jet/noisebell
jet/noisebell
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add digitalocean noisebell host

Browse source
This commit is contained in:
Jet 2026-05-21 12:06:10 -07:00
parent adb929227b
commit b57927a395
No known key found for this signature in database
16 changed files with 318 additions and 92 deletions
Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -20,15 +20,17 @@ Pi (door sensor) ──webhook──> Cache ──webhook──> Discord / Zulip
|-----------|------------| |-----------|------------|
| [`pi/`](pi/) | Raspberry Pi OS base with laptop-built Noisebell deploy | | [`pi/`](pi/) | Raspberry Pi OS base with laptop-built Noisebell deploy |
| [`remote/`](remote/) | Server-side services (cache, RSS, Discord, Zulip) | | [`remote/`](remote/) | Server-side services (cache, RSS, Discord, Zulip) |
| [`hosts/noisebell-do/`](hosts/noisebell-do/) | Standalone DigitalOcean NixOS host for the remote services |
| [`secrets/`](secrets/) | Shared agenix-encrypted secrets and recipient rules | | [`secrets/`](secrets/) | Shared agenix-encrypted secrets and recipient rules |
Each directory has its own README with setup and configuration details. Each directory has its own README with setup and configuration details.
For hosted deployment, another repo such as `../extremist-software` imports `noisebell.nixosModules.default`. That host repo provides deployment-specific values like domains, ports, and the Pi address, while the Noisebell module itself points `agenix` at the encrypted files in `secrets/` and consumes the decrypted runtime files on the target machine. For hosted deployment, this repo exports `nixosConfigurations.noisebell-do`, a small DigitalOcean NixOS host that imports `noisebell.nixosModules.default`. The host provides deployment-specific values like domains and the Pi address, while the Noisebell module itself points `agenix` at the encrypted files in `secrets/` and consumes the decrypted runtime files on the target machine.
Useful commands: Useful commands:
- `./scripts/nhs` redeploys the remote cache host using the local checkout as the flake input - `./scripts/deploy-do [jet@noisebell-do]` redeploys the DigitalOcean remote host
- `./scripts/nhs` redeploys the old Hetzner host using the local checkout as the flake input
- `scripts/deploy-pios-pi.sh pi@100.66.45.36` redeploys the Raspberry Pi OS machine - `scripts/deploy-pios-pi.sh pi@100.66.45.36` redeploys the Raspberry Pi OS machine
The full Home Assistant relay workflow is documented in `pi/README.md`. The full Home Assistant relay workflow is documented in `pi/README.md`.

17
flake.nix
View file

@ -435,7 +435,8 @@
}; };
}; };
nixosConfigurations.pi = nixos-raspberrypi.lib.nixosSystem { nixosConfigurations = {
pi = nixos-raspberrypi.lib.nixosSystem {
specialArgs = { specialArgs = {
inherit nixos-raspberrypi; inherit nixos-raspberrypi;
}; };
@ -451,15 +452,29 @@
]; ];
}; };
noisebell-do = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
self.nixosModules.default
./hosts/noisebell-do/configuration.nix
];
};
};
devShells.${system}.default = craneLib.devShell { devShells.${system}.default = craneLib.devShell {
packages = [ packages = [
agenix.packages.${system}.default agenix.packages.${system}.default
pkgs.curl
pkgs.doctl
flash-pi-sd flash-pi-sd
pkgs.jq
pi-serial pi-serial
pkgs.nix pkgs.nix
pkgs.parted pkgs.parted
pkgs.rust-analyzer pkgs.rust-analyzer
pkgs.openssh
pkgs.tio pkgs.tio
pkgs.wrangler
pkgs.zstd pkgs.zstd
]; ];
}; };

