From bdc6057689f33b456af0c59a20a54494f8d8f0be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= Date: Sat, 7 Feb 2026 18:41:49 +0100 Subject: [PATCH 1/3] hosts: decommission ca host and remove labmon Remove the step-ca host and labmon flake input now that ACME has been migrated to OpenBao PKI. Removed: - hosts/ca/ - step-ca host configuration - services/ca/ - step-ca service module - labmon flake input and module (no longer used) Updated: - flake.nix - removed ca host and labmon references - flake.lock - removed labmon input - rebuild-all.sh - removed ca from host list - CLAUDE.md - updated documentation Note: secrets/ca/ should be manually removed by the user. Co-Authored-By: Claude Opus 4.5 --- CLAUDE.md | 23 ++- flake.lock | 22 --- flake.nix | 16 -- hosts/ca/configuration.nix | 63 -------- hosts/ca/default.nix | 7 - rebuild-all.sh | 1 - services/ca/default.nix | 169 -------------------- services/ca/templates/ssh/ca.tpl | Bin 6656 -> 0 bytes services/ca/templates/ssh/config.tpl | 14 -- services/ca/templates/ssh/known_hosts.tpl | 4 - services/ca/templates/ssh/sshd_config.tpl | 4 - services/ca/templates/ssh/step_config.tpl | 11 -- services/ca/templates/ssh/step_includes.tpl | 1 - 13 files changed, 10 insertions(+), 325 deletions(-) delete mode 100644 hosts/ca/configuration.nix delete mode 100644 hosts/ca/default.nix delete mode 100644 services/ca/default.nix delete mode 100644 services/ca/templates/ssh/ca.tpl delete mode 100644 services/ca/templates/ssh/config.tpl delete mode 100644 services/ca/templates/ssh/known_hosts.tpl delete mode 100644 services/ca/templates/ssh/sshd_config.tpl delete mode 100644 services/ca/templates/ssh/step_config.tpl delete mode 100644 services/ca/templates/ssh/step_includes.tpl diff --git a/CLAUDE.md b/CLAUDE.md index 4e89ad6..546507f 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -92,7 +92,7 @@ Secrets are managed by OpenBao (Vault) using AppRole authentication. Most hosts `vault.secrets` option defined in `system/vault-secrets.nix` to fetch secrets at boot. Terraform manages the secrets and AppRole policies in `terraform/vault/`. -Legacy sops-nix is still present but only actively used by the `ca` host. Do not edit any +Legacy sops-nix is still present but no longer actively used. Do not edit any `.sops.yaml` or any file within `secrets/`. Ask the user to modify if necessary. ### Git Workflow @@ -210,7 +210,6 @@ The **lab-monitoring** MCP server can query Prometheus metrics via PromQL. The ` - `home-assistant` - Home automation metrics - `jellyfin` - Media server metrics - `loki` / `prometheus` / `grafana` - Monitoring stack self-metrics -- `step-ca` - Internal CA metrics - `pve-exporter` - Proxmox hypervisor metrics - `smartctl` - Disk SMART health (gunter) - `wireguard` - VPN metrics (http-proxy) @@ -316,14 +315,14 @@ The `current_rev` label contains the git commit hash of the deployed flake confi - `ns/` - DNS services (authoritative, resolver, zone generation) - `vault/` - OpenBao (Vault) secrets server - `actions-runner/` - GitHub Actions runner - - `http-proxy/`, `ca/`, `postgres/`, `nats/`, `jellyfin/`, etc. -- `/secrets/` - SOPS-encrypted secrets with age encryption (legacy, only used by ca) + - `http-proxy/`, `postgres/`, `nats/`, `jellyfin/`, etc. +- `/secrets/` - SOPS-encrypted secrets with age encryption (legacy, no longer used) - `/common/` - Shared configurations (e.g., VM guest agent) - `/docs/` - Documentation and plans - `plans/` - Future plans and proposals - `plans/completed/` - Completed plans (moved here when done) - `/playbooks/` - Ansible playbooks for fleet management -- `/.sops.yaml` - SOPS configuration with age keys (legacy, only used by ca) +- `/.sops.yaml` - SOPS configuration with age keys (legacy, no longer used) ### Configuration Inheritance 
@@ -340,7 +339,7 @@ All hosts automatically get: - Nix binary cache (nix-cache.home.2rjus.net) - SSH with root login enabled - OpenBao (Vault) secrets management via AppRole -- Internal ACME CA integration (ca.home.2rjus.net) +- Internal ACME CA integration (OpenBao PKI at vault.home.2rjus.net) - Daily auto-upgrades with auto-reboot - Prometheus node-exporter + Promtail (logs to monitoring01) - Monitoring scrape target auto-registration via `homelab.monitoring` options @@ -351,8 +350,7 @@ All hosts automatically get: Production servers: - `ns1`, `ns2` - Primary/secondary DNS servers (10.69.13.5/6) -- `ca` - Internal Certificate Authority -- `vault01` - OpenBao (Vault) secrets server +- `vault01` - OpenBao (Vault) secrets server + PKI CA - `ha1` - Home Assistant + Zigbee2MQTT + Mosquitto - `http-proxy` - Reverse proxy - `monitoring01` - Full observability stack (Prometheus, Grafana, Loki, Tempo, Pyroscope) @@ -371,7 +369,7 @@ Template hosts: - `nixpkgs` - NixOS 25.11 stable (primary) - `nixpkgs-unstable` - Unstable channel (available via overlay as `pkgs.unstable.`) -- `sops-nix` - Secrets management (legacy, only used by ca) +- `sops-nix` - Secrets management (legacy, no longer actively used) - `nixos-exporter` - NixOS module for exposing flake revision metrics (used to verify deployments) - `homelab-deploy` - NATS-based remote deployment tool for test-tier hosts - Custom packages from git.t-juice.club: @@ -399,10 +397,9 @@ Most hosts use OpenBao (Vault) for secrets: - Fallback to cached secrets in `/var/lib/vault/cache/` when Vault is unreachable - Provision AppRole credentials: `nix develop -c ansible-playbook playbooks/provision-approle.yml -e hostname=` -Legacy SOPS (only used by `ca` host): +Legacy SOPS (no longer actively used): - SOPS with age encryption, keys in `.sops.yaml` -- Shared secrets: `/secrets/secrets.yaml` -- Per-host secrets: `/secrets//` +- Files in `/secrets/` are legacy and can be removed ### Auto-Upgrade System 
@@ -558,7 +555,7 @@ Prometheus scrape targets are automatically generated from host configurations, - **External targets**: Non-flake hosts defined in `/services/monitoring/external-targets.nix` - **Library**: `lib/monitoring.nix` provides `generateNodeExporterTargets` and `generateScrapeConfigs` -Service modules declare their scrape targets directly via `homelab.monitoring.scrapeTargets` (e.g., `services/ca/default.nix` declares step-ca on port 9000). The Prometheus config on monitoring01 auto-generates scrape configs from all hosts. See "Homelab Module Options" section for available options. +Service modules declare their scrape targets directly via `homelab.monitoring.scrapeTargets`. The Prometheus config on monitoring01 auto-generates scrape configs from all hosts. See "Homelab Module Options" section for available options. To add monitoring targets for non-NixOS hosts, edit `/services/monitoring/external-targets.nix`. diff --git a/flake.lock b/flake.lock index 0cdaf48..63dbb4c 100644 --- a/flake.lock +++ b/flake.lock @@ -42,27 +42,6 @@ "url": "https://git.t-juice.club/torjus/homelab-deploy" } }, - "labmon": { - "inputs": { - "nixpkgs": [ - "nixpkgs-unstable" - ] - }, - "locked": { - "lastModified": 1748983975, - "narHash": "sha256-DA5mOqxwLMj/XLb4hvBU1WtE6cuVej7PjUr8N0EZsCE=", - "ref": "master", - "rev": "040a73e891a70ff06ec7ab31d7167914129dbf7d", - "revCount": 17, - "type": "git", - "url": "https://git.t-juice.club/torjus/labmon" - }, - "original": { - "ref": "master", - "type": "git", - "url": "https://git.t-juice.club/torjus/labmon" - } - }, "nixos-exporter": { "inputs": { "nixpkgs": [ @@ -119,7 +98,6 @@ "inputs": { "alerttonotify": "alerttonotify", "homelab-deploy": "homelab-deploy", - "labmon": "labmon", "nixos-exporter": "nixos-exporter", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", diff --git a/flake.nix b/flake.nix index fae0a17..1ccd4f0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,10 +13,6 @@ url = "git+https://git.t-juice.club/torjus/alerttonotify?ref=master"; inputs.nixpkgs.follows = "nixpkgs-unstable"; }; - labmon = { - url = "git+https://git.t-juice.club/torjus/labmon?ref=master"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; - }; nixos-exporter = { url = "git+https://git.t-juice.club/torjus/nixos-exporter"; inputs.nixpkgs.follows = "nixpkgs-unstable"; @@ -34,7 +30,6 @@ nixpkgs-unstable, sops-nix, alerttonotify, - labmon, nixos-exporter, homelab-deploy, ... @@ -50,7 +45,6 @@ commonOverlays = [ overlay-unstable alerttonotify.overlays.default - labmon.overlays.default ]; # Common modules applied to all hosts commonModules = [ @@ -131,15 +125,6 @@ ./hosts/http-proxy ]; }; - ca = nixpkgs.lib.nixosSystem { - inherit system; - specialArgs = { - inherit inputs self sops-nix; - }; - modules = commonModules ++ [ - ./hosts/ca - ]; - }; monitoring01 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { @@ -147,7 +132,6 @@ }; modules = commonModules ++ [ ./hosts/monitoring01 - labmon.nixosModules.labmon ]; }; jelly01 = nixpkgs.lib.nixosSystem { diff --git a/hosts/ca/configuration.nix b/hosts/ca/configuration.nix deleted file mode 100644 index d20c608..0000000 --- a/hosts/ca/configuration.nix +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - pkgs, - ... -}: - -{ - imports = [ - ../template/hardware-configuration.nix - - ../../system - ../../common/vm - ]; - - nixpkgs.config.allowUnfree = true; - # Use the systemd-boot EFI boot loader. - boot.loader.grub = { - enable = true; - device = "/dev/sda"; - configurationLimit = 3; - }; - - networking.hostName = "ca"; - networking.domain = "home.2rjus.net"; - networking.useNetworkd = true; - networking.useDHCP = false; - services.resolved.enable = true; - networking.nameservers = [ - "10.69.13.5" - "10.69.13.6" - ]; - - systemd.network.enable = true; - systemd.network.networks."ens18" = { - matchConfig.Name = "ens18"; - address = [ - "10.69.13.12/24" - ]; - routes = [ - { Gateway = "10.69.13.1"; } - ]; - linkConfig.RequiredForOnline = "routable"; - }; - time.timeZone = "Europe/Oslo"; - - nix.settings.experimental-features = [ - "nix-command" - "flakes" - ]; - nix.settings.tarball-ttl = 0; - environment.systemPackages = with pkgs; [ - vim - wget - git - ]; - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - networking.firewall.enable = false; - - system.stateVersion = "23.11"; # Did you read the comment? -} diff --git a/hosts/ca/default.nix b/hosts/ca/default.nix deleted file mode 100644 index 382bd43..0000000 --- a/hosts/ca/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ../../services/ca - ]; -} diff --git a/rebuild-all.sh b/rebuild-all.sh index a4fa0a4..5dc14ab 100755 --- a/rebuild-all.sh +++ b/rebuild-all.sh @@ -5,7 +5,6 @@ set -euo pipefail HOSTS=( "ns1" "ns2" - "ca" "ha1" "http-proxy" "jelly01" diff --git a/services/ca/default.nix b/services/ca/default.nix deleted file mode 100644 index b5759a0..0000000 --- a/services/ca/default.nix +++ /dev/null 
@@ -1,169 +0,0 @@ -{ pkgs, unstable, ... }: -{ - homelab.monitoring.scrapeTargets = [{ - job_name = "step-ca"; - port = 9000; - }]; - sops.secrets."ca_root_pw" = { - sopsFile = ../../secrets/ca/secrets.yaml; - owner = "step-ca"; - path = "/var/lib/step-ca/secrets/ca_root_pw"; - }; - sops.secrets."intermediate_ca_key" = { - sopsFile = ../../secrets/ca/keys/intermediate_ca_key; - format = "binary"; - owner = "step-ca"; - path = "/var/lib/step-ca/secrets/intermediate_ca_key"; - }; - sops.secrets."root_ca_key" = { - sopsFile = ../../secrets/ca/keys/root_ca_key; - format = "binary"; - owner = "step-ca"; - path = "/var/lib/step-ca/secrets/root_ca_key"; - }; - sops.secrets."ssh_host_ca_key" = { - sopsFile = ../../secrets/ca/keys/ssh_host_ca_key; - format = "binary"; - owner = "step-ca"; - path = "/var/lib/step-ca/secrets/ssh_host_ca_key"; - }; - sops.secrets."ssh_user_ca_key" = { - sopsFile = ../../secrets/ca/keys/ssh_user_ca_key; - format = "binary"; - owner = "step-ca"; - path = "/var/lib/step-ca/secrets/ssh_user_ca_key"; - }; - - services.step-ca = { - enable = true; - package = pkgs.step-ca; - intermediatePasswordFile = "/var/lib/step-ca/secrets/ca_root_pw"; - address = "0.0.0.0"; - port = 443; - settings = { - metricsAddress = ":9000"; - authority = { - provisioners = [ - { - claims = { - enableSSHCA = true; - maxTLSCertDuration = "3600h"; - defaultTLSCertDuration = "48h"; - }; - encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g"; - 
key = { - alg = "ES256"; - crv = "P-256"; - kid = "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE"; - kty = "EC"; - use = "sig"; - x = "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo"; - y = "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0"; - }; - name = "ca@home.2rjus.net"; - type = "JWK"; - } - { - name = "acme"; - type = "ACME"; - claims = { - maxTLSCertDuration = "3600h"; - defaultTLSCertDuration = "1800h"; - }; - } - { - claims = { - enableSSHCA = true; - }; - name = "sshpop"; - type = "SSHPOP"; - } - ]; - }; - crt = "/var/lib/step-ca/certs/intermediate_ca.crt"; - db = { - badgerFileLoadingMode = ""; - dataSource = "/var/lib/step-ca/db"; - type = "badgerv2"; - }; - dnsNames = [ - "ca.home.2rjus.net" - "10.69.13.12" - ]; - federatedRoots = null; - insecureAddress = ""; - key = "/var/lib/step-ca/secrets/intermediate_ca_key"; - logger = { - format = "text"; - }; - root = "/var/lib/step-ca/certs/root_ca.crt"; - ssh = { - hostKey = "/var/lib/step-ca/secrets/ssh_host_ca_key"; - userKey = "/var/lib/step-ca/secrets/ssh_user_ca_key"; - }; - templates = { - ssh = { - host = [ - { - comment = "#"; - name = "sshd_config.tpl"; - path = "/etc/ssh/sshd_config"; - requires = [ - "Certificate" - "Key" - ]; - template = ./templates/ssh/sshd_config.tpl; - type = "snippet"; - } - { - comment = "#"; - name = "ca.tpl"; - path = "/etc/ssh/ca.pub"; - template = ./templates/ssh/ca.tpl; - type = "snippet"; - } - ]; - user = [ - { - comment = "#"; - name = "config.tpl"; - path = "~/.ssh/config"; - template = ./templates/ssh/config.tpl; - type = "snippet"; - } - { - comment = "#"; - name = "step_includes.tpl"; - path = "\${STEPPATH}/ssh/includes"; - template = ./templates/ssh/step_includes.tpl; - type = "prepend-line"; - } - { - comment = "#"; - name = "step_config.tpl"; - path = "ssh/config"; - template = ./templates/ssh/step_config.tpl; - type = "file"; - } - { - comment = "#"; - name = "known_hosts.tpl"; - path = "ssh/known_hosts"; - template = ./templates/ssh/known_hosts.tpl; - type = "file"; 
- } - ]; - }; - }; - tls = { - cipherSuites = [ - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" - ]; - maxVersion = 1.3; - minVersion = 1.2; - renegotiation = false; - }; - }; - }; -} diff --git a/services/ca/templates/ssh/ca.tpl b/services/ca/templates/ssh/ca.tpl deleted file mode 100644 index 5b459eed893ebf348066427ecdf94b4bd602ad91..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6656 zcmeHL+iK%55Y21y6@#HKg*X?x3G``q1KlpAw2&_QVkoMt)TWN*m6UBlnt$)e%FRxi zOOvn^YzVQfnUQp?Gdd$FgBs;=FMPID5|vJJ)$wY%Zb|>+mH)4|S{J2;+io^n*y><= zqv^Qy64XyJnq1InU4 z1y)V>phVce7pxZ!!RlPg{55_Ia3#o-BmqtOP5gHn?HvCd*KHL1KjLTpFw{57gsPH( z3b+W>2+mO+2Mwb?1xdpCX=;Iw?xQ*M4H3Ai!_d(@%E|ZvY1XYg&^@W zgKW?%<}*PQ^D(+ayS2ku^t!zhW;pWUJd1|)2x$J}&wo6j2-wE|M%&Hv-??xL{;&UH z$9;QC6b*nxQKkGKPzy0%@Bf|enwL;xil+N8C3Z4+s+4s;=wQMKdm%;kE(|bfq`G0L zQA>eo{#doc@RP}LXHrD_3<4?tG2Q=1{x=+FmH${06#D-&A9PP2!+$np6f9(a0=OW6 z28_N`wIIwW;0})!8!A-EP_5#Akv_~t{-RYonf(~f0wdkAwlE1oXNgq9r#G{-p&zDd zVY-p;SCEu-fEz7ib;glbVU(61d2Q|C-tQ9>5S>f!k12D!?g-K7 zJ57)FeH-C{8ihGNiFTsK=|F@s?l_o#p$xI=(ikDg*wOsO9O$goGS~v~hO;DFEbRtO zn&vk^^R?z)h{0Xcz&!uYO6?O=fZOz6v$azHwVh^>|9Aa{huH0vXV;(X?0xQHN)0?7 l!fnDF=`01#=WL@t(-TVLaqJV2L(nUH3j_)T3Ix6`0`FCIy=?#h diff --git a/services/ca/templates/ssh/config.tpl b/services/ca/templates/ssh/config.tpl deleted file mode 100644 index 4b9ddf1..0000000 --- a/services/ca/templates/ssh/config.tpl +++ /dev/null @@ -1,14 +0,0 @@ -Host * -{{- if or .User.GOOS "none" | eq "windows" }} -{{- if .User.StepBasePath }} - Include "{{ .User.StepBasePath | replace "\\" "/" | trimPrefix "C:" }}/ssh/includes" -{{- else }} - Include "{{ .User.StepPath | replace "\\" "/" | trimPrefix "C:" }}/ssh/includes" -{{- end }} -{{- else }} -{{- if .User.StepBasePath }} - Include "{{.User.StepBasePath}}/ssh/includes" -{{- else }} - Include "{{.User.StepPath}}/ssh/includes" -{{- end }} -{{- end }} \ No newline at end of file 
diff --git a/services/ca/templates/ssh/known_hosts.tpl b/services/ca/templates/ssh/known_hosts.tpl deleted file mode 100644 index 5354b38..0000000 --- a/services/ca/templates/ssh/known_hosts.tpl +++ /dev/null @@ -1,4 +0,0 @@ -@cert-authority * {{.Step.SSH.HostKey.Type}} {{.Step.SSH.HostKey.Marshal | toString | b64enc}} -{{- range .Step.SSH.HostFederatedKeys}} -@cert-authority * {{.Type}} {{.Marshal | toString | b64enc}} -{{- end }} diff --git a/services/ca/templates/ssh/sshd_config.tpl b/services/ca/templates/ssh/sshd_config.tpl deleted file mode 100644 index c8e4b88..0000000 --- a/services/ca/templates/ssh/sshd_config.tpl +++ /dev/null @@ -1,4 +0,0 @@ -Match all - TrustedUserCAKeys /etc/ssh/ca.pub - HostCertificate /etc/ssh/{{.User.Certificate}} - HostKey /etc/ssh/{{.User.Key}} \ No newline at end of file diff --git a/services/ca/templates/ssh/step_config.tpl b/services/ca/templates/ssh/step_config.tpl deleted file mode 100644 index a0521f2..0000000 --- a/services/ca/templates/ssh/step_config.tpl +++ /dev/null @@ -1,11 +0,0 @@ -Match exec "step ssh check-host{{- if .User.Context }} --context {{ .User.Context }}{{- end }} %h" -{{- if .User.User }} - User {{.User.User}} -{{- end }} -{{- if or .User.GOOS "none" | eq "windows" }} - UserKnownHostsFile "{{.User.StepPath}}\ssh\known_hosts" - ProxyCommand C:\Windows\System32\cmd.exe /c step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p -{{- else }} - UserKnownHostsFile "{{.User.StepPath}}/ssh/known_hosts" - ProxyCommand step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p -{{- end }} diff --git a/services/ca/templates/ssh/step_includes.tpl b/services/ca/templates/ssh/step_includes.tpl deleted file mode 100644 index 5f79de6..0000000 
--- a/services/ca/templates/ssh/step_includes.tpl +++ /dev/null @@ -1 +0,0 @@ -{{- if or .User.GOOS "none" | eq "windows" }}Include "{{ .User.StepPath | replace "\\" "/" | trimPrefix "C:" }}/ssh/config"{{- else }}Include "{{.User.StepPath}}/ssh/config"{{- end }} \ No newline at end of file From aedccbd9a055d2e3394c64cd859a2107fc99b2e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= Date: Sat, 7 Feb 2026 18:46:24 +0100 Subject: [PATCH 2/3] flake: remove sops-nix (no longer used) All secrets are now managed by OpenBao (Vault). Remove the legacy sops-nix infrastructure that is no longer in use. Removed: - sops-nix flake input - system/sops.nix module - .sops.yaml configuration file - Age key generation from template prepare-host scripts Updated: - flake.nix - removed sops-nix references from all hosts - flake.lock - removed sops-nix input - scripts/create-host/ - removed sops references - CLAUDE.md - removed SOPS documentation Note: secrets/ directory should be manually removed by the user. Co-Authored-By: Claude Opus 4.5 --- .sops.yaml | 52 ----------------------------- CLAUDE.md | 12 +------ flake.lock | 23 +------------ flake.nix | 36 +++++++++----------- hosts/template/scripts.nix | 6 ---- hosts/template2/scripts.nix | 6 ---- scripts/create-host/create_host.py | 5 ++- scripts/create-host/manipulators.py | 2 +- system/default.nix | 1 - system/sops.nix | 7 ---- 10 files changed, 20 insertions(+), 130 deletions(-) delete mode 100644 .sops.yaml delete mode 100644 system/sops.nix diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index 6530cfe..0000000 --- a/.sops.yaml +++ /dev/null 
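Review bot: The `services/ca/default.nix` deletion retires more than the ACME provisioner. The removed config also ran an SSH CA (`enableSSHCA = true`, `ssh.hostKey` / `ssh.userKey`, and the `sshd_config.tpl` snippet that set `TrustedUserCAKeys /etc/ssh/ca.pub` and `HostCertificate`), yet the commit message only says ACME moved to OpenBao PKI. Either state in the message that SSH user and host certificates are no longer issued, or confirm that no host's `sshd_config` still trusts the step-ca user key and no client `known_hosts` still carries the `@cert-authority` line for its host key.

Review bot: Same file: the JWK provisioner's `encryptedKey` JWE and the intermediate/root key paths under `/var/lib/step-ca/secrets/` remain in git history after this delete, as do the SOPS blobs under `secrets/ca/keys/` that the message asks the user to remove by hand. Deleting the files only stops new deployments; treat the step-ca root and intermediate as retired and verify no trust store still carries `root_ca.crt` from `ca.home.2rjus.net` now that the CLAUDE.md hunk says every host integrates with OpenBao PKI at `vault.home.2rjus.net`.

Review bot: `hosts/ca/configuration.nix` removal frees `10.69.13.12` and the name `ca.home.2rjus.net`, but nothing in this patch touches the DNS zone generation under `services/ns/` that the CLAUDE.md tree listing describes. Check whether the A record is still generated; a stale name pointing at a freed address is cheap to clean up now.

Review bot: In the `flake.nix` hunk, `labmon.nixosModules.labmon` is dropped from `monitoring01` with no corresponding change under `hosts/monitoring01/`. If that host still sets any option the labmon module defined, evaluation fails with an undefined-option error; building `.#monitoring01` before merge would confirm it is clean.

Review bot: The CLAUDE.md hunk at line 210 removes `step-ca` from the metrics list. The scrape target itself disappears with the `homelab.monitoring.scrapeTargets` entry in the deleted module, but any Prometheus alert rule or Grafana dashboard on monitoring01 keyed on `job="step-ca"` is not touched here; worth a grep of `services/monitoring/` so an absent-target rule does not start paging.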
@@ -1,52 +0,0 @@ -keys: - - &admin_torjus age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u - - &server_ns1 age1hz2lz4k050ru3shrk5j3zk3f8azxmrp54pktw5a7nzjml4saudesx6jsl0 - - &server_ns2 age1w2q4gm2lrcgdzscq8du3ssyvk6qtzm4fcszc92z9ftclq23yyydqdga5um - - &server_ha1 age1d2w5zece9647qwyq4vas9qyqegg96xwmg6c86440a6eg4uj6dd2qrq0w3l - - &server_http-proxy age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m - - &server_ca age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk - - &server_monitoring01 age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey - - &server_jelly01 age1hchvlf3apn8g8jq2743pw53sd6v6ay6xu6lqk0qufrjeccan9vzsc7hdfq - - &server_nix-cache01 age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq - - &server_pgdb1 age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv - - &server_nats1 age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga -creation_rules: - - path_regex: secrets/[^/]+\.(yaml|json|env|ini) - key_groups: - - age: - - *admin_torjus - - *server_ns1 - - *server_ns2 - - *server_ha1 - - *server_http-proxy - - *server_ca - - *server_monitoring01 - - *server_jelly01 - - *server_nix-cache01 - - *server_pgdb1 - - *server_nats1 - - path_regex: secrets/ca/[^/]+\.(yaml|json|env|ini|) - key_groups: - - age: - - *admin_torjus - - *server_ca - - path_regex: secrets/monitoring01/[^/]+\.(yaml|json|env|ini) - key_groups: - - age: - - *admin_torjus - - *server_monitoring01 - - path_regex: secrets/ca/keys/.+ - key_groups: - - age: - - *admin_torjus - - *server_ca - - path_regex: secrets/nix-cache01/.+ - key_groups: - - age: - - *admin_torjus - - *server_nix-cache01 - - path_regex: secrets/http-proxy/.+ - key_groups: - - age: - - *admin_torjus - - *server_http-proxy diff --git a/CLAUDE.md b/CLAUDE.md index 546507f..5a9bf69 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -92,9 +92,6 @@ Secrets are managed by OpenBao (Vault) using AppRole authentication. Most hosts `vault.secrets` option defined in `system/vault-secrets.nix` to fetch secrets at boot. Terraform manages the secrets and AppRole policies in `terraform/vault/`. -Legacy sops-nix is still present but no longer actively used. Do not edit any -`.sops.yaml` or any file within `secrets/`. Ask the user to modify if necessary. - ### Git Workflow **Important:** Never commit directly to `master` unless the user explicitly asks for it. Always create a feature branch for changes. @@ -301,7 +298,7 @@ The `current_rev` label contains the git commit hash of the deployed flake confi - `default.nix` - Entry point, imports configuration.nix and services - `configuration.nix` - Host-specific settings (networking, hardware, users) - `/system/` - Shared system-level configurations applied to ALL hosts - - Core modules: nix.nix, sshd.nix, sops.nix (legacy), vault-secrets.nix, acme.nix, autoupgrade.nix + - Core modules: nix.nix, sshd.nix, vault-secrets.nix, acme.nix, autoupgrade.nix - Additional modules: motd.nix (dynamic MOTD), packages.nix (base packages), root-user.nix (root config), homelab-deploy.nix (NATS listener) - Monitoring: node-exporter and promtail on every host - `/modules/` - Custom NixOS modules 
@@ -316,13 +313,11 @@ The `current_rev` label contains the git commit hash of the deployed flake confi - `vault/` - OpenBao (Vault) secrets server - `actions-runner/` - GitHub Actions runner - `http-proxy/`, `postgres/`, `nats/`, `jellyfin/`, etc. -- `/secrets/` - SOPS-encrypted secrets with age encryption (legacy, no longer used) - `/common/` - Shared configurations (e.g., VM guest agent) - `/docs/` - Documentation and plans - `plans/` - Future plans and proposals - `plans/completed/` - Completed plans (moved here when done) - `/playbooks/` - Ansible playbooks for fleet management -- `/.sops.yaml` - SOPS configuration with age keys (legacy, no longer used) ### Configuration Inheritance @@ -369,7 +364,6 @@ Template hosts: - `nixpkgs` - NixOS 25.11 stable (primary) - `nixpkgs-unstable` - Unstable channel (available via overlay as `pkgs.unstable.`) -- `sops-nix` - Secrets management (legacy, no longer actively used) - `nixos-exporter` - NixOS module for exposing flake revision metrics (used to verify deployments) - `homelab-deploy` - NATS-based remote deployment tool for test-tier hosts - Custom packages from git.t-juice.club: @@ -397,10 +391,6 @@ Most hosts use OpenBao (Vault) for secrets: - Fallback to cached secrets in `/var/lib/vault/cache/` when Vault is unreachable - Provision AppRole credentials: `nix develop -c ansible-playbook playbooks/provision-approle.yml -e hostname=` -Legacy SOPS (no longer actively used): -- SOPS with age encryption, keys in `.sops.yaml` -- Files in `/secrets/` are legacy and can be removed - ### Auto-Upgrade System All hosts pull updates daily from: diff --git a/flake.lock b/flake.lock index 63dbb4c..a46d98d 100644 --- a/flake.lock +++ b/flake.lock 
@@ -100,28 +100,7 @@ "homelab-deploy": "homelab-deploy", "nixos-exporter": "nixos-exporter", "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "sops-nix": "sops-nix" - } - }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs-unstable" - ] - }, - "locked": { - "lastModified": 1770145881, - "narHash": "sha256-ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" + "nixpkgs-unstable": "nixpkgs-unstable" } } }, diff --git a/flake.nix b/flake.nix index 1ccd4f0..918d312 100644 --- a/flake.nix +++ b/flake.nix @@ -5,10 +5,6 @@ nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-25.11"; nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable"; - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; - }; alerttonotify = { url = "git+https://git.t-juice.club/torjus/alerttonotify?ref=master"; inputs.nixpkgs.follows = "nixpkgs-unstable"; @@ -28,7 +24,6 @@ self, nixpkgs, nixpkgs-unstable, - sops-nix, alerttonotify, nixos-exporter, homelab-deploy, @@ -55,7 +50,6 @@ system.configurationRevision = self.rev or self.dirtyRev or "dirty"; } ) - sops-nix.nixosModules.sops nixos-exporter.nixosModules.default homelab-deploy.nixosModules.default ./modules/homelab @@ -74,7 +68,7 @@ ns1 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/ns1 @@ -83,7 +77,7 @@ ns2 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/ns2 @@ -92,7 +86,7 @@ ha1 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/ha1 
@@ -101,7 +95,7 @@ template1 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/template @@ -110,7 +104,7 @@ template2 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/template2 @@ -119,7 +113,7 @@ http-proxy = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/http-proxy @@ -128,7 +122,7 @@ monitoring01 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/monitoring01 @@ -137,7 +131,7 @@ jelly01 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/jelly01 @@ -146,7 +140,7 @@ nix-cache01 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/nix-cache01 @@ -155,7 +149,7 @@ pgdb1 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/pgdb1 @@ -164,7 +158,7 @@ nats1 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/nats1 @@ -173,7 +167,7 @@ vault01 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/vault01 @@ -182,7 +176,7 @@ testvm01 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/testvm01 
@@ -191,7 +185,7 @@ testvm02 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/testvm02 @@ -200,7 +194,7 @@ testvm03 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/testvm03 diff --git a/hosts/template/scripts.nix b/hosts/template/scripts.nix index f6209e6..a423008 100644 --- a/hosts/template/scripts.nix +++ b/hosts/template/scripts.nix @@ -2,7 +2,6 @@ let prepare-host-script = pkgs.writeShellApplication { name = "prepare-host.sh"; - runtimeInputs = [ pkgs.age ]; text = '' echo "Removing machine-id" rm -f /etc/machine-id || true @@ -22,11 +21,6 @@ let echo "Removing cache" rm -rf /var/cache/* || true - - echo "Generate age key" - rm -rf /var/lib/sops-nix || true - mkdir -p /var/lib/sops-nix - age-keygen -o /var/lib/sops-nix/key.txt ''; }; in diff --git a/hosts/template2/scripts.nix b/hosts/template2/scripts.nix index f6209e6..a423008 100644 --- a/hosts/template2/scripts.nix +++ b/hosts/template2/scripts.nix @@ -2,7 +2,6 @@ let prepare-host-script = pkgs.writeShellApplication { name = "prepare-host.sh"; - runtimeInputs = [ pkgs.age ]; text = '' echo "Removing machine-id" rm -f /etc/machine-id || true @@ -22,11 +21,6 @@ let echo "Removing cache" rm -rf /var/cache/* || true - - echo "Generate age key" - rm -rf /var/lib/sops-nix || true - mkdir -p /var/lib/sops-nix - age-keygen -o /var/lib/sops-nix/key.txt ''; }; in diff --git a/scripts/create-host/create_host.py b/scripts/create-host/create_host.py index 941fdda..8339a14 100644 --- a/scripts/create-host/create_host.py +++ b/scripts/create-host/create_host.py 
@@ -314,11 +314,10 @@ def handle_remove( for secret_path in host_secrets: console.print(f" [white]vault kv delete secret/{secret_path}[/white]") - # Warn about secrets directory + # Warn about legacy secrets directory if secrets_exist: - console.print(f"\n[yellow]⚠️ Warning: secrets/{hostname}/ directory exists and will NOT be deleted[/yellow]") + console.print(f"\n[yellow]⚠️ Warning: secrets/{hostname}/ directory exists (legacy SOPS)[/yellow]") console.print(f" Manually remove if no longer needed: [white]rm -rf secrets/{hostname}/[/white]") - console.print(f" Also update .sops.yaml to remove the host's age key") # Exit if dry run if dry_run: diff --git a/scripts/create-host/manipulators.py b/scripts/create-host/manipulators.py index 28f7671..58a0258 100644 --- a/scripts/create-host/manipulators.py +++ b/scripts/create-host/manipulators.py @@ -219,7 +219,7 @@ def update_flake_nix(config: HostConfig, repo_root: Path, force: bool = False) - new_entry = f""" {config.hostname} = nixpkgs.lib.nixosSystem {{ inherit system; specialArgs = {{ - inherit inputs self sops-nix; + inherit inputs self; }}; modules = commonModules ++ [ ./hosts/{config.hostname} diff --git a/system/default.nix b/system/default.nix index a4d9949..a04e2bb 100644 --- a/system/default.nix +++ b/system/default.nix @@ -10,7 +10,6 @@ ./nix.nix ./root-user.nix ./pki/root-ca.nix - ./sops.nix ./sshd.nix ./vault-secrets.nix ]; diff --git a/system/sops.nix b/system/sops.nix deleted file mode 100644 index 0918117..0000000 --- a/system/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: { - sops = { - defaultSopsFile = ../secrets/secrets.yaml; - age.keyFile = "/var/lib/sops-nix/key.txt"; - age.generateKey = true; - }; -} From f36457ee0d810fb8606e0283ae661ca617fee527 Mon Sep 17 00:00:00 2001 
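Review bot: The `.sops.yaml` deletion removes the age recipient list, but the matching private keys are untouched: every existing host keeps `/var/lib/sops-nix/key.txt` (created by the `age.generateKey = true` that the deleted `system/sops.nix` set), and the `admin_torjus` key still decrypts every blob that remains in git history. If the values migrated into Vault are the same ones that lived in `secrets/secrets.yaml`, their confidentiality still rests on those age keys; either rotate the migrated secrets or remove the host key files with a playbook, and say which in the commit message.

Review bot: `hosts/template/scripts.nix` and `hosts/template2/scripts.nix` receive identical hunks, which shows the two `prepare-host.sh` definitions are copy-pasted. Not a blocker, but factoring the script into one shared module would have made this a one-file edit.

Review bot: In `scripts/create-host/create_host.py`, the reworded warning in `handle_remove` still assumes a `secrets/{hostname}/` directory can exist, and 3/3 in this series deletes `secrets/` entirely; after that the `secrets_exist` branch is dead. Either drop the branch in that commit or leave a comment saying why it stays.

Review bot: `system/default.nix` keeps `./pki/root-ca.nix` while the step-ca host and its `root_ca.crt` are gone as of 1/3. Confirm that module now distributes the OpenBao PKI root rather than the retired step-ca root; the CLAUDE.md text in this series says ACME moved to `vault.home.2rjus.net`, but the trust anchor installed on every host is what decides whether the old CA is still accepted.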
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= Date: Sat, 7 Feb 2026 18:49:31 +0100 Subject: [PATCH 3/3] cleanup: remove legacy secrets directory and move TODO.md to completed plans - Remove secrets/ directory (sops-nix no longer in use, all hosts use Vault) - Move TODO.md to docs/plans/completed/automated-host-deployment-pipeline.md Co-Authored-By: Claude Opus 4.5 --- .../automated-host-deployment-pipeline.md | 0 secrets/ca/keys/intermediate_ca_key | 24 ---- secrets/ca/keys/root_ca_key | 24 ---- secrets/ca/keys/ssh_host_ca_key | 24 ---- secrets/ca/keys/ssh_user_ca_key | 24 ---- secrets/ca/secrets.yaml | 30 ----- secrets/http-proxy/wireguard.yaml | 25 ---- secrets/monitoring01/pve-exporter.yaml | 33 ------ secrets/nix-cache01/actions_token_1 | 19 --- secrets/nix-cache01/cache-secret | 19 --- secrets/secrets.yaml | 109 ------------------ 11 files changed, 331 deletions(-) rename TODO.md => docs/plans/completed/automated-host-deployment-pipeline.md (100%) delete mode 100644 secrets/ca/keys/intermediate_ca_key delete mode 100644 secrets/ca/keys/root_ca_key delete mode 100644 secrets/ca/keys/ssh_host_ca_key delete mode 100644 secrets/ca/keys/ssh_user_ca_key delete mode 100644 secrets/ca/secrets.yaml delete mode 100644 secrets/http-proxy/wireguard.yaml delete mode 100644 secrets/monitoring01/pve-exporter.yaml delete mode 100644 secrets/nix-cache01/actions_token_1 delete mode 100644 secrets/nix-cache01/cache-secret delete mode 100644 secrets/secrets.yaml diff --git a/TODO.md b/docs/plans/completed/automated-host-deployment-pipeline.md similarity index 100% rename from TODO.md rename to docs/plans/completed/automated-host-deployment-pipeline.md diff --git a/secrets/ca/keys/intermediate_ca_key b/secrets/ca/keys/intermediate_ca_key deleted file mode 100644 index 3e20331..0000000 --- a/secrets/ca/keys/intermediate_ca_key +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:TgGIuklFPUSCBosD86NFnkAtRvYijQNQP4vvTkKu3dRAOjdDa2li5djZDUS4NEEPEihpOcMXqHBb+ABk3LmoU5nLmsKCeylUp7+DhcGi9f3xw2h1zbHV37mt40OVLTF3cYufRdydIkCGQA3td3q1ue/wCna2ewe73xwGg5j6ZVJCZAtW4VCNZM+rcG+YxPUC0gmBH59+O0VSrZrkvSnifbr+K0dGwg4i17KwAukI4Ac7YMkQoeuAPXq38+ZftlRx4tq9xBUko6wpPY9zOaFzeagWYMF0n1UYqDt+/3XZI/mukPhJc9tzbWneqgkQBOx3OiDwrNglCHvEpnb+bZePIRLOnNHd1ShETgBqhsHGp9OAwwbAt4tO+HFpCQtVz7s2LWQFLbWiN0SCGzYUkFGCgoXae5H58lxFav8=,iv:UzaWlJ+M+VQx3CcPSGbFZh5/rGbKpS2Rq2XVZAIDFiQ=,tag:F3waoAMuEKTvN2xANReSww==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRGZSVHRSMGlyazAwQU5j\nd1o1L0Y1ckhQMkh4MVZiRmZlR2ozcmdsUW1vCk4xZ1ZibDBrUWZhYmxVVjBUczRn\nYlJtUWF3Y1lHWG56NkhmK2JOUHVGajQKLS0tIDN2S2doQURpTis2U3lWV0NxdWEz\ncjNZaEl1dEQwOXhsNE9xbHhYUzNTV3cKVmVIe05JwgXKSku7AJmrujYXrbBSbpBJ\nnqCuDIhok1w/fiff+XXn8udbgPVq5bC2SOhHbtVxImgBCFzrj5hQ0A==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4V3NaUEdvMmJvakQ0L1F0\nUnkvQ2F5dEVlZ2pMdlBZcjJac0tERnF5ZWljCmFrdU1NZ29jMkJ1a1ZLdURmVWI0\ncm1vNytFVzZjbVY2aVd2N3laMWNRNFEKLS0tIGgzOTFZY0lxc0JyVmd5cFBlNkRr\nVDBWc0t4c3pVV3RhSTB1UUVpNHd6NUkKNn6Sxb5oxP7iWqTF1+X9nOiYum3U+Rzk\nkryxVnf9EvQIVIFKDaTb+yAEO8otjqj+C4mHA9fannnNEJduOiPWOg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-11-30T13:18:08Z", - "mac": "ENC[AES256_GCM,data:9R9RJzPMr9Bv8aeCDxhExTfbr+R2hjap6FGSk5QxBdbNpOcNS78ica0CLEmkAYVAfjmx/X2jC5ZnsAueSPUK7nAgNX2gJXbUTpY0F+oKt35GJziLrFLl3u/ahpF9lQ50EL9OqqgS+igDqtodJhKme5DXH5/GXQHhz++O3VZkR78=,iv:XgN3PiowiEosi2DmrjP82HhJMvnwaV530tsBE8GQfjs=,tag:U243BrtH7H/DU9LcjN/MMg==,type:str]", - "pgp": null, 
- "unencrypted_suffix": "_unencrypted", - "version": "3.9.1" - } -} \ No newline at end of file diff --git a/secrets/ca/keys/root_ca_key b/secrets/ca/keys/root_ca_key deleted file mode 100644 index 2a95f17..0000000 --- a/secrets/ca/keys/root_ca_key +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:5AePh5uXcUseYBGWvlztgmg8mGBGy3ngKRa6+QxOaT0/fzSB1pKkaMtZJo76tV9wwjdL6/b6VVUI7GIaCBD5kgdZuA8RdBTXguHyjjdxAlI9xcrQaWWdATd8JJt+eQp/m2Y+0dioyXKaDV2ukI3GtHYjp/ixMoHHWEocnEEb40wG6c3CZcvsLWJvKTkFc2OvcjcU2RTfuNlYtEETidiD9iC/dtCakNQHmLP1UFYgcn0ebXBKmlqD6+x2o7BVT1SLwVCyGNvH3eKA2AWvddZChnhaNCUIXcRwBFCgS8lPs4iXhAhly+nwuj7ssFpuu3sjm5pq196tRS8WQl2iNUEJ2tzoOpceg1kZZ7KHX3wCbdBlCRqhy9Q4JMvWPDssO+zz2aU21+BDEySDTCnTYX9Hu2/iFvZejt++mKY=,iv:u/Ukye0BAj2ka++AA72W8WfXJAZZ/YJ3RC/aydxdoUc=,tag:ihTP5bCCigWEPcLFaYOhMA==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VElDNHArZXlXa2JRQjd0\nQmVIbGpPWk43NDdiTkFtcEd1bDhRdXJWOUY0CndITHdKTFNJQXFOVFdyUGNtQ09k\nN2hnQmFYR0ZORWtxcUN0ZFhsM0U3N2cKLS0tIFh1TTBpMjFIZ2NYM1QxeDRjYlJx\nYkdrUDZmMUpGbjk3REJCVVRpeFk5Z28KJcia0Bk+3ZoifZnRLwqAko526ODPnkSS\nzymtOj/QYTA0++NP3B1aScIyhWITMEZX1iSoWDmgHj8ZQoNMdkM7AQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNlNHRWNEcUZGNXNBMDFR\nTzE5RnNMQUMvU1k2OS9XMlpvUktMRzQ5RmxvCnlCS3lzRVpGUHJLRGZ6SWZ2ZktR\na3l0TVN2NUlRVEQwRHByYkNEMDQyWUkKLS0tIEh3RjBWT3c5K2RWeDRjWFpsU1lP\ncStqY2xta3RSNkR6Vkt5YXhYUTZmbDgKvVKmZc8S/RwurJGsGiJ5LhM4waLO9B9k\n2cawxHmcYM3KfXDFwp9UZWhIwF7SRkG56ZE4OjGI3sOL+74ixnePxA==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-11-30T13:18:16Z", - "mac": "ENC[AES256_GCM,data:JwjbQ129cYCBNA5Fb8lN9rW7/y4wuVOqLeajIMcYyCzlBcjzCZAV1DKN5n75xMamb/hb1AUkmtp/K82PKM0Vg5X4/lpWTUZXZOzn/TrwHx+yqlJjL9mUdGuHnSY5DwME38Dde3UxdtUa0CVgQOxvMIycW27w8+8NNfO2zxGxkzc=,iv:ZMZASOsqXZOb0NkBqG3GGaqqKgQdjZLiku2yU5QonB8=,tag:/lb/HMxsYOV5XX/5kWnFHA==,type:str]", - "pgp": null, 
- "unencrypted_suffix": "_unencrypted", - "version": "3.9.1" - } -} \ No newline at end of file diff --git a/secrets/ca/keys/ssh_host_ca_key b/secrets/ca/keys/ssh_host_ca_key deleted file mode 100644 index 607cf59..0000000 --- a/secrets/ca/keys/ssh_host_ca_key +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:vqQ3HwSmuDlI4UwraLWvwkBSj9zTFeNEWI1xzhVrO/gpx8+WBZOt2F0J7/LSTGAWsWW/9Gov+XXXAOtfnKfjYVzizyT/jE8EQwMuItWiFEVA6hohgwtsk7YKJjXdJIxmiv+WKs73gWb0uFVGh1ArMzsVkGPj1W1AKMFAneDPgsfSCy9aVOMuF8zQwypFC8eaxqOQhLpiN2ncRm8e7khwGurSgYfHDgFghaDr8torgUrZTOPNFk+LEdxB3WcC17+4a8ZyuBapmYdRTrP73czTAuxOF8lMwddJhO99SF7nWuOYVF1FOKLGtK04oKci5/xRIzvWo3I0pGajkxtuF5CyWbd1KblcPfBALIU/J5hU/puGJ7M2sE/qsg/4kaTFxnhq32rPZj291jFb4evDdOhVodfC1axOQUbzAC0=,iv:yOeQ384ikqgDqfthl7GIVSIMNA/n0BYTSIqFN3T9MAY=,tag:Y6nhOCrkWx7MnVpEeKN0Jg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTjRMWlNtYVQ2WnJEaGFN\nVFU2TXRTK2FHREpqREhOWHBKemxNc2U4WW44CnV4OWlBdXlFUWhJYi9jTTRuUWJV\nOWFPV2I4UytDRFo3blN3bUtFQ1NGU0kKLS0tIGp2VHlDc1JMMUdDUjlNNDFwUUxj\nVnhHbCtrNVNpZXo0K2dDVU5YTVJJUEkKk9mVTbzQVGZo3RKDLPDwtENknh+in1Q5\njf4DA1cGDDNzcEIWOOYyS+1mzT9WY8gU0hWqihX/bAx7CVsNUallZw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVFNwUGpkOUhkUXFWWERq\nMVdueC9VSE9KbGZkenBVK3NRMjRNVXVmcVRRCjNLa0QzbWVCQks3ZmV3eFVjcEp0\nRmxDSlZIZU1IbEdnbE83WlkxV3VZV1EKLS0tICtsRXArajQ4Um9mNEV5OWZBdS85\nVGFSU2wwODZ3Zm44M3pWcTdDV1dxejQKM2BK5Axb1cF344ea89gkzCLzEX6j4amK\nzxf+boBK7JUX7F6QaPB0sRU8J4Cei9mALz96C8xNHjX00KcD3O2QOA==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-11-30T13:18:20Z", - "mac": "ENC[AES256_GCM,data:AllgcWxHnr3igPi/JbfJCbEa6hKtmILnAjiaMojRZNO4p6zYSoF0s8lo9XX05/vIrFUo+YaCtsuacv+kfz9f6vQafPn7Vulbh6PeH1VlAmzyVfJOTmHP3YX8ic3uM56A4+III1jOERCFOIcc/CKsnRLFhLCRQRMgtgT0hTl5aPw=,iv:60dOYhoUTu1HIHzY36eJeRZ66/v6JmRRpIW99W2D+CI=,tag:F7nLSFm933K5M+JE4IvNYw==,type:str]", - "pgp": null, 
- "unencrypted_suffix": "_unencrypted", - "version": "3.9.1" - } -} \ No newline at end of file diff --git a/secrets/ca/keys/ssh_user_ca_key b/secrets/ca/keys/ssh_user_ca_key deleted file mode 100644 index e33bff2..0000000 --- a/secrets/ca/keys/ssh_user_ca_key +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:YRdPrTLQH0xdWiIzOyjfEGpvfmuj6me6GzZZcauh9bUUywyA1ranDnWqbJYgawQQxIXsq9dhXD0uco+7mmXq2598kF1NI9jh6uLf3k0H494zZOalRBv/k8u9oJDLIiVAkg9eNNLbGX0PMZr/Yue/qdkuXx2Hg9E7bQJwpU/NXF+jKKs+3NmKT5NBlegwAzUs530D4DUoaq5AhvVvdC6a1UcE+KJzQ8pRiz1GjFIxAB7qX+GVwa3yNdLgo2tlAbOzjGtaDfJnhZIHSNEq+4TEhjlF9lCmFCGFDUVupvMOWs0kBywJEzIrDmxmvGHlPj3FfyytPb7qhlsOXDDDS67IoiwluKOnw+sALAG0Iv9LMrDZ3z8MXeEGvRWu0VDMuGXN905/9kGx/A40mPjcfnZvI+qSRIKjER5R8aU=,iv:qiP2Ml59AnK24MBbs7N/HqJIylf+fXGqJAo2N8iFNB0=,tag:0Dj5fVs6OB07kvV4qzuvfw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUFlvNmRNYUlJSHZYUkpJ\nMEloQXFSdENIWGJVVDNIOVY5MS9SYWRoL0FrCnRJc05wZUZBSDRvMHNUUEhNRXQ4\nTWhYOUp6YUNGZFNWUFRrSmlJM1c4aWcKLS0tIFc1b3NlSEo2eFJhdDgwejRqcHlT\nZE5wN01uaE04cTlIbVJMVWQvQ1pXajgKQ1n6UmP7LEBsnIBXVc0BceOqvwCqQzBP\ncI8C5Io4ILgMjY4dr6sd0SeJG6mfDdiMA+k7c6jqoyZCW/Pkd3LANQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM2lyeXVzdE9nL1k5L3dC\nTkl2MjhMb1FKMFdCeXFPSmNST0pvOTRUaEVvCmdwMnhjSFFHVFhidmIySS9jMEJu\nNTJpRjdFOWpZZ3ZuZFJwZUUrRFU5NnMKLS0tIDJ1UjdVQkpMNm5Pd01JRnZNOEtr\nb1lpMlBkVHpiT2lYdWtZaUQrRW1HUDgKq/JVMf5gdu6lNEmqY6zU2SymbT+jklem\nnUQ9yieJGF+PanutNW6BCJH8jb/fH+Y6AeJ9S+kKCB4Yi75i4d+oHg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-11-30T13:18:24Z", - "mac": "ENC[AES256_GCM,data:6FJTKEdIpCm+Dz7Ua8dZOMZQFaGU0oU/HRP6ly5mWbXCv81LRbZXRBd+5RDY3z9g9nb0PXZrOMNps63F6SKxK52VfzLIOap3UGeMNQn5P4/yyFj7JQHQ5Gjcf2l2z2VZ7NhUdNoSCV/6lwjValbKtids48Q5c3sFX997ZiqIUnY=,iv:nUeyJd/v8d9v7QsLLckziD9K5qjOZKK4vOQJw/ymi18=,tag:6n5EE3oklWdVcedvB2J/zA==,type:str]", - "pgp": null, 
- "unencrypted_suffix": "_unencrypted", - "version": "3.9.1" - } -} \ No newline at end of file diff --git a/secrets/ca/secrets.yaml b/secrets/ca/secrets.yaml deleted file mode 100644 index 1597f0a..0000000 --- a/secrets/ca/secrets.yaml +++ /dev/null @@ -1,30 +0,0 @@ -ca_root_pw: ENC[AES256_GCM,data:jS5BHS9i/pOykus5aGsW+w==,iv:aQIU7uXnNKaeNXv1UjRpBoSYcRpHo8RjnvCaIw4yCqc=,tag:lkjGm5/Ve93nizqGDQ0ByA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5anlORWxJalhRWkJPeGIy - OStyVG8vMFRTTEZOWHR3Q3N1UWJQbFlxV3pBCmVKQVM1SlJ2L0JOb3U3cTh3YkZ4 - WHAxSUpTT1dyRHJHYVd1Qkh1ZWxwYW8KLS0tIEhXeklsSmlGaFlaaWF5L0Nodk5a - clZ4M3hFSlFqaEZ0UWREdHpTQ29GVUEKAxj5P05Ilpwis2oKFe54mJX+1LfTwfUv - 2XRFOrEQbFNcK5WFu46p1mc/AAjKTeHWuvb2Yq43CO+sh1+kqKz0XA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaS0dqQ1p4MEE2d2JaeFRx - UnB4ejhrS3hLekpqeWJhcEJGdnpzMTZDelVRCmFjVGswd3VtRUloWG1WbWY5N0s3 - cG9aV2hGU3lFZkkvcUJNWE1rWUIwMmMKLS0tIG1KdlhoQzREWDhPbXVSZVBUQkdE - N1hmcEwxWXBIWkQ3a3BrdGhvUFoxbzgKX6hLoz7o/Du6ymrYwmGDkXp2XT+0+7QE - YhD5qQzGLVQSh3XM/wWExj2Ue5/gw/NqNziHezOh2r9gQljbHjG2/g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-21T09:12:26Z" - mac: ENC[AES256_GCM,data:hfPRIXt/kZJa6lsj7rz+5xGlrWhR/LX895S2d8auP/4t3V//80YE/ofIsHeAY9M7eSFsW9ce2Vp0C/WiCQefVWNaNN7nVAwskCfQ6vTWzs23oYz4NYIeCtZggBG3uGgJxb7ZnAFUJWmLwCxkKTQyoVVnn8i/rUDIBrkilbeLWNI=,iv:lm1HVbWtAifHjqKP0D3sxRadsE9+82ugbA2x54yRBTo=,tag:averxmPLa131lJtFrNxcEA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.1 diff --git a/secrets/http-proxy/wireguard.yaml b/secrets/http-proxy/wireguard.yaml deleted file mode 100644 index bdcaa39..0000000 
--- a/secrets/http-proxy/wireguard.yaml +++ /dev/null @@ -1,25 +0,0 @@ -wg_private_key: ENC[AES256_GCM,data:DlC9txcLkTnb7FoEd249oJV/Ehcp50P8uulbE4rY/xU16fkTlnKvPmYZ7u8=,iv:IsiTzdrh+BNSVgx1mfjpMGNV2J0c88q6AoP0kHX2aGY=,tag:OqFsOIyE71SBD1mcNS/PeQ==,type:str] -sops: - age: - - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzdm9HTTN1amwxQ2Z6MUQv - dGJ0cEgyaHNOZWtWSWlXNXc5bGhUdSsvVlVzCkJkc3ZQdzlBNDNxb3Avdi96bXFt - TExZY29nUDI3RE5vanh6TVBRME1Fa1UKLS0tIG8vSHdCYzkvWmJpd0hNbnRtUmtk - aVcwaFJJclZ3YUlUTTNwR2VESmVyZWMKHvKUJBDuNCqacEcRlapetCXHKRb0Js09 - sqxLfEDwiN2LQQjYHZOmnMfCOt/b2rwXVKEHdTcIsXbdIdKOJwuAIQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeU01UTc2V1UyZXRadE5I - VE1aakVZUEZUNnJxbzJ1K3J1R3ZQdFdMbUhBCjZBMDM3ZkYvQWlyNHBtaDZRWkd4 - VzY0L3l4N2RNZjJRTDJWZTZyZVhHbW8KLS0tIGVNZ0N0emVmaVRCV09jNmVKRlla - cWVSNkJqWHh5c21KcWFac2FlZTVaMTAK1UvfPgZAZYtwiONKIAo5HlaDpN+UT/S/ - JfPUfjxgRQid8P20Eh/jUepxrDY8iXRZdsUMON+OoQ8mpwoAh5eN1A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-15T18:56:55Z" - mac: ENC[AES256_GCM,data:J2kHY7pXBJZ0UuNCZOhkU11M8rDqCYNzY71NyuDRmzzRCC9ZiNIbavyQAWj2Dpk1pjGsYjXsVoZvP7ti1wTFqahpaR/YWI5gmphrzAe32b9qFVEWTC3YTnmItnY0YxQZYehYghspBjnJtfUK0BvZxSb17egpoFnvHmAq+u5dyxg=,iv:/aLg02RLuJZ1bRzZfOD74pJuE7gppCBztQvUEt557mU=,tag:toxHHBuv3WRblyc9Sth6Iw==,type:str] - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/secrets/monitoring01/pve-exporter.yaml b/secrets/monitoring01/pve-exporter.yaml deleted file mode 100644 index 8fd9fab..0000000 --- a/secrets/monitoring01/pve-exporter.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -default: - user: ENC[AES256_GCM,data:4Zzjm6/e8GCKSPNivnY=,iv:Y3gR+JSH/GLYvkVu3CN4T/chM5mjGjwVPI0iMB4p1t4=,tag:auyG8iWsd/YGjDnnTC21Ew==,type:str] - password: ENC[AES256_GCM,data:9cyM9U8VnzXBBA==,iv:YMHNNUoQ9Az5+81Df07tjC+LaEWPHV6frUjd4PZrQOs=,tag:3hKR+BhLJODJp19nn4ppkA==,type:str] - verify_ssl: ENC[AES256_GCM,data:Cu5Ucf0=,iv:QFfdV7gDBQ+L2kSZZqlVqCrn9CRg5RNG5DNTFWtVf5Y=,tag:u24ZbpWA65wj3WOwqU1v+g==,type:bool] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUXdMMG5YaHRJbThQZW9u - RHVBbXFiSHNiUWdLTDdPajIyQjN3OGR0dGpzCm9ZVkdNWjhBakU3dVdhRU9kbU81 - aDlCNzJBQ1hvQ3FnTUk2N2RWQkZpUUEKLS0tIEZacTNqa3FWc2p1NXVtRWhwVExj - cUJtYXNjb2Z4QkF4MjlidEZxSUFNa3MKAGHGksPc9oJheSlUQ3ARK5MuR5NFbPmD - kmSDSgRmzbarxT8eJnK8/K4ii3hX5E9vGOohUkyc03w4ENsh/dw43g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVGhvdGE5Mzl0ckhBM21D - RXJwb09OS25PMGViblViM21wTVZiZWhtWmhFCnAzL1NqeUVyOGZFVDFvdXFPbklQ - ZkJPWDVIdUdCdjZGUjcrcmtvak5CWG8KLS0tIDhLUHJNN2VqNy9CdVh0K0N0b0k1 - RUE4U0E0aGxiRkF0NWdwSEIrQTU4MjgKeOU6bIWO6ke9YcG+1E3brnC21sSQxZ9b - SiG2QEnFnTeJ5P50XQoYHqUY3B0qx7nDLvyzatYEi6sDkfLXhmHGbw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-03T16:25:12Z" - mac: ENC[AES256_GCM,data:gemq8YpMZQC+gY7lmMM3tfZh9XxL40qdGlLiB2CD4SIG49w0V6E/vY7xygt0WW0zHbhMI9yUIqlRc/PaXn+QfyxJEr3IjaT05rrWUqQAeRP9Zss74Y3NtQehh8fM8SgeyU4j2CQ9f9B/lW9IgdOW/TNgQZVXGg1vXZPEzl7AZ4A=,iv:LG5ojv3hAqk+EvFa/xEn43MBqL457uKFDE3dG5lSgZo=,tag:AxzcUzmdhO411Sw7Vg1itA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.1 diff --git a/secrets/nix-cache01/actions_token_1 b/secrets/nix-cache01/actions_token_1 deleted file mode 100644 index 78d18eb..0000000 
--- a/secrets/nix-cache01/actions_token_1 +++ /dev/null @@ -1,19 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:P84qHFU+xQjwQGK8I1gIdcBsHrskuUg0M1nGMMaA+hFjAdFYUhdhmAN/+y0CO28=,iv:zJtk01zNMTBDQdVtZBTM34CHRaNYDkabolxh7PWGKUI=,tag:8AS80AbZJbh9B3Av3zuI1w==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRFB6QTIyWWdwVkV4ZXNB\nWkdSdEhMc0s4cnByWVZXTGhnSWZ0MTdEUWhJCnFlOFQ5TU1hcE91azVyZXVXRCtu\nZjIxalRLYlEreGZ6ZDNoeXNPaFN4b28KLS0tIHY5WVFXN1k4NFVmUjh6VURkcEpv\ncklGcWVhdTdBRnlOdm1qM2h5SS9UUkEKq2RyxSVymDqcsZ+yiNRujDCwk1WOWYRW\nDa4TRKg3FCe7TcCEPkIaev1aBqjLg9J9c/70SYpUm6Zgeps7v5yl3A==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArTGVuckp2NlhMZXRNMVhO\naUV3K0h3cmZ5ZGx4Q3dJWHNqZXFJeE1kM0dFCmF4TUFUMm9mTHJlYzlYWVhNa1RH\nR29VNDIrL1IvYUpQYm5SZEYzbWhhbkkKLS0tIEJsK1dwZVdaaHpWQkpOOS90dkhx\nbGhvRXhqdFdqQmhZZmhCdmw4NUtSVG8K3z2do+/cIjAqg6EMJnubOWid1sMeTxvo\nrq6eGJ7YzdgZr2JBVtJdDRtk/KeHXu9In4efbBXwLAPIfn1pU0gm1w==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-08-21T19:08:48Z", - "mac": "ENC[AES256_GCM,data:5CkO09NIqttb4UZPB9iGym8avhTsMeUkTFTKZJlNGjgB1qWyGQNeKCa50A1+SbBCCWE5EwxoynB1so7bi8vnq7k8CPUHbiWG8rLOJSYHQcZ9Tu7ZGtpeWPcCw1zPWJ/PTBsFVeaT5/ufdx/6ut+sTtRoKHOZZtO9oStHmu/Rlfg=,iv:z9iJJlbvhgxJaART5QoCrqvrqlgoVlGj8jlndCALmKU=,tag:ldjmND4NVVQrHUldLrB4Jg==,type:str]", - "unencrypted_suffix": "_unencrypted", - "version": "3.10.2" - } -} diff --git a/secrets/nix-cache01/cache-secret b/secrets/nix-cache01/cache-secret deleted file mode 100644 index 9f21c4e..0000000 --- a/secrets/nix-cache01/cache-secret +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:MQkR6FQGHK2AuhOmy2was49RY2XlLO5NwaXnUFzFo5Ata/2ufVoAj4Jvotw/dSrKL7f62A6s+2BPAyWrvACJ+pwYFlfyj3T9bNwhxwZPkEmiHEubJjWSiD6jkSW0gOxbY8ib6g/GbyF8I1cPeYr/hJD5qQ==,iv:eBL2Y3MOt9gYTETUZqsHo1D5hPOHxb4JR6Z/DFlzzqI=,tag:Qqbt39xZvQz/QhsggsArsw==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZzFXaEsyUkZGNFV0bVlW\nRkpPRHpUK2VwUHpOQXZCUUpoVzFGa3hycnhvCndTN0toVFdoU2E5N3V3UFhTTjU0\nNDByWTkrV0o3T295dE0zS08rVGpyQjAKLS0tIC96M0VEcWpjRk5DMjJnMFB4ZHI3\nM2Jod2x4ZzMyZm1pbDhZNTFuWGNRUlEKHs5jBSfjml09JOeKiT9vFR0Fykg6OxKG\njhFU/J2+fWB22G7dBc4PI60SNqhxIheUbGTdcz4Yp4BPL6vW3eArIw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJT3lxamcrQUpFdjZteFlF\nYUQ3aGdadGpuNXd2Z3RtZ3dQU0cvMlFUMUNRClBDR3U0OXZJU0NDamVMSlR5NitN\nYlhvNVlvUE0wRjErYzkwVHFOdGVCVjgKLS0tIEttR1BLTGpDYTRSQ0lUZmVEcnNi\nWkNaMEViUHVBcExVOEpjNE5CZHpjVkEKuX/Rf8kaB3apr1UhAnq3swS6fXiVmwm8\n7Key+SUAPNstbWbz0u6B9m1ev5QcXB2lx2/+Cm7cjW+6VE2gLHjTsQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-01-24T12:19:16Z", - "mac": "ENC[AES256_GCM,data:X8X91LVP1MMJ8ZYeSNPRO6XHN+NuswLZcHpAkbvoY+E9aTteO8UqS+fsStbNDlpF5jz/mhdMsKElnU8Z/CIWImwolI4GGE6blKy6gyqRkn4VeZotUoXcJadYV/5COud3XP2uSTb694JyQEZnBXFNeYeiHpN0y38zLxoX8kXHFbc=,iv:fFCRfv+Y1Nt2zgJNKsxElrYcuKkATJ3A/jvheUY2IK4=,tag:hYojbMGUAQvx7I4qkO7o9w==,type:str]", - "unencrypted_suffix": "_unencrypted", - "version": "3.9.3" - } -} diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml deleted file mode 100644 index 0602ce3..0000000 --- a/secrets/secrets.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ -root_password_hash: ENC[AES256_GCM,data:wk/xEuf+qU3ezmondq9y3OIotXPI/L+TOErTjgJz58wEvQkApYkjc3bHaUTzOrmWjQBgDUENObzPmvQ8WKawUSJRVlpfOEr5TQ==,iv:I8Z3xJz3qoXBD7igx087A1fMwf8d29hQ4JEI3imRXdY=,tag:M80osQeWGG9AAA8BrMfhHA==,type:str] -ns_xfer_key: ENC[AES256_GCM,data:VFpK7GChgFeUgQm31tTvVC888bN0yt6BAnHQa6KUTg4iZGP1WL5Bx6Zp8dY=,iv:9RF1eEc7JBxBebDOKfcDjGS2U7XsHkOW/l52yIP+1LA=,tag:L6DR2QlHOfo02kzfWWCrvg==,type:str] -backup_helper_secret: ENC[AES256_GCM,data:EvXEJnDilbfALQ==,iv:Q3dkZ8Ee3qbcjcoi5GxfbaVB4uRIvkIB6ioKVV/dL2Y=,tag:T/UgZvQgYGa740Wh7D0b7Q==,type:str] -nats_nkey: ENC[AES256_GCM,data:N2CVXjdwiE7eSPUtXe+NeKSTzA9eFwK2igxaCdYsXd4Ps0/DjYb/ggnQziQzSy8viESZYjXhJ2VtNw==,iv:Xhcf5wPB01Wu0A+oMw0wzTEHATp+uN+wsaYshxIzy1w=,tag:IauTIOHqfiM75Ufml/JXbg==,type:str] -sops: - age: - - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuWXhzQWFmeCt1R05jREcz - Ui9HZFN5dkxHNVE0RVJGZUJUa3hKK2sxdkhBCktYcGpLeGZIQzZIV3ZZWGs3YzF1 - T09sUEhPWkRkOWZFWkltQXBlM1lQV1UKLS0tIERRSlRUYW5QeW9TVjJFSmorOWNI - ZytmaEhzMjVhRXI1S0hielF0NlBrMmcK4I1PtSf7tSvSIJxWBjTnfBCO8GEFHbuZ - BkZskr5fRnWUIs72ZOGoTAVSO5ZNiBglOZ8YChl4Vz1U7bvdOCt0bw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1hz2lz4k050ru3shrk5j3zk3f8azxmrp54pktw5a7nzjml4saudesx6jsl0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcXM0RHlGcmZrYW4yNGZs - S1ZqQzVaYmQ4MGhGaTFMUVIwOTk5K0tZZjB3ClN0QkhVeHRrNXZHdmZWMzFBRnJ6 - WTFtaWZyRmx2TitkOXkrVkFiYVd3RncKLS0tIExpeGUvY1VpODNDL2NCaUhtZkp0 - cGNVZTI3UGxlNWdFWVZMd3FlS3pDR3cKBulaMeonV++pArXOg3ilgKnW/51IyT6Z - vH9HOJUix+ryEwDIcjv4aWx9pYDHthPFZUDC25kLYG91WrJFQOo2oA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1w2q4gm2lrcgdzscq8du3ssyvk6qtzm4fcszc92z9ftclq23yyydqdga5um - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBabTdsZWxZQjV2TGx2YjNM - 
ZTgzWktqTjY0S0M3bFpNZXlDRDk5TSt3V2k0CjdWWTN0TlRlK1RpUm9xYW03MFFG - aWN4a3o4VUVnYzBDd2FrelUraWtrMTAKLS0tIE1vTGpKYkhzcWErWDRreml2QmE2 - ZkNIWERKb1drdVR6MTBSTnVmdm51VEkKVNDYdyBSrUT7dUn6a4eF7ELQ2B2Pk6V9 - Z5fbT75ibuyX1JO315/gl2P/FhxmlRW1K6e+04gQe2R/t/3H11Q7YQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d2w5zece9647qwyq4vas9qyqegg96xwmg6c86440a6eg4uj6dd2qrq0w3l - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSFhDOFRVbnZWbVlQaG5G - U0NWekU0NzI1SlpRN0NVS1hPN210MXY3Z244CmtFemR5OUpzdlBzMHBUV3g0SFFo - eUtqNThXZDJ2b01yVVVuOFdwQVo2Qm8KLS0tIHpXRWd3OEpPRkpaVDNDTEJLMWEv - ZlZtaFpBdzF0YXFmdjNkNUR3YkxBZU0KAub+HF/OBZQR9bx/SVadZcL6Ms+NQ7yq - 21HCcDTWyWHbN4ymUrIYXci1A/0tTOrQL9Mkvaz7IJh4VdHLPZrwwA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWkhBL1NTdjFDeEhQcEgv - Z3c3Z213L2ZhWGo0Qm5Zd1A1RTBDY3plUkh3CkNWV2ZtNWkrUjB0eWFzUlVtbHlk - WTdTQjN4eDIzY0c0dyt6ajVXZ0krd1UKLS0tIHB4aEJqTTRMenV3UkFkTGEySjQ2 - YVM1a3ZPdUU4T244UU0rc3hVQ3NYczQK10wug4kTjsvv/iOPWi5WrVZMOYUq4/Mf - oXS4sikXeUsqH1T2LUBjVnUieSneQVn7puYZlN+cpDQ0XdK/RZ+91A== - -----END AGE ENCRYPTED FILE----- - - recipient: age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcEtHbjNWRkdodUxYdHRn - MDBMU08zWDlKa0Z4cHJvc28rZk5pUjhnMjE0CmdzRmVGWDlYQ052Wm1zWnlYSFV6 - dURQK3JSbThxQlg3M2ZaL1hGRzVuL0UKLS0tIEI3UGZvbEpvRS9aR2J2Tnc1YmxZ - aUY5Q2MrdHNQWDJNaGt5MWx6MVRrRVEKRPxyAekGHFMKs0Z6spVDayBA4EtPk18e - jiFc97BGVtC5IoSu4icq3ZpKOdxymnkqKEt0YP/p/JTC+8MKvTJFQw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQL3ZMUkI1dUV1T2tTSHhn - 
SjhyQ3dKTytoaDBNcit1VHpwVGUzWVNpdjBnCklYZWtBYzBpcGxZSDBvM2tIZm9H - bTFjb1ZCaDkrOU1JODVBVTBTbmxFbmcKLS0tIGtGcS9kejZPZlhHRXI5QnI5Wm9Q - VjMxTDdWZEltWThKVDl0S24yWHJxZHcKgzH79zT2I7ZgyTbbbvIhLN/rEcfiomJH - oSZDFvPiXlhPgy8bRyyq3l47CVpWbUI2Y7DFXRuODpLUirt3K3TmCA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1hchvlf3apn8g8jq2743pw53sd6v6ay6xu6lqk0qufrjeccan9vzsc7hdfq - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPcm9zUm1XUkpLWm1Jb3Uw - RncveGozOW5SRThEM1Y4SFF5RDdxUEhZTUE4CjVESHE5R3JZK0krOXZDL0RHR0oy - Z3JKaEpydjRjeFFHck1ic2JTRU5yZTQKLS0tIGY2ck56eG95YnpDYlNqUDh5RVp1 - U3dRYkNleUtsQU1LMWpDbitJbnRIem8K+27HRtZihG8+k7ZC33XVfuXDFjC1e8lA - kffmxp9kOEShZF3IKmAjVHFBiPXRyGk3fGPyQLmSMK2UOOfCy/a/qA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZHlldDdSOEhjTklCSXQr - U2pXajFwZnNqQzZOTzY5b3lkMzlyREhXRWo4CmxId2F6NkNqeHNCSWNrcUJIY0Nw - cGF6NXJaQnovK1FYSXQ2TkJSTFloTUEKLS0tIHRhWk5aZ0lDVkZaZEJobm9FTDNw - a29sZE1GL2ZQSk0vUEc1ZGhkUlpNRkEK9tfe7cNOznSKgxshd5Z6TQiNKp+XW6XH - VvPgMqMitgiDYnUPj10bYo3kqhd0xZH2IhLXMnZnqqQ0I23zfPiNaw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5bk9NVjJNWmMxUGd3cXRx - amZ5SWJ3dHpHcnM4UHJxdmh6NnhFVmJQdldzCm95dHN3R21qSkE4Vm9VTnVPREp3 - dUQyS1B4MWhhdmd3dk5LQ0htZEtpTWMKLS0tIGFaa3MxVExFYk1MY2loOFBvWm1o - L0NoRStkeW9VZVdpWlhteC8yTnRmMUkKMYjUdE1rGgVR29FnhJ5OEVjTB1Rh5Mtu - M/DvlhW3a7tZU8nDF3IgG2GE5xOXZMDO9QWGdB8zO2RJZAr3Q+YIlA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBU0xYMnhqOE0wdXdleStF - 
THcrY2NBQzNoRHdYTXY3ZmM5YXRZZkQ4aUZnCm9ad0IxSWxYT1JBd2RseUdVT1pi - UXBuNzFxVlN0OWNTQU5BV2NiVEV0RUUKLS0tIGJHY0dzSDczUzcrV0RpTjE0czEy - cWZMNUNlTzBRcEV5MjlRV1BsWGhoaUUKGhYaH8I0oPCfrbs7HbQKVOF/99rg3HXv - RRTXUI71/ejKIuxehOvifClQc3nUW73bWkASFQ0guUvO4R+c0xOgUg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-11T21:18:22Z" - mac: ENC[AES256_GCM,data:5//boMp1awc/2XAkSASSCuobpkxa0E6IKf3GR8xHpMoCD30FJsCwV7PgX3fR8OuLEhOJ7UguqMNQdNqG37RMacreuDmI1J8oCFKp+3M2j4kCbXaEo8bw7WAtyjUez+SAXKzZWYmBibH0KOy6jdt+v0fdgy5hMBT4IFDofYRsyD0=,iv:6pD+SLwncpmal/FR4U8It2njvaQfUzzpALBCxa0NyME=,tag:4QN8ZFjdqck5ZgulF+FtbA==,type:str] - unencrypted_suffix: _unencrypted - version: 3.9.4
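Review bot: `secrets/ca/keys/root_ca_key` and `secrets/ca/keys/intermediate_ca_key` are the private keys of the CA hierarchy, and `system/default.nix` still imports `./pki/root-ca.nix` (left in place by the previous patch), so hosts continue to trust some root certificate. Before the root key leaves the repo, confirm either that the OpenBao PKI mount was set up with its own root and `root-ca.nix` now ships that certificate, or that an offline copy of this root key exists. If the OpenBao intermediate was signed by this root and the key is simply deleted, the trust anchor can never be re-issued, renewed or have a CRL published, and every host's trust store has to be replaced when the intermediate expires.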
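Review bot: `secrets/ca/keys/ssh_host_ca_key` and `secrets/ca/keys/ssh_user_ca_key` are SSH CA private keys, and deleting them revokes nothing: any host whose `sshd_config` still carries `TrustedUserCAKeys` for the user CA, and any `ssh_known_hosts` with a `@cert-authority` line for the host CA, keeps accepting certificates signed by these keys until the public keys are removed. Those trust entries are state on existing hosts, not in this repo, so verify on a sample of hosts with `sshd -T | grep trustedusercakeys` and `grep -r cert-authority /etc/ssh/ssh_known_hosts`, and remove or rotate the old CA public keys as part of the decommission.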
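Review bot: deleting `secrets/secrets.yaml`, `secrets/http-proxy/wireguard.yaml`, `secrets/monitoring01/pve-exporter.yaml` and the two `secrets/nix-cache01/` files removes the ciphertext from the working tree only; every blob, its age recipient list and its MAC stay in history at the parent commits. That is acceptable while the matching private keys are controlled, but those keys are being retired fleet-wide, and the values in these files (`wg_private_key`, the pve-exporter password, `actions_token_1`, `cache-secret`, `root_password_hash`, `ns_xfer_key`, `nats_nkey`) are long-lived. If they were copied as-is into Vault rather than regenerated, rotate them in the same decommission; if they were regenerated, say so in the commit message. Also, `.sops.yaml`, which the previous patch's `create_host.py` change still mentions as holding each host's age key, is not in this patch's file list, so it keeps a recipient list for a directory that no longer exists; delete it in the same change.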