feat: migrate all containers and hosts to sops

nix/os/devices/sj-vps-htz0: bump versions nix/os/devices/elias-e525: bump versions nix/os/devices/steveej-t14: bump versions nix/os/devices/justyna-p300: bump versions
2023-07-09 20:15:06 +02:00 · 2023-07-09 20:15:06 +02:00 · ea7caae226
commit ea7caae226
parent 4e0d0c3abd
25 changed files with 241 additions and 180 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -6,7 +6,8 @@
 keys:
  - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
  - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
-  - &elias-e525 100206d53cf92f62efd9d6b2672bf3644233c763
+  - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
+  - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8

  - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
  - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
@ -20,6 +21,8 @@ creation_rules:
      - *steveej-t14
      - *sj-vps-htz0
      - *srv0-dmz0
+      - *elias-e525
+      - *justyna-p300
  - path_regex: ^secrets/steveej-t14/.+$
    key_groups:
    - pgp:
--- a/flake.nix
+++ b/flake.nix
@ -107,8 +107,8 @@
          "sj-vps-htz0"
          "steveej-t14"
          "srv0-dmz0"
-          # "elias-e525"
-          # "justyna-p300"
+          "elias-e525"
+          "justyna-p300"
        ]);

      # this makes nixos-anywhere work
--- a/nix/os/containers/mailserver.nix
+++ b/nix/os/containers/mailserver.nix
@ -5,9 +5,7 @@
  imapsPort ? 993,
  sievePort ? 4190,
  autoStart ? false,
-}: let
-  passwords = import ../../variables/passwords.crypt.nix;
-in {
+}: {
  config = {
    pkgs,
    config,
@ -22,7 +20,9 @@ in {
      ../profiles/common/user.nix
    ];

+    # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately
    # sops.defaultSopsFile = ./mailserver_secrets.yaml;
+
    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
    sops.secrets.email_mailStefanjunkerDe = {
      sopsFile = ./mailserver_secrets.yaml;
@ -44,6 +44,15 @@ in {
      domain = "mailserver.svc.stefanjunker.de";
    };

+    # TODO: switch to a let's encrypt certificate
+    sops.secrets.dovecotSslServerCert = {
+      sopsFile = ./mailserver_secrets.yaml;
+      owner = config.users.users.dovecot2.name;
+    };
+    sops.secrets.dovecotSslServerKey = {
+      sopsFile = ./mailserver_secrets.yaml;
+      owner = config.users.users.dovecot2.name;
+    };
    services.dovecot2 = {
      enable = true;

@ -55,8 +64,8 @@ in {
      enablePAM = true;
      showPAMFailure = true;
      mailLocation = "maildir:~/.maildir";
-      sslServerCert = "/etc/secrets/server.pem";
-      sslServerKey = "/etc/secrets/server.key";
+      sslServerCert = config.sops.secrets.dovecotSslServerCert.path;
+      sslServerKey = config.sops.secrets.dovecotSslServerKey.path;

      #configFile = "/etc/dovecot/dovecot2_manual.conf";
      extraConfig = ''
@ -79,9 +88,6 @@ in {
      '';
    };

-    # environment.etc."dovecot/users".text = ''
-    #   steveej:${passwords.email.steveej}
-    # '';
    environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;

    systemd.services.steveej-getmail-stefanjunker = {
@ -154,14 +160,10 @@ in {
  inherit autoStart;

  bindMounts = {
+    # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host
    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
    "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;

