feat(MOMO): setup syncthing and vaultwarden

flake.lock

@@ -45,6 +45,26 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1734701201,
+        "narHash": "sha256-hk0roBX10j/hospoWIJIJj3i2skd7Oml6yKQBx7mTFk=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "2ee76c861af3b895b3b104bae04777b61397485b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -138,6 +158,7 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "disko": "disko",
         "home-manager": "home-manager_2",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",

flake.nix

@@ -12,9 +12,18 @@
       url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
   outputs =
-    { nixpkgs, agenix, ... }@inputs:
+    {
+      nixpkgs,
+      agenix,
+      disko,
+      ...
+    }@inputs:
     let
       mkSystem = host: {
         "${host}" = nixpkgs.lib.nixosSystem rec {
@@ -23,6 +32,7 @@
           modules = [
             (./hosts + "/${host}")
             agenix.nixosModules.default
+            disko.nixosModules.disko
             { environment.systemPackages = [ agenix.packages.${system}.default ]; }
           ];
         };
@@ -32,8 +42,9 @@
       nixosConfigurations = nixpkgs.lib.mergeAttrsList (
         nixpkgs.lib.forEach [
           "APPA"
-          "T430"
           "IROH"
+          "MOMO"
+          "T430"
         ] mkSystem
       );
     };

hosts/APPA/default.nix

@@ -13,6 +13,8 @@
   ];
 
   bchmnn = {
+    home.enable = true;
+
     git = {
       signing = {
         key = "0x7753026D577922A6";

hosts/APPA/services/adguard-home.nix

@@ -50,10 +50,6 @@
             domain = "anki.dryb.org";
             answer = "192.168.2.40";
           }
-          {
-            domain = "vaultwarden.dryb.org";
-            answer = "192.168.2.40";
-          }
           {
             domain = "paperless.dryb.org";
             answer = "192.168.2.40";
@@ -62,6 +58,22 @@
             domain = "jellyfin.dryb.org";
             answer = "192.168.2.40";
           }
+          {
+            domain = "momo.dryb.org";
+            answer = "188.245.216.128";
+          }
+          {
+            domain = "momo.dryb.org";
+            answer = "2a01:4f8:1c1e:8abc::1";
+          }
+          {
+            domain = "syncthing.dryb.org";
+            answer = "momo.dryb.org";
+          }
+          {
+            domain = "vaultwarden.dryb.org";
+            answer = "momo.dryb.org";
+          }
         ];
       };
       dhcp = {

hosts/APPA/services/default.nix

@@ -11,6 +11,5 @@
     ./nginx.nix
     ./paperless.nix
     ./postgresql.nix
-    ./vaultwarden.nix
   ];
 }

hosts/APPA/services/homepage-dashboard.nix

@@ -111,13 +111,6 @@
               icon = "si-anki";
             };
           }
-          {
-            "Vaultwarden" = {
-              description = "https://vaultwarden.dryb.org";
-              href = "https://vaultwarden.dryb.org";
-              icon = "vaultwarden";
-            };
-          }
           {
             "Paperless" = {
               description = "https://paperless.dryb.org";

hosts/APPA/services/nginx.nix

@@ -36,13 +36,6 @@
         proxyPass = "http://127.0.0.1:8004";
       };
     };
-    virtualHosts."vaultwarden.dryb.org" = {
-      useACMEHost = "dryb.org";
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:8005";
-      };
-    };
     virtualHosts."paperless.dryb.org" = {
       useACMEHost = "dryb.org";
       forceSSL = true;

hosts/APPA/services/postgresql.nix

@@ -5,15 +5,10 @@
     enable = true;
     ensureDatabases = [
       config.services.gitea.user
-      "vaultwarden"
       config.services.paperless.user
     ];
 
     ensureUsers = [
-      {
-        name = "vaultwarden";
-        ensureDBOwnership = true;
-      }
       {
         name = config.services.paperless.user;
         ensureDBOwnership = true;
@@ -23,14 +18,12 @@
     # type   database     DBuser  auth-method  mapping
     authentication = ''
       local  gitea        all     ident        map=gitea-users
-      local  vaultwarden  all     ident        map=vaultwarden-users
       local  paperless    all     ident        map=paperless-users
     '';
 
