penpot: configure penpot host using oci-containers

2024-08-10 22:38:05 +02:00 · 2024-08-10 22:38:05 +02:00 · f128368c0c
commit f128368c0c
parent 6c7edcc1d3
10 changed files with 570 additions and 0 deletions
--- a/config/hosts/penpot/configuration.nix
+++ b/config/hosts/penpot/configuration.nix
@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+  networking.hostName = "penpot";
+
+  system.stateVersion = "24.05";
+}
--- a/config/hosts/penpot/default.nix
+++ b/config/hosts/penpot/default.nix
@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./networking.nix
+    ./nginx.nix
+    ./penpot.nix
+    ./sops.nix
+  ];
+}
--- a/config/hosts/penpot/networking.nix
+++ b/config/hosts/penpot/networking.nix
@ -0,0 +1,20 @@
+{ ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "172.31.17.162";
+        prefixLength = 25;
+      }
+    ];
+  };
+  networking.defaultGateway = "172.31.17.129";
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.search = [ "hamburg.ccc.de" ];
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "BC:24:11:26:1C:8A";
+    linkConfig.Name = "net0";
+  };
+}
--- a/config/hosts/penpot/nginx.nix
+++ b/config/hosts/penpot/nginx.nix
@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+
+let
+  domain = "design.hamburg.ccc.de";
+in
+{
+  services.nginx = {
+    enable = true;
+
+    virtualHosts = {
+      "acme-${domain}" = {
+        default = true;
+        enableACME = true;
+        serverName = "${domain}";
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 31820;
+          }
+        ];
+      };
+
+      "${domain}" = {
+        default = true;
+        forceSSL = true;
+        useACMEHost = "${domain}";
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:9001";
+        };
+
+        locations."/ws/notifications" = {
+          proxyPass = "http://127.0.0.1:9001";
+          proxyWebsockets = true;
+        };
+
+        extraConfig = ''
+          # Make use of the ngx_http_realip_module to set the $remote_addr and
+          # $remote_port to the client address and client port, when using proxy
+          # protocol.
+          # First set our proxy protocol proxy as trusted.
+          set_real_ip_from 172.31.17.140;
+          # Then tell the realip_module to get the addreses from the proxy protocol
+          # header.
+          real_ip_header proxy_protocol;
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+  networking.firewall.allowedUDPPorts = [ 8443 ];
+}
--- a/config/hosts/penpot/penpot.nix
+++ b/config/hosts/penpot/penpot.nix
@ -0,0 +1,198 @@
+# Sources used for this configuration:
+# - https://github.com/penpot/penpot/blob/2.1.0/docker/images/docker-compose.yaml
+# - https://raw.githubusercontent.com/penpot/penpot/2.1.0/docker/images/docker-compose.yaml
+# - https://help.penpot.app/technical-guide/configuration/
+# - https://medium.com/@social.iodols/managing-docker-containers-in-nixos-fbda0f666dd1
+# - https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/
+
+{ config, pkgs, ... }:
+
+let
+  # Flags for both frontend and backend.
+  # https://help.penpot.app/technical-guide/configuration/#common
+  # https://github.com/penpot/penpot/commit/ea7ad2aaa096f8d190d740f693f22f3ed1f05088
+  commonPenpotFlags = "disable-registration enable-oidc-registration disable-login-with-password enable-login-with-oidc";
+  penpotVersion = "2.1.2";
+in
+{
+  virtualisation.docker.enable = true;
+  virtualisation.oci-containers = {
+    backend = "docker";
+    containers = {
+      "penpot-frontend" = {
+        autoStart = true;
+        image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/frontend:${penpotVersion}";
+        extraOptions = [ "--network=penpot" ];
+        ports = [ "9001:80" ];
+        volumes = [ "penpot_assets:/opt/data/assets" ];
+        dependsOn = [
+          "penpot-backend"
+          "penpot-exporter"
+        ];
+        environment = {
+          # https://help.penpot.app/technical-guide/configuration/#frontend
+          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L78
+
+          PENPOT_FLAGS = "${commonPenpotFlags} disable-onboarding";
+        };
+      };
+
+      "penpot-backend" = {
+        autoStart = true;
+        image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/backend:${penpotVersion}";
+        extraOptions = [ "--network=penpot" ];
+        volumes = [ "penpot_assets:/opt/data/assets" ];
+        dependsOn = [
+          "penpot-postgres"
+          "penpot-redis"
+        ];
+        environment = {
+          # https://help.penpot.app/technical-guide/configuration/#backend
+          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L112
+
+          PENPOT_FLAGS = "${commonPenpotFlags} enable-smtp";
+
+          # PENPOT_SECRET_KEY st via environmentFile.