167
hosts/noisebell-do/configuration.nix Normal file
View file

@ -0,0 +1,167 @@
{
config,
lib,
modulesPath,
pkgs,
...
}:
{
imports = [ (modulesPath + "/virtualisation/digital-ocean-config.nix") ];
system.stateVersion = "26.05";
boot.kernelParams = [
"net.ifnames=0"
"biosdevname=0"
];
networking.hostName = "noisebell-do";
networking.useDHCP = false;
networking.usePredictableInterfaceNames = false;
networking.nameservers = [
"67.207.67.3"
"67.207.67.2"
];
networking.defaultGateway = "143.198.128.1";
networking.interfaces = {
eth0.ipv4.addresses = [
{
address = "143.198.141.161";
prefixLength = 20;
}
{
address = "10.48.0.5";
prefixLength = 16;
}
];
eth1.ipv4.addresses = [
{
address = "10.124.0.2";
prefixLength = 20;
}
];
};
networking.firewall = {
allowedTCPPorts = [
22
80
443
];
allowedUDPPorts = [ config.services.tailscale.port ];
trustedInterfaces = [ "tailscale0" ];
checkReversePath = "loose";
allowPing = true;
};
virtualisation.digitalOcean.rebuildFromUserData = false;
services.do-agent.enable = false;
boot.kernelPackages = pkgs.linuxPackages_6_12;
boot.loader.grub = {
enable = true;
devices = lib.mkForce [ "/dev/vda" ];
};
fileSystems."/" = {
device = "/dev/vda1";
fsType = "ext4";
autoResize = true;
};
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu"
];
users.users.jet = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
};
security.sudo.wheelNeedsPassword = false;
age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
services.tailscale.enable = true;
services.caddy = {
enable = true;
email = "postmaster@extremist.software";
};
services.noisebell-cache = {
enable = true;
domain = "noisebell.extremist.software";
piAddress = "http://noisebell-pi";
outboundWebhooks = [
{
url = "http://127.0.0.1:${toString config.services.noisebell-discord.port}/webhook";
secretFile = config.age.secrets.noisebell-discord-webhook-secret.path;
}
{
url = "http://noisebell-pi:8090/webhook";
secretFile = config.age.secrets.noisebell-relay-webhook-secret.path;
}
];
};
services.noisebell-discord = {
enable = true;
domain = "discord.noisebell.extremist.software";
channelId = "1034916379486322718";
};
services.noisebell-rss = {
enable = true;
domain = "rss.noisebell.extremist.software";
};
zramSwap = {
enable = true;
memoryPercent = 100;
};
nix.settings = {
experimental-features = [
"nix-command"
"flakes"
];
trusted-users = [
"root"
"jet"
];
max-jobs = 1;
cores = 1;
auto-optimise-store = true;
};
nix.gc = {
automatic = true;
dates = "daily";
options = "--delete-older-than 7d";
};
services.journald.extraConfig = ''
SystemMaxUse=100M
'';
environment.systemPackages = [
pkgs.curl
pkgs.jq
pkgs.tailscale
];
}

20
remote/README.md
View file

@ -29,7 +29,7 @@ nix build .#noisebell-zulip
## NixOS deployment ## NixOS deployment
The flake exports a NixOS module for the hosted remote machine. It imports `agenix`, declares the Noisebell secrets from `secrets/*.age`, and wires the cache and Discord services together with sensible defaults. Each service runs as a hardened systemd unit behind Caddy. The flake exports a NixOS module for hosted remote machines and a complete `nixosConfigurations.noisebell-do` host for the small DigitalOcean droplet. The module imports `agenix`, declares the Noisebell secrets from `secrets/*.age`, and wires the cache and Discord services together with sensible defaults. Each service runs as a hardened systemd unit behind Caddy.
```nix ```nix
{ {
@ -62,6 +62,24 @@ The flake exports a NixOS module for the hosted remote machine. It imports `agen
} }
``` ```
The production DigitalOcean host in this repo enables the cache, Discord, and RSS services on the existing public domains:
- `noisebell.extremist.software`
- `discord.noisebell.extremist.software`
- `rss.noisebell.extremist.software`
After installation, authenticate Tailscale interactively on the host with:
```sh
sudo tailscale up --hostname=noisebell-do
```
Redeploy later with:
```sh
scripts/deploy-do jet@noisebell-do
```
`nixosModules.default` handles these secrets automatically: `nixosModules.default` handles these secrets automatically:
| Secret file | Deployed on | Used for | | Secret file | Deployed on | Used for |

