prototype

Move s0 to systemd-boot
Automatically set machine hostname
2023-04-26 14:46:55 -06:00 · 2023-04-25 23:41:08 -06:00 · 2023-04-24 20:52:17 -06:00 · 2023-04-23 10:29:18 -06:00 · 2023-04-23 10:28:55 -06:00 · 2023-04-23 10:16:54 -06:00
62 changed files with 1428 additions and 679 deletions
--- a/README.md
+++ b/README.md
@@ -6,7 +6,6 @@
    - `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
    - `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
    - `/server` - config that creates new nixos services or extends existing ones to meet my needs
-    - `/ssh.nix` - all ssh public host and user keys for all `/machines`
 - `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
    - `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
 - `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys
--- a/TODO.md
+++ b/TODO.md
@@ -11,7 +11,6 @@

 ### Housekeeping
 - Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
- CI https://gvolpe.com/blog/nixos-binary-cache-ci/
 - remove `options.currentSystem`
 - allow `hostname` option for webservices to be null to disable configuring nginx

@@ -50,7 +49,32 @@
 - https://christine.website/blog/paranoid-nixos-2021-07-18
 - https://nixos.wiki/wiki/Impermanence

+# Setup CI
+- CI
+    - hydra
+    - https://docs.cachix.org/continuous-integration-setup/
+- Binary Cache
+    - Maybe use cachix https://gvolpe.com/blog/nixos-binary-cache-ci/
+    - Self hosted binary cache? https://www.tweag.io/blog/2019-11-21-untrusted-ci/
+    - https://github.com/edolstra/nix-serve
+    - https://nixos.wiki/wiki/Binary_Cache
+    - https://discourse.nixos.org/t/introducing-attic-a-self-hostable-nix-binary-cache-server/24343
+- Both
+    - https://garnix.io/
+    - https://nixbuild.net
+
+
+# Secrets
+- consider using headscale
+- Replace luks over tor for remote unlock with luks over tailscale using ephemeral keys
+- Rollover luks FDE passwords
+- /secrets on personal computers should only be readable using a trusted ssh key, preferably requiring a yubikey
+- Rollover shared yubikey secrets
+- offsite backup yubikey, pw db, and ssh key with /secrets access
+
 ### Misc
+- for automated kernel upgrades on luks systems, need to kexec with initrd that contains luks key
+  - https://github.com/flowztul/keyexec/blob/master/etc/default/kexec-cryptroot
 - https://github.com/pop-os/system76-scheduler
 - improve email a little bit https://helloinbox.email
 - remap razer keys https://github.com/sezanzeb/input-remapper
--- a/common/auto-update.nix
+++ b/common/auto-update.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, pkgs, lib, ... }:

 # Modify auto-update so that it pulls a flake

@@ -6,10 +6,20 @@ let
  cfg = config.system.autoUpgrade;
 in
 {
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
      system.autoUpgrade = {
        flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
-      flags = [ "--recreate-lock-file" ]; # ignore lock file, just pull the latest
-    };
+        flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
+
+        # dates = "03:40";
+        # kexecWindow = lib.mkDefault { lower = "01:00"; upper = "05:00"; };
+        # randomizedDelaySec = "45min";
      };
+
+      system.autoUpgrade.allowKexec = lib.mkDefault true;
+
+      luks.enableKexec = cfg.allowKexec && builtins.length config.luks.devices > 0;
+    }
+  ]);
 }
--- a/common/boot/default.nix
+++ b/common/boot/default.nix
@@ -5,6 +5,8 @@
    ./firmware.nix
    ./efi.nix
    ./bios.nix
+    ./kexec-luks.nix
+    ./luks.nix
    ./remote-luks-unlock.nix
  ];
 }
--- a/common/boot/kexec-luks.nix
+++ b/common/boot/kexec-luks.nix
@@ -0,0 +1,121 @@
+# Allows kexec'ing as an alternative to rebooting for machines that
+# have luks encrypted partitions that need to be mounted at boot.
+# These luks partitions will be automatically unlocked, no password,
+# or any interaction needed whatsoever.
+
+# This is accomplished by fetching the luks key(s) while the system is running,
+# then building a temporary initrd that contains the luks key(s), and kexec'ing.
+
+{ config, lib, pkgs, ... }:
+
+{
+  options.luks = {
+    enableKexec = lib.mkEnableOption "Enable support for transparent passwordless kexec while using luks";
+  };
+
+  config = lib.mkIf config.luks.enableKexec {
+    luks.fallbackToPassword = true;
+    luks.disableKeyring = true;
+
+    boot.initrd.luks.devices = lib.listToAttrs
+      (builtins.map
+        (item:
+          {
+            name = item;
+            value = {
+              masterKeyFile = "/etc/${item}.key";
+            };
+          })
+        config.luks.deviceNames);
+
+    systemd.services.prepare-luks-kexec-image = {
+      description = "Prepare kexec automatic LUKS unlock on kexec reboot without a password";
+
+      wantedBy = [ "kexec.target" ];
+      unitConfig.DefaultDependencies = false;
+      serviceConfig.Type = "oneshot";
+
+      path = with pkgs; [ file kexec-tools coreutils-full cpio findutils gzip xz zstd lvm2 xxd gawk ];
+
+      # based on https://github.com/flowztul/keyexec
+      script = ''
+        system=/nix/var/nix/profiles/system
+        old_initrd=$(readlink -f "$system/initrd")
+
+        umask 0077
+        CRYPTROOT_TMPDIR="$(mktemp -d --tmpdir=/dev/shm)"
+
+        cleanup() {
+          shred -fu "$CRYPTROOT_TMPDIR/initrd_contents/etc/"*.key || true
+          shred -fu "$CRYPTROOT_TMPDIR/new_initrd" || true
+          shred -fu "$CRYPTROOT_TMPDIR/secret/"* || true
+          rm -rf "$CRYPTROOT_TMPDIR"
+        }
+        # trap cleanup INT TERM EXIT
+
+        mkdir -p "$CRYPTROOT_TMPDIR"
+        cd "$CRYPTROOT_TMPDIR"
+
+        # Determine the compression type of the initrd image
+        compression=$(file -b --mime-type "$old_initrd" | awk -F'/' '{print $2}')
+
+        # Decompress the initrd image based on its compression type
+        case "$compression" in
+          gzip)
+            gunzip -c "$old_initrd" > initrd.cpio
+            ;;
+          xz)
+            unxz -c "$old_initrd" > initrd.cpio
+            ;;
+          zstd)
+            zstd -d -c "$old_initrd" > initrd.cpio
+            ;;
+          *)
+            echo "Unsupported compression type: $compression"
+            exit 1
+            ;;
+        esac
+
+        # Extract the contents of the cpio archive
+        mkdir -p initrd_contents
+        cd initrd_contents
+        cpio -idv < ../initrd.cpio
+
+        # Generate keys and add them to the extracted initrd filesystem
+        luksDeviceNames=(${builtins.concatStringsSep " " config.luks.deviceNames})
+        for item in "''${luksDeviceNames[@]}"; do
+          dmsetup --showkeys table "$item" | cut -d ' ' -f5 | xxd -ps -g1 -r > "./etc/$item.key"
+        done
+
+        # Add normal initrd secrets too
+        ${lib.concatStringsSep "\n" (lib.mapAttrsToList (dest: source:
+            let source' = if source == null then dest else builtins.toString source; in
+              ''
+                mkdir -p $(dirname "./${dest}")
+                cp -a ${source'} "./${dest}"
+              ''
+          ) config.boot.initrd.secrets)
+        }
+
+        # Create a new cpio archive with the modified contents
+        find . | cpio -o -H newc -v > ../new_initrd.cpio
+
+        # Compress the new cpio archive using the original compression type
+        cd ..
+        case "$compression" in
+          gzip)
+            gunzip -c new_initrd.cpio > new_initrd
+            ;;
+          xz)
+            unxz -c new_initrd.cpio > new_initrd
+            ;;
+          zstd)
+            zstd -c new_initrd.cpio > new_initrd
+            ;;
+        esac
+
+        kexec --load "$system/kernel" --append "init=$system/init ${builtins.concatStringsSep " " config.boot.kernelParams}" --initrd "$CRYPTROOT_TMPDIR/new_initrd"
+      '';
+    };
+  };
+}
--- a/common/boot/luks.nix
+++ b/common/boot/luks.nix
@@ -0,0 +1,74 @@
+# Makes it a little easier to configure luks partitions for boot
+# Additionally, this solves a circular dependency between kexec luks
+# and NixOS's luks module.
+
+{ config, lib, ... }:
+
+let
+  cfg = config.luks;
+
+  deviceCount = builtins.length cfg.devices;
+
+  deviceMap = lib.imap
+    (i: item: {
+      device = item;
+      name =
+        if deviceCount == 1 then "enc-pv"
+        else "enc-pv${builtins.toString (i + 1)}";
+    })
+    cfg.devices;
+in
+{
+  options.luks = {
+    devices = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+    };
+
+    allowDiscards = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+
+    fallbackToPassword = lib.mkEnableOption
+      "Fallback to interactive passphrase prompt if the cannot be found.";
+
+    disableKeyring = lib.mkEnableOption
+      "When opening LUKS2 devices, don't use the kernel keyring";
+
+    # set automatically, don't touch
+    deviceNames = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+    };
+  };
+
+  config = lib.mkMerge [
+    {
+      assertions = [
+        {
+          assertion = deviceCount == builtins.length (builtins.attrNames config.boot.initrd.luks.devices);
+          message = ''
+            All luks devices must be specified using `luks.devices` not `boot.initrd.luks.devices`.
+          '';
+        }
+      ];
+    }
+    (lib.mkIf (deviceCount != 0) {
+      luks.deviceNames = builtins.map (device: device.name) deviceMap;
+
+      boot.initrd.luks.devices = lib.listToAttrs (
+        builtins.map
+          (item:
+            {
+              name = item.name;
+              value = {
+                device = item.device;
+                allowDiscards = cfg.allowDiscards;
+                fallbackToPassword = cfg.fallbackToPassword;
+                disableKeyring = cfg.disableKeyring;
+              };
+            })
+          deviceMap);
+    })
+  ];
+}
--- a/common/boot/remote-luks-unlock.nix
+++ b/common/boot/remote-luks-unlock.nix
@@ -33,11 +33,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    # boot.initrd.luks.devices.${cfg.device.name} = {
-    #   device = cfg.device.path;
-    #   allowDiscards = cfg.device.allowDiscards;
-    # };
-
    # Unlock LUKS disk over ssh
    boot.initrd.network.enable = true;
    boot.initrd.kernelModules = cfg.kernelModules;
--- a/common/default.nix
+++ b/common/default.nix
@@ -1,10 +1,5 @@
 { config, pkgs, ... }:

-let
-  ssh = import ./ssh.nix;
-  sshUserKeys = ssh.users;
-  sshHigherTrustKeys = ssh.higherTrustUserKeys;
-in
 {
  imports = [
    ./backups.nix
@@ -15,6 +10,8 @@ in
    ./boot
    ./server
    ./pc
+    ./machine-info
+    ./ssh.nix
  ];

  nix.flakes.enable = true;
@@ -55,6 +52,7 @@ in
    helix
    lm_sensors
    picocom
+    lf
  ];

  nixpkgs.config.allowUnfree = true;
@@ -67,17 +65,25 @@ in
      "dialout" # serial
    ];
    shell = pkgs.fish;
-    openssh.authorizedKeys.keys = sshUserKeys;
+    openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
    hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
    uid = 1000;
  };
  users.users.root = {
-    openssh.authorizedKeys.keys = sshHigherTrustKeys;
+    openssh.authorizedKeys.keys = config.machines.ssh.deployKeys;
  };
  nix.settings = {
    trusted-users = [ "root" "googlebot" ];
  };

+  # don't use sudo
+  security.doas.enable = true;
+  security.sudo.enable = false;
+  security.doas.extraRules = [
+    # don't ask for password every time
+    { groups = [ "wheel" ]; persist = true; }
+  ];
+
  nix.gc.automatic = true;

