assets/ssh.nix

@@ -15,6 +15,7 @@
     kogata = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGK7H4Z29d72HJlI69Vt0YLOyuPcn9XxYjvMZfql80z0 nikodem@rabulinski.com";
     hijiri = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXVPUBYAMn9H3efG/ldWl/ySmZV0CXleyH7E5nKf/N7 nikodem@rabulinski.com";
     tsukasa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPKXcihNVgsStMstnZYvh+Ai+JsydX3vu4O0yhlN+zw niko@tsukasa";
+    youko = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAGBazVVFr1+beFxpC701IPz4JwdPIyFJybVVZ9kTkr niko@youko";
   };
 
   system = {
@@ -25,5 +26,6 @@
     kogata = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPN/SXBcIB1WN8GIhYrQrqzFGuVkEP4o0E+x0uQ4f2l";
     hijiri = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILsTkICNuUwGqrToisTViFCBoql39+DFYVZSWj7vfbXK";
     tsukasa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKy32XGCkB0KOUm4f0ybrutfAzR7+baifM2yv5KuYV7 root@tsukasa";
+    youko = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSbIjEo28aB2TACkvLY+VRKElZEdH9qFlTTfxCrblGZ root@youko";
   };
 }

hosts/default.nix

@@ -14,6 +14,7 @@
     # ./installer
     ./ude
     ./kogata
+    ./youko
   ];
 
   builders =

hosts/youko/default.nix

@@ -0,0 +1,48 @@
+{
+  configurations.nixos.youko =
+    {
+      config,
+      lib,
+      username,
+      ...
+    }:
+    {
+      imports = [
+        ./disks.nix
+        ./hardware.nix
+        ./sway.nix
+        ./msmtp.nix
+        ./nas.nix
+      ];
+
+      nixpkgs.hostPlatform = "x86_64-linux";
+
+      boot = {
+        loader.systemd-boot.enable = true;
+        loader.efi.canTouchEfiVariables = true;
+      };
+
+      networking.networkmanager.enable = true;
+
+      age.secrets.niko-pass.file = ../../secrets/youko-niko-pass.age;
+      users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path;
+
+      settei.user.config = {
+        settei.desktop.enable = true;
+      };
+
+      services.udisks2.enable = true;
+      settei.incus.enable = true;
+      virtualisation.podman.enable = true;
+      hardware.keyboard.qmk.enable = true;
+
+      settei.unfree.allowedPackages = [ "vmware-workstation" ];
+      virtualisation.vmware.host.enable = true;
+      environment.etc."vmware/config" = lib.mkForce {
+        source = "${config.virtualisation.vmware.host.package}/etc/vmware/config";
+        text = null;
+      };
+
+      networking.hostId = "b49ee8de";
+    };
+}

hosts/youko/disks.nix

@@ -0,0 +1,58 @@
+{
+  disko.devices.disk.main = {
+    type = "disk";
+    device = "/dev/nvme0n1";
+    content = {
+      type = "gpt";
+      partitions = {
+        esp = {
+          size = "512M";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot";
+            mountOptions = [ "umask=0077" ];
+          };
+        };
+        luks = {
+          size = "100%";
+          content = {
+            type = "luks";
+            name = "crypted";
+            settings.allowDiscards = true;
+            content = {
+              type = "btrfs";
+              extraArgs = [ "-f" ];
+              subvolumes =
+                let
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                  ];
+                in
+                {
+                  "/root" = {
+                    inherit mountOptions;
+                    mountpoint = "/";
+                  };
+                  "/home" = {
+                    inherit mountOptions;
+                    mountpoint = "/home";
+                  };
+                  "/nix" = {
+                    inherit mountOptions;
+                    mountpoint = "/nix";
+                  };
+                  "/swap" = {
+                    mountpoint = "/.swapvol";
+                    swap.swapfile.size = "16G";
+                  };
+                };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/youko/hardware.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  boot = {
+    extraModulePackages = with config.boot.kernelPackages; [ it87 ];
+    initrd.availableKernelModules = [
+      "nvme"
+      "xhci_pci"
+      "ahci"
+      "usb_storage"
+      "usbhid"
+      "sd_mod"
+    ];
+    kernelModules = [
+      "kvm-amd"
+      "i2c-dev"
+      "it87"
+    ];
+    extraModprobeConfig = ''
+      options it87 ignore_resource_conflict=1
+    '';
+  };
+
+  services.smartd.enable = true;
+  hardware.cpu.amd.updateMicrocode = true;
+}