16
scripts/deploy-do Executable file
View file

@ -0,0 +1,16 @@
#!/usr/bin/env bash
set -euo pipefail
target=${1:-jet@noisebell-do}
if [ "$#" -gt 0 ]; then
shift
fi
SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
REPO_ROOT=$(cd -- "$SCRIPT_DIR/.." && pwd)
exec nixos-rebuild switch \
--flake "$REPO_ROOT#noisebell-do" \
--target-host "$target" \
--sudo \
"$@"

9
secrets/bootstrap-identity.age
View file

@ -1,6 +1,5 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 Ziw7aw HhAAwL59eDWhqjnkhN134gANCHnfzZWKUKze1G4FlwE -> ssh-ed25519 Ziw7aw UN1o36xuqmTT5yEU0VbvmlXjy5Vi2ap3f2P8a0VYzQM
hIz028hPGQZTQLePmiEnvAgam01U8w1LV6gjwcr9oEI o/vBWDo78U1Ryxw6YH8Ucs9NaODpwBbhjKsnX3qnqRA
--- KERP4zeE7cbDbEcD1LLqWvSqEU92i16y3inUL8U5640 --- 6acvZXBUKhTMv3FYXiaom59plFQ8504JFiuefo17XvQ
¤úümîDûá{¾(ùΤO1æÙ þ‘%Ô²•C4}’ŽðèÄ'B±Mád¼u®Co{ÒÙÁyyWÓˆkºÐ¡cjŠIÒ]pyÒå@X“uützc¨4]<5D>ðy¾B¤*ì5=Òñ™8ºÚµò?¨¼~xÄìϨ<>Ìì‰J®³ˆöéÊÇéiÚîð®EŠa9j rïbóI.óRT€Ç…ÍBB·RR¢Žmbìä©G'k'EÑZ¥ªÓFn»/ÏSÖ¬Mo¢xÞ ¦ ´gE+jûƒþÌì‹&Ä5`¸á<>e,t]*œwÌCP¿îû^Ý-+¬wäCž…Ù7ÐúhÉÒ¤8½K Ñ&€UÍR.ûŽ§•®ÞИ£Øè-_·×ž¢ )CGyPúcS±kéØB¬¬CývÐÑ"­¹'w¬òŸí¬"ÆÂÏe(5[ øYRc¥žxmõäF¼àl~<7E>­n=Õýq¼Šx0ëy¤@M9Ùé~” $,<2C>Ïá:Ù"¼·ß”Éý ‡šÇÏ_¼öÔT …™C:¾Š`P…€Ð¤3
<sâCi½¢ü<05>×±

BIN
secrets/cache-to-pi-key.age
View file

Binary file not shown.

14
secrets/discord-token.age
View file

@ -1,7 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 Ziw7aw 756HU1sPe5g3sa0YYfzMnXiToT5K+nfAPhfABEetgRI -> ssh-ed25519 Ziw7aw 0xkRcZAenJ0AtyrZhXvhNtW71BYphs4kEFgoXxieE1o
E8dqhn7hN77qM0PhHMEAsZySd1hfk0w1tlsiWj4aEOQ J/WUXCDNeNB5kBWvBVGfGnyNl9nNhDcPnuLY4USwSD8
-> ssh-ed25519 uKftJg eGfmzvHseauAFPOR1QXfdmaQy5TjpNsoBWq27mbO50w -> ssh-ed25519 uKftJg zLZMo3cOHmtJL3YzUd4BWRIpbRAFL7MU2jnpcrsEUWk
KRuGUW65uQ5+IdREyg6X1oj0P5IkuuxFEl1WylGpAHc qqeTIlJikW57D9tTmh7dDpYeNiZAAJn0QBfPcMuX4Uw
--- 2Ya08payqNiMCEqBXrbKEA53ETupxwgUNRcMNu9IP6k -> ssh-ed25519 l4GuVg Db8aGfZ1kOQNJo/aN0S6R6aVqCKL+1iTC3xMATGapGU
&°‰¢ÏvÄ<76>tBšL˜.¬HéÚ“Y P®Sç3Tó¹•4䱟D¬ s,9Ñeã4TpåÌ,Gë?KtJmwF' ®0³ÉXy»<á÷<E28099>î>½\Áç^þ°m»ÜrÊÏùµŸÏü lqiz9Ck6UqiXyI16yLDHG5rZjIu+8jXV7INm/YnJM4w
--- wRrLhnRAiJJ4rzfeE4wCAGCwAXfoExTcNNnIItOTVXA
æøti£Êýgݹ¡Ž 7Ò¶”Øïrs5 ²N,Lµ+mt³_{À:ºË$«V·ïg Sþ¿µ,¬‹†*PÇ`?#11/tMï¸È}åƒ$¦TNV@;ÇQý<51>á1zµ“Š”

