Refactor the whole codebase. Most notable changes:

- No more fail2ban. It didn't work properly anyways, I'll need to look into this in the future - No nix-super. I don't need it and the overlay is broken so I'm waiting for that to be fixed first. - Uses nh instead of nixos-rebuild. This is much better.
2025-07-29 19:17:45 +00:00 · 2024-03-27 12:36:50 +03:00 · 2024-03-27 12:36:50 +03:00 · 62c575774b
commit 62c575774b
parent f145bdaa4a
106 changed files with 1252 additions and 1367 deletions
--- a/hosts/cube/acme/default.nix
+++ b/hosts/cube/acme/default.nix
@ -1,15 +1,15 @@
-{ config, ulib, ... }: with ulib;
+{ self, config, lib, ... }: with lib;

 let
  inherit (config.networking) domain;
-in serverSystemConfiguration {
-  age.secrets."hosts/cube/acme/password".file = ./password.age;
+in systemConfiguration {
+  secrets.acmePassword.file = self + /hosts/password.acme.age;

  security.acme = {
    acceptTerms = true;

    defaults = {
-      environmentFile = config.age.secrets."hosts/cube/acme/password".path;
+      environmentFile = config.secrets.acmePassword.path;
      dnsProvider     = "cloudflare";
      dnsResolver     = "1.1.1.1";
      email           = "security@${domain}";
--- a/hosts/cube/acme/password.age
+++ b/hosts/cube/acme/password.age
--- a/hosts/cube/default.nix
+++ b/hosts/cube/default.nix
@ -1,4 +1,4 @@
-{ config, ulib, keys, ... }: with ulib; merge
+{ config, lib, keys, ... }: with lib; merge

 (systemConfiguration {
  system.stateVersion  = "23.05";
@ -6,18 +6,30 @@

  networking.domain = "rgbcu.be";

-  time.timeZone = "Europe/Amsterdam";
+  secrets.rgbPassword.file = ./password.rgb.age;

-  age.secrets."hosts/cube/password.rgb".file = ./password.rgb.age;
+  users.users = {
+    root.hashedPasswordFile = config.secrets.rgbPassword.path;

-  users.users.root.hashedPasswordFile = config.age.secrets."hosts/cube/password.rgb".path;
-
-  users.users.rgb = normalUser {
-    description                 = "RGB";
-    extraGroups                 = [ "wheel" ];
-    openssh.authorizedKeys.keys = [ keys.enka ];
-    hashedPasswordFile          = config.age.secrets."hosts/cube/password.rgb".path;
+    rgb = sudoUser {
+      description                 = "RGB";
+      openssh.authorizedKeys.keys = [ keys.enka ];
+      hashedPasswordFile          = config.secrets.rgbPassword.path;
+    };
  };
+
+  services.openssh.banner = ''
+     _______________________________________
+    / If God doesn't destroy San Francisco, \
+    | He should apologize to Sodom and      |
+    \ Gomorrah.                             /
+     ---------------------------------------
+            \   ^__^
+             \  (oo)\_______
+                (__)\       )\/\
+                    ||----w |
+                    ||     ||
+  '';
 })

 (homeConfiguration {
--- a/hosts/cube/forgejo/default.nix
+++ b/hosts/cube/forgejo/default.nix
@ -1,15 +1,17 @@
-{ config, ulib, pkgs, ... }: with ulib;
+{ config, lib, pkgs, ... }: with lib;

 let
  inherit (config.networking) domain;

  fqdn = "git.${domain}";
-in serverSystemConfiguration {
-  age.secrets."hosts/cube/forgejo/password.mail" = {
+
+  port = 8004;
+in systemConfiguration {
+  secrets.forgejoMailPassword = {
    file  = ./password.mail.age;
    owner = "forgejo";
  };
-  age.secrets."hosts/cube/forgejo/password.runner" = {
+  secrets.forgejoRunnerPassword = {
    file  = ./password.runner.age;
    owner = "forgejo";
  };
@ -42,7 +44,7 @@ in serverSystemConfiguration {
        "act:docker://ghcr.io/catthehacker/ubuntu:act-latest"
      ];

-      tokenFile = config.age.secrets."hosts/cube/forgejo/password.runner".path;
+      tokenFile = config.secrets.forgejoRunnerPassword.path;

      settings = {
        cache.enabled     = true;
@ -61,11 +63,12 @@ in serverSystemConfiguration {
    };
  };

+  services.openssh.settings.AcceptEnv = mkForce "COLORTERM GIT_PROTOCOL";

  services.forgejo = enabled {
-    lfs = enabled {};
+    lfs = enabled;

-    mailerPasswordFile = config.age.secrets."hosts/cube/forgejo/password.mail".path;
+    mailerPasswordFile = config.secrets.forgejoMailPassword.path;

    database = {
      socket = "/run/postgresql";
@ -78,7 +81,7 @@ in serverSystemConfiguration {
      default.APP_NAME = description;

      actions = {
-        ENABLED = true;
+        ENABLED             = true;
        DEFAULT_ACTIONS_URL = "https://${fqdn}";
      };

@ -89,9 +92,9 @@ in serverSystemConfiguration {
      mailer = {
        ENABLED = true;

-        PROTOCOL = "smtps";
+        PROTOCOL  = "smtps";
        SMTP_ADDR = config.mailserver.fqdn;
-        USER = "git@${domain}";
+        USER      = "git@${domain}";
      };

      other = {
@ -123,8 +126,8 @@ in serverSystemConfiguration {
        ROOT_URL     = "https://${fqdn}/";
        LANDING_PAGE = "/explore";

-        HTTP_ADDR = "::";
-        HTTP_PORT = 8004;
+        HTTP_ADDR = "::1";
+        HTTP_PORT = port;

        SSH_PORT = builtins.elemAt config.services.openssh.ports 0;

@ -145,7 +148,7 @@ in serverSystemConfiguration {
    };
  };

