feat: start migrating steveej-t14 and sj-vps-htz-0 to sops

.sops.yaml

@@ -0,0 +1,37 @@
+# This example uses YAML anchors which allows reuse of multiple keys 
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+
+keys:
+  - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+  - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
+  - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+  - &elias-e525 100206d53cf92f62efd9d6b2672bf3644233c763
+
+creation_rules:
+  - path_regex: ^(.+/|)secrets/[^/]+$
+    key_groups:
+    - pgp:
+      - *steveej
+      age:
+      - *steveej-t14
+      - *sj-vps-htz0
+  - path_regex: ^secrets/steveej-t14/.+$
+    key_groups:
+    - pgp:
+      - *steveej
+      age:
+      - *steveej-t14
+  - path_regex: ^secrets/servers/.+$
+    key_groups:
+    - pgp:
+      - *steveej
+      age:
+      - *sj-vps-htz0
+  - path_regex: ^nix/os/containers/.+_secrets.+$
+    key_groups:
+    - pgp:
+      - *steveej
+      age:
+      - *sj-vps-htz0

Justfile

@@ -28,44 +28,29 @@ _render_templates:
 		# nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
 	fi
 
-rebuild-remote-device device target rebuildarg="dry-activate" :
+rebuild-remote-device device +rebuildargs="dry-activate":
 	#!/usr/bin/env bash
 	set -ex
-	just -v _rebuild-device nix/os/devices/{{device}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'"
+	nix run .#colmena -- apply --on {{device}} {{rebuildargs}}
 
 # Rebuild this device's NixOS
 rebuild-this-device +rebuildargs="dry-activate":
 	nix run .#colmena -- apply-local --sudo {{rebuildargs}}
 
 # Re-render the versions of a remote device and rebuild its environment
-update-remote-device devicename target rebuildmode='switch':
+update-remote-device devicename rebuildmode='build':
 	#!/usr/bin/env bash
 	set -e
 
-	template=nix/os/devices/{{ devicename }}/versions.tmpl.nix
+	(
-	outfile=nix/os/devices/{{ devicename }}/versions.nix
+		set -xe
+		cd nix/os/devices/{{devicename}}
+		nix flake update
+	)
 
-	if ! test -e ${template}; then
+	just -v rebuild-remote-device {{devicename}} {{rebuildmode}}
-		template="$(just _DEFAULT_VERSION_TMPL)"
-	fi
 
-	esh -o ${outfile} ${template}
+	git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock} -m "nix/os/devices/{{devicename}}: bump versions"
-	if ! test "$(git diff ${outfile})"; then
-		echo Already on latest versions
-		exit 0
-	fi
-
-	just -v rebuild-remote-device {{ devicename }} {{target}} dry-activate || {
-		echo ERROR: rebuild in mode 'dry-active' failed after updating ${outfile}
-		exit 1
-	}
-
-	just -v rebuild-remote-device {{ devicename }} {{ target }} {{ rebuildmode }} || {
-		echo ERROR: rebuild in mode '{{ rebuildmode }}' failed after updating ${outfile}
-		exit 1
-	}
-
-	git commit -v ${outfile} -m "nix/os/devices/{{ devicename }}: bump versions"
 