15
secrets/discord-webhook-secret.age
View file

@ -1,8 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 Ziw7aw rZ/ka797yEKkW7xRwxbSJK9NBym4/D2BuC8jQvofwDE -> ssh-ed25519 Ziw7aw iAMwtlZYTaco91cAKjOWMeHxOyStgNpsn2H+9ITaIiI
tj9Bjlz4LHH08T4TWbsdyND1jUVPMgOZ0FH0YwBqQ/U 5+nCUM1pD5kGNQfAtJmBVVxsQTqOP0JOGUDSxq3cdAk
-> ssh-ed25519 uKftJg dBonrYNHmF+jvS6/bBLhPoB6t3pu8A/77YOxG1NRE18 -> ssh-ed25519 uKftJg ohDuFQgByMxfagkHkLNn2oGavfAcDo1m95fXLY4XUSM
fKe4h8fWURBeSd16fiGGh2fyOO5pAzpwn13bYtnNHwo tjji67gI3nxhgwSszBxAriCuPwgjPLy3iu+usT16Vic
--- NssWFWKEXWgN7U1HUo3UlW1vhYKUeRuyQPVqnWVXyEY -> ssh-ed25519 l4GuVg 6vtnUc22qj6MPfDCBPCWsYkNeaOwcrpGDX8cuUCdu0w
X-“Þô¥oÇËÑ­îJ%>#ã?ØO¹š/ÜɈE*7·ø/ yvwpA+kIsxEuCQHkng5kGswDyxTeZGKlgxeCQ7xymrQ
œ¸J“ù´nEª½Yÿ Oynüï6¤yË(oÏž2Í…còõ‰ÚBOR,Í¿˜ --- 4Te4wdjCTn2UF6lPs+p0lGhiWtrcaMPUuAfpuEmPzFM
î6SÞ~üÄÈ_$†µ¬ÚÇ¢ˆ«ÝFò¾¨h{ô<>;è ¶ïÊö®8agKëñæõü¸9(-VÔ sä§<>¦ñÜïæ÷¾RE