  security.acme.acceptTerms = true;
--- a/common/machine-info/default.nix
+++ b/common/machine-info/default.nix
@@ -0,0 +1,200 @@
+# Gathers info about each machine to constuct overall configuration
+# Ex: Each machine already trusts each others SSH fingerprint already
+
+{ config, lib, pkgs, ... }:
+
+let
+  machines = config.machines.hosts;
+in
+{
+  imports = [
+    ./ssh.nix
+    ./roles.nix
+  ];
+
+  options.machines = {
+
+    hosts = lib.mkOption {
+      type = lib.types.attrsOf
+        (lib.types.submodule {
+          options = {
+
+            hostNames = lib.mkOption {
+              type = lib.types.listOf lib.types.str;
+              description = ''
+                List of hostnames for this machine. The first one is the default so it is the target of deployments.
+                Used for automatically trusting hosts for ssh connections.
+              '';
+            };
+
+            arch = lib.mkOption {
+              type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
+              description = ''
+                The architecture of this machine.
+              '';
+            };
+
+            systemRoles = lib.mkOption {
+              type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
+              description = ''
+                The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
+              '';
+            };
+
+            hostKey = lib.mkOption {
+              type = lib.types.str;
+              description = ''
+                The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
+                and for decrypting secrets with agenix.
+              '';
+            };
+
+            remoteUnlock = lib.mkOption {
+              default = null;
+              type = lib.types.nullOr (lib.types.submodule {
+                options = {
+
+                  hostKey = lib.mkOption {
+                    type = lib.types.str;
+                    description = ''
+                      The system ssh host key of this machine used for luks boot unlocking only.
+                    '';
+                  };
+
+                  clearnetHost = lib.mkOption {
+                    default = null;
+                    type = lib.types.nullOr lib.types.str;
+                    description = ''
+                      The hostname resolvable over clearnet used to luks boot unlock this machine
+                    '';
+                  };
+
+                  onionHost = lib.mkOption {
+                    default = null;
+                    type = lib.types.nullOr lib.types.str;
+                    description = ''
+                      The hostname resolvable over tor used to luks boot unlock this machine
+                    '';
+                  };
+
+                };
+              });
+            };
+
+            userKeys = lib.mkOption {
+              default = [ ];
+              type = lib.types.listOf lib.types.str;
+              description = ''
+                The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
+
+                TODO: consider auto populating other programs that use ssh keys such as gitea
+              '';
+            };
+
+            deployKeys = lib.mkOption {
+              default = [ ];
+              type = lib.types.listOf lib.types.str;
+              description = ''
+                The list of deployment keys. Each key here can be used to log into all other systems as `root`.
+              '';
+            };
+
+            configurationPath = lib.mkOption {
+              type = lib.types.path;
+              description = ''
+                The path to this machine's configuration directory.
+              '';
+            };
+
+          };
+        });
+    };
+  };
+
+  config = {
+    assertions = (lib.concatLists (lib.mapAttrsToList
+      (
+        name: cfg: [
+          {
+            assertion = builtins.length cfg.hostNames > 0;
+            message = ''
+              Error with config for ${name}
+              There must be at least one hostname.
+            '';
+          }
+          {
+            assertion = builtins.length cfg.systemRoles > 0;
+            message = ''
+              Error with config for ${name}
+              There must be at least one system role.
+            '';
+          }
+          {
+            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.hostKey != cfg.hostKey;
+            message = ''
+              Error with config for ${name}
+              Unlock hostkey and hostkey cannot be the same because unlock hostkey is in /boot, unencrypted.
+            '';
+          }
+          {
+            assertion = cfg.remoteUnlock == null || (cfg.remoteUnlock.clearnetHost != null || cfg.remoteUnlock.onionHost != null);
+            message = ''
+              Error with config for ${name}
+              At least one of clearnet host or onion host must be defined.
+            '';
+          }
+          {
+            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.clearnetHost == null || builtins.elem cfg.remoteUnlock.clearnetHost cfg.hostNames == false;
+            message = ''
+              Error with config for ${name}
+              Clearnet unlock hostname cannot be in the list of hostnames for security reasons.
+            '';
+          }
+          {
+            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.onionHost == null || lib.strings.hasSuffix ".onion" cfg.remoteUnlock.onionHost;
+            message = ''
+              Error with config for ${name}
+              Tor unlock hostname must be an onion address.
+            '';
+          }
+          {
+            assertion = builtins.elem "personal" cfg.systemRoles || builtins.length cfg.userKeys == 0;
+            message = ''
+              Error with config for ${name}
+              There must be at least one userkey defined for personal machines.
+            '';
+          }
+          {
+            assertion = builtins.elem "deploy" cfg.systemRoles || builtins.length cfg.deployKeys == 0;
+            message = ''
+              Error with config for ${name}
+              Only deploy machines are allowed to have deploy keys for security reasons.
+            '';
+          }
+        ]
+      )
+      machines));
+
+    # Set per machine properties automatically using each of their `properties.nix` files respectively
+    machines.hosts =
+      let
+        properties = dir: lib.concatMapAttrs
+          (name: path: {
+            ${name} =
+              import path
+              //
+              { configurationPath = builtins.dirOf path; };
+          })
+          (propertiesFiles dir);
+        propertiesFiles = dir:
+          lib.foldl (lib.mergeAttrs) { } (propertiesFiles' dir);
+        propertiesFiles' = dir:
+          let
+            propFiles = lib.filter (p: baseNameOf p == "properties.nix") (lib.filesystem.listFilesRecursive dir);
+            dirName = path: builtins.baseNameOf (builtins.dirOf path);
+          in
+          builtins.map (p: { "${dirName p}" = p; }) propFiles;
+      in
+      properties ../../machines;
+  };
+}
--- a/common/machine-info/moduleless.nix
+++ b/common/machine-info/moduleless.nix
@@ -0,0 +1,15 @@
+# Allows getting machine-info outside the scope of nixos configuration
+
+{ nixpkgs ? import <nixpkgs> { }
+, assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix>
+}:
+
+{
+  machines =
+    (nixpkgs.lib.evalModules {
+      modules = [
+        ./default.nix
+        assertionsModule
+      ];
+    }).config.machines;
+}
--- a/common/machine-info/roles.nix
+++ b/common/machine-info/roles.nix
@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+
+# Maps roles to their hosts
+
+{
+  options.machines.roles = lib.mkOption {
+    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+  };
+
+  config = {
+    machines.roles = lib.zipAttrs
+      (lib.mapAttrsToList
+        (host: cfg:
+          lib.foldl (lib.mergeAttrs) { }
+            (builtins.map (role: { ${role} = host; })
+              cfg.systemRoles))
+        config.machines.hosts);
+  };
+}
--- a/common/machine-info/ssh.nix
+++ b/common/machine-info/ssh.nix
@@ -0,0 +1,44 @@
+{ config, lib, ... }:
+
+let
+  machines = config.machines;
+
+  sshkeys = keyType: lib.foldl (l: cfg: l ++ cfg.${keyType}) [ ] (builtins.attrValues machines.hosts);
+in
+{
+  options.machines.ssh = {
+    userKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = ''
+        List of user keys aggregated from all machines.
+      '';
+    };
+
+    deployKeys = lib.mkOption {
+      default = [ ];
+      type = lib.types.listOf lib.types.str;
+      description = ''
+        List of deploy keys aggregated from all machines.
+      '';
+    };
+
+    hostKeysByRole = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+      description = ''
+        Machine host keys divided into their roles.
+      '';
+    };
+  };
+
+  config = {
+    machines.ssh.userKeys = sshkeys "userKeys";
+    machines.ssh.deployKeys = sshkeys "deployKeys";
+
+    machines.ssh.hostKeysByRole = lib.mapAttrs
+      (role: hosts:
+        builtins.map
+          (host: machines.hosts.${host}.hostKey)
+          hosts)
+      machines.roles;
+  };
+}
--- a/common/network/default.nix
+++ b/common/network/default.nix
@@ -7,7 +7,6 @@ let
 in
 {
  imports = [
-    ./hosts.nix
    ./pia-openvpn.nix
    ./pia-wireguard.nix
    ./ping.nix
--- a/common/network/hosts.nix
+++ b/common/network/hosts.nix
@@ -1,57 +0,0 @@
-{ config, lib, ... }:
-
-let
-  system = (import ../ssh.nix).system;
-
-  # hostnames that resolve on clearnet for LUKS unlocking
-  unlock-clearnet-hosts = {
-    ponyo = "unlock.ponyo.neet.dev";
-    s0 = "s0";
-  };
-
-  # hostnames that resolve on tor for LUKS unlocking
-  unlock-onion-hosts = {
-    liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion";
-    router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
-    ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
-    s0 = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
-  };
-in
-{
-  programs.ssh.knownHosts = {
-    ponyo = {
-      hostNames = [ "ponyo" "ponyo.neet.dev" "git.neet.dev" ];
-      publicKey = system.ponyo;
-    };
-    ponyo-unlock = {
-      hostNames = [ unlock-clearnet-hosts.ponyo unlock-onion-hosts.ponyo ];
-      publicKey = system.ponyo-unlock;
-    };
-    router = {
-      hostNames = [ "router" "192.168.1.228" ];
-      publicKey = system.router;
-    };
-    router-unlock = {
-      hostNames = [ unlock-onion-hosts.router ];
-      publicKey = system.router-unlock;
-    };
-    ray = {
-      hostNames = [ "ray" ];
-      publicKey = system.ray;
-    };
-    s0 = {
-      hostNames = [ "s0" ];
-      publicKey = system.s0;
-    };
-    s0-unlock = {
-      hostNames = [ unlock-onion-hosts.s0 ];
-      publicKey = system.s0-unlock;
-    };
-  };
-
-  # prebuilt cmds for easy ssh LUKS unlock
-  environment.shellAliases =
-    lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) unlock-onion-hosts
-    //
-    lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) unlock-clearnet-hosts;
-}
--- a/common/network/pia-openvpn.nix
+++ b/common/network/pia-openvpn.nix
@@ -108,6 +108,6 @@ in
        };
      };
    };
-    age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@@ -352,6 +352,6 @@ in
      };
    };

-    age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }
--- a/common/pc/audio.nix
+++ b/common/pc/audio.nix
@@ -17,45 +17,6 @@ in
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
-
-      # use the example session manager (no others are packaged yet so this is enabled by default,
-      # no need to redefine it in your config for now)
-      #media-session.enable = true;
-
-      config.pipewire = {
-        "context.objects" = [
-          {
-            # A default dummy driver. This handles nodes marked with the "node.always-driver"
-            # properyty when no other driver is currently active. JACK clients need this.
-            factory = "spa-node-factory";
-            args = {
-              "factory.name" = "support.node.driver";
-              "node.name" = "Dummy-Driver";
-              "priority.driver" = 8000;
-            };
-          }
-          {
-            factory = "adapter";
-            args = {
-              "factory.name" = "support.null-audio-sink";
-              "node.name" = "Microphone-Proxy";
-              "node.description" = "Microphone";
-              "media.class" = "Audio/Source/Virtual";
-              "audio.position" = "MONO";
-            };
-          }
-          {
-            factory = "adapter";
-            args = {
-              "factory.name" = "support.null-audio-sink";
-              "node.name" = "Main-Output-Proxy";
-              "node.description" = "Main Output";
-              "media.class" = "Audio/Sink";
-              "audio.position" = "FL,FR";
-            };
-          }
-        ];
-      };
    };

    users.users.googlebot.extraGroups = [ "audio" ];
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -10,6 +10,7 @@
    ./matrix.nix
    ./zerobin.nix
    ./gitea.nix
+    ./gitea-runner.nix
    ./privatebin/privatebin.nix
    ./radio.nix
    ./samba.nix
--- a/common/server/gitea-runner.nix
+++ b/common/server/gitea-runner.nix
@@ -0,0 +1,98 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.gitea-runner;
+in
+{
+  options.services.gitea-runner = {
+    enable = lib.mkEnableOption "Enables gitea runner";
+    dataDir = lib.mkOption {
+      default = "/var/lib/gitea-runner";
+      type = lib.types.str;
+      description = lib.mdDoc "gitea runner data directory.";
+    };
+    instanceUrl = lib.mkOption {
+      type = lib.types.str;
+    };
+    registrationTokenFile = lib.mkOption {
+      type = lib.types.path;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.docker.enable = true;
+
+    users.users.gitea-runner = {
+      description = "Gitea Runner Service";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+      group = "gitea-runner";
+      isSystemUser = true;
+      createHome = true;
+      extraGroups = [
+        "docker" # allow creating docker containers
+      ];
+    };
+    users.groups.gitea-runner = { };
+
+    # registration token
+    services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
+    age.secrets.gitea-runner-registration-token = {
+      file = ../../secrets/gitea-runner-registration-token.age;
+      owner = "gitea-runner";
+    };
+
+    systemd.services.gitea-runner = {
+      description = "Gitea Runner";
+
+      serviceConfig = {
+        WorkingDirectory = cfg.dataDir;
+        User = "gitea-runner";
+        Group = "gitea-runner";
+      };
+
+      requires = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [ gitea-actions-runner ];
+
+      # based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
+      script = ''
+        . ${cfg.registrationTokenFile}
+
+        if [[ ! -s .runner ]]; then
+          try=$((try + 1))
+          success=0
+
+          LOGFILE="$(mktemp)"
+
+          # The point of this loop is to make it simple, when running both act_runner and gitea in docker,
+          # for the act_runner to wait a moment for gitea to become available before erroring out.  Within
+          # the context of a single docker-compose, something similar could be done via healthchecks, but
+          # this is more flexible.
+          while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
+            act_runner register \
+              --instance "${cfg.instanceUrl}" \
+              --token    "$GITEA_RUNNER_REGISTRATION_TOKEN" \
+              --name     "${config.networking.hostName}" \
+              --no-interactive > $LOGFILE 2>&1
+
+            cat $LOGFILE
+
+            cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
+            if [[ $? -eq 0 ]]; then
+              echo "SUCCESS"
+              success=1
+            else
+              echo "Waiting to retry ..."
+              sleep 5
+            fi
+          done
+        fi
+
+        exec act_runner daemon
+      '';
+    };
+  };
+}
--- a/common/server/gitea.nix
+++ b/common/server/gitea.nix
@@ -39,6 +39,9 @@ in
          USER = "robot@runyan.org";
          FROM = "no-reply@neet.dev";
        };
+        actions = {
+          ENABLED = true;
+        };
      };
      mailerPasswordFile = "/run/agenix/robots-email-pw";
    };
--- a/common/server/mailserver.nix
+++ b/common/server/mailserver.nix
@@ -33,7 +33,7 @@ in
      inherit domains;
      loginAccounts = {
        "jeremy@runyan.org" = {
-          hashedPasswordFile = "/run/agenix/email-pw";
+          hashedPasswordFile = "/run/agenix/hashed-email-pw";
          # catchall for all domains
          aliases = map (domain: "@${domain}") domains;
        };
@@ -54,7 +54,7 @@ in
      ];
      certificateScheme = 3; # use let's encrypt for certs
    };
-    age.secrets.email-pw.file = ../../secrets/email-pw.age;
+    age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
    age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;

    # sendmail to use xxx@domain instead of xxx@mail.domain
--- a/common/shell.nix
+++ b/common/shell.nix
@@ -21,6 +21,8 @@
    shellInit = ''
      # disable annoying fish shell greeting
      set fish_greeting
+
+      alias sudo="doas"
    '';
  };

--- a/common/ssh.nix
+++ b/common/ssh.nix
@@ -1,40 +1,38 @@
-rec {
-  users = [
+{ config, lib, pkgs, ... }:
+
+{
+  programs.ssh.knownHosts = lib.filterAttrs (n: v: v != null) (lib.concatMapAttrs
+    (host: cfg: {
+      ${host} = {
+        hostNames = cfg.hostNames;
+        publicKey = cfg.hostKey;
+      };
+      "${host}-remote-unlock" =
+        if cfg.remoteUnlock != null then {
+          hostNames = builtins.filter (h: h != null) [ cfg.remoteUnlock.clearnetHost cfg.remoteUnlock.onionHost ];
+          publicKey = cfg.remoteUnlock.hostKey;
+        } else null;
+    })
+    config.machines.hosts);
+
+  # prebuilt cmds for easy ssh LUKS unlock
+  environment.shellAliases =
+    let
+      unlockHosts = unlockType: lib.concatMapAttrs
+        (host: cfg:
+          if cfg.remoteUnlock != null && cfg.remoteUnlock.${unlockType} != null then {
+            ${host} = cfg.remoteUnlock.${unlockType};
+          } else { })
+        config.machines.hosts;
+    in
+    lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) (unlockHosts "onionHost")
+    //
+    lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) (unlockHosts "clearnetHost");
+
+  # TODO: Old ssh keys I will remove some day...
+  machines.ssh.userKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray
-  ];
-  system = {
-    ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
-    ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
-    ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
-    router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
-    router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
-    s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
-    s0-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
-  };
-
-  higherTrustUserKeys = [
-    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEaGIwLiUa6wQLlEF+keQOIYy/tCmJvV6eENzUQjSqW2AAAABHNzaDo=" # ray fido
-  ];
-
-  # groups
-  systems = with system; [
-    ponyo
-    ray
-    router
-    s0
-  ];
-  personal = with system; [
-    ray
-  ];
-  servers = with system; [
-    ponyo
-    router
-    s0
-  ];
-  storage = with system; [
-    s0
  ];
 }
--- a/flake.lock
+++ b/flake.lock
@@ -8,11 +8,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1675176355,
-        "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
+        "lastModified": 1682101079,
+        "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
+        "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
        "type": "github"
      },
      "original": {
@@ -117,11 +117,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1674127017,
-        "narHash": "sha256-QO1xF7stu5ZMDLbHN30LFolMAwY6TVlzYvQoUs1RD68=",
+        "lastModified": 1682063650,
+        "narHash": "sha256-VaDHh2z6xlnTHaONlNVHP7qEMcK5rZ8Js3sT6mKb2XY=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "8c9ea9605eed20528bf60fae35a2b613b901fd77",
+        "rev": "c2ea4e642dc50fd44b537e9860ec95867af30d39",
        "type": "github"
      },
      "original": {
@@ -147,12 +147,15 @@
      }
    },
    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
      "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
        "type": "github"
      },
      "original": {
@@ -168,11 +171,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1677382901,
-        "narHash": "sha256-2idFWlTVG+qUZkU2/W50amGSIxmN56igIkMAXKbv4S4=",
+        "lastModified": 1681591833,
+        "narHash": "sha256-lW+xOELafAs29yw56FG4MzNOFkh8VHC/X/tRs1wsGn8=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "4306fa7c12e098360439faac1a2e6b8e509ec97c",
+        "rev": "68ec961c51f48768f72d2bbdb396ce65a316677e",
        "type": "github"
      },
      "original": {
@@ -183,11 +186,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1677823547,
-        "narHash": "sha256-xD2qco8Pw8HAXgjf9OSi2H2N20WaTrtvgcl21525kVE=",
+        "lastModified": 1682133240,
+        "narHash": "sha256-s6yRsI/7V+k/+rckp0+/2cs/UXnea3SEfMpy95QiGcc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "78c4d33c16092e535bc4ba1284ba49e3e138483a",
+        "rev": "8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8",
        "type": "github"
      },
      "original": {
@@ -304,6 +307,21 @@
        "type": "gitlab"
      }
    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "utils": {
      "locked": {
        "lastModified": 1605370193,
--- a/flake.nix
+++ b/flake.nix
@@ -44,11 +44,18 @@
    nixpkgs-hostapd-pr.flake = false;
  };

