From 5ff60d46c75c9a9633fe598f5a854a4af5f4c16f Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:09:40 +0000 Subject: [PATCH 01/28] chore(secrets): set secret "test.users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 0222f74..c9133c2 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -8,6 +8,15 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] +test.users: + je_moeder: + email: ENC[AES256_GCM,data:oBY+8lUZby+MU2RPNdCx9A==,iv:MAxRGLLrhgsvPAuJua3sR+wmfELo7DLXxICye+BuoCg=,tag:qpEu2ga8rFOU6YoZNizOqQ==,type:str] + firstName: ENC[AES256_GCM,data:RlU=,iv:OK91Ql1em+05YkM6OtGQjfe0P3OexS460EBDm7sJOAo=,tag:Dlg/BZbQFTaSLl4l9/GGrw==,type:str] + lastName: ENC[AES256_GCM,data:1FMBOVqD,iv:Hyl5pQYp2Pr1HHDpwKzVZ5DzaG7Lnm9GG4BDL66im+E=,tag:KwOCbIaTYo8J3iGnFBYuBQ==,type:str] + je_vader: + email: ENC[AES256_GCM,data:wjRm8mWD/9E4LjyEpPfD,iv:vKAjMUO81zyYZ9PdGsUkCk1MhTcpat86jVcYv5lhpUc=,tag:pDrI+8JulE9WGhb7brrEAA==,type:str] + firstName: ENC[AES256_GCM,data:KmU=,iv:M4KKh/DlJt3+CGoJu7faF6AUJXPf7ukCOMdvy1zEsow=,tag:wVPFHmHuzlg9Ib8qTZlaIg==,type:str] + lastName: ENC[AES256_GCM,data:PmkNwlc=,iv:B7IZ6+WTA9eRZizt73/iam1QXMf0kp0BWwPqpn+LHvA=,tag:SK8WMCIvAGoZn5b+wHLmKQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
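Review bot: The entries added under `test.users` keep their map keys in cleartext (`je_moeder`, `je_vader`, `email`, `firstName`, `lastName`) because sops encrypts only the leaf values. Each `data:` field is also as long as its plaintext, so `firstName: ENC[AES256_GCM,data:RlU=,…]` is visibly two bytes. For user records this means the account identifiers and field lengths are readable by anyone with repository access, without the age key. The first hunks of patches 02, 05 and 07 have the same property. Patch 08 later stores `zitadel/users` as one encrypted string, which hides the structure going forward but not in these earlier commits, so squashing the series before merge would keep the cleartext keys out of history.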
@@ -28,7 +37,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-03T15:23:12Z" - mac: ENC[AES256_GCM,data:XJW6H5FTjkGhbXtiGvscfm5W+04OqtUmYPrrzfZ5brNRviYiikwKR4OB2yFFNmRpMxseWOy+3a4Nk+/oTqJ4ycBIlatzoL3GxwfysLi6f5+Qtdjr+EG4MzZRaQobJ9NXjB6pAYGBe5OxDMvHHOuhv5lMI9SFsNzdIHzFRLQv0QQ=,iv:UUZzsyqnJG/eZktkRrnPhC5DYB3MeACh7ldx/k9+ZDk=,tag:42cI9dvQowQzeqkqFvzUGQ==,type:str] + lastmodified: "2025-11-12T13:09:38Z" + mac: ENC[AES256_GCM,data:2+QMYauDL/A9yk7wQ+37yxr2FBZ0EAaYlVtCsZ0gb4CZjolapL8EdHWvD7OuqwA57xpOOyXazUjpw0yOxuqwpvSoBAOwMf/qDTLaAfRAHNoAqcUeuCO1SdX2Yhgy/XMXPAP32LpjOsejQIIcYSmq4xQ8W0bVjUGtSdWRpFOfJJw=,iv:IVI7u2iqLPbthXCa8k7jAX/SK8bPfzSK5CrsYoU4BBA=,tag:6u2BDG+7SZPE3WFVZtIhgg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 61deef854f9ab8c00fe154c8e924382b51be0865 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:11:05 +0000 Subject: [PATCH 02/28] chore(secrets): set secret "test/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index c9133c2..5715896 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -17,6 +17,16 @@ test.users: email: ENC[AES256_GCM,data:wjRm8mWD/9E4LjyEpPfD,iv:vKAjMUO81zyYZ9PdGsUkCk1MhTcpat86jVcYv5lhpUc=,tag:pDrI+8JulE9WGhb7brrEAA==,type:str] firstName: ENC[AES256_GCM,data:KmU=,iv:M4KKh/DlJt3+CGoJu7faF6AUJXPf7ukCOMdvy1zEsow=,tag:wVPFHmHuzlg9Ib8qTZlaIg==,type:str] lastName: ENC[AES256_GCM,data:PmkNwlc=,iv:B7IZ6+WTA9eRZizt73/iam1QXMf0kp0BWwPqpn+LHvA=,tag:SK8WMCIvAGoZn5b+wHLmKQ==,type:str] +test: + users: + je_moeder: + email: ENC[AES256_GCM,data:fqwAh0RW2BbOMblczBl85A==,iv:HGrrFtdVpzv3jxnXcTTB46YzYnG4pd+Rrv0qS7gVg3o=,tag:4vZfHzEffvatg8kF5ASrAQ==,type:str] + firstName: ENC[AES256_GCM,data:hPo=,iv:49TQZVxzOq7cx9FL6mI+c9yzjMQKHgee3BeI0M2uBSY=,tag:hilJ5tkNIVi8UqJ2K2lGPA==,type:str] + lastName: ENC[AES256_GCM,data:m6F+qILM,iv:nzt6ALx5rPzcO7OXJl9r8+BNJ6gy3bwpI5EzjfVCpy4=,tag:giSOQfl6LZvr8Ii/RIJfZg==,type:str] + je_vader: + email: ENC[AES256_GCM,data:UIAQTCfDDtZSGB+R1W2M,iv:5jN7z5ExMHLxdNxJZgGiDCNlKIwYfF/q9r2GlYVONAs=,tag:4JZIk2CMhHt3uERXHCW7JA==,type:str] + firstName: ENC[AES256_GCM,data:yRs=,iv:ktZnOiXLV13xa6Y8jnyCETKwONTmAPtc3jeFoq6TLwA=,tag:LCTRmB3MfgHIAYLh5mlPTg==,type:str] + lastName: ENC[AES256_GCM,data:7F0ebJ0=,iv:iKkexa0DVk40IdMHP9ZtGVHQ+JuwdaUr37ql9ImhMUo=,tag:7VfUTtbdQTyIrgWqhydxog==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -37,7 +47,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:09:38Z" - mac: ENC[AES256_GCM,data:2+QMYauDL/A9yk7wQ+37yxr2FBZ0EAaYlVtCsZ0gb4CZjolapL8EdHWvD7OuqwA57xpOOyXazUjpw0yOxuqwpvSoBAOwMf/qDTLaAfRAHNoAqcUeuCO1SdX2Yhgy/XMXPAP32LpjOsejQIIcYSmq4xQ8W0bVjUGtSdWRpFOfJJw=,iv:IVI7u2iqLPbthXCa8k7jAX/SK8bPfzSK5CrsYoU4BBA=,tag:6u2BDG+7SZPE3WFVZtIhgg==,type:str] + lastmodified: "2025-11-12T13:11:04Z" + mac: ENC[AES256_GCM,data:Wjp8M3j/nhtb6rBTwodkZ3F7oZjLs/iHzBoQha+rI7yFLpOHs1CLju68FDEueD7viP6hO3gvdGOBydsk+DZXD6PoGzFYaY3Q2dSH5Rohh7hOtKbJ65Zf9b8Rsg2zj05moqeB8HU8NwTCOcwlIYiZs/Afs50NQlxD6vdt35ppCCE=,iv:od/nSPOluh7RdM9Rxq6ktXozNEQM5KWa/ROAc2OrN/0=,tag:+oYWtfHHSMXxzeXGDcYQUw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 6fd6b74a745d7b3f0ad752705c02a984b13ce6ce Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:11:36 +0000 Subject: [PATCH 03/28] chore(secrets): removed secret "test.users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 5715896..883e406 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -8,15 +8,6 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] -test.users: - je_moeder: - email: ENC[AES256_GCM,data:oBY+8lUZby+MU2RPNdCx9A==,iv:MAxRGLLrhgsvPAuJua3sR+wmfELo7DLXxICye+BuoCg=,tag:qpEu2ga8rFOU6YoZNizOqQ==,type:str] - firstName: ENC[AES256_GCM,data:RlU=,iv:OK91Ql1em+05YkM6OtGQjfe0P3OexS460EBDm7sJOAo=,tag:Dlg/BZbQFTaSLl4l9/GGrw==,type:str] - lastName: ENC[AES256_GCM,data:1FMBOVqD,iv:Hyl5pQYp2Pr1HHDpwKzVZ5DzaG7Lnm9GG4BDL66im+E=,tag:KwOCbIaTYo8J3iGnFBYuBQ==,type:str] - je_vader: - email: ENC[AES256_GCM,data:wjRm8mWD/9E4LjyEpPfD,iv:vKAjMUO81zyYZ9PdGsUkCk1MhTcpat86jVcYv5lhpUc=,tag:pDrI+8JulE9WGhb7brrEAA==,type:str] - firstName: ENC[AES256_GCM,data:KmU=,iv:M4KKh/DlJt3+CGoJu7faF6AUJXPf7ukCOMdvy1zEsow=,tag:wVPFHmHuzlg9Ib8qTZlaIg==,type:str] - lastName: ENC[AES256_GCM,data:PmkNwlc=,iv:B7IZ6+WTA9eRZizt73/iam1QXMf0kp0BWwPqpn+LHvA=,tag:SK8WMCIvAGoZn5b+wHLmKQ==,type:str] test: users: je_moeder: 
@@ -47,7 +38,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:11:04Z" - mac: ENC[AES256_GCM,data:Wjp8M3j/nhtb6rBTwodkZ3F7oZjLs/iHzBoQha+rI7yFLpOHs1CLju68FDEueD7viP6hO3gvdGOBydsk+DZXD6PoGzFYaY3Q2dSH5Rohh7hOtKbJ65Zf9b8Rsg2zj05moqeB8HU8NwTCOcwlIYiZs/Afs50NQlxD6vdt35ppCCE=,iv:od/nSPOluh7RdM9Rxq6ktXozNEQM5KWa/ROAc2OrN/0=,tag:+oYWtfHHSMXxzeXGDcYQUw==,type:str] + lastmodified: "2025-11-12T13:11:35Z" + mac: ENC[AES256_GCM,data:L1I7DPNxfUclb75KrArcgLF74jzH0LsNYYxqRUqBtJuhBA/4X/VOhfj6qkE2FsRass7ReRhmzWjXq+MygCcBcwo3ixk5vnqm33+NfjISpdHl8aAyJQXcfIlTofyWMXDemxfxSMpqrOmGejOser3xL5NIxPQ9OpEE853wQh4PYgE=,iv:ocUZbPytKP6cNe2UrVD7B/VKElwEoxcMKxntT+ec8QE=,tag:5I8H8O7CNQlAJzLOABpqBQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From c6f1e93f7ebe7965bc75b6bfb65c0425360f8dc3 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:12:15 +0000 Subject: [PATCH 04/28] chore(secrets): removed secret "test/users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 883e406..fc959c4 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -8,16 +8,7 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] -test: - users: - je_moeder: - email: ENC[AES256_GCM,data:fqwAh0RW2BbOMblczBl85A==,iv:HGrrFtdVpzv3jxnXcTTB46YzYnG4pd+Rrv0qS7gVg3o=,tag:4vZfHzEffvatg8kF5ASrAQ==,type:str] - firstName: ENC[AES256_GCM,data:hPo=,iv:49TQZVxzOq7cx9FL6mI+c9yzjMQKHgee3BeI0M2uBSY=,tag:hilJ5tkNIVi8UqJ2K2lGPA==,type:str] - lastName: ENC[AES256_GCM,data:m6F+qILM,iv:nzt6ALx5rPzcO7OXJl9r8+BNJ6gy3bwpI5EzjfVCpy4=,tag:giSOQfl6LZvr8Ii/RIJfZg==,type:str] - je_vader: - email: ENC[AES256_GCM,data:UIAQTCfDDtZSGB+R1W2M,iv:5jN7z5ExMHLxdNxJZgGiDCNlKIwYfF/q9r2GlYVONAs=,tag:4JZIk2CMhHt3uERXHCW7JA==,type:str] - firstName: ENC[AES256_GCM,data:yRs=,iv:ktZnOiXLV13xa6Y8jnyCETKwONTmAPtc3jeFoq6TLwA=,tag:LCTRmB3MfgHIAYLh5mlPTg==,type:str] - lastName: ENC[AES256_GCM,data:7F0ebJ0=,iv:iKkexa0DVk40IdMHP9ZtGVHQ+JuwdaUr37ql9ImhMUo=,tag:7VfUTtbdQTyIrgWqhydxog==,type:str] +test: {} sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
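Review bot: Removing the last child leaves `test: {}` behind as an empty cleartext top-level key instead of dropping `test` altogether; it stays in the file until patch 09 removes it in a separate commit. Patch 12 does the same with `nix: {}` under `zitadel`, and that line is still context in patches 13 and 14. If the consumer of this file enumerates keys, an empty map where a secret is expected may be treated as a value, so the removal step should delete the now-empty parent as well (presumably in the tool that generates these commits, which is not visible here). The ciphertext deleted in this hunk also stays readable from history to any holder of the age identity: the other entries are unchanged context, so the data key has not been rotated.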
@@ -38,7 +29,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:11:35Z" - mac: ENC[AES256_GCM,data:L1I7DPNxfUclb75KrArcgLF74jzH0LsNYYxqRUqBtJuhBA/4X/VOhfj6qkE2FsRass7ReRhmzWjXq+MygCcBcwo3ixk5vnqm33+NfjISpdHl8aAyJQXcfIlTofyWMXDemxfxSMpqrOmGejOser3xL5NIxPQ9OpEE853wQh4PYgE=,iv:ocUZbPytKP6cNe2UrVD7B/VKElwEoxcMKxntT+ec8QE=,tag:5I8H8O7CNQlAJzLOABpqBQ==,type:str] + lastmodified: "2025-11-12T13:12:14Z" + mac: ENC[AES256_GCM,data:DMRV+I9fJ+WzNyrU/vz5ZYkEchDhfQ1tx6eG5key+FMudorZj2hi8rnVhDeEn4PMqoJacpPYL+8JuBjJR/J13yK1UvtBiobbASzcB821ZTd8qDykAQmrFeXdJIaK1mtSI/nWMhb5CHz8UBPJ+buUnz2XFP4r7MPLGuOddQrkivI=,iv:sUE7on2vNUJWCpdnNOhYfvAPUYRSOnnGAEkHYJzSOIA=,tag:xi9dbQn982Ja/Km+l/XOhw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From d02f5fc4ee2a9b61e9886026e68de7418b899fca Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:12:27 +0000 Subject: [PATCH 05/28] chore(secrets): set secret "users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index fc959c4..b9b8adb 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -9,6 +9,15 @@ synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] test: {} +users: + je_moeder: + email: ENC[AES256_GCM,data:cufs2y9YJkdmMah+DKAokw==,iv:jtmcvA/CIIbTuXnCoI2qnz+gjPyCXsarIEGioPo+fo0=,tag:Nb9nBA+8ulfVaxj6axvcdA==,type:str] + firstName: ENC[AES256_GCM,data:ZsI=,iv:7kUjaEaZfJk11YpyTjd898iUmOKJuKP8U8E2yMVy3i0=,tag:0IGJ1NmAiKrSy8s0xUwPdA==,type:str] + lastName: ENC[AES256_GCM,data:sCBUiXxq,iv:ulK4iEGmzryR0X9K4mYS9Byx1lvQiw+6jKa4rFJaXBI=,tag:Gp8Qb3Aoha+jdPmRTGUS6w==,type:str] + je_vader: + email: ENC[AES256_GCM,data:rN68Hmi1FUPKKpwUhiKq,iv:1vN2ng0VpgjZYPd+UnjbAOEowTCPZzcp/adeWSzFJf4=,tag:qaPblcuIX7r2O8DD2vo/Vg==,type:str] + firstName: ENC[AES256_GCM,data:P3U=,iv:/Hwr3uYxlSAZhoTstPiKviYNWWQiQkmnK0LLnJbzaGc=,tag:0PMGs0eAnWKwr5CxnZGP3g==,type:str] + lastName: ENC[AES256_GCM,data:b1lV0eA=,iv:yHJkXwmobOKENCJ/C/ywhZw0jbRC9QPOMuERbxOYuSk=,tag:l64ky+AoVMleZHLv3HSQGQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -29,7 +38,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:12:14Z" - mac: ENC[AES256_GCM,data:DMRV+I9fJ+WzNyrU/vz5ZYkEchDhfQ1tx6eG5key+FMudorZj2hi8rnVhDeEn4PMqoJacpPYL+8JuBjJR/J13yK1UvtBiobbASzcB821ZTd8qDykAQmrFeXdJIaK1mtSI/nWMhb5CHz8UBPJ+buUnz2XFP4r7MPLGuOddQrkivI=,iv:sUE7on2vNUJWCpdnNOhYfvAPUYRSOnnGAEkHYJzSOIA=,tag:xi9dbQn982Ja/Km+l/XOhw==,type:str] + lastmodified: "2025-11-12T13:12:26Z" + mac: ENC[AES256_GCM,data:NwqAfh//TKzJaMYMU2awH8Z5IYfQZ/vZVedRSjy6KF9TSvxd8WeJiGoF1i4i7dGiGtEfvIEVmskDSDRq4sHNrBffg1Hc3j5cprmpayMYz5zCr1H+gbFNyqigzsyVRw12PEY5JhX/3yBcr+aqPvE/9D9Ti3hmh1RVuS9YqdnccaQ=,iv:PhZ/XRDjpWLeD0S+uhIDSn+jitMeghnIyWHx3eOIRjU=,tag:RG+Y1r8O7ck7Jbjb0OuBtA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 95f115f04c8ea52d06520a8526a088666bdd240d Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:12:57 +0000 Subject: [PATCH 06/28] chore(secrets): removed secret "users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index b9b8adb..a66b270 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -9,15 +9,6 @@ synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] test: {} -users: - je_moeder: - email: ENC[AES256_GCM,data:cufs2y9YJkdmMah+DKAokw==,iv:jtmcvA/CIIbTuXnCoI2qnz+gjPyCXsarIEGioPo+fo0=,tag:Nb9nBA+8ulfVaxj6axvcdA==,type:str] - firstName: ENC[AES256_GCM,data:ZsI=,iv:7kUjaEaZfJk11YpyTjd898iUmOKJuKP8U8E2yMVy3i0=,tag:0IGJ1NmAiKrSy8s0xUwPdA==,type:str] - lastName: ENC[AES256_GCM,data:sCBUiXxq,iv:ulK4iEGmzryR0X9K4mYS9Byx1lvQiw+6jKa4rFJaXBI=,tag:Gp8Qb3Aoha+jdPmRTGUS6w==,type:str] - je_vader: - email: ENC[AES256_GCM,data:rN68Hmi1FUPKKpwUhiKq,iv:1vN2ng0VpgjZYPd+UnjbAOEowTCPZzcp/adeWSzFJf4=,tag:qaPblcuIX7r2O8DD2vo/Vg==,type:str] - firstName: ENC[AES256_GCM,data:P3U=,iv:/Hwr3uYxlSAZhoTstPiKviYNWWQiQkmnK0LLnJbzaGc=,tag:0PMGs0eAnWKwr5CxnZGP3g==,type:str] - lastName: ENC[AES256_GCM,data:b1lV0eA=,iv:yHJkXwmobOKENCJ/C/ywhZw0jbRC9QPOMuERbxOYuSk=,tag:l64ky+AoVMleZHLv3HSQGQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -38,7 +29,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:12:26Z" - mac: ENC[AES256_GCM,data:NwqAfh//TKzJaMYMU2awH8Z5IYfQZ/vZVedRSjy6KF9TSvxd8WeJiGoF1i4i7dGiGtEfvIEVmskDSDRq4sHNrBffg1Hc3j5cprmpayMYz5zCr1H+gbFNyqigzsyVRw12PEY5JhX/3yBcr+aqPvE/9D9Ti3hmh1RVuS9YqdnccaQ=,iv:PhZ/XRDjpWLeD0S+uhIDSn+jitMeghnIyWHx3eOIRjU=,tag:RG+Y1r8O7ck7Jbjb0OuBtA==,type:str] + lastmodified: "2025-11-12T13:12:56Z" + mac: ENC[AES256_GCM,data:yIDCoYdcBAvwuU/JLxGEiRo5NJQRtC25RzUFHpq6FY6fEg3IsnfL9iJcSZIkKA6MVx1bB7xvRyOxh6AFePznJlOzht/Mr5quP2zX+ARsEvjSgxsz21bbdBTAsz5lorac1zFJp1/eg1ny9YYg2+1yfhXDjH557mCPgqa2MptWI1c=,iv:wrY1OHZSEtHSj7ehWRg5hRq5GBpsY35yYEifjvMXuRg=,tag:TI+viHQqQKMCHLJN1HGvyg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From d61e9e19ca57cc9c525bf97b3a8e68bbd7050eec Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:13:06 +0000 Subject: [PATCH 07/28] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index a66b270..60fcd7c 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,6 +3,15 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] + users: + je_moeder: + email: ENC[AES256_GCM,data:K8pZBUCIDUlGmjjF9S+OCg==,iv:o0Sruyj1JVOg9LcaOVV8WFV9F2F8E5yB+RlunUJt0ak=,tag:JJ1+rYl2i0O5Jw5Yq7PLEw==,type:str] + firstName: ENC[AES256_GCM,data:e5o=,iv:oE7fdhPArt3yCOgVFS+2POn9kYV5xd35CRaQiqVqRLE=,tag:T/rZoZvx+ehuMQXD9mLI/g==,type:str] + lastName: ENC[AES256_GCM,data:HSBa6CbV,iv:5vjdeJNjnvAu2fez4YLKc6FC3KEgn4FSA8oOaCpO2Mo=,tag:bCuE+JelyHk0Kh7Svq3t0A==,type:str] + je_vader: + email: ENC[AES256_GCM,data:Q1ecbn8liNRvuRZa8EOU,iv:+dd6E2BV4+coGtS84myqgW+eTB9i8rnjPhYTMGeK/gs=,tag:owE2iHUFboUvC0nFpMdG4w==,type:str] + firstName: ENC[AES256_GCM,data:KRE=,iv:tHDfQ8pMnO4J1Yu1SgPNQjMtVr26tVTtivyTxGGF1Kc=,tag:N3djEu5AAi8hHAbNq23Czg==,type:str] + lastName: ENC[AES256_GCM,data:rjd/IRM=,iv:inrY04n3XWYhPMPiXKcdaQJr4rjV1zSuCCintc+i7DM=,tag:f72ELx2K6UypllMUFdJ3fA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -29,7 +38,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:12:56Z" - mac: ENC[AES256_GCM,data:yIDCoYdcBAvwuU/JLxGEiRo5NJQRtC25RzUFHpq6FY6fEg3IsnfL9iJcSZIkKA6MVx1bB7xvRyOxh6AFePznJlOzht/Mr5quP2zX+ARsEvjSgxsz21bbdBTAsz5lorac1zFJp1/eg1ny9YYg2+1yfhXDjH557mCPgqa2MptWI1c=,iv:wrY1OHZSEtHSj7ehWRg5hRq5GBpsY35yYEifjvMXuRg=,tag:TI+viHQqQKMCHLJN1HGvyg==,type:str] + lastmodified: "2025-11-12T13:13:05Z" + mac: ENC[AES256_GCM,data:9cYUu7cuPLg80b+wxRwKQkHIdrc+y4C/XFO42f0hJ8o1uK+syzDFOeP7L5eaeZxAlRGpGtJAdd/LKMwOJ016GgGafF8PAQc6k43I6ZFfc/k/3FqQvvI8inRKJu7ptg6ISPfC5WfAtOIc/rg/uwB0vvfxCd/epEGuKO9Dw7TmaXY=,iv:uMamMMCmHPzNG/JfEZeGHvo30uNpcYYbmuLRv8EMePc=,tag:ioDShXxVb6VM0OaSu2KLiA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 4c3adb782c2d887b7deda0f087c5e0d276acb3dc Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:31:01 +0000 Subject: [PATCH 08/28] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 60fcd7c..0844135 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,15 +3,7 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] - users: - je_moeder: - email: ENC[AES256_GCM,data:K8pZBUCIDUlGmjjF9S+OCg==,iv:o0Sruyj1JVOg9LcaOVV8WFV9F2F8E5yB+RlunUJt0ak=,tag:JJ1+rYl2i0O5Jw5Yq7PLEw==,type:str] - firstName: ENC[AES256_GCM,data:e5o=,iv:oE7fdhPArt3yCOgVFS+2POn9kYV5xd35CRaQiqVqRLE=,tag:T/rZoZvx+ehuMQXD9mLI/g==,type:str] - lastName: ENC[AES256_GCM,data:HSBa6CbV,iv:5vjdeJNjnvAu2fez4YLKc6FC3KEgn4FSA8oOaCpO2Mo=,tag:bCuE+JelyHk0Kh7Svq3t0A==,type:str] - je_vader: - email: ENC[AES256_GCM,data:Q1ecbn8liNRvuRZa8EOU,iv:+dd6E2BV4+coGtS84myqgW+eTB9i8rnjPhYTMGeK/gs=,tag:owE2iHUFboUvC0nFpMdG4w==,type:str] - firstName: ENC[AES256_GCM,data:KRE=,iv:tHDfQ8pMnO4J1Yu1SgPNQjMtVr26tVTtivyTxGGF1Kc=,tag:N3djEu5AAi8hHAbNq23Czg==,type:str] - lastName: ENC[AES256_GCM,data:rjd/IRM=,iv:inrY04n3XWYhPMPiXKcdaQJr4rjV1zSuCCintc+i7DM=,tag:f72ELx2K6UypllMUFdJ3fA==,type:str] + users: ENC[AES256_GCM,data:fj6NCe3hPGewuReJ3jeT4WGy8Q2Yag+CdpK9pQHRIkC0XAM4VjDSn44S3N5n4Vf0IWCoN5AECkQ2gTquwahGkZftKU+exd4+nM1YQrjskmtxjR6VZlpEdwYnzX3nGQ3njzj3q7EO3NCAsINsnEwDdzX0hhzxlnhV4ImRZ8nIt1nGAC6WIFtkagvof4l1IOrgQz4EUBhjvzBI/LWuXsCfXdpmAzV5B6QPpWPwhmg=,iv:mX9bxBFhiXzbj7qOlRbv6vpqVkGUcwEYe2OqWkjhKVM=,tag:Bb+afO3Fc8PC64XCVV7c0Q==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
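Review bot: `zitadel.users` changes here from a map of per-field secrets to a single `type:str` value, and nothing in the file or the commit subject (identical to patch 07's) says how that string is serialized. Whatever reads `zitadel/users` now has to parse the decrypted text itself, and a reviewer can no longer tell from a diff which user or field changed, as the whole-value replacement in patch 14 shows. I would record the format in the commit message or next to the consumer, for example `zitadel/users: <serialization format>, one entry per user`, and have the consumer fail closed on a parse error. The consumer is not part of the visible series, so this is a request to confirm rather than a found bug.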
@@ -38,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:13:05Z" - mac: ENC[AES256_GCM,data:9cYUu7cuPLg80b+wxRwKQkHIdrc+y4C/XFO42f0hJ8o1uK+syzDFOeP7L5eaeZxAlRGpGtJAdd/LKMwOJ016GgGafF8PAQc6k43I6ZFfc/k/3FqQvvI8inRKJu7ptg6ISPfC5WfAtOIc/rg/uwB0vvfxCd/epEGuKO9Dw7TmaXY=,iv:uMamMMCmHPzNG/JfEZeGHvo30uNpcYYbmuLRv8EMePc=,tag:ioDShXxVb6VM0OaSu2KLiA==,type:str] + lastmodified: "2025-11-12T13:31:00Z" + mac: ENC[AES256_GCM,data:L+Y6kxveMKadtFSZA7nWa7QEBOvtq5eZDfFfq6UzsHhLsqsMskvzj1UopMYFAjvGT9dXd0Z5rwUQcSaqEAv8DEaPkFLAODY4zMgY563dsSkqEdQfpa6lx1g4h3BlvXu446oKt14q5I4lUDB4QWH2mb+wv2rJQjVbSwYgh3g8vP8=,iv:bbKweYmFwEpzlevRig9JTj1/BvjYuKLo2B8grSuHchs=,tag:VBPskgd5Kaki0aFlVWZ64g==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From cebc2ec0403699b8349f61729a360845e3333d67 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:31:42 +0000 Subject: [PATCH 09/28] chore(secrets): removed secret "test" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 0844135..04fab75 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -9,7 +9,6 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] -test: {} sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -30,7 +29,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:31:00Z" - mac: ENC[AES256_GCM,data:L+Y6kxveMKadtFSZA7nWa7QEBOvtq5eZDfFfq6UzsHhLsqsMskvzj1UopMYFAjvGT9dXd0Z5rwUQcSaqEAv8DEaPkFLAODY4zMgY563dsSkqEdQfpa6lx1g4h3BlvXu446oKt14q5I4lUDB4QWH2mb+wv2rJQjVbSwYgh3g8vP8=,iv:bbKweYmFwEpzlevRig9JTj1/BvjYuKLo2B8grSuHchs=,tag:VBPskgd5Kaki0aFlVWZ64g==,type:str] + lastmodified: "2025-11-12T13:31:41Z" + mac: ENC[AES256_GCM,data:86tmpvp690SF1Cfeq3xnXmIgaepieKTKlbZXy4BtWOH0uActMD08kIBYG1ycsRkr2glwXdTznEXLddcB5zWC4fFQbrIk8LOYeJ1ZoXz8ocL47IDYN+Yd4BzDUooIYaCocbSIvHj0BULZBz4pwfYm1BwZ2QT6N7ygJDGZOK8jFSc=,iv:dcXCvNhA4ARd9p9RgdL7LbCwduufjxDhFDN4Tk1HEW8=,tag:RNN5rC6luE8xOnbVsmrDWQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 983f1aa7d88d1d7c52298c61e51170490e226a33 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:36:42 +0000 Subject: [PATCH 10/28] chore(secrets): set secret "zitadel/nix/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 04fab75..24e9d30 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,6 +4,8 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] users: ENC[AES256_GCM,data:fj6NCe3hPGewuReJ3jeT4WGy8Q2Yag+CdpK9pQHRIkC0XAM4VjDSn44S3N5n4Vf0IWCoN5AECkQ2gTquwahGkZftKU+exd4+nM1YQrjskmtxjR6VZlpEdwYnzX3nGQ3njzj3q7EO3NCAsINsnEwDdzX0hhzxlnhV4ImRZ8nIt1nGAC6WIFtkagvof4l1IOrgQz4EUBhjvzBI/LWuXsCfXdpmAzV5B6QPpWPwhmg=,iv:mX9bxBFhiXzbj7qOlRbv6vpqVkGUcwEYe2OqWkjhKVM=,tag:Bb+afO3Fc8PC64XCVV7c0Q==,type:str] + nix: + users: ENC[AES256_GCM,data:m8MKmEFUqKnKpGBRZbXycQFsH/eDVELcnbRWR3FDiSUahQhimZUfewRRGkbQHvFhu/b5shf5Yb7QM58G9iWGwFPNoj+ptFofsPFcq0sHbaH5Pe/YtsJNMWJib52R2FAjlbqUeJy3+2zrbHu4IMOwLgfqd6uwQ+RZ22Itt8R2c8EYdRJyKG8coy8Z/OjN6pzCki3OQS670b1IKWdWkfmzjrZMcxfNMRZGI8fJQnc=,iv:IjLbSH73GC8+cKy9pdqcu59vVoeinAlJ2LQohymvqTc=,tag:qx/VSpo8XuWac/A2o3n9bQ==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: @@ -29,7 +31,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:31:41Z" - mac: ENC[AES256_GCM,data:86tmpvp690SF1Cfeq3xnXmIgaepieKTKlbZXy4BtWOH0uActMD08kIBYG1ycsRkr2glwXdTznEXLddcB5zWC4fFQbrIk8LOYeJ1ZoXz8ocL47IDYN+Yd4BzDUooIYaCocbSIvHj0BULZBz4pwfYm1BwZ2QT6N7ygJDGZOK8jFSc=,iv:dcXCvNhA4ARd9p9RgdL7LbCwduufjxDhFDN4Tk1HEW8=,tag:RNN5rC6luE8xOnbVsmrDWQ==,type:str] + lastmodified: "2025-11-12T13:36:41Z" + mac: ENC[AES256_GCM,data:ih21F3CkRcW3Rfh3swiz+1z6HhcGrbW1I+XQN/XDlV0F+b7PTt5NZyCrqPAH/X14x1oGJBwfg+Yz16HJ6+ZtZh4BEGDCudTDGJNSN+1Hq6v6FHEFnG4nHj2SPEptpx5uJ8GnnORh4qxe4lQQelAbUdPktqr1PcQMl0bEhWzTxC8=,iv:7IHRdH09/Kgt5eXJyHxfBtCOCfpFnYU+BpaS4+7qJjQ=,tag:A0sJJDvihszvolCANlmZoA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From c5ec450517973d2dd973fb516d25e09c3b55f297 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:36:56 +0000 Subject: [PATCH 11/28] chore(secrets): removed secret "zitadel/users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 24e9d30..173cda3 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,7 +3,6 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] - users: ENC[AES256_GCM,data:fj6NCe3hPGewuReJ3jeT4WGy8Q2Yag+CdpK9pQHRIkC0XAM4VjDSn44S3N5n4Vf0IWCoN5AECkQ2gTquwahGkZftKU+exd4+nM1YQrjskmtxjR6VZlpEdwYnzX3nGQ3njzj3q7EO3NCAsINsnEwDdzX0hhzxlnhV4ImRZ8nIt1nGAC6WIFtkagvof4l1IOrgQz4EUBhjvzBI/LWuXsCfXdpmAzV5B6QPpWPwhmg=,iv:mX9bxBFhiXzbj7qOlRbv6vpqVkGUcwEYe2OqWkjhKVM=,tag:Bb+afO3Fc8PC64XCVV7c0Q==,type:str] nix: users: ENC[AES256_GCM,data:m8MKmEFUqKnKpGBRZbXycQFsH/eDVELcnbRWR3FDiSUahQhimZUfewRRGkbQHvFhu/b5shf5Yb7QM58G9iWGwFPNoj+ptFofsPFcq0sHbaH5Pe/YtsJNMWJib52R2FAjlbqUeJy3+2zrbHu4IMOwLgfqd6uwQ+RZ22Itt8R2c8EYdRJyKG8coy8Z/OjN6pzCki3OQS670b1IKWdWkfmzjrZMcxfNMRZGI8fJQnc=,iv:IjLbSH73GC8+cKy9pdqcu59vVoeinAlJ2LQohymvqTc=,tag:qx/VSpo8XuWac/A2o3n9bQ==,type:str] forgejo: 
@@ -31,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:36:41Z" - mac: ENC[AES256_GCM,data:ih21F3CkRcW3Rfh3swiz+1z6HhcGrbW1I+XQN/XDlV0F+b7PTt5NZyCrqPAH/X14x1oGJBwfg+Yz16HJ6+ZtZh4BEGDCudTDGJNSN+1Hq6v6FHEFnG4nHj2SPEptpx5uJ8GnnORh4qxe4lQQelAbUdPktqr1PcQMl0bEhWzTxC8=,iv:7IHRdH09/Kgt5eXJyHxfBtCOCfpFnYU+BpaS4+7qJjQ=,tag:A0sJJDvihszvolCANlmZoA==,type:str] + lastmodified: "2025-11-12T13:36:55Z" + mac: ENC[AES256_GCM,data:MZkBh/F6MnQUUp2bSp50ZtrnYusQ0rDWx5stIUWfuXD4hh6RW8qxFGL4/JndiOt7iZNQwdAVHgmRGSmTGza7OZoaDV+Mn0b9WPT/IbHst5MqEGdELeGqUkfBm4SPGkCNt+R+SQ6U8UEioi7EruodnkcF/TAg6wjFf1/XbN+djuc=,iv:i2JM8GPnpmbFsJkqWrZI/YQ11DK5nGXQ5brU4XbK7PQ=,tag:bzpIER1GH/b/LHTNo+apgA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 9a3f154cab488c5ff7e946fd15f0cee71f5103fd Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:40:07 +0000 Subject: [PATCH 12/28] chore(secrets): removed secret "zitadel/nix/users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 173cda3..c26df47 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,8 +3,7 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] - nix: - users: ENC[AES256_GCM,data:m8MKmEFUqKnKpGBRZbXycQFsH/eDVELcnbRWR3FDiSUahQhimZUfewRRGkbQHvFhu/b5shf5Yb7QM58G9iWGwFPNoj+ptFofsPFcq0sHbaH5Pe/YtsJNMWJib52R2FAjlbqUeJy3+2zrbHu4IMOwLgfqd6uwQ+RZ22Itt8R2c8EYdRJyKG8coy8Z/OjN6pzCki3OQS670b1IKWdWkfmzjrZMcxfNMRZGI8fJQnc=,iv:IjLbSH73GC8+cKy9pdqcu59vVoeinAlJ2LQohymvqTc=,tag:qx/VSpo8XuWac/A2o3n9bQ==,type:str] + nix: {} forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: @@ -30,7 +29,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:36:55Z" - mac: ENC[AES256_GCM,data:MZkBh/F6MnQUUp2bSp50ZtrnYusQ0rDWx5stIUWfuXD4hh6RW8qxFGL4/JndiOt7iZNQwdAVHgmRGSmTGza7OZoaDV+Mn0b9WPT/IbHst5MqEGdELeGqUkfBm4SPGkCNt+R+SQ6U8UEioi7EruodnkcF/TAg6wjFf1/XbN+djuc=,iv:i2JM8GPnpmbFsJkqWrZI/YQ11DK5nGXQ5brU4XbK7PQ=,tag:bzpIER1GH/b/LHTNo+apgA==,type:str] + lastmodified: "2025-11-12T13:40:06Z" + mac: ENC[AES256_GCM,data:rVAUscmwGDOEr5wpxu4STvYXvgQ7aY/zqna2GhV1Mihpt1LZJLwHRjEGBx/XTSn6LdR9WQFBdb9a1x/fav1UsrPggrMEZY/gjAWfQMlBpSu0EBPMowheiH+7y/kblSwRevbP0b1A2l0b/iegTAsvAt5cMuzpk8WiUAGMDAPw/Vs=,iv:nxSFea50iNefr/UMXS3+ma+1LytAboj6P+bOBWl7/VU=,tag:upvsqn3BcsJtVc2dxgaFCQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 8203f653f968af835f37de07127e27b57c67aaa7 Mon Sep 17 00:00:00 2001 
From: chris Date: Wed, 12 Nov 2025 13:40:15 +0000 Subject: [PATCH 13/28] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index c26df47..4a4db7e 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,6 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} + users: ENC[AES256_GCM,data:HtUJ7qgQofPTHDswx/c1K20DX4GCciZmDh5nknOiKSEClHwrmxeXG88yEYjsrWB2VMqnrFwD9cRj6tn0N50ovClL9Qu/QxOhIvqJM+ZN4+rlhbwWO2qukgPt4Lpyqz7uEbmpykJ503nOVAoLRbA5Kl3M6neb66/1oVyptBWbdHEEz+LhZnjFxybwqDi364B1+hn/9Saa5PJYtMVIrAWCwcIvL1+3TsK5I6SfR+s=,iv:9zll4Wqt526wyOcCjBmu9itmNRtCzimwMItG82G9neE=,tag:3BQwKVWvF6Ur5hNGey/8YA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -29,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:40:06Z" - mac: ENC[AES256_GCM,data:rVAUscmwGDOEr5wpxu4STvYXvgQ7aY/zqna2GhV1Mihpt1LZJLwHRjEGBx/XTSn6LdR9WQFBdb9a1x/fav1UsrPggrMEZY/gjAWfQMlBpSu0EBPMowheiH+7y/kblSwRevbP0b1A2l0b/iegTAsvAt5cMuzpk8WiUAGMDAPw/Vs=,iv:nxSFea50iNefr/UMXS3+ma+1LytAboj6P+bOBWl7/VU=,tag:upvsqn3BcsJtVc2dxgaFCQ==,type:str] + lastmodified: "2025-11-12T13:40:15Z" + mac: ENC[AES256_GCM,data:L2efaWrCNjPXA/nRO78Lq+5vqcs2z2/jOzOz9SDBN5rN/Svt2WxqP7F076eNP9NfFgd7SkTyTekrU0szXkHSMXyAFrg+l8cYV6NLz6KTnwsVm7k7DJNa+i0iWh+GKl8VY+qFFOsDIGQlFNCgxmNmdaqwuldOUgTEBxMltIlpo44=,iv:pZYwaQWKvESvTvI00D/6gHB4On9w2jYeoME6FXrJ+Ak=,tag:s/5oYn3iaDicFDBJroaudg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 9a664b243831962c006152ed765297587e570e68 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:40:34 +0000 Subject: [PATCH 14/28] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4a4db7e..919e826 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:HtUJ7qgQofPTHDswx/c1K20DX4GCciZmDh5nknOiKSEClHwrmxeXG88yEYjsrWB2VMqnrFwD9cRj6tn0N50ovClL9Qu/QxOhIvqJM+ZN4+rlhbwWO2qukgPt4Lpyqz7uEbmpykJ503nOVAoLRbA5Kl3M6neb66/1oVyptBWbdHEEz+LhZnjFxybwqDi364B1+hn/9Saa5PJYtMVIrAWCwcIvL1+3TsK5I6SfR+s=,iv:9zll4Wqt526wyOcCjBmu9itmNRtCzimwMItG82G9neE=,tag:3BQwKVWvF6Ur5hNGey/8YA==,type:str] + users: ENC[AES256_GCM,data:48Mp825G0rIl6xYOL7FrMvwLcRZcGLg1tZTN/MSPR4qwlEmOknE5fg3+ZvJKslncmylBHF8x0GkCaZAotBFcOiXz8R15B0AV4r/G7tvgJtU1ZSQH/T09IUbPZsa0Xp8tsijhqo1IzBsq5loR38wHKZINxW73UB/yuX644uLb/F4+R0UJQc5BS6iI/2sd2CVYQovdDUyugSAQa57Uo0HlkSa1JO30iXWgjgSy2YgyxC4ZreKLT7j8/Q==,iv:IvXwZlyi5pH5aPMiPCHfB3NaCjBuSGtU3JW6rCzth2Y=,tag:JnMMKV1djPLo5aTxtD1qEg==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: @@ -30,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:40:15Z" - mac: ENC[AES256_GCM,data:L2efaWrCNjPXA/nRO78Lq+5vqcs2z2/jOzOz9SDBN5rN/Svt2WxqP7F076eNP9NfFgd7SkTyTekrU0szXkHSMXyAFrg+l8cYV6NLz6KTnwsVm7k7DJNa+i0iWh+GKl8VY+qFFOsDIGQlFNCgxmNmdaqwuldOUgTEBxMltIlpo44=,iv:pZYwaQWKvESvTvI00D/6gHB4On9w2jYeoME6FXrJ+Ak=,tag:s/5oYn3iaDicFDBJroaudg==,type:str] + lastmodified: "2025-11-12T13:40:34Z" + mac: ENC[AES256_GCM,data:14yuefNArmFzKi1Jn5H3VEqsB5ZXtLkQ3rgVLrv/eILW2Fngyhsq4WecHZM7C900fHN05fdGtDKzR/EDSIp70/ZXDnEKTYRimBAj8HshPh71EMhBOYRzeDrY1dZlYrNbXu9j4hyhY/qe86NsZPdNwSbl8QkKwgxKO9oIaSOLQxU=,iv:Z/ta3aecrnCU9+f99a3vF2JMZyTtR1kJ/W6KIFh49z4=,tag:xU/1rmyXtti4n97lUSc6Cw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From 91d8a32239d6ad0e2628d80d68fea5778a220a96 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 16:13:10 +0000 Subject: [PATCH 15/28] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 919e826..f6e918b 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:48Mp825G0rIl6xYOL7FrMvwLcRZcGLg1tZTN/MSPR4qwlEmOknE5fg3+ZvJKslncmylBHF8x0GkCaZAotBFcOiXz8R15B0AV4r/G7tvgJtU1ZSQH/T09IUbPZsa0Xp8tsijhqo1IzBsq5loR38wHKZINxW73UB/yuX644uLb/F4+R0UJQc5BS6iI/2sd2CVYQovdDUyugSAQa57Uo0HlkSa1JO30iXWgjgSy2YgyxC4ZreKLT7j8/Q==,iv:IvXwZlyi5pH5aPMiPCHfB3NaCjBuSGtU3JW6rCzth2Y=,tag:JnMMKV1djPLo5aTxtD1qEg==,type:str] + users: ENC[AES256_GCM,data:qsl1uHFMRiO26wgVF5798oSyoO/LHmC/TgHekDQB7OHVmlxvG6ehXw2xeo2RW3ehWf64zHyViO2VtUfA5+RbiuHRYPd4tg7dErmUPdvEo6peC72Sr90U9Uc/cTG7yzeTckdYbnv5vqZwNh8YDF+mB6c7MbUocd18xw3+3Hz4/dkHZyOIXHVpfvtl3vc0RLDh6vyNsb61la51FFHYnUkwNApWgnRZD1JpYGdIiDh5R71f9oxK5hHBkL7+KEZ5bVbVf4nAlNwGZA==,iv:c1AoqPzn5oUFn20dPoX2hqZfBk10fxC7xbMjPiGKb5c=,tag:7NCE1fo9g80iFENvZRv1rA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -30,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:40:34Z" - mac: ENC[AES256_GCM,data:14yuefNArmFzKi1Jn5H3VEqsB5ZXtLkQ3rgVLrv/eILW2Fngyhsq4WecHZM7C900fHN05fdGtDKzR/EDSIp70/ZXDnEKTYRimBAj8HshPh71EMhBOYRzeDrY1dZlYrNbXu9j4hyhY/qe86NsZPdNwSbl8QkKwgxKO9oIaSOLQxU=,iv:Z/ta3aecrnCU9+f99a3vF2JMZyTtR1kJ/W6KIFh49z4=,tag:xU/1rmyXtti4n97lUSc6Cw==,type:str] + lastmodified: "2025-11-12T16:13:10Z" + mac: ENC[AES256_GCM,data:Ly+IKYbDg16x7XtlvBLL4DL2y3wX79e+OBJzw60+PaITFkEOuhr7KfYCMD/ZMeNa6UVcDcdJc6xb1xcRvNMcnF2N7UvgCfxoMS9SHZXa38OM2f1buuwxuAeoAV7zJQyzCJg0c2fwG8goICHmMXPNKeaEgBod+RkysJtJbH1TG18=,iv:EuKYDmTSYTKS1klO2cIS61eFkz+/FIDHBQ9daGkf/+4=,tag:tKbQrciiLqe9fdHw6BXslw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 4dc24de8eb6e0ea686bef8c0533e9238cd4d6913 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 16:13:37 +0000 Subject: [PATCH 16/28] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index f6e918b..ef9b039 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:qsl1uHFMRiO26wgVF5798oSyoO/LHmC/TgHekDQB7OHVmlxvG6ehXw2xeo2RW3ehWf64zHyViO2VtUfA5+RbiuHRYPd4tg7dErmUPdvEo6peC72Sr90U9Uc/cTG7yzeTckdYbnv5vqZwNh8YDF+mB6c7MbUocd18xw3+3Hz4/dkHZyOIXHVpfvtl3vc0RLDh6vyNsb61la51FFHYnUkwNApWgnRZD1JpYGdIiDh5R71f9oxK5hHBkL7+KEZ5bVbVf4nAlNwGZA==,iv:c1AoqPzn5oUFn20dPoX2hqZfBk10fxC7xbMjPiGKb5c=,tag:7NCE1fo9g80iFENvZRv1rA==,type:str] + users: ENC[AES256_GCM,data:xkjm0+PBt6gmZyfi3n3OIEe5b+d4OtN0Y3UfmdcbcJHbJZuiz+60oUjlAN0vjtsi0muufoAqtGJTIpm9nDZzzN7b7LK43TAhcuSlIm5LpbZFp1U3H4laRbTwauAT6wA0aDCfAkwTozxAuEUk1jAu+65ktJNJb7b0PR7s/I/wf7IgW2+K4Jv3LIOZIipUwfuvXuTzsxCElYRvGZXmIuXrYq1EaymksHHggemrKeMWLAae7mzz5v3aBbwxiVjQNkQkS4ApsO/5nZUat0oqXA==,iv:fptZn4NmX3iYKSEPLJAOFpt+KQ6TR1w9KaY9IF4p/Wk=,tag:UKvMOSIT5/mhfZA3usbLhQ==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -30,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T16:13:10Z" - mac: ENC[AES256_GCM,data:Ly+IKYbDg16x7XtlvBLL4DL2y3wX79e+OBJzw60+PaITFkEOuhr7KfYCMD/ZMeNa6UVcDcdJc6xb1xcRvNMcnF2N7UvgCfxoMS9SHZXa38OM2f1buuwxuAeoAV7zJQyzCJg0c2fwG8goICHmMXPNKeaEgBod+RkysJtJbH1TG18=,iv:EuKYDmTSYTKS1klO2cIS61eFkz+/FIDHBQ9daGkf/+4=,tag:tKbQrciiLqe9fdHw6BXslw==,type:str] + lastmodified: "2025-11-12T16:13:36Z" + mac: ENC[AES256_GCM,data:UaUK/qYthw2C2XZeUPeuHV0VZaIKo7dd7EPtaM4PQ6xdJSNNACaMtwd+1u2jGmJysWHI3yjSpz2ZnRTaDX6O99/bLo6ilYPkGTlqjIWh+rzzZjaOP1fsuHwfCRSKkei3niojgcoKku3ohcuWWP1NUe5+EMIb68jGOVogTH2TBjo=,iv:kSLgzJZaef29Uvc/oY9uNQc5CE7iVfQrhE9RMGdmPjE=,tag:1IH/89za43RYLzizoCSb3w==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From df5dfa61a92c58112fdbed96c433f6c537b70710 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 12 Nov 2025 17:20:21 +0100 Subject: [PATCH 17/28] fix(justfile): escape double quotes for inputs --- .just/vars.just | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.just/vars.just b/.just/vars.just index b4d6be2..944d7cf 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -13,7 +13,7 @@ list machine: {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml @set machine key value: - {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"' + {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\"/g')\"" git add {{ base_path }}/{{ machine }}/secrets.yml git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null From fa37c3eb503d22403ddd6fde652da30def5a7e12 Mon Sep 17 00:00:00 2001 
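Review bot: The rewritten `sops set` line in `.just/vars.just` still splices `{{ value }}` into a single-quoted shell word, so a value containing `'` ends the quote and the rest is parsed by the shell as code; the added `sed` escapes only `"`, so backslashes and newlines still produce invalid or altered JSON. Let just do the shell quoting and a JSON encoder do the rest, for example `"$(jq -n --arg v {{ quote(value) }} '$v')"` as the last argument (assuming `jq` is available in the dev shell). `{{ key }}` has the same single-quote problem in the unchanged `git commit -m` line and in the `printf` that builds the path. The secret is also passed on the `sops` command line, where it is visible in the local process list; feeding it on stdin avoids that if the sops version in use supports it.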
From: Chris Kruining Date: Wed, 12 Nov 2025 17:23:40 +0100 Subject: [PATCH 18/28] feat(zitadel): add extra users via secrets --- .../authentication/zitadel/default.nix | 59 ++++++++++++++++--- 1 file changed, 50 insertions(+), 9 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 402d59d..c4ceaac 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length; + inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; @@ -336,6 +336,21 @@ in jwt_profile_file = "/var/lib/zitadel/machine-key.json"; }; + locals = { + extra_users = lib.tfRef " + flatten([ for org, users in jsondecode(file(\"${config'.sops.secrets."zitadel/users".path}\")): [ + for name, details in users: { + org = org + name = name + email = details.email + firstName = details.firstName + lastName = details.lastName + } + ] ]) + "; + orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id"); + }; + resource = { # Organizations zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: 
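Review bot: `local.extra_users` reads the decrypted `zitadel/users` file with `file()` and `jsondecode()`, and nothing on that path marks the result as sensitive, so the e-mail addresses and names kept encrypted in `secrets.yml` will presumably appear in the plan output of the apply unit and are written to Terraform state as ordinary attributes. If that is accepted, say so next to the local, e.g. `# zitadel/users is only secret at rest in the repo; its values reach plan output and state unredacted`. The expression also assumes every entry carries `email`, `firstName` and `lastName`; a missing key aborts the plan with an attribute error that does not name the offending user. The `locals` attrset is complete in this hunk, but the enclosing module body starts and ends outside it.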
@@ -384,15 +399,35 @@ in ); # Users - zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: - { - inherit email userName firstName lastName; + zitadel_human_user = + (cfg.organization + |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: + { + inherit email userName firstName lastName; - isEmailVerified = true; - } - |> withRef "org" org - |> toResource "${org}_${name}" - ); + isEmailVerified = true; + } + |> withRef "org" org + |> toResource "${org}_${name}" + )) + + // { + "extra_users" = { + for_each = lib.tfRef ''{ + for user in local.extra_users : + "''${user.org}_''${user.name}" => user + }''; + + org_id = lib.tfRef "local.orgs[each.value.org]"; + user_name = lib.tfRef "each.value.name"; + email = lib.tfRef "each.value.email"; + first_name = lib.tfRef "each.value.firstName"; + last_name = lib.tfRef "each.value.lastName"; + + is_email_verified = true; + }; + } + ; # Global user roles zitadel_instance_member = @@ -648,6 +683,12 @@ in key = "email/chris_kruining_eu"; restartUnits = [ "zitadel.service" ]; }; + + "zitadel/users" = { + owner = "zitadel"; + group = "zitadel"; + restartUnits = [ "zitadelApplyTerraform.service" ]; + }; }; }; }; From 4e09252e75c6e53a7f6188dcf97d71a8b53ae44c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 12 Nov 2025 17:26:17 +0100 Subject: [PATCH 19/28] feat(zitadel): add remapping of exported keys --- .../authentication/zitadel/default.nix | 24 ++++++++++++++++--- systems/x86_64-linux/ulmo/default.nix | 10 ++++++++ 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index c4ceaac..bd74ca2 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
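Review bot: `org_id = lib.tfRef "local.orgs[each.value.org]"` in the `extra_users` resource indexes a map built only from `cfg.organization`, while the org names come from the separately edited `zitadel/users` secret, so a typo or a not-yet-declared organization fails the whole apply with an invalid-index error. A precondition gives a readable failure instead, something like `lifecycle.precondition = [{ condition = lib.tfRef "contains(keys(local.orgs), each.value.org)"; error_message = "zitadel/users names an organization that is not declared in cfg.organization"; }];`. Separately, `is_email_verified = true` is applied to every address from the secret without a verification step; that matches the declarative users above it, but a comment should state that these addresses are trusted as entered. The `resource` attrset continues outside the hunk.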
@@ -140,6 +140,24 @@ in . ''; }; + + exportMap = + let + strOpt = mkOption { type = types.nullOr types.str; default = null; }; + in + mkOption { + type = types.submodule { options = { client_id = strOpt; client_secret = strOpt; }; }; + default = {}; + example = literalExpression '' + { + client_id = "SSO_CLIENT_ID"; + client_secret = "SSO_CLIENT_SECRET"; + } + ''; + description = '' + Remap the outputted variables to another key. + ''; + }; }; }); }; @@ -492,11 +510,11 @@ in }; # Client credentials per app - local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: value: + local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }: nameValuePair "${org}_${project}_${name}" { content = '' - CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"} - CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"} + ${if exportMap.client_id != null then exportMap.client_id else "CLIENT_ID"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"} + ${if exportMap.client_secret != null then exportMap.client_secret else "CLIENT_SECRET"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"} ''; filename = "/var/lib/zitadel/clients/${org}_${project}_${name}"; } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 027dad6..8bb5cea 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
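Review bot: The `exportMap` values are typed as plain `types.str` and are pasted verbatim in front of `=` in the `local_sensitive_file` content (second hunk of this file), so a name containing whitespace, `=` or a newline yields a credentials file whose keys no longer line up with the values, or that carries extra lines. Constrain the option to variable-name syntax: `strOpt = mkOption { type = types.nullOr (types.strMatching "[A-Za-z_][A-Za-z0-9_]*"); default = null; };`. The description could also state that the option renames the keys written to `/var/lib/zitadel/clients/<org>_<project>_<name>`, since "outputted variables" does not say where they end up. Both the options submodule and the `resource` attrset extend beyond these hunks.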
@@ -95,6 +95,16 @@ responseTypes = [ "code" ]; }; + vaultwarden = { + redirectUris = [ "https://vault.kruining.eu/identity/connect/oidc-signin" ]; + grantTypes = [ "authorizationCode" ]; + responseTypes = [ "code" ]; + exportMap = { + client_id = "SSO_CLIENT_ID"; + client_secret = "SSO_CLIENT_SECRET"; + }; + }; + matrix = { redirectUris = [ "https://matrix.kruining.eu/_synapse/client/oidc/callback" ]; grantTypes = [ "authorizationCode" ]; From 272f48a9ab000b638a18612343743317370c8536 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 13 Nov 2025 07:50:45 +0000 Subject: [PATCH 20/28] chore(secrets): set secret "kaas" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index ef9b039..4864b00 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -10,6 +10,7 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] +kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -30,7 +31,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T16:13:36Z" - mac: ENC[AES256_GCM,data:UaUK/qYthw2C2XZeUPeuHV0VZaIKo7dd7EPtaM4PQ6xdJSNNACaMtwd+1u2jGmJysWHI3yjSpz2ZnRTaDX6O99/bLo6ilYPkGTlqjIWh+rzzZjaOP1fsuHwfCRSKkei3niojgcoKku3ohcuWWP1NUe5+EMIb68jGOVogTH2TBjo=,iv:kSLgzJZaef29Uvc/oY9uNQc5CE7iVfQrhE9RMGdmPjE=,tag:1IH/89za43RYLzizoCSb3w==,type:str] + lastmodified: "2025-11-13T07:50:40Z" + mac: ENC[AES256_GCM,data:tGOipGrlvIwfocpve9/4MGBtgnGuvI380VdIrSc2pCym4f20DC70/QofPo31cRtkWW3sd8nmEReU7+QQ39iZa9Jrlg+e8O8T5sbckjFvO5KWw5UBShjltrcRmhIHH0vUMkfAul5GRJEjCdpMIuOxxQGUMykeP/y8M6sDfnC73vU=,iv:MF9RP4SI4dWX6Rf6puuck5S0KrKKA8U/uQuJCwMYV30=,tag:lsr85wZVCgXr6n3QPmelaw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 9116361b908fdddd8a91ac137327484e3f107ebc Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 19 Nov 2025 09:48:56 +0000 Subject: [PATCH 21/28] chore(secrets): set secret "radarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4864b00..8bb18b7 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -11,6 +11,8 @@ synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] +radarr: + apikey: "" sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -31,7 +33,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-13T07:50:40Z" - mac: ENC[AES256_GCM,data:tGOipGrlvIwfocpve9/4MGBtgnGuvI380VdIrSc2pCym4f20DC70/QofPo31cRtkWW3sd8nmEReU7+QQ39iZa9Jrlg+e8O8T5sbckjFvO5KWw5UBShjltrcRmhIHH0vUMkfAul5GRJEjCdpMIuOxxQGUMykeP/y8M6sDfnC73vU=,iv:MF9RP4SI4dWX6Rf6puuck5S0KrKKA8U/uQuJCwMYV30=,tag:lsr85wZVCgXr6n3QPmelaw==,type:str] + lastmodified: "2025-11-19T09:48:55Z" + mac: ENC[AES256_GCM,data:fLLiX6obUBbhtg/XpwUWJmu0jpQraGAOmViQ5SOh82rndcI87fJW0Y2mYN1+VpPdknlsLbuUzFB0styWljmAg3DxRW0OGNz+pL6r4ior0phRRBpGhY9rVHO62f74GZItHgBDzojUQwu7Rhu6jFZMGHLsCgjfRl6QEfakNjT5Py8=,iv:xlZ/q5a0IOiqwjPsD/PQ04URhrX9aGSV6U3suCecqQk=,tag:u4tB8AOJ/jYfiLSbayXpeQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 80e61ec5d8b6fc4f2a370073fa5ef34497739d4c Mon Sep 17 00:00:00 2001 
From: chris Date: Wed, 19 Nov 2025 09:50:35 +0000 Subject: [PATCH 22/28] chore(secrets): set secret "radarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 8bb18b7..0a9d750 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -12,7 +12,7 @@ synapse: oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] radarr: - apikey: "" + apikey: ENC[AES256_GCM,data:G141GW4PyS5pbAV39HcVscMw3s30txOgTZzWaL7o+ccZfnfDLv796O6xKXdqGZ8saLsveghLw9Z6a5luusHyQ3Q5ESL6W7SVeZVTuSqSC3i/4jl75FJxhnsgVsfrnYxzLGpKiw==,iv:sZl/XLh6y3WgSAn6nH3sFB6atBifZdghm+QsCNDbcjY=,tag:Tw+R80nrF0T0yDti0Uf+ig==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -33,7 +33,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:48:55Z" - mac: ENC[AES256_GCM,data:fLLiX6obUBbhtg/XpwUWJmu0jpQraGAOmViQ5SOh82rndcI87fJW0Y2mYN1+VpPdknlsLbuUzFB0styWljmAg3DxRW0OGNz+pL6r4ior0phRRBpGhY9rVHO62f74GZItHgBDzojUQwu7Rhu6jFZMGHLsCgjfRl6QEfakNjT5Py8=,iv:xlZ/q5a0IOiqwjPsD/PQ04URhrX9aGSV6U3suCecqQk=,tag:u4tB8AOJ/jYfiLSbayXpeQ==,type:str] + lastmodified: "2025-11-19T09:50:35Z" + mac: ENC[AES256_GCM,data:FgSL58+AHzqp18RyJ4I7fdIQf/vjFI0chkb8T2qXATRJyK3RKrF7JNMOel3ZFgptQvgamUD5LxGgtSO+ucFMjwJpvDmlzrRJ/BbnywuANAeW0M91myI7/Exj/p4QOeIz0RWViX6NGJO+9oF5BMBPE/9tyA+jMN03I8nGCZFGu6o=,iv:8cIUA8/5EexFxwXpJfoY6/A2ZKesHwBUueaMVZq5LbY=,tag:jUmC4qBEXJXxZQEMlDkadg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 6a0195587d6a444edb333e235afa683935550197 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 19 Nov 2025 09:50:58 +0000 Subject: [PATCH 23/28] chore(secrets): set secret "sonarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 0a9d750..0a4b541 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -13,6 +13,8 @@ synapse: kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] radarr: apikey: ENC[AES256_GCM,data:G141GW4PyS5pbAV39HcVscMw3s30txOgTZzWaL7o+ccZfnfDLv796O6xKXdqGZ8saLsveghLw9Z6a5luusHyQ3Q5ESL6W7SVeZVTuSqSC3i/4jl75FJxhnsgVsfrnYxzLGpKiw==,iv:sZl/XLh6y3WgSAn6nH3sFB6atBifZdghm+QsCNDbcjY=,tag:Tw+R80nrF0T0yDti0Uf+ig==,type:str] +sonarr: + apikey: ENC[AES256_GCM,data:s8bgDJ+LpIH1Mt3KSiIKB8LnxztOkHdc8J6+50o+HoDUAfIIsZkA2oX/m7UecrTSRi6ay8D9yjhe6ZwSNXhJh6wQqTS7gZWn8f6QfrfI+8DKdc9enh91suQxjkz8Q+wnKK0zBg==,iv:LmAe6v+6ItVnHB6gko6mhiGOuVBksBYP4dXfbxpAIPE=,tag:DZ8kwOwaWwWTGWEGu5S0Kg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -33,7 +35,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:50:35Z" - mac: ENC[AES256_GCM,data:FgSL58+AHzqp18RyJ4I7fdIQf/vjFI0chkb8T2qXATRJyK3RKrF7JNMOel3ZFgptQvgamUD5LxGgtSO+ucFMjwJpvDmlzrRJ/BbnywuANAeW0M91myI7/Exj/p4QOeIz0RWViX6NGJO+9oF5BMBPE/9tyA+jMN03I8nGCZFGu6o=,iv:8cIUA8/5EexFxwXpJfoY6/A2ZKesHwBUueaMVZq5LbY=,tag:jUmC4qBEXJXxZQEMlDkadg==,type:str] + lastmodified: "2025-11-19T09:50:57Z" + mac: ENC[AES256_GCM,data:j2IhWjN08v5xlEw1KBmd0Zc+NriqVDPx06t9oB20S9p2ARe+UhyHxyGah4jZWyHCoanM1sJe4kN3/FcuwI/U+1LmukSQ+YBQT53R4jlOooje06jkJka9xnoS7QiVJmFF8H0XaR1Ye8Xas8mrHgMMOTza96TtvN3YeXpfXUTF4xQ=,iv:X32tNNl2prYbufy4dzubXi5MvX8s+xtGVy2g88gjHns=,tag:yD+fzF8PIWRuxQ28MGTV4Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From d0e374c8bb78aefbbdd9f8158f9ab8a82ac60629 Mon Sep 17 00:00:00 2001 
From: chris Date: Wed, 19 Nov 2025 09:51:06 +0000 Subject: [PATCH 24/28] chore(secrets): set secret "lidarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 0a4b541..1e8764c 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -15,6 +15,8 @@ radarr: apikey: ENC[AES256_GCM,data:G141GW4PyS5pbAV39HcVscMw3s30txOgTZzWaL7o+ccZfnfDLv796O6xKXdqGZ8saLsveghLw9Z6a5luusHyQ3Q5ESL6W7SVeZVTuSqSC3i/4jl75FJxhnsgVsfrnYxzLGpKiw==,iv:sZl/XLh6y3WgSAn6nH3sFB6atBifZdghm+QsCNDbcjY=,tag:Tw+R80nrF0T0yDti0Uf+ig==,type:str] sonarr: apikey: ENC[AES256_GCM,data:s8bgDJ+LpIH1Mt3KSiIKB8LnxztOkHdc8J6+50o+HoDUAfIIsZkA2oX/m7UecrTSRi6ay8D9yjhe6ZwSNXhJh6wQqTS7gZWn8f6QfrfI+8DKdc9enh91suQxjkz8Q+wnKK0zBg==,iv:LmAe6v+6ItVnHB6gko6mhiGOuVBksBYP4dXfbxpAIPE=,tag:DZ8kwOwaWwWTGWEGu5S0Kg==,type:str] +lidarr: + apikey: ENC[AES256_GCM,data:I2eKaxidmxem7C7ukmyIfwASNqrkS4vEOiCcU5kSNY6DR0pXsYg0PBdgu8vzK6llbXODLdG5t55BordIWvVRJGAauo0FMvtp59NSNpza7cK68tdKGvNefD6bqhUIR06BY11niQ==,iv:48AD7cd17TlWY5yAagepLOIVwgxhD/d13Pnup6GsWDA=,tag:teOVtW8opE99hqAXQwvlrA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -35,7 +37,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:50:57Z" - mac: ENC[AES256_GCM,data:j2IhWjN08v5xlEw1KBmd0Zc+NriqVDPx06t9oB20S9p2ARe+UhyHxyGah4jZWyHCoanM1sJe4kN3/FcuwI/U+1LmukSQ+YBQT53R4jlOooje06jkJka9xnoS7QiVJmFF8H0XaR1Ye8Xas8mrHgMMOTza96TtvN3YeXpfXUTF4xQ=,iv:X32tNNl2prYbufy4dzubXi5MvX8s+xtGVy2g88gjHns=,tag:yD+fzF8PIWRuxQ28MGTV4Q==,type:str] + lastmodified: "2025-11-19T09:51:06Z" + mac: ENC[AES256_GCM,data:/arD30zm/wheVtSkwkQrdMe7REnwQ/XOKKWTqysIFeA5O9+e93wSWj8dpwfXfZ5q0ISOk5n3v8hsqzls8wi5BMLXPaBRyj5Alr5poFZd3vJ9z6uyDCSPlJhYRl8ussjzj0vK3Lr3hzKczfrGgPF7W6CoqBKk0AYI2fFHWfT/B5A=,iv:aq66boBgI/V/pVPuPf9mg/TqLV/VfJTElRt7My5njCc=,tag:7s/qu/6B/bX/Nqs00BNl8Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From ba246b145fc6187d82723204240db5ef5a29cd5c Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 19 Nov 2025 09:51:27 +0000 Subject: [PATCH 25/28] chore(secrets): set secret "prowlarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 1e8764c..7a26401 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -17,6 +17,8 @@ sonarr: apikey: ENC[AES256_GCM,data:s8bgDJ+LpIH1Mt3KSiIKB8LnxztOkHdc8J6+50o+HoDUAfIIsZkA2oX/m7UecrTSRi6ay8D9yjhe6ZwSNXhJh6wQqTS7gZWn8f6QfrfI+8DKdc9enh91suQxjkz8Q+wnKK0zBg==,iv:LmAe6v+6ItVnHB6gko6mhiGOuVBksBYP4dXfbxpAIPE=,tag:DZ8kwOwaWwWTGWEGu5S0Kg==,type:str] lidarr: apikey: ENC[AES256_GCM,data:I2eKaxidmxem7C7ukmyIfwASNqrkS4vEOiCcU5kSNY6DR0pXsYg0PBdgu8vzK6llbXODLdG5t55BordIWvVRJGAauo0FMvtp59NSNpza7cK68tdKGvNefD6bqhUIR06BY11niQ==,iv:48AD7cd17TlWY5yAagepLOIVwgxhD/d13Pnup6GsWDA=,tag:teOVtW8opE99hqAXQwvlrA==,type:str] +prowlarr: + apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -37,7 +39,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:51:06Z" - mac: ENC[AES256_GCM,data:/arD30zm/wheVtSkwkQrdMe7REnwQ/XOKKWTqysIFeA5O9+e93wSWj8dpwfXfZ5q0ISOk5n3v8hsqzls8wi5BMLXPaBRyj5Alr5poFZd3vJ9z6uyDCSPlJhYRl8ussjzj0vK3Lr3hzKczfrGgPF7W6CoqBKk0AYI2fFHWfT/B5A=,iv:aq66boBgI/V/pVPuPf9mg/TqLV/VfJTElRt7My5njCc=,tag:7s/qu/6B/bX/Nqs00BNl8Q==,type:str] + lastmodified: "2025-11-19T09:51:26Z" + mac: ENC[AES256_GCM,data:pMMkxHPochpI8si/oHhU7MHqC1JjNhMP7HCRNQQEkwBQI489xiC02t+qUwpmG4oIheqi8lEcZPpL4t9HzRN9sZImaI2LrJn3cHFojHzXzo7FPfvfUilZe1+JXLfm+wn+bflAEutIcfDiZc/MjiKOxRHwZy5Pr41Mj6uPIUr62zk=,iv:GwvMVgJ6m1DQcRZMVzshbuMK/Kx8vE8Ym83KbxuvYRg=,tag:wVSol9LDRzoFjQppB8J9gA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 09e4e940bcec8073d9ea9827a4450b566c2e0fd5 Mon Sep 17 00:00:00 2001 
From: chris Date: Wed, 19 Nov 2025 10:27:29 +0000 Subject: [PATCH 26/28] chore: update dependencies --- flake.lock | 230 +++++++++++++++++++++++++++-------------------------- 1 file changed, 116 insertions(+), 114 deletions(-) diff --git a/flake.lock b/flake.lock index 5ed2f72..9d38839 100644 --- a/flake.lock +++ b/flake.lock @@ -84,11 +84,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1762254206, - "narHash": "sha256-ZyQUrUSuIUZRmMPzeCXI4vDFhHOLNtGUMBaHXCD6nEQ=", - "rev": "43a7652624e76d60a93325c711d01620801d4382", + "lastModified": 1763547157, + "narHash": "sha256-lJcMap2uT+x1R8WUUKKQ6ndynysJ/JOkrMThMGz6DP0=", + "rev": "2cb2134a6ee32d427097077c4fb4c416b52ae988", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/43a7652624e76d60a93325c711d01620801d4382.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/2cb2134a6ee32d427097077c4fb4c416b52ae988.tar.gz" }, "original": { "type": "tarball", @@ -111,11 +111,11 @@ ] }, "locked": { - "lastModified": 1760612273, - "narHash": "sha256-pP/bSqUHubxAOTI7IHD5ZBQ2Qm11Nb4pXXTPv334UEM=", - "rev": "0099739c78be750b215cbdefafc9ba1533609393", + "lastModified": 1762942435, + "narHash": "sha256-zIWGs5FIytTtJN+dhDb8Yx+q4TQI/yczuL539yVcyPE=", + "rev": "0ee328404b12c65e8106bde9e9fab8abf4ecada4", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0099739c78be750b215cbdefafc9ba1533609393.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0ee328404b12c65e8106bde9e9fab8abf4ecada4.tar.gz" }, "original": { "type": "tarball", 
@@ -130,11 +130,11 @@ ] }, "locked": { - "lastModified": 1761899396, - "narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=", + "lastModified": 1762276996, + "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=", "owner": "nix-community", "repo": "disko", - "rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998", + "rev": "af087d076d3860760b3323f6b583f4d828c1ac17", "type": "github" }, "original": { @@ -149,11 +149,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1759842236, - "narHash": "sha256-JNFyiEDo1wS+mjNAEM8Q2jjvHQzQt+3hnuP1srIdFeM=", + "lastModified": 1762360792, + "narHash": "sha256-YR7vqk+XEvFUQ/miuBAD3+p+97QUN86ya9Aw0K5feJE=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "df8a29239b2459d6ee7373be8133d9aa7d6f6d1a", + "rev": "9075dff5685d3e7269284e53ca496da0beb24596", "type": "github" }, "original": { @@ -170,11 +170,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1760510549, - "narHash": "sha256-NP+kmLMm7zSyv4Fufv+eSJXyqjLMUhUfPT6lXRlg/bU=", + "lastModified": 1763534658, + "narHash": "sha256-i/51/Zi/1pM9hZxxSuA3nVPpyqlGoWwJwajyA/loOpo=", "owner": "nix-community", "repo": "fenix", - "rev": "ef7178cf086f267113b5c48fdeb6e510729c8214", + "rev": "69e40ddf45698d0115a62a7a15d8412f35dd4c09", "type": "github" }, "original": { @@ -190,11 +190,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1760548798, - "narHash": "sha256-LbqqHQklp58hKCO6IMcslsqX0mR32775PG3Z+k2GcwU=", + "lastModified": 1763504432, + "narHash": "sha256-kpmPI67TdoTxiK7LsmgmkKW3iHoyvZJwZeiJhpwPfmw=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "fdd8c18c8d3497d267c0750ef08678d32a2dd753", + "rev": "49d5d8d42a7650e5353f8467c813839290cb7c9f", "type": "github" }, "original": { 
@@ -237,11 +237,11 @@ }, "flake-compat_2": { "locked": { - "lastModified": 1746162366, - "narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=", + "lastModified": 1761640442, + "narHash": "sha256-AtrEP6Jmdvrqiv4x2xa5mrtaIp3OEe8uBYCDZDS+hu8=", "owner": "nix-community", "repo": "flake-compat", - "rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b", + "rev": "4a56054d8ffc173222d09dad23adf4ba946c8884", "type": "github" }, "original": { @@ -306,11 +306,11 @@ ] }, "locked": { - "lastModified": 1762040540, - "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=", + "lastModified": 1762980239, + "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "0010412d62a25d959151790968765a70c436598b", + "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da", "type": "github" }, "original": { @@ -327,11 +327,11 @@ ] }, "locked": { - "lastModified": 1759362264, - "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", + "lastModified": 1760948891, + "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", + "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04", "type": "github" }, "original": { @@ -510,18 +510,20 @@ "gnome-shell": { "flake": false, "locked": { - "lastModified": 1748186689, - "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=", + "host": "gitlab.gnome.org", + "lastModified": 1762869044, + "narHash": "sha256-nwm/GJ2Syigf7VccLAZ66mFC8mZJFqpJmIxSGKl7+Ds=", "owner": "GNOME", "repo": "gnome-shell", - "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0", - "type": "github" + "rev": "680e3d195a92203f28d4bf8c6e8bb537cc3ed4ad", + "type": "gitlab" }, "original": { + "host": "gitlab.gnome.org", "owner": "GNOME", - "ref": "48.2", + "ref": "gnome-49", "repo": "gnome-shell", - "type": "github" + "type": "gitlab" } }, "grub2-themes": { 
@@ -551,11 +553,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1760546650, - "narHash": "sha256-ByUcM+gMEob6uWpDt6AAg/v4eX9yvpgOPX6KyHd9/BE=", + "lastModified": 1763486183, + "narHash": "sha256-10EvBTF9ELezWg+KoKZJ3bxrPzT1Xz95ifurC6HixLY=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "ba54075737cb9c688cfadde8048f83371dbaba8d", + "rev": "fb27f4bee812e4b4df9df9f78bd5280f0aa2193c", "type": "github" }, "original": { @@ -571,11 +573,11 @@ ] }, "locked": { - "lastModified": 1760500983, - "narHash": "sha256-zfY4F4CpeUjTGgecIJZ+M7vFpwLc0Gm9epM/iMQd4w8=", + "lastModified": 1763416652, + "narHash": "sha256-8EBEEvtzQ11LCxpQHMNEBQAGtQiCu/pqP9zSovDSbNM=", "owner": "nix-community", "repo": "home-manager", - "rev": "c53e65ec92f38d30e3c14f8d628ab55d462947aa", + "rev": "ea164b7c9ccdc2321379c2ff78fd4317b4c41312", "type": "github" }, "original": { @@ -592,11 +594,11 @@ ] }, "locked": { - "lastModified": 1752603129, - "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=", + "lastModified": 1762964643, + "narHash": "sha256-RYHN8O/Aja59XDji6WSJZPkJpYVUfpSkyH+PEupBJqM=", "owner": "nix-community", "repo": "home-manager", - "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b", + "rev": "827f2a23373a774a8805f84ca5344654c31f354b", "type": "github" }, "original": { @@ -613,11 +615,11 @@ ] }, "locked": { - "lastModified": 1760534924, - "narHash": "sha256-OIOCC86DxTxp1VG7xAiM+YABtVqp6vTkYIoAiGQMqso=", + "lastModified": 1763453666, + "narHash": "sha256-Hu8lDUlbMFvcYX30LBXX7Gq5FbU35bERH0pSX5qHf/Q=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "100b4e000032b865563a9754e5bca189bc544764", + "rev": "b843b551415c7aecc97c8b3ab3fff26fd0cd8bbf", "type": "github" }, "original": { 
@@ -668,11 +670,11 @@ ] }, "locked": { - "lastModified": 1762186368, - "narHash": "sha256-dzLBZKccS0jMefj+WAYwsk7gKDluqavC7I4KfFwVh8k=", + "lastModified": 1763136804, + "narHash": "sha256-6p2ljK42s0S8zS0UU59EsEqupz0GVCaBYRylpUadeBM=", "owner": "nix-darwin", "repo": "nix-darwin", - "rev": "69921864a70b58787abf5ba189095566c3f0ffd3", + "rev": "973db96394513fd90270ea5a1211a82a4a0ba47f", "type": "github" }, "original": { @@ -710,11 +712,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1760493654, - "narHash": "sha256-DRJZnMoBw+p6o0XjaAOfAJjwr4s93d1+eCsCRsAP/jY=", + "lastModified": 1763171892, + "narHash": "sha256-6cg9zSiqKA89yJzVtYhBaBptqq6bX4pr4g7WLAHOD4Y=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "4ca5164f23948b4b5429d8fdcddc142079c6aa6b", + "rev": "316858c27d278b20e776cd4dd8f787812f587ba2", "type": "github" }, "original": { @@ -725,11 +727,11 @@ }, "nix-select": { "locked": { - "lastModified": 1755887746, - "narHash": "sha256-lzWbpHKX0WAn/jJDoCijIDss3rqYIPawe46GDaE6U3g=", - "rev": "92c2574c5e113281591be01e89bb9ddb31d19156", + "lastModified": 1763303120, + "narHash": "sha256-yxcNOha7Cfv2nhVpz9ZXSNKk0R7wt4AiBklJ8D24rVg=", + "rev": "3d1e3860bef36857a01a2ddecba7cdb0a14c35a9", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/92c2574c5e113281591be01e89bb9ddb31d19156.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/3d1e3860bef36857a01a2ddecba7cdb0a14c35a9.tar.gz" }, "original": { "type": "tarball", @@ -768,11 +770,11 @@ }, "nixos-facter-modules": { "locked": { - "lastModified": 1761137276, - "narHash": "sha256-4lDjGnWRBLwqKQ4UWSUq6Mvxu9r8DSqCCydodW/Jsi8=", + "lastModified": 1762264948, + "narHash": "sha256-iaRf6n0KPl9hndnIft3blm1YTAyxSREV1oX0MFZ6Tk4=", "owner": "nix-community", "repo": "nixos-facter-modules", - "rev": "70bcd64225d167c7af9b475c4df7b5abba5c7de8", + "rev": "fa695bff9ec37fd5bbd7ee3181dbeb5f97f53c96", "type": "github" }, "original": { 
@@ -810,11 +812,11 @@ ] }, "locked": { - "lastModified": 1760536587, - "narHash": "sha256-wfWqt+igns/VazjPLkyb4Z/wpn4v+XIjUeI3xY/1ENg=", + "lastModified": 1763537456, + "narHash": "sha256-/WRqcqeE9C+mxxWgI7jy5blMrvg2lHFSlTFjC8pRWos=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "f98ee1de1fa36eca63c67b600f5d617e184e82ea", + "rev": "cd9eb5225fc91eb67629966844d2ff371824abb1", "type": "github" }, "original": { @@ -825,11 +827,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1759360550, - "narHash": "sha256-feL8xklo97a8o8ISOszUU2tfHskJdu3zKbpcltzSblw=", + "lastModified": 1761828793, + "narHash": "sha256-xjdPwMD4wVuDD85U+3KST62VzFkJueI6oBwIzpzUHLY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "28b8fe20c34f94a537f71950a9b0c1dc7224d036", + "rev": "843859a08e114403f44aaf5b996b44c38094aa46", "type": "github" }, "original": { @@ -856,11 +858,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1760479263, - "narHash": "sha256-eoVGUqcMyDeT/VwjczlZu7rhrE9wkj3ErWjJhB4Zjpg=", + "lastModified": 1763469780, + "narHash": "sha256-IW67Db/wBNQwJ5e0fF9Yk4SmdivMcecrUVDs7QJoC/s=", "owner": "nixos", "repo": "nixpkgs", - "rev": "20158056cdd0dd06bfbd04fd1e686d09fbef3db5", + "rev": "a70b03ca5dc9d46294740f165abdef9f9bea5632", "type": "github" }, "original": { @@ -888,11 +890,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1760548845, - "narHash": "sha256-41gkEmco/WLdEkeCKVRalOpx19e0/VgfS7N9n+DasHs=", + "lastModified": 1763547551, + "narHash": "sha256-YOdXVAqEGmrPUgs71r8ziuu9qqpn3jJEiIxsIls+VQA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "631597d659c37aa267eed8334271d5205244195e", + "rev": "06aa4d5f488875b6af46e10b45b8000ed0906860", "type": "github" }, "original": { 
@@ -920,11 +922,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1760284886, - "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", + "lastModified": 1763421233, + "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43", + "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648", "type": "github" }, "original": { @@ -936,11 +938,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1759386674, - "narHash": "sha256-wg1Lz/1FC5Q13R+mM5a2oTV9TA9L/CHHTm3/PiLayfA=", + "lastModified": 1761880412, + "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", "owner": "nixos", "repo": "nixpkgs", - "rev": "625ad6366178f03acd79f9e3822606dd7985b657", + "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386", "type": "github" }, "original": { @@ -952,11 +954,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1760164275, - "narHash": "sha256-gKl2Gtro/LNf8P+4L3S2RsZ0G390ccd5MyXYrTdMCFE=", + "lastModified": 1763191728, + "narHash": "sha256-esRhOS0APE6k40Hs/jjReXg+rx+J5LkWw7cuWFKlwYA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "362791944032cb532aabbeed7887a441496d5e6e", + "rev": "1d4c88323ac36805d09657d13a5273aea1b34f0c", "type": "github" }, "original": { @@ -968,11 +970,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1758690382, - "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", + "lastModified": 1762977756, + "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e643668fd71b949c53f8626614b21ff71a07379d", + "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55", "type": "github" }, "original": { 
@@ -1016,11 +1018,11 @@ "systems": "systems_5" }, "locked": { - "lastModified": 1760153667, - "narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=", + "lastModified": 1762622004, + "narHash": "sha256-NpzzgaoMK8aRHnndHWbYNKLcZN0r1y6icCoJvGoBsoE=", "owner": "notashelf", "repo": "nvf", - "rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d", + "rev": "09470524a214ed26633ddc2b6ec0c9bf31a8b909", "type": "github" }, "original": { @@ -1039,11 +1041,11 @@ ] }, "locked": { - "lastModified": 1759321049, - "narHash": "sha256-8XkU4gIrLT2DJZWQyvsP5woXGZF5eE/7AnKfwQkiwYU=", + "lastModified": 1762784320, + "narHash": "sha256-odsk96Erywk5hs0dhArF38zb7Oe0q6LZ70gXbxAPKno=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "205dcfd4a30d4a5d1b4f28defee69daa7c7252cd", + "rev": "7911a0f8a44c7e8b29d031be3149ee8943144321", "type": "github" }, "original": { @@ -1080,11 +1082,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1760457219, - "narHash": "sha256-WJOUGx42hrhmvvYcGkwea+BcJuQJLcns849OnewQqX4=", + "lastModified": 1762860488, + "narHash": "sha256-rMfWMCOo/pPefM2We0iMBLi2kLBAnYoB9thi4qS7uk4=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "8747cf81540bd1bbbab9ee2702f12c33aa887b46", + "rev": "2efc80078029894eec0699f62ec8d5c1a56af763", "type": "github" }, "original": { @@ -1102,11 +1104,11 @@ ] }, "locked": { - "lastModified": 1760495781, - "narHash": "sha256-3OGPAQNJswy6L4VJyX3U9/z7fwgPFvK6zQtB2NHBV0Y=", + "lastModified": 1759977258, + "narHash": "sha256-hOxEFSEBoqDmJb7BGX1CzT1gvUPK6r+Qs+n3IxBgfTs=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "11e0852a2aa3a65955db5824262d76933750e299", + "rev": "1d0c6173f57d07db7957b50e799240d4f2d7520f", "type": "github" }, "original": { 
@@ -1145,11 +1147,11 @@ ] }, "locked": { - "lastModified": 1760998189, - "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", + "lastModified": 1763264763, + "narHash": "sha256-N0BEoJIlJ+M6sWZJ8nnfAjGY9VLvM6MXMitRenmhBkY=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", + "rev": "882e56c8293e44d57d882b800a82f8b2ee7a858f", "type": "github" }, "original": { @@ -1163,11 +1165,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1760393368, - "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", + "lastModified": 1763509310, + "narHash": "sha256-s2WzTAD3vJtPACBCZXezNUMTG/wC6SFsU9DxazB9wDI=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", + "rev": "3ee33c0ed7c5aa61b4e10484d2ebdbdc98afb03e", "type": "github" }, "original": { @@ -1195,11 +1197,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1760472212, - "narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=", + "lastModified": 1763497248, + "narHash": "sha256-OGP6MYc+lVkLVQOTS6ORszDcCnZm7kDOGpFBdDoLd0k=", "owner": "nix-community", "repo": "stylix", - "rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db", + "rev": "f19ac46f6aa26188b2020ed40066a5b832be9c53", "type": "github" }, "original": { @@ -1337,11 +1339,11 @@ "systems": "systems_8" }, "locked": { - "lastModified": 1757278723, - "narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=", + "lastModified": 1762472226, + "narHash": "sha256-iVS4sxVgGn+T74rGJjEJbzx+kjsuaP3wdQVXBNJ79A0=", "owner": "terranix", "repo": "terranix", - "rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb", + "rev": "3b5947a48da5694094b301a3b1ef7b22ec8b19fc", "type": "github" }, "original": { 
@@ -1439,11 +1441,11 @@ ] }, "locked": { - "lastModified": 1761311587, - "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=", + "lastModified": 1762938485, + "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc", + "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4", "type": "github" }, "original": { @@ -1460,11 +1462,11 @@ ] }, "locked": { - "lastModified": 1760466542, - "narHash": "sha256-q2QZhrrjHbvW4eFzoEGkj/wUHNU6bVGPyflurx5ka6U=", + "lastModified": 1763521945, + "narHash": "sha256-Zcrafbe4niRJMbzaVOwg7+iedJhwBFttre2DpyCC6qA=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "3446bcbf5f46ecb18e82244888730c4983c30b22", + "rev": "24d7381b9231c23daceec5d372cc28e877f7785d", "type": "github" }, "original": { From 169b62e6f3dc3cf839004f3da1b781be6e7b640c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 19 Nov 2025 11:49:09 +0100 Subject: [PATCH 27/28] chore: update config after update --- modules/nixos/services/development/forgejo/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index dbcef87..52f026f 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -144,7 +144,7 @@ in openssh.settings.AllowUsers = [ "forgejo" ]; gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; + package = pkgs.forgejo-runner; instances.default = { enable = true; name = "default"; From 2d3da197ee8e549b46a52266af22271a817127fd Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 20 Nov 2025 00:05:34 +0100 Subject: [PATCH 28/28] lets actually commit for once... --- .just/vars.just | 18 +- lib/options/default.nix | 38 ++++ lib/strings/default.nix | 26 ++- modules/home/themes/default.nix | 2 +- .../authentication/zitadel/default.nix | 48 ++-- .../nixos/services/backup/borg/default.nix | 13 +- modules/nixos/services/media/default.nix | 210 ++++++++++++++--- .../nixos/services/media/homer/default.nix | 8 +- .../nixos/services/media/servarr/default.nix | 214 ++++++++++++++++++ .../observability/uptime-kuma/default.nix | 25 ++ .../services/security/vaultwarden/default.nix | 138 ++++++++++- shells/default/default.nix | 2 + systems/x86_64-linux/ulmo/default.nix | 43 +++- 13 files changed, 711 insertions(+), 74 deletions(-) create mode 100644 lib/options/default.nix create mode 100644 modules/nixos/services/media/servarr/default.nix create mode 100644 modules/nixos/services/observability/uptime-kuma/default.nix diff --git a/.just/vars.just b/.just/vars.just index 944d7cf..d8bd181 100644 --- a/.just/vars.just +++ b/.just/vars.just 
@@ -1,19 +1,23 @@ +set unstable + base_path := invocation_directory() / "systems/x86_64-linux" -sops := "nix shell nixpkgs#sops --command sops" -yq := "nix shell nixpkgs#yq --command yq" +# sops := "nix shell nixpkgs#sops --command sops" +# yq := "nix shell nixpkgs#yq --command yq" +sops := "sops" +yq := "yq" @_default: just --list [doc('list all vars of the target machine')] list machine: - {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml @edit machine: - {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml + sops edit {{ base_path }}/{{ machine }}/secrets.yml @set machine key value: - {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\"/g')\"" + sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" git add {{ base_path }}/{{ machine }}/secrets.yml git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null 
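Review bot: In the `set` recipe the secret is still spliced into shell source as `'{{ value }}'`, so a value containing a single quote ends the quoting and the remainder is parsed by the shell; the changed sed escape only handles double quotes. Passing the argument through just's `quote()` keeps it as data, for example `"\"$(printf '%s' {{ quote(value) }} | sed 's/\"/\\\"/g')\""`. The same applies to the `{{ key }}` interpolations in this recipe and its commit message, and to `"{{ key }}"` in `get` and `'["{{ key }}"]'` in `remove` in the next hunk. The value is also handed to `sops set` as a command-line argument, so it is visible in the process list while the command runs. The `sops` and `yq` variables are still defined at the top, but the recipes now call the binaries by literal name, so one of the two forms should go.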
@@ -21,10 +25,10 @@ list machine: echo "Done" @get machine key: - {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml | {{ yq }} ".$(echo "{{ key }}" | sed -E 's/\//./g')" + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" @remove machine key: - {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" git add {{ base_path }}/{{ machine }}/secrets.yml git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null diff --git a/lib/options/default.nix b/lib/options/default.nix new file mode 100644 index 0000000..72e8621 --- /dev/null +++ b/lib/options/default.nix @@ -0,0 +1,38 @@ +{ lib, ...}: +let + inherit (builtins) isString typeOf; + inherit (lib) mkOption types throwIfNot concatStringsSep splitStringBy toLower map; +in +{ + options = { + mkUrlOptions = + defaults: + { + host = mkOption { + type = types.str; + example = "host.tld"; + description = '' + Hostname + ''; + } // (defaults.host or {}); + + port = mkOption { + type = types.port; + default = 1234; + example = "1234"; + description = '' + Port + ''; + } // (defaults.port or {}); + + protocol = mkOption { + type = types.str; + default = "https"; + example = "https"; + description = '' + Which protocol to use when creating a url string + ''; + } // (defaults.protocol or {}); + }; + }; +} \ No newline at end of file diff --git a/lib/strings/default.nix b/lib/strings/default.nix index 52b05e3..0c15699 100644 --- a/lib/strings/default.nix +++ b/lib/strings/default.nix 
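Review bot: In `lib/options/default.nix`, `protocol` is declared as `types.str`, so any string is accepted and flows into generated URLs; `type = types.enum [ "http" "https" ];` would reject typos at evaluation time, and callers can still widen it through `defaults.protocol`. The `port` option gives `example = "1234"` as a string although its type is `types.port`, and the default of 1234 means a module that forgets to set a port silently gets that one. Of the names inherited in the `let` block only `mkOption` and `types` are used; the rest can be dropped.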
@@ -1,10 +1,15 @@ { lib, ...}: let - inherit (builtins) isString typeOf; - inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map; + inherit (builtins) isString typeOf match toString head; + inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map concatMapAttrsStringSep; in { strings = { + #======================================================================================== + # Converts a string to snake case + # + # simply replaces any uppercase letter to its lowercase variant preceeded by an underscore + #======================================================================================== toSnakeCase = str: throwIfNot (isString str) "toSnakeCase only accepts string values, but got ${typeOf str}" ( @@ -13,5 +18,22 @@ in |> map (p: toLower p) |> concatStringsSep "_" ); + + #======================================================================================== + # Converts a set of url parts to a string + #======================================================================================== + toUrl = + { protocol ? null, host, port ? null, path ? null, query ? null, hash ? null }: + let + trim_slashes = str: str |> match "^\/*(.+?)\/*$" |> head; + encode_to_str = set: concatMapAttrsStringSep "&" (n: v: "${n}=${v}") set; + + _protocol = if protocol != null then "${protocol}://" else ""; + _port = if port != null then ":${toString port}" else ""; + _path = if path != null then "/${path |> trim_slashes}" else ""; + _query = if query != null then "?${query |> encode_to_str}" else ""; + _hash = if hash != null then "#${hash |> encode_to_str}" else ""; + in + "${_protocol}${host}${_port}${_path}${_query}${_hash}"; }; } \ No newline at end of file diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index 3fa74b9..3fb8f15 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix 
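Review bot: `encode_to_str` in `toUrl` joins query and hash pairs as `"${n}=${v}"` without percent-encoding, so a value containing `&`, `=`, `#` or a space changes the structure of the resulting URL; `(n: v: "${lib.strings.escapeURL n}=${lib.strings.escapeURL v}")` would keep names and values as data. `trim_slashes` passes the result of `match` straight to `head`, which fails when `match` returns `null` (an empty path, for example). The lazy `.+?` is probably not honoured by the regex dialect `builtins.match` uses, in which case trailing slashes are not trimmed; this is worth checking in `nix repl`. The header comment could also state that `query` and `hash` are expected to be attribute sets of strings.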
@@ -52,7 +52,7 @@ in { }; emoji = { - package = pkgs.noto-fonts-emoji; + package = pkgs.noto-fonts-color-emoji; name = "Noto Color Emoji"; }; }; diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index bd74ca2..9a02f01 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames; + inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs concatMapStringsSep filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; @@ -334,6 +334,16 @@ in concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set ; + append = attrList: set: set // (listToAttrs attrList); + forEach = src: key: set: + let + _key = concatMapStringsSep "_" (k: "\${item.${k}}") key; + in + { + forEach = "{ for item in ${src} : \"${_key}\" => item }"; + } + // set; + config' = config; # this is a nix package, the generated json file to be exact @@ -418,7 +428,7 @@ in # Users zitadel_human_user = - (cfg.organization + cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: { inherit email userName firstName lastName; 
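Review bot: The new `forEach` helper in the zitadel module emits the for-expression as a plain string, whereas the `extra_users` block it replaces in the next hunk wrapped the same expression in `lib.tfRef`; unless `toResource` (not visible here) adds the `${…}` wrapper, OpenTofu would receive a literal string for `for_each` instead of an expression. `forEach = lib.tfRef "{ for item in ${src} : \"${_key}\" => item }";` would keep the earlier behaviour. The helper also depends on the `forEach` key being renamed to `for_each` further down the pipeline, which deserves a one-line comment above it. The enclosing `let` block starts and ends outside the hunk.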
@@ -427,24 +437,20 @@ in } |> withRef "org" org |> toResource "${org}_${name}" - )) - - // { - "extra_users" = { - for_each = lib.tfRef ''{ - for user in local.extra_users : - "''${user.org}_''${user.name}" => user - }''; - - org_id = lib.tfRef "local.orgs[each.value.org]"; - user_name = lib.tfRef "each.value.name"; + ) + |> append + [ + (forEach "local.extra_users" [ "org" "name" ] { + orgId = lib.tfRef "local.orgs[each.value.org]"; + userName = lib.tfRef "each.value.name"; email = lib.tfRef "each.value.email"; - first_name = lib.tfRef "each.value.firstName"; - last_name = lib.tfRef "each.value.lastName"; + firstName = lib.tfRef "each.value.firstName"; + lastName = lib.tfRef "each.value.lastName"; - is_email_verified = true; - }; - } + isEmailVerified = true; + } + |> toResource "extraUsers") + ] ; # Global user roles @@ -708,6 +714,12 @@ in restartUnits = [ "zitadelApplyTerraform.service" ]; }; }; + + templates = { + "users.yml" = { + + }; + }; }; }; } diff --git a/modules/nixos/services/backup/borg/default.nix b/modules/nixos/services/backup/borg/default.nix index e200505..9cbbea0 100644 --- a/modules/nixos/services/backup/borg/default.nix +++ b/modules/nixos/services/backup/borg/default.nix @@ -10,13 +10,22 @@ in }; config = mkIf cfg.enable { + programs.ssh.extraConfig = '' + Host beheer.hazelhof.nl + Port 222 + User chris + AddressFamily inet + IdentityFile /home/chris/.ssh/id_ed25519 + ''; + services = { borgbackup.jobs = { media = { paths = "/var/media/test"; encryption.mode = "none"; - environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4"; - repo = "ssh://chris@beheer.hazelhof.nl:222/media"; + # environment.BORG_SSH = "ssh -4 -i /home/chris/.ssh/id_ed25519"; + environment.BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"; + repo = "ssh://beheer.hazelhof.nl//media"; compression = "auto,zstd"; startAt = "daily"; }; diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 9d915da..1950bf0 100644 
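Review bot: The borg `media` job keeps `encryption.mode = "none"` and now also sets `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"`, which silences the prompt Borg raises when it meets an unencrypted repository it has not seen before, so the backup is stored on the remote host readable and without a keyed integrity check. If that host is not fully trusted, `encryption.mode = "repokey-blake2";` together with `encryption.passCommand = "cat ${config.sops.secrets."<borg-passphrase-secret>".path}";` (placeholder secret name) removes the need for the override. The added `programs.ssh.extraConfig` applies system-wide and points at a private key in a user's home directory; a dedicated key for the backup job, provisioned like the other secrets, would keep the job independent of that account.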
--- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -1,9 +1,11 @@ -{ pkgs, lib, namespace, config, ... }: +{ pkgs, lib, namespace, config, inputs, system, ... }: let inherit (lib) mkIf mkEnableOption mkOption; inherit (lib.types) str; cfg = config.${namespace}.services.media; + + arr = ["radarr" ]; in { options.${namespace}.services.media = { 
@@ -60,47 +62,48 @@ in "d '${cfg.path}/reiverr/config' 0700 ${cfg.user} ${cfg.group} - -" "d '${cfg.path}/downloads/incomplete' 0700 ${cfg.user} ${cfg.group} - -" "d '${cfg.path}/downloads/done' 0700 ${cfg.user} ${cfg.group} - -" + "d /var/lib/radarrApplyTerraform 0755 ${cfg.user} ${cfg.group} -" ]; #========================================================================= # Services #========================================================================= services = let - arrService = { - enable = true; - openFirewall = true; + arr-services = + arr + |> lib.imap (i: service: { + name = service; + value = { + enable = true; + openFirewall = true; - settings = { - auth.AuthenticationMethod = "External"; - }; - }; + environmentFiles = [ + config.sops.templates."${service}/config.env".path + ]; - withPort = port: service: service // { settings.server.Port = builtins.toString port; }; + settings = { + auth.authenticationMethod = "External"; - withUserAndGroup = service: service // { - user = cfg.user; - group = cfg.group; - }; - in { - radarr = - arrService - |> withPort 2001 - |> withUserAndGroup; - - sonarr = - arrService - |> withPort 2002 - |> withUserAndGroup; - - lidarr = - arrService - |> withPort 2003 - |> withUserAndGroup; - - prowlarr = - arrService - |> withPort 2004; + server = { + bindaddress = "0.0.0.0"; + port = 2000 + i; + }; + postgres = { + host = "localhost"; + port = "5432"; + user = service; + maindb = service; + logdb = service; + }; + }; + } + // (if service != "prowlarr" then { user = cfg.user; group = cfg.group; } else {}); + }) + |> lib.listToAttrs + ; + in + arr-services // { bazarr = { enable = true; openFirewall = true; @@ -146,6 +149,19 @@ in group = cfg.group; }; + postgresql = + let + databases = arr |> lib.concatMap (s: [ s "${s}-log" ]); + in + { + enable = true; + ensureDatabases = arr; + ensureUsers = arr |> lib.map (service: { + name = service; + ensureDBOwnership = true; + }); + }; + caddy = { enable = true; virtualHosts = { 
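Review bot: Each generated arr service combines `auth.authenticationMethod = "External"` with `bindaddress = "0.0.0.0"` and `openFirewall = true`, so the port is reachable directly from the network while the application delegates authentication to a proxy that such a request never passes through. With Caddy enabled later in this file, `bindaddress = "127.0.0.1";` and `openFirewall = false;` would leave the proxy as the only entry point. The new tmpfiles rule creates `/var/lib/radarrApplyTerraform` with mode 0755; since it will hold OpenTofu state and the copied configuration, 0700 is the safer default. The `services` attribute set continues outside the hunk.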
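Review bot: The `databases` binding in the new `postgresql` block is never used: it builds a `"${s}-log"` name per service, but `ensureDatabases = arr` creates only the main database, and the service settings in the previous hunk point `logdb` at the same name as `maindb`. Either drop the binding, or use `ensureDatabases = databases;` and `logdb = "${service}-log";`, keeping in mind that `ensureDBOwnership` only covers the database named after the user. The services connect to `host = "localhost"` without a password, which presumably goes over TCP where the default `pg_hba` rules expect one, so it is worth confirming that the connection succeeds.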
@@ -156,6 +172,136 @@ in }; }; + systemd.services.radarrApplyTerraform = + let + # this is a nix package, the generated json file to be exact + terraformConfiguration = inputs.terranix.lib.terranixConfiguration { + inherit system; + + modules = [ + ({ config, lib, ... }: { + config = { + variable = { + api_key = { + type = "string"; + description = "Radarr api key"; + }; + }; + + terraform.required_providers.radarr = { + source = "devopsarr/radarr"; + version = "2.2.0"; + }; + + provider.radarr = { + url = "http://127.0.0.1:2001"; + api_key = lib.tfRef "var.api_key"; + }; + + resource = { + radarr_root_folder.local = { + path = "/var/media/movies"; + }; + }; + }; + }) + ]; + }; + in + { + description = "Radarr terraform apply"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "radarr.service" ]; + + script = '' + #!/usr/bin/env bash + + if [ "$(systemctl is-active radarr)" != "active" ]; then + echo "Radarr is not running" + exit 1 + fi + + # Sleep for a bit to give radarr the chance to start up + sleep 5s + + # Print the path to the source for easier debugging + echo "config location: ${terraformConfiguration}" + + # Copy infra code into workspace + cp -f ${terraformConfiguration} config.tf.json + + # Initialize OpenTofu + ${lib.getExe pkgs.opentofu} init + + # Run the infrastructure code + # ${lib.getExe pkgs.opentofu} plan -var-file='${config.sops.templates."radarr/config.tfvars".path}' + ${lib.getExe pkgs.opentofu} apply -auto-approve -var-file='${config.sops.templates."radarr/config.tfvars".path}' + ''; + + serviceConfig = { + Type = "oneshot"; + User = cfg.user; + Group = cfg.group; + + WorkingDirectory = "/var/lib/radarrApplyTerraform"; + + EnvironmentFile = [ + config.sops.templates."radarr/config.env".path + ]; + }; + }; + systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; + + sops = { + secrets = + arr + |> lib.map (service: { + name = "${service}/apikey"; + value = { + owner = cfg.user; + group = cfg.group; + restartUnits = [ 
"${service}.service" ]; + }; + }) + |> lib.listToAttrs + ; + + templates = + let + apikeys = + arr + |> lib.map (service: { + name = "${service}/config.env"; + value = { + owner = cfg.user; + group = cfg.group; + restartUnits = [ "${service}.service" ]; + content = '' + ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" + ''; + }; + }) + |> lib.listToAttrs; + + tfvars = + arr + |> lib.map(service: { + name = "${service}/config.tfvars"; + value = { + owner = cfg.user; + group = cfg.group; + restartUnits = [ "${service}ApplyTerraform.service" ]; + content = '' + api_key = "${config.sops.placeholder."${service}/apikey"}" + ''; + }; + }) + |> lib.listToAttrs; + in + apikeys // tfvars + ; + }; }; } diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index 41535cd..79633ab 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -103,7 +103,7 @@ in type = "Radarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; + url = "http://${config.networking.hostName}:2001"; target = "_blank"; } @@ -112,7 +112,7 @@ in type = "Sonarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; + url = "http://${config.networking.hostName}:2002"; target = "_blank"; } @@ -121,7 +121,7 @@ in type = "Lidarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; + url = "http://${config.networking.hostName}:2003"; target = "_blank"; } 
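Review bot: The `api_key` variable in the generated configuration for `radarrApplyTerraform` is declared without `sensitive = true;`, so OpenTofu is free to print it in plan or error output that ends up in the journal; adding the attribute next to `type` costs nothing. The unit lists `wants = [ "radarr.service" ]` but no `after`, so start order is not guaranteed and the script compensates with an `is-active` check and `sleep 5s`; `after = [ "radarr.service" ];` makes the ordering explicit. `tofu init` runs at every start and fetches the `devopsarr/radarr` provider over the network; committing a lock file with provider hashes, or supplying the provider from the Nix store, would pin what gets executed with the API key.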
@@ -130,7 +130,7 @@ in type = "Prowlarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; + url = "http://${config.networking.hostName}:2004"; target = "_blank"; } diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix new file mode 100644 index 0000000..097a36b --- /dev/null +++ b/modules/nixos/services/media/servarr/default.nix 
@@ -0,0 +1,214 @@ +{ pkgs, config, lib, namespace, inputs, system, ... }: +let + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption mkOption types; + + cfg = config.${namespace}.services.media.servarr; +in +{ + options.${namespace}.services.media = { + servarr = mkOption { + type = types.attrsOf (types.submodule ({ name, ... }: { + options = { + enable = mkEnableOption "Enable ${name}"; + debug = mkEnableOption "Use tofu plan instead of tofu apply for ${name} "; + + port = mkOption { + type = types.port; + }; + + rootFolders = mkOption { + type = types.listOf types.str; + default = []; + }; + }; + })); + default = {}; + }; + }; + + config = { + services = + cfg + |> lib.mapAttrsToList (service: { enable, port, ... }: (mkIf enable { + "${service}" = { + enable = true; + openFirewall = true; + + environmentFiles = [ + config.sops.templates."${service}/config.env".path + ]; + + settings = { + auth.authenticationMethod = "External"; + + server = { + bindaddress = "0.0.0.0"; + port = port; + }; + + postgres = { + host = "localhost"; + port = "5432"; + user = service; + maindb = service; + logdb = service; + }; + }; + }; + })) + |> lib.mergeAttrsList + |> (set: set // { + postgres = { + ensureDatabases = cfg |> lib.attrNames; + ensureUsers = cfg |> lib.attrNames |> lib.map (service: { + name = service; + ensureDBOwnership = true; + }); + }; + }) + ; + + systemd = + cfg + |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { + tmpfiles.rules = [ + "d /var/lib/${service}ApplyTerraform 0755 ${service} ${service} -" + ]; + + services."${service}ApplyTerraform" = + let + terraformConfiguration = inputs.terranix.lib.terranixConfiguration { + inherit system; + + modules = [ + ({ config, lib, ... 
}: { + config = { + variable = { + api_key = { + type = "string"; + description = "${service} api key"; + }; + }; + + terraform.required_providers.${service} = { + source = "devopsarr/${service}"; + version = "2.2.0"; + }; + + provider.${service} = { + url = "http://127.0.0.1:${toString port}"; + api_key = lib.tfRef "var.api_key"; + }; + + resource = { + "${service}_root_folder" = + rootFolders + |> lib.imap (i: f: lib.nameValuePair "local${toString i}" { path = f; }) + |> lib.listToAttrs + ; + }; + }; + }) + ]; + }; + in + { + description = "${service} terraform apply"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "${service}.service" ]; + + script = '' + #!/usr/bin/env bash + + # Sleep for a bit to give the service a chance to start up + sleep 5s + + if [ "$(systemctl is-active ${service})" != "active" ]; then + echo "${service} is not running" + exit 1 + fi + + # Print the path to the source for easier debugging + echo "config location: ${terraformConfiguration}" + + # Copy infra code into workspace + cp -f ${terraformConfiguration} config.tf.json + + # Initialize OpenTofu + ${lib.getExe pkgs.opentofu} init + + # Run the infrastructure code + ${lib.getExe pkgs.opentofu} \ + ${if debug then "plan" else "apply -auto-approve"} \ + -var-file='${config.sops.templates."${service}/config.tfvars".path}' + ''; + + serviceConfig = { + Type = "oneshot"; + User = service; + Group = service; + + WorkingDirectory = "/var/lib/${service}ApplyTerraform"; + + EnvironmentFile = [ + config.sops.templates."${service}/config.env".path + ]; + }; + }; + })) + |> lib.mergeAttrsList + ; + + users.users = + cfg + |> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable { + "${service}".extraGroups = [ "media" ]; + })) + |> lib.mergeAttrsList + ; + + sops = + cfg + |> lib.mapAttrsToList (service: { enable, ... 
}: (mkIf enable { + secrets."${service}/apikey" = { + owner = service; + group = service; + restartUnits = [ "${service}.service" ]; + }; + + templates = { + "${service}/config.env" = { + owner = service; + group = service; + restartUnits = [ "${service}.service" ]; + content = '' + ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" + ''; + }; + + "${service}/config.tfvars" = { + owner = service; + group = service; + restartUnits = [ "${service}.service" ]; + content = '' + api_key = "${config.sops.placeholder."${service}/apikey"}" + ''; + }; + }; + })) + |> lib.mergeAttrsList + ; + }; + + + # cfg + # |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { + + # # sops = { + # # }; + # })) + # |> lib.mergeAttrsList + # ; +} diff --git a/modules/nixos/services/observability/uptime-kuma/default.nix b/modules/nixos/services/observability/uptime-kuma/default.nix new file mode 100644 index 0000000..c23977b --- /dev/null +++ b/modules/nixos/services/observability/uptime-kuma/default.nix @@ -0,0 +1,25 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.observability.uptime-kuma; +in +{ + options.${namespace}.services.observability.uptime-kuma = { + enable = mkEnableOption "enable uptime kuma"; + }; + + config = mkIf cfg.enable { + services.uptime-kuma = { + enable = true; + + settings = { + PORT = toString 9006; + HOST = "0.0.0.0"; + }; + }; + + networking.firewall.allowedTCPPorts = [ 9006 ]; + }; +} diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index de50be7..abab566 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix 
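Review bot: Each enabled service gets `auth.authenticationMethod = "External"`, `bindaddress = "0.0.0.0"` and `openFirewall = true`, which together put the UI on the network with the application doing no authentication of its own. As far as I know, "External" in the Servarr apps means an authenticating reverse proxy in front is trusted, and nothing in this file sets one up; the Homer links in this patch go straight to the port over plain HTTP. Unless a proxy elsewhere enforces login, bind to loopback and keep the port closed: `bindaddress = "127.0.0.1";` and `openFirewall = false;`. Separately, `lib.mergeAttrsList` over a list of `mkIf enable { … }` values appears to merge the `mkIf` wrappers themselves, so only the last service's content would survive, and the `postgres` key added afterwards lands beside `_type`/`condition` (the NixOS option is also `services.postgresql`). `lib.mkMerge` on the list looks like what is intended.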
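Review bot: `HOST = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [ 9006 ]` publishes Uptime Kuma directly over plain HTTP, whereas the Vaultwarden module in this repository listens on `::1` (`ROCKET_ADDRESS`) and is presumably reached through a proxy. If this service is meant to sit behind the same proxy, `HOST = "127.0.0.1";` and dropping the firewall rule would match that. The port literal is written twice; a `let port = 9006;` binding, or a `port` option like the servarr module has, keeps the two in step. `pkgs` is unused in the argument list.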
@@ -1,13 +1,87 @@ { pkgs, config, lib, namespace, ... }: let inherit (builtins) toString; - inherit (lib) mkIf mkEnableOption; + inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep; cfg = config.${namespace}.services.security.vaultwarden; + + databaseProviderSqlite = types.submodule ({ ... }: { + options = { + type = mkOption { + type = types.enum [ "sqlite" ]; + }; + + file = mkOption { + type = types.str; + description = ''''; + }; + }; + }); + + databaseProviderPostgresql = types.submodule ({ ... }: + let + urlOptions = lib.${namespace}.options.mkUrlOptions { + host = { + description = '' + Hostname of the postgresql server + ''; + }; + + port = { + default = 5432; + example = "5432"; + description = '' + Port of the postgresql server + ''; + }; + + protocol = mkOption { + default = "postgres"; + example = "postgres"; + }; + }; + in + { + options = { + type = mkOption { + type = types.enum [ "postgresql" ]; + }; + + sslMode = mkOption { + type = types.enum [ "verify-ca" "verify-full" "require" "prefer" "allow" "disabled" ]; + default = "verify-full"; + example = "verify-ca"; + description = '' + How to verify the server's ssl + + | mode | eavesdropping protection | MITM protection | Statement | + |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| + | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | + | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | + | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | + | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. 
| + | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | + | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | + + [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) + ''; + }; + } // (urlOptions |> getAttrs [ "protocol" "host" "port" ]); + }); in { options.${namespace}.services.security.vaultwarden = { enable = mkEnableOption "enable vaultwarden"; + + database = mkOption { + type = types.oneOf [ + (types.addCheck databaseProviderSqlite (x: x ? type && x.type == "sqlite")) + (types.addCheck databaseProviderPostgresql (x: x ? type && x.type == "postgresql")) + null + ]; + default = null; + description = ''''; + }; }; config = mkIf cfg.enable { @@ -15,6 +89,8 @@ in "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" ]; + # systemd.services.vaultwarden.wants = [ "zitadelApplyTerraform.service" ]; + services = { vaultwarden = { enable = true; @@ -26,8 +102,6 @@ in SIGNUPS_ALLOWED = false; DOMAIN = "https://vault.kruining.eu"; - ADMIN_TOKEN = ""; - DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable"; WEB_VAULT_ENABLED = true; @@ -41,9 +115,6 @@ in SSO_ORGANIZATIONS_REVOCATION = true; SSO_AUTHORITY = "https://auth.kruining.eu/"; SSO_SCOPES = "email profile offline_access"; - SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; - SSO_CLIENT_ID = "335178854421299459"; - SSO_CLIENT_SECRET = ""; ROCKET_ADDRESS = "::1"; ROCKET_PORT = 8222; @@ -53,10 +124,14 @@ in SMTP_PORT = 587; SMTP_SECURITY = "starttls"; SMTP_USERNAME = "chris@kruining.eu"; - SMTP_PASSWORD = ""; SMTP_FROM = "chris@kruining.eu"; SMTP_FROM_NAME = "Chris' Vaultwarden"; }; + + environmentFile = [ + "/var/lib/zitadel/clients/nix_ulmo_vaultwarden" + config.sops.templates."vaultwarden/config.env".path + ]; }; postgresql = { 
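Review bot: The `sslMode` enum accepts `"disabled"`, but the libpq value is `disable`, as the table in the option's own description shows, so a URL built with `sslmode=disabled` would presumably be rejected by the client. The enum entry should read `"disable"`, and the ulmo host config later in this patch sets `sslMode = "disabled"` and needs the same change. In the `database` option, `types.oneOf [ … null ]` passes a bare `null` where a type is expected; `types.nullOr (types.oneOf [ … ])` expresses "optional" and keeps `default = null` valid. Both `description = '''';` strings are empty and should say what the option holds, for instance that `file` is presumably the path to the SQLite database.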
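Review bot: The new `environmentFile` entry `/var/lib/zitadel/clients/nix_ulmo_vaultwarden` is a file this module neither creates nor orders itself after; the `systemd.services.vaultwarden.wants` line for `zitadelApplyTerraform.service` is added commented out in the second hunk. If the unit that writes the file has not run, systemd will presumably refuse to start Vaultwarden on the missing file, and with `SSO_CLIENT_ID` and `SSO_CLIENT_SECRET` removed in the previous hunk the SSO settings depend entirely on it. Consider enabling the dependency with both `wants` and `after`, and confirming the file is readable only by the `vaultwarden` user. The removed `DATABASE_URL` is not replaced in these hunks either, so the service may fall back to its default database until the generated value is wired in.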
@@ -89,5 +164,54 @@ in }; }; }; + + sops = { + secrets = { + "vaultwarden/email" = { + owner = config.users.users.vaultwarden.name; + group = config.users.users.vaultwarden.name; + key = "email/chris_kruining_eu"; + restartUnits = [ "vaultwarden.service" ]; + }; + }; + + templates = { + "vaultwarden/config.env" = { + content = '' + SMTP_PASSWORD='${config.sops.placeholder."vaultwarden/email"}'; + ''; + owner = config.users.users.vaultwarden.name; + group = config.users.groups.vaultwarden.name; + }; + temp-db-output.content = + let + config = + cfg.database + |> ({ type, ... }@db: + if type == "sqlite" then + { inherit (db) type file; } + else if type == "postgresql" then + { + inherit (db) type; + url = lib.${namespace}.strings.toUrl { + inherit (db) protocol host port; + path = "vaultwarden"; + query = { + sslmode = db.sslMode; + }; + }; + } + else + {} + ) + |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}") + ; + in + '' + # GENERATED VALUES + ${config} + ''; + }; + }; }; } diff --git a/shells/default/default.nix b/shells/default/default.nix index 0361f88..1749c48 100644 --- a/shells/default/default.nix +++ b/shells/default/default.nix @@ -5,6 +5,8 @@ mkShell { bash sops just + yq + pwgen inputs.clan-core.packages.x86_64-linux.clan-cli ]; } \ No newline at end of file diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 8bb5cea..0310818 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
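Review bot: The template line `SMTP_PASSWORD='${…}';` ends with a semicolon, which is Nix habit but not env-file syntax; depending on the parser it can end up as part of the value, so SMTP login would fail with `;` appended to the password. Drop it: `SMTP_PASSWORD='${config.sops.placeholder."vaultwarden/email"}'`. The `temp-db-output` template is not referenced by `environmentFile` and emits `TYPE=`/`URL=` (or `FILE=`) rather than `DATABASE_URL`, so the new `database` option has no effect yet; it also destructures `cfg.database` with `{ type, ... }@db`, which fails while the option is at its `null` default. The local `config` binding in that `let` shadows the module's `config`, and a name such as `dbEnv` would avoid the confusion. The secret takes its `group` from `config.users.users.vaultwarden.name` while the template uses `config.users.groups.vaultwarden.name`; the latter is the consistent choice.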
@@ -147,15 +147,56 @@ media.enable = true; media.homer.enable = true; media.nfs.enable = true; + media.servarr = { + # radarr = { + # port = 2001; + # }; + + sonarr = { + enable = true; + # debug = true; + port = 2002; + rootFolders = [ + "/var/media/series" + ]; + }; + + lidarr = { + enable = true; + debug = true; + port = 2003; + rootFolders = [ + "/var/media/music" + ]; + }; + + prowlarr = { + enable = true; + debug = true; + port = 2004; + }; + }; observability = { grafana.enable = true; prometheus.enable = true; loki.enable = true; promtail.enable = true; + # uptime-kuma.enable = true; }; - security.vaultwarden.enable = true; + security.vaultwarden = { + enable = true; + database = { + # type = "sqlite"; + # file = "/var/lib/vaultwarden/state.db"; + + type = "postgresql"; + host = "localhost"; + port = 5432; + sslMode = "disabled"; + }; + }; }; editor = {