diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..890d970
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,23 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+charset = utf-8
+
+[*.nix]
+indent_size = 2
+trim_trailing_whitespace = true
+
+[*.md]
+indent_size = 2
+trim_trailing_whitespace = false
+
+[*.json]
+indent_size = 2
+trim_trailing_whitespace = true
+
+[*.yaml]
+indent_size = 2
+trim_trailing_whitespace = true
diff --git a/.sops.yaml b/.sops.yaml
index c42474e..ec660ec 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -15,6 +15,9 @@ keys:
- &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
- &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
- &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
+ - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
+ - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
+ - &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
creation_rules:
- path_regex: config/hosts/git/.*
key_groups:
@@ -96,6 +99,54 @@ creation_rules:
- *admin_gpg_dante
age:
- *host_age_public_web_static
+ - path_regex: config/hosts/mjolnir/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_dante
+ age:
+ - *host_age_mjolnir
+ - path_regex: config/hosts/woodpecker/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_dante
+ age:
+ - *host_age_woodpecker
+ - path_regex: config/hosts/penpot/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_dante
+ age:
+ - *host_age_penpot
- key_groups:
- pgp:
- *admin_gpg_djerun
diff --git a/README.md b/README.md
index b55e1f2..e11de25 100644
--- a/README.md
+++ b/README.md
@@ -62,3 +62,14 @@ This is exactly what we're doing to set the default deployment user to `colmena-
};
```
This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
+
+## Build NixOS Proxmox VE Template
+
+Build a new NixOS Proxmox VE Template for the thinkcccore's
+```shell
+nix build .#proxmox-nixos-template
+```
+Build a new NixOS Proxmox VE Template for the chaosknoten
+```shell
+nix build .#proxmox-chaosknoten-nixos-template
+```
diff --git a/config/common/default-state-version.nix b/config/common/default-state-version.nix
index 090e729..a3343c7 100644
--- a/config/common/default-state-version.nix
+++ b/config/common/default-state-version.nix
@@ -13,5 +13,5 @@
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = lib.mkDefault "23.05";
+ system.stateVersion = lib.mkDefault "24.05";
}
diff --git a/config/extra/prometheus-exporter.nix b/config/extra/prometheus-exporter.nix
new file mode 100644
index 0000000..46477ed
--- /dev/null
+++ b/config/extra/prometheus-exporter.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+ services.prometheus.exporters.node = {
+ enable = true;
+ openFirewall = true;
+ };
+}
diff --git a/config/hosts/audio-hauptraum-kueche/networking.nix b/config/hosts/audio-hauptraum-kueche/networking.nix
index ee01d0b..0118db4 100644
--- a/config/hosts/audio-hauptraum-kueche/networking.nix
+++ b/config/hosts/audio-hauptraum-kueche/networking.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
{
networking = {
@@ -11,10 +11,9 @@
];
};
defaultGateway = "10.31.210.1";
- nameservers = [
- "10.31.210.1"
- ];
+ nameservers = [ "10.31.210.1" ];
};
+
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "1E:EF:2D:92:81:DA";
linkConfig.Name = "net0";
diff --git a/config/hosts/audio-hauptraum-tafel/networking.nix b/config/hosts/audio-hauptraum-tafel/networking.nix
index 6052909..37185b7 100644
--- a/config/hosts/audio-hauptraum-tafel/networking.nix
+++ b/config/hosts/audio-hauptraum-tafel/networking.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
{
networking = {
@@ -11,10 +11,9 @@
];
};
defaultGateway = "10.31.210.1";
- nameservers = [
- "10.31.210.1"
- ];
+ nameservers = [ "10.31.210.1" ];
};
+
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "D2:10:33:B1:72:C3";
linkConfig.Name = "net0";
diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix
index 133e39a..c0eafaa 100644
--- a/config/hosts/eh22-wiki/dokuwiki.nix
+++ b/config/hosts/eh22-wiki/dokuwiki.nix
@@ -57,16 +57,16 @@ in {
; Checked with NixOS 23.11 on 2024-05-02.
extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
'';
- extraConfig = ''
- listen.owner = ${config.services.nginx.user};
- listen.group = ${config.services.nginx.group};
- pm = dynamic
- pm.max_children = 32
- pm.start_servers = 2
- pm.min_spare_servers = 2
- pm.max_spare_servers = 4
- pm.max_requests = 500
- '';
+ settings = {
+ "listen.owner" = "${config.services.nginx.user}";
+ "listen.group" = "${config.services.nginx.group}";
+ "pm" = "dynamic";
+ "pm.max_children" = 32;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 2;
+ "pm.max_spare_servers" = 4;
+ "pm.max_requests" = 500;
+ };
};
services.nginx = {
diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix
index bddeabf..fba2da9 100644
--- a/config/hosts/eh22-wiki/networking.nix
+++ b/config/hosts/eh22-wiki/networking.nix
@@ -1,20 +1,19 @@
-# Sources for this configuration:
-# - https://nixos.wiki/wiki/Networking
-
{ ... }:
{
- networking.interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "172.31.17.159";
- prefixLength = 25;
- }
- ];
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.159";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
};
- networking.defaultGateway = "172.31.17.129";
- networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
- networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:37:F0:AB";
diff --git a/config/hosts/esphome/default.nix b/config/hosts/esphome/default.nix
index cfe47bc..8d5150d 100644
--- a/config/hosts/esphome/default.nix
+++ b/config/hosts/esphome/default.nix
@@ -3,6 +3,7 @@
imports = [
./configuration.nix
./esphome.nix
+ ./networking.nix
./nginx.nix
];
}
diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix
new file mode 100644
index 0000000..a2c64d3
--- /dev/null
+++ b/config/hosts/esphome/networking.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "10.31.208.24";
+ prefixLength = 23;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "2a07:c480:0:1d0::66";
+ prefixLength = 64;
+ }
+ ];
+ };
+ defaultGateway = "10.31.208.1";
+ defaultGateway6 = "2a07:c480:0:1d0::1";
+ nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ];
+ search = [ "z9.ccchh.net" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "7E:3C:F0:77:8A:F4";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/esphome/nginx.nix b/config/hosts/esphome/nginx.nix
index 3c5cfb9..2b154f0 100644
--- a/config/hosts/esphome/nginx.nix
+++ b/config/hosts/esphome/nginx.nix
@@ -1,35 +1,34 @@
{ config, ... }:
+
{
services.nginx = {
enable = true;
virtualHosts = {
- "acme-esphome.ccchh.net" = {
- enableACME = true;
- serverName = "esphome.ccchh.net";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 31820;
- }
- ];
- };
-
"esphome.ccchh.net" = {
forceSSL = true;
- useACMEHost = "esphome.ccchh.net";
+ enableACME = true;
+ serverName = "esphome.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 80;
}
+ {
+ addr = "[::]";
+ port = 80;
+ }
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
+ {
+ addr = "[::]";
+ port = 443;
+ ssl = true;
+ }
];
locations."/" = {
@@ -37,9 +36,38 @@
proxyWebsockets = true;
};
};
+ "esphome.z9.ccchh.net" = {
+ forceSSL = true;
+ useACMEHost = "esphome.ccchh.net";
+ serverName = "esphome.z9.ccchh.net";
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "[::]";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "[::]";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ globalRedirect = "esphome.ccchh.net";
+ redirectCode = 307;
+ };
};
};
+ security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ];
- networking.firewall.allowedTCPPorts = [ 80 443 31820 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
}
diff --git a/config/hosts/forgejo-actions-runner/networking.nix b/config/hosts/forgejo-actions-runner/networking.nix
index 7c5e178..8990224 100644
--- a/config/hosts/forgejo-actions-runner/networking.nix
+++ b/config/hosts/forgejo-actions-runner/networking.nix
@@ -1,17 +1,19 @@
-{ config, pkgs, ... }:
+{ ... }:
{
- networking.interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "172.31.17.155";
- prefixLength = 25;
- }
- ];
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.155";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
};
- networking.defaultGateway = "172.31.17.129";
- networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
- networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE";
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index ced70db..bb7099f 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -12,7 +12,6 @@
{
services.forgejo = {
enable = true;
- package = pkgs-unstable.forgejo;
database.type = "postgres";
mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
diff --git a/config/hosts/git/networking.nix b/config/hosts/git/networking.nix
index b73b953..34159f9 100644
--- a/config/hosts/git/networking.nix
+++ b/config/hosts/git/networking.nix
@@ -4,27 +4,30 @@
{ ... }:
{
- networking.interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "212.12.51.136";
- prefixLength = 28;
- }
- ];
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "212.12.51.136";
+ prefixLength = 28;
+ }
+ {
+ address = "172.31.17.154";
+ prefixLength = 25;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "2a00:14b0:f000:23:51:136::1";
+ prefixLength = 64;
+ }
+ ];
+ };
+ defaultGateway = "212.12.51.129";
+ defaultGateway6 = "2a00:14b0:f000:23::1";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
};
- networking.defaultGateway = "212.12.51.129";
- networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
- networking.search = [ "hamburg.ccc.de" ];
-
- networking.interfaces.net0 = {
- ipv6.addresses = [
- {
- address = "2a00:14b0:f000:23:51:136::1";
- prefixLength = 64;
- }
- ];
- };
- networking.defaultGateway6 = "2a00:14b0:f000:23::1";
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "92:7B:E6:12:A4:FA";
diff --git a/config/hosts/git/nginx.nix b/config/hosts/git/nginx.nix
index 1dd0aad..ea1a2ac 100644
--- a/config/hosts/git/nginx.nix
+++ b/config/hosts/git/nginx.nix
@@ -34,6 +34,10 @@
return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
};
};
+
+ # Disable checking of client request body size to make container registry
+ # image uploads work.
+ clientMaxBodySize = "0";
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
diff --git a/config/hosts/matrix/networking.nix b/config/hosts/matrix/networking.nix
index 370bbbd..5fa1aa1 100644
--- a/config/hosts/matrix/networking.nix
+++ b/config/hosts/matrix/networking.nix
@@ -1,17 +1,19 @@
{ ... }:
{
- networking.interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "172.31.17.150";
- prefixLength = 25;
- }
- ];
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.150";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
};
- networking.defaultGateway = "172.31.17.129";
- networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
- networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "2A:A5:80:C3:8E:32";
diff --git a/config/hosts/mjolnir/configuration.nix b/config/hosts/mjolnir/configuration.nix
new file mode 100644
index 0000000..869c3de
--- /dev/null
+++ b/config/hosts/mjolnir/configuration.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ networking = {
+ hostName = "mjolnir";
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/config/hosts/mjolnir/default.nix b/config/hosts/mjolnir/default.nix
new file mode 100644
index 0000000..7dca51b
--- /dev/null
+++ b/config/hosts/mjolnir/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./mjolnir.nix
+ ./networking.nix
+ ./sops.nix
+ ];
+}
diff --git a/config/hosts/mjolnir/mjolnir.nix b/config/hosts/mjolnir/mjolnir.nix
new file mode 100644
index 0000000..91b184f
--- /dev/null
+++ b/config/hosts/mjolnir/mjolnir.nix
@@ -0,0 +1,36 @@
+# Sources for this configuration:
+# - https://github.com/matrix-org/mjolnir/blob/main/docs/setup.md
+# - https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml
+
+{ ... }:
+
+{
+ # Allow deprecated, apparently somewhat insecure libolm to be able to update
+ # the moderation bot.