-  services.nginx.virtualHosts.${fqdn} = (sslTemplate domain) // {
-    locations."/".proxyPass = "http://[::]:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+  services.nginx.virtualHosts.${fqdn} = merge config.sslTemplate {
+    locations."/".proxyPass = "http://[::1]:${toString port}";
  };
 }
--- a/hosts/cube/forgejo/password.mail.age
+++ b/hosts/cube/forgejo/password.mail.age
@ -1,6 +1,15 @@
 age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw k4u86tbxSaZTIr9QzN2P+md9WwGvn93jOXqR2JHWy30
-tG7p/GaP0MhTqbAin3KmIMCrE67Ls3NYoztcJT8r7po
--- cmz8sBFqHk8RyAae/gBqrWgjCyHrVtngjZGn1xQOze8
-9rgM’Ð×¶9±¬¹¥òíªgù<67>šÉzã<7A>
-ý@ÕÙðuO·Þê0×¥ôa
+-> ssh-ed25519 +rZ0Tw UdpGG1O9oC4Z3OasaGJyU3TM9FkwcaXQX9+QT4Wqrjs
+RX+NdBYD+/GtOSGun8Y04S48MKLDHkQsfqjJQ0vVj18
+-> ssh-rsa jPaU3Q
+EVX4PE+5bBQm3tzrUkbPBfG7Ech9dS2Ix8ZLLWYW2DFp30F49tJvYUDLGgpRARa+
+dh0+tuiOdPHENVbyhM8pob+Jk4Ii1+ZYwQdah0bAmewJ88NAHgfNCPMuAZFsR2w7
+r+KeuMa+1PtX3llIVWqTc+pdfrPVnG/DcbQqSgs5a2NVQauMgFgT9eCrwvuWCTSQ
+dlUWdysSTYsnGHSKxSgS/MmMIFsrlxqoUUBYTFdS6yU/w6b7VFSJdGczmzD9zFMJ
+ywkregpi5y0Z8K5byroRMR1IfIl7B0CHcZbsTFqSrlDSX9Rq2D84TGwdhwBK0L17
+Yy1UM3mFIDWgWe2lBY2KRterzxF/XxfDgbDc+1d8NWANVDinoXIOLYg3QBCSupwR
+QmgjfvMcqjDSeg/QaV3PXtK/GyzVk8ehAFQpCyi+XofuavhBzP+9yk6IoHQupEAx
+mQkm1ZXRc//C5w7Svjf6DmR5KKbF/mTRr7QqJp4XuCNCHA4Bf5BQEw5p8NtfqiWh
+
+--- iRy3XLKWkh6sUOkUS79ZRtRAjGdvvlKRZ6L6h6cKzjE
+˘lÚŁYÁ~‡Ď¬¶	Ľšb‚Q“/ľĐÖo×3‡Ş^ůsď“¸‹}+ř‰ş,B
--- a/hosts/cube/forgejo/password.runner.age
+++ b/hosts/cube/forgejo/password.runner.age
@ -1,5 +1,15 @@
 age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw rraoMjYwD6IIkmgyiDKlij2+bLqY5PNyMU5IPQ4mvjI
-/yttaAf7neHJ69LYh6p33gRBXIZA4oxWS5DDMnfOhhM
--- o+/I/vPxFdL9orC3PsBTazOrwG6Le8uLMUYiHE4XMj8
-¬¨<EFBFBD>
±]}ÍWž{[a'mdú€AÈU‰Ô¬ì7z*ÌY9"èÍ|±1dvùQxcŸ¶Ç“<C387>à"®0ñÆÔpÖò¿Œr½:ÇÅÑ
+-> ssh-ed25519 +rZ0Tw cQ6Sb/ZjeBy7VCL03h1A4+67kNoEYfQBee90qOXytxg
+pIZpmgRZ9ISGx6CJF0yPX+PYs9VLXXoK01FB+iW4OXo
+-> ssh-rsa jPaU3Q
+aVlBcpE5GdfXtzuu7uHqDhTtiO7mXMYNr0Ww0MluxQxZmuXyxa7IIxeUR6n6eub/
+7H+B2Gcwwnh7txdWGyCytCx1rNp5Dbs0qSm+ufgyzNTSz9rPu2iEHPR0WOB2Y85x
+avpC53ESBFORZ4Zswkc0iYBAGIwbtUGDGAV/ziw1hZCEsRCJZX1Pj57Tvk5Bc9mL
+gaBix4Qo3X0j/Pqzp4NeaaMmIdCv2XOizQwFVAxqvT17xil3+TuZLKAScgbwtj9u
+QfOZjwOQxVZwB5+CHmd7AYX2QCQsi45bBKh9dUU2Fm/MLyDmfSpiwTQ3nIEkSk1n
+B6QwA4Z7v0A/IxDyQ9cWpj5TIxQ96RTf/azlRMg0H4bBuwINHlg0oWNIHfGZG15m
+uRMvs+xxPcmU710b5WEwZRSlaZ1+Lm8uLY7d0j+Ie4V41JKmMh1pOaFbyo4wxWUo
+cwRNFx9Yajiml7VnjaOZOGtA/NCUEall4mCdSJD5vntiTb3Hves0gAtoici1ZrX5
+
+--- 8RA8QeFF0brgptQpnHAO6L0J1DXWeVAKxuXmDcX46Zg
+	ÛtÄÚ< ¶¿&õ¡†ÅVõ9SúCsFÁðÂ“
ŒQoCk‘(Ç{¿¸<>õÐHŠm°Ä a ˜Ë¢T‹°„[>³*»QÛ“Ô
--- a/hosts/cube/grafana/default.nix
+++ b/hosts/cube/grafana/default.nix
@ -1,25 +1,21 @@
-{ config, ulib, ... }: with ulib;
+{ config, lib, ... }: with lib;

 let
  inherit (config.networking) domain;

  fqdn = "metrics.${domain}";
-in serverSystemConfiguration {
-  age.secrets."hosts/cube/grafana/password" = {
+
+  port = 8000;
+in systemConfiguration {
+  secrets.grafanaPassword = {
    file  = ./password.age;
    owner = "grafana";
  };
-  age.secrets."hosts/cube/grafana/password.mail" = {
+  secrets.grafanaMailPassword = {
    file  = ./password.mail.age;
    owner = "grafana";
  };

-  services.fail2ban.jails.grafana.settings = {
-    filter       = "grafana";
-    journalmatch = "_SYSTEMD_UNIT=grafana.service";
-    maxretry     = 3;
-  };
-
  services.postgresql = {
    ensureDatabases = [ "grafana" ];
    ensureUsers     = [{
@ -34,7 +30,7 @@ in serverSystemConfiguration {
  };

  services.grafana = enabled {
-    provision = enabled {};
+    provision = enabled;

    settings = {
      analytics.reporting_enabled = false;
@ -44,15 +40,15 @@ in serverSystemConfiguration {
      database.user = "grafana";

      server.domain    = fqdn;
-      server.http_addr = "[::]";
-      server.http_port = 8000;
+      server.http_addr = "[::1]";
+      server.http_port = port;

      users.default_theme = "system";
    };

    settings.security = {
      admin_email    = "metrics@${domain}";
-      admin_password = "$__file{${config.age.secrets."hosts/cube/grafana/password".path}}";
+      admin_password = "$__file{${config.secrets.grafanaPassword.path}}";
      admin_user     = "admin";

      cookie_secure    = true;
@ -64,7 +60,7 @@ in serverSystemConfiguration {
    settings.smtp = {
      enabled = true;

-      password        = "$__file{${config.age.secrets."hosts/cube/grafana/password.mail".path}}";
+      password        = "$__file{${config.secrets.grafanaMailPassword.path}}";
      startTLS_policy = "MandatoryStartTLS";

      ehlo_identity = "contact@${domain}";
@ -74,9 +70,9 @@ in serverSystemConfiguration {
    };
  };

