prototype

Move s0 to systemd-boot
Automatically set machine hostname
2023-04-26 14:46:55 -06:00 · 2023-04-25 23:41:08 -06:00 · 2023-04-24 20:52:17 -06:00 · 2023-04-23 10:29:18 -06:00 · 2023-04-23 10:28:55 -06:00 · 2023-04-23 10:16:54 -06:00
62 changed files with 1327 additions and 499 deletions
--- a/README.md
+++ b/README.md
@@ -6,7 +6,6 @@
    - `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
    - `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
    - `/server` - config that creates new nixos services or extends existing ones to meet my needs
    - `/ssh.nix` - all ssh public host and user keys for all `/machines`
 - `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
    - `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
 - `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys
--- a/TODO.md
+++ b/TODO.md
@@ -73,6 +73,8 @@
 - offsite backup yubikey, pw db, and ssh key with /secrets access
 ### Misc
 - for automated kernel upgrades on luks systems, need to kexec with initrd that contains luks key
  - https://github.com/flowztul/keyexec/blob/master/etc/default/kexec-cryptroot
 - https://github.com/pop-os/system76-scheduler
 - improve email a little bit https://helloinbox.email
 - remap razer keys https://github.com/sezanzeb/input-remapper
--- a/common/auto-update.nix
+++ b/common/auto-update.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, pkgs, lib, ... }:
 # Modify auto-update so that it pulls a flake
@@ -6,10 +6,20 @@ let
  cfg = config.system.autoUpgrade;
 in
 {
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      system.autoUpgrade = {
        flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
-      flags = [ "--recreate-lock-file" ]; # ignore lock file, just pull the latest
+        flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
-    };
+
        # dates = "03:40";
        # kexecWindow = lib.mkDefault { lower = "01:00"; upper = "05:00"; };
        # randomizedDelaySec = "45min";
      };
      system.autoUpgrade.allowKexec = lib.mkDefault true;
      luks.enableKexec = cfg.allowKexec && builtins.length config.luks.devices > 0;
    }
  ]);
 }
--- a/common/boot/default.nix
+++ b/common/boot/default.nix
@@ -5,6 +5,8 @@
    ./firmware.nix
    ./efi.nix
    ./bios.nix
    ./kexec-luks.nix
    ./luks.nix
    ./remote-luks-unlock.nix
  ];
 }
--- a/common/boot/kexec-luks.nix
+++ b/common/boot/kexec-luks.nix
@@ -0,0 +1,121 @@
 # Allows kexec'ing as an alternative to rebooting for machines that
 # have luks encrypted partitions that need to be mounted at boot.
 # These luks partitions will be automatically unlocked, no password,
 # or any interaction needed whatsoever.
 # This is accomplished by fetching the luks key(s) while the system is running,
 # then building a temporary initrd that contains the luks key(s), and kexec'ing.
 { config, lib, pkgs, ... }:
 {
  options.luks = {
    enableKexec = lib.mkEnableOption "Enable support for transparent passwordless kexec while using luks";
  };
  config = lib.mkIf config.luks.enableKexec {
    luks.fallbackToPassword = true;
    luks.disableKeyring = true;
    boot.initrd.luks.devices = lib.listToAttrs
      (builtins.map
        (item:
          {
            name = item;
            value = {
              masterKeyFile = "/etc/${item}.key";
            };
          })
        config.luks.deviceNames);
    systemd.services.prepare-luks-kexec-image = {
      description = "Prepare kexec automatic LUKS unlock on kexec reboot without a password";
      wantedBy = [ "kexec.target" ];
      unitConfig.DefaultDependencies = false;
      serviceConfig.Type = "oneshot";
      path = with pkgs; [ file kexec-tools coreutils-full cpio findutils gzip xz zstd lvm2 xxd gawk ];
      # based on https://github.com/flowztul/keyexec
      script = ''
        system=/nix/var/nix/profiles/system
        old_initrd=$(readlink -f "$system/initrd")
        umask 0077
        CRYPTROOT_TMPDIR="$(mktemp -d --tmpdir=/dev/shm)"
        cleanup() {
          shred -fu "$CRYPTROOT_TMPDIR/initrd_contents/etc/"*.key || true
          shred -fu "$CRYPTROOT_TMPDIR/new_initrd" || true
          shred -fu "$CRYPTROOT_TMPDIR/secret/"* || true
          rm -rf "$CRYPTROOT_TMPDIR"
        }
        # trap cleanup INT TERM EXIT
        mkdir -p "$CRYPTROOT_TMPDIR"
        cd "$CRYPTROOT_TMPDIR"
        # Determine the compression type of the initrd image
        compression=$(file -b --mime-type "$old_initrd" | awk -F'/' '{print $2}')
        # Decompress the initrd image based on its compression type
        case "$compression" in
          gzip)
            gunzip -c "$old_initrd" > initrd.cpio
            ;;
          xz)
            unxz -c "$old_initrd" > initrd.cpio
            ;;
          zstd)
            zstd -d -c "$old_initrd" > initrd.cpio
            ;;
          *)
            echo "Unsupported compression type: $compression"
            exit 1
            ;;
        esac
        # Extract the contents of the cpio archive
        mkdir -p initrd_contents
        cd initrd_contents
        cpio -idv < ../initrd.cpio
        # Generate keys and add them to the extracted initrd filesystem
        luksDeviceNames=(${builtins.concatStringsSep " " config.luks.deviceNames})
        for item in "''${luksDeviceNames[@]}"; do
          dmsetup --showkeys table "$item" | cut -d ' ' -f5 | xxd -ps -g1 -r > "./etc/$item.key"
        done
        # Add normal initrd secrets too
        ${lib.concatStringsSep "\n" (lib.mapAttrsToList (dest: source:
            let source' = if source == null then dest else builtins.toString source; in
              ''
                mkdir -p $(dirname "./${dest}")
                cp -a ${source'} "./${dest}"
              ''
          ) config.boot.initrd.secrets)
        }
        # Create a new cpio archive with the modified contents
        find . | cpio -o -H newc -v > ../new_initrd.cpio
        # Compress the new cpio archive using the original compression type
        cd ..
        case "$compression" in
          gzip)
            gunzip -c new_initrd.cpio > new_initrd
            ;;
          xz)
            unxz -c new_initrd.cpio > new_initrd
            ;;
          zstd)
            zstd -c new_initrd.cpio > new_initrd
            ;;
        esac
        kexec --load "$system/kernel" --append "init=$system/init ${builtins.concatStringsSep " " config.boot.kernelParams}" --initrd "$CRYPTROOT_TMPDIR/new_initrd"
      '';
    };
  };
 }
--- a/common/boot/luks.nix
+++ b/common/boot/luks.nix
@@ -0,0 +1,74 @@
 # Makes it a little easier to configure luks partitions for boot
 # Additionally, this solves a circular dependency between kexec luks
 # and NixOS's luks module.
 { config, lib, ... }:
 let
  cfg = config.luks;
  deviceCount = builtins.length cfg.devices;
  deviceMap = lib.imap
    (i: item: {
      device = item;
      name =
        if deviceCount == 1 then "enc-pv"
        else "enc-pv${builtins.toString (i + 1)}";
    })
    cfg.devices;
 in
 {
  options.luks = {
    devices = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
    };
    allowDiscards = lib.mkOption {
      type = lib.types.bool;
      default = true;
    };
    fallbackToPassword = lib.mkEnableOption
      "Fallback to interactive passphrase prompt if the cannot be found.";
    disableKeyring = lib.mkEnableOption
      "When opening LUKS2 devices, don't use the kernel keyring";
    # set automatically, don't touch
    deviceNames = lib.mkOption {
      type = lib.types.listOf lib.types.str;
    };
  };
  config = lib.mkMerge [
    {
      assertions = [
        {
          assertion = deviceCount == builtins.length (builtins.attrNames config.boot.initrd.luks.devices);
          message = ''
            All luks devices must be specified using `luks.devices` not `boot.initrd.luks.devices`.
          '';
        }
      ];
    }
    (lib.mkIf (deviceCount != 0) {
      luks.deviceNames = builtins.map (device: device.name) deviceMap;
      boot.initrd.luks.devices = lib.listToAttrs (
        builtins.map
          (item:
            {
              name = item.name;
              value = {
                device = item.device;
                allowDiscards = cfg.allowDiscards;
                fallbackToPassword = cfg.fallbackToPassword;
                disableKeyring = cfg.disableKeyring;
              };
            })
          deviceMap);
    })
  ];
 }
--- a/common/boot/remote-luks-unlock.nix
+++ b/common/boot/remote-luks-unlock.nix
@@ -33,11 +33,6 @@ in
  };
  config = lib.mkIf cfg.enable {
    # boot.initrd.luks.devices.${cfg.device.name} = {
    #   device = cfg.device.path;
    #   allowDiscards = cfg.device.allowDiscards;
    # };
    # Unlock LUKS disk over ssh
    boot.initrd.network.enable = true;
    boot.initrd.kernelModules = cfg.kernelModules;
--- a/common/default.nix
+++ b/common/default.nix
@@ -1,10 +1,5 @@
 { config, pkgs, ... }:
 let
  ssh = import ./ssh.nix;
  sshUserKeys = ssh.users;
  sshHigherTrustKeys = ssh.higherTrustUserKeys;
 in
 {
  imports = [
    ./backups.nix
@@ -15,6 +10,8 @@ in
    ./boot
    ./server
    ./pc
    ./machine-info
    ./ssh.nix
  ];
  nix.flakes.enable = true;
@@ -68,12 +65,12 @@ in
      "dialout" # serial
    ];
    shell = pkgs.fish;
-    openssh.authorizedKeys.keys = sshUserKeys;
+    openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
    hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
    uid = 1000;
  };
  users.users.root = {
-    openssh.authorizedKeys.keys = sshHigherTrustKeys;
+    openssh.authorizedKeys.keys = config.machines.ssh.deployKeys;
  };
  nix.settings = {
    trusted-users = [ "root" "googlebot" ];
--- a/common/machine-info/default.nix
+++ b/common/machine-info/default.nix
@@ -0,0 +1,200 @@
 # Gathers info about each machine to constuct overall configuration
 # Ex: Each machine already trusts each others SSH fingerprint already
 { config, lib, pkgs, ... }:
 let
  machines = config.machines.hosts;
 in
 {
  imports = [
    ./ssh.nix
    ./roles.nix
  ];
  options.machines = {
    hosts = lib.mkOption {
      type = lib.types.attrsOf
        (lib.types.submodule {
          options = {
            hostNames = lib.mkOption {
              type = lib.types.listOf lib.types.str;
              description = ''
                List of hostnames for this machine. The first one is the default so it is the target of deployments.
                Used for automatically trusting hosts for ssh connections.
              '';
            };
            arch = lib.mkOption {
              type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
              description = ''
                The architecture of this machine.
              '';
            };
            systemRoles = lib.mkOption {
              type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
              description = ''
                The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
              '';
            };
            hostKey = lib.mkOption {
              type = lib.types.str;
              description = ''
                The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
                and for decrypting secrets with agenix.
