chore(flake): comment router0-dmz0 deploy cmd

feat(sj-vps-htz0): separate secrets
feat(router0-dmz0): init bpir3 based router
2023-08-11 18:54:56 +02:00 · 2023-08-11 18:51:47 +02:00 · 2023-08-11 18:51:25 +02:00 · 2023-08-11 18:51:25 +02:00
22 changed files with 1209 additions and 237 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -11,7 +11,8 @@ keys:

  - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
  - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
-
+  # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz
+  - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
 creation_rules:
  - path_regex: ^(.+/|)secrets/[^/]+$
    key_groups:
@ -19,10 +20,13 @@ creation_rules:
      - *steveej
      age:
      - *steveej-t14
-      - *sj-vps-htz0
-      - *srv0-dmz0
      - *elias-e525
      - *justyna-p300
+
+      - *srv0-dmz0
+      - *router0-dmz0
+
+      - *sj-vps-htz0
  - path_regex: ^secrets/steveej-t14/.+$
    key_groups:
    - pgp:
@ -47,3 +51,15 @@ creation_rules:
      - *steveej
      age:
      - *srv0-dmz0
+  - path_regex: ^secrets/router0-dmz0/.+$
+    key_groups:
+    - pgp:
+      - *steveej
+      age:
+      - *router0-dmz0
+  - path_regex: ^secrets/sj-vps-htz0/.+$
+    key_groups:
+    - pgp:
+      - *steveej
+      age:
+      - *sj-vps-htz0
--- a/flake.lock
+++ b/flake.lock
@ -50,11 +50,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1688690832,
-        "narHash": "sha256-RJIYuOn9FaQWVzj6ytaKsHyur0KsYO9tOgaMz1XHtpQ=",
+        "lastModified": 1691423162,
+        "narHash": "sha256-cReUZCo83YEEmFcHX8CcOVTZYUrcWgHQO34zxQzy7WI=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "bfc1c3dca576e2f9e02eb0176e4058305192afe3",
+        "rev": "b5d9d42ea3fa8fea1805d9af1416fe207d0dd1dc",
        "type": "github"
      },
      "original": {
@ -93,11 +93,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1688624761,
-        "narHash": "sha256-VMvhdWPCLUFhyssTSZXCxFkA9bZ05VgXZVsuYlJcZBg=",
+        "lastModified": 1691648495,
+        "narHash": "sha256-JULr+eKL9rjfex17hZYn0K/fBxxfK/FM9TOCcxPQay4=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "a2ea120926a1234ec804c090f90312e0ec2d4541",
+        "rev": "6c9f0709358f212766cff5ce79f6e8300ec1eb91",
        "type": "github"
      },
      "original": {
@ -158,11 +158,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1688466019,
-        "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
+        "lastModified": 1690933134,
+        "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
+        "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb",
        "type": "github"
      },
      "original": {
@ -201,11 +201,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1688466019,
-        "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
+        "lastModified": 1690933134,
+        "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
+        "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb",
        "type": "github"
      },
      "original": {
@ -234,11 +234,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1687709756,
-        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
+        "lastModified": 1689068808,
+        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
+        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
        "type": "github"
      },
      "original": {
@ -252,11 +252,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1687709756,
-        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
+        "lastModified": 1689068808,
+        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
+        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
        "type": "github"
      },
      "original": {
@ -298,11 +298,11 @@
    "jay": {
      "flake": false,
      "locked": {
-        "lastModified": 1683988763,
-        "narHash": "sha256-vaHNBwCIMNf/rnnievmxhF5wxci0Rbu2IUXiUxxKF74=",
+        "lastModified": 1689440887,
+        "narHash": "sha256-+61dHuxk3FCP+H2PCoup6lZDlaTuJBqDzkiBNY6yaJ4=",
        "owner": "mahkoh",
        "repo": "jay",
-        "rev": "80dc8770c51c0409a32b212499e0803dd585cab1",
+        "rev": "eb83505e39ec8c2383ac233a8b8449803db52549",
        "type": "github"
      },
      "original": {
@ -317,11 +317,11 @@
        "nixpkgs-lib": "nixpkgs-lib_2"
      },
      "locked": {
-        "lastModified": 1688299754,
-        "narHash": "sha256-ElNJ28wfORNv8JaCOFb/mniLiQe0cpuaj2DdD/dqdKw=",
+        "lastModified": 1691323683,
+        "narHash": "sha256-G7kMLDbYN03VNO+QYymFIp0o9jv+gflUpde8V4iYri8=",
        "owner": "nix-community",
        "repo": "lib-aggregate",
-        "rev": "6107c923522c233458760d0c7f31ad71bf1d2146",
+        "rev": "99d95d9ca592022832e9f1b4d2a8327b8d50eb60",
        "type": "github"
      },
      "original": {
@ -349,14 +349,15 @@
    "nix-eval-jobs": {
      "inputs": {
        "flake-parts": "flake-parts_3",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "treefmt-nix": "treefmt-nix_2"
      },
      "locked": {
-        "lastModified": 1688608231,
-        "narHash": "sha256-RQeR/tirHIa5jhZYLCK7KnQiYTG/kq/vWdgDFLi+4+g=",
+        "lastModified": 1691371197,
+        "narHash": "sha256-YazAJxDjmAG9kiIEuqc+1CmmYIIt4wRIbEFb+TXf8WA=",
        "owner": "nix-community",
        "repo": "nix-eval-jobs",
-        "rev": "477d7196a493dd011f05704fc7b42cbe95f5b30d",
+        "rev": "b02b4e287fddc969fc490478b5666603f4ab0d3c",
        "type": "github"
      },
      "original": {
@ -393,11 +394,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1687941964,
-        "narHash": "sha256-/Gr4tOq+tMBbE46njUt1aJGbsB9lpwnK99/oeC9uTXE=",
+        "lastModified": 1691224484,
+        "narHash": "sha256-0oodXqRRHXjUL7ssi1nIOKC8EzYD4f1e3eAaWexuF4M=",
        "owner": "numtide",
        "repo": "nixos-anywhere",
-        "rev": "22a2964bef34f92fe1c093ae54a8ab52eefdd5df",
+        "rev": "9df79870b04667f2d16f1a78a1ab87d124403fb7",
        "type": "github"
      },
      "original": {
@ -434,11 +435,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1688607075,
-        "narHash": "sha256-KDWpwZ4xl4au5R+A+Ka+uVbyiwMDVczjwRTSqBOyqWM=",
+        "lastModified": 1691370583,
+        "narHash": "sha256-LnKMx9NQ0Qx0DTYQVewkcRr+7uW5NY7xU9kjh+Lxnb0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ff81c24d1dd4dc3698aeb27d2cc3991124e627e6",
+        "rev": "b51660a128c09baf31c614284b500eb53772496f",
        "type": "github"
      },
      "original": {
@ -466,11 +467,11 @@
    },
    "nixpkgs-2305": {
      "locked": {
-        "lastModified": 1688594934,
-        "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=",
+        "lastModified": 1691592289,
+        "narHash": "sha256-Lqpw7lrXlLkYra33tp57ms8tZ0StWhbcl80vk4D90F8=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "e11142026e2cef35ea52c9205703823df225c947",
+        "rev": "9034b46dc4c7596a87ab837bb8a07ef2d887e8c7",
        "type": "github"
      },
      "original": {
@ -483,11 +484,11 @@
    "nixpkgs-lib": {
      "locked": {
        "dir": "lib",
-        "lastModified": 1688049487,
-        "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
+        "lastModified": 1690881714,
+        "narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
+        "rev": "9e1960bc196baf6881340d53dccb203a951745a2",
        "type": "github"
      },
      "original": {
@ -500,11 +501,11 @@
    },
    "nixpkgs-lib_2": {
      "locked": {
-        "lastModified": 1688259758,
-        "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=",
+        "lastModified": 1691282883,
+        "narHash": "sha256-YLu1Fs+J+hw0BebUhWIeFzSqhlsnf0K88RqhVJebF9E=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6",
+        "rev": "b1d35b759161787e1cda815c460050142bda9adb",
        "type": "github"
      },
      "original": {
@ -515,11 +516,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1688256355,
-        "narHash": "sha256-/E+OSabu4ii5+ccWff2k4vxDsXYhpc4hwnm0s6JOz7Y=",
+        "lastModified": 1690066826,
+        "narHash": "sha256-6L2qb+Zc0BFkh72OS9uuX637gniOjzU6qCDBpjB2LGY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "f553c016a31277246f8d3724d3b1eee5e8c0842c",
+        "rev": "ce45b591975d070044ca24e3003c830d26fea1c8",
        "type": "github"
      },
      "original": {
@ -531,11 +532,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1690179384,
-        "narHash": "sha256-+arbgqFTAtoeKtepW9wCnA0njCOyoiDFyl0Q0SBSOtE=",
+        "lastModified": 1691565530,
+        "narHash": "sha256-qZZ6DxvS1X/tjxXNUwJrPiaIWLZyWUDM2gkJCi5uZpE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b12803b6d90e2e583429bb79b859ca53c348b39a",
+        "rev": "e528fa15d5f740a25b5f536c33932db64cb10fc8",
        "type": "github"
      },
      "original": {
@ -547,11 +548,11 @@
    },
    "nixpkgs-unstable-small": {
      "locked": {
-        "lastModified": 1691472822,
-        "narHash": "sha256-XVfYZ2oB3lNPVq6sHCY9WkdQ8lHoIDzzbpg8bB6oBxA=",
+        "lastModified": 1691644995,
+        "narHash": "sha256-/OL3sk+9iPv+pto8hs/3cPhGmcS+ugKowQ8FvopLMEA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "41c7605718399dcfa53dd7083793b6ae3bc969ff",
+        "rev": "f6f59fdce76ca4ee03852417a642b77a960229cd",
        "type": "github"
      },
      "original": {
@ -569,11 +570,11 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1688653033,
-        "narHash": "sha256-iRtkfin+7PLWd0ce/pQ8bDSo1v6N+nfgjFDFCFEKUCA=",
+        "lastModified": 1691518836,
+        "narHash": "sha256-sY9Unk1pCbMxMSX/SuoSUg8TY4TDN+edKY83cCEqb8g=",
        "owner": "nix-community",
        "repo": "nixpkgs-wayland",
-        "rev": "bc84572c913933dbb49df2746dc8669f562da454",
+        "rev": "982c0c1ee398e8584d8c9cce011ec98392d2e3cc",
        "type": "github"
      },
      "original": {
@ -584,11 +585,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1688590700,
-        "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=",
+        "lastModified": 1691368598,
+        "narHash": "sha256-ia7li22keBBbj02tEdqjVeLtc7ZlSBuhUk+7XTUFr14=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b",
+        "rev": "5a8e9243812ba528000995b294292d3b5e120947",
        "type": "github"
      },
      "original": {
@ -647,11 +648,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1688576197,
-        "narHash": "sha256-flxGk5OXBfXqlS/ZWNyT23slfPjTCkza3CV/EIfvdSU=",
+        "lastModified": 1691604464,
+        "narHash": "sha256-nNc/c9r1O8ajE/LkMhGcvJGlyR6ykenR3aRkEkhutxA=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "aa91eda9028758839487ad0f0eb120944a549ff3",
+        "rev": "05b061205179dab9a5cd94ae66d1c0e9b8febe08",
        "type": "github"
      },
      "original": {
@ -673,11 +674,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1688351637,
-        "narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=",
+        "lastModified": 1691029059,
+        "narHash": "sha256-QwVeE9YTgH3LmL7yw2V/hgswL6yorIvYSp4YGI8lZYM=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "f9b92316727af9e6c7fee4a761242f7f46880329",
+        "rev": "99df4908445be37ddb2d332580365fce512a7dcf",
        "type": "github"
      },
      "original": {
@ -710,11 +711,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1688268466,
-        "narHash": "sha256-fArazqgYyEFiNcqa136zVYXihuqzRHNOOeVICayU2Yg=",
+        "lastModified": 1690199016,
+        "narHash": "sha256-yTLL72q6aqGmzHq+C3rDp3rIjno7EJZkFLof6Ika7cE=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "5ed3c22c1fa0515e037e36956a67fe7e32c92957",
+        "rev": "c36df4fe4bf4bb87759b1891cab21e7a05219500",
        "type": "github"
      },
      "original": {
@ -730,11 +731,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1688619474,
-        "narHash": "sha256-mPPR4iZxOoq3LB2EZTgo72UunV4UWdtaBTiTc3x+iPI=",
+        "lastModified": 1691630941,
+        "narHash": "sha256-4+KVSa32impg0aBqXVEEty8uu3Urb64CjmseDkETofg=",
        "owner": "numtide",
        "repo": "srvos",
-        "rev": "bf8ce44e0d1a380565c51bd6a707a75ac21c1a9a",
+        "rev": "b7407c2dc143402de6f140575398020175f3ae1a",
        "type": "github"
      },
      "original": {
@ -810,6 +811,28 @@
        "type": "github"
      }
    },
+    "treefmt-nix_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-wayland",
+          "nix-eval-jobs",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1690874496,
+        "narHash": "sha256-qYZJVAfilFbUL6U+euMjKLXUADueMNQBqwihpNzTbDU=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "fab56c8ce88f593300cd8c7351c9f97d10c333c5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
    "yofi": {
      "inputs": {
        "flake-utils": "flake-utils_4",
--- a/flake.nix
+++ b/flake.nix
@ -100,15 +100,28 @@
            repoFlakeWithSystem = withSystem;
            nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
          }) [
-          "sj-vps-htz0"
          "steveej-t14"
-          "srv0-dmz0"
          "elias-e525"
          "justyna-p300"
+
+          "srv0-dmz0"
+          "router0-dmz0"
+
+          "sj-vps-htz0"
        ]);