-  outputs = { self, nixpkgs, ... }@inputs: {
-
+  outputs = { self, nixpkgs, ... }@inputs:
+    let
+      machines = (import ./common/machine-info/moduleless.nix
+        {
+          inherit nixpkgs;
+          assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
+        }).machines.hosts;
+    in
+    {
      nixosConfigurations =
        let
-        modules = system: with inputs; [
+          modules = system: hostname: with inputs; [
            ./common
            simple-nixos-mailserver.nixosModule
            agenix.nixosModules.default
@@ -56,19 +63,23 @@
            archivebox.nixosModule
            nix-index-database.nixosModules.nix-index
            ({ lib, ... }: {
-            config.environment.systemPackages = [
+              config = {
+                environment.systemPackages = [
                  agenix.packages.${system}.agenix
                ];

+                networking.hostName = hostname;
+              };
+
              # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
              options.inputs = lib.mkOption { default = inputs; };
              options.currentSystem = lib.mkOption { default = system; };
            })
          ];

-        mkSystem = system: nixpkgs: path:
+          mkSystem = system: nixpkgs: path: hostname:
            let
-            allModules = modules system;
+              allModules = modules system hostname;

              # allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
              patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
@@ -76,6 +87,7 @@
                src = nixpkgs;
                patches = [
                  inputs.nixpkgs-hostapd-pr
+                  ./patches/kexec-luks.patch
                ];
              };
              patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
@@ -90,13 +102,10 @@
              };
            };
        in
-      {
-        "ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
-        # "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
-        "ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
-        "router" = mkSystem "x86_64-linux" nixpkgs ./machines/router/configuration.nix;
-        "s0" = mkSystem "x86_64-linux" nixpkgs ./machines/storage/s0/configuration.nix;
-      };
+        nixpkgs.lib.mapAttrs
+          (hostname: cfg:
+            mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
+          machines;

      packages =
        let
@@ -120,19 +129,17 @@

      deploy.nodes =
        let
-        mkDeploy = configName: hostname: {
+          mkDeploy = configName: arch: hostname: {
            inherit hostname;
            magicRollback = false;
            sshUser = "root";
-          profiles.system.path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configName};
+            profiles.system.path = inputs.deploy-rs.lib.${arch}.activate.nixos self.nixosConfigurations.${configName};
          };
-
        in
-      {
-        s0 = mkDeploy "s0" "s0";
-        router = mkDeploy "router" "router";
-        ponyo = mkDeploy "ponyo" "ponyo.neet.dev";
-      };
+        nixpkgs.lib.mapAttrs
+          (hostname: cfg:
+            mkDeploy hostname cfg.arch (builtins.head cfg.hostNames))
+          machines;

      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
    };
--- a/machines/ephemeral/minimal.nix
+++ b/machines/ephemeral/minimal.nix
@@ -1,8 +1,10 @@
-{ pkgs, modulesPath, ... }:
+{ config, pkgs, modulesPath, ... }:

 {
  imports = [
    (modulesPath + "/installer/cd-dvd/channel.nix")
+    ../../common/machine-info
+    ../../common/ssh.nix
  ];

  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
@@ -16,6 +18,8 @@

  boot.kernelPackages = pkgs.linuxPackages_latest;

+  system.stateVersion = "21.11";
+
  # hardware.enableAllFirmware = true;
  # nixpkgs.config.allowUnfree = true;

@@ -38,10 +42,12 @@

  services.openssh = {
    enable = true;
-    challengeResponseAuthentication = false;
-    passwordAuthentication = false;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
+    };
  };

  services.getty.autologinUser = "root";
-  users.users.root.openssh.authorizedKeys.keys = (import ../../common/ssh.nix).users;
+  users.users.root.openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
 }
--- a/machines/phil/default.nix
+++ b/machines/phil/default.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  services.gitea-runner = {
+    enable = true;
+    instanceUrl = "https://git.neet.dev";
+  };
+
+  system.autoUpgrade.enable = true;
+}
--- a/machines/phil/hardware-configuration.nix
+++ b/machines/phil/hardware-configuration.nix
@@ -0,0 +1,43 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  # because grub just doesn't work for some reason
+  boot.loader.systemd-boot.enable = true;
+
+  remoteLuksUnlock.enable = true;
+  remoteLuksUnlock.enableTorUnlock = false;
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  luks.devices = [ "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194" ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/F185-C4E5";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }];
+
+  networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
--- a/machines/phil/properties.nix
+++ b/machines/phil/properties.nix
@@ -0,0 +1,20 @@
+{
+  hostNames = [
+    "phil"
+    "phil.neet.dev"
+  ];
+
+  arch = "aarch64-linux";
+
+  systemRoles = [
+    "server"
+    "gitea-runner"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd";
+    clearnetHost = "unlock.phil.neet.dev";
+  };
+}
--- a/machines/ponyo/configuration.nix
+++ b/machines/ponyo/configuration.nix
@@ -5,9 +5,10 @@
    ./hardware-configuration.nix
  ];

-  networking.hostName = "ponyo";
-
  system.autoUpgrade.enable = true;
+  # I want to manually trigger kexec updates for now on ponyo
+  system.autoUpgrade.allowKexec = false;
+  luks.enableKexec = true;

  # p2p mesh network
  services.tailscale.exitNode = true;
--- a/machines/ponyo/hardware-configuration.nix
+++ b/machines/ponyo/hardware-configuration.nix
@@ -19,12 +19,15 @@
  };

  remoteLuksUnlock.enable = true;
-  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
-  boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/e52b01b3-81c8-4bb2-ae7e-a3d9c793cb00"; # expanded disk
+
+  luks.devices = [
+    "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2"
+    "/dev/disk/by-uuid/e52b01b3-81c8-4bb2-ae7e-a3d9c793cb00"
+  ];

  fileSystems."/" =
    {
-      device = "/dev/mapper/enc-pv";
+      device = "/dev/mapper/enc-pv1";
      fsType = "btrfs";
    };

--- a/machines/ponyo/properties.nix
+++ b/machines/ponyo/properties.nix
@@ -0,0 +1,28 @@
+{
+  hostNames = [
+    "ponyo"
+    "ponyo.neet.dev"
+    "git.neet.dev"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "server"
+    "email-server"
+    "iodine"
+    "pia"
+    "nextcloud"
+    "dailybot"
+    "gitea"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
+
+    clearnetHost = "unlock.ponyo.neet.dev";
+    onionHost = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
+  };
+}
--- a/machines/ray/configuration.nix
+++ b/machines/ray/configuration.nix
@@ -5,8 +5,6 @@
    ./hardware-configuration.nix
  ];

-  networking.hostName = "ray";
-
  # for luks onlock over tor
  services.tor.enable = true;
  services.tor.client.enable = true;
@@ -18,10 +16,20 @@
  hardware.openrazer.devicesOffOnScreensaver = false;
  users.users.googlebot.packages = [ pkgs.polychromatic ];

-  # depthai
  services.udev.extraRules = ''
+    # depthai
    SUBSYSTEM=="usb", ATTRS{idVendor}=="03e7", MODE="0666"
+
+    # Moonlander
+    # Rules for Oryx web flashing and live training
+    KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", MODE="0664", GROUP="plugdev"
+    KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0664", GROUP="plugdev"
+    # Wally Flashing rules for the Moonlander and Planck EZ
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE:="0666", SYMLINK+="stm32_dfu"
  '';
+  users.groups.plugdev = {
+    members = [ "googlebot" ];
+  };

  # virt-manager
  virtualisation.libvirtd.enable = true;
@@ -37,6 +45,9 @@

  virtualisation.docker.enable = true;

+  virtualisation.appvm.enable = true;
+  virtualisation.appvm.user = "googlebot";
+
  services.mount-samba.enable = true;

  de.enable = true;
--- a/machines/ray/hardware-configuration.nix
+++ b/machines/ray/hardware-configuration.nix
@@ -36,10 +36,7 @@

  # disks
  remoteLuksUnlock.enable = true;
-  boot.initrd.luks.devices."enc-pv" = {
-    device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
-    allowDiscards = true;
-  };
+  luks.devices = [ "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce" ];
  fileSystems."/" =
    {
      device = "/dev/vg/root";
@@ -59,7 +56,4 @@
    };
  swapDevices =
    [{ device = "/dev/vg/swap"; }];
-
-  # high-resolution display
-  hardware.video.hidpi.enable = lib.mkDefault true;
 }
--- a/machines/ray/properties.nix
+++ b/machines/ray/properties.nix
@@ -0,0 +1,22 @@
+{
+  hostNames = [
+    "ray"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "personal"
+    "deploy"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
+
+  userKeys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP"
+  ];
+
+  deployKeys = [
+    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEaGIwLiUa6wQLlEF+keQOIYy/tCmJvV6eENzUQjSqW2AAAABHNzaDo="
+  ];
+}
--- a/machines/router/configuration.nix
+++ b/machines/router/configuration.nix
@@ -11,8 +11,6 @@
  # https://github.com/skogsbrus/os/blob/master/sys/router.nix
  # http://trac.gateworks.com/wiki/wireless/wifi 

-  networking.hostName = "router";
-
  system.autoUpgrade.enable = true;

  services.tailscale.exitNode = true;
--- a/machines/router/hardware-configuration.nix
+++ b/machines/router/hardware-configuration.nix
@@ -32,7 +32,7 @@

  # disks
  remoteLuksUnlock.enable = true;
-  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
+  luks.devices = [ "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c" ];
  fileSystems."/" =
    {
      device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";
--- a/machines/router/properties.nix
+++ b/machines/router/properties.nix
@@ -0,0 +1,21 @@
+{
+  hostNames = [
+    "router"
+    "192.168.1.228"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "server"
+    "wireless"
+    "router"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
+    onionHost = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
+  };
+}
--- a/machines/storage/s0/configuration.nix
+++ b/machines/storage/s0/configuration.nix
@@ -5,8 +5,6 @@
    ./hardware-configuration.nix
  ];

-  networking.hostName = "s0";
-
  system.autoUpgrade.enable = true;

  services.iperf3.enable = true;
--- a/machines/storage/s0/hardware-configuration.nix
+++ b/machines/storage/s0/hardware-configuration.nix
@@ -7,7 +7,7 @@
    ];

  # boot
-  efi.enable = true;
+  boot.loader.systemd-boot.enable = true;
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
@@ -25,10 +25,12 @@

  # luks
  remoteLuksUnlock.enable = true;
-  boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86";
-  boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3";
-  boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
-  boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
+  luks.devices = [
+    "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86"
+    "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3"
+    "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38"
+    "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc"
+  ];

  # mounts
  fileSystems."/" =
--- a/machines/storage/s0/properties.nix
+++ b/machines/storage/s0/properties.nix
@@ -0,0 +1,20 @@
+{
+  hostNames = [
+    "s0"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "storage"
+    "server"
+    "pia"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
+    onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
+  };
+}
--- a/new_machine.txt
+++ b/new_machine.txt
@@ -1,27 +1,34 @@
+# New Machine Setup
+
+### Prepare Shell If Needed
+
+```sh
 nix-shell -p nixFlakes git
+```
+
+### Disk Setup
+```sh
 cfdisk
-mkfs.ext3 boot
 cryptsetup luksFormat /dev/vda2
 cryptsetup luksOpen /dev/vda2 enc-pv
 pvcreate /dev/mapper/enc-pv
+vgcreate vg /dev/mapper/enc-pv
 lvcreate -L 4G -n swap vg
 lvcreate -l '100%FREE' -n root vg
 mkswap -L swap /dev/vg/swap
 swapon /dev/vg/swap
 mkfs.btrfs /dev/vg/root
 mount /dev/vg/root /mnt
-cd /mnt
-btrfs subvolume create root
-btrfs subvolume create home
-cd
-mount -o subvol=root /dev/vg/root /mnt
-mkdir /mnt/home
-mount -o subvol=home /dev/vg/root /mnt/home
-mkdir /mnt/boot
+mkfs.ext3 boot
 mount /dev/vda1 /mnt/boot
-mkdir /mnt/secret
+```

-/tmp/tor.rc
+### Generate Secrets
+```sh
+mkdir /mnt/secret
+```
+
+In `/tmp/tor.rc`
 ```
 DataDirectory /tmp/my-dummy.tor/
 SOCKSPort 127.0.0.1:10050 IsolateDestAddr
@@ -30,8 +37,23 @@ HiddenServiceDir /mnt/secret/onion
 HiddenServicePort 1234 127.0.0.1:1234
 ```