              '';
            };
            remoteUnlock = lib.mkOption {
              default = null;
              type = lib.types.nullOr (lib.types.submodule {
                options = {
                  hostKey = lib.mkOption {
                    type = lib.types.str;
                    description = ''
                      The system ssh host key of this machine used for luks boot unlocking only.
                    '';
                  };
                  clearnetHost = lib.mkOption {
                    default = null;
                    type = lib.types.nullOr lib.types.str;
                    description = ''
                      The hostname resolvable over clearnet used to luks boot unlock this machine
                    '';
                  };
                  onionHost = lib.mkOption {
                    default = null;
                    type = lib.types.nullOr lib.types.str;
                    description = ''
                      The hostname resolvable over tor used to luks boot unlock this machine
                    '';
                  };
                };
              });
            };
            userKeys = lib.mkOption {
              default = [ ];
              type = lib.types.listOf lib.types.str;
              description = ''
                The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
                TODO: consider auto populating other programs that use ssh keys such as gitea
              '';
            };
            deployKeys = lib.mkOption {
              default = [ ];
              type = lib.types.listOf lib.types.str;
              description = ''
                The list of deployment keys. Each key here can be used to log into all other systems as `root`.
              '';
            };
            configurationPath = lib.mkOption {
              type = lib.types.path;
              description = ''
                The path to this machine's configuration directory.
              '';
            };
          };
        });
    };
  };
  config = {
    assertions = (lib.concatLists (lib.mapAttrsToList
      (
        name: cfg: [
          {
            assertion = builtins.length cfg.hostNames > 0;
            message = ''
              Error with config for ${name}
              There must be at least one hostname.
            '';
          }
          {
            assertion = builtins.length cfg.systemRoles > 0;
            message = ''
              Error with config for ${name}
              There must be at least one system role.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.hostKey != cfg.hostKey;
            message = ''
              Error with config for ${name}
              Unlock hostkey and hostkey cannot be the same because unlock hostkey is in /boot, unencrypted.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || (cfg.remoteUnlock.clearnetHost != null || cfg.remoteUnlock.onionHost != null);
            message = ''
              Error with config for ${name}
              At least one of clearnet host or onion host must be defined.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.clearnetHost == null || builtins.elem cfg.remoteUnlock.clearnetHost cfg.hostNames == false;
            message = ''
              Error with config for ${name}
              Clearnet unlock hostname cannot be in the list of hostnames for security reasons.
            '';
          }
          {
            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.onionHost == null || lib.strings.hasSuffix ".onion" cfg.remoteUnlock.onionHost;
            message = ''
              Error with config for ${name}
              Tor unlock hostname must be an onion address.
            '';
          }
          {
            assertion = builtins.elem "personal" cfg.systemRoles || builtins.length cfg.userKeys == 0;
            message = ''
              Error with config for ${name}
              There must be at least one userkey defined for personal machines.
            '';
          }
          {
            assertion = builtins.elem "deploy" cfg.systemRoles || builtins.length cfg.deployKeys == 0;
            message = ''
              Error with config for ${name}
              Only deploy machines are allowed to have deploy keys for security reasons.
            '';
          }
        ]
      )
      machines));
    # Set per machine properties automatically using each of their `properties.nix` files respectively
    machines.hosts =
      let
        properties = dir: lib.concatMapAttrs
          (name: path: {
            ${name} =
              import path
              //
              { configurationPath = builtins.dirOf path; };
          })
          (propertiesFiles dir);
        propertiesFiles = dir:
          lib.foldl (lib.mergeAttrs) { } (propertiesFiles' dir);
        propertiesFiles' = dir:
          let
            propFiles = lib.filter (p: baseNameOf p == "properties.nix") (lib.filesystem.listFilesRecursive dir);
            dirName = path: builtins.baseNameOf (builtins.dirOf path);
          in
          builtins.map (p: { "${dirName p}" = p; }) propFiles;
      in
      properties ../../machines;
  };
 }
--- a/common/machine-info/moduleless.nix
+++ b/common/machine-info/moduleless.nix
@@ -0,0 +1,15 @@
 # Allows getting machine-info outside the scope of nixos configuration
 { nixpkgs ? import <nixpkgs> { }
 , assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix>
 }:
 {
  machines =
    (nixpkgs.lib.evalModules {
      modules = [
        ./default.nix
        assertionsModule
      ];
    }).config.machines;
 }
--- a/common/machine-info/roles.nix
+++ b/common/machine-info/roles.nix
@@ -0,0 +1,19 @@
 { config, lib, ... }:
 # Maps roles to their hosts
 {
  options.machines.roles = lib.mkOption {
    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
  };
  config = {
    machines.roles = lib.zipAttrs
      (lib.mapAttrsToList
        (host: cfg:
          lib.foldl (lib.mergeAttrs) { }
            (builtins.map (role: { ${role} = host; })
              cfg.systemRoles))
        config.machines.hosts);
  };
 }
--- a/common/machine-info/ssh.nix
+++ b/common/machine-info/ssh.nix
@@ -0,0 +1,44 @@
 { config, lib, ... }:
 let
  machines = config.machines;
  sshkeys = keyType: lib.foldl (l: cfg: l ++ cfg.${keyType}) [ ] (builtins.attrValues machines.hosts);
 in
 {
  options.machines.ssh = {
    userKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = ''
        List of user keys aggregated from all machines.
      '';
    };
    deployKeys = lib.mkOption {
      default = [ ];
      type = lib.types.listOf lib.types.str;
      description = ''
        List of deploy keys aggregated from all machines.
      '';
    };
    hostKeysByRole = lib.mkOption {
      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
      description = ''
        Machine host keys divided into their roles.
      '';
    };
  };
  config = {
    machines.ssh.userKeys = sshkeys "userKeys";
    machines.ssh.deployKeys = sshkeys "deployKeys";
    machines.ssh.hostKeysByRole = lib.mapAttrs
      (role: hosts:
        builtins.map
          (host: machines.hosts.${host}.hostKey)
          hosts)
      machines.roles;
  };
 }
--- a/common/network/default.nix
+++ b/common/network/default.nix
@@ -7,7 +7,6 @@ let
 in
 {
  imports = [
    ./hosts.nix
    ./pia-openvpn.nix
    ./pia-wireguard.nix
    ./ping.nix
--- a/common/network/hosts.nix
+++ b/common/network/hosts.nix
@@ -1,66 +0,0 @@
 { config, lib, ... }:
 let
  system = (import ../ssh.nix).system;
  # hostnames that resolve on clearnet for LUKS unlocking
  unlock-clearnet-hosts = {
    ponyo = "unlock.ponyo.neet.dev";
    phil = "unlock.phil.neet.dev";
    s0 = "s0";
  };
  # hostnames that resolve on tor for LUKS unlocking
  unlock-onion-hosts = {
    liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion";
    router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
    ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
    s0 = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
  };
 in
 {
  programs.ssh.knownHosts = {
    ponyo = {
      hostNames = [ "ponyo" "ponyo.neet.dev" "git.neet.dev" ];
      publicKey = system.ponyo;
    };
    ponyo-unlock = {
      hostNames = [ unlock-clearnet-hosts.ponyo unlock-onion-hosts.ponyo ];
      publicKey = system.ponyo-unlock;
    };
    phil = {
      hostNames = [ "phil" "phil.neet.dev" ];
      publicKey = system.phil;
    };
    phil-unlock = {
      hostNames = [ unlock-clearnet-hosts.phil ];
      publicKey = system.phil-unlock;
    };
    router = {
      hostNames = [ "router" "192.168.1.228" ];
      publicKey = system.router;
    };
    router-unlock = {
      hostNames = [ unlock-onion-hosts.router ];
      publicKey = system.router-unlock;
    };
    ray = {
      hostNames = [ "ray" ];
      publicKey = system.ray;
    };
    s0 = {
      hostNames = [ "s0" ];
      publicKey = system.s0;
    };
    s0-unlock = {
      hostNames = [ unlock-onion-hosts.s0 ];
      publicKey = system.s0-unlock;
    };
  };
  # prebuilt cmds for easy ssh LUKS unlock
  environment.shellAliases =
    lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) unlock-onion-hosts
    //
    lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) unlock-clearnet-hosts;
 }
--- a/common/network/pia-openvpn.nix
+++ b/common/network/pia-openvpn.nix
@@ -108,6 +108,6 @@ in
        };
      };
    };
-    age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@@ -352,6 +352,6 @@ in
      };
    };
-    age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
  };
 }
--- a/common/pc/audio.nix
+++ b/common/pc/audio.nix
@@ -17,45 +17,6 @@ in
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
      # use the example session manager (no others are packaged yet so this is enabled by default,
      # no need to redefine it in your config for now)
      #media-session.enable = true;
      config.pipewire = {
        "context.objects" = [
          {
            # A default dummy driver. This handles nodes marked with the "node.always-driver"
            # properyty when no other driver is currently active. JACK clients need this.
            factory = "spa-node-factory";
            args = {
              "factory.name" = "support.node.driver";
              "node.name" = "Dummy-Driver";
              "priority.driver" = 8000;
            };
          }
          {
            factory = "adapter";
            args = {
              "factory.name" = "support.null-audio-sink";
              "node.name" = "Microphone-Proxy";
              "node.description" = "Microphone";
              "media.class" = "Audio/Source/Virtual";
              "audio.position" = "MONO";
            };
          }
          {
            factory = "adapter";
            args = {
              "factory.name" = "support.null-audio-sink";
              "node.name" = "Main-Output-Proxy";
              "node.description" = "Main Output";
              "media.class" = "Audio/Sink";
              "audio.position" = "FL,FR";
            };
          }
        ];
      };
    };
    users.users.googlebot.extraGroups = [ "audio" ];
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -10,6 +10,7 @@
    ./matrix.nix
    ./zerobin.nix
    ./gitea.nix
    ./gitea-runner.nix
    ./privatebin/privatebin.nix
    ./radio.nix
    ./samba.nix
--- a/common/server/gitea-runner.nix
+++ b/common/server/gitea-runner.nix
@@ -0,0 +1,98 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.gitea-runner;
 in
 {
  options.services.gitea-runner = {
    enable = lib.mkEnableOption "Enables gitea runner";
    dataDir = lib.mkOption {
      default = "/var/lib/gitea-runner";
      type = lib.types.str;
      description = lib.mdDoc "gitea runner data directory.";
    };
    instanceUrl = lib.mkOption {
      type = lib.types.str;
    };
    registrationTokenFile = lib.mkOption {
      type = lib.types.path;
    };
  };
  config = lib.mkIf cfg.enable {
    virtualisation.docker.enable = true;
    users.users.gitea-runner = {
      description = "Gitea Runner Service";
      home = cfg.dataDir;
      useDefaultShell = true;
      group = "gitea-runner";
      isSystemUser = true;
      createHome = true;
      extraGroups = [
        "docker" # allow creating docker containers
      ];
    };
    users.groups.gitea-runner = { };
    # registration token
    services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
    age.secrets.gitea-runner-registration-token = {
      file = ../../secrets/gitea-runner-registration-token.age;
      owner = "gitea-runner";
    };
    systemd.services.gitea-runner = {
      description = "Gitea Runner";
      serviceConfig = {
        WorkingDirectory = cfg.dataDir;
        User = "gitea-runner";
        Group = "gitea-runner";
      };
      requires = [ "network-online.target" ];
      after = [ "network.target" "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ gitea-actions-runner ];
      # based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
      script = ''
        . ${cfg.registrationTokenFile}
        if [[ ! -s .runner ]]; then
          try=$((try + 1))
          success=0
          LOGFILE="$(mktemp)"
          # The point of this loop is to make it simple, when running both act_runner and gitea in docker,
          # for the act_runner to wait a moment for gitea to become available before erroring out.  Within
          # the context of a single docker-compose, something similar could be done via healthchecks, but
          # this is more flexible.
          while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
            act_runner register \
              --instance "${cfg.instanceUrl}" \
              --token    "$GITEA_RUNNER_REGISTRATION_TOKEN" \
              --name     "${config.networking.hostName}" \
              --no-interactive > $LOGFILE 2>&1
            cat $LOGFILE
            cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
            if [[ $? -eq 0 ]]; then
              echo "SUCCESS"
              success=1
            else
              echo "Waiting to retry ..."