-  services.nginx.virtualHosts.${fqdn} = (sslTemplate domain) // {
+  services.nginx.virtualHosts.${fqdn} = merge config.sslTemplate {
    locations."/" = {
-      proxyPass       = "http://[::]:${toString config.services.grafana.settings.server.http_port}";
+      proxyPass       = "http://[::1]:${toString port}";
      proxyWebsockets = true;
    };
  };
--- a/hosts/cube/grafana/password.age
+++ b/hosts/cube/grafana/password.age
--- a/hosts/cube/grafana/password.mail.age
+++ b/hosts/cube/grafana/password.mail.age
@ -1,5 +1,15 @@
 age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw xkWa1fXAqQk5S+VNegGJpwGGDK0S3U+/QqPqSJgDUzI
-xQRrNt48YL6ueLKKN4VXZuwzP0wu7AykvShOTv06YVQ
--- pEof9mZkQfWKgX5jrFGissq6m8/CvS7O2G52d/XbS8w
-Ñ,5 ÜK¬h×¾#s®(	‘z™_IipY/ð=¸£Ü¯øßRw•S“¹
+-> ssh-ed25519 +rZ0Tw O0H0h+hSKjcOPaWE8iDSpYsR0TGigDeyBUmHtFTCNjQ
+EHORIYFfRAoYEME9SM6l3ef6jfYmLBXEgGxZ7L+wZyA
+-> ssh-rsa jPaU3Q
+bG32pycqaE13cyS0OVqd3mI3lmP91UOgBrhnIhUv6WCDxJdQoshrUNhfF93JAI9+
+HSAsAOM1UHeffdNuucCQsoTxENCFonldrK8+cQwPyQlPSGIP5yE4hFFRUjoct0X5
+qdJsjgHAP53c5707mdwsx7lbpRLFPhW6JvA90wn1LKZPgMHBD5yQRPc+qM0NQ10b
+sOqNU8dVuuIwWGtzHm9vrw3jUZMNiH+AUJ8IcaEC8+5FFAHr1cib3+rzyUmbzrxr
+n2dXsIICLmQZVXoNPMYltcHyM6jf1a+cxh9Z7ZKhVxJvD2jXh9CqrHw5Z2xbQJTL
+rwKNE85xxwQNzldYPMGLWyfn25j08/Jx4uZHXQIGrjVQCRRy+Mmn9d05MY2BNPNC
+vpA848kn1IIM5ybBdsEXSqywoE2+r+J39JVUcQgTdXhjQwfZWcXiaq3haD6mhtRp
+0VIqnBeu4vuvgtOEnWzvqVj0k64sYs+uPVjuXrW6szcSBcHj/QLfIQ//Tw4sRpQy
+
+--- DRdJx69Bkj+MVtk3dlZ0gMQmHG7NC7ZbzuMGbEbNVUQ
+¹
¦ˆñ¥ÈŽ^@„éü%˜”,ƒqå\4a©EÆQEi>ðRÛvêðÞ 
--- a/hosts/cube/hardware.nix
+++ b/hosts/cube/hardware.nix
@ -1,8 +1,10 @@
-{ ulib, modulesPath, ... }: with ulib; merge
+{ lib, modulesPath, ... }: with lib;

-(modulesPath + "/profiles/qemu-guest.nix")
+systemConfiguration {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];

-(serverSystemConfiguration {
  boot.loader.grub = enabled {
    device      = "/dev/vda";
    useOSProber = true;
@ -17,7 +19,7 @@
  ];

  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/a14e3685-693a-4099-a2fe-ce959935dd50";
+    device = "/dev/disk/by-label/root";
    fsType = "ext4";
  };
-})
+}
--- a/hosts/cube/mail/default.nix
+++ b/hosts/cube/mail/default.nix
@ -1,15 +1,18 @@
-{ config, lib, ulib, ... }: with ulib;
+{ config, lib, ... }: with lib;

 let
  inherit (config.networking) domain;

  fqdn = "mail.${domain}";
-in serverSystemConfiguration {
-  age.secrets."hosts/cube/mail/password".file = ./password.age;
+
+  prometheusPort = 9040;
+in systemConfiguration {
+  secrets.mailPassword.file = ./password.age;

  services.prometheus = {
    exporters.postfix = enabled {
-      port = 9040;
+      listenAddress = "[::1]";
+      port          = prometheusPort;
    };

    scrapeConfigs = [{
@ -18,27 +21,12 @@ in serverSystemConfiguration {
      static_configs = [{
        labels.job = "postfix";
        targets    = [
-          "[::]:${toString config.services.prometheus.exporters.postfix.port}"
+          "[::1]:${toString prometheusPort}"
        ];
      }];
    }];
  };

-  services.fail2ban.jails = {
-    dovecot.settings = {
-      filter   = "dovecot";
-      maxretry = 3;
-    };
-
-    postfix.settings = {
-      filter   = "postfix";
-      maxretry = 3;
-    };
-  };
-
-  services.kresd.listenPlain         = lib.mkForce [ "[::]:53" "0.0.0.0:53" ];
-  services.redis.servers.rspamd.bind = "0.0.0.0";
-
  services.dovecot2.sieve = {
    extensions       = [ "fileinto" ];
    globalExtensions = [ "+vnd.dovecot.pipe" "+vnd.dovecot.environment" ];
@ -74,7 +62,7 @@ in serverSystemConfiguration {
    loginAccounts."contact@${domain}" = {
      aliases = [ "@${domain}" ];

-      hashedPasswordFile = config.age.secrets."hosts/cube/mail/password".path;
+      hashedPasswordFile = config.secrets.mailPassword.path;
    };
  };
 }
--- a/hosts/cube/mail/password.age
+++ b/hosts/cube/mail/password.age
--- a/hosts/cube/matrix-synapse/password.secret.age
+++ b/hosts/cube/matrix-synapse/password.secret.age
--- a/hosts/cube/matrix-synapse/password.sync.age
+++ b/hosts/cube/matrix-synapse/password.sync.age
@ -1,6 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw qnll3AmLOYVpsLP78bOa0F20HjoN0dOFK2Rk/Ye5w24
-Gsmy22GHYX+0dlrUJalVlPXTWyzCz7q9W5gQza71XbA
--- UQhQek9ss1w8rqxj7HQxh8H/uaIsTK5SIfxqCAe1xoQ
-ÈfÉ<>ZôržŽ–U¬Z'²P<C2B2>•‹<E280A2>~@þŽf ã‡5_<35>Ëcru<72>ùÒË/<£÷ÚQ°é|–fYŠ‹[‡rò^²<>SO6}Ð>
-d!ÈHkZõXr$j	[—\ín½‹…BüÃ(/ëÈÐÏ#
--- a/hosts/cube/matrix-synapse/default.nix
+++ b/hosts/cube/matrix-synapse/default.nix
@ -1,4 +1,4 @@
-{ config, ulib, ... }: with ulib;
+{ config, lib, ... }: with lib;

 let
  inherit (config.networking) domain;
@ -16,6 +16,7 @@ let

  clientConfig."m.homeserver".base_url        = "https://${chatDomain}";
  clientConfig."org.matrix.msc3575.proxy".url = "https://${syncDomain}";
+
  serverConfig."m.server" = "${chatDomain}:443";

  wellKnownResponseConfig.locations = {
@ -26,8 +27,8 @@ let
  notFoundLocationConfig = {
    locations."/".extraConfig = "return 404;";

-    extraConfig                         = "error_page 404 /404.html;";
-    locations."= /404.html".extraConfig = "internal;";
+    extraConfig                  = "error_page 404 /404.html;";
+    locations."/404".extraConfig = "internal;";

    locations."/assets/".extraConfig = "return 301 https://${domain}$request_uri;";
  };
@ -35,11 +36,11 @@ let
  synapsePort = 8001;
  syncPort    = 8002;
 in serverSystemConfiguration {
-  age.secrets."hosts/cube/matrix-synapse/password.secret" = {
+  secrets.matrixSecret = {
    file  = ./password.secret.age;
    owner = "matrix-synapse";
  };
-  age.secrets."hosts/cube/matrix-synapse/password.sync" = {
+  secrets.matrixSyncPassword = {
    file  = ./password.sync.age;
    owner = "matrix-synapse";
  };
@ -88,12 +89,12 @@ in serverSystemConfiguration {
    };