+          PENPOT_TELEMETRY_ENABLED = "false";
+
+          # OpenID Connect configuration.
+          # https://help.penpot.app/technical-guide/configuration/#openid-connect
+          PENPOT_OIDC_CLIENT_ID = "penpot";
+          PENPOT_OIDC_BASE_URI = "https://id.hamburg.ccc.de/realms/ccchh/";
+          # PENPOT_OIDC_CLIENT_SECRET set via environmentFile.
+          PENPOT_OIDC_ROLES = "user";
+          PENPOT_OIDC_ROLES_ATTR = "roles";
+
+          # Database configuration.
+          # https://help.penpot.app/technical-guide/configuration/#database
+          PENPOT_DATABASE_USERNAME = "penpot";
+          # PENPOT_DATABASE_PASSWORD set via environmentFile.
+          PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot";
+
+          # Email configuration.
+          # https://help.penpot.app/technical-guide/configuration/#email-(smtp)
+          PENPOT_SMTP_HOST = "cow.hamburg.ccc.de";
+          PENPOT_SMTP_PORT = "465";
+          PENPOT_SMTP_USERNAME = "no-reply@design.hamburg.ccc.de";
+          # PENPOT_SMTP_PASSWORD set via environmentFile.
+          PENPOT_SMTP_SSL = "true";
+          PENPOT_SMTP_DEFAULT_REPLY_TO = "Penpot <no-reply@design.hamburg.ccc.de>";
+          PENPOT_SMTP_DEFAULT_FROM = "Penpot <no-reply@design.hamburg.ccc.de>";
+
+          # Storage
+          # https://help.penpot.app/technical-guide/configuration/#storage
+          PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs";
+          PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets";
+
+          # Redis
+          # https://help.penpot.app/technical-guide/configuration/#redis
+          PENPOT_REDIS_URI = "redis://penpot-redis/0";
+
+          PENPOT_PUBLIC_URI = "https://design.hamburg.ccc.de";
+        };
+        environmentFiles = [ "/run/secrets/penpot_backend_environment_file" ];
+      };
+
+      "penpot-exporter" = {
+        autoStart = true;
+        image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/exporter:${penpotVersion}";
+        extraOptions = [ "--network=penpot" ];
+        environment = {
+          # https://help.penpot.app/technical-guide/configuration/#exporter
+          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L221
+          PENPOT_PUBLIC_URI = "http://penpot-frontend";
+          PENPOT_REDIS_URI = "redis://penpot-redis/0";
+        };
+      };
+
+      "penpot-postgres" = {
+        autoStart = true;
+        image = "docker.io/library/postgres:15";
+        extraOptions = [ "--stop-signal=SIGINT" "--network=penpot" ];
+        volumes = [ "penpot_postgres_v15:/var/lib/postgresql/data" ];
+        environment = {
+          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L240
+
+          POSTGRES_INITDB_ARGS = "--data-checksums";
+          POSTGRES_DB = "penpot";
+          POSTGRES_USER = "penpot";
+          # POSTGRES_PASSWORD set via environmentFile.
+        };
+        environmentFiles = [ "/run/secrets/penpot_postgres_environment_file" ];
+      };
+
+      "penpot-redis" = {
+        autoStart = true;
+        image = "docker.io/library/redis:7";
+        extraOptions = [ "--network=penpot" ];
+      };
+    };
+  };
+
+  # Docker networks.
+  systemd.services."docker-network-penpot" = {
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStop = "${pkgs.docker}/bin/docker network rm -f penpot";
+    };
+    script = "${pkgs.docker}/bin/docker network inspect penpot || ${pkgs.docker}/bin/docker network create penpot";
+    requiredBy = [
+      "docker-penpot-frontend.service"
+      "docker-penpot-backend.service"
+      "docker-penpot-exporter.service"
+      "docker-penpot-postgres.service"
+      "docker-penpot-redis.service"
+    ];
+    before = [
+      "docker-penpot-frontend.service"
+      "docker-penpot-backend.service"
+      "docker-penpot-exporter.service"
+      "docker-penpot-postgres.service"
+      "docker-penpot-redis.service"
+    ];
+  };
+
+  # Pull docker images prior to starting container services, so that a container
+  # service isn't considered up, if it actually is still just pulling the
+  # relevant image.