+ # The security issues aren't real world exploitable apparently:
+ # https://matrix.org/blog/2024/08/libolm-deprecation/
+ nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
+ services.mjolnir = {
+ enable = true;
+ homeserverUrl = "https://matrix.hamburg.ccc.de";
+ managementRoom = "#moderation-management:hamburg.ccc.de";
+ settings = {
+ verboseLogging = false;
+ };
+ pantalaimon = {
+ enable = true;
+ username = "moderation";
+ passwordFile = "/run/secrets/matrix_moderation_user_password";
+ options = {
+ ssl = true;
+ };
+ };
+ };
+
+ sops.secrets."matrix_moderation_user_password" = {
+ mode = "0440";
+ owner = "mjolnir";
+ group = "mjolnir";
+ restartUnits = [ "mjolnir.service" ];
+ };
+}
diff --git a/config/hosts/mjolnir/networking.nix b/config/hosts/mjolnir/networking.nix
new file mode 100644
index 0000000..a441814
--- /dev/null
+++ b/config/hosts/mjolnir/networking.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.161";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:C9:F8:C5";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/mjolnir/secrets.yaml b/config/hosts/mjolnir/secrets.yaml
new file mode 100644
index 0000000..0aaa2f7
--- /dev/null
+++ b/config/hosts/mjolnir/secrets.yaml
@@ -0,0 +1,233 @@
+matrix_moderation_user_password: ENC[AES256_GCM,data:NXJrbRh0A+NQh6Jy9iVAfYhsGR1BSOSuk1LjmArSiVF6jnuJAP9f750cRP7bu7Ai8xgxTlhjAtv9ck6SqlJ6Vw==,iv:IN/siIPCFKE+Nfl/aogYRYAHVgEGhMtTbmEZKZWQYgM=,tag:xxlnl5GU+uusSeh1OvoU1g==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTEhUMThoY3Nuc253NnBX
+ ZkplNmRzOGZFNWlQNDVpL08yRk5VTHZDUkZNCnIxMUJoUHJBYlJpbUViMW9GUmhR
+ V1F6SWh2NjRGWk9RWjMycGZYZXFZbkkKLS0tIE5MNk0xekwxY0NYYm9mc1ZGZFlH
+ NDN2dUpuQWFFMTZQRzFIS0ZieTRzQm8KUDRpPJwcWwePKMp6KQMnQLhqqyvuhgQh
+ rXpKW5fjxyT0Sh2u3FM2ET/9U0TUfpBVYBJojAJBFs1ntI8kFmqSYg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-20T20:02:16Z"
+ mac: ENC[AES256_GCM,data:5BhSo3YpF3QNqgGnx6YnymaEQB6pchMhokaJqk4rHg22xhbUAzOhWg4BQepT7vrCQlfOZIq4o//dGO+NQxqliiyyywrSYm3CBWD4xfZ9cdfinHC7Pc9lj6Dd4uPNxRjgTRNFuMyC+ATIABI2mHKpg+T2bxSalroIlvNr4vXWZo4=,iv:yPHJZ5PvI5zJlQIMRdbJ6eKGe1xN+teKF5GluD2pyK8=,tag:s4hO9RCdkHDsQ1W+KfXq7A==,type:str]
+ pgp:
+ - created_at: "2024-06-20T20:01:32Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxK/JaB2/SdtAQ//Y/GVthqtuK7bY8Ne5CNfn/CD1RUTdX1+KwX1zy3YsgUC
+ CGxhoFFy1UoXR3QB4Hxnk8R/vaFVHezCWKWY45MAuPtwM1VGwjVsuknrJnSs8k7/
+ jrzVO9xXgTd26H6DLmPVfH1hKB0/lh84hwVgF5rlPS/P7l92LL0hDIIwZz3dB0kU
+ d6jLa1Fajqd4MSdLWbZRBPcioC5v1Ip/SXYAJp7IGLDgXm5MN+MnAdybAFsl1K5p
+ dCUmGqK5IjyPVP564TqL0ZEIXMxSSwex47in3cTYPaOO0L8P3kbKDNWxZQLaqZkn
+ 4RZC4/aBqlfD2STxMez/ksi6kCcPuC7UPRzuq4oH3kOcJHxwIN8Df+DZYA4PJKsl
+ T9QDL1EylHBhsPIZCoxpmnGl3j+hVmONj2V1awlCaOagbgDlClEUEMyw7QCVVbtK
+ CW4DOgVnnTxcUaLHep8BgHxKkYjIDIbDMmg315h2ekT86gGgZavL8IiFTWSLzSrK
+ XChIjUdjpKZhanmSWpj4w8ZpdGOOjernL2EBWtSC23AibBZmQe9OB/QzMpLTdCvV
+ 9t9mMoSayP61oJylBtOKhDnEW0Xib0U7tqzwpaow2V+CU2dr27qie1jh5GqMaoJR
+ qpu1KT3Z9eqpF3Dl8aI3dEovbmvDMVXErU3pmFu2zRJtm6TOXp4NNOYWCetUfxPU
+ aAEJAhCFerTI/ow/LWkCQ78cCMFjgKrYabA3lHu11Mr/PiHirwJ/vCmsUMiOhdRw
+ 49lsyqJlO3IA79yW4exG5tYXvPgeJMTdz36fseUEKsewfrPEqMUa2T4onet2+GN6
+ GALPdepytjg+
+ =v+qv
+ -----END PGP MESSAGE-----
+ fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+ - created_at: "2024-06-20T20:01:32Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQILA6EyPtWBEI+2AQ/2L7fbbhBH3BfgD7IbgtVn+nEhNJw5tWR2+0z1k72TIr9j
+ rPAvV6NQY8oVV2+uNLa4fMl+ueqYTFd3/E4IsRXkmexjx+vos27LjDNSu6w0OPJU
+ BSq5TFqZWYIPiWaivQz4+rt+vbxvpv4Lh3FAXlV9YubprJ4GRrlwyheve/l3F0BN
+ 3vCDLsfXijZjxaptb9nf7WiT9vvWrY0sD4g71ARZdWi7Lb+TgCxzbQMue+4VC0Zu
+ y/AWIymVo13BD+apoYltVYYvkn7yz3REzsx3NN4bkJyoCAevr6UeO2fGvlT7b7eG
+ F7CN/TusFlOqWV9M0VbiOGLfL7Q9tGAG3xDAyFh+yMQNadp0M3m9UiYUlHps5DRT
+ CVsIPnPUr3V/oycRm3s+UeVyBg3rpdzWyNtETOjNY/AqVmRQ0toqZOm//ZOg609U
+ 6+EX1Oc/GosfNoHWJuFmfKJRhPpy2gXZX2rQuLWaVJUXzzKM5sbLnycCV03S24PU
+ Fi7Z5lIu334QTLG8PV6agO5UprZb946qPmW+b/QnUol23XXcgh1GIgMV+lEK8+83
+ UPT0aUkdtOTaKbWUg5xokx+0Ni9syJ4Nl7naQq57qOGiecMnBbeE3TYxaNOcjTBh
+ CY0/hdcrZYH6VPeDye4yghSDF9WCaNUvzZNePGzdqKK3F9O/NmBSiYd/cToyDdJe
+ AZMZCKxSw0/HyBqTRd3wC/VhC9uO2I4HWE3LuqBPUXYFWc4W1buJs+P8pFjqT5rZ
+ puHPH8IxIeIiVNO5SFhdL8ecSu/nawakvih65aMGSa102e6B2HfP6tD4SmarmA==
+ =tr5G
+ -----END PGP MESSAGE-----
+ fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+ - created_at: "2024-06-20T20:01:32Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAz5uSgHG2iMJARAA02rGmKxyQkvxoXM1i2dLOiH6Gw/pUcdDxYSwKfdkNU3X
+ zc0He4FNG8CAURVq5jARD066VecamkBmlr+rwFJlaeqDPEiITfkz7DEGO8pPxKG0
+ GBnFVA9r/+OU351yLjHYB+72jvw1ey0PPHvKg6/sKjovssYvQLipUcktH33kPqVQ
+ yJzuQWFMWA7Jn/wTa/TP/53o0e//Kw9df69J3BSmnw9F6rKHGsIXLBmyR9HpQsLR
+ KAuClMzjPqHszCICND7vUDEzUvCcOVyizZAcRzWfDi/llwKGUanvEGUVXvyDXw/E
+ Q/FyR+VJXCzRlhsFTTuavjy6nhDsRf/N8N0Vsd9euDXOPQ4wuPAgpvdi58CPBmzP
+ 8jU3xpFSXStYBIMt5u7t+UJT4IwdbjnClyIrSuyaV/7N5UQdYTv0fBy1mRrYLBAj
+ VhlRDa1y79n22Kg8mvDqJ16rC3VypkkQ6DaPvyDwlrG8iRLG/xi3Zz8HHnXxAGAm
+ SzliIolwEDHJZHI9ZE3YzpFJkB6UyOpXS1zMsDycupFvQ4jd2fQ0C7w5OaJHCkeQ
+ 3zTKgtufjJGo7R2Nf0bTWTfi85GU3jpMsOHCEcChgBVXcO32ZZ/zzmqtXa/u3m5v
+ sjUstyBXEmG9eyIaiEtRAMAblwRsJPMszLaCUuBpzQw+mm9uTCsIaf5Xdud7GFzS
+ XgH+whlmbv/UeUC7bo65uxrG8SgTVAaPZpcQ2dP3rXYs45zYmYGKJaZuW+Hrl+nZ
+ pd6zT6rb6R8TMmXkNA1TjhvZ/A+ONlza1fH0dmsh7U9oqINXNFJU7Qm2r7imFvg=
+ =ZIDr
+ -----END PGP MESSAGE-----
+ fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+ - created_at: "2024-06-20T20:01:32Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAw5vwmoEJHQ1AQ//f51KkC9oViW/0EA0TLdWgXa76ZXMeu4b3UhWaQvYDT9+
+ 8wuWE+slGEWsRnFZ+pgWZoV3HIv2p+xisX2lmBvepOufaRh6cyNpQaZNl0kFtpBo
+ ShQ66SmkorunYyM+OIh3ceI4PC7ca4KsRKB8nWkA935NWssFN9zMlkVW6GjqzTft
+ 2JVJFL8GRlhIRMhJwSzp8zZ3XiYD0sB/2y+ffCMAOSCnDVcDjANyiSds6MPxfPy0
+ /kaNTXuUI7H50tHQP6vzJ3q1mRpAhUTIxubnmBTdvAQz/kaD0qPt55z+Q0xSXsLa
+ yfb+Zd2g/2o+IFiCrwqcki5yX49Ol89l69JRyIWe1T2VtqBSUVIiiYreX5OnmWPQ
+ OjJ1mAn9tpIlVSHzlaONtmJEmAJ+n55rP0itBMs1CrIBiQleLaCbSWqp6q3RfaJr
+ gpXnfHQpsU7cKEDQeyvxmH8qgrSR9AVh/knyGOJy8LnJQ93aQpr3xr/2MiFPYiKz
+ dcSrxHesrfx2Zl7bNB5OZ7VZTWFSunZQUnOn3F3+7yaaT9ePsvWsyTKBOSGUiA7s
+ VMxT5+P8QM6UOC8KxJj/q1eAVrWvN7vYbCA25+SzbdTtr1RweOVHzNgqZH5/Q2ZY
+ fguwHlCGg5Q7UKYKBk4QJFg6oClDgzBYCFL76K4aymtR7rxKl4sJxWoug84oP6DS
+ XgEZvNS3xsY8Pxm0bAmor93Q08Mii1svnNZ74Eqmbo9GxBjHReIGKDDZ08SaPhbc
+ NJxAP2C2sRUda2R4GvsNYmXHzGYfFTrfe+AXqEV42ZSD9vHDJMCiX9JrY/r4uSM=
+ =+F4l
+ -----END PGP MESSAGE-----
+ fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+ - created_at: "2024-06-20T20:01:32Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4HMJd/cQYrVARAAq/cP9y/7kxSXDFOD/xhI/3RjGzIN5dyHlfrmEQWJ8J7z
+ ov0VfBCJp6gFht37dGWuLtWi1qqWRgN+9hiBnkj2zONoph0SRGP9uNfadBSzYSD4
+ wvlOFrWeM9cswnk4i0q8Go+qdCC6U0g1szjirdifF7I9KdqKpOFwXzjnzsPTF42o
+ 9oFCP32esOYv++DfTBgrSv8/STublJYABcs+lzjvURqBsFvdz7PBphH66++yxt7v
+ bTTmu8O9WHC8/5QTfUzOBAfgyu4CwF3YLRZd81ERtzO/udNYgGO3bifofCfpv+nY
+ MMyCbGxoiAfBWcAHhka+8nMnBj0as+ln220O99N6zH1rTmqqDxRQkEiYek1MqEU1
+ f319u3KqB6STWmZvjlwQ5AhwSLCLT2VpIJX4CpMClWlLb3E2rpZ+B1uBRMQQ3fMe
+ jSynatL2vXn3rKWzxIEIxA/BkVKQ8zXgOT9JyqyCZdHTvjEmWuQitILi7wKWJb7/
+ qhTGEBoQbjIKP2Bpso286RKhS3erE0wqLeXXFb7e6bkEEHXa/jVHCZk8/qDcAAIB
+ 3eIb5SNnLxQwo07JlWdDPzCvqeC4fx5AWxXmHsKWI+91PA0jdNjcEPt2sxwAEQYq
+ LWBW6BL22Hqo/VOBXhM1T5mFKomqySLSrxTYeWXtJLZwh0aHbm6RyGGMjHpCiU3S
+ XgE8EQeKefLHoTixb1Rl/amIvtOUUcTtdqlyat9hhIdMl/7ZMesmNuD1ZsEzdCJd
+ 20/DgHzFE7WvZKrjt73GDETUjwLHZSl5fydQMgcNFgzU2mdV6nYNhF18gE/af74=
+ =UA8K
+ -----END PGP MESSAGE-----
+ fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+ - created_at: "2024-06-20T20:01:32Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxjNhCKPP69fAQ//RVzQX4Ua5XZHTIe7ffYiqMxy/KoJdbCxpgjbdD0sx2ou
+ zCB13t13UkLjLo5GkTE7kRGtyKOdhQ/7NUA7tOZ+rwWOq3NehOTLfU0wMkgT7tOh
+ byWwNHrY9VHz3ndFnya5nNcnrqILA1rEn32PnioNyWcU6832jyUWvtRqwF+JRrKr
+ yRJMvz4T8vmLwrxqarB1uqU0OVHXy8bq8d9/pVrAmk6+C/H5FINFlApD0dKYftd2
+ phoTSA5WG8j1e0v5p4+r9cRHlYXFMinMMkpzD/JMyNB1WVZ9aGQxU7WiuYzuv1bh
+ PKN/LEgfh3ypI8W960NHv/OMRjVs/VxA+G3ml3Lw6acRnaLr++MhF2G7ZBTx8rgi
+ fjyF6m4XtacwIKYZ7SNt9eQewGI8VU30o8np33qb9KeOt7v8PrMH1G3X+bTLnJGw
+ VjxjvaBaePmPplYYS7xaPuUnzFNabDXTE8XCQpdJMy26ef77gaWr6TQwXbRlZXrx
+ S60EecMLwUj+daR0PkVBkCDxXkW8+0uPkt6EEn5rmPdMXoh4DUw+4A14t7yyUU50
+ j3M9tv6DuYs/KhgZYfLe+6hVD7fY4lAs5Ge6QGLA/TljAatE3zpSZQK+b7C4HKJS
+ 3eRpcAt6CJFhXaCBwl4+gigrg3voX1ykh62oqY/4ecKbAiiVXLIrcflv9kx2Ht7S
+ XgEDhoIRIvXoOUy6j/qjp/OFxwu5y6MpBX4vHxlpL36daL2yShMkCYyY3ajea4eX
+ 9k7B9fpRu3sjbDTNr1heffI+5n/HKc8j9a52hzu5eF0e+v+vKY32uk1jlUhZdj4=
+ =R/pX
+ -----END PGP MESSAGE-----
+ fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+ - created_at: "2024-06-20T20:01:32Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA1Hthzn+T1OoAQ/+OHZshi2zBfbVQ91WKLqei7bT4CZGiPxQsl7aogv8JkyL
+ D8p+VgIReMvq4F5QFaIsA8yqMSnjxfIi5bFd9SKjuhOKvuQjyh1rSsFb0t8ESuYi
+ fHBnVw4tDNfTEGQa9YhNJPTq60TwR4P2xYFEgc//AQqfs9XH0cTbvkFS9dkug092
+ u4yJfB2aZEJa0Eh0AenUYzP13bFH0sJwL1hQop1v9gF44JeKHpRNd0Yixlp0Yucs
+ Ccww+WaNFVQ4+zvyW7MnI8/D27/SQGRXXqQE6sOQlsg5SUzF2vIpYbIeuu1NR5WK
+ v1ZB0DlWVuOshIB7M9WUCZcAS5cMAWKc1vvZ/K0l+6tNskZvGE4p/lv1bmZ5zfc3
+ gT/2L6ENuoKW7RoF071SsG9Xn7VJync+iNTtg0m7Je7HRAZAGGc8vfIkrTXAmoIE
+ QkGuog0R+EZxq9L1WMbppV/bnbBxiutFxwWOGTxzsn+DksVrVLvyI/EbHJvcEwzN
+ hISPFmAiCEKzGAGfaO24F5Xcs+U6AgumS5V5kwY6zA/kZpJEdQm38rcC12ZpXR9C
+ oHGs9ACtgf+g8H3/Ks5DL48FTbYuZADamVA5+pV97B7xCS8TxYChuFNPLwU2s52G
+ liiZV9NevlFlbsXFZS/EWgR8b0aH9Nhjl5TAPOajBOu0Nm/83XEP9nbbbjJjGRHS
+ XgHop/OMkJRuZZ35JQjUS6dIBzSivqplpr51wHbyilxbvOHdvuu6w9kqGY9VhuVt
+ nCszg+IQ0SM8YFuu1M5UPO4txYQTHx8zO5SD/d8kh5HEu9fmTNyJXblRcyAzYZc=
+ =TxDz
+ -----END PGP MESSAGE-----
+ fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+ - created_at: "2024-06-20T20:01:32Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA46L6MuPqfJqAQ//co7jg6v5QUB7eHXJPMLxsgtbC/VYp7C7QqXQda5qhohW
+ t0F9lysBybhIGoYuvfZGzNMYqqkVpFxzlOO2vFlcYFsQhjCpJrHBWYT4XOmIBR64
+ 6Az/iKqNLS+cG+rFIIuc8BqRk3r4lrM32dCqz0a+3qRkdmbff4yKuzg8FTPlv1RI
+ O9SzRqfptcKDXItnQF+8CAziqcGyy4jL2wnl1Q2I2Pksr+Zw1eZVbFfHmCpG7A5C
+ TVihozz51jeXlggDp9/NPJOQDsmV+KdpvNx2Eqj6PQ6aGWtyYv5YZG3X/eRKW90+
+ qUOJxwpW5KGcROnuvQt1AggcXquOTLHFyJ85M8tpJcl+JYVZsIeNDo+LO8sbrCTA
+ cjp/YSLOms+GullbGAwrJh4TYtwJE9sEKr9OAFUvd+AxVFWj08BqMe1eN5YBbwwB
+ vNurVdvjE8jaTCmZgPPOIP5KXSrsG8bA02YlZ4MnzodYidIhTudJ8VB4NYCtNgOL
+ G/x7h/KA5KYgDWEtr21z2oy0QkGijtrcNa02GpslirjufZ6TPGCbJjAeEsPbYBm7
+ mDXm5+PzZpb1pbcSVNlVG5Ry73JrZxBpYCPGnxLs5yAmWOlNa/xcgDHBU+iXyVg0
+ Wm8pHRAVNfbvL7NB8yeaxSDoTSE7/BsisL6tUHoV+bdlpVsTF26bQZBc/zhxiZrS
+ XgGJ8ChRZbpi2qUzP4nA2jPkYtQ4cquA+ftDx4i+ZqVNtAhVSnTiBZoYu/21+BUB
+ oxDa5m2vD0s0t0fGfmmIvpLZKZIF7NcwnCdNVQve/D3qNNa4T3YnXb8JTGH0PYc=
+ =mu1s
+ -----END PGP MESSAGE-----
+ fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+ - created_at: "2024-06-20T20:01:32Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4EEKdYEzV0pAQ/8D4mAcC6vsHLkSryz1yIYoBqqtJnG62pITFEbafhVLR6V
+ nWAw/zP9DqNj15MsrM67xaQxlMVgkVM7QTchgp0CjXsyZ/gWPgDl0NaC92Uj93Ov
+ Gi2OpkfHQFaAW6JsAFl5NrF0ZBw/flx8X0l2klIxBV+ztpkLADEtXWsoGsmz5L4m
+ n41icEp9+nb9nwy7p+Je0s4jZCBB0sVlbkX9i4IpMOgEhA0HcWemc940VJp3UyRg
+ LkOs5C0J4Y4qjS12248y16gV/IhNaJ4PCPgVwSj1Xzz6VXauQosmWhnUbnqJbi3F
+ KWEV0IJJO+dlj5VShzFDnkN2bM1GeyQx1S+FkNp+Mmm6JNrUK+CZL8fUYka06O0V
+ DD/sg1Pyq8VawNG5RxwAWA5F1F1SIrJzF0T4HyIN1UFRCjWC466sdrBTQLtx472k
+ NdBCvabHS/bx5miPKF5iglJYzz4biUdevc3EU7q4hwgMYM2oep3m2EsaTbKWzjnY
+ PLB4d0bCsRlya0YfHaFX5f3xSNb/FzBcUlTHzX2asyB2DolMug1VqS3jCEkWGbk/
+ vfNfR5yRuwkwNlJRqHbGIfH7fYEgwSTW+VW2iUdY7Dra7xjgTzqZgLi5W8QwKJqq
+ 1V5H4KlRQNYwloVJzQZCwoPcY+tBfTZ4LsDKtjyJzFY9vdTGGGqb9lAG7YBUdubS
+ XgE72UuZvbPQZuI7uVKMEORGVssQjwZFhs4InR/Ixe03a7hb8fdRHfu/ueS/3KQx
+ mRXVino/iVQ6M936mtibfeH9TpBpjqH8sBKNHv2hgnoap9QpkrVn1yWqrOcpht8=
+ =+sXL
+ -----END PGP MESSAGE-----
+ fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+ - created_at: "2024-06-20T20:01:32Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DQrf1tCqiJxoSAQdA/tIZCvQv0E4dHN5jBHsAGclKEeLFhyf4lIQx+xa+uwQw