     # name               sysuser        dbuser
     identMap = ''
       gitea-users        gitea          gitea
-      vaultwarden-users  vaultwarden    vaultwarden
       paperless-users    paperless      paperless
     '';
   };

hosts/MOMO/default.nix

@@ -0,0 +1,38 @@
+{ ... }:
+{
+  imports = [
+    ./services
+    ./hardware.nix
+    ./network.nix
+    ../../modules
+  ];
+
+  bchmnn = {
+    network = {
+      resolved.enable = true;
+      networkd.enable = true;
+    };
+    collections = {
+      cli-utils.enable = true;
+    };
+  };
+
+  services.openssh = {
+    settings = {
+      PasswordAuthentication = false;
+    };
+  };
+
+  users.users.root = {
+    openssh = {
+      authorizedKeys = {
+        keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOG8Sja2i6nepkEkuxYdu86XbT9vS5uniBmZifSMZ0t jacob.bachmann@posteo.de"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrE1fMXjJXI8f1mKvhLquwSsb4tvLh5Tq0n+yOakQks gandalf@appa.dryb.com"
+        ];
+      };
+    };
+  };
+
+  documentation.nixos.enable = false;
+}

hosts/MOMO/hardware.nix

@@ -0,0 +1,68 @@
+{ lib, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "BOOT";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "ROOT";
+            end = "-8G";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+          plainSwap = {
+            size = "100%";
+            content = {
+              type = "swap";
+              discardPolicy = "both";
+            };
+          };
+        };
+      };
+    };
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/MOMO/network.nix

@@ -0,0 +1,22 @@
+{ ... }:
+{
+  networking = {
+    hostName = "MOMO";
+    interfaces.enp1s0 = {
+      ipv6.addresses = [
+        {
+          address = "2a01:4f8:1c1e:8abc::1";
+          prefixLength = 64;
+        }
+      ];
+    };
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "enp1s0";
+    };
+    nameservers = [
+      "2a01:4ff:ff00::add:1"
+      "2a01:4ff:ff00::add:2"
+    ];
+  };
+}

hosts/MOMO/services/acme.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "gendulf@posteo.de";
+  };
+}

hosts/MOMO/services/default.nix

@@ -0,0 +1,9 @@
+{
+  imports = [
+    ./acme.nix
+    ./nginx.nix
+    ./postgresql.nix
+    ./syncthing.nix
+    ./vaultwarden.nix
+  ];
+}

hosts/MOMO/services/nginx.nix

@@ -0,0 +1,27 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."syncthing.dryb.org" = {
+      addSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8384";
+      };
+    };
+    virtualHosts."vaultwarden.dryb.org" = {
+      addSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8005";
+      };
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      80
+      443
+    ];
+  };
+}

hosts/MOMO/services/postgresql.nix

@@ -0,0 +1,26 @@
+{ ... }:
+{
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "vaultwarden" ];
+
+    ensureUsers = [
+      {
+        name = "vaultwarden";
+        ensureDBOwnership = true;
+      }
+    ];
+
+    # type   database     DBuser  auth-method  mapping
+    authentication = ''
+      local  vaultwarden  all     ident        map=vaultwarden-users
+    '';
+
+    # name               sysuser        dbuser
+    identMap = ''
+      vaultwarden-users  vaultwarden    vaultwarden
+    '';
+  };
+
+}

hosts/MOMO/services/syncthing.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+  };
+}

hosts/MOMO/services/vaultwarden.nix

@@ -2,9 +2,6 @@
 {
   age.secrets.environments-vaultwarden = {
     file = ../../../secrets/environments/vaultwarden.age;
-    # mode = "640";
-    # owner = "vaultwarden";
-    # group = "vaultwarden";
   };
 
