*&>W>4f5myvUr(zdC9Eg>AP88?gXpJbF}P}kDY zf=`*L!s&-$$J6N7Ty;d21sJ(I4E(La2I7w9*J7{8S!hY(pt0-7$k>=uLDYn-sc7vQ z+Md~R56k8txGxv8HGwpvszvmXSIA>Jp=)x~T-M9{h6!?A!TBw7HbiqllZ4<(#gv~> zudELXJ1nVS0a0y?=O})7jz$Wr0=FXV;KM(vJ2aO#YcH#imQ z`Dov7GuGI``PQ|%vsk_Js`oMiK_1+kr7Z~H2gS?s>zg@Etsal{kSbF`Vj4WqA+z?4 z<=PQ)L^>q^K+7S+xJp0ZR#KDuG|b>D5I5cPh)x&BM5!)0){3=36^x zKL%nHgWiUZ!9xcrC$wj`^!66wa}zZbYVgPA$L2qBX>NSYW4Us9lOwv$9r;8yaS!j2 zSOyg38!DT>+@}N<-3VQq6ct3ZTJR_Xy6@f~kbp_hEYXYN<~yg+FD&r(7}yGBc@>>Z z$^85NCUHb94^l8DuGB*|=5<5X{V3Sas4RsQK z(?BRX)FdggLHgK1^vjw1=(RFX1^7akSIKxfpPeFAHP*jSav~s%Rf}B;2_{rm#LkDW zZxM1*kI6OiGxO7%yTme&{__WZ71u%nIvvi7iEJ;I*ZL}b)xt?5;4{-+I{ruqkPVdZ z7F?@!L-5w4W1yud*l;5UX{xL7N{SJ;Gr&=LOx|(fbnMs{eGfTdXIm&RUohyO4Q+$ne*?kCXofjR=FJY6~8SLl@E1xbE#T=Uctu=||dZ3C8xsc2e9|Q$;D+~dO znBzs7t^s+%{P7K*Cr$V7#q8^C7 zFCjtE2*iZu%NW~zS}pqIV|4L)%&HcWD^7qZqm0?V4yZ>1=Q8kN(j1@o0dk;-jj*dX 
z5Q24Y!@9h=iu5~B8lMjv*vvoe!5jN<+deFWDf7jUs0&6Y8ufl#-Z2b!Y2O7Jt~ zoS5#(ewq)I7cSjBH8^zmQI&x06_5$66YsLEdbZs8`;0fNEcwuGn`^zUBc9EAG7^bW zjvI~+XQ6Uky!cB^UQ4*F&Wz~`UmEL=+A~-UYpEA+3Yr04tqxu&H=*nX%1&hX>0#E| zpznBz2;nX}BUE~xEIL@k()1kYg=6NlZ(7MWa7tIm8wz%CGu`QSq!kxyob1sYsLD{; z3`=${jpfVj&^Fm%25)kJ3wy0 z;85V`nf9tXQi>@yqWyIk;*3U^eQ-(m9o{M2bqVZGjq1=~-*`@Gceup0;3j%P01-WW zH9Ia-vwaE;6oAxmbp3QaQ zd}($YA;-iq1dmj$f_RAoT7Qu^!&2BWQ&K8|tK=*d~@OGfY67l=ra2a2f{EqNwyDvkesdoLC!H?tsp91#wVnxj#sh}brXULj2dw+|~Oxo$UC z6*_VfC{nLD49>Y)9oQ61eYhkd$N27|W}NtAu<#nWRYD@Qd2m7-^@kdD6y;V@7N zIfuT0!8ng*#=3{$=M1ZP7O3E7`ph=^t2mWjd13>*cv*UN7}UDU0^8!>Z)_1@2jPv?jVD43O@3RlHpJ^={~Z zMpf+@Q>Nkj%^m-u1J@{|5}njsfcY)!M9W8?4hYfGvfS#$s(gM_DGl>1yvPH;p;wLr>y*~&!9@v!46^hY3TFHyV z(w4p=YkzCsaExu3_&0Byuv2R?G`T`P4XIv(M{+3=^waVW28Q4#F53}*QUZl&kO}#{ z26KxihJ025(BN6~EW8dGM7mqiqIprL9whyN20NKz?G)kG^E0w8K@8#wysrq+F2RUP zOkg&cPr-_Csu7I1N7c(f5mO5sd8-CtwgGP$ORf!Lddh5 zg!8YQS~r+KgOWeY=yPkqB8(6;;III8I1KDB+1Z+GzyA(LWotMjG%LCE5Rzkk-^UR) zjzRjmwCPiQIA3)>Iq8y5cmyD5%T5zC<3W!C;?2Q-(mGHydK z(rV)Y7BluPbq8C$)w@|Glq{cYUm1<+kfu!%kjY>KjfUnHPP@@(t=FFH%+_4fRT6o! zK*^$sfPg@u(&PtI=Uk75psU8DgAjZUEJ&5ag_<|l#f!RC@Xl_wAyK(BQo&qUf#s}rHn%#XzW#Jx`?w)|^hUbL+~FND=!c}ew~rhifnF@(`v=e>-qaL ziFhk=&zT!QgFUPmL9`;8uU5mi)P;gkQJGkAnw%uGeK>}i`k9VxK2NfZEkZ>?#Pq_& zR+~JIppJL0xZ#AY|7)=^>@QOn2{@8|!+KliuFiDPu?cMfR&Qx-lqKeCR-~Ow43Z)` znU>qL$FD>Nr$QYE2;0v{=1i|PdOGHeh=NHftJE-0kzf1tU;X*$ZW_i2$Srz2etG1m zO25yqd%+)TTC-+mQTl+g~*s>e6h6e6EIQsJimd zQ=U)FsBgEdXt05Kqb1o75-Rnq9;QYLYgJE;|J`NTmnj$5Wy}6`=qPjMOeZTJ50?PT zv9B9#MSwg{*iw~TalPJY@xHP4wm?nGo|=i-rb5qdDIt|*b`Z${i}TCXvoKRBcJYp^yOBTZ_?6rfQsEk+X8FSAkFfspruM#BYio-89VF6O?U=dgn|88m8;0n? zhP{6@h3fqzY8yl-Yb70t+b1_~ZmSqL16N9evGQj)747LgB1Po7Jq$UwF_{lK`lz!j86bD;TL z*rVydi&)g@_#`@xMgubbTAHGN3&tVS*b*}Yus45qg9!&M3U?t86FTgaYXiqR;n3|a zC>k}|Cv0~oGKY3hmc%`oMaOiL^`30neurWOrs2cf{>3l8YNOrBL$k1E9&dieR2tB? 
zr_KAvr^~kCn0Nix;?MJ6X1fPkhT5yMfam(cJgi=;)bNSb4!T(*_Y}+U<_`N`(W>q{ zAUSjJp$^D=>O$s_dQa*MaK116-czz=eO;gcb(%RU6v%-kLF*$b^@P4C^hr}guN-cq z+k{8nNQEE>?!8qSbG_*8XjVR(X4u=IZBDtWI38E>o;2>Q{%2PK_Et;^qP7bm(srQ@ zfq@z`t#Uc14L337glqk(gX{@3sw?DHja*yH8p}voWEtrK`WD4}H6&%m+6LL~fa|_D z(-%w;oBZEC%aUB5s7fz4Y_C*X1S@^K5`*_TXv3f|+5u2O zgyZ}UnFctGpSZvO;oUgGy7)OG@bR`RD(IfyGxnl-34x1zahSwK*T)~8F#p@6GdMTU=~iW~u)cb4)-3}daL2P_d2 QaH!ti-8eNS7>_GPNwEL@F8}}l diff --git a/nixos/machines/hera/secret/kassandra.nix b/nixos/machines/hera/secret/kassandra.nix deleted file mode 100644 index 4887e759c6eea47d6d3645c3be0e56ce09f06904..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49 zcmV-10M7paM@dveQdv+`0Bjw-;^5q#$Ndix!%66QFKlV2C;>ixAd_AlHxxeTWaJ_Bs_W 
diff --git a/nixos/machines/hera/secret/maralorn.sieve b/nixos/machines/hera/secret/maralorn.sieve deleted file mode 100644 index dd4ae93736ab0e7bc4976fdc2d702f80e4e743cf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3891 zcmV-356tiYM@dveQdv+`07{G~gNq@m9KT{jZws%R1|??7njBe^c$;~x`RlZy&VZ9* zv42{h!s5!)a{By@?g90R=Qf?IBkQpjo8!|<8%j=w_MuU41g;B8Oxw!N^TB0xa|E3! zT^A$Pj_TyDv`~BhzH*1!Yr>P8XA&Lkxp!SbM`g?%9MJ;AxwhjlWWN0#7 zKNV(ef;wrDU%!M|24DK7?8eg0T|Nx&$P7Z~lx~m2ss-|w%!VK&}j^W*Er?rlLs?^F*${SBa+y7K#R#0a906R%YtfHco#-4t+6?#2X*Xej304LfD?YX~Q32p#Ut@ip!kucXI(DKL@ z+Km1ez=}VK3?CS%-!}!p!5R@rPzFItOwv_Dg~iTdV7A0pP+;|Jo>1FU4g&T!ajWAa zwsaCJ@rGiyD%RQ;#tqN#ec0tAA!cV^%NJ7ttE@Xf-Bs0Lwc8tsHCon z$`(5vo;plznlO8uh)xNNPk?t2+pfZ7wcm`AcerQJ@rkw%HJ|B=A((P&T(Y@LdK_Eh zf%L`nK`0-FLVMB&KzKayW=^}C`$4f0d_pIrd71i+V4sy?3n%pBw9*TN>ogj^H{C-Y z^fli2h!YyH#4$7*mMJDLE{c#>6PAW{(=Z7lwTJBR#si_tG)wzz7l!KR3MLzyYomJg zOl~;Zh*g~eDw(x(7Xn_7zaRpU6CNhj?3*NAWd>F683Qp*72f=mN$pWe_4Yuf zh7$LL;h!FgfyK*6T_5u{5F$4X(>1izI6{$_V_eQvEano3D^|sRiOV@oy4qaKsGHEi!%u13Z_-I zp?!7xOMw<1Q?_Fl@G&4jf85RZO(~cKP5pWFOj*FypDE-1$?d(qqIje&%9vq~i z6WX0TblqlU=JdQ0z1r&1R+k)AI(<~){+6W#YIE)0dI0nKmJvjnRY&$mL_rF?STk6-tb}NwyMF)+WHXBwtV;y3a9iZmb=}F`L(PfiH+C zBd$0zQbsV?RxtvX()j0)cGnk})CrvgQDm7ResdQBzIyUk)EA_{g^0T>2fCa=6$$Tg z6brC|z(K?8Uw2X(FJXrVP3~vKL9S|~u~9Jp%>Kv<`Y-4Ls9C{>=P&~3adzXAzAssn zt@ttwsn%jOs6=4h-?P$G2_vo*8?j6$D1Uu3XPpCK#E7{t?`h@vw71j|fUTH_zT&{e zGOS=wue;&BCVQVbMcj+}pWRFRCr%A@uG{)cBrCEH^tyAk#gJuo7KkJjC30ayQy|1#;wOoa0Lg?&vF5}5M zOsd#$wJyHYRTNzzq<=e>N_nh&Xj8S*0u~@(wXEUL*+V%`hkz9jQOXqFNbmYhzD^)K zNHNN!2{=&6E0o=d(du%zv_8woBv?wr`i{r5WyYOg2Hh>0bDN8uBgdfvX5Hw=@VdyD z%0GA<@Q|Eenx_TMErF3GF`W)PmTb|Q3%82Ywy6T&C6Dwi3vZ^zkE+f_Pr)|e+4uUO z{NQYccuoH9-8>Ux%REd%u3$|-iO^eXMdV&P#vK_=VUFkJ_f)aLDZ#bi8}(a!ohv0O zG)2#3q8>-uU8j5%SI$>EbTcdoKz`qDgDE8LKN~Jl@j;eX*$a^#vk0cBd#kb zcSpMC0|CyW@XrR#>V@}E&}ApXQ~ONEN;mr_E7s->B!{a^puSpXt~y2!4~~U}4M7KN ztL68{)!c7F;CGpcqC$_;-xPZJw`*!D{-LqV2RFAF1l3`%tt#8L#F-p)iYXtDo%2e4 
zAK}9A@@APqdcUvHW>#zL|1nj3=%z9a2)U7w*8t5=sr=4l-#M#&|0T%li~5mZ%=$v! z#hWEti0U%<=)GIe0t?jqN<;i5aRiU8w@6o?Hgu!$hHPzKpy#`k2Fg}c9Ihe)|H;xN!Ev45S=sMm-(YtcF&&KhX_Ls0m^sW8V;+f!+gl2 zODer(N|o_0nOXnEL^F3&^gnysUHtA9Im(hIWj$S+=(vN1MQCP^Rv8obj(v+`&6A*} zY{?v;X$+4ZDa&$fkU}X8mKmF3#iz=MC$A+y9)L(XuETXTB)1ZCs(K&qB|tv4p(bX* zdm3~`wGk|jH(K!-(Nd-cCHWJ_R=`3yHn(!g5@E7^I^qAP>)!W9$5*s~`QUK<-gW3m z#6fDdDfSS}<`Q!Nt62}cub^`&Q$_;LMG$YT*l?3hy5_0xPr?sam&&% zAhM5ezf5m&4%ERmt^kQP_XWSZEaeU~m^+h3AYS+`OV%dZuma;!`LC0=_5B9Fapw~q z7IkC?AagP?U&I#UzEg6ziGr(te3i$h(tY>;cHl$FXTfb10jHjzh-0vDAuF*D+CxXe zF3cvqTT;++M3wCcDl6I;P~^~|l)c+xVw;@(aU}cd!|YFKr9ae+X;S?ZLqGb%oLIx) zMrbhxx+YwjIo<^#6ip`8j8JrWJfsvn&W=^Op+xB41&;Wm6#C*rs12z$btD5r@%XNz zZO$7cczT%b^lk>oZK0C*bk8)?wunr!H2>a5nlax3mDv!q;i!GPNR*v!$UdQix2aRF{!p# zE{b2=A^$yT011M2WcAV5w1IjZM0Dnb+uG`#RWn~wwxTPL_3V@K@W#I$Yf4e~FD8&k zly&^UajxI!V=+qtkk{$v2WRjv_!q9NcqP4gSI|~mDCBDMvC_*2z)!-|l?W@@GK}bqrDnJ6|rZo7prglvFq>`zT~a+AMU2EqOTwDUhh~x_{Sg=oKc1H#BonOY6L3m~ykQrI zPYTDsdXYmzJ)PJ9nKeR%NihOO>PDHIj_NyPzAv|bhq1FfFbSrrVx$XXAwI2dlPA5B z3~Fbl6~O`*J8&sVpD^@g8W*o@17H>icnOm6q5H$|exIhP+4hJgBGG5HTkP~r3ht4? z_B`%azHg%#0(I`RdC}@pDUeE8B|U7s2_T;>g~0_==?TR%R%$b6vWyP;?S-3Z eGeDYvoQ1%U4*(O3#NZ5#<7c=HigAu%)-}q{^+5Lk diff --git a/nixos/machines/hera/secret/pw-me b/nixos/machines/hera/secret/pw-me deleted file mode 100644 index 52fa7281fc95587fc797e2ac0fc04fc6d1300ca4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 121 zcmV-<0EYhnM@dveQdv+`06h=emx?Ocmn<^aab~_H?W@mpdt8_kN-?OOw`Oc5ttWCc2vI(Id%bU?=@F;jgs$Kv22M bGFJvW2&Z@9b9E-S`@786YYocrjN)h{-&i^j 
diff --git a/nixos/machines/hera/secret/secrets.nix b/nixos/machines/hera/secret/secrets.nix deleted file mode 100644 index 7521fe657cddc37bfd72396443868e74655e4fc0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 350 zcmV-k0ipf?M@dveQdv+`0MDuH_n=w5^+Q1Tf_QZHwY$_UgF$tm`(cpX!B9>h6Y^7% z^GGs+;=t@6j?hVz1~m-A#pI^}bNK!l@EeMwbMU+@e;!vrw(Krw6#*J^u;M8H7;E0s zJ6Bff5w~4){g7D-y`mDluT)OvKo^}sMNciLIK_B0Tyvfcy?J|$jXao|Sbh^Sn;(oO{C-mvI!x$Tzah&3g)&Sly@P`#k3Jhu5H6S|hOWdHyG 
diff --git a/nixos/machines/hera/secret/ssh_boot_rsa b/nixos/machines/hera/secret/ssh_boot_rsa deleted file mode 100644 index 39f2582ba8f5f48f3c9590f48ee9def5c8aa07a4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1697 zcmV;S24499M@dveQdv+`0LVug8a`Q$Wge2uk1Ek>6|WVakDh;}yalkw_?>x{>HTa{+~q;<5Dsti z^8imCl&uGJp*6$SLqc*M@ax6^YkJFFW~*d{gowDkkm<~reBn(A{W=^horB;<2qtiz zWW^kbV9`sguFn;}h-KD$oJ2sL8tr+ExE1@(r1YKI*{Y0?XyuqO4?HX#!(KYibzI!p zXo1CQw8?-Hf0v7%-86aRbO&lk0kB!BX1}J*GHsOoi?A&r!IpIV(2`C6`FC5&TI`E< zV{?pree8va63<<*q^LNsqQ>PsRWk?9K~QV3LQX%e=|biE>2_vyfnQxh)TMn=60ut` zmTczCNnp+k2Gsxhc&mOqL^G_tZE0<4@Lcie%7q^k$g^ODNxf$jy{#J3Ko*t7+!A0v zrro1JWC6rBzi4OD&2#QwpGob#P)VcBl?rtSh^3;KG2#yK<$~~Q_XRr0YtE(Gu+!^4 zNUuZ^S1BvPnE`J!salyDeCE!@e~pT_MA75J08gm>TD6vxc*b6me)P-5s|#Ibw=_#5(anoov~opDvTT0Y;1fOQ#T3uEr%#Id3p z64_DKWBclH*rHApddzD=huSyVWG)B4Q|gAq z2#Z~zxl1J~n}|wae30za(YiyJ!f5=pwuE4M)5V@EO#vk)7nAHJ0(jeQtQ7fX0HdAz zoH(Z;gK!%&Aj(c~nH1y$24@pH$bJ~IdO@XfVs>z}bx{`kudtR=e9R-ojI+P*5C**T z@wn5C7MpRL{t9Xwq)H%Nhs_$%CA%l`tFO-9}eVYhWKy}l=S!2Eb=3LwKgRBArkrOV#LX(yX~oE*8fM2N#D-qL2L5GCD7tOXC4_pm3pw?IJTjok%F}2 z01iIh(|a3$ne<iAI3nj(K zsF)2KxOK>y%+r>cD$QtB%iM=EHvI<<%wK}hf6lpx5f*k3c@6cfU;Pz2{$NyD4O6Vj zJZV-oreyj<)~QP-bRMpo;_4}`)U@7br?vnMa3pICCy{1tI;Z$_GwEB(QI5ua<~rK+ z;7kkQ?lz~k~GUCTB)kj_q@xLu*RkNlFQNPx_Pv-)p zanV66R3^4pwkG)n%^$1f+`pQ#Qp6`+u)cz(=A{tQbyg znC&*jHnJFqha0&Ow>S?#T&PgDHm}_<>~Iz^K9(4FQ`K690dq_}=9Quo>}rLfP>S{R zyl7vFidl;8Y4Ydr@cMQ__||c@v|88Q3I=C!B{r>yAlRB+)vmzkz)Ey~0_Y5;AGj@0 zKRhDMTaq8842_D66yvkvYG7BUdH7`DnUnEigt|Clqd~0@;0x%z&0F78KS?AvEwB9g)qNke|Ms`vdFj}4K!!l5?F}z&_4YE`MF+B zR-y|2UVs_-)eiwwlN$(%_^jUl!)7VS^6-?~pdW<=Z4-!( zS-h*-GVs|vvz0C{1bN`;;WZij*ogFnud3CZ I=-EAEJoPS?*Z=?k 
diff --git a/nixos/machines/hera/secret/weechat.nix b/nixos/machines/hera/secret/weechat.nix deleted file mode 100644 index 381e03aec51bc56b17a1b737e401869fd2cf4378..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 618 zcmV-w0+sy$M@dveQdv+`0MP>VyJL|e1NDScwd3Bs>krS2p;X$v2igRlC4So{W+k~t z3eSvXbVt&v^U1wbXc3b6rg~qqcy%>Apbd6MJf1r{48Pf~QB>!WMpy9{7qXj}1PJwoG`sI95m9I$o0bXwYcajMA1d!KRZoc`aNTnA>;&XU*d#? zIN>QDWpd?_s4RV~n!lj!s?La@S?K`7N=a|wUBZmKtN5i%>98h7uADQ)zBnnZ;5Jv0q2T5GNw48K^>HBk_HxSX-NL2`QrMV zd&AL8t3&Z$V$vl?Jp`>e2I%l%!Gp0YM+Jb=1W7})EQ4%-%u8a`uE-XHs~QuVZjMx- zF>-EEs}JM8^$%T=M*!S-QT<+CdMGVEE1vg+QHf69*6(3SHOpw*Fo<^y}+9JfJ diff --git a/nixos/machines/hera/web.nix b/nixos/machines/hera/web.nix index 31fb6482..a53d29f1 100644 --- a/nixos/machines/hera/web.nix +++ b/nixos/machines/hera/web.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: let locations = { "/" = { @@ -18,7 +18,7 @@ in { nginx = { enable = true; virtualHosts."tasks.maralorn.de" = { - basicAuth.kassandra = (import secret/kassandra.nix).password; + basicAuthFile = pkgs.privatePath "basic-auth/kassandra"; forceSSL = true; enableACME = true; locations = { diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index 6734b775..e156d62f 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -1,11 +1,5 @@ -{ pkgs, config, lib, ... }: -let me = config.m-0.private.me; -in { - imports = [ - ../../common - ./modules/laptop.nix - ./modules/loginctl-linger.nix - ]; +{ pkgs, config, lib, ... }: { + imports = [ ../../common ./modules/laptop.nix ./modules/loginctl-linger.nix ]; i18n = { defaultLocale = "en_US.UTF-8"; }; @@ -27,10 +21,7 @@ in { acceptTerms = true; }; - users = { - mutableUsers = false; - users.root.openssh.authorizedKeys = { inherit (me) keys; }; - }; + users.mutableUsers = false; environment = { etc = lib.mapAttrs' 
@@ -43,15 +34,22 @@ in { (_: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"); }; + system.activationScripts = + lib.mkIf (!pkgs.withSecrets) { text = "echo No secrets loaded!; exit 1;"; }; + nix = { binaryCaches = [ "https://cache.nixos.org/" "https://nixcache.reflex-frp.org" ]; binaryCachePublicKeys = [ "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=" ]; nixPath = [ "/etc/nix-path" ]; + trustedUsers = [ "maralorn" ]; + buildMachines = pkgs.privateValue [ ] "remote-builders"; extraOptions = '' fallback = true keep-outputs = true + auto-optimise-store = true + builders-use-substitutes = true ''; }; diff --git a/nixos/roles/git.nix b/nixos/roles/git.nix index 2318fa3d..286cc71f 100644 --- a/nixos/roles/git.nix +++ b/nixos/roles/git.nix @@ -54,7 +54,7 @@ in { services.gitolite = { enable = true; user = "git"; - adminPubkey = builtins.elemAt me.keys 0; + adminPubkey = builtins.elemAt (pkgs.privateValue [""] "ssh-keys" )0; commonHooks = [ "${post-update}/bin/post-update" ]; }; } diff --git a/nixos/roles/mathechor.de.nix b/nixos/roles/mathechor.de.nix index 281bdff2..51c643d6 100644 --- a/nixos/roles/mathechor.de.nix +++ b/nixos/roles/mathechor.de.nix @@ -1,6 +1,5 @@ { config, pkgs, lib, ... }: -let inherit (config.m-0.private) mathechor-pw me; -in { +{ services = { nginx = { enable = true; @@ -20,15 +19,14 @@ in { virtualHosts."intern.mathechor.de" = { forceSSL = true; enableACME = true; - basicAuth.mathechor = mathechor-pw; + basicAuthFile = pkgs.privatePath "basic-auth/mathechor.de"; locations = { "/" = { root = "/var/www/mathechor/intern"; index = "index.html"; }; "/mathechor.ics" = { - proxyPass = - "https://cloud.mathechor.de/remote.php/dav/public-calendars/nebsfFTzQKGSSsDc?export"; + proxyPass = pkgs.privateValue "" "mathechor-ics"; extraConfig = '' proxy_ssl_name cloud.mathechor.de; proxy_ssl_server_name on; diff --git a/nixos/roles/matrix-synapse.nix b/nixos/roles/matrix-synapse.nix index a8076997..3bab7ce7 100644 
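Review bot: The no-secrets guard in nixos/roles/default.nix is assigned to the whole option, `system.activationScripts = lib.mkIf (!pkgs.withSecrets) { text = …; }`, which defines a snippet that happens to be named `text` and only fails once the system is being switched. By then the closure has already been built with the empty-string defaults, and other activation snippets may have run depending on ordering. A named entry makes the intent explicit: `system.activationScripts.requireSecrets = lib.mkIf (!pkgs.withSecrets) { text = "echo No secrets loaded!; exit 1;"; };`. As far as this diff shows, the home-manager roles that call `privateValue`/`privateFile` have no equivalent guard. The same hunk adds `trustedUsers = [ "maralorn" ];`, which gives that account root-equivalent control over the Nix daemon and deserves a comment saying it is needed for the remote builders.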
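Review bot: In nixos/roles/mathechor.de.nix, replacing the literal calendar URL with `pkgs.privateValue "" "mathechor-ics"` does not retract the share token, because the removed line keeps it in the repository history and in this patch. The public-calendar link should be regenerated on the Nextcloud side before the private value is treated as secret; a comment such as `# share link regenerated after removal from the public tree` would record that. The value is still a Nix string, so it ends up in the generated nginx configuration in the Nix store, and the `""` default gives an empty `proxyPass` in a no-secrets build.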
--- a/nixos/roles/matrix-synapse.nix +++ b/nixos/roles/matrix-synapse.nix @@ -19,11 +19,8 @@ in { return 200 "{\"m.homeserver\": { \"base_url\":\"https://matrix.maralorn.de\"} }"; ''; }; - extraConfig = " - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization'; - "; + extraConfig = + "\n add_header 'Access-Control-Allow-Origin' '*';\n add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';\n add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';\n "; }; virtualHosts."${hostName}" = { forceSSL = true; @@ -41,7 +38,13 @@ in { postgresql.enable = true; # Synapse - matrix-synapse = { + matrix-synapse = let + server-secrets = pkgs.privateValue { + registration_shared_secret = ""; + macaroon_secret_key = ""; + turn_shared_secret = ""; + } "matrix/server-secrets"; + in server-secrets // { enable = true; package = pkgs.matrix-synapse; enable_metrics = true; @@ -51,11 +54,7 @@ in { database_type = "psycopg2"; max_upload_size = "30M"; dynamic_thumbnails = true; - registration_shared_secret = - config.m-0.private.matrix_registration_secret; - macaroon_secret_key = config.m-0.private.macaroon_secret; turn_uris = [ "turn:hera.m-0.eu:3478?transport=udp" ]; - turn_shared_secret = config.m-0.private.turn_secret; turn_user_lifetime = "5h"; allow_guest_access = true; logConfig = '' diff --git a/nixos/roles/modules/laptop.nix b/nixos/roles/modules/laptop.nix index c5b1ca1c..3a2a7221 100644 --- a/nixos/roles/modules/laptop.nix +++ b/nixos/roles/modules/laptop.nix @@ -32,6 +32,7 @@ in { }; programs.dconf.enable = true; + virtualisation.docker.enable = true; services = { upower.enable = true; printing = { diff --git a/nixos/roles/monitoring/alertmanager.nix b/nixos/roles/monitoring/alertmanager.nix index 04080bd8..94695d02 100644 
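Review bot: In nixos/roles/matrix-synapse.nix the three Synapse secrets are merged in as plain Nix values (`server-secrets // { … }`), so they are still rendered into the generated homeserver configuration in the world-readable Nix store, exactly as before the refactor. A build without the private checkout also gets empty-string `registration_shared_secret` and `macaroon_secret_key`, which is only safe as long as such a build can never be activated. If the module version in use offers `extraConfigFiles`, keeping the secrets in a YAML file referenced by path avoids the store copy, e.g. `extraConfigFiles = [ (pkgs.privatePath "<secrets-yaml-placeholder>") ];`. The `matrix-synapse` block continues outside the hunk.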
--- a/nixos/roles/monitoring/alertmanager.nix +++ b/nixos/roles/monitoring/alertmanager.nix @@ -12,7 +12,7 @@ smtp_smarthost = "hera.m-0.eu:587"; smtp_from = "alertmanager@m-0.eu"; smtp_auth_username = "alertmanager@m-0.eu"; - smtp_auth_password = config.m-0.private.alertmanager-mail-pw; + smtp_auth_password = pkgs.privateValue "" "alertmanager/mail-pw"; }; route = { group_by = [ "alert_type" ]; diff --git a/nixos/roles/monitoring/default.nix b/nixos/roles/monitoring/default.nix index 62517f4a..a6aa398f 100644 --- a/nixos/roles/monitoring/default.nix +++ b/nixos/roles/monitoring/default.nix @@ -1,6 +1,5 @@ { config, ... }: let - inherit (config.m-0.private) monitoring-guest-pw monitoring-pw; commonOptions = { enableACME = true; forceSSL = true; @@ -9,10 +8,7 @@ let allow ${config.m-0.prefix}::/64; deny all; ''; - basicAuth = { - guest = monitoring-guest-pw; - maralorn = monitoring-pw; - }; + basicAuthFile = pkgs.privatePath "basic-auth/monitoring"; }; in { imports = [ diff --git a/nixos/roles/standalone/admin.nix b/nixos/roles/standalone/admin.nix index 9fe50cd7..192c15b2 100644 --- a/nixos/roles/standalone/admin.nix +++ b/nixos/roles/standalone/admin.nix @@ -1,18 +1,18 @@ -{ config, lib, ... }: -with lib; -let me = config.m-0.private.me; +{ config, pkgs, lib, ... }: +let + passwordFile = pkgs.privatePath "pam-login-password"; + openssh.authorizedKeys.keys = pkgs.privateValue [ ] "ssh-keys"; in { users.users = { - "${me.user}" = { + maralorn = { linger = true; - description = me.name; + description = "maralorn"; isNormalUser = true; uid = 1000; extraGroups = [ "wheel" "systemd-journal" "networkmanager" "docker" "video" ]; - openssh.authorizedKeys.keys = me.keys; - passwordFile = me.pw-file; + inherit openssh passwordFile; }; - root = { passwordFile = me.pw-file; }; + root = { inherit openssh passwordFile; }; }; } diff --git a/overlays/private.nix b/overlays/private.nix new file mode 100644 index 00000000..daf2dcf9 --- /dev/null +++ b/overlays/private.nix 
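Review bot: In nixos/roles/monitoring/default.nix the new `basicAuthFile = pkgs.privatePath "basic-auth/monitoring";` uses `pkgs`, but the module header shown as unchanged context is still `{ config, ... }:`. Unless `pkgs` is bound somewhere outside the hunks, this is an undefined variable at evaluation time. The header should become `{ config, pkgs, ... }:`, as the same commit does for nixos/machines/hera/web.nix. The header of monitoring/alertmanager.nix is outside its hunk, so the same check applies to `pkgs.privateValue "" "alertmanager/mail-pw"` there. That password also stays a Nix value and will be written into the generated Alertmanager configuration in the store.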
@@ -0,0 +1,16 @@ +final: prec: { + withSecrets = let val = builtins.pathExists ../private/submodule-is-checked-out; + in builtins.trace + (if val then "Building _with_ secrets!" else "Building _without_ secrets!") + val; + privatePath = name: + let path = "/etc/nixos/private/${name}"; + in if final.withSecrets then + assert builtins.pathExists path; path + else + path; + privateValue = default: name: + if final.withSecrets then import (../private + "/${name}.nix") else default; + privateFile = name: + if final.withSecrets then ../private + "/${name}" else builtins.toFile "missing-secret-file-${name}" ""; +} diff --git a/overlays/testing.nix b/overlays/testing.nix index caf437fa..cc6a3f97 100644 --- a/overlays/testing.nix +++ b/overlays/testing.nix @@ -5,7 +5,6 @@ let configPath = "/etc/nixos"; systems = [ "apollo" "hera" ]; homes = self.lib.attrNames (import ../home-manager/machines.nix); - keys = [ "default" "apollo" "hera" ]; imports = [ "Control.Exception (onException)" ]; haskellBody = name: commandline: '' main = do @@ -55,9 +54,6 @@ in { bump <- (maybe False (== "bump") . listToMaybe) <$> getArgs bracket checkout (rm "-rf") $ \repoDir -> do withCurrentDirectory repoDir $ do - mapM_ (\x -> git_crypt "unlock" ([i|${configPath}/.git/git-crypt/keys/#{x}|] :: String)) ${ - self.haskellList keys - } when bump $ ignoreFailure $ niv "update" changed <- (mempty /=) <$> (git "-C" repoDir "status" "--porcelain" |> captureTrim) when changed $ do
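Review bot: The three helpers in overlays/private.nix have different confidentiality properties and nothing in the file says so. `privatePath` returns a plain string under `/etc/nixos/private`, so the file is read at runtime and never copied. `privateValue` imports the secret into the evaluation, and `privateFile` returns a Nix path, so anything built from either can be copied into the world-readable Nix store. I would document this above each helper, e.g. `# privatePath: runtime path string, not copied to the store; use for keys and password files` and `# privateValue / privateFile: evaluated or copied into the Nix store; not for key material`. Note also that `assert builtins.pathExists path` checks the evaluating machine, so it says nothing about the deploy target when the two differ. The second overlay argument is conventionally named `prev`; `prec` looks like a typo.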