+ /VGCdNT8U13EawRC66KLXRrRgsNPpwUg15wAoTzQ8gW/tLpgvL5nsEYPfaowYwBD
+ 0l4BmNV4o4J+NHF7Tk1af2kx0pp6kF9eJynn6irr336tGzY004lZfZlqwgeOk+qN
+ 93XcSfdAOlIktfex1q1oTPrSpGIv32zsLPoRNVa50dO+IKu1tmYAxi9N9sQgbWa4
+ =rnF9
+ -----END PGP MESSAGE-----
+ fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+ - created_at: "2024-06-20T20:01:32Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzdAjw8ldn6CAQ/9HNG41mTgq8VavF9DBX7+upnsmoDtwblck18l3rurJ1mo
+ k2ki7tWwIxRyLLHtsUxJ9S55cmXuhhPJK8Kzc32SnY5irDkqK/4JZnDvofg+z68B
+ 8pQOunN1BQp50k8vd4Mha43re8s24iqrM+fj59uHM2YYsQYt9TCR/NvUopOdi6l2
+ 8OnKI2KdRvYhtzzCY3wmQKhG7p0hc8y8pP/0DmPW5IGQ6OP4zO+Qnc4EbVnA9Uhr
+ tZ4sTNn0o80kfvILKANkAm81v86KdSRXdd3+1IpH1c7rTqm9o+DEm8nKnwWOF63O
+ P0klsYLlfqiZyQ0AyS67RHPTw/y57mAyWVFbABDLtXQQHWcIkADMLKTJLpnhKkRn
+ Cp94EXBBBwViAUBUzzskE4lgKXncl1h5ogLum8btU+cLky0qa8Hzie5QqszlErf8
+ fci0AEHV8u+Kf5EARf1FiY6K2aVnFOJchdeL98qllwRu6f8zz7+bfLq1UXcGBlQS
+ JnbAlXiL4vEBxQyW5awYYzpaMUTW1ejjujZUitdaUeIQJdv/IJvHe9y6/F0uukdt
+ AMrDI7E+JKa6hLPe4g6H1hUzh6GcaHuNU9z2NSDfzxcOHkqALsCDLVDxsjPhahCc
+ UZkSn8ebyqv7/jpTgWnsls0Fx8XqvKKJNoqXfK81oIvWlJsEwqSaBczkq9HQbO7S
+ XgH2N8XPOJWmqDc+xS26eERNJ8ZlhYaODWwatgqt2si6EdBpVRZL4PXsOrOlI8Xi
+ Uaag1/Uljqbk5mN18+CtSfSt0ded79d44B9zAbc70hgvkRrpcotDBnO8YQ9MxB0=
+ =O0Sg
+ -----END PGP MESSAGE-----
+ fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/config/hosts/mjolnir/sops.nix b/config/hosts/mjolnir/sops.nix
new file mode 100644
index 0000000..b4548ed
--- /dev/null
+++ b/config/hosts/mjolnir/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
diff --git a/config/hosts/mqtt/configuration.nix b/config/hosts/mqtt/configuration.nix
new file mode 100644
index 0000000..18d0184
--- /dev/null
+++ b/config/hosts/mqtt/configuration.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ networking = {
+ hostName = "mqtt";
+ domain = "z9.ccchh.net";
+ };
+
+ system.stateVersion = "23.11";
+}
\ No newline at end of file
diff --git a/config/hosts/mqtt/default.nix b/config/hosts/mqtt/default.nix
new file mode 100644
index 0000000..bb61c12
--- /dev/null
+++ b/config/hosts/mqtt/default.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./networking.nix
+ ./mosquitto.nix
+ ];
+}
\ No newline at end of file
diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix
new file mode 100644
index 0000000..672c05d
--- /dev/null
+++ b/config/hosts/mqtt/mosquitto.nix
@@ -0,0 +1,33 @@
+# Sources for this configuration:
+# - https://search.nixos.org/options?sort=relevance&type=packages&query=services.mosquitto
+# - https://mosquitto.org/man/mosquitto-conf-5.html
+# - https://winkekatze24.de
+{ ... }:
+
+{
+ services.mosquitto = {
+ enable = true;
+ persistence = true;
+
+ # set config for all listeners
+ listeners = [ {
+ settings.allow_anonymous = true;
+ omitPasswordAuth = true;
+ acl = ["topic readwrite #"];
+ } ];
+
+ bridges.winkekatz = {
+ addresses = [
+ { address = "mqtt.winkekatze24.de"; }
+ ];
+ topics = [
+ "winkekatze/allcats/eye/set in 2"
+ "winkekatze/allcats in 2"
+ "+/status out 2 winkekatze/ \"\""
+ "+/connected out 2 winkekatze/ \"\""
+ ];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 1883 ];
+}
\ No newline at end of file
diff --git a/config/hosts/mqtt/networking.nix b/config/hosts/mqtt/networking.nix
new file mode 100644
index 0000000..7a34cbb
--- /dev/null
+++ b/config/hosts/mqtt/networking.nix
@@ -0,0 +1,21 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "10.31.208.14";
+ prefixLength = 23;
+ }
+ ];
+ };
+ defaultGateway = "10.31.208.1";
+ nameservers = [ "10.31.210.1" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:48:85:73";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
index ff32349..e0f2df9 100644
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
@@ -11,9 +11,19 @@
enable = true;
package = pkgs.netbox;
secretKeyFile = "/run/secrets/netbox_secret_key";
+ keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
settings = {
ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
SESSION_COOKIE_SECURE = true;
+ # CCCHH ID (Keycloak) integration.
+ # https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
+ # https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
+ REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2";
+ SOCIAL_AUTH_KEYCLOAK_KEY = "netbox";
+ # SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option.
+ SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
+ SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
+ SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
};
};
@@ -21,6 +31,12 @@
mode = "0440";
owner = "netbox";
group = "netbox";
- restartUnits = [ "netbox.service" ];
+ restartUnits = [ "netbox.service" "netbox-rq.service" ];
+ };
+ sops.secrets."netbox_keycloak_secret" = {
+ mode = "0440";
+ owner = "netbox";
+ group = "netbox";
+ restartUnits = [ "netbox.service" "netbox-rq.service" ];
};
}
diff --git a/config/hosts/netbox/networking.nix b/config/hosts/netbox/networking.nix
index dbfe9a6..a0abcfe 100644
--- a/config/hosts/netbox/networking.nix
+++ b/config/hosts/netbox/networking.nix
@@ -1,23 +1,19 @@
-# Networking configuration for the host.
-# Sources for this configuration:
-# - https://nixos.org/manual/nixos/stable/#sec-networking
-# - https://nixos.wiki/wiki/Systemd-networkd
-# - https://wiki.archlinux.org/title/Systemd-networkd
-
-{ config, pkgs, ... }:
+{ ... }:
{
- networking.interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "172.31.17.149";
- prefixLength = 25;
- }
- ];
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.149";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
};
- networking.defaultGateway = "172.31.17.129";
- networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
- networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "62:ED:44:20:7C:C1";
diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml
index 6f9e3e5..831a7a1 100644
--- a/config/hosts/netbox/secrets.yaml
+++ b/config/hosts/netbox/secrets.yaml
@@ -1,4 +1,5 @@
netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str]
+netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str]
sops:
kms: []
gcp_kms: []
@@ -14,8 +15,8 @@ sops:
V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw
a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-26T01:07:35Z"
- mac: ENC[AES256_GCM,data:0zWNPrUqpuC/qXOaTE8ayrTbnZdg9VA2NqxSNnV0bogqxVkg8zhbx8OKYfNQ0DswjxKNEnKsqjp62gA678VfRfGHJU5ZoHfAC7kBbrkDy+pMzS6LRwT+7n0C1AbaaG7hienGJQsx2gUUYqu7OSQuS722lXAw65deFvZGtL6lt8E=,iv:mOLkzF5pJFazmH9XX94Hjd04FcgSh0hY4juEO3vKNBc=,tag:lSk0lnVONQCmuO0KmxlL0Q==,type:str]
+ lastmodified: "2024-10-08T23:54:23Z"
+ mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str]
pgp:
- created_at: "2024-05-26T01:07:22Z"
enc: |-
diff --git a/config/hosts/nix-box-june/networking.nix b/config/hosts/nix-box-june/networking.nix
index 073250b..2c1faee 100644
--- a/config/hosts/nix-box-june/networking.nix
+++ b/config/hosts/nix-box-june/networking.nix
@@ -1,19 +1,19 @@
-# Networking configuration for the host.
-
-{ config, pkgs, ... }:
+{ ... }:
{
- networking.interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "172.31.17.158";
- prefixLength = 25;
- }
- ];
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.158";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
};
- networking.defaultGateway = "172.31.17.129";
- networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
- networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:6A:33:5F";
diff --git a/config/hosts/penpot/configuration.nix b/config/hosts/penpot/configuration.nix
new file mode 100644
index 0000000..4608e1c
--- /dev/null
+++ b/config/hosts/penpot/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+ networking.hostName = "penpot";
+
+ system.stateVersion = "24.05";
+}
diff --git a/config/hosts/penpot/default.nix b/config/hosts/penpot/default.nix
new file mode 100644
index 0000000..b6c8d81
--- /dev/null
+++ b/config/hosts/penpot/default.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./networking.nix
+ ./nginx.nix
+ ./penpot.nix
+ ./sops.nix
+ ];
+}
diff --git a/config/hosts/penpot/networking.nix b/config/hosts/penpot/networking.nix
new file mode 100644
index 0000000..a96f70b
--- /dev/null
+++ b/config/hosts/penpot/networking.nix
@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+ networking.interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.162";
+ prefixLength = 25;
+ }
+ ];
+ };
+ networking.defaultGateway = "172.31.17.129";
+ networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ networking.search = [ "hamburg.ccc.de" ];
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:26:1C:8A";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/penpot/nginx.nix b/config/hosts/penpot/nginx.nix
new file mode 100644
index 0000000..dc446f3
--- /dev/null
+++ b/config/hosts/penpot/nginx.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+
+let
+ domain = "design.hamburg.ccc.de";
+in
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts = {
+ "acme-${domain}" = {
+ default = true;
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9001";
+ };
+
+ locations."/ws/notifications" = {
+ proxyPass = "http://127.0.0.1:9001";
+ proxyWebsockets = true;
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+ networking.firewall.allowedUDPPorts = [ 8443 ];
+}
diff --git a/config/hosts/penpot/penpot.nix b/config/hosts/penpot/penpot.nix
new file mode 100644
index 0000000..0629d1f
--- /dev/null
+++ b/config/hosts/penpot/penpot.nix
@@ -0,0 +1,198 @@
+# Sources used for this configuration:
+# - https://github.com/penpot/penpot/blob/2.1.0/docker/images/docker-compose.yaml
+# - https://raw.githubusercontent.com/penpot/penpot/2.1.0/docker/images/docker-compose.yaml
+# - https://help.penpot.app/technical-guide/configuration/
+# - https://medium.com/@social.iodols/managing-docker-containers-in-nixos-fbda0f666dd1
+# - https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/
+
+{ config, pkgs, ... }:
+
+let
+ # Flags for both frontend and backend.
+ # https://help.penpot.app/technical-guide/configuration/#common
+ # https://github.com/penpot/penpot/commit/ea7ad2aaa096f8d190d740f693f22f3ed1f05088
+ commonPenpotFlags = "disable-registration enable-oidc-registration disable-login-with-password enable-login-with-oidc";
+ penpotVersion = "2.1.3";
+in
+{
+ virtualisation.docker.enable = true;
+ virtualisation.oci-containers = {
+ backend = "docker";
+ containers = {
+ "penpot-frontend" = {
+ autoStart = true;
+ image = "docker.io/penpotapp/frontend:${penpotVersion}";
+ extraOptions = [ "--network=penpot" ];
+ ports = [ "9001:80" ];
+ volumes = [ "penpot_assets:/opt/data/assets" ];
+ dependsOn = [
+ "penpot-backend"
+ "penpot-exporter"
+ ];
+ environment = {
+ # https://help.penpot.app/technical-guide/configuration/#frontend
+ # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L78
+
+ PENPOT_FLAGS = "${commonPenpotFlags} disable-onboarding";
+ };
+ };
+
+ "penpot-backend" = {
+ autoStart = true;
+ image = "docker.io/penpotapp/backend:${penpotVersion}";
+ extraOptions = [ "--network=penpot" ];
+ volumes = [ "penpot_assets:/opt/data/assets" ];
+ dependsOn = [
+ "penpot-postgres"
+ "penpot-redis"
+ ];
+ environment = {
+ # https://help.penpot.app/technical-guide/configuration/#backend
+ # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L112
+
+ PENPOT_FLAGS = "${commonPenpotFlags} enable-smtp";
+
+ # PENPOT_SECRET_KEY st via environmentFile.
+ PENPOT_TELEMETRY_ENABLED = "false";
+
+ # OpenID Connect configuration.
+ # https://help.penpot.app/technical-guide/configuration/#openid-connect
+ PENPOT_OIDC_CLIENT_ID = "penpot";
+ PENPOT_OIDC_BASE_URI = "https://id.hamburg.ccc.de/realms/ccchh/";
+ # PENPOT_OIDC_CLIENT_SECRET set via environmentFile.