   users.users.vaultwarden = {

modules/core/applications.nix

@@ -32,6 +32,8 @@
       pkgs.inotify-tools # a c library and a set of command-line programs providing a simple interface to inotify
       pkgs.mkcert # a simple tool for making locally-trusted development certificates
       pkgs.hexedit
+      pkgs.gdu # fast disk usage analyzer with console interface written in go
+      pkgs.duf # disk usage/free utility - a better 'df' alternative
     ]
     ++ lib.optionals (config.bchmnn.collections.cli-utils.enable && config.bchmnn.nvidia.enable) [
       pkgs.nvtopPackages.full

modules/core/network.nix

@@ -1,10 +1,22 @@
-{ config
+{
-, lib
+  config,
-, pkgs
+  lib,
-, ...
+  pkgs,
+  ...
 }:
 {
   options.bchmnn = {
+    network = {
+      nm = {
+        enable = lib.mkEnableOption "nm";
+      };
+      resolved = {
+        enable = lib.mkEnableOption "resolved";
+      };
+      networkd = {
+        enable = lib.mkEnableOption "networkd";
+      };
+    };
     collections = {
       vpn = {
         dryborg = {
@@ -15,14 +27,16 @@
   };
   config = {
     networking = {
-      networkmanager.enable = true;
+      networkmanager.enable = config.bchmnn.network.nm.enable;
     };
 
-    systemd.services = {
+    systemd.services = lib.mkIf (config.bchmnn.network.nm.enable) {
       NetworkManager-wait-online.enable = false;
     };
 
-    services.resolved.enable = config.bchmnn.collections.vpn.enable;
+    services.resolved.enable = (
+      config.bchmnn.network.nm.enable || config.bchmnn.collections.vpn.enable
+    );
 
     environment.systemPackages = lib.optionals (config.bchmnn.collections.vpn.enable) [
       pkgs.openvpn3
@@ -31,31 +45,35 @@
     ];
     services.mullvad-vpn.enable = config.bchmnn.collections.vpn.enable;
 
-    age.secrets = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) {
+    age.secrets =
-      keys-wireguard-dryborg-privatekey = {
+      lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable)
-        file = ../../secrets/keys/wireguard/dryborg/privatekey.age;
+        {
-      };
+          keys-wireguard-dryborg-privatekey = {
-      keys-wireguard-dryborg-presharedkey = {
+            file = ../../secrets/keys/wireguard/dryborg/privatekey.age;
-        file = ../../secrets/keys/wireguard/dryborg/presharedkey.age;
+          };
-      };
+          keys-wireguard-dryborg-presharedkey = {
-    };
+            file = ../../secrets/keys/wireguard/dryborg/presharedkey.age;
+          };
+        };
 
-    networking.wg-quick.interfaces = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) {
+    networking.wg-quick.interfaces =
-      "vpn.dryb.org" = {
+      lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable)
-        autostart = false;
+        {
-        privateKeyFile = config.age.secrets.keys-wireguard-dryborg-privatekey.path;
+          "vpn.dryb.org" = {
-        address = [ "10.200.200.1/24" ];
+            autostart = false;
-        dns = [ "192.168.2.1" ];
+            privateKeyFile = config.age.secrets.keys-wireguard-dryborg-privatekey.path;
-        peers = [
+            address = [ "10.200.200.1/24" ];
-          {
+            dns = [ "192.168.2.1" ];
-            publicKey = "JY5fb0RS7C8WyPPEeymzuMSUeIhDtICGk1FYJgTRnTs=";
+            peers = [
-            presharedKeyFile = config.age.secrets.keys-wireguard-dryborg-presharedkey.path;
+              {
-            allowedIPs = [ "0.0.0.0/0" ];
+                publicKey = "JY5fb0RS7C8WyPPEeymzuMSUeIhDtICGk1FYJgTRnTs=";
-            endpoint = "vpn.dryb.org:53280";
+                presharedKeyFile = config.age.secrets.keys-wireguard-dryborg-presharedkey.path;
-            persistentKeepalive = 21;
+                allowedIPs = [ "0.0.0.0/0" ];
-          }
+                endpoint = "vpn.dryb.org:53280";
-        ];
+                persistentKeepalive = 21;
-      };
+              }
-    };
+            ];
+          };
+        };
   };
 }