-    "/etc/secrets/" = {
-      hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
-      isReadOnly = false;
-    };
-
    "/home" = {
      hostPath = "/var/lib/container-volumes/mailserver/home";
      isReadOnly = false;
--- a/nix/os/containers/mailserver_secrets.yaml
+++ b/nix/os/containers/mailserver_secrets.yaml
@ -1,6 +1,8 @@
-email_mailStefanjunkerDe: ENC[AES256_GCM,data:DsPwNMahaSKFF8mof2qGxj6cIdYZeL6uRr4=,iv:2lamFXYKrGkHey5QCXBlEODYksDuJDyW3MYpz/7qj7s=,tag:2L34qD0XSbfsl0djvgYJYw==,type:str]
+email_mailStefanjunkerDe: ENC[AES256_GCM,data:sSBunuv4wipvl720vBrObPVlwMqf8MCWPA==,iv:57SPbRgdO1OtCunFbRJ9rLadWfrCF072lv27ond6qQ0=,tag:DpTeij/rGCK2NQMre5xBsw==,type:str]
 email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str]
 email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str]
+dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2rwHhuSoirnADu+k6pYrH4UUTB9BQsDpCzuU4vb4Rz2pQuB0PJ9iZ3XI2fTxft+UxZI4wwAkvHXeJWxLnEvySQW3mnk2uJBaeAxhkXZ55SrKA0h1u/luiXlCoLD197yqJsaR7ldlTImfiIwZPoSRJvo33/UsEIfxlmNMrJk6kgWp9Ay1pT+K3ymWTzBaxzMypUM+Wb4BulgR62qCBxoVjXPP4tVsBwRN6LREeKpP6zIZSjNNU5SWkf2GVDuRl6AMfh8UUq5aRQqNrorRm0p9FR5CXvJZH6gOxh1jSaXGFRbyfEwlaBrzU3NYqXA4tVTh6jKeRy6tmkw3KHhV3kOeJhJ5YQy4IM4Tv03zp5M/rCCIDoZLZsmNKYpLHYKfKORBYt/XlOfnXFVW/dp+q7lMiy2vPPNaVzH6aFrlzIEUyQBfawbHPBnIN09rmW9cIzZC5n3owzq8jj8aWDILqgun7RFOnBWBaG2JE9imXoS66cKAvzGf1wpjN2pELQOpSI1dVuENxMC+K8dTu/2RN2Xe0t6x6FlHK7PHB+JNGsGOHjrga+Z2rWTqcOtY30XZpBSqoZ4XxhcFtp+gxwBuW6zjzS4hEBz1/BJTYLD0dolTp3Vzo93bsezAr+iUfNrfzESTfg8fRH89tdPCeSPv4lfi+Bo4un41x6+x14Kf66Sz5AR7dBQzypNC3ChGCKtp29ZBBee+5oQWvrYBVybbOdD+uaS6pRC/Uydubx+cDGyU1vn50Iq4XTkmiy0m8joHa7gwgOggSeDoZK8lSnwCEwssWZaxzWfO8/8gxEDJD74ki+0GzkGCSIW7EIDiEEBSuL971bqgmKOgKmzqeHYxMpO3DbrFSQVIBUzlcPMoL9GuMHnF9UWT8u3Oo4eIh8rgwJQ4tbIdIbOop1LKLSKjtt/ny4+fGjrF1gzYWHu6RDMHkl9h/AplsHH6r8x3L3rM40O8mOG/SVgqA2GTN+0pviLAPzvQ+Xb0xRQH3vfXXMkufpQtb2o0xlh4pgJw+6a4QrjSq6ZJ3saA8TeC3F6BzIEr6nAwljBMSY4v8wBQivquENBCbqo4St5h+eleKpqbpyLJQYgCyvrUST8kNa014eZjNMLnJ1XBmPO9vpUk/2FJkSpaPAPQ7thqhRBEhe+GsnkScqqrq7gLpNIX4o/HR2b70T/8/4G7uZ3KPScW25TX9D9cI7LFON3Sfprn5LK6hm2nxTmjhaD0rWNnDCkfqDfzRJeQV9kW5Hfn0rBOIsmUoQEcgeCqNKenr/lalRRiifsHDdTUwzSJLgHm09RJI4CVZ+ovPHENRW02VPP9YBupemrZazN3ttj3pin8QRRcOM0w7jeGjfSyih0E4JfiC8NzLWhBpFtBSSxi79QD2vkz17ububf37p5XMg0KfClubQgnNKxlbQ/Me7xxp1X0JlmyxpwIhaaLoz9f+268/9n4RKBGDjAY9D0jZ2zcNm+MpkoG1IIWzPBtBiGTfs+HZPH3GKiEcnkEVcUbDZis9zERamYKDMMPqfAm3KsQLXxUVyuy3cuikGxg7ab+41b1s4MtyoeoUIeRruc60Gg+rSv+d0Jl/YP9Lb5/WBGwNKzm/1R70hJnbTWRt/kKZRKsVY2rcb+FH6vXBjFAHgiszFns5oXS0Q3jhVHH4i3IUn+M6HsbqDIaJ4t4Jvtcx+ESNC2NHKCSxKe4UePng8xJ+91jB04DxdJFlTrZ7RBgjmmiMR8DPF6XiYi+awZtUaTKjZev8SPl4vSobu5aqnct0F5O6aPGB/T8nHlXevdkuQ//7BXc0RwN1ZBZzGqzc8+NzIBa9aB96XnlXPDek1C5Cc9/yVWelM9dWwTzUECBWanTRFt1uz7hpoeemGI0X7IV4DXe26yZot2PlRLFBGL/5lnoSZcjfjym1yyjd5guLdRSHOihPoDDV0JR88BDzDSS/Fx4tRCxKCuaQos+QiMlZ+yJnY9v/K88NtX9X+cRr1ZFS9Li1+uBhbJamWgtWpSJireAGZkLFSEu5GpmfcofuzDsuSYsG6wDLMpJGgRvGJeDuZ4pJTMz1dhjjWUw3blpoJW99zHVDwuSMUNEOFnFgu9BNsoq2caoDcNcm7yA0dsNl1sS3ECsBAg18KsMHA5bL6gXhAkCGOzUVBzW0NRUm8SvHloB73LvfBiFHkpqkqS8KsQZkGts+vBcVAjfDYHYy+TvcaiO0I7xEOUZMdkjuZFOkh2Q0x7pQzCarYs=,iv:6zMCqVVdsbJmEr9YDQ5FqYhRcV36aM585YZz/Dd+b3c=,tag:LCDn6L/VJvW8St1CHXcObw==,type:str]
+dovecotSslServerKey: ENC[AES256_GCM,data:KYpQZbioLGrp/6R6j/c4uJhBpoDT2aj7UffQQug8Otzr/0rk51tavsjg4YRQGIv+ZpFYpWAuHbhW4O8AsRgpi0AX3hKsZICEdNubfK5zfd+SInXveaVFbHHjOuzcqftraUrqx9APu+omk4LlpxpWTbj/bAcRnRBn0C093AeJNi1giaCZd4NxmmkYqwYzrjUc6LYHvICEnjA87ZVpeOKE/6B2Ng5QWDKhZNmjy7YDXAk4DS+P2grLmoGvnz6ubtaypSzaKXYTFz/uxEvtCCPlIaJHm3Nz0i0j1rjX3S/w3c26zuIFtwCmAQzGnHyQwbx7ILwCXfnyQnpM7+R5+fxcYvcK2GEJyTGzg/JFa++TI1YO+wpknjzxK3Sa8aX0pUbx/TEjnY3+tRnx7YNuih2ZNZrPHy8uJJtO9Aef84Sq5vLQG5n1/ya0pVhjCbs1pgpeK/qT3ikLbkcJg6NxAq3hqqQdR4TTkZBwKLVfzcMXLDZB0GphhVvtO0W7afRCE+nA/FPDT2NN6WLD15cN5F8w6USi0iQlwFb+TE8nt1ghhoGmwCMx+lX1Bk/jdIlYtJ62T8+T3nRVJ6ZRlUa1rkbAADaWZVvLR2/ylaEkeYFo/CC6lUg4DWPCVoGFxaWaU+ZaIDjbiYcqGQFBwq8JZ44hAOyJQpb7N1zgDVyPh/xr+ukmjutFuu97FY55VTn+8eipRiR4TZpPRH+KvB/FmlLNaim76YZCRH9Dv2ENbz9fXpWv7P+yh06+ci9HKvjNAzR6NRr368tK2srEEhWzFv+nAsRetzc2VcfwNMcg5/mvlWHVZSmONXC5adEo/W5XgJgUnH/fkz5IRPY/1iteq8PTCPUkubzF+qT2+suzEDnvgXlaKsqHkrk+n8YySl+GRABnasmnBYdb8vboDM41ptw3PXDoL+l07o6KxTwPOWWl9BVNMT8VzL7gAl+dlxjkEUSqn53OrsYDluxefBa3c0rfvk8CCvOMjgLkagK9O+VavqJEo00zd3f0ZzMcIoRebuDzYILw3DTrG/qyLXGsRoybBr+qcuSVBzM5RnjcToFJO4W/0EIdH1drZmqHdNgSNwPPRSNCivrhV25syUCrTee/xkDVUr47z67pK/5Mh0ewlwq0hcl/dBoA0YP/PptntK0CHfistD8chNtdMk3PyzqSiFaDPQ3T4wdc3zTNUjXeQ5643k5weJXFPg4tUuCCa8HxUJHd5sLnNY0OaRBwh2SLkQlcXYFQDzVHSoVscR3tf+57L7aF2hVQT2QtJKdZQjOyMg5YK0UlVc3tkyPZzyjOVaP7eTCRKwXI1NminHmmy1ZzZ+w+8+oX8cfvE9HdbqDoDp0MnkicS0+5S0lZwkRWrjUx/gS4aMWLbCHUQHY8wm+fmyDLJ/oI4ukdUI5YLOutlCsIY+aotnVMoORgdd/EPeZVYJmci/pvMjPF9Eard0aD4rLA7z/HwGgc3VEGmNluE+20BXO3bFIqwa9tzMqzOJB0qglP35MjVGiUe6Svq13DAmSOnzN+WqcVbTMJG8J1bwKqvmaN8AEpO0zU94ZhHspUtGyQQ0D6sMsw9jqJ1WyLE7aXeFR6OHrpw3DC2mCpr/qX8QFsveeyB83Za2+CuVVi2sqGAKYzkwlUPkeuaxfBak0apwJsF2trT1uMvPOuIda8k4XhtYLxah2BDJZIoMqUVz2xcN4OuW8bdSX/lepsyZZO34VEQDLBa2dxCCHJmCKf6io/0YlswNKGDQh+DI935KTdqBnHSJ9IjvADQuu+K37aS0L9V0ZLXiM5SBQtbB7kQpHjvivq97ru7QpFqJf8HCl1vDs4gJ/NV+J0+CX6dQTQOtHvwxD2CPGiiSv40ycoJAcwiqTh5T+hRPtca6bSes/jGN5iQjfLCRbwvL/ItLLAK3F2cEIdKZnfhJkdEAIwWFLvR4R5I7ZcCK5GgKz5dPROup8BAONA8XxcJWXaXV0YkfEmCDbZYMFC7pcx4NAnGp881RyAaG/HlstBHHVagpP2fwZ8K0J/2KPillOq/Die+vNc2++hx4EuftvNkZhSd+7zIYNKHQd0M4Ea74flgmmW5lG73bE1BkhVd2DsgEDihH19/vJjFH4PxKINKp0ij4jMyq9w+WsGiUqSDaQz/MZJ8wjzaSjvmSj4qlOAitr/s3f041e77rMb0W2ieCtYEy7IsebIqIWgKn/crm5FhyUtBCPEqFZgAKS313bXUio8LktqXCrZjZ0ZG8DmQG6hnK4PstKlIUQoNuFnb8Bp1zDgY4i2hb6Zmu7NnqnOaJJTjSGwaZOav0oMousn67BuFtwoMaGp+OjCopZ3HPfg19usnjvWpOgccXWYlQc0HOlGXUq+otKlXtQwAjUvz50GmV+lY3t4rpCgqk+pj9iH62xuzDQ01FOXl+v3Ehnw97mNJk9YarueG0Hl/1f6dhwXnjeEv35LLyWUjQolOoYgycEkgQ/cCCOSm7zgK1VT0oTLFISai8IG0qDP9HCszteHZhp+y4bsXQfAJTY11QLr7hx9/nQmVlHksDN5Wsno4wbkT+D2xb5EaDU2RBqZfTVcbRBWRtAhQcRPxdaUXyI7oKEaFg8fvQZ8wK/Ae+L18ub+Latb5W69dUVT6I13tPleXDl1oen9BXzaX7sygSpY4lJoXlu+SCKyNTMrC36PrB39QUWosw03ZsiKT5xjgN5+1m32yv4cg8lAwNCR4xxShrnhSbZ328yifaAuTnSawZmUGBVxPx4glVcvNUOXW2UvVtmeKU0SG1E+UGBAq7/UfaadMM7BsjyaaKpBa/tXZTm0rn8UiFqujvgNjQ3F/3ybRdlO5d6eMI9Na+1gqg6qxYSGR0H0wAdPhtyGRxpumehAQGeMKd49Sg6jspaf3NAjjuZ0Yp+eJV9652WqVZ7xtCNqRURV353h+XPGR+ZZ9siHRDQ+NcbxPkfbHw0/RTvZvEIdaDi5+DLh6tgIxMEtOpwTlfFrOUDaIcmWvzk92VtBFuafvoGzTipryTnMszjCsUTvyEPN8jPd6r8UmOFGXF2aVNksmn/bI97i4s1kYLgY8XsEOyx+Q9pUTkTEMn2JWgnEcSOAtaX1ZskHnfueKzUPb+/YWb+z8SNCgnUqHqa42qBqwlhdshzYhhfKhEisUptirzzp1kcbyHrug5PzHxh8Qri2pjHxSHYQ5sjig6K6B1YEuHP6uo19fL6BdgGlhKroiOF/6TMAcE9V3+yqvDdsW/IC0QXLHIBKC7wlDgLc25ltGogD/76P6tViDAb6+HNSSXJO056Ovq0z2BrXhnq1AmWa99mVnOLJwafRWPZC,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -16,8 +18,8 @@ sops:
            bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl
            T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-02T21:16:00Z"
-    mac: ENC[AES256_GCM,data:bDHu/9Hz2lyzoA92yA4K9/oaO6gxDjog8OSoEduE4Q8KE6VObzkHHvMwsPR46LE74dtRy9LNEXcMTWQzJBYoaKGi+wz0IJ/wy8Japrbu0Kiwx3dIeY0mg/OvBGlsAybvbDpfSjCsxVpgg7g1jQNntejljv1WHp4zD0hKn9hdYm0=,iv:MUaGwoPaHEZQgoTHXxkhMHdTGaIgk0UYx9qwfpt4Uds=,tag:qLa2QBTFbs/BdOH8TJWVxw==,type:str]
+    lastmodified: "2023-07-09T17:29:20Z"
+    mac: ENC[AES256_GCM,data:EUW7B78IB2vRGOwPM4bRoz7kYO9xHGMepF0aCOUVBFL0JCmzZyP9/bWWHYVR2SrQ29P8YgvpF32gWPEdidPReW59QRU1IXpMxnZ20Xoa+8y8H2Pj5w9cs+km6jXtphTcxDdZhQVJfXVyQH6qNb9Ypc9myhVypA2Dp/GLQ8SokoY=,iv:PDhP1TGvSS73RhkjsM2Zc0cGT8o06QVsxwO6tPKFzuQ=,tag:cy6fi3BHIN0c/c2sLVVmhg==,type:str]
    pgp:
        - created_at: "2023-07-02T20:30:30Z"
          enc: |-
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@ -1,12 +1,11 @@
 {
+  repoFlake,
  hostAddress,
  localAddress,
  httpPort ? 80,
  httpsPort ? 443,
  autoStart ? false,
-}: let
-  passwords = import ../../variables/passwords.crypt.nix;
-in {
+}: {
  config = {
    config,
    pkgs,
@ -15,7 +14,11 @@ in {
  }: {
    system.stateVersion = "22.05"; # Did you read the comment?