      # this makes nixos-anywhere work
-      flake.nixosConfigurations = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes;
+      flake.nixosConfigurations =
+        (inputs.colmena.lib.makeHive self.outputs.colmena).nodes
+        // (let
+          router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations;
+        in {
+          router0-dmz0 = router0-dmz0.native;
+
+          # for now deploy directly with:
+          # nixos-rebuild switch --flake .\#cross_router0-dmz0 --build-host localhost --target-host root@192.168.10.1
+          cross_router0-dmz0 = router0-dmz0.cross;
+        });

      inherit systems;

--- a/nix/os/containers/backup-target.nix
+++ b/nix/os/containers/backup-target.nix
@ -17,10 +17,10 @@

    networking.firewall.enable = false;

-    services.ddclientovh = {
-      enable = true;
-      domain = containerBackupCfg.addr;
-    };
+    # services.ddclientovh = {
+    #   enable = true;
+    #   domain = containerBackupCfg.addr;
+    # };

    services.openssh.enable = true;

--- a/nix/os/containers/mailserver.nix
+++ b/nix/os/containers/mailserver.nix
@ -43,14 +43,6 @@
    };

    # TODO: switch to something other than ddclient as it's no longer maintained
-    services.ddclient-hetzner = {
-      enable = false;
-      zone = "stefanjunker.de";
-      domains = [
-        "mailserver.svc.stefanjunker.de"
-      ];
-      passwordFile = config.sops.secrets.hetznerDnsApiToken.path;
-    };

    # TODO: switch to a let's encrypt certificate
    sops.secrets.dovecotSslServerCert = {
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@ -5,7 +5,9 @@
  httpPort ? 80,
  httpsPort ? 443,
  autoStart ? false,
-}: {
+}: let
+  domain = "www.stefanjunker.de";
+in {
  config = {
    config,
    pkgs,
@ -22,11 +24,6 @@

    networking.firewall.enable = false;

-    services.ddclientovh = {
-      enable = true;
-      domain = "www.stefanjunker.de";
-    };
-
    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
    sops.secrets.hedgedoc_environment_file = {
      sopsFile = ./webserver_secrets.yaml;
@ -35,30 +32,30 @@

    services.caddy = {
      enable = true;
-      virtualHosts."${config.services.ddclientovh.domain}" = {
+      virtualHosts."${domain}" = {
        extraConfig = let
          port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}";
          path = "${config.services.authelia.instances.default.settings.server.path}";
        in ''
-          redir /hedgedoc* https://hedgedoc.${config.services.ddclientovh.domain}
+          redir /hedgedoc* https://hedgedoc.${domain}

          respond "Hi!"
        '';
      };

-      virtualHosts."hedgedoc.${config.services.ddclientovh.domain}" = {
+      virtualHosts."hedgedoc.${domain}" = {
        extraConfig = ''
          reverse_proxy http://[::1]:3000
        '';
      };

-      virtualHosts."authelia.${config.services.ddclientovh.domain}" = {
+      virtualHosts."authelia.${domain}" = {
        extraConfig = ''
          reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port}
        '';
      };

-      virtualHosts."lldap.${config.services.ddclientovh.domain}" = {
+      virtualHosts."lldap.${domain}" = {
        extraConfig = ''
          reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
        '';
@ -68,7 +65,7 @@
    services.hedgedoc = {
      enable = true;
      settings = {
-        domain = "hedgedoc.${config.services.ddclientovh.domain}";
+        domain = "hedgedoc.${domain}";
        urlPath = "";
        protocolUseSSL = true;
        db = {
@ -185,7 +182,7 @@
        verbose = true;

        ldap_base_dn = "dc=stefanjunker,dc=de";
-        http_url = "https://lldap.${config.services.ddclientovh.domain}";
+        http_url = "https://lldap.${domain}";