20
secrets/homeassistant-webhook-id.age
View file

@ -1,13 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 Ziw7aw v3z9Oh1DYMesxOG184H6mSS7NYqhdvjo8iYlJ5kQYzM -> ssh-ed25519 Ziw7aw H8kYx+1tkUTWGNcqrZRTplNKVJ0mNJEZJZmGaRYP2mo
O+OWaXU7uwy8krNNjUdyUWjvEdb62cVt1+tSaEwfHkc sCr5MTCG7NkM5l8K17zvinnmSSGei0hGSy4aqp1EAG8
-> ssh-ed25519 NFB4qA k6ZSOTL5p6Ek3Dkw5sWnjdwwKWwMJEbXXq8vWosz1QI -> ssh-ed25519 NFB4qA jEpRgq7/FG6BWYWDkfXUvrU5Hgrq1YXrSty+kkw5AgU
vooc7eaB5s4ib9gzKdK9u/Cqyeud2h7BhMaxCZGbFWI MMeYvJelH2aKke4VagZCizOt1jntLI8WjstRx5r9Qxw
-> X25519 RmqIi6m7+iE8ACgfTRl7oiOdfCEMv7u2o0m/5wr87jY -> X25519 QWrkAXUKDeRLgkkkQ1ocQK/bJFlB+M3wntjt8BEKgRs
8gUgzgjbVKhW6NagnFqUv849nD6UaUxZoRsEaPmS+SQ fqih2zeA3okdBfphDPkdbxaSnadR5UbdvdXd9aHlBDs
-> 0\[*-grease ]^ Q< Ejv ndNP1G` --- MnXm0lW6bZFXkl4VLuc2brMiSPrXzGMAPnSs/ekvcAY
MVT8TeupnrxLy09AluP8AflxxORyLJSXclKVaqFjLKik20VE9Q0NvwhDPgcv24aS wr<EFBFBD>·â@¶pl<þʇ+ƒð>­ßNpYK8É4H䦋Ìû)EÝ3ËÅÆŠ§H¨"y>sî<73>'Ã.z
zQTuJpmKDsTJV0I/WofypfV0hZFIbDBTuVTxCWqwtzU4IsfEIXHXUVdoyseL4FS6
--- eMEg3OcfDfdlEKSy688XEXQAXJ8xydvzWrkQwdrvIPg
§nŽÉ¹€,êÀ26o#¦cϬVàÑ-s[$¯>¶Ã7-,D,º²ZZ¶æ% mºg°O‰

23
secrets/pi-to-cache-key.age
View file

@ -1,12 +1,13 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 Ziw7aw ZaLRvgj6V9ukim0lfxHftVUvCXi7tIXPn5O/2nzQqCE -> ssh-ed25519 Ziw7aw soxQRZjcwuFkOqFS6x2Cw/1YtOD4CkTnsWpY4K2Moiw
cem5AxKMkYOs8iifYP80hkbr5km7bFOdjCt7Ym6lQcs KxdY3gJTKxj6YqiMK+Oh+26qzbFEkcsZEpzb5HDE0T0
-> ssh-ed25519 NFB4qA ssMeOzGjehzTeppIGHpzPViIKObSwnXw6OZ1DfXs6Ew -> ssh-ed25519 NFB4qA xYDzW2Qxw8nLi5wLJ2SWeuVwRfi673PqgMzBEg+WT3I
Y813udN4YGDMszEC8FVZz7Na6XQigVNFTdusLomMusg SxngK4GNmLIeqGggWTqSVaaOBNyDqtC93xK82rX7sVQ
-> X25519 qmoLWSdRljn6daPlUyqk9TOOvBaUx42CvqcpXe/xUCE -> X25519 TQIdaqxCpOfSnOKiNqjE+IIpw076cdKCUAMLay2xqSg
7xMN5RbYnpgw3+/pHyCiEyEhyUmQOwa1zSlAbuVwlQo V+IgmEjW/3Jj0Rv3EJRCbi6KyDa+Vr4MiYquV2YgY0Q
-> ssh-ed25519 uKftJg Fv8M0RogkcYWd46bJY3OJCoCFAW8QMjzLueDZowylSA -> ssh-ed25519 uKftJg WE6KAFY2s2e3sAY9lW/Fqs8pEVziif7119vv2WL9tUM
R3w6E2RvDmgaKKhxqWHjEeIQxNSCHzX7+nLb3Ls+iHs 4u3LlOECC+IO+x8uD3gr0LZBg48nuDD+2iiXh1MCLxU
--- 13dp1N6I6pPdDx+FrxsT+ZS5rsFfrK3x0F7Rs6vN6/I -> ssh-ed25519 l4GuVg huZR6w6uZIs6nlPFda5A29Tm+YQNP7ZDc53/RnlcRDA
ÖBI¬8Ż nZ3dWTIJDChrfQSGUvI3/3g7JmFZ0pmCzFRuzkLcLkQ
9”<39>úŠ/ěšÂÚqXžŕÄÇ[𮠼™Í ;ž§Ž†*Ć·¨»ńJ2|ŃS(đ‚$Ó©ŘÎ<>SÁ*m --- +mkAGvbKXfMqdgTSfV4t36anO8Nqn0F/EsBBvtuAkQ4
GW.§®¼´›~å©×êaÑNÕxº`ÒqŒ%bÄ&ÞñülSÙ2~Zs4Õöâq×öνAÌÀÂÆ¥“?BTlÞl™„†7ØÌ­ˆçœ