+  systemd.services."docker-images-penpot" = {
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-frontend".image}
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-backend".image}
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-exporter".image}
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-postgres".image}
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-redis".image}
+    '';
+    requiredBy = [
+      "docker-penpot-frontend.service"
+      "docker-penpot-backend.service"
+      "docker-penpot-exporter.service"
+      "docker-penpot-postgres.service"
+      "docker-penpot-redis.service"
+    ];
+    before = [
+      "docker-penpot-frontend.service"
+      "docker-penpot-backend.service"
+      "docker-penpot-exporter.service"
+      "docker-penpot-postgres.service"
+      "docker-penpot-redis.service"
+    ];
+  };
+
+  sops.secrets."penpot_backend_environment_file" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+  };
+
+  sops.secrets."penpot_postgres_environment_file" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+  };
+}
--- a/config/hosts/penpot/secrets.yaml
+++ b/config/hosts/penpot/secrets.yaml
@ -0,0 +1,234 @@
+penpot_backend_environment_file: ENC[AES256_GCM,data:+MJbbAjzslBIYlQ9xe0VzM8ON2U5dktJGGHmoUu0HW0mvU4pRYrQXlWdW85RXAyYU9yOiL6TNAHOWUQyqOdo23whuer2jL/Qe17DEhapE4b9W9JqBX7H0VZZKHS70AgGZdWmbj/bWAROg/qGPVKjZLhgKxoVTVbvAIJEXUDAbGfvHlY3BP67yUTXvbmtd/Rdhn6i1HafY7YHFNAW8SkikglW6wR5igEZMFAefMOMgq7aYmNXOr1bImjCPEko0DvumJZM4YMjmb3Wc97wL7OMP9G/V0k9fRclhOj9+lNpeeCKL+VL3Bgo8vqgrB+WIi4a0EwerT8srx351txrU+ITxoHciRQtOpeXVHWL1snW9o7xCoOcil0NS93D9GhW+Hd75Is/xHN08UHmahF1r71nbDK4CmSiUzZzFLl1oWkSTU/31zBUnllHOt5nDMKT42xiniAJcQ==,iv:vtIlNGIh9+e9W+OebTac+UUQp9glBIolC6KQwQMzDn4=,tag:kBBTu7LVp+3xJ/MstLyomw==,type:str]
+penpot_postgres_environment_file: ENC[AES256_GCM,data:VT36kHkRH8ghnU1oyPpAQZW2LR8GNmG1cQXVjU4f+rGy9hViTivd7qxzMusisy7IcWfVaQuXFvUCT+pCMD/fhSAQZOY/1Rs8LBXJtsuPButOG9Q=,iv:pUjAkvvHjsnzn0xRRmdZXatOgLm9dx8Ggt7lEfiQllQ=,tag:FZRqlcxQWu/FgnJfoukIcA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZVA5WE9JcDBOQVdPbGkz
+            SnNkWEJvaUtGaWVOajd6SzJ6aGNxSXZQaVhnCmgwT01kNFRZa09Gd1o2ZURyZUJQ
+            N0dwK21vUmk1N1duOVNtV2wrVmlyNDQKLS0tIEJtUENHdXhGcXhRRjM5VkhpdEVG
+            Z3UzOGFFUDhwUndoQWtCdHlMenZETW8KI0FjoFG4E1fhOxYiCIxY2BnLOmGcpoyK
+            EbDdNFQEMngwppEm9r1KzG/1cGMoIij2qpmK4Jz1Hzgk/6dZwvGxzw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-10T15:40:27Z"