+```sh
 nix-shell -p tor --run "tor -f /tmp/tor.rc"
 ssh-keygen -q -N "" -t rsa -b 4096 -f /mnt/secret/ssh_host_rsa_key
 ssh-keygen -q -N "" -t ed25519 -f /mnt/secret/ssh_host_ed25519_key
-nixos-generate-config --root /mnt # copy hardware config
+```
+
+### Generate Hardware Config
+```sh
+nixos-generate-config --root /mnt
+```
+
+### Install
+```sh
 nixos-install --flake "git+https://git.neet.dev/zuckerberg/nix-config.git#MACHINE_NAME"
+```
+
+### Post Install Tasks
+- Add to DNS
+- Add ssh host keys (unlock key + host key)
+- Add to tailnet
--- a/patches/kexec-luks.patch
+++ b/patches/kexec-luks.patch
@@ -0,0 +1,264 @@
+diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
+index b8f36538e70..cc320a04c70 100644
+--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
+@@ -146,6 +146,7 @@ let
+     csopen = "cryptsetup luksOpen ${dev.device} ${dev.name}"
+            + optionalString dev.allowDiscards " --allow-discards"
+            + optionalString dev.bypassWorkqueues " --perf-no_read_workqueue --perf-no_write_workqueue"
+           + optionalString dev.disableKeyring " --disable-keyring"
+            + optionalString (dev.header != null) " --header=${dev.header}";
+     cschange = "cryptsetup luksChangeKey ${dev.device} ${optionalString (dev.header != null) "--header=${dev.header}"}";
+     fido2luksCredentials = dev.fido2.credentials ++ optional (dev.fido2.credential != null) dev.fido2.credential;
+@@ -243,6 +244,26 @@ let
+                do_open_passphrase
+             fi
+         fi
+        '' else if (dev.masterKeyFile != null) then ''
+        if wait_target "key file" ${dev.masterKeyFile}; then
+            ${csopen} --master-key-file=${dev.masterKeyFile}
+            cs_status=$?
+            if [ $cs_status -ne 0 ]; then
+              echo "Key File ${dev.masterKeyFile} failed!"
+              if ! try_empty_passphrase; then
+                ${if dev.fallbackToPassword then "echo" else "die"} "${dev.masterKeyFile} is unavailable"
+                echo " - failing back to interactive password prompt"
+                do_open_passphrase
+              fi
+            fi
+        else
+            # If the key file never shows up we should also try the empty passphrase
+            if ! try_empty_passphrase; then
+               ${if dev.fallbackToPassword then "echo" else "die"} "${dev.masterKeyFile} is unavailable"
+               echo " - failing back to interactive password prompt"
+               do_open_passphrase
+            fi
+        fi
+         '' else ''
+            if ! try_empty_passphrase; then
+               do_open_passphrase
+@@ -625,6 +646,15 @@ in
+             '';
+           };
+ 
+          masterKeyFile = mkOption {
+            default = null;
+            type = types.nullOr types.str;
+            description = lib.mdDoc ''
+              The name of the file (can be a raw device or a partition) that
+              should be used as the master decryption key for the encrypted device.
+            '';
+          };
+
+           tryEmptyPassphrase = mkOption {
+             default = false;
+             type = types.bool;
+@@ -700,6 +730,15 @@ in
+             '';
+           };
+ 
+          disableKeyring = mkOption {
+            default = false;
+            type = types.bool;
+            description = lib.mdDoc ''
+              Disables using the kernel keyring for LUKS2 disks.
+              This is already the default behavior for LUKS1
+            '';
+          };
+
+           fallbackToPassword = mkOption {
+             default = false;
+             type = types.bool;
+diff --git a/nixos/modules/tasks/auto-upgrade.nix b/nixos/modules/tasks/auto-upgrade.nix
+index 29e3e313336..050bf09c208 100644
+--- a/nixos/modules/tasks/auto-upgrade.nix
+++ b/nixos/modules/tasks/auto-upgrade.nix
+@@ -4,7 +4,8 @@ with lib;
+ 
+ let cfg = config.system.autoUpgrade;
+ 
+-in {
+in
+{
+ 
+   options = {
+ 
+@@ -22,7 +23,7 @@ in {
+       };
+ 
+       operation = mkOption {
+-        type = types.enum ["switch" "boot"];
+        type = types.enum [ "switch" "boot" ];
+         default = "switch";
+         example = "boot";
+         description = lib.mdDoc ''
+@@ -86,14 +87,14 @@ in {
+         '';
+       };
+ 
+-      allowReboot = mkOption {
+      allowKexec = mkOption {
+         default = false;
+         type = types.bool;
+         description = lib.mdDoc ''
+-          Reboot the system into the new generation instead of a switch
+          kexec the system into the new generation instead of a switch
+           if the new generation uses a different kernel, kernel modules
+           or initrd than the booted system.
+-          See {option}`rebootWindow` for configuring the times at which a reboot is allowed.
+          See {option}`kexecWindow` for configuring the times at which a kexec is allowed.
+         '';
+       };
+ 
+@@ -109,25 +110,25 @@ in {
+         '';
+       };
+ 
+-      rebootWindow = mkOption {
+      kexecWindow = mkOption {
+         description = lib.mdDoc ''
+           Define a lower and upper time value (in HH:MM format) which
+-          constitute a time window during which reboots are allowed after an upgrade.
+-          This option only has an effect when {option}`allowReboot` is enabled.
+-          The default value of `null` means that reboots are allowed at any time.
+          constitute a time window during which kexecs are allowed after an upgrade.
+          This option only has an effect when {option}`allowKexec` is enabled.
+          The default value of `null` means that kexecs are allowed at any time.
+         '';
+         default = null;
+         example = { lower = "01:00"; upper = "05:00"; };
+         type = with types; nullOr (submodule {
+           options = {
+             lower = mkOption {
+-              description = lib.mdDoc "Lower limit of the reboot window";
+              description = lib.mdDoc "Lower limit of the kexec window";
+               type = types.strMatching "[[:digit:]]{2}:[[:digit:]]{2}";
+               example = "01:00";
+             };
+ 
+             upper = mkOption {
+-              description = lib.mdDoc "Upper limit of the reboot window";
+              description = lib.mdDoc "Upper limit of the kexec window";
+               type = types.strMatching "[[:digit:]]{2}:[[:digit:]]{2}";
+               example = "05:00";
+             };
+@@ -165,12 +166,12 @@ in {
+     }];
+ 
+     system.autoUpgrade.flags = (if cfg.flake == null then
+-        [ "--no-build-output" ] ++ optionals (cfg.channel != null) [
+-          "-I"
+-          "nixpkgs=${cfg.channel}/nixexprs.tar.xz"
+-        ]
+-      else
+-        [ "--flake ${cfg.flake}" ]);
+      [ "--no-build-output" ] ++ optionals (cfg.channel != null) [
+        "-I"
+        "nixpkgs=${cfg.channel}/nixexprs.tar.xz"
+      ]
+    else
+      [ "--flake ${cfg.flake}" ]);
+ 
+     systemd.services.nixos-upgrade = {
+       description = "NixOS Upgrade";
+@@ -195,54 +196,56 @@ in {
+         config.programs.ssh.package
+       ];
+ 
+-      script = let
+-        nixos-rebuild = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
+-        date     = "${pkgs.coreutils}/bin/date";
+-        readlink = "${pkgs.coreutils}/bin/readlink";
+-        shutdown = "${config.systemd.package}/bin/shutdown";
+-        upgradeFlag = optional (cfg.channel == null) "--upgrade";
+-      in if cfg.allowReboot then ''
+-        ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)}
+-        booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
+-        built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
+-
+-        ${optionalString (cfg.rebootWindow != null) ''
+-          current_time="$(${date} +%H:%M)"
+-
+-          lower="${cfg.rebootWindow.lower}"
+-          upper="${cfg.rebootWindow.upper}"
+-
+-          if [[ "''${lower}" < "''${upper}" ]]; then
+-            if [[ "''${current_time}" > "''${lower}" ]] && \
+-               [[ "''${current_time}" < "''${upper}" ]]; then
+-              do_reboot="true"
+      script =
+        let
+          nixos-rebuild = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
+          date = "${pkgs.coreutils}/bin/date";
+          readlink = "${pkgs.coreutils}/bin/readlink";
+          systemctl_kexec = "${config.systemd.package}/bin/systemctl kexec";
+          upgradeFlag = optional (cfg.channel == null) "--upgrade";
+        in
+        if cfg.allowKexec then ''
+          ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)}
+          booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
+          built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
+
+          ${optionalString (cfg.kexecWindow != null) ''
+            current_time="$(${date} +%H:%M)"
+
+            lower="${cfg.kexecWindow.lower}"
+            upper="${cfg.kexecWindow.upper}"
+
+            if [[ "''${lower}" < "''${upper}" ]]; then
+              if [[ "''${current_time}" > "''${lower}" ]] && \
+                 [[ "''${current_time}" < "''${upper}" ]]; then
+                do_kexec="true"
+              else
+                do_kexec="false"
+              fi
+             else
+-              do_reboot="false"
+              # lower > upper, so we are crossing midnight (e.g. lower=23h, upper=6h)
+              # we want to reboot if cur > 23h or cur < 6h
+              if [[ "''${current_time}" < "''${upper}" ]] || \
+                 [[ "''${current_time}" > "''${lower}" ]]; then
+                do_kexec="true"
+              else
+                do_kexec="false"
+              fi
+             fi
+          ''}
+
+          if [ "''${booted}" = "''${built}" ]; then
+            ${nixos-rebuild} ${cfg.operation} ${toString cfg.flags}
+          ${optionalString (cfg.kexecWindow != null) ''
+            elif [ "''${do_kexec}" != true ]; then