modules/core/shell.nix

@@ -1,4 +1,9 @@
-{ pkgs, ... }:
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
 let
   common = import ./common.nix;
 in
@@ -7,8 +12,10 @@ in
     enable = true;
   };
 
-  users.users.gandalf = {
+  users.users = lib.mkIf (config.bchmnn.home.enable) {
-    shell = pkgs.zsh;
+    gandalf = {
+      shell = pkgs.zsh;
+    };
   };
 
   environment = {

modules/default.nix

@@ -1,6 +1,11 @@
 { lib, ... }:
 {
   options.bchmnn = with lib; {
+
+    home = {
+      enable = mkEnableOption "home";
+    };
+
     user = {
       extraGroups = mkOption {
         type = types.listOf types.str;

modules/home-manager/applications.nix

@@ -5,8 +5,6 @@
     pkgs.gopass-jsonapi # enables communication with gopass via json messages
     pkgs.bitwarden-cli # secure and free password manager for all of your devices
     pkgs.yt-dlp # command-line tool to download videos from youtube.com and other sites (youtube-dl fork)
-    pkgs.gdu # fast disk usage analyzer with console interface written in go
-    pkgs.duf # disk usage/free utility - a better 'df' alternative
     pkgs.stress # simple workload generator for posix systems. it imposes a configurable amount of cpu, memory, i/o, and disk stress on the system
     pkgs.s-tui # stress-terminal ui monitoring tool
     pkgs.fio # flexible io tester - an io benchmark tool

modules/home-manager/default.nix

@@ -1,63 +1,64 @@
-{ config, ... }@inputs:
+{ lib, config, ... }@inputs:
 let
   common = import ../core/common.nix;
 in
 {
-
   imports = [ inputs.home-manager.nixosModules.home-manager ];
 
-  users.users.gandalf = {
+  config = lib.mkIf (config.bchmnn.home.enable) {
-    isNormalUser = true;
+    users.users.gandalf = {
-    extraGroups = config.bchmnn.user.extraGroups;
+      isNormalUser = true;
-    openssh = {
+      extraGroups = config.bchmnn.user.extraGroups;
-      authorizedKeys = {
+      openssh = {
-        keys = [
+        authorizedKeys = {
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOG8Sja2i6nepkEkuxYdu86XbT9vS5uniBmZifSMZ0t jacob.bachmann@posteo.de"
+          keys = [
-        ];
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOG8Sja2i6nepkEkuxYdu86XbT9vS5uniBmZifSMZ0t jacob.bachmann@posteo.de"
+          ];
+        };
       };
     };
-  };
 
-  home-manager.useGlobalPkgs = true;
+    home-manager.useGlobalPkgs = true;
-  home-manager.useUserPackages = true;
+    home-manager.useUserPackages = true;
-  home-manager.extraSpecialArgs = {
+    home-manager.extraSpecialArgs = {
-    inherit inputs;
+      inherit inputs;
-  };
+    };
 
-  home-manager.users.gandalf = rec {
+    home-manager.users.gandalf = rec {
-    imports = [
+      imports = [
-      ./gui
+        ./gui
-      ./scripts
+        ./scripts
-      ./applications.nix
+        ./applications.nix
-      ./audio.nix
+        ./audio.nix
-      ./dconf.nix
+        ./dconf.nix
-      ./git.nix
+        ./git.nix
-      ./gnupg.nix
+        ./gnupg.nix
-      ./keyd.nix
+        ./keyd.nix
-      ./neovim.nix
+        ./neovim.nix
-      ./shell.nix
+        ./shell.nix
-      ./zsh.nix
+        ./zsh.nix
-    ];
+      ];
 