+    mac: ENC[AES256_GCM,data:hxVxH/BBwYcvbtOH4aOUnI9NnbCfAGnnwE3VQBJBJliOWo9WHm/hx4Eol4vaS+AA2t6AUU7UmzjofX2wSTbqQliDCFCSgbpMofDXP7tmlat+M9Du91fQmfOibzCd84tkqS+TRTFCFX83LmQ7/Bb2mHl77uGVAFYyHX9+IPPEUMw=,iv:w2Rdl2+o7bZRQsOogU6U5DK1UuHn+bL4Ouh3XbByYHA=,tag:6sqJal6+kzk0stP6vK6oOw==,type:str]
+    pgp:
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxK/JaB2/SdtAQ/+JKe4fsuAKMJr6kuDt5vjv+hrXamWEwRLBfYPHHZHEUeK
+            AQBs9fG9Ni7Qpelv8RIbxWyophgt2TCEqP2d+7EcGTgDZkdLxx5s2LJuCh+tEZwT
+            bm0sPt+8eYY077MxA1ZtlBgkslMugvdnJaDckGc8xRPldUa7gRp0j3yaLULRxjA6
+            T0nyALAqAaDa2uHgB7mTB3pXJYk4GxZpYbVc+wxAWXEDRLR/bpT18ywAcA6iSerd
+            KGDzWKjgOr1TTJqUxsguqDjnVp1c+xRPirC9uENGqW8mxI7h1+4B//dJvuXV/cYh
+            LKi0aDUTnma78mo2v9faUSJl23LkIehWZwbVG/+Mpkk3yxscLV124Vbwj56IFCzI
+            AiJ7m2QVxY5eXoVLodw6Po2S62gkwg7H5Aw3J4pppNuIAIr/8mJBpJoBy6poTsG3
+            QhbQdEdsF5ikoLu/OV/H7mp86zJt42Q+74xGjKYx/qvLq6SDmDA03kqk9N71URyu
+            FRTEDysEkeAzreFFkxn3Q+K/cXvtv/2Knte1lmDTfpmhg4cFwsLPLPH37A2veaxJ
+            JTyWDLHgrJ8NFgii3gLrwj+XLOZOwmCY0puJKtdAnPaaQiLfyqYfeLVlt7Se4MMJ
+            8XaFWcaQHBxL9nRZnx7WkE9LfHIG0e+414hT0F/aER+8iKboIbt6rdEHpEMGDWnU
+            aAEJAhD/TpW7E+yYjFVi/xSQ3kCAruHcm6x4BDTE7by0VeTLiRFW+culxiInOYiD
+            kdp+dATm5f7IrQp/qemL02/Me5yqURZlZrDHra7AiCI+MVBJiCRIY/x6xZSew7PX
+            HC+p9sB+PBFL
+            =1qbt
+            -----END PGP MESSAGE-----
+          fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6EyPtWBEI+2AQ/+Ijn18W+K2je/hpolpY6HmQMTTRpQJZ8YtJ5G35o5WoVP
+            hH+znQMrBBAtnTWeFBeIuIzk4CHjPS0yfnsE4/rP7/lSa177A2xaeiCb74F6k/Es
+            MtDE/TApSlNdPFruN5nkd2I8jAWh1k37nS+/NUhszReR39NNmgA+aCSc2OK04aAz
+            dpPXmaJ+d3zMr7eFoL2NyhNI3A/ZdVP3UmZCp12juckDRl8oeei4PBlw2T6ODJP4
+            tY08I9EyK/5K4auhYJyvayl1RWwRuShFV732ZjztkawLw152W0Rrg75Qoukhs9mr
+            TdyF0zcnVxAcOV4e5wRe13dDV6Ue7zeWFc9bb577thGzUm2Oue0u+oisty16qt9K
+            0vw0tVSDtT/suodG8HpvSwGQ+/xcV7w8XCH8Yx28N9iO49VZCB1ZYXQBxTHVDl2b
+            J/8AivaK4OOFvPWNr4u6oLaO9nz1aaX6Qsap5zn0Qa2Ls2SSBwWk2Fp/f1dq3KOy
+            /jGR89ocuEuImVacr2G6zxPnbukfa4S8q/FUUDbswQUqmWMcDDq3dOQ1fFPRd7vy
+            5a9u3P8LFW+ZPPHop3kgozgZ9pBGDOlw3nkjGjFl39lE33E+049gLE6I6+1+umG0
+            EWkNI9y8X+HmHMthVuYapq23Ix09H6Wa452hZmEUxNgp33M8Zx+l3s6D7o7jfrjS
+            XgElPJuUWyGKPoUY9mFaINyVqjOJGEtEOYRP7jvCpFWDq/xQ8jbJvvv7qBy8+i0b