hosts/youko/msmtp.nix

@@ -0,0 +1,36 @@
+# TODO: Potentially make this a common module?
+{
+  pkgs,
+  config,
+  username,
+  ...
+}:
+let
+  mail = "alert@nrab.lol";
+  aliases = pkgs.writeText "mail-aliases" ''
+    ${username}: nikodem@rabulinski.com
+    root: ${mail}
+  '';
+in
+{
+  age.secrets.alert-plaintext.file = ../../secrets/alert-plain-pass.age;
+
+  programs.msmtp = {
+    enable = true;
+    setSendmail = true;
+    defaults = {
+      inherit aliases;
+      tls = "on";
+      auth = "login";
+      tls_starttls = "off";
+    };
+    accounts = {
+      default = {
+        host = "mail.nrab.lol";
+        passwordeval = "cat ${config.age.secrets.alert-plaintext.path}";
+        user = mail;
+        from = mail;
+      };
+    };
+  };
+}

hosts/youko/nas.nix

@@ -0,0 +1,122 @@
+{
+  username,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  boot = {
+    supportedFilesystems = [ "zfs" ];
+    zfs.extraPools = [ "yottapool" ];
+  };
+
+  services.zfs = {
+    autoScrub.enable = true;
+    zed.settings = {
+      ZED_DEBUG_LOG = "/tmp/zed.debug.log";
+      ZED_EMAIL_ADDR = [ username ];
+      ZED_EMAIL_PROG = lib.getExe pkgs.msmtp;
+      ZED_EMAIL_OPTS = "@ADDRESS@";
+
+      ZED_NOTIFY_INTERVAL_SECS = 3600;
+      ZED_NOTIFY_VERBOSE = true;
+
+      ZED_USE_ENCLOSURE_LEDS = true;
+      ZED_SCRUB_AFTER_RESILVER = true;
+    };
+  };
+
+  services.samba-wsdd = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  # TODO: Clean up. Potentially make it a separate module
+  services.avahi = {
+    publish.enable = true;
+    publish.userServices = true;
+    nssmdns4 = true;
+    enable = true;
+    openFirewall = true;
+    extraServiceFiles = {
+      timemachine = ''
+        <?xml version="1.0" standalone='no'?>
+        <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
+        <service-group>
+          <name replace-wildcards="yes">%h</name>
+          <service>
+            <type>_smb._tcp</type>
+            <port>445</port>
+          </service>
+            <service>
+            <type>_device-info._tcp</type>
+            <port>0</port>
+            <txt-record>model=TimeCapsule8,119</txt-record>
+          </service>
+          <service>
+            <type>_adisk._tcp</type>
+            <txt-record>dk0=adVN=tm_share,adVF=0x82</txt-record>
+            <txt-record>sys=waMa=0,adVF=0x100</txt-record>
+          </service>
+        </service-group>
+      '';
+    };
+  };
+
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        "workgroup" = "WORKGROUP";
+        "hosts allow" = "0.0.0.0/0";
+        "guest account" = "nobody";
+        "map to guest" = "bad user";
+        "getwd cache" = "true";
+        "strict sync" = "no";
+        "use sendfile" = "true";
+      };
+      "tm_share" = {
+        "path" = "/media/data/tm_share";
+        "valid users" = "niko";
+        "public" = "no";
+        "writeable" = "yes";
+        "force user" = "niko";
+        "fruit:aapl" = "yes";
+        "fruit:time machine" = "yes";
+        "vfs objects" = "catia fruit streams_xattr";
+      };
+    };
+  };
+
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+  services.radarr.enable = true;
+  # TODO: Remove once https://github.com/Sonarr/Sonarr/pull/7443 is merged
+  nixpkgs.config.permittedInsecurePackages = [
+    "dotnet-sdk-6.0.428"
+    "aspnetcore-runtime-6.0.36"
+  ];
+  services.sonarr.enable = true;
+  services.prowlarr.enable = true;
+  services.jellyseerr.enable = true;
+  services.deluge = {
+    enable = true;
+    web.enable = true;
+    config.download_location = "/media/deluge";
+  };
+
+  users = {
+    users = {
+      jellyfin.extraGroups = [
+        "radarr"
+        "sonarr"
+      ];
+      radarr.extraGroups = [ "deluge" ];
+      sonarr.extraGroups = [ "deluge" ];
+      ${username}.extraGroups = [ "deluge" ];
+    };
+  };
+}