        ## Options to configure SMTP parameters, to send password reset emails.
        ## To set these options from environment variables, use the following format
--- a/nix/os/devices/router0-dmz0/.gitignore
+++ b/nix/os/devices/router0-dmz0/.gitignore
@ -0,0 +1 @@
+result
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@ -0,0 +1,524 @@
+{
+  modulesPath,
+  repoFlake,
+  packages',
+  pkgs,
+  lib,
+  config,
+  nodeFlake,
+  nodeName,
+  system,
+  ...
+}: let
+  inherit
+    (nodeFlake.inputs)
+    bpir3
+    nixos-nftables-firewall
+    ;
+in {
+  disabledModules = [
+    # "services/networking/hostapd.nix"
+  ];
+
+  imports = [
+    # nodeFlake.inputs.disko.nixosModules.disko
+    repoFlake.inputs.sops-nix.nixosModules.sops
+
+    ../../profiles/common/user.nix
+
+    "${bpir3}/lib/sd-image-mt7986.nix"
+
+    nixos-nftables-firewall.nixosModules.default
+
+    # TODO
+    # ./network.nix
+    # ./monitoring.nix
+    {
+      services.openssh.enable = true;
+      services.openssh.settings.PermitRootLogin = "yes";
+
+      users.commonUsers = {
+        enable = true;
+        enableNonRoot = false;
+        rootPasswordFile = config.sops.secrets.passwords-root.path;
+      };
+
+      sops.secrets.passwords-root = {
+        sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+        neededForUsers = true;
+        format = "yaml";
+      };
+    }
+  ];
+
+  # sops.secrets.ssh_host_ed25519_key = {
+  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+  #   format = "yaml";
+
+  #   path = "/etc/ssh/ssh_host_ed25519_key";
+  #   mode = "0600";
+  # };
+  # sops.secrets.ssh_host_ed25519_key_pub = {
+  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+  #   format = "yaml";
+
+  #   path = "/etc/ssh/ssh_host_ed25519_key.pub";
+  #   mode = "0600";
+  # };
+  # sops.secrets.ssh_host_rsa_key = {
+  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+  #   format = "yaml";
+
+  #   path = "/etc/ssh/ssh_host_rsa_key";
+  #   mode = "0600";
+  # };
+  # sops.secrets.ssh_host_rsa_key_pub = {
+  #   sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+  #   format = "yaml";
+
+  #   path = "/etc/ssh/ssh_host_rsa_key.pub";
+  #   mode = "0644";
+  # };
+
+  boot = {
+    kernel = {
+      sysctl = {
+        "net.ipv4.conf.all.forwarding" = true;
+        "net.ipv6.conf.all.forwarding" = true;
+      };
+    };
+  };
+
+  networking = {
+    hostName = nodeName;
+    useNetworkd = true;
+    useDHCP = false;
+
+    # No local firewall.
+    nat.enable = lib.mkForce false;
+    firewall.enable = lib.mkForce false;
+
+    # Use the nftables firewall instead of the base nixos scripted rules.
+    # This flake provides a similar utility to the base nixos scripting.
+    # https://github.com/thelegy/nixos-nftables-firewall/tree/main
+    nftables = {
+      enable = true;
+      stopRuleset = "";
+      firewall = {
+        enable = true;
+        zones = {
+          lan.interfaces = ["br-lan"];
+          wan.interfaces = ["wan"];
+        };
+        rules = {
+          lan = {
+            from = ["lan"];
+            to = ["fw"];
+            verdict = "accept";
+          };
+          outbound = {
+            from = ["lan"];
+            to = ["lan" "wan"];
+            verdict = "accept";
+          };
+          nat = {
+            from = ["lan"];
+            to = ["wan"];
+            masquerade = true;
+          };
+
+          incoming-wan = {
+            from = ["wan"];
+            to = ["fw"];
+            verdict = "drop";
+          };
+        };
+      };
+    };
+  };
+
+  systemd.network = {
+    wait-online.anyInterface = true;
+    netdevs = {
+      # Create the bridge interface
+      "20-br-lan" = {
+        netdevConfig = {
+          Kind = "bridge";
+          Name = "br-lan";
+        };
+      };
+    };
+    networks = {
+      # Connect the bridge ports to the bridge
+      "30-lan0" = {
+        matchConfig.Name = "lan0";
+        networkConfig = {
+          Bridge = "br-lan";
+          ConfigureWithoutCarrier = true;
+        };
+        linkConfig.RequiredForOnline = "enslaved";
+      };
+      "30-lan1" = {
+        matchConfig.Name = "lan1";
+        networkConfig = {
+          Bridge = "br-lan";
+          ConfigureWithoutCarrier = true;
+        };
+        linkConfig.RequiredForOnline = "enslaved";
+      };
+      "30-lan2" = {
+        matchConfig.Name = "lan2";
+        networkConfig = {
+          Bridge = "br-lan";
+          ConfigureWithoutCarrier = true;
+        };
+        linkConfig.RequiredForOnline = "enslaved";
+      };
+      "30-lan3" = {
+        matchConfig.Name = "lan3";
+        networkConfig = {
+          Bridge = "br-lan";
+          ConfigureWithoutCarrier = true;
+        };
+        linkConfig.RequiredForOnline = "enslaved";
+      };
+      # Configure the bridge for its desired function
+      "40-br-lan" = {
+        matchConfig.Name = "br-lan";
+        bridgeConfig = {};
+        address = [
+          "192.168.10.1/24"
+        ];
+        networkConfig = {
+          ConfigureWithoutCarrier = true;
+        };
+        # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
+        linkConfig.RequiredForOnline = "no";
+      };
+      "10-wan" = {
+        matchConfig.Name = "wan";
+        networkConfig = {
+          # start a DHCP Client for IPv4 Addressing/Routing
+          DHCP = "ipv4";
+          # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+          IPv6AcceptRA = true;
+          DNSOverTLS = true;
+          DNSSEC = true;
+          IPv6PrivacyExtensions = false;
+          IPForward = true;
+        };
+        # make routing on this interface a dependency for network-online.target
+        linkConfig.RequiredForOnline = "routable";
+      };
+    };
+  };
+
+  # wireless access point
+  services.hostapd = {
+    enable = true;
+    radios = {
+      wlan0 = {
+        band = "2g";
+        countryCode = "CH";
+        channel = 0; # ACS
+
+        # use 'iw phy#1 info' to determine your VHT capabilities
+        wifi4 = {
+          enable = true;
+          capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"];
+        };
+        networks = {
+          wlan0 = {
+            ssid = "justtestingwifi-wpa3";
+            authentication = {
+              mode = "wpa3-sae";
+              # saePasswordsFile = config.sops.secrets.wifiPassword.path;
+              saePasswords = [
+                {password = "justtestingwifi";}
+              ];
+            };
+
+            # generated with https://miniwebtool.com/mac-address-generator/
+            bssid = "34:56:ce:0f:ed:40";
+            settings = {
+              bridge = "br-lan";
+            };
+          };
+
+          wlan0-1 = {
+            ssid = "justtestingwifi-compat";
+            authentication = {
+              mode = "wpa3-sae-transition";
+              # saePasswordsFile = config.sops.secrets.wifiPassword.path;
+              saePasswords = [
+                {password = "justtestingwifi";}
+              ];
+              wpaPassword = "justtestingwifi";
+            };
+
+            # generated with https://miniwebtool.com/mac-address-generator/
+            bssid = "34:56:ce:0f:ed:41";
+            settings = {
+              bridge = "br-lan";
+            };
+          };
+
+          # Uncomment when needed otherwise remove
+          # wlan0-1 = {
+          #   ssid = "koteczkowo3";
+          #   authentication = {
+          #     mode = "none"; # this is overriden by settings
+          #   };
+          #   managementFrameProtection = "optional";
+          #   bssid = "e6:02:43:07:00:00";
+          #   settings = {
+          #     bridge = "br-lan";
+          #     wpa = lib.mkForce 2;
+          #     wpa_key_mgmt = "WPA-PSK";
+          #     wpa_pairwise = "CCMP";
+          #     wpa_psk_file = config.sops.secrets.legacyWifiPassword.path;
+          #   };
+          # };
+        };
+      };
+      # wlan1 = {
+      #   band = "5g";
+      #   # channels with 160 MHz width in Poland: 36, 52, 100 i 116
+      #   channel = 0; # ACS
+      #   countryCode = "PL";
+
+      #   # use 'iw phy#1 info' to determine your VHT capabilities
+      #   wifi4 = {
+      #     enable = true;
+      #     capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"];
+      #   };
+      #   wifi5 = {
+      #     enable = true;
+      #     operatingChannelWidth = "160";
+      #     capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"];
+      #   };
+      #   wifi6 = {
+      #     enable = true;
+      #     singleUserBeamformer = true;
+      #     singleUserBeamformee = true;
+      #     multiUserBeamformer = true;
+      #     operatingChannelWidth = "160";
+      #   };
+      #   settings = {
+      #     # these two are mandatory for wifi 5 & 6 to work
+      #     vht_oper_centr_freq_seg0_idx = 50;
+      #     he_oper_centr_freq_seg0_idx = 50;
+
+      #     # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for
+      #     # transmitting data packets from the second data queue of a network interface.
+      #     # It determines the number of packets that can be sent in a burst.
+      #     # Adjusting this parameter can impact network throughput and latency.
+      #     tx_queue_data2_burst = 2;
+
+      #     # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header.
+      #     # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios.
+      #     # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference.
+      #     he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63
+
+      #     # Magic values that were set by openwrt but I didn't bother inspecting every single one
+      #     he_spr_sr_control = 3;
+      #     he_default_pe_duration = 4;
+      #     he_rts_threshold = 1023;
+
+      #     he_mu_edca_qos_info_param_count = 0;
+      #     he_mu_edca_qos_info_q_ack = 0;
+      #     he_mu_edca_qos_info_queue_request = 0;
+      #     he_mu_edca_qos_info_txop_request = 0;
+
+      #     # he_mu_edca_ac_be_aci=0; missing in 2.10
+      #     he_mu_edca_ac_be_aifsn = 8;
+      #     he_mu_edca_ac_be_ecwmin = 9;
+      #     he_mu_edca_ac_be_ecwmax = 10;
+      #     he_mu_edca_ac_be_timer = 255;
+
+      #     he_mu_edca_ac_bk_aifsn = 15;
+      #     he_mu_edca_ac_bk_aci = 1;
+      #     he_mu_edca_ac_bk_ecwmin = 9;
+      #     he_mu_edca_ac_bk_ecwmax = 10;
+      #     he_mu_edca_ac_bk_timer = 255;
+
+      #     he_mu_edca_ac_vi_ecwmin = 5;
+      #     he_mu_edca_ac_vi_ecwmax = 7;
+      #     he_mu_edca_ac_vi_aifsn = 5;
+      #     he_mu_edca_ac_vi_aci = 2;
+      #     he_mu_edca_ac_vi_timer = 255;
+
+      #     he_mu_edca_ac_vo_aifsn = 5;
+      #     he_mu_edca_ac_vo_aci = 3;
+      #     he_mu_edca_ac_vo_ecwmin = 5;
+      #     he_mu_edca_ac_vo_ecwmax = 7;
+      #     he_mu_edca_ac_vo_timer = 255;
+      #   };
+      #   networks = {
+      #     wlan1 = {
+      #       ssid = "koteczkowo5";
+      #       authentication = {
+      #         mode = "wpa3-sae";
+      #         saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible.
+      #       };
+      #       bssid = "36:b9:02:21:08:a2";
+      #       settings = {
+      #         bridge = "br-lan";
+      #       };
+      #     };
+      #   };
+      # };
+    };
+  };
+
+  services.resolved.enable = false;
+
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      # upstream DNS servers
+      server = ["9.9.9.9" "8.8.8.8" "1.1.1.1"];
+      # sensible behaviours
+      domain-needed = true;
+      bogus-priv = true;
+      no-resolv = true;
+
+      dhcp-range = ["br-lan,192.168.10.50,192.168.10.254,24h"];
+      interface = "br-lan";
+      dhcp-host = "192.168.10.1";
+
+      # local domains
+      local = "/lan/";
+      domain = "lan";
+      expand-hosts = true;
+
+      # don't use /etc/hosts as this would advertise surfer as localhost
+      no-hosts = true;
+      address = "/surfer.lan/192.168.10.1";
+    };
+  };
+
+  # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of letting the first CPU core to handle everything. This is supposed to increase performance by hitting CPU cache more often.