-    imports = [../profiles/containers/configuration.nix];
+    imports = [
+      ../profiles/containers/configuration.nix
+
+      repoFlake.inputs.sops-nix.nixosModules.sops
+    ];

    networking.firewall.enable = false;

@ -33,6 +36,12 @@ in {
      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };

+    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+    sops.secrets.hedgedoc_environment_file = {
+      sopsFile = ./webserver_secrets.yaml;
+      owner = config.users.users.hedgedoc.name;
+    };
+
    services.nginx.enable = true;
    services.nginx.recommendedProxySettings = true;
    services.nginx.virtualHosts."www.stefanjunker.de" = {
@ -81,21 +90,26 @@ in {
        defaultPermission = "private";
        allowEmailRegister = false;

-        # oauth2 provider config
-        inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;
+        # these are set via the `environmentFile`
+        dropbox = {
+          appKey = "$DROPBOX_APPKEY";
+          clientID = "$DROPBOX_CLIENTID";
+          clientSecret = "$DROPBOX_CLIENTSECRET";
+        };

        uploadsPath = "/var/lib/hedgedoc/uploads";
      };
+
+      environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
    };
  };

  inherit autoStart;

  bindMounts = {
-    "/etc/secrets/" = {
-      hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
-      isReadOnly = true;
-    };
+    # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host
+    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
+    "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;

    "/var/www" = {
      hostPath = "/var/lib/container-volumes/webserver/var-www";
--- a/nix/os/containers/webserver_secrets.yaml
+++ b/nix/os/containers/webserver_secrets.yaml
@ -0,0 +1,36 @@
+hedgedoc_environment_file: ENC[AES256_GCM,data:yPR7lnSssSTc3lvN4fSI5UXIfZHL8bMS0lcHC61aBz2ozjkSOTVUgYOD5XJbijfMCW9UWKLvItboo/nd8iLb3S+/DX4XZfAq8Bt+ootKsneIj9rJgw7bH3HYQnzmtWoFjoXSmLM=,iv:CVbXTlAafaXpo5G6F5CtJiq2LDa/48972kRnGOmhDJI=,tag:FaoL/8SdspZWXbATXPOazg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh
+            U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh
+            YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP
+            eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc
+            KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-07-09T17:55:21Z"
+    mac: ENC[AES256_GCM,data:RIJuExrlGxcMMY2oofqyC9tZxqi/Tnt548cfrVe6UZ7HthlkaU/XkzGH/tw7kk28iiV5fbDRycg3xuOsh30BuHwVzguEdOH5RU8GivAOxRbEr1vxdCUs6x5Zs7PcQktRXXIv6rjJ70uVIO34f15oVE8Ag5nlUHc3lZLabCWs7Ag=,iv:lVD903ph9Mx/wbwsPIcqJi9yfgmX97XNgGB7F6N7xOE=,tag:IhdYpIgV4UzVRtwUs4wf+Q==,type:str]
+    pgp:
+        - created_at: "2023-07-09T17:51:27Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD
+            gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO
+            8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+
+            XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w
+            YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku
+            bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI
+            F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i
+            g+ZF+9NNqOTKsBzEnuGsZRnI
+            =iXfo
+            -----END PGP MESSAGE-----
+          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/nix/os/devices/elias-e525/default.nix
+++ b/nix/os/devices/elias-e525/default.nix
@ -1,11 +1,13 @@
-{repoFlake, ...}: let
-  nodeName = "elias-e525";
+{
+  nodeName,
+  repoFlake,
+  nodeFlake,
+  ...
+}: let
  system = "x86_64-linux";
-
-  nodeFlake = repoFlake.inputs.get-flake ./.;
 in {
  meta.nodeSpecialArgs.${nodeName} = {
-    inherit nodeName nodeFlake;
+    inherit repoFlake nodeName nodeFlake;
    packages' = repoFlake.packages.${system};
  };