+              echo "Outside of configured kexec window, skipping."
+          ''}
+           else
+-            # lower > upper, so we are crossing midnight (e.g. lower=23h, upper=6h)
+-            # we want to reboot if cur > 23h or cur < 6h
+-            if [[ "''${current_time}" < "''${upper}" ]] || \
+-               [[ "''${current_time}" > "''${lower}" ]]; then
+-              do_reboot="true"
+-            else
+-              do_reboot="false"
+-            fi
+            ${systemctl_kexec}
+           fi
+-        ''}
+-
+-        if [ "''${booted}" = "''${built}" ]; then
+-          ${nixos-rebuild} ${cfg.operation} ${toString cfg.flags}
+-        ${optionalString (cfg.rebootWindow != null) ''
+-          elif [ "''${do_reboot}" != true ]; then
+-            echo "Outside of configured reboot window, skipping."
+-        ''}
+-        else
+-          ${shutdown} -r +1
+-        fi
+-      '' else ''
+-        ${nixos-rebuild} ${cfg.operation} ${toString (cfg.flags ++ upgradeFlag)}
+-      '';
+        '' else ''
+          ${nixos-rebuild} ${cfg.operation} ${toString (cfg.flags ++ upgradeFlag)}
+        '';
+ 
+       startAt = cfg.dates;
+ 
--- a/secrets/backblaze-s3-backups.age
+++ b/secrets/backblaze-s3-backups.age
--- a/secrets/email-pw.age
+++ b/secrets/email-pw.age
@@ -1,38 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 xoAm7w H4pJd+lWWypSgHCz6JQ2I2Yqhtabmts6LMpHq/MXwwA
-izP31JcNATRlNq6m8FYC7uis+RrZo88ckluXUCqtDkU
-> ssh-ed25519 mbw8xA llqgasmhheEDBVbl0sU4O269iS3DY+ExSpUfockvBmE
-4b+10lAkTlsIIIbqafjqgPYVNOs78dqw3mhGNt/Kr+U
-> ssh-ed25519 2a2Yhw qPg4uxTQhi/pBSbiZ1tDjmbuLFqrmVck5s52Seu9WyI
-NRJnXzFPdf9m/eL2zoS8yeaz9OqMdHbbX8F9FOVedmM
-> ssh-ed25519 dMQYog l68vM+Hj4TdBVWXG8DH5wz1U2ZEuL9sz04B5ykY0GTE
-QKDaeV8CUxf34zS6FJneaP49UCeXondKMPURipqR3AQ
-> ssh-ed25519 G2eSCQ 9Sz80YngHh8GimDhEeMtqrOk3hai+YBUUt71mdmjs20
-Sc3Tit/RZ9xlrvVK92RJS9dhyPIJ/mZ1NsZo4dmiRnI
-> ssh-ed25519 6AT2/g aQOztqgJ+lmACELQnewjsKhpwRoAc4Xu6j4L0DI2+n8
-TX37F7ZCQfFOddgdllnxqKk85PBY04O48VJZvovpk1k
-> ssh-ed25519 yHDAQw /WlCVe+BEy43M37s89SahbmmLzT1jTGYEliZ5EEW1Vo
-FGwQj00KhuyAj5cYJhuiR/uZY03GQwKGm8iOSm7VGNo
-> ssh-ed25519 VyYH/Q AWfQDDmiGyVM+r7uIHE+OqhwMPSclTfSJiYjimIl4TA
-2STrZzCDqprYylCIB0b6FJK+ipMZx+08RN6ifsOqIyw
-> ssh-ed25519 hPp1nw QEaJAqCwiz0IZMbZ8AaoHi4LNj3MDGARsC4r8bLQhyY
-SxjnCzanVkfyF4moOkYyxYKgY+TOSHdX7PnesmkP42A
-> ssh-ed25519 CRfjsA GTOd0wL35nL91iLdJKzNTQ3+e3gRqEO+y3ppLjWzuQM
-QiOdvtSkwrCzdMOTpxQW29J49T6JIU/lwdy/4YoFZ6E
-> ssh-ed25519 vwVIvQ jdSld1nAFuUn14W6gOzg1k32JrZEuKFBV4KAP8/Ilhs
-4H7jlaf6wPG6xOLGSz28asD/GirT52LVfELviEFHsiY
-> ssh-ed25519 fBrw3g vu/yjmGNPBUJR/qU/tBTSz4QhTb8NR41lG55NZl+YGg
-YqF18PP5zdgRExyszHSs35212EOVLXTtN9oREduuI5Q
-> ssh-ed25519 S5xQfg L3uspJyJKVdChakXgXTcmIzDXeoXK5GVmU+DszgS1z4
-0kXsfDav+LEL6aYgpWzrD5cpb0zhjdT2v8/p3Q/Y1rI
-> ssh-ed25519 XPxfUQ 1D6dQ8Pbn5EKtdLzw1VMe28jmd4PjzAaxtoDQJ3qPjY
-u6Y3NrdowSWLw0YyRXYYEIQUTcb9NGn0UhSzK4HeGlI
-> ssh-ed25519 SpD5mg M66nCAQ05Iam/GAjfcvBvV1FwSsm0MjUsD6awuidsVY
-DZWfw5iqujq/ZU3wVuL1kvC7l5NdPSTi2uq48Oc03zA
-> ssh-ed25519 Kk8sng fsfCIcdBVu3xAreLxvq9zHu0MdL77D2cd6PxJAui804
-EqNbLicyIkWjmCABaShEmcxEftmjnvQYFFKd1AFMQs8
-> z;-grease !G/_ ;L|^3hU }
-bCokcBX9NxBIh97Cf+qsjRq92nbhFTG1E/ygPscvCeexFIgvBkBATLFlxlFZbfHo
-jU1hBN7/lA
--- Gf9q3ird84+YdfWY/WJXiO3nz5T4IHa/geMyfSTmzC0
-C+ÖÒSI=5Ñ4c²š>^ ÒI„ÍK+šK<C5A1>hŸÕ6J·É§w†íE‘àíŽšüy4iˆ8Ù[ÅšOþûBÅn<C385>;ö%³®	ÎÏ)²ïÑ†œa5ßšÛ%Iô[
--- a/secrets/gitea-runner-registration-token.age
+++ b/secrets/gitea-runner-registration-token.age
--- a/secrets/hashed-email-pw.age
+++ b/secrets/hashed-email-pw.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 6AT2/g 93Az2iuqeWL6H/S3XDPXFoEPcrY/n/z9mlSNb5wABkU
+LpMPjpDtBrY2aHpqHwT5AY7vtsYHNcOjpz+LFY4TGCg
+-> ssh-ed25519 dMQYog 4qT0aF1IHsTtN1avMPWYG5Az2xmEZhVUhqcwyNFdfU4
+wD0hE035JqYdDgJmkvNXwJyMzXrquA+RsD8QdK3xP8
+-> !vfM7-grease
+7nQGFFUWY9UIjfrb+/VfaG0zJ21zmDnDh5khs/0tioJevrrrlhub9Bz8iM/Jsfxy
+KUhwV8O8tL/5+30RFSlFRaAB6xPCGg24Yq6E
+--- jVsDtz2xpvK/XCHcdN5JVZx5zSxyEAM6D/xJIgN4YfY
+Ñì°ßév.rK,Æ$ 
--- a/secrets/hashed-robots-email-pw.age
+++ b/secrets/hashed-robots-email-pw.age
--- a/secrets/hostapd-pw-CXNK00BF9176.age
+++ b/secrets/hostapd-pw-CXNK00BF9176.age
@@ -1,16 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 VyYH/Q I1gFDOOOEfSDSUtZ4YtZK/qxWJqWIFFHsilSCmZbJHA
-EpY7XZ28RrBvJ7NEQYhEnp2vpKEkge6SzGCKJYkeH14
-> ssh-ed25519 xoAm7w +2NRmQIyrHZ3BcwclLxDOatDL+za1u3lHp6v9HEtmEs
-L8wjpBk6FcrRmaBfJfxZAN9v/aE5G//MpwU4WuiDX1Q
-> ssh-ed25519 mbw8xA fpiGYGRxYwc1BS+U6NaomHuC2zxCY3ijuYQi6XUg6lw
-yWgTUbvvx3Hsnz3suPdYPVNTb3errqd5GXmtUHJnrEM
-> ssh-ed25519 2a2Yhw sr15CIyZX/FznIcn48vTCl8bva8b/fC+9VKacnEImHE
-oN34RfbM14+4kKyr5aLdioxKPWsnsLbBc9bCRIgLObc
-> ssh-ed25519 dMQYog NRUfD/s+mS4fKiKN/hDTXBe0TD2IVnnWMptEUbPOhm0
-FXUCV9DnNjVC3fcDelE9c3Facl2/SuKXwyeb3ywW4N0
-> 6[iGZC;-grease .
-9nz6/4cWYXy0/9QHBMKVngqDjEfaIdPjdgESEf0EZYo7y+xtTUKd4QNq3N0C6+dz
-MTUMD6eVwNlf990aLihSGriHuEgoBEEHBvdPxw4tn6tVZBRfvImi5caLbRZT
--- fKgNkprjYxTkoHrZFYSgS+Y/Dbe9zner89UuZalEv8M
-Õ(Ae Lžà/3L—¨o=ä€†‘Ãè³Ãñ±Å||´dª“'ÇiOšÊßìó
+-> ssh-ed25519 VyYH/Q X+fXLJz227KkBLu45rb9mUkkIpENSMtZeEJjl6qj5Xw
+AFAFnvsiogoMMwsAJO0DDoaizL9lmCLsF4QHDjmubr0
+-> ssh-ed25519 dMQYog P84+7TBcMFSALTn6FR/aXyqFE9DfOzp38ImkdWj7nE0
+PqOn1OL9Zt0x1pBIYOSKkkS//mbk1OX5pnDGp+OLYeI
+-> @?-grease
+3JvpmcTxdTgvv6vPL8dXEwjR+g
+--- aMYF1SbC+p01YWmg24+Ih78VPQcwzGU/P1cEfgRvXV8
+Ÿ	@$™sžQÂ¼z<15><>®xkÊNfÛuÕ;§¿ ÎvI0•ªÇÎ^4.?, 8…çî
--- a/secrets/hostapd-pw-experimental-tower.age
+++ b/secrets/hostapd-pw-experimental-tower.age
@@ -1,23 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w j3b4I8BlfjbyJ2Yxef57ihKgYNZKJ/LHj0fxJq0uYTg
-i9SXMkfGdK+7y39e74KjTtYnEIDsnawR+AIklGrDPcc
-> ssh-ed25519 mbw8xA 1XW5+CDzbuAN4yoWUxugOLjMvgqDgfY8TXPlK5HKglo
-9howcz96J/Tm7zdQwVQUkQRbAf6qVg95veCMJb34XPY
-> ssh-ed25519 2a2Yhw PP3vG9MJeH+LGmwtqtm+y29GDh7falcclqFz6aArOhk
-FNAldZ1i4Sp4HgWfSR7pbc14aWb0bKpDHaJKtOpcLvI
-> ssh-ed25519 dMQYog P7CL7hkjSEaSSc0sKO+9dAKmYvFl/sx2J62I6fZxcDI
-p8npETMIJm+5xV5UW2fPjKedzaKrWr2cYXWGQLuP3As
-> ssh-ed25519 6AT2/g fLO3IT6xKRZJ5s1Jz+tJmf9ze72069GWbSssUKUGVnw
-lTsroAJY36etAROH/UDsJYSROFAuDJDl7w4eRHsid7s
-> ssh-ed25519 yHDAQw O6gMZ7W6074+gzHYsQmVfhGfFDaxxSpPyzCvHF8HPw4
-5bb5PiHTKOdYMeBfKw7ynV+Y7Tpr3QilNpch4uB+TuA
-> ssh-ed25519 VyYH/Q JpMmSBCi/Q911VpXzhHsHGTzqLjguOwc37FiiAQ2dVY
-waX+j1Urj2GmYGX5uZkZ55sG051+OdYdHhJaXfogO8c
-> ssh-ed25519 hPp1nw EfWqRoxo08D2An+yEc1e1NCGwcyfoOzRfBJP2WCqiGc
-hGjdDZdyEn2w5uaQEz6MLi5GTMEDkhzS/sT4zRwUI54
-> #RLU8aJw-grease 389"AoX pIrn%*Qm ^W$ 3Y+%99;
-AshAkiQFyywtltjNEkGxC0eHLFVYK1azVOySDOvcZEugtm9uGE46kM1Gz6kLVN59
-LlO9Do+6pdVd3LEb4sqRHQR4fh6DDF8n3VDnnO9Hzu5YQbJ1kEoxB6P1do/YFA
--- AiQzm6IGLwPgglj9y/75m63+5b5UwUn6DHw33LL4Njw
-iÎ§W–Ìè=ŸÖ“#T4yè¤/<2F>ÐâYíÈ¯iÃd^ 	ïêòçß=D‘Rr@UY´rý·
-’³y|ƒ¹<C692>fôÂ
+-> ssh-ed25519 VyYH/Q biHhTmstx4FJmstCt7pYUjQlwZpgbFkZVlpzQu2Lf1w
+K2lHbhdETesM86K6fKk91/2Z0LRQcwVtnXxYOtVCCaE
+-> ssh-ed25519 dMQYog cyeabgOaV3nLPdLYs4G1g41bMAEBnHlEXoeW+A7NLFw
+FRGdlHVQ81JjjYQ/PRoAq+JRMZ28rSBEUko8VHKNeDM
+-> cyfV-grease +X51me hk_`YB> 6DFo`? V
+/EoPdwBCc9S2GafKdhDnPZE06kxZBlzAob0Eb2qEMuwzVJF+7LesiK0ilpSrzdPU
+cVN1ka2+k4pH7os/QUuu6oW9r3SxCw
+--- FJOYm8/TVXlxV+9Ih376xWyJlKz2uk8KzPoY5FpIJjo
+C`Ñ” -“Ýþo’YIEœ_.y˜XãÝÈË›iþëµFØW±…Š¨Im5ŽA“õ*÷}Àßêkî”þ9ûzë
--- a/secrets/iodine.age
+++ b/secrets/iodine.age
@@ -1,39 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w ubom+8Q47IB+J+Oq2engREnGa0DE+H2wmG2fz2mjxi8
-wpYS6ylA2PFgcsvClvv1nZBgG+Cy4RD4sVpqRcdW820
-> ssh-ed25519 mbw8xA lh99YoeAM6ktJXa5z46A0JVuUcfLcwvFj3ncaf4gmxU
-WCOvhJJU+A6Slju2HN9kAQsGRm/0aE/rhprkMG+17BU
-> ssh-ed25519 2a2Yhw PVqMJAGJZOb62UAfQF5shDnGUu5VPUHFZjLOCOPfIgg
-+fRdzAagc+MmbgPdx6sOp3Vna97gaxnc4L5KZuXciRU
-> ssh-ed25519 dMQYog f0o48KwYRsZ9w1WowdZtH8aag/TgrV0w9r4DwJ4SdBo
-VGtlt0K/IpbJhOnqc/IEdcqDMt90pjUR+FwRco7Ca0U
-> ssh-ed25519 G2eSCQ vtbTZPGjRxUmWiE/V41pwPYw0y8rDSqSlK9g8FF8rmc
-iHQjLPdVYWCnuHEcQiOPwG/ymWS873dmEQ3YBeypdlE
-> ssh-ed25519 6AT2/g CTGtBM6qUCPKIp6SsipQtGIM4K2gKYlcKm1lZ7oU5Gg
-2toLIu43LGBsK4zEzPe3xu1sGdf0TiH61TuvaI1uu7Q
-> ssh-ed25519 yHDAQw mgKQj9uQitIfCzLATi0QeDjj/ZNdfmLN3mDMq4lhBxo
-HWt4Q0ZjKeoxkT4XB/doa6YhgF5OgrJEVe0NRPPpT4Y
-> ssh-ed25519 VyYH/Q zrxZoR6lY4yTOYvqxLVnJ1B/tLJqP3JiuhkFVRaUmF8
-rHBLx0H/70YLpdHfYzlqbRjFgCso3voEu0Nht7UlZz0
-> ssh-ed25519 hPp1nw 0zPkmUgLopoLsvG2pk3hXLFZ4y1U2zLYAnw6EnrsEis
-bcbjMtvpDs+aKUf5GUW2x8mXMm5xBZ2S/aS6ePYoZOM
-> ssh-ed25519 CRfjsA x5fkEqFAn2gyPjOL91H+TU0t8fGbelyYNF3Gkm2PM2I
-CCS0OxGVfRKCXzIEGIGGtVbEmzzY/uE30snLB9kRaK8
-> ssh-ed25519 vwVIvQ 1WBqhGRWns+zq69pFhRGPKWE2UwXmwAp7XPGgU8MG1o
-TAEdHH7heHvG+i/jOTAxUbtosLIJ4TL012eoivpYbF0
-> ssh-ed25519 fBrw3g rnGGZG45LWTLl9rMUtusEADK//cskSRDbVNHqymaRX0
-eQyOhsDPF3o1hlfrVJqHd873wPtMkWW1QhslCY9qyL4
-> ssh-ed25519 S5xQfg /SYkIjBEuboiTRBN3/Hy54WCm30rPeTb7hyW8Ne8XQo
-Zixg9/lPh8sEylM0k4UZMbKiM7G07C1s8z0U+RWGxb0
-> ssh-ed25519 XPxfUQ YMnUrS3KvUfwX+QXvHMDWj/dF58e8CpaFMMuQlHaBCc
-qtOCQrVvAzaG3TlG2EUHwMHXC6Q1STC5ZnEGZ/yh6U4
-> ssh-ed25519 SpD5mg e+roG6erU7LFz/JG081vYo2QG5/72pGhxrrmJfNTLVM
-taKovBNCmrYb5712fnZ2Gq1GLQfog9IyezIhyN2hYkA
-> ssh-ed25519 Kk8sng T+387c8n+DojonjyQnB19JJifJWHufU+/oTLrvjzW2I
-nhjogEUDM7m6jTLiY3qZibKfe/8SPDkoz4v5TqY0Or0
-> Nd\-#+C1-grease ~l H Gz#
-52s5cUftipJSF08pl6py9q7wRH03s++6wqZZwNXTWfTyfVRpiv+LT+1vG8G40ByB
-XZHLe7A6CJuPj6FEabA5Yz5Q9IcY5KklKoCSzlJPaWHUySon
--- VqPdz+C6jxXzt5awQag/7jMrGk8dkpe4JSPBB91fKUo
-l ˆÎyÌn‡	Œéë„<C3AB>üFŸÕ‘_Ÿ1„%~²×‰9ÌÿîŠ%üÍp^ocý<63>k
-¥:tcƒéþ<>
+-> ssh-ed25519 6AT2/g yTW46JmDIftcOqogIDjheXJf2sw/dG2WEJxfCXU/LDk
+0Co5/Rn22kmdcPr61ZOrmZJbPFHx2wJ8/YkbDjcjqKo
+-> ssh-ed25519 dMQYog RtZT0PwVL4kxUHilOhH2GBp8Z9WfyBkaxB62pjKpHA4
+muMlIt8VYQftMYacfdnQFeejfWpKTEG5gxbFNy97GTc
+-> 4|)`7yq-grease P#\5k8 +f
+jMegn6ATsj2Ai9B5Xmy+tay1nppwxvF1IGJH+hLNanYMsTIDZypM6UsNdzYQ/3mw
+VZ9ooy8TKUgAJ7jsd6IrKw
+--- tLaPQWJA0Hh5MrxfhaySURgY02K16IlzvsxKpOWGva0
+5?lﾇ'ｼ!ｹｺ<EFBDB9><EFBDBA>ﾜｷ匪Nxｽ+<2B>A9ﾟﾑﾘl/ｸﾞ諟ﾎ|旙<>Sｵ&ｺｻ､繃<>Q;_<>K
--- a/secrets/nextcloud-pw.age
+++ b/secrets/nextcloud-pw.age
@@ -1,38 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w TBgxtsm66foJGt2nHrXtgzpohAgCjlFZKJJ92wVRwHE