+  services.irqbalance.enable = true;
+
+  # disko.devices = {
+  #   disk = {
+  #     nvme0n1 = {
+  #       device = "/dev/nvme0n1";
+  #       type = "disk";
+  #       content = {
+  #         type = "table";
+  #         format = "gpt";
+  #         partitions = [
+  #           {
+  #             name = "var-log";
+  #             start = "1MiB";
+  #             end = "20G";
+  #             content = {
+  #               type = "filesystem";
+  #               format = "ext4";
+  #               mountpoint = "/var/log";
+  #             };
+  #           }
+  #           {
+  #             name = "tmp";
+  #             start = "20G";
+  #             end = "60G";
+  #             content = {
+  #               type = "filesystem";
+  #               format = "ext4";
+  #               mountpoint = "/tmp";
+  #             };
+  #           }
+  #           {
+  #             name = "var";
+  #             start = "60G";
+  #             end = "100G";
+  #             content = {
+  #               type = "filesystem";
+  #               format = "ext4";
+  #               mountpoint = "/var";
+  #             };
+  #           }
+  #           {
+  #             name = "swap";
+  #             start = "100G";
+  #             end = "100%";
+  #             content = {
+  #               type = "swap";
+  #               randomEncryption = false;
+  #             };
+  #           }
+  #         ];
+  #       };
+  #     };
+  #   };
+  # };
+
+  system.stateVersion = "23.05";
+
+  boot.kernelPackages = pkgs.linuxPackages_bpir3;
+  # boot.kernelPackages = bpir3.packages.aarch64-linux.linuxPackages_bpir3;
+  # We exclude a number of modules included in the default list. A non-insignificant amount do
+  # not apply to embedded hardware like this, so simply skip the defaults.
+  #
+  # Custom kernel is required as a lot of MTK components misbehave when built as modules.
+  # They fail to load properly, leaving the system without working ethernet, they'll oops on
+  # remove. MTK-DSA parts and PCIe were observed to do this.
+  boot.initrd.includeDefaultModules = false;
+  boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"];
+  boot.initrd.availableKernelModules = ["nvme"];
+
+  boot.kernelParams = ["console=ttyS0,115200"];
+  hardware.enableRedistributableFirmware = true;
+  # Wireless hardware exists, regulatory database is essential.
+  hardware.wirelessRegulatoryDatabase = true;
+
+  # Extlinux compatible with custom uboot patches in this repo, which also provide unique
+  # MAC addresses instead of the non-unique one that gets used by a lot of MTK devices...
+  boot.loader.grub.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = true;
+  # Known to work with u-boot; bz2, lzma, and lz4 should be safe too, need to test.
+  boot.initrd.compressor = "gzip";
+  hardware.deviceTree.filter = "mt7986a-bananapi-bpi-r3.dtb";
+
+  hardware.deviceTree.overlays = [
+    {
+      name = "bpir3-sd-enable";
+      dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-sd.dts";
+    }
+    {
+      name = "bpir3-nand-enable";
+      dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-nand.dts";
+    }
+    {
+      name = "bpi-r3 wifi training data";
+      dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-wirless.dts";
+    }
+    {
+      name = "reset button disable";
+      dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-pcie-button.dts";
+    }
+    {
+      name = "mt7986a efuses";
+      dtsFile = "${bpir3}/bpir3-dts/mt7986a-efuse-device-tree-node.dts";
+    }
+  ];
+
+  boot.initrd.preDeviceCommands = ''
+    if [ ! -d /sys/bus/pci/devices/0000:01:00.0 ]; then
+      if [ -d /sys/bus/pci/devices/0000:00:00.0 ]; then
+        # Remove PCI bridge, then rescan.  NVMe init crashes if PCI bridge not removed first
+        echo 1 > /sys/bus/pci/devices/0000:00:00.0/remove
+        # Rescan brings PCI root back and brings the NVMe device in.
+        echo 1 > /sys/bus/pci/rescan
+      else
+        info "PCIe bridge missing"
+      fi
+    fi
+  '';
+
+  environment.systemPackages = [
+    pkgs.ethtool
+  ];
+}
--- a/nix/os/devices/router0-dmz0/default.nix
+++ b/nix/os/devices/router0-dmz0/default.nix
@ -0,0 +1,39 @@
+{
+  nodeName,
+  repoFlake,
+  nodeFlake,
+  ...
+}: let
+  system = "aarch64-linux";
+in {
+  meta.nodeSpecialArgs.${nodeName} = {
+    inherit repoFlake nodeName nodeFlake system;
+    packages' = repoFlake.packages.${system};
+
+    inherit
+      (nodeFlake.inputs.bpir3.packages.${system})
+      armTrustedFirmwareMT7986
+      ;
+  };
+
+  meta.nodeNixpkgs.${nodeName} =
+    import nodeFlake.inputs.nixpkgs.outPath
+    {
+      inherit system;
+    };
+
+  ${nodeName} = {
+    deployment.targetHost = "router0.dmz0.noosphere.life";
+    deployment.replaceUnknownProfiles = true;
+
+    # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
+
+    imports = [
+      nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+      ./configuration.nix
+    ];
+
+    networking.hostName = nodeName;
+  };
+}
--- a/nix/os/devices/router0-dmz0/flake.lock
+++ b/nix/os/devices/router0-dmz0/flake.lock
@ -0,0 +1,205 @@
+{
+  "nodes": {
+    "bpir3": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1688620001,
+        "narHash": "sha256-8ACxxssPiQy/lsUsT8cAaT2te8p8d8ngmPwTc/erPnU=",
+        "owner": "nakato",
+        "repo": "nixos-bpir3-example",
+        "rev": "4210480bdebbf3a7953e22d5d9f183f47b725bff",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nakato",
+        "repo": "nixos-bpir3-example",
+        "type": "github"
+      }
+    },
+    "dependencyDagOfSubmodule": {
+      "inputs": {
+        "nixpkgs": [
+          "nixos-nftables-firewall",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1656615370,
+        "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=",
+        "owner": "thelegy",
+        "repo": "nix-dependencyDagOfSubmodule",
+        "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "thelegy",
+        "repo": "nix-dependencyDagOfSubmodule",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1691743546,
+        "narHash": "sha256-nS2uWOeEmMgUBEMDCvwLlXBBCLkW7agDcMtOXuf9PDc=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "241c878d4b542fea7c61ed4421e9224af054ff56",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "get-flake": {
+      "locked": {
+        "lastModified": 1673819588,
+        "narHash": "sha256-gRtwKAlu4htvS6dxyZnW3n+vMS1acqnMGVHqxUdETeY=",
+        "owner": "ursi",
+        "repo": "get-flake",
+        "rev": "e0917b6f564aa5acefb1484b5baf76da21746c3c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ursi",
+        "repo": "get-flake",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1691672736,
+        "narHash": "sha256-HNPA/dKHerA0p4OsToEcW/DtTSXBcK5gFRsy/yPgV/Y=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "6e1eff9aac0e8d84bda7f2d60ba6108eea9b7e79",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "master",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nixos-nftables-firewall": {
+      "inputs": {
+        "dependencyDagOfSubmodule": "dependencyDagOfSubmodule",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1677020959,
+        "narHash": "sha256-r06isoyASAIoYH+zcbb8jescQyYq+AYNccVPUlzivDk=",
+        "owner": "thelegy",
+        "repo": "nixos-nftables-firewall",
+        "rev": "6cb25335de6f1fe0722f02573d0cfbaea4cd7ecf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "thelegy",
+        "repo": "nixos-nftables-firewall",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1691654369,
+        "narHash": "sha256-gSILTEx1jRaJjwZxRlnu3ZwMn1FVNk80qlwiCX8kmpo=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "ce5e4a6ef2e59d89a971bc434ca8ca222b9c7f5e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-master": {
+      "locked": {
+        "lastModified": 1691753935,
+        "narHash": "sha256-fjH5oZ0g8Cb0vrJ8TlS4B7kaVr7YmEdee64ueQ6arAo=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "650596759b8b38399a0c4d5e366847d190360e55",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1691703261,
+        "narHash": "sha256-jUzmIeh+F+XKkuEhfY+VRgbVitTOr5oh5Oi5p5kr9tQ=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "079f7bd05bf72641e3b5904ed891d44d21ea90ed",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "bpir3": "bpir3",
+        "disko": "disko",
+        "get-flake": "get-flake",
+        "home-manager": "home-manager",
+        "nixos-nftables-firewall": "nixos-nftables-firewall",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-master": "nixpkgs-master",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "srvos": "srvos"
+      }
+    },
+    "srvos": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1691630941,
+        "narHash": "sha256-4+KVSa32impg0aBqXVEEty8uu3Urb64CjmseDkETofg=",
+        "owner": "numtide",
+        "repo": "srvos",
+        "rev": "b7407c2dc143402de6f140575398020175f3ae1a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "srvos",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/nix/os/devices/router0-dmz0/flake.nix
+++ b/nix/os/devices/router0-dmz0/flake.nix
@ -0,0 +1,93 @@
+{
+  inputs = {
+    # nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
+    nixpkgs-master.url = "github:nixos/nixpkgs/master";
+
+    get-flake.url = "github:ursi/get-flake";
+
+    home-manager.url = "github:nix-community/home-manager/master";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+    srvos.url = "github:numtide/srvos";
+    srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+    bpir3.url = "github:nakato/nixos-bpir3-example";
+    bpir3.inputs.nixpkgs.follows = "nixpkgs";
+
+    nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
+    nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  # outputs = _: {};
+
+  outputs = {
+    self,
+    get-flake,
+    nixpkgs,
+    bpir3,
+    ...
+  } @ attrs: let
+    system = "aarch64-linux";
+    nodeName = "router0-dmz0";
+
+    mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
+      nixpkgs.lib.nixosSystem (
+        nixpkgs.lib.attrsets.recursiveUpdate
+        attrs
+        {
+          specialArgs = {
+            nodeFlake = self;
+            repoFlake = get-flake ../../../..;
+            inherit nodeName;
+            inherit
+              (bpir3.packages.${system})
+              armTrustedFirmwareMT7986
+              ;
+          };
+
+          modules =
+            [
+              ./configuration.nix
+
+              # flake registry
+              {
+                nix.registry.nixpkgs.flake = nixpkgs;
+              }
+
+              {
+                nixpkgs.overlays = [
+                  (final: previous: let
+                    bpir3Pkgs = previous.callPackage "${bpir3}/pkgs" {};
+                  in {
+                    inherit
+                      (bpir3Pkgs)
+                      linuxPackages_bpir3
+                      ;
+                  })
+                ];
+              }
+            ]
+            ++ extraModules;
+        }
+      );
+  in {
+    nixosConfigurations = {
+      native = mkNixosConfiguration {
+        inherit system;
+      };
+
+      cross = mkNixosConfiguration {
+        extraModules = [
+          {
+            nixpkgs.buildPlatform.system = "x86_64-linux";
+            nixpkgs.hostPlatform.system = system;
+          }
+        ];
+      };
+    };
+  };
+}
--- a/nix/os/devices/sj-vps-htz0/configuration.nix
+++ b/nix/os/devices/sj-vps-htz0/configuration.nix
@ -1,12 +1,28 @@
-{...}: {
+{
+  nodeName,
+  config,
+  ...
+}: {
  disabledModules = [];
  imports = [
    ../../profiles/common/configuration.nix
+    {
+      users.commonUsers = {
+        enable = true;
+        enableNonRoot = false;
+        rootPasswordFile = config.sops.secrets.passwords-root.path;
+      };
+
+      sops.secrets.passwords-root = {
+        sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+        neededForUsers = true;
+        format = "yaml";
+      };
+    }
    ../../modules/opinionatedDisk.nix

