diff --git a/home-manager/modules/common.nix b/home-manager/modules/common.nix index 69bffda..de2739c 100644 --- a/home-manager/modules/common.nix +++ b/home-manager/modules/common.nix @@ -26,6 +26,7 @@ home.packages = with pkgs; [ + attic-client ncdu minio-client diff --git a/home-manager/modules/ssh.nix b/home-manager/modules/ssh.nix index da190ff..e7fb17a 100644 --- a/home-manager/modules/ssh.nix +++ b/home-manager/modules/ssh.nix @@ -51,6 +51,12 @@ user = "root"; identityFile = "/home/gwg313/.ssh/colmena/id_ed25519"; }; + + "vault-tec" = { + hostname = "10.1.10.13"; + user = "root"; + identityFile = "/home/gwg313/.ssh/colmena/id_ed25519"; + }; }; }; } diff --git a/hosts/vault-tec/attic.nix b/hosts/vault-tec/attic.nix new file mode 100644 index 0000000..6d35bea --- /dev/null +++ b/hosts/vault-tec/attic.nix 
@@ -0,0 +1,73 @@
+{ config, ... }:
+{
+ users.users.atticd = {
+ isSystemUser = true;
+ group = "atticd";
+ };
+ users.groups.atticd = { };
+ sops.secrets.attic-access-key = { };
+ sops.secrets.attic-secret-key = { };
+ sops.secrets.attic-jwt-secret = { };
+
+ sops.templates."atticd.env" = {
+ content = ''
+ # AWS_ACCESS_KEY_ID=${config.sops.placeholder."attic-access-key"}
+ # AWS_SECRET_ACCESS_KEY=${config.sops.placeholder."attic-secret-key"}
+ ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64=${config.sops.placeholder."attic-jwt-secret"}
+ '';
+ path = "/etc/atticd.env";
+ owner = "atticd";
+ group = "atticd";
+ mode = "0400";
+ };
+
+ # Load it in systemd
+ systemd.services.atticd.serviceConfig = {
+ EnvironmentFile = "/etc/atticd.env";
+ };
+ services.atticd = {
+ enable = true;
+
+ # Replace with absolute path to your environment file
+ environmentFile = "/etc/atticd.env";
+
+ settings = {
+ listen = "127.0.0.1:8080";
+
+ jwt = { };
+ storage = {
+ type = "local";
+ path = "/cache";
+ };
+ # storage = {
+ # type = "s3";
+ # region = "us-east-1";
+ # bucket = "attic-cache";
+ # endpoint = "https://s3.gwg313.xyz";
+ # };
+
+ # Data chunking
+ #
+ # Warning: If you change any of the values here, it will be
+ # difficult to reuse existing chunks for newly-uploaded NARs
+ # since the cutpoints will be different. As a result, the
+ # deduplication ratio will suffer for a while after the change.
+ chunking = {
+ # The minimum NAR size to trigger chunking
+ #
+ # If 0, chunking is disabled entirely for newly-uploaded NARs.
+ # If 1, all NARs are chunked.
+ nar-size-threshold = 64 * 1024; # 64 KiB
+
+ # The preferred minimum size of a chunk, in bytes
+ min-size = 16 * 1024; # 16 KiB
+
+ # The preferred average size of a chunk, in bytes
+ avg-size = 64 * 1024; # 64 KiB
+
+ # The preferred maximum size of a chunk, in bytes
+ max-size = 256 * 1024; # 256 KiB
+ };
+ };
+ };
+}
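Review bot: The two `# AWS_...` lines in `sops.templates."atticd.env".content` are inside the `''` string, so they are not Nix comments: both placeholders are still substituted and the S3 access key and secret key end up in `/etc/atticd.env` even though `storage.type` is `"local"`. Remove those two lines, and the `attic-access-key` / `attic-secret-key` declarations with them, until the S3 backend is actually enabled, so that only `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64` is written to disk. The same file is also wired in twice, through `systemd.services.atticd.serviceConfig.EnvironmentFile` and through `services.atticd.environmentFile`; keeping only the module option, set to `config.sops.templates."atticd.env".path`, avoids the hard-coded path and what is probably a duplicate unit entry.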
diff --git a/hosts/vault-tec/cache.nix b/hosts/vault-tec/cache.nix
new file mode 100644
index 0000000..59a1f0a
--- /dev/null
+++ b/hosts/vault-tec/cache.nix
@@ -0,0 +1,15 @@
+{
+ atticCacheName ? "mycache",
+ cacheURLs ? [
+ "http://attic.lan:8080"
+ "http://attic.zt:8080"
+ ],
+}:
+{
+ nix.settings = {
+ substituters = map (url: "${url}/${atticCacheName}") cacheURLs;
+ trusted-public-keys = [
+ "${atticCacheName}:AbCdEfGhIjKlMnOpQrStUvWxYz1234567890="
+ ];
+ };
+}
diff --git a/hosts/vault-tec/configuration.nix b/hosts/vault-tec/configuration.nix
new file mode 100644
index 0000000..783a8af
--- /dev/null
+++ b/hosts/vault-tec/configuration.nix
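Review bot: The value in `trusted-public-keys` looks like a placeholder (`AbCdEfGh…1234567890=`) rather than the cache's real signing key, so paths fetched from this cache would fail signature verification. Replace it with the public key that the Attic cache reports, and add a comment saying where the value comes from so it can be re-checked when the cache is recreated. The default `cacheURLs` are plain `http://` on port 8080, while attic.nix binds atticd to `127.0.0.1:8080` and routes.nix publishes it over TLS at `cache.gwg313.xyz`, so these defaults probably do not reach the service; `"https://cache.gwg313.xyz"` would match the rest of the commit. No file in this commit imports cache.nix, so it is unclear how the function arguments are meant to be supplied.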
@@ -0,0 +1,115 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+ config,
+ pkgs,
+ lib,
+ inputs,
+ ...
+}:
+{
+ # sops
+ sops = {
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+ age.keyFile = "/home/gwg313/.config/sops/age/keys.txt";
+ };
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ../../common/nixos/ssh/default.nix
+ inputs.sops-nix.nixosModules.sops
+ ./traefik.nix
+ ./attic.nix
+ ];
+
+ ssh.enable = true;
+ ssh_guard.enable = true;
+ ssh_client.enable = false;
+ services.openssh.authorizedKeysFiles = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvOfDSjlvegGqfUS18XwXB7SvS2n9/hGYUpKxRb9vgb gwg313@pm.me"
+ ];
+ services.openssh.settings = {
+ PermitRootLogin = lib.mkForce "yes";
+
+ AllowUsers = lib.mkForce [
+ "gwg313"
+ "root"
+ ];
+ };
+
+ users.users.gwg313 = {
+ isNormalUser = true;
+ description = "gwg313";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvOfDSjlvegGqfUS18XwXB7SvS2n9/hGYUpKxRb9vgb gwg313@pm.me"
+ ];
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ ];
+ packages = with pkgs; [ ];
+ };
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvOfDSjlvegGqfUS18XwXB7SvS2n9/hGYUpKxRb9vgb gwg313@pm.me"
+ ];
+ };
+ };
+
+ # Bootloader.
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "vault-tec"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+ # Enable networking
+ networking.networkmanager.enable = true;
+ # Set your time zone.
+ time.timeZone = "America/Toronto";
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_CA.UTF-8";
+ # Configure keymap in X11
+ services.xserver.xkb = {
+ layout = "us";
+ variant = "";
+ };
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ # wget
+ ];
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+ # List services that you want to enable:
+ # Enable the OpenSSH daemon.
+ # services.openssh.enable = true;
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.11"; # Did you read the comment?
+}
diff --git a/hosts/vault-tec/hardware-configuration.nix b/hosts/vault-tec/hardware-configuration.nix
new file mode 100644
index 0000000..823d691
--- /dev/null
+++ b/hosts/vault-tec/hardware-configuration.nix
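Review bot: `PermitRootLogin = lib.mkForce "yes"` in configuration.nix lets root log in with a password as well as a key, on a host that traefik.nix opens on ports 80 and 443. Root already gets an `openssh.authorizedKeys.keys` entry, so `PermitRootLogin = lib.mkForce "prohibit-password";` keeps key-based deploys working while refusing root password logins. Whether password authentication is turned off in `../../common/nixos/ssh/default.nix` is not visible in this commit. Separately, `services.openssh.authorizedKeysFiles` expects file paths but is given the public key string itself; the key is already set per user, so that assignment can be removed. `sops.age.keyFile` also points into `/home/gwg313/`, which ties the host's secret decryption to a file owned by an interactive user; a root-owned path would be the safer default.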
@@ -0,0 +1,63 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ + "ahci" + "xhci_pci" + "usb_storage" + "usbhid" + "ums_realtek" + "sd_mod" + "sdhci_pci" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/6e483d16-1ff2-46bf-9354-de38b2a9408b"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/9F91-DC0C"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + + fileSystems."/cache" = { + device = "/dev/disk/by-label/attic-cache"; + fsType = "ext4"; # or "xfs" + neededForBoot = false; + }; + + swapDevices = [ + { device = "/dev/disk/by-uuid/97f01621-992c-4af4-8646-15e13d9c2c66"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/vault-tec/routes.nix b/hosts/vault-tec/routes.nix new file mode 100644 index 0000000..020ae8b --- /dev/null +++ b/hosts/vault-tec/routes.nix 
@@ -0,0 +1,20 @@
+{
+ imports = [
+ ./services.nix
+ ];
+ services.traefik = {
+ dynamicConfigOptions = {
+ http = {
+ routers = {
+ attic_local = {
+ entryPoints = [ "websecure" ];
+ rule = "Host(`cache.gwg313.xyz`)";
+ service = "attic_local";
+ tls.certResolver = "le";
+ middlewares = [ "headers" ];
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/vault-tec/services.nix b/hosts/vault-tec/services.nix
new file mode 100644
index 0000000..7a159dd
--- /dev/null
+++ b/hosts/vault-tec/services.nix
@@ -0,0 +1,15 @@
+{
+ services.traefik = {
+ dynamicConfigOptions = {
+ http = {
+ services = {
+ attic_local.loadBalancer.servers = [
+ {
+ url = "http://127.0.0.1:8080";
+ }
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/vault-tec/traefik.nix b/hosts/vault-tec/traefik.nix
new file mode 100644
index 0000000..0b4feab
--- /dev/null
+++ b/hosts/vault-tec/traefik.nix
@@ -0,0 +1,140 @@
+# Traefik
+{ config, ... }:
+{
+ imports = [
+ ./routes.nix
+ ];
+ sops.secrets.cf-api-token = {
+ mode = "0440";
+ owner = config.users.users.traefik.name;
+ group = config.users.users.traefik.group;
+ };
+
+ systemd.services.traefik.environment = {
+ CF_DNS_API_TOKEN_FILE = "${config.sops.secrets.cf-api-token.path}";
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ serversTransport = {
+ insecureSkipVerify = true;
+ forwardingTimeouts = {
+ dialTimeout = "30s";
+ responseHeaderTimeout = "600s";
+ idleConnTimeout = "120s";
+ };
+ };
+ entryPoints = {
+ web = {
+ address = ":80";
+ http = {
+ redirections = {
+ entryPoint = {
+ to = "websecure";
+ scheme = "https";
+ };
+ };
+ };
+ };
+ websecure = {
+ address = ":443";
+ http = {
+ tls = {
+ options = "default";
+ };
+ };
+
+ transport = {
+ respondingTimeouts = {
+ readTimeout = 0;
+ };
+ };
+ };
+ };
+ api = {
+ dashboard = true;
+ };
+ certificatesResolvers = {
+ le = {
+ acme = {
+ email = "glen.goodwin@protonmail.com";
+ storage = "/var/lib/traefik/acme.json";
+ dnsChallenge = {
+ provider = "cloudflare";
+ resolvers = [ "1.1.1.1:53" ];
+ };
+ };
+ };
+ };
+ # log = {
+ # level = "DEBUG";
+ # filePath = "/var/log/traefik/traefik.log";
+ # };
+ #
+ # accessLog = {
+ # filePath = "/var/log/traefik/access.log";
+ # bufferingSize = 0;
+ # filters = {};
+ # fields = {
+ # defaultMode = "keep";
+ # names = {
+ # StartUTC = "drop";
+ # };
+ # };
+ # };
+ };
+ dynamicConfigOptions = {
+ http = {
+ routers = {
+ dashboard = {
+ rule = "Host(`monitor.local.gwg313.xyz`)";
+ service = "api@internal";
+ middlewares = [
+ # "auth"
+ "headers"
+ ];
+ entrypoints = [ "websecure" ];
+ tls = {
+ certResolver = "le";
+ };
+ };
+ };
+ middlewares = {
+ headers = {
+ headers = {
+ browserxssfilter = true;
+
+ contenttypenosniff = true;
+ customframeoptionsvalue = "SAMEORIGIN";
+ forcestsheader = true;
+ framedeny = true;
+ sslhost = "gwg313.xyz";
+ sslredirect = true;
+ stsincludesubdomains = true;
+ stspreload = true;
+ stsseconds = "315360000";
+ };
+ };
+ };
+ };
+ tls = {
+ options = {
+ default = {
+ minVersion = "VersionTLS13";
+ sniStrict = true;
+ curvePreferences = [
+ "CurveP521"
+ "CurveP384"
+ ];
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index a3daec3..31fd4e0 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
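Review bot: The `dashboard` router in traefik.nix serves `api@internal` on `websecure` with the `"auth"` middleware commented out, and no `auth` middleware is defined in this file, so the Traefik dashboard and API need no credentials while the same file opens ports 80 and 443 in the firewall. Define a basic-auth middleware backed by a sops secret and re-enable it on the router, as sketched below. secrets.yaml already carries a `basic-auth` entry, though whether it holds htpasswd-format data is not visible here. Also, `serversTransport.insecureSkipVerify = true` disables certificate verification for every HTTPS backend; the only backend in this commit is plain `http://127.0.0.1:8080`, so the setting can be dropped.

```nix
sops.secrets.basic-auth = {
  owner = config.users.users.traefik.name;
};
# … unchanged: cf-api-token secret, firewall, staticConfigOptions …
dashboard = {
  # … unchanged: rule, service …
  middlewares = [
    "auth"
    "headers"
  ];
  # … unchanged: entrypoints, tls …
};
# … unchanged: rest of routers …
middlewares = {
  auth.basicAuth.usersFile = config.sops.secrets.basic-auth.path;
  # … unchanged: headers middleware …
};
```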
@@ -4,6 +4,16 @@ cf-api-token: ENC[AES256_GCM,data:7FJtAEOdYnUpGqs5r3pNIkY+lsqn2wtRhyIGXD5G7in3U3 basic-auth: ENC[AES256_GCM,data:/YSAcTnyvM4sjj3cc46YwkXGeP3yG2MHctza+kDuRaNXb8ABMFofUHU6KuifTpsmUWwPQ4BPdamv+JC9ee8tsWRMxw==,iv:CUE70AISBOdYDLUXGAnIPT4t4tOugHWLlCLE6YxTkjM=,tag:MnyHoQCHaTbYjp/jrbWEcg==,type:str] grafana_user: ENC[AES256_GCM,data:EI0aavin,iv:tfkJ2pVyAgH+um+Wb1lgbvngcemdtMa+URXWV30yzBI=,tag:5VoyXtW3U+cuhHr0gPpOsg==,type:str] grafana_password: ENC[AES256_GCM,data:nock2uRcv29OHFRJ,iv:bXrGrTZrGMXLEVn8jWuhoOyfDY/Suqp2TBSMzYx/psA=,tag:tSxo7aZvVUBZFdTXaPjWVA==,type:str] +attic-access-key: ENC[AES256_GCM,data:0/02DzQ=,iv:32KD1pBypkpapxMgXTKBgkXFBQ7G/VEACTi+dagVpIk=,tag:eRn1I25Rfi51jPeHdY8XAg==,type:str] +attic-secret-key: ENC[AES256_GCM,data:YLKF5y75IdeCPH/G,iv:j8LPMQpQbj0pj8oes3GrmQqjc7xu0s3zhiffYrZ1iUI=,tag:hq07RL9Cn9blImtMaLUomA==,type:str] +attic-jwt-secret: ENC[AES256_GCM,data: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,iv:1pYMYh2pgK12fYievzaaBW/8DD6j2mT9ka5oCuWZIpE=,tag:66EA/Fq/UYp2PFoBEjN6tA==,type:str] +nfs: + devices: + books: ENC[AES256_GCM,data:aIQVGVqF1sVi9uShRHTTIBBrXTitq8MmAYjzYhjl,iv:5zMEdZZGXjxv4VCdrumJafcRa/sShEu3vWxEGbTnGdU=,tag:W8ypAADecOcMFC8KCp/qgg==,type:str] + music: ENC[AES256_GCM,data:KHe3Ywm736RngFcB40prL7EylTURcJ+EpAJZ6/+n,iv:q+MHY8dof3HB0wZMvGYljr+6w2MICz/eYn9aDW1Ohfk=,tag:ruti/m0XZAv5/Nr4/H4JGQ==,type:str] + personal: ENC[AES256_GCM,data:ZBYNODfEVGrkSGIuieFC005oAJ93nkNCMri+,iv:tcatOOlBb/0r48GLq+tvz/1FpCWDpaCfXYBHe8WOw6g=,tag:18Lq7ykZJqiZ/Uq8vXA5HQ==,type:str] + backups: ENC[AES256_GCM,data:T8pOiYVEl6yOpk+xffuQUPGt3s3y905jUw4=,iv:6oo0Y21rplAI+KZqVGrMNgxK0kQI2a0lc1nDO5j3Ab8=,tag:QX1shUNpnNsPPAC4cm4rwA==,type:str] +nfs_backups: ENC[AES256_GCM,data:132wMoiH3JbR3V0PNCVa6kyvLStVQ202pQ==,iv:JyXcD7emBBmjtvqi1gT/zZ6kbtKGRcyKMkTo7qLFeBQ=,tag:eAu8AFyEU+n/3h8XyqOObQ==,type:str] sops: age: - recipient: age1k3hs0gyzrmsdyqh9lpret46q3xaayxxntruzc4euy6h3slqn4u6q36h7rg 
@@ -15,7 +25,7 @@ sops: US9oa0pORXRVWWlyYlZZTGhXdTdOaWsKClqIK/YNJIIGFqOO0t4oni8dRTTXQniG ioIwAOdEgE/n0vcYhHXxLxWlTeqGZF076g7EFfIqiSNqrDtacRnazg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-01T20:09:32Z" - mac: ENC[AES256_GCM,data:i+Q+2ottIzAINqlUVXxJ6erLEsItjkrSbjGjRg72hSZdAOusI9Er4A7R/JGnR26/+o8i6Ivf/HzYIGL1AX7mA48UCg5MM1gpUNnFlc4pkwP+9PdbhT/V7nvvzlHHyPc3y7AfjeY9SI0kVuStPwrIPtHkh1JYwqkpVl2DSU9OPCg=,iv:nXF7db9V7ZXtcmXFPPTcjWbld69HHYEQp8BhDEugYak=,tag:Dp5wuoWxB5PuxKiXvZWdIA==,type:str] + lastmodified: "2025-07-06T23:00:00Z" + mac: ENC[AES256_GCM,data:YtY37ZQHpYM9bM+T1qv8X8BLOIxn3zhtLo/BSCXHvw6qXqIChLnUxsD+WpiJXU270DsOfIXBY9zeOUlTbz5DKYHGJs6qRAbwQ4WA+k0eQeLdZfKGoF/U/YL6fpIGoSCrdeDhV0vlozIDZRfCT3kxdJx+aeHGNKFow8/wtQhEyEE=,iv:bp00UKjq17KbdhpjJwB0iEIYi3wwP1hp+EJwAa7tiZk=,tag:b/J2eD7eoH+jGQDpa2BAVg==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2