hosts/youko/sway.nix

@@ -0,0 +1,137 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  services.greetd = {
+    enable = true;
+    vt = 2;
+    settings.default_session =
+      let
+        swayWrapper = pkgs.writeShellScript "sway-wrapper" ''
+          export XCURSOR_THEME=volantes_cursors
+          exec ${lib.getExe config.programs.sway.package}
+        '';
+      in
+      {
+        command = "${lib.getExe pkgs.greetd.tuigreet} --time --cmd ${swayWrapper}";
+        user = "niko";
+      };
+  };
+
+  programs.sway = {
+    enable = true;
+    wrapperFeatures.base = true;
+    wrapperFeatures.gtk = true;
+  };
+
+  security.pam.services.swaylock = { };
+  xdg.portal.config.common.default = "*";
+
+  settei.user.config =
+    { config, ... }:
+    {
+      home.pointerCursor = {
+        name = "volantes_cursors";
+        package = pkgs.volantes-cursors;
+      };
+
+      home.packages = with pkgs; [
+        (writeShellApplication {
+          name = "lock";
+          text = ''
+            swaymsg output '*' power off
+            swaylock -c 000000
+            swaymsg output '*' power on
+          '';
+        })
+        (writeShellApplication {
+          name = "screenshot";
+          runtimeInputs = [
+            slurp
+            grim
+            wl-clipboard
+          ];
+          text = ''
+            grim -g "$(slurp)" - | \
+              wl-copy -t image/png
+          '';
+        })
+        # Bitwarden stuff, move to separate module or properly package?
+        # Maybe use some other input method?
+        (rofi-rbw.override { waylandSupport = true; })
+        rbw
+        pinentry-rofi
+      ];
+
+      wayland.windowManager.sway =
+        let
+          mod = config.wayland.windowManager.sway.config.modifier;
+        in
+        {
+          enable = true;
+          package = null;
+          config.workspaceAutoBackAndForth = true;
+          config.terminal = "wezterm";
+          config.modifier = "Mod4";
+          config.fonts.names = [ "IosevkaTerm Nerd Font" ];
+          config.keybindings = lib.mkOptionDefault {
+            "${mod}+b" = "exec rofi-rbw --selector rofi";
+            "${mod}+d" = "exec rofi -show drun";
+            "${mod}+Shift+s" = "exec screenshot";
+          };
+          config.keycodebindings = {
+            "${mod}+Shift+60" = "exec lock";
+          };
+          config.window.commands =
+            let
+              alwaysFloating = [
+                { window_role = "pop-up"; }
+                { window_role = "bubble"; }
+                { window_role = "dialog"; }
+                { window_type = "dialog"; }
+                { window_role = "task_dialog"; }
+                { window_type = "menu"; }
+                { app_id = "floating"; }
+                { app_id = "floating_update"; }
+                { class = "(?i)pinentry"; }
+                { title = "Administrator privileges required"; }
+                { title = "About Mozilla Firefox"; }
+                { window_role = "About"; }
+                {
+                  app_id = "firefox";
+                  title = "Library";
+                }
+              ];
+            in
+            map (criteria: {
+              inherit criteria;
+              command = "floating enable";
+            }) alwaysFloating;
+          config.input = {
+            "type:pointer" = {
+              accel_profile = "flat";
+              pointer_accel = "0.2";
+            };
+            "type:keyboard" = {
+              xkb_layout = "pl";
+            };
+          };
+          config.seat."*" = {
+            xcursor_theme = "volantes_cursors 24";
+          };
+          config.startup = [
+            {
+              command = "${lib.getExe' pkgs.glib "gsettings"} set org.gnome.desktop.interface cursor-theme 'volantes_cursors'";
+              always = true;
+            }
+          ];
+        };
+      programs.rofi = {
+        enable = true;
+        package = pkgs.rofi-wayland;
+      };
+    };
+}

modules/system/incus.nix

@@ -49,6 +49,23 @@ let
               };
             }
           ];
+          profiles = [
+            {
+              devices = {
+                eth0 = {
+                  name = "eth0";
+                  network = "incusbr0";
+                  type = "nic";
+                };
+                root = {
+                  path = "/";
+                  pool = "default";
+                  type = "disk";
+                };
+              };
+              name = "default";
+            }
+          ];
         };
       };
       networking = {

modules/system/sane-defaults.nix

@@ -92,7 +92,10 @@ let
         isNormalUser = true;
         home = "/home/${username}";
         group = username;
-        extraGroups = [ "wheel" ];
+        extraGroups = lib.mkMerge [
+          [ "wheel" ]
+          (lib.mkIf config.networking.networkmanager.enable [ "networkmanager" ])
+        ];
       };
       groups.${username} = { };
     };