    ./system.nix
    ./hw.nix
-    ./pkg.nix
    ./boot.nix
  ];
 }
--- a/nix/os/devices/sj-vps-htz0/pkg.nix
+++ b/nix/os/devices/sj-vps-htz0/pkg.nix
@ -1,26 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  nixpkgs.config.packageOverrides = pkgs:
-    with pkgs; {
-      nixPath =
-        (import ../../../default.nix {
-          versionsPath = ./versions.nix;
-        })
-        .nixPath;
-    };
-  home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
-    inherit pkgs;
-    extraPackages = [
-      # required by vscode's remote-ssh plugin
-      pkgs.nodejs
-
-      # allow clipboard exchanges
-      pkgs.xsel
-      pkgs.xclip
-    ];
-  };
-}
--- a/nix/os/devices/steveej-t14/system.nix
+++ b/nix/os/devices/steveej-t14/system.nix
@ -132,4 +132,8 @@ in {
    sopsFile = ../../../../secrets/zerotierone.txt;
    format = "binary";
  };
+
+  boot.binfmt.emulatedSystems = [
+    "aarch64-linux"
+  ];
 }
--- a/nix/os/lib/default.nix
+++ b/nix/os/lib/default.nix
@ -19,6 +19,7 @@ in {
        "video"
        "cdrom"
        "adbusers"
+        "dialout"
      ];
      openssh.authorizedKeys.keys = keys.users.steveej.openssh;