@ -13,17 +15,15 @@ in {
    inherit system;
  };

-  # TODO: build a module with "meta" and "freeformtype" for all the others
-
  ${nodeName} = {
-    deployment.targetHost = nodeName;
+    deployment.targetHost = "192.168.15.198";
    deployment.replaceUnknownProfiles = false;
    # deployment.allowLocalDeployment = true;

    imports = [
-      (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
-
      nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+      ./configuration.nix
    ];
  };
 }
--- a/nix/os/devices/elias-e525/flake.lock
+++ b/nix/os/devices/elias-e525/flake.lock
@ -4,36 +4,35 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
-        "utils": "utils"
+        ]
      },
      "locked": {
-        "lastModified": 1681092193,
-        "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
+        "lastModified": 1687871164,
+        "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
+        "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-22.11",
+        "ref": "release-23.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1681696129,
-        "narHash": "sha256-Ba2y1lmsWmmAOAoTD5G9UnTS/UqV0ZFyzysgdfu7qag=",
+        "lastModified": 1688868408,
+        "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "de66115c552acc4e0c0f92c5a5efb32e37dfa216",
+        "rev": "510d721ce097150ae3b80f84b04b13b039186571",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -43,21 +42,6 @@
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs"
      }
-    },
-    "utils": {
-      "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
    }
  },
  "root": "root",
--- a/nix/os/devices/elias-e525/flake.nix
+++ b/nix/os/devices/elias-e525/flake.nix
@ -1,8 +1,8 @@
 {
-  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";

  inputs.home-manager = {
-    url = "github:nix-community/home-manager/release-22.11";
+    url = "github:nix-community/home-manager/release-23.05";
    inputs.nixpkgs.follows = "nixpkgs";
  };

--- a/nix/os/devices/elias-e525/pkg.nix
+++ b/nix/os/devices/elias-e525/pkg.nix
@ -17,15 +17,9 @@
    home.keyboard = keyboard;

    home.packages = with pkgs; [
-      rhythmbox
-      lollypop
      dia

      rustdesk
-
-      kotatogram-desktop
-      jitsi-meet-electron
-      signal-desktop
    ];
  };
 in {
--- a/nix/os/devices/elias-e525/system.nix
+++ b/nix/os/devices/elias-e525/system.nix
@ -43,4 +43,6 @@ in {
  services.xserver.videoDrivers = ["modesetting"];

  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+
+  nix.gc = {automatic = true;};
 }
--- a/nix/os/devices/elias-e525/user.nix
+++ b/nix/os/devices/elias-e525/user.nix
@ -4,19 +4,30 @@
  lib,
  ...
 }: let
-  passwords = import ../../../variables/passwords.crypt.nix;
  keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
+  inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
 in {
+  sops.secrets.sharedUsers-elias = {
+    sopsFile = ../../../../secrets/shared-users.yaml;
+    neededForUsers = true;
+    format = "yaml";
+  };
+
+  sops.secrets.sharedUsers-justyna = {
+    sopsFile = ../../../../secrets/shared-users.yaml;
+    neededForUsers = true;
+    format = "yaml";
+  };
+
  users.extraUsers.elias = mkUser {
    uid = 1001;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-    hashedPassword = passwords.users.elias;
+    passwordFile = config.sops.secrets.sharedUsers-elias.path;
  };

  users.extraUsers.justyna = mkUser {
    uid = 1002;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-    hashedPassword = passwords.users.justyna;
+    passwordFile = config.sops.secrets.sharedUsers-justyna.path;
  };
 }
--- a/nix/os/devices/justyna-p300/default.nix
+++ b/nix/os/devices/justyna-p300/default.nix
@ -1,12 +1,13 @@
-{repoFlake, ...}: let
-  nodeName = "justyna-p300";
-  # system = "i686-linux";
+{
+  nodeName,
+  repoFlake,
+  nodeFlake,
+  ...
+}: let
  system = "x86_64-linux";
-
-  nodeFlake = repoFlake.inputs.get-flake ./.;
 in {
  meta.nodeSpecialArgs.${nodeName} = {
-    inherit nodeName nodeFlake;
+    inherit repoFlake nodeName nodeFlake;
    packages' = repoFlake.packages.${system};
  };

@ -14,17 +15,15 @@ in {
    inherit system;
  };