 # Re-render the versions of the current device and rebuild its environment
 update-this-device rebuild-mode='switch':

flake.lock

@@ -27,11 +27,11 @@
         "stable": "stable"
       },
       "locked": {
-        "lastModified": 1684127527,
+        "lastModified": 1688224393,
-        "narHash": "sha256-tAzgb2jgmRaX9HETry38h2OvBf9YkHEH1fFvIJQV9A0=",
+        "narHash": "sha256-rsAvFNhRFzTF7qyb6WprLFghJnRxMFjvD2e5/dqMp4I=",
         "owner": "zhaofengli",
         "repo": "colmena",
-        "rev": "caf33af7d854c8d9b88a8f3dae7adb1c24c1407b",
+        "rev": "19384f3ee2058c56021e4465a3ec57e84a47d8dd",
         "type": "github"
       },
       "original": {
@@ -50,11 +50,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1684468982,
+        "lastModified": 1688082682,
-        "narHash": "sha256-EoC1N5sFdmjuAP3UOkyQujSOT6EdcXTnRw8hPjJkEgc=",
+        "narHash": "sha256-nMG/A7qYm9pyHJowKuaNmNYgo748xZrzMJPqtoGozSA=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "99de890b6ef4b4aab031582125b6056b792a4a30",
+        "rev": "4d350bb94fdf8ec9d2e22d68bb13e136d73aa9d8",
         "type": "github"
       },
       "original": {
@@ -71,11 +71,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1684003056,
+        "lastModified": 1687747614,
-        "narHash": "sha256-zl11zyRNKzAW7YLvTkxmFjSBqxZbEvfwZqNCT91ELfU=",
+        "narHash": "sha256-KXspKgtdO2YRL12Jv0sUgkwOwHrAFwdIG/90pDx8Ydg=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "8f95856432e091e5ac56fea2df81e905ddd02d27",
+        "rev": "fef67a1ddc293b595d62a660f57deabbcb70ff95",
         "type": "github"
       },
       "original": {
@@ -93,11 +93,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1684650006,
+        "lastModified": 1688278950,
-        "narHash": "sha256-cIWPr9nCddVu3DITyHBNWy9tBbfc86u+BxPEnRWslMM=",
+        "narHash": "sha256-h3J/w3/hCeW6D+VsN/JBQ0Buz76g5wRFznUJF8JomT4=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "fb17fb7db07709d2aca1efc1000fb1cf60b00b4e",
+        "rev": "8e75b5c8506960b49fbc5618717d966d04ee0a7d",
         "type": "github"
       },
       "original": {
@@ -140,11 +140,11 @@
     },
     "flake-compat_3": {
       "locked": {
-        "lastModified": 1680531544,
+        "lastModified": 1688025799,
-        "narHash": "sha256-8qbiDTYb1kGaDADRXTItpcMKQ1TeQVkuof6oEwHUvVA=",
+        "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
         "owner": "nix-community",
         "repo": "flake-compat",
-        "rev": "95e78dc12268c5e4878621845c511077f3798729",
+        "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
         "type": "github"
       },
       "original": {
@@ -158,11 +158,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1683560683,
+        "lastModified": 1688254665,
-        "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=",
+        "narHash": "sha256-8FHEgBrr7gYNiS/NzCxIO3m4hvtLRW9YY1nYo1ivm3o=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "006c75898cf814ef9497252b022e91c946ba8e17",
+        "rev": "267149c58a14d15f7f81b4d737308421de9d7152",
         "type": "github"
       },
       "original": {
@@ -179,11 +179,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1683560683,
+        "lastModified": 1687762428,
-        "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=",
+        "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "006c75898cf814ef9497252b022e91c946ba8e17",
+        "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836",
         "type": "github"
       },
       "original": {
@@ -201,11 +201,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1680392223,
+        "lastModified": 1687762428,
-        "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
+        "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
+        "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836",
         "type": "github"
       },
       "original": {
@@ -234,11 +234,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1681202837,
+        "lastModified": 1685518550,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
         "type": "github"
       },
       "original": {
@@ -252,11 +252,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1681202837,
+        "lastModified": 1687709756,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
         "type": "github"
       },
       "original": {
@@ -317,11 +317,11 @@
         "nixpkgs-lib": "nixpkgs-lib_2"
       },
       "locked": {
-        "lastModified": 1681214977,
+        "lastModified": 1688299754,
-        "narHash": "sha256-pBaG4iKzF/YJQA06f87IZokB15Z13DYd6zsT/wlbWfI=",
+        "narHash": "sha256-ElNJ28wfORNv8JaCOFb/mniLiQe0cpuaj2DdD/dqdKw=",
         "owner": "nix-community",
         "repo": "lib-aggregate",
-        "rev": "19d70ca7a81956bd01a768297b84798f301e150f",
+        "rev": "6107c923522c233458760d0c7f31ad71bf1d2146",
         "type": "github"
       },
       "original": {
@@ -330,14 +330,26 @@
         "type": "github"
       }
     },
+    "logseqNightly": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-d6xi4mKdjkX2JFicDIv5niSzpyI0m/Hnm8GGAIU04kY=",
+        "type": "file",
+        "url": "file:///dev/null"
+      },
+      "original": {
+        "type": "file",
+        "url": "file:///dev/null"
+      }
+    },
     "magmawm": {
       "flake": false,
       "locked": {
-        "lastModified": 1684662176,
+        "lastModified": 1687543996,
-        "narHash": "sha256-jgTAHe4JYAHjm6araJlPJZoLlnz6q/Y21bKrx/kBetk=",
+        "narHash": "sha256-S8vRKXCHF7OHestoGNe6fqqxJIc8slhaOFjvGS3oflc=",
         "owner": "MagmaWM",
         "repo": "MagmaWM",
-        "rev": "e228ed1ff6b6c6181a8b05e1c4e0d74f2634e14b",
+        "rev": "c16fa624b2c86328081a1647f483273e131df29d",
         "type": "github"
       },
       "original": {
@@ -349,14 +361,14 @@
     "nix-eval-jobs": {
       "inputs": {
         "flake-parts": "flake-parts_3",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1682480188,
+        "lastModified": 1688002352,
-        "narHash": "sha256-4LG8Vl/fLWsJg+QAb5/PvZTdLtPFsYFxuGDfEAR5szA=",
+        "narHash": "sha256-jp6MOYWPsLbnDrk3ZWV98c6Z/PolEkfcuHXtAeKu66A=",
         "owner": "nix-community",
         "repo": "nix-eval-jobs",
-        "rev": "73ee1712faeb5db609fc9f991e2dc1de265acff5",
+        "rev": "db318eee754563269536c5e3513abbb9b130481a",
         "type": "github"
       },
       "original": {
@@ -365,18 +377,18 @@
         "type": "github"
       }
     },
-    "nixos-2211": {
+    "nixos-2305": {
       "locked": {
-        "lastModified": 1684141842,
+        "lastModified": 1687938137,
-        "narHash": "sha256-sbdzOwBDcyzz/Dr1ztdF+tElMyM/cgx+4XxVgz+NLRM=",
+        "narHash": "sha256-Z00c0Pk3aE1aw9x44lVcqHmvx+oX7dxCXCvKcUuE150=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2eb0795720849ae19c068e39b17362d3ebcd585c",
+        "rev": "ba2ded3227a2992f2040fad4ba6f218a701884a5",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-22.11",
+        "ref": "release-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -385,7 +397,7 @@
       "inputs": {
         "disko": "disko",
         "flake-parts": "flake-parts_2",
-        "nixos-2211": "nixos-2211",
+        "nixos-2305": "nixos-2305",
         "nixos-images": "nixos-images",
         "nixpkgs": [
           "nixpkgs"
@@ -393,11 +405,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1684473129,
+        "lastModified": 1687941964,
-        "narHash": "sha256-Nmqas06HVswtASU0kwY4tD/dOtKgMIo7OlJaIGrHYwA=",
+        "narHash": "sha256-/Gr4tOq+tMBbE46njUt1aJGbsB9lpwnK99/oeC9uTXE=",
         "owner": "numtide",
         "repo": "nixos-anywhere",
-        "rev": "0586b4da4f58f0d02d94fceb06fa7e15d8d03fff",
+        "rev": "22a2964bef34f92fe1c093ae54a8ab52eefdd5df",
         "type": "github"
       },
       "original": {
@@ -409,9 +421,9 @@
     },
     "nixos-images": {
       "inputs": {
-        "nixos-2211": [
+        "nixos-2305": [
           "nixos-anywhere",
-          "nixos-2211"
+          "nixos-2305"
         ],
         "nixos-unstable": [
           "nixos-anywhere",
@@ -419,11 +431,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1684151031,
+        "lastModified": 1686819168,
-        "narHash": "sha256-6bBOxHIRCn4WQBsjsnaLL7bwcHuCLQj1Xd3gnmbZ9LQ=",
+        "narHash": "sha256-IbRVStbKoMC2fUX6TxNO82KgpVfI8LL4Cq0bTgdYhnY=",
         "owner": "nix-community",
         "repo": "nixos-images",
-        "rev": "3758c6481cd8ad9571c0401fc634eda05a86489b",
+        "rev": "ccc1a2c08ce2fc38bcece85d2a6e7bf17bac9e37",
         "type": "github"
       },
       "original": {
@@ -434,11 +446,27 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1684580438,
+        "lastModified": 1688001024,
-        "narHash": "sha256-LUPswmDn6fXP3lEBJFA2Id8PkcYDgzUilevWackYVvQ=",
+        "narHash": "sha256-Zf88j+DUj6rDgveWfdEyUo4fL1KZTowzPAN6gpeqzKg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "2c8591ad6a6f9d679817a94f847c59b0d1e3289e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-2211": {
+      "locked": {
+        "lastModified": 1688043300,
+        "narHash": "sha256-UmpvFT0v4U4jxXhrfr+x1NuaOFULkIyCfS/WT6N6T7s=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "7dc71aef32e8faf065cb171700792cf8a65c152d",
+        "rev": "c6643a93d25abf3cf5d40a4e05bcf904b9f0e586",
         "type": "github"
       },
       "original": {
@@ -448,14 +476,30 @@
         "type": "github"
       }
     },
+    "nixpkgs-2305": {
+      "locked": {
+        "lastModified": 1688109178,
+        "narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "b72aa95f7f096382bff3aea5f8fde645bca07422",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-lib": {
       "locked": {
         "dir": "lib",
-        "lastModified": 1682879489,
+        "lastModified": 1688049487,
-        "narHash": "sha256-sASwo8gBt7JDnOOstnps90K1wxmVfyhsTPPNTGBPjjg=",
+        "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "da45bf6ec7bbcc5d1e14d3795c025199f28e0de0",
+        "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
         "type": "github"
       },
       "original": {
@@ -468,11 +512,11 @@
     },
     "nixpkgs-lib_2": {
       "locked": {
-        "lastModified": 1681001314,
+        "lastModified": 1688259758,
-        "narHash": "sha256-5sDnCLdrKZqxLPK4KA8+f4A3YKO/u6ElpMILvX0g72c=",
+        "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "367c0e1086a4eb4502b24d872cea2c7acdd557f4",
+        "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6",
         "type": "github"
       },
       "original": {
@@ -481,19 +525,35 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1688256355,
+        "narHash": "sha256-/E+OSabu4ii5+ccWff2k4vxDsXYhpc4hwnm0s6JOz7Y=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "f553c016a31277246f8d3724d3b1eee5e8c0842c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-wayland": {
       "inputs": {
         "flake-compat": "flake-compat_3",
         "lib-aggregate": "lib-aggregate",
         "nix-eval-jobs": "nix-eval-jobs",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1684595659,
+        "lastModified": 1688301056,
-        "narHash": "sha256-B1NtPXWF3Xax1FDeMRYyUDr2e30blTiXLKaUSpegq0E=",
+        "narHash": "sha256-UDkmgKP+hFY+s1k4xj+05GGCdBIYHDPBT0LprU4AdO4=",
         "owner": "nix-community",
         "repo": "nixpkgs-wayland",
-        "rev": "031ace86d48def582fb8f7e098dc9a94fc25c3f7",
+        "rev": "b948920571b72da0363d2e8c391af5cfead99a6a",
         "type": "github"
       },
       "original": {
@@ -504,27 +564,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1681347147,
+        "lastModified": 1688231357,
-        "narHash": "sha256-B+hTioRc3Jdf4SJyeCiO0fW5ShIznJk2OTiW2vOV+mc=",
+        "narHash": "sha256-ZOn16X5jZ6X5ror58gOJAxPfFLAQhZJ6nOUeS4tfFwo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "1a9d9175ecc48ecd033062fa09b1834d13ae9c69",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "master",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1684570954,
-        "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
+        "rev": "645ff62e09d294a30de823cb568e9c6d68e92606",
         "type": "github"
       },
       "original": {
@@ -537,11 +581,11 @@
     "ofi-pass": {
       "flake": false,
       "locked": {
-        "lastModified": 1627767117,
+        "lastModified": 1687009458,
-        "narHash": "sha256-JUXW1M4sYWL1Mahy4AXgNzIUM+3T0nshnoKPwBzAkis=",
+        "narHash": "sha256-SgndtGEd3zDztqLJYSdun6IbOqgXsvw0Q8flicPHonY=",
         "owner": "sereinity",
         "repo": "ofi-pass",
-        "rev": "6dc6938b0d45f05e307539c6c5a4609427a2747c",
+        "rev": "e99b15857438bbb6013f7f65513c13ea3f5ebdfa",
         "type": "github"
       },
       "original": {
@@ -559,23 +603,29 @@
         "flake-parts": "flake-parts",
         "get-flake": "get-flake",
         "jay": "jay",
+        "logseqNightly": "logseqNightly",
         "magmawm": "magmawm",
         "nixos-anywhere": "nixos-anywhere",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": [
+          "nixpkgs-2305"
+        ],
+        "nixpkgs-2211": "nixpkgs-2211",
+        "nixpkgs-2305": "nixpkgs-2305",
         "nixpkgs-wayland": "nixpkgs-wayland",
         "ofi-pass": "ofi-pass",
         "salut": "salut",
+        "sops-nix": "sops-nix",
         "yofi": "yofi"
       }
     },
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1684616122,
+        "lastModified": 1688245988,
-        "narHash": "sha256-PLQN+e93BC1Yiqt4QNCj3cJ4mHtsO7Xlgn0VprgxiX4=",
+        "narHash": "sha256-0DlDUvMFCaFGHnxwyG68RJbKsJ8EM7xu3FiWb2Ry8+E=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "a04d8456be1d289c814846178cc1ff63b4fc297b",
+        "rev": "f5f0c48ac37fb19705af2864cb50dd6d82e9134e",
         "type": "github"
       },
       "original": {
@@ -597,11 +647,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1683080331,
+        "lastModified": 1685759304,
-        "narHash": "sha256-nGDvJ1DAxZIwdn6ww8IFwzoHb2rqBP4wv/65Wt5vflk=",
+        "narHash": "sha256-I3YBH6MS3G5kGzNuc1G0f9uYfTcNY9NYoRc3QsykLk4=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "d59c3fa0cba8336e115b376c2d9e91053aa59e56",
+        "rev": "c535b4f3327910c96dcf21851bbdd074d0760290",
         "type": "github"
       },
       "original": {
@@ -626,6 +676,27 @@
         "type": "gitlab"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1688268466,
+        "narHash": "sha256-fArazqgYyEFiNcqa136zVYXihuqzRHNOOeVICayU2Yg=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "5ed3c22c1fa0515e037e36956a67fe7e32c92957",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "stable": {
       "locked": {
         "lastModified": 1669735802,
@@ -680,11 +751,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1684070360,
+        "lastModified": 1687940979,
-        "narHash": "sha256-WaXr9ayqjp0R2+j9MrE1Ufdujw0vEA0o1G/0CrTt4Ns=",
+        "narHash": "sha256-D4ZFkgIG2s9Fyi78T3fVG9mqMD+/UnFDB62jS4gjZKY=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "27107cf3dfdc3c809d2477954d92fc2cc68b4401",
+        "rev": "0a4f06c27610a99080b69433873885df82003aae",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,7 +2,9 @@
 {
   inputs = {
     # flake and infra basics
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+    nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
+    nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05";
+    nixpkgs.follows = "nixpkgs-2305";
     flake-parts.url = "github:hercules-ci/flake-parts";
     get-flake.url = "github:ursi/get-flake";
     nixos-anywhere.url = github:numtide/nixos-anywhere/main;
@@ -25,6 +27,9 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+
     # applications
     aphorme_launcher = {
       url = "github:Iaphetes/aphorme_launcher/main";
@@ -56,6 +61,12 @@
       url = "gitlab:snakedye/salut";
       flake = false;
     };
+
+    logseqNightly = {
+      url = "file:///dev/null";
+      # url = "https://github.com/logseq/logseq/releases/download/nightly/Logseq-linux-x64-0.9.10-nightly.20230628.AppImage";
+      flake = false;
+    };
   };
 
   outputs = inputs @ {
@@ -71,7 +82,8 @@
       "aarch64-linux"
     ];
   in
-    flake-parts.lib.mkFlake {inherit inputs;} {
+    flake-parts.lib.mkFlake {inherit inputs;}
+    ({withSystem, ...}: {
       flake.colmena =
         lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur)
         {
@@ -83,13 +95,15 @@
         # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
         (builtins.map (nodeName:
           import ./nix/os/devices/${nodeName} {
+            inherit nodeName;
             repoFlake = self;
+            repoFlakeWithSystem = withSystem;
+            nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
           }) [
+          "sj-vps-htz0"
           "steveej-t14"
-          "elias-e525"
+          # "elias-e525"
-          "vmd102066.contaboserver.net"
+          # "justyna-p300"
-          "sj-vps-htz0.infra.stefanjunker.de"
-          "justyna-p300"
         ]);
 