--- a/nix/os/modules/ddclient-hetzner.nix
+++ b/nix/os/modules/ddclient-hetzner.nix
@ -11,29 +11,4 @@ in {
    domains = mkOption {type = types.listOf types.str;};
    passwordFile = mkOption {type = types.path;};
  };
-
-  config = lib.mkIf cfg.enable {
-    users.groups.ddclient = {};
-    users.users.ddclient = {
-      isSystemUser = true;
-      group = "ddclient";
-    };
-
-    services.ddclient = {
-      enable = cfg.enable;
-      verbose = true;
-      protocol = "hetzner";
-
-      # see https://github.com/ddclient/ddclient/blob/a4eab34ab4719d1e2146d8c9c4449b70dd7e0163/ddclient.in#L775
-      username = "token";
-
-      inherit (cfg) zone domains passwordFile;
-
-      extraConfig = ''
-      '';
-    };
-
-    systemd.services.ddclient.serviceConfig.User = config.users.users.ddclient.name;
-    systemd.services.ddclient.serviceConfig.Group = config.users.groups.ddclient.name;
-  };
 }
--- a/nix/os/modules/ddclient-ovh.nix
+++ b/nix/os/modules/ddclient-ovh.nix
@ -9,15 +9,4 @@ in {
    enable = mkEnableOption "Enable ddclient-ovh";
    domain = mkOption {type = types.str;};
  };
-
-  config = lib.mkIf cfg.enable {
-    services.ddclient = {
-      enable = true;
-      protocol = "dyndns2";
-      server = "www.ovh.com";
-      ssl = true;
-      domains = [cfg.domain];
-      use = "web";
-    };
-  };
 }
--- a/nix/os/profiles/common/user.nix
+++ b/nix/os/profiles/common/user.nix
@ -1,6 +1,7 @@
 {
  config,
  pkgs,
+  lib,
  ...
 }: let
  keys = import ../../../variables/keys.nix;
@ -11,39 +12,61 @@
    })
    mkUser
    ;
+
+  inherit (lib) types;
+
+  cfg = config.users.commonUsers;
 in {
-  sops.secrets.sharedUsers-root = {
-    sopsFile = ../../../../secrets/shared-users.yaml;
-    neededForUsers = true;
-    format = "yaml";
+  options.users.commonUsers = {
+    enable = lib.mkOption {
+      default = true;
+      type = types.bool;
+    };
+
+    enableNonRoot = lib.mkOption {
+      default = true;
+      type = types.bool;
+    };
+
+    rootPasswordFile = lib.mkOption {
+      default = config.sops.secrets.sharedUsers-root.path;
+      type = types.path;
+    };
  };
+  config = lib.mkIf cfg.enable {
+    sops.secrets.sharedUsers-root = {
+      sopsFile = ../../../../secrets/shared-users.yaml;
+      neededForUsers = true;
+      format = "yaml";
+    };

-  sops.secrets.sharedUsers-steveej = {
-    sopsFile = ../../../../secrets/shared-users.yaml;
-    neededForUsers = true;
-    format = "yaml";
-  };
+    sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot {
+      sopsFile = ../../../../secrets/shared-users.yaml;
+      neededForUsers = true;
+      format = "yaml";
+    };

-  sops.secrets.sharedSshKeys-steveej = {
-    sopsFile = ../../../../secrets/shared-users.yaml;
-    # neededForUsers = true;
-    format = "yaml";
-  };
+    sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot {
+      sopsFile = ../../../../secrets/shared-users.yaml;
+      # neededForUsers = true;
+      format = "yaml";
+    };

-  users.mutableUsers = false;
+    users.mutableUsers = lib.mkForce false;

-  users.extraUsers.root = {
-    passwordFile = config.sops.secrets.sharedUsers-root.path;
-    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+    users.extraUsers.root = {
+      passwordFile = cfg.rootPasswordFile;
+      openssh.authorizedKeys.keys = keys.users.steveej.openssh;

-    # TODO: investigate why this secret cannot be found
-    # openssh.authorizedKeys.keyFiles = [
-    #   config.sops.secrets.sharedSshKeys-steveej.path
-    # ];
-  };
+      # TODO: investigate why this secret cannot be found
+      # openssh.authorizedKeys.keyFiles = [
+      #   config.sops.secrets.sharedSshKeys-steveej.path
+      # ];
+    };

-  users.extraUsers.steveej = mkUser {
-    uid = 1000;
-    passwordFile = config.sops.secrets.sharedUsers-steveej.path;
+    users.extraUsers.steveej = lib.mkIf cfg.enableNonRoot (mkUser {
+      uid = 1000;
+      passwordFile = config.sops.secrets.sharedUsers-steveej.path;
+    });
  };
 }
--- a/nix/os/profiles/containers/configuration.nix
+++ b/nix/os/profiles/containers/configuration.nix
@ -14,7 +14,7 @@
  };

