From c71e0c7573fbcc0dd3ee73774f1562a7af2f1254 Mon Sep 17 00:00:00 2001 
From: Dmitriy Pleshevskiy Date: Fri, 24 Nov 2023 01:19:02 +0300 Subject: [PATCH] move magenta and canigou to infra --- .agenix_config.nix | Bin 6134 -> 5057 bytes nixos/hosts/canigou/data.secret.nix | Bin 53 -> 0 bytes nixos/hosts/canigou/default.nix | 30 --- .../hosts/canigou/hardware-configuration.nix | 13 - nixos/hosts/canigou/networking.secret.nix | Bin 932 -> 0 bytes nixos/hosts/canigou/services/miniflux.nix | 20 -- nixos/hosts/canigou/services/telegram-bot.nix | 12 - nixos/hosts/default.nix | 21 -- nixos/hosts/magenta/data.secret.nix | Bin 52 -> 0 bytes nixos/hosts/magenta/default.nix | 33 --- .../hosts/magenta/hardware-configuration.nix | 13 - nixos/hosts/magenta/networking.secret.nix | Bin 878 -> 0 bytes nixos/hosts/magenta/services/gitea.nix | 152 ----------- .../services/mailserver-accounts.secret.nix | Bin 2944 -> 0 bytes nixos/hosts/magenta/services/mailserver.nix | 73 ------ nixos/hosts/magenta/services/traefik.nix | 133 ---------- .../services/woodpecker/agent-docker.nix | 36 --- .../magenta/services/woodpecker/common.nix | 28 -- .../services/woodpecker/data.secret.nix | Bin 220 -> 0 bytes .../magenta/services/woodpecker/default.nix | 9 - .../magenta/services/woodpecker/server.nix | 68 ----- nixos/modules/docker-stack.nix | 245 ------------------ nixos/modules/traefik.nix | 70 ----- nixos/shared/acme.nix | 8 - nixos/shared/docker-swarm.nix | 16 -- nixos/shared/networking.secret.nix | Bin 482 -> 368 bytes readme.md | 5 - secrets/docker-config.json.age | Bin 2160 -> 0 bytes secrets/gitea-smtp-passfile.age | Bin 1412 -> 0 bytes secrets/mailserver-users-family-passfile.age | Bin 1417 -> 0 bytes secrets/mailserver-users-gitea-passfile.age | Bin 1384 -> 0 bytes secrets/mailserver-users-jan-passfile.age | Bin 1471 -> 0 bytes secrets/mailserver-users-sm1-passfile.age | Bin 1450 -> 0 bytes secrets/miniflux-admin-credentials.age | Bin 1465 -> 0 bytes secrets/traefik-dashboard-basicauth-users.age | Bin 1423 -> 0 bytes secrets/woodpecker-common-env.age | Bin 1544 
-> 0 bytes secrets/woodpecker-server-env.age | Bin 1519 -> 0 bytes secrets/yandexgpt-tg-bot-env.age | Bin 1472 -> 0 bytes 38 files changed, 985 deletions(-) delete mode 100644 nixos/hosts/canigou/data.secret.nix delete mode 100644 nixos/hosts/canigou/default.nix delete mode 100644 nixos/hosts/canigou/hardware-configuration.nix delete mode 100644 nixos/hosts/canigou/networking.secret.nix delete mode 100644 nixos/hosts/canigou/services/miniflux.nix delete mode 100644 nixos/hosts/canigou/services/telegram-bot.nix delete mode 100644 nixos/hosts/magenta/data.secret.nix delete mode 100644 nixos/hosts/magenta/default.nix delete mode 100644 nixos/hosts/magenta/hardware-configuration.nix delete mode 100644 nixos/hosts/magenta/networking.secret.nix delete mode 100644 nixos/hosts/magenta/services/gitea.nix delete mode 100644 nixos/hosts/magenta/services/mailserver-accounts.secret.nix delete mode 100644 nixos/hosts/magenta/services/mailserver.nix delete mode 100644 nixos/hosts/magenta/services/traefik.nix delete mode 100644 nixos/hosts/magenta/services/woodpecker/agent-docker.nix delete mode 100644 nixos/hosts/magenta/services/woodpecker/common.nix delete mode 100644 nixos/hosts/magenta/services/woodpecker/data.secret.nix delete mode 100644 nixos/hosts/magenta/services/woodpecker/default.nix delete mode 100644 nixos/hosts/magenta/services/woodpecker/server.nix delete mode 100644 nixos/modules/docker-stack.nix delete mode 100644 nixos/modules/traefik.nix delete mode 100644 nixos/shared/acme.nix delete mode 100644 nixos/shared/docker-swarm.nix delete mode 100644 secrets/docker-config.json.age delete mode 100644 secrets/gitea-smtp-passfile.age delete mode 100644 secrets/mailserver-users-family-passfile.age delete mode 100644 secrets/mailserver-users-gitea-passfile.age delete mode 100644 secrets/mailserver-users-jan-passfile.age delete mode 100644 secrets/mailserver-users-sm1-passfile.age delete mode 100644 secrets/miniflux-admin-credentials.age delete mode 100644 
secrets/traefik-dashboard-basicauth-users.age delete mode 100644 secrets/woodpecker-common-env.age delete mode 100644 secrets/woodpecker-server-env.age delete mode 100644 secrets/yandexgpt-tg-bot-env.age 
diff --git a/.agenix_config.nix b/.agenix_config.nix index c296fdb1abef3d51ff84f68b5ab6e452b84ca1b9..2f70b060a78154cbdc233fb07221a069ea99b79d 100644 GIT binary patch literal 5057 zcmV;y6F%$!M@dveQdv+`09xUDdNmY@=t+EZ<-Aj1#>?vww0jWmG_d;ctL6jd>ON2o znxapSK;F1yaETBULskJl zo%=4GI~F~sy=veBD)Fieg@>m-wq`D3-n5hd0-Vbh*PFX!JmaDr2#cUrY(@m7>4^|o zptH_U0(AxIuwENUtXC<)MjktIpoyPLUpzQN@Y~t^8gs^aGEqE57@byna^Wz!WKj<7 zA^5x?66ypqH)SX@mSM1|IqdRu_wN7OcTT!_B>KP=g&6ovIcS4X>JM#2R0;N*m1!e$ z5?ZD&mjO8#+?VOiV3~Hf@#|i|%^(BAKi6vd%Dp7@jKDg8BQr8p%APn?HV}ReEj9SI zm0k>u6#@UR)m7N!G=&x&KFb-6X?gSXiL0lgB(%Q89G??5sf!>=VycrVH4Qn=QNisC zf8ZZV1lh8Ak z@Jr($^F;oS1UbEbYPyU7q$UD{G2AQ9C1bOJ0@C?2-grS)wBMA%oiBIo>=8?ST)*NV ziB0YK5AE>9t8 zzZ8_z&|ExMW`m@BoJIytm0XDeJ#z20^;T!mSNr5`e@@l$FEU+ow$q#DnX=;t6KA_NVYX{)$0f%P4rPh~IO$cCYc9Xgm%&PX<2oZ~kNE%v{nG`;^ zlKT*35;Z_s^rd|PY($D#DRIFQ*RS$7P!bzwTxH<{?Uw!lgRan6TX`MK{!v&8BEz{g z>>3s5vS-A38-!mzISjvs{Q14!RQO-!jCDKvCJ6bPp znPyR{XLXm15CW{Q5&Khd&j;acc8a>b3oF5IgzYFif0(U7es`9ojl``I)c`VhZBx))prB-RsMb3ix>07h>$NpPLPoc7_NYeC%T z`Ut`R|7}fi-^gE~a4ey78Oi}y!$C!0s{?(xi)sI+>^IB|BH{{Pnj)8$Fi<*Q-p&9d zZfBEEn+H)}xH4cB-x=B{V+pPgWL{Qg0LlW9sM`c-PS`ICFB@>~_|&u#qV75O)-Ha` zR|0N0bc%)Po^dIzK3Ly7DyvZ_c&>kx3^d*X_8&%i81;WZFLfm1PtiWlQV!mS6?+p6 z>C6C!)SfeL1)e;m#_ec&D|?(q+0XAYZfHS1djlWEs#-nYz8>gl%&LqS6Sraxo%ML= zC?;WnBm3@p*p0-98iTk9y-(~^`yM~|6(w@|XVj!Fe6C6}iS--La}Ly;W4Xt_xTYP& z|2BfHbf;y!o$rXAI9UPPTCRv^S^Hp+2o$JIG0H;kcSba=i{J)b2%s%U+XC@SeFTi_ zcbFd5c-1@rd0}=4Esp^J%IQ#F@*xz=6ZE-Y6U!CFm8kEZ_V2R9 z!>X{`m8)_Sgsa5rW2kK#14X_l(C86#JAxYbnsXXf2g<0*NxnS18L&9B%+CBTCISH_ z2gXYsWb=Z_Ikx$l9oIN?3gtDm9QAE;ZTWte7duR5*hcoJ2EF6mz9=|L%-+tmU3ZW{ zcR{XoKfD2N-?2tj~{^?tfRN2QG18^Ri{FF_X(`+E4X=6&)Tl}m%L%} zyz4}U7xoWKOzel$E!gR5Jhp&B#58TNgfb;THbesrsl8UB`bs5GT-;|9*kJoTm4B!X zH1zNAWW#h71TVV)SF<_@Pu3Olmod&lOkjdW0`Q+RE{VAoqgH3DbyXNX__y#fZz+9` zdK=3?-`Ikfk~{5s!oDsH;#tgyiE^3qJqs^uKM?-;Sf73IG=Mwam>26Gm`~W|^~n2J z$Qtq;boJXlN6ufo*-7skyU&_FvwNb0_B80f{xL17Dg4wk(9XUvY;nB=3m4fbZLHfx zU^s7n&Z4_nYc>WZ^e+R`*^Ch3afL#FQie{mivyZ+8t&*2_vn3DM1rGUenT>L9Sn;R 
zSg8lsf3HR#7pbWl#KlR_QrTyGpl@xI+HK6%i8s;yJdZM))AG<#81rE9ezh0|4@?ry z=uJj6vaMG&t{ZmV@k`Ik%45)9ncTVUusj1SsnBg}e#F7oq$MdaafE1-#K5w*#asuC z=2o~Z2(PDV+uTl{s3#p9p$JZnfg7~%_dyvu+wk@Hj4+k%>>h5TDy*`d9xb&{_VaO% z7>TrJ`y;mYP1fI(`;!sG4Pj?MyK^W^)-oh!cAo;ed=;h_agU; zie?xAWBnq7?upaxMm*Qxg{`>Na${JIAG!9<&R;lHKAUib1wPqi1+TqLcleidGY}*+ zxXuGLsoa255?Gpa$$dQgl!csyg(pUyiJ8hCq-tWjt6 zA*O$j!Qr#lb6B>HQ9VOS>RheLC}Q#tvz zJDO^gSxsy6ck~-}e_cVM+Hi_Tk6p)PHrpR}`|&tPk;j$%8+u-r8jKjprE2OF88GjT zc5(tuGrj~>vBsYL>Q{IU%J$fDbi!wQW|yly;Hi^MJO8qh&|-pXWt=nQtOiZDoq;Ni zbE{h1Lhq=I6?JvKMXYfW8Y6}b{&f$MYAtw+2kC<_YygF1 zEK`l2Szkb@=jsmwF8;Z*&0alysDuHUMtGMNacQ#~KD>!NezX|FiO6F*D!rwvAA zYkF43A&hYKJ-Db1=AA`>UJ!kN_)>7KKpWywRqWxeZ3dpoXI`z5(5Ywb&xZcJW4VBM z^y2V)ZMXEPq#hd%$w;e<7Q-5T&b{6@?jf_x*8stW$GCT66hQy?RqiIjhOKnC-9rSzaCcSJ228BRq~8J&ShIC75q`(o?3q6TGDLj z8#>?tBh~ciT`}jF;_|&R+*ZJ16R0+)NPNsEGF37qyMer5N2{dsq$574vvwLnBr<=l z{K}Gpe^;qH&8>3hj$)B+o8)neK2um+%!LYl7^b~xsU-bu)5E>Mii~RLSZ#w@(Gyss zUJ{>#cBE+esuY%{2~j~(Z0wyBzKp8%UF`V0;X$xYbkdXLF};Yfi}_o<1ONsK|23WV@T@7ngc^o1gvz-5@im6J^6E`lm7nxL1qVAHO~~N(%qU-36z{<1A}*8jZm;YI3bQ-!r;YVE zemAr(Yu&Rd6+Zo@rL@Ul7F4b^wXvi>3WnW*c5X7Aaw z!PAxq^FF1wP@qCWbP)MIjZJGu>?wd&KIQytr#e&59a8U>9tJUYA8jk8#K9a80xQD| z-cwHJtsvqVa+4Q8n!UtU-~z`Gr7Wqw0Ej!AkRve4A&%;@WxVUuyns0XNh1v7+YG;U z&N;;dtFhz{U?p$tl1XY>xG2VId+;nTRg2O|Zw8;CV6Ga!T9ItJT! zGz7gJS2ER(T#B(LyOWvA`h1CzUkwf~)0WW)lsw)R_}Y(J*Wgo3?dmmA6}$OL!74_! zqS^TgmM@IoO|iR;aWaP@GU!184gWU)`?p`##z8i2;5_65=I7e?)ZdJ_Lu)p_X_lj< zdJPNZ&R@NJ;DhvhJ+3o_@9-B!9xVFmVtUgCi%P20UhVQ+Kz@9e&$ z*Of^|=}XtXrt%)aGN+l@_GebxlZ}EwB5#7Ld@uat?EK>Au~qrnqp*m&bL^?_PZj;w zHV{HwDYG;Sg8bF$Ph1)cJqquP6G-m3j z_FCtql&va%h+;vbRkLBe2=+-pZ9=)o;PrNf0BEg%eTuwwHULQq0wM?6WTt4aX7^D! 
zrfqi!L4iWR@@tP|!*jJwPZJiRL|5hRx5W6oILglnX$jrcJ8)-PnfcuWAGn1-k_At< zwXi_NV>@3?@eUIizoYreR=Gw^+FT%x0-z?GzUgjGFj3!IIr3_5MQLrudlYcE*5z`L zA)w@kbs?qiPu2qo6se#G-j^WT?#Q{$$3#~#CN#2!c6cG@qZK| zlEjy@Jb0bd+l<>Xmj-HhhpK&G^3h{%+Cdjl0xR)^0x?e+K|)zl#ecT1qVJ7x;UM~} zitD>SkFa~k1r|3Q`naTlJJiu)qNPHwIzD2Z6{UjE2|JSVpZEo3$o8zQZB0+YYb}bU z{}hlJ!W1c3qjvpv&y{$y&tM=}zS z4HC&WB}O|T7DO=TQuAu8NVCjt_*2&s)(4iYM}RJhNsi>;0U4DZkCWehM_dNQLVClx z7IFeS<+L^o2XcXm^#~e=Xl;Z*OI*7(f0926*Y@Jc&iC;YC|rG7)wm1dFp{)Nz_%d{ zbY;i`CX(DW-UUiTcgVLy`{Ltsk9Xc*6 zO;BD^>(-&u9JvZC`c%n~(rp@ruEL_&;IxAFVrI4z2K&%|duW(KvPs=wK0abWtUqfc zHlQ&d@WOAF5JSao2XJz#B=Q8Mv3|rmagvz8`N4Vjw51zlMLCn^tzVNMzL565LA)3Mff`0>mDdutwVJhD_G~`rt zY96Gp$}s{E&%LNlgLIW;UH~}X>N*irwM^H`*5_6Z1d4G3sRERCDm(+XbT`WXJDN47 zHiAw-@8R+JP?zpWsO*7|tSsCHR_Q^$2`&;OB|UbZB<>i58$oDF5yAZ}>P#ZDLf2TC z#cq$!k@6KF)pMeTEP$~y9cH`1mVat}si&Xp&T?~v_ATxDy%(>v+*VJ6^44LIA4#?Y zs4^IV<|el(0+*P)2NEYWc|pvL>{G)r`yD)@=1;@W;%@az76ZZt6jDgEA-EOKhxS57 z21<72;GBcZn3wp+qaoJI>hRX22~mhnEr` z9~2^MmqN11n|bxEJa!+rolNofYQ*Z<+;xDe)iFDf_5Tu~zps+5sq9Z*GotQcKk_o} zt}6NV@VWTvd4rb7%hWNgYBgF_iPdU zPZV8v{+BKYQ)?c2C@T5}V|Z&%MyGXPH62SG@AS`A!!HP_Zjh)+vobj)+Bo1(H3dBr zPj};5&9ob2*UJH&+PqTt$a@p`m_70t3sldhF9(^9MsArjEODU0Fk?!I1x<)-7VlYn zxQlyEWc<`dS!i-OqRH6TC<`GNMv6WjKroqvridVeeGp?Zxjn~~8iAXrKB`h{xDOWe zZGHfiIP`z05^r(tf)0bcnp?i5=t$U%cPJ2B{Q=vexZrU66C#o1%Kg|7!nJ-j^vRek zJ(N&VldPYKLwSikKfDZSbc38XqL^RmqAWJia``7EctHTkA4k?Uq31G#$$LwI!+R5< z8LSjK_Y4`il@Aw+GF`02lI7O2vmEZ%^s8QNNwGV^Vgd`2qgYY1(&odkq*`hR#bk8Y z`E5>4H`wRlB{_Ruw^Mdy6)+4VrsTL_PIe0ceonk8Qr$+16lYfe2TrguXK!hIaHhg5%xAnHpoGSA3Zb zC`2BtTUv2O&^XEf@j4v5^dlfJ9oKroDk6u+1Xn~U-!OQw&vB8*O9jhW0;M&n4`|HR z<+1mIF|{oB#VFt<`c)8mS#}?Cp3yt}1=|1AJw=31L2Y5eAzGQ=sBc_tA`b*B&7Q-V zmIW7s_krZP|H z`<#dBC}{JY$A&t?x)Cwt8~RvZ^=1HO6na@;y7wY*N|&g{gA>Lj zq1?L7S(rdugDN7fEfmXihPDMsf(P_F&$`!^svB!8ZM+ZH0+{T?6Gs}}J=N^~(VRgI zn-qy)UGTM7OsVg0@IhG~Nfozaw=z9H4wOQg5N`Naz}xIh-0uDjgy8ba;bC*a{d9ILNBMG~zIY?G{)}a*Qkw5Fv2iZWR)QL7@I8`~Qf6fUv z^V1SX#cB`j> 
z7?^KTxUFChmIo#Oe|A37bgn$I)z7jOUaDW&bGWWjTP9GA#-BYT<6Xk&;iJ<0^09nJ ztVa5g^H&E8dGSb(4Kv%-N3qBwkmNN?b<1H9j^s?z*e(I*OoRCWfroR53H-O+jyu^T z_*l6n-{j*4G3CR*W%6KV^GSOR#R6s{=py#moL(;tF(-YX)2U?_k|DXPLQDg1>vW7z zepxjh`=CPTZ9?JE&yV;s{QrRVgu}6n9WVfI! z*?&=&rQ-}PDlGC6AgZ5xouQKtBys`_^Cs}cEIt~A9h6U>b>szn2;duA)dxn%+6*4} z(=LD0bPMZzx)XK_X#HJnf0tfT{JHyVJsA8drD~mullLFj0BvO{uABh{eL|6QhCU^~ zK7z0@l?q)vw=YF^ABvluE7mKku9nMP1;{Q)B|FMQduMjTaLy-&Ge-KMW9n^_MH543 zvCFSw?yAv(%Tnplq_49b+7_yG16u<`9O@qy;ZBLz%cwIv3KEV2fy0CN+bcOh?f$5Q z9!|XI!&wGOpE<>P^9u;S9>sIlL(G-AnWPM2=`EI_27X2UP=Gz;HS}Gr>L^`f4L7r1 z=N)|*C&WWKrEg5Rm!i7ocx_Ph`1Z4fzKrsW^l203CN z^0>Q~ct+9=hF$q*duRMy)zZ-luz3EM8iRGL${H<^76z1<`SkP5T_0u(Uv^gtOg75^GWHpBO8j$9aAslXEMn>;EmrJ z)5jg}lp=F_L2Nq|{+|2k`^^G)n~e>W!v+jlrj8Nl>kYo;CCjyI zj+SwvO*7dxp_T(%r3F)wf~i=6Za+5%O;QmJ}-4uX&VB_&(l&2pR^qr2lI0Wa%C0)eTT`@^nB{+b1OlAtK*(;OPPuT-fwFV z^DR1?@cKTPKIrmoXJSCq!VmB~BXRS&2ePd|?gwajBW@)SBC0DT`pi!Nvu}xg2s}QwCPC z=0^=yv+1y0PT{R}A{L2L7P7wQg)?}^>#lo+lOig5V?nTq(zMPHpN@r|WE(W6{)#VQ z3LoVRxVP5h(UxR5D1kJzlFeeX>zJIF`bW)&Vu z(x!Xd-Ukcb`F$m)_5a+v(!`)h2mi&m5noRaGc;|#ust*Q-W)G~c0{O%^ZUnd=(EEV zSpfHHi^zfUoYP*=4SBkRTc?lPgLMPu2KML3-W8<`c5ZZNY(xUPUScbOIkUP`V7t?n zA?{yXEBwO}Mg;Tn_z!a;dt$2)Inrll8&6J=V(*|HBc!w^Nuk!$7;+s%ol-8hcPYmf z9_rYw87z20FDEU9oGATJI|1CX*62S^_qnRv;5RcNjRjwlj4MU}v-GAm_ctL(y{<^d#oXak{D zW&3%LaN;%c8v7uL@(n*Unvp_C84!MGPx@xG{;ZPF^>Z6urBHn~7Y?NJMjm zAj&KgA+Z1Q-WfRP_^*9iG?#nolCQy$r!23bVE2V{RQkYD=LJ`#F5j7DI~RjDnzs*cEja2RoBC zBtPZs29);GEZ`JV0GqFAL$qo@Hg-VOUDBF6=f|bg`F`Z81fBY>=6SO+Sc`!6Lk{Px48LmZQ2FK#4+VnwNo;WU zx4om&+2=({PFPc$3?BbUL+0huw*2pfcFMsqF+}1nnwkgQW3TEr9!;q?A$g>y^J;IN zYieUmPVTBX50#n=;&+f1^!oyxdcJlKPM-alg9Tm*4-}_GjNtzd@+?rXIGSUW;v{D} zPEAkfupA@RX)PufgA2l>-;e#3Pt~j9Rm6B8U=mv|txmqOsUdvjVbJzu^|4wxaJcmFhxrh6}06m`VEJ|0= z&>icnhUPdg_BKm`PR@LZ$sQc$Iz%;EgnRxQRLEta*5@&aIHxV*@U^&_Fe zdQQK36KIVa7B5CqBs|x5=$`)$Jds&|c-X>7ByK|s9T`cQ}3mPgJv*Yzbz$@!xKpH@ycUCY6sXe$ba zL*UuTg<&$Q@!R0N?t?OLUq)Ln>wfTr4)of+bn{!6@< zwaYY`((mfhGbXtvBetR6cf3w`j<*a>N<_s;aX~as@vzrLjnf&hhSe_{v{GEE?5$Ie 
zZmtrp6f!$!(*$BjHX-Pn{`!ZZ3zr;lX5Ec~M*^?Ox9v9@PU9WEfhwcppjRRdT|`6f z{*UG2yIHFpSQ-Xt!#3PJJ_b5nBzD}p4)oa{5_ewJo1owgVGB(qT1^!PKgjO=sEy0< zHqWfDT7^kO)Z;Fz_RJtu!Enr<$2?7>6=*l>d0Rby7JZ^)kQxx1^ZtG$ zW^ghw;ZqSJd-QCNEoPXm*>!Ww{vmZp?hJPq*(b#24n1*~iwQPD4=C!&U+s*EEMEWt zn9aER{|FZMNGIbiLe+x<*!c{ZDitIYMTTHCP_i!!CE|{8(i!KBWX@=Z_hlZeKPPEj zG1_tJ>qVxtF01`&q_bxgChy|m$a-OQ5)i5UC~??3#f zIp3|s`jYq3rZ#%Q2@`)^2XwM;Zd{D|XQ>MX2S%4_iCb=YA%ttu;sJ)+#5?muY zDfN*ReWxo6{v{$L1KI>%XMF}MJ8!!!gHz{#O6x09(^Y+u#i008A6XKK1VY67mX{6U zmz$rL4V#5%H$^>DZhOrP?&E$FR<={P;ZVdIM6w^kky{x32m`k|iK=1sSXB|A{Vb*oRBcu$k{Pv!=fQwNB{=@=LS&wS?-gv1Pb|;@psa9JIH;%0npBP#i1vjt+gBvVm6(K)IUnbEz?G$4DN$W!c@@(ZE zu&O<9PJ<{4VV^D;=q4N&Ohcy_!E4UIM8x&N!MY_R{EXFnEv>l%*<^p4d^`?rK9s7~ zq&McNoyYL(aU-%O0Ui@;AIDt8F#J|Dl{P={0MqeR1iDk48MZwEM79G<&+Q2dTZ14O GLEU4vIK8m| diff --git a/nixos/hosts/canigou/services/miniflux.nix b/nixos/hosts/canigou/services/miniflux.nix deleted file mode 100644 index 0edd3b4..0000000 --- a/nixos/hosts/canigou/services/miniflux.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config, pkgs, ... }: - -let - port = 33001; - addr = "0.0.0.0:${toString port}"; -in -{ - services.miniflux = { - enable = true; - package = pkgs.unstable.miniflux; - adminCredentialsFile = config.age.secrets.miniflux-admin-credentials.path; - config = { - LISTEN_ADDR = addr; - }; - }; - - age.secrets.miniflux-admin-credentials.file = ../../../../secrets/miniflux-admin-credentials.age; - - networking.firewall.allowedTCPPorts = [ port ]; -} diff --git a/nixos/hosts/canigou/services/telegram-bot.nix b/nixos/hosts/canigou/services/telegram-bot.nix deleted file mode 100644 index 5813a9c..0000000 --- a/nixos/hosts/canigou/services/telegram-bot.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, ... }: - -{ - services.yandexgpt_telegram_bot = { - enabled = true; - environmentFile = config.age.secrets.yandexgpt-tg-bot-env.path; - }; - - age.secrets.yandexgpt-tg-bot-env = { - file = ../../../../secrets/yandexgpt-tg-bot-env.age; - }; -} 
diff --git a/nixos/hosts/default.nix b/nixos/hosts/default.nix index c705064..7e60c01 100644 --- a/nixos/hosts/default.nix +++ b/nixos/hosts/default.nix @@ -55,27 +55,6 @@ in }; }; - magenta = { - system = "x86_64-linux"; - - targetHost = (import ./magenta/data.secret.nix).addr; - - extraModules = [ - inputs.mailserver.nixosModule - ../modules/docker-stack.nix - ]; - }; - - canigou = { - system = "x86_64-linux"; - - extraModules = [ - yagpt_tg_bot.default - ]; - - targetHost = (import ./canigou/data.secret.nix).addr; - }; - istal = { system = "x86_64-linux"; diff --git a/nixos/hosts/magenta/data.secret.nix b/nixos/hosts/magenta/data.secret.nix deleted file mode 100644 index e85018391743cf51cd7fc80f5dcda345506574bd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 52 zcmZQ@_Y83kiVO&0NaMU=oWA>Gy-?z%9#8k==xL(f`s^hVhv_%`Qi&KoZM-*5)Hh=OQfv zvqAQLLaQW1+{$NO5u`8}%Pf|;qyVt&D9*(c0@OR?NjkTrPg@qu70#qYMadRO-977i zlQNg3Qu$V081zyzd|DL`gvku3D4;{sgK>fP;8&Or2w_kooi7Kbso+b={MCJ;$c43D703kcP|-;P<@}M+WkCUC|zW*8;wrwq;yETuZAdq63($M|n{ZR&~xqd`))yM3jSE$0|&nU2U(wCN%GNK~2~ym3eabayoMhkiX& z1y0O=cz<|hX-Q*bWs@uhB^Sjpt^A-4bP>1hx^FlaCf9Nc6m>IfA&b@~U5vxUcgb99 z&ENvMo``qOtGm#()?#Z@9+ju%mC5p8Yx3qTx zKY|>bM~OF77YP2t)1F(YOxc=B z!3r=|eG$(?FP_#Q9rlVZmd!uUYifj5u&u&FzktYqn*cp)N7RuLzM5@rYj&+dm_M{N zTvG@hJFY7J*OWFn5nb@GmBZ+xYN-ryE1?~*5sq;-EFGz1hC`&xD2B2$UPZ4O-4-~_ z?p0veH8hqfJU@TZ=XtTqVyMy8_{ZjV<=zO9r>fi^@aTB?H(K0~c@TJ_0{vZfg*v-d E`k{uZS^xk5 diff --git a/nixos/hosts/magenta/services/gitea.nix b/nixos/hosts/magenta/services/gitea.nix deleted file mode 100644 index 8dd2f1c..0000000 --- a/nixos/hosts/magenta/services/gitea.nix +++ /dev/null 
@@ -1,152 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
- hostname = "git.pleshevski.ru";
- httpPort = 9901;
-
- giteaCfg = config.services.gitea;
-
- robotsTxt = pkgs.writeText "robots.txt" ''
- User-agent: *
- Disallow: /github
- Disallow: /external
- '';
-in
-{
- services.postgresql.package = pkgs.postgresql_14;
-
- services.gitea = {
- enable = true;
- package = pkgs.unstable.gitea;
- appName = "Pleshevskiy's Gitea";
- mailerPasswordFile = config.age.secrets.gitea-smtp-passfile.path;
- database = {
- type = "postgres";
- host = "/run/postgresql";
- port = config.services.postgresql.port;
- };
- lfs.enable = true;
- extraConfig = ''
- [DEFAULT]
- WORK_PATH = ${giteaCfg.stateDir}
- '';
- settings = {
- log = {
- LEVEL = "Info";
- ENABLE_SSH_LOG = true;
- };
- database = {
- CHARSET = "utf8";
- LOG_SQL = false;
- };
- server = {
- DOMAIN = hostname;
- HTTP_PORT = httpPort;
- ROOT_URL = "https://${hostname}";
- LANDING_PAGE = "explore";
- };
- service = {
- ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
- DEFAULT_KEEP_EMAIL_PRIVATE = false;
- DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
- DEFAULT_ENABLE_TIMETRACKING = true;
- DEFAULT_ENABLE_DEPENDENCIES = false;
- DISABLE_REGISTRATION = true;
- ENABLE_NOTIFY_MAIL = false;
- ENABLE_CAPTCHA = false;
- ENABLE_TIMETRACKING = false;
- REQUIRE_SIGNIN_VIEW = false;
- REGISTER_EMAIL_CONFIRM = false;
- NO_REPLY_ADDRESS = "noreply.pleshevski.ru";
- };
- repository = {
- DISABLE_MIGRATIONS = false;
- DISABLE_HTTP_GIT = false;
- DISABLE_STARS = false;
- DEFAULT_BRANCH = "main";
- DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = false;
- };
- "repository.local" = {
- LOCAL_COPY_PATH = "${giteaCfg.stateDir}/tmp/local-repo";
- };
- "repository.upload" = {
- TEMP_PATH = "${giteaCfg.stateDir}/uploads";
- ALLOWED_TYPES = "image/*";
- };
- "repository.pull-request" = {
- WORK_IN_PROGRESS_PREFIXES = "Draft:,[Draft]:,WIP:,[WIP]:";
- DEFAULT_MERGE_STYLE = "rebase";
- POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES = true;
- };
- indexer = {
- ISSUE_INDEXER_PATH = "${giteaCfg.stateDir}/indexers/issues.bleve";
- };
- sessions = {
- PROVIDER = "file";
- PROVIDER_CONFIG = "${giteaCfg.stateDir}/sessions";
- };
- picture = {
- AVATAR_UPLOAD_PATH = "${giteaCfg.stateDir}/avatars";
- REPOSITORY_AVATAR_UPLOAD_PATH = "${giteaCfg.stateDir}/repo-avatars";
- DISABLE_GRAVATAR = false;
- ENABLE_FEDERATED_AVATAR = true;
- };
- attachment = {
- PATH = "${giteaCfg.stateDir}/attachments";
- };
- mailer = {
- ENABLED = true;
- MAILER_TYPE = "smtp";
- SMTP_ADDR = "mail.pleshevski.ru";
- SMTP_PORT = 465;
- USER = "gitea@pleshevski.ru";
- FROM = "\"${giteaCfg.appName}\" ";
- };
- openid = {
- ENABLE_OPENID_SIGNIN = true;
- ENABLE_OPENID_SIGNUP = false;
- };
- # Don't check for new Gitea versions
- "cron.update_checker".ENABLED = false;
- };
- };
-
- systemd.services.gitea.preStart = lib.mkAfter ''
- cp -f ${robotsTxt} ${giteaCfg.stateDir}/custom/robots.txt
- '';
-
- services.traefik.dynamicConfigOptions.http = {
- routers.to_gitea = {
- rule = "Host(`${hostname}`)";
- entryPoints = [ "https" ];
- tls.certResolver = "le";
- service = "gitea";
- };
- services.gitea = {
- loadBalancer.servers = [
- { url = "http://host.docker.internal:${toString httpPort}"; }
- ];
- };
- };
-
- age.secrets.gitea-smtp-passfile = {
- file = ../../../../secrets/gitea-smtp-passfile.age;
- owner = giteaCfg.user;
- group = "gitea";
- };
-
- services.fail2ban.jails.gitea = ''
- enabled = true
- filter = gitea
- findtime = 3600
- bantime = 900
- action = iptables-allports
- '';
-
- environment.etc."fail2ban/filter.d/gitea.conf".text = ''
- [Definition]
- failregex = .*Failed authentication attempt for .* from
- ignoreregex =
- journalmatch = _SYSTEMD_UNIT=gitea.service
- '';
-}
diff --git a/nixos/hosts/magenta/services/mailserver-accounts.secret.nix b/nixos/hosts/magenta/services/mailserver-accounts.secret.nix deleted file mode 100644 index 30edc70e36b20c4b0c8b89b617342df4c610e804..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2944 zcmV-`3xD(gM@dveQdv+`0867fgrzKxu#)G@5~J0wO&>b}4kgEi8NzswInD z-a!c=ukX*ZCc0pt^b85;wx}%NQe{>71&mlUA8xjH*-Vq0`P%t*A9V0*9hh)Alg-V;H;sf@?J^2Pe7`D=kc zuP3eB*7n%u##~nk_{BN3P0!y7J;)K~=>lyW=&Iy6{D}$B@qC;?YVP%YKpdHzz0yJ%v4KGI@YH0e z32Na2XI6R-Q~jRH{v;NUsp~)O9f$KbsoW*DFLdwVbIFMaj3z;&^<4XD8S=%jgaCUr zhfr{#N!jyk5y34w5{yvj!$k}!a*tQsQ4yuQd>UTi!fdz3Bogtb>0@hLFPzmv zR8v@!C>dLf2R9_HMe5pUsln;b{xY0xztgv&pE-52)XiKQ<^V940d4PKkaI>BRa5*N zMi&$76N9f2oWD{^;M?Kqq1>PEP$AXCpA~P>hdt(^N4?^-hwrnPM58$=Q+pNtL=U|VERX37)WmREEt&w#CnS#t9=+|NvX?|o6Z$z1ILqa2Tp$bU>!9l98S$6*2 zIb}Mz&L%=yOhJ;9=MAbN&{z_-fl|N)Q~(gvj?##nS}|nkLh+JVT9-|RN&zJhe2y+1 zHW>ALw;L9W=^;4en^WsWx}sHj`TFA(P%Yr7^@#wy*L}$MN$Pi5b1iNwUe6gnTsUq~ z1qKs$b5V9catsZjk)KK+>EFM8Bn|Al%<1K6Vh4y~KLJyV)b*xhH&9$|lzU(W-}3jG zvG$&GZ1o{6#lKIjPhu0*#%a7!uaga*1*3Ss_WzfZ?y|GN z$W?Jl65H42&e4+G=k=512UhKj6D@(jO$cjWU2TTfz|Uy=V<1>SorN*6(iePioZ?$# zhDl-GwrNVMD8&w=>`n7tMcKVCel>uk>`XTPk8hGO&1x1Ut{CMqZ+;_A+x~x1iQK$@ z-xb({>;Cg@54dn10y4(%$7pEwyf2)<+B5}JEEqS-+f$NRW z)?ShhY)L2MCdx=Fqbhiml)S*qw>(LO1-kM&)Z`&Krur$L#gAs#ASK95vPsEzBUp0r z7BB~{P9K7GxaI-qoEhqVwbNV?WZu-s8cPt;0&5hMp|hSk{R?DB9Oj1LqNVaP-9pWK zI){NCl{MPHT^Xn2lDZ*QPWMJNtK_X|it>x#3Pd6-C>WA^yg|Q?~w6^U{ z!1P5E{%`ot!&o8(JmICqiIIWR0@rI|m;3gnQ0O+1T|7TV($<-1l?bpQT3`KXqSj!i zaiJOH4dOnOr@DR@s(e}CKSI=99;WT>B`vDthF{Fp_~FMoF6QX`aiptnWAWJADFS&Y zA+4ClBFpn0p9rflak#D%TmEykltr*1x(oRIT<%{`cHitW=RzK)Kqn%d<=k1frbD;P zU%N3I0vmmZbK)E0wsKM!nEYH<^jE5Qm8J_m2NzS%Dgg$5NT9H?XHezeNq~R8HzzDP z4!`dRun?rzif(7;;&yQHpedW!ZR zj5BF1RZha>UE4Fjm7#?CG?j*Vgeh8kI)1Pu7|%9$8CpDIn++jEiYD%p|1?p zjr5Ah9P#C(nKLHB;z{Aba93D00kDX^alEi6n4qT?CC=7U)OiBKj3U0?sY2$ z{fDx1*BL(fIo%Xa#Dpnid3O5GmJZtw_4-V%#)+q=*EFu@WKIX&KN$_oxOyZO~|r4C>8ts(@nYRdyYqw-x=0wFRke%J0sbR5WFE|VKR 
z6uGZNy!iDw7Na+^wJ-_QgO2aJybr*8^(2DUf~Q`Z<`uy?WKt~af5rWNl3q@&1`J#9 q5hwizTpSabO`Ikc9%Y!kq|#t@Gg7Jb4F_VIu>~9r83KqZL4e&RXsML| diff --git a/nixos/hosts/magenta/services/mailserver.nix b/nixos/hosts/magenta/services/mailserver.nix deleted file mode 100644 index de53ed3..0000000 --- a/nixos/hosts/magenta/services/mailserver.nix +++ /dev/null 
@@ -1,73 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- cfg = config.mailserver;
-
- certsDir = "/var/certs";
-
- # Extracting a Certificate from Traefik`s acme.json
- # Source: https://www.zdyn.net/docker/2022/02/04/acme-certificate.html
- dumpTraefikMailCerts = pkgs.writeScript "dump-mail-certs" ''
- #!/bin/sh
- mkdir -p $(dirname "${cfg.certificateFile}") $(dirname "${cfg.keyFile}")
- ${pkgs.jq}/bin/jq -r '.le.Certificates[] | select(.domain.main=="${cfg.fqdn}") | .certificate' /var/lib/traefik/acme.json | base64 -d > ${cfg.certificateFile}
- ${pkgs.jq}/bin/jq -r '.le.Certificates[] | select(.domain.main=="${cfg.fqdn}") | .key' /var/lib/traefik/acme.json | base64 -d > ${cfg.keyFile}
- systemctl restart dovecot2.service
- '';
-
-in
-{
- imports = [ ./mailserver-accounts.secret.nix ];
-
- # See: https://nixos-mailserver.readthedocs.io/en/latest/options.html
- mailserver = {
- enable = true;
-
- # We use traefik to generate certificates
- certificateScheme = 1;
- certificateFile = "${certsDir}/cert-${cfg.fqdn}.pem";
- keyFile = "${certsDir}/key-${cfg.fqdn}.pem";
-
- hierarchySeparator = "/";
- };
-
- services.traefik.dynamicConfigOptions.http = {
- routers.mailserver_acme = {
- rule = "Host(`${cfg.fqdn}`)";
- entryPoints = [ "http" ];
- tls = {
- certResolver = "le";
- domains = [
- {
- main = cfg.fqdn;
- sans = cfg.domains;
- }
- ];
- };
- service = "noop@internal";
- };
- };
-
- systemd = {
- # Watch traefik`s acme.json to update certs in /var/certs
- # Source: https://superuser.com/questions/1171751/restart-systemd-service-automatically-whenever-a-directory-changes-any-file-ins
- services.dump-traefik-mail-cert = {
- unitConfig = {
- Description = "Restart mail cert service";
- After = [ "network.target" ];
- };
-
- serviceConfig = {
- Type = "oneshot";
- ExecStart = "${dumpTraefikMailCerts}";
- };
-
- wantedBy = [ "multi-user.target" ];
- };
-
- paths.dump-traefik-mail-cert = {
- wantedBy = [ "multi-user.target" ];
- pathConfig.PathChanged = "/var/lib/traefik/acme.json";
- };
- };
-}
diff --git a/nixos/hosts/magenta/services/traefik.nix b/nixos/hosts/magenta/services/traefik.nix
deleted file mode 100644
index 44e03c8..0000000
--- a/nixos/hosts/magenta/services/traefik.nix
+++ /dev/null
@@ -1,133 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- magentaData = import ../data.secret.nix;
-
- dataDir = "/var/lib/traefik";
-
- traefikCfg = config.services.traefik;
-
- user = "traefik";
- group = "traefik";
-
- dynamicConfigFile = pkgs.runCommand "config.toml"
- {
- buildInputs = [ pkgs.remarshal ];
- preferLocalBuild = true;
- }
- ''
- remarshal -if json -of toml \
- < ${pkgs.writeText "dynamic_config.json" (builtins.toJSON traefikCfg.dynamicConfigOptions)} \
- > $out
- '';
-
- staticConfigFile = pkgs.runCommand "config.toml"
- {
- buildInputs = [ pkgs.remarshal ];
- preferLocalBuild = true;
- }
- ''
- remarshal -if json -of toml \
- < ${
- pkgs.writeText "static_config.json" (builtins.toJSON
- (lib.recursiveUpdate traefikCfg.staticConfigOptions {
- providers.file.filename = "${dynamicConfigFile}";
- }))
- } \
- > $out
- '';
-
- mirrorVolume = path: "${path}:${path}";
-in
-{
- networking.firewall.allowedTCPPorts = [ 80 443 8080 ];
-
- users.users.${user} = {
- isSystemUser = true;
- createHome = true;
- home = dataDir;
- inherit group;
- };
- users.groups.${group} = { };
- users.groups.docker.members = [ user ];
-
- systemd.tmpfiles.rules = [ "d '${dataDir}' 0700 ${user} ${group} - -" ];
-
- age.secrets.traefik-dashboard-basicauth-users = {
- file = ../../../../secrets/traefik-dashboard-basicauth-users.age;
- owner = user;
- inherit group;
- };
-
- virtualisation.docker.stacks.traefik = {
- networks.traefik_public.external = true;
- services.traefik = {
- image = "traefik:v2.9";
- command = [
- "--configFile=${staticConfigFile}"
- ];
- ports = [
- "80:80"
- "443:443"
- "8080:8080"
- ];
- extra_hosts = [ "host.docker.internal:host-gateway" ];
- networks = [ "traefik_public" ];
- volumes = [
- "${mirrorVolume "/var/run/docker.sock"}:ro"
- "${mirrorVolume dataDir}"
- "${mirrorVolume staticConfigFile}:ro"
- "${mirrorVolume dynamicConfigFile}:ro"
- "${mirrorVolume config.age.secrets.traefik-dashboard-basicauth-users.path}:ro"
- ];
- deploy = {
- placement.constraints = [ "node.role==manager" ];
- update_config.order = "start-first";
- };
- };
- };
-
- services.traefik = {
- staticConfigOptions = {
- entryPoints = {
- http = {
- address = ":80";
- http.redirections.entryPoint = {
- to = "https";
- scheme = "https";
- };
- };
- https.address = ":443";
- dashboard.address = ":8080";
- };
- api = { };
- log = { };
- accessLog = { };
- certificatesResolvers.le.acme = {
- storage = "${dataDir}/acme.json";
- email = "dmitriy@pleshevski.ru";
- tlschallenge = true;
- };
- providers.docker = {
- network = "traefik_public";
- constraints = "Label(`traefik.constraint-label`, `${config.networking.hostName}_public`)";
- exposedByDefault = false;
- swarmMode = true;
- };
- };
-
- dynamicConfigOptions.http = {
- routers.to_traefik_dashboard = {
- rule = "Host(`${magentaData.addr}`)";
- entryPoints = [ "dashboard" ];
- middlewares = [ "traefik_dashboard_auth" ];
- service = "api@internal";
- };
- middlewares = {
- traefik_dashboard_auth.basicAuth = {
- usersFile = config.age.secrets.traefik-dashboard-basicauth-users.path;
- };
- };
- };
- };
-}
diff --git a/nixos/hosts/magenta/services/woodpecker/agent-docker.nix b/nixos/hosts/magenta/services/woodpecker/agent-docker.nix
deleted file mode 100644
index 1f1d1d1..0000000
--- a/nixos/hosts/magenta/services/woodpecker/agent-docker.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ pkgs, config, ... }:
-
-let
- canigouData = import ../../data.secret.nix;
-
- data = import ./data.secret.nix;
- inherit (data) userAgent group grpcPort;
-
- dockerSockVolume = "/var/run/docker.sock:/var/run/docker.sock";
- dockerConfVolume = "${config.age.secrets.woodpecker-docker-config.path}:/root/.docker/config.json";
-in
-{
- systemd.services.woodpecker-agent = {
- enable = true;
- wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- restartIfChanged = true;
- serviceConfig = {
- EnvironmentFile = [
- config.age.secrets.woodpecker-common-env.path
- ];
- Environment = [
- "WOODPECKER_DEBUG_PRETTY=true"
- "WOODPECKER_LOG_LEVEL=trace"
- "WOODPECKER_SERVER=${canigouData.addr}:${toString grpcPort}"
- "WOODPECKER_MAX_WORKFLOWS=2"
- "WOODPECKER_BACKEND=docker"
- "WOODPECKER_BACKEND_DOCKER_VOLUMES=${dockerSockVolume},${dockerConfVolume}"
- ];
- ExecStart = "${pkgs.unstable.woodpecker-agent}/bin/woodpecker-agent";
- User = userAgent;
- Group = group;
- };
- };
-}
diff --git a/nixos/hosts/magenta/services/woodpecker/common.nix b/nixos/hosts/magenta/services/woodpecker/common.nix
deleted file mode 100644
index e98720a..0000000
--- a/nixos/hosts/magenta/services/woodpecker/common.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-let
- data = import ./data.secret.nix;
- inherit (data) userServer userAgent group;
-in
-{
- users.groups.${group} = { };
-
- users.users.${userServer} = {
- description = "Woodpecker CI Server";
- isSystemUser = true;
- createHome = true;
- inherit group;
- };
-
- users.users.${userAgent} = {
- isSystemUser = true;
- inherit group;
- };
- users.groups.docker.members = [ userAgent userServer ];
-
- age.secrets.woodpecker-common-env.file = ../../../../../secrets/woodpecker-common-env.age;
- age.secrets.woodpecker-server-env.file = ../../../../../secrets/woodpecker-server-env.age;
- age.secrets.woodpecker-docker-config = {
- file = ../../../../../secrets/docker-config.json.age;
- mode = "440";
- inherit group;
- };
-}
diff --git a/nixos/hosts/magenta/services/woodpecker/data.secret.nix b/nixos/hosts/magenta/services/woodpecker/data.secret.nix deleted file mode 100644 index c86dcc92e392a8942ce2bf7dca410a35c4d51bc2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 220 zcmV<203-hZM@dveQdv+`0Dz`=_h;V5@=vR&sXVfsVemPcUqrX~;Q?@zM11;jpMG!Z z0E!4J1u1q7TuS|!UqgSwvg;Vihq9_L@m%qXt|Zl7SDlP&A(@7Q;}%9$lJqjwQJAxw z;@Z1fhLEh_3geK#r?5~E3Qa#iq?w<73~w+::` - - `::` - - `:` - - `` - Both `hostPort` and `containerPort` can be specified as a range of - ports. When specifying ranges for both, the number of container - ports in the range must match the number of host ports in the - range. Example: `1234-1236:1234-1236/tcp` - When specifying a range for `hostPort` only, the `containerPort` - must *not* be a range. In this case, the container port is published - somewhere within the specified `hostPort` range. - Example: `1234-1236:1234/tcp` - Refer to the - [Docker engine documentation](https://docs.docker.com/engine/reference/run/#expose-incoming-ports) for full details. - ''; - example = literalExpression '' - [ - "8080:9000" - ] - ''; - }; - - volumes = mkOption { - type = types.listOf types.str; - default = [ ]; - description = lib.mdDoc '' - List of volumes to attach to this container. - Note that this is a list of `"src:dst"` strings to - allow for `src` to refer to `/nix/store` paths, which - would be difficult with an attribute set. There are - also a variety of mount options available as a third - field; please refer to the - [docker engine documentation](https://docs.docker.com/engine/reference/run/#volume-shared-filesystems) for details. 
- ''; - example = literalExpression '' - [ - "volume_name:/path/inside/container" - "/path/on/host:/path/inside/container" - ] - ''; - }; - - networks = mkOption { - type = types.listOf types.str; - default = [ ]; - description = lib.mdDoc "Networks to join."; - example = literalExpression '' - [ - "backend_internal" - "traefik_public" - ] - ''; - }; - - extra_hosts = mkOption { - type = types.listOf types.str; - default = [ ]; - description = lib.mdDoc "Add hostname mappings."; - example = literalExpression '' - [ - "host.docker.internal:host-gateway" - "otherhost:50.31.209.229" - ] - ''; - }; - - deploy = { - labels = mkOption { - default = [ ]; - type = types.listOf types.str; - description = lib.mdDoc "Specify labels for the service."; - example = literalExpression '' - [ - "com.example.description=This label will appear on the web service" - ] - ''; - }; - - placement = { - constraints = mkOption { - default = [ ]; - type = types.listOf types.str; - description = lib.mdDoc '' - You can limit the set of nodes where a task can be scheduled by defining constraint expressions. - Constraint expressions can either use a match (==) or exclude (!=) rule. - Multiple constraints find nodes that satisfy every expression (AND match). - ''; - example = literalExample '' - [ - "node.role==manager" - ]; - ''; - }; - }; - - update_config = { - order = mkOption { - default = "stop-first"; - type = types.str; - description = lib.mdDoc '' - Order of operations during updates. - - stop-first (old task is stopped before starting new one), - - start-first (new task is started first, and the running tasks briefly overlap) - - Note: Only supported for v3.4 and higher. - ''; - example = "start-first"; - }; - }; - }; - }; - }; - - networkOptions = { ... }: { - options = with lib; { - external = mkOption { - default = false; - type = types.nullOr types.bool; - description = lib.mdDoc '' - If set to true, specifies that this volume has been created outside of Compose. 
- The systemd service does not attempt to create it, and raises an error if it doesn’t exist. - ''; - example = "true"; - }; - }; - }; - - stackOptions = { ... }: { - options = with lib; { - version = mkOption { - type = types.str; - default = "3.8"; - }; - - services = mkOption { - default = { }; - type = types.attrsOf (types.submodule serviceOptions); - description = lib.mdDoc ""; - }; - - networks = mkOption { - default = { }; - type = types.attrsOf (types.submodule networkOptions); - description = lib.mdDoc ""; - }; - }; - }; - - mkComposeFile = stack: - pkgs.runCommand "compose.yml" - { - buildInputs = [ pkgs.remarshal ]; - preferLocalBuild = true; - } - '' - remarshal -if json -of yaml \ - < ${ pkgs.writeText "compose.json" (builtins.toJSON stack)} \ - > $out - ''; - - mkStackTimer = stackName: { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "5m"; - OnUnitActiveSec = "5m"; - Unit = "docker-stack-${stackName}.service"; - }; - }; - - mkStackService = stackName: stack: - let - escapedStackName = lib.escapeShellArg stackName; - composeFile = mkComposeFile stack; - in - { - description = "Deploy ${escapedStackName} stack"; - enable = true; - - after = [ "docker.service" "docker.socket" ]; - environment = proxyEnv; - - path = [ config.virtualisation.docker.package ]; - - script = lib.concatStringsSep " \\\n " ([ - "exec docker stack deploy" - "--compose-file=${composeFile}" - escapedStackName - ]); - - serviceConfig = { - Type = "oneshot"; - }; - }; -in - -{ - options.virtualisation.docker.stacks = with lib; mkOption { - default = { }; - type = types.attrsOf (types.submodule stackOptions); - description = lib.mdDoc "Docker stacks to deploy using systemd services."; - }; - - config = lib.mkIf (cfg.stacks != { }) { - systemd.timers = lib.mapAttrs' (n: v: lib.nameValuePair "docker-stack-${n}" (mkStackTimer n)) cfg.stacks; - systemd.services = lib.mapAttrs' (n: v: lib.nameValuePair "docker-stack-${n}" (mkStackService n v)) cfg.stacks; - - 
virtualisation.docker = {
- enable = true;
- liveRestore = false;
- };
- };
-
-}
diff --git a/nixos/modules/traefik.nix b/nixos/modules/traefik.nix
deleted file mode 100644
index 409f9a7..0000000
--- a/nixos/modules/traefik.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config, lib, ... }:
-
-let
- cfg = config.local.traefik;
-
- traefikCfg = config.services.traefik;
-in
-{
- options.local.traefik = with lib; {
- enable = mkEnableOption "Enable traefik service";
- dashboard = {
- enable = mkEnableOption "Enable traefik dashboard";
- host = mkOption {
- type = types.nullOr types.str;
- description = "Traefik dashboard host";
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- networking.firewall.allowedTCPPorts = [ 80 443 ] ++ lib.optional cfg.dashboard.enable 8080;
-
- services.traefik = {
- enable = true;
- staticConfigOptions = {
- entryPoints = {
- http = {
- address = ":80";
- http.redirections.entryPoint = {
- to = "https";
- scheme = "https";
- };
- };
- https.address = ":443";
- };
- log = { };
- accessLog = { };
- certificatesResolvers.le.acme = {
- storage = "${traefikCfg.dataDir}/acme.json";
- email = "dmitriy@pleshevski.ru";
- tlschallenge = true;
- };
- providers.docker = {
- network = "rp_public";
- constraints = "Label(`traefik.constraint-label`, `${config.networking.hostName}_public`)";
- exposedByDefault = false;
- swarmMode = true;
- };
- };
- } // lib.mkIf cfg.dashboard.enable {
- staticConfigOptions = {
- api = { };
- entryPoints.dashboard.address = ":8080";
- };
- dynamicConfigOptions.http = {
- routers.to_traefik_dashboard = {
- rule = "Host(`${cfg.dashboard.host}`)";
- entryPoints = [ "dashboard" ];
- middlewares = [ "traefik_dashboard_auth" ];
- service = "api@internal";
- };
- middlewares = {
- traefik_dashboard_auth.basicAuth = {
- usersFile = config.age.secrets.traefik-dashboard-basicauth-users.path;
- };
- };
- };
- };
- };
-}
diff --git a/nixos/shared/acme.nix b/nixos/shared/acme.nix
deleted file mode 100644
index 7c3e822..0000000
--- a/nixos/shared/acme.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ ... }:
-
-{
- security.acme = {
- acceptTerms = true;
- defaults.email = "dmitriy@pleshevski.ru";
- };
-}
diff --git a/nixos/shared/docker-swarm.nix b/nixos/shared/docker-swarm.nix
deleted file mode 100644
index 539c147..0000000
--- a/nixos/shared/docker-swarm.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ pkgs, ... }:
-
-{
- # Enable docker
- virtualisation.docker = {
- enable = true;
- liveRestore = false;
- package = pkgs.unstable.docker;
- };
- # Source: https://forums.docker.com/t/error-response-from-daemon-rpc-error-code-unavailable-desc-grpc-the-connection-is-unavailable/39066/12
- networking.firewall = {
- allowedTCPPorts = [ 2376 2377 7946 ];
- allowedUDPPorts = [ 7946 4789 ];
- trustedInterfaces = [ "docker0" "docker_gwbridge" ];
- };
-}
diff --git a/nixos/shared/networking.secret.nix b/nixos/shared/networking.secret.nix index 5cc35c02b03cd5a508ef3c15a9aa9d696d999583..36ec6e9a8b9c1fae08e5fc73a07d984a4507fbae 100644 GIT binary patch literal 368 zcmV-$0gwIwM@dveQdv+`0NOH^@oDWv2<4>rmc64jhB**(EVlNDcitrN7tF%IMoJZ* zOT=#@&GPTbhq2@^7Th3vkS%|HJKEC7qi}T`8RB&bD!|_!ieCA=3O3x088OWhN0E=b3ogtL@4;?!|7>A2a9Y?&Og7Tp2hr?&p_DH*P|=dhs;ASx3qL zJF%?ZuQoZAe1DT@6SecBLg?|x;;))jx$dejVMILBRCC|W2YY$A;-c@U3I82*B^OOt z&=PJ-e-ru?S(8=;*_l?lrZL+D9{1>1%;hJRjTFG85kq zn%)Aya21jqbJ!8}2vUT$qb1RL=jWBw&vWc0kdLpEy_u43K^ISK!pbeo*Ivs@miSZRmjk_HH literal 482 zcmV<80UiDTM@dveQdv+`0Hh~BUxgW-xcM{ra#x?2n%<2$ux9B3Y!vRcIV8irua9kk z0eNA7&Elg@G8PKJzVG2fiHMb!ORm5TYtrsL+|F>-*{rW#mUbO^n8@07alJeIO1`!K zSxqcpD=UnO-fGbNi7yX9+EKm8Tw1fJM?wbQnI%^wduhwj(CU*z*~s4HUD3A|-*MA~ z(M3XIzaJ)PNipnWf}|gEWfb4aIwHE0BCXuq^rI*gMfl(8Mz!I8favu4LEwjM3+ z3OvLEP!vF>+3yG0b;!iG(?tv;e=(SIN+wvmV&@}*;ipM(zh5(DSr|h4Ga=>{V!Xum zt}ql~Tlx}5uX;&Dig!H!5yO9YgwwZ(m`PKamtF5m7*V)Y3+TeNn5_bP-8|$nCNy)M z$VVC09TjkvIL0F#KuLP@K%OpnlDoAo-()@ Yt;B)NIx0zjzV~}yyEETcEjIPo5I#lkbAk5wGUD=BzI1fs+3)W=KX==PqQDF;o`E0)WHgG_?K(rh{{H z2Lwhe@!b6xX@_WEIQoPTQ+!uU`V>* zz*&S*p1U$`LTuxSVt2ygREQX@6v^~8wXBQM|G5W2XO5Zk$KIK6*{YnROAx1gas)x@ zXB&}Q=hhfua69)U&Sz}uJDeHd;-{ns3Lt%dw8T>3f!k^pF`4K? 
z%}-y_>49VtD96B_o-4UeBNk9yzTFlGGC%KJIBr7m>P(1IXjF?<*l_+@Y224_MdCJ} zdpF95HIP%xB|XGtaVC-1LILeAfk~)FE`Hps|Di8&yrM_>c|f2}<3L^^aHhGsmHW{8 zq97mT3_a4wGe+smYrgb7(xQmZBX!cAkqr--!ES6zJ^`AV*dJvwf*iWk8ch!|?>;lz z5r*<{0q}@0j5_xH(l#MLC^`hM163EAQ??@?iVS}n z@4s%bmcpLMQpBT_B;luUZ+fnCho&94Qolw0vo^Aub78LpE5h8{e~KO>?+1~4lN@T` z-%MYcYY9YcPPtyP_E>m&p8f<_rdE?K*<2lh&t-1tp50kTae^O%*HOhd6X%eHTntua z&xR}KL?%$F0MjRr>I$|BSt-8C7&-{}&&s%!SdT9BDl>G==0p`wdq3V@S1qlz{p7#n zR+MqUGXS3OQeifZ3VpV>5LOVc#VLE1hdgu-YD^ox7D=&T4l_ZRT4DiPmcd#wo+2aT zJL36}07vA6)Yh}NgNf=`IVBE)~q&+;r zlxJVGr%HIfI(mwJR47BJJY|a|^suQR6=WsHK6+2O$)9(nPcihAMC)zaOFD}}fnnkM z5L(F52=Ob?Rv)0IgNTbbQ603HEs_3 zx6a(ivc`kQy9;&Tz|;kMyIiQ~6ponCB@O5PiqMr9Ydx1A|DT)r(x2|~{*k})Juc-(LmVj~5LkbY}4Y1VI?@oOUxW@TAsSdVA1gUH8n$P{Mu>2RU z0CG;Jh&*zg`gJt9R>blStAgo8(86fiu#vR9NCN3i`-}Gt;T9ns%dxOvK0o&Mu6%vw z>-mD=et61s`V|Fjk7=o{l$%WCt?dz`Cq`t;KWlhEyz0<_fNW!L=)iRqH6Ya<0K zeV&(!8IcW-Wpe@J!9iI!1u+_#q`){zwwV!U|D)CSk@tR;NU3u`R4BUxH1M(DgrN4n_ mQ0!6rv`KfYh+n<@FdEMAxrR>ow%#r2VF|4aQWPbY5_3v;iYA|!tu*&o_o5j=)k2K z14O%nNvj7w5p#M6sjaoP`h^{m{8u|R8y~y{A!CC8(1aySq|KlRsKlQzXf3A!UOu{O z8Dlckf#@k;lwp!b-w>ljfS#r&MV$bO=QAmj27Dl@E^mN)La_QU4c}kGodh+Dgpvpv{w> zBH!@jAn4c2N~38~xt+Fl@Y2gWpkbL-Iwi+X>TV0r5LVEKA%8S3Z^I(qxj~BW80i08 z4zYr^nSn4zo~J^m=Z2z6xbAu&2AR70`*RJdTI&39Ky)9BCqV=nb-t21PclZ-CXuVs z&6;9s6o*YX5=XMLgql8<37up9HK!4bx%hLiFd#&A7MUOWPMNls^i48kPg6N(q6(!? z$F?&RJk`@RS4Y$55sK{<2-G=(kN=aGok%qb(kbX?sa=qpT# zA9DiQbG@nLq9mxMusO}%HHr7T&d~1pRCZ-T64bTN?AlJ~KJDd9W2N4r@4#T@L@Cay z4;VZ7l34`05ZhG1i*0+&uTW@9z}x?Fw*QGu36ugoPmfWuHYR66O=P#rqtx-(m(}AI zvqeROsKYY~qbt$iVl>O2!k^eceS`*md;7tgs`ICdzx!O>Y!=&(^sZD<{-1Pikv>KX45flwc92Mk7|(* zVOsrW8x6WzN%?2FR4hN|-m1cWKe&sKMKUPNm7~Ej~?1z7nQUcB2Z&229Vaj zBwg#&%m98g{5N>6zD9I#EDigyQ*}eP71dh+mZ_PXY6hT-B)gN!iYXLd^E@lr5%*bg z3JDAQv^8I&Nl9$QFt<4QJ48}~Hg2~caY&!@*44v48#~$Ra}c9)>W+#u>P^N{;oKr~ z0}dlHnG_h4$Ew_ecQt*6%eh?gfj*Ayn{U;FDmmU@GRkDnX~M@P&$ZHF0M|IgSY(Jh z8%_g)dJ!K5MWoXpToO-_=P?t>H2l=O{vOpG SvC(?bbrOn5eCD$yK{oqvDZb+X 
diff --git a/secrets/mailserver-users-family-passfile.age b/secrets/mailserver-users-family-passfile.age deleted file mode 100644 index 192e765f64b98ed26d3b0f0c5da4188c0dfe348a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1417 zcmV;41$O!XM@dveQdv+`0J98F=(XO!sZ*)u!kxg~9jNqZJ0)r8))sVY)k&<;YEvyI zJ+sw(#ged=0uP@YOerM_Q^IlGjHs=-=T~gfWy4NurhIUS3N72BJSz${)oh$U=&pEx+@bs%hVy&lM*E3>nfg)N;qTL&7kt*yg+BK*3=DA2gRFR^jzYXLb*m|LnkIQJ zi}3tAeRb`Tp-pWWP|mgmtIL^WtE3JHH&UByW6n8+uaqx2Qa!04+hefS@ul0;%Amyz z`aGG)cj6vXp=DVZAN_uSzHvS@&=%cf9mtogQ}I7IY96AIA$;rr6GqKD8pt2dje z=I3_j$&?MhMe_~l3eVH6Z#hnc*Pknr{clpFk@2Qnm zZ;i9LaGRF8f@jHICEZKB#nQxM6W?39+Jemr(xotDD>sqK0!bs7`NwpPk6}KyR=AWr zx%g=TQXNGPNjC~z813Ou$D{9~m733vgh*rwa{Ac;CN9Z}b^hjR zwsrS?X^VHVT9{z*xO^G>myVCVv7P4#PFTE15R==UU&<+cwXHmw7mj`dwm}epn^|;I zaD&8ET%Yw-B^L0MuNKAOP(HNzx?#!JaR2tT%G%8*&Q4|SW2veh`C1z0)l~j`=AL!Z z?*uFC+OPEeBg}>Cc%9*EnM7CBP*Z6$&F(;qU_HENFaDaCGS6I*jD;f1{dD|Oc3K(O z46)F^b|(O0<_cXV*yjO1m0(ly^$cYe7V13(6d8w@9DZaN`rB3UThm<|c+ev^3t?~3 z#gs8TXp3m_vk%_e5)R!5s zZp^EhLcstDMjE0|wPqcCg_@6=#~8n@(pf0QdMHz8E}$@bhndT)1--pJVGAFszKz?S zB?Wx)NRSPb+Dbv2AfIIk4)MIW%LC95Q+GmRAH)5H(BwaN*H(ggcq=lrJ^MIsP5_tE zv}>z-LVIQ#Un$5s635PYMFPkalHXiDL)a(Ib*K)JbXM8Dt?*%UaoUcU$n!A z9kIiGwR-d~NEBDiZ@vA55p>bi4B4dSB4!QA9;XvX@gq!m#1PpJYbPFR2F8?wWlvoNIrxeQw>3*+>9g*B_4w- zEcXeD9Fg!5xW=rq6IKQ808f3W!a{>0M-Axby*8&*yeoaLy@qvpotN)I7tlkogiJxQ zT>iWEP%T&&r<)&_4yFe67yfj$S{&{x;3n@;J|-TPjH*2rTq$(P!0MIwED%Kiu|4JA zXp&T-Y_HANhAPeh!&FJrW6+AKJR3ec&i_xRe1yJ$CXU$)f6_1Ai(X`I(rHXMs$}Hm X>Qi`ceswaniHKqTU9ckJ)rFm#Aji9# 
diff --git a/secrets/mailserver-users-gitea-passfile.age b/secrets/mailserver-users-gitea-passfile.age deleted file mode 100644 index a8304344c3cb22a902926920a1a36346503a46f4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1384 zcmV-u1(*5&M@dveQdv+`0F?=WwU-0ROhlu_9a*1D5?nTUe!V*3+x5L5A*RHSaQp~h zrdn0~K+i&M!(QMos<11W8%vUfM`jkv4l;x8eI{SkUsGX>oZueJ+Ry>PD|%l_!ks;J zE_QdJ@9C`K2&d>Qw!`D=W?cy=4d{>7CJgxIFz0&pbU9TU5ChuL>o*o_vHy;JFL5oG z;P=AD%*U8U9#-3j8O3P|m|&fmHL)A>}KuKg$o6Nx>4_IGtYo z7NRZDne0O2vMyjW4_+s#AKknuA)3u?MA90fsvaQ!>w<0^RVx4YLYyj?rx^o4{7gNy zj)>>w&0GA~erkp_Vrr~oWwCPCL`>%mLw*wL@jH%CP`F4CvV$UDkv<{4cs3H6&O1!f z+E1gjZWFPLPWv%Kg?gUtr{{L_1;(o{t)u}5zAowrA;+yRO8)@hrNlKVW}-L+Ue~W6^m$3>00bb?~r}^q5W>2H)P1gg3>fzi?Aw(#RugF z)!`Dm;eY6lGncYb#_=&rN79)c!~xLZuP**peHOpy$L7mPA8$*q8*ujyMP$!TpbON& z{{8~H^xN_u7@^pk2|wygDUT(o#u%p-T}){CA3G;6 z%;?qhVN7v1rzlbK3bR%I9BKFpj9sk$%FXI@RudL)Q82 zlol{v0q19Qe+3c;x|zKpd*IDbbN_TWjKerOBggs494;E1h+;66T#968{-F1EmVVyu z@p*8H@S&2yt1%9>ecNEkTT+)%(6J{6<`aDj7%l))94KO1!nz(~Kc#lM6{LAGaK*I5 z_Or4TcpsYM3A`(t#YkofkJhU?RRoMay_s@c*B({vU!724ntZl?;4FVapNI+U8z+F?nALyvX%kwLiIoAX9ctNvp_u-`m z@vlb1kL{9g!I@kDu4oeOzlg6y82|GQQ(6C)7h4W!48V`s#RAJ>*)40)@sZ08>m)hN z5nE~J&BHG`u&_OurP2ymJiCMkU%CRM!w!NIVf(nqntAR2IL=gQ(dA+9wR*LPTS=wT z({;Lx@ph~#2?%G8oeAzg{mSv)XM4e~8GDOth4twRdcON`jpwTEkKkuEs2Lu}x z`j6tQc=ydvk&RQ^msP8v>Pw3$iG(sysgK*foIDj;DQ#1faqjJA-#4jQ?HxXf2oRcJ zhC$&Tprr_seiIFV5H>HrQ%&6EST(T8#0%?E?d=c0TCL-c&jm0-1n!p~4I?ov`+x}nWt*XQ}T)f^Za-F9&9-CNi!7dgP}HDZ}OtR}>Cj3YU& zXUV!_cVUIZeAqhgz)n5%0x8ALY$euSEI~v^2M<#m*5Ub|lw}0rfr+f-h2=Obquye8 zeFjUMAVIpT2>Hn#7s`0{^)YJrQ^sM2HxP@1uitiB-@v0Xvgz>>0uCN6?UX-|&aTq{ zbt)Oi3HWf^w8WTmEEl%~(;IAg`APeG#n(Y{o2KmwDx~54DQ+4GMkmxrKFawCD4237 zu1nI`%PlOP>w?YH-N5(dgKN2?K{Q><=xF>9vLD+%mN?)BBI%MGO<_XL^g0%g zbta{PPoYzN*&sM6LY(%FO=+QqR3u5_Iu%EWU*ge1(hWULeH|rkY>Q zmlHs=l!EZ&TyW)7cy(x+;6LD>IWM>$5xko~ZdtR?6Hk(*6w@>6tImP)(D z*Ds)*@H0*jZT!glcc@rKHoJ4FXU$VG#;zBjizQ)T$e(|STq2=V&Q15&q~OrXN>6zF 
zmK%lwbjCgzS&oHRt#iI~{+J`J9N_>AzL1t#XKM?2&_@nLSzmCKS1cY5*jTebJ7?cs zyr=-B9FB+1&=xGbPPVDu+;(Rl#JyjLM;NV{cqDe*bO)|DrV*hV#F7BeqGe0#@Mob z_)*QAEUYE@-HP!x+42lX3=cHc=@2u1J}UyKaC2kRfcjcVCcl|$PE!mnlkS$kBEx)} zI_jvKv2a{@kX!ZuW}8BqtcUtb`v}IH{V`CrskCYzR2bQ?gnkQ~+IhTj16%*uG92pa zl6|9-f>?UzPJy)#cLOKh20a{XTVSaG{Yb@8&neH~j+C#dK$?>(1b<=$*KuI4-lHVw z0f39ZqPlYj{xICW-a$Dl$o2xscvm_p<#GIaQ00&al?O%1Il(tj>rTaXWdttxaAnK3?5wYMa|F&r;ilU&STPP;#67$-pqIKG_YRXwW+b=Tl*G7fl{F? z0z!Nt^K>(Q`{i|`p8>G}@uxT=TYY|>Y(W*i<*)Gbv*}piZtsp5{`_8@aWqB7JQh## zm@>kfo^4x}=fP6T60aGcD8K?iXt3p#VxwN}gVms87HiBvSZ?2{F^{af$u;58+z|JZ zsVlL-TwqztftqY&S3rG$A_3pZsbn-j-8_g+j41VFx1#FcL5!{*bdyiy5(FHT^r+;1 ZU5lZJ`D`BaX@N0m(kNAQ*wq};H@nA}{y*ZUX^+(O!tbT= zcGakk2}TM@g`F{m4osi)yHX3<^IEb~}~ITkLUAXr|2 z2){3F^;IGbl(w;MLWwh4-QUScKF5N`dLW$>a%pT7OxCb}7i0C3TrfHa zwJ6#k>=1pS#bMPWmXA0P#W4X5M#}#MPJng3fVU*s3tG^-zD~x^hPLrM@+3RMi6%vDHw@DY>Q2t$lXtayF$8p-?cF~kE|sgw4K83a3YkXZtYS9r>^QYX z4++&&>+ig*9>bb0D}6en7uG*jiXeXy0DbE=o=&Ex3eR|@eTqXnvZjNr+o$d$lI`tq zO`kND3$276;``tEP!a{#pZR8~Kt1mwLnj>%!FWE|CCD+e&XT!!s%zc6OIlx~F&h#5 zXHfDISa)QS85+y|&G2cy3Q&FfLJn562a4IqKuD?;gWdT((+J40Ep;4K9C| z52gM>HrtNzQKA9PA7s|lC`>gOI5|45Nn??amsRDwZijj@OUGewh)9p$*GHgD0Wp8E z$7H8z;{zj+=0^MJDK<50@Xo()C|AyOQSWHwDFiX|+s@<( zv06#-%71j&>>(TjTVU!B{fVJiHy%BY>hg5cHeA$_3A*MfiECU~fuy>VmJ@ksB#oMa zXLh?VXsDy3(YUc;{Uxn*l#Q=PYeRn%osjItzuDGLNF@XmvV3T$JY^2gW_ZUdvR{-A zOY|0!?c~j!;!?LCE2D*Ug8EuRKv|%Dn|-CqEPj8Nt=SP1(Vm5`y*g;IQ&4c6giIGe zw3pc>?!>xI@jy6^B@sRSX(aKeQVt83>}7E9Z%xw06ELChxC%k5Dooc%;pk;-d7(~i z@3sAm^e?kbRr9;Uxay)Fn+a 
