jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jawz:weekly-2026-02-02
Branches Tags
jawz:main jawz:keycloak
jawz:weekly-2026-02-06 jawz:weekly-2026-02-02 jawz:weekly-2026-01-30 jawz:weekly-2026-01-26 jawz:weekly-2026-01-24 jawz:weekly-2026-01-19 jawz:weekly-2026-01-16 jawz:weekly-2026-01-10 jawz:weekly-2026-01-05 jawz:weekly-2026-01-02 jawz:weekly-2025-12-29 jawz:weekly-2025-12-15 jawz:weekly-2025-12-08 jawz:weekly-2025-12-05 jawz:weekly-2025-12-01 jawz:weekly-2025-11-28
...
compare: jawz:ad9179fe520a8913f72ca54ac10b446342720d2e
Branches Tags
jawz:main jawz:keycloak
jawz:weekly-2026-02-06 jawz:weekly-2026-02-02 jawz:weekly-2026-01-30 jawz:weekly-2026-01-26 jawz:weekly-2026-01-24 jawz:weekly-2026-01-19 jawz:weekly-2026-01-16 jawz:weekly-2026-01-10 jawz:weekly-2026-01-05 jawz:weekly-2026-01-02 jawz:weekly-2025-12-29 jawz:weekly-2025-12-15 jawz:weekly-2025-12-08 jawz:weekly-2025-12-05 jawz:weekly-2025-12-01 jawz:weekly-2025-11-28

44 Commits
weekly-202 ... ad9179fe52

Author SHA1 Message Date
Danilo Reyes
ad9179fe52 testing on lebubu 2026-02-05 12:06:28 -06:00
Danilo Reyes
9e64325f5e nextcloud uses different proxy 2026-02-05 11:12:37 -06:00
Danilo Reyes
6603fac1c4 nextcloud nginx split 2026-02-05 10:58:35 -06:00
Danilo Reyes
cb1776d670 fixing 2026-02-05 10:41:29 -06:00
Danilo Reyes
3517e394c6 nextcloud proxy logic attempt 2026-02-05 06:54:14 -06:00
Danilo Reyes
81f9025dc9 documentation update 2026-02-05 06:36:09 -06:00
Danilo Reyes
2ef113bc0e synapse cert logic 2026-02-05 06:30:45 -06:00
Danilo Reyes
d14a7ba395 private certificate fix 2026-02-05 06:26:40 -06:00
Danilo Reyes
eddef549e7 hmmm 2026-02-05 06:18:42 -06:00
Danilo Reyes
4ba0fa0dd5 nextcloud nginx logic needs to exists in two place 2026-02-05 06:04:42 -06:00
Danilo Reyes
08cc3379ad use merge to segment the complex nginx proxy settings 2026-02-05 05:32:46 -06:00
Danilo Reyes
2a290f2fe2 it was the nginx module... 2026-02-05 05:16:43 -06:00
Danilo Reyes
0c7e745e55 plausible actually ran on server im dumb 2026-02-05 05:06:43 -06:00
Danilo Reyes
caf7fbc590 nginx ip fix attempt 2026-02-05 04:58:41 -06:00
Danilo Reyes
ee11d72de8 domain sandbox 2026-02-05 04:16:21 -06:00
Danilo Reyes
dce2142794 proper ip assignation for nginx 2026-02-05 03:39:27 -06:00
Danilo Reyes
237e120124 working 2026-02-04 19:16:04 -06:00
Danilo Reyes
afdb5bfd99 chichis 2026-02-04 15:03:46 -06:00
Danilo Reyes
d7f9ea971c vps keys fix 2026-02-04 12:39:33 -06:00
Danilo Reyes
f01817a15f iptables 2026-02-04 11:42:39 -06:00
Danilo Reyes
917e741b7f rg_filter 2026-02-04 11:21:35 -06:00
Danilo Reyes
0997fad0c6 plausible + other fixes 2026-02-04 11:16:45 -06:00
Danilo Reyes
ba4cf6c86b root logic 2026-02-04 06:34:40 -06:00
Danilo Reyes
3f13527e51 "fixes" 2026-02-04 06:31:41 -06:00
Danilo Reyes
efe5cb0f99 remediations 2 2026-02-03 20:44:09 -06:00
Danilo Reyes
86557548db remediations 2026-02-03 20:43:25 -06:00
Danilo Reyes
a74adc7f95 init 2026-02-03 20:35:44 -06:00
Danilo Reyes
b5e358ee22 Merge pull request '003-vps-image-migration' (#4) from 003-vps-image-migration into main
Some checks failed
MCP Tests / mcp-tests (push) Failing after 6s
Details 
Reviewed-on: #4
 2026-02-03 19:54:21 -06:00
Danilo Reyes
f845699845 meh
Some checks failed
MCP Tests / mcp-tests (pull_request) Failing after 8s
Details
2026-02-03 19:53:15 -06:00
Danilo Reyes
47910ab3a0 vps hardware 2026-02-03 17:53:00 -06:00
Danilo Reyes
26dcef64ca new sops 2026-02-03 17:43:14 -06:00
Danilo Reyes
d99da36f3e syncthing function parameters 2026-02-03 17:35:42 -06:00
Danilo Reyes
a90eb89af2 hmmm 2026-02-03 17:29:14 -06:00
Danilo Reyes
59c8234d3c fix? 2026-02-03 17:24:05 -06:00
Danilo Reyes
b07d867d78 linode-image imports 2026-02-03 17:21:29 -06:00
Danilo Reyes
2f535cc91a linode setup 2026-02-03 17:02:16 -06:00
Danilo Reyes
42b39513a1 finish linode image 2026-02-03 16:28:26 -06:00
Danilo Reyes
592eb04e66 vps ssh keys 2026-02-03 16:21:55 -06:00
Danilo Reyes
dbd3af3d0f new hosts vps 2026-02-03 15:31:47 -06:00
Danilo Reyes
f6b1a01438 removed nixos-generators 2026-02-03 15:17:18 -06:00
Danilo Reyes
979bb915a6 init 2026-02-03 15:13:56 -06:00
Danilo Reyes
da352265f6 whitelist syncthing 2026-02-03 15:09:04 -06:00
Danilo Reyes
d2f8e279d1 branch fixes
Some checks failed
MCP Tests / mcp-tests (push) Failing after 8s
Details
2026-02-03 13:41:25 -06:00
Danilo Reyes
6fcb1b50b4 yamtrack apis 2026-02-03 13:25:10 -06:00
80 changed files with 3508 additions and 715 deletions
Expand all files Collapse all files

16
.sops.yaml
View File

@@ -2,7 +2,7 @@ keys:
- &devkey age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
- &workstation age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
- &server age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
- &miniserver age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
- &vps age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
@@ -10,46 +10,46 @@ creation_rules:
- *devkey
- *workstation
- *server
- *miniserver
- *vps
- path_regex: secrets/keys.yaml$
key_groups:
- age:
- *devkey
- *workstation
- *server
- *miniserver
- *vps
- path_regex: secrets/env.yaml$
key_groups:
- age:
- *devkey
- *workstation
- *server
- *miniserver
- *vps
- path_regex: secrets/gallery.yaml$
key_groups:
- age:
- *devkey
- *workstation
- *server
- *miniserver
- *vps
- path_regex: secrets/wireguard.yaml$
key_groups:
- age:
- *devkey
- *workstation
- *server
- *miniserver
- *vps
- path_regex: secrets/homepage.yaml$
key_groups:
- age:
- *devkey
- *workstation
- *server
- *miniserver
- *vps
- path_regex: secrets/certs.yaml$
key_groups:
- age:
- *devkey
- *workstation
- *server
- *miniserver
- *vps

13
AGENTS.md
View File

@@ -3,8 +3,12 @@
Auto-generated from feature plans. Last updated: 2026-01-30
## Active Technologies
- Python 3.12 + MCP server library (Python, JSON-RPC/stdin transport), click for CLI entrypoint, pytest + coverage for tests, ruff/black for lint/format (001-mcp-server)
- None (in-memory tool definitions; filesystem access for repo interactions) (001-mcp-server)
- Python 3.12 + MCP server library (Python, JSON-RPC/stdin transport), click for CLI entrypoint, pytest + coverage for tests, ruff/black for lint/format (002-mcp-server)
- None (in-memory tool definitions; filesystem access for repo interactions) (002-mcp-server)
- Nix (flakes; nixpkgs 25.11) + nixpkgs, flake-parts, sops-nix (003-vps-image-migration)
- N/A (configuration repo) (003-vps-image-migration)
- Nix (flakes; nixpkgs 25.11) + NixOS modules, sops-nix, nginx, wireguard, openssh, iptables (004-vps-migration)
- Files (configuration and secrets) (004-vps-migration)
- Documentation set (AI-facing constitution and playbooks) in Markdown (001-ai-docs)
@@ -26,9 +30,10 @@ specs/001-ai-docs/ # Planning artifacts (plan, research, tasks, data model
- Keep language business-level and technology-agnostic in AI-facing docs.
## Recent Changes
- 001-mcp-server: Added Python 3.12 + MCP server library (Python, JSON-RPC/stdin transport), click for CLI entrypoint, pytest + coverage for tests, ruff/black for lint/format
- 004-vps-migration: Added Nix (flakes; nixpkgs 25.11) + NixOS modules, sops-nix, nginx, wireguard, openssh, iptables
- 003-vps-image-migration: Added Nix (flakes; nixpkgs 25.11) + nixpkgs, flake-parts, sops-nix
- 003-vps-image-migration: Added [if applicable, e.g., PostgreSQL, CoreData, files or N/A]
- 001-ai-docs: Documentation-focused stack; added docs/ for constitution/playbooks and specs/001-ai-docs/ for planning outputs.
<!-- MANUAL ADDITIONS START -->
<!-- MANUAL ADDITIONS END -->

36
caddy/Caddyfile Normal file
View File

@@ -0,0 +1,36 @@
# The Caddyfile is an easy way to configure your Caddy web server.
#
# https://caddyserver.com/docs/caddyfile
# The configuration below serves a welcome page over HTTP on port 80. To use
# your own domain name with automatic HTTPS, ensure your A/AAAA DNS record is
# pointing to this machine's public IP, then replace `http://` with your domain
# name. Refer to the documentation for full instructions on the address
# specification.
#
# https://caddyserver.com/docs/caddyfile/concepts#addresses
http:// {
# Set this path to your site's directory.
root * /usr/share/caddy
# Enable the static file server.
file_server
# Another common task is to set up a reverse proxy:
# reverse_proxy localhost:8080
# Or serve a PHP site through php-fpm:
# php_fastcgi localhost:9000
# Refer to the directive documentation for more options.
# https://caddyserver.com/docs/caddyfile/directives
}
# As an alternative to editing the above site block, you can add your own site
# block files in the Caddyfile.d directory, and they will be included as long
# as they use the .caddyfile extension.
import Caddyfile.d/*.caddyfile

20
caddy/Caddyfile.d/10-nextcloud.caddyfile Normal file
View File

@@ -0,0 +1,20 @@
cloud.lebubu.org cloud.rotehaare.art {
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
reverse_proxy 10.77.0.2:8081 {
header_up Host {upstream_hostport}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
header {
X-Frame-Options "SAMEORIGIN"
X-Content-Type-Options "nosniff"
X-Permitted-Cross-Domain-Policies "none"
X-XSS-Protection "1; mode=block"
Referrer-Policy "no-referrer-when-downgrade"
Strict-Transport-Security "max-age=15552000; includeSubDomains"
-Server
}
}

18
caddy/Caddyfile.d/15-private.caddyfile Normal file
View File

@@ -0,0 +1,18 @@
(secure_mtls) {
tls {
client_auth {
mode require_and_verify
trusted_ca_cert_file /etc/caddy/client_ca.pem
}
}
}
home.lebubu.org, indexer.lebubu.org, xxx.lebubu.org {
import secure_mtls
@home host home.lebubu.org
@indexer host indexer.lebubu.org
reverse_proxy @home 10.77.0.2:8082
reverse_proxy @indexer 10.77.0.2:9696
}

29
caddy/Caddyfile.d/15-private.caddyfile__ Normal file
View File

@@ -0,0 +1,29 @@
(oauth2_common) {
@oauth2path path /oauth2/*
handle @oauth2path {
reverse_proxy 10.77.0.2:4180
}
handle {
forward_auth 10.77.0.2:4180 {
uri /oauth2/auth
copy_headers X-Auth-Request-User X-Auth-Request-Email
}
}
}
auth-proxy.lebubu.org {
reverse_proxy 10.77.0.2:4180
}
home.lebubu.org, indexer.lebubu.org, xxx.lebubu.org {
import oauth2_common
@home host home.lebubu.org
@indexer host indexer.lebubu.org
@xxx host xxx.lebubu.org
handle {
reverse_proxy @home 10.77.0.2:8082
reverse_proxy @indexer 10.77.0.2:9696
reverse_proxy @xxx 10.77.0.2:9999
}
}

79
caddy/Caddyfile.d/20-servers.caddyfile Normal file
View File

@@ -0,0 +1,79 @@
analytics.lebubu.org {
reverse_proxy 10.77.0.2:8439
}
cache.lebubu.org {
reverse_proxy 10.77.0.2:2343
}
audiobooks.lebubu.org {
reverse_proxy 10.77.0.2:5687
}
mealie.lebubu.org {
reverse_proxy 10.77.0.2:9925
}
git.lebubu.org {
reverse_proxy 10.77.0.2:9083
}
subs.lebubu.org {
reverse_proxy 10.77.0.2:6767
}
collabora.lebubu.org {
reverse_proxy 10.77.0.2:9980
}
library.lebubu.org {
reverse_proxy 10.77.0.2:5000
}
music.lebubu.org {
reverse_proxy 10.77.0.2:8686
}
maloja.lebubu.org {
reverse_proxy 10.77.0.2:42010
}
copy.lebubu.org {
reverse_proxy 10.77.0.2:8086
}
scrobble.lebubu.org {
reverse_proxy 10.77.0.2:9078
}
plex.lebubu.org plex.rotehaare.art {
reverse_proxy 10.77.0.2:32400
}
movies.lebubu.org {
reverse_proxy 10.77.0.2:7878
}
laters.lebubu.org {
reverse_proxy 10.77.0.2:9546
}
links.lebubu.org {
reverse_proxy 10.77.0.2:3000
}
tracker.lebubu.org {
reverse_proxy 10.77.0.2:8765
}
series.lebubu.org {
reverse_proxy 10.77.0.2:8989
}
vault.lebubu.org {
reverse_proxy 10.77.0.2:8222
}
bajameesta.lebubu.org {
reverse_proxy 10.77.0.2:8881
}

98
caddy/Caddyfile.d/25-static.caddyfile Normal file
View File

@@ -0,0 +1,98 @@
(hugo_common) {
encode zstd gzip
header {
X-Frame-Options "SAMEORIGIN"
X-Content-Type-Options "nosniff"
X-XSS-Protection "1; mode=block"
Referrer-Policy "strict-origin-when-cross-origin"
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}
@static {
path *.jpg *.jpeg *.png *.gif *.ico *.css *.js *.svg *.woff *.woff2 *.ttf *.xml
}
handle @static {
file_server
header {
Cache-Control "public, max-age=31536000, immutable"
}
}
@html {
path *.html
}
handle @html {
file_server
try_files {path} {path}/ /index.html
}
handle {
file_server
try_files {path} {path}/ /index.html
}
@hidden {
path_regexp ^.*/\..*$
}
respond @hidden 404
handle /js/script.js {
rewrite * /js/script.file-downloads.hash.outbound-links.js
reverse_proxy https://analytics.lebubu.org {
header_up Host analytics.lebubu.org
}
}
handle /api/event {
reverse_proxy https://analytics.lebubu.org {
header_up Host analytics.lebubu.org
}
}
}
www.danilo-reyes.com {
redir https://danilo-reyes.com{uri}
}
www.blog.danilo-reyes.com {
redir https://blog.danilo-reyes.com{uri}
}
danilo-reyes.com {
root * /var/www/html/portfolio
import hugo_common
}
blog.danilo-reyes.com {
route {
handle_path /isso* {
reverse_proxy 10.77.0.2:8180
}
root * /var/www/html/blog
import hugo_common
}
}
mb-report.lebubu.org {
root * /var/www/html/lidarr-mb-gap
file_server
encode gzip zstd
try_files {path} /missing_albums.html
@html {
path *.html
}
header @html Content-Type "text/html; charset=utf-8"
@json {
path *.json
}
header @json Content-Type "application/json"
header {
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
}
}

13
caddy/Caddyfile.d/40-jellyfin.caddyfile Normal file
View File

@@ -0,0 +1,13 @@
flix.lebubu.org {
reverse_proxy 10.77.0.2:8096 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
header_up X-Forwarded-Host {host}
# WebSocket support (automatic in Caddy, but explicit is fine)
header_up Connection {>Connection}
header_up Upgrade {>Upgrade}
}
}

9
caddy/Caddyfile.d/5-keycloak.caddyfile Normal file
View File

@@ -0,0 +1,9 @@
auth.lebubu.org {
tls internal
reverse_proxy 10.77.0.2:8090 {
header_up X-Forwarded-Proto https
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Host {host}
header_up Host {host}
}
}

4
caddy/Caddyfile.d/75-qbittorrent.caddyfile Normal file
View File

@@ -0,0 +1,4 @@
torrent.lebubu.org {
reverse_proxy 127.0.0.1:9345
}

33
caddy/client_ca.pem Normal file
View File

@@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----
MIIFmzCCA4OgAwIBAgIUPBgrOAnSgT+y9+zaFaCuVkwi/M4wDQYJKoZIhvcNAQEL
BQAwXTELMAkGA1UEBhMCTVgxEjAQBgNVBAgMCVNvbWVTdGF0ZTERMA8GA1UEBwwI
U29tZUNpdHkxEDAOBgNVBAoMB0phd1pEZXYxFTATBgNVBAMMDEphd1ogUm9vdCBD
QTAeFw0yNTA3MTYxOTMxMTBaFw0zNTA3MTQxOTMxMTBaMF0xCzAJBgNVBAYTAk1Y
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRAwDgYDVQQK
DAdKYXdaRGV2MRUwEwYDVQQDDAxKYXdaIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQDwcWfnMDBzdukPZUa0pbY3tHG2ONEZMDUsxo5T5veq
KrMfsu7U9tE8AY+AVl0Qz9hpBHN+GmktXQlimPkm4tSVKJMjk0iWYgZn8tTMB+AL
i3gl/bt7qP+59U7gQbojkp6B0xCMCynPlsgcMiIcZWFmNVrG6ehh4B+wuG52gWVw
TrwhDjHhxsrc66DkgC/59Pm60JqHlBhuhv9HB/q9JM3HLQ63XUwhvTVJ29tSiJZl
WpKFr5s8nfE2FIXIHzi+o+Lo3n9wvdCzNfaRUStLWbROzF97jY4VIxIDk/loQH4T
6oXBGlRe8M+G1XL/waRDySxL26jRVG8bUEv4mh/Hd9Rs0JcUOl6lFiGndJMjMyom
ZgAlhi2Id2AzkT28utdYQqKUuaTy1SwLkrcOu9k2/dw7Uf7aK5WCraOth5ys+lw+
mzga4gNGc3Am9soFHjI56Qxvhf+Aa5tlASwpzrjsc7PJEZJXorE40uZsB/q1PafP
AIqVsSoT+Q6h6bld0EuQ5W4i1LTipZEPUaF673tGCXuI40AeTI44SFKcGm9XG1ic
I25OxuIKyl5sCANkryOHjNKY4SkzXKSpML3PYbfSKK7xDpeFofIYKnRfJm4qmBNd
lKT+ti4Hnvr8NZDRWyxC5SIDF1fdkslNu/HoAoL8JdXPYnitlTL7A5mF5PVPHom7
XwIDAQABo1MwUTAdBgNVHQ4EFgQUhquhsVpNS4shC+7DMxOK4/wYYEswHwYDVR0j
BBgwFoAUhquhsVpNS4shC+7DMxOK4/wYYEswDwYDVR0TAQH/BAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAgEAU8nSV6DqCZSDxWpa8JSBmZFnO2oZIRF9Nw/1QcpMOGUR
pnWyQ03QtEgXYMwvxN/FOcGvYwg0LyYy07rzlpe5n2wRBaTrPCZ928f5j0nhADjC
GYutxhbO4WYvBKUY88qYCrJRa1Aw1B/CsGCmH5f+aND6fyxZ6Lx9CQ8O43f+QCOE
ltkbHRvjxYyVpDkgccDwetMDURKKrzkibUskeCPt0TjZbLKUq/cDspdAjSJgIJrz
a50JbniKUG5Qcav3P2aA6NluOKFJfYh+146uafC6WofUtx2Vv5lViYMlIDnqN4L0
xUzN5hB1kwF+4v1PO9/olafKqmgZ8FD/ipMYq2aYX4u9RJHLD6hMPUJpgKPRhGfi
ul9rYv6rC+pQNIn4s287sAPru5IgIzPBBCbqXSkoue7V/mpqRuZZRX84V6CzlYDc
0knoG2TL6aEWO+vj1mROgOuagyqyb3NZvgySE7GieW4tdvZhdYJJxdXh/tBQCg9E
iVcQH0rNJ+0jsybFWPqdOIZ6sH78SvY+J4KhqZ3Il/WCxCTs/Ccb/RMkhRm+bfSX
1FxoKF20b3RJ6g9N1oOj+12oK8jwMpUbaG/oAZh0TgZf1FUKic2f6jhMZLus8fGe
nyHza9mHbN1M8d9hX7U3gkepY8RVhSNL5erNp1zsBtZ4UNmouGm53wgjYZPYkrc=
-----END CERTIFICATE-----

7
docs/constitution.md
View File

@@ -9,8 +9,8 @@
- Architecture: Flake-based repo using `flake-parts` with inputs for pkgs (stable/unstable), stylix, home-manager, sops-nix, and service overlays. Common modules are composed through `parts/core.nix` and `parts/hosts.nix`.
- Module auto-import: `modules/modules.nix` auto-imports `.nix` files under `modules/apps`, `modules/dev`, `modules/scripts`, `modules/servers`, `modules/services`, `modules/shell`, and `modules/network`, excluding `librewolf.nix`. Factories live in `modules/factories/` (`mkserver`, `mkscript`), and shared options are in `modules/nix` and `modules/users`.
- Hosts and toggles: Host definitions live in `hosts/<name>/configuration.nix` with host-specific toggles in `hosts/<name>/toggles.nix`. The `my` namespace carries toggles for apps/dev/scripts/services/shell, feature flags like `enableProxy` and `enableContainers`, and per-host `interfaces` and `ips` maps.
- Main server and proxies: `my.mainServer` selects the host that should serve traffic by default (default `miniserver`; overridden to `server` in `hosts/server/toggles.nix`). Reverse proxies use helpers in `parts/core.nix` (`proxy`, `proxyReverse`, `proxyReverseFix`, `proxyReversePrivate`) and pick IPs from `my.ips` plus the hostName/ip set by `mkserver` options.
- Secure hosts and secrets: `my.secureHost` gates SOPS secrets. Secure hosts load secrets from `secrets/*.yaml` and wireguard definitions; non-secure hosts (e.g., `hosts/emacs`) skip secret-dependent services. Default SOPS file is `secrets/secrets.yaml` via `config/base.nix`.
- Main server and proxies: `my.mainServer` selects the host that should serve traffic by default (default `vps`). Reverse proxies use helpers in `parts/core.nix` (`proxy`, `proxyReverse`, `proxyReverseFix`, `proxyReversePrivate`) and pick IPs from `my.ips` plus the hostName/ip set by `mkserver` options. Nginx defaults to `proxyReverse` for any server with `enableProxy = true` unless `useDefaultProxy = false` or the server is listed in the Fix/Private proxy lists.
- Secure hosts and secrets: `my.secureHost` gates SOPS secrets. Secure hosts load secrets from `secrets/*.yaml` and wireguard definitions; non-secure hosts (e.g., `hosts/emacs`) skip secret-dependent services. Default SOPS file is `secrets/secrets.yaml` via `config/base.nix`. Proxy-only services that need private certificates must still define their cert secrets when `enableProxy = true`.
## Coding Conventions
- No blank lines between code blocks; keep markdown examples tight.
@@ -33,7 +33,7 @@ config.services = {
- Factory: Shared option constructors in `modules/factories/` (use `mkserver` for server modules, `mkscript` for script units).
- Options: Settings under the `my` namespace (e.g., `my.services.<service>`, `my.scripts.<script>`).
- Toggles: Enablement maps in `hosts/<name>/toggles.nix` controlling categories (apps/dev/shell/scripts/services/servers/units) and features (`enableProxy`, `enableContainers`).
- Servers: Reverse-proxied services under `modules/servers/`, normally created with `mkserver` options.
- Servers: Reverse-proxied services under `modules/servers/`, normally created with `mkserver` options (including `useDefaultProxy` to opt out of default proxyReverse).
- Scripts: Units defined via `mkscript` with `enable`, `install`, `service`, `users`, `timer`, and `package` fields.
- Playbooks: Workflow guides under `docs/playbooks/` for repeatable tasks.
- Reference map: Navigation index under `docs/reference/index.md` for paths and responsibilities.
@@ -42,6 +42,7 @@ config.services = {
- Secrets files: `secrets/certs.yaml`, `secrets/env.yaml`, `secrets/gallery.yaml`, `secrets/homepage.yaml`, `secrets/keys.yaml`, `secrets/wireguard.yaml`, `secrets/secrets.yaml`, plus `secrets/ssh/` for host keys.
- Placement rules: Keep secrets aligned to their file purpose (certificates → `certs.yaml`; environment/service env vars → `env.yaml`; media/gallery creds → `gallery.yaml`; homepage widgets → `homepage.yaml`; SSH/private keys → `keys.yaml`; WireGuard peers → `wireguard.yaml`; misc defaults → `secrets.yaml`).
- secureHost gating: Only hosts with `my.secureHost = true` load SOPS secrets and WireGuard interfaces. Hosts with `secureHost = false` must avoid secret-dependent services and skip SOPS entries.
- VPS enrollment flow: The vps host generates its own key on first boot, then operators enroll the public key, re-encrypt secrets, and redeploy. Follow `docs/playbooks/enroll-vps.md`.
## Module Categories and Active Hosts
- Module categories: apps, dev, scripts, servers, services, shell, network, users, nix, patches. Factories sit in `modules/factories/` and are imported explicitly.

16
docs/playbooks/enroll-vps.md Normal file
View File

@@ -0,0 +1,16 @@
# Playbook: Enroll VPS Secrets
- Name: Enroll VPS secrets after first boot
- Purpose: Enroll the vps host key and re-encrypt secrets so services can start.
- Prerequisites: vps host booted and reachable; secure host; SOPS access on operator machine.
- Inputs: vps host public key; secrets files under `secrets/`; repo checkout.
- Steps:
1. Retrieve the vps host public key from the running instance.
2. Add the vps public key to SOPS recipients for the relevant secrets files.
3. Re-encrypt secrets and commit updates as needed.
4. Rebuild the vps host from an explicitly authorized operator machine.
- Validation:
- Services that require secrets start successfully after the rebuild.
- SOPS decrypt succeeds on the vps host without manual intervention.
- Outputs: Updated secrets files with the vps recipient; vps host with secrets available.
- References: `docs/constitution.md` (Secrets Map and secureHost), `docs/reference/index.md` (Hosts and Roles)

15
docs/playbooks/vps-rebuild.md Normal file
View File

@@ -0,0 +1,15 @@
# Playbook: Rebuild VPS
- Name: Remote rebuild of vps
- Purpose: Apply configuration changes to the vps host from an explicitly authorized operator machine.
- Prerequisites: Operator machine authorized; vps reachable via SSH; repo checkout.
- Inputs: vps hostname or IP; flake path; target profile `vps`.
- Steps:
1. Ensure the operator machine is in the authorized key list for `nixremote`.
2. Run the rebuild helper script with the target host details.
3. Monitor the rebuild for completion and errors.
- Validation:
- vps reports the new configuration after rebuild.
- Remote access remains available after the update.
- Outputs: Updated vps host configuration.
- References: `docs/constitution.md` (Hosts and Roles, secureHost), `docs/reference/index.md` (Hosts and Roles)

14
docs/reference/index.md
View File

@@ -20,19 +20,21 @@
## Hosts and Roles
- Configs: `hosts/<name>/configuration.nix` with toggles in `hosts/<name>/toggles.nix`.
- Active hosts: `workstation`, `server`, `miniserver`, `galaxy`, `emacs`.
- Active hosts: `workstation`, `server`, `miniserver`, `galaxy`, `emacs`, `vps`.
- Roles:
- workstation: developer desktop; provides build power for distributed builds.
- server: primary services host (overrides `my.mainServer = "server"` and enables proxies/containers).
- miniserver: small-footprint server; default `mainServer` in shared options.
- server: primary services host; runs most services and WireGuard targets.
- miniserver: small-footprint server.
- galaxy: small server variant using nixpkgs-small.
- emacs: VM profile, `my.secureHost = false` for secret-free usage.
- vps: Linode VPS image target, secure host with enrollment-based secrets.
- Network maps: `my.ips` and `my.interfaces` declared in `modules/modules.nix`; host toggles may override.
## Proxy, Firewall, and Networking
- Proxy enablement: `my.enableProxy` toggles Nginx reverse proxy; assertions require at least one `my.servers.*.enableProxy` when enabled.
- Proxy helpers: use `parts/core.nix` helpers (`proxy`, `proxyReverse`, `proxyReverseFix` for header preservation, `proxyReversePrivate` for mutual TLS). `mkserver` supplies `host`, `ip`, `url`, and `enableProxy` defaults per service.
- Main server selection: `my.mainServer` chooses where services live by default; `mkserver` sets `isLocal` based on this and picks IPs from `my.ips`.
- Proxy helpers: use `parts/core.nix` helpers (`proxy`, `proxyReverse`, `proxyReverseFix` for header preservation, `proxyReversePrivate` for mutual TLS). `mkserver` supplies `host`, `ip`, `url`, `enableProxy`, and `useDefaultProxy`.
- Default proxying: any server with `enableProxy = true` gets a `proxyReverse` vhost unless `useDefaultProxy = false` or it is listed in `proxyReverseFix` / `proxyReversePrivate`.
- Main server selection: `my.mainServer` chooses where services live by default (default `vps`); `mkserver` sets `isLocal` based on this and picks IPs from `my.ips`.
- Firewall generation: `inputs.self.lib.generateFirewallPorts` combines static ports, additional ports, and service ports from `my.servers` (excluding native firewall services). Use `my.network.firewall` settings and `getServicesWithNativeFirewall` to derive open ports.
## Secrets Map
@@ -45,7 +47,7 @@
- `secrets/wireguard.yaml` → WireGuard peers and private keys.
- `secrets/secrets.yaml` → default SOPS file (general secrets, fallback when unspecified).
- `secrets/ssh/` → host SSH keys and related artifacts.
- secureHost: Only hosts with `my.secureHost = true` consume SOPS entries and WireGuard interfaces. Keep secret references behind `lib.mkIf config.my.secureHost`.
- secureHost: Only hosts with `my.secureHost = true` consume SOPS entries and WireGuard interfaces. Keep secret references behind `lib.mkIf config.my.secureHost`; proxy-only services that use private certs must still declare their cert secrets when `enableProxy = true`.
## Stylix and Theming
- Stylix module: `config/stylix.nix` and stylix inputs in `flake.nix` apply theming. Host toggle `my.stylix.enable` controls activation (see host toggles).