secrets/github-token.age

@@ -1,13 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 IFuY+w nyBEszEusqQE6jM7y9G4KCyzNHawdyy+hTfm9LsuRCY
+-> ssh-ed25519 IFuY+w hrfVBxFIiDTvbm7OMYbme2+97WI3nqxYbjBNRXRS9H4
-1bbg4kmmv9m2Gwp+3x8zvqFOkmTKt898/sGCUK9rpGE
+SaKftmSA+8LitXnkqaw67xw378sNeGs/ENxmMsOVdvQ
--> ssh-ed25519 84j9mw 5s2PNoIOMWf2gBwzmRHmssMOuvu2kv43316E20McKh8
+-> ssh-ed25519 84j9mw opGXl7a35TsSj2/ADgdbS5bp6/EDTsUDkS/IjIgjUBA
-FyA+VjPgPynvMQfxm3d2+SOEpsJFIKJE8pbXeIkOfGI
+Cw5O6wt9vzqCgbWxxCrzmXJQH+/Ae1wwyHCcHLfpEck
--> ssh-ed25519 ioPMHA 4N9PsYYaeqJDbxpQpyCgvR/JWwLPDCAi65YB6M0uT0U
+-> ssh-ed25519 ioPMHA 5fAg0NsD/KlXSAJg1UQYsJEzZMy/wCHfwmv19cbWRyQ
-mFCqo1htPi2WRKiJz/t8Y7TMD/p7X81HsHGG0KIsROQ
+OhDaO75k9xEdCE0GdyJ6iK6B11ie/l4yCfVKp6py31I
--> ssh-ed25519 5A7peQ ZjRTqjDou2xS638dR8AWKCv5uKTSmOSJ/4rkfFckhjY
+-> ssh-ed25519 5A7peQ pqvZetDuRh5pesWPZ9725h7i+XuvSNMn7810ukhNjyM
-yUJABvMDLN0C15XBmnZJZ88khXAXLUP+aEqH5DlJcKY
+96JlWRIyIZ07siNa1kk0HtHhiB4NQbSKQ4KXsDJGGdE
--> ssh-ed25519 GKhvwg w1OKhVPY89J/pbrrXIHVifV++5e1tLqlSL9yM/2rqX0
+-> ssh-ed25519 GKhvwg Ba5tOdWUlE9qs1tPb7t+0ZtHN82a6RmMHP1tzGe/VSg
-VF0cvmdtCZAlPgIqcNZYp7ANPhvDqlFE7h018lCbWyg
+wLWBaFUkWkB5lMEKX0ISEQTGx/RDTF1vbvuGo9w8Qm4
---- YWa0wXlaYVF+g06+w/u/h+NURlfMY8lauf5ZtrrhrF4
+--- yVc69z1O1UOM+93dnjV0wkeqb4StW4HcBYi00z+0dIQ
-3¦Í…P׆øæôÃ?4ƒ·)òçméñ f.ùªª±§þå²’`<60><><EFBFBD>Á½aF<61>CjŒ"JÂÑwd鱇œùBÆŒ+{dK´µ•
+ð"›Š49딹ùbW<62>5v	˜WjsUÚ²ºíoO<6F>Åý#S%\âqn®ã[³ðh½ôA¡ÑjEÊhéœýŽÔÞ¢„Ót¹£“jÿ‚C