26
secrets/relay-webhook-secret.age
View file

@ -1,15 +1,13 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 Ziw7aw LgNC5vZwo/fdnY9FzszAmVBb6E6BkDsy302kU6psElE -> ssh-ed25519 Ziw7aw fhKhnBldih6kd4HdQdFS/T7Wf3Evg0EPbcEl5W6vNx0
AWMlR/lsYKT3d2i8af7bD98tBYLM9HIbMugcrzaKuPM K8ax57mGEp69FCVF3UiGUBDMmT95pbij3+yDB1N9WCw
-> ssh-ed25519 NFB4qA 7SDpxJZHHr52Mv3MVxJj1hVc/ZiMSSo4tzmsh62/jHg -> ssh-ed25519 NFB4qA ttL1cUZWVlZwTZiFDYCsqxb+LpOESuI1a6JF1jCTuEI
4qne6NwF53k/Ib03T/qlRvzrLdn0RSMxmzoD2c7b4po E0hheZeqVU6rZ9DuRDDybTLPrXwQJEqpmwLoKsw6cIk
-> X25519 Ps/z3IuGnygYRf6YAYa/TFpvHrNjx2BdplT9zswz/hY -> X25519 999iufykXmRVaC/UVxNlV5xNn72Aj2N56995k2rx1Hg
Bjgas+BRm/1fi/S7i3NOEB703sYg5DFrEwWixYqGaeo KB8fl3kzo8LTC3uroZvGG3FIep6V2ZXIlBq9T50I5ig
-> ssh-ed25519 uKftJg AMV3loJMEW6B+nW/IPxcJc2xqJubOlGXGJkWlMWoLEU -> ssh-ed25519 uKftJg ADJl5ur5o1pbaaQGNyuni16Vm7kqJKx+m3Zezx3ETBc
54zihHrr1sgdderBh/fyj3sifPQc+A/M8ca6vlq1/XE Pf6SQ1JzwZkfwK8wZxSZ9Vd14o+q+bS/vA6iB1milD8
-> 9.gStO-grease ]H[$m[ax Elz_qFV )#FNFqG b~mv$n8 -> ssh-ed25519 l4GuVg tPSh2Ww/Id+zgNtXUVocbCpw8zNY7AWkPSnXVzjkGyk
JKxci4Ph7xZCVBr4dX5Gh7Q1GMRxFM2lPcJfGL0iFhwvSGxec+QD0VkZ9+zLVCMD /jijxdK9CFpVXR/M7ir1NSXWhR4iMbCIymSQ946/OQg
bZvSQ0LJCh5XucekWtR66ZlVSrURWjxdJQh3YhBTUMEezLdZIbe/Rg --- +5H40eoLK4HvSDwR+mKpLiDpVJYzHjQ9qjmqoiOaHDM
--- w6fTJ89HtOUIGgw1jUdITJwcahPHxxHKqR0KPi0Zphs ×vqŒú>üßasgC£}%&åš<C3A5>·6·ðÝëøçcu¼3݈°nGQ9XjÂ<6A>{²2h³;jÈM©(äqfiŠÝXÄe¨E%|ÿn ¥Èþ±èy¼*ÔûÙýw´H
šÉ Þ3¨û¯ºâ<C2BA>ൺ»O`˜ë=ýÎ^ÓW«Nœx<nÅ
åh—û4î'r<0F>$­à¹šõ ~¶-ƒR¨çPøÍ-.<> JãŸØY4Žä¶¢bL}¥ü¥œ