       # this makes nixos-anywhere work
@@ -165,5 +179,5 @@
           packages' = packages;
         };
       };
-    };
+    });
 }

nix/devShells.nix

@@ -20,6 +20,7 @@ pkgs.stdenv.mkDerivation {
       nixos-install-tools
       dconf2nix
       inputs'.nixos-anywhere.packages.nixos-anywhere
+      nurl
 
       just
       git-crypt
@@ -36,6 +37,12 @@ pkgs.stdenv.mkDerivation {
       # packages'.aphorme_launcher
       packages'.yofi
       # packages'.ofi-pass
+      age
+      age-plugin-yubikey
+      ssh-to-age
+      yubico-piv-tool
+      inputs'.sops-nix.packages.default
+      sops
 
       apacheHttpd
 

nix/home-manager/configuration/graphical-fullblown.nix

@@ -4,10 +4,14 @@
   # these come in via home-manager.extraSpecialArgs and are specific to each node
   nodeFlake,
   packages',
+  repoFlake,
+  # repoFlakeInputs',
   ...
 }: let
   pkgsMaster = nodeFlake.inputs.nixpkgs-master.${pkgs.system};
   pkgsUnstableSmall = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system};
+  pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system};
+  # pkgs2211 = repoFlakeInputs'.nixpkgs-2211.legacyPackages;
 in {
   imports = [
     ../profiles/common.nix
@@ -22,6 +26,7 @@ in {
     ../programs/redshift.nix
     ../programs/gpg-agent.nix
 
+    # ../programs/espanso.nix
 
     ../programs/firefox.nix
     ../programs/chromium.nix
@@ -31,18 +36,16 @@ in {
     ../programs/pass.nix
     ../programs/vscode
 
-    # TODO: broken since nixos-23.05
+    # TODO: bump these to 23.05 and make it work
-    # ../programs/radicale.nix
+    (args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;}))
-    # ../programs/espanso.nix
+    # (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;}))
   ];
 
   home.sessionVariables.HM_CONFIG = "graphical-fullblown";
   home.sessionVariables.GOPATH = "$HOME/src/go";
   home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];
 
-  # required by logseq as of 2023-05-24
   nixpkgs.config.permittedInsecurePackages = [
-    "electron-20.3.11"
   ];
 
   home.packages =
@@ -90,7 +93,8 @@ in {
       yubikey-personalization-gui
 
       # gnome.gnome-keyring
-      gcr gnome.seahorse
+      gcr
+      gnome.seahorse
 
       # Language Support
       hunspellDicts.en-us
@@ -110,6 +114,59 @@ in {
       # FIXME: depends on insecure openssl 1.1.1t
       # kotatogram-desktop
       tdesktop
+      (let
+        version = "6.20.0-beta.1";
+      in
+        pkgsUnstableSmall.signal-desktop-beta.overrideAttrs (old: {
+          inherit version;
+          src = builtins.fetchurl {
+            url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop-beta/signal-desktop-beta_${version}_amd64.deb";
+            sha256 = "0xkagnldagfxnpv4c23yd9w0kz1y719m1sj9vqn8mnr1zfn7j62a";
+          };
+          preFixup =
+            old.preFixup
+            + ''
+              gappsWrapperArgs+=(
+                --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}"
+                --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
+              )
+            '';
+        }))
+
+      # --add-flags "--enable-features=UseOzonePlatform"
+      # --add-flags "--ozone-platform=wayland"
+      (pkgsUnstableSmall.session-desktop.overrideAttrs (old: {
+        nativeBuildInputs =
+          old.nativeBuildInputs
+          ++ [
+            pkgs.wrapGAppsHook
+          ];
+
+        preFixup =
+          (old.preFixup or "")
+          + ''
+            gappsWrapperArgs+=(
+              --add-flags "--enable-features=UseOzonePlatform"
+              --add-flags "--ozone-platform=wayland"
+              # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}"
+              # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=WaylandWindowDecorations}}"
+              # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
+            )
+          '';
+      }))
+
+      #(pkgsUnstableSmall.session-desktop.overrideAttrs(old: {
+      #    nativeBuildInputs = old.nativeBuildInputs ++ [
+      #      pkgs.wrapGAppsHook
+      #    ];
+      #
+      #    preFixup = (old.preFixup or "") + ''
+      #      gappsWrapperArgs+=(
+      #        --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}"
+      #        --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
+      #      )
+      #    '';
+      #  }))
 
       thunderbird
       # gnome.cheese
@@ -129,7 +186,8 @@ in {
       vlc
       audacity
       spotify
-      # youtube-dl-light
+      yt-dlp
+      (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}")
       libwebcam
 
       # Network Tools
@@ -177,9 +235,15 @@ in {
       cdrtools
 
       # Document Processing and Management
-      mendeley
+      xfce.thunar
+      # mendeley
       evince
-      (logseq.override (_: {electron = pkgs.electron_20;}))
+      ((logseq.overrideAttrs (attrs: {
+        version = "nightly";
+        src = repoFlake.inputs.logseqNightly;
+      })).override (_: {
+        electron = pkgs.electron_24;
+      }))
 
       # File Synchronzation
       dropbox

nix/home-manager/profiles/sway-desktop.nix

@@ -11,12 +11,11 @@
   displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
   displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
   swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
-
 in {
   imports = [
-      ../profiles/wayland-desktop.nix
+    ../profiles/wayland-desktop.nix
-      ../programs/waybar.nix
+    ../programs/waybar.nix
-      ../programs/salut.nix
+    ../programs/salut.nix
   ];
 
   # TODO: autostart
@@ -44,7 +43,7 @@ in {
     pkgs.gnome-icon-theme
 
     ## fonts
-    pkgs.dejavu_fonts   # just a basic good fond
+    pkgs.dejavu_fonts # just a basic good fond
     pkgs.font-awesome_5 # needed by i3status-rust
     pkgs.nerdfonts
     pkgs.font-awesome
@@ -80,6 +79,7 @@ in {
   wayland.windowManager.sway = {
     enable = true;
     systemdIntegration = true;
+    # systemd.enable = true;
     xwayland = false;
 
     config = let
@@ -90,12 +90,14 @@ in {
       bars = [];
 
       input = {
-        "type:keyboard" = {
+        "type:keyboard" =
-          xkb_layout = config.home.keyboard.layout;
+          {
-          xkb_variant = config.home.keyboard.variant;
+            xkb_layout = config.home.keyboard.layout;
-        } // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) {
+            xkb_variant = config.home.keyboard.variant;
-          xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
+          }
-        };
+          // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) {
+            xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
+          };
 
         "type:touchpad" = {
           natural_scroll = "enabled";
@@ -105,7 +107,7 @@ in {
       keybindings = lib.mkOptionDefault {
         # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
         # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
-        "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel";
+        "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
 
         # only 1-9 exist on the default config
         "${modifier}+0" = "workspace number 0";
@@ -118,15 +120,15 @@ in {
         # move workspace to output
         "${modifier}+Control+Shift+${left}" = "move workspace to output left";
         "${modifier}+Control+Shift+${right}" = "move workspace to output right";
-        "${modifier}+Control+Shift+${up}" =  "move workspace to output up";
+        "${modifier}+Control+Shift+${up}" = "move workspace to output up";
         "${modifier}+Control+Shift+${down}" = "move workspace to output down";
         # move workspace to output with arrow keys
-        "${modifier}+Control+Shift+Left" =  "move workspace to output left";
+        "${modifier}+Control+Shift+Left" = "move workspace to output left";
         "${modifier}+Control+Shift+Right" = "move workspace to output right";
-        "${modifier}+Control+Shift+Up" =    "move workspace to output up";
+        "${modifier}+Control+Shift+Up" = "move workspace to output up";
-        "${modifier}+Control+Shift+Down" =  "move workspace to output down";
+        "${modifier}+Control+Shift+Down" = "move workspace to output down";
 
-        "${modifier}+Shift+e" =  "exec ${pkgs.sway}/bin/swaymsg exit";
+        "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
         "${modifier}+q" = "kill";
         "${modifier}+x" = "exec ${swapOutputWorkspaces}";
 
@@ -140,20 +142,31 @@ in {
         "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
         "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
 
-        # TODO: screenshot util, flameshot doesn't work in the packaged version
+        "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
-        "Print" = "exec ${pkgs.flameshot}/bin/flameshot gui";
       };
 
       terminal = "alacritty";
-      startup = [
+      startup =
-        {command = builtins.toString(pkgs.writeShellScript "ensure-graphical-session" ''
+        [
-            (
+          {
-              ${pkgs.coreutils}/bin/sleep 0.2
+            command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
-              ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
+              (
-            ) &
+                ${pkgs.coreutils}/bin/sleep 0.2
-          ''); 
+                ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
-        }
+              ) &
-      ];
+            '');
+          }
+        ]
+        ++ lib.optionals config.services.swayidle.enable [
+          {
+            command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
+              (
+                ${pkgs.coreutils}/bin/sleep 0.2
+                ${pkgs.systemd}/bin/systemctl --user restart swayidle
+              ) &
+            '');
+          }
+        ];
 
       colors.focused = lib.mkOptionDefault {
         childBorder = lib.mkForce "#ffa500";
@@ -166,19 +179,37 @@ in {
   services.swayidle = {
     enable = true;
     timeouts = [
-      { timeout = 10; command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi"; resumeCommand = displayOnCmd; }
+      {
-      { timeout = 60 * 5; command = lockCmd; }
+        timeout = 10;
-      { timeout = 60 * 6; command = displayOffCmd; resumeCommand = displayOnCmd; }
+        command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi";
+        resumeCommand = displayOnCmd;
+      }
+      {
+        timeout = 60 * 5;
+        command = lockCmd;
+      }
+      {
+        timeout = 60 * 6;
+        command = displayOffCmd;
+        resumeCommand = displayOnCmd;
+      }
     ];
     events = [
-      { event = "before-sleep"; 
+      {
+        event = "before-sleep";
         command = builtins.concatStringsSep "; " [
           lockCmd
           "${pkgs.playerctl}/bin/playerctl pause"
         ];
       }
-      { event = "after-resume"; command = displayOnCmd; }
+      {
-      { event = "lock"; command = lockCmd; }
+        event = "after-resume";
+        command = displayOnCmd;
+      }
+      {
+        event = "lock";
+        command = lockCmd;
+      }
     ];
   };
 }

nix/home-manager/profiles/wayland-desktop.nix

@@ -54,37 +54,13 @@ in {
     pavucontrol
     playerctl
     pasystray
-    qt5.qtwayland
+    # qt5.qtwayland
-    qt6.qtwayland
+    # qt6.qtwayland
 