              sleep 5
            fi
          done
        fi
        exec act_runner daemon
      '';
    };
  };
 }
--- a/common/server/gitea.nix
+++ b/common/server/gitea.nix
@@ -39,6 +39,9 @@ in
          USER = "robot@runyan.org";
          FROM = "no-reply@neet.dev";
        };
        actions = {
          ENABLED = true;
        };
      };
      mailerPasswordFile = "/run/agenix/robots-email-pw";
    };
--- a/common/server/mailserver.nix
+++ b/common/server/mailserver.nix
@@ -33,7 +33,7 @@ in
      inherit domains;
      loginAccounts = {
        "jeremy@runyan.org" = {
-          hashedPasswordFile = "/run/agenix/email-pw";
+          hashedPasswordFile = "/run/agenix/hashed-email-pw";
          # catchall for all domains
          aliases = map (domain: "@${domain}") domains;
        };
@@ -54,7 +54,7 @@ in
      ];
      certificateScheme = 3; # use let's encrypt for certs
    };
-    age.secrets.email-pw.file = ../../secrets/email-pw.age;
+    age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
    age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
    # sendmail to use xxx@domain instead of xxx@mail.domain
--- a/common/ssh.nix
+++ b/common/ssh.nix
@@ -1,44 +1,38 @@
-rec {
+{ config, lib, pkgs, ... }:
-  users = [
+
 {
  programs.ssh.knownHosts = lib.filterAttrs (n: v: v != null) (lib.concatMapAttrs
    (host: cfg: {
      ${host} = {
        hostNames = cfg.hostNames;
        publicKey = cfg.hostKey;
      };
      "${host}-remote-unlock" =
        if cfg.remoteUnlock != null then {
          hostNames = builtins.filter (h: h != null) [ cfg.remoteUnlock.clearnetHost cfg.remoteUnlock.onionHost ];
          publicKey = cfg.remoteUnlock.hostKey;
        } else null;
    })
    config.machines.hosts);
  # prebuilt cmds for easy ssh LUKS unlock
  environment.shellAliases =
    let
      unlockHosts = unlockType: lib.concatMapAttrs
        (host: cfg:
          if cfg.remoteUnlock != null && cfg.remoteUnlock.${unlockType} != null then {
            ${host} = cfg.remoteUnlock.${unlockType};
          } else { })
        config.machines.hosts;
    in
    lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) (unlockHosts "onionHost")
    //
    lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) (unlockHosts "clearnetHost");
  # TODO: Old ssh keys I will remove some day...
  machines.ssh.userKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray
  ];
  system = {
    ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
    ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
    ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
    phil = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlOs6mTZCSJL/XM6NysHN0ZNQAyj2GEwBV2Ze6NxRmr";
    phil-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqy9X/m67oXJBX+OMdIqpiLONYc5aQ2nHeEPAaj/vgN";
    router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
    router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
    s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
    s0-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
  };
  higherTrustUserKeys = [
    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEaGIwLiUa6wQLlEF+keQOIYy/tCmJvV6eENzUQjSqW2AAAABHNzaDo=" # ray fido
  ];
  # groups
  systems = with system; [
    ponyo
    phil
    ray
    router
    s0
  ];
  personal = with system; [
    ray
  ];
  servers = with system; [
    ponyo
    phil
    router
    s0
  ];
  storage = with system; [
    s0
  ];
 }
--- a/flake.lock
+++ b/flake.lock
@@ -8,11 +8,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1675176355,
+        "lastModified": 1682101079,
-        "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
+        "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
+        "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
        "type": "github"
      },
      "original": {
@@ -117,11 +117,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1674127017,
+        "lastModified": 1682063650,
-        "narHash": "sha256-QO1xF7stu5ZMDLbHN30LFolMAwY6TVlzYvQoUs1RD68=",
+        "narHash": "sha256-VaDHh2z6xlnTHaONlNVHP7qEMcK5rZ8Js3sT6mKb2XY=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "8c9ea9605eed20528bf60fae35a2b613b901fd77",
+        "rev": "c2ea4e642dc50fd44b537e9860ec95867af30d39",
        "type": "github"
      },
      "original": {
@@ -147,12 +147,15 @@
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1667395993,
+        "lastModified": 1681202837,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
        "type": "github"
      },
      "original": {
@@ -168,11 +171,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1677382901,
+        "lastModified": 1681591833,
-        "narHash": "sha256-2idFWlTVG+qUZkU2/W50amGSIxmN56igIkMAXKbv4S4=",
+        "narHash": "sha256-lW+xOELafAs29yw56FG4MzNOFkh8VHC/X/tRs1wsGn8=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "4306fa7c12e098360439faac1a2e6b8e509ec97c",
+        "rev": "68ec961c51f48768f72d2bbdb396ce65a316677e",
        "type": "github"
      },
      "original": {
@@ -183,11 +186,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1677823547,
+        "lastModified": 1682133240,
-        "narHash": "sha256-xD2qco8Pw8HAXgjf9OSi2H2N20WaTrtvgcl21525kVE=",
+        "narHash": "sha256-s6yRsI/7V+k/+rckp0+/2cs/UXnea3SEfMpy95QiGcc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "78c4d33c16092e535bc4ba1284ba49e3e138483a",
+        "rev": "8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8",
        "type": "github"
      },
      "original": {
@@ -304,6 +307,21 @@
        "type": "gitlab"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1605370193,
--- a/flake.nix
+++ b/flake.nix
@@ -44,11 +44,18 @@
    nixpkgs-hostapd-pr.flake = false;
  };
-  outputs = { self, nixpkgs, ... }@inputs: {
+  outputs = { self, nixpkgs, ... }@inputs:
-
+    let
      machines = (import ./common/machine-info/moduleless.nix
        {
          inherit nixpkgs;
          assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
        }).machines.hosts;
    in
    {
      nixosConfigurations =
        let
-        modules = system: with inputs; [
+          modules = system: hostname: with inputs; [
            ./common
            simple-nixos-mailserver.nixosModule
            agenix.nixosModules.default
@@ -56,19 +63,23 @@
            archivebox.nixosModule
            nix-index-database.nixosModules.nix-index
            ({ lib, ... }: {
-            config.environment.systemPackages = [
+              config = {
                environment.systemPackages = [
                  agenix.packages.${system}.agenix
                ];
                networking.hostName = hostname;
              };
              # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
              options.inputs = lib.mkOption { default = inputs; };
              options.currentSystem = lib.mkOption { default = system; };
            })
          ];
-        mkSystem = system: nixpkgs: path:
+          mkSystem = system: nixpkgs: path: hostname:
            let
-            allModules = modules system;
+              allModules = modules system hostname;
              # allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
              patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
@@ -76,6 +87,7 @@
                src = nixpkgs;
                patches = [
                  inputs.nixpkgs-hostapd-pr
                  ./patches/kexec-luks.patch
                ];
              };
              patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
@@ -90,14 +102,10 @@
              };
            };
        in
-      {
+        nixpkgs.lib.mapAttrs
-        "ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
+          (hostname: cfg:
-        # "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
+            mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
-        "ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
+          machines;
        "phil" = mkSystem "aarch64-linux" nixpkgs ./machines/phil/configuration.nix;
        "router" = mkSystem "x86_64-linux" nixpkgs ./machines/router/configuration.nix;
        "s0" = mkSystem "x86_64-linux" nixpkgs ./machines/storage/s0/configuration.nix;
      };
      packages =
        let
@@ -121,19 +129,17 @@
      deploy.nodes =
        let
-        mkDeploy = configName: hostname: {
+          mkDeploy = configName: arch: hostname: {
            inherit hostname;
            magicRollback = false;
            sshUser = "root";
-          profiles.system.path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configName};
+            profiles.system.path = inputs.deploy-rs.lib.${arch}.activate.nixos self.nixosConfigurations.${configName};
          };
        in
-      {
+        nixpkgs.lib.mapAttrs
-        s0 = mkDeploy "s0" "s0";
+          (hostname: cfg:
-        router = mkDeploy "router" "router";
+            mkDeploy hostname cfg.arch (builtins.head cfg.hostNames))
-        ponyo = mkDeploy "ponyo" "ponyo.neet.dev";
+          machines;
      };
      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
    };
--- a/machines/ephemeral/minimal.nix
+++ b/machines/ephemeral/minimal.nix
@@ -1,8 +1,10 @@
-{ pkgs, modulesPath, ... }:
+{ config, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/channel.nix")
    ../../common/machine-info
    ../../common/ssh.nix
  ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
@@ -16,6 +18,8 @@
  boot.kernelPackages = pkgs.linuxPackages_latest;
  system.stateVersion = "21.11";
  # hardware.enableAllFirmware = true;
  # nixpkgs.config.allowUnfree = true;
@@ -38,10 +42,12 @@
  services.openssh = {
    enable = true;
-    challengeResponseAuthentication = false;
+    settings = {
-    passwordAuthentication = false;
+      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
    };
  };
  services.getty.autologinUser = "root";
-  users.users.root.openssh.authorizedKeys.keys = (import ../../common/ssh.nix).users;
+  users.users.root.openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
 }
--- a/machines/phil/configuration.nix
+++ b/machines/phil/configuration.nix
@@ -1,9 +0,0 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
  ];
  networking.hostName = "phil";
 }
--- a/machines/phil/default.nix
+++ b/machines/phil/default.nix
@@ -0,0 +1,14 @@
 { config, pkgs, lib, ... }:
 {
  imports = [
    ./hardware-configuration.nix
  ];
  services.gitea-runner = {
    enable = true;
    instanceUrl = "https://git.neet.dev";
  };
  system.autoUpgrade.enable = true;
 }
--- a/machines/phil/hardware-configuration.nix
+++ b/machines/phil/hardware-configuration.nix
@@ -9,6 +9,7 @@
      (modulesPath + "/profiles/qemu-guest.nix")
    ];
  # because grub just doesn't work for some reason
  boot.loader.systemd-boot.enable = true;
  remoteLuksUnlock.enable = true;