4
docs/reference/mcp-server.md
View File

@@ -27,8 +27,8 @@
- Inputs: `query` (string).
- Docs anchor: `docs/reference/mcp-server.md``#search-docs`.
### list-mcp-tasks
- Purpose: Show MCP feature task list from `specs/001-mcp-server/tasks.md`.
- Docs anchor: `specs/001-mcp-server/tasks.md``#tasks-mcp-server-for-repo-maintenance`.
- Purpose: Show MCP feature task list from `specs/002-mcp-server/tasks.md`.
- Docs anchor: `specs/002-mcp-server/tasks.md``#tasks-mcp-server-for-repo-maintenance`.
### sync-docs
- Purpose: Compare tool catalog against documented anchors for drift reporting.
- Docs anchor: `docs/reference/mcp-server.md``#sync-docs`.

37
flake.lock generated
View File

@@ -819,42 +819,6 @@
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1736643958,
"narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1769813415,
"narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "8946737ff703382fda7623b9fab071d037e897d5",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1743576891,
@@ -1104,7 +1068,6 @@
"jawz-scripts": "jawz-scripts",
"lidarr-mb-gap": "lidarr-mb-gap",
"nix-gaming": "nix-gaming",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_2",
"nixpkgs-small": "nixpkgs-small",
"nixpkgs-unstable": "nixpkgs-unstable",

4
flake.nix
View File

@@ -50,10 +50,6 @@
url = "github:nyawox/nixtendo-switch";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
wallpapers = {
url = "git+https://git.lebubu.org/jawz/wallpapers.git";
flake = false;

5
hosts/server/toggles.nix
View File

@@ -4,7 +4,6 @@ let
mkEnabledIp = inputs.self.lib.mkEnabledIp config.my.ips.wg-server;
in
{
mainServer = "server";
emacs = {
enable = true;
users = "jawz";
@@ -71,6 +70,7 @@ in
"microbin"
"multi-scrobbler"
"paperless"
"plausible"
"plex"
"postgres"
"prowlarr"
@@ -78,11 +78,11 @@ in
"radarr"
"sabnzbd"
"sonarr"
"yamtrack"
"stash"
"synapse"
"syncplay"
"unpackerr"
"yamtrack"
]
// enableList mkEnabledIp [
"audiobookshelf"
@@ -90,7 +90,6 @@ in
"keycloak"
"linkwarden"
"oauth2-proxy"
"plausible"
"vaultwarden"
];
}

75
hosts/vps/configuration.nix Normal file
View File

@@ -0,0 +1,75 @@
{
config,
lib,
inputs,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
../../config/base.nix
];
my = import ./toggles.nix { inherit config inputs; } // {
secureHost = true;
users.nixremote = {
enable = true;
authorizedKeys = inputs.self.lib.getSshKeys [
"nixworkstation"
"nixserver"
"nixminiserver"
];
};
};
environment.etc."iptables.rules".source = ../../iptables;
networking.firewall.enable = lib.mkForce false;
networking.nftables.enable = false;
systemd.services.iptables-restore = {
description = "Apply iptables ruleset";
wantedBy = [ "multi-user.target" ];
after = [ "network-pre.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iptables}/bin/iptables-restore --wait /etc/iptables.rules";
};
};
image.modules.linode = { };
networking.hostName = "vps";
security.sudo-rs.extraRules = [
{
users = [ "nixremote" ];
commands = [
{
command = "/run/current-system/sw/bin/nixos-rebuild";
options = [ "NOPASSWD" ];
}
];
}
];
services.openssh.ports = [ 3456 ];
sops.age = {
generateKey = true;
keyFile = "/var/lib/sops-nix/key.txt";
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
users = {
groups = {
deploy = { };
lidarr-reports = { };
};
users = {
deploy = {
isSystemUser = true;
group = "deploy";
openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_deploy.pub ];
};
lidarr-reports = {
isSystemUser = true;
group = "lidarr-reports";
openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_lidarr-reports.pub ];
};
};
};
environment.systemPackages = [ ];
}

42
hosts/vps/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,42 @@
{
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
kernelModules = [ ];
extraModulePackages = [ ];
kernelParams = [ "console=ttyS0,19200n8" ];
kernel.sysctl."net.ipv4.conf.wg0.rp_filter" = 0;
initrd.availableKernelModules = [
"virtio_pci"
"virtio_scsi"
"ahci"
"sd_mod"
];
loader = {
timeout = 10;
grub = {
device = "nodev";
forceInstall = true;
extraConfig = ''
serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
terminal_input serial;
terminal_output serial
'';
};
};
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/f222513b-ded1-49fa-b591-20ce86a2fe7f";
fsType = "ext4";
};
swapDevices = [
{
device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001";
}
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

61
hosts/vps/toggles.nix Normal file
View File

@@ -0,0 +1,61 @@
{ config, inputs }:
let
inherit (inputs.self.lib)
enableList
mkEnabled
mkEnabledWithUsers
;
wgServerIp = config.my.ips.wg-server;
mkEnabledProxyIp = inputs.self.lib.mkEnabledProxyIp wgServerIp;
in
{
enableProxy = true;
enableContainers = true;
apps.dictionaries.enable = true;
apps.dictionaries.users = "jawz";
services = enableList mkEnabled [
"network"
"wireguard"
];
shell = enableList mkEnabledWithUsers [
"multimedia"
"tools"
];
dev = enableList mkEnabledWithUsers [
"nix"
"sh"
];
servers = {
nextcloud = {
enableProxy = true;
ip = wgServerIp;
port = 8081;
};
}
// enableList mkEnabledProxyIp [
"audiobookshelf"
"bazarr"
"collabora"
"gitea"
"homepage"
"isso"
"jellyfin"
"kavita"
"keycloak"
"lidarr"
"linkwarden"
"maloja"
"mealie"
"metube"
"microbin"
"multi-scrobbler"
"oauth2-proxy"
"plausible"
"plex"
"prowlarr"
"radarr"
"sonarr"
"vaultwarden"
"yamtrack"
];
}

126
iptables Normal file
View File

@@ -0,0 +1,126 @@
# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
*mangle
:PREROUTING ACCEPT [95853893:179831236298]
:INPUT ACCEPT [94316554:179510512585]
:FORWARD ACCEPT [1536524:320567864]
:OUTPUT ACCEPT [49857522:93072472240]
:POSTROUTING ACCEPT [51393797:93393029789]
COMMIT
# Completed on Fri Jan 2 03:44:23 2026
# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
*raw
:PREROUTING ACCEPT [95853893:179831236298]
:OUTPUT ACCEPT [49857522:93072472240]
COMMIT
# Completed on Fri Jan 2 03:44:23 2026
# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
*filter
:INPUT ACCEPT [94315678:179510353216]
:FORWARD ACCEPT [46534:2774394]
:OUTPUT ACCEPT [49857520:93072471971]
# --- Incoming (INPUT) rules for VPS itself ---
# Accept SSH on port 3456 (new SSH port)
# allow SSH to VPS
-A INPUT -p tcp --dport 3456 -m conntrack --ctstate NEW -j ACCEPT
# allow established connections (responses)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# (Optionally, add other INPUT rules for any services the VPS itself runs, if any, like HTTP/HTTPS if needed)
# If a default DROP policy is desired on INPUT, or an explicit drop rule:
# -A INPUT -j DROP # (optional: lock down any other input)
# --- Forwarding (FORWARD) rules for VPN traffic ---
# allow return traffic for established sessions
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Syncthing between 10.8.0.2 and home server
# 10.8.0.2 -> 10.77.0.0 Syncthing
-A FORWARD -s 10.8.0.2/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
-A FORWARD -s 10.8.0.3/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
-A FORWARD -s 10.8.0.4/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
-A FORWARD -s 10.8.0.5/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
# home -> 10.8.0.0 Syncthing
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.2/32 -p tcp --dport 22000 -j ACCEPT
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.3/32 -p tcp --dport 22000 -j ACCEPT
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.4/32 -p tcp --dport 22000 -j ACCEPT
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.5/32 -p tcp --dport 22000 -j ACCEPT
# Matrix/Synapse access from 10.8 subnet to home server
# allow Matrix client port
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8008 -j ACCEPT
# allow Matrix federation port
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8448 -j ACCEPT
# allow TURN/other (if used)
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8999 -j ACCEPT
# ICMP between 10.8 subnet and home
# ping home from 10.8 clients
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
# ping 10.8 clients from home
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.0/24 -p icmp -j ACCEPT
# New Friend's subnet (10.9) access rule
# allow new subnet to access port 9999 on home
-A FORWARD -s 10.9.0.2/24 -d 10.77.0.2/32 -p tcp --dport 9999 -j ACCEPT
# allow ping to home
-A FORWARD -s 10.9.0.2/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
# allow ping reply from home
-A FORWARD -s 10.77.0.2/32 -d 10.9.0.2/24 -p icmp -j ACCEPT
# Allow VPN subnets to reach Internet (MASQUERADE will SNAT them)
# 10.8 clients to internet
-A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
# 10.9 clients to internet
-A FORWARD -s 10.9.0.2/24 -o eth0 -j ACCEPT
# Drop all other traffic between these subnets and home or between subnets (isolation)
# drop any 10.8 -> home not allowed
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.0/24 -j DROP
# drop any home -> 10.8 not allowed
-A FORWARD -s 10.77.0.0/24 -d 10.8.0.0/24 -j DROP
# drop any 10.9 -> home not allowed (except 9999/ping above)
-A FORWARD -s 10.9.0.0/24 -d 10.77.0.0/24 -j DROP
# drop any home -> 10.9 not allowed
-A FORWARD -s 10.77.0.0/24 -d 10.9.0.0/24 -j DROP
# drop 10.9 -> 10.8 (no client-to-client)
-A FORWARD -s 10.9.0.0/24 -d 10.8.0.0/24 -j DROP
# drop 10.8 -> 10.9
-A FORWARD -s 10.8.0.0/24 -d 10.9.0.0/24 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [3368888:178175988]
:INPUT ACCEPT [3348703:174454011]
:OUTPUT ACCEPT [30120:1902454]
:POSTROUTING ACCEPT [32339:2018208]
# Port forwarding (DNAT) rules:
# forward SSH (port 22) to home server
-A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 10.77.0.2:22
# forward port 51412 to home (TCP)
-A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
# forward port 51412 to home (UDP)
-A PREROUTING -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
# (Remove the above 51412 rules if not used; keep 22 as its for Giteas SSH access)
# Masquerade (SNAT) rules:
# masquerade replies from home for SSH
-A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 22 -j MASQUERADE
# masquerade replies for 51412 (TCP)
-A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 51412 -j MASQUERADE
#masquerade replies for 51412 (UDP)
-A POSTROUTING -d 10.77.0.2/32 -p udp --dport 51412 -j MASQUERADE
# (If 51412 rules removed above, remove their masquerade lines too)
# NAT for 10.8.0.x clients to internet
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# NAT for 10.9.0.x clients to internet
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
COMMIT

634
jawz_hist Normal file
View File

@@ -0,0 +1,634 @@
exit
cd
ls
ls .ssh
ls ~/.ssh/
ls -lag
ls -la
sudo chown -R jawz:jawz ./
ls -lag
ls -la
ls .ssh/
ls .ssh/ -la
sudo systemctl enable --now wg-quick@wg0
sudo nano /etc/sysctl.d/99-ipforward.conf
ls
sudo -i
sudo systemctl status sshd.service
sudo systemctl restart sshd.service
journalctl -xeu sshd
sudo -i
sudo systemctl status sshd
sudo ss -ltnp | grep ssh
sudo semanage port -l | grep ssh_port_t
sudo ss -ltnp | grep 3456 || sudo ss -ltnp | grep sshd
ping google.com
sudo systemctl stop wg-quick@wg0.service
ping google.com
sudo systemctl disable wg-quick@wg0.service
exi
exit
sudo rmdir /etc/caddy/Caddyfile.d/
sudo -i
exit
ls
rm histfile
rm iptables*
ls
rm sudo_histfile
cat syncthingblocked
rm syncthingblocked
ls
exit
sudoedit /etc/wireguard/wg0.conf
export TERM=xterm-256color
sudoedit /etc/wireguard/wg0.conf
sudo systemctl restart wg-quick
sudo systemctl restart wg-quick@wg0.service
sudoedit /etc/wireguard/wg0.conf
sudo -i
sudo tcpdump
sudo dnf install tcpdump
sudo tcpdump -i wg0 host 10.77.0.2 -n -v
sudoedit /etc/sysconfig/iptables
export TERM=xterm-256color
sudoedit /etc/sysconfig/iptables
sudo systemctl restart iptables.service
ping google.com
sudo ss -ltnp | grep 3456 || sudo ss -ltnp | grep sshd
sudo sed -n '1,200p' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null | egrep -n '^(Port|ListenAddress)'
sudo iptables -S
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
sudo systemctl enable --now iptables
sudo systemctl start iptables
sudo systemctl restart iptables
sudo iptables -S
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
ping google.com
sudo -i
sudo wg sow
sudo wg show
ls
cd /etc/caddy/Caddyfile.d/
ls
cat fun.caddyfile__
ls
clear
mv portfolio.caddyfile_bkp portfolio.caddyfile
sudo mv portfolio.caddyfile_bkp portfolio.caddyfile
sudo systemctl restart caddy
clear
export TERM=xterm-256color
iptables-s
sudo iptables -S
sudo iptables -s
sudo iptables -S
clear
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
sudo -i
sudo reboot
exit
ping google.com
sudo systemctl restart iptables
sudo systemctl enable iptables
exit
sudo -i
exit
sudo iptables -vnL FORWARD | grep 22000
sudo -i
sudo iptables -L FORWARD -n -v --line-numbers
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
sudoedit /etc/sysconfig/iptables
export TERM=xterm-256color
sudoedit /etc/sysconfig/iptables
clear
sudo cat /etc/sysconfig/iptables
sudoedit /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudoedit /etc/sysconfig/iptables
wg show
sudo wg show
ping -c 3 10.8.0.2
nc -zv 10.77.0.2 22000
sudo -i
exit
sudo -i
exit
sudo systemctl disable iptables
sudo systemctl enable iptables
sudo systemctl status iptables
sudo systemctl start iptables
sudo -i
exit
sudo dnf install starship
sudo dnf copr enable atim/starship
sudo dnf install starship
nano .bashrc
export TERM=xterm-256color
nano .bashrc
bash
exit
nano /etc/hostname
export TERM=xterm-256color
nano /etc/hostname
sudoedit /etc/hostname
exit
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
export TERM=xterm-256color
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
export EDITOR=neovim
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
EDITOR=neovim sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
EDITOR=nvim sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo -i
exit
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
exit
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo -i
exit
export TERM=xterm-256color
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy
export TERM=xterm-256color
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy
sudo -i
exit
sudo mkdir -p /var/www/html
sudo mkdir -p /var/www/html/lidarr-mb-gap
sudo useradd -m -s /bin/bash lidarr-reports
sudo chown -R lidarr-reports:lidarr-reports /var/www/html/lidarr-mb-gap/
exit
sudo -u lidarr-reports bash
exit
sudo -u lidarr-reports
sudo -u lidarr-reports bash
sudo -i
exit
sudo -u lidarr-mb-gap cat /var/lib/lidarr-mb-gap/.ssh/id_ed25519.pub
exit
sudo -u lidarr-reports
sudo -u lidarr-reports bash
exit
sudo -u lidarr-reports ssh-keygen -l -f /home/lidarr-reports/.ssh/ed25519_lidarr-mb-gap.pub
exit
sudo -u lidarr-reports -u bash
sudo -u lidarr-reports bash
exit
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
exit
sudo dnf install rsync
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy.service
ls
cd /var/www/html/lidarr-mb-gap/
ls
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy.service
nc -zv 10.77.0.2 8999
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/5-keycloak.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/10-nextcloud.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/5-keycloak.caddyfile
sudo systemctl restart caddy
ls
cd /etc/wireguard/
sudo -i
exit
cd /etc/caddy/Caddyfile.d/
ls
nvim 15-private.caddyfile
mv 15-private.caddyfile 15-private.caddyfile_
sudo mv 15-private.caddyfile 15-private.caddyfile_
nvim 15-private.caddyfile
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
exit
cd /etc/caddy/Caddyfile.d/
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
exit
cd /etc/caddy/Caddyfile.d/
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
exit
sudo nvim /etc/caddy/Caddyfile.d/5-keycloak.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/10-nextcloud.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/5-keycloak.caddyfile
sudo systemctl restart caddy
sudo nvim 15-private.caddyfile
cd /etc/caddy/Caddyfile.d/
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
sudo nvim 15-private.caddyfile
cat 15-private.caddyfile
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
sudo nvim 15-private.caddyfile
sudo nvim 15-private.caddyfile_
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
exit
sudo systemctl restart caddy
sudo nvim
cd /etc/caddy/Caddyfile.d/
sudo nvim 15-private.caddyfile
cat 15-private.caddyfile_
sudo nvim 15-private.caddyfile
cat 15-private.caddyfile
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
sudo nvim 15-private.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/15-private.caddyfile
sudo systemctl restart caddy
systemctl status caddy
sudo nvim /etc/caddy/Caddyfile.d/15-private.caddyfile
sudo systemctl restart caddy
cd /etc/caddy/Caddyfile.d/
ls
sudo nvim 20-servers.caddyfile
sudo nvim 40-jellyfin.caddyfile
sudo systemctl restart jel
sudo systemctl restart caddy
cd /etc/caddy/Caddyfile.d/
ls
mv 15-private.caddyfile 15-private.caddyfile__
sudo mv 15-private.caddyfile 15-private.caddyfile__
sudo mv 15-private.caddyfile_ 15-private.caddyfile
sudo systemctl restart caddy
exit
dig servidos.lat A
sudo dnf install dig
dig servidos.lat A
exit
curl servidos.lat
exit
curl servidos.lat
dig servidos.lat A
curl -v 130.211.27.102
curl -v 130.211.27.102:443
curl -v https://130.211.27.102
curl servidos.lat
curl https://servidos.lat
curl-v https://servidos.lat
curl -v https://servidos.lat
dig servidos.lat A
exit
dig servidos.lat A
exit
dig servidos.lat A
exit
dig servidos.lat A
exit
dig servidos.lat A
exit
dig servidos.lat A
curl -v https://servidos.lat
exit
sudo useradd -m -s /bin/bash deploy
sudo groupadd -f www-data
sudo usermod -aG www-data deploy
ls -lag /var/www/html/
sudo mkdir /var/www/html/portfolio
sudo chown -R root:www-data /var/www/html/portfolio/
sudo chmod -R 775 /var/www/html/portfolio/
ssh-keygen -t ed25519 -C "deploy@portfolio" -f ~/.ssh/portfolio_deploy
cat ~/.ssh/portfolio_deploy.pub
sudo -u deploy
sudo -u deploy bash
ls
ls -lag
cat ~/.ssh/portfolio_deploy
exit
su
sudo -u
sudo -i
cat ~/.ssh/portfolio_deploy
exit
sudo systemctl restart iptables
exit
ls
ls ~/.ssh/authorized_keys
cat ~/.ssh/authorized_keys
sudo systemctl restart iptables.service
sudo systemctl status iptables.service
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
exit
ls
exit
cd /var/www/html/portfolio/
ls -lag
ls
sudo -u deploy bash
ls
exit
sudo systemctl restart caddy
cd /var/www/html/portfolio/
ls
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
sudo chown -R deploy:www-data /var/www/html/portfo
sudo chown -R deploy:www-data /var/www/html/portfolio/
exit
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo mkdir /var/www/html/blog
sudo chown deploy:www-data /var/www/html/blog/ -R
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo cat /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
sudo chmod -R 775 /var/www/html/portfolio
ls -la /var/www/html/portfolio/
sudo chown -$ deploy:www-data /var/www/html/portfolio/
sudo chown -R deploy:www-data /var/www/html/portfolio/
sudo -i
ls -la /var/www/html/portfolio/friends/ | grep "001_chicken_hu"
sudo cat /etc/caddy/Caddyfile.d/25-static.caddyfile
df -h
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy && exit
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy && exit
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
journalctl -xeu caddy.service
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
journalctl -xeu caddy.service
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy && exit
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
curl -sI "https://danilo-reyes.com/isso/js/embed.min.js"
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy && exit
curl -sI "https://danilo-reyes.com/isso/js/embed.min.js"
curl -vkI https://blog.danilo-reyes.com/isso/js/embed.min.js
sudo cat /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
sudo cat /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
curl -vkI https://blog.danilo-reyes.com/isso/
curl -vkI https://blog.danilo-reyes.com/isso/js/embed.min.js
curl -vkI http://10.77.0.2:8180/
curl -vkI http://10.77.0.2:8180/js/embed.min.js
curl -vkI http://10.77.0.2:8180/
curl -vkI http://10.77.0.2:8180/js/embed.min.js
curl -vkI https://blog.danilo-reyes.com/isso/js/embed.min.js
curl -vkI https://blog.danilo-reyes.com/isso/
curl -vkI https://blog.danilo-reyes.com/isso
9;6u
timedatectl status
date-u
date -u
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
exit
sudo cat /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
exit
sudo cat /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo cat /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo dnf search opentracker
sudo dnf install -y git gcc make libowfat-devel
git clone https://erdgeist.org/gitweb/opentracker
cd opentracker/
make
sudo dnf install -y libowfat-devel
make clean
make CFLAGS="-I/usr/include/libowfat"
sudo dnf install -y zlib-devel
make CFLAGS="-I/usr/include/libowfat"
git submodule update --init
make clean
make
ls
cd ..
git clone git@github.com:masroore/libowfat.git
sudo dnf install libowfat
git clone git@github.com:masroore/libowfat.git
podman
docker
exit
sudo dnf copr enable dlk/rpms
sudo dnf install opentracker
rm opentracker/
rm opentracker/ -rf
sudo systemctl enable --now opentracker
sudo systemctl status opentracker
sudo cat /etc/opentracker.conf
sudo nvim /etc/opentracker.conf
sudo nvim /etc/caddy/Caddyfile.d/15-private.caddyfile
sudo grep -r 6969 /etc/caddy/Caddyfile.d/
sudo nvim /etc/opentracker.conf
sudo systemctl restart opentracker.service
sudo systemctl status opentracker
sudo nvim /etc/opentracker.conf
sudo systemctl restart opentracker.service
sudo systemctl status opentracker
sudo install -d -m 0750 /var/lib/opentracker
sudo install -m 0640 /dev/null /var/lib/opentracker/whitelist
sudo install -m 0640 /dev/null /var/lib/opentracker/blacklist
sudo systemctl restart opentracker.service
sudo systemctl status opentracker
ls -lag /var/lib/opentracker/
sudo ls -lag /var/lib/opentracker/
sudo nvim /etc/opentracker.conf
sudo systemctl restart opentracker.service
sudo systemctl status opentracker
sudo chmod 666 /var/lib/opentracker/blacklist
sudo systemctl restart opentracker.service
sudo systemctl status opentracker
sudo iptables -A INPUT -p tcp --dport 6969 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 6969 -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -L INPUT -n -v --line-numbers | grep 6969
sudo service iptables save
exit
ls /etc/wireguard/
sudo ls /etc/wireguard/
sudo cat /etc/wireguard/wg0.conf
cat /etc/sysctl.d/99-forward.conf
sudo ls /etc/sysctl.d
cat /etc/sysctl.d/99-ipforward.conf
sudo sysctl net.ipv4.ip_forward
sudo -i
sudo systemctl status opentracker
journalctl -xefu opentracker
ss -tnp | grep 6969
sudo sysctl -w net.ipv4.conf.all.rp_filter=0
sudo sysctl -w net.ipv4.conf.eth0.rp_filter=0
sudo sysctl -w net.ipv4.conf.wg0.rp_filter=0
journalctl -xefu opentracker
sudo cat /etc/sysconfig/iptables
sysctl -w net.ipv4.ip_forward=1
# ---- NAT (insert at top) ----
iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I PREROUTING 2 -i eth0 -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I POSTROUTING 1 -s 10.77.0.0/24 -o eth0 -j MASQUERADE
# ---- FORWARD ----
iptables -I FORWARD 1 -i eth0 -o wg0 -p tcp -d 10.77.0.2 --dport 51412 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -i eth0 -o wg0 -p udp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 3 -i wg0 -o eth0 -s 10.77.0.2 -p tcp --sport 51412 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 4 -i wg0 -o eth0 -s 10.77.0.2 -p udp --sport 51412 -j ACCEPT
iptables -I FORWARD 5 -i wg0 -o eth0 -j ACCEPT
iptables -I FORWARD 6 -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
net.ipv4.ip_forward = 1
sudo -i
mkfs.ext4 "/dev/disk/by-id/scsi-0Linode_Volume_box"
sudo -i
mkdir /mnt/box/downloads
sudo mkdir /mnt/box/downloads
sudo chown jawz:users /mnt/box/downloads/
ls -la
sudo chown jawz:jawz /mnt/box/downloads/
qbittorrent-nox
sudo useradd --system --create-home --home-dir /var/lib/qbittorrent --shell /sbin/nologin qbittorrent
sudo mkdir -p /srv/torrents/{downloads,incomplete,watch}
sudo chown -R qbittorrent:qbittorrent /srv/torrents /var/lib/qbittorrent
sudo tee /etc/systemd/system/qbittorrent-nox.service >/dev/null <<'EOF'
[Unit]
Description=qBittorrent (nox)
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=qbittorrent
Group=qbittorrent
UMask=0027
WorkingDirectory=/var/lib/qbittorrent
ExecStart=/usr/bin/qbittorrent-nox --profile=/var/lib/qbittorrent
Restart=on-failure
RestartSec=3
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now qbittorrent-nox
sudo systemctl status qbittorrent-nox --no-pager
sudo -u qbittorrent nano /var/lib/qbittorrent/qBittorrent/config/qBittorrent.conf
sudo systemctl restart qbittorrent-nox
sudo nvim /etc/caddy/Caddyfile.d/75-qbittorrent.caddyfile
sudo -u qbittorrent nano /var/lib/qbittorrent/qBittorrent/config/qBittorrent.conf
sudo systemctl stop qbittorrent-nox
sudo -u qbittorrent nano /var/lib/qbittorrent/qBittorrent/config/qBittorrent.conf
sudo systemctl start qbittorrent-nox
sudo -u qbittorrent nano /var/lib/qbittorrent/qBittorrent/config/qBittorrent.conf
sudo nvim /etc/caddy/Caddyfile.d/75-qbittorrent.caddyfile
sudo systemctl restart caddy
sudo systemctl status qbittorrent-nox --no-pager
ls
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
ls /mnt/
ls /mnt/box/
rm /mnt/box/downloads/
rmdir /mnt/box/downloads/
sudo rmdir /mnt/box/downloads/
sudo mv /srv/torrents/* /mnt/box/
sudo umount /mnt/box
sudo nvim /etc/fstab
sudo mount -a
sudo systemctl daemon-reload
sudo mount -a
ls -lag /srv/torrents/
sudo -u qbittorrent nano /var/lib/qbittorrent/qBittorrent/config/qBittorrent.conf
cd /var/lib/qbittorrent/
sudo -i
exit
sudo -i
ssh server
exitr
exit
ls /srv/torrents/
sudo mkdir /srv/torrents/tits
sudo chown jawz:jawz /srv/torrents/tits/
ls /srv/torrents/tits/
sudo -i
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy
exit
ls
df -h
ssh server
exit
clear
sudoedit /etc/sysconfig/iptables
exit
sudo grep 6060 /etc/
sudo grep 6060 /etc/ -r
sudo grep -r 6969 /etc/
sudo cat /etc/ssh/sshd_config
ls
clear
exit
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
sudo ls /etc/wireguard/
sudo cat /etc/wireguard/wg0.conf
sudo -i
exit
sudo -i
sudo -i
sudo -i
iptables -S
sudo iptables -S
sudo nvim /etc/wireguard/wg0.conf
exit
curl # Test paperless (should fail)
curl -v --connect-timeout 5 http://192.168.100.15:8000
# Test sabnzbd (should fail)
curl -v --connect-timeout 5 http://192.168.100.15:3399
curl -v --connect-timeout 5 http://192.168.100.15:8686
sudo wg show
exit
sudo systemctl restart wg-quick@wg0.service
exit
sudo nvim /etc/wireguard/wg0.conf
sudo systemctl restart wg-quick@wg0.service
sudo nvim /etc/wireguard/wg0.conf
exit
sudo wg show
exit
sudo nvim /etc/sysconfig/iptables
sudo systemctl restart iptables.service
exit
sudo systemctl restart wg-quick@wg0.service
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy
z nixos
exit
cat .ssh/id_ed25519.pub
cat .ssh/id_ed25519
exit
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
exit
sudo -i
ls
cat vps_public.key
ls .ssh/authorized_keys
cat .ssh/authorized_keys
exit

4
modules/factories/mkserver.nix
View File

@@ -48,6 +48,10 @@ let
type = lib.types.bool;
default = false;
};
useDefaultProxy = lib.mkOption {
type = lib.types.bool;
default = true;
};
certPath = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;

5
modules/modules.nix
View File

@@ -49,7 +49,7 @@ in
server = "192.168.100.15";
miniserver = "192.168.1.100";
workstation = "192.168.100.18";
vps = "45.79.25.87";
vps = "45.33.0.228";
wg-vps = "10.77.0.1";
wg-server = "10.77.0.2";
wg-g1 = "10.9.0.2";
@@ -68,12 +68,13 @@ in
server = "enp0s31f6";
miniserver = "enp2s0";
workstation = "enp5s0";
vps = "eth0";
};
description = "Set of network interface names for all my computers.";
};
mainServer = lib.mkOption {
type = lib.types.str;
default = "miniserver";
default = "vps";
description = "The hostname of the main server.";
};
postgresSocket = lib.mkOption {

40
modules/network/nginx.nix
View File

@@ -5,44 +5,24 @@
...
}:
let
proxyReverseServices = [
"bazarr"
"firefox-syncserver"
"flame"
"flameSecret"
"isso"
"kavita"
"linkwarden"
"maloja"
"mealie"
"metube"
"microbin"
"multi-scrobbler"
"nix-serve"
"plausible"
"shiori"
"vaultwarden"
"yamtrack"
];
proxyReverseFixServices = [
"atticd"
"audiobookshelf"
"gitea"
"lidarr"
"ombi"
"prowlarr"
"radarr"
"sonarr"
"stash"
];
proxyReversePrivateServices = [
"homepage"
"prowlarr"
"stash"
];
mkServiceConfig =
type: services: lib.listToAttrs (map (name: lib.nameValuePair name { inherit type; }) services);
standardProxyServices =
(mkServiceConfig "proxyReverse" proxyReverseServices)
// (mkServiceConfig "proxyReverseFix" proxyReverseFixServices)
(mkServiceConfig "proxyReverseFix" proxyReverseFixServices)
// (mkServiceConfig "proxyReversePrivate" proxyReversePrivateServices);
generateProxyConfig =
serviceName: serviceConfig:
@@ -59,9 +39,21 @@ let
throw "Unknown proxy type: ${serviceConfig.type}";
in
lib.nameValuePair cfg.host (lib.mkIf cfg.enableProxy (proxyFunc cfg));
standardProxyNames = builtins.attrNames standardProxyServices;
customProxyServices =
config.my.servers
|> lib.filterAttrs (
name: srv:
(srv.enableProxy or false)
&& (srv.useDefaultProxy or true)
&& !(builtins.elem name standardProxyNames)
)
|> lib.mapAttrs (_name: _srv: { type = "proxyReverse"; });
in
{
config = lib.mkIf config.my.enableProxy {
services.nginx.virtualHosts = lib.mapAttrs' generateProxyConfig standardProxyServices;
services.nginx.virtualHosts = lib.mapAttrs' generateProxyConfig (
standardProxyServices // customProxyServices
);
};
}