+            cpqRrMJrvMB2PSLeD6cNWymrNhKilLLFOcG9yaIEudDhiuv3L4/ub08QMroDmo8=
+            =80AM
+            -----END PGP MESSAGE-----
+          fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAz5uSgHG2iMJAQ//Vv7IVqc9ReeFgo8RWbYpl1W5atAHerZuUh0oYc4otGpb
+            UseJ2JInyykcUeQWlOGvTK+eauBVNET0E/6jylCoWb8lzffhSMJ4FFpvpsoYjPG9
+            Q8s3r8soOCYB0xscfhinZwJg5to+I2MSd8mppWIp4UCQhxv7MqQpbqEzNTfVP7YO
+            QEUZ/lesVovLvxMzKc2YVWyZFSW2G6HK3LTaJIg8gy5ym/crlUB+awd2ZDePGk6F
+            Y7DcKwL1EpCL+hoPWGF9PclYKrOBIZVznYQuwHAqG+Bxr9Ln/NmS/OoCrJDMN6gG
+            2YMZ3Q7GQ82zZESxYA7g+ef9/lGCm7DIkt80or72x7eS6/OP7c1bjGFgKLQNyHFU
+            Th6cOy/TzK8Sq2g1mWB2zyV3xk6mb9C0ETAFD5vvPGVC3Sb4549Y+epe1T3ZLFTA
+            t09nUIpTC05PEdGsWs5Z5MDp8ZCsPZpipbVrWENesNOfaFYG+p7aM0LjgTqZcadD
+            B/Foejayc3XYI0T/NoP43mAZ2nEOw2Bz9lBpwz0PeTfzyrhz9XlJ7Dw462XTFA3i
+            voTHA5+DzGNPf6zC1fH9GcESmpC2nqXit8ZV+Y7Zb9/cAsx3E05S8ayxdBZUrOtJ
+            JSWGOAfPuzGXgL6Ht3iKcmCxQ/pSi1aH0h+bYqlrxTvP9IMyNCrxmP6+YsXCv8XS
+            XgE0NjzRMClq4/HhQ5X0ANGHWxbZJLAbm8yfgK5rnnmvi53RNJhRUHDnNca93brF
+            n27gnVLKM+2FdwRjwNIznkbZV/iNM6zIfRWwmJs9gHRuX/J/XWzD1KjDsn2rmiQ=
+            =bAYZ
+            -----END PGP MESSAGE-----
+          fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAw5vwmoEJHQ1ARAAkdXjf9h4iyYtKPwR9V8hgIfpt3s3zMduuJN3u76ZHdfE
+            87t5K8eL2yIVN2DeOqtXRG28Broy3LLwMlLOJhxVxS5LAOEjT4ScZyb9H7MLnDsp
+            boW210SLkeQ5vTW9hgjAU9V6wbemxoiNPYTcBUsuirI8a+jpnALLY0jeOILBEmHQ
+            c+wbeo+VnlTQkTKCFI7TwlG1JnRnv3DMATVkOjC2PXmXPNkhr04Ivvf0+yBELY/1
+            hLirTfk/W6vFodPaoaRaeWjGJOo+FbqKLxr2xYzVu6SkF+i4CvDPb1x0t/laTpPA
+            qC6KJ1wyVwG4k7ZBLgRcf5Scn1zgGFzZexUAhdIYp0tKPycphUQxEMOI8/OeBP1V
+            68gBcilvv42zs+ed2RUK4j1e9YklxazZgaUhPfdrBrw/HiDJ8ILaq6LQQZSNrxZx
+            koAV/qw8ylU7vkciyA8bGLOiWc/Ub9vkRSuEi5TMOhmT7bVZ+W/26bWgDcAMmCpa
+            13H1uLXLuHnfDavdesh+RAxRgEavPTMz+HFbqhvkv8sy0RPCodyJv69J7dsS7a2C
+            71Ub7jyZIQyRtTGGZH5EjMQVStBMccE2KrJRzZCKbCmQDofKb4M67caaHBnVrs7D
+            vyx8V7JQGkNOWIgWFb23dtCtRiMzFaRk31mihFmFF2tSgg6XMqNmTp0pc3zQBarS
+            XgFZKRlYE7H1tMUCDwyKB7G3r1jsxBlUSbH1J6XjUBWKkTD4iMHI/4YStvghLjm2
+            0qqgKH/Njd9xBXc3x4Ut7kh8tFMMa07xF7/V0Pgwq+7J7EgckEfKHKA5vcQt17Q=
+            =23io
+            -----END PGP MESSAGE-----
+          fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4HMJd/cQYrVAQ//RH/jOrYE9MD9IjkUfsQZ79rjEwDdtmsXs+gS/XUr0MpI