-    config = {
+      config = {
-      home = {
+        home = {
-        username = "gandalf";
+          username = "gandalf";
-        homeDirectory = "/home/gandalf";
+          homeDirectory = "/home/gandalf";
-        shellAliases = common.aliases;
+          shellAliases = common.aliases;
-        stateVersion = "23.05";
+          stateVersion = "23.05";
-      };
+        };
 
-      xdg.userDirs = {
+        xdg.userDirs = {
-        enable = true;
+          enable = true;
-        createDirectories = true;
+          createDirectories = true;
-        desktop = "${config.home.homeDirectory}/tmp";
+          desktop = "${config.home.homeDirectory}/tmp";
-        documents = "${config.home.homeDirectory}/docs";
+          documents = "${config.home.homeDirectory}/docs";
-        download = "${config.home.homeDirectory}/dl";
+          download = "${config.home.homeDirectory}/dl";
-        music = "${config.home.homeDirectory}/music";
+          music = "${config.home.homeDirectory}/music";
-        pictures = "${config.home.homeDirectory}/pics";
+          pictures = "${config.home.homeDirectory}/pics";
-        publicShare = "${config.home.homeDirectory}/public";
+          publicShare = "${config.home.homeDirectory}/public";
-        templates = "${config.home.homeDirectory}/templates";
+          templates = "${config.home.homeDirectory}/templates";
-        videos = "${config.home.homeDirectory}/vids";
+          videos = "${config.home.homeDirectory}/vids";
+        };
       };
     };
   };

secrets/keys/wireguard/dryborg/privatekey.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 lfMVeg wulS3MiEAmeRiQWR+2m6WB2lPgPvbGLIoPpIcpTjwEE
+-> ssh-ed25519 OFTJeQ GLjSObPnRwi54E90PLmN56+01/XWV4ncMb2hIQVAIRM
-I0SrCm+wG3tRn1St9+bnwAJGSWAIA2TP6LKPQCaVCdc
+K5wnX6U4R7vWxJIAhR46Y93nYbfY8ywgCBTpl32h3Ok
--> ssh-ed25519 2ycGcg +gfN9hAI6S+2CVGp0xi+M3OJ2JfqNCubYFhKwXa86yM
+-> ssh-ed25519 lfMVeg P/y5kw0684nepV8zw7AVrKJdVXp1m9QRB92emoZtgic
-yWls3U6P8ViO9a+gNuT/fW4txOfDD7wqOmQz6k6O2fA
+3jdvPwfHqNCipa4FZCheRyloGTpl+nWopB+VmYxmnEo
--> ssh-ed25519 SiBV3Q 8+vLtNNsx2DWecy31lkXpGac78wpHu2xSu/NF+RDZGM
+-> ssh-ed25519 2ycGcg i/V1Jxl9MZXbkFceyTx/jA5mgt55u6pXvyZMUnJKnSI
-l4FaoEWeMgPIGnEuPJkDoFAmoxAM3gFLmiASxqZ/Gt4
+mzZDa0QvpixtEyk7kR98a2MBTHq3FXLIifQ/RH7WsIo
---- RsgxQpG7CP2JVKUmJC5975cY5hCuXeDYF4wMoOBM2XM
+-> ssh-ed25519 SiBV3Q 3ihfgMuU8fsUkCHOjhg9+lZxK3hreLV+OD38nfJvNVQ
-,\à j^NåvÏ•Þì‘Çw‹‘”GÏ„I
äY‘Ô…D¨ËÕOÍÞÌ_‘œ@u¢“nõƒääúìÓàÙþ¶è¯”S'HŽ³&v)lQ
+TzKuRHW2Za7NLK32MFzXlXlBJnyTvaL7907Fv42s2/k
+--- fMhdIsuJ19h9GqERg+zyub8z2L46vIoIb/RF3NC3Izs
+¨Qg¢yzË„×1„Ör¤…&–ºÊ¿MÁÞV9*<2A>T#ÇýŸ`¦î:TÅQt™£„ ÓãÆ–92$vR_ïQ„4såßÀçFfü4