@@ -19,25 +20,22 @@
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
-  boot.initrd.luks.devices."enc-pv" = {
+  luks.devices = [ "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194" ];
    device = "/dev/disk/by-uuid/9f1727c7-1e95-47b9-9807-8f38531eed47";
    allowDiscards = true;
  };
  fileSystems."/" =
    {
-      device = "/dev/mapper/vg-root";
+      device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9";
      fsType = "btrfs";
    };
  fileSystems."/boot" =
    {
-      device = "/dev/disk/by-uuid/EC6B-53AA";
+      device = "/dev/disk/by-uuid/F185-C4E5";
      fsType = "vfat";
    };
  swapDevices =
-    [{ device = "/dev/disk/by-uuid/b916094f-cf2a-4be7-b8f1-674ba6473061"; }];
+    [{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }];
  networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
--- a/machines/phil/properties.nix
+++ b/machines/phil/properties.nix
@@ -0,0 +1,20 @@
 {
  hostNames = [
    "phil"
    "phil.neet.dev"
  ];
  arch = "aarch64-linux";
  systemRoles = [
    "server"
    "gitea-runner"
  ];
  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";
  remoteUnlock = {
    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd";
    clearnetHost = "unlock.phil.neet.dev";
  };
 }
--- a/machines/ponyo/configuration.nix
+++ b/machines/ponyo/configuration.nix
@@ -5,9 +5,10 @@
    ./hardware-configuration.nix
  ];
  networking.hostName = "ponyo";
  system.autoUpgrade.enable = true;
  # I want to manually trigger kexec updates for now on ponyo
  system.autoUpgrade.allowKexec = false;
  luks.enableKexec = true;
  # p2p mesh network
  services.tailscale.exitNode = true;
--- a/machines/ponyo/hardware-configuration.nix
+++ b/machines/ponyo/hardware-configuration.nix
@@ -19,12 +19,15 @@
  };
  remoteLuksUnlock.enable = true;
-  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
+
-  boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/e52b01b3-81c8-4bb2-ae7e-a3d9c793cb00"; # expanded disk
+  luks.devices = [
    "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2"
    "/dev/disk/by-uuid/e52b01b3-81c8-4bb2-ae7e-a3d9c793cb00"
  ];
  fileSystems."/" =
    {
-      device = "/dev/mapper/enc-pv";
+      device = "/dev/mapper/enc-pv1";
      fsType = "btrfs";
    };
--- a/machines/ponyo/properties.nix
+++ b/machines/ponyo/properties.nix
@@ -0,0 +1,28 @@
 {
  hostNames = [
    "ponyo"
    "ponyo.neet.dev"
    "git.neet.dev"
  ];
  arch = "x86_64-linux";
  systemRoles = [
    "server"
    "email-server"
    "iodine"
    "pia"
    "nextcloud"
    "dailybot"
    "gitea"
  ];
  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
  remoteUnlock = {
    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
    clearnetHost = "unlock.ponyo.neet.dev";
    onionHost = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
  };
 }
--- a/machines/ray/configuration.nix
+++ b/machines/ray/configuration.nix
@@ -5,8 +5,6 @@
    ./hardware-configuration.nix
  ];
  networking.hostName = "ray";
  # for luks onlock over tor
  services.tor.enable = true;
  services.tor.client.enable = true;
--- a/machines/ray/hardware-configuration.nix
+++ b/machines/ray/hardware-configuration.nix
@@ -36,10 +36,7 @@
  # disks
  remoteLuksUnlock.enable = true;
-  boot.initrd.luks.devices."enc-pv" = {
+  luks.devices = [ "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce" ];
    device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
    allowDiscards = true;
  };
  fileSystems."/" =
    {
      device = "/dev/vg/root";
@@ -59,7 +56,4 @@
    };
  swapDevices =
    [{ device = "/dev/vg/swap"; }];
  # high-resolution display
  hardware.video.hidpi.enable = lib.mkDefault true;
 }
--- a/machines/ray/properties.nix
+++ b/machines/ray/properties.nix
@@ -0,0 +1,22 @@
 {
  hostNames = [
    "ray"
  ];
  arch = "x86_64-linux";
  systemRoles = [
    "personal"
    "deploy"
  ];
  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
  userKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP"
  ];
  deployKeys = [
    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEaGIwLiUa6wQLlEF+keQOIYy/tCmJvV6eENzUQjSqW2AAAABHNzaDo="
  ];
 }
--- a/machines/router/configuration.nix
+++ b/machines/router/configuration.nix
@@ -11,8 +11,6 @@
  # https://github.com/skogsbrus/os/blob/master/sys/router.nix
  # http://trac.gateworks.com/wiki/wireless/wifi 
  networking.hostName = "router";
  system.autoUpgrade.enable = true;
  services.tailscale.exitNode = true;
--- a/machines/router/hardware-configuration.nix
+++ b/machines/router/hardware-configuration.nix
@@ -32,7 +32,7 @@
  # disks
  remoteLuksUnlock.enable = true;
-  boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
+  luks.devices = [ "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c" ];
  fileSystems."/" =
    {
      device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";
--- a/machines/router/properties.nix
+++ b/machines/router/properties.nix
@@ -0,0 +1,21 @@
 {
  hostNames = [
    "router"
    "192.168.1.228"
  ];
  arch = "x86_64-linux";
  systemRoles = [
    "server"
    "wireless"
    "router"
  ];
  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
  remoteUnlock = {
    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
    onionHost = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
  };
 }
--- a/machines/storage/s0/configuration.nix
+++ b/machines/storage/s0/configuration.nix
@@ -5,8 +5,6 @@
    ./hardware-configuration.nix
  ];
  networking.hostName = "s0";
  system.autoUpgrade.enable = true;
  services.iperf3.enable = true;
--- a/machines/storage/s0/hardware-configuration.nix
+++ b/machines/storage/s0/hardware-configuration.nix
@@ -7,7 +7,7 @@
    ];
  # boot
-  efi.enable = true;
+  boot.loader.systemd-boot.enable = true;
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
@@ -25,10 +25,12 @@
  # luks
  remoteLuksUnlock.enable = true;
-  boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86";
+  luks.devices = [
-  boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3";
+    "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86"
-  boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
+    "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3"
-  boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
+    "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38"
    "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc"
  ];
  # mounts
  fileSystems."/" =
--- a/machines/storage/s0/properties.nix
+++ b/machines/storage/s0/properties.nix
@@ -0,0 +1,20 @@
 {
  hostNames = [
    "s0"
  ];
  arch = "x86_64-linux";
  systemRoles = [
    "storage"
    "server"
    "pia"
  ];
  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
  remoteUnlock = {
    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
    onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
  };
 }
--- a/new_machine.txt
+++ b/new_machine.txt
@@ -1,27 +1,34 @@
 # New Machine Setup
 ### Prepare Shell If Needed
 ```sh
 nix-shell -p nixFlakes git
 ```
 ### Disk Setup
 ```sh
 cfdisk
 mkfs.ext3 boot
 cryptsetup luksFormat /dev/vda2
 cryptsetup luksOpen /dev/vda2 enc-pv
 pvcreate /dev/mapper/enc-pv
 vgcreate vg /dev/mapper/enc-pv
 lvcreate -L 4G -n swap vg
 lvcreate -l '100%FREE' -n root vg
 mkswap -L swap /dev/vg/swap
 swapon /dev/vg/swap
 mkfs.btrfs /dev/vg/root
 mount /dev/vg/root /mnt
-cd /mnt
+mkfs.ext3 boot
 btrfs subvolume create root
 btrfs subvolume create home
 cd
 mount -o subvol=root /dev/vg/root /mnt
 mkdir /mnt/home
 mount -o subvol=home /dev/vg/root /mnt/home
 mkdir /mnt/boot
 mount /dev/vda1 /mnt/boot
-mkdir /mnt/secret
+```
-/tmp/tor.rc
+### Generate Secrets
 ```sh
 mkdir /mnt/secret
 ```
 In `/tmp/tor.rc`
 ```
 DataDirectory /tmp/my-dummy.tor/
 SOCKSPort 127.0.0.1:10050 IsolateDestAddr
@@ -30,8 +37,23 @@ HiddenServiceDir /mnt/secret/onion
 HiddenServicePort 1234 127.0.0.1:1234
 ```
 ```sh
 nix-shell -p tor --run "tor -f /tmp/tor.rc"
 ssh-keygen -q -N "" -t rsa -b 4096 -f /mnt/secret/ssh_host_rsa_key
 ssh-keygen -q -N "" -t ed25519 -f /mnt/secret/ssh_host_ed25519_key
-nixos-generate-config --root /mnt # copy hardware config
+```
 ### Generate Hardware Config
 ```sh
 nixos-generate-config --root /mnt
 ```
 ### Install
 ```sh
 nixos-install --flake "git+https://git.neet.dev/zuckerberg/nix-config.git#MACHINE_NAME"
 ```
 ### Post Install Tasks
 - Add to DNS
 - Add ssh host keys (unlock key + host key)
 - Add to tailnet
--- a/patches/kexec-luks.patch
+++ b/patches/kexec-luks.patch
@@ -0,0 +1,264 @@
 diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
 index b8f36538e70..cc320a04c70 100644
 --- a/nixos/modules/system/boot/luksroot.nix
 +++ b/nixos/modules/system/boot/luksroot.nix
@@ -146,6 +146,7 @@ let
     csopen = "cryptsetup luksOpen ${dev.device} ${dev.name}"
            + optionalString dev.allowDiscards " --allow-discards"
            + optionalString dev.bypassWorkqueues " --perf-no_read_workqueue --perf-no_write_workqueue"
 +           + optionalString dev.disableKeyring " --disable-keyring"
            + optionalString (dev.header != null) " --header=${dev.header}";
     cschange = "cryptsetup luksChangeKey ${dev.device} ${optionalString (dev.header != null) "--header=${dev.header}"}";
     fido2luksCredentials = dev.fido2.credentials ++ optional (dev.fido2.credential != null) dev.fido2.credential;
@@ -243,6 +244,26 @@ let
                do_open_passphrase
             fi
         fi
 +        '' else if (dev.masterKeyFile != null) then ''
 +        if wait_target "key file" ${dev.masterKeyFile}; then
 +            ${csopen} --master-key-file=${dev.masterKeyFile}
 +            cs_status=$?
 +            if [ $cs_status -ne 0 ]; then
 +              echo "Key File ${dev.masterKeyFile} failed!"
 +              if ! try_empty_passphrase; then
 +                ${if dev.fallbackToPassword then "echo" else "die"} "${dev.masterKeyFile} is unavailable"
 +                echo " - failing back to interactive password prompt"
 +                do_open_passphrase
 +              fi
 +            fi
 +        else
 +            # If the key file never shows up we should also try the empty passphrase
 +            if ! try_empty_passphrase; then
 +               ${if dev.fallbackToPassword then "echo" else "die"} "${dev.masterKeyFile} is unavailable"
 +               echo " - failing back to interactive password prompt"
 +               do_open_passphrase
 +            fi
 +        fi
         '' else ''
            if ! try_empty_passphrase; then
               do_open_passphrase
@@ -625,6 +646,15 @@ in
             '';
           };
 +          masterKeyFile = mkOption {
 +            default = null;
 +            type = types.nullOr types.str;
 +            description = lib.mdDoc ''
 +              The name of the file (can be a raw device or a partition) that
 +              should be used as the master decryption key for the encrypted device.