-3v4D4OIsYkS/f1cFzjkqsZWRY+06H/hK5BRUlK0rezE
-> ssh-ed25519 mbw8xA DGk5uuy20YbA60OCsRRUpDPDn8/34kXB6fLPM5EaM1A
-gX+54o4ZGMepfR+IgWtnfRrQyJI7cIaVfrB6F0bhJpM
-> ssh-ed25519 2a2Yhw 4duxFtOvot0/yg/mat9/mq7e+3FyBRVZbDxab1kUIz0
-eYGM5bSmdkepVFtC/hu9QryA7bAmyZ1aGk+Gz11IUeI
-> ssh-ed25519 dMQYog j1ltBo3adLkVjynrfftU3SUuXbtkPJwqvLScqV3Egi0
-8MPpwdCulNGlw261+weh0Lg5Nn7nztUrMHyai9WFV5Q
-> ssh-ed25519 G2eSCQ /IbtFM08snzoYcw59E0VDWE3Y8GUSqJDZ5X6i6l5ghU
-x0TAzntr4kHb9iZVqsSYAdS0mIBjdZjG6muniNz/R1A
-> ssh-ed25519 6AT2/g htY9fgi/p9aGNEGsUdcVJ7tQ5cEXDxFXAXNRvf2aAlU
-gxhbdfZuyPVHYLl9lsfSe1Hu/cNwgFNbT8BzScL23AM
-> ssh-ed25519 yHDAQw r/Q4+U6D9kBM+2Tks18bVh3ketV6XPsPooq+mD84WhQ
-Mpy9wGJRPhBvpnI9Nl38BkRdXgezKg8aOdXZIzuttds
-> ssh-ed25519 VyYH/Q bj6YIiIkAWr9f7jagbx57jRvSDcnmbqtx6Q1ijcOTDk
-IWktummkI2rkjpxG1wP7VG5NAZKixC/qEi//fBfPWCs
-> ssh-ed25519 hPp1nw Q4EhATKtqAuvaaSZ6mvdHYxLtEUIiq6vXCt2TIW3ujw
-XzrrxplNBzH84lzWheGA7GFtw6KAhD/Fn1dUh/IC0RQ
-> ssh-ed25519 CRfjsA tJMmvRH7ycObgJ5ZjVnIsC1NuqmUwpcAfIl6zxRfdTg
-eDxKa8mqdbZbmbv+WmhbQWO+0KG7vsu3i1V+Fj1/1IU
-> ssh-ed25519 vwVIvQ mAizKoyN4QkTztzMBiz53+H7pJunPT6mZmXW75hcMh8
-/T03UWjaTw9TcJg9wrFJINs02PG11vabRgptlY/QyTk
-> ssh-ed25519 fBrw3g wTn+uGVURTaLh2uuy+hOMXADU8Y5X5rjt/I5hlgkiEU
-djupGCAIbmou/kaeS8bvCHFU4h/tDJUPj1D7Ad3uGOg
-> ssh-ed25519 S5xQfg ndVRf5DZJG6ppRG4BLadwFdHcJBO7YsLamdY8h6M4GU
-GdYFdMZtd7zRAejs0CoGkKEg3LquMD3rXqbXIakfv2g
-> ssh-ed25519 XPxfUQ OzGJy6jOdsX2FOaqyPaGfGVvnmMessbQSFaaRSiJrkA
-/F4Rb1DdKrq8cXW1wJZQME3cjdvCg8uGnORzJH4apIA
-> ssh-ed25519 SpD5mg rwLBuiTLSo3Sg1pfrKX72AtOYylGVsUqVvpPjfWy+n8
-Ly2MAPdLr5T91QEaDK/SzBHa6eRXM4qnl6AUzc1LkMk
-> ssh-ed25519 Kk8sng MPQqZeCMmHpseUkC1ysBlqhfOFZBWvb0rII9vLj2fG4
-bx/POtqvkke0V8mtug14PzjekwvKu8lqY1C3BBHdrq0
-> H;;#1-grease NIQ|aNi" ^ m ub=UpUr`
-62l691hcYEUai/MhlIgoxGmJwGl1NA6CgWl8LSGbHHfAwtCa6pO7kORspVcI1nBY
-fm6hfhPep5Djdinrz3ti+fprTjOpJafJoAsvxE14
--- fxAevZGLf/QUXm/kEserDh7XPyy0lfDaUI+NnCfrZbA
-^ÅœË¡Á2Í?éÈüÇ‚‚tve<76>
+-> ssh-ed25519 6AT2/g hXS7zxzYhlu5GrUAEAnaO+CizpbifjDxIwoAK55cjV0
+xU7Z52cjARU8tmd1AJ9v8+QTQzfL/mNxP/f/bJAzYvo
+-> ssh-ed25519 dMQYog 8PEp5TmEOumhWUZvko42sOKpkqOCW9/zCrMqn+fJ2ws
+wJo8x6+hyU8iJkTqGVecZ88hG661F3ZvEvVqpJzox5w
+-> x-grease tdW'\ +(>9 da%@^H6
+q04xwjRaNOBfNhAvik762vJHio/qTfR6qQW4QsD+wzEidRYRggNdQwTl+G4jkWAu
+fx0xZeiI5qVm6WG8lg
+--- pHx5BdqI3HubR9wAtPyfMaYbr8uqRwOS1qFJhtC4wuM
+Èv°ºg9sÉÉ¡§6:`Nlëªø`.‘•ÓÍPebÅSNn<>åÄ8C<<3C>¥a=-¨Gh¤ò.ªfHm<48>»æUëçPGpS}µxýùã#ÎT
--- a/secrets/pia-login.age
+++ b/secrets/pia-login.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 6AT2/g J3H9xUUwUMB7VkHHGtsZaCm/GiyqTFUrEmsuwcrgrhE
+tn+zbj5cISZzkUzJcu7JlaqhE4Dr4fhczSJU2kV91AU
+-> ssh-ed25519 hPp1nw 370YNPQn4mqeHjOvnIXkm+BzbrRNHkFICJaJhHCSHDQ
+WLhDRA8jp50aKkY8t9GvyAHoLxYQD2Bhw3y01hwhoOA
+-> ssh-ed25519 dMQYog 1dwQN8hmbLY54OnRTXtcwAXHoYLLNV0IK/rQQ9ZgV2A
+gP2HQinVYW72oJRFW69qAeF/iNEEtJqya1iRMOugNKk
+-> ~-grease 2%p4s G:$f41y " vZ87PA*|
+hI029392lrjxlsXUI8opFVcUK+JOjgBYGMH
+--- juX+tgNpNr8it5QnbcBkR9u88vZkC47L5fIlZQNxPYg
+,J}¸œ}Y§˜B%ˆo~3M×½HÊ—]ºˆû©ðÔ¤–žËn0cVs(´;axc#o™Üüv'kˆù#]o<>N`ÆœøÁ´Ì¿<C38C>˜¼ûp<>ÒšKàøk†0(
--- a/secrets/pia-login.conf
+++ b/secrets/pia-login.conf
@@ -1,38 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 xoAm7w xqcRHP0MHuiK/zomHCYc66ovGuTBwG3e74adAtR8Mwc
-GxxxVe1BtI+XFgivxLx4iqPs/bOqY0YgRUaN5WL+J6Q
-> ssh-ed25519 mbw8xA d5zP1zd7jaeoDurJdLaZH3bqRuuKaSLhvYW0ZJR5Ei0
-vDZiTBxgzUUv5F7k9DNWyHmDq+72zZ++fK/QsNMejQw
-> ssh-ed25519 2a2Yhw PflULmGrCX2W7PTYFuu36LudH9P1w2T9Ac2BkWDtR1o
-cKCcIGfBgnVhyBQ9/w1en4QV5OnfkKahv+iWbY75rcA
-> ssh-ed25519 dMQYog MPQk/1Vo/ZYw3gPBU0pWlDgrc0OV+gwW+5RS08C6w18
-89xYLEHa67LA/3WJZLPaZjubI215XlLXFOu/Eya85fc
-> ssh-ed25519 G2eSCQ U0xOVFq1wFNyT/BnkYI4w5KsNrOo+Hwx273zZI8PlQw
-FUcdjrHZgjokvc5qZ7VeIw0Z8CJMNjMOmf78Gg1b6Hw
-> ssh-ed25519 6AT2/g geU2DAuZLH0NDF+0h8A/rp2FrfaXAumy2GC1O2p/CHE
-Oh8GY149dxknV6QhpUrD39fwP9bREGkgVm8YPLpZdvg
-> ssh-ed25519 yHDAQw m4eSQTxExlAHfmyQ1DdBCWemb+z6ldeaEKmBwbrgTRk
-+kYjyUWVP7PHVoqqYG5JxwLmmCc1ezDUCGIFnX02lx0
-> ssh-ed25519 VyYH/Q 22pJQ5qJFkDpyhhJ8PgpI8BVSN70kkMGJHZqbgkIACw
-8sPrt+XceTHR4PvelbxfAwH1/IUOB1f1/aVyBFISCL8
-> ssh-ed25519 hPp1nw oemF2kqJpkM5wmPzV7pxWq7gwyeBtHMA2ZDcKQ8AuBM
-jKnhqbGtI8Ll7n8APN4ppWomGVwCNxeMobMfn51baHU
-> ssh-ed25519 CRfjsA n1rHsp+O9p67x98MXOq0p1Z01IAvDmQEeOrxb3bsfAU
-jQqxXAuT0Z0xNn6YKAs+KOkG7wxDFDxq5Fm2gKxB1j4
-> ssh-ed25519 vwVIvQ Ydiw3i6yquUvUh9dhFST8Dnpsm6/4SJMuDGm7ka/UnE
-R0wpu+tP+apJFWOxfb6B1eFqHtx8CfgxrVM+hGmPF/I
-> ssh-ed25519 fBrw3g nJVo9VPVhidY50WrecFb4Z3gvbVa+HvJVoWtcTqUSiI
-gi+5LVtpaKI/RzpB26PPwb3Z2bznBMWyYy5T1iVDnLw
-> ssh-ed25519 S5xQfg Qg3EG+SWYIbt6bb5KIHPB3IsrVp4dOCtxDwsDfPxwzo
-XS5K+J6Rdg0ffVKPxDjhqG14ue4sZ+2AWvTrGgUcqzQ
-> ssh-ed25519 XPxfUQ +dpWU2v78/sgzjCKMI/PF7dUH6gvyQH/Sq7IepJ5Iks
-e+sjwJ5yVVIqi/XFNEunzddKaeZoyt6SSQIaARKQKcA
-> ssh-ed25519 SpD5mg LNEibIixLpNDeI29JpwyAy7Yj98hz+crpA3CUrdLCh8
-/ecP3HwrkcqMEi5KHKJ2GDs/FVMBYiOogbsmbnsKcXg
-> ssh-ed25519 Kk8sng XYXpGlL5N5Q0fW/CNR/MM5l1H4wnGc07PmG7pfIYPEA
-ZHDIG4o16QpkXOgEoMEElVdjuMHBOYnu1+r9j7oWJqc
-> uz.p77*-grease \LNG +]\N }$z/#os
-v9I+wGZRCAIjCEeJespiFlyqUu+OblQlv9/hJcSTjEo8jMIlhjTgitVN0gcG/iGc
-Eb8YAQ
--- 6EmzITbtgIPahwrQlzo06L8D2UykOG023TWIcXmflJ4
-úPá™.Öú¥RvÎûÎ7*@»Ò¨Ngá3^¸†‰ßáá"{&²ÛZOb¦Š\ÑÙB$cb¤I20F/FYºýGæ—»ÂJ%™?¢P<C2A2>¾Ü3ÐdÖÂ½˜<C2BD>$<24>øP
--- a/secrets/restic-password.age
+++ b/secrets/restic-password.age
--- a/secrets/robots-email-pw.age
+++ b/secrets/robots-email-pw.age
@@ -1,23 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w z1fxpf+Jm5u9X2aVzw4zecDTFJ3klYw53XOW1/0qH2U
-RVtqofMRtxGor9xPdLGe/Ppjm9HQdL8B6VgiF0EFD0M
-> ssh-ed25519 mbw8xA uhLNHRL+ap5kA9I0s1uM3tMi0pwCF4CYNrlA8FDMwho
-ftIAF58RdG7wj4qQbFRnqvtZEO9by++yWiD4WVHQYMQ
-> ssh-ed25519 2a2Yhw 8ZE3Y0pZuNTHCP859v261kz3KjTscNWbhkS0t0WZv28
-jlQLe6xJj4GVZvrYKtPN3iIozS/3xFUfWk8czHvZCRU
-> ssh-ed25519 dMQYog zUfDw5zWCgOLoocWhGQ+7tRPHua1nTEP0sUMCeC5WGY
-+YqAvE6jpQuupF/E+WzzJDl+wELfIhNZDjtwSL4LlTs
-> ssh-ed25519 6AT2/g wMCXvTNxgA0JBTptb0yjsnuQNKvs9MhKU+JkDBPl7GI
-nvLS6DnCId4HGKIEuVMDTk2vdsQXoij5aZEm3WRsxno
-> ssh-ed25519 yHDAQw Ln5gBVawaqRbl9nXkjayOnrBV8jp8teqUFnqIwihki4
-kdUDhAD9mV2kIeIvyIvNLalQeY2kY51p19Q5j8Eqc5k
-> ssh-ed25519 VyYH/Q jDcKHAOt/XiWD8q7v1J4FQLP6WHYAfjXU9uSBrHYoSc
-Rv5EIZfUpvH1YYa47qnEGiHZMVDgv7ox1x0yWs8WQOw
-> ssh-ed25519 hPp1nw r0q90tYd8txtSFGBgqydSudT4Fi6BJqSCZeGoxQjNTU
-+ohGYkbv2/1Y5oLD3MeQWTxkniVMzsAiUzEfWb711/8
-> `Tw<V-grease
-Js58anBVCK2UpYFYp+UyFpSkiPdV2bp1kvwSdu6QLB7qjt1xmyL0wsdoliqO/Kdh
-c9EqHx4M8ZIj+K9lfU/ivFdS5p4J2A5Chg8pzK6V
--- RmxdkBFUtF/HV6P8MMNYGLR+ELWeeIYpvfgyHJSDAlw
-ãÅ¼ÙC×ßz¿âÁà´›…ìcÔ_–ûæ3Ž<1F>ay|L.3!›<3T´oÁ™‡@ä\\
-#‹Ô,J?A¦æ7ÍrÕí%Þ›‡xÃ]ð>Ü$É
+-> ssh-ed25519 6AT2/g QHqc7SI3Z2k1atMtYR9aFBJKf0oElbI9dd1vcQbchxg
+4bklX308iFaN35PYgA0rqO5ZoXDdgPkB9SO87AgwOwk
+-> ssh-ed25519 dMQYog lF9CFZYQC1ELLuQ1mffIdN6WzHK6/gZzyrv5Ur5my1A
+4MowtIVjMECAfAKxMxtwVi6kt1h8dLAkYItTeZtzNe8
+-> nRNy(o-grease &%h@^ BlVF[M? YjD3^0 |ey
+atUcl9jHhtLgHLr7qkguIZZtMjbqndHsq1UCkKzl/NhEXmlCp37PKq1vIbF81/Aj
+RG+Cc0A9H5WsJ9OjmyDiU8r4P42fmdd0ocu7nSxMMhUbr1LvcPM+WxUZGPtV3gc
+--- LkZ3ouICKivFii191r+z57Ikz2wB8zTcicE3DoVOkPE
+žÜòØyäµW_*yÇ6i³¨¼®JZ†£æÆ‹g¦ƒz÷²Ú<18><>³NÇG>ŒÏÃÈ!ð‰>²éâ›``Ù•¤ÜéÒJN$ÚHêŸÑy›o_›×
--- a/secrets/sasl_relay_passwd.age
+++ b/secrets/sasl_relay_passwd.age
--- a/secrets/searx.age
+++ b/secrets/searx.age
@@ -1,38 +1,8 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w 8X/mQQdaVvKGFTa8S8Kq0gjXQizdQqKjCbLPbj+E+xg
-ztcO7CI7PlIg+kqGi5mIriGs1uYAdsvsA5TC+vU2D0E
-> ssh-ed25519 mbw8xA fcD+NYtWgZaXpIwe0kIGplhsHphwjwr5bWn3fu9bCxY
-HEdS7uNl7BEajuPvMVhWM/B2Z5SLavZ1go6wSCuUN20
-> ssh-ed25519 2a2Yhw 6exAx6FTladZDoIkXDFwiH4b2qYCMUWgPDrXzP//uQI
-HAN7bkNCLhYPwt6Fcdkij+9c+EBrN88lxhJr9rJlfc4
-> ssh-ed25519 dMQYog ZFiEF1MYdIha67bN75Rv+6Wr6Z9E34NVk3tHsSEEQyY
-Y24l9R+jd1kN3mwSnaaZ+kogwIgNtIUb2gLW0eLAi54
-> ssh-ed25519 G2eSCQ sYOr9ilW7CW+P/0hsv/RAmv/v34JevYIyYN+I6lHph8
-SzmVgwmecQuo5c468CMh4yXpHFUi5EovS9GeYGerFbs
-> ssh-ed25519 6AT2/g HRkU3oRZwF826qweInLFI6+3rrOdsVhDJWoYdmuuWHQ
-OCoS/Ody/GzMr2TFXDf3VXUwE0gCu/cHFl+AHcnU6i0
-> ssh-ed25519 yHDAQw TxlUhpGkdVzkBa51kUb4ry5oibol/QD+VPj0h4XOhWc
-48aqzpCdhR2rYltDlpsq8FdnCAOaRZ+t8RdIFsWjHjk
-> ssh-ed25519 VyYH/Q ctWC4UZPhsQngMldM97HwJuvQKMuJm5ANSs3bSIjJFg
-evx82bQ4zeuFDRunameiCgn5UjwhAPa46w7KHQkjVe8
-> ssh-ed25519 hPp1nw oKSXL61Cjahb3BHYybXWFZ5eQyzGtjG0arMU8xWpABo
-1KvSvzZoLMuAR9+ekO8hjE2yOqZgRtEghD6pSgfOi44
-> ssh-ed25519 CRfjsA /lA/ylPuiOtKXYQynlwDoMiZknOf/BCR9UUJqxZTQiE
-yGVXz5L3UxxNN2z2mx51o/GGb3Q02z3ZDm3JrP2/3/g
-> ssh-ed25519 vwVIvQ bgVIF75qEP72heamHRLHB+21R9NTQ1tBbbYVcAXVWn0
-brIkrynLCEDIEwYe86w9auMkpZKgDNPs1JIUYdP3eQE
-> ssh-ed25519 fBrw3g AWnifShqHcTU/eUuLQvuexV9KVWIssqkXz6SzvIrgDc
-tbAY5ZgkiolGeZsSmFqahBARhXkiur2DuXhY0xLAcYw
-> ssh-ed25519 S5xQfg Bdl1p1oV/YXfIIYfWJpghpxW0iyVdBHoFExbODeRAEA
-3NOolEtebZWathrLTUYx8xj0Lox2AA15pPGFHAJLoLs
-> ssh-ed25519 XPxfUQ b9EHQK/9OnEDTRAlpW02LM2aCb6o2EY5yi3QI5bmyHI
-xChQko2D2OhElau65jID1OpLlsSF7K80zxIb5m7l+VI
-> ssh-ed25519 SpD5mg KnEt9/djsQISjA3foA2ZQzPdyWTg9jXnROLQo9vG6Ec
-qq3t1LPxKYQLuZQdD+Dv/OsxTJHhO/0Qe6wFNXJFIEU
-> ssh-ed25519 Kk8sng vMGJcs3ihnJ35jqfC7gpcr42wcRoOvk5+PbLF2BokWo
-rR9PrXl+aSQhyx0DYl0mSbrSbAe1+Q8JbHfitwfOlOM
-> )!'e>x-grease )w;#| HUZG$ lzX;qm0
-JAhpSw3t1WV3CFI/YTh3GPjMjGg3HRXqJH+jtwa7LjpTymLsQsC4spxLugccRSL8
-1P6SN9WEL5lmoyf+wSirBayoYsdduG7NtGJW
--- UCMko0rEs8lHjZnQSJJJBrRAgJjfCDfKHTFNlsHi5SQ
-Žì÷ôG%)—½íŽ™U(Û(<ÅÚó‹BÒZŽÄ?îàêü6+£•
+-> ssh-ed25519 dMQYog yPsN2a4x6jsVoICJQrP5sJEiZEuLFcPMAAUOWIlAFAw
+A4cPt0h2miu6maXCZqNDi3eBH+wz089PkTedPgjhVGQ
+-> )0CM-grease {H^$`
+z45BS81IhE6Xqdtz/idIzEExM7T8Sb7zl6NH6ODSJ7p6nRM
+--- 9P/MF94zA5XDi+jwUMKHqVFqGCgGaYMaryevwvI5gsk
+½èá=¸,ööîó£ oá¯H¸uVÊ·HãŸè–25êÿ<C3AA>î1&£C‰IŠä.áDs!¥Íh?öPuo$"ª-’m}Ñ!úi<•'
+wT»‘¼÷À([‘UÿH6¦Úï9×67Z_ÄÅ·³…Ü±À”Rü?„{^ÄH/{C©ùd?nð¢ã÷œÈ
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,41 +1,44 @@
 let
-  keys = import ../common/ssh.nix;
-  system = keys.system;
-  systemsList = keys.systems;
-  usersList = keys.users;
-  all = usersList ++ systemsList;
+  lib = (import <nixpkgs> { }).lib;
+  sshKeys = (import ../common/machine-info/moduleless.nix { }).machines.ssh;