+            f/aDyw/vfvD7ZgY86yqp68x0OQLIyRIx9O05FNB3giVN4YFvZpFblLotpMzCFa2d
+            5xKLIQ1oviDSnE0kKpNM+QKITKjCxyke7MgW/laXvF0zMaVdPj0qo3Zn07MUKULs
+            btxZgPhzwWLjveZGn+72QiBGTF0ce49TWoh6y/l7PDsXhojau2KP556hI3rp/nC0
+            PunbLVRntpz+bOoyOk+xvKen+8b/Vwp+GYA2NBDbZSEY9H3YF5ugZBR/jUc8da7D
+            9EBA35udmQVKtD2XZrIyfhETC1eqLXORo0JKld5oC03JPkqvV+QpMF+8JBjXe1Cy
+            qI4pBmdhTJYFoJHpvMH7eC4CWgZZRMD5mB2nk1hYd9oIiYUPABfdeGxKiFnC8zHH
+            cEY3jgGzetZTxnpk2mxZvFMMwFqyOJA2PnwMTv3IraARkFrLxGzUIG4uOjo+l2fp
+            igOKsw9p46RR1gkuKF4u3yB3/1RloDyqGCU1/n4BCWy5/UkjSQpWKShZt3qMd2G2
+            A6si2zgSHIQ+ubR7MPB3Q3U/Rnw7pSbTbdDc73pZ2SPZfUuJplPSDUvXICGlj8cO
+            jO8s926qp4X9C4mi5um6EX5nLG+pfuKowIBdB2HWmxu2idwyrmNdlIgAcWcteazS
+            XgF9W6THXau4lEmrBqWEiC0K/9NA0cDJqRdvj6wqZ/OIAo86q3yRlm8yY8U7D00j
+            wNS8WSHq+EX0K9LpwQiHAJoxNXABEx/DbRqVeuLn2FaCocZigbvu3k/pePuOsK0=
+            =ZLl2
+            -----END PGP MESSAGE-----
+          fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxjNhCKPP69fAQ//dCKpiens8kqp+I9HtwP2CQOVMLLAle1VYB7pJ5pfcyzI
+            /3tAmwcxBmg+jhkFiqheBQYV2yNmBMHc5ulx+MxSDKd9mzCTavlGlE+intPjON8k
+            sis68RnU5OFsnGVXSmJji1vN37cCY4jHkf2vYzz6HJ6FLPrda/W3ZfXI+ZnOCao5
+            wGYrqPcYUj+7gnN1S42HM492oqeCNLcENDvegf8AxtBEgfp7UQ0V3ZC0wZEYhz0V
+            p9bdivFoEZ3Zo0sJTWKj3Df3IA5T6c4dbSPj8r7IZ5iNDguKAjvegXujco7pow51
+            fNNJB02hnYHLMRAbeRqaWyJ7qUQSWbQEgb8NuonspnXnajKc/OddgoTN91gTRgMb
+            op2T3HOFv3lKZPA/xIeDZpIm6GqOW6eJLjqiLP39VGvvNRYg+zxhNg/ZBVkFuSAf
+            U5uDPUyIAr10zdm7NqJKL8wKRbQzBg5OYovrXqSl96+KNenJqbMNv1N7kfSF6FuF
+            x8joEDXIaBSwINE4oXD5SN7Z5L2SuuMJ2nvuXFmmXKerRlrBiGsBzUVMt1bGqKEU
+            KoAAwbInZ9SprSxqJ1EkSVXpNGnFFNlbBB1j2u9BoGygOkVM4ZxIS19DBDLG0Tls
+            Fq6GI5d3axcf7t024UmwcU9yaP1BzrV0bDvDg3X+Azuo5JqpT3pSUvqv+Sy1C3nS
+            XgHK1C7XTOfcvmcxJ1f++xELwRkgNo1OqSG3cIZ8i1tKZFKTyYCiNHa/ajSr+wER
+            4phM7Tdr6ubjLkqvDkMeXvtiGyUoAvbtLC0wqSaE8sEZ28eFGEAaECV/uOW81X0=
+            =0jv9
+            -----END PGP MESSAGE-----
+          fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1Hthzn+T1OoAQ/9GTEI65w8icqppqTuvQD50vaR+lCY1NjWT0HekgvNuCLV
+            4gL1cYv7tJ5UU6jOnREoScamWnUTYf/sLINIfa+FgvH+apswQeQCFrdCb8/61/Xc
+            3hsJ8gwmguP1zJabKFI6/Yo3vPPa+kpj0Am6M7dUUxEKw4Lqy6Hc32O6ULNJOvdo