 +            '';
 +          };
 +
           tryEmptyPassphrase = mkOption {
             default = false;
             type = types.bool;
@@ -700,6 +730,15 @@ in
             '';
           };
 +          disableKeyring = mkOption {
 +            default = false;
 +            type = types.bool;
 +            description = lib.mdDoc ''
 +              Disables using the kernel keyring for LUKS2 disks.
 +              This is already the default behavior for LUKS1
 +            '';
 +          };
 +
           fallbackToPassword = mkOption {
             default = false;
             type = types.bool;
 diff --git a/nixos/modules/tasks/auto-upgrade.nix b/nixos/modules/tasks/auto-upgrade.nix
 index 29e3e313336..050bf09c208 100644
 --- a/nixos/modules/tasks/auto-upgrade.nix
 +++ b/nixos/modules/tasks/auto-upgrade.nix
@@ -4,7 +4,8 @@ with lib;
 let cfg = config.system.autoUpgrade;
 -in {
 +in
 +{
   options = {
@@ -22,7 +23,7 @@ in {
       };
       operation = mkOption {
 -        type = types.enum ["switch" "boot"];
 +        type = types.enum [ "switch" "boot" ];
         default = "switch";
         example = "boot";
         description = lib.mdDoc ''
@@ -86,14 +87,14 @@ in {
         '';
       };
 -      allowReboot = mkOption {
 +      allowKexec = mkOption {
         default = false;
         type = types.bool;
         description = lib.mdDoc ''
 -          Reboot the system into the new generation instead of a switch
 +          kexec the system into the new generation instead of a switch
           if the new generation uses a different kernel, kernel modules
           or initrd than the booted system.
 -          See {option}`rebootWindow` for configuring the times at which a reboot is allowed.
 +          See {option}`kexecWindow` for configuring the times at which a kexec is allowed.
         '';
       };
@@ -109,25 +110,25 @@ in {
         '';
       };
 -      rebootWindow = mkOption {
 +      kexecWindow = mkOption {
         description = lib.mdDoc ''
           Define a lower and upper time value (in HH:MM format) which
 -          constitute a time window during which reboots are allowed after an upgrade.
 -          This option only has an effect when {option}`allowReboot` is enabled.
 -          The default value of `null` means that reboots are allowed at any time.
 +          constitute a time window during which kexecs are allowed after an upgrade.
 +          This option only has an effect when {option}`allowKexec` is enabled.
 +          The default value of `null` means that kexecs are allowed at any time.
         '';
         default = null;
         example = { lower = "01:00"; upper = "05:00"; };
         type = with types; nullOr (submodule {
           options = {
             lower = mkOption {
 -              description = lib.mdDoc "Lower limit of the reboot window";
 +              description = lib.mdDoc "Lower limit of the kexec window";
               type = types.strMatching "[[:digit:]]{2}:[[:digit:]]{2}";
               example = "01:00";
             };
             upper = mkOption {
 -              description = lib.mdDoc "Upper limit of the reboot window";
 +              description = lib.mdDoc "Upper limit of the kexec window";
               type = types.strMatching "[[:digit:]]{2}:[[:digit:]]{2}";
               example = "05:00";
             };
@@ -165,12 +166,12 @@ in {
     }];
     system.autoUpgrade.flags = (if cfg.flake == null then
 -        [ "--no-build-output" ] ++ optionals (cfg.channel != null) [
 -          "-I"
 -          "nixpkgs=${cfg.channel}/nixexprs.tar.xz"
 -        ]
 -      else
 -        [ "--flake ${cfg.flake}" ]);
 +      [ "--no-build-output" ] ++ optionals (cfg.channel != null) [
 +        "-I"
 +        "nixpkgs=${cfg.channel}/nixexprs.tar.xz"
 +      ]
 +    else
 +      [ "--flake ${cfg.flake}" ]);
     systemd.services.nixos-upgrade = {
       description = "NixOS Upgrade";
@@ -195,54 +196,56 @@ in {
         config.programs.ssh.package
       ];
 -      script = let
 -        nixos-rebuild = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
 -        date     = "${pkgs.coreutils}/bin/date";
 -        readlink = "${pkgs.coreutils}/bin/readlink";
 -        shutdown = "${config.systemd.package}/bin/shutdown";
 -        upgradeFlag = optional (cfg.channel == null) "--upgrade";
 -      in if cfg.allowReboot then ''
 -        ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)}
 -        booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
 -        built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
 -
 -        ${optionalString (cfg.rebootWindow != null) ''
 -          current_time="$(${date} +%H:%M)"
 -
 -          lower="${cfg.rebootWindow.lower}"
 -          upper="${cfg.rebootWindow.upper}"
 -
 -          if [[ "''${lower}" < "''${upper}" ]]; then
 -            if [[ "''${current_time}" > "''${lower}" ]] && \
 -               [[ "''${current_time}" < "''${upper}" ]]; then
 -              do_reboot="true"
 +      script =
 +        let
 +          nixos-rebuild = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
 +          date = "${pkgs.coreutils}/bin/date";
 +          readlink = "${pkgs.coreutils}/bin/readlink";
 +          systemctl_kexec = "${config.systemd.package}/bin/systemctl kexec";
 +          upgradeFlag = optional (cfg.channel == null) "--upgrade";
 +        in
 +        if cfg.allowKexec then ''
 +          ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)}
 +          booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
 +          built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
 +
 +          ${optionalString (cfg.kexecWindow != null) ''
 +            current_time="$(${date} +%H:%M)"
 +
 +            lower="${cfg.kexecWindow.lower}"
 +            upper="${cfg.kexecWindow.upper}"
 +
 +            if [[ "''${lower}" < "''${upper}" ]]; then
 +              if [[ "''${current_time}" > "''${lower}" ]] && \
 +                 [[ "''${current_time}" < "''${upper}" ]]; then
 +                do_kexec="true"
 +              else
 +                do_kexec="false"
 +              fi
             else
 -              do_reboot="false"
 +              # lower > upper, so we are crossing midnight (e.g. lower=23h, upper=6h)
 +              # we want to reboot if cur > 23h or cur < 6h
 +              if [[ "''${current_time}" < "''${upper}" ]] || \
 +                 [[ "''${current_time}" > "''${lower}" ]]; then
 +                do_kexec="true"
 +              else
 +                do_kexec="false"
 +              fi
             fi
 +          ''}
 +
 +          if [ "''${booted}" = "''${built}" ]; then
 +            ${nixos-rebuild} ${cfg.operation} ${toString cfg.flags}