48
modules/servers/homepage.nix
View File

@@ -9,31 +9,33 @@ let
in
{
options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
config = lib.mkIf config.my.secureHost {
sops.secrets = lib.mkIf cfg.enable {
homepage.sopsFile = ../../secrets/homepage.yaml;
"private-ca/pem" = {
config = lib.mkMerge [
(lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.homepage.sopsFile = ../../secrets/homepage.yaml;
services.homepage-dashboard = {
inherit (cfg) enable;
listenPort = cfg.port;
environmentFile = config.sops.secrets.homepage.path;
settings = {
providers.openweathermap = "{{HOMEPAGE_VAR_OPENWEATHERMAP_API_KEY}}";
layout = import ./homepage/layout.nix;
};
widgets = import ./homepage/widgets.nix;
services = import ./homepage/services.nix { inherit lib config; };
bookmarks =
builtins.readDir ./homepage/bookmarks
|> builtins.attrNames
|> builtins.filter (file: builtins.match ".*\\.nix" file != null)
|> map (file: import ./homepage/bookmarks/${file});
};
})
(lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
sops.secrets."private-ca/pem" = {
sopsFile = ../../secrets/certs.yaml;
owner = "nginx";
group = "nginx";
};
};
my.servers.homepage.certPath = config.sops.secrets."private-ca/pem".path;
services.homepage-dashboard = lib.mkIf cfg.enable {
inherit (cfg) enable;
listenPort = cfg.port;
environmentFile = config.sops.secrets.homepage.path;
settings = {
providers.openweathermap = "{{HOMEPAGE_VAR_OPENWEATHERMAP_API_KEY}}";
layout = import ./homepage/layout.nix;
};
widgets = import ./homepage/widgets.nix;
services = import ./homepage/services.nix { inherit lib config; };
bookmarks =
builtins.readDir ./homepage/bookmarks
|> builtins.attrNames
|> builtins.filter (file: builtins.match ".*\\.nix" file != null)
|> map (file: import ./homepage/bookmarks/${file});
};
};
my.servers.homepage.certPath = config.sops.secrets."private-ca/pem".path;
})
];
}

79
modules/servers/jellyfin.nix
View File

@@ -23,22 +23,48 @@ let
in
{
options.my.servers.jellyfin = setup.mkOptions "jellyfin" "flix" 8096;
config = lib.mkIf (cfg.enable && config.my.secureHost) {
environment.systemPackages = [
pkgs.jellyfin-ffmpeg
]
++ (lib.optional cfg.enableCron [ sub-sync-path ]);
users.users.jellyfin = {
uid = 984;
group = "piracy";
isSystemUser = true;
};
services = {
jellyfin = {
config = lib.mkMerge [
(lib.mkIf (cfg.enable && config.my.secureHost) {
environment.systemPackages = [
pkgs.jellyfin-ffmpeg
]
++ (lib.optional cfg.enableCron [ sub-sync-path ]);
users.users.jellyfin = {
uid = 984;
group = "piracy";
isSystemUser = true;
};
services.jellyfin = {
inherit (cfg) enable;
group = "piracy";
};
nginx = lib.mkIf cfg.enableProxy {
systemd = lib.mkIf cfg.enableCron {
services.sub-sync = {
restartIfChanged = true;
description = "syncronizes subtitles downloaded & modified today";
wantedBy = [ "default.target" ];
path = sub-sync-path;
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${sub-sync}/bin/sub-sync all";
Type = "simple";
User = "root";
};
};
timers.sub-sync = {
enable = true;
description = "syncronizes subtitles downloaded & modified today";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "20:00";
};
};
};
})
(lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
my.servers.jellyfin.useDefaultProxy = false;
services.nginx = {
appendHttpConfig = ''
# JELLYFIN
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=1d use_temp_path=off;
@@ -94,29 +120,6 @@ in
};
};
};
};
systemd = lib.mkIf cfg.enableCron {
services.sub-sync = {
restartIfChanged = true;
description = "syncronizes subtitles downloaded & modified today";
wantedBy = [ "default.target" ];
path = sub-sync-path;
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${sub-sync}/bin/sub-sync all";
Type = "simple";
User = "root";
};
};
timers.sub-sync = {
enable = true;
description = "syncronizes subtitles downloaded & modified today";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "20:00";
};
};
};
};
})
];
}

61
modules/servers/keycloak.nix
View File

@@ -10,35 +10,38 @@ let
in
{
options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090;
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.postgres-password.sopsFile = ../../secrets/secrets.yaml;
sops.secrets.keycloak = {
sopsFile = ../../secrets/env.yaml;
restartUnits = [ "keycloak.service" ];
};
services.keycloak = {
inherit (cfg) enable;
database = {
type = "postgresql";
host = "localhost";
createLocally = false;
username = "keycloak";
name = "keycloak";
passwordFile = config.sops.secrets.postgres-password.path;
config = lib.mkMerge [
(lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.postgres-password.sopsFile = ../../secrets/secrets.yaml;
sops.secrets.keycloak = {
sopsFile = ../../secrets/env.yaml;
restartUnits = [ "keycloak.service" ];
};
settings = {
hostname = cfg.host;
hostname-strict = true;
hostname-strict-https = false;
http-enabled = true;
http-port = cfg.port;
http-host = cfg.ip;
proxy-headers = "xforwarded";
services.keycloak = {
inherit (cfg) enable;
database = {
type = "postgresql";
host = "localhost";
createLocally = false;
username = "keycloak";
name = "keycloak";
passwordFile = config.sops.secrets.postgres-password.path;
};
settings = {
hostname = cfg.host;
hostname-strict = true;
hostname-strict-https = false;
http-enabled = true;
http-port = cfg.port;
http-host = cfg.ip;
proxy-headers = "xforwarded";
};
};
};
systemd.services.keycloak.serviceConfig.EnvironmentFile = config.sops.secrets.keycloak.path;
services.nginx.virtualHosts.${cfg.host} = lib.mkIf (cfg.enableProxy && config.my.enableProxy) (
inputs.self.lib.proxyReverseFix cfg
);
};
systemd.services.keycloak.serviceConfig.EnvironmentFile = config.sops.secrets.keycloak.path;
})
(lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
my.servers.keycloak.useDefaultProxy = false;
services.nginx.virtualHosts.${cfg.host} = inputs.self.lib.proxyReverseFix cfg;
})
];
}

416
modules/servers/nextcloud.nix
View File

@@ -38,137 +38,141 @@ let
in
{
options.my.servers = {
nextcloud = setup.mkOptions "nextcloud" "cloud" 80;
nextcloud = setup.mkOptions "nextcloud" "cloud" 8081;
collabora = setup.mkOptions "collabora" "collabora" 9980;
go-vod.enable = lib.mkEnableOption "Go-VOD video transcoding service";
};
config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
sops.secrets.nextcloud-adminpass = {
owner = config.users.users.nextcloud.name;
inherit (config.users.users.nextcloud) group;
};
nixpkgs.config.permittedInsecurePackages = [
"nodejs-14.21.3"
"openssl-1.1.1v"
];
users.groups.nextcloud = { inherit gid; };
users.users.nextcloud = {
inherit uid;
isSystemUser = true;
group = "nextcloud";
extraGroups = [ "render" ];
packages = builtins.attrValues {
inherit exiftool pytensorflow;
inherit (pkgs)
ffmpeg
mediainfo
nodejs
perl
;
config = lib.mkMerge [
{ my.servers.nextcloud.useDefaultProxy = false; }
(lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) {
sops.secrets.nextcloud-adminpass = {
owner = config.users.users.nextcloud.name;
inherit (config.users.users.nextcloud) group;
};
};
services = {
nextcloud = {
enable = true;
https = false; # vps
package = pkgs.nextcloud32;
appstoreEnable = true;
configureRedis = true;
extraAppsEnable = true;
enableImagemagick = true;
maxUploadSize = "4096M";
hostName = cfg.host;
caching = {
redis = true;
memcached = true;
apcu = true;
nixpkgs.config.permittedInsecurePackages = [
"nodejs-14.21.3"
"openssl-1.1.1v"
];
users = {
groups.nextcloud = { inherit gid; };
users.nextcloud = {
inherit uid;
isSystemUser = true;
group = "nextcloud";
extraGroups = [ "render" ];
packages = builtins.attrValues {
inherit exiftool pytensorflow;
inherit (pkgs)
ffmpeg
mediainfo
nodejs
perl
;
};
};
config = {
adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
dbtype = "pgsql";
dbhost = config.my.postgresSocket;
dbname = "nextcloud";
};
phpOptions = {
catch_workers_output = "yes";
display_errors = "stderr";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
expose_php = "Off";
preview_max_x = 2048;
preview_max_y = 2048;
short_open_tag = "Off";
"opcache.enable_cli" = "1";
"opcache.fast_shutdown" = "1";
"opcache.interned_strings_buffer" = "16";
"opcache.jit" = "1255";
"opcache.jit_buffer_size" = "256M";
"opcache.max_accelerated_files" = "10000";
"opcache.huge_code_pages" = "1";
"opcache.enable_file_override" = "1";
"opcache.memory_consumption" = "256";
"opcache.revalidate_freq" = "60";
"opcache.save_comments" = "1";
"opcache.validate_timestamps" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
};
settings = {
log_type = "file";
loglevel = 1;
trusted_proxies = [
config.my.localhost
config.my.localhost6
config.my.ips.router
config.my.ips.wg-vps
};
services = {
nextcloud = {
enable = true;
https = false; # vps
package = pkgs.nextcloud32;
appstoreEnable = true;
configureRedis = true;
extraAppsEnable = true;
enableImagemagick = true;
maxUploadSize = "4096M";
hostName = cfg.host;
caching = {
redis = true;
memcached = true;
apcu = true;
};
config = {
adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
dbtype = "pgsql";
dbhost = config.my.postgresSocket;
dbname = "nextcloud";
};
phpOptions = {
catch_workers_output = "yes";
display_errors = "stderr";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
expose_php = "Off";
preview_max_x = 2048;
preview_max_y = 2048;
short_open_tag = "Off";
"opcache.enable_cli" = "1";
"opcache.fast_shutdown" = "1";
"opcache.interned_strings_buffer" = "16";
"opcache.jit" = "1255";
"opcache.jit_buffer_size" = "256M";
"opcache.max_accelerated_files" = "10000";
"opcache.huge_code_pages" = "1";
"opcache.enable_file_override" = "1";
"opcache.memory_consumption" = "256";
"opcache.revalidate_freq" = "60";
"opcache.save_comments" = "1";
"opcache.validate_timestamps" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
};
settings = {
log_type = "file";
loglevel = 1;
trusted_proxies = [
config.my.localhost
config.my.localhost6
config.my.ips.router
config.my.ips.wg-vps
];
trusted_domains = [
cfg.host
config.my.ips.${config.networking.hostName}
"localhost"
"cloud.rotehaare.art"
];
overwriteprotocol = "https";
"overwrite.cli.url" = "${cfg.url}";
forwarded_for_headers = [ "HTTP_X_FORWARDED_FOR" ];
default_phone_region = "MX";
allow_local_remote_servers = true;
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
preview_ffmpeg_path = "${pkgs.ffmpeg}/bin/ffmpeg";
"memories.exiftool" = "${exiftool}/bin/exiftool";
"memories.ffmpeg_path" = "${pkgs.ffmpeg}/bin/ffmpeg";
"memories.ffprobe_path" = "${pkgs.ffmpeg}/bin/ffprobe";
enabledPreviewProviders = [
"OC\\Preview\\AVI"
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\HEIC"
"OC\\Preview\\Image"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MKV"
"OC\\Preview\\MP3"
"OC\\Preview\\MP4"
"OC\\Preview\\MarkDown"
"OC\\Preview\\Movie"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TIFF"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
];
};
phpExtraExtensions = all: [
all.pdlib
all.bz2
];
trusted_domains = [
cfg.host
config.my.ips.${config.networking.hostName}
"localhost"
};
nginx.virtualHosts.${cfg.host} = {
forceSSL = false;
enableACME = false;
http2 = false;
serverAliases = [
"cloud.rotehaare.art"
];
overwriteprotocol = "https";
"overwrite.cli.url" = "${cfg.url}";
forwarded_for_headers = [ "HTTP_X_FORWARDED_FOR" ];
default_phone_region = "MX";
allow_local_remote_servers = true;
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
preview_ffmpeg_path = "${pkgs.ffmpeg}/bin/ffmpeg";
"memories.exiftool" = "${exiftool}/bin/exiftool";
"memories.ffmpeg_path" = "${pkgs.ffmpeg}/bin/ffmpeg";
"memories.ffprobe_path" = "${pkgs.ffmpeg}/bin/ffprobe";
enabledPreviewProviders = [
"OC\\Preview\\AVI"
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\HEIC"
"OC\\Preview\\Image"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MKV"
"OC\\Preview\\MP3"
"OC\\Preview\\MP4"
"OC\\Preview\\MarkDown"
"OC\\Preview\\Movie"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TIFF"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
];
};
phpExtraExtensions = all: [
all.pdlib
all.bz2
];
};
nginx.virtualHosts = {
"${cfg.host}" = lib.mkIf cfg.enableProxy {
forceSSL = false; # vps
enableACME = false; # vps
http2 = false; # vps
# default = true; #vps
#vps
listen = [
{
addr = config.my.ips.wg-server;
@@ -179,7 +183,86 @@ in
port = 8081;
}
];
#vps
};
};
virtualisation.oci-containers.containers = {
go-vod = lib.mkIf config.my.servers.go-vod.enable {
autoStart = true;
image = "radialapps/go-vod";
environment = {
TZ = config.my.timeZone;
NEXTCLOUD_HOST = "https://${config.services.nextcloud.hostName}";
NVIDIA_VISIBLE_DEVICES = "all";
};
volumes = [ "ncdata:/var/www/html:ro" ];
extraOptions = [
"--device=/dev/dri" # VA-API (omit for NVENC)
];
};
collabora = lib.mkIf cfgC.enable {
autoStart = true;
image = "collabora/code:latest";
ports = [ "${toString cfgC.port}:${toString cfgC.port}" ];
environment = {
TZ = config.my.timeZone;
domain = cfg.host;
aliasgroup1 = "${cfg.url}:443";
aliasgroup2 = "https://cloud.rotehaare.art:443";
server_name = cfgC.host;
dictionaries = "en_CA en_US es_MX es_ES fr_FR it pt_BR ru";
extra_params = ''
--o:ssl.enable=false
--o:ssl.termination=true
--o:remote_font_config.url=${cfg.url}/apps/richdocuments/settings/fonts.json
--o:logging.level=information
'';
DONT_GEN_SSL_CERT = "1";
SLEEPFORDEBUGGER = "0";
};
extraOptions = [
"--cap-add"
"MKNOD"
];
};
};
systemd = lib.mkIf cfg.enableCron {
services = {
nextcloud-cron.path = [ pkgs.perl ];
nextcloud-cronjob =
let
inherit (inputs.jawz-scripts.packages.x86_64-linux) nextcloud-cronjob;
in
{
description = "Runs various nextcloud-related cronjobs";
wantedBy = [ "multi-user.target" ];
path = [
pkgs.bash
nextcloud-cronjob
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${nextcloud-cronjob}/bin/nextcloud-cronjob";
};
};
};
timers.nextcloud-cronjob = {
enable = true;
description = "Runs various nextcloud-related cronjobs";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/10";
};
};
};
})
(lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.networking.hostName == "vps") {
services.nginx.virtualHosts = {
"${cfg.host}" = {
forceSSL = true;
enableACME = true;
http2 = true;
default = true;
serverAliases = [ "cloud.rotehaare.art" ];
extraConfig = ''
add_header X-XSS-Protection "1; mode=block" always;
@@ -188,11 +271,16 @@ in
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
'';
locations = {
"/".proxyWebsockets = true;
"~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
{ };
"/" = {
proxyPass = cfg.local;
proxyWebsockets = true;
};
};
};
"${cfgC.host}" = lib.mkIf cfgC.enableProxy {
@@ -243,76 +331,6 @@ in
};
};
};
};
virtualisation.oci-containers.containers = {
go-vod = lib.mkIf config.my.servers.go-vod.enable {
autoStart = true;
image = "radialapps/go-vod";
environment = {
TZ = config.my.timeZone;
NEXTCLOUD_HOST = "https://${config.services.nextcloud.hostName}";
NVIDIA_VISIBLE_DEVICES = "all";
};
volumes = [ "ncdata:/var/www/html:ro" ];
extraOptions = [
"--device=/dev/dri" # VA-API (omit for NVENC)
];
};
collabora = lib.mkIf cfgC.enable {
autoStart = true;
image = "collabora/code:latest";
ports = [ "9980:9980" ];
environment = {
TZ = config.my.timeZone;
domain = cfg.host;
aliasgroup1 = "${cfg.url}:443";
aliasgroup2 = "https://cloud.rotehaare.art:443";
server_name = cfgC.host;
dictionaries = "en_CA en_US es_MX es_ES fr_FR it pt_BR ru";
extra_params = ''
--o:ssl.enable=false
--o:ssl.termination=true
--o:remote_font_config.url=${cfg.url}/apps/richdocuments/settings/fonts.json
--o:logging.level=information
'';
DONT_GEN_SSL_CERT = "1";
SLEEPFORDEBUGGER = "0";
};
extraOptions = [
"--cap-add"
"MKNOD"
];
};
};
systemd = lib.mkIf cfg.enableCron {
services = {
nextcloud-cron.path = [ pkgs.perl ];
nextcloud-cronjob =
let
inherit (inputs.jawz-scripts.packages.x86_64-linux) nextcloud-cronjob;
in
{
description = "Runs various nextcloud-related cronjobs";
wantedBy = [ "multi-user.target" ];
path = [
pkgs.bash
nextcloud-cronjob
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${nextcloud-cronjob}/bin/nextcloud-cronjob";
};
};
};
timers.nextcloud-cronjob = {
enable = true;
description = "Runs various nextcloud-related cronjobs";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/10";
};
};
};
};
})
];
}

4
modules/servers/oauth2-proxy.nix
View File

@@ -40,7 +40,7 @@ in
secure = true;
expire = "168h";
refresh = "1h";
domain = ".lebubu.org";
domain = ".${config.my.domain}";
secret = config.sops.secrets.oauth2-proxy-cookie.path;
};
extraConfig = {
@@ -53,7 +53,7 @@ in
session-store-type = "cookie";
skip-provider-button = true;
code-challenge-method = "S256";
whitelist-domain = [ ".lebubu.org" ];
whitelist-domain = [ ".${config.my.domain}" ];
};
};
};

85
modules/servers/plex.nix
View File

@@ -9,51 +9,52 @@ let
in
{
options.my.servers.plex = setup.mkOptions "plex" "plex" 32400;
config = lib.mkIf (cfg.enable && config.my.secureHost) {
users.users.plex = {
uid = 193;
group = "piracy";
isSystemUser = true;
};
services = {
plex = {
config = lib.mkMerge [
(lib.mkIf (cfg.enable && config.my.secureHost) {
users.users.plex = {
uid = 193;
group = "piracy";
isSystemUser = true;
};
services.plex = {
inherit (cfg) enable;
group = "piracy";
};
nginx = lib.mkIf cfg.enableProxy {
virtualHosts."${cfg.host}" = {
forceSSL = true;
enableACME = true;
http2 = true;
serverAliases = [
"plex.rotehaare.art"
];
extraConfig = ''
# Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
send_timeout 100m;
# Plex headers
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;
# Buffering off send to the client as soon as the data is received from Plex.
proxy_redirect off;
proxy_buffering off;
'';
locations."/" = {
proxyPass = cfg.local;
proxyWebsockets = true;
};
})
(lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
my.servers.plex.useDefaultProxy = false;
services.nginx.virtualHosts."${cfg.host}" = {
forceSSL = true;
enableACME = true;
http2 = true;
serverAliases = [
"plex.rotehaare.art"
];
extraConfig = ''
# Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
send_timeout 100m;
# Plex headers
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;
# Buffering off send to the client as soon as the data is received from Plex.
proxy_redirect off;
proxy_buffering off;
'';
locations."/" = {
proxyPass = cfg.local;
proxyWebsockets = true;
};
};
};
};
})
];
}

1
modules/servers/postgres.nix
View File

@@ -37,6 +37,7 @@ let
"mealie"
"nextcloud"
"paperless"
"plausible"
"shiori"
"sonarqube"
"vaultwarden"

36
modules/servers/prowlarr.nix
View File

@@ -9,19 +9,29 @@ let
in
{
options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
config = lib.mkIf cfg.enable {
users.users.prowlarr = {
uid = 987;
group = "piracy";
isSystemUser = true;
};
services = {
prowlarr = {
inherit (cfg) enable;
config = lib.mkMerge [
(lib.mkIf cfg.enable {
users.users.prowlarr = {
uid = 987;
group = "piracy";
isSystemUser = true;
};
flaresolverr = {
inherit (cfg) enable;
services = {
prowlarr = {
inherit (cfg) enable;
};
flaresolverr = {
inherit (cfg) enable;
};
};
};
};
})
(lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
sops.secrets."private-ca/pem" = {
sopsFile = ../../secrets/certs.yaml;
owner = "nginx";
group = "nginx";
};
my.servers.prowlarr.certPath = config.sops.secrets."private-ca/pem".path;
})
];
}

88
modules/servers/stash.nix
View File

@@ -29,46 +29,56 @@ let
in
{
options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets = {
"stash/password".sopsFile = ../../secrets/secrets.yaml;
"stash/jwt".sopsFile = ../../secrets/secrets.yaml;
"stash/session".sopsFile = ../../secrets/secrets.yaml;
};
services.stash = {
inherit (cfg) enable;
group = "glue";
mutableSettings = true;
username = "Suing8150";
passwordFile = config.sops.secrets."stash/password".path;
jwtSecretKeyFile = config.sops.secrets."stash/jwt".path;
sessionStoreKeyFile = config.sops.secrets."stash/session".path;
settings = {
inherit (cfg) port;
host = "0.0.0.0";
stash = [
{
path = "/srv/pool/glue/";
}
];
config = lib.mkMerge [
(lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets = {
"stash/password".sopsFile = ../../secrets/secrets.yaml;
"stash/jwt".sopsFile = ../../secrets/secrets.yaml;
"stash/session".sopsFile = ../../secrets/secrets.yaml;
};
};
systemd.services.stash = {
environment = {
PYTHONPATH = "/var/lib/stash/venv/lib/python3.12/site-packages";
LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.glibc}/lib:${pkgs.zlib}/lib:${pkgs.libffi}/lib:${pkgs.openssl}/lib";
services.stash = {
inherit (cfg) enable;
group = "glue";
mutableSettings = true;
username = "Suing8150";
passwordFile = config.sops.secrets."stash/password".path;
jwtSecretKeyFile = config.sops.secrets."stash/jwt".path;
sessionStoreKeyFile = config.sops.secrets."stash/session".path;
settings = {
inherit (cfg) port;
host = "0.0.0.0";
stash = [
{
path = "/srv/pool/glue/";
}
];
};
};
serviceConfig = {
PrivateUsers = lib.mkForce false;
BindReadOnlyPaths = lib.mkForce [ ];
BindPaths = lib.mkIf (cfgS.settings != { }) (map (stash: "${stash.path}") cfgS.settings.stash);
systemd.services.stash = {
environment = {
PYTHONPATH = "/var/lib/stash/venv/lib/python3.12/site-packages";
LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.glibc}/lib:${pkgs.zlib}/lib:${pkgs.libffi}/lib:${pkgs.openssl}/lib";
};
serviceConfig = {
PrivateUsers = lib.mkForce false;
BindReadOnlyPaths = lib.mkForce [ ];
BindPaths = lib.mkIf (cfgS.settings != { }) (map (stash: "${stash.path}") cfgS.settings.stash);
};
};
};
users.users.stash = {
uid = 974;
isSystemUser = true;
group = "glue";
packages = [ stashPythonFHS ];
};
};
users.users.stash = {
uid = 974;
isSystemUser = true;
group = "glue";
packages = [ stashPythonFHS ];
};
})
(lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
sops.secrets."private-ca/pem" = {
sopsFile = ../../secrets/certs.yaml;
owner = "nginx";
group = "nginx";
};
my.servers.stash.certPath = config.sops.secrets."private-ca/pem".path;
})
];
}

83
modules/servers/synapse.nix
View File

@@ -25,42 +25,37 @@ in
synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008;
element = setup.mkOptions "element" "55a608953f6d64c199" 5345;
};
config = lib.mkIf (cfg.enable && config.my.secureHost) {
my.servers = {
synapse = { inherit domain; };
element = { inherit domain; };
};
users.groups.matrix-synapse = { inherit gid; };
users.users.matrix-synapse = {
inherit uid;
isSystemUser = true;
group = "matrix-synapse";
};
sops.secrets = {
synapse = {
sopsFile = ../../secrets/env.yaml;
owner = "matrix-synapse";
config = lib.mkMerge [
(lib.mkIf (cfg.enable && config.my.secureHost) {
my.servers = {
synapse = { inherit domain; };
element = { inherit domain; };
};
users.groups.matrix-synapse = { inherit gid; };
users.users.matrix-synapse = {
inherit uid;
isSystemUser = true;
group = "matrix-synapse";
};
"iqQCY4iAWO-ca/pem" = {
sopsFile = ../../secrets/certs.yaml;
owner = "nginx";
group = "nginx";
sops.secrets = {
synapse = {
sopsFile = ../../secrets/env.yaml;
owner = "matrix-synapse";
group = "matrix-synapse";
};
"matrix/key" = {
sopsFile = ../../secrets/certs.yaml;
owner = "matrix-synapse";
group = "matrix-synapse";
};
"matrix/cert" = {
sopsFile = ../../secrets/certs.yaml;
owner = "matrix-synapse";
group = "matrix-synapse";
};
};
"matrix/key" = {
sopsFile = ../../secrets/certs.yaml;
owner = "matrix-synapse";
group = "matrix-synapse";
};
"matrix/cert" = {
sopsFile = ../../secrets/certs.yaml;
owner = "matrix-synapse";
group = "matrix-synapse";
};
};
networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
services = {
matrix-synapse = {
networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
services.matrix-synapse = {
inherit (cfg) enable;
extraConfigFiles = [
config.sops.secrets.synapse.path
@@ -100,7 +95,18 @@ in
];
};
};
nginx.virtualHosts = lib.mkIf cfg.enableProxy {
})
(lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
sops.secrets."iqQCY4iAWO-ca/pem" = {
sopsFile = ../../secrets/certs.yaml;
owner = "nginx";
group = "nginx";
};
my.servers.synapse = {
useDefaultProxy = false;
certPath = config.sops.secrets."iqQCY4iAWO-ca/pem".path;
};
services.nginx.virtualHosts = {
"${cfgE.host}" = {
enableACME = true;
forceSSL = true;
@@ -125,13 +131,8 @@ in
"/_matrix".proxyPass = "http://[${config.my.localhost6}]:${toString cfg.port}";
"/_synapse/client".proxyPass = "http://[${config.my.localhost6}]:${toString cfg.port}";
};
# extraConfig = ''
# ssl_verify_client on;
# ssl_client_certificate ${config.sops.secrets."iqQCY4iAWO-ca/pem".path};
# error_page 403 /403.html;
# '';
};
};
};
};
})
];
}

2
modules/services/syncthing.nix
View File

@@ -71,7 +71,7 @@ in
phone.id = "OSOX2VZ-AO2SA3C-BFB6NKF-K6CR6WX-64TDBKW-RRKEKJ4-FKZE5CV-J2RGJAJ";
wg-friend1 = mkWgDevice "wg-friend1" "XBIYCD4-EFKS5SK-WFF73CU-P37GXVH-OMWEIA4-6KC5F3L-U5UQWSF-SYNNRQF";
wg-friend2 = mkWgDevice "wg-friend2" "XBIYCD4-EFKS5SK-WFF73CU-P37GXVH-OMWEIA4-6KC5F3L-U5UQWSF-SYNNRQF";
wg-friend3 = mkWgDevice "wg-friend3" "XBIYCD4-EFKS5SK-WFF73CU-P37GXVH-OMWEIA4-6KC5F3L-U5UQWSF-SYNNRQF";
wg-friend3 = mkWgDevice "wg-friend3" "3XE2ZG5-E5IKNI2-VJWSGDX-BW73BOZ-UFFI3GL-DYE6KOV-PTBWLQJ-YOBRFQ3";
wg-friend4 = mkWgDevice "wg-friend4" "7YPUQ4Y-2UVEAXI-KBQVU7R-B6R5O36-GDQPTOY-3R3OG7H-BVWVOTD-EX52VQM";
};
folders = {

47
modules/services/wireguard.nix
View File

@@ -1,7 +1,6 @@
{
config,
lib,
pkgs,
...
}:
let
@@ -11,7 +10,7 @@ in
{
options.my.services.wireguard.enable = lib.mkEnableOption "WireGuard VPN configuration";
config = lib.mkIf (config.my.services.wireguard.enable && config.my.secureHost) {
sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml;
sops.secrets."vps/server/private".sopsFile = ../../secrets/wireguard.yaml;
networking = {
firewall.allowedUDPPorts = [ port ];
nat = {
@@ -20,32 +19,36 @@ in
internalInterfaces = [ "wg0" ];
};
wireguard.interfaces.wg0 = {
ips = [ "10.100.0.1/24" ];
ips = [
"${config.my.ips.wg-vps}/24"
"10.8.0.1/24"
"10.9.0.1/24"
];
listenPort = port;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE
'';
privateKeyFile = config.sops.secrets."wireguard/private".path;
postSetup = "";
postShutdown = "";
privateKeyFile = config.sops.secrets."vps/server/private".path;
peers = [
{
publicKey = "ciupBjCcIpd3K5vlzNMJC8iiyNqB9xXwkSC6UXPKP3g=";
allowedIPs = [ "10.100.0.2/32" ];
} # phone
publicKey = "OUiqluRaS4hmGvLJ3csQrnIM3Zzet50gsqtTABaUkH4=";
allowedIPs = [ "${config.my.ips.wg-server}/32" ];
}
{
publicKey = "JgeA1ElDwR7oLmyGn8RzvxiscMBhR8+L+mEjY1Cq7gk=";
allowedIPs = [ "10.100.0.3/32" ];
} # tablet
publicKey = "rFgT6TXzRazK6GMazMNGjtOvzAAPST0LvCfN7QXsLho=";
allowedIPs = [ "${config.my.ips.wg-friend1}/32" ];
}
{
publicKey = "giPVRUTLtqPGb57R4foGZMNS0tjIp2ry6lMKYtqHjn4=";
allowedIPs = [ "10.100.0.15/32" ];
} # jeancarlos
publicKey = "R1CTx5+CXivMI6ZEmRYsyFUFILhe6Qnub0iEIRvvrEY=";
allowedIPs = [ "${config.my.ips.wg-friend2}/32" ];
}
{
publicKey = "92JdW/NExg1tUE4cEyl6Yn+0Eex+iFVA37ahPRhRnRM=";
allowedIPs = [ "10.100.0.16/32" ];
} # gorilia
publicKey = "ecPNSacD6yVwpnLBs171z0xkw9M1DXKh/Kn70cIBcwA=";
allowedIPs = [ "${config.my.ips.wg-friend3}/32" ];
}
{
publicKey = "yg+2miZCrx89znFaUlU/le/7UIPgEAMY74fZfEwz8g4=";
allowedIPs = [ "${config.my.ips.wg-friend4}/32" ];
}
];
};
};