8
secrets/secrets.nix
View file

@ -2,6 +2,7 @@ let
jet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu"; jet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu";
pi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEfZfAQEFy8QU5P7deC2vWPN76YpUKcBF8fiWwuANumG"; pi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEfZfAQEFy8QU5P7deC2vWPN76YpUKcBF8fiWwuANumG";
server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAING219cDKTDLaZefmqvOHfXvYloA/ErsCGE0pM022vlB"; server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAING219cDKTDLaZefmqvOHfXvYloA/ErsCGE0pM022vlB";
noisebellDo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSxn7Fz4FYf9cwVgjPICdS07S6pHLoet9iOKKHIBR2g";
piBootstrap = "age1sfqn46dgztr35dtyhpzyzzam5m6kcqu495qs7fcsdxtac56pc4dsj3t862"; piBootstrap = "age1sfqn46dgztr35dtyhpzyzzam5m6kcqu495qs7fcsdxtac56pc4dsj3t862";
in in
{ {
@ -11,12 +12,14 @@ in
pi pi
piBootstrap piBootstrap
server server
noisebellDo
]; ];
"cache-to-pi-key.age".publicKeys = [ "cache-to-pi-key.age".publicKeys = [
jet jet
pi pi
piBootstrap piBootstrap
server server
noisebellDo
]; ];
"tailscale-auth-key.age".publicKeys = [ "tailscale-auth-key.age".publicKeys = [
jet jet
@ -26,14 +29,17 @@ in
"discord-token.age".publicKeys = [ "discord-token.age".publicKeys = [
jet jet
server server
noisebellDo
]; ];
"zulip-api-key.age".publicKeys = [ "zulip-api-key.age".publicKeys = [
jet jet
server server
noisebellDo
]; ];
"discord-webhook-secret.age".publicKeys = [ "discord-webhook-secret.age".publicKeys = [
jet jet
server server
noisebellDo
]; ];
"homeassistant-webhook-id.age".publicKeys = [ "homeassistant-webhook-id.age".publicKeys = [
jet jet
@ -45,9 +51,11 @@ in
pi pi
piBootstrap piBootstrap
server server
noisebellDo
]; ];
"zulip-webhook-secret.age".publicKeys = [ "zulip-webhook-secret.age".publicKeys = [
jet jet
server server
noisebellDo
]; ];
} }

17
secrets/tailscale-auth-key.age
View file

@ -1,10 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 Ziw7aw Wx6m6fWrZstI1M3mFySXEtCEeiYOK3EB8xUVLKe8my4 -> ssh-ed25519 Ziw7aw K8xQD89TLP/kHNcC5JrkXH0hyI2cHRUdwJbys+Ph5l4
T0Evdcs7+hsWYU0M2AEWbGCtdOwHNHgk/bBXZ0jpPg4 p2VjT1xtbFONoUoxkKZ9hd6I4EkCZkduYXGEUwDP+jo
-> ssh-ed25519 NFB4qA KlrsRc4Us/7WCoCk3hYNVvmeNYvfMH4hOuXAkLFipkw -> ssh-ed25519 NFB4qA t4EM6KhJ83LYWFI8xD1HhACoSi+lDaYvvU5Y79IyIxQ
y/rCNHka6HDr5HdfMazlqaebcBO0K50rzcb3igcMxpw lKm+T/vHSRMOXRwVP8hupyPhZ4RbqEg9p4YyoIRE9FQ
-> X25519 XTXs2qhJK1noZZtCHCol6IlN48s3nDOqIHX86PmQo2o -> X25519 fLnnms5u3DLhpjl8rYAavGGiFnTc/5AMkNpN5kjpVzc
eHxpTg3QsTd3EzLUQAecNtGI7+NvP3zxFhUd8zHTuvQ F2slc8rpxaNSbRnJ0COvSdZBBrfHI/FqbAUGmL9CigE
--- mFSpkYW6U5vQaH+a3fqVW5/ODOZwounsybqkLQoLqY0 --- p96hcRVjtMIwOMFyL4mbLMtD/0jqkyIS2W/THaJPh2E
yqÙ¶GŠŒ ƒõ~,<2C>Aâ[\ú‰¥÷FhGà? q49ာ2Ûj5Nß}Ä2z´Htðþ×)“Üu†)øC<C3B8>Èx‡_}ì8y»Ü0pÀå¼@<40>=¹+šùêΘvnkûÈxÕ˼
ƵM“V=ÙÚXI£cÕò<C395>|³,ìÊQQÁð|×É<C397>±ÅÄŽ×y= ¶¬÷ê +.·x«·“úRlÉÔóË4´Yï_N©é Á&—0TVƒß,X@½4ª7

