From 979bb915a6fd2a56ae5cd2c1e66e045a37efde3d Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Tue, 3 Feb 2026 15:13:56 -0600 Subject: [PATCH 01/12] init --- AGENTS.md | 7 +- .../checklists/requirements.md | 34 ++++ .../contracts/README.md | 3 + specs/003-vps-image-migration/data-model.md | 49 ++++++ specs/003-vps-image-migration/plan.md | 58 +++++++ specs/003-vps-image-migration/quickstart.md | 14 ++ specs/003-vps-image-migration/research.md | 16 ++ specs/003-vps-image-migration/spec.md | 103 ++++++++++++ specs/003-vps-image-migration/tasks.md | 151 ++++++++++++++++++ 9 files changed, 433 insertions(+), 2 deletions(-) create mode 100644 specs/003-vps-image-migration/checklists/requirements.md create mode 100644 specs/003-vps-image-migration/contracts/README.md create mode 100644 specs/003-vps-image-migration/data-model.md create mode 100644 specs/003-vps-image-migration/plan.md create mode 100644 specs/003-vps-image-migration/quickstart.md create mode 100644 specs/003-vps-image-migration/research.md create mode 100644 specs/003-vps-image-migration/spec.md create mode 100644 specs/003-vps-image-migration/tasks.md diff --git a/AGENTS.md b/AGENTS.md index 06fbb06..5f22ae7 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -5,6 +5,8 @@ Auto-generated from feature plans. Last updated: 2026-01-30 ## Active Technologies - Python 3.12 + MCP server library (Python, JSON-RPC/stdin transport), click for CLI entrypoint, pytest + coverage for tests, ruff/black for lint/format (002-mcp-server) - None (in-memory tool definitions; filesystem access for repo interactions) (002-mcp-server) +- Nix (flakes; nixpkgs 25.11) + nixpkgs, flake-parts, sops-nix (003-vps-image-migration) +- N/A (configuration repo) (003-vps-image-migration) - Documentation set (AI-facing constitution and playbooks) in Markdown (001-ai-docs) 
@@ -26,9 +28,10 @@ specs/001-ai-docs/ # Planning artifacts (plan, research, tasks, data model - Keep language business-level and technology-agnostic in AI-facing docs. ## Recent Changes -- 002-mcp-server: Added Python 3.12 + MCP server library (Python, JSON-RPC/stdin transport), click for CLI entrypoint, pytest + coverage for tests, ruff/black for lint/format +- 003-vps-image-migration: Added Nix (flakes; nixpkgs 25.11) + nixpkgs, flake-parts, sops-nix +- 003-vps-image-migration: Added [if applicable, e.g., PostgreSQL, CoreData, files or N/A] +- 003-vps-image-migration: Added Nix (flakes; nixpkgs 25.11) + nixpkgs, flake-parts, sops-nix -- 001-ai-docs: Documentation-focused stack; added docs/ for constitution/playbooks and specs/001-ai-docs/ for planning outputs. diff --git a/specs/003-vps-image-migration/checklists/requirements.md b/specs/003-vps-image-migration/checklists/requirements.md new file mode 100644 index 0000000..226892f --- /dev/null +++ b/specs/003-vps-image-migration/checklists/requirements.md 
@@ -0,0 +1,34 @@ +# Specification Quality Checklist: VPS Image Migration + +**Purpose**: Validate specification completeness and quality before proceeding to planning +**Created**: February 3, 2026 +**Feature**: /home/jawz/Development/NixOS/specs/003-vps-image-migration/spec.md + +## Content Quality + +- [x] No implementation details (languages, frameworks, APIs) +- [x] Focused on user value and business needs +- [x] Written for non-technical stakeholders +- [x] All mandatory sections completed + +## Requirement Completeness + +- [x] No [NEEDS CLARIFICATION] markers remain +- [x] Requirements are testable and unambiguous +- [x] Success criteria are measurable +- [x] Success criteria are technology-agnostic (no implementation details) +- [x] All acceptance scenarios are defined +- [x] Edge cases are identified +- [x] Scope is clearly bounded +- [x] Dependencies and assumptions identified + +## Feature Readiness + +- [x] All functional requirements have clear acceptance criteria +- [x] User scenarios cover primary flows +- [x] Feature meets measurable outcomes defined in Success Criteria +- [x] No implementation details leak into specification + +## Notes + +- All checklist items pass based on the current spec. diff --git a/specs/003-vps-image-migration/contracts/README.md b/specs/003-vps-image-migration/contracts/README.md new file mode 100644 index 0000000..4ff5ec0 --- /dev/null +++ b/specs/003-vps-image-migration/contracts/README.md @@ -0,0 +1,3 @@ +# API Contracts + +This feature does not introduce or modify any external HTTP or RPC APIs. Operator actions (image build, provisioning, secrets enrollment, rebuild trigger) are performed via existing infrastructure workflows, so no API schema is required. diff --git a/specs/003-vps-image-migration/data-model.md b/specs/003-vps-image-migration/data-model.md new file mode 100644 index 0000000..cd39550 --- /dev/null +++ b/specs/003-vps-image-migration/data-model.md 
@@ -0,0 +1,49 @@ +# Data Model: VPS Image Migration + +## Host Profile + +- **Purpose**: Defines a named system configuration (e.g., vps). +- **Key fields**: + - `name` (string, unique) + - `target_environment` (string, e.g., Linode) + - `services_required` (list of service identifiers) + - `secrets_required` (list of secret identifiers) + +## Image Artifact + +- **Purpose**: Represents a build output used to provision a VPS. +- **Key fields**: + - `image_type` (string, Linode-compatible) + - `build_reference` (string, build timestamp or revision) + - `host_profile` (reference to Host Profile) + +## Bootstrap Secret Material + +- **Purpose**: Material required to unlock secrets on the host. +- **Key fields**: + - `bootstrap_method` (enum: generated-on-host) + - `recipient_public_key` (string) + - `enrollment_status` (enum: pending, enrolled) + +## Deployment Target + +- **Purpose**: The environment where the image is launched. +- **Key fields**: + - `provider` (string) + - `region` (string) + - `instance_id` (string) + +## Rebuild Trigger + +- **Purpose**: Represents an authorized rebuild action for the VPS. +- **Key fields**: + - `actor` (string) + - `requested_at` (datetime) + - `status` (enum: queued, running, succeeded, failed) + +## Relationships + +- Host Profile 1..* Image Artifact +- Host Profile 1..* Bootstrap Secret Material +- Deployment Target 1..1 Image Artifact +- Rebuild Trigger *..1 Host Profile diff --git a/specs/003-vps-image-migration/plan.md b/specs/003-vps-image-migration/plan.md new file mode 100644 index 0000000..7888a7a --- /dev/null +++ b/specs/003-vps-image-migration/plan.md 
@@ -0,0 +1,58 @@ +# Implementation Plan: VPS Image Migration + +**Branch**: `003-vps-image-migration` | **Date**: February 3, 2026 | **Spec**: /home/jawz/Development/NixOS/specs/003-vps-image-migration/spec.md +**Input**: Feature specification from `/specs/003-vps-image-migration/spec.md` + +## Summary + +Migrate image building away from the deprecated generator to the upstream NixOS image workflow, add a new vps host that produces a Linode-compatible image, and implement a secure two-phase secrets bootstrap that requires re-encryption after the host generates its own key. Provide a repeatable remote rebuild workflow limited to explicitly authorized operator machines. + +## Technical Context + +**Language/Version**: Nix (flakes; nixpkgs 25.11) +**Primary Dependencies**: nixpkgs, flake-parts, sops-nix +**Storage**: N/A (configuration repo) +**Testing**: Manual validation (image build, boot, network, secret availability, rebuild) +**Target Platform**: NixOS image for Linode VPS +**Project Type**: Infrastructure configuration (single repo) +**Performance Goals**: N/A +**Constraints**: No regressions for existing hosts; secrets must remain secure; first boot must be reachable for enrollment; rebuilds restricted to authorized operator machines +**Scale/Scope**: Small number of hosts, single vps target + +## Constitution Check + +No enforceable principles are defined in the current constitution file (placeholders only). Gate passes by default. +Post-design re-check: no changes; still pass. 
+ +## Project Structure + +### Documentation (this feature) + +```text +specs/003-vps-image-migration/ +├── plan.md +├── research.md +├── data-model.md +├── quickstart.md +├── contracts/ +└── tasks.md +``` + +### Source Code (repository root) + +```text +flake.nix +parts/ +hosts/ +modules/ +secrets/ +scripts/ +config/ +environments/ +``` + +**Structure Decision**: Use the existing Nix flake layout with host definitions in `hosts/`, shared logic in `modules/`, and flake assembly in `parts/`. + +## Complexity Tracking + +No constitution violations to track. diff --git a/specs/003-vps-image-migration/quickstart.md b/specs/003-vps-image-migration/quickstart.md new file mode 100644 index 0000000..8ea352b --- /dev/null +++ b/specs/003-vps-image-migration/quickstart.md @@ -0,0 +1,14 @@ +# Quickstart: VPS Image Migration + +## Goal + +Provision a Linode-compatible VPS image, bootstrap secrets securely, and enable remote rebuilds. + +## Steps + +1. Build the vps image from the repository and confirm a Linode-compatible artifact is produced. +2. Provision a VPS from the image and verify network connectivity and remote access. +3. On first boot, allow the host to generate its own secrets bootstrap key material. +4. Enroll the host by adding its public key as a secrets recipient and re-encrypt required secrets. +5. Trigger a rebuild from an explicitly authorized operator machine to apply secrets and confirm core services start successfully. +6. Validate the remote rebuild workflow from an explicitly authorized operator machine. diff --git a/specs/003-vps-image-migration/research.md b/specs/003-vps-image-migration/research.md new file mode 100644 index 0000000..b9029a3 --- /dev/null +++ b/specs/003-vps-image-migration/research.md 
@@ -0,0 +1,16 @@ +# Research: VPS Image Migration + +## Decision 1: Replace deprecated image generator usage + +- **Decision**: Use NixOS's built-in image building workflow (`nixos-rebuild build-image`) for Linode-compatible images. +- **Rationale**: The NixOS manual documents `nixos-rebuild build-image` and lists Linode as a supported image target via `image.modules`, indicating the upstream path for image generation. +- **Alternatives considered**: + - Keep using nixos-generators (rejected due to deprecation and upstream migration). + +## Decision 2: Secure-first secrets bootstrap for vps + +- **Decision**: Use a two-phase bootstrap where the vps generates its own age key on first boot, then the host public key is added as a recipient and secrets are re-encrypted before the second deploy. +- **Rationale**: sops-nix supports generating an age key when missing and can use SSH host keys to derive age identities; this avoids embedding private keys in the image or repository. +- **Alternatives considered**: + - Bake a static age key into the image (rejected for security risk). + - Ship a fixed SSH host key in the image (rejected for key reuse across hosts). diff --git a/specs/003-vps-image-migration/spec.md b/specs/003-vps-image-migration/spec.md new file mode 100644 index 0000000..72f5051 --- /dev/null +++ b/specs/003-vps-image-migration/spec.md 
@@ -0,0 +1,103 @@ +# Feature Specification: VPS Image Migration + +**Feature Branch**: `003-vps-image-migration` +**Created**: February 3, 2026 +**Status**: Draft +**Input**: User description: "Remove deprecated image generator usage, add a new vps host that builds a Linode image, ensure first-boot secrets are available, and support remote rebuilds for ongoing changes." + +## Clarifications + +### Session 2026-02-03 + +- Q: Who is allowed to trigger remote rebuilds? → A: Only explicitly authorized operator machines. + +## User Scenarios & Testing *(mandatory)* + +### User Story 1 - Provision a VPS Image (Priority: P1) + +As an operator, I want to build a Linode-compatible image for the new vps host so I can provision a replacement VPS that boots with network connectivity and remote access. + +**Why this priority**: This is the core migration outcome; without a working image, the VPS replacement cannot proceed. + +**Independent Test**: Can be fully tested by building the image, launching a Linode instance from it, and confirming network and remote access. + +**Acceptance Scenarios**: + +1. **Given** a clean repository state, **When** I build the vps image, **Then** the build completes and produces a Linode-compatible image artifact. +2. **Given** a Linode instance created from the vps image, **When** it boots, **Then** it has working network connectivity and remote access is available. + +--- + +### User Story 2 - Secrets Available After Enrollment (Priority: P2) + +As an operator, I want the vps to generate its own secrets key on first boot and then make required secrets available after enrollment so core services can start securely. + +**Why this priority**: The VPS must remain secure; services should start only after the host is enrolled and secrets are re-encrypted for it. + +**Independent Test**: Can be fully tested by provisioning from the image, enrolling the host key, and verifying required secrets become available after the follow-up deployment. 
+ +**Acceptance Scenarios**: + +1. **Given** a freshly provisioned vps instance, **When** the system completes its first boot, **Then** it generates host-specific bootstrap key material and remains reachable for enrollment. +2. **Given** the host key is enrolled and secrets are re-encrypted, **When** a follow-up deployment runs, **Then** required secrets become available to services. + +--- + +### User Story 3 - Remote Rebuild Workflow (Priority: P3) + +As an operator, I want to trigger rebuilds of the vps host from any authorized system so updates (such as firewall changes) can be applied consistently. + +**Why this priority**: Ongoing updates are essential for operations and security, and should not depend on a single workstation. + +**Independent Test**: Can be fully tested by triggering a rebuild from a separate authorized system and verifying the changes apply on the VPS. + +**Acceptance Scenarios**: + +1. **Given** an explicitly authorized operator machine, **When** a rebuild is triggered, **Then** the vps host updates successfully and reflects the new configuration. + +--- + +### Edge Cases + +- What happens when the vps image build completes but the artifact is not compatible with the target environment? +- How does the system handle first-boot secret access when bootstrap material is missing or corrupted? +- What happens when a remote rebuild is triggered but the VPS is unreachable? + +## Requirements *(mandatory)* + +### Functional Requirements + +- **FR-001**: The system MUST stop using any deprecated image-generation dependency currently used for host images. +- **FR-002**: The system MUST define a new vps host configuration that produces a Linode-compatible image artifact. +- **FR-003**: A VPS provisioned from the image MUST boot with working network connectivity and remote access enabled. 
+- **FR-004**: The system MUST support a secure, two-phase bootstrap where the host generates key material on first boot and secrets become available after enrollment and re-deploy. +- **FR-005**: The system MUST provide a documented, repeatable way for explicitly authorized operator machines to trigger remote rebuilds of the vps host. +- **FR-006**: Existing hosts and images MUST continue to build and operate without regression after the migration. + +### Key Entities *(include if feature involves data)* + +- **Host Profile**: A named system configuration (e.g., vps) that defines the target environment behavior. +- **Image Artifact**: A deployable disk image produced from the host profile. +- **Bootstrap Secret Material**: Data required to unlock or access secrets on first boot. +- **Deployment Target**: The infrastructure environment where the image is launched. +- **Rebuild Trigger**: An authorized action that initiates a configuration update on the VPS. + +## Assumptions + +- The vps host can generate bootstrap key material on first boot and is reachable for enrollment. +- Operators already have a secure, authorized path for remote access to the VPS. +- The Linode environment can accept and boot the produced image artifact. + +## Dependencies + +- Access to the target environment needed to validate image compatibility and boot behavior. +- Existing secrets management process and data required for the vps host. + +## Success Criteria *(mandatory)* + +### Measurable Outcomes + +- **SC-001**: A Linode instance provisioned from the vps image is reachable via remote access within 10 minutes of first boot in at least 95% of test provisions. +- **SC-002**: Required secrets for core services are available after enrollment and follow-up deployment in 100% of test provisions. +- **SC-003**: Existing host builds complete without new failures after the deprecated dependency is removed. 
+- **SC-004**: Remote rebuilds apply a configuration change to the vps host within 15 minutes in at least 90% of test runs. diff --git a/specs/003-vps-image-migration/tasks.md b/specs/003-vps-image-migration/tasks.md new file mode 100644 index 0000000..ae67c89 --- /dev/null +++ b/specs/003-vps-image-migration/tasks.md 
@@ -0,0 +1,151 @@ +--- + +description: "Task list for VPS Image Migration" +--- + +# Tasks: VPS Image Migration + +**Input**: Design documents from `/specs/003-vps-image-migration/` +**Prerequisites**: plan.md (required), spec.md (required for user stories), research.md, data-model.md, contracts/ + +**Tests**: Not requested. + +**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story. + +## Format: `[ID] [P?] [Story] Description` + +- **[P]**: Can run in parallel (different files, no dependencies) +- **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3) +- Include exact file paths in descriptions + +## Phase 1: Setup (Shared Infrastructure) + +**Purpose**: Project initialization and validation setup + +- [ ] T001 Review current image generation usage in `flake.nix` and `parts/packages.nix` and note all nixos-generators references +- [ ] T002 [P] Review host structure in `hosts/` to mirror patterns for the new `hosts/vps/configuration.nix` + +--- + +## Phase 2: Foundational (Blocking Prerequisites) + +**Purpose**: Remove deprecated generator and ensure existing outputs are preserved + +- [ ] T003 Update `parts/packages.nix` to build `emacs-vm` from nixpkgs/NixOS outputs (remove nixos-generators usage) +- [ ] T004 Remove nixos-generators input from `flake.nix` +- [ ] T005 Update `flake.lock` to drop nixos-generators entries +- [ ] T006 STOP: Ask user to validate `emacs-vm` build works without nixos-generators (confirm before proceeding) (reference `parts/packages.nix`) + +**Checkpoint**: Foundation ready after user confirmation + +--- + +## Phase 3: User Story 1 - Provision a VPS Image (Priority: P1) 🎯 MVP + +**Goal**: Define a new vps host and produce a Linode-compatible image artifact + +**Independent Test**: Build the vps image, launch a Linode instance from it, verify network connectivity and remote access + +### Implementation for User Story 1 + +- [ ] T007 [US1] Create 
`hosts/vps/configuration.nix` with base imports and minimal networking/remote access enablement +- [ ] T008 [US1] Register vps host in `parts/hosts.nix` using existing `createConfig` pattern +- [ ] T009 [US1] Add a Linode image build output for vps in `parts/packages.nix` using the upstream NixOS image workflow +- [ ] T010 [US1] Document the vps host entry and image artifact location in `docs/reference/index.md` +- [ ] T011 [US1] Add a manual validation checklist entry for vps boot connectivity and remote access in `specs/003-vps-image-migration/quickstart.md` + +**Checkpoint**: vps image builds and can boot with connectivity + +--- + +## Phase 4: User Story 2 - Secrets Available After Enrollment (Priority: P2) + +**Goal**: Secure two-phase secrets bootstrap and enrollment workflow + +**Independent Test**: Boot vps, generate host key, enroll key, re-encrypt secrets, redeploy, verify secrets available + +### Implementation for User Story 2 + +- [ ] T012 [US2] Set secure host posture for vps in `hosts/vps/configuration.nix` (secureHost enabled, secrets gated) +- [ ] T013 [US2] Add vps-specific sops-nix bootstrap settings in `hosts/vps/configuration.nix` (generate key on first boot; no baked key) +- [ ] T014 [US2] Document the enrollment and re-encryption steps in `docs/playbooks/enroll-vps.md` +- [ ] T015 [US2] Update secrets guidance to reference the vps enrollment flow in `docs/constitution.md` + +**Checkpoint**: vps can boot without secrets, then unlocks secrets after enrollment and redeploy + +--- + +## Phase 5: User Story 3 - Remote Rebuild Workflow (Priority: P3) + +**Goal**: Provide a documented, repeatable remote rebuild process + +**Independent Test**: Trigger a rebuild from an explicitly authorized operator machine and verify applied config changes + +### Implementation for User Story 3 + +- [ ] T016 [US3] Add a rebuild helper script in `scripts/rebuild-vps.sh` with clear inputs and safety checks +- [ ] T017 [US3] Document remote rebuild usage and 
prerequisites (explicitly authorized operator machines only) in `docs/playbooks/vps-rebuild.md` + +**Checkpoint**: remote rebuild flow is repeatable and documented + +--- + +## Phase 6: Polish & Cross-Cutting Concerns + +**Purpose**: Final consistency checks and documentation polish + +- [ ] T018 [P] Ensure vps host is referenced in any host inventories or indexes in `docs/reference/index.md` +- [ ] T019 Validate quickstart steps still match implementation in `specs/003-vps-image-migration/quickstart.md` +- [ ] T020 Validate existing host/image builds after migration (document results in `specs/003-vps-image-migration/quickstart.md`) + +--- + +## Dependencies & Execution Order + +### Phase Dependencies + +- **Setup (Phase 1)**: No dependencies - can start immediately +- **Foundational (Phase 2)**: Depends on Setup completion - BLOCKS all user stories +- **User Stories (Phase 3+)**: Depend on Foundational completion and user validation at T006 +- **Polish (Final Phase)**: Depends on desired user stories being complete + +### User Story Dependencies + +- **User Story 1 (P1)**: Starts after Phase 2 and user validation at T006 +- **User Story 2 (P2)**: Starts after Phase 2 and user validation at T006; depends on vps host existing (T007/T008) +- **User Story 3 (P3)**: Starts after Phase 2 and user validation at T006; can be done in parallel with US2 + +### Parallel Opportunities + +- T002 can run in parallel with T001 +- T018 and T019 can run in parallel in the Polish phase +- After T006, US2 and US3 can proceed in parallel once US1 host scaffolding exists + +--- + +## Parallel Example: User Story 2 + +```bash +Task: "Set secure host posture for vps in hosts/vps/configuration.nix" +Task: "Document the enrollment and re-encryption steps in docs/playbooks/enroll-vps.md" +``` + +--- + +## Implementation Strategy + +### MVP First (User Story 1 Only) + +1. Complete Phase 1: Setup +2. Complete Phase 2: Foundational +3. Pause at T006 for user validation of emacs-vm +4. 
Complete Phase 3: User Story 1 +5. Stop and validate the image boot and connectivity + +### Incremental Delivery + +1. Complete Setup + Foundational → user validates emacs-vm +2. Add User Story 1 → validate image build/boot +3. Add User Story 2 → validate secrets enrollment flow +4. Add User Story 3 → validate remote rebuild workflow +5. Polish and doc consistency checks -- 2.51.2 From f6b1a0143817964e47ca74648db47c9b6e3a3771 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Tue, 3 Feb 2026 15:17:18 -0600 Subject: [PATCH 02/12] removed nixos-generators --- flake.lock | 37 -------------------------- flake.nix | 4 --- parts/packages.nix | 10 +------ specs/003-vps-image-migration/tasks.md | 10 +++---- 4 files changed, 6 insertions(+), 55 deletions(-) diff --git a/flake.lock b/flake.lock index 180876d..88ace98 100644 --- a/flake.lock +++ b/flake.lock @@ -819,42 +819,6 @@ "type": "github" } }, - "nixlib": { - "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixos-generators": { - "inputs": { - "nixlib": "nixlib", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1769813415, - "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "8946737ff703382fda7623b9fab071d037e897d5", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, "nixpkgs": { "locked": { "lastModified": 1743576891, 
@@ -1104,7 +1068,6 @@ "jawz-scripts": "jawz-scripts", "lidarr-mb-gap": "lidarr-mb-gap", "nix-gaming": "nix-gaming", - "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs_2", "nixpkgs-small": "nixpkgs-small", "nixpkgs-unstable": "nixpkgs-unstable", diff --git a/flake.nix b/flake.nix index 211f290..f3773d5 100644 --- a/flake.nix +++ b/flake.nix @@ -50,10 +50,6 @@ url = "github:nyawox/nixtendo-switch"; inputs.nixpkgs.follows = "nixpkgs"; }; - nixos-generators = { - url = "github:nix-community/nixos-generators"; - inputs.nixpkgs.follows = "nixpkgs"; - }; wallpapers = { url = "git+https://git.lebubu.org/jawz/wallpapers.git"; flake = false; diff --git a/parts/packages.nix b/parts/packages.nix index 9a2eab4..3448711 100644 --- a/parts/packages.nix +++ b/parts/packages.nix @@ -29,15 +29,7 @@ in { packages = (inputs.jawz-scripts.packages.${system} or { }) // { - emacs-vm = inputs.nixos-generators.nixosGenerate { - inherit system; - modules = inputs.self.lib.commonModules "emacs"; - format = "vm"; - specialArgs = { - inherit inputs; - outputs = inputs.self; - }; - }; + emacs-vm = inputs.self.nixosConfigurations.emacs.config.system.build.vm; nixos-mcp = nixosMcp; nixos-mcp-server = mcpServerPkg; }; diff --git a/specs/003-vps-image-migration/tasks.md b/specs/003-vps-image-migration/tasks.md index ae67c89..34eddfa 100644 --- a/specs/003-vps-image-migration/tasks.md +++ b/specs/003-vps-image-migration/tasks.md 
@@ -22,8 +22,8 @@ description: "Task list for VPS Image Migration" **Purpose**: Project initialization and validation setup -- [ ] T001 Review current image generation usage in `flake.nix` and `parts/packages.nix` and note all nixos-generators references -- [ ] T002 [P] Review host structure in `hosts/` to mirror patterns for the new `hosts/vps/configuration.nix` +- [X] T001 Review current image generation usage in `flake.nix` and `parts/packages.nix` and note all nixos-generators references +- [X] T002 [P] Review host structure in `hosts/` to mirror patterns for the new `hosts/vps/configuration.nix` --- @@ -31,9 +31,9 @@ description: "Task list for VPS Image Migration" **Purpose**: Remove deprecated generator and ensure existing outputs are preserved -- [ ] T003 Update `parts/packages.nix` to build `emacs-vm` from nixpkgs/NixOS outputs (remove nixos-generators usage) -- [ ] T004 Remove nixos-generators input from `flake.nix` -- [ ] T005 Update `flake.lock` to drop nixos-generators entries +- [X] T003 Update `parts/packages.nix` to build `emacs-vm` from nixpkgs/NixOS outputs (remove nixos-generators usage) +- [X] T004 Remove nixos-generators input from `flake.nix` +- [X] T005 Update `flake.lock` to drop nixos-generators entries - [ ] T006 STOP: Ask user to validate `emacs-vm` build works without nixos-generators (confirm before proceeding) (reference `parts/packages.nix`) **Checkpoint**: Foundation ready after user confirmation -- 2.51.2 From dbd3af3d0fa69f92d69133bb008927323a3995ed Mon Sep 17 00:00:00 2001 
From: Danilo Reyes Date: Tue, 3 Feb 2026 15:31:47 -0600 Subject: [PATCH 03/12] new hosts vps --- docs/constitution.md | 1 + docs/playbooks/enroll-vps.md | 16 ++++++++++ docs/playbooks/vps-rebuild.md | 15 +++++++++ docs/reference/index.md | 3 +- hosts/vps/configuration.nix | 34 +++++++++++++++++++++ parts/hosts.nix | 1 + parts/packages.nix | 1 + scripts/rebuild-vps.sh | 15 +++++++++ specs/003-vps-image-migration/quickstart.md | 14 +++++++++ specs/003-vps-image-migration/tasks.md | 28 ++++++++--------- 10 files changed, 113 insertions(+), 15 deletions(-) create mode 100644 docs/playbooks/enroll-vps.md create mode 100644 docs/playbooks/vps-rebuild.md create mode 100644 hosts/vps/configuration.nix create mode 100755 scripts/rebuild-vps.sh diff --git a/docs/constitution.md b/docs/constitution.md index 3e66b3a..5350b18 100644 --- a/docs/constitution.md +++ b/docs/constitution.md 
@@ -42,6 +42,7 @@ config.services = { - Secrets files: `secrets/certs.yaml`, `secrets/env.yaml`, `secrets/gallery.yaml`, `secrets/homepage.yaml`, `secrets/keys.yaml`, `secrets/wireguard.yaml`, `secrets/secrets.yaml`, plus `secrets/ssh/` for host keys. - Placement rules: Keep secrets aligned to their file purpose (certificates → `certs.yaml`; environment/service env vars → `env.yaml`; media/gallery creds → `gallery.yaml`; homepage widgets → `homepage.yaml`; SSH/private keys → `keys.yaml`; WireGuard peers → `wireguard.yaml`; misc defaults → `secrets.yaml`). - secureHost gating: Only hosts with `my.secureHost = true` load SOPS secrets and WireGuard interfaces. Hosts with `secureHost = false` must avoid secret-dependent services and skip SOPS entries. +- VPS enrollment flow: The vps host generates its own key on first boot, then operators enroll the public key, re-encrypt secrets, and redeploy. Follow `docs/playbooks/enroll-vps.md`. ## Module Categories and Active Hosts - Module categories: apps, dev, scripts, servers, services, shell, network, users, nix, patches. Factories sit in `modules/factories/` and are imported explicitly. diff --git a/docs/playbooks/enroll-vps.md b/docs/playbooks/enroll-vps.md new file mode 100644 index 0000000..25398cc --- /dev/null +++ b/docs/playbooks/enroll-vps.md 
@@ -0,0 +1,16 @@ +# Playbook: Enroll VPS Secrets + +- Name: Enroll VPS secrets after first boot +- Purpose: Enroll the vps host key and re-encrypt secrets so services can start. +- Prerequisites: vps host booted and reachable; secure host; SOPS access on operator machine. +- Inputs: vps host public key; secrets files under `secrets/`; repo checkout. +- Steps: + 1. Retrieve the vps host public key from the running instance. + 2. Add the vps public key to SOPS recipients for the relevant secrets files. + 3. Re-encrypt secrets and commit updates as needed. + 4. Rebuild the vps host from an explicitly authorized operator machine. +- Validation: + - Services that require secrets start successfully after the rebuild. + - SOPS decrypt succeeds on the vps host without manual intervention. +- Outputs: Updated secrets files with the vps recipient; vps host with secrets available. +- References: `docs/constitution.md` (Secrets Map and secureHost), `docs/reference/index.md` (Hosts and Roles) diff --git a/docs/playbooks/vps-rebuild.md b/docs/playbooks/vps-rebuild.md new file mode 100644 index 0000000..89deced --- /dev/null +++ b/docs/playbooks/vps-rebuild.md @@ -0,0 +1,15 @@ +# Playbook: Rebuild VPS + +- Name: Remote rebuild of vps +- Purpose: Apply configuration changes to the vps host from an explicitly authorized operator machine. +- Prerequisites: Operator machine authorized; vps reachable via SSH; repo checkout. +- Inputs: vps hostname or IP; flake path; target profile `vps`. +- Steps: + 1. Ensure the operator machine is in the authorized key list for `nixremote`. + 2. Run the rebuild helper script with the target host details. + 3. Monitor the rebuild for completion and errors. +- Validation: + - vps reports the new configuration after rebuild. + - Remote access remains available after the update. +- Outputs: Updated vps host configuration. +- References: `docs/constitution.md` (Hosts and Roles, secureHost), `docs/reference/index.md` (Hosts and Roles) 
diff --git a/docs/reference/index.md b/docs/reference/index.md index e90bdae..ebc9ebe 100644 --- a/docs/reference/index.md +++ b/docs/reference/index.md @@ -20,13 +20,14 @@ ## Hosts and Roles - Configs: `hosts//configuration.nix` with toggles in `hosts//toggles.nix`. -- Active hosts: `workstation`, `server`, `miniserver`, `galaxy`, `emacs`. +- Active hosts: `workstation`, `server`, `miniserver`, `galaxy`, `emacs`, `vps`. - Roles: - workstation: developer desktop; provides build power for distributed builds. - server: primary services host (overrides `my.mainServer = "server"` and enables proxies/containers). - miniserver: small-footprint server; default `mainServer` in shared options. - galaxy: small server variant using nixpkgs-small. - emacs: VM profile, `my.secureHost = false` for secret-free usage. + - vps: Linode VPS image target, secure host with enrollment-based secrets. - Network maps: `my.ips` and `my.interfaces` declared in `modules/modules.nix`; host toggles may override. ## Proxy, Firewall, and Networking diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix new file mode 100644 index 0000000..a7948fa --- /dev/null +++ b/hosts/vps/configuration.nix @@ -0,0 +1,34 @@ +{ + lib, + inputs, + ... +}: +{ + imports = [ + ../../config/base.nix + ]; + my = { + secureHost = true; + users.nixremote = { + enable = true; + authorizedKeys = inputs.self.lib.getSshKeys [ + "nixworkstation" + "nixserver" + "nixminiserver" + ]; + }; + services.network.enable = true; + interfaces = lib.mkMerge [ + { + vps = "eth0"; + } + ]; + }; + networking.hostName = "vps"; + sops.age = { + generateKey = true; + keyFile = "/var/lib/sops-nix/key.txt"; + sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + }; + environment.systemPackages = [ ]; +} diff --git a/parts/hosts.nix b/parts/hosts.nix index e72b2ad..33f91e0 100644 --- a/parts/hosts.nix +++ b/parts/hosts.nix 
@@ -6,5 +6,6 @@ server = inputs.self.lib.createConfig "server" inputs.nixpkgs-small; galaxy = inputs.self.lib.createConfig "galaxy" inputs.nixpkgs-small; emacs = inputs.self.lib.createConfig "emacs" inputs.nixpkgs; + vps = inputs.self.lib.createConfig "vps" inputs.nixpkgs-small; }; } diff --git a/parts/packages.nix b/parts/packages.nix index 3448711..8af8bce 100644 --- a/parts/packages.nix +++ b/parts/packages.nix @@ -30,6 +30,7 @@ { packages = (inputs.jawz-scripts.packages.${system} or { }) // { emacs-vm = inputs.self.nixosConfigurations.emacs.config.system.build.vm; + vps-linode = inputs.self.nixosConfigurations.vps.config.system.build.images.linode; nixos-mcp = nixosMcp; nixos-mcp-server = mcpServerPkg; }; diff --git a/scripts/rebuild-vps.sh b/scripts/rebuild-vps.sh new file mode 100755 index 0000000..e8d25e4 --- /dev/null +++ b/scripts/rebuild-vps.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash +set -euo pipefail + +if [ "${1:-}" = "" ] || [ "${2:-}" = "" ]; then + echo "Usage: scripts/rebuild-vps.sh " >&2 + exit 1 +fi + +host="$1" +flake_path="$2" + +nixos-rebuild switch \ + --flake "${flake_path}#vps" \ + --target-host "${host}" \ + --use-remote-sudo diff --git a/specs/003-vps-image-migration/quickstart.md b/specs/003-vps-image-migration/quickstart.md index 8ea352b..7003d78 100644 --- a/specs/003-vps-image-migration/quickstart.md +++ b/specs/003-vps-image-migration/quickstart.md 
@@ -12,3 +12,17 @@ Provision a Linode-compatible VPS image, bootstrap secrets securely, and enable 4. Enroll the host by adding its public key as a secrets recipient and re-encrypt required secrets. 5. Trigger a rebuild from an explicitly authorized operator machine to apply secrets and confirm core services start successfully. 6. Validate the remote rebuild workflow from an explicitly authorized operator machine. + +## Validation Checklist + +- vps boots with network connectivity and remote access. +- Secrets are available after enrollment and follow-up deployment. +- Remote rebuild completes from an explicitly authorized operator machine. +- Existing host and image builds complete after migration. + +## Validation Log + +- vps connectivity: pending +- secrets enrollment: pending +- remote rebuild: pending +- existing host/image builds: pending diff --git a/specs/003-vps-image-migration/tasks.md b/specs/003-vps-image-migration/tasks.md index 34eddfa..0c40cab 100644 --- a/specs/003-vps-image-migration/tasks.md +++ b/specs/003-vps-image-migration/tasks.md @@ -34,7 +34,7 @@ description: "Task list for VPS Image Migration" - [X] T003 Update `parts/packages.nix` to build `emacs-vm` from nixpkgs/NixOS outputs (remove nixos-generators usage) - [X] T004 Remove nixos-generators input from `flake.nix` - [X] T005 Update `flake.lock` to drop nixos-generators entries -- [ ] T006 STOP: Ask user to validate `emacs-vm` build works without nixos-generators (confirm before proceeding) (reference `parts/packages.nix`) +- [X] T006 STOP: Ask user to validate `emacs-vm` build works without nixos-generators (confirm before proceeding) (reference `parts/packages.nix`) **Checkpoint**: Foundation ready after user confirmation 
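Review bot: in `hosts/vps/configuration.nix`, `sops.age` is given two identities at once: `generateKey = true` with `keyFile = "/var/lib/sops-nix/key.txt"`, and `sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`. Either is a workable bootstrap, but with both present the enrollment playbook's "retrieve the vps host public key" is ambiguous; pick one, or state in the playbook which file the enrolled recipient is derived from. Separately, `users.nixremote.authorizedKeys` lists `nixworkstation`, `nixserver` and `nixminiserver`, and the rebuild helper runs `nixos-rebuild switch ... --use-remote-sudo`, so any of those three machines can push a root-level configuration to the vps. The playbooks talk about "an explicitly authorized operator machine"; either trim the list to the machine(s) that actually operate the vps or document that all three are trusted for that. Minor: `lib.mkMerge [ { vps = "eth0"; } ]` with a single element is just `{ vps = "eth0"; }`, and the empty `environment.systemPackages = [ ];` can be dropped.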
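Review bot: in `scripts/rebuild-vps.sh` the usage line `echo "Usage: scripts/rebuild-vps.sh " >&2` has lost its argument names (the two positional parameters are the target host and the flake path); spell them out, e.g. `Usage: scripts/rebuild-vps.sh HOST FLAKE_PATH`. The only "safety check" the script performs is that both arguments are non-empty; `nixos-rebuild switch --flake "${flake_path}#vps" --target-host "${host}" --use-remote-sudo` will switch whatever host is named to the vps profile, so a mistyped host applies the vps configuration, as root, to a different machine. Consider verifying that `${host}` really is the vps before switching (for instance comparing `ssh "${host}" hostname` against `vps`) and offering a `dry-activate` or `build` pass ahead of `switch`.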
@@ -48,11 +48,11 @@ description: "Task list for VPS Image Migration" ### Implementation for User Story 1 -- [ ] T007 [US1] Create `hosts/vps/configuration.nix` with base imports and minimal networking/remote access enablement -- [ ] T008 [US1] Register vps host in `parts/hosts.nix` using existing `createConfig` pattern -- [ ] T009 [US1] Add a Linode image build output for vps in `parts/packages.nix` using the upstream NixOS image workflow -- [ ] T010 [US1] Document the vps host entry and image artifact location in `docs/reference/index.md` -- [ ] T011 [US1] Add a manual validation checklist entry for vps boot connectivity and remote access in `specs/003-vps-image-migration/quickstart.md` +- [X] T007 [US1] Create `hosts/vps/configuration.nix` with base imports and minimal networking/remote access enablement +- [X] T008 [US1] Register vps host in `parts/hosts.nix` using existing `createConfig` pattern +- [X] T009 [US1] Add a Linode image build output for vps in `parts/packages.nix` using the upstream NixOS image workflow +- [X] T010 [US1] Document the vps host entry and image artifact location in `docs/reference/index.md` +- [X] T011 [US1] Add a manual validation checklist entry for vps boot connectivity and remote access in `specs/003-vps-image-migration/quickstart.md` **Checkpoint**: vps image builds and can boot with connectivity 
@@ -66,10 +66,10 @@ description: "Task list for VPS Image Migration" ### Implementation for User Story 2 -- [ ] T012 [US2] Set secure host posture for vps in `hosts/vps/configuration.nix` (secureHost enabled, secrets gated) -- [ ] T013 [US2] Add vps-specific sops-nix bootstrap settings in `hosts/vps/configuration.nix` (generate key on first boot; no baked key) -- [ ] T014 [US2] Document the enrollment and re-encryption steps in `docs/playbooks/enroll-vps.md` -- [ ] T015 [US2] Update secrets guidance to reference the vps enrollment flow in `docs/constitution.md` +- [X] T012 [US2] Set secure host posture for vps in `hosts/vps/configuration.nix` (secureHost enabled, secrets gated) +- [X] T013 [US2] Add vps-specific sops-nix bootstrap settings in `hosts/vps/configuration.nix` (generate key on first boot; no baked key) +- [X] T014 [US2] Document the enrollment and re-encryption steps in `docs/playbooks/enroll-vps.md` +- [X] T015 [US2] Update secrets guidance to reference the vps enrollment flow in `docs/constitution.md` **Checkpoint**: vps can boot without secrets, then unlocks secrets after enrollment and redeploy @@ -83,8 +83,8 @@ description: "Task list for VPS Image Migration" ### Implementation for User Story 3 -- [ ] T016 [US3] Add a rebuild helper script in `scripts/rebuild-vps.sh` with clear inputs and safety checks -- [ ] T017 [US3] Document remote rebuild usage and prerequisites (explicitly authorized operator machines only) in `docs/playbooks/vps-rebuild.md` +- [X] T016 [US3] Add a rebuild helper script in `scripts/rebuild-vps.sh` with clear inputs and safety checks +- [X] T017 [US3] Document remote rebuild usage and prerequisites (explicitly authorized operator machines only) in `docs/playbooks/vps-rebuild.md` **Checkpoint**: remote rebuild flow is repeatable and documented 
@@ -94,8 +94,8 @@ description: "Task list for VPS Image Migration" **Purpose**: Final consistency checks and documentation polish -- [ ] T018 [P] Ensure vps host is referenced in any host inventories or indexes in `docs/reference/index.md` -- [ ] T019 Validate quickstart steps still match implementation in `specs/003-vps-image-migration/quickstart.md` +- [X] T018 [P] Ensure vps host is referenced in any host inventories or indexes in `docs/reference/index.md` +- [X] T019 Validate quickstart steps still match implementation in `specs/003-vps-image-migration/quickstart.md` - [ ] T020 Validate existing host/image builds after migration (document results in `specs/003-vps-image-migration/quickstart.md`) --- -- 2.51.2 From 592eb04e660ad83ca15495f021a944ee5c592aa2 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Tue, 3 Feb 2026 16:21:55 -0600 Subject: [PATCH 04/12] vps ssh keys --- secrets/keys.yaml | 8 ++++++-- secrets/ssh/ed25519_nixvps.pub | 1 + 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 secrets/ssh/ed25519_nixvps.pub diff --git a/secrets/keys.yaml b/secrets/keys.yaml index 994c076..cca7f74 100644 --- a/secrets/keys.yaml +++ b/secrets/keys.yaml 
@@ -9,6 +9,7 @@ public_keys: phone: ENC[AES256_GCM,data:PvSqRnz2qGQU5kdZZpeqb3Eg2psLYrMoV/168CKMWpc1h5TZi7TeWkCQa6ktPR556NT4Ny2m6rBzADtYZkjFIKtDLXdhTYCeL2eFWB3VbSGFHsHgvxXHbae+zg==,iv:XGO9d0QZXbP7vuNDY4/Z/YhRCPKwj3RoQBx5daQO/xI=,tag:zayb0RYQj6UOi6FKJbhhRg==,type:str] emacs: ENC[AES256_GCM,data:JBdqrtYy/1oVzea3WfvAX077R/8KECe+nziqHM7sZSMSq8nVxMeTIqXuowYsp15Dr9I1hezgedC+IfvkKyu9pCfS3Smzs91o+HEPB5T+nx5Kgn4pwNzw/4ahiA==,iv:OQfL/6UmhWcX2nbyWHZnN1+a5EP0AYAqTIdxn5KLvRE=,tag:JDL3IVYy2jAsDWOObTBFLw==,type:str] lidarr-mb-gap: ENC[AES256_GCM,data:KuaF98xCy4fK+mrWZQXPpZ0BMyZ/zblJzkZRFVlSF+G948Rql8+NmhlxpBxJ3A/SvFNIvfjzE+UZUnex4gbgxrtvP/ylWuScjYaKdAa0iWfCOxmIAK4gOR6svBMZxIJ1UA==,iv:4Op/XfSbpNxlaGWUMMYR1pa2GkGK77iF2jUmF07CYck=,tag:hS0d6kJxCrOfvGJ4A3BiHg==,type:str] + vps: ENC[AES256_GCM,data:irYKlykCixl0kTvE34+OHhzH4FUor079Mjjn8cdfqnEYUT9jT/5Y6P+q5PKNu61ggaddcPkRjjFwmVaFz0LaVJoJa7D5S/UG4wFnw8D7nfcUPNV32vmuLomgFEhgvNYbf9AdURM81Y6pSwhWl5OM,iv:b9C0SLW4S7IUXfJFLxLHmyws8tAs3LJ+Yy0mvOBA7d0=,tag:BnafiWiTJz3CnFrdPtH6kQ==,type:str] private_keys: age: ENC[AES256_GCM,data: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,iv:coRTCK6BSI8QFtfjTg8IAdwumSt6fuQryTxF5g+GF9k=,tag:K06p6t3Gso30DTY/Nk5EDA==,type:str] workstation: ENC[AES256_GCM,data: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,iv:2+xsS/4+vfQ0UBsHgLVCeV6GOU8giclqNpPXoi43shE=,tag:YVSiY79mHJ2LE9Ab05VE1g==,type:str] 
@@ -16,16 +17,19 @@ private_keys: miniserver: ENC[AES256_GCM,data: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,iv:FxxpTqtde+v9c/+xDfWimYlgkhJSI5GFIOAwoSrjNsg=,tag:LcLxjKaQ/5JT3hJnBgzmqQ==,type:str] emacs: ENC[AES256_GCM,data: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,iv:qDLbsIvW3pBPXTvPGRDzqeXEoWhhcwgNtHBVe9/NeLA=,tag:GejDD6cBIGYhHY+ixLbVWQ==,type:str] lidarr-mb-gap: ENC[AES256_GCM,data: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,iv:fzUD4VHr/g5l/GzP/7ote2tNtjvZlmgrwbAGMoaGpjg=,tag:ZxVQWTHZkQuUP9UAdR9Mzw==,type:str] + vps: ENC[AES256_GCM,data:TwWwU1h1ALYjCv2UpXDW8Lq2CI+GUWUEWlaUPBT8llvhRcH57MzdqqjfYxqTmERKywsiekngUEeWER6EsO/t9P9+lMPZCBwvZG+lDdY3ion2MfJOLFcWJnIe1lvHvAWf4Fju7LgEEvEyG5Tn8/hLsJwbH/y37AkfLoSWiKVRrKRcWpSb1/2Aycu3Yn5YeFXeELeaG9ZUeGP+fqUfDSvOfFphEEG1cGWqAXRh41azB+/t8yN7J1HSjjx86jzTCRxlr0b4YA3wu4YgZowSy5fETSxCnAk/gHcTgl6XHDsseFT95CJyOeLBLAz88TfTu7hqXswSdA6InSIPh9uLVuA5yiCYBemUXw/bMR8nESi/OCgzM4jF9ZvkYHngAJWPFJqwnGEGUen0qwmp6wdI+cVsqALsrG79rivtGHZbkJUMzh9ta2yA9LkOurqXi8ciSQqGVWqf01H/lhjPyfqzgASMMD85NdiYVc2dEk04YXzt0oOcgpex/VEhWx2DJfIR7mtAyaIQUei8gS6y6htg0b6jHYJtfYAG8WqE3wZ1XaTzUUavVewziAz2OFj9xbn4FFRjxKm0ONMWbVQ/AhWptY2N45CFFk3HaUMZdxGrOVEuEC7c/G8YAWswjBzcQG733SyVLi76Cg==,iv:gEbyoSt8l6vexUcovwGGt2J3YntkMEeSMf2nYsx5Fpk=,tag:N9woepMdByGZR4JD+2Ep7Q==,type:str] git_public_keys: workstation: ENC[AES256_GCM,data:VqyW8OFJ4450Okf/CVa8peYPVLjkfW8M+ykpiteTpXhlgXLPRfHdW2QrGXTMOIfRYDZD33Fx3JqGJZ17Sn7/wToLO+uY8i8JPYyYXWrQMqI0Xf/NR9JvMCycVoAT/oWG9w==,iv:VM5cBPHe3CPpiOozy+hsQcwGokQIVB97oFbVr5o6+Vo=,tag:0w4r5zrdNdpVDNcvbJ8bdA==,type:str] server: ENC[AES256_GCM,data:WMnUqMgIQ0j4F7G/LppKsN1C+Uoq12DRcYWIEQecTzq9v9+xxe8mAusGenV7SWqz50wrkkjGThmSiXzrdao7Ri4v/BKBX6d+Cql0Us0OOKNplSy1GQ98ML+LfHU=,iv:F/SPXw/BC5JE2u1m9x26qYWrSu/b10QzNPelQN6NBvc=,tag:0YU6dba8y349UvrpeqpbOA==,type:str] miniserver: 
ENC[AES256_GCM,data:M5p2My3d4rOZMj1j4CFMUdHoM2f3BK9y0ikg3NwMs36A2PUzbN39dWzvfhdqoq6stypHbEzmaI4VtUZySPFWaGclBKPea5ujZTxkkZOdt9V6/lvDMdl9O5MUrPBmXYyc,iv:PyVj4OT6ZEqyQDH/K0OtOflGoomUarF25hx95loOgJU=,tag:xZs6wd34LqqqWvRMfUgJbg==,type:str] emacs: ENC[AES256_GCM,data:jnCEEpEB5tZAs7Y5LT3zQeFZYRqsBcQY5ZASU6p23jRzr9F4wv9ksqezTdZEYGnY7cv8w9gC7Lc0819OTHJyWP0+A45SRZPb16Ii88Omu/Erp0f69wXQCk2rvm2QnZXzGg==,iv:zlglY4hcSdw24O+aM/0BR1/1MRXNYwTcSVZJEItQgMg=,tag:PWrT0LCzs7GBcj+CFFqfNQ==,type:str] + vps: ENC[AES256_GCM,data:ljr2eG76JFVBGTSQZ67ViEJRd+q4ocCY9BIOF+Xs4PiqRF9XtmNxIkQZGXYBWcPIRgKouf259frGPAIqyRHS2pJglAYOAbOWxLb1CgfGxWl6jhZXSBINBu8=,iv:XAixV3SwBIGhhaN/AdTjnT2TB/pD6+oxY+nhd+NDM0M=,tag:FfXBde5TURpWpsEaPMev5g==,type:str] git_private_keys: workstation: ENC[AES256_GCM,data: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,iv:zZOowKGPi7l45djp4IqGdTSf/XDOJACcwpsFGHc8hzQ=,tag:8UQAwcGf3qpDpNoQCVV61A==,type:str] server: ENC[AES256_GCM,data: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,iv:1nx2USITQFqiYcva2f1WOjxwK7iYVsWRpAmgU87Iqqw=,tag:GbnajMHjuZNkGjYZapaOTw==,type:str] miniserver: ENC[AES256_GCM,data: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,iv:l7raR36S6EHsuw620ch0q8HuWiyJzJaByyWZUrCLXx8=,tag:xDdJ+LVV3KVIaEjWX1YnjQ==,type:str] emacs: ENC[AES256_GCM,data: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,iv:K7z+vxjyj6IOI/mv31Ngj6iufAHY0EoQPwv9jJyWaC4=,tag:jWSFvIFBGOZfDuqYIhMgFw==,type:str] + vps: ENC[AES256_GCM,data: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,iv:PhWCv+qGXljm3I1u5FMKNheaZmIfcUb1OZ2bmgHpyXI=,tag:FyH/bZ68QPL/iZQzLbpv6w==,type:str] certificates: qbit_cert: 
ENC[AES256_GCM,data:RQNgCoh/kC/Bi+pamonNaAhniBLD7d5Ilc7YDe02jLnGYWgvtgQCcWflSbnxuLNgIDX1tBEmR7J8hjRyetNF6mQj7z8SmvfG+Mn53qRhiqa+RoSrhL18xtHKjWkNbgwXJtrSFa4g2dMLsqkrp8mK3Xzap2Ge+bCfi8iE17NOd7U/8NwH3ApdjFFz3nmic/gsMZwJE2CvefF4OXLiLl4COeuf+yj6k7C8/e4rP3C418lF3C2HZWwOoTU57LRmfiG3GaTg5mD3Ir1OFC28G4R2MDXh/anSuJEnGQdTgXxQMUa9R8Ec2eCANEwtK7UFvnuLtUEErlJDMuW5h7E3pMXP0iWsqwP5IJrkSDxMwm6TQHlmSx62WhP0wZVGXiIeOdIQgWTgkBPk/3EpkGML9/WH+FAtZ1mhi6YLaRPlSLcKnLd2/YM2JEgq/A52No09BHw15PEMWPrEld2HLdG03MroCazci3shqeVMLk/G/CrXQ7EKUlmvfrR7/6T8/VolyCzezAtmk8LjtWQw3bes/xg+ON+MjHEGAj7H0EkDsZcgbEJZVYEyUI1y75x4TVP+LQpOd7QynlUoj0qkw7QvvMj4j94qAMbAFkTrqk0LwYytcha5A0nwfurMFkTfPGkaAF9TktVtpMCQ/ghCfhWSKAbpuFR0Gpl9Atofs6RfOWXJ4oh0vh3mQNJc4oOQxN+2vlLPjRxVUULNhCTUpffZTaBvbU/gTAKK2XOI54od09YzNwV4oBMS0opg2fi3JA1LFzDDSyCeoA91mq2iWR1NtSwB/T5zRlsnt8dujcNfGPIoyNkjzxaK9hzDdm0Sh80ZGGt6pcibyOCCCuKNt60kgbDGXP58+//Kj0bKp5PTjZz4q1fUVssMQP8cnPte4CZCTgRCrpAlYiPxz58iGo3D0MZrTIcrj/SGaV61m+7W52OXnMPDXHZ2kJ27kdCVK/hDVeBTWqSHg3qYG8AdFG1QSkDS0HkmJ+bQJtXksh36asbDfVBo4I372mI7oYC7o+U/xUDTo3wf3TsP6fzq3jTymripJfcXdNn+3Y7ZfYJTX24eh9oCMTTnlc/HdX3IiYGugcTBpQwSIu0Vx7L1Jz6GpB6hCRzTdvutnH6u+nWOgp5r5s7E3/PTTFFKwY+wxhAauSlhWYoBQcnjnkoW0saLldTpF2rAozCPQuHai/zYvWI0YHmetUJNmYOjxMHcmy/DNohN51ecg6782p4wk5E01LT2+22thAxfAe8jA7Gt87Jxx6fVNb7/r+cPhpciWfOlpbkmLjmLX909HXSekLJa1cq4VIgjJhbGbSty9ooetY4kZSoBosSizxQx5VeNZkjPOvJ/K6QOlDfJAmC5QzJVcgOF7XHSSeeaMdcPWK/TyEGCFBkutsIrYMHefyqH+/InqOco3wUdpvGEWWB8j3DfV89HgKT+Nt95rF+tpOsvt2v2QkzPzULTJ/ZRxJ6i86qJBJZrriKx8t+ns99lmao+aoBa25he6xBAyGVuBwK3eS5fJznGBF2lDg83FOac0KxrcJgOiYNyDwucFMfeY4i1p5X+zALBfVk16XICRRiYjub2+3V2kTQOLaNdPqkQ0DZPaPwwhg2v0WGdOIuAf2iB4bm1T00f1sMPKZ6MtuoXjnYP3E4gTRP9vZAyfB35xOlXmd42fw==,iv:5xKwtvNM1MOwk24m9yl7kEQaTAmFZqHWcE6TkKhmsJI=,tag:ikVouFR7x9cMFoSy/A9c4A==,type:str] qbit_key: ENC[AES256_GCM,data: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,iv:jTER/Q2JKTeMs33IF65J9/OufVMdMsTtBWNY+CwgigI=,tag:CTB5rasvOtpey21jXtxx3Q==,type:str] 
@@ -80,7 +84,7 @@ sops: dklwODNxYVo4a2FaWDJFM0FnV1l3SlUKMnq/MAJRwR7iEri2KomPrMj0gTkMyhzH P5E4zheU7chJTAz5jf6iecyOvKAt6q5g9Q1MU0D6dkOcv2gzWSNAAw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-11T21:11:25Z" - mac: ENC[AES256_GCM,data:zhPKEB/u8x6mABVzrKlfSQdW/eCailqqb/JIyTzC21bF503ESfjrJIiTIb889rAjcGXQFfA0BJ398Y+8XLJ3WL25Imc1vF5/HIkeG1u7FZQx7XNVg2A8NxzG42F8Zei28Cf9PBqz/zsu8OyVgFdGWR5oAimli45PJcozcnKaWsU=,iv:G0zYmh9k5aayGY7szw5uf7bp9ss/Kg2UeALpIGIkByA=,tag:0pDYK8Wa7etc1wxDlMiddw==,type:str] + lastmodified: "2026-02-03T21:56:09Z" + mac: ENC[AES256_GCM,data:Bnjo3TFYoGbtB8HF1i+ZQLlfeBMOjq14lu8oLRqcZ6Fx5Am0uuh+/PHClWZ/JX5suC0Kb81+aBHg2QTsLoB6zdUrRpaqa0CUxTDoGw8tpo8m6zLWvSggpYLAuRgTYqBZ0lVK1QxAi9+qVJQ5AIhYwSPrf2oq/Mpq4tFGUoG/tzM=,iv:8JqAeBVYnZM8A+CPAlKN+6SDty0XQ4AKEBJLGV8Q738=,tag:CQXE5QsfJMiI7UQoCfE3dQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 diff --git a/secrets/ssh/ed25519_nixvps.pub b/secrets/ssh/ed25519_nixvps.pub new file mode 100644 index 0000000..e35e6c0 --- /dev/null +++ b/secrets/ssh/ed25519_nixvps.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDY0RAhoIM9q5xQCqLWJQimk3JAkfYAcabxGFnxmNBq jawz@workstation -- 2.51.2 From 42b39513a15e2efb88f6b09e68db14156a27b3c6 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Tue, 3 Feb 2026 16:28:26 -0600 Subject: [PATCH 05/12] finish linode image --- specs/003-vps-image-migration/quickstart.md | 2 +- specs/003-vps-image-migration/tasks.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/specs/003-vps-image-migration/quickstart.md b/specs/003-vps-image-migration/quickstart.md index 7003d78..0f28190 100644 --- a/specs/003-vps-image-migration/quickstart.md +++ b/specs/003-vps-image-migration/quickstart.md 
@@ -25,4 +25,4 @@ Provision a Linode-compatible VPS image, bootstrap secrets securely, and enable - vps connectivity: pending - secrets enrollment: pending - remote rebuild: pending -- existing host/image builds: pending +- existing host/image builds: vps-linode build passed diff --git a/specs/003-vps-image-migration/tasks.md b/specs/003-vps-image-migration/tasks.md index 0c40cab..b3e5ede 100644 --- a/specs/003-vps-image-migration/tasks.md +++ b/specs/003-vps-image-migration/tasks.md @@ -96,7 +96,7 @@ description: "Task list for VPS Image Migration" - [X] T018 [P] Ensure vps host is referenced in any host inventories or indexes in `docs/reference/index.md` - [X] T019 Validate quickstart steps still match implementation in `specs/003-vps-image-migration/quickstart.md` -- [ ] T020 Validate existing host/image builds after migration (document results in `specs/003-vps-image-migration/quickstart.md`) +- [X] T020 Validate existing host/image builds after migration (document results in `specs/003-vps-image-migration/quickstart.md`) --- -- 2.51.2 From 2f535cc91aec112d3b043ed992cc97402b10deff Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Tue, 3 Feb 2026 17:02:16 -0600 Subject: [PATCH 06/12] linode setup --- hosts/vps/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix index a7948fa..2cb491e 100644 --- a/hosts/vps/configuration.nix +++ b/hosts/vps/configuration.nix @@ -24,6 +24,7 @@ } ]; }; + image.modules.linode = { }; networking.hostName = "vps"; sops.age = { generateKey = true; -- 2.51.2 From b07d867d789ed8a0d7408d7d82c4d85bd49cf4af Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Tue, 3 Feb 2026 17:21:29 -0600 Subject: [PATCH 07/12] linode-image imports --- hosts/vps/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix index 2cb491e..1d5ccd4 100644 --- a/hosts/vps/configuration.nix +++ b/hosts/vps/configuration.nix 
@@ -6,6 +6,7 @@ { imports = [ ../../config/base.nix + "${inputs.nixpkgs}/nixos/modules/virtualisation/linode-image.nix" ]; my = { secureHost = true; -- 2.51.2 From 59c8234d3ce150e8059c3819f752a7e92e4fa6e6 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Tue, 3 Feb 2026 17:24:05 -0600 Subject: [PATCH 08/12] fix? --- hosts/vps/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix index 1d5ccd4..d192f5f 100644 --- a/hosts/vps/configuration.nix +++ b/hosts/vps/configuration.nix @@ -6,7 +6,7 @@ { imports = [ ../../config/base.nix - "${inputs.nixpkgs}/nixos/modules/virtualisation/linode-image.nix" + "${inputs.nixpkgs}/nixos/modules/image/images.nix" ]; my = { secureHost = true; -- 2.51.2 From a90eb89af24fa99455d6c28ae923188756b0e4b3 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Tue, 3 Feb 2026 17:29:14 -0600 Subject: [PATCH 09/12] hmmm --- hosts/vps/configuration.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix index d192f5f..2cb491e 100644 --- a/hosts/vps/configuration.nix +++ b/hosts/vps/configuration.nix @@ -6,7 +6,6 @@ { imports = [ ../../config/base.nix - "${inputs.nixpkgs}/nixos/modules/image/images.nix" ]; my = { secureHost = true; -- 2.51.2 From 26dcef64cac8dfe17751e1e062629243c4a3ee99 Mon Sep 17 00:00:00 2001 
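Review bot: PATCH 07, 08 and 09 net to zero: 07 imports `"${inputs.nixpkgs}/nixos/modules/virtualisation/linode-image.nix"`, 08 swaps it for `"${inputs.nixpkgs}/nixos/modules/image/images.nix"`, and 09 removes the line again, with messages "fix?" and "hmmm". Squash them into PATCH 06 so the history records the working state (`image.modules.linode = { };` alone, which is what `parts/packages.nix` consumes through `config.system.build.images.linode`) instead of suggesting an explicit module import is required, and give the squashed commit a message that says what failed with the imports and why none was needed.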
From: Danilo Reyes Date: Tue, 3 Feb 2026 17:43:14 -0600 Subject: [PATCH 10/12] new sops --- .sops.yaml | 16 ++++++++-------- secrets/certs.yaml | 42 +++++++++++++++++++++--------------------- secrets/env.yaml | 42 +++++++++++++++++++++--------------------- secrets/gallery.yaml | 42 +++++++++++++++++++++--------------------- secrets/homepage.yaml | 42 +++++++++++++++++++++--------------------- secrets/keys.yaml | 42 +++++++++++++++++++++--------------------- secrets/secrets.yaml | 42 +++++++++++++++++++++--------------------- secrets/wireguard.yaml | 42 +++++++++++++++++++++--------------------- 8 files changed, 155 insertions(+), 155 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index e7812ed..6a56918 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,7 +2,7 @@ keys: - &devkey age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 - &workstation age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz - &server age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5 - - &miniserver age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl + - &vps age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw creation_rules: - path_regex: secrets/secrets.yaml$ key_groups: @@ -10,46 +10,46 @@ creation_rules: - *devkey - *workstation - *server - - *miniserver + - *vps - path_regex: secrets/keys.yaml$ key_groups: - age: - *devkey - *workstation - *server - - *miniserver + - *vps - path_regex: secrets/env.yaml$ key_groups: - age: - *devkey - *workstation - *server - - *miniserver + - *vps - path_regex: secrets/gallery.yaml$ key_groups: - age: - *devkey - *workstation - *server - - *miniserver + - *vps - path_regex: secrets/wireguard.yaml$ key_groups: - age: - *devkey - *workstation - *server - - *miniserver + - *vps - path_regex: secrets/homepage.yaml$ key_groups: - age: - *devkey - *workstation - *server - - *miniserver + - *vps - path_regex: secrets/certs.yaml$ key_groups: - age: - *devkey - *workstation - *server - - *miniserver + - *vps 
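Review bot: the `.sops.yaml` hunk replaces the `&miniserver` anchor (`age13w4elx3x6af...`) with `&vps` (`age1ml3smrs5mwz4...`) in all seven creation rules instead of adding vps as a fifth recipient, and the per-file hunks that follow show the same swap in the `recipient:` lists. After the re-encryption, miniserver can no longer decrypt any secrets file, yet `docs/reference/index.md` in PATCH 01 still lists miniserver as an active host and the default `mainServer`. If miniserver is meant to keep its secrets, restore its anchor and append `- *vps` under each `age:` list; if it is being retired, say so in the commit message and remove it from the host inventory in the same change.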
diff --git a/secrets/certs.yaml b/secrets/certs.yaml index 8842787..5b69ce7 100644 --- a/secrets/certs.yaml +++ b/secrets/certs.yaml 
@@ -22,38 +22,38 @@ sops: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsbWtvSXZ2MVdpdldmNUhx - OXlXSkxQUEdrY2wyMXZFdDNoR0VXU3hhODFzCldQOXFpamRsSmJrMXpDSU45aE55 - QzVESG9mdWN2Z2JvdEJzbElud2hWQTAKLS0tIHQvWkxRdXJlRGp0NGhoZWFaRHE5 - N1NHa25pT1FscmJ0WUowcXluaDg2WGMKigU7SPfaPWuW0gNF6yQIVWMDkddYWK+/ - BETBlD1+yyFk8pF4IfR9iU2JgWLSCzMK5JDZXjm095eoDS5xTQHj3g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VUMzYjZ5WlZtQ05LdnVt + b3V3RmFyM0VZWmh4dC9YZFpsZkRIdC9TRzFrCnBuYnhSaUgwb3JuSUNFSWlwSmVq + bEoyQ09XSjNBMks3M2ZYdlh0eDFNYjAKLS0tIERpaGhISDFYd3RCYUV6Y0lmdGNQ + VTNibTBMN2RuN3doU3lYK1drNjVTVkkKMmRW0NtiYKBcUQ8kKjXcS6KjoPdVfN5d + 6vczsKTTbUwI0n6T5xrwRdbVIFsP4HisjceQWxJIVBthR0u9dLfXGw== -----END AGE ENCRYPTED FILE----- - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweGpWcDczZFFoTXNDc2xV - b01BYVJiYjlvQy80NlF6K0lRTWN1Y0pYcUZrCklsbzAyMFFqNXVRK0x4NU1zc2JL - WXA1OUhPQzZMNDhxMkU5K2pvc1lCOUEKLS0tIGo1aHA0b2lSdW9HM3ZPTU92Q3VU - dVgyamc5bzJ2T1M3TXh3dEg1d2xlbVEKvEWuB9hPQXkI8AQ5oKs0AU8v9bE4PpLu - x35YD4Wvfva9l21o1d1474bk9+nQnksj1ofgQKYilvKSetH11KkuQA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvb1ZtMjV5TjlhMVRwdWNU + ME93Y0xhVGlxdGxmeWtXQ09EN3lORlJpV3k0CkJxdE14YXpwcytjbnZuMWpHVzZ3 + dVVBYVE0RW1naWVVQ0JRY0NoWG9LZTQKLS0tIG1udE1GbEtTQ2o3bGl0SW9NZmtF + OFNqTncyaHFUSzBNRzZiSTVBdkhFWVkK2v81N8c8cU1Ig9fQZOn0fltqO+Ej8Wtk + D0nMQv2fbWp6YlyE17VYPgmhdEY6+Zstve6PlBG86iQE3LTAfjG3Uw== -----END AGE ENCRYPTED FILE----- - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmem1iZmRqSXhVcVA3djBo - SFVQemRuS211Q3kvZEZzVkIxSmIrbGdtcDE0ClFwN0NydUNYU0Vpaml5bmhXSDJN - QlNMWExNRFNUMEYwa0QrbWUyUGFtNjQKLS0tIDcwYzVHYXBOejhHN0Z4Njk3OHNL - 
SzJoUVArZ2xkOGpYZG5pWEpGejVyUlEK5VRrn6jp40iXOdoDDLxk4DhcprKBZd8v - yHp6GBf7mFWxkvw77fl2/q7J6krlwix2sC5TLlk26zfgSaISz/mR1w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSVdUWXRUa2tHVGczelhu + UWk5RFl6azRJTkdxZGxvbWlnSDc3K3NlNlgwCjBRZEVta3RuNW1DZmo4RXJyTTNk + cnpxTDRGL0kwQXJmc29LNE0wV01hUGsKLS0tIGgyTWZrOHVNTGExRWtYMzJ1aXhp + cURNZXBtbnp2OUZDZDZKeEMrZlN0TEEKznlmLKFHYDm/hv3EPcHjT0A8r06GL7if + tbuJei8aWWg+uuvCBTZjHqmPUyNR1ixt84vxy1HlwXVu3dYHcG0Wug== -----END AGE ENCRYPTED FILE----- - - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl + - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOXRFVjBENnJqY21ZNkw1 - WXIvRURMSGRJUU9WMkRtOVAycHVGQkZnZkZRCnZlYUhYLzYwaEF1UTBCck9lV2c2 - Q2pmS1hVR2xkeitGSEpGNXptdDk2cEEKLS0tIDJURXNKUjV4S2VXbXdyNVRJWVhj - Y2FnZXZYZzNrZkZubCtneGNHVlVKUHMKTasbVdxTpuK3UYmeAXWt4Gs+M9NnodWF - fGuCUVkGNrXHiLBYUjomvmtYIul22xiGzes0xHzSBE9jiZuVnu4qlA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZYnlaTkd3LzFRbldWL3RZ + N2ZneVIzMnRpVVNHVWRMdXJLdjQwSWFKS2pFCmlQZUZMbG03VFVuUXcxZ3NRWjVH + SHVPYzk5NGpkeUVSU1BmQnNuaWZnZFUKLS0tIFdQZEU1YnhHZWRIajNYWTYxMEwr + UVBjaDFtSWs1b29DR0R2WS9pSGh3OEkKmG34ldBy4s9nj3ng/HQr+gN0LHJCOPJ8 + EWhh7cTLSF9AmZKP0sBsj7I4hHhZlOn85bvTM9RDiRVOSz8VrObXHA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-09-21T20:28:29Z" mac: ENC[AES256_GCM,data:e267Kxv1Pyun/VOcLepBDBEKN6uSf8/iuY8KQ8u4xK58wsWkMdSDVcDKvO/iKF/Tj9hj+lZapkaKmp5SdeX+gjpyWiZi6QmUuKsCs0jlkV2NydLtZZt9vkmY/LCguIBRMmhDgidrNcfoghTxDDK5lng5H+2MBs0r2zLID65pHUQ=,iv:tr4YFdBltnsD4uTt+0NCam7r1QzhOmdoEbfz5/+JGPI=,tag:R2dDWTC1qrwPI9ghaf1FEw==,type:str] diff --git a/secrets/env.yaml b/secrets/env.yaml index f3cb068..21df4db 100644 --- a/secrets/env.yaml +++ b/secrets/env.yaml 
@@ -21,38 +21,38 @@ sops: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDclRxNVVzaC9lazNQSEdp - UzNBaTRnNzhzM0dLaVk1QlBaK2ZUelhoWmcwCjAzcnNsakxONSs2UThpNjhMMGpr - TGtnY21OTnd5NXdvdlpKamNCdXNjbzAKLS0tIFVxbGNLNWhudFRoRjBOblNrdW9k - VkhOV1BScVQ0RkF2bDBabUs1a2toMTQKDAeEu3+vuVKcpm27igmQuBvFfsMd7o9H - Wbinft1NiaQhc+7KtDEx51+tS+cgaGzObkWabyQutDqWEa/2PZLZLA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcWpKQ3RqSVdxcDllajc2 + UzVtdmxBWmJ2QkI3SGhYRlRadGJYaDU3UVN3CkpQYkxhVm5ZQ2djbldYL2VmQWsv + SEJmam0zMzlJSFpHS3JZWVorUmh5ZDgKLS0tIFdWdU44VlRDZllCYXRTQzNyajRy + cDJqNzA3ektRWll6SkFsVnFMd1FBUEEK0j9X4lYcFaj4MnVh4jnNwrTg2Sl5TTdZ + uFvTdE4ZNtZsh3nKmj+v2J3JM8dDUtw2NSooqpoqEvCYdDqwK1kDXQ== -----END AGE ENCRYPTED FILE----- - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RC9Ea2VSZy95Q3JJWlhB - VFVBVGxnQit0WC9Vc29Ic0g1aDNBNWFySmxzCngyTDg3R292c3VNUkhvUWNXaThE - NjVjTVlEZHhVODlFeklKNU9peWdad2MKLS0tIFhVTHZoeHV4eVVGOWNHeml0b2JE - ZVZiemVkYmZxMFVEQmVvVkZnaU81OUUKPHdwj8s0Ju2Y0Vh31jnR83nQ3jpqjkhr - 4z5OxYJk2d0uO9f1jNaiIVLRxCdbj3h84f4fQqoQv5csrc5H9mg7Rg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGSXlITkpxcHZqR0kzMlFY + TStOVitPSm0zTURZcE92NkM2ak8xcVF6OVZBCkRRbkpBNW9yek9rWFlOa1pLSk0r + ViszS3pMNFhLQlcwdW83R1hhTUJLT0UKLS0tIG9NTm5tNzlidlJmejdoOUkvUE9X + RzV2MUFEMnlHVmp3UmgvNmJKSDFrWHcKQ7y2W0PFLs/I6Tb0J/M91+toDP8XmgWh + LYuNc9lkjTs+ylIWuMTwtXdceI+kK8hJlELT47FyKl755DzuB1ufAg== -----END AGE ENCRYPTED FILE----- - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNkNLTzcxa3d0M0pJbXlp - b2V1alhBUFY1VVZIZUY3ZHYyVmFKQW5tbGdjCnJXSHpmeDdTWWtHTWt3TVlCR3BU - TXFXZDVabjF3d0JYUk5Mb1c1dkVjMTgKLS0tIDFFbHBCSXlPVlM5YUk4MUNiNWdx - 
bjg3aWdMbkNDMVd1cTU3NGxPU3cwVjQK4zDOWDUHhK0JVjiYTMTSmGej7yXb5X6G - SLPWPbrB8WLGyK/gdxDrZAxucxe/n/O0CsR5DQubmetfUSowk9RIIw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYXRodjgzR1hoR2VDNHd6 + NGJ3SXpqRmJKVlY5aTI0R0hBLzFGQ0VSYmpVCi9BakFwRGlXd1ZPbWpHY2h6RUo0 + VGl0T0d1LzdaZGNOZ0pDekZxVVBWUlEKLS0tIEdtVDZlN2FrcFhEU2pTMUdiZ3NH + d3ZSMGdkNzNaczBYOHFuZWJmcEM4MXMK6ayh37HUhOYPryv2Y2WlE1U0CX7qZF89 + PzvHQZYcbZ2gsRW2f1uU2VoJp/6XnSipD7fCjma3iNovoPlu2+A0yw== -----END AGE ENCRYPTED FILE----- - - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl + - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WlF0WkxIRkpnR1RhcVJX - b05ZYzk3YU84TDI0cUpBdnRpNGxEQmFIMEVNCkxrTkdkUzBnUDdDQ1RqV3hnamYy - c0owbnVHbjFPY3JsOGIzN0xIZHp5dmsKLS0tIFJwZ1ZFbG5SSmNoMVFYYlNXNWx1 - QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb - 9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4aUk0WVhTUTZXOVRqam9O + WkVNd1FKdDA1SWpwWndHbmVBRlNaSWI4aEVnCnJTTDNYTkRtNkR5cUl0SURVQWxh + d0c5cEhJVTZ2YXdLdHFQRk9KN04vcW8KLS0tIGF3Rmp2Z0pwM0x1WnpKaVBiUE5x + MVBONDBmQjI2enNIVFFQT1hyYm45YXMK2NXWvm8G+Yrvw1NAC6AiDaxA9UftuqYe + ZB7QpfkdCT3vS52lBgcEJrM1TbaVX2868trk5kB4gjqVMPVPYxcGHg== -----END AGE ENCRYPTED FILE----- lastmodified: "2026-02-02T03:55:24Z" mac: ENC[AES256_GCM,data:+NN+RgkHAIox1IgUuC2ACHneRBzgn5FzsujpbPtmw1IecxeKMMXM7Wa1ZziSkWJSjjDCcBoanox57e+BoNWN5WhWuMdCed04AKcknfKlHAtHrKhoLCsi1sZnsQX7xBmTsA5qHD8788EWfIgPk4gToXkq5KkEfvEWLvalClRK7tY=,iv:kGyw9hk6vp5iu0iMHaCLgVqdcv1gNUBqBhZbRSCa4Ks=,tag:FdKL/5ZraejphDIE2ig8GQ==,type:str] diff --git a/secrets/gallery.yaml b/secrets/gallery.yaml index d087678..9d9700a 100644 --- a/secrets/gallery.yaml +++ b/secrets/gallery.yaml 
@@ -5,38 +5,38 @@ sops: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIY05VY1FPOU5FTFFnazlQ - RStQVExNdWIySE5qSVMxMFd3NFM0L2VCRWxzClhleTEzNTVOaVl1cGovM1hmWEoy - eGNxZ2E4U1pRNlBaTDZ0ZW4wbVZjT0EKLS0tIEJ0ZXR5blBlckIxSVlmT0hxY1Bz - TGVGRFgzaHI5VW5GdjJvcmswUWFvaWMKQCK47p7OQUXq45aYo9BkkcGrzmPKCJOI - OKu/+W4xYOnfIo03GGL6f4LrbCaKr1mdtsRnuHmaFXiXdaKbZFDEhw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4R05sUnl0UFd3T3pzRm1y + U3piNzlpTmpZeEhkeWJxRkMzRzBWRW9LQmtBCjRHTVg5ZlozUnpsVjhIK05xYjlz + c2dwbWVKWVNXWFhTWEtlUUFjVUw2RkkKLS0tIElaNXN2ZmROdHd4bWljM3FyMEh6 + Szg3WTdrVlFmSUJ1S05xNXY5RlM1V1UK7YETep9hn49UqRUjbRv6oGFUT/8lRgXx + 5O5eGB1X8kPCY8zXiGWSzfo6X8O5659vWIvqjoY8nZxekgvsISS/WA== -----END AGE ENCRYPTED FILE----- - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJb0MzQVZvY0ZCNlAwT2Qw - RnJOUXJISFg1Smt4VWdoYy9PT2hQNG1MNm5ZCmVhUFI5UGpQUkR4MTA4VktuVyt1 - TXlVZ3haNjd4OHNYNE4rVzd2MkNGTkEKLS0tICtkZDRvODBZaGRCTmdlUkRESjMv - bElZc21OSXJsZnZaSHF5ZTBDSlNXaHcKixDNfM98AqYagtidcYE3lgkFM9XTIrVg - gbYoSOk5rL9Hi2rvP+BCEgsrRSuExGKVvdqODYltD+nNfTI1zcnTFg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpT1oraHpJb0NUQndMZW9l + YWZrOVBqOG1KME5PYS9YVE4zd2VQb0hRN1dJCmVqSzhkbU5DVmc4MFVnSnVYTi9V + RUR2UDNEK3JGOEFUWVoraGtqQVFFWkUKLS0tIDVRdU8rV3diVXNUQSsrKzlBdmFN + Q0x5QXdaOXRMc211TUhqTndQOXR6ODAKtJYiAeVTYPOpS+GykBDOLx1g3VloFo2P + fDIkOCrINnAU4y07KPhGBxCV3/2cvOPhIgsd02XqxfZPCEU/cYdCgQ== -----END AGE ENCRYPTED FILE----- - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZncwdllnQjYyc284RXVm - VVVJTHI1Z25FWXBhY3o1SmgyVW01alRlcVVVCklDNDYvMktDU1U4L0RTMVgvaU0v - d0NlK3pqYzZ4NFRUd3V1WHZTTkVpK00KLS0tIHVQSmRDekcrK093QUJQVHNZcUg3 - 
WGVJQm5MdGhMbzd5RkNPU1VuNTZVeFkKQq/WyqLOOde86NNYnVq0Lw31YB2OcLY/ - h/HtFN4GynmBOYcTuqIvBJ/TksXs30kWFKW2XSY0jP0JSY7Yo0BxhA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dTIzeCttSGNVNmhPejdW + ZFkySng2T2ZYdkRrRGRXQVpER1NJMW5XN2xVCkc0VTdsbXdLUkg5d29zZ3VmY0hH + U1cybHNob3VkdzRWbGt1bFhNeW9XN0EKLS0tIDdoc2cyaEIybjBHOU5tdVRsTWFZ + TmdZTGNDOFovMDVPakF0WTdHaUpHeFUKl0ub1OOylE2JGJNpeReebiOaVdxbd0wv + nvJD7tYYXI666Pi31OHttWhsHR+xkL8TU9Dd6uDs4QxIRQfwy/VxcA== -----END AGE ENCRYPTED FILE----- - - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl + - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZU0zK3V6M2IyMkFOdm5U - UG1oVi9IMzM0SllUQUMwMlh4NkF2V2pCcWtvCk1kR0QxVWRPM1pyWmdVOE1UdWxs - NldjZXBOZU1uK1JELzF1blhTQy83Zm8KLS0tIFFVRjVScVVGa09sbEdBdjNXNTZR - d0YvYk8vNitDbzNCQ1VqS20xUWx6ZDgK+kIRATTtC0Vd7/uPf8E4pIans79Ksh6J - Y77+owFFw1AvQ3KvaI7QVfKW61MzxI+S1bWqI3ZNOJ19Qv4ZoVhnVg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUldWbldqTTEwMGF5RVFV + ZkZ0Y24ycU1hVDlaTnpGQW1SeFlzaXc2a1FrCmtrUkxLcjNsVHNXemd1cWJJdXI5 + bDFxUThzSFptNWtXMlNqM09aeklUMTgKLS0tIHR5KzE3dStMTXlhUWhtUWUwSkY0 + ZldyVmtRVGppQ0d0SnN5Tld4cEtmQ28K1Yij+7OxQUpEsPt/GTnP+dhEErBH1HuL + pBFXqHLAwpqiEiiNhYnb0KVWeQnIqDo9WUnrbPavcWSrSkmCsszgxQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-10-10T05:09:54Z" mac: ENC[AES256_GCM,data:N/BwfrwWcnot36Kn6RFZjjpUIluzq5Upy5iVVV4XSs+/0PYdlZGytjoAB+E3gXyPsLZ93UqI0A9/5KbfXBuR2oY2F7iKsu5puzgyYWa0Gl2z9YcPnyDnk1dj7Ne77xJlqR9YquGzFKF8QdqFXFA9cdE3b/1usTFhP26oxofMXs0=,iv:Iz/LzS8yeKQgDiGchYdKNymBeekhopJtBWaQGOwRZlE=,tag:hMRwxJlKR21W7otW01GmGw==,type:str] diff --git a/secrets/homepage.yaml b/secrets/homepage.yaml index 4e06bb8..c35a39f 100644 --- a/secrets/homepage.yaml +++ b/secrets/homepage.yaml 
@@ -4,38 +4,38 @@ sops: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdnhZNkx1S1IyWmwvdkVh - VGxNM1lUczd4Z0JKaHVlM3N6RWRWS1dBN0IwCmcvcHJnQ2h4WVV0S01OelA3eldE - Q0lNR0w2Z0owWnNjR3hXWGF6UzhyOTgKLS0tIFMvbW1rd1A1VDRJWW9TemJzQUl5 - d2hISHVLUnpBVlAydEd1eHo4WGxLSG8K4uAVlEvgrohFbpvLexcfom5HRXMwTYrv - ftuFhDAyNHlTNABiPH/dmjy/A86Veb1LKXF0Y1r/RPWRHaxyw5f23g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDa3NpNG5tenhqWVQ5RFAv + bjhhRWJWK0NFQVk0cGVpcVJGS3BFeWlSQWc0Ci9IT05mQTVWbmk3SFFpWE9KUnh6 + bHhCSktlbzVUQm1lOHp3cVpiSHU3MDgKLS0tIGg1UU4vVVo0SXRwMjJsVUZEZkFC + TC9Eb2JaVUFDSWRMYm5jR1BBa2lEamMK4V77WUVbMXcsw83FFdL2Rk30oR4cAkqQ + kc8Z0+5kNJFUFilFb54dnWTOh27K7KZvU1qIdhG3X9fuMIHSuPnyTw== -----END AGE ENCRYPTED FILE----- - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQkFPN3owRjRuZjJ5M3JX - U3FaMk5XL2xoUmo3eFFGRXc3Q0Nwd2gyV1FjCjFjL2pUaWJyVXZIUHI2OWhPYnlt - ODdFVjVvMDhGSnRGejNTWFRUdXdleHMKLS0tIHpCZlc0TTVxYk1UUUk2NkVpcm1M - NjFnY2JqNkh0NFJkcU40NEFsNjRuTW8KMRIBZVBnxe+Drs5VqGzBLI6AsVJj2Vka - bmPFMl5ZJ97HxpdqQ1xkUqjoebp9KT5osOSglSK3CTkMRTEtyWQ11A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDRVdYVTY3QzR2MFJPVW9j + SUtmTldMRCs0dTlJcGFoMDVnaWMyNlF4OHlnCjg0OFFrOERKRFZVMm9NREhBOGRs + dTEwc0NZUk9hOEtvNVJDRXl0TDhCaTQKLS0tIE5OWm5CNzc5SW9IdGFud1N6Vm1D + djhzM29HK0FIdXIvaGIrRXlOMisxaTgKVCAiniAmfqJuwwiUpcGAvoyqnUEZ9gOS + SyhXMzv2cbomuOb0NiALRkd2up/uX0TVuz9wuBQvYYjJhqpFuSnbRg== -----END AGE ENCRYPTED FILE----- - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQkxwV2lQRzNPRUtvclVE - Tkl5MVQyUUtxUVJpbnZmVTVNRThBd1JYZUVjCk9GSklFWUJBU2owVDVxTjdncEtI - WXp3bkRtS2NEazd1KzZTZmlMZ3Q5U1kKLS0tIFhGby9NV0tidU9MdWRnY0JNNTZ2 - 
enphU0dnNE84Qkc2V2hxZWRqOUg5QmcKk3qdK28b9072s7bPj+TgqeYVS2lnR8uf - R9BUS6c72aJjxPm11JqNW8UPu0ODhZrVMyyv+p+KY1J2iaCNGNdvXw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UlM2MC90SEM5elBtNmpm + cnpTQVF0VEpLUDJPZkEyeGNuYnl0cEY4M0U0CjhOY25BcERjOThkbkVhNnJtaVpv + N00zOUZPWnNYaEtYMzlXZk56dGVPeGsKLS0tIDVDcGY5cG1ETHk4eXRFN1hVOXhV + Y2xncFJuNUs5ZkhLSjJyc2pzdDZxbEkKn/8BtUXPQ0OdR35ZwiHWFB0AqaDtAlG7 + N4Z7iztqiscuxn8G8VVVFdkQLBY3JcrXhxPYWK4xtJeEtpIMhegxeQ== -----END AGE ENCRYPTED FILE----- - - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl + - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTEZFalVYbUdNb2YvOW95 - M1doTEp1ZHRjUFJSNm14V1VWNE5hTWRpemdZCk1GMTdrck04N2Zydm5aYmQvTzdH - TEhrK2dES1lWVGJaOU5CUUY3a0ZtSTAKLS0tIHJXdzRGY1laZnJ2em02ejB4RUpQ - N3BtMkE1Y3d6Tk50ald2clJ5VVZaVG8K6BDcM8UAtBf0eBYosTvrRmi0Fcw05q4a - FOltP/mH09OQBHYJ466s8eaPj0TwqMl3524Byr4vTPYTy0keRN9EWQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1VYanVSZTd5elNlZ2NC + bnd0V0VZVmtrVDhBbW5KUHJDMUkrekVZeldRCjBNY3g1SkVKUzhRL2xsbjloUERi + UXM4T1A0a1V2eEFlQWlTQ2tDdFdaZ1kKLS0tIFFtNDZzbzYyaE5UT3R4eDJzNnU1 + RG9UbWM4YTVHcFpKblQwemNScDVteVEKA6fibq6Ozwrz/tg9Hrx4bH9LCadmW5fR + IkFalgD7nqew8KwS0keyKFk93i2p6sTDZPy2/t+WryMXBIc/y0iQ5Q== -----END AGE ENCRYPTED FILE----- lastmodified: "2026-02-01T22:31:04Z" mac: ENC[AES256_GCM,data:gtTuLmgVd5t1Eic+ld6x3pmAlv2+SVf4OgUICu78DJ9L1YCtmJ+LsqIoHFueMdQAmubPA8c4xYsHWCDu2dbrUDUs/79BF2u4P9lbNkJx5cco8bnPdy2tmkhcLwb0HwRduVIbgcm0wzYKUMd76Y0ChxdCddkrkk+PjXkUE7OBNg8=,iv:Eqhoc6GjB1NOnIIeRIdVoQNQm51DguH3vEX4zRUgeBE=,tag:V25oIemZpdJDMRFcZkH4bA==,type:str] diff --git a/secrets/keys.yaml b/secrets/keys.yaml index cca7f74..bf1c1de 100644 --- a/secrets/keys.yaml +++ b/secrets/keys.yaml 
@@ -51,38 +51,38 @@ sops: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRcXFhSU03M0U4azM5VnJV - UExReVBmRnpNaUx3WDViU2hLalpnbE4wTVFjCkkzQzhlVjcrVndaUmVRNUhmSWZT - RlByQUxSSWtNeDJiTEJMR2JhWG1MM2sKLS0tIC9mUDVhNUtQei9VN3dJdmVBK0Y2 - NDM5SFhNbWp0WWdMYVc4NC9HdHhSR2cKGj8ur7g1F5OTv+XKg5pmFiSMgAcNL3b8 - PjhyPcZqxCB4J8utMf8yxmZkVqbyd3UjZRBUUXSgzg/i1nx0GTGcDA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWRGVscDJsU0ErZ1VBRzVq + dE5aNUZvcmhVRHVjYUJFT09hdDd0UzhIS3hNCkRFRlphRXBTd3VFTE81RjJRaE5w + bzJSaCtsT0QwMkx2WDVyZ0FzeFphWk0KLS0tIGN5M0QyWmQ4Y3lCU0FXaU9vL0hv + MEp1ekxTdWp2b2g4dFd3OVNkUlZBMGMKzNGSzYgQsNW6HEvzTWmo73GShAAv/g8+ + h3/6n/ObqlKsjDyVFgiOYop3LWfwPMzmOhx4S0wsOHit0UxdyoJwWA== -----END AGE ENCRYPTED FILE----- - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1V0JUSk9FOUkrSzBmZFNY - M1JlZEMxSFVEV0d3NGttZFFrK0U3MWtlb1RBCjJQbmRGSVQ0M0p0NHdGK1ZHSlNo - TkVHS3lnN3VOUUNjTVI2V1B6bzlDb1EKLS0tIFRtdko2cjkzMlZyV1hRcWFnWFlv - TWVXMlpVUWJIZEhLOVVpblhwZjJDOGsKwgqjQZ1XzQNkFPItT+/gjBNnvxiYHbQ/ - JP/cse3TR7VsC5dq0SGCFY8zPBPiZPvuU+f9Bq9wfJWDG79CintBnQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUGFaaHFtVWl1cG1XdlRT + TUh0MHZTa0JhdDFSTVJZOWJBd0F0SWI0N2tNCkdnaG5DcXdDT3dqRVJDcjlsZ3Fz + ZFFaeTB4UTBQRVYzcldndm1RSjhCTzQKLS0tIDJySFIvbGpBd0l4RzYwVUd1MWpF + ZHhxdERrd3VNUGpTTlZUM25RYzJwSjAKG2DZUyomWm8Nxn6mPDKbBh1YsEUr642a + nGYxmuRVBVINbOB3gBPwgLeD+S2Vlm4vrC/u2761fTgm8KFLC+txpQ== -----END AGE ENCRYPTED FILE----- - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuaFFlM2M5ZHZIM3FNSEYv - bnlnbG01YWRPcFR1Z2tUNTdvSmdGZ0QrMjNZCkJPemFBYktBWldPWFdyVS9ZOVBv - ZU5zRWpqYXJ4MVVQdFdWcmQ4am5DSkkKLS0tIDNudUpUNnNJUHQyYTM3Y3pwb0FT - 
VUY1c0ZtWDA0THZ3ekVmUFl4ZjgvaHcKuyh3cIwboc2wxectPk0La0CLRX7VvaBR - XoBMk4PbfQLS1PuaavH+NLNAp3N7LmF9IlZBS3zFW26Dy1viqWbhFw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXTnc0N3JWUGk3cWV0QXNK + L0ZWM0I0NVlVbTdsZmdRall2V3FUTllidlJnCjQwbFJ1TjVNQjl3NURQenBDZVhy + QXEybkIvc0RnV1dNL1Rhem9GajhzY2cKLS0tIFk0Nm9JK2ZvenJsYVF2RUJLVzVL + bzFWRnFjd01wbDVrQnhlb3NYampEVEkKWl3/oymEX/TdMHyxE8mOopIwu4Kots27 + teyBmo6aVTAQ1zSxGDszI6kgK6PC3Z/WqaMaoJilGI6k8vCkOT3oMw== -----END AGE ENCRYPTED FILE----- - - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl + - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4T3krdSthSnhkVGk5RHg3 - MUVWdXVqM0o3LzZtSzFsZURiSGlLTEd6SlhNCllyaW5BcHZueDRGNlMwWTNaQTNC - bTBMRWFRSG42WVg0cU9CR1F5ZmpTQ1kKLS0tIFdDaGloemJNWUJWcCtOeUhnMmlQ - dklwODNxYVo4a2FaWDJFM0FnV1l3SlUKMnq/MAJRwR7iEri2KomPrMj0gTkMyhzH - P5E4zheU7chJTAz5jf6iecyOvKAt6q5g9Q1MU0D6dkOcv2gzWSNAAw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtaG1Ea0ZyZ1IrRGxEaUdw + TzlMRE84ZDBXRTNFWHcwNE81MDZlYStTZWdFCmxLbUxORFNVVHRGYXV4bDRvV1Ra + Rzg0YnpkaDJ3alhxalFFck10MjF4MG8KLS0tIDgwSEhReERtZHZ3U2RWcnFaaHlI + UmQzNEJVVTVPRHFqVlAraTR2bHNOdmsKKCVCzZ10sEA7rGRCUxbpYlaR6Y2jZvho + THbZe5MHY1a44L2XQSZe3I+1qOVBWVSL10KYTjJIBTxoeBtjlQJAVQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2026-02-03T21:56:09Z" mac: ENC[AES256_GCM,data:Bnjo3TFYoGbtB8HF1i+ZQLlfeBMOjq14lu8oLRqcZ6Fx5Am0uuh+/PHClWZ/JX5suC0Kb81+aBHg2QTsLoB6zdUrRpaqa0CUxTDoGw8tpo8m6zLWvSggpYLAuRgTYqBZ0lVK1QxAi9+qVJQ5AIhYwSPrf2oq/Mpq4tFGUoG/tzM=,iv:8JqAeBVYnZM8A+CPAlKN+6SDty0XQ4AKEBJLGV8Q738=,tag:CQXE5QsfJMiI7UQoCfE3dQ==,type:str] diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index fea533d..e798d1d 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
@@ -19,38 +19,38 @@ sops: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSTFDNHN2cm5UMDkvb3h3 - RUs3aEIrZmlhQ3JvcCtKa09WUkRpZ1o4b3pnCmtiaUJnYUVWcFdpRk9vdmNQRjJT - R1NlMUJnRHQwdGRmQWJrc1NySmhPZW8KLS0tIFhnNmE4bGFUYW5GdVprc09PTTBt - N2VpQU5aeUJuRThyQVFwaEs3QnUwSDgKdgsuwN4/dfAVzXnJ7LPwhUpD8kuh3VxO - vB9iva29YN85E+CKZ7CryGdrnCy1a1fUC0YiAakbzQejon62fK2d5Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQTUEycms3ZkdMd3hpcXJz + R2pZZEc5STZ3dUdYbUdsSGJaRWI5TWNMK1RRCjVxR1pzY0ZVUmcwSjJFYktteWoz + YmlaVkFPRnZha3h5ckV1TVQyVWZKdGMKLS0tIFgvdWF5VEJwTTcwdXZ6SDRMU3BL + V2x6NlhyY0pmUVBsYmZITjArdjJRbEkKvzsJxs5EHR0uumwhZ36MhKuMS+WkogXU + nSVRQoc5TClzYwShY1ltHK+LCl0DlB4xFoMiO4GWwH1TySKe/ywpUQ== -----END AGE ENCRYPTED FILE----- - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQRnEvNzlxT0dWMDNZOEhS - TVpRSHpGM1JvZ0JQRW4zMXpXL3Rza3NiRVVNClovaGF0Z1hPdXltY3pTaGRKUTY2 - MGJtYmFqaDQ4THRRTE1rUURhR0N1Y1UKLS0tIGtOOUxVNTdFZGZ3TS8zdUJFWWxO - MG1yLzNRaTdmVEJaSnBlbGR0SjR0TlUK7iNC+uyUN3s5T7b1PD+BZ+LvlsKdOpbM - pA2P4ZaUcBXCOEonmG4LnflEyUDXrxBoTkswkpBpG/SowF+yXe0Fwg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQytNaUs1M0hiYi8vdDUx + V1NtZ3VGNFVjRHRWUzliR3M3Q2Z6K3RWSHo4ClQ1RE1PeHJ4REpubVJHb0lJcGJ2 + SEFvT2YvNWhMc2lneWR5NmRYc2pzVE0KLS0tIGxkRWRRRTNtVDUzVXh2L0lEa3RK + YjFSUDJHUjFUeVBFbUlKOS8ya1ZhMW8KssRH3/XT1iCVgV+6Sh25Axp0c96aHtVX + /HXN3AwTm0GJZCQnZsVIIPtoCzhUZSza+bzGZIZODYtgtCIxtdzVSw== -----END AGE ENCRYPTED FILE----- - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcU05d2R4a3k4Z2VGVlcr - VXJWeUZtWjZuY0lDM2dBNWFxbUxyaUdPVm1RCkxkNjFNbmh6L2ZMeitlY3ZwTEw4 - MUhTVnBLdmRVblFOa09nWTlXVHNIWHcKLS0tIC91aHR5d3JlRDlBWFJtWDNsNFUw - 
QjhiSVNRMlgwTTAvNmE4SDdQOS8rNVUKIYVulp/SpDmewQkotisfUsSZFh0r1eNB - 59ysWy09dse8Oed9lwMVMLI7B4DBT6CRWuefOU//urI/pB9itV6jvw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbkZpZFJCY21IRkJjNkRB + UEdEVlZhRWhRb1ZDMjJtMmpkUmpnY3ZvMGlFCnBLcHlkMWNyMy8wenYwT2pmRTZL + dWtiWFlaR1FrL21HQTFZM2N3a3BHYW8KLS0tIFlYZWVHb0VEeDU5NnRjbDk5M2po + K0xRRFhua09DRE04WUd6NlZuQldFbEEK2OgiawCbCtbrk8l45QdjVu8+VNWbrl4i + 3U9iwek30JkQSZaWBXaCZlWLvbKNjIMpwTtxDOhxmu4DUh3Hx6In/g== -----END AGE ENCRYPTED FILE----- - - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl + - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyazBBS0xKakE0Z0hHRnZo - R0VZUk5qSVF3L2NTb2p6Z29QMnp1MkIrVHowClJVZ3VzUTc4aDVha2tBUE93R2Nw - T29nakxRQkpidzlrdFZQTFlxMXFwOEkKLS0tIGJWRkdJaVpLWXBVNnZUQ2l3dm9Q - RmRyZldlMjUwMEdUUEpDS2JSa2tDTTAKp/pT+0cNnCuKVL+Z0fEMiw1PL9PB/nSM - QWVTo0Mt8Y6X0Xt0EAi9G5AYxADZ/mmEWPxB7RFgVAiMKtor5Gy1zw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySjBmaC9rREpUQ3BvWWNU + MWEvM3ZGb2RXZ0dMdWxLRTJCR2VSdyt5VUhBCjBvL3MxZ3pTaFQ4aGdZVnAxUmd3 + YUtoZkhEV01TU0drRUdDaFZ5M2tZLzAKLS0tIHpBL3NwV2NhN0QwcHdwbFpQWlZn + eUNjc2RPOUxLTGowTlRqN3lEdjRLU2cKTTEXmHyhnL/hZGDr8ONrmzdU6Or5xkKY + GHADDt+LCg8njcZom39Aj4kpCx+f7HlV65glKwr37vZ0sL9KE+O9+w== -----END AGE ENCRYPTED FILE----- lastmodified: "2026-01-16T15:38:39Z" mac: ENC[AES256_GCM,data:4xaoGvLq1UIdozNqQ7v+pORVPDCk+FZRsCRvZ3C5AZOwSaM+UfDYZcI32AI0K80yFyhVIrrjqylykvXghbpQGAju3mv7+7Tbn5p2gqXrB/m1FuyVe/ftw7SSn8FTGL14cdHuPPkQTvV/u7z1IfX4YAOEGqtWiEfOe4YoWT3xc3A=,iv:dygbKjQ0ljgBPyk2aEIa/Mpbs/At+UzuhYy8Sndx/nk=,tag:jYbROlRxeDxqF1YqrBGL8A==,type:str] diff --git a/secrets/wireguard.yaml b/secrets/wireguard.yaml index 602174b..10cfc70 100644 --- a/secrets/wireguard.yaml +++ b/secrets/wireguard.yaml 
@@ -13,38 +13,38 @@ sops: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlTXplR3BHYzl1bmxuSzlW - ZVQvTlg2amFnMCtTKzRoZXNYaXBNcmRyWGhZCmpLT1NqbGRtUFpxUzlTMFdYemRJ - ZXF6c2dhOG9LbXVkczU0N1RVK1lqajAKLS0tIHFmQ0FrbVQ2QldiUS9oT2J2RkU0 - N0pFQ095Uzdid2NmZXRVZ2l6N285bFUKG52XE8nf9GfESCfNfoP6L8GxLfvrihs4 - CaZSkRzkuZUsfBND0B2BX/UlrjVHWPQCYMqqTtMpLXoRSmRsvWYCTA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlemJmbnAwUHZHT3ozdWxH + Njh1ZFUvVW8zcVV6SGxrVW1IWW9ZUFBaTEh3CnJsMnFnM0d5YnBKWE5CT2Flang0 + TkNZb0xCY2c4Qk1kdXRkRXcvOU1TSW8KLS0tIE1VdGEraW03bnV4VEc5c0ZheFJ0 + MFJpVTlvTGJ0YXBKSnFFbXhEUEwwSmMKxOtHLbRw5e6dRW4jvqFLsl6UzKZ+mvfR + hwKJ4KEbXuCqwtPQEWk/pF0i4vzrgUP1Cp1Y7BxGGyK9ufyV/CCQIg== -----END AGE ENCRYPTED FILE----- - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdWpKeU90cTV6blNZckt0 - a2hpWms2b1ZuKzEwZUZFbEp0bFlPellVaHdVCkF5RENObjMvalJNc2FNYXk1UUxR - anE0SUI5ZWY5ZUlteVArSVN4T01DS2MKLS0tIEpDWDkzWm1mampQZDkwRCt5STVk - RHg4UklFQUp1KzFWRnpDOEIzRVJWZ2sKyS6bXtqJ3J7FrCyTa16Ithy2JS4HdkOg - NzTn/6RL+F61PLDGvEEa7Ypk/OGIjfJYxDQ5Sd9LODja47jIK5T6Aw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cnE5VENCMUxxOVZUdC9X + QWFMRytGamhaWENZY1Q4STR5L0Jsdk90SlUwCis4ekFWYmMwN2dESXMrVFNIamFG + RzhET2ZGdGN6b1V1ZHkyOCtDNzBWVjQKLS0tIEF1NGdoU2lqYVdIN3hwRk13SFpP + RHNOeDBlSHFpays2VkRuR2RxaGpYZ1EKwxZfRZthZHVuJe3D5pamCSxYo3hyaaVc + I0UvMDMgcDRZuEzV9g1ZEYnaVXg5InyOO0dDZuCYX/HZqTLPiaOIxg== -----END AGE ENCRYPTED FILE----- - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBueWZlTThKV1d5UEpJUVBE - SlFDMmFYSVREWXVvaDZYWk5TYXFRdTlpeVFZCnM4K3FYNk9hZ3R1K3c3Y0lURzZx - ZXdsWFNNSSt1VUtZdmRUUFdEK3BEdUkKLS0tIHB6ckZPMUkyM0ljK0RScWJSQlIz - 
UzVRQ3JzS1Q3N3EzTkhpNDZwZEtPbm8K0BzKOk9ljAnc5eydHfNha/QPfq9Eltfb - X/pNFkeW/b6FgLwo+3pc+NfgOFvpOuq7/bRWUCxGSJP/4w9+9q1a6A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaUhOcHV2TkYrZWxnOCtI + TzF1RVpFY3pSa1Y2MmJjVlpKcWZnWGtOOTJ3CmRnTUpyRms2aUtvS1ZvVXFsb0ZQ + U0RiYXM3S0RKQjVwL2hqYllhZENUdmsKLS0tIDNTRHR2ZU1VTzdNNXRDU0xkcTRM + ckowd2p5bitGYVhMNU9Qc0NUeFFJV3MKPKT1/06/fKpWPOMsRaU/fpyVUf7onWGB + 0P22NBzP1i5caqSrFnVVeyuhgYxabC4oUKVmjU5QIj1R8Rqh7gworw== -----END AGE ENCRYPTED FILE----- - - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl + - recipient: age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkV1Fsb3FMZGxGZ1A5dk9y - SllKMjZRby9KNzhVSUVpODh0MW1Ya1JzdzBjCjZmQUFoaCtTSS9ybE1hVjExaFVR - bWlKcFdlQmRIdEJrUE5jKzRlNFdQTVEKLS0tIEtMOW8xb2hLOGluMnVDaWxFMXQw - KzZFSWprL0l0MDdVdEVKbEV5eklZdTAK/1ZyGvElfp+LVloSR6aJUtvrgU0CrzaJ - SQtO7vc4oDedkiTz6LKySta+uyn3e17Jzdyy9nU2D/Q5X+CpKGP3cg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SHdHTDhKQzFUQVdqM0hW + Tm9QdVozaHViQVRuTExhV1BpdWYvY012enk0CmhjODlUN0FkNldGRG94bVFSTVBv + QUNWZmszRStZN24vZWhnajhIcWdXVDgKLS0tIG9ueVZsT29KRE1iM2oreWtGWGVC + SG40OS8wMHlKNmxQa0VScHQrU2NmT2sKt9xw/8jsgnV1cZndqYNiHvIf8VdEJYCl + UUJ1KPz9mvUx3ny+rK50FSD61U8PHEZm2UC0w+/qkZwRtCx21Ku6dw== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-09-08T00:14:52Z" mac: ENC[AES256_GCM,data:O2herKRy4k9ZMuPzzPF5QlBC2isXdRoIsbYLJ/6X7esxtxxgNuAljx4SCR6UMT7pl3G2E33cnnBEkuAIy6SMXOaZNfOuAEJXaCwpRwCXu26lrcTf6n7UdP36GWfIRsR4utD5/vv66ch6MqmQWkW7E5zydy5dOv+BJ4XS/50OUQs=,iv:TscYNQaeI+mBxyobxI1O4wUzRtA27pvjXz27kqMJhA0=,tag:zx/xrYAWJCxYz5HRTKzYfQ==,type:str] -- 2.51.2 From 47910ab3a0e4d30678a4840867def9f90535570a Mon Sep 17 00:00:00 2001 
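Review bot: the recipient swap in these five sops hunks (the first file shown here, then secrets/homepage.yaml, secrets/keys.yaml, secrets/secrets.yaml and secrets/wireguard.yaml) drops `age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl` and adds `age1ml3smrs5mwz4ds84gk0eyss86nwsmp07qh0npxsuae7lfwwpsghssavytw`, while `lastmodified` and `mac` appear only as unchanged context, so only the per-recipient wrapped data keys were rewritten and the plaintext values are unchanged. The series should state which host the retired recipient belonged to and whether its private key was destroyed: every earlier revision in the repository still carries the data key wrapped to the old recipient, so if that key is treated as exposed, the secret values themselves need rotating and not just the recipient list. A cheap consistency check before merging is that a fresh `sops updatekeys` run against the current `.sops.yaml` leaves all five files untouched, which confirms the recipient set on disk matches the policy.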
From: Danilo Reyes Date: Tue, 3 Feb 2026 17:52:53 -0600 Subject: [PATCH 11/12] vps hardware --- hosts/vps/configuration.nix | 1 + hosts/vps/hardware-configuration.nix | 41 ++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 hosts/vps/hardware-configuration.nix diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix index 2cb491e..a0a5c7f 100644 --- a/hosts/vps/configuration.nix +++ b/hosts/vps/configuration.nix @@ -5,6 +5,7 @@ }: { imports = [ + ./hardware-configuration.nix ../../config/base.nix ]; my = { diff --git a/hosts/vps/hardware-configuration.nix b/hosts/vps/hardware-configuration.nix new file mode 100644 index 0000000..f68c714 --- /dev/null +++ b/hosts/vps/hardware-configuration.nix @@ -0,0 +1,41 @@ +{ + lib, + modulesPath, + ... +}: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + boot = { + kernelModules = [ ]; + extraModulePackages = [ ]; + kernelParams = [ "console=ttyS0,19200n8" ]; + initrd.availableKernelModules = [ + "virtio_pci" + "virtio_scsi" + "ahci" + "sd_mod" + ]; + loader = { + timeout = 10; + grub = { + device = "nodev"; + forceInstall = true; + extraConfig = '' + serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1; + terminal_input serial; + terminal_output serial + ''; + }; + }; + }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/f222513b-ded1-49fa-b591-20ce86a2fe7f"; + fsType = "ext4"; + }; + swapDevices = [ + { + device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001"; + } + ]; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} -- 2.51.2 From f8456998451bc132a33ed97a7d4c9babad2f8a98 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Tue, 3 Feb 2026 19:53:15 -0600 Subject: [PATCH 12/12] meh --- specs/003-vps-image-migration/quickstart.md | 28 --------------------- 1 file changed, 28 deletions(-) delete mode 100644 specs/003-vps-image-migration/quickstart.md 
diff --git a/specs/003-vps-image-migration/quickstart.md b/specs/003-vps-image-migration/quickstart.md deleted file mode 100644 index 0f28190..0000000 --- a/specs/003-vps-image-migration/quickstart.md +++ /dev/null @@ -1,28 +0,0 @@ -# Quickstart: VPS Image Migration - -## Goal - -Provision a Linode-compatible VPS image, bootstrap secrets securely, and enable remote rebuilds. - -## Steps - -1. Build the vps image from the repository and confirm a Linode-compatible artifact is produced. -2. Provision a VPS from the image and verify network connectivity and remote access. -3. On first boot, allow the host to generate its own secrets bootstrap key material. -4. Enroll the host by adding its public key as a secrets recipient and re-encrypt required secrets. -5. Trigger a rebuild from an explicitly authorized operator machine to apply secrets and confirm core services start successfully. -6. Validate the remote rebuild workflow from an explicitly authorized operator machine. - -## Validation Checklist - -- vps boots with network connectivity and remote access. -- Secrets are available after enrollment and follow-up deployment. -- Remote rebuild completes from an explicitly authorized operator machine. -- Existing host and image builds complete after migration. - -## Validation Log - -- vps connectivity: pending -- secrets enrollment: pending -- remote rebuild: pending -- existing host/image builds: vps-linode build passed -- 2.51.2
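Review bot: in the new hosts/vps/hardware-configuration.nix, `fileSystems."/"` and `swapDevices` are pinned to `/dev/disk/by-uuid/f222513b-ded1-49fa-b591-20ce86a2fe7f` and `/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001`, the identifiers of the one disk this file was generated from; a host provisioned from the image this series is meant to build will only boot if the image build reproduces exactly those UUIDs. Either document that the image carries these UUIDs, or reference the root and swap devices by a stable path or a label set at image-build time. A short comment next to `forceInstall = true` with `device = "nodev"` and the `console=ttyS0,19200n8` serial settings saying why this provider needs them would also spare the next reader a guess.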
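Review bot: the commit message `meh` gives no reason for deleting specs/003-vps-image-migration/quickstart.md, and the removed file was the only place the validation log lived, with three of its four items still `pending` (vps connectivity, secrets enrollment, remote rebuild); only the existing host/image build is recorded as passed. Either keep the checklist until those items are closed or say in the message where the validation status now lives, so the series ends with a record of whether the remote rebuild from an explicitly authorized operator machine actually succeeded.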