  imports = [
-    ../../modules/ddclient-ovh.nix
-    ../../modules/ddclient-hetzner.nix
+    # ../../modules/ddclient-ovh.nix
+    # ../../modules/ddclient-hetzner.nix
  ];
 }
--- a/secrets/router0-dmz0/secrets.yaml
+++ b/secrets/router0-dmz0/secrets.yaml
@ -0,0 +1,41 @@
+#ENC[AES256_GCM,data:QydWKuMH8uixprFup1rEwvPkKAMw0yat9MOOK1DleeCJ5tqRqrPh9NiOpJs6nve8Rmji3WyrHAkUaK9zT/f8VKk=,iv:I6OHO6sLTtFBV6CYGmLh5owCrNjzS/LBjOjW9VovGlE=,tag:Vg0IZSFbYa7UQvuPpmMVKw==,type:comment]
+passwords-root: ENC[AES256_GCM,data:+8IcZ4pbJ1qIjRCK7oycmgOVWy6hzc2oDISYMMqE9SmgRE//PQ5ABwtBtpaghrhZTXrUV2l3qsvTHD9UdYRNMB1VBlM6vn4Iug==,iv:2eUIa46QNby++yLK9dax/SD7Ajtj+U0ptheRuKV9r+g=,tag:5tA5rhm1eztDh7Q4d+C1BQ==,type:str]
+ssh_host_ed25519_key: ENC[AES256_GCM,data:XQjTqNADLhisxPBIJ7x0bs3qgQk0u4q9HKSDukRbzel7hUiDqc6ELQAvffRqJQUtAS5Cfz9PzVcnyEA4wapvK7RLFavOmaN2MhcnQR24oQks5RVYmlvcems02Qovd15iE07XR4KCDcmQ5/XM5v4/RxW2zYzV5Il67Vzhij2wA9bJ7D3sbKUfyc6pBoIXvURbq6QO8ZMIU6ckAuOqG2230KwXLdz/ld0s3Ir1q/7t+rrrS7BPkeA+SRdYhb5XDOTKtfgFxNvdI6DSETV+q67xAalAkM/cZ2rqHJQd+wgH2VIPyiGqeq6LvPT0vmopFJn0CqQA2HauQAmBNIAtXel8GbK+qA11XilMx+hp6qhVH+BnSWWY3GriGfaGlpUZ0E7uymqRkpRwBcHmZto6E/E/XUxBfISVyJf/2RcTy10RelWLJtNuaXT2eHgXmZ/uAlcTGlCYYirr5g3iAGUoqxYbWlZb9SdqVO/0PLCZo7AkDWxk57wer/lHOG59ZpoiZnanaMIaNqJ7Tsslvvm0JuoP,iv:2U5IpWTRyQ8basBRoYpFe6Ycc5qdeCUAUTwlEHttRJU=,tag:jA0mFsMxWKq7dnkGQWNP9Q==,type:str]
+ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:MQ0q/I6clKNz6uzoztGA06vOjIbpK6Dsf3WbgddRA0B8nEJ4EUmRBT0KkX3o+LZmQPhmURHWWFtOSqvAzkyoxAoBZEh98H3IDsLE5PgcNbxK3dAh36+AAMPLzVFnHLyaWLQW,iv:9XIw29PkSHCeU7C2GuSJ+J+mBrwOrbSMmm7kOtCkiyI=,tag:x3JqFF08f2eVfOrrQ1gzYw==,type:str]
+ssh_host_rsa_key: ENC[AES256_GCM,data:tFGQ77X5Y1TRR2F0EJ4hmauE9ABILP6V0CSmzb1QLaH6VlhriXSE1UQcQ2Rc73CR7+JLjLbggL7RKpkA8gJQq/ubhiXHJokBEo6rfBXETVepv0HlyX5UvzWhi6iKBE5YsYyyBI1VWDcx+oTR8+daqnKwbbqPeDUpC2coT3S9svEsKXeb3YOMxJ9X/Rvh96UtMmlk7WeZa2JvOP3k62HROVo8QRYXeQWTO87TCzVdU7OWnbRIuC6bu+32Uy70AsIu39fazX7WqIUxaeO/oNHsay0/TBXKNu2El0JRG8tHCHdXe1tahniGbGH5xeEZmgLTOjHntw5UIdxZbgvcbxmt9seDXUxjhhEMS8eHWaxnRDSI7n2KOb/3UaBQ3BHnYpuRjW++uFBgRHxxANlYfpfEdz/LNexdPb9+QCw80r38uZxP8yD5/PxFV/Y+gSX+WnNE0YQnBDtHFjKhHpqpm2P4Ek3hLzjXh6CPzUZru6LAO/FklcLCGaq94fDC5wW3K0x1UvyfMjBwwyeSymcV95YcZu8Ty280jRhG8l719KkEJjnBdnB25PQ5gEwc34dG5xH5HwVUDPIM9v9m+cXtldUIk3BH4PiTEI1aZsZx50BtBhxybAxhTqNElrP+/2W73muTSQboDIB1Xb2NhArLB6XnnVhVUD/Pg/9wiDUY0mYyr0eIp9AmBfSmSIDjFyVUB9o+gv/B+LpxwxPKmsPt3MRKWoZw+bIGTI82UqBv0eX6Xqq71H4DYFnJ3J+n+Jzp5ww5mSPPHffZZFSBbZSpTk8El4L5II/hyyxk7yJopt19AAsw+UgLJDO31XnyiGAEbbDdwjuCWQMmuzKJ6H7c7UGDXLO92jAlXwEWT5fwzG6Wvu5+n/OToz3CN1Cv40uwVb/fOqmzep9hoOrXeuzmnGULfGmwItjuJoMkfmPUq8obAuj5ml0YduU2eLbe15OlD2Vg2I+BH0WuCPYnnCrLyX8ixhJEuGGDkhGhaKMHaMjNuMOGmDQ6oRCVU8BA/zDgnF/GrcHgIe742Yh68PyaH2j+iX6/5YvUB+R1sDnrgfXlgET1V+nny+fD4GBnP+RKYtdGG0P4y3AYlACQE9sJ6Nkb8CTVb2Va6L3rXzeyJG2FtYkUKxxwDUv/KyieclHiJpdawunOLVkmI6p/iaZIThrdGA5p7b01/WOyJFA9aI3oU2f2rMYBLGHYirrRs3WtS7ExhKriHpgax574UIcW0mecFto9dHkGlBOTQy+Zp1GARnePXKZcyKm2qhTIjw0ho/DUe3+t1knbR6WJCwl1LDtfpPD2KPDDH+HpHm3EoiA1mDSp6lYMVxwBr2eBmFPKuPkkAL/3Bf6SKlEp1UCDee7BPlzS9kwmIEt/EuIohbMDdyaHtulW31Hdrsai8fCxc7AAzgsmoMBp2Smwoe3C8K5K8RaNp6v4boY8WBH3rLjAFTmOPB7TiZfplQjV8triZS3JFopNjvCglfZSXxSs+RjZUgSgL/1fFLT2m0Mp1XPMvGZlD73TzJ5RH5WWlxliaau42Q4vXRFUK+ZFx0SvwOO5xZvRNtAOfipEoqscKOopV+HHl74DJEk/xLibWJmkEBqoVbf1BFDUAiRSSb/0RdfCAGaj1mqV68szVtLt3jB1AJm9iu9RNU047HHQeOi++8g6lOpHmhsksfQLAucLVtLTrXpHDEAugDbSXrwPkhWa2Ej+Iva1p2vteIExcT+8h3WiXkamDBZALpJcLkDSazgAmmrB+6u6odsyin9Z5zB55EN2iz24nGNgyylt9FehC4/2SNHMX42hZ/JPQw51+vZQLoLQv+oOJAVXGBHeDy3kDl60fL6Fr5jZ0YOfO+rFGk4bDpXYjq27ahLv763tVs8SrgMseNWNWTakZUAXuYPbP3GBFEjTPHM4216WABj2cC3zSmrnbEyNRMWTdsm46ASZvhZo4wO8eTrndvy44Q2UKOFOh1sYCY4jjCWCI74pEV3rRcBJASuUipep65ZwXOlFOXu7uiaG01/KWofn4JzzrlX3MfhKsUBaEDTUXwDGw0RAEHQXb3rvfiIjCQBcpy8kM1fBR97K5LFJzZ2/qf2bPGs0yxma1O0Z6TT/2Uk2n62jK2xIM7gvTjPOVDP2etHKVxMpMjhTAbRj4K3568HZM/POBC5AORLAtBAo14CNxRMN8f05Gs13wn9ZI+pqiaOpTTnfH1xL9fd/6I03utzMKnoR8IVhrQLDLT6OAIkdeJX8s99R/J/nTOApk3XACWqjmMTcWtwt6g3x2iTk/1jTTn70rYVr8JLHHCt+bd5H/eDUiq9HpG1oFEZPXuvgATOovru0YVtmVx+yea0jWpJOsK+/SZjYAfvAKh0ZNr8dKHug/gGEpp6SfFBI+c4ywR1kM83OUHLaI/dOU9rLeCKktB+UcvTPoLhHLbTAlTrizeRmYY16Z1a+47LvwX944js3TZZkxqylz73cekWidYiiLNbiHwACftOK/GwZCG0WrVfcSi6pJYDgPgbcqFohaKI7ltKZgTlHGT1mZr1IH1RnauZmN/MkBEKVHO3E/PFgKkWNcXQi4uV2P3j8aHHc0RJrxx7qAFFXCYEwu02pv9nmul/HClLMmDYHDY1lHZvIIyPcsmr1ZkCFRV4UtnZRtXhHNAZCGFRX+y5HQXnubjPmV5I2R/gcLLi//2vIE6V2i8SpEJZlVweLpjRYwb6H6xFTuvHN+9Y5pd3rFx2BapR0AzYdOXUVqKF5ewrfE/1iitsEeDJj8OqmNzpmLBrnROnPyPh/+KGWBG5Nm4QKVMhP7XN1F+Fr7sTxw1ignXsfSwH8v/ELMzxVLu3ijWxvmk3/eOsrKYB/x3h6I1SFWZUoTjVPAmlNAnYl90Xf+FMPiII11+zrYwsJbCh25gmSvtKR+hmoTxXbJ2w5E2cFoVHMBOmS8Uo8L0BDOUzUE64cPl/v119BafVUOohLF1l3Ob19td+sMvqX8OHLGgB+/r6jKmUPnNNEzbDAogMydcVVjtPRIoDScw4ExxuxILN4/V+VulyAgU29OvFWS6+r5Y+bjqgqMg55Of0le3HUqt65qMuqiaUR5P/9WP+H666GsYTSg5I5gPJv0FF6tqXCWE9mpQ4sk2/BiWWaNeojxyhyH/cv4fbUmcee6K3+P+liXyFGGAWdBP5uGb+BzIfSaXVN3xEBPWAAe+BMkJrxbc6FSS12Wkh+bLM+NJH7XaoDl6+8LtF3bstsCoXvQgNlXHlbt4/aIIFEBShlYSQwLMDcey1VB4pu4SBv2HXwaX9zXPd+MGH77DeQU4yBkrElly51/68yzdSGpe6mNFy57Hc3UJBW1pNbds5Gxu+jFbQ6Phxvn38u9V8cphjxzgig0uZjkKHYx0EwFjBqmfrP0hQDnpcyg5QCPhnXOthmVL4jkJs3OrRHhoYRgbXpaVRMpVMLFeeSqcQABaRK5ibpB81WP8yCJPIMsbWW7sDTCiIyLq6qW5pKNq8/l3sq042+6bJgJ3CfDYdNKJCTF/09F5JKkpXeIxL4MGqvg5nOoyiahDQsUzMT3dwGg7IWqxQidcJ576XSBkR2qNwUrl6qq87JP+Zo3RJbA5bpPubm6sUonWE3hRGg4LWceVBO34J/wutWVt4W7dXnK5WVhJv8UHJcbgWR9dMpWkbeMpakqlRRLOTibztMFkx3xyIMmZS+cNyhRyatw+DwX/opuY+bl8X4yKgNOuW/w6r06r4MrL78MTjqZDQ4xkCSL3x3KWr2Tf4lAX6sdwKTzdBdzvFuLeuijngrvRYRyk/3jk/o4ujfHMdrergMjlP5Js7ICZSLhXHHOc2Hc5oPaBIx59r6FynA+W6ROmk5kVF2BNkRlP6/oV5Apn3MMUnDc4YjHaowt8UVkIHZOEL8hxymYDR4g9y1wOoIwKCorBQa5jsXH+AEop3hlsv4uqzrrcGGQhfQEW0Vb1fG4N0VAyWEodaw7wOY3XCrW7yHjIgRM3Is+juT7jMeACW+OQuvQHTS/9bc9n9sXjjVwsvoHROLxsXMFO9HablXaEKzFL1oGXpnavYf/MuZMwALsPish2Mmj9fONNMBo1yYy/j+8GzHCqByDS1ZPnlzPQD0ztGNwNfOOhNOqamqaE9GNHv92yQIf/KKGhnjFH/I9IlzA28eaaSVql/1vdhRAI2G1WxpgyQ1ryRPLYHA/Qw9OYrb+jIxHj9uqfohShgIqnv6TCXRmByfyU6Te3oqKLyezKj7tPCqv1la1ostycmE4msAs4EI7pe1OZcRulPkUJrZCPkvo+EYTw8AfGmwHFb5foQ4wk8pkjTvo1zHmjy0GjMAZpcmDHfyHAyoaED6DUKAHRBbMdSqQJWmzhHkzn5oRCR6UlWSyxRZ1wBIKn+T+kcn28XiLlJrJVK3n2CQkE1c3EfFemnimo0Yc9yNQZygfZjr2W2TnmtAZ5jHiMmv7E8CPxBQBd/pf29z/uAEwQIqVFSHxkVaVjHW5wlhfWwOuj0xZFly,iv:mXE8xpXFBYSJce9pg+g3OedMS9+ZHOHHwydCY0NbGRQ=,tag:cEqbUu9Y1PFKXwaeqioXWA==,type:str]
+ssh_host_rsa_key_pub: ENC[AES256_GCM,data:N60bGf/6KNRhVUq1EIbPVo3aBDDKEpMBr5+Gt3+FMPt3uQEaKk8jBg5mOdxWMTPoLg1ZP/Pme8afoM+Skc0b50WnpErF3Ox1w+4eM0oMJYOhIvHLGURNM3Dba5MgA7YfhPdTsVdjD2yks2vYqhdtEvzTTgCJbFimVJlp+wDqE6czPgMjD03c7oJDtv38OBtc1vRMzVw3cIuyxz2yNnXQxiMgTR6pZN7+Brami2dfXOHEVgymmlU5PRE8Ykerq2fB36N5uqu4/xSPaHaM+/f2OA/TLlYYB+sGMDExZfbO/vsiRBLvTY/f4KG2mEkmH+IFH1bk6UF47xTFEe8tHN/TlLo+9OmjZTph221ZYnOsIqBY+F822ctZEe8Ikz9Ti4F1ApvxxRcWHajbgQnDJdDiHJvt3OHal4rNBtYwxxV/MDZtvKSVxmFwgx7nwNP0oKhAigQkU7Mvp1q5p3dZsdbGCUeFm2S5/qIxWPfr7wg4xocLNSsLW1EpGo6A2RUXWIV+lPuZd9dNEjGC5zKKAgMI94is6MtMXgqlFqTcZuQ9hvhoVDcFhVSJylu8pzk9d/tKviwcd98jHAhdfGpnc9eJbtyBU6/HvxLzQpsbFjwa3LGirEdtgxRZn2nJx++0U6XuLcbGwjOVAhkde6g2vFv5hsC6KaZQcp4AFvMvEdJyrnb0b2TOeOD8zEljb8u2q/eexCRSjGpobEINwu5qV+tF9eHIJ1YFzhCSmmLGKXjc7bC8uv5ffl39JmAbUrffd18zqae+Xpijd+QzwF425NG9+PksAt+PPzt4SDgGfKBIpMNFxIb18oo88z4YDLuNzRy/HVF90JV0LlAxES4ZOxoWUjJPrR6dGxNRANYOyFGmoN+yG3B9kd1NRGRNGh5P9EtZBxlPIi24djzF1n4GQSW1NFDgoGcxaXhk0PlpPxwuHK0X9FkFDDzQUYNBhx7py+hev5rBUCs7Yhj5xgcM88fdLRZi8MulNws=,iv:8c3hDcJ8wzTugmJ3Mhzx/qEXnnlpFefBmRTG/MqyeEg=,tag:uSz6+CYu9uQa0C2DXnHPUA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NDRCejdyRzY4Q3RwY3Nk
+            REV5RklTUWluQzVZZ3V0VUdKTnF3TFRzTUVFCnZxUXRaRlJXSWRqVWZwNG55OW5P
+            T1RHT0xXaDc0bkFCNHZQdW53aWpZMHcKLS0tIDVIWTM4VjN0UXdxK3ptOEtMWG1r
+            THRNR0tEUzhPdFFhWWxvZlpKYmZKM2MKxc5s1jsci8jPOrvZAoofVNvHT4o9P6yv
+            J8rALQQXgql6obK51Q/Doyzvo1RJ0T7epiWEAZm5B3vDrf6KqbWBYw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-08-11T16:46:38Z"
+    mac: ENC[AES256_GCM,data:W9aRsPPRKro6rGbNvBV8bftPklQn6LN6Lq+G45vYTVRZs5t0F1qFqUpXDXKTrZ040mkYnECi7JSRWeJvyfGqHK5KPY1uWtBxDoghYfO/J7VXBNv+NbROO4KoAKYAoOpZSECVqXgm6U69G1GGu8yyrDPDFAcfbFXivXqH+e7t42A=,iv:uUndgDmUHBYCKvb2LHC9zRp+eBwcy6107ocaJFniV6o=,tag:VGKODnvz107hvEoCT0risw==,type:str]
+    pgp:
+        - created_at: "2023-08-11T16:15:11Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMA0SHG/zF3227AQf+LuGZY70bnoWRAzpxCJnxtf0UfoYkIQoVGeHdnjJ5DTx+
+            NXtGN+gYTfuCUIf1lQRnd8FdQbDUSuHFmaDKFFts3SJR24ZO3N761Ye429FycMp3