     # probably required by flameshot
     # xdg-desktop-portal xdg-desktop-portal-wlr 
     # grim
 
-    (nixpkgs-unstable-small.signal-desktop.overrideAttrs (old: {
-      preFixup = old.preFixup + ''
-        gappsWrapperArgs+=(
-          --add-flags "--enable-features=UseOzonePlatform"
-          --add-flags "--ozone-platform=wayland"
-        )
-      '';
-    }))
-
-    ((nixpkgs-unstable-small.session-desktop.override (old: {
-        inherit (nixpkgs-2211) appimageTools;
-      }))
-        .overrideAttrs(old: {
-        nativeBuildInputs = old.nativeBuildInputs ++ [
-          pkgs.wrapGAppsHook
-        ];
-        
-        preFixup = (old.preFixup or "") + ''
-          gappsWrapperArgs+=(
-            --add-flags "--enable-features=UseOzonePlatform"
-            --add-flags "--ozone-platform=wayland"
-          )
-        '';
-      }))
   ];
 
   home.sessionVariables = {

nix/home-manager/programs/espanso.nix

@@ -2,10 +2,11 @@
   pkgs,
   config,
   ...
-}: let
+}: {
-  passwords = import ../../variables/passwords.crypt.nix;
-in {
   services.espanso = {
+    # package = pkgs.espanso.overrideAttrs(_: {
+    #   # src =
+    # })
     enable = true;
     settings = {
       matches = let

nix/home-manager/programs/firefox.nix

@@ -1,4 +1,5 @@
 {pkgs, ...}: {
+  programs.librewolf = {enable = true;};
   programs.firefox = {enable = true;};
 
   programs.browserpass = {

nix/home-manager/programs/radicale.nix

@@ -1,11 +1,10 @@
 {
   config,
-  pkgs,
   lib,
+  pkgs,
+  osConfig,
   ...
 }: let
-  passwords = import ../../variables/passwords.crypt.nix;
-
   libdecsync = pkgs.python3Packages.buildPythonPackage rec {
     pname = "libdecsync";
     version = "2.2.1";
@@ -16,9 +15,8 @@
     };
 
     propagatedBuildInputs = [
-      pkgs.libxcrypt-legacy
+      # pkgs.libxcrypt-legacy
     ];
-
   };
   radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec {
     pname = "radicale_storage_decsync";
@@ -31,13 +29,13 @@
 
     buildInputs = [
       pkgs.radicale
-      pkgs.libxcrypt-legacy
+      # pkgs.libxcrypt-legacy
-      pkgs.libxcrypt
+      # pkgs.libxcrypt
     ];
 
     nativeCheckInputs = [
-      pkgs.libxcrypt-legacy
+      # pkgs.libxcrypt-legacy
-      pkgs.libxcrypt
+      # pkgs.libxcrypt
     ];
 
     propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools];
@@ -48,18 +46,17 @@
       ++ [radicale-storage-decsync];
   });
 
-  mkRadicaleService = { suffix, port }: let
+  mkRadicaleService = {
+    suffix,
+    port,
+  }: let
     radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
       [server]
-      hosts = localhost:${builtins.toString(port)}
+      hosts = localhost:${builtins.toString port}
 
       [auth]
       type = htpasswd
-      htpasswd_filename = ${
+      htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path}
-        pkgs.writeText "radicale" ''
-          radicale:${passwords.users.radicale}
-        ''
-      }
       htpasswd_encryption = bcrypt
 
       [storage]
@@ -77,7 +74,14 @@
       Install.WantedBy = ["default.target"];
     };
   };
-in builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [
+in
-  {suffix = "personal"; port = 5232;}
+  builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [
-  {suffix = "family"; port = 5233;}
+    {
-]
+      suffix = "personal";
+      port = 5232;
+    }
+    {
+      suffix = "family";
+      port = 5233;
+    }
+  ]

nix/home-manager/programs/waybar.nix

@@ -1,6 +1,9 @@
-{ pkgs, config, repoFlake, ... }:
-
 {
+  pkgs,
+  config,
+  repoFlake,
+  ...
+}: {
   home.packages = [
     # required by any bar that has a tray plugin
     pkgs.libappindicator-gtk3
@@ -10,8 +13,9 @@
   programs.waybar = {
     enable = true;
     package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
-    style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css"
+    style =
-          + pkgs.lib.readFile ./waybar.css;
+      pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css"
+      + pkgs.lib.readFile ./waybar.css;
     systemd.enable = true;
     settings = {
       mainBar = {
@@ -55,22 +59,22 @@
 
         tray.spacing = 10;
 
-        cpu.format = "  {}%";
+        cpu.format = "  {usage}%";
         memory.format = "  {}%";
-        "temperature" =  {
+        "temperature" = {
           hwmon-path = "/sys/class/hwmon/hwmon3/temp1_input";
           format = " {temperatureC} °C";
         };
 
         "custom/cputemp" = {
-            format = " {}";
+          format = " {}";
-            exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'";
+          exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'";
-            interval = 2;
+          interval = 2;
         };
         "custom/fan" = {
-            format = "   {} rpm  ";
+          format = "   {} rpm  ";
-            exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'";
+          exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'";
-            interval = 2;
+          interval = 2;
         };
         battery.format = "🔋 {}%";
         pulseaudio = {

nix/os/containers/mailserver.nix

@@ -1,4 +1,5 @@
 {
+  repoFlake,
   hostAddress,
   localAddress,
   imapsPort ? 993,
@@ -7,10 +8,34 @@
 }: let
   passwords = import ../../variables/passwords.crypt.nix;
 in {
-  config = {pkgs, ...}: {
+  config = {
+    pkgs,
+    config,
+    ...
+  }: {
     system.stateVersion = "21.11"; # Did you read the comment?
 
-    imports = [../profiles/containers/configuration.nix ../profiles/common/user.nix];
+    imports = [
+      ../profiles/containers/configuration.nix
+
+      repoFlake.inputs.sops-nix.nixosModules.sops
+      ../profiles/common/user.nix
+    ];
+
+    # sops.defaultSopsFile = ./mailserver_secrets.yaml;
+    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+    sops.secrets.email_mailStefanjunkerDe = {
+      sopsFile = ./mailserver_secrets.yaml;
+      owner = config.users.users.steveej.name;
+    };
+    sops.secrets.email_schtifATwebDe = {
+      sopsFile = ./mailserver_secrets.yaml;
+      owner = config.users.users.steveej.name;
+    };
+    sops.secrets.email_dovecot_steveej = {
+      sopsFile = ./mailserver_secrets.yaml;
+      owner = config.users.users.dovecot2.name;
+    };
 
     networking.firewall.enable = false;
 
@@ -54,9 +79,10 @@ in {
       '';
     };
 
-    environment.etc."dovecot/users".text = ''
+    # environment.etc."dovecot/users".text = ''
-      steveej:${passwords.email.steveej}
+    #   steveej:${passwords.email.steveej}
-    '';
+    # '';
+    environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
 
     systemd.services.steveej-getmail-stefanjunker = {
       enable = true;
@@ -79,7 +105,7 @@ in {
           server = ssl0.ovh.net
           port = 993
           username = mail@stefanjunker.de
-          password = ${passwords.email.mailStefanjunkerDe}
+          password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
           mailboxes = ('INBOX',)
 
           [destination]
@@ -112,7 +138,7 @@ in {
           server = imap.web.de
           port = 993
           username = schtif
-          password = ${passwords.email.schtifATwebDe}
+          password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
           mailboxes = ('INBOX',)
 
           [destination]
@@ -128,6 +154,9 @@ in {
   inherit autoStart;
 
   bindMounts = {
+    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
+    "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
+
     "/etc/secrets/" = {
       hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
       isReadOnly = false;

nix/os/containers/mailserver_secrets.yaml

@@ -0,0 +1,38 @@
+email_mailStefanjunkerDe: ENC[AES256_GCM,data:DsPwNMahaSKFF8mof2qGxj6cIdYZeL6uRr4=,iv:2lamFXYKrGkHey5QCXBlEODYksDuJDyW3MYpz/7qj7s=,tag:2L34qD0XSbfsl0djvgYJYw==,type:str]
+email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str]
+email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn
+            R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2
+            dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj
+            bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl
+            T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-07-02T21:16:00Z"
+    mac: ENC[AES256_GCM,data:bDHu/9Hz2lyzoA92yA4K9/oaO6gxDjog8OSoEduE4Q8KE6VObzkHHvMwsPR46LE74dtRy9LNEXcMTWQzJBYoaKGi+wz0IJ/wy8Japrbu0Kiwx3dIeY0mg/OvBGlsAybvbDpfSjCsxVpgg7g1jQNntejljv1WHp4zD0hKn9hdYm0=,iv:MUaGwoPaHEZQgoTHXxkhMHdTGaIgk0UYx9qwfpt4Uds=,tag:qLa2QBTFbs/BdOH8TJWVxw==,type:str]
+    pgp:
+        - created_at: "2023-07-02T20:30:30Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds
+            0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf
+            SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb
+            5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc
+            Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc
+            RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx
+            44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5
+            uGcEfsNiUXPngkNrh/Nvhh9w
+            =yHDZ
+            -----END PGP MESSAGE-----
+          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