+            56oqr6KoemrpU0TzqkKTpgAZaQjFfVzPWfC8moUL1pvxrHm7rqDPiYcl7fZP3JFD
+            gQMZokH205u1elxiFxuQGtW8jbeBqCZUm1UorEgD2EJYEPfyphIaHaQnCpW8zXkI
+            gt9QT3cqJpGJAobCPbh6vKPtbGPEqZOzOaCMFl07pkOSGPAVGMVfV+FdsfszPYY6
+            Rqsk7zlCFv/iNFWKpkdfI66JLvhmgNwXRv+rkYzH3QrQikjLmAeTzyL69SPujgDK
+            qXBRZiAPwEDScr2Qcum36jDVrT3jRfC1opzwpRxM2ompJ0F6caBPNVjY10BScl7Y
+            RWVmkFrPL9MdEelFLscG17K+y5S/50sLcU+sGbMkmPsmizA0boK5XBXJz3cTadYy
+            Asr2b4aWTqBS5iW1vbWIGJVrUUk3U1S4fFaSvsL3I6O0E+sOB3eEEpQZqpF9Genr
+            hCE8GVE5yQWb3YYK0ZA7j4u+dwA+QfRIuQuMWFoRKp8oqEitjjix3je2R3u8/ILS
+            XgFcAp8Jh+VbnQg/pq92u3dX6afGv6nENpMVPn73yob+sfE5xUFEfEzE1E1WCWdR
+            HiLZVOgpVOYmo2s8/UW60hLNBULpqyf6ZTQsr7IqaGw4g+Ew116cwDawywRSJMg=
+            =T0nI
+            -----END PGP MESSAGE-----
+          fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA46L6MuPqfJqARAApsnPRzTCIkbKT6jaVHixgP6wyCjfVmvgb0NnMrN2Ygup
+            pafb6GNWoFq9WdiSqwFIJPZlZxJFiIgSxplDI63Wj1MgfvQBEnKUQvnvR+UtnB22
+            bGr9mIrq/wKgslhPLFB0qT81RK/GqJKvRNpI3trGmB1pBnDdb5jiFeDHStv41XrP
+            hezAvmDGBKlM74fehu0pKOanIspyvFAjs31NULSHGJGzBxyM6OGcg/XLt9ea6bI5
+            jHwu3+M/7nixjtaIdCtEFPv/Mdimq9p64+c6AvbEVikUH/omRebRFIRrJCotYENT
+            ak6/2F+Fze2cof6pJPaq1KTF7LQHi1ZaQ/N+YNDsMJIYYuX3lVg/ClEjeo5k1HJ4
+            Jc+ul2KF/dAh8UsJPIdhJDlxIPdnof7xBLax1xmOQTHpqsfhZe5BP/0KMeeXzG6s
+            TlozMaCY0ok4JiQmiJcs+TjHX+uiiih6Wi756v7qwpCk5u3/BM+veHB/slD5Xezn
+            KmuHzwcbaP1n5JlOtv1PLAPfqX9EDsAVr2xhYTBISZiIKXyfagUWzPNX6toYtBfV
+            cQ/m9nfc5/STna7XGucnKkYFG5U2a+olIqCcbbNkN4NcW5ly0M5g1VW3oh02NO8r
+            A/4aU8ECj+79XXx0XCuVojnkGdTT3SQex7bkV2stBpuc5xfESbuOMWXgK0qZrYrS
+            XgEfX0ySVVrCxhtJgsQvZl0zrOwIttomV6hlQgo+n23HNPwjEf4nf1p2sje0uPvb
+            bPC7u5y1eDdy5E0XyWkAg4hxPLg7yOj7ET84Bg9S3NE8cE0nM50qL0N6aCAb4II=
+            =Is94
+            -----END PGP MESSAGE-----
+          fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4EEKdYEzV0pAQ/7Bx/s7WlB9TE30vyqVWw6H4DoZS8s03Z21tDAtrUEK+k5
+            QtMPvAIE0SG4lXersM3L6VMmhvPQlwZf+zSzBnO0J5vacvMG8dch4/ZH7YTM0VX6
+            T0Ix9ScamEI8J5Fr1LAeBoqtTa8n1/3N2ILBVPRTTX5Wu4lSUw/voeePXAYxSSMv
+            9vzrxJNcRgzbd/8Fbo3i2vzn4GvrP1JzsprLrUMVFaek5khD0hRDJMM0IhBWFRRh
+            L241zX/IBZDQVz0x1QVUBFmkoUjyNn94CTezTmGvqCXfkLRmcKzTZXd0dhORBPFa
+            LygVSLdor0v5ru70rMds6YN5WvqbmG7KUY8M3gcVXutvID58vw6ZE83T8ZAYj9S5