secrets/hercules-secrets.age

@@ -1,13 +1,16 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw P7StDsdpmJLp0ni5ZwdhVy2lx5TSfVlIqFAF9y4Zn34
+-> ssh-ed25519 84j9mw qVTbaORT1Ouwq1uA0cWQ3Q85tLYcq6xuZ9UhcMOTTSk
-UksAEE1WWb2xWgHM8h4lhTW2pwqF8ydgGtFnqcp1KUo
+PE0VZp1P9K4IAnm/BIDusGsp4dtLvaN0/m9q9gNnfx4
--> ssh-ed25519 ioPMHA roPhy0I+dRtPuWsnFSxl2m7Uh7GgXkupwHSgL+LHrzs
+-> ssh-ed25519 ioPMHA +m127XNN1vH6Tg6XGuHDbND0giQgGsMLE7YUKagZbXk
-8rUE3mr9dukcAeR1213wjSm6Bme9ExpGX6TjEhHRYnc
+tKyYRNLt1UgnQR//64yAunpHjE7JyB/Mkdmc4gkMTWw
--> ssh-ed25519 IFuY+w crwMCw/ElBMNFhUMHLAg+ZxpsutBwV7hhG79bXEmCDE
+-> ssh-ed25519 IFuY+w x4WynTbStig1Ay9gyaplDcNlLQT0kMOFOJwVvcco1i0
-7rnOVAVI/HgGbaswauWxCqB7Tkzx3hCxB2RZOi4aIpQ
+i8M7n2tfBJoFNmQHs5jEaZdfKc1UmjL5y6oBCos1mDk
--> ssh-ed25519 5A7peQ bcqPb+IVrI8BKlcpIrZ/qnbnG3p/mLsk/iSCVYlvwmY
+-> ssh-ed25519 5A7peQ +XJDHQntGS+FcrFgy9X/9RDOrBMNCI8rHsicV4Z5sBo
-2q9KmMmyeYey9txiYrmxM5T86qXw7arKZSAbxszgxVo
+i6xfceBN4DE9EYF8Q4PaJjX7qbELJaJ5dxMGoAIE8xU
--> ssh-ed25519 GKhvwg H9Pka72t6kmmxGcoAaRtyn8m9xlP9DJSeBrE6jVtRh4
+-> ssh-ed25519 GKhvwg fzJcotOtNhVeNwOdMQIwPT9GmgbE13HYmCkwbFlCCkQ
-w/lcxBFd5w9mMn/sarr+7yCY+IGJzMJUgvi+KrQA4s4
+mNtYtoX8IUDgHKAQRA5e7HLZgYVI9wCF8QMm530eFEo
---- wO1f52ZjrCtOdgOrnkKWPao5ZS2BhmWFQmvLGliosyM
+--- EIWU+anFU1NSYiu3O+xncDnVvJVrwHzwaAX1YhsaOj4
-S»Úø–¹]l—ŽuâGŸá	ˆc°•U åÖLHb/(ÒfüÜ	ë$Ý&øÌX‘mÝ’<C39D>FPžçt
®»œç.n‚,)¡¥<C2A1>ã¦t8ô 9½gø~”3Ûê×Î.ì×ÑÕÛh±œ`ê<>Ä0àÈiÂ<69>Ø|Zi¡‡9ùS‡´ß«ûÞ”~°vf¼,~\;ÃIÛ®ÖF
VOÀ)uÍj :Ëu[&Çè´œª6£µ¢`ÝO¥Z|yVÆì®É¥_„ƒPeÁ½äùKÍ.vꪹúž^›¹ñŸ•2ç-†Ò€<\^ämîŠ<C3AE>‘!.÷y¿s”¯
›¦Èl‚
ƒÎK`fÂbD‰äcdbÊD–<…í_6¿zãà±R©Å?êg•Ì®Ù`H ,5h Œ$\û¥XlÑÝ
+%§ëDJ#Îä·0Ÿ¨AÉD
+qz›,3sHÿ…µÌÂV
b¦<>‘®ÄÂTùÍÞªˆË‡¹8Ÿ¬[ ÏÈ?VgNVdˆ
+Ä<EFBFBD>È—L=è©í̵žðg%ιî[ÕmdšòíëØ6oqòžEÂ4Å<34>óöÕF3‹@P\(MDM;’%É^<5E>Ü«ïp¾xîª÷p<10>):O9,iBµ¥±„T
+sÇšÏ-—à“ÃJWºÖèEÎ\0£™yÎ>0;î<>öyÑLæå{üt.g%W,ºX} JÆJßÀd‹gê3žŽ\Ž#)ö<>›0h=l‚´ˆüš<C3BC>hBB䃜üXÀ<58>ÄëÍb$õ^Ð
óå”B¨M™ØìÕþ[È~ÌÜu?Ñâ®þþ	h‹¾ªlÿ”
Ìc;z½k

secrets/leet-nrab-lol-pass.age

@@ -1,8 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw ZuGILSHnMIMy/GDEjkAriTBKBykkytcIVo63DPd4MhA
+-> ssh-ed25519 84j9mw qRlII1WyhanH2pNwSnl01iMlPWQ7tsyiNNOHPLNMflo
-aa/sGLpf+GrLzo8Jf3JWAPI0Uk96SH/CvGhynNJVx6E
+ZMtYsPCDsgcbN1qoAYWTBQtfBWGHzi4WKbGtpJSzKRA
--> ssh-ed25519 GKhvwg STHVqp1zYhQzu73INk2Cmkuf8X8kJPLtGSY8LJze/Tc
+-> ssh-ed25519 GKhvwg Fck+71BDUxko70r43pDKCYaa5OKZipR4iNveNrJaiC0
-Ny1C5CAnqSCcunIbM8if8oQ2VlerIIW5Dqds/Ztektw
+uZZhlsckmE+mi7Oq8+gtisDFmLEoy0Pm/9BKgRi9VHo
---- gaHP+odPfw8A4f5NJkYOuvvYRWwo5EzRZVkXp6E7dfI
+--- i/jgJHw3pEnMDGSjdK47mOkt87oI8szIHiIqimXVyXY
-NëÑfO÷=¢¨ÿª+T3þT 0w<ˆnXrˆ\—ùä˜XZ´MãX n˜Ò*ªóÞɯòGœ’¼!¡ßG^ ß2ÞúÓÑqê’ô˜/w†ü
+ÚÖßµSÇÞ<Èñ<C388>S‘¨ýjË{B>A¼Ñ¶î°Â„å<>í<EFBFBD>ÏBzœ¸ÜwgÅÙá@"PY^£+E¥×['ÓÞú–ÌŽÕ‘,K©[ÈXÜ~XåÇg’{øÊ2æìí–c4
-ª½“}FPy‹<79>