secrets/passwords/ddclient/cloudflare.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 OFTJeQ Duzy5R4T6qjIQNDaM/rMLtn6owinrOPR7bsj+zNyF1s
+-> ssh-ed25519 OFTJeQ YV3PYBAAYyXqFKJZMzgWcvUiUMr0FXT1mIVu5c8ADi0
-vuz3upwrRY+p9neicV+/MYqIpqPP8LxKjb/MSd3AG50
+iYOSAD0fp2AQx2xYrwZVKz8jcxLI6dZaUYAEeRco6n0
--> ssh-ed25519 lfMVeg F5b0npiotrpPjEqEEmq13iIWrEG1duL/r+A+fFt9MUw
+-> ssh-ed25519 lfMVeg aTw9/kKTrhfe3wuJU61+4WWhu0boEmNQW4PH4WymfQc
-hXV7o5UqSnrOYmTO4PudLMH2nTn3z134YuD78ogNS+Q
+pW37WMQO10S9gn4FPlNQ9I8SZiJ8zrN539WjZ5riG4U
--> ssh-ed25519 ueRyzQ Msn3gbqPbt4anEbYGvuroa3Clgldv0c2yjJm8sviWig
+-> ssh-ed25519 ueRyzQ jduJfxSB+1+TXaoZQk8IC2OluzEhIf2PKLrqgZPgPgU
-qwsS+8V0LvR6aWWlC6/8V7oP4ClTPIH6UF7vIbSFLM0
+DFnKYH1DGcvdBblibUO+1apJ6658bUJOsb+ZCVPScy0
---- /UJ64tEwx0Jus9JEby8z4X9LtlPoYMCUTMk3T50Flbk
+-> ssh-ed25519 IYnDOQ ccAK15UhEam0UtwKEPpjPdIOdOFmBRY6riNAaoUNfRE
-Öþ}”ñEuKôh§°<}gîÃ×£§¸£“)íNGñxž©˜³Mߣ‘{*$ g`)?õrNýFò*ˆ(„é„Ìw	'i
+RqOsV0RIp8kB+pDQeidONMviP4dKu1hiwTR73oa3Uxo
+--- 67ZWOJB/9Zc7tUTHgVFFMWWeHOU6RzIf2HN2qXH05RQ
+IÄ%8!Fê;ww¿ò¡kÌKÿ}¹¥äÇÚÿó?KùÁõŽ§dÊ ÈyÇþ.ù¼ÐN$»›£fçeŠð‘ü‡
?rÇò­