 +          ${optionalString (cfg.kexecWindow != null) ''
 +            elif [ "''${do_kexec}" != true ]; then
 +              echo "Outside of configured kexec window, skipping."
 +          ''}
           else
 -            # lower > upper, so we are crossing midnight (e.g. lower=23h, upper=6h)
 -            # we want to reboot if cur > 23h or cur < 6h
 -            if [[ "''${current_time}" < "''${upper}" ]] || \
 -               [[ "''${current_time}" > "''${lower}" ]]; then
 -              do_reboot="true"
 -            else
 -              do_reboot="false"
 -            fi
 +            ${systemctl_kexec}
           fi
 -        ''}
 -
 -        if [ "''${booted}" = "''${built}" ]; then
 -          ${nixos-rebuild} ${cfg.operation} ${toString cfg.flags}
 -        ${optionalString (cfg.rebootWindow != null) ''
 -          elif [ "''${do_reboot}" != true ]; then
 -            echo "Outside of configured reboot window, skipping."
 -        ''}
 -        else
 -          ${shutdown} -r +1
 -        fi
 -      '' else ''
 -        ${nixos-rebuild} ${cfg.operation} ${toString (cfg.flags ++ upgradeFlag)}
 -      '';
 +        '' else ''
 +          ${nixos-rebuild} ${cfg.operation} ${toString (cfg.flags ++ upgradeFlag)}
 +        '';
       startAt = cfg.dates;
--- a/secrets/backblaze-s3-backups.age
+++ b/secrets/backblaze-s3-backups.age
--- a/secrets/email-pw.age
+++ b/secrets/email-pw.age
@@ -1,23 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 xoAm7w uMSr0mNTntr9oRqEtrJ+LJKBxI+s+cTbXYAag6kb/hM
 JIylg1Xg08Ar/AuaE5e9O3qgsNAGG48Mw/Zvs8fdGdQ
 -> ssh-ed25519 mbw8xA ngrNg4m5aiqUyudZ4Y4Y37ApFDXxq2UBOrbEajIdBAg
 1Z9hKOwNYe+o64b98WTXR30s8tv5geRCRIKe6Y6F35Y
 -> ssh-ed25519 2a2Yhw U89mACfmGm2hOOHZfvVfxkWX2G54D5aw1shiyqC6T04
 2TVJ4/do2jbEJZHegTDO8Q/CiLNNT0f3GpSpEWoIHnM
 -> ssh-ed25519 dMQYog BjQXtlw+fWSg2mzdbvpZdgU/UpQnByvj8QY2vf3f/Qg
 S/OFhJGyj3YhmPNiOcmAAAnxkzMwt7PnVvUxSxNWYp0
 -> ssh-ed25519 6AT2/g sgzaa1V1+i3ADN/Lgn8LSCL1Mp7tCmNbG6HTo25qzVs
 q7Xfxu40RzjQORhZbGfq7U9FolNtWo3eDswxVUJ9uRw
 -> ssh-ed25519 fwBF+g s3FQ1pwQYfGyQcQAtlpXFNA61BsJrEV+cDnBGot20ic
 M74z4r8nz6JvaougCsnyRVyNvLWBtwqhwGC6Oqe1YzI
 -> ssh-ed25519 yHDAQw XXxh2eQf9tCEQyZKAppYu9M/EAYbsriGR/xK/ca1hE4
 GoNmSmuzuaD6DrhFD4vv+N/K6ySorZQXHqkEy59fFa4
 -> ssh-ed25519 VyYH/Q X83OJlxNPRG+kRylIceDDE3hzs5BjbLRYTa4A9t76UE
 fdZcV7RRzKxeWQrniKT53UlunCWAuWIP4CAxeIHHbX4
 -> ssh-ed25519 hPp1nw eIE4zQqBKr8SIW9Uqxn/HqA/wc4GIrck44k2iYbwSic
 wjemabf9WrL7dU0H5T32xKCW9FYogTuA7cTCZlVW9yU
 -> r|n4m-grease AXlh $ozYI bvs$"
 AKr3E49skiQ2WLy320wi3qlafLyGnLTjCvLHz2eK3A
 --- qtFNqGCcR6VAQnbPg7n52u1aJYJUDo9lV6Qnz/Y1bq4
 ’¿Ëì¶+\Ù×m´®UYBa…³2·$´š7ÅQ¿xƒåôˆ+<1E>ÁUyiMoËæ,Vº	1‘W<E28098>ò´R(å<>´e5qq8ª¦ ²A^“¼}C7œïDÂ$3˜÷
--- a/secrets/gitea-runner-registration-token.age
+++ b/secrets/gitea-runner-registration-token.age
--- a/secrets/hashed-email-pw.age
+++ b/secrets/hashed-email-pw.age
@@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 6AT2/g 93Az2iuqeWL6H/S3XDPXFoEPcrY/n/z9mlSNb5wABkU
 LpMPjpDtBrY2aHpqHwT5AY7vtsYHNcOjpz+LFY4TGCg
 -> ssh-ed25519 dMQYog 4qT0aF1IHsTtN1avMPWYG5Az2xmEZhVUhqcwyNFdfU4
 +wD0hE035JqYdDgJmkvNXwJyMzXrquA+RsD8QdK3xP8
 -> !vfM7-grease
 7nQGFFUWY9UIjfrb+/VfaG0zJ21zmDnDh5khs/0tioJevrrrlhub9Bz8iM/Jsfxy
 KUhwV8O8tL/5+30RFSlFRaAB6xPCGg24Yq6E
 --- jVsDtz2xpvK/XCHcdN5JVZx5zSxyEAM6D/xJIgN4YfY
 Ñì°ßév.rK,Æ$ 
--- a/secrets/hashed-robots-email-pw.age
+++ b/secrets/hashed-robots-email-pw.age
--- a/secrets/hostapd-pw-CXNK00BF9176.age
+++ b/secrets/hostapd-pw-CXNK00BF9176.age
@@ -1,16 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 VyYH/Q 3383IYDpr6jhePY89sI7RO5KY6i5Wr/Miy4Tx1IeZEI
+-> ssh-ed25519 VyYH/Q X+fXLJz227KkBLu45rb9mUkkIpENSMtZeEJjl6qj5Xw
-Z4nN390wcZiDQCEJvTBD+v5LetZpjdcVhF8uYIUSkNA
+AFAFnvsiogoMMwsAJO0DDoaizL9lmCLsF4QHDjmubr0
-> ssh-ed25519 xoAm7w vO5L5G+aDSXJvD5MLKHtdfo3Ypd//vl7uO644j0S+ig
+-> ssh-ed25519 dMQYog P84+7TBcMFSALTn6FR/aXyqFE9DfOzp38ImkdWj7nE0
-LRIiQOSb4M9FItfqci10ELYgzkCXhOBaWv8iz2He6zA
+PqOn1OL9Zt0x1pBIYOSKkkS//mbk1OX5pnDGp+OLYeI
-> ssh-ed25519 mbw8xA RxxUEOVUfKZyUM7KkUjMm9Z+Ts/et15dMxJm4XVKbzg
+-> @?-grease
-hKS82nZ2v88jqxGW1xprsPk67Czn+PLTxIuOrlgXkpw
+3JvpmcTxdTgvv6vPL8dXEwjR+g
-> ssh-ed25519 2a2Yhw FRSIexkNO39x9h4wLVKscOmBIE5I/rOlNGfX+MdUfGo
+--- aMYF1SbC+p01YWmg24+Ih78VPQcwzGU/P1cEfgRvXV8
-1OcV1pJ+/M3wtPnRMDxgcpnsyeFYBqBe5Gbj55dJiCY
+Ÿ	@$™sžQÂ¼z<15><>®xkÊNfÛuÕ;§¿ ÎvI0•ªÇÎ^4.?, 8…çî
 -> ssh-ed25519 dMQYog lqtpfP3zAArnAF2M9MtUBhFymnG2S15X88YcW949PTI
 2po8qHUuVbMIzrZ+q746cb9BQ06emGowJJcIGHdHeH8
 -> aH,?XIq9-grease ]Y I]hNq dZyR2f@@ Xl"1A`
 U/BZHrNalVSmBUEekZbQ1w95VrFtkskMOuI5lm9thRe2bvTe7Rue382uf0fcfvSE
 Jq7+f/b257KiFaUg8Is1WNNMY55Rw0wrnv9yIBMESxCWmgo
 --- rUwKbA9SH9XIRdEXLhDIRj+mEu7BV4w7EwkAd4wZPGI
 ř@±ľ·¦ţµÉćS*ÚŘŔi(˙jW˛(WĆŇ-–€ď”ŤyFůů™ Î<7F><C38E>9 
--- a/secrets/hostapd-pw-experimental-tower.age
+++ b/secrets/hostapd-pw-experimental-tower.age
--- a/secrets/iodine.age
+++ b/secrets/iodine.age
@@ -1,23 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w CP4pzePo50HW4IbP92NiCEhe4fz6q69c04nZzY97uls
+-> ssh-ed25519 6AT2/g yTW46JmDIftcOqogIDjheXJf2sw/dG2WEJxfCXU/LDk
-q0ZLpztMhRToqsr0yWpXJG2+7ExjDW2xQuW840gFG74
+0Co5/Rn22kmdcPr61ZOrmZJbPFHx2wJ8/YkbDjcjqKo
-> ssh-ed25519 mbw8xA L39AxT7TEaPo94c3SPwqsLk6fgvasrU+RPKQgXZXXnY
+-> ssh-ed25519 dMQYog RtZT0PwVL4kxUHilOhH2GBp8Z9WfyBkaxB62pjKpHA4
-6AvJRJ4dtkgCWd+f2y1hJ0nfNz2u8mydmZ9Ymq7ZLZw
+muMlIt8VYQftMYacfdnQFeejfWpKTEG5gxbFNy97GTc
-> ssh-ed25519 2a2Yhw tJFWqpzbukVDKXmaQvUA6dbdUzguxphaDiZq0+2jFDs
+-> 4|)`7yq-grease P#\5k8 +f
-DHT27/cLh2cBcQHOXuV9CyYV6+OEUIuJ5nBB0RYslXg
+jMegn6ATsj2Ai9B5Xmy+tay1nppwxvF1IGJH+hLNanYMsTIDZypM6UsNdzYQ/3mw
-> ssh-ed25519 dMQYog Fba2ll/kUWO+4KnFP/H7UUikcxU+KpBYvJ1YYbsrom8
+VZ9ooy8TKUgAJ7jsd6IrKw
-sew8S9ajmoB4uJkxRkLVJPvayYh0bz3IxK2gE8znfl0
+--- tLaPQWJA0Hh5MrxfhaySURgY02K16IlzvsxKpOWGva0
-> ssh-ed25519 6AT2/g xsTbT+roSioaX4C7i2/PtmC3sXeIv41y62X+vBhmJ2A
+5?lﾇ'ｼ!ｹｺ<EFBDB9><EFBDBA>ﾜｷ匪Nxｽ+<2B>A9ﾟﾑﾘl/ｸﾞ諟ﾎ|旙<>Sｵ&ｺｻ､繃<>Q;_<>K
 Ju57nxnIXuZTflJ8Aknc61vhiKPOiT34pDaeoGJsYgo
 -> ssh-ed25519 fwBF+g V0DzCK8NAs2hSeILNos3Wafh2OfkzphGc/+UHxtqFBk
 dbExOeSn87sZD5dapKB0qoZjVK36SE0A3ww1S08qeio
 -> ssh-ed25519 yHDAQw O3FaVzF4vvoRoUoF05Mr0yTIcDbJ2gdAVsIHKz4tFCk
 l1rYVVZyNlRfYXPri2jOwS9IUwIEI02lRSw8L4jjjeE
 -> ssh-ed25519 VyYH/Q CHERKccp9OVM0zMn4EomXJkW2D65wvPOz9V5dshBGD8
 dyxEW+Yzrq+gn2dQEbdNejX6RKTCz0ENe1bWLBb/wEk
 -> ssh-ed25519 hPp1nw wND54MJv1efUe5HkN4qRlnuX0+BQPYn69YYxPQExBF0
 zZB7mIDsgKmpTz2HtU8+p2UeG98a1cYD72gjoPraFIE
 -> X6XuI-grease DM 71
 /87RWErV1DecX+zr2HLnmri/cQVoXYcdcg7oPeCmIcY/3g
 --- KyKWk2cIfo7bc9RVzjYYfQ66omtJUJI4ite2z9eXa0k
 ;<3B>‚±1ù¾^Dx‚Ã<ËF<C38B>ü‡ÿ³Z¶cP@<13>ZPÈ-^ˆ´b_ÙZû’*ø*ŽEUFtÐØ&Mby˜¡z
--- a/secrets/nextcloud-pw.age
+++ b/secrets/nextcloud-pw.age
@@ -1,24 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w nxbI6qoO7i4zsLRqt/7P1+sxrWy+iqI/+wpG2gAe6TA
+-> ssh-ed25519 6AT2/g hXS7zxzYhlu5GrUAEAnaO+CizpbifjDxIwoAK55cjV0