secrets/miyagi-niko-pass.age

@@ -1,8 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 g2vRWw //TMaNWwTNS5wE3Hg/SEwqriIaOiOUE5remdVF449Vk
+-> ssh-ed25519 g2vRWw Pdv9mU1heeteeLbLFVUAIyZxmCWHNmhnw0TphSVMczg
-8K3isM05ep9HJ58TlNE9bmiIuqJPoq3lI/3AbUrLw8Q
+xks6yrF0BziJFp1QHSJdv5Svo1bCu9DF6s3wa2h0Xmg
--> ssh-ed25519 GKhvwg GANoFnELye0945KaMuS7xw6CGPhI5vigD+vScnpbQxI
+-> ssh-ed25519 GKhvwg H2DeS0HP/vWKRrBszwCffNgIZo8nVymGSkWEH26Y/2k
-CSx0E7fOB8A5MSc1ySywNFj5mkkdi6DDUc+ObaW/kew
+2y9DCIwpFsFXpgOwOrrD9+HpRzEuno1fW2upd2FLbZc
---- +BiFZI/o5loCYZ95bkY4zQYr2y6SYc2bmnRuAMg2MPM
+--- LNHsLxE4XBziNhnXmARcxB7UWhcKNvon1sDdX6mfZaw
-"D1ŠMh»›`dcó…Þl©U;]PuÍ×Õ¼	/?¸Éì5«\\ì½D»ô¯È1l6øz‘ÍÕNé¼Sì™Æ
+-1Šdmÿ<6D>
-N;<+^BpømÕšÁy»
ñ¦s°Z;ûúVª«¥ÉÝj’
+öf——ŽR´¸…,È[Û#[-ô;øMÓ}ävžêi4üx˜~=èÌ)ño¬º¡›N^Ènþê„"X<>§Bª}W583Ùæƒ<C3A6>fšvÞÀò:Î¥çôu†Z«µ<C2AB>åɶ

secrets/ntfy-niko-pass.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw tR4gg/XeVdS8xCIuHxN25uaRKu6a09DSW26SI3AWDlM
+-> ssh-ed25519 84j9mw VodL+EHOjoXj8R/F0vMQzEcnnCFzzes0QByGCDCgVQw
-uC2gJ9UWDE6uVXkUDlaVZlWAH5iLDgagkN+54msvyoY
+tZLaDA1FLFwbK0AGo8lpTJjMUnPhJh1czYVLIYjkcEc
--> ssh-ed25519 GKhvwg q27QskTYhI5gjIKKpNHn5V2FRmhIg8QFJ8m0TPZiwSY
+-> ssh-ed25519 GKhvwg gHaR4I4l0I+/XrbjTMp/mevEzxPJXNLB1eHs33WKwGw
-/0RIbiG/nwxKDJ613BLoCNvjej6f65mr1xwCN7/aueI
+GTAzrhyyDylZgExteDGpGbcS/TFX1q+NhF1FWHzNV0s
---- XU82wFZVE+zTZ/mGhnoxqWrdUOv3n6VOwQizZSHPLfw
+--- QS1dAgdS96KwIprDjzz6OD4qSIZs4/m9JEIsi3+kgPk
-«ÁěĎ"˝ô˛čů1ëKË×Ä˝°˝.Ž J<>'!nlO]>ˇďĹYç
ąEűëÝX‘
+¼ÐzêÐPCžSÖx€ªf	¹Â-èÕžÀiŒ¡cû7˜_¸2ÅŠ~¶ÛjA