7
parts/core.nix
View File

@@ -196,6 +196,13 @@ in
inherit ip;
};
};
mkEnabledProxyIp = ip: name: {
inherit name;
value = {
enableProxy = true;
inherit ip;
};
};
enableList = func: list: list |> map func |> builtins.listToAttrs;
mkPostgresDependency = config: serviceName: displayName: {
assertion = config.my.servers.${serviceName}.enable -> config.my.servers.postgres.enable;

1
parts/hosts.nix
View File

@@ -6,5 +6,6 @@
server = inputs.self.lib.createConfig "server" inputs.nixpkgs-small;
galaxy = inputs.self.lib.createConfig "galaxy" inputs.nixpkgs-small;
emacs = inputs.self.lib.createConfig "emacs" inputs.nixpkgs;
vps = inputs.self.lib.createConfig "vps" inputs.nixpkgs-small;
};
}

11
parts/packages.nix
View File

@@ -29,15 +29,8 @@
in
{
packages = (inputs.jawz-scripts.packages.${system} or { }) // {
emacs-vm = inputs.nixos-generators.nixosGenerate {
inherit system;
modules = inputs.self.lib.commonModules "emacs";
format = "vm";
specialArgs = {
inherit inputs;
outputs = inputs.self;
};
};
emacs-vm = inputs.self.nixosConfigurations.emacs.config.system.build.vm;
vps-linode = inputs.self.nixosConfigurations.vps.config.system.build.images.linode;
nixos-mcp = nixosMcp;
nixos-mcp-server = mcpServerPkg;
};

4
scripts/mcp-server/src/mcp_server/tools.py
View File

@@ -131,7 +131,7 @@ def search_docs(params: Mapping[str, str]) -> tuple[str, str, list[str]]:
def list_tasks(_: Mapping[str, str]) -> tuple[str, str, list[str]]:
"""Return MCP task list contents."""
tasks_file = RepoPath / "specs" / "001-mcp-server" / "tasks.md"
tasks_file = RepoPath / "specs" / "002-mcp-server" / "tasks.md"
return ("ok", _read_text(tasks_file) or "Tasks not found.", [])
@@ -177,7 +177,7 @@ def tool_catalog() -> tuple[Tool, ...]:
summary="Search across docs for maintenance topics",
)
anchor_tasks = DocsAnchor(
path=RepoPath / "specs" / "001-mcp-server" / "tasks.md",
path=RepoPath / "specs" / "002-mcp-server" / "tasks.md",
anchor="tasks-mcp-server-for-repo-maintenance",
summary="Implementation tasks for MCP feature",
)

15
scripts/rebuild-vps.sh Executable file
View File

@@ -0,0 +1,15 @@
#!/usr/bin/env bash
set -euo pipefail
if [ "${1:-}" = "" ] || [ "${2:-}" = "" ]; then
echo "Usage: scripts/rebuild-vps.sh <host> <flake-path>" >&2
exit 1
fi
host="$1"
flake_path="$2"
nixos-rebuild switch \
--flake "${flake_path}#vps" \
--target-host "${host}" \
--use-remote-sudo

42
secrets/certs.yaml
View File

@@ -22,38 +22,38 @@ sops:
- recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsbWtvSXZ2MVdpdldmNUhx
OXlXSkxQUEdrY2wyMXZFdDNoR0VXU3hhODFzCldQOXFpamRsSmJrMXpDSU45aE55
QzVESG9mdWN2Z2JvdEJzbElud2hWQTAKLS0tIHQvWkxRdXJlRGp0NGhoZWFaRHE5
N1NHa25pT1FscmJ0WUowcXluaDg2WGMKigU7SPfaPWuW0gNF6yQIVWMDkddYWK+/
BETBlD1+yyFk8pF4IfR9iU2JgWLSCzMK5JDZXjm095eoDS5xTQHj3g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VUMzYjZ5WlZtQ05LdnVt
b3V3RmFyM0VZWmh4dC9YZFpsZkRIdC9TRzFrCnBuYnhSaUgwb3JuSUNFSWlwSmVq
bEoyQ09XSjNBMks3M2ZYdlh0eDFNYjAKLS0tIERpaGhISDFYd3RCYUV6Y0lmdGNQ
VTNibTBMN2RuN3doU3lYK1drNjVTVkkKMmRW0NtiYKBcUQ8kKjXcS6KjoPdVfN5d
6vczsKTTbUwI0n6T5xrwRdbVIFsP4HisjceQWxJIVBthR0u9dLfXGw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweGpWcDczZFFoTXNDc2xV
b01BYVJiYjlvQy80NlF6K0lRTWN1Y0pYcUZrCklsbzAyMFFqNXVRK0x4NU1zc2JL
WXA1OUhPQzZMNDhxMkU5K2pvc1lCOUEKLS0tIGo1aHA0b2lSdW9HM3ZPTU92Q3VU
dVgyamc5bzJ2T1M3TXh3dEg1d2xlbVEKvEWuB9hPQXkI8AQ5oKs0AU8v9bE4PpLu
x35YD4Wvfva9l21o1d1474bk9+nQnksj1ofgQKYilvKSetH11KkuQA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvb1ZtMjV5TjlhMVRwdWNU
ME93Y0xhVGlxdGxmeWtXQ09EN3lORlJpV3k0CkJxdE14YXpwcytjbnZuMWpHVzZ3
dVVBYVE0RW1naWVVQ0JRY0NoWG9LZTQKLS0tIG1udE1GbEtTQ2o3bGl0SW9NZmtF
OFNqTncyaHFUSzBNRzZiSTVBdkhFWVkK2v81N8c8cU1Ig9fQZOn0fltqO+Ej8Wtk
D0nMQv2fbWp6YlyE17VYPgmhdEY6+Zstve6PlBG86iQE3LTAfjG3Uw==
-----END AGE ENCRYPTED FILE-----
- recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmem1iZmRqSXhVcVA3djBo
SFVQemRuS211Q3kvZEZzVkIxSmIrbGdtcDE0ClFwN0NydUNYU0Vpaml5bmhXSDJN
QlNMWExNRFNUMEYwa0QrbWUyUGFtNjQKLS0tIDcwYzVHYXBOejhHN0Z4Njk3OHNL
SzJoUVArZ2xkOGpYZG5pWEpGejVyUlEK5VRrn6jp40iXOdoDDLxk4DhcprKBZd8v
yHp6GBf7mFWxkvw77fl2/q7J6krlwix2sC5TLlk26zfgSaISz/mR1w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSVdUWXRUa2tHVGczelhu
UWk5RFl6azRJTkdxZGxvbWlnSDc3K3NlNlgwCjBRZEVta3RuNW1DZmo4RXJyTTNk
cnpxTDRGL0kwQXJmc29LNE0wV01hUGsKLS0tIGgyTWZrOHVNTGExRWtYMzJ1aXhp
cURNZXBtbnp2OUZDZDZKeEMrZlN0TEEKznlmLKFHYDm/hv3EPcHjT0A8r06GL7if
tbuJei8aWWg+uuvCBTZjHqmPUyNR1ixt84vxy1HlwXVu3dYHcG0Wug==
-----END AGE ENCRYPTED FILE-----
- recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
- recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOXRFVjBENnJqY21ZNkw1
WXIvRURMSGRJUU9WMkRtOVAycHVGQkZnZkZRCnZlYUhYLzYwaEF1UTBCck9lV2c2
Q2pmS1hVR2xkeitGSEpGNXptdDk2cEEKLS0tIDJURXNKUjV4S2VXbXdyNVRJWVhj
Y2FnZXZYZzNrZkZubCtneGNHVlVKUHMKTasbVdxTpuK3UYmeAXWt4Gs+M9NnodWF
fGuCUVkGNrXHiLBYUjomvmtYIul22xiGzes0xHzSBE9jiZuVnu4qlA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZYnlaTkd3LzFRbldWL3RZ
N2ZneVIzMnRpVVNHVWRMdXJLdjQwSWFKS2pFCmlQZUZMbG03VFVuUXcxZ3NRWjVH
SHVPYzk5NGpkeUVSU1BmQnNuaWZnZFUKLS0tIFdQZEU1YnhHZWRIajNYWTYxMEwr
UVBjaDFtSWs1b29DR0R2WS9pSGh3OEkKmG34ldBy4s9nj3ng/HQr+gN0LHJCOPJ8
EWhh7cTLSF9AmZKP0sBsj7I4hHhZlOn85bvTM9RDiRVOSz8VrObXHA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-21T20:28:29Z"
mac: ENC[AES256_GCM,data:e267Kxv1Pyun/VOcLepBDBEKN6uSf8/iuY8KQ8u4xK58wsWkMdSDVcDKvO/iKF/Tj9hj+lZapkaKmp5SdeX+gjpyWiZi6QmUuKsCs0jlkV2NydLtZZt9vkmY/LCguIBRMmhDgidrNcfoghTxDDK5lng5H+2MBs0r2zLID65pHUQ=,iv:tr4YFdBltnsD4uTt+0NCam7r1QzhOmdoEbfz5/+JGPI=,tag:R2dDWTC1qrwPI9ghaf1FEw==,type:str]

48
secrets/env.yaml
View File

@@ -6,7 +6,7 @@ oauth2-proxy: ENC[AES256_GCM,data:MnAMX4adm8joZGaxZhgMDGf/15U2tk3dE/0dHFwETIi4Jd
cloudflare-api: ENC[AES256_GCM,data:iNUMlY8rz5yHVitpK4HGaFSK7j+c8Pm7rOQMOQGmSJ3a8ASyrtouPgLbcnoPY/jalsJYAj991dSiui+Vwqs=,iv:qWONG/KLd9/F4tqrWF5T25Zxst3bk+kOYaOFBFSBAAY=,tag:gRFxar8KS8gnX8oaCD156Q==,type:str]
synapse: ENC[AES256_GCM,data:IR0pFwQBEM4O8mzzYXrPe2FjulSUGuitzLDLms2uovr6gEU82mCkRO/UCQOybNm03iOQeXX0Whz739kpYSGSInEyx69BNG/etH+bMu+GbYeMdrTEyXHSa7kcH4Ug,iv:Vn2ILYXnCj+Op/E2kWoxV+2ZtlxYJxO6XK3Ql41KW6w=,tag:9wogJFLlmfM5PRgPdwFlcw==,type:str]
readeck: ENC[AES256_GCM,data:TsIkHLji37dDHQRt78SquBhoSREHDgvgbc6+M1k2MLrgMGJ/Ejfy5AZXCIp/Qj5sXDzKP4j6Y6xFvGLswCqe02XjqGCpX13gZVCFPuKr8Nq051Xg,iv:Rc/pjYP+Vd/DvLCYsfJjDrnAlAiUlZOcNeeYzE6O3UY=,tag:OvR+CXMmrUFbsrHvduhnjA==,type:str]
yamtrack: ENC[AES256_GCM,data:bmDBNenbzuYWxoXuRl3Mkd9zlgFy0ebprCYK6Xvwf4x/xoHVic1cG+IdKYCOx83aWQtHNq9SHw9vytN+XBzy9xJKS+r2j39ECvQ41cIbepEj785JNV1Esixash6h5QZhCLdPmOqalTBAPWu3pIK55Ka7MRXKQKophy/6lRkgFKZ0XVa/gPiDsP0uIOk9PEiL8F19hcORfMKVUtiata9eXIK9Gj12P7PE5eVWsWbRlI6Xux9H2H9dHnqhAueeriuJoA/y/3OpUpdC9u0yYKn0wJHDvD90lAz3GzcK3rHu+rviUJv/Mn4k+mmiqcfARMuDxlSBrmIyooHKn/WgOkoNyeFUYsB7xGn+pZGDO2luM58/pAat4H+nXtLYj5vLKF9Bhl8blgRK77XS1WtZc3w+9J6pxD9uHSk3YmBYK4F+7USwVOi0TmzRH9NDFUL9yKinjH3BfzXD/Hg+WwIUA6ajAhOvp13zdg7EhCBGab9qHilcdPE55jTPks74n7Qxw659Rl9aiw7i0TKlifu4PNXzOjm/OAYWhWChc/BgZ+2Akf2XyXh3UfE4W2bGySPpGrZC/S62d0xDSA/1c/EEXtai+GSLGL+mhPN0HRvf0m+md78cZnTaPLlVC0L5U5Czs0i0m1Kuhg1TCIG1mUxj6R/oTVm2ROYK2ewfzXVLA/soh8R3S4wGH7JJktinwzN/Ofc1OvJmuAIrTmujrV5rlJmanSNR4u311Kb6v7xjYczR7HC3lQnbTVh+OA2zUKaXJvmjXmhav84MYA6Syh+14HyphVulqPBe/FeaPe750daEV62CDjwSr6nHiBBzdTSyrJOg2vicsdb1yVVBCH6/g41jBtQ6CM0LfWMCQfczH7YSKgTXbSi7VWU8ZsyVZIFLUYOie/c/fP2ROwUcwfzET7q4x78VaWa4CLlPeDk+rlY8+ZkfLzzPgzrPl2WIxiKaH9QnqAnuRJ2QO8jNdxm65PNo/Zlz0B5A6q0bo/8nPGU4Z1exVzEy21HzduwXsd5ARkyxxfunHcA7pA==,iv:0RJcr1l6hyDhqakhFNSkYuZPsdhHef+O7ith4G1zx24=,tag:GqndS/sMbmQNXHuxiByDHA==,type:str]
yamtrack: ENC[AES256_GCM,data:Rqisots808pJQIVSIkOjd0oHF48zDSd662SUmp5sQOo5z+EQjSQusb48vDUkBE6leT/S+vB/xluiv6sKLPT+TkVTx/cXVmaGY8ursXDKJc6QoE5nop0eFj1S0eSIeDYLn4tlN8y8uzPl2NjDk356j1THr6XwOqCMxYaKdhQZcF6tZIlbSNrQsnC/Jgzclloxu5KSSTj7d8QbSvXhE53c9YHereEXY7HMD+aVcbwAWF8onjMekSTnL6/VUua0urwUEa+BpdL/V3qBTzSJHHxlmusmo0xdUVDE9gw8htKv16ltVQ0CkKtAtFyeaGF+js3Zm1/IQxhMvDh0OZyooFpxk30VqGlcq8kO3ErixKkUwwmgypxNsGtHyrs2qBGjalwc2zqCY4MRCvjfYZ7LfhXReQtmWTuABJE0WL1spbSeWPKwQEGKS0/8sVyFPwuKY8C0CJO0W3AHq/+Q/cGgNHqckeivQ5pyQNBniGY5ukZtIgA7tBP4pbyEyMhohPKXEi3V6I9j50RKi6o8H6zTysQtZXUAFM+AcOUJBFYjLR20J9Dqsn6WFuTNZUc3RfIi4so3STWmAx47irC6Liq5hkPLgDZkLP7LCCV1SsWabLzKB9abP6Kct5jtJA8FltWbtAXImkyFt38IULywzoyjsUAfj3mENJLGLhi2jZEA1Js02u+TbZnw9B4D67IXtyTYu7kKt8U7//B4R31AjYLOkmE0AyLbPbhQt0cBJysawewOKMT+omMNv0BazfCrIwpjry04um8cg6LMrUD7uN7N7rqKfOaf67aToN0D3wIG8Zq4wRVZZOcYlTeORZie5tVEP3FpCXGtF+P3,iv:PMZCRPb+08lmaT9bJmaIQ5cTCtOy6kzdewxkX/3bNX4=,tag:Ut6aOzXKImLSVLbZx6ac0g==,type:str]
keycloak: ENC[AES256_GCM,data:BmwZxuJaOB8F7zmBNAf42lkw36s5TepimtdyT2xjdGVyuHgRHbTZqeVen7/0II39qrJjko4agZJgToIZ1uhaC/gpGSoHZlib3rJozPCqmBc42nO6SOtpIO8=,iv:kPModK85937/liNk6iLIRiQ/G5yB7S7h24ZzPb8A1zo=,tag:lWvDQAHVRiBz8XZUoADKvw==,type:str]
linkwarden: ENC[AES256_GCM,data:G73i29pEyjmcHqo9NbHFUL6XMyLRzxln8WJyon+pk1uqb4I+eqYWlxk+uHNARPXOg0vXfDkDXDGPP7ogCa1En4yOZoY7ApuC0iTUOxicZY3/E8WQGXDEsvOlbr8yPiNLWQGj9aDtSMOOMv/NMv0GN2d7AfT5Kso9Rjrza4bUeq29DMttwa2Nfoum+zykGS3/zbsVH+aHYLJU3dCyY7RSdq84JfVBPaINVgBG+akeO7Uz3ArUOBn5sjmva9Ve5pbY6c5pBLnC//ypmGkqu4sb9Fy84XUw739Ay2kOZeB3oiZ59GwIdoUmx4JLVDaq2ykqJ09YFDf9OdKnMjYel8iHr7zq/+fgvfefiUz9riYuhQ9DLzQO+WQwQMYJL2SX8jeNiACNNTF0zoPitZqXKbZZLb542wUKN9ucbR/w,iv:Yc04FHnaZfbhOmDyaY3/hePmjgWvjWmtt+B8lB8e0xQ=,tag:1nwtm1bDbVRx8frgbLNh5Q==,type:str]
ryot: ENC[AES256_GCM,data:VMWf3VqcUdyJu2Ygd3XmoqGNWY/W/VJ4213ej0FrA95kAoX+S+j0+4a4B65NtW9UheDSxD1swTXebyenJCIN/tEZwH2wj9I12akNNvSDpt/LG3d1/BZ62cvLCb5n9vyE/vcXgJVfPUqmc67pYDWLpEV/vkKjpqwNH4Y8vnapVo1ytIgsjkTuBb7VFbnRPvYs6J1M0rnaTtkVhOBoRxv+Xg3pWYCgFEXdM/Pg/WKqdHpyh+tJqR74Z91Mwv6G56ZYEDQmAp+Cn+Kk2zZ+t44UAu1SQOgYXPLep+4/PgWw/vQMuyN7GNNP6TrsX3g+ONtJtkdmGu6ArcfbRAky4vM14DxlQP4xSjYSu+FDWGJL/J4TMw6IVDuw/TDVNpMrhBmZdPujYLUW1c6GCCEchBknNfw/Wt+NyTjOzCmZLVw760jY05Fa9kcW2kz+P0iAGTviY7yJZWDctP6PrVNtG1cXc4noJqV/uJ9sQmuGWCiTzaCIIZEhwRKnvjpvZNisKPhx4tctZMWm8l9gKO/TJC/SHMIhvEazmH4v0AzCiRUzdTfnWQZGTNenDrCUetztPh/UUJbLZjhFBH3QR26w/3I5oNpUzUDhfDhcEYtfWuB7ckbkXT8nyYMfe0OR16yJTfQCdnIPBhAUi1g1ZV3jFg+OhYWxk73lPiqC1ADRNh01L1k90PMMWtLXXm6aQ28cB+iQTvvgKbDrr76U8bXoZUyEl30waOQ2HT6nDG61OBUtQHTu6/cFhfhrnU6poAD/k+L7SyqcBoMYAZJN6Us1y3SKhV/3mXVKjRwSl5XZSW+ZpcRe/Cg4bonxFBYsZyY3VjK0LC4Cj8ijh4LpYWrGWtVmWOt/gg7UQPTd81A=,iv:Oa2pvfDpfPr3pqeAg2kYIzjf8KUK9ckMfbVymM78FyE=,tag:XyjYEvWo46BliYXdDH8QrQ==,type:str]
@@ -21,40 +21,40 @@ sops:
- recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDclRxNVVzaC9lazNQSEdp
UzNBaTRnNzhzM0dLaVk1QlBaK2ZUelhoWmcwCjAzcnNsakxONSs2UThpNjhMMGpr
TGtnY21OTnd5NXdvdlpKamNCdXNjbzAKLS0tIFVxbGNLNWhudFRoRjBOblNrdW9k
VkhOV1BScVQ0RkF2bDBabUs1a2toMTQKDAeEu3+vuVKcpm27igmQuBvFfsMd7o9H
Wbinft1NiaQhc+7KtDEx51+tS+cgaGzObkWabyQutDqWEa/2PZLZLA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcWpKQ3RqSVdxcDllajc2
UzVtdmxBWmJ2QkI3SGhYRlRadGJYaDU3UVN3CkpQYkxhVm5ZQ2djbldYL2VmQWsv
SEJmam0zMzlJSFpHS3JZWVorUmh5ZDgKLS0tIFdWdU44VlRDZllCYXRTQzNyajRy
cDJqNzA3ektRWll6SkFsVnFMd1FBUEEK0j9X4lYcFaj4MnVh4jnNwrTg2Sl5TTdZ
uFvTdE4ZNtZsh3nKmj+v2J3JM8dDUtw2NSooqpoqEvCYdDqwK1kDXQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RC9Ea2VSZy95Q3JJWlhB
VFVBVGxnQit0WC9Vc29Ic0g1aDNBNWFySmxzCngyTDg3R292c3VNUkhvUWNXaThE
NjVjTVlEZHhVODlFeklKNU9peWdad2MKLS0tIFhVTHZoeHV4eVVGOWNHeml0b2JE
ZVZiemVkYmZxMFVEQmVvVkZnaU81OUUKPHdwj8s0Ju2Y0Vh31jnR83nQ3jpqjkhr
4z5OxYJk2d0uO9f1jNaiIVLRxCdbj3h84f4fQqoQv5csrc5H9mg7Rg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGSXlITkpxcHZqR0kzMlFY
TStOVitPSm0zTURZcE92NkM2ak8xcVF6OVZBCkRRbkpBNW9yek9rWFlOa1pLSk0r
ViszS3pMNFhLQlcwdW83R1hhTUJLT0UKLS0tIG9NTm5tNzlidlJmejdoOUkvUE9X
RzV2MUFEMnlHVmp3UmgvNmJKSDFrWHcKQ7y2W0PFLs/I6Tb0J/M91+toDP8XmgWh
LYuNc9lkjTs+ylIWuMTwtXdceI+kK8hJlELT47FyKl755DzuB1ufAg==
-----END AGE ENCRYPTED FILE-----
- recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNkNLTzcxa3d0M0pJbXlp
b2V1alhBUFY1VVZIZUY3ZHYyVmFKQW5tbGdjCnJXSHpmeDdTWWtHTWt3TVlCR3BU
TXFXZDVabjF3d0JYUk5Mb1c1dkVjMTgKLS0tIDFFbHBCSXlPVlM5YUk4MUNiNWdx
bjg3aWdMbkNDMVd1cTU3NGxPU3cwVjQK4zDOWDUHhK0JVjiYTMTSmGej7yXb5X6G
SLPWPbrB8WLGyK/gdxDrZAxucxe/n/O0CsR5DQubmetfUSowk9RIIw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYXRodjgzR1hoR2VDNHd6
NGJ3SXpqRmJKVlY5aTI0R0hBLzFGQ0VSYmpVCi9BakFwRGlXd1ZPbWpHY2h6RUo0
VGl0T0d1LzdaZGNOZ0pDekZxVVBWUlEKLS0tIEdtVDZlN2FrcFhEU2pTMUdiZ3NH
d3ZSMGdkNzNaczBYOHFuZWJmcEM4MXMK6ayh37HUhOYPryv2Y2WlE1U0CX7qZF89
PzvHQZYcbZ2gsRW2f1uU2VoJp/6XnSipD7fCjma3iNovoPlu2+A0yw==
-----END AGE ENCRYPTED FILE-----
- recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
- recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WlF0WkxIRkpnR1RhcVJX
b05ZYzk3YU84TDI0cUpBdnRpNGxEQmFIMEVNCkxrTkdkUzBnUDdDQ1RqV3hnamYy
c0owbnVHbjFPY3JsOGIzN0xIZHp5dmsKLS0tIFJwZ1ZFbG5SSmNoMVFYYlNXNWx1
QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb
9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4aUk0WVhTUTZXOVRqam9O
WkVNd1FKdDA1SWpwWndHbmVBRlNaSWI4aEVnCnJTTDNYTkRtNkR5cUl0SURVQWxh
d0c5cEhJVTZ2YXdLdHFQRk9KN04vcW8KLS0tIGF3Rmp2Z0pwM0x1WnpKaVBiUE5x
MVBONDBmQjI2enNIVFFQT1hyYm45YXMK2NXWvm8G+Yrvw1NAC6AiDaxA9UftuqYe
ZB7QpfkdCT3vS52lBgcEJrM1TbaVX2868trk5kB4gjqVMPVPYxcGHg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-02T01:45:35Z"
mac: ENC[AES256_GCM,data:B9zBOpztJu2HYLh8k1UeA4UWb2gppHErEATiOB+mYMhcw2JnvEVHqN3X5S2y40M/ZRdR2V7y6MFG1PBxNYlQJrcjrojTz7stshQd8vj8saDttUXVtB8CwTD9tey2HK/K4980dUBqpXtjSi68RyoDlJW9Zz56ud8bPGXCHJFQ0i8=,iv:t8y2ItY8rTW1sQscTqEDOY1w+7Fo5e+Pk8gd2ZH8qC8=,tag:WuLeQwqLE/wVAFR6XIFTOg==,type:str]
lastmodified: "2026-02-02T03:55:24Z"
mac: ENC[AES256_GCM,data:+NN+RgkHAIox1IgUuC2ACHneRBzgn5FzsujpbPtmw1IecxeKMMXM7Wa1ZziSkWJSjjDCcBoanox57e+BoNWN5WhWuMdCed04AKcknfKlHAtHrKhoLCsi1sZnsQX7xBmTsA5qHD8788EWfIgPk4gToXkq5KkEfvEWLvalClRK7tY=,iv:kGyw9hk6vp5iu0iMHaCLgVqdcv1gNUBqBhZbRSCa4Ks=,tag:FdKL/5ZraejphDIE2ig8GQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

42
secrets/gallery.yaml
View File

@@ -5,38 +5,38 @@ sops:
- recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIY05VY1FPOU5FTFFnazlQ
RStQVExNdWIySE5qSVMxMFd3NFM0L2VCRWxzClhleTEzNTVOaVl1cGovM1hmWEoy
eGNxZ2E4U1pRNlBaTDZ0ZW4wbVZjT0EKLS0tIEJ0ZXR5blBlckIxSVlmT0hxY1Bz
TGVGRFgzaHI5VW5GdjJvcmswUWFvaWMKQCK47p7OQUXq45aYo9BkkcGrzmPKCJOI
OKu/+W4xYOnfIo03GGL6f4LrbCaKr1mdtsRnuHmaFXiXdaKbZFDEhw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4R05sUnl0UFd3T3pzRm1y
U3piNzlpTmpZeEhkeWJxRkMzRzBWRW9LQmtBCjRHTVg5ZlozUnpsVjhIK05xYjlz
c2dwbWVKWVNXWFhTWEtlUUFjVUw2RkkKLS0tIElaNXN2ZmROdHd4bWljM3FyMEh6
Szg3WTdrVlFmSUJ1S05xNXY5RlM1V1UK7YETep9hn49UqRUjbRv6oGFUT/8lRgXx
5O5eGB1X8kPCY8zXiGWSzfo6X8O5659vWIvqjoY8nZxekgvsISS/WA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJb0MzQVZvY0ZCNlAwT2Qw
RnJOUXJISFg1Smt4VWdoYy9PT2hQNG1MNm5ZCmVhUFI5UGpQUkR4MTA4VktuVyt1
TXlVZ3haNjd4OHNYNE4rVzd2MkNGTkEKLS0tICtkZDRvODBZaGRCTmdlUkRESjMv
bElZc21OSXJsZnZaSHF5ZTBDSlNXaHcKixDNfM98AqYagtidcYE3lgkFM9XTIrVg
gbYoSOk5rL9Hi2rvP+BCEgsrRSuExGKVvdqODYltD+nNfTI1zcnTFg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpT1oraHpJb0NUQndMZW9l
YWZrOVBqOG1KME5PYS9YVE4zd2VQb0hRN1dJCmVqSzhkbU5DVmc4MFVnSnVYTi9V
RUR2UDNEK3JGOEFUWVoraGtqQVFFWkUKLS0tIDVRdU8rV3diVXNUQSsrKzlBdmFN
Q0x5QXdaOXRMc211TUhqTndQOXR6ODAKtJYiAeVTYPOpS+GykBDOLx1g3VloFo2P
fDIkOCrINnAU4y07KPhGBxCV3/2cvOPhIgsd02XqxfZPCEU/cYdCgQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZncwdllnQjYyc284RXVm
VVVJTHI1Z25FWXBhY3o1SmgyVW01alRlcVVVCklDNDYvMktDU1U4L0RTMVgvaU0v
d0NlK3pqYzZ4NFRUd3V1WHZTTkVpK00KLS0tIHVQSmRDekcrK093QUJQVHNZcUg3
WGVJQm5MdGhMbzd5RkNPU1VuNTZVeFkKQq/WyqLOOde86NNYnVq0Lw31YB2OcLY/
h/HtFN4GynmBOYcTuqIvBJ/TksXs30kWFKW2XSY0jP0JSY7Yo0BxhA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dTIzeCttSGNVNmhPejdW
ZFkySng2T2ZYdkRrRGRXQVpER1NJMW5XN2xVCkc0VTdsbXdLUkg5d29zZ3VmY0hH
U1cybHNob3VkdzRWbGt1bFhNeW9XN0EKLS0tIDdoc2cyaEIybjBHOU5tdVRsTWFZ
TmdZTGNDOFovMDVPakF0WTdHaUpHeFUKl0ub1OOylE2JGJNpeReebiOaVdxbd0wv
nvJD7tYYXI666Pi31OHttWhsHR+xkL8TU9Dd6uDs4QxIRQfwy/VxcA==
-----END AGE ENCRYPTED FILE-----
- recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
- recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZU0zK3V6M2IyMkFOdm5U
UG1oVi9IMzM0SllUQUMwMlh4NkF2V2pCcWtvCk1kR0QxVWRPM1pyWmdVOE1UdWxs
NldjZXBOZU1uK1JELzF1blhTQy83Zm8KLS0tIFFVRjVScVVGa09sbEdBdjNXNTZR
d0YvYk8vNitDbzNCQ1VqS20xUWx6ZDgK+kIRATTtC0Vd7/uPf8E4pIans79Ksh6J
Y77+owFFw1AvQ3KvaI7QVfKW61MzxI+S1bWqI3ZNOJ19Qv4ZoVhnVg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUldWbldqTTEwMGF5RVFV
ZkZ0Y24ycU1hVDlaTnpGQW1SeFlzaXc2a1FrCmtrUkxLcjNsVHNXemd1cWJJdXI5
bDFxUThzSFptNWtXMlNqM09aeklUMTgKLS0tIHR5KzE3dStMTXlhUWhtUWUwSkY0
ZldyVmtRVGppQ0d0SnN5Tld4cEtmQ28K1Yij+7OxQUpEsPt/GTnP+dhEErBH1HuL
pBFXqHLAwpqiEiiNhYnb0KVWeQnIqDo9WUnrbPavcWSrSkmCsszgxQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-10T05:09:54Z"
mac: ENC[AES256_GCM,data:N/BwfrwWcnot36Kn6RFZjjpUIluzq5Upy5iVVV4XSs+/0PYdlZGytjoAB+E3gXyPsLZ93UqI0A9/5KbfXBuR2oY2F7iKsu5puzgyYWa0Gl2z9YcPnyDnk1dj7Ne77xJlqR9YquGzFKF8QdqFXFA9cdE3b/1usTFhP26oxofMXs0=,iv:Iz/LzS8yeKQgDiGchYdKNymBeekhopJtBWaQGOwRZlE=,tag:hMRwxJlKR21W7otW01GmGw==,type:str]