+ PENPOT_OIDC_ROLES = "user";
+ PENPOT_OIDC_ROLES_ATTR = "roles";
+
+ # Database configuration.
+ # https://help.penpot.app/technical-guide/configuration/#database
+ PENPOT_DATABASE_USERNAME = "penpot";
+ # PENPOT_DATABASE_PASSWORD set via environmentFile.
+ PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot";
+
+ # Email configuration.
+ # https://help.penpot.app/technical-guide/configuration/#email-(smtp)
+ PENPOT_SMTP_HOST = "cow.hamburg.ccc.de";
+ PENPOT_SMTP_PORT = "465";
+ PENPOT_SMTP_USERNAME = "no-reply@design.hamburg.ccc.de";
+ # PENPOT_SMTP_PASSWORD set via environmentFile.
+ PENPOT_SMTP_SSL = "true";
+ PENPOT_SMTP_DEFAULT_REPLY_TO = "Penpot <no-reply@design.hamburg.ccc.de>";
+ PENPOT_SMTP_DEFAULT_FROM = "Penpot <no-reply@design.hamburg.ccc.de>";
+
+ # Storage
+ # https://help.penpot.app/technical-guide/configuration/#storage
+ PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs";
+ PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets";
+
+ # Redis
+ # https://help.penpot.app/technical-guide/configuration/#redis
+ PENPOT_REDIS_URI = "redis://penpot-redis/0";
+
+ PENPOT_PUBLIC_URI = "https://design.hamburg.ccc.de";
+ };
+ environmentFiles = [ "/run/secrets/penpot_backend_environment_file" ];
+ };
+
+ "penpot-exporter" = {
+ autoStart = true;
+ image = "docker.io/penpotapp/exporter:${penpotVersion}";
+ extraOptions = [ "--network=penpot" ];
+ environment = {
+ # https://help.penpot.app/technical-guide/configuration/#exporter
+ # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L221
+ PENPOT_PUBLIC_URI = "http://penpot-frontend";
+ PENPOT_REDIS_URI = "redis://penpot-redis/0";
+ };
+ };
+
+ "penpot-postgres" = {
+ autoStart = true;
+ image = "docker.io/library/postgres:15";
+ extraOptions = [ "--stop-signal=SIGINT" "--network=penpot" ];
+ volumes = [ "penpot_postgres_v15:/var/lib/postgresql/data" ];
+ environment = {
+ # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L240
+
+ POSTGRES_INITDB_ARGS = "--data-checksums";
+ POSTGRES_DB = "penpot";
+ POSTGRES_USER = "penpot";
+ # POSTGRES_PASSWORD set via environmentFile.
+ };
+ environmentFiles = [ "/run/secrets/penpot_postgres_environment_file" ];
+ };
+
+ "penpot-redis" = {
+ autoStart = true;
+ image = "docker.io/library/redis:7";
+ extraOptions = [ "--network=penpot" ];
+ };
+ };
+ };
+
+ # Docker networks.
+ systemd.services."docker-network-penpot" = {
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStop = "${pkgs.docker}/bin/docker network rm -f penpot";
+ };
+ script = "${pkgs.docker}/bin/docker network inspect penpot || ${pkgs.docker}/bin/docker network create penpot";
+ requiredBy = [
+ "docker-penpot-frontend.service"
+ "docker-penpot-backend.service"
+ "docker-penpot-exporter.service"
+ "docker-penpot-postgres.service"
+ "docker-penpot-redis.service"
+ ];
+ before = [
+ "docker-penpot-frontend.service"
+ "docker-penpot-backend.service"
+ "docker-penpot-exporter.service"
+ "docker-penpot-postgres.service"
+ "docker-penpot-redis.service"
+ ];
+ };
+
+ # Pull docker images prior to starting container services, so that a container
+ # service isn't considered up, if it actually is still just pulling the
+ # relevant image.
+ systemd.services."docker-images-penpot" = {
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-frontend".image}
+ ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-backend".image}
+ ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-exporter".image}
+ ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-postgres".image}
+ ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-redis".image}
+ '';
+ requiredBy = [
+ "docker-penpot-frontend.service"
+ "docker-penpot-backend.service"
+ "docker-penpot-exporter.service"
+ "docker-penpot-postgres.service"
+ "docker-penpot-redis.service"
+ ];
+ before = [
+ "docker-penpot-frontend.service"
+ "docker-penpot-backend.service"
+ "docker-penpot-exporter.service"
+ "docker-penpot-postgres.service"
+ "docker-penpot-redis.service"
+ ];
+ };
+
+ sops.secrets."penpot_backend_environment_file" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ };
+
+ sops.secrets."penpot_postgres_environment_file" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ };
+}
diff --git a/config/hosts/penpot/secrets.yaml b/config/hosts/penpot/secrets.yaml
new file mode 100644
index 0000000..855590c
--- /dev/null
+++ b/config/hosts/penpot/secrets.yaml
@@ -0,0 +1,234 @@
+penpot_backend_environment_file: ENC[AES256_GCM,data:+MJbbAjzslBIYlQ9xe0VzM8ON2U5dktJGGHmoUu0HW0mvU4pRYrQXlWdW85RXAyYU9yOiL6TNAHOWUQyqOdo23whuer2jL/Qe17DEhapE4b9W9JqBX7H0VZZKHS70AgGZdWmbj/bWAROg/qGPVKjZLhgKxoVTVbvAIJEXUDAbGfvHlY3BP67yUTXvbmtd/Rdhn6i1HafY7YHFNAW8SkikglW6wR5igEZMFAefMOMgq7aYmNXOr1bImjCPEko0DvumJZM4YMjmb3Wc97wL7OMP9G/V0k9fRclhOj9+lNpeeCKL+VL3Bgo8vqgrB+WIi4a0EwerT8srx351txrU+ITxoHciRQtOpeXVHWL1snW9o7xCoOcil0NS93D9GhW+Hd75Is/xHN08UHmahF1r71nbDK4CmSiUzZzFLl1oWkSTU/31zBUnllHOt5nDMKT42xiniAJcQ==,iv:vtIlNGIh9+e9W+OebTac+UUQp9glBIolC6KQwQMzDn4=,tag:kBBTu7LVp+3xJ/MstLyomw==,type:str]
+penpot_postgres_environment_file: ENC[AES256_GCM,data:VT36kHkRH8ghnU1oyPpAQZW2LR8GNmG1cQXVjU4f+rGy9hViTivd7qxzMusisy7IcWfVaQuXFvUCT+pCMD/fhSAQZOY/1Rs8LBXJtsuPButOG9Q=,iv:pUjAkvvHjsnzn0xRRmdZXatOgLm9dx8Ggt7lEfiQllQ=,tag:FZRqlcxQWu/FgnJfoukIcA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZVA5WE9JcDBOQVdPbGkz
+ SnNkWEJvaUtGaWVOajd6SzJ6aGNxSXZQaVhnCmgwT01kNFRZa09Gd1o2ZURyZUJQ
+ N0dwK21vUmk1N1duOVNtV2wrVmlyNDQKLS0tIEJtUENHdXhGcXhRRjM5VkhpdEVG
+ Z3UzOGFFUDhwUndoQWtCdHlMenZETW8KI0FjoFG4E1fhOxYiCIxY2BnLOmGcpoyK
+ EbDdNFQEMngwppEm9r1KzG/1cGMoIij2qpmK4Jz1Hzgk/6dZwvGxzw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-10T15:40:27Z"
+ mac: ENC[AES256_GCM,data:hxVxH/BBwYcvbtOH4aOUnI9NnbCfAGnnwE3VQBJBJliOWo9WHm/hx4Eol4vaS+AA2t6AUU7UmzjofX2wSTbqQliDCFCSgbpMofDXP7tmlat+M9Du91fQmfOibzCd84tkqS+TRTFCFX83LmQ7/Bb2mHl77uGVAFYyHX9+IPPEUMw=,iv:w2Rdl2+o7bZRQsOogU6U5DK1UuHn+bL4Ouh3XbByYHA=,tag:6sqJal6+kzk0stP6vK6oOw==,type:str]
+ pgp:
+ - created_at: "2024-08-09T01:28:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxK/JaB2/SdtAQ/+JKe4fsuAKMJr6kuDt5vjv+hrXamWEwRLBfYPHHZHEUeK
+ AQBs9fG9Ni7Qpelv8RIbxWyophgt2TCEqP2d+7EcGTgDZkdLxx5s2LJuCh+tEZwT
+ bm0sPt+8eYY077MxA1ZtlBgkslMugvdnJaDckGc8xRPldUa7gRp0j3yaLULRxjA6
+ T0nyALAqAaDa2uHgB7mTB3pXJYk4GxZpYbVc+wxAWXEDRLR/bpT18ywAcA6iSerd
+ KGDzWKjgOr1TTJqUxsguqDjnVp1c+xRPirC9uENGqW8mxI7h1+4B//dJvuXV/cYh
+ LKi0aDUTnma78mo2v9faUSJl23LkIehWZwbVG/+Mpkk3yxscLV124Vbwj56IFCzI
+ AiJ7m2QVxY5eXoVLodw6Po2S62gkwg7H5Aw3J4pppNuIAIr/8mJBpJoBy6poTsG3
+ QhbQdEdsF5ikoLu/OV/H7mp86zJt42Q+74xGjKYx/qvLq6SDmDA03kqk9N71URyu
+ FRTEDysEkeAzreFFkxn3Q+K/cXvtv/2Knte1lmDTfpmhg4cFwsLPLPH37A2veaxJ
+ JTyWDLHgrJ8NFgii3gLrwj+XLOZOwmCY0puJKtdAnPaaQiLfyqYfeLVlt7Se4MMJ
+ 8XaFWcaQHBxL9nRZnx7WkE9LfHIG0e+414hT0F/aER+8iKboIbt6rdEHpEMGDWnU
+ aAEJAhD/TpW7E+yYjFVi/xSQ3kCAruHcm6x4BDTE7by0VeTLiRFW+culxiInOYiD
+ kdp+dATm5f7IrQp/qemL02/Me5yqURZlZrDHra7AiCI+MVBJiCRIY/x6xZSew7PX
+ HC+p9sB+PBFL
+ =1qbt
+ -----END PGP MESSAGE-----
+ fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+ - created_at: "2024-08-09T01:28:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA6EyPtWBEI+2AQ/+Ijn18W+K2je/hpolpY6HmQMTTRpQJZ8YtJ5G35o5WoVP
+ hH+znQMrBBAtnTWeFBeIuIzk4CHjPS0yfnsE4/rP7/lSa177A2xaeiCb74F6k/Es
+ MtDE/TApSlNdPFruN5nkd2I8jAWh1k37nS+/NUhszReR39NNmgA+aCSc2OK04aAz
+ dpPXmaJ+d3zMr7eFoL2NyhNI3A/ZdVP3UmZCp12juckDRl8oeei4PBlw2T6ODJP4
+ tY08I9EyK/5K4auhYJyvayl1RWwRuShFV732ZjztkawLw152W0Rrg75Qoukhs9mr
+ TdyF0zcnVxAcOV4e5wRe13dDV6Ue7zeWFc9bb577thGzUm2Oue0u+oisty16qt9K
+ 0vw0tVSDtT/suodG8HpvSwGQ+/xcV7w8XCH8Yx28N9iO49VZCB1ZYXQBxTHVDl2b
+ J/8AivaK4OOFvPWNr4u6oLaO9nz1aaX6Qsap5zn0Qa2Ls2SSBwWk2Fp/f1dq3KOy
+ /jGR89ocuEuImVacr2G6zxPnbukfa4S8q/FUUDbswQUqmWMcDDq3dOQ1fFPRd7vy
+ 5a9u3P8LFW+ZPPHop3kgozgZ9pBGDOlw3nkjGjFl39lE33E+049gLE6I6+1+umG0
+ EWkNI9y8X+HmHMthVuYapq23Ix09H6Wa452hZmEUxNgp33M8Zx+l3s6D7o7jfrjS
+ XgElPJuUWyGKPoUY9mFaINyVqjOJGEtEOYRP7jvCpFWDq/xQ8jbJvvv7qBy8+i0b
+ cpqRrMJrvMB2PSLeD6cNWymrNhKilLLFOcG9yaIEudDhiuv3L4/ub08QMroDmo8=
+ =80AM
+ -----END PGP MESSAGE-----
+ fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+ - created_at: "2024-08-09T01:28:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAz5uSgHG2iMJAQ//Vv7IVqc9ReeFgo8RWbYpl1W5atAHerZuUh0oYc4otGpb
+ UseJ2JInyykcUeQWlOGvTK+eauBVNET0E/6jylCoWb8lzffhSMJ4FFpvpsoYjPG9
+ Q8s3r8soOCYB0xscfhinZwJg5to+I2MSd8mppWIp4UCQhxv7MqQpbqEzNTfVP7YO
+ QEUZ/lesVovLvxMzKc2YVWyZFSW2G6HK3LTaJIg8gy5ym/crlUB+awd2ZDePGk6F
+ Y7DcKwL1EpCL+hoPWGF9PclYKrOBIZVznYQuwHAqG+Bxr9Ln/NmS/OoCrJDMN6gG
+ 2YMZ3Q7GQ82zZESxYA7g+ef9/lGCm7DIkt80or72x7eS6/OP7c1bjGFgKLQNyHFU
+ Th6cOy/TzK8Sq2g1mWB2zyV3xk6mb9C0ETAFD5vvPGVC3Sb4549Y+epe1T3ZLFTA
+ t09nUIpTC05PEdGsWs5Z5MDp8ZCsPZpipbVrWENesNOfaFYG+p7aM0LjgTqZcadD
+ B/Foejayc3XYI0T/NoP43mAZ2nEOw2Bz9lBpwz0PeTfzyrhz9XlJ7Dw462XTFA3i
+ voTHA5+DzGNPf6zC1fH9GcESmpC2nqXit8ZV+Y7Zb9/cAsx3E05S8ayxdBZUrOtJ
