diff --git a/.sops.yaml b/.sops.yaml index 943ea6a..be682be 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,3 +6,7 @@ creation_rules: key_groups: - age: - *alpine + - path_regex: certs/.*.key + key_groups: + - age: + - *alpine diff --git a/certs/alpine.prawn-justice.ts.net.crt b/certs/alpine.prawn-justice.ts.net.crt new file mode 100644 index 0000000..2b780d3 --- /dev/null +++ b/certs/alpine.prawn-justice.ts.net.crt 
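Review bot: The added rule's `path_regex: certs/.*.key` is looser than it reads, because the `.` before `key` is unescaped and the pattern has no end anchor, so it matches any path under certs/ that contains some character followed by `key`. Writing it as `path_regex: certs/.*\.key$` limits the rule to private-key files. The `creation_rules` list starts above the hunk, so whether an earlier rule already catches these paths cannot be checked from here.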
@@ -0,0 +1,48 @@ +-----BEGIN CERTIFICATE----- +MIIDljCCAxygAwIBAgISBBQT2OlSax8juBh/IQex2igaMAoGCCqGSM49BAMDMDIx +CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF +NTAeFw0yNDEwMTMwMTQ4MDFaFw0yNTAxMTEwMTQ4MDBaMCYxJDAiBgNVBAMTG2Fs +cGluZS5wcmF3bi1qdXN0aWNlLnRzLm5ldDBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABNB7TDo//14hkP6lbTpMessnFDWiXCQ55C/+rPRuMK0kxMV9Uj9hVCaq6YI1 +Nxug1DBmQvAVtMNho60wCUR0ocijggIcMIICGDAOBgNVHQ8BAf8EBAMCB4AwHQYD +VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O +BBYEFL+YrMuDYngdndFxmQ8DyIaF5FZuMB8GA1UdIwQYMBaAFJ8rX888IU+dBLft +KyzExnCL0tcNMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL2U1 +Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vZTUuaS5sZW5jci5vcmcv +MCYGA1UdEQQfMB2CG2FscGluZS5wcmF3bi1qdXN0aWNlLnRzLm5ldDATBgNVHSAE +DDAKMAgGBmeBDAECATCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AD8XS0/XIkdY +lB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRuAAABkoPFMKkAAAQDAEcwRQIhAMB1F+1H +QkW08Lu2AQr8bcYCqg43niOw2EHl9cTqIMngAiBOQz14/mZsA09MjLO4QSgnC8pW +wSHaf791o2N/HPHWiAB1ABNK3xq1mEIJeAxv70x6kaQWtyNJzlhXat+u2qfCq+Ai +AAABkoPFMagAAAQDAEYwRAIgR3BMtNMq8ubpJQanyZ5VPkX7OCIVyjmWD/iQDKHo +VkUCIBXczglskWwyZEwhCv1lNmgCfZmIF32rywaEsKBjQ/2QMAoGCCqGSM49BAMD +A2gAMGUCMQCruWjBoT4D97a/TQACEWs2UZ5ZUm+RmZS7VA4kVm9Q1bFFrftD1FEQ +dB88W+jYPN8CMAervvI7Jb19X+wDktnp958XUodwOhhd0NNvQ4HS/TEUxSDV04Xb +FahrrdXWaqt3nQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw +WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK +a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO +VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw +gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD +ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw 
+i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB +AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g +BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu +Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C +2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+ +bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG +6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV +XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO +koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq +cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI +E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e +K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX +GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL +sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd +VQD9F6Na/+zmXCc= +-----END CERTIFICATE----- diff --git a/certs/alpine.prawn-justice.ts.net.key b/certs/alpine.prawn-justice.ts.net.key new file mode 100644 index 0000000..3b07f1c --- /dev/null +++ b/certs/alpine.prawn-justice.ts.net.key 
@@ -0,0 +1,20 @@ +{ + "data": "ENC[AES256_GCM,data:8ILElQXr1whCq6/Jvh2+0RN23cKn4Hd6GHd4/1pwfPzp+dzCcKe3gN4LY4NwTNM3fCeW2gX3DWHqXJxGxxjhlpLnFuEu9Q6eVAhjBIAEdUOAaOefQgBsY805hJ2+3oaASO1gTW64M4Rb7twhlJvtzfvl6dy5JuASv/mp3qlpmoIitFe0h1EAi0QkG5y1K7bDrmca7g9PhdelnJeIBAj9vjevtQAtJe3C1G/R3kfCLnPJQAC1BDBt97CXCux8uWgqSjH4ndp6c2cJH9UK87rB/w1+7ihSQGAfEAHNrdXMCSkcC9w=,iv:GiLNz81b7gLQZiX01wXQlYRogXwdyqX7HwOfVLUQHoo=,tag:MC6YZkidZHePXWTiUogJkQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age106vffwu4y8cx90y0rtzajgpafl8jq7ty5hf6pur2gjsuq3g2lf5qjmdq0q", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbVI0M0o3TEFObEQ0RVJo\ncFp4djEvTzdndFV0OU5PKyt6WlpRYlowUlZBCkJYZm9JS1VZRGhwQ1c0K1JBVHIy\nelJNd3E1eUlPUDVGdUd3YzJrenFUY3cKLS0tIGhWWUt2TUthR1BncjN4UW9kQ1Vl\nM3JuVkUvZkZoM1ZabXhnRG1lRktrazAKesQXHUogJ0bo34Ibp5JxqaG7OCrbUteh\nrIyWr1bUQruhffOVJo+SQzKtNMwA2XwwU1xJb4YbBUXwe9/4G8KpqQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-10-13T03:10:45Z", + "mac": "ENC[AES256_GCM,data:iY5zcanENCJLwwaK0Gz/HZTAXvwbHDK5AZ7buHVjg22jQlFKlg46abBy1KIBOzurH7Z8i7lLSSF1DFzGbR63NjEWFiv4hJsDuFgvLxFm/GxERl+JnadKaaooYQavkE99J1uiPIr7BCZppC+MdvqG1IqkSeLO737KLniisprKe1g=,iv:VtHXpnZVoTpmLcmSVxvCZSxongAXwelE02OA/5afQ9k=,tag:y2GmUBzg6tspfjZi8TyhuQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.0" + } +} \ No newline at end of file diff --git a/flake.nix b/flake.nix index e420954..ede8ff3 100644 --- a/flake.nix +++ b/flake.nix @@ -44,7 +44,6 @@ ./nixos/programs/hyprland.nix ]; home-modules = [ - ./home/programs/mpd.nix ./home/programs/graphical.nix ./home/programs/gamer.nix ./home/programs/personal/. @@ -61,7 +60,6 @@ ./nixos/programs/hyprland.nix ]; home-modules = [ - ./home/programs/mpd.nix ./home/programs/work.nix ./home/programs/graphical.nix ./home/desktop/cosmic/laptop.nix 
@@ -89,16 +87,17 @@ ./nixos/services/forgejo.nix ./nixos/services/vaultwarden.nix ./nixos/services/jellyfin.nix - ./nixos/services/mpd.nix ./nixos/services/prometheus.nix ./nixos/services/grafana.nix - ./nixos/services/synapse.nix + ./nixos/services/loki.nix + ./nixos/services/synapse/. ./nixos/services/mautrix/whatsapp.nix ./nixos/services/mautrix/signal.nix ./nixos/services/nextcloud.nix ./nixos/services/ntfy.nix ./nixos/services/authentik.nix ./nixos/services/monero.nix + ./nixos/services/arr.nix ]; }; diff --git a/hardware/alpine.nix b/hardware/alpine.nix index eff81ed..bf4d2d4 100644 --- a/hardware/alpine.nix +++ b/hardware/alpine.nix @@ -59,13 +59,10 @@ in { fsType = "fuse.mergerfs"; depends = ["/mnt/disk1" "/mnt/disk2" "/mnt/disk3"]; options = [ - "direct_io" - "use_ino" - "allow_other" "minfreespace=50G" "fsname=mergerfs" "category.create=mfs" - "func.mkdir=epall" + "dropcacheonclose=true" ]; }; @@ -113,9 +110,13 @@ in { ]; }; + virtualisation.oci-containers.backend = "podman"; + virtualisation = { podman = { enable = true; + autoPrune.enable = true; + defaultNetwork.settings.dns_enabled = true; }; }; @@ -136,6 +137,7 @@ in { globalRedirect = "tristans.cloud"; }; "tristans.cloud" = { + default = true; forceSSL = true; enableACME = true; root = "/srv/www/tristans.cloud"; @@ -147,14 +149,15 @@ in { defaults.email = "tristan@tristans.cloud"; }; + sops.secrets."namecheap" = {}; services.ddclient = { - # enable = true; - protocol = "duckdns"; - use = "if, if=enp4s0"; - ssl = true; - username = ""; - passwordFile = "/home/tristan/duckdnstoken"; - domains = ["tlbean"]; + enable = true; + protocol = "namecheap"; + usev4 = "webv4, webv4=ipify-ipv4"; + usev6 = ""; + username = "tristans.cloud"; + passwordFile = config.sops.secrets."namecheap".path; + domains = ["@" "*"]; }; services.mpd = { 
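Review bot: In the ddclient hunk the secret is declared as `sops.secrets."namecheap" = {};` with nothing tying it to the service that reads it, so a rotated dynamic-DNS password is only picked up after a manual restart. Adding `sops.secrets."namecheap".restartUnits = ["ddclient.service"];` links the two. The removed block set `ssl = true;` explicitly and the new one presumably relies on the module default; stating it explicitly, or in a comment, would make sure the update request carrying the password is never sent in clear text.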
@@ -164,4 +167,7 @@ in { services.grafana.settings.server = { http_port = 3001; # forgejo and grafana default to 3000 }; + + systemd.services.NetworkManager-wait-online.enable = false; + } diff --git a/nixos/default.nix b/nixos/default.nix index 77d8579..c9e02e2 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -8,9 +8,6 @@ }: let user = config.user; in { - imports = [ - ./modules/podman.nix - ]; nix = { settings = { diff --git a/nixos/services/arr.nix b/nixos/services/arr.nix new file mode 100644 index 0000000..6f0c0f5 --- /dev/null +++ b/nixos/services/arr.nix 
@@ -0,0 +1,77 @@ +{config, lib, ...}: let + inherit (config) sops; + inherit (sops) templates placeholder; +in { + nixpkgs.config.permittedInsecurePackages = [ + "aspnetcore-runtime-6.0.36" + "aspnetcore-runtime-wrapped-6.0.36" + "dotnet-sdk-6.0.428" + "dotnet-sdk-wrapped-6.0.428" + ]; + users.groups.media = {}; + services.jackett = { + enable = true; + }; + services.lidarr = { + enable = true; + group = "media"; + }; + services.sonarr = { + enable = true; + group = "media"; + }; + services.radarr = { + enable = true; + group = "media"; + }; + services.jellyseerr.enable = true; + sops.secrets.sonarr-sslkey = { + sopsFile = ../../certs/alpine.prawn-justice.ts.net.key; + format = "binary"; + owner = "nginx"; + }; + # this was fun to figure out, but pointless atm. + services.nginx.virtualHosts."alpine.prawn-justice.ts.net" = { + forceSSL = true; + sslCertificateKey = config.sops.secrets.sonarr-sslkey.path; + sslCertificate = ../../certs/alpine.prawn-justice.ts.net.crt; + }; + # probably easier if i just put this in a nixos-container + virtualisation.oci-containers.containers.transmission = { + autoStart = false; + image = "docker.io/haugene/transmission-openvpn:5.3.1"; + ports = ["9091:9091"]; + volumes = [ + "/mnt/storage/downloads:/data" + "/home/tristan/pods/transmission/config:/config" + "/mnt/storage/media/unsorted:/data/completed" + ]; + environmentFiles = [ templates."transmission/env".path ]; + environment = { + PUID = "1000"; + GUID = "1000"; + LOCAL_NETWORK = "100.0.0.0/8"; + }; + privileged = true; + capabilities = { + "NET_ADMIN" = true; + "NET_RAW" = true; + "MKNOD" = true; + }; + }; + sops.secrets = { + "transmission/auth/OPENVPN_PROVIDER" = {}; + "transmission/auth/OPENVPN_CONFIG" = {}; + "transmission/auth/OPENVPN_USERNAME" = {}; + "transmission/auth/OPENVPN_PASSWORD" = {}; + }; + sops.templates."transmission/env" = { + owner = "tristan"; + content = '' + OPENVPN_PROVIDER="${placeholder."transmission/auth/OPENVPN_PROVIDER"}" + 
OPENVPN_CONFIG="${placeholder."transmission/auth/OPENVPN_CONFIG"}" + OPENVPN_USERNAME="${placeholder."transmission/auth/OPENVPN_USERNAME"}" + OPENVPN_PASSWORD="${placeholder."transmission/auth/OPENVPN_PASSWORD"}" + ''; + }; +} diff --git a/nixos/services/authentik.nix b/nixos/services/authentik.nix index 48f5b88..c6435cc 100644 --- a/nixos/services/authentik.nix +++ b/nixos/services/authentik.nix @@ -9,7 +9,8 @@ port = "5437"; }; authentik-config = { - image = "ghcr.io/goauthentik/server:2023.10.7"; + autoStart = true; + image = "ghcr.io/goauthentik/server:2025.2.4"; volumes = ["/home/tristan/pods/authentik/media:/media"]; environment = { AUTHENTIK_POSTGRESQL__USER = postgres.user; @@ -20,7 +21,8 @@ AUTHENTIK_EMAIL__FROM = "Authentik "; AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME = "false"; }; - envFile = templates."authentik/environment".path; + environmentFiles = [templates."authentik/environment".path]; + dependsOn = ["authentik-redis" "authentik-postgres"]; }; in { sops.secrets = { 
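Review bot: The transmission container in nixos/services/arr.nix sets `privileged = true;`, which already grants every capability and access to host devices, so the `capabilities` set below it (`NET_ADMIN`, `NET_RAW`, `MKNOD`) restricts nothing. For a VPN client container the narrower shape is to drop `privileged = true;` and pass only the tunnel device, e.g. `extraOptions = ["--device=/dev/net/tun"];`, keeping the explicit capability list (which of the three the image really needs should be confirmed). `GUID = "1000";` looks like a typo for `PGID`, the variable that normally accompanies `PUID`, so the group mapping is probably not applied. `LOCAL_NETWORK = "100.0.0.0/8";` is wider than the Tailscale range `100.64.0.0/10` and, as far as the image documents this variable, exempts publicly routable addresses from the VPN routing as well. The `sops.templates."transmission/env"` file holding the VPN credentials is owned by `tristan`; if only the service that starts the container reads it, the default owner would be tighter.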
@@ -50,34 +52,38 @@ in { ''; }; }; - - podman.authentik-redis = { - image = "redis:latest"; - ports = ["${redis_port}:6379"]; - }; - - podman.authentik-server = - authentik-config - // { - command = "server"; - ports = ["${authentik_port}:9000" "9084:9300"]; + virtualisation.oci-containers.containers = { + authentik-redis = { + autoStart = true; + image = "redis:7.2-alpine"; + ports = ["${redis_port}:6379"]; + volumes = ["authentik-redis:/data"]; }; - podman.authentik-worker = - authentik-config - // { - command = "worker"; - }; + authentik-server = + authentik-config + // { + cmd = ["server"]; + ports = ["${authentik_port}:9000" "9084:9300"]; + }; - podman.authentik-postgres = { - image = "docker.io/postgres:14-alpine"; - ports = ["${postgres.port}:5432"]; - volumes = ["/home/tristan/pods/authentik/db:/var/lib/postgresql/data"]; - environment = { - POSTGRES_USER = postgres.user; - POSTGRES_DB = postgres.db; + authentik-worker = + authentik-config + // { + cmd = ["worker"]; + }; + + authentik-postgres = { + autoStart = true; + image = "docker.io/postgres:14-alpine"; + ports = ["${postgres.port}:5432"]; + volumes = ["/home/tristan/pods/authentik/db:/var/lib/postgresql/data"]; + environment = { + POSTGRES_USER = postgres.user; + POSTGRES_DB = postgres.db; + }; + environmentFiles = [templates."authentik/postgres_env".path]; }; - envFile = templates."authentik/postgres_env".path; }; services.nginx.virtualHosts."auth.tristans.cloud" = { diff --git a/nixos/services/grafana.nix b/nixos/services/grafana.nix index 253fe24..353bbc8 100644 --- a/nixos/services/grafana.nix +++ b/nixos/services/grafana.nix 
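Review bot: `authentik-redis` and `authentik-postgres` publish `"${redis_port}:6379"` and `"${postgres.port}:5432"` without a bind address, which exposes both on every host interface, and no Redis password is configured in this hunk. Published container ports are often not covered by the host firewall's input rules, so this is worth closing in the container definition itself. This commit enables `defaultNetwork.settings.dns_enabled` in hardware/alpine.nix, so the authentik containers could reach both by container name and the `ports` lines could be dropped; if host access is needed, `ports = ["127.0.0.1:${redis_port}:6379"];` keeps it local. How authentik is pointed at Redis and Postgres is set outside the hunk, so the right option depends on that.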
@@ -1,6 +1,15 @@ -{config, ...}: let +{config, lib, pkgs, ...}: let cfg = config.services.grafana; secrets = config.sops.secrets; + mkDashboards = dashboards: pkgs.symlinkJoin { + name = "dashboards"; + paths = map mkDashboard dashboards; + }; + mkDashboard = {name, url, sha256}: pkgs.writeTextFile { + inherit name; + text = builtins.readFile ( builtins.fetchurl {inherit url sha256;} ); + destination = "/dash/${name}.json"; + }; in { sops.secrets."grafana/oidc_client_secret" = { owner = "grafana"; @@ -25,6 +34,22 @@ in { role_attribute_path = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"; }; }; + provision.dashboards.settings.providers = [{ + name = "Node Exporter"; + type = "file"; + options.path = mkDashboards [ + { + name = "node-exporter"; + url = "https://grafana.com/api/dashboards/1860/revisions/37/download"; + sha256 = "sha256:0qza4j8lywrj08bqbww52dgh2p2b9rkhq5p313g72i57lrlkacfl"; + } + { + name = "synapse"; + url = "https://raw.githubusercontent.com/element-hq/synapse/refs/heads/master/contrib/grafana/synapse.json"; + sha256 = "sha256:07qlr0waw9phmyd38bv22bn5v303w3397b89l44l3lzwhpnhs16s"; + } + ]; + }]; }; services.nginx.virtualHosts = { ${cfg.settings.server.domain} = { diff --git a/nixos/services/jellyfin.nix b/nixos/services/jellyfin.nix index db598f0..583a411 100644 --- a/nixos/services/jellyfin.nix +++ b/nixos/services/jellyfin.nix @@ -1,6 +1,8 @@ { services.jellyfin = { enable = true; + group = "media"; # access to user stuff + openFirewall = true; }; services.nginx.virtualHosts."movies.tristans.cloud" = { forceSSL = true; diff --git a/nixos/services/loki.nix b/nixos/services/loki.nix new file mode 100644 index 0000000..d114318 --- /dev/null +++ b/nixos/services/loki.nix 
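Review bot: The `synapse` dashboard in the second grafana.nix hunk is fetched from `refs/heads/master`, a moving ref, while its `sha256` is fixed, so the build fails as soon as upstream edits that file. The hash pin is the right integrity control; pairing it with an immutable URL (a release tag or a commit id in place of `refs/heads/master`) keeps the fetch reproducible. `mkDashboard` in the first hunk would also benefit from a comment such as `# builtins.fetchurl runs at evaluation time; the sha256 is what makes the download trustworthy`.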
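Review bot: In nixos/services/jellyfin.nix, `openFirewall = true;` opens Jellyfin's own ports on the host, so the service becomes reachable directly over plain HTTP next to the `movies.tristans.cloud` vhost that sets `forceSSL`. If nginx is meant to be the only entry point, leaving `openFirewall` at its default keeps clients on TLS; if LAN discovery is the goal, a comment saying so would make the exposure deliberate. The comment on `group = "media";` could say what the group grants, e.g. `# shared group with the *arr services so Jellyfin can read the media library`.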
@@ -0,0 +1,98 @@
+{config, ...}: let
+ inherit (config.services) loki;
+in {
+ services.loki = {
+ enable = true;
+ configuration = {
+ auth_enabled = false;
+ server.http_listen_port = 3100;
+ schema_config.configs = [
+ {
+ from = "2024-10-12";
+ object_store = "filesystem";
+ store = "tsdb";
+ schema = "v13";
+ index = {
+ prefix = "index_";
+ period = "24h";
+ };
+ }
+ ];
+ storage_config."filesystem".directory = "/tmp/loki/chunks";
+ common = {
+ ring = {
+ instance_addr = "127.0.0.1";
+ kvstore.store = "inmemory";
+ };
+ replication_factor = 1;
+ path_prefix = "/tmp/loki";
+ };
+ limits_config = {
+ ingestion_rate_strategy = "local";
+ ingestion_rate_mb = 24;
+ ingestion_burst_size_mb = 36;
+ };
+ };
+ };
+ services.prometheus.scrapeConfigs = [{
+ job_name = "loki";
+ static_configs = [
+ {
+ targets = ["localhost:3100"];
+ }
+ ];
+ }];
+ services.promtail = {
+ enable = true;
+ # https://grafana.com/docs/loki/latest/send-data/promtail/configuration/
+ configuration = {
+ server = {
+ http_listen_port = 9080;
+ grpc_listen_port = 0;
+ };
+ clients = [
+ {url = "http://localhost:3100/loki/api/v1/push";}
+ ];
+ scrape_configs = [
+ {
+ job_name = "system";
+ journal = {
+ path = "/var/log/journal/";
+ };
+ relabel_configs = [
+ {
+ source_labels = ["__journal_message"];
+ target_label = "message";
+ regex = "(.+)";
+ }
+ {
+ source_labels = ["__journal__systemd_unit"];
+ target_label = "systemd_unit";
+ regex = "(.+)";
+ }
+ {
+ source_labels = ["__journal__systemd_user_unit"];
+ target_label = "systemd_user_unit";
+ regex = "(.+)";
+ }
+ {
+ source_labels = ["__journal__transport"];
+ target_label = "transport";
+ regex = "(.+)";
+ }
+ {
+ source_labels = ["__journal__priority_keyword"];
+ target_label = "severity";
+ regex = "(.+)";
+ }
+ ];
+ }
+ ];
+ };
+ };
+ services.grafana.provision.datasources.settings.datasources = [{
+ name = "Loki";
+ type = "loki";
+ url = "http://localhost:${toString loki.configuration.server.http_listen_port}";
+ }];
+}
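Review bot: Loki is configured with `auth_enabled = false;` and only `server.http_listen_port = 3100;`, with no listen address, so the unauthenticated push and query API is bound to all interfaces unless something outside this file restricts it. Promtail, Prometheus and Grafana all reach it through `localhost` here, so adding `server.http_listen_address = "127.0.0.1";` costs nothing. `path_prefix = "/tmp/loki";` and the chunk directory under `/tmp` keep log data in a location that is normally cleaned up and shared between users; the service's state directory (`/var/lib/loki` by default) is the safer place. The relabel rule that copies `__journal_message` into a `message` label makes every distinct log line its own stream and is worth dropping.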
diff --git a/nixos/services/mautrix/signal.nix b/nixos/services/mautrix/signal.nix index b6f1194..52468a4 100644 --- a/nixos/services/mautrix/signal.nix +++ b/nixos/services/mautrix/signal.nix @@ -1,9 +1,44 @@ -{config, ...}: let - inherit (config) sops; - inherit (sops) templates placeholder; +{config, lib, ...}: let inherit (import ./lib.nix) toAppRegistration; + inherit (config.sops) templates placeholder; in { + + virtualisation.oci-containers.containers.mautrix-signal = { + image = "dock.mau.dev/mautrix/signal:v0.7.1"; + dependsOn = ["mautrix-signal-psql"]; + volumes = [ + "/home/tristan/pods/signal-bridge/mautrix-signal:/data:z" + ]; + ports = [ + "29328:29328" + "8000:8000" + ]; + }; + +# when you get around to backing this up +# 1. stop the server. +# 2. backup the db. +# 3. migrate to newer version of postgres +# 4. migrate db to local + virtualisation.oci-containers.containers.mautrix-signal-psql = { + image = "docker.io/postgres:14-alpine"; + # ports = [ "127.0.0.1:5435:5432" ]; + ports = [ "5435:5432" ]; + volumes = [ "/home/tristan/pods/signal-bridge/db:/var/lib/postgresql/data" ]; + environmentFiles = [templates."mautrix-signal/psql.env".path]; + }; + sops.templates = { + "mautrix-signal/psql.env" = { + owner = config.users.users.nobody.name; + content = lib.strings.toShellVars { + POSTGRES_PASSWORD = placeholder."mautrix-signal/postgres_password"; + POSTGRES_USER = "signald"; + POSTGRES_DB = "signald"; + }; + }; + }; sops.secrets = { + "mautrix-signal/postgres_password" = {}; "mautrix-signal/as_token" = {}; "mautrix-signal/hs_token" = {}; }; @@ -20,10 +55,8 @@ in { }; }; }; - - # mautrix-signal server currently in ansible/podman - services.matrix-synapse.settings.app_service_config_files = [ templates."mautrix-signal/appservice.yaml".path ]; + } diff --git a/nixos/services/mautrix/whatsapp.nix b/nixos/services/mautrix/whatsapp.nix index 67b9a5e..99ba1f9 100644 --- a/nixos/services/mautrix/whatsapp.nix +++ b/nixos/services/mautrix/whatsapp.nix 
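Review bot: `mautrix-signal-psql` publishes `ports = [ "5435:5432" ];` on every interface while the loopback-bound form `"127.0.0.1:5435:5432"` is left commented out directly above it, and the bridge container likewise publishes 29328 and 8000 without a bind address. With `dependsOn` already linking the two containers and container DNS enabled in hardware/alpine.nix by this commit, the bridge can presumably reach the database by container name, so the database `ports` line could go entirely; otherwise restore the `127.0.0.1:` prefix. The template holding `POSTGRES_PASSWORD` is given `owner = config.users.users.nobody.name;`, which makes it readable by anything running as `nobody`; if the file is only read by the service that starts the container, the default owner is tighter — confirm before changing.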
@@ -1,34 +1,17 @@ -{config, ...}: let - inherit (config) sops; - inherit (sops) templates placeholder; - inherit (import ./lib.nix) toAppRegistration; -in { - sops.secrets = { - "mautrix-whatsapp/as_token" = {}; - "mautrix-whatsapp/hs_token" = {}; - }; - sops.templates = { - "mautrix-whatsapp/appservice.yaml" = { - owner = "matrix-synapse"; - content = toAppRegistration { - id = "whatsapp"; - port = config.services.mautrix-whatsapp.settings.appservice.port; - as_token = placeholder."mautrix-whatsapp/as_token"; - hs_token = placeholder."mautrix-whatsapp/hs_token"; - sender_localpart = "Gx8tLTHsxVlrdD3qibaPdaP9t7GhfciV"; - "de.sorunome.msc2409.push_ephemeral" = true; - }; - }; - # "mautrix-whatsapp/env".content = '' - # MAUTRIX_WHATSAPP_APPSERVICE_AS_TOKEN=${placeholder."mautrix-whatsapp/as_token"} - # MAUTRIX_WHATSAPP_APPSERVICE_HS_TOKEN=${placeholder."mautrix-whatsapp/hs_token"} - # ''; - }; - +{config, ...}: +{ +# TODO: totally borked for some reason. DB migration? + nixpkgs.config.permittedInsecurePackages = [ + "olm-3.2.16" + ]; services.mautrix-whatsapp = { enable = true; - # environmentFile = templates."mautrix-whatsapp/env".path; + registerToSynapse = true; settings = { + appservice.database = { + type = "sqlite3"; + uri = "/var/lib/mautrix-whatsapp/mautrix-whatsapp.db"; + }; homeserver = { address = "http://localhost:8008"; domain = "tristans.cloud"; @@ -46,9 +29,4 @@ in { }; }; }; - - services.matrix-synapse.settings.app_service_config_files = [ - templates."mautrix-whatsapp/appservice.yaml".path - # "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml" - ]; } diff --git a/nixos/services/monero.nix b/nixos/services/monero.nix index 94cde2b..c502f0d 100644 --- a/nixos/services/monero.nix +++ b/nixos/services/monero.nix 
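Review bot: `nixpkgs.config.permittedInsecurePackages = ["olm-3.2.16"];` accepts a package that nixpkgs flags as insecure, and the only comment nearby is the unrelated TODO about the bridge being broken. A comment such as `# olm is flagged insecure in nixpkgs; permitted only because mautrix-whatsapp still depends on it, remove once it no longer does` would record why the exception exists and when it can be deleted. The same applies to the .NET 6 entries added in nixos/services/arr.nix, which carry no explanation either.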
@@ -10,6 +10,7 @@ confirm-external-bind=1 out-peers=64 # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays in-peers=1024 # The default is unlimited; we prefer to put a cap on this + zmq-pub=tcp://localhost:18083 ''; }; } diff --git a/nixos/services/mpd.nix b/nixos/services/mpd.nix index 9589de5..ab09e2b 100644 --- a/nixos/services/mpd.nix +++ b/nixos/services/mpd.nix @@ -2,6 +2,26 @@ services.mpd = { enable = true; network.listenAddress = "0.0.0.0"; + extraConfig = '' + audio_output { + type "fifo" + name "snapcast" + path "${config.services.snapserver.streams.mpd.location}" + format "${config.services.snapserver.streams.mpd.sampleFormat}" + mixer_type "software" + } + ''; }; networking.firewall.allowedTCPPorts = [config.services.mpd.network.port]; + services.snapserver = { + enable = true; + openFirewall = true; + buffer = 1000; + streams.mpd = { + type = "pipe"; + location = "/run/snapserver/mpd"; + sampleFormat = "44100:16:2"; + codec = "pcm"; + }; + }; } diff --git a/nixos/services/nextcloud.nix b/nixos/services/nextcloud.nix index a5fa2ef..06f4a88 100644 --- a/nixos/services/nextcloud.nix +++ b/nixos/services/nextcloud.nix @@ -1,6 +1,7 @@ { config, pkgs, + lib, ... }: let nextcloud = config.services.nextcloud; @@ -27,6 +28,7 @@ in { services.nextcloud = { enable = true; https = true; + package = pkgs.nextcloud30; hostName = "files.${config.networking.domain}"; configureRedis = true; database.createLocally = true; @@ -35,6 +37,7 @@ in { dbtype = "pgsql"; }; secretFile = sops.templates."nextcloud/secrets.json".path; + phpOptions."opcache.interned_strings_buffer" = "23"; settings = { maintenance_window_start = 2; default_phone_region = "GB"; 
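Review bot: In nixos/services/mpd.nix, `services.snapserver.openFirewall = true;` opens the snapserver ports in addition to MPD, which already listens on `0.0.0.0` with its port allowed through the firewall, and no authentication is configured for either service in the visible lines. If playback control is only meant for the local network or the tailnet, restricting the firewall rule to that interface would be the safer default; at minimum a comment should say the exposure is intended. This commit also drops `./nixos/services/mpd.nix` from the module list in flake.nix, so it is unclear from the diff whether this file is still imported anywhere.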
@@ -78,17 +81,10 @@ in { notes maps previewgenerator + deck + news + oidc_login ; - oidc_login = pkgs.fetchNextcloudApp { - sha256 = "sha256-cN5azlThKPKRVip14yfUNR85of5z+N6NVI7sg6pSGQI="; - url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.0.2/oidc_login.tar.gz"; - license = "agpl3Only"; - }; - news = pkgs.fetchNextcloudApp { - sha256 = "sha256-aePXUn57U+1e01dntxFuzWZ8ILzwbnsAOs60Yz/6zUU="; - url = "https://github.com/nextcloud/news/releases/download/25.0.0-alpha4/news.tar.gz"; - license = "agpl3Only"; - }; }; maxUploadSize = "5G"; }; diff --git a/nixos/services/prometheus.nix b/nixos/services/prometheus.nix index dfc5ade..e38cb64 100644 --- a/nixos/services/prometheus.nix +++ b/nixos/services/prometheus.nix @@ -34,4 +34,9 @@ in { }; }; }; + services.grafana.provision.datasources.settings.datasources = [{ + name = "Prometheus"; + type = "prometheus"; + url = "http://localhost:${toString prometheus.port}"; + }]; } diff --git a/nixos/services/synapse.nix b/nixos/services/synapse/default.nix similarity index 85% rename from nixos/services/synapse.nix rename to nixos/services/synapse/default.nix index d5256df..c09c4ed 100644 --- a/nixos/services/synapse.nix +++ b/nixos/services/synapse/default.nix @@ -16,6 +16,8 @@ inherit (config.services) matrix-synapse matrix-sliding-sync; inherit (sops) secrets templates; in { + imports = [./metrics.nix]; + services.postgresql.enable = true; services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; @@ -66,7 +68,7 @@ in { server_name = domain; baseurl = "https://${domain}"; oidc_providers = []; - settings.listeners = [ + listeners = [ { inherit port; bind_addresses = ["localhost"]; 
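Review bot: The PostgreSQL init script shown as context in the first nixos/services/synapse/default.nix hunk still contains `CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';` inside `pkgs.writeText`, so a fixed, guessable password sits in the world-readable Nix store. secrets/secrets.yaml already carries a `synapse.postgres` entry, which suggests the real password is meant to come from sops. If Synapse connects over the local socket with peer authentication, `CREATE ROLE "matrix-synapse" WITH LOGIN;` would be enough; how the connection is configured is outside the hunk, so confirm before changing it.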
@@ -84,12 +86,6 @@ in { }; }; - services.matrix-sliding-sync = { - enable = true; - environmentFile = templates."synapse/sliding_sync_env".path; - settings.SYNCV3_SERVER = "https://${domain}"; - }; - services.nginx.virtualHosts = { ${domain} = { locations."= /.well-known/matrix/server".extraConfig = mkWellKnown { @@ -97,7 +93,6 @@ in { }; locations."= /.well-known/matrix/client".extraConfig = mkWellKnown { "m.homeserver".base_url = "https://${fqdn}"; - "org.matrix.msc3575.proxy"."url" = "https://${fqdn}"; }; locations."= /.well-known/matrix/support".extraConfig = mkWellKnown { admins = [ @@ -110,14 +105,12 @@ in { }; locations."/_matrix".proxyPass = "http://localhost:${toString port}"; locations."/_synapse/client".proxyPass = "http://localhost:${toString port}"; - locations."/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://${toString matrix-sliding-sync.settings.SYNCV3_BINDADDR}"; }; ${fqdn} = { enableACME = true; forceSSL = true; locations."/_matrix".proxyPass = "http://localhost:${toString port}"; locations."/_synapse/client".proxyPass = "http://localhost:${toString port}"; - locations."/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://${toString matrix-sliding-sync.settings.SYNCV3_BINDADDR}"; }; }; } diff --git a/nixos/services/synapse/metrics.nix b/nixos/services/synapse/metrics.nix new file mode 100644 index 0000000..322bc49 --- /dev/null +++ b/nixos/services/synapse/metrics.nix 
@@ -0,0 +1,25 @@
+let
+ port = 9008;
+in {
+ services.prometheus.scrapeConfigs = [{
+ job_name = "synapse";
+ metrics_path = "/_synapse/metrics";
+ static_configs = [{
+ targets = ["localhost:${toString port}"];
+ }];
+ }];
+ services.matrix-synapse.settings = {
+ enable_metrics = true;
+ listeners = [
+ {
+ port = port;
+ type = "metrics";
+ bind_addresses = ["127.0.0.1"];
+ tls = false;
+ resources = []; # unneeded with type: metrics, just to make the nix module happy
+ }
+ ];
+ };
+# Grafana rules?
+# https://github.com/element-hq/synapse/tree/master/contrib/prometheus/
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 1f59b15..7ef2c52 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -1,33 +1,38 @@ nextcloud: - admin_password: ENC[AES256_GCM,data:ZBc/Z5F/DWPM78XhO3mVxEfEYjPoXHgqfg==,iv:ih9YuI+k4ksKBOhpezoJ/L5ac7P/JGLqs2B6ZuqZrj0=,tag:IDFU9NQoXHR1Ph5YtLC4lQ==,type:str] - oidc_client_secret: ENC[AES256_GCM,data:nIVLfC+22fEurR6FXdUwz4+rPuXzlM5HG4lnRI/m1lOaiw+C9DA3WV15DP5IXMn6BeBmDMnXbfdGt0hoV32y8bkfcals0C4wUitI63sYRJ6+f+N85IeAolfvYi+6gCwKZZhwRZdZJOQVOoFH8bvC0zLz6dzjL1/C5POX4C57URs=,iv:uV6KssluRg4+aOg7DPewK9c3eIkY3y/7ij7uYBLx9Kw=,tag:gEvApHIStThboRsP0YEoFw==,type:str] + admin_password: ENC[AES256_GCM,data:oE7SeKE40NsLF5FrxKJheyzSXLcL8Hs1+w==,iv:ih9YuI+k4ksKBOhpezoJ/L5ac7P/JGLqs2B6ZuqZrj0=,tag:tRTNDAaAvRe7FSMMCneYkA==,type:str] + oidc_client_secret: ENC[AES256_GCM,data:dTQlsiPvKPRETEy1cg7RIWxeapFOdoMqp1xpVnYFd8zxRyZGIYJNlSZAkc4ZZIMM76jrAnMw7jVArqCX/pma0GMxb4GqITYAHJfe6yVPZYVY9UHUeCQpwwdIMUxYJqYgcCL4VFn7tdtc6vITl+b0KH0GBFQWg07ROJCGfFiICa4=,iv:uV6KssluRg4+aOg7DPewK9c3eIkY3y/7ij7uYBLx9Kw=,tag:UM7fvtjscORH0BxoiUm++Q==,type:str] grafana: - oidc_client_secret: ENC[AES256_GCM,data:XU81XrM/aTZ/RDc3UPunOFQdfjJldKw3usMA5NfQkgxJYSq5NSu1ZQXsMuly4xbcYULiuUtkTAnb7Xzge+yIDoLfrZHab4mQgtLeK6hzZgLHYeSSEtQCXEYsL0p6ulA2OLrW6KoKl/o1EjiA+8htimgc7yNatdo6pBwwUXZFxpQ=,iv:de2P5uu1t0si7s7BqG4ukvouxH1TlCxgR28wRsz7i/I=,tag:1u0Wd9HRzbJRQtNbwDHOIQ==,type:str] + oidc_client_secret: ENC[AES256_GCM,data:vC/9eABn0slzgiaI372dhD46ggU+dsjgA9B7Kv2SLS15OWFBwqRnRhGxNYO6Iwev656t2RwZlJwbQwS8sIrnFD3NU+IEGMvz4sVWbSj7tHxojNo3+Ne8Kg7b03AlBYcEmYqTIx94Nbx8DsZtFRGAIuFYDpEpVxC9jWgPtqB21OE=,iv:de2P5uu1t0si7s7BqG4ukvouxH1TlCxgR28wRsz7i/I=,tag:wToLDNtOafhuMe9thxZDuQ==,type:str] anki: - password: ENC[AES256_GCM,data:dZsz/Z0rdP8vVFEGlck=,iv:rLjrfKXnz7hiYSOOY+uTGQCmvMLZbo3Xle+069hAB+A=,tag:sNuvL9tGBXs9OPoFVfjdSw==,type:str] + password: ENC[AES256_GCM,data:Lz9WwJ/JgboJEqnClj4=,iv:rLjrfKXnz7hiYSOOY+uTGQCmvMLZbo3Xle+069hAB+A=,tag:PrWQlZYREWGQJwPVFX0byQ==,type:str] synapse: - postgres: 
ENC[AES256_GCM,data:pP/Clrcd/dTjI81Wr9I=,iv:nx3eVKH1DXGk3tipbzlIGGyZB3/bJP5TSVMFVNHTIPs=,tag:3PbODZtFlb9XtuBfO/Ey/g==,type:str] - oidc_client_secret: ENC[AES256_GCM,data:GXEHHAf5pi/34DY8rUtb1r+0w9HdH2LfeYzREq9BssbspORGd2lOGW22kpUWQzMP/LN8qqx0+EDxlnUuz6MbKofdDPO53Ghrkv7eKsgHdI4g8NbneOEIe4Uurjsg+ibn2EIAWP6HsdwDoLPpS260HyciHJz15i8OpyPatv+bhUc=,iv:pigc8d/LPwy/mBrlUzOFR1nIUrulYZ67nq4bI4Mn+MI=,tag:5fQj8XiXmlC0/T4Muht7bA==,type:str] - signing_key: ENC[AES256_GCM,data:AuXyep/aoKn0EoXFgphhlwyvqiwnmRAbGsjzQtCHOVe1Nsdd1aZZdmANt3NXbNJbtjbowIYGbYTizQ==,iv:jKfEBdXSIrg1WQRvWxi+CUiO2mXOfULkg/i3YSD4d9k=,tag:EZJnoZVyrjb0fcRbvyuiPg==,type:str] - sliding_sync_secret: ENC[AES256_GCM,data:EureGgSONw+29RnTBcG7+Hpjs3mOk1Zr75glc582Tr9ITFfMczAdfY0FlWQgDxiPnl3o2GqlvdQ2CwDmpVGUVQ==,iv:JUKLrxrYQmCF15o+PwY1PzNW1h9FrGxdbSFGCzm3RdA=,tag:/TMv9LcCRLoTw3MDmpE0oQ==,type:str] -mautrix-whatsapp: - as_token: ENC[AES256_GCM,data:x1iIfwaRdSzC7wo684FY5ZCytj+uQSS2k8UZ/Sm/0gy7jnjsb6Eyl0I5tdNf7mYk2gdTtfmc+dVThOP3aGIZXQ==,iv:hvVr1MZfpLewomTW5pUhOvrQ2fEkQy4LNnfqslkeFgQ=,tag:5eUZLn5Bd2D5GWyIx9xevw==,type:str] - hs_token: ENC[AES256_GCM,data:y8q41zg1NFco0fs7Q/yZVIPCdrUsB8/CRiffBpAVWsH0vCCHQvBs6VUGZmZwJVySkxSfFqBdCc/TF38SPwhxCg==,iv:sJ0cldlCTpGRMYT0u9ZGFVI70m3VBCZqn/l4cwUDyAI=,tag:D0QE2TQxLNnEv6/ECCLnRw==,type:str] + postgres: ENC[AES256_GCM,data:/jukTywBVoRi8KkDpAA=,iv:nx3eVKH1DXGk3tipbzlIGGyZB3/bJP5TSVMFVNHTIPs=,tag:DDmnJ1yiiZcGqvGj6uTG7w==,type:str] + oidc_client_secret: ENC[AES256_GCM,data:QdTHn5n+VcZ7EpZRI9EGHm+F5CWWr72nEqyJC4itEnSM+MZfnp941rRBUefU067VCf/mZR8UWkMJYATR2wcQTGluF73nHOeV8c1XUwT0TXNgPNhPdXisRcZF8OCYzU9HmdMKieiH/Bmc/mSXU3AZuTe9UXhf0CyVs1HgoENyfJQ=,iv:pigc8d/LPwy/mBrlUzOFR1nIUrulYZ67nq4bI4Mn+MI=,tag:nKDeJBp9VhzS3fOx64N0kA==,type:str] + signing_key: ENC[AES256_GCM,data:f3EEHTnY5qm2TUKEXMLsrMt9qhJaz9VzRwGFV9+xUP32fwxwbZc/EopOVJ03OvQwG695at+26MRWcQ==,iv:jKfEBdXSIrg1WQRvWxi+CUiO2mXOfULkg/i3YSD4d9k=,tag:EYhdgGZkx0qZqAqlA/RJuQ==,type:str] + sliding_sync_secret: 
ENC[AES256_GCM,data:zog0Bw+GyNnaLKtxhH3p4nMYtT6CcJ6bpaq1UagIxuywKjxSJkjKdmWXDrQ+mgswvc8rZ1GRDTsuYJmjcr3JwQ==,iv:JUKLrxrYQmCF15o+PwY1PzNW1h9FrGxdbSFGCzm3RdA=,tag:EXxXOAVbGAemOBFRhXKPqg==,type:str] mautrix-signal: - as_token: ENC[AES256_GCM,data:wu9ohlIUn6dBYxa7jZzG9DRVRrBCnmXsc7txntF6U6eW6rpe/bvKWDR5/db1ZtMxAv/MZrTephJ81yqtr8aDsw==,iv:L+Pj1Mg5SlaKs0kb68qPzJX1FI7mV8boh4OonfWBy8o=,tag:J6F3CP5OJbyPBr5iVWhg0w==,type:str] - hs_token: ENC[AES256_GCM,data:8OAHb5+k7uRW5EtjrNiTFjG1lf3txePHjpVYaDtJ1MfbtU8jN/T50PENPwFHR9iJSh2Zma7PGgFjwlWHGQEW8A==,iv:YoHj7qGYVA8C8HL8XLcarHwkVrdc7dQHecYF0yxvqwM=,tag:3y/K1iztmWrWR34/3vjopA==,type:str] + as_token: ENC[AES256_GCM,data:13EBWO8ZD2LjkFLI3Clvn4qU1u+rCrPwlvwLaNDlKt3Zf2YxCvM3m1dprj5FyF3fNETSgzbMe6tXsHcxjMi5ag==,iv:L+Pj1Mg5SlaKs0kb68qPzJX1FI7mV8boh4OonfWBy8o=,tag:nIsr0NdIDU2a3DYGm7OXeA==,type:str] + hs_token: ENC[AES256_GCM,data:PJkY4F3Nu6C79v3FaEw6sVr7Y+IIjLJbc2h+L7pEFYyfyolWPMTeQf85Js1zbGEsRLWvyJTAQXdg68KldYCg2Q==,iv:YoHj7qGYVA8C8HL8XLcarHwkVrdc7dQHecYF0yxvqwM=,tag:xoxt0sprxTpHhf4XLfrCaA==,type:str] + postgres_password: ENC[AES256_GCM,data:k+BHWgiNXQeujuShmDgu3anjLgcd,iv:J8sUNC6S/RsMhu3LW37xp5sddJxicfVaOrsfsptp/W4=,tag:7RB6j19tBEp7Z+VSEUR4mQ==,type:str] mautrix-instagram: - as_token: ENC[AES256_GCM,data:pNO76BcGejQdCc5X4f/UvSsBIPU6QZCCQTJvwVIXRf3rnb9ewWNMEtYXlqj886yh3g5SgqQ4Uhqby/7vrMxREA==,iv:uYU7ACk4wEPzqUCpt5KBt5Y8LoVIdAlNvdWj5Jm94qM=,tag:vJHOhwJBPlgUPu1SFqI4ew==,type:str] - hs_token: ENC[AES256_GCM,data:m1CK8Ae6QyJKgDZm904xMpZ1KgKxEUpmQ1jdKOkjexgwAWjjtYF+RVximtcXwxPg/0jkbK/LMlxA89ic+zajiA==,iv:YLed92mS+2Cpud2f8Gq+zlpSVyPo7RVNGOUPCIRDi94=,tag:rRwhYn88ZZwm5sDI1etR2g==,type:str] + as_token: ENC[AES256_GCM,data:DP/VQGK2DO4ixT/3wLBhvKxCcauEgXmDD4vW8k5uJFXAq7gtUXasLIYZ6pkUx0Vzd5kT/XZMhFOJyOT2Cyv38Q==,iv:uYU7ACk4wEPzqUCpt5KBt5Y8LoVIdAlNvdWj5Jm94qM=,tag:RoOhGoQ2BeDe0n6/w4TuPA==,type:str] + hs_token: 
ENC[AES256_GCM,data:ljzZE6uwHq7jH5oIej4TWMeFtDolRSCg1oNr7xkjK7t3EpZrkg2YVOvWJtf/B+43cx7/BzVftBM4NOElQfRUDA==,iv:YLed92mS+2Cpud2f8Gq+zlpSVyPo7RVNGOUPCIRDi94=,tag:KEqa64BqbG7lmpV2sTqHkg==,type:str] authentik: - postgres_password: ENC[AES256_GCM,data:mdUFP92PQEsvXpgES/iG+zmse0AKJ2c1KdMQDWDWWzWAOn3YSAYJX/N0IIljoGNC,iv:UxFDFYWNBQospGoHlrvLQJyypIszPqpkeJy1IGr6/7I=,tag:99LWrGMaYpfTl0PM4AQaKg==,type:str] - secret_key: ENC[AES256_GCM,data:JWcHd5FLhFt7gitVyv0l5Fc/sVrBlro026CPKrECPRGQHwjWQWsXTbKisM0vCKdB,iv:WN/LXUNrd+DbxfxwotedlYnyzE2D1c6C2e0UgCXUWX8=,tag:CAo6tX5RGdg67giMWa459g==,type:str] + postgres_password: ENC[AES256_GCM,data:jUVLMW1kFABZ3uWeWp4oWGOQDm7IBpF1BKNg/h88UqbpgakSCVuF+GIOSTxpSdc0,iv:UxFDFYWNBQospGoHlrvLQJyypIszPqpkeJy1IGr6/7I=,tag:IIN24+k4k37IszNFK1+rRg==,type:str] + secret_key: ENC[AES256_GCM,data:qYS0HIImVKnMS9ywEJK2E0WLHgcWIYTZVapA/fL79abqK1qKPeVIQ3u/SqwkGBgg,iv:WN/LXUNrd+DbxfxwotedlYnyzE2D1c6C2e0UgCXUWX8=,tag:E5ABLXy5vDxDPdBGR5HoLg==,type:str] mail: - host: ENC[AES256_GCM,data:TpJCxb8/qtGHA7ZQNFxRfzY0jz82,iv:+hjhL2jbMP9NWYub/etBhFXxAfzoIEneepRw5uHL8bs=,tag:J5Rb6BiFKqgqxZPFSGtXhA==,type:str] - port: ENC[AES256_GCM,data:1DfD,iv:I3dK4v/h5nFLNk4yihQxkJiyAir9MLDAQIeGbSn3j+I=,tag:Xu8E6PN7u9YRVnFMWq85DQ==,type:str] - username: ENC[AES256_GCM,data:yF3a6yJbvscUM8HRL9/Df5ZU4j5a3g==,iv:LkZh8eaBZ+Z3+bjpyB3MkWTRpjtk3/bszseT9KCfDmM=,tag:sdAp283HiwYWlVLc7c4waw==,type:str] - password: ENC[AES256_GCM,data:queuYRYekTyynd6fxK4RNImMzQeR7xfNg9u96Fr+1tw=,iv:Rn30tJAoahkMr2ISDbyHClHDdjSF41MqtTwlSGUQELw=,tag:/sfAJXvFwvv3AMxTCONmkg==,type:str] - ssl: ENC[AES256_GCM,data:K2pczQ==,iv:Us4kZfQ2wIx/qJXDaPDuUNvGU2F+U8EtV21SPbTebe8=,tag:lUY9pGQ7dtxIJqOOtIMA8Q==,type:str] + host: ENC[AES256_GCM,data:FGKGHXYVwbDp17nYwrQtvGp0FYuK,iv:+hjhL2jbMP9NWYub/etBhFXxAfzoIEneepRw5uHL8bs=,tag:Uy3BihID9/h1Y7874KqHMw==,type:str] + port: ENC[AES256_GCM,data:q3NZ,iv:I3dK4v/h5nFLNk4yihQxkJiyAir9MLDAQIeGbSn3j+I=,tag:TAZg45IQF/dlLrH1vjBlmA==,type:str] + username: 
ENC[AES256_GCM,data:DJ8D7TY2o2PimB0WX4L6gEJr7M6XRQ==,iv:LkZh8eaBZ+Z3+bjpyB3MkWTRpjtk3/bszseT9KCfDmM=,tag:Nf7ePRKAqk+xRpKSem/QSw==,type:str] + password: ENC[AES256_GCM,data:GqR8lvyF21djWQT0smHQb42FOt56ZHPnLYS0ekoyyH0=,iv:Rn30tJAoahkMr2ISDbyHClHDdjSF41MqtTwlSGUQELw=,tag:ab7k7Afi5Dfw4NkLbF/cUg==,type:str] + ssl: ENC[AES256_GCM,data:swCVBQ==,iv:Us4kZfQ2wIx/qJXDaPDuUNvGU2F+U8EtV21SPbTebe8=,tag:Zuc0y6aTyjQBe4ZV7zy3NA==,type:str] +transmission: + auth: + OPENVPN_PROVIDER: ENC[AES256_GCM,data:cgYUsQ==,iv:KXddHlOwqbn97SmLkdRIDrqiAAihfXNpG64uD80UnKI=,tag:s6tkiawsfOOXV3ZMltL4MQ==,type:str] + OPENVPN_CONFIG: ENC[AES256_GCM,data:mHMLA2Rqte+aEGstKCan3fNPEqwb,iv:wvLx3rWNcDVek6bmXBu+39AlnXpviNNwCItLAWWVDzY=,tag:1ArWMperFmOFSCdehWibNg==,type:str] + OPENVPN_USERNAME: ENC[AES256_GCM,data:RQ+hGLE6YEgN/aaa2TLpkg==,iv:oG794WxGe0t1ZI0PyC45ZgCPA0Ar2m/dSVDdMYBKJvY=,tag:CGnEu8ds0s4aH4ImCrNWNQ==,type:str] + OPENVPN_PASSWORD: ENC[AES256_GCM,data:Jw==,iv:uGAaXFWfpSaeqY7yC9cR9iqblH3E3hudnrnIlOvdRCg=,tag:P1XJ2SBY82z9YZP9J/n5SA==,type:str] +namecheap: ENC[AES256_GCM,data:PTEQK8+G1FfmvRk9IxrAZjCAhiKdV0AA+JxaJRZvbHU=,iv:xTrJzPooM0xzs9xgkNGWKRzRHeIIhMGa8EYW2/41ZvA=,tag:KHdLKuip439QNeAiBwreqg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -37,14 +42,14 @@ sops: - recipient: age106vffwu4y8cx90y0rtzajgpafl8jq7ty5hf6pur2gjsuq3g2lf5qjmdq0q enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4a3EwTXQwV3hxNW1zNXow - Q1UxRHcwaVdhNHo5N0QvbE1maTkxdFBKZUJvCnpVYklIamlic1A4SDluQnhod2Z3 - MTVxRlJLVWd5dkZlTjE1OGRIZVo4QmsKLS0tIHI4bm01WjNucUlvYzFTSzhNSkQ3 - NUFIN3NPU2pTZ0NZRXdQY0xhWlI5T3cKd5XCj1aNsD+7+MfiAPGb1iAW9AgzyagG - A7cwF9kQwWWLud9z4v6epuDkqGF+7uIy7N/CwBaEgi8+AS8o27wo4g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDc1R5TFAvZFFMbTJqWVl5 + STA0YjBRSmk2N1dvUG9ETWYvRTNXMTFoYUVJCk81dmM2c0JLcnpzUjBsazZrenRK + YXZkQ2pqRTNrTDBFK1FrQ3BRNmI0STQKLS0tIHpseXFsSlhLNVhHeFNhVXNEcmM3 + S3ZwcHhkdEEvY0pINDloand5S0NycHcKEpIt5EeIKhLQK7f74sWVN/x5gzh/Jq7x + UUN5QtysRbWVGnWRxdNB8LIMjDJY9jRojycdQfSNebaz5ZLjEp8dZQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-08T21:41:24Z" - mac: ENC[AES256_GCM,data:BMM/NP/ls0VdkL1jOqPeEmfxwoQR1Yi5DM2xb1p+Z3u9oo61Tkc2v2G7G9jWMfa2UwVlqYOGIZlwNj2ONhWhDDZBVTd3tTEbssbizNTUWGX7cQBfQm9K0/Mk+qXdug7AfjKnVXZlEbD7QLfqhz7sl/tDaPS9sstnivJENi2sIYI=,iv:nOoc+kiSbf89qJMtGYLURVToh6bCnEjg7zVQivzate4=,tag:ogEOMkRafxKLFX0N9hbOSw==,type:str] + lastmodified: "2025-01-18T02:00:29Z" + mac: ENC[AES256_GCM,data:x3J0tRfNynM2qlB4YUUAUMYI/94opN1kJ1j0kOyeZ1GZHx+EA4dQZif4nPQOERo+5xRt8C4YXVDZEnCjD1TpQE6LYik0n0iY+84sY5fSr2SYiXzq2P72Tk7BzBklI9/zjndeJLJbydTJDMzOCvdEWIfHYZsHODnKXBO9pYwjAqU=,iv:z+QD93t72S2w0CqMV5sQk9oK9LMnQAxyaiExmqEcSp0=,tag:dbtyHUQ+n2EQvHEkQa7zrw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.2