-  # TODO: build a module with "meta" and "freeformtype" for all the others
-
  ${nodeName} = {
    deployment.targetHost = nodeName;
    deployment.replaceUnknownProfiles = false;
    # deployment.allowLocalDeployment = true;

    imports = [
-      (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
-
      nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+      ./configuration.nix
    ];
  };
 }
--- a/nix/os/devices/justyna-p300/flake.lock
+++ b/nix/os/devices/justyna-p300/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1682299489,
-        "narHash": "sha256-bqHo0/82KB+IyBMyjBd6QdyZWJl/YZeGggjBsAgRFlY=",
+        "lastModified": 1688544596,
+        "narHash": "sha256-/rbDM71Qpj4gMp54r9mQ2AdD10jEMtnrQ3b2Xf+HYTU=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "8ab9e5609929379ab15f03fd3bdc1f85419e5a3a",
+        "rev": "fc3c3817c9f1fcd405463c6a7f0f98baab97c692",
        "type": "github"
      },
      "original": {
@ -24,36 +24,35 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
-        "utils": "utils"
+        ]
      },
      "locked": {
-        "lastModified": 1681092193,
-        "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
+        "lastModified": 1687871164,
+        "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
+        "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-22.11",
+        "ref": "release-23.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1682303062,
-        "narHash": "sha256-x+KAADp27lbxeoPXLUMxKcRsUUHDlg+qVjt5PjgBw9A=",
+        "lastModified": 1688939073,
+        "narHash": "sha256-jYhYjeK5s6k8QS3i+ovq9VZqBJaWbxm7awTKNhHL9d0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "f5364316e314436f6b9c8fd50592b18920ab18f9",
+        "rev": "8df7a67abaf8aefc8a2839e0b48f92fdcf69a38b",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -64,21 +63,6 @@
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs"
      }
-    },
-    "utils": {
-      "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
    }
  },
  "root": "root",
--- a/nix/os/devices/justyna-p300/flake.nix
+++ b/nix/os/devices/justyna-p300/flake.nix
@ -1,8 +1,8 @@
 {
-  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";

  inputs.home-manager = {
-    url = "github:nix-community/home-manager/release-22.11";
+    url = "github:nix-community/home-manager/release-23.05";
    inputs.nixpkgs.follows = "nixpkgs";
  };

--- a/nix/os/devices/justyna-p300/pkg.nix
+++ b/nix/os/devices/justyna-p300/pkg.nix
@ -18,15 +18,9 @@
    home.keyboard = keyboard;

    home.packages = with pkgs; [
-      rhythmbox
-      lollypop
      dia

      rustdesk
-
-      kotatogram-desktop
-      jitsi-meet-electron
-      signal-desktop
    ];
  };
 in {
@ -55,10 +49,14 @@ in {
    variant = "";
  };

-  home-manager.users.justyna = homeEnv {
+  home-manager.users.justyna =
+    lib.attrsets.recursiveUpdate (homeEnv {
      layout = "de";
      options = [];
      variant = "";
+    }) {
+      services.syncthing.enable = true;
+      services.syncthing.tray = true;
    };

  system.stateVersion = "21.11";
--- a/nix/os/devices/justyna-p300/system.nix
+++ b/nix/os/devices/justyna-p300/system.nix
@ -41,4 +41,6 @@ in {
  services.xserver.videoDrivers = ["modesetting"];

  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+
+  nix.gc = {automatic = true;};
 }
--- a/nix/os/devices/justyna-p300/user.nix
+++ b/nix/os/devices/justyna-p300/user.nix
@ -3,19 +3,30 @@
  pkgs,
  ...
 }: let
-  passwords = import ../../../variables/passwords.crypt.nix;
  keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
+  inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
 in {
+  sops.secrets.sharedUsers-elias = {
+    sopsFile = ../../../../secrets/shared-users.yaml;
+    neededForUsers = true;
+    format = "yaml";
+  };
+
+  sops.secrets.sharedUsers-justyna = {
+    sopsFile = ../../../../secrets/shared-users.yaml;
+    neededForUsers = true;
+    format = "yaml";
+  };
+
  users.extraUsers.elias = mkUser {
    uid = 1001;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-    hashedPassword = passwords.users.elias;
+    passwordFile = config.sops.secrets.sharedUsers-elias.path;
  };

  users.extraUsers.justyna = mkUser {
    uid = 1002;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-    hashedPassword = passwords.users.justyna;
+    passwordFile = config.sops.secrets.sharedUsers-justyna.path;
  };
 }
--- a/nix/os/devices/sj-vps-htz0/flake.lock
+++ b/nix/os/devices/sj-vps-htz0/flake.lock
@ -23,11 +23,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1688109178,
-        "narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=",
+        "lastModified": 1688868408,
+        "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b72aa95f7f096382bff3aea5f8fde645bca07422",
+        "rev": "510d721ce097150ae3b80f84b04b13b039186571",
        "type": "github"
      },
      "original": {
@ -39,11 +39,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1688246754,
-        "narHash": "sha256-OuUvCCMrJgN9K/L1j2ADMxu/nuJhplFjIZFFtelnymc=",
+        "lastModified": 1688925019,
+        "narHash": "sha256-281HjmJycKt8rZ0/vpYTtJuZrQl6mpGNlUFf8cebmeA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b9b176f8b8155c122e01a336b439ce57b2485b40",
+        "rev": "2b356dae6208d422236c4cdc48f3bed749f9daea",
        "type": "github"
      },
      "original": {
@ -55,11 +55,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1688180391,
-        "narHash": "sha256-oTUSZepWQ7AYQKvNPkf8QyxkfoVpEhGioVji0hd3p8U=",
+        "lastModified": 1688891216,
+        "narHash": "sha256-ZUQs8C5N6aw/QeBhUFGcX89OoYoP9jbdmbR6aSbvaHg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "1353de5923daba8462cfc3624d8c2d70cbafafcd",
+        "rev": "e4a12fdac2a313b18e7f66a097108412b07c5f00",
        "type": "github"
      },
      "original": {
--- a/nix/os/devices/sj-vps-htz0/system.nix
+++ b/nix/os/devices/sj-vps-htz0/system.nix
@ -73,6 +73,8 @@
    webserver =
      import ../../containers/webserver.nix
      {
+        inherit repoFlake;
+
        autoStart = true;