    # Sets registration_shared_secret.
-    extraConfigFiles = [ config.age.secrets."hosts/cube/matrix-synapse/password.secret".path ];
+    extraConfigFiles = [ config.secrets.matrixSecret.path ];

    settings.listeners = [{
      port = synapsePort;

-      bind_addresses = [ "::" ];
+      bind_addresses = [ "::1" ];
      tls            = false;
      type           = "http";
      x_forwarded    = true;
@ -107,29 +108,29 @@ in serverSystemConfiguration {

  services.nginx.virtualHosts.${domain} = wellKnownResponseConfig;

-  services.nginx.virtualHosts.${chatDomain} = ulib.recursiveUpdateAll [ (sslTemplate domain) wellKnownResponseConfig notFoundLocationConfig {
+  services.nginx.virtualHosts.${chatDomain} = merge config.sslTemplate wellKnownResponseConfig notFoundLocationConfig {
    root = "${sitePath}";

-    locations."/_matrix".proxyPass         = "http://[::]:${toString synapsePort}";
-    locations."/_synapse/client".proxyPass = "http://[::]:${toString synapsePort}";
-  }];
+    locations."/_matrix".proxyPass         = "http://[::1]:${toString synapsePort}";
+    locations."/_synapse/client".proxyPass = "http://[::1]:${toString synapsePort}";
+  };

  services.matrix-sliding-sync = enabled {
-    environmentFile = config.age.secrets."hosts/cube/matrix-synapse/password.sync".path;
+    environmentFile = config.age.secrets.matrixSyncPassword.path;
    settings        = {
      SYNCV3_SERVER   = "https://${chatDomain}";
      SYNCV3_DB       = "postgresql:///matrix-sliding-sync?host=/run/postgresql";
-      SYNCV3_BINDADDR = "[::]:${toString syncPort}";
+      SYNCV3_BINDADDR = "[::1]:${toString syncPort}";
    };
  };

-  services.nginx.virtualHosts.${syncDomain} = ulib.recursiveUpdateAll [ (sslTemplate domain) notFoundLocationConfig {
-    root = "${sitePath}";
+  services.nginx.virtualHosts.${syncDomain} = merge config.sslTemplate notFoundLocationConfig {
+    root = sitePath;

    locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)"
-      .proxyPass = "http://[::]:${toString synapsePort}";
+      .proxyPass = "http://[::1]:${toString synapsePort}";

    locations."~ ^(\\/_matrix|\\/_synapse\\/client)"
-      .proxyPass = "http://[::]:${toString syncPort}";
-  }];
+      .proxyPass = "http://[::1]:${toString syncPort}";
+  };
 }
--- a/hosts/cube/matrix/password.secret.age
+++ b/hosts/cube/matrix/password.secret.age
--- a/hosts/cube/matrix/password.sync.age
+++ b/hosts/cube/matrix/password.sync.age
@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw 0X0Ku7Shx9cZTtdBQvBT0yNdiRBCA72grq9mbBn5w30
+pv1SwZo5Sw2Y0AH5r0U4oIE+l2HLUfAMZa7MdExmi/0
+-> ssh-rsa jPaU3Q
+yQ4L8WaeBIqJmXXnXiZAq0l0hwaWoIZDUsx1Yfu65CwkhNzxE3zC7qn8TG+/yz90
+jxv3qCwkCfKUA12R1JHJj4TAvDXgBw8Icd24M5KcXaCQGZdTGEhGSod1kHFDx30R
+J5xJ4a+kJRUGL2UOsXwFBM/7pk/gMgfPvY8kckc0jCXR4w6UxQ2g1T29uqGo17CP
+GVHnHW+Kckc34x7Szry9gLKORNlwXskfkAOhXRnoSoj6pMNiTi6qY36DJZtrO38b
+CBSx3xe5JzRn+/SwumV+lk5LG/7rqQYttffdIY/qkB322Yl5pJF8eglc/fOShbaM
+AgMsOSioE17Kp7dlWOVnYjhcFqPITUryfeCnOzmeWAK7FG1s4nErSw0X9sKn1fYr
+zXPnu/J+f862skfkgnJwUEe3hjzwEvnxNGPaTLCBluYeyKQs8L/veTMQkgEjAJKn
+/Gzoh/aYEiYgSFsAid9jteup5jNhQS+j7jvF+zjlKgWaQ8k6IcqVK8p2fd8NQ47Y
+
+--- KeyAgC1N1Th+hPkr7kT2b5tk+yd+oN8z7MbVtzHTQHE
+3†n”)õ‹Ã¤„%ý<>(…'šR?e5ˆO¬´ÁQï®Ç<C2AE>˜Ã7<çèMd«H€õ<E282AC>rË0ÔyhlÔÔõ¸E…G{ì˜·ÇŠÝßÇŒã”°®;™³tEp»éy÷¿Oãbm1<14>Ý°}®Ê‹éÈHž=·ÌÎ±[ß
--- a/hosts/cube/nextcloud/default.nix
+++ b/hosts/cube/nextcloud/default.nix
@ -1,19 +1,49 @@
- { config, lib, ulib, pkgs, ... }: with ulib;
+ { config, lib, pkgs, ... }: with lib;

 let
  inherit (config.networking) domain;

  fqdn = "cloud.${domain}";
-in serverSystemConfiguration {
-  age.secrets."hosts/cube/nextcloud/password" = {
+
+  prometheusPort = 9060;
+
+  nextcloudPackage = pkgs.nextcloud28;
+in systemConfiguration {
+  secrets.nextcloudPassword = {
    file  = ./password.age;
    owner = "nextcloud";
  };
+  secrets.nextcloudExporterPassword = {
+    file  = ./password.age;
+    owner = "nextcloud-exporter";
+  };
+
+  services.prometheus = {
+    exporters.nextcloud = enabled {
+      listenAddress = "[::1]";
+      port          = prometheusPort;
+
+      username     = "admin";
+      url          = "https://${fqdn}";
+      passwordFile = config.secrets.nextcloudExporterPassword.path;
+    };
+
+    scrapeConfigs = [{
+      job_name = "nextcloud";
+
+      static_configs = [{
+        labels.job = "nextcloud";
+        targets    = [
+          "[::1]:${toString prometheusPort}"
+        ];
+      }];
+    }];
+  };

  services.postgresql = {
    ensureDatabases = [ "nextcloud" ];
    ensureUsers     = [{
-      name = "nextcloud";
+      name              = "nextcloud";
      ensureDBOwnership = true;
    }];
  };
@ -22,7 +52,7 @@ in serverSystemConfiguration {
    after    = [ "postgresql.service" ];
    requires = [ "postgresql.service" ];

-    script = lib.mkAfter ''
+    script = mkAfter ''
      nextcloud-occ theming:config name "RGBCube's Depot"
      nextcloud-occ theming:config slogan "RGBCube's storage of insignificant data."