-  wireless = [
-    system.router
-  ] ++ usersList;
+  # add userkeys to all roles so that I can r/w the secrets from my personal computers
+  roles = lib.mapAttrs (role: hosts: hosts ++ sshKeys.userKeys) sshKeys.hostKeysByRole;
+
+  # nobody is using this secret but I still need to be able to r/w it
+  nobody = sshKeys.userKeys;
 in
-{
-  # TODO: Minimum necessary access to keys

+with roles;
+
+{
  # email
-  "email-pw.age".publicKeys = all;
-  "sasl_relay_passwd.age".publicKeys = all;
-  "hashed-robots-email-pw.age".publicKeys = all;
-  "robots-email-pw.age".publicKeys = all;
+  "hashed-email-pw.age".publicKeys = email-server;
+  "sasl_relay_passwd.age".publicKeys = email-server;
+  "hashed-robots-email-pw.age".publicKeys = email-server;
+  "robots-email-pw.age".publicKeys = gitea;
+
+  # gitea
+  "gitea-runner-registration-token.age".publicKeys = gitea-runner;

  # vpn
-  "iodine.age".publicKeys = all;
-  "pia-login.conf".publicKeys = all;
+  "iodine.age".publicKeys = iodine;
+  "pia-login.age".publicKeys = pia;

  # cloud
-  "nextcloud-pw.age".publicKeys = all;
-  "smb-secrets.age".publicKeys = all;
+  "nextcloud-pw.age".publicKeys = nextcloud;
+  "smb-secrets.age".publicKeys = personal;

  # services
-  "searx.age".publicKeys = all;
-  "spotifyd.age".publicKeys = all;
-  "wolframalpha.age".publicKeys = all;
+  "searx.age".publicKeys = nobody;
+  "spotifyd.age".publicKeys = personal;
+  "wolframalpha.age".publicKeys = dailybot;

  # hostapd
  "hostapd-pw-experimental-tower.age".publicKeys = wireless;
  "hostapd-pw-CXNK00BF9176.age".publicKeys = wireless;

