feat(MOMO): setup syncthing and vaultwarden

Jacob Bachmann 2025-01-01 21:33:50 +01:00
parent 7968a18271
commit 6ca4dd9e57
No known key found for this signature in database
GPG key ID: 7753026D577922A6
33 changed files with 419 additions and 149 deletions

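--- a/flake.lock
+++ b/flake.lock
@@ -45,6 +45,26 @@
 "type": "github"
 }
 },
+"disko": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1734701201,
+"narHash": "sha256-hk0roBX10j/hospoWIJIJj3i2skd7Oml6yKQBx7mTFk=",
+"owner": "nix-community",
+"repo": "disko",
+"rev": "2ee76c861af3b895b3b104bae04777b61397485b",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "disko",
+"type": "github"
+}
+},
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -138,6 +158,7 @@
 "root": {
 "inputs": {
 "agenix": "agenix",
+"disko": "disko",
 "home-manager": "home-manager_2",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs",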


@ -12,9 +12,18 @@
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{ nixpkgs, agenix, ... }@inputs:
{
nixpkgs,
agenix,
disko,
...
}@inputs:
let
mkSystem = host: {
"${host}" = nixpkgs.lib.nixosSystem rec {
@ -23,6 +32,7 @@
modules = [
(./hosts + "/${host}")
agenix.nixosModules.default
disko.nixosModules.disko
{ environment.systemPackages = [ agenix.packages.${system}.default ]; }
];
};
@ -32,8 +42,9 @@
nixosConfigurations = nixpkgs.lib.mergeAttrsList (
nixpkgs.lib.forEach [
"APPA"
"T430"
"IROH"
"MOMO"
"T430"
] mkSystem
);
};


@ -13,6 +13,8 @@
];
bchmnn = {
home.enable = true;
git = {
signing = {
key = "0x7753026D577922A6";


@ -50,10 +50,6 @@
domain = "anki.dryb.org";
answer = "192.168.2.40";
}
{
domain = "vaultwarden.dryb.org";
answer = "192.168.2.40";
}
{
domain = "paperless.dryb.org";
answer = "192.168.2.40";
@ -62,6 +58,22 @@
domain = "jellyfin.dryb.org";
answer = "192.168.2.40";
}
{
domain = "momo.dryb.org";
answer = "188.245.216.128";
}
{
domain = "momo.dryb.org";
answer = "2a01:4f8:1c1e:8abc::1";
}
{
domain = "syncthing.dryb.org";
answer = "momo.dryb.org";
}
{
domain = "vaultwarden.dryb.org";
answer = "momo.dryb.org";
}
];
};
dhcp = {


@ -11,6 +11,5 @@
./nginx.nix
./paperless.nix
./postgresql.nix
./vaultwarden.nix
];
}


@ -111,13 +111,6 @@
icon = "si-anki";
};
}
{
"Vaultwarden" = {
description = "https://vaultwarden.dryb.org";
href = "https://vaultwarden.dryb.org";
icon = "vaultwarden";
};
}
{
"Paperless" = {
description = "https://paperless.dryb.org";


@ -36,13 +36,6 @@
proxyPass = "http://127.0.0.1:8004";
};
};
virtualHosts."vaultwarden.dryb.org" = {
useACMEHost = "dryb.org";
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8005";
};
};
virtualHosts."paperless.dryb.org" = {
useACMEHost = "dryb.org";
forceSSL = true;


@ -5,15 +5,10 @@
enable = true;
ensureDatabases = [
config.services.gitea.user
"vaultwarden"
config.services.paperless.user
];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
{
name = config.services.paperless.user;
ensureDBOwnership = true;
@ -23,14 +18,12 @@
# type database DBuser auth-method mapping
authentication = ''
local gitea all ident map=gitea-users
local vaultwarden all ident map=vaultwarden-users
local paperless all ident map=paperless-users
'';
# name sysuser dbuser
identMap = ''
gitea-users gitea gitea
vaultwarden-users vaultwarden vaultwarden
paperless-users paperless paperless
'';
};

hosts/MOMO/default.nix Normal file

@ -0,0 +1,38 @@
{ ... }:
{
imports = [
./services
./hardware.nix
./network.nix
../../modules
];
bchmnn = {
network = {
resolved.enable = true;
networkd.enable = true;
};
collections = {
cli-utils.enable = true;
};
};
services.openssh = {
settings = {
PasswordAuthentication = false;
};
};
users.users.root = {
openssh = {
authorizedKeys = {
keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOG8Sja2i6nepkEkuxYdu86XbT9vS5uniBmZifSMZ0t jacob.bachmann@posteo.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrE1fMXjJXI8f1mKvhLquwSsb4tvLh5Tq0n+yOakQks gandalf@appa.dryb.com"
];
};
};
};
documentation.nixos.enable = false;
}
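Review bot: `PasswordAuthentication = false` in the `services.openssh.settings` block does not by itself close the password path on NixOS, because sshd runs with PAM and `KbdInteractiveAuthentication` keeps its default of true, so a password can still be offered through the keyboard-interactive method; add `KbdInteractiveAuthentication = false;` next to it. Root is the only account given authorized keys here, so the host relies on the module default for root login; pinning `PermitRootLogin = "prohibit-password";` in the same block makes that explicit for the one internet-facing host in this repo. `services.openssh.enable` is not set in this file and presumably comes from `../../modules` — worth confirming, since without it none of these settings take effect.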

hosts/MOMO/hardware.nix Normal file

@ -0,0 +1,68 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [
"ahci"
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
};
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "BOOT";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "ROOT";
end = "-8G";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
plainSwap = {
size = "100%";
content = {
type = "swap";
discardPolicy = "both";
};
};
};
};
};
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

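--- /dev/null
+++ b/hosts/MOMO/network.nix
@@ -0,0 +1,22 @@
+{ ... }:
+{
+networking = {
+hostName = "MOMO";
+interfaces.enp1s0 = {
+ipv6.addresses = [
+{
+address = "2a01:4f8:1c1e:8abc::1";
+prefixLength = 64;
+}
+];
+};
+defaultGateway6 = {
+address = "fe80::1";
+interface = "enp1s0";
+};
+nameservers = [
+"2a01:4ff:ff00::add:1"
+"2a01:4ff:ff00::add:2"
+];
+};
+}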


@ -0,0 +1,7 @@
{ ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "gendulf@posteo.de";
};
}


@ -0,0 +1,9 @@
{
imports = [
./acme.nix
./nginx.nix
./postgresql.nix
./syncthing.nix
./vaultwarden.nix
];
}


@ -0,0 +1,27 @@
{ ... }:
{
services.nginx = {
enable = true;
virtualHosts."syncthing.dryb.org" = {
addSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
};
};
virtualHosts."vaultwarden.dryb.org" = {
addSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8005";
};
};
};
networking.firewall = {
allowedTCPPorts = [
80
443
];
};
}
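Review bot: Both virtual hosts use `addSSL = true`, which serves the vaultwarden and syncthing backends over plain HTTP on the port 80 that the firewall block below opens, in addition to TLS, so a browser that lands on http://vaultwarden.dryb.org submits the master password unencrypted; `forceSSL = true;` in place of `addSSL = true;` on both hosts keeps port 80 only for the ACME challenge and redirects everything else. The APPA configuration this replaces (the hunk with `useACMEHost = "dryb.org"`) already used `forceSSL`, so this is a regression rather than a new choice. The vaultwarden location also proxies without `proxyWebsockets = true;`, so the web vault's notification websocket is likely to fail through this proxy — worth confirming against the vaultwarden version deployed.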


@ -0,0 +1,26 @@
{ ... }:
{
services.postgresql = {
enable = true;
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
# type database DBuser auth-method mapping
authentication = ''
local vaultwarden all ident map=vaultwarden-users
'';
# name sysuser dbuser
identMap = ''
vaultwarden-users vaultwarden vaultwarden
'';
};
}


@ -0,0 +1,7 @@
{ ... }:
{
services.syncthing = {
enable = true;
openDefaultPorts = true;
};
}
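Review bot: `services.syncthing` is enabled with defaults and nothing here sets a GUI user or password, while the nginx host for syncthing.dryb.org added in this commit proxies that GUI (port 8384) to the public internet; because proxied requests reach syncthing from 127.0.0.1, its own remote-access warning is presumably not triggered, so the admin interface is reachable without authentication until someone sets a password by hand. Set `settings.gui.user` and `settings.gui.password` (the value is world-readable in the Nix store, so use a bcrypt hash rather than the cleartext) or put `basicAuthFile` on the nginx location for that host. `openDefaultPorts = true` opening 22000 and 21027 is expected for sync traffic and is fine on its own.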


@ -2,9 +2,6 @@
{
age.secrets.environments-vaultwarden = {
file = ../../../secrets/environments/vaultwarden.age;
# mode = "640";
# owner = "vaultwarden";
# group = "vaultwarden";
};
users.users.vaultwarden = {


@ -32,6 +32,8 @@
pkgs.inotify-tools # a c library and a set of command-line programs providing a simple interface to inotify
pkgs.mkcert # a simple tool for making locally-trusted development certificates
pkgs.hexedit
pkgs.gdu # fast disk usage analyzer with console interface written in go
pkgs.duf # disk usage/free utility - a better 'df' alternative
]
++ lib.optionals (config.bchmnn.collections.cli-utils.enable && config.bchmnn.nvidia.enable) [
pkgs.nvtopPackages.full


@ -1,10 +1,22 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
{
options.bchmnn = {
network = {
nm = {
enable = lib.mkEnableOption "nm";
};
resolved = {
enable = lib.mkEnableOption "resolved";
};
networkd = {
enable = lib.mkEnableOption "networkd";
};
};
collections = {
vpn = {
dryborg = {
@ -15,14 +27,16 @@
};
config = {
networking = {
networkmanager.enable = true;
networkmanager.enable = config.bchmnn.network.nm.enable;
};
systemd.services = {
systemd.services = lib.mkIf (config.bchmnn.network.nm.enable) {
NetworkManager-wait-online.enable = false;
};
services.resolved.enable = config.bchmnn.collections.vpn.enable;
services.resolved.enable = (
config.bchmnn.network.nm.enable || config.bchmnn.collections.vpn.enable
);
environment.systemPackages = lib.optionals (config.bchmnn.collections.vpn.enable) [
pkgs.openvpn3
@ -31,7 +45,9 @@
];
services.mullvad-vpn.enable = config.bchmnn.collections.vpn.enable;
age.secrets = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) {
age.secrets =
lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable)
{
keys-wireguard-dryborg-privatekey = {
file = ../../secrets/keys/wireguard/dryborg/privatekey.age;
};
@ -40,7 +56,9 @@
};
};
networking.wg-quick.interfaces = lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable) {
networking.wg-quick.interfaces =
lib.mkIf (config.bchmnn.collections.vpn.enable && config.bchmnn.collections.vpn.dryborg.enable)
{
"vpn.dryb.org" = {
autostart = false;
privateKeyFile = config.age.secrets.keys-wireguard-dryborg-privatekey.path;
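Review bot: The new `bchmnn.network.resolved.enable` and `bchmnn.network.networkd.enable` options are declared in the first hunk but, in the hunks shown, nothing consumes them: `services.resolved.enable` in the second hunk is computed only from `nm.enable` and `vpn.enable`, and no `networking.useNetworkd` assignment appears, so a host that sets `resolved.enable = true` and `networkd.enable = true` (hosts/MOMO does both in this commit) may get neither unless that wiring lives outside the hunks. If it does not, `services.resolved.enable = config.bchmnn.network.resolved.enable || config.bchmnn.network.nm.enable || config.bchmnn.collections.vpn.enable;` and `networking.useNetworkd = config.bchmnn.network.networkd.enable;` in the config block would close the gap. The module's `config` block starts in the second hunk and continues past the last one.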


@ -1,4 +1,9 @@
{ pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
let
common = import ./common.nix;
in
@ -7,9 +12,11 @@ in
enable = true;
};
users.users.gandalf = {
users.users = lib.mkIf (config.bchmnn.home.enable) {
gandalf = {
shell = pkgs.zsh;
};
};
environment = {
shellAliases = common.aliases;


@ -1,6 +1,11 @@
{ lib, ... }:
{
options.bchmnn = with lib; {
home = {
enable = mkEnableOption "home";
};
user = {
extraGroups = mkOption {
type = types.listOf types.str;


@ -5,8 +5,6 @@
pkgs.gopass-jsonapi # enables communication with gopass via json messages
pkgs.bitwarden-cli # secure and free password manager for all of your devices
pkgs.yt-dlp # command-line tool to download videos from youtube.com and other sites (youtube-dl fork)
pkgs.gdu # fast disk usage analyzer with console interface written in go
pkgs.duf # disk usage/free utility - a better 'df' alternative
pkgs.stress # simple workload generator for posix systems. it imposes a configurable amount of cpu, memory, i/o, and disk stress on the system
pkgs.s-tui # stress-terminal ui monitoring tool
pkgs.fio # flexible io tester - an io benchmark tool


@ -1,11 +1,11 @@
{ config, ... }@inputs:
{ lib, config, ... }@inputs:
let
common = import ../core/common.nix;
in
{
imports = [ inputs.home-manager.nixosModules.home-manager ];
config = lib.mkIf (config.bchmnn.home.enable) {
users.users.gandalf = {
isNormalUser = true;
extraGroups = config.bchmnn.user.extraGroups;
@ -61,4 +61,5 @@ in
};
};
};
};
}




@ -1,9 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 lfMVeg wulS3MiEAmeRiQWR+2m6WB2lPgPvbGLIoPpIcpTjwEE
I0SrCm+wG3tRn1St9+bnwAJGSWAIA2TP6LKPQCaVCdc
-> ssh-ed25519 2ycGcg +gfN9hAI6S+2CVGp0xi+M3OJ2JfqNCubYFhKwXa86yM
yWls3U6P8ViO9a+gNuT/fW4txOfDD7wqOmQz6k6O2fA
-> ssh-ed25519 SiBV3Q 8+vLtNNsx2DWecy31lkXpGac78wpHu2xSu/NF+RDZGM
l4FaoEWeMgPIGnEuPJkDoFAmoxAM3gFLmiASxqZ/Gt4
--- RsgxQpG7CP2JVKUmJC5975cY5hCuXeDYF4wMoOBM2XM
,\à j^NåvÏ•ÞìÇw”GÏ„I äYÔ…D¨ËÕOÍÞÌ_œ@u¢“nõƒääúìÓàÙþ¶è¯”S'H޳&v)lQ
-> ssh-ed25519 OFTJeQ GLjSObPnRwi54E90PLmN56+01/XWV4ncMb2hIQVAIRM
K5wnX6U4R7vWxJIAhR46Y93nYbfY8ywgCBTpl32h3Ok
-> ssh-ed25519 lfMVeg P/y5kw0684nepV8zw7AVrKJdVXp1m9QRB92emoZtgic
3jdvPwfHqNCipa4FZCheRyloGTpl+nWopB+VmYxmnEo
-> ssh-ed25519 2ycGcg i/V1Jxl9MZXbkFceyTx/jA5mgt55u6pXvyZMUnJKnSI
mzZDa0QvpixtEyk7kR98a2MBTHq3FXLIifQ/RH7WsIo
-> ssh-ed25519 SiBV3Q 3ihfgMuU8fsUkCHOjhg9+lZxK3hreLV+OD38nfJvNVQ
TzKuRHW2Za7NLK32MFzXlXlBJnyTvaL7907Fv42s2/k
--- fMhdIsuJ19h9GqERg+zyub8z2L46vIoIb/RF3NC3Izs
¨Qg¢yzË„×1„Ör¤…&ºÊ¿MÁÞV9*<2A>T#ÇýŸ`¦î:TÅQt™£„ ÓãÆ 92$vR_ ïQ„4såßÀçFfü4



@ -1,9 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 OFTJeQ Duzy5R4T6qjIQNDaM/rMLtn6owinrOPR7bsj+zNyF1s
vuz3upwrRY+p9neicV+/MYqIpqPP8LxKjb/MSd3AG50
-> ssh-ed25519 lfMVeg F5b0npiotrpPjEqEEmq13iIWrEG1duL/r+A+fFt9MUw
hXV7o5UqSnrOYmTO4PudLMH2nTn3z134YuD78ogNS+Q
-> ssh-ed25519 ueRyzQ Msn3gbqPbt4anEbYGvuroa3Clgldv0c2yjJm8sviWig
qwsS+8V0LvR6aWWlC6/8V7oP4ClTPIH6UF7vIbSFLM0
--- /UJ64tEwx0Jus9JEby8z4X9LtlPoYMCUTMk3T50Flbk
Öþ}”ñ EuKôh§°<}gîÃ×£§¸£“)íNGñxž©˜³Mߣ{*$ g`)?õrNýFò*ˆ(„é„Ìw 'i
-> ssh-ed25519 OFTJeQ YV3PYBAAYyXqFKJZMzgWcvUiUMr0FXT1mIVu5c8ADi0
iYOSAD0fp2AQx2xYrwZVKz8jcxLI6dZaUYAEeRco6n0
-> ssh-ed25519 lfMVeg aTw9/kKTrhfe3wuJU61+4WWhu0boEmNQW4PH4WymfQc
pW37WMQO10S9gn4FPlNQ9I8SZiJ8zrN539WjZ5riG4U
-> ssh-ed25519 ueRyzQ jduJfxSB+1+TXaoZQk8IC2OluzEhIf2PKLrqgZPgPgU
DFnKYH1DGcvdBblibUO+1apJ6658bUJOsb+ZCVPScy0
-> ssh-ed25519 IYnDOQ ccAK15UhEam0UtwKEPpjPdIOdOFmBRY6riNAaoUNfRE
RqOsV0RIp8kB+pDQeidONMviP4dKu1hiwTR73oa3Uxo
--- 67ZWOJB/9Zc7tUTHgVFFMWWeHOU6RzIf2HN2qXH05RQ
IÄ%8!Fê;ww¿ò¡kÌKÿ}¹¥äÇÚÿó?K ùÁõާdÊ ÈyÇþ.ù¼ÐN$»›£fçeŠðü‡?rÇò­



@ -1,9 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 OFTJeQ ZR/HXJbMffa0GONFhLI54XbnMfUa44IBtmc35WfFalE
5k336aLzA40CP1qy1bhpAeOBMf/v8acDsbT3ehJgNH8
-> ssh-ed25519 lfMVeg rNkPlKPIOnU3MX1DRAAqUrVCl2aFCD1LiULqgT94ih0
s1dizDfvjFexbtOaY+8LHT4rASAmna+YtI6sThwY2lo
-> ssh-ed25519 ueRyzQ yXUlKmMDvGQpYHDPax8AOmAupPm1MlOB8O0dWLZlPxI
a/+l6l8f6Bwl6cmfob0lZnBriQ5uGE/zK/JDRwsp3+o
--- k6YDdEeu5493P74E1pt8yOaWrlKxq5KEEfokK+FaFq4
Є€¤u¨nh(§QðyëòÈ5b¥¥Yω<·›ˆ —ä¦éZ„Döwæƒ0 ¶Ì #8¥¨t¸Ò…! ±¯‡
-> ssh-ed25519 OFTJeQ Z0zahyJ9ZN+iPyEGZcdqkctRGtZHedg0n9hpw7yCr1w
tTaDe8+Ki2S7v3F/+0KgJ6EyS89WETy3/pSWUf3qA2g
-> ssh-ed25519 lfMVeg 7yJmsdpEXhgRekyoMU5Ut62hvo7sI+ZyLoasrzjtOmI
qpH5kucqYFin9PZw38am7WkJWH+Cp0C7em22QiQsQJ4
-> ssh-ed25519 ueRyzQ WGMVo2WuCuHNTZ6/a+3cPOXU50EEK/yhnyX//IrtUx8
2t+CUgdBuivea8Ij4tavUQTX2mzTpIUz/8FuweVJ6uA
-> ssh-ed25519 IYnDOQ P5amA/utlNaNK4/YP1L3RkL/k1N0MtucTobGZxeKqw8
TBwo9Y/YTzJxw0rmzz6V1W8kmQYHw8YNt+/MLOQalyM
--- Ykljx1ff/c4OkoyHs4rzrKnfIEuAW3zM5MCk5p/UT1g
†„.˜ÁÙ gåã:Õ¸¾…ód–§«¾J·¿~ËxíYe߬<C39F>ù,”«@<¹CKk0†w`¼rÆ~} K


@ -2,6 +2,8 @@ let
APPA = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvQbYHiB17BfsvHBgPYJN50Th+da+rtbsTIjOSaT+1Y root@APPA";
gandalf_at_appa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrE1fMXjJXI8f1mKvhLquwSsb4tvLh5Tq0n+yOakQks gandalf@appa.dryb.com";
MOMO = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQ8YOOaQj3NnMlTjlFX9iWDIpPMrO2W4EkL65GJP+y4 root@MOMO";
T430 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPQKzUqdLY58tFTB5zOeiTjbbrDvHA1speD/Rg6oOfz root@T430";
IROH = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYiK3Dl8QvAZfY7Cl1OlF9aXKa/an32mtrCNkavlSNG root@IROH";
@ -14,10 +16,16 @@ let
systems = [
APPA
MOMO
T430
IROH
];
servers = [
APPA
MOMO
];
clients = [
T430
IROH
@ -25,13 +33,13 @@ let
in
{
"environments/acme.age".publicKeys = users ++ [ APPA ];
"environments/vaultwarden.age".publicKeys = users ++ [ APPA ];
"keys/wireguard/dryborg/privatekey.age".publicKeys = [ gandalf ] ++ clients;
"keys/wireguard/dryborg/presharedkey.age".publicKeys = [ gandalf ] ++ clients;
"passwords/anki/admin.age".publicKeys = users ++ [ APPA ];
"passwords/ddclient/cloudflare.age".publicKeys = users ++ [ APPA ];
"passwords/gitea/db.age".publicKeys = users ++ [ APPA ];
"passwords/nextcloud/admin.age".publicKeys = users ++ [ APPA ];
"passwords/paperless/admin.age".publicKeys = users ++ [ APPA ];
"environments/acme.age".publicKeys = users ++ servers;
"environments/vaultwarden.age".publicKeys = users ++ servers;
"keys/wireguard/dryborg/privatekey.age".publicKeys = users ++ clients;
"keys/wireguard/dryborg/presharedkey.age".publicKeys = users ++ clients;
"passwords/anki/admin.age".publicKeys = users ++ servers;
"passwords/ddclient/cloudflare.age".publicKeys = users ++ servers;
"passwords/gitea/db.age".publicKeys = users ++ servers;
"passwords/nextcloud/admin.age".publicKeys = users ++ servers;
"passwords/paperless/admin.age".publicKeys = users ++ servers;
}
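Review bot: Every server secret is now encrypted to `users ++ servers`, so MOMO can decrypt the gitea database password, the nextcloud, anki and paperless admin passwords and the Cloudflare ddclient token although, per the MOMO host files in this commit, it only runs vaultwarden and syncthing; a compromise of the new internet-facing VPS would then yield credentials for services it never hosts. Keep the per-host scoping the old lines had, e.g. `"passwords/gitea/db.age".publicKeys = users ++ [ APPA ];`, and widen only `"environments/vaultwarden.age".publicKeys = users ++ [ APPA MOMO ];`; the MOMO acme.nix added here references no credentials file, so `environments/acme.age` likely does not need MOMO either. The wireguard private and preshared keys also moved from `[ gandalf ]` to `users`, which broadens who can decrypt them — that may be intended, but it is unrelated to the MOMO setup and deserves its own line in the commit message.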