@ -34,7 +64,7 @@ in serverSystemConfiguration {
  };

  services.nextcloud = enabled {
-    package  = pkgs.nextcloud28;
+    package  = nextcloudPackage;

    hostName = fqdn;
    https    = true;
@ -42,7 +72,7 @@ in serverSystemConfiguration {
    configureRedis = true;

    config.adminuser     = "admin";
-    config.adminpassFile = config.age.secrets."hosts/cube/nextcloud/password".path;
+    config.adminpassFile = config.secrets.nextcloudPassword.path;

    config.dbhost = "/run/postgresql";
    config.dbtype = "pgsql";
@ -50,7 +80,7 @@ in serverSystemConfiguration {
    settings = {
      default_phone_region = "TR";

-      mail_smtphost     = "::";
+      mail_smtphost     = "::1";
      mail_smtpmode     = "sendmail";
      mail_from_address = "cloud";
    };
@ -76,16 +106,15 @@ in serverSystemConfiguration {

    extraAppsEnable = true;
    extraApps       = {
-      inherit (config.services.nextcloud.package.packages.apps)
+      inherit (nextcloudPackage.packages.apps)
        bookmarks calendar contacts deck
-        forms groupfolders impersonate
-        mail maps notes phonetrack
-        polls previewgenerator tasks;
+        forms groupfolders impersonate mail
+        maps notes polls previewgenerator tasks;
        # Add: files_markdown files_texteditor memories news
    };

    nginx.recommendedHttpHeaders = true;
  };

-  services.nginx.virtualHosts.${fqdn} = sslTemplate domain;
+  services.nginx.virtualHosts.${fqdn} = config.sslTemplate;
 }
--- a/hosts/cube/nextcloud/password.age
+++ b/hosts/cube/nextcloud/password.age
@ -1,5 +1,15 @@
 age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw 3QOn//uIWJTnBEVz3bn3s3yQlAeGDCynaJ4C+2Zi8iE
-AsPa4woWILuLVS0bvkLBddda9mQqJ9CS1hkWwhNrLg8
--- 7XNX3eRRei1LrcRiQSLgHJ0OkYt145uDVq+gtN/A9tk
-\õ˜²KD r.'Q…î‰ø°ü<C2B0>¦”¡DöÕML3óIš•Çû½3ðì
+-> ssh-ed25519 +rZ0Tw HGa+kmHedio/tQYp0ZuMCMjdEOtETkioVoRf0a5pkkY
+OoAFxkLB8pSADTgUcCwdqInYwF83//28Cza8jblQzaU
+-> ssh-rsa jPaU3Q
+W1fQyikhppgQKqASdAuKX2tpDrNgdXhe5LD1KjPuocTUa3sS+DM9UYf8Ap/uNDlA
+V481pDnrzO9c7lwP/HzUU4O2cm5APbT+Ho0kF1B+W4T3DiXt4/pvzxcufApoloY5
+bM7l3eH4gsp6Buiqr0EowZ48KNi9wW4OXxqjVRSCbyyfygEAl80zT8QP1/cF7A4q
+JwHVM6oyGLwLkfXrdLdxQw9T1Q/5wTCePBfzNzCE6XhmL48Hb1vKXnOwTpobVb1v
+Dn0FuD7GvhkgV06sd34sN6YO90lJAgPKvE0up2gIHG2FEJK0Pt8Er+SFJ5gag+W6
+fNZ/0P3lT/sB1WSWNn5w4nzmCU5VhxdJf+8hkdRwYqnGoE29YJXT/vW8PX4qFDGf
++0HDup6FHFp4VZf6NwVI/Ua68IfyX53Y7iAeLvMiSF/SK5b4KezR0oTRd88t6x+
+qA/iv9wcV5z2qDXaVyitcREpC+bwvF7HdI+qmFIl9i5oMFv+pSoxuQRrTtAoBwup
+
+--- TsR5Ga8FM1YlCiUXVghF3MoWq9jvAo4/2g8IvOrBMCg
+„NÐyÌjÆã¦©ÝÞu2àÒƒp£™ÅB,0l<Mð¨›Î<E280BA>Õ²¯{Ôðƒ
--- a/hosts/cube/nginx.nix
+++ b/hosts/cube/nginx.nix
@ -1,12 +1,17 @@
-{ config, ulib, pkgs, ... }: with ulib;
+{ lib, pkgs, ... }: with lib;

-serverSystemConfiguration {
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-  networking.firewall.allowedUDPPorts = [ 443 ];
+let
+  prometheusPort = 9030;
+in systemConfiguration {
+  networking.firewall = {
+    allowedTCPPorts = [ 443 80 ];
+    allowedUDPPorts = [ 443 ];
+  };

  services.prometheus = {
    exporters.nginx = enabled {
-      port = 9030;
+      listenAddress = "[::1]";
+      port          = prometheusPort;
    };

    scrapeConfigs = [{
@ -14,7 +19,7 @@ serverSystemConfiguration {

      static_configs = [{
        labels.job = "nginx";
-        targets    = [ "[::]:${toString config.services.prometheus.exporters.nginx.port}" ];
+        targets    = [ "[::1]:${toString prometheusPort}" ];
      }];
    }];
  };
--- a/hosts/cube/password.rgb.age
+++ b/hosts/cube/password.rgb.age
@ -1,5 +1,16 @@
 age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw 5+B9syGilyIjTRiIbR/tQqIRZ5ZUax8gOIZR62lYGhw
-vTzxsGNvqnZKGkDHy2+gyIIPqLXZltVBzwEQ5HeuLO0
--- eRFepEnDGHeb96HOq0kZOvILnQlL/WCf8fnVJbFHP8w
-iaõþëo'DÝÌ—êc[‰º\;m/¤ÖëKÝ‚Éù€ªðsÒê0óñ rð½û)Vàöh}–¬™Ïxhðâzq¡A}w¢ÚDª—Ù«V÷×P1jÛ›Ó%ÁµJ-
+-> ssh-ed25519 +rZ0Tw AMjDOXqRZGRFrMUIlDdqbSkwXuDSwg+0I7WLgYOnqAU
+awL2vueTU9BIRVBcvWQOtV3xoqC8BCrePg/D/FHtz28
+-> ssh-rsa jPaU3Q
+wIBOZFIsnXTf0fC3u2EOBdx4WSRefY3rcvG1pjwhUhpkSYc0E9U0EgZHFvfIk2kD
+uJUxtob3X45oJtM+8IS5vPrOHJMg8HFUJ/8h8uLJ8Jv2MTZvLeIxg5eFZBtXXR3m
+pR8gY0jCTzzrRjwVvF6RHYYFtdVtAKJ9ikI7Y/Q6UKI0Qk5jWBcAVBW0fkW4BM9i
+qj0fzByXXnzORePvFItlh8JXI07L8lUgt5cPOtMnoAXZDQRvzTAbHiigHYZZKDgl
+s0rw+CZ/lbUm9fvjPdGSOZ2v8Xo147Gf0bUgHMdBpDbFHglBiW2SeP7+JJNV0M3q
+eLGgI/eMeBBoQVV/cTRkKZzeB2S7Gsh3ogSBFqmHa9nLEitzATcgW5xyVBN9YdnG
+ZDi0GcPbe0VzpGaLIiF+qSNtUjIgKQKFuMoMKT6lcSUUhDw6OK5YeliK7P6JOS30
+rlwsZcxGDEcvJp8lRFKal9Kkv6+0EOr4b3d2NLWe3Wdd5uCpVF3FusAdwgxW8VH+
+
+--- jLhThmnzFUBiv2G29RihvdYKXuk6b7JLWyPC+quwX8w
+ŻąeäČ*‚V71ůFňpáŚćŁvĹPE_uś‘š‹<C5A1>â¦GŞ<útë¨%ľĹŇôŕ@<40>/f^“ËxĎŚş<C59A>7*Ňř`YłčFNĆ0™Ŕ•N¬ÜR<08>¤“e<E2809C> N<C2A0>~xĄYĎőˇ(<28>˛úň
+ˇaWŹ
--- a/hosts/cube/podman.nix
+++ b/hosts/cube/podman.nix
@ -1,9 +1,9 @@
-{ ulib, ... }: with ulib;
+{ lib, ... }: with lib;