nix/os/devices/default.nix

@@ -1,7 +1,7 @@
 {
   dir,
   pkgs ? import <channels-nixos-stable> {},
-  ownLib ? import ../lib/default.nix {},
+  ownLib ? import ../lib/default.nix {inherit (pkgs) lib;},
   gitRoot ? "$(git rev-parse --show-toplevel)",
   # FIXME: why do these need explicit mentioning?
   moreargs ? "",

nix/os/devices/elias-e525/default.nix

@@ -1,4 +1,4 @@
-{repoFlake}: let
+{repoFlake, ...}: let
   nodeName = "elias-e525";
   system = "x86_64-linux";
 

nix/os/devices/elias-e525/user.nix

@@ -1,11 +1,12 @@
 {
   config,
   pkgs,
+  lib,
   ...
 }: let
   passwords = import ../../../variables/passwords.crypt.nix;
   keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser;
+  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
 in {
   users.extraUsers.elias = mkUser {
     uid = 1001;

nix/os/devices/fwhost2/user.nix

@@ -5,7 +5,7 @@
 }: let
   passwords = import ../../../variables/passwords.crypt.nix;
   keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser;
+  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
 in {
   # users.extraUsers.steveej2 = mkUser {
   #   uid = 1001;

nix/os/devices/justyna-p300/default.nix

@@ -1,4 +1,4 @@
-{repoFlake}: let
+{repoFlake, ...}: let
   nodeName = "justyna-p300";
   # system = "i686-linux";
   system = "x86_64-linux";

nix/os/devices/justyna-p300/user.nix

@@ -5,7 +5,7 @@
 }: let
   passwords = import ../../../variables/passwords.crypt.nix;
   keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser;
+  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
 in {
   users.extraUsers.elias = mkUser {
     uid = 1001;

nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.nix

@@ -1,36 +0,0 @@
-let
-  nixpkgs = {
-    url = "https://github.com/NixOS/nixpkgs/";
-    ref = "nixos-22.11";
-    rev = ''
-      a7cc81913bb3cd1ef05ed0ece048b773e1839e51'';
-  };
-in {
-  inherit nixpkgs;
-  nixos = nixpkgs // {suffix = "/nixos";};
-  "channels-nixos-stable" = nixpkgs;
-  "channels-nixos-unstable" = {
-    url = "https://github.com/NixOS/nixpkgs/";
-    ref = "nixos-unstable";
-    rev = ''
-      c707238dc262923da5a53a5a11914117caac07a2'';
-  };
-  "channels-nixos-unstable-small" = {
-    url = "https://github.com/NixOS/nixpkgs/";
-    ref = "nixos-unstable-small";
-    rev = ''
-      09c509a5075931382582dee69f3e44bf1535c092'';
-  };
-  "nixpkgs-master" = {
-    url = "https://github.com/NixOS/nixpkgs/";
-    ref = "master";
-    rev = ''
-      3d57138bd9abe31bae25704cebaab7527010cc5e'';
-  };
-  "home-manager-module" = {
-    url = "https://github.com/nix-community/home-manager";
-    ref = "release-22.11";
-    rev = ''
-      b0be47978de5cfd729a79c3f57ace4c86364ff45'';
-  };
-}

nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.tmpl.nix

@@ -1,41 +0,0 @@
-let
-  nixpkgs = {
-    url = "https://github.com/NixOS/nixpkgs/";
-    ref = "nixos-22.11";
-    rev = ''
-      <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d '
-      ' -%>'';
-  };
-in {
-  inherit nixpkgs;
-  nixos = nixpkgs // {suffix = "/nixos";};
-  "channels-nixos-stable" = nixpkgs;
-  "channels-nixos-unstable" = {
-    url = "https://github.com/NixOS/nixpkgs/";
-    ref = "nixos-unstable";
-    rev = ''
-      <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '
-      ' -%>'';
-  };
-  "channels-nixos-unstable-small" = {
-    url = "https://github.com/NixOS/nixpkgs/";
-    ref = "nixos-unstable-small";
-    rev = ''
-      <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable-small | awk '{ print $1 }' | tr -d '
-      ' -%>'';
-  };
-  "nixpkgs-master" = {
-    url = "https://github.com/NixOS/nixpkgs/";
-    ref = "master";
-    rev = ''
-      <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '
-      ' -%>'';
-  };
-  "home-manager-module" = {
-    url = "https://github.com/nix-community/home-manager";
-    ref = "release-22.11";
-    rev = ''
-      <% git ls-remote https://github.com/nix-community/home-manager.git release-22.11 | awk '{ print $1 }' | tr -d '
-      ' -%>'';
-  };
-}

nix/os/devices/sj-vps-htz0/default.nix

@@ -1,11 +1,13 @@
-{repoFlake}: let
+{
-  nodeName = "sj-vps-htz0.infra.stefanjunker.de";
+  nodeName,
+  repoFlake,
+  nodeFlake,
+  ...
+}: let
   system = "x86_64-linux";
-
-  nodeFlake = repoFlake.inputs.get-flake ./.;
 in {
   meta.nodeSpecialArgs.${nodeName} = {
-    inherit nodeName nodeFlake;
+    inherit repoFlake nodeName nodeFlake;
     packages' = repoFlake.packages.${system};
   };
 
@@ -14,13 +16,13 @@ in {
   };
 
   ${nodeName} = {
-    deployment.targetHost = nodeName;
+    deployment.targetHost = "${nodeName}.infra.stefanjunker.de";
-    deployment.replaceUnknownProfiles = true;
+    deployment.replaceUnknownProfiles = false;
 
     imports = [
-      (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
-
       nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+      ./configuration.nix
     ];
   };
 }

nix/os/devices/sj-vps-htz0/flake.lock

@@ -4,47 +4,46 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
+        ]
-        "utils": "utils"
       },
       "locked": {
-        "lastModified": 1681092193,
+        "lastModified": 1687871164,
-        "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
+        "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
+        "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-22.11",
+        "ref": "release-23.05",
         "repo": "home-manager",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1681759395,
+        "lastModified": 1688109178,
-        "narHash": "sha256-7aaRtLxLAy8qFVIA26ulB+Q5nDVzuQ71qi0s0wMjAws=",
+        "narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "cd749f58ba83f7155b7062dd49d08e5e47e44d50",
+        "rev": "b72aa95f7f096382bff3aea5f8fde645bca07422",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1681895322,
+        "lastModified": 1688246754,
-        "narHash": "sha256-dtduardGFljEIh0Whlnhzda7Au0s1WnnSdzh2ZhCu9c=",
+        "narHash": "sha256-OuUvCCMrJgN9K/L1j2ADMxu/nuJhplFjIZFFtelnymc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "57aad37a2eab85fb5522cbc8568fe27872071a1c",
+        "rev": "b9b176f8b8155c122e01a336b439ce57b2485b40",
         "type": "github"
       },
       "original": {
@@ -56,11 +55,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1681770396,
+        "lastModified": 1688180391,
-        "narHash": "sha256-tq+GZOkRA3uF3I/jIzuBGfnTRQFT4QnnRCWJ8DKSaMg=",
+        "narHash": "sha256-oTUSZepWQ7AYQKvNPkf8QyxkfoVpEhGioVji0hd3p8U=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4df48038a44e9f3a3da8e9b42ca182726b743de4",
+        "rev": "1353de5923daba8462cfc3624d8c2d70cbafafcd",
         "type": "github"
       },
       "original": {
@@ -77,21 +76,6 @@
         "nixpkgs-master": "nixpkgs-master",
         "nixpkgs-unstable": "nixpkgs-unstable"
       }
-    },
-    "utils": {
-      "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
     }
   },
   "root": "root",

nix/os/devices/sj-vps-htz0/flake.nix

@@ -1,10 +1,10 @@
 {
-  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
   inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
   inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
 
   inputs.home-manager = {
-    url = "github:nix-community/home-manager/release-22.11";
+    url = "github:nix-community/home-manager/release-23.05";
     inputs.nixpkgs.follows = "nixpkgs";
   };
 

nix/os/devices/sj-vps-htz0/system.nix

@@ -2,10 +2,9 @@
   pkgs,
   lib,
   config,
+  repoFlake,
   ...
-}: let
+}: {
-  keys = import ../../../variables/keys.nix;
-in {
   networking.firewall.enable = true;
   networking.firewall.allowedTCPPorts = [
     # iperf3
@@ -58,12 +57,10 @@ in {
 
   nix.gc = {automatic = true;};
 
-  # networking.useHostResolvConf = true;
-
-  services.openssh.forwardX11 = true;
-
   containers = {
     mailserver = import ../../containers/mailserver.nix {
+      inherit repoFlake;
+
       autoStart = true;
 
       hostAddress = "192.168.100.10";

nix/os/devices/steveej-nuc7pjyh-work/user.nix

@@ -5,7 +5,7 @@
 }: let
   passwords = import ../../../variables/passwords.crypt.nix;
   keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser;
+  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
 in {
   users.extraUsers.sjunker = mkUser {
     uid = 1001;

nix/os/devices/steveej-pa600/user.nix

@@ -5,7 +5,7 @@
 }: let
   passwords = import ../../../variables/passwords.crypt.nix;
   keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser;
+  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
 in {
   users.extraUsers.steveej2 = mkUser {
     uid = 1001;

nix/os/devices/steveej-t14/boot.nix

@@ -8,7 +8,8 @@
   boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
 
   # boot.tmpOnTmpfs = lib.mkForce false;
-  boot.tmpOnTmpfsSize = "100%";
+  boot.tmp.tmpfsSize = "100%";
+
   # TODO: make this work
   # systemd.tmpfiles.rules = lib.mkForce [ "d /tmp 1777 root root 1d" ];
 }

nix/os/devices/steveej-t14/configuration.nix

@@ -10,5 +10,6 @@
     ./pkg.nix
     ./user.nix
     ./boot.nix
+    ./secrets.nix
   ];
 }

nix/os/devices/steveej-t14/default.nix

@@ -1,12 +1,15 @@
-{repoFlake}: let
+{
-  nodeName = "steveej-t14";
+  nodeName,
+  repoFlake,
+  repoFlakeWithSystem,
+  nodeFlake,
+}: let
   system = "x86_64-linux";
-
-  nodeFlake = repoFlake.inputs.get-flake ./.;
 in {
   meta.nodeSpecialArgs.${nodeName} = {
     inherit repoFlake nodeName nodeFlake;
     packages' = repoFlake.packages.${system};
+    repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs');
   };
 
   meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {

nix/os/devices/steveej-t14/hw.nix

@@ -20,48 +20,47 @@ in {
   services.tlp = {
     enable = true;
     settings = {
-      CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
+      # CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
       CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
 
