2 Commits

24 changed files with 524 additions and 309 deletions

142
flake.lock generated

@ -11,11 +11,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1682237245, "lastModified": 1707771926,
"narHash": "sha256-xbBR7LNK+d5Yi/D6FXQGc1R6u2VV2nwr/Df5iaEbOEQ=", "narHash": "sha256-PhWWmby82jm1ddLnQoC4sPcRBnn9tMRmqiwbsYdO8Ec=",
"owner": "yaxitech", "owner": "yaxitech",
"repo": "ragenix", "repo": "ragenix",
"rev": "281f68c3d477904f79ff1cd5807a8c226cd80a50", "rev": "2d9122fe28c15ca64770f192f7df97e13b1fb098",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -27,17 +27,19 @@
"agenix_2": { "agenix_2": {
"inputs": { "inputs": {
"darwin": "darwin", "darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [ "nixpkgs": [
"agenix", "agenix",
"nixpkgs" "nixpkgs"
] ],
"systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1682101079, "lastModified": 1703433843,
"narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=", "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447", "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -54,11 +56,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1706241694, "lastModified": 1708200003,
"narHash": "sha256-OzgzZTpzNOYJGV3FYE8IXxRIAp4ht1FKMX71JXX/CHg=", "narHash": "sha256-F35dKFLG1fs/B6+Zi081mi8x2x8CARgrU/xeWSmY4l4=",
"ref": "refs/heads/Development", "ref": "refs/heads/Development",
"rev": "bbb3e7d8ff657ec61b7b1c5d745a0eba30d76f4e", "rev": "acf0f3a8b17b8eb07166a17badde0d2a04cee778",
"revCount": 70, "revCount": 72,
"type": "git", "type": "git",
"url": "https://git.orion-technologies.io/blog/blog" "url": "https://git.orion-technologies.io/blog/blog"
}, },
@ -69,26 +71,17 @@
}, },
"crane": { "crane": {
"inputs": { "inputs": {
"flake-compat": "flake-compat",
"flake-utils": [
"agenix",
"flake-utils"
],
"nixpkgs": [ "nixpkgs": [
"agenix", "agenix",
"nixpkgs" "nixpkgs"
],
"rust-overlay": [
"agenix",
"rust-overlay"
] ]
}, },
"locked": { "locked": {
"lastModified": 1681680516, "lastModified": 1707685877,
"narHash": "sha256-EB8Adaeg4zgcYDJn9sR6UMjN/OHdIiMMK19+3LmmXQY=", "narHash": "sha256-XoXRS+5whotelr1rHiZle5t5hDg9kpguS5yk8c8qzOc=",
"owner": "ipetkov", "owner": "ipetkov",
"repo": "crane", "repo": "crane",
"rev": "54b63c8eae4c50172cb50b612946ff1d2bc1c75c", "rev": "2c653e4478476a52c6aa3ac0495e4dea7449ea0e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -106,11 +99,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1673295039, "lastModified": 1700795494,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943", "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -122,16 +115,16 @@
}, },
"deploy-rs": { "deploy-rs": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1704875591, "lastModified": 1708091384,
"narHash": "sha256-eWRLbqRcrILgztU/m/k7CYLzETKNbv0OsT2GjkaNm8A=", "narHash": "sha256-dTGGw2y8wvfjr+J9CjQbfdulOq72hUG17HXVNxpH1yE=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "1776009f1f3fb2b5d236b84d9815f2edee463a9b", "rev": "0a0187794ac7f7a1e62cda3dabf8dc041f868790",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -147,11 +140,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1706491084, "lastModified": 1708143835,
"narHash": "sha256-eaEv+orTmr2arXpoE4aFZQMVPOYXCBEbLgK22kOtkhs=", "narHash": "sha256-SRGi47kleiyNVQlR9mxp9Ux2t2SLy7Nm3L6b3UKjH2c=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "f67ba6552845ea5d7f596a24d57c33a8a9dc8de9", "rev": "4d81082b2c37a6e1e181cc9f589b5b657774bd63",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -161,22 +154,6 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
@ -192,7 +169,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_3": { "flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1687265871, "lastModified": 1687265871,
@ -210,14 +187,14 @@
}, },
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1705309234,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401", "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -228,7 +205,7 @@
}, },
"flake-utils_2": { "flake-utils_2": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1705309234, "lastModified": 1705309234,
@ -246,7 +223,7 @@
}, },
"flake-utils_3": { "flake-utils_3": {
"inputs": { "inputs": {
"systems": "systems_4" "systems": "systems_5"
}, },
"locked": { "locked": {
"lastModified": 1705309234, "lastModified": 1705309234,
@ -262,6 +239,28 @@
"type": "github" "type": "github"
} }
}, },
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1706639736, "lastModified": 1706639736,
@ -295,11 +294,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1706550542, "lastModified": 1708118438,
"narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", "narHash": "sha256-kk9/0nuVgA220FcqH/D2xaN6uGyHp/zoxPNUmPCMmEE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", "rev": "5863c27340ba4de8f83e7e3c023b9599c3cb3c80",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -315,7 +314,7 @@
"blog": "blog", "blog": "blog",
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"disko": "disko", "disko": "disko",
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_3", "flake-utils": "flake-utils_3",
"impermanence": "impermanence", "impermanence": "impermanence",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
@ -333,11 +332,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1682129965, "lastModified": 1707703915,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=", "narHash": "sha256-Vej69igzNr3eVDca6+32uO+TXjVWx6ZUwwy3iZuzhJ4=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83", "rev": "e6679d2ff9136d00b3a7168d2bf1dff9e84c5758",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -406,9 +405,24 @@
"type": "github" "type": "github"
} }
}, },
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": { "utils": {
"inputs": { "inputs": {
"systems": "systems_3" "systems": "systems_4"
}, },
"locked": { "locked": {
"lastModified": 1701680307, "lastModified": 1701680307,

159
flake.nix

@ -5,9 +5,7 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
impermanence = { impermanence = { url = "github:nix-community/impermanence"; };
url = "github:nix-community/impermanence";
};
agenix = { agenix = {
url = "github:yaxitech/ragenix"; url = "github:yaxitech/ragenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -27,14 +25,15 @@
}; };
}; };
outputs = inputs@{ self, nixpkgs, deploy-rs, impermanence, agenix, disko
outputs = inputs @ { self, nixpkgs, deploy-rs, impermanence, agenix, disko, flake-utils, blog, ... }: , flake-utils, blog, ... }:
let let
lib = (import ./lib { lib = nixpkgs.lib; }) // nixpkgs.lib; lib = (import ./lib { lib = nixpkgs.lib; }) // nixpkgs.lib;
persist-dir = "/persist"; persist-dir = "/persist";
defaults = { defaults = {
config = { config = {
environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id"; environment.etc.machine-id.source =
"${persist-dir}/ephemeral/etc/machine-id";
environment.persistence.save = { environment.persistence.save = {
hideMounts = true; hideMounts = true;
persistentStoragePath = "${persist-dir}/save"; persistentStoragePath = "${persist-dir}/save";
@ -42,59 +41,90 @@
environment.persistence.ephemeral = { environment.persistence.ephemeral = {
persistentStoragePath = "${persist-dir}/ephemeral"; persistentStoragePath = "${persist-dir}/ephemeral";
hideMounts = true; hideMounts = true;
directories = [ directories = [ "/var/lib" "/var/log" "/etc/nixos" ];
"/var/lib"
"/var/log"
"/etc/nixos"
];
}; };
}; };
}; };
in in {
{ nixosConfigurations = {
nixosConfigurations.luna = orion = let hostname = "orion";
let in nixpkgs.lib.nixosSystem {
hostname = "luna"; system = "x86_64-linux";
in specialArgs = {
nixpkgs.lib.nixosSystem inherit self;
{ inherit inputs;
system = "x86_64-linux"; inherit hostname;
specialArgs = { inherit lib;
inherit self; inherit persist-dir;
inherit blog; root-disk = "/dev/vda";
inherit flake-utils;
inherit inputs;
inherit hostname;
inherit nixpkgs;
inherit lib;
inherit persist-dir;
root-disk = "/dev/nvme0n1";
fqdn = "orion-technologies.io";
};
modules = [
defaults
impermanence.nixosModules.impermanence
agenix.nixosModules.default
disko.nixosModules.disko
{ config = (import "${self}/secrets" { agenix = false; inherit lib; }).${hostname}; }
./hosts/${hostname}
];
}; };
modules = [
defaults
impermanence.nixosModules.impermanence
agenix.nixosModules.default
disko.nixosModules.disko
{
config = (import "${self}/secrets" {
agenix = false;
inherit lib;
}).${hostname};
}
./hosts/${hostname}
];
};
luna = let hostname = "luna";
in nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit self;
inherit blog;
inherit flake-utils;
inherit inputs;
inherit hostname;
inherit nixpkgs;
inherit lib;
inherit persist-dir;
root-disk = "/dev/nvme0n1";
fqdn = "orion-technologies.io";
};
modules = [
defaults
impermanence.nixosModules.impermanence
agenix.nixosModules.default
disko.nixosModules.disko
{
config = (import "${self}/secrets" {
agenix = false;
inherit lib;
}).${hostname};
}
./hosts/${hostname}
];
};
};
deploy.nodes = { deploy.nodes = {
luna = { orion = {
hostname = "luna.hosts.orion-technologies.io"; hostname = "boot";
fastConnection = true; fastConnection = true;
profiles = { profiles.system = {
system = { sshUser = "price";
sshUser = "price"; user = "root";
user = "root"; path = deploy-rs.lib.x86_64-linux.activate.nixos
path = self.nixosConfigurations.orion;
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.luna;
};
};
}; };
}; };
luna = {
hostname = "luna.hosts.orion-technologies.io";
fastConnection = true;
profiles.system = {
sshUser = "price";
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.luna;
};
};
};
} // flake-utils.lib.eachDefaultSystem (system: } // flake-utils.lib.eachDefaultSystem (system:
let let
@ -102,16 +132,19 @@
inherit system; inherit system;
overlays = [ agenix.overlays.default ]; overlays = [ agenix.overlays.default ];
}; };
in in {
{ devShells.default = pkgs.mkShell {
devShells.default = packages = with pkgs; [
pkgs.mkShell age
{ age-plugin-yubikey
packages = with pkgs; [ age age-plugin-yubikey pkgs.agenix nixos-rebuild pkgs.deploy-rs ]; pkgs.agenix
shellHook = '' nixos-rebuild
export RULES="$PWD/secrets/secrets.nix" pkgs.deploy-rs
nix eval --json --file ./.nixd.nix > .nixd.json ];
''; shellHook = ''
}; export RULES="$PWD/secrets/secrets.nix"
nix eval --json --file ./.nixd.nix > .nixd.json
'';
};
}); });
} }
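Review bot: `deploy.nodes.orion.hostname = "boot"` is a bare name, unlike luna's fully qualified `luna.hosts.orion-technologies.io`, so the target of a root-level activation depends on whatever `boot` resolves to in the deploying machine's SSH config or resolver. If this is a temporary alias for the install environment, say so in a comment such as `# TODO: replace with orion's FQDN once provisioned`, or use the real host name. Separately, the `orion` and `luna` entries in `nixosConfigurations` repeat the same module list; a small helper taking `hostname` and the per-host `specialArgs` would keep the two from drifting.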


@ -8,7 +8,7 @@
shell = pkgs.bash; shell = pkgs.bash;
hashedPasswordFile = config.age.secrets.users-price-pw.path; hashedPasswordFile = config.age.secrets.users-price-pw.path;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ9ODXLAIfGH/7VNobQsp5nwBvNoh+pQMEH7s2jkHpkqAAAACHNzaDpsdW5h" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkWsSntg1ufF40cALcIBA7WZhiU/f0cncqq0pcp+DZY openpgp:0x15993C90"
]; ];
}; };
}; };
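Review bot: The replacement entry in `openssh.authorizedKeys.keys` is a plain `ssh-ed25519` key, so unlike the `sk-ssh-ed25519@openssh.com` entry it replaces, the server can no longer tell whether the private key lives on a hardware token; the `openpgp:0x15993C90` comment suggests it does, but that is only a label. A one-line comment above the entry stating where the key is held, e.g. `# held on an OpenPGP card, exported via gpg-agent` (if that is the case), would record the intent. The same literal is pasted into the new users module that sets `root.hashedPasswordFile` further down the page; defining it once in a shared file and importing it in both places would make rotation a single edit.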


@ -21,7 +21,7 @@
}; };
}; };
fileSystems."/persist".neededForBoot = true; fileSystems."${persist-dir}".neededForBoot = true;
disko.devices = disko.devices =
{ {


@ -1,9 +1,5 @@
{ config, lib, nixpkgs, ... }: { config, lib, nixpkgs, ... }:
{ {
imports = [ imports = (lib.recurseFilesInDirs [ ./os ./modules ] ".nix");
./modules system.stateVersion = "24.05";
./os/filesystem.nix }
];
system.stateVersion = "23.11";
}
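Review bot: `system.stateVersion = "24.05";` replaces `"23.11"` in what appears to be an existing host configuration. stateVersion is meant to stay at the release the machine was first installed with, because modules use it to pick defaults for stateful data, and raising it can change those defaults underneath existing data. Unless the host is being reinstalled, keep `system.stateVersion = "23.11";`. Also, `imports = (lib.recurseFilesInDirs [ ./os ./modules ] ".nix");` turns every `.nix` file under those directories into active configuration, so a comment saying that helper or scratch files must not live there would help; the helper's definition is not shown on this page.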


@ -1,13 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./audio.nix
./bluetooth.nix
./hardware.nix
./networking.nix
./nix.nix
./power.nix
./user.nix
];
}


@ -66,7 +66,6 @@ in
UseDNS = networks_dhcp_use_dns; UseDNS = networks_dhcp_use_dns;
}; };
}; };
}; };
}; };
@ -87,6 +86,7 @@ in
networking = { networking = {
hostName = "${hostname}"; hostName = "${hostname}";
wireless.iwd.enable = true; wireless.iwd.enable = true;
useNetworkd = true;
}; };
} }


@ -0,0 +1,62 @@
{ config, ... }:
{
services.openssh = {
enable = true;
startWhenNeeded = true;
# We set the hostkeys manually so they persist through reboots
hostKeys = [
{
path = (config.environment.persistence.ephemeral.persistentStoragePath + "/etc/ssh/ssh_host_ed25519_key");
type = "ed25519";
}
];
sftpFlags = [
"-f AUTHPRIV"
"-l INFO"
];
extraConfig = ''
AllowUsers price
'';
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
GatewayPorts = "yes";
LogLevel = "VERBOSE";
KexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
Ciphers = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
];
};
ports = [
2200
];
banner = ''
Orion Technologies - Security Notice
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have written, explicit, authorized
permission to access or configure this device.
Unauthorized attempts and actions to access or use
this system may result in civil and/or criminal
penalties. All activities performed on this device
are logged and monitored.
'';
};
}
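Review bot: `GatewayPorts = "yes";` makes every remote port forward bind on all interfaces, so any port the `price` session forwards with `-R` becomes reachable from the network the host sits on rather than only from loopback. If wide binds are needed only sometimes, `GatewayPorts = "clientspecified";` leaves the choice to the client per forward, and omitting the setting restores the loopback-only default. The rest of the block (`PasswordAuthentication = false`, `PermitRootLogin = "no"`, `AllowUsers price`) is tight, so this one stands out; if it is intentional, a comment stating why it is needed would be enough.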


@ -1,37 +0,0 @@
{ pkgs, user, ... }:
let
user = "price";
in
{
programs = {
zsh.enable = true;
};
nixpkgs.config.allowUnfree = true;
users.users = {
root.initialPassword = "pass";
"${user}" = {
initialPassword = "pass";
shell = pkgs.zsh;
isNormalUser = true;
description = "${user}";
extraGroups = [
"wheel"
"docker"
"nix-users"
"libvirt"
"log"
];
};
};
environment.systemPackages = with pkgs; [
ungoogled-chromium
wezterm
yamllint
stylua
eza
];
}


@ -0,0 +1,19 @@
{ pkgs, user, config, ... }: {
security.sudo.wheelNeedsPassword = false;
users.users = {
root.hashedPasswordFile = config.age.secrets.users-root-pw.path;
price = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.bash;
hashedPasswordFile = config.age.secrets.users-price-pw.path;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkWsSntg1ufF40cALcIBA7WZhiU/f0cncqq0pcp+DZY openpgp:0x15993C90"
];
};
};
environment.persistence.ephemeral.users = {
price = { files = [ ".bash_history" ]; };
root = { home = "/root"; files = [ ".bash_history" ]; };
};
}
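Review bot: `security.sudo.wheelNeedsPassword = false;` together with `extraGroups = [ "wheel" ];` means possession of the single key in `openssh.authorizedKeys.keys` is equivalent to root on this host, and the hashed password from `users-price-pw` is never asked for. If the setting exists so that deploy-rs can activate as `root` through `sshUser = "price"`, deploy-rs's `interactiveSudo` option would avoid blanket passwordless sudo; otherwise drop the line. The `user` argument in the module header is not used in the body and can be removed.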

73
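--- a/hosts/orion/os/boot.nix
+++ b/hosts/orion/os/boot.nix
@@ -0,0 +1,73 @@
+{ modulesPath, pkgs, ... }: {
+# imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+imports =
+[ (modulesPath + "/profiles/qemu-guest.nix")
+];
+boot = {
+loader = {
+systemd-boot.enable = true;
+efi.canTouchEfiVariables = true;
+};
+kernelModules = [ "kvm-intel" ];
+kernelParams = [ "audit=1" ];
+extraModulePackages = [ ];
+initrd = {
+availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+# availableKernelModules =
+# [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usbhid" "rtsx_pci_sdmmc" ];
+# kernelModules = [ ];
+systemd = {
+enable = true;
+initrdBin = [ pkgs.libuuid pkgs.gawk ];
+services.rollback = {
+description = "Rollback btrfs root subvolume";
+wantedBy = [ "initrd.target" ];
+before = [ "sysroot.mount" ];
+after = [ "initrd-root-device.target" ];
+unitConfig.DefaultDependencies = "no";
+serviceConfig.Type = "oneshot";
+script = ''
+mkdir -p /mnt
+DISK_LABEL="NixOS-Primary"
+FOUND_DISK=0
+ATTEMPTS=50
+printf "Attempting to find disk with label '%s'\n" "$DISK_LABEL"
+while ((ATTEMPTS > 0)); do
+if findfs LABEL="$DISK_LABEL"; then
+FOUND_DISK=1
+printf "Found disk!\n"
+break;
+fi
+((ATTEMPTS--))
+sleep .1
+printf "Remaining disk discovery attempts: %s\n" "$ATTEMPTS"
+done
+if (( FOUND_DISK == 0 )); then
+printf "Discovery of disk with label '%s' failed! Cannot rollback!\n" "$DISK_LABEL"
+exit 1
+fi
+mount -t btrfs -o subvol=/ $(findfs LABEL="$DISK_LABEL") /mnt
+btrfs subvolume list -to /mnt/root \
+| awk 'NR>2 { printf $4"\n" }' \
+| while read subvol; do
+printf "Removing Subvolume: %s\n" "$subvol";
+btrfs subvolume delete "/mnt/$subvol"
+done
+printf "Removing /root subvolume\n"
+btrfs subvolume delete /mnt/root
+printf "Restoring base /root subvolume\n"
+btrfs subvolume snapshot /mnt/root-base /mnt/root
+umount /mnt
+'';
+};
+};
+};
+};
+}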
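Review bot: The deletion loop in `services.rollback.script` is driven by parsed text: `awk 'NR>2 { printf $4"\n" }'` uses the subvolume path as the printf format and `read subvol` processes backslashes, so a path containing `%` or `\` is altered before it reaches `btrfs subvolume delete`. Use `awk 'NR>2 { print $4 }'` and `while IFS= read -r subvol; do`, and quote the substitution in `mount -t btrfs -o subvol=/ "$(findfs LABEL="$DISK_LABEL")" /mnt`. The listing does not obviously put nested subvolumes before their parents, so deleting a parent may fail while children remain; this is inferred from the command shape and not verified here. A short comment above `script` saying that `root-base` is the pristine snapshot the root is restored from would help a reader who sees only this file.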


@ -0,0 +1,6 @@
{ modulesPath, ... }:
{
zramSwap.enable = true;
}


@ -1,78 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
kernelModules = [ ];
luks.devices = {
"luksroot" = {
device = "/dev/disk/by-label/NixOS-Crypt";
allowDiscards = true;
};
};
};
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
zramSwap.enable = true;
fileSystems = {
"/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "noatime" "mode=755" ];
};
"/boot" = {
device = "/dev/disk/by-label/NixOS-Boot";
fsType = "vfat";
options = [ "defaults" "noatime" ];
depends = [ "/" ];
};
"/nix" = {
device = "/dev/disk/by-label/NixOS-Primary";
fsType = "btrfs";
options = [ "subvol=@nix" "compress=zstd" "noatime" ];
};
};
environment.persistence = {
"/nix/persist" = {
hideMounts = true;
directories = [
"/var/lib"
"/var/log"
"/etc/nixos"
];
files = [
"/etc/machine-id"
"/etc/nix/id_rsa"
];
users.price = {
directories = [
"Git"
"ISOs"
"Downloads"
"Keep"
"Notes"
".local/share"
{ directory = ".gnupg"; mode = "0700"; }
{ directory = ".ssh"; mode = "0700"; }
];
files = [
".zsh_history"
];
};
};
};
}

75
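--- a/hosts/orion/os/fs.nix
+++ b/hosts/orion/os/fs.nix
@@ -0,0 +1,75 @@
+{ modulesPath, config, lib, root-disk, persist-dir, ... }: {
+services = {
+fstrim.enable = true;
+btrfs.autoScrub = {
+enable = true;
+fileSystems = [ "/" "/nix" "/persist" ];
+};
+snapper = {
+# NOTE: According to `snapper-config(5)` the default timeline count for all timelines is 10
+# (see TIMELINE_LIMIT_HOURLY, ...DAILY, etc.)
+configs.persist = {
+TIMELINE_CREATE = true;
+TIMELINE_CLEANUP = true;
+SUBVOLUME = "${persist-dir}";
+};
+};
+};
+fileSystems."${persist-dir}".neededForBoot = true;
+disko.devices = {
+disk.${lib.removePrefix "/dev/" root-disk} = {
+type = "disk";
+device = "${root-disk}";
+content = {
+type = "gpt";
+partitions = {
+esp = let label = "NixOS-Boot";
+in {
+priority = 1;
+size = "512M";
+type = "EF00";
+content = {
+extraArgs = [ "-n ${label}" "-F 32" ];
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [ "umask=0077" "defaults" ];
+};
+};
+root = let label = "NixOS-Primary";
+in {
+size = "100%";
+content = {
+type = "luks";
+name = "crypted";
+settings = { allowDiscards = true; };
+content = {
+type = "btrfs";
+extraArgs = [ "-f" "--label ${label}" ];
+postCreateHook = ''
+MOUNT="$(mktemp -d)"
+mount "/dev/disk/by-label/${label}" "$MOUNT" -o subvol=/
+trap 'umount $MOUNT; rm -rf $MOUNT' EXIT
+btrfs subvolume snapshot -r "$MOUNT/root" "$MOUNT/root-base"
+'';
+subvolumes = {
+"/root" = { mountpoint = "/"; };
+"/nix" = {
+mountpoint = "/nix";
+mountOptions = [ "compress=zstd" "noatime" ];
+};
+"/persist" = {
+mountpoint = "/persist";
+mountOptions = [ "compress=zstd" "noatime" ];
+};
+};
+};
+};
+};
+};
+};
+};
+};
+}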
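Review bot: The `"/persist"` subvolume's `mountpoint = "/persist";` and the `btrfs.autoScrub` list hard-code the path, while `SUBVOLUME = "${persist-dir}";` and `fileSystems."${persist-dir}".neededForBoot` take it from the `persist-dir` argument; if the two ever differ, `neededForBoot` is set on a path with no filesystem behind it. Use `mountpoint = persist-dir;` and `fileSystems = [ "/" "/nix" persist-dir ];`. `settings = { allowDiscards = true; };` on the LUKS container, combined with `fstrim.enable`, lets anyone who can read the raw disk see which blocks are unused; that is a common trade-off on SSDs, but it deserves a comment recording that it was chosen deliberately. In `postCreateHook`, quote the variable inside the trap: `trap 'umount "$MOUNT"; rm -rf "$MOUNT"' EXIT`.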


@ -0,0 +1,6 @@
{ lib, config, ... }: {
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
services.fstrim.enable = true;
}

1
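--- a/hosts/orion/pubkey.nix
+++ b/hosts/orion/pubkey.nix
@@ -0,0 +1 @@
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuypHJpFMaElzWO2QrPNF5o97LGJK/LckHuWvfwIFWI orion"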


@ -15,6 +15,14 @@ let
gitea-db-pass = "${secrets}/gitea-db-pass.age"; gitea-db-pass = "${secrets}/gitea-db-pass.age";
gitea-runner-token = "${secrets}/gitea-runner-token.age"; gitea-runner-token = "${secrets}/gitea-runner-token.age";
}; };
orion =
let
secrets = "orion";
in
{
users-root-pw = "${secrets}/users-root-pw.age";
users-price-pw = "${secrets}/users-price-pw.age";
};
}; };
in in
if agenix then if agenix then


@ -1,8 +1,15 @@
age-encryption.org/v1 -----BEGIN AGE ENCRYPTED FILE-----
-> ssh-ed25519 1fG0ow ItVCvyKKXcmZVvuomgGsRw91c1jQCLXGPkIh2VXvGFg YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyB5Sm54
NjOqD/+g+6FvOqurcaKw5LrZpmc2Tlo277ZYkv3loWU eEZVbVJZeENxVm5YWjBzNHlSRG1FTEJvRm5QU0pnU0RSSkVPMlFJCk1mTHQ2eUVs
-> piv-p256 rJs1HA AuseeP2+foV1YzNuU85cqXN/t/MxL1CSMfev9EBnn547 WUFTa3hwM0Ivc0JnWjJPdUJLWTJxUnIrcVkxV29jQmF1R0EKLT4gcGl2LXAyNTYg
ErXvkp3KKibgLNbOQmE3iM1CjgooVs/Nsup84i4U8ds ckpzMUhBIEF5T2FReDJ6akp1MjBCMWlKTnV0NnFyZVY3b1hnbVhwZmhVN3c5TDVP
--- lWtn0ntT2K5N9LlQR69UYGyJvELufjKuEqnWceJWZdQ YW9DCkxUNk1lR1N4TzFHSGdLNERaQ2wxdXd4bjVtUWFKT1h1QWYwUVpjazZPUlEK
~eàt!ß„¦®…p`±8ÙîÓïó&nS ØW?§JåÎKY°U Ÿ”6?|I´Œ£MÇQ0ÿÛ¸ssêR,=¡??O²e{)^ŸiöœÇ÷ LT4gJjVRQU8tZ3JlYXNlIDpICkxWSHdOT0EwSVpXdzJoQmVEeHdIdGlxVEdXUk1w
 åéAg</綵ñsºÝØ<1F>ÔêSjœŠýÁÐB—'áÕÙ§ <0B>¿~PTQ—¯Öy“ئkœ>ªnò4}(ˆóe£QHU"ð^ؘ?ไ}'*ò¼%†,Pˆ¤ªg½A Iêy9“15<35>ëU¿ôt MkoraTB5anIrUStOMGpMbEdpYkhadUliZTA1R0N1d3h1Y1IKWkc2NzVRCi0tLSBR
Y2cxTnB6bElHWHlMeXhxajhjeDF2TTJqMndJbjlNUWVUQ1c3QjhJTVdnChQsSDjC
IWGSOJD8wfLlou/BFvp7x/e/dobgW3FMazunhUqV5K09jp1Ak7nTeeyRDUz+Mpv5
HaZqL6aCWNn6ZhprF+ZBZfYVyw7EdaCWNAFrR25DP8/JQrQ3lrJIoJZ3VF1a4y+l
55rLJIfBkho6HHycZ6hde8fo4lGUMhsSC2cKviMwa4FvMH3QpodOuN0h5PAX20mg
19uVVQnw4AOUgzm7QZ32Gesj8vORnQHQbFhERlooDuxTSrvnkpBztaxSTVPcv5d+
wDf/rxP05UA=
-----END AGE ENCRYPTED FILE-----


@ -1,13 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBlUHdp YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBYTndG
cVNLL1JFQklDckkzL0U3a0FDUVZOZWhwZG1naVJqNVpoRVd5cmpZCmwwQ2ZvaUNj b3pCWDA0T3hnMC9mOXlEaWRLMVpSbzhmeWliMVc2MElsekJhc2dVCmFicFY1WXAv
Nlh1MFNGYU1JYlAxT0pUdkoxci9FTmJsZ1lSRDZkY3pPWjAKLT4gcGl2LXAyNTYg ZEZNaUNLcE11V3pqZHBBWHZXTzRXTnBHN2h3a1R5ZkhzaFEKLT4gcGl2LXAyNTYg
ckpzMUhBIEFocExaRzlJRTBraGExcU1SeDlwc0doeFg0bVM2UTcyMmM5M0dCd0FW ckpzMUhBIEE3V2dzUkhYYmFTSHAvdlNmeUgvRENzbmV1N05QQUNoMlRMMjZPVy9w
RWdhCnQxRkxTMGsrR3NCMXpUK1cwWnloL21qUHZqSFU3bWxFS0VkclpYWXBnbFEK WmV0CjJsZFowa3d5dEpZTXF2c05tSkJEalc5bFJUNmxGdUZwQTlTQjVEQXJxSkUK
LT4gTShmXXkvUS1ncmVhc2UgNzVuKF4mMyArPCV3eUcgMmBERXtCKFIKSDF3bC9S LT4gQUZ3c2BxRS1ncmVhc2UKa0dwbElwS2NYaU5ubzdUSHpQR1RTWmFXOUxweStD
ck12T2hJTVpoR0svcnlqVVBMYk1zc0tSdGlQL012T1hZYm1veGJSSVAveU15dFJH Y0Z4emdFNHpIb2ViQnZmWFdnUVB3YU9CL3I2Vk1Nc2Y1MgpGdTFLeHNwVlBzd2la
V3FRK0NmZXF1UwpaR25sTUhEZUJRaFQxbTF2cGFCUUJIdEZ4a1l1NFlGRHlzQ0RO NTdNT1c2T05uQkpUT0t4c2ZSeFNiZ3ZXSzhzUXNHOUtUMDRKQyttQVF5QXB3Ci0t
NkFOcnhvVAotLS0geGp3WVlLUjg1RnB0cnB2MGJoRk9rRkFDcmFsUnpXRWhkekpP LSBqYUdhdGdqckRRcE5IS0EwTlZ1dEZlRm90TStiYkxzdTZabGV0VjlSK0N3Cu+b
cWRpLzZiQQrrB7VhL4u7FMMZeSI9ruONPo9wpa77+JH8y/g8Dm5ORaxp+OAOihAP 4KRcjCda0CxdH4Z2pw3ndhUU596wdGT7Py92uIiV3kdPLFgaUXHL8qMiAoC74o9T
D25jGbe5+KgTU/wQb5piJLAB2PyBl+2z57RXPXquZ9eJ85L+rb00 BzCx4IobN6ysTTSqT3awzFpJGt8Mqt4sjt1zEz4=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----


@ -1,7 +1,14 @@
age-encryption.org/v1 -----BEGIN AGE ENCRYPTED FILE-----
-> ssh-ed25519 1fG0ow oP4nP83S4Hjf4MScoNCBbE3i4Vnzz5XiuJqaLXzRbw0 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBEUlZU
rNOkeT8FfDLCoUnghLs8/Fpzy4qINhhIhtgB3Ep3REc ckVzR0ZKTlBXREpNa050RWtXMUtPRkMxWmNTTWRDUGgwckdSZUFrCmUwMGIyZ0dn
-> piv-p256 rJs1HA AiyT5IFnxwxoONmRezlvneUSYSEjglGeXYav8x7Xt+HB a2k2UGszRkNScXFCTmJYbDBybHpyU3BVVUdCdFZtMU1sQUkKLT4gcGl2LXAyNTYg
JWAyCMNQNe0+LSRqdQV+f5PGixWMXFMf/wQmyoMEKNE ckpzMUhBIEEwbWdxYkhDaWdmcXV3QmwvSEV3WlR5Yy9manVkQllTVjhFcjdNcWRF
--- ZnfbHqBM/51+BXYGhcSzBN6k1UtZpKJshgmxrr2eFGo bldOCnFHbkdoZGZKMUQrMXNRSGMvalpMTHBkMm1kZTV1S1NmNndUVHVnUkhxVlUK
ô<EFBFBD>™?f èÇíÇ$®À<08>Æb t,ñ$åÌ<C3A5>á€o8R«¸ûò­;¾Øn!õchzg•ý‰—lÁ= 5îOcâÀ—¯BNJð½„ÉaH1Ïýuƒ?ÙQCþfºN{†$ûM¨wLbs¾€:+•Ãá?ZC0™òÚ LT4gezRJVzwwVC1ncmVhc2UgNFhtO09BJG8KU0N0K2c0c1NUaHhFeTdQb1lnMlZL
K0ppVkpEU3M2R3dGWUxIdkE4OFBhZ2pwRmF3d1NERVB1QUhrVk9yYVZxcQo1bEpP
OTBpdW9rc3RwWGpOV0NCakJiZGhEdXFvQUIzNVg0WlJkZysybGlNCi0tLSBjOEUz
ZUNxQXJ1WWk2R1BWQUpLemJkTXZkYmhLYkJpMitVbHJVUWl0SzEwCh1AImuieRv+
7+iqnBDVtJWT2qTv3X9wTRe0eyOWiYSpeXKiaIpUOf8K09n20dVHBFFSWZ5aRMhZ
pDqcj5ibodPGY7eJMgQhiAfzOVTxZo2oWyA4vmO9RRYbFKM6L6KHVP0vb+1n9cYp
GumKH5zthkXJmPNJECwTQ2Bf15ggbA+K
-----END AGE ENCRYPTED FILE-----


@ -1,12 +1,14 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBxWWpi YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyA4VGhH
V2c2RkxLanlGYjZ6L2dPYmRHRWwxK0Q0aVNCakNzdFdtZ0k4dW1vCjcrQmptaGgz VVZrUUE3SUg3SGNMTWdYUDROZFRqRW13WHVjQmpmWHVOdHFtakE0CkRiQ0VnQ215
SmpOb2RFTUlYM1ZWc2U2RkF5eGJzWkI3ekk5RTJXLytHYmcKLT4gcGl2LXAyNTYg bU9XZDlMYWVtcEd1c09BYlFkcVZnL0xYLzd3akREdkxoMTQKLT4gcGl2LXAyNTYg
ckpzMUhBIEF4enp2K0FvSFlEWWowT3JSaGV0Rkd6WTlrMlRlZUlhK1B0bFRyWkhD ckpzMUhBIEEvSytKaU45NC9Pa3d2OWtFUWltdjdpM3cwRmhCOU5YRWlSNUFFZThP
dTJ1CklMcFlLYTMwQ2YyZUdEaHZ2ZW10VEN0NCsxWGJQL2JvZG40NGtobVE0TXcK NWp3CjF5YzlYaU9jOFlsZ0xBWHdXS09TVHc4VVBxOGdoR3kxcjZnczY0cWhJRG8K
LT4gZmtMNilcfS1ncmVhc2UgI3ZZX243IEkrUSRdblp6IC8KTC9FRERrUGNLTlJs LT4gOXN0LWdyZWFzZSAnSnVjMGpPdyBWbXN8WEkgcX1eQmFpClY3NlhUMFRyMURJ
SEEKLS0tIFVHQlovUTVTMk9WY0NwN0cycjJEa0p1L0h0R1BpNFh4am5TVWp4WU5L Wmw4d0plM3R4VzNCeXZnK29jbVl1NHc2ZjdCb1R5M2xEYlhXMFBTbVlHdngxb3hJ
eGcKXXflLkUPB2sSYVNl+4O1QsWXEKtBItZbM7RP+glsuWQfHJBY133UzVMgXTy0 Y2lIdlAKVTF3Ci0tLSBZR216cXRYNmJ1ZHJ4RHlmaWdTcmpSR0cwMVpDVTh4QjBl
4yvEcD/ixQaKpSIkeOM+bz0IWjyU0y+zL8opR5xX0AMGJZfeNemIZAo8KpmQsoXC Z013Uktsbjg4CnXf38il0oLVMjg7GwLmE6GCh4R3EJ7Bs6fPZLf7ktcCmy3FAiVQ
7U0McvbgHkfakV1ONxYCgurPZPDW97Mk146oyU9bE/amgKh2MvNM14RmY4y2uw== nZ3nndURKmcvawZHCnnANYKxzILcwgF1eQrtV4Mf/giBJGQASu8zx/F7NIR1vXnt
IOXiboxism7lhh2Za+qK0hdxaDsmXvB46kuxgtG0x2E3jC0NaANKFEmE+aS3iMTl
q1cdOuM=
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----


@ -1,7 +1,12 @@
age-encryption.org/v1 -----BEGIN AGE ENCRYPTED FILE-----
-> ssh-ed25519 1fG0ow +SBbIzQJWyDWdD0tj2OWJ3dRLL2gHQsIGiAInsPwyBQ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBJbnRJ
GoWyi5Gnh19JavszjXPzAspL9aHzdoJSvYCIWMfaSEY MTl2TGR4OTQyV0VVSm9CQ0F3K24yZmRpK0xrODdHWDZTTUtyRFFvCjB1dnAzdkxu
-> piv-p256 rJs1HA A6Yi0bpMERl4TtMhIrJcqpr8Wp9kGwVcam4UFERNhWVz REREamdiZmRqdmxSQm1ONHZiKzVpZnZBczFrcklJRnZzSDQKLT4gcGl2LXAyNTYg
PHzAZ115Ua58SKtTNIpVvNOwSJGvedwn7EozWCDnh7I ckpzMUhBIEFzMFRXOEJPUDIrb2N5MzdoQmZmR0VlQ285SnBxRk9heGh1SmxaYTJR
--- D0hr9/p2mwX7QizZ8UvEEttJZDwW9z4aTqrEOOc2m9s MmhECmhFV1BiL00xMFdpOHlublJHamhmOVVaODB5TE5uT2NCVE5Uc0l2SURWU1UK
úJ‡x<Åc1À„ÐjÙÁ÷ëlˆ!qVŸ°øàªÍ¡t­ïð¿?ß<-÷hÉ"´êbÉbǨHƒaŒUÙ<55> ™Èô¢ó݆ ¤jÏS©çF`!Aªˆ¥gkz´•‰wWQÐ_°VU•íâˆÓâYm±>\]úÀ^ÍüMŒžÖîghk>­ñ8¤´b LT4gWnxYO3RGLWdyZWFzZSBxVQoKLS0tIE13WGJqR0dpY0p3UlBkeWFVVm96M0Qw
Y0ttK0FGTHZDa1I2b0xCeE1aT1UK7DcEAWPiclnaKA9MZNtiIf89clLK3aADLgA1
Dj3VvSYQbC2/GlS8KKpnB5KrwuMHEiCFk8QNzP3u5kmxtoxR88mxGgOczNoQu8Fd
2rDXEQGmt+1xt8mO4nj0THABrxvQTr1lYappdvmuT1w8py1ip4qTZWw2hv9kiCQ1
Lu6rJssCAUEs/NWAWfD2Mg==
-----END AGE ENCRYPTED FILE-----


@ -0,0 +1,15 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -0,0 +1,14 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----