-serverSystemConfiguration {
+systemConfiguration {
  virtualisation.podman = enabled {
    dockerCompat = true;
-    dockerSocket = enabled {};
+    dockerSocket = enabled;

    defaultNetwork.settings.dns_enabled = true;

--- a/hosts/cube/postgresql.nix
+++ b/hosts/cube/postgresql.nix
@ -1,9 +1,12 @@
-{ config, lib, ulib, pkgs, ... }: with ulib; merge
+{ lib, pkgs, ... }: with lib; merge

-(serverSystemConfiguration {
+(let
+  prometheusPort = 9020;
+in systemConfiguration {
  services.prometheus = {
    exporters.postgres = enabled {
-      port                = 9020;
+      listenAddress       = "[::1]";
+      port                = prometheusPort;
      runAsLocalSuperUser = true;
    };

@ -12,7 +15,7 @@

      static_configs = [{
        labels.job = "postgres";
-        targets    = [ "[::]:${toString config.services.prometheus.exporters.postgres.port}" ];
+        targets    = [ "[::1]:${toString prometheusPort}" ];
      }];
    }];
  };
@ -22,7 +25,7 @@

    initdbArgs = [ "--locale=C" "--encoding=UTF8" ];

-    authentication = lib.mkOverride 10 ''
+    authentication = mkOverride 10 ''
    # Type  Database DBUser Authentication IdentMap
      local sameuser all    peer           map=superuser_map
    '';
@ -58,7 +61,7 @@
    ];

    settings = {
-      listen_addresses = lib.mkForce "";
+      listen_addresses = mkForce "";

      # https://pgconfigurator.cybertec.at/
      max_connections                = 100;
@ -118,6 +121,6 @@
  };
 })

-(serverSystemPackages (with pkgs; [
+(systemPackages (with pkgs; [
  postgresql
 ]))
--- a/hosts/cube/prometheus.nix
+++ b/hosts/cube/prometheus.nix
@ -1,11 +1,15 @@
-{ config, ulib, ... }: with ulib;
+{ lib, ... }: with lib;

-serverSystemConfiguration {
+let
+  port = 9000;
+
+  nodeExporterPort = 9010;
+in systemConfiguration {
  services.grafana.provision.datasources.settings = {
    datasources = [{
      name = "Prometheus";
      type = "prometheus";
-      url  = "http://[::]:${toString config.services.prometheus.port}";
+      url  = "http://[::1]:${toString port}";

      orgId = 1;
    }];
@ -17,12 +21,14 @@ serverSystemConfiguration {
  };

  services.prometheus = enabled {
-    port          = 9000;
+    inherit port;
+
    retentionTime = "1w";

    exporters.node = enabled {
      enabledCollectors = [ "processes" "systemd" ];
-      port              = 9010;
+      listenAddress     = "[::1]";
+      port              = nodeExporterPort;
    };

    scrapeConfigs = [{
@ -30,7 +36,7 @@ serverSystemConfiguration {

      static_configs = [{
        labels.job = "node";
-        targets    = [ "[::]:${toString config.services.prometheus.exporters.node.port}" ];
+        targets    = [ "[::1]:${toString nodeExporterPort}" ];
      }];
    }];
  };
--- a/hosts/cube/site.nix
+++ b/hosts/cube/site.nix
@ -1,52 +1,54 @@
-{ config, ulib, ... }: with ulib;
+{ config, lib, ... }: with lib;

 let
  inherit (config.networking) domain;

-  path = "/var/www/site";
+  sitePath = "/var/www/site";

  notFoundLocationConfig = {
-    extraConfig                         = "error_page 404 /404.html;";
-    locations."= /404.html".extraConfig = "internal;";
+    extraConfig                  = "error_page 404 /404.html;";
+    locations."/404".extraConfig = "internal;";
  };
-in serverSystemConfiguration {
-  services.nginx.appendHttpConfig = ''
-    map $http_origin $allow_origin {
-      ~^https://.+\.rgbcu.be$ $http_origin;
-    }
-
-    map $http_origin $allow_methods {
-      ~^https://.+\.rgbcu.be$ "GET, HEAD, OPTIONS";
-    }
-  '';
-
-  services.nginx.virtualHosts.${domain} = ulib.recursiveUpdateAll [ (sslTemplate domain) notFoundLocationConfig {
-    root = "${path}";
-
-    locations."/".tryFiles = "$uri $uri.html $uri/index.html =404";
-
-    locations."/assets/".extraConfig = ''
-      add_header Access-Control-Allow-Origin $allow_origin;
-      add_header Access-Control-Allow-Methods $allow_methods;
-
-      if ($request_method = OPTIONS) {
-        add_header Content-Type text/plain;
-        add_header Content-Length 0;
-        return 204;
+in systemConfiguration {
+  services.nginx = enabled {
+    appendHttpConfig = ''
+      map $http_origin $allow_origin {
+        ~^https://.+\.rgbcu.be$ $http_origin;
      }

-      expires 24h;
+      map $http_origin $allow_methods {
+        ~^https://.+\.rgbcu.be$ "GET, HEAD, OPTIONS";
+      }
    '';
-  }];