  # backups
-  "backblaze-s3-backups.age".publicKeys = all;
-  "restic-password.age".publicKeys = all;
+  "backblaze-s3-backups.age".publicKeys = personal ++ server;
+  "restic-password.age".publicKeys = personal ++ server;
 }
--- a/secrets/smb-secrets.age
+++ b/secrets/smb-secrets.age
@@ -1,38 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w Y5MLu+HhgDeKPDSyg5vzGIw7jpOkCbkuW07QjqLicjM
-XDsAENs5+79A5f24nXNCwY8RM5Ac9jypxCip5EYG34Q
-> ssh-ed25519 mbw8xA 4ESXjbxaKpfnCYTN+/a/y91jyrhoWyD3lppboLuF2ws
-tc5m9m4/mF/KUvy3QAqf/Wr7qFYGPgACNgu8vHqYl6k
-> ssh-ed25519 2a2Yhw MwU09hKahVJ5QQhcz6F0NJm/3J0JSdNMvL19Uh8Oc2s
-EVJ/POUeJ4ybwC9IIzkNzwnGp4PkO4Zn6P007Y00iKw
-> ssh-ed25519 dMQYog IZltBF7HETAKqvxTjkBtRpLLbmrGfk7s1I88gZedkB4
-K3iu+GfLMnd5PE2XTkDNRcOYWpVQ7uhCx29J3vTMUIM
-> ssh-ed25519 G2eSCQ zBk6wQ4TMoxIS4QBtAphyTyCAFbZ/wNYQqBkps/X/TU
-W+5tTl1P4m93taLUrSljvEdYeob88wgAzrjW8N0flkc
-> ssh-ed25519 6AT2/g 5mX5s28Y8Z1XlpWUHjyi1sqLL4eytYC4MP2r1Oe8xmM
-pfvf78ZSok4qTq07vQzPl5G0YmsshBZvizwEdaywXAY
-> ssh-ed25519 yHDAQw qVbOBU732m24b1z7L6FbkQ60Lz1/Nxsflo1QwmNKyk4
-b26BFy5h0khO6a4wRg3hB2Bkxzh9qssm5JOxWSgwCPI
-> ssh-ed25519 VyYH/Q Q58vyR9AeGSbrh/tVi304IRWv6PFSGRkYbafP6C0IXE
-4v8XAdt3/shftljWDAloEUK8jbhXz8g19i6jYqPanOM
-> ssh-ed25519 hPp1nw nMT+3ux5DZTEttaQDSGR4TFqMjJOnpmw6VuYmYew41A
-pQmpkCPJ7tLusjS5kIgqcujeTjiKf53IpUVv1LrmlZE
-> ssh-ed25519 CRfjsA btyR2YFxYAuBRtNKL3HxPEK4BzYptB5BJ1Et/OOA8Cc
-pT7HayclLxdcCbmfA8Rm3EvXFin13koKKgKYX5D6zd8
-> ssh-ed25519 vwVIvQ Pf2x6AjYZvotGoZHRv2YgLlySxT5MIbgKpo/iKD0cjA
-W4mubpJM7n+rh1U+7220Obhgx2PiCLSmlRB7c8g94Kg
-> ssh-ed25519 fBrw3g aWphvCv0R/42EkyQgbtmrZ3c0+d8Yj+fd3W4BHBrt1I
-unRlUKNZHLdUXpTnMYOKt2r6Ku3IFFN0Qt2KfEzBXRo
-> ssh-ed25519 S5xQfg 4EwsQL2IgpSrucGFE9ycyS4/82vfLKgIR7jtfyK9RQs
-2ytPuFQd0mDPIN7d+k2FlN7fHnKNPJU2Wf04DM2sOGM
-> ssh-ed25519 XPxfUQ cV3abyNYwf8ddo7QTKG/jlLrtMc2EhTlBjvj/3BO7h0
-DLzsdjDvWuiwSQd4tB2TTlVozXc9X3UZY4C1kptpl0g
-> ssh-ed25519 SpD5mg CuXwDlnSjnGrSK2RJmgNFxjTKWdZEVR5wSTYHbjDu3U
-qGYlRJe0x2NvC9gi4IO1907NF2sY3M+3nrsYY9F/6Eo
-> ssh-ed25519 Kk8sng 8+lugR1z3j5TDFCv+eNDsVY0iD9RSBqE1uZw9xkL1w8
-Ey+Y8TSfRnnKUrlT8z1AGs6Ze5P3vylWtH//QENLq7k
-> e;){a}-grease mxF{/I
-ij3j1VjVrATiBw
--- U4dnDq0KmjHdJFRBc85V2AjVPkBlTylAI6gnqrPL5Aw
-‘ÅÌËôõ-lN®p>YxwÆ³”ÉDÒŽ¸r¬÷ùŸVç+oV=€ËùŸâ¿n9ßu¼|Xb]×Ïº‚ÖaØ(M_® ¾Ä×‹
-ƒm4yå@7Fs0V4÷Tö‰XÀºþžõ½Å"±cM
+-> ssh-ed25519 yHDAQw PhR4X0TShLFSW0ukaV2RhC+aNDc3wUg5KzD4x91K7jI
+oY3NkfLrlYzoj4qV8Y2N+RPUveycUxTn7jX5gtKEaFo
+-> ssh-ed25519 dMQYog YOOjjLAm6cO6jkfOhqbtb0MiVzML/pm9CVgfdlDmdSk
+xnrXzif2IA7Ai1sGkaZKrOxcjMBER5KhsxYd8dk9qgI
+-> rs-grease 6 V\t
+o8H+k1mjy1DY0YLxaOaYVgZe+bA93TiD1Bz6H7KSxwX+Hsem5ijjSaBiBVvpuQwK
+1emVGY1WhOXWc3Zpb7kwohY
+--- 1TIT9uR1Plo7w2XEnJSIpmZUF7wfDKCDF2SPCii50iM
+\ùN"åÃÄíñ¨á:ùg´#ßŠóù•ˆY½5QåÕ[ÿ¤Å´#\øÈå›ÇËv ‹#ïÐ!Økp§Bò—å‘Ö¯<C396>Ö<1E>ÐpMq³ÜäÇ¯-ÚÝ¼(çßŒ)\Æ<><C386>Öô¨ê'1s°G–²e^ @Ž~
--- a/secrets/spotifyd.age
+++ b/secrets/spotifyd.age
@@ -1,39 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w kuMA8ICWwTmJRc1yL93aZaZV19JIuPqGxjxKFuVpJUg
-2mT/VTjvxolyhJm5JbkwrPrsuuUjGzqym9M/rcxUkSI
-> ssh-ed25519 mbw8xA gFKcwWHvFNXa2ohvZGo2rwHXhAghdc0dWmC8nQFHEzc
-cCeCLBYa6MbD51gsqVvJCc9tQYMTu8WjNi4E16WjBBM
-> ssh-ed25519 2a2Yhw Ni01ZgIQWBcHK/tPas9XWhHvBKpusGVWT+VLoRaycmU
-FJE6jpgnvjMk7JtRNCie59qnbEC8uVWUqOOFM6yuRXk
-> ssh-ed25519 dMQYog Ux82p5oapnhQ48v5YC7LtUgTkh0z4heN2wIZ4zdkBHc
-617zDYbNTKqtYrR9A8G7KHOiTvu7gM1KTheDENb0Mbo
-> ssh-ed25519 G2eSCQ DXiNCQrPLznpFlNWjAw8AGE7N+2S+bZEPq2pxw7tYQc
-O/cqBzb901Ig+7ve5LMNM9w8TKPlR9AOMJaNrZ5F3hw
-> ssh-ed25519 6AT2/g IKSN6LZpelB1Qa0WxPpGWQ2BLWK71r9J8cqB7XIfMAg
-8HRo/7Wuui5imZ9rr67LlYdAO1mS13HqUv+jrSeLiOA
-> ssh-ed25519 yHDAQw ax0q3ja7Q70+sGUZNdvyUkA0bRZYiNV5nvVhnTtcezo
-GWps1K/7Lf4sBBo+rQCVT42NpJXdF9h+G2vB8/bTPOk
-> ssh-ed25519 VyYH/Q 0bzf+qa/YkcMdfFwn53X/nINPkatTGpJj+fs8/kvOB0
-yu+xVqTTjbQAv8d8Tx814GrP6C4G2Ivikl1yb3kQUA4
-> ssh-ed25519 hPp1nw SDKk2Cwoya2DmFlTNymeoyDCtiOxrr93F4ZpVXKQwxE
-0HwqXkVqE0mPiGenC8H6MTa2ElidAamGXLP3VZaB23I
-> ssh-ed25519 CRfjsA +PqVqX6J1ZhcfjlEBg9hJpDeYQEeCbJifYzC4iVpzBM
-8aOqAQvJIxTcUfxW0QVYJFHpMO0aSUxbF6z4wEo1Y+g
-> ssh-ed25519 vwVIvQ r4wRXXLTg8RpDq4gjWZGuFp9NH33kekLIu4NUvtjoH0
-2FFFi1HMKgqFYZltig76rSL9zHst5rE1/2zltjk/gmo
-> ssh-ed25519 fBrw3g fdCixr2OJQDSJJXcNeGwKbaM22Uj3669/GAZxVNVhEs
-/bIa/EtjEHgAsMsSrGnqJ+owKlZ6WlG2yHcr7tAPpF8
-> ssh-ed25519 S5xQfg 0jb5owsvZa1tApkTRo6Ai9+MiJaWHM09SmffDS6q1R8
-zsfdzGq1HxQtvWgjBwac0BWzoZ81/9mOh3bwLHQ7eZE
-> ssh-ed25519 XPxfUQ Tcaed1l2jarovJJcQcF3aH0oRTHG3+CjRC8nReQMphQ
-aKPAQekq1S2ENodDJ+X9tURYHC5UeYX6IkAiZAwq/2s
-> ssh-ed25519 SpD5mg CI+doikC251HbDmvWkmxMPPuCxs7DhCs5djaV/yK8Q4
-j9mNZ9jOKyC/FoGMl4mSfLUF9jQcxoapUZ7AzJLVaC4
-> ssh-ed25519 Kk8sng tfmmLUnB6P00bnx8oi05hkz1YsumbW3po5TLrUY9UHs
-yh4L1HpuA9QHAl1o3KaMLuPNxcoHrd9xT24BSQB0gHI
-> E^;,0J-grease @1%uq:\
-rsHU3TVrPPYHVgxVVSD69DWk1ms+dBCh2/ET8h7lIz2xrDqQf8bx+oJriPv+78Qb
-bjoq88amMcGrJKSoNrcRxYqj7OGw4SQk2gfzotxF57BdoLSeRNboLwv8DTSJpPLt
-m1o
--- KNvXo+zbpLVsT8S8XMPRoCjjz55fW3d97axYONHvs0U
-ýüGrsTRrÒß	’…eGrÝ†¹02bé:|òmj{øqÂØD~<7E>þP3–5)Ü£^í´ÞH´(\rV›6VŽIÎž»Ì5wL!ã£ó!«|Iañ¾\
+-> ssh-ed25519 yHDAQw R1weIMur0s9HsBBwNn+XyBNfAB8CrQf6QEzIJFklcG8
+DTK0seypjzSX1B2ce2IWyYwygBeeKlbFpYgzH7i1DHA
+-> ssh-ed25519 dMQYog DU9sxA0/cG/O9EG3JYFjL1d2OiqOSZvFjZ1S2zTTWDw
+nGlUCvjpUp50ykTIUzSQ19uj2tiVMPo1Ois8xFSWB58
+-> z%z.3-grease lF#S
+H+5548VgikG9upeHi2GIQ3U71TC0ds+dn8yWOoixHnRhiYZRIhODffjI3D8T18gk
+1mjtW+c34E+ALRkSIf5iWwChJxsomS6LiMS3sqtJg4c
+--- o2hgAcfMDZyGIehN07CO7OjSCrmwUDRTrwxAKmGcfAY
+<<3C>¹ CÜGàÝ<C3A0>Ï0<C38F>
--- a/secrets/wolframalpha.age
+++ b/secrets/wolframalpha.age
@@ -1,38 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w HClJLz2DJRlS7owQ8Wu6lkOWBZY2t4tL3m4Xd1wf6Ts
-T/SjmYmVs4x74n/Q3fFQujyeDTaSMatIDK67N3uo6H8
-> ssh-ed25519 mbw8xA JFGWHAkip5tKBG9ett2/Y0Dr2wsiStKve0mpZVJN/gE
-lwTtXrW+0N5SYkllt6KAQs82KLa7YH/godphEWkhgdw
-> ssh-ed25519 2a2Yhw blLit/oIYe10zPJOu0QOKUd7NHAS3NvSSd0DMvrqiGM
-VlC0shqH1HgAR5EokdgKtWDOAS4tL5C1YKgCJ6kAeCA
-> ssh-ed25519 dMQYog s5CZNbbI00B74zlzP6jNaw6l/YKDbLgTJPQpRlXRfSg
-NQohEMrbchdS433sw3MKRH/8lryh6j4VZFBvjW1qmc0
-> ssh-ed25519 G2eSCQ PbfTCAk1+DJhW7F+26xvaSZlhpIAtfIAvqm9Xfi9xGE
-CbVJJl6zzm2857A5oDhF8Z4Vtq0felJ7j96Tc3aN9eI
-> ssh-ed25519 6AT2/g A2B3VdkSf88kbSQKCSfaAR6bUREanrTyKLiZhVP3ugM
-Z8FvbHNpGMh6Wsaxu44MAUhSFOv8UIRFTugyrtvXr9Q
-> ssh-ed25519 yHDAQw LZPhYf49feALAiKTT2oiM61BgcRfrXTKal+zhjLoMxA
-Qi7Eu6Rq7LjNvhwgN1Cy5/B+VCOLvOdkH5jWsXGvydc
-> ssh-ed25519 VyYH/Q s2gMTJIyJZkWXeVX+kv/bUpNKqN3Zt5FpVR1bfOb+zg
-Ho1k4VljmGXcpr4NGo7RkKhjrxnckMGL3GzDMK1U0NE
-> ssh-ed25519 hPp1nw dg3SZjzCIzJU2Ef68SOwXmZE0Efg9MaE1J6+JKgW9xQ
-8/hJdKcQAcvDtarn8u7W0tKblu02thOylJ+zThWlpic
-> ssh-ed25519 CRfjsA FIF0LZf60q7MExEDJi0UMODKi3Q0c39c26fFUE9tHDc
-TIdABrVJ6FmbqfhWbz3+6xZtyRJAehas83JmBFEoVfU
-> ssh-ed25519 vwVIvQ uXexIx8K6/AOpX0P2JSZP27mo7Iq7kePt54m0B/83Wc
-sakOup9vuUx4/52FltGPHOT1SUG7nIIUbhTlev0Tg+4
-> ssh-ed25519 fBrw3g YoekhSoktfoGXc/soCDSSvOV6Y1SMOwsahtxeOkPgj0
-YD0/HFmw/rJ5h8p0+IF9rfL+PLe7lwvwIV4tp6cb1AY
-> ssh-ed25519 S5xQfg pmm6X5Tl94OTiz9oWoTvfggF4UAOcCUNATbLbTHUg2s
-tFA3SJGfTDi2FhV4JBKWz1/p7SAHtPaQ+dvSmI6edLU
-> ssh-ed25519 XPxfUQ XW93ctvokekrrlNySXSl0b6TFAosf0zBxmT4dc7Ybkk
-chKtenAqQ2tavjBzDxVyi6OwYp6oKW2Cf6g9YxEYqYU
-> ssh-ed25519 SpD5mg me2egMTBnAAwko5Hk+6rtjl7DwcGJsWpiiHFaTG8cgA
-h6Kzkc/jRlNE2p+CeAMLTMzLGrm0bSQEKJj4yQcQ2Eg
-> ssh-ed25519 Kk8sng BEeiCUQ9QWlYscSHtvQKrYPl+/G1BCfJn13J17QTWmo
-3xd4hNsMGmhAg2d8jvsJ3/rVOvIooYMMOgpn9N3t3EM
-> _'bSoQ-grease uFb7xPe, S K.f; Y7i"cG
-D1xxRIgIslR33p/N+cnKEqSGP7iCgVS2pS8DZtGgAz3DzSUf7a1+OF4uRPOz3juH
-b790V0/2CzNGwSbd
--- hNoZqGbHUS8/YCysJPb8fV7RwGv8AViuQXbI5n1aPJc
-+¸‹o…˜•Kui/Ïˆü´²0j!÷œ¯Ð—þâA&½8[èƒsd0þrê@ö1SÙõ
+-> ssh-ed25519 6AT2/g xp04CsJvlYhBZS5W/MSDLWGiNCegAjg4XPv43wU5u0g
+i6q0YgKOFGaHOKVYMppNtcvjCFfHHqOS9M+oh2mqc1M
+-> ssh-ed25519 dMQYog Mk90WFb+fYCFV7afu3+VbuAtOlvRAgpJGFGqn4ZWGjE
+wHeScgV248lHiL0B/QEraD4QOBudezhJPrppY50u7S8
+-> G/9-grease
+0hCyP7pGu5xkk4eWJTpLWy6f8Zuo8wmgBSNFK7bgzfYdW29mdOrO2Ey3Oa2Gvtji
+rze9v27gMUFRXOqPHNmaSjAneCwtcqTMReV+LZr9q9FN6qZnzAE
+--- /SN6cSyrvbDEHTiIvv4MdoVkIjz3yZkvtr2SVBE1rRk
+=„ñ1fJ…XÍô‹~ÃÝÆD¬c¹aFâ¨@Ý¹c=89;¿sôv®Ïú´‘
Author	SHA1	Message	Date
Zuckerberg	b7549e63f5	prototype	2023-04-26 14:46:55 -06:00
Zuckerberg	306ce8bc3f	Move s0 to systemd-boot	2023-04-25 23:41:08 -06:00
Zuckerberg	b5dd983ba3	Automatically set machine hostname	2023-04-24 20:52:17 -06:00
Zuckerberg	832894edfc	Gitea runner	2023-04-23 10:29:18 -06:00
Zuckerberg	feb6270952	Update options for newer nixpkgs	2023-04-23 10:28:55 -06:00
Zuckerberg	b4dd2d4a92	update TODOs	2023-04-23 10:16:54 -06:00
Zuckerberg	38c2e5aece	Fix properties.nix path loading	2023-04-21 23:24:05 -06:00
Zuckerberg	0ef689b750	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/b7ffcfe77f817d9ee992640ba1f270718d197f28' (2023-01-31) → 'github:ryantm/agenix/2994d002dcff5353ca1ac48ec584c7f6589fe447' (2023-04-21) • Updated input 'deploy-rs': 'github:serokell/deploy-rs/8c9ea9605eed20528bf60fae35a2b613b901fd77' (2023-01-19) → 'github:serokell/deploy-rs/c2ea4e642dc50fd44b537e9860ec95867af30d39' (2023-04-21) • Updated input 'flake-utils': 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02) → 'github:numtide/flake-utils/cfacdce06f30d2b68473a46042957675eebb3401' (2023-04-11) • Added input 'flake-utils/systems': 'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09) • Updated input 'nix-index-database': 'github:Mic92/nix-index-database/4306fa7c12e098360439faac1a2e6b8e509ec97c' (2023-02-26) → 'github:Mic92/nix-index-database/68ec961c51f48768f72d2bbdb396ce65a316677e' (2023-04-15) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/78c4d33c16092e535bc4ba1284ba49e3e138483a' (2023-03-03) → 'github:NixOS/nixpkgs/8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8' (2023-04-22)	2023-04-21 21:22:00 -06:00
Zuckerberg	e72e19b7e8	Fix auto upgrade	2023-04-21 18:58:54 -06:00
Zuckerberg	03603119e5	Fix invalid import issue.	2023-04-21 18:57:06 -06:00
Zuckerberg	71baa09bd2	Refactor imports and secrets. Add per system properties and role based secret access. Highlights - No need to update flake for every machine anymore, just add a properties.nix file. - Roles are automatically generated from all machine configurations. - Roles and their secrets automatically are grouped and show up in agenix secrets.nix - Machines and their service configs may now query the properties of all machines. - Machine configuration and secrets are now competely isolated into each machine's directory. - Safety checks to ensure no mixing of luks unlocking secrets and hosts with primary ones. - SSH pubkeys no longer centrally stored but instead per machine where the private key lies for better cleanup.	2023-04-21 12:58:11 -06:00
Zuckerberg	a02775a234	Update install steps	2023-04-19 21:17:45 -06:00
Zuckerberg	5800359214	Update install steps	2023-04-19 21:17:03 -06:00
Zuckerberg	0bd42f1850	Update install steps	2023-04-19 21:15:58 -06:00
Zuckerberg	40f0e5d2ac	Add Phil	2023-04-19 18:12:42 -06:00
Zuckerberg	f90b9f85fd	try out appvm	2023-04-18 23:15:21 -06:00
Zuckerberg	5b084fffcc	moonlander	2023-04-18 23:15:03 -06:00
Zuckerberg	4dd6401f8c	update TODOs	2023-04-18 23:14:49 -06:00
Zuckerberg	260bbc1ffd	Use doas instead of sudo	2023-04-10 22:03:57 -06:00
Zuckerberg	c8132a67d0	Use lf as terminal file explorer	2023-04-10 22:03:29 -06:00