-      CPU_ENERGY_PERF_POLICY_ON_AC="balance_power";
+      # CPU_ENERGY_PERF_POLICY_ON_AC="balance_power";
       CPU_ENERGY_PERF_POLICY_ON_BAT="power";
 
-      SCHED_POWERSAVE_ON_AC="1";
+      # SCHED_POWERSAVE_ON_AC="1";
       SCHED_POWERSAVE_ON_BAT="1";
 
       CPU_BOOST_ON_AC="0";
       CPU_BOOST_ON_BAT="0";
 
-
+      # RADEON_DPM_PERF_LEVEL_ON_AC="auto";
-      RADEON_DPM_PERF_LEVEL_ON_AC="auto";
       RADEON_DPM_PERF_LEVEL_ON_BAT="low";
-      RADEON_DPM_STATE_ON_AC="balanced";
+      # RADEON_DPM_STATE_ON_AC="balanced";
       RADEON_DPM_STATE_ON_BAT="battery";
 
-      SOUND_POWER_SAVE_ON_AC="1";
+      # SOUND_POWER_SAVE_ON_AC="1";
       SOUND_POWER_SAVE_ON_BAT="1";
 
-      # PLATFORM_PROFILE_ON_AC="low-power";
+      # # PLATFORM_PROFILE_ON_AC="low-power";
-      # PLATFORM_PROFILE_ON_BAT="low-power";
+      # # PLATFORM_PROFILE_ON_BAT="low-power";
-      PLATFORM_PROFILE_ON_AC="balanced";
+      # PLATFORM_PROFILE_ON_AC="balanced";
       PLATFORM_PROFILE_ON_BAT="low-power";
 
-      RUNTIME_PM_ON_AC = "auto";
+      # RUNTIME_PM_ON_AC = "auto";
       RUNTIME_PM_ON_BAT = "auto";
 
-      PCIE_ASPM_ON_AC="default";
+      # PCIE_ASPM_ON_AC="default";
       PCIE_ASPM_ON_BAT="powersave";
 
       START_CHARGE_THRESH_BAT0 = "75";
       STOP_CHARGE_THRESH_BAT0 = "80";
 
       WOL_DISABLE="Y";
-      WIFI_PWR_ON_AC="on";
+      # WIFI_PWR_ON_AC="on";
       WIFI_PWR_ON_BAT="on";
       DEVICES_TO_DISABLE_ON_STARTUP="wwan";
-      #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan";
+      # #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan";
-      #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
+      # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
-      #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
+      # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
     };
   };
 
@@ -71,12 +70,13 @@ in {
       [0    0      55]
       [1    55     65]
       [1    65     75]
-      [3    75     78]
+      [2    75     78]
-      [4    78     80]
+      [3    78     80]
-      [5    80     82]
+      [4    80     82]
-      [6    82     84]
+      [5    82     84]
-      [7    84     86]
+      [6    84     86]
-      ["level full-speed"    86     999]
+      [7    86     88]
+      ["level full-speed"    88     999]
     ];
   };
 

nix/os/devices/steveej-t14/pkg.nix

@@ -9,6 +9,9 @@
         ];
       })
     ];
+
+    home.sessionVariables = {
+    };
   };
 
   # TODO: fix the following errors with regreet

nix/os/devices/steveej-t14/secrets.nix

@@ -0,0 +1,7 @@
+{config, ...}: {
+  sops.secrets.radicale_htpasswd = {
+    sopsFile = ../../../../secrets/steveej-t14/radicale_htpasswd;
+    format = "binary";
+    owner = config.users.users.steveej.name;
+  };
+}

nix/os/devices/steveej-t14/system.nix

@@ -3,6 +3,7 @@
   lib,
   config,
   nodeName,
+  repoFlake,
   ...
 }: let
   passwords = import ../../../variables/passwords.crypt.nix;
@@ -10,18 +11,37 @@ in {
   nix.settings = {
     substituters = [
       "https://holochain-ci.cachix.org"
-      # "https://cache.holo.host/"
+      "https://cache.holo.host/"
     ];
     trusted-public-keys = [
       "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
-      # "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
+      "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
-      # "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
+      "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
     ];
 
     extra-experimental-features = ["impure-derivations"];
     system-features = ["recursive-nix" "big-parallel"];
   };
 
+  networking.extraHosts = ''
+    # qemu box
+    172.24.40.13 steveej-qemu.infra.holochain.org
+    172.24.40.13 steveej-qemu.d.dweb.city
+
+    # bare metal
+    192.168.14.117 steveej-hw1.infra.holochain.org
+    192.168.14.117 steveej-hw1.d.dweb.city
+    192.168.14.117 steveej-hw2.infra.holochain.org
+    192.168.14.117 steveej-hw2.d.dweb.city
+    192.168.14.117 steveej-hw3.infra.holochain.org
+    192.168.14.117 steveej-hw3.d.dweb.city
+    192.168.14.117 steveej-hw4.infra.holochain.org
+    192.168.14.117 steveej-hw4.d.dweb.city
+
+    172.24.135.11 emerge3.d.dweb.city
+    172.24.74.194 emerge4.d.dweb.city
+  '';
+
   networking.bridges."virbr1".interfaces = [];
   networking.interfaces."virbr1".ipv4.addresses = [
     {
@@ -45,7 +65,8 @@ in {
   ];
   networking.firewall.interfaces."eth+".allowedUDPPorts = [
     # syncthing
-    22000 21027
+    22000
+    21027
   ];
 
   networking.firewall.logRefusedConnections = false;
@@ -96,8 +117,50 @@ in {
   services.zerotierone = {
     enable = true;
     joinNetworks = [
-      "93afae5963c547f1"
+      # moved to the service below as it's now secret
-      passwords.zerotier.dweb2023.networkId
     ];
   };
+
+  systemd.services.zerotieroneSecretNetworks = {
+    enable = true;
+    requiredBy = ["zerotierone.service"];
+    partOf = ["zerotierone.service"];
+
+    serviceConfig.Type = "oneshot";
+    serviceConfig.RemainAfterExit = true;
+
+    script = let
+      secret = config.sops.secrets.zerotieroneNetworks;
+    in ''
+      # include the secret's hash to trigger a restart on change
+      # ${builtins.hashString "sha256" (builtins.toJSON secret)}
+
+      ${config.systemd.services.zerotierone.preStart}
+
+      rm -rf /var/lib/zerotier-one/networks.d/*.conf
+      for network in `grep -v '#' ${secret.path}`; do
+        touch /var/lib/zerotier-one/networks.d/''${network}.conf
+      done
+    '';
+  };
+
+  sops.secrets.zerotieroneNetworks = {
+    sopsFile = ../../../../secrets/zerotierone.txt;
+    format = "binary";
+  };
+
+  sops.secrets.nomad-holochain-agent-ca = {
+    sopsFile =  ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
+    owner = config.users.extraUsers.steveej.name;
+  };
+
+  sops.secrets.nomad-holochain-cli-cert = {
+    sopsFile =  ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
+    owner = config.users.extraUsers.steveej.name;
+  };
+
+  sops.secrets.nomad-holochain-cli-key = {
+    sopsFile =  ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
+    owner = config.users.extraUsers.steveej.name;
+  };
 }

nix/os/devices/steveej-t14/user.nix

@@ -1,15 +1,16 @@
 {
   config,
   pkgs,
+  lib,
   ...
 }: let
-  passwords = import ../../../variables/passwords.crypt.nix;
   keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser;
+  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
 in {
   users.extraUsers.steveej2 = mkUser {
     uid = 1001;
     openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+    passwordFile = config.sops.secrets.sharedUsers-steveej.path;
   };
 
   nix.settings.trusted-users = ["steveej"];

nix/os/devices/vmd102066.contaboserver.net/default.nix

@@ -1,4 +1,4 @@
-{repoFlake}: let
+{repoFlake, ...}: let
   nodeName = "vmd102066.contaboserver.net";
   system = "x86_64-linux";
 

nix/os/lib/default.nix

@@ -1,21 +1,9 @@
 {
+  lib,
   keys ? import ../../variables/keys.nix,
-  passwords ? import ../../variables/passwords.crypt.nix,
 }: {
-  mkRoot = {} @ args:
+  mkUser = args: (
-    {
+    lib.attrsets.recursiveUpdate {
-      hashedPassword = passwords.users.root;
-      openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-    }
-    // args;
-
-  mkUser = {
-    uid,
-    hashedPassword ? passwords.users.steveej,
-    ...
-  } @ args:
-    {
-      inherit uid hashedPassword;
       isNormalUser = true;
       extraGroups = [
         "docker"
@@ -32,7 +20,8 @@
       ];
       openssh.authorizedKeys.keys = keys.users.steveej.openssh;
     }
-    // args;
+    args
+  );
 
   disk = rec {
     # TODO: verify the GPT PARTLABEL cap at 36 chars

nix/os/modules/ddclient-ovh.nix

@@ -4,8 +4,7 @@
   ...
 }: let
   cfg = config.services.ddclientovh;
-
+  # passwords = import ../../variables/passwords.crypt.nix;
-  passwords = import ../../variables/passwords.crypt.nix;
 in {
   options.services.ddclientovh = with lib; {
     enable = mkEnableOption "Enable ddclient-ovh";
@@ -20,10 +19,8 @@ in {
       ssl = true;
       domains = [cfg.domain];
       use = "web";
-      inherit (passwords.dyndns.${cfg.domain}) username;
+      # inherit (passwords.dyndns.${cfg.domain}) username;
-      passwordFile =
+      # passwordFile = config.sops.secrets."dyndns_${cfg.domain}".path;
-        builtins.toFile passwords.dyndns._filename
-        passwords.dyndns.${cfg.domain}.password;
     };
   };
 }

nix/os/modules/opinionatedDisk.nix

@@ -5,7 +5,7 @@
 }:
 with lib; let
   cfg = config.hardware.opinionatedDisk;
-  ownLib = import ../lib/default.nix {};
+  ownLib = import ../lib/default.nix {inherit lib;};
 in {
   options.hardware.opinionatedDisk = {
     enable = mkEnableOption "Enable opinionated filesystem layout";

nix/os/profiles/common/boot.nix

@@ -4,12 +4,11 @@
     enable = true;
     efiSupport = true;
     efiInstallAsRemovable = false;
-    version = 2;
   };
 
   boot.loader.systemd-boot.enable = false;
   boot.loader.efi.canTouchEfiVariables = true;
-  boot.tmpOnTmpfs = true;
+  boot.tmp.useTmpfs = true;
 