+            pyx5RYs1qXYMilN/RLSnEqrsjOpnO21VpxuAxbe9HY5Wp0jLDGdUvpdk2mQqqhx8
+            ZYFbEs9ZZHq568k9ELpJcudlNnvkZPoecMsFiAWP1oh7V0cSacfSUJiqXA2/Ug1a
+            8vweej2pwJ6kaoLIFqjD6qI2rKNtSC+woHD517kldLr6BMetNNc/gEiyat2zOGRB
+            596SIBBf3eCvXCHSMJDtOWsT977CUO2pz+DPTmdqMtJRAbbz9Ks22jtPViAFZDzY
+            pyDwCuX2hTJ2c7r3KA0o7lG4pfvfLkOqXXcV3SnSBvYy4fuhLp2Id+1GWCOD0o1O
+            v5QlxcXSMuOeGygclwHdxzs+
+            =NQjH
+            -----END PGP MESSAGE-----
+          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/secrets/shared-users.yaml
+++ b/secrets/shared-users.yaml
@ -16,64 +16,73 @@ sops:
        - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RUdSYmxFdXI2R25OZ0ov
-            TlEwOStVeUxkbE1sbTJWZG5VZFRPNkNOeWlnCm0xMWFCdm4zMjVlcjB1ZXFZVVho
-            TCtVYW84WGh2ZmdsWHBlUFJVcm8vZFkKLS0tIGFYaWptakozYVVvQ0ZmbUFjMFR3
-            b0VBVTV3R2tlckJLQzlvWFVKK1h6aGsKCekGZ/RZ7nNa5yXHfgXGpSrh3J3C95mh
-            7YFgjgd9ey3BGNoMNxm5E++JzxBN0d2tY7sW/G6ub+kOJIt0rAEAkg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYy9FL3pnNmdUa0VEdlV4
-            aFVNTkhGWTZJcUo0YTlORmdINGkxMTlVdHkwClVyakJoZTdxVlF6UTVBbm45d1Bo
-            RUl2S3BaU0NYYmtsSGhHWGxrWjVuemcKLS0tIHlqbXhXN0RUbm9sL09mbjhaSnBP
-            V0hQTUJuUnlOQ1hycDJ4RlY1aCtjOFEKuDt6KRxX7+yYIHxtD0prLdxJSlHwQtxH
-            8U/Q8hoE+L3lBFSE3+syMt1/pu5vHrreIOVTXAxSENsDxcE6noxQvA==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK080NlJKYkZyREFpc1JM
-            ZWxlV2Z5YjZRSnBFMy9CbUs2aHJkcjNVR2dJCjN5SXQzbWtiZlZBK0g0Y1ZPcHJK
-            cXRCTStRSG1lamUvOFBxSFViWmFVeW8KLS0tIDFUNlRkS2RLMGdULzhzdSt5Uk02
-            TjZZN1lFZ3g3YzVxQUlyQ1Y5S1NWeFEKGjqEPuxaUR/WQc+4OhUzLgtSCatVmtx+
-            q4Y/wC1eqUKJHzqIMa3qeWXwrGbf6ScL3s0bNc9sxvPmWQ3NLvjUfg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMVEs2NzlqWnExV28vOG9j
+            Zjc0QXgrc2M3SkkvS3dyL3QrSHFYa0JSRmhZCmZFd3EzcURSWmRvK3VIakQyNFhR
+            dWN0c1FqR09XSkFUV3pEOFpsRlZhVlUKLS0tIDVDb25JMUh3TkJYa0pTdDUrYnpl
+            R3RVdkdvVnhIc2ZKUldGYjlnMzdicHcKL0Bcw6N93/v32cqFuoalcdmTv8/MLs7f
+            9EgegS0+/xOriZmrwel6kNZlcoBR1JbC9qZO6s0D1B5nA1QLHnwvRw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Uk9zWHJCY2dnamN1S1hU
-            ZWhoTkptaVArOGlHZ01Nd0ZkaGpFQ2dUU0hzCnR3WGtCVkJtSzlncVVhVU11K2d1
-            SVpHa1RXN1dWMDE4cExiV2ordkhTSTAKLS0tIFBkV3oyS2VVVU92b0hnRG1nQytW
-            QU5IR2FaVGswZkhIOWhzWGh4YmUyMk0KVJEFNmm57SSUreilhuzLofZIlnILnO7F
-            rWASlGDi4YSGquM3lEfdn5rwqqJ3d77hSeRQEnaGhnClDYSH3nzjZQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MFg3TkhOY3hNZE9Uc1pF
+            OWJGWHh2cHJDUlhJUmVSMlFGR0lxSG1pcVRjCjZqMTdOTkJyT2N1QWdBOC9sbVo2
+            NnIvRUtqUTZkbFI3WGZJaHg5M01DUnMKLS0tIGY1eG44NHlSY2RPeVFWWlpaQ2w5
+            dGNsUHhEYjhkTVY1bFdpQmJMSzh5aVkKK6t7EUzhCUNjxl5dFXPezX53EVCworvn
+            NMaDqS5RgwQhILl04/eGyb5KcQksGQBdN5MacXX872BlOUeuWOez2g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldnVDczdmVUd3OS9jTnpB
-            dDkrQS9JcUY5b3YxY0lzVFEyUTlPNk5rM1VVCk9qMzJHWitrY0pjU0NCMWI0ODhG
-            S29DL0tPNWtkTStPTWRZdzlQWFJsTWcKLS0tIDdWZ1lVejcyVW5mcTgyR3ZMWlJq
-            RTdBNkRINWN3MTZOSXdPMXovNDNSQUEKJZhJFN6zmdCtzoCdKiKfYQf4vU8AXRvz
-            wHnPO2H8SAMK8XqjdXvIrRK6iXQIjonHO2ilTDxAGNPAFN5BpbGrWQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdXA0SllGSjZRMDhXajFK
+            REp4RzBjQ3pqYnRZLzRMb0NGQVJyeDJYa2dRCk4ydjFmU0pEazJaUTNDV2pKQUUr
+            cExrU09iTHFWdXB1UGJBcnRsd3VraGcKLS0tIHVid2dhUWpSN09uU0IwUVFBcmdM
+            OGxuOTZJR3JnVUFGbjczYzQwSGc1Sm8KhzJ0+4No3Z8sAshkEIj5/4Sz3rJxC7Ki
+            0VTPwftdnPcnOAhZ3z8xrZILeOPjzHwCC4N45vAvYbiNOXCr8VF5NA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZEFoTWFWMHl0dkoycXU5
+            TmhYU3hCWENGMzRqdnZNckVhODhzUUFlcWpFCldBYkkveTBPSGkvSEVrUXRXcE5E
+            UnFkNnB4TjZBN2Z1ODZVOHlacHZkc0EKLS0tIEI3Vjhzb2FXU05aSTNpT2pzWndV
+            NEdsK2xDaEkwekR2SS9DUmxzc2pKdTQKq/blmeAXpmo9Gmh8Ws1kLuio+sJUZXaC
+            BOBc0m4Dp5y+lTpqvyA9jA9sAZngPo502B+M9tY5rdIxkAR+aCbVUQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUGorR0ZIa3hNRWJvc0Zl
+            a1pPRExtbWc3a0VRS2duamZKTVBvL2FtaTFFCkpyTzdoRTh1bHJTclNFQXJBdDlw
+            M3RSQk9jMWh5ODdxY3FRamw1eWYwcFEKLS0tIHRIVk1ESk4yNkZ0MGxBTmtUVTJB
+            czlMQml3R1FlNEh6cnNoaGxXQk5jSk0KWuhdW4hVOTHaLwmmlnUazb5XLQdRcZRz
+            aN2qDOsAnSOqPgE/iXp4+88Y3iu05dWHgbMuWpS1lAFN+bv4s0zxCg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VG5odWxKdkN5NFRUcnA3
+            ZFZpWDl3MGlzUmVrWVBEaWhrczVDdDgrM0FVCk5pOFJYSlcyclE1V3lUT1JWY01a
+            czVHcnlMcVZISFprdEZvRGxKditsVlUKLS0tIGJmZVVnTngyZWZaSkoyZ0doa0VD
+            bkIzU1ZCV20wRHhNaWtFcTMrNlQvSUEKrd4c5oMU+UqxbDM4sc2JVmlK+Qmoj/zp
+            2Qc29mNIxP98cjfiPKe3IHidXIbzH0OluYfeFTfBCclbsn3mLpvltg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-07-06T20:14:22Z"
    mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str]
    pgp:
-        - created_at: "2023-07-10T08:17:16Z"
+        - created_at: "2023-08-11T16:15:15Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            wcBMA0SHG/zF3227AQf8DDe0qysI5DL1xc6IbIQ+a2oKtiNyL0P4pwrdfsCcudMm
-            dfhnap8JHPfVssucbA7Gicpg8iZxy9+M1o5E4es1EUBWun+tf+9utHmRKLkAJb98
-            OPm+vvp/fzRU0bAtvwchskCc4REWbsq82UQdQl8uPhGoCweyWDusmAmXjjECBWmP
-            sW1pSb0tGvtHM7m0cpLYepWHUZ/VOcNBeuv3fGDuI3M0fv+lCTgYQJOtIrJv+xFf
-            q9dB1HGJaePsKLxmQTJW1gFdoWkc3ndfBwytY00iho1xPbrKAPSZojE0Wj227DPx
-            YynEy8ruLWIVcFZsjfEm961kRiwb8MwK1xB7ov/d79JRAXrovFTT3EfFZ+2pY2FW
-            w8TKQjGol/+vJ2mzlQV0LFtAxjUvgNgoAC/cJgl5c+N4qXz4ChgiT38yZ7JW2e2c
-            OUwOtIhmRp4PNBU+402xfgYI
-            =X23Q
+            wcBMA0SHG/zF3227AQf/aAO5OvMbhN/6/U9b1gj415csZ/PYBB8GJuQ+disXV/Tp
+            mTMdzmsQVcfefdVoBhd2HUfLv/OlcM2eF4751eu6NP7MBDad5XHZpYON0SCRjiJv
+            vG0xl+KwI/AQYUWQjBhyMcECqjRLJL6EyyW37ykSGMLNMjbdDCISkVniNYFt9pRE
+            XkuWQNnDF++vDSZtVxDZvuCIXNZC7isSh5UNjtFdGpc9nMcAra/ALuWx2NjOTKpG
+            QJ4Ilic2mrE4PIQuf60MnC5lfOJWWbKgR832Sik+ZY/2Nocp2KYsrDyrKRglUu2S
+            AGdmQrPl3nq0yp1zCGujYFQIQmCQKLPTcoz99x5xR9JRAeK6e/xKJcCM5UgRk6IK
+            ULdIYK3EGv432KHj6DJFhW6lYWJBnZwkcNsVhxS3qbuccP7CJr51UDZ4ipfoQQtV
+            irHq+0IfShQpgoPu8YJ+A1T1
+            =qLIi
            -----END PGP MESSAGE-----
          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
    unencrypted_suffix: _unencrypted
--- a/secrets/sj-vps-htz0/secrets.yaml
+++ b/secrets/sj-vps-htz0/secrets.yaml
@ -0,0 +1,37 @@
+#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment]
+passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v
+            ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL
+            dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2
+            czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0
+            iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-08-11T16:32:20Z"
+    mac: ENC[AES256_GCM,data:dgiAU9oMoHi1KvmkSbmNYRA6s2dIrsn8JC5UVpmfUUV5X+u+xwzt+QA/9IRHQoBWL3UZNz4E5qIvitEDx0xP8BktfNd2cGmeaBWT5e7YiSYGWNek0r/2SgXf8aSKsay4g+qdkE4mnxhRcj1pOc6dP5cKE/qh7vjnjlpTOMdp1wE=,iv:M7HE/XQGwttkwY7uXf7SHffwcaSzLqATB5Vqes3+W9w=,tag:vBhNC8zgNPPIzeNjikLt9A==,type:str]
+    pgp:
+        - created_at: "2023-08-11T16:31:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n
+            TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7
+            R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ
+            JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP
+            kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy
+            0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT
+            eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7
+            C5Jot9exml6467YZkApBm0eM
+            =HulH
+            -----END PGP MESSAGE-----
+          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
Author	SHA1	Message	Date
Stefan Junker	f7de354cbe	chore(flake): comment router0-dmz0 deploy cmd	2023-08-11 18:54:56 +02:00
Stefan Junker	7ecc31cfcf	feat(sj-vps-htz0): separate secrets	2023-08-11 18:51:47 +02:00
Stefan Junker	5de5e57518	feat(router0-dmz0): init bpir3 based router	2023-08-11 18:51:25 +02:00
Stefan Junker	742e432ce7	feat(common/users): init module and add customization options	2023-08-11 18:51:25 +02:00