14
secrets/zulip-api-key.age
View file

@ -1,7 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 Ziw7aw 6YAV0osp6aSWIIPCsP2kxAMkrDU28P1zBmUBwQ+p8zg -> ssh-ed25519 Ziw7aw mlvpnohGOe65UnuqKk7yK7iIXxokhsI7+Wj99L5rkAY
AfON2WAv+DlE6huU1/A16RAcYvs/HTmbST7gtOcn4HA NMe3hGW6SSu241yv5QLFzUnJNLtlMCcx09GPuNUTBYs
-> ssh-ed25519 uKftJg r9Ci+Heth7AyRm2ZXNH1Sa/jpnepEPfyYfT2uf9q9jc -> ssh-ed25519 uKftJg 1JmAexX9Yl4kKKMmgUjdRWy9L1ryu4Yq7JGlECRn4nQ
NQI11W4r8JRkoSsJUnGPc97DFfJy0Gqj83IlRShXgcU RUHrVZcDW9Uqe9v/WqtBfJk93WtK6tiYI74VHslsLng
--- ZY8XqiGC40WiD9RRAYWC5nQ+ymXdMsTdt1G+YohJxxk -> ssh-ed25519 l4GuVg Cju7F4S2BPdPsBT2DzRJt6vt4pss2Xpmvqys//troz8
‘”+…¦qžm€DZ÷ÉÙ¹ROߣF[ThÊ<13>ˆöš\";WðÁ‹5‡{v„°¥ùšötügWCb,Ñ»:b9 sBCKhFu9R1ju/Tcoe2OkYCHt5IeSmq3nXA92ZGiIScg
--- LXuVK8LF5PO0wdILxDZFWas9GG4edScLr2Zpp6OOU0M
©†J}°ê³f,|¼›ÔͶͼ*» ÆF¡”¢.<2E>¼k((HU$|aÉrkJh¾'…ØݽÔ"yÇÿ¨í

14
secrets/zulip-webhook-secret.age
View file

@ -1,7 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 Ziw7aw 9Da19useHIZG/q7hc3+FcMTfV0hsS4A3E/e16TTNgCU -> ssh-ed25519 Ziw7aw Pu31idlsUcfsOWNF4ynRoIXsy+PsDW9opMcZiPHxtRs
y4/UsjxFSbAgdC1ADa/Mz3NxTutPayOPHE2Kczu69Yg stEIbEP7AS5HnWPV9A538J5CYsqGWi7ZyiUtFCygqto
-> ssh-ed25519 uKftJg Sr4MInGNiNaL9LleBT9i7vbI5VrVkOr//h5Jm7ktwCA -> ssh-ed25519 uKftJg TvJ6E08Ae0gfsyuZT7CVSPXTdmCGjKVj6y2Lvnds3hg
lI3v7oSGgtnR78+hKEFft1O1B1JPlJTx2JB66NFGYdQ KwX0gfyFPAUOoEXjMlgfPw69HbSqDCty2dwWW0J8Z1I
--- 72Wb0XrPWRaPWxh6hmgB+BAEC1CI+oI0EsDIQRNZP4M -> ssh-ed25519 l4GuVg PubeSLY7DALHmWGvOfxaHKe2rbdopfrNtHh3uUCzTCI
BÀ;Ê“€²úŸ(ùäó8_FžÈ#Z£m­êFÄ™îJô_j¤novyYË2JfJœ&úŠ„aMÁ¬9—33©[ ¿rÿ Ó(+t XEybAIvk1r5jLP9TMr5ckERf4qDnzBosatALZpsP6HM
--- vLCQqr/Wg4hD/HNTi5b+qblUh4DFbD2zrud90z7Bycw
@<>[¡ï:…â'6ž1Ñ.þÒ,U rÜ»¥Àïf&3<>C””­ú$¬…r„¬4p@N"bf>Äd—Iå<49>Å„ëÃöçy+jK#~½<>y