+ JSWGOAfPuzGXgL6Ht3iKcmCxQ/pSi1aH0h+bYqlrxTvP9IMyNCrxmP6+YsXCv8XS
+ XgE0NjzRMClq4/HhQ5X0ANGHWxbZJLAbm8yfgK5rnnmvi53RNJhRUHDnNca93brF
+ n27gnVLKM+2FdwRjwNIznkbZV/iNM6zIfRWwmJs9gHRuX/J/XWzD1KjDsn2rmiQ=
+ =bAYZ
+ -----END PGP MESSAGE-----
+ fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+ - created_at: "2024-08-09T01:28:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAw5vwmoEJHQ1ARAAkdXjf9h4iyYtKPwR9V8hgIfpt3s3zMduuJN3u76ZHdfE
+ 87t5K8eL2yIVN2DeOqtXRG28Broy3LLwMlLOJhxVxS5LAOEjT4ScZyb9H7MLnDsp
+ boW210SLkeQ5vTW9hgjAU9V6wbemxoiNPYTcBUsuirI8a+jpnALLY0jeOILBEmHQ
+ c+wbeo+VnlTQkTKCFI7TwlG1JnRnv3DMATVkOjC2PXmXPNkhr04Ivvf0+yBELY/1
+ hLirTfk/W6vFodPaoaRaeWjGJOo+FbqKLxr2xYzVu6SkF+i4CvDPb1x0t/laTpPA
+ qC6KJ1wyVwG4k7ZBLgRcf5Scn1zgGFzZexUAhdIYp0tKPycphUQxEMOI8/OeBP1V
+ 68gBcilvv42zs+ed2RUK4j1e9YklxazZgaUhPfdrBrw/HiDJ8ILaq6LQQZSNrxZx
+ koAV/qw8ylU7vkciyA8bGLOiWc/Ub9vkRSuEi5TMOhmT7bVZ+W/26bWgDcAMmCpa
+ 13H1uLXLuHnfDavdesh+RAxRgEavPTMz+HFbqhvkv8sy0RPCodyJv69J7dsS7a2C
+ 71Ub7jyZIQyRtTGGZH5EjMQVStBMccE2KrJRzZCKbCmQDofKb4M67caaHBnVrs7D
+ vyx8V7JQGkNOWIgWFb23dtCtRiMzFaRk31mihFmFF2tSgg6XMqNmTp0pc3zQBarS
+ XgFZKRlYE7H1tMUCDwyKB7G3r1jsxBlUSbH1J6XjUBWKkTD4iMHI/4YStvghLjm2
+ 0qqgKH/Njd9xBXc3x4Ut7kh8tFMMa07xF7/V0Pgwq+7J7EgckEfKHKA5vcQt17Q=
+ =23io
+ -----END PGP MESSAGE-----
+ fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+ - created_at: "2024-08-09T01:28:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4HMJd/cQYrVAQ//RH/jOrYE9MD9IjkUfsQZ79rjEwDdtmsXs+gS/XUr0MpI
+ f/aDyw/vfvD7ZgY86yqp68x0OQLIyRIx9O05FNB3giVN4YFvZpFblLotpMzCFa2d
+ 5xKLIQ1oviDSnE0kKpNM+QKITKjCxyke7MgW/laXvF0zMaVdPj0qo3Zn07MUKULs
+ btxZgPhzwWLjveZGn+72QiBGTF0ce49TWoh6y/l7PDsXhojau2KP556hI3rp/nC0
+ PunbLVRntpz+bOoyOk+xvKen+8b/Vwp+GYA2NBDbZSEY9H3YF5ugZBR/jUc8da7D
+ 9EBA35udmQVKtD2XZrIyfhETC1eqLXORo0JKld5oC03JPkqvV+QpMF+8JBjXe1Cy
+ qI4pBmdhTJYFoJHpvMH7eC4CWgZZRMD5mB2nk1hYd9oIiYUPABfdeGxKiFnC8zHH
+ cEY3jgGzetZTxnpk2mxZvFMMwFqyOJA2PnwMTv3IraARkFrLxGzUIG4uOjo+l2fp
+ igOKsw9p46RR1gkuKF4u3yB3/1RloDyqGCU1/n4BCWy5/UkjSQpWKShZt3qMd2G2
+ A6si2zgSHIQ+ubR7MPB3Q3U/Rnw7pSbTbdDc73pZ2SPZfUuJplPSDUvXICGlj8cO
+ jO8s926qp4X9C4mi5um6EX5nLG+pfuKowIBdB2HWmxu2idwyrmNdlIgAcWcteazS
+ XgF9W6THXau4lEmrBqWEiC0K/9NA0cDJqRdvj6wqZ/OIAo86q3yRlm8yY8U7D00j
+ wNS8WSHq+EX0K9LpwQiHAJoxNXABEx/DbRqVeuLn2FaCocZigbvu3k/pePuOsK0=
+ =ZLl2
+ -----END PGP MESSAGE-----
+ fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+ - created_at: "2024-08-09T01:28:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxjNhCKPP69fAQ//dCKpiens8kqp+I9HtwP2CQOVMLLAle1VYB7pJ5pfcyzI
+ /3tAmwcxBmg+jhkFiqheBQYV2yNmBMHc5ulx+MxSDKd9mzCTavlGlE+intPjON8k
+ sis68RnU5OFsnGVXSmJji1vN37cCY4jHkf2vYzz6HJ6FLPrda/W3ZfXI+ZnOCao5
+ wGYrqPcYUj+7gnN1S42HM492oqeCNLcENDvegf8AxtBEgfp7UQ0V3ZC0wZEYhz0V
+ p9bdivFoEZ3Zo0sJTWKj3Df3IA5T6c4dbSPj8r7IZ5iNDguKAjvegXujco7pow51
+ fNNJB02hnYHLMRAbeRqaWyJ7qUQSWbQEgb8NuonspnXnajKc/OddgoTN91gTRgMb
+ op2T3HOFv3lKZPA/xIeDZpIm6GqOW6eJLjqiLP39VGvvNRYg+zxhNg/ZBVkFuSAf
+ U5uDPUyIAr10zdm7NqJKL8wKRbQzBg5OYovrXqSl96+KNenJqbMNv1N7kfSF6FuF
+ x8joEDXIaBSwINE4oXD5SN7Z5L2SuuMJ2nvuXFmmXKerRlrBiGsBzUVMt1bGqKEU
+ KoAAwbInZ9SprSxqJ1EkSVXpNGnFFNlbBB1j2u9BoGygOkVM4ZxIS19DBDLG0Tls
+ Fq6GI5d3axcf7t024UmwcU9yaP1BzrV0bDvDg3X+Azuo5JqpT3pSUvqv+Sy1C3nS
+ XgHK1C7XTOfcvmcxJ1f++xELwRkgNo1OqSG3cIZ8i1tKZFKTyYCiNHa/ajSr+wER
+ 4phM7Tdr6ubjLkqvDkMeXvtiGyUoAvbtLC0wqSaE8sEZ28eFGEAaECV/uOW81X0=
+ =0jv9
+ -----END PGP MESSAGE-----
+ fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+ - created_at: "2024-08-09T01:28:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA1Hthzn+T1OoAQ/9GTEI65w8icqppqTuvQD50vaR+lCY1NjWT0HekgvNuCLV
+ 4gL1cYv7tJ5UU6jOnREoScamWnUTYf/sLINIfa+FgvH+apswQeQCFrdCb8/61/Xc
+ 3hsJ8gwmguP1zJabKFI6/Yo3vPPa+kpj0Am6M7dUUxEKw4Lqy6Hc32O6ULNJOvdo
+ 56oqr6KoemrpU0TzqkKTpgAZaQjFfVzPWfC8moUL1pvxrHm7rqDPiYcl7fZP3JFD
+ gQMZokH205u1elxiFxuQGtW8jbeBqCZUm1UorEgD2EJYEPfyphIaHaQnCpW8zXkI
+ gt9QT3cqJpGJAobCPbh6vKPtbGPEqZOzOaCMFl07pkOSGPAVGMVfV+FdsfszPYY6
+ Rqsk7zlCFv/iNFWKpkdfI66JLvhmgNwXRv+rkYzH3QrQikjLmAeTzyL69SPujgDK
+ qXBRZiAPwEDScr2Qcum36jDVrT3jRfC1opzwpRxM2ompJ0F6caBPNVjY10BScl7Y
+ RWVmkFrPL9MdEelFLscG17K+y5S/50sLcU+sGbMkmPsmizA0boK5XBXJz3cTadYy
+ Asr2b4aWTqBS5iW1vbWIGJVrUUk3U1S4fFaSvsL3I6O0E+sOB3eEEpQZqpF9Genr
+ hCE8GVE5yQWb3YYK0ZA7j4u+dwA+QfRIuQuMWFoRKp8oqEitjjix3je2R3u8/ILS
+ XgFcAp8Jh+VbnQg/pq92u3dX6afGv6nENpMVPn73yob+sfE5xUFEfEzE1E1WCWdR
+ HiLZVOgpVOYmo2s8/UW60hLNBULpqyf6ZTQsr7IqaGw4g+Ew116cwDawywRSJMg=
+ =T0nI
+ -----END PGP MESSAGE-----
+ fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+ - created_at: "2024-08-09T01:28:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA46L6MuPqfJqARAApsnPRzTCIkbKT6jaVHixgP6wyCjfVmvgb0NnMrN2Ygup
+ pafb6GNWoFq9WdiSqwFIJPZlZxJFiIgSxplDI63Wj1MgfvQBEnKUQvnvR+UtnB22
+ bGr9mIrq/wKgslhPLFB0qT81RK/GqJKvRNpI3trGmB1pBnDdb5jiFeDHStv41XrP
+ hezAvmDGBKlM74fehu0pKOanIspyvFAjs31NULSHGJGzBxyM6OGcg/XLt9ea6bI5
+ jHwu3+M/7nixjtaIdCtEFPv/Mdimq9p64+c6AvbEVikUH/omRebRFIRrJCotYENT
+ ak6/2F+Fze2cof6pJPaq1KTF7LQHi1ZaQ/N+YNDsMJIYYuX3lVg/ClEjeo5k1HJ4
+ Jc+ul2KF/dAh8UsJPIdhJDlxIPdnof7xBLax1xmOQTHpqsfhZe5BP/0KMeeXzG6s
+ TlozMaCY0ok4JiQmiJcs+TjHX+uiiih6Wi756v7qwpCk5u3/BM+veHB/slD5Xezn
+ KmuHzwcbaP1n5JlOtv1PLAPfqX9EDsAVr2xhYTBISZiIKXyfagUWzPNX6toYtBfV
+ cQ/m9nfc5/STna7XGucnKkYFG5U2a+olIqCcbbNkN4NcW5ly0M5g1VW3oh02NO8r
+ A/4aU8ECj+79XXx0XCuVojnkGdTT3SQex7bkV2stBpuc5xfESbuOMWXgK0qZrYrS
+ XgEfX0ySVVrCxhtJgsQvZl0zrOwIttomV6hlQgo+n23HNPwjEf4nf1p2sje0uPvb
+ bPC7u5y1eDdy5E0XyWkAg4hxPLg7yOj7ET84Bg9S3NE8cE0nM50qL0N6aCAb4II=
+ =Is94
+ -----END PGP MESSAGE-----
+ fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+ - created_at: "2024-08-09T01:28:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4EEKdYEzV0pAQ/7Bx/s7WlB9TE30vyqVWw6H4DoZS8s03Z21tDAtrUEK+k5
+ QtMPvAIE0SG4lXersM3L6VMmhvPQlwZf+zSzBnO0J5vacvMG8dch4/ZH7YTM0VX6
+ T0Ix9ScamEI8J5Fr1LAeBoqtTa8n1/3N2ILBVPRTTX5Wu4lSUw/voeePXAYxSSMv
+ 9vzrxJNcRgzbd/8Fbo3i2vzn4GvrP1JzsprLrUMVFaek5khD0hRDJMM0IhBWFRRh
+ L241zX/IBZDQVz0x1QVUBFmkoUjyNn94CTezTmGvqCXfkLRmcKzTZXd0dhORBPFa
+ LygVSLdor0v5ru70rMds6YN5WvqbmG7KUY8M3gcVXutvID58vw6ZE83T8ZAYj9S5
+ r9hXegeb2e03tCvSrHmQFf37+298/E8/kBrBQgoevnHmm3p0yN3ZbrWLIRhbx2iF
+ NzL5s17PnGzmuSigoZERsN2Flx2fzUbtwVDP3AyLVpQ7NoqTZkJTcGQuvkYawnEa
+ 3RxUQySR+a7bED38wJ6zEpVg10ye7c8mVkzQnda1Qp3lnPZxz+1qg1n25I9hjNO6
+ X1E8gtXx2EcwaoWcPO0W/sNBwE09SCM68KWSykwOLvZb5tq/HnhrwSisps5sAg9V
+ Z1c0OCwgJvYoTY46rqk7scN9YkE16LDCtAzgppZerli179E/f/7O3d59CA1mCEXS
+ XgHbdM2nxaBPCPgXXNRVq13R8JXiOokuxUZofwl6FaG8A6yc9z5F4Ygr/KKDeT0i
+ YMBezxQtQ5uKY0jIx5g2r6aSdly3QPNKiFS/rxDCrmtaBqw+OvhvLrnCn6IaRVY=
+ =XAoN
+ -----END PGP MESSAGE-----
+ fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+ - created_at: "2024-08-09T01:28:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DQrf1tCqiJxoSAQdAFvRDMKG3Vjs98kRqcs4ep+bYoUcBHbMA7WgzI7CcaGQw
+ FjdmSwvWaHJZQGEbGk4uDHKPHqXRD3HnD9d75Azu2HXnCA29aU2c0zn0PziIi7Aa
+ 0l4BbcavPKNBkZpJNgW0uII7xMYJWJ/9vStTxXG/WzNia6nk/Cv7PMJW7EwIeUga
+ +PWB4yGfPXgqJGnJj0H1EdCVPrM/+f19GcFxNKKzkGaKTyVTW9NxntlsFl1vbmRx
+ =YRc6
+ -----END PGP MESSAGE-----
+ fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+ - created_at: "2024-08-09T01:28:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzdAjw8ldn6CAQ/5ARLA8sAZHMwNhHJycVof+ZergR58hXCBjbIy5zgyAwYU
+ IJ5OwhTpWqniZjt0b9pvlzU4JO1k73B1WrF7mAYEOKET32GPVatrQ64yInQbORSZ
+ zNQgX3aQ8tEtyBsKAWqwqRjOaP6Plee6G0RCksJBAkjIZik0diTOBwi+ZhgYSRLE
+ G1NAETqMKkLleYQbUWCFNveJOd/7pfhE4xhAEaSxL3dgXNPV2TOngvjCqMXvz0K2
+ hEz6OYC8idpmAJv+S+HOaZbKV+giCopsPyFnbeu8jf1UpbsBRbHPnLOO6lLby2gf
+ 2P9MhwSeMjjCZFX/ys8vHQ2jUwXK8jfW3xfVie4hVJgh6vO+uHcomjnk2b+34SRk
+ 7ttoozLbMFxwrcP9trV0TgT2uzjFCe4fHccpY1VLTCX/O0eYtlhDhur0Wojp1z9v
+ h5mcqySEtJfHXJbTXkgMA2+QSyUaTTfvZ6oJqX3yAoq5eIzC0CcF+IMa6NS1XkY0
+ TNd3FEhwe7TvKGCy/3bJx6jMUnhT71r6KW/w7RVIHgdp1hfUS9JBhxVB+agQVyRv
+ +HBmvWHqUdwnFzotGRzLU1g6soWa+fRVQQ80qAi1U8e+u9IX3EG0KoIXLjpkvXxK
+ y520NcOdN4wR0xILPP/+47QDN+kM6lunm/EMgrff4YDE8J83qMhH2IP5s/tV023S
+ XgH1hiB0U4SYt0Rp6OGDV+CjBCFaCkPPlync/SVuXddfLC1owGlY9L3jwu7j2PR7
+ jy2jPPTWrOvT0wZKEh4k501LRb0n6LGqW6gDTgOnZKNg2iQ6jybv2HeyyExYllg=
+ =1o5H
+ -----END PGP MESSAGE-----
+ fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/config/hosts/penpot/sops.nix b/config/hosts/penpot/sops.nix
new file mode 100644
index 0000000..b4548ed
--- /dev/null
+++ b/config/hosts/penpot/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
diff --git a/config/hosts/ptouch-print-server/networking.nix b/config/hosts/ptouch-print-server/networking.nix
index 7c7cb62..83031a1 100644
--- a/config/hosts/ptouch-print-server/networking.nix
+++ b/config/hosts/ptouch-print-server/networking.nix
@@ -11,9 +11,7 @@
];
};
defaultGateway = "10.31.208.1";
- nameservers = [
- "10.31.208.1"
- ];
+ nameservers = [ "10.31.208.1" ];
};
systemd.network.links."10-net0" = {
diff --git a/config/hosts/ptouch-print-server/printing.nix b/config/hosts/ptouch-print-server/printing.nix