-Wt6xkwHMhfwsJ7rtH9PGjVhR45K0SF27S9uR/SJeIzw
+xU7Z52cjARU8tmd1AJ9v8+QTQzfL/mNxP/f/bJAzYvo
-> ssh-ed25519 mbw8xA cRw8P7vAvbBzAT35551y4NodC4dgzRhSzXRmckfKCjg
+-> ssh-ed25519 dMQYog 8PEp5TmEOumhWUZvko42sOKpkqOCW9/zCrMqn+fJ2ws
-aVVupspcV0jG8ycsXuoW+9lTN16MN7a5jTcLh12qBg4
+wJo8x6+hyU8iJkTqGVecZ88hG661F3ZvEvVqpJzox5w
-> ssh-ed25519 2a2Yhw E+kUd+Y6saJx52Eyy6MkIuH54h4zUMWRe2OwvIYsqC8
+-> x-grease tdW'\ +(>9 da%@^H6
-xogfXlNu17ttnxElUI2Ya3Rc8kH3Ajk4AVnBnQ/slfg
+q04xwjRaNOBfNhAvik762vJHio/qTfR6qQW4QsD+wzEidRYRggNdQwTl+G4jkWAu
-> ssh-ed25519 dMQYog GsLYEBZmG9W+1bUPZjGyo1I55x7Xjp18z6D6EZEYZl4
+fx0xZeiI5qVm6WG8lg
-7VE5glX6in2Wna5sBwP2B2gPewyQ56/yAdMkSsXthaU
+--- pHx5BdqI3HubR9wAtPyfMaYbr8uqRwOS1qFJhtC4wuM
-> ssh-ed25519 6AT2/g 2pHPOxQSwa7XNhPLpCo3b5VkD7ytu0qsfDE4PN3KQ0E
+Èv°ºg9sÉÉ¡§6:`Nlëªø`.‘•ÓÍPebÅSNn<>åÄ8C<<3C>¥a=-¨Gh¤ò.ªfHm<48>»æUëçPGpS}µxýùã#ÎT
 vEj6igHfl5sQtVUsHXmdNtK2VQin2dDb9XOrUFhyahY
 -> ssh-ed25519 fwBF+g 6xUfafFpXs1v6PzSBR2q0KATyx1QB20oyZUghh2lOlY
 Pzc+lgRzzG2nK59ofhsudsIZyfI2JCHxLjyZYGYcCFo
 -> ssh-ed25519 yHDAQw bzxN6gY98TJjX0tUzT9fkp8FohD1PR17JQ4HsGSEEkU
 Ws5f1wVhJgd7LhWW1TrUXrHiggX1J77It57EqTTBqWw
 -> ssh-ed25519 VyYH/Q qLxrHDC+Hen/oSivOuRONDZbF/wwIdEYD2Ci3cn5XV0
 qgqRuHSTb0gETpsZj5oJ3RmNEIlgRolmfVIO7hZ34IQ
 -> ssh-ed25519 hPp1nw rXaGNPqhVQfwR7ZxX2yPI+LXmiJvhoIouFRwPAfUnR8
 RRZCtJSlBGaK54l4tvJm2LT7UL/4yiEBE10adx0j3kU
 -> qvCWm(-grease /[nA+Vkr d_!rw< 6 sgv)(
 UZ9Y+nrSjym+veC9SbnQjkRZmDt3UTkSbtx90slbmrdGIAJ2zLZzRckhriF5z2Jr
 9FPuX356sGdy0XGWoUzWCqvmzByL9KIftPY
 --- huMR4jZ8uXzj3YnT9sG5EeUTsZyeTnfBWHs8U2CAWMU
 ˆÑµJA’’	ÎØ1ªÝÃð+S¸Åƒ¯ŒHaq<61>ÞT9"~Ûí•ÚºV`IðÅÄ˜üKA}h[<5B>²Iu/QÚ¨ìÚ(*¥^HÃ3:H@ÎJJ
--- a/secrets/pia-login.age
+++ b/secrets/pia-login.age
@@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> ssh-ed25519 6AT2/g J3H9xUUwUMB7VkHHGtsZaCm/GiyqTFUrEmsuwcrgrhE
 tn+zbj5cISZzkUzJcu7JlaqhE4Dr4fhczSJU2kV91AU
 -> ssh-ed25519 hPp1nw 370YNPQn4mqeHjOvnIXkm+BzbrRNHkFICJaJhHCSHDQ
 WLhDRA8jp50aKkY8t9GvyAHoLxYQD2Bhw3y01hwhoOA
 -> ssh-ed25519 dMQYog 1dwQN8hmbLY54OnRTXtcwAXHoYLLNV0IK/rQQ9ZgV2A
 gP2HQinVYW72oJRFW69qAeF/iNEEtJqya1iRMOugNKk
 -> ~-grease 2%p4s G:$f41y " vZ87PA*|
 +hI029392lrjxlsXUI8opFVcUK+JOjgBYGMH
 --- juX+tgNpNr8it5QnbcBkR9u88vZkC47L5fIlZQNxPYg
 ,J}¸œ}Y§˜B%ˆo~3M×½HÊ—]ºˆû©ðÔ¤–žËn0cVs(´;axc#o™Üüv'kˆù#]o<>N`ÆœøÁ´Ì¿<C38C>˜¼ûp<>ÒšKàøk†0(
--- a/secrets/pia-login.conf
+++ b/secrets/pia-login.conf
--- a/secrets/restic-password.age
+++ b/secrets/restic-password.age
@@ -1,23 +1,20 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w YfFXfkiV/OEhL9zmHK3bioQUUzlu9DHyhbzxenTVWWY
+-> ssh-ed25519 yHDAQw LyoiocIPWoX81W5lD5OBD5P48QC3CtVHmpATJTfz70Y
-PY6ykXYKNxfT4IMIvsdyEg+CMzMllPcacboJ3mj2CXU
+fnRfSV68RLkMc+W6WX5aqxMQxDz7UviTNQqB5KAtKYs
-> ssh-ed25519 mbw8xA dMVsqzPuMGCSxsjwo0HTq4O4ayY8S0C5UGJ5STaiO3g
+-> ssh-ed25519 dMQYog nQ49ARJDvvVmZEQu1YlYKGba5Dh5U4bGKsLAZfPDqUg
-YwY4col/fbt5gQF4GBfGTJuaCYEDQG/yPLuS6TDTYAw
+9Rs0zISa1FDT3ngBBwp5vXi8aR+a/Z+BrGIEKVUJWkQ
-> ssh-ed25519 2a2Yhw LOwqoLJtGV4e/vd9h7ks+h2Cu2AcfPs5fObQBjY1qlU
+-> ssh-ed25519 fwBF+g Zap6yPIuauggXP00/It4kYJV2G539vUblQsfwgVzVHg
-p4vpGEBh1ucCvwwfY+jio1eqZLaz+3UNc+k8qHwvkIc
+83K5JgUeHjf6lYv8H3YvsbBzrFOgsQyqLVm4h5Be5gE
-> ssh-ed25519 dMQYog spGr30/0nW6I8gnlDXB2fNiNm6mW3jVdV0HxbAYOtCI
+-> ssh-ed25519 6AT2/g 7QlvTxNNubo2dRwVwfjxr+9MOge9XIsrJVLeAtpkewg
-GEA6ggfl7yv6XYj1/e4wF/xHOTgfC29vXwz3N4wQnNA
+lxzXO7PIKNzrKwj0KhyHetavLM3zqjbXu4h/S7tDJns
-> ssh-ed25519 6AT2/g ZA1c7ZNBdi/H02k+LhBol39RoX6uXqvtlAbePJ6/rQk
+-> ssh-ed25519 VyYH/Q tfgTbXGhdOru7FyVWPVf9tBLcuLZJQWnWZkL8yOjQyg
-cgJTVWDBYdfT/4tpjeQLkQlmCh0h42BKtxC80a8RGqE
+HIKUKzWhEM0PD+EKpI5asIwQF3Lx8CYeURVce2QAMZU
-> ssh-ed25519 fwBF+g 7yzxxo42BMU7z9LWd2Dzo9rq6utpmLgNIy3mUuvIAXI
+-> ssh-ed25519 hPp1nw xHd4/TCZAi/zwSL0fj7FVGHkykKAmvh29tJReIAUDFg
-dazG882otsFAb4Qo9xeG5zM1Xp7LLS6d7eAiQ/ucMsk
+/TrZ77mu8vGmudrrPkDgQPiLr2o84lDrsVgY31xMHUQ
-> ssh-ed25519 yHDAQw eKxZ3ubH/St4ADh9/V6K04TqJWxvp9Oc+1C4MSFlkgk
+-> ssh-ed25519 dMQYog 20tuoqjWl4dQBpEKiiSrbEmwW9ZLml3F8MS7riyu1GI
-p3yCmtEsEieyBHuggp9DbBsSm7xKbevnJLiIbmJafEY
+I/jrnGVCw37hxoKnf/yGPlvGlXPXy+c1sz1ouY44KF8
-> ssh-ed25519 VyYH/Q sqoBr8012iw3O72fw6fTcBrq6o5vfyAltfO+tqBU21Q
+-> 0UxZ/o4-grease V+d
-ELlo9KI0y+ixRylkWnDR50eISvGsX3xzwP77+OBhrhw
+VgDtDiYRn+VzFbhXGHjOTbdN/V/vSW7STbKquW96A68DRzKH6yDn/4Ia4tX469eA
-> ssh-ed25519 hPp1nw 8LfZncfhKV7QKrglch3Sx+/4zErTmdiVSL+a3ZLyzUQ
+y6swdFIvbsPFnldalFKxKhHqjKRSJPLAKeWECe/I
-DlU7/EZaTYLrlUu+Q4A6qDL+v/YKD3JEbCfZkUJ/bwA
+--- ZEnygego6ke0cW4acYxInaRQXXOaKoSNklgTn7KPOfg
-> V{dl'-grease `i* Eww uPgzl* f5zjP;
+ZÔPÊ|>ªîÃÆÍË<C38D>+:NdÌñ*Pû¢i+¾¡ä§²çÙ3ôGÛ	J´”Ž÷bkc<>ìF<‡’Ö0zá€Í½÷<C2BD>`W/2 ƒ<>4‚¯{O"‘áüF°jS^f_¸£€
 PMMK0yN9kZ9R0+ZyibiQqtJ4kXMCQEqY9Se/80nCkY7zvg2lVHq6UJUD
 --- IIg4b0+vVeyISKd7zkVovNeCsUkkX/DhZMDc214vwa8
 È€£ISÞ–ùÕjSp^`5S-sËíFžmLÃÙåïeê	qÛÀ’]9ü€¡…Jf?¯TÆ7¹Ð»ÃíçäA0õ‹KæÞöz¾Z\Yƒ1Ã@htÔné-ˆí™
--- a/secrets/robots-email-pw.age
+++ b/secrets/robots-email-pw.age
--- a/secrets/sasl_relay_passwd.age
+++ b/secrets/sasl_relay_passwd.age
--- a/secrets/searx.age
+++ b/secrets/searx.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,41 +1,44 @@
 let
-  keys = import ../common/ssh.nix;
+  lib = (import <nixpkgs> { }).lib;
-  system = keys.system;
+  sshKeys = (import ../common/machine-info/moduleless.nix { }).machines.ssh;
  systemsList = keys.systems;
  usersList = keys.users;
  all = usersList ++ systemsList;
-  wireless = [
+  # add userkeys to all roles so that I can r/w the secrets from my personal computers
-    system.router
+  roles = lib.mapAttrs (role: hosts: hosts ++ sshKeys.userKeys) sshKeys.hostKeysByRole;
-  ] ++ usersList;
+
  # nobody is using this secret but I still need to be able to r/w it
  nobody = sshKeys.userKeys;
 in
 {
  # TODO: Minimum necessary access to keys
 with roles;
 {
  # email
-  "email-pw.age".publicKeys = all;
+  "hashed-email-pw.age".publicKeys = email-server;
-  "sasl_relay_passwd.age".publicKeys = all;
+  "sasl_relay_passwd.age".publicKeys = email-server;
-  "hashed-robots-email-pw.age".publicKeys = all;
+  "hashed-robots-email-pw.age".publicKeys = email-server;
-  "robots-email-pw.age".publicKeys = all;
+  "robots-email-pw.age".publicKeys = gitea;
  # gitea
  "gitea-runner-registration-token.age".publicKeys = gitea-runner;
  # vpn
-  "iodine.age".publicKeys = all;
+  "iodine.age".publicKeys = iodine;
-  "pia-login.conf".publicKeys = all;
+  "pia-login.age".publicKeys = pia;
  # cloud
-  "nextcloud-pw.age".publicKeys = all;
+  "nextcloud-pw.age".publicKeys = nextcloud;
-  "smb-secrets.age".publicKeys = all;
+  "smb-secrets.age".publicKeys = personal;
  # services
-  "searx.age".publicKeys = all;
+  "searx.age".publicKeys = nobody;
-  "spotifyd.age".publicKeys = all;
+  "spotifyd.age".publicKeys = personal;
-  "wolframalpha.age".publicKeys = all;
+  "wolframalpha.age".publicKeys = dailybot;
