├── hosts ├── gaia │ ├── home.nix │ └── configuration.nix ├── phi │ ├── home.nix │ ├── hardware-configuration.nix │ ├── terraform-configuration.nix │ └── configuration.nix ├── hyperion │ ├── home.nix │ └── darwin-configuration.nix ├── sigma │ ├── home.nix │ ├── configuration.nix │ ├── terraform-configuration.nix │ └── hardware-configuration.nix └── flake-module.nix ├── .gitea └── workflows │ └── .do-not-run-github-actions ├── .envrc ├── sops ├── secrets │ ├── b2-key-id │ │ ├── users │ │ │ └── enzime │ │ └── secret │ ├── desec-api-key │ │ ├── users │ │ │ └── enzime │ │ └── secret │ ├── gaia-age.key │ │ ├── users │ │ │ └── enzime │ │ └── secret │ ├── sigma-age.key │ │ ├── users │ │ │ └── enzime │ │ └── secret │ ├── tf-passphrase │ │ ├── users │ │ │ └── enzime │ │ └── secret │ ├── vultr-api-key │ │ ├── users │ │ │ └── enzime │ │ └── secret │ ├── b2-application-key │ │ ├── users │ │ │ └── enzime │ │ └── secret │ ├── phi-nixos-age.key │ │ ├── users │ │ │ └── enzime │ │ └── secret │ ├── tailscale-api-key │ │ ├── users │ │ │ └── enzime │ │ └── secret │ └── hyperion-macos-age.key │ │ ├── users │ │ └── enzime │ │ └── secret ├── machines │ ├── gaia │ │ └── key.json │ ├── sigma │ │ └── key.json │ ├── phi-nixos │ │ └── key.json │ └── hyperion-macos │ │ └── key.json └── users │ └── enzime │ └── key.json ├── vars ├── per-machine │ ├── gaia │ │ ├── state-version │ │ │ └── version │ │ │ │ └── value │ │ ├── luks │ │ │ └── password │ │ │ │ ├── users │ │ │ │ └── enzime │ │ │ │ ├── machines │ │ │ │ └── gaia │ │ │ │ └── secret │ │ ├── syncthing │ │ │ └── password │ │ │ │ ├── users │ │ │ │ └── enzime │ │ │ │ ├── machines │ │ │ │ └── gaia │ │ │ │ └── secret │ │ ├── initrd-ssh │ │ │ ├── id_ed25519 │ │ │ │ ├── machines │ │ │ │ │ └── gaia │ │ │ │ ├── users │ │ │ │ │ └── enzime │ │ │ │ └── secret │ │ │ └── id_ed25519.pub │ │ │ │ └── value │ │ ├── openssh │ │ │ ├── ssh.id_ed25519 │ │ │ │ ├── users │ │ │ │ │ └── enzime │ │ │ │ ├── machines │ │ │ │ │ └── gaia │ │ │ │ └── secret │ │ │ └── 
ssh.id_ed25519.pub │ │ │ │ └── value │ │ ├── emergency-access │ │ │ ├── password │ │ │ │ ├── machines │ │ │ │ │ └── gaia │ │ │ │ ├── users │ │ │ │ │ └── enzime │ │ │ │ └── secret │ │ │ └── password-hash │ │ │ │ └── value │ │ ├── hoopsnake │ │ │ ├── tailscale-client-id │ │ │ │ ├── machines │ │ │ │ │ └── gaia │ │ │ │ ├── users │ │ │ │ │ └── enzime │ │ │ │ └── secret │ │ │ └── tailscale-client-secret │ │ │ │ ├── users │ │ │ │ └── enzime │ │ │ │ ├── machines │ │ │ │ └── gaia │ │ │ │ └── secret │ │ ├── user-password-root │ │ │ ├── user-password │ │ │ │ ├── users │ │ │ │ │ └── enzime │ │ │ │ └── secret │ │ │ └── user-password-hash │ │ │ │ ├── users │ │ │ │ └── enzime │ │ │ │ ├── machines │ │ │ │ └── gaia │ │ │ │ └── secret │ │ ├── user-password-enzime │ │ │ ├── user-password │ │ │ │ ├── users │ │ │ │ │ └── enzime │ │ │ │ └── secret │ │ │ └── user-password-hash │ │ │ │ ├── machines │ │ │ │ └── gaia │ │ │ │ ├── users │ │ │ │ └── enzime │ │ │ │ └── secret │ │ ├── matrix-password-admin │ │ │ └── matrix-password-admin │ │ │ │ ├── users │ │ │ │ └── enzime │ │ │ │ ├── machines │ │ │ │ └── gaia │ │ │ │ └── secret │ │ ├── matrix-password-enzime │ │ │ └── matrix-password-enzime │ │ │ │ ├── machines │ │ │ │ └── gaia │ │ │ │ ├── users │ │ │ │ └── enzime │ │ │ │ └── secret │ │ └── matrix-synapse │ │ │ └── synapse-registration_shared_secret │ │ │ ├── machines │ │ │ └── gaia │ │ │ ├── users │ │ │ └── enzime │ │ │ └── secret │ ├── sigma │ │ ├── state-version │ │ │ └── version │ │ │ │ └── value │ │ ├── luks │ │ │ └── password │ │ │ │ ├── machines │ │ │ │ └── sigma │ │ │ │ ├── users │ │ │ │ └── enzime │ │ │ │ └── secret │ │ ├── openssh │ │ │ ├── ssh.id_ed25519 │ │ │ │ ├── users │ │ │ │ │ └── enzime │ │ │ │ ├── machines │ │ │ │ │ └── sigma │ │ │ │ └── secret │ │ │ └── ssh.id_ed25519.pub │ │ │ │ └── value │ │ ├── syncthing │ │ │ └── password │ │ │ │ ├── machines │ │ │ │ └── sigma │ │ │ │ ├── users │ │ │ │ └── enzime │ │ │ │ └── secret │ │ ├── emergency-access │ │ │ ├── password │ │ │ │ ├── 
users │ │ │ │ │ └── enzime │ │ │ │ └── secret │ │ │ └── password-hash │ │ │ │ └── value │ │ ├── user-password-root │ │ │ ├── user-password │ │ │ │ ├── users │ │ │ │ │ └── enzime │ │ │ │ └── secret │ │ │ └── user-password-hash │ │ │ │ ├── users │ │ │ │ └── enzime │ │ │ │ ├── machines │ │ │ │ └── sigma │ │ │ │ └── secret │ │ └── user-password-enzime │ │ │ ├── user-password │ │ │ ├── users │ │ │ │ └── enzime │ │ │ └── secret │ │ │ └── user-password-hash │ │ │ ├── users │ │ │ └── enzime │ │ │ ├── machines │ │ │ └── sigma │ │ │ └── secret │ └── phi-nixos │ │ ├── state-version │ │ └── version │ │ │ └── value │ │ ├── restic │ │ └── password │ │ │ ├── users │ │ │ └── enzime │ │ │ ├── machines │ │ │ └── phi-nixos │ │ │ └── secret │ │ ├── syncthing │ │ └── password │ │ │ ├── users │ │ │ └── enzime │ │ │ ├── machines │ │ │ └── phi-nixos │ │ │ └── secret │ │ ├── openssh │ │ ├── ssh.id_ed25519 │ │ │ ├── users │ │ │ │ └── enzime │ │ │ ├── machines │ │ │ │ └── phi-nixos │ │ │ └── secret │ │ └── ssh.id_ed25519.pub │ │ │ └── value │ │ ├── restic-backblaze │ │ ├── key-id │ │ │ ├── users │ │ │ │ └── enzime │ │ │ └── secret │ │ └── app-key │ │ │ ├── users │ │ │ └── enzime │ │ │ └── secret │ │ ├── emergency-access │ │ ├── password │ │ │ ├── users │ │ │ │ └── enzime │ │ │ └── secret │ │ └── password-hash │ │ │ └── value │ │ ├── nextcloud │ │ └── admin-password │ │ │ ├── users │ │ │ └── enzime │ │ │ ├── machines │ │ │ └── phi-nixos │ │ │ └── secret │ │ ├── user-password-root │ │ ├── user-password │ │ │ ├── users │ │ │ │ └── enzime │ │ │ └── secret │ │ └── user-password-hash │ │ │ ├── users │ │ │ └── enzime │ │ │ ├── machines │ │ │ └── phi-nixos │ │ │ └── secret │ │ ├── user-password-enzime │ │ ├── user-password │ │ │ ├── users │ │ │ │ └── enzime │ │ │ └── secret │ │ └── user-password-hash │ │ │ ├── users │ │ │ └── enzime │ │ │ ├── machines │ │ │ └── phi-nixos │ │ │ └── secret │ │ └── restic-backblaze-environment │ │ └── environment │ │ ├── users │ │ └── enzime │ │ ├── machines │ │ └── 
phi-nixos │ │ └── secret └── shared │ ├── acme-desec │ └── token │ │ ├── users │ │ └── enzime │ │ ├── machines │ │ ├── gaia │ │ └── phi-nixos │ │ └── secret │ ├── acme-zoneee │ ├── api-key │ │ ├── users │ │ │ └── enzime │ │ └── secret │ ├── api-user │ │ ├── users │ │ │ └── enzime │ │ └── secret │ └── credentials │ │ ├── users │ │ └── enzime │ │ ├── machines │ │ └── phi-nixos │ │ └── secret │ ├── nix-remote-build │ ├── key │ │ ├── users │ │ │ └── enzime │ │ └── machines │ │ │ ├── gaia │ │ │ ├── sigma │ │ │ ├── phi-nixos │ │ │ └── hyperion-macos │ └── key.pub │ │ └── value │ ├── tailscale │ └── auth-key │ │ ├── machines │ │ ├── gaia │ │ ├── sigma │ │ └── phi-nixos │ │ ├── users │ │ └── enzime │ │ └── secret │ ├── wifi.home │ ├── password │ │ ├── users │ │ │ └── enzime │ │ ├── machines │ │ │ ├── sigma │ │ │ └── phi-nixos │ │ └── secret │ └── network-name │ │ ├── machines │ │ ├── sigma │ │ └── phi-nixos │ │ ├── users │ │ └── enzime │ │ └── secret │ ├── wifi.hotspot │ ├── password │ │ ├── users │ │ │ └── enzime │ │ ├── machines │ │ │ ├── sigma │ │ │ └── phi-nixos │ │ └── secret │ └── network-name │ │ ├── users │ │ └── enzime │ │ ├── machines │ │ ├── sigma │ │ └── phi-nixos │ │ └── secret │ └── wifi.jaden │ ├── password │ ├── users │ │ └── enzime │ ├── machines │ │ ├── sigma │ │ └── phi-nixos │ └── secret │ └── network-name │ ├── users │ └── enzime │ ├── machines │ ├── sigma │ └── phi-nixos │ └── secret ├── flake.systems.nix ├── modules ├── flake-parts │ ├── lib.nix │ ├── flake-module.nix │ ├── checks.nix │ ├── configurations.nix │ ├── devShells.nix │ ├── vm.nix │ ├── clan.nix │ └── formatter.nix ├── bluetooth.nix ├── deluge.nix ├── printers.nix ├── mullvad.nix ├── avahi.nix ├── ios.nix ├── wireless.nix ├── fonts.nix ├── scanners.nix ├── ai.nix ├── gaming.nix ├── android.nix ├── perlless.nix ├── virt-manager.nix ├── samba.nix ├── docker.nix ├── pim.nix ├── macos-vm.nix ├── cache.nix ├── xdg.nix ├── flakes.nix ├── sops.nix ├── builder.nix ├── terranix │ ├── backblaze.nix 
│ └── base.nix ├── i18n.nix ├── reflector.nix ├── wayvnc.nix ├── greetd.nix ├── nextcloud.nix ├── alacritty.nix ├── termite.nix ├── acme.nix ├── ghostty.nix ├── mpv.nix ├── clan.nix ├── graphical-minimal.nix ├── variants.nix ├── restic.nix ├── linux-builder.nix ├── hoopsnake.nix ├── personal.nix └── vncserver.nix ├── .git-blame-ignore-revs ├── inventory.json ├── overlays ├── powermenu.nix ├── gramps.nix ├── docker-compose.nix ├── karabiner-elements.nix ├── spotify.nix ├── tailscale.nix ├── ranger.nix ├── nixos-rebuild.nix ├── i3-ws.nix ├── terraform.nix ├── zellij.nix ├── vim-plugins.nix ├── firefox-addons │ └── flake.nix └── vscode-extensions.nix ├── .gitignore ├── files ├── post-checkout ├── commands.py └── rc.conf ├── shell.nix ├── .github ├── workflows │ ├── mirror.yml │ └── build.yml └── flake-module.nix ├── README.md └── keys.nix /hosts/gaia/home.nix: -------------------------------------------------------------------------------- 1 | { } 2 | -------------------------------------------------------------------------------- /.gitea/workflows/.do-not-run-github-actions: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.envrc: -------------------------------------------------------------------------------- 1 | # shellcheck shell=bash 2 | use nix 3 | -------------------------------------------------------------------------------- /sops/secrets/b2-key-id/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../users/enzime -------------------------------------------------------------------------------- /vars/per-machine/gaia/state-version/version/value: -------------------------------------------------------------------------------- 1 | 25.11 -------------------------------------------------------------------------------- /vars/per-machine/sigma/state-version/version/value: 
-------------------------------------------------------------------------------- 1 | 24.11 -------------------------------------------------------------------------------- /sops/secrets/desec-api-key/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../users/enzime -------------------------------------------------------------------------------- /sops/secrets/gaia-age.key/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../users/enzime -------------------------------------------------------------------------------- /sops/secrets/sigma-age.key/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../users/enzime -------------------------------------------------------------------------------- /sops/secrets/tf-passphrase/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../users/enzime -------------------------------------------------------------------------------- /sops/secrets/vultr-api-key/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../users/enzime -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/state-version/version/value: -------------------------------------------------------------------------------- 1 | 22.05 -------------------------------------------------------------------------------- /sops/secrets/b2-application-key/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../users/enzime -------------------------------------------------------------------------------- /sops/secrets/phi-nixos-age.key/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../users/enzime 
-------------------------------------------------------------------------------- /sops/secrets/tailscale-api-key/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../users/enzime -------------------------------------------------------------------------------- /flake.systems.nix: -------------------------------------------------------------------------------- 1 | [ "x86_64-linux" "aarch64-darwin" "aarch64-linux" ] 2 | -------------------------------------------------------------------------------- /sops/secrets/hyperion-macos-age.key/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../users/enzime -------------------------------------------------------------------------------- /vars/shared/acme-desec/token/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../sops/users/enzime -------------------------------------------------------------------------------- /modules/flake-parts/lib.nix: -------------------------------------------------------------------------------- 1 | { self-lib, ... 
}: { flake.lib = self-lib; } 2 | -------------------------------------------------------------------------------- /vars/shared/acme-desec/token/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/shared/acme-zoneee/api-key/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/acme-zoneee/api-user/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/nix-remote-build/key/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/tailscale/auth-key/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/shared/tailscale/auth-key/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/wifi.home/password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/wifi.hotspot/password/users/enzime: -------------------------------------------------------------------------------- 1 | 
../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/wifi.jaden/password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/gaia/luks/password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/acme-zoneee/credentials/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/nix-remote-build/key/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/shared/nix-remote-build/key/machines/sigma: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/sigma -------------------------------------------------------------------------------- /vars/shared/tailscale/auth-key/machines/sigma: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/sigma -------------------------------------------------------------------------------- /vars/shared/wifi.home/network-name/machines/sigma: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/sigma -------------------------------------------------------------------------------- /vars/shared/wifi.home/network-name/users/enzime: -------------------------------------------------------------------------------- 1 | 
../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/wifi.home/password/machines/sigma: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/sigma -------------------------------------------------------------------------------- /vars/shared/wifi.hotspot/network-name/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/wifi.hotspot/password/machines/sigma: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/sigma -------------------------------------------------------------------------------- /vars/shared/wifi.jaden/network-name/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/wifi.jaden/password/machines/sigma: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/sigma -------------------------------------------------------------------------------- /vars/per-machine/gaia/luks/password/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/per-machine/gaia/syncthing/password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/sigma/luks/password/machines/sigma: 
-------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/sigma -------------------------------------------------------------------------------- /vars/per-machine/sigma/luks/password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/acme-desec/token/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/shared/tailscale/auth-key/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/shared/wifi.home/password/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/shared/wifi.hotspot/network-name/machines/sigma: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/sigma -------------------------------------------------------------------------------- /vars/shared/wifi.jaden/network-name/machines/sigma: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/sigma -------------------------------------------------------------------------------- /vars/shared/wifi.jaden/password/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- 
/vars/per-machine/gaia/initrd-ssh/id_ed25519/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/per-machine/gaia/initrd-ssh/id_ed25519/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/gaia/openssh/ssh.id_ed25519/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/gaia/syncthing/password/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/restic/password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/syncthing/password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/sigma/openssh/ssh.id_ed25519/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/sigma/syncthing/password/machines/sigma: -------------------------------------------------------------------------------- 1 | 
../../../../../../sops/machines/sigma -------------------------------------------------------------------------------- /vars/per-machine/sigma/syncthing/password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/acme-zoneee/credentials/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/shared/nix-remote-build/key/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/shared/wifi.home/network-name/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/shared/wifi.hotspot/password/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/shared/wifi.jaden/network-name/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/per-machine/gaia/emergency-access/password/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/gaia -------------------------------------------------------------------------------- 
/vars/per-machine/gaia/emergency-access/password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/gaia/openssh/ssh.id_ed25519/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/openssh/ssh.id_ed25519/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/restic-backblaze/key-id/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/sigma/emergency-access/password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/sigma/openssh/ssh.id_ed25519/machines/sigma: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/sigma -------------------------------------------------------------------------------- /vars/shared/wifi.hotspot/network-name/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/per-machine/gaia/hoopsnake/tailscale-client-id/machines/gaia: 
-------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/per-machine/gaia/hoopsnake/tailscale-client-id/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/gaia/hoopsnake/tailscale-client-secret/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/gaia/user-password-root/user-password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/emergency-access/password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/nextcloud/admin-password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/restic-backblaze/app-key/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/restic/password/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | 
../../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/per-machine/sigma/user-password-root/user-password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/shared/nix-remote-build/key/machines/hyperion-macos: -------------------------------------------------------------------------------- 1 | ../../../../../sops/machines/hyperion-macos -------------------------------------------------------------------------------- /.git-blame-ignore-revs: -------------------------------------------------------------------------------- 1 | # Run `nixfmt` on the entire repo 2 | a019033eaefb4bfc7dc169e0dd9fa059cc62393b 3 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/hoopsnake/tailscale-client-secret/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/per-machine/gaia/user-password-enzime/user-password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/gaia/user-password-root/user-password-hash/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/syncthing/password/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/phi-nixos 
-------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/user-password-root/user-password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/sigma/user-password-enzime/user-password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/sigma/user-password-root/user-password-hash/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /inventory.json: -------------------------------------------------------------------------------- 1 | { 2 | "machines": { 3 | "gaia": { 4 | "installedAt": 1759180501 5 | } 6 | } 7 | } -------------------------------------------------------------------------------- /vars/per-machine/gaia/matrix-password-admin/matrix-password-admin/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/gaia/user-password-enzime/user-password-hash/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/per-machine/gaia/user-password-enzime/user-password-hash/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime 
-------------------------------------------------------------------------------- /vars/per-machine/gaia/user-password-root/user-password-hash/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/nextcloud/admin-password/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/openssh/ssh.id_ed25519/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/user-password-enzime/user-password/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/user-password-root/user-password-hash/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/sigma/user-password-enzime/user-password-hash/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/sigma/user-password-root/user-password-hash/machines/sigma: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/sigma 
-------------------------------------------------------------------------------- /vars/per-machine/gaia/matrix-password-admin/matrix-password-admin/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/per-machine/gaia/matrix-password-enzime/matrix-password-enzime/machines/gaia: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/per-machine/gaia/matrix-password-enzime/matrix-password-enzime/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/restic-backblaze-environment/environment/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/user-password-enzime/user-password-hash/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/sigma/user-password-enzime/user-password-hash/machines/sigma: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/sigma -------------------------------------------------------------------------------- /vars/per-machine/gaia/matrix-synapse/synapse-registration_shared_secret/machines/gaia: -------------------------------------------------------------------------------- 1 | 
../../../../../../sops/machines/gaia -------------------------------------------------------------------------------- /vars/per-machine/gaia/matrix-synapse/synapse-registration_shared_secret/users/enzime: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/users/enzime -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/restic-backblaze-environment/environment/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/user-password-enzime/user-password-hash/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/user-password-root/user-password-hash/machines/phi-nixos: -------------------------------------------------------------------------------- 1 | ../../../../../../sops/machines/phi-nixos -------------------------------------------------------------------------------- /vars/shared/nix-remote-build/key.pub/value: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHYKiMQTkDFdiZJIKQhyqLms4rcUfDw8FCY/vju38lfd 2 | -------------------------------------------------------------------------------- /vars/per-machine/sigma/openssh/ssh.id_ed25519.pub/value: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxRoznXzz/T6s5UeHG1uoHCXGfXSpy27eTEzC0/EUW+ -------------------------------------------------------------------------------- /vars/per-machine/gaia/initrd-ssh/id_ed25519.pub/value: 
-------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHU+FoY3ki26aEwbjMkKmej/e1pas0zRl+ONUb9ZnOFf 2 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/openssh/ssh.id_ed25519.pub/value: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7kbujq6OMsNHS4eIxxZLOYo0mugDWUdXQBNCmiH1Y4 2 | -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/openssh/ssh.id_ed25519.pub/value: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxOi/S1TLBg8/ZRX5XfCTlM8A+I0q0pQksrxtfjdYFP -------------------------------------------------------------------------------- /modules/bluetooth.nix: -------------------------------------------------------------------------------- 1 | { 2 | nixosModule = { 3 | hardware.bluetooth.enable = true; 4 | services.blueman.enable = true; 5 | }; 6 | } 7 | -------------------------------------------------------------------------------- /modules/deluge.nix: -------------------------------------------------------------------------------- 1 | { 2 | homeModule = { pkgs, ... 
}: { 3 | home.packages = builtins.attrValues { inherit (pkgs) deluge; }; 4 | }; 5 | } 6 | -------------------------------------------------------------------------------- /overlays/powermenu.nix: -------------------------------------------------------------------------------- 1 | self: super: { 2 | powermenu = 3 | super.writeScriptBin "powermenu" (builtins.readFile ../files/powermenu); 4 | } 5 | -------------------------------------------------------------------------------- /sops/machines/gaia/key.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "publickey": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 4 | "type": "age" 5 | } 6 | ] -------------------------------------------------------------------------------- /sops/machines/sigma/key.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "publickey": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 4 | "type": "age" 5 | } 6 | ] -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .direnv 2 | result 3 | /.pre-commit-config.yaml 4 | config.tf.json 5 | terragrunt.hcl.json 6 | .terraform* 7 | *.tfstate* 8 | *.qcow2 9 | *.fd 10 | -------------------------------------------------------------------------------- /sops/machines/phi-nixos/key.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "publickey": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 4 | "type": "age" 5 | } 6 | ] -------------------------------------------------------------------------------- /vars/per-machine/gaia/emergency-access/password-hash/value: -------------------------------------------------------------------------------- 1 | 
$6$KTpGWwPyjvDIXPhG$hGtQf9KxFJFzEyUPQerSnYtRUJCCkpopXlJI4U56tEH9tdlZagIeRhdMfx1PS6VlA7kcwZEfOA2EjJmu.mGFv/ -------------------------------------------------------------------------------- /vars/per-machine/sigma/emergency-access/password-hash/value: -------------------------------------------------------------------------------- 1 | $6$lS4ByMY2SNxvdtNi$2dHvPmAaNUP7icDyN3c0y4yt44Akr30txS9KMG3o9FzeohwcumYE43ljVJlMg43AF3p4Cem6BkHoYofh7Pp8c0 -------------------------------------------------------------------------------- /sops/machines/hyperion-macos/key.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "publickey": "age1ql3xsmeum5pceqycu3ds4vd9yp2lyld4dy2rtqr20lp252cys9asjrx700", 4 | "type": "age" 5 | } 6 | ] -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/emergency-access/password-hash/value: -------------------------------------------------------------------------------- 1 | $6$xoGDJKkQU983ejOY$anlxTaMlV.MkAbddsSUsnAzUnJgitZtm9pDKHCJkDMw3skrU0jKNWUxIJcGm6a7lArSl2i249zTmS13zuU/Uk/ -------------------------------------------------------------------------------- /sops/users/enzime/key.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "publickey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 4 | "type": "age" 5 | } 6 | ] -------------------------------------------------------------------------------- /modules/printers.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ "avahi" ]; 3 | 4 | nixosModule = { 5 | services.printing.enable = true; 6 | services.printing.stateless = true; 7 | }; 8 | } 9 | -------------------------------------------------------------------------------- /modules/mullvad.nix: -------------------------------------------------------------------------------- 1 | { 2 | nixosModule = { pkgs, ... 
}: { 3 | services.mullvad-vpn.enable = true; 4 | # Install the GUI as well 5 | services.mullvad-vpn.package = pkgs.mullvad-vpn; 6 | }; 7 | } 8 | -------------------------------------------------------------------------------- /modules/avahi.nix: -------------------------------------------------------------------------------- 1 | { 2 | nixosModule = { 3 | services.avahi.enable = true; 4 | services.avahi.publish.enable = true; 5 | services.avahi.publish.userServices = true; 6 | services.avahi.nssmdns4 = true; 7 | }; 8 | } 9 | -------------------------------------------------------------------------------- /modules/flake-parts/flake-module.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ./checks.nix 4 | ./clan.nix 5 | ./configurations.nix 6 | ./devShells.nix 7 | ./formatter.nix 8 | ./lib.nix 9 | ./terranix.nix 10 | ./vm.nix 11 | ]; 12 | } 13 | -------------------------------------------------------------------------------- /overlays/gramps.nix: -------------------------------------------------------------------------------- 1 | self: super: { 2 | gramps = super.gramps.overrideAttrs (old: { 3 | buildInputs = old.buildInputs ++ [ super.goocanvas3 ]; 4 | propagatedBuildInputs = (old.propagatedBuildInputs or [ ]) 5 | ++ [ super.graphviz ]; 6 | }); 7 | } 8 | -------------------------------------------------------------------------------- /modules/ios.nix: -------------------------------------------------------------------------------- 1 | { 2 | nixosModule = { pkgs, ... 
}: { 3 | environment.systemPackages = 4 | builtins.attrValues { inherit (pkgs) libimobiledevice; }; 5 | 6 | # For connecting to iOS devices 7 | services.usbmuxd.enable = true; 8 | }; 9 | } 10 | -------------------------------------------------------------------------------- /modules/wireless.nix: -------------------------------------------------------------------------------- 1 | { 2 | nixosModule = { 3 | networking.networkmanager.enable = true; 4 | 5 | preservation.preserveAt."/persist".directories = [{ 6 | directory = "/etc/NetworkManager/system-connections"; 7 | mode = "0700"; 8 | }]; 9 | }; 10 | } 11 | -------------------------------------------------------------------------------- /modules/fonts.nix: -------------------------------------------------------------------------------- 1 | { 2 | homeModule = { pkgs, ... }: { 3 | home.packages = 4 | builtins.attrValues { inherit (pkgs) dejavu_fonts noto-fonts-cjk-sans; }; 5 | 6 | # Allow fonts to be specified in `home.packages` 7 | fonts.fontconfig.enable = true; 8 | }; 9 | } 10 | -------------------------------------------------------------------------------- /modules/scanners.nix: -------------------------------------------------------------------------------- 1 | { 2 | nixosModule = { user, pkgs, ... }: { 3 | hardware.sane.enable = true; 4 | 5 | users.users.${user}.extraGroups = [ "scanner" ]; 6 | 7 | environment.systemPackages = 8 | builtins.attrValues { inherit (pkgs) simple-scan; }; 9 | }; 10 | } 11 | -------------------------------------------------------------------------------- /modules/ai.nix: -------------------------------------------------------------------------------- 1 | { 2 | homeModule = { inputs, pkgs, ... 
}: { 3 | home.packages = builtins.attrValues { 4 | inherit (inputs.llm-agents.packages.${pkgs.stdenv.hostPlatform.system}) 5 | claude-code; 6 | }; 7 | 8 | home.file.".claude/CLAUDE.md".source = ../files/CLAUDE.md; 9 | }; 10 | } 11 | -------------------------------------------------------------------------------- /hosts/phi/home.nix: -------------------------------------------------------------------------------- 1 | { 2 | wayland.windowManager.sway.config.output = { 3 | DP-1 = { 4 | mode = "3440x1440@144Hz"; 5 | adaptive_sync = "on"; 6 | }; 7 | }; 8 | 9 | wayland.windowManager.sway.config.workspaceOutputAssign = [{ 10 | workspace = "1"; 11 | output = "DP-1"; 12 | }]; 13 | } 14 | -------------------------------------------------------------------------------- /modules/gaming.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ "personal" ]; 3 | 4 | nixosModule = { programs.steam.enable = true; }; 5 | 6 | homeModule = { 7 | programs.lutris.enable = true; 8 | 9 | preservation = { 10 | directories = [ ".steam" ".local/share/steam" ".local/share/lutris" ]; 11 | }; 12 | }; 13 | } 14 | -------------------------------------------------------------------------------- /modules/android.nix: -------------------------------------------------------------------------------- 1 | { 2 | nixosModule = { user, ... }: { 3 | programs.adb.enable = true; 4 | 5 | users.users.${user}.extraGroups = [ "adbusers" ]; 6 | }; 7 | 8 | homeModule = { pkgs, ... 
}: { 9 | home.packages = 10 | builtins.attrValues { inherit (pkgs) android-tools scrcpy; }; 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- /overlays/docker-compose.nix: -------------------------------------------------------------------------------- 1 | self: super: { 2 | docker-compose_1 = 3 | super.runCommand "podman-compose-compat-${super.podman-compose.version}" { 4 | inherit (super.podman-compose) meta; 5 | } '' 6 | mkdir -p $out/bin 7 | ln -s ${super.podman-compose}/bin/podman-compose $out/bin/docker-compose 8 | ''; 9 | } 10 | -------------------------------------------------------------------------------- /modules/flake-parts/checks.nix: -------------------------------------------------------------------------------- 1 | { 2 | perSystem = { self', lib, ... }: { 3 | checks = let 4 | packages = 5 | lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages; 6 | devShells = 7 | lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells; 8 | in packages // devShells; 9 | }; 10 | } 11 | -------------------------------------------------------------------------------- /modules/perlless.nix: -------------------------------------------------------------------------------- 1 | { 2 | nixosModule = { modulesPath, lib, ... 
}: {
 3 |     imports = [ (modulesPath + "/profiles/perlless.nix") ];
 4 |
         # `lib.mkForce [ ]` replaces whatever value the imported profile assigns
         # to this option with an empty list, so no dependency pattern is forbidden.
         # NOTE(review): presumably this switches off the profile's own
         # forbidden-dependency check while keeping its other settings; confirm
         # against the profile.
 5 |     system.forbiddenDependenciesRegexes = lib.mkForce [ ];
 6 |
         # The iso-installer image variant removes the perlless profile again.
 7 |     image.modules.iso-installer = {
 8 |       disabledModules = [ (modulesPath + "/profiles/perlless.nix") ];
 9 |     };
10 |   };
11 | }
12 |
--------------------------------------------------------------------------------
/overlays/karabiner-elements.nix:
--------------------------------------------------------------------------------
 1 | self: super: {
       # Overlay: rebuilds karabiner-elements with a different version label and
       # a different pinned source hash.
 2 |   karabiner-elements = super.karabiner-elements.overrideAttrs (old: {
 3 |     version = "14.13.0";
 4 |
         # The download URL is inherited unchanged from the previous `src`; only
         # `hash` is new. fetchurl is fixed-output, so the build fails unless the
         # downloaded file matches this hash.
         # NOTE(review): `old.src.url` was computed from the original package
         # version; confirm it really serves the release named in `version`.
 5 |     src = super.fetchurl {
 6 |       inherit (old.src) url;
 7 |       hash = "sha256-gmJwoht/Tfm5qMecmq1N6PSAIfWOqsvuHU8VDJY8bLw=";
 8 |     };
 9 |
         # Skips the stdenv fixup phase for this package.
10 |     dontFixup = true;
11 |   });
12 | }
13 |
--------------------------------------------------------------------------------
/overlays/spotify.nix:
--------------------------------------------------------------------------------
 1 | self: super:
     # Overlay applied only when the host platform is Darwin; elsewhere it
     # contributes an empty attribute set.
 2 | super.lib.optionalAttrs super.stdenv.hostPlatform.isDarwin {
 3 |   spotify = super.spotify.overrideAttrs (old: {
 4 |     version = "1.2.74.477";
 5 |
         # Same pattern as the karabiner-elements overlay: URL inherited, content
         # pinned by `hash`. A changed upstream binary breaks the build instead of
         # being accepted silently.
 6 |     src = super.fetchurl {
 7 |       inherit (old.src) url;
 8 |       hash = "sha256-0gwoptqLBJBM0qJQ+dGAZdCD6WXzDJEs0BfOxz7f2nQ=";
 9 |     };
10 |   });
11 | }
12 |
--------------------------------------------------------------------------------
/modules/virt-manager.nix:
--------------------------------------------------------------------------------
 1 | {
 2 |   nixosModule = { user, ... }: {
 3 |     virtualisation.libvirtd.enable = true;
         # NOTE(review): this option installs the SPICE USB redirection helper
         # with elevated privileges so unprivileged users can pass host USB
         # devices to VMs; enable it only where that is wanted.
 4 |     virtualisation.spiceUSBRedirection.enable = true;
 5 |
         # NOTE(review): membership of `libvirtd` gives access to the system
         # libvirt daemon, which is effectively root-equivalent on the host
         # (VM definitions can reference host disks and devices). Treat the
         # account as privileged.
 6 |     users.users.${user}.extraGroups = [ "libvirtd" ];
 7 |   };
 8 |
 9 |   homeModule = { pkgs, ...
}: { 10 | home.packages = builtins.attrValues { inherit (pkgs) virt-manager; }; 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- /files/post-checkout: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | if [[ -e $(git rev-parse --show-toplevel)/.git-blame-ignore-revs ]]; then 4 | echo ".git-blame-ignore-revs detected, setting blame.ignoreRevsFile" 5 | git config --local blame.ignoreRevsFile .git-blame-ignore-revs 6 | else 7 | echo "Unsetting blame.ignoreRevsFile" 8 | git config --local --unset blame.ignoreRevsFile 9 | fi 10 | -------------------------------------------------------------------------------- /hosts/hyperion/home.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | let 3 | platformConfigDir = if pkgs.stdenv.hostPlatform.isDarwin then 4 | "Library/Application Support" 5 | else 6 | config.xdg.configHome; 7 | in { 8 | home.file."${platformConfigDir}/sops/age/keys.txt".source = 9 | config.lib.file.mkOutOfStoreSymlink 10 | "${config.home.homeDirectory}/${platformConfigDir}/sops/age/keys.txt.combined"; 11 | } 12 | -------------------------------------------------------------------------------- /hosts/sigma/home.nix: -------------------------------------------------------------------------------- 1 | { 2 | wayland.windowManager.sway.config.output = { eDP-1 = { scale = "1.5"; }; }; 3 | 4 | wayland.windowManager.sway.config.workspaceOutputAssign = [{ 5 | workspace = "1"; 6 | output = "eDP-1"; 7 | }]; 8 | 9 | xdg.userDirs.download = "$HOME/Downloads"; 10 | xdg.userDirs.pictures = "$HOME/Pictures"; 11 | 12 | preservation.directories = [ "Code" "Downloads" "Pictures" "Work" ]; 13 | } 14 | -------------------------------------------------------------------------------- /modules/samba.nix: -------------------------------------------------------------------------------- 1 | { 2 | nixosModule = 
{ user, hostname, ... }: {
 3 |     services.samba.enable = true;
 4 |     # Set password for user with `sudo smbpasswd -a `
         # Defines one share, named after the host, that exports the filesystem
         # root ("/") read-write. Guest access is off, so clients must
         # authenticate, and every file operation then runs as `user` because of
         # "force user".
         # NOTE(review): any valid SMB login can therefore read and write
         # everything `user` can reach on this machine. Prefer a narrower `path`,
         # and restrict who may connect with share parameters such as
         # "valid users" / "hosts allow". This module does not set
         # `services.samba.openFirewall`, so network exposure depends on firewall
         # configuration elsewhere.
 5 |     services.samba.settings.${hostname} = {
 6 |       path = "/";
 7 |       "read only" = "no";
 8 |       "guest ok" = "no";
 9 |       "create mask" = "0644";
10 |       "directory mask" = "0755";
11 |       "force user" = user;
12 |       "force group" = "users";
13 |     };
14 |   };
15 | }
16 |
--------------------------------------------------------------------------------
/overlays/tailscale.nix:
--------------------------------------------------------------------------------
 1 | self: super: {
       # Overlay: appends one extra patch to the tailscale package.
 2 |   tailscale = super.tailscale.overrideAttrs (old: {
 3 |     patches = (old.patches or [ ]) ++ [
           # The patch is fetched from a commit on a personal fork and pinned by
           # `hash`, so changed remote content fails the build rather than being
           # applied.
           # NOTE(review): this changes the behaviour of a VPN daemon; re-review
           # the patch whenever the underlying tailscale version is bumped.
 4 |       (super.fetchpatch {
 5 |         name = "support-exit-nodes-on-macos.patch";
 6 |         url =
 7 |           "https://github.com/Enzime/tailscale/commit/bfe7be579c71e3fc4a405a2f47e0d8e518e8fc51.patch";
 8 |         hash = "sha256-5oqQnfZUs4Y8iERNHrIFCJ5GYyYgfxax7mEQlfaAIeQ=";
 9 |       })
10 |     ];
11 |   });
12 | }
13 |
--------------------------------------------------------------------------------
/modules/docker.nix:
--------------------------------------------------------------------------------
 1 | {
       # macOS: installs the colima, docker-client and docker-compose packages.
 2 |   darwinModule = { pkgs, ... }: {
 3 |     environment.systemPackages = builtins.attrValues {
 4 |       inherit (pkgs) colima docker-client docker-compose;
 5 |     };
 6 |   };
 7 |
       # NixOS: enables podman with Docker compatibility instead of a Docker
       # daemon.
 8 |   nixosModule = { pkgs, ... }: {
 9 |     environment.systemPackages = builtins.attrValues {
10 |       # Uses podman-compose instead of docker-compose
11 |       inherit (pkgs) arion;
12 |     };
13 |
14 |     virtualisation.podman.enable = true;
15 |     virtualisation.podman.dockerCompat = true;
16 |   };
17 | }
18 |
--------------------------------------------------------------------------------
/shell.nix:
--------------------------------------------------------------------------------
 1 | { system ?
builtins.currentSystem }:
 2 | let
       # Reads the flake-compat pin (owner, repo, rev, narHash) out of flake.lock
       # so that non-flake `nix-shell` resolves the same revision as the flake.
 3 |   lock = builtins.fromJSON (builtins.readFile ./flake.lock);
 4 |
 5 |   root = lock.nodes.${lock.root};
 6 |   inherit (lock.nodes.${root.inputs.flake-compat}.locked)
 7 |     owner repo rev narHash;
 8 |
       # The tarball is requested by commit `rev` and checked against the locked
       # `narHash`, so a tampered or replaced archive is rejected.
 9 |   flake-compat = fetchTarball {
10 |     url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz";
11 |     sha256 = narHash;
12 |   };
13 |
14 |   flake = import flake-compat {
15 |     inherit system;
16 |     src = ./.;
17 |   };
18 | in flake.shellNix
19 |
--------------------------------------------------------------------------------
/.github/workflows/mirror.yml:
--------------------------------------------------------------------------------
     # Mirrors the repository to a Gitea remote over SSH on every push and on
     # every branch/tag deletion.
 1 | on: [push, delete]
 2 |
     # NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN gets
     # the repository's default scopes; nothing visible in this job needs more
     # than read access to contents.
 3 | jobs:
 4 |   to_gitea:
 5 |     runs-on: ubuntu-latest
 6 |     steps:
           # NOTE(review): this action is pinned by tag, while the mirroring
           # action below is pinned to a full commit SHA. Tags can be moved;
           # pin this one to a commit SHA as well, since the job goes on to
           # handle an SSH private key.
           # NOTE(review): checkout keeps its token in the local git config by
           # default; `persist-credentials: false` would keep it away from the
           # third-party step, assuming the mirror push only uses SSH (confirm).
 7 |       - uses: actions/checkout@v4.2.2
 8 |         with:
             # Full history, so the mirror receives every commit.
 9 |           fetch-depth: 0
10 |       - uses: pixta-dev/repository-mirroring-action@674e65a7d483ca28dafaacba0d07351bdcc8bd75
11 |         with:
12 |           target_repo_url:
13 |             gitea@git.clan.lol:Enzime/hyperconfig.git
14 |           ssh_username: gitea
             # The private key is handed to the third-party action as an input.
             # NOTE(review): keep it a key that can push to this one mirror
             # repository only.
15 |           ssh_private_key:
16 |             ${{ secrets.GITEA_SSH_PRIVATE_KEY }}
17 |
--------------------------------------------------------------------------------
/overlays/ranger.nix:
--------------------------------------------------------------------------------
 1 | self: super: {
       # Overlay: adds xclip to ranger's propagated inputs and appends one patch.
 2 |   ranger = super.ranger.overrideAttrs (old: {
 3 |     propagatedBuildInputs = (old.propagatedBuildInputs or [ ])
 4 |       ++ [ super.xclip ];
 5 |
 6 |     patches = (old.patches or [ ]) ++ [
           # Patch fetched from a commit on a personal fork; `hash` pins its
           # content.
 7 |       (super.fetchpatch {
 8 |         name = "fix-ctrl-arrows.patch";
 9 |         url =
10 |           "https://github.com/Enzime/ranger/commit/9e60541f3e360e2019d0b671852249771b843761.patch";
11 |         hash = "sha256-R3Qia9++n8SC/fG72GwLYbjwmx/oyEm5BfC2/6nziqI=";
12 |       })
13 |     ];
14 |   });
15 | }
16 |
--------------------------------------------------------------------------------
/.github/flake-module.nix:
--------------------------------------------------------------------------------
 1 | { self, ... }: {
 2 |   perSystem = { pkgs, lib, ...
}: { 3 | packages.github-actions-nix-config = pkgs.writeTextFile { 4 | name = "github-actions-nix.conf"; 5 | text = let 6 | cfg = self.nixosConfigurations.gaia.config.nix.settings; 7 | substituters = 8 | lib.filter (value: !lib.hasInfix "clan.lol" value) cfg.substituters; 9 | in '' 10 | substituters = ${toString substituters} 11 | trusted-public-keys = ${toString cfg.trusted-public-keys} 12 | ''; 13 | }; 14 | }; 15 | } 16 | -------------------------------------------------------------------------------- /modules/pim.nix: -------------------------------------------------------------------------------- 1 | { 2 | darwinModule = { 3 | system.defaults.iCal.CalendarSidebarShown = true; 4 | system.defaults.iCal."first day of week" = "System Setting"; 5 | system.defaults.iCal."TimeZone support enabled" = true; 6 | }; 7 | 8 | nixosModule = { pkgs, ... }: { 9 | environment.systemPackages = builtins.attrValues { 10 | inherit (pkgs) gnome-calendar gnome-contacts gnome-control-center; 11 | }; 12 | 13 | services.gnome.gnome-online-accounts.enable = true; 14 | services.gnome.evolution-data-server.enable = true; 15 | }; 16 | } 17 | -------------------------------------------------------------------------------- /modules/macos-vm.nix: -------------------------------------------------------------------------------- 1 | { 2 | nixosModule = { inputs, pkgs, lib, modulesPath, ... 
}: {
 3 |     imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
 4 |
 5 |     virtualisation.memorySize = 3 * 1024;
 6 |
         # Re-imports nixpkgs with "linux" replaced by "darwin" in the system
         # string, keeping the same config and overlays, and uses the result as
         # the VM host package set.
 7 |     virtualisation.host.pkgs = import inputs.nixpkgs {
 8 |       system = builtins.replaceStrings [ "linux" ] [ "darwin" ]
 9 |         pkgs.stdenv.hostPlatform.system;
10 |       inherit (pkgs) config overlays;
11 |     };
12 |
13 |     services.displayManager.defaultSession = lib.mkForce "none+i3";
14 |     environment.variables.LIBGL_ALWAYS_SOFTWARE = "true";
15 |   };
16 | }
17 |
--------------------------------------------------------------------------------
/modules/cache.nix:
--------------------------------------------------------------------------------
 1 | let
       # Binary-cache settings shared by the NixOS and nix-darwin modules.
 2 |   shared = { keys, ... }: {
 3 |     nix.settings.substituters =
 4 |       [ "https://enzime.cachix.org" "https://cache.clan.lol" ];
         # Every key listed here is trusted to sign store paths: a binary signed
         # by any of them is installed without being rebuilt locally. The key
         # material comes from `keys.signing`, which is defined outside this
         # file.
         # NOTE(review): `aether`, `chi-linux-builder` and `echo` look like
         # individual build machines (confirm). Whoever holds one of those
         # signing keys can supply binaries to every host importing this module,
         # so keep the list minimal and drop keys of retired machines.
 5 |     nix.settings.trusted-public-keys = builtins.attrValues ({
 6 |       inherit (keys.signing) aether chi-linux-builder echo;
 7 |
 8 |       "enzime.cachix.org" = keys.signing."enzime.cachix.org";
 9 |     } // keys.signing.clan);
10 |   };
11 | in {
12 |   nixosModule = shared;
13 |
14 |   darwinModule = shared;
15 |
16 |   homeModule = { pkgs, ... }: {
17 |     home.packages = builtins.attrValues { inherit (pkgs) cachix; };
18 |   };
19 | }
20 |
21 |
--------------------------------------------------------------------------------
/modules/xdg.nix:
--------------------------------------------------------------------------------
 1 | {
 2 |   homeModule = { pkgs, lib, ...
}: 3 | let 4 | inherit (pkgs.stdenv) hostPlatform; 5 | inherit (lib) mkIf mkDefault; 6 | in mkIf hostPlatform.isLinux { 7 | xdg.userDirs = { 8 | enable = true; 9 | desktop = mkDefault "$HOME"; 10 | documents = mkDefault "$HOME"; 11 | download = mkDefault "/data/Downloads"; 12 | music = mkDefault "$HOME"; 13 | pictures = mkDefault "/data/Pictures"; 14 | publicShare = mkDefault "$HOME"; 15 | templates = mkDefault "$HOME"; 16 | videos = mkDefault "$HOME"; 17 | }; 18 | }; 19 | } 20 | -------------------------------------------------------------------------------- /modules/flakes.nix: -------------------------------------------------------------------------------- 1 | let 2 | shared = { pkgs, ... }: { 3 | nix.package = pkgs.nixVersions.latest; 4 | 5 | nix.settings.experimental-features = [ "nix-command" "flakes" ]; 6 | nix.settings.warn-dirty = false; 7 | }; 8 | in { 9 | darwinModule = shared; 10 | 11 | nixosModule = shared; 12 | 13 | homeModule = { config, lib, ... }@args: { 14 | imports = [ shared ]; 15 | 16 | home.packages = builtins.attrValues 17 | (lib.optionalAttrs (!args ? osConfig) { inherit (config.nix) package; }); 18 | 19 | nix = lib.optionalAttrs (args ? 
osConfig) {
20 |       package = lib.mkForce args.osConfig.nix.package;
21 |     };
22 |   };
23 | }
24 |
--------------------------------------------------------------------------------
/overlays/nixos-rebuild.nix:
--------------------------------------------------------------------------------
 1 | self: super: {
       # Overlay: patches the installed nixos-rebuild during postInstall rather
       # than through the usual `patches` attribute.
 2 |   nixos-rebuild = super.nixos-rebuild.overrideAttrs (old:
 3 |     let
 4 |       patches = [
             # Patch fetched from a commit on a personal nixpkgs fork; `hash`
             # pins its content.
 5 |         (super.fetchpatch {
 6 |           name = "fix-cross-building-flakes.patch";
 7 |           url =
 8 |             "https://github.com/Enzime/nixpkgs/commit/8f7debeafaff06c2a5f039402d207712f2001770.patch";
 9 |           hash = "sha256-7ZS6RLqrekftJVx4C/OSLcESAwS5kaIxw9tujkI4YXo=";
10 |         })
11 |       ];
12 |     in {
           # Builds one shell snippet per patch, joins them with newlines, and
           # appends any postInstall the original package already had.
           # NOTE(review): `$target` is not defined in this overlay; presumably
           # the upstream derivation sets it to the installed script. Confirm,
           # since `patch` would otherwise run against an empty path.
13 |       postInstall = builtins.concatStringsSep "\n" ((map (p: ''
14 |         echo "applying patch ${p}"
15 |         patch --no-backup-if-mismatch $target ${p}'') patches)
16 |         ++ [ (old.postInstall or "") ]);
17 |     });
18 | }
19 |
--------------------------------------------------------------------------------
/modules/sops.nix:
--------------------------------------------------------------------------------
 1 | {
 2 |   homeModule = { config, pkgs, lib, ... }:
 3 |     let
           # NOTE(review): `config.xdg.configHome` is normally an absolute path,
           # while the Darwin branch is relative to the home directory. On
           # non-Darwin hosts the symlink target below then joins
           # `homeDirectory` with an absolute path; confirm this resolves as
           # intended.
 4 |       platformConfigDir = if pkgs.stdenv.hostPlatform.isDarwin then
 5 |         "Library/Application Support"
 6 |       else
 7 |         config.xdg.configHome;
 8 |     in {
           # keys.txt defaults (mkDefault, so hosts can override it) to an
           # out-of-store symlink pointing at keys.txt.1p.
 9 |       home.file."${platformConfigDir}/sops/age/keys.txt".source = lib.mkDefault
10 |         (config.lib.file.mkOutOfStoreSymlink
11 |           "${config.home.homeDirectory}/${platformConfigDir}/sops/age/keys.txt.1p");
12 |
           # NOTE(review): content given through `.text` is written to the
           # world-readable Nix store. What is stored here looks like a plugin
           # identity stub plus a public recipient, not an age secret key; keep
           # it that way and never place private key material in this string.
13 |       home.file."${platformConfigDir}/sops/age/keys.txt.1p".text = ''
14 |         # Recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE
15 |         AGE-PLUGIN-1P-1X2NELQ
16 |       '';
17 |     };
18 | }
19 |
--------------------------------------------------------------------------------
/modules/builder.nix:
--------------------------------------------------------------------------------
 1 | let
 2 |   shared = { keys, pkgs, ...
}: {
         # Account that accepts SSH logins from two keys taken from `keys`
         # (defined outside this file): the `enzime` user key and the `sigma`
         # host key.
         # NOTE(review): the account gets an interactive shell and the keys
         # carry no restrictions, so either key holder gets a full login on
         # every machine importing this module. If the account exists only for
         # remote builds, restrict what these keys may do. If `builder` is also
         # listed in `nix.settings.trusted-users` (not shown here), treat the
         # keys as root-equivalent for the Nix store.
 3 |     users.users.builder = {
 4 |       shell = pkgs.zsh;
 5 |       openssh.authorizedKeys.keys = builtins.attrValues {
 6 |         inherit (keys.users) enzime;
 7 |         inherit (keys.hosts) sigma;
 8 |       };
 9 |     };
10 |   };
11 | in {
       # NixOS: normal user in a dedicated `builder` group.
12 |   nixosModule = { ... }: {
13 |     imports = [ shared ];
14 |
15 |     users.groups.builder = { };
16 |
17 |     users.users.builder.isNormalUser = true;
18 |     users.users.builder.group = "builder";
19 |   };
20 |
       # nix-darwin: declares the user as managed, with a fixed uid and home.
21 |   darwinModule = { ... }: {
22 |     imports = [ shared ];
23 |
24 |     users.knownUsers = [ "builder" ];
25 |
26 |     users.users.builder.uid = 550;
27 |     users.users.builder.home = "/Users/builder";
28 |   };
29 | }
30 |
--------------------------------------------------------------------------------
/modules/terranix/backblaze.nix:
--------------------------------------------------------------------------------
 1 | { config, self', lib, ... }:
 2 |
 3 | {
 4 |   terraform.required_providers.b2.source = "Backblaze/b2";
 5 |
       # Both credentials are fetched when Terraform runs, by executing the
       # `get-clan-secret` package with the secret's name, so neither value is
       # written into this file.
       # NOTE(review): results of `data.external` are recorded in Terraform
       # state in plaintext. The repository's .gitignore excludes `*.tfstate*`;
       # make sure state is also encrypted or access-controlled wherever it is
       # stored.
 6 |   data.external.b2-key-id = {
 7 |     program = [ (lib.getExe self'.packages.get-clan-secret) "b2-key-id" ];
 8 |   };
 9 |
10 |   data.external.b2-application-key = {
11 |     program =
12 |       [ (lib.getExe self'.packages.get-clan-secret) "b2-application-key" ];
13 |   };
14 |
15 |   provider.b2.application_key_id =
16 |     config.data.external.b2-key-id "result.secret";
17 |   provider.b2.application_key =
18 |     config.data.external.b2-application-key "result.secret";
19 |
       # Private bucket; the name suggests it holds restic backups.
20 |   resource.b2_bucket.restic = {
21 |     bucket_name = "enzime-restic";
22 |     bucket_type = "allPrivate";
23 |   };
24 | }
25 |
--------------------------------------------------------------------------------
/overlays/i3-ws.nix:
--------------------------------------------------------------------------------
 1 | self: super: {
 2 |   i3-ws = assert !super ?
i3-ws; 3 | super.stdenv.mkDerivation (finalAttrs: { 4 | pname = "i3-ws"; 5 | version = "git-2017-07-30"; 6 | 7 | src = super.fetchFromGitHub { 8 | owner = "Enzime"; 9 | repo = finalAttrs.pname; 10 | rev = "bca34b6b10509088ceac03fb9a1ef27808165ccb"; 11 | hash = "sha256-9nExFLoK+xHZqiATTgKdlNl9IWcM0dtqV5oDFDUkAcQ="; 12 | fetchSubmodules = true; 13 | }; 14 | 15 | buildInputs = 16 | builtins.attrValues { inherit (super) i3 jsoncpp libsigcxx; }; 17 | 18 | nativeBuildInputs = 19 | builtins.attrValues { inherit (super) cmake pkg-config; }; 20 | 21 | meta.mainProgram = finalAttrs.pname; 22 | }); 23 | } 24 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | I use Nix to declaratively manage and configure all of my systems everywhere all at once 2 | 3 | ## Getting started 4 | 5 | Due to subflakes being broken in Nix, before you can use this repo you'll need to run: 6 | 7 | ``` 8 | $ nix-shell --pure -I nixpkgs=flake:nixpkgs -p '(import ./shell.nix { }).packages.${builtins.currentSystem}.add-subflakes-to-store' --command add-subflakes-to-store 9 | ``` 10 | 11 | You can then run a NixOS VM on Linux with: 12 | 13 | ``` 14 | $ nix run .#phi-nixos-vm 15 | ``` 16 | 17 | All the possible hostnames are `gaia`, `phi-nixos` and `sigma` 18 | 19 | ## See also 20 | 21 | - [Frequently Asked Questions about Nix](https://github.com/hlissner/dotfiles/tree/55194e703d1fe82e7e0ffd06e460f1897b6fc404?tab=readme-ov-file#frequently-asked-questions) 22 | -------------------------------------------------------------------------------- /modules/i18n.nix: -------------------------------------------------------------------------------- 1 | { 2 | homeModule = { pkgs, lib, ... 
}: 3 | lib.mkIf pkgs.stdenv.hostPlatform.isLinux { 4 | i18n.inputMethod.enable = true; 5 | i18n.inputMethod.type = "fcitx5"; 6 | i18n.inputMethod.fcitx5.addons = 7 | builtins.attrValues { inherit (pkgs.qt6Packages) fcitx5-unikey; }; 8 | 9 | xdg.configFile."fcitx5/profile".force = true; 10 | xdg.configFile."fcitx5/profile".text = '' 11 | [Groups/0] 12 | Name=Default 13 | Default Layout=us 14 | DefaultIM=unikey 15 | 16 | [Groups/0/Items/0] 17 | Name=keyboard-us 18 | Layout= 19 | 20 | [Groups/0/Items/1] 21 | Name=unikey 22 | Layout= 23 | 24 | [GroupOrder] 25 | 0=Default 26 | ''; 27 | }; 28 | } 29 |
--------------------------------------------------------------------------------
/modules/flake-parts/configurations.nix:
--------------------------------------------------------------------------------
# flake-parts module that declares where this repo's configurations live:
# one per-system output (terraformConfigurations) and three flake-level
# options. Every one is an attribute set of raw, unchecked values that
# defaults to empty.
{ lib, flake-parts-lib, ... }: {
  imports = [
    (flake-parts-lib.mkTransposedPerSystemModule {
      name = "terraformConfigurations";
      option = lib.mkOption {
        type = lib.types.lazyAttrsOf lib.types.raw;
        default = { };
      };
      file = ./configurations.nix;
    })
  ];

  options = {
    flake.baseDarwinConfigurations = lib.mkOption {
      type = lib.types.lazyAttrsOf lib.types.raw;
      default = { };
    };

    flake.baseNixosConfigurations = lib.mkOption {
      type = lib.types.lazyAttrsOf lib.types.raw;
      default = { };
    };

    flake.homeConfigurations = lib.mkOption {
      type = lib.types.lazyAttrsOf lib.types.raw;
      default = { };
    };
  };
}

--------------------------------------------------------------------------------
/hosts/phi/hardware-configuration.nix:
--------------------------------------------------------------------------------
# Kernel modules, filesystems and swap for the host `phi`.
{
  boot.initrd.availableKernelModules =
    [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  boot.supportedFilesystems = [ "ntfs" ];

  # Every volume below is located by filesystem label.
  # NOTE(review): labels are not unique identifiers; a second attached disk
  # carrying the same label could be selected instead. by-uuid paths avoid
  # that ambiguity.
  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
    fsType = "ext4";
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-label/boot";
    fsType = "vfat";
  };

  # The Windows partition is mounted read-write
  fileSystems."/os/windows" = {
    device = "/dev/disk/by-label/windows";
    fsType = "ntfs";
    options = [ "rw" ];
  };

  fileSystems."/data" = {
    device = "/dev/disk/by-label/data";
    fsType = "ext4";
  };

  swapDevices = [{ device = "/dev/disk/by-label/swap"; }];
}

--------------------------------------------------------------------------------
/modules/reflector.nix:
--------------------------------------------------------------------------------
# Reverse proxy: nginx serves reflector.enzim.ee with an ACME certificate and
# passes every request on to https://nextcloud.enzim.ee.
{
  imports = [ "acme" ];

  nixosModule = { config, ... }:
    let hostname = "reflector.enzim.ee";
    in {
      services.nginx.enable = true;
      services.nginx.recommendedTlsSettings = true;
      services.nginx.recommendedOptimisation = true;
      services.nginx.recommendedGzipSettings = true;

      # Forwards the Host header which is required for Nextcloud
      services.nginx.recommendedProxySettings = true;

      networking.firewall.allowedTCPPorts = [ 80 443 ];

      services.nginx.virtualHosts.${hostname} = {
        forceSSL = true;
        enableACME = true;
        # NOTE(review): the upstream is HTTPS, but nginx only validates an
        # upstream certificate when proxy_ssl_verify is on and
        # proxy_ssl_trusted_certificate names a CA bundle. Nothing in this
        # module sets either, so confirm how this hop is authenticated.
        locations = { "/".proxyPass = "https://nextcloud.enzim.ee"; };
      };
      # Keep the proxy's request body limit equal to Nextcloud's upload limit
      services.nginx.clientMaxBodySize =
        config.services.nextcloud.maxUploadSize;
    };
}

-------------------------------------------------------------------------------- /hosts/sigma/configuration.nix: -------------------------------------------------------------------------------- 1 | { user, ...
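}:

# Host configuration for `sigma`.
{
  imports = [ ./hardware-configuration.nix ];

  services.fwupd.enable = true;
  # NOTE(review): lvfs-testing is the LVFS pre-release channel, so this host
  # is offered firmware before it is promoted to the stable remote. Keep it
  # only where that trade-off is intended.
  services.fwupd.extraRemotes = [ "lvfs-testing" ];
  services.fwupd.uefiCapsuleSettings.DisableCapsuleUpdateOnDisk = true;

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostId = "215212b4";

  # Flake registry alias `ln` that points at a local nixpkgs checkout
  nix.registry.ln.to = {
    type = "git";
    url = "file:///home/${user}/Code/nixpkgs";
  };

  services.tailscale.useRoutingFeatures = "client";

  services.fprintd.enable = true;

  # /var/lib/fprint is where fprintd keeps enrolled fingerprints
  preservation.preserveAt."/persist".directories = [ "/var/lib/fprint" ];

  programs.captive-browser.interface = "wlp170s0";

  # Check that this can be bumped before changing it
  system.stateVersion = "24.11";
}

--------------------------------------------------------------------------------
/modules/wayvnc.nix:
--------------------------------------------------------------------------------
# Runs wayvnc as a systemd user service inside the graphical session.
{
  homeModule = { pkgs, lib, ... }: {
    systemd.user.services.wayvnc = {
      Unit = {
        Description = "VNC Server for Sway";
        # Allow it to restart infinitely
        StartLimitIntervalSec = 0;
      };

      Service = {
        # Outside Wayland the script exits 0, so Restart=on-failure leaves the
        # unit stopped. Under Wayland wayvnc runs in the foreground, and even
        # a clean exit is turned into status 1 so that systemd starts it again.
        ExecStart = "${pkgs.writeShellScript "wayvnc-start" ''
          if [[ $XDG_SESSION_TYPE = "wayland" ]]; then
            ${lib.getExe pkgs.wayvnc} && exit 1
          else
            exit 0
          fi
        ''}";
        Restart = "on-failure";
        RestartSec = "1m";
      };

      Install = { WantedBy = [ "graphical-session.target" ]; };
    };

    # As we don't open the firewall, it should only be accessible over Tailscale
    # NOTE(review): this config sets only the listen address (no enable_auth,
    # no credentials), so the network path is the only access control. That
    # depends on the host firewall staying enabled and on the Tailscale
    # interface being let through it, both of which are configured outside
    # this file and should be confirmed.
    xdg.configFile."wayvnc/config".text = ''
      address=0.0.0.0
    '';
  };
}

--------------------------------------------------------------------------------
/modules/flake-parts/devShells.nix:
--------------------------------------------------------------------------------
# Default development shell: home-manager, clan-cli and the repo's `tf`
# package, plus a hook that refreshes git's post-checkout hook.
{
  perSystem = { self', inputs', pkgs, ... }: {
    devShells.default = pkgs.mkShell {
      buildInputs = builtins.attrValues {
        inherit (inputs'.home-manager.packages) home-manager;
        inherit (inputs'.clan-core.packages) clan-cli;
        inherit (self'.packages) tf;
      };

      # NOTE(review): every shell entry downloads the hook from the moving
      # HEAD ref, replaces any local post-checkout hook and then runs it. The
      # only integrity protection is TLS to the host, so whoever can change
      # that branch can run code on each machine that enters this shell.
      # Pinning the URL to a commit, or installing the hook from the checkout
      # itself, would close that gap.
      #
      # Paths are quoted so that a checkout path containing spaces works, and
      # the temporary download is removed once it has been copied.
      shellHook = ''
        POST_CHECKOUT_HOOK="$(git rev-parse --git-common-dir)/hooks/post-checkout"
        TMPFILE="$(mktemp)"
        if curl -o "$TMPFILE" --fail https://raw.githubusercontent.com/Enzime/dotfiles-nix/HEAD/files/post-checkout; then
          if [[ -e "$POST_CHECKOUT_HOOK" ]]; then
            echo "Removing existing $POST_CHECKOUT_HOOK"
            rm "$POST_CHECKOUT_HOOK"
          fi
          echo "Replacing $POST_CHECKOUT_HOOK with $TMPFILE"
          cp "$TMPFILE" "$POST_CHECKOUT_HOOK"
          chmod a+x "$POST_CHECKOUT_HOOK"
        fi
        rm -f "$TMPFILE"

        if [[ -e "$POST_CHECKOUT_HOOK" ]]; then
          "$POST_CHECKOUT_HOOK"
        fi
      '';
    };
  };
}

-------------------------------------------------------------------------------- /modules/greetd.nix: -------------------------------------------------------------------------------- 1 | {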
2 | nixosModule = { pkgs, lib, ... }: { 3 | services.greetd.enable = true; 4 | programs.regreet.enable = true; 5 | 6 | programs.regreet.font.name = "DejaVu Sans"; 7 | programs.regreet.font.size = 12; 8 | programs.regreet.font.package = pkgs.dejavu_fonts; 9 | 10 | services.greetd.settings.default_session.command = 11 | "${lib.getExe' pkgs.dbus "dbus-run-session"} ${ 12 | lib.getExe pkgs.sway 13 | } --config ${ 14 | pkgs.writeText "greetd-sway-config" '' 15 | exec "${lib.getExe pkgs.wayvnc} &" 16 | exec "${lib.getExe pkgs.regreet}; swaymsg exit" 17 | 18 | include /etc/sway/config.d/* 19 | '' 20 | }"; 21 | 22 | users.users.greeter.home = "/var/greeter"; 23 | users.users.greeter.createHome = true; 24 | 25 | home-manager.users.greeter = { 26 | # As we don't open the firewall, it should only be accessible over Tailscale 27 | xdg.configFile."wayvnc/config".text = '' 28 | address=0.0.0.0 29 | ''; 30 | 31 | home.stateVersion = "24.11"; 32 | }; 33 | }; 34 | } 35 | -------------------------------------------------------------------------------- /vars/shared/acme-zoneee/api-user/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:OIBEfT02,iv:lQoYOElFgH4/ijFRRjbxnWpD+tuDuinZXGcEPHuD5x4=,tag:VyZfrqa6LPKeDk/6SGukOw==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyAxaENN\nbkZRMGZodG52bmpic3d5Rndma3hNTnRJakh6b2hEdkdCRERnZ0Y4CmpyZnRzWktU\nelhlc1BTOXBQRWhwRzg5YUhQbTRXSGlzNzFsSEVvU1V0UFEKLS0tIE0vTWEyWk1x\nOUVRVFdIMjNGcEcrRVZ5VExPMmVyZ2RBTUlwbm1TbGt3MlkK4i5wIRVt7y+uMv9e\nZY8Mfrc6iM4/GqeYsX6CCYZDkPcCA5UobgnYn2uYPxDHNpG2EUI8maHURi1usqwZ\nqPUE3A==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-07-04T03:25:37Z", 11 | "mac": 
"ENC[AES256_GCM,data:X9+3rtfM05J71M8hYN7OtcLql3G0ggUgKTso/rMbhT/1/+egy1g4Zwkn3hnSi0LsogDKI6VsUe1KRvhtAeqrrQs7rX+kRqQmOUPFFvZvCGwce9zfVY4+DHgK+Fp+WE+GHltR2k+mJLnBrLIlK0zP0rvZH8X3ggbYBR1fY/FKFSo=,iv:mo1b2ieuyu0WVQhcNqs0zucrQv/RrBXJCRkJYIggYUg=,tag:z86Lh07un2Z5sqC5aJLAEA==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /modules/flake-parts/vm.nix: -------------------------------------------------------------------------------- 1 | { self, ... }: { 2 | perSystem = { system, pkgs, lib, ... }: { 3 | packages = let 4 | vmWithNewHostPlatform = name: 5 | pkgs.writeShellApplication { 6 | name = "run-${name}-vm-on-${system}"; 7 | runtimeInputs = builtins.attrValues { inherit (pkgs) jq; }; 8 | text = '' 9 | set -x 10 | 11 | drv="$(nix eval --raw ${self}#nixosConfigurations.${name} \ 12 | --apply 'original: 13 | let configuration = original.extendModules { modules = [ ({ lib, ... 
}: { 14 | _file = ""; 15 | nixpkgs.hostPlatform = lib.mkForce "${system}"; 16 | }) ]; }; 17 | in configuration.config.system.build.vm.drvPath' )" 18 | vm=$(nix build --no-link "$drv^*" --json | jq -r '.[0].outputs.out') 19 | # shellcheck disable=SC2211 20 | "$vm"/bin/run-*-vm 21 | ''; 22 | }; 23 | in lib.mapAttrs' (hostname: configuration: 24 | lib.nameValuePair "${hostname}-vm" (vmWithNewHostPlatform hostname)) 25 | self.nixosConfigurations; 26 | }; 27 | } 28 | -------------------------------------------------------------------------------- /sops/secrets/b2-key-id/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:NwxAE+hD0RSdrOCLNfURKPmyiEZzgmWAzQ==,iv:dkjEPMoDPw1xT0L+HNtvmbHrRETQYw7X1DQt3/pLCfQ=,tag:Xr9Mv2rWpiWIpMynqfT+3Q==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBETnNa\ndHVqdCtweW5zdGhyYWpoUHNJZVc4a21qZURLNDlFdVVVUlYwaEVjCnJCWExBckRt\nazRja3hSWlhyeHFzTVVXaUFud1Q4NDlTMWcxK3hHU0pDR1EKLS0tIHh1V0lFaEg5\nY3ppMWZWNEVLazRGZWpJNDcyMzA2Q3FGMzhUWXdzcFdra1UKPOxkX6GjXBCoBDr1\nczVk0Zk3M4e8FcRE6AN6aUwBTc9t9odoQ44k+uYvHKTPpVMLuUbRWJUNV7SOOW5C\nvF41Kg==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-11-01T23:34:42Z", 11 | "mac": "ENC[AES256_GCM,data:s9LbOvwudPZaEdT5g+exUPc9cXdFyrTNF1HnmGFj5JLR64FcdSI5eqqQVnmIc0HMk6K1DPcEcAL+UtRkNbskzXBhRmEfhMgUK1sScnm6Q/X+dMpLwKU5JXc9yMLwcn0KQDiekcrCUY4dM0WEQ7Btw3WoCZm6kTACE+MR+rCUJjc=,iv:0/DAha803+aIHshG2iy8iBC3NM5/QY6zv14ddots/H8=,tag:WARmx42xi3YRKD+zo7Nz9Q==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /sops/secrets/tf-passphrase/secret: 
-------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:qqhyhEhXKKD/rGHwMxRMEosENS0nS8yIeOnC,iv:nuasz1lJXRRU9nDAw7OrRR8bsAJ2yYlEtNAhgXfyWZs=,tag:lhvjw+ysQ/yaXxhR0HMQNQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBQN0da\nZjlDdG5jMkloNVBMM0RzZ25nYzIzcy9NVFdjZzVKdHd1bDNualVJCmh4cTNtMjJE\nVnJrS3VIQjZUbTUrNG94MFM4a3BrVTVIQTFDQlhuVW5CL3cKLS0tIHJKNlNFUVJT\nQlAvOHVtTmdJOEFJVzFFVFo5eUxKOHJNdDBSRkR1cXNvaU0KmK1gF5q1BRbv8VOa\n1Hok1cFMwH2N/mK744C3V7XJtK6/TQ9ujspJP75tL8OhC1N0l4XqWmRWpm6SJ8Wy\nD+Fqzg==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-11-02T00:23:43Z", 11 | "mac": "ENC[AES256_GCM,data:gi8zTtQd2VI9fOX9aqQXEoBd5Pyw3CVO0mMxdgigz+6IZajW4P0Sj3s7hwGMqoBq46LFpjTL7+LDzxkihdoGJh8qBouUqSOlmI+4d5y4J92AUxh/D8MBjJkm9sUS8m059v+ewoggcVtATOi0BGpenG2Pbr1KWdC/GvQubPdZnVA=,iv:oxgmBNSBNGcRfiu/WTsGrezPHxw2gKYuK7O2WP+MF6o=,tag:GlytW69XSYEY3Oz0AlKwow==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /sops/secrets/desec-api-key/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:DQLnXfO9lONZb75DZ5PNk+BhlyH4Lsg76hjgwA==,iv:nyi1TXvrvCS4Tcyv5QyQdCzmzA+JH4qwZjaJbcd2xwE=,tag:n64/ht7d5moHGlYtzi8yNA==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBudVpX\nbG5KU0EycDdtNnE1b25xdWd6Q3JqcDZmazFTTzJqNjcwaG9WeWpNCjZ5K2xZS21O\nU2F4VnMrZ1NTUk1vc3c0alN6Wjk0cWRTbWs2NHA0WjRrb1EKLS0tIGlULy94WmNn\nRDlSdDJzNHo4OXNMWjRIcUprK1V0UHJ5QzVsQnUxN0hkcTQKxqwMsmfOAm7B89mS\n0eGwnkufAKly4I9a4kbl3QYqyxfvCcYZZw5uyoFwzWf2eoaoU+pR7fxiob8wR48C\n0tS8RQ==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-11-03T10:43:42Z", 11 | "mac": "ENC[AES256_GCM,data:/b1nIHuBBIwnniKUWLi0nKxw6waPgnQ7mwzClVWyduIgN++nDkaGiVYsoP+3hNUPJk5frMntjGJL29EmKrXmxU+FQOw79zZRXoGCfqx5YZUVbtXQe28E7eW0kq+28vMkN6bz/+QF/lLLPiotqQiUDjU/a+id3wT6+ju6QLIiNmo=,iv:c7qbmtKf8KFLAtmAVr5M3ujkY9u7bIvO7SkTnUt1S6Y=,tag:tscn4jiyuZZf4KR5uMgAug==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /sops/secrets/tailscale-api-key/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:BK2VSDjx5SXAMQFQHNyGUAV/LJ3XtGbrL5OVuIXokMl7xHIX45xSbIDRqvkKxiyHBdzd8UCfMbdx/gHjWg==,iv:S5Ycd1eL/ryayOApNX6WMDFud7qBZaLeXbBRTI8YN2Y=,tag:f3+ZXzbaM5jycqpe4gLB/g==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBRZmY0\neUo0R1pyVEhxQ0tIMGtqb0JVenBzbWhHbS9za3dVa0lOUHpCKzB3ClIrMlZjQ0xl\ndnZJVGVEMDBTN0gvcXE4Tllla1JiL2UzK253ZlNQWW5BU2cKLS0tIEowT2NuYjJ4\nbGZZN3o1OFAwSnVwQVdYWEhRV0VxVVF1bitRaWlJT2Z4d1UKvKsYfCxVn7Z0QLxr\najkFsd83Qw8APWLH7eLjTVbNvSAa+UTQDlwdu5T1VgZhqNj4MiOitwDrPiVdotFH\nwmrDWw==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-12-05T00:12:15Z", 11 | "mac": 
"ENC[AES256_GCM,data:TbbrkXJqYBGndlfEd6GD/m4LMNX+JX+it7AMb798+Q4qglUQEIGcoAP856i6E9VrdsTndOX2DLzE8Y/uIQsqdfpaue7V+kdInLnc8nTCnreJ0f0Ly25jdiXPBlEU2u7MUd2oLhaALLeeoBx4CyH34BzFuNxqcMB88gOuh5bqRdE=,iv:InMVwU5jUl700UHyCd2kRFqDEFK9b8usILu6HYUChlc=,tag:i5DhQMLusEIEvfEIbJeHYg==,type:str]", 12 | "version": "3.11.0" 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /sops/secrets/b2-application-key/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:McvEE86eaTjB26FxMIbHaZ7+9pfdu+o3VYvnxuA3lg==,iv:7zH7On2nx5NxiJDEy2VBlgtccU3BBKLcCc42VzFI0Tg=,tag:yv30pPPoG1DwLWbpTqZyDQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyAvKzhJ\nS2twVFBxZVk3UFQwNERxYWtNNjZ4Nk44QU51VStZOTc3dHArWjA4ClgrK2MrbWRt\nRXVhaXN5MlhPQko5UGwyeG4vRk1GSmR0ck0rSUpFRDlXbHcKLS0tIDJPQTZmMUUz\nTm5vcFJWTWVpb0RyRDdWMVV4SnlkWGI4c3l1Z0xSa2d6aDgKQgRamhfU4WAjcyvI\nERja0AUVBZDtS4lnqgYSXQ0/uTnO3qo9+tnDSRitKMXZrzg008afv4Bi4A5am5es\nZSWbaA==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-11-01T23:34:51Z", 11 | "mac": "ENC[AES256_GCM,data:tWSZbpzn3/0zD8OpT7w3ewFnvCyRGG1fpPN09MFrjO1km+rM/enTeVoZ3b43dA597evRK6YqGtMG1cD3rPFtJYx/vKvpTf0qvIdHRxPQOyqC/YEd/26NRre4AX4yA2N7wWNmkfmU8lbOR0bA1BuxI6RJfZDq37lP2s26zocUZtg=,iv:0qU9mB2Oq8WP0C9TZAuIuF5FcmHbvInXTyP9YcHKn8Y=,tag:KFTq0MASmS99EIk+nti25w==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /sops/secrets/vultr-api-key/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": 
"ENC[AES256_GCM,data:5CqcxyPNMPaEoyeuGGs9aD4AYmrwX/st21iX1INoB2d7NaDm,iv:jqolrQ1gFpx30oUw+nPkrZD+FUZZGzb2WhR1aosEDUo=,tag:F9zc2v0aQ8tUqMi8casVkQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBibi9w\nOFBRSGg4aEc2RTNUTWdsV3UzbGJsWWEwdDQxd0lQMWQxOEI3eFdvCllXcWpZWnpO\nNDZFSWh0amtHTThkNklFbXdHV0ZBa3REVEVpUlBjWVNJMGMKLS0tIGFXN1kvRUtY\nNnNYWUY3S0VpT2lXS3BKMmlqVHVzSHRoYzA4TGk5eTZYTXcKNPoe1Rcfuwst1ALz\nYh+ZlRIG82I0M0W8EdhM85/KroplQogt0RMP229KcZ4fbLrB+1JGZQXHM2c4pphz\n/SepAA==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-05-22T01:48:37Z", 11 | "mac": "ENC[AES256_GCM,data:XElGVQjf/uSJuSXJT6av/O1sBV6HulXJ54S7R1jNDnLLeS9Nng8PIVOzuFx3deMboEKmlfuL7x9L8YxEvoSepOeydP0JGkDID6Ncqp0gY0RPCIRXpDBNZrNjIYQKTZcytZ3rtDFOk3N2F74kCTsrxJ83G7J2B16vbhGq2H/ReNM=,iv:ijG+pzcQVIAW3bIn8ISCC+SQAorDXybZHt4026Ihbhk=,tag:cVH61I6YvryzOdLPyC9yUg==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/user-password-enzime/user-password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:tyklStOm3fx8nKOqURtPoR85Eoi3qrU=,iv:zNe9XcgKNc9dW3ufrQvAw+/WJQmdm2Jy91RbeW1DCC4=,tag:/0Sil5pTPbTarlbrVXV0Sw==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBwYVNW\nSlNUenBZVkYwbkpadW9jQWo3b3JkUHJ0VXJ3RzArcll0N1pybUYwCkZsUlBpMGJX\nU1dLY201U213ZUNUaHU2NGpyTDZSL1hEZlhQS3RHbktqc1kKLS0tIDJ6MTVWNW1p\nV2R1bWxYUjk0WG9DZUlNNENUVHd5TGxPNy9kc1htbCs2bFUKtw3rdoZdUynA4vqD\nLLknTNTcJu/wDZuXKSZll8bBgMRhq/0ZEbKRXCte6p3+/f1xxXDpYMOBsN07n1wK\nRn1BsQ==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-07-07T01:59:57Z", 11 | "mac": "ENC[AES256_GCM,data:rA/JATllb7UIAjgfqMMTjEyFkatcLQMGZILxOj01/0tNcEaG2thwJblqojn0ouAllhKPvQ5wSF5X6Nw2XaTidaxmmLOBG5IfmFOrAro9p8Prya5T4R2jM6TOPIg+CDd8i2dpNDp/E1szeMSYzuQaJYDvlWjXQdayp5tXk2WOM18=,iv:KByjbTSIoStM23WwjVro7zthOvsVbmoW4Vpe7WvLkfc=,tag:Pw2V44Io926X/QzPzYxbRg==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/restic-backblaze/key-id/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:HGwPlIXNprRKYQUjwjBUK9lmLmVJeba+/GM=,iv:mfOrlqpKQShTFKM9SFJF1CMxTmhPr5WtQOQzipnh1qU=,tag:V8gK70wUHfQRC85+QQ3reQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBSWVJU\nMGUwQ0xsZ0lOaDg4KzVUQU1rdEdtN1h0alVmVUp5Skc5Y0lYZXpBCmhlWWd0bHEw\nQS9VZ2dCZm0vQi9wVzdHOXpwRDVzc0VrQ0ZtMzZ0QkJVcjgKLS0tIHhGU0ZGQ1RH\nUE5iYzRza3ZHcmlRTS81dXZTV3NOUHhDZlF6OWJYdXd2QlEK1g2VmhLGVkOutGv0\nx2JZABpau11PfZWgKyNMUVKd/3MNXAVgqqyZuJADMwW4FMIqH1B6Pj1fRAYubqL1\nHZ2rHg==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-11-17T09:12:40Z", 11 | "mac": 
"ENC[AES256_GCM,data:HYO1z7Tj/N1grz/5uEVGGFTeR076e7VbO/iZESVjfWbfkj2Vxc4DxtbrohFZyfKb48IGEcFUgQ15wVkN8OjfRWxiXWT8iT6F/PPbK4/iwCktFXxdacBXJvims7T8MI/G+Bs2zkPYVUUC+5PnbB+bLYyMvwbzfiHjVEC/EaGA0kg=,iv:PlpHvpwmEjmp6BQG4BuAUkNIppWYFt1fK2KYBhus3jA=,tag:YUt3JgROXxuwdObQR1rfAg==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /vars/per-machine/sigma/emergency-access/password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:trHLB3WxMes3uX6fCzQlTchl5ujY5DkUQGtFCg==,iv:Txk6VxJBpTqX0LSSG7E0YfbX+cC3IOZqVgYnd2xo0Js=,tag:iNo/IcN+kmKaiHJ2fj7+Tg==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBGOFN3\nV0NlMGlQQk9vV1lEbzNUblFhM0txSTAzaFpDUjIvRm01Y1VmSHdVCmk4QlVKMWdP\nb3dsZ3Rjck1oZVpUbHhKOFQySnM3V3U4ZkxRMUphR04xTkUKLS0tIFYyOC9kTVcy\nNDRBM3dJQytPV0tpbzlIVHV0VkY4UTRWV0dESnhYSml4cFkKt/wD5ek4xPnbOtwG\najBP7abkv4xiQ5v5zpOs/fXahL7YZqNNc1Vze3OqfcnAdIP8TRJnTC3aduUIZlIR\nq4mFsA==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-06-18T07:17:47Z", 11 | "mac": "ENC[AES256_GCM,data:EwAApsXXtrAkXwlkXnVS2Yf9Jx5fxRONtSzqzGKnLLoYSvdujZCb17n5WS8PYSsP36huyYjnS5eKUnX2IQgBjeVJ8A4iVCW047S7Tx0LJQwp1lOzKEy/978ld6sHnM8Dw6dotFicM4Vx26mxa24ofB7zRNEKd+AGoHQqvJuIbm4=,iv:yCCxIAeRweenWM/D9hmGSOclZSo+JSRQsFEUavjuZjY=,tag:n9Yp+8mZvpbWm8hYIFf8DQ==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /vars/per-machine/sigma/user-password-enzime/user-password/secret: -------------------------------------------------------------------------------- 1 | { 2 | 
"data": "ENC[AES256_GCM,data:bLkGVOnSsoT1M3/0Vr/7tmkgZfxR9Q==,iv:QS74jcQPYnKo6yYz1GZT9BQQ2uP8i688SvFdCBSWgb4=,tag:n9lxWtfqfurVdHIAQqIW3A==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBLbERB\nUVR2dXhaUmxsZXN6NVpTdUIyc3htVk9VOWNlV1EwU1c4eVNvUnlnCitaNDMwRVo5\ndnlWQ0pHOFplaWVkU093Z1dtTHcwRTI3TTdQU3d3OXl5N0UKLS0tIGdIR2pQWTZo\nOGFuak4wTVdXUjJGcXVnUUhrQ3RWSG1wYmV3clBGVVBNNDAKOc3xHWstbxk7WAcQ\nGG7FZQikE3K9Hjcia9akwjDJw4OaCZD9MgZdkYw5wewYXei92ltuDfmeOtUZ+HQp\nfavcTQ==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-07-07T01:53:54Z", 11 | "mac": "ENC[AES256_GCM,data:4zvsMS3ta+vQMHCLFCheRBCamqOBNTSXuM/IfNkqcKt3zMav9algmQ17E0mn/hGd8PjO1HcrEbZfxOqzCuwSuPQ0PlbSHPaHsqED+YMJo/kECEEsqaWJrmyuKRoNgBBW370dE8C6yMgQOItGduU0SGKx5TEGwfficHtXqb8OL+k=,iv:VV078xzo9OXUzo2p/b2g9gMroR3Rj6WDj6or9tb2+rQ=,tag:+HKxbMHIFyQpTgi7Ja5j0w==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/user-password-root/user-password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:8BfGWVwzWvbH2Ho68kZQe9c8KpqM7gcC7tAmX+lN,iv:qAwkYL8uaF3Er3rg0JS4Dy9RIKnZJWyrRvwkZGp4jW8=,tag:FNBWp9AM6m3usEbRhla6dw==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBkN1lh\nTGtkS1d6aHd1TlpxZ04vZ2JRSmVMQUFIU01GMHljTzR1RDJRbXg0CnEzSXcrNHUy\neFNzZ1BxNUpmNi80Z0FPRXFCdjhoVkFvVWxEK2J5ODFxWTQKLS0tIGhqekN3UnlY\nejY3T1QyZ0diNVZvU1RUdTZpa3o4am80V2hVWkt2ekNJMVEKDRrrsubhfhetZo8W\na1f2ZLT6+8hCi7prv0xUUOad0pvIC5kJLWxm34Oii3QjiLGqoqmx0j6/DkqpUuv4\nw+APYA==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-06-30T10:32:21Z", 11 | "mac": "ENC[AES256_GCM,data:Oy7mhvYxMENiC1V5TUK/NrMt0WCNDR0TnSYMHjY3WVYd3+tdmt7qMUY1fOpVLjOrAimj1UbS77cSU+fsvNarnnCfi4PI7oFOaOmatitHlGHxHa8XiHuptF6eJXntcEMoLJegYZUGQPwOjRVFUdNNjlSxI+FGYi63uWjTvd+J54Y=,iv:sXNODhDGqHwtc2+6bwcVD4eIRclxvEbs9P1fR30F/yg=,tag:lPHimwubmYWgSwhP1bgNwg==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/restic-backblaze/app-key/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:JIxgCQGIaUPowrzO01gepzofcXMCKou9RswBP+aiayE=,iv:FRz1uS/7rMGAR/mYic6IM2ld/0LYwALnXHNHjeHYrJM=,tag:ix+thvBltPkOmr6bDC6Jpg==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBOb1pn\nS1lOQnVWd2h0Q0RYVldjN3gxdVorb3ltRFJaazZ2MC9XRWpWRXhFClpHaDQyZktx\nNlpORFZJMXVwanlpYWhzWU1RM3ZVeExrQzFubHovV0ZLMDgKLS0tIHVYQ1J3NFh1\nbVN5a1dqMlhLUU50Yzl5a1EvdGp5aFNkVU1uUFM2NzcxTjgKg9HZu7FP5ffdgycn\nctTBupha/QzJ/5/le+kvkAKZi8bc2tync5oQLuJEY6LVubuoQPPShVxIgjXCP9P/\no5igQw==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-11-17T09:12:47Z", 11 | "mac": 
"ENC[AES256_GCM,data:36BKuMJ0jROvyJwj3wNeZOvYsbOPdr9GyuYgFMbp5hKkGyQ2AEMlBf8Zzs5ZU2jbjQ0SLSqoU4YpRPkuSTJkbhAfP5G7KU3SbbHL8pFpcVO9CEsLfFfFgJhn6WVDIsPVuOK+6/3moUM5T0iGHjvLmop9Vz5uDP9fLxbWkGZSaAo=,iv:cYYnyci5oExuEPD2/6mkbggzg+iLu2i1jytsjY2kuMA=,tag:joxT/0zVDx9mnszuE537fw==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/user-password-enzime/user-password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:t2pjrf+BgSc7jRsXoXurMJ1NqoXOoA==,iv:KLhpjB03nGfLMsQho7vZOzDXPTvL8OAi225Y93U0UVA=,tag:IxxEMGTNBCU+TiBtTfw/LQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBqZHhv\nVmQ4aG5IdUFrenBlYXRmMEhacEx6VnBVTmdCVUx3eU9zQ2w1NHpBCldBTTJRODI2\nVlBIeVJ6SWZ4SS8zY0tEUFZtdFFkaUN2TnNyTkJDKzlGR2MKLS0tIGFhKzRhdUdW\nTGR1aFBlamlkd3pVNzJEWXBzUFBDdmxrNE9sc3BqQldVTFkKVn+nqlD0NNkrrTQO\nZ87iZfLGmcaA8u2yK5q5jx2buJOzn5Y1q/t48wtg2351iMB1KyBbPcCrXFivUQKi\n4rOZ0g==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-07-07T01:56:16Z", 11 | "mac": "ENC[AES256_GCM,data:syIN+bYXTtmsM4K8rRI1MSrxzhjHWqIYPMRsfG5yZxljRuDWoxgHw2mYMq6cx2Y3Qh2hHr66AnguOPQtG/bV4fMZ1r68NQFLzPNMpNNrPcQWE/+fdI2I47yE/kqG56NbprLEsyrTV+T28ZqSsA9bh84hHUckrEhYDwBQaOlHYXE=,iv:e6qyjYcTe8TYPA27PTWpDXmyR2tgj//hESmLFjdYMaA=,tag:j/ua0311H3rZLimnEZyklQ==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/emergency-access/password/secret: -------------------------------------------------------------------------------- 1 | { 2 | 
"data": "ENC[AES256_GCM,data:6+KwoJ2yqN2MMKd6lWzurO6Trqh38EWjOCcKgntT/Jc=,iv:U/Wr/p/CQfUdf9djxlJv+qE5VSlIhjphHhfBh8glABY=,tag:MLIcYaoCqTfVJQL2RnjCjQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBkalV6\nNE1SWHE2bXArR2pTV0hXOU5jZzB0WUxvMGM4NFM4UElLRU8rRFZFCkp0STB6NFJS\nSXk4Z2ZVdWdsUHhQdmNwNEpobDNRR3BMV3ZKWlBrMlNmdDgKLS0tICtxaWQ2dC9K\ndmJoS3p4SFQ2bWVtVitxbzN1OW52bERFUlpWdnlwaGhmSUEKWmvmrlqT/3Ktkdzx\nA8iizCjj/zUo+svAoxkbAD6MgplFu8sbWnTda7TzsK9yn9DP+HKOq7LrOzcCgB6+\ndWPpAQ==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-06-18T07:17:17Z", 11 | "mac": "ENC[AES256_GCM,data:w3yHWMaiqjpypBIdW7ol+Kp1MA7rwq0RNJ8u3+bSdRRAGSu+1KgMJxg5hpfk0VopugdLdrvQZ0HXAKtrvogHaZrno5bUNjA6Fe6NwJgNFWT7u5U2keDJ1W5Fzke913CZnGGRNJAusNdiowzUK7ULGsL72aaQNdkHDTYGOvvVwM8=,iv:UJTkHZay6sRpZmn2HdhD8iK/HgX71sK6ViPPT9RtZpw=,tag:YCAUDZ/ZhZpyoET3LIE1Bw==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /vars/shared/acme-zoneee/api-key/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:6e9c+J5zqbPfb4lPRMWl/2yTw56Pi5Y6uqfD8ViAhcLCldTzMmMM3WSaIpneeYpD4Xc=,iv:d7PG8NEaPI6hQaQPHxHxQ60tQf+bwXW+J4vciy32ApM=,tag:OXJFPAlTTBjQ63GyGsiN5g==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
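FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyAvQ1dZ\naWhuVitsaXRCaThkb2NZRTBMR0poZWY1WHhHV3NKc1pBZUpUd2xrClg5ZFJyelRW\nd2JUS09SS1RQTHhrbjNYT3VmeDJUdUs0ekhVUDFicWJmcUkKLS0tIHJucFkzM2hj\nSmZreFUvNlZGWWRaVFlISmQxbGpiTitYMzJFdGwyVHJ0MEEKfp4LZuX/xZflvT0X\nJRtLPZB7Luv9jnbZ6baATtUewQQNgh5zqtDKvQORU0UIJstPiHfIM9zmKbERuCq0\nW1uMLQ==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-07-04T03:25:37Z", 11 | "mac": "ENC[AES256_GCM,data:BTle9wPosRxYvarFrgJXbEQw9KbpRCcIjLoqw3leklbGR5OS+NMxfAIpUBhv794jY5x8ya2A2nm9MPIruqUuWKkmUKhbYStpN1HirQuWTPgl3LrZgtdbcrrcIO42958IPcMf//pHvxNxXc2MpdbT/ybPyBez/FsmImwpdw0wtUE=,iv:ABKJ+FeEdE3EKAkj1MZVNh3FEV/2x4JTuTwmVRExGgg=,tag:hgfxfK4Y9s6uS0MY9yXxDg==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 |
--------------------------------------------------------------------------------
/files/commands.py:
--------------------------------------------------------------------------------
import os
import shutil

from ranger.api.commands import Command
from ranger.ext.safe_path import get_safe_path


class backup_edit(Command):
    """:backup_edit [<filename>]

    Move a file aside as a backup, then edit a fresh copy under its old name.

    The target is the given filename, or the currently selected file when no
    argument is passed. The backup gets a ``.link`` suffix when the target is
    a symlink and ``.bak`` otherwise.
    """

    def execute(self):
        """Rename the target to its backup name, copy it back and open it."""
        if self.arg(1):
            original_filename = self.rest(1)
        else:
            original_filename = self.fm.thisfile.path

        if not os.path.exists(original_filename):
            self.fm.notify(f"{original_filename} does not exist", bad=True)
            return

        if os.path.isdir(original_filename):
            self.fm.notify(f"{original_filename} is a directory", bad=True)
            return

        backup_ext = ".link" if os.path.islink(original_filename) else ".bak"

        # presumably get_safe_path returns a name that is not already taken,
        # so an older backup is not overwritten; verify against ranger
        new_filename = get_safe_path(original_filename + backup_ext)

        if not self.fm.rename(original_filename, new_filename):
            self.fm.notify("Failed to rename file", bad=True)
            return

        try:
            # copy() instead of copyfile(): copyfile() writes only the data, so
            # the editable copy of a private (e.g. 0600) or executable file
            # would be created with default umask permissions. copy() applies
            # the source's mode bits once the data has been written.
            shutil.copy(new_filename, original_filename, follow_symlinks=True)
        except OSError as err:
            # The original now exists only under the backup name; say so
            # instead of opening an editor on a missing or partial file.
            self.fm.notify(
                f"Failed to copy {new_filename} back to {original_filename}: {err}",
                bad=True,
            )
            return

        self.fm.edit_file(original_filename)

    def tab(self, tabnum):
        """Complete the argument with entries of the current directory."""
        return self._tab_directory_content()

-------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/user-password-root/user-password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:l3aL2lKSAqFlKILv8AtPYw8xiCUUAjr1tmrP/b/rZw==,iv:H2yoAF4jZ6lsv0JEejO/nzIOb+oQXHWHR0YRm5Pqw4A=,tag:zspGyNYBgHXfg4Rnpz9B+g==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBtd214\nMXF1bThkSEtvcVRxNmk5M1NZcmE1MUZLNUgrREF6RFpuRGZvams0ClY1NEJjcGgz\nMnIrVU1xNkZzbERCM0FCUUNZVHdIY1hMS3ZsSXJQc2tLLzgKLS0tIGdNbDBBb1ht\nVVVLWDVWUHc2aW8wZ0tKV3UrbW5MaFRYWWhqenQxbm5pVmcKSHF8ePTP1XekBY0i\nmZWUNmorvjfT0L6a59EriXwtajCmNHUQsBUUgrckta/JVgywt8pupFYxaIq3GFXq\npQ9rrw==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-06-30T10:31:16Z", 11 | "mac": "ENC[AES256_GCM,data:rpSTtIPoDBgnNSsqC4TJYjU2ux9SIHGK/6NezfWZL8JE9yFfu6E+1ZD7qhuoTILMg3mSqo3AyirMwyjyJ0xlfOKzycpdlLj/+dZadGQJ8VYa7O8sr4Y+s9WUfOL2WoSvhPUbrJv3sLP+cQY7ndkOMrQxma+Jge9e/58GoJu+JlA=,iv:0bkE3vG6xqepc1L80OyiPkgjv9ar5PW5F5O/t+/2Mw8=,tag:e+Wc0+m9AX1jTNEQ+vU/Kg==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /vars/per-machine/sigma/user-password-root/user-password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:7lplFJUZgKf9EM/UhG3DR1MEUaAVk2TV0v+tGYa2Jjb8xA==,iv:EcWPI4D+gAVZg+gyKzfp1TjZQX2wVIUzol3B+f43f4U=,tag:06PucxXEteHGVVo4O4cLTQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519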
AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBoK0Fl\ndDhzaEhhckZDT0tXdXhYS3Q1eE1PUVBTUitFTWU1aWtSY2dFVXhRCkFSaFEzY3pM\nN2lkNWovWFp0LytMZkFqNS9PMFpnT1c5VjgrUE5HZDFLdGcKLS0tIDNBUm5MQnJu\na2pWd3JyTVBJbXozTDEyM25BbVkyN0gxNjE1M3RCcmp0UzAKjOcfK4iGMmK4IDwP\n64UffqVA5T1ic41NkIDcwyuJes5pgvp7fowugRRTqJWq382ez7BemCHqX7wlqXY2\nK0GTSA==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-06-30T10:31:21Z", 11 | "mac": "ENC[AES256_GCM,data:jzh1JMXI3wvnXfdX5R1lIgbWOyfhcwZ5WLZilFQVWAq7uuUyUjS6Mo1nDWLcWg9lRgzISTBzcmjNgeptq0rCDWunG/oTdr36D1jDE30GRFkC8WXGkaY0srq1kf2Kj2zklsBW7jJAho67CYqIZBbsrIbih6JPRQlhqAsovaAaY2A=,iv:gQFeWSE5KmFKKN3xdJWQCM80PjcueF8rsbTL5C7zg4s=,tag:NHvDzXSUqEtMfVgT+br+DA==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /sops/secrets/gaia-age.key/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:nRjCnGopCiI46IKbgsoZvNyn/CaXHA8UqLfLzSwh2A1GH/nKv7l7vl7qsZzcpMYlKHM4a1qbil+8fu8/lRwa5ihzn6jZShtVLTc=,iv:VM+gs1fJcNzmXX8jgNU+y1J15IrIlpo1F1k4xurJR24=,tag:Tk1fuXhgfSJ2rhx/p3a0sQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBacVBN\nbDZzQy9aMTFpRGthVU1iSW9USHRZa1E0M2FZYW1QMUlvSHZmNm5JCkhtTDlXRWN5\nbXJ3UmNYY2V0Slovd1pTTUZ0clJzeXEwSWZzWWZkS3U4Z0UKLS0tIENSdkVMeEJm\ndlFrTkVzNm5HbkpyTS9Hc3lYSU5VR3FIc3IwNld1NFpTTW8K5xcx4j1/ceLtGPzk\nAEhayiZI0ufZPqWX5PbolK8K0zPKdN9PRAl7awUgTEYoWMc3mS1uFwhAmcOGCnPu\nNGfhxw==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-06-11T10:20:31Z", 11 | "mac": 
"ENC[AES256_GCM,data:vZIt5i7x4IYOnc90HLFoFVe7sC1esGyAzmFIXqeazMCfi8Fy4bLs11LyAA420L4lIG4mQM2YhMWjIHXnoXf8LY5C9chvdv02gFzqTYoHgtqfk8vE96C0ewtXYades7Ud+owd68Yj37wXhWVfYoUYrrL5mTsAiJkv8PEh40pBQ60=,iv:Q1e7XelM0elZvjiv9N68T1hz6w3RcjS8gMTovtYJmMk=,tag:+tA+h75Fwqsl683WfmmBjQ==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /sops/secrets/phi-nixos-age.key/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:EcccG85fRxYwtE0iEQxwdKhDI3TiXY37z6SnYXNHjGsQ7n6KQQ7EPRopx0eB127719O+Q1PibAXwZ+BV8j0mPxg8DufJIJsfmLg=,iv:MVqYCA1731VNX8iA9F8yE/NHHYkN3eBBzpCA4bDFDr0=,tag:Ct6iuv6oo+21IyIYAkNDGQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBTSTVI\nZFhhUStlTk5kem5IYTlkOGdXd29IRnZEVlo4NHJjMU4yS3ZjMGlBCllFZVlHNkc4\ncXVyby92ZkNjOXRxa1ZlNENHaDNGdSt5YmhySkRDWUllWmMKLS0tIHhYSWd4NTJB\nTmlvMGFCbkNxSnFhNTFiWkdRRnNQRWVEb3VlZTd2Y2Z5QTgKAa638D/njlABN65f\nrEqefyWnmWrKresyPx7nRdzpd90Aqe4yPyRjd59vPHspDpui9KUlac6YBi3aWV2m\neWbo7g==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-06-18T07:17:04Z", 11 | "mac": "ENC[AES256_GCM,data:SQfrgy9fqzyBR0snFPAL26FOsJZRke3oK6Jd6h2CmJE5Y+cort+M7FlW5FOQMcEvnuOdoZaoaVKiOIqgj1Jb2b5LNUE9/iKGary1kl6pve0odOgrlYAnYPwqOcGCJP7JIvkzFkme+KYI28ACbdyZLLhU562rrMsxsjH6G49ZMic=,iv:Msd6VZCjxEeM+6QqKj4qh6vwYZBri5Ft1x1/0RlJotw=,tag:EW4Ka5yPSkRQM6YLOM9dJg==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /sops/secrets/sigma-age.key/secret: -------------------------------------------------------------------------------- 1 
| { 2 | "data": "ENC[AES256_GCM,data:TCG5K+hn/c1DG3uYymt87rAoPge2IkE5RF4cp1HBE3TlOrXh9YTCF9pt7EcSEvaU44qw3oyURF9MlGhNK9baJFuWl7JqDT5a7Jc=,iv:2VBpE0RAsFRps8YeURlfRrijf/g6wOZtHm+hGVUMWmY=,tag:m50KcgnEZlKbCJOP4f3mlA==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBnR2ZR\nQVBnWk05clJWUmJrNHBNSnFTWUwrOHRPUDlmMGtzc1ZUbWpYYXpJCkhoQ0V1dGUy\nUDRWalZ1cURMS05Qc3pQL09sY015bDlXTnU3azVMeVZsS00KLS0tIDN0MW9tNU9P\nSXJDWFNHalV2Y0d0NUx0bmhVR1hybzJOMG05V2xVWWJ3VWsKSvXy39/0NS0w5pFs\n2jBAI61DsFfYkQjXV5HxELZhur3gj/ZrkT9oZ1AZlptxm1sFSTeTGx5a9+n1WPEJ\nsxSLwA==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-06-18T07:17:20Z", 11 | "mac": "ENC[AES256_GCM,data:l1Uw+vc4IkTwP1mzmewgGkDns3gYB0GdMAzdtbWUFuk2Cce3/u7CdEAF+UQZPX6X1grSODWui+vHxg/TiZlVyzpmepSO7FF9J52Nz8+z6iXundskDVjvnysaf3W3+l3Qb4DF/rcAdR4EOpgZCZjWfvcOOcOjQdapmXCybhLQ1vg=,iv:PtHsaiLxTMmzxaN4Elw75jsDvMsqKJRkJ3TVUb5uvlI=,tag:Y4gD5xRdbFhKwbp2or0VXw==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /sops/secrets/hyperion-macos-age.key/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:PLFFfc87YFPvkDqZdkUkWhezu3bjuzUbCiAorA3KiQfO5lk0J+dh3YnQhq/W/uIs8qC3S8Bv4j31N9xEZC9Cxkma811lruIuL4g=,iv:xVXJuZ07PE4uMPrU9a9iDU2Hd1Vq4gUgdwEiDcwMU0Q=,tag:n5OLTaO64yPLrgXnG59pBA==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyAxRE5n\nZ3QrNFAvQzltR28yRHhsQitFbGFHWEU3a3I3SStpM0FuR05oTlJNCnhPVVovMFFj\nR1pKSVpNd2I5bXVnb3M1aTY3MWxSVldBOW5tRTN0dHBhajAKLS0tIE9RT1VwN1Fj\nRzJQVmprVENtMUlyTlJjQjRZOEhGdFBnbWRLdnpKUVdicE0KpA3WxacarWlZ+3/S\nvexfAQkDBFxKXZXAK6yVj1FRYd0AoEXlPU8FaD9WDqvK2h0H+mU8Xoj/hW6kdk6+\nY6WcOw==\n-----END AGE ENCRYPTED FILE-----\n" 8 | } 9 | ], 10 | "lastmodified": "2025-06-18T09:08:36Z", 11 | "mac": "ENC[AES256_GCM,data:h7KQZyongOz+mH7SJNd5oYdWlBIa4ejnU8aguY/I0QzHbuoc1RtT2c67N6b7NB0bwcwDwUGvg1O6B73fKG0nCT8xbIdFGtdKZ4PHG9aTDO13lVSqABY8Z9PqwRrLeSi5YouzkR4XJZvCcNQs8CtZWOIbJZez5OBQuCcrS4HKb+0=,iv:qdALNRiyY4cAwKsfoO7ZyJcYkOZNgYe2F/OnH8jbm3s=,tag:Mz+RwnyR5/hcMYbrlSiuUA==,type:str]", 12 | "unencrypted_suffix": "_unencrypted", 13 | "version": "3.10.2" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /overlays/terraform.nix: -------------------------------------------------------------------------------- 1 | self: super: { 2 | terraform-providers = super.terraform-providers // (super.lib.mapAttrs 3 | (name: plugin: 4 | if super.terraform-providers ? 
${name} then 5 | throw "terraform-providers.${name} already exists" 6 | else 7 | plugin) { 8 | valodim_desec = super.terraform-providers.mkProvider (let 9 | version = "0.6.1"; 10 | owner = "Valodim"; 11 | pname = "desec"; 12 | in { 13 | inherit owner version; 14 | repo = "terraform-provider-${pname}"; 15 | rev = "v${version}"; 16 | hash = "sha256-+uOXwta9/Fq9SnW66HfgpIEGtc2qelfLYSIUdyAnmfY="; 17 | vendorHash = "sha256-z6J9ivGBk60y/ICGV2D4tQpBOz0y2O9lHDaqXy5zf1I="; 18 | provider-source-address = "registry.terraform.io/${owner}/${pname}"; 19 | spdx = "MIT"; 20 | }); 21 | }); 22 | 23 | terragrunt = super.terragrunt.overrideAttrs (old: { 24 | patches = (old.patches or [ ]) ++ [ 25 | (super.fetchpatch { 26 | name = "support-s3-endpoints.patch"; 27 | url = 28 | "https://github.com/gruntwork-io/terragrunt/commit/75e10069932050bd52912a027ea3e53b507bbbd3.patch"; 29 | hash = "sha256-I5HLv893ZmL8t19PPrwFrzfJgUcw72UdGEFOY0iXZHk="; 30 | }) 31 | ]; 32 | }); 33 | } 34 | -------------------------------------------------------------------------------- /modules/nextcloud.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ "acme" ]; 3 | 4 | nixosModule = { user, options, config, pkgs, lib, ... }: 5 | let hostname = "nextcloud.enzim.ee"; 6 | in { 7 | imports = [{ 8 | config = lib.optionalAttrs (options ? clan) { 9 | clan.core.vars.generators.nextcloud = { 10 | files.admin-password = { }; 11 | runtimeInputs = [ pkgs.coreutils pkgs.xkcdpass ]; 12 | script = '' 13 | xkcdpass --numwords 4 --random-delimiters --valid-delimiters='1234567890!@#$%^&*()-_+=,.<>/?' 
--case random | tr -d "\n" > $out/admin-password 14 | ''; 15 | }; 16 | }; 17 | }]; 18 | 19 | services.nextcloud.enable = true; 20 | services.nextcloud.package = pkgs.nextcloud32; 21 | services.nextcloud.hostName = hostname; 22 | services.nextcloud.settings.trusted_domains = [ "reflector.enzim.ee" ]; 23 | services.nextcloud.https = true; 24 | 25 | services.nextcloud.config = { 26 | dbtype = "sqlite"; 27 | adminuser = "admin"; 28 | adminpassFile = 29 | config.clan.core.vars.generators.nextcloud.files.admin-password.path; 30 | }; 31 | 32 | services.nginx.virtualHosts.${hostname} = { 33 | forceSSL = true; 34 | enableACME = true; 35 | }; 36 | 37 | users.users.${user}.extraGroups = [ "nextcloud" ]; 38 | }; 39 | } 40 | -------------------------------------------------------------------------------- /modules/alacritty.nix: -------------------------------------------------------------------------------- 1 | { 2 | # OS modules are required for running `ranger` as `root` 3 | nixosModule = { pkgs, ... }: { 4 | environment.systemPackages = [ pkgs.alacritty.terminfo ]; 5 | }; 6 | 7 | darwinModule = { pkgs, ... }: { 8 | environment.systemPackages = [ pkgs.alacritty.terminfo ]; 9 | }; 10 | 11 | homeModule = { pkgs, ... 
}: { 12 | home.packages = [ pkgs.alacritty.terminfo ]; 13 | 14 | programs.alacritty.settings = { 15 | font.normal.family = "DejaVu Sans Mono"; 16 | font.size = 10; 17 | 18 | colors = { 19 | draw_bold_text_with_bright_colors = true; 20 | 21 | primary.background = "#0d0c0c"; 22 | primary.foreground = "#fff5ed"; 23 | 24 | cursor.cursor = "#00ccff"; 25 | 26 | normal.black = "#0a0a0a"; 27 | normal.red = "#e61f00"; 28 | normal.green = "#6dd200"; 29 | normal.yellow = "#fa6800"; 30 | normal.blue = "#255ae4"; 31 | normal.magenta = "#ff0084"; 32 | normal.cyan = "#36fcd3"; 33 | normal.white = "#b6afab"; 34 | 35 | bright.black = "#73645d"; 36 | bright.red = "#ff3f3d"; 37 | bright.green = "#c1ff05"; 38 | bright.yellow = "#ffa726"; 39 | bright.blue = "#00ccff"; 40 | bright.magenta = "#ff65a0"; 41 | bright.cyan = "#96ffe3"; 42 | bright.white = "#fff5ed"; 43 | }; 44 | }; 45 | }; 46 | } 47 | -------------------------------------------------------------------------------- /modules/termite.nix: -------------------------------------------------------------------------------- 1 | { 2 | # OS modules are required for running `ranger` as `root` 3 | nixosModule = { pkgs, ... }: { 4 | environment.systemPackages = [ pkgs.termite.terminfo ]; 5 | }; 6 | 7 | darwinModule = { pkgs, ... }: { 8 | environment.systemPackages = [ pkgs.termite.terminfo ]; 9 | }; 10 | 11 | homeModule = { pkgs, ... 
}: { 12 | home.packages = [ pkgs.termite.terminfo ]; 13 | 14 | programs.termite = { 15 | font = "DejaVu Sans Mono 10"; 16 | scrollbackLines = -1; 17 | colorsExtra = '' 18 | # special 19 | foreground = #fff5ed 20 | foreground_bold = #fff5ed 21 | cursor = #00ccff 22 | background = #0d0c0c 23 | 24 | # black 25 | color0 = #0a0a0a 26 | color8 = #73645d 27 | 28 | # red 29 | color1 = #e61f00 30 | color9 = #ff3f3d 31 | 32 | # green 33 | color2 = #6dd200 34 | color10 = #c1ff05 35 | 36 | # yellow 37 | color3 = #fa6800 38 | color11 = #ffa726 39 | 40 | # blue 41 | color4 = #255ae4 42 | color12 = #00ccff 43 | 44 | # magenta 45 | color5 = #ff0084 46 | color13 = #ff65a0 47 | 48 | # cyan 49 | color6 = #36fcd3 50 | color14 = #96ffe3 51 | 52 | # white 53 | color7 = #b6afab 54 | color15 = #fff5ed 55 | ''; 56 | }; 57 | }; 58 | } 59 | -------------------------------------------------------------------------------- /hosts/phi/terraform-configuration.nix: -------------------------------------------------------------------------------- 1 | { hostname, ... }: 2 | { config, inputs', lib, ... 
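}:

# Creates the Backblaze B2 application key that restic uses on this host and
# stores the key id and key secret as clan vars via a local-exec provisioner.
let clan = inputs'.clan-core.packages.clan-cli;
in {
  resource.b2_application_key.restic = {
    key_name = "restic";
    # default list when manually creating application key through Backblaze web interface
    # NOTE(review): this is broader than a backup client is likely to need
    # (bucket encryption/logging/notification/replication writes, shareFiles).
    # Presumably restic only needs listBuckets plus the list/read/write/delete
    # file capabilities; confirm against the restic B2 backend docs before
    # trimming the list.
    capabilities = [
      "deleteFiles"
      "listBuckets"
      "listFiles"
      "readBucketEncryption"
      "readBucketLogging"
      "readBucketNotifications"
      "readBucketReplications"
      "readBuckets"
      "readFiles"
      "shareFiles"
      "writeBucketEncryption"
      "writeBucketLogging"
      "writeBucketNotifications"
      "writeBucketReplications"
      "writeBuckets"
      "writeFiles"
    ];
    # Restricts the key to the restic bucket defined elsewhere in this config.
    bucket_id = config.resource.b2_bucket.restic "id";

    provisioner.local-exec = {
      # Pass the key material through the environment instead of interpolating
      # it into the script text: the rendered command string is handed to the
      # interpreter as an argument, and a quote character in the value could
      # otherwise break out of the quoting.
      environment = {
        B2_APPLICATION_KEY_ID = lib.tf.ref "self.application_key_id";
        B2_APPLICATION_KEY = lib.tf.ref "self.application_key";
      };
      # `set -e` only, no `-x`: xtrace prints each command after expansion,
      # which would write the application key into the provisioner output.
      # NOTE(review): confirm that `clan vars set --debug` does not itself log
      # the value it reads from stdin.
      command = ''
        set -e

        printf '%s\n' "$B2_APPLICATION_KEY_ID" | ${
          lib.getExe clan
        } vars set --debug ${hostname} restic-backblaze/key-id

        printf '%s\n' "$B2_APPLICATION_KEY" | ${
          lib.getExe clan
        } vars set --debug ${hostname} restic-backblaze/app-key

        ${
          lib.getExe clan
        } vars generate --debug ${hostname} --generator restic-backblaze-environment
      '';
    };
  };
}
-------------------------------------------------------------------------------- /overlays/zellij.nix: -------------------------------------------------------------------------------- 1 | self: super: { 2 | zellij = super.zellij.overrideAttrs (old: { 3 | patches = (old.patches or [ ]) ++ [ 4 | (super.fetchpatch { 5 | name = "add-tmux-session-manager-keybinding.patch"; 6 | url = 7 | "https://github.com/Enzime/zellij/commit/7f4d1e773cb26ab1b0e3800f9d7f90245adbe596.patch"; 8 | hash = "sha256-JCbcwXTd6SXmSuZtf7m+3NdVhJoOxUM6JS2xozGkSpg="; 9 | excludes = [ "**/*.snap" ]; 10 | }) 11 | (super.fetchpatch { 12 | name = "fix-tmux-ctrl-b-o-not-returning-to-normal-mode.patch"; 13 | url = 14 | "https://github.com/Enzime/zellij/commit/a9bea4570f728f08dff631067ab11445d777be6a.patch"; 15 | hash = 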
"sha256-0Iyc+l1GhyDxjei3RQdC2MPepMnEjD3mVYbxPfoYk38="; 16 | excludes = [ "**/*.snap" ]; 17 | }) 18 | (super.fetchpatch { 19 | name = "fix-tmux-ctrl-b-space-not-returning-to-normal-mode.patch"; 20 | url = 21 | "https://github.com/Enzime/zellij/commit/307aa4dff818e4c5808384e6e60250368e00f253.patch"; 22 | hash = "sha256-MjrUI//hq49wcyyuJ5CtUiMqaLGKhlBTz/rXw2qUAMA="; 23 | excludes = [ "**/*.snap" ]; 24 | }) 25 | (super.fetchpatch { 26 | name = "report-osc52.patch"; 27 | url = 28 | "https://github.com/Enzime/zellij/commit/60acd439985339e518f090821c0e4eb366ce6014.patch"; 29 | hash = "sha256-hG1VEtydGy3Q9vL2pL/lVEWidq5OcWQWLXay5HpvU7s="; 30 | }) 31 | ]; 32 | }); 33 | } 34 | -------------------------------------------------------------------------------- /modules/acme.nix: -------------------------------------------------------------------------------- 1 | { 2 | nixosModule = { options, config, pkgs, lib, ... }: { 3 | imports = [ 4 | { 5 | config = lib.optionalAttrs (options ? clan) { 6 | clan.core.vars.generators.acme-desec = { 7 | share = true; 8 | prompts.token.persist = true; 9 | }; 10 | }; 11 | } 12 | { 13 | # WORKAROUND: `security.acme.defaults.dnsProvider` isn't properly propagated 14 | # https://github.com/NixOS/nixpkgs/issues/210807 15 | options.services.nginx.virtualHosts = lib.mkOption { 16 | type = lib.types.attrsOf 17 | (lib.types.submodule { config.acmeRoot = lib.mkDefault null; }); 18 | }; 19 | } 20 | ]; 21 | 22 | # security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; 23 | security.acme.defaults.email = "letsencrypt@enzim.ee"; 24 | security.acme.defaults.group = config.services.nginx.group; 25 | security.acme.acceptTerms = true; 26 | 27 | security.acme.defaults = { 28 | dnsProvider = "desec"; 29 | # WORKAROUND: propagation takes a really long time with deSEC 30 | # https://talk.desec.io/t/global-record-propagation-issues/332 31 | environmentFile = pkgs.writeText "acme-environment" '' 32 | DESEC_PROPAGATION_TIMEOUT=300 33 
| ''; 34 | credentialFiles = { 35 | DESEC_TOKEN_FILE = 36 | config.clan.core.vars.generators.acme-desec.files.token.path; 37 | }; 38 | }; 39 | 40 | preservation.preserveAt."/persist".directories = [ "/var/lib/acme" ]; 41 | }; 42 | } 43 | -------------------------------------------------------------------------------- /hosts/flake-module.nix: -------------------------------------------------------------------------------- 1 | { self-lib, ... }: 2 | let inherit (self-lib) modules; 3 | in { 4 | imports = map self-lib.mkConfiguration [ 5 | { 6 | host = "hyperion"; 7 | hostSuffix = "-macos"; 8 | user = "enzime"; 9 | system = "aarch64-darwin"; 10 | modules = 11 | builtins.attrNames { inherit (modules) ai android laptop personal; }; 12 | } 13 | { 14 | host = "phi"; 15 | hostSuffix = "-nixos"; 16 | user = "enzime"; 17 | system = "x86_64-linux"; 18 | modules = builtins.attrNames { 19 | inherit (modules) 20 | android bluetooth deluge nextcloud personal printers restic samba 21 | scanners sway wireless virt-manager; 22 | }; 23 | tags = [ "wireless-personal" ]; 24 | } 25 | { 26 | host = "sigma"; 27 | user = "enzime"; 28 | system = "x86_64-linux"; 29 | modules = builtins.attrNames { 30 | inherit (modules) impermanence laptop personal sway; 31 | }; 32 | tags = [ "wireless-personal" ]; 33 | } 34 | { 35 | host = "gaia"; 36 | user = "enzime"; 37 | system = "x86_64-linux"; 38 | modules = builtins.attrNames { 39 | inherit (modules) reflector hoopsnake impermanence vncserver; 40 | }; 41 | } 42 | ]; 43 | 44 | clan = { 45 | inventory.instances = { 46 | wifi = { 47 | roles.default.machines.phi-nixos.settings.networks = { 48 | home.autoConnect = false; 49 | hotspot.autoConnect = false; 50 | jaden.autoConnect = false; 51 | }; 52 | }; 53 | }; 54 | }; 55 | } 56 | -------------------------------------------------------------------------------- /modules/ghostty.nix: -------------------------------------------------------------------------------- 1 | { 2 | # OS modules are required for running 
`ranger` as `root` 3 | nixosModule = { pkgs, ... }: { 4 | environment.systemPackages = [ pkgs.ghostty.terminfo ]; 5 | }; 6 | 7 | darwinModule = { pkgs, ... }: { 8 | environment.systemPackages = [ pkgs.ghostty-bin.terminfo ]; 9 | }; 10 | 11 | homeModule = { pkgs, lib, ... }: { 12 | programs.ghostty.package = if pkgs.stdenv.hostPlatform.isDarwin then 13 | pkgs.ghostty-bin 14 | else 15 | pkgs.ghostty; 16 | programs.ghostty.settings = { 17 | theme = "hybrid-krompus"; 18 | bold-is-bright = true; 19 | 20 | quit-after-last-window-closed = true; 21 | 22 | auto-update = lib.mkIf pkgs.stdenv.hostPlatform.isDarwin "off"; 23 | 24 | keybind = "shift+enter=text:\\n"; 25 | }; 26 | 27 | programs.ghostty.themes.hybrid-krompus = { 28 | palette = [ 29 | # black 30 | "0=#0a0a0a" 31 | "8=#73645d" 32 | 33 | # red 34 | "1=#e61f00" 35 | "9=#ff3f3d" 36 | 37 | # green 38 | "2=#6dd200" 39 | "10=#c1ff05" 40 | 41 | # yellow 42 | "3=#fa6800" 43 | "11=#ffa726" 44 | 45 | # blue 46 | "4=#255ae4" 47 | "12=#00ccff" 48 | 49 | # magenta 50 | "5=#ff0084" 51 | "13=#ff65a0" 52 | 53 | # cyan 54 | "6=#36fcd3" 55 | "14=#96ffe3" 56 | 57 | # white 58 | "7=#b6afab" 59 | "15=#fff5ed" 60 | ]; 61 | background = "0d0c0c"; 62 | foreground = "fff5ed"; 63 | cursor-color = "00ccff"; 64 | }; 65 | }; 66 | } 67 | -------------------------------------------------------------------------------- /modules/mpv.nix: -------------------------------------------------------------------------------- 1 | { 2 | darwinModule = { pkgs, ... 
}: { 3 | environment.systemPackages = builtins.attrValues { inherit (pkgs) iina; }; 4 | }; 5 | 6 | homeModule = { 7 | programs.mpv.enable = true; 8 | programs.mpv.bindings = { 9 | "BS" = "cycle pause"; 10 | "SPACE" = "cycle pause"; 11 | 12 | "\\" = "set speed 1.0"; 13 | 14 | "UP" = "add volume 2"; 15 | "DOWN" = "add volume -2"; 16 | 17 | "PGUP" = "add chapter -1"; 18 | "PGDWN" = "add chapter 1"; 19 | 20 | "MOUSE_BTN3" = "add volume 2"; 21 | "MOUSE_BTN4" = "add volume -2"; 22 | 23 | "MOUSE_BTN7" = "add chapter -1"; 24 | "MOUSE_BTN8" = "add chapter 1"; 25 | 26 | "Alt+RIGHT" = "add video-rotate 90"; 27 | "Alt+LEFT" = "add video-rotate -90"; 28 | 29 | "h" = "seek -5"; 30 | "j" = "add volume -2"; 31 | "k" = "add volume 2"; 32 | "l" = "seek 5"; 33 | 34 | "Shift+LEFT" = "seek -60"; 35 | "Shift+RIGHT" = "seek +60"; 36 | 37 | "Z-Q" = "quit"; 38 | 39 | "Ctrl+h" = "add chapter -1"; 40 | "Ctrl+j" = "repeatable playlist-prev"; 41 | "Ctrl+k" = "repeatable playlist-next"; 42 | "Ctrl+l" = "add chapter 1"; 43 | 44 | "J" = "cycle sub"; 45 | "L" = "ab_loop"; 46 | 47 | "a" = "add audio-delay -0.001"; 48 | "s" = "add audio-delay +0.001"; 49 | 50 | "O" = "cycle osc; cycle osd-bar"; 51 | }; 52 | 53 | programs.mpv.config = { 54 | volume = 50; 55 | volume-max = 200; 56 | force-window = "yes"; 57 | keep-open = "yes"; 58 | osc = "no"; 59 | osd-bar = "no"; 60 | }; 61 | }; 62 | } 63 | -------------------------------------------------------------------------------- /modules/clan.nix: -------------------------------------------------------------------------------- 1 | let 2 | shared = { options, config, hostname, keys, pkgs, lib, ... }: { 3 | imports = [{ 4 | config = lib.optionalAttrs (options ? 
clan) { 5 | clan.core.networking.targetHost = "root@${hostname}"; 6 | 7 | clan.core.vars.generators.nix-remote-build = { 8 | share = true; 9 | files.key = { }; 10 | files."key.pub".secret = false; 11 | runtimeInputs = [ pkgs.coreutils pkgs.openssh ]; 12 | script = '' 13 | ssh-keygen -t ed25519 -N "" -C "" -f "$out"/key 14 | ''; 15 | }; 16 | }; 17 | }]; 18 | 19 | config = { 20 | programs.ssh.extraConfig = '' 21 | Host clan-tunnel 22 | Hostname clan.lol 23 | User tunnel 24 | IdentityFile ${config.clan.core.vars.generators.nix-remote-build.files.key.path} 25 | 26 | Match exec "echo %h | grep -q '^fda9:b487:2919:3547:3699:93'" 27 | ProxyJump clan-tunnel 28 | ''; 29 | 30 | programs.ssh.knownHosts = { 31 | "clan.lol".publicKey = keys.hosts.clan.web01; 32 | 33 | "build01.clan.lol" = { 34 | extraHostNames = [ "fda9:b487:2919:3547:3699:9336:90ec:cb59" ]; 35 | publicKey = keys.hosts.clan.build01; 36 | }; 37 | }; 38 | }; 39 | }; 40 | in { 41 | nixosModule = { options, lib, ... }: { 42 | imports = [ shared ]; 43 | 44 | config = lib.optionalAttrs (options ? 
clan) { 45 | clan.core.vars.generators.tailscale = { 46 | share = true; 47 | prompts.auth-key.persist = true; 48 | }; 49 | }; 50 | }; 51 | 52 | darwinModule = shared; 53 | } 54 | 55 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/syncthing/password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:t6InLNnWaur27Bf80rjCNDEIrGy7neM=,iv:7HHbCzOOk2ENzRQujhaRUVSDn0K72ODPc4NGey1ywsA=,tag:Zr6csh+juBEezH2OS+okfQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRHN0UHMrNllUYWxJemZp\nbW9uc2FiR1dLQmlhQnFXSkZ4SmFrYlVrdFJzCjlYSENFcEZjUzdrMUdjcUIvWSsr\nZFIwZU9FS0lHYTBaSTkrdC9oYXNnU1UKLS0tIDFOY0g5L3BtSEMxVzVqM3RoaXpI\nTmw0QXNPSEJhU2RnZ083YStVclIrK3cKmCtELudNwhlbdz0SuM3XzcvADuR4B+bg\noERZfx/UlYUCXUyPgbIln1OqGTSs3ltaxWvTP0twL3eLBuxm71SnsQ==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBVN0tZ\ndTVyTy96VDJhNzdNRmhaVE1xVzd2alVDcDhsSG4xQ1htT0x3V0NFCmZHUUZpOThh\nNTFIQVU2dVpQUnVIaUxCOFVacjZ2NTBOQ09VUnhhWGtCdWsKLS0tIDExZVpXQ0wz\nTFpuTHVYeVVxZ2VjSnorMXlYTTlCNWtqU0xlZldnNzJDMVkKJRBJW6/91v+E9ifs\nwF2+zQOk8y99aro5TUkoKujRrGqECiVrcXBHYOTUUkAiPuxJ16aa8FPWjUm4dkNv\nd2+dnQ==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-12-05T04:06:57Z", 15 | "mac": "ENC[AES256_GCM,data:zUZf2LfcrcCr0WPAkL8As+96mU1MSo74bvswWrjPr4+9msYW0svKgPX/nY51y01sjCM+9iqiBlWqbNLe7FwH1rv/lENluibqWhlLceao3O0OvZtdhCXSrwXoY525V/IaPOI6NLLVOVOy7pzaanMZ5Rwp4Q4+vsal6EPJgoPGx/I=,iv:nMdR0+uJ8A6QS0f1ic3AUipXs6t1RInukcq5qh+J3nM=,tag:RK2e3tPwUnSz18fgW5Re6g==,type:str]", 16 | "version": "3.11.0" 
17 | } 18 | } 19 | -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/syncthing/password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:duy/2p8VPbqus6zmXJ05bq8MD0rsYfyPiutjAVc8,iv:UaupiQL0OqqK4xXCbKMNmBGxN2OnxozgeCyYYYX0Kqk=,tag:2cl/kNUCmffrbBucQZ1wuQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VjE3S3k4ZjJ1aUxPSWpy\nRDRPeG1VRWN2VmsvQVFaNGhtYjdDZTE2eHdJCjlDTFBWaWU1eUVNb3ovQkhxRXdV\nZ1VWdEhsZ1ZGRVRHUnM2U3lYWWpKVEEKLS0tIFZlcGh4NGdhSFRDVTdWVVlBckZQ\nWVBqN1ZOT25FYVlJL0FjVWxvc2YvalkKAEaU6qH5BAslMKGwyNyj0JCazbsUH34a\nXm7dNLwDtZZb/bPdd8eWsT8BvVxr6c8wEmeSMCu0SS1+2Pvg7gvL4g==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBVWEhD\nYVNMQzBjVU9xRjhYRnpqTWoybGJtWnBWVmRaMkxEaHowcEpkYzE0CjZyNzUxWGp1\nWGphcTFjNVpjK2hKZjgreG9iNmZ4WGNubnh1UVBaTlVpcG8KLS0tIGdHM2F0NXpW\nelNWNnhZRUtsYTgvYzFURVFTVjNPeklnaGZxdTgrMG0xcUEKxz/h7HQBdlzM6PON\nJSs78SH4QhXYqiT17QpFIVFYF5roJi3nAcOgO022EVqHCyiOrL+G2wnCM6YfHvVe\nOMNo6w==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-12-05T04:06:26Z", 15 | "mac": "ENC[AES256_GCM,data:jiDdSEsLPwOi15EYYVRxun7lNJtX8G8BVgSctkiVD76pANwHUCODCPlYe7meKm3A12gr5rCrVBSEuhGsCsR/sCvm46vCMs/DHHTSZepNFHhNOrgLEQmu5PvBdMFXQcMs03SnS1qvLsghC14+55Ex/LkCza9+a7+qffOstWug+fw=,iv:Kb/8v4reLYmJFRsCY6egrMXMbjC/gRFP3Fp/CVNH8O4=,tag:yQ7+CpbHRn1GQybDMqN9aw==,type:str]", 16 | "version": "3.11.0" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /vars/per-machine/sigma/syncthing/password/secret: 
-------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:V/4jRDE43/9ykcT9LfoUMSUuMtoJ+tkol5GOuV/ZaQI=,iv:ccwWbpbiOLK2Muzf1QR2TfuehUhMMcVR7fSvSpFT/o4=,tag:gVjIiqJCynxv4oxhQNLX6w==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvQkNkamozMXgwWXkxbkU4\nTC82MHdNbXBETnlhRlM2cjUxSG8yT2hLbVJrCm02Tml5azdJcCtndE5NbXZ2RkRa\nRElEQmk5bTVMd0VWWGpmdDVLdWZkZTQKLS0tIFY3aFNyaDhNTm4vRnIwU2lyak0v\nQTJjcVdIQ09UYWYrYmlybFB5b3JnZzQKtQaz8y04pVrR/AWlLF1feIwM/p/KZYcm\nVYCg49Fwcdiof8e03fNT0VtJNYnk1bjd4kuuBcY2oaaX4yIZeu7zHA==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBjd0tJ\nUnRiRFhpZytyMm5abXhqQ1JMUDRZRndSYlpESS9PdkxjVXZwb1ZvCnNEZGxScXg5\nTHRCZGpULzRqSkVHb2JuZWphc3RyczlWUktWVXJNTXNCcG8KLS0tIEdWRUlmb2lk\nVEcvYmtmL2tzVDBET2h5T3dOZVNLeTBjV3BZUXZLZ1FVbkkKWipdSpTFxY3I+gh4\nsJjC+2hMUR374Qnd1e1cQB4iE4v34ZXBtCfdL27pCgI4DALmPgm9baOEhrjs7bVK\nXYB38Q==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-12-05T04:07:24Z", 15 | "mac": "ENC[AES256_GCM,data:vWt8gvlhQjrxPJyJVhCJm7eKe61DgY39a2ma6yxCd6R5PeRUZSEuenqKB6LZUA9l2LX7if8oxE30TIQefTv5UactPpvYFYVPQWyO54FZYtWrOWXXbS20GN0i8BJpsgViQTSIuX5sbrOean27Y4O9oJPQpxcikmuZGOJ50C0Vk1Y=,iv:r+xKPn+B8CDzbzgmSAb8fbGU4FuYxqolV+lO6tlYHiM=,tag:u9aPCSd0nPYR8Te2IrdB9w==,type:str]", 16 | "version": "3.11.0" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/matrix-password-enzime/matrix-password-enzime/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": 
"ENC[AES256_GCM,data:PHbWfvrDrxOAJN+3viVqR53rCRjY916pUjxP,iv:rhayE+WYIvuHB/lFYHn+L+Vr3sS6oWxHznvjwfvO64g=,tag:Q67J4jaMvW/wIG1GRlvAVw==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2dE1NUXl2VWtFeDJ6OEtW\ndU16bWNyK0FPY05TQmJ2T3R3ckljTVdlR0FJCi9hNzI3M1B6YWd2a1M1Mnh6ZndX\ndnREM0RFWU9UMmoyc1JsbkV1akFRNVEKLS0tIG1CYnRCcm9EWjhEaWl3OWlHc1k3\nVE54bmMzLzQrb1FkaDZGWFd3bkh6YTQKI/ejKxoaU+vPttMK+PjZWtlvV/i5Dzr3\nPYjaQW6OrZtIsU7LEV5log3KR4ky2evEE00I9cBQF82ZSiVHwjm/xg==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBVWVM5\nRnI2Y0VFZTVqL3VXR2J2R2h3TDBzMXhnSzRTWjN2NEFzWkpGRldVCjFERFZGaXVL\nM25peFNxcURBeUlycHRhZWN0YmhlS3hmeEpjczQzaFhQc0kKLS0tIGVNRU9mWVdF\nMmErZ2tiMmRLWXZtb0hqbHFvSnExMW5Oajk3V3pHNHBJMzgK8S6JxZYLWBBO+4DS\nm6hZN/7GNUWi8PL+xfiX4DT2zJgSfrjWAcQDxQ/9FEwb05//I0kE/VpdxiKm88tu\nhFiARg==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-12-09T05:01:21Z", 15 | "mac": "ENC[AES256_GCM,data:g46jIRxBtQwoXqrc/ltRdVxq7dVuY2JNOaYUOo5uHtOpls4e/+5fLy+x+3ljVw3E5mwWko3vbXeVfwiUOqw2cWPQfFBVLDDOCLqGoG4zvm2StzxCAh1qWrJaChudC5X5KAz6dS1Mv/UxPWNGRRkpY8f0fQ/RhgYOChgajtk9i9s=,iv:FBTM1cXng0R/KAIYD370T8KgN/ma6rXDQ7h29VlqF5w=,tag:qjH68nts0LRLnRydBzaydg==,type:str]", 16 | "version": "3.11.0" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/matrix-password-admin/matrix-password-admin/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": 
"ENC[AES256_GCM,data:yYfeylmzaSpA9zbXNZPNTtnGGsrcgzD9pyyvU88OYQ==,iv:QffJ745VMZVt5Ak+UEeWAMSRSh3L6RbPOoHes8aFR0A=,tag:v43BJYIW+xWXxqQPOWPQww==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4NTRsemg0bDVmU2V3KzUy\nODNaZ1p6OHZIMHYvZC9SL2pJMU8yOWd1RFNVCllhTzFlLzVSRytaZkp5bGw3bUJh\nU0MzOTFtTUR0YUh4NzNEZU10VUxlQU0KLS0tIGxWYzdpZUE0SFNuRGNkZHVTYnZo\ndXVUVHdvT2pneUdDaUlqWjZ3L244YmsKDXHE7W9zmLV8oCae5Xj3QVUHxVAX+TF5\nieaonNcLZ7tIA5Cx0Aj8rliOPj3+cAfOvJEqUjaEOpPl8dBCdTKgww==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBwY284\nclRGaGFtNkc2Tm1hQ0psV2txSmZLYkZWZms5NmVUaW9BTG5ibFZvCmU1YlRGd1Bi\nTlAxT3VLUnArZHgzQW1jeDhwODErYlM3SFlJUWFlZ0ZRcEEKLS0tIEJxSUVVT2Vn\nSVBwVSs1di8xN2NpY2R2NUZWM2x3eVFPYVRQSDNRUkFHdTQKoiwWrzMUZ5gpgV+d\nBVlqN0CjMWJsCH+3QiqbV/ufLWASKXHW3PluXYIpaMiSJ/KOJAa5R/QpY+0qdHly\nRWP4eA==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-12-09T05:01:21Z", 15 | "mac": "ENC[AES256_GCM,data:LLe/3KJ+JDfTbCo0w8rBXyBbBHHfaP788Zds06LvuStfiOZlQZy/wAzIth1Q5FxSuMg58nMkAgMy9JCCFvQ7X5DOiGWhW+gsJlb56e6st/UBHLe3uIzTvNtLqEZ5xmrl+iQcDjyRhLOGvpbx07Za0VSe/0ANQyY6SkORlTepEZs=,iv:lVkvWIYmBzFpmQVX52yfXiY+G/u6jdbzcNOfoA9NSMk=,tag:2mQAT0k3ySHShplqAuFmog==,type:str]", 16 | "version": "3.11.0" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /vars/per-machine/sigma/luks/password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:9Vk7j/pqSWGnDIvbvYnR66C8BIfj,iv:VrJiQLBOWqQdOhpisZ4gT2VSTK9zzGcyaVMefrKl5uM=,tag:/BTRpUAdhSDe6XM6G3TOsw==,type:str]", 3 | "sops": { 4 | 
"age": [ 5 | { 6 | "recipient": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bm5FbHZ1MjFvWUxYYzZH\nQTMwTnBIYzd2NXlxUjVlQ0g2cjBUa1VLSENBCjljcHR0cXVjVWZYRS9uVGRDNGZZ\nTDg3QUhNVHZmMHIxMGhmRXpjbmxhb0EKLS0tICs5QjNXeGJ0VStwbmhKbkJZRUdP\nYkJ2S2x3TkoxcDJ2TG80SkRnL3FCLzAKB/Xl/2BYMK5BdNpv2+IcuoxdBpTpjj+B\nXlMzUYiYVk5S2pBZrw2jR/3ymZ+5K4LOCesNOy4M88qVX9+eqHVcVQ==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBSUncw\nQWpzWjdBUWJuZ1lRVVRnR2h0cmNMdTVpM21VZndHa2RybktWd2dnCmJ1cTYxQ2N1\nc3hnWmJKTnhGNkRmYXk2UmlLTmpNZ2ZZQjJiTTY0VUtjeE0KLS0tIG1iMHpJbVk2\nTHhmU0JJZ1gvMzMrajBUZDhoQTVHTFB4a284b2ZIL1BoekUKw6lPhBQO87+evpz3\nNa58DhAfIzGchSF5ewSXnamGSpQ0wBM1v2rymDXlPoxsdC+2AQBvB19ayRloYXOs\nydRhbQ==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-07-16T14:48:33Z", 15 | "mac": "ENC[AES256_GCM,data:eH3rL0Bsxx4jQlWAsX2iZ6gw1aa5G8deRu1xWsjao/cfO0BXknBXCelOSfZKoecufxqvwPaRmTKUMIQ2//iVvzA9aYalMfOdzJS9bVGv7yjyk5+gNOEVfu7dS2tuy1C8ParM+fw/MWvWfTxUr5ggNez2w48FdyGbTK0eKXGpfXA=,iv:LKCn27sDo1ww+8sK5hBEpBtG+9MqocPuNGER+Zvo0ac=,tag:+m/M6PUpDfQQK9yqz0LeEg==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/matrix-synapse/synapse-registration_shared_secret/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:4HhER4SSeSyrOhLJza2ACSAjvPDwGxYM/VqcGFFQVvk=,iv:6xE/oDLQVbvc1j5dVrH1/imLISPAhrRWtyFuRTaUImk=,tag:jzYqRg8CMRvLSR0NUbRTlg==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": 
"age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMRCtWeUdyUEtWN3ZGZHRU\neWNNTUhrUzB3dllVRzZwNUFTZktmeWRIaEUwCmFpSkVBWXlSUzQwZmxSL0JvTzN6\nckdNOURKeWtrYmw4elUyTTBsbU9Nd2sKLS0tIC8vMHBDVXRxd3lCNFpuTVprTWJN\nd2d1djZRQ0c4cW56QXdBekgwampwOXcKsCVgVyFIHa5QNPiMxIhOX+PafXY24Y3D\nFDqDIIDsH5ZoeGpsq6f3FyRjgld5PbypQo4pnRqanX8FniI+DJsfEw==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBQRHJD\ndUhDUnVDWkpsODY3ZUZLMWd5dFRwTUd0Mlh3NUpjVUM5emx4TW5RClhWZTRDZEd6\nejlwSHRlZXZESStGY3lwYWF4K3d3alRMQ1h0MW92WHpoaUEKLS0tIHRrcER0dlJP\nM1d0RjV3S0ZsYmdkZTVFSzNkUHArZGhWeSs0d0hqbmdra0UKRmWG/Lc4yeLwO18G\ni5f+lVKHTLnGi9O4+WDV2EF9o9T45O9oQ39mqrlXdcWj7nWKbbmU6N+nALfkAhC2\n4seapw==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-12-09T05:01:21Z", 15 | "mac": "ENC[AES256_GCM,data:MLZLUiXXdxcfpZKtvPOJif8MAaM7GuemaIjdncL/h9t+M8MkTPKoqIkkrZG2nWNOnV4IL+cYNIqOKvr+Fhsmj3X52JpxBaWaC+V0/r415RQ67KJIdqj3D7z19UEp52KiH87HJyxJH+VN2wg8D1P2Chf3Lotk58D1x2klwtyeMcY=,iv:sgQcRlIfh3VbNEfaDJBva9+doRqPuTPczy+hMU0gf6A=,tag:avbvcdvNKk/cK1ewq8DAfw==,type:str]", 16 | "version": "3.11.0" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/hoopsnake/tailscale-client-id/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:BSPotJ7nTr+k+BSU1wMnm5uw,iv:PAq9cK1DDvWjAbNVS9Fntr1kI6BnVNT7Sk04pbpfpwk=,tag:bDf4ubfdCCLdFoIVq/Iucg==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdUtlSUNiTjlOYUtvQlhh\nV3NGaGFmNDVESjR2NWJWZ3lxVnZqeEdhODJNCnlmM3NpWkZObFFLdWtUWUI5R3Uy\nUDZhTGs4U0REenltejZTTmJzNUd4cVUKLS0tIEd1M3RTMFI1Vk9TamlRV3ZscWlQ\nQmxKbzliZFd5cTN4NzdOZ0EycG5ENkEKG4fcGZ83ZMwpjYUzzR3VdAsRNpT42ohx\nZSc+7rIoU16r6Wl+ooAFhuZkbUHsZfw/5kLnr8HWHKGbSeaU78LEMA==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBkSTFP\nd29TSVRFekljWXdrY2FTYXZXeUN1RWYvejB1Z2VoN3JPMG80a1h3CnVOZDJEU05v\nTkpBRTlMamZWSjdqdERPUzF5TGJjYmVqNDdOTDNhZG5iSnMKLS0tIG80WlRuVGcr\ndDlSMDlkYW12ZHBKRmdjRUlZVkdMd2RzeE5yQVN2YitVWXcKwEBQCMbKyDCErl1n\nc47WdW6sXpim0AmrenKa0cTk1iyr0IRYgfCcaQAXv8JwYDLf8Y4MF71VtQUjJHBS\nzciybA==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-07-09T05:53:45Z", 15 | "mac": "ENC[AES256_GCM,data:zhwwnbyZQsxjUI2CrspcQCjzofWqE7hckiGlP+IT4329MUTP0Cm8XDgvs9fTUzG1jzhHgLdnTao9WpCCUr0cB5JUOO1ApUj05w9T7QO7ZkipcKS6ocY6x7kiSKy/kIhUX1JCppLgKW4hkzcFdrPShQ/Tttn/x3EW7x/e4ezmMRc=,iv:zoSpZ33aTRe9A9KQbVCu3zRyviGh9xqTfaoQiXcr1Vs=,tag:ekolQFZs9GaYHplYlNOpBQ==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/nextcloud/admin-password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:fBXdvwEVU/VxXwc0MauSK6NWRVY9gnp0eMzx,iv:ODhoM45iO93nL96vvROHCqC03lYaw8rhQxGtVu/MAZM=,tag:TOhl+pjIVmxt+EsALughIA==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNlZSa2VaSzBNMjBWbDNp\nMmZBUEJhb1pBUVVSRFVISXIzdXI4ZU9FZlM0CnA3SmU1Wnlic2xGNldweFlZSGx3\nRjgyRHh1NGorSGtmYXVkdE9xdEJQODQKLS0tIDJpTDM2STFjdHF0ODY1SVZWaVd5\nVkwzdHErYmlYWVM1QzhDb2dxTWdsN0UK6v3eVBowcC0Mtb2RPjO7+NgwkJjDlOdW\nWWCZ13ZR6QMfTlaEPtiT+HPD6PN0f6ZFplf9Ie9D5GFo8NgnEGBJ5w==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBmYnBp\nZlU3VEZFTWJ2T0xXOFhobmNMSm92b2xhdlhZa2tnRGNicjh0L3hVCmxrSmFML1Vs\nUmxEbThhTmNsRlNNOTVVdzNuSlN2UzVVRlJ1ckpRaWpVOE0KLS0tIE1oVy8vOXN6\ndC9FUjNyUldTL3JEN3dwUkExSjhhUFRQMjZyc1JVNHc0VVEKf+L5TgjOiPR0iU05\nbevPTNGGHYwURESNuCI1IGi8DsQprdcQMyrC4taeAG+sE6FLccId9tuBhsjMar4A\n91nVHw==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-07-04T03:35:43Z", 15 | "mac": "ENC[AES256_GCM,data:USGw2Ta88y7ijykaTuC5iZz2PUGCyG2KvZQV7a0CbhRJVvXxgzQxLYIEM+R6VJBcBmxOyyn/tyIftZPCymSrfa6ClF6FO6zRFHSkqwxF8hiozsLbsra0gEYfSSrKHzEEtck6nSV+WFX8Hp45jTDur9m9RtaintDowYNZncedNN8=,iv:7eezOPQvoQNXJYBEIpzxOY3s4aIs5ehlFBbqNyz19Zw=,tag:7OAvRqoGh6X4mY7epW6sxQ==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/emergency-access/password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:4g16FOmBet8BA00JqzgWeijEJheBtiawxqGhEH5w9Pk=,iv:sqEzFsen5nZdJ9BgOPgRsBHLK8sand8KrGvTLYeDcGw=,tag:sP1NuOtOqWDXnIqS5i9j0w==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWlBEcWhJREV0ZU5SZS9z\ncVl3RmlpdHZEYTNnWVRsNjZDU2hubm5PcG5RCm5iUzM3L0xVTVF2QjkrVUI0eXpk\naTIzZ29mS1g3UWhGQXdTdFh3VlNXaDQKLS0tIHpqbDFFUFdEQTNjSWpiY29Zc0dq\nZnU5d21wNWo2QUtKYTh0TGVpNUpQQjgKSCZLjy89PSRS3S0pIXDRBHR8uuhHGDwo\ndO3BN5GOjy4/fd0NU8Wy47rTNoCy0PeTN1OpgKf/lZdRQvwAE+H7Ow==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBPczdo\nT000NnYvdlhlckJhZk5ER3ZqeVB1YUJNU3I2WmdXYndDeFVJZFU4CjFqek9ORlQ2\nN0c4VWRpVEM0QlprR01HcDZ0R09hV3E1YlFDT011bitSSzAKLS0tIE94SDlPVzZB\nR1lCTzhmUWxjdFJnMEJRQTZTbklrdlNsSnlua1BEZThETFkKC/VgfhRp2VQUApaK\nO1Fi5Ydw8773wy5OJ4LXTwzh5ujWehOr4l6u8v3qOd2QTQHnNPNGqGXbvG6m+SkQ\nrtGxwA==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-06-13T08:30:45Z", 15 | "mac": "ENC[AES256_GCM,data:T5EszCmOaAXxAAROwrGLvR6atzefiYVez0tp1POCmPiQQNzxvVQ1G2kM2bSskt0bCUlZWCZq7oWPyyH8SDlL11IsLgScaUDCSyBIAgSLgoxx1RMDN1rSOVmuWPw9nWCrZniCLgg/gV7En1TalGGWhQfw+vM/PbsIKIPIyXjSp3U=,iv:RteHhQ+sIUknwNkY5AW3HiU930Omhqo1wqN9Q6TjZTY=,tag:G1v1Tzs5r2WUqGreEcDylA==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/luks/password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:XHaMfQ32KMev5Ak7+2CB2xgjRzEa44+Wt6iyl2Dsl+6VQtoDC8agBrx0Ip/p,iv:a4+9g+MSzHYxOLCZw8bwGbuQTpQRJ13itdisHv0RGM0=,tag:qBipmoV4gxTVurfpOTNYKg==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NWJyYUNsREdXWVdrQVdD\nd3NNTmVOQlpYdVc2NldwTi9sWWxHMUJFMlVZCmpGbGp6bnJFclNZQmVmS2hYenll\nZHJOeTE2djNxN3AvMlZVNkEyTEJMd3cKLS0tIHQxQXN0TmQzTFBpUnord25jY0cv\nRjVlOVBCTGJSSnFRejkxdjBDZ2RaM0kKGDHpvLmZ8ikH7Wbqv6jtCJwjlpYUGcWC\nYKPtlZew7nPXv5vzysTcwNVQuziYx6/jnwLCE1FOc3xsja59X98O5Q==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyAxOWJy\ndTl0dTRBcUpIQXRGbXhzVUJPa0dRRGNwTWgwNmx0TGhRYzI0NkY4ClRCTjFTaFht\nNnZCVHYvYXBRVE12L1QrVFBvaStYcHZSb0VKQzgwRmQxN0EKLS0tIERTZFluVjB1\nT2V5VFd4NW85LzM3eGtjbzdKcThLeXI5eWRPTjAzOVJ1bjgK0VHWqwWS+/CXtQd5\nDAUfIZNRhXxm7r/2yFBNWbQuMtmkEPV9b9pskGN/VV5Ci1Ep9buXlHmiDxsUAcz1\n/tu4Ow==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-06-24T05:40:45Z", 15 | "mac": "ENC[AES256_GCM,data:5SGqKIBxNylqGVSM0FLgxFXz7ox37FRn6W6gsUFGv8FuKUTVLfw3Iq21HGknlVhSEd7CSWScgfkXqeqY37GIxT19Jy4HR9OoBmC4d0QaqbNeKDBJCZwWAe/hHjwYlbPto9f4Ism4S6Z5nfBEEfrTo9qUfHSQiOpc6QrCMh79USY=,iv:8pD7Qz1lzUo/qx7BciPFB+A5leTmqPl372cXE7Qy/cs=,tag:TS36ZUcnzWIgjKhe4Ps2ug==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/restic/password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:BjmNfHnyjvjJvORfFZkdlehXiEAV3zUE9oumA7hC/xpEkzI8nOSN6A==,iv:TcEuTlCfv7OfrRYHGoRHj9p6a8kv/xBPi1m7XxIy0us=,tag:7BmMsJSJjnXku48+0RpsFg==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGOFk0TSsrb3plc1RHUE9E\nYWVhaTdFdzkyaTZmaWVpdUVpSk9SZERXY25jCkI4R2gxQ0o5YVFObGwwYVRKU0tU\nOThaSDI2UnhTaWpoMDJnaVdrOU1XU1UKLS0tIG9YY0JjOFhWVDBPVnZTMG1Fc2hF\naDNDYmtXcm1YaUczeHpIMjVaSmFOUEkKoOhLjjiADLnmTSxn+Jme3+XHfF5ycUhg\nLnooMHMQD4xi+F5MgZRZvLF7khd7JkE3M4ImzIU2WhLoQdshQX8P/A==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBwQ3Ba\nQlVXQ21WUlFqN2tDWDNMWm5QOFN0N1Ywd0lMVkJpT21qL1ZPNlRvCmd3VnpFc1Jz\nUnZUeGxqY0RLcFJ5Mm9aNXVQWUpIUzE1S09IL0orQnJsMDQKLS0tIGs4V2dVc0ht\nTEI1aXMrS1JlSENUcU1UMkVpemtCRnVKdXVIdTl1UTNQcUUK7R1GcMR89sCQwI0X\nc1yKQDa14HoP5fQ35b0IRLzrpEHak+3Ef8q1Hmm1LDnLkYd4i+KWWJvc56IdcuMp\nxiPWgw==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-11-17T06:23:58Z", 15 | "mac": "ENC[AES256_GCM,data:kKOzUoaLVZE3rI7JGH9j0x0eJgC3omhUIPPedq2Zf1dDz3kilkvZWZ92k1h85+7vLw2GN7H9cWs+jC5HVTgm8Ts4eG23uOCZn683UGD4TBOqDQEaFzuTy3eT9Y2QcvmLSSENAPXXhJxsXAn1JELxla9cLmxXK0vSta5uotqdYjk=,iv:Btnp6bbxnTCLqKZEtIQLo8bWrxDNZqcuAAJ47zgLldQ=,tag:VryLl7DtbDLKBebCVkvrqA==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /keys.nix: --------------------------------------------------------------------------------
# Central table of public key material: OpenSSH public keys (`users`, `hosts`)
# and strings in the `name-N:base64` form used for Nix binary-cache public
# keys (`signing`). Nothing in this file is secret.
# NOTE(review): how these values are consumed is not visible here; if they
# feed SSH authorization, host verification or `trusted-public-keys`, every
# entry is a trust anchor and edits deserve access-control-level review.
{
  # Per-user OpenSSH public keys.
  users = {
    # This exact key also appears as a `recipient` in the sops metadata of the
    # encrypted `secret` files listed alongside this file, so the matching
    # private key is one of the keys that can decrypt them. Rotating it means
    # re-encrypting those files for the new recipient.
    enzime =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE";
    nathan =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF/8b0o0mOY2IAadhWxLzDqunZUa9cqh+amVxExKD5co";
  };

  # Per-machine OpenSSH public keys, keyed by host name.
  # NOTE(review): presumably SSH host keys used to pin remote machines;
  # confirm against the modules that read `hosts`.
  hosts = {
    phi =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxOi/S1TLBg8/ZRX5XfCTlM8A+I0q0pQksrxtfjdYFP";
    sigma =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxRoznXzz/T6s5UeHG1uoHCXGfXSpy27eTEzC0/EUW+";

    # Keys for machines grouped under `clan`, kept apart from the hosts above.
    clan = {
      web01 =
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDypEkNI1qtN/+MBDFfSSuoZm8g2oj4wBaFoUqTWC0JF";

      build01 =
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUr97pcoz2RGJT9VDk1zv+1yxJCPRp1X4f/8vwd1Z7V";
    };
  };

  # Store-path signature verification keys, one per cache or builder.
  # NOTE(review): if this set ends up in `trusted-public-keys`, a store path
  # signed by any one of the matching private keys is accepted from a
  # substituter. Keep the list minimal and drop keys of retired builders.
  signing = {
    "enzime.cachix.org" =
      "enzime.cachix.org-1:RvUdpEy6SEXlqvKYOVHpn5lNsJRsAZs6vVK1MFqJ9k4=";
    aether = "aether-1:fMOnq1aouEVTB6pz6TvszTrXQhrQAbPePlilPafmsHs=";
    chi-linux-builder =
      "chi-linux-builder-1:u0hwDFmxev8B65kKbSAjBP7nGR+it429j/UbsdZd3gs=";
    echo = "echo-1:B0HChd9IxG8P9V2NezeWCBsst8AdVTxesCiePZUaduc=";
    hermes-macos =
      "hermes-macos-1:H8qFV4OhrWSbfHsQV6R2VzE2t3N+3nzItt856oWG0Kc=";
    hermes-linux-builder =
      "hermes-linux-builder-1:tibNs5BpVb54V17EimjfobHDgut+y9cfHMD57vojLmo=";

    # Keys for the cache and builders grouped under `clan`.
    clan = {
      cache = "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=";

      build01 = "build01-1:IqW8nGF/1I5wsTSn8tytzaTI+/4+4qkZ4HVKHTN1yfY=";
      build02 = "build02-1:niCWHDbtJ8q51n53apuW28B4BoNbqh7rwBfm2A4XeyI=";
      build-x86-01 =
        "build-x86-01-1:6ttBEKGF+6oOGJCQDbbaylpXmVcgoXNuKqlDHRsMv5Q=";
    };
  };
}
-------------------------------------------------------------------------------- /vars/per-machine/gaia/hoopsnake/tailscale-client-secret/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:6QRK7tybo4XS9nr0tPIXEQbfXhobEFoeFivxWBM7R7F+uODNAK5gw2hSunXfYrCuRa9x2pYX2NmaXW0avwlcWA==,iv:CuWqBY0n7c/bYn1/40qhNE5i0HI15IzQVN9gS6Qew1w=,tag:7r47hdguALWtZQUr4XzZag==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 7 | "enc": "-----BEGIN AGE ENCRYPTED
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2R1lPOExLNi9jQlNVbXNo\neHNUSjczQVMvSS8yYlhtUUJyQXRlZGRkMlZBCkZYRHRpM09pMmx6YnhHNHZmSmx0\nVW5DN0gvLzF2YzBMcTBWNCtmK0o1aUEKLS0tIGxQQ0Y5dW95UjZGVEFQeUZlRVIw\nWFJ0b0lYR3FnYW9RTDdvMDJUSjA0NTQKEdmVseKltWlqD+eGszd/ju9LGyEehI/4\nosXdBRD1JrVvRNbj875QzTzZDvRe4cdnZg4QBhHZyirFO1QwMkuETw==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBiN2RP\nT0JTb2JWQitoSWcwRk9MU2xPMlgxT2tma2s0QVdXMjllcCtnS2xFCjduMXRJWTh4\nQkI1MHNsRkpaMzIyNVNXdUZZV0JPaTQveWkzRVNXS2hsbkEKLS0tIHNhTE5yVU1v\nbTNueXdsZ0pTSmNQRTI3QUJwS1BRa0NEVnZMdUdNeDJ1ajQKysT8DjPrPPuRRBy1\nzC4XmmAsDp4IvVAfzoOVnMpAUkb4rab7BCZ2MSNT1Z7rsp8kwQ9CjbpV3rDmz3V8\nRaeyiA==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-07-09T05:53:53Z", 15 | "mac": "ENC[AES256_GCM,data:Af1uuFf2w049eTiJcsIQvouR7beuNBdMzZ5WMZLxzFY9Sb+++C+8nvZbQs2iCY7E7pOA8eB3TKOiSVFm0pZhd3wDM/WmpCfwBdM/FqfqtDA5JYdbvYCV7X1MXUaNGRIXE43uC3SVyM/IRWbbbjgf+mvDG2owr1CenkZ6o0DgJf8=,iv:NJbLo0ePbwj7SSk4xDiGU+K0aL4dhNZ6EN1zgKpc7Rg=,tag:9W9cRndVgBL/GJNPyEf6dw==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/shared/acme-zoneee/credentials/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:dCoDEZeqFXAlBEILrzGCoNsyFY090Qhdo2SggojaajdXlp9iKZKGVORfMYCzlwj/YsugRv4jfh6Do2zRJYL01K/g8zC1QUUkAS2F0olhaUWj971XIzXFKk4=,iv:mFGH/L51134piuzG0pJiA9LK7ZnjUaXtbvElICOz+qE=,tag:RvOv7pqGi28VdengBkojMA==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieVlXZ1BCUEtRdXR3OE1p\nbkZ2T1hCTFMrNUpwUEUvaTAvc093c1VzbEdRCng2NmNJTlJSVTQxcUFPdjllU1Na\nMjMwcXUvY1puWXM1L0dRT2N2cVc1azAKLS0tIDhiTWU3NVowWFhpWm5tV0d2YTFV\nNm52eklSOHVKc2VtajV2elM2aVRIS28Km4KAwX45/b+7SKPsKd8QA8cCNty6L1+S\nj3aGKqN5h0m9OI7MzBYTHQIcmTdJRXnXXLhwWUamZG+Tl6YVpe7Pmw==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBiVDVL\nRVBuRkhtNHllQkFPRTJ4TXNaeklUV3RjY3YvVkp6NGJGRkZiWkFVCjJlb3RDNEgw\nQm5UNmhJQmovNmYzMENyU1ZWenl4Q0k1OGRiaVp2a3pIM2sKLS0tIDVkOXh5UnND\nTDFkRUxOZ1hKUnVpM250ZXZmdWx0Y0lGOGNSV01McnhsSnMKsBxbG0Jq36LvCVij\nS0+zbZWbzfu2YRcN8SjqsfLvFN7USQ3TjtkvnteMviMkJQC8p06UVsDnlDIlez8Y\nVu57vQ==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-07-04T03:25:37Z", 15 | "mac": "ENC[AES256_GCM,data:G57RMl/pzby/MA1iTddVnET97nfiHtIdAaz5erzBpRrTJpZaohfRoixKxBO2rGmB5+MAZOEy8VYasXg45dViLd0nelVn5gpebdWAj9zhYI8ohTep4zV1P3vAsOTQWu0tGlbE5immTnyEL3VQ+r7GJsAqCm5A/YmQDLIcKDUiKzk=,iv:U4p651gHaZL263uJh9boksfFrexnr/Xd1qgofJjzsCU=,tag:vOtskjoaL80b5rCRVOZ8CQ==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/user-password-enzime/user-password-hash/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:Eko1X4Tu0R3YJ/vROuhWs3CCNqQogq9cgWMrShlQzr0Zk137KhxMqJVrd7ogx3RqLSrEuhOjHNqfdcar8GH87JE7hvSc8ACFnmE=,iv:6iemtyscfnHOPwzluZQNwvhs/I4oievwi9q20fOc8ig=,tag:gwlqR7SM8ovHKVeaUFzBgw==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdGVtQnFyS0F0L3BORUhS\neHVrNWFuQTBOOHoycVlJZ0ZLL0tuUGh6WFNVCk1LRklQWXNBcDRNaDBoVEc5VHh5\nMzM5UHVVK1FSRy8zaXdFbVRNd3Jmb2sKLS0tIDA5ZGFoTm5qVzRjSkkvemJzb0pV\nUUpsT3ZNaFFsNlFLM1RJNG9XSWpjbDgKQ9IiEEsP9clRSks7ADhXfKmhm/TFIwqN\nJLrVkfDKtf5Oxn2uVsswBs/o15vUGY2MuW+dWSlH4jREeiQqm1kkuw==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBQdzMv\nZEFOM0M1N0RIUW1KWGFSbTZGdHRXV2dwWFRPVkNnMEpyS1AvdkFFCjlOa2h3UVda\nd3EvRDk1VEFhTDhPMUk0bDA3Y0prT1NaMFUzTXZ1ZUh2Tm8KLS0tIGs2T0tVZU04\nMFVYRjJhMUJQMlRmdjdZUFhjRGpySlBYSjcvcWZ6cmRrTGsK2HTCCEQpp9+ma7x/\nvVR7WyeVu3AWWo+IT+nT0r/XPuWDyvBCiPfYNcNY3IVO5Drsierqd60ITIJdUCif\nqUvCmQ==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-07-07T02:00:15Z", 15 | "mac": "ENC[AES256_GCM,data:k2ZzisVclKGki+jkBqq7hHjb9DGdQ9OwbUlVnVAbqp4fhN8sy4oj1G+bm168UlALgJQSHTnb+ioPk8SJ7K8GxpFDpAxKmT/98/6mtt/J/4Moe04VdF67cqBoCryGFeWA18NJgn3B9R2tOVrTSDO1kKGs6zys5tM/MmdEFLcbGwA=,iv:gPzIzxn/JesgtI0KWvpMgNO/Mj89uu0lUg/LqSIRRa4=,tag:zh5yeFckg5kW3LsFs/LQkg==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/sigma/user-password-enzime/user-password-hash/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:4iPfLHFyCq9bkDdxHhYHVchA1Oi3MV5yTIPHRmy0sjA3t1GeXbKGIzukLR1RgHTED1hNUIKBnRApER8oc6P0S+Xtlaz+UPv+FX0=,iv:8Dnfx4h9JzDjbkMYFBmFyc7PH27XzdkAY98G6nC1FoQ=,tag:yqW6vfC7WhVEYT02VneCoQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVktWZ0lWTm9hUkRkRGdP\nUlk4ZS96ekZKTytzSklIS1hwWGNudVc3TTFrCjZvN2pCbkJkakJzZkRHeGMwQVZH\nRVBVb2UybXdCc2ZLdVRzQTNEVFdsQWsKLS0tIEN1Mno3UnpBS1FDK0laU3o2RFJZ\nOWQ0cUJGTTdNTEt6THAyY1FkQTBIanMKtGpxE9jK8AtnYXiA4xoCW2xzW44sdtYO\nUSR1RIKwZmj4a73lsBX70KmTuE+o6rHzcurtXAAxfWx8P3aHWKkB8w==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBSQzZy\nRFFTV2VHUzRGaElqdGNWQnFVeDVIODVsVFM1dmRZOE5rbU51bkUwCmJaWFVKYWpQ\nclVCWVU4T1RxWXFoREsxQWgzQkViODhoQ0dTK0gzdjZYN0EKLS0tIDBFaUVVQ004\nNzRrcXdES2pqbEFHQ3lQZ1ZjN3UxNVAvc2Mvd2NjOHRaZkUK8kV2D5OnlTcuR3nG\n1NEz/Y6QYyLzcocHGK49bgQh8HEFNwmTxYiJKPBTLwF894FbYqMB3zSg5vMR404V\nw6npng==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-07-07T01:54:12Z", 15 | "mac": "ENC[AES256_GCM,data:5bY5pQdEk8fb/6cA05Y7HMGuKtLjV0SW6d+2qoXtb8UqZqVVsbeIfdkxgax2KGERt7Pgyw5+wK2vnou49JgnNUAPz7BTt42/8x9g0T6rRBGVk10xU/UPvUehMTx1qd4xTHLvRhrLSCX0bRHiDzU3Zo6ct9IoQtIa0t3592SZyi0=,iv:nvMkZ3kutyn7bAIDpuCj3edzBHr3i5TI70ao+OAuprI=,tag:70W1NV7G5bypPlE+wIKCDw==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/user-password-enzime/user-password-hash/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:y6r0JsdVcN0MxAwELGt0GhCMCnHhzloGpjaDkqrZbvd/QgdrabuNLaSG3mRbR8yHeAyftiNgEUvoEOYE8pGgDpfBdwHKw2Tc+uI=,iv:UUGuegkwlHpOVSjSofkeOGG6vuGBNUviQb1WkIJiHJE=,tag:ePcVbNqnFdHPXzxfUNlZWw==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArOEZyMWRxc2FGOHRzSnJJ\nL2Y4elRIZHZselEyQXBQNktVMjZGTGZDVmhjCi9RVWt3dTF4cnJlcDB2OWoyY2d4\nemgzL096QWhIWVJJS243dHY0VytnK2sKLS0tIFpBMDlwanZYQnBNYk5qL1FDQ2Zy\nVjZIUzgyZDEzVlRMK1VnVzN1RnQrSWcKdozAIdEz8G69n5SZ3aUfn5cVp/iajku/\nCXD7kP0x6xgYdfZ2K2V4kKmAhBQlP6960Z/8L9ZmD4XsU8K2MRlc/w==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyA3OEpE\neWNmU1ZOWVJNaUxCTmM3Z3FrSGxPaHVOaXJQZzZ3OHA1SXdlQ3k0ClMxbGZXK0lz\nQlJiL3BFWHVRZFdlRzdpd21VeXZFcWZRblV6ckRMK1prRkEKLS0tIEZYS0tRUy9w\nR2N6MWFwQStRYjNGT2h6MXFuU0dBRm0xUXJTSEt6aklhTzAKV9ReUd6YF5pFtlEN\nTkXbbajUuDerTO25KkrQ2IORmwIYz/RbvCzST4uufxcPntxfDZiyq7m3FWlVfEkN\nHLWpKw==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-07-07T01:56:34Z", 15 | "mac": "ENC[AES256_GCM,data:rvVJKgih7HGMLlqUiRwH9k0if4G0IsBbtuKm8TwOKgFMTVAGyHGR8QbdrxiwN6MGwm5kQXMA0P+qIVFSXYMxtK5PI2piedt7SKf7brBRiWXCfwQTy43TM5k1i84L4iBsMkU6QHzAS7zXR/FSrrlxjopD1yLgSgdFuerZv+g5o10=,iv:R8ZiDNBuHuqKCEe0V7r1GksYVTnxkz4Yhqgh3Oqw92g=,tag:Q0JK67TL648GZWq4mYXCZA==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /modules/graphical-minimal.nix: --------------------------------------------------------------------------------
# Baseline graphical-session settings, split into a macOS part (`darwinModule`)
# and a Linux part (`nixosModule`).
# NOTE(review): `imports` names other modules as plain strings; how those names
# are resolved is decided by the code that loads this file, not visible here.
{
  imports = [ "firefox" "fonts" "greetd" ];

  # macOS settings. `user` is the account name the settings below target.
  darwinModule = { user, pkgs, ... }: {
    # Install the Rectangle window manager system-wide.
    environment.systemPackages =
      builtins.attrValues { inherit (pkgs) rectangle; };

    # Launch Rectangle through a per-user launchd agent as soon as it loads.
    launchd.user.agents.rectangle = {
      command =
        ''"/Applications/Nix Apps/Rectangle.app/Contents/MacOS/Rectangle"'';
      serviceConfig.RunAtLoad = true;
    };

    # Close Terminal if shell exited cleanly
    # `${user}` is spliced into the script text unquoted (tilde expansion needs
    # it unquoted), so it has to be a plain account name without whitespace or
    # shell metacharacters.
    # NOTE(review): activation presumably runs with elevated privileges, which
    # is why `sudo -u` drops to the target user before editing that user's
    # plist - confirm, and keep `user` a build-time constant, never a value
    # taken from outside the configuration.
    system.activationScripts.extraActivation.text = ''
      if [[ -f ~${user}/Library/Preferences/com.apple.Terminal.plist ]]; then
        sudo -u ${user} plutil -replace "Window Settings.Basic.shellExitAction" -integer 1 ~${user}/Library/Preferences/com.apple.Terminal.plist
      fi
    '';

    # WORKAROUND: Screensaver starts on the login screen and cannot be closed from VNC
    # NOTE(review): this writes only `loginWindowIdleTime` in the system-wide
    # screensaver domain; per-user idle-lock settings are not set in this
    # module, so confirm they are enforced elsewhere.
    system.defaults.CustomSystemPreferences."/Library/Preferences/com.apple.screensaver".loginWindowIdleTime =
      0;

    # Save screenshots under the user's Pictures folder.
    system.defaults.screencapture.location = "~/Pictures/Screenshots";

    # Turn off automatic capitalization.
    system.defaults.NSGlobalDomain.NSAutomaticCapitalizationEnabled = false;

    # disable `Add full stop with double-space`
    system.defaults.NSGlobalDomain.NSAutomaticPeriodSubstitutionEnabled = false;

    # Hide the Dock until the pointer reaches it.
    system.defaults.dock.autohide = true;
  };

  # NixOS settings: two GUI tools, the X server, and PipeWire for audio.
  nixosModule = { pkgs, ... }: {
    environment.systemPackages =
      builtins.attrValues { inherit (pkgs) gparted pavucontrol; };

    services.xserver.enable = true;

    # PulseAudio itself is switched off; PipeWire is enabled with its ALSA
    # (including 32-bit) and PulseAudio interfaces.
    services.pulseaudio.enable = false;
    services.pipewire.enable = true;
    services.pipewire.alsa.enable = true;
    services.pipewire.alsa.support32Bit = true;
    services.pipewire.pulse.enable = true;
  };
}

-------------------------------------------------------------------------------- /vars/per-machine/gaia/user-password-root/user-password-hash/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:j1bysMV20WJTn7xu8QZ2cOOS6nBw0kduCJo94qyzstaQBihwiYAB286rCuwaCqKCElxxKCl6FoxJGvESBNWURShvxTE/04IUpL8L3ALk5Z0IHXTLyZhOodnxtf1ZvuAXe+vMwYlvvgffWw==,iv:LsQzXZMh8PXO6oDVuefgSO+489By5sIs3XRAvW8WK9Y=,tag:3sopLuMZon6cuhVIFzZ1BA==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwREdlaWpKV2xKSzJYVFNG\nUHZTWTlTRnVpRHpLVVhFU3Y3dVRDTVhDczBJCjd5Nlg5TnBCK1VMaEFsdTV5NGxM\nTE1uU2F4VmZxbzAyejdzd3dvSTVWdWsKLS0tIHRGRE5vQnRUL3VMTnJyWXlScVpS\ndXQwenhqMDkyZjdTajBBYStMOGdEQ0UKbr/kjPJS3CHgqD+G/iDtSJGdihImW597\nbuf2zYiJIgtPhydwzRu8iJb5xoJeEiC7XPtARWUscbdBiB4pfDM/zA==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBlQ2NV\nVmJPRUdXV0hjNjYxQSt3MVluTlIrT3ZJSzIrVmZPamM0MHRzTVRrCmhMWUdzTlpI\ndmVRTWd0YVJidzlGdm14QzdDdENjUW94SnltZzJ4YVpFQmcKLS0tIHI2bXptbXRs\nRnY0RGtqUWhUL01yYWRnQWhUSTh4aTY3RnM3WmdrdFZBazgKUQ9fZ6OHCOHDYmgg\nNjBzhZpeGnthY1XbZ3+cZ3cosz1NbpO9gnEqAU8dPUMn3WDrNBr8adOnSs9O7UGS\n2aqwkg==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified":
"2025-06-30T10:32:22Z", 15 | "mac": "ENC[AES256_GCM,data:cS/v1ROKZhpxJdxWtMLEldPmVFNw2UaPP+2g426rNsctXWbc2NyVwKfMPeXi/hyUcXIZvbRLvEczISBoc/laa4GXM+NG1GcSUmp9gv9nKR9+le2YZgUScWv4/SiadeWJkU4Qo2WVvSHtwb3Xv34h16fpQx/zS5Y4B6y0pCDVrYA=,iv:Js6e3duLQueAYJ0gd8osWYhfmaXGNqCwbRf7iW7KFkE=,tag:VaOxT0UZEw+kCjgk/QXVMg==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/restic-backblaze-environment/environment/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:B5r4UNP1Xl3zaUhbFdmhKe8z19Mv3v0FXeNlGfWUHk9Lw39evGUUJB7tuwjkH34wUDY9lYMfOPdGP2/tOw7gWi8jlVpl5sF7sTqsy/TrkzXpBUDri0kpA4+rX+2BIPSFrXIHjjBj,iv:+nBzL+SC6mMgHEyPAU1jGZcKD+gV8phNdf1brzKUP4Y=,tag:KTVb8K64cTKwbLPfv2kV6Q==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkMXhPZkcvYVFyRFFMejNm\nakE1UHJMQ1FuLzBGSG15WkNmcUQwMUoyM3cwCmNuM3IrSEt0a2pyUUwrb3F3dFpC\nMlp5WDJzbzhnanIwZ015Tm5MU2k0TlUKLS0tIHhJSWkwWWlVODVVSnVZZUNqbmxJ\nZ1RVZHl3aHhkcDlaMy9sZHdrNUkrTmMK11U+qlZWcdqPmzJ20svNgoNTpfdetjbF\nNDJMTEpqO9SY3wGjMjSjSzIQBsYEJV01eJnNN2j91/uqxwsn4v6NAA==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBLZHBP\nT3l4ditsQkhsL2NNa2pucFc1SHRkTWJlOWpBSWY4cmJTOENSaXpBCjVXa2pkOGhs\nUFIvSVdoS2RKTnBMbVlmNHdTNmJBVGxxM3BKNzZSMGZZb0EKLS0tIDVUcmZsSTVq\nYTE0bitzdXFaWTFSaXZrTlBocklJVGxyT1JaczRwTko0TEUKTVP9tKYOM6iSkL8H\nf+Fqkd8m9GshIoTIj/xpYnmu7PJZQZ8moolbkozzUes0IcaAZM//NzNQ20z6S4Ag\n8DuHZQ==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | 
"lastmodified": "2025-11-17T09:13:30Z", 15 | "mac": "ENC[AES256_GCM,data:ttxdCuIx8i/omDkSc5yF7VisyDCvZzFsl9HBToQ5Egut7G5Ce8jvYqkwwnfKSCX8uBhsv/kY7cIPMtsqA3gDtk0XAdtUO0ykJ63E9sdiyhENlw70PVp9xjFNfTH23PH2YIUnDgXN+jLlJ6msQVDB0L9jVUICWZi7Fxkh/ofO0iw=,iv:OTBfPwdX2JBr9lKE4NK9AmqTZcXGuiquSWdQ37LvvdA=,tag:Dr/QS5Ykewso74G8gPs0DA==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/sigma/user-password-root/user-password-hash/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:TijtLPd4+5nGZU5JkKOT+DgVds+NRnQgoFfeJhccqjOTJVJgaEiRwGVvnaOhFnffuJtCFrZcIUqmoAjFOfUYhzUt0TpLsMLw6VBLodj7lSNoM+uRnksd4fdKKR4YpkTxKq4VqouxT+R0VA==,iv:9FDDyA1J7AFnr+AC46WFyJAmU0m6DkVq/ukmb/Nj4H0=,tag:mmJN9Abo/u0FdNX+KedZig==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUWDNPc045QTlHZktwcitP\nRzhockx5bUVvVU1tL3d5U2QvYVVUeXlFSWswCjBaRGFOVnN1cmVlOE0wM25wVjhC\nV3ZZVE05aU9qNDJ0Zk1jUTlnWDhTemsKLS0tIHg5Q2pWbFhVU0NKYlJya1M1dkt4\nUlhUa1B0SHVxS2tpV2JhQ1hGZTArWHcKsmdtO5z5zGhcvpeSlAIufaSj6LEi+ouk\ne/Fca/uSmcj3Q+yGIHMG4emvSb5Vn7nNSZi09DELS8HS6bn/z5gYMw==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBUQXR4\nSGE4eDY2MG1ObEdLcDZXSi9LRGxNYTFpM2J4bUpBRk1lQktiYURVCktoRFhLaXBq\ncGRwZmUyZitYb1cvMy9hamtjVzVFTVc5eHFXNWtueFlweWcKLS0tIElqRWgzZ1Q2\nZU13cGxyOXRoVnJOT1UwL1dRY2htMXUrUUFlNEwyb2orOTAKd7WfR2tHmZB6skdR\nW9jch0OihVQcvpGt8+7YsCuTuoEQtvBL5yQ1NqImR/de/QBbT3ViLtYWbYP+faX9\n6uXBug==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 
| ], 14 | "lastmodified": "2025-06-30T10:31:21Z", 15 | "mac": "ENC[AES256_GCM,data:Au/PYVTV8ZQcVCwCQlopNquqcSga9qYye7VK11b1yO4HwyqvT3ajD2LcAjmu2Tpksz10fjeMJ+i/93ajYkyywaMoZmk65KKx41H4LsHA5QY7zof6JIpewKaVWald3PFzAGNhWufB/P+cRs2ipZvnjwsXZdPEevOzxqLoFsRff/w=,iv:HQiv13n9x2s1OcWZlgA6t2vJiszu+U3HHvrnTqo8w5s=,tag:I1CXIbVQbiqZb7m+q1/tPg==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/user-password-root/user-password-hash/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:b+uwg9jKrLCrlGC5ku0xPODxOEmWHEhgurPpiMPc+P75bo/FUOQQY71tOQ6XX2jSdyvyt1hRYzo2QmHD7X6JbtFQqwcoBJ1hbWk4yXpENzAc5UZhgS9vO39jNMNPADgdNzBMa4tobcoBuQ==,iv:krMQnLrkblf/yyaEfNO3iuh3/5lcBTzfjenIk9bcTAc=,tag:G9Job/wDu4bg9saW7y8ZGA==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRlhVUjhhb1FSUy9ZbHBl\nQ09MYmF1WllsSldGWkhFZlBqd2ZJSkZiREFjClZRVmkxdDBucE1iOW5nYjRPZWhs\nYUtGT3NTVXFIYThkTWJvNW9jSGw2Y0EKLS0tIGdUeDNPMlBDR1hkSVJhS3JZMVh3\nYTlsMldEbDFtUWg0ZERDSUJhRnNra2MKfRhWAW3vdN0R3tw8uDvqe60zQpwNJzQZ\nf66oIDRJ8WzJCuDZ2TVcGGhqj5xLanOUhEHbfDzddOTE9zTzl5QO2w==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBaSmpF\nOW03eDh1ZGpmOGVtNFZIMW1QeFJRUkxCbUhLYlZoWDgxMDkxMDFFCnJPZDd1UVVw\nRXZMcXpHNmlSdDIzenlQek5Vc29sUlE3VGhFTEN4Uk9POVEKLS0tIE9mNEdpV1N4\ncklOc3MvclRZQlpCOFdqUFNNbjVuZFc0MDRXZm94ZGRxZU0K2EMAiL65Q1q6HeAX\ny9vK24XA43mlsIMEGT92QLbnvRmhuDtTgxlCM3LmOwyRZxWLZi9olC1h9gzi++HE\nONJopA==\n-----END AGE ENCRYPTED 
FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-06-30T10:31:17Z", 15 | "mac": "ENC[AES256_GCM,data:9cZvGrEOFTvO07f/ltV2qjuhqVY9Cz7EQdGftTGXNr8tSnjK8i/vlt66LcKMx6hFJANw2uHzvRDKX+39Dj5OsVDjSI/LbuDPlYFIpGQ3e91+7iHMgSo9il1dRldiwLTz3d1TIxay8ThEZHVq1JfHObqHS7KUvrrwNp3YUqkXhMU=,iv:VZA8Qf2f6GHRSlEr+1dZMaDgcZeZm2tX/To6gFxZ3Rs=,tag:gEMFoHK4F4uQ5/PiUmGCig==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /hosts/hyperion/darwin-configuration.nix: -------------------------------------------------------------------------------- 1 | { user, config, pkgs, ... }: 2 | 3 | { 4 | networking.knownNetworkServices = [ "Wi-Fi" ]; 5 | 6 | nix.registry.ln.to = { 7 | type = "git"; 8 | url = "file://${config.users.users.${user}.home}/Code/nixpkgs"; 9 | }; 10 | nix.registry.lnd.to = { 11 | type = "git"; 12 | url = "file://${config.users.users.${user}.home}/Code/nix-darwin"; 13 | }; 14 | 15 | system.defaults.dock.persistent-apps = [ 16 | "/Applications/Firefox.app" 17 | "${pkgs.ghostty-bin}/Applications/Ghostty.app" 18 | "/Applications/1Password.app" 19 | "${pkgs.vscode}/Applications/Visual Studio Code.app" 20 | "${pkgs.spotify}/Applications/Spotify.app" 21 | "/System/Applications/Calendar.app" 22 | "${pkgs.joplin-desktop}/Applications/Joplin.app" 23 | "/System/Applications/System Settings.app" 24 | "/System/Applications/iPhone Mirroring.app" 25 | ]; 26 | 27 | nix.distributedBuilds = true; 28 | 29 | # Use ssh-ng for trustless remote building of input-addressed derivations 30 | # i.e. 
not requiring remote user to be a trusted-user 31 | nix.buildMachines = [ 32 | { 33 | protocol = "ssh-ng"; 34 | hostName = "clan.lol"; 35 | sshUser = "builder"; 36 | sshKey = config.clan.core.vars.generators.nix-remote-build.files.key.path; 37 | system = "x86_64-linux"; 38 | supportedFeatures = [ "kvm" "benchmark" "big-parallel" "nixos-test" ]; 39 | maxJobs = 96; 40 | } 41 | { 42 | protocol = "ssh-ng"; 43 | hostName = "build01.clan.lol"; 44 | sshUser = "builder"; 45 | sshKey = config.clan.core.vars.generators.nix-remote-build.files.key.path; 46 | system = "aarch64-linux"; 47 | supportedFeatures = [ "kvm" "benchmark" "big-parallel" "nixos-test" ]; 48 | maxJobs = 96; 49 | } 50 | ]; 51 | 52 | system.stateVersion = 6; 53 | } 54 |
--------------------------------------------------------------------------------
/hosts/gaia/configuration.nix:
--------------------------------------------------------------------------------
# NixOS configuration for the host "gaia": boot loader, a Matrix homeserver
# setting, the mautrix-signal bridge, and remote Nix builders.
{ config, pkgs, lib, ... }:

{
  imports = [ ./hardware-configuration.nix ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostId = "8425e349";

  # mkForce overrides any other module that would open the SSH port in the
  # firewall.
  # NOTE(review): presumably SSH is reached some other way (e.g. over a VPN
  # interface); confirm before relying on this as the only exposure control.
  services.openssh.openFirewall = lib.mkForce false;

  zramSwap.enable = true;
  zramSwap.memoryPercent = 250;

  # Empty whitelist.
  # NOTE(review): as far as I know Synapse treats an empty list as "federate
  # with no remote domains"; confirm against the Synapse version in use.
  services.matrix-synapse.settings.federation_domain_whitelist = [ ];

  services.mautrix-signal.enable = true;
  services.mautrix-signal.settings = {
    network.displayname_template = ''
      {{or .Nickname .ContactName .ProfileName .PhoneNumber "Unknown user"}} (Signal)'';

    bridge = {
      # Everyone on the homeserver domain may use the bridge; exactly one
      # Matrix ID is bridge admin.
      permissions = {
        "test.enzim.ee" = "user";
        "@enzime:test.enzim.ee" = "admin";
      };

      bridge_matrix_leave = false;
      mute_only_on_create = false;
      personal_filtering_spaces = false;
    };

    # Plain HTTP, but to the loopback address only.
    homeserver = { address = "http://localhost:8008"; };

    # NOTE(review): debug-level bridge logs are verbose and may contain user
    # identifiers or message metadata; confirm this level is intended outside
    # troubleshooting and that log retention is bounded.
    logging.min_level = "debug";
  };

  # Allows olm-3.2.16, which nixpkgs refuses to evaluate unless it is listed
  # here. The assert pins the exception to mautrix-signal 25.12: when the
  # bridge version changes, evaluation fails and the allowance has to be
  # re-examined instead of silently carrying over.
  nixpkgs.config.permittedInsecurePackages =
    assert pkgs.mautrix-signal.version == "25.12";
    [ "olm-3.2.16" ];

  nix.distributedBuilds = true;

  # Use ssh-ng for trustless remote building of input-addressed derivations
  # i.e. not requiring remote user to be a trusted-user
  #
  # The SSH private key path comes from the clan vars generator
  # "nix-remote-build".
  # NOTE(review): no publicHostKey is set for the builder here, so the
  # builder's host key must be pinned elsewhere (known_hosts); confirm.
  # NOTE(review): build inputs are copied to the remote builder; derivations
  # that embed secrets should not be built there.
  nix.buildMachines = [{
    protocol = "ssh-ng";
    hostName = "clan.lol";
    sshUser = "builder";
    sshKey = config.clan.core.vars.generators.nix-remote-build.files.key.path;
    system = "x86_64-linux";
    supportedFeatures = [ "kvm" "benchmark" "big-parallel" "nixos-test" ];
    maxJobs = 96;
  }];

  # Check that this can be bumped before changing it
  system.stateVersion = "25.11";
}

--------------------------------------------------------------------------------
/overlays/vim-plugins.nix:
--------------------------------------------------------------------------------
# Overlay adding three Vim plugins to vimPlugins. The mapAttrs wrapper throws
# if a plugin name already exists in the previous package set, so an upstream
# addition cannot be shadowed silently.
self: super:
let
  inherit (super) fetchFromGitHub;
  inherit (super.vimUtils) buildVimPlugin;
in {
  vimPlugins = super.vimPlugins // super.lib.mapAttrs (name: plugin:
    if super.vimPlugins ? 
${name} then
      throw "vimPlugins.${name} already exists"
    else
      plugin) {
        # Each source below is pinned to a full commit id and a content hash,
        # so a changed or re-tagged upstream repository fails the fetch
        # instead of being picked up.
        hybrid-krompus-vim = buildVimPlugin {
          pname = "hybrid-krompus.vim";
          version = "2016-07-02";
          src = fetchFromGitHub {
            owner = "airodactyl";
            repo = "hybrid-krompus.vim";
            rev = "1b008739e0fcc04c69f0a71e222949f38bf3fada";
            hash = "sha256-ZOuuHeeZaIZVVdf1mh35Y4WaVTWVYXboG0+l/GscVUg=";
          };
          meta.homepage = "https://github.com/airodactyl/hybrid-krompus.vim";
        };

        neovim-ranger = buildVimPlugin {
          pname = "neovim-ranger";
          version = "2015-09-30";
          src = fetchFromGitHub {
            owner = "airodactyl";
            repo = "neovim-ranger";
            rev = "8726761cb7582582e60f3b1ee6498acc6d3c03a7";
            hash = "sha256-gHFO39R5/YdJ2wm5x3pjNZF30HOWLHmH/bcou920IwY=";
          };
          meta.homepage = "https://github.com/airodactyl/neovim-ranger";
        };

        vim-operator-flashy = buildVimPlugin {
          pname = "vim-operator-flashy";
          version = "2016-10-09";
          src = fetchFromGitHub {
            owner = "haya14busa";
            repo = "vim-operator-flashy";
            rev = "b24673a9b0d5d60b26d202deb13d4ebf90d7a2ae";
            hash = "sha256-CGU7wzr2SQHH0oT9S5Oj3K1XxznRNAA9qdi7QNlRW4A=";
          };
          meta.homepage = "https://github.com/haya14busa/vim-operator-flashy";
        };
      };
}

--------------------------------------------------------------------------------
/modules/variants.nix:
--------------------------------------------------------------------------------
# Declares the `as.<system>` and `on.<system>` option trees. Each option takes
# its type from an extendModules call, so its value is extra configuration
# layered on the same module set.
{
  nixosModule = { config, inputs, lib, extendModules, ... }:
    let
      systems = import inputs.systems;

      forAllSystems = lib.genAttrs systems;

      # Only the systems whose name ends in "linux".
      forLinuxSystems =
        lib.genAttrs (lib.filter (lib.hasSuffix "linux") systems);

    in {
      options = {
        extendModules = lib.mkOption { default = extendModules; };

        # One option per Linux system; the variant sets nixpkgs.hostPlatform
        # to that system at override priority 0.
        as = forLinuxSystems (system:
          lib.mkOption {
            description = ''
              Extra configuration when using `as.${system}`
            '';
            inherit (extendModules {
              modules = [{ nixpkgs.hostPlatform = lib.mkOverride 0 system; }];
            })
              type;
            default = { };
            visible = "shallow";
          });

        # One option per system; extends the VM variant so that
        # virtualisation.host.pkgs is the same nixpkgs path, config and
        # overlays imported for `system`.
        on = forAllSystems (system:
          lib.mkOption {
            description = ''
              Extra configuration when using `on.${system}`
            '';
            inherit (config.virtualisation.vmVariant.extendModules {
              modules = [
                (let
                  shared = { pkgs, ... }: {
                    virtualisation.host.pkgs = import pkgs.path {
                      inherit system;
                      inherit (pkgs) config overlays;
                    };
                  };
                in {
                  virtualisation.vmVariant = shared;
                  virtualisation.vmVariantWithBootLoader = shared;
                  virtualisation.vmVariantWithDisko = shared;
                })
              ];
            })
              type;
            default = { };
            visible = "shallow";
          });
      };

      # uses extendModules to generate a type
      meta.buildDocsInSandbox = false;
    };
}

--------------------------------------------------------------------------------
/files/rc.conf:
--------------------------------------------------------------------------------
# ranger configuration: display settings and key bindings.
set hidden_filter ^\.|\.(?:pyc|pyo|swp)$|^lost\+found$|^__(py)?cache__$

set preview_images true

set dirname_in_tabs true

# Plain `q` only shows a hint; quitting needs ZQ, and ZQ refuses while the
# loader queue is non-empty.
map q eval fm.notify("Use ZQ to quit")
map ZQ eval cmd("quitall") if not len(fm.loader.queue) else fm.notify("Use to cancel currently running task")
copymap q Q ZZ

map MF console touch%space
map MD console mkdir%space
map MM console mark%space

map T tag_toggle
map uT tag_remove

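unmap gL
unmap gM
unmap gR
map ga cd -r .
map gc cd ~/.config
map gC eval fm.cd(ranger.CONFDIR)
map gd cd /data
map gD cd /dev
map gH cd /home
map gl cd ~/.local/share
map gm cd /mnt
map gn cd /etc/nix
map gN cd /nix/var/nix

map C eval fm.open_console('rename ')
map cw bulkrename

# NOTE(review): several bindings below have no key name in this listing (bare
# `unmap`, `map tab_move 1`, `copymap`, `cmap eval ...`); the key tokens look
# lost in extraction. Restore them from the repository before using this file.
unmap
map tab_move 1
map tab_move -1
map t draw_bookmarks
map t eval fm.tab_new(path=fm.bookmarks[str(fm.ui.keybuffer)[-1]])
map t. tab_new .
map dt tab_close
map ut tab_restore

# M A G I C
# `tg` makes a new tab then goes to the folder specified by `g`
eval -q [cmd("map tg{} eval fm.tab_new(path='{}')".format(chr(k), fm.ui.keymaps['browser'][103][k][3:]))for k in fm.ui.keymaps['browser'][103] if fm.ui.keymaps['browser'][103][k].startswith('cd ')]

### GNOME TERMINAL
# =
# =
#
### TERMITE
# = |

# Use `zh` to toggle hidden
unmap

map zF filter
map zz console flat%space

map ,R source ~/.config/ranger/rc.conf

map backup_edit
copymap

cmap eval fm.ui.console.move_word(left=1)
cmap eval fm.ui.console.move_word(right=1)

--------------------------------------------------------------------------------
/modules/restic.nix:
--------------------------------------------------------------------------------
# restic backups to a Backblaze B2 bucket through its S3-compatible endpoint.
# The repository password and the B2 credentials come from clan vars
# generators; the generator definitions are only added when the `clan` option
# namespace exists.
{
  nixosModule = { options, config, pkgs, lib, ... }: {
    imports = [{
      config = lib.optionalAttrs (options ? clan) {
        # Repository password: six random words with random delimiters and
        # random case, trailing newline stripped.
        # NOTE(review): no pipefail is visible in this script. If xkcdpass
        # fails, `tr` still exits 0 and an empty password file is written;
        # confirm the generator runner enables pipefail or add a non-empty
        # check.
        clan.core.vars.generators.restic = {
          files.password = { };
          runtimeInputs = [ pkgs.coreutils pkgs.xkcdpass ];
          script = ''
            xkcdpass --numwords 6 --random-delimiters --valid-delimiters='1234567890!@#$%^&*()-_+=,.<>/?' --case random | tr -d "\n" > $out/password
          '';
        };

        # B2 key id and application key are prompted for and persisted.
        # deploy = false keeps the raw values off the target machine; only
        # the derived environment file below is referenced by the service.
        clan.core.vars.generators.restic-backblaze = {
          prompts.key-id.persist = true;
          prompts.app-key.persist = true;
          files.key-id.deploy = false;
          files.app-key.deploy = false;
        };

        # Builds the environment file restic reads for S3 credentials.
        # The expansions are quoted: unquoted, a value containing whitespace
        # or glob characters would be split into several printf arguments and
        # yield extra, malformed lines in the credentials file.
        clan.core.vars.generators.restic-backblaze-environment = {
          files.environment = { };
          dependencies = [ "restic-backblaze" ];
          script = ''
            keyId=$(<"$in/restic-backblaze/key-id")
            appKey=$(<"$in/restic-backblaze/app-key")
            printf 'AWS_ACCESS_KEY_ID="%s"\n' "$keyId" >> "$out/environment"
            printf 'AWS_SECRET_ACCESS_KEY="%s"\n' "$appKey" >> "$out/environment"
          '';
        };
      };
    }];

    services.restic.backups.b2 = {
      repository = "s3:https://s3.us-west-001.backblazeb2.com/enzime-restic";
      # Both secrets are passed as file paths, so their values do not end up
      # in the Nix store or on the restic command line.
      environmentFile =
        config.clan.core.vars.generators.restic-backblaze-environment.files.environment.path;
      passwordFile =
        config.clan.core.vars.generators.restic.files.password.path;

      pruneOpts = [
        "--keep-daily 7"
        "--keep-weekly 5"
        "--keep-monthly 12"
        "--keep-yearly 75"
      ];

      # From https://restic.readthedocs.io/en/stable/080_examples.html#full-backup-without-root
      exclude =
        [ "/dev/*" "/mnt/*" "/proc/*" "/run/*" "/sys/*" "/tmp/*" "/var/tmp/*" ];

      # NOTE(review): -vv makes restic print per-file detail, so backed-up
      # paths land in the service log; confirm the log's readers and
      # retention are acceptable.
      extraBackupArgs = [ "-vv" ];
    };
  };
}

--------------------------------------------------------------------------------
/hosts/sigma/terraform-configuration.nix:
--------------------------------------------------------------------------------
{ host, hostname, ... }:
{ config, inputs', lib, ... 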
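}:

let clan = inputs'.clan-core.packages.clan-cli;
in {
  # Tailscale OAuth client for this host, tagged "tag:initrd". After creation
  # its id and key are stored as clan vars under hoopsnake/.
  resource.tailscale_oauth_client."hoopsnake-${hostname}" = {
    description = "Hoopsnake on ${hostname}";
    scopes = [ "auth_keys" "devices:core" ];
    tags = [ "tag:initrd" ];

    provisioner.local-exec = {
      # The id and key reach the shell through the environment rather than
      # being spliced into the command text. That keeps the secret out of the
      # rendered command and removes the quoting hazard of embedding it
      # between single quotes.
      environment = {
        HOOPSNAKE_CLIENT_ID = lib.tf.ref "self.id";
        HOOPSNAKE_CLIENT_SECRET = lib.tf.ref "self.key";
      };
      # `set -e` only: with `-x` the shell traces each command after
      # expansion, which would print the client secret to the provisioner
      # output.
      # NOTE(review): `--debug` is kept from the original; confirm that
      # `clan vars set --debug` does not log the value it reads from stdin.
      command = ''
        set -e

        echo "$HOOPSNAKE_CLIENT_ID" | ${
          lib.getExe clan
        } vars set --debug ${hostname} hoopsnake/tailscale-client-id

        echo "$HOOPSNAKE_CLIENT_SECRET" | ${
          lib.getExe clan
        } vars set --debug ${hostname} hoopsnake/tailscale-client-secret
      '';
    };
  };

  # Installs the machine in two passes: a kexec pass that also collects the
  # hardware report, then disko, install and reboot. It runs after the
  # tailnet key and the OAuth client above exist.
  # NOTE(review): `--yes` skips confirmation and the second pass runs the
  # disko phase against the target host; confirm "root@sigma-installer" can
  # only resolve to the intended installer.
  # NOTE(review): the SSH deploy key is taken from a local_sensitive_file,
  # i.e. a private key file on the machine running Terraform; confirm its
  # location and permissions.
  resource.null_resource."install-${hostname}" = {
    depends_on = [
      "tailscale_tailnet_key.terraform"
      "tailscale_oauth_client.hoopsnake-${hostname}"
    ];
    provisioner.local-exec = {
      command = let targetHost = "root@sigma-installer";
      in ''
        set -ex

        # Remove this section when `clan machines install --update-hardware-config nixos-facter`
        # supports writing to `hosts//facter.json`
        ${lib.getExe clan} machines install ${hostname} \
          --update-hardware-config nixos-facter \
          --target-host ${targetHost} \
          -i '${
            config.resource.local_sensitive_file.ssh_deploy_key "filename"
          }' \
          --phases kexec \
          --yes --debug

        mv machines/${host}/facter.json hosts/${host}
        rm -d machines/${host}
        rm -d machines

        ${lib.getExe clan} machines install ${hostname} \
          --target-host ${targetHost} \
          --build-on remote \
          -i '${
            config.resource.local_sensitive_file.ssh_deploy_key "filename"
          }' \
          --phases disko,install,reboot \
          --yes --debug
      '';
    };
  };
}

--------------------------------------------------------------------------------
/vars/per-machine/gaia/initrd-ssh/id_ed25519/secret:
--------------------------------------------------------------------------------
1 | { 2 | "data": 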
"ENC[AES256_GCM,data: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,iv:1hDeDMXK94nxKobk9TeugOHWxOIOHlCYAcPemGJm46g=,tag:L9WwbaXOglnP/WnrNOV/RQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSOE9sUkpTeGFmelQ4bGFB\nZ3AxdWNGRWFjVlMydDZJbUswcC9kRHdneFRjCjN1amxYZVJjS0Vrd2hZZ04zWTIy\nMHFFZmZTZWowVTdzY2FVUFo4Zk1mOE0KLS0tIHN1dW50dTZteGJ6SXg2ZHl4emh5\nNHAweHdCbGJ0UnZnSzQvNVRPNm5GUUEKulwjz4qv+iK82xfcpfIdnyuziAdctTuu\n1V8KFSKDprOtaSiajAdjjKO979JE9UaSVP+8DJyBJ/c5vm+vvRU1Sg==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyArVTlQ\nV2ZEbGp0S3BlU3lmSVIwVnB4d1ZUVjRZUmlxaGJwUVZnQ01VNkNZCmZWK3ZDaWRU\nWW53dmdMVWgzSnNDdkNaOVZKRXZXL0x6SW5QUHpYSUFXUWcKLS0tIGFWY3dNQmtz\nT05ydDk2UDY5RzVxSmQzcHI1L1phWUdqUEllNTR1bWRWVVkKPDp8WVZvAP6B8QMa\nkk3O43rWTfKSS3ULBMEkObUEUNKqVOmVt2+OJNA1RmjYkp40EEmHVC9nvoKPzDE1\n/ptzSg==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-07-09T05:59:44Z", 15 | "mac": "ENC[AES256_GCM,data:VAJ8Tvz1xH+hmdWJqJLG79+UqTM3JRlAMtnlUzKWXYyVhviXd0hpuZzKZrrqrncVSX8faS9EbitUkI7m30yGOOf7vnFSuXd68M3FmAujNyJG2aLhhi/qeGeuX9AOXeITGbiWWttER4MmLpMWzqRi3jWZe+REFfl/DjB/ucBK1yg=,iv:F8byRawCfsJNif2HDU6I7uw7oFmS3HNfPtVfSbQ6wws=,tag:w8CyT3l0YBDp+GthPIlEAg==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/gaia/openssh/ssh.id_ed25519/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": 
"ENC[AES256_GCM,data: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,iv:m9siehm16X3HXHYRWt9Ts+RdkvxRCsiIUr6bFaaDR2Q=,tag:T3mpBL11SrpRheqadfWIUQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZERBZFduZ1B2M1U0L1Vw\nSW5tVlJlZ0F6Mm5Wb3VBTW9JVjAyMHJNTHkwClIyRk50Z2NvemE0ODFHMGdUN0da\nVHY3aHNnWUk3eGI3WjlyUC9aWmRMTmcKLS0tIHBucExmTVdxbnBVd2EvYktnZmhF\nNFdWUURsOXh1VzNpMWVNbkpVd3ZjcXcK/n37H2m9VO7tMFbQ6wyrN4B66LtJ2Yb0\nCLhxh0JlbDKa7cVF7IMULWjvQPjkjeU8usbW9JCTNsMNlr1pPrALig==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyB3Z2J6\nanVnNFFmb3JPQjF2TTJEd1NzV2ZsV2xPbkZwOWpXa095YzdTNEU4Ck40U1k3T0My\nRlJadXRETDkvUUlaVWNUSUFNeHpNdzg5OFNEMzNzSVd6bncKLS0tIE10QUE0aHNS\nYmpDa2NNUFAzTm8xSGhMRERQTTFOdVdvZlE0ODlUZkRLVk0KdCQl+wYE32hDGN+F\n5ho1AVd0YFnwhl57esPvRQ3CB9sDr0OGRI/24Z0+qFVfbvz7i1E0gRcuWJi08NU8\nbx1Q2Q==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-07-09T00:40:07Z", 15 | "mac": "ENC[AES256_GCM,data:Br/pvbJN5A6bFbbiLMG5+KVbOO+PXiLO4grxb9Qo0DRZuYcFlqyle34j8UlyXeVu28sF58MwMUQSidIC38mq/eXagWPTemsrvhIm3s1UFiyUvm/8UMcLxpW4QejB2aEBvZTQbfgQ+qjTKzsfTZ9H2u9oKvcfBcfO44kISyI+H/4=,iv:Pk/gR+0iCgzbMcp9eXvO9thgVNskc/WA2bbl3LEdyzY=,tag:ygBKQH4cAiHgQotJ5FsRBQ==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/shared/wifi.hotspot/network-name/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": 
"ENC[AES256_GCM,data:2cTTuH3h,iv:ZlFsLFAYiyQgyB9YWKFzGPVbt/JKil0hUlZfSe9Hle0=,tag:NYKpUbaux7riUmPl980hzQ==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzYW8rYVQrTndUOVBnV3Z3\nZlBwY1NTMmdHUjUzWXYwNWx3WVlDWUd6RnpRCndYZ1dpdCtKV0JzdnlRTjRLS05y\naUVxOUdIbnh0MHRML3V4dTlXVXNrS0EKLS0tIHJyWnBBSEYzNG1lQnd4bi9reXo0\nVGJRandHQnVUcVRUbGVsc0N3aURZZFEKwOFQa17wJnowMVq8DwG8p9ukM9gToblK\nixRkIxOKsdo10t7l5oaHcMPkFkc/PvkC0/NpN8eCADUUVzik2enr1A==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBZVXNY\naExxQkkrQncrVEY3MGJ6RzdXQU9rRHR0dlVCNG54dDhTYmY2SEh3ClNBSVkvd2l6\nWHprMXlEcEQ0RExzQVBNa1diTjVHVU1FcHdrYVkrZmlZTzQKLS0tIDFIbCtuTzgx\nemNYVTc2OXZ3OThabUE0TUl5SUdwWlB3ZU9Sa2dlUzZIbmMKC7EOS2O428U2imCm\nNn3PUvQtuBkO81OQgr101wNp9YAucqrHi1QZbk/mOnzFlqJk1x7uw1sTqGWMPPe2\nkVk7Sg==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU0p3UHZjcC9mUFEvKzRU\nK2lNNGFtRXo3QVpyRmZXaGEwVjBZcU1XTFVRCm5tMG1CTmU4aHE0blZ0R2svelZz\nQUkvVzFPaGhkM09WcVoyZUpCZUh0R3MKLS0tIDRHck90U0MzaWI5bWNLQWExbzd4\nMlljQ255L0lvNzZ4Y0JxMmo2QW00dXMKtTlZV7+pSWiIvayvYCN8VcMc8N77z5ry\nLlYjaY3tG0Clz0GqYw2r2MDXaoOggBDE/C2ZgMlC8kuCvrbI3RlBiw==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2025-07-04T04:04:52Z", 19 | "mac": 
"ENC[AES256_GCM,data:l23lx6o+xU/DCda4TEOo0QPKZJ4rAKklXWAYmX/E/cegkMXs7oTAnvtoT7bbPJCxUas9UpAlOInzwdfaLd2lOj20qNWFytHXZg0DgmZsvAH+cWHZIhD4p4B5A3BlD0OrzjIzj25PcBkPLwX2u8SsupcxS1nl4Pz/bIimqkkMbDM=,iv:skCOi0a1qJLjGgPp5HzuO8imy7nv+iZp8dxPxDcobDo=,tag:pzKt8f7QrqLT9tCjLa+GCA==,type:str]", 20 | "unencrypted_suffix": "_unencrypted", 21 | "version": "3.10.2" 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /vars/shared/wifi.hotspot/password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:quULdcimR2mBog==,iv:yHiFNAPk8RFtmJt0inF/z8W9dMLO4ZyJFbXo22xRNhs=,tag:oLADKteaFuYfij0KZ5LzKA==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVzVJenlXQ0JvdUpJaHYv\ndzM0QkQ0WW83ZDVrKzNpcDBNeC9DVDhjQUhVCm9DdWRsRWthRjFNcW9JTjFaTEh2\ndkpKVnRSKzNEMXVvS2ZsZGlkeVRXb3MKLS0tIHlRSzcyTE1HWlczQTNmK2dVYllX\ncnBPQ2phWWR4SENKdjBHbmQwd2xZcjQKSE2GNr4w8h9URoebNgY7xVvJXzD5CPB3\nq1pvjEjCzQDEGqBQIENR9onBVSXKt7mkTf1/YnGN0h5EIkmxHLpB7g==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBUb1V2\nTnRKdkVueGMyRWRVb2djc2JEVUM0WVphUmdJOE9UUkZxNVptM1hjCnZTK3pMZlF3\nY1hia25TQWpNaXNRZWxid3RIZkIwd0FBYll5dmk0ZTJDTmcKLS0tIDhTNXhyT0l4\ndGp0V3cwWHRab1NsRmpXZnArc0tMZ3pyeUh2T2NrT2twNXcKqmGjU1VWqj5GIoN+\nwoERbhozx37oXwO7wRzC257nwsWMr4WtrES6oOPQ5vtyD9wtT+xBK+Z0pmaxQv9P\nSt1gxQ==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 15 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVmxGRURhdHROZGxhQlJW\nWjYvdmNCcjcvb1grRkVxQXNNd3JzRnIzTjJRCi8wSXNZa3IvcmdNYktCZzNNbGhC\nNXJrMUE4WXB3bGdPaXkvQTZWUGNkZlEKLS0tIHFMc1VzNUJHYXN1OXdlUUVyVGdx\nV3R1U1JKWXFsY21xNjdUUkVhVXpqVHcKJ5UN0Ki19agVPS6eZpEKfBr/vut0+AEq\nPxGfDPmEa5aM+CRhx9xpIf9h7g205vs9XriOZigGOzNskSLwXK/tgA==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2025-07-04T04:04:52Z", 19 | "mac": "ENC[AES256_GCM,data:OaQEbvlJDpOFpsCR/2UaLbcvpHMvFjCrREMMlhAZbtap1c5WzBO87U6wXHfLhhxCTulOo5G9iR2jigt89e0ZoD8V168GV8rxy44IthrGi0L4WRZuSm57p8yn3YbkV033BTKHoHiE5Q1+77VjyoXUhHwTnq1SBOKvdvufDcRq5H4=,iv:3AlCRpbfSIwxxdnwMtXyWh+gO3pinzwDWSyZvhC87hM=,tag:CayM5lfUWwPly+47zg0Jlg==,type:str]", 20 | "unencrypted_suffix": "_unencrypted", 21 | "version": "3.10.2" 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /vars/shared/wifi.jaden/network-name/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:ZG6ANt1YyTA=,iv:rVuDEA5dJ/RPPCR7CCrbDqQl3WYqR4N14lst6cL+K08=,tag:PvScMyKgFdPdBjvxjalwrg==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcUQxQ1FkS0ZwYmlDelR1\nMTAzbUlncnVNb3ZRdnI4eGJWYVdYSU9iRzJ3CmEwa1NVUjFiOTN4ZG5PR1NSc1N5\nUHptSGhodmljUWhNR21HbmhnSVQ0YkUKLS0tIGlwYkVpN2NOeDNWVU9SVzVNSnpo\ncUhpSzh0YXhSTWl5RnVDN21IZitEZjQKRIDGoa0O5bYDFwfCISFrXxiCjKh30yJA\nI1esJJsqnMDXkZWJZ7x96afoS22sstcLw/k/SJ+NYTz6UCbZF0L6FQ==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 11 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MGxyTE5YNC92UVRib0Fq\nOGhzR0gxNDdpOXdlckR6WHlwMmQyYzdVMWg4CnRYbFdoNmhEVTNEMlp0UjNJRG1z\neGZUZExyTmxiTzErTzRQa1RqMHBXQlkKLS0tIGlodE1LcWVKRk9Ud3J3NVgxTHJQ\nS3E5VTAwam8rRkRIZWNWUmZoY3hvbVUK/Rb3BhAelHCaVUEQgDd/VnlMhOTqaAxT\nqnmIX8P+7zURGAzycIwXtPz0p1rWwvjlmN6WZX/fuLVteP/NDVtGFA==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBUR0pj\naTRndjhZUDN3cm5aMkd3N1MxU2lXdGpqd2VCeHVKQXY1b28xWFhRCnlHbWlFYzJz\nR2RtVlhwekxUdFlUOWVOVTlXaGptd1RrOFZsVjhnYnh3akkKLS0tIEd4QStZNFhK\nTHNLUnd0NTlZN0ZiU0xydFlEdnRZWklLY21iVER2UDNhQWcKTbAZuEZaa+52BJVM\n2Rx9ySAPK8V6QB3Zf9OY+fOvQoFGSHoqYcoNoT5j/jjL0Ns6dE9UCCqi6N7a+BZ+\nqJISnw==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2025-07-17T08:57:47Z", 19 | "mac": "ENC[AES256_GCM,data:i3F+NtLUUZZ/q4gVSMEo06NsyGaCxPWtFkxlVHKddMG/lNp8hd22/Du6P9S17U0ZZAAILw+cRAT84BWOoZzkAas+4Fyk59WU8u/eJliKmxIzXQ6y4oXx6X7pS5jYcJXERIwYJaVewpW3jmolwjOmiYmFJnsLZTCiu70sAyQn7qw=,iv:hudMH9VaA5EdJqTh9TgP9Y5YIh9X4QP3SQDQPRvaWkc=,tag:T+n/ovb2tfRkhG+4wX6ZsA==,type:str]", 20 | "unencrypted_suffix": "_unencrypted", 21 | "version": "3.10.2" 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /vars/shared/wifi.home/password/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:+iwx5vgtvnc2tNFmGxgA/Pwi,iv:aS7m7Q+xiP+YL7zNMPthD4RR0DpcUs9dGds3ttQkfyU=,tag:fzvFyOstNTHqoZ8fa0HIWw==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MGp3MFFRUnZiQ1M3WXhu\nYTZDYWpOajZlTXBHY1VoQUg3ZXRsM1VqODF3CmNVTzNyU3Nvc0xLU3BlSTc2NDdl\nMDE0Zko1Q3IvRE5jSUM3UTNoTldzd1UKLS0tIHVqSHg3QURoWDVmWmJydjJTNTZ6\nTmJYU0dPQ0J6elZzZktZOEd5Qzd3VkkKMNQC9xZb7n+TY0BvpAZbXWLUjilZfaqa\nKJ+BFo9sul02w7SWuL+70BV9+ZDP2e6rDWAYY2wT+1i8BNhPTE9SwQ==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBZRmZV\nRXVHb2ZKM1N0MVl6bFBmUlZnc1RnODM5SG03czFsOHlieDgyMjNzClRsS3lQbmtt\nbEpDSVNURllhdlorU1FxUGhXQ2ZPQUc2aTJRekxtT2hMK0EKLS0tIFlIVFdpTzFj\nYzdDdUk4YzBXZHd2Z0o5M29NdTNoYkgrWXNac3VPYURtK0EKutD5ZHjQ4mw5/Nsa\nIp9fLVICPgBicw1fVBIXXnQqCgEnmi1cHK7IHj130CgIn5kcZo1006+3JANtuAuy\nJ1Wsbw==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQTExDdko3RytZVXAyNkUx\nQ0JLUkloWnNpZ3h5K25vOGRGNG1pN2tRR0NjCkJSSVQ0ZnhnZ0p5K0g1UVh0SmdT\nS0MrNGdwbW9UN3o5bzR4RlZoQndrdGsKLS0tIGNCSUVURlh5YjZtQXhhd2xzMHVm\nNWVETzRNOGw3N3Y1UzZoWjkzMFcyNU0KLBa89L0ORtc7oQajF19mCow4s7qL56U7\niX53aJxm/q/uZgatN6+dFFAFTew01rsX7m0ZNn/cGbueThBhzoU+fA==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2025-07-04T04:04:44Z", 19 | "mac": "ENC[AES256_GCM,data:iMV24GgtzzY/yGdPhfSzfDGqbewEf8ak6KDZxxy1M3z3RrvEHtSJnBqct192T5K+yMP2gcbNV/gvxwduV63BTJMWVOpqrVyItVhlwzGXI0fN5jZb97gAi2HQDxRqqkMcrJpLNEgm2zm413JC5MCE6utsNQNUWmf90f/mu/qaKXc=,iv:OD8niqg92IWVGk09S3lwHqdoxpJfYSLTCDrqf79YxII=,tag:wVtSm9UIU/FFMOJrm2Zi8w==,type:str]", 20 | "unencrypted_suffix": "_unencrypted", 21 | "version": "3.10.2" 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /vars/shared/wifi.jaden/password/secret: 
-------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:2uP8gf5MInpEejTP/N2WJp1uAMC1,iv:aG2TZnd1OIIqLvC+SPnpoxzuchDISbOFIgeML/24JrM=,tag:fkbBs6efJvKYnIbm/GHvdg==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPakhyQ3RONzBRR3ZVZEVk\nQkVjUGhmUUxNR09WdDBsOE0zaDZEVW9LM3lBCmFGZW8zcS8rWFVWSGhReUJ4RFV3\nODdqamJqV01yTysvbzBSQlloNlZneVkKLS0tIGN5d2RIQlVZVllMS3oxSW1zZC9D\ndlVwdi9TOGdXSDZuQ0VMTVFGbXBsZUEKIlMyk+/dj0PP77ebTTz3qrC9Kx0ToCVW\n+NJCH89VE8zgIR9Tmx7x7eNPVlelJnRxqi9xjB3TQYqZvnRQxA7Hjg==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXL29Ba2QvaUtGSHZmUDhX\nZTl2OWt6TGY1bmxqanptaFBGYUQ4ZWtGY0FZCmVXQ2NPNDdyS0U4SGg3RHV3V1ZJ\ndVREQ09PRnVnRFlLRENEdG1pcTJXaXMKLS0tIDVMMHRtSlJyYlB3dUc4MmtqRG5C\nQkxZb2pCeVozZ3RBSXA2Y21ucTBRNG8KkknTGE3K9nM2/QWG7r9wSLKffGU/+Dnu\nDJzdFKFo9rOftioT/qjLUvC7JnzCG+PmV09phdjfJjII6mfPU+X3iw==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBuQkFp\nNi9CTmtJVzh2R2t1MzNXYjlYbHUwMXJhMEZMZG9SQkY2Q0dCdlRzClM1RFYxcHZa\nT20wLy9xMERDS01mMjkxbEw1T0g5ZDVFbUlHSUlLdDJkcVkKLS0tIGcrQ0xRVHgx\nSmIvOExoSEdHL1RPSlNDSWlIaEp5dURMSkMwT0E0RFVYMlkKkjxrv9ND8nUWX005\np8epoSK8UdWuCwrtC93L3zd98M0TC3rkNz91sI4YQ7kcpLXPagBnlE4HIc4fTooX\npRGhfw==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2025-07-17T08:57:47Z", 19 | "mac": 
"ENC[AES256_GCM,data:VJ14nz8UqQaLKgrEdWCZz/Hsc+BUq8jreOxv+l5AnN2xuYJSCX2MLHIHVbxhmq79Gf0PJVprjmt5vgcEkt0OSLMsfT95vFza/UGFfLAbBR6hXOUrc1guFTsH1H8GRAPgYOCR6tZld/VUTjRe+fB2b9qpfaotNmzPpGdYmz4icJk=,iv:rz4HPpolzgogqdx0BQacmCSWppmEJig7VPmDVUyoFaY=,tag:w8vV3ZZZRWql6GvZaGFGew==,type:str]", 20 | "unencrypted_suffix": "_unencrypted", 21 | "version": "3.10.2" 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /vars/shared/acme-desec/token/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:O2f0BllDmAxwDE2SzEoVXM/JwLTWjQIRTj1V+A==,iv:usoq8DhqjIl+9UfIUc1z09QHSgo0pEpjUMZNzY+SKjw=,tag:eyQZF2PoxW50GNSoZq7UWA==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBqRkkv\nR09zeEhoaWluOGh6U25DTFhNaUZCemhVa2U3RHYwcEdnMHloZkMwCmtDaTk2WEIw\naWh1bmhDZmFxdGtvZTZhOXRHV0xSdDREWHpiWk9Mc0FlOGcKLS0tIGN3VE1PRkhR\nZzR4MzZzNHF4dU1sYnNQQ0VxYjI1UGZFZnJBZTNTZmpTdk0K7Q9DlkE/D5tK6OaM\nrQgTqy4OqW+9etzzzYU1DnIOf5dK3d0j/nuebL7h/AotcSV9HFq7C7722sH8TwdD\niyNLGg==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMcHhiN2xON1cxMHZ6OU92\nYlBnUTN0SkM2bDN0RWROdjVWQXBUL2dJTFdnCjlnaklvK010ZmIzTE05M0toNVND\nNjl6dGJpRnhBakRXNlpDOGRVeW1NczgKLS0tIDRuRUpRWms1T2tJV1prWi9qOUFu\nWmZkK2dwbVk4OG5VNHdYaVZWend2cFkKtIsskAS86JJAOzLx5mCrO3WXVTkfJw8i\nqmL/kIyefcQl9W7jOI07kGt4vue+SlE7wfRE0M0l1NRua9C7ogcvWw==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 15 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdk5GTjlkaUxSR2c5SFhG\nbnlxWmMvNW9Oamkwa2ExMGJlU2lrZVp4cVNNCnZVQkgvTGZjOXY5czFUb05RV1dm\ndHBHYU1EeW5VUVhlNk82UHc4ZnowaE0KLS0tIGpVSmtONkhzUnZIWWFiOW0zQU83\ncWtVQm5aY01VL2NGMGtSRlNmeVJLLzgK6JVcM09LohrXDaBj7FcwKbbQ5xW99P5r\n5/U2wr/W5ErRuKioG5gEGI8PaD35XBUxUFLH35roG/7VHkWxlGTing==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2025-11-26T04:11:48Z", 19 | "mac": "ENC[AES256_GCM,data:rhH5Gs2fhBHQW+WV4zTPbWXcyLG1hwmm7/irBRw+OvhaWC1ktNOy4xlPqGd0UMe0qLsjCNWak0Fnn2GZNqJ01S5BAKTcUzye2oZau0hC4PBo4dhYdMemt3M6i0mXTVjzwE7e+gVfOnYKDLqLTmbo8N+86FyP51m8jm2rpq5BTVA=,iv:ixRSE1cPESviZS3is3yakgao2Ve9qpeEoeZKdoaP3fY=,tag:JJtN7qU8z9xqD1s4yuIQwA==,type:str]", 20 | "unencrypted_suffix": "_unencrypted", 21 | "version": "3.10.2" 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /vars/shared/wifi.home/network-name/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:db/lnxBYjA+JDrDtyZNyEfojUcZM5ig=,iv:zaiHsOS2j8AmHBUuqy+QSIB11BhPZZn02kit8TmQBb4=,tag:F8z0OxSbf7Zwng47VeNeIg==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvd0gwcHdSN1FnMFlsNThF\nRzJLc3hkUVJ1c1dNNXBUOVZLdkx3WUhDNFRZCkxuTUt1Q1dROVdnOWNWRTR1KzJU\nRXlMbmhkNFNPTVhjN3E2TzZhdTdMNkEKLS0tIGFPd0xJdjlTcDVWakxEM3k0RTYw\nUGYycXBvdkE2bmliNWFYTHVMYVpHUFEKLSvcm229DMwM5O21J51qpPI+Gc22cXJI\n3d+VS/g+kq3FhXTRVvvcBWWcoUhU5y/y6TMVBY4GiDUdGvmPNKRU7g==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBRTEYr\nZDZzM3EraitvQ2R0UkpqWHRuOTVzbmd1Mzg4UXpqV2MxOFlCSDFVCjFEdDhuOHlh\neXhmbmdSYmFTaTNyZlVUN3NZZHI4WXFJcXpHNUtHbWxVeWMKLS0tIEcxclE0MkN0\ndEdtSzI2NHpwbGtJTlJTa2VzbGo1aFNjbXd6UkJad3BVTzQKw4kM91HCoMHRp2t2\nb03tpzw+lDaI4GUxRKNj1xxxuPSjK3xjNMvb1t2zghzJQqCz3DNjIZk5JK0lEWkP\n6Xh9rQ==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RytmWnloODFBdDh3NHlN\nT2NoNFJ1dFhLaGJUVE9KVUxKN3Z5ZTh4Z3dVCitpcVdhbHIzd255SGpUTTZTa0s0\nYlZxcmU1dFNPYWh4ekhmWXpzZ0FSYzgKLS0tIERUL0FyeGloTVFYVE1QRC9Weisr\nZTFIVjlXSXRINVRHLzhQWkZpa1FVdGMKn/6/cC/QEDv8N27JTrSlnayH5vrCOuZ4\nCLnw4EKbKyz4WEXs5C1evFsVhJFIkP8HJ874sVtFZoP3bAMnf9u+YA==\n-----END AGE ENCRYPTED FILE-----\n" 16 | } 17 | ], 18 | "lastmodified": "2025-07-04T04:04:44Z", 19 | "mac": "ENC[AES256_GCM,data:r0tRwV28FzLEBnbs7eZ3RmSL7GbLTxZbcpmcfzuWptyaJ6CnPBEN9MTyKZNLvKKYOcHUxpGAK7LYOGbzrAqRTh0UsmHFZAbMY2HrR6qy0C3buW8qy86dR0WMvCa+pez4cN08gGRZ7ZiESavogLIpGAsmCFMC2ZIf6NEF/BNDmyg=,iv:s+VH8L9RHNLHphBtDiGnsuP1YatDC5982A8NLStU+2Q=,tag:VWkh496oh0FhSgK3na5YRg==,type:str]", 20 | "unencrypted_suffix": "_unencrypted", 21 | "version": "3.10.2" 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /vars/per-machine/sigma/openssh/ssh.id_ed25519/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data: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,iv:Ys2CG5yFhBPhe9BsqPvpn2oj/YYBLAk0xPfM8mkMJp4=,tag:kOICwi9wkBka86mT6lbyDA==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjL2swQlVkNUJiU3hEUHZQ\nb1drSmY0bXhMK0NLYmpOcldmQTFTMlF5dmhvCnJCSVRZWk5kWTR4UTdqRjlqT1Ba\nRkF3VHVzTzBVNWZ3TWR6anFGRnI5UXcKLS0tIHV5WDlQOWRkT0tNb05qVGNiOE94\nS3QxdVBPWmFqdUNyTDAxM3BSSFNyMjQKPebOCwdRpdXxNwtQYiOf6Xd6bCm8LN3A\npy+hggQxSewpF3piI8z1uReHpyaeQM2jcPRd78MRVZxC69cMe0B0ww==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBRS1Vp\nSGdTeGI4ZlIrLzRSM2pkNE82OXdtclRsVzNHVmJpUVRvSG0yMW5jCjBUQzJBVmF6\nalBtanBlZ1J6ODlUMW50WERKNlZVR3c0MEg3VFZEdmZDOU0KLS0tIGNiU3YybFhw\nTi9NYmZ1YkFZcm1GL3FIL0VmOE5tZ09iSzZXWTc1TGZPeTAKs+iNPVPETfAJHc/v\nJerd1Ygqp1Em37e+a9zXMMfDmiJNf1X9509b9WFo+HDedi7DrUqiPUV4xZmyaf0E\nk6uz/A==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-07-09T00:19:18Z", 15 | "mac": "ENC[AES256_GCM,data:ar2MkjgTMqrwYVYTf+IR2Y/M6fAlV7ntOjDQX2zxX+N6XuP1kORdpySlFoUfYZ9KZrt/9g3yTHftNutI2E5XM9q5mgqwHCcosYDG4uEFU5bhcXa6bBs/3xBZ9Z7lAH4g4dD/yA6sPpk8r/ni5z73d7h4FvMGjaOrQQfMBip4slU=,iv:c/uwyGUR/WcGKdRaE509X+qE3Ysm0t2/svnBKcii0Uw=,tag:67aw88OcmYGLaaow1Gp/lQ==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /vars/per-machine/phi-nixos/openssh/ssh.id_ed25519/secret: -------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data: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,iv:fiQzobLnk9SUdALhgTVRmEv9JHSvZmFSwEVHmFBNR+I=,tag:u5E6bwFHFxRWENRfyUdJWg==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 7 | "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdE0ra3pTVGVicVEyOFVw\nZ09XTXVyMVdQWlE4RnhHRitWZGhNM1FkdzN3CmVMTWhoNE41VU9JVUFYWXJrTEMz\ndFU3QStLVnZLNlZGZkZUdGp1eEZ0UmMKLS0tIDRCOHdhL1Baanl4T0RDblQ1andv\nVTIzMzhMQ1JidCtDeko4NVdRclZYTDAKCMxJiAzovVAYlac7kWJcUHjph8LUxDDc\nArc7lfZeKJORWA19Bq3+8kLirK6KwScpbw30m5nTTjzDKotoyHIVkg==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyBBZ0cx\nT0tPYkR3aUdzRHhrMVU0V2syc1E3ak41a3RsY252aEd1M3g0cXhBCjFadUhFc1FH\nV1BVaDRpUUN1YVAzOUF6WVVyK3B3dTdxMWM3dHlHcHlUNGMKLS0tIEtCSjJuK2M3\nL3VjZFlTY1dVblR0Z3FJc2UwTmVJTUk5RmduWTQxS0V6OTgKSCIS67OYhMdkTb3Y\nsHu/r0w4sJo/0poMb7spmXwi87w5Ct5bQzXJQGSd0LdOGbTKVMbwjMrnqkTcHnd7\nI2MB9g==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2025-07-07T05:32:39Z", 15 | "mac": "ENC[AES256_GCM,data:ZLzFv2eBsA+twR5vg7T0tlaEEp89gwOrWdmtrgOhVN+3vnOZJvRoLLbUEcFqOSwA9sh1hrNGbtIJSOjMbv8/OTpos4mTN3nrW0nwIWDOiWgHgFlQTmVdWRRA3sq44JIOGP3p1jnlLgEUwpzOc0/zqnuVjni/UXjy8WxA5q9VV6Q=,iv:0wT7ePNQQ8pBUbLsjs0eGj5G7HdlOVsHgrSPU/DNeYY=,tag:ATKTvhSlJ01opSDF5fnGBw==,type:str]", 16 | "unencrypted_suffix": "_unencrypted", 17 | "version": "3.10.2" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /overlays/firefox-addons/flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; 3 | 4 | inputs.firefox-addons.url = 5 | "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons"; 6 | inputs.firefox-addons.inputs.nixpkgs.follows = "nixpkgs"; 7 | 8 | outputs = { firefox-addons, ... 
}: {
 9 |     overlay = final: prev:
10 |       let
11 |         # We need to import default.nix to use buildFirefoxXpiAddon which doesn't get exported in flake.nix
12 |         # WORKAROUND: In Nix 2.14+, firefox-addons.outPath points to the subdirectory rather than the root
13 |         # so we need to use sourceInfo.outPath to maintain backwards compatibility
14 |         addons =
15 |           import "${firefox-addons.sourceInfo.outPath}/pkgs/firefox-addons" {
16 |             inherit (prev) fetchurl lib stdenv;
17 |           };
18 |       in {
               # Upstream add-on set merged with the two locally packaged add-ons
               # below. The mapAttrs wrapper throws when a local name already exists
               # upstream, so a local definition never silently replaces an
               # upstream package of the same name.
19 |         firefox-addons = addons // (let
20 |           inherit (prev.lib) mapAttrs;
21 |           inherit (addons) buildFirefoxXpiAddon;
22 |         in mapAttrs (name: addon:
23 |           if addons ? ${name} then
24 |             throw "firefox-addons.${name} already exists"
25 |           else
26 |             addon) {
                 # Each add-on names one exact .xpi URL together with its sha256.
                 # Presumably buildFirefoxXpiAddon passes both to the inherited
                 # fetchurl, so a changed download fails the build - confirm upstream.
27 |             masked-email-manager = buildFirefoxXpiAddon {
28 |               pname = "masked-email-manager";
29 |               version = "1.7.2";
30 |               addonId = "{c48d361c-1173-11ee-be56-0242ac120002}";
31 |               url =
32 |                 "https://addons.mozilla.org/firefox/downloads/file/4585287/masked_email_manager-1.7.2.xpi";
33 |               sha256 = "sha256-UBcHS4ackk1RpWTRAyj8SB2VYe4hVIfive23hN/hd1I=";
34 |               meta = { };
35 |             };
36 |
37 |             purple-private-windows = buildFirefoxXpiAddon {
38 |               pname = "purple-private-windows";
39 |               version = "1.1";
40 |               addonId = "purplePrivateWindows@waldemar.b";
41 |               url =
42 |                 "https://addons.mozilla.org/firefox/downloads/file/3423600/purple_private_windows-1.1.xpi";
43 |               sha256 = "sha256-FMu5tY7PwPTpUzrnbK2igfJhSCKUb1OMSPIhjIBwLok=";
44 |               meta = { };
45 |             };
46 |           });
47 |       };
48 |   };
49 | }
50 |
--------------------------------------------------------------------------------
/modules/linux-builder.nix:
--------------------------------------------------------------------------------
 1 | {
 2 |   darwinModule = { host, keys, extendModules, pkgs, lib, ...
}:
 3 |     let
           # Variant of this same configuration with the Linux builder forced off;
           # exposed below as the `withoutLinuxBuilder` option.
 4 |       withoutLinuxBuilderVariant = extendModules {
 5 |         modules = [{ nix.linux-builder.enable = lib.mkForce false; }];
 6 |       };
 7 |     in {
 8 |       options = {
 9 |         withoutLinuxBuilder = lib.mkOption {
10 |           inherit (withoutLinuxBuilderVariant) type;
11 |           default = { };
12 |           visible = "shallow";
13 |         };
14 |       };
15 |       config = {
16 |         nix.linux-builder.enable = true;
             # NixOS configuration of the builder VM itself.
17 |         nix.linux-builder.config = { lib, ... }: {
18 |           imports = [
19 |             (import ./cache.nix).nixosModule
20 |             (import ./flakes.nix).nixosModule
21 |             (import ./ghostty.nix).nixosModule
22 |           ];
23 |
               # Bootstrap helper: reads the builder's Nix signing key with `op read`
               # and writes it to /etc/nix/key on the builder over SSH as root, then
               # runs `tailscale up` there. runtimeInputs is empty, so `op` and `ssh`
               # are presumably resolved from the caller's PATH.
               # NOTE(review): the remote command creates the file with `cat >` and
               # only afterwards runs `chmod 400`, so the private key briefly exists
               # with whatever mode the remote umask gives it. Running `umask 077`
               # before the `cat` would close that window.
               # `set -x` traces the command lines (including the op:// reference),
               # not the key bytes travelling through the pipe.
24 |           system.build.bootstrap = pkgs.writeShellApplication {
25 |             name = "bootstrap-${host}-linux-builder";
26 |             runtimeInputs = [ ];
27 |             text = ''
28 |               set -x
29 |
30 |               op read "op://trimcmujfu5fjcx5u4u752yk2i/${host}-linux-builder Nix signing key/key" | ssh root@linux-builder bash -c "cat > /etc/nix/key; chmod 400 /etc/nix/key"
31 |               ssh root@linux-builder tailscale up
32 |             '';
33 |           };
34 |
35 |           _module.args = { inherit keys; };
36 |
37 |           networking.hostName = "${host}-linux-builder";
38 |
39 |           services.tailscale.enable = true;
40 |
41 |           users.users.enzime = {
42 |             isNormalUser = true;
43 |             extraGroups = [ "wheel" ];
44 |
45 |             openssh.authorizedKeys.keys =
46 |               builtins.attrValues { inherit (keys.users) enzime; };
47 |           };
48 |
               # root accepts the same user key as `enzime`; the bootstrap script
               # above depends on this (`ssh root@linux-builder`).
49 |           users.users.root.openssh.authorizedKeys.keys =
50 |             builtins.attrValues { inherit (keys.users) enzime; };
51 |
               # The builder signs store paths with the key the bootstrap script
               # installs at this path.
52 |           nix.settings.secret-key-files = [ "/etc/nix/key" ];
53 |
               # mkForce leaves root as the only trusted Nix user on the builder;
               # membership of `wheel` alone does not make `enzime` trusted.
54 |           nix.settings.trusted-users = lib.mkForce [ "root" ];
55 |
56 |           # By default NixOS and nix-darwin oversubscribe a lot (max-jobs = auto, cores = 0)
57 |           # instead we would rather only oversubscribe a little bit
58 |           nix.settings.cores = 2;
59 |         };
60 |
             # The Darwin host trusts paths signed by the builder's key - presumably
             # the public half of the key installed at /etc/nix/key; verify in `keys`.
61 |         nix.settings.trusted-public-keys =
62 |           [ keys.signing."${host}-linux-builder" ];
63 |       };
64 |     };
65 | }
66 |
--------------------------------------------------------------------------------
/hosts/phi/configuration.nix:
--------------------------------------------------------------------------------
     # NixOS configuration for the host `phi`.
 1 | { config, user, keys, pkgs, lib, ... }:
 2 |
 3 | {
 4 |   imports = [ ./hardware-configuration.nix ];
 5 |
 6 |   boot.loader.systemd-boot.enable = true;
 7 |   boot.loader.efi.canTouchEfiVariables = true;
       # NOTE(review): this makes netboot.xyz available from the systemd-boot
       # menu, so anyone who can reach the boot menu can start network-loaded
       # images. Acceptable only if console/physical access is trusted - confirm.
 8 |   boot.loader.systemd-boot.netbootxyz.enable = true;
 9 |
10 |   hardware.cpu.amd.updateMicrocode =
11 |     lib.mkIf pkgs.stdenv.hostPlatform.isx86_64 true;
12 |
       # Static resolver; dhcpcd's resolv.conf hook is disabled so DNS servers
       # offered over DHCP do not replace it.
13 |   networking.nameservers = [ "1.1.1.1" ];
14 |   networking.dhcpcd.extraConfig = ''
15 |     nohook resolv.conf
16 |   '';
17 |
18 |   nix.registry.ln.to = {
19 |     type = "git";
20 |     url = "file:///home/${user}/nix/nixpkgs";
21 |   };
22 |
23 |   # Install firmware-linux-nonfree (includes Navi10 drivers)
24 |   hardware.enableRedistributableFirmware = true;
25 |   services.xserver.videoDrivers = [ "amdgpu" ];
26 |
27 |   # Enable FreeSync
28 |   services.xserver.deviceSection = ''
29 |     Option "VariableRefresh" "true"
30 |   '';
31 |
32 |   # LWJGL 2 doesn't support modelines with text after WxH
33 |   services.xserver.xrandrHeads = [{
34 |     output = "DisplayPort-0";
35 |     primary = true;
36 |     monitorConfig = ''
37 |       ModeLine "3440x1441" 1086.75 3440 3744 4128 4816 1440 1443 1453 1568 -hsync +vsync
38 |       Option "PreferredMode" "3440x1441"
39 |     '';
40 |   }];
41 |
42 |   services.udev.extraHwdb = ''
43 |     evdev:name:USB-HID Keyboard:dmi:*
44 |       KEYBOARD_KEY_70039=esc
45 |   '';
46 |
       # pam_u2f with a touch prompt (`cue`). The mapping file is built with
       # pkgs.writeText, so it is a world-readable store path; the entry looks
       # like pam_u2f's user:key-handle,public-key,type,options format, i.e. it
       # holds public material rather than a private key - confirm.
47 |   security.pam.u2f.enable = true;
48 |   security.pam.u2f.settings.cue = true;
49 |   security.pam.u2f.settings.authfile = pkgs.writeText "u2f-mappings" ''
50 |     enzime:aZod0R2utyFHotPvicvh1Kj1hcrGjT+5cHAFdnB7X8lJoDpiPDGqEvYXOCEaFsudXD3YFFjEvBiinXsj90jcXg==,mQCyOcbnehUfXRb2Jp/y40ixSeE69rhLnD66Q8bA209moCJmGMwShxT2SIwHJZPGutNTfyqaht2XRK9x27CpLg==,es256,+presence%
51 |   '';
52 |
53 |   # For /mnt/phi on other systems
       # The key listed under keys.hosts.sigma may log in as ${user}. Going by
       # the name this is sigma's host key, so root on sigma can act as
       # ${user} on phi - verify that this is intended.
54 |   users.users.${user} = {
55 |     openssh.authorizedKeys.keys =
56 |       builtins.attrValues { inherit (keys.hosts) sigma; };
57 |   };
58 |
59 |   services.nextcloud.home = "/data/Nextcloud";
60 |
61 |   services.tailscale.extraSetFlags = [ "--advertise-exit-node" ];
62 |   services.tailscale.useRoutingFeatures = "both";
63 |
64 |   services.syncthing.dataDir = "${config.users.users.${user}.home}/sync";
65 |
       # The b2 backup covers the whole root filesystem except /os/windows/*, so
       # anything stored on disk (key files included) ends up in the repository.
       # The repository password and credentials are configured elsewhere.
66 |   services.restic.backups.b2.paths = [ "/" ];
67 |   services.restic.backups.b2.exclude = [ "/os/windows/*" ];
68 |
69 |   # Check that this can be bumped before changing it
70 |   system.stateVersion = "22.05";
71 | }
72 |
--------------------------------------------------------------------------------
/.github/workflows/build.yml:
--------------------------------------------------------------------------------
     # Builds every machine's system closure on each push to any branch.
     # NOTE(review): no `permissions:` key is set at workflow level or in the
     # job keys before `steps:`, so GITHUB_TOKEN gets the repository default
     # scopes. Declaring `permissions: contents: read` would pin it to what the
     # build needs.
 1 | on:
 2 |   push:
 3 |
 4 | jobs:
 5 |   build:
         # 7200 minutes is 120 hours.
 6 |     timeout-minutes: 7200
 7 |
 8 |     strategy:
 9 |       matrix:
10 |         include:
11 |           - name: hyperion-macos
12 |             output: darwinConfigurations.hyperion-macos.config.system.build.toplevel
13 |             runs-on: macos-latest
14 |           - name: phi-nixos
15 |             output: nixosConfigurations.phi-nixos.config.system.build.toplevel
16 |             runs-on: ubuntu-latest
17 |           - name: sigma
18 |             output: nixosConfigurations.sigma.config.system.build.toplevel
19 |             runs-on: ubuntu-latest
20 |           - name: gaia
21 |             output: nixosConfigurations.gaia.config.system.build.toplevel
22 |             runs-on: ubuntu-latest
23 |
24 |     name: ${{ matrix.name }}
25 |     runs-on: ${{ matrix.runs-on }}
26 |     steps:
27 |       - name: Free space on GitHub-hosted Runner
28 |         if: runner.environment == 'github-hosted'
29 |         run: |
30 |           # 13.5GiB
31 |           sudo rm -rf /usr/local/lib/android
32 |           # 8.6GiB
33 |           sudo rm -rf "$AGENT_TOOLSDIRECTORY"
34 |           # 4.7GiB
35 |           sudo rm -rf /usr/local/.ghcup
           # NOTE(review): both actions below are referenced by version tag. Tags
           # can be moved; pinning each `uses:` to a full commit SHA (with the
           # tag kept as a trailing comment) fixes the code that runs with
           # access to GITHUB_TOKEN.
36 |       - uses: actions/checkout@v6.0.1
37 |       - uses: cachix/install-nix-action@v31.8.4
38 |         with:
39 |           install_url: https://releases.nixos.org/nix/nix-2.32.4/install
40 |           github_access_token: ${{ secrets.GITHUB_TOKEN }}
41 |           extra_nix_config: |
42 |             !include /etc/nix/nix.conf.extra
43 |       - name: Run nix build --print-build-logs .#github-actions-nix-config --out-link /etc/nix/nix.conf.extra
44 |         if: runner.environment ==
'github-hosted'
             # Builds extra Nix configuration from the flake at the pushed commit
             # and installs it under /etc/nix with sudo; the next step restarts
             # the daemon so it takes effect.
45 |         run: |
46 |           nix build --print-build-logs .#github-actions-nix-config --out-link nix.conf.extra
47 |           sudo mv nix.conf.extra /etc/nix
48 |       - name: Restart Nix daemon to load custom Nix configuration
49 |         if: runner.environment == 'github-hosted'
50 |         run: |
51 |           if [[ "$RUNNER_OS" == "macOS" ]]; then
52 |             sudo launchctl kickstart -k system/org.nixos.nix-daemon
53 |           else
54 |             sudo systemctl restart nix-daemon
55 |           fi
           # NOTE(review): this action receives the cache signing key and is
           # referenced by a major-version tag; pinning it to a full commit SHA
           # fixes the code that handles the secret. The workflow runs on every
           # push, so builds from any branch are presumably signed and uploaded
           # to the `enzime` cache - confirm that this is intended.
56 |       - uses: cachix/cachix-action@v16
57 |         with:
58 |           name: enzime
59 |           useDaemon: ${{ runner.environment == 'github-hosted' }}
60 |           signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
61 |           skipAddingSubstituter: true
           # matrix.output is expanded into the script text; its values come from
           # this workflow's own matrix list, not from event data.
62 |       - run: nix build --print-build-logs .#${{ matrix.output }}
63 |
--------------------------------------------------------------------------------
/modules/hoopsnake.nix:
--------------------------------------------------------------------------------
 1 | {
 2 |   nixosModule = { options, config, pkgs, lib, ... }: {
 3 |     imports = [{
 4 |       config = lib.optionalAttrs (options ?
clan) {
             # Generates a dedicated ed25519 host key for the initrd SSH server,
             # without a passphrase (-N ""). The public half is marked non-secret.
 5 |         clan.core.vars.generators.initrd-ssh = {
 6 |           files."id_ed25519".neededFor = "activation";
 7 |           files."id_ed25519.pub".secret = false;
 8 |           runtimeInputs = [ pkgs.coreutils pkgs.openssh ];
 9 |           script = ''
10 |             ssh-keygen -t ed25519 -N "" -C "" -f "$out/id_ed25519"
11 |           '';
12 |         };
13 |
             # Tailscale client id and secret are prompted for and persisted as
             # vars needed at activation time.
14 |         clan.core.vars.generators.hoopsnake = {
15 |           prompts.tailscale-client-id.persist = true;
16 |           files.tailscale-client-id.neededFor = "activation";
17 |
18 |           prompts.tailscale-client-secret.persist = true;
19 |           files.tailscale-client-secret.neededFor = "activation";
20 |         };
21 |       };
22 |     }];
23 |
24 |     boot.initrd.network.enable = true;
25 |     boot.initrd.systemd.extraBin.ping = lib.getExe' pkgs.iputils "ping";
26 |
27 |     # Run `ssh ${hostname}-unlock` then run `systemctl default`
28 |     boot.initrd.systemd.services.hoopsnake = {
29 |       unitConfig.DefaultDependencies = false;
30 |     };
31 |
32 |     boot.initrd.network.hoopsnake = {
33 |       enable = true;
           # NOTE(review): all three credentials are passed with
           # `encrypted = false` - presumably plain files rather than
           # systemd-creds-encrypted blobs; confirm against the hoopsnake module.
           # If the initrd sits on an unencrypted boot partition (not visible
           # here), the initrd host key and the Tailscale client secret are
           # readable by anyone with access to the disk. Keep the client scoped
           # to the initrd tag only and treat this host key as lower trust than
           # the machine's regular SSH host key.
34 |       systemd-credentials = {
35 |         privateHostKey.file =
36 |           config.clan.core.vars.generators.initrd-ssh.files.id_ed25519.path;
37 |         privateHostKey.encrypted = false;
38 |
39 |         clientId.file =
40 |           config.clan.core.vars.generators.hoopsnake.files.tailscale-client-id.path;
41 |         clientId.encrypted = false;
42 |         clientSecret.file =
43 |           config.clan.core.vars.generators.hoopsnake.files.tailscale-client-secret.path;
44 |         clientSecret.encrypted = false;
45 |       };
           # The unlock shell accepts exactly the keys authorized for root on the
           # booted system.
46 |       ssh = {
47 |         authorizedKeysFile = pkgs.writeText "authorized_keys"
48 |           (lib.concatStringsSep "\n"
49 |             config.users.users.root.openssh.authorizedKeys.keys);
50 |       };
           # The initrd node is named "<hostname>-unlock" and tagged `tag:initrd`;
           # presumably tailnet ACLs are meant to restrict that tag - verify.
51 |       tailscale = {
52 |         name = "${config.networking.hostName}-unlock";
53 |         tags = [ "tag:initrd" ];
54 |       };
55 |     };
56 |
57 |     virtualisation.allVmVariants = {
58 |       # initrd secrets not supported in VMs yet
59 |       boot.initrd.network.hoopsnake.enable =
60 |         assert !config.system.build ?
vmWithVars;
61 |         lib.mkForce false;
62 |
63 |       boot.initrd.kernelModules = [
64 |         # for debugging installation in vms
65 |         "virtio_pci"
66 |         "virtio_net"
67 |       ];
68 |     };
69 |   };
70 | }
71 |
--------------------------------------------------------------------------------
/modules/flake-parts/clan.nix:
--------------------------------------------------------------------------------
 1 | { self, inputs, ... }: {
 2 |   clan = {
 3 |     meta.name = "Enzime";
 4 |
 5 |     pkgsForSystem = system: inputs.nixpkgs.legacyPackages.${system};
 6 |
         # age plugin made available for clan secrets; going by its name it keeps
         # age identities in 1Password - verify.
 7 |     secrets.age.plugins = [ "age-plugin-1p" ];
 8 |
         # Every base NixOS and Darwin configuration becomes a clan machine that
         # reuses that configuration's modules and specialArgs.
 9 |     machines = builtins.mapAttrs (hostname: configuration: {
10 |       imports = configuration._module.args.modules;
11 |
12 |       config = { _module.args = configuration._module.specialArgs; };
13 |     }) (self.baseNixosConfigurations // self.baseDarwinConfigurations);
14 |
15 |     inventory.machines =
16 |       builtins.mapAttrs (hostname: _: { machineClass = "darwin"; })
17 |       self.baseDarwinConfigurations;
18 |
         # clan-core service instances, assigned to machines by tag.
19 |     inventory.instances = {
20 |       emergency-access = {
21 |         module = {
22 |           name = "emergency-access";
23 |           input = "clan-core";
24 |         };
25 |         roles.default.tags.nixos = { };
26 |       };
27 |
28 |       sshd = {
29 |         module = {
30 |           name = "sshd";
31 |           input = "clan-core";
32 |         };
33 |         roles.server.tags.all = { };
34 |         roles.client.tags.all = { };
35 |       };
36 |
           # `prompt = false` presumably makes the users module generate the
           # password instead of asking for one - verify in clan-core.
37 |       root-password = {
38 |         module = {
39 |           name = "users";
40 |           input = "clan-core";
41 |         };
42 |         roles.default.tags.nixos = { };
43 |         roles.default.settings.user = "root";
44 |         roles.default.settings.prompt = false;
45 |       };
46 |
47 |       primary-user-password = {
48 |         module = {
49 |           name = "users";
50 |           input = "clan-core";
51 |         };
52 |         roles.default.tags.nixos = { };
53 |         roles.default.settings.prompt = false;
54 |       };
55 |
56 |       wifi = {
57 |         module = {
58 |           name = "wifi";
59 |           input = "clan-core";
60 |         };
61 |         roles.default.settings.networks.home = { };
62 |         roles.default.settings.networks.hotspot = { };
63 |         roles.default.settings.networks.jaden = { };
64 |
roles.default.tags.wireless-personal = { };
65 |       };
66 |
           # Matrix Synapse instance on gaia under test.enzim.ee; the `admin` user
           # is created with the admin flag set.
67 |       test-synapse = {
68 |         module = {
69 |           name = "matrix-synapse";
70 |           input = "clan-core";
71 |         };
72 |         roles.default.machines.gaia.settings = {
73 |           acmeEmail = "letsencrypt@enzim.ee";
74 |           server_tld = "test.enzim.ee";
75 |           app_domain = "matrix.test.enzim.ee";
76 |           users.admin.admin = true;
77 |           users.enzime = { };
78 |         };
79 |       };
80 |     };
81 |
82 |     specialArgs = { inherit inputs; };
83 |   };
84 | }
85 |
--------------------------------------------------------------------------------
/overlays/vscode-extensions.nix:
--------------------------------------------------------------------------------
 1 | self: super:
 2 |
 3 | let
 4 |   inherit (super.lib)
 5 |     foldl getAttrFromPath getVersion hasAttrByPath recursiveUpdate splitString;
 6 |   inherit (super.vscode-utils) extensionsFromVscodeMarketplace;
 7 |
       # Builds a nested attrset from a list of path components: element `start`
       # of `path` becomes the key and the rest of the path is handled by
       # recursion, with `value` at the innermost level.
 8 |   attrsetFromPathValue = { path, value, start ? 0 }:
 9 |
10 |     if start == builtins.length path then
11 |       value
12 |     else {
13 |       ${builtins.elemAt path start} = attrsetFromPathValue {
14 |         inherit path value;
15 |         start = start + 1;
16 |       };
17 |     };
18 |
       # Same as above for a dotted string such as "publisher.name".
19 |   attrsetFromDottedPathValue = path: value:
20 |     attrsetFromPathValue {
21 |       path = splitString "." path;
22 |       inherit value;
23 |     };
24 |
       # Compares the versions of two derivations with builtins.compareVersions.
25 |   compareVersions = a: b:
26 |     builtins.compareVersions (getVersion a) (getVersion b);
27 |
28 |   ensureNotOutdatedExtension = ext:
29 |     let
30 |       path = splitString "."
ext.vscodeExtUniqueId;
31 |
32 |       alreadyInNixpkgs = hasAttrByPath path super.vscode-extensions;
         # Throws unless the locally pinned extension is strictly newer than the
         # Nixpkgs one: the test is `!= 1`, so an equal version also throws even
         # though the message says "older".
33 |     in if alreadyInNixpkgs
34 |     && compareVersions ext (getAttrFromPath path super.vscode-extensions)
35 |     != 1 then
36 |       throw
37 |       "vscode-extensions.${ext.vscodeExtUniqueId} is older than the version in Nixpkgs"
38 |     else
39 |       ext;
40 |
       # Places one extension at its dotted unique id after the version check.
41 |   extensionToAttrset = ext:
42 |     attrsetFromDottedPathValue ext.vscodeExtUniqueId
43 |     (ensureNotOutdatedExtension ext);
44 |
       # Merges a list of extensions into a single nested attrset.
45 |   extensionsAttrsetFromList = extensions:
46 |     foldl recursiveUpdate { } (map extensionToAttrset extensions);
47 |   fromMarketplaceRefs = mktplcRefs:
48 |     extensionsAttrsetFromList (extensionsFromVscodeMarketplace mktplcRefs);
49 | in {
50 |   vscode-extensions = recursiveUpdate (recursiveUpdate super.vscode-extensions {
         # Patches remote-ssh's extension.js so that its wget call also passes
         # --no-continue.
51 |     ms-vscode-remote.remote-ssh =
52 |       super.vscode-extensions.ms-vscode-remote.remote-ssh.overrideAttrs (old: {
53 |         postPatch = (old.postPatch or "") + ''
54 |           substituteInPlace "out/extension.js" \
55 |             --replace "wget --no-proxy" "wget --no-proxy --no-continue"
56 |         '';
57 |       });
         # Marketplace extension pinned by version and hash; the extra patch is
         # fetched from one specific commit URL and checked against its own hash.
58 |   }) (fromMarketplaceRefs [{
59 |     name = "jjk";
60 |     publisher = "jjk";
61 |     version = "0.8.1";
62 |     hash = "sha256-2JUn6wkWgZKZzhitQy6v9R/rCNLrt7DBtt59707hp6c=";
63 |     patches = [
64 |       (super.fetchpatch {
65 |         name = "syntax-highlight-git-diffs.patch";
66 |         url =
67 |           "https://github.com/Enzime/jjk/commit/ca36c755ef8c34163623dda6bab0b4f3528b2a36.patch";
68 |         hash = "sha256-VjOweKrGY3aLwFIFZNNZemzLpEov/omovLcN+WhYZD4=";
69 |       })
70 |     ];
71 |   }]);
72 | }
73 |
--------------------------------------------------------------------------------
/modules/personal.nix:
--------------------------------------------------------------------------------
 1 | {
 2 |   imports = [ "graphical" "i18n" "ios" "mullvad" "pim" ];
 3 |
 4 |   darwinModule = { pkgs, lib, ...
}: {
 5 |     environment.systemPackages =
 6 |       builtins.attrValues { inherit (pkgs) apparency; };
 7 |
         # launchd user agent that runs `mas install` for one App Store id at load.
 8 |     launchd.user.agents.install-flighty = {
 9 |       command = "${lib.getExe pkgs.mas} install 1358823008";
10 |       serviceConfig.RunAtLoad = true;
11 |     };
12 |   };
13 |
14 |   nixosModule = { config, host, lib, utils, ... }:
15 |     lib.mkIf (host != "phi") {
           # On every host except phi: automounts phi's whole root ("enzime@phi:/")
           # over sshfs. The client identity is this machine's ed25519 SSH host
           # key, and `allow_other` opens the mount to every local user, with
           # files presented as uid 1000 / gid 100.
           # NOTE(review): reusing the host key as a login credential means that
           # whoever obtains it can log in as enzime on phi. A dedicated key that
           # phi restricts to SFTP would narrow that, and dropping `allow_other`
           # would keep other local accounts out of the mount.
16 |       fileSystems."/mnt/phi" = {
17 |         device = "enzime@phi:/";
18 |         fsType = "fuse.sshfs";
19 |         noCheck = true;
20 |         options = [
21 |           "noauto"
22 |           "x-systemd.automount"
23 |           "_netdev"
24 |           "IdentityFile=${
25 |             (lib.findFirst (k: k.type == "ed25519") { }
26 |               config.services.openssh.hostKeys).path
27 |           }"
28 |           "allow_other"
29 |           "uid=1000"
30 |           "gid=100"
31 |           "ConnectTimeout=1"
32 |           "x-systemd.mount-timeout=10s"
33 |           "ServerAliveInterval=1"
34 |           "ServerAliveCountMax=5"
35 |         ];
36 |       };
37 |
           # Drop-in for the generated mount unit that sets StartLimitIntervalSec
           # to 0.
38 |       systemd.units."${utils.escapeSystemdPath "/mnt/phi"}.mount" = {
39 |         text = ''
40 |           [Unit]
41 |           StartLimitIntervalSec=0
42 |         '';
43 |         overrideStrategy = "asDropin";
44 |       };
45 |     };
46 |
47 |   homeModule = { config, pkgs, lib, ...
}:
48 |     let
49 |       inherit (pkgs.stdenv) hostPlatform;
50 |       inherit (lib) optionalAttrs;
51 |     in {
           # Base packages everywhere; joplin-desktop on x86_64 Linux and Darwin;
           # sequential on Darwin only.
52 |       home.packages = builtins.attrValues ({
53 |         inherit (pkgs) gh gramps nixpkgs-review;
54 |       } // optionalAttrs ((hostPlatform.isLinux && hostPlatform.isx86_64)
55 |         || hostPlatform.isDarwin) {
56 |           # not currently built for `aarch64-linux`
               # The assert fails evaluation once joplin-desktop becomes available
               # on aarch64-linux.
57 |           joplin-desktop =
58 |             assert (hostPlatform.isLinux && hostPlatform.isAarch64)
59 |               -> !pkgs.joplin-desktop.meta.available;
60 |             pkgs.joplin-desktop;
61 |         }
62 |         // optionalAttrs hostPlatform.isDarwin { inherit (pkgs) sequential; });
63 |
64 |       programs.firefox.profiles.personal.isDefault = true;
65 |
           # Darwin only: ~/Documents/iCloud is an out-of-store symlink into the
           # iCloud Drive Documents folder.
66 |       home.file."Documents/iCloud" = lib.mkIf hostPlatform.isDarwin {
67 |         source = config.lib.file.mkOutOfStoreSymlink
68 |           "${config.home.homeDirectory}/Library/Mobile Documents/com~apple~CloudDocs/Documents";
69 |       };
70 |
71 |       preservation.directories = [ ".config/joplin-desktop" ".gramps" ];
72 |     };
73 | }
74 |
--------------------------------------------------------------------------------
/modules/vncserver.nix:
--------------------------------------------------------------------------------
 1 | {
 2 |   imports = [ "greetd" "sway" ];
 3 |
       # Lingering is enabled for the user.
 4 |   nixosModule = { user, ... }: { users.users.${user}.linger = true; };
 5 |
 6 |   homeModule = { pkgs, lib, ...
}@args:
 7 |     let
           # Environment shared by the headless compositor and its VNC server.
 8 |       vncEnvironment = [
 9 |         "WLR_BACKENDS=headless"
10 |         "WLR_LIBINPUT_NO_DEVICES=1"
11 |         "WAYLAND_DISPLAY=wayland-1"
12 |       ];
13 |     in {
14 |       # Move regular wayvnc to another port
           # The headless instance defined further down in this module uses 5900.
15 |       xdg.configFile."wayvnc/config".text = ''
16 |         port=5901
17 |       '';
18 |
           # NOTE(review): swayidle is forced off, so idle actions configured
           # through it (for example a screen lock) do not run - confirm that the
           # session is meant to stay unlocked.
19 |       services.swayidle.enable = lib.mkForce false;
20 |
           # One-shot user unit: starts an interactive zsh and imports the PATH it
           # ends up with into the systemd user environment.
21 |       systemd.user.services.import-path = {
22 |         Unit = { Description = "Import PATH from zsh"; };
23 |         Service = {
24 |           Environment = [
25 |             # Necessary for running interactive Zsh (`zsh -i` which sources `~/.zshrc`) which
26 |             # is necessary for setting some components of the PATH
27 |             "PATH=/run/current-system/sw/bin"
28 |             # NixOS doesn't expose the PATH in the NixOS module system so we need to unset this
29 |             # environment variable to get NixOS to set the default PATH for us
30 |             "__NIXOS_SET_ENVIRONMENT_DONE="
31 |           ];
32 |           Type = "oneshot";
33 |           ExecStart = "${
34 |               lib.getExe pkgs.zsh
35 |             } -ic 'systemctl --user import-environment PATH'";
36 |           RemainAfterExit = true;
37 |         };
38 |       };
39 |
40 |       systemd.user.services.wayvnc-headless = lib.mkIf (args ?
osConfig) {
           # NOTE(review): the generated wayvnc config below sets only `address`
           # and `port`. It listens on 0.0.0.0:5900, i.e. every IPv4 interface,
           # and no authentication or TLS setting is present, so whoever can
           # reach the port gets the headless session unless a firewall rule
           # (not visible in this module) restricts it. Binding to a loopback or
           # VPN-only address, or setting `enable_auth=true` with credentials
           # and a key/certificate in the config, would close that.
41 |         Unit = {
42 |           Description = "VNC server for headless session";
43 |           Requires = [ "import-path.service" "sway-headless.service" ];
44 |           After = [ "import-path.service" "sway-headless.service" ];
45 |         };
46 |         Service = {
47 |           Type = "exec";
48 |           ExecStart = "${lib.getExe pkgs.wayvnc} --config=${
49 |               pkgs.writeTextFile {
50 |                 name = "wayvnc-headless.conf";
51 |                 text = ''
52 |                   address=0.0.0.0
53 |                   port=5900
54 |                 '';
55 |               }
56 |             }";
57 |           Environment = vncEnvironment;
58 |         };
59 |         Install = { WantedBy = [ "default.target" ]; };
60 |       };
61 |
           # Headless sway instance that the VNC server above attaches to; it is
           # started with the user's default.target.
62 |       systemd.user.services.sway-headless = {
63 |         Unit = {
64 |           Description = "Wayland compositor for headless session";
65 |           Requires = [ "import-path.service" ];
66 |           After = [ "import-path.service" ];
67 |         };
68 |         Service = {
69 |           Environment = vncEnvironment;
70 |           ExecStart = lib.getExe pkgs.sway;
71 |         };
72 |         Install = { WantedBy = [ "default.target" ]; };
73 |       };
74 |     };
75 | }
76 |
--------------------------------------------------------------------------------
/vars/shared/tailscale/auth-key/secret:
--------------------------------------------------------------------------------
1 | { 2 | "data": "ENC[AES256_GCM,data:dtuJn91S3VLG9/umlwbNsu5xU3Rm5SqQV+OC2lRx78WP5a/cQRECz97/Xho2fHNmzq6KZCE8/D6ruts2BXZy,iv:jGz+8BbAzttosotEX0Iay2iX/uoAAk1bD4IhbZzomGY=,tag:qFP3vUOh55STOZ1lUX6Gmg==,type:str]", 3 | "sops": { 4 | "age": [ 5 | { 6 | "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE", 7 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNzMllMdyAvWjBk\ncUhycU81M3VtWEJxZzV6NFVGMVVaQnFzelIrK3NQZUlSSjBtUld3CnpDUlVyZWxv\nQnhmTXptQ1dZSWZCMFFhcGdUdGdzNEpRaVh1NGozNnhDUU0KLS0tIHpmYlBUZVIw\ncTFDQVh3Y2pZN3FFUmpOWmtwQktJMmdscEVIUFk5V0FqWW8KSGEpKVRzO6oP2G8Y\nNxqn/uppMgp7wf7VGuibnzSIln7lwcPmdHifZgoQ8bVyWVzvVjNbZ/FzgShahWtV\nFBszCA==\n-----END AGE ENCRYPTED FILE-----\n" 8 | }, 9 | { 10 | "recipient":
"age1qrcxzpuhul3nauxpm2ufc522yjxa6p8nl22jv6rv7phntn5xh9eq3ca2pj", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RmVCTWFkYVBoN1ZOVm5C\nV0FZZDRNWmRxS1ZxNk9mdVk2bk0rR2s1N1RzClc3MGpZTTV4TDdLWkFPWEtaQmhr\nSGZ2aHNzb0lYUWQzUnlWV0lUQnJwRVkKLS0tIGFzd2tIUkdFWjlORnZJWk94dkJS\nS2J6dmo1RzVRUkcxSlA3UGxEK093UWsK7msx4ysMjqPE2n9Y02yq3DLFgKs0tjWN\nwHI5pUushq7XWKfyEq4ZGo2dfLgjetclB+oasK6y77Jy6zvuw5nJ8g==\n-----END AGE ENCRYPTED FILE-----\n" 12 | }, 13 | { 14 | "recipient": "age1ev47j0pj2zkfrhvqey6rhk23tv530w2cmrn9yuk5ss4e2g2kcpxq5p2wy8", 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxQWpYclF1TkNPbjhmNnhn\ndnd3QXJlMTVacTcxMnlrWHBsazBRR3BmNWtNCmtJbzZXakZLcEttMHZBdTVkTnFx\nVERsTTVYTms5ZnlnZi94dFpvRVhNa0UKLS0tIDVVaTFXaTZxRHkwZ29zSVRKR1JR\nbWhCS1VhUDBMaCtXYVFsaTI2RzhaYkEKfq1nUrgwUoGfuhNcm7pH8bXxPN2alg9p\n5PYMy4YsfCS/x9lF9TI00E5755RV2EsOOWVSfE7qpRZrrkO6QPyfBQ==\n-----END AGE ENCRYPTED FILE-----\n" 16 | }, 17 | { 18 | "recipient": "age15c9d8dfj6a4wfkz3au37wel6dxeuxf2fdrjjffyejet76vqd85xshwr5tw", 19 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeDdLYlk0MEd5TXVNZDNt\nUTQzREtqVlFoVFhIR0dhN3dtSTBDVk1ZYjFZCjhzdTVGMTNFaW81NGZzWHNNWnpz\ndEZjekVqZGFiUXpYWlVVM2FPMFEyQkEKLS0tIEhoeC9ZanY3dHo4WGgvNUdIQ0xV\nQ0c1cHIwSGphRUtCZEw1NmVGZnR6cGcKmn4y+F4/kQiAbtg1KUOlOXsxIFhp1MNG\neepiBVLyyNZz2iXFgzjeD5kCgVb/4Mp4mqKVMA0BwKz9/O1N9SDz7g==\n-----END AGE ENCRYPTED FILE-----\n" 20 | } 21 | ], 22 | "lastmodified": "2025-11-01T21:47:58Z", 23 | "mac": "ENC[AES256_GCM,data:IKf/EB0U1x/ScyrcysYdq/i9bc7dleqD5rGzSRV2CkOsgQsk/vfK1VGGFvLGkLaHWoPbZ/UqOrdeXo5dso7d4ZsBlNOUykDmLeL+xmY27FaYfS4C4kKAkBaS6JY7zKObUunu+VJVSdfATo6FsRZ8DlIylSzQjbip3IqVmg2P4Po=,iv:lb+EeYEbsdjjrpH72uhUjwAhwrGDozpTgfpQcABe7v0=,tag:JHQOQH2Pk/eLA/V0LOCodA==,type:str]", 24 | "unencrypted_suffix": "_unencrypted", 25 | "version": "3.10.2" 26 | } 27 | } 28 | 
--------------------------------------------------------------------------------
/modules/flake-parts/formatter.nix:
--------------------------------------------------------------------------------
 1 | {
 2 |   perSystem = { self', pkgs, lib, ... }: {
         # treefmt setup: deadnix, nixfmt-classic, statix and shellcheck, plus a
         # custom `nil` formatter entry that runs `nil diagnostics` on *.nix files.
 3 |     treefmt = {
 4 |       programs.deadnix.enable = true;
 5 |       programs.deadnix.no-lambda-arg = true;
 6 |
 7 |       programs.nixfmt-classic.enable = true;
 8 |       programs.statix.enable = true;
 9 |       programs.shellcheck.enable = true;
10 |
11 |       settings.formatter.nil = {
12 |         # https://github.com/cachix/git-hooks.nix/blob/fa466640195d38ec97cf0493d6d6882bc4d14969/modules/hooks.nix#L3242-L3261
             # NOTE(review): writeShellApplication enables errexit by default
             # (confirm for the nixpkgs revision in use). With errexit a failing
             # `nil diagnostics "$file"` ends the script on that line, so the
             # exit_code/errors bookkeeping never runs and the remaining files
             # are not checked. Capturing the status on the same line, e.g.
             # `exit_code=0; nil diagnostics "$file" || exit_code=$?`, keeps the
             # loop going.
13 |         command = lib.getExe (pkgs.writeShellApplication {
14 |           name = "nil";
15 |           runtimeInputs = [ pkgs.nil ];
16 |           text = ''
17 |             errors=false
18 |             echo "Checking: $*"
19 |             for file in "$@"; do
20 |               nil diagnostics "$file"
21 |               exit_code=$?
22 |
23 |               if [[ $exit_code -ne 0 ]]; then
24 |                 echo "\"$file\" failed with exit code: $exit_code"
25 |                 errors=true
26 |               fi
27 |             done
28 |             if [[ $errors == true ]]; then
29 |               exit 1
30 |             fi
31 |           '';
32 |         });
33 |         includes = [ "*.nix" ];
34 |       };
35 |     };
36 |
         # Wrapper that caches the flake's formatter under `.formatter/` in the
         # working tree, rebuilds it when the cached link is missing or older
         # than 7 days, and then exec's `.formatter/binary`. `git` is not listed
         # in runtimeInputs, so it is presumably taken from the caller's PATH.
         # NOTE(review): the exec'd path is a symlink inside the checkout. The
         # generated `.gitignore` keeps it out of commits, but anything able to
         # write to `.formatter/` locally chooses what runs on the next
         # invocation.
37 |     packages.cached-nix-fmt = pkgs.writeShellApplication {
38 |       name = "cached-nix-fmt";
39 |       runtimeInputs = builtins.attrValues {
40 |         inherit (pkgs) coreutils moreutils;
41 |         inherit (pkgs.nixVersions) latest;
42 |       };
43 |       text = ''
44 |         set -x
45 |
46 |         TOPLEVEL=$(git rev-parse --show-toplevel)
47 |         FORMATTER_DIR="$TOPLEVEL/.formatter"
48 |         FORMATTER_BINARY="$FORMATTER_DIR/binary"
49 |
50 |         if [[ !
-e "$FORMATTER_BINARY" || "$(stat -c %Y "$FORMATTER_BINARY")" -lt "$(date -d "7 days ago" +%s)" ]]; then 51 | rm -rf "$FORMATTER_DIR" 52 | mkdir -p "$FORMATTER_DIR" 53 | 54 | echo "/*" | sponge "$FORMATTER_DIR/.gitignore" 55 | 56 | if nix eval .#formatter."$(nix config show system)" > /dev/null; then 57 | FORMATTER=$(nix formatter build --out-link "$FORMATTER_DIR/store-path") 58 | else 59 | FORMATTER="${lib.getExe self'.packages.noop-treefmt}" 60 | fi 61 | 62 | ln -sf "$FORMATTER" "$FORMATTER_BINARY" 63 | fi 64 | exec "$FORMATTER_BINARY" "$@" 65 | ''; 66 | }; 67 | 68 | packages.noop-treefmt = pkgs.writeShellApplication { 69 | name = "noop-treefmt"; 70 | text = '' 71 | stdin=false 72 | 73 | for arg in "$@"; do 74 | if [[ "$arg" == "--stdin" ]]; then 75 | stdin=true 76 | fi 77 | done 78 | 79 | if [[ "$stdin" == "true" ]]; then 80 | exec cat 81 | fi 82 | ''; 83 | }; 84 | }; 85 | } 86 | -------------------------------------------------------------------------------- /modules/terranix/base.nix: -------------------------------------------------------------------------------- 1 | { config, self', inputs', lib, ... 
}: 2 | 3 | let clan = inputs'.clan-core.packages.clan-cli; 4 | in { 5 | terraform.backend.s3 = { 6 | endpoints.s3 = "https://s3.us-west-001.backblazeb2.com"; 7 | bucket = "enzime-dotfiles-tf-state"; 8 | key = "tofu.tfstate"; 9 | region = "us-west-001"; 10 | 11 | skip_credentials_validation = true; 12 | skip_region_validation = true; 13 | skip_metadata_api_check = true; 14 | skip_requesting_account_id = true; 15 | skip_s3_checksum = true; 16 | 17 | skip_bucket_root_access = true; 18 | skip_bucket_enforced_tls = true; 19 | skip_bucket_ssencryption = true; 20 | skip_bucket_public_access_blocking = true; 21 | }; 22 | 23 | terraform.encryption = { 24 | key_provider.external.passphrase = { 25 | command = [ (lib.getExe self'.packages.provide-tf-passphrase) ]; 26 | }; 27 | 28 | key_provider.pbkdf2.state_encryption_password = { 29 | chain = lib.tf.ref "key_provider.external.passphrase"; 30 | }; 31 | 32 | method.aes_gcm.encryption_method.keys = 33 | lib.tf.ref "key_provider.pbkdf2.state_encryption_password"; 34 | 35 | state.enforced = true; 36 | state.method = "method.aes_gcm.encryption_method"; 37 | 38 | plan.enforced = true; 39 | plan.method = "method.aes_gcm.encryption_method"; 40 | }; 41 | 42 | terraform.required_providers.local.source = "hashicorp/local"; 43 | terraform.required_providers.tailscale.source = "tailscale/tailscale"; 44 | terraform.required_providers.tls.source = "hashicorp/tls"; 45 | 46 | data.external.tailscale-api-key = { 47 | program = 48 | [ (lib.getExe self'.packages.get-clan-secret) "tailscale-api-key" ]; 49 | }; 50 | 51 | provider.tailscale.api_key = 52 | config.data.external.tailscale-api-key "result.secret"; 53 | 54 | resource.tailscale_tailnet_key.terraform = { 55 | description = "Terraform"; 56 | expiry = 7776000; # 90 days 57 | reusable = true; 58 | preauthorized = true; 59 | recreate_if_invalid = "always"; 60 | 61 | # We hardcode the machine as `sigma` as we don't have access to 62 | # `hostname` however any machine would work as this is 
shared 63 | # between all machines. 64 | provisioner.local-exec = { 65 | command = 66 | "echo '${config.resource.tailscale_tailnet_key.terraform "key"}' | ${ 67 | lib.getExe clan 68 | } vars set --debug sigma tailscale/auth-key"; 69 | }; 70 | }; 71 | 72 | resource.tls_private_key.ssh_deploy_key = { algorithm = "ED25519"; }; 73 | 74 | resource.local_sensitive_file.ssh_deploy_key = { 75 | filename = "${lib.tf.ref "path.module"}/.terraform-deploy-key"; 76 | file_permission = "600"; 77 | content = 78 | config.resource.tls_private_key.ssh_deploy_key "private_key_openssh"; 79 | }; 80 | } 81 | -------------------------------------------------------------------------------- /hosts/sigma/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | { options, config, pkgs, lib, ... }: 2 | 3 | { 4 | imports = [{ 5 | config = lib.optionalAttrs (options ? clan) { 6 | clan.core.vars.generators.luks = { 7 | files.password.neededFor = "partitioning"; 8 | runtimeInputs = [ pkgs.coreutils pkgs.xkcdpass ]; 9 | script = '' 10 | xkcdpass --numwords 6 --random-delimiters --valid-delimiters='1234567890!@#$%^&*()-_+=,.<>/?' 
--case random | tr -d "\n" > $out/password 11 | ''; 12 | }; 13 | }; 14 | }]; 15 | 16 | disko.devices = { 17 | disk.primary = { 18 | type = "disk"; 19 | device = "/dev/nvme0n1"; 20 | content = { 21 | type = "gpt"; 22 | 23 | partitions.esp = { 24 | size = "1G"; 25 | type = "EF00"; 26 | content = { 27 | type = "filesystem"; 28 | format = "vfat"; 29 | mountpoint = "/boot"; 30 | }; 31 | }; 32 | 33 | partitions.luks = { 34 | size = "100%"; 35 | content = { 36 | type = "luks"; 37 | name = "crypted"; 38 | passwordFile = 39 | config.clan.core.vars.generators.luks.files.password.path; 40 | content = { 41 | type = "zfs"; 42 | pool = "rpool"; 43 | }; 44 | }; 45 | }; 46 | }; 47 | }; 48 | 49 | zpool.rpool = { 50 | type = "zpool"; 51 | rootFsOptions = { 52 | canmount = "off"; 53 | mountpoint = "none"; 54 | 55 | compression = "zstd"; 56 | "com.sun:auto-snapshot" = "false"; 57 | relatime = "on"; 58 | }; 59 | 60 | datasets.root = { 61 | type = "zfs_fs"; 62 | mountpoint = "/"; 63 | 64 | postCreateHook = 65 | "zfs list -t snapshot -H -o name | grep -E '^rpool/root@blank$' || zfs snapshot rpool/root@blank"; 66 | }; 67 | 68 | datasets.nix = { 69 | type = "zfs_fs"; 70 | mountpoint = "/nix"; 71 | }; 72 | 73 | datasets.persist = { 74 | type = "zfs_fs"; 75 | mountpoint = "/persist"; 76 | }; 77 | 78 | datasets.logs = { 79 | type = "zfs_fs"; 80 | mountpoint = "/var/log"; 81 | 82 | options.acltype = "posixacl"; 83 | options.xattr = "sa"; 84 | }; 85 | }; 86 | }; 87 | 88 | fileSystems."/persist".neededForBoot = true; 89 | 90 | systemd.services.zfs-mount = { 91 | serviceConfig = { 92 | ExecStart = [ "${config.boot.zfs.package}/sbin/zfs mount -a -o remount" ]; 93 | }; 94 | }; 95 | 96 | virtualisation.vmVariantWithDisko = { 97 | disko.devices.disk.primary.content.partitions.luks.content.passwordFile = 98 | lib.mkForce (toString (pkgs.writeText "password" "apple")); 99 | }; 100 | } 101 | --------------------------------------------------------------------------------