42
secrets/homepage.yaml
View File

@@ -4,38 +4,38 @@ sops:
- recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdnhZNkx1S1IyWmwvdkVh
VGxNM1lUczd4Z0JKaHVlM3N6RWRWS1dBN0IwCmcvcHJnQ2h4WVV0S01OelA3eldE
Q0lNR0w2Z0owWnNjR3hXWGF6UzhyOTgKLS0tIFMvbW1rd1A1VDRJWW9TemJzQUl5
d2hISHVLUnpBVlAydEd1eHo4WGxLSG8K4uAVlEvgrohFbpvLexcfom5HRXMwTYrv
ftuFhDAyNHlTNABiPH/dmjy/A86Veb1LKXF0Y1r/RPWRHaxyw5f23g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDa3NpNG5tenhqWVQ5RFAv
bjhhRWJWK0NFQVk0cGVpcVJGS3BFeWlSQWc0Ci9IT05mQTVWbmk3SFFpWE9KUnh6
bHhCSktlbzVUQm1lOHp3cVpiSHU3MDgKLS0tIGg1UU4vVVo0SXRwMjJsVUZEZkFC
TC9Eb2JaVUFDSWRMYm5jR1BBa2lEamMK4V77WUVbMXcsw83FFdL2Rk30oR4cAkqQ
kc8Z0+5kNJFUFilFb54dnWTOh27K7KZvU1qIdhG3X9fuMIHSuPnyTw==
-----END AGE ENCRYPTED FILE-----
- recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQkFPN3owRjRuZjJ5M3JX
U3FaMk5XL2xoUmo3eFFGRXc3Q0Nwd2gyV1FjCjFjL2pUaWJyVXZIUHI2OWhPYnlt
ODdFVjVvMDhGSnRGejNTWFRUdXdleHMKLS0tIHpCZlc0TTVxYk1UUUk2NkVpcm1M
NjFnY2JqNkh0NFJkcU40NEFsNjRuTW8KMRIBZVBnxe+Drs5VqGzBLI6AsVJj2Vka
bmPFMl5ZJ97HxpdqQ1xkUqjoebp9KT5osOSglSK3CTkMRTEtyWQ11A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDRVdYVTY3QzR2MFJPVW9j
SUtmTldMRCs0dTlJcGFoMDVnaWMyNlF4OHlnCjg0OFFrOERKRFZVMm9NREhBOGRs
dTEwc0NZUk9hOEtvNVJDRXl0TDhCaTQKLS0tIE5OWm5CNzc5SW9IdGFud1N6Vm1D
djhzM29HK0FIdXIvaGIrRXlOMisxaTgKVCAiniAmfqJuwwiUpcGAvoyqnUEZ9gOS
SyhXMzv2cbomuOb0NiALRkd2up/uX0TVuz9wuBQvYYjJhqpFuSnbRg==
-----END AGE ENCRYPTED FILE-----
- recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQkxwV2lQRzNPRUtvclVE
Tkl5MVQyUUtxUVJpbnZmVTVNRThBd1JYZUVjCk9GSklFWUJBU2owVDVxTjdncEtI
WXp3bkRtS2NEazd1KzZTZmlMZ3Q5U1kKLS0tIFhGby9NV0tidU9MdWRnY0JNNTZ2
enphU0dnNE84Qkc2V2hxZWRqOUg5QmcKk3qdK28b9072s7bPj+TgqeYVS2lnR8uf
R9BUS6c72aJjxPm11JqNW8UPu0ODhZrVMyyv+p+KY1J2iaCNGNdvXw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UlM2MC90SEM5elBtNmpm
cnpTQVF0VEpLUDJPZkEyeGNuYnl0cEY4M0U0CjhOY25BcERjOThkbkVhNnJtaVpv
N00zOUZPWnNYaEtYMzlXZk56dGVPeGsKLS0tIDVDcGY5cG1ETHk4eXRFN1hVOXhV
Y2xncFJuNUs5ZkhLSjJyc2pzdDZxbEkKn/8BtUXPQ0OdR35ZwiHWFB0AqaDtAlG7
N4Z7iztqiscuxn8G8VVVFdkQLBY3JcrXhxPYWK4xtJeEtpIMhegxeQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
- recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTEZFalVYbUdNb2YvOW95
M1doTEp1ZHRjUFJSNm14V1VWNE5hTWRpemdZCk1GMTdrck04N2Zydm5aYmQvTzdH
TEhrK2dES1lWVGJaOU5CUUY3a0ZtSTAKLS0tIHJXdzRGY1laZnJ2em02ejB4RUpQ
N3BtMkE1Y3d6Tk50ald2clJ5VVZaVG8K6BDcM8UAtBf0eBYosTvrRmi0Fcw05q4a
FOltP/mH09OQBHYJ466s8eaPj0TwqMl3524Byr4vTPYTy0keRN9EWQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1VYanVSZTd5elNlZ2NC
bnd0V0VZVmtrVDhBbW5KUHJDMUkrekVZeldRCjBNY3g1SkVKUzhRL2xsbjloUERi
UXM4T1A0a1V2eEFlQWlTQ2tDdFdaZ1kKLS0tIFFtNDZzbzYyaE5UT3R4eDJzNnU1
RG9UbWM4YTVHcFpKblQwemNScDVteVEKA6fibq6Ozwrz/tg9Hrx4bH9LCadmW5fR
IkFalgD7nqew8KwS0keyKFk93i2p6sTDZPy2/t+WryMXBIc/y0iQ5Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-01T22:31:04Z"
mac: ENC[AES256_GCM,data:gtTuLmgVd5t1Eic+ld6x3pmAlv2+SVf4OgUICu78DJ9L1YCtmJ+LsqIoHFueMdQAmubPA8c4xYsHWCDu2dbrUDUs/79BF2u4P9lbNkJx5cco8bnPdy2tmkhcLwb0HwRduVIbgcm0wzYKUMd76Y0ChxdCddkrkk+PjXkUE7OBNg8=,iv:Eqhoc6GjB1NOnIIeRIdVoQNQm51DguH3vEX4zRUgeBE=,tag:V25oIemZpdJDMRFcZkH4bA==,type:str]

50
secrets/keys.yaml
View File

@@ -9,6 +9,7 @@ public_keys:
phone: ENC[AES256_GCM,data:PvSqRnz2qGQU5kdZZpeqb3Eg2psLYrMoV/168CKMWpc1h5TZi7TeWkCQa6ktPR556NT4Ny2m6rBzADtYZkjFIKtDLXdhTYCeL2eFWB3VbSGFHsHgvxXHbae+zg==,iv:XGO9d0QZXbP7vuNDY4/Z/YhRCPKwj3RoQBx5daQO/xI=,tag:zayb0RYQj6UOi6FKJbhhRg==,type:str]
emacs: ENC[AES256_GCM,data:JBdqrtYy/1oVzea3WfvAX077R/8KECe+nziqHM7sZSMSq8nVxMeTIqXuowYsp15Dr9I1hezgedC+IfvkKyu9pCfS3Smzs91o+HEPB5T+nx5Kgn4pwNzw/4ahiA==,iv:OQfL/6UmhWcX2nbyWHZnN1+a5EP0AYAqTIdxn5KLvRE=,tag:JDL3IVYy2jAsDWOObTBFLw==,type:str]
lidarr-mb-gap: ENC[AES256_GCM,data:KuaF98xCy4fK+mrWZQXPpZ0BMyZ/zblJzkZRFVlSF+G948Rql8+NmhlxpBxJ3A/SvFNIvfjzE+UZUnex4gbgxrtvP/ylWuScjYaKdAa0iWfCOxmIAK4gOR6svBMZxIJ1UA==,iv:4Op/XfSbpNxlaGWUMMYR1pa2GkGK77iF2jUmF07CYck=,tag:hS0d6kJxCrOfvGJ4A3BiHg==,type:str]
vps: ENC[AES256_GCM,data:irYKlykCixl0kTvE34+OHhzH4FUor079Mjjn8cdfqnEYUT9jT/5Y6P+q5PKNu61ggaddcPkRjjFwmVaFz0LaVJoJa7D5S/UG4wFnw8D7nfcUPNV32vmuLomgFEhgvNYbf9AdURM81Y6pSwhWl5OM,iv:b9C0SLW4S7IUXfJFLxLHmyws8tAs3LJ+Yy0mvOBA7d0=,tag:BnafiWiTJz3CnFrdPtH6kQ==,type:str]
private_keys:
age: ENC[AES256_GCM,data:YZtCasGFuxj4mVnhDtNzXgrzvdjwvHVtaBj2gDJf3dzA7dCe+n7MC5mYowHnS+oZpGFt9P0ImKw30yAYRGZgvxJqL32ACbob4oqcnwmJgswx2ZCwboz/I1PKkAb5uo1Bhc3tyhEshiA9wk99CoI7ug+TGOC5eyFw8RM145uJdxaYJjFmYdSorbjYd5JpijYi3u7p5buIVtr8VRt3tuWNUzarW18d+ZjxtCAF68W9jqICtuODdFakt3pZ9/2byKR5KG1sBKdc38DvJFkRq3wlDE0U2PwPyc/RDdlLAnYGYlZD/GsC1YSWEW/ygxO5lpkoJlxF+/02Qs+lyZVEJd7buYCMU3xkR3kGOQB2dZXa7T6F+Jrr6Ek7svTOQRaId68KhQW33piNUXN8d6YnqIRj537exrcmVCNrRwJmlJ1M8pcYN4IGj6OFICw/lwiTcN51OL4UZOOQZZ60jbgdwWj5gM9OFmxLm0PkIRt6KMQVx58jIzmXqh8SF0+mkymbQdVaoDD5JJ+ltTQgIEBaPe7sGVEK4lGH6qbgtm4F,iv:coRTCK6BSI8QFtfjTg8IAdwumSt6fuQryTxF5g+GF9k=,tag:K06p6t3Gso30DTY/Nk5EDA==,type:str]
workstation: ENC[AES256_GCM,data:QrM6MwsStFeOH9bFaAuNPtxVWB7rlXXV0PD2Em5Nswf7PIPuzYagQaqBF5nV/AteeJjwsz6KLuBceMZ3O/WlccxvyfY6i00DuRvzJBi+5gZl2rfM4OR5sHC93bzcGmyU1dQUA0nEeGFYUfd4+ZM4BFRgD5OyhpjrqaNYw5kES6WZMCYiR8NAPE2Ca8MqCX3KVQp1AAzgFq/nN0cvuWIflYVIngR4PzAqDGXjgWaPT58rmcWk/3KS2nOKRX5tQ/CgJl4FLdrjuR4VLvoupeUqv1yNeSPSljX+gEK8Sn9vONFd5k0bifLzQd+zCLWyEdJgNvSPf7bnXcuqU8RLSmjckMRAP8YVBlyqsNY++JidXuXukV23aB63dUp44yhIYEkt49/ISJb2qerj3U/Sy97VTw/1WNwY1evzHPlobrUjt3ilxWoxAdzjrqJXWultYYBEk0crmKRRvnABMzaHrZaqaSrHsSfvE4E27m+L9HNwMyq7KywlwrB0KAog52iCi17Gbnrva9aEGrn8Mne2VCvwcrKSEciV1soKpQgy,iv:2+xsS/4+vfQ0UBsHgLVCeV6GOU8giclqNpPXoi43shE=,tag:YVSiY79mHJ2LE9Ab05VE1g==,type:str]
@@ -16,16 +17,19 @@ private_keys:
miniserver: ENC[AES256_GCM,data:OdKoGmxZYBp/XTQIviGXcRrz8sY/Ea1KwqtwmYnDmejGZFQuotyr9IHDBy7nyC38Rq18jtRGK0DvQTs+0z/jaBrtAbnk3/aodRpy0q/82XOpUDJ+oRPIbuC1KEyN+vzzTe3jd5Auwg7dy/W7gKgAoR7vhkNeAY4TPbE2ybqsbPDIhDWmCMK43DIxKcWO8LrtYJ9/h+XR1XthGjICRXygOeMA80Ip4BWGMvXnfGcayKTIlotIWNasYGZNn5E/bfb6uH58zPvCAWavleRm113zOeMjlgbtAyl4IyM1StGvZtJq0ud9Txza4AkWmTvYLcAB0xaiph/Vm01GBlaGSWZmOqo8ybGEEQgh6JBlYzHwJ0swqg3uCW59jxeQcGOnaW0YrYPix8twd/2GQafxx2denWFgvoNk5itIdOr07BF+JYKd5FU/Kajo9P5mpV2uFR8sok8/Q68thYvfOEK4wOysWM46lHS/H/P1qeJvCbO6w0hGt+VN/1lbqm+pcVTDMVsfWOkA1Rmm0aWozoYOAPRXH/PjG1NTiqJnecsyw+vZLlnvaDNHKHWhxnWVJw51hSH2fTg7nVz+WqwC24eOmGpOG7UUCdQ4V8L3wb8qDPTmLmo=,iv:FxxpTqtde+v9c/+xDfWimYlgkhJSI5GFIOAwoSrjNsg=,tag:LcLxjKaQ/5JT3hJnBgzmqQ==,type:str]
emacs: ENC[AES256_GCM,data:jBLy+gemP+4b15WGaYBMV3fdlPJpZeZfgPSWbj6nnsN0J4b7RIOZQXl2NoDsNS6yi7aO2J6LoQ6WSJX7si05OlCXJESCu3ghmNAdOQq3lWs2taQMISBV3g0S1OlLXFdDCohBC62y55nMp0/yenL7WzfhmtTmBoFxkp1VcSjI5B+MlcEW/0BzVb7YESCXB5GVSlThecGQ9BEEMBxfhKsSwmLQXIrxdtl6nmyZh8lTselwDwRZ5E8LFXLVwccujAI1zYM5H4qYjBnaizs7f4h7fHh2qs1DeZwFaELFtjgU207IDUQ2CKfVBKDL3XES5gjUnHix4l8lj62ZCWniexGQtVUFAxRerRGS5AQRGDtovC6xPZaylF3JoXEeKgMusPygIz9nzyeB1mXq7FqT+Tv9OG0biCqVEphcQ0GEc2RVPq2ftID0iWyoony9T061nWSkY7QCGlPTmp0PVGLbLpTcd3ulVbuoXKsTLrUXJrAA+5xQe62bS22P2FdKlMP93SvRkM5JoSBI/KBEzmWssuLdxyDopNGpoHgL5thc,iv:qDLbsIvW3pBPXTvPGRDzqeXEoWhhcwgNtHBVe9/NeLA=,tag:GejDD6cBIGYhHY+ixLbVWQ==,type:str]
lidarr-mb-gap: ENC[AES256_GCM,data:53XIXJGZA8ss3dZ4EkNibl6SCo0NRGedRz0Vm6icxSXpDGz9+m8lC0gXlB2bw1/x+pv8pp97r6CTt4vmpfHipCoyUpAPo22EzYHuqr1DxKO9lX5IJ/etzS6igoGklyTZ5P2bKQ9PxdusrT7hLiif0zZEVwakorTHckuryuUr7B/2687RGsrsOFU+4Fo7wfw+JT5nkjzQh4i1nMToL+7JF/2ZCFzPQUHbP5QEcMceogv0fl4CyVaKB2ZRwy1LuUA1vlQnMQnP5UJHQh1/iFCHDG8uzj3G5oL+U2nco9aJYiucGKRsIWe0DIlK+EZscMMXUby3vU1VqYd60FTj9T6e3aI3KX15V6QHaflLmFX1G7IewTJPE6nQZFyZ6HwDavsPBpdY94X2sp8bGCIO0UYM8QfS9Z5x+VRs9+sUq9gHzEL5/++viMaa/0DKgo4zsJOmDVj3n7W4GdtWWN2ZAkEHsz0AUcdkSqbCZN5c5LyAom1BiUIoVEkfPL4VPryA4g1NHQsoH6lVUHV7o65E27GfkB27up+w2dig/YyG,iv:fzUD4VHr/g5l/GzP/7ote2tNtjvZlmgrwbAGMoaGpjg=,tag:ZxVQWTHZkQuUP9UAdR9Mzw==,type:str]
vps: ENC[AES256_GCM,data:TwWwU1h1ALYjCv2UpXDW8Lq2CI+GUWUEWlaUPBT8llvhRcH57MzdqqjfYxqTmERKywsiekngUEeWER6EsO/t9P9+lMPZCBwvZG+lDdY3ion2MfJOLFcWJnIe1lvHvAWf4Fju7LgEEvEyG5Tn8/hLsJwbH/y37AkfLoSWiKVRrKRcWpSb1/2Aycu3Yn5YeFXeELeaG9ZUeGP+fqUfDSvOfFphEEG1cGWqAXRh41azB+/t8yN7J1HSjjx86jzTCRxlr0b4YA3wu4YgZowSy5fETSxCnAk/gHcTgl6XHDsseFT95CJyOeLBLAz88TfTu7hqXswSdA6InSIPh9uLVuA5yiCYBemUXw/bMR8nESi/OCgzM4jF9ZvkYHngAJWPFJqwnGEGUen0qwmp6wdI+cVsqALsrG79rivtGHZbkJUMzh9ta2yA9LkOurqXi8ciSQqGVWqf01H/lhjPyfqzgASMMD85NdiYVc2dEk04YXzt0oOcgpex/VEhWx2DJfIR7mtAyaIQUei8gS6y6htg0b6jHYJtfYAG8WqE3wZ1XaTzUUavVewziAz2OFj9xbn4FFRjxKm0ONMWbVQ/AhWptY2N45CFFk3HaUMZdxGrOVEuEC7c/G8YAWswjBzcQG733SyVLi76Cg==,iv:gEbyoSt8l6vexUcovwGGt2J3YntkMEeSMf2nYsx5Fpk=,tag:N9woepMdByGZR4JD+2Ep7Q==,type:str]
git_public_keys:
workstation: ENC[AES256_GCM,data:VqyW8OFJ4450Okf/CVa8peYPVLjkfW8M+ykpiteTpXhlgXLPRfHdW2QrGXTMOIfRYDZD33Fx3JqGJZ17Sn7/wToLO+uY8i8JPYyYXWrQMqI0Xf/NR9JvMCycVoAT/oWG9w==,iv:VM5cBPHe3CPpiOozy+hsQcwGokQIVB97oFbVr5o6+Vo=,tag:0w4r5zrdNdpVDNcvbJ8bdA==,type:str]
server: ENC[AES256_GCM,data:WMnUqMgIQ0j4F7G/LppKsN1C+Uoq12DRcYWIEQecTzq9v9+xxe8mAusGenV7SWqz50wrkkjGThmSiXzrdao7Ri4v/BKBX6d+Cql0Us0OOKNplSy1GQ98ML+LfHU=,iv:F/SPXw/BC5JE2u1m9x26qYWrSu/b10QzNPelQN6NBvc=,tag:0YU6dba8y349UvrpeqpbOA==,type:str]
miniserver: ENC[AES256_GCM,data:M5p2My3d4rOZMj1j4CFMUdHoM2f3BK9y0ikg3NwMs36A2PUzbN39dWzvfhdqoq6stypHbEzmaI4VtUZySPFWaGclBKPea5ujZTxkkZOdt9V6/lvDMdl9O5MUrPBmXYyc,iv:PyVj4OT6ZEqyQDH/K0OtOflGoomUarF25hx95loOgJU=,tag:xZs6wd34LqqqWvRMfUgJbg==,type:str]
emacs: ENC[AES256_GCM,data:jnCEEpEB5tZAs7Y5LT3zQeFZYRqsBcQY5ZASU6p23jRzr9F4wv9ksqezTdZEYGnY7cv8w9gC7Lc0819OTHJyWP0+A45SRZPb16Ii88Omu/Erp0f69wXQCk2rvm2QnZXzGg==,iv:zlglY4hcSdw24O+aM/0BR1/1MRXNYwTcSVZJEItQgMg=,tag:PWrT0LCzs7GBcj+CFFqfNQ==,type:str]
vps: ENC[AES256_GCM,data:ljr2eG76JFVBGTSQZ67ViEJRd+q4ocCY9BIOF+Xs4PiqRF9XtmNxIkQZGXYBWcPIRgKouf259frGPAIqyRHS2pJglAYOAbOWxLb1CgfGxWl6jhZXSBINBu8=,iv:XAixV3SwBIGhhaN/AdTjnT2TB/pD6+oxY+nhd+NDM0M=,tag:FfXBde5TURpWpsEaPMev5g==,type:str]
git_private_keys:
workstation: ENC[AES256_GCM,data:LZQq96EGcEQsu1hIq0GiPKyfbBXULCXI3umT2NgNJc8YAgYjmfedNZm985GQG+YJeGKYdwlsWnQ59BNc97jQalXGIjvPCI5RAc1bd28VqlUTXZ2ipaHz0nxprgctqMUUSyst18qhumcAdiWT7euInaZiqBhp4xBvIBjK0nMutKfHER/pNV8SYwYPeiKPxB43f6jhKVEYVjItWDsM/C4JvTmwsOvvLUoNMnXtyIKaGDsRhhGSwWcOEj13LWOML6zwB5IUgavvRjKBvnlWy83vH/hFxp1IZNXU4eiePyTAj3Ydne9bmGN1EpF3FyTWZAiWC2uGiML6ZEZUoK94B8mvc8oNwcQPGMzBf0oEBrslWMFOzwItmbNUh5qiVXGUD9a4GiBQzuhPrYX3O0OgFTjveftNcaml4s/qc9MQsiUnYJEIsBVu1959HUS1kEu49LwQzzAIVZQn1dirVaNlq/nbvCv2TYQmgz6v6c/yI7FUDcasjx6hHBUnayGP/xkb0hge6hqGD/T8cZQ8ORKQyj/+R5DvyiHqEtUDNitq,iv:zZOowKGPi7l45djp4IqGdTSf/XDOJACcwpsFGHc8hzQ=,tag:8UQAwcGf3qpDpNoQCVV61A==,type:str]
server: ENC[AES256_GCM,data:88xWCYNz+gaCUw6EV/i1PTCaPUTU+6qGme5O3r2zz+ebCfR/QXIG80W7rehZgQ0I7YfD9eFydOgq8+I21L8LjF+AalREWOUZVxjERtVyjVpABcNspogBUgJCD/7s7A8DwDk92V4fiUQF8C2Sp2adfs8V7ef4IhfLC2xhFOQA3z5YZl7y2CNhYPhl0k+tpUW6yYTSTvccJLlpqzzZCPdBSnkI5pJJ2ftpoh+PG0GIzBeta+Pq3I4YMpprzxogaVwlLGn8AtTWkwwWvJpzeELfE7WLgJ9f/X9N5o4zojjvVelxHDMQayo9oeqpIUrCE+RStdLNrYrvLmq2dGTDc7DgLBon0h3led5hqBOBoY11XqaKiGKL9xwZjWM0cDhzOBgFOY9GC3el68Zri+alSIVNccybmXoM78ZFc0rbo2zYKX3r8wO1umTi1/KvGr6q35GY7AXCkLh/qVpvDc8/4NUdiVnNwPxukZMiNTWHPaaUd71zA+sphaykhzs7ex5UMQPsiF6/unUtP3bIZ4taf0mO,iv:1nx2USITQFqiYcva2f1WOjxwK7iYVsWRpAmgU87Iqqw=,tag:GbnajMHjuZNkGjYZapaOTw==,type:str]
miniserver: ENC[AES256_GCM,data:uhnZ/QmMMT+EmtaRgWDvZEvkf8TewV99zYR639e8K16xII3FM6FfrTF4rr1XwnXrh4xmT6Cr0kgHcPFEel8tUEMWqqlaqD2Vzn7VT/NyveEzCbyZ9GdAP2iMAb/xVdg4TjKxUXKZ8l9k7cDNVKKVkNcEfFQF9eTr84YAs0ZLyX5n+NiYlOcVKq0s3EDEOD5+/x7MdnUtdxOrGG3Ob9fRMfQfTVFwVQ/eMeAQXMAzU9MEcE2xFLaoK2POfu233gMf8E4X9ctt18q7S8DB97K1uhJhEsKiAriNJEyxXsQ+LO4mg1lsKDWr85qa2WoXWnq16kHdVdi1Fw/C3dkHW8NZQ7Eem8nBb9yoNNeYP1/GKFUAv9NA2uZQRGYNdiIA63Vp6Yts3rbJ5reUGrrm+NUMwIy5rC4EoCAYL9tIbYvSlk9QNEpELZniW8wf00uCkdpREMJobgQeTBZII5R4oXNqq28AWEGbEfL8nOspiKdoG6LUKMa5mJTBpmuTBo1EvrYnptf1egjQSvy7aH2WDcQOvuxxUzFmx8bLZ+wq,iv:l7raR36S6EHsuw620ch0q8HuWiyJzJaByyWZUrCLXx8=,tag:xDdJ+LVV3KVIaEjWX1YnjQ==,type:str]
emacs: ENC[AES256_GCM,data:FgJUD7p9MxQVvsz+To0Dx2kJ1WZqyNsX/zqOLAtw7pGCAZRh/FiltTOq6t4/2qJsMuVevaNkri4hUMDMhRReZ1BrPuJZHphdSb9U9JLAywTpDWrfyHdvCwNehWiccoANMz+Hjr3xBh1z7fd9apojMVnF3pAbZj/v3EaPsJzzzyY9I32yHDERXn4yUfuwHWfV/TeodFTV2MMz9Bs2mC5UH9mJhktv6xIn9NhITKWKkKzK4/JNICF9GQfjuDteBfIHmXPNeVfsD4nTle74zBsC2eXfC2Ax1wvvpQzNfrh+B121dWgZzBh0XDOtV7ejjxsN/48HMQCJC2A4XQJXK2IJeEeCz1lZK2dyqT0SMmOaxBHSjamzj9fyo2L0r1iz1vopA7zMRwFTq32x47D7TXWwN1yTSrWhXyT/6/YHqNFWDfuvTHYHF0h51W8zl/KKIjKlJEV2rKIoMjnWzfhPmuB4GRFc967ViKV0LjngpX5ummKIM8MnGY6u4VP4MDRJ/JKh1H3XzWlFBERa4xeNjArmd5cka9eL2tZIzwmh,iv:K7z+vxjyj6IOI/mv31Ngj6iufAHY0EoQPwv9jJyWaC4=,tag:jWSFvIFBGOZfDuqYIhMgFw==,type:str]
vps: ENC[AES256_GCM,data:JByRbAuQqu4Ciw1kCMDgUrqwUIGWM1QbAlDAJZAUfx57I74FcSEuQSz7iAGYFZi1DWy5hdzi4CjJU6X9GWBkgUq757OqiF0p7pZxJOQdc4EviO9mXLSLI1oVTnt9vcOfKqUVIrEFlz8n9AQSd878bNoisJtCp0qztdowzLPPPswpAvb8hBvxcSfGwGYpsXUngpdaBbs30UuXVtGF0YxPnO9rYqGwYh5kn00T7Ut1Q1h8NGCLhlwHVsxZZMcNxdlL7PjJlAVTH4Gfxphgc4jLdPz+UlPiyxCnG78BTDiWH30eskwm7RUagb6RNAMFMrZekusnu0tInaAe0OYPluYoIe4g9cD4zhhfio5y/8l0b8r3fBf2CeFEkXtXXs8fxCXB5s2BKnW4VXBYBmnT1dZMXuMHBCgEHip3uAr754lUDFu7lKjfmhnST4BRKNt1EXDAQ8jOOA2WGlWi1hqkfxzqyhS5lEv45y9c88sXtc9LbUXg0a97VZiIA+173TtrJ6O9/fghmNycD+7L7tLE+SCx0jUmGFWcy6TtwCjC,iv:PhWCv+qGXljm3I1u5FMKNheaZmIfcUb1OZ2bmgHpyXI=,tag:FyH/bZ68QPL/iZQzLbpv6w==,type:str]
certificates:
qbit_cert: ENC[AES256_GCM,data:RQNgCoh/kC/Bi+pamonNaAhniBLD7d5Ilc7YDe02jLnGYWgvtgQCcWflSbnxuLNgIDX1tBEmR7J8hjRyetNF6mQj7z8SmvfG+Mn53qRhiqa+RoSrhL18xtHKjWkNbgwXJtrSFa4g2dMLsqkrp8mK3Xzap2Ge+bCfi8iE17NOd7U/8NwH3ApdjFFz3nmic/gsMZwJE2CvefF4OXLiLl4COeuf+yj6k7C8/e4rP3C418lF3C2HZWwOoTU57LRmfiG3GaTg5mD3Ir1OFC28G4R2MDXh/anSuJEnGQdTgXxQMUa9R8Ec2eCANEwtK7UFvnuLtUEErlJDMuW5h7E3pMXP0iWsqwP5IJrkSDxMwm6TQHlmSx62WhP0wZVGXiIeOdIQgWTgkBPk/3EpkGML9/WH+FAtZ1mhi6YLaRPlSLcKnLd2/YM2JEgq/A52No09BHw15PEMWPrEld2HLdG03MroCazci3shqeVMLk/G/CrXQ7EKUlmvfrR7/6T8/VolyCzezAtmk8LjtWQw3bes/xg+ON+MjHEGAj7H0EkDsZcgbEJZVYEyUI1y75x4TVP+LQpOd7QynlUoj0qkw7QvvMj4j94qAMbAFkTrqk0LwYytcha5A0nwfurMFkTfPGkaAF9TktVtpMCQ/ghCfhWSKAbpuFR0Gpl9Atofs6RfOWXJ4oh0vh3mQNJc4oOQxN+2vlLPjRxVUULNhCTUpffZTaBvbU/gTAKK2XOI54od09YzNwV4oBMS0opg2fi3JA1LFzDDSyCeoA91mq2iWR1NtSwB/T5zRlsnt8dujcNfGPIoyNkjzxaK9hzDdm0Sh80ZGGt6pcibyOCCCuKNt60kgbDGXP58+//Kj0bKp5PTjZz4q1fUVssMQP8cnPte4CZCTgRCrpAlYiPxz58iGo3D0MZrTIcrj/SGaV61m+7W52OXnMPDXHZ2kJ27kdCVK/hDVeBTWqSHg3qYG8AdFG1QSkDS0HkmJ+bQJtXksh36asbDfVBo4I372mI7oYC7o+U/xUDTo3wf3TsP6fzq3jTymripJfcXdNn+3Y7ZfYJTX24eh9oCMTTnlc/HdX3IiYGugcTBpQwSIu0Vx7L1Jz6GpB6hCRzTdvutnH6u+nWOgp5r5s7E3/PTTFFKwY+wxhAauSlhWYoBQcnjnkoW0saLldTpF2rAozCPQuHai/zYvWI0YHmetUJNmYOjxMHcmy/DNohN51ecg6782p4wk5E01LT2+22thAxfAe8jA7Gt87Jxx6fVNb7/r+cPhpciWfOlpbkmLjmLX909HXSekLJa1cq4VIgjJhbGbSty9ooetY4kZSoBosSizxQx5VeNZkjPOvJ/K6QOlDfJAmC5QzJVcgOF7XHSSeeaMdcPWK/TyEGCFBkutsIrYMHefyqH+/InqOco3wUdpvGEWWB8j3DfV89HgKT+Nt95rF+tpOsvt2v2QkzPzULTJ/ZRxJ6i86qJBJZrriKx8t+ns99lmao+aoBa25he6xBAyGVuBwK3eS5fJznGBF2lDg83FOac0KxrcJgOiYNyDwucFMfeY4i1p5X+zALBfVk16XICRRiYjub2+3V2kTQOLaNdPqkQ0DZPaPwwhg2v0WGdOIuAf2iB4bm1T00f1sMPKZ6MtuoXjnYP3E4gTRP9vZAyfB35xOlXmd42fw==,iv:5xKwtvNM1MOwk24m9yl7kEQaTAmFZqHWcE6TkKhmsJI=,tag:ikVouFR7x9cMFoSy/A9c4A==,type:str]
qbit_key: ENC[AES256_GCM,data:OE+GagWBxtqvnS0kVrbswpBDYWBNLOqEOFxWIIjwvU0WNjBuQNm2kh65WqaYu60rztyu0SFzhRBIARD17EGN0bYQFxIW48Y4sglKbv1WRuimU7YIO2dv0lqjkSlAkgdVWh8TB2AyZkoB/I9tea7nVwoyIUZkM+C8oRG92Wtad/T+oKplpOoe3GtFDc7/XeTacWP142iEGlkMXEIBIHlrZ8V5kDnMxugxkc6zv82dXyXEMLEO7yjcJK51ZmbBnb+HlWcDJkSW62HOuzurKt9qWbqCsfmhjjZXXJ0G7BVVTRosg38ld2dX+SkxkYCWi4xPbO4NGf6M7K8oY+mNMCzbrduyzz95YuverozqLR/f7wrozSN42mtB3XTQgA2Kg3LVhxu486Ox5aHjp9+acpC0YJCEZCwYQw9IK1As3bjUxRhhxSa8Jt+JKXtfUjYtpfC8dOblX69pwdVaQACJospRcqISq8h2+KbwwJPZadUddgQJ4BhIfZWQAFdZzJrD8PmqXjrKqdclBHxYjNYOin/xuHvxLuU06fOby/kKsQP2vs0Eep0uIFd2BVALGwPakEt8+2PpujPXGAPJD3owc3XPObjkTjI9SAP1tYQbQE9wpcMJLtRPOUWTNfbJzmSK1Uh3j+Z3dl+dI967PD9KkdkApiVeu8JKCiFudGksR8n2mzT0i6NVmiy9zTG0jBvI1RUPPp5VXJofWgyVDDobvEn+yn1gLv+cBlrm5RhwZXdtNKuNktNZ8aSYRUi5JXO1JPiPT8oBAqlBJR5GOp85IWVwzA8UQdttaVnTKTrmHULnajZPsrOwZLfTT6ogj4msQbMO+HKq88h4gdXjLmU3wPtgyao2CGRej1cUsnnh3gZvLwcj9p/Gl/OSozoCj0SD66jOYtG7I/oq0nyslcNAaH+HeGU54eCtj5RwM54B0o0JDjVtjo4JP3CRL/YwiJBFpmDdSVDFuQXB8qtYRw7afKE8uS5s6Xm7gJvarrG+LspBQ6zCzN8TqDaJtZ0tx4thevBJL7iEbDhyzcqrwCf7YShSPSvXtV+VtDwrth5SjRj9jh7i+sHJQGGDlC0gUruYosXKO13CDVD2MTYxKxTTo5+E3MMPtcSlr6qoeaEedzrC2c9la0L14xiQw7tOEv8lcY7XqFEjv6e+ATE30+96rbuJkQVUj0U0seeG42LDMHQaanan/asg30QgfPNns25fkTLxXE6Ps2KA7QBfwz0IqVfRGuxySYyqFdOptwxCFkmdT7uxRK86NNWbmAFLku6795GKVIxbFXwSNoK12uUcd8nXqAsnVQf+M1tC5hIqOCywMPHKMbHu1NsiST055L4xbcWv4bDkfkmKOxpsS9z1zfLQ/DpRQeAidc8XTWcvcfnHcFAMJTHxseLHgtnnopf/RRAp3nhygzmaHuWCE1YPK23/gWRh+Cj8ke8TnE7lzfKIE5GOu12ojLe0unzHNOnGvsv1vF5JJbSxT4119LX7SmfTXvOGqzywxoK7ejLuP1DfZR7GejJ2P5IC54FHR0xwrP9W9Y4TfxriA13l0LMKgRsARmM1zXwTwkioFiy0hCNmX0+yERs/5aLg+pvNgFRAtZnFoRVU9lKU+lpQuQd57BSa4hX1jFZ++8kSRWoHi49cp5LBTKD5+Z0HddbPJdaVumkLPs0CXSxMGzSok2VkVfc9tcTIyv4g6biB+7lNmXCBh+RSdnbdXvFe6fYzAXhT8ZWaRmAJ/btkfN4CCRHPN7gFX6ShF56K93nTLBzn4PA50pNToHc4bmF8SYokHNvzdP9oGc1TjSn1UttcBSoWSIO6KunAbZwaL6CH1vk0YLiUOSQOQQg2er/nR8aNd358ym4AX3399+TWL6oy4RrAzha/KcS6JrvtHTI0wH4W2qBeogfcyhwkVuOU4vr63xvoygI+33tkY2j2DkR+h1i2DVvm6NXAt0gZiCQLIe5j8dsfwOZUzXG5glktAl/w0sBrQy6h6MUpZGHzAoCxPQVfZrR/10JN9joEGmbsSc1syqkIVNIh3DhyucVof3cQ6hy0kOZ4zl7q9IlnY0K85C2Pm/NKrAWx18pp8E2Fk6QnUcG+/0f/ls5wUfFsUDFGPFuaUN0WLeMZjWIN4Nzt1THGjdYVbpMymQ0d9YtM+y7iisb0HKguU5KMo7m0gJW/BGkSzfr62VkvFro3ZlZ+r4C2oDK2NO+PsD0yc0NeN45alcgTFeQDtEuNLErp+a7hBae86YhR6UWgmKpuwzqIvHjb32VVKMWcbCnfQIN3,iv:jTER/Q2JKTeMs33IF65J9/OufVMdMsTtBWNY+CwgigI=,tag:CTB5rasvOtpey21jXtxx3Q==,type:str]
@@ -47,40 +51,40 @@ sops:
- recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRcXFhSU03M0U4azM5VnJV
UExReVBmRnpNaUx3WDViU2hLalpnbE4wTVFjCkkzQzhlVjcrVndaUmVRNUhmSWZT
RlByQUxSSWtNeDJiTEJMR2JhWG1MM2sKLS0tIC9mUDVhNUtQei9VN3dJdmVBK0Y2
NDM5SFhNbWp0WWdMYVc4NC9HdHhSR2cKGj8ur7g1F5OTv+XKg5pmFiSMgAcNL3b8
PjhyPcZqxCB4J8utMf8yxmZkVqbyd3UjZRBUUXSgzg/i1nx0GTGcDA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWRGVscDJsU0ErZ1VBRzVq
dE5aNUZvcmhVRHVjYUJFT09hdDd0UzhIS3hNCkRFRlphRXBTd3VFTE81RjJRaE5w
bzJSaCtsT0QwMkx2WDVyZ0FzeFphWk0KLS0tIGN5M0QyWmQ4Y3lCU0FXaU9vL0hv
MEp1ekxTdWp2b2g4dFd3OVNkUlZBMGMKzNGSzYgQsNW6HEvzTWmo73GShAAv/g8+
h3/6n/ObqlKsjDyVFgiOYop3LWfwPMzmOhx4S0wsOHit0UxdyoJwWA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1V0JUSk9FOUkrSzBmZFNY
M1JlZEMxSFVEV0d3NGttZFFrK0U3MWtlb1RBCjJQbmRGSVQ0M0p0NHdGK1ZHSlNo
TkVHS3lnN3VOUUNjTVI2V1B6bzlDb1EKLS0tIFRtdko2cjkzMlZyV1hRcWFnWFlv
TWVXMlpVUWJIZEhLOVVpblhwZjJDOGsKwgqjQZ1XzQNkFPItT+/gjBNnvxiYHbQ/
JP/cse3TR7VsC5dq0SGCFY8zPBPiZPvuU+f9Bq9wfJWDG79CintBnQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUGFaaHFtVWl1cG1XdlRT
TUh0MHZTa0JhdDFSTVJZOWJBd0F0SWI0N2tNCkdnaG5DcXdDT3dqRVJDcjlsZ3Fz
ZFFaeTB4UTBQRVYzcldndm1RSjhCTzQKLS0tIDJySFIvbGpBd0l4RzYwVUd1MWpF
ZHhxdERrd3VNUGpTTlZUM25RYzJwSjAKG2DZUyomWm8Nxn6mPDKbBh1YsEUr642a
nGYxmuRVBVINbOB3gBPwgLeD+S2Vlm4vrC/u2761fTgm8KFLC+txpQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuaFFlM2M5ZHZIM3FNSEYv
bnlnbG01YWRPcFR1Z2tUNTdvSmdGZ0QrMjNZCkJPemFBYktBWldPWFdyVS9ZOVBv
ZU5zRWpqYXJ4MVVQdFdWcmQ4am5DSkkKLS0tIDNudUpUNnNJUHQyYTM3Y3pwb0FT
VUY1c0ZtWDA0THZ3ekVmUFl4ZjgvaHcKuyh3cIwboc2wxectPk0La0CLRX7VvaBR
XoBMk4PbfQLS1PuaavH+NLNAp3N7LmF9IlZBS3zFW26Dy1viqWbhFw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXTnc0N3JWUGk3cWV0QXNK
L0ZWM0I0NVlVbTdsZmdRall2V3FUTllidlJnCjQwbFJ1TjVNQjl3NURQenBDZVhy
QXEybkIvc0RnV1dNL1Rhem9GajhzY2cKLS0tIFk0Nm9JK2ZvenJsYVF2RUJLVzVL
bzFWRnFjd01wbDVrQnhlb3NYampEVEkKWl3/oymEX/TdMHyxE8mOopIwu4Kots27
teyBmo6aVTAQ1zSxGDszI6kgK6PC3Z/WqaMaoJilGI6k8vCkOT3oMw==
-----END AGE ENCRYPTED FILE-----
- recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
- recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4T3krdSthSnhkVGk5RHg3
MUVWdXVqM0o3LzZtSzFsZURiSGlLTEd6SlhNCllyaW5BcHZueDRGNlMwWTNaQTNC
bTBMRWFRSG42WVg0cU9CR1F5ZmpTQ1kKLS0tIFdDaGloemJNWUJWcCtOeUhnMmlQ
dklwODNxYVo4a2FaWDJFM0FnV1l3SlUKMnq/MAJRwR7iEri2KomPrMj0gTkMyhzH
P5E4zheU7chJTAz5jf6iecyOvKAt6q5g9Q1MU0D6dkOcv2gzWSNAAw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtaG1Ea0ZyZ1IrRGxEaUdw
TzlMRE84ZDBXRTNFWHcwNE81MDZlYStTZWdFCmxLbUxORFNVVHRGYXV4bDRvV1Ra
Rzg0YnpkaDJ3alhxalFFck10MjF4MG8KLS0tIDgwSEhReERtZHZ3U2RWcnFaaHlI
UmQzNEJVVTVPRHFqVlAraTR2bHNOdmsKKCVCzZ10sEA7rGRCUxbpYlaR6Y2jZvho
THbZe5MHY1a44L2XQSZe3I+1qOVBWVSL10KYTjJIBTxoeBtjlQJAVQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-11T21:11:25Z"
mac: ENC[AES256_GCM,data:zhPKEB/u8x6mABVzrKlfSQdW/eCailqqb/JIyTzC21bF503ESfjrJIiTIb889rAjcGXQFfA0BJ398Y+8XLJ3WL25Imc1vF5/HIkeG1u7FZQx7XNVg2A8NxzG42F8Zei28Cf9PBqz/zsu8OyVgFdGWR5oAimli45PJcozcnKaWsU=,iv:G0zYmh9k5aayGY7szw5uf7bp9ss/Kg2UeALpIGIkByA=,tag:0pDYK8Wa7etc1wxDlMiddw==,type:str]
lastmodified: "2026-02-03T21:56:09Z"
mac: ENC[AES256_GCM,data:Bnjo3TFYoGbtB8HF1i+ZQLlfeBMOjq14lu8oLRqcZ6Fx5Am0uuh+/PHClWZ/JX5suC0Kb81+aBHg2QTsLoB6zdUrRpaqa0CUxTDoGw8tpo8m6zLWvSggpYLAuRgTYqBZ0lVK1QxAi9+qVJQ5AIhYwSPrf2oq/Mpq4tFGUoG/tzM=,iv:8JqAeBVYnZM8A+CPAlKN+6SDty0XQ4AKEBJLGV8Q738=,tag:CQXE5QsfJMiI7UQoCfE3dQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

