diff --git a/.envrc b/.envrc
index 9cfafa6..3550a30 100644
--- a/.envrc
+++ b/.envrc
@@ -1,2 +1 @@
 use flake
-export RULES="$PWD/agenix.nix"
diff --git a/README.md b/README.md
index 83684fb..0d12e21 100644
--- a/README.md
+++ b/README.md
@@ -16,47 +16,42 @@ services: ## Deployment -Secrets are managed with [agenix](https://github.com/ryantm/agenix) — encrypted in git, decrypted on the server at runtime. +This repository uses **untracked secrets**, so you must build the system locally before deploying. ### 1. Setup Secrets +1. `cp secrets/secrets.nix.example secrets/secrets.nix` +2. Fill in the values (generate random keys, etc). + - `openssl rand -base64 32` is a good way to make a new key + - `tailscaleKey` must be a **Reusable** key from the Tailscale admin console. -Key mapping is in `agenix.nix`. The `agenix` CLI and `RULES` env var are provided by the devShell via direnv. +### 2. Verify Configuration Locally +Because `secrets/secrets.nix` is untracked by git, standard `nix flake check` will fail. +To build the server configuration locally and ensure there are no syntax or evaluation errors before pushing to the server, run: ```bash -direnv allow -agenix -e secrets/forgejo-db.age -agenix -e secrets/stalwart-admin.age -agenix -e secrets/searx-env.age # SEARXNG_SECRET= -agenix -e secrets/tailscale-key.age -agenix -e secrets/grafana-secret.age -agenix -e secrets/matrix-macaroon.age # macaroon_secret_key: "" -agenix -e secrets/ntfy-admin-hash.age -agenix -e secrets/mymx-webhook.age -``` - -To edit an existing secret, run the same command again. - -### 2. Verify Configuration - -```bash -nix flake check +nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --dry-run ``` ### 3. Initial Install (Wipe & Install) - -**Warning: Wipes the server disk.** +Run this command to build and deploy. 
**Warning: Wipes the server disk.** ```bash +# Replace with your server's IP nix run github:nix-community/nixos-anywhere -- --store-paths \ - $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --print-out-paths --no-link) \ - $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --print-out-paths --no-link) \ + $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --impure --print-out-paths --no-link) \ + $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --print-out-paths --no-link) \ root@ | tee install.log ``` -### 4. Update Existing Server - -`nhs` and `nh` are provided via direnv. +### 4. Update Existing Server (No Wipe) +Once the server is running NixOS, use the `nhs` script to push updates. This repository provides `nhs` and `nh` via `direnv` (loaded from `flake.nix` devShell), so just run `direnv allow` first. ```bash +# Update via Tailscale (uses nhs convenience script) nhs + +# Or manually via IP +nh os switch --hostname extremist-software --target-host root@ --impure path:. ``` + +repo uses `impure` build to load `secrets/secrets.nix` directly. no encrypted secrets in git. diff --git a/agenix.nix b/agenix.nix deleted file mode 100644 index c8acf14..0000000 --- a/agenix.nix +++ /dev/null 
@@ -1,13 +0,0 @@ -let - server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAING219cDKTDLaZefmqvOHfXvYloA/ErsCGE0pM022vlB"; - jet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu"; -in { - "secrets/forgejo-db.age".publicKeys = [ server jet ]; - "secrets/stalwart-admin.age".publicKeys = [ server jet ]; - "secrets/searx-env.age".publicKeys = [ server jet ]; - "secrets/tailscale-key.age".publicKeys = [ server jet ]; - "secrets/grafana-secret.age".publicKeys = [ server jet ]; - "secrets/matrix-macaroon.age".publicKeys = [ server jet ]; - "secrets/ntfy-admin-hash.age".publicKeys = [ server jet ]; - "secrets/mymx-webhook.age".publicKeys = [ server jet ]; -} diff --git a/configuration.nix b/configuration.nix index cfcde9d..733cdc2 100644 --- a/configuration.nix +++ b/configuration.nix @@ -12,19 +12,13 @@ ./modules/ntfy.nix ./modules/uptime-kuma.nix # mymx module is imported via flake input in flake.nix + ./secrets/secrets-scheme.nix + # Impure Secrets + ./secrets/secrets.nix ]; - # Agenix secrets - age.secrets = { - forgejo-db.file = ./secrets/forgejo-db.age; - stalwart-admin = { file = ./secrets/stalwart-admin.age; owner = "stalwart-mail"; }; - searx-env.file = ./secrets/searx-env.age; - tailscale-key.file = ./secrets/tailscale-key.age; - grafana-secret = { file = ./secrets/grafana-secret.age; owner = "grafana"; }; - matrix-macaroon = { file = ./secrets/matrix-macaroon.age; owner = "matrix-synapse"; }; - ntfy-admin-hash.file = ./secrets/ntfy-admin-hash.age; - mymx-webhook = { file = ./secrets/mymx-webhook.age; owner = "mymx"; }; - }; + # ... (rest of imports block replaced by ./secrets/secrets.nix being added to imports) + # Bootloader boot.loader.grub.enable = true; @@ -42,7 +36,7 @@ # Users users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu" + config.mySecrets.sshPublicKey ]; # SSH - Secure it 
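Review bot: Importing `./secrets/secrets.nix` in place of the removed `age.secrets` block turns every secret into an ordinary `types.str` option value, and values interpolated into generated configuration are written to `/nix/store`, which every local user can read and which is copied along with the system closure. The clearest case is the last configuration.nix hunk, where `environment.etc."secrets/tailscale-auth".text` and `environment.etc."secrets/mymx-webhook".text` create store-backed files; the same pattern appears in forgejo.nix (`settings.database.PASSWORD`), mail.nix (`secret`), matrix.nix (`macaroon_secret_key`), monitoring.nix (`secret_key`), ntfy.nix (`auth-users`) and searx.nix (`secret_key`), where the rendered service configs are presumably store paths as well. I would keep the file-based options the removed lines used (`database.passwordFile`, `authKeyFile`, `webhookSecretFile`, `%{file:…}%`, `$__file{…}`) and point them at files provisioned outside the store with a restrictive owner and mode. The placeholder comment `# ... (rest of imports block replaced by ./secrets/secrets.nix being added to imports)` also looks like an editing leftover and could be dropped.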
@@ -83,17 +77,9 @@ clean.extraArgs = "--keep 2"; }; - # Automatic upgrades - system.autoUpgrade = { - enable = true; - dates = "04:00"; - allowReboot = false; - }; - # System system.stateVersion = "24.05"; nix.settings.experimental-features = [ "nix-command" "flakes" ]; - services.postgresql.package = pkgs.postgresql_15; nixpkgs.config.allowUnfree = true; # Allow unfree packages (Minecraft, etc.) # Time @@ -103,14 +89,15 @@ zramSwap.enable = true; zramSwap.memoryPercent = 50; - services.tailscale.authKeyFile = config.age.secrets.tailscale-key.path; + # Secrets handled via ./secrets.nix importing to config.mySecrets + environment.etc."secrets/tailscale-auth".text = config.mySecrets.tailscaleKey; + environment.etc."secrets/mymx-webhook".text = config.mySecrets.mymxWebhookSecret; + services.tailscale.authKeyFile = "/etc/secrets/tailscale-auth"; # MyMX - services.jetpham-website.enable = true; - services.mymx = { enable = true; - webhookSecretFile = config.age.secrets.mymx-webhook.path; + webhookSecretFile = "/etc/secrets/mymx-webhook"; }; # Allow Tailscale traffic diff --git a/flake.lock b/flake.lock index 92021b4..349dacd 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,50 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": "home-manager", - "nixpkgs": [ - "nixpkgs" - ], - "systems": "systems" - }, - "locked": { - "lastModified": 1770165109, - "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=", - "owner": "ryantm", - "repo": "agenix", - "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1744478979, - "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "43975d782b418ebf4969e9ccba82466728c2851b", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "disko": { "inputs": { "nixpkgs": [ @@ -65,27 +20,6 @@ "type": "github" } }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745494811, - "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, "mymx": { "inputs": { "nixpkgs": [ @@ -125,7 +59,6 @@ }, "root": { "inputs": { - "agenix": "agenix", "disko": "disko", "mymx": "mymx", "nixpkgs": "nixpkgs" @@ -151,21 +84,6 @@ "repo": "rust-overlay", "type": "github" } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", 
diff --git a/flake.nix b/flake.nix index b5dd818..40e40fb 100644 --- a/flake.nix +++ b/flake.nix @@ -10,11 +10,7 @@ mymx.url = "git+https://git.extremist.software/jet/mymx"; mymx.inputs.nixpkgs.follows = "nixpkgs"; - website.url = "git+https://git.extremist.software/jet/website"; - website.inputs.nixpkgs.follows = "nixpkgs"; - agenix.url = "github:ryantm/agenix"; - agenix.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = { self, nixpkgs, disko, ... }@inputs: { @@ -24,8 +20,6 @@ modules = [ disko.nixosModules.disko inputs.mymx.nixosModules.default - inputs.website.nixosModules.default - inputs.agenix.nixosModules.default ./disk-config.nix ./configuration.nix @@ -35,12 +29,11 @@ devShells.x86_64-linux.default = let pkgs = nixpkgs.legacyPackages.x86_64-linux; deploy = pkgs.writeShellScriptBin "nhs" '' - nh os switch --hostname extremist-software --target-host root@extremist-software path:. "$@" + nh os switch --hostname extremist-software --target-host root@extremist-software --impure path:. "$@" ''; in pkgs.mkShell { - packages = [ - pkgs.nh - inputs.agenix.packages.x86_64-linux.default + packages = [ + pkgs.nh deploy ]; }; diff --git a/modules/caddy.nix b/modules/caddy.nix index 144d8b4..399c5d3 100644 --- a/modules/caddy.nix +++ b/modules/caddy.nix @@ -125,6 +125,18 @@ ''; }; + "mymx.extremist.software" = { + extraConfig = '' + rate_limit { + zone mymx_per_ip { + key {remote.ip} + events 60 + window 1m + } + } + reverse_proxy localhost:4002 + ''; + }; "matrix.extremist.software" = { extraConfig = '' @@ -158,4 +170,5 @@ # Ensure Caddy can read the certs too now that they are in the acme group users.users.caddy.extraGroups = [ "acme" ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/modules/forgejo.nix b/modules/forgejo.nix index 88c4d73..7ba72a4 100644 --- a/modules/forgejo.nix +++ b/modules/forgejo.nix 
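Review bot: The `nhs` wrapper in the devShell hunk of flake.nix now evaluates `path:.` with `--impure`, and a `path:` flake is copied from the working directory as-is, so the untracked plaintext `secrets/secrets.nix` lands in the Nix store of whichever machine runs the build. Nothing in the visible diff adds `secrets/secrets.nix` to `.gitignore`; if it is not already ignored elsewhere, a routine `git add .` would commit the file, so I would add that entry in the same commit. A short comment above the script, for example `# --impure + path:. evaluates the untracked secrets/secrets.nix; the file is copied into the local /nix/store`, would record the trade-off for the next maintainer.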
@@ -14,8 +14,12 @@ }; # You can configure SMTP here using secrets if needed }; - database.passwordFile = config.age.secrets.forgejo-db.path; + # Secret for DB password + settings.database.PASSWORD = config.mySecrets.forgejoDb; }; - services.postgresql.enable = true; + services.postgresql = { + enable = true; + package = pkgs.postgresql_15; + }; } diff --git a/modules/mail.nix b/modules/mail.nix index 5dae503..dc60e4f 100644 --- a/modules/mail.nix +++ b/modules/mail.nix @@ -43,7 +43,7 @@ authentication.fallback-admin = { user = "admin"; - secret = "%{file:/run/agenix/stalwart-admin}%"; + secret = config.mySecrets.stalwartAdmin; }; }; }; @@ -51,4 +51,10 @@ # Allow Stalwart to read the ACME certificate procured for Caddy systemd.services.stalwart.serviceConfig.SupplementaryGroups = [ "acme" ]; + # Open Firewalls for Mail + networking.firewall.allowedTCPPorts = [ + 993 # IMAP (Secure) + 4190 # Sieve + 8080 # Admin UI (Reverse proxied, but good to double check loopback) + ]; } diff --git a/modules/matrix.nix b/modules/matrix.nix index eb7db69..9b45778 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -3,7 +3,6 @@ { services.matrix-synapse = { enable = true; - extraConfigFiles = [ config.age.secrets.matrix-macaroon.path ]; settings = { server_name = "extremist.software"; public_baseurl = "https://matrix.extremist.software"; @@ -25,6 +24,8 @@ ]; enable_registration = false; + registration_shared_secret = "extremist_software_admin_creation"; + macaroon_secret_key = config.mySecrets.matrixMacaroon; database = { name = "psycopg2"; allow_unsafe_locale = true; diff --git a/modules/monitoring.nix b/modules/monitoring.nix index 68b5bc8..2fb7ab4 100644 --- a/modules/monitoring.nix +++ b/modules/monitoring.nix @@ -31,7 +31,7 @@ domain = "status.extremist.software"; }; security = { - secret_key = "$__file{/run/agenix/grafana-secret}"; + secret_key = config.mySecrets.grafanaSecret; }; }; provision = { 
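Review bot: Port 8080 is added to `networking.firewall.allowedTCPPorts` in the second mail.nix hunk even though its own comment says the admin UI is reverse proxied; opening it in the host firewall makes the admin listener reachable from outside whenever Stalwart binds it to a non-loopback address (the listener settings are outside this hunk, so that needs checking). If the UI is only meant to be reached through Caddy, the entry should go: `networking.firewall.allowedTCPPorts = [ 993 4190 ];`. It is also worth confirming that ManageSieve on 4190 is meant to be public rather than Tailscale-only.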
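Review bot: `registration_shared_secret = "extremist_software_admin_creation";` in the second matrix.nix hunk commits a fixed, guessable value to git; in Synapse this secret authorises account creation, admin accounts included, through the shared-secret registration API, independently of `enable_registration = false`. It should be a randomly generated value kept out of both the repository and the store, for instance via `registration_shared_secret_path = "/path/outside/the/store";` (placeholder path), or left unset when the feature is not needed. Once this commit has been pushed, the literal value should be treated as disclosed and rotated.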
diff --git a/modules/ntfy.nix b/modules/ntfy.nix index f4668f7..a7a1407 100644 --- a/modules/ntfy.nix +++ b/modules/ntfy.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, ... }: { services.ntfy-sh = { @@ -10,22 +10,12 @@ auth-file = "/var/lib/ntfy-sh/user.db"; auth-default-access = "deny-all"; enable-login = true; + auth-users = [ + "jet:${config.mySecrets.ntfyAdminHash}:admin" + ]; auth-access = [ "*:up*:write-only" ]; }; }; - - # Patch the generated config at runtime to inject the admin bcrypt hash - systemd.services.ntfy-sh = { - serviceConfig.RuntimeDirectory = "ntfy-sh"; - serviceConfig.ExecStartPre = let - script = pkgs.writeShellScript "ntfy-patch-config" '' - cp /etc/ntfy/server.yml /run/ntfy-sh/server.yml - HASH=$(cat ${config.age.secrets.ntfy-admin-hash.path}) - printf '\nauth-users:\n - "jet:%s:admin"\n' "$HASH" >> /run/ntfy-sh/server.yml - ''; - in [ "+${script}" ]; - serviceConfig.ExecStart = lib.mkForce "${pkgs.ntfy-sh}/bin/ntfy serve --config /run/ntfy-sh/server.yml"; - }; } diff --git a/modules/searx.nix b/modules/searx.nix index f9d1125..262480a 100644 --- a/modules/searx.nix +++ b/modules/searx.nix @@ -5,12 +5,11 @@ enable = true; package = pkgs.searxng; redisCreateLocally = true; - environmentFile = config.age.secrets.searx-env.path; settings = { server = { port = 8082; bind_address = "127.0.0.1"; - secret_key = "@SEARXNG_SECRET@"; + secret_key = config.mySecrets.searxKey; }; search = { request_timeout = 1.5; diff --git a/secrets/forgejo-db.age b/secrets/forgejo-db.age deleted file mode 100644 index 989d149..0000000 --- a/secrets/forgejo-db.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uKftJg mtSxHYyX33fx/dUTpNGgu4ah3X/I6zTB0amu7Ji+iWU -6EXDWMEoDuDZ36rYqUR52IQFASZb5s0bm3KRyAKIXUg --> ssh-ed25519 Ziw7aw zqjgjZGh9C3H/gpuLx+dUC9EngSoHB/feiyCgqss+F4 -MyCY88yFfDSqAr0PbYSg/FbHo+B6rxXBPkVxczgW93E ---- qGC9Dxmqtgm92IqNd3azWYEtkMEwwWRNsuXow6oZjlE -X)1str(fP,ۂ78փ V֔11&%(F-D"(7w=xmٞvS \ No newline at end of file 
diff --git a/secrets/grafana-secret.age b/secrets/grafana-secret.age deleted file mode 100644 index b661c2a..0000000 --- a/secrets/grafana-secret.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uKftJg 6TMM/HxgvFAlsOOJuEhoKfnN5CcjEvck9BKUXTNQsjk -Y0G/GK6+t5jFK+cPqovD/oxs1ZLRAprstr27pZ6mb0c --> ssh-ed25519 Ziw7aw TQWn+XR8FHTv2+ol4id6hcL3C+Jk92jsB2hHFacoD3o -fr+xO4DvOHLSPn05u6JZi++wBABw0z9WqghdwJ62pz0 ---- PS3uOR8IZPAUoS8XA5WsBcCsLEfTxwS+vW6eHdZy3Fo -ȯʔ1/ۜ%r)+0Wg?hJYۮi݌%[=ydw,xS \ No newline at end of file diff --git a/secrets/matrix-macaroon.age b/secrets/matrix-macaroon.age deleted file mode 100644 index a72bc68..0000000 --- a/secrets/matrix-macaroon.age +++ /dev/null @@ -1,8 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uKftJg gbXdVVx0trOnWR5v3V4jjfP58B5jXWKwoi8Da2JKx1Y -s8rPw207y5TzjlLPXm+gG+eQqBqh6geeFvnn4iH3s84 --> ssh-ed25519 Ziw7aw 99vuNfyVaByhU5bwxJTuoxeYoQWryP36ddAd/fZOhBY -hdtoLgoFVslZpm9luo3Edns4hYMQESIReI7laFDjeOQ ---- Zgwav28km0/q1wX2FZDT5xpVQurkcjqu0lmOWr8ZH38 -K)-y.u%To(:^Ep"9>j#F*8W- S1jI4n -2 \ No newline at end of file diff --git a/secrets/mymx-webhook.age b/secrets/mymx-webhook.age deleted file mode 100644 index 13a07b6..0000000 --- a/secrets/mymx-webhook.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uKftJg EC9vi+nqoSqUHET3/4fWoiuW9vTZo5XOB1dc+Fe36U0 -FYKWAiLaAbotst3AuOulpgqAg+JHUqD3uWWLk7hxrH8 --> ssh-ed25519 Ziw7aw naV+WKfldJhOnIzz13Q9zKSK+z+oRhiVfeEYuG+dtS0 -/GLmF3ws0aUsSVTAv9zzzD+8Cp/IkMlHWFzv1CbgSiM ---- PdqmGwHvR/R0tqf46e1ZJl/QIzB1qadFtNyONpoQl30 -wn4@D~r*j!-*v})0F7)}r/>H/3S$ }ٵ@ \ No newline at end of file diff --git a/secrets/ntfy-admin-hash.age b/secrets/ntfy-admin-hash.age deleted file mode 100644 index 701609c..0000000 --- a/secrets/ntfy-admin-hash.age +++ /dev/null 
@@ -1,8 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uKftJg Cccnzwl3XTJOW5+IuxDAsiI0L8Fy8JhJnpdERg9qgXU -vgvQdUbmwRna+gLjGsmsheGGeG2KIxsWoDw4XAVSjEA --> ssh-ed25519 Ziw7aw vMnvy4HgMvhwALtUI14DmX6LbQiLXROINbJPlVfoW0g -FGxDYfiejy2a5W9eZKww1YgQ3mQFTj/mORwBwTsEW80 ---- lThDR400zmmiBqnNmi2QKp2l3z3wCZ0jAxqIROLWn74 -?3J4zrK -k[5D/DTX+lfrjг v΀,#z*}*QǤJ蜴ơX1 ssh-ed25519 uKftJg s5orwA5GrqKWguh/hIhdJGyUP+Vx7iGqoQKuEO48DiY -K+CrOTAFATdTsax+GwQBjJkni4IYDnfPdsVop8eMkKs --> ssh-ed25519 Ziw7aw 27Zr3vWFaQNfeTxJmNajNkigC5RUcwgz6Qs7183fUTM -Bmj69hGO8tIZUJG5tiXqZHy+Ft6T5J2iJAYIxyYxZj8 ---- rC5PWCFkjuuPrSWRImrY7IzODjxevS30MFSXdV5qpG4 -#NR!F3{ - !61bF?ǯg!o}$iR5 -jMgqS,_r:qf \ No newline at end of file diff --git a/secrets/secrets-scheme.nix b/secrets/secrets-scheme.nix new file mode 100644 index 0000000..63d4eef --- /dev/null +++ b/secrets/secrets-scheme.nix @@ -0,0 +1,45 @@ +{ lib, ... }: + +with lib; + +{ + options.mySecrets = { + forgejoDb = mkOption { + type = types.str; + description = "Forgejo Database Password"; + }; + stalwartAdmin = mkOption { + type = types.str; + description = "Stalwart Mail Admin Password"; + }; + searxKey = mkOption { + type = types.str; + description = "Searx Secret Key"; + }; + + tailscaleKey = mkOption { + type = types.str; + description = "Tailscale Auth Key"; + }; + sshPublicKey = mkOption { + type = types.str; + description = "SSH Public Key for Root User"; + }; + grafanaSecret = mkOption { + type = types.str; + description = "Grafana Secret Key for security"; + }; + matrixMacaroon = mkOption { + type = types.str; + description = "Macaroon Secret Key for Matrix Synapse"; + }; + ntfyAdminHash = mkOption { + type = types.str; + description = "Bcrypt hash for ntfy admin user"; + }; + mymxWebhookSecret = mkOption { + type = types.str; + description = "MyMX Webhook Secret for signature verification"; + }; + }; +} diff --git a/secrets/secrets.nix.example b/secrets/secrets.nix.example new file mode 100644 index 0000000..8307b22 --- /dev/null 
+++ b/secrets/secrets.nix.example @@ -0,0 +1,17 @@ +{ pkgs, config, lib, ... }: + +{ + # Copy this file to secrets.nix and fill in real values + mySecrets = { + forgejoDb = "changeme_forgejo_db"; + stalwartAdmin = "changeme_stalwart_admin"; + searxKey = "changeme_searx_secret"; + minecraftRcon = "changeme_rcon"; + tailscaleKey = "tskey-auth-PLACEHOLDER"; + sshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA..."; + grafanaSecret = "changeme_grafana_secret"; + matrixMacaroon = "changeme_matrix_macaroon_secret_key"; + ntfyAdminHash = "changeme_bcrypt_hash_from_ntfy_user_hash"; + mymxWebhookSecret = "changeme_mymx_webhook_secret"; + }; +} diff --git a/secrets/stalwart-admin.age b/secrets/stalwart-admin.age deleted file mode 100644 index 2c123f4..0000000 --- a/secrets/stalwart-admin.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uKftJg E7BMWjT2cbnomhydZCaRs5EMKoDGyU9O+NAvKHjflzs -8yl7y2iXNrBuCyT05sOatAHiJhizUSFgFJt0NlMZ9pY --> ssh-ed25519 Ziw7aw PTAzjpRIfFk86q3docaVsh4CbXjDiCNJR2Of8YAYSBQ -5WLY3czA6TKBJyTMwGVxSR7kuIVxBDMaKZ41VYgGhN8 ---- DHfY8BOaO+vb2MYxX/3XbgAIlwilFEPLRGUlZGJh1g0 -{-L^8;ljO -7Lya]ڀ, jE\m\ -:"yX< 7XȵVՕlM \ No newline at end of file diff --git a/secrets/tailscale-key.age b/secrets/tailscale-key.age deleted file mode 100644 index 0fbd734..0000000 --- a/secrets/tailscale-key.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uKftJg c78IHZJHcr9y//w/tqXHsuwqPjclpCPeGUzCQ1Huwkw -h/3PruYSzkFbrGPPLrYpqoo+btj2NAHS0BlJk//U8x0 --> ssh-ed25519 Ziw7aw O/aFm27iQeYXA04hqRNGcoUy0JmAAKDLsK1Bp/p/miY -EBqXc31Ymh3YgjagBvICwQvX6KKwkkMF3Tv7XqsAvPs ---- sIkeKQZHLKTLXEVZdwmP/FpjbUWyyIZYx2/nKswFWoQ -6vI.`\cZB;xmHR3o ӣTqeld"'\I]T2Kl~OB0 \ No newline at end of file
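Review bot: `minecraftRcon = "changeme_rcon";` is set in secrets/secrets.nix.example, but `secrets/secrets-scheme.nix` declares no `mySecrets.minecraftRcon` option, so a `secrets.nix` copied from this example should fail evaluation with an undefined-option error. Either remove the line from the example or declare the option in the scheme alongside the others. The `changeme_*` placeholders are also valid strings, so a value someone forgets to replace would deploy silently; an assertion in the scheme that rejects values starting with `changeme` would catch that before a build.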