        hostAddress = "192.168.100.12";
--- a/nix/os/devices/steveej-t14/flake.lock
+++ b/nix/os/devices/steveej-t14/flake.lock
@ -39,11 +39,11 @@
    },
    "nixpkgs-2305": {
      "locked": {
-        "lastModified": 1688594934,
-        "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=",
+        "lastModified": 1688868408,
+        "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "e11142026e2cef35ea52c9205703823df225c947",
+        "rev": "510d721ce097150ae3b80f84b04b13b039186571",
        "type": "github"
      },
      "original": {
@ -55,11 +55,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1688722718,
-        "narHash": "sha256-Uralooke0g1EgrNDjboSiqc0BHOCgiugL43JAA1ncDA=",
+        "lastModified": 1688969282,
+        "narHash": "sha256-Ti0dejGXXvhEDATY5nJB0GdKM6AdVwJNTp6LWx8pHyw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "5cbff28ae66e5a98386bcbea29f5a7252c33c808",
+        "rev": "9d6e454b857fb472fa35fc8b098fa5ac307a0d7d",
        "type": "github"
      },
      "original": {
@ -71,11 +71,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1688590700,
-        "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=",
+        "lastModified": 1688918189,
+        "narHash": "sha256-f8ZlJ67LgEUDnN7ZsAyd1/Fyby1VdOXWg4XY/irSGrQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b",
+        "rev": "408c0e8c15a1c9cf5c3226931b6f283c9867c484",
        "type": "github"
      },
      "original": {
@ -87,11 +87,11 @@
    },
    "nixpkgs-unstable-small": {
      "locked": {
-        "lastModified": 1688640665,
-        "narHash": "sha256-bpNl3nTFDZqrLiRU0bO6vdIT5Ww13nNCVsOLLKEqGuE=",
+        "lastModified": 1688951312,
+        "narHash": "sha256-0oG4uv60m5+oOMqgYYQ3ao3OK3YP3n3t7nWFtuyR/uQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "88faf206ce0d5cfda760539a367daf6cde5b3712",
+        "rev": "2a5f6cac357616d2596167d0631b4ca729e9a3ea",
        "type": "github"
      },
      "original": {
--- a/nix/os/devices/steveej-utilitepro/configuration.nix
+++ b/nix/os/devices/steveej-utilitepro/configuration.nix
@ -269,6 +269,7 @@ in {