42
secrets/secrets.yaml
View File

@@ -19,38 +19,38 @@ sops:
- recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSTFDNHN2cm5UMDkvb3h3
RUs3aEIrZmlhQ3JvcCtKa09WUkRpZ1o4b3pnCmtiaUJnYUVWcFdpRk9vdmNQRjJT
R1NlMUJnRHQwdGRmQWJrc1NySmhPZW8KLS0tIFhnNmE4bGFUYW5GdVprc09PTTBt
N2VpQU5aeUJuRThyQVFwaEs3QnUwSDgKdgsuwN4/dfAVzXnJ7LPwhUpD8kuh3VxO
vB9iva29YN85E+CKZ7CryGdrnCy1a1fUC0YiAakbzQejon62fK2d5Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQTUEycms3ZkdMd3hpcXJz
R2pZZEc5STZ3dUdYbUdsSGJaRWI5TWNMK1RRCjVxR1pzY0ZVUmcwSjJFYktteWoz
YmlaVkFPRnZha3h5ckV1TVQyVWZKdGMKLS0tIFgvdWF5VEJwTTcwdXZ6SDRMU3BL
V2x6NlhyY0pmUVBsYmZITjArdjJRbEkKvzsJxs5EHR0uumwhZ36MhKuMS+WkogXU
nSVRQoc5TClzYwShY1ltHK+LCl0DlB4xFoMiO4GWwH1TySKe/ywpUQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQRnEvNzlxT0dWMDNZOEhS
TVpRSHpGM1JvZ0JQRW4zMXpXL3Rza3NiRVVNClovaGF0Z1hPdXltY3pTaGRKUTY2
MGJtYmFqaDQ4THRRTE1rUURhR0N1Y1UKLS0tIGtOOUxVNTdFZGZ3TS8zdUJFWWxO
MG1yLzNRaTdmVEJaSnBlbGR0SjR0TlUK7iNC+uyUN3s5T7b1PD+BZ+LvlsKdOpbM
pA2P4ZaUcBXCOEonmG4LnflEyUDXrxBoTkswkpBpG/SowF+yXe0Fwg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQytNaUs1M0hiYi8vdDUx
V1NtZ3VGNFVjRHRWUzliR3M3Q2Z6K3RWSHo4ClQ1RE1PeHJ4REpubVJHb0lJcGJ2
SEFvT2YvNWhMc2lneWR5NmRYc2pzVE0KLS0tIGxkRWRRRTNtVDUzVXh2L0lEa3RK
YjFSUDJHUjFUeVBFbUlKOS8ya1ZhMW8KssRH3/XT1iCVgV+6Sh25Axp0c96aHtVX
/HXN3AwTm0GJZCQnZsVIIPtoCzhUZSza+bzGZIZODYtgtCIxtdzVSw==
-----END AGE ENCRYPTED FILE-----
- recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcU05d2R4a3k4Z2VGVlcr
VXJWeUZtWjZuY0lDM2dBNWFxbUxyaUdPVm1RCkxkNjFNbmh6L2ZMeitlY3ZwTEw4
MUhTVnBLdmRVblFOa09nWTlXVHNIWHcKLS0tIC91aHR5d3JlRDlBWFJtWDNsNFUw
QjhiSVNRMlgwTTAvNmE4SDdQOS8rNVUKIYVulp/SpDmewQkotisfUsSZFh0r1eNB
59ysWy09dse8Oed9lwMVMLI7B4DBT6CRWuefOU//urI/pB9itV6jvw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbkZpZFJCY21IRkJjNkRB
UEdEVlZhRWhRb1ZDMjJtMmpkUmpnY3ZvMGlFCnBLcHlkMWNyMy8wenYwT2pmRTZL
dWtiWFlaR1FrL21HQTFZM2N3a3BHYW8KLS0tIFlYZWVHb0VEeDU5NnRjbDk5M2po
K0xRRFhua09DRE04WUd6NlZuQldFbEEK2OgiawCbCtbrk8l45QdjVu8+VNWbrl4i
3U9iwek30JkQSZaWBXaCZlWLvbKNjIMpwTtxDOhxmu4DUh3Hx6In/g==
-----END AGE ENCRYPTED FILE-----
- recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
- recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyazBBS0xKakE0Z0hHRnZo
R0VZUk5qSVF3L2NTb2p6Z29QMnp1MkIrVHowClJVZ3VzUTc4aDVha2tBUE93R2Nw
T29nakxRQkpidzlrdFZQTFlxMXFwOEkKLS0tIGJWRkdJaVpLWXBVNnZUQ2l3dm9Q
RmRyZldlMjUwMEdUUEpDS2JSa2tDTTAKp/pT+0cNnCuKVL+Z0fEMiw1PL9PB/nSM
QWVTo0Mt8Y6X0Xt0EAi9G5AYxADZ/mmEWPxB7RFgVAiMKtor5Gy1zw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySjBmaC9rREpUQ3BvWWNU
MWEvM3ZGb2RXZ0dMdWxLRTJCR2VSdyt5VUhBCjBvL3MxZ3pTaFQ4aGdZVnAxUmd3
YUtoZkhEV01TU0drRUdDaFZ5M2tZLzAKLS0tIHpBL3NwV2NhN0QwcHdwbFpQWlZn
eUNjc2RPOUxLTGowTlRqN3lEdjRLU2cKTTEXmHyhnL/hZGDr8ONrmzdU6Or5xkKY
GHADDt+LCg8njcZom39Aj4kpCx+f7HlV65glKwr37vZ0sL9KE+O9+w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-16T15:38:39Z"
mac: ENC[AES256_GCM,data:4xaoGvLq1UIdozNqQ7v+pORVPDCk+FZRsCRvZ3C5AZOwSaM+UfDYZcI32AI0K80yFyhVIrrjqylykvXghbpQGAju3mv7+7Tbn5p2gqXrB/m1FuyVe/ftw7SSn8FTGL14cdHuPPkQTvV/u7z1IfX4YAOEGqtWiEfOe4YoWT3xc3A=,iv:dygbKjQ0ljgBPyk2aEIa/Mpbs/At+UzuhYy8Sndx/nk=,tag:jYbROlRxeDxqF1YqrBGL8A==,type:str]

1
secrets/ssh/ed25519_deploy.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6scNSRnOprOvqm5DSTSMORvh9c5z0S1GzX1D7u+gMw deploy@portfolio

1
secrets/ssh/ed25519_lidarr-reports.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbCQ/f117hL7Z02Vog1RCaOVUi95beYf//Qppnqf2Ha lidarr-reports@lidarr-reports

7
secrets/ssh/ed25519_nixvps Normal file
View File

@@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAg2NEQIaCDPaucUAqi1iUIppNyQJH2AHGm8RhZ8ZjQagAAAJggRAEdIEQB
HQAAAAtzc2gtZWQyNTUxOQAAACAg2NEQIaCDPaucUAqi1iUIppNyQJH2AHGm8RhZ8ZjQag
AAAECI12wNotU67+KnPGhWMcLUxotEQdz4jry+aijaiHP26CDY0RAhoIM9q5xQCqLWJQim
k3JAkfYAcabxGFnxmNBqAAAAEGphd3pAd29ya3N0YXRpb24BAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

1
secrets/ssh/ed25519_nixvps.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDY0RAhoIM9q5xQCqLWJQimk3JAkfYAcabxGFnxmNBq jawz@workstation

49
secrets/wireguard.yaml
View File

@@ -5,6 +5,7 @@ vps:
server:
private: ENC[AES256_GCM,data:wrP/069tuQs3ObYE8Q0MNVxe3+4vZ2HIImoIdZpj1uPgdBknboX1wmANv/k=,iv:FJL5KumHos8PoXra+BB2Uc6YedsF6MD3wWyuugXzJ+E=,tag:nVuTrW2P7JvnWnv6H1SmdQ==,type:str]
public: ENC[AES256_GCM,data:YnKOf9725v9FkzdNPDVf/iinMbY/YWn6ksqEz+mpB4KHVlOvpbV6vLSKRcs=,iv:aWQNy6mT4sxVbzaXKgRzZ9XVsiBCRsOlLORRqC+uiKE=,tag:mLWv6mr3VVfw0J5BrqByXg==,type:str]
#ENC[AES256_GCM,data:u5SEQfK0Hw==,iv:+qr9WmOzQowZ/JyN1KoWhoyHA2132fmmZzIQy7o5y6k=,tag:9TPVeQgoo2nWQ9dhuYULGw==,type:comment]
home:
private: ENC[AES256_GCM,data:YZ0jvBzkMv8Bwc9u3LDJzwSqQvPj8wPUxTIeBFiLYVQQIBjm8aS1dTYuPvo=,iv:mXuW7TVERxOMmGIit3a7Spmbk/EgYuGkO66AWJUnMF0=,tag:xM7C3F3JCiud/A9yPD5ydQ==,type:str]
public: ENC[AES256_GCM,data:DcwAHhHjIxFqRL5h7p/0nkFnWiI/iqR8Fws6AuFaxjgUHKYd/6l3D6q/O/0=,iv:bBJ0bsKRiGQUSlRmHqeLQWkOIUNfG5VVpuV6MOtKZO0=,tag:harMG6GDIfclmSq3D36bTw==,type:str]
@@ -13,40 +14,40 @@ sops:
- recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlTXplR3BHYzl1bmxuSzlW
ZVQvTlg2amFnMCtTKzRoZXNYaXBNcmRyWGhZCmpLT1NqbGRtUFpxUzlTMFdYemRJ
ZXF6c2dhOG9LbXVkczU0N1RVK1lqajAKLS0tIHFmQ0FrbVQ2QldiUS9oT2J2RkU0
N0pFQ095Uzdid2NmZXRVZ2l6N285bFUKG52XE8nf9GfESCfNfoP6L8GxLfvrihs4
CaZSkRzkuZUsfBND0B2BX/UlrjVHWPQCYMqqTtMpLXoRSmRsvWYCTA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlemJmbnAwUHZHT3ozdWxH
Njh1ZFUvVW8zcVV6SGxrVW1IWW9ZUFBaTEh3CnJsMnFnM0d5YnBKWE5CT2Flang0
TkNZb0xCY2c4Qk1kdXRkRXcvOU1TSW8KLS0tIE1VdGEraW03bnV4VEc5c0ZheFJ0
MFJpVTlvTGJ0YXBKSnFFbXhEUEwwSmMKxOtHLbRw5e6dRW4jvqFLsl6UzKZ+mvfR
hwKJ4KEbXuCqwtPQEWk/pF0i4vzrgUP1Cp1Y7BxGGyK9ufyV/CCQIg==
-----END AGE ENCRYPTED FILE-----
- recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdWpKeU90cTV6blNZckt0
a2hpWms2b1ZuKzEwZUZFbEp0bFlPellVaHdVCkF5RENObjMvalJNc2FNYXk1UUxR
anE0SUI5ZWY5ZUlteVArSVN4T01DS2MKLS0tIEpDWDkzWm1mampQZDkwRCt5STVk
RHg4UklFQUp1KzFWRnpDOEIzRVJWZ2sKyS6bXtqJ3J7FrCyTa16Ithy2JS4HdkOg
NzTn/6RL+F61PLDGvEEa7Ypk/OGIjfJYxDQ5Sd9LODja47jIK5T6Aw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cnE5VENCMUxxOVZUdC9X
QWFMRytGamhaWENZY1Q4STR5L0Jsdk90SlUwCis4ekFWYmMwN2dESXMrVFNIamFG
RzhET2ZGdGN6b1V1ZHkyOCtDNzBWVjQKLS0tIEF1NGdoU2lqYVdIN3hwRk13SFpP
RHNOeDBlSHFpays2VkRuR2RxaGpYZ1EKwxZfRZthZHVuJe3D5pamCSxYo3hyaaVc
I0UvMDMgcDRZuEzV9g1ZEYnaVXg5InyOO0dDZuCYX/HZqTLPiaOIxg==
-----END AGE ENCRYPTED FILE-----
- recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBueWZlTThKV1d5UEpJUVBE
SlFDMmFYSVREWXVvaDZYWk5TYXFRdTlpeVFZCnM4K3FYNk9hZ3R1K3c3Y0lURzZx
ZXdsWFNNSSt1VUtZdmRUUFdEK3BEdUkKLS0tIHB6ckZPMUkyM0ljK0RScWJSQlIz
UzVRQ3JzS1Q3N3EzTkhpNDZwZEtPbm8K0BzKOk9ljAnc5eydHfNha/QPfq9Eltfb
X/pNFkeW/b6FgLwo+3pc+NfgOFvpOuq7/bRWUCxGSJP/4w9+9q1a6A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaUhOcHV2TkYrZWxnOCtI
TzF1RVpFY3pSa1Y2MmJjVlpKcWZnWGtOOTJ3CmRnTUpyRms2aUtvS1ZvVXFsb0ZQ
U0RiYXM3S0RKQjVwL2hqYllhZENUdmsKLS0tIDNTRHR2ZU1VTzdNNXRDU0xkcTRM
ckowd2p5bitGYVhMNU9Qc0NUeFFJV3MKPKT1/06/fKpWPOMsRaU/fpyVUf7onWGB
0P22NBzP1i5caqSrFnVVeyuhgYxabC4oUKVmjU5QIj1R8Rqh7gworw==
-----END AGE ENCRYPTED FILE-----
- recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl
- recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkV1Fsb3FMZGxGZ1A5dk9y
SllKMjZRby9KNzhVSUVpODh0MW1Ya1JzdzBjCjZmQUFoaCtTSS9ybE1hVjExaFVR
bWlKcFdlQmRIdEJrUE5jKzRlNFdQTVEKLS0tIEtMOW8xb2hLOGluMnVDaWxFMXQw
KzZFSWprL0l0MDdVdEVKbEV5eklZdTAK/1ZyGvElfp+LVloSR6aJUtvrgU0CrzaJ
SQtO7vc4oDedkiTz6LKySta+uyn3e17Jzdyy9nU2D/Q5X+CpKGP3cg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SHdHTDhKQzFUQVdqM0hW
Tm9QdVozaHViQVRuTExhV1BpdWYvY012enk0CmhjODlUN0FkNldGRG94bVFSTVBv
QUNWZmszRStZN24vZWhnajhIcWdXVDgKLS0tIG9ueVZsT29KRE1iM2oreWtGWGVC
SG40OS8wMHlKNmxQa0VScHQrU2NmT2sKt9xw/8jsgnV1cZndqYNiHvIf8VdEJYCl
UUJ1KPz9mvUx3ny+rK50FSD61U8PHEZm2UC0w+/qkZwRtCx21Ku6dw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-08T00:14:52Z"
mac: ENC[AES256_GCM,data:O2herKRy4k9ZMuPzzPF5QlBC2isXdRoIsbYLJ/6X7esxtxxgNuAljx4SCR6UMT7pl3G2E33cnnBEkuAIy6SMXOaZNfOuAEJXaCwpRwCXu26lrcTf6n7UdP36GWfIRsR4utD5/vv66ch6MqmQWkW7E5zydy5dOv+BJ4XS/50OUQs=,iv:TscYNQaeI+mBxyobxI1O4wUzRtA27pvjXz27kqMJhA0=,tag:zx/xrYAWJCxYz5HRTKzYfQ==,type:str]
lastmodified: "2026-02-04T18:37:11Z"
mac: ENC[AES256_GCM,data:AlrMK34dWDm5hfVwnQnzk3l8NIRbiVV6KHa6io9S9l07WvC3TYLTOJS6xOi4pkEz6sqQ7IpZU7RRdosxuQp50NmMEt2QYawTHFZIgzFYeKRbl5N5LCu9afC6yTtvG/sT7uenTMhh2qT1JBwebJiUdM9zNVUzWlW5d1SdxrHgIbs=,iv:dvqsDaC+trhY1kheYUEOEwHfCDz0Mu7N0LpfjnKko5g=,tag:tuqyK8vuwSrk1kf+Vi7MKg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.11.0

2
specs/001-mcp-server/checklists/requirements.md → specs/002-mcp-server/checklists/requirements.md
View File

@@ -2,7 +2,7 @@
**Purpose**: Validate specification completeness and quality before proceeding to planning
**Created**: 2026-01-30
**Feature**: specs/001-mcp-server/spec.md
**Feature**: specs/002-mcp-server/spec.md
## Content Quality

0
specs/001-mcp-server/contracts/mcp-tools.md → specs/002-mcp-server/contracts/mcp-tools.md
View File

0
specs/001-mcp-server/data-model.md → specs/002-mcp-server/data-model.md
View File

8
specs/001-mcp-server/plan.md → specs/002-mcp-server/plan.md
View File

@@ -1,7 +1,7 @@
# Implementation Plan: MCP Server for Repo Maintenance
**Branch**: `001-mcp-server` | **Date**: 2026-01-30 | **Spec**: specs/001-mcp-server/spec.md
**Input**: Feature specification from `/specs/001-mcp-server/spec.md`
**Branch**: `002-mcp-server` | **Date**: 2026-01-30 | **Spec**: specs/002-mcp-server/spec.md
**Input**: Feature specification from `/specs/002-mcp-server/spec.md`
## Summary
@@ -34,7 +34,7 @@ Build a local-only MCP server under `scripts/` that Codex CLI can use to run doc
### Documentation (this feature)
```text
specs/001-mcp-server/
specs/002-mcp-server/
├── plan.md
├── research.md
├── data-model.md
@@ -59,7 +59,7 @@ scripts/mcp-server/
└── test_docs_sync.py
```
**Structure Decision**: Single Python project under `scripts/mcp-server` with src/tests layout; documentation lives in `docs/` and spec artifacts in `specs/001-mcp-server/`.
**Structure Decision**: Single Python project under `scripts/mcp-server` with src/tests layout; documentation lives in `docs/` and spec artifacts in `specs/002-mcp-server/`.
## Complexity Tracking

0
specs/001-mcp-server/quickstart.md → specs/002-mcp-server/quickstart.md
View File

0
specs/001-mcp-server/research.md → specs/002-mcp-server/research.md
View File

2
specs/001-mcp-server/spec.md → specs/002-mcp-server/spec.md
View File

@@ -1,6 +1,6 @@
# Feature Specification: MCP Server for Repo Maintenance
**Feature Branch**: `001-mcp-server`
**Feature Branch**: `002-mcp-server`
**Created**: 2026-01-30
**Status**: Draft
**Input**: User description: "build a mcp server under the directory /scripts the intention for this mcp server is to be consumed by codex-cli to help on modifying the repository by doing but not limited to, the tasks declared on the ai-oriented documentation found in /docs. as an extra, I want this mcp to have tests, which run on the gitea pipeline when any changes done to the mcp or docs directories are commited. expand the ai-documentation on /docs with info about the built mcp so that it is compliant with what of the available tools of the mcp can be called for what specific tasks, ensuring that the mcp provides the easiest up to date assistance to giving this repository maintenance. When it comes to the coding preferences for the server, I want: 1) indentation kept to the bare minimum 2) guard clauses & early returns 3) easy to read coding style, with no comments, but professional easy to maintain code structure 4) functions with docstrings, typehints, etc. 5) give preference to iteration tools such as lambdas, map, filters, as opposed to for loops and multiple ifs. 6) functional code, with reduced duplicated code 7) lint & format the code"

2
specs/001-mcp-server/tasks.md → specs/002-mcp-server/tasks.md
View File

@@ -1,6 +1,6 @@
# Tasks: MCP Server for Repo Maintenance
**Input**: Design documents from `/specs/001-mcp-server/`
**Input**: Design documents from `/specs/002-mcp-server/`
**Prerequisites**: plan.md, spec.md, research.md, data-model.md, contracts/
## Phase 1: Setup (Shared Infrastructure)

34
specs/003-vps-image-migration/checklists/requirements.md Normal file
View File

@@ -0,0 +1,34 @@
# Specification Quality Checklist: VPS Image Migration
**Purpose**: Validate specification completeness and quality before proceeding to planning
**Created**: February 3, 2026
**Feature**: /home/jawz/Development/NixOS/specs/003-vps-image-migration/spec.md
## Content Quality
- [x] No implementation details (languages, frameworks, APIs)
- [x] Focused on user value and business needs
- [x] Written for non-technical stakeholders
- [x] All mandatory sections completed
## Requirement Completeness
- [x] No [NEEDS CLARIFICATION] markers remain
- [x] Requirements are testable and unambiguous
- [x] Success criteria are measurable
- [x] Success criteria are technology-agnostic (no implementation details)
- [x] All acceptance scenarios are defined
- [x] Edge cases are identified
- [x] Scope is clearly bounded
- [x] Dependencies and assumptions identified
## Feature Readiness
- [x] All functional requirements have clear acceptance criteria
- [x] User scenarios cover primary flows
- [x] Feature meets measurable outcomes defined in Success Criteria
- [x] No implementation details leak into specification
## Notes
- All checklist items pass based on the current spec.