index 5964f56..23cacca 100644
--- a/config/hosts/ptouch-print-server/printing.nix
+++ b/config/hosts/ptouch-print-server/printing.nix
@@ -90,9 +90,7 @@ in
# pam_deny.so # deny (order 12400)" for pam.d/sshd, so enable
# PasswordAuthentication to have it not do that.
services.openssh.settings.PasswordAuthentication = lib.mkForce true;
- # The following doesn't need to be set in order for empty passwords to work
- # apparently:
- # security.pam.services.sshd.allowNullPassword = true;
+ security.pam.services.sshd.allowNullPassword = true;
services.openssh.extraConfig = ''
Match User print
PubkeyAuthentication no
diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix
index ff14adb..507b71a 100644
--- a/config/hosts/public-reverse-proxy/nginx.nix
+++ b/config/hosts/public-reverse-proxy/nginx.nix
@@ -9,6 +9,7 @@
services.nginx.streamConfig = ''
map $ssl_preread_server_name $address {
status.ccchh.net 10.31.206.15:8443;
+ status.hamburg.ccc.de 10.31.206.15:8443;
}
# Listen on port 443 as a reverse proxy and use PROXY Protocol for the
diff --git a/config/hosts/public-web-static/networking.nix b/config/hosts/public-web-static/networking.nix
index 34b36f3..cb22d40 100644
--- a/config/hosts/public-web-static/networking.nix
+++ b/config/hosts/public-web-static/networking.nix
@@ -1,17 +1,19 @@
{ ... }:
{
- networking.interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "172.31.17.151";
- prefixLength = 25;
- }
- ];
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.151";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
};
- networking.defaultGateway = "172.31.17.129";
- networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
- networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "86:72:08:F6:C0:D6";
diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
index b2f9f8e..6f951f9 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
@@ -2,26 +2,6 @@
"dynamic": {
"sensors": {
"temperature": [
- {
- "sensor_data": {
- "unit": "°C",
- "location": "Hauptraum",
- "description": "Sensor im Hauptraum"
- },
- "allowed_credentials": [
- "club-assistant"
- ]
- },
- {
- "sensor_data": {
- "unit": "°C",
- "location": "Loetschlauch",
- "description": "Sensor im Lötschlauch (Teil der Werkstatt)"
- },
- "allowed_credentials": [
- "club-assistant"
- ]
- },
{
"sensor_data": {
"unit": "°C",
@@ -34,26 +14,6 @@
}
],
"humidity": [
- {
- "sensor_data": {
- "unit": "%",
- "location": "Hauptraum",
- "description": "Sensor im Hauptraum"
- },
- "allowed_credentials": [
- "club-assistant"
- ]
- },
- {
- "sensor_data": {
- "unit": "%",
- "location": "Loetschlauch",
- "description": "Sensor im Lötschlauch (Teil der Werkstatt)"
- },
- "allowed_credentials": [
- "club-assistant"
- ]
- },
{
"sensor_data": {
"unit": "%",
@@ -65,12 +25,13 @@
]
}
],
- "CO2": [
+ "3d_printer_state": [
{
"sensor_data": {
- "unit": "ppm",
- "location": "Hauptraum",
- "description": "Sensor im Hauptraum (Typ: SCD41)"
+ "unit": "bool",
+ "location": "Loetschlauch",
+ "name": "mk4",
+ "description": "Prusa mk4 state"
},
"allowed_credentials": [
"club-assistant"
@@ -78,9 +39,10 @@
},
{
"sensor_data": {
- "unit": "ppm",
+ "unit": "bool",
"location": "Loetschlauch",
- "description": "Sensor im Lötschlauch (Teil der Werkstatt, Typ: SCD41)"
+ "name": "mk3.5",
+ "description": "Prusa mk3.5 state"
},
"allowed_credentials": [
"club-assistant"
diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix
index 13de76b..3f1f8fe 100644
--- a/config/hosts/public-web-static/spaceapid.nix
+++ b/config/hosts/public-web-static/spaceapid.nix
@@ -1,19 +1,20 @@
{ pkgs, ... }:
let
- spaceapidSrc = builtins.fetchGit {
+ version = "v0.1.0";
+ spaceapidSrc = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git";
- ref = "main";
- rev = "17753f535c68157e80f30f50deb488133cc98258";
+ rev = version;
+ hash = "sha256-2SDhliltzyydPPZdNn/htDydiK/SHQcYyG/dQ0EyFrY=";
};
spaceapid = pkgs.buildGoModule rec {
pname = "spaceapid";
- version = "main";
+ inherit version;
src = spaceapidSrc;
ldflags = [
- "-X main.version=${version}-${spaceapidSrc.rev}"
+ "-X main.version=${version}"
];
# Since spaceapid doesn't have any dependencies, we can set this to null and
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index 3678a96..c78cf8b 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -5,8 +5,10 @@
./branding-resources.hamburg.ccc.de.nix
./c3cat.de.nix
./element.hamburg.ccc.de.nix
+ ./hacker.tours.nix
./hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix
+ ./staging.hacker.tours.nix
./staging.hamburg.ccc.de.nix
./www.hamburg.ccc.de.nix
./historic-easterhegg
diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index 0d7792b..5f0792f 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
{ pkgs, ... }:
let
- elementWebVersion = "1.11.68";
+ elementWebVersion = "1.11.80";
element-web = pkgs.fetchzip {
url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
- sha256 = "sha256-SsEvc+TWyJG6YPBcyQm9mqQVUegqIcspxSGuL3TzVeY=";
+ sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8=";
};
elementSecurityHeaders = ''
# Configuration best practices
diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
new file mode 100644
index 0000000..7eaa086
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
@@ -0,0 +1,63 @@
+{ pkgs, ... }:
+
+let
+ domain = "hacker.tours";
+ dataDir = "/var/www/${domain}";
+ deployUser = "hackertours-website-deploy";
+in {
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ error_page 404 /404.html;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ users.users."${deployUser}" = {
+ isNormalUser = true;
+ group = "${deployUser}";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrDTANfPMkcf+V7zkypzaeX2fxkfStPHmZKqC29xyqy deploy key for hacker.tours"
+ ];
+ };
+ users.groups."${deployUser}" = { };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
index f9805cf..fe53d04 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
@@ -7,5 +7,6 @@
./eh07.nix
./eh09.nix
./eh11.nix
+ ./eh20.nix
];
}
\ No newline at end of file
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix
new file mode 100644
index 0000000..947791d
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix
@@ -0,0 +1,86 @@
+{ pkgs, ... }:
+
+let
+ eh20 = pkgs.fetchgit {
+ url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-eh20-website.git";
+ rev = "026932ef2f1fb85c99269e0fb547589a25d3687c";
+ hash = "sha256-YYxHhPYIioJgyHXNieoX6ibasHcNw/AFk+qCNSOxke4=";
+ };
+in
+{
+ security.acme.certs."eh20.easterhegg.eu".extraDomainNames = [
+ "www.eh20.easterhegg.eu"
+ "eh20.hamburg.ccc.de"
+ ];
+
+ services.nginx.virtualHosts = {
+ "acme-eh20.easterhegg.eu" = {
+ enableACME = true;
+ serverName = "eh20.easterhegg.eu";
+ serverAliases = [
+ "www.eh20.easterhegg.eu"
+ "eh20.hamburg.ccc.de"
+ ];
+ listen = [{
+ addr = "0.0.0.0";
+ port = 31820;
+ }];
+ };
+
+ "www.eh20.easterhegg.eu" = {
+ forceSSL = true;
+ useACMEHost = "eh20.easterhegg.eu";
+ serverAliases = [
+ "eh20.hamburg.ccc.de"
+ ];
+
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }];
+
+ locations."/".return = "302 https://eh20.easterhegg.eu";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+
+ "eh20.easterhegg.eu" = {
+ forceSSL = true;
+ useACMEHost = "eh20.easterhegg.eu";
+
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }];
+
+ locations."/" = {
+ index = "start.html";
+ root = "${eh20}/wiki_siteexport";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
new file mode 100644
index 0000000..382f1b6
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+
+let
+ domain = "staging.hacker.tours";
+ dataDir = "/var/www/${domain}";
+ deployUser = "hackertours-website-deploy";
+in {
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ # Disallow *, since this is staging and doesn't need to be in any search
+ # results.
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ # Hackertours deploy user already defined in hacker.tours.nix.
+}
diff --git a/config/hosts/status/configuration.nix b/config/hosts/status/configuration.nix
new file mode 100644
index 0000000..c36dc63
--- /dev/null
+++ b/config/hosts/status/configuration.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ networking = {
+ hostName = "status";
+ domain = "z9.ccchh.net";
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/config/hosts/status/default.nix b/config/hosts/status/default.nix
new file mode 100644
index 0000000..d8644c5
--- /dev/null
+++ b/config/hosts/status/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./networking.nix
+ ./nginx.nix
+ ./uptime-kuma.nix
+ ];
+}
diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
new file mode 100644
index 0000000..e7f1932
--- /dev/null
+++ b/config/hosts/status/networking.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "10.31.206.15";
+ prefixLength = 23;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "2a07:c480:0:1ce::f";
+ prefixLength = 64;
+ }
+ ];
+ };
+ defaultGateway = "10.31.206.1";
+ defaultGateway6 = "2a07:c480:0:1ce::1";
+ nameservers = [ "10.31.206.1" "2a07:c480:0:1ce::1" ];
+ search = [ "z9.ccchh.net" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:79:D3:E1";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/status/nginx.nix b/config/hosts/status/nginx.nix
new file mode 100644
index 0000000..8eff61c
--- /dev/null
+++ b/config/hosts/status/nginx.nix
@@ -0,0 +1,149 @@
+# Sources for this configuration:
+# - https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy
+
+{ config, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts = {
+ "status.hamburg.ccc.de" = {
+ forceSSL = true;
+ enableACME = true;
+ serverName = "status.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "[::]";
+ port = 80;
+ }
+ {
+ addr = "[::]";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://localhost:3001";
+ proxyWebsockets = true;
+ };
+ };
+ "status-proxyprotocol.hamburg.ccc.de" = {
+ forceSSL = true;
+ useACMEHost = "status.hamburg.ccc.de";
+ serverName = "status.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://localhost:3001";
+ proxyWebsockets = true;
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 10.31.206.11;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ "status.ccchh.net" = {
+ forceSSL = true;
+ useACMEHost = "status.hamburg.ccc.de";
+ serverName = "status.ccchh.net";
+
+ listen = [
+ {
+ addr = "[::]";
+ port = 80;
+ }
+ {
+ addr = "[::]";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ globalRedirect = "status.hamburg.ccc.de";
+ redirectCode = 307;
+ };
+ "status-proxyprotocol.ccchh.net" = {
+ forceSSL = true;
+ useACMEHost = "status.hamburg.ccc.de";
+ serverName = "status.ccchh.net";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ globalRedirect = "status.hamburg.ccc.de";
+ redirectCode = 307;
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 10.31.206.11;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ "status.z9.ccchh.net" = {
+ forceSSL = true;
+ useACMEHost = "status.hamburg.ccc.de";
+ serverName = "status.z9.ccchh.net";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "[::]";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "[::]";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ globalRedirect = "status.hamburg.ccc.de";
+ redirectCode = 307;
+ };
+ };
+ };
+
+ security.acme.certs."status.hamburg.ccc.de".extraDomainNames = [
+ "status.ccchh.net"
+ "status.z9.ccchh.net"
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 8443 ];
+}
diff --git a/config/hosts/status/uptime-kuma.nix b/config/hosts/status/uptime-kuma.nix
new file mode 100644
index 0000000..02411f2
--- /dev/null
+++ b/config/hosts/status/uptime-kuma.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ services.uptime-kuma = {
+ enable = true;
+ };
+}
diff --git a/config/hosts/woodpecker/configuration.nix b/config/hosts/woodpecker/configuration.nix
new file mode 100644
index 0000000..45e228e
--- /dev/null
+++ b/config/hosts/woodpecker/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+ networking.hostName = "woodpecker";
+
+ system.stateVersion = "24.05";