secrets/rab-lol-cf.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 ioPMHA efHpBvtB+mXXa7RoRdqePHGOmsY5BXVOgGsfOhPm30w
+-> ssh-ed25519 ioPMHA ftS+6CMGsySkp/KbDBLPKeWNDK83bZ2VB8ZKMRijkkY
-2GvumVVuuLGEarpdauTCrB61aLtVtrkM3/pPlWIODnk
+U+2wopG3G2AvI4KUD9tZGIrHZSM3UdyDdYmbbkllWPo
--> ssh-ed25519 84j9mw rqj6xvESlvrfcjhVEWCbpd//vvdKjrTjt3ZDPeLHowQ
+-> ssh-ed25519 84j9mw xek41MX1ETVgRZa24I7n5U/XkJOqItQWK3Qz1FfkDCc
-dcUD131zvVQGiUYQWt9A51CnIpLGNSGinSZk7HSGHoc
+40CWzCUmxsjgmiObbqKuSieifZ2vNo965jOeTrZ8hT8
--> ssh-ed25519 GKhvwg cIji8zRSGWEbC/xxS8C4jyDCpQsFv05j2Yo8UjaHSAk
+-> ssh-ed25519 GKhvwg X2YSREIPjoaWaku9qrVu04hOlZjUF3LFEUZaIMgg02s
-+c/tIYPigZdPQWKvGYaoA6AYRAB83XlEEdfucihB984
+jbjT6qoIFGXRv2wrkzf2GHx3tcku/tgWfK6Sns3uFVc
---- TEQTQ/lm/JqyyWU2sC10qHl4AL/2IP9yCUfhXG4LdP4
+--- B/FIIz8dDg9YXbtDxfAQFZj9PCLHwI/mboBJQBuFmJg
-ŮČ®żöˇS¨Fâ-dc‹D€\<5C>?hî Qg@W’âî
+„ýÎãì4®L7Hç3F¼
À<0B>íÍ„"ºæfU(ëÁLÎ×Û~î‡%sb£ìùãæ¾Ô€~ZÂ}Z>2KO¨'Q\Á¿W[š„·ÏŒe…š¡1ö^IÖ‘
-xA|M*Űr—t0Üű~Ń°XaŇ{¸ÎĂy/ŹëWUѸˇ¤Y˛‹ë ¬¨{đ×°}TAxDç

secrets/rabulinski-com-cf.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw LuZiZnebklpoXQ6RPZSrELwY4CzwY+Qb/LrlVPFiSC4
+-> ssh-ed25519 84j9mw d9KZV9S1hRXBvVcFe40S0NqWKlQ/AdRgAqdYXKicXR8
-QVi6XyetJxwvOB+v+CyKEdcq96ykcK3wfWh3i75Dq1o
+SgTn9MXrft+sRr4I96fqQHzAdm0b21Bd0eSoYFfq7/4
--> ssh-ed25519 GKhvwg V3iEXNodDDKKKrHSfNYVKTphsMQfgl3Z/LUwTyArx3A
+-> ssh-ed25519 GKhvwg B9qTfegTwDH/X0nQMGvTKCsK2GyzJ7yWgFIo+nKhsGc
-FQJLg7uHWzc6/U+/QOCYwrkwvvw8rQNG+h+PJ1rRKXA
+Is4Hi8B2/9s0pz/quvNER2hTkabPbr7qeILL4PhQO1c
---- FVExbzlz8e7moZFIkpMR+sj4Kurv+Ge6yMW/uJLr5H4
+--- 1BhfbNEwYq0ra5slik651qbC8jffR2FmnDHV3FDtom0
-¨Ñ ç׿I-‡iO–Jbzk÷Œ€1¨"œ„’ø™Kx—I{¨BÆšd#¦éê71Ü®âm-Ø¡ø0D°¢£f\¥y}ƒ‡ˆâùŸ‘ôÿ
Õ=Ú¸º
ëû4òÝ£
+Œ-…oS‚Ô<E2809A>¢-?{¢r]5«°ó–â”;Ä+0Â
’GÏÁoE9tƒ”µHXjqâj2@3@¦üÞ ¶¼µº©÷m°mkúðyQâØ;_<>ŸW°Ñ϶Qœ~

secrets/secrets.nix

@@ -33,9 +33,8 @@ in
     keys.other.bootstrap
   ];
   "alert-plain-pass.age".publicKeys = [
-    keys.system.legion
     keys.other.bootstrap
-  ];
+  ] ++ builtins.attrValues keys.system;
   "legion-niko-pass.age".publicKeys = [
     keys.system.legion
     keys.other.bootstrap
@@ -89,4 +88,8 @@ in
     keys.system.ude
     keys.other.bootstrap
   ];
+  "youko-niko-pass.age".publicKeys = [
+    keys.system.youko
+    keys.other.bootstrap
+  ];
 }