secrets/passwords/nextcloud/admin.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 OFTJeQ ZR/HXJbMffa0GONFhLI54XbnMfUa44IBtmc35WfFalE
+-> ssh-ed25519 OFTJeQ Z0zahyJ9ZN+iPyEGZcdqkctRGtZHedg0n9hpw7yCr1w
-5k336aLzA40CP1qy1bhpAeOBMf/v8acDsbT3ehJgNH8
+tTaDe8+Ki2S7v3F/+0KgJ6EyS89WETy3/pSWUf3qA2g
--> ssh-ed25519 lfMVeg rNkPlKPIOnU3MX1DRAAqUrVCl2aFCD1LiULqgT94ih0
+-> ssh-ed25519 lfMVeg 7yJmsdpEXhgRekyoMU5Ut62hvo7sI+ZyLoasrzjtOmI
-s1dizDfvjFexbtOaY+8LHT4rASAmna+YtI6sThwY2lo
+qpH5kucqYFin9PZw38am7WkJWH+Cp0C7em22QiQsQJ4
--> ssh-ed25519 ueRyzQ yXUlKmMDvGQpYHDPax8AOmAupPm1MlOB8O0dWLZlPxI
+-> ssh-ed25519 ueRyzQ WGMVo2WuCuHNTZ6/a+3cPOXU50EEK/yhnyX//IrtUx8
-a/+l6l8f6Bwl6cmfob0lZnBriQ5uGE/zK/JDRwsp3+o
+2t+CUgdBuivea8Ij4tavUQTX2mzTpIUz/8FuweVJ6uA
---- k6YDdEeu5493P74E1pt8yOaWrlKxq5KEEfokK+FaFq4
+-> ssh-ed25519 IYnDOQ P5amA/utlNaNK4/YP1L3RkL/k1N0MtucTobGZxeKqw8
-€Є€¤u¨nh(§Qð‚yëòÈ5b¥¥Yω<·›ˆ—ä¦éZ„Döwæƒ0
¶Ì #8¥¨t¸Ò…!±¯‡
+TBwo9Y/YTzJxw0rmzz6V1W8kmQYHw8YNt+/MLOQalyM
+--- Ykljx1ff/c4OkoyHs4rzrKnfIEuAW3zM5MCk5p/UT1g
+†„.˜ÁÙgåã:Õ¸¾…ód–§«¾J·¿~ËxíYe߬<C39F>ù,”«@<¹CKk0†w`¼rÆ~†} K

secrets/secrets.nix

@@ -2,6 +2,8 @@ let
   APPA = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvQbYHiB17BfsvHBgPYJN50Th+da+rtbsTIjOSaT+1Y root@APPA";
   gandalf_at_appa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrE1fMXjJXI8f1mKvhLquwSsb4tvLh5Tq0n+yOakQks gandalf@appa.dryb.com";
 
+  MOMO = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQ8YOOaQj3NnMlTjlFX9iWDIpPMrO2W4EkL65GJP+y4 root@MOMO";
+
   T430 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPQKzUqdLY58tFTB5zOeiTjbbrDvHA1speD/Rg6oOfz root@T430";
   IROH = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYiK3Dl8QvAZfY7Cl1OlF9aXKa/an32mtrCNkavlSNG root@IROH";
 
@@ -14,10 +16,16 @@ let
 
   systems = [
     APPA
+    MOMO
     T430
     IROH
   ];
 
+  servers = [
+    APPA
+    MOMO
+  ];
+
   clients = [
     T430
     IROH
@@ -25,13 +33,13 @@ let
 
 in
 {
-  "environments/acme.age".publicKeys = users ++ [ APPA ];
+  "environments/acme.age".publicKeys = users ++ servers;
-  "environments/vaultwarden.age".publicKeys = users ++ [ APPA ];
+  "environments/vaultwarden.age".publicKeys = users ++ servers;
-  "keys/wireguard/dryborg/privatekey.age".publicKeys = [ gandalf ] ++ clients;
+  "keys/wireguard/dryborg/privatekey.age".publicKeys = users ++ clients;
-  "keys/wireguard/dryborg/presharedkey.age".publicKeys = [ gandalf ] ++ clients;
+  "keys/wireguard/dryborg/presharedkey.age".publicKeys = users ++ clients;
-  "passwords/anki/admin.age".publicKeys = users ++ [ APPA ];
+  "passwords/anki/admin.age".publicKeys = users ++ servers;
-  "passwords/ddclient/cloudflare.age".publicKeys = users ++ [ APPA ];
+  "passwords/ddclient/cloudflare.age".publicKeys = users ++ servers;
-  "passwords/gitea/db.age".publicKeys = users ++ [ APPA ];
+  "passwords/gitea/db.age".publicKeys = users ++ servers;
-  "passwords/nextcloud/admin.age".publicKeys = users ++ [ APPA ];
+  "passwords/nextcloud/admin.age".publicKeys = users ++ servers;
-  "passwords/paperless/admin.age".publicKeys = users ++ [ APPA ];
+  "passwords/paperless/admin.age".publicKeys = users ++ servers;
 }