+}
diff --git a/config/hosts/woodpecker/default.nix b/config/hosts/woodpecker/default.nix
new file mode 100644
index 0000000..1db0c8c
--- /dev/null
+++ b/config/hosts/woodpecker/default.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./woodpecker-agent
+ ./woodpecker-server
+ ./configuration.nix
+ ./networking.nix
+ ./sops.nix
+ ];
+}
diff --git a/config/hosts/woodpecker/networking.nix b/config/hosts/woodpecker/networking.nix
new file mode 100644
index 0000000..3301812
--- /dev/null
+++ b/config/hosts/woodpecker/networking.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.160";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:5F:A9:B7";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/woodpecker/secrets.yaml b/config/hosts/woodpecker/secrets.yaml
new file mode 100644
index 0000000..091ca2e
--- /dev/null
+++ b/config/hosts/woodpecker/secrets.yaml
@@ -0,0 +1,234 @@
+woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str]
+woodpecker_agent_environment_file: ENC[AES256_GCM,data:rwp6TYYFJ/IZH+3pGhPxjdZMLoyPMr/W1RXm4IkUGn+SmIjHZcdFZ8nEhvOfnkfrXNPc2MR+X6NXUmVOcBjSCbcBjh9sC653UpKimt9I3/Ec,iv:X9JH7dmTayw8BaEsXYil3PrykCdd+/ANGHVfEyRvc7A=,tag:/ErkX1WnruanNgTTBUT6LA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQlN5NmlaUjR5dGJ3Y3BP
+ bW4rWm1KaVFsbytwZDQ1QjV1d1VEOEZlSTJ3Cmgxc1BmMnBmWjRyNmNDWmpWcnJt
+ Q3lBZUFOY3FtREFUYmhJNCtKcTUxY0kKLS0tIHhKbVVBYjN4WHRzdERNbkRQeHlS
+ UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0
+ YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-22T15:55:25Z"
+ mac: ENC[AES256_GCM,data:UmDbmxSRj8YfCkKEelQNMJ8mzbu5aQdB9yOr9JfUh5TB9r5Z5ttZ1wgJDJqHNtsII3JGXUvbgHbsmbPikkrj4Ege1rrgr4UttN1rtgeaAKlZIlqb9pOnV4//GJL8jbxCgFp2h2O80G05nAXG54DaY//4Y5hfTyPzgyDlGQ6jlhg=,iv:5e8lpFfGAJh8lTFcY4MlZG7PgnzM0UycsU0tB2KN+zQ=,tag:4xUEHg04wjDbhc9MOItzuQ==,type:str]
+ pgp:
+ - created_at: "2024-06-21T22:42:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxK/JaB2/SdtAQ//QR84p3zGjW2CtPcPxlmdYui5nx8FV3MHog4R24s4RKNK
+ y4n9993z8m3y2at4yIWDi4LBKrhm/6mSLBHfoxnuiptoaSXSWXfaXebXkYiinkyP
+ GMvwegN6KkRZh4stJMD7W0g7w/trkNEAvPDoInqCnvT4NomrKIV+ZrZuCBLd1tXn
+ JRd2tsH8yYzoZr/PJBBDTZtke/nbosb6drjgG6ow/eHyF++HxKNTWfjCiWn4AWSb
+ c/E1VWsigYdBs8XSTbBkfSLr/b5FcXYb8tyy4gpGe9zOrxc7cW5diK5+x4bM8FHz
+ 85ShPA5S3PXXEnuifuk/ZK8+CEYWUS3MXUhuEFUo7F3Pt/Eb+5CtfTX6kvMe1xe9
+ iqFAsRce/qm9Evns4ygZ4+LoI2ro2HFwgQ2fu1gi7PyZsDyW5eRL5P+vfxPUOxYY
+ z9cXXo+U1NEzWMDEBWt4mgoW9URye6O3k+WLQmYbQIhDkftUYmvRrPYQvP282m4k
+ NMucRIRUMkx7rpRQQP8yU6AlgZ1LsOmruV4XJYVxsTpSZq7YgTQP4kd3wMgBhwOV
+ j3hGc9gI9Sq06SdyU0C8PuUHt+mZGkVnYIOTw6BXHgY1tK8X5XnWK4NJXL9bR0pY
+ kfzDWLjD0hiiM3QYqieTbnDUiVTDGyf7Cop+EifYvy7um+CPjlYLLkDkEsWcy/HU
+ aAEJAhDEzP5eiU1e01GSNbWL49ghD7DqZiYdo0F/BGMk6jQloM1HUDnkhgBhVSZo
+ TjNPV3UFBxeRnT5DvouD6uJ8SDs42ARdb4F80vJVHknt0yBvGWfCQsXqKwuRDd1j
+ zkj4zG7btJRv
+ =sgSP
+ -----END PGP MESSAGE-----
+ fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+ - created_at: "2024-06-21T22:42:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA6EyPtWBEI+2AQ//V6IIW3Hr3xuQWOWitDGn1bo+x95jePPpXNayKGJuaSMf
+ 00gaOyMpqP5hRd3lEQRyqHgPtmszlGrxq2y77CxnnZMbE6n+axwQQLoMzROBGyGF
+ iqe6hNbNFZPjWv5BTAl3iOHWrw3x/TpgcNmSBDfctU+CZlMWzCMuXJw1bK57wQd4
+ B6xcoBxidK55Ubc7GQ8mlAEuZ89fYorTRBfv2rBgUh8ZAAsUmn1jEz7HsQMMd2a8
+ 5V4TzicdzXO2cZ+0DqU8Xqt5U9C0IjGgZRPzDYkh7slkbyYomAIfCq+zN5ieecz9
+ Mp8vvuMYfT66P+heNRZ7w/sgmGlarcmNKlOcXlakVYm5qVddPMx6M5Ovl4O5sABz
+ V4O4NRehYx0XFbjzXr59LCzpusS9xQoh49288dLTFudOInHUYq6ss0TbGfFJMDYU
+ mjHokzdG3ds8C9/lMR82X9rbyZDchUytHUwX4eGxUDMmhydFpgJko0bbozPbE2ll
+ NTlWegCc1yrkSGn6U9EYKtibitJnIMdas5HapcErMH2vYILsJOl9ifG1GIsuWe1+
+ ipPyZy7jqP7p18WCcDnUhgaGdQ67UjSLqX2zz0SZDcfI46SUeyeSelFVpTlmKriS
+ 4bW6hC1FSe+bLkPZ0y5aRLgL5ipK6jdlZepAj/DNXdKAtchLHcddF3rKdBdzsxrS
+ XgFvvZPgj1JleYr+q/+ju4k1d4cE0HnQZIBnkAfKXZHwSPCw1d9vbeLipuRTJrEH
+ 2CpOjtiXl3S2ZcCS1ama9lgAqPBOOoH7jgHvoCzqfkBsi3/QlIpQs+C8ro4hXE8=
+ =KZWk
+ -----END PGP MESSAGE-----
+ fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+ - created_at: "2024-06-21T22:42:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAz5uSgHG2iMJARAA5+vcORn/YX2bHcAno9KCUGTzeiCP/DOoSePMdsCAmABj
+ P8XoYJOyZoZgW3qgvtKZ4pLGB26FuJXC2y6Z3yyQ4Xj2PeBj1og9xM8p7GnF6T6n
+ 7wqALwJOamyer3A+OXx2Gc8kZ0ObqgBbbn5QTPnHzsRljC3Irgk+ZZE8ZRshoPmu
+ 6TEuMW0NT5INmijtPAxer/eaAor3KKxMTf+sqqr/VGNopAyFUCGZynlnjcei6X+T
+ tVKh6zqr/eaTlnhoP2kr4u+wKcHvLV8an8sfsyIGL90O11LNcX8Sf4EyPDYSXOe7
+ AXTFcvfw9+ALu3cbTVPN0aI2e8fCir2S00F8x28Ffc2xDSrXjWEDCXLuRNVXz5KA
+ Mjq4afyQN6mtVZ6ZmtvaLQoG8D2f2sGzvrsBjaXwxPLHKPpUFZVBiiP0C08yokUR
+ 7FrYaOjnvQVALLxGJMAhMf02g2dYDFxMw18cY2a+bLrYUVd9EMbuFwCJNzmU0of7
+ EpSvXrA0wTKddk+vL3JoJgIrOxz2IQbaC24NiCUzbyakhT+qDX/oXXILxL2x0GfR
+ RaTL1inkTQO//ooAjlPeMA3OIDQo5CdoV4VlvSUgagYfDvMfDCAO04Xxvezh1uvz
+ //4Jz13+LFoUgbtVUYiT4oqWyfTKOV0D8ILYWKZJtjJt4TeYpEfbQFEzIYyF3OHS
+ XgE7aGyB0ArPBovSr55eQGmW+FaeG1VtH7TRLU367FyQmGep5O2SUxQXqFFiWyDy
+ bseIYdRqNsmlgdXBnADdkVCFJtF4C/VA2DOk+wOO8XtQoMQ8zrIl+0Viq1s66OY=
+ =xc00
+ -----END PGP MESSAGE-----
+ fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+ - created_at: "2024-06-21T22:42:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAw5vwmoEJHQ1AQ//abtgoFEWd+zbeSbiwey8nCNQUSklHV9kbLuBK8+ipX/Q
+ qjweWnnPVN6ODhgfXm93k1tSqeJjYqjqfxVsAEUiXC61UhvS6JBZuVUt4nRUWHk2
+ cdu3eKlBx7Nhm6th1gZ+Wf7PcryT5fmJQP5a8VEM/nUuRjnAmG7RuSiWbNzBbTDx
+ 4jh4GTvlFkupxZvLsXYf2T+7qn0eHymdQI8+5WSHQH6kApBvINYoq1m55it5ilEp
+ M0tYNFMzi10OjKVbNRQXuKhROzzYGtW8qWGtc33WBB5rvkRVelSDmleTbRywWjE0
+ rNo7vj97SbmGdCHydzcEwPIBOd11ZgFWpamX/36ALeKCxgHgc3HsnjIkDsEffpoN
+ SFHAhyYqXTDRqq5/HuBQBDBJLVVcIbqlJo3us47gI3rhojjSayzTBd5TnGOZt5N0
+ rFOqoZ1i3vf3C5sjKivTzCJ/P3yFgD271hQjv49jSqXgSF8ZIvzaDr0xLiy+XnZ+
+ EsUyqxZBKWy246BtyZ4qBvRjVKbezpxQFh6MzxccY+toUaG2v2I5muvFJRHe7qEA
+ fT6XDl7W6aQ/RBL/Ij9OWYvCMWS27mzkLQi0uBH5gyA1t6Bg9O6+CjGpK6Mmd8fx
+ 1Q2Ml5ClzLnEq94FX3f2hpqLdSlwREPoBYULeJNr+WhayDvfRjuh5+MvN+wjbs/S
+ XgGYwgGCrFmzXN1mWElNGc3+3sMEpiuvJp6Z1nRfr17YvIPUrtCU7zVHWR1lWFKU
+ gjJacBX/Qw9Kly+5jADM0UorWkZxaby+q+j8rN43nPatjDlDRI+BrNta0l0ulOA=
+ =2cbn
+ -----END PGP MESSAGE-----
+ fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+ - created_at: "2024-06-21T22:42:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4HMJd/cQYrVARAAu8l79uJlVLz++foLhk83zrPSZsX+1TQduJl06Kx2VrJ+
+ dZX/0okzpHmHeZGhGH+e1Gv7MpyM4UxAGwE03NIk32p43LF/biad0zc4TB8yr9r6
+ N3Sr/ZbaB0oYC/K4r1Sj8W1XWmuYZB8lc1dyfwhf96KIXGutvG22O5XI0pOA9yHL
+ x4AWt8OHYsaWCt941M6pbFtBsJEl/TaKgYF7YNITvsfj/oG7cPESKLOkcJdmhN1r
+ ADpJRcs6rVvMLWxUBjZICqZvDlwnXK5gCu30MmLs/oQbFmHjBRB01Ird+Mb5e6l4
+ vrYC+zO3RG3dZ+VXJD0rBn+56nDMtiKISJCy4I4Vz/ekwx94cIci+BlD9/3YYix7
+ HVgR6flBgInZEvaBxyj2e0G5i2gKvYTfea5+6bwPpszLUaYba/YLQQ2mSXcwWPsV
+ ipuNSjJ8swK2OpOFTfzs7Ua1OZChCOhhduxiKCwASYrbncfexObsQfeobj3wrwXH
+ N4M+h5ghm+y7UFKDW+gfN79WGfltWiMdy9vZNwwEYF0NE8jkwPfIt2dLvyU73MFU
+ NivYWp6kUj+gbLkb3gLClAi4CyYqNQyBjbKEbt+470UIMZ44WWMEJy7bMwAVzLBk
+ VxBHphqSuP04pgb5a+PHPApCZC6KEntnW1zX+DKrCn3/+NhoD6COhCvetWxq4f7S
+ XgFop4XZPWYJb6ypqkFLbkHIg7tCbr/xae4HABncVj0BaS1Z7TBdMiGi8SQvHti5
+ 70rNGZIpQe/59DmBrLT06VdQRY5rt20bDoN+DaUrE2tc0k5h+uwI71TG4//Db2A=
+ =m4ec
+ -----END PGP MESSAGE-----
+ fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+ - created_at: "2024-06-21T22:42:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxjNhCKPP69fAQ//Tz2g90bOkkY942MaLO5/k8MFMf4QEDMZAiw9tVZ39Rqf
+ udMTcGyOX6zLzr+xxNX3gwn8X+bl0yw4Tg/FiyOzl9RjMZDxvzUaj1gYZI9kKPne
+ aEmAYcP2mv+ITUDnApZonDZE5hUnLGAyfEZMU6ExF9XkU94dXFdU4nd+gF5XHzou
+ STiNryBYaxWP1WMkW4SlZqdJiCfrkI0Z7iTF86QtXN5S8qLSIyjP3hIv5QxJg5Xo
+ NwK5IXQhV/0ZHp1Wl8Xys2iUw3iuwPga7sBrMHdJ0PHVBg3Wg/bG7YtrfEAfUbcr
+ UHt9rNGFZluuqNctvcvkSUjv5DISCgl8lSSbzC8DK/vT9o0DQYWvySNpVwXO3tqs
+ 9aCxKc8trCXrd9qePnO259Ni0ALRjyh/GHZipzhZo/mgyUWc5nAdTLM49MsmAKHc
+ PnBBSntXnVHfFoFvgyBAmyISVuH/L5j8mezQ/37AevcTfuWemjDRGWIiIJZ73CyF
+ tG6ida5En9QouMO18gKBBzfR/2s6tt60bEp4bE3j2rRgEhwblBfl1NtGSw2WGVVZ
+ bU8KormLDT8aurMIp/Rd1pzAxDpEhDa13TV1IfRECOQvY35aBC59upt+XLwJ83ch
+ Zgi5cRGtSoj1G9OziQGCtJjGqkZoFy7Htou6AyFUEln+2Px0EKGJC3yCUcOF0orS
+ XgEtK2wEJNnJ84LctjrRM4ZSeb/8nycfWiR9riJi1lq6J+WSeiGME3cvhgObDTtG
+ EwuAjG6vhwUdr3aovsENQhvHnQWID844CeBtB9jMHbFJy41vbt0rC0JJG/6RoRg=
+ =5Ijl
+ -----END PGP MESSAGE-----
+ fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+ - created_at: "2024-06-21T22:42:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA1Hthzn+T1OoAQ//dwisvTFgYUCFICbaNZ+8jttF4lTQ2fjdP6UHb0evav84
+ PUYpqUfmMF1BUvxDx0rwzzP1OaSKuesxAG46i1Nha1Tq/LOURtzZtXPW4+xSHWge
+ ifbcbGTBkACviKkRuVUqaQBAbzDnFIHtcQy7nbILmzM0aRwm1IC1WzKpPRBgzAy0
+ o/UE4geZjPuNqkix4mcLz8sXvKMz11FE3QpZ44JqiRhmAITTDVo2ymhbvA6R2C1w
+ AL0tjJwKRb0qfoBegyPbuUW399l3CCtEE7voW8AxZ3Y6EGO8DQ1i/MkR81zymFep
+ PUDVYDmhqmh38Z79v5iKqnruzS+rOaitzMRqsUfOJfa4UoFkjO6tYdi5cOY8T4cD
+ w0rgCpvWriaGKGHDuRIdu031GFyf26+SvOWEbiOhMv+h18Hj5P7uT+Is+VuEhHEo
+ i7EYTqzsRwyIfybNkb0mBVluvXb4CpZRdRq5AzC49qu4IezvKoAT99KG1yf7XJvI
+ Ijc/ZITFqCBxE7REA4JBDuivPHfML4CgxG+5PiBJ3JDdaP+xRuoVQQv5E55Y4YwF
+ NM+NTNcvsTv2vKXJ8mmWLBn9xMxN32gmDyy7jW0elW46AQidIL6C+W2Zhxn6GNvc
+ 2faDhNQ3yV0A9mIsgQjdWeQemqhsiVU6Sg4Mmattm/b6plGCM1DIcJgMV2RRAobS
+ XgGt7zD15Ju4S+fQqL7MVGGD3y5v0C5eLx78MScygpNQKS0vfTfTE2+wRCzCjZAG
+ /6HU85E6ru1VeXc0TwQBrpX3Wi2ga/momalsCGoh3oHBd+jRqzwpRxojKLy65qU=
+ =g4RA
+ -----END PGP MESSAGE-----
+ fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+ - created_at: "2024-06-21T22:42:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA46L6MuPqfJqARAAmTOXbn+qa0wgjSvK3juGqVemxKvaD2zFG57ivYdC1Jdn
+ PIVi5aBCvZ8KY/0W9k83LVcGUY1f8eRkCU8ohJU+rmRbiTvT0qo1hfLzxrqaNbke
+ gN+YsYW8bgXioF6nHVWI158GvqNfmvRl4WyJzBQ41cAyMpdGXiIzUoCba3Y6f+1N
+ muljMhgvEtWUddf4zheZX89xV+aLa9Mga6aQbwRcL451UcKxmE2nk4+00rMn7R7R
+ vmsC677/RrKkI7RxubzCVFFlzaH+ZZ1Ott6ozKUWs2vCcB6vTzwwvmrJwmr760lC
+ pozfNp/+WzLZOkA3rO2qAvIUc1DxYA6CgukrAAObCbvmcgMeLtVR29wwWs01qxI+
+ cTxmH+btbiM0PL8+/sW2KlC19hfMmeryiJXxbUN30a3fMDJz1wVor54DsaqG9kIJ
+ zIxGsQ6t8fzfaVfeQwoxODnTWqUClWCY4is251O4Gxw3C0oPWZvzoPvxljaPrYYY
+ SE3dcktWmGoOxLj56lLfceKq0qAtYmJD4Q5k2GDYYU+8dwp95UTf0lbRwauMBROT
+ OMe4r/emH4Z1LiG2/HLoM4QuV5VVQGSAqoE3c42YjjS9uh/aOtmeNNLehwS93F5E
+ J/bXNY6VnHcALRGMZF60g5OxM3QUioNkGqcCWGjSaRPcKhwaXvvIaTCdz8apnBHS
+ XgHeuszpU9/O1nCsNPF2vQUjcNxz+KsL39RwHCVJBVJskxd4HcJQUM7uArV1Fjbk
+ fl4nQuueBrZ4tXzimRK2QOjgy8F2n/Kxpjlr4rXn+Pi9jyhx0Jq4Blu3wrR4LAg=
+ =4Xvm
+ -----END PGP MESSAGE-----
+ fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+ - created_at: "2024-06-21T22:42:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4EEKdYEzV0pAQ//fo1yfBspyD2O84d8UCHWoUJTNYql2p26H/vC2BsVzAmL
+ 6nylQACeslISLlXbrW+ILPOFZ5x21THOFcJdvCGAQAkY+jC7Ry3D2gwsZi/RLFpP
+ wbEgbzk9hcimmvuHW/NJtrqvXiTJy7GH7el5Zwqe6rtUkTW5IUtaOmZjn2fQBVoq
+ 9mMT86vOYlqgIISG1o5x4pciRd+fb3JPiPeJiLcyUBEXYqg2THlyYwwp2paFomYf
+ a6Ls/pVT9ICSblFlnfILOexDpqhxcPH+V2nwlbSlOETq3ACcVIgufIRndTkGhDzi
+ HS3GlD5nIb/ep12Gj+qOgKZBsbUdNIAVojNY2qlK2yQJpE5B1aDjmkAZUkk/LqF3
+ 76ZRBDzigU0jfYKh2iGDY3F8cWDsRqjqcTjVB9KF32+1SeUAO4NqDnDpMZgBh2i5
+ rvDOJCJfTgo7DfPqWPyeFM58sow9EEglygASA/XTaDV+CmLzRlqxwlJwpbRrz3OV
+ Mp1gewfGASLPS4xh6gtROac9DAuokmN5VgNg2g+emN8lUNJ/7V7u30TvCEfGP0j0
+ 1Sd6RrNn/ZDMJtOoE8gDua6njbOi9Zk/RN4Y4NKWcmiNZxz/Xi/8XU7F0yk0yEL1
+ DUxYsCEHImib+lAESQ0fF4VMXx3DSXq2/Yt5z782ZvgNrGoGw3B9qVA5FyG5Bt3S
+ XgGgfz/6fGZ0DEtTv3B8Rhqbm6TvwPFgIg+3WuQRXxf3rjjoX1AN0jcuz8OIIfGk
+ o1GuRG0/sYg7P32ysgQMvS1F+rX2PR/myHsz4YMM10soG7OduHgXmiJ0eUq8EtM=
+ =WLCQ
+ -----END PGP MESSAGE-----
+ fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+ - created_at: "2024-06-21T22:42:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DQrf1tCqiJxoSAQdAUMjy8rV2Zy5nmeMOBsANIUVyhAvVBUF1yunc+EgVeVQw
+ yd4hPHMnQSkasXmcMDS0y2gwixgTOeQbG5PaOr0FA7eGEItLlqwSxz3+GnuD/gEw
+ 0l4BFrUbimEX+/tfI8aymapMVYXFXWe4dUZw9foKN5HqkpPKhusozd9bqPPNKggZ
+ 09tvIJViKP/QufK0WyLYZGWrG+leogDX39GBtAU1SOllFqtq2G0X1qH+s88GVpaO
+ =hxWV
+ -----END PGP MESSAGE-----
+ fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+ - created_at: "2024-06-21T22:42:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzdAjw8ldn6CAQ//SK6MVXhRsRxYV8jL9HrVTovc84kNFr24nbHHi5z6fuCA
+ 6ZjPr5Btx5Xxi716mEmdDBUSGfeJOOSt6hw4fCqj5ehnCeMLr9GvmJdZx9s2n88m