secrets/storage-box-creds.age

@@ -1,9 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw voingQjX/CjAjo63KLaRPFaG74IpxcRb0qv+r2b5wzo
+-> ssh-ed25519 84j9mw auP2WgwsaWjyocQkSzoYShO2kSLjn2UArvAVEhKgDiY
-ccWzQQSJW7cc8RiS9PzN2U5Xj0+Z7804tPsaGrq09KA
+4Uh423ZjS7/Xo6TxLJzWqXgHZAu0xouH0UvFZuJuEz4
--> ssh-ed25519 GKhvwg 2z8J0YRxQ4WP1G/W7DxRK7z1b6UBjodvN8ECP4fLg1U
+-> ssh-ed25519 GKhvwg JHtyTS12OXspSKP9r/a61cfp+ubYbsAXFmEijMTex3Q
-wRG4U9oAJ2KtPUHg5l0yDmmHatmwXOrn2nJlOQJMlpE
+wZYrJ8yIZ3v5cdBzpiI9ocaTpHbtmebEpbr59Bz3rhc
---- qs7kR5AIkwQ8NtDjYnmKZmCl4+1G6MFBNB3Mu3J9Y1M
+--- koWJ57H+ErMJDxW6JDNL2ImmZb6o9v2BJtaFi2OL+dc
-<EFBFBD>ø™
+I
oð5q®&¢C<C2A2>³U*”†[T.Hª€ÉŠ×ʺkkp„Oç£Ys,Óg£49øËʼn$^l-Aú/—¶åë¦QÊX»ÆðÖø
-æ8[ÅÎWÑ•®Sàõòݸ’<C2B8>„<EFBFBD>î]&èZaؼuŸÇæžEBÕå!®pŽÖÏ´åÌ4pYݱ"
-QYê<EFBFBD>qSƬ`œ

secrets/ude-deluge.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 IFuY+w +zbPYKlvvfaIQl+PnnZlEai/TAgzsQ7s/1bLXNXnXEw
+-> ssh-ed25519 IFuY+w EOJQpXxn+NL/BJjpdo8mIGfOYxcMElkVIiGx7KftrQ4
-BTQQRxlaRFbWnV6e+QBPDfN+lyg9URj+2h85tDKZ19k
+OcglvGhSgb1mxH8M19ZMf3m6lSF0clzH7Mjikf7cilM
--> ssh-ed25519 GKhvwg DzWYIGY0CNdA5wp7PkV1gpWmtYG28or8XeNZ7DkLz1c
+-> ssh-ed25519 GKhvwg cr+0J59wCjYBONBcDulN8lpvZiCvULHqnwDu+eKQRAo
-ELQVeuyaIOWVH6+oMDDlI3CikDLe5jijwVPbaRBL2NQ
+9q87PSfr4kq8lCDrw5Od3D1xJjSSmVv2/TXBWEBtBpU
---- vCU0PryisDG8cOKr6CmPcUwjIdThsRjrty/fowZNwOk
+--- FmVR9tb8wjYFb/FBTrblXMCUAMw5KQ7sX8WojcxCrbk
-ð”Êh<1F>+Ñ®ì>³ùöíHV`w|e/³ò]â½kšïyð´S~d¡¡œm&Û9¹ªýY)ÍÉ)T
ôn•ç¡Sê8Ç@Û¿zsSÉÑÒÔg'
+ŃĚÇCÂ<\á}ŹJ<C5B9>Ą ¨„f”é|<7C>6G“Ś•@WXc-"©Ő÷Ď<C3B7>űîüîAGşŹ«Z‚' Ĺxé_ňÔ ˝z,@nÇ"3[Ä?
Lb@óŹďe

secrets/youko-niko-pass.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 rA7dkQ etmPKjKz102knTx/qQAihC9bFvRENB0Q1DtnaQyjfm4
+GPt9OCIwT+/Q/UUDtkHB8d7T6znHy1y1NEUeI+SCeMg
+-> ssh-ed25519 GKhvwg qdCxGyXrdD+WQa/il8fIlV7OKdREqd40Qk0PKITHxlk
+OBJ9gg+KBHi2s1HYLazy3K+yh8tvnUvmuH+riWU7K8c
+--- V3FRy0/TcUdUaBDUK+93r5rH26Is/KVuNJC+1vFMsOI
+ŠýØÀëÐw§±æÏôOÌ.➌añ«÷Ûä
<01>A¨&<26>ößÞ<C39F>z³¹û	ä[oXµÄ‚u<E2809A>ÁßùÅþƒáÖÉ÷”,ášajxGÆœuÕ/šÆñæ–›eL‘²Ì›/6S[SU¾