-  services.nginx.virtualHosts."www.${domain}" = (sslTemplate domain) // {
-    locations."/".extraConfig = "return 301 https://${domain}$request_uri;";
+    virtualHosts.${domain} = merge config.sslTemplate notFoundLocationConfig {
+      root = sitePath;
+
+      locations."/".tryFiles = "$uri $uri.html $uri/index.html =404";
+
+      locations."/assets/".extraConfig = ''
+        add_header Access-Control-Allow-Origin $allow_origin;
+        add_header Access-Control-Allow-Methods $allow_methods;
+
+        if ($request_method = OPTIONS) {
+          add_header Content-Type text/plain;
+          add_header Content-Length 0;
+          return 204;
+        }
+
+        expires 24h;
+      '';
+    };
+
+    virtualHosts."www.${domain}" = merge config.sslTemplate {
+      locations."/".extraConfig = "return 301 https://${domain}$request_uri;";
+    };
+
+    virtualHosts._ = merge config.sslTemplate notFoundLocationConfig {
+      root = sitePath;
+
+      locations."/".extraConfig        = "return 404;";
+      locations."/assets/".extraConfig = "return 301 https://${domain}$request_uri;";
+    };
  };
-
-  services.nginx.virtualHosts._ = ulib.recursiveUpdateAll [ (sslTemplate domain) notFoundLocationConfig {
-    root = "${path}";
-
-    locations."/".extraConfig = "return 404;";
-    locations."/assets/".extraConfig = "return 301 https://${domain}$request_uri;";
-  }];
 }
--- a/hosts/disk/default.nix
+++ b/hosts/disk/default.nix
@ -0,0 +1,41 @@
+{ config, lib, keys, ... }: with lib; merge
+
+(systemConfiguration {
+  system.stateVersion  = "23.11";
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  networking.domain = "rgbcu.be";
+
+  secrets.floppyPassword.file  = ./password.floppy.age;
+
+  users.users = {
+    root.hashedPasswordFile = config.secrets.floppyPassword.path;
+
+    floppy = sudoUser {
+      description                 = "Floppy";
+      openssh.authorizedKeys.keys = [ keys.enka ];
+      hashedPasswordFile          = config.secrets.floppyPassword.path;
+    };
+  };
+
+  networking = {
+    defaultGateway  = "23.164.232.1";
+    defaultGateway6 = "2602:f9f7::1";
+
+    interfaces.ens32 = {
+      ipv4.addresses = [{
+        address      = "23.164.232.40";
+        prefixLength = 25;
+      }];
+
+      ipv6.addresses = [{
+        address      = "2602:f9f7::40";
+        prefixLength = 64;
+      }];
+    };
+  };
+})
+
+(homeConfiguration {
+  home.stateVersion = "23.11";
+})
--- a/hosts/disk/hardware.nix
+++ b/hosts/disk/hardware.nix
@ -0,0 +1,27 @@
+{ config, lib, ... }: with lib;
+
+systemConfiguration {
+  boot.loader = {
+    systemd-boot = enabled {
+      editor = false;
+    };
+
+    efi.canTouchEfiVariables = true;
+  };
+
+  boot.initrd.availableKernelModules = [ "ahci" "ata_piix" "nvme" "sr_mod" ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/root";
+    fsType = "ext4";
+  };
+
+  fileSystems.${config.boot.loader.efi.efiSysMountPoint} = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "vfat";
+  };
+
+  swapDevices = [{
+    device = "/dev/disk/by-label/swap";
+  }];
+}
--- a/hosts/disk/password.floppy.age
+++ b/hosts/disk/password.floppy.age
--- a/hosts/disk/site6.nix
+++ b/hosts/disk/site6.nix
@ -0,0 +1,9 @@
+{ self, lib, ... }: with lib;
+
+systemConfiguration {
+  imports = [
+    (self + /hosts/cube/acme.nix)
+    (self + /hosts/cube/nginx.nix)
+    (self + /hosts/cube/site.nix)
+  ];
+} 
--- a/hosts/enka/default.nix
+++ b/hosts/enka/default.nix
@ -1,4 +1,4 @@
-{ config, ulib, ... }: with ulib; merge
+{ config, lib, ... }: with lib; merge

 (systemConfiguration {
  system.stateVersion  = "23.05";
@ -6,26 +6,23 @@

  time.timeZone = "Europe/Istanbul";

-  age.secrets."hosts/enka/password.said".file  = ./password.said.age;
-  age.secrets."hosts/enka/password.orhan".file = ./password.orhan.age;
-
-  users.users.root.hashedPasswordFile = config.age.secrets."hosts/enka/password.said".path;
-
-  users.users.said = graphicalUser {
-    description        = "Said";
-    extraGroups        = [ "wheel" ];
-    hashedPasswordFile = config.age.secrets."hosts/enka/password.said".path;
-    uid                = 1000;
+  secrets = {
+    orhanPassword.file = ./password.orhan.age;
+    saidPassword.file  = ./password.said.age;
  };

-  users.users.orhan = graphicalUser {
-    description        = "Orhan";
-    hashedPasswordFile = config.age.secrets."hosts/enka/password.orhan".path;
-    uid                = 1001;
-  };
+  users.users = {
+    root.hashedPasswordFile = config.secrets.saidPassword.path;

-  networking.firewall = enabled {
-    allowedTCPPorts = [ 8080 ];
+    orhan = desktopUser {
+      description        = "Orhan";
+      hashedPasswordFile = config.secrets.orhanPassword.path;
+    };
+
+    said = sudoUser (desktopUser {
+      description        = "Said";
+      hashedPasswordFile = config.secrets.saidPassword.path;
+    });
  };
 })

--- a/hosts/enka/hardware.nix
+++ b/hosts/enka/hardware.nix
@ -1,10 +1,13 @@
-{ ulib, ... }: with ulib;
+{ config, lib, ... }: with lib;

-desktopSystemConfiguration {
+systemConfiguration {
  boot.loader = {
+    systemd-boot = enabled {
+      editor      = false;
+      consoleMode = "max";
+    };
+
    efi.canTouchEfiVariables = true;
-    systemd-boot.enable      = true;
-    systemd-boot.editor      = false;
  };

  boot.initrd.availableKernelModules = [
@ -20,14 +23,14 @@ desktopSystemConfiguration {
    fsType = "btrfs";
  };

-  fileSystems."/boot" = {
+  fileSystems.${config.boot.loader.efi.efiSysMountPoint} = {
    device = "/dev/disk/by-label/boot";
    fsType = "vfat";
  };

-  swapDevices = [
-    { device = "/dev/disk/by-label/swap"; }
-  ];
+  swapDevices = [{
+    device = "/dev/disk/by-label/swap";
+  }];

  hardware.enableAllFirmware         = true;
  hardware.cpu.intel.updateMicrocode = true;
--- a/hosts/enka/password.orhan.age
+++ b/hosts/enka/password.orhan.age
@ -1,13 +1,13 @@
 age-encryption.org/v1
 -> ssh-rsa jPaU3Q
-M19jE1+l5CGuAbWy3AAhJcVtW9E1b8al9rgjSJ26ESewP5fipabiW8/KEA6QowU4
-NbFFu9Za0Sqo2ly5AS7kubYROCYQE238cZgMfVG15nFmIP1s3MY8hNZFaeJdjYJW
-W8SLTddBA5xWBzfNH2ZtW7KBICMgl5+mKAj35pB6qxcZjj274llFy8d8Xs0UsyDW
-4exLZdzbgCXC5JXVgZpOR0Ou0AdJPtHIxYmkaS+gjkr45fSo3XGSepxRw+SOlkV/
-0kQgyw5KPPNZZ9wXo89P4zponyWNqQCKPaxXbGJl44mKBXLxFSvCPjjuAZ7cZ+xn
-vd2ZcwztgLV84JT5pSJbUwjo6a5GrzOJ3/frxYgG4MK5foM8iyZ6cHFpNVeyOx/b
-IhfCdFc71+c+hfLpa1OETlKYEVYHDQ/nuAELAy81bfEa8OL1yh8q75gJZukgwWX8
-QEJLzwsN/496uBbFwwjj05R4feu35Iql1XLqOrTaixUA6uSdWjsnJscENFpchfzI
+Ra86YZeGq1g0NlPLVj/mdqFDp/SZQHL/CDJ3SaFTYtmfUqSER/hXOz7X5wqOZ+Yf
+SC0DUxrAaPobkuK9QMayBNmwB8Rq/cGXOb/vKmT5PnLpqNVu0ggIoaO+ZTEiUG8g
+ATdjUU+xPQpOCkk7wsdW4AzW1G4bOAS7AXFipfU+BhVtLzGziDJ6Uuglvt0ussku
+FHdIaD3AJcQQ1/kMdYtiLPQUaGdBnuUqOLzcoAgsp+4SDMHXKfuvyO7EsOaGVCc1
+RmCwWZ7UqQdwsn2pXUoAXOlhr3QdjiDTcBd6nVbxWCxy/GBpHgD4ffyMrF+Xv48n
+fyX9dMhb4AAz6kAN+/7g/WNHuv0kRCjggHCcd9BhRvrZKGBs7h1B6OvUcREDxVr8
+45QpKo2bpQqPBUJPlZXuHRWiQrInGJJHdA2JU1VBGJMnIumVrUCGeJSnBP3Ui46z
+GXIqHhgUYvBLXH0eLaHH17fx7ytWez88dDL8wwaHzL8AEtN+/XPFU7kNEU97QZJo