  users.mutableUsers = false;
  users.extraUsers.root = {
+    # FIXME: this is deprecated but so is this device probably
    hashedPassword = passwords.users.root;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"
@ -279,6 +280,7 @@ in {
    isNormalUser = true;
    home = "/home/steveej";
    extraGroups = ["wheel" "libvirtd"];
+    # FIXME: this is deprecated but so is this device probably
    hashedPassword = passwords.users.steveej;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"
--- a/nix/os/modules/ddclient-ovh.nix
+++ b/nix/os/modules/ddclient-ovh.nix
@ -4,7 +4,6 @@
  ...
 }: let
  cfg = config.services.ddclientovh;
-  # passwords = import ../../variables/passwords.crypt.nix;
 in {
  options.services.ddclientovh = with lib; {
    enable = mkEnableOption "Enable ddclient-ovh";
@ -19,8 +18,6 @@ in {
      ssl = true;
      domains = [cfg.domain];
      use = "web";
-      # inherit (passwords.dyndns.${cfg.domain}) username;
-      # passwordFile = config.sops.secrets."dyndns_${cfg.domain}".path;
    };
  };
 }
--- a/nix/variables/passwords.crypt.nix
+++ b/nix/variables/passwords.crypt.nix
--- a/secrets/shared-users.yaml
+++ b/secrets/shared-users.yaml
@ -16,46 +16,64 @@ sops:
        - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUGxsbitMNnlTZlRZQVJl
-            RVc3TUtHaWpQdk5RVFkvS0MxSkVxWHQ1MFZvCmw0M2M4VGRxb21nVzkrNWIzK3Aw
-            dVB6bWEvQ0dtbjZobTVCeE9DUEpGV2sKLS0tIGhya2RMM2w5VHlHNUdGK1FNZit3
-            OWUyYnZhSEhtMzhTenZMRU1yRis0WkkK/iDe1XgGJumprZU23G/Imhbqpp5ehfMe
-            I+XlSGn0/ry1SpEV0bQi7ZMzFxEfhX0avLsmxTeoxQJuN2m7ZOQCdQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RUdSYmxFdXI2R25OZ0ov
+            TlEwOStVeUxkbE1sbTJWZG5VZFRPNkNOeWlnCm0xMWFCdm4zMjVlcjB1ZXFZVVho
+            TCtVYW84WGh2ZmdsWHBlUFJVcm8vZFkKLS0tIGFYaWptakozYVVvQ0ZmbUFjMFR3
+            b0VBVTV3R2tlckJLQzlvWFVKK1h6aGsKCekGZ/RZ7nNa5yXHfgXGpSrh3J3C95mh
+            7YFgjgd9ey3BGNoMNxm5E++JzxBN0d2tY7sW/G6ub+kOJIt0rAEAkg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OVJ5d1p1RURkTjdzaWpv
-            OXViZkhzZEZwYzNIZHdpeUVNWlM5SWJGYkFjCnRrQWV6UUM0akIzaFVxY1dzaUNa
-            OVFRczZaUjRXSGphcTJ5TGtZOHlSeHcKLS0tIG5QTWMyTzFlZkdIdnVGT2lpTXR4
-            TXJybjNjdmwxRVMxdERIS25wRTRCV0UKy/N8YBkxD3f5qTBOPj/iysFr/Ona1p9H
-            JYhjZCojB4Ua1b2Tv4Gz2Fvi9B2fOWBy0/LSPA6CRchG3IWgKm/B6g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYy9FL3pnNmdUa0VEdlV4
+            aFVNTkhGWTZJcUo0YTlORmdINGkxMTlVdHkwClVyakJoZTdxVlF6UTVBbm45d1Bo
+            RUl2S3BaU0NYYmtsSGhHWGxrWjVuemcKLS0tIHlqbXhXN0RUbm9sL09mbjhaSnBP
+            V0hQTUJuUnlOQ1hycDJ4RlY1aCtjOFEKuDt6KRxX7+yYIHxtD0prLdxJSlHwQtxH
+            8U/Q8hoE+L3lBFSE3+syMt1/pu5vHrreIOVTXAxSENsDxcE6noxQvA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNVJBRlptQ2hWVy9MRGhj
-            MVduVkl3YXZEVlMzNksybkZjR1Z6VnQ1MGdRCjRTWjY3RTlpY096c3UrMHlaUms0
-            MDc3V0dTUnpWTjcxcGZNSmVkUElLMjgKLS0tIGFkMzZ1eVh1a1ZzckxseFh5T1VK
-            eDZSbXdzSmJ3dkJHSkU2R3JTRjlxNDAK1k/SYCf1nWEHKRzlJbvx1U5NKYSEzi0/
-            wE4SdLjMi4io2ThNif4gqVRCiRQupiILx4VnlM4lN6Fk924zATUUYA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK080NlJKYkZyREFpc1JM
+            ZWxlV2Z5YjZRSnBFMy9CbUs2aHJkcjNVR2dJCjN5SXQzbWtiZlZBK0g0Y1ZPcHJK
+            cXRCTStRSG1lamUvOFBxSFViWmFVeW8KLS0tIDFUNlRkS2RLMGdULzhzdSt5Uk02
+            TjZZN1lFZ3g3YzVxQUlyQ1Y5S1NWeFEKGjqEPuxaUR/WQc+4OhUzLgtSCatVmtx+
+            q4Y/wC1eqUKJHzqIMa3qeWXwrGbf6ScL3s0bNc9sxvPmWQ3NLvjUfg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Uk9zWHJCY2dnamN1S1hU
+            ZWhoTkptaVArOGlHZ01Nd0ZkaGpFQ2dUU0hzCnR3WGtCVkJtSzlncVVhVU11K2d1
+            SVpHa1RXN1dWMDE4cExiV2ordkhTSTAKLS0tIFBkV3oyS2VVVU92b0hnRG1nQytW
+            QU5IR2FaVGswZkhIOWhzWGh4YmUyMk0KVJEFNmm57SSUreilhuzLofZIlnILnO7F
+            rWASlGDi4YSGquM3lEfdn5rwqqJ3d77hSeRQEnaGhnClDYSH3nzjZQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldnVDczdmVUd3OS9jTnpB
+            dDkrQS9JcUY5b3YxY0lzVFEyUTlPNk5rM1VVCk9qMzJHWitrY0pjU0NCMWI0ODhG
+            S29DL0tPNWtkTStPTWRZdzlQWFJsTWcKLS0tIDdWZ1lVejcyVW5mcTgyR3ZMWlJq
+            RTdBNkRINWN3MTZOSXdPMXovNDNSQUEKJZhJFN6zmdCtzoCdKiKfYQf4vU8AXRvz
+            wHnPO2H8SAMK8XqjdXvIrRK6iXQIjonHO2ilTDxAGNPAFN5BpbGrWQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-07-06T20:14:22Z"
    mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str]
    pgp:
-        - created_at: "2023-07-06T18:55:17Z"
+        - created_at: "2023-07-10T08:17:16Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            wcBMA0SHG/zF3227AQgAo5WdFio56L/EtWKV590N9QQ9Gjm9IWm0G+H6YHTNlpfO
-            erhl1AZds+MNrInw0uSW7Mx/wZ4awv8+JVkMN43qupmDIcgHmWmVoqB2SaUA60qd
-            gkFYP2fWlmgzihl/DnWUn1M4WrD8sGJIwkulg8FX9h40f7mEhb0MsftsUuhmxOBp
-            GTJDtT/A7wHMRY71mEzIyem8XOA7nAIO7r802Tyni6H7zP1qG00vF/sastbbzB26
-            +7MTpSZz8AuNPG/P7rue7J2BL0S8ldwcPsGX9XGt2qFbeNbsOUfJn12miPSEZHWU
-            jIYC1rWLVJ110O0ZDDMJXyfBW5XrFAkA6XkCzzPgodJRAYKzTD+bMg44vuwTCRmG
-            wcdv71+hBJeXtF1g8/YueaTWpPJ5j8m6Ntp1d5pYPetlRmhwLzfSoY1BUXA6YkGb
-            Qeqr3q7oGL91sjasjZQorc3h
-            =6rU4
+            wcBMA0SHG/zF3227AQf8DDe0qysI5DL1xc6IbIQ+a2oKtiNyL0P4pwrdfsCcudMm
+            dfhnap8JHPfVssucbA7Gicpg8iZxy9+M1o5E4es1EUBWun+tf+9utHmRKLkAJb98
+            OPm+vvp/fzRU0bAtvwchskCc4REWbsq82UQdQl8uPhGoCweyWDusmAmXjjECBWmP
+            sW1pSb0tGvtHM7m0cpLYepWHUZ/VOcNBeuv3fGDuI3M0fv+lCTgYQJOtIrJv+xFf
+            q9dB1HGJaePsKLxmQTJW1gFdoWkc3ndfBwytY00iho1xPbrKAPSZojE0Wj227DPx
+            YynEy8ruLWIVcFZsjfEm961kRiwb8MwK1xB7ov/d79JRAXrovFTT3EfFZ+2pY2FW
+            w8TKQjGol/+vJ2mzlQV0LFtAxjUvgNgoAC/cJgl5c+N4qXz4ChgiT38yZ7JW2e2c
+            OUwOtIhmRp4PNBU+402xfgYI
+            =X23Q
            -----END PGP MESSAGE-----
          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
    unencrypted_suffix: _unencrypted