   # Workaround for nm-pptp to enforce module load
   boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"];

nix/os/profiles/common/configuration.nix

@@ -1,3 +1,17 @@
-{...}: {
+{
-  imports = [./boot.nix ./pkg.nix ./user.nix ./system.nix ./hw.nix];
+  config,
+  pkgs,
+  repoFlake,
+  ...
+}: {
+  imports = [
+    ./boot.nix
+    ./pkg.nix
+    ./system.nix
+    ./hw.nix
+
+    ./user.nix
+
+    repoFlake.inputs.sops-nix.nixosModules.sops
+  ];
 }

nix/os/profiles/common/pkg.nix

@@ -1,7 +1,9 @@
 {
+  config,
   pkgs,
   # these come in via nodeSpecialArgs and are expected to be defined for every node
   repoFlake,
+  repoFlakeInputs',
   nodeFlake,
   packages',
   ...
@@ -20,9 +22,12 @@
   home-manager.extraSpecialArgs = {
     inherit
       repoFlake
+      repoFlakeInputs'
       packages'
       nodeFlake
       ;
+
+    osConfig = config;
   };
 
   nixpkgs.config = {

nix/os/profiles/common/user.nix

@@ -3,13 +3,31 @@
   pkgs,
   ...
 }: let
-  passwords = import ../../../variables/passwords.crypt.nix;
+  keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {}) mkUser mkRoot;
+  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
 in {
+  sops.secrets.sharedUsers-root = {
+    sopsFile = ../../../../secrets/shared-users.yaml;
+    neededForUsers = true;
+  };
+
+  sops.secrets.sharedUsers-steveej = {
+    sopsFile = ../../../../secrets/shared-users.yaml;
+    neededForUsers = true;
+    format = "yaml";
+  };
+
   users.mutableUsers = false;
 
-  users.extraUsers.root = mkRoot {};
+  users.extraUsers.root = {
-  users.extraUsers.steveej = mkUser {uid = 1000;};
+    passwordFile = config.sops.secrets.sharedUsers-root.path;
+    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+  };
+
+  users.extraUsers.steveej = mkUser {
+    uid = 1000;
+    passwordFile = config.sops.secrets.sharedUsers-steveej.path;
+  };
 
   security.pam.u2f.enable = true;
   security.pam.services.steveej.u2fAuth = true;

nix/os/profiles/graphical/system.nix

@@ -21,7 +21,7 @@
 
   # hardware related services
   services.illum.enable = true;
-  services.pcscd.enable = false;
+  services.pcscd.enable = true;
   hardware.opengl.enable = true;
   hardware.bluetooth.enable = true;
   # required for running blueman-applet in user sessions

secrets/servers/dyndns.yaml

@@ -0,0 +1,47 @@
+dyndns_www.stefanjunker.de: ENC[AES256_GCM,data:xHpC/V9OWCMpTKs1,iv:gW6f6kQedbdxbz1zJAY6xceoeG/LqPG/Ss3DaBm/Ta0=,tag:v2V/hzRg+xgO8zpwyIBVXA==,type:str]
+dyndns_mailserver.svc.stefanjunker.de: ENC[AES256_GCM,data:auVHa5n4335mNXAy,iv:WZMOA+Z7/w+Jsu5193WwERXZrt/5JDiMUKIZo8ieT7w=,tag:YmEDp/0gjgPY2kg9GNKmxQ==,type:str]
+dyndns_container-backup.svc.stefanjunker.de: ENC[AES256_GCM,data:eVRz5btXqtFwLfud,iv:D7QmO003/xgDytsU4a3dBuY2zalIHq/4+CwMkLwLVRA=,tag:fd4NZ/fOkBW1keMgqXkroA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhT0t1U2hOR2RpVU5HWVU2
+            aWpSNklwak9HYUYwSEltaWlUNyt1OENLdTNRCkxyTGZZQ0ZncmZnYTdTMC90RnpT
+            dlRpWGVtNWhtUS9IeEJsb0VpU3greEUKLS0tIHNBQlh4NEFsZC9NQ3hRSTBTdC9W
+            TjVwOWJVQkZIc2RuWEU3QkxyVnc0UXcKIQm61AimM7hch3tT/KownHqZT7NyLNv+
+            H69zogFe63Oj27a5OK5cdcy9W6u4ew7b35ybkpeooMBuy2WbUld5LQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SWZSRHF6L1d6dVd1dTVB
+            elBvaGR4V1ZySW03S2Z4SWliZDVscjZQM1JJCjNscTJRM29HUXVxOWhUU0tZZllm
+            dHRKUlpqTDdjd3paWjViYlIrL2g5RUEKLS0tIEJLdDJVbkVYTDVRd0toZGZVOGxu
+            Vm8rS25SbE56c2RiRFFtM29pRm1ZR1kK4yKaQ5VP+X+WnIPNpVWniCX+NisVBhaO
+            DM4Tz7OJuDSSWZ19kVIN+eXrLftQbKCj8+9QgbzzjgoIpER+N2Z28A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-07-01T21:10:42Z"
+    mac: ENC[AES256_GCM,data:8peJxGulSe3XROk0uwjUeRJA3bY7LoR1xQB+D+NUCVFOjIqy8ROu9ZC+IAVxgDL0Y6jpO8Ob06qQ3yvGA1lgnLnDBQ9NeKLKI5KDBcY4mNChS3C5DsB7WlPZMrlp4u9dp+wbVnba6CFiSqCEvp1+D1gi6Da/QVdN/EY55Vv8l0s=,iv:GNxJf/cfA9NrhbEwzHTm/UH+jIMWBSSDF58eQjm4xd8=,tag:+WhthtHSUNzan+p9RNBD2Q==,type:str]
+    pgp:
+        - created_at: "2023-07-01T21:42:42Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMA0SHG/zF3227AQf/XI/S30xYCkzBweU75bCZBYDwR7hprSygW4xCI5qc8xax
+            dpT5RpIrfPOelxrtjuDvkWCMa5Xfu/A6eQAF0EABZVMNiy1PpMTuarU1Np1Zfgoo
+            vhYJDCe329/kQBlMFT8/6wyxQRi7bEjK19wsYrsFbKA9wSXIpz2Drx6DG5Zck4bU
+            5RvAdeWgZUcnuPAlc0SYZOfl/8EBqKG83U7NW8VdoJpphifYHK2HMJpOD0mxzZ8V
+            sR93tVdRA856O8ZhxdC1l1HkSSnR+0B+Dku8t4Bmy+4H6Y4KqmMhbKUIMFY+0pW9
+            MDIPJ8zVGkU4PyCjDwCqoYu/XgoJvTCAYgZFpyCyPdJRAftjWvzD59u31zjJKwiG
+            eyU7I73Q+jDIJDYPIrt8K7+CpEmDBpIZBQxsfmP5xFznNt4LPB07HFgC/yPDmjiC
+            Vu3cIGSwFgRRdXUYnLTQCQM/
+            =g1+E
+            -----END PGP MESSAGE-----
+          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