--- 06pUnwHPhIIgovnUcakwOCjfK5Et4twJF8NChBf3G9o
-
àçg–0FÓ»ÄÍ±õ*¯›’ŠŽUö;¢ÄÇÍGK½sÏqH-ÞŒ-Mí«
v%Ç ¾o÷ºjdOx¸çCkìëÞÕÌçJrº‹ªeÑn±:ÿKãBÓMœ7’
+--- RNDo4JKbsihikrIB+cxCXuDCbvd2BqdIEKfLsBplLsI
+<EFBFBD>~59\<5C>[{ZV7J2<<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><C295><EFBFBD>!U<>ID<49><44><EFBFBD><EFBFBD><EFBFBD><H!<21>s<EFBFBD>L<><4C><EFBFBD><02>R<EFBFBD>[()<29>V<EFBFBD>ja<6A>s<EFBFBD><73><EFBFBD><EFBFBD>><3E>><3E>GGT<47>*<2A><>JAI1:zx
<0A><>ͺ?<3F><>t<EFBFBD>
--- a/hosts/enka/password.said.age
+++ b/hosts/enka/password.said.age
@ -1,13 +1,13 @@
 age-encryption.org/v1
 -> ssh-rsa jPaU3Q
-fNM8bL9QB/wvgB+MZOfWXDrPMCc/2bs3B5t1xgXe/Z6I0HXcnL/G1ipebvth/+Mr
-Wv6bMPgPPwrxvWaoC84PHTclp8kqsipTYO4r40cB5F7Yyq+oBOHlm3Kd1SGSPQQn
-FPCA0BxFhYQuHtQuqEdoMRZ5YxgoxWoso1gAAMzcnhac9HVK595F4HITpYzs453Q
-UTW+c1UigqvI70YNKo2jNSqAwJh2rA4EP/ivz5Y0fOv/WD8TpygbFdbFhvLZ4rBS
-NveQrMJcha/KArzu5cxYuQq+vF7ckGmPygGSMGkXCbb66ET8Mj/daBhfPfZ+nC+v
-eaBOlAJ4y+jUwajn3PlWelOjUTNoDHdp8I/xHtJs1avmlWhv8pdA/vR/61C0mApd
-39uzl2XsnvKQkqlE2CD618h1xsmXk9RDxzUzDuejO0Kv1Of7+SsR1Swk7IKaJQpB
-SzAfBCtnJxRsTIDVcBvqtb1cJiBgJt5/FFN8IGa9C0Hf3lFvB8qqR2BlwijhfGi/
+u3Kl4BwfKKxIk1ASkkOeEBOFbusd/hYapO/Ab78sc0ufOIJvso7rXgK8pjIoKhlD
+FLJ6kD8m+z79MDJU5o0UdqAEvzT/O5vUAxVI1XWGdDliSAzEQkaLDtz/Hhg8wlel
+9l/oCaV5cEB/3JXPI++4Ck+TaZ61+DGcfkQFXBGFITQyQOcErfGP54KyYeMPPKH6
+XB57IahfwK1G9DaIhGxHni328H1d4xmoWobEOS+RalIW9Yc+oJBTw5LEJZpgt8+t
+HUQ5x1kKRqqIgZYSuyTV33LI4JxiXpJgPSQIUyUFHCN+0tkshaOa6VjZvIxX+LKi
+ZUgAsWTkA/nfpQqX9zOpyhTN1cVR8xUptZWIFlSeu2W9O6xjirOSo6+3574ANrD4
+pvUQe+VEV+U7ePnx81YS9BhESQ8lmqUlaX1d8uGHSWas5DjE8Kcaa6K9k9ab7u9q
+mh+g2b/P2w2lVRgrcUyqn2S/coEzaHgskx8fyV23w4BbMefoHWdmsNwGhIew8Uhr

--- JmxH14QpQiLryhESgYyK4H7fpol168CbjecUwfnRFRM
-bd!<&Š¦<C5A0>-1e³ƒs”Äƒ¼{OqóG¡~Çû.c¸Šm‰u!Õ$(!/Ää¾aš§§æ´svz¡áw6ãCü¾êE2¢÷>ñ.xBÞb=€ËÿºÔ<C2BA>gjÎ<xàáýN
+--- C4f6KVF7Y1hMY+aD+qNTbMeGj9CJ2K5nMkJAzib7QHE
+iäH)‰9f*âêµgbd\À)/A2Vc·îø´¼¬Tÿ'Õü/»Ò£`Ó½Æ¿¾Èh<C388>GÓºåÜ©<19>{¤hÈ££ulêµ]…f9àú	1^ø‹.¾‘C·aYS
--- a/hosts/password.acme.age
+++ b/hosts/password.acme.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw jXnHlBEI/Soqpgq1ivfJHfyG1Vu6587MRmsiiY/s3Gc
+PzOumPaUFNwlkD0e0c9ES7Ix1RGsdnqRKgHPBKpIGuc
+-> ssh-ed25519 spFFQA wGPxs3a6og3Hjx5a/EHY8cRoFCGHDu9Ce3BH87FwiEc
+X3FdpYD1OftG9xaFzQ3mlvZkQPn4AQmCqfB/6KnCVvE
+-> ssh-rsa jPaU3Q
+WfcscVagmu1lL48CmP+QLrswXBJVGqMvBpOGbIDDbMXXXGQhuDhKX3f/j35ThUeq
+snuV+Nz7Fs4y0RRYlZ5ieWbCV3Xa/TaEA1TfoQD4GMZreX7Fn+w4AhfiPFrc9sUV
+ZGpfIxBx2HSkV36c0iLS4Vp14wTYJzrY3gJuldMbHLY9tLD0AVF2EJ456WI4KE0v
+XpyvdH37BXwpUrWMk7dGvLS0CnQjGBceRcaWaTU93izFO2GiwE0Vk2nRO9EOxaw/
+M08VC7LvAm9Uj4iAJonfnCIf4KdrDlwbBkjDA0FPl2Wg3dOo1/qgGYuMi8wzcuYF
+OLbh5kQAcOZ/3QsWnhEd8Vf1BVaQyE/hhelj1R0ZJDB3CeVLdzTlg/MFKUOC9SPw
+5znm8ELiQziBariOgGmvAwCYt3O4Wpp7UqWjlnyPBWp94Q6teaj7PuIQ0OCuixPZ
+QQikdfG0u0FgXK0fQAmO7/UChbKcrq+xEb84NUd0WiH0t+GTuMq0CpRSg9B1fE0r
+
+--- iJOaeMlcZ5LkNlwPuRdcpyzARZpDxQB0Mn73JKZLCyM
+ÜKŠ`Úº€ìÕ^HZL¹úèûù|îfTºß†öÃ€‰Ö¢E_ô%Êó?œšk¡'ÆùÐî<C390>ZT&YÎ^¥‹áPA•¿~Ú÷ŸÜ	Æ<>·*tÓ•ÝW˜/›Pïh©¯h‡MðšÔØþEAÑHs¨Î^ÖOÉÆ!žèõŒ±HÜJƒ~¸'g¿9ÑHTIŒO"I§GÆ;][¡¨²ç…_T}SÆ5‹eîG<C3AE>×®ìg•=]ËbK HQ°QáóXS ¢Î•(Z’XÂÏ¶Ž%}OØ: