From f535c8d557e747a6799c1473520926e0e16da01e Mon Sep 17 00:00:00 2001 
From: oddlama Date: Fri, 11 Oct 2024 01:49:04 +0200 Subject: [PATCH] feat: update flake and add actual --- config/users.nix | 1 + flake.lock | 288 +++++++++--------- hosts/kroma/default.nix | 13 +- hosts/sire/default.nix | 2 + hosts/sire/guests/actual.nix | 66 ++++ hosts/sire/guests/immich.nix | 2 +- hosts/sire/guests/samba.nix | 121 ++++---- hosts/sire/secrets/actual/host.pub | 1 + hosts/ward/guests/web-proxy.nix | 2 + modules/actual.nix | 152 +++++++++ modules/default.nix | 1 + pkgs/actual-server.nix | 92 ++++++ pkgs/default.nix | 1 + .../sentinel/loki-basic-auth-hashes.age | Bin 2770 -> 2866 bytes .../promtail-loki-basic-auth-password.age | Bin 0 -> 509 bytes .../sire-actual/telegraf-influxdb-token.age | 10 + ...oxy-sentinel-psks-sentinel+sire-actual.age | 8 + ...4782d3d45463711-loki-basic-auth-hashes.age | Bin 2628 -> 0 bytes ...53daf77274a95c3-loki-basic-auth-hashes.age | Bin 0 -> 2735 bytes ...oxy-sentinel-psks-sentinel+sire-actual.age | 9 + ...8e6dc49dd75530-telegraf-influxdb-token.age | Bin 0 -> 346 bytes ...2c72-promtail-loki-basic-auth-password.age | 8 + ...eguard-proxy-sentinel-priv-sire-actual.age | 7 + ...41-telegraf-influxdb-token-sire-actual.age | Bin 0 -> 355 bytes ...c-wireguard-proxy-home-priv-sire-samba.age | 8 + ...eguard-proxy-home-psks-sire-samba+ward.age | 7 + ...c5b303169330089-loki-basic-auth-hashes.age | Bin 0 -> 2822 bytes ...5e5cfe39a4f132d-loki-basic-auth-hashes.age | Bin 2666 -> 0 bytes ...eguard-proxy-home-psks-sire-samba+ward.age | Bin 0 -> 283 bytes .../wireguard/proxy-home/keys/sire-samba.age | 10 + .../wireguard/proxy-home/keys/sire-samba.pub | 1 + .../proxy-home/psks/sire-samba+ward.age | 9 + .../proxy-sentinel/keys/sire-actual.age | 11 + .../proxy-sentinel/keys/sire-actual.pub | 1 + .../psks/sentinel+sire-actual.age | 10 + users/myuser/graphical/firefox.nix | 212 +++++++++++++ 36 files changed, 845 insertions(+), 208 deletions(-) create mode 100644 hosts/sire/guests/actual.nix create mode 100644 
hosts/sire/secrets/actual/host.pub create mode 100644 modules/actual.nix create mode 100644 pkgs/actual-server.nix create mode 100644 secrets/generated/sire-actual/promtail-loki-basic-auth-password.age create mode 100644 secrets/generated/sire-actual/telegraf-influxdb-token.age create mode 100644 secrets/rekeyed/sentinel/32d5ff5e623268a2d193b5d49ba7539c-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age delete mode 100644 secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age create mode 100644 secrets/rekeyed/sentinel/c9a404b7a1241d00c53daf77274a95c3-loki-basic-auth-hashes.age create mode 100644 secrets/rekeyed/sire-actual/0ccf3e904f0f5ea268dcf781bcfe160e-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age create mode 100644 secrets/rekeyed/sire-actual/2fd33ed61c4dec36a98e6dc49dd75530-telegraf-influxdb-token.age create mode 100644 secrets/rekeyed/sire-actual/40e86a9c835b1fc304b761baff6e2c72-promtail-loki-basic-auth-password.age create mode 100644 secrets/rekeyed/sire-actual/7e69834a561becd34e58ede8c8dc6dcd-wireguard-proxy-sentinel-priv-sire-actual.age create mode 100644 secrets/rekeyed/sire-influxdb/8196d12330a68e89f67fbcb713703941-telegraf-influxdb-token-sire-actual.age create mode 100644 secrets/rekeyed/sire-samba/aa84bc3b0cf2b741cb337a7cd5332a8c-wireguard-proxy-home-priv-sire-samba.age create mode 100644 secrets/rekeyed/sire-samba/de013bc8b46968036521628412618c2d-wireguard-proxy-home-psks-sire-samba+ward.age create mode 100644 secrets/rekeyed/ward-web-proxy/3026df7d8e7b352d8c5b303169330089-loki-basic-auth-hashes.age delete mode 100644 secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age create mode 100644 secrets/rekeyed/ward/caa682bdbd1bb1ed58dace27b7c30d50-wireguard-proxy-home-psks-sire-samba+ward.age create mode 100644 secrets/wireguard/proxy-home/keys/sire-samba.age create mode 100644 secrets/wireguard/proxy-home/keys/sire-samba.pub create mode 100644 
secrets/wireguard/proxy-home/psks/sire-samba+ward.age create mode 100644 secrets/wireguard/proxy-sentinel/keys/sire-actual.age create mode 100644 secrets/wireguard/proxy-sentinel/keys/sire-actual.pub create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+sire-actual.age diff --git a/config/users.nix b/config/users.nix index 18be875..a1565c8 100644 --- a/config/users.nix +++ b/config/users.nix @@ -36,5 +36,6 @@ netbird-home = uidGid 973; gamemode = uidGid 972; plausible = uidGid 971; + actual = uidGid 970; }; } diff --git a/flake.lock b/flake.lock index ca56dab..bb65f64 100644 --- a/flake.lock +++ b/flake.lock @@ -51,11 +51,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1725722682, - "narHash": "sha256-AzBlGNCl20Rb3XQQNcTofntkZnaYolanvMJrADH11vM=", + "lastModified": 1727102360, + "narHash": "sha256-ZDqf33OAsr46TlP7TXbxmEf48xenYA3iSLs9441fYbQ=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "10ea05a0077aefe03b443fdb63b58ab78d0440f3", + "rev": "62da71e7eadf6b9b52e831d2e516937c30a5f712", "type": "github" }, "original": { @@ -98,30 +98,14 @@ "type": "github" } }, - "base16-foot": { - "flake": false, - "locked": { - "lastModified": 1696725948, - "narHash": "sha256-65bz2bUL/yzZ1c8/GQASnoiGwaF8DczlxJtzik1c0AU=", - "owner": "tinted-theming", - "repo": "base16-foot", - "rev": "eedbcfa30de0a4baa03e99f5e3ceb5535c2755ce", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-foot", - "type": "github" - } - }, "base16-helix": { "flake": false, "locked": { - "lastModified": 1720809814, - "narHash": "sha256-numb3xigRGnr/deF7wdjBwVg7fpbTH7reFDkJ75AJkY=", + "lastModified": 1725860795, + "narHash": "sha256-Z2o8VBPW3I+KKTSfe25kskz0EUj7MpUh8u355Z1nVsU=", "owner": "tinted-theming", "repo": "base16-helix", - "rev": "34f41987bec14c0f3f6b2155c19787b1f6489625", + "rev": "7f795bf75d38e0eea9fed287264067ca187b88a9", "type": "github" }, "original": { 
@@ -130,38 +114,6 @@ "type": "github" } }, - "base16-kitty": { - "flake": false, - "locked": { - "lastModified": 1665001328, - "narHash": "sha256-aRaizTYPpuWEcvoYE9U+YRX+Wsc8+iG0guQJbvxEdJY=", - "owner": "kdrag0n", - "repo": "base16-kitty", - "rev": "06bb401fa9a0ffb84365905ffbb959ae5bf40805", - "type": "github" - }, - "original": { - "owner": "kdrag0n", - "repo": "base16-kitty", - "type": "github" - } - }, - "base16-tmux": { - "flake": false, - "locked": { - "lastModified": 1696725902, - "narHash": "sha256-wDPg5elZPcQpu7Df0lI5O8Jv4A3T6jUQIVg63KDU+3Q=", - "owner": "tinted-theming", - "repo": "base16-tmux", - "rev": "c02050bebb60dbb20cb433cd4d8ce668ecc11ba7", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-tmux", - "type": "github" - } - }, "base16-vim": { "flake": false, "locked": { @@ -291,11 +243,11 @@ ] }, "locked": { - "lastModified": 1722113426, - "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=", + "lastModified": 1728330715, + "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", "owner": "numtide", "repo": "devshell", - "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae", + "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", "type": "github" }, "original": { @@ -356,11 +308,11 @@ ] }, "locked": { - "lastModified": 1722113426, - "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=", + "lastModified": 1728330715, + "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", "owner": "numtide", "repo": "devshell", - "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae", + "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", "type": "github" }, "original": { 
@@ -398,11 +350,11 @@ ] }, "locked": { - "lastModified": 1725377834, - "narHash": "sha256-tqoAO8oT6zEUDXte98cvA1saU9+1dLJQe3pMKLXv8ps=", + "lastModified": 1728334376, + "narHash": "sha256-CTKEKPzD/j8FK6H4DO3EjyixZd3HHvgAgfnCwpGFP5c=", "owner": "nix-community", "repo": "disko", - "rev": "e55f9a8678adc02024a4877c2a403e3f6daf24fe", + "rev": "d39ee334984fcdae6244f5a8e6ab857479cbaefe", "type": "github" }, "original": { @@ -622,11 +574,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1725234343, - "narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=", + "lastModified": 1727826117, + "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "567b938d64d4b4112ee253b9274472dc3a346eb6", + "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", "type": "github" }, "original": { @@ -661,11 +613,11 @@ ] }, "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "lastModified": 1727826117, + "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", "type": "github" }, "original": { @@ -697,11 +649,11 @@ "nixpkgs-lib": "nixpkgs-lib_4" }, "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", + "lastModified": 1726153070, + "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", + "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", "type": "github" }, "original": { 
@@ -859,11 +811,11 @@ "systems": "systems_11" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "type": "github" }, "original": { @@ -926,11 +878,11 @@ ] }, "locked": { - "lastModified": 1724857454, - "narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=", + "lastModified": 1728092656, + "narHash": "sha256-eMeCTJZ5xBeQ0f9Os7K8DThNVSo9gy4umZLDfF5q6OM=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6", + "rev": "1211305a5b237771e13fcca0c51e60ad47326a9a", "type": "github" }, "original": { @@ -1138,11 +1090,11 @@ ] }, "locked": { - "lastModified": 1725893417, - "narHash": "sha256-fj2LxTZAncL/s5NrtXe1nLfO0XDvRixtCu3kmV9jDPw=", + "lastModified": 1728337164, + "narHash": "sha256-VdRTjJFyq4Q9U7Z/UoC2Q5jK8vSo6E86lHc2OanXtvc=", "owner": "nix-community", "repo": "home-manager", - "rev": "10541f19c584fe9633c921903d8c095d5411e041", + "rev": "038630363e7de57c36c417fd2f5d7c14773403e4", "type": "github" }, "original": { @@ -1159,11 +1111,11 @@ ] }, "locked": { - "lastModified": 1724435763, - "narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=", + "lastModified": 1728337164, + "narHash": "sha256-VdRTjJFyq4Q9U7Z/UoC2Q5jK8vSo6E86lHc2OanXtvc=", "owner": "nix-community", "repo": "home-manager", - "rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be", + "rev": "038630363e7de57c36c417fd2f5d7c14773403e4", "type": "github" }, "original": { 
@@ -1197,11 +1149,11 @@ }, "impermanence": { "locked": { - "lastModified": 1725690722, - "narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=", + "lastModified": 1727649413, + "narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=", "owner": "nix-community", "repo": "impermanence", - "rev": "63f4d0443e32b0dd7189001ee1894066765d18a5", + "rev": "d0b38e550039a72aff896ee65b0918e975e6d48e", "type": "github" }, "original": { @@ -1232,11 +1184,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1725664757, - "narHash": "sha256-kUMgeF3hHJM8aBpdazNgtCeeOTrWext6lHfrYmC6otU=", + "lastModified": 1728349983, + "narHash": "sha256-VRQm46/W29z87IeITfvxIrS6LUEItgDtEDzqVX59q0E=", "owner": "astro", "repo": "microvm.nix", - "rev": "caac7808d1e31f8a0fa408338cd3736947cb226d", + "rev": "470537e671d743f40812b9c071a4130eabdb3deb", "type": "github" }, "original": { @@ -1293,11 +1245,11 @@ ] }, "locked": { - "lastModified": 1724561770, - "narHash": "sha256-zv8C9RNa86CIpyHwPIVO/k+5TfM8ZbjGwOOpTe1grls=", + "lastModified": 1728385805, + "narHash": "sha256-mUd38b0vhB7yzgAjNOaFz7VY9xIVzlbn3P2wjGBcVV0=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "ac5694a0b855a981e81b4d9f14052e3ff46ca39e", + "rev": "48b50b3b137be5cfb9f4d006835ce7c3fe558ccc", "type": "github" }, "original": { @@ -1313,11 +1265,11 @@ ] }, "locked": { - "lastModified": 1725765290, - "narHash": "sha256-hwX53i24KyWzp2nWpQsn8lfGQNCP0JoW/bvQmcR1DPY=", + "lastModified": 1728263287, + "narHash": "sha256-GJDtsxz2/zw6g/Nrp4XVWBS5IaZ7ZUkuvxPOBEDe7pg=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "642275444c5a9defce57219c944b3179bf2adaa9", + "rev": "5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259", "type": "github" }, "original": { 
@@ -1351,11 +1303,11 @@ }, "nixlib": { "locked": { - "lastModified": 1725757153, - "narHash": "sha256-c1a6iLmCVPFI9EUVMrBN8xdmFxFXEjcVwiTSVmqajOs=", + "lastModified": 1728176478, + "narHash": "sha256-px3Q0W//c+mZ4kPMXq4poztsjtXM1Ja1rN+825YMDUQ=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "68584f89dd0eb16fea5d80ae127f3f681f6a5df7", + "rev": "b61309c3c1b6013d36299bc8285612865b3b9e4c", "type": "github" }, "original": { @@ -1375,11 +1327,11 @@ "pre-commit-hooks": "pre-commit-hooks_5" }, "locked": { - "lastModified": 1723133809, - "narHash": "sha256-CUx2HOkP6Gsd7Hi+jPgm57P9Kgq0dxRG8UrxLhjDmr8=", + "lastModified": 1728505352, + "narHash": "sha256-rhiGjMfjMzayx9YJwWl53QXGWGrI9VgurB1eo7mGFm8=", "owner": "oddlama", "repo": "nixos-extra-modules", - "rev": "2dfcc1f7de2cb36566c5f1b48986dd4555a173dc", + "rev": "4bcc7dd2a113a7bf71bcc4707f384ac2c34891d4", "type": "github" }, "original": { @@ -1396,11 +1348,11 @@ ] }, "locked": { - "lastModified": 1725843519, - "narHash": "sha256-Z6DglUwgFDz6fIvQ89wx/uBVWrGvEGECq0Ypyk/eigE=", + "lastModified": 1728522165, + "narHash": "sha256-UQpsJ0Ev6JBGsCYRlS2oOVvb+eWcDD0xTV3RVlqbeVU=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "214efbd73241d72a8f48b8b9a73bb54895cd51a7", + "rev": "40c8d30c490414910fc63626ad1b67af7db40cd3", "type": "github" }, "original": { @@ -1411,11 +1363,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1725885300, - "narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=", + "lastModified": 1728269138, + "narHash": "sha256-oKxDImsOvgUZMY4NwXVyUc/c1HiU2qInX+b5BU0yXls=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e", + "rev": "ecfcd787f373f43307d764762e139a7cdeb9c22b", "type": "github" }, "original": { 
@@ -1463,14 +1415,14 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1725233747, - "narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=", + "lastModified": 1727825735, + "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" } }, "nixpkgs-lib_2": { @@ -1499,14 +1451,14 @@ }, "nixpkgs-lib_4": { "locked": { - "lastModified": 1719876945, - "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", + "lastModified": 1725233747, + "narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" } }, "nixpkgs-stable": { @@ -1623,11 +1575,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1725634671, - "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=", + "lastModified": 1728492678, + "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c", + "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", "type": "github" }, "original": { 
@@ -1668,11 +1620,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1725921389, - "narHash": "sha256-RBpN0ToD8O3qniBjqUiB1d2/LQJt5kH5P3Gt6dF91L0=", + "lastModified": 1728485062, + "narHash": "sha256-+2e9hAM2GVDF3gywdQI/OA7s4f0Z9rvFuiVxePI41QM=", "owner": "nix-community", "repo": "nixvim", - "rev": "facf6b2d0c9e22d858956d1d458eac6baf155a08", + "rev": "61ec39764fbe1e4f21cf801ea7b9209d527c8135", "type": "github" }, "original": { @@ -1690,11 +1642,11 @@ ] }, "locked": { - "lastModified": 1724584782, - "narHash": "sha256-7FfHv7b1jwMPSu9SPY9hdxStk8E6EeSwzqdvV69U4BM=", + "lastModified": 1728423244, + "narHash": "sha256-+YwNsyIFj3dXyLVQd1ry4pCNmtOpbceKUrkNS8wp9Ho=", "owner": "NuschtOS", "repo": "search", - "rev": "5a08d691de30b6fc28d58ce71a5e420f2694e087", + "rev": "f276cc3b391493ba3a8b30170776860f9520b7fa", "type": "github" }, "original": { @@ -1871,11 +1823,11 @@ "nixpkgs-stable": "nixpkgs-stable_6" }, "locked": { - "lastModified": 1725513492, - "narHash": "sha256-tyMUA6NgJSvvQuzB7A1Sf8+0XCHyfSPRx/b00o6K0uo=", + "lastModified": 1728092656, + "narHash": "sha256-eMeCTJZ5xBeQ0f9Os7K8DThNVSo9gy4umZLDfF5q6OM=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "7570de7b9b504cfe92025dd1be797bf546f66528", + "rev": "1211305a5b237771e13fcca0c51e60ad47326a9a", "type": "github" }, "original": { @@ -2023,11 +1975,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1722391647, - "narHash": "sha256-JTi7l1oxnatF1uX/gnGMlRnyFMtylRw4MqhCUdoN2K4=", + "lastModified": 1727663505, + "narHash": "sha256-83j/GrHsx8GFUcQofKh+PRPz6pz8sxAsZyT/HCNdey8=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "0fd4a5d2098faa516a9b83022aec7db766cd1de8", + "rev": "c2099c6c7599ea1980151b8b6247a8f93e1806ee", "type": "github" }, "original": { 
@@ -2080,10 +2032,7 @@ "inputs": { "base16": "base16", "base16-fish": "base16-fish", - "base16-foot": "base16-foot", "base16-helix": "base16-helix", - "base16-kitty": "base16-kitty", - "base16-tmux": "base16-tmux", "base16-vim": "base16-vim", "flake-compat": "flake-compat_9", "flake-utils": "flake-utils_9", @@ -2094,14 +2043,17 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems_12" + "systems": "systems_12", + "tinted-foot": "tinted-foot", + "tinted-kitty": "tinted-kitty", + "tinted-tmux": "tinted-tmux" }, "locked": { - "lastModified": 1725290973, - "narHash": "sha256-+jwXF9KI0HfvDgpsoJGvOdfOGGSKOrID1wQB79zjUbo=", + "lastModified": 1728487226, + "narHash": "sha256-gTOUdO94Y24QgnPVnHTQ/Kch0eM6pHEk/c1WoIxg+qE=", "owner": "danth", "repo": "stylix", - "rev": "ef81ad9e85e60420cc83d4642619c14b57139d33", + "rev": "5699ba97c60455ebafde0fd4e78ca0a2e5a58282", "type": "github" }, "original": { 
@@ -2305,6 +2257,54 @@ "type": "github" } }, + "tinted-foot": { + "flake": false, + "locked": { + "lastModified": 1696725948, + "narHash": "sha256-65bz2bUL/yzZ1c8/GQASnoiGwaF8DczlxJtzik1c0AU=", + "owner": "tinted-theming", + "repo": "tinted-foot", + "rev": "eedbcfa30de0a4baa03e99f5e3ceb5535c2755ce", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-foot", + "type": "github" + } + }, + "tinted-kitty": { + "flake": false, + "locked": { + "lastModified": 1727867815, + "narHash": "sha256-cghdwzPyve13JFeW+Mpqy/sDswlJ4DTffY24R0R7r/U=", + "owner": "tinted-theming", + "repo": "tinted-kitty", + "rev": "81b15cb9eb696247af857808d37122188423f73b", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-kitty", + "type": "github" + } + }, + "tinted-tmux": { + "flake": false, + "locked": { + "lastModified": 1696725902, + "narHash": "sha256-wDPg5elZPcQpu7Df0lI5O8Jv4A3T6jUQIVg63KDU+3Q=", + "owner": "tinted-theming", + "repo": "tinted-tmux", + "rev": "c02050bebb60dbb20cb433cd4d8ce668ecc11ba7", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-tmux", + "type": "github" + } + }, "treefmt": { "inputs": { "nixpkgs": [ @@ -2335,11 +2335,11 @@ ] }, "locked": { - "lastModified": 1724833132, - "narHash": "sha256-F4djBvyNRAXGusJiNYInqR6zIMI3rvlp6WiKwsRISos=", + "lastModified": 1727984844, + "narHash": "sha256-xpRqITAoD8rHlXQafYZOLvUXCF6cnZkPfoq67ThN0Hc=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "3ffd842a5f50f435d3e603312eefa4790db46af5", + "rev": "4446c7a6fc0775df028c5a3f6727945ba8400e64", "type": "github" }, "original": { 
@@ -2380,11 +2380,11 @@ "rust-overlay": "rust-overlay_3" }, "locked": { - "lastModified": 1723726454, - "narHash": "sha256-CdsBLja4rJ7VPvtsivyZm9VFKAt4hzL3jZbKrfiDvsQ=", + "lastModified": 1727849733, + "narHash": "sha256-mqxs/nyzOEKiBHa94OtcOLYBXd65P8tO4DUVTHWHn6o=", "owner": "Toqozz", "repo": "wired-notify", - "rev": "946adddcb704806195d976b738066f591b41b7d4", + "rev": "a1f6965737754e7424f9468f6befef885a9ee0ad", "type": "github" }, "original": { diff --git a/hosts/kroma/default.nix b/hosts/kroma/default.nix index 5ef5a56..e4f8cf0 100644 --- a/hosts/kroma/default.nix +++ b/hosts/kroma/default.nix @@ -107,10 +107,11 @@ programs.nix-ld.enable = true; topology.self.icon = "devices.desktop"; - #virtualisation.containers.enable = true; - #virtualisation.podman = { - # enable = true; - # dockerCompat = true; - # defaultNetwork.settings.dns_enabled = true; - #}; + hardware.nvidia-container-toolkit.enable = true; + virtualisation.containers.enable = true; + virtualisation.podman = { + enable = true; + dockerCompat = true; + defaultNetwork.settings.dns_enabled = true; + }; } diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix index d4a1893..c515eb6 100644 --- a/hosts/sire/default.nix +++ b/hosts/sire/default.nix @@ -26,6 +26,7 @@ nixpkgs.hostPlatform = "x86_64-linux"; boot.mode = "efi"; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "e1000e" "alx"]; + systemd.units."dev-tpmrm0.device".enable = false; # https://github.com/systemd/systemd/issues/33412 meta.promtail = { enable = true; @@ -121,6 +122,7 @@ in lib.mkIf (!minimal) ( {} + // mkMicrovm "actual" {} // mkMicrovm "samba" { enableStorageDataset = true; enableBunkerDataset = true; diff --git a/hosts/sire/guests/actual.nix b/hosts/sire/guests/actual.nix new file mode 100644 index 0000000..817c2f3 --- /dev/null +++ b/hosts/sire/guests/actual.nix 
@@ -0,0 +1,66 @@ +{ + config, + globals, + nodes, + ... +}: let + actualDomain = "finance.${globals.domains.me}"; +in { + wireguard.proxy-sentinel = { + client.via = "sentinel"; + firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.actual.settings.port]; + }; + + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/actual"; + mode = "0700"; + user = "actual"; + group = "actual"; + } + ]; + + services.actual = { + enable = true; + settings.trustedProxies = [nodes.sentinel.config.wireguard.proxy-sentinel.ipv4]; + }; + + globals.services.actual.domain = actualDomain; + globals.monitoring.http.actual = { + url = "https://${actualDomain}/"; + expectedBodyRegex = "Actual"; + network = "internet"; + }; + + nodes.sentinel = { + services.nginx = { + upstreams.actual = { + servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.actual.settings.port}" = {}; + extraConfig = '' + zone actual 64k; + keepalive 2; + ''; + monitoring = { + enable = true; + expectedBodyRegex = "Actual"; + }; + }; + virtualHosts.${actualDomain} = { + forceSSL = true; + useACMEWildcardHost = true; + # oauth2 = { + # enable = true; + # allowedGroups = ["access_openwebui"]; + # X-Email = "\${upstream_http_x_auth_request_preferred_username}@${globals.domains.personal}"; + # }; + extraConfig = '' + client_max_body_size 256M; + ''; + locations."/" = { + proxyPass = "http://actual"; + proxyWebsockets = true; + }; + }; + }; + }; +} diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix index b49b0f2..7825680 100644 --- a/hosts/sire/guests/immich.nix +++ b/hosts/sire/guests/immich.nix @@ -111,7 +111,7 @@ processedConfigFile = "/run/agenix/immich.config.json"; - version = "v1.114.0"; + version = "v1.117.0"; environment = { DB_DATABASE_NAME = "immich"; DB_HOSTNAME = ipImmichPostgres; diff --git a/hosts/sire/guests/samba.nix b/hosts/sire/guests/samba.nix index 47b55e0..1f66a01 100644 --- a/hosts/sire/guests/samba.nix 
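Review bot: The `oauth2` block on `virtualHosts.${actualDomain}` is commented out, so with `forceSSL` and the `network = "internet"` monitoring entry this finance app appears to be publicly reachable with only Actual's own login in front of it. If that is intended, say so next to the block, e.g. `# oauth2 intentionally off: clients authenticate against Actual directly`; otherwise enable it before the host goes live. The commented `allowedGroups = ["access_openwebui"]` looks carried over from another service and should name a group meant for this one when the block is re-enabled. The upstream is plain `http://actual` over the WireGuard tunnel, so keeping `settings.trustedProxies` limited to sentinel's proxy-sentinel address, as done here, is what makes forwarded client addresses trustworthy.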
+++ b/hosts/sire/guests/samba.nix @@ -70,6 +70,9 @@ } ); in { + # For influxdb communication channel + wireguard.proxy-home.client.via = "ward"; + age.secrets."samba-passdb.tdb" = { rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age"; mode = "600"; 
@@ -145,72 +148,76 @@ in { # Disable Samba's nmbd, because we don't want to reply to NetBIOS over IP # requests, since all of our clients hardcode the server shares. - enableNmbd = false; + nmbd.enable = false; # Disable Samba's winbindd, which provides a number of services to the Name # Service Switch capability found in most modern C libraries, to arbitrary # applications via PAM and ntlm_auth and to Samba itself. - enableWinbindd = false; - extraConfig = lib.concatLines [ - # Show the server host name in the printer comment box in print manager - # and next to the IPC connection in net view. - "server string = SambaOelig" - # Set the NetBIOS name by which the Samba server is known. - "netbios name = SambaOelig" - # Disable netbios support. We don't need to support browsing since all - # clients hardcode the host and share names. - "disable netbios = yes" - # Deny access to all hosts by default. - "hosts deny = 0.0.0.0/0" - # Allow access to local network and TODO: wireguard - "hosts allow = ${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}" - # Don't advertise inaccessible shares to users - "access based share enum = yes" + winbindd.enable = false; + settings = lib.mkMerge ([ + { + global = { + # Show the server host name in the printer comment box in print manager + # and next to the IPC connection in net view. + "server string" = "SambaOelig"; + # Set the NetBIOS name by which the Samba server is known. + "netbios name" = "SambaOelig"; + # Disable netbios support. We don't need to support browsing since all + # clients hardcode the host and share names. + "disable netbios" = "yes"; + # Deny access to all hosts by default. 
+ "hosts deny" = "0.0.0.0/0"; + # Allow access to local network and TODO: wireguard + "hosts allow" = "${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}"; + # Don't advertise inaccessible shares to users + "access based share enum" = "yes"; - # Set sane logging options - "log level = 0 auth:2 passdb:2" - "log file = /dev/null" - "max log size = 0" - "logging = systemd" + # Set sane logging options + "log level" = "0 auth:2 passdb:2"; + "log file" = "/dev/null"; + "max log size" = "0"; + "logging" = "systemd"; - # TODO: allow based on wireguard ip without username and password - # Users always have to login with an account and are never mapped - # to a guest account. - "passdb backend = tdbsam:${config.age.secrets."samba-passdb.tdb".path}" - "server role = standalone" - "guest account = nobody" - "map to guest = never" + # TODO: allow based on wireguard ip without username and password + # Users always have to login with an account and are never mapped + # to a guest account. + "passdb backend" = "tdbsam:${config.age.secrets."samba-passdb.tdb".path}"; + "server role" = "standalone"; + "guest account" = "nobody"; + "map to guest" = "never"; - # Clients should only connect using the latest SMB3 protocol (e.g., on - # clients running Windows 8 and later). - "server min protocol = SMB3_11" - # Require native SMB transport encryption by default. - "server smb encrypt = required" + # Clients should only connect using the latest SMB3 protocol (e.g., on + # clients running Windows 8 and later). + "server min protocol" = "SMB3_11"; + # Require native SMB transport encryption by default. + "server smb encrypt" = "required"; - # Never map anything to the excutable bit. - "map archive = no" - "map system = no" - "map hidden = no" + # Never map anything to the excutable bit. + "map archive" = "no"; + "map system" = "no"; + "map hidden" = "no"; - # Disable printer sharing. By default Samba shares printers configured - # using CUPS. 
- "load printers = no" - "printing = bsd" - "printcap name = /dev/null" - "disable spoolss = yes" - "show add printer wizard = no" + # Disable printer sharing. By default Samba shares printers configured + # using CUPS. + "load printers" = "no"; + "printing" = "bsd"; + "printcap name" = "/dev/null"; + "disable spoolss" = "yes"; + "show add printer wizard" = "no"; - # Load in modules (order is critical!) and enable AAPL extensions. - "vfs objects = catia fruit streams_xattr" - # Enable Apple's SMB2+ extension. - "fruit:aapl = yes" - # Clean up unused or empty files created by the OS or Samba. - "fruit:wipe_intentionally_left_blank_rfork = yes" - "fruit:delete_empty_adfiles = yes" - ]; - shares = lib.mkMerge (lib.flatten ( - lib.mapAttrsToList mkUserShares smbUsers - ++ lib.mapAttrsToList mkGroupShares smbGroups - )); + # Load in modules (order is critical!) and enable AAPL extensions. + "vfs objects" = "catia fruit streams_xattr"; + # Enable Apple's SMB2+ extension. + "fruit:aapl" = "yes"; + # Clean up unused or empty files created by the OS or Samba. + "fruit:wipe_intentionally_left_blank_rfork" = "yes"; + "fruit:delete_empty_adfiles" = "yes"; + }; + } + ] + ++ lib.flatten ( + lib.mapAttrsToList mkUserShares smbUsers + ++ lib.mapAttrsToList mkGroupShares smbGroups + )); }; systemd.tmpfiles.settings = lib.mkMerge ( diff --git a/hosts/sire/secrets/actual/host.pub b/hosts/sire/secrets/actual/host.pub new file mode 100644 index 0000000..18801bd --- /dev/null +++ b/hosts/sire/secrets/actual/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARJ59yifkMFmcWWM4sAwhQN6u+H4Bv+VVboPBslHqZj diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix index 9689b35..339187b 100644 --- a/hosts/ward/guests/web-proxy.nix +++ b/hosts/ward/guests/web-proxy.nix 
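Review bot: The migrated `"hosts deny" = "0.0.0.0/0";` is an IPv4-only pattern, while `"hosts allow"` on the following line also admits `globals.net.home-lan.cidrv6`, so IPv6 is evidently in use. As far as I know Samba matches these lists per address family, so an IPv6 client outside the allowed range may match neither list and be accepted. `"hosts deny" = "ALL";` is the documented catch-all and covers both families. The value is carried over unchanged from the old `extraConfig`, so this migration is a good place to fix it. The comment `# Never map anything to the excutable bit.` further down also has a typo (`executable`).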
@@ -6,6 +6,8 @@ inherit (config.repo.secrets.local) acme; fritzboxDomain = "fritzbox.${globals.domains.me}"; in { + microvm.mem = 1024 * 4; # Need more /tmp space so nginx can store intermediary files + wireguard.proxy-home = { client.via = "ward"; firewallRuleForAll.allowedTCPPorts = [80 443]; diff --git a/modules/actual.nix b/modules/actual.nix new file mode 100644 index 0000000..aac4907 --- /dev/null +++ b/modules/actual.nix 
@@ -0,0 +1,152 @@ +{ + lib, + pkgs, + config, + ... +}: let + inherit + (lib) + getExe + mkEnableOption + mkIf + mkOption + mkPackageOption + types + ; + + cfg = config.services.actual; + configFile = formatType.generate "config.json" cfg.settings; + dataDir = "/var/lib/actual"; + + formatType = pkgs.formats.json {}; +in { + options.services.actual = { + enable = mkEnableOption "actual, a privacy focused app for managing your finances"; + package = mkPackageOption pkgs "actual-server" {}; + + user = mkOption { + type = types.str; + default = "actual"; + description = '' + User to run actual as. + + ::: {.note} + If left as the default value this user will automatically be created + on system activation, otherwise the sysadmin is responsible for + ensuring the user exists. + ::: + ''; + }; + + group = mkOption { + type = types.str; + default = "actual"; + description = '' + Group under which to run. + + ::: {.note} + If left as the default value this group will automatically be created + on system activation, otherwise the sysadmin is responsible for + ensuring the user exists. 
+ ::: + ''; + }; + + openFirewall = mkOption { + default = false; + type = types.bool; + description = "Whether to open the firewall for the specified port."; + }; + + settings = mkOption { + default = {}; + type = types.submodule { + freeformType = formatType.type; + + options = { + hostname = mkOption { + type = types.str; + description = "The address to listen on"; + default = "::"; + }; + + port = mkOption { + type = types.port; + description = "The port to listen on"; + default = 3000; + }; + }; + + config = { + serverFiles = "${dataDir}/server-files"; + userFiles = "${dataDir}/user-files"; + inherit dataDir; + }; + }; + }; + }; + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.port]; + + users.groups = mkIf (cfg.group == "actual") { + ${cfg.group} = {}; + }; + + users.users = mkIf (cfg.user == "actual") { + ${cfg.user} = { + isSystemUser = true; + inherit (cfg) group; + home = dataDir; + }; + }; + + systemd.services.actual = { + description = "Actual server, a local-first personal finance app"; + after = ["network.target"]; + environment.ACTUAL_CONFIG_PATH = configFile; + serviceConfig = { + ExecStart = getExe cfg.package; + User = cfg.user; + Group = cfg.group; + StateDirectory = "actual"; + WorkingDirectory = dataDir; + LimitNOFILE = "1048576"; + PrivateTmp = true; + PrivateDevices = true; + StateDirectoryMode = "0700"; + Restart = "always"; + + # Hardening + CapabilityBoundingSet = ""; + LockPersonality = true; + #MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + RestrictNamespaces = true; + RestrictRealtime = 
true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "@pkey" + ]; + UMask = "0077"; + }; + wantedBy = ["multi-user.target"]; + }; + }; +} diff --git a/modules/default.nix b/modules/default.nix index 260bdb2..2af0661 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -5,6 +5,7 @@ imports = [ ./acme-wildcard.nix + ./actual.nix ./backups.nix ./deterministic-ids.nix ./distributed-config.nix diff --git a/pkgs/actual-server.nix b/pkgs/actual-server.nix new file mode 100644 index 0000000..4e714f5 --- /dev/null +++ b/pkgs/actual-server.nix 
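Review bot: `settings` is a freeform JSON submodule rendered with `formatType.generate "config.json"` and passed to the service through `ACTUAL_CONFIG_PATH`, so the whole file lands in the world-readable Nix store, and the option has no `description` to say so. Add one along the lines of `description = "Server configuration written to config.json in the Nix store; do not put secrets here.";` so nobody places credentials in it. The `group` option's note says `ensuring the user exists` where it means the group. `hostname` defaults to `::` (all interfaces), so reachability depends entirely on the firewall; that is fine with `openFirewall = false` but deserves a sentence in the option text.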
@@ -0,0 +1,92 @@
+{
+ lib,
+ stdenv,
+ stdenvNoCC,
+ fetchFromGitHub,
+ makeWrapper,
+ cacert,
+ gitMinimal,
+ nodejs,
+ yarn,
+}: let
+ version = "24.10.1";
+ src = fetchFromGitHub {
+ owner = "actualbudget";
+ repo = "actual-server";
+ rev = "v${version}";
+ hash = "sha256-VJAD+lNamwuYmiPJLXkum6piGi5zLOHBp8cUeZagb4s=";
+ };
+
+ # We cannot use fetchYarnDeps because that doesn't support yarn2/berry
+ # lockfiles (see https://github.com/NixOS/nixpkgs/issues/254369)
+ offlineCache = stdenvNoCC.mkDerivation {
+ name = "actual-server-${version}-offline-cache";
+ inherit src;
+
+ nativeBuildInputs = [
+ cacert # needed for git
+ gitMinimal # needed to download git dependencies
+ yarn
+ ];
+
+ SUPPORTED_ARCHITECTURES = builtins.toJSON {
+ os = ["darwin" "linux"];
+ cpu = ["arm" "arm64" "ia32" "x64"];
+ libc = ["glibc" "musl"];
+ };
+
+ buildPhase = ''
+ export HOME=$(mktemp -d)
+ yarn config set enableTelemetry 0
+ yarn config set cacheFolder $out
+ yarn config set --json supportedArchitectures "$SUPPORTED_ARCHITECTURES"
+ yarn
+ '';
+
+ installPhase = ''
+ mkdir -p $out
+ cp -r ./node_modules $out/node_modules
+ '';
+ dontFixup = true;
+
+ outputHashAlgo = "sha256";
+ outputHashMode = "recursive";
+ outputHash = "sha256-eNpOS21pkamugoYVhzsEnstxeVN/J06yDZcshfr0Ek4=";
+ };
+in
+ stdenv.mkDerivation {
+ pname = "actual-server";
+ inherit version src;
+
+ nativeBuildInputs = [
+ makeWrapper
+ yarn
+ ];
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out/{bin,lib,lib/actual}
+ cp -r ${offlineCache}/node_modules/ $out/lib/actual
+ cp -r ./ $out/lib/actual
+
+ makeWrapper ${lib.getExe nodejs} "$out/bin/actual-server" \
+ --add-flags "$out/app.js" \
+ --chdir $out/lib/actual \
+ --set NODE_PATH "$out/node_modules"
+
+ runHook postInstall
+ '';
+
+ passthru = {
+ inherit offlineCache;
+ };
+
+ meta = with lib; {
+ description = "A super fast privacy-focused app for managing your finances";
+ homepage = "https://actualbudget.com/";
+ license = licenses.mit;
+ mainProgram = "actual-server";
+ maintainers = with maintainers; [patrickdag oddlama];
+ };
+ }
diff --git a/pkgs/default.nix b/pkgs/default.nix
index b7f8b81..44fc3e1 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -7,6 +7,7 @@ _inputs: [
 awakened-poe-trade = prev.callPackage ./awakened-poe-trade.nix {};
 segoe-ui-ttf = prev.callPackage ./segoe-ui-ttf.nix {};
 zsh-histdb-skim = prev.callPackage ./zsh-skim-histdb.nix {};
+ actual-server = prev.callPackage ./actual-server.nix {};
 neovim-clean = prev.neovim-unwrapped.overrideAttrs (old: {
 nativeBuildInputs = (old.nativeBuildInputs or []) ++ [prev.makeWrapper];
 postInstall =
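Review bot: In `pkgs/actual-server.nix`, the `offlineCache` build phase ends with a bare `yarn`, so nothing forces the install to match the upstream `yarn.lock`; if resolution drifts, `outputHash` pins whatever that run fetched rather than the locked dependency set. I would change that line to `yarn install --immutable` so a lockfile mismatch fails the build before a hash is ever recorded. The fixed output also carries `node_modules`, which presumably includes whatever package install scripts produced while the builder had network access, so the recorded hash is only as trustworthy as the run that computed it. Separately, the wrapper passes `$out/app.js` and `NODE_PATH "$out/node_modules"` although the install phase copies everything under `$out/lib/actual`; `--add-flags "$out/lib/actual/app.js"` and `--set NODE_PATH "$out/lib/actual/node_modules"` look like the intended paths.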
diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index c13a4bb3c8420c6c15968b090ed86c9ffd4def91..3d223aa444323d4fba83755a99eff9ccdb7a53f6 100644 GIT binary patch delta 2863 zcmV+~3()k^6|xqPAb)H`bWCD2L|SJRldP_)pHFGOQF*GoAO=eP4MKwfiF)va? zNg@oQBhiFZwf6w zAaH4REpRe5HXwL$Q)M_&AVD=SPe^KRL2ov4NM}xUOiDviG=FO^G;>yBT1r-wU0nk=*wWw?=cJ$O(zXU=Chks-beddz>;Iso-t)>XJU34J< z%M;&*S8n%)5jg{>CoP~rBYS=UekwU`X&oMsV!71_;Q)7NrRsfLOKWh*VnEEN>r4?P z^@8Da>}c#_E*}PvQe9XBXh|l0JPYS<8~ zmPSRB^?wCEuY0U@c-ruJq>XnsNoZmGC^$|!e6V}mtdSh%cd(0UN*i|e(_SC8bYF>1 z>4z<_(@gY!ZNXd$D-{ic-}(SMUg2E6LW9v%##Z{{jKr>}MOYUY`{ zE66z4wKK~8&KfkP8dLaVDeKz%Q#n5#p*0~=`_#UBaqC=Jl{?j8-XME6ufU2bF$-r9 z))wO)2T z*5QBI(%b;*1r46El4sMGeaTJf@7{(I-bM5zJrS$8JuGaIjbSKhL#>R-= zBy;bs5b}77wVs_0vR^TXKbZtOWFRDc0tA&F%_%zo=j_pFJA~@c`fy4Zo@G`SvSZp@(O3cL6Ps6ctZckH#o!`nw?;y?+%%Yt9Kk z7Y^zU-yymM24{Ldq#0Iqcd+mLO>qOF-ikY^P{ObQ6XaX((t;s4pA9O))D|!{^MB5P zYsh4OXR00s)|d^|MPP#HwxmRx4AUT$q>p`97CYH>;CEmcR(^?UfLJuUo`Z+wK18th zb5R@Y6r*7|<(I@e$5h=(47wuk{pTVd%&mdK%J-H`)HTiA62?)Xa>CRyv?S)F$+;$_ zV$XQK%V*kOYcz+QsZhy0J`letLw{idZV`1QeAFI3Mu&1WJIZ0gxF>6IKM-<2^M3JN zFc9_3a1*ECSyk*zi_ZxVa6R9ug=ODgF|1ZMr5wYv!NUPvj| zcYzMpz1H->hJ&}pO(!c;#SMn<5=)%B5`B(mrrQlVBc0#-nXS86>G8(3M1RIjQ$*=i z4$D!m-DIhp&hT~x-wg77Fime1V(a?hW``^}wob$zSE~2+n)I;M&9atcqY6R=ip%mAtJkkGT#9TKV4?Gs@dUbt)*JC- z>Gc4+erT&*p0A!=pGD#?We{1KrC)omL4?tTLW1@(J5JCON zd1Pag5t;EMi2_G!iJUvXX1EWd ztxd>JW})+94StN+_;X@4DDqaIY>a!3qKx2Ebt`7<3fJZMMSjzs_!K`Vs>fz)k@|-= zo%Ai|EDU8AV3aX*TlTFdf(fKBz4V70$3GpTc=Xd}?6~$k!he;81s2xl1m3u2LBd0}iQfpav7I)(VhpHJH=#B^0tFHlv~jZH7KjOmOA}*4%iCB|G_W~q zn-e-jZm*ZQW`9*cUXoy@+Q`fqhb#%_2f~cET=x~Hw{A->2EitS5I?G|Si2Zo@b8$< zRz2;E9RPK-Dwr}1aB3W<6CZI~!kdvpMcS`#B(Cb)B!(m9h}U(ZqT0m6Ee}_tqG|*y zghfNPMxU*9ks<8gyaXC}5UU+W9yA=(OT5?ULJ+NacYo0EW?L_-g`Zdp>xeg5x4^oX z)Gc{h)yvsRY8h-QHhJuRSEO%;M&!m_`LSS1?(e`Dv-S}TZ)Wfl^4x8b+3ozhKCj@;>j#wZsU~+TG1Lq3$ zg#|H{w&x2;pV&Y--04Bg{N2MfYTLsWywz6y)R^hb5rSym9;!8v?e!F?d{&U%OqvHA 
zQH>%E?8yXxTToe{Ph%5$xG}q~=9mJlwXK*)=6{sxwa)5<`1T7Yir6%W%>t96-z0_h z(%F3GzG;o%8}JL4V)uo_3N1|5ARSBOPXnPoa+ige?g-Boi!jLhQLzH>1fQJ?FMJrD zt}@l3#1S4m9u3e0zAS)Y*HCBkMZSBVz#YLYR~TFPbapy3XA>bIr~I!#^|930OTOEV z?thhU9Y~^}5{D4r5_tl+j^S1@j-z3aJ?J8wT=wOx!tALga?9>ycKaAU;hJG%AJ%Hv zx%0;YSY4<9S-R!Y0z(0|R;q#S#MRDS@k3#C$cp@m0R7q!xcIQ2wYx1Un-RIMc1<&WWtx~(bbt8%BiFh>wl_MC)}#!H#8f21o?ut!Gm^;+ zgKy%jOO<5=Vkq;H0g+$Y(V0U8$ZGQ>9N}93A8wJ&G!-u))gWs;xJ@@1-&UwSWLqQ% z@TlB`Z>at+2QW$nnvCgHn$%kB^PmeebU6!B`n&u(Jx1;ndY@*Ra(jSKnu@W|EPq9( z=Lc&^nz%%$;;}(EGGy&wh9H-&dX8(;^*ouKcD;ydq9d~eH_@woC`0g^G=?qn;f0w(DKyjBghOdU=!J;p7RcJ* zOaHEmkD5((%pys2Am!%|4w)qx3MfAqXWS67(^`>!)v_XLJkTGpe+?Ubjc1l)bSVCH9HFsG_Hbr4rW?DfxM@(8y zPg*cXI0{2#Nm_L@SVwYtFEBJXS~*WfWh-S>Wn(u?IeJt}bz((Q)z5!H9}cpRCPgPL25BM zLo^C4J|HtXEoX9NVRL05B_L2cKSo6^P9RSwG73{ubvJfcbvbfLa&~l8X;@iTHB2jW zVNrTwSxs(7D}PUEb$K~XSW|drPI@&{Z&OWAVM;GWcy>f|IAaPeEiE7~R#-J|a!zDq zNoI0bOj$}!Mp$=HGIcXoR&8}eYC%o%Ajnti0uUi%?utxR zI>~h%+M*J!XpEJJ-NCaFDm3AYOqig_&cD|EYfzrRF|Ym0BFt3c*4?u`YCX4rlB_|B z50|_VcPhsheY|;_u2X8_u1&}S-yOpd__5qin=h&9mYrGSkvi>aBIrS=)%va8V#_(L zcci0m0DljYMtm1m#W5OtHw-A$h7*#3u~5AD_4{%x0$yEm z5Rv{OkEw~Wk{McQ8&AOR7=-(d9Jed%1Im55NhIYA%uR{Fqz^8-t35A#N@S-4`e1|8 zxepSjKlgO)j!!$O^buD2CWX-B$qnaoSbk-HhJO?$F!tUvG8B3jsD}|R1%2}7%=@kw z+-RKgm|;pMaT&x7fF!L}%{jI9%IRnfGSxX3W$P{(C8gi@0evWOkpjo&x9=D`S!+!3 zQVhMUV+ZEcAEzG)sat^n>p9&D&PDE}%PUGL5LM%x>wUq5U;Fp;)V8xot&aj_8r)a_ z6o0Ca&x{^Tqa<(0Jp)3UA6`w-2x4?BLc{AhQlGFEq61WGivX6TE@{+Unq0(5)nBL9 zWX5S70<9&R-0x$P;lB#lhB;numU|N|NvqNO2u_K{n!1|{=}DBQ*@8S+AR|@m98Pl% zF=!@tVKn>iIUs6u5(H?pX(U>Q0UGp6^?&(9#qM|_=86_H_VFoP!K z2#Ut2OB;B$8w2E5G+3v07q;H51o{mIC=2V8J%kDro7*!ct*}P0?n>dx6Q4+rdDELh zqN_o3mftS6s*eL5>HjIzh)dsY%>31x8(?~A(9|!alusUEz{8ZHB#HamRzS{QK7W9N z%;U~T?4{UMuBNPOeg7gB&8p*wZlZP+ugkDD#An=t1iY>Y;=SD1qO3v!)dE}IgHAxh znEF~#6~8cZv2yAt6P6k9c6G+ICj^A$FU)&G42BZlDfq&uTJ4>3j4V1scI5U@6SD43 zFgGJY0DuOyB6c~g^8fGM$C`Y%6~s6-)%0~>QrjM?m=G@Cw0}|^^tW4>mB*mTN_|fq9Syc6yxQ8vd8=N|tg;ERZFATc zcC~~(+(7*-n(YQ@A<+U;(Cqn-H&dhdi9kibi+D+}REJs%^H+kuNyVP7HrO$k8&;jF 
z?PfL7qN2OC!Ff5bt?kizl@ACtXN|F-J#}LLFU@2G*lmGf=jSR;9e+&d$)@L}PPxDe zuQE8y!F#RXkx(P$a{fhYfH9i=&+gu>banzg)FvjBrh) z!zogp29}&`?eg;bMw8SUljKYcaArr2ICC&hC_`Odkj1uF4uNa6kB^wxg!p$XEHN>+ zYdidlPktbqKB;9FC7bzu`rTLA7bomgs)KF(<(qYD zd{NX}YXrYu-EjxAp%^Y#{%FACjgpVG$*ewu1B8~8>bg7BQGZWrijUGb6eI2qKu#gX zwQjiRodF;45Ot2g4oQ64yBqvsG;LqA>F9&V!1lzA7w84Z1z|!aExs|KUKY``OV0H{ zI5A;xDutXb(Umrr?o$=(i`BVRYe}$T-DtDM>ecHed@Z|z?$|W_PoB`EXiAB4(itTc zQLv?X+ERAXNq_V$UEbHOHcs{DxbWahx}To`w$Y<1Lb9F6kc@h~_yLz@Yu6CK2)OT2 zNQ=Q@utNJB>uDz$sAR--4H?6v@7m>KsLmZQHj)myiRz>0;T?f55{>cB1ur0pcx@ zx*mmkP%*bOJK?el${q6+(Y8fn>U|W4DA<=Y|_f2~CXj{|$v zMJje12hWNi*l__`MzUYdwJ^MfO zbICwZaFrMg^Ng^Mj=3D>y`;2;U$_gX$Rb}F;=75zYG*8|LSy!u$l0vbJ=KPV7FMtK zxEEztLaN$6(N9rvHC^Oe+`J5U>PI?*Yd7~r4kuDB>8|eDsL{Pvtj0g3yVombR8(%k z%YWAs5RFqKF^=yo6#NLm|DBVgXq~kiZ{-(N_+kKjM z6>v8*4bgk+C8cZ;nWj?oj}p42uLFGpof*Q-K4~{SW9N(`o81TgbOuo-Ug(AdWk;!k zq*e(b(W$|c`}j!KJB;3%JdZYp|G3{)-Bc#Y*cgSbQ=S&HxG0Bb3`>VUHEO2|O99o9 U?Fu8AOEC2b$iU4A;c_gMT^(K^h5!Hn 
diff --git a/secrets/generated/sire-actual/promtail-loki-basic-auth-password.age b/secrets/generated/sire-actual/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000000000000000000000000000000000000..9b8a7adcbb88c862faf574182fbaf6ac8fb14666 GIT binary patch literal 509 zcmWm7J&%)M003a4ll%u0rn}@C1lmGDlRKeMXlctw3-qeXz3p3|l<$ug9MqgfoiuK4 zt|q#gxHuXY7h~e!;$Sq!#l*q57<11bcupLM!EljQaqdOojWbk?LOl0{=8 zwCi3xp97FhTmYDb6BO&tFo7+>XV=Qc5$e{c6WHDsnU|^U72SlcY%^jFB~v;QVfkCF z7HKk^=BAyxt5ulGwSP9mUWvs`ibi+I1Ts3xxjQ^q7=x}NjGS-{iI|tx*6}>mjS)|} z3EeKiR3OBLoB(93hAE-n#b&!0d5+C|ovILRd@mRf;m8*=Qj+Ki2^ zu8Vy{WB3ZBE7DsTcnqO2X|~I)4|Y5wlTxEn1)mx6`Ee#vtsLhx-YirylrzGP3ET?s z4dQSJhGFPN-H7tQpA9Pqq}n{8fz`+-!H(-fL(;YF%&K;JUIr#ULIzKtea`xCum3ru z50rP+rAOE)*!%kL=Ec|VpWOKS`xE{B!?z31AKqhb@7-GBFZS!JS3cJGQS$4{ X25519 4WvULDsSwUnj79qPtGG7hHeFxhxnYdvxVOXJQo3aVy4 +lmlUMCVk6k0XA0mzqe77sF4mbDmgYu95K7QWhOlZqPY +-> piv-p256 xqSe8Q A24MXG1xn0Os5ZrM8dA/JXJyzTzIKjEyIIwJBob7wCI0 +HvjPgXYlj0+ZCOagDmY8CIGHbeVTDXTpKV9wOTl/2SM +-> --grease +2gZkjaxrQDQbMYPUf4zUTERBDmKG/ofEC/cDMw5cmkJj/uwEYv+RrBBlPuvcMyGa +SXmlRg +--- qLxt3oDgW5lnehq7C5bRCEYucdLDmkWkGjclbM8j8LY +b f̄'z. YJxYV;1lH@Uzv+5KoH t xw$e \ No newline at end of file diff --git a/secrets/rekeyed/sentinel/32d5ff5e623268a2d193b5d49ba7539c-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age b/secrets/rekeyed/sentinel/32d5ff5e623268a2d193b5d49ba7539c-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age new file mode 100644 index 0000000..8bbae3e --- /dev/null +++ b/secrets/rekeyed/sentinel/32d5ff5e623268a2d193b5d49ba7539c-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 yV7lcA IFccz3iClZKyPf7EdDWd2MzhrVBKhag9IDWc7XUI5Hc +uatqP7QQJnA5mQP9tsHQFaKEHeoDGLgY2kWJpnal674 +-> 7jdci-grease c[y2 alscP1 +H2uNfINe/FUPjgudAkD33U2rIb5+L1KoQ0A5lr5iGYfPPCdscexXunFJY48qSn03 +WpMBYikmzds +--- uugJJPzxMZwJCWH97I/MTlu9WzD4ZQPYDAMXwE989OY +4fI@ɺx-m|Q,jA*q2o6o9Gja'}yaw1kΜ7K \ No newline at end of file 
diff --git a/secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age deleted file mode 100644 index c53d63f68ad480322c80e2800a4b4100123e68ec..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2628 zcmV-K3cK}TXJsvAZewzJaCB*JZZ2 zLsU{oIYw|tXg6;-QevIiJ|HiBQY~k4Wnpt=AU$^q za8*fBG-y_0HfL3EQ8GzcD`8rAMKo0kEiEk|MQ%1iK~-mGMo%+qc~nqAb3|fUMQUX; zGd65QWo1WlLw7f0b609IPH0UEgn7uE@BNf7^`SjJ38AQb{h<4n z(g|j`hy_z&tX*sJDUsYv9|uyINn;1Y9}c8`zNyOyBbyBqyM70bHVpMN!bQf6f886&t?Fyt*rZbkuWQC<$pyRaO&u zk*uiglT(#m)V7=F37R*;4TqGPqKu>`qPV{`X!zM!V_BW^5(BCRBJ)W}8^L?Mvmw#5 zK~`6{fT!JeuNc+J1KsjJs@P>pTlf06XeA;R%jGjbBG{ zE31NUFqEAV6JND1O<*cJ7L%Q_KvjGWoMO<#gwj*&J6rB$$9~Bh_eFm!Y3iyjjW@q~ z2OhbNVRsIjL~NUAFBRd>!HfOX0t_{_mXrjQ^2IBT!l>9MRRiJBG)w1XovH|jk$8BW z!^E(_u$saUR}wJ<$yI{ShfIIL{aiqqkq2}YkyKk>RM>r)bgi&lYkK+Gby&?*%9QM3 z<}1?$0JlYHK*rxgqYAcq zWu!c9&J$(FdMKcVjJ2AHTXGv7YpM>CI zf5~X-OY#{V%o#Y=#=9>p)pp^p8-vudzNjI7XY#4Tvq1i7fu>~wwi0}{aQbn3OUN#D z7_)wJ8LL({H1b;bh31W@3f&p{V)CT>zXTBJQ$?xAcui)GfNecjwQW7=VD@SI;hKFw zJT2NFvD^v_6N(~po^HG zEgv9Sj1@!o)Nx`IcK*Ba`t$RYOrEaE%z`*ufnRWw)Tek!{dV{Hkz%8hh z&E7E(0K6$pVS(R8t3O(_Z10|U?{NP!WDS@qEuzEDLtM-)&J8j@(-9SmbtM?w zbGoL=Mmjq}{{pffit;Z{+%XH;6t3fcVV9v&S9BS9-!<$>5Pmc}a@G7APozx*Z+ZdU zVAg<3>@tyNB^w7vv)ZzHVR6RPeYv27)|((c^aC8{nl0*2s{WeVD6X+xENYK(TM@ z1r8r3!UYA4l`^q5RIMlH%;<1-a)}vdWt1+?miGq~2}mdfdx|mCU~|L*$JPEyV-0;y zKvI9|(eb4?H}QQVh8n?ImCNgm@8x}W#7FTwnd&VgNWSRIW}xJw9}-9((sxJkO$jsA z>F_=$T|Y|QrK8LcNi%XNspXjy!WD_!&uPh<%9Km$%gfv!OF^4+~R=Y+eaIkS97ALs<@8_dPr__BlJ=P^y7$##Z`vBED>yA zp21_@aGwXjpzr_1h*2&Hk2Q8diTVvGRv8^APMOz9)WEc$aklHt?q`Ff0-h$0cAc6M z{5W!|Z`0yZ! 
zl74(%J9Yf>hSXNP$c$%?r2nAfB(~P`Gd5|xcOE^8{VAYl%S9JuUdLHjHDkB_TlryP zme^P3(t0}aRmvKLBNI%IOT}v&x6-)(UprHNgb((Qu;5;4CQzq=P>#cyPeVVwb29Of zvs~(?3}(=l%wEiqOC`f5Ey)Ceu(pFVsm)1*2-u6DTR{k8XPX5Fg(Z!Ae9$b`U%I#6a+ky)!s0Fe{jFe>G%ch4K9%GH-N40A zPcA(13_Pc-6$lEOk!&{a7&P0^DeXYTv~1Uor=`O22%;du^5lYCnvmnhgi_!1Sg7 
diff --git a/secrets/rekeyed/sentinel/c9a404b7a1241d00c53daf77274a95c3-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/c9a404b7a1241d00c53daf77274a95c3-loki-basic-auth-hashes.age new file mode 100644 index 0000000000000000000000000000000000000000..290407ddd33fc7fc22339b7c1d31aa0a3c9a5b54 GIT binary patch literal 2735 zcmV;g3Q+Z7XJsvAZewzJaCB*JZZ2Yb|GTWnpt=Aa+%B zb|5EEKw%1QWL0f3Mn*b#G%#63IcYL7aBOaHPhn+JQDbZ~ zV{m#jMp#*Lb7V?kX+=^pN;nGf#j9U^%hnDSsmL3wU^Pp+wnm>$c{ieF6{1o9R@bF# zY=!4RGdwkYw0d9JCfj%t+YUzMSaUOt`vZq95ecADFQB-E;UV&3l&7=b=~J3~n3MYY zS)CjR&`YTkd%DJGGK1WR*hmny`D007q)0I1D`=Y6r=c@fR3bS3bv9DRZAXLOsxfnL zX5^l<=-rw53TP2jKF-C8IF}gzn0j;G7BIO_x3YD_Eb?i>3pU;hV&;OaaKK0Li!&ps_X0J}pb7XsnJSx8kxbw_0GVaA_C@~r{c=F(d zo4&$cVr(!Q9W4TnDk7u=@gO=07(J81{OL0h&?EdGPlQ42*#2A-eOz9n)-J&8lj#N1i2;?MOFbIS;Ybv zs%cCLJGCZY=EqngI(>>ihW5sV&0{vq?MnB8s#a=Z?KI8p7&*nFbjk8+uV^}##+`?| z_yoJn$`VkgAJQ+fv?kH^nQ9O{T2ToYHxDUnaNC9QxlSzIImwpRWoORsq8^A%r0mL` zS;5|@6CR+2PT`uC4MISu5k1~K&6x=WYG#?=Ez)S_glLSs#ZM7+s}#s~2V1zkm%Gw1 ztZYeu!`n3P6qeAHp`T;+!x5G~74P@1LTe4`{{5?L!7o3}tf~68HqTl>JHfLgO^;+75i8-Q%GcG*olQ#&FmZ-{lldp2YA~sa%%zAd%XfcM ze$`S*MP0QEvWy0U3<_=E45&vu&YfD(>NQ1o4&%Cgq+B6x^#li>KcISW@4tmn$LSEf zR}Eu-OeUyN-#&g34(g*|$#eF2_=_Po_N(vb4Q~gQ{*!!~vw(=2GT72GX4a=XB(21m+{=cf0 zP)2?oEctnpC~R2wmg)&l_%AD%aiJYWTFOI5F&Y;wt1tPL5G@(1{OiX^)F`fScRIIGGE{Nj|mowyk10^lR}2w{?!+Nd=kc!2;Ff||xLye~~E zFycZ9{QZGJADt>Nsc;Rt>yZ4#!Q;zyxO@9}YEiFME6)MowuW+j&qfue$+X4R5xm|+ z?SI0#dByGwRj{Wt@X-?}lbYPx1E0~7NuS7T*If`TBs)5D32@d(1VM9dR+~$wjuO$% zqs5#Ee1G5!TE;g`8ksxu4l4mbGv#t zf6t&UI~%KKUBGy4cdB`D>4SJe{JGX^CehBy#>Hh{Hs5BI6 zSoky9rSb;8Lxb?ORy)+SB~_L*v=waaJgYW55Rd`2Vlm4s@z$@pH3?AoPWc(+l|&bu zwlIBOcb+g*b~w2=hq6?fj20fjRKE8-scc{%@`GgQ_H~yc5Y{s2Qcfxd5RQ6&WTS54 z&g}KIXtyYGXDdW4V6`aA3b3cG8F;PnlLe{%8fcT{KCiSzOBgl%0~E*)mF17`86$=} zRa4Ec1JC7#Djpuvy-E_wq6QZ;%%Hu!{Vn@8Ms8f{Onskw`3Ov^luP2-oI@5Jknaar z8NYx<9V4Vp-5f@7iB_sAZbUsx1(d|LcOYyWY&%LS4S1Wu5Y)Oo3^~!V8C9uV1(qYf zyDU>BYxnwj2MuFW0G}Ej*3rYT+Y|dw*oHql3>0z3_r)w|hS)Zd^P{bFFkL&C0A 
zgKSTmB$V{8QGG^yg4Yin&zP2nZB>o=30tL&UL+0x%CR}pw7;+|cg}IkZYnNNYF1cl zCoV@kasA$PTR}I_#$Zh%ptMO`kgx!CFDGD+eTfb0(#i{u@e|J9#G>k(m7<1xM?3Yl zElgt9_dDcR68%J68-px@fkt+N0D3S_@zJ*O5o-3l&F=5-jCPhHp5k+AkJ zTIwjn1z)Lr zB`i{&TZS@n7`oxzVjsOCdx7D6u~hv4e9^@ literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/sire-actual/0ccf3e904f0f5ea268dcf781bcfe160e-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age b/secrets/rekeyed/sire-actual/0ccf3e904f0f5ea268dcf781bcfe160e-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age new file mode 100644 index 0000000..ea548d6 --- /dev/null +++ b/secrets/rekeyed/sire-actual/0ccf3e904f0f5ea268dcf781bcfe160e-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 11F4Ig gNdfKSW0SI5OHV3WV8Z2gMaIyvpEpKtgEynkBPXO2SU +Atd1AyDvRmX1106aMzZhx9GJEd17nYu9pJiM5/kI3Do +-> ;-grease j+0 +cIGZ9KVirP5q/dCKsUjPBzkUXTw+Yo+i8UJ69ndD49smdN2BxmzouELydH5Bva9i +anw8o8lTvqVvso3PDBrgZy7iFcgTJWto +--- jilcU1phIjP8JI2AUkhQbc5Smot9XoJ8t9mGsGtznx0 +.@h8ME]Ư+1m<歧rq``sӱW{@Q +߱H`})QKft_ \ No newline at end of file diff --git a/secrets/rekeyed/sire-actual/2fd33ed61c4dec36a98e6dc49dd75530-telegraf-influxdb-token.age b/secrets/rekeyed/sire-actual/2fd33ed61c4dec36a98e6dc49dd75530-telegraf-influxdb-token.age new file mode 100644 index 0000000000000000000000000000000000000000..62051775661448b181f132c174fe634459a30e56 GIT binary patch literal 346 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSPG;}lZOjmHK@-H&f z&M>jCbnyzvO*AWYPV@IqHptWWGjq~Tb;;Cr4KB(ri;A!eD(6b{@+fvIj0`n(Ne!?} zHz+mpsVL4W$&M^CNOH4u49trt^iCEu(EQ&Q^Vnp75ITIy)z zVLQ2@e227 qDw>e7a>{=9>b{ls@%8!)yRWW!v@nwAc;v^h&s`BbleHt0oXY_IA9v#b literal 0 HcmV?d00001 diff --git a/secrets/rekeyed/sire-actual/40e86a9c835b1fc304b761baff6e2c72-promtail-loki-basic-auth-password.age b/secrets/rekeyed/sire-actual/40e86a9c835b1fc304b761baff6e2c72-promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..d64444f --- /dev/null 
+++ b/secrets/rekeyed/sire-actual/40e86a9c835b1fc304b761baff6e2c72-promtail-loki-basic-auth-password.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 11F4Ig Q/+byIi1VChVqi+Nh3HHAGVHM5TTIUOmiZwH9Dw9tV4 +qHOXa+Oe94aB0JEfnXESVcT8EQW4Hs5Ml8Wf6oEAysc +-> &~6vWU.@-grease &l{i5I O1rTi +LU9Mvv5nuRU5IArjaZkbWJqabahPhbiRCMtJsgTE8mpoQpmA+1I5gEBFS7LAAAHU +/WfbRgCbMmMga22vot5Z9M2PYLTcUp5sQoRAOAUUGvDq1Iaa2jcxJHO3uQ +--- YYwZsRvZ61nqaQxAzP87bRFHluC0gOdLpQuEXsEQGpY +_Q-Z봵5=+}#uiT ZlflRF4;`O,,\ZcͯnޮEEqm_.Bڌǃ 2 \ No newline at end of file diff --git a/secrets/rekeyed/sire-actual/7e69834a561becd34e58ede8c8dc6dcd-wireguard-proxy-sentinel-priv-sire-actual.age b/secrets/rekeyed/sire-actual/7e69834a561becd34e58ede8c8dc6dcd-wireguard-proxy-sentinel-priv-sire-actual.age new file mode 100644 index 0000000..f4a3a62 --- /dev/null +++ b/secrets/rekeyed/sire-actual/7e69834a561becd34e58ede8c8dc6dcd-wireguard-proxy-sentinel-priv-sire-actual.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 11F4Ig xNoQ1/f/e3Jv57Npi3I58y7Z/RvK6l3V7Vo5H81d4FA +3/Fb14I4nNObYCbPUNZZdWfa6/+ZaSTAB24NTjLPy8U +-> %>-grease +itFTJfCmI/7Rt9rvPeKLsrbDUR64w390pprq98A2y8gM +--- AbhEcUA9Qn1KwfouM6bRE9xHWaUKesHHrLc5L3bgS0U +AQ?-{1oyM(zI(?l`GGӇK98mwwJvƧ;J_G6G \ No newline at end of file 
diff --git a/secrets/rekeyed/sire-influxdb/8196d12330a68e89f67fbcb713703941-telegraf-influxdb-token-sire-actual.age b/secrets/rekeyed/sire-influxdb/8196d12330a68e89f67fbcb713703941-telegraf-influxdb-token-sire-actual.age new file mode 100644 index 0000000000000000000000000000000000000000..632634896992a164aa73265e51977fa28c81f098 GIT binary patch literal 355 zcmV-p0i6C}XJsvAZewzJaCB*JZZ2k_gRbvWvazRRER5?Ur zFgasFM`>0_K{;h-VRcP2MoD^fQDRbQNO@>OMNvU-He(7cJ|KQpL2D;pJ}qZ*Wnpt= zATB>3O?xn0Zh0a?3S>5UZgDnrIaO^;Z&!F?Z#GDJO*utPQek&=XKQ6pNN7W7S7Uff zb!BsTFL*dvMKNtMO?P%@a%ydDO?6RY3N0-yAa^riQDJggZ(&Y#F)K88cVt>;Q8#l& zb5==uZ#Xt+GFo~uF)KEBGjT*g3ew$V8K$SL&!{)zoZ63!vZq&mo9pN+XM<@Tbb7f> z{GkpkILiPlRERC3gt6iQ#fBTL5eG4H=egwrf?8+6H>}UIn ssh-ed25519 rQrJ/w DWkPhlrCa5T1PSATq4viZ5NIzeqcoIRWd6RLave7NiQ +8RQc28sjhRgEF+RdPSlzlQtEbG5rO8aNythv2MCy0To +-> J-!;ug8-grease yL_ N W"pE $Bjux +XTsz3Lz1yIlotekskrOu1ZQypmLfAsKzBTDswz2jdAYwceWAaNKX2t8Bw8DJKp3L +VOJMryelTENqT6XJPdR7EEg+9SMRCPTcoZOuCwyEL9Wn8WHk3IuqhbxwvOE +--- dXp3JMlVtvtz4v20d3yaGh79+GdfnULhxdo1Bz9hwTk +8!xXb3m\֙ۼZcQ jת#6ăMz&@ %?@r4 \ No newline at end of file diff --git a/secrets/rekeyed/sire-samba/de013bc8b46968036521628412618c2d-wireguard-proxy-home-psks-sire-samba+ward.age b/secrets/rekeyed/sire-samba/de013bc8b46968036521628412618c2d-wireguard-proxy-home-psks-sire-samba+ward.age new file mode 100644 index 0000000..c2f134b --- /dev/null +++ b/secrets/rekeyed/sire-samba/de013bc8b46968036521628412618c2d-wireguard-proxy-home-psks-sire-samba+ward.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 rQrJ/w jq2XfdX/2OM/GjQeZYYUcduu+51XU0hurR6lI7OkVhI +NGx48KHWx35o47Iib98j+9KUXa4unsLpZ25nlmiLwNE +-> ]jsC-grease ^6n C15&W5 ufr M48 +mMp1PbB+pbm7uRhihpeTiKMHi/kN/8fxu89JehNVMQ +--- 9h4tOHU1KcZYb7hA+W+a5xZbjE1nNWvTSTxyLc/DoqE +asŢHD?`iws0# i;;d2x3ͳC үPYÈjf]`مe`f \ No newline at end of file 
diff --git a/secrets/rekeyed/ward-web-proxy/3026df7d8e7b352d8c5b303169330089-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/3026df7d8e7b352d8c5b303169330089-loki-basic-auth-hashes.age new file mode 100644 index 0000000000000000000000000000000000000000..d64c8d1745dcf0bb43d1874c8612254db11d5fa1 GIT binary patch literal 2822 zcmV+h3;Fb6XJsvAZewzJaCB*JZZ2cu`_UQ*JM7RaFWtJ|H43XL4m>b7dejT6A7* zAZT4>V<2m8eIQkAO=vj^HDWnMPe?{)VrDQgOi*rkSW#0?GkG;*b83Jn^Z|e-hJTq<73A=^|*-oAJQVdwMM`l-ItmvaI^Lq zv{W4yNOq#ZQv*-(uTvzU+uuK%%@?wzvv7n|JY*$H~z}Z zm@D$XrY!bmq@4W`LM*&n(U&f zlcsF788k^jdD_U^9R&p7FBFbd@}+tl(sEp`3fH$FizJe9MkM(Pynh1UySZk~;MOF7 z!%(5}wkdK%+@A42uy2#U`V%3$2QAw15Ci`_Zmn!{ojLi_HWLEk8sNurBDS_b;+UWr z3QKL2a?a<=g!`U3iV&8a>So=>6*0|Ik}%F9xxYa?<)bjTeZZeC^b!KcZ;>Db%f8$N zhI3M(<`LklVH~iF^}QwJf0rwSbZU=tLDuK=Nu^fhf%A5Rq`@(C;C-4DIG4^o47|6~ zc)>o0T5Xf*K(^7ug``^Qoi42Gk@OL3*v|ERPnI&U1fn}9p)6k!yg9!jz6R$gz8+vU zod9|o{$e4Bgv$&|=TbGf+T{$}+sPN^!*~vv9!5pPY%{P_(>-e4QaDWUMgVdciAYCG zR`nyV!4a57%!5nLn7Wo334)0a@EvIVBV3KFID<=Z$2tC;M%ieN9Ez>{af_`CZ$&L5 z?Og*Fz__Etu^;JJY1LIZGbMO`eP*Dj3SqBf8$AvOOaycTU5Z#1C6xtnDfN)?OnL|? 
zh2tEZTx?D6oOIt)>Ox?LzHH&z-=upCL^Jss8-z~n=9r@$+wze^^R-#>^|@l{Ci1!hXlg*Q0*#zoin+yfi+_Vwcr%DlSFS;-YlqUSuF^r!DS z7pY0BfPie7N!_zCM@zS4JM&kU546Js$}hTKurBx25&GHjH};d=vs`eH3Wt^HzmTqd z`HOd_sr~ae`$(2@k?GRBv-O4b`gEIvpcKx&d|5FM!Ep6>lfSXGd)t7NtHD-E>Cius z)RJVm6q@DyA7{$FDR8T|)uvdmhMNAzjKpN1%iIDPsxZ055Q{XwdgIK?1$YqYUm09KKiKx`$b0bYnC)8rJ(z2KNEVzt8jz(UMe#-`ZU#An=3 z9OIa|Q~5oxX$_^o)6tC{v>hv}3!#bHw_;B;X6x5~ZG6O^m-cS!$7Gsj+{FsAUv#5X zCmOdg9IY7xM*dRNQFeO1<;=x^CWpNEhc!3b1Rls zNiBKB`vC`9kW6oZqQPz0(SvOE$}58dP0_2%k2)#gUXeL=m6&DVrc@rH{+`S?C=oBG zqEU{?AoQP$G=7dcPurET5pmOB(D7E6={ZJ2iQ#6+!HrUWtgGf9atmHsY*A>Tp!eO$lV4{ z{3;SuVKe4f@!ON@eWkct^<|Ev!frYbXEM5a8A$IhM8ctQWipU+38V5P!qCXKy|4bC z#`zTG>;p0iCS`@s42Xsb0W`o-0|l9&#|V}r35nl>@q`veM%s*MyXuuDg~(>|S;)15 zrl@cZO&t?jRU>DU0U>bl(08Z; zcyEF$R0bYC7yXFgHJ@IP-C8YJZbhr2-&^ut3A}q@lA+V`Ai1o5MN_|7($Bl@M?stk zSGq*ZayAQ9!0+6WJNm7(#%CA_zl{?VkNq6AEgBC>CF8TCiPl_bNmulnSa(at#lrFm z$Bo>@!7uhT8B(zRetu2{j!mr+S@T}Hb9Ly-WE-%&6o{5*Dz7oI^Q+zrqQox*yDM4m zwQ#hmWYrF%K+fGez59VG1hIP548M|5NLTo63qmDeTwLgn{OS9R3f0QGGCM{~vc{K5V?P1%Nu!|O%W z*+@xj`%@5SpPfx9GPkjMjsVlKY$*F0Ys=ugqLt}^n^HsU1;Z*r^DVbQ^F zQKCz2BmM9}3%JLzDr7b&Z-2SIra2bg(r>U!fE=wpc{cpd$Dq*t(#d=MM+i$V9d#cp zLw710QSa}IKbXEL@JOhOS)>q}TD0Dsi44nERAy)$VB2HBPRj0$Nw(RxLBcm<%!}?| zwUSWxv4kHF5P7rKSawgn0gVl|Rr)l?13>aVoT1-@3kgU8ZFGN$<-<85*=}%ZoBPgi z_eJXN-HAx=t&nU@<^fOhvJV=$-Z}KK*=W{GDk;FP;PoSQB4XhJ|Jj!c`avhWnpt=ASf?# zNklDtAU9YbVqqvcdhGC5LZRSGRFEg*R@crSBTad|>|F)&JXQ%hD+bZ12{PGV#@VN)__ zMQ?U^NeaWtfw_4IO`@~OQe5QA)CLb!_x5;`Z5noWc=VuOsTn*O-8P@(b`v$6 zk2tLr$K^4=xfP^gD%~aN@S`PMvC9Nm;Lu>Kn_4PUb?;n*Z4FpLOGzL>tnecIqURRGh1Y&UMmfLf_)9U9m0lrax>V=^E zZdeoWF9&`@silIRtV+q`KIP=6XJ@j%(E=LrKm$(SY#Vb3GbE8GG0)(`O)adcnR?_M z&d={Vsl6ZCWt)N#S`#!V@Z>vD1czwjzwdGG1zu1N(8`o&2&#Q2$zm(r@vuS%SH@a$ z*fWC`WfQF0I7h=#2*YI|gT$E|0-p=kL5VO_Db`NOkeXBU!f>t!D7;!nx4)L94{4&_ z>1x>zKaW{72Ix^98^@kkp+@(ti$=M|4RA$<7k3f__Mgjb5ecQg@u0R>Vjzc?6?HUL zOEjQQChwEEOBgjt14j>7+ERs)TT6a{(jiX&}4DQlF5 zN!oAmbjb2-Ft|KaXXiZ=2gD=-_cs&!9xOpX 
za!UAa^0b*t%D+J-{omAY*y(n##>d(Z#d`Iok-n~py4Sn+TO4Qm)h}d22P0z{%q7=u zBlj^AswbHkP`HZBA@-qPFA5$I z)Q$eo<~`LSD}&;<4RJjHecP(-Qewo`J^}SFDb$NGb3ifj(dk=w*E2yNUcw>b#F~ZA z@h7Ts%>}RXGO>Gi^R=Il_IWq6?Wk;bHP*u%>2dV=#a?T_Vhv%I-Jv|Z;ng|G7xxOD zoMRWd?fcV`n676JdZh#>`DK&mJ_XD-;~P;!!aWuT?XQa@cFL*gd2BM5- z8U^ZttIK~a`2UY;@&}pI7r3x7n5^SujVUgLt3& zSQ3w8D`T*%>I^0pk)Ar{Y9szvKYbP|h8o&|LqigYW{CY3*(XUGhx|Z9nhOB5ieP?R z0`}M)J<~&Csl^la$SYHCi(Gj-9MIyw>H7@t`M(823!_crX(E8Ne$!+=@LZlH%dbZ* zTtlL0gcCl^AgkQYJRUE0;vIx;?k7jAj=nkdqkqn=5XNMffy@!=E#^m3;C||&@YKsv z?2@yEsB)y0^dL4^guHpS1)GsOMjZD(*7@;gjUHqCYYyM|H$VzS<@CoNr)brX+12zI zudiS_#>4CdL^&y7z^ypZTbW9RTVPkvl)C_@4xJk z#kk+?NgUGZP#Nmj+O|s8IDM0X@9n|~5Kp-74PB4Yl}I+t^QCGoUAoI} zZSS9w&F!W;SSlb?cUfZriyEu};1=*cAVYa6u$m0?B+kC*wtdLjh+ZQ^|v+Ds26YBd%;BtKPAOe#B6yfyTWv|BK|Y zQb1pfNs++)`Gg*L3QL2o9d5mDqcFwbY9k7AtQirqO(+<5laSwY1~$0bu;? z4$O}WW^ZZ8<`SF&Al6{r0U3QsgBJZ%PHwEgQo4s-fddPCMbY~t{rwe0`e`dy2kPlg z93}igINl0g!y)4pODrlKY~)#X8d*N-g&LtgZHOl4*1vo&kL&Tx1^>dv4dz{c3|XcA z`R-3=C>@>k8ENgfa>pleWGzPRv zLgIXa2~y;EuNN5yTHa4~W;m1AM?{j2YuiXnm1-g*d^Wn~|k2D}8+rT)%)5zk$g*5spvw zvh)YsO(bgQGxB%bi@F7SO-6Fg$p>NXqq4bk^NM}baWVg_(p$U5VeM6U+j9MDl-W*) z`%Sma1v!|Lcxlb}H1`eAhfS}hy})sJg%U^I4=K<%d9yg-b>3WWNxBjIjt)iFvnLJL z9(#FJWjKS>`LD>*SZn$xlzpF~2_R;zp-nS*l$b5@FTjJWD|ApGw--i}Qz~Dy1bmqV Y9ydWOew=E#02X<*%tph0w|^8M^XUcu;Q#;t 
diff --git a/secrets/rekeyed/ward/caa682bdbd1bb1ed58dace27b7c30d50-wireguard-proxy-home-psks-sire-samba+ward.age b/secrets/rekeyed/ward/caa682bdbd1bb1ed58dace27b7c30d50-wireguard-proxy-home-psks-sire-samba+ward.age new file mode 100644 index 0000000000000000000000000000000000000000..e8bb79abc3695195e89060f5bb44a8003aa9852e GIT binary patch literal 283 zcmV+$0p$K+XJsvAZewzJaCB*JZZ2P;)U&3N0-yAV*O|D^E)`NMu)6FIH4cLsv9rX+d{VY&A${MM`B)OGZUPT0>D~ za&lQP3gmzKoOm`h&z>3mBk3z>(W^1^>NUX#l!~f)OWn#k@$}0~g*; X25519 KQPDZldKPDq+HDPYSVlMoKK1JswRYL9uNUdsWLEhZxQ +N1vlljTAWNbM04ekHBHqWg6Jpr3f9Acw5SxRran9CXE +-> piv-p256 xqSe8Q Ao7fH0BAfwN9xYJ71eWsjdJmvs9UGWi4t+l+YyHI4MzL +AU1OncFGzW1vO9vvBGK7x6r9Ot8+8YbsOZKf+hL3S8U +-> ;S&[\-grease `b>RB6 8_!g +h7Qe0q7hW+JoNA +--- wKEw3pXgd1hI0LrqkmmsAFs5JnY+DC4MHP67Ghjldvc + +НNzk͓>b X25519 5pyB5fSTo3cjljOw9e2o1m5dn3/ZMzfMZ/tP3fxJhio +3JmOwt8/A5c8ibCJt4tMK2+xWK/VpGB9/uLPhQvxVqg +-> piv-p256 xqSe8Q Aqpf5FhtcQgIMEezNhF50oXyzCrDuS4DsOS7aVCQVvBm +evNoqwVkERacTx6mVVVOlsBCHO3yetcuMH5QJGummGY +-> |l-grease Q0VZ+}% +QQV9kdqsM2MTG/KyWBQJw0N0UsEn9H8trbKirw +--- KSl7XsmKLEutX1PQuwTb2qIqsJVi9jgGWuxUp2Ae1VU +;u':"249.n\YrfkL['B9Ce\W%c,>EZyb \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/sire-actual.age b/secrets/wireguard/proxy-sentinel/keys/sire-actual.age new file mode 100644 index 0000000..3ae8c65 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/sire-actual.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 LhqhNeE+yY9Dsqe+eXjg6mOWz+wPZImRPAq2eF/vIFk +mk11yKunIgHwdGpnMwEwf/qAUqWWnGfalX1gceHdqbs +-> piv-p256 xqSe8Q AhVlnmWn4ZT3JRI+TIfyw8frbW16g/umN84Aq2qqBQ+R +UlXnESACrhPdj5ByNQKFaFd8LLzEG9+2EB7pFMPzeAA +-> 7uwu-grease Y+) ^1xRk+\ +ECg722RXEJGBhO/HWYB5pVzLHVxZ4fLaDRWbrHQcdyp44yXbdWE49bV7ISauwetd +iEkM+rKNWHtYY+yTafbHfEJiBkLYeGmGmjo22VsrXdef0UE4 +--- tTHVM7jJu4Eb7u+BpQIIjMZn+2NUIFsBTNV1XyfBlVQ +WP-VTYzRRDtf6"EvupnO3L19,#/k9&Y +YCV%2 \ No newline at end of file 
diff --git a/secrets/wireguard/proxy-sentinel/keys/sire-actual.pub b/secrets/wireguard/proxy-sentinel/keys/sire-actual.pub new file mode 100644 index 0000000..02afb30 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/sire-actual.pub @@ -0,0 +1 @@ +ueK+KbA9vaKOb6bis3nVdSJMPDowMuH6egtsj7C7syA= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-actual.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-actual.age new file mode 100644 index 0000000..64193f8 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-actual.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 wIVO1yG5oYHdHVFcQbge4HpeuqQkTLIfRHsabifRH24 +6cDOSCnJHD6Cxa/fGuqhVSJ51i0uOCbybkS/ZTefBF0 +-> piv-p256 xqSe8Q A1YY5e1n/Y9ODm0t6id46gzvDZd+tIhy7Cz2Z7pxZBQS +7BJEwjoCzt0MTOYcMVuL0O2uVMhpWjiTnf6XWFoxFAA +-> "7I[%-grease SqKNL&b $KEMJq= +szY +--- o2LLtf6UCOi70WgdqzH+5PNpwLzRad+U1lCaqcMdYzE + kMy@߆Q"jyOc0XVKGL`@ +Sde GxԖIL \ No newline at end of file diff --git a/users/myuser/graphical/firefox.nix b/users/myuser/graphical/firefox.nix index 38f3887..871ac18 100644 --- a/users/myuser/graphical/firefox.nix +++ b/users/myuser/graphical/firefox.nix 
@@ -289,6 +289,218 @@ in {
 };
 };
 };
+ profiles.empty = {
+ id = 1;
+ isDefault = false;
+ };
+ profiles.onlybetterfox = {
+ id = 2;
+ isDefault = false;
+
+ extraConfig = builtins.concatStringsSep "\n" [
+ (builtins.readFile "${betterfox}/Securefox.js")
+ (builtins.readFile "${betterfox}/Fastfox.js")
+ (builtins.readFile "${betterfox}/Peskyfox.js")
+ ];
+ };
+ profiles.onlysettings = {
+ id = 3;
+ isDefault = false;
+
+ settings = {
+ # General
+ "intl.accept_languages" = "en-US,en";
+ "browser.startup.page" = 3; # Resume previous session on startup
+ "browser.aboutConfig.showWarning" = false; # I sometimes know what I'm doing
+ "browser.ctrlTab.sortByRecentlyUsed" = false; # (default) Who wants that?
+ "browser.download.useDownloadDir" = false; # Ask where to save stuff
+ "browser.translations.neverTranslateLanguages" = "de"; # No need :)
+ "privacy.clearOnShutdown.history" = false; # We want to save history on exit
+ # Hi-DPI
+ "layout.css.devPixelsPerPx" = "1.5";
+ # Allow executing JS in the dev console
+ "devtools.chrome.enabled" = true;
+ # Disable browser crash reporting
+ "browser.tabs.crashReporting.sendReport" = false;
+ # Why the fuck can my search window make bell sounds
+ "accessibility.typeaheadfind.enablesound" = false;
+ # Why the fuck can my search window make bell sounds
+ "general.autoScroll" = true;
+
+ # Hardware acceleration
+ # See https://github.com/elFarto/nvidia-vaapi-driver?tab=readme-ov-file#firefox
+ "gfx.webrender.all" = true;
+ "media.ffmpeg.vaapi.enabled" = true;
+ "media.rdd-ffmpeg.enabled" = true;
+ "widget.dmabuf.force-enabled" = true;
+ "media.av1.enabled" = false; # XXX: change once I've upgraded my GPU
+ # XXX: what is this?
+ "media.ffvpx.enabled" = false;
+ "media.rdd-vpx.enabled" = false;
+
+ # Privacy
+ "privacy.donottrackheader.enabled" = true;
+ "privacy.trackingprotection.enabled" = true;
+ "privacy.trackingprotection.socialtracking.enabled" = true;
+ "privacy.userContext.enabled" = true;
+ "privacy.userContext.ui.enabled" = true;
+
+ "browser.send_pings" = false; # (default) Don't respect
+
+ # This allows firefox devs changing options for a small amount of users to test out stuff.
+ # Not with me please ...
+ "app.normandy.enabled" = false;
+ "app.shield.optoutstudies.enabled" = false;
+
+ "beacon.enabled" = false; # No bluetooth location BS in my webbrowser please
+ "device.sensors.enabled" = false; # This isn't a phone
+ "geo.enabled" = false; # Disable geolocation alltogether
+
+ # ESNI is deprecated ECH is recommended
+ "network.dns.echconfig.enabled" = true;
+
+ # Disable telemetry for privacy reasons
+ "toolkit.telemetry.archive.enabled" = false;
+ "toolkit.telemetry.enabled" = false; # enforced by nixos
+ "toolkit.telemetry.server" = "";
+ "toolkit.telemetry.unified" = false;
+ "extensions.webcompat-reporter.enabled" = false; # don't report compability problems to mozilla
+ "datareporting.policy.dataSubmissionEnabled" = false;
+ "datareporting.healthreport.uploadEnabled" = false;
+ "browser.ping-centre.telemetry" = false;
+ "browser.urlbar.eventTelemetry.enabled" = false; # (default)
+
+ # Disable some useless stuff
+ "extensions.pocket.enabled" = false; # disable pocket, save links, send tabs
+ "extensions.abuseReport.enabled" = false; # don't show 'report abuse' in extensions
+ "extensions.formautofill.creditCards.enabled" = false; # don't auto-fill credit card information
+ "identity.fxaccounts.enabled" = false; # disable firefox login
+ "identity.fxaccounts.toolbar.enabled" = false;
+ "identity.fxaccounts.pairing.enabled" = false;
+ "identity.fxaccounts.commands.enabled" = false;
+ "browser.contentblocking.report.lockwise.enabled" = false; # don't use firefox password manger
+ "browser.uitour.enabled" = false; # no tutorial please
+ "browser.newtabpage.activity-stream.showSponsored" = false;
+ "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+
+ # disable EME encrypted media extension (Providers can get DRM
+ # through this if they include a decryption black-box program)
+ "browser.eme.ui.enabled" = false;
+ "media.eme.enabled" = false;
+
+ # don't predict network requests
+ "network.predictor.enabled" = false;
+ "browser.urlbar.speculativeConnect.enabled" = false;
+
+ # disable annoying web features
+ "dom.push.enabled" = false; # no notifications, really...
+ "dom.push.connection.enabled" = false;
+ "dom.battery.enabled" = false; # you don't need to see my battery...
+ "dom.private-attribution.submission.enabled" = false; # No PPA for me pls
+ };
+ };
+ profiles.same = {
+ id = 4;
+ isDefault = false;
+
+ extraConfig = builtins.concatStringsSep "\n" [
+ (builtins.readFile "${betterfox}/Securefox.js")
+ (builtins.readFile "${betterfox}/Fastfox.js")
+ (builtins.readFile "${betterfox}/Peskyfox.js")
+ ];
+
+ settings = {
+ # General
+ "intl.accept_languages" = "en-US,en";
+ "browser.startup.page" = 3; # Resume previous session on startup
+ "browser.aboutConfig.showWarning" = false; # I sometimes know what I'm doing
+ "browser.ctrlTab.sortByRecentlyUsed" = false; # (default) Who wants that?
+ "browser.download.useDownloadDir" = false; # Ask where to save stuff
+ "browser.translations.neverTranslateLanguages" = "de"; # No need :)
+ "privacy.clearOnShutdown.history" = false; # We want to save history on exit
+ # Hi-DPI
+ "layout.css.devPixelsPerPx" = "1.5";
+ # Allow executing JS in the dev console
+ "devtools.chrome.enabled" = true;
+ # Disable browser crash reporting
+ "browser.tabs.crashReporting.sendReport" = false;
+ # Why the fuck can my search window make bell sounds
+ "accessibility.typeaheadfind.enablesound" = false;
+ # Why the fuck can my search window make bell sounds
+ "general.autoScroll" = true;
+
+ # Hardware acceleration
+ # See https://github.com/elFarto/nvidia-vaapi-driver?tab=readme-ov-file#firefox
+ "gfx.webrender.all" = true;
+ "media.ffmpeg.vaapi.enabled" = true;
+ "media.rdd-ffmpeg.enabled" = true;
+ "widget.dmabuf.force-enabled" = true;
+ "media.av1.enabled" = false; # XXX: change once I've upgraded my GPU
+ # XXX: what is this?
+ "media.ffvpx.enabled" = false;
+ "media.rdd-vpx.enabled" = false;
+
+ # Privacy
+ "privacy.donottrackheader.enabled" = true;
+ "privacy.trackingprotection.enabled" = true;
+ "privacy.trackingprotection.socialtracking.enabled" = true;
+ "privacy.userContext.enabled" = true;
+ "privacy.userContext.ui.enabled" = true;
+
+ "browser.send_pings" = false; # (default) Don't respect
+
+ # This allows firefox devs changing options for a small amount of users to test out stuff.
+ # Not with me please ...
+ "app.normandy.enabled" = false;
+ "app.shield.optoutstudies.enabled" = false;
+
+ "beacon.enabled" = false; # No bluetooth location BS in my webbrowser please
+ "device.sensors.enabled" = false; # This isn't a phone
+ "geo.enabled" = false; # Disable geolocation alltogether
+
+ # ESNI is deprecated ECH is recommended
+ "network.dns.echconfig.enabled" = true;
+
+ # Disable telemetry for privacy reasons
+ "toolkit.telemetry.archive.enabled" = false;
+ "toolkit.telemetry.enabled" = false; # enforced by nixos
+ "toolkit.telemetry.server" = "";
+ "toolkit.telemetry.unified" = false;
+ "extensions.webcompat-reporter.enabled" = false; # don't report compability problems to mozilla
+ "datareporting.policy.dataSubmissionEnabled" = false;
+ "datareporting.healthreport.uploadEnabled" = false;
+ "browser.ping-centre.telemetry" = false;
+ "browser.urlbar.eventTelemetry.enabled" = false; # (default)
+
+ # Disable some useless stuff
+ "extensions.pocket.enabled" = false; # disable pocket, save links, send tabs
+ "extensions.abuseReport.enabled" = false; # don't show 'report abuse' in extensions
+ "extensions.formautofill.creditCards.enabled" = false; # don't auto-fill credit card information
+ "identity.fxaccounts.enabled" = false; # disable firefox login
+ "identity.fxaccounts.toolbar.enabled" = false;
+ "identity.fxaccounts.pairing.enabled" = false;
+ "identity.fxaccounts.commands.enabled" = false;
+ "browser.contentblocking.report.lockwise.enabled" = false; # don't use firefox password manger
+ "browser.uitour.enabled" = false; # no tutorial please
+ "browser.newtabpage.activity-stream.showSponsored" = false;
+ "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+
+ # disable EME encrypted media extension (Providers can get DRM
+ # through this if they include a decryption black-box program)
+ "browser.eme.ui.enabled" = false;
+ "media.eme.enabled" = false;
+
+ # don't predict network requests
+ "network.predictor.enabled" = false;
+ "browser.urlbar.speculativeConnect.enabled" = false;
+
+ # disable annoying web features
+ "dom.push.enabled" = false; # no notifications, really...
+ "dom.push.connection.enabled" = false;
+ "dom.battery.enabled" = false; # you don't need to see my battery...
+ "dom.private-attribution.submission.enabled" = false; # No PPA for me pls
+ };
+ };
 };
 
 home.persistence."/state".directories = [
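Review bot: `profiles.onlysettings` and `profiles.same` carry the same long `settings` attrset pasted twice, and the three-file Betterfox `extraConfig` is repeated in `profiles.onlybetterfox` and `profiles.same`, so a later change to one of the privacy prefs (`toolkit.telemetry.*`, `geo.enabled`, `media.eme.enabled`) can land in one profile and silently miss the other. Bind each once and reference it, for example `settings = commonSettings;` and `extraConfig = betterfoxUserJs;` (names are a suggestion), with the bindings in the `let` that presumably precedes `in {`, which is outside this hunk. The paste also carries two misleading comments into both copies: the "bell sounds" comment is repeated above `"general.autoScroll"`, and `"beacon.enabled"` is described as Bluetooth although that pref controls the Beacon API, so `# Beacon API (navigator.sendBeacon)` would be accurate.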