From b57927a395df566d8f05487098deb2312304d6e5 Mon Sep 17 00:00:00 2001
From: Jet
Date: Thu, 21 May 2026 12:06:10 -0700
Subject: [PATCH] feat: add digitalocean noisebell host
---
README.md | 6 +-
flake.nix | 41 ++++---
hosts/noisebell-do/configuration.nix | 167 +++++++++++++++++++++++++++
remote/README.md | 20 +++-
scripts/deploy-do | 16 +++
secrets/bootstrap-identity.age | 9 +-
secrets/cache-to-pi-key.age | Bin 574 -> 684 bytes
secrets/discord-token.age | 14 ++-
secrets/discord-webhook-secret.age | 15 +--
secrets/homeassistant-webhook-id.age | 20 ++--
secrets/pi-to-cache-key.age | 23 ++--
secrets/relay-webhook-secret.age | 26 ++---
secrets/secrets.nix | 8 ++
secrets/tailscale-auth-key.age | 17 ++-
secrets/zulip-api-key.age | 14 ++-
secrets/zulip-webhook-secret.age | 14 ++-
16 files changed, 318 insertions(+), 92 deletions(-)
create mode 100644 hosts/noisebell-do/configuration.nix
create mode 100755 scripts/deploy-do
diff --git a/README.md b/README.md
index 4d4f39d..c30c505 100644
--- a/README.md
+++ b/README.md
@@ -20,15 +20,17 @@ Pi (door sensor) ──webhook──> Cache ──webhook──> Discord / Zulip |-----------|------------| | [`pi/`](pi/) | Raspberry Pi OS base with laptop-built Noisebell deploy | | [`remote/`](remote/) | Server-side services (cache, RSS, Discord, Zulip) | +| [`hosts/noisebell-do/`](hosts/noisebell-do/) | Standalone DigitalOcean NixOS host for the remote services | | [`secrets/`](secrets/) | Shared agenix-encrypted secrets and recipient rules | Each directory has its own README with setup and configuration details. -For hosted deployment, another repo such as `../extremist-software` imports `noisebell.nixosModules.default`. That host repo provides deployment-specific values like domains, ports, and the Pi address, while the Noisebell module itself points `agenix` at the encrypted files in `secrets/` and consumes the decrypted runtime files on the target machine. +For hosted deployment, this repo exports `nixosConfigurations.noisebell-do`, a small DigitalOcean NixOS host that imports `noisebell.nixosModules.default`. The host provides deployment-specific values like domains and the Pi address, while the Noisebell module itself points `agenix` at the encrypted files in `secrets/` and consumes the decrypted runtime files on the target machine. Useful commands: -- `./scripts/nhs` redeploys the remote cache host using the local checkout as the flake input +- `./scripts/deploy-do [jet@noisebell-do]` redeploys the DigitalOcean remote host +- `./scripts/nhs` redeploys the old Hetzner host using the local checkout as the flake input - `scripts/deploy-pios-pi.sh pi@100.66.45.36` redeploys the Raspberry Pi OS machine The full Home Assistant relay workflow is documented in `pi/README.md`. diff --git a/flake.nix b/flake.nix index 3cf74f2..63f74d2 100644 --- a/flake.nix +++ b/flake.nix 
@@ -435,31 +435,46 @@ }; }; - nixosConfigurations.pi = nixos-raspberrypi.lib.nixosSystem { - specialArgs = { - inherit nixos-raspberrypi; + nixosConfigurations = { + pi = nixos-raspberrypi.lib.nixosSystem { + specialArgs = { + inherit nixos-raspberrypi; + }; + modules = [ + nixos-raspberrypi.nixosModules.sd-image + agenix.nixosModules.default + piImageBaseModule + (import ./pi/module.nix { + pkg = noisebell-pi; + rev = self.shortRev or "dirty"; + }) + ./pi/configuration.nix + ]; + }; + + noisebell-do = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + self.nixosModules.default + ./hosts/noisebell-do/configuration.nix + ]; }; - modules = [ - nixos-raspberrypi.nixosModules.sd-image - agenix.nixosModules.default - piImageBaseModule - (import ./pi/module.nix { - pkg = noisebell-pi; - rev = self.shortRev or "dirty"; - }) - ./pi/configuration.nix - ]; }; devShells.${system}.default = craneLib.devShell { packages = [ agenix.packages.${system}.default + pkgs.curl + pkgs.doctl flash-pi-sd + pkgs.jq pi-serial pkgs.nix pkgs.parted pkgs.rust-analyzer + pkgs.openssh pkgs.tio + pkgs.wrangler pkgs.zstd ]; }; diff --git a/hosts/noisebell-do/configuration.nix b/hosts/noisebell-do/configuration.nix new file mode 100644 index 0000000..9a0f220 --- /dev/null +++ b/hosts/noisebell-do/configuration.nix 
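Review bot: `scripts/deploy-do`, added in this same patch, execs `nixos-rebuild`, but the `devShells` package list in this hunk gains `pkgs.curl`, `pkgs.doctl`, `pkgs.jq`, `pkgs.openssh` and `pkgs.wrangler` without it, so on a laptop that is not running NixOS the deploy script may not find the command inside the dev shell. Adding `pkgs.nixos-rebuild` next to `pkgs.nix` would make the shell self-sufficient, unless the tool is supplied some other way that is not visible here. `pkgs.openssh` is also inserted between `pkgs.rust-analyzer` and `pkgs.tio`, which breaks the list's otherwise roughly alphabetical order.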
@@ -0,0 +1,167 @@
+{
+ config,
+ lib,
+ modulesPath,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [ (modulesPath + "/virtualisation/digital-ocean-config.nix") ];
+
+ system.stateVersion = "26.05";
+
+ boot.kernelParams = [
+ "net.ifnames=0"
+ "biosdevname=0"
+ ];
+
+ networking.hostName = "noisebell-do";
+ networking.useDHCP = false;
+ networking.usePredictableInterfaceNames = false;
+ networking.nameservers = [
+ "67.207.67.3"
+ "67.207.67.2"
+ ];
+ networking.defaultGateway = "143.198.128.1";
+ networking.interfaces = {
+ eth0.ipv4.addresses = [
+ {
+ address = "143.198.141.161";
+ prefixLength = 20;
+ }
+ {
+ address = "10.48.0.5";
+ prefixLength = 16;
+ }
+ ];
+ eth1.ipv4.addresses = [
+ {
+ address = "10.124.0.2";
+ prefixLength = 20;
+ }
+ ];
+ };
+ networking.firewall = {
+ allowedTCPPorts = [
+ 22
+ 80
+ 443
+ ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ trustedInterfaces = [ "tailscale0" ];
+ checkReversePath = "loose";
+ allowPing = true;
+ };
+
+ virtualisation.digitalOcean.rebuildFromUserData = false;
+ services.do-agent.enable = false;
+
+ boot.kernelPackages = pkgs.linuxPackages_6_12;
+ boot.loader.grub = {
+ enable = true;
+ devices = lib.mkForce [ "/dev/vda" ];
+ };
+
+ fileSystems."/" = {
+ device = "/dev/vda1";
+ fsType = "ext4";
+ autoResize = true;
+ };
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "prohibit-password";
+ };
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu"
+ ];
+
+ users.users.jet = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+ };
+ security.sudo.wheelNeedsPassword = false;
+
+ age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ services.tailscale.enable = true;
+
+ services.caddy = {
+ enable = true;
+ email = "postmaster@extremist.software";
+ };
+
+ services.noisebell-cache = {
+ enable = true;
+ domain = "noisebell.extremist.software";
+ piAddress = "http://noisebell-pi";
+ outboundWebhooks = [
+ {
+ url = "http://127.0.0.1:${toString config.services.noisebell-discord.port}/webhook";
+ secretFile = config.age.secrets.noisebell-discord-webhook-secret.path;
+ }
+ {
+ url = "http://noisebell-pi:8090/webhook";
+ secretFile = config.age.secrets.noisebell-relay-webhook-secret.path;
+ }
+ ];
+ };
+
+ services.noisebell-discord = {
+ enable = true;
+ domain = "discord.noisebell.extremist.software";
+ channelId = "1034916379486322718";
+ };
+
+ services.noisebell-rss = {
+ enable = true;
+ domain = "rss.noisebell.extremist.software";
+ };
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 100;
+ };
+
+ nix.settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ trusted-users = [
+ "root"
+ "jet"
+ ];
+ max-jobs = 1;
+ cores = 1;
+ auto-optimise-store = true;
+ };
+
+ nix.gc = {
+ automatic = true;
+ dates = "daily";
+ options = "--delete-older-than 7d";
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=100M
+ '';
+
+ environment.systemPackages = [
+ pkgs.curl
+ pkgs.jq
+ pkgs.tailscale
+ ];
+}
diff --git a/remote/README.md b/remote/README.md
index 30b14d4..da6fdda 100644
--- a/remote/README.md
+++ b/remote/README.md
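Review bot: SSH on this host is open to the public internet (`22` in `allowedTCPPorts`), and the single key in `users.users.root.openssh.authorizedKeys.keys` is accepted for root directly, for `jet` with `security.sudo.wheelNeedsPassword = false`, and `jet` is also listed in `nix.settings.trusted-users`, so that one key yields root by three routes. Since `scripts/deploy-do` defaults to `jet@noisebell-do` with `--sudo`, direct root login looks unnecessary and `PermitRootLogin = "no";` would close one of those routes. Once Tailscale is authenticated, `services.openssh.openFirewall = false;` together with dropping `22` from `allowedTCPPorts` would leave SSH reachable over the trusted `tailscale0` interface only; this has to follow the interactive `tailscale up` described in remote/README.md, otherwise the host becomes unreachable. Separately, `piAddress` and the relay webhook use plain `http://noisebell-pi`, which is only as private as the tailnet path the name presumably resolves over, so a comment beside `outboundWebhooks` stating that dependency would help the next maintainer.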
@@ -29,7 +29,7 @@ nix build .#noisebell-zulip ## NixOS deployment -The flake exports a NixOS module for the hosted remote machine. It imports `agenix`, declares the Noisebell secrets from `secrets/*.age`, and wires the cache and Discord services together with sensible defaults. Each service runs as a hardened systemd unit behind Caddy. +The flake exports a NixOS module for hosted remote machines and a complete `nixosConfigurations.noisebell-do` host for the small DigitalOcean droplet. The module imports `agenix`, declares the Noisebell secrets from `secrets/*.age`, and wires the cache and Discord services together with sensible defaults. Each service runs as a hardened systemd unit behind Caddy. ```nix { @@ -62,6 +62,24 @@ The flake exports a NixOS module for the hosted remote machine. It imports `agen } ``` +The production DigitalOcean host in this repo enables the cache, Discord, and RSS services on the existing public domains: + +- `noisebell.extremist.software` +- `discord.noisebell.extremist.software` +- `rss.noisebell.extremist.software` + +After installation, authenticate Tailscale interactively on the host with: + +```sh +sudo tailscale up --hostname=noisebell-do +``` + +Redeploy later with: + +```sh +scripts/deploy-do jet@noisebell-do +``` + `nixosModules.default` handles these secrets automatically: | Secret file | Deployed on | Used for | diff --git a/scripts/deploy-do b/scripts/deploy-do new file mode 100755 index 0000000..4c660c1 --- /dev/null +++ b/scripts/deploy-do @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +set -euo pipefail + +target=${1:-jet@noisebell-do} +if [ "$#" -gt 0 ]; then + shift +fi + +SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd) +REPO_ROOT=$(cd -- "$SCRIPT_DIR/.." && pwd) + +exec nixos-rebuild switch \ + --flake "$REPO_ROOT#noisebell-do" \ + --target-host "$target" \ + --sudo \ + "$@" diff --git a/secrets/bootstrap-identity.age b/secrets/bootstrap-identity.age index 640ad23..a5e58b6 100644 
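Review bot: `scripts/deploy-do` has no header comment, so the optional target argument and the pass-through of all remaining arguments to `nixos-rebuild` are only discoverable by reading the script; a line after the shebang such as `# Usage: scripts/deploy-do [user@host] [extra nixos-rebuild args...]` would cover it. Because the switch runs under `--sudo` on the target, the same comment could state that the target's SSH host key should already be in `known_hosts` and match the `noisebellDo` entry in secrets/secrets.nix, assuming that entry is the droplet's host key as `age.identityPaths` in the host configuration suggests.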
--- a/secrets/bootstrap-identity.age +++ b/secrets/bootstrap-identity.age @@ -1,6 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 Ziw7aw HhAAwL59eDWhqjnkhN134gANCHnfzZWKUKze1G4FlwE -hIz028hPGQZTQLePmiEnvAgam01U8w1LV6gjwcr9oEI ---- KERP4zeE7cbDbEcD1LLqWvSqEU92i16y3inUL8U5640 -mD{(O1 %'C4}'BMduCo{yyWӈk¡cjI]py@Xutzc4]yB*5=8ڵ?~xJiEa9j rbI.RTDžBBRRmbG'k'EZFn/SMox - ssh-ed25519 Ziw7aw UN1o36xuqmTT5yEU0VbvmlXjy5Vi2ap3f2P8a0VYzQM +o/vBWDo78U1Ryxw6YH8Ucs9NaODpwBbhjKsnX3qnqRA +--- 6acvZXBUKhTMv3FYXiaom59plFQ8504JFiuefo17XvQ +gE+j&5`e,t]*wCP^-+wC7hҤ8K &UR.И-_מ )CGyPcSkBCv"qܭ'w"e(5[ YRcxmFl~n=qx0y@M9~ $,:"ߔ _T C:`PФ3 \ No newline at end of file diff --git a/secrets/cache-to-pi-key.age b/secrets/cache-to-pi-key.age index 08fe10ae918510ff7a7cf622926a5509cda90d05..e6acdb283ae26d2464350f258ba238e163284c8b 100644 GIT binary patch delta 652 zcmdnTvW9hnPJLKTgl}@BZ(323iE(OLNdvMWAU!n1@AKmSIYPb8udAva>;MKx(FTmPM|AB$uw8LUD11 zZfc5=si~o*f}fj{Nui^Hf3SXLSV2I(fk~oMmAkfietl7ZcClfGv8h{@Nm4X_ZSh z$hruKO{S(Ujt1FAQJ%qB$@$q)+S>Y_8Bxh@P99+vk?Dcj89r_L<;-bp#xeyJJ$VFqa>h2@Tw8BRXMUWUQ>`IaUXd5&&wzFDDxo**lbeN^h5R^pYe z5TfnuVUgxtm8YE@;%`u4Y2g)|lw+6~;S`o`nrM`iT$O9?Qr1*o|tWzRGgBWXB3(07g6MbVO@@idudp@f>U@-xJ7!P zUusc$XtSFTTxL4jMLQErrLS*256 zioSk$xQ~;6ZlSr4zmthqWp;pXYJHiBlUaCZB$uwPu0n=~p8*C-i{otrL2qk IRxZ~B0PN)5asU7T delta 541 zcmZ3(x{qaoPJKpRvXif~SyWMFg?FZtk*|eed19VHd2V=VNK!^*j%P}#Z@znAc9Ex> zBUgE$zkimie~M9%fq!A8i(z7Fc0_1NX^Kx#d0pl8K|Cey(L`D3`9CLUD11 zZfc5=si~o*f}fj{Nui@cy0@2SUTJuSVPK(tWmRNgNWFegRaBI3N`7c|azuu^XM|^- zQ?`GBnPFu)S5l?7c8+(1k+wyddq`rkWm=hIvRP1BvQuDDKvji_e^OCKaA|2+qM1u1 z$hruKO&%p_*&YVvp2bm7o;leDmbuxbMqWXdjse*vmf5*3sb)p4=HB|5CEhu{T%MNo z$@vlK#wo7m1%^HW&Vk;B+HQ`Oi507@%)zk{MxAZ(wBMpA%M?>s#UJo2Q?nZCK(H>{ptb&84fWt5E9d=w2D@=3nXJ zZ{!mh;^~^~YUE;JSy1NU7HH;{8)@ki&Sibk-dDhW>7|-|3$D311-Kn3 z{{KH?wmwVRi;}&01>4+{ygr???KsrJaE;yj-qz!s-iaG#{;Uz3aE8}!lbv{tekOa{ P>HB>?OFhnu&YA-NT;sXA diff --git a/secrets/discord-token.age b/secrets/discord-token.age index 804e6f6..332f9fe 100644 --- a/secrets/discord-token.age 
+++ b/secrets/discord-token.age @@ -1,7 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 Ziw7aw 756HU1sPe5g3sa0YYfzMnXiToT5K+nfAPhfABEetgRI -E8dqhn7hN77qM0PhHMEAsZySd1hfk0w1tlsiWj4aEOQ --> ssh-ed25519 uKftJg eGfmzvHseauAFPOR1QXfdmaQy5TjpNsoBWq27mbO50w -KRuGUW65uQ5+IdREyg6X1oj0P5IkuuxFEl1WylGpAHc ---- 2Ya08payqNiMCEqBXrbKEA53ETupxwgUNRcMNu9IP6k -&vďtBL.HړY PS3T4D s,9e4Tp,G?KtJmwF' 0Xy<>\^mr \ No newline at end of file +-> ssh-ed25519 Ziw7aw 0xkRcZAenJ0AtyrZhXvhNtW71BYphs4kEFgoXxieE1o +J/WUXCDNeNB5kBWvBVGfGnyNl9nNhDcPnuLY4USwSD8 +-> ssh-ed25519 uKftJg zLZMo3cOHmtJL3YzUd4BWRIpbRAFL7MU2jnpcrsEUWk +qqeTIlJikW57D9tTmh7dDpYeNiZAAJn0QBfPcMuX4Uw +-> ssh-ed25519 l4GuVg Db8aGfZ1kOQNJo/aN0S6R6aVqCKL+1iTC3xMATGapGU +lqiz9Ck6UqiXyI16yLDHG5rZjIu+8jXV7INm/YnJM4w +--- wRrLhnRAiJJ4rzfeE4wCAGCwAXfoExTcNNnIItOTVXA +tigݹ 7Ҷrs5 N,L+mt_{:$VgTàS,*P`?#11/tM}$TNV@;Q1z \ No newline at end of file diff --git a/secrets/discord-webhook-secret.age b/secrets/discord-webhook-secret.age index 8525561..0fabaad 100644 --- a/secrets/discord-webhook-secret.age +++ b/secrets/discord-webhook-secret.age @@ -1,8 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 Ziw7aw rZ/ka797yEKkW7xRwxbSJK9NBym4/D2BuC8jQvofwDE -tj9Bjlz4LHH08T4TWbsdyND1jUVPMgOZ0FH0YwBqQ/U --> ssh-ed25519 uKftJg dBonrYNHmF+jvS6/bBLhPoB6t3pu8A/77YOxG1NRE18 -fKe4h8fWURBeSd16fiGGh2fyOO5pAzpwn13bYtnNHwo ---- NssWFWKEXWgN7U1HUo3UlW1vhYKUeRuyQPVqnWVXyEY -X-oѭJ%>#?O/ɈE*7/ -JnEYOyn6y(oϞ2ͅcBOR,Ϳ \ No newline at end of file +-> ssh-ed25519 Ziw7aw iAMwtlZYTaco91cAKjOWMeHxOyStgNpsn2H+9ITaIiI +5+nCUM1pD5kGNQfAtJmBVVxsQTqOP0JOGUDSxq3cdAk +-> ssh-ed25519 uKftJg ohDuFQgByMxfagkHkLNn2oGavfAcDo1m95fXLY4XUSM +tjji67gI3nxhgwSszBxAriCuPwgjPLy3iu+usT16Vic +-> ssh-ed25519 l4GuVg 6vtnUc22qj6MPfDCBPCWsYkNeaOwcrpGDX8cuUCdu0w +yvwpA+kIsxEuCQHkng5kGswDyxTeZGKlgxeCQ7xymrQ +--- 4Te4wdjCTn2UF6lPs+p0lGhiWtrcaMPUuAfpuEmPzFM +6S~_$=ǢFh{;蠶8agK9(-V sRE \ No newline at end of file 
diff --git a/secrets/homeassistant-webhook-id.age b/secrets/homeassistant-webhook-id.age index 78b774f..afb0892 100644 --- a/secrets/homeassistant-webhook-id.age +++ b/secrets/homeassistant-webhook-id.age @@ -1,13 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 Ziw7aw v3z9Oh1DYMesxOG184H6mSS7NYqhdvjo8iYlJ5kQYzM -O+OWaXU7uwy8krNNjUdyUWjvEdb62cVt1+tSaEwfHkc --> ssh-ed25519 NFB4qA k6ZSOTL5p6Ek3Dkw5sWnjdwwKWwMJEbXXq8vWosz1QI -vooc7eaB5s4ib9gzKdK9u/Cqyeud2h7BhMaxCZGbFWI --> X25519 RmqIi6m7+iE8ACgfTRl7oiOdfCEMv7u2o0m/5wr87jY -8gUgzgjbVKhW6NagnFqUv849nD6UaUxZoRsEaPmS+SQ --> 0\[*-grease ]^ Q< Ejv ndNP1G` -MVT8TeupnrxLy09AluP8AflxxORyLJSXclKVaqFjLKik20VE9Q0NvwhDPgcv24aS -zQTuJpmKDsTJV0I/WofypfV0hZFIbDBTuVTxCWqwtzU4IsfEIXHXUVdoyseL4FS6 - ---- eMEg3OcfDfdlEKSy688XEXQAXJ8xydvzWrkQwdrvIPg -nɹ,26o#cϬV-s[$>7-,D,ZZ% mgO \ No newline at end of file +-> ssh-ed25519 Ziw7aw H8kYx+1tkUTWGNcqrZRTplNKVJ0mNJEZJZmGaRYP2mo +sCr5MTCG7NkM5l8K17zvinnmSSGei0hGSy4aqp1EAG8 +-> ssh-ed25519 NFB4qA jEpRgq7/FG6BWYWDkfXUvrU5Hgrq1YXrSty+kkw5AgU +MMeYvJelH2aKke4VagZCizOt1jntLI8WjstRx5r9Qxw +-> X25519 QWrkAXUKDeRLgkkkQ1ocQK/bJFlB+M3wntjt8BEKgRs +fqih2zeA3okdBfphDPkdbxaSnadR5UbdvdXd9aHlBDs +--- MnXm0lW6bZFXkl4VLuc2brMiSPrXzGMAPnSs/ekvcAY +wr@pl<ʇ+>NpYK84H䦋)E3ƊH"y>s'.z \ No newline at end of file diff --git a/secrets/pi-to-cache-key.age b/secrets/pi-to-cache-key.age index 612cf4f..6f92b93 100644 --- a/secrets/pi-to-cache-key.age +++ b/secrets/pi-to-cache-key.age 
@@ -1,12 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 Ziw7aw ZaLRvgj6V9ukim0lfxHftVUvCXi7tIXPn5O/2nzQqCE -cem5AxKMkYOs8iifYP80hkbr5km7bFOdjCt7Ym6lQcs --> ssh-ed25519 NFB4qA ssMeOzGjehzTeppIGHpzPViIKObSwnXw6OZ1DfXs6Ew -Y813udN4YGDMszEC8FVZz7Na6XQigVNFTdusLomMusg --> X25519 qmoLWSdRljn6daPlUyqk9TOOvBaUx42CvqcpXe/xUCE -7xMN5RbYnpgw3+/pHyCiEyEhyUmQOwa1zSlAbuVwlQo --> ssh-ed25519 uKftJg Fv8M0RogkcYWd46bJY3OJCoCFAW8QMjzLueDZowylSA -R3w6E2RvDmgaKKhxqWHjEeIQxNSCHzX7+nLb3Ls+iHs ---- 13dp1N6I6pPdDx+FrxsT+ZS5rsFfrK3x0F7Rs6vN6/I -BI8 -|9/tqX[ ;*ƷJ2|S($ө΁S*m \ No newline at end of file +-> ssh-ed25519 Ziw7aw soxQRZjcwuFkOqFS6x2Cw/1YtOD4CkTnsWpY4K2Moiw +KxdY3gJTKxj6YqiMK+Oh+26qzbFEkcsZEpzb5HDE0T0 +-> ssh-ed25519 NFB4qA xYDzW2Qxw8nLi5wLJ2SWeuVwRfi673PqgMzBEg+WT3I +SxngK4GNmLIeqGggWTqSVaaOBNyDqtC93xK82rX7sVQ +-> X25519 TQIdaqxCpOfSnOKiNqjE+IIpw076cdKCUAMLay2xqSg +V+IgmEjW/3Jj0Rv3EJRCbi6KyDa+Vr4MiYquV2YgY0Q +-> ssh-ed25519 uKftJg WE6KAFY2s2e3sAY9lW/Fqs8pEVziif7119vv2WL9tUM +4u3LlOECC+IO+x8uD3gr0LZBg48nuDD+2iiXh1MCLxU +-> ssh-ed25519 l4GuVg huZR6w6uZIs6nlPFda5A29Tm+YQNP7ZDc53/RnlcRDA +nZ3dWTIJDChrfQSGUvI3/3g7JmFZ0pmCzFRuzkLcLkQ +--- +mkAGvbKXfMqdgTSfV4t36anO8Nqn0F/EsBBvtuAkQ4 +GW.~aNx`q%b&lS2~Zs4qAƥ?BTll7̭ \ No newline at end of file diff --git a/secrets/relay-webhook-secret.age b/secrets/relay-webhook-secret.age index 79c8d54..c20e302 100644 --- a/secrets/relay-webhook-secret.age +++ b/secrets/relay-webhook-secret.age 
@@ -1,15 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 Ziw7aw LgNC5vZwo/fdnY9FzszAmVBb6E6BkDsy302kU6psElE -AWMlR/lsYKT3d2i8af7bD98tBYLM9HIbMugcrzaKuPM --> ssh-ed25519 NFB4qA 7SDpxJZHHr52Mv3MVxJj1hVc/ZiMSSo4tzmsh62/jHg -4qne6NwF53k/Ib03T/qlRvzrLdn0RSMxmzoD2c7b4po --> X25519 Ps/z3IuGnygYRf6YAYa/TFpvHrNjx2BdplT9zswz/hY -Bjgas+BRm/1fi/S7i3NOEB703sYg5DFrEwWixYqGaeo --> ssh-ed25519 uKftJg AMV3loJMEW6B+nW/IPxcJc2xqJubOlGXGJkWlMWoLEU -54zihHrr1sgdderBh/fyj3sifPQc+A/M8ca6vlq1/XE --> 9.gStO-grease ]H[$m[ax Elz_qFV )#FNFqG b~mv$n8 -JKxci4Ph7xZCVBr4dX5Gh7Q1GMRxFM2lPcJfGL0iFhwvSGxec+QD0VkZ9+zLVCMD -bZvSQ0LJCh5XucekWtR66ZlVSrURWjxdJQh3YhBTUMEezLdZIbe/Rg ---- w6fTJ89HtOUIGgw1jUdITJwcahPHxxHKqR0KPi0Zphs - 3ൺO`=^WNx ssh-ed25519 Ziw7aw fhKhnBldih6kd4HdQdFS/T7Wf3Evg0EPbcEl5W6vNx0 +K8ax57mGEp69FCVF3UiGUBDMmT95pbij3+yDB1N9WCw +-> ssh-ed25519 NFB4qA ttL1cUZWVlZwTZiFDYCsqxb+LpOESuI1a6JF1jCTuEI +E0hheZeqVU6rZ9DuRDDybTLPrXwQJEqpmwLoKsw6cIk +-> X25519 999iufykXmRVaC/UVxNlV5xNn72Aj2N56995k2rx1Hg +KB8fl3kzo8LTC3uroZvGG3FIep6V2ZXIlBq9T50I5ig +-> ssh-ed25519 uKftJg ADJl5ur5o1pbaaQGNyuni16Vm7kqJKx+m3Zezx3ETBc +Pf6SQ1JzwZkfwK8wZxSZ9Vd14o+q+bS/vA6iB1milD8 +-> ssh-ed25519 l4GuVg tPSh2Ww/Id+zgNtXUVocbCpw8zNY7AWkPSnXVzjkGyk +/jijxdK9CFpVXR/M7ir1NSXWhR4iMbCIymSQ946/OQg +--- +5H40eoLK4HvSDwR+mKpLiDpVJYzHjQ9qjmqoiOaHDM +vq>asgC}%&嚍6cu3݈nGQ9Xj{2h;jM(qfiXeE%|n y*wH \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index ff30fc7..a4ea100 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -2,6 +2,7 @@ let jet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu"; pi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEfZfAQEFy8QU5P7deC2vWPN76YpUKcBF8fiWwuANumG"; server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAING219cDKTDLaZefmqvOHfXvYloA/ErsCGE0pM022vlB"; + noisebellDo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSxn7Fz4FYf9cwVgjPICdS07S6pHLoet9iOKKHIBR2g"; piBootstrap = "age1sfqn46dgztr35dtyhpzyzzam5m6kcqu495qs7fcsdxtac56pc4dsj3t862"; in { 
@@ -11,12 +12,14 @@ in pi piBootstrap server + noisebellDo ]; "cache-to-pi-key.age".publicKeys = [ jet pi piBootstrap server + noisebellDo ]; "tailscale-auth-key.age".publicKeys = [ jet @@ -26,14 +29,17 @@ in "discord-token.age".publicKeys = [ jet server + noisebellDo ]; "zulip-api-key.age".publicKeys = [ jet server + noisebellDo ]; "discord-webhook-secret.age".publicKeys = [ jet server + noisebellDo ]; "homeassistant-webhook-id.age".publicKeys = [ jet @@ -45,9 +51,11 @@ in pi piBootstrap server + noisebellDo ]; "zulip-webhook-secret.age".publicKeys = [ jet server + noisebellDo ]; } diff --git a/secrets/tailscale-auth-key.age b/secrets/tailscale-auth-key.age index cb0917b..a3880d5 100644 --- a/secrets/tailscale-auth-key.age +++ b/secrets/tailscale-auth-key.age @@ -1,10 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 Ziw7aw Wx6m6fWrZstI1M3mFySXEtCEeiYOK3EB8xUVLKe8my4 -T0Evdcs7+hsWYU0M2AEWbGCtdOwHNHgk/bBXZ0jpPg4 --> ssh-ed25519 NFB4qA KlrsRc4Us/7WCoCk3hYNVvmeNYvfMH4hOuXAkLFipkw -y/rCNHka6HDr5HdfMazlqaebcBO0K50rzcb3igcMxpw --> X25519 XTXs2qhJK1noZZtCHCol6IlN48s3nDOqIHX86PmQo2o -eHxpTg3QsTd3EzLUQAecNtGI7+NvP3zxFhUd8zHTuvQ ---- mFSpkYW6U5vQaH+a3fqVW5/ODOZwounsybqkLQoLqY0 -yqٶG -ƵMV=XIc|,QQ|ɁĎy=  +.xRl4Y_N &0TV,X@47 \ No newline at end of file +-> ssh-ed25519 Ziw7aw K8xQD89TLP/kHNcC5JrkXH0hyI2cHRUdwJbys+Ph5l4 +p2VjT1xtbFONoUoxkKZ9hd6I4EkCZkduYXGEUwDP+jo +-> ssh-ed25519 NFB4qA t4EM6KhJ83LYWFI8xD1HhACoSi+lDaYvvU5Y79IyIxQ +lKm+T/vHSRMOXRwVP8hupyPhZ4RbqEg9p4YyoIRE9FQ +-> X25519 fLnnms5u3DLhpjl8rYAavGGiFnTc/5AMkNpN5kjpVzc +F2slc8rpxaNSbRnJ0COvSdZBBrfHI/FqbAUGmL9CigE +--- p96hcRVjtMIwOMFyL4mbLMtD/0jqkyIS2W/THaJPh2E +~,A[\FhG? q492j5N}2zHt)u)CȂx_}8y0p@=+Θvnkx˼ \ No newline at end of file diff --git a/secrets/zulip-api-key.age b/secrets/zulip-api-key.age index 27e16d4..4a454b6 100644 --- a/secrets/zulip-api-key.age +++ b/secrets/zulip-api-key.age 
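Review bot: `noisebellDo` is added as a recipient of `zulip-api-key.age` and `zulip-webhook-secret.age` (the hunks at -26,14 and -45,9), yet hosts/noisebell-do/configuration.nix in this patch enables only the cache, Discord and RSS services. If `nixosModules.default` does not require those two files on every host (the module is not shown here), dropping `noisebellDo` from both lists would keep the droplet's host key from decrypting credentials it never uses. `server` also stays in every list while the README now calls that machine the old Hetzner host; a comment such as `# TODO: remove server and rotate these secrets once the Hetzner host is retired` would record that re-encrypting alone does not withdraw values the old key has already been able to read.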
@@ -1,7 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 Ziw7aw 6YAV0osp6aSWIIPCsP2kxAMkrDU28P1zBmUBwQ+p8zg -AfON2WAv+DlE6huU1/A16RAcYvs/HTmbST7gtOcn4HA --> ssh-ed25519 uKftJg r9Ci+Heth7AyRm2ZXNH1Sa/jpnepEPfyYfT2uf9q9jc -NQI11W4r8JRkoSsJUnGPc97DFfJy0Gqj83IlRShXgcU ---- ZY8XqiGC40WiD9RRAYWC5nQ+ymXdMsTdt1G+YohJxxk -+qmDZٹROߣF[Th\";W5{vtgWCb,ѻ:b9 \ No newline at end of file +-> ssh-ed25519 Ziw7aw mlvpnohGOe65UnuqKk7yK7iIXxokhsI7+Wj99L5rkAY +NMe3hGW6SSu241yv5QLFzUnJNLtlMCcx09GPuNUTBYs +-> ssh-ed25519 uKftJg 1JmAexX9Yl4kKKMmgUjdRWy9L1ryu4Yq7JGlECRn4nQ +RUHrVZcDW9Uqe9v/WqtBfJk93WtK6tiYI74VHslsLng +-> ssh-ed25519 l4GuVg Cju7F4S2BPdPsBT2DzRJt6vt4pss2Xpmvqys//troz8 +sBCKhFu9R1ju/Tcoe2OkYCHt5IeSmq3nXA92ZGiIScg +--- LXuVK8LF5PO0wdILxDZFWas9GG4edScLr2Zpp6OOU0M +J}f,|Ͷͼ* F.k((HU$|arkJh'ݽ"y \ No newline at end of file diff --git a/secrets/zulip-webhook-secret.age b/secrets/zulip-webhook-secret.age index ed9634f..b54ec53 100644 --- a/secrets/zulip-webhook-secret.age +++ b/secrets/zulip-webhook-secret.age @@ -1,7 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 Ziw7aw 9Da19useHIZG/q7hc3+FcMTfV0hsS4A3E/e16TTNgCU -y4/UsjxFSbAgdC1ADa/Mz3NxTutPayOPHE2Kczu69Yg --> ssh-ed25519 uKftJg Sr4MInGNiNaL9LleBT9i7vbI5VrVkOr//h5Jm7ktwCA -lI3v7oSGgtnR78+hKEFft1O1B1JPlJTx2JB66NFGYdQ ---- 72Wb0XrPWRaPWxh6hmgB+BAEC1CI+oI0EsDIQRNZP4M -B;ʓ(8_F#ZmFęJ_jnovyY2JfJ&aM933[ r (+t \ No newline at end of file +-> ssh-ed25519 Ziw7aw Pu31idlsUcfsOWNF4ynRoIXsy+PsDW9opMcZiPHxtRs +stEIbEP7AS5HnWPV9A538J5CYsqGWi7ZyiUtFCygqto +-> ssh-ed25519 uKftJg TvJ6E08Ae0gfsyuZT7CVSPXTdmCGjKVj6y2Lvnds3hg +KwX0gfyFPAUOoEXjMlgfPw69HbSqDCty2dwWW0J8Z1I +-> ssh-ed25519 l4GuVg PubeSLY7DALHmWGvOfxaHKe2rbdopfrNtHh3uUCzTCI +XEybAIvk1r5jLP9TMr5ckERf4qDnzBosatALZpsP6HM +--- vLCQqr/Wg4hD/HNTi5b+qblUh4DFbD2zrud90z7Bycw +@[:'61.,U rܻf&3C$r4p@N"bf>dIńy+jK#~y \ No newline at end of file