  # hostapd
  "hostapd-pw-experimental-tower.age".publicKeys = wireless;
  "hostapd-pw-CXNK00BF9176.age".publicKeys = wireless;
  # backups
-  "backblaze-s3-backups.age".publicKeys = all;
+  "backblaze-s3-backups.age".publicKeys = personal ++ server;
-  "restic-password.age".publicKeys = all;
+  "restic-password.age".publicKeys = personal ++ server;
 }
--- a/secrets/smb-secrets.age
+++ b/secrets/smb-secrets.age
--- a/secrets/spotifyd.age
+++ b/secrets/spotifyd.age
@@ -1,24 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w nK+/qKKiipFhaF8SlrPA+1MXBmL0g3X+VX0o2eDurXk
+-> ssh-ed25519 yHDAQw R1weIMur0s9HsBBwNn+XyBNfAB8CrQf6QEzIJFklcG8
-vyeRKIBbBpNQ6fg2GnUe/rSzwZEg9pajaTygFCTEd84
+DTK0seypjzSX1B2ce2IWyYwygBeeKlbFpYgzH7i1DHA
-> ssh-ed25519 mbw8xA u1l5e1uS2/U5ha5EGAp4x790uKJyRN4L7vPKLkGcqRA
+-> ssh-ed25519 dMQYog DU9sxA0/cG/O9EG3JYFjL1d2OiqOSZvFjZ1S2zTTWDw
-bGAA/pFSsNT+ZGOEVxqz5tfORvbdZ2HU/+1QpS6r1hI
+nGlUCvjpUp50ykTIUzSQ19uj2tiVMPo1Ois8xFSWB58
-> ssh-ed25519 2a2Yhw 9liF3i4BNYAS3N/wCIwD/ks0UEYzEQNBtISNostxoXU
+-> z%z.3-grease lF#S
-L8zcyadtJyMl+H5ndJDc2eZS8nHDfUb/dER+hSTS9sw
+H+5548VgikG9upeHi2GIQ3U71TC0ds+dn8yWOoixHnRhiYZRIhODffjI3D8T18gk
-> ssh-ed25519 dMQYog YgBTvIkJEm7IrC75tuLsRyRJDe4bJvMFXlxbfW8E+Bw
+1mjtW+c34E+ALRkSIf5iWwChJxsomS6LiMS3sqtJg4c
-2synWFO1aCMPup44qx9m9+Q3VIHyReJEmgaSXXdeNdY
+--- o2hgAcfMDZyGIehN07CO7OjSCrmwUDRTrwxAKmGcfAY
-> ssh-ed25519 6AT2/g XWEVpDjWhUgz8kQn26jOlK9pmzyaLY/zZHHCL3zmOTY
+<<3C>¹ CÜGàÝ<C3A0>Ï0<C38F>
 LISRuoS5+PXLqN8UfMp6W2lhntejObGWeVGMQmZ8GaQ
 -> ssh-ed25519 fwBF+g v/YxEBKCPcrsw17S7qxVfZZMfmOiA4+PPTPEsLuNFl0
 Gqu0LoYGraAQoRuCaMxLKZYFxxPTqJXno+gtIfPwS+w
 -> ssh-ed25519 yHDAQw ETqeum+DKSj8P8+GYt6aqplIElw71E8qS7XFEfdk9Hs
 5fDPFlLpm5uoM9ASrxyEnJDURLpjvLcap/TTbrnes48
 -> ssh-ed25519 VyYH/Q JgQLP5848LEJNjEYDtWO+pildvixJwr548a3WDuUk3c
 K9RH2E+vmsemxFuoENVDOyU2APB0JGKWLCRv1YFwblE
 -> ssh-ed25519 hPp1nw 2H3olp3s1Ong037spS7tekMKwB8FemQYdWXAvdLBjEY
 4BhO0GhFC/zqGUs1R4yigIuLtLaWswrmv/9lFuQ+jXI
 -> 5y'BWp-grease 4\h10!^" 47#Gqf VQbey`1
 pRs8xYTuqqZ+6B5W2+zAWCXMpgO2k2/x77RKjCmbf48p0LM
 --- ymSK6Hd6lQSBtkIPdfWdMoI+ty8BMo+QM5FC/fQsIpY
 /eÁÄæ<C384>B.`õ+Îî–BÙÃ6¬
 &%¿¥Ö}+Ì"<¤ýå2Ñ°Ù~ñ‹@Q€ˆÙtþàÎmLdIJ½öýƒ»òžÂŒÀu	L\Þ{“Dcà°1ÅŒ@{Ã7ïô‡èÞî
--- a/secrets/wolframalpha.age
+++ b/secrets/wolframalpha.age
@@ -1,24 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 xoAm7w uiG2dFOijKdrdBXfdbO36C58tRkmz4MjBX8rEGfsl1Y
+-> ssh-ed25519 6AT2/g xp04CsJvlYhBZS5W/MSDLWGiNCegAjg4XPv43wU5u0g
-eIOekwe5iDZZUcVYEXie+j5qok84fIx1cF8Sna0GdZY
+i6q0YgKOFGaHOKVYMppNtcvjCFfHHqOS9M+oh2mqc1M
-> ssh-ed25519 mbw8xA IGrOTs8sVX3qZQ6l0160q/xYsAvFEj69kN1Dj7yKYi8
+-> ssh-ed25519 dMQYog Mk90WFb+fYCFV7afu3+VbuAtOlvRAgpJGFGqn4ZWGjE
-EnhYbIDhGyirnlsbUCk3GOVzE7QTMkncRFmpiRAOvs0
+wHeScgV248lHiL0B/QEraD4QOBudezhJPrppY50u7S8
-> ssh-ed25519 2a2Yhw wl2vaJQ1gXLb46y/IXJMgCYUvhW3cgjJ10+fLhoS/Bw
+-> G/9-grease
-EOwsKVzPjbYWXQ+c8KWVd4FadamJrn3+qDb5G4R6Moc
+0hCyP7pGu5xkk4eWJTpLWy6f8Zuo8wmgBSNFK7bgzfYdW29mdOrO2Ey3Oa2Gvtji
-> ssh-ed25519 dMQYog QAVPULFTcffOptY4nML8/DyYb95IqBOomztdNaRN1g0
+rze9v27gMUFRXOqPHNmaSjAneCwtcqTMReV+LZr9q9FN6qZnzAE
-qfSGtU3pl/7fMCjZM8syfLvgHhyd38AA/SICm3maHbI
+--- /SN6cSyrvbDEHTiIvv4MdoVkIjz3yZkvtr2SVBE1rRk
-> ssh-ed25519 6AT2/g oaH9KRPHLkl1WXKIvtP7liWf8Apy1yEf41UHkFvdJjk
+=„ñ1fJ…XÍô‹~ÃÝÆD¬c¹aFâ¨@Ý¹c=89;¿sôv®Ïú´‘
 Rpfn7Gt6bORSI2qITHC7HAb1zlzOK4gDh3Ya7JwUUzk
 -> ssh-ed25519 fwBF+g ilPZbir/rHhDv+drBmEsVEgjmIJHeISK9cZGltytClc
 ODhQutW6IMHsFw+wQC4n6TOMCbydrPUWXlfwgQelpZs
 -> ssh-ed25519 yHDAQw xbtvz5r0XfNY/cKWiIuUKO5tt+iGZMbc0d/PT4HhyGs
 g/3IKnsKniQ3aB++htgM1JUmfsDzWWJ4lylAw5rBpyI
 -> ssh-ed25519 VyYH/Q yhDle9FTAXot4gB23F7rOLNqJ1j3PMZmk7OMbKaGayE
 j2XnSG589GUmvM4NunfgbcvdDBCpDJ6GubxI2UR3IE4
 -> ssh-ed25519 hPp1nw I86wd3J4YZTlis1s/Q6SQP7j492NVe64DWu6Pe8ujFI
 jgkh4YTEuBE1qCTooWPWZxQri8KSPYnWYkIhcEhIAIM
 -> C+QwV1[-grease 7bFy^.lq Y) 5
 Vw2f+pwTja8b9veFqdxVZSMGsgii+SMUfn9eAVqTjEAmWxawSQ
 --- V75Y+46buomIjWtz/zwOBNkZ9ZAKcKV3NDy42NDjPU4
 äìº–öC<C3B6>rF<72>Ï¦A
 Bì—„62-¾§Ì<C2A7>©©’ŠD	s&˜H–
Author	SHA1	Message	Date
Zuckerberg	b7549e63f5	prototype	2023-04-26 14:46:55 -06:00
Zuckerberg	306ce8bc3f	Move s0 to systemd-boot	2023-04-25 23:41:08 -06:00
Zuckerberg	b5dd983ba3	Automatically set machine hostname	2023-04-24 20:52:17 -06:00
Zuckerberg	832894edfc	Gitea runner	2023-04-23 10:29:18 -06:00
Zuckerberg	feb6270952	Update options for newer nixpkgs	2023-04-23 10:28:55 -06:00
Zuckerberg	b4dd2d4a92	update TODOs	2023-04-23 10:16:54 -06:00
Zuckerberg	38c2e5aece	Fix properties.nix path loading	2023-04-21 23:24:05 -06:00
Zuckerberg	0ef689b750	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/b7ffcfe77f817d9ee992640ba1f270718d197f28' (2023-01-31) → 'github:ryantm/agenix/2994d002dcff5353ca1ac48ec584c7f6589fe447' (2023-04-21) • Updated input 'deploy-rs': 'github:serokell/deploy-rs/8c9ea9605eed20528bf60fae35a2b613b901fd77' (2023-01-19) → 'github:serokell/deploy-rs/c2ea4e642dc50fd44b537e9860ec95867af30d39' (2023-04-21) • Updated input 'flake-utils': 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02) → 'github:numtide/flake-utils/cfacdce06f30d2b68473a46042957675eebb3401' (2023-04-11) • Added input 'flake-utils/systems': 'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09) • Updated input 'nix-index-database': 'github:Mic92/nix-index-database/4306fa7c12e098360439faac1a2e6b8e509ec97c' (2023-02-26) → 'github:Mic92/nix-index-database/68ec961c51f48768f72d2bbdb396ce65a316677e' (2023-04-15) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/78c4d33c16092e535bc4ba1284ba49e3e138483a' (2023-03-03) → 'github:NixOS/nixpkgs/8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8' (2023-04-22)	2023-04-21 21:22:00 -06:00
Zuckerberg	e72e19b7e8	Fix auto upgrade	2023-04-21 18:58:54 -06:00
Zuckerberg	03603119e5	Fix invalid import issue.	2023-04-21 18:57:06 -06:00
Zuckerberg	71baa09bd2	Refactor imports and secrets. Add per system properties and role based secret access. Highlights - No need to update flake for every machine anymore, just add a properties.nix file. - Roles are automatically generated from all machine configurations. - Roles and their secrets automatically are grouped and show up in agenix secrets.nix - Machines and their service configs may now query the properties of all machines. - Machine configuration and secrets are now competely isolated into each machine's directory. - Safety checks to ensure no mixing of luks unlocking secrets and hosts with primary ones. - SSH pubkeys no longer centrally stored but instead per machine where the private key lies for better cleanup.	2023-04-21 12:58:11 -06:00
Zuckerberg	a02775a234	Update install steps	2023-04-19 21:17:45 -06:00
Zuckerberg	5800359214	Update install steps	2023-04-19 21:17:03 -06:00
Zuckerberg	0bd42f1850	Update install steps	2023-04-19 21:15:58 -06:00
Zuckerberg	40f0e5d2ac	Add Phil	2023-04-19 18:12:42 -06:00