diff --git a/secrets/miniflux-admin-credentials.age b/secrets/miniflux-admin-credentials.age deleted file mode 100644 index 237927ab6eb6ab2d53d5608f9f5d20a3200176de..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1465 zcmV;q1xES+M@dveQdv+`07zO?vJ-@9^&nd$>L+djpM0p{wIr(@{Nit4Hf6QGk{sGL z5f(Wus4%?SGTt`>y)O_kZLQQ6c5cxMLZ( z6f4$~n^DO8bZm76CV*(h+90!)-3&n|Ij1AZ+o65b(whO&IkEQ?fl*$H z!s>SB9?aLJ=sX{0dhwQC6b?!;pFEELM89XdI&PQl$Knr2mVHNsOK!NBwB}I1KKBRB~-ie&cF%=DaLScc|IM6lcr?lRU{qlYO zC+KJyQ#e%*Xm{SA=R9&Eq;2SHfZrXSPGWT+mDu$Ha`KvJ;lG*_oumVlcv?L5NjV8aJziLu!$DP1ZBpgmG2Pa_ZyujfsoqvloYC;WeWLwLJBa zlo=ut1b1ZExkGOA$Ch1YZ`PqLW2D}yJMeR?`F_R_VtOt-3@21r@8=T{aBanOiObuc z(0@PwcJ{v}p~VWW+Qfzv@-2$FZ#fncvKf^QU`w>hvoO_P0f4ab<}@ugDU=7WXvKo+ zr(A4gGv_g4j24+GqYJzjPWJyU9B`w5h7sv}fU@iqRb0%4F$n*q@XMydihp9Xy#(to z5RF<&39=Nw6P#JXORR5y|4idcYRMRal;9wY+G1cH+Hr>g0jSVjfgcq;Fbf#56C)oc zTNyf=Adjij}MQ}R~CCl znZ;2#}f>aOdw$>LQaq#r^0DR*@KMh(H4J~iHXvv?UYa5x4&>r zZ8zbS3~F_=*Zwi^?0`4_Z_tRno%EO#!O2n=3G5Un{l58}EAaI-nGtgdGB&PR|Ljcv z%wY#I4B{BaDomW28Y-Lh7*5b{q_ygQl&H%)`ihd@*gsnCgyASUx)$+x5v~lXL-i|Q z*dL4k*}z(dwj9Ek{(s|`NB`Pz3kP308Ym2Il8VZ7R}9xAQWHU6m2^VseZWEn<}MKp zD|b=IoQ4L0VS1u7F1ECG@vNT^z682vBR0}Ux35@0O6gBs`%c^7;eqC}#~F(n zu+y2evPT|fM>M8hNl671F$(Oy5L?n$;$v%WFRv}3T47}!Os&Qtq-d9u#_B7Z|9|EY z6!G0a>?h7>53Qoa){RL3N2=f6<(wJoi|K80@@0%~1v=rnunboE|8ql3wFnneW|6eZ z9`#Y@G5^f?nE#F6$}a2*UoYaqMZSaq$52mxMm+q#@sUVPfiL0(YFVM?nW<&oyFe7Q z^rb+C5)7{un(tg+OmE@Q5U0`}WPq`xk@9pT9}{NOR2?zAkQj~{K`jfWgQLjgcAHqW zpSS673Sw`_>|sG!Fpk~db;Na(Vvv<7>G(=NDS4~YBlj(ml}=fpM1^kom|G>QZiYKc z;Ypi_$1I-41=2iGA>LB)hW^e_?x&D{40FA>J5rRAVLH~&V1`#V(P_}i`c;6-VI!CUr*j>T@2JhzPVLT^v>(RTrn*tHP zt-8+K57_vs1j1qcZBZE)6!TL2mf=CWDyM2(6qT%urcWg>DDGAaPpzhDF=(eO`-lbK z>2hlxp6uSxkbC%Z;M4{>ZKe~lh-{!j%>m3zTJAtJJKF0Sbx`5UU`%{#QJlxj{=M3y zK#(L4K-Kg)egzie2Mqn)1_i>jV(+UL#YdtUh@l{ePv5U};pS=}FO5l`xDASamG?|}Mh1T`Gn7t&SWWz>vJa+L9^#;r#`~_fW|3E> zVj?)tQ3k%)qRXa;iO8+yXuODsbk4#5L)TghT;Hb;oyxm*3z`jtIsyFxaq{MF%^z_^?EO7v 
z58+w01v{(}|4~qCYY6olfHf(a5w!(i7S^Nkk$x@Pd5NfX066D)p<_c(GI%BkK~9oq z7~$dd!FgApSWzzh00oyY4{X(-#`^3>GcwtkDWnEwrTCbt!B(q|8!xh0d zmrjG|`>7jA9QY%eKTPoiHW=ST(>+@|Zec06-&7aEq$be25|0fybO6E5wQsQBO9d6c z%c=wP%bB<9OV@=>@#v6Em}94FqF9Y=!lmWTio?;VeiFiyMEbw_&`lz2F0GcB({i@UgFAc9D1E>h7mT4gU_U-7kznw}c)9N0PrlPUh-jw)%>LNq&bS+S z{&2Pk0;^!LAD5hzA^seP#*$)G^^X(-86052^^ul;7%!CXqhOT>o*2I~T7jwgd~3io dn_hgVQ-=wUTFJ522vZ-lHldss?9QF5SO*Sq%uWCR 
diff --git a/secrets/woodpecker-common-env.age b/secrets/woodpecker-common-env.age deleted file mode 100644 index 938b0a99e8ee5816b04aa40778cd37e30ea1c21b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1544 zcmV+j2KV^@M@dveQdv+`00i`*@O*xg!K#Y%ja{5{@}&kyBaYH?Rf+*$u6p6yie19g zXW|{CawrUNIYa)dNy)!`XHJG*uPgRX0v?(>(XmE`r~eH7>h`REG8dsN-5k4C;)|fB zWi5Jv>!!;XNs2FBMMOqo2VxTLbC(L1iHJ(2xrHqyt^OsCobW@zj6;bg-lbXzC!{MV zxvKpHIsnN9=lzqxs#BUm7RRD#MM{GrrQkDGZ%K0AT-?|_!PW?FwZFmh-)o%t)^4FT zxsI~sd>912keLQ;Y7keo!RzL%3$R* z3;2&I6RRa<38hM-pEbZE*wv;dm&;1L&#waWBV^Woh8>-ah@I%|BXlg)Y)5D^PUJSs zCIwA}tjg1Mg$TL`SzjC>vYxHvtcCrPNv&oPYrQ=ELLs7_Ps{+X9eI=CsUenuE-k6SQ+bz}|I1&MBRm|1h=$+6usXX! zz^gfDa)_qd(_lBWN}{DNY8=lZ>{jYJmY@l5J`p`J)C;u2niGlLELA$)k&?pnaQvX+ zIUeEg6u*Mm(e9^}HWIXurGP_S{i-No%pTRgwhxR@hO5DD+;+%6*<}fiBBu&O8U{SF zq)iAc_dHB-k5Z0b{ivcLJBB&>XDn?HOqBg8iLL6^#f^zgyi3_s4m&B0A~PZere9z;U3(QSLs|@oH&>nlDkfv)7^TL8rxE+w@bhl5l*7q*}xO)2XrbZk%?o zQN0>n^W&TaPEdpYz62a~b**X)rN(V|nKh&G@aZw3FdIOM39I4a#O@75?=;Bb07BdnI-x-pK!%%{nHwKeK}@#X38idAOnW#n&rs^QVdiTBML} zUg1X_>1Jy1lt-HkdmV|Io`C7!S8`A5@cqy%4_ns~zozeI2}h|`MWr3IF`xOGFJ353 z7k9 z(C0}lA@vI^{QL+d;@-qxSbc#00ZJeBc;8&p@2%l_0N@?%oB4KzovK@JW(V>+J;&EgSh6Y(D&Bl-2+x z;r4@j#D{Nbcq{)A2Srqvg7d$jENYA>gqMxb0TR*~kT`ep5H!^gBt(k>hfx{Cfa~Q% zE#kFCSG!yppV2ZX817yJ%Ld&ABCz2iA0|y`d0M<};kcTiPRIhAu&YgvaF^@?RQ558 z8(lYwUS+okr>^4O0B#9wvh-|sqPdhVzr6(cGGNFo9QuEJmg2GjwEtCoAZo1KTK{GU zFMlmSy|D=Ceb`>U`*@zgA-75=(~X^qZNkMlXa}2xf;RBbI`-f%h2WAkg`0`1WjftP zmgR(mkxiUndj7|)5RJw7Xzbt5)q=3+)(yu|+RtE*er^YG(9-7g-Sc0nyk5uE6(}Qq2ad<@ihD|F&Ny3o3rd};O_We%3bAXTTbfrJr$sN5sD(BC1vbn9j$`T=q^`b`*EAP*GMOhgGtM5+o(+pQ}`qZO3nhYAkh!5 zah)?r*f>UWYS3EV!}Zq>&^SCT(ltPe*7@1=QPa@kJX!i3&4~ zOyFEVrob+v8>i9Q(bdHIN9Rsw{P~N0hU6r=s#bdO3uFf+qDGG>Qq2n318p`7f} zzB=iGH;H#WN!*ct)b*Ol5^M4X;O?Q8Ci)rT8?=gYz4m2d*_3T0SnOPQoyvF(R$&%j z;6W7wLsl@x4QEWaVgzNZVhD>HxAW=Kbn~1^Uj5EkPe;}z%$_1SHAeor0Zo$mLpCM& zKW#9mwKqrF!Gsg!yYh|A2e3n4|84TzFOIl~+;xa+T>gLY3ty)Hn!HT*`m0C?^lF;R 
zgGEpg^a;ZoO=n5-q&yDDpiC-`HYt&^RM|oElG!ptE4XGJEj*Z80iKVZ`;Zr&+pg~A?Ohhe(zbZK(3jl0AW;vj*wMaAOV{h)* zaiB1`b=|Q~0b9r~qXH)ZA0=HJ?>{z)9S{p7x%UyBQ^ZbN{C-mE+VKWKUT=QaV)L~} z+GsFc=K7FT6P-q%#(&WBh%+k0!F!e}45fT{kX029&tB}OEPzbcJ;3)5%IHWEXHxjf z=Elf=_D}eVFRCRxR<+$-=9@V>(#%QZq18D&Un1reek#GfY4~yLx zT??T7Ml5UkX}T!wJxLe0q2m=r%V~J(%p7WNDC})E8~;j+!B6vNw8ziHBXw5eRVj`c z1@(aj{26t|cZ>Yg0YYHkYT)K@=rDcPjo! zQ_q4y?fZe=ScLGmZvLsp26T;ie zUu3aQ9je`Z02}GRp!nr|ikd$y;_p_VdP^19{~+{JnOXP-BUx2<_gAXSwidi~q1Enb zWji-mokx+-xj5$@n2##+&iJ0t^{IxtNK;PB8?3LL!s7goS$7Z!7m(r@Vo}y((X~>i zwC!b>ld$w-7pWL@P!De7>%=!g>Ax4!dD6ji1`Y(HpOzgu7FXZ>%d4LSRPv`=?F7~? zY=&R_YP)1oix*;2u+Qb0o+4zGZQ+XG?eS2K8DK-yi&0OZMA;p0X1DAM>^hgU_!Gqv zf_S0K)FP+cyL<@!0V2Ab_UvkQR#PM`@*_(fD+!2KRIw!}JvzaoL0@Co4^9|< zA<>sQf9sYVHRa`(bR#6buj;5_tijqssATSq^%9Sabfq1*Bale@2J#(<95Fs@ZWnv} V%1iB48+1}F4IUf4ifVkK5*+^uZD36jT*t;4>D5>0HAR(}hEedsjwsJLKtx_=b+Ikb%ZnDF4ZUOI&JRl*9v zELBcF$$}54AYdq)-tKJTu}t5+Dw39&qJ|$$k+tSN$P)VM18IE0!uRu;d7_{W*KO(e zd|LJvq zLsZUO3UuN{ANunO-3Mc2660K0CV6IPpzDbxYVbf7VZPk9o8CEG9_da1#V4 z&_d%8M5ZcV>nrhi;raPZrVT4eq?frADyWDK_>V4my+YMN8%`M%ci%tp-HRXOSjE>u z>vcyV+w=x&nWy6u!sZ91CT6ZO^p+o?*VUoFSjKT2u#;Z!Wi@Sp6O7l(&U3l;>TaP; zS=L{Iwz37+(LgBza=t(YFMPu4)R9iNH@ku0lbUYwn5OkSzi;QxhauWpV7go=9IV7A zLVQtff*W55E(m_Mon8y%JJ=PyNA9_f1}tGj?zyBW=YtmF9Gy??AG@y7AZj%*8NQxG zM)Nj1N+^6Dt0P<_XG=2f?IE8l>UMkQxt-_#lUv$9u9NVNsD`FLw9wi6VZFrs+6Qdh zX@LxGP@UIVRoHQB(LmvVafVx(Znyem%SUya4PcD&tt*MWf3`;zZ1+9#v@eU>krkxw z7oBww%5(hVK5zJ+sskus>TjX=puLL)Y!(N}|4bdK%t2!TAc{&NepX{0hW24Uu)G9_ zPRUb1okuT>r>o@&KJdX`28A$R=dA0S4Q8xoiU94(tnuC-(f{HKy0srhh;H9MNwS^G zRHqshrH(n8@O`(stV{|RdwA(?H4gya0ZtOeebic)e(k)QGsrrN0JO#MUuvg%@tOpI zHTW(84uFzt*peeVg(B~q0l6ixblh6Lv=w3r4nI?1WGdVPlqC5vvv{nW0!%d1^gBmc zubHP=*;>R_kVO;YqEM%J+s?^!+Y!O|jcky4?PF{?@b_-hpNh0Mn4$|wIQH5{0I zbU<{rN0q==(gnq1MD*cjK?R=I&P&d!5SX2R6cm1khngp5j{>-b6B$t+PxKcZ)!3xj zmSR+g;YHmAtnN`}okIq5<{YrLslh`}T(17W%P@LV>J=f8a{Vrs^@1YWq98!cpOp|( zWL4T~n*LlQYGx!?7HcQkep0d zLhE1Z9pkTygk+4xT4(NVd<3pQ=~lCC7IW%lK9qcjV_Z-{Mwt3En2&DoMEqG|dvuTu 
z%zmFzGu*316X)LAv_^w{K9kTo$c6rP?ft~KNJC2@2vZg>jX5aFZ~x#u`xpA5e=ngq aO2WH!3UI1Vze`}YMhEFq1ay}_1J&Vecht22