diff --git a/flake.lock b/flake.lock index 104e540..e728e43 100644 --- a/flake.lock +++ b/flake.lock @@ -11,11 +11,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1682237245, - "narHash": "sha256-xbBR7LNK+d5Yi/D6FXQGc1R6u2VV2nwr/Df5iaEbOEQ=", + "lastModified": 1707771926, + "narHash": "sha256-PhWWmby82jm1ddLnQoC4sPcRBnn9tMRmqiwbsYdO8Ec=", "owner": "yaxitech", "repo": "ragenix", - "rev": "281f68c3d477904f79ff1cd5807a8c226cd80a50", + "rev": "2d9122fe28c15ca64770f192f7df97e13b1fb098", "type": "github" }, "original": { @@ -27,17 +27,19 @@ "agenix_2": { "inputs": { "darwin": "darwin", + "home-manager": "home-manager", "nixpkgs": [ "agenix", "nixpkgs" - ] + ], + "systems": "systems" }, "locked": { - "lastModified": 1682101079, - "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=", + "lastModified": 1703433843, + "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=", "owner": "ryantm", "repo": "agenix", - "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447", + "rev": "417caa847f9383e111d1397039c9d4337d024bf0", "type": "github" }, "original": { @@ -54,11 +56,11 @@ ] }, "locked": { - "lastModified": 1706241694, - "narHash": "sha256-OzgzZTpzNOYJGV3FYE8IXxRIAp4ht1FKMX71JXX/CHg=", + "lastModified": 1708200003, + "narHash": "sha256-F35dKFLG1fs/B6+Zi081mi8x2x8CARgrU/xeWSmY4l4=", "ref": "refs/heads/Development", - "rev": "bbb3e7d8ff657ec61b7b1c5d745a0eba30d76f4e", - "revCount": 70, + "rev": "acf0f3a8b17b8eb07166a17badde0d2a04cee778", + "revCount": 72, "type": "git", "url": "https://git.orion-technologies.io/blog/blog" }, 
@@ -69,26 +71,17 @@ }, "crane": { "inputs": { - "flake-compat": "flake-compat", - "flake-utils": [ - "agenix", - "flake-utils" - ], "nixpkgs": [ "agenix", "nixpkgs" - ], - "rust-overlay": [ - "agenix", - "rust-overlay" ] }, "locked": { - "lastModified": 1681680516, - "narHash": "sha256-EB8Adaeg4zgcYDJn9sR6UMjN/OHdIiMMK19+3LmmXQY=", + "lastModified": 1707685877, + "narHash": "sha256-XoXRS+5whotelr1rHiZle5t5hDg9kpguS5yk8c8qzOc=", "owner": "ipetkov", "repo": "crane", - "rev": "54b63c8eae4c50172cb50b612946ff1d2bc1c75c", + "rev": "2c653e4478476a52c6aa3ac0495e4dea7449ea0e", "type": "github" }, "original": { @@ -106,11 +99,11 @@ ] }, "locked": { - "lastModified": 1673295039, - "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "type": "github" }, "original": { @@ -122,16 +115,16 @@ }, "deploy-rs": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat", "nixpkgs": "nixpkgs", "utils": "utils" }, "locked": { - "lastModified": 1704875591, - "narHash": "sha256-eWRLbqRcrILgztU/m/k7CYLzETKNbv0OsT2GjkaNm8A=", + "lastModified": 1708091384, + "narHash": "sha256-dTGGw2y8wvfjr+J9CjQbfdulOq72hUG17HXVNxpH1yE=", "owner": "serokell", "repo": "deploy-rs", - "rev": "1776009f1f3fb2b5d236b84d9815f2edee463a9b", + "rev": "0a0187794ac7f7a1e62cda3dabf8dc041f868790", "type": "github" }, "original": { @@ -147,11 +140,11 @@ ] }, "locked": { - "lastModified": 1706491084, - "narHash": "sha256-eaEv+orTmr2arXpoE4aFZQMVPOYXCBEbLgK22kOtkhs=", + "lastModified": 1708143835, + "narHash": "sha256-SRGi47kleiyNVQlR9mxp9Ux2t2SLy7Nm3L6b3UKjH2c=", "owner": "nix-community", "repo": "disko", - "rev": "f67ba6552845ea5d7f596a24d57c33a8a9dc8de9", + "rev": "4d81082b2c37a6e1e181cc9f589b5b657774bd63", "type": "github" }, "original": { 
@@ -161,22 +154,6 @@ } }, "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { "flake": false, "locked": { "lastModified": 1696426674, @@ -192,7 +169,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1687265871, @@ -210,14 +187,14 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { - "lastModified": 1681202837, - "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", "owner": "numtide", "repo": "flake-utils", - "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", "type": "github" }, "original": { @@ -228,7 +205,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1705309234, @@ -246,7 +223,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1705309234, @@ -262,6 +239,28 @@ "type": "github" } }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "impermanence": { "locked": { "lastModified": 1706639736, 
@@ -295,11 +294,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1706550542, - "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", + "lastModified": 1708118438, + "narHash": "sha256-kk9/0nuVgA220FcqH/D2xaN6uGyHp/zoxPNUmPCMmEE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", + "rev": "5863c27340ba4de8f83e7e3c023b9599c3cb3c80", "type": "github" }, "original": { @@ -315,7 +314,7 @@ "blog": "blog", "deploy-rs": "deploy-rs", "disko": "disko", - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_2", "flake-utils": "flake-utils_3", "impermanence": "impermanence", "nixpkgs": "nixpkgs_2" @@ -333,11 +332,11 @@ ] }, "locked": { - "lastModified": 1682129965, - "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=", + "lastModified": 1707703915, + "narHash": "sha256-Vej69igzNr3eVDca6+32uO+TXjVWx6ZUwwy3iZuzhJ4=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "2c417c0460b788328220120c698630947547ee83", + "rev": "e6679d2ff9136d00b3a7168d2bf1dff9e84c5758", "type": "github" }, "original": { @@ -406,9 +405,24 @@ "type": "github" } }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1701680307, diff --git a/flake.nix b/flake.nix index 28edcb1..623247e 100644 --- a/flake.nix +++ b/flake.nix 
@@ -5,9 +5,7 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; flake-utils.url = "github:numtide/flake-utils"; deploy-rs.url = "github:serokell/deploy-rs"; - impermanence = { - url = "github:nix-community/impermanence"; - }; + impermanence = { url = "github:nix-community/impermanence"; }; agenix = { url = "github:yaxitech/ragenix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -27,14 +25,15 @@ }; }; - - outputs = inputs @ { self, nixpkgs, deploy-rs, impermanence, agenix, disko, flake-utils, blog, ... }: + outputs = inputs@{ self, nixpkgs, deploy-rs, impermanence, agenix, disko + , flake-utils, blog, ... }: let lib = (import ./lib { lib = nixpkgs.lib; }) // nixpkgs.lib; persist-dir = "/persist"; defaults = { config = { - environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id"; + environment.etc.machine-id.source = + "${persist-dir}/ephemeral/etc/machine-id"; environment.persistence.save = { hideMounts = true; persistentStoragePath = "${persist-dir}/save"; 
@@ -42,59 +41,90 @@ environment.persistence.ephemeral = { persistentStoragePath = "${persist-dir}/ephemeral"; hideMounts = true; - directories = [ - "/var/lib" - "/var/log" - "/etc/nixos" - ]; + directories = [ "/var/lib" "/var/log" "/etc/nixos" ]; }; }; }; - in - { - nixosConfigurations.luna = - let - hostname = "luna"; - in - nixpkgs.lib.nixosSystem - { - system = "x86_64-linux"; - specialArgs = { - inherit self; - inherit blog; - inherit flake-utils; - inherit inputs; - inherit hostname; - inherit nixpkgs; - inherit lib; - inherit persist-dir; - root-disk = "/dev/nvme0n1"; - fqdn = "orion-technologies.io"; - }; - modules = [ - defaults - impermanence.nixosModules.impermanence - agenix.nixosModules.default - disko.nixosModules.disko - { config = (import "${self}/secrets" { agenix = false; inherit lib; }).${hostname}; } - ./hosts/${hostname} - ]; + in { + nixosConfigurations = { + orion = let hostname = "orion"; + in nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { + inherit self; + inherit inputs; + inherit hostname; + inherit lib; + inherit persist-dir; + root-disk = "/dev/vda"; }; + modules = [ + defaults + impermanence.nixosModules.impermanence + agenix.nixosModules.default + disko.nixosModules.disko + { + config = (import "${self}/secrets" { + agenix = false; + inherit lib; + }).${hostname}; + } + ./hosts/${hostname} + ]; + }; + luna = let hostname = "luna"; + in nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { + inherit self; + inherit blog; + inherit flake-utils; + inherit inputs; + inherit hostname; + inherit nixpkgs; + inherit lib; + inherit persist-dir; + root-disk = "/dev/nvme0n1"; + fqdn = "orion-technologies.io"; + }; + modules = [ + defaults + impermanence.nixosModules.impermanence + agenix.nixosModules.default + disko.nixosModules.disko + { + config = (import "${self}/secrets" { + agenix = false; + inherit lib; + }).${hostname}; + } + ./hosts/${hostname} + ]; + }; + }; - deploy.nodes = { - luna = { - 
hostname = "luna.hosts.orion-technologies.io"; - fastConnection = true; - profiles = { - system = { - sshUser = "price"; - user = "root"; - path = - deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.luna; - }; - }; + deploy.nodes = { + orion = { + hostname = "boot"; + fastConnection = true; + profiles.system = { + sshUser = "price"; + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.orion; }; }; + luna = { + hostname = "luna.hosts.orion-technologies.io"; + fastConnection = true; + profiles.system = { + sshUser = "price"; + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.luna; + }; + }; + }; } // flake-utils.lib.eachDefaultSystem (system: let @@ -102,16 +132,19 @@ inherit system; overlays = [ agenix.overlays.default ]; }; - in - { - devShells.default = - pkgs.mkShell - { - packages = with pkgs; [ age age-plugin-yubikey pkgs.agenix nixos-rebuild pkgs.deploy-rs ]; - shellHook = '' - export RULES="$PWD/secrets/secrets.nix" - nix eval --json --file ./.nixd.nix > .nixd.json - ''; - }; + in { + devShells.default = pkgs.mkShell { + packages = with pkgs; [ + age + age-plugin-yubikey + pkgs.agenix + nixos-rebuild + pkgs.deploy-rs + ]; + shellHook = '' + export RULES="$PWD/secrets/secrets.nix" + nix eval --json --file ./.nixd.nix > .nixd.json + ''; + }; }); } \ No newline at end of file diff --git a/hosts/luna/os/fs.nix b/hosts/luna/os/fs.nix index 35ce300..5e3f457 100644 --- a/hosts/luna/os/fs.nix +++ b/hosts/luna/os/fs.nix @@ -21,7 +21,7 @@ }; }; - fileSystems."/persist".neededForBoot = true; + fileSystems."${persist-dir}".neededForBoot = true; disko.devices = { diff --git a/hosts/orion/default.nix b/hosts/orion/default.nix index da8cde7..079b447 100644 --- a/hosts/orion/default.nix +++ b/hosts/orion/default.nix 
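Review bot: `hostname = "boot";` in the new `deploy.nodes.orion` entry is a bare name, unlike luna's `luna.hosts.orion-technologies.io`, so deploy-rs will activate a root profile on whatever `boot` resolves to on the deploying machine; unless `boot` is a deliberate ssh_config alias, replace it with orion's real address before the node is used. The two `nixosSystem` bodies under `nixosConfigurations` are near-verbatim copies differing only in `specialArgs` and `root-disk`; a small `mkHost` helper in the `let` would keep the shared module list (`defaults`, impermanence, agenix, disko, the secrets import) in one place so the hosts cannot drift apart. The enclosing `outputs` function starts outside this hunk.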
@@ -1,9 +1,5 @@ { config, lib, nixpkgs, ... }: - { - imports = [ - ./modules - ./os/filesystem.nix - ]; - system.stateVersion = "23.11"; -} + imports = (lib.recurseFilesInDirs [ ./os ./modules ] ".nix"); + system.stateVersion = "24.05"; +} \ No newline at end of file diff --git a/hosts/orion/modules/default.nix b/hosts/orion/modules/default.nix deleted file mode 100644 index 4d7e0b2..0000000 --- a/hosts/orion/modules/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - imports = [ - ./audio.nix - ./bluetooth.nix - ./hardware.nix - ./networking.nix - ./nix.nix - ./power.nix - ./user.nix - ]; -} diff --git a/hosts/orion/modules/networking.nix b/hosts/orion/modules/networking.nix index b7ab170..b1823d5 100644 --- a/hosts/orion/modules/networking.nix +++ b/hosts/orion/modules/networking.nix @@ -66,7 +66,6 @@ in UseDNS = networks_dhcp_use_dns; }; }; - }; }; @@ -87,6 +86,7 @@ in networking = { hostName = "${hostname}"; wireless.iwd.enable = true; + useNetworkd = true; }; -} +} \ No newline at end of file diff --git a/hosts/orion/modules/services/openssh.nix b/hosts/orion/modules/services/openssh.nix new file mode 100644 index 0000000..d816617 --- /dev/null +++ b/hosts/orion/modules/services/openssh.nix 
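Review bot: `system.stateVersion` moves from `"23.11"` to `"24.05"` in the same host file; NixOS expects this value to stay at the release the system was first installed with, since it selects stateful defaults rather than what gets built. If orion is being reinstalled from scratch onto the new disko layout, say so next to the line so nobody reverts it: `# fresh install on the os/fs.nix disko layout; do not bump again`. `lib.recurseFilesInDirs [ ./os ./modules ] ".nix"` presumably imports every `.nix` file under those directories, so any helper or data file dropped there later becomes a NixOS module; worth noting in the same comment.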
@@ -0,0 +1,62 @@ +{ config, ... }: +{ + services.openssh = { + enable = true; + startWhenNeeded = true; + # We set the hostkeys manually so they persist through reboots + hostKeys = [ + { + path = (config.environment.persistence.ephemeral.persistentStoragePath + "/etc/ssh/ssh_host_ed25519_key"); + type = "ed25519"; + } + ]; + sftpFlags = [ + "-f AUTHPRIV" + "-l INFO" + ]; + extraConfig = '' + AllowUsers price + ''; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + GatewayPorts = "yes"; + LogLevel = "VERBOSE"; + KexAlgorithms = [ + "curve25519-sha256" + "curve25519-sha256@libssh.org" + "diffie-hellman-group-exchange-sha256" + ]; + Ciphers = [ + "chacha20-poly1305@openssh.com" + "aes256-gcm@openssh.com" + "aes128-gcm@openssh.com" + "aes256-ctr" + "aes192-ctr" + "aes128-ctr" + ]; + Macs = [ + "hmac-sha2-512-etm@openssh.com" + "hmac-sha2-256-etm@openssh.com" + "umac-128-etm@openssh.com" + ]; + }; + ports = [ + 2200 + ]; + banner = '' + ┌────────────────────────────────────────────────────┐ + │ Orion Technologies - Security Notice │ + │ ┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄ │ + │ UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED │ + │ │ + │ You must have written, explicit, authorized │ + │ permission to access or configure this device. │ + │ Unauthorized attempts and actions to access or use │ + │ this system may result in civil and/or criminal │ + │ penalties. All activities performed on this device │ + │ are logged and monitored. │ + └────────────────────────────────────────────────────┘ + ''; + }; +} \ No newline at end of file diff --git a/hosts/orion/modules/user.nix b/hosts/orion/modules/user.nix deleted file mode 100644 index 1b69a50..0000000 --- a/hosts/orion/modules/user.nix +++ /dev/null 
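Review bot: `GatewayPorts = "yes";` in the new `settings` block binds remote port forwards (`ssh -R`) to all of orion's interfaces instead of loopback, the opposite of sshd's default, so any account that can log in (here only `price`) can publish a forwarded service on the host's external address; unless that is intended, drop the line or use `GatewayPorts = "clientspecified";` so each forward must ask for it. `AllowUsers price` goes in through `extraConfig` as raw text; the typed `settings.AllowUsers = [ "price" ];` merges with anything another module sets instead of appending a second directive. The host key is read directly from `persistentStoragePath + "/etc/ssh/ssh_host_ed25519_key"`; the existing comment could also state what creates that file on a fresh install (presumably the NixOS module generates missing keys before the first connection is served — confirm), since `startWhenNeeded = true` means the first client triggers the start.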
@@ -1,37 +0,0 @@ -{ pkgs, user, ... }: - -let - user = "price"; -in -{ - programs = { - zsh.enable = true; - }; - - nixpkgs.config.allowUnfree = true; - - users.users = { - root.initialPassword = "pass"; - "${user}" = { - initialPassword = "pass"; - shell = pkgs.zsh; - isNormalUser = true; - description = "${user}"; - extraGroups = [ - "wheel" - "docker" - "nix-users" - "libvirt" - "log" - ]; - }; - }; - - environment.systemPackages = with pkgs; [ - ungoogled-chromium - wezterm - yamllint - stylua - eza - ]; -} diff --git a/hosts/orion/modules/users.nix b/hosts/orion/modules/users.nix new file mode 100644 index 0000000..c433482 --- /dev/null +++ b/hosts/orion/modules/users.nix @@ -0,0 +1,19 @@ +{ pkgs, user, config, ... }: { + security.sudo.wheelNeedsPassword = false; + users.users = { + root.hashedPasswordFile = config.age.secrets.users-root-pw.path; + price = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + shell = pkgs.bash; + hashedPasswordFile = config.age.secrets.users-price-pw.path; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkWsSntg1ufF40cALcIBA7WZhiU/f0cncqq0pcp+DZY openpgp:0x15993C90" + ]; + }; + }; + environment.persistence.ephemeral.users = { + price = { files = [ ".bash_history" ]; }; + root = { home = "/root"; files = [ ".bash_history" ]; }; + }; +} \ No newline at end of file diff --git a/hosts/orion/os/boot.nix b/hosts/orion/os/boot.nix new file mode 100644 index 0000000..1818c9d --- /dev/null +++ b/hosts/orion/os/boot.nix 
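Review bot: `security.sudo.wheelNeedsPassword = false;` on the second added line of users.nix gives every `wheel` member root without a password, so the single `openssh.authorizedKeys.keys` entry for `price` is effectively a root credential on orion and the hashed password in `users-root-pw` only guards local console login. That matches deploy-rs's `sshUser = "price"; user = "root";` in flake.nix, but it deserves an explicit comment: `# deploy-rs activates as price -> root over sudo; it must not prompt`. The `user` parameter in `{ pkgs, user, config, ... }` is no longer used (the deleted user.nix shadowed it with a `let`) and is not in orion's `specialArgs`, so drop it: `{ pkgs, config, ... }: {`.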
@@ -0,0 +1,73 @@ +{ modulesPath, pkgs, ... }: { + + # imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + kernelModules = [ "kvm-intel" ]; + kernelParams = [ "audit=1" ]; + extraModulePackages = [ ]; + initrd = { + availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + # availableKernelModules = + # [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usbhid" "rtsx_pci_sdmmc" ]; + # kernelModules = [ ]; + systemd = { + enable = true; + initrdBin = [ pkgs.libuuid pkgs.gawk ]; + services.rollback = { + description = "Rollback btrfs root subvolume"; + wantedBy = [ "initrd.target" ]; + before = [ "sysroot.mount" ]; + after = [ "initrd-root-device.target" ]; + unitConfig.DefaultDependencies = "no"; + serviceConfig.Type = "oneshot"; + script = '' + mkdir -p /mnt + DISK_LABEL="NixOS-Primary" + FOUND_DISK=0 + ATTEMPTS=50 + printf "Attempting to find disk with label '%s'\n" "$DISK_LABEL" + while ((ATTEMPTS > 0)); do + if findfs LABEL="$DISK_LABEL"; then + FOUND_DISK=1 + printf "Found disk!\n" + break; + fi + ((ATTEMPTS--)) + sleep .1 + printf "Remaining disk discovery attempts: %s\n" "$ATTEMPTS" + done + if (( FOUND_DISK == 0 )); then + printf "Discovery of disk with label '%s' failed! Cannot rollback!\n" "$DISK_LABEL" + exit 1 + fi + + mount -t btrfs -o subvol=/ $(findfs LABEL="$DISK_LABEL") /mnt + btrfs subvolume list -to /mnt/root \ + | awk 'NR>2 { printf $4"\n" }' \ + | while read subvol; do + printf "Removing Subvolume: %s\n" "$subvol"; + btrfs subvolume delete "/mnt/$subvol" + done + + printf "Removing /root subvolume\n" + btrfs subvolume delete /mnt/root + + printf "Restoring base /root subvolume\n" + btrfs subvolume snapshot /mnt/root-base /mnt/root + + umount /mnt + ''; + }; + }; + }; + }; + +} \ No newline at end of file 
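Review bot: In the rollback script, `awk 'NR>2 { printf $4"\n" }'` uses each subvolume path as the printf format string, so a path containing `%` is mangled and the following `btrfs subvolume delete` acts on the wrong name; `awk 'NR>2 { print $4 }'` prints it literally, and `while read -r subvol; do` keeps backslashes intact. `$(findfs LABEL="$DISK_LABEL")` on the mount line is unquoted, and looking the device up by label only works once the LUKS volume that fs.nix names `crypted` is open and could also match another attached btrfs device carrying the same label; mounting `/dev/mapper/crypted` directly would be deterministic and remove the need for the 50-attempt poll. The unit deletes every subvolume below `root` and recreates it from `root-base`, which fs.nix snapshots at install time; a comment at `services.rollback` stating that only the `nix` and `persist` subvolumes survive a boot would make the destructive intent explicit.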
diff --git a/hosts/orion/os/default.nix b/hosts/orion/os/default.nix new file mode 100644 index 0000000..63130c3 --- /dev/null +++ b/hosts/orion/os/default.nix @@ -0,0 +1,6 @@ +{ modulesPath, ... }: + +{ + zramSwap.enable = true; +} + diff --git a/hosts/orion/os/filesystem.nix b/hosts/orion/os/filesystem.nix deleted file mode 100644 index de1c23e..0000000 --- a/hosts/orion/os/filesystem.nix +++ /dev/null @@ -1,78 +0,0 @@ -{ config, lib, pkgs, modulesPath, ... }: -{ - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot = { - initrd = { - availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; - kernelModules = [ ]; - luks.devices = { - "luksroot" = { - device = "/dev/disk/by-label/NixOS-Crypt"; - allowDiscards = true; - }; - }; - }; - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - kernelModules = [ "kvm-intel" ]; - extraModulePackages = [ ]; - }; - - zramSwap.enable = true; - - fileSystems = { - "/" = { - device = "none"; - fsType = "tmpfs"; - options = [ "defaults" "noatime" "mode=755" ]; - }; - - "/boot" = { - device = "/dev/disk/by-label/NixOS-Boot"; - fsType = "vfat"; - options = [ "defaults" "noatime" ]; - depends = [ "/" ]; - }; - - "/nix" = { - device = "/dev/disk/by-label/NixOS-Primary"; - fsType = "btrfs"; - options = [ "subvol=@nix" "compress=zstd" "noatime" ]; - }; - }; - - - environment.persistence = { - "/nix/persist" = { - hideMounts = true; - directories = [ - "/var/lib" - "/var/log" - "/etc/nixos" - ]; - files = [ - "/etc/machine-id" - "/etc/nix/id_rsa" - ]; - users.price = { - directories = [ - "Git" - "ISOs" - "Downloads" - "Keep" - "Notes" - ".local/share" - { directory = ".gnupg"; mode = "0700"; } - { directory = ".ssh"; mode = "0700"; } - ]; - files = [ - ".zsh_history" - ]; - }; - }; - }; -} diff --git a/hosts/orion/os/fs.nix b/hosts/orion/os/fs.nix new file mode 100644 index 0000000..d0a91bf --- /dev/null +++ b/hosts/orion/os/fs.nix 
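Review bot: `{ modulesPath, ... }:` in the new os/default.nix binds an argument the file never uses; `{ ... }:` is enough, and the trailing empty added line suggests the file ends with a blank line the formatter used elsewhere in this commit would drop. The deleted filesystem.nix persisted `Git`, `ISOs`, `Downloads`, `Keep`, `Notes`, `.local/share`, `.gnupg` and `.ssh` for `price` under `/nix/persist`; the new users.nix only persists `.bash_history`, so confirm that dropping the per-user directories (and the `luksroot` device name) is intended rather than lost in the rewrite.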
@@ -0,0 +1,75 @@ +{ modulesPath, config, lib, root-disk, persist-dir, ... }: { + services = { + fstrim.enable = true; + btrfs.autoScrub = { + enable = true; + fileSystems = [ "/" "/nix" "/persist" ]; + }; + snapper = { + # NOTE: According to `snapper-config(5)` the default timeline count for all timelines is 10 + # (see TIMELINE_LIMIT_HOURLY, ...DAILY, etc.) + configs.persist = { + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + SUBVOLUME = "${persist-dir}"; + }; + }; + }; + + fileSystems."${persist-dir}".neededForBoot = true; + + disko.devices = { + disk.${lib.removePrefix "/dev/" root-disk} = { + type = "disk"; + device = "${root-disk}"; + content = { + type = "gpt"; + partitions = { + esp = let label = "NixOS-Boot"; + in { + priority = 1; + size = "512M"; + type = "EF00"; + content = { + extraArgs = [ "-n ${label}" "-F 32" ]; + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" "defaults" ]; + }; + }; + root = let label = "NixOS-Primary"; + in { + size = "100%"; + content = { + type = "luks"; + name = "crypted"; + settings = { allowDiscards = true; }; + content = { + type = "btrfs"; + extraArgs = [ "-f" "--label ${label}" ]; + postCreateHook = '' + MOUNT="$(mktemp -d)" + mount "/dev/disk/by-label/${label}" "$MOUNT" -o subvol=/ + trap 'umount $MOUNT; rm -rf $MOUNT' EXIT + btrfs subvolume snapshot -r "$MOUNT/root" "$MOUNT/root-base" + ''; + subvolumes = { + "/root" = { mountpoint = "/"; }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/persist" = { + mountpoint = "/persist"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} \ No newline at end of file diff --git a/hosts/orion/os/hardware.nix b/hosts/orion/os/hardware.nix new file mode 100644 index 0000000..3c38abe --- /dev/null +++ b/hosts/orion/os/hardware.nix 
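Review bot: The persist mountpoint is written both as `persist-dir` (`SUBVOLUME`, `fileSystems."${persist-dir}"`) and as the literal `"/persist"` (`btrfs.autoScrub.fileSystems` and the `"/persist"` subvolume's `mountpoint`), so changing `persist-dir` in flake.nix would mount the subvolume at the old path while `neededForBoot` points at the new one; use `mountpoint = persist-dir;` and `fileSystems = [ "/" "/nix" persist-dir ];`. `"/"`, `"/nix"` and `"/persist"` are subvolumes of the same btrfs filesystem, so the three entries schedule three full scrubs of one device and one is enough. `settings = { allowDiscards = true; }` on the LUKS layer trades free-space confidentiality for TRIM on the SSD and deserves a comment, e.g. `# allowDiscards: TRIM passes through LUKS; the raw disk reveals which blocks are unused`. `modulesPath` and `config` in the argument set are unused.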
@@ -0,0 +1,6 @@ +{ lib, config, ... }: { + hardware.cpu.intel.updateMicrocode = + lib.mkDefault config.hardware.enableRedistributableFirmware; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + services.fstrim.enable = true; +} diff --git a/hosts/orion/pubkey.nix b/hosts/orion/pubkey.nix new file mode 100644 index 0000000..59f8876 --- /dev/null +++ b/hosts/orion/pubkey.nix @@ -0,0 +1 @@ +"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuypHJpFMaElzWO2QrPNF5o97LGJK/LckHuWvfwIFWI orion" \ No newline at end of file diff --git a/secrets/default.nix b/secrets/default.nix index e50ec34..cfeaea6 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -15,6 +15,14 @@ let gitea-db-pass = "${secrets}/gitea-db-pass.age"; gitea-runner-token = "${secrets}/gitea-runner-token.age"; }; + orion = + let + secrets = "orion"; + in + { + users-root-pw = "${secrets}/users-root-pw.age"; + users-price-pw = "${secrets}/users-price-pw.age"; + }; }; in if agenix then diff --git a/secrets/luna/gitea-db-pass.age b/secrets/luna/gitea-db-pass.age index 8f51e90..5d97e02 100644 --- a/secrets/luna/gitea-db-pass.age +++ b/secrets/luna/gitea-db-pass.age 
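Review bot: `services.fstrim.enable = true;` is set both here in hardware.nix and in the new os/fs.nix (same value, so the module system accepts it, but one copy is dead weight); keep it next to the other storage settings in fs.nix and drop it here. `hardware.cpu.intel.updateMicrocode` is keyed off `config.hardware.enableRedistributableFirmware`, which nothing in this diff sets; if microcode updates are meant to be on and no other module enables it, add `hardware.enableRedistributableFirmware = true;` beside it.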
@@ -1,8 +1,15 @@ -age-encryption.org/v1 --> ssh-ed25519 1fG0ow ItVCvyKKXcmZVvuomgGsRw91c1jQCLXGPkIh2VXvGFg -NjOqD/+g+6FvOqurcaKw5LrZpmc2Tlo277ZYkv3loWU --> piv-p256 rJs1HA AuseeP2+foV1YzNuU85cqXN/t/MxL1CSMfev9EBnn547 -ErXvkp3KKibgLNbOQmE3iM1CjgooVs/Nsup84i4U8ds ---- lWtn0ntT2K5N9LlQR69UYGyJvELufjKuEqnWceJWZdQ -{ ~et!p`8&nS W?JKYU 6?|IMQ0۸ssR,=??Oe{)^i - Agn4}(eQHU"^ؘ?}'*%,PgA Iy915Ut \ No newline at end of file +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyB5Sm54 +eEZVbVJZeENxVm5YWjBzNHlSRG1FTEJvRm5QU0pnU0RSSkVPMlFJCk1mTHQ2eUVs +WUFTa3hwM0Ivc0JnWjJPdUJLWTJxUnIrcVkxV29jQmF1R0EKLT4gcGl2LXAyNTYg +ckpzMUhBIEF5T2FReDJ6akp1MjBCMWlKTnV0NnFyZVY3b1hnbVhwZmhVN3c5TDVP +YW9DCkxUNk1lR1N4TzFHSGdLNERaQ2wxdXd4bjVtUWFKT1h1QWYwUVpjazZPUlEK +LT4gJjVRQU8tZ3JlYXNlIDpICkxWSHdOT0EwSVpXdzJoQmVEeHdIdGlxVEdXUk1w +MkoraTB5anIrUStOMGpMbEdpYkhadUliZTA1R0N1d3h1Y1IKWkc2NzVRCi0tLSBR +Y2cxTnB6bElHWHlMeXhxajhjeDF2TTJqMndJbjlNUWVUQ1c3QjhJTVdnChQsSDjC +IWGSOJD8wfLlou/BFvp7x/e/dobgW3FMazunhUqV5K09jp1Ak7nTeeyRDUz+Mpv5 +HaZqL6aCWNn6ZhprF+ZBZfYVyw7EdaCWNAFrR25DP8/JQrQ3lrJIoJZ3VF1a4y+l +55rLJIfBkho6HHycZ6hde8fo4lGUMhsSC2cKviMwa4FvMH3QpodOuN0h5PAX20mg +19uVVQnw4AOUgzm7QZ32Gesj8vORnQHQbFhERlooDuxTSrvnkpBztaxSTVPcv5d+ +wDf/rxP05UA= +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/luna/gitea-runner-token.age b/secrets/luna/gitea-runner-token.age index e0e07e2..f52778f 100644 --- a/secrets/luna/gitea-runner-token.age +++ b/secrets/luna/gitea-runner-token.age 
@@ -1,13 +1,13 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBlUHdp
-cVNLL1JFQklDckkzL0U3a0FDUVZOZWhwZG1naVJqNVpoRVd5cmpZCmwwQ2ZvaUNj
-Nlh1MFNGYU1JYlAxT0pUdkoxci9FTmJsZ1lSRDZkY3pPWjAKLT4gcGl2LXAyNTYg
-ckpzMUhBIEFocExaRzlJRTBraGExcU1SeDlwc0doeFg0bVM2UTcyMmM5M0dCd0FW
-RWdhCnQxRkxTMGsrR3NCMXpUK1cwWnloL21qUHZqSFU3bWxFS0VkclpYWXBnbFEK
-LT4gTShmXXkvUS1ncmVhc2UgNzVuKF4mMyArPCV3eUcgMmBERXtCKFIKSDF3bC9S
-ck12T2hJTVpoR0svcnlqVVBMYk1zc0tSdGlQL012T1hZYm1veGJSSVAveU15dFJH
-V3FRK0NmZXF1UwpaR25sTUhEZUJRaFQxbTF2cGFCUUJIdEZ4a1l1NFlGRHlzQ0RO
-NkFOcnhvVAotLS0geGp3WVlLUjg1RnB0cnB2MGJoRk9rRkFDcmFsUnpXRWhkekpP
-cWRpLzZiQQrrB7VhL4u7FMMZeSI9ruONPo9wpa77+JH8y/g8Dm5ORaxp+OAOihAP
-D25jGbe5+KgTU/wQb5piJLAB2PyBl+2z57RXPXquZ9eJ85L+rb00
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBYTndG
+b3pCWDA0T3hnMC9mOXlEaWRLMVpSbzhmeWliMVc2MElsekJhc2dVCmFicFY1WXAv
+ZEZNaUNLcE11V3pqZHBBWHZXTzRXTnBHN2h3a1R5ZkhzaFEKLT4gcGl2LXAyNTYg
+ckpzMUhBIEE3V2dzUkhYYmFTSHAvdlNmeUgvRENzbmV1N05QQUNoMlRMMjZPVy9w
+WmV0CjJsZFowa3d5dEpZTXF2c05tSkJEalc5bFJUNmxGdUZwQTlTQjVEQXJxSkUK
+LT4gQUZ3c2BxRS1ncmVhc2UKa0dwbElwS2NYaU5ubzdUSHpQR1RTWmFXOUxweStD
+Y0Z4emdFNHpIb2ViQnZmWFdnUVB3YU9CL3I2Vk1Nc2Y1MgpGdTFLeHNwVlBzd2la
+NTdNT1c2T05uQkpUT0t4c2ZSeFNiZ3ZXSzhzUXNHOUtUMDRKQyttQVF5QXB3Ci0t
+LSBqYUdhdGdqckRRcE5IS0EwTlZ1dEZlRm90TStiYkxzdTZabGV0VjlSK0N3Cu+b
+4KRcjCda0CxdH4Z2pw3ndhUU596wdGT7Py92uIiV3kdPLFgaUXHL8qMiAoC74o9T
+BzCx4IobN6ysTTSqT3awzFpJGt8Mqt4sjt1zEz4=
 -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/luna/gitlab-runner-reg-config.age b/secrets/luna/gitlab-runner-reg-config.age
index 9e9484a..75d1e6a 100644
--- a/secrets/luna/gitlab-runner-reg-config.age
+++ b/secrets/luna/gitlab-runner-reg-config.age
@@ -1,7 +1,14 @@ -age-encryption.org/v1 --> ssh-ed25519 1fG0ow oP4nP83S4Hjf4MScoNCBbE3i4Vnzz5XiuJqaLXzRbw0 -rNOkeT8FfDLCoUnghLs8/Fpzy4qINhhIhtgB3Ep3REc --> piv-p256 rJs1HA AiyT5IFnxwxoONmRezlvneUSYSEjglGeXYav8x7Xt+HB -JWAyCMNQNe0+LSRqdQV+f5PGixWMXFMf/wQmyoMEKNE ---- ZnfbHqBM/51+BXYGhcSzBN6k1UtZpKJshgmxrr2eFGo -?f$Ƃb t,$̐o8R;n!chzgl= 5OcBNJaH1ςu?QCfN{$MwLbs:+?ZC0 \ No newline at end of file +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBEUlZU +ckVzR0ZKTlBXREpNa050RWtXMUtPRkMxWmNTTWRDUGgwckdSZUFrCmUwMGIyZ0dn +a2k2UGszRkNScXFCTmJYbDBybHpyU3BVVUdCdFZtMU1sQUkKLT4gcGl2LXAyNTYg +ckpzMUhBIEEwbWdxYkhDaWdmcXV3QmwvSEV3WlR5Yy9manVkQllTVjhFcjdNcWRF +bldOCnFHbkdoZGZKMUQrMXNRSGMvalpMTHBkMm1kZTV1S1NmNndUVHVnUkhxVlUK +LT4gezRJVzwwVC1ncmVhc2UgNFhtO09BJG8KU0N0K2c0c1NUaHhFeTdQb1lnMlZL +K0ppVkpEU3M2R3dGWUxIdkE4OFBhZ2pwRmF3d1NERVB1QUhrVk9yYVZxcQo1bEpP +OTBpdW9rc3RwWGpOV0NCakJiZGhEdXFvQUIzNVg0WlJkZysybGlNCi0tLSBjOEUz +ZUNxQXJ1WWk2R1BWQUpLemJkTXZkYmhLYkJpMitVbHJVUWl0SzEwCh1AImuieRv+ +7+iqnBDVtJWT2qTv3X9wTRe0eyOWiYSpeXKiaIpUOf8K09n20dVHBFFSWZ5aRMhZ +pDqcj5ibodPGY7eJMgQhiAfzOVTxZo2oWyA4vmO9RRYbFKM6L6KHVP0vb+1n9cYp +GumKH5zthkXJmPNJECwTQ2Bf15ggbA+K +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/luna/users-price-pw.age b/secrets/luna/users-price-pw.age index 1a33018..e9da311 100644 --- a/secrets/luna/users-price-pw.age +++ b/secrets/luna/users-price-pw.age 
@@ -1,12 +1,14 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBxWWpi
-V2c2RkxLanlGYjZ6L2dPYmRHRWwxK0Q0aVNCakNzdFdtZ0k4dW1vCjcrQmptaGgz
-SmpOb2RFTUlYM1ZWc2U2RkF5eGJzWkI3ekk5RTJXLytHYmcKLT4gcGl2LXAyNTYg
-ckpzMUhBIEF4enp2K0FvSFlEWWowT3JSaGV0Rkd6WTlrMlRlZUlhK1B0bFRyWkhD
-dTJ1CklMcFlLYTMwQ2YyZUdEaHZ2ZW10VEN0NCsxWGJQL2JvZG40NGtobVE0TXcK
-LT4gZmtMNilcfS1ncmVhc2UgI3ZZX243IEkrUSRdblp6IC8KTC9FRERrUGNLTlJs
-SEEKLS0tIFVHQlovUTVTMk9WY0NwN0cycjJEa0p1L0h0R1BpNFh4am5TVWp4WU5L
-eGcKXXflLkUPB2sSYVNl+4O1QsWXEKtBItZbM7RP+glsuWQfHJBY133UzVMgXTy0
-4yvEcD/ixQaKpSIkeOM+bz0IWjyU0y+zL8opR5xX0AMGJZfeNemIZAo8KpmQsoXC
-7U0McvbgHkfakV1ONxYCgurPZPDW97Mk146oyU9bE/amgKh2MvNM14RmY4y2uw==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyA4VGhH
+VVZrUUE3SUg3SGNMTWdYUDROZFRqRW13WHVjQmpmWHVOdHFtakE0CkRiQ0VnQ215
+bU9XZDlMYWVtcEd1c09BYlFkcVZnL0xYLzd3akREdkxoMTQKLT4gcGl2LXAyNTYg
+ckpzMUhBIEEvSytKaU45NC9Pa3d2OWtFUWltdjdpM3cwRmhCOU5YRWlSNUFFZThP
+NWp3CjF5YzlYaU9jOFlsZ0xBWHdXS09TVHc4VVBxOGdoR3kxcjZnczY0cWhJRG8K
+LT4gOXN0LWdyZWFzZSAnSnVjMGpPdyBWbXN8WEkgcX1eQmFpClY3NlhUMFRyMURJ
+Wmw4d0plM3R4VzNCeXZnK29jbVl1NHc2ZjdCb1R5M2xEYlhXMFBTbVlHdngxb3hJ
+Y2lIdlAKVTF3Ci0tLSBZR216cXRYNmJ1ZHJ4RHlmaWdTcmpSR0cwMVpDVTh4QjBl
+Z013Uktsbjg4CnXf38il0oLVMjg7GwLmE6GCh4R3EJ7Bs6fPZLf7ktcCmy3FAiVQ
+nZ3nndURKmcvawZHCnnANYKxzILcwgF1eQrtV4Mf/giBJGQASu8zx/F7NIR1vXnt
+IOXiboxism7lhh2Za+qK0hdxaDsmXvB46kuxgtG0x2E3jC0NaANKFEmE+aS3iMTl
+q1cdOuM=
 -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/luna/users-root-pw.age b/secrets/luna/users-root-pw.age
index 577a78a..376fd15 100644
--- a/secrets/luna/users-root-pw.age
+++ b/secrets/luna/users-root-pw.age
@@ -1,7 +1,12 @@ -age-encryption.org/v1 --> ssh-ed25519 1fG0ow +SBbIzQJWyDWdD0tj2OWJ3dRLL2gHQsIGiAInsPwyBQ -GoWyi5Gnh19JavszjXPzAspL9aHzdoJSvYCIWMfaSEY --> piv-p256 rJs1HA A6Yi0bpMERl4TtMhIrJcqpr8Wp9kGwVcam4UFERNhWVz -PHzAZ115Ua58SKtTNIpVvNOwSJGvedwn7EozWCDnh7I ---- D0hr9/p2mwX7QizZ8UvEEttJZDwW9z4aTqrEOOc2m9s -Jx\]^Mghk>8b \ No newline at end of file +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBJbnRJ +MTl2TGR4OTQyV0VVSm9CQ0F3K24yZmRpK0xrODdHWDZTTUtyRFFvCjB1dnAzdkxu +REREamdiZmRqdmxSQm1ONHZiKzVpZnZBczFrcklJRnZzSDQKLT4gcGl2LXAyNTYg +ckpzMUhBIEFzMFRXOEJPUDIrb2N5MzdoQmZmR0VlQ285SnBxRk9heGh1SmxaYTJR +MmhECmhFV1BiL00xMFdpOHlublJHamhmOVVaODB5TE5uT2NCVE5Uc0l2SURWU1UK +LT4gWnxYO3RGLWdyZWFzZSBxVQoKLS0tIE13WGJqR0dpY0p3UlBkeWFVVm96M0Qw +Y0ttK0FGTHZDa1I2b0xCeE1aT1UK7DcEAWPiclnaKA9MZNtiIf89clLK3aADLgA1 +Dj3VvSYQbC2/GlS8KKpnB5KrwuMHEiCFk8QNzP3u5kmxtoxR88mxGgOczNoQu8Fd +2rDXEQGmt+1xt8mO4nj0THABrxvQTr1lYappdvmuT1w8py1ip4qTZWw2hv9kiCQ1 +Lu6rJssCAUEs/NWAWfD2Mg== +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/orion/users-price-pw.age b/secrets/orion/users-price-pw.age new file mode 100644 index 0000000..73442eb --- /dev/null +++ b/secrets/orion/users-price-pw.age 
@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNmNCtpdyA3UHl3
+QmhOR0tjcFErNVpJd1JNbzZoWmRmVEtiNFR3d0xia1dNOXd2WURVClc2S1laWDZ2
+Q2E0dU56RUVoN1RmS2lpazlnVFhEUkJyUnE4WmZ5OGNnL00KLT4gcGl2LXAyNTYg
+ckpzMUhBIEF0emdpQTkvaHoxakRIUHFNZnBKNzZoRkpmYzM3L09yeko5SW91ajRH
+dy9iCklwTFB5Z01pc1A0ZnRKVEFoYlZsQjBiL0l0cVVwcm13cnNHTEN1ZDZnV0UK
+LT4gfDZrMWtaPXEtZ3JlYXNlIHwrfV8geFY1Mz53Ogp3QTdqM0wyMGx4ZTNicEtP
+UktIYkpMLzhSaC9JSG9FeWNvNGlvQUF6VDE0bW5HSEUvVCs3L01FU2lnNVNqNysy
+Ckt0WFg5REJRdnZ0ZDF4T2I1eFRkb1ZLcjliWjNNNytxYk5RcWpKSDR6MUpsWURu
+OWdDQWlBQU9rWTk5RU9sQ28KblEKLS0tIEF6Skh4N0NWMVlZOXcyWVhiMUtWRXcv
+dUpNS2xnMHBRd1djbC92TUI5bFUK1ZM/H3yxgBVHspKrfNM6sag7ZiT+ZypSDouI
+RoNZBcEjQUarcS2Dxn4G9amAUor0gZcl9hlx3OQnG8HLrFLhryu/550aKeVJZxtV
+9AJdDMV2XuEqSEx+mjNeUwAc1nvO9nTC0YKwvFILtvJPPateLZhbGfOzba2UO4EM
+aoX5QgifkfqJx7ZZ9Qmb3Q==
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/orion/users-root-pw.age b/secrets/orion/users-root-pw.age
new file mode 100644
index 0000000..2f1f4e3
--- /dev/null
+++ b/secrets/orion/users-root-pw.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNmNCtpdyA0T2Y3
+RjdlVHRGVzdTa2VmQ05tNFUvc2xVV1NxZ0xRV0JXOXRCa0V6ZHowCnVsaERWYjN5
+c2J3V3A1LzRqZUNUQWU0Y0ZMSkQ2OHRkRzJIY045L2VjQW8KLT4gcGl2LXAyNTYg
+ckpzMUhBIEFsMnJ3ZGhkNHRaTi9BNjk2MnBsMnprNE5CdEhTVGJJMHR4aG1CbVZJ
+WnhYClVvNUh6L1AvaERGb0pZVU1kUzZLWGNLSVo3NWZSQ0dZSFI2WDlxcFlpNDAK
+LT4gPmZIbidXYi4tZ3JlYXNlIEdLKDI4cmggSgpOWDVqak1iald1ZlRPcm05VVEv
+ZXhzMHE3RGo3SEs3blRMSHpoRU9QeFVpdENERXFnNE04NDBuMzEzSUhhRUw5Cjh3
+bUNYRkl4L1plQk5mRzZHSmtPUTZaMCswR052bndrbWpNL3lYRQotLS0gQ2pMTVBx
+VlZyaUFvc0NJOTFkZGVsZnJUYUlnVmdlem5SdFV4OGMvYUhvQQocxqI0TBwKWsSJ
+amGmeBJsUze1Rhlg9ErW7ei+dA//DuPIEK4nqCpwTNyhJGbBUBJKOW3plX2NyQwH
+ReC0GvHQRSxQWUyzPdDRefAhJpbFX/TB/TlB5k/iq3/BgXacLOuUtbkUWtPu0X+R
+jdYtCHiJGY5IuXrfhP4OZcPbVhVGEx67e5ca0RMbsAqJ
+-----END AGE ENCRYPTED FILE-----