diff --git a/hosts/gerg-desktop/secrets.yaml b/hosts/gerg-desktop/secrets.yaml
index 3d36b13..d5050cd 100644
--- a/hosts/gerg-desktop/secrets.yaml
+++ b/hosts/gerg-desktop/secrets.yaml
@@ -8,6 +8,8 @@ store_key: ENC[AES256_GCM,data:2XioKwoH0V5QuedXl4w2IFrT2qOQWF0kbchYTMhyL9BaUqYHh github_token: ENC[AES256_GCM,data:nIWnOvoO8jcoPvKIF4TDdMZxO5H+mAEjLOfQpPmIh0gUSHjadFCwdI0FpMN3D/+8zUXVuAWd2FfCdzKIxGApGqlXAn3aajkUeBK8rYF554COuxa4B43SjRlfvanCZyfsbxzFxoO1RDlzHUMUSzYgFE8wdvj804luIA==,iv:OcRPCZP3KIKv+OuS28jIEp5zQyFw/41gMMdPBVj5N9w=,tag:t+oJDxqwyFU92kDh0ot+6w==,type:str] gerg_ssl_key: ENC[AES256_GCM,data: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,iv:fq1npi+bC2O1OqsizTAgK6qRf8MG98ACyydnGGNptwQ=,tag:kBR6cPmS7uvWlRo1CLQG3Q==,type:str] gerg_ssl_cert: ENC[AES256_GCM,data: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,iv:VHH48PmpIsrWOtTqHmmT+q7CE+HmsEX9+DaXmGXreFE=,tag:s+zhy9blkNBUZDD8cJJnyg==,type:str] +nixfu_ssl_key: ENC[AES256_GCM,data:gwMbdsu2mlcZvCFrh6G/SQoIJLcUNyMkInw73+gUqR1EJH/kShqQGkQluE1lEoXobnh6wK5Rqz9yN4EJwWw/u4W6gYnXKOIHlb13faJHpRwTu1RPMmiJdJcCfjmW7sx+Yao1WjPq9h5Wr6CQjsACU4KPpIp0FWkVr5I6gGX91gkXyQgksGOKUcLQJYJDKLYbvTBnSA68Yoho4Tv5USG+GuxE1NQn3mc3cysA8V9sSZiR54cx2zK+u5l+MeC1Kcxh2KU9CER+B43jOonYxPj5EID0ZTv8aovkRcxkTTBzSdUvwCiUUx6IEectW0xtMeHxXrdDXwsxyuVCNPfmtgsqt5jIIJmEy985zLFjXNddG1CBgGTqxGamsMZ+McXCSb9ZD0wiMp9KVa6+ohLnc8PLIiN2qGFg1X2PNYzTTyesM6qja/9cV6A1raoQWhZOFfjEbsLmVtTI99QuBUtVJP6Q5lHeELIVm9ALc2W13P4/4waeCo2lQbI0hmU9FcL5hd3oiot0/DotnlqXhi6a9Qa2OSwBgpTHzZIihAPkMnxSskgymcK6CAX6es9m1v+526XG4gRAcSZ0nQWLRnF3++2g7jNCU/ivAdu1exzQRw6Y3UaluyaY46i67V53zVtddgsQlyRAxtCouJNFFCJp5KJ8+6J6ohF4wuN2L8ABR/DrrZ+piiAfgwnrOevGxRwKyKOzL+SjSLwM/ybxhgSDcM0LffMcs8FdUHgV7Qtr4lBvhluFGKza4N5ZYTe5bJLnm2poIKiXjsUPKSJmuipmYzPbRwOm8Y329J418MXNQNhDr8DV/BzOyzzWSWM//B2FMLTgJrn69VWrsdGGUKv/j5dwRRU1iYpO5Of83JiIJzHbWL35iQ0RsfC/O+oTrjYGNw3Bc3XyIogCW054u6kDjxBDTcG+26kSPujUz1D7DxJ4hZwMnr84/CkR5qmktgn1rpH4caz3bUjJjmrO4jeLYQP3eTEXnahTU2N81SjzCekvYsiIB/nq3oVtxnSFlEiAu5KiqswqBv0j8XOABbPu4elyUi09ekYz2ZQ2DtBLz+I5r6seDykIVL9zWmBEJHawGAC1yRAI4CWe28cCTOnpkt2keewBmZG1QwbINvEc21Q0NutGdZ3s27RHkGnsoda8tk5DipF8k5dyxmLy8jzFmHAwNB7m1UG5IYhFy95+C8ihfQF2tJfmO6VEDHuAviSdso/+wgYVsfp1MbtK9w
+ACQvEbO90yRDBQ9VBg326C87kk9pXLal7l94JkBMR7cbLTAKH60ApYpLPVIZDvaHV2jxSrXypK6hdyTjpVnpyyC3SQXo1bn/Ixtd/tfA2fP5/IPB7xdNYEYu7lJWa7sY91BjhnnxRPkfCINt491MIXGqTO6LpGc/hJBukQI7rTr+mxJK5ajkvBpgDg7O+5sS/kmCbcFSAFw/T85n+WDo6QMQbrZqgrqmT6PaRtCLVWAIVX5UBDNUvXf6gUX/8WnSdQZtOPfkTBu3JEyDCkF/ETI+OZDnXVnOXKmYT7SMVHbPWxsTtmBuH1FZYi1aw7wyj/M7IC3k1ytm2YfOtRgO+xUi402gWS09fdENVWQ4fyRkNmwFvi9lBBvi9W2gCFWe53X2GO4Z3MQnKAtVCi0Rv8Xwh+hu8MijMwrs3CSSDAX1C3MAYQ9enzSXPeMQuZ84MQi4P664saNBd3gPRHQT52yH3tobpIwIZ8xUnHJ/Q6Rw6HRMtAqE8XWIxBGf7b0qqYkfwquE1uwiCVuq/j/af6qX3aNro1GyRymcPJN0Ko9JNOSn39SQxCqKawPHaFv7HX3JjEI299KNMGlD7lu8RKorD/+gIoz/7BTe1kmoUZDVPrgzudRvFAOrOATCoV/+FC48OQYoa24CITQx5ymJ1zTLE9d4M8vwNiOCpcVPyjabn8kt8rJmajjSidPAY+OX6lHpNbjcORZmjExZNMO5qApIqdl4WW9/pVq/pZSUwM31WbM0/JpJdws1LX5Ao+G2m/CO2fJqQS53mXMHfF85UWkJ1BuO5Be4Z54AWDDp4ZJzNfnQS/Ee84peTEExJ9mFvWYSlPLtzFOeUvI22RAcUJpQ/2vo8pI8S8h3BYCfSRyRW7ISYBCcRCpw/AkLWkgvOvXDYNj8xvPAtzftiP1GkMwjJSpbX3QGOYgO31KTy8lh836ePrJWsZa1MPD9nxyhajxs4MwKm2384UMtqu53mTtx7s2MchhiqrJoRUJW0Brq/oZM/WhhKHSjWssYrwLx5bymhg//Oa9PBP30j,iv:BbD2i/35D8p0/eEQ6RuM5nsDnQV+x2nTLU890LSju38=,tag:to2mYPiNkdYBHsgG7NJDbQ==,type:str] +nixfu_ssl_cert: ENC[AES256_GCM,data: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,iv:lWS91xOUh6q3dqcKAhJLW1mvqZVZ0221IPezbpPBR6Y=,tag:kpJiMPC/XwStx+xHk2VDhQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -23,8 +25,8 @@ sops: dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-12T23:25:07Z" - mac: ENC[AES256_GCM,data:5qyOCYaKi42Yeqgoiu/csmWbDN4KlQHgtuz9GoW1UNoUNMPgBfIXSE5gtOjMT4j7qQ4JC7zIfIG8UZ7S/HgrnDemjlr5z5U2Ub+eVoV38Ve+i2V0O91RPQZ5lyRdCKTNSlLvob4W8uMJAtUeI3Zemv2DB/P7RMtMuz2kZmPwpD8=,iv:wZfTu3Ss7nb60fok5CbB99NXpcqPRSfAUhuliK5bTnY=,tag:pj3fYSSHFhdY9oXK4CUh0Q==,type:str] + lastmodified: "2024-12-12T02:54:09Z" + mac: ENC[AES256_GCM,data:35sEYE7m/B2M0hZIQuVLIBtYxMcCzwSqf+airqCevcOF1TR/2TaMIuBlFYYx/EhYF+St/iIrXezk/3N8L88Vhsxkz9KZzURFK+0WijAafa7gObWGrFbacQVaLQJpsYawvWsFIhK6BwLByGyzwn8VPZJvrI7Y3XwWCd/E9/sJ/WE=,iv:IaZZf/iGDK6YUTLq9Q3H8dEeQAsXTGPFxyEczOtyWgc=,tag:/T/Hikiiip3w+DVfdFPd9Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.2 diff --git a/hosts/gerg-desktop/services/ddns_script.sh b/hosts/gerg-desktop/services/ddns_script.sh index 21e291a..c8ba210 100755 --- a/hosts/gerg-desktop/services/ddns_script.sh +++ b/hosts/gerg-desktop/services/ddns_script.sh @@ -53,4 +53,6 @@ func () { func "*.gerg-l.com" "8f76f071c5edbc0f947a5c5f9c5df9f8" func "gerg-l.com" "8f76f071c5edbc0f947a5c5f9c5df9f8" "false" func "ipv6.gerg-l.com" "8f76f071c5edbc0f947a5c5f9c5df9f8" "false" +func "*.nix-fu.com" "cc2df9163c3730f58b866409ac5a108c" +func "nix-fu.com" "cc2df9163c3730f58b866409ac5a108c" diff --git a/hosts/gerg-desktop/services/forgejo.nix b/hosts/gerg-desktop/services/forgejo.nix index 5595c58..3c5fcff 100644 --- a/hosts/gerg-desktop/services/forgejo.nix +++ b/hosts/gerg-desktop/services/forgejo.nix @@ -34,7 +34,4 @@ createDatabase = true; }; }; - - local.nginx.proxyVhosts."git.gerg-l.com" = - "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}"; } diff --git a/hosts/gerg-desktop/services/immich.nix b/hosts/gerg-desktop/services/immich.nix index 6e5ce16..919e497 100644 --- a/hosts/gerg-desktop/services/immich.nix 
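Review bot: In ddns_script.sh the new `func "nix-fu.com" …` call leaves out the third argument, whereas the existing apex call `func "gerg-l.com" … "false"` sets it explicitly. The body of func starts outside this hunk, so what that argument controls and what it defaults to cannot be confirmed from here; if the default is not "false", the two apex records will be managed differently. Either pass the value explicitly, e.g. `func "nix-fu.com" "cc2df9163c3730f58b866409ac5a108c" "false"`, or add a comment such as `# nix-fu.com intentionally uses func's default third argument`.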
+++ b/hosts/gerg-desktop/services/immich.nix @@ -14,7 +14,4 @@ port = 2283; host = "0.0.0.0"; }; - - local.nginx.proxyVhosts."photos.gerg-l.com" = - "http://localhost:${toString config.services.immich.port}"; } diff --git a/hosts/gerg-desktop/services/miniflux.nix b/hosts/gerg-desktop/services/miniflux.nix index aaa50d9..b65b8fd 100644 --- a/hosts/gerg-desktop/services/miniflux.nix +++ b/hosts/gerg-desktop/services/miniflux.nix 
@@ -1,22 +1,88 @@ { config, lib, + pkgs, }: { sops.secrets.minifluxenv = { }; - services.miniflux = { - enable = true; - config = { - BASE_URL = "https://flux.gerg-l.com"; - LISTEN_ADDR = "/run/miniflux/miniflux.sock"; - }; - adminCredentialsFile = config.sops.secrets.minifluxenv.path; - createDatabaseLocally = true; - }; + systemd.services = { + miniflux = { + enable = true; + description = "Miniflux service"; + wantedBy = [ "multi-user.target" ]; + requires = [ "miniflux-dbsetup.service" ]; + after = [ + "network.target" + "postgresql.service" + "miniflux-dbsetup.service" + ]; + + serviceConfig = { + ExecStart = lib.getExe pkgs.miniflux; + User = "miniflux"; + RuntimeDirectory = "miniflux"; + RuntimeDirectoryMode = "0770"; + EnvironmentFile = config.sops.secrets.minifluxenv.path; + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + }; + + environment = { + BASE_URL = "https://flux.gerg-l.com"; + LISTEN_ADDR = "/run/miniflux/miniflux.sock"; + DATABASE_URL = "user=miniflux host=/run/postgresql dbname=miniflux"; + RUN_MIGRATIONS = "1"; + CREATE_ADMIN = "1"; + }; + }; + miniflux-dbsetup = { + description = "Miniflux database setup"; + requires = [ "postgresql.service" ]; + after = [ + "network.target" + "postgresql.service" + ]; + serviceConfig = { + ExecStart = "${lib.getExe' config.services.postgresql.package "psql"} 'miniflux' 
-c 'CREATE EXTENSION IF NOT EXISTS hstore'"; + Type = "oneshot"; + User = config.services.postgresql.superUser; + }; + }; + }; users = { - groups.miniflux.gid = 377; + groups.miniflux = { + gid = 377; + }; users = { miniflux = { group = "miniflux"; @@ -27,12 +93,4 @@ ${config.services.nginx.user}.extraGroups = [ "miniflux" ]; }; }; - - systemd.services.miniflux.serviceConfig = { - RuntimeDirectoryMode = lib.mkForce "0770"; - DynamicUser = lib.mkForce false; - }; - - local.nginx.proxyVhosts."flux.gerg-l.com" = - "http://unix:${config.services.miniflux.config.LISTEN_ADDR}"; } diff --git a/hosts/gerg-desktop/services/nginx.nix b/hosts/gerg-desktop/services/nginx.nix index f3257b4..8262374 100644 --- a/hosts/gerg-desktop/services/nginx.nix +++ b/hosts/gerg-desktop/services/nginx.nix 
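Review bot: In miniflux.nix the hand-written `serviceConfig` hardening list has no `ProtectSystem` or `PrivateTmp`, so nothing makes the rest of the filesystem read-only for the service and it shares the host's /tmp. The removed lines show `DynamicUser` was already forced off, and that is the option that would have implied both; with a static `User = "miniflux"` they have to be set explicitly. Adding `ProtectSystem = "strict";` and `PrivateTmp = true;` next to `ProtectHome = true;` should be compatible with this unit, because the listening socket lives under `RuntimeDirectory`, which stays writable. Running `systemd-analyze security miniflux.service` after the change would confirm the resulting exposure.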
@@ -1,64 +1,98 @@ { config, lib }: { - options.local.nginx = { - proxyVhosts = lib.mkOption { - type = lib.types.attrsOf lib.types.str; - }; - defaultVhosts = lib.mkOption { - type = lib.types.attrs; + sops.secrets = + lib.genAttrs + [ + "nixfu_ssl_cert" + "nixfu_ssl_key" + "gerg_ssl_key" + "gerg_ssl_cert" + ] + (_: { + owner = config.services.nginx.user; + inherit (config.services.nginx) group; + }); + + security.acme = { + acceptTerms = true; + certs."gerg-l.com" = { + email = "GregLeyda@proton.me"; + webroot = "/var/lib/acme/acme-challenge"; + extraDomainNames = [ + "search.gerg-l.com" + "git.gerg-l.com" + "flux.gerg-l.com" + "cache.gerg-l.com" + "photos.gerg-l.com" + ]; }; }; - config = { - local.nginx.defaultVhosts = - { - "_" = { - default = true; - locations."/".return = "404"; + systemd.tmpfiles.rules = [ "L+ /var/lib/acme - - - - /persist/services/acme" ]; + + users.users.${config.services.nginx.user}.extraGroups = [ "acme" ]; + + services.nginx = { + enable = true; + recommendedZstdSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts = { + "_" = { + default = true; + forceSSL = true; + useACMEHost = "gerg-l.com"; + + locations."/".return = "404"; + }; + "search.gerg-l.com" = { + forceSSL = true; + useACMEHost = "gerg-l.com"; + + locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};"; + extraConfig = "access_log off;"; + }; + "git.gerg-l.com" = { + forceSSL = true; + useACMEHost = "gerg-l.com"; + + locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}"; + }; + "flux.gerg-l.com" = { + forceSSL = true; + useACMEHost = "gerg-l.com"; + + locations."/".proxyPass = "http://unix:${config.systemd.services.miniflux.environment.LISTEN_ADDR}"; + }; + "cache.gerg-l.com" = { + forceSSL = true; + useACMEHost = "gerg-l.com"; + + locations."/" = { + proxyPass = 
"http://unix:/run/nix-serve/nix-serve.sock"; + extraConfig = '' + zstd on; + zstd_types "*"; + client_max_body_size 50000M; + ''; }; - } - // (builtins.mapAttrs (_: v: { - locations."/".proxyPass = v; - }) config.local.nginx.proxyVhosts); - - sops.secrets = { - gerg_ssl_key.owner = config.services.nginx.user; - gerg_ssl_cert.owner = config.services.nginx.user; - }; - - security.acme = { - acceptTerms = true; - certs."gerg-l.com" = { - email = "GregLeyda@proton.me"; - webroot = "/var/lib/acme/acme-challenge"; + }; + "photos.gerg-l.com" = { + forceSSL = true; + useACMEHost = "gerg-l.com"; + locations."/".proxyPass = "http://localhost:${toString config.services.immich.port}"; + extraConfig = '' + zstd on; + zstd_types "*"; + client_max_body_size 50000M; + ''; }; }; - - systemd.tmpfiles.rules = [ "L+ /var/lib/acme - - - - /persist/services/acme" ]; - - users.users.${config.services.nginx.user}.extraGroups = [ "acme" ]; - - services.nginx = { - enable = true; - recommendedZstdSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - # For immich - clientMaxBodySize = "50000M"; - virtualHosts = builtins.mapAttrs ( - _: v: - { - forceSSL = true; - useACMEHost = "gerg-l.com"; - } - // v - ) config.local.nginx.defaultVhosts; - }; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; }; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; } diff --git a/hosts/gerg-desktop/services/nix-serve.nix b/hosts/gerg-desktop/services/nix-serve.nix index 39a8ef4..d9b840e 100644 --- a/hosts/gerg-desktop/services/nix-serve.nix +++ b/hosts/gerg-desktop/services/nix-serve.nix @@ -72,6 +72,4 @@ }; }; systemd.tmpfiles.rules = [ "d /run/nix-serve - nix-serve nix-serve - -" ]; - - local.nginx.proxyVhosts."cache.gerg-l.com" = "http://unix:/run/nix-serve/nix-serve.sock"; } 
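Review bot: The `sops.secrets` list in nginx.nix adds `nixfu_ssl_cert` and `nixfu_ssl_key` next to the existing `gerg_ssl_*` entries and decrypts all four into files owned by the nginx user and group, but no virtual host in this hunk references any of them: every entry uses `useACMEHost = "gerg-l.com"`. Unless another module consumes those paths, this leaves TLS private keys readable by the web server account for no benefit, so trim the list to what is actually used, or wire the keys in with `sslCertificate`/`sslCertificateKey` on the vhost that needs them. Related: ddns_script.sh in the same commit publishes `nix-fu.com` and `*.nix-fu.com`, yet there is no vhost or ACME name for that domain here, so such requests would presumably fall to the `_` default server and be answered with the gerg-l.com certificate.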
diff --git a/hosts/gerg-desktop/services/postgresql.nix b/hosts/gerg-desktop/services/postgresql.nix index f8509dd..289fcb7 100644 --- a/hosts/gerg-desktop/services/postgresql.nix +++ b/hosts/gerg-desktop/services/postgresql.nix @@ -4,6 +4,15 @@ enable = true; package = pkgs.postgresql_16; dataDir = "/persist/services/postgresql"; + + ensureDatabases = [ "miniflux" ]; + ensureUsers = [ + { + name = "miniflux"; + ensureDBOwnership = true; + } + ]; + settings.unix_socket_permissions = "0770"; }; } diff --git a/hosts/gerg-desktop/services/searxng.nix b/hosts/gerg-desktop/services/searxng.nix index 4fcc4c2..f7c7a70 100644 --- a/hosts/gerg-desktop/services/searxng.nix +++ b/hosts/gerg-desktop/services/searxng.nix @@ -35,9 +35,4 @@ ui.theme_args.simple_style = "dark"; }; }; - - local.nginx.defaultVhosts."search.gerg-l.com" = { - locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};"; - extraConfig = "access_log off;"; - }; }