+            r9hXegeb2e03tCvSrHmQFf37+298/E8/kBrBQgoevnHmm3p0yN3ZbrWLIRhbx2iF
+            NzL5s17PnGzmuSigoZERsN2Flx2fzUbtwVDP3AyLVpQ7NoqTZkJTcGQuvkYawnEa
+            3RxUQySR+a7bED38wJ6zEpVg10ye7c8mVkzQnda1Qp3lnPZxz+1qg1n25I9hjNO6
+            X1E8gtXx2EcwaoWcPO0W/sNBwE09SCM68KWSykwOLvZb5tq/HnhrwSisps5sAg9V
+            Z1c0OCwgJvYoTY46rqk7scN9YkE16LDCtAzgppZerli179E/f/7O3d59CA1mCEXS
+            XgHbdM2nxaBPCPgXXNRVq13R8JXiOokuxUZofwl6FaG8A6yc9z5F4Ygr/KKDeT0i
+            YMBezxQtQ5uKY0jIx5g2r6aSdly3QPNKiFS/rxDCrmtaBqw+OvhvLrnCn6IaRVY=
+            =XAoN
+            -----END PGP MESSAGE-----
+          fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DQrf1tCqiJxoSAQdAFvRDMKG3Vjs98kRqcs4ep+bYoUcBHbMA7WgzI7CcaGQw
+            FjdmSwvWaHJZQGEbGk4uDHKPHqXRD3HnD9d75Azu2HXnCA29aU2c0zn0PziIi7Aa
+            0l4BbcavPKNBkZpJNgW0uII7xMYJWJ/9vStTxXG/WzNia6nk/Cv7PMJW7EwIeUga
+            +PWB4yGfPXgqJGnJj0H1EdCVPrM/+f19GcFxNKKzkGaKTyVTW9NxntlsFl1vbmRx
+            =YRc6
+            -----END PGP MESSAGE-----
+          fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+        - created_at: "2024-08-09T01:28:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzdAjw8ldn6CAQ/5ARLA8sAZHMwNhHJycVof+ZergR58hXCBjbIy5zgyAwYU
+            IJ5OwhTpWqniZjt0b9pvlzU4JO1k73B1WrF7mAYEOKET32GPVatrQ64yInQbORSZ
+            zNQgX3aQ8tEtyBsKAWqwqRjOaP6Plee6G0RCksJBAkjIZik0diTOBwi+ZhgYSRLE
+            G1NAETqMKkLleYQbUWCFNveJOd/7pfhE4xhAEaSxL3dgXNPV2TOngvjCqMXvz0K2
+            hEz6OYC8idpmAJv+S+HOaZbKV+giCopsPyFnbeu8jf1UpbsBRbHPnLOO6lLby2gf
+            2P9MhwSeMjjCZFX/ys8vHQ2jUwXK8jfW3xfVie4hVJgh6vO+uHcomjnk2b+34SRk
+            7ttoozLbMFxwrcP9trV0TgT2uzjFCe4fHccpY1VLTCX/O0eYtlhDhur0Wojp1z9v
+            h5mcqySEtJfHXJbTXkgMA2+QSyUaTTfvZ6oJqX3yAoq5eIzC0CcF+IMa6NS1XkY0
+            TNd3FEhwe7TvKGCy/3bJx6jMUnhT71r6KW/w7RVIHgdp1hfUS9JBhxVB+agQVyRv
+            +HBmvWHqUdwnFzotGRzLU1g6soWa+fRVQQ80qAi1U8e+u9IX3EG0KoIXLjpkvXxK
+            y520NcOdN4wR0xILPP/+47QDN+kM6lunm/EMgrff4YDE8J83qMhH2IP5s/tV023S
+            XgH1hiB0U4SYt0Rp6OGDV+CjBCFaCkPPlync/SVuXddfLC1owGlY9L3jwu7j2PR7
+            jy2jPPTWrOvT0wZKEh4k501LRb0n6LGqW6gDTgOnZKNg2iQ6jybv2HeyyExYllg=
+            =1o5H
+            -----END PGP MESSAGE-----
+          fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/config/hosts/penpot/sops.nix
+++ b/config/hosts/penpot/sops.nix
@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}