3
specs/003-vps-image-migration/contracts/README.md Normal file
View File

@@ -0,0 +1,3 @@
# API Contracts
This feature does not introduce or modify any external HTTP or RPC APIs. Operator actions (image build, provisioning, secrets enrollment, rebuild trigger) are performed via existing infrastructure workflows, so no API schema is required.

49
specs/003-vps-image-migration/data-model.md Normal file
View File

@@ -0,0 +1,49 @@
# Data Model: VPS Image Migration
## Host Profile
- **Purpose**: Defines a named system configuration (e.g., vps).
- **Key fields**:
- `name` (string, unique)
- `target_environment` (string, e.g., Linode)
- `services_required` (list of service identifiers)
- `secrets_required` (list of secret identifiers)
## Image Artifact
- **Purpose**: Represents a build output used to provision a VPS.
- **Key fields**:
- `image_type` (string, Linode-compatible)
- `build_reference` (string, build timestamp or revision)
- `host_profile` (reference to Host Profile)
## Bootstrap Secret Material
- **Purpose**: Material required to unlock secrets on the host.
- **Key fields**:
- `bootstrap_method` (enum: generated-on-host)
- `recipient_public_key` (string)
- `enrollment_status` (enum: pending, enrolled)
## Deployment Target
- **Purpose**: The environment where the image is launched.
- **Key fields**:
- `provider` (string)
- `region` (string)
- `instance_id` (string)
## Rebuild Trigger
- **Purpose**: Represents an authorized rebuild action for the VPS.
- **Key fields**:
- `actor` (string)
- `requested_at` (datetime)
- `status` (enum: queued, running, succeeded, failed)
## Relationships
- Host Profile 1..* Image Artifact
- Host Profile 1..* Bootstrap Secret Material
- Deployment Target 1..1 Image Artifact
- Rebuild Trigger *..1 Host Profile

58
specs/003-vps-image-migration/plan.md Normal file
View File

@@ -0,0 +1,58 @@
# Implementation Plan: VPS Image Migration
**Branch**: `003-vps-image-migration` | **Date**: February 3, 2026 | **Spec**: /home/jawz/Development/NixOS/specs/003-vps-image-migration/spec.md
**Input**: Feature specification from `/specs/003-vps-image-migration/spec.md`
## Summary
Migrate image building away from the deprecated generator to the upstream NixOS image workflow, add a new vps host that produces a Linode-compatible image, and implement a secure two-phase secrets bootstrap that requires re-encryption after the host generates its own key. Provide a repeatable remote rebuild workflow limited to explicitly authorized operator machines.
## Technical Context
**Language/Version**: Nix (flakes; nixpkgs 25.11)
**Primary Dependencies**: nixpkgs, flake-parts, sops-nix
**Storage**: N/A (configuration repo)
**Testing**: Manual validation (image build, boot, network, secret availability, rebuild)
**Target Platform**: NixOS image for Linode VPS
**Project Type**: Infrastructure configuration (single repo)
**Performance Goals**: N/A
**Constraints**: No regressions for existing hosts; secrets must remain secure; first boot must be reachable for enrollment; rebuilds restricted to authorized operator machines
**Scale/Scope**: Small number of hosts, single vps target
## Constitution Check
No enforceable principles are defined in the current constitution file (placeholders only). Gate passes by default.
Post-design re-check: no changes; still pass.
## Project Structure
### Documentation (this feature)
```text
specs/003-vps-image-migration/
├── plan.md
├── research.md
├── data-model.md
├── quickstart.md
├── contracts/
└── tasks.md
```
### Source Code (repository root)
```text
flake.nix
parts/
hosts/
modules/
secrets/
scripts/
config/
environments/
```
**Structure Decision**: Use the existing Nix flake layout with host definitions in `hosts/`, shared logic in `modules/`, and flake assembly in `parts/`.
## Complexity Tracking
No constitution violations to track.

16
specs/003-vps-image-migration/research.md Normal file
View File

@@ -0,0 +1,16 @@
# Research: VPS Image Migration
## Decision 1: Replace deprecated image generator usage
- **Decision**: Use NixOS's built-in image building workflow (`nixos-rebuild build-image`) for Linode-compatible images.
- **Rationale**: The NixOS manual documents `nixos-rebuild build-image` and lists Linode as a supported image target via `image.modules`, indicating the upstream path for image generation.
- **Alternatives considered**:
- Keep using nixos-generators (rejected due to deprecation and upstream migration).
## Decision 2: Secure-first secrets bootstrap for vps
- **Decision**: Use a two-phase bootstrap where the vps generates its own age key on first boot, then the host public key is added as a recipient and secrets are re-encrypted before the second deploy.
- **Rationale**: sops-nix supports generating an age key when missing and can use SSH host keys to derive age identities; this avoids embedding private keys in the image or repository.
- **Alternatives considered**:
- Bake a static age key into the image (rejected for security risk).
- Ship a fixed SSH host key in the image (rejected for key reuse across hosts).

103
specs/003-vps-image-migration/spec.md Normal file
View File

@@ -0,0 +1,103 @@
# Feature Specification: VPS Image Migration
**Feature Branch**: `003-vps-image-migration`
**Created**: February 3, 2026
**Status**: Draft
**Input**: User description: "Remove deprecated image generator usage, add a new vps host that builds a Linode image, ensure first-boot secrets are available, and support remote rebuilds for ongoing changes."
## Clarifications
### Session 2026-02-03
- Q: Who is allowed to trigger remote rebuilds? → A: Only explicitly authorized operator machines.
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Provision a VPS Image (Priority: P1)
As an operator, I want to build a Linode-compatible image for the new vps host so I can provision a replacement VPS that boots with network connectivity and remote access.
**Why this priority**: This is the core migration outcome; without a working image, the VPS replacement cannot proceed.
**Independent Test**: Can be fully tested by building the image, launching a Linode instance from it, and confirming network and remote access.
**Acceptance Scenarios**:
1. **Given** a clean repository state, **When** I build the vps image, **Then** the build completes and produces a Linode-compatible image artifact.
2. **Given** a Linode instance created from the vps image, **When** it boots, **Then** it has working network connectivity and remote access is available.
---
### User Story 2 - Secrets Available After Enrollment (Priority: P2)
As an operator, I want the vps to generate its own secrets key on first boot and then make required secrets available after enrollment so core services can start securely.
**Why this priority**: The VPS must remain secure; services should start only after the host is enrolled and secrets are re-encrypted for it.
**Independent Test**: Can be fully tested by provisioning from the image, enrolling the host key, and verifying required secrets become available after the follow-up deployment.
**Acceptance Scenarios**:
1. **Given** a freshly provisioned vps instance, **When** the system completes its first boot, **Then** it generates host-specific bootstrap key material and remains reachable for enrollment.
2. **Given** the host key is enrolled and secrets are re-encrypted, **When** a follow-up deployment runs, **Then** required secrets become available to services.
---
### User Story 3 - Remote Rebuild Workflow (Priority: P3)
As an operator, I want to trigger rebuilds of the vps host from any authorized system so updates (such as firewall changes) can be applied consistently.
**Why this priority**: Ongoing updates are essential for operations and security, and should not depend on a single workstation.
**Independent Test**: Can be fully tested by triggering a rebuild from a separate authorized system and verifying the changes apply on the VPS.
**Acceptance Scenarios**:
1. **Given** an explicitly authorized operator machine, **When** a rebuild is triggered, **Then** the vps host updates successfully and reflects the new configuration.
---
### Edge Cases
- What happens when the vps image build completes but the artifact is not compatible with the target environment?
- How does the system handle first-boot secret access when bootstrap material is missing or corrupted?
- What happens when a remote rebuild is triggered but the VPS is unreachable?
## Requirements *(mandatory)*
### Functional Requirements
- **FR-001**: The system MUST stop using any deprecated image-generation dependency currently used for host images.
- **FR-002**: The system MUST define a new vps host configuration that produces a Linode-compatible image artifact.
- **FR-003**: A VPS provisioned from the image MUST boot with working network connectivity and remote access enabled.
- **FR-004**: The system MUST support a secure, two-phase bootstrap where the host generates key material on first boot and secrets become available after enrollment and re-deploy.
- **FR-005**: The system MUST provide a documented, repeatable way for explicitly authorized operator machines to trigger remote rebuilds of the vps host.
- **FR-006**: Existing hosts and images MUST continue to build and operate without regression after the migration.
### Key Entities *(include if feature involves data)*
- **Host Profile**: A named system configuration (e.g., vps) that defines the target environment behavior.
- **Image Artifact**: A deployable disk image produced from the host profile.
- **Bootstrap Secret Material**: Data required to unlock or access secrets on first boot.
- **Deployment Target**: The infrastructure environment where the image is launched.
- **Rebuild Trigger**: An authorized action that initiates a configuration update on the VPS.
## Assumptions
- The vps host can generate bootstrap key material on first boot and is reachable for enrollment.
- Operators already have a secure, authorized path for remote access to the VPS.
- The Linode environment can accept and boot the produced image artifact.
## Dependencies
- Access to the target environment needed to validate image compatibility and boot behavior.
- Existing secrets management process and data required for the vps host.
## Success Criteria *(mandatory)*
### Measurable Outcomes
- **SC-001**: A Linode instance provisioned from the vps image is reachable via remote access within 10 minutes of first boot in at least 95% of test provisions.
- **SC-002**: Required secrets for core services are available after enrollment and follow-up deployment in 100% of test provisions.
- **SC-003**: Existing host builds complete without new failures after the deprecated dependency is removed.
- **SC-004**: Remote rebuilds apply a configuration change to the vps host within 15 minutes in at least 90% of test runs.

151
specs/003-vps-image-migration/tasks.md Normal file
View File

@@ -0,0 +1,151 @@
---
description: "Task list for VPS Image Migration"
---
# Tasks: VPS Image Migration
**Input**: Design documents from `/specs/003-vps-image-migration/`
**Prerequisites**: plan.md (required), spec.md (required for user stories), research.md, data-model.md, contracts/
**Tests**: Not requested.
**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story.
## Format: `[ID] [P?] [Story] Description`
- **[P]**: Can run in parallel (different files, no dependencies)
- **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3)
- Include exact file paths in descriptions
## Phase 1: Setup (Shared Infrastructure)
**Purpose**: Project initialization and validation setup
- [X] T001 Review current image generation usage in `flake.nix` and `parts/packages.nix` and note all nixos-generators references
- [X] T002 [P] Review host structure in `hosts/` to mirror patterns for the new `hosts/vps/configuration.nix`
---
## Phase 2: Foundational (Blocking Prerequisites)
**Purpose**: Remove deprecated generator and ensure existing outputs are preserved
- [X] T003 Update `parts/packages.nix` to build `emacs-vm` from nixpkgs/NixOS outputs (remove nixos-generators usage)
- [X] T004 Remove nixos-generators input from `flake.nix`
- [X] T005 Update `flake.lock` to drop nixos-generators entries
- [X] T006 STOP: Ask user to validate `emacs-vm` build works without nixos-generators (confirm before proceeding) (reference `parts/packages.nix`)
**Checkpoint**: Foundation ready after user confirmation
---
## Phase 3: User Story 1 - Provision a VPS Image (Priority: P1) 🎯 MVP
**Goal**: Define a new vps host and produce a Linode-compatible image artifact
**Independent Test**: Build the vps image, launch a Linode instance from it, verify network connectivity and remote access
### Implementation for User Story 1
- [X] T007 [US1] Create `hosts/vps/configuration.nix` with base imports and minimal networking/remote access enablement
- [X] T008 [US1] Register vps host in `parts/hosts.nix` using existing `createConfig` pattern
- [X] T009 [US1] Add a Linode image build output for vps in `parts/packages.nix` using the upstream NixOS image workflow
- [X] T010 [US1] Document the vps host entry and image artifact location in `docs/reference/index.md`
- [X] T011 [US1] Add a manual validation checklist entry for vps boot connectivity and remote access in `specs/003-vps-image-migration/quickstart.md`
**Checkpoint**: vps image builds and can boot with connectivity
---
## Phase 4: User Story 2 - Secrets Available After Enrollment (Priority: P2)
**Goal**: Secure two-phase secrets bootstrap and enrollment workflow
**Independent Test**: Boot vps, generate host key, enroll key, re-encrypt secrets, redeploy, verify secrets available
### Implementation for User Story 2
- [X] T012 [US2] Set secure host posture for vps in `hosts/vps/configuration.nix` (secureHost enabled, secrets gated)
- [X] T013 [US2] Add vps-specific sops-nix bootstrap settings in `hosts/vps/configuration.nix` (generate key on first boot; no baked key)
- [X] T014 [US2] Document the enrollment and re-encryption steps in `docs/playbooks/enroll-vps.md`
- [X] T015 [US2] Update secrets guidance to reference the vps enrollment flow in `docs/constitution.md`
**Checkpoint**: vps can boot without secrets, then unlocks secrets after enrollment and redeploy
---
## Phase 5: User Story 3 - Remote Rebuild Workflow (Priority: P3)
**Goal**: Provide a documented, repeatable remote rebuild process
**Independent Test**: Trigger a rebuild from an explicitly authorized operator machine and verify applied config changes
### Implementation for User Story 3
- [X] T016 [US3] Add a rebuild helper script in `scripts/rebuild-vps.sh` with clear inputs and safety checks
- [X] T017 [US3] Document remote rebuild usage and prerequisites (explicitly authorized operator machines only) in `docs/playbooks/vps-rebuild.md`
**Checkpoint**: remote rebuild flow is repeatable and documented
---
## Phase 6: Polish & Cross-Cutting Concerns
**Purpose**: Final consistency checks and documentation polish
- [X] T018 [P] Ensure vps host is referenced in any host inventories or indexes in `docs/reference/index.md`
- [X] T019 Validate quickstart steps still match implementation in `specs/003-vps-image-migration/quickstart.md`
- [X] T020 Validate existing host/image builds after migration (document results in `specs/003-vps-image-migration/quickstart.md`)
---
## Dependencies & Execution Order
### Phase Dependencies
- **Setup (Phase 1)**: No dependencies - can start immediately
- **Foundational (Phase 2)**: Depends on Setup completion - BLOCKS all user stories
- **User Stories (Phase 3+)**: Depend on Foundational completion and user validation at T006
- **Polish (Final Phase)**: Depends on desired user stories being complete
### User Story Dependencies
- **User Story 1 (P1)**: Starts after Phase 2 and user validation at T006
- **User Story 2 (P2)**: Starts after Phase 2 and user validation at T006; depends on vps host existing (T007/T008)
- **User Story 3 (P3)**: Starts after Phase 2 and user validation at T006; can be done in parallel with US2
### Parallel Opportunities
- T002 can run in parallel with T001
- T018 and T019 can run in parallel in the Polish phase
- After T006, US2 and US3 can proceed in parallel once US1 host scaffolding exists
---
## Parallel Example: User Story 2
```bash
Task: "Set secure host posture for vps in hosts/vps/configuration.nix"
Task: "Document the enrollment and re-encryption steps in docs/playbooks/enroll-vps.md"
```
---
## Implementation Strategy
### MVP First (User Story 1 Only)
1. Complete Phase 1: Setup
2. Complete Phase 2: Foundational
3. Pause at T006 for user validation of emacs-vm
4. Complete Phase 3: User Story 1
5. Stop and validate the image boot and connectivity
### Incremental Delivery
1. Complete Setup + Foundational → user validates emacs-vm
2. Add User Story 1 → validate image build/boot
3. Add User Story 2 → validate secrets enrollment flow
4. Add User Story 3 → validate remote rebuild workflow
5. Polish and doc consistency checks

34
specs/004-vps-migration/checklists/requirements.md Normal file
View File

@@ -0,0 +1,34 @@
# Specification Quality Checklist: VPS Migration
**Purpose**: Validate specification completeness and quality before proceeding to planning
**Created**: 2026-02-04
**Feature**: /home/jawz/Development/NixOS/specs/004-vps-migration/spec.md
## Content Quality
- [x] No implementation details (languages, frameworks, APIs)
- [x] Focused on user value and business needs
- [x] Written for non-technical stakeholders
- [x] All mandatory sections completed
## Requirement Completeness
- [x] No [NEEDS CLARIFICATION] markers remain
- [x] Requirements are testable and unambiguous
- [x] Success criteria are measurable
- [x] Success criteria are technology-agnostic (no implementation details)
- [x] All acceptance scenarios are defined
- [x] Edge cases are identified
- [x] Scope is clearly bounded
- [x] Dependencies and assumptions identified
## Feature Readiness
- [x] All functional requirements have clear acceptance criteria
- [x] User scenarios cover primary flows
- [x] Feature meets measurable outcomes defined in Success Criteria
- [x] No implementation details leak into specification
## Notes
- All checks passed on first review.

38
specs/004-vps-migration/contracts/openapi.yaml Normal file
View File

@@ -0,0 +1,38 @@
openapi: 3.0.3
info:
title: VPS Migration Verification API
version: 0.1.0
description: |
Optional verification endpoints for migration validation. These describe
checks that can be automated; if no API is implemented, treat as a checklist.
paths:
/verify/proxy:
get:
summary: Verify reverse proxy routing to host services
responses:
"200":
description: Proxy mappings resolve to services on host server
/verify/firewall:
get:
summary: Verify iptables ruleset parity
responses:
"200":
description: Firewall flows match expected allow/deny behavior
/verify/vpn:
get:
summary: Verify VPN peer connectivity and address assignment
responses:
"200":
description: All peers connect with correct addresses
/verify/ssh:
get:
summary: Verify SSH access for authorized principals
responses:
"200":
description: Authorized keys allow expected access only
/verify/analytics:
get:
summary: Verify analytics data migrated successfully
responses:
"200":
description: Historical analytics data present on new server

41
specs/004-vps-migration/data-model.md Normal file
View File

@@ -0,0 +1,41 @@
# Data Model: VPS Migration
## Host
- **Fields**: name, role (primary/secondary), publicIp, vpnEndpoint, services[], proxyMappings[], firewallRuleSet
- **Rules**: Exactly one primary host for reverse proxying.
## Service
- **Fields**: name, enabled, runsOnHost, proxyEnabled, domains[]
- **Rules**: Services remain on host server; proxyEnabled true on VPS for all enabled services.
## ProxyMapping
- **Fields**: domain, targetService, tlsRequired
- **Rules**: domain must be unique across mappings; domain must match service definitions.
## FirewallRuleSet
- **Fields**: sourceFile (iptables), rules[], appliedHost
- **Rules**: Ruleset must be applied as-is; no translation allowed.
## VPNPeer
- **Fields**: name, publicKeyRef, allowedIps[]
- **Rules**: allowedIps must be unique across peers; publicKeyRef must resolve via secrets system.
## VPNInterface
- **Fields**: addressRanges[], listenPort, privateKeyRef
- **Rules**: privateKeyRef stored in secrets system; listenPort exposed on VPS.
## ServiceUser
- **Fields**: username, group, authorizedKeys[]
- **Rules**: deploy uses ed25519_deploy.pub; lidarr-reports uses ed25519_lidarr-reports.pub.
## MigrationChecklistItem
- **Fields**: task, verificationStep, status
- **Rules**: each migration task must have a verification step.

52
specs/004-vps-migration/plan.md Normal file
View File

@@ -0,0 +1,52 @@
# Implementation Plan: VPS Migration
**Branch**: `004-vps-migration` | **Date**: 2026-02-04 | **Spec**: /home/jawz/Development/NixOS/specs/004-vps-migration/spec.md
**Input**: Feature specification from `/specs/004-vps-migration/spec.md`
## Summary
Migrate VPS responsibilities to the new NixOS host by making it the primary reverse-proxy host (nginx only), mirroring the existing iptables ruleset, enabling wireguard with secret-managed keys, and restoring SSH/service-user access, while keeping all services running on the host server. Provide validation steps, review historical configs for gaps, and document analytics data migration.
## Technical Context
**Language/Version**: Nix (flakes; nixpkgs 25.11)
**Primary Dependencies**: NixOS modules, sops-nix, nginx, wireguard, openssh, iptables
**Storage**: Files (configuration and secrets)
**Testing**: Manual validation steps (no automated test harness)
**Target Platform**: Linux server (NixOS)
**Project Type**: configuration repo
**Performance Goals**: N/A (configuration change)
**Constraints**: Services remain on host server; VPS only terminates proxy and exposes wireguard port; iptables parity required
**Scale/Scope**: Single VPS + host server, small set of VPN peers and admin SSH principals
## Constitution Check
No enforceable constitution rules are defined (placeholders only). Gate passes by default.
Post-design check: unchanged (no enforceable gates found).
## Project Structure
### Documentation (this feature)
```text
specs/004-vps-migration/
├── plan.md
├── research.md
├── data-model.md
├── quickstart.md
├── contracts/
└── tasks.md
```
### Source Code (repository root)
```text
hosts/
modules/
secrets/
iptables
scripts/
```
**Structure Decision**: Use the existing NixOS configuration layout (`hosts/`, `modules/`, `secrets/`) and the root `iptables` ruleset file.

103
specs/004-vps-migration/quickstart.md Normal file
View File

@@ -0,0 +1,103 @@
# Quickstart: VPS Migration
## Prerequisites
- Access to this repo and the new VPS host configuration
- Existing iptables ruleset file available at repo root: `iptables`
- VPN keys present in the secrets system
- SSH public keys present in `secrets/ssh/`
## Steps
1. Review the spec and clarifications:
- `/home/jawz/Development/NixOS/specs/004-vps-migration/spec.md`
2. Ensure secrets are available:
- VPN private/public keys are stored in the secrets system
- `secrets/ssh/ed25519_deploy.pub` and `secrets/ssh/ed25519_lidarr-reports.pub` exist
3. Update host configuration:
- Set new VPS as primary reverse proxy host
- Enable proxying for all enabled services (services remain on host server)
- Apply iptables ruleset as-is
- Enable wireguard on VPS and expose port
- Add service users and admin SSH keys
- Update VPS public IP to `45.33.0.228` in SSH configuration
- Update host server VPN client to target the new VPS
4. Provide and review legacy proxy config snapshot:
- Supply caddy files for subdomain comparison
- Treat caddy as migration input only; nginx is the only proxy target for NixOS runtime
## Caddy vs Nix Subdomain Comparison (from provided caddy/ directory)
**Caddy-only domains (present in caddy, not found in current Nix server hosts):**
- danilo-reyes.com
- www.danilo-reyes.com
- blog.danilo-reyes.com
- www.blog.danilo-reyes.com
- mb-report.lebubu.org
- torrent.lebubu.org
**Nix-only domains (present in Nix server hosts, not in caddy config):**
- auth-proxy.lebubu.org
- comments.danilo-reyes.com
- flix.rotehaare.art
- 55a608953f6d64c199.lebubu.org
- pYLemuAfsrzNBaH77xSu.lebubu.org
- bookmarks.lebubu.org
- drpp.lebubu.org
- portfolio.lebubu.org
- qampqwn4wprhqny8h8zj.lebubu.org
- requests.lebubu.org
- start.lebubu.org
- sync.lebubu.org
- tranga.lebubu.org
**Notes:**
- `auth-proxy.lebubu.org` appears only in `15-private.caddyfile__` (not imported by Caddy), so it is currently inactive in caddy.
- `danilo-reyes.com` and `blog.danilo-reyes.com` are handled as static sites in caddy; Nix has `my.websites.portfolio` and `isso` which may need mapping to these domains.
- `mb-report.lebubu.org` and `torrent.lebubu.org` are present in caddy but no matching Nix server host was found.
5. Migrate analytics data:
- Export data from existing server
- Import into new server
- Validate historical data is present
6. Run verification steps for each task (per spec FR-012).
## Clarification Candidates From History Review
- `opentracker` was installed and enabled (`systemctl enable --now opentracker`) with firewall rules for TCP/UDP `6969`; confirm if tracker service is still required on NixOS.
- `ip6tables` was enabled on Fedora (`systemctl enable ip6tables`); confirm if equivalent IPv6 policy is required on VPS.
- `net.ipv4.conf.wg0.rp_filter=0` was set during forwarding troubleshooting; confirm if this sysctl needs to be persisted on VPS.
- Fedora-specific SELinux SSH port handling (`semanage ssh_port_t`) appears in history; confirm it can remain excluded on NixOS.
## Verification Steps
- **T001**: `test -f ./iptables && test -f ./secrets/ssh/ed25519_deploy.pub && test -f ./secrets/ssh/ed25519_lidarr-reports.pub && test -f ./secrets/wireguard.yaml`
- **T002**: verify this section exists in `/home/jawz/Development/NixOS/specs/004-vps-migration/quickstart.md`
- **T003**: `rg -n "mainServer|enableProxy" hosts/server/toggles.nix modules/modules.nix`
- **T004**: `rg -n "wireguard|wg0|services.wireguard" modules/services/wireguard.nix hosts/vps/configuration.nix`
- **T005**: `rg -n "vps|45.33.0.228|programs.ssh" config/jawz.nix modules/modules.nix`
- **T006**: `rg -n "/etc/caddy/Caddyfile.d" sudo_hist jawz_hist`
- **T007**: `rg -n 'mainServer = "vps"' hosts/server/toggles.nix modules/modules.nix`
- **T008**: `rg -n "enableProxy = true" hosts/vps/toggles.nix hosts/vps/configuration.nix hosts/server/toggles.nix`
- **T009**: ensure Caddy vs Nix comparison section remains in this file
- **T010**: `rg -n "iqQCY4iAWO-ca/pem|certPath|proxyReversePrivate" modules/network/nginx.nix modules/servers`
- **T011**: `rg -n "iptables.rules|iptables-restore|networking.firewall.enable = false" hosts/vps/configuration.nix`
- **T012**: `rg -n "services.wireguard.enable = true" hosts/vps/configuration.nix`
- **T013**: confirm `wireguard/private` exists in `secrets/wireguard.yaml`
- **T014**: `rg -n "10.77.0.1/24|10.8.0.1/24|10.9.0.1/24|AllowedIPs|allowedIPs" modules/services/wireguard.nix`
- **T015**: `rg -n "users\\.deploy|users\\.lidarr-reports|ed25519_deploy|ed25519_lidarr-reports" hosts/vps/configuration.nix`
- **T016**: `rg -n "workstation|server|deacero|galaxy" hosts/vps/configuration.nix`
- **T017**: `rg -n "ports = \\[ 3456 \\]|PermitRootLogin = \"no\"" hosts/vps/configuration.nix`
- **T018**: `rg -n "sudo-rs\\.extraRules|nixos-rebuild|nixremote" hosts/vps/configuration.nix`
- **T019**: `rg -n "nixworkstation" hosts/vps/configuration.nix`
- **T020**: `rg -n "45\\.33\\.0\\.228" modules/modules.nix config/jawz.nix`
- **T021**: `rg -n "endpoint = .*my\\.ips\\.vps" hosts/server/configuration.nix`
- **T022**: verify "Clarification Candidates From History Review" section exists in this file
- **T023**: intentionally skipped by operator for this implementation pass
- **T024**: verify each task from T001-T026 has a corresponding verification line in this section
- **T025**: `rg -n "caddy|Caddy" README.org docs || true` and confirm no active-proxy references remain outside legacy migration notes
- **T026**: `rg -n "T0[0-2][0-9]" /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md` and confirm each task mentions at least one concrete path

31
specs/004-vps-migration/research.md Normal file
View File

@@ -0,0 +1,31 @@
# Research: VPS Migration
## Decision 1: Reverse proxy role
- **Decision**: New VPS runs nginx as the primary reverse proxy; services remain on the host server.
- **Rationale**: Matches the clarified scope and minimizes service migration risk while restoring proxy functionality.
- **Alternatives considered**: Migrating services to VPS; keeping old proxy (caddy) on Fedora VPS.
## Decision 2: Firewall parity
- **Decision**: Apply the existing iptables ruleset as-is on the new VPS.
- **Rationale**: Ensures exact behavioral parity for complex routing and hot-swap behavior.
- **Alternatives considered**: Translating to another firewall system; partial translation with mixed rules.
## Decision 3: VPN key handling
- **Decision**: Store VPN keys only in the existing secrets system; no plaintext keys in config.
- **Rationale**: Preserves confidentiality and aligns with encrypted secrets workflow.
- **Alternatives considered**: Plaintext inline keys; separate unmanaged secrets store.
## Decision 4: Admin SSH principals
- **Decision**: Limit admin SSH authorized_keys entries to workstation, server, deacero, and galaxy.
- **Rationale**: Keeps access scope bounded to explicitly requested principals.
- **Alternatives considered**: Auto-adding other hosts found in config; adding only after confirmation.
## Decision 5: Analytics (Plausible) migration
- **Decision**: Migrate existing analytics data to the new server.
- **Rationale**: Preserves historical reporting and continuity of metrics.
- **Alternatives considered**: Fresh start with no history; read-only legacy instance for history.