secrets/shared-users.yaml

@@ -0,0 +1,52 @@
+#ENC[AES256_GCM,data:aqlLlXgwwtjBYxytS2H33KbN0z8pHijFXKBAPQyQ7cxE8iO6tDfn/3kEVaEa1YaiYUMXACX2Ow==,iv:uKTUsccWAqrBkdG/ymCZB1pcumRreGv/2rIn6YG8Y7c=,tag:NWDO4dPRA45Ki4ymGblGIg==,type:comment]
+sharedUsers-root: ENC[AES256_GCM,data:RhMqzHmMzsPZnskGAKQ5GEagkAmtCqbp3FI4XPWweq6U8WcML+XEOKBfRoemK6yMHpSobBUPEHudNDeVxhGLH1VREmO6+JVZ/3dz44qWudhyuAj2CHiVkVgMlSfOKIbY9FLLxXxfySnEsQ==,iv:EYWeRKI+nFpEkxtBJ57xH6V4arE+hVAHy5ht9v8P1oQ=,tag:I5WA5+FjJ3lF30dth3H2ug==,type:str]
+sharedUsers-steveej: ENC[AES256_GCM,data:vuvklQJFb0kziB/qr7LNiTB30T/1UmZUV3YE3fFpKLZSlxqwYR7e8pnj94hFMhCtPquw3qdtB8vFAIQSb2LxXUgsfNo1bmkGJU86vz3Vy9Js7oua7KlLyZjoFNpMBgbD7swyXns=,iv:nsymZS1wQ7QSL5ZqoVx/ygaP4UR/e0cYIXHg+UyhbYs=,tag:+/N1QRESOUUK/XJXgiyFfg==,type:str]
+#ENC[AES256_GCM,data:8u2UAE6lXi0e6qKJxB3VP1k7hmfUYRcejXoR7K6NIQ9E7AqOlMiLDyQFw77NBlqpy0G6mPVOnC+XskGAscm3TLFzs7+o+/i0IxH7uDPwoh+U,iv:n4wheHkpPbnKeXb4DTxwks2bph4LO6xQW6LcrlA4jKU=,tag:mgwa7rYvqoubFdQDXJADZQ==,type:comment]
+sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3xQz3oR14CqSVy3hjQEkqcezwj/v2ELrLWid2hK+lDtY,iv:TNoJ7Kq3WDkkPBLG3a+N/A8yBZcx7Gc0jaBToYX3Y5M=,tag:VU5P4YtzMv1FVc3ugig8TA==,type:str]
+#ENC[AES256_GCM,data:685Grzm+Qw==,iv:sswI1QEvU3nXgQCJcF/O4n3a1z3r6fAVAOSF7W24PZw=,tag:cH/AroGEBfCnnepyqtjt0Q==,type:comment]
+sharedUsers-elias: ENC[AES256_GCM,data:RsGDCguYkqegKhkO20lr8HjrTABAaNJmDiGK3DhhbX1sOLMweZwDtESvYjCfAOzWpiAaFh0BqevMkuUcEYQTBubSX+X0EZ0dFrdbVxIe7lq7Dosds98SqKLL4zWqe2y2qsphvj+oAz7Utg==,iv:JXIbyqAUt1OcB+bvgK6H2NU6Ip4nWRJ1/Hje75FfHC4=,tag:kPFALVkf1GbRj1J85SZm6Q==,type:str]
+sharedUsers-justyna: ENC[AES256_GCM,data:BGVp2QppWWaYHK3rwLlyy7SOWxSqKGsn7lemWe0KUzgiQc6D8ivYvXdGaAhJNvhgVTxlK6BZOacG4NESWf5hi7sN8AkwTT/6pa9WzhQQGNnwZIaVulXeddzFlebbh8pAt0WYV82DRejX3Q==,iv:RMysIp0pMnCLhWogWiGq4IpZA43sd0DPj3jeV0oRkY8=,tag:VvXPzyGAoATlSedvV2prJA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRmJhRHBxU1VnaEQ2eEpG
+            N3NyYmtBTCtJU3FGUmJRckhoQUxQK0p2SldnCmJiZnlLS0tEOEg2a3NOYXAwQWhT
+            eTlWMDc3YlpqRDJyMWpKWTlINS9Gck0KLS0tIFg0V3RkSENqRzhRWEZxUGZZTGRo
+            b0VJcm0vbVNqWEt2TSt0RW5zcXgzbGcKkKul4wrLfQ/mP9o1KfJ3w/hrlyuD2K/h
+            4i8d8q7Yr3ULXpPPrYNWJ+1u5yPrKtj/YjkvsbCR5sQLPe8EcTK15w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bkhNaDZoUFplSC9SZ09a
+            aENIa0NYVkQ4ZGhzdE4vSS9zeER4L1Y2dkFFCnQ5SlZTQ0NKN1Q0WWR0S1hHZmxi
+            Q2pPUHRHb3VyQmFPQW1wVllkR0pva2cKLS0tIGphY0lUTENCVG1PcVo5SldaRVpy
+            RnJYK1hXUWhPZjdkV2FUeThTZmlJS1kKmmoKeEKRQEHtgfXAd7x6VtfZm2nLWxle
+            2k1N0N77p8QzoDIkUY5I8RjQS0V8wOLwOSVYDe8j3erw9e9GhDqEbQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-07-02T16:39:58Z"
+    mac: ENC[AES256_GCM,data:2aw294lkCFt3Yhf3I3Py+mSgQNcFKjyQSJiCvS3+iiraR6ukT6gN3eIwPk9AmUgCDBJBhOe8Nlx3gq9lYz3SI+B2sVnt27Fxe3kp1Ip894Lg2XyA7TynTJJp2eIrFmSO11FhQaMDO8D8+kraJFzLspQ5/j/67f+smkiIFlpXx6g=,iv:DPjOin99RR6EoG1FA4f5BexpYeyb4xy1iWiiq4y+JEA=,tag:i1CQI182/VILveC8Qw8rWQ==,type:str]
+    pgp:
+        - created_at: "2023-07-01T20:51:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMA0SHG/zF3227AQf9F7sIYPoz5fsqe8an9+suc5OSoZI/tA/+UMWO++Nn4VSA
+            ZEmxqyDvnc/KxHyFwHjISyOJkbd8L23ZdO6Fgn0wjm+z3houqMQoaKdYgjpOBFrI
+            3nq86WkdKKVy/8RzrDCQ5gKIy4P1zeiyOio12n8G4cUt0B3uo596qKoWc6duUiEt
+            Z6wSPDEaciihTrbZCYYDXvElXO6uY5S8fBRdhsY8aNKLgh0vIYlQw/aflN4EiuC/
+            OiQkRwp8CHcsdkUo/pngmBaRVlW4uOlv/QpZ3/zXTqx5UazQlb+xmilBCFt6jgWs
+            +VhemXci16j6S6myw/heSP2Z+Gv02cRiFcpz64Z0QNJRAQsRJTjdB5OS/IcaqXs3
+            SwgOL9ga8vd4OZW7Jc2LQ1TJCarKUCGT0YcfOjv4CmtLn+2MDCLr+syg535/clbK
+            VXC10xjRrhlBaCQ9vR1N2gBp
+            =TJW7
+            -----END PGP MESSAGE-----
+          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

secrets/steveej-t14/radicale_htpasswd

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:4Oo7a4iL9ry9qFnzd/uwllP8UZ1re+RglnvkEO11XvSqqGhGOCUX0k0kOVD/CYbdLNq7jqVI8h5Fw5grSb6SCDzlknV0bJ70mmBQ9wEhRA82P1M/T50KH6V6XIVR7IlVhjMKkdW6YH0XAyrqaVh3fJUbOk9hJVvrylLvPF4vpc9+aYdzUCvn5jbecpywYY7NRKLI7H7xUmnW,iv:vvyS08x5yXTmlZo1A+Z2zsW9Mj6JrIkNt+CvB7VZJ38=,tag:MrjYVpS+SyYLUAbin85fkw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTVMxdkpjQllIZlRpQjEr\nc0RqNzNnOGplcDR6by9aL0JQY0ZmZjV3OUhrCm1sbHEvQ3hFZVg1YU5wOU5kaGpI\nK25zckJNaXhWd21kUHIyTm8yVW0reWsKLS0tIHVvbDhYZjRSbVRjOWZNaWkwcm1z\neVJyTTRNNTJBeVYxdDFCL1ozQjhQUkUK09k0LVNUugbxtZJB1JEXWmB2Q35mK1MW\nY12rpx4QwFUf1uhZDGmHMU0mrmaZRhkiTXTW+MtbHHtiGCxI8JrgLQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-07-01T17:49:07Z",
+		"mac": "ENC[AES256_GCM,data:DLKp0oBRgqoC1vm7Gt8IgTXQZBVhFMzRlP2CeWUHCi0PhOFFDCQCbJMJ4GnLeVAMgn1PTQXxDBJsqx1dd99oR3xXOqV6s9RUrg7BNql6G1PRnROnvGavVq+K8Oqyc6K3RDMK95Fwd20Svvyplc7fvvJVYA7XE8oVyPCj7adgIzA=,iv:0T60zdgBXTNEUyzWNH2gRJsH7D/mofiBQKD4XpaTdf4=,tag:9s0g5W0fu7PrKybYNQMfxA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2023-07-01T17:45:58Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf/e3rEGHYLdAQ3t5Ye7EY8HGj3zplmEm6yX/OD6atnIH56\n1n+buBEsCnj6OMJ8IPBI1KMlR3agvrTcP1U428VaJKEqMAfAbmTxHvuYv17r4z3c\nuxtvnK4BUC0BIgf3b9FP1uQBvmwSR3bIV1JuD1or88j9iY3dO7KbwbAEF+HMqj9/\nz+NM9ZGi/mpdFHLCKp52FgKi+eiNyGiJS1a8VSda/X8GwcmQYUzSkUxOcjGVTmYr\nBzie319eutOq6zf9+8WGO+Jd8XDlFdmucXyb5kkJkKv0kUeEMKePktpxjh/SUH2E\nVWLDa3rLPEZWvvLtDeOgAWdxNVBsvAhFwyUl7hJ+INJRAbgK7jJpGJuNUmN48P/Y\nKj1/x5hKlBOQpqWyoB751Sq2hAITS/UyvpIEL7cH9ASq369SVa7tI6KL0Ut5wSDb\n1681kueTerz2szUe6DPcAC4U\n=Bu6s\n-----END PGP MESSAGE-----",
+				"fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

secrets/zerotierone.txt

@@ -0,0 +1,30 @@
+{
+	"data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybUlwMVhVSTlxWjk0aXV1\nRkFKN0d2TWdTNGxFK1o3QitpTG5JN1FUNEVFCmRZdVYrSlJYbVF2NFlkRHBQNFgx\nM2dGOE5yaWl0VnJVU1MzNGJ1VUZYK1kKLS0tIEh4dkI2Vk9yUStHRlNzVUVPeWVB\nVmw0V0MxWWdudE1ONkszRSs5MEtUT28KkIW7Y+9AfxbPu1V0YoL5Brdv+2AaTAn0\nXmJmn8qwOtuyWRR3sJfDfkR2eW85mrMmhJnNa1aHg5lDQUGA/eqinQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOGdQN0xOVzYvOFdzbUgy\ncStsYXdxUkY4OEJ5TGhVWitoQnpsSGYxS1VjCkhaYmxOOEh6eS8yeGViZjJZZ3o5\nUVBSYXFOSkJHQnB3aHVTeEk1VWNhblEKLS0tIG9NRTFpZFJlRUVYeHpVN2ljVngv\nRzJNZnZMRlJsL0F0eVIzcnhEbSszSGsKnK0SfJe7hQKyslklwvvFlBX9GjGWf6md\nl7AZLivBP67A0GbD2DztUaiS8NsPtlV899xqIH4/YUIIUGG9M2XHew==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-07-01T20:19:12Z",
+		"mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2023-07-01T20:50:27Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf+JijZCf20beuFsUX5Qjt9IVmeA1VG+iRiSncX6Q9NQWqc\nRlxZP3gZz9a/SQDaG3v7S0v5FBmbCScan2xrHSrJne6ljVkxlsiE4SE9Mq1wczF7\n0gdt1pnmjKMjhVVeG2jzNqL3bPGlhIBIIBB+Sv3FHftiXwfBYP5OJh9MTaokwj5/\ntd2x9LxBi6seH+RShrFk33wKJ3gMA2cF9aFEsbvmdXPHs91glwLD1NHN3vp0lGNX\nm4otFLZ0e36aqSVyAiwpoIgLwInZxtx6nnMWVk25s0fj+fKfgnHE3RNh9BntQ19d\nZDpQn7b2DqrKozUnycwpPRojPkmaqpom5XmbuurrA9JRAQYWSmeOuJXUBfZclzLJ\nERYPWDJIN7bmYPFoMkZ2YdV/GCin6lwFfl6u74VAkpU+AMgB+0c51nEHZcO5UaWT\nLRcMPADwjmk35oiltQYOvOpm\n=CGsu\n-----END PGP MESSAGE-----",
+				"fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}