+ h4Fzd1XF67NMbSAYMPrXpk5dlxBNsgmsAWTaEet9gqGWWYsrZHWPvae7z+GaJJzz
+ h3dix5oVV3tM2OVP9hFhRtu9tv9a0sj5Eu6mz8UsDFwEPynlSDPKUQA0jFTXJnYo
+ yT8UTPSZAUlwnU88JPIhHKCmU8nqUIgDURVNgK4BsuoKSAZ27ueSHr/4IzBiavVD
+ 6V1b1Ttt8usKFp21OCqfNuoiIeEipUdLMFSTjSXqOp38QTaqoDaCsAPc6j3HCvlV
+ vMm1lbSKK+Llpk9WOmqvHQriL50lQGYpa2X/jS8FtlotKFm0uGJoJXZ5Ujc4Wmy9
+ J79/cXLULGFCxdPsoxmd8wJFqz0eiVPHIBFB2Y8Tan+Mg44WeBuY8sAWGzYPp+kB
+ sEOIQ5I9N1Gt+58i1hDTRlqO4I8ihusqKeRemJa954rlzz8YTmZL+JAD5gsMtzuH
+ gMjnfBnNJKw3UmnHMMQm348CRB6SuF6rmjc7Xk1qsnie87HtYbM3dJYh7ixddr/a
+ kTHy66zDX4j3e/y2JdEPQw8/WhhdGnyj6eDioQLNFfvApI7doi5C+XDCR08YxJnS
+ XgG0kP/bfDBkwzzHkr3khuvdtmUEmsxGbR/3abyjLfvM+g3HM6Eqq0uDwuGgYinR
+ DYfWUZTas5uWrgxAWYbBCbhPcevu7CsyJFsBtG4ExTXPSsP2c79+LwtmJjbLQqo=
+ =9C2P
+ -----END PGP MESSAGE-----
+ fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/config/hosts/woodpecker/sops.nix b/config/hosts/woodpecker/sops.nix
new file mode 100644
index 0000000..b4548ed
--- /dev/null
+++ b/config/hosts/woodpecker/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
diff --git a/config/hosts/woodpecker/woodpecker-agent/default.nix b/config/hosts/woodpecker/woodpecker-agent/default.nix
new file mode 100644
index 0000000..279d2bb
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-agent/default.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./docker.nix
+ ./woodpecker-agent.nix
+ ];
+}
diff --git a/config/hosts/woodpecker/woodpecker-agent/docker.nix b/config/hosts/woodpecker/woodpecker-agent/docker.nix
new file mode 100644
index 0000000..af13f4c
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-agent/docker.nix
@@ -0,0 +1,12 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/backends/docker
+# - https://nixos.wiki/wiki/Docker
+
+{ config, pkgs, ... }:
+
+{
+ virtualisation.docker = {
+ enable = true;
+ };
+}
diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
new file mode 100644
index 0000000..dc89021
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
@@ -0,0 +1,30 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/agent-config
+# - https://woodpecker-ci.org/docs/administration/backends/docker
+
+{ config, pkgs, pkgs-unstable, ... }:
+
+{
+ services.woodpecker-agents.agents."docker" = {
+ enable = true;
+ # Since we use woodpecker-server from unstable, use the agent from unstable as well.
+ package = pkgs-unstable.woodpecker-agent;
+ extraGroups = [ "docker" ];
+ environment = {
+ WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";
+ WOODPECKER_MAX_WORKFLOWS = "4";
+ WOODPECKER_BACKEND = "docker";
+ # Set via enviornmentFile:
+ # WOODPECKER_AGENT_SECRET
+ };
+ environmentFile = [ "/run/secrets/woodpecker_agent_environment_file" ];
+ };
+
+ sops.secrets."woodpecker_agent_environment_file" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "woodpecker-agent-docker.service" ];
+ };
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/default.nix b/config/hosts/woodpecker/woodpecker-server/default.nix
new file mode 100644
index 0000000..a713746
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/default.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./nginx.nix
+ ./postgresql.nix
+ ./woodpecker-server.nix
+ ];
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/nginx.nix b/config/hosts/woodpecker/woodpecker-server/nginx.nix
new file mode 100644
index 0000000..962183c
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/nginx.nix
@@ -0,0 +1,57 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/proxy
+
+{ config, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."acme-woodpecker.hamburg.ccc.de" = {
+ default = true;
+ enableACME = true;
+ serverName = "woodpecker.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ virtualHosts."woodpecker.hamburg.ccc.de" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "woodpecker.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://localhost${config.services.woodpecker-server.environment.WOODPECKER_SERVER_ADDR}";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+ networking.firewall.allowedUDPPorts = [ 8443 ];
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/postgresql.nix b/config/hosts/woodpecker/woodpecker-server/postgresql.nix
new file mode 100644
index 0000000..e715650
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/postgresql.nix
@@ -0,0 +1,18 @@
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/dce84c46d780b20c064d5dfb10d0686e0584a198/nixos/modules/services/web-apps/nextcloud.nix#L1069
+
+{ config, pkgs, ... }:
+
+{
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_15;
+ ensureDatabases = [ "woodpecker-server" ];
+ ensureUsers = [
+ {
+ name = "woodpecker-server";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
new file mode 100644
index 0000000..464af13
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@@ -0,0 +1,45 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/server-config
+# - https://woodpecker-ci.org/docs/administration/database
+# - https://woodpecker-ci.org/docs/administration/forges/forgejo
+# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+
+{ config, pkgs, pkgs-unstable, ... }:
+
+{
+ services.woodpecker-server = {
+ enable = true;
+ # Use package from unstable to get at least version 2.6.0 for native Forgejo support.
+ # https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0
+ package = pkgs-unstable.woodpecker-server;
+ environment = {
+ WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
+ WOODPECKER_SERVER_ADDR = ":8001";
+ WOODPECKER_GRPC_ADDR = ":9000";
+ WOODPECKER_ADMIN = "june";
+ WOODPECKER_OPEN = "true";
+ WOODPECKER_ORGS = "CCCHH";
+ WOODPECKER_DATABASE_DRIVER = "postgres";
+ WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
+ WOODPECKER_FORGEJO = "true";
+ WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
+ # Set via enviornmentFile:
+ # WOODPECKER_FORGEJO_CLIENT
+ # WOODPECKER_FORGEJO_SECRET
+ };
+ environmentFile = [ "/run/secrets/woodpecker_server_environment_file" ];
+ };
+
+ systemd.services.woodpecker-server.serviceConfig = {
+ User = "woodpecker-server";
+ Group = "woodpecker-server";
+ };
+
+ sops.secrets."woodpecker_server_environment_file" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "woodpecker-server.service" ];
+ };
+}
diff --git a/config/hosts/yate/networking.nix b/config/hosts/yate/networking.nix
index 225edd2..a06a019 100644
--- a/config/hosts/yate/networking.nix
+++ b/config/hosts/yate/networking.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
{
networking = {
diff --git a/deployment_configuration.json b/deployment_configuration.json
index 2cc3215..dd0f43d 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -23,6 +23,15 @@
},
"nix-box-june": {
"targetHostname": "nix-box-june-intern.hamburg.ccc.de"
+ },
+ "mjolnir": {
+ "targetHostname": "mjolnir-intern.hamburg.ccc.de"
+ },
+ "woodpecker": {
+ "targetHostname": "woodpecker-intern.hamburg.ccc.de"
+ },
+ "penpot": {
+ "targetHostname": "penpot-intern.hamburg.ccc.de"
}
}
}
diff --git a/flake.lock b/flake.lock
index 9d52703..5caae01 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
"nodes": {
"nixlib": {
"locked": {
- "lastModified": 1712450863,
- "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=",
+ "lastModified": 1726966855,
+ "narHash": "sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
- "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f",
+ "rev": "575704ff85d3a41dc5bfef7b55380cbc7b87f3c2",
"type": "github"
},
"original": {
@@ -23,11 +23,11 @@
]
},
"locked": {
- "lastModified": 1716210724,
- "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=",
+ "lastModified": 1727053438,
+ "narHash": "sha256-t/+z1Tf7hSaStU1pBYkY7i0/GkG+YIPSmfeRrK8eYUw=",
"owner": "nix-community",
"repo": "nixos-generators",
- "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94",
+ "rev": "e8c1cd886cc17e31e424f915efd32e84d8af0ce9",
"type": "github"
},
"original": {
@@ -38,43 +38,43 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1716408408,
- "narHash": "sha256-e4pjcLqe1Dexz7enk/+ui0aVdcoSiWnrTGjk7KLtAPw=",
+ "lastModified": 1727076372,
+ "narHash": "sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "dff68ababdd2c2616d03f26546ba632f5f09d3c6",
+ "rev": "7ca0f93c530406c1610defff0b9bf643333cf992",
"type": "github"
},
"original": {
"owner": "nixos",
- "ref": "nixos-23.11-small",
+ "ref": "nixos-24.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
- "lastModified": 1716061101,
- "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
+ "lastModified": 1725762081,
+ "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
+ "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
"type": "github"
},
"original": {
"owner": "NixOS",
- "ref": "release-23.11",
+ "ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
- "lastModified": 1716479278,
- "narHash": "sha256-2eh7rYxQOntkUjFXtlPH7lBuUDd4isu/YHRjNJW7u1Q=",
+ "lastModified": 1727104955,
+ "narHash": "sha256-m6kgjR4zAwyMe1Pn4RGXLCzArtoBp1qzhb2AUlPeVh4=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "2ee89d5a0167a8aa0f2a5615d2b8aefb1f299cd4",
+ "rev": "d266adc5a77ec8c10ed941c7251b2673004dbd62",
"type": "github"
},
"original": {
@@ -100,11 +100,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
- "lastModified": 1716400300,
- "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
+ "lastModified": 1726524647,
+ "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
+ "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index 8a8ebf7..106daa5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
# Use the NixOS small channels for nixpkgs.
# https://nixos.org/manual/nixos/stable/#sec-upgrading
# https://github.com/NixOS/nixpkgs
- nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11-small";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
# Add nixos-generators as an input.
@@ -113,6 +113,7 @@
./config/common
./config/proxmox-vm
sops-nix.nixosModules.sops
+ ./config/extra/prometheus-exporter.nix
./config/hosts/netbox
];
};
@@ -123,6 +124,7 @@
./config/common
./config/proxmox-vm
sops-nix.nixosModules.sops
+ ./config/extra/prometheus-exporter.nix
./config/hosts/matrix
];
};
@@ -133,6 +135,7 @@
./config/common
./config/proxmox-vm
sops-nix.nixosModules.sops
+ ./config/extra/prometheus-exporter.nix
./config/hosts/public-web-static
];
};
@@ -143,11 +146,9 @@
./config/common
./config/proxmox-vm
sops-nix.nixosModules.sops
+ ./config/extra/prometheus-exporter.nix
./config/hosts/git
];
- specialArgs = {
- inherit pkgs-unstable;
- };
};
forgejo-actions-runner = nixpkgs.lib.nixosSystem {
@@ -156,6 +157,7 @@
./config/common
./config/proxmox-vm
sops-nix.nixosModules.sops
+ ./config/extra/prometheus-exporter.nix
./config/hosts/forgejo-actions-runner
];
};
@@ -174,6 +176,7 @@
modules = [
./config/common
./config/proxmox-vm
+ ./config/extra/prometheus-exporter.nix
./config/hosts/eh22-wiki
];
};
@@ -183,6 +186,7 @@
modules = [
./config/common
./config/proxmox-vm
+ ./config/extra/prometheus-exporter.nix
./config/hosts/nix-box-june
];
};
@@ -195,6 +199,61 @@
./config/hosts/yate
];
};
+
+ mqtt = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./config/common
+ ./config/proxmox-vm
+ ./config/hosts/mqtt
+ ];
+ };
+
+ mjolnir = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./config/common
+ ./config/proxmox-vm
+ sops-nix.nixosModules.sops
+ ./config/extra/prometheus-exporter.nix
+ ./config/hosts/mjolnir
+ ];
+ };
+
+ woodpecker = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./config/common
+ ./config/proxmox-vm
+ sops-nix.nixosModules.sops
+ ./config/extra/prometheus-exporter.nix
+ ./config/hosts/woodpecker
+ ];
+ specialArgs = {
+ inherit pkgs-unstable;
+ };
+ };
+
+ status = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./config/common
+ ./config/proxmox-vm
+ sops-nix.nixosModules.sops
+ ./config/hosts/status
+ ];
+ };
+
+ penpot = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./config/common
+ ./config/proxmox-vm
+ sops-nix.nixosModules.sops
+ ./config/extra/prometheus-exporter.nix
+ ./config/hosts/penpot
+ ];
+ };
};
packages.x86_64-linux = {