177
specs/004-vps-migration/spec.md Normal file
View File

@@ -0,0 +1,177 @@
# Feature Specification: VPS Migration
**Feature Branch**: `004-vps-migration`
**Created**: 2026-02-04
**Status**: Draft
**Input**: User description: "start feature branch 004, the git fetch command will fail, so force 004. Feature 003 added a new hosts vps, as a linode host, I want to now fully migrate my existing fedora vps to this new nixos vps. to do so I want to bring in the configurations fedora vps has. 1. right now the nginx logic of my servers is disabled, because I let the fedora vps handle the reverse proxy through caddy. But I dont want that caddy logic, on nixos I want to let nginx take care of the reverse proxies, plus the logic is already backed in, there is a isLocal logic to the factory, and I dont remember exactly the name of the code. but there is some flag under the my. options that specifies the mainHost, the constitution mentions that mainHost is the host handling nginx and because the vps will be it, then main host needs to become vps, I think before it was miniserver. This change means, that all the currently enabled servers on the toggles.nix from the host server, should have the enableProxy flag on vps (double check the logic) this should make it so, that nginx runs on vps, and the servers run on server. 2. Add a step to ask me for the caddy files, just to check that the subdomains caddy handles for each server match the subdomains on the servers/.*nix files. 3. I use iptables on the fedora vps, and the nixos vps, well I dont mind you using another firewall but there are some complex firewall rules that I need them to work 100% as the original vps, the rules will be on a file named iptables, this is perhaps the most important step, otherwise the complex network configuration this vps has wont be able to hot swap and serve my servers to the world.
4. modify the existing wireguard.nix module, doublecheck that isnt toggled anywhere, toggle it on vps and add this configuration to it
[Interface]
#DNS = 10.77.0.1
Address = 10.77.0.1/24, 10.8.0.1/24, 10.9.0.1/24
ListenPort = 51820
PrivateKey = aDQHN3DfAGEFjVHRKIJ34CJKPcKx7HdYzkEbRNBNWGw=
# me
[Peer]
PublicKey = OUiqluRaS4hmGvLJ3csQrnIM3Zzet50gsqtTABaUkH4=
AllowedIPs = 10.77.0.2/32
# friends
[Peer] # 7351
PublicKey = rFgT6TXzRazK6GMazMNGjtOvzAAPST0LvCfN7QXsLho=
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = R1CTx5+CXivMI6ZEmRYsyFUFILhe6Qnub0iEIRvvrEY=
AllowedIPs = 10.8.0.3/32
[Peer]
PublicKey = ecPNSacD6yVwpnLBs171z0xkw9M1DXKh/Kn70cIBcwA=
AllowedIPs = 10.8.0.4/32
[Peer]
PublicKey = yg+2miZCrx89znFaUlU/le/7UIPgEAMY74fZfEwz8g4=
AllowedIPs = 10.8.0.5/32
# # gooners
# [Peer]
# PublicKey = GawtOvsZ75avelIri5CjGoPXd8AFpi9qlZ6dSsqUISE=
# AllowedIPs = 10.77.0.2/32, 10.9.0.2/32
can I use sops to encrypt the public and private keys? if so, on modules.nix you will see that the ips on that wireguard config correspond to wg-friend1...n when you get to this step pause and tell me to create the sops secrets for these public keys.
5. I have two cicds on this server
drwxrwxr-x. 11 deploy www-data 4096 Dec 26 20:47 blog
drwxr-xr-x. 2 lidarr-reports lidarr-reports 4096 Nov 11 17:52 lidarr-mb-gap
drwxrwxr-x. 12 deploy www-data 4096 Dec 26 21:01 portfolio
I need you to create the service users and groups for deploy and lidarr-reports.
in those, I need you to add ./secrets/ssh/ed25519_deploy.pub to authorized_keys for the user deploy
and for lidarr-reports ed25519_lidarr-reports.pub
6. similar to every other host, add ssh login authorized_keys for workstation, server, deacero, galaxy and check if Im missing one. Because this will replace the ssh vps on the ssh config, you need to replace the existing vps ip with 45.33.0.228. 7. change the configuration on the host server, so that its wireguard session, connects to this server (i think will ve done automagically when the ip changes right?) 8. Ive added sudo_hist and jawz_hist, which are a dump of the histfile of this server, just check if there is a configuration that Im missing, something I did on there that I missed, and add it to the clarification list, so when I run clarify I tell you if I want that or not, granted lots of those commands are trial and error, so I think I have everything. 9. I have setup a plausible server, write the steps necesary to migrate it, I dont know.
10. add verification steps for every task we did, when youre done and"
## Clarifications
### Session 2026-02-04
- Q: Are any services being migrated to the new VPS, and what does enableProxy do? → A: No services are migrated; enableProxy only configures nginx on the VPS, wireguard exposes the port, and services continue running on the host server.
- Q: How should the analytics service be migrated? → A: Migrate existing analytics data to the new server.
- Q: How should firewall parity be achieved on the new VPS? → A: Use the existing iptables ruleset as-is.
- Q: Where should VPN keys be stored? → A: Preserve keys only in the existing secrets system.
- Q: Which admin hosts should receive SSH authorized_keys entries? → A: Only the listed hosts (workstation, server, deacero, galaxy).
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Migrate VPS as Primary Host (Priority: P1)
As an operator, I want the new VPS to become the primary host for reverse proxying and networking while services continue running on the host server, so public traffic and internal tunnels continue working after the migration.
**Why this priority**: This is the core migration goal and failure would cause outages.
**Independent Test**: Can be fully tested by switching the primary host role to the new VPS and verifying proxy and tunnel connectivity without depending on the other stories.
**Acceptance Scenarios**:
1. **Given** the new VPS is designated as the primary host, **When** proxying is enabled, **Then** public endpoints resolve through the new VPS while services remain on the host server.
2. **Given** the previous VPS is no longer handling proxying, **When** traffic is routed through the new VPS, **Then** no service loses external access.
---
### User Story 2 - Preserve Firewall Behavior (Priority: P1)
As an operator, I want the firewall behavior on the new VPS to match the existing VPS so that all current network paths continue to function.
**Why this priority**: Firewall parity is critical to avoid breaking complex routing and hot-swap behavior.
**Independent Test**: Can be fully tested by comparing allowed/blocked traffic and confirming all required network paths remain functional.
**Acceptance Scenarios**:
1. **Given** the firewall rules are applied to the new VPS, **When** all known inbound and outbound paths are exercised, **Then** they behave identically to the existing VPS.
---
### User Story 3 - Restore Secure Access and VPN Peers (Priority: P2)
As an operator, I want VPN peers and SSH access to be configured on the new VPS so administration and CI/CD access remain available.
**Why this priority**: Secure access is required for operating and deploying services.
**Independent Test**: Can be fully tested by connecting each VPN peer and verifying SSH access for each authorized user.
**Acceptance Scenarios**:
1. **Given** the VPN configuration is enabled on the new VPS, **When** each peer connects, **Then** each peer receives the correct addresses and can reach intended resources.
2. **Given** service users and admin users are created on the new VPS, **When** their authorized keys are used, **Then** SSH access succeeds with the expected permissions.
---
### User Story 4 - Capture Migration Gaps and Validation (Priority: P3)
As an operator, I want a checklist of potential missing configuration from existing server history and clear verification steps so the migration is safe and complete.
**Why this priority**: This reduces risk of overlooked manual changes and provides confidence during cutover.
**Independent Test**: Can be fully tested by running the verification steps and confirming no missing items remain.
**Acceptance Scenarios**:
1. **Given** historical command logs are reviewed, **When** likely missing configurations are identified, **Then** they are listed as clarifications for user confirmation.
2. **Given** verification steps are provided for each task, **When** the operator executes them, **Then** each migration task can be validated.
---
### Edge Cases
- What happens when a subdomain mapping differs between the previous proxy configuration and the current service definitions?
- How does the system handle a firewall rule that is ambiguous or conflicts with existing policy?
- What happens if an SSH key file is missing or invalid for a service user?
## Requirements *(mandatory)*
### Functional Requirements
- **FR-001**: The system MUST designate the new VPS as the primary host for reverse proxying and ensure all enabled services are routed through it without relocating the services.
- **FR-002**: The system MUST ensure proxy configuration is enabled for all services currently enabled on the host server so traffic flows through the new VPS while services remain on the host server.
- **FR-003**: The system MUST request existing proxy configuration files for verification and flag any subdomain mismatches against current service definitions.
- **FR-004**: The system MUST apply the existing iptables ruleset as-is on the new VPS to match the existing VPS behavior for all documented inbound and outbound flows.
- **FR-005**: The system MUST enable the VPN configuration on the new VPS with the specified peer addresses and ensure each peer is uniquely identified.
- **FR-006**: The system MUST support encrypting sensitive VPN keys and pause for user-provided secret material when required.
- **FR-015**: The system MUST store VPN keys only in the existing secrets system and must not place them in plaintext configuration.
- **FR-007**: The system MUST create service users and groups for deployment workflows and grant SSH access via specified public keys.
- **FR-008**: The system MUST configure SSH access for all standard admin hosts and update the VPS connection target to the new public IP.
- **FR-016**: The system MUST grant SSH access only to workstation, server, deacero, and galaxy admin hosts.
- **FR-017**: The system MUST configure SSHD to use port 3456 and disable root/password authentication to match the existing VPS security posture.
- **FR-018**: The system MUST harden remote rebuild access by using a non-root SSH user with least-privilege access for rebuild operations.
- **FR-009**: The system MUST update dependent host configurations so existing VPN client connections target the new VPS.
- **FR-010**: The system MUST review provided history logs and produce a clarification list of potential missing configurations.
- **FR-011**: The system MUST document migration steps for the analytics service and include them in the migration plan.
- **FR-013**: The system MUST include analytics data migration as part of the analytics service migration steps.
- **FR-012**: The system MUST provide verification steps for each migration task performed.
### Key Entities *(include if feature involves data)*
- **Host**: A server instance that can be assigned primary or secondary roles and hosts services.
- **Service**: A deployable workload with external endpoints and internal configuration.
- **Proxy Mapping**: The set of subdomains and routing rules that map public traffic to services.
- **Firewall Rule Set**: The collection of allowed and blocked network flows required for the VPS.
- **VPN Peer**: A client identity with assigned addresses and access constraints.
- **SSH Key**: A public key used for authenticated access to a user account.
- **Migration Checklist**: A list of tasks and verification steps that confirm readiness.
## Success Criteria *(mandatory)*
### Measurable Outcomes
- **SC-001**: 100% of services previously reachable via the old VPS are reachable via the new VPS after cutover.
- **SC-002**: All documented firewall flows (inbound and outbound) pass or block with the same outcomes as the old VPS.
- **SC-003**: 100% of configured VPN peers can connect and reach required internal addresses.
- **SC-004**: 100% of authorized SSH users can authenticate using their specified keys.
- **SC-005**: Migration verification steps can be completed in a single run without unresolved failures.
## Assumptions
- The existing proxy configuration files will be provided by the user for comparison.
- The firewall rules from the existing VPS are authoritative and should be mirrored on the new VPS.
- The list of standard admin hosts for SSH access is complete unless the review identifies an omission.
- The analytics service migration steps are documentation-only and do not require immediate cutover.

92
specs/004-vps-migration/tasks.md Normal file
View File

@@ -0,0 +1,92 @@
# Tasks: VPS Migration
**Branch**: `004-vps-migration`
**Date**: 2026-02-04
**Spec**: /home/jawz/Development/NixOS/specs/004-vps-migration/spec.md
**Plan**: /home/jawz/Development/NixOS/specs/004-vps-migration/plan.md
## Implementation Strategy
Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host server). Then complete firewall parity (US2), secure access (US3), and migration gap review + verification (US4).
## Phase 1: Setup
- [x] T001 Confirm baseline files exist: iptables, secrets/ssh/ed25519_deploy.pub, secrets/ssh/ed25519_lidarr-reports.pub, secrets system entries for VPN keys
- [x] T002 Create working checklist placeholder for verification steps in /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md (this file)
## Phase 2: Foundational
- [x] T003 [P] Review mainServer and enableProxy options in hosts/server/toggles.nix and modules/modules.nix
- [x] T004 [P] Review wireguard module in modules/services/wireguard.nix and VPS host config in hosts/vps/configuration.nix
- [x] T005 [P] Review SSH host/IP settings in config/jawz.nix and modules/modules.nix for vps IP updates
- [x] T006 [P] Review caddy file list references in ./jawz_hist and ./sudo_hist to prepare subdomain comparison inputs
## Phase 3: User Story 1 (P1) - Primary VPS reverse proxy
**Story goal**: New VPS is primary reverse-proxy host (nginx only) while services remain on host server.
**Independent test criteria**: Proxy mappings resolve through VPS to host server services without relocating services.
- [x] T007 [US1] Set mainServer to \"vps\" in hosts/server/toggles.nix
- [x] T008 [US1] Enable proxying on VPS by setting my.enableProxy = true in hosts/vps/configuration.nix and ensure services in hosts/server/toggles.nix have enableProxy = true
- [x] T009 [US1] Capture provided caddy config files (e.g., /etc/caddy/Caddyfile.d/*) and compare subdomains to modules/servers/*.nix domain definitions; document mismatches in specs/004-vps-migration/quickstart.md
- [x] T010 [US1] Add shared client certificate handling from modules/servers/synapse.nix into the factory or shared module and apply it to mTLS-protected sites (use secrets/certs.yaml for client CA)
## Phase 4: User Story 2 (P1) - Firewall parity
**Story goal**: Firewall behavior on new VPS matches old VPS by applying iptables ruleset as-is.
**Independent test criteria**: Known inbound/outbound flows match existing VPS behavior.
- [x] T011 [US2] Apply iptables ruleset as-is to VPS configuration in hosts/vps/configuration.nix using the repo root iptables file
## Phase 5: User Story 3 (P2) - Secure access and VPN peers
**Story goal**: Wireguard enabled on VPS with secrets-managed keys; SSH access for service users and admin hosts.
**Independent test criteria**: VPN peers connect with correct addresses; SSH keys authenticate as expected.
- [x] T012 [US3] Enable wireguard module on VPS in hosts/vps/configuration.nix (my.services.wireguard.enable = true) and ensure listen port exposed
- [x] T013 [US3] Add sops secrets entries for wireguard keys in secrets/wireguard.yaml and confirm user-provided key material
- [x] T014 [US3] Update wireguard peer configuration in modules/services/wireguard.nix using sops secrets refs for public/private keys (no plaintext)
- [x] T015 [US3] Add service users and groups deploy and lidarr-reports with authorized_keys in hosts/vps/configuration.nix using secrets/ssh/ed25519_deploy.pub and secrets/ssh/ed25519_lidarr-reports.pub
- [x] T016 [US3] Add admin SSH authorized_keys for workstation, server, deacero, galaxy in hosts/vps/configuration.nix
- [x] T017 [US3] Configure sshd port and auth settings in hosts/vps/configuration.nix to match: Port 3456, PermitRootLogin no, PasswordAuthentication no
- [x] T018 [US3] Harden remote rebuild access by switching to a non-root SSH user for rebuilds (nixremote) and requiring sudo for nixos-rebuild in hosts/vps/configuration.nix and modules/users/nixremote.nix
- [x] T019 [US3] Restrict SSH access for remote rebuilds by limiting allowed users/keys for nixremote (update inputs.self.lib.getSshKeys list in hosts/vps/configuration.nix)
- [x] T020 [US3] Update VPS IP to 45.33.0.228 in modules/modules.nix and config/jawz.nix SSH host entry
- [x] T021 [US3] Update host server wireguard client configuration in hosts/server/configuration.nix to target the new VPS endpoint
## Phase 6: User Story 4 (P3) - Migration gaps and verification
**Story goal**: Identify missing configuration from history logs and provide verification steps for every task.
**Independent test criteria**: Clarification list exists and each task has a verification step.
- [x] T022 [US4] Review sudo_hist and jawz_hist for missing configuration; record clarification list in specs/004-vps-migration/quickstart.md
- [ ] T023 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md
- [x] T024 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md
## Phase 7: Polish & Cross-Cutting Concerns
- [x] T025 [P] Update references to old VPS proxy logic (caddy) to ensure nginx is the only runtime proxy in README.org and docs/*.md
- [x] T026 [P] Validate all task descriptions include explicit file paths in specs/004-vps-migration/tasks.md and update mismatches
## Dependencies
- US1 → US2 → US3 → US4
## Parallel Execution Examples
- US1: T007, T008, T009 can proceed once T003 and T006 are reviewed.
- US2: T011 can proceed once iptables application location is identified.
- US3: T012, T016, T017, T018, and T020 can proceed after T004 and T005 review; T013 depends on user-provided secrets.
- US4: T022, T023, T024 can proceed independently once logs are reviewed and quickstart.md is open.
## Validation
- All tasks use the required checklist format with IDs, story labels, and explicit file paths.
## Verification Steps (Placeholder)
- To be filled during T024 with per-task verification steps.

457
sudo_hist Normal file
View File

@@ -0,0 +1,457 @@
clear
exit
clear
dnf install wireguard-tools neovim caddy
systemctl enable --now caddy
systemctl enable --now iptables
dnf install iptables-services
systemctl enable --now iptables
ls /home/
ls /home/fedora
nano /etc/ssh/sshd_config
nano /etc/wireguard/wg0.conf
nano /etc/wireguard/home_private.key
sudo useradd -m -s /bin/bash jawz
sudo passwd jawz
sudo usermod -aG wheel jawz
visudo
ls
su jawz
cat /home/jawz/iptables /etc/sysconfig/iptables
cat /home/jawz/iptables > /etc/sysconfig/iptables
cat /home/jawz/iptables-config /etc/sysconfig/iptables-config
cat /home/jawz/iptables-config > /etc/sysconfig/iptables-config
sudo systemctl restart iptables.service
nano /etc/hosts
ls
sudoedit /etc/ssh/sshd_config
ls
sudo reboot
mv /home/jawz/Caddyfile.d/ /etc/caddy/
ls /etc/caddy/
ls /etc/caddy/ -la
sudo chown root:root /etc/caddy/Caddyfile -R
ls /etc/caddy/ -la
chown root:root -R /etc/caddy/Caddyfile
ls /etc/caddy/ -la
chown root:root -R /etc/caddy/Caddyfile.d/
ls /etc/caddy/ -la
sudo systemctl restart caddy
exit
528491
clear
export TERM=xterm-256color
clear
sudo iptables -S
ping google.com
sudoedit /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudo systemctl restart wg-quick@wg0.service
sudo iptables -L FORWARD -n -v --line-numbers
sudoedit /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudoedit /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudoedit /etc/sysconfig/iptables
sudo iptables-save > /root/iptables-backup-$(date +%s)
sudo iptables -F FORWARD
sudo iptables-restore < /tmp/iptables
sudo iptables -D FORWARD 4
sudo iptables -S
sudo systemctl restart iptables.service
sudo iptables -S
sudoedit /etc/sysconfig/iptables
sud nvim /etc/sysconfig/iptables
sudo nvim /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudo journalctl -xeu iptables
sudo nvim /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudo systemctl restart caddy
cd /etc/caddy/Caddyfile.d/
ls
mv portfolio.caddyfile portfolio.caddyfile_
sudo systemctl restart caddy
sudoedit /etc/wireguard/wg0.conf
sudo systemctl restart wg-quick@wg0.service
ping 10.77.0.2:80
sudoedit /etc/wireguard/wg0.conf
ping 10.77.0.2
sudo journalctl -xefu wg-quick@wg0
ping 10.77.0.2
ping server
wg show
sudoedit /etc/wireguard/wg0.conf
wg show
cd /etc/caddy/Caddyfile.d/
mv portfolio.caddyfile_ portfolio.caddyfile
mv portfolio.caddyfile portfolio.caddyfile_
cat /etc/sysconfig/iptables
sudo nvim /etc/sysconfig/iptables
sudo systemctl restart iptables.service
journalctl -xeu iptables
sudo nvim /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudo iptables -L FORWARD -n -v --line-numbers
# In one terminal, watch the iptables counters
sudo watch -n1 'iptables -L FORWARD -n -v --line-numbers'
export TERM=xterm-256color
sudo watch -n1 'iptables -L FORWARD -n -v --line-numbers'
sudo tcpdump -i any icmp -n
ip addr show wg0
sudo iptables -I FORWARD 6 -s 10.8.0.0/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
sudo iptables -I FORWARD 7 -s 10.77.0.2/32 -d 10.8.0.0/24 -p icmp -j ACCEPT
sudo iptables -L FORWARD -n -v --line-numbers
sudo iptables-save > /etc/sysconfig/iptables
nano /etc/wireguard/wg0.conf
export TERM=xterm-256color
nano /etc/wireguard/wg0.conf
systemctl restart wg-quick.target
systemctl restart wg-quick@wg0
cat /etc/wireguard/wg0.conf
sudo nvim /etc/wireguard/wg0.conf
sudo systemctl restart wg-quick@wg0.service
wg show
sudo nvim /etc/wireguard/wg0.conf
sudo systemctl restart wg-quick@wg0.service
wg show
sudo systemctl enable ip6tables
sudo systemctl disable --now nftables 2>/dev/null || true
sudo systemctl mask nftables 2>/dev/null || true
exit
export TERM=xterm-256color
sudo nano /etc/sysconfig/iptables
cd /etc/caddy/Caddyfile.d/
ls
cat fun.caddyfile__
rm fun.caddyfile__
ls
nano simple.caddyfile
export TERM=xterm-256color
nano simple.caddyfile
nvim simple.caddyfile
mv simple.caddyfile servers.caddyfile
systemctl restart caddy
ls
exit
export TERM=xterm-256color
cd /etc/caddy/Caddyfile.d/
nvim servers.caddyfile
sudo systemctl restart caddy
journalctl -xeu caddy
cd /etc/caddy/Caddyfile.d/
nvim redirect.caddyfile
sudo systemctl restart caddy
nvim redirect.caddyfile
sudo journalctl -u caddy -f
ls
nvim redirect.caddyfile
mv redirect.caddyfile 10-redirect.caddyfile
nvim 00-allowlist.caddyfile
mv servers.caddyfile 20-servers.caddyfile
cd ..
ls
nvim Caddyfile
sudo systemctl restart caddy
sudo journalctl -u caddy -f
nvim Caddyfile
sudo systemctl restart caddy
nvim Caddyfile
ls
cd Caddyfile.d/
ls
mv 00-allowlist.caddyfile 00-allowlist.caddyfile_
mv 10-redirect.caddyfile 10-redirect.caddyfile_
sudo systemctl restart caddy
exit
cd /etc/caddy/Caddyfile.d/
nvim servers.caddyfile
nvim redirect.caddyfile
sudo caddy fmt --overwrite redirect.caddyfile
sudo caddy validate --config redirect.caddyfile
nvim /etc/caddy/Caddyfile.d/servers.caddyfile
systemctl restart caddy
cd /etc/caddy/Caddyfile.d/
ls
rm 00-allowlist.caddyfile_ 10-redirect.caddyfile_ portfolio.caddyfile_
ls
mv portfolio.caddyfile_ 30-portfolio.caddyfile_
nvim 30-portfolio.caddyfile_
ls
cat 20-servers.caddyfile
nvim 20-servers.caddyfile
systemctl restart caddy
nvim 20-servers.caddyfile
nvim 10-nextcloud.caddyfile
nvim 20-servers.caddyfile
cd ..
cat Caddyfile.d/20-servers.caddyfile
cat Caddyfile.d/20-servers.caddyfile | head -n 30
cat Caddyfile.d/20-servers.caddyfile | head -n 10
nvim /etc/caddy/client_ca.pem
nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
systemctl restart caddy
cat Caddyfile.d/20-servers.caddyfile | head -n 10
exit
nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
nvim /etc/caddy/Caddyfile.d/15-private.caddyfile
sudo systemctl restart caddy
nvim /etc/caddy/Caddyfile.d/10-nextcloud.caddyfile
nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
cat /etc/caddy/Caddyfile.d/20-servers.caddyfile
exit
cd /etc/
ls
cd sysconfig/
ls
nvim iptables
cat iptables
curl 10.77.0.2:8999
nvim iptables
sudo systemctl restart iptables.service
exit
curl 10.77.0.2:8999
curl 10.8.0.2:8999
curl 10.8.0.1:8999
exit
cd /etc/wireguard/
ls
cat wg0.conf
exit
cd /etc/caddy/
ls
cd Caddyfile.d/
ls
mv 30-portfolio.caddyfile_ 30-portfolio.caddyfile
cat 15-private.caddyfile__
ls
cat 25-static.caddyfile
cat 30-portfolio.caddyfile
rm 30-portfolio.caddyfile
nvim 25-static.caddyfile
systemctl restart caddy
exit
cat /etc/caddy/Caddyfile.d/25-static.caddyfile
nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
cat /etc/caddy/Caddyfile.d/25-static.caddyfile
nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
cat /etc/caddy/Caddyfile.d/25-static.caddyfile
caddy validate --config /etc/caddy/Caddyfile.d/25-static.caddyfile
caddy fmt --overwrite /etc/caddy/Caddyfile.d/*
caddy fmt --overwrite /etc/caddy/Caddyfile.d/25-static.caddyfile
find -tf /etc/caddy/Caddyfile.d/25-static.caddyfile
find -type f /etc/caddy/Caddyfile.d/
find /etc/caddy/Caddyfile.d/ -type f
find /etc/caddy/Caddyfile.d/ -type f -exec caddy fmt --overwrite {}
find /etc/caddy/Caddyfile.d/ -type f -exec caddy fmt --overwrite {} \;
caddy validate --config /etc/caddy/Caddyfile.d/25-static.caddyfile
ls -la /var/www/html/portfolio/
ls -la /var/www/html/portfolio/images/
ls -la /var/www/html/portfolio/old_ijwbs/
du -sh /var/www/html/portfolio/
ls -la /var/www/html/portfolio/
ls -la /var/www/html/portfolio/friends/
cd /etc/sysconfig/
ls
cat iptables
rg 51413
rg 51412
cat iptables
sudo tcpdump -ni eth0 port 51412
sudo tcpdump -ni wg0 port 51412
sudo tcpdump -ni eth0 port 51412
ss -ltnp | grep ":51412"
sysctl -w net.ipv4.ip_forward=1
# ---- NAT (insert at top) ----
iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I PREROUTING 2 -i eth0 -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I POSTROUTING 1 -s 10.77.0.0/24 -o eth0 -j MASQUERADE
# ---- FORWARD ----
iptables -I FORWARD 1 -i eth0 -o wg0 -p tcp -d 10.77.0.2 --dport 51412 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -i eth0 -o wg0 -p udp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 3 -i wg0 -o eth0 -s 10.77.0.2 -p tcp --sport 51412 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 4 -i wg0 -o eth0 -s 10.77.0.2 -p udp --sport 51412 -j ACCEPT
iptables -I FORWARD 5 -i wg0 -o eth0 -j ACCEPT
iptables -I FORWARD 6 -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
net.ipv4.ip_forward = 1
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I PREROUTING 2 -i eth0 -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I POSTROUTING 1 -s 10.77.0.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD 1 -i eth0 -o wg0 -p tcp -d 10.77.0.2 --dport 51412 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -i eth0 -o wg0 -p udp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 3 -i wg0 -o eth0 -s 10.77.0.2 -p tcp --sport 51412 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 4 -i wg0 -o eth0 -s 10.77.0.2 -p udp --sport 51412 -j ACCEPT
iptables -I FORWARD 5 -i wg0 -o eth0 -j ACCEPT
iptables -I FORWARD 6 -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -L FORWARD -n -v --line-numbers
iptables -t nat -L -n -v --line-numbers
iptables -L FORWARD -n -v --line-numbers
iptables -t nat -L -n -v --line-numbers
sudo tcpdump -ni eth0 port 51412
curl -4 ifconfig.me
tcpdump -ni eth0 port 51412
ss -lntup | grep 51412
iptables -t raw -I PREROUTING 1 -p tcp --dport 51412 -j NOTRACK
iptables -t raw -I PREROUTING 1 -p udp --dport 51412 -j NOTRACK
iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I PREROUTING 2 -i eth0 -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -I FORWARD 1 -i eth0 -o wg0 -p tcp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 2 -i eth0 -o wg0 -p udp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 3 -i wg0 -o eth0 -s 10.77.0.2 --sport 51412 -j ACCEPT
iptables -t nat -I POSTROUTING 1 -s 10.77.0.2 -o eth0 -j MASQUERADE
tcpdump -ni wg0 port 51412
sysctl net.ipv4.ip_forward
iptables -t raw -I PREROUTING 1 -p tcp --dport 51412 -j NOTRACK
iptables -t raw -I PREROUTING 2 -p udp --dport 51412 -j NOTRACK
iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I PREROUTING 2 -i eth0 -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -I FORWARD 1 -i eth0 -o wg0 -p tcp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 2 -i eth0 -o wg0 -p udp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 3 -i wg0 -o eth0 -s 10.77.0.2 --sport 51412 -j ACCEPT
iptables -t nat -I POSTROUTING 1 -s 10.77.0.2 -o eth0 -j MASQUERADE
tcpdump -ni wg0 port 51412
tcpdump -ni eth0 'tcp port 51412'
sysctl net.ipv4.conf.eth0.route_localnet
sysctl -w net.ipv4.conf.eth0.route_localnet=1
ip rule add fwmark 0x1 lookup 100
ip route add default dev wg0 table 100
iptables -t mangle -I PREROUTING 1 -i eth0 -p tcp --dport 51412 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING 2 -i eth0 -p udp --dport 51412 -j MARK --set-mark 1
tcpdump -ni eth0 'tcp port 51412'
reboot
mkfs.ext4 "/dev/disk/by-id/scsi-0Linode_Volume_box"
mkdir /mnt/box
mount "/dev/disk/by-id/scsi-0Linode_Volume_box" "/mnt/box"
nvim /etc/fstab
cd /mnt/box/
ls -lag
sudo dnf install -y qbittorrent-nox
exit
cd /srv/torrents/downloads/
ls
cd The.Sims.4.Jenny/
ls
du -sh
rm rune
rm rune.nfo
exit
cd /srv/torrents/downloads/
ls
ls ../incomplete/
ls
ls in
ls ../incomplete/
ls
ls -lag
cd ..
su -sh
dh -sh
du -sh
df -h
ls
rm -rf incomplete/The.Sims.4.Jenny/
exit
cd
cd /srv/torrents/
ls -lag
du -sh
ls
mv tits/The.Sims.4.Jenny/ incomplete/
rmdir tits/
chown -R qbittorrent:qbittorrent incomplete/
cd /etc/sysconfig/
ls
cp iptables iptables_working
nvim iptables
systemctl restart iptables.service
journal -xeu iptables
journalctl -xeu iptables
nvim iptables
systemctl restart iptables.service
journalctl -xeu iptables
exit
nvim iptables
cd /etc/sysconfig/
nvim iptables
cd /etc/wireguard/
ls
nvim wg0.conf
nvim /etc/sysconfig/iptables
cd /etc/wireguard/
ls
wg genkey | tee privatekey | wg pubkey > publickey
ls
rm privatekey publickey
ls
mkdir friend
cd friend/
wg genkey | tee privatekey | wg pubkey > publickey
ls
cat privatekey
cat publickey
nvim ../wg0.conf
cat privatekey
nvim ../wg0.conf
systemctl restart wireguard
systemctl restart wg-quick@wg0.service
nvim /etc/sysconfig/iptables
nvim ../wg0.conf
systemctl restart wg-quick@wg0.service
nvim ../wg0.conf
wg show
nvim ../wg0.conf
nvim /etc/sysconfig/iptables
sudo systemctl restart iptables.service
nvim ../wg0.conf
cd /etc/wireguard/
ls
cd friend/
ls
rm *
wg genkey | tee privatekey | wg pubkey > publickey
cat publickey
nvim ../wg0.conf
cat privatekey
nvim ../wg0.conf
rm *
wg genkey | tee privatekey | wg pubkey > publickey
cat publickey
nvim ../wg0.conf
cat privatekey
rm *
wg genkey | tee privatekey | wg pubkey > publickey
cat publickey
nvim ../wg0.conf
cat privatekey
nvim /etc/sysconfig/iptables
sudo reboot
cd /etc/caddy/Caddyfile.d/
ls
rg xxx
nvim 15-private.caddyfile
sudo systemctl restart caddy
nvim 15-private.caddyfile
nvim 15-private.caddyfile__
exit
cd /etc/wireguard/
ls
cat wg0.conf
ls
ls friend/
rm friend/ -rf
ls
cd /var/www/html/
ls -lag blog/ lidarr-mb-gap/ portfolio/
ls -lag
ls -la
ls